Adding upstream version 1:9.16.44.upstream/1%9.16.44upstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

4505 files changed, 841749 insertions, 0 deletions

diff --git a/.clang-format b/.clang-format
new file mode 100644
index 0000000..7137d8e
--- /dev/null
+++ b/.clang-format
@@ -0,0 +1,76 @@
+BasedOnStyle: LLVM
+IndentWidth: 8
+UseTab: Always
+BreakBeforeBraces: Custom
+BraceWrapping:
+  AfterClass:      false
+  AfterEnum:       false
+  AfterStruct:     false
+  AfterUnion:      false
+  AfterControlStatement: MultiLine
+  AfterFunction:   false # should also be MultiLine, but not yet supported
+  AfterExternBlock: false
+  BeforeElse:      false
+  BeforeWhile:     false
+  IndentBraces:    false
+  SplitEmptyFunction: true
+AllowShortIfStatementsOnASingleLine: false
+IndentCaseLabels: false
+AlwaysBreakAfterReturnType: All
+Cpp11BracedListStyle: false
+ColumnLimit: 80
+AlignAfterOpenBracket: Align
+AlignConsecutiveBitFields: true
+AlignConsecutiveDeclarations: false
+AlignConsecutiveMacros: true
+AlignTrailingComments: true
+AllowAllArgumentsOnNextLine: true
+AlwaysBreakBeforeMultilineStrings: false
+BreakBeforeBinaryOperators: None
+BreakBeforeTernaryOperators: true
+AlignEscapedNewlines: Left
+DerivePointerAlignment: false
+PointerAlignment: Right
+PointerBindsToType: false
+IncludeBlocks: Regroup
+IncludeCategories:
+  - Regex:           '^<isc/'
+    Priority:        5
+  - Regex:           '^<(pk11|pkcs11)/'
+    Priority:        10
+  - Regex:           '^<dns/'
+    Priority:        15
+  - Regex:           '^<dst/'
+    Priority:        20
+  - Regex:           '^<isccc/'
+    Priority:        25
+  - Regex:           '^<isccfg/'
+    Priority:        30
+  - Regex:           '^<ns/'
+    Priority:        35
+  - Regex:           '^<irs/'
+    Priority:        40
+  - Regex:           '^<bind9/'
+    Priority:        45
+  - Regex:           '^<(dig|named|rndc|confgen|dlz)/'
+    Priority:        50
+  - Regex:           '^<dlz_'
+    Priority:        55
+  - Regex:           '^".*"'
+    Priority:        99
+  - Regex:           '<openssl/'
+    Priority:        1
+  - Regex:           '<(mysql|protobuf-c)/'
+    Priority:        1
+  - Regex:           '.*'
+    Priority:        0
+IndentExternBlock: NoIndent
+KeepEmptyLinesAtTheStartOfBlocks: false
+MaxEmptyLinesToKeep: 1
+PenaltyBreakAssignment: 30
+PenaltyBreakComment: 10
+PenaltyBreakFirstLessLess: 0
+PenaltyBreakString: 80
+PenaltyExcessCharacter: 100
+Standard: Cpp11
+ContinuationIndentWidth: 8
diff --git a/.clang-format.headers b/.clang-format.headers
new file mode 100644
index 0000000..b536276
--- /dev/null
+++ b/.clang-format.headers
@@ -0,0 +1,64 @@
+BasedOnStyle: LLVM
+IndentWidth: 8
+UseTab: Always
+BreakBeforeBraces: Custom
+BraceWrapping:
+  AfterClass:      false
+  AfterEnum:       false
+  AfterStruct:     false
+  AfterUnion:      false
+  AfterControlStatement: MultiLine
+  AfterFunction:   false # should also be MultiLine, but not yet supported
+  AfterExternBlock: false
+  BeforeElse:      false
+  BeforeWhile:     false
+  IndentBraces:    false
+  SplitEmptyFunction: true
+AllowShortIfStatementsOnASingleLine: false
+IndentCaseLabels: false
+AlwaysBreakAfterReturnType: All
+Cpp11BracedListStyle: false
+ColumnLimit: 80
+AlignAfterOpenBracket: Align
+AlignConsecutiveBitFields: true
+AlignConsecutiveDeclarations: true
+AlignConsecutiveMacros: true
+AlignTrailingComments: true
+AllowAllArgumentsOnNextLine: true
+AlwaysBreakBeforeMultilineStrings: false
+BreakBeforeBinaryOperators: None
+BreakBeforeTernaryOperators: true
+AlignEscapedNewlines: Left
+DerivePointerAlignment: false
+PointerAlignment: Right
+PointerBindsToType: false
+IncludeBlocks: Regroup
+IncludeCategories:
+  - Regex:           '^<isc/'
+    Priority:        2
+  - Regex:           '^<dns/'
+    Priority:        3
+  - Regex:           '^<iscccc/'
+    Priority:        4
+  - Regex:           '^<isccfg/'
+    Priority:        5
+  - Regex:           '^<ns/'
+    Priority:        6
+  - Regex:           '^<bind9/)'
+    Priority:        7
+  - Regex:           '^(<[^/]*)/)'
+    Priority:        8
+  - Regex:           '<[[:alnum:].]+>'
+    Priority:        1
+  - Regex:           '".*"'
+    Priority:        9
+IndentExternBlock: NoIndent
+KeepEmptyLinesAtTheStartOfBlocks: false
+MaxEmptyLinesToKeep: 1
+PenaltyBreakAssignment: 30
+PenaltyBreakComment: 10
+PenaltyBreakFirstLessLess: 0
+PenaltyBreakString: 80
+PenaltyExcessCharacter: 100
+Standard: Cpp11
+ContinuationIndentWidth: 8
diff --git a/.dir-locals.el b/.dir-locals.el
new file mode 100644
index 0000000..1fe69da
--- /dev/null
+++ b/.dir-locals.el
@@ -0,0 +1,120 @@
+;;; Directory Local Variables
+;;; For more information see (info "(emacs) Directory Variables")
+
+((c-mode .
+  ((eval .
+	 (set (make-local-variable 'directory-of-current-dir-locals-file)
+	      (file-name-directory (locate-dominating-file default-directory ".dir-locals.el"))
+	      )
+	 )
+   (eval .
+	 (set (make-local-variable 'include-directories)
+	      (list
+
+	       ;; top directory
+	       (expand-file-name
+		(concat directory-of-current-dir-locals-file "./"))
+
+	       ;; libisc
+	       (expand-file-name
+		(concat directory-of-current-dir-locals-file "lib/isc/unix/include"))
+	       (expand-file-name
+		(concat directory-of-current-dir-locals-file "lib/isc/pthreads/include"))
+	       (expand-file-name
+		(concat directory-of-current-dir-locals-file "lib/isc/include"))
+	       (expand-file-name
+		(concat directory-of-current-dir-locals-file "lib/isc"))
+	       (expand-file-name
+		(concat directory-of-current-dir-locals-file "lib/isc/netmgr"))
+
+	       ;; libdns
+	       (expand-file-name
+		(concat directory-of-current-dir-locals-file "lib/dns/include"))
+	       (expand-file-name
+		(concat directory-of-current-dir-locals-file "lib/dns"))
+
+	       ;; libisccc
+	       (expand-file-name
+		(concat directory-of-current-dir-locals-file "lib/isccc/include"))
+
+	       ;; libisccfg
+	       (expand-file-name
+		(concat directory-of-current-dir-locals-file "lib/isccfg/include"))
+
+	       ;; libns
+	       (expand-file-name
+		(concat directory-of-current-dir-locals-file "lib/ns/include"))
+
+	       ;; libirs
+	       (expand-file-name
+		(concat directory-of-current-dir-locals-file "lib/irs/include"))
+
+	       ;; libbind9
+	       (expand-file-name
+		(concat directory-of-current-dir-locals-file "lib/bind9/include"))
+
+	       ;; bin
+	       (expand-file-name
+		(concat directory-of-current-dir-locals-file "bin/check"))
+	       (expand-file-name
+		(concat directory-of-current-dir-locals-file "bin/confgen/include"))
+	       (expand-file-name
+		(concat directory-of-current-dir-locals-file "bin/confgen"))
+	       (expand-file-name
+		(concat directory-of-current-dir-locals-file "bin/confgen/include"))	       
+	       (expand-file-name
+		(concat directory-of-current-dir-locals-file "bin/dig/include"))
+	       (expand-file-name
+		(concat directory-of-current-dir-locals-file "bin/named/include"))
+	       (expand-file-name
+		(concat directory-of-current-dir-locals-file "bin/named/unix/include"))
+	       (expand-file-name
+		(concat directory-of-current-dir-locals-file "bin/rndc/include"))
+	       (expand-file-name
+		(concat directory-of-current-dir-locals-file "bin/dnssec/include"))
+	       (expand-file-name
+		(concat directory-of-current-dir-locals-file "bin/named/include"))
+	       (expand-file-name
+		(concat directory-of-current-dir-locals-file "bin/rndc/include"))
+
+	       (expand-file-name "/usr/include/libxml2")
+	       (expand-file-name "/usr/include/json-c")
+	       
+	       (expand-file-name "/usr/local/opt/openssl@1.1/include")
+	       (expand-file-name "/usr/local/opt/libxml2/include/libxml2")
+	       (expand-file-name "/usr/local/opt/json-c/include/json-c/")
+	       (expand-file-name "/usr/local/include")
+	       )
+	      )
+	 )
+
+   (eval setq flycheck-clang-include-path include-directories)
+   (eval setq flycheck-cppcheck-include-path include-directories)
+   (eval setq flycheck-gcc-include-path include-directories)
+   (eval setq flycheck-clang-args
+	 (list
+	  "-include"
+	  (expand-file-name
+	   (concat directory-of-current-dir-locals-file "config.h"))
+	  )
+	 )
+   (eval setq flycheck-gcc-args
+	 (list
+	  "-include"
+	  (expand-file-name
+	   (concat directory-of-current-dir-locals-file "config.h"))
+	  )
+	 )
+   (eval setq flycheck-cppcheck-args
+	 (list
+	  "--enable=all"
+	  "--suppress=missingIncludeSystem"
+	  "--suppress=nullPointerRedundantCheck"
+	  (concat "--suppressions-list=" (expand-file-name
+			       (concat directory-of-current-dir-locals-file "util/suppressions.txt")))
+	  (concat "-include=" (expand-file-name
+			       (concat directory-of-current-dir-locals-file "config.h")))
+	  )
+	 )
+   )
+  ))
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..3003b4d
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,13 @@
+*.sln.in eol=crlf
+*.vcxproj.* eol=crlf
+
+/fuzz/dns_rdata_fromwire_text.in/input-* -text
+
+.gitignore			 export-ignore
+/conftools			 export-ignore
+/doc/design			 export-ignore
+/doc/dev			 export-ignore
+/util/**			 export-ignore
+/util/bindkeys.pl		-export-ignore
+/util/check-make-install.in	-export-ignore
+/util/mksymtbl.pl		-export-ignore
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..03c997e
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,55 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "bind-9.16", "bind-9.18", "main" ]
+  schedule:
+    - cron: '39 8 * * 3'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'cpp' ]
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    - name: Install build dependencies
+      uses: awalsh128/cache-apt-pkgs-action@latest
+      with:
+        packages: libuv1-dev libssl-dev libnghttp2-dev libxml2-dev liblmdb-dev libjson-c-dev pkg-config autoconf automake autotools-dev libtool-bin libjemalloc-dev libedit-dev libcap-dev libidn2-dev libkrb5-dev libmaxminddb-dev zlib1g-dev python3-ply
+        version: 1.0
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v2
+
+    # ℹ� Command-line programs to run using the OS shell.
+    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+    #   If the Autobuild fails above, remove it and uncomment the following three lines.
+    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+    # - run: |
+    #   echo "Run, Build Application using script"
+    #   ./location_of_script_within_repo/buildscript.sh
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2
+      with:
+        category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
new file mode 100644
index 0000000..c9babfb
--- /dev/null
+++ b/.github/workflows/sonarcloud.yml
@@ -0,0 +1,50 @@
+name: SonarCloud
+
+on:
+  push:
+    branches: [ "bind-9.16", "bind-9.18", "main" ]
+  schedule:
+    - cron: '39 8 * * 3'
+
+jobs:
+  build:
+    name: Build and analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'cpp' ]
+
+    env:
+      BUILD_WRAPPER_OUT_DIR: build_wrapper_output_directory
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    - name: Install build dependencies
+      uses: awalsh128/cache-apt-pkgs-action@latest
+      with:
+        packages: libuv1-dev libssl-dev libnghttp2-dev libxml2-dev liblmdb-dev libjson-c-dev pkg-config autoconf automake autotools-dev libtool-bin libjemalloc-dev libedit-dev libcap-dev libidn2-dev libkrb5-dev libmaxminddb-dev zlib1g-dev python3-ply
+        version: 1.0
+
+    - name: Install sonar-scanner and build-wrapper
+      uses: SonarSource/sonarcloud-github-c-cpp@v1
+
+    - name: Run build-wrapper
+      run: |
+        autoreconf -fi
+        ./configure
+        build-wrapper-linux-x86-64 --out-dir ${{ env.BUILD_WRAPPER_OUT_DIR }} make clean all
+
+    - name: Run sonar-scanner
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+      run: |
+        sonar-scanner --define sonar.cfamily.build-wrapper-output="${{ env.BUILD_WRAPPER_OUT_DIR }}"
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000..e02d2d2
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,1800 @@
+variables:
+  # Not normally needed, but may be if some script uses `apt-get install`.
+  DEBIAN_FRONTEND: noninteractive
+  # Locale settings do not affect the build, but might affect tests.
+  LC_ALL: C
+
+  CI_REGISTRY_IMAGE: registry.gitlab.isc.org/isc-projects/images/bind9
+  CCACHE_DIR: "/ccache"
+  SOFTHSM2_CONF: "/var/tmp/softhsm2/softhsm2.conf"
+
+  # VirtualBox driver needs to set build_dir to "/builds" in gitlab-runner.toml
+  KYUA_RESULT: "$CI_PROJECT_DIR/kyua.results"
+
+  GIT_DEPTH: 1
+  GIT_CLEAN_FLAGS: -ffdxq
+
+  # The following values may be overwritten in GitLab's CI/CD Variables Settings.
+  BUILD_PARALLEL_JOBS: 6
+  TEST_PARALLEL_JOBS: 4
+
+  CONFIGURE: ./configure
+  CLANG_VERSION: 16
+  CLANG: "clang-${CLANG_VERSION}"
+  SCAN_BUILD: "scan-build-${CLANG_VERSION}"
+  LLVM_SYMBOLIZER: "/usr/lib/llvm-${CLANG_VERSION}/bin/llvm-symbolizer"
+  ASAN_SYMBOLIZER_PATH: "/usr/lib/llvm-${CLANG_VERSION}/bin/llvm-symbolizer"
+  CLANG_FORMAT: "clang-format-${CLANG_VERSION}"
+
+  CFLAGS_COMMON: -fno-omit-frame-pointer -fno-optimize-sibling-calls -O1 -g -Wall -Wextra
+
+  # Pass run-time flags to AddressSanitizer to get core dumps on error.
+  ASAN_OPTIONS: abort_on_error=1:disable_coredump=0:unmap_shadow_on_exit=1
+
+  TSAN_OPTIONS_COMMON: "disable_coredump=0 second_deadlock_stack=1 atexit_sleep_ms=1000 history_size=7 log_exe_name=true log_path=tsan"
+  TSAN_SUPPRESSIONS: "suppressions=${CI_PROJECT_DIR}/.tsan-suppress"
+  TSAN_OPTIONS_DEBIAN: "${TSAN_OPTIONS_COMMON} ${TSAN_SUPPRESSIONS} external_symbolizer_path=${LLVM_SYMBOLIZER}"
+  TSAN_OPTIONS_FEDORA: "${TSAN_OPTIONS_COMMON} ${TSAN_SUPPRESSIONS} external_symbolizer_path=/usr/bin/llvm-symbolizer"
+
+  UBSAN_OPTIONS: "halt_on_error=1:abort_on_error=1:disable_coredump=0"
+
+  TARBALL_COMPRESSOR: xz
+  TARBALL_EXTENSION: xz
+
+  INSTALL_PATH: "${CI_PROJECT_DIR}/.local"
+
+  # Disable pytest's "cacheprovider" plugin to prevent it from creating
+  # cross-testrun files as there is no need to use that feature in CI.
+  PYTEST_ADDOPTS: "-p no:cacheprovider"
+
+  # Default platforms to run "stress" tests on
+  BIND_STRESS_TEST_OS: linux
+  BIND_STRESS_TEST_ARCH: amd64
+
+default:
+  # Allow all running CI jobs to be automatically canceled when a new
+  # version of a branch is pushed.
+  #
+  # See: https://docs.gitlab.com/ee/ci/pipelines/settings.html#auto-cancel-redundant-pipelines
+  interruptible: true
+
+stages:
+  - precheck
+  - build
+  - unit
+  - system
+  - performance
+  - docs
+  - postcheck
+  - release
+
+### Runner Tag Templates
+
+.libvirt-amd64: &libvirt_amd64
+  tags:
+    - libvirt
+    - amd64
+
+# Jobs with these tags do not run on AWS but on permanent OVH systems.
+
+.linux-respdiff-amd64: &linux_respdiff_amd64
+  tags:
+    - linux
+    - ovh
+    - amd64
+
+# Autoscaling GitLab Runner on AWS EC2
+
+.linux-amd64: &linux_amd64
+  tags:
+    - linux
+    - aws
+    - runner-manager
+    - amd64
+
+# Stress-testing runners
+
+.linux-stress-amd64: &linux_stress_amd64
+  tags:
+    - amd64
+    - aws
+    - linux-stress
+    - stress
+
+.linux-stress-arm64: &linux_stress_arm64
+  tags:
+    - aarch64
+    - aws
+    - linux-stress
+    - stress
+
+.freebsd-stress-amd64: &freebsd_stress_amd64
+  tags:
+    - amd64
+    - aws
+    - bsd-stress
+    - stress
+
+.windows-amd64: &windows_amd64
+  tags:
+    - windows
+    - amd64
+
+### Docker Image Templates
+
+# Alpine Linux
+
+.alpine-3.18-amd64: &alpine_3_18_amd64_image
+  image: "$CI_REGISTRY_IMAGE:alpine-3.18-amd64"
+  <<: *linux_amd64
+
+# Oracle Linux
+
+.oraclelinux-7-amd64: &oraclelinux_7_amd64_image
+  image: "$CI_REGISTRY_IMAGE:oraclelinux-7-amd64"
+  <<: *linux_amd64
+
+.oraclelinux-8-amd64: &oraclelinux_8_amd64_image
+  image: "$CI_REGISTRY_IMAGE:oraclelinux-8-amd64"
+  <<: *linux_amd64
+
+.oraclelinux-9-amd64: &oraclelinux_9_amd64_image
+  image: "$CI_REGISTRY_IMAGE:oraclelinux-9-amd64"
+  <<: *linux_amd64
+
+# Debian
+
+.debian-buster-amd64: &debian_buster_amd64_image
+  image: "$CI_REGISTRY_IMAGE:debian-buster-amd64"
+  <<: *linux_amd64
+
+.debian-bullseye-amd64: &debian_bullseye_amd64_image
+  image: "$CI_REGISTRY_IMAGE:debian-bullseye-amd64"
+  <<: *linux_amd64
+
+.respdiff-debian-bookworm-amd64: &respdiff_debian_bookworm_amd64_image
+  image: "$CI_REGISTRY_IMAGE:debian-bookworm-amd64"
+  <<: *linux_respdiff_amd64
+
+.debian-bookworm-amd64: &debian_bookworm_amd64_image
+  image: "$CI_REGISTRY_IMAGE:debian-bookworm-amd64"
+  <<: *linux_amd64
+
+.tsan-debian-bookworm-amd64: &tsan_debian_bookworm_amd64_image
+  image: "$CI_REGISTRY_IMAGE:tsan-debian-bookworm-amd64"
+  <<: *linux_amd64
+
+.debian-bookworm-amd64cross32: &debian_bookworm_amd64cross32_image
+  image: "$CI_REGISTRY_IMAGE:debian-bookworm-amd64cross32"
+  <<: *linux_amd64
+
+.debian-sid-amd64: &debian_sid_amd64_image
+  image: "$CI_REGISTRY_IMAGE:debian-sid-amd64"
+  <<: *linux_amd64
+
+# openSUSE Tumbleweed
+
+.tumbleweed-latest-amd64: &tumbleweed_latest_amd64_image
+  image: "$CI_REGISTRY_IMAGE:tumbleweed-latest-amd64"
+  <<: *linux_amd64
+
+# Fedora
+
+.tsan-fedora-38-amd64: &tsan_fedora_38_amd64_image
+  image: "$CI_REGISTRY_IMAGE:tsan-fedora-38-amd64"
+  <<: *linux_amd64
+
+.fedora-38-amd64: &fedora_38_amd64_image
+  image: "$CI_REGISTRY_IMAGE:fedora-38-amd64"
+  <<: *linux_amd64
+
+.fedora-38-arm64: &fedora_38_arm64_image
+  image: "$CI_REGISTRY_IMAGE:fedora-38-arm64"
+  <<: *linux_stress_arm64
+
+# Ubuntu
+
+.ubuntu-bionic-amd64: &ubuntu_bionic_amd64_image
+  image: "$CI_REGISTRY_IMAGE:ubuntu-bionic-amd64"
+  <<: *linux_amd64
+
+.ubuntu-focal-amd64: &ubuntu_focal_amd64_image
+  image: "$CI_REGISTRY_IMAGE:ubuntu-focal-amd64"
+  <<: *linux_amd64
+
+.ubuntu-jammy-amd64: &ubuntu_jammy_amd64_image
+  image: "$CI_REGISTRY_IMAGE:ubuntu-jammy-amd64"
+  <<: *linux_amd64
+
+# Windows
+
+.windows-server-2016-amd64: &windows_server_2016_amd64_image
+  image: "$CI_REGISTRY_IMAGE:windows-server-2016-amd64"
+  <<: *windows_amd64
+
+# Base image
+# This is a meta image that is used as a base for non-specific jobs
+
+.base: &base_image
+  <<: *debian_bookworm_amd64_image
+
+### QCOW2 Image Templates
+
+.freebsd-12-amd64: &freebsd_12_amd64_image
+  image: "freebsd-12.4-x86_64"
+  <<: *libvirt_amd64
+
+.freebsd-13-amd64: &freebsd_13_amd64_image
+  image: "freebsd-13.2-x86_64"
+  <<: *libvirt_amd64
+
+.openbsd-amd64: &openbsd_amd64_image
+  image: "openbsd-7.3-x86_64"
+  <<: *libvirt_amd64
+
+### Job Templates
+
+.api-schedules-tags-triggers-web-triggering-rules: &api_schedules_tags_triggers_web_triggering_rules
+  only:
+    - api
+    - schedules
+    - tags
+    - triggers
+    - web
+
+.api-schedules-triggers-web-triggering-rules: &api_schedules_triggers_web_triggering_rules
+  only:
+    - api
+    - schedules
+    - triggers
+    - web
+
+.default-triggering-rules: &default_triggering_rules
+  only:
+    - api
+    - merge_requests
+    - schedules
+    - tags
+    - triggers
+    - web
+
+.precheck: &precheck_job
+  <<: *default_triggering_rules
+  <<: *base_image
+  stage: precheck
+
+.autoconf: &autoconf_job
+  <<: *default_triggering_rules
+  <<: *base_image
+  stage: precheck
+  script:
+    - autoreconf2.69 -fi
+  artifacts:
+    untracked: true
+
+.configure: &configure
+    - ${CONFIGURE}
+      --disable-maintainer-mode
+      --enable-developer
+      --with-libtool
+      --disable-static
+      --enable-option-checking=fatal
+      --enable-dnstap
+      --with-cmocka
+      --with-libxml2
+      --with-json-c
+      --without-make-clean
+      $EXTRA_CONFIGURE
+      || (test -s config.log && cat config.log; exit 1)
+
+.parse_tsan: &parse_tsan
+    - find -name 'tsan.*' -exec python3 util/parse_tsan.py {} \;
+
+.build: &build_job
+  <<: *default_triggering_rules
+  stage: build
+  before_script:
+    - test -w "${CCACHE_DIR}" && export PATH="/usr/lib/ccache:${PATH}"
+    - test -n "${OOT_BUILD_WORKSPACE}" && mkdir "${OOT_BUILD_WORKSPACE}" && cd "${OOT_BUILD_WORKSPACE}"
+  script:
+    - *configure
+    - test -n "${SKIP_MAKE_DEPEND}" || make -j${BUILD_PARALLEL_JOBS:-1} depend 2>&1 | tee make-depend.log
+    - test -n "${SKIP_MAKE_DEPEND}" || ( ! grep -F "error:" make-depend.log )
+    - make -j${BUILD_PARALLEL_JOBS:-1} -k all V=1
+    - test -z "${BUILD_CONTRIB}" || for DIR in contrib/dlz/modules/*; do test -f "${DIR}/Makefile" && make -C "${DIR}"; done
+    - test -z "${RUN_MAKE_INSTALL}" || make DESTDIR="${INSTALL_PATH}" install
+    - test -z "${RUN_MAKE_INSTALL}" -o -z "${BUILD_CONTRIB}" || for DIR in contrib/dlz/modules/*; do test -f "${DIR}/Makefile" && make -C "${DIR}" DESTDIR="${INSTALL_PATH}" install; done
+    - test -z "${RUN_MAKE_INSTALL}" || DESTDIR="${INSTALL_PATH}" sh util/check-make-install
+    - if [[ "${CFLAGS}" == *"-fsanitize=address"* ]]; then ( ! grep -F AddressSanitizer config.log ); fi
+    - test -z "${CROSS_COMPILATION}" || grep -F -A 1 "checking whether we are cross compiling" config.log | grep -q "result.*yes"
+    - test -z "${CROSS_COMPILATION}" || file lib/dns/gen | grep -F -q "ELF 64-bit LSB"
+    - test -z "${CROSS_COMPILATION}" || ( ! git ls-files -z --others --exclude lib/dns/gen | xargs -0 file | grep "ELF 64-bit LSB" )
+  needs:
+    - job: autoreconf
+      artifacts: true
+  artifacts:
+    untracked: true
+    when: always
+
+.windows_build: &windows_build_job
+  stage: build
+  script:
+    - 'Push-Location "C:/Program Files (x86)/Microsoft Visual Studio/2017/BuildTools/VC/Auxiliary/Build"'
+    - '& cmd.exe /C "vcvarsall.bat x64 & set" | Foreach-Object { if ($_ -match "(.*?)=(.*)") { Set-Item -force -path "Env:\$($matches[1])" -value "$($matches[2])" } }'
+    - 'Pop-Location'
+    - 'Set-Location win32utils'
+    - '& "C:/Strawberry/perl/bin/perl.exe" Configure
+         "with-tools-version=15.0"
+         "with-platform-toolset=v141"
+         "with-platform-version=10.0.17763.0"
+         "with-vcredist=C:/Program Files (x86)/Microsoft Visual Studio/2017/BuildTools/VC/Redist/MSVC/14.16.27012/vcredist_x64.exe"
+         "with-openssl=C:/OpenSSL"
+         "with-libxml2=C:/libxml2"
+         "with-libuv=C:/libuv"
+         "without-python"
+         "with-system-tests"
+         x64'
+    - 'Set-Item -path "Env:CL" -value "/MP$([Math]::Truncate($BUILD_PARALLEL_JOBS/2))"'
+    - '& msbuild.exe /maxCpuCount:2 /t:Build /p:Configuration=$VSCONF bind9.sln'
+  needs: []
+  artifacts:
+    untracked: true
+
+.setup_interfaces: &setup_interfaces
+    - if [ "$(id -u)" -eq "0" ]; then
+        sh -x bin/tests/system/ifconfig.sh up;
+      else
+        sudo sh -x bin/tests/system/ifconfig.sh up;
+      fi
+
+.setup_softhsm: &setup_softhsm
+    - export SLOT=$(sh -x bin/tests/prepare-softhsm2.sh)
+    - test -n "${SLOT}" && test "${SLOT}" -gt 0
+
+cross-version-config-tests:
+  stage: system
+  <<: *base_image
+  <<: *default_triggering_rules
+  variables:
+    CC: gcc
+    CFLAGS: "${CFLAGS_COMMON}"
+    # Disable option checking to prevent problems with new default options in
+    # the &configure anchor.
+    EXTRA_CONFIGURE: "--disable-option-checking"
+  script:
+    # Exclude the dyndb test from the system test as the sample library can't
+    # locate the libdns library from the BIND 9 baseline version.
+    - sed -i '/^dyndb \\$/d' bin/tests/system/conf.sh.common
+    - *configure
+    - *setup_interfaces
+    - make -j${BUILD_PARALLEL_JOBS:-1}
+    - export BIND_BRANCH=16
+    # When testing a .0 release, compare it against the previous development
+    # release (e.g., 9.19.0 and 9.18.0 should both be compared against 9.17.22).
+    - if [ "$(sed -n -E "s|^m4_define\(\[bind_VERSION_PATCH\], ([0-9]+)\)dnl$|\1|p" configure.ac)" = "0" ]; then export BIND_BRANCH=$((BIND_BRANCH - 1 - (BIND_BRANCH % 2))); fi
+    - BASELINE="$(curl -s "https://gitlab.isc.org/api/v4/projects/1/repository/tags?search=^v9.${BIND_BRANCH}&order_by=version" | jq -r ".[0].name")"
+    - git clone --branch "${BASELINE}" --depth 1 https://gitlab.isc.org/isc-projects/bind9.git "bind-${BASELINE}"
+    - cd "bind-${BASELINE}"
+    - autoreconf2.69 -fi
+    - *configure
+    - make -j${BUILD_PARALLEL_JOBS:-1}
+    - cd bin/tests/system
+    # Neutralize shell and pytests; in effect, "nsX" servers are just started
+    # and stopped, thus configuration checked.
+    - truncate --size=0 */tests{.sh,*.py}
+    # Run the setup phase of all system tests in the most recently tagged BIND 9
+    # release using the binaries built for the current BIND 9 version.  This
+    # intends to detect obvious backward compatibility issues with the latter.
+    - sed -i -E "s|(export TOP)=.*|\1=${CI_PROJECT_DIR}|" conf.sh
+    - make -j${TEST_PARALLEL_JOBS:-1} -k check V=1
+  needs:
+    - job: autoreconf
+      artifacts: true
+  artifacts:
+    paths:
+      - bind-*
+    untracked: true
+    expire_in: "1 day"
+    when: on_failure
+
+.system_test_common: &system_test_common
+  <<: *default_triggering_rules
+  stage: system
+  before_script:
+    - *setup_interfaces
+    - *setup_softhsm
+  script:
+    - ( cd bin/tests/system && make -j${TEST_PARALLEL_JOBS:-1} -k test V=1 )
+    - test -s bin/tests/system/systests.output
+    - if git rev-parse > /dev/null 2>&1; then ( ! grep "^I:.*:file.*not removed$" bin/tests/system/systests.output ); fi
+    - '( ! grep -F "grep: warning:" bin/tests/system/systests.output )'
+
+.system_test: &system_test_job
+  <<: *system_test_common
+  artifacts:
+    untracked: true
+    when: on_failure
+
+.system_test_gcov: &system_test_gcov_job
+  <<: *system_test_common
+  artifacts:
+    untracked: true
+    when: always
+
+.system_test_tsan: &system_test_tsan_job
+  <<: *system_test_common
+  after_script:
+    - *parse_tsan
+  artifacts:
+    untracked: true
+    when: on_failure
+
+.kyua_report: &kyua_report_html
+  - kyua --logfile /dev/null report-html
+         --force
+         --results-file "$KYUA_RESULT"
+         --results-filter ""
+         --output kyua_html > /dev/null
+
+.windows_system_test: &windows_system_test_job
+  stage: system
+  script:
+    - 'Push-Location bin/tests/system'
+    - '$ifIndex = Get-NetIPInterface -AddressFamily IPv4 -InterfaceMetric 75 | Select-Object -ExpandProperty ifIndex'
+    - '& C:/tools/cygwin/bin/sed.exe -i "s/^exit.*/netsh interface ipv4 set dnsservers $ifIndex dhcp/; s/\(name\|interface\)=Loopback/$ifIndex/;" ifconfig.bat'
+    - '& C:/tools/cygwin/bin/sed.exe -i "s/kill -f/kill -W/;" conf.sh stop.pl'
+    - '& cmd.exe /C ifconfig.bat up; ""'
+    - 'Start-Sleep 2'
+    - '$Env:Path = "C:/tools/cygwin/bin;$Env:Path"'
+    - '& sh.exe runall.sh $TEST_PARALLEL_JOBS'
+    - 'If (Test-Path C:/CrashDumps/*) { dir C:/CrashDumps; Throw }'
+  artifacts:
+    untracked: true
+    when: on_failure
+
+.unit_test_common: &unit_test_common
+  <<: *default_triggering_rules
+  stage: unit
+  before_script:
+    - *setup_softhsm
+  script:
+    - make unit
+  after_script:
+    - *kyua_report_html
+
+.unit_test: &unit_test_job
+  <<: *unit_test_common
+  artifacts:
+    untracked: true
+    when: on_failure
+
+.unit_test_gcov: &unit_test_gcov_job
+  <<: *unit_test_common
+  artifacts:
+    untracked: true
+    when: always
+
+.unit_test_tsan: &unit_test_tsan_job
+  <<: *unit_test_common
+  after_script:
+    - *kyua_report_html
+    - *parse_tsan
+  artifacts:
+    untracked: true
+    when: on_failure
+
+.respdiff: &respdiff_job
+  stage: system
+  before_script:
+    - *configure
+    - make -j${BUILD_PARALLEL_JOBS:-1} V=1
+    - *setup_interfaces
+    - git clone --depth 1 https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.isc.org/isc-private/bind-qa.git
+    - cd bind-qa/bind9/respdiff
+  needs: []
+  artifacts:
+    paths:
+      - bind-qa/bind9/respdiff
+    exclude:
+      - bind-qa/bind9/respdiff/rspworkdir/data.mdb # Exclude a 10 GB file.
+    untracked: true
+    when: always
+
+### Job Definitions
+
+# Jobs in the precheck stage
+
+autoreconf:
+  <<: *autoconf_job
+
+misc:
+  <<: *precheck_job
+  script:
+    - sh util/check-ans-prereq.sh
+    - sh util/checklibs.sh > checklibs.out
+    - sh util/tabify-changes < CHANGES > CHANGES.tmp
+    - diff -urNap CHANGES CHANGES.tmp
+    - perl util/check-changes CHANGES
+    - sh util/check-line-length.sh CHANGES
+    - test ! -f CHANGES.SE || sh util/tabify-changes < CHANGES.SE > CHANGES.tmp
+    - test ! -f CHANGES.SE || diff -urNap CHANGES.SE CHANGES.tmp
+    - test ! -f CHANGES.SE || perl util/check-changes master=0 CHANGES.SE
+    - test ! -f CHANGES.SE || sh util/check-line-length.sh CHANGES.SE
+    - rm CHANGES.tmp
+    - xmllint --noout --nonet `git ls-files '*.xml' '*.docbook'`
+    - sh util/check-win32util-configure
+    - sh util/check-categories.sh
+    - sh util/xmllint-html.sh
+  needs: []
+  artifacts:
+    paths:
+      - checklibs.out
+    when: on_failure
+
+black:
+  <<: *precheck_job
+  needs: []
+  script:
+    - black $(git ls-files '*.py' '*.py.in')
+    - git diff > black.patch
+    - if test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; exit 1; fi
+  artifacts:
+    paths:
+      - black.patch
+    expire_in: "1 week"
+    when: on_failure
+
+clang-format:
+  <<: *precheck_job
+  needs: []
+  script:
+    - if [ -r .clang-format ]; then "${CLANG_FORMAT}" -i -style=file $(git ls-files '*.c' '*.h'); fi
+    - git diff > clang-format.patch
+    - if test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; exit 1; fi
+  artifacts:
+    paths:
+      - clang-format.patch
+    expire_in: "1 week"
+    when: on_failure
+
+coccinelle:
+  <<: *precheck_job
+  needs: []
+  script:
+    - util/check-cocci
+    - if test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; exit 1; fi
+
+reuse:
+  <<: *precheck_job
+  needs: []
+  image:
+    name: docker.io/fsfe/reuse:latest
+    entrypoint: [""]
+  script:
+    - reuse lint
+
+danger:
+  <<: *precheck_job
+  needs: []
+  script:
+    - danger-python ci -f
+  only:
+    refs:
+      - merge_requests
+    variables:
+      - $DANGER_GITLAB_API_TOKEN
+
+pylint:
+  <<: *default_triggering_rules
+  <<: *base_image
+  stage: postcheck
+  needs:
+    - job: autoreconf
+      artifacts: true
+  script:
+    - *configure
+    - export PYTHONPATH="$PYTHONPATH:$CI_PROJECT_DIR/bin/python"
+    - pylint --rcfile $CI_PROJECT_DIR/.pylintrc $(git ls-files '*.py' | grep -vE '(ans\.py|dangerfile\.py|^bin/tests/system/)')
+      # Ignore Pylint wrong-import-position error in system test to enable use of pytest.importorskip
+    - pylint --rcfile $CI_PROJECT_DIR/.pylintrc --disable=wrong-import-position $(git ls-files 'bin/tests/system/*.py' | grep -vE 'ans\.py')
+
+checkbashisms:
+  <<: *precheck_job
+  needs: []
+  script:
+    - checkbashisms $(find . -path './.git' -prune -o -type f -exec sh -c 'head -n 1 "{}" | grep -qsF "#!/bin/sh"' \; -print | sed -e '/^\.\/install-sh$/d')
+
+tarball-create:
+  stage: precheck
+  <<: *base_image
+  <<: *default_triggering_rules
+  script:
+    - source version
+    - export BIND9_VERSION="${MAJORVER}.${MINORVER}${PATCHVER:+.}${PATCHVER}${RELEASETYPE}${RELEASEVER}${EXTENSIONS}"
+    - export BIND_DIRECTORY="bind-${BIND9_VERSION}"
+    - git archive --prefix="${BIND_DIRECTORY}/" --output="${BIND_DIRECTORY}.tar" HEAD
+    - mkdir "${BIND_DIRECTORY}"
+    - echo "SRCID=$(git rev-list --max-count=1 HEAD | cut -b1-7)" > "${BIND_DIRECTORY}/srcid"
+    - tar --append --file="${BIND_DIRECTORY}.tar" "${BIND_DIRECTORY}/srcid"
+    - sphinx-build -b man -d "${BIND_DIRECTORY}/tmp/.doctrees/" -W -a -v -c doc/man/ -D version="@BIND9_VERSION@" -D today="@RELEASE_DATE@" -D release="@BIND9_VERSIONSTRING@" doc/man "${BIND_DIRECTORY}/doc/man"
+    - rm -rf "${BIND_DIRECTORY}/tmp/.doctrees/"
+    - for man in "${BIND_DIRECTORY}/doc/man/"*; do mv "$man" "$man"in; done
+    - tar --append --file="${BIND_DIRECTORY}.tar" "${BIND_DIRECTORY}/doc/man/"*in
+    - ${TARBALL_COMPRESSOR} "${BIND_DIRECTORY}.tar"
+  artifacts:
+    paths:
+      - bind-*.tar.${TARBALL_EXTENSION}
+
+# Jobs for doc builds on Debian 12 "bookworm" (amd64)
+
+docs:
+  <<: *default_triggering_rules
+  <<: *base_image
+  stage: docs
+  before_script:
+    - test -w "${CCACHE_DIR}" && export PATH="/usr/lib/ccache:${PATH}"
+    - test -n "${OOT_BUILD_WORKSPACE}" && mkdir "${OOT_BUILD_WORKSPACE}" && cd "${OOT_BUILD_WORKSPACE}"
+  script:
+    - *configure
+    - make maintainer-clean
+    - autoreconf2.69 -fi
+    - *configure
+    - make -j${BUILD_PARALLEL_JOBS:-1} all V=1
+    - make -j${BUILD_PARALLEL_JOBS:-1} doc V=1
+    - if test "$(git status --porcelain | grep -Ev '\?\?' | grep -v -F -e aclocal.m4 -e configure -e ltmain.sh -e m4/ | wc -l)" -gt "0"; then git status --short; exit 1; fi
+    - qpdf --check doc/arm/_build/latex/Bv9ARM.pdf
+    - find doc/man/ -maxdepth 1 -name "*.[0-9]" -exec mandoc -T lint "{}" \; | ( ! grep -v -e "skipping paragraph macro. sp after" -e "unknown font, skipping request. ft C" -e "input text line longer than 80 bytes" )
+  needs:
+    - job: autoreconf
+      artifacts: true
+  artifacts:
+    paths:
+      - doc/arm/
+      - doc/man/
+      - doc/misc/
+    when: always
+
+# Jobs for regular GCC builds on Alpine Linux 3.18 (amd64)
+
+gcc:alpine3.18:amd64:
+  variables:
+    CC: gcc
+    CFLAGS: "${CFLAGS_COMMON}"
+  <<: *alpine_3_18_amd64_image
+  <<: *build_job
+
+system:gcc:alpine3.18:amd64:
+  <<: *alpine_3_18_amd64_image
+  <<: *system_test_job
+  needs:
+    - job: gcc:alpine3.18:amd64
+      artifacts: true
+
+unit:gcc:alpine3.18:amd64:
+  <<: *alpine_3_18_amd64_image
+  <<: *unit_test_job
+  needs:
+    - job: gcc:alpine3.18:amd64
+      artifacts: true
+
+# Jobs for regular GCC builds on Oracle Linux 7 (amd64)
+
+gcc:oraclelinux7:amd64:
+  variables:
+    CC: gcc
+    # -Wno-address suppresses isc_buffer macro warnings
+    CFLAGS: "${CFLAGS_COMMON} -Wno-address"
+    EXTRA_CONFIGURE: "--with-libidn2"
+  <<: *oraclelinux_7_amd64_image
+  <<: *build_job
+
+system:gcc:oraclelinux7:amd64:
+  <<: *oraclelinux_7_amd64_image
+  <<: *system_test_job
+  needs:
+    - job: gcc:oraclelinux7:amd64
+      artifacts: true
+
+unit:gcc:oraclelinux7:amd64:
+  <<: *oraclelinux_7_amd64_image
+  <<: *unit_test_job
+  needs:
+    - job: gcc:oraclelinux7:amd64
+      artifacts: true
+
+# Jobs for regular GCC builds on Oracle Linux 8 (amd64)
+
+gcc:oraclelinux8:amd64:
+  variables:
+    CC: gcc
+    CFLAGS: "${CFLAGS_COMMON}"
+    EXTRA_CONFIGURE: "--enable-buffer-useinline --with-libidn2"
+  <<: *oraclelinux_8_amd64_image
+  <<: *build_job
+
+system:gcc:oraclelinux8:amd64:
+  <<: *oraclelinux_8_amd64_image
+  <<: *system_test_job
+  needs:
+    - job: gcc:oraclelinux8:amd64
+      artifacts: true
+
+unit:gcc:oraclelinux8:amd64:
+  <<: *oraclelinux_8_amd64_image
+  <<: *unit_test_job
+  needs:
+    - job: gcc:oraclelinux8:amd64
+      artifacts: true
+
+# Jobs for regular GCC builds on Oracle Linux 9 (amd64)
+
+gcc:oraclelinux9:amd64:
+  variables:
+    CC: gcc
+    CFLAGS: "${CFLAGS_COMMON}"
+    EXTRA_CONFIGURE: "--with-libidn2 --disable-developer"
+  <<: *oraclelinux_9_amd64_image
+  <<: *build_job
+
+system:gcc:oraclelinux9:amd64:
+  <<: *oraclelinux_9_amd64_image
+  <<: *system_test_job
+  needs:
+    - job: gcc:oraclelinux9:amd64
+      artifacts: true
+
+unit:gcc:oraclelinux9:amd64:
+  <<: *oraclelinux_9_amd64_image
+  <<: *unit_test_job
+  needs:
+    - job: gcc:oraclelinux9:amd64
+      artifacts: true
+
+gcc:tarball:nosphinx:
+  variables:
+    CC: gcc
+    CFLAGS: "${CFLAGS_COMMON}"
+    EXTRA_CONFIGURE: "--with-libidn2 --disable-developer"
+    RUN_MAKE_INSTALL: 1
+  <<: *oraclelinux_9_amd64_image
+  <<: *build_job
+  before_script:
+    - (! command -v sphinx-build >/dev/null)
+    - tar --extract --file bind-*.tar.${TARBALL_EXTENSION}
+    - rm -f bind-*.tar.${TARBALL_EXTENSION}
+    - cd bind-*
+  needs:
+    - job: tarball-create
+      artifacts: true
+
+# Jobs for regular GCC builds on Debian 10 "buster" (amd64)
+
+gcc:buster:amd64:
+  variables:
+    CC: gcc
+    CFLAGS: "${CFLAGS_COMMON}"
+    EXTRA_CONFIGURE: "--with-libidn2"
+  <<: *debian_buster_amd64_image
+  <<: *build_job
+  <<: *api_schedules_tags_triggers_web_triggering_rules
+
+system:gcc:buster:amd64:
+  <<: *debian_buster_amd64_image
+  <<: *system_test_job
+  <<: *api_schedules_tags_triggers_web_triggering_rules
+  needs:
+    - job: gcc:buster:amd64
+      artifacts: true
+
+unit:gcc:buster:amd64:
+  <<: *debian_buster_amd64_image
+  <<: *unit_test_job
+  <<: *api_schedules_tags_triggers_web_triggering_rules
+  needs:
+    - job: gcc:buster:amd64
+      artifacts: true
+
+# Jobs for Debian 11 "bullseye" (amd64)
+
+clang:bullseye:amd64:
+  variables:
+    CC: ${CLANG}
+    CFLAGS: "${CFLAGS_COMMON} -Wenum-conversion"
+  <<: *debian_bullseye_amd64_image
+  <<: *build_job
+
+system:clang:bullseye:amd64:
+  <<: *debian_bullseye_amd64_image
+  <<: *system_test_job
+  needs:
+    - job: clang:bullseye:amd64
+      artifacts: true
+
+unit:clang:bullseye:amd64:
+  <<: *debian_bullseye_amd64_image
+  <<: *unit_test_job
+  needs:
+    - job: clang:bullseye:amd64
+      artifacts: true
+
+gcc:bullseye:amd64:
+  variables:
+    CC: gcc
+    CFLAGS: "${CFLAGS_COMMON}"
+    EXTRA_CONFIGURE: "--with-libidn2"
+  <<: *debian_bullseye_amd64_image
+  <<: *build_job
+
+system:gcc:bullseye:amd64:
+  <<: *debian_bullseye_amd64_image
+  <<: *system_test_job
+  needs:
+    - job: gcc:bullseye:amd64
+      artifacts: true
+
+unit:gcc:bullseye:amd64:
+  <<: *debian_bullseye_amd64_image
+  <<: *unit_test_job
+  needs:
+    - job: gcc:bullseye:amd64
+      artifacts: true
+
+# Jobs for regular GCC builds on Debian 12 "bookworm" (amd64)
+
+gcc:bookworm:amd64:
+  variables:
+    BUILD_CONTRIB: 1
+    CC: gcc
+    CFLAGS: "${CFLAGS_COMMON} --coverage -O0"
+    EXTRA_CONFIGURE: "--with-libidn2"
+    LDFLAGS: "--coverage"
+    RUN_MAKE_INSTALL: 1
+  <<: *debian_bookworm_amd64_image
+  <<: *build_job
+
+system:gcc:bookworm:amd64:
+  <<: *debian_bookworm_amd64_image
+  <<: *system_test_gcov_job
+  variables:
+    CI_ENABLE_ALL_TESTS: 1
+  needs:
+    - job: unit:gcc:bookworm:amd64
+      artifacts: true
+
+unit:gcc:bookworm:amd64:
+  <<: *debian_bookworm_amd64_image
+  <<: *unit_test_gcov_job
+  variables:
+    CI_ENABLE_ALL_TESTS: 1
+  needs:
+    - job: gcc:bookworm:amd64
+      artifacts: true
+
+# Build job for cross-compiled GCC builds on 64-bit Debian 12 "bookworm"
+# (amd64) with 32-bit BIND 9.
+
+gcc:bookworm:amd64cross32:
+  variables:
+    BUILD_CC: gcc
+    BUILD_CFLAGS: "${CFLAGS_COMMON}"
+    CFLAGS: "${CFLAGS_COMMON}"
+    CROSS_COMPILATION: 1
+    EXTRA_CONFIGURE: "--build=x86_64-linux-gnu --host=i686-linux-gnu --with-libidn2"
+  <<: *debian_bookworm_amd64cross32_image
+  <<: *build_job
+
+# Jobs for scan-build builds on Debian 12 "bookworm" (amd64)
+
+.scan_build: &scan_build
+  - ${SCAN_BUILD} --html-title="BIND 9 ($CI_COMMIT_SHORT_SHA)"
+                  --keep-cc
+                  --status-bugs
+                  --keep-going
+                  -o scan-build.reports make -j${BUILD_PARALLEL_JOBS:-1} all V=1
+
+scan-build:
+  <<: *default_triggering_rules
+  <<: *base_image
+  stage: postcheck
+  variables:
+    CC: "${CLANG}"
+    CFLAGS: "${CFLAGS_COMMON}"
+    CONFIGURE: "${SCAN_BUILD} ./configure"
+    EXTRA_CONFIGURE: "--with-libidn2"
+  script:
+    - *configure
+    - *scan_build
+  needs:
+    - job: autoreconf
+      artifacts: true
+  artifacts:
+    paths:
+      - scan-build.reports/
+    when: on_failure
+
+# Jobs for regular GCC builds on Debian "sid" (amd64)
+# Also tests configration option: --without-lmdb.
+
+gcc:sid:amd64:
+  variables:
+    CC: gcc
+    CFLAGS: "${CFLAGS_COMMON} -O3"
+    EXTRA_CONFIGURE: "--with-libidn2 --without-lmdb"
+    RUN_MAKE_INSTALL: 1
+  <<: *debian_sid_amd64_image
+  <<: *build_job
+
+system:gcc:sid:amd64:
+  <<: *debian_sid_amd64_image
+  <<: *system_test_job
+  needs:
+    - job: gcc:sid:amd64
+      artifacts: true
+
+unit:gcc:sid:amd64:
+  <<: *debian_sid_amd64_image
+  <<: *unit_test_job
+  needs:
+    - job: gcc:sid:amd64
+      artifacts: true
+
+# Job for out-of-tree GCC build on Debian 12 "bookworm" (amd64)
+# Also tests configration option: --with-lmdb.
+
+gcc:out-of-tree:
+  variables:
+    CC: gcc
+    CFLAGS: "${CFLAGS_COMMON} -Og"
+    CONFIGURE: ../configure
+    EXTRA_CONFIGURE: "--with-libidn2 --with-lmdb"
+    SKIP_MAKE_DEPEND: 1
+    RUN_MAKE_INSTALL: 1
+    OOT_BUILD_WORKSPACE: workspace
+  <<: *base_image
+  <<: *build_job
+
+# Jobs for tarball GCC builds on Debian 12 "bookworm" (amd64)
+
+gcc:tarball:
+  variables:
+    CC: gcc
+    EXTRA_CONFIGURE: "--with-libidn2"
+    RUN_MAKE_INSTALL: 1
+  <<: *base_image
+  <<: *build_job
+  before_script:
+    - tar --extract --file bind-*.tar.${TARBALL_EXTENSION}
+    - rm -f bind-*.tar.${TARBALL_EXTENSION}
+    - cd bind-*
+  needs:
+    - job: tarball-create
+      artifacts: true
+
+system:gcc:tarball:
+  <<: *base_image
+  <<: *system_test_job
+  <<: *api_schedules_tags_triggers_web_triggering_rules
+  before_script:
+    - cd bind-*
+    - *setup_interfaces
+  needs:
+    - job: gcc:tarball
+      artifacts: true
+
+unit:gcc:tarball:
+  <<: *base_image
+  <<: *unit_test_job
+  <<: *api_schedules_tags_triggers_web_triggering_rules
+  before_script:
+    - cd bind-*
+  needs:
+    - job: gcc:tarball
+      artifacts: true
+
+# Jobs for debug GCC builds on openSUSE Tumbleweed (amd64)
+
+gcc:tumbleweed:amd64:
+  variables:
+    CC: gcc
+    CFLAGS: "${CFLAGS_COMMON} -DDEBUG"
+    EXTRA_CONFIGURE: "--with-libidn2"
+  <<: *tumbleweed_latest_amd64_image
+  <<: *build_job
+
+system:gcc:tumbleweed:amd64:
+  <<: *tumbleweed_latest_amd64_image
+  <<: *system_test_job
+  needs:
+    - job: gcc:tumbleweed:amd64
+      artifacts: true
+
+unit:gcc:tumbleweed:amd64:
+  <<: *tumbleweed_latest_amd64_image
+  <<: *unit_test_job
+  needs:
+    - job: gcc:tumbleweed:amd64
+      artifacts: true
+
+# Jobs for regular GCC builds on Ubuntu 18.04 Bionic Beaver (amd64)
+
+gcc:bionic:amd64:
+  variables:
+    CC: gcc
+    CFLAGS: "${CFLAGS_COMMON} -O2"
+    EXTRA_CONFIGURE: "--disable-dnstap --with-gssapi --without-cmocka"
+  <<: *ubuntu_bionic_amd64_image
+  <<: *build_job
+  <<: *api_schedules_tags_triggers_web_triggering_rules
+
+system:gcc:bionic:amd64:
+  <<: *ubuntu_bionic_amd64_image
+  <<: *system_test_job
+  <<: *api_schedules_tags_triggers_web_triggering_rules
+  needs:
+    - job: gcc:bionic:amd64
+      artifacts: true
+
+# Jobs for regular GCC builds on Ubuntu 20.04 Focal Fossa (amd64)
+
+gcc:focal:amd64:
+  variables:
+    CC: gcc
+    CFLAGS: "${CFLAGS_COMMON} -Og"
+    EXTRA_CONFIGURE: "--with-libidn2 --with-gssapi=/usr --disable-geoip"
+  <<: *ubuntu_focal_amd64_image
+  <<: *build_job
+
+system:gcc:focal:amd64:
+  <<: *ubuntu_focal_amd64_image
+  <<: *system_test_job
+  needs:
+    - job: gcc:focal:amd64
+      artifacts: true
+
+unit:gcc:focal:amd64:
+  <<: *ubuntu_focal_amd64_image
+  <<: *unit_test_job
+  needs:
+    - job: gcc:focal:amd64
+      artifacts: true
+
+# Jobs for regular GCC builds on Ubuntu 22.04 Jammy Jellyfish (amd64)
+
+gcc:jammy:amd64:
+  variables:
+    CC: gcc
+    CFLAGS: "${CFLAGS_COMMON}"
+    EXTRA_CONFIGURE: "--with-libidn2"
+  <<: *ubuntu_jammy_amd64_image
+  <<: *build_job
+
+system:gcc:jammy:amd64:
+  <<: *ubuntu_jammy_amd64_image
+  <<: *system_test_job
+  needs:
+    - job: gcc:jammy:amd64
+      artifacts: true
+
+unit:gcc:jammy:amd64:
+  <<: *ubuntu_jammy_amd64_image
+  <<: *unit_test_job
+  needs:
+    - job: gcc:jammy:amd64
+      artifacts: true
+
+# Jobs for ASAN builds on Fedora 38 (amd64)
+
+gcc:asan:
+  variables:
+    CC: gcc
+    CFLAGS: "${CFLAGS_COMMON} -fsanitize=address,undefined -DISC_MEM_USE_INTERNAL_MALLOC=0"
+    LDFLAGS: "-fsanitize=address,undefined"
+    EXTRA_CONFIGURE: "--with-libidn2"
+  <<: *fedora_38_amd64_image
+  <<: *build_job
+
+system:gcc:asan:
+  <<: *fedora_38_amd64_image
+  <<: *system_test_job
+  needs:
+    - job: gcc:asan
+      artifacts: true
+
+unit:gcc:asan:
+  <<: *fedora_38_amd64_image
+  <<: *unit_test_job
+  needs:
+    - job: gcc:asan
+      artifacts: true
+
+clang:asan:
+  variables:
+    CC: ${CLANG}
+    CFLAGS: "${CFLAGS_COMMON} -fsanitize=address,undefined -DISC_MEM_USE_INTERNAL_MALLOC=0"
+    LDFLAGS: "-fsanitize=address,undefined"
+    EXTRA_CONFIGURE: "--with-libidn2"
+  <<: *base_image
+  <<: *build_job
+
+system:clang:asan:
+  <<: *base_image
+  <<: *system_test_job
+  needs:
+    - job: clang:asan
+      artifacts: true
+
+unit:clang:asan:
+  <<: *base_image
+  <<: *unit_test_job
+  needs:
+    - job: clang:asan
+      artifacts: true
+
+# Jobs for TSAN builds on Fedora 38 (amd64)
+
+gcc:tsan:
+  variables:
+    CC: gcc
+    CFLAGS: "${CFLAGS_COMMON} -fsanitize=thread -DISC_MEM_USE_INTERNAL_MALLOC=0"
+    LDFLAGS: "-fsanitize=thread"
+    EXTRA_CONFIGURE: "--with-libidn2 --enable-pthread-rwlock"
+  <<: *tsan_fedora_38_amd64_image
+  <<: *build_job
+
+system:gcc:tsan:
+  variables:
+    TSAN_OPTIONS: "${TSAN_OPTIONS_FEDORA}"
+  <<: *tsan_fedora_38_amd64_image
+  <<: *system_test_tsan_job
+  needs:
+    - job: gcc:tsan
+      artifacts: true
+
+unit:gcc:tsan:
+  variables:
+    TSAN_OPTIONS: "${TSAN_OPTIONS_FEDORA}"
+  <<: *tsan_fedora_38_amd64_image
+  <<: *unit_test_tsan_job
+  needs:
+    - job: gcc:tsan
+      artifacts: true
+
+clang:tsan:
+  <<: *tsan_debian_bookworm_amd64_image
+  <<: *build_job
+  variables:
+    CC: "${CLANG}"
+    CFLAGS: "${CFLAGS_COMMON} -fsanitize=thread -DISC_MEM_USE_INTERNAL_MALLOC=0"
+    LDFLAGS: "-fsanitize=thread"
+    EXTRA_CONFIGURE: "--with-libidn2 --enable-pthread-rwlock"
+
+system:clang:tsan:
+  variables:
+    TSAN_OPTIONS: "${TSAN_OPTIONS_DEBIAN}"
+  <<: *tsan_debian_bookworm_amd64_image
+  <<: *system_test_tsan_job
+  needs:
+    - job: clang:tsan
+      artifacts: true
+
+unit:clang:tsan:
+  variables:
+    TSAN_OPTIONS: "${TSAN_OPTIONS_DEBIAN}"
+  <<: *tsan_debian_bookworm_amd64_image
+  <<: *unit_test_tsan_job
+  needs:
+    - job: clang:tsan
+      artifacts: true
+
+# Jobs for Clang builds on Debian 12 "bookworm" (amd64)
+
+clang:bookworm:amd64:
+  variables:
+    BUILD_CONTRIB: 1
+    CC: ${CLANG}
+    CFLAGS: "${CFLAGS_COMMON} -Wenum-conversion"
+    EXTRA_CONFIGURE: "--with-python=python3"
+    RUN_MAKE_INSTALL: 1
+  <<: *debian_bookworm_amd64_image
+  <<: *build_job
+
+system:clang:bookworm:amd64:
+  <<: *debian_bookworm_amd64_image
+  <<: *system_test_job
+  needs:
+    - job: clang:bookworm:amd64
+      artifacts: true
+
+unit:clang:bookworm:amd64:
+  <<: *debian_bookworm_amd64_image
+  <<: *unit_test_job
+  needs:
+    - job: clang:bookworm:amd64
+      artifacts: true
+
+# Jobs for PKCS#11-enabled builds
+
+clang:softhsm2.6:
+  variables:
+    CC: "${CLANG}"
+    CFLAGS: "${CFLAGS_COMMON} -O1"
+    EXTRA_CONFIGURE: "--with-libidn2 --enable-native-pkcs11 --with-pkcs11=/usr/lib/softhsm/libsofthsm2.so"
+  <<: *debian_bullseye_amd64_image
+  <<: *build_job
+
+system:clang:softhsm2.6:
+  variables:
+    DISABLE_ALGORITHM_SUPPORT_CHECKING: 1
+  <<: *debian_bullseye_amd64_image
+  <<: *system_test_job
+  needs:
+    - job: clang:softhsm2.6
+      artifacts: true
+
+unit:clang:softhsm2.6:
+  <<: *debian_bullseye_amd64_image
+  <<: *unit_test_job
+  needs:
+    - job: clang:softhsm2.6
+      artifacts: true
+
+gcc:softhsm2.6:
+  variables:
+    CC: gcc
+    CFLAGS: "${CFLAGS_COMMON} -O1"
+    EXTRA_CONFIGURE: "--with-libidn2 --enable-native-pkcs11 --with-pkcs11=/usr/lib/softhsm/libsofthsm2.so"
+  <<: *debian_bookworm_amd64_image
+  <<: *build_job
+
+system:gcc:softhsm2.6:
+  variables:
+    DISABLE_ALGORITHM_SUPPORT_CHECKING: 1
+  <<: *debian_bookworm_amd64_image
+  <<: *system_test_job
+  needs:
+    - job: gcc:softhsm2.6
+      artifacts: true
+
+unit:gcc:softhsm2.6:
+  <<: *debian_bookworm_amd64_image
+  <<: *unit_test_job
+  needs:
+    - job: gcc:softhsm2.6
+      artifacts: true
+
+# Jobs for Clang builds on FreeBSD 12 (amd64)
+
+clang:freebsd12:amd64:
+  variables:
+    CFLAGS: "${CFLAGS_COMMON}"
+    EXTRA_CONFIGURE: "--with-gssapi=krb5-config"
+    USER: gitlab-runner
+  <<: *freebsd_12_amd64_image
+  <<: *build_job
+
+system:clang:freebsd12:amd64:
+  <<: *freebsd_12_amd64_image
+  <<: *system_test_job
+  variables:
+    USER: gitlab-runner
+  needs:
+    - job: clang:freebsd12:amd64
+      artifacts: true
+
+unit:clang:freebsd12:amd64:
+  <<: *freebsd_12_amd64_image
+  <<: *unit_test_job
+  needs:
+    - job: clang:freebsd12:amd64
+      artifacts: true
+
+# Jobs for Clang builds on FreeBSD 13 (amd64)
+
+clang:freebsd13:amd64:
+  variables:
+    CFLAGS: "${CFLAGS_COMMON}"
+    EXTRA_CONFIGURE: "--with-gssapi=/usr/bin/krb5-config"
+    USER: gitlab-runner
+  <<: *freebsd_13_amd64_image
+  <<: *build_job
+
+system:clang:freebsd13:amd64:
+  <<: *freebsd_13_amd64_image
+  <<: *system_test_job
+  variables:
+    USER: gitlab-runner
+  needs:
+    - job: clang:freebsd13:amd64
+      artifacts: true
+
+unit:clang:freebsd13:amd64:
+  <<: *freebsd_13_amd64_image
+  <<: *unit_test_job
+  needs:
+    - job: clang:freebsd13:amd64
+      artifacts: true
+
+# Jobs for Clang builds on OpenBSD (amd64)
+
+clang:openbsd:amd64:
+  variables:
+    CC: clang
+    USER: gitlab-runner
+    EXTRA_CONFIGURE: "--disable-dnstap"
+  <<: *openbsd_amd64_image
+  <<: *build_job
+
+system:clang:openbsd:amd64:
+  <<: *openbsd_amd64_image
+  <<: *system_test_job
+  <<: *api_schedules_triggers_web_triggering_rules
+  variables:
+    USER: gitlab-runner
+  needs:
+    - job: clang:openbsd:amd64
+      artifacts: true
+  allow_failure: true
+
+# Jobs with libtool disabled
+
+nolibtool:sid:amd64:
+  variables:
+    CC: gcc
+    CFLAGS: "${CFLAGS_COMMON}"
+    EXTRA_CONFIGURE: "--with-libidn2 --without-libtool --with-dlopen"
+  <<: *debian_sid_amd64_image
+  <<: *build_job
+
+system:nolibtool:sid:amd64:
+  <<: *debian_sid_amd64_image
+  <<: *system_test_job
+  needs:
+    - job: nolibtool:sid:amd64
+      artifacts: true
+
+unit:nolibtool:sid:amd64:
+  <<: *debian_sid_amd64_image
+  <<: *unit_test_job
+  needs:
+    - job: nolibtool:sid:amd64
+      artifacts: true
+
+# Jobs for Visual Studio 2017 builds on Windows (amd64)
+
+msvc:windows:amd64:
+  <<: *windows_server_2016_amd64_image
+  <<: *windows_build_job
+  <<: *default_triggering_rules
+  variables:
+    VSCONF: Release
+
+system:msvc:windows:amd64:
+  <<: *windows_server_2016_amd64_image
+  <<: *windows_system_test_job
+  <<: *default_triggering_rules
+  variables:
+    VSCONF: Release
+  needs:
+    - job: msvc:windows:amd64
+      artifacts: true
+
+msvc-debug:windows:amd64:
+  <<: *windows_server_2016_amd64_image
+  <<: *windows_build_job
+  <<: *api_schedules_tags_triggers_web_triggering_rules
+  variables:
+    VSCONF: Debug
+
+system:msvc-debug:windows:amd64:
+  <<: *windows_server_2016_amd64_image
+  <<: *windows_system_test_job
+  <<: *api_schedules_tags_triggers_web_triggering_rules
+  variables:
+    VSCONF: Debug
+  needs:
+    - job: msvc-debug:windows:amd64
+      artifacts: true
+
+# Job producing a release tarball
+
+release:
+  <<: *base_image
+  stage: release
+  script:
+    # Determine BIND version
+    - source version
+    - export BIND_DIRECTORY="bind-${MAJORVER}.${MINORVER}.${PATCHVER}${RELEASETYPE}${RELEASEVER}"
+    # Remove redundant files and system test utilities from Windows build artifacts
+    - find Build/Release/ -name "*.pdb" -print -delete
+    - find Build/Debug/ \( -name "*.bsc" -o -name "*.idb" \) -print -delete
+    - find Build/ -regextype posix-extended -regex "Build/.*/($(find bin/tests/ -type f | sed -nE "s|^bin/tests(/system)?/win32/(.*)\.vcxproj$|\2|p" | paste -d"|" -s))\..*" -print -delete
+    # Create Windows zips
+    - openssl dgst -sha256 "${BIND_DIRECTORY}.tar.${TARBALL_EXTENSION}" | tee Build/Release/SHA256 Build/Debug/SHA256
+    - cp "doc/arm/_build/latex/Bv9ARM.pdf" Build/Release/
+    - cp "doc/arm/_build/latex/Bv9ARM.pdf" Build/Debug/
+    - ( cd Build/Release; zip "../../BIND${BIND_DIRECTORY#bind-}.x64.zip" * )
+    - ( cd Build/Debug; zip "../../BIND${BIND_DIRECTORY#bind-}.debug.x64.zip" * )
+    # Prepare release tarball contents (tarballs + zips + documentation)
+    - mkdir -p release/doc/arm
+    - pushd release
+    - mv "../${BIND_DIRECTORY}.tar.${TARBALL_EXTENSION}" ../BIND*.zip .
+    - tar --extract --file="${BIND_DIRECTORY}.tar.${TARBALL_EXTENSION}"
+    - mv "${BIND_DIRECTORY}"/{CHANGES*,COPYRIGHT,LICENSE,README,srcid} .
+    - rm -rf "${BIND_DIRECTORY}"
+    - mv "../doc/arm/_build/html" doc/arm/
+    - mv "../doc/arm/_build/latex/Bv9ARM.pdf" doc/arm/
+    - echo '<!DOCTYPE HTML><html lang="en"><meta http-equiv="refresh" content="0; url=doc/arm/html/notes.html"><title>Redirect</title></html>' > "RELEASE-NOTES-${BIND_DIRECTORY}.html"
+    - popd
+    # Create release tarball
+    - tar --create --file="${CI_COMMIT_TAG}.tar.gz" --gzip release/
+  needs:
+    - job: tarball-create
+      artifacts: true
+    - job: msvc:windows:amd64
+      artifacts: true
+    - job: msvc-debug:windows:amd64
+      artifacts: true
+    - job: docs
+      artifacts: true
+  only:
+    - tags
+  artifacts:
+    paths:
+      - "*.tar.gz"
+    expire_in: never
+
+# Coverity Scan analysis upload
+
+.coverity_prep: &coverity_prep
+  - curl --output /tmp/cov-analysis-linux64.md5 https://scan.coverity.com/download/linux64
+         --form project=$COVERITY_SCAN_PROJECT_NAME
+         --form token=$COVERITY_SCAN_TOKEN
+         --form md5=1
+  - curl --output /tmp/cov-analysis-linux64.tgz https://scan.coverity.com/download/linux64
+         --form project=$COVERITY_SCAN_PROJECT_NAME
+         --form token=$COVERITY_SCAN_TOKEN
+  - test "$(md5sum /tmp/cov-analysis-linux64.tgz | awk '{ print $1 }')" = "$(cat /tmp/cov-analysis-linux64.md5)"
+  - tar --extract --gzip --file=/tmp/cov-analysis-linux64.tgz --directory=/tmp
+  - test -d /tmp/cov-analysis-linux64-*
+
+.coverity_build: &coverity_build
+  - /tmp/cov-analysis-linux64-*/bin/cov-build --dir /tmp/cov-int --fs-capture-search . sh -c 'make -j${BUILD_PARALLEL_JOBS:-1} -k all V=1'
+  - tar --create --gzip --file=/tmp/cov-int.tar.gz --directory /tmp cov-int
+  - curl -v https://scan.coverity.com/builds?project=$COVERITY_SCAN_PROJECT_NAME
+        --form token=$COVERITY_SCAN_TOKEN
+        --form email=bind-changes@isc.org
+        --form file=@/tmp/cov-int.tar.gz
+        --form version="$(git rev-parse --short HEAD)"
+        --form description="$(git rev-parse --short HEAD) / $CI_COMMIT_TITLE / $CI_COMMIT_REF_NAME:$CI_PIPELINE_ID" 2>&1
+        | tee curl-response.txt
+  - grep -q 'Build successfully submitted' curl-response.txt
+
+coverity:
+  <<: *base_image
+  stage: postcheck
+  variables:
+    CC: gcc
+    CFLAGS: "${CFLAGS_COMMON} -Og"
+    EXTRA_CONFIGURE: "--with-libidn2"
+  script:
+    - *coverity_prep
+    - *configure
+    - *coverity_build
+  after_script:
+    - mv -v /tmp/cov-int.tar.gz ${CI_PROJECT_DIR}/
+  needs:
+    - job: autoreconf
+      artifacts: true
+  artifacts:
+    paths:
+      - curl-response.txt
+      - cov-int.tar.gz
+    expire_in: "1 week"
+    when: on_failure
+  only:
+    variables:
+      - $COVERITY_SCAN_PROJECT_NAME
+      - $COVERITY_SCAN_TOKEN
+
+# Respdiff tests
+
+respdiff-short:
+  <<: *respdiff_job
+  <<: *default_triggering_rules
+  <<: *debian_bookworm_amd64_image
+  variables:
+    CC: gcc
+    CFLAGS: "${CFLAGS_COMMON} -Og"
+    MAX_DISAGREEMENTS_PERCENTAGE: "0.1"
+  script:
+    - bash respdiff.sh -s named -q "${PWD}/10k_a.txt" -c 3 -w "${PWD}/rspworkdir" "${CI_PROJECT_DIR}" "/usr/local/respdiff-reference-bind/sbin/named"
+
+respdiff-short:asan:
+  <<: *respdiff_job
+  <<: *default_triggering_rules
+  <<: *debian_bookworm_amd64_image
+  variables:
+    CC: gcc
+    CFLAGS: "${CFLAGS_COMMON} -Og -fsanitize=address,undefined -DISC_MEM_USE_INTERNAL_MALLOC=0"
+    LDFLAGS: "-fsanitize=address,undefined"
+    MAX_DISAGREEMENTS_PERCENTAGE: "0.1"
+  script:
+    - bash respdiff.sh -s named -q "${PWD}/10k_a.txt" -c 3 -w "${PWD}/rspworkdir" "${CI_PROJECT_DIR}" "/usr/local/respdiff-reference-bind/sbin/named"
+
+respdiff-short:tsan:
+  <<: *respdiff_job
+  <<: *default_triggering_rules
+  <<: *tsan_debian_bookworm_amd64_image
+  variables:
+    CC: gcc
+    CFLAGS: "${CFLAGS_COMMON} -Og -fsanitize=thread -DISC_MEM_USE_INTERNAL_MALLOC=0"
+    LDFLAGS: "-fsanitize=thread"
+    EXTRA_CONFIGURE: "--enable-pthread-rwlock"
+    MAX_DISAGREEMENTS_PERCENTAGE: "0.1"
+    TSAN_OPTIONS: "${TSAN_OPTIONS_DEBIAN}"
+    RESPDIFF_JOBS: 32
+  script:
+    - bash respdiff.sh -s named -q "${PWD}/10k_a.txt" -c 3 -w "${PWD}/rspworkdir" "${CI_PROJECT_DIR}" "/usr/local/respdiff-reference-bind/sbin/named"
+  after_script:
+    - *parse_tsan
+
+respdiff-long:
+  <<: *respdiff_job
+  <<: *api_schedules_tags_triggers_web_triggering_rules
+  <<: *respdiff_debian_bookworm_amd64_image
+  variables:
+    CC: gcc
+    CFLAGS: "${CFLAGS_COMMON} -Og"
+    MAX_DISAGREEMENTS_PERCENTAGE: "0.1"
+  script:
+    - bash respdiff.sh -s named -q "${PWD}/100k_mixed.txt" -c 3 -w "${PWD}/rspworkdir" "${CI_PROJECT_DIR}" "/usr/local/respdiff-reference-bind/sbin/named"
+
+respdiff-long:asan:
+  <<: *respdiff_job
+  <<: *api_schedules_tags_triggers_web_triggering_rules
+  <<: *debian_bookworm_amd64_image
+  variables:
+    CC: gcc
+    CFLAGS: "${CFLAGS_COMMON} -Og -fsanitize=address,undefined -DISC_MEM_USE_INTERNAL_MALLOC=0"
+    LDFLAGS: "-fsanitize=address,undefined"
+    MAX_DISAGREEMENTS_PERCENTAGE: "0.1"
+  script:
+    - bash respdiff.sh -s named -q "${PWD}/100k_mixed.txt" -c 3 -w "${PWD}/rspworkdir" "${CI_PROJECT_DIR}" "/usr/local/respdiff-reference-bind/sbin/named"
+
+respdiff-long:tsan:
+  <<: *respdiff_job
+  <<: *api_schedules_tags_triggers_web_triggering_rules
+  <<: *tsan_debian_bookworm_amd64_image
+  variables:
+    CC: gcc
+    CFLAGS: "${CFLAGS_COMMON} -Og -fsanitize=thread -DISC_MEM_USE_INTERNAL_MALLOC=0"
+    LDFLAGS: "-fsanitize=thread"
+    EXTRA_CONFIGURE: "--enable-pthread-rwlock"
+    MAX_DISAGREEMENTS_PERCENTAGE: "0.1"
+    TSAN_OPTIONS: "${TSAN_OPTIONS_DEBIAN}"
+    RESPDIFF_JOBS: 32
+  script:
+    - bash respdiff.sh -s named -q "${PWD}/100k_mixed.txt" -c 3 -w "${PWD}/rspworkdir" "${CI_PROJECT_DIR}" "/usr/local/respdiff-reference-bind/sbin/named"
+  after_script:
+    - *parse_tsan
+
+respdiff-long-third-party:
+  <<: *respdiff_job
+  <<: *api_schedules_tags_triggers_web_triggering_rules
+  <<: *debian_bookworm_amd64_image
+  variables:
+    CC: gcc
+    CFLAGS: "${CFLAGS_COMMON} -Og"
+    MAX_DISAGREEMENTS_PERCENTAGE: "0.2"
+  script:
+    - bash respdiff.sh -s third_party -q "${PWD}/100k_mixed.txt" -c 1 -w "${PWD}/rspworkdir" "${CI_PROJECT_DIR}"
+
+# "Stress" tests
+
+# Parallel build in the "make" step is avoided since multiple jobs can be
+# executed concurrently on the same runner. This may present problems when one
+# job runs a performance-sensitive task of replying to queries while another
+# takes all cores to build BIND.
+.stress: &stress_job
+  stage: performance
+  script:
+    - *configure
+    - *setup_interfaces
+    - *setup_softhsm
+    - make -k all V=1
+    - make DESTDIR="${INSTALL_PATH}" install
+    - git clone --depth 1 https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.isc.org/isc-private/bind-qa.git
+    - cd bind-qa/bind9/stress
+    - LD_LIBRARY_PATH="${INSTALL_PATH}/usr/local/lib" BIND_INSTALL_PATH="${INSTALL_PATH}/usr/local" WORKSPACE="${CI_PROJECT_DIR}" bash stress.sh
+  needs:
+    - job: autoreconf
+      artifacts: true
+  artifacts:
+    untracked: true
+    expire_in: "1 week"
+    when: always
+  timeout: 2h
+
+stress:authoritative:fedora:38:amd64:
+  <<: *fedora_38_amd64_image
+  <<: *linux_stress_amd64
+  <<: *stress_job
+  variables:
+    CC: gcc
+    CFLAGS: "${CFLAGS_COMMON} -Og"
+    FLAME: /usr/bin/flame
+    MODE: authoritative
+    RATE: 10000
+    RUN_TIME: 1
+  only:
+    variables:
+      - $CI_COMMIT_TAG || ($BIND_STRESS_TEST_OS =~ /linux/i && $BIND_STRESS_TEST_MODE =~ /authoritative/i && $BIND_STRESS_TEST_ARCH =~ /amd64/i)
+
+stress:recursive:fedora:38:amd64:
+  <<: *fedora_38_amd64_image
+  <<: *linux_stress_amd64
+  <<: *stress_job
+  variables:
+    CC: gcc
+    CFLAGS: "${CFLAGS_COMMON} -Og"
+    FLAME: /usr/bin/flame
+    MODE: recursive
+    RATE: 10000
+    RUN_TIME: 1
+  only:
+    variables:
+      - $CI_COMMIT_TAG || ($BIND_STRESS_TEST_OS =~ /linux/i && $BIND_STRESS_TEST_MODE =~ /recursive/i && $BIND_STRESS_TEST_ARCH =~ /amd64/i)
+
+stress:rpz:fedora:38:amd64:
+  <<: *fedora_38_amd64_image
+  <<: *linux_stress_amd64
+  <<: *stress_job
+  variables:
+    CC: gcc
+    CFLAGS: "${CFLAGS_COMMON} -Og"
+    FLAME: /usr/bin/flame
+    MODE: rpz
+    RATE: 1500
+    RUN_TIME: 1
+  only:
+    variables:
+      - $CI_COMMIT_TAG || ($BIND_STRESS_TEST_OS =~ /linux/i && $BIND_STRESS_TEST_MODE =~ /rpz/i && $BIND_STRESS_TEST_ARCH =~ /amd64/i)
+
+stress:authoritative:fedora:38:arm64:
+  <<: *fedora_38_arm64_image
+  <<: *linux_stress_arm64
+  <<: *stress_job
+  variables:
+    CC: gcc
+    CFLAGS: "${CFLAGS_COMMON} -Og"
+    FLAME: /usr/bin/flame
+    MODE: authoritative
+    RATE: 10000
+    RUN_TIME: 1
+  only:
+    variables:
+      - $CI_COMMIT_TAG || ($BIND_STRESS_TEST_OS =~ /linux/i && $BIND_STRESS_TEST_MODE =~ /authoritative/i && $BIND_STRESS_TEST_ARCH =~ /arm64/i)
+
+stress:recursive:fedora:38:arm64:
+  <<: *fedora_38_arm64_image
+  <<: *linux_stress_arm64
+  <<: *stress_job
+  variables:
+    CC: gcc
+    CFLAGS: "${CFLAGS_COMMON} -Og"
+    FLAME: /usr/bin/flame
+    MODE: recursive
+    RATE: 10000
+    RUN_TIME: 1
+  only:
+    variables:
+      - $CI_COMMIT_TAG || ($BIND_STRESS_TEST_OS =~ /linux/i && $BIND_STRESS_TEST_MODE =~ /recursive/i && $BIND_STRESS_TEST_ARCH =~ /arm64/i)
+
+stress:rpz:fedora:38:arm64:
+  <<: *fedora_38_arm64_image
+  <<: *linux_stress_arm64
+  <<: *stress_job
+  variables:
+    CC: gcc
+    CFLAGS: "${CFLAGS_COMMON} -Og"
+    FLAME: /usr/bin/flame
+    MODE: rpz
+    RATE: 1500
+    RUN_TIME: 1
+  only:
+    variables:
+      - $CI_COMMIT_TAG || ($BIND_STRESS_TEST_OS =~ /linux/i && $BIND_STRESS_TEST_MODE =~ /rpz/i && $BIND_STRESS_TEST_ARCH =~ /arm64/i)
+
+stress:authoritative:freebsd12:amd64:
+  <<: *freebsd_12_amd64_image
+  <<: *freebsd_stress_amd64
+  <<: *stress_job
+  variables:
+    CC: clang
+    CFLAGS: "${CFLAGS_COMMON} -Og"
+    FLAME: /usr/local/bin/flame
+    MODE: authoritative
+    RATE: 10000
+    RUN_TIME: 1
+  only:
+    variables:
+      - $CI_COMMIT_TAG || ($BIND_STRESS_TEST_OS =~ /freebsd/i && $BIND_STRESS_TEST_MODE =~ /authoritative/i && $BIND_STRESS_TEST_ARCH =~ /amd64/i)
+
+stress:recursive:freebsd12:amd64:
+  <<: *freebsd_12_amd64_image
+  <<: *freebsd_stress_amd64
+  <<: *stress_job
+  variables:
+    CC: clang
+    CFLAGS: "${CFLAGS_COMMON} -Og"
+    FLAME: /usr/local/bin/flame
+    MODE: recursive
+    RATE: 10000
+    RUN_TIME: 1
+  only:
+    variables:
+      - $CI_COMMIT_TAG || ($BIND_STRESS_TEST_OS =~ /freebsd/i && $BIND_STRESS_TEST_MODE =~ /recursive/i && $BIND_STRESS_TEST_ARCH =~ /amd64/i)
+
+stress:rpz:freebsd12:amd64:
+  <<: *freebsd_12_amd64_image
+  <<: *freebsd_stress_amd64
+  <<: *stress_job
+  variables:
+    CC: clang
+    CFLAGS: "${CFLAGS_COMMON} -Og"
+    FLAME: /usr/local/bin/flame
+    MODE: rpz
+    RATE: 1500
+    RUN_TIME: 1
+  only:
+    variables:
+      - $CI_COMMIT_TAG || ($BIND_STRESS_TEST_OS =~ /freebsd/i && $BIND_STRESS_TEST_MODE =~ /rpz/i && $BIND_STRESS_TEST_ARCH =~ /amd64/i)
+
+gcov:
+  <<: *base_image
+  <<: *default_triggering_rules
+  stage: postcheck
+  needs:
+    - job: system:gcc:bookworm:amd64
+      artifacts: true
+  script:
+    # The "a-conftest.gcno" file is result of the ./configure step and
+    # should be removed as it does not belong to the BIND 9 code base.
+    - rm a-conftest.gcno
+    # Generate XML file in the Cobertura XML format suitable for use by GitLab
+    # for the purpose of displaying code coverage information in the diff view
+    # of a given merge request.
+    - gcovr --exclude-directories bin/tests --exclude-directories doc --exclude-directories fuzz --exclude tests --cobertura-pretty -o coverage.xml
+    - gcovr --exclude-directories bin/tests --exclude-directories doc --exclude-directories fuzz --exclude tests --html-details -o coverage.html
+    - gcovr --exclude-directories bin/tests --exclude-directories doc --exclude-directories fuzz --exclude tests --txt -o coverage.txt
+    - tail -n 3 coverage.txt
+  artifacts:
+    paths:
+      - coverage*.html
+      - coverage.css
+      - coverage.txt
+      - coverage.xml
+    reports:
+      coverage_report:
+        coverage_format: cobertura
+        path: coverage.xml
+
+# Pairwise testing of ./configure options
+
+pairwise:
+  <<: *base_image
+  stage: build
+  needs:
+    - job: autoreconf
+      artifacts: true
+  script:
+      - util/pairwise-testing.sh
+  artifacts:
+    paths:
+      - pairwise-commands.txt
+      - pairwise-model.txt
+      - pairwise-output.*.txt
+    when: on_failure
+  only:
+    variables:
+      - $PAIRWISE_TESTING
diff --git a/.gitlab/issue_templates/Bug.md b/.gitlab/issue_templates/Bug.md
new file mode 100644
index 0000000..b2f43e8
--- /dev/null
+++ b/.gitlab/issue_templates/Bug.md
@@ -0,0 +1,46 @@
+<!--
+If the bug you are reporting is potentially security-related - for example,
+if it involves an assertion failure or other crash in `named` that can be
+triggered repeatedly - then please do *NOT* report it here, but send an
+email to [security-officer@isc.org](security-officer@isc.org).
+-->
+
+### Summary
+
+(Summarize the bug encountered concisely.)
+
+### BIND version used
+
+(Paste the output of `named -V`.)
+
+### Steps to reproduce
+
+(How one can reproduce the issue - this is very important.)
+
+### What is the current *bug* behavior?
+
+(What actually happens.)
+
+### What is the expected *correct* behavior?
+
+(What you should see instead.)
+
+### Relevant configuration files
+
+(Paste any relevant configuration files - please use code blocks (```)
+to format console output. If submitting the contents of your
+configuration file in a non-confidential Issue, it is advisable to
+obscure key secrets: this can be done automatically by using
+`named-checkconf -px`.)
+
+### Relevant logs and/or screenshots
+
+(Paste any relevant logs - please use code blocks (```) to format console
+output, logs, and code, as it's very hard to read otherwise.)
+
+### Possible fixes
+
+(If you can, link to the line of code that might be responsible for the
+problem.)
+
+/label ~bug
diff --git a/.gitlab/issue_templates/Feature_Request.md b/.gitlab/issue_templates/Feature_Request.md
new file mode 100644
index 0000000..9ad28f4
--- /dev/null
+++ b/.gitlab/issue_templates/Feature_Request.md
@@ -0,0 +1,11 @@
+### Description
+
+(Describe the problem, use cases, benefits, and/or goals.)
+
+### Request
+
+(Describe the solution you'd like to see.)
+
+### Links / references
+
+/label ~"feature request"
diff --git a/.gitlab/issue_templates/Release.md b/.gitlab/issue_templates/Release.md
new file mode 100644
index 0000000..a00afa6
--- /dev/null
+++ b/.gitlab/issue_templates/Release.md
@@ -0,0 +1,65 @@
+## Release Schedule
+
+**Tagging Deadline:**
+
+**Public Release:**
+
+## Release Checklist
+
+## 2 Working Days Before the Tagging Deadline
+
+ - [ ] ***(QA)*** Check whether all issues assigned to the release milestone are resolved[^1].
+ - [ ] ***(QA)*** Ensure that there are no outstanding merge requests in the private repository[^1] (Subscription Edition only).
+ - [ ] ***(QA)*** Ensure all merge requests marked for backporting have been indeed backported.
+
+## Before the Tagging Deadline
+
+ - [ ] ***(QA)*** Inform Support/Marketing of impending release (and give estimated release dates).
+ - [ ] ***(QA)*** Check Perflab to ensure there has been no unexplained drop in performance for the versions being released.
+ - [ ] ***(SwEng)*** Update API files for libraries with new version information.
+ - [ ] ***(SwEng)*** Change software version and library versions in `configure.ac` (new major release only).
+ - [ ] ***(SwEng)*** Rebuild `configure` using Autoconf on `docs.isc.org`.
+ - [ ] ***(SwEng)*** Update `CHANGES`.
+ - [ ] ***(SwEng)*** Update `CHANGES.SE` (Subscription Edition only).
+ - [ ] ***(SwEng)*** Update `README.md`.
+ - [ ] ***(SwEng)*** Update `version`.
+ - [ ] ***(SwEng)*** Build documentation on `docs.isc.org`.
+ - [ ] ***(QA)*** Check that all the above steps were performed correctly.
+ - [ ] ***(QA)*** Check that the contents of release notes match the merge requests comprising the releases.
+ - [ ] ***(QA)*** Check that the formatting is correct for text, PDF, and HTML versions of release notes.
+ - [ ] ***(SwEng)*** Tag the releases[^2].  (Tags may only be pushed to the public repository for releases which are *not* security releases.)
+ - [ ] ***(SwEng)*** If this is the first tag for a release (e.g. beta), create a release branch named `release_v9_X_Y` to allow development to continue on the maintenance branch whilst release engineering continues.
+
+## Before the ASN Deadline (for ASN Releases) or the Public Release Date (for Regular Releases)
+
+ - [ ] ***(QA)*** Verify GitLab CI results for the tags created and prepare a QA report for the releases to be published.
+ - [ ] ***(QA)*** Request signatures for the tarballs, providing their location and checksums.
+ - [ ] ***(Signers)*** Validate tarball checksums, sign tarballs, and upload signatures.
+ - [ ] ***(QA)*** Verify tarball signatures and check tarball checksums again.
+ - [ ] ***(Support)*** Pre-publish ASN and/or Subscription Edition tarballs so that packages can be built.
+ - [ ] ***(QA)*** Build and test ASN and/or Subscription Edition packages.
+ - [ ] ***(QA)*** Notify Support that the releases have been prepared.
+ - [ ] ***(Support)*** Send out ASNs (if applicable).
+
+## On the Day of Public Release
+
+ - [ ] ***(Support)*** Wait for clearance from Security Officer to proceed with the public release (if applicable).
+ - [ ] ***(Support)*** Place tarballs in public location on FTP site.
+ - [ ] ***(Support)*** Publish links to downloads on ISC website.
+ - [ ] ***(Support)*** Write release email to *bind-announce*.
+ - [ ] ***(Support)*** Write email to *bind-users* (if a major release).
+ - [ ] ***(Support)*** Update tickets in case of waiting support customers.
+ - [ ] ***(QA)*** Build and test any outstanding private packages.
+ - [ ] ***(QA)*** Build public packages (`*.deb`, RPMs).
+ - [ ] ***(QA)*** Inform Marketing of the release.
+ - [ ] ***(QA)*** Update the internal [BIND release dates wiki page](https://wiki.isc.org/bin/view/Main/BindReleaseDates) when public announcement has been made.
+ - [ ] ***(Marketing)*** Post short note to Twitter.
+ - [ ] ***(Marketing)*** Update [Wikipedia entry for BIND](https://en.wikipedia.org/wiki/BIND).
+ - [ ] ***(Marketing)*** Write blog article (if a major release).
+ - [ ] ***(QA)*** Ensure all new tags are annotated and signed.
+ - [ ] ***(SwEng)*** Push tags for the published releases to the public repository.
+ - [ ] ***(SwEng)*** Merge the automatically prepared `prep 9.X.Y` commit which updates `version` and documentation on the release branch into the relevant maintenance branch (`v9_X`).
+
+[^1]: If not, use the time remaining until the tagging deadline to ensure all outstanding issues are either resolved or moved to a different milestone.
+
+[^2]: Preferred command line: `git tag -u <DEVELOPER_KEYID> -a -s -m "BIND 9.X.Y[alphatag]" v9_X_Y[alphatag]`, where `[alphatag]` is an optional string such as `b1`, `rc1`, etc.
diff --git a/.pylintrc b/.pylintrc
new file mode 100644
index 0000000..f9b1110
--- /dev/null
+++ b/.pylintrc
@@ -0,0 +1,9 @@
+[MASTER]
+disable=
+    C0103, # invalid-name
+    C0114, # missing-module-docstring
+    C0115, # missing-class-docstring
+    C0116, # missing-function-docstring
+    C0209, # consider-using-f-string
+    C0415, # import-outside-toplevel
+    R0801, # duplicate-code
diff --git a/.readthedocs.yaml b/.readthedocs.yaml
new file mode 100644
index 0000000..5ea7be0
--- /dev/null
+++ b/.readthedocs.yaml
@@ -0,0 +1,20 @@
+# See https://docs.readthedocs.io/en/stable/config-file/v2.html for details
+
+version: 2
+
+build:
+  os: ubuntu-22.04
+  tools:
+    python: "3.11"
+
+# Build documentation in doc/arm/ with Sphinx
+sphinx:
+  configuration: doc/arm/conf.py
+
+# Build all formats
+formats: all
+
+# Explicitly set the version of Python and its requirements
+python:
+   install:
+   - requirements: doc/arm/requirements.txt
diff --git a/.reuse/dep5 b/.reuse/dep5
new file mode 100644
index 0000000..e26b02d
--- /dev/null
+++ b/.reuse/dep5
@@ -0,0 +1,233 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: BIND 9
+Upstream-Contact: Internet Systems Consortium, Inc. ("ISC") <info@isc.org>
+Source: https://gitlab.isc.org/isc-projects/bind9/
+
+#
+# Build system, data files from tests, and misc cruft
+#
+Files: **/README
+       **/*.after*
+       **/*.bad
+       **/*.batch
+       **/*.before*
+       **/*.ccache
+       **/*.good
+       **/*.key
+       **/*.pem
+       **/*.private
+       **/*.raw
+       **/*.saved
+       **/*.zonelist
+       **/*dig.out*
+       **/Makefile
+       **/Makefile.*
+       **/expect
+       **/testdata/*
+       .github/*
+       .gitlab/*
+       AUTHORS
+       CHANGES
+       COPYRIGHT
+       CODE_OF_CONDUCT
+       CONTRIBUTING
+       HISTORY
+       Kyuafile
+       Makefile
+       Makefile.*
+       OPTIONS
+       README
+       bin/named/bind9.xsl
+       bin/named/bind9.xsl.h
+       bin/tests/bigtest/zones
+       bin/tests/optional/rbt_test.out
+       bin/tests/system/checkdstool/dig.bat
+       bin/tests/system/checkdstool/*.db
+       bin/tests/system/checkzone/zones/bad-caa-rr.db
+       bin/tests/system/checkzone/zones/bad1.db
+       bin/tests/system/checkzone/zones/crashzone.db
+       bin/tests/system/dnstap/large-answer.fstrm
+       bin/tests/system/formerr/nametoolong
+       bin/tests/system/formerr/noquestions
+       bin/tests/system/formerr/twoquestions
+       bin/tests/system/journal/ns1/managed-keys.bind.in
+       bin/tests/system/journal/ns1/managed-keys.bind.jnl.in
+       bin/tests/system/journal/ns2/managed-keys.bind.in
+       bin/tests/system/journal/ns2/managed-keys.bind.jnl.in
+       bin/tests/system/keepalive/expected
+       bin/tests/system/legacy/ns6/edns512.db.signed
+       bin/tests/system/legacy/ns7/edns512-notcp.db.signed
+       bin/tests/system/notify/ns4/named.port.in
+       bin/tests/system/nsupdate/commandlist
+       bin/tests/system/nsupdate/verylarge.in
+       bin/tests/system/org.isc.bind.system.plist
+       bin/tests/system/pipelined/input
+       bin/tests/system/pipelined/inputb
+       bin/tests/system/pipelined/ref
+       bin/tests/system/pipelined/refb
+       bin/tests/system/pkcs11/2037-pk11_numbits-crash-test.pkt
+       bin/tests/system/pkcs11/usepkcs11
+       bin/tests/system/rsabigexponent/ns2/dsset-example.in
+       bin/tests/system/run.gdb
+       bin/tests/system/runtime/ctrl-chars
+       bin/tests/system/runtime/long-cmd-line
+       bin/tests/system/statschannel/traffic.expect.1
+       bin/tests/system/statschannel/traffic.expect.2
+       bin/tests/system/statschannel/traffic.expect.4
+       bin/tests/system/statschannel/traffic.expect.5
+       bin/tests/system/statschannel/traffic.expect.6
+       bin/tests/system/tcp/1996-alloc_dnsbuf-crash-test.pkt
+       bin/tests/system/tsig/badlocation
+       bin/tests/system/tsig/badtime
+       bin/tests/system/unknown/large.out
+       bin/tests/system/xfer/ans5/badkeydata
+       bin/tests/system/xfer/ans5/badmessageid
+       bin/tests/system/xfer/ans5/goodaxfr
+       bin/tests/system/xfer/ans5/partial
+       bin/tests/system/xfer/ans5/soamismatch
+       bin/tests/system/xfer/ans5/unknownkey
+       bin/tests/system/xfer/ans5/unsigned
+       bin/tests/system/xfer/ans5/wrongkey
+       bin/tests/system/xfer/ans5/wrongname
+       bin/tests/system/xfer/knowngood.mapped
+       bind.keys
+       cocci/*.cocci
+       cocci/*.disabled
+       cocci/*.spatch
+       doc/arm/isc-logo.pdf
+       doc/arm/requirements.txt
+       doc/man/*.1in
+       doc/man/*.5in
+       doc/man/*.8in
+       fuzz/*.in/*
+Copyright: Internet Systems Consortium, Inc. ("ISC")
+License: MPL-2.0
+
+#
+# Libtool Files
+#
+Files: aclocal.m4
+       ltmain.sh
+       m4/libtool.m4
+       m4/ltoptions.m4
+       m4/ltsugar.m4
+       m4/ltversion.m4
+       m4/ltversion.m4
+       m4/lt~obsolete.m4
+Copyright: Free Software Foundation, Inc.
+License: GPL-3.0-or-later WITH Autoconf-exception-3.0
+
+#
+# DNSSEC Guide images
+#
+Files: doc/dnssec-guide/img/*.png
+Copyright: Internet Systems Consortium, Inc. ("ISC")
+License: MPL-2.0
+
+#
+# DLZ Modules
+#
+Files: contrib/dlz/modules/*/testing/*
+Copyright: Internet Systems Consortium, Inc. ("ISC")
+	   Stichting NLnet, Netherlands
+License: ISC and MPL-2.0
+
+#
+# Stuff that's basically uncopyrightable (configuration, generated files),
+# use CC0-1.0 for clarity that we don't care
+#
+Files: **/.clang-format
+       **/.clang-format.headers
+       **/.dir-locals.el
+       **/.gitattributes
+       **/.gitignore
+       **/named*.args
+       **/named.dropedns
+       **/named.ednsformerr
+       **/named.ednsnotimp
+       **/named.ednsrefused
+       **/named.maxudp1460
+       **/named.maxudp512
+       **/named.noaa
+       **/named.noedns
+       **/named.nosoa
+       **/named.notcp
+       **/startme
+       .clang-format
+       .clang-format.headers
+       .dir-locals.el
+       .gitattributes
+       .gitignore
+       .gitlab-ci.yml
+       .lgtm.yml
+       .pylintrc
+       .readthedocs.yaml
+       .tsan-suppress
+       .uncrustify.cfg
+       config.guess
+       config.h.in
+       config.h.win32
+       config.threads.in
+       config.sub
+       configure
+       bin/tests/system/dlz/ns1/dns-root/*
+       doc/misc/*.zoneopt
+       doc/misc/options
+       doc/misc/options.active
+       install-sh
+       lib/dns/mapapi
+       mkinstalldirs
+       util/suppressions.txt
+       version
+       sonar-project.properties
+Copyright: Internet Systems Consortium, Inc. ("ISC")
+License: CC0-1.0
+
+#
+# geoip2 test files (mmdb is generated from json)
+#
+Files: bin/tests/system/geoip2/data/*.json
+       bin/tests/system/geoip2/data/*.mmdb
+Copyright: Internet Systems Consortium, Inc. ("ISC")
+License: CC0-1.0
+
+#
+# files that may be left over from other branches.
+#
+# in a newly cloned branch or after running "git clean", these
+# files don't exist, but they can be left lying around after
+# checking out an older branch. we explicitly ignore them so they
+# won't clutter up the output when running "reuse lint" by hand
+# in a working source tree.
+#
+Files: **/platform.h
+       bin/tests/system/*.log
+       bin/tests/system/*.trs
+       fuzz/*.log
+       fuzz/*.trs
+       lib/*/tests/*.log
+       lib/*/tests/*.trs
+Copyright: Internet Systems Consortium, Inc. ("ISC")
+License: CC0-1.0
+
+#
+# Windows build system
+#
+Files: **/*.def
+       **/*.def.in
+       **/*.sln
+       **/*.sln.in
+       **/*.vcxproj.filters
+       **/*.vcxproj.filters.in
+       **/*.vcxproj
+       **/*.vcxproj.in
+       **/*.vcxproj.user
+       bin/win32/BINDInstall/BINDInstall.rc
+       bin/win32/BINDInstall/res/BINDInstall.ico
+       bin/win32/BINDInstall/res/BINDInstall.rc2
+       contrib/dlz/example/win32/dxdriver.dsp
+       contrib/dlz/example/win32/dxdriver.dsw
+       contrib/dlz/example/win32/dxdriver.mak
+       win32utils/GeoIP.diff
+Copyright: Internet Systems Consortium, Inc. ("ISC")
+License: CC0-1.0
diff --git a/.reuse/templates/isc.jinja2 b/.reuse/templates/isc.jinja2
new file mode 100644
index 0000000..3f29bd1
--- /dev/null
+++ b/.reuse/templates/isc.jinja2
@@ -0,0 +1,16 @@
+{% for copyright_line in copyright_lines %}
+{{ copyright_line }}
+{% endfor %}
+
+{% for expression in spdx_expressions %}
+SPDX-License-Identifier: {{ expression }}
+{% endfor %}
+
+{% if "MPL-2.0" in spdx_expressions %}
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0.  If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+{% endif %}
diff --git a/.tsan-suppress b/.tsan-suppress
new file mode 100644
index 0000000..b12e038
--- /dev/null
+++ b/.tsan-suppress
@@ -0,0 +1,2 @@
+# Uninstrumented library.
+called_from_lib:libfstrm.so
diff --git a/.uncrustify.cfg b/.uncrustify.cfg
new file mode 100644
index 0000000..012c070
--- /dev/null
+++ b/.uncrustify.cfg
@@ -0,0 +1,1434 @@
+# Uncrustify 0.59
+
+#
+# General options
+#
+
+# The type of line endings
+newlines                                 = auto     # auto/lf/crlf/cr
+
+# The original size of tabs in the input
+input_tab_size                           = 8        # number
+
+# The size of tabs in the output (only used if align_with_tabs=true)
+output_tab_size                          = 8        # number
+
+# The ASCII value of the string escape char, usually 92 (\) or 94 (^). (Pawn)
+string_escape_char                       = 92       # number
+
+# Alternate string escape char for Pawn. Only works right before the quote char.
+string_escape_char2                      = 0        # number
+
+# Allow interpreting '>=' and '>>=' as part of a template in 'void f(list<list<B>>=val);'.
+# If true (default), 'assert(x<0 && y>=3)' will be broken.
+# Improvements to template detection may make this option obsolete.
+tok_split_gte                            = false    # false/true
+
+# Control what to do with the UTF-8 BOM (recommend 'remove')
+utf8_bom                                 = ignore   # ignore/add/remove/force
+
+# If the file only contains chars between 128 and 255 and is not UTF-8, then output as UTF-8
+utf8_byte                                = false    # false/true
+
+# Force the output encoding to UTF-8
+utf8_force                               = false    # false/true
+
+#
+# Indenting
+#
+
+# The number of columns to indent per level.
+# Usually 2, 3, 4, or 8.
+indent_columns                           = 8        # number
+
+# The continuation indent. If non-zero, this overrides the indent of '(' and '=' continuation indents.
+# For FreeBSD, this is set to 4.
+indent_continue                          = 0        # number
+
+# How to use tabs when indenting code
+# 0=spaces only
+# 1=indent with tabs to brace level, align with spaces
+# 2=indent and align with tabs, using spaces when not on a tabstop
+indent_with_tabs                         = 2        # number
+
+# Comments that are not a brace level are indented with tabs on a tabstop.
+# Requires indent_with_tabs=2. If false, will use spaces.
+indent_cmt_with_tabs                     = false    # false/true
+
+# Whether to indent strings broken by '\' so that they line up
+indent_align_string                      = false    # false/true
+
+# The number of spaces to indent multi-line XML strings.
+# Requires indent_align_string=True
+indent_xml_string                        = 0        # number
+
+# Spaces to indent '{' from level
+indent_brace                             = 0        # number
+
+# Whether braces are indented to the body level
+indent_braces                            = false    # false/true
+
+# Disabled indenting function braces if indent_braces is true
+indent_braces_no_func                    = false    # false/true
+
+# Disabled indenting class braces if indent_braces is true
+indent_braces_no_class                   = false    # false/true
+
+# Disabled indenting struct braces if indent_braces is true
+indent_braces_no_struct                  = false    # false/true
+
+# Indent based on the size of the brace parent, i.e. 'if' => 3 spaces, 'for' => 4 spaces, etc.
+indent_brace_parent                      = false    # false/true
+
+# Whether the 'namespace' body is indented
+indent_namespace                         = false    # false/true
+
+# The number of spaces to indent a namespace block
+indent_namespace_level                   = 0        # number
+
+# If the body of the namespace is longer than this number, it won't be indented.
+# Requires indent_namespace=true. Default=0 (no limit)
+indent_namespace_limit                   = 0        # number
+
+# Whether the 'extern "C"' body is indented
+indent_extern                            = false    # false/true
+
+# Whether the 'class' body is indented
+indent_class                             = false    # false/true
+
+# Whether to indent the stuff after a leading class colon
+indent_class_colon                       = false    # false/true
+
+# Additional indenting for constructor initializer list
+indent_ctor_init                         = 0        # number
+
+# False=treat 'else\nif' as 'else if' for indenting purposes
+# True=indent the 'if' one level
+indent_else_if                           = false    # false/true
+
+# Amount to indent variable declarations after a open brace. neg=relative, pos=absolute
+indent_var_def_blk                       = 0        # number
+
+# Indent continued variable declarations instead of aligning.
+indent_var_def_cont                      = false    # false/true
+
+# True:  indent continued function call parameters one indent level
+# False: align parameters under the open paren
+indent_func_call_param                   = false    # false/true
+
+# Same as indent_func_call_param, but for function defs
+indent_func_def_param                    = false    # false/true
+
+# Same as indent_func_call_param, but for function protos
+indent_func_proto_param                  = false    # false/true
+
+# Same as indent_func_call_param, but for class declarations
+indent_func_class_param                  = false    # false/true
+
+# Same as indent_func_call_param, but for class variable constructors
+indent_func_ctor_var_param               = false    # false/true
+
+# Same as indent_func_call_param, but for templates
+indent_template_param                    = false    # false/true
+
+# Double the indent for indent_func_xxx_param options
+indent_func_param_double                 = false    # false/true
+
+# Indentation column for standalone 'const' function decl/proto qualifier
+indent_func_const                        = 0        # number
+
+# Indentation column for standalone 'throw' function decl/proto qualifier
+indent_func_throw                        = 0        # number
+
+# The number of spaces to indent a continued '->' or '.'
+# Usually set to 0, 1, or indent_columns.
+indent_member                            = 0        # number
+
+# Spaces to indent single line ('//') comments on lines before code
+indent_sing_line_comments                = 0        # number
+
+# If set, will indent trailing single line ('//') comments relative
+# to the code instead of trying to keep the same absolute column
+indent_relative_single_line_comments     = false    # false/true
+
+# Spaces to indent 'case' from 'switch'
+# Usually 0 or indent_columns.
+indent_switch_case                       = 0        # number
+
+# Spaces to shift the 'case' line, without affecting any other lines
+# Usually 0.
+indent_case_shift                        = 0        # number
+
+# Spaces to indent '{' from 'case'.
+# By default, the brace will appear under the 'c' in case.
+# Usually set to 0 or indent_columns.
+indent_case_brace                        = 0        # number
+
+# Whether to indent comments found in first column
+indent_col1_comment                      = false    # false/true
+
+# How to indent goto labels
+#  >0 : absolute column where 1 is the leftmost column
+#  <=0 : subtract from brace indent
+indent_label                             = 2        # number
+
+# Same as indent_label, but for access specifiers that are followed by a colon
+indent_access_spec                       = 1        # number
+
+# Indent the code after an access specifier by one level.
+# If set, this option forces 'indent_access_spec=0'
+indent_access_spec_body                  = false    # false/true
+
+# If an open paren is followed by a newline, indent the next line so that it lines up after the open paren (not recommended)
+indent_paren_nl                          = false    # false/true
+
+# Controls the indent of a close paren after a newline.
+# 0: Indent to body level
+# 1: Align under the open paren
+# 2: Indent to the brace level
+indent_paren_close                       = 0        # number
+
+# Controls the indent of a comma when inside a paren.If TRUE, aligns under the open paren
+indent_comma_paren                       = false    # false/true
+
+# Controls the indent of a BOOL operator when inside a paren.If TRUE, aligns under the open paren
+indent_bool_paren                        = false    # false/true
+
+# If 'indent_bool_paren' is true, controls the indent of the first expression. If TRUE, aligns the first expression to the following ones
+indent_first_bool_expr                   = false    # false/true
+
+# If an open square is followed by a newline, indent the next line so that it lines up after the open square (not recommended)
+indent_square_nl                         = false    # false/true
+
+# Don't change the relative indent of ESQL/C 'EXEC SQL' bodies
+indent_preserve_sql                      = false    # false/true
+
+# Align continued statements at the '='. Default=True
+# If FALSE or the '=' is followed by a newline, the next line is indent one tab.
+indent_align_assign                      = true     # false/true
+
+#
+# Spacing options
+#
+
+# Add or remove space around arithmetic operator '+', '-', '/', '*', etc
+sp_arith                                 = add      # ignore/add/remove/force
+
+# Add or remove space around assignment operator '=', '+=', etc
+sp_assign                                = add      # ignore/add/remove/force
+
+# Add or remove space around assignment operator '=' in a prototype
+sp_assign_default                        = add      # ignore/add/remove/force
+
+# Add or remove space before assignment operator '=', '+=', etc. Overrides sp_assign.
+sp_before_assign                         = ignore   # ignore/add/remove/force
+
+# Add or remove space after assignment operator '=', '+=', etc. Overrides sp_assign.
+sp_after_assign                          = ignore   # ignore/add/remove/force
+
+# Add or remove space around assignment '=' in enum
+sp_enum_assign                           = ignore   # ignore/add/remove/force
+
+# Add or remove space before assignment '=' in enum. Overrides sp_enum_assign.
+sp_enum_before_assign                    = ignore   # ignore/add/remove/force
+
+# Add or remove space after assignment '=' in enum. Overrides sp_enum_assign.
+sp_enum_after_assign                     = ignore   # ignore/add/remove/force
+
+# Add or remove space around preprocessor '##' concatenation operator. Default=Add
+sp_pp_concat                             = add      # ignore/add/remove/force
+
+# Add or remove space after preprocessor '#' stringify operator. Also affects the '#@' charizing operator. Default=Add
+sp_pp_stringify                          = add      # ignore/add/remove/force
+
+# Add or remove space around boolean operators '&&' and '||'
+sp_bool                                  = add      # ignore/add/remove/force
+
+# Add or remove space around compare operator '<', '>', '==', etc
+sp_compare                               = add      # ignore/add/remove/force
+
+# Add or remove space inside '(' and ')'
+sp_inside_paren                          = ignore   # ignore/add/remove/force
+
+# Add or remove space between nested parens
+sp_paren_paren                           = ignore   # ignore/add/remove/force
+
+# Whether to balance spaces inside nested parens
+sp_balance_nested_parens                 = false    # false/true
+
+# Add or remove space between ')' and '{'
+sp_paren_brace                           = ignore   # ignore/add/remove/force
+
+# Add or remove space before pointer star '*'
+sp_before_ptr_star                       = ignore   # ignore/add/remove/force
+
+# Add or remove space before pointer star '*' that isn't followed by a variable name
+# If set to 'ignore', sp_before_ptr_star is used instead.
+sp_before_unnamed_ptr_star               = ignore   # ignore/add/remove/force
+
+# Add or remove space between pointer stars '*'
+sp_between_ptr_star                      = ignore   # ignore/add/remove/force
+
+# Add or remove space after pointer star '*', if followed by a word.
+sp_after_ptr_star                        = remove   # ignore/add/remove/force
+
+# Add or remove space after a pointer star '*', if followed by a func proto/def.
+sp_after_ptr_star_func                   = ignore   # ignore/add/remove/force
+
+# Add or remove space before a pointer star '*', if followed by a func proto/def.
+sp_before_ptr_star_func                  = ignore   # ignore/add/remove/force
+
+# Add or remove space before a reference sign '&'
+sp_before_byref                          = ignore   # ignore/add/remove/force
+
+# Add or remove space before a reference sign '&' that isn't followed by a variable name
+# If set to 'ignore', sp_before_byref is used instead.
+sp_before_unnamed_byref                  = ignore   # ignore/add/remove/force
+
+# Add or remove space after reference sign '&', if followed by a word.
+sp_after_byref                           = remove   # ignore/add/remove/force
+
+# Add or remove space after a reference sign '&', if followed by a func proto/def.
+sp_after_byref_func                      = ignore   # ignore/add/remove/force
+
+# Add or remove space before a reference sign '&', if followed by a func proto/def.
+sp_before_byref_func                     = ignore   # ignore/add/remove/force
+
+# Add or remove space between type and word. Default=Force
+sp_after_type                            = force    # ignore/add/remove/force
+
+# Add or remove space in 'template <' vs 'template<'.
+# If set to ignore, sp_before_angle is used.
+sp_template_angle                        = ignore   # ignore/add/remove/force
+
+# Add or remove space before '<>'
+sp_before_angle                          = ignore   # ignore/add/remove/force
+
+# Add or remove space inside '<' and '>'
+sp_inside_angle                          = ignore   # ignore/add/remove/force
+
+# Add or remove space after '<>'
+sp_after_angle                           = ignore   # ignore/add/remove/force
+
+# Add or remove space between '<>' and '(' as found in 'new List<byte>();'
+sp_angle_paren                           = ignore   # ignore/add/remove/force
+
+# Add or remove space between '<>' and a word as in 'List<byte> m;'
+sp_angle_word                            = ignore   # ignore/add/remove/force
+
+# Add or remove space between '>' and '>' in '>>' (template stuff C++/C# only). Default=Add
+sp_angle_shift                           = add      # ignore/add/remove/force
+
+# Add or remove space before '(' of 'if', 'for', 'switch', and 'while'
+sp_before_sparen                         = add      # ignore/add/remove/force
+
+# Add or remove space inside if-condition '(' and ')'
+sp_inside_sparen                         = remove   # ignore/add/remove/force
+
+# Add or remove space before if-condition ')'. Overrides sp_inside_sparen.
+sp_inside_sparen_close                   = remove   # ignore/add/remove/force
+
+# Add or remove space after ')' of 'if', 'for', 'switch', and 'while'
+sp_after_sparen                          = add      # ignore/add/remove/force
+
+# Add or remove space between ')' and '{' of 'if', 'for', 'switch', and 'while'
+sp_sparen_brace                          = add      # ignore/add/remove/force
+
+# Add or remove space between 'invariant' and '(' in the D language.
+sp_invariant_paren                       = ignore   # ignore/add/remove/force
+
+# Add or remove space after the ')' in 'invariant (C) c' in the D language.
+sp_after_invariant_paren                 = ignore   # ignore/add/remove/force
+
+# Add or remove space before empty statement ';' on 'if', 'for' and 'while'
+sp_special_semi                          = remove   # ignore/add/remove/force
+
+# Add or remove space before ';'. Default=Remove
+sp_before_semi                           = remove   # ignore/add/remove/force
+
+# Add or remove space before ';' in non-empty 'for' statements
+sp_before_semi_for                       = ignore   # ignore/add/remove/force
+
+# Add or remove space before a semicolon of an empty part of a for statement.
+sp_before_semi_for_empty                 = ignore   # ignore/add/remove/force
+
+# Add or remove space after ';', except when followed by a comment. Default=Add
+sp_after_semi                            = ignore   # ignore/add/remove/force
+
+# Add or remove space after ';' in non-empty 'for' statements. Default=Force
+sp_after_semi_for                        = ignore   # ignore/add/remove/force
+
+# Add or remove space after the final semicolon of an empty part of a for statement: for ( ; ; <here> ).
+sp_after_semi_for_empty                  = ignore   # ignore/add/remove/force
+
+# Add or remove space before '[' (except '[]')
+sp_before_square                         = ignore   # ignore/add/remove/force
+
+# Add or remove space before '[]'
+sp_before_squares                        = ignore   # ignore/add/remove/force
+
+# Add or remove space inside a non-empty '[' and ']'
+sp_inside_square                         = ignore   # ignore/add/remove/force
+
+# Add or remove space after ','
+sp_after_comma                           = add      # ignore/add/remove/force
+
+# Add or remove space before ','
+sp_before_comma                          = remove   # ignore/add/remove/force
+
+# Add or remove space between an open paren and comma: '(,' vs '( ,'
+sp_paren_comma                           = force    # ignore/add/remove/force
+
+# Add or remove space before the variadic '...' when preceded by a non-punctuator
+sp_before_ellipsis                       = ignore   # ignore/add/remove/force
+
+# Add or remove space after class ':'
+sp_after_class_colon                     = ignore   # ignore/add/remove/force
+
+# Add or remove space before class ':'
+sp_before_class_colon                    = ignore   # ignore/add/remove/force
+
+# Add or remove space before case ':'. Default=Remove
+sp_before_case_colon                     = remove   # ignore/add/remove/force
+
+# Add or remove space between 'operator' and operator sign
+sp_after_operator                        = ignore   # ignore/add/remove/force
+
+# Add or remove space between the operator symbol and the open paren, as in 'operator ++('
+sp_after_operator_sym                    = ignore   # ignore/add/remove/force
+
+# Add or remove space after C/D cast, i.e. 'cast(int)a' vs 'cast(int) a' or '(int)a' vs '(int) a'
+sp_after_cast                            = ignore   # ignore/add/remove/force
+
+# Add or remove spaces inside cast parens
+sp_inside_paren_cast                     = ignore   # ignore/add/remove/force
+
+# Add or remove space between the type and open paren in a C++ cast, i.e. 'int(exp)' vs 'int (exp)'
+sp_cpp_cast_paren                        = ignore   # ignore/add/remove/force
+
+# Add or remove space between 'sizeof' and '('
+sp_sizeof_paren                          = ignore   # ignore/add/remove/force
+
+# Add or remove space after the tag keyword (Pawn)
+sp_after_tag                             = ignore   # ignore/add/remove/force
+
+# Add or remove space inside enum '{' and '}'
+sp_inside_braces_enum                    = ignore   # ignore/add/remove/force
+
+# Add or remove space inside struct/union '{' and '}'
+sp_inside_braces_struct                  = ignore   # ignore/add/remove/force
+
+# Add or remove space inside '{' and '}'
+sp_inside_braces                         = ignore   # ignore/add/remove/force
+
+# Add or remove space inside '{}'
+sp_inside_braces_empty                   = ignore   # ignore/add/remove/force
+
+# Add or remove space between return type and function name
+# A minimum of 1 is forced except for pointer return types.
+sp_type_func                             = ignore   # ignore/add/remove/force
+
+# Add or remove space between function name and '(' on function declaration
+sp_func_proto_paren                      = ignore   # ignore/add/remove/force
+
+# Add or remove space between function name and '(' on function definition
+sp_func_def_paren                        = ignore   # ignore/add/remove/force
+
+# Add or remove space inside empty function '()'
+sp_inside_fparens                        = ignore   # ignore/add/remove/force
+
+# Add or remove space inside function '(' and ')'
+sp_inside_fparen                         = ignore   # ignore/add/remove/force
+
+# Add or remove space between ']' and '(' when part of a function call.
+sp_square_fparen                         = ignore   # ignore/add/remove/force
+
+# Add or remove space between ')' and '{' of function
+sp_fparen_brace                          = ignore   # ignore/add/remove/force
+
+# Add or remove space between function name and '(' on function calls
+sp_func_call_paren                       = ignore   # ignore/add/remove/force
+
+# Add or remove space between function name and '()' on function calls without parameters.
+# If set to 'ignore' (the default), sp_func_call_paren is used.
+sp_func_call_paren_empty                 = ignore   # ignore/add/remove/force
+
+# Add or remove space between the user function name and '(' on function calls
+# You need to set a keyword to be a user function, like this: 'set func_call_user _' in the config file.
+sp_func_call_user_paren                  = ignore   # ignore/add/remove/force
+
+# Add or remove space between a constructor/destructor and the open paren
+sp_func_class_paren                      = ignore   # ignore/add/remove/force
+
+# Add or remove space between 'return' and '('
+sp_return_paren                          = ignore   # ignore/add/remove/force
+
+# Add or remove space between '__attribute__' and '('
+sp_attribute_paren                       = ignore   # ignore/add/remove/force
+
+# Add or remove space between 'defined' and '(' in '#if defined (FOO)'
+sp_defined_paren                         = ignore   # ignore/add/remove/force
+
+# Add or remove space between 'throw' and '(' in 'throw (something)'
+sp_throw_paren                           = ignore   # ignore/add/remove/force
+
+# Add or remove space between 'catch' and '(' in 'catch (something) { }'
+# If set to ignore, sp_before_sparen is used.
+sp_catch_paren                           = ignore   # ignore/add/remove/force
+
+# Add or remove space between 'version' and '(' in 'version (something) { }' (D language)
+# If set to ignore, sp_before_sparen is used.
+sp_version_paren                         = ignore   # ignore/add/remove/force
+
+# Add or remove space between 'scope' and '(' in 'scope (something) { }' (D language)
+# If set to ignore, sp_before_sparen is used.
+sp_scope_paren                           = ignore   # ignore/add/remove/force
+
+# Add or remove space between macro and value
+sp_macro                                 = ignore   # ignore/add/remove/force
+
+# Add or remove space between macro function ')' and value
+sp_macro_func                            = ignore   # ignore/add/remove/force
+
+# Add or remove space between 'else' and '{' if on the same line
+sp_else_brace                            = add      # ignore/add/remove/force
+
+# Add or remove space between '}' and 'else' if on the same line
+sp_brace_else                            = add      # ignore/add/remove/force
+
+# Add or remove space between '}' and the name of a typedef on the same line
+sp_brace_typedef                         = ignore   # ignore/add/remove/force
+
+# Add or remove space between 'catch' and '{' if on the same line
+sp_catch_brace                           = ignore   # ignore/add/remove/force
+
+# Add or remove space between '}' and 'catch' if on the same line
+sp_brace_catch                           = ignore   # ignore/add/remove/force
+
+# Add or remove space between 'finally' and '{' if on the same line
+sp_finally_brace                         = ignore   # ignore/add/remove/force
+
+# Add or remove space between '}' and 'finally' if on the same line
+sp_brace_finally                         = ignore   # ignore/add/remove/force
+
+# Add or remove space between 'try' and '{' if on the same line
+sp_try_brace                             = ignore   # ignore/add/remove/force
+
+# Add or remove space between get/set and '{' if on the same line
+sp_getset_brace                          = ignore   # ignore/add/remove/force
+
+# Add or remove space before the '::' operator
+sp_before_dc                             = ignore   # ignore/add/remove/force
+
+# Add or remove space after the '::' operator
+sp_after_dc                              = ignore   # ignore/add/remove/force
+
+# Add or remove around the D named array initializer ':' operator
+sp_d_array_colon                         = ignore   # ignore/add/remove/force
+
+# Add or remove space after the '!' (not) operator. Default=Remove
+sp_not                                   = remove   # ignore/add/remove/force
+
+# Add or remove space after the '~' (invert) operator. Default=Remove
+sp_inv                                   = remove   # ignore/add/remove/force
+
+# Add or remove space after the '&' (address-of) operator. Default=Remove
+# This does not affect the spacing after a '&' that is part of a type.
+sp_addr                                  = remove   # ignore/add/remove/force
+
+# Add or remove space around the '.' or '->' operators. Default=Remove
+sp_member                                = remove   # ignore/add/remove/force
+
+# Add or remove space after the '*' (dereference) operator. Default=Remove
+# This does not affect the spacing after a '*' that is part of a type.
+sp_deref                                 = remove   # ignore/add/remove/force
+
+# Add or remove space after '+' or '-', as in 'x = -5' or 'y = +7'. Default=Remove
+sp_sign                                  = remove   # ignore/add/remove/force
+
+# Add or remove space before or after '++' and '--', as in '(--x)' or 'y++;'. Default=Remove
+sp_incdec                                = remove   # ignore/add/remove/force
+
+# Add or remove space before a backslash-newline at the end of a line. Default=Add
+sp_before_nl_cont                        = add      # ignore/add/remove/force
+
+# Add or remove space after the scope '+' or '-', as in '-(void) foo;' or '+(int) bar;'
+sp_after_oc_scope                        = ignore   # ignore/add/remove/force
+
+# Add or remove space after the colon in message specs
+# '-(int) f:(int) x;' vs '-(int) f: (int) x;'
+sp_after_oc_colon                        = ignore   # ignore/add/remove/force
+
+# Add or remove space before the colon in message specs
+# '-(int) f: (int) x;' vs '-(int) f : (int) x;'
+sp_before_oc_colon                       = ignore   # ignore/add/remove/force
+
+# Add or remove space after the colon in message specs
+# '[object setValue:1];' vs '[object setValue: 1];'
+sp_after_send_oc_colon                   = ignore   # ignore/add/remove/force
+
+# Add or remove space before the colon in message specs
+# '[object setValue:1];' vs '[object setValue :1];'
+sp_before_send_oc_colon                  = ignore   # ignore/add/remove/force
+
+# Add or remove space after the (type) in message specs
+# '-(int)f: (int) x;' vs '-(int)f: (int)x;'
+sp_after_oc_type                         = ignore   # ignore/add/remove/force
+
+# Add or remove space after the first (type) in message specs
+# '-(int) f:(int)x;' vs '-(int)f:(int)x;'
+sp_after_oc_return_type                  = ignore   # ignore/add/remove/force
+
+# Add or remove space between '@selector' and '('
+# '@selector(msgName)' vs '@selector (msgName)'
+# Also applies to @protocol() constructs
+sp_after_oc_at_sel                       = ignore   # ignore/add/remove/force
+
+# Add or remove space between '@selector(x)' and the following word
+# '@selector(foo) a:' vs '@selector(foo)a:'
+sp_after_oc_at_sel_parens                = ignore   # ignore/add/remove/force
+
+# Add or remove space inside '@selector' parens
+# '@selector(foo)' vs '@selector( foo )'
+# Also applies to @protocol() constructs
+sp_inside_oc_at_sel_parens               = ignore   # ignore/add/remove/force
+
+# Add or remove space before a block pointer caret
+# '^int (int arg){...}' vs. ' ^int (int arg){...}'
+sp_before_oc_block_caret                 = ignore   # ignore/add/remove/force
+
+# Add or remove space after a block pointer caret
+# '^int (int arg){...}' vs. '^ int (int arg){...}'
+sp_after_oc_block_caret                  = ignore   # ignore/add/remove/force
+
+# Add or remove space around the ':' in 'b ? t : f'
+sp_cond_colon                            = ignore   # ignore/add/remove/force
+
+# Add or remove space around the '?' in 'b ? t : f'
+sp_cond_question                         = ignore   # ignore/add/remove/force
+
+# Fix the spacing between 'case' and the label. Only 'ignore' and 'force' make sense here.
+sp_case_label                            = ignore   # ignore/add/remove/force
+
+# Control the space around the D '..' operator.
+sp_range                                 = ignore   # ignore/add/remove/force
+
+# Control the space after the opening of a C++ comment '// A' vs '//A'
+sp_cmt_cpp_start                         = ignore   # ignore/add/remove/force
+
+# Controls the spaces between #else or #endif and a trailing comment
+sp_endif_cmt                             = ignore   # ignore/add/remove/force
+
+# Controls the spaces after 'new', 'delete', and 'delete[]'
+sp_after_new                             = ignore   # ignore/add/remove/force
+
+# Controls the spaces before a trailing or embedded comment
+sp_before_tr_emb_cmt                     = ignore   # ignore/add/remove/force
+
+# Number of spaces before a trailing or embedded comment
+sp_num_before_tr_emb_cmt                 = 0        # number
+
+#
+# Code alignment (not left column spaces/tabs)
+#
+
+# Whether to keep non-indenting tabs
+align_keep_tabs                          = false    # false/true
+
+# Whether to use tabs for aligning
+align_with_tabs                          = true     # false/true
+
+# Whether to bump out to the next tab when aligning
+align_on_tabstop                         = false    # false/true
+
+# Whether to left-align numbers
+align_number_left                        = false    # false/true
+
+# Align variable definitions in prototypes and functions
+align_func_params                        = false    # false/true
+
+# Align parameters in single-line functions that have the same name.
+# The function names must already be aligned with each other.
+align_same_func_call_params              = false    # false/true
+
+# The span for aligning variable definitions (0=don't align)
+align_var_def_span                       = 0        # number
+
+# How to align the star in variable definitions.
+#  0=Part of the type     'void *   foo;'
+#  1=Part of the variable 'void     *foo;'
+#  2=Dangling             'void    *foo;'
+align_var_def_star_style                 = 0        # number
+
+# How to align the '&' in variable definitions.
+#  0=Part of the type
+#  1=Part of the variable
+#  2=Dangling
+align_var_def_amp_style                  = 0        # number
+
+# The threshold for aligning variable definitions (0=no limit)
+align_var_def_thresh                     = 0        # number
+
+# The gap for aligning variable definitions
+align_var_def_gap                        = 0        # number
+
+# Whether to align the colon in struct bit fields
+align_var_def_colon                      = false    # false/true
+
+# Whether to align any attribute after the variable name
+align_var_def_attribute                  = false    # false/true
+
+# Whether to align inline struct/enum/union variable definitions
+align_var_def_inline                     = false    # false/true
+
+# The span for aligning on '=' in assignments (0=don't align)
+align_assign_span                        = 0        # number
+
+# The threshold for aligning on '=' in assignments (0=no limit)
+align_assign_thresh                      = 0        # number
+
+# The span for aligning on '=' in enums (0=don't align)
+align_enum_equ_span                      = 0        # number
+
+# The threshold for aligning on '=' in enums (0=no limit)
+align_enum_equ_thresh                    = 0        # number
+
+# The span for aligning struct/union (0=don't align)
+align_var_struct_span                    = 3        # number
+
+# The threshold for aligning struct/union member definitions (0=no limit)
+align_var_struct_thresh                  = 0        # number
+
+# The gap for aligning struct/union member definitions
+align_var_struct_gap                     = 8        # number
+
+# The span for aligning struct initializer values (0=don't align)
+align_struct_init_span                   = 0        # number
+
+# The minimum space between the type and the synonym of a typedef
+align_typedef_gap                        = 0        # number
+
+# The span for aligning single-line typedefs (0=don't align)
+align_typedef_span                       = 0        # number
+
+# How to align typedef'd functions with other typedefs
+# 0: Don't mix them at all
+# 1: align the open paren with the types
+# 2: align the function type name with the other type names
+align_typedef_func                       = 2        # number
+
+# Controls the positioning of the '*' in typedefs. Just try it.
+# 0: Align on typedef type, ignore '*'
+# 1: The '*' is part of type name: typedef int  *pint;
+# 2: The '*' is part of the type, but dangling: typedef int *pint;
+align_typedef_star_style                 = 0        # number
+
+# Controls the positioning of the '&' in typedefs. Just try it.
+# 0: Align on typedef type, ignore '&'
+# 1: The '&' is part of type name: typedef int  &pint;
+# 2: The '&' is part of the type, but dangling: typedef int &pint;
+align_typedef_amp_style                  = 0        # number
+
+# The span for aligning comments that end lines (0=don't align)
+align_right_cmt_span                     = 0        # number
+
+# If aligning comments, mix with comments after '}' and #endif with less than 3 spaces before the comment
+align_right_cmt_mix                      = false    # false/true
+
+# If a trailing comment is more than this number of columns away from the text it follows,
+# it will qualify for being aligned. This has to be > 0 to do anything.
+align_right_cmt_gap                      = 0        # number
+
+# Align trailing comment at or beyond column N; 'pulls in' comments as a bonus side effect (0=ignore)
+align_right_cmt_at_col                   = 0        # number
+
+# The span for aligning function prototypes (0=don't align)
+align_func_proto_span                    = 0        # number
+
+# Minimum gap between the return type and the function name.
+align_func_proto_gap                     = 0        # number
+
+# Align function protos on the 'operator' keyword instead of what follows
+align_on_operator                        = false    # false/true
+
+# Whether to mix aligning prototype and variable declarations.
+# If true, align_var_def_XXX options are used instead of align_func_proto_XXX options.
+align_mix_var_proto                      = false    # false/true
+
+# Align single-line functions with function prototypes, uses align_func_proto_span
+align_single_line_func                   = false    # false/true
+
+# Aligning the open brace of single-line functions.
+# Requires align_single_line_func=true, uses align_func_proto_span
+align_single_line_brace                  = false    # false/true
+
+# Gap for align_single_line_brace.
+align_single_line_brace_gap              = 0        # number
+
+# The span for aligning ObjC msg spec (0=don't align)
+align_oc_msg_spec_span                   = 0        # number
+
+# Whether to align macros wrapped with a backslash and a newline.
+# This will not work right if the macro contains a multi-line comment.
+align_nl_cont                            = false    # false/true
+
+# The minimum space between label and value of a preprocessor define
+align_pp_define_gap                      = 0        # number
+
+# The span for aligning on '#define' bodies (0=don't align)
+align_pp_define_span                     = 0        # number
+
+# Align lines that start with '<<' with previous '<<'. Default=true
+align_left_shift                         = true     # false/true
+
+# Span for aligning parameters in an Obj-C message call on the ':' (0=don't align)
+align_oc_msg_colon_span                  = 0        # number
+
+# Aligning parameters in an Obj-C '+' or '-' declaration on the ':'
+align_oc_decl_colon                      = false    # false/true
+
+#
+# Newline adding and removing options
+#
+
+# Whether to collapse empty blocks between '{' and '}'
+nl_collapse_empty_body                   = false    # false/true
+
+# Don't split one-line braced assignments - 'foo_t f = { 1, 2 };'
+nl_assign_leave_one_liners               = false    # false/true
+
+# Don't split one-line braced statements inside a class xx { } body
+nl_class_leave_one_liners                = false    # false/true
+
+# Don't split one-line enums: 'enum foo { BAR = 15 };'
+nl_enum_leave_one_liners                 = false    # false/true
+
+# Don't split one-line get or set functions
+nl_getset_leave_one_liners               = false    # false/true
+
+# Don't split one-line function definitions - 'int foo() { return 0; }'
+nl_func_leave_one_liners                 = false    # false/true
+
+# Don't split one-line if/else statements - 'if(a) b++;'
+nl_if_leave_one_liners                   = false    # false/true
+
+# Add or remove newlines at the start of the file
+nl_start_of_file                         = ignore   # ignore/add/remove/force
+
+# The number of newlines at the start of the file (only used if nl_start_of_file is 'add' or 'force'
+nl_start_of_file_min                     = 0        # number
+
+# Add or remove newline at the end of the file
+nl_end_of_file                           = ignore   # ignore/add/remove/force
+
+# The number of newlines at the end of the file (only used if nl_end_of_file is 'add' or 'force')
+nl_end_of_file_min                       = 0        # number
+
+# Add or remove newline between '=' and '{'
+nl_assign_brace                          = ignore   # ignore/add/remove/force
+
+# Add or remove newline between '=' and '[' (D only)
+nl_assign_square                         = ignore   # ignore/add/remove/force
+
+# Add or remove newline after '= [' (D only). Will also affect the newline before the ']'
+nl_after_square_assign                   = ignore   # ignore/add/remove/force
+
+# The number of blank lines after a block of variable definitions at the top of a function body.
+# 0=no change (default)
+nl_func_var_def_blk                      = 0        # number
+
+# Add or remove newline between a function call's ')' and '{', as in:
+# list_for_each(item, &list) { }
+nl_fcall_brace                           = ignore   # ignore/add/remove/force
+
+# Add or remove newline between 'enum' and '{'
+nl_enum_brace                            = ignore   # ignore/add/remove/force
+
+# Add or remove newline between 'struct and '{'
+nl_struct_brace                          = ignore   # ignore/add/remove/force
+
+# Add or remove newline between 'union' and '{'
+nl_union_brace                           = ignore   # ignore/add/remove/force
+
+# Add or remove newline between 'if' and '{'
+nl_if_brace                              = ignore   # ignore/add/remove/force
+
+# Add or remove newline between '}' and 'else'
+nl_brace_else                            = remove   # ignore/add/remove/force
+
+# Add or remove newline between 'else if' and '{'
+# If set to ignore, nl_if_brace is used instead
+nl_elseif_brace                          = remove   # ignore/add/remove/force
+
+# Add or remove newline between 'else' and '{'
+nl_else_brace                            = remove   # ignore/add/remove/force
+
+# Add or remove newline between 'else' and 'if'
+nl_else_if                               = remove   # ignore/add/remove/force
+
+# Add or remove newline between '}' and 'finally'
+nl_brace_finally                         = ignore   # ignore/add/remove/force
+
+# Add or remove newline between 'finally' and '{'
+nl_finally_brace                         = ignore   # ignore/add/remove/force
+
+# Add or remove newline between 'try' and '{'
+nl_try_brace                             = ignore   # ignore/add/remove/force
+
+# Add or remove newline between get/set and '{'
+nl_getset_brace                          = ignore   # ignore/add/remove/force
+
+# Add or remove newline between 'for' and '{'
+nl_for_brace                             = remove   # ignore/add/remove/force
+
+# Add or remove newline between 'catch' and '{'
+nl_catch_brace                           = ignore   # ignore/add/remove/force
+
+# Add or remove newline between '}' and 'catch'
+nl_brace_catch                           = ignore   # ignore/add/remove/force
+
+# Add or remove newline between 'while' and '{'
+nl_while_brace                           = remove   # ignore/add/remove/force
+
+# Add or remove newline between 'using' and '{'
+nl_using_brace                           = ignore   # ignore/add/remove/force
+
+# Add or remove newline between two open or close braces.
+# Due to general newline/brace handling, REMOVE may not work.
+nl_brace_brace                           = ignore   # ignore/add/remove/force
+
+# Add or remove newline between 'do' and '{'
+nl_do_brace                              = ignore   # ignore/add/remove/force
+
+# Add or remove newline between '}' and 'while' of 'do' statement
+nl_brace_while                           = ignore   # ignore/add/remove/force
+
+# Add or remove newline between 'switch' and '{'
+nl_switch_brace                          = remove   # ignore/add/remove/force
+
+# Add a newline between ')' and '{' if the ')' is on a different line than the if/for/etc.
+# Overrides nl_for_brace, nl_if_brace, nl_switch_brace, nl_while_switch, and nl_catch_brace.
+nl_multi_line_cond                       = true     # false/true
+
+# Force a newline in a define after the macro name for multi-line defines.
+nl_multi_line_define                     = false    # false/true
+
+# Whether to put a newline before 'case' statement
+nl_before_case                           = false    # false/true
+
+# Add or remove newline between ')' and 'throw'
+nl_before_throw                          = ignore   # ignore/add/remove/force
+
+# Whether to put a newline after 'case' statement
+nl_after_case                            = false    # false/true
+
+# Add or remove a newline between a case ':' and '{'. Overrides nl_after_case.
+nl_case_colon_brace                      = ignore   # ignore/add/remove/force
+
+# Newline between namespace and {
+nl_namespace_brace                       = ignore   # ignore/add/remove/force
+
+# Add or remove newline between 'template<>' and whatever follows.
+nl_template_class                        = ignore   # ignore/add/remove/force
+
+# Add or remove newline between 'class' and '{'
+nl_class_brace                           = ignore   # ignore/add/remove/force
+
+# Add or remove newline after each ',' in the constructor member initialization
+nl_class_init_args                       = ignore   # ignore/add/remove/force
+
+# Add or remove newline between return type and function name in a function definition
+nl_func_type_name                        = add      # ignore/add/remove/force
+
+# Add or remove newline between return type and function name inside a class {}
+# Uses nl_func_type_name or nl_func_proto_type_name if set to ignore.
+nl_func_type_name_class                  = ignore   # ignore/add/remove/force
+
+# Add or remove newline between function scope and name in a definition
+# Controls the newline after '::' in 'void A::f() { }'
+nl_func_scope_name                       = ignore   # ignore/add/remove/force
+
+# Add or remove newline between return type and function name in a prototype
+nl_func_proto_type_name                  = ignore   # ignore/add/remove/force
+
+# Add or remove newline between a function name and the opening '('
+nl_func_paren                            = ignore   # ignore/add/remove/force
+
+# Add or remove newline between a function name and the opening '(' in the definition
+nl_func_def_paren                        = ignore   # ignore/add/remove/force
+
+# Add or remove newline after '(' in a function declaration
+nl_func_decl_start                       = ignore   # ignore/add/remove/force
+
+# Add or remove newline after '(' in a function definition
+nl_func_def_start                        = ignore   # ignore/add/remove/force
+
+# Overrides nl_func_decl_start when there is only one parameter.
+nl_func_decl_start_single                = ignore   # ignore/add/remove/force
+
+# Overrides nl_func_def_start when there is only one parameter.
+nl_func_def_start_single                 = ignore   # ignore/add/remove/force
+
+# Add or remove newline after each ',' in a function declaration
+nl_func_decl_args                        = remove   # ignore/add/remove/force
+
+# Add or remove newline after each ',' in a function definition
+nl_func_def_args                         = remove   # ignore/add/remove/force
+
+# Add or remove newline before the ')' in a function declaration
+nl_func_decl_end                         = ignore   # ignore/add/remove/force
+
+# Add or remove newline before the ')' in a function definition
+nl_func_def_end                          = ignore   # ignore/add/remove/force
+
+# Overrides nl_func_decl_end when there is only one parameter.
+nl_func_decl_end_single                  = ignore   # ignore/add/remove/force
+
+# Overrides nl_func_def_end when there is only one parameter.
+nl_func_def_end_single                   = ignore   # ignore/add/remove/force
+
+# Add or remove newline between '()' in a function declaration.
+nl_func_decl_empty                       = ignore   # ignore/add/remove/force
+
+# Add or remove newline between '()' in a function definition.
+nl_func_def_empty                        = ignore   # ignore/add/remove/force
+
+# Add or remove newline between function signature and '{'
+nl_fdef_brace                            = ignore   # ignore/add/remove/force
+
+# Whether to put a newline after 'return' statement
+nl_after_return                          = false    # false/true
+
+# Add or remove a newline between the return keyword and return expression.
+nl_return_expr                           = ignore   # ignore/add/remove/force
+
+# Whether to put a newline after semicolons, except in 'for' statements
+nl_after_semicolon                       = false    # false/true
+
+# Whether to put a newline after brace open.
+# This also adds a newline before the matching brace close.
+nl_after_brace_open                      = false    # false/true
+
+# If nl_after_brace_open and nl_after_brace_open_cmt are true, a newline is
+# placed between the open brace and a trailing single-line comment.
+nl_after_brace_open_cmt                  = false    # false/true
+
+# Whether to put a newline after a virtual brace open with a non-empty body.
+# These occur in un-braced if/while/do/for statement bodies.
+nl_after_vbrace_open                     = false    # false/true
+
+# Whether to put a newline after a virtual brace open with an empty body.
+# These occur in un-braced if/while/do/for statement bodies.
+nl_after_vbrace_open_empty               = false    # false/true
+
+# Whether to put a newline after a brace close.
+# Does not apply if followed by a necessary ';'.
+nl_after_brace_close                     = false    # false/true
+
+# Whether to put a newline after a virtual brace close.
+# Would add a newline before return in: 'if (foo) a++; return;'
+nl_after_vbrace_close                    = false    # false/true
+
+# Whether to alter newlines in '#define' macros
+nl_define_macro                          = false    # false/true
+
+# Whether to not put blanks after '#ifxx', '#elxx', or before '#endif'
+nl_squeeze_ifdef                         = false    # false/true
+
+# Add or remove blank line before 'if'
+nl_before_if                             = ignore   # ignore/add/remove/force
+
+# Add or remove blank line after 'if' statement
+nl_after_if                              = ignore   # ignore/add/remove/force
+
+# Add or remove blank line before 'for'
+nl_before_for                            = ignore   # ignore/add/remove/force
+
+# Add or remove blank line after 'for' statement
+nl_after_for                             = ignore   # ignore/add/remove/force
+
+# Add or remove blank line before 'while'
+nl_before_while                          = ignore   # ignore/add/remove/force
+
+# Add or remove blank line after 'while' statement
+nl_after_while                           = ignore   # ignore/add/remove/force
+
+# Add or remove blank line before 'switch'
+nl_before_switch                         = ignore   # ignore/add/remove/force
+
+# Add or remove blank line after 'switch' statement
+nl_after_switch                          = ignore   # ignore/add/remove/force
+
+# Add or remove blank line before 'do'
+nl_before_do                             = ignore   # ignore/add/remove/force
+
+# Add or remove blank line after 'do/while' statement
+nl_after_do                              = ignore   # ignore/add/remove/force
+
+# Whether to double-space commented-entries in struct/enum
+nl_ds_struct_enum_cmt                    = false    # false/true
+
+# Whether to double-space before the close brace of a struct/union/enum
+# (lower priority than 'eat_blanks_before_close_brace')
+nl_ds_struct_enum_close_brace            = false    # false/true
+
+# Add or remove a newline around a class colon.
+# Related to pos_class_colon, nl_class_init_args, and pos_comma.
+nl_class_colon                           = ignore   # ignore/add/remove/force
+
+# Change simple unbraced if statements into a one-liner
+# 'if(b)\n i++;' => 'if(b) i++;'
+nl_create_if_one_liner                   = false    # false/true
+
+# Change simple unbraced for statements into a one-liner
+# 'for (i=0;i<5;i++)\n foo(i);' => 'for (i=0;i<5;i++) foo(i);'
+nl_create_for_one_liner                  = false    # false/true
+
+# Change simple unbraced while statements into a one-liner
+# 'while (i<5)\n foo(i++);' => 'while (i<5) foo(i++);'
+nl_create_while_one_liner                = false    # false/true
+
+#
+# Positioning options
+#
+
+# The position of arithmetic operators in wrapped expressions
+pos_arith                                = ignore   # ignore/lead/lead_break/lead_force/trail/trail_break/trail_force
+
+# The position of assignment in wrapped expressions.
+# Do not affect '=' followed by '{'
+pos_assign                               = ignore   # ignore/lead/lead_break/lead_force/trail/trail_break/trail_force
+
+# The position of boolean operators in wrapped expressions
+pos_bool                                 = trail    # ignore/lead/lead_break/lead_force/trail/trail_break/trail_force
+
+# The position of comparison operators in wrapped expressions
+pos_compare                              = ignore   # ignore/lead/lead_break/lead_force/trail/trail_break/trail_force
+
+# The position of conditional (b ? t : f) operators in wrapped expressions
+pos_conditional                          = ignore   # ignore/lead/lead_break/lead_force/trail/trail_break/trail_force
+
+# The position of the comma in wrapped expressions
+pos_comma                                = ignore   # ignore/lead/lead_break/lead_force/trail/trail_break/trail_force
+
+# The position of the comma in the constructor initialization list
+pos_class_comma                          = ignore   # ignore/lead/lead_break/lead_force/trail/trail_break/trail_force
+
+# The position of colons between constructor and member initialization
+pos_class_colon                          = ignore   # ignore/lead/lead_break/lead_force/trail/trail_break/trail_force
+
+#
+# Line Splitting options
+#
+
+# Try to limit code width to N number of columns
+code_width                               = 79       # number
+
+# Whether to fully split long 'for' statements at semi-colons
+ls_for_split_full                        = true     # false/true
+
+# Whether to fully split long function protos/calls at commas
+ls_func_split_full                       = true     # false/true
+
+#
+# Blank line options
+#
+
+# The maximum consecutive newlines
+nl_max                                   = 0        # number
+
+# The number of newlines after a function prototype, if followed by another function prototype
+nl_after_func_proto                      = 0        # number
+
+# The number of newlines after a function prototype, if not followed by another function prototype
+nl_after_func_proto_group                = 0        # number
+
+# The number of newlines after '}' of a multi-line function body
+nl_after_func_body                       = 0        # number
+
+# The number of newlines after '}' of a multi-line function body in a class declaration
+nl_after_func_body_class                 = 0        # number
+
+# The number of newlines after '}' of a single line function body
+nl_after_func_body_one_liner             = 0        # number
+
+# The minimum number of newlines before a multi-line comment.
+# Doesn't apply if after a brace open or another multi-line comment.
+nl_before_block_comment                  = 0        # number
+
+# The minimum number of newlines before a single-line C comment.
+# Doesn't apply if after a brace open or other single-line C comments.
+nl_before_c_comment                      = 0        # number
+
+# The minimum number of newlines before a CPP comment.
+# Doesn't apply if after a brace open or other CPP comments.
+nl_before_cpp_comment                    = 0        # number
+
+# Whether to force a newline after a multi-line comment.
+nl_after_multiline_comment               = false    # false/true
+
+# The number of newlines after '}' or ';' of a struct/enum/union definition
+nl_after_struct                          = 0        # number
+
+# The number of newlines after '}' or ';' of a class definition
+nl_after_class                           = 0        # number
+
+# The number of newlines before a 'private:', 'public:', 'protected:', 'signals:', or 'slots:' label.
+# Will not change the newline count if after a brace open.
+# 0 = No change.
+nl_before_access_spec                    = 0        # number
+
+# The number of newlines after a 'private:', 'public:', 'protected:', 'signals:', or 'slots:' label.
+# 0 = No change.
+nl_after_access_spec                     = 0        # number
+
+# The number of newlines between a function def and the function comment.
+# 0 = No change.
+nl_comment_func_def                      = 0        # number
+
+# The number of newlines after a try-catch-finally block that isn't followed by a brace close.
+# 0 = No change.
+nl_after_try_catch_finally               = 0        # number
+
+# The number of newlines before and after a property, indexer or event decl.
+# 0 = No change.
+nl_around_cs_property                    = 0        # number
+
+# The number of newlines between the get/set/add/remove handlers in C#.
+# 0 = No change.
+nl_between_get_set                       = 0        # number
+
+# Add or remove newline between C# property and the '{'
+nl_property_brace                        = ignore   # ignore/add/remove/force
+
+# Whether to remove blank lines after '{'
+eat_blanks_after_open_brace              = true     # false/true
+
+# Whether to remove blank lines before '}'
+eat_blanks_before_close_brace            = true     # false/true
+
+#
+# Code modifying options (non-whitespace)
+#
+
+# Add or remove braces on single-line 'do' statement
+mod_full_brace_do                        = ignore   # ignore/add/remove/force
+
+# Add or remove braces on single-line 'for' statement
+mod_full_brace_for                       = ignore   # ignore/add/remove/force
+
+# Add or remove braces on single-line function definitions. (Pawn)
+mod_full_brace_function                  = ignore   # ignore/add/remove/force
+
+# Add or remove braces on single-line 'if' statement. Will not remove the braces if they contain an 'else'.
+mod_full_brace_if                        = add      # ignore/add/remove/force
+
+# Make all if/elseif/else statements in a chain be braced or not. Overrides mod_full_brace_if.
+# If any must be braced, they are all braced.  If all can be unbraced, then the braces are removed.
+mod_full_brace_if_chain                  = false    # false/true
+
+# Don't remove braces around statements that span N newlines
+mod_full_brace_nl                        = 0        # number
+
+# Add or remove braces on single-line 'while' statement
+mod_full_brace_while                     = add      # ignore/add/remove/force
+
+# Add or remove braces on single-line 'using ()' statement
+mod_full_brace_using                     = ignore   # ignore/add/remove/force
+
+# Add or remove unnecessary paren on 'return' statement
+mod_paren_on_return                      = add      # ignore/add/remove/force
+
+# Whether to change optional semicolons to real semicolons
+mod_pawn_semicolon                       = false    # false/true
+
+# Add parens on 'while' and 'if' statement around bools
+mod_full_paren_if_bool                   = false    # false/true
+
+# Whether to remove superfluous semicolons
+mod_remove_extra_semicolon               = true     # false/true
+
+# If a function body exceeds the specified number of newlines and doesn't have a comment after
+# the close brace, a comment will be added.
+mod_add_long_function_closebrace_comment = 0        # number
+
+# If a switch body exceeds the specified number of newlines and doesn't have a comment after
+# the close brace, a comment will be added.
+mod_add_long_switch_closebrace_comment   = 0        # number
+
+# If an #ifdef body exceeds the specified number of newlines and doesn't have a comment after
+# the #endif, a comment will be added.
+mod_add_long_ifdef_endif_comment         = 1        # number
+
+# If an #ifdef or #else body exceeds the specified number of newlines and doesn't have a comment after
+# the #else, a comment will be added.
+mod_add_long_ifdef_else_comment          = 1        # number
+
+# If TRUE, will sort consecutive single-line 'import' statements [Java, D]
+mod_sort_import                          = false    # false/true
+
+# If TRUE, will sort consecutive single-line 'using' statements [C#]
+mod_sort_using                           = false    # false/true
+
+# If TRUE, will sort consecutive single-line '#include' statements [C/C++] and '#import' statements [Obj-C]
+# This is generally a bad idea, as it may break your code.
+mod_sort_include                         = false    # false/true
+
+# If TRUE, it will move a 'break' that appears after a fully braced 'case' before the close brace.
+mod_move_case_break                      = false    # false/true
+
+# Will add or remove the braces around a fully braced case statement.
+# Will only remove the braces if there are no variable declarations in the block.
+mod_case_brace                           = ignore   # ignore/add/remove/force
+
+# If TRUE, it will remove a void 'return;' that appears as the last statement in a function.
+mod_remove_empty_return                  = false    # false/true
+
+#
+# Comment modifications
+#
+
+# Try to wrap comments at cmt_width columns
+cmt_width                                = 80       # number
+
+# Set the comment reflow mode (default: 0)
+# 0: no reflowing (apart from the line wrapping due to cmt_width)
+# 1: no touching at all
+# 2: full reflow
+cmt_reflow_mode                          = 2        # number
+
+# If false, disable all multi-line comment changes, including cmt_width. keyword substitution, and leading chars.
+# Default is true.
+cmt_indent_multi                         = true     # false/true
+
+# Whether to group c-comments that look like they are in a block
+cmt_c_group                              = false    # false/true
+
+# Whether to put an empty '/*' on the first line of the combined c-comment
+cmt_c_nl_start                           = true     # false/true
+
+# Whether to put a newline before the closing '*/' of the combined c-comment
+cmt_c_nl_end                             = true     # false/true
+
+# Whether to group cpp-comments that look like they are in a block
+cmt_cpp_group                            = false    # false/true
+
+# Whether to put an empty '/*' on the first line of the combined cpp-comment
+cmt_cpp_nl_start                         = false    # false/true
+
+# Whether to put a newline before the closing '*/' of the combined cpp-comment
+cmt_cpp_nl_end                           = false    # false/true
+
+# Whether to change cpp-comments into c-comments
+cmt_cpp_to_c                             = true     # false/true
+
+# Whether to put a star on subsequent comment lines
+cmt_star_cont                            = true     # false/true
+
+# The number of spaces to insert at the start of subsequent comment lines
+cmt_sp_before_star_cont                  = 0        # number
+
+# The number of spaces to insert after the star on subsequent comment lines
+cmt_sp_after_star_cont                   = 0        # number
+
+# For multi-line comments with a '*' lead, remove leading spaces if the first and last lines of
+# the comment are the same length. Default=True
+cmt_multi_check_last                     = true     # false/true
+
+# The filename that contains text to insert at the head of a file if the file doesn't start with a C/C++ comment.
+# Will substitute $(filename) with the current file's name.
+cmt_insert_file_header                   = ""         # string
+
+# The filename that contains text to insert at the end of a file if the file doesn't end with a C/C++ comment.
+# Will substitute $(filename) with the current file's name.
+cmt_insert_file_footer                   = ""         # string
+
+# The filename that contains text to insert before a function implementation if the function isn't preceded with a C/C++ comment.
+# Will substitute $(function) with the function name and $(javaparam) with the javadoc @param and @return stuff.
+# Will also substitute $(fclass) with the class name: void CFoo::Bar() { ... }
+cmt_insert_func_header                   = ""         # string
+
+# The filename that contains text to insert before a class if the class isn't preceded with a C/C++ comment.
+# Will substitute $(class) with the class name.
+cmt_insert_class_header                  = ""         # string
+
+# The filename that contains text to insert before a Obj-C message specification if the method isn't preceded with a C/C++ comment.
+# Will substitute $(message) with the function name and $(javaparam) with the javadoc @param and @return stuff.
+cmt_insert_oc_msg_header                 = ""         # string
+
+# If a preprocessor is encountered when stepping backwards from a function name, then
+# this option decides whether the comment should be inserted.
+# Affects cmt_insert_oc_msg_header, cmt_insert_func_header and cmt_insert_class_header.
+cmt_insert_before_preproc                = false    # false/true
+
+#
+# Preprocessor options
+#
+
+# Control indent of preprocessors inside #if blocks at brace level 0
+pp_indent                                = ignore   # ignore/add/remove/force
+
+# Whether to indent #if/#else/#endif at the brace level (true) or from column 1 (false)
+pp_indent_at_level                       = false    # false/true
+
+# If pp_indent_at_level=false, specifies the number of columns to indent per level. Default=1.
+pp_indent_count                          = 1        # number
+
+# Add or remove space after # based on pp_level of #if blocks
+pp_space                                 = ignore   # ignore/add/remove/force
+
+# Sets the number of spaces added with pp_space
+pp_space_count                           = 0        # number
+
+# The indent for #region and #endregion in C# and '#pragma region' in C/C++
+pp_indent_region                         = 0        # number
+
+# Whether to indent the code between #region and #endregion
+pp_region_indent_code                    = false    # false/true
+
+# If pp_indent_at_level=true, sets the indent for #if, #else, and #endif when not at file-level
+pp_indent_if                             = 0        # number
+
+# Control whether to indent the code between #if, #else and #endif when not at file-level
+pp_if_indent_code                        = false    # false/true
+
+# Whether to indent '#define' at the brace level (true) or from column 1 (false)
+pp_define_at_level                       = false    # false/true
+
+# You can force a token to be a type with the 'type' option.
+# Example:
+# type myfoo1 myfoo2
+#
+# You can create custom macro-based indentation using macro-open,
+# macro-else and macro-close.
+# Example:
+# macro-open  BEGIN_TEMPLATE_MESSAGE_MAP
+# macro-open  BEGIN_MESSAGE_MAP
+# macro-close END_MESSAGE_MAP
+#
+# You can assign any keyword to any type with the set option.
+# set func_call_user _ N_
+#
+# The full syntax description of all custom definition config entries
+# is shown below:
+#
+# define custom tokens as:
+# - embed whitespace in token using '' escape character, or
+#   put token in quotes
+# - these: ' " and ` are recognized as quote delimiters
+#
+# type token1 token2 token3 ...
+#             ^ optionally specify multiple tokens on a single line
+# define def_token output_token
+#                  ^ output_token is optional, then NULL is assumed
+# macro-open token
+# macro-close token
+# macro-else token
+# set id token1 token2 ...
+#               ^ optionally specify multiple tokens on a single line
+#     ^ id is one of the names in token_enum.h sans the CT_ prefix,
+#       e.g. PP_PRAGMA
+#
+# all tokens are separated by any mix of ',' commas, '=' equal signs
+# and whitespace (space, tab)
+#
diff --git a/CHANGES b/CHANGES
new file mode 100644
index 0000000..fa0ff27
--- /dev/null
+++ b/CHANGES
@@ -0,0 +1,19658 @@
+	--- 9.16.44 released ---
+
+6245.	[security]	Limit the amount of recursion that can be performed
+			by isccc_cc_fromwire. (CVE-2023-3341) [GL #4152]
+
+6235.	[doc]		Clarify BIND 9 time formats. [GL #4266]
+
+6230.	[bug]		Prevent an unnecessary query restart if a synthesized
+			CNAME target points to the CNAME owner. [GL #3835]
+
+	--- 9.16.43 released ---
+
+6212.	[bug]		Don't process detach and close netmgr events when
+			the netmgr has been paused. [GL #4200]
+
+	--- 9.16.42 released ---
+
+6192.	[security]	A query that prioritizes stale data over lookup
+			triggers a fetch to refresh the stale data in cache.
+			If the fetch is aborted for exceeding the recursion
+			quota, it was possible for 'named' to enter an infinite
+			callback loop and crash due to stack overflow. This has
+			been fixed. (CVE-2023-2911) [GL #4089]
+
+6190.	[security]	Improve the overmem cleaning process to prevent the
+			cache going over the configured limit. (CVE-2023-2828)
+			[GL #4055]
+
+6183.	[bug]		Fix a serve-stale bug where a delegation from cache
+			could be returned to the client. [GL #3950]
+
+6173.	[bug]		Properly process extra "nameserver" lines in
+			resolv.conf otherwise the next line is not properly
+			processed. [GL #4066]
+
+6169.	[bug]		named could crash when deleting inline-signing zones
+			with "rndc delzone". [GL #4054]
+
+	--- 9.16.41 released ---
+
+6157.	[bug]		When removing delegations in an OPTOUT range
+			empty-non-terminal NSEC3 records generated by
+			those delegations were not removed. [GL #4027]
+
+	--- 9.16.40 released ---
+
+6142.	[bug]		Reduce the number of dns_dnssec_verify calls made
+			determining if revoked keys needs to be removed from
+			the trust anchors. [GL #3981]
+
+6138.	[doc]		Fix the DF-flag documentation on the outgoing
+			UDP packets. [GL #3710]
+
+6132.	[doc]		Remove a dead link in the DNSSEC guide. [GL #3967]
+
+6129.	[cleanup]	Value stored to 'source' during its initialization is
+			never read. [GL #3965]
+
+6124.	[bug]		When changing from a NSEC3 capable DNSSEC algorithm to
+			an NSEC3 incapable DNSSEC algorithm using KASP the zone
+			could sometimes be incompletely signed. [GL #3937]
+
+5741.	[bug]		Log files with "timestamp" suffixes could be left in
+			place after rolling, even if the number of preserved
+			log files exceeded the configured "versions" limit.
+			[GL #828] [GL #3959]
+
+	--- 9.16.39 released ---
+
+6119.	[bug]		Make sure to revert the reconfigured zones to the
+			previous version of the view, when the new view
+			reconfiguration fails during the configuration of
+			one of the configured zones. [GL #3911]
+
+6116.	[bug]		Fix error path cleanup issue in the dns_catz_new_zones()
+			function. [GL #3900]
+
+6115.	[bug]		Unregister db update notify callback before detaching
+			from the previous db inside the catz update notify
+			callback. [GL #3777]
+
+6105.	[bug]		Detach 'rpzs' and 'catzs' from the previous view in
+			configure_rpz() and configure_catz(), respectively,
+			just after attaching it to the new view. [GL #3880]
+
+6098.	[test]		Don't test HMAC-MD5 when not supported by libcrypto.
+			[GL #3871]
+
+6095.	[test]		Test various 'islands of trust' configurations when
+			using managed keys. [GL #3662]
+
+6094.	[bug]		Building against (or running with) libuv versions
+			1.35.0 and 1.36.0 is now a fatal error.  The rules for
+			mixing and matching compile-time and run-time libuv
+			versions have been tightened for libuv versions between
+			1.35.0 and 1.40.0. [GL #3840]
+
+	--- 9.16.38 released ---
+
+6083.	[bug]		Fix DNSRPS-enabled builds as they were inadvertently
+			broken by change 6042. [GL #3827]
+
+6081.	[bug]		Handle primary server address lookup failures in
+			nsupdate more gracefully. [GL #3830]
+
+6080.	[bug]		'named -V' leaked memory. [GL #3829]
+
+6079.	[bug]		Force set the DS state after a 'rdnc dnssec -checkds'
+			command. [GL #3822]
+
+6075.	[bug]		Add missing node lock when setting node->wild in
+			add_wildcard_magic. [GL #3799]
+
+6072.	[bug]		Avoid the OpenSSL lock contention when initializing
+			Message Digest Contexts by using explicit algorithm
+			fetching, initializing static contexts for every
+			supported algorithms, and initializing the new context
+			by copying the static copy. [GL #3795]
+
+6069.	[bug]		Detach from the view in zone_shutdown() to
+			release the memory held by the dead view
+			early. [GL #3801]
+
+	--- 9.16.37 released ---
+
+6067.	[security]	Fix serve-stale crash when recursive clients soft quota
+			is reached. (CVE-2022-3924) [GL #3619]
+
+6066.	[security]	Handle RRSIG lookups when serve-stale is active.
+			(CVE-2022-3736) [GL #3622]
+
+6064.	[security]	An UPDATE message flood could cause named to exhaust all
+			available memory. This flaw was addressed by adding a
+			new "update-quota" statement that controls the number of
+			simultaneous UPDATE messages that can be processed or
+			forwarded. The default is 100. A stats counter has been
+			added to record events when the update quota is
+			exceeded, and the XML and JSON statistics version
+			numbers have been updated. (CVE-2022-3094) [GL #3523]
+
+6062.	[func]		The DSCP implementation, which has only been
+			partly operational since 9.16.0, is now marked as
+			deprecated. Configuring DSCP values in named.conf
+			will cause a warning will be logged. [GL #3773]
+
+6060.	[bug]		Fix a use-after-free bug in dns_zonemgr_releasezone()
+			by detaching from the zone manager outside of the write
+			lock. [GL #3768]
+
+6059.	[bug]		In some serve stale scenarios, like when following an
+			expired CNAME record, named could return SERVFAIL if the
+			previous request wasn't successful. Consider non-stale
+			data when in serve-stale mode. [GL #3678]
+
+6058.	[bug]		Prevent named from crashing when "rndc delzone"
+			attempts to delete a zone added by a catalog zone.
+			[GL #3745]
+
+6050.	[bug]		Changes to the RPZ response-policy min-update-interval
+			and add-soa options now take effect as expected when
+			named is reconfigured. [GL #3740]
+
+6048.	[bug]		Fix a log message error in dns_catz_update_from_db(),
+			where serials with values of 2^31 or larger were logged
+			incorrectly as negative numbers. [GL #3742]
+
+6045.	[cleanup]	The list of supported DNSSEC algorithms changed log
+			level from "warning" to "notice" to match named's other
+			startup messages. [GL !7217]
+
+6044.	[bug]		There was an "RSASHA236" typo in a log message.
+			[GL !7206]
+
+5845.	[bug]		Refactor the timer to keep track of posted events
+			as to use isc_task_purgeevent() instead of using
+			isc_task_purgerange().  The isc_task_purgeevent()
+			has been refactored to purge a single event instead
+			of walking through the list of posted events.
+			[GL #3252]
+
+	--- 9.16.36 released ---
+
+6043.	[bug]		The key file IO locks objects would never get
+			deleted from the hashtable due to off-by-one error.
+			[GL #3727]
+
+6042.	[bug]		ANY responses could sometimes have the wrong TTL.
+			[GL #3613]
+
+6040.	[bug]		Speed up the named shutdown time by explicitly
+			canceling all recursing ns_client objects for
+			each ns_clientmgr. [GL #3183]
+
+6039.	[bug]		Removing a catalog zone from catalog-zones without
+			also removing the referenced zone could leave a
+			dangling pointer. [GL #3683]
+
+6031.	[bug]		Move the "final reference detached" log message
+			from dns_zone unit to the DEBUG(1) log level.
+			[GL #3707]
+
+6024.	[func]		Deprecate 'auto-dnssec'. [GL #3667]
+
+6021.	[bug]		Use the current domain name when checking answers from
+			a dual-stack-server. [GL #3607]
+
+6020.	[bug]		Ensure 'named-checkconf -z' respects the check-wildcard
+			option when loading a zone.  [GL #1905]
+
+6017.	[bug]		The view's zone table was not locked when it should
+			have been leading to race conditions when external
+			extensions that manipulate the zone table where in
+			use. [GL #3468]
+
+	--- 9.16.35 released ---
+
+6013.	[bug]		Fix a crash that could happen when you change
+			a dnssec-policy zone with NSEC3 to start using
+			inline-signing. [GL #3591]
+
+6009.	[bug]		Don't trust a placeholder KEYDATA from the managed-keys
+			zone by adding it into secroots. [GL #2895]
+
+6008.	[bug]		Fixed a race condition that could cause a crash
+			in dns_zone_synckeyzone(). [GL #3617]
+
+6002.	[bug]		Fix a resolver prefetch bug when the record's TTL value
+			is equal to the configured prefetch eligibility value,
+			but the record was erroneously not treated as eligible
+			for prefetching. [GL #3603]
+
+6001.	[bug]		Always call dns_adb_endudpfetch() after calling
+			dns_adb_beginudpfetch() for UDP queries in resolver.c,
+			in order to adjust back the quota. [GL #3598]
+
+6000.	[bug]		Fix a startup issue on Solaris systems with many
+			(reportedly > 510) CPUs. Thanks to Stacey Marshall from
+			Oracle for deep investigation of the problem. [GL #3563]
+
+5999.	[bug]		rpz-ip rules could be ineffective in some scenarios
+			with CD=1 queries. [GL #3247]
+
+5998.	[bug]		The RecursClients statistics counter could overflow
+			in certain resolution scenarios. [GL #3584]
+
+5996.	[bug]		Fix a couple of bugs in cfg_print_duration(), which
+			could result in generating incomplete duration values
+			when printing the configuration using named-checkconf.
+			[GL !6880]
+
+	--- 9.16.34 released ---
+
+5991.	[protocol]	Add support for parsing and validating "dohpath" to
+			SVCB. [GL #3544]
+
+5988.	[bug]		Some out of memory conditions in opensslrsa_link.c
+			could lead to memory leaks. [GL #3551]
+
+5984.	[func]		'named -V' now reports the list of supported
+			DNSSEC/DS/HMAC algorithms and the supported TKEY modes.
+			[GL #3541]
+
+5983.	[bug]		Changing just the TSIG key names for primaries in
+			catalog zones' member zones was not effective.
+			[GL #3557]
+
+5973.	[bug]		Fixed a possible invalid detach in UPDATE
+			processing. [GL #3522]
+
+5963.	[bug]		Ensure struct named_server is properly initialized.
+			[GL #6531]
+
+5921.	[test]		Convert system tests to use a default DNSKEY algorithm
+			where the test is not DNSKEY algorithm specific.
+			[GL #3440]
+
+	--- 9.16.33 released ---
+
+5962.	[security]	Fix memory leak in EdDSA verify processing.
+			(CVE-2022-38178) [GL #3487]
+
+5961.	[security]	Fix memory leak in ECDSA verify processing.
+			(CVE-2022-38177) [GL #3487]
+
+5960.	[security]	Fix serve-stale crash that could happen when
+			stale-answer-client-timeout was set to 0 and there was
+			a stale CNAME in the cache for an incoming query.
+			(CVE-2022-3080) [GL #3517]
+
+5957.	[security]	Prevent excessive resource use while processing large
+			delegations. (CVE-2022-2795) [GL #3394]
+
+5956.	[func]		Make RRL code treat all QNAMEs that are subject to
+			wildcard processing within a given zone as the same
+			name. [GL #3459]
+
+5955.	[port]		The libxml2 library has deprecated the usage of
+			xmlInitThreads() and xmlCleanupThreads() functions. Use
+			xmlInitParser() and xmlCleanupParser() instead.
+			[GL #3518]
+
+5954.	[func]		Fallback to IDNA2003 processing in dig when IDNA2008
+			conversion fails. [GL #3485]
+
+5953.	[bug]		Fix a crash on shutdown in delete_trace_entry(). Add
+			mctx attach/detach pair to make sure that the memory
+			context used by a memory pool is not destroyed before
+			the memory pool itself. [GL #3515]
+
+5952.	[bug]		Use quotes around address strings in YAML output.
+			[GL #3511]
+
+5951.	[bug]		In some cases, the dnstap query_message field was
+			erroneously set when logging response messages.
+			[GL #3501]
+
+5948.	[bug]		Fix nsec3.c:dns_nsec3_activex() function, add a missing
+			dns_db_detachnode() call. [GL #3500]
+
+5945.	[bug]		If parsing /etc/bind.key failed, delv could assert
+			when trying to parse the built in trust anchors as
+			the parser hadn't been reset. [GL !6468]
+
+5942.	[bug]		Fix tkey.c:buildquery() function's error handling by
+			adding the missing cleanup code. [GL #3492]
+
+5941.	[func]		Zones with dnssec-policy now require dynamic DNS or
+			inline-siging to be configured explicitly. [GL #3381]
+
+5936.	[bug]		Don't enable serve-stale for lookups that error because
+			it is a duplicate query or a query that would be
+			dropped. [GL #2982]
+
+	--- 9.16.32 released ---
+
+5934.	[func]		Improve fetches-per-zone fetch limit logging to log
+			the final allowed and spilled values of the fetch
+			counters before the counter object gets destroyed.
+			[GL #3461]
+
+5933.	[port]		Automatically disable RSASHA1 and NSEC3RSASHA1 in
+			named on Fedorda 33, Oracle Linux 9 and RHEL9 when
+			they are disabled by the security policy. [GL #3469]
+
+5932.	[bug]		Fix rndc dumpdb -expired and always include expired
+			RRsets, not just for RBTDB_VIRTUAL time window.
+			[GL #3462]
+
+5929.	[bug]		The "max-zone-ttl" option in "dnssec-policy" was
+			not fully effective; it was used for timing key
+			rollovers but did not actually place an upper limit
+			on TTLs when loading a zone. This has been
+			corrected, and the documentation has been clarified
+			to indicate that the old "max-zone-ttl" zone option
+			is now ignored when "dnssec-policy" is in use.
+			[GL #2918]
+
+5924.	[func]		When it's necessary to use AXFR to respond to an
+			IXFR request, a message explaining the reason
+			is now logged at level info. [GL #2683]
+
+5923.	[bug]		Fix inheritance for dnssec-policy when checking for
+			inline-signing. [GL #3438]
+
+5922.	[bug]		Forwarding of UPDATE message could fail with the
+			introduction of netmgr. This has been fixed. [GL #3389]
+
+	--- 9.16.31 released ---
+
+5917.	[bug]		Update ifconfig.sh script as is miscomputed interface
+			identifiers when destroying interfaces. [GL #3061]
+
+5915.	[bug]		Detect missing closing brace (}) and computational
+			overflows in $GENERATE directives. [GL #3429]
+
+5913.	[bug]		Fix a race between resolver query timeout and
+			validation in resolver.c:validated(). Remove
+			resolver.c:maybe_destroy() as it is no loger needed.
+			[GL #3398]
+
+5909.	[bug]		The server-side destination port was missing from dnstap
+			captures of client traffic. [GL #3309]
+
+5905.	[bug]		When the TCP connection would be closed/reset between
+			the connect/accept and the read, the uv_read_start()
+			return value would be unexpected and cause an assertion
+			failure. [GL #3400]
+
+5903.	[bug]		When named checks that the OPCODE in a response matches
+			that of the request, if there is a mismatch named logs
+			an error.  Some of those error messages incorrectly
+			used RCODE instead of OPCODE to lookup the nemonic.
+			This has been corrected. [GL !6420]
+
+	--- 9.16.30 released ---
+
+5899.	[func]		Don't try to process DNSSEC-related and ZONEMD records
+			in catz. [GL #3380]
+
+5890.	[bug]		When the fetches-per-server quota was adjusted
+			because of an authoritative server timing out more
+			or less frequently, it was incorrectly set to 1
+			rather than the intended value.  This has been
+			fixed. [GL #3327]
+
+5888.	[bug]		Only write key files if the dnssec-policy keymgr has
+			changed the metadata. [GL #3302]
+
+5823.	[func]		Replace hazard pointers based lock-free list with
+			locked-list based queue that's simpler and has no or
+			little performance impact. [GL #3180]
+
+	--- 9.16.29 released ---
+
+5885.	[bug]		RPZ NSIP and NSDNAME rule processing didn't handle stub
+			and static-stub zones at or above the query name.  This
+			has now been addressed. [GL #3232]
+
+5881.	[bug]		dig +nssearch could hang in rare cases when recv_done()
+			callback was being called earlier than send_done().
+			[GL #3278]
+
+5880.	[func]		Add new named command-line option -C to print built-in
+			defaults. [GL #1326]
+
+5879.	[contrib]	dlz: Add FALLTHROUGH and UNREACHABLE macros. [GL #3306]
+
+5874.	[bug]		keymgr didn't work with python 3.11. [GL !6157]
+
+5866.	[bug]		Work around a jemalloc quirk which could trigger an
+			out-of-memory condition in named over time. [GL #3287]
+
+5863.	[bug]		If there was a pending negative cache DS entry,
+			validations depending upon it could fail. [GL #3279]
+
+5858.	[bug]		Don't remove CDS/CDNSKEY DELETE records on zone sign
+			when using 'auto-dnssec maintain;'. [GL #2931]
+
+	--- 9.16.28 released ---
+
+5856.	[bug]		The "starting maxtime timer" message related to outgoing
+			zone transfers was incorrectly logged at the ERROR level
+			instead of DEBUG(1). [GL #3208]
+
+5852.	[func]		Add new "reuseport" option to enable/disable load
+			balancing of sockets. [GL #3249]
+
+5843.	[bug]		When an UPDATE targets a zone that is not configured,
+			the requested zone name is now logged in the "not
+			authoritative" error message, so that it is easier to
+			track down problematic update clients. [GL #3209]
+
+5836.	[bug]		Quote the dns64 prefix in error messages that complain
+			about problems with it, to avoid confusion with the
+			following dns64 ACLs. [GL #3210]
+
+5834.	[cleanup]	C99 variable-length arrays are difficult to use safely,
+			so avoid them except in test code. [GL #3201]
+
+5828.	[bug]		Replace single TCP write timer with per-TCP write
+			timers. [GL #3200]
+
+5824.	[bug]		Invalid dnssec-policy definitions were being accepted
+			where the defined keys did not cover both KSK and ZSK
+			roles for a given algorithm.  This is now checked for
+			and the dnssec-policy is rejected if both roles are
+			not present for all algorithms in use. [GL #3142]
+
+	--- 9.16.27 released ---
+
+5818.	[security]	A synchronous call to closehandle_cb() caused
+			isc__nm_process_sock_buffer() to be called recursively,
+			which in turn left TCP connections hanging in the
+			CLOSE_WAIT state blocking indefinitely when
+			out-of-order processing was disabled. (CVE-2022-0396)
+			[GL #3112]
+
+5817.	[security]	The rules for acceptance of records into the cache
+			have been tightened to prevent the possibility of
+			poisoning if forwarders send records outside
+			the configured bailiwick. (CVE-2021-25220) [GL #2950]
+
+5816.	[bug]		Make BIND compile with LibreSSL 3.5.0, as it was using
+			not very accurate pre-processor checks for using shims.
+			[GL #3172]
+
+5815.	[bug]		If an oversized key name of a specific length was used
+			in the text form of an HTTP or SVBC record, an INSIST
+			could be triggered when parsing it. [GL #3175]
+
+5814.	[bug]		The RecursClients statistics counter could underflow
+			in certain resolution scenarios. [GL #3147]
+
+5811.	[bug]		Reimplement the maximum and idle timeouts for outgoing
+			zone transfers. [GL #1897]
+
+5807.	[bug]		Add a TCP "write" timer, and time out writing
+			connections after the "tcp-idle-timeout" period
+			has elapsed. [GL #3132]
+
+5804.	[func]		Add a debug log message when starting and ending
+			the task exclusive mode. [GL #3137]
+
+	--- 9.16.26 released ---
+
+5801.	[bug]		Log "quota reached" message when hard quota
+			is reached when accepting a connection. [GL #3125]
+
+5800.	[func]		Add ECS support to the DLZ interface. [GL #3082]
+
+5797.	[bug]		A failed view configuration during a named
+			reconfiguration procedure could cause inconsistencies
+			in BIND internal structures, causing a crash or other
+			unexpected errors. [GL #3060]
+
+5795.	[bug]		rndc could crash when interrupted by a signal
+			before receiving a response. [GL #3080]
+
+5793.	[bug]		Correctly detect and enable UDP recvmmsg support
+			in all versions of libuv that support it. [GL #3095]
+
+	--- 9.16.25 released ---
+
+5789.	[bug]		Allow replacing expired zone signatures with
+			signatures created by the KSK. [GL #3049]
+
+5788.	[bug]		An assertion could occur if a catalog zone event was
+			scheduled while the task manager was being shut
+			down. [GL #3074]
+
+5787.	[doc]		Update 'auto-dnssec' documentation, it may only be
+			activated at zone level. [GL #3023]
+
+5786.	[bug]		Defer detaching from zone->raw in zone_shutdown() if
+			the zone is in the process of being dumped to disk, to
+			ensure that the unsigned serial number information is
+			always written in the raw-format header of the signed
+			version on an inline-signed zone. [GL #3071]
+
+5785.	[bug]		named could leak memory when two dnssec-policy clauses
+			had the same name. named failed to log this error.
+			[GL #3085]
+
+5776.	[bug]		Add a missing isc_condition_destroy() for nmsocket
+			condition variable and add missing isc_mutex_destroy()
+			for nmworker lock. [GL #3051]
+
+5676.	[func]		Memory use in named was excessive. This has been
+			addressed by:
+			- Replacing locked memory pools with normal memory
+			  allocations.
+			- Reducing the number of retained free items in
+			  unlocked memory pools.
+			- Disabling the internal allocator by default.
+			  "named -M internal" turns it back on.
+			[GL #2398]
+
+	--- 9.16.24 released ---
+
+5773.	[func]		Change the message when accepting TCP connection has
+			failed to say "Accepting TCP connection failed" and
+			change the log level for ISC_R_NOTCONNECTED, ISC_R_QUOTA
+			and ISC_R_SOFTQUOTA results codes from ERROR to INFO.
+			[GL #2700]
+
+5768.	[bug]		dnssec-dsfromkey failed to omit revoked keys. [GL #853]
+
+5764.	[bug]		dns_sdlz_putrr failed to process some valid resource
+			records. [GL #3021]
+
+5762.	[bug]		Fix a "named" crash related to removing and restoring a
+			`catalog-zone` entry in the configuration file and
+			running `rndc reconfig`. [GL #1608]
+
+5758.	[bug]		mdig now honors the operating system's preferred
+			ephemeral port range. [GL #2374]
+
+5757.	[test]		Replace sed in nsupdate system test with awk to
+			construct the nsupdate command.  The sed expression
+			was not reliably changing the ttl. [GL #3003]
+
+	--- 9.16.23 released ---
+
+5752.	[bug]		Fix an assertion failure caused by missing member zones
+			during a reload of a catalog zone. [GL #2308]
+
+5750.	[bug]		Fix a bug when comparing two RSA keys. There was a typo
+			which caused the "p" prime factors to not being
+			compared. [GL #2972]
+
+5737.	[bug]		Address Coverity warning in lib/dns/dnssec.c.
+			[GL #2935]
+
+	--- 9.16.22 released ---
+
+5736.	[security]	The "lame-ttl" option is now forcibly set to 0. This
+			effectively disables the lame server cache, as it could
+			previously be abused by an attacker to significantly
+			degrade resolver performance. (CVE-2021-25219)
+			[GL #2899]
+
+5724.	[bug]		Address a potential deadlock when checking zone content
+			consistency. [GL #2908]
+
+5723.	[bug]		Change 5709 broke backward compatibility for the
+			"check-names master ..." and "check-names slave ..."
+			options. This has been fixed. [GL #2911]
+
+5720.	[contrib]	Old-style DLZ drivers that had to be enabled at
+			build-time have been marked as deprecated. [GL #2814]
+
+5719.	[func]		The "map" zone file format has been marked as
+			deprecated. [GL #2882]
+
+5717.	[func]		The "cache-file" option, which was documented as "for
+			testing purposes only" and not to be used, has been
+			removed. [GL #2903]
+
+5716.	[bug]		Multiple library names were mistakenly passed to the
+			krb5-config utility when ./configure was invoked with
+			the --with-gssapi=[/path/to/]krb5-config option. This
+			has been fixed by invoking krb5-config separately for
+			each required library. [GL #2866]
+
+5715.	[func]		Add a check for ports specified in "*-source(-v6)"
+			options clashing with a global listening port. Such a
+			configuration was already unsupported, but it failed
+			silently; it is now treated as an error. [GL #2888]
+
+5714.	[bug]		Remove the "adjust interface" mechanism which was
+			responsible for setting up listeners on interfaces when
+			the "*-source(-v6)" address and port were the same as
+			the "listen-on(-v6)" address and port. Such a
+			configuration is no longer supported; under certain
+			timing conditions, that mechanism could prevent named
+			from listening on some TCP ports. This has been fixed.
+			[GL #2852]
+
+5712.	[doc]		Add deprecation notice about removing native PKCS#11
+			support in the next major BIND 9 release. [GL #2691]
+
+	--- 9.16.21 released ---
+
+5711.	[bug]		"map" files exceeding 2GB in size failed to load due to
+			a size comparison that incorrectly treated the file size
+			as a signed integer. [GL #2878]
+
+5710.	[port]		win32: incorrect parentheses resulted in the wrong
+			sizeof() tests being used to pick the appropriate
+			Windows atomic operations for the object's size.
+			[GL #2891]
+
+5709.	[cleanup]	Enum values throughout the code have been updated
+			to use the terms "primary" and "secondary" instead of
+			"master" and "slave", respectively. [GL #1944]
+
+5708.	[bug]		The thread-local isc_tid_v variable was not properly
+			initialized when running BIND 9 as a Windows Service,
+			leading to a crash on startup. [GL #2837]
+
+5705.	[bug]		Change #5686 altered the internal memory structure of
+			zone databases, but neglected to update the MAPAPI value
+			for zone files in "map" format. This caused named to
+			attempt to load incompatible map files, triggering an
+			assertion failure on startup. The MAPAPI value has now
+			been updated, so named rejects outdated files when
+			encountering them. [GL #2872]
+
+5704.	[bug]		Change #5317 caused the EDNS TCP Keepalive option to be
+			ignored inadvertently in client requests. It has now
+			been fixed and this option is handled properly again.
+			[GL #1927]
+
+5701.	[bug]		named-checkconf failed to detect syntactically invalid
+			values of the "key" and "tls" parameters used to define
+			members of remote server lists. [GL #2461]
+
+5700.	[bug]		When a member zone was removed from a catalog zone,
+			journal files for the former were not deleted.
+			[GL #2842]
+
+5699.	[func]		Data structures holding DNSSEC signing statistics are
+			now grown and shrunk as necessary upon key rollover
+			events. [GL #1721]
+
+5698.	[bug]		When a DNSSEC-signed zone which only has a single
+			signing key available is migrated to use KASP, that key
+			is now treated as a Combined Signing Key (CSK).
+			[GL #2857]
+
+5696.	[protocol]	Support for HTTPS and SVCB record types has been added.
+			(This does not include ADDITIONAL section processing for
+			these record types, only basic support for RR type
+			parsing and printing.) [GL #1132]
+
+5694.	[bug]		Stale data in the cache could cause named to send
+			non-minimized queries despite QNAME minimization being
+			enabled. [GL #2665]
+
+5691.	[bug]		When a dynamic zone was made available in another view
+			using the "in-view" statement, running "rndc freeze"
+			always reported an "already frozen" error even though
+			the zone was successfully frozen. [GL #2844]
+
+5690.	[func]		dnssec-signzone now honors Predecessor and Successor
+			metadata found in private key files: if a signature for
+			an RRset generated by the inactive predecessor exists
+			and does not need to be replaced, no additional
+			signature is now created for that RRset using the
+			successor key. This enables dnssec-signzone to gradually
+			replace RRSIGs during a ZSK rollover. [GL #1551]
+
+	--- 9.16.20 released ---
+
+5689.	[security]	An assertion failure occurred when named attempted to
+			send a UDP packet that exceeded the MTU size, if
+			Response Rate Limiting (RRL) was enabled.
+			(CVE-2021-25218) [GL #2856]
+
+5688.	[bug]		Zones using KASP and inline-signed zones failed to apply
+			changes from the unsigned zone to the signed zone under
+			certain circumstances. This has been fixed. [GL #2735]
+
+5687.	[bug]		"rndc reload <zonename>" could trigger a redundant
+			reload for an inline-signed zone whose zone file was not
+			modified since the last "rndc reload". This has been
+			fixed. [GL #2855]
+
+5686.	[func]		The number of internal data structures allocated for
+			each zone was reduced. [GL #2829]
+
+5685.	[bug]		named failed to check the opcode of responses when
+			performing zone refreshes, stub zone updates, and UPDATE
+			forwarding. This has been fixed. [GL #2762]
+
+5682.	[bug]		Some changes to "zone-statistics" settings were not
+			properly processed by "rndc reconfig". This has been
+			fixed. [GL #2820]
+
+5681.	[func]		Relax the checks in the dns_zone_cdscheck() function to
+			allow CDS and CDNSKEY records in the zone that do not
+			match an existing DNSKEY record, as long as the
+			algorithm matches. This allows a clean rollover from one
+			provider to another in a multi-signer DNSSEC
+			configuration. [GL #2710]
+
+5679.	[func]		Thread affinity is no longer set. [GL #2822]
+
+5678.	[bug]		The "check DS" code failed to release all resources upon
+			named shutdown when a refresh was in progress. This has
+			been fixed. [GL #2811]
+
+5672.	[bug]		Authentication of rndc messages could fail if a
+			"controls" statement was configured with multiple key
+			algorithms for the same listener. This has been fixed.
+			[GL #2756]
+
+	--- 9.16.19 released ---
+
+5671.	[bug]		A race condition could occur where two threads were
+			competing for the same set of key file locks, leading to
+			a deadlock. This has been fixed. [GL #2786]
+
+5670.	[bug]		create_keydata() created an invalid placeholder keydata
+			record upon a refresh failure, which prevented the
+			database of managed keys from subsequently being read
+			back. This has been fixed. [GL #2686]
+
+5669.	[func]		KASP support was extended with the "check DS" feature.
+			Zones with "dnssec-policy" and "parental-agents"
+			configured now check for DS presence and can perform
+			automatic KSK rollovers. [GL #1126]
+
+5668.	[bug]		Rescheduling a setnsec3param() task when a zone failed
+			to load on startup caused a hang on shutdown. This has
+			been fixed. [GL #2791]
+
+5667.	[bug]		The configuration-checking code failed to account for
+			the inheritance rules of the "dnssec-policy" option.
+			This has been fixed. [GL #2780]
+
+5666.	[doc]		The safe "edns-udp-size" value was tweaked to match the
+			probing value from BIND 9.16 for better compatibility.
+			[GL #2183]
+
+5665.	[bug]		If nsupdate sends an SOA request and receives a REFUSED
+			response, it now fails over to the next available
+			server. [GL #2758]
+
+5664.	[func]		For UDP messages larger than the path MTU, named now
+			sends an empty response with the TC (TrunCated) bit set.
+			In addition, setting the DF (Don't Fragment) flag on
+			outgoing UDP sockets was re-enabled. [GL #2790]
+
+5662.	[bug]		Views with recursion disabled are now configured with a
+			default cache size of 2 MB unless "max-cache-size" is
+			explicitly set. This prevents cache RBT hash tables from
+			being needlessly preallocated for such views. [GL #2777]
+
+5661.	[bug]		Change 5644 inadvertently introduced a deadlock: when
+			locking the key file mutex for each zone structure in a
+			different view, the "in-view" logic was not considered.
+			This has been fixed. [GL #2783]
+
+5658.	[bug]		Increasing "max-cache-size" for a running named instance
+			(using "rndc reconfig") did not cause the hash tables
+			used by cache databases to be grown accordingly. This
+			has been fixed. [GL #2770]
+
+5655.	[bug]		Signed, insecure delegation responses prepared by named
+			either lacked the necessary NSEC records or contained
+			duplicate NSEC records when both wildcard expansion and
+			CNAME chaining were required to prepare the response.
+			This has been fixed. [GL #2759]
+
+5653.	[bug]		A bug that caused the NSEC3 salt to be changed on every
+			restart for zones using KASP has been fixed. [GL #2725]
+
+	--- 9.16.18 released ---
+
+5660.	[bug]		The configuration-checking code failed to account for
+			the inheritance rules of the "key-directory" option.
+			[GL #2778]
+
+5659.	[bug]		When preparing DNS responses, named could replace the
+			letters 'W' (uppercase) and 'w' (lowercase) with '\000'.
+			This has been fixed. [GL #2779]
+
+	--- 9.16.17 released ---
+
+5652.	[bug]		A copy-and-paste error in change 5584 caused the
+			IP_DONTFRAG socket option to be enabled instead of
+			disabled. This has been fixed. [GL #2746]
+
+5651.	[func]		Refactor zone dumping to be processed asynchronously via
+			the uv_work_t thread pool API. [GL #2732]
+
+5650.	[bug]		Prevent a crash that could occur if serve-stale was
+			enabled and a prefetch was triggered during a query
+			restart. [GL #2733]
+
+5649.	[bug]		If a query was answered with stale data on a server with
+			DNS64 enabled, an assertion could occur if a non-stale
+			answer arrived afterward. [GL #2731]
+
+5648.	[bug]		The calculation of the estimated IXFR transaction size
+			in dns_journal_iter_init() was invalid. [GL #2685]
+
+5644.	[bug]		Fix a race condition in reading and writing key files
+			for zones using KASP and configured in multiple views.
+			[GL #1875]
+
+5643.	[cleanup]	"make install" no longer creates an empty
+			${localstatedir}/run directory. [GL #2709]
+
+5642.	[bug]		Zones which are configured in multiple views with
+			different values set for "dnssec-policy" and with
+			identical values set for "key-directory" are now
+			detected and treated as a configuration error.
+			[GL #2463]
+
+5641.	[bug]		Address a potential memory leak in
+			dst_key_fromnamedfile(). [GL #2689]
+
+5639.	[bug]		Check that the first and last SOA record of an AXFR are
+			consistent. [GL #2528]
+
+5638.	[bug]		Improvements related to network manager/task manager
+			integration:
+			- isc_managers_create() and isc_managers_destroy()
+			  functions were added to handle setup and teardown of
+			  netmgr, taskmgr, timermgr, and socketmgr, since these
+			  require a precise order of operations now.
+			- Event queue processing is now quantized to prevent
+			  infinite looping.
+			- The netmgr can now be paused from within a netmgr
+			  thread.
+			- Deadlocks due to a conflict between netmgr's
+			  pause/resume and listen/stoplistening operations were
+			  fixed.
+			[GL #2654]
+
+5633.	[doc]		The "inline-signing" option was incorrectly described as
+			being inherited from the "options"/"view" levels and was
+			incorrectly accepted at those levels without effect.
+			This has been fixed. [GL #2536]
+
+5624.	[func]		Task manager events are now processed inside network
+			manager loops. The task manager no longer needs its own
+			set of worker threads, which improves resolver
+			performance. [GL #2638]
+
+	--- 9.16.16 released ---
+
+5637.	[func]		Change the default value of the "max-ixfr-ratio" option
+			to "unlimited". [GL #2671]
+
+5636.	[bug]		named and named-checkconf did not report an error when
+			multiple zones with the "dnssec-policy" option set were
+			using the same zone file. This has been fixed.
+			[GL #2603]
+
+5635.	[bug]		Journal compaction could fail when a journal with
+			invalid transaction headers was not detected at startup.
+			This has been fixed. [GL #2670]
+
+5634.	[bug]		If "dnssec-policy" was active and a private key file was
+			temporarily offline during a rekey event, named could
+			incorrectly introduce replacement keys and break a
+			signed zone. This has been fixed. [GL #2596]
+
+5633.	[doc]		The "inline-signing" option was incorrectly described as
+			being inherited from the "options"/"view" levels and was
+			incorrectly accepted at those levels without effect.
+			This has been fixed. [GL #2536]
+
+5632.	[func]		Add a new built-in KASP, "insecure", which is used to
+			transition a zone from a signed to an unsigned state.
+			The existing built-in KASP "none" should no longer be
+			used to unsign a zone. [GL #2645]
+
+5631.	[protocol]	Update the implementation of the ZONEMD RR type to match
+			RFC 8976. [GL #2658]
+
+5630.	[func]		Treat DNSSEC responses containing NSEC3 records with
+			iteration counts greater than 150 as insecure.
+			[GL #2445]
+
+5629.	[func]		Reduce the maximum supported number of NSEC3 iterations
+			that can be configured for a zone to 150. [GL #2642]
+
+5627.	[bug]		RRSIG(SOA) RRsets placed anywhere other than at the zone
+			apex were triggering infinite resigning loops. This has
+			been fixed. [GL #2650]
+
+5626.	[bug]		When generating zone signing keys, KASP now also checks
+			for key ID conflicts among newly created keys, rather
+			than just between new and existing ones. [GL #2628]
+
+5625.	[bug]		A deadlock could occur when multiple "rndc addzone",
+			"rndc delzone", and/or "rndc modzone" commands were
+			invoked simultaneously for different zones. This has
+			been fixed. [GL #2626]
+
+5622.	[cleanup]	The lib/samples/ directory has been removed, as export
+			versions of libraries are no longer maintained.
+			[GL !4835]
+
+5619.	[protocol]	Implement draft-vandijk-dnsop-nsec-ttl, updating the
+			protocol such that NSEC(3) TTL values are set to the
+			minimum of the SOA MINIMUM value or the SOA TTL.
+			[GL #2347]
+
+5618.	[bug]		Change 5149 introduced some inconsistencies in the way
+			record TTLs were presented in cache dumps. These
+			inconsistencies have been eliminated. [GL #389]
+			[GL #2289]
+
+	--- 9.16.15 released ---
+
+5621.	[bug]		Due to a backporting mistake in change 5609, named
+			binaries built against a Kerberos/GSSAPI library whose
+			header files did not define the GSS_SPNEGO_MECHANISM
+			preprocessor macro were not able to start if their
+			configuration included the "tkey-gssapi-credential"
+			option. This has been fixed. [GL #2634]
+
+5620.	[bug]		If zone journal files written by BIND 9.16.11 or earlier
+			were present when BIND was upgraded, the zone file for
+			that zone could have been inadvertently rewritten with
+			the current zone contents. This caused the original zone
+			file structure (e.g. comments, $INCLUDE directives) to
+			be lost, although the zone data itself was preserved.
+			This has been fixed. [GL #2623]
+
+	--- 9.16.14 released ---
+
+5617.	[security]	A specially crafted GSS-TSIG query could cause a buffer
+			overflow in the ISC implementation of SPNEGO.
+			(CVE-2021-25216) [GL #2604]
+
+5616.	[security]	named crashed when a DNAME record placed in the ANSWER
+			section during DNAME chasing turned out to be the final
+			answer to a client query. (CVE-2021-25215) [GL #2540]
+
+5615.	[security]	Insufficient IXFR checks could result in named serving a
+			zone without an SOA record at the apex, leading to a
+			RUNTIME_CHECK assertion failure when the zone was
+			subsequently refreshed. This has been fixed by adding an
+			owner name check for all SOA records which are included
+			in a zone transfer. (CVE-2021-25214) [GL #2467]
+
+5614.	[bug]		Ensure all resources are properly cleaned up when a call
+			to gss_accept_sec_context() fails. [GL #2620]
+
+5613.	[bug]		It was possible to write an invalid transaction header
+			in the journal file for a managed-keys database after
+			upgrading. This has been fixed. Invalid headers in
+			existing journal files are detected and named is able
+			to recover from them. [GL #2600]
+
+5611.	[func]		Set "stale-answer-client-timeout" to "off" by default.
+			[GL #2608]
+
+5610.	[bug]		Prevent a crash which could happen when a lookup
+			triggered by "stale-answer-client-timeout" was attempted
+			right after recursion for a client query finished.
+			[GL #2594]
+
+5609.	[func]		The ISC implementation of SPNEGO was removed from BIND 9
+			source code. It was no longer necessary as all major
+			contemporary Kerberos/GSSAPI libraries include support
+			for SPNEGO. [GL #2607]
+
+5608.	[bug]		When sending queries over TCP, dig now properly handles
+			"+tries=1 +retry=0" by not retrying the connection when
+			the remote server closes the connection prematurely.
+			[GL #2490]
+
+5607.	[bug]		As "rndc dnssec -checkds" and "rndc dnssec -rollover"
+			commands may affect the next scheduled key event,
+			reconfiguration of zone keys is now triggered after
+			receiving either of these commands to prevent
+			unnecessary key rollover delays. [GL #2488]
+
+5606.	[bug]		CDS/CDNSKEY DELETE records are now removed when a zone
+			transitions from a secure to an insecure state.
+			named-checkzone also no longer reports an error when
+			such records are found in an unsigned zone. [GL #2517]
+
+5605.	[bug]		"dig -u" now uses the CLOCK_REALTIME clock source for
+			more accurate time reporting. [GL #2592]
+
+5603.	[bug]		Fix a memory leak that occurred when named failed to
+			bind a UDP socket to a network interface. [GL #2575]
+
+5602.	[bug]		Fix TCPDNS and TLSDNS timers in Network Manager. This
+			makes the "tcp-initial-timeout" and "tcp-idle-timeout"
+			options work correctly again. [GL #2583]
+
+5601.	[bug]		Zones using KASP could not be thawed after they were
+			frozen using "rndc freeze". This has been fixed.
+			[GL #2523]
+
+	--- 9.16.13 released ---
+
+5597.	[bug]		When serve-stale was enabled and starting the recursive
+			resolution process for a query failed, a named instance
+			could crash if it was configured as both a recursive and
+			authoritative server. This problem was introduced by
+			change 5573 and has now been fixed. [GL #2565]
+
+5595.	[cleanup]	Public header files for BIND 9 libraries no longer
+			directly include third-party library headers. This
+			prevents the need to include paths to third-party header
+			files in CFLAGS whenever BIND 9 public header files are
+			used, which could cause build-time issues on hosts with
+			older versions of BIND 9 installed. [GL #2357]
+
+5594.	[bug]		Building with --enable-dnsrps --enable-dnsrps-dl failed.
+			[GL #2298]
+
+5593.	[bug]		Journal files written by older versions of named can now
+			be read when loading zones, so that journal
+			incompatibility does not cause problems on upgrade.
+			Outdated journals are updated to the new format after
+			loading. [GL #2505]
+
+5592.	[bug]		Prevent hazard pointer table overflows on machines with
+			many cores, by allowing the thread IDs (serving as
+			indices into hazard pointer tables) of finished threads
+			to be reused by those created later. [GL #2396]
+
+5591.	[bug]		Fix a crash that occurred when
+			"stale-answer-client-timeout" was triggered without any
+			(stale) data available in the cache to answer the query.
+			[GL #2503]
+
+5590.	[bug]		NSEC3 records were not immediately created for dynamic
+			zones using NSEC3 with "dnssec-policy", resulting in
+			such zones going bogus. Add code to process the
+			NSEC3PARAM queue at zone load time so that NSEC3 records
+			for such zones are created immediately. [GL #2498]
+
+5588.	[func]		Add a new "purge-keys" option for "dnssec-policy". This
+			option determines the period of time for which key files
+			are retained after they become obsolete. [GL #2408]
+
+5586.	[bug]		An invalid direction field in a LOC record resulted in
+			an INSIST failure when a zone file containing such a
+			record was loaded. [GL #2499]
+
+5584.	[bug]		No longer set the IP_DONTFRAG option on UDP sockets, to
+			prevent dropping outgoing packets exceeding
+			"max-udp-size". [GL #2466]
+
+5582.	[bug]		BIND 9 failed to build when static OpenSSL libraries
+			were used and the pkg-config files for libssl and/or
+			libcrypto were unavailable. This has been fixed by
+			ensuring that the correct linking order for libssl and
+			libcrypto is always used. [GL #2402]
+
+5581.	[bug]		Fix a memory leak that occurred when inline-signed zones
+			were added to the configuration, followed by a
+			reconfiguration of named. [GL #2041]
+
+5580.	[test]		The system test framework no longer differentiates
+			between SKIPPED and UNTESTED system test results. Any
+			system test which is not run is now marked as SKIPPED.
+			[GL !4517]
+
+5573.	[func]		When serve-stale is enabled and stale data is available,
+			named now returns stale answers upon encountering any
+			unexpected error in the query resolution process.
+			However, the "stale-refresh-time" window is still only
+			started upon a timeout. [GL #2434]
+
+5564.	[cleanup]	Network manager's TLSDNS module was refactored to use
+			libuv and libssl directly instead of a stack of TCP/TLS
+			sockets. [GL #2335]
+
+	--- 9.16.12 released ---
+
+5578.	[protocol]	Make "check-names" accept A records below "_spf",
+			"_spf_rate", and "_spf_verify" labels in order to cater
+			for the "exists" SPF mechanism specified in RFC 7208
+			section 5.7 and appendix D.1. [GL #2377]
+
+5577.	[bug]		Fix the "three is a crowd" key rollover bug in KASP by
+			correctly implementing Equation (2) of the "Flexible and
+			Robust Key Rollover" paper. [GL #2375]
+
+5575.	[bug]		When migrating to KASP, BIND 9 considered keys with the
+			"Inactive" and/or "Delete" timing metadata to be
+			possible active keys. This has been fixed. [GL #2406]
+
+5572.	[bug]		Address potential double free in generatexml().
+			[GL #2420]
+
+5571.	[bug]		named failed to start when its configuration included a
+			zone with a non-builtin "allow-update" ACL attached.
+			[GL #2413]
+
+5570.	[bug]		Improve performance of the DNSSEC verification code by
+			reducing the number of repeated calls to
+			dns_dnssec_keyfromrdata(). [GL #2073]
+
+5569.	[bug]		Emit useful error message when "rndc retransfer" is
+			applied to a zone of inappropriate type. [GL #2342]
+
+5568.	[bug]		Fixed a crash in "dnssec-keyfromlabel" when using ECDSA
+			keys. [GL #2178]
+
+5567.	[bug]		Dig now reports unknown dash options while pre-parsing
+			the options. This prevents "-multi" instead of "+multi"
+			from reporting memory usage before ending option parsing
+			with "Invalid option: -lti". [GL #2403]
+
+5566.	[func]		Add "stale-answer-client-timeout" option, which is the
+			amount of time a recursive resolver waits before
+			attempting to answer the query using stale data from
+			cache. [GL #2247]
+
+5565.	[func]		The SONAMEs for BIND 9 libraries now include the current
+			BIND 9 version number, in an effort to tightly couple
+			internal libraries with a specific release. [GL #2387]
+
+5562.	[security]	Fix off-by-one bug in ISC SPNEGO implementation.
+			(CVE-2020-8625) [GL #2354]
+
+5561.	[bug]		KASP incorrectly set signature validity to the value of
+			the DNSKEY signature validity. This is now fixed.
+			[GL #2383]
+
+5560.	[func]		The default value of "max-stale-ttl" has been changed
+			from 12 hours to 1 day and the default value of
+			"stale-answer-ttl" has been changed from 1 second to 30
+			seconds, following RFC 8767 recommendations. [GL #2248]
+
+5456.	[func]		Added "primaries" as a synonym for "masters" in
+			named.conf, and "primary-only" as a synonym for
+			"master-only" in the parameters to "notify", to bring
+			terminology up-to-date with RFC 8499. [GL #1948]
+
+5362.	[func]		Limit the size of IXFR responses so that AXFR will
+			be used instead if it would be smaller. This is
+			controlled by the "max-ixfr-ratio" option, which
+			is a percentage representing the ratio of IXFR size
+			to the size of the entire zone. This value cannot
+			exceed 100%, which is the default. [GL #1515]
+
+	--- 9.16.11 released ---
+
+5559.	[bug]		The --with-maxminddb=PATH form of the build-time option
+			enabling support for libmaxminddb was not working
+			correctly. This has been fixed. [GL #2366]
+
+5557.	[bug]		Prevent RBTDB instances from being destroyed by multiple
+			threads at the same time. [GL #2317]
+
+5556.	[bug]		Further tweak newline printing in dnssec-signzone and
+			dnssec-verify. [GL #2359]
+
+5555.	[bug]		server->reload_status was not properly initialized.
+			[GL #2361]
+
+5554.	[bug]		dnssec-signzone and dnssec-verify were missing newlines
+			between log messages. [GL #2359]
+
+5553.	[bug]		When reconfiguring named, removing "auto-dnssec" did not
+			turn off DNSSEC maintenance. [GL #2341]
+
+5552.	[func]		When switching to "dnssec-policy none;", named now
+			permits a safe transition to insecure mode and publishes
+			the CDS and CDNSKEY DELETE records, as described in RFC
+			8078. [GL #1750]
+
+5551.	[bug]		named no longer attempts to assign threads to CPUs
+			outside the CPU affinity set. Thanks to Ole Bjørn
+			Hessen. [GL #2245]
+
+5550.	[func]		dnssec-signzone and named now log a warning when falling
+			back to the "increment" SOA serial method. [GL #2058]
+
+5545.	[func]		OS support for load-balanced sockets is no longer
+			required to receive incoming queries in multiple netmgr
+			threads. [GL #2137]
+
+5543.	[bug]		Fix UDP performance issues caused by making netmgr
+			callbacks asynchronous-only. [GL #2320]
+
+5542.	[bug]		Refactor netmgr. [GL #1920] [GL #2034] [GL #2061]
+			[GL #2194] [GL #2221] [GL #2266] [GL #2283] [GL #2318]
+			[GL #2321]
+
+	--- 9.16.10 released ---
+
+5544.	[func]		Restore the default value of "nocookie-udp-size" to 4096
+			bytes. [GL #2250]
+
+5541.	[func]		Adjust the "max-recursion-queries" default from 75 to
+			100. [GL #2305]
+
+5540.	[port]		Fix building with native PKCS#11 support for AEP Keyper.
+			[GL #2315]
+
+5539.	[bug]		Tighten handling of missing DNS COOKIE responses over
+			UDP by falling back to TCP. [GL #2275]
+
+5538.	[func]		Add NSEC3 support to KASP. A new option for
+			"dnssec-policy", "nsec3param", can be used to set the
+			desired NSEC3 parameters. NSEC3 salt collisions are
+			automatically prevented during resalting. Salt
+			generation is now logged with zone context. [GL #1620]
+
+5534.	[bug]		The CNAME synthesized from a DNAME was incorrectly
+			followed when the QTYPE was CNAME or ANY. [GL #2280]
+
+	--- 9.16.9 released ---
+
+5533.	[func]		Add the "stale-refresh-time" option, a time window that
+			starts after a failed lookup, during which a stale RRset
+			is served directly from cache before a new attempt to
+			refresh it is made. [GL #2066]
+
+5530.	[bug]		dnstap did not capture responses to forwarded UPDATE
+			requests. [GL #2252]
+
+5527.	[bug]		A NULL pointer dereference occurred when creating an NTA
+			recheck query failed. [GL #2244]
+
+5525.	[bug]		Change 5503 inadvertently broke cross-compilation by
+			replacing a call to AC_LINK_IFELSE() with a call to
+			AC_RUN_IFELSE() in configure.ac.  This has been fixed,
+			making cross-compilation possible again. [GL #2237]
+
+5523.	[bug]		The initial lookup in a zone transitioning to/from a
+			signed state could fail if the DNSKEY RRset was not
+			found. [GL #2236]
+
+5522.	[bug]		Fixed a race/NULL dereference in TCPDNS send. [GL #2227]
+
+5520.	[bug]		Fixed a number of shutdown races, reference counting
+			errors, and spurious log messages that could occur
+			in the network manager. [GL #2221]
+
+5518.	[bug]		Stub zones now work correctly with primary servers using
+			"minimal-responses yes". [GL #1736]
+
+5517.	[bug]		Do not treat UV_EOF as a TCP4RecvErr or a TCP6RecvErr.
+			[GL #2208]
+
+	--- 9.16.8 released ---
+
+5516.	[func]		The default EDNS buffer size has been changed from 4096
+			to 1232 bytes. [GL #2183]
+
+5515.	[func]		Add 'rndc dnssec -rollover' command to trigger a manual
+			rollover for a specific key. [GL #1749]
+
+5514.	[bug]		Fix KASP expected key size for Ed25519 and Ed448.
+			[GL #2171]
+
+5513.	[doc]		The ARM section describing the "rrset-order" statement
+			was rewritten to make it unambiguous and up-to-date with
+			the source code. [GL #2139]
+
+5512.	[bug]		"rrset-order" rules using "order none" were causing
+			named to crash despite named-checkconf treating them as
+			valid. [GL #2139]
+
+5511.	[bug]		'dig -u +yaml' failed to display timestamps to the
+			microsecond. [GL #2190]
+
+5510.	[bug]		Implement the attach/detach semantics for dns_message_t
+			to fix a data race in accessing an already-destroyed
+			fctx->rmessage. [GL #2124]
+
+5509.	[bug]		filter-aaaa: named crashed upon shutdown if it was in
+			the process of recursing for A RRsets. [GL #1040]
+
+5508.	[func]		Added new parameter "-expired" for "rndc dumpdb" that
+			also prints expired RRsets (awaiting cleanup) to the
+			dump file. [GL #1870]
+
+5507.	[bug]		Named could compute incorrect SIG(0) responses.
+			[GL #2109]
+
+5506.	[bug]		Properly handle failed sysconf() calls, so we don't
+			report invalid memory size. [GL #2166]
+
+5505.	[bug]		Updating contents of a mixed-case RPZ could cause some
+			rules to be ignored. [GL #2169]
+
+5503.	[bug]		Cleaned up reference counting of network manager
+			handles, now using isc_nmhandle_attach() and _detach()
+			instead of _ref() and _unref(). [GL #2122]
+
+	--- 9.16.7 released ---
+
+5501.	[func]		Log CDS/CDNSKEY publication. [GL #1748]
+
+5500.	[bug]		Fix (non-)publication of CDS and CDNSKEY records.
+			[GL #2103]
+
+5499.	[func]		Add '-P ds' and '-D ds' arguments to dnssec-settime.
+			[GL #1748]
+
+5497.	[bug]		'dig +bufsize=0' failed to disable EDNS. [GL #2054]
+
+5496.	[bug]		Address a TSAN report by ensuring each rate limiter
+			object holds a reference to its task. [GL #2081]
+
+5495.	[bug]		With query minimization enabled, named failed to
+			resolve ip6.arpa. names that had extra labels to the
+			left of the IPv6 part. [GL #1847]
+
+5494.	[bug]		Silence the EPROTO syslog message on older systems.
+			[GL #1928]
+
+5493.	[bug]		Fix off-by-one error when calculating new hash table
+			size. [GL #2104]
+
+5492.	[bug]		Tighten LOC parsing to reject a period (".") and/or "m"
+			as a value. Fix handling of negative altitudes which are
+			not whole meters. [GL #2074]
+
+5491.	[bug]		rbtversion->glue_table_size could be read without the
+			appropriate lock being held. [GL #2080]
+
+5489.	[bug]		Named erroneously accepted certain invalid resource
+			records that were incorrectly processed after
+			subsequently being written to disk and loaded back, as
+			the wire format differed. Such records include: CERT,
+			IPSECKEY, NSEC3, NSEC3PARAM, NXT, SIG, TLSA, WKS, and
+			X25. [GL !3953]
+
+5488.	[bug]		NTA code needed to have a weak reference on its
+			associated view to prevent the latter from being deleted
+			while NTA tests were being performed. [GL #2067]
+
+5486.	[func]		Add 'rndc dnssec -checkds' command, which signals to
+			named that the DS record for a given zone or key has
+			been updated in the parent zone. [GL #1613]
+
+	--- 9.16.6 released ---
+
+5484.	[func]		Expire zero TTL records quickly rather than using them
+			for stale answers. [GL #1829]
+
+5483.	[func]		A new configuration option "stale-cache-enable" has been
+			introduced to enable or disable keeping stale answers in
+			cache. [GL #1712]
+
+5482.	[bug]		If the Duplicate Address Detection (DAD) mechanism had
+			not yet finished after adding a new IPv6 address to the
+			system, BIND 9 would fail to bind to IPv6 addresses in a
+			tentative state. [GL #2038]
+
+5481.	[security]	"update-policy" rules of type "subdomain" were
+			incorrectly treated as "zonesub" rules, which allowed
+			keys used in "subdomain" rules to update names outside
+			of the specified subdomains. The problem was fixed by
+			making sure "subdomain" rules are again processed as
+			described in the ARM. (CVE-2020-8624) [GL #2055]
+
+5480.	[security]	When BIND 9 was compiled with native PKCS#11 support, it
+			was possible to trigger an assertion failure in code
+			determining the number of bits in the PKCS#11 RSA public
+			key with a specially crafted packet. (CVE-2020-8623)
+			[GL #2037]
+
+5479.	[security]	named could crash in certain query resolution scenarios
+			where QNAME minimization and forwarding were both
+			enabled. (CVE-2020-8621) [GL #1997]
+
+5478.	[security]	It was possible to trigger an assertion failure by
+			sending a specially crafted large TCP DNS message.
+			(CVE-2020-8620) [GL #1996]
+
+5477.	[bug]		The idle timeout for connected TCP sockets, which was
+			previously set to a high fixed value, is now derived
+			from the client query processing timeout configured for
+			a resolver. [GL #2024]
+
+5476.	[security]	It was possible to trigger an assertion failure when
+			verifying the response to a TSIG-signed request.
+			(CVE-2020-8622) [GL #2028]
+
+5475.	[bug]		Wildcard RPZ passthru rules could incorrectly be
+			overridden by other rules that were loaded from RPZ
+			zones which appeared later in the "response-policy"
+			statement. This has been fixed. [GL #1619]
+
+5474.	[bug]		dns_rdata_hip_next() failed to return ISC_R_NOMORE
+			when it should have. [GL !3880]
+
+5473.	[func]		The RBT hash table implementation has been changed
+			to use a faster hash function (HalfSipHash2-4) and
+			Fibonacci hashing for better distribution. Setting
+			"max-cache-size" now preallocates a fixed-size hash
+			table so that rehashing does not cause resolution
+			brownouts while the hash table is grown. [GL #1775]
+
+5471.	[bug]		The introduction of KASP support inadvertently caused
+			the second field of "sig-validity-interval" to always be
+			calculated in hours, even in cases when it should have
+			been calculated in days. This has been fixed. (Thanks to
+			Tony Finch.) [GL !3735]
+
+5469.	[port]		On illumos, a constant called SEC is already defined in
+			<sys/time.h>, which conflicts with an identically named
+			constant in libbind9. This conflict has been resolved.
+			[GL #1993]
+
+5468.	[bug]		Addressed potential double unlock in process_fd().
+			[GL #2005]
+
+5466.	[bug]		Addressed an error in recursive clients stats reporting.
+			[GL #1719]
+
+5465.	[func]		Added fallback to built-in trust-anchors, managed-keys,
+			or trusted-keys if the bindkeys-file (bind.keys) cannot
+			be parsed. [GL #1235]
+
+5464.	[bug]		Requesting more than 128 files to be saved when rolling
+			dnstap log files caused a buffer overflow. This has been
+			fixed. [GL #1989]
+
+5462.	[bug]		Move LMDB locking from LMDB itself to named. [GL #1976]
+
+5461.	[bug]		The STALE rdataset header attribute was updated while
+			the write lock was not being held, leading to incorrect
+			statistics. The header attributes are now converted to
+			use atomic operations. [GL #1475]
+
+	--- 9.16.5 released ---
+
+5458.	[bug]		Prevent a theoretically possible NULL dereference caused
+			by a data race between zone_maintenance() and
+			dns_zone_setview_helper(). [GL #1627]
+
+5455.	[bug]		named could crash when cleaning dead nodes in
+			lib/dns/rbtdb.c that were being reused. [GL #1968]
+
+5454.	[bug]		Address a startup crash that occurred when the server
+			was under load and the root zone had not yet been
+			loaded. [GL #1862]
+
+5453.	[bug]		named crashed on shutdown when a new rndc connection was
+			received during shutdown. [GL #1747]
+
+5452.	[bug]		The "blackhole" ACL was accidentally disabled for client
+			queries. [GL #1936]
+
+5451.	[func]		Add 'rndc dnssec -status' command. [GL #1612]
+
+5449.	[bug]		Fix a socket shutdown race in netmgr udp. [GL #1938]
+
+5448.	[bug]		Fix a race condition in isc__nm_tcpdns_send().
+			[GL #1937]
+
+5447.	[bug]		IPv6 addresses ending in "::" could break YAML
+			parsing. A "0" is now appended to such addresses
+			in YAML output from dig, mdig, delv, and dnstap-read.
+			[GL #1952]
+
+5446.	[bug]		The validator could fail to accept a properly signed
+			RRset if an unsupported algorithm appeared earlier in
+			the DNSKEY RRset than a supported algorithm. It could
+			also stop if it detected a malformed public key.
+			[GL #1689]
+
+5444.	[bug]		'rndc dnstap -roll <value>' did not limit the number of
+			saved files to <value>. [GL !3728]
+
+5443.	[bug]		The "primary" and "secondary" keywords, when used
+			as parameters for "check-names", were not
+			processed correctly and were being ignored. [GL #1949]
+
+5441.	[bug]		${LMDB_CFLAGS} was missing from make/includes.in.
+			[GL #1955]
+
+5440.	[test]		Properly handle missing kyua. [GL #1950]
+
+5439.	[bug]		The DS RRset returned by dns_keynode_dsset() was used in
+			a non-thread-safe manner. [GL #1926]
+
+	--- 9.16.4 released ---
+
+5438.	[bug]		Fix a race in TCP accepting code. [GL #1930]
+
+5437.	[bug]		Fix a data race in lib/dns/resolver.c:log_formerr().
+			[GL #1808]
+
+5436.	[security]	It was possible to trigger an INSIST when determining
+			whether a record would fit into a TCP message buffer.
+			(CVE-2020-8618) [GL #1850]
+
+5435.	[tests]		Add RFC 4592 responses examples to the wildcard system
+			test. [GL #1718]
+
+5434.	[security]	It was possible to trigger an INSIST in
+			lib/dns/rbtdb.c:new_reference() with a particular zone
+			content and query patterns. (CVE-2020-8619) [GL #1111]
+			[GL #1718]
+
+5431.	[func]		Reject DS records at the zone apex when loading
+			master files. Log but otherwise ignore attempts to
+			add DS records at the zone apex via UPDATE. [GL #1798]
+
+5430.	[doc]		Update docs - with netmgr, a separate listening socket
+			is created for each IPv6 interface (just as with IPv4).
+			[GL #1782]
+
+5428.	[bug]		Clean up GSSAPI resources in nsupdate only after taskmgr
+			has been destroyed. Thanks to Petr Menšík. [GL !3316]
+
+5426.	[bug]		Don't abort() when setting SO_INCOMING_CPU on the socket
+			fails. [GL #1911]
+
+5425.	[func]		The default value of "max-stale-ttl" has been changed
+			from 1 week to 12 hours. [GL #1877]
+
+5424.	[bug]		With KASP, when creating a successor key, the "goal"
+			state of the current active key (predecessor) was not
+			changed and thus never removed from the zone. [GL #1846]
+
+5423.	[bug]		Fix a bug in keymgr_key_has_successor(): it incorrectly
+			returned true if any other key in the keyring had a
+			successor. [GL #1845]
+
+5422.	[bug]		When using dnssec-policy, print correct key timing
+			metadata. [GL #1843]
+
+5421.	[bug]		Fix a race that could cause named to crash when looking
+			up the nodename of an RBT node if the tree was modified.
+			[GL #1857]
+
+5420.	[bug]		Add missing isc_{mutex,conditional}_destroy() calls
+			that caused a memory leak on FreeBSD. [GL #1893]
+
+5418.	[bug]		delv failed to parse deprecated trusted-keys-style
+			trust anchors. [GL #1860]
+
+5416.	[bug]		Fix a lock order inversion in lib/isc/unix/socket.c.
+			[GL #1859]
+
+5415.	[test]		Address race in dnssec system test that led to
+			test failures. [GL #1852]
+
+5414.	[test]		Adjust time allowed for journal truncation to occur
+			in nsupdate system test to avoid test failure.
+			[GL #1855]
+
+5413.	[test]		Address race in autosign system test that led to
+			test failures. [GL #1852]
+
+5412.	[bug]		'provide-ixfr no;' failed to return up-to-date responses
+			when the serial was greater than or equal to the
+			current serial. [GL #1714]
+
+5411.	[cleanup]	TCP accept code has been refactored to use a single
+			accept() and pass the accepted socket to child threads
+			for processing. [GL !3320]
+
+5409.	[performance]	When looking up NSEC3 data in a zone database, skip the
+			check for empty non-terminal nodes; the NSEC3 tree does
+			not have any. [GL #1834]
+
+5408.	[protocol]	Print Extended DNS Errors if present in OPT record.
+			[GL #1835]
+
+5407.	[func]		Zone timers are now exported via statistics channel.
+			Thanks to Paul Frieden, Verizon Media. [GL #1232]
+
+5405.	[bug]		'named-checkconf -p' could include spurious text in
+			server-addresses statements due to an uninitialized DSCP
+			value. [GL #1812]
+
+	--- 9.16.3 released ---
+
+5404.	[bug]		'named-checkconf -z' could incorrectly indicate
+			success if errors were found in one view but not in a
+			subsequent one. [GL #1807]
+
+5403.	[func]		Do not set UDP receive/send buffer sizes - use system
+			defaults. [GL #1713]
+
+5402.	[bug]		On FreeBSD, use SO_REUSEPORT_LB instead of SO_REUSEPORT.
+			Enable use of SO_REUSEADDR on all platforms which
+			support it. [GL !3365]
+
+5401.	[bug]		The number of input queues allocated during dnstap
+			initialization was too low, which could prevent some
+			dnstap data from being logged. [GL #1795]
+
+5400.	[func]		Add engine support to OpenSSL EdDSA implementation.
+			[GL #1763]
+
+5399.	[func]		Add engine support to OpenSSL ECDSA implementation.
+			[GL #1534]
+
+5398.	[bug]		Named could fail to restart if a zone with a double
+			quote (") in its name was added with 'rndc addzone'.
+			[GL #1695]
+
+5397.	[func]		Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
+			Thanks to Aaron Thompson. [GL !3326]
+
+5396.	[func]		When necessary (i.e. in libuv >= 1.37), use the
+			UV_UDP_RECVMMSG flag to enable recvmmsg() support in
+			libuv. [GL #1797]
+
+5395.	[security]	Further limit the number of queries that can be
+			triggered from a request.  Root and TLD servers
+			are no longer exempt from max-recursion-queries.
+			Fetches for missing name server address records
+			are limited to 4 for any domain. (CVE-2020-8616)
+			[GL #1388]
+
+5394.	[cleanup]	Named formerly attempted to change the effective UID and
+			GID in named_os_openfile(), which could trigger a
+			spurious log message if they were already set to the
+			desired values. This has been fixed. [GL #1042]
+			[GL #1090]
+
+5392.	[bug]		It was possible for named to crash during shutdown
+			or reconfiguration if an RPZ zone was still being
+			updated. [GL #1779]
+
+5390.	[security]	Replaying a TSIG BADTIME response as a request could
+			trigger an assertion failure. (CVE-2020-8617)
+			[GL #1703]
+
+5389.	[bug]		Finish PKCS#11 code cleanup, fix a couple of smaller
+			bugs and use PKCS#11 v3.0 EdDSA macros and constants.
+			Thanks to Aaron Thompson. [GL !3391]
+
+5387.	[func]		Warn about AXFR streams with inconsistent message IDs.
+			[GL #1674]
+
+5386.	[cleanup]	Address Coverity warnings in lib/dns/keymgr.c.
+			[GL #1737]
+
+5385.	[func]		Make ISC rwlock implementation the default again.
+			[GL #1753]
+
+5384.	[bug]		With "dnssec-policy" in effect, "inline-signing" was
+			implicitly set to "yes". Now "inline-signing" is only
+			set to "yes" if the zone is not dynamic. [GL #1709]
+
+	--- 9.16.2 released ---
+
+5383.	[func]		Add a quota attach function with a callback and clean up
+			the isc_quota API. [GL !3280]
+
+5382.	[bug]		Use clock_gettime() instead of gettimeofday() for
+			isc_stdtime() function. [GL #1679]
+
+5381.	[bug]		Fix logging API data race by adding rwlock and caching
+			logging levels in stdatomic variables to restore
+			performance to original levels. [GL #1675] [GL #1717]
+
+5380.	[contrib]	Fix building MySQL DLZ modules against MySQL 8
+			libraries. [GL #1678]
+
+5378.	[bug]		Receiving invalid DNS data was triggering an assertion
+			failure in nslookup. [GL #1652]
+
+5376.	[bug]		Fix ineffective DNS rebinding protection when BIND is
+			configured as a forwarding DNS server. Thanks to Tobias
+			Klein. [GL #1574]
+
+5375.	[test]		Fix timing issues in the "kasp" system test. [GL #1669]
+
+5374.	[bug]		Statistics counters tracking recursive clients and
+			active connections could underflow. [GL #1087]
+
+5373.	[bug]		Collecting statistics for DNSSEC signing operations
+			(change 5254) caused an array of significant size (over
+			100 kB) to be allocated for each configured zone. Each
+			of these arrays is tracking all possible key IDs; this
+			could trigger an out-of-memory condition on servers with
+			a high enough number of zones configured. Fixed by
+			tracking up to four keys per zone and rotating counters
+			when keys are replaced. This fixes the immediate problem
+			of high memory usage, but should be improved in a future
+			release by growing or shrinking the number of keys to
+			track upon key rollover events. [GL #1179]
+
+5372.	[bug]		Fix migration from existing DNSSEC key files
+			("auto-dnssec maintain") to "dnssec-policy". [GL #1706]
+
+5371.	[bug]		Improve incremental updates of the RPZ summary
+			database to reduce delays that could occur when
+			a policy zone update included a large number of
+			record deletions. [GL #1447]
+
+5370.	[bug]		Deactivation of a netmgr handle associated with a
+			socket could be skipped in some circumstances.
+			Fixed by deactivating the netmgr handle before
+			scheduling the asynchronous close routine. [GL #1700]
+
+5368.	[bug]		Named failed to restart if 'rndc addzone' names
+			contained special characters (e.g. '/'). [GL #1655]
+
+5367.	[bug]		Fixed a flaw in the calculation of the zone database
+			size so that "max-journal-size default" uses the correct
+			limit. [GL #1661]
+
+	--- 9.16.1 released ---
+
+5366.	[bug]		Fix a race condition with the keymgr when the same
+			zone plus dnssec-policy is configured in multiple
+			views. [GL #1653]
+
+5365.	[bug]		Algorithm rollover was stuck on submitting DS
+			because keymgr thought it would move to an invalid
+			state.  Fixed by checking the current key against
+			the desired state, not the existing state. [GL #1626]
+
+5364.	[bug]		Algorithm rollover waited too long before introducing
+			zone signatures.  It waited to make sure all signatures
+			were regenerated, but when introducing a new algorithm,
+			all signatures are regenerated immediately.  Only
+			add the sign delay if there is a predecessor key.
+			[GL #1625]
+
+5363.	[bug]		When changing a dnssec-policy, existing keys with
+			properties that no longer match were not being retired.
+			[GL #1624]
+
+5361.	[bug]		named might not accept new connections after
+			hitting tcp-clients quota. [GL #1643]
+
+5360.	[bug]		delv could fail to load trust anchors in DNSKEY
+			format. [GL #1647]
+
+5358.	[bug]		Inline master zones whose master files were touched
+			but otherwise unchanged and were subsequently reloaded
+			may have stopped re-signing. [GL !3135]
+
+5357.	[bug]		Newly added RRSIG records with expiry times before
+			the previous earliest expiry times might not be
+			re-signed in time.  This was a side effect of 5315.
+			[GL !3137]
+
+	--- 9.16.0 released ---
+
+5356.	[func]		Update dnssec-policy configuration statements:
+			- Rename "zone-max-ttl" dnssec-policy option to
+			  "max-zone-ttl" for consistency with the existing
+			  zone option.
+			- Allow for "lifetime unlimited" as a synonym for
+			  "lifetime PT0S".
+			- Make "key-directory" optional.
+			- Warn if specifying a key length does not make
+			  sense; fail if key length is out of range for
+			  the algorithm.
+			- Allow use of mnemonics when specifying key
+			  algorithm (e.g. "rsasha256", "ecdsa384", etc.).
+			- Make ISO 8601 durations case-insensitive.
+			[GL #1598]
+
+5355.	[func]		What was set with --with-tuning=large option in
+			older BIND9 versions is now a default, and
+			a --with-tuning=small option was added for small
+			(e.g. OpenWRT) systems. [GL !2989]
+
+5354.	[bug]		dnssec-policy created new KSK keys for zones in the
+			initial stage of signing (with the DS not yet in the
+			rumoured or omnipresent states).  Fix by checking the
+			key goals rather than the active state when determining
+			whether new keys are needed. [GL #1593]
+
+5353.	[doc]		Document port and dscp parameters in forwarders
+			configuration option. [GL #914]
+
+5352.	[bug]		Correctly handle catalog zone entries containing
+			characters that aren't legal in filenames. [GL #1592]
+
+5351.	[bug]		CDS / CDNSKEY consistency checks failed to handle
+			removal records. [GL #1554]
+
+5350.	[bug]		When a view was configured with class CHAOS, the
+			server could crash while processing a query for a
+			non-existent record. [GL #1540]
+
+5349.	[bug]		Fix a race in task_pause/unpause. [GL #1571]
+
+5348.	[bug]		dnssec-settime -Psync was not being honoured.
+			[GL !2925]
+
+	--- 9.15.8 released ---
+
+5347.	[bug]		Fixed a bug that could cause an intermittent crash
+			in validator.c when validating a negative cache
+			entry. [GL #1561]
+
+5346.	[bug]		Make hazard pointer array allocations dynamic, fixing
+			a bug that caused named to crash on machines with more
+			than 40 cores. [GL #1493]
+
+5345.	[func]		Key-style trust anchors and DS-style trust anchors
+			can now both be used for the same name. [GL #1237]
+
+5344.	[bug]		Handle accept() errors properly in netmgr. [GL !2880]
+
+5343.	[func]		Add statistics counters to the netmgr. [GL #1311]
+
+5342.	[bug]		Disable pktinfo for IPv6 and bind to each interface
+			explicitly instead, because libuv doesn't support
+			pktinfo control messages. [GL #1558]
+
+5341.	[func]		Simplify passing the bound TCP socket to child
+			threads by using isc_uv_export/import functions.
+			[GL !2825]
+
+5340.	[bug]		Don't deadlock when binding to a TCP socket fails.
+			[GL #1499]
+
+5339.	[bug]		With some libmaxminddb versions, named could erroneously
+			match an IP address not belonging to any subnet defined
+			in a given GeoIP2 database to one of the existing
+			entries in that database. [GL #1552]
+
+5338.	[bug]		Fix line spacing in `rndc secroots`.
+			Thanks to Tony Finch. [GL !2478]
+
+5337.	[func]		'named -V' now reports maxminddb and protobuf-c
+			versions. [GL !2686]
+
+	--- 9.15.7 released ---
+
+5336.	[bug]		The TCP high-water statistic could report an
+			incorrect value on startup. [GL #1392]
+
+5335.	[func]		Make TCP listening code multithreaded. [GL !2659]
+
+5334.	[doc]		Update documentation with dnssec-policy clarifications.
+			Also change some defaults. [GL !2711]
+
+5333.	[bug]		Fix duration printing on Solaris when value is not
+			an ISO 8601 duration. [GL #1460]
+
+5332.	[func]		Renamed "dnssec-keys" configuration statement
+			to the more descriptive "trust-anchors". [GL !2702]
+
+5331.	[func]		Use compiler-provided mechanisms for thread local
+			storage, and make the requirement for such mechanisms
+			explicit in configure. [GL #1444]
+
+5330.	[bug]		'configure --without-python' was ineffective if
+			PYTHON was set in the environment. [GL #1434]
+
+5329.	[bug]		Reconfiguring named caused memory to be leaked when any
+			GeoIP2 database was in use. [GL #1445]
+
+5328.	[bug]		rbtdb.c:rdataset_{get,set}ownercase failed to obtain
+			a node lock. [GL #1417]
+
+5327.	[func]		Added a statistics counter to track queries
+			dropped because the recursive-clients quota was
+			exceeded. [GL #1399]
+
+5326.	[bug]		Add Python dependency on 'distutils.core' to configure.
+			'distutils.core' is required for installation.
+			[GL #1397]
+
+5325.	[bug]		Addressed several issues with TCP connections in
+			the netmgr: restored support for TCP connection
+			timeouts, restored TCP backlog support, actively
+			close all open sockets during shutdown. [GL #1312]
+
+5324.	[bug]		Change the category of some log messages from general
+			to the more appropriate catergory of xfer-in. [GL #1394]
+
+5323.	[bug]		Fix a bug in DNSSEC trust anchor verification.
+			[GL !2609]
+
+5322.	[placeholder]
+
+5321.	[bug]		Obtain write lock before updating version->records
+			and version->bytes. [GL #1341]
+
+5320.	[cleanup]	Silence TSAN on header->count. [GL #1344]
+
+	--- 9.15.6 released ---
+
+5319.	[func]		Trust anchors can now be configured using DS
+			format to represent a key digest, by using the
+			new "initial-ds" or "static-ds" keywords in
+			the "dnssec-keys" statement.
+
+			Note: DNSKEY-format and DS-format trust anchors
+			cannot both be used for the same domain name.
+			[GL #622]
+
+5318.	[cleanup]	The DNSSEC validation code has been refactored
+			for clarity and to reduce code duplication.
+			[GL #622]
+
+5317.	[func]		A new asynchronous network communications system
+			based on libuv is now used for listening for
+			incoming requests and responding to them. (The
+			old isc_socket API remains in use for sending
+			iterative queries and processing responses; this
+			will be changed too in a later release.)
+
+			This change will make it easier to improve
+			performance and implement new protocol layers
+			(e.g., DNS over TLS) in the future. [GL #29]
+
+5316.	[func]		A new "dnssec-policy" option has been added to
+			named.conf to implement a key and signing policy
+			(KASP) for zones. When this option is in use,
+			named can generate new keys as needed and
+			automatically roll both ZSK and KSK keys. (Note
+			that the syntax for this statement differs from
+			the dnssec policy used by dnssec-keymgr.)
+
+			See the ARM for configuration details. [GL #1134]
+
+5315.	[bug]		Apply the initial RRSIG expiration spread fixed
+			to all dynamically created records in the zone
+			including NSEC3. Also fix the signature clusters
+			when the server has been offline for prolonged
+			period of times. [GL #1256]
+
+5314.	[func]		Added a new statistics variable "tcp-highwater"
+			that reports the maximum number of simultaneous TCP
+			clients BIND has handled while running. [GL #1206]
+
+5313.	[bug]		The default GeoIP2 database location did not match
+			the ARM.  'named -V' now reports the default
+			location. [GL #1301]
+
+5312.	[bug]		Do not flush the cache for `rndc validation status`.
+			Thanks to Tony Finch. [GL !2462]
+
+5311.	[cleanup]	Include all views in output of `rndc validation status`.
+			Thanks to Tony Finch. [GL !2461]
+
+5310.	[bug]		TCP failures were affecting EDNS statistics. [GL #1059]
+
+5309.	[placeholder]
+
+5308.	[bug]		Don't log DNS_R_UNCHANGED from sync_secure_journal()
+			at ERROR level in receive_secure_serial(). [GL #1288]
+
+5307.	[bug]		Fix hang when named-compilezone output is sent to pipe.
+			Thanks to Tony Finch. [GL !2481]
+
+5306.	[security]	Set a limit on number of simultaneous pipelined TCP
+			queries. (CVE-2019-6477) [GL #1264]
+
+5305.	[bug]		NSEC Aggressive Cache ("synth-from-dnssec") has been
+			disabled by default because it was found to have
+			a significant performance impact on the recursive
+			service. [GL #1265]
+
+5304.	[bug]		"dnskey-sig-validity 0;" was not being accepted.
+			[GL #876]
+
+5303.	[placeholder]
+
+5302.	[bug]		Fix checking that "dnstap-output" is defined when
+			"dnstap" is specified in a view. [GL #1281]
+
+5301.	[bug]		Detect partial prefixes / incomplete IPv4 address in
+			acls. [GL #1143]
+
+5300.	[bug]		dig/mdig/delv: Add a colon after EDNS option names,
+			even when the option is empty, to improve
+			readability and allow correct parsing of YAML
+			output. [GL #1226]
+
+	--- 9.15.5 released ---
+
+5299.	[security]	A flaw in DNSSEC verification when transferring
+			mirror zones could allow data to be incorrectly
+			marked valid. (CVE-2019-6475) [GL #1252]
+
+5298.	[security]	Named could assert if a forwarder returned a
+			referral, rather than resolving the query, when QNAME
+			minimization was enabled. (CVE-2019-6476) [GL #1051]
+
+5297.	[bug]		Check whether a previous QNAME minimization fetch
+			is still running before starting a new one; return
+			SERVFAIL and log an error if so. [GL #1191]
+
+5296.	[placeholder]
+
+5295.	[cleanup]	Split dns_name_copy() calls into dns_name_copy() and
+			dns_name_copynf() for those calls that can potentially
+			fail and those that should not fail respectively.
+			[GL !2265]
+
+5294.	[func]		Fallback to ACE name on output in locale, which does not
+			support converting it to unicode.  [GL #846]
+
+5293.	[bug]		On Windows, named crashed upon any attempt to fetch XML
+			statistics from it. [GL #1245]
+
+5292.	[bug]		Queue 'rndc nsec3param' requests while signing inline
+			zone changes. [GL #1205]
+
+	--- 9.15.4 released ---
+
+5291.	[placeholder]
+
+5290.	[placeholder]
+
+5289.	[bug]		Address NULL pointer dereference in rpz.c:rpz_detach.
+			[GL #1210]
+
+5288.	[bug]		dnssec-must-be-secure was not always honored.
+			[GL #1209]
+
+5287.	[placeholder]
+
+5286.	[contrib]	Address potential NULL pointer dereferences in
+			dlz_mysqldyn_mod.c. [GL #1207]
+
+5285.	[port]		win32: implement "-T maxudpXXX". [GL #837]
+
+5284.	[func]		Added +unexpected command line option to dig.
+			By default, dig won't accept a reply from a source
+			other than the one to which it sent the query.
+			Invoking dig with +unexpected argument will allow it
+			to process replies from unexpected sources.
+
+5283.	[bug]		When a response-policy zone expires, ensure that
+			its policies are removed from the RPZ summary
+			database. [GL #1146]
+
+5282.	[bug]		Fixed a bug in searching for possible wildcard matches
+			for query names in the RPZ summary database. [GL #1146]
+
+5281.	[cleanup]	Don't escape commas when reporting named's command
+			line. [GL #1189]
+
+5280.	[protocol]	Add support for displaying EDNS option LLQ. [GL #1201]
+
+5279.	[bug]		When loading, reject zones containing CDS or CDNSKEY
+			RRsets at the zone apex if they would cause DNSSEC
+			validation failures if published in the parent zone
+			as the DS RRset.  [GL #1187]
+
+5278.	[func]		Add YAML output formats for dig, mdig and delv;
+			use the "+yaml" option to enable. [GL #1145]
+
+	--- 9.15.3 released ---
+
+5277.	[bug]		Cache DB statistics could underflow when serve-stale
+			was in use, because of a bug in counter maintenance
+			when RRsets become stale.
+
+			Functions for dumping statistics have been updated
+			to dump active, stale, and ancient statistic
+			counters.  Ancient RRset counters are prefixed
+			with '~'; stale RRset counters are still prefixed
+			with '#'. [GL #602]
+
+5276.	[func]		DNSSEC Lookaside Validation (DLV) is now obsolete;
+			all code enabling its use has been removed from the
+			validator, "delv", and the DNSSEC tools. [GL #7]
+
+5275.	[bug]		Mark DS records included in referral messages
+			with trust level "pending" so that they can be
+			validated and cached immediately, with no need to
+			re-query. [GL #964]
+
+5274.	[bug]		Address potential use after free race when shutting
+			down rpz. [GL #1175]
+
+5273.	[bug]		Check that bits [64..71] of a dns64 prefix are zero.
+			[GL #1159]
+
+5272.	[cleanup]	Remove isc-config.sh script as the BIND 9 libraries
+			are now purely internal. [GL #1123]
+
+5271.	[func]		The normal (non-debugging) output of dnssec-signzone
+			and dnssec-verify tools now goes to stdout, instead of
+			the combination of stderr and stdout.
+
+5270.	[bug]		'dig +expandaaaa +short' did not work. [GL #1152]
+
+5269.	[port]		cygwin: can return ETIMEDOUT on connect() with a
+			non-blocking socket. [GL #1133]
+
+5268.	[placeholder]
+
+5267.	[func]		Allow statistics groups display to be toggle-able.
+			[GL #1030]
+
+5266.	[bug]		named-checkconf failed to report dnstap-output
+			missing from named.conf when dnstap was specified.
+			[GL #1136]
+
+5265.	[bug]		DNS64 and RPZ nodata (CNAME *.) rules interacted badly
+			[GL #1106]
+
+5264.	[func]		New DNS Cookie algorithm - siphash24 - has been added
+			to BIND 9, and the old HMAC-SHA DNS Cookie algorithms
+			have been removed. [GL #605]
+
+	--- 9.15.2 released ---
+
+5263.	[cleanup]	Use atomics and isc_refcount_t wherever possible.
+			[GL #1038]
+
+5262.	[func]		Removed support for the legacy GeoIP API. [GL #1112]
+
+5261.	[cleanup]	Remove SO_BSDCOMPAT socket option usage.
+
+5260.	[bug]		dnstap-read was producing malformed output for large
+			packets. [GL #1093]
+
+5259.	[func]		New option '-i' for 'named-checkconf' to ignore
+			warnings about deprecated options. [GL #1101]
+
+5258.	[func]		Added support for the GeoIP2 API from MaxMind. This
+			will be compiled in by default if the "libmaxminddb"
+			library is found at compile time, but can be
+			suppressed using "configure --disable-geoip".
+
+			Certain geoip ACL settings that were available with
+			legacy GeoIP are not available when using GeoIP2.
+			[GL #182]
+
+5257.	[bug]		Some statistics data was not being displayed.
+			Add shading to the zone tables. [GL #1030]
+
+5256.	[bug]		Ensure that glue records are included in root
+			priming responses if "minimal-responses" is not
+			set to "yes". [GL #1092]
+
+5255.	[bug]		Errors encountered while reloading inline-signing
+			zones could be ignored, causing the zone content to
+			be left in an incompletely updated state rather than
+			reverted. [GL #1109]
+
+5254.	[func]		Collect metrics to report to the statistics-channel
+			DNSSEC signing operations (dnssec-sign) and refresh
+			operations (dnssec-refresh) per zone and per keytag.
+			[GL #513]
+
+5253.	[port]		Support platforms that don't define ULLONG_MAX.
+			[GL #1098]
+
+5252.	[func]		Report if the last 'rndc reload/reconfig' failed in
+			rndc status. [GL !2040]
+
+5251.	[bug]		Statistics were broken in x86 Windows builds.
+			[GL #1081]
+
+5250.	[func]		The default size for RSA keys is now 2048 bits,
+			for both ZSKs and KSKs. [GL #1097]
+
+5249.	[bug]		Fix a possible underflow in recursion clients
+			statistics when hitting recursive clients
+			soft quota. [GL #1067]
+
+	--- 9.15.1 released ---
+
+5248.	[func]		To clarify the configuration of DNSSEC keys,
+			the "managed-keys" and "trusted-keys" options
+			have both been deprecated.  The new "dnssec-keys"
+			statement can now be used for all trust anchors,
+			with the keywords "iniital-key" or "static-key"
+			to indicate whether the configured trust anchor
+			should be used for initialization of RFC 5011 key
+			management, or as a permanent trust anchor.
+
+			The "static-key" keyword will generate a warning if
+			used for the root zone.
+
+			Configurations using "trusted-keys" or "managed-keys"
+			will continue to work with no changes, but will
+			generate warnings in the log. In a future release,
+			these options will be marked obsolete. [GL #6]
+
+5247.	[cleanup]	The 'cleaning-interval' option has been removed.
+			[GL !1731]
+
+5246.	[func]		Log TSIG if appropriate in 'sending notify to' message.
+			[GL #1058]
+
+5245.	[cleanup]	Reduce logging level for IXFR up-to-date poll
+			responses. [GL #1009]
+
+5244.	[security]	Fixed a race condition in dns_dispatch_getnext()
+			that could cause an assertion failure if a
+			significant number of incoming packets were
+			rejected. (CVE-2019-6471) [GL #942]
+
+5243.	[bug]		Fix a possible race between dispatcher and socket
+			code in a high-load cold-cache resolver scenario.
+			[GL #943]
+
+5242.	[bug]		In relaxed qname minimization mode, fall back to
+			normal resolution when encountering a lame
+			delegation, and use _.domain/A queries rather
+			than domain/NS. [GL #1055]
+
+5241.	[bug]		Fix Ed448 private and public key ASN.1 prefix blobs.
+			[GL #225]
+
+5240.	[bug]		Remove key id calculation for RSAMD5. [GL #996]
+
+5239.	[func]		Change the json-c detection to pkg-config. [GL #855]
+
+5238.	[bug]		Fix a possible deadlock in TCP code. [GL #1046]
+
+5237.	[bug]		Recurse to find the root server list with 'dig +trace'.
+			[GL #1028]
+
+5236.	[func]		Add SipHash 2-4 implementation in lib/isc/siphash.c
+			and switch isc_hash_function() to use SipHash 2-4.
+			[GL #605]
+
+5235.	[cleanup]	Refactor lib/isc/app.c to be thread-safe, unused
+			parts of the API has been removed and the
+			isc_appctx_t data type has been changed to be
+			fully opaque. [GL #1023]
+
+5234.	[port]		arm: just use the compiler's default support for
+			yield. [GL #981]
+
+	--- 9.15.0 released ---
+
+5233.	[bug]		Negative trust anchors did not work with "forward only;"
+			to validating resolvers. [GL #997]
+
+5232.	[placeholder]
+
+5231.	[protocol]	Add support for displaying CLIENT-TAG and SERVER-TAG.
+			[GL #960]
+
+5230.	[protocol]	The SHA-1 hash algorithm is no longer used when
+			generating DS and CDS records. [GL #1015]
+
+5229.	[protocol]	Enforce known SSHFP fingerprint lengths. [GL #852]
+
+5228.	[func]		If trusted-keys and managed-keys were configured
+			simultaneously for the same name, the key could
+			not be be rolled automatically. This is now
+			a fatal configuration error. [GL #868]
+
+5227.	[placeholder]
+
+5226.	[placeholder]
+
+5225.	[func]		Allow dig to print out AAAA record fully expanded.
+			with +[no]expandaaaa. [GL #765]
+
+5224.	[bug]		Only test provide-ixfr on TCP streams. [GL #991]
+
+5223.	[bug]		Fixed a race in the filter-aaaa plugin accessing
+			the hash table. [GL #1005]
+
+5222.	[bug]		'delv -t ANY' could leak memory. [GL #983]
+
+5221.	[test]		Enable parallel execution of system tests on
+			Windows. [GL !4101]
+
+5220.	[cleanup]	Refactor the isc_stat structure to take advantage
+			of stdatomic. [GL !1493]
+
+5219.	[bug]		Fixed a race in the filter-aaaa plugin that could
+			trigger a crash when returning an instance object
+			to the memory pool. [GL #982]
+
+5218.	[bug]		Conditionally include <dlfcn.h>. [GL #995]
+
+5217.	[bug]		Restore key id calculation for RSAMD5. [GL #996]
+
+5216.	[bug]		Fetches-per-zone counter wasn't updated correctly
+			when doing qname minimization. [GL #992]
+
+5215.	[bug]		Change #5124 was incomplete; named could still
+			return FORMERR instead of SERVFAIL in some cases.
+			[GL #990]
+
+5214.	[bug]		win32: named now removes its lock file upon shutdown.
+			[GL #979]
+
+5213.	[bug]		win32: Eliminated a race which allowed named.exe running
+			as a service to be killed prematurely during shutdown.
+			[GL #978]
+
+5212.	[placeholder]
+
+5211.	[bug]		Allow out-of-zone additional data to be included
+			in authoritative responses if recursion is allowed
+			and "minimal-responses" is disabled.  This behavior
+			was inadvertently removed in change #4605. [GL #817]
+
+5210.	[bug]		When dnstap is enabled and recursion is not
+			available, incoming queries are now logged
+			as "auth". Previously, this depended on whether
+			recursion was requested by the client, not on
+			whether recursion was available. [GL #963]
+
+5209.	[bug]		When update-check-ksk is true, add_sigs was not
+			considering offline keys, leaving record sets signed
+			with the incorrect type key. [GL #763]
+
+5208.	[test]		Run valid rdata wire encodings through totext+fromtext
+			and tofmttext+fromtext methods to check these methods.
+			[GL #899]
+
+5207.	[test]		Check delv and dig TTL values. [GL #965]
+
+5206.	[bug]		Delv could print out bad TTLs. [GL #965]
+
+5205.	[bug]		Enforce that a DS hash exists. [GL #899]
+
+5204.	[test]		Check that dns_rdata_fromtext() produces a record that
+			will be accepted by dns_rdata_fromwire(). [GL #852]
+
+5203.	[bug]		Enforce whether key rdata exists or not in KEY,
+			DNSKEY, CDNSKEY and RKEY. [GL #899]
+
+5202.	[bug]		<dns/ecs.h> was missing ISC_LANG_ENDDECLS. [GL #976]
+
+5201.	[bug]		Fix a possible deadlock in RPZ update code. [GL #973]
+
+5200.	[security]	tcp-clients settings could be exceeded in some cases,
+			which could lead to exhaustion of file descriptors.
+			(CVE-2018-5743) [GL #615]
+
+5199.	[security]	In certain configurations, named could crash
+			if nxdomain-redirect was in use and a redirected
+			query resulted in an NXDOMAIN from the cache.
+			(CVE-2019-6467) [GL #880]
+
+5198.	[bug]		If a fetch context was being shut down and, at the same
+			time, we returned from qname minimization, an INSIST
+			could be hit. [GL #966]
+
+5197.	[bug]		dig could die in best effort mode on multiple SIG(0)
+			records. Similarly on multiple OPT and multiple TSIG
+			records. [GL #920]
+
+5196.	[bug]		make install failed with --with-dlopen=no. [GL #955]
+
+5195.	[bug]		"allow-update" and "allow-update-forwarding" were
+			treated as configuration errors if used at the
+			options or view level. [GL #913]
+
+5194.	[bug]		Enforce non empty ZOMEMD hash. [GL #899]
+
+5193.	[bug]		EID and NIMLOC failed to do multi-line output
+			correctly. [GL #899]
+
+5192.	[placeholder]
+
+5191.	[placeholder]
+
+5190.	[bug]		Ignore trust anchors using disabled algorithms.
+			[GL #806]
+
+5189.	[cleanup]	Remove revoked root DNSKEY from bind.keys. [GL #945]
+
+5188.	[func]		The "dnssec-enable" option is deprecated and no
+			longer has any effect; DNSSEC responses are
+			always enabled. [GL #866]
+
+5187.	[test]		Set time zone before running any tests in dnstap_test.
+			[GL #940]
+
+5186.	[cleanup]	More dnssec-keygen manual tidying. [GL !1678]
+
+5185.	[placeholder]
+
+5184.	[bug]		Missing unlocks in sdlz.c. [GL #936]
+
+5183.	[bug]		Reinitialize ECS data before reusing client
+			structures. [GL #881]
+
+5182.	[bug]		Fix a high-load race/crash in handling of
+			isc_socket_close() in resolver. [GL #834]
+
+5181.	[func]		Add a mechanism for a DLZ module to signal that
+			the view's allow-transfer ACL should be used to
+			determine whether transfers are allowed. [GL #803]
+
+5180.	[bug]		delv now honors the operating system's preferred
+			ephemeral port range. [GL #925]
+
+5179.	[cleanup]	Replace some vague type declarations with the more
+			specific dns_secalg_t and dns_dsdigest_t.
+			Thanks to Tony Finch. [GL !1498]
+
+5178.	[bug]		Handle EDQUOT (disk quota) and ENOSPC (disk full)
+			errors when writing files. [GL #902]
+
+5177.	[func]		Add the ability to specify in named.conf whether a
+			response-policy zone's SOA record should be added
+			to the additional section (add-soa yes/no). [GL #865]
+
+5176.	[tests]		Remove a dependency on libxml in statschannel system
+			test. [GL #926]
+
+5175.	[bug]		Fixed a problem with file input in dnssec-keymgr,
+			dnssec-coverage and dnssec-checkds when using
+			python3. [GL #882]
+
+5174.	[doc]		Tidy dnssec-keygen manual. [GL !1557]
+
+5173.	[bug]		Fixed a race in socket code that could occur when
+			accept, send, or recv were called from an event
+			loop but the socket had been closed by another
+			thread. [RT #874]
+
+5172.	[bug]		nsupdate now honors the operating system's preferred
+			ephemeral port range. [GL #905]
+
+5171.	[func]		named plugins are now installed into a separate
+			directory.  Supplying a filename (a string without path
+			separators) in a "plugin" configuration stanza now
+			causes named to look for that plugin in that directory.
+			[GL #878]
+
+5170.	[test]		Added --with-dlz-filesystem to feature-test. [GL !1587]
+
+5169.	[bug]		The presence of certain types in an otherwise
+			empty node could cause a crash while processing a
+			type ANY query. [GL #901]
+
+5168.	[bug]		Do not crash on shutdown when RPZ fails to load.  Also,
+			keep previous version of the database if RPZ fails to
+			load. [GL #813]
+
+5167.	[bug]		nxdomain-redirect could sometimes lookup the wrong
+			redirect name. [GL #892]
+
+5166.	[placeholder]
+
+5165.	[contrib]	Removed SDB drivers from contrib; they're obsolete.
+			[GL #428]
+
+5164.	[bug]		Correct errno to result translation in dlz filesystem
+			modules. [GL #884]
+
+5163.	[cleanup]	Out-of-tree builds failed --enable-dnstap. [GL #836]
+
+5162.	[cleanup]	Improve dnssec-keymgr manual. Thanks to Tony Finch.
+			[GL !1518]
+
+5161.	[bug]		Do not require the SEP bit to be set for mirror zone
+			trust anchors. [GL #873]
+
+5160.	[contrib]	Added DNAME support to the DLZ LDAP schema. Also
+			fixed a compilation bug affecting several DLZ
+			modules. [GL #872]
+
+5159.	[bug]		dnssec-coverage was incorrectly ignoring
+			names specified on the command line without
+			trailing dots. [GL !1478]
+
+5158.	[protocol]	Add support for AMTRELAY and ZONEMD. [GL #867]
+
+5157.	[bug]		Nslookup now errors out if there are extra command
+			line arguments. [GL #207]
+
+5156.	[doc]		Extended and refined the section of the ARM describing
+			mirror zones. [GL #774]
+
+5155.	[func]		"named -V" now outputs the default paths to
+			named.conf, rndc.conf, bind.keys, and other
+			files used or created by named and other tools, so
+			that the correct paths to these files can quickly be
+			determined regardless of the configure settings
+			used when BIND was built. [GL #859]
+
+5154.	[bug]		dig: process_opt could be called twice on the same
+			message leading to a assertion failure. [GL #860]
+
+5153.	[func]		Zone transfer statistics (size, number of records, and
+			number of messages) are now logged for outgoing
+			transfers as well as incoming ones. [GL #513]
+
+5152.	[func]		Improved logging of DNSSEC key events:
+			- Zone signing and DNSKEY maintenance events are
+			  now logged to the "dnssec" category
+			- Messages are now logged when DNSSEC keys are
+			  published, activated, inactivated, deleted,
+			  or revoked.
+			[GL #714]
+
+5151.	[func]		Options that have been been marked as obsolete in
+			named.conf for a very long time are now fatal
+			configuration errors. [GL #358]
+
+5150.	[cleanup]	Remove the ability to compile BIND with assertions
+			disabled. [GL #735]
+
+5149.	[func]		"rndc dumpdb" now prints a line above a stale RRset
+			indicating how long the data will be retained in the
+			cache for emergency use. [GL #101]
+
+5148.	[bug]		named did not sign the TKEY response. [GL #821]
+
+5147.	[bug]		dnssec-keymgr: Add a five-minute margin to better
+			handle key events close to 'now'. [GL #848]
+
+5146.	[placeholder]
+
+5145.	[func]		Use atomics instead of locked variables for isc_quota
+			and isc_counter. [GL !1389]
+
+5144.	[bug]		dig now returns a non-zero exit code when a TCP
+			connection is prematurely closed by a peer more than
+			once for the same lookup.  [GL #820]
+
+5143.	[bug]		dnssec-keymgr and dnssec-coverage failed to find
+			key files for zone names ending in ".". [GL #560]
+
+5142.	[cleanup]	Removed "configure --disable-rpz-nsip" and
+			"--disable-rpz-nsdname" options. "nsip-enable"
+			and "nsdname-enable" both now default to yes,
+			regardless of compile-time settings. [GL #824]
+
+5141.	[security]	Zone transfer controls for writable DLZ zones were
+			not effective as the allowzonexfr method was not being
+			called for such zones. (CVE-2019-6465) [GL #790]
+
+5140.	[bug]		Don't immediately mark existing keys as inactive and
+			deleted when running dnssec-keymgr for the first
+			time. [GL #117]
+
+5139.	[bug]		If possible, don't use forwarders when priming.
+			This ensures we can get root server IP addresses
+			from priming query response glue, which may not
+			be present if the forwarding server is returning
+			minimal responses. [GL #752]
+
+5138.	[bug]		Under some circumstances named could hit an assertion
+			failure when doing qname minimization when using
+			forwarders. [GL #797]
+
+5137.	[func]		named now logs messages whenever a mirror zone becomes
+			usable or unusable for resolution purposes. [GL #818]
+
+5136.	[cleanup]	Check in named-checkconf that allow-update and
+			allow-update-forwarding are not set at the
+			view/options level; fix documentation. [GL #512]
+
+5135.	[port]		sparc: Use smt_pause() instead of pause. [GL #816]
+
+5134.	[bug]		win32: WSAStartup was not called before getservbyname
+			was called. [GL #590]
+
+5133.	[bug]		'rndc managed-keys' didn't handle class and view
+			correctly and failed to add new lines between each
+			view. [GL !1327]
+
+5132.	[bug]		Fix race condition in cleanup part of dns_dt_create().
+			[GL !1323]
+
+5131.	[cleanup]	Address Coverity warnings. [GL #801]
+
+5130.	[cleanup]	Remove support for l10n message catalogs. [GL #709]
+
+5129.	[contrib]	sdlz_helper.c:build_querylist was not properly
+			splitting the query string. [GL #798]
+
+5128.	[bug]		Refreshkeytime was not being updated for managed
+			keys zones. [GL #784]
+
+5127.	[bug]		rcode.c:maybe_numeric failed to handle NUL in text
+			regions. [GL #807]
+
+5126.	[bug]		Named incorrectly accepted empty base64 and hex encoded
+			fields when reading master files. [GL #807]
+
+5125.	[bug]		Allow for up to 100 records or 64k of data when caching
+			a negative response. [GL #804]
+
+5124.	[bug]		Named could incorrectly return FORMERR rather than
+			SERVFAIL. [GL #804]
+
+5123.	[bug]		dig could hang indefinitely after encountering an error
+			before creating a TCP socket. [GL #692]
+
+5122.	[bug]		In a "forward first;" configuration, a forwarder
+			timeout did not prevent that forwarder from being
+			queried again after falling back to full recursive
+			resolution. [GL #315]
+
+5121.	[contrib]	dlz_stub_driver.c fails to return ISC_R_NOTFOUND on none
+			matching zone names. [GL !1299]
+
+5120.	[placeholder]
+
+5119.	[placeholder]
+
+5118.	[security]	Named could crash if it is managing a key with
+			`managed-keys` and the authoritative zone is rolling
+			the key to an unsupported algorithm. (CVE-2018-5745)
+			[GL #780]
+
+5117.	[placeholder]
+
+5116.	[bug]		Named/named-checkconf triggered a assertion when
+			a mirror zone's name is bad. [GL #778]
+
+5115.	[bug]		Allow unsupported algorithms in zone when not used for
+			signing with dnssec-signzone. [GL #783]
+
+5114.	[func]		Include a 'reconfig/reload in progress' status line
+			in rndc status, use it in tests.
+
+5113.	[port]		Fixed a Windows build error.
+
+5112.	[bug]		Named/named-checkconf could dump core if there was
+			a missing masters clause and a bad notify clause.
+			[GL #779]
+
+5111.	[bug]		Occluded DNSKEY records could make it into the
+			delegating NSEC/NSEC3 bitmap. [GL #742]
+
+5110.	[security]	Named leaked memory if there were multiple Key Tag
+			EDNS options present. (CVE-2018-5744) [GL #772]
+
+5109.	[cleanup]	Remove support for RSAMD5 algorithm. [GL #628]
+
+	--- 9.13.5 released ---
+
+5108.	[bug]		Named could fail to determine bottom of zone when
+			removing out of date keys leading to invalid NSEC
+			and NSEC3 records being added to the zone. [GL #771]
+
+5107.	[bug]		'host -U' did not work. [GL #769]
+
+5106.	[experimental]	A new "plugin" mechanism has been added to allow
+			extension of query processing functionality through
+			the use of dynamically loadable libraries. A
+			"filter-aaaa.so" plugin has been implemented,
+			replacing the filter-aaaa feature that was formerly
+			implemented as a native part of BIND.
+
+			The "filter-aaaa", "filter-aaaa-on-v4" and
+			"filter-aaaa-on-v6" options can no longer be
+			configured using native named.conf syntax. However,
+			loading the filter-aaaa.so plugin and setting its
+			parameters provides identical functionality.
+
+			Note that the plugin API is a work in progress and
+			is likely to evolve as further plugins are
+			implemented. [GL #15]
+
+5105.	[bug]		Fix a race between process_fd and socketclose in
+			unix socket code. [GL #744]
+
+5104.	[cleanup]	Log clearer informational message when a catz zone
+			is overridden by a zone in named.conf.
+			Thanks to Tony Finch. [GL !1157]
+
+5103.	[bug]		Add missing design by contract tests to dns_catz*.
+			[GL #748]
+
+5102.	[bug]		dnssec-coverage failed to use the default TTL when
+			checking KSK deletion times leading to a exception.
+			[GL #585]
+
+5101.	[bug]		Fix default installation path for Python modules and
+			remove the dnspython dependency accidentally introduced
+			by change 4970. [GL #730]
+
+5100.	[func]		Pin resolver tasks to specific task queues. [GL !1117]
+
+5099.	[func]		Failed mutex and conditional creations are always
+			fatal. [GL #674]
+
+	--- 9.13.4 released ---
+
+5098.	[func]		Failed memory allocations are now fatal. [GL #674]
+
+5097.	[cleanup]	Remove embedded ATF unit testing framework
+			from BIND source distribution.  [GL !875]
+
+5096.	[func]		Use multiple event loops in socket code, and
+			make network threads CPU-affinitive.  This
+			significantly improves performance on large
+			systems. [GL #666]
+
+5095.	[test]		Converted all unit tests from ATF to CMocka;
+			removed the source code for the ATF libraries.
+			Build with "configure --with-cmocka" to enable
+			unit testing. [GL #620]
+
+5094.	[func]		Add 'dig -r' to disable reading of .digrc. [GL !970]
+
+5093.	[bug]		Log lame qname-minimization servers only if they're
+			really lame. [GL #671]
+
+5092.	[bug]		Address memory leak on SIGTERM in nsupdate when using
+			GSS-TSIG. [GL #558]
+
+5091.	[func]		Two new global and per-view options min-cache-ttl
+			and min-ncache-ttl [GL #613]
+
+5090.	[bug]		dig and mdig failed to properly pre-parse dash value
+			pairs when value was a separate argument and started
+			with a dash. [GL #584]
+
+5089.	[bug]		Restore localhost fallback in dig and host which is
+			used when no nameserver addresses present in
+			/etc/resolv.conf are usable due to the requested
+			address family restrictions. [GL #433]
+
+5088.	[bug]		dig/host/nslookup could crash when interrupted close to
+			a query timeout. [GL #599]
+
+5087.	[test]		Check that result tables are complete. [GL #676]
+
+5086.	[func]		Log of RPZ now includes the QTYPE and QCLASS. [GL #623]
+
+5085.	[bug]		win32: Restore looking up nameservers, search list,
+			etc. [GL #186]
+
+5084.	[placeholder]
+
+5083.	[func]		Add autoconf macro AX_POSIX_SHELL, so we
+			can use POSIX-compatible shell features
+			in the scripts.
+
+5082.	[bug]		Fixed a race that could cause a crash in
+			dig/host/nslookup. [GL #650]
+
+5081.	[func]		Use per-worker queues in task manager, make task
+			runners CPU-affine. [GL #659]
+
+5080.	[func]		Improvements to "rndc nta" user interface:
+			- catch and report invalid command line options
+			- when removing an NTA from all views, do not
+			  abort with an error if the NTA was not found
+			  in one of the views
+			- include the view name in "rndc nta -dump"
+			  output, for consistency with the add and remove
+			  actions
+			Thanks to Tony Finch. [GL !816]
+
+5079.	[func]		Disable IDN processing in dig and nslookup
+			when not on a tty. [GL #653]
+
+5078.	[cleanup]	Require python components to be explicitly disabled if
+			python is not available on unix platforms. [GL #601]
+
+5077.	[cleanup]	Remove ip6.int support (-i) from dig and mdig.
+			[GL !969]
+
+5076.	[bug]		"require-server-cookie" was not effective if
+			"rate-limit" was configured. [GL #617]
+
+5075.	[bug]		Refresh nameservers from cache when sending final
+			query in qname minimization. [GL #16]
+
+5074.	[cleanup]	Remove vector socket functions - isc_socket_recvv(),
+			isc_socket_sendtov(), isc_socket_sendtov2(),
+			isc_socket_sendv() - in order to simplify socket code.
+			[GL #645]
+
+5073.	[bug]		Destroy a task first when destroying rpzs and catzs.
+			[GL #84]
+
+5072.	[bug]		Add unit tests for isc_buffer_copyregion() and fix its
+			behavior for auto-reallocated buffers. [GL #644]
+
+5071.	[bug]		Comparison of NXT records was broken. [GL #631]
+
+5070.	[bug]		Record types which support a empty rdata field were
+			not handling the empty rdata field case. [GL #638]
+
+5069.	[bug]		Fix a hang on in RPZ when named is shutdown during RPZ
+			zone update. [GL !907]
+
+5068.	[bug]		Fix a race in RPZ with min-update-interval set to 0.
+			[GL #643]
+
+5067.	[bug]		Don't minimize qname when sending the query
+			to a forwarder. [GL #361]
+
+5066.	[cleanup]	Allow unquoted strings to be used as a zone names
+			in response-policy statements. [GL #641]
+
+5065.	[bug]		Only set IPV6_USE_MIN_MTU on IPv6. [GL #553]
+
+5064.	[test]		Initialize TZ environment variable before calling
+			dns_test_begin in dnstap_test. [GL #624]
+
+5063.	[test]		In statschannel test try a few times before failing
+			when checking if the compressed output is the same as
+			uncompressed. [GL !909]
+
+5062.	[func]		Use non-crypto-secure PRNG to generate nonces for
+			cookies. [GL !887]
+
+5061.	[protocol]	Add support for EID and NIMLOC. [GL #626]
+
+5060.	[bug]		GID, UID and UINFO could not be loaded using unknown
+			record format. [GL #627]
+
+5059.	[bug]		Display a per-view list of zones in the web interface.
+			[GL #427]
+
+5058.	[func]		Replace old message digest and hmac APIs with more
+			generic isc_md and isc_hmac APIs, and convert their
+			respective tests to cmocka. [GL #305]
+
+5057.	[protocol]	Add support for ATMA. [GL #619]
+
+5056.	[placeholder]
+
+5055.	[func]		A default list of primary servers for the root zone is
+			now built into named, allowing the "masters" statement
+			to be omitted when configuring an IANA root zone
+			mirror. [GL #564]
+
+5054.	[func]		Attempts to use mirror zones with recursion disabled
+			are now considered a configuration error. [GL #564]
+
+5053.	[func]		The only valid zone-level NOTIFY settings for mirror
+			zones are now "notify no;" and "notify explicit;".
+			[GL #564]
+
+5052.	[func]		Mirror zones are now configured using "type mirror;"
+			rather than "mirror yes;". [GL #564]
+
+5051.	[doc]		Documentation incorrectly stated that the
+			"server-addresses" static-stub zone option accepts
+			custom port numbers. [GL #582]
+
+5050.	[bug]		The libirs version of getaddrinfo() was unable to parse
+			scoped IPv6 addresses present in /etc/resolv.conf.
+			[GL #187]
+
+5049.	[cleanup]	QNAME minimization has been deeply refactored. [GL #16]
+
+5048.	[func]		Add configure option to enable and enforce FIPS mode
+			in BIND 9. [GL #506]
+
+5047.	[bug]		Messages logged for certain query processing failures
+			now include a more specific error description if it is
+			available. [GL #572]
+
+5046.	[bug]		named could crash during shutdown if an RPZ
+			reload was in progress. [RT #46210]
+
+5045.	[func]		Remove support for DNSSEC algorithms 3 (DSA)
+			and 6 (DSA-NSEC3-SHA1). [GL #22]
+
+5044.	[cleanup]	If "dnssec-enable" is no, then "dnssec-validation"
+			now also defaults to no.  [GL #388]
+
+5043.	[bug]		Fix creating and validating EdDSA signatures. [GL #579]
+
+5042.	[test]		Make the chained delegations in reclimit behave
+			like they would in a regular name server. [GL #578]
+
+5041.	[test]		The chain test contains a incomplete delegation.
+			[GL #568]
+
+5040.	[func]		Extended dnstap so that it can log UPDATE requests
+			and responses as separate message types. Thanks
+			to Greg Rabil. [GL #570]
+
+5039.	[bug]		Named could fail to preserve owner name case of new
+			RRset. [GL #420]
+
+5038.	[bug]		Chaosnet addresses were compared incorrectly.
+			[GL #562]
+
+5037.	[func]		"allow-recursion-on" and "allow-query-cache-on"
+			each now default to the other if only one of them
+			is set, in order to be more consistent with the way
+			"allow-recursion" and "allow-query-cache" work.
+			Also we now ensure that both query-cache ACLs are
+			checked when determining cache access. [GL #319]
+
+5036.	[cleanup]	Fixed a spacing/formatting error in some RPZ-related
+			error messages in the log. [GL !805]
+
+5035.	[test]		Fixed errors that prevented the DNSRPS subtests
+			from running in the rpz and rpzrecurse system
+			tests. [GL #503]
+
+5034.	[bug]		A race between threads could prevent zone maintenance
+			scheduled immediately after zone load from being
+			performed. [GL #542]
+
+5033.	[bug]		When adding NTAs to multiple views using "rndc nta",
+			the text returned via rndc was incorrectly terminated
+			after the first line, making it look as if only one
+			NTA had been added. Also, it was not possible to
+			differentiate between views with the same name but
+			different classes; this has been corrected with the
+			addition of a "-class" option. [GL #105]
+
+5032.	[func]		Add krb5-selfsub and ms-selfsub update policy rules.
+			[GL #511]
+
+5031.	[cleanup]	Various defines in platform.h has been either dropped
+			if always or never triggered on supported platforms
+			or replaced with config.h equivalents if the defines
+			didn't have any impact on public headers.  Workarounds
+			for LinuxThreads have been removed because NPTL is
+			available since Linux kernel 2.6.0.  [GL #525]
+
+5030.	[bug]		Align CMSG buffers to a 64-bit boundary, fixes crash
+			on architectures with strict alignment. [GL #521]
+
+	--- 9.13.3 released ---
+
+5029.	[func]		Workarounds for servers that misbehave when queried
+			with EDNS have been removed, because these broken
+			servers and the workarounds for their noncompliance
+			cause unnecessary delays, increase code complexity,
+			and prevent deployment of new DNS features. See
+			https://dnsflagday.net for further details. [GL #150]
+
+5028.	[bug]		Spread the initial RRSIG expiration times over the
+			entire working sig-validity-interval when signing a
+			zone in named to even out re-signing and transfer
+			loads. [GL #418]
+
+5027.	[func]		Set SO_SNDBUF size on sockets. [GL #74]
+
+5026.	[bug]		rndc reconfig should not touch already loaded zones.
+			[GL #276]
+
+5025.	[cleanup]	Remove isc_keyboard family of functions. [GL #178]
+
+5024.	[func]		Replace custom assembly for atomic operations with
+			atomic support from the compiler. The code will now use
+			C11 stdatomic, or __atomic, or __sync builtins with GCC
+			or Clang compilers, and Interlocked functions with MSVC.
+			[GL #10]
+
+5023.	[cleanup]	Remove wrappers that try to fix broken or incomplete
+			implementations of IPv6, pthreads and other core
+			functionality required and used by BIND. [GL #192]
+
+5022.	[doc]		Update ms-self, ms-subdomain, krb5-self, and
+			krb5-subdomain documentation. [GL !708]
+
+5021.	[bug]		dig returned a non-zero exit code when it received a
+			reply over TCP after a retry. [GL #487]
+
+5020.	[func]		RNG uses thread-local storage instead of locks, if
+			supported by platform. [GL #496]
+
+5019.	[cleanup]	A message is now logged when ixfr-from-differences is
+			set at zone level for an inline-signed zone. [GL #470]
+
+5018.	[bug]		Fix incorrect sizeof arguments in lib/isc/pk11.c.
+			[GL !588]
+
+5017.	[bug]		lib/isc/pk11.c failed to unlink the session before
+			releasing the lock which is unsafe. [GL !589]
+
+5016.	[bug]		Named could assert with overlapping filter-aaaa and
+			dns64 acls. [GL #445]
+
+5015.	[bug]		Reloading all zones caused zone maintenance to cease
+			for inline-signed zones. [GL #435]
+
+5014.	[bug]		Signatures loaded from the journal for the signed
+			version of an inline-signed zone were not scheduled for
+			refresh. [GL #482]
+
+5013.	[bug]		A referral response with a non-empty ANSWER section was
+			inadvertently being treated as an error. [GL #390]
+
+5012.	[bug]		Fix lock order reversal in pk11_initialize. [GL !590]
+
+5011.	[func]		Remove support for unthreaded named. [GL #478]
+
+5010.	[func]		New "validate-except" option specifies a list of
+			domains beneath which DNSSEC validation should not
+			be performed. [GL #237]
+
+5009.	[bug]		Upon an OpenSSL failure, the first error in the OpenSSL
+			error queue was not logged. [GL #476]
+
+5008.	[bug]		"rndc signing -nsec3param ..." requests were silently
+			ignored for zones which were not yet loaded or
+			transferred. [GL #468]
+
+5007.	[cleanup]	Replace custom ISC boolean and integer data types
+			with C99 stdint.h and stdbool.h types. [GL #9]
+
+5006.	[cleanup]	Code preparing a delegation response was extracted from
+			query_delegation() and query_zone_delegation() into a
+			separate function in order to decrease code
+			duplication. [GL #431]
+
+5005.	[bug]		dnssec-verify, and dnssec-signzone at the verification
+			step, failed on some validly signed zones. [GL #442]
+
+5004.	[bug]		'rndc reconfig' could cause inline zones to stop
+			re-signing. [GL #439]
+
+5003.	[bug]		dns_acl_isinsecure did not handle geoip elements.
+			[GL #406]
+
+5002.	[bug]		mdig: Handle malformed +ednsopt option, support 100
+			+ednsopt options per query rather than 100 total and
+			address memory leaks if +ednsopt was specified.
+			[GL #410]
+
+5001.	[bug]		Fix refcount errors on error paths. [GL !563]
+
+5000.	[bug]		named_server_servestale() could leave the server in
+			exclusive mode if an error occurred. [GL #441]
+
+4999.	[cleanup]	Remove custom printf implementation in lib/isc/print.c.
+			[GL #261]
+
+4998.	[test]		Make resolver and cacheclean tests more civilized.
+
+4997.	[security]	named could crash during recursive processing
+			of DNAME records when "deny-answer-aliases" was
+			in use. (CVE-2018-5740) [GL #387]
+
+4996.	[bug]		dig: Handle malformed +ednsopt option. [GL #403]
+
+4995.	[test]		Add tests for "tcp-self" update policy. [GL !282]
+
+4994.	[bug]		Trust anchor telemetry queries were not being sent
+			upstream for locally served zones. [GL #392]
+
+4993.	[cleanup]	Remove support for silently ignoring 'no-change' deltas
+			from BIND 8 when processing an IXFR stream. 'no-change'
+			deltas will now trigger a fallback to AXFR as the
+			recovery mechanism. [GL #369]
+
+4992.	[bug]		The wrong address was being logged for trust anchor
+			telemetry queries. [GL #379]
+
+4991.	[bug]		"rndc reconfig" was incorrectly handling zones whose
+			"mirror" setting was changed. [GL #381]
+
+4990.	[bug]		Prevent a possible NULL reference in pkcs11-keygen.
+			[GL #401]
+
+4989.	[cleanup]	IDN support in dig has been reworked.  IDNA2003
+			fallbacks were removed in the process. [GL #384]
+
+4988.	[bug]		Don't synthesize NXDOMAIN from NSEC for records under
+			a DNAME.
+
+	--- 9.13.2 released ---
+
+4987.	[cleanup]	dns_rdataslab_tordataset() and its related
+			dns_rdatasetmethods_t callbacks were removed as they
+			were not being used by anything in BIND. [GL #371]
+
+4986.	[func]		When built on Linux, BIND now requires the libcap
+			library to set process privileges, unless capability
+			support is explicitly overridden with "configure
+			--disable-linux-caps". [GL #321]
+
+4985.	[func]		Add a new slave zone option, "mirror", to enable
+			serving a non-authoritative copy of a zone that
+			is subject to DNSSEC validation before being
+			used.  For now, this option is only meant to
+			facilitate deployment of an RFC 7706-style local
+			copy of the root zone. [GL #33]
+
+4984.	[bug]		Improve handling of very large incremental
+			zone transfers to prevent journal corruption. [GL #339]
+
+4983.	[func]		Add the ability to not return a DNS COOKIE option
+			when one is present in the request (answer-cookie no;).
+			[GL #173]
+
+4982.	[cleanup]	Return FORMERR if the question section is empty
+			and no COOKIE option is present; this restores
+			older behavior except in the newly specified
+			COOKIE case. [GL #260]
+
+4981.	[bug]		Fix race in cmsg buffer usage in socket code.
+			[GL #180]
+
+4980.	[bug]		Named-checkconf failed to detect bad in-view targets.
+			[GL #288]
+
+4979.	[placeholder]
+
+4978.	[test]		Fix error handling and resolver configuration in the
+			"rpz" system test. [GL #312]
+
+4977.	[func]		When starting up, log the same details that
+			would be reported by 'named -V'. [GL #247]
+
+4976.	[bug]		Log the label with invalid prefix length correctly
+			when loading RPZ zones. [GL #254]
+
+4975.	[bug]		The server cookie computation for sha1 and sha256 did
+			not match the method described in RFC 7873. [GL #356]
+
+4974.	[bug]		Restore default rrset-order to random. [GL #336]
+
+4973.	[func]		verifyzone() and the functions it uses were moved to
+			libdns and refactored to prevent exit() from being
+			called upon failure.  A side effect of that is that
+			dnssec-signzone and dnssec-verify now check for memory
+			leaks upon shutdown. [GL #266]
+
+4972.	[func]		Declare the 'rdata' argument for dns_rdata_tostruct()
+			to be const. [GL #341]
+
+4971.	[bug]		dnssec-signzone and dnssec-verify did not treat records
+			below a DNAME as out-of-zone data. [GL #298]
+
+4970.	[func]		Add QNAME minimization option to resolver. [GL #16]
+
+4969.	[cleanup]	Refactor zone logging functions. [GL #269]
+
+	--- 9.13.1 released ---
+
+4968.	[bug]		If glue records are signed, attempt to validate them.
+			[GL #209]
+
+4967.	[cleanup]	Add "answer-cookie" to the parser, marked obsolete.
+
+4966.	[placeholder]
+
+4965.	[func]		Add support for marking options as deprecated.
+			[GL #322]
+
+4964.	[bug]		Reduce the probability of double signature when deleting
+			a DNSKEY by checking if the node is otherwise signed
+			by the algorithm of the key to be deleted. [GL #240]
+
+4963.	[test]		ifconfig.sh now uses "ip" instead of "ifconfig",
+			if available, to configure the test interfaces on
+			linux.  [GL #302]
+
+4962.	[cleanup]	Move 'named -T' processing to its own function.
+			[GL #316]
+
+4961.	[protocol]	Remove support for ECC-GOST (GOST R 34.11-94).
+			[GL #295]
+
+4960.	[security]	When recursion is enabled, but the "allow-recursion"
+			and "allow-query-cache" ACLs are not specified,
+			they should be limited to local networks,
+			but were inadvertently set to match the default
+			"allow-query", thus allowing remote queries.
+			(CVE-2018-5738) [GL #309]
+
+4959.	[func]		NSID logging (enabled by the "request-nsid" option)
+			now has its own "nsid" category, instead of using the
+			"resolver" category. [GL !332]
+
+4958.	[bug]		Remove redundant space from NSEC3 record. [GL #281]
+
+4957.	[func]		The default setting for "dnssec-validation" is now
+			"auto", which activates DNSSEC validation using the
+			IANA root key. (The default can be changed back to
+			"yes", which activates DNSSEC validation only when keys
+			are explicitly configured in named.conf, by building
+			BIND with "configure --disable-auto-validation".)
+			[GL #30]
+
+4956.	[func]		Change isc_random() to be just PRNG using xoshiro128**,
+			and add isc_nonce_buf() that uses CSPRNG. [GL #289]
+
+4955.	[cleanup]	Silence cppcheck warnings in lib/dns/master.c.
+			[GL #286]
+
+4954.	[func]		Messages about serving of stale answers are now
+			directed to the "serve-stale" logging category.
+			Also clarified serve-stale documentation. [GL !323]
+
+4953.	[bug]		Removed the option to build the red black tree
+			database without a hash table; the non-hashing
+			version was buggy and is not needed. [GL #184]
+
+4952.	[func]		Authoritative server support in named for the
+			EDNS CLIENT-SUBNET option (which was experimental
+			and not practical to deploy) has been removed.
+
+			The ECS option is still supported in dig and mdig
+			via the +subnet option, and can be parsed and logged
+			when received by named, but it is no longer used
+			for ACL processing. The "geoip-use-ecs" option
+			is now obsolete; a warning will be logged if it is
+			used in named.conf. "ecs" tags in an ACL definition
+			are also obsolete and will cause the configuration
+			to fail to load.  [GL #32]
+
+4951.	[protocol]	Add "HOME.ARPA" to list of built in empty zones as
+			per RFC 8375. [GL #273]
+
+	--- 9.13.0 released ---
+
+4950.	[bug]		ISC_SOCKEVENTATTR_TRUNC was not be set. [GL #238]
+
+4949.	[placeholder]
+
+4948.	[bug]		When request-nsid is turned on, EDNS NSID options
+			should be logged at level info. Since change 3741
+			they have been logged at debug(3) by mistake.
+			[GL !290]
+
+4947.	[func]		Replace all random functions with isc_random(),
+			isc_random_buf() and isc_random_uniform() API.
+			[GL #221]
+
+4946.	[bug]		Additional glue was not being returned by resolver
+			for unsigned zones since change 4596. [GL #209]
+
+4945.	[func]		BIND can no longer be built without DNSSEC support.
+			A cryptography provider (i.e., OpenSSL or a hardware
+			service module with PKCS#11 support) must be
+			available. [GL #244]
+
+4944.	[cleanup]	Silence cppcheck portability warnings in
+			lib/isc/tests/buffer_test.c. [GL #239]
+
+4943.	[bug]		Change 4687 consumed too much memory when running
+			system tests with --with-tuning=large.  Reduced the
+			hash table size to 512 entries for 'named -m record'
+			restoring the previous memory footprint. [GL #248]
+
+4942.	[cleanup]	Consolidate multiple instances of splitting of
+			batchline in dig into a single function. [GL #196]
+
+4941.	[cleanup]	Silence clang static analyzer warnings. [GL #196]
+
+4940.	[cleanup]	Extract the loop in dns__zone_updatesigs() into
+			separate functions to improve code readability.
+			[GL #135]
+
+4939.	[test]		Add basic unit tests for update_sigs(). [GL #135]
+
+4938.	[placeholder]
+
+4937.	[func]		Remove support for OpenSSL < 1.0.0 [GL #191]
+
+4936.	[func]		Always use OpenSSL or PKCS#11 random data providers,
+			and remove the --{enable,disable}-crypto-rand configure
+			options. [GL #165]
+
+4935.	[func]		Add support for LibreSSL >= 2.7.0 (some OpenSSL 1.1.0
+			call were added). [GL #191]
+
+4934.	[security]	The serve-stale feature could cause an assertion failure
+			in rbtdb.c even when stale-answer-enable was false.
+			Simultaneous use of stale cache records and NSEC
+			aggressive negative caching could trigger a recursion
+			loop. (CVE-2018-5737) [GL #185]
+
+4933.	[bug]		Not creating signing keys for an inline signed zone
+			prevented changes applied to the raw zone from being
+			reflected in the secure zone until signing keys were
+			made available. [GL #159]
+
+4932.	[bug]		Bumped signed serial of an inline signed zone was
+			logged even when an error occurred while updating
+			signatures. [GL #159]
+
+4931.	[func]		Removed the "rbtdb64" database implementation.
+			[GL #217]
+
+4930.	[bug]		Remove a bogus check in nslookup command line
+			argument processing. [GL #206]
+
+4929.	[func]		Add the ability to set RA and TC in queries made by
+			dig (+[no]raflag, +[no]tcflag). [GL #213]
+
+4928.	[func]		The "dnskey-sig-validity" option allows
+			"sig-validity-interval" to be overridden for signatures
+			covering DNSKEY RRsets. [GL #145]
+
+4927.	[placeholder]
+
+4926.	[func]		Add root key sentinel support.  To disable, add
+			'root-key-sentinel no;' to named.conf. [GL #37]
+
+4925.	[func]		Several configuration options that define intervals
+			can now take TTL value suffixes (for example, 2h or 1d)
+			in addition to integer parameters. These include
+			max-cache-ttl, max-ncache-ttl, max-policy-ttl,
+			fstrm-set-reopen-interval, interface-interval, and
+			min-update-interval. [GL #203]
+
+4924.	[cleanup]	Clean up the isc_string_* namespace and leave
+			only strlcpy and strlcat. [GL #178]
+
+4923.	[cleanup]	Refactor socket and socket event options into
+			enum types. [GL !135]
+
+4922.	[bug]		dnstap: Log the destination address of client
+			packets rather than the interface address.
+			[GL #197]
+
+4921.	[cleanup]	Add dns_fixedname_initname() and refactor the caller
+			code to make usage of the new function, as a part of
+			refactoring dns_fixedname_*() macros were turned into
+			functions. [GL #183]
+
+4920.	[cleanup]	Clean up libdns removing most of the backwards
+			compatibility wrappers.
+
+4919.	[cleanup]	Clean up the isc_hash_* namespace and leave only
+			the FNV-1a hash implementation. [GL #178]
+
+4918.	[bug]		Fix double free after keygen error in dnssec-keygen
+			when OpenSSL >= 1.1.0 is used and RSA_generate_key_ex
+			fails. [GL #109]
+
+4917.	[func]		Support 64 RPZ policy zones by default. [GL #123]
+
+4916.	[func]		Remove IDNA2003 support and the bundled idnkit-1.0
+			library.
+
+4915.	[func]		Implement IDNA2008 support in dig by adding support
+			for libidn2.  New dig option +idnin has been added,
+			which allows to process invalid domain names much
+			like dig without IDN support.  libidn2 version 2.0
+			or higher is needed for +idnout enabled by default.
+
+4914.	[security]	A bug in zone database reference counting could lead to
+			a crash when multiple versions of a slave zone were
+			transferred from a master in close succession.
+			(CVE-2018-5736) [GL #134]
+
+4913.	[test]		Re-implemented older unit tests in bin/tests as ATF,
+			removed the lib/tests unit testing library. [GL #115]
+
+4912.	[test]		Improved the reliability of the 'cds' system test.
+			[GL #136]
+
+4911.	[test]		Improved the reliability of the 'mkeys' system test.
+			[GL #128]
+
+4910.	[func]		Update util/check-changes to work on release branches.
+			[GL #113]
+
+4909.	[bug]		named-checkconf did not detect in-view zone collisions.
+			[GL #125]
+
+4908.	[test]		Eliminated unnecessary waiting in the allow_query
+			system test. Also changed its name to allow-query.
+			[GL #81]
+
+4907.	[test]		Improved the reliability of the 'notify' system
+			test. [GL #59]
+
+4906.	[func]		Replace getquad() with inet_pton(), completing
+			change #4900. [GL #56]
+
+4905.	[bug]		irs_resconf_load() ignored resolv.conf syntax errors
+			when "domain" or "search" options were present in that
+			file. [GL #110]
+
+4904.	[bug]		Temporarily revert change #4859. [GL #124]
+
+4903.	[bug]		"check-mx fail;" did not prevent MX records containing
+			IP addresses from being added to a zone by a dynamic
+			update. [GL #112]
+
+4902.	[test]		Improved the reliability of the 'ixfr' system
+			test. [GL #66]
+
+4901.	[func]		"dig +nssearch" now lists the name servers
+			for a domain that time out, as well as the servers
+			that respond. [GL #64]
+
+4900.	[func]		Remove all uses of inet_aton().  As a result of this
+			change, IPv4 addresses are now only accepted in
+			dotted-quad format. [GL #13]
+
+4899.	[test]		Convert most of the remaining system tests to be able
+			to run in parallel, continuing the work from change
+			#4895. To take advantage of this, use "make -jN check",
+			where N is the number of processors to use. [GL #91]
+
+4898.	[func]		Remove libseccomp based system-call filtering. [GL #93]
+
+4897.	[test]		Update to rpz system test so that it doesn't recurse.
+			[GL #68]
+
+4896.	[test]		cacheclean system test was not robust. [GL #82]
+
+4895.	[test]		Allow some system tests to run in parallel.
+			[RT #46602]
+
+4894.	[bug]		named could crash while rolling a dnstap output file.
+			[RT #46942]
+
+4893.	[bug]		Address various issues reported by cppcheck. [GL #51]
+
+4892.	[bug]		named could leak memory when "rndc reload" was invoked
+			before all zone loading actions triggered by a previous
+			"rndc reload" command were completed. [RT #47076]
+
+4891.	[placeholder]
+
+4890.	[func]		Remove unused ondestroy callback from libisc.
+			[isc-projects/bind9!3]
+
+4889.	[func]		Warn about the use of old root keys without the new
+			root key being present.  Warn about dlv.isc.org's
+			key being present. Warn about both managed and
+			trusted root keys being present. [RT #43670]
+
+4888.	[test]		Initialize sockets correctly in sample-update so
+			that the nsupdate system test will run on Windows.
+			[RT #47097]
+
+4887.	[test]		Enable the rpzrecurse test to run on Windows.
+			[RT #47093]
+
+4886.	[doc]		Document dig -u in manpage. [RT #47150]
+
+4885.	[security]	update-policy rules that otherwise ignore the name
+			field now require that it be set to "." to ensure
+			that any type list present is properly interpreted.
+			[RT #47126]
+
+4884.	[bug]		named could crash on shutdown due to a race between
+			shutdown_server() and ns__client_request(). [RT #47120]
+
+4883.	[cleanup]	Improved debugging output from dnssec-cds. [RT #47026]
+
+4882.	[bug]		Address potential memory leak in
+			dns_update_signaturesinc. [RT #47084]
+
+4881.	[bug]		Only include dst_openssl.h when OpenSSL is required.
+			[RT #47068]
+
+4880.	[bug]		Named wasn't returning the target of a cross-zone
+			CNAME between two served zones when recursion was
+			desired and available (RD=1, RA=1). (When this is
+			not the case, the CNAME target is deliberately
+			withheld to prevent accidental cache poisoning.)
+			[RT #47078]
+
+4879.	[bug]		dns_rdata_caa:value_len field was too small.
+			[RT #47086]
+
+4878.	[bug]		List 'ply' as a requirement for the 'isc' python
+			package. [RT #47065]
+
+4877.	[bug]		Address integer overflow when exponentially
+			backing off retry intervals. [RT #47041]
+
+4876.	[bug]		Address deadlock with accessing a keytable. [RT #47000]
+
+4875.	[bug]		Address compile failures on older systems. [RT #47015]
+
+4874.	[bug]		Wrong time display when reporting new keywarntime.
+			[RT #47042]
+
+4873.	[doc]		Grammars for named.conf included in the ARM are now
+			automatically generated by the configuration parser
+			itself.  As a side effect of the work needed to
+			separate zone type grammars from each other, this
+			also makes checking of zone statements in
+			named-checkconf more correct and consistent.
+			[RT #36957]
+
+4872.	[bug]		Don't permit loading meta RR types such as TKEY
+			from master files. [RT #47009]
+
+4871.	[bug]		Fix configure glitch in detecting stdatomic.h
+			support on systems with multiple compilers.
+			[RT #46959]
+
+4870.	[test]		Update included ATF library to atf-0.21 preserving
+			the ATF tool. [RT #46967]
+
+4869.	[bug]		Address some cases where NULL with zero length could
+			be passed to memmove which is undefined behavior and
+			can lead to bad optimization. [RT #46888]
+
+4868.	[func]		dnssec-keygen can no longer generate HMAC keys.
+			Use tsig-keygen instead. [RT #46404]
+
+4867.	[cleanup]	Normalize rndc on/off commands (validation,
+			querylog, serve-stale) so they all accept the
+			same synonyms for on/off (yes/no, true/false,
+			enable/disable). Thanks to Tony Finch. [RT #47022]
+
+4866.	[port]		DST library initialization verifies MD5 (when MD5
+			was not disabled) and SHA-1 hash and HMAC support.
+			[RT #46764]
+
+4865.	[cleanup]	Simplify handling isc_socket_sendto2() return values.
+			[RT #46986]
+
+4864.	[bug]		named acting as a slave for a catalog zone crashed if
+			the latter contained a master definition without an IP
+			address. [RT #45999]
+
+4863.	[bug]		Fix various other bugs reported by Valgrind's
+			memcheck tool. [RT #46978]
+
+4862.	[bug]		The rdata flags for RRSIG were not being properly set
+			when constructing a rdataslab. [RT #46978]
+
+4861.	[bug]		The isc_crc64 unit test was not endian independent.
+			[RT #46973]
+
+4860.	[bug]		isc_int8_t should be signed char.  [RT #46973]
+
+4859.	[bug]		A loop was possible when attempting to validate
+			unsigned CNAME responses from secure zones;
+			this caused a delay in returning SERVFAIL and
+			also increased the chances of encountering
+			CVE-2017-3145. [RT #46839]
+
+4858.	[security]	Addresses could be referenced after being freed
+			in resolver.c, causing an assertion failure.
+			(CVE-2017-3145) [RT #46839]
+
+4857.	[bug]		Maintain attach/detach semantics for event->db,
+			event->node, event->rdataset and event->sigrdataset
+			in query.c. [RT #46891]
+
+4856.	[bug]		'rndc zonestatus' reported the wrong underlying type
+			for a inline slave zone. [RT #46875]
+
+4855.	[bug]		isc_time_formatshorttimestamp produced incorrect
+			output. [RT #46938]
+
+4854.	[bug]		query_synthcnamewildcard should stop generating the
+			response if query_synthwildcard fails. [RT #46939]
+
+4853.	[bug]		Add REQUIRE's and INSIST's to isc_time_formatISO8601L
+			and isc_time_formatISO8601Lms. [RT #46916]
+
+4852.	[bug]		Handle strftime() failing in isc_time_formatISO8601ms.
+			Add REQUIRE's and INSIST's to isc_time_formattimestamp,
+			isc_time_formathttptimestamp, isc_time_formatISO8601,
+			isc_time_formatISO8601ms. [RT #46892]
+
+4851.	[port]		Support using kyua as well as atf-run to run the unit
+			tests. [RT #46853]
+
+4850.	[bug]		Named failed to restart with multiple added zones in
+			lmdb database. [RT #46889]
+
+4849.	[bug]		Duplicate zones could appear in the .nzf file if
+			addzone failed. [RT #46435]
+
+4848.	[func]		Zone types "primary" and "secondary" can now be used
+			as synonyms for "master" and "slave" in named.conf.
+			[RT #46713]
+
+4847.	[bug]		dnssec-dnskey-kskonly was not being honored for
+			CDS and CDNSKEY. [RT #46755]
+
+4846.	[test]		Adjust timing values in runtime system test. Address
+			named.pid removal races in runtime system test.
+			[RT #46800]
+
+4845.	[bug]		Dig (non iOS) should exit on malformed names.
+			[RT #46806]
+
+4844.	[test]		Address memory leaks in libatf-c. [RT #46798]
+
+4843.	[bug]		dnssec-signzone free hashlist on exit. [RT #46791]
+
+4842.	[bug]		Conditionally compile opensslecdsa_link.c to avoid
+			warnings about unused function. [RT #46790]
+
+	--- 9.12.0rc1 released ---
+
+4841.	[bug]		Address -fsanitize=undefined warnings. [RT #46786]
+
+4840.	[test]		Add tests to cover fallback to using ZSK on inactive
+			KSK. [RT #46787]
+
+4839.	[bug]		zone.c:zone_sign was not properly determining
+			if there were active KSK and ZSK keys for
+			a algorithm when update-check-ksk is true
+			(default) leaving records unsigned with one or
+			more DNSKEY algorithms. [RT #46774]
+
+4838.	[bug]		zone.c:add_sigs was not properly determining
+			if there were active KSK and ZSK keys for
+			a algorithm when update-check-ksk is true
+			(default) leaving records unsigned with one or
+			more DNSKEY algorithms. [RT #46754]
+
+4837.	[bug]		dns_update_signatures{inc} (add_sigs) was not
+			properly determining if there were active KSK and
+			ZSK keys for a algorithm when update-check-ksk is
+			true (default) leaving records unsigned when there
+			were multiple DNSKEY algorithms for the zone.
+			[RT #46743]
+
+4836.	[bug]		Zones created using "rndc addzone" could
+			temporarily fail to inherit an "allow-transfer"
+			ACL that had been configured in the options
+			statement. [RT #46603]
+
+4835.	[cleanup]	Clean up and refactor LMDB-related code. [RT #46718]
+
+4834.	[port]		Fix LMDB support on OpenBSD. [RT #46718]
+
+4833.	[bug]		isc_event_free should check that the event is not
+			linked when called. [RT #46725]
+
+4832.	[bug]		Events were not being removed from zone->rss_events.
+			[RT #46725]
+
+4831.	[bug]		Convert the RRSIG expirytime to 64 bits for
+			comparisons in diff.c:resign. [RT #46710]
+
+4830.	[bug]		Failure to configure ATF when requested did not cause
+			an error in top-level configure script. [RT #46655]
+
+4829.	[bug]		isc_heap_delete did not zero the index value when
+			the heap was created with a callback to do that.
+			[RT #46709]
+
+4828.	[bug]		Do not use thread-local storage for storing LMDB reader
+			locktable slots. [RT #46556]
+
+4827.	[misc]		Add a precommit check script util/checklibs.sh
+			[RT #46215]
+
+4826.	[cleanup]	Prevent potential build failures in bin/confgen/ and
+			bin/named/ when using parallel make. [RT #46648]
+
+4825.	[bug]		Prevent a bogus "error during managed-keys processing
+			(no more)" warning from being logged. [RT #46645]
+
+4824.	[port]		Add iOS hooks to dig. [RT #42011]
+
+4823.	[test]		Refactor reclimit system test to improve its
+			reliability and speed. [RT #46632]
+
+4822.	[bug]		Use resign_sooner in dns_db_setsigningtime. [RT #46473]
+
+4821.	[bug]		When resigning ensure that the SOA's expire time is
+			always later that the resigning time of other records.
+			[RT #46473]
+
+4820.	[bug]		dns_db_subtractrdataset should transfer the resigning
+			information to the new header. [RT #46473]
+
+4819.	[bug]		Fully backout the transaction when adding a RRset
+			to the resigning / removal heaps fails. [RT #46473]
+
+4818.	[test]		The logfileconfig system test could intermittently
+			report false negatives on some platforms. [RT #46615]
+
+4817.	[cleanup]	Use DNS_NAME_INITABSOLUTE and DNS_NAME_INITNONABSOLUTE.
+			[RT #45433]
+
+4816.	[bug]		Don't use a common array for storing EDNS options
+			in DiG as it could fill up. [RT #45611]
+
+4815.	[bug]		rbt_test.c:insert_and_delete needed to call
+			dns_rbt_addnode instead of dns_rbt_addname. [RT #46553]
+
+4814.	[cleanup]	Use AS_HELP_STRING for consistent help text. [RT #46521]
+
+4813.	[bug]		Address potential read after free errors from
+			query_synthnodata, query_synthwildcard and
+			query_synthnxdomain. [RT #46547]
+
+4812.	[bug]		Minor improvements to stability and consistency of code
+			handling managed keys. [RT #46468]
+
+4811.	[bug]		Revert api changes to use <isc/buffer.h> inline
+			macros.  Provide a alternative mechanism to turn
+			on the use of inline macros when building BIND.
+			[RT #46520]
+
+4810.	[test]		The chain system test failed if the IPv6 interfaces
+			were not configured. [RT #46508]
+
+	--- 9.12.0b2 released ---
+
+4809.	[port]		Check at configure time whether -latomic is needed
+			for stdatomic.h. [RT #46324]
+
+4808.	[bug]		Properly test for zlib.h. [RT #46504]
+
+4807.	[cleanup]	isc_rng_randombytes() returns a specified number of
+			bytes from the PRNG; this is now used instead of
+			calling isc_rng_random() multiple times. [RT #46230]
+
+4806.	[func]		Log messages related to loading of zones are now
+			directed to the "zoneload" logging category.
+			[RT #41640]
+
+4805.	[bug]		TCP4Active and TCP6Active weren't being updated
+			correctly. [RT #46454]
+
+4804.	[port]		win32: access() does not work on directories as
+			required by POSIX.  Supply a alternative in
+			isc_file_isdirwritable. [RT #46394]
+
+4803.	[placeholder]
+
+4802.	[test]		Refactor mkeys system test to make it quicker and more
+			reliable. [RT #45293]
+
+4801.	[func]		'dnssec-lookaside auto;' and 'dnssec-lookaside .
+			trust-anchor dlv.isc.org;' now elicit warnings rather
+			than being fatal configuration errors. [RT #46410]
+
+4800.	[bug]		When processing delzone, write one zone config per
+			line to the NZF. [RT #46323]
+
+4799.	[cleanup]	Improve clarity of keytable unit tests. [RT #46407]
+
+4798.	[func]		Keys specified in "managed-keys" statements
+			are tagged as "initializing" until they have been
+			updated by a key refresh query. If initialization
+			fails it will be visible from "rndc secroots".
+			[RT #46267]
+
+4797.	[func]		Removed "isc-hmac-fixup", as the versions of BIND that
+			had the bug it worked around are long past end of
+			life. [RT #46411]
+
+4796.	[bug]		Increase the maximum configurable TCP keepalive
+			timeout to 65535. [RT #44710]
+
+4795.	[func]		A new statistics counter has been added to track
+			priming queries. [RT #46313]
+
+4794.	[func]		"dnssec-checkds -s" specifies a file from which
+			to read a DS set rather than querying the parent.
+			[RT #44667]
+
+4793.	[bug]		nsupdate -[46] could overflow the array of server
+			addresses. [RT #46402]
+
+4792.	[bug]		Fix map file header correctness check. [RT #38418]
+
+4791.	[doc]		Fixed outdated documentation about export libraries.
+			[RT #46341]
+
+4790.	[bug]		nsupdate could trigger a require when sending a
+			update to the second address of the server.
+			[RT #45731]
+
+4789.	[cleanup]	Check writability of new-zones-directory. [RT #46308]
+
+4788.	[cleanup]	When using "update-policy local", log a warning
+			when an update matching the session key is received
+			from a remote host. [RT #46213]
+
+4787.	[cleanup]	Turn nsec3param_salt_totext() into a public function,
+			dns_nsec3param_salttotext(), and add unit tests for it.
+			[RT #46289]
+
+4786.	[func]		The "filter-aaaa-on-v4" and "filter-aaaa-on-v6"
+			options are no longer conditionally compiled.
+			[RT #46340]
+
+4785.	[func]		The hmac-md5 algorithm is no longer recommended for
+			use with RNDC keys.  The default in rndc-confgen
+			is now hmac-sha256. [RT #42272]
+
+4784.	[func]		The use of dnssec-keygen to generate HMAC keys is
+			deprecated in favor of tsig-keygen.  dnssec-keygen
+			will print a warning when used for this purpose.
+			All HMAC algorithms will be removed from
+			dnssec-keygen in a future release. [RT #42272]
+
+4783.	[test]		dnssec: 'check that NOTIFY is sent at the end of
+			NSEC3 chain generation failed' required more time
+			on some machines for the IXFR to complete. [RT #46388]
+
+4782.	[test]		dnssec: 'checking positive and negative validation
+			with negative trust anchors' required more time to
+			complete on some machines. [RT #46386]
+
+4781.	[maint]		B.ROOT-SERVERS.NET is now 199.9.14.201. [RT #45889]
+
+4780.	[bug]		When answering ANY queries, don't include the NS
+			RRset in the authority section if it was already
+			in the answer section. [RT #44543]
+
+4779.	[bug]		Expire NTA at the start of the second. Don't update
+			the expiry value if the record has already expired
+			after a successful check. [RT #46368]
+
+4778.	[test]		Improve synth-from-dnssec testing. [RT #46352]
+
+4777.	[cleanup]	Removed a redundant call to configure_view_acl().
+			[RT #46369]
+
+4776.	[bug]		Improve portability of ht_test. [RT #46333]
+
+4775.	[bug]		Address Coverity warnings in ht_test.c and mem_test.c
+			[RT #46281]
+
+4774.	[bug]		<isc/util.h> was incorrectly included in several
+			header files. [RT #46311]
+
+4773.	[doc]		Fixed generating Doxygen documentation for functions
+			annotated using certain macros.  Miscellaneous
+			Doxygen-related cleanups. [RT #46276]
+
+	--- 9.12.0b1 released ---
+
+4772.	[test]		Expanded unit testing framework for libns, using
+			hooks to interrupt query flow and inspect state
+			at specified locations. [RT #46173]
+
+4771.	[bug]		When sending RFC 5011 refresh queries, disregard
+			cached DNSKEY rrsets. [RT #46251]
+
+4770.	[bug]		Cache additional data from priming queries as glue.
+			Previously they were ignored as unsigned
+			non-answer data from a secure zone, and never
+			actually got added to the cache, causing hints
+			to be used frequently for root-server
+			addresses, which triggered re-priming. [RT #45241]
+
+4769.	[func]		The working directory and managed-keys directory has
+			to be writeable (and seekable). [RT #46077]
+
+4768.	[func]		By default, memory is no longer filled with tag values
+			when it is allocated or freed; this improves
+			performance but makes debugging of certain memory
+			issues more difficult. "named -M fill" turns memory
+			filling back on. (Building "configure
+			--enable-developer", turns memory fill on by
+			default again; it can then be disabled with
+			"named -M nofill".) [RT #45123]
+
+4767.	[func]		Add a new function, isc_buffer_printf(), which can be
+			used to append a formatted string to the used region of
+			a buffer. [RT #46201]
+
+4766.	[cleanup]	Address Coverity warnings. [RT #46150]
+
+4765.	[bug]		Address potential INSIST in dnssec-cds. [RT #46150]
+
+4764.	[bug]		Address portability issues in cds system test.
+			[RT #46214]
+
+4763.	[contrib]	Improve compatibility when building MySQL DLZ
+			module by using mysql_config if available.
+			[RT #45558]
+
+4762.	[func]		"update-policy local" is now restricted to updates
+			from local addresses. (Previously, other addresses
+			were allowed so long as updates were signed by the
+			local session key.) [RT #45492]
+
+4761.	[protocol]	Add support for DOA. [RT #45612]
+
+4760.	[func]		Add glue cache statistics counters. [RT #46028]
+
+4759.	[func]		Add logging channel "trust-anchor-telemetry" to
+			record trust-anchor-telemetry in incoming requests.
+			Both _ta-XXXX.<anchor>/NULL and EDNS KEY-TAG options
+			are logged.  [RT #46124]
+
+4758.	[doc]		Remove documentation of unimplemented "topology".
+			[RT #46161]
+
+4757.	[func]		New "dnssec-cds" command creates a new parent DS
+			RRset based on CDS or CDNSKEY RRsets found in
+			a child zone, and generates either a dsset file
+			or stream of nsupdate commands to update the
+			parent. Thanks to Tony Finch. [RT #46090]
+
+4756.	[bug]		Interrupting dig could lead to an INSIST failure after
+			certain errors were encountered while querying a host
+			whose name resolved to more than one address.  Change
+			4537 increased the odds of triggering this issue by
+			causing dig to hang indefinitely when certain error
+			paths were evaluated.  dig now also retries TCP queries
+			(once) if the server gracefully closes the connection
+			before sending a response. [RT #42832, #45159]
+
+4755.	[cleanup]	Silence unnecessary log message when NZF file doesn't
+			exist. [RT #46186]
+
+4754.	[bug]		dns_zone_setview needs a two stage commit to properly
+			handle errors. [RT #45841]
+
+4753.	[contrib]	Software obtainable from known upstream locations
+			(i.e., zkt, nslint, query-loc) has been removed.
+			Links to these and other packages can be found at
+			https://www.isc.org/community/tools [RT #46182]
+
+4752.	[test]		Add unit test for isc_net_pton. [RT #46171]
+
+4751.	[func]		"dnssec-signzone -S" can now automatically add parent
+			synchronization records (CDS and CDNSKEY) according
+			to key metadata set using the -Psync and -Dsync
+			options to dnssec-keygen and dnssec-settime.
+			[RT #46149]
+
+4750.	[func]		"rndc managed-keys destroy" shuts down RFC 5011 key
+			maintenance and deletes the managed-keys database.
+			If followed by "rndc reconfig" or a server restart,
+			key maintenance is reinitialized from scratch.
+			This is primarily intended for testing. [RT #32456]
+
+4749.	[func]		The ISC DLV service has been shut down, and all
+			DLV records have been removed from dlv.isc.org.
+			- Removed references to ISC DLV in documentation
+			- Removed DLV key from bind.keys
+			- No longer use ISC DLV by default in delv
+			- "dnssec-lookaside auto" and configuration of
+			  "dnssec-lookaide" with dlv.isc.org as the trust
+			  anchor are both now fatal errors.
+			[RT #46155]
+
+4748.	[cleanup]	Sprintf to snprintf coversions. [RT #46132]
+
+4747.	[func]		Synthesis of responses from DNSSEC-verified records.
+			Stage 3 - synthesize NODATA responses. [RT #40138]
+
+4746.	[cleanup]	Add configured prefixes to configure summary
+			output. [RT #46153]
+
+4745.	[test]		Add color-coded pass/fail messages to system
+			tests when running on terminals that support them.
+			[RT #45977]
+
+4744.	[bug]		Suppress trust-anchor-telemetry queries if
+			validation is disabled. [RT #46131]
+
+4743.	[func]		Exclude trust-anchor-telemetry queries from
+			synth-from-dnssec processing. [RT #46123]
+
+4742.	[func]		Synthesis of responses from DNSSEC-verified records.
+			Stage 2 - synthesis of records from wildcard data.
+			If the dns64 or filter-aaaa* is configured then the
+			involved lookups are currently excluded. [RT #40138]
+
+4741.	[bug]		Make isc_refcount_current() atomically read the
+			counter value. [RT #46074]
+
+4740.	[cleanup]	Avoid triggering format-truncated warnings. [RT #46107]
+
+4739.	[cleanup]	Address clang static analysis warnings. [RT #45952]
+
+4738.	[port]		win32: strftime mishandles %Z. [RT #46039]
+
+4737.	[cleanup]	Address Coverity warnings. [RT #46012]
+
+4736.	[cleanup]	(a) Added comments to NSEC3-related functions in
+			lib/dns/zone.c.  (b) Refactored NSEC3 salt formatting
+			code.  (c) Minor tweaks to lock and result handling.
+			[RT #46053]
+
+4735.	[bug]		Add @ISC_OPENSSL_LIBS@ to isc-config. [RT #46078]
+
+4734.	[contrib]	Added sample configuration for DNS-over-TLS in
+			contrib/dnspriv.
+
+4733.	[bug]		Change #4706 introduced a bug causing TCP clients
+			not be reused correctly, leading to unconstrained
+			memory growth. [RT #46029]
+
+4732.	[func]		Change default minimal-responses setting to
+			no-auth-recursive. [RT #46016]
+
+4731.	[bug]		Fix use after free when closing an LMDB. [RT #46000]
+
+4730.	[bug]		Fix out of bounds access in DHCID totext() method.
+			[RT #46001]
+
+4729.	[bug]		Don't use memset() to wipe memory, as it may be
+			removed by compiler optimizations when the
+			memset() occurs on automatic stack allocation
+			just before function return. [RT #45947]
+
+4728.	[func]		Use C11's stdatomic.h instead of isc_atomic
+			where available. [RT #40668]
+
+4727.	[bug]		Retransferring an inline-signed slave using NSEC3
+			around the time its NSEC3 salt was changed could result
+			in an infinite signing loop. [RT #45080]
+
+4726.	[port]		Prevent setsockopt() errors related to TCP_FASTOPEN
+			from being logged on FreeBSD if the kernel does not
+			support it.  Notify the user when the kernel does
+			support TCP_FASTOPEN, but it is disabled by sysctl.
+			Add a new configure option, --disable-tcp-fastopen, to
+			disable use of TCP_FASTOPEN altogether. [RT #44754]
+
+4725.	[bug]		Nsupdate: "recvsoa" was incorrectly reported for
+			failures in sending the update message.  The correct
+			location to be reported is "update_completed".
+			[RT #46014]
+
+4724.	[func]		By default, BIND now uses the random number
+			functions provided by the crypto library (i.e.,
+			OpenSSL or a PKCS#11 provider) as a source of
+			randomness rather than /dev/random.  This is
+			suitable for virtual machine environments
+			which have limited entropy pools and lack
+			hardware random number generators.
+
+			This can be overridden by specifying another
+			entropy source via the "random-device" option
+			in named.conf, or via the -r command line option;
+			however, for functions requiring full cryptographic
+			strength, such as DNSSEC key generation, this
+			cannot be overridden. In particular, the -r
+			command line option no longer has any effect on
+			dnssec-keygen.
+
+			This can be disabled by building with
+			"configure --disable-crypto-rand".
+			[RT #31459] [RT #46047]
+
+4723.	[bug]		Statistics counter DNSTAPdropped was misidentified
+			as DNSSECdropped. [RT #46002]
+
+4722.	[cleanup]	Clean up uses of strcpy() and strcat() in favor of
+			strlcpy() and strlcat() for safety. [RT #45981]
+
+4721.	[func]		'dnssec-signzone -x' and 'dnssec-dnskey-kskonly'
+			options now apply to CDNSKEY and DS records as well
+			as DNSKEY. Thanks to Tony Finch. [RT #45689]
+
+4720.	[func]		Added a statistics counter to track prefetch
+			queries. [RT #45847]
+
+4719.	[bug]		Address PVS static analyzer warnings. [RT #45946]
+
+4718.	[func]		Avoid searching for a owner name compression pointer
+			more than once when writing out a RRset. [RT #45802]
+
+4717.	[bug]		Treat replies with QCOUNT=0 as truncated if TC=1,
+			FORMERR if TC=0, and log the error correctly.
+			[RT #45836]
+
+4716.	[placeholder]
+
+	--- 9.12.0a1 released ---
+
+4715.	[bug]		TreeMemMax was mis-identified as a second HeapMemMax
+			in the Json cache statistics. [RT #45980]
+
+4714.	[port]		openbsd/libressl: add support for building with
+			--enable-openssl-hash. [RT #45982]
+
+4713.	[func]		Added support for the DNS Response Policy Service
+			(DNSRPS) API, which allows named to use an external
+			response policy daemon when built with
+			"configure --enable-dnsrps". Thanks to Farsight
+			Security. [RT #43376]
+
+4712.	[bug]		"dig +domain" and "dig +search" didn't retain the
+			search domain when retrying with TCP. [RT #45547]
+
+4711.	[test]		Some RR types were missing from genzones.sh.
+			[RT #45782]
+
+4710.	[cleanup]	Changed the --enable-openssl-hash default to yes.
+			[RT #45019]
+
+4709.	[cleanup]	Use dns_name_fullhash() to hash names for RRL.
+			[RT #45435]
+
+4708.	[cleanup]	Legacy Windows builds (i.e. for XP and earlier)
+			are no longer supported. [RT #45186]
+
+4707.	[func]		The lightweight resolver daemon and library (lwresd
+			and liblwres) have been removed. [RT #45186]
+
+4706.	[func]		Code implementing name server query processing has
+			been moved from bin/named to a new library "libns".
+			Functions remaining in bin/named are now prefixed
+			with "named_" rather than "ns_".  This will make it
+			easier to write unit tests for name server code, or
+			link name server functionality into new tools.
+			[RT #45186]
+
+4705.	[placeholder]
+
+4704.	[cleanup]	Silence Visual Studio compiler warnings. [RT #45898]
+
+4703.	[bug]		BINDInstall.exe was missing some buffer length checks.
+			[RT #45898]
+
+4702.	[func]		Update function declarations to use
+			dns_masterstyle_flags_t for style flags. [RT #45924]
+
+4701.	[cleanup]	Refactored lib/dns/tsig.c to reduce code
+			duplication and simplify the disabling of MD5.
+			[RT #45490]
+
+4700.	[func]		Serving of stale answers is now supported. This
+			allows named to provide stale cached answers when
+			the authoritative server is under attack.
+			See max-stale-ttl, stale-answer-enable,
+			stale-answer-ttl. [RT #44790]
+
+4699.	[func]		Multiple cookie-secret clauses can now be specified.
+			The first one specified is used to generate new
+			server cookies.  [RT #45672]
+
+4698.	[port]		Add --with-python-install-dir configure option to allow
+			specifying a nonstandard installation directory for
+			Python modules. [RT #45407]
+
+4697.	[bug]		Restore workaround for Microsoft Windows TSIG hash
+			computation bug. [RT #45854]
+
+4696.	[port]		Enable filter-aaaa support by default on Windows
+			builds. [RT #45883]
+
+4695.	[bug]		cookie-secrets were not being properly checked by
+			named-checkconf. [RT #45886]
+
+4694.	[func]		dnssec-keygen no longer uses RSASHA1 by default;
+			the signing algorithm must be specified on
+			the command line with the "-a" option.  Signing
+			scripts that rely on the existing default behavior
+			will break; use "dnssec-keygen -a RSASHA1" to
+			repair them. (The goal of this change is to make
+			it easier to find scripts using RSASHA1 so they
+			can be changed in the event of that algorithm
+			being deprecated in the future.) [RT #44755]
+
+4693.	[func]		Synthesis of responses from DNSSEC-verified records.
+			Stage 1 covers NXDOMAIN synthesis from NSEC records.
+			This is controlled by synth-from-dnssec and is enabled
+			by default. [RT #40138]
+
+4692.	[bug]		Fix build failures with libressl introduced in 4676.
+			[RT #45879]
+
+4691.	[func]		Add -4/-6 command line options to nsupdate and rndc.
+			[RT #45632]
+
+4690.	[bug]		Command line options -4/-6 were handled inconsistently
+			between tools. [RT #45632]
+
+4689.	[cleanup]	Turn on minimal responses for CDNSKEY and CDS in
+			addition to DNSKEY and DS. Thanks to Tony Finch.
+			[RT #45690]
+
+4688.	[protocol]	Check and display EDNS KEY TAG options (RFC 8145) in
+			messages. [RT #44804]
+
+4687.	[func]		Refactor tracklines code. [RT #45126]
+
+4686.	[bug]		dnssec-settime -p could print a bogus warning about
+			key deletion scheduled before its inactivation when a
+			key had an inactivation date set but no deletion date
+			set. [RT #45807]
+
+4685.	[bug]		dnssec-settime incorrectly calculated publication and
+			activation dates for a successor key. [RT #45806]
+
+4684.	[bug]		delv could send bogus DNS queries when an explicit
+			server address was specified on the command line along
+			with -4/-6. [RT #45804]
+
+4683.	[bug]		Prevent nsupdate from immediately exiting on invalid
+			user input in interactive mode. [RT #28194]
+
+4682.	[bug]		Don't report errors on records below a DNAME.
+			[RT #44880]
+
+4681.	[bug]		Log messages from the validator now include the
+			associated view unless the view is "_default/IN"
+			or "_dnsclient/IN". [RT #45770]
+
+4680.	[bug]		Fix failing over to another master server address when
+			nsupdate is used with GSS-API. [RT #45380]
+
+4679.	[cleanup]	Suggest using -o when dnssec-verify finds a SOA record
+			not at top of zone and -o is not used. [RT #45519]
+
+4678.	[bug]		geoip-use-ecs has the wrong type when geoip support
+			is disabled at configure time. [RT #45763]
+
+4677.	[cleanup]	Split up the main function in dig to better support
+			the iOS app version. [RT #45508]
+
+4676.	[cleanup]	Allow BIND to be built using OpenSSL 1.0.X with
+			deprecated functions removed. [RT #45706]
+
+4675.	[cleanup]	Don't use C++ keyword class. [RT #45726]
+
+4674.	[func]		"dig +sigchase", and related options "+topdown" and
+			"+trusted-keys", have been removed. Use "delv" for
+			queries with DNSSEC validation. [RT #42793]
+
+4673.	[port]		Silence GCC 7 warnings. [RT #45592]
+
+4672.	[placeholder]
+
+4671.	[bug]		Fix a race condition that could cause the
+			resolver to crash with assertion failure when
+			chasing DS in specific conditions with a very
+			short RTT to the upstream nameserver. [RT #45168]
+
+4670.	[cleanup]	Ensure that a request MAC is never sent back
+			in an XFR response unless the signature was
+			verified. [RT #45494]
+
+4669.	[func]		Iterative query logic in resolver.c has been
+			refactored into smaller functions and commented,
+			for improved readability, maintainability and
+			testability. [RT #45362]
+
+4668.	[bug]		Use localtime_r and gmtime_r for thread safety.
+			[RT #45664]
+
+4667.	[cleanup]	Refactor RDATA unit tests. [RT #45610]
+
+4666.	[bug]		dnssec-keymgr: Domain names beginning with digits (0-9)
+			could cause a parser error when reading the policy
+			file. This now works correctly so long as the domain
+			name is quoted. [RT #45641]
+
+4665.	[protocol]	Added support for ED25519 and ED448 DNSSEC signing
+			algorithms (RFC 8080). (Note: these algorithms
+			depend on code currently in the development branch
+			of OpenSSL which has not yet been released.)
+			[RT #44696]
+
+4664.	[func]		Add a "glue-cache" option to enable or disable the
+			glue cache. The default is "yes". [RT #45125]
+
+4663.	[cleanup]	Clarify error message printed by dnssec-dsfromkey.
+			[RT #21731]
+
+4662.	[performance]	Improve cache memory cleanup of zero TTL records
+			by putting them at the tail of LRU header lists.
+			[RT #45274]
+
+4661.	[bug]		A race condition could occur if a zone was reloaded
+			while resigning, triggering a crash in
+			rbtdb.c:closeversion(). [RT #45276]
+
+4660.	[bug]		Remove spurious "peer" from Windows socket log
+			messages. [RT #45617]
+
+4659.	[bug]		Remove spurious log message about lmdb-mapsize
+			not being supported when parsing builtin
+			configuration file. [RT #45618]
+
+4658.	[bug]		Clean up build directory created by "setup.py install"
+			immediately.  [RT #45628]
+
+4657.	[bug]		rrchecker system test result could be improperly
+			determined. [RT #45602]
+
+4656.	[bug]		Apply "port" and "dscp" values specified in catalog
+			zone's "default-masters" option to the generated
+			configuration of its member zones. [RT #45545]
+
+4655.	[bug]		Lack of seccomp could be falsely reported. [RT #45599]
+
+4654.	[cleanup]	Don't use C++ keywords delete, new and namespace.
+			[RT #45538]
+
+4653.	[bug]		Reorder includes to move @DST_OPENSSL_INC@ and
+			@ISC_OPENSSL_INC@ after shipped include directories.
+			[RT #45581]
+
+4652.	[bug]		Nsupdate could attempt to use a zeroed address on
+			server timeout. [RT #45417]
+
+4651.	[test]		Silence coverity warnings in tsig_test.c. [RT #45528]
+
+4650.	[placeholder]
+
+4649.	[bug]		The wrong zone was logged when a catalog zone is added.
+			[RT #45520]
+
+4648.	[bug]		"rndc reconfig" on a slave no longer causes all member
+			zones of configured catalog zones to be removed from
+			configuration. [RT #45310]
+
+4647.	[bug]		Change 4643 broke verification of TSIG signed TCP
+			message sequences where not all the messages contain
+			TSIG records.  These may be used in AXFR and IXFR
+			responses. [RT #45509]
+
+4646.	[placeholder]
+
+4645.	[bug]		Fix PKCS#11 RSA parsing when MD5 is disabled.
+			[RT #45300]
+
+4644.	[placeholder]
+
+4643.	[security]	An error in TSIG handling could permit unauthorized
+			zone transfers or zone updates. (CVE-2017-3142)
+			(CVE-2017-3143) [RT #45383]
+
+4642.	[cleanup]	Add more logging of RFC 5011 events affecting the
+			status of managed keys: newly observed keys,
+			deletion of revoked keys, etc. [RT #45354]
+
+4641.	[cleanup]	Parallel builds (make -j) could fail with --with-atf /
+			--enable-developer. [RT #45373]
+
+4640.	[bug]		If query_findversion failed in query_getdb due to
+			memory failure the error status was incorrectly
+			discarded. [RT #45331]
+
+4639.	[bug]		Fix a regression in --with-tuning reporting introduced
+			by change 4488. [RT #45396]
+
+4638.	[bug]		Reloading or reconfiguring named could fail on
+			some platforms when LMDB was in use. [RT #45203]
+
+4637.	[func]		"nsec3hash -r" option ("rdata order") takes arguments
+			in the same order as they appear in NSEC3 or
+			NSEC3PARAM records, so that NSEC3 parameters can
+			be cut and pasted from an existing record. Thanks
+			to Tony Finch for the contribution. [RT #45183]
+
+4636.	[bug]		Normalize rpz policy zone names when checking for
+			existence. [RT #45358]
+
+4635.	[bug]		Fix RPZ NSDNAME logging that was logging
+			failures as NSIP. [RT #45052]
+
+4634.	[contrib]	check5011.pl needs to handle optional space before
+			semi-colon in +multi-line output. [RT #45352]
+
+4633.	[maint]		Updated AAAA (2001:500:200::b) for B.ROOT-SERVERS.NET.
+
+4632.	[security]	The BIND installer on Windows used an unquoted
+			service path, which can enable privilege escalation.
+			(CVE-2017-3141) [RT #45229]
+
+4631.	[security]	Some RPZ configurations could go into an infinite
+			query loop when encountering responses with TTL=0.
+			(CVE-2017-3140) [RT #45181]
+
+4630.	[bug]		"dyndb" is dependent on dlopen existing / being
+			enabled. [RT #45291]
+
+4629.	[bug]		dns_client_startupdate could not be called with a
+			running client. [RT #45277]
+
+4628.	[bug]		Fixed a potential reference leak in query_getdb().
+			[RT #45247]
+
+4627.	[placeholder]
+
+4626.	[test]		Added more tests for handling of different record
+			ordering in CNAME and DNAME responses. [QA #430]
+
+4625.	[bug]		Running "rndc addzone" and "rndc delzone" at close
+			to the same time could trigger a deadlock if using
+			LMDB. [RT #45209]
+
+4624.	[placeholder]
+
+4623.	[bug]		Use --with-protobuf-c and --with-libfstrm to find
+			protoc-c and fstrm_capture. [RT #45187]
+
+4622.	[bug]		Remove unnecessary escaping of semicolon in CAA and
+			URI records. [RT #45216]
+
+4621.	[port]		Force alignment of oid arrays to silence loader
+			warnings. [RT #45131]
+
+4620.	[port]		Handle EPFNOSUPPORT being returned when probing
+			to see if a socket type is supported. [RT #45214]
+
+4619.	[bug]		Call isc_mem_put instead of isc_mem_free in
+			bin/named/server.c:setup_newzones. [RT #45202]
+
+4618.	[bug]		Check isc_mem_strdup results in dns_view_setnewzones.
+			Add logging for lmdb call failures. [RT #45204]
+
+4617.	[test]		Update rndc system test to be more delay tolerant.
+			[RT #45177]
+
+4616.	[bug]		When using LMDB, zones deleted using "rndc delzone"
+			were not correctly removed from the new-zone
+			database. [RT #45185]
+
+4615.	[bug]		AD could be set on truncated answer with no records
+			present in the answer and authority sections.
+			[RT #45140]
+
+4614.	[test]		Fixed an error in the sockaddr unit test. [RT #45146]
+
+4613.	[func]		By default, the maximum size of a zone journal file
+			is now twice the size of the zone's contents (there
+			is little benefit to a journal larger than this).
+			This can be overridden by setting "max-journal-size"
+			to "unlimited" or to an explicit value up to 2G.
+			Thanks to Tony Finch. [RT #38324]
+
+4612.	[bug]		Silence 'may be use uninitalised' warning and simplify
+			the code in lwres/getaddinfo:process_answer.
+			[RT #45158]
+
+4611.	[bug]		The default LMDB mapsize was too low and caused
+			errors after few thousand zones were added using
+			rndc addzone. A new config option "lmdb-mapsize"
+			has been introduced to configure the LMDB
+			mapsize depending on operational needs.
+			[RT #44954]
+
+4610.	[func]		The "new-zones-directory" option specifies the
+			location of NZF or NZD files for storing
+			configuration of zones added by "rndc addzone".
+			Thanks to Petr Menšík. [RT #44853]
+
+4609.	[cleanup]	Rearrange makefiles to enable parallel execution
+			(i.e. "make -j"). [RT #45078]
+
+4608.	[func]		DiG now warns about .local queries which are reserved
+			for Multicast DNS. [RT #44783]
+
+4607.	[bug]		The memory context's malloced and maxmalloced counters
+			were being updated without the appropriate lock being
+			held.  [RT #44869]
+
+4606.	[port]		Stop using experimental "Experimental keys on scalar"
+			feature of perl as it has been removed. [RT #45012]
+
+4605.	[performance]	Improve performance for delegation heavy answers
+			and also general query performance. Removes the
+			acache feature that didn't significantly improve
+			performance. Adds a glue cache. Removes
+			additional-from-cache and additional-from-auth
+			features. Enables minimal-responses by
+			default. Improves performance of compression
+			code, owner case restoration, hash function,
+			etc. Uses inline buffer implementation by
+			default. Many other performance changes and fixes.
+			[RT #44029]
+
+4604.	[bug]		Don't use ERR_load_crypto_strings() when building
+			with OpenSSL 1.1.0. [RT #45117]
+
+4603.	[doc]		Automatically generate named.conf(5) man page
+			from doc/misc/options. Thanks to Tony Finch.
+			[RT #43525]
+
+4602.	[func]		Threads are now set to human-readable
+			names to assist debugging, when supported by
+			the OS. [RT #43234]
+
+4601.	[bug]		Reject incorrect RSA key lengths during key
+			generation and and sign/verify context
+			creation. [RT #45043]
+
+4600.	[bug]		Adjust RPZ trigger counts only when the entry
+			being deleted exists. [RT #43386]
+
+4599.	[bug]		Fix inconsistencies in inline signing time
+			comparison that were introduced with the
+			introduction of rdatasetheader->resign_lsb.
+			[RT #42112]
+
+4598.	[func]		Update fuzzing code to (1) reply to a DNSKEY
+			query from named with appropriate DNSKEY used in
+			fuzzing; (2) patch the QTYPE correctly in
+			resolver fuzzing; (3) comment things so the rest
+			of us are able to understand how fuzzing is
+			implemented in named; (4) Coding style changes,
+			cleanup, etc. [RT #44787]
+
+4597.	[bug]		The validator now ignores SHA-1 DS digest type
+			when a DS record with SHA-384 digest type is
+			present and is a supported digest type.
+			[RT #45017]
+
+4596.	[bug]		Validate glue before adding it to the additional
+			section. This also fixes incorrect TTL capping
+			when the RRSIG expired earlier than the TTL.
+			[RT #45062]
+
+4595.	[func]		dnssec-keygen will no longer generate RSA keys
+			less than 1024 bits in length. dnssec-keymgr
+			was similarly updated. [RT #36895]
+
+4594.	[func]		"dnstap-read -x" prints a hex dump of the wire
+			format of each logged DNS message. [RT #44816]
+
+4593.	[doc]		Update README using markdown, remove outdated FAQ
+			file in favor of the knowledge base.
+
+4592.	[bug]		A race condition on shutdown could trigger an
+			assertion failure in dispatch.c. [RT #43822]
+
+4591.	[port]		Addressed some python 3 compatibility issues.
+			Thanks to Ville Skytta. [RT #44955] [RT #44956]
+
+4590.	[bug]		Support for PTHREAD_MUTEX_ADAPTIVE_NP was not being
+			properly detected. [RT #44871]
+
+4589.	[cleanup]	"configure -q" is now silent. [RT #44829]
+
+4588.	[bug]		nsupdate could send queries for TKEY to the wrong
+			server when using GSSAPI. Thanks to Tomas Hozza.
+			[RT #39893]
+
+4587.	[bug]		named-checkzone failed to handle occulted data below
+			DNAMEs correctly. [RT #44877]
+
+4586.	[func]		dig, host and nslookup now use TCP for ANY queries.
+			[RT #44687]
+
+4585.	[port]		win32: Set CompileAS value. [RT #42474]
+
+4584.	[bug]		A number of memory usage statistics were not properly
+			reported when they exceeded 4G.  [RT #44750]
+
+4583.	[func]		"host -A" returns most records for a name but
+			omits RRSIG, NSEC and NSEC3. (Thanks to Tony Finch.)
+			[RT #43032]
+
+4582.	[security]	'rndc ""' could trigger a assertion failure in named.
+			(CVE-2017-3138) [RT #44924]
+
+4581.	[port]		Linux: Add getpid and getrandom to the list of system
+			calls named uses for seccomp. [RT #44883]
+
+4580.	[bug]		4578 introduced a regression when handling CNAME to
+			referral below the current domain. [RT #44850]
+
+4579.	[func]		Logging channels and dnstap output files can now
+			be configured with a "suffix" option, set to
+			either "increment" or "timestamp", indicating
+			whether to use incrementing numbers or timestamps
+			as the file suffix when rolling over a log file.
+			[RT #42838]
+
+4578.	[security]	Some chaining (CNAME or DNAME) responses to upstream
+			queries could trigger assertion failures.
+			(CVE-2017-3137) [RT #44734]
+
+4577.	[func]		Make qtype of resolver fuzzing packet configurable
+			via command line. [RT #43540]
+
+4576.	[func]		The RPZ implementation has been substantially
+			refactored for improved performance and reliability.
+			[RT #43449]
+
+4575.	[security]	DNS64 with "break-dnssec yes;" can result in an
+			assertion failure. (CVE-2017-3136) [RT #44653]
+
+4574.	[bug]		Dig leaked memory with multiple +subnet options.
+			[RT #44683]
+
+4573.	[func]		Query logic has been substantially refactored (e.g.
+			query_find function has been split into smaller
+			functions) for improved readability, maintainability
+			and testability. [RT #43929]
+
+4572.	[func]		The "dnstap-output" option can now take "size" and
+			"versions" parameters to indicate the maximum size
+			a dnstap log file can grow before rolling to a new
+			file, and how many old files to retain. [RT #44502]
+
+4571.	[bug]		Out-of-tree builds of backtrace_test failed.
+
+4570.	[cleanup]	named did not correctly fall back to the built-in
+			initializing keys if the bind.keys file was present
+			but empty. [RT #44531]
+
+4569.	[func]		Store both local and remote addresses in dnstap
+			logging, and modify dnstap-read output format to
+			print them. [RT #43595]
+
+4568.	[contrib]	Added a --with-bind option to the dnsperf configure
+			script to specify BIND prefix path.
+
+4567.	[port]		Call getprotobyname and getservbyname prior to calling
+			chroot so that shared libraries get loaded. [RT #44537]
+
+4566.	[func]		Query logging now includes the ECS option if one
+			was included in the query. [RT #44476]
+
+4565.	[cleanup]	The inline macro versions of isc_buffer_put*()
+			did not implement automatic buffer reallocation.
+			[RT #44216]
+
+4564.	[maint]		Update the built in managed keys to include the
+			upcoming root KSK. [RT #44579]
+
+4563.	[bug]		Modified zones would occasionally fail to reload.
+			[RT #39424]
+
+4562.	[func]		Add additional memory statistics currently malloced
+			and maxmalloced per memory context. [RT #43593]
+
+4561.	[port]		Silence a warning in strict C99 compilers. [RT #44414]
+
+4560.	[bug]		mdig: add -m option to enable memory debugging rather
+			than having it on all the time. [RT #44509]
+
+4559.	[bug]		openssl_link.c didn't compile if ISC_MEM_TRACKLINES
+			was turned off.  [RT #44509]
+
+4558.	[bug]		Synthesised CNAME before matching DNAME was still
+			being cached when it should not have been.  [RT #44318]
+
+4557.	[security]	Combining dns64 and rpz can result in dereferencing
+			a NULL pointer (read).  (CVE-2017-3135) [RT#44434]
+
+4556.	[bug]		Sending an EDNS Padding option using "dig
+			+ednsopt" could cause a crash in dig. [RT #44462]
+
+4555.	[func]		dig +ednsopt: EDNS options can now be specified by
+			name in addition to numeric value. [RT #44461]
+
+4554.	[bug]		Remove double unlock in dns_dispatchmgr_setudp.
+			[RT #44336]
+
+4553.	[bug]		Named could deadlock there were multiple changes to
+			NSEC/NSEC3 parameters for a zone being processed at
+			the same time. [RT #42770]
+
+4552.	[bug]		Named could trigger a assertion when sending notify
+			messages. [RT #44019]
+
+4551.	[test]		Add system tests for integrity checks of MX and
+			SRV records. [RT #43953]
+
+4550.	[cleanup]	Increased the number of available master file
+			output style flags from 32 to 64. [RT #44043]
+
+4549.	[func]		Added support for the EDNS TCP Keepalive option
+			(RFC 7828). [RT #42126]
+
+4548.	[func]		Added support for the EDNS Padding option (RFC 7830).
+			[RT #42094]
+
+4547.	[port]		Add support for --enable-native-pkcs11 on the AEP
+			Keyper HSM. [RT #42463]
+
+4546.	[func]		Extend the use of const declarations. [RT #43379]
+
+4545.	[func]		Expand YAML output from dnstap-read to include
+			a detailed breakdown of the DNS message contents.
+			[RT #43642]
+
+4544.	[bug]		Add message/payload size to dnstap-read YAML output.
+			[RT #43622]
+
+4543.	[bug]		dns_client_startupdate now delays sending the update
+			request until isc_app_ctxrun has been called.
+			[RT #43976]
+
+4542.	[func]		Allow rndc to manipulate redirect zones with using
+			-redirect as the zone name (use "-redirect." to
+			manipulate a zone named "-redirect"). [RT #43971]
+
+4541.	[bug]		rndc addzone should properly reject non master/slave
+			zones. [RT #43665]
+
+4540.	[bug]		Correctly handle ecs entries in dns_acl_isinsecure.
+			[RT #43601]
+
+4539.	[bug]		Referencing a nonexistent zone with RPZ could lead
+			to a assertion failure when configuring. [RT #43787]
+
+4538.	[bug]		Call dns_client_startresolve from client->task.
+			[RT #43896]
+
+4537.	[bug]		Handle timeouts better in dig/host/nslookup. [RT #43576]
+
+4536.	[bug]		ISC_SOCKEVENTATTR_USEMINMTU was not being cleared
+			when reusing the event structure. [RT #43885]
+
+4535.	[bug]		Address race condition in setting / testing of
+			DNS_REQUEST_F_SENDING. [RT #43889]
+
+4534.	[bug]		Only set RD, RA and CD in QUERY responses. [RT #43879]
+
+4533.	[bug]		dns_client_update should terminate on prerequisite
+			failures (NXDOMAIN, YXDOMAIN, NXRRSET, YXRRSET)
+			and also on BADZONE.  [RT #43865]
+
+4532.	[contrib]	Make gen-data-queryperf.py python 3 compatible.
+			[RT #43836]
+
+4531.	[security]	'is_zone' was not being properly updated by redirect2
+			and subsequently preserved leading to an assertion
+			failure. (CVE-2016-9778) [RT #43837]
+
+4530.	[bug]		Change 4489 broke the handling of CNAME -> DNAME
+			in responses resulting in SERVFAIL being returned.
+			[RT #43779]
+
+4529.	[cleanup]	Silence noisy log warning when DSCP probe fails
+			due to firewall rules. [RT #43847]
+
+4528.	[bug]		Only set the flag bits for the i/o we are waiting
+			for on EPOLLERR or EPOLLHUP. [RT #43617]
+
+4527.	[doc]		Support DocBook XSL Stylesheets v1.79.1. [RT #43831]
+
+4526.	[doc]		Corrected errors and improved formatting of
+			grammar definitions in the ARM. [RT #43739]
+
+4525.	[doc]		Fixed outdated documentation on managed-keys.
+			[RT #43810]
+
+4524.	[bug]		The net zero test was broken causing IPv4 servers
+			with addresses ending in .0 to be rejected. [RT #43776]
+
+4523.	[doc]		Expand config doc for <querysource4> and
+			<querysource6>. [RT #43768]
+
+4522.	[bug]		Handle big gaps in log file version numbers better.
+			[RT #38688]
+
+4521.	[cleanup]	Log it as an error if an entropy source is not
+			found and there is no fallback available. [RT #43659]
+
+4520.	[cleanup]	Alphabetize more of the grammar when printing it
+			out. Fix unbalanced indenting. [RT #43755]
+
+4519.	[port]		win32: handle ERROR_MORE_DATA. [RT #43534]
+
+4518.	[func]		The "print-time" option in the logging configuration
+			can now take arguments "local", "iso8601" or
+			"iso8601-utc" to indicate the format in which the
+			date and time should be logged. For backward
+			compatibility, "yes" is a synonym for "local".
+			[RT #42585]
+
+4517.	[security]	Named could mishandle authority sections that were
+			missing RRSIGs triggering an assertion failure.
+			(CVE-2016-9444) [RT # 43632]
+
+4516.	[bug]		isc_socketmgr_renderjson was missing from the
+			windows build. [RT #43602]
+
+4515.	[port]		FreeBSD: Find readline headers when they are in
+			edit/readline/ instead of readline/. [RT #43658]
+
+4514.	[port]		NetBSD: strip -WL, from ld command line. [RT #43204]
+
+4513.	[cleanup]	Minimum Python versions are now 2.7 and 3.2.
+			[RT #43566]
+
+4512.	[bug]		win32: @GEOIP_INC@ missing from delv.vcxproj.in.
+			[RT #43556]
+
+4511.	[bug]		win32: mdig.exe-BNFT was missing Configure. [RT #43554]
+
+4510.	[security]	Named mishandled some responses where covering RRSIG
+			records are returned without the requested data
+			resulting in a assertion failure. (CVE-2016-9147)
+			[RT #43548]
+
+4509.	[test]		Make the rrl system test more reliable on slower
+			machines by using mdig instead of dig. [RT #43280]
+
+4508.	[security]	Named incorrectly tried to cache TKEY records which
+			could trigger a assertion failure when there was
+			a class mismatch. (CVE-2016-9131) [RT #43522]
+
+4507.	[bug]		Named could incorrectly log 'allows updates by IP
+			address, which is insecure' [RT #43432]
+
+4506.	[func]		'named-checkconf -l' will now list the zones found in
+			named.conf. [RT #43154]
+
+4505.	[port]		Use IP_PMTUDISC_OMIT if available. [RT #35494]
+
+4504.	[security]	Allow the maximum number of records in a zone to
+			be specified.  This provides a control for issues
+			raised in CVE-2016-6170. [RT #42143]
+
+4503.	[cleanup]	"make uninstall" now removes files installed by
+			BIND. (This currently excludes Python files
+			due to lack of support in setup.py.) [RT #42192]
+
+4502.	[func]		Report multiple and experimental options when printing
+			grammar. [RT #43134]
+
+4501.	[placeholder]
+
+4500.	[bug]		Support modifier I64 in isc__print_printf. [RT #43526]
+
+4499.	[port]		MacOSX: silence deprecated function warning
+			by using arc4random_stir() when available
+			instead of arc4random_addrandom(). [RT #43503]
+
+4498.	[test]		Simplify prerequisite checks in system tests.
+			[RT #43516]
+
+4497.	[port]		Add support for OpenSSL 1.1.0. [RT #41284]
+
+4496.	[func]		dig: add +idnout to control whether labels are
+			display in punycode or not.  Requires idn support
+			to be enabled at compile time. [RT #43398]
+
+4495.	[bug]		A isc_mutex_init call was not being checked.
+			[RT #43391]
+
+4494.	[bug]		Look for <editline/readline.h>. [RT #43429]
+
+4493.	[bug]		bin/tests/system/dyndb/driver/Makefile.in should use
+			SO_TARGETS. [RT# 43336]
+
+4492.	[bug]		irs_resconf_load failed to initialize sortlistnxt
+			causing bad writes if resolv.conf contained a
+			sortlist directive. [RT #43459]
+
+4491.	[bug]		Improve message emitted when testing whether sendmsg
+			works with TOS/TCLASS fails. [RT #43483]
+
+4490.	[maint]		Added AAAA (2001:500:12::d0d) for G.ROOT-SERVERS.NET.
+
+4489.	[security]	It was possible to trigger assertions when processing
+			a response containing a DNAME answer. (CVE-2016-8864)
+			[RT #43465]
+
+4488.	[port]		Darwin: use -framework for Kerberos. [RT #43418]
+
+4487.	[test]		Make system tests work on Windows. [RT #42931]
+
+4486.	[bug]		Look in $prefix/lib/pythonX.Y/site-packages for
+			the python modules we install. [RT #43330]
+
+4485.	[bug]		Failure to find readline when requested should be
+			fatal to configure. [RT #43328]
+
+4484.	[func]		Check prefixes in acls to make sure the address and
+			prefix lengths are consistent.  Warn only in
+			BIND 9.11 and earlier. [RT #43367]
+
+4483.	[bug]		Address use before require check and remove extraneous
+			dns_message_gettsigkey call in dns_tsig_sign.
+			[RT #43374]
+
+4482.	[cleanup]	Change #4455 was incomplete. [RT #43252]
+
+4481.	[func]		dig: make +class, +crypto, +multiline, +rrcomments,
+			+onesoa, +qr, +ttlid, +ttlunits and -u per lookup
+			rather than global. [RT #42450]
+
+4480.	[placeholder]
+
+4479.	[placeholder]
+
+4478.	[func]		Add +continue option to mdig, allow continue on socket
+			errors. [RT #43281]
+
+4477.	[test]		Fix mkeys test timing issues. [RT #41028]
+
+4476.	[test]		Fix reclimit test on slower machines. [RT #43283]
+
+4475.	[doc]		Update named-checkconf documentation. [RT #43153]
+
+4474.	[bug]		win32: call WSAStartup in fromtext_in_wks so that
+			getprotobyname and getservbyname work.  [RT #43197]
+
+4473.	[bug]		Only call fsync / _commit on regular files. [RT #43196]
+
+4472.	[bug]		Named could fail to find the correct NSEC3 records when
+			a zone was updated between looking for the answer and
+			looking for the NSEC3 records proving nonexistence
+			of the answer. [RT #43247]
+
+	--- 9.11.0 released ---
+
+	--- 9.11.0rc3 released ---
+
+4471.	[cleanup]	Render client/query logging format consistent for
+			ease of log file parsing. (Note that this affects
+			"querylog" format: there is now an additional field
+			indicating the client object address.) [RT #43238]
+
+4470.	[bug]		Reset message with intent parse before
+			calling dns_dispatch_getnext. [RT #43229]
+
+4469.	[placeholder]
+
+	--- 9.11.0rc2 released ---
+
+4468.	[bug]		Address ECS option handling issues. [RT #43191]
+
+4467.	[security]	It was possible to trigger an assertion when
+			rendering a message. (CVE-2016-2776) [RT #43139]
+
+4466.	[bug]		Interface scanning didn't work on a Windows system
+			without a non local IPv6 addresses. [RT #43130]
+
+4465.	[bug]		Don't use "%z" as Windows doesn't support it.
+			[RT #43131]
+
+4464.	[bug]		Fix windows python support. [RT #43173]
+
+4463.	[bug]		The dnstap system test failed on some systems.
+			[RT #43129]
+
+4462.	[bug]		Don't describe a returned EDNS COOKIE as "good"
+			when there isn't a valid server cookie. [RT #43167]
+
+4461.	[bug]		win32: not all external data was properly marked
+			as external data for windows dll. [RT #43161]
+
+	--- 9.11.0rc1 released ---
+
+4460.	[test]		Add system test for dnstap using unix domain sockets.
+			[RT #42926]
+
+4459.	[bug]		TCP client objects created to handle pipeline queries
+			were not cleaned up correctly, causing uncontrolled
+			memory growth. [RT #43106]
+
+4458.	[cleanup]	Update assertions to be more correct, and also remove
+			use of a reserved word. [RT #43090]
+
+4457.	[maint]		Added AAAA (2001:500:a8::e) for E.ROOT-SERVERS.NET.
+
+4456.	[doc]		Add DOCTYPE and lang attribute to <html> tags.
+			[RT #42587]
+
+4455.	[cleanup]	Allow dyndb modules to correctly log the filename
+			and line number when processing configuration text
+			from named.conf. [RT #43050]
+
+4454.	[bug]		'rndc dnstap -reopen' had a race issue. [RT #43089]
+
+4453.	[bug]		Prefetching of DS records failed to update their
+			RRSIGs. [RT #42865]
+
+4452.	[bug]		The default key manager policy file is now
+			<sysdir>/dnssec-policy.conf (usually
+			/etc/dnssec-policy.conf). [RT #43064]
+
+4451.	[cleanup]	Log more useful information if a PKCS#11 provider
+			library cannot be loaded. [RT #43076]
+
+4450.	[port]		Provide more nuanced HSM support which better matches
+			the specific PKCS11 providers capabilities. [RT #42458]
+
+4449.	[test]		Fix catalog zones test on slower systems. [RT #42997]
+
+4448.	[bug]		win32: ::1 was not being found when iterating
+			interfaces. [RT #42993]
+
+4447.	[tuning]	Allow the fstrm_iothr_init() options to be set using
+			named.conf to control how dnstap manages the data
+			flow. [RT #42974]
+
+4446.	[bug]		The cache_find() and _findrdataset() functions
+			could find rdatasets that had been marked stale.
+			[RT #42853]
+
+4445.	[cleanup]	isc_errno_toresult() can now be used to call the
+			formerly private function isc__errno2result().
+			[RT #43050]
+
+4444.	[bug]		Fixed some issues related to dyndb: A bug caused
+			braces to be omitted when passing configuration text
+			from named.conf to a dyndb driver, and there was a
+			use-after-free in the sample dyndb driver. [RT #43050]
+
+4443.	[func]		Set TCP_MAXSEG in addition to IPV6_USE_MIN_MTU on
+			TCP sockets. [RT #42864]
+
+4442.	[bug]		Fix RPZ CIDR tree insertion bug that corrupted
+			tree data structure with overlapping networks
+			(longest prefix match was ineffective).
+			[RT #43035]
+
+4441.	[cleanup]	Alphabetize host's help output. [RT #43031]
+
+4440.	[func]		Enable TCP fast open support when available on the
+			server side. [RT #42866]
+
+4439.	[bug]		Address race conditions getting ownernames of nodes.
+			[RT #43005]
+
+4438.	[func]		Use LIFO rather than FIFO when processing startup
+			notify and refresh queries. [RT #42825]
+
+4437.	[func]		Minimal-responses now has two additional modes
+			no-auth and no-auth-recursive which suppress
+			adding the NS records to the authority section
+			as well as the associated address records for the
+			nameservers. [RT #42005]
+
+4436.	[func]		Return TLSA records as additional data for MX and SRV
+			lookups. [RT #42894]
+
+4435.	[tuning]	Only set IPV6_USE_MIN_MTU for UDP when the message
+			will not fit into a single IPv4 encapsulated IPv6
+			UDP packet when transmitted over a Ethernet link.
+			[RT #42871]
+
+4434.	[protocol]	Return EDNS EXPIRE option for master zones in addition
+			to slave zones. [RT #43008]
+
+4433.	[cleanup]	Report an error when passing an invalid option or
+			view name to "rndc dumpdb". [RT #42958]
+
+4432.	[test]		Hide rndc output on expected failures in logfileconfig
+			system test. [RT #27996]
+
+4431.	[bug]		named-checkconf now checks the rate-limit clause.
+			[RT #42970]
+
+4430.	[bug]		Lwresd died if a search list was not defined.
+			Found by 0x710DDDD At Alibaba Security. [RT #42895]
+
+4429.	[bug]		Address potential use after free on fclose() error.
+			[RT #42976]
+
+4428.	[bug]		The "test dispatch getnext" unit test could fail
+			in a threaded build. [RT #42979]
+
+4427.	[bug]		The "query" and "response" parameters to the
+			"dnstap" option had their functions reversed.
+
+	--- 9.11.0b3 released ---
+
+4426.	[bug]		Addressed Coverity warnings. [RT #42908]
+
+4425.	[bug]		arpaname, dnstap-read and named-rrchecker were not
+			being installed into ${prefix}/bin.  Tidy up
+			installation issues with CHANGE 4421. [RT #42910]
+
+4424.	[experimental]	Named now sends _ta-XXXX.<trust-anchor>/NULL queries
+			to provide feedback to the trust-anchor administrators
+			about how key rollovers are progressing as per
+			draft-ietf-dnsop-edns-key-tag-02.  This can be
+			disabled using 'trust-anchor-telemetry no;'.
+			[RT #40583]
+
+4423.	[maint]		Added missing IPv6 address 2001:500:84::b for
+			B.ROOT-SERVERS.NET. [RT #42898]
+
+4422.	[port]		Silence clang warnings in dig.c and dighost.c.
+			[RT #42451]
+
+4421.	[func]		When built with LMDB (Lightning Memory-mapped
+			Database), named will now use a database to store
+			the configuration for zones added by "rndc addzone"
+			instead of using a flat NZF file. This improves
+			performance of "rndc delzone" and "rndc modzone"
+			significantly. Existing NZF files will
+			automatically by converted to NZD databases.
+			To view the contents of an NZD or to roll back to
+			NZF format, use "named-nzd2nzf". To disable
+			this feature, use "configure --without-lmdb".
+			[RT #39837]
+
+4420.	[func]		nslookup now looks for AAAA as well as A by default.
+			[RT #40420]
+
+4419.	[bug]		Don't cause undefined result if the label of an
+			entry in catalog zone is changed. [RT #42708]
+
+4418.	[bug]		Fix a compiler warning in GSSAPI code. [RT #42879]
+
+4417.	[bug]		dnssec-keymgr could fail to create successor keys
+			if the prepublication interval was set to a value
+			smaller than the default. [RT #42820]
+
+4416.	[bug]		dnssec-keymgr: Domain names in policy files could
+			fail to match due to trailing dots. [RT #42807]
+
+4415.	[bug]		dnssec-keymgr: Expired/deleted keys were not always
+			excluded. [RT #42884]
+
+4414.	[bug]		Corrected a bug in the MIPS implementation of
+			isc_atomic_xadd(). [RT #41965]
+
+4413.	[bug]		GSSAPI negotiation could fail if GSS_S_CONTINUE_NEEDED
+			was returned. [RT #42733]
+
+	--- 9.11.0b2 released ---
+
+4412.	[cleanup]	Make fixes for GCC 6. ISC_OFFSET_MAXIMUM macro was
+			removed. [RT #42721]
+
+4411.	[func]		"rndc dnstap -roll" automatically rolls the
+			dnstap output file; the previous version is
+			saved with ".0" suffix, and earlier versions
+			with ".1" and so on. An optional numeric argument
+			indicates how many prior files to save. [RT #42830]
+
+4410.	[bug]		Address use after free and memory leak with dnstap.
+			[RT #42746]
+
+4409.	[bug]		DNS64 should exclude mapped addresses by default when
+			an exclude acl is not defined. [RT #42810]
+
+4408.	[func]		Continue waiting for expected response when we the
+			response we get does not match the request. [RT #41026]
+
+4407.	[performance]	Use GCC builtin for clz in RPZ lookup code.
+			[RT #42818]
+
+4406.	[security]	getrrsetbyname with a non absolute name could
+			trigger an infinite recursion bug in lwresd
+			and named with lwres configured if when combined
+			with a search list entry the resulting name is
+			too long. (CVE-2016-2775) [RT #42694]
+
+4405.	[bug]		Change 4342 introduced a regression where you could
+			not remove a delegation in a NSEC3 signed zone using
+			OPTOUT via nsupdate. [RT #42702]
+
+4404.	[misc]		Allow krb5-config to be used when configuring gssapi.
+			[RT #42580]
+
+4403.	[bug]		Rename variables and arguments that shadow: basename,
+			clone and gai_error.
+
+4402.	[bug]		protoc-c is now a hard requirement for --enable-dnstap.
+
+	--- 9.11.0b1 released ---
+
+4401.	[misc]		Change LICENSE to MPL 2.0.
+
+4400.	[bug]		ttl policy was not being inherited in policy.py.
+			[RT #42718]
+
+4399.	[bug]		policy.py 'ECCGOST', 'ECDSAP256SHA256', and
+			'ECDSAP384SHA384' don't have settable keysize.
+			[RT #42718]
+
+4398.	[bug]		Correct spelling of ECDSAP256SHA256 in policy.py.
+			[RT #42718]
+
+4397.	[bug]		Update Windows python support. [RT #42538]
+
+4396.	[func]		dnssec-keymgr now takes a '-r randomfile' option.
+			[RT #42455]
+
+4395.	[bug]		Improve out-of-tree installation of python modules.
+			[RT #42586]
+
+4394.	[func]		Add rndc command "dnstap-reopen" to close and
+			reopen dnstap output files. [RT #41803]
+
+4393.	[bug]		Address potential NULL pointer dereferences in
+			dnstap code.
+
+4392.	[func]		Collect statistics for RSSAC02v3 traffic-volume,
+			traffic-sizes and rcode-volume reporting. [RT #41475]
+
+4391.	[contrib]	Fix leaks in contrib DLZ code. [RT #42707]
+
+4390.	[doc]		Description of masters with TSIG, allow-query and
+			allow-transfer options in catalog zones. [RT #42692]
+
+4389.	[test]		Rewritten test suite for catalog zones. [RT #42676]
+
+4388.	[func]		Support for master entries with TSIG keys in catalog
+			zones. [RT #42577]
+
+4387.	[bug]		Change 4336 was not complete leading to SERVFAIL
+			being return as NS records expired. [RT #42683]
+
+4386.	[bug]		Remove shadowed overmem function/variable. [RT #42706]
+
+4385.	[func]		Add support for allow-query and allow-transfer ACLs
+			to catalog zones. [RT #42578]
+
+4384.	[bug]		Change 4256 accidentally disabled logging of the
+			rndc command. [RT #42654]
+
+4383.	[bug]		Correct spelling error in stats channel description of
+			"EDNS client subnet option received". [RT #42633]
+
+4382.	[bug]		rndc {addzone,modzone,delzone,showzone} should all
+			compare the zone name using a canonical format.
+			[RT #42630]
+
+4381.	[bug]		Missing "zone-directory" option in catalog zone
+			definition caused BIND to crash. [RT #42579]
+
+	--- 9.11.0a3 released ---
+
+4380.	[experimental]	Added a "zone-directory" option to "catalog-zones"
+			syntax, allowing local masterfiles for slaves
+			that are provisioned by catalog zones to be stored
+			in a directory other than the server's working
+			directory. [RT #42527]
+
+4379.	[bug]		An INSIST could be triggered if a zone contains
+			RRSIG records with expiry fields that loop
+			using serial number arithmetic. [RT #40571]
+
+4378.	[contrib]	#include <isc/string.h> for strlcat in zone2ldap.c.
+			[RT #42525]
+
+4377.	[bug]		Don't reuse zero TTL responses beyond the current
+			client set (excludes ANY/SIG/RRSIG queries).
+			[RT #42142]
+
+4376.	[experimental]	Added support for Catalog Zones, a new method for
+			provisioning secondary servers in which a list of
+			zones to be served is stored in a DNS zone and can
+			be propagated to slaves via AXFR/IXFR. [RT #41581]
+
+4375.	[func]		Add support for automatic reallocation of isc_buffer
+			to isc_buffer_put* functions. [RT #42394]
+
+4374.	[bug]		Use SAVE/RESTORE macros in query.c to reduce the
+			probability of reference counting errors as seen
+			in 4365. [RT #42405]
+
+4373.	[bug]		Address undefined behavior in getaddrinfo. [RT #42479]
+
+4372.	[bug]		Address undefined behavior in libt_api. [RT #42480]
+
+4371.	[func]		New "minimal-any" option reduces the size of UDP
+			responses for qtype ANY by returning a single
+			arbitrarily selected RRset instead of all RRsets.
+			Thanks to Tony Finch. [RT #41615]
+
+4370.	[bug]		Address python3 compatibility issues with RNDC module.
+			[RT #42499] [RT #42506]
+
+	--- 9.11.0a2 released ---
+
+4369.	[bug]		Fix 'make' and 'make install' out-of-tree python
+			support. [RT #42484]
+
+4368.	[bug]		Fix a crash when calling "rndc stats" on some
+			Windows builds because some Visual Studio compilers
+			generated crashing code for the "%z" printf()
+			format specifier. [RT #42380]
+
+4367.	[bug]		Remove unnecessary assignment of loadtime in
+			zone_touched. [RT #42440]
+
+4366.	[bug]		Address race condition when updating rbtnode bit
+			fields. [RT #42379]
+
+4365.	[bug]		Address zone reference counting errors involving
+			nxdomain-redirect. [RT #42258]
+
+4364.	[port]		freebsd: add -Wl,-E to loader flags [RT #41690]
+
+4363.	[port]		win32: Disable explicit triggering UAC when running
+			BINDInstall.
+
+4362.	[func]		Changed rndc reconfig behavior so that newly added
+			zones are loaded asynchronously and the loading does
+			not block the server. [RT #41934]
+
+4361.	[cleanup]	Where supported, file modification times returned
+			by isc_file_getmodtime() are now accurate to the
+			nanosecond. [RT #41968]
+
+4360.	[bug]		Silence spurious 'bad key type' message when there is
+			a existing TSIG key. [RT #42195]
+
+4359.	[bug]		Inherited 'also-notify' lists were not being checked
+			by named-checkconf. [RT #42174]
+
+4358.	[test]		Added American Fuzzy Lop harness that allows
+			feeding fuzzed packets into BIND.
+			[RT #41723]
+
+4357.	[func]		Add the python RNDC module. [RT #42093]
+
+4356.	[func]		Add the ability to specify whether to wait for
+			nameserver addresses to be looked up or not to
+			RPZ with a new modifying directive 'nsip-wait-recurse'.
+			[RT #35009]
+
+4355.	[func]		"pkcs11-list" now displays the extractability
+			attribute of private or secret keys stored in
+			an HSM, as either "true", "false", or "never"
+			Thanks to Daniel Stirnimann. [RT #36557]
+
+4354.	[bug]		Check that the received HMAC length matches the
+			expected length prior to check the contents on the
+			control channel.  This prevents a OOB read error.
+			This was reported by Lian Yihan, <lianyihan@360.cn>.
+			[RT #42215]
+
+4353.	[cleanup]	Update PKCS#11 header files. [RT #42175]
+
+4352.	[cleanup]	The ISC DNSSEC Lookaside Validation (DLV) service
+			is scheduled to be disabled in 2017.  A warning is
+			now logged when named is configured to use it,
+			either explicitly or via "dnssec-lookaside auto;"
+			[RT #42207]
+
+4351.	[bug]		'dig +noignore' didn't work. [RT #42273]
+
+4350.	[contrib]	Declare result in  dlz_filesystem_dynamic.c.
+
+4349.	[contrib]	kasp2policy: A python script to create a DNSSEC
+			policy file from an OpenDNSSEC KASP XML file.
+
+4348.	[func]		dnssec-keymgr: A new python-based DNSSEC key
+			management utility, which reads a policy definition
+			file and can create or update DNSSEC keys as needed
+			to ensure that a zone's keys match policy, roll over
+			correctly on schedule, etc.  Thanks to Sebastian
+			Castro for assistance in development. [RT #39211]
+
+4347.	[port]		Corrected a build error on x86_64 Solaris. [RT #42150]
+
+4346.	[bug]		Fixed a regression introduced in change #4337 which
+			caused signed domains with revoked KSKs to fail
+			validation. [RT #42147]
+
+4345.	[contrib]	perftcpdns mishandled the return values from
+			clock_nanosleep. [RT #42131]
+
+4344.	[port]		Address openssl version differences. [RT #42059]
+
+4343.	[bug]		dns_dnssec_syncupdate mis-declared in <dns/dnssec.h>.
+			[RT #42090]
+
+4342.	[bug]		'rndc flushtree' could fail to clean the tree if there
+			wasn't a node at the specified name. [RT #41846]
+
+	--- 9.11.0a1 released ---
+
+4341.	[bug]		Correct the handling of ECS options with
+			address family 0. [RT #41377]
+
+4340.	[performance]	Implement adaptive read-write locks, reducing the
+			overhead of locks that are only held briefly.
+			[RT #37329]
+
+4339.	[test]		Use "mdig" to test pipelined queries. [RT #41929]
+
+4338.	[bug]		Reimplement change 4324 as it wasn't properly doing
+			all the required book keeping. [RT #41941]
+
+4337.	[bug]		The previous change exposed a latent flaw in
+			key refresh queries for managed-keys when
+			a cached DNSKEY had TTL 0. [RT #41986]
+
+4336.	[bug]		Don't emit records with zero ttl unless the records
+			were learnt with a zero ttl. [RT #41687]
+
+4335.	[bug]		zone->view could be detached too early. [RT #41942]
+
+4334.	[func]		'named -V' now reports zlib version. [RT #41913]
+
+4333.	[maint]		L.ROOT-SERVERS.NET is now 199.7.83.42 and
+			2001:500:9f::42.
+
+4332.	[placeholder]
+
+4331.	[func]		When loading managed signed zones detect if the
+			RRSIG's inception time is in the future and regenerate
+			the RRSIG immediately. [RT #41808]
+
+4330.	[protocol]	Identify the PAD option as "PAD" when printing out
+			a message.
+
+4329.	[func]		Warn about a common misconfiguration when forwarding
+			RFC 1918 zones. [RT #41441]
+
+4328.	[performance]	Add dns_name_fromwire() benchmark test. [RT #41694]
+
+4327.	[func]		Log query and depth counters during fetches when
+			querytrace (./configure --enable-querytrace) is
+			enabled (helps in diagnosing).  [RT #41787]
+
+4326.	[protocol]	Add support for AVC. [RT #41819]
+
+4325.	[func]		Add a line to "rndc status" indicating the
+			hostname and operating system details. [RT #41610]
+
+4324.	[bug]		When deleting records from a zone database, interior
+			nodes could be left empty but not deleted, damaging
+			search performance afterward. [RT #40997]
+
+4323.	[bug]		Improve HTTP header processing on statschannel.
+			[RT #41674]
+
+4322.	[security]	Duplicate EDNS COOKIE options in a response could
+			trigger an assertion failure. (CVE-2016-2088)
+			[RT #41809]
+
+4321.	[bug]		Zones using mapped files containing out-of-zone data
+			could return SERVFAIL instead of the expected NODATA
+			or NXDOMAIN results. [RT #41596]
+
+4320.	[bug]		Insufficient memory allocation when handling
+			"none" ACL could cause an assertion failure in
+			named when parsing ACL configuration. [RT #41745]
+
+4319.	[security]	Fix resolver assertion failure due to improper
+			DNAME handling when parsing fetch reply messages.
+			(CVE-2016-1286) [RT #41753]
+
+4318.	[security]	Malformed control messages can trigger assertions
+			in named and rndc. (CVE-2016-1285) [RT #41666]
+
+4317.	[bug]		Age all unused servers on fetch timeout. [RT #41597]
+
+4316.	[func]		Add option to tools to print RRs in unknown
+			presentation format [RT #41595].
+
+4315.	[bug]		Check that configured view class isn't a meta class.
+			[RT #41572].
+
+4314.	[contrib]	Added 'dnsperf-2.1.0.0-1', a set of performance
+			testing tools provided by Nominum, Inc.
+
+4313.	[bug]		Handle ns_client_replace failures in test mode.
+			[RT #41190]
+
+4312.	[bug]		dig's unknown DNS and EDNS flags (MBZ value) logging
+			was not consistent. [RT #41600]
+
+4311.	[bug]		Prevent "rndc delzone" from being used on
+			response-policy zones. [RT #41593]
+
+4310.	[performance]	Use __builtin_expect() where available to annotate
+			conditions with known behavior. [RT #41411]
+
+4309.	[cleanup]	Remove the spurious "none" filename from log messages
+			when processing built-in configuration. [RT #41594]
+
+4308.	[func]		Added operating system details to "named -V"
+			output. [RT #41452]
+
+4307.	[bug]		"dig +subnet" and "mdig +subnet" could send
+			incorrectly-formatted Client Subnet options
+			if the prefix length was not divisible by 8.
+			Also fixed a memory leak in "mdig". [RT #45178]
+
+4306.	[maint]		Added a PKCS#11 openssl patch supporting
+			version 1.0.2f [RT #38312]
+
+4305.	[bug]		dnssec-signzone was not removing unnecessary rrsigs
+			from the zone's apex. [RT #41483]
+
+4304.	[port]		xfer system test failed as 'tail -n +value' is not
+			portable. [RT #41315]
+
+4303.	[bug]		"dig +subnet" was unable to send a prefix length of
+			zero, as it was incorrectly changed to 32 for v4
+			prefixes or 128 for v6 prefixes. In addition to
+			fixing this, "dig +subnet=0" has been added as a
+			short form for 0.0.0.0/0. The same changes have
+			also been made in "mdig". [RT #41553]
+
+4302.	[port]		win32: fixed a build error in VS 2015. [RT #41426]
+
+4301.	[bug]		dnssec-settime -p [DP]sync was not working. [RT #41534]
+
+4300.	[bug]		A flag could be set in the wrong field when setting
+			up non-recursive queries; this could cause the
+			SERVFAIL cache to cache responses it shouldn't.
+			New querytrace logging has been added which
+			identified this error. [RT #41155]
+
+4299.	[bug]		Check that exactly totallen bytes are read when
+			reading a RRset from raw files in both single read
+			and incremental modes. [RT #41402]
+
+4298.	[bug]		dns_rpz_add errors in loadzone were not being
+			propagated up the call stack. [RT #41425]
+
+4297.	[test]		Ensure delegations in RPZ zones fail robustly.
+			[RT #41518]
+
+4296.	[bug]		TCP packet sizes were calculated incorrectly in the
+			stats channel; they could be counted in the wrong
+			histogram bucket. [RT #40587]
+
+4295.	[bug]		An unchecked result in dns_message_pseudosectiontotext()
+			could allow incorrect text formatting of EDNS EXPIRE
+			options. [RT #41437]
+
+4294.	[bug]		Fixed a regression in which "rndc stop -p" failed
+			to print the PID. [RT #41513]
+
+4293.	[bug]		Address memory leak on priming query creation failure.
+			[RT #41512]
+
+4292.	[placeholder]
+
+4291.	[cleanup]	Added a required include to dns/forward.h. [RT #41474]
+
+4290.	[func]		The timers returned by the statistics channel
+			(indicating current time, server boot time, and
+			most recent reconfiguration time) are now reported
+			with millisecond accuracy. [RT #40082]
+
+4289.	[bug]		The server could crash due to memory being used
+			after it was freed if a zone transfer timed out.
+			[RT #41297]
+
+4288.	[bug]		Fixed a regression in resolver.c:possibly_mark()
+			which caused known-bogus servers to be queried
+			anyway. [RT #41321]
+
+4287.	[bug]		Silence an overly noisy log message when message
+			parsing fails. [RT #41374]
+
+4286.	[security]	render_ecs errors were mishandled when printing out
+			a OPT record resulting in a assertion failure.
+			(CVE-2015-8705) [RT #41397]
+
+4285.	[security]	Specific APL data could trigger a INSIST.
+			(CVE-2015-8704) [RT #41396]
+
+4284.	[bug]		Some GeoIP options were incorrectly documented
+			using abbreviated forms which were not accepted by
+			named.  The code has been updated to allow both
+			long and abbreviated forms. [RT #41381]
+
+4283.	[bug]		OPENSSL_config is no longer re-callable. [RT #41348]
+
+4282.	[func]		'dig +[no]mapped' determine whether the use of mapped
+			IPv4 addresses over IPv6 is permitted or not.  The
+			default is +mapped.  [RT #41307]
+
+4281.	[bug]		Teach dns_message_totext about BADCOOKIE. [RT #41257]
+
+4280.	[performance]	Use optimal message sizes to improve compression
+			in AXFRs. This reduces network traffic. [RT #40996]
+
+4279.	[test]		Don't use fixed ports when unit testing. [RT #41194]
+
+4278.	[bug]		'delv +short +[no]split[=##]' didn't work as expected.
+			[RT #41238]
+
+4277.	[performance]	Improve performance of the RBT, the central zone
+			datastructure: The aux hashtable was improved,
+			hash function was updated to perform more
+			uniform mapping, uppernode was added to
+			dns_rbtnode, and other cleanups and performance
+			improvements were made. [RT #41165]
+
+4276.	[protocol]	Add support for SMIMEA. [RT #40513]
+
+4275.	[performance]	Lazily initialize dns_compress->table only when
+			compression is enabled. [RT #41189]
+
+4274.	[performance]	Speed up typemap processing from text. [RT #41196]
+
+4273.	[bug]		Only call dns_test_begin() and dns_test_end() once each
+			in nsec3_test as it fails with GOST if called multiple
+			times.
+
+4272.	[bug]		dig: the +norrcomments option didn't work with +multi.
+			[RT #41234]
+
+4271.	[test]		Unit tests could deadlock in isc__taskmgr_pause().
+			[RT #41235]
+
+4270.	[security]	Update allowed OpenSSL versions as named is
+			potentially vulnerable to CVE-2015-3193.
+
+4269.	[bug]		Zones using "map" format master files currently
+			don't work as policy zones.  This limitation has
+			now been documented; attempting to use such zones
+			in "response-policy" statements is now a
+			configuration error.  [RT #38321]
+
+4268.	[func]		"rndc status" now reports the path to the
+			configuration file. [RT #36470]
+
+4267.	[test]		Check sdlz error handling. [RT #41142]
+
+4266.	[placeholder]
+
+4265.	[bug]		Address unchecked isc_mem_get calls. [RT #41187]
+
+4264.	[bug]		Check const of strchr/strrchr assignments match
+			argument's const status. [RT #41150]
+
+4263.	[contrib]	Address compiler warnings in mysqldyn module.
+			[RT #41130]
+
+4262.	[bug]		Fixed a bug in epoll socket code that caused
+			sockets to not be registered for ready
+			notification in some cases, causing named to not
+			read from or write to them, resulting in what
+			appear to the user as blocked connections.
+			[RT #41067]
+
+4261.	[maint]		H.ROOT-SERVERS.NET is 198.97.190.53 and 2001:500:1::53.
+			[RT #40556]
+
+4260.	[security]	Insufficient testing when parsing a message allowed
+			records with an incorrect class to be be accepted,
+			triggering a REQUIRE failure when those records
+			were subsequently cached. (CVE-2015-8000) [RT #40987]
+
+4259.	[func]		Add an option for non-destructive control channel
+			access using a "read-only" clause. In such
+			cases, a restricted set of rndc commands are
+			allowed for querying information from named.
+			[RT #40498]
+
+4258.	[bug]		Limit rndc query message sizes to 32 KiB. This should
+			not break any legitimate rndc commands, but will
+			prevent a rogue rndc query from allocating too
+			much memory. [RT #41073]
+
+4257.	[cleanup]	Python scripts reported incorrect version. [RT #41080]
+
+4256.	[bug]		Allow rndc command arguments to be quoted so as
+			to allow spaces. [RT #36665]
+
+4255.	[performance]	Add 'message-compression' option to disable DNS
+			compression in responses. [RT #40726]
+
+4254.	[bug]		Address missing lock when getting zone's serial.
+			[RT #41072]
+
+4253.	[security]	Address fetch context reference count handling error
+			on socket error. (CVE-2015-8461)  [RT#40945]
+
+4252.	[func]		Add support for automating the generation CDS and
+			CDNSKEY rrsets to named and dnssec-signzone.
+			[RT #40424]
+
+4251.	[bug]		NTAs were deleted when the server was reconfigured
+			or reloaded. [RT #41058]
+
+4250.	[func]		Log the TSIG key in use during inbound zone
+			transfers. [RT #41075]
+
+4249.	[func]		Improve error reporting of TSIG / SIG(0) records in
+			the wrong location. [RT #41030]
+
+4248.	[performance]	Add an isc_atomic_storeq() function, use it in
+			stats counters to improve performance.
+			[RT #39972] [RT #39979]
+
+4247.	[port]		Require both HAVE_JSON and JSON_C_VERSION to be
+			defined to report json library version. [RT #41045]
+
+4246.	[test]		Ensure the statschannel system test runs when BIND
+			is not built with libjson. [RT #40944]
+
+4245.	[placeholder]
+
+4244.	[bug]		The parser was not reporting that use-ixfr is obsolete.
+			[RT #41010]
+
+4243.	[func]		Improved stats reporting from Timothe Litt. [RT #38941]
+
+4242.	[bug]		Replace the client if not already replaced when
+			prefetching. [RT #41001]
+
+4241.	[doc]		Improved the TSIG, TKEY, and SIG(0) sections in
+			the ARM. [RT #40955]
+
+4240.	[port]		Fix LibreSSL compatibility. [RT #40977]
+
+4239.	[func]		Changed default servfail-ttl value to 1 second from 10.
+			Also, the maximum value is now 30 instead of 300.
+			[RT #37556]
+
+4238.	[bug]		Don't send to servers on net zero (0.0.0.0/8).
+			[RT #40947]
+
+4237.	[doc]		Upgraded documentation toolchain to use DocBook 5
+			and dblatex. [RT #40766]
+
+4236.	[performance]	On machines with 2 or more processors (CPU), the
+			default value for the number of UDP listeners
+			has been changed to the number of detected
+			processors minus one. [RT #40761]
+
+4235.	[func]		Added support in named for "dnstap", a fast method of
+			capturing and logging DNS traffic, and a new command
+			"dnstap-read" to read a dnstap log file.  Use
+			"configure --enable-dnstap" to enable this
+			feature (note that this requires libprotobuf-c
+			and libfstrm). See the ARM for configuration details.
+
+			Thanks to Robert Edmonds of Farsight Security.
+			[RT #40211]
+
+4234.	[func]		Add deflate compression in statistics channel HTTP
+			server. [RT #40861]
+
+4233.	[test]		Add tests for CDS and CDNSKEY with delegation-only.
+			[RT #40597]
+
+4232.	[contrib]	Address unchecked memory allocation calls in
+			query-loc and zone2ldap. [RT #40789]
+
+4231.	[contrib]	Address unchecked calloc call in dlz_mysqldyn_mod.c.
+			[RT #40840]
+
+4230.	[contrib]	dlz_wildcard_dynamic.c:dlz_create could return a
+			uninitialized result. [RT #40839]
+
+4229.	[bug]		A variable could be used uninitialized in
+			dns_update_signaturesinc. [RT #40784]
+
+4228.	[bug]		Address race condition in dns_client_destroyrestrans.
+			[RT #40605]
+
+4227.	[bug]		Silence static analysis warnings. [RT #40828]
+
+4226.	[bug]		Address a theoretical shutdown race in
+			zone.c:notify_send_queue(). [RT #38958]
+
+4225.	[port]		freebsd/openbsd:  Use '${CC} -shared' for building
+			shared libraries. [RT #39557]
+
+4224.	[func]		Added support for "dyndb", a new interface for loading
+			zone data from an external database, developed by
+			Red Hat for the FreeIPA project.
+
+			DynDB drivers fully implement the BIND database
+			API, and are capable of significantly better
+			performance and functionality than DLZ drivers,
+			while taking advantage of advanced database
+			features not available in BIND such as multi-master
+			replication.
+
+			Thanks to Adam Tkac and Petr Spacek of Red Hat.
+			[RT #35271]
+
+4223.	[func]		Add support for setting max-cache-size to percentage
+			of available physical memory, set default to 90%.
+			[RT #38442]
+
+4222.	[func]		Bias IPv6 servers when selecting the next server to
+			query. [RT #40836]
+
+4221.	[bug]		Resource leak on DNS_R_NXDOMAIN in fctx_create.
+			[RT #40583]
+
+4220.	[doc]		Improve documentation for zone-statistics.
+			[RT #36955]
+
+4219.	[bug]		Set event->result to ISC_R_WOULDBLOCK on EWOULDBLOCK,
+			EGAIN when these soft error are not retried for
+			isc_socket_send*().
+
+4218.	[bug]		Potential null pointer dereference on out of memory
+			if mmap is not supported. [RT #40777]
+
+4217.	[protocol]	Add support for CSYNC. [RT #40532]
+
+4216.	[cleanup]	Silence static analysis warnings. [RT #40649]
+
+4215.	[bug]		nsupdate: skip to next request on GSSTKEY create
+			failure. [RT #40685]
+
+4214.	[protocol]	Add support for TALINK.  [RT #40544]
+
+4213.	[bug]		Don't reuse a cache across multiple classes.
+			[RT #40205]
+
+4212.	[func]		Re-query if we get a bad client cookie returned over
+			UDP. [RT #40748]
+
+4211.	[bug]		Ensure that lwresd gets at least one task to work
+			with if enabled. [RT #40652]
+
+4210.	[cleanup]	Silence use after free false positive. [RT #40743]
+
+4209.	[bug]		Address resource leaks in dlz modules. [RT #40654]
+
+4208.	[bug]		Address null pointer dereferences on out of memory.
+			[RT #40764]
+
+4207.	[bug]		Handle class mismatches with raw zone files.
+			[RT #40746]
+
+4206.	[bug]		contrib: fixed a possible NULL dereference in
+			DLZ wildcard module. [RT #40745]
+
+4205.	[bug]		'named-checkconf -p' could include unwanted spaces
+			when printing tuples with unset optional fields.
+			[RT #40731]
+
+4204.	[bug]		'dig +trace' failed to lookup the correct type if
+			the initial root NS query was retried. [RT #40296]
+
+4203.	[test]		The rrchecker system test now tests conversion
+			to and from unknown-type format. [RT #40584]
+
+4202.	[bug]		isccc_cc_fromwire() could return an incorrect
+			result. [RT #40614]
+
+4201.	[func]		The default preferred-glue is now the address record
+			type of the transport the query was received
+			over.  [RT #40468]
+
+4200.	[cleanup]	win32: update BINDinstall to be BIND release
+			independent. [RT #38915]
+
+4199.	[protocol]	Add support for NINFO, RKEY, SINK, TA.
+			[RT #40545] [RT #40547] [RT #40561] [RT #40563]
+
+4198.	[placeholder]
+
+4197.	[bug]		'named-checkconf -z' didn't handle 'in-view' clauses.
+			[RT #40603]
+
+4196.	[doc]		Improve how "enum + other" types are documented.
+			[RT #40608]
+
+4195.	[bug]		'max-zone-ttl unlimited;' was broken. [RT #40608]
+
+4194.	[bug]		named-checkconf -p failed to properly print a port
+			range.  [RT #40634]
+
+4193.	[bug]		Handle broken servers that return BADVERS incorrectly.
+			[RT #40427]
+
+4192.	[bug]		The default rrset-order of random was not always being
+			applied. [RT #40456]
+
+4191.	[protocol]	Accept DNS-SD non LDH PTR records in reverse zones
+			as per RFC 6763. [RT #37889]
+
+4190.	[protocol]	Accept Active Directory gc._msdcs.<forest> name as
+			valid with check-names.  <forest> still needs to be
+			LDH. [RT #40399]
+
+4189.	[cleanup]	Don't exit on overly long tokens in named.conf.
+			[RT #40418]
+
+4188.	[bug]		Support HTTP/1.0 client properly on the statistics
+			channel. [RT #40261]
+
+4187.	[func]		When any RR type implementation doesn't
+			implement totext() for the RDATA's wire
+			representation and returns ISC_R_NOTIMPLEMENTED,
+			such RDATA is now printed in unknown
+			presentation format (RFC 3597). RR types affected
+			include LOC(29) and APL(42). [RT #40317].
+
+4186.	[bug]		Fixed an RPZ bug where a QNAME would be matched
+			against a policy RR with wildcard owner name
+			(trigger) where the QNAME was the wildcard owner
+			name's parent. For example, the bug caused a query
+			with QNAME "example.com" to match a policy RR with
+			"*.example.com" as trigger. [RT #40357]
+
+4185.	[bug]		Fixed an RPZ bug where a policy RR with wildcard
+			owner name (trigger) would prevent another policy RR
+			with its parent owner name from being
+			loaded. For example, the bug caused a policy RR
+			with trigger "example.com" to not have any
+			effect when a previous policy RR with trigger
+			"*.example.com" existed in that RPZ zone.
+			[RT #40357]
+
+4184.	[bug]		Fixed a possible memory leak in name compression
+			when rendering long messages. (Also, improved
+			wire_test for testing such messages.) [RT #40375]
+
+4183.	[cleanup]	Use timing-safe memory comparisons in cryptographic
+			code. Also, the timing-safe comparison functions have
+			been renamed to avoid possible confusion with
+			memcmp(). Thanks to Loganaden Velvindron of
+			AFRINIC. [RT #40148]
+
+4182.	[cleanup]	Use mnemonics for RR class and type comparisons.
+			[RT #40297]
+
+4181.	[bug]		Queued notify messages could be dequeued from the
+			wrong rate limiter queue. [RT #40350]
+
+4180.	[bug]		Error responses in pipelined queries could
+			cause a crash in client.c. [RT #40289]
+
+4179.	[bug]		Fix double frees in getaddrinfo() in libirs.
+			[RT #40209]
+
+4178.	[bug]		Fix assertion failure in parsing UNSPEC(103) RR from
+			text. [RT #40274]
+
+4177.	[bug]		Fix assertion failure in parsing NSAP records from
+			text. [RT #40285]
+
+4176.	[bug]		Address race issues with lwresd. [RT #40284]
+
+4175.	[bug]		TKEY with GSS-API keys needed bigger buffers.
+			[RT #40333]
+
+4174.	[bug]		"dnssec-coverage -r" didn't handle time unit
+			suffixes correctly. [RT #38444]
+
+4173.	[bug]		dig +sigchase was not properly matching the trusted
+			key. [RT #40188]
+
+4172.	[bug]		Named / named-checkconf didn't handle a view of CLASS0.
+			[RT #40265]
+
+4171.	[bug]		Fixed incorrect class checks in TSIG RR
+			implementation. [RT #40287]
+
+4170.	[security]	An incorrect boundary check in the OPENPGPKEY
+			rdatatype could trigger an assertion failure.
+			(CVE-2015-5986) [RT #40286]
+
+4169.	[test]		Added a 'wire_test -d' option to read input as
+			raw binary data, for use as a fuzzing harness.
+			[RT #40312]
+
+4168.	[security]	A buffer accounting error could trigger an
+			assertion failure when parsing certain malformed
+			DNSSEC keys. (CVE-2015-5722) [RT #40212]
+
+4167.	[func]		Update rndc's usage output to include recently added
+			commands. Thanks to Tony Finch for submitting a
+			patch. [RT #40010]
+
+4166.	[func]		Print informative output from rndc showzone when
+			allow-new-zones is not enabled for a view. Thanks to
+			Tony Finch for submitting a patch. [RT #40009]
+
+4165.	[security]	A failure to reset a value to NULL in tkey.c could
+			result in an assertion failure. (CVE-2015-5477)
+			[RT #40046]
+
+4164.	[bug]		Don't rename slave files and journals on out of memory.
+			[RT #40033]
+
+4163.	[bug]		Address compiler warnings. [RT #40024]
+
+4162.	[bug]		httpdmgr->flags was not being initialized. [RT #40017]
+
+4161.	[test]		Add JSON test for traffic size stats; also test
+			for consistency between "rndc stats" and the XML
+			and JSON statistics channel contents. [RT #38700]
+
+4160.	[placeholder]
+
+4159.	[cleanup]	Alphabetize dig's help output. [RT #39966]
+
+4158.	[placeholder]
+
+4157.	[placeholder]
+
+4156.	[func]		Added statistics counters to track the sizes
+			of incoming queries and outgoing responses in
+			histogram buckets, as specified in RSSAC002.
+			[RT #39049]
+
+4155.	[func]		Allow RPZ rewrite logging to be configured on a
+			per-zone basis using a newly introduced log clause in
+			the response-policy option. [RT #39754]
+
+4154.	[bug]		A OPT record should be included with the FORMERR
+			response when there is a malformed EDNS option.
+			[RT #39647]
+
+4153.	[bug]		Dig should zero non significant +subnet bits.  Check
+			that non significant ECS bits are zero on receipt.
+			[RT #39647]
+
+4152.	[func]		Implement DNS COOKIE option.  This replaces the
+			experimental SIT option of BIND 9.10.  The following
+			named.conf directives are available: send-cookie,
+			cookie-secret, cookie-algorithm, nocookie-udp-size
+			and require-server-cookie.  The following dig options
+			are available: +[no]cookie[=value] and +[no]badcookie.
+			[RT #39928]
+
+4151.	[bug]		'rndc flush' could cause a deadlock. [RT #39835]
+
+4150.	[bug]		win32: listen-on-v6 { any; }; was not working.  Apply
+			minimal fix.  [RT #39667]
+
+4149.	[bug]		Fixed a race condition in the getaddrinfo()
+			implementation in libirs, which caused the delv
+			utility to crash with an assertion failure when using
+			the '@server' syntax with a hostname argument.
+			[RT #39899]
+
+4148.	[bug]		Fix a bug when printing zone names with '/' character
+			in XML and JSON statistics output. [RT #39873]
+
+4147.	[bug]		Filter-aaaa / filter-aaaa-on-v4 / filter-aaaa-on-v6
+			was returning referrals rather than nodata responses
+			when the AAAA records were filtered.  [RT #39843]
+
+4146.	[bug]		Address reference leak that could prevent a clean
+			shutdown. [RT #37125]
+
+4145.	[bug]		Not all unassociated adb entries where being printed.
+			[RT #37125]
+
+4144.	[func]		Add statistics counters for nxdomain redirections.
+			[RT #39790]
+
+4143.	[placeholder]
+
+4142.	[bug]		rndc addzone with view specified saved NZF config
+			that could not be read back by named. This has now
+			been fixed. [RT #39845]
+
+4141.	[bug]		A formatting bug caused rndc zonestatus to print
+			negative numbers for large serial values. This has
+			now been fixed. [RT #39854]
+
+4140.	[cleanup]	Remove redundant nzf_remove() call during delzone.
+			[RT #39844]
+
+4139.	[doc]		Fix rpz-client-ip documentation. [RT #39783]
+
+4138.	[security]	An uninitialized value in validator.c could result
+			in an assertion failure. (CVE-2015-4620) [RT #39795]
+
+4137.	[bug]		Make rndc reconfig report configuration errors the
+			same way rndc reload does. [RT #39635]
+
+4136.	[bug]		Stale statistics counters with the leading
+			'#' prefix (such as #NXDOMAIN) were not being
+			updated correctly. This has been fixed. [RT #39141]
+
+4135.	[cleanup]	Log expired NTA at startup. [RT #39680]
+
+4134.	[cleanup]	Include client-ip rules when logging the number
+			of RPZ rules of each type. [RT #39670]
+
+4133.	[port]		Update how various json libraries are handled.
+			[RT #39646]
+
+4132.	[cleanup]	dig: added +rd as a synonym for +recurse,
+			added +class as an unabbreviated alternative
+			to +cl. [RT #39686]
+
+4131.	[bug]		Addressed further problems with reloading RPZ
+			zones. [RT #39649]
+
+4130.	[bug]		The compatibility shim for *printf() misprinted some
+			large numbers. [RT #39586]
+
+4129.	[port]		Address API changes in OpenSSL 1.1.0. [RT #39532]
+
+4128.	[bug]		Address issues raised by Coverity 7.6. [RT #39537]
+
+4127.	[protocol]	CDS and CDNSKEY need to be signed by the key signing
+			key as per RFC 7344, Section 4.1. [RT #37215]
+
+4126.	[bug]		Addressed a regression introduced in change #4121.
+			[RT #39611]
+
+4125.	[test]		Added tests for dig, renamed delv test to digdelv.
+			[RT #39490]
+
+4124.	[func]		Log errors or warnings encountered when parsing the
+			internal default configuration.  Clarify the logging
+			of errors and warnings encountered in rndc
+			addzone or modzone parameters. [RT #39440]
+
+4123.	[port]		Added %z (size_t) format options to the portable
+			internal printf/sprintf implementation. [RT #39586]
+
+4122.	[bug]		The server could match a shorter prefix than what was
+			available in CLIENT-IP policy triggers, and so, an
+			unexpected action could be taken. This has been
+			corrected. [RT #39481]
+
+4121.	[bug]		On servers with one or more policy zones
+			configured as slaves, if a policy zone updated
+			during regular operation (rather than at
+			startup) using a full zone reload, such as via
+			AXFR, a bug could allow the RPZ summary data to
+			fall out of sync, potentially leading to an
+			assertion failure in rpz.c when further
+			incremental updates were made to the zone, such
+			as via IXFR. [RT #39567]
+
+4120.	[bug]		A bug in RPZ could cause the server to crash if
+			policy zones were updated while recursion was
+			pending for RPZ processing of an active query.
+			[RT #39415]
+
+4119.	[test]		Allow dig to set the message opcode. [RT #39550]
+
+4118.	[bug]		Teach isc-config.sh about irs. [RT #39213]
+
+4117.	[protocol]	Add EMPTY.AS112.ARPA as per RFC 7534.
+
+4116.	[bug]		Fix a bug in RPZ that could cause some policy
+			zones that did not specifically require
+			recursion to be treated as if they did;
+			consequently, setting qname-wait-recurse no; was
+			sometimes ineffective. [RT #39229]
+
+4115.	[func]		"rndc -r" now prints the result code (e.g.,
+			ISC_R_SUCCESS, ISC_R_TIMEOUT, etc) after
+			running the requested command. [RT #38913]
+
+4114.	[bug]		Fix a regression in radix tree implementation
+			introduced by ECS code. This bug was never
+			released, but it was reported by a user testing
+			master. [RT #38983]
+
+4113.	[test]		Check for Net::DNS is some system test
+			prerequisites. [RT #39369]
+
+4112.	[bug]		Named failed to load when "root-delegation-only"
+			was used without a list of domains to exclude.
+			[RT #39380]
+
+4111.	[doc]		Alphabetize rndc man page. [RT #39360]
+
+4110.	[bug]		Address memory leaks / null pointer dereferences
+			on out of memory. [RT #39310]
+
+4109.	[port]		linux: support reading the local port range from
+			net.ipv4.ip_local_port_range. [RT # 39379]
+
+4108.	[func]		An additional NXDOMAIN redirect method (option
+			"nxdomain-redirect") has been added, allowing
+			redirection to a specified DNS namespace instead
+			of a single redirect zone. [RT #37989]
+
+4107.	[bug]		Address potential deadlock when updating zone content.
+			[RT #39269]
+
+4106.	[port]		Improve readline support. [RT #38938]
+
+4105.	[port]		Misc fixes for Microsoft Visual Studio
+			2015 CTP6 in 64 bit mode. [RT #39308]
+
+4104.	[bug]		Address uninitialized elements. [RT #39252]
+
+4103.	[port]		Misc fixes for Microsoft Visual Studio
+			2015 CTP6. [RT #39267]
+
+4102.	[bug]		Fix a use after free bug introduced in change
+			#4094.  [RT #39281]
+
+4101.	[bug]		dig: the +split and +rrcomments options didn't
+			work with +short. [RT #39291]
+
+4100.	[bug]		Inherited owernames on the line immediately following
+			a $INCLUDE were not working.  [RT #39268]
+
+4099.	[port]		clang: make unknown commandline options hard errors
+			when determining what options are supported.
+			[RT #39273]
+
+4098.	[bug]		Address use-after-free issue when using a
+			predecessor key with dnssec-settime. [RT #39272]
+
+4097.	[func]		Add additional logging about xfrin transfer status.
+			[RT #39170]
+
+4096.	[bug]		Fix a use after free of query->sendevent.
+			[RT #39132]
+
+4095.	[bug]		zone->options2 was not being properly initialized.
+			[RT #39228]
+
+4094.	[bug]		A race during shutdown or reconfiguration could
+			cause an assertion in mem.c. [RT #38979]
+
+4093.	[func]		Dig now learns the SIT value from truncated
+			responses when it retries over TCP. [RT #39047]
+
+4092.	[bug]		'in-view' didn't work for zones beneath a empty zone.
+			[RT #39173]
+
+4091.	[cleanup]	Some cleanups in isc mem code. [RT #38896]
+
+4090.	[bug]		Fix a crash while parsing malformed CAA RRs in
+			presentation format, i.e., from text such as
+			from master files. Thanks to John Van de
+			Meulebrouck Brendgard for discovering and
+			reporting this problem. [RT #39003]
+
+4089.	[bug]		Send notifies immediately for slave zones during
+			startup. [RT #38843]
+
+4088.	[port]		Fixed errors when building with libressl. [RT #38899]
+
+4087.	[bug]		Fix a crash due to use-after-free due to sequencing
+			of tasks actions. [RT #38495]
+
+4086.	[bug]		Fix out-of-srcdir build with native pkcs11. [RT #38831]
+
+4085.	[bug]		ISC_PLATFORM_HAVEXADDQ could be inconsistently set.
+			[RT #38828]
+
+4084.	[bug]		Fix a possible race in updating stats counters.
+			[RT #38826]
+
+4083.	[cleanup]	Print the number of CPUs and UDP listeners
+			consistently in the log and in "rndc status"
+			output; indicate whether threads are supported
+			in "named -V" output. [RT #38811]
+
+4082.	[bug]		Incrementally sign large inline zone deltas.
+			[RT #37927]
+
+4081.	[cleanup]	Use dns_rdatalist_init consistently. [RT #38759]
+
+4080.	[func]		Completed change #4022, adding a "lock-file" option
+			to named.conf to override the default lock file,
+			in addition to the "named -X <filename>" command
+			line option.  Setting the lock file to "none"
+			using either method disables the check completely.
+			[RT #37908]
+
+4079.	[func]		Preserve the case of the owner name of records to
+			the RRset level. [RT #37442]
+
+4078.	[bug]		Handle the case where CMSG_SPACE(sizeof(int)) !=
+			CMSG_SPACE(sizeof(char)). [RT #38621]
+
+4077.	[test]		Add static-stub regression test for DS NXDOMAIN
+			return making the static stub disappear. [RT #38564]
+
+4076.	[bug]		Named could crash on shutdown with outstanding
+			reload / reconfig events. [RT #38622]
+
+4075.	[placeholder]
+
+4074.	[cleanup]	Cleaned up more warnings from gcc -Wshadow. [RT #38708]
+
+4073.	[cleanup]	Add libjson-c version number reporting to
+			"named -V"; normalize version number formatting.
+			[RT #38056]
+
+4072.	[func]		Add a --enable-querytrace configure switch for
+			very verbose query trace logging. (This option
+			has a negative performance impact and should be
+			used only for debugging.) [RT #37520]
+
+4071.	[cleanup]	Initialize pthread mutex attrs just once, instead of
+			doing it per mutex creation. [RT #38547]
+
+4070.	[bug]		Fix a segfault in nslookup in a query such as
+			"nslookup isc.org AMS.SNS-PB.ISC.ORG -all".
+			[RT #38548]
+
+4069.	[doc]		Reorganize options in the nsupdate man page.
+			[RT #38515]
+
+4068.	[bug]		Omit unknown serial number from JSON zone statistics.
+			[RT #38604]
+
+4067.	[cleanup]	Reduce noise from RRL when query logging is
+			disabled. [RT #38648]
+
+4066.	[doc]		Reorganize options in the dig man page. [RT #38516]
+
+4065.	[test]		Additional RFC 5011 tests. [RT #38569]
+
+4064.	[contrib]	dnssec-keyset.sh: Generates a specified number
+			of DNSSEC keys with timing set to implement a
+			pre-publication key rollover strategy. Thanks
+			to Jeffry A. Spain. [RT #38459]
+
+4063.	[bug]		Asynchronous zone loads were not handled
+			correctly when the zone load was already in
+			progress; this could trigger a crash in zt.c.
+			[RT #37573]
+
+4062.	[bug]		Fix an out-of-bounds read in RPZ code. If the
+			read succeeded, it doesn't result in a bug
+			during operation. If the read failed, named
+			could segfault. [RT #38559]
+
+4061.	[bug]		Handle timeout in legacy system test. [RT #38573]
+
+4060.	[bug]		dns_rdata_freestruct could be called on a
+			uninitialized structure when handling a error.
+			[RT #38568]
+
+4059.	[bug]		Addressed valgrind warnings. [RT #38549]
+
+4058.	[bug]		UDP dispatches could use the wrong pseudorandom
+			number generator context. [RT #38578]
+
+4057.	[bug]		'dnssec-dsfromkey -T 0' failed to add ttl field.
+			[RT #38565]
+
+4056.	[bug]		Expanded automatic testing of trust anchor
+			management and fixed several small bugs including
+			a memory leak and a possible loss of key state
+			information. [RT #38458]
+
+4055.	[func]		"rndc managed-keys" can be used to check status
+			of trust anchors or to force keys to be refreshed,
+			Also, the managed keys data file has easier-to-read
+			comments.  [RT #38458]
+
+4054.	[func]		Added a new tool 'mdig', a lightweight clone of
+			dig able to send multiple pipelined queries.
+			[RT #38261]
+
+4053.	[security]	Revoking a managed trust anchor and supplying
+			an untrusted replacement could cause named
+			to crash with an assertion failure.
+			(CVE-2015-1349) [RT #38344]
+
+4052.	[bug]		Fix a leak of query fetchlock. [RT #38454]
+
+4051.	[bug]		Fix a leak of pthread_mutexattr_t. [RT #38454]
+
+4050.	[bug]		RPZ could send spurious SERVFAILs in response
+			to duplicate queries. [RT #38510]
+
+4049.	[bug]		CDS and CDNSKEY had the wrong attributes. [RT #38491]
+
+4048.	[bug]		adb hash table was not being grown. [RT #38470]
+
+4047.	[cleanup]	"named -V" now reports the current running versions
+			of OpenSSL and the libxml2 libraries, in addition to
+			the versions that were in use at build time.
+
+4046.	[bug]		Accounting of "total use" in memory context
+			statistics was not correct. [RT #38370]
+
+4045.	[bug]		Skip to next master on dns_request_createvia4 failure.
+			[RT #25185]
+
+4044.	[bug]		Change 3955 was not complete, resulting in an assertion
+			failure if the timing was just right. [RT #38352]
+
+4043.	[func]		"rndc modzone" can be used to modify the
+			configuration of an existing zone, using similar
+			syntax to "rndc addzone". [RT #37895]
+
+4042.	[bug]		zone.c:iszonesecure was being called too late.
+			[RT #38371]
+
+4041.	[func]		TCP sockets can now be shared while connecting.
+			(This will be used to enable client-side support
+			of pipelined queries.) [RT #38231]
+
+4040.	[func]		Added server-side support for pipelined TCP
+			queries. Clients may continue sending queries via
+			TCP while previous queries are being processed
+			in parallel.  (The new "keep-response-order"
+			option allows clients to be specified for which
+			the old behavior will still be used.) [RT #37821]
+
+4039.	[cleanup]	Cleaned up warnings from gcc -Wshadow. [RT #37381]
+
+4038.	[bug]		Add 'rpz' flag to node and use it to determine whether
+			to call dns_rpz_delete.  This should prevent unbalanced
+			add / delete calls. [RT #36888]
+
+4037.	[bug]		also-notify was ignoring the tsig key when checking
+			for duplicates resulting in some expected notify
+			messages not being sent. [RT #38369]
+
+4036.	[bug]		Make call to open a temporary file name safe during
+			NZF creation. [RT #38331]
+
+4035.	[bug]		Close temporary and NZF FILE pointers before moving
+			the former into the latter's place, as required on
+			Windows. [RT #38332]
+
+4034.	[func]		When added, negative trust anchors (NTA) are now
+			saved to files (viewname.nta), in order to
+			persist across restarts of the named server.
+			[RT #37087]
+
+4033.	[bug]		Missing out of memory check in request.c:req_send.
+			[RT #38311]
+
+4032.	[bug]		Built-in "empty" zones did not correctly inherit the
+			"allow-transfer" ACL from the options or view.
+			[RT #38310]
+
+4031.	[bug]		named-checkconf -z failed to report a missing file
+			with a hint zone. [RT #38294]
+
+4030.	[func]		"rndc delzone" is now applicable to zones that were
+			configured in named.conf, as well as zones that
+			were added via "rndc addzone". (Note, however, that
+			if named.conf is not also modified, the deleted zone
+			will return when named is reloaded.) [RT #37887]
+
+4029.	[func]		"rndc showzone" displays the current configuration
+			of a specified zone. [RT #37887]
+
+4028.	[bug]		$GENERATE with a zero step was not being caught as a
+			error.  A $GENERATE with a / but no step was not being
+			caught as a error. [RT #38262]
+
+4027.	[port]		Net::DNS 0.81 compatibility. [RT #38165]
+
+4026.	[bug]		Fix RFC 3658 reference in dig +sigchase. [RT #38173]
+
+4025.	[port]		bsdi: failed to build. [RT #38047]
+
+4024.	[bug]		dns_rdata_opt_first, dns_rdata_opt_next,
+			dns_rdata_opt_current, dns_rdata_txt_first,
+			dns_rdata_txt_next and dns_rdata_txt_current were
+			documented but not implemented.  These have now been
+			implemented.
+
+			dns_rdata_spf_first, dns_rdata_spf_next and
+			dns_rdata_spf_current were documented but not
+			implemented.  The prototypes for these
+			functions have been removed. [RT #38068]
+
+4023.	[bug]		win32: socket handling with explicit ports and
+			invoking named with -4 was broken for some
+			configurations. [RT #38068]
+
+4022.	[func]		Stop multiple spawns of named by limiting number of
+			processes to 1. This is done by using a lockfile and
+			checking whether we can listen on any configured
+			TCP interfaces. [RT #37908]
+
+4021.	[bug]		Adjust max-recursion-queries to accommodate
+			the need for more queries when the cache is
+			empty. [RT #38104]
+
+4020.	[bug]		Change 3736 broke nsupdate's SOA MNAME discovery
+			resulting in updates being sent to the wrong server.
+			[RT #37925]
+
+4019.	[func]		If named is not configured to validate the answer
+			then allow fallback to plain DNS on timeout even
+			when we know the server supports EDNS. [RT #37978]
+
+4018.	[placeholder]
+
+4017.	[test]		Add system test to check lookups to legacy servers
+			with broken DNS behavior. [RT #37965]
+
+4016.	[bug]		Fix a dig segfault due to bad linked list usage.
+			[RT #37591]
+
+4015.	[bug]		Nameservers that are skipped due to them being
+			CNAMEs were not being logged. They are now logged
+			to category 'cname' as per BIND 8. [RT #37935]
+
+4014.	[bug]		When including a master file origin_changed was
+			not being properly set leading to a potentially
+			spurious 'inherited owner' warning. [RT #37919]
+
+4013.	[func]		Add a new tcp-only option to server (config) /
+			peer (struct) to use TCP transport to send
+			queries (in place of UDP transport with a
+			TCP fallback on truncated (TC set) response).
+			[RT #37800]
+
+4012.	[cleanup]	Check returned status of OpenSSL digest and HMAC
+			functions when they return one. Note this applies
+			only to FIPS capable OpenSSL libraries put in
+			FIPS mode and MD5. [RT #37944]
+
+4011.	[bug]		master's list port and dscp inheritance was not
+			properly implemented. [RT #37792]
+
+4010.	[cleanup]	Clear the prefetchable state when initiating a
+			prefetch. [RT #37399]
+
+4009.	[func]		delv: added a +tcp option. [RT #37855]
+
+4008.	[contrib]	Updated zkt to latest version (1.1.3). [RT #37886]
+
+4007.	[doc]		Remove acl forward reference restriction. [RT #37772]
+
+4006.	[security]	A flaw in delegation handling could be exploited
+			to put named into an infinite loop.  This has
+			been addressed by placing limits on the number
+			of levels of recursion named will allow (default 7),
+			and the number of iterative queries that it will
+			send (default 50) before terminating a recursive
+			query (CVE-2014-8500).
+
+			The recursion depth limit is configured via the
+			"max-recursion-depth" option, and the query limit
+			via the "max-recursion-queries" option.  [RT #37580]
+
+4005.	[func]		The buffer used for returning text from rndc
+			commands is now dynamically resizable, allowing
+			arbitrarily large amounts of text to be sent back
+			to the client. (Prior to this change, it was
+			possible for the output of "rndc tsig-list" to be
+			truncated.) [RT #37731]
+
+4004.	[bug]		When delegations had AAAA glue but not A, a
+			reference could be leaked causing an assertion
+			failure on shutdown. [RT #37796]
+
+4003.	[security]	When geoip-directory was reconfigured during
+			named run-time, the previously loaded GeoIP
+			data could remain, potentially causing wrong
+			ACLs to be used or wrong results to be served
+			based on geolocation (CVE-2014-8680). [RT #37720]
+
+4002.	[security]	Lookups in GeoIP databases that were not
+			loaded could cause an assertion failure
+			(CVE-2014-8680). [RT #37679]
+
+4001.	[security]	The caching of GeoIP lookups did not always
+			handle address families correctly, potentially
+			resulting in an assertion failure (CVE-2014-8680).
+			[RT #37672]
+
+4000.	[bug]		NXDOMAIN redirection incorrectly handled NXRRSET
+			from the redirect zone. [RT #37722]
+
+3999.	[func]		"mkeys" and "nzf" files are now named after
+			their corresponding views, unless the view name
+			contains characters that would be incompatible
+			with use in a filename (i.e., slash, backslash,
+			or capital letters). If a view name does contain
+			these characters, the files will still be named
+			using a cryptographic hash of the view name.
+			Regardless of this, if a file using the old name
+			format is found to exist, it will continue to be
+			used. [RT #37704]
+
+3998.	[bug]		isc_radix_search was returning matches that were
+			too precise. [RT #37680]
+
+3997.	[protocol]	Add OPENGPGKEY record. [RT# 37671]
+
+3996.	[bug]		Address use after free on out of memory error in
+			keyring_add. [RT #37639]
+
+3995.	[bug]		receive_secure_serial holds the zone lock for too
+			long. [RT #37626]
+
+3994.	[func]		Dig now supports setting the last unassigned DNS
+			header flag bit (dig +zflag). [RT #37421]
+
+3993.	[func]		Dig now supports EDNS negotiation by default.
+			(dig +[no]ednsnegotiation).
+
+			Note:  This is disabled by default in BIND 9.10
+			and enabled by default in BIND 9.11.  [RT #37604]
+
+3992.	[func]		DiG can now send queries without questions
+			(dig +header-only). [RT #37599]
+
+3991.	[func]		Add the ability to buffer logging output by specifying
+			"buffered yes;" when defining a channel. [RT #26561]
+
+3990.	[test]		Add tests for unknown DNSSEC algorithm handling.
+			[RT #37541]
+
+3989.	[cleanup]	Remove redundant dns_db_resigned calls. [RT #35748]
+
+3988.	[func]		Allow the zone serial of a dynamically updatable
+			zone to be updated via "rndc signing -serial".
+			[RT #37404]
+
+3987.	[port]		Handle future Visual Studio 14 incompatible changes.
+			[RT #37380]
+
+3986.	[doc]		Add the BIND version number to page footers
+			in the ARM. [RT #37398]
+
+3985.	[doc]		Describe how +ndots and +search interact in dig.
+			[RT #37529]
+
+3984.	[func]		Accept 256 byte long PINs in native PKCS#11
+			crypto. [RT #37410]
+
+3983.	[bug]		Change #3940 was incomplete: negative trust anchors
+			could be set to last up to a week, but the
+			"nta-lifetime" and "nta-recheck" options were
+			still limited to one day. [RT #37522]
+
+3982.	[doc]		Include release notes in product documentation.
+			[RT #37272]
+
+3981.	[bug]		Cache DS/NXDOMAIN independently of other query types.
+			[RT #37467]
+
+3980.	[bug]		Improve --with-tuning=large by self tuning of SO_RCVBUF
+			size. [RT #37187]
+
+3979.	[bug]		Negative trust anchor fetches were not properly
+			managed. [RT #37488]
+
+3978.	[test]		Added a unit test for Diffie-Hellman key
+			computation, completing change #3974. [RT #37477]
+
+3977.	[cleanup]	"rndc secroots" reported a "not found" error when
+			there were no negative trust anchors set. [RT #37506]
+
+3976.	[bug]		When refreshing managed-key trust anchors, clear
+			any cached trust so that they will always be
+			revalidated with the current set of secure
+			roots. [RT #37506]
+
+3975.	[bug]		Don't populate or use the bad cache for queries that
+			don't request or use recursion. [RT #37466]
+
+3974.	[bug]		Handle DH_compute_key() failure correctly in
+			openssldh_link.c. [RT #37477]
+
+3973.	[test]		Added hooks for Google Performance Tools CPU profiler,
+			including real-time/wall-clock profiling. Use
+			"configure --with-gperftools-profiler" to enable.
+			[RT #37339]
+
+3972.	[bug]		Fix host's usage statement. [RT #37397]
+
+3971.	[bug]		Reduce the cascading failures due to a bad $TTL line
+			in named-checkconf / named-checkzone. [RT #37138]
+
+3970.	[contrib]	Fixed a use after free bug in the SDB LDAP driver.
+			[RT #37237]
+
+3969.	[test]		Added 'delv' system test. [RT #36901]
+
+3968.	[bug]		Silence spurious log messages when using 'named -[46]'.
+			[RT #37308]
+
+3967.	[test]		Add test for inlined signed zone in multiple views
+			with different DNSKEY sets. [RT #35759]
+
+3966.	[bug]		Missing dns_db_closeversion call in receive_secure_db.
+			[RT #35746]
+
+3965.	[func]		Log outgoing packets and improve packet logging to
+			support logging the remote address. [RT #36624]
+
+3964.	[func]		nsupdate now performs check-names processing.
+			[RT #36266]
+
+3963.	[test]		Added NXRRSET test cases to the "dlzexternal"
+			system test. [RT #37344]
+
+3962.	[bug]		'dig +topdown +trace +sigchase' address unhandled error
+			conditions. [RT #34663]
+
+3961.	[bug]		Forwarding of SIG(0) signed UPDATE messages failed with
+			BADSIG.  [RT #37216]
+
+3960.	[bug]		'dig +sigchase' could loop forever. [RT #37220]
+
+3959.	[bug]		Updates could be lost if they arrived immediately
+			after a rndc thaw. [RT #37233]
+
+3958.	[bug]		Detect when writeable files have multiple references
+			in named.conf. [RT #37172]
+
+3957.	[bug]		"dnssec-keygen -S" failed for ECCGOST, ECDSAP256SHA256
+			and ECDSAP384SHA384. [RT #37183]
+
+3956.	[func]		Notify messages are now rate limited by notify-rate and
+			startup-notify-rate instead of serial-query-rate.
+			[RT #24454]
+
+3955.	[bug]		Notify messages due to changes are no longer queued
+			behind startup notify messages. [RT #24454]
+
+3954.	[bug]		Unchecked mutex init in dlz_dlopen_driver.c [RT #37112]
+
+3953.	[bug]		Don't escape semi-colon in TXT fields. [RT #37159]
+
+3952.	[bug]		dns_name_fullcompare failed to set *nlabelsp when the
+			two name pointers were the same. [RT #37176]
+
+3951.	[func]		Add the ability to set yet-to-be-defined EDNS flags
+			to dig (+ednsflags=#). [RT #37142]
+
+3950.	[port]		Changed the bin/python Makefile to work around a
+			bmake bug in FreeBSD 10 and NetBSD 6. [RT #36993]
+
+3949.	[experimental]	Experimental support for draft-andrews-edns1 by sending
+			EDNS(1) queries (define DRAFT_ANDREWS_EDNS1 when
+			building).  Add support for limiting the EDNS version
+			advertised to servers: server { edns-version 0; };
+			Log the EDNS version received in the query log.
+			[RT #35864]
+
+3948.	[port]		solaris: RCVBUFSIZE was too large on Solaris with
+			--with-tuning=large. [RT #37059]
+
+3947.	[cleanup]	Set the executable bit on libraries when using
+			libtool. [RT #36786]
+
+3946.	[cleanup]	Improved "configure" search for a python interpreter.
+			[RT #36992]
+
+3945.	[bug]		Invalid wildcard expansions could be incorrectly
+			accepted by the validator. [RT #37093]
+
+3944.	[test]		Added a regression test for "server-id". [RT #37057]
+
+3943.	[func]		SERVFAIL responses can now be cached for a
+			limited time (configured by "servfail-ttl",
+			default 10 seconds, limit 30). This can reduce
+			the frequency of retries when an authoritative
+			server is known to be failing, e.g., due to
+			ongoing DNSSEC validation problems. [RT #21347]
+
+3942.	[bug]		Wildcard responses from a optout range should be
+			marked as insecure. [RT #37072]
+
+3941.	[doc]		Include the BIND version number in the ARM. [RT #37067]
+
+3940.	[func]		"rndc nta" now allows negative trust anchors to be
+			set for up to one week. [RT #37069]
+
+3939.	[func]		Improve UPDATE forwarding performance by allowing TCP
+			connections to be shared. [RT #37039]
+
+3938.	[func]		Added quotas to be used in recursive resolvers
+			that are under high query load for names in zones
+			whose authoritative servers are nonresponsive or
+			are experiencing a denial of service attack.
+
+			- "fetches-per-server" limits the number of
+			  simultaneous queries that can be sent to any
+			  single authoritative server.  The configured
+			  value is a starting point; it is automatically
+			  adjusted downward if the server is partially or
+			  completely non-responsive. The algorithm used to
+			  adjust the quota can be configured via the
+			  "fetch-quota-params" option.
+			- "fetches-per-zone" limits the number of
+			  simultaneous queries that can be sent for names
+			  within a single domain.  (Note: Unlike
+			  "fetches-per-server", this value is not
+			  self-tuning.)
+			- New stats counters have been added to count
+			  queries spilled due to these quotas.
+
+			See the ARM for details of these options. [RT #37125]
+
+3937.	[func]		Added some debug logging to better indicate the
+			conditions causing SERVFAILs when resolving.
+			[RT #35538]
+
+3936.	[func]		Added authoritative support for the EDNS Client
+			Subnet (ECS) option.
+
+			ACLs can now include "ecs" elements which specify
+			an address or network prefix; if an ECS option is
+			included in a DNS query, then the address encoded
+			in the option will be matched against "ecs" ACL
+			elements.
+
+			Also, if an ECS address is included in a query,
+			then it will be used instead of the client source
+			address when matching "geoip" ACL elements.  This
+			behavior can be overridden with "geoip-use-ecs no;".
+			(Note: to enable "geoip" ACLs, use "configure
+			--with-geoip". This requires libGeoIP version
+			1.5.0 or higher.)
+
+			When "ecs" or "geoip" ACL elements are used to
+			select a view for a query, the response will include
+			an ECS option to indicate which client network the
+			answer is valid for.
+
+			(Thanks to Vincent Bernat.) [RT #36781]
+
+3935.	[bug]		"geoip asnum" ACL elements would not match unless
+			the full organization name was specified.  They
+			can now match against the AS number alone (e.g.,
+			AS1234). [RT #36945]
+
+3934.	[bug]		Catch bad 'sit-secret' in named-checkconf.  Improve
+			sit-secret documentation. [RT #36980]
+
+3933.	[bug]		Corrected the implementation of dns_rdata_casecompare()
+			for the HIP rdata type.  [RT #36911]
+
+3932.	[test]		Improved named-checkconf tests. [RT #36911]
+
+3931.	[cleanup]	Cleanup how dlz grammar is defined. [RT #36879]
+
+3930.	[bug]		"rndc nta -r" could cause a server hang if the
+			NTA was not found. [RT #36909]
+
+3929.	[bug]		'host -a' needed to clear idnoptions. [RT #36963]
+
+3928.	[test]		Improve rndc system test. [RT #36898]
+
+3927.	[bug]		dig: report PKCS#11 error codes correctly when
+			compiled with --enable-native-pkcs11. [RT #36956]
+
+3926.	[doc]		Added doc for geoip-directory. [RT #36877]
+
+3925.	[bug]		DS lookup of RFC 1918 empty zones failed. [RT #36917]
+
+3924.	[bug]		Improve 'rndc addzone' error reporting. [RT #35187]
+
+3923.	[bug]		Sanity check the xml2-config output. [RT #22246]
+
+3922.	[bug]		When resigning, dnssec-signzone was removing
+			all signatures from delegation nodes. It now
+			retains DS and (if applicable) NSEC signatures.
+			[RT #36946]
+
+3921.	[bug]		AD was inappropriately set on RPZ responses. [RT #36833]
+
+3920.	[doc]		Added doc for masterfile-style. [RT #36823]
+
+3919.	[bug]		dig: continue to next line if a address lookup fails
+			in batch mode. [RT #36755]
+
+3918.	[doc]		Update check-spf documentation. [RT #36910]
+
+3917.	[bug]		dig, nslookup and host now continue on names that are
+			too long after applying a search list elements.
+			[RT #36892]
+
+3916.	[contrib]	zone2sqlite checked wrong result code.  Address
+			compiler warnings. [RT #36931]
+
+3915.	[bug]		Address a assertion if a route event arrived while
+			shutting down. [RT #36887]
+
+3914.	[bug]		Allow the URI target and CAA value fields to
+			be zero length. [RT #36737]
+
+3913.	[bug]		Address race issue in dispatch. [RT #36731]
+
+3912.	[bug]		Address some unrecoverable lookup failures. [RT #36330]
+
+3911.	[func]		Implement EDNS EXPIRE option client side, allowing
+			a slave server to set the expiration timer correctly
+			when transferring zone data from another slave
+			server. [RT #35925]
+
+3910.	[bug]		Fix races to free event during shutdown. [RT #36720]
+
+3909.	[bug]		When computing the number of elements required for a
+			acl count_acl_elements could have a short count leading
+			to a assertion failure.  Also zero out new acl elements
+			in dns_acl_merge.  [RT #36675]
+
+3908.	[bug]		rndc now differentiates between a zone in multiple
+			views and a zone that doesn't exist at all. [RT #36691]
+
+3907.	[cleanup]	Alphabetize rndc help. [RT #36683]
+
+3906.	[protocol]	Update URI record format to comply with
+			draft-faltstrom-uri-08. [RT #36642]
+
+3905.	[bug]		Address deadlock between view.c and adb.c. [RT #36341]
+
+3904.	[func]		Add the RPZ SOA to the additional section. [RT36507]
+
+3903.	[bug]		Improve the accuracy of DiG's reported round trip
+			time. [RT 36611]
+
+3902.	[bug]		liblwres wasn't handling link-local addresses in
+			nameserver clauses in resolv.conf. [RT #36039]
+
+3901.	[protocol]	Added support for CAA record type (RFC 6844).
+			[RT #36625]
+
+3900.	[bug]		Fix a crash in PostgreSQL DLZ driver. [RT #36637]
+
+3899.	[bug]		"request-ixfr" is only applicable to slave and redirect
+			zones. [RT #36608]
+
+3898.	[bug]		Too small a buffer in tohexstr() calls in test code.
+			[RT #36598]
+
+3897.	[bug]		RPZ summary information was not properly being updated
+			after a AXFR resulting in changes sometimes being
+			ignored.  [RT #35885]
+
+3896.	[bug]		Address performance issues with DSCP code on some
+			platforms. [RT #36534]
+
+3895.	[func]		Add the ability to set the DSCP code point to dig.
+			[RT #36546]
+
+3894.	[bug]		Buffers in isc_print_vsnprintf were not properly
+			initialized leading to potential overflows when
+			printing out quad values. [RT #36505]
+
+3893.	[bug]		Peer DSCP values could be returned without being set.
+			[RT #36538]
+
+3892.	[bug]		Setting '-t aaaa' in .digrc had unintended side
+			effects. [RT #36452]
+
+3891.	[bug]		Use ${INSTALL_SCRIPT} rather than ${INSTALL_PROGRAM}
+			to install python programs.
+
+3890.	[bug]		RRSIG sets that were not loaded in a single transaction
+			at start up where not being correctly added to
+			re-signing heaps.  [RT #36302]
+
+3889.	[port]		hurd: configure fixes as per:
+			https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746540
+
+3888.	[func]		'rndc status' now reports the number of automatic
+			zones. [RT #36015]
+
+3887.	[cleanup]	Make all static symbols in rbtdb64 end in "64" so
+			they are easier to use in a debugger. [RT #36373]
+
+3886.	[bug]		rbtdb_write_header should use a once to initialize
+			FILE_VERSION. [RT #36374]
+
+3885.	[port]		Use 'open()' rather than 'file()' to open files in
+			python.
+
+3884.	[protocol]	Add CDS and CDNSKEY record types. [RT #36333]
+
+3883.	[placeholder]
+
+3882.	[func]		By default, negative trust anchors will be tested
+			periodically to see whether data below them can be
+			validated, and if so, they will be allowed to
+			expire early. The "rndc nta -force" option
+			overrides this behavior.  The default NTA lifetime
+			and the recheck frequency can be configured by the
+			"nta-lifetime" and "nta-recheck" options. [RT #36146]
+
+3881.	[bug]		Address memory leak with UPDATE error handling.
+			[RT #36303]
+
+3880.	[test]		Update ans.pl to work with new TSIG support in
+			Net::DNS; add additional Net::DNS version prerequisite
+			checks. [RT #36327]
+
+3879.	[func]		Add version printing option to various BIND utilities.
+			[RT #10686]
+
+3878.	[bug]		Using the incorrect filename for a DLZ module
+			caused a segmentation fault on startup. [RT #36286]
+
+3877.	[bug]		Inserting and deleting parent and child nodes
+			in response policy zones could trigger an assertion
+			failure. [RT #36272]
+
+3876.	[bug]		Improve efficiency of DLZ redirect zones by
+			suppressing unnecessary database lookups. [RT #35835]
+
+3875.	[cleanup]	Clarify log message when unable to read private
+			key files. [RT #24702]
+
+3874.	[test]		Check that only "check-names master" is needed for
+			updates to be accepted.
+
+3873.	[protocol]	Only warn for SPF without TXT spf record. [RT #36210]
+
+3872.	[bug]		Address issues found by static analysis. [RT #36209]
+
+3871.	[bug]		Don't publish an activated key automatically before
+			its publish time. [RT #35063]
+
+3870.	[func]		Updated the random number generator used in
+			the resolver to use the updated ChaCha based one
+			(similar to OpenBSD's changes). Also moved the
+			RNG to libisc and added unit tests for it.
+			[RT #35942]
+
+3869.	[doc]		Document that in-view zones cannot be used for
+			response policy zones. [RT #35941]
+
+3868.	[bug]		isc_mem_setwater incorrectly cleared hi_called
+			potentially leaving over memory cleaner running.
+			[RT #35270]
+
+3867.	[func]		"rndc nta" can now be used to set a temporary
+			negative trust anchor, which disables DNSSEC
+			validation below a specified name for a specified
+			period of time (not exceeding 24 hours).  This
+			can be used when validation for a domain is known
+			to be failing due to a configuration error on
+			the part of the domain owner rather than a
+			spoofing attack. [RT #29358]
+
+3866.	[bug]		Named could die on disk full in generate_session_key.
+			[RT #36119]
+
+3865.	[test]		Improved testability of the red-black tree
+			implementation and added unit tests. [RT #35904]
+
+3864.	[bug]		RPZ didn't work well when being used as forwarder.
+			[RT #36060]
+
+3863.	[bug]		The "E" flag was missing from the query log as a
+			unintended side effect of code rearrangement to
+			support EDNS EXPIRE. [RT #36117]
+
+3862.	[cleanup]	Return immediately if we are not going to log the
+			message in ns_client_dumpmessage.
+
+3861.	[security]	Missing isc_buffer_availablelength check results
+			in a REQUIRE assertion when printing out a packet
+			(CVE-2014-3859).  [RT #36078]
+
+3860.	[bug]		ioctl(DP_POLL) array size needs to be determined
+			at run time as it is limited to {OPEN_MAX}.
+			[RT #35878]
+
+3859.	[placeholder]
+
+3858.	[bug]		Disable GCC 4.9 "delete null pointer check".
+			[RT #35968]
+
+3857.	[bug]		Make it harder for a incorrect NOEDNS classification
+			to be made. [RT #36020]
+
+3856.	[bug]		Configuring libjson without also configuring libxml
+			resulted in a REQUIRE assertion when retrieving
+			statistics using json. [RT #36009]
+
+3855.	[bug]		Limit smoothed round trip time aging to no more than
+			once a second. [RT #32909]
+
+3854.	[cleanup]	Report unrecognized options, if any, in the final
+			configure summary. [RT #36014]
+
+3853.	[cleanup]	Refactor dns_rdataslab_fromrdataset to separate out
+			the handling of a rdataset with no records. [RT #35968]
+
+3852.	[func]		Increase the default number of clients available
+			for servicing lightweight resolver queries, and
+			make them configurable via the "lwres-tasks" and
+			"lwres-clients" options.  (Thanks to Tomas Hozza.)
+			[RT #35857]
+
+3851.	[func]		Allow libseccomp based system-call filtering
+			on Linux; use "configure --enable-seccomp" to
+			turn it on.  Thanks to Loganaden Velvindron
+			of AFRINIC for the contribution. [RT #35347]
+
+3850.	[bug]		Disabling forwarding could trigger a REQUIRE assertion.
+			[RT #35979]
+
+3849.	[doc]		Alphabetized dig's +options. [RT #35992]
+
+3848.	[bug]		Adjust 'statistics-channels specified but not effective'
+			error message to account for JSON support. [RT #36008]
+
+3847.	[bug]		'configure --with-dlz-postgres' failed to fail when
+			there is not support available.
+
+3846.	[bug]		"dig +notcp ixfr=<serial>" should result in a UDP
+			ixfr query. [RT #35980]
+
+3845.	[placeholder]
+
+3844.	[bug]		Use the x64 version of the Microsoft Visual C++
+			Redistributable when built for 64 bit Windows.
+			[RT #35973]
+
+3843.	[protocol]	Check EDNS EXPIRE option in dns_rdata_fromwire.
+			[RT #35969]
+
+3842.	[bug]		Adjust RRL log-only logging category. [RT #35945]
+
+3841.	[cleanup]	Refactor zone.c:add_opt to use dns_message_buildopt.
+			[RT #35924]
+
+3840.	[port]		Check for arc4random_addrandom() before using it;
+			it's been removed from OpenBSD 5.5. [RT #35907]
+
+3839.	[test]		Use only posix-compatible shell in system tests.
+			[RT #35625]
+
+3838.	[protocol]	EDNS EXPIRE as been assigned a code point of 9.
+
+3837.	[security]	A NULL pointer is passed to query_prefetch resulting
+			a REQUIRE assertion failure when a fetch is actually
+			initiated (CVE-2014-3214).  [RT #35899]
+
+3836.	[bug]		Address C++ keyword usage in header file.
+
+3835.	[bug]		Geoip ACL elements didn't work correctly when
+			referenced via named or nested ACLs. [RT #35879]
+
+3834.	[bug]		The re-signing heaps were not being updated soon enough
+			leading to multiple re-generations of the same RRSIG
+			when a zone transfer was in progress. [RT #35273]
+
+3833.	[bug]		Cross compiling was broken due to calling genrandom at
+			build time. [RT #35869]
+
+3832.	[func]		"named -L <filename>" causes named to send log
+			messages to the specified file by default instead
+			of to the system log. (Thanks to Tony Finch.)
+			[RT #35845]
+
+3831.	[cleanup]	Reduce logging noise when EDNS state changes occur.
+			[RT #35843]
+
+3830.	[func]		When query logging is enabled, log query errors at
+			the same level ('info') as the queries themselves.
+			[RT #35844]
+
+3829.	[func]		"dig +ttlunits" causes dig to print TTL values
+			with time-unit suffixes: w, d, h, m, s for
+			weeks, days, hours, minutes, and seconds. (Thanks
+			to Tony Finch.) [RT #35823]
+
+3828.	[func]		"dnssec-signzone -N date" updates serial number
+			to the current date in YYYYMMDDNN format.
+			[RT #35800]
+
+3827.	[placeholder]
+
+3826.	[bug]		Corrected bad INSIST logic in isc_radix_remove().
+			[RT #35870]
+
+3825.	[bug]		Address sign extension bug in isc_regex_validate.
+			[RT #35758]
+
+3824.	[bug]		A collision between two flag values could cause
+			problems with cache cleaning when SIT was enabled.
+			[RT #35858]
+
+3823.	[func]		Log the rpz cname target when rewriting. [RT #35667]
+
+3822.	[bug]		Log the correct type of static-stub zones when
+			removing them. [RT #35842]
+
+3821.	[contrib]	Added a new "mysqldyn" DLZ module with dynamic
+			update and transaction support. Thanks to Marty
+			Lee for the contribution. [RT #35656]
+
+3820.	[func]		The DLZ API doesn't pass the database version to
+			the lookup() function; this can cause DLZ modules
+			that allow dynamic updates to mishandle prerequisite
+			checks. This has been corrected by adding a
+			'dbversion' field to the dns_clientinfo_t
+			structure. [RT #35656]
+
+3819.	[bug]		NSEC3 hashes need to be able to be entered and
+			displayed without padding.  This is not a issue for
+			currently defined algorithms but may be for future
+			hash algorithms. [RT #27925]
+
+3818.	[bug]		Stop lying to the optimizer that 'void *arg' is a
+			constant in isc_event_allocate.
+
+3817.	[func]		The "delve" command is now spelled "delv" to avoid
+			a namespace collision with the Xapian project.
+			[RT #35801]
+
+3816.	[func]		"dig +qr" now reports query size. (Thanks to
+			Tony Finch.) [RT #35822]
+
+3815.	[doc]		Clarify "nsupdate -y" usage in man page. [RT #35808]
+
+3814.	[func]		The "masterfile-style" zone option controls the
+			formatting of dumped zone files. Options are
+			"relative" (multiline format) and "full" (one
+			record per line). The default is "relative".
+			[RT #20798]
+
+3813.	[func]		"host" now recognizes the "timeout", "attempts" and
+			"debug" options when set in /etc/resolv.conf.
+			(Thanks to Adam Tkac at RedHat.) [RT #21885]
+
+3812.	[func]		Dig now supports sending arbitrary EDNS options from
+			the command line (+ednsopt=code[:value]). [RT #35584]
+
+3811.	[func]		"serial-update-method date;" sets serial number
+			on dynamic update to today's date in YYYYMMDDNN
+			format. (Thanks to Bradley Forschinger.) [RT #24903]
+
+3810.	[bug]		Work around broken nameservers that fail to ignore
+			unknown EDNS options. [RT #35766]
+
+3809.	[doc]		Fix SIT and NSID documentation.
+
+3808.	[doc]		Clean up "prefetch" documentation. [RT #35751]
+
+3807.	[bug]		Fix sign extension bug in dns_name_fromtext when
+			lowercase is set. [RT #35743]
+
+3806.	[test]		Improved system test portability. [RT #35625]
+
+3805.	[contrib]	Added contrib/perftcpdns, a performance testing tool
+			for DNS over TCP. [RT #35710]
+
+	--- 9.10.0rc1 released ---
+
+3804.	[bug]		Corrected a race condition in dispatch.c in which
+			portentry could be reset leading to an assertion
+			failure in socket_search(). (Change #3708
+			addressed the same issue but was incomplete.)
+			[RT #35128]
+
+3803.	[bug]		"named-checkconf -z" incorrectly rejected zones
+			using alternate data sources for not having a "file"
+			option. [RT #35685]
+
+3802.	[bug]		Various header files were not being installed.
+
+3801.	[port]		Fix probing for gssapi support on FreeBSD. [RT #35615]
+
+3800.	[bug]		A pending event on the route socket could cause an
+			assertion failure when shutting down named. [RT #35674]
+
+3799.	[bug]		Improve named's command line error reporting.
+			[RT #35603]
+
+3798.	[bug]		'rndc zonestatus' was reporting the wrong re-signing
+			time. [RT #35659]
+
+3797.	[port]		netbsd: geoip support probing was broken. [RT #35642]
+
+3796.	[bug]		Register dns and pkcs#11 error codes. [RT #35629]
+
+3795.	[bug]		Make named-checkconf detect raw masterfiles for
+			hint zones and reject them. [RT #35268]
+
+3794.	[maint]		Added AAAA for C.ROOT-SERVERS.NET.
+
+3793.	[bug]		zone.c:save_nsec3param() could assert when out of
+			memory. [RT #35621]
+
+3792.	[func]		Provide links to the alternate statistics views when
+			displaying in a browser.  [RT #35605]
+
+3791.	[placeholder]
+
+3790.	[bug]		Handle broken nameservers that send BADVERS in
+			response to unknown EDNS options.  Maintain
+			statistics on BADVERS responses.
+
+3789.	[bug]		Null pointer dereference on rbt creation failure.
+
+3788.	[bug]		dns_peer_getrequestsit was returning request_nsid by
+			mistake.
+
+	--- 9.10.0b2 released ---
+
+3787.	[bug]		The code that checks whether "auto-dnssec" is
+			allowed was ignoring "allow-update" ACLs set at
+			the options or view level. [RT #29536]
+
+3786.	[func]		Provide more detailed error codes when using
+			native PKCS#11. "pkcs11-tokens" now fails robustly
+			rather than asserting when run against an HSM with
+			an incomplete PKCS#11 API implementation. [RT #35479]
+
+3785.	[bug]		Debugging code dumphex didn't accept arbitrarily long
+			input (only compiled with -DDEBUG). [RT #35544]
+
+3784.	[bug]		Using "rrset-order fixed" when it had not been
+			enabled at compile time caused inconsistent
+			results. It now works as documented, defaulting
+			to cyclic mode. [RT #28104]
+
+3783.	[func]		"tsig-keygen" is now available as an alternate
+			command name for "ddns-confgen".  It generates
+			a TSIG key in named.conf format without comments.
+			[RT #35503]
+
+3782.	[func]		Specifying "auto" as the salt when using
+			"rndc signing -nsec3param" causes named to
+			generate a 64-bit salt at random. [RT #35322]
+
+3781.	[tuning]	Use adaptive mutex locks when available; this
+			has been found to improve performance under load
+			on many systems. "configure --with-locktype=standard"
+			restores conventional mutex locks. [RT #32576]
+
+3780.	[bug]		$GENERATE handled negative numbers incorrectly.
+			[RT #25528]
+
+3779.	[cleanup]	Clarify the error message when using an option
+			that was not enabled at compile time. [RT #35504]
+
+3778.	[bug]		Log a warning when the wrong address family is
+			used in "listen-on" or "listen-on-v6". [RT #17848]
+
+3777.	[bug]		EDNS EXPIRE code could dump core when processing
+			DLZ queries. [RT #35493]
+
+3776.	[func]		"rndc -q" suppresses output from successful
+			rndc commands. Errors are printed on stderr.
+			[RT #21393]
+
+3775.	[bug]		dlz_dlopen driver could return the wrong error
+			code on API version mismatch, leading to a segfault.
+			[RT #35495]
+
+3774.	[func]		When using "request-nsid", log the NSID value in
+			printable form as well as hex. [RT #20864]
+
+3773.	[func]		"host", "nslookup" and "nsupdate" now have
+			options to print the version number and exit.
+			[RT #26057]
+
+3772.	[contrib]	Added sqlite3 dynamically-loadable DLZ module.
+			(Based in part on a contribution from Tim Tessier.)
+			[RT #20822]
+
+3771.	[cleanup]	Adjusted log level for "using built-in key"
+			messages. [RT #24383]
+
+3770.	[bug]		"dig +trace" could fail with an assertion when it
+			needed to fall back to TCP due to a truncated
+			response. [RT #24660]
+
+3769.	[doc]		Improved documentation of "rndc signing -list".
+			[RT #30652]
+
+3768.	[bug]		"dnssec-checkds" was missing the SHA-384 digest
+			algorithm. [RT #34000]
+
+3767.	[func]		Log explicitly when using rndc.key to configure
+			command channel. [RT #35316]
+
+3766.	[cleanup]	Fixed problems with building outside the source
+			tree when using native PKCS#11. [RT #35459]
+
+3765.	[bug]		Fixed a bug in "rndc secroots" that could crash
+			named when dumping an empty keynode. [RT #35469]
+
+3764.	[bug]		The dnssec-keygen/settime -S and -i options
+			(to set up a successor key and set the prepublication
+			interval) were missing from dnssec-keyfromlabel.
+			[RT #35394]
+
+3763.	[bug]		delve: Cache DNSSEC records to avoid the need to
+			re-fetch them when restarting validation. [RT #35476]
+
+3762.	[bug]		Address build problems with --pkcs11-native +
+			--with-openssl with ECDSA support. [RT #35467]
+
+3761.	[bug]		Address dangling reference bug in dns_keytable_add.
+			[RT #35471]
+
+3760.	[bug]		Improve SIT with native PKCS#11 and on Windows.
+			[RT #35433]
+
+3759.	[port]		Enable delve on Windows. [RT #35441]
+
+3758.	[port]		Enable export library APIs on Windows. [RT #35382]
+
+3757.	[port]		Enable Python tools (dnssec-coverage,
+			dnssec-checkds) to run on Windows. [RT #34355]
+
+3756.	[bug]		GSSAPI Kerberos realm checking was broken in
+			check_config leading to spurious messages being
+			logged.  [RT #35443]
+
+	--- 9.10.0b1 released ---
+
+3755.	[func]		Add stats counters for known EDNS options + others.
+			[RT #35447]
+
+3754.	[cleanup]	win32: Installer now places files in the
+			Program Files area rather than system services.
+			[RT #35361]
+
+3753.	[bug]		allow-notify was ignoring keys. [RT #35425]
+
+3752.	[bug]		Address potential REQUIRE failure if
+			DNS_STYLEFLAG_COMMENTDATA is set when printing out
+			a rdataset.
+
+3751.	[tuning]	The default setting for the -U option (setting
+			the number of UDP listeners per interface) has
+			been adjusted to improve performance. [RT #35417]
+
+3750.	[experimental]	Partially implement EDNS EXPIRE option as described
+			in draft-andrews-dnsext-expire-00.  Retrieval of
+			the remaining time until expiry for slave zones
+			is supported.
+
+			EXPIRE uses an experimental option code (65002),
+			which is subject to change. [RT #35416]
+
+3749.	[func]		"dig +subnet" sends an EDNS client subnet option
+			containing the specified address/prefix when
+			querying. (Thanks to Wilmer van der Gaast.)
+			[RT #35415]
+
+3748.	[test]		Use delve to test dns_client interfaces. [RT #35383]
+
+3747.	[bug]		A race condition could lead to a core dump when
+			destroying a resolver fetch object. [RT #35385]
+
+3746.	[func]		New "max-zone-ttl" option enforces maximum
+			TTLs for zones. If loading a zone containing a
+			higher TTL, the load fails. DDNS updates with
+			higher TTLs are accepted but the TTL is truncated.
+			(Note: Currently supported for master zones only;
+			inline-signing slaves will be added.) [RT #38405]
+
+3745.	[func]		"configure --with-tuning=large" adjusts various
+			compiled-in constants and default settings to
+			values suited to large servers with abundant
+			memory. [RT #29538]
+
+3744.	[experimental]	SIT: send and process Source Identity Tokens
+			(similar to DNS Cookies by Donald Eastlake 3rd),
+			which are designed to help clients detect off-path
+			spoofed responses and for servers to identify
+			legitimate clients.
+
+			SIT uses an experimental EDNS option code (65001),
+			which will be changed to an IANA-assigned value
+			if the experiment is deemed a success.
+
+			SIT can be enabled via "configure --enable-sit" (or
+			--enable-developer). It is enabled by default in
+			Windows.
+
+			Servers can be configured to send smaller responses
+			to clients that have not identified themselves via
+			SIT.  RRL processing has also been updated;
+			legitimate clients are not subject to rate
+			limiting. [RT #35389]
+
+3743.	[bug]		delegation-only flag wasn't working in forward zone
+			declarations despite being documented.  This is
+			needed to support turning off forwarding and turning
+			on delegation only at the same name.  [RT #35392]
+
+3742.	[port]		linux: libcap support: declare curval at start of
+			block. [RT #35387]
+
+3741.	[func]		"delve" (domain entity lookup and validation engine):
+			A new tool with dig-like semantics for performing DNS
+			lookups, with internal DNSSEC validation, using the
+			same resolver and validator logic as named. This
+			allows easy validation of DNSSEC data in environments
+			with untrustworthy resolvers, and assists with
+			troubleshooting of DNSSEC problems. [RT #32406]
+
+3740.	[contrib]	Minor fixes to configure --with-dlz-bdb,
+			--with-dlz-postgres and --with-dlz-odbc. [RT #35340]
+
+3739.	[func]		Added per-zone stats counters to track TCP and
+			UDP queries. [RT #35375]
+
+3738.	[bug]		--enable-openssl-hash failed to build. [RT #35343]
+
+3737.	[bug]		'rndc retransfer' could trigger a assertion failure
+			with inline zones. [RT #35353]
+
+3736.	[bug]		nsupdate: When specifying a server by name,
+			fall back to alternate addresses if the first
+			address for that name is not reachable. [RT #25784]
+
+3735.	[cleanup]	Merged the libiscpk11 library into libisc
+			to simplify dependencies. [RT #35205]
+
+3734.	[bug]		Improve building with libtool. [RT #35314]
+
+3733.	[func]		Improve interface scanning support.  Interface
+			information will be automatically updated if the
+			OS supports routing sockets (MacOS, *BSD, Linux).
+			Use "automatic-interface-scan no;" to disable.
+
+			Add "rndc scan" to trigger a scan. [RT #23027]
+
+3732.	[contrib]	Fixed a type mismatch causing the ODBC DLZ
+			driver to dump core on 64-bit systems. [RT #35324]
+
+3731.	[func]		Added a "no-case-compress" ACL, which causes
+			named to use case-insensitive compression
+			(disabling change #3645) for specified
+			clients. (This is useful when dealing
+			with broken client implementations that
+			use case-sensitive name comparisons,
+			rejecting responses that fail to match the
+			capitalization of the query that was sent.)
+			[RT #35300]
+
+3730.	[cleanup]	Added "never" as a synonym for "none" when
+			configuring key event dates in the dnssec tools.
+			[RT #35277]
+
+3729.	[bug]		dnssec-keygen could set the publication date
+			incorrectly when only the activation date was
+			specified on the command line. [RT #35278]
+
+3728.	[doc]		Expanded native-PKCS#11 documentation,
+			specifically pkcs11: URI labels. [RT #35287]
+
+3727.	[func]		The isc_bitstring API is no longer used and
+			has been removed from libisc. [RT #35284]
+
+3726.	[cleanup]	Clarified the error message when attempting
+			to configure more than 32 response-policy zones.
+			[RT #35283]
+
+3725.	[contrib]	Updated zkt and nslint to newest versions,
+			cleaned up and rearranged the contrib
+			directory, and added a README.
+
+	--- 9.10.0a2 released ---
+
+3724.	[bug]		win32: Fixed a bug that prevented dig and
+			host from exiting properly after completing
+			a UDP query. [RT #35288]
+
+3723.	[cleanup]	Imported keys are now handled the same way
+			regardless of DNSSEC algorithm. [RT #35215]
+
+3722.	[bug]		Using geoip ACLs in a blackhole statement
+			could cause a segfault. [RT #35272]
+
+3721.	[doc]		Improved documentation of the EDNS processing
+			enhancements introduced in change #3593. [RT #35275]
+
+3720.	[bug]		Address compiler warnings. [RT #35261]
+
+3719.	[bug]		Address memory leak in in peer.c. [RT #35255]
+
+3718.	[bug]		A missing ISC_LINK_INIT in log.c. [RT #35260]
+
+3717.	[port]		hpux: Treat EOPNOTSUPP as a expected error code when
+			probing to see if it is possible to set dscp values
+			on a per packet basis. [RT #35252]
+
+3716.	[bug]		The dns_request code was setting dcsp values when not
+			requested.  [RT #35252]
+
+3715.	[bug]		The region and city databases could fail to
+			initialize when using some versions of libGeoIP,
+			causing assertion failures when named was
+			configured to use them. [RT #35427]
+
+3714.	[test]		System tests that need to test for cryptography
+			support before running can now use a common
+			"testcrypto.sh" script to do so. [RT #35213]
+
+3713.	[bug]		Save memory by not storing "also-notify" addresses
+			in zone objects that are configured not to send
+			notify requests. [RT #35195]
+
+3712.	[placeholder]
+
+3711.	[placeholder]
+
+3710.	[bug]		Address double dns_zone_detach when switching to
+			using automatic empty zones from regular zones.
+			[RT #35177]
+
+3709.	[port]		Use built-in versions of strptime() and timegm()
+			on all platforms to avoid portability issues.
+			[RT #35183]
+
+3708.	[bug]		Address a portentry locking issue in dispatch.c.
+			[RT #35128]
+
+3707.	[bug]		irs_resconf_load now returns ISC_R_FILENOTFOUND
+			on a missing resolv.conf file and initializes the
+			structure as if it had been configured with:
+
+				nameserver ::1
+				nameserver 127.0.0.1
+
+			Note: Callers will need to be updated to treat
+			ISC_R_FILENOTFOUND as a qualified success or else
+			they will leak memory. The following code fragment
+			will work with both old and new versions without
+			changing the behaviour of the existing code.
+
+			resconf = NULL;
+			result = irs_resconf_load(mctx, "/etc/resolv.conf",
+						  &resconf);
+			if (result != ISC_SUCCESS) {
+				if (resconf != NULL)
+					irs_resconf_destroy(&resconf);
+				....
+			}
+
+			[RT #35194]
+
+3706.	[contrib]	queryperf: Fixed a possible integer overflow when
+			printing results. [RT #35182]
+
+3705.	[func]		"configure --enable-native-pkcs11" enables BIND
+			to use the PKCS#11 API for all cryptographic
+			functions, so that it can drive a hardware service
+			module directly without the need to use a modified
+			OpenSSL as intermediary (so long as the HSM's vendor
+			provides a complete-enough implementation of the
+			PKCS#11 interface). This has been tested successfully
+			with the Thales nShield HSM and with SoftHSMv2 from
+			the OpenDNSSEC project. [RT #29031]
+
+3704.	[protocol]	Accept integer timestamps in RRSIG records. [RT #35185]
+
+3703.	[func]		To improve recursive resolver performance, cache
+			records which are still being requested by clients
+			can now be automatically refreshed from the
+			authoritative server before they expire, reducing
+			or eliminating the time window in which no answer
+			is available in the cache. See the "prefetch" option
+			for more details. [RT #35041]
+
+3702.	[func]		'dnssec-coverage -l' option specifies a length
+			of time to check for coverage; events further into
+			the future are ignored.  'dnssec-coverage -z'
+			checks only ZSK events, and 'dnssec-coverage -k'
+			checks only KSK events.  (Thanks to Peter Palfrader.)
+			[RT #35168]
+
+3701.	[func]		named-checkconf can now obscure shared secrets
+			when printing by specifying '-x'. [RT #34465]
+
+3700.	[func]		Allow access to subgroups of XML statistics via
+			special URLs http://<server>:<port>/xml/v3/server,
+			/zones, /net, /tasks, /mem, and /status.  [RT #35115]
+
+3699.	[bug]		Improvements to statistics channel XSL stylesheet:
+			the stylesheet can now be cached by the browser;
+			section headers are omitted from the stats display
+			when there is no data in those sections to be
+			displayed; counters are now right-justified for
+			easier readability. [RT #35117]
+
+3698.	[cleanup]	Replaced all uses of memcpy() with memmove().
+			[RT #35120]
+
+3697.	[bug]		Handle "." as a search list element when IDN support
+			is enabled. [RT #35133]
+
+3696.	[bug]		dig failed to handle AXFR style IXFR responses which
+			span multiple messages. [RT #35137]
+
+3695.	[bug]		Address a possible race in dispatch.c. [RT #35107]
+
+3694.	[bug]		Warn when a key-directory is configured for a zone,
+			but does not exist or is not a directory. [RT #35108]
+
+3693.	[security]	memcpy was incorrectly called with overlapping
+			ranges resulting in malformed names being generated
+			on some platforms.  This could cause INSIST failures
+			when serving NSEC3 signed zones (CVE-2014-0591).
+			[RT #35120]
+
+3692.	[bug]		Two calls to dns_db_getoriginnode were fatal if there
+			was no data at the node. [RT #35080]
+
+3691.	[contrib]	Address null pointer dereference in LDAP and
+			MySQL DLZ modules.
+
+3690.	[bug]		Iterative responses could be missed when the source
+			port for an upstream query was the same as the
+			listener port (53). [RT #34925]
+
+3689.	[bug]		Fixed a bug causing an insecure delegation from one
+			static-stub zone to another to fail with a broken
+			trust chain. [RT #35081]
+
+3688.	[bug]		loadnode could return a freed node on out of memory.
+			[RT #35106]
+
+3687.	[bug]		Address null pointer dereference in zone_xfrdone.
+			[RT #35042]
+
+3686.	[func]		"dnssec-signzone -Q" drops signatures from keys
+			that are still published but no longer active.
+			[RT #34990]
+
+3685.	[bug]		"rndc refresh" didn't work correctly with slave
+			zones using inline-signing. [RT #35105]
+
+3684.	[bug]		The list of included files would grow on reload.
+			[RT 35090]
+
+3683.	[cleanup]	Add a more detailed "not found" message to rndc
+			commands which specify a zone name. [RT #35059]
+
+3682.	[bug]		Correct the behavior of rndc retransfer to allow
+			inline-signing slave zones to retain NSEC3 parameters
+			instead of reverting to NSEC. [RT #34745]
+
+3681.	[port]		Update the Windows build system to support feature
+			selection and WIN64 builds.  This is a work in
+			progress. [RT #34160]
+
+3680.	[bug]		Ensure buffer space is available in "rndc zonestatus".
+			[RT #35084]
+
+3679.	[bug]		dig could fail to clean up TCP sockets still
+			waiting on connect(). [RT #35074]
+
+3678.	[port]		Update config.guess and config.sub. [RT #35060]
+
+3677.	[bug]		'nsupdate' leaked memory if 'realm' was used multiple
+			times.  [RT #35073]
+
+3676.	[bug]		"named-checkconf -z" now checks zones of type
+			hint and redirect as well as master. [RT #35046]
+
+3675.	[misc]		Provide a place for third parties to add version
+			information for their extensions in the version
+			file by setting the EXTENSIONS variable.
+
+	--- 9.10.0a1 released ---
+
+3674.	[bug]		RPZ zeroed ttls if the query type was '*'. [RT #35026]
+
+3673.	[func]		New "in-view" zone option allows direct sharing
+			of zones between views. [RT #32968]
+
+3672.	[func]		Local address can now be specified when using
+			dns_client API. [RT #34811]
+
+3671.	[bug]		Don't allow dnssec-importkey overwrite a existing
+			non-imported private key.
+
+3670.	[bug]		Address read after free in server side of
+			lwres_getrrsetbyname. [RT #29075]
+
+3669.	[port]		freebsd: --with-gssapi needs -lhx509. [RT #35001]
+
+3668.	[bug]		Fix cast in lex.c which could see 0xff treated as eof.
+			[RT #34993]
+
+3667.	[test]		dig: add support to keep the TCP socket open between
+			successive queries (+[no]keepopen).  [RT #34918]
+
+3666.	[func]		Add a tool, named-rrchecker, for checking the syntax
+			of individual resource records.  This tool is intended
+			to be called by provisioning systems so that the front
+			end does not need to be upgraded to support new DNS
+			record types. [RT #34778]
+
+3665.	[bug]		Failure to release lock on error in receive_secure_db.
+			[RT #34944]
+
+3664.	[bug]		Updated OpenSSL PKCS#11 patches to fix active list
+			locking and other bugs. [RT #34855]
+
+3663.	[bug]		Address bugs in dns_rdata_fromstruct and
+			dns_rdata_tostruct for WKS and ISDN types. [RT #34910]
+
+3662.	[bug]		'host' could die if a UDP query timed out. [RT #34870]
+
+3661.	[bug]		Address lock order reversal deadlock with inline zones.
+			[RT #34856]
+
+3660.	[cleanup]	Changed the name of "isc-config.sh" to "bind9-config".
+			[RT #23825]
+
+3659.	[port]		solaris: don't add explicit dependencies/rules for
+			python programs as make won't use the implicit rules.
+			[RT #34835]
+
+3658.	[port]		linux: Address platform specific compilation issue
+			when libcap-devel is installed. [RT #34838]
+
+3657.	[port]		Some readline clones don't accept NULL pointers when
+			calling add_history. [RT #34842]
+
+3656.	[security]	Treat an all zero netmask as invalid when generating
+			the localnets acl. (The prior behavior could
+			allow unexpected matches when using some versions
+			of Winsock: CVE-2013-6320.) [RT #34687]
+
+3655.	[cleanup]	Simplify TCP message processing when requesting a
+			zone transfer.  [RT #34825]
+
+3654.	[bug]		Address race condition with manual notify requests.
+			[RT #34806]
+
+3653.	[func]		Create delegations for all "children" of empty zones
+			except "forward first". [RT #34826]
+
+3652.	[bug]		Address bug with rpz-drop policy. [RT #34816]
+
+3651.	[tuning]	Adjust when a master server is deemed unreachable.
+			[RT #27075]
+
+3650.	[tuning]	Use separate rate limiting queues for refresh and
+			notify requests. [RT #30589]
+
+3649.	[cleanup]	Include a comment in .nzf files, giving the name of
+			the associated view. [RT #34765]
+
+3648.	[test]		Updated the ATF test framework to version 0.17.
+			[RT #25627]
+
+3647.	[bug]		Address a race condition when shutting down a zone.
+			[RT #34750]
+
+3646.	[bug]		Journal filename string could be set incorrectly,
+			causing garbage in log messages. [RT #34738]
+
+3645.	[protocol]	Use case sensitive compression when responding to
+			queries. [RT #34737]
+
+3644.	[protocol]	Check that EDNS subnet client options are well formed.
+			[RT #34718]
+
+3643.	[doc]		Clarify RRL "slip" documentation.
+
+3642.	[func]		Allow externally generated DNSKEY to be imported
+			into the DNSKEY management framework.  A new tool
+			dnssec-importkey is used to do this. [RT #34698]
+
+3641.	[bug]		Handle changes to sig-validity-interval settings
+			better. [RT #34625]
+
+3640.	[bug]		ndots was not being checked when searching.  Only
+			continue searching on NXDOMAIN responses.  Add the
+			ability to specify ndots to nslookup. [RT #34711]
+
+3639.	[bug]		Treat type 65533 (KEYDATA) as opaque except when used
+			in a key zone. [RT #34238]
+
+3638.	[cleanup]	Add the ability to handle ENOPROTOOPT in case it is
+			encountered. [RT #34668]
+
+3637.	[bug]		'allow-query-on' was checking the source address
+			rather than the destination address. [RT #34590]
+
+3636.	[bug]		Automatic empty zones now behave better with
+			forward only "zones" beneath them. [RT #34583]
+
+3635.	[bug]		Signatures were not being removed from a zone with
+			only KSK keys for a algorithm. [RT #34439]
+
+3634.	[func]		Report build-id in rndc status. Report build-id
+			when building from a git repository. [RT #20422]
+
+3633.	[cleanup]	Refactor OPT processing in named to make it easier
+			to support new EDNS options. [RT #34414]
+
+3632.	[bug]		Signature from newly inactive keys were not being
+			removed. [RT #32178]
+
+3631.	[bug]		Remove spurious warning about missing signatures when
+			qtype is SIG. [RT #34600]
+
+3630.	[bug]		Ensure correct ID computation for MD5 keys. [RT #33033]
+
+3629.	[func]		Allow the printing of cryptographic fields in DNSSEC
+			records by dig to be suppressed (dig +nocrypto).
+			[RT #34534]
+
+3628.	[func]		Report DNSKEY key id's when dumping the cache.
+			[RT #34533]
+
+3627.	[bug]		RPZ changes were not effective on slaves. [RT #34450]
+
+3626.	[func]		dig: NSID output now easier to read. [RT #21160]
+
+3625.	[bug]		Don't send notify messages to machines outside of the
+			test setup.
+
+3624.	[bug]		Look for 'json_object_new_int64' when looking for a
+			the json library. [RT #34449]
+
+3623.	[placeholder]
+
+3622.	[tuning]	Eliminate an unnecessary lock when incrementing
+			cache statistics. [RT #34339]
+
+3621.	[security]	Incorrect bounds checking on private type 'keydata'
+			can lead to a remotely triggerable REQUIRE failure
+			(CVE-2013-4854). [RT #34238]
+
+3620.	[func]		Added "rpz-client-ip" policy triggers, enabling
+			RPZ responses to be configured on the basis of
+			the client IP address; this can be used, for
+			example, to blacklist misbehaving recursive
+			or stub resolvers. [RT #33605]
+
+3619.	[bug]		Fixed a bug in RPZ with "recursive-only no;"
+			[RT #33776]
+
+3618.	[func]		"rndc reload" now checks modification times of
+			include files as well as master files to determine
+			whether to skip reloading a zone. [RT #33936]
+
+3617.	[bug]		Named was failing to answer queries during
+			"rndc reload" [RT #34098]
+
+3616.	[bug]		Change #3613 was incomplete. [RT #34177]
+
+3615.	[cleanup]	"configure" now finishes by printing a summary
+			of optional BIND features and whether they are
+			active or inactive. ("configure --enable-full-report"
+			increases the verbosity of the summary.) [RT #31777]
+
+3614.	[port]		Check for <linux/types.h>. [RT #34162]
+
+3613.	[bug]		named could crash when deleting inline-signing
+			zones with "rndc delzone". [RT #34066]
+
+3612.	[port]		Check whether to use -ljson or -ljson-c. [RT #34115]
+
+3611.	[bug]		Improved resistance to a theoretical authentication
+			attack based on differential timing.  [RT #33939]
+
+3610.	[cleanup]	win32: Some executables had been omitted from the
+			installer. [RT #34116]
+
+3609.	[bug]		Corrected a possible deadlock in applications using
+			the export version of the isc_app API. [RT #33967]
+
+3608.	[port]		win32: added todos.pl script to ensure all text files
+			the win32 build depends on are converted to DOS
+			newline format. [RT #22067]
+
+3607.	[bug]		dnssec-keygen had broken 'Invalid keyfile' error
+			message. [RT #34045]
+
+3606.	[func]		"rndc flushtree" now flushes matching
+			records in the address database and bad cache
+			as well as the DNS cache. (Previously only the
+			DNS cache was flushed.) [RT #33970]
+
+3605.	[port]		win32: Addressed several compatibility issues
+			with newer versions of Visual Studio. [RT #33916]
+
+3604.	[bug]		Fixed a compile-time error when building with
+			JSON but not XML. [RT #33959]
+
+3603.	[bug]		Install <isc/stat.h>. [RT #33956]
+
+3602.	[contrib]	Added DLZ Perl module, allowing Perl scripts to
+			integrate with named and serve DNS data.
+			(Contributed by John Eaglesham of Yahoo.)
+
+3601.	[bug]		Added to PKCS#11 openssl patches a value len
+			attribute in DH derive key. [RT #33928]
+
+3600.	[cleanup]	dig: Fixed a typo in the warning output when receiving
+			an oversized response. [RT #33910]
+
+3599.	[tuning]	Check for pointer equivalence in name comparisons.
+			[RT #18125]
+
+3598.	[cleanup]	Improved portability of map file code. [RT #33820]
+
+3597.	[bug]		Ensure automatic-resigning heaps are reconstructed
+			when loading zones in map format. [RT #33381]
+
+3596.	[port]		Updated win32 build documentation, added
+			dnssec-verify. [RT #22067]
+
+3595.	[port]		win32: Fix build problems introduced by change #3550.
+			[RT #33807]
+
+3594.	[maint]		Update config.guess and config.sub. [RT #33816]
+
+3593.	[func]		Update EDNS processing to better track remote server
+			capabilities. [RT #30655]
+
+3592.	[doc]		Moved documentation of rndc command options to the
+			rndc man page. [RT #33506]
+
+3591.	[func]		Use CRC-64 to detect map file corruption at load
+			time. [RT #33746]
+
+3590.	[bug]		When using RRL on recursive servers, defer
+			rate-limiting until after recursion is complete;
+			also, use correct rcode for slipped NXDOMAIN
+			responses.  [RT #33604]
+
+3589.	[func]		Report serial numbers in when starting zone transfers.
+			Report accepted NOTIFY requests including serial.
+			[RT #33037]
+
+3588.	[bug]		dig: addressed a memory leak in the sigchase code
+			that could cause a shutdown crash.  [RT #33733]
+
+3587.	[func]		'named -g' now checks the logging configuration but
+			does not use it. [RT #33473]
+
+3586.	[bug]		Handle errors in xmlDocDumpFormatMemoryEnc. [RT #33706]
+
+3585.	[func]		"rndc delzone -clean" option removes zone files
+			when deleting a zone. [RT #33570]
+
+3584.	[security]	Caching data from an incompletely signed zone could
+			trigger an assertion failure in resolver.c
+			(CVE-2013-3919). [RT #33690]
+
+3583.	[bug]		Address memory leak in GSS-API processing [RT #33574]
+
+3582.	[bug]		Silence false positive warning regarding missing file
+			directive for inline slave zones.  [RT #33662]
+
+3581.	[bug]		Changed the tcp-listen-queue default to 10. [RT #33029]
+
+3580.	[bug]		Addressed a possible race in acache.c [RT #33602]
+
+3579.	[maint]		Updates to PKCS#11 openssl patches, supporting
+			versions 0.9.8y, 1.0.0k, 1.0.1e [RT #33463]
+
+3578.	[bug]		'rndc -c file' now fails if 'file' does not exist.
+			[RT #33571]
+
+3577.	[bug]		Handle zero TTL values better. [RT #33411]
+
+3576.	[bug]		Address a shutdown race when validating. [RT #33573]
+
+3575.	[func]		Changed the logging category for RRL events from
+			'queries' to 'query-errors'. [RT #33540]
+
+3574.	[doc]		The 'hostname' keyword was missing from server-id
+			description in the named.conf man page. [RT #33476]
+
+3573.	[bug]		"rndc addzone" and "rndc delzone" incorrectly handled
+			zone names containing punctuation marks and other
+			nonstandard characters. [RT #33419]
+
+3572.	[func]		Threads are now enabled by default on most
+			operating systems. [RT #25483]
+
+3571.	[bug]		Address race condition in dns_client_startresolve().
+			[RT #33234]
+
+3570.	[bug]		Check internal pointers are valid when loading map
+			files. [RT #33403]
+
+3569.	[contrib]	Ported mysql DLZ driver to dynamically-loadable
+			module, and added multithread support. [RT #33394]
+
+3568.	[cleanup]	Add a product description line to the version file,
+			to be reported by named -v/-V. [RT #33366]
+
+3567.	[bug]		Silence clang static analyzer warnings. [RT #33365]
+
+3566.	[func]		Log when forwarding updates to master. [RT #33240]
+
+3565.	[placeholder]
+
+3564.	[bug]		Improved handling of corrupted map files. [RT #33380]
+
+3563.	[contrib]	zone2sqlite failed with some table names. [RT #33375]
+
+3562.	[func]		Update map file header format to include a SHA-1 hash
+			of the database content, so that corrupted map files
+			can be rejected at load time. [RT #32459]
+
+3561.	[bug]		dig: issue a warning if an EDNS query returns FORMERR
+			or NOTIMP.  Adjust usage message. [RT #33363]
+
+3560.	[bug]		isc-config.sh did not honor includedir and libdir
+			when set via configure. [RT #33345]
+
+3559.	[func]		Check that both forms of Sender Policy Framework
+			records exist or do not exist. [RT #33355]
+
+3558.	[bug]		IXFR of a DLZ stored zone was broken. [RT #33331]
+
+3557.	[bug]		Reloading redirect zones was broken. [RT #33292]
+
+3556.	[maint]		Added AAAA for D.ROOT-SERVERS.NET.
+
+3555.	[bug]		Address theoretical race conditions in acache.c
+			(change #3553 was incomplete). [RT #33252]
+
+3554.	[bug]		RRL failed to correctly rate-limit upward
+			referrals and failed to count dropped error
+			responses in the statistics. [RT #33225]
+
+3553.	[bug]		Address suspected double free in acache. [RT #33252]
+
+3552.	[bug]		Wrong getopt option string for 'nsupdate -r'.
+			[RT #33280]
+
+3551.	[bug]		resolver.querydscp[46] were uninitialized.  [RT #32686]
+
+3550.	[func]		Unified the internal and export versions of the
+			BIND libraries, allowing external clients to use
+			the same libraries as BIND. [RT #33131]
+
+3549.	[doc]		Documentation for "request-nsid" was missing.
+			[RT #33153]
+
+3548.	[bug]		The NSID request code in resolver.c was broken
+			resulting in invalid EDNS options being sent.
+			[RT #33153]
+
+3547.	[bug]		Some malformed unknown rdata records were not properly
+			detected and rejected. [RT #33129]
+
+3546.	[func]		Add EUI48 and EUI64 types. [RT #33082]
+
+3545.	[bug]		RRL slip behavior was incorrect when set to 1.
+			[RT #33111]
+
+3544.	[contrib]	check5011.pl: Script to report the status of
+			managed keys as recorded in managed-keys.bind.
+			Contributed by Tony Finch <dot@dotat.at>
+
+3543.	[bug]		Update socket structure before attaching to socket
+			manager after accept. [RT #33084]
+
+3542.	[placeholder]
+
+3541.	[bug]		Parts of libdns were not properly initialized when
+			built in libexport mode. [RT #33028]
+
+3540.	[test]		libt_api: t_info and t_assert were not thread safe.
+
+3539.	[port]		win32: timestamp format didn't match other platforms.
+
+3538.	[test]		Running "make test" now requires loopback interfaces
+			to be set up. [RT #32452]
+
+3537.	[tuning]	Slave zones, when updated, now send NOTIFY messages
+			to peers before being dumped to disk rather than
+			after. [RT #27242]
+
+3536.	[func]		Add support for setting Differentiated Services Code
+			Point (DSCP) values in named.  Most configuration
+			options which take a "port" option (e.g.,
+			listen-on, forwarders, also-notify, masters,
+			notify-source, etc) can now also take a "dscp"
+			option specifying a code point for use with
+			outgoing traffic, if supported by the underlying
+			OS. [RT #27596]
+
+3535.	[bug]		Minor win32 cleanups. [RT #32962]
+
+3534.	[bug]		Extra text after an embedded NULL was ignored when
+			parsing zone files. [RT #32699]
+
+3533.	[contrib]	query-loc-0.4.0: memory leaks. [RT #32960]
+
+3532.	[contrib]	zkt: fixed buffer overrun, resource leaks. [RT #32960]
+
+3531.	[bug]		win32: A uninitialized value could be returned on out
+			of memory. [RT #32960]
+
+3530.	[contrib]	Better RTT tracking in queryperf. [RT #30128]
+
+3529.	[func]		Named now listens on both IPv4 and IPv6 interfaces
+			by default.  Named previously only listened on IPv4
+			interfaces by default unless named was running in
+			IPv6 only mode.  [RT #32945]
+
+3528.	[func]		New "dnssec-coverage" command scans the timing
+			metadata for a set of DNSSEC keys and reports if a
+			lapse in signing coverage has been scheduled
+			inadvertently. (Note: This tool depends on python;
+			it will not be built or installed on systems that
+			do not have a python interpreter.) [RT #28098]
+
+3527.	[compat]	Add a URI to allow applications to explicitly
+			request a particular XML schema from the statistics
+			channel, returning 404 if not supported. [RT #32481]
+
+3526.	[cleanup]	Set up dependencies for unit tests correctly during
+			build. [RT #32803]
+
+3525.	[func]		Support for additional signing algorithms in rndc:
+			hmac-sha1, -sha224, -sha256, -sha384, and -sha512.
+			The -A option to rndc-confgen can be used to
+			select the algorithm for the generated key.
+			(The default is still hmac-md5; this may
+			change in a future release.) [RT #20363]
+
+3524.	[func]		Added an alternate statistics channel in JSON format,
+			when the server is built with the json-c library:
+			http://[address]:[port]/json. [RT #32630]
+
+3523.	[contrib]	Ported filesystem and ldap DLZ drivers to
+			dynamically-loadable modules, and added the
+			"wildcard" module based on a contribution from
+			Vadim Goncharov <vgoncharov@nic.ru>. [RT #23569]
+
+3522.	[bug]		DLZ lookups could fail to return SERVFAIL when
+			they ought to. [RT #32685]
+
+3521.	[bug]		Address memory leak in opensslecdsa_link.c. [RT #32249]
+
+3520.	[bug]		'mctx' was not being referenced counted in some places
+			where it should have been.  [RT #32794]
+
+3519.	[func]		Full replay protection via four-way handshake is
+			now mandatory for rndc clients. Very old versions
+			of rndc will no longer work. [RT #32798]
+
+3518.	[bug]		Increase the size of dns_rrl_key.s.rtype by one bit
+			so that all dns_rrl_rtype_t enum values fit regardless
+			of whether it is treated as signed or unsigned by
+			the compiler. [RT #32792]
+
+3517.	[bug]		Reorder destruction to avoid shutdown race. [RT #32777]
+
+3516.	[placeholder]
+
+3515.	[port]		'%T' is not portable in strftime(). [RT #32763]
+
+3514.	[bug]		The ranges for valid key sizes in ddns-confgen and
+			rndc-confgen were too constrained. Keys up to 512
+			bits are now allowed for most algorithms, and up
+			to 1024 bits for hmac-sha384 and hmac-sha512.
+			[RT #32753]
+
+3513.	[func]		"dig -u" prints times in microseconds rather than
+			milliseconds. [RT #32704]
+
+3512.	[func]		"rndc validation check" reports the current status
+			of DNSSEC validation. [RT #21397]
+
+3511.	[doc]		Improve documentation of redirect zones. [RT #32756]
+
+3510.	[func]		"rndc status" and XML statistics channel now report
+			server start and reconfiguration times. [RT #21048]
+
+3509.	[cleanup]	Added a product line to version file to allow for
+			easy naming of different products (BIND
+			vs BIND ESV, for example). [RT #32755]
+
+3508.	[contrib]	queryperf was incorrectly rejecting the -T option.
+			[RT #32338]
+
+3507.	[bug]		Statistics channel XSL had a glitch when attempting
+			to chart query data before any queries had been
+			received. [RT #32620]
+
+3506.	[func]		When setting "max-cache-size" and "max-acache-size",
+			the keyword "unlimited" is no longer defined as equal
+			to 4 gigabytes (except on 32-bit platforms); it
+			means literally unlimited. [RT #32358]
+
+3505.	[bug]		When setting "max-cache-size" and "max-acache-size",
+			larger values than 4 gigabytes could not be set
+			explicitly, though larger sizes were available
+			when setting cache size to 0. This has been
+			corrected; the full range is now available.
+			[RT #32358]
+
+3504.	[func]		Add support for ACLs based on geographic location,
+			using MaxMind GeoIP databases. Based on code
+			contributed by Ken Brownfield <kb@slide.com>.
+			[RT #30681]
+
+3503.	[doc]		Clarify size_spec syntax. [RT #32449]
+
+3502.	[func]		zone-statistics: "no" is now a synonym for "none",
+			instead of "terse". [RT #29165]
+
+3501.	[func]		zone-statistics now takes three options: full,
+			terse, and none. "yes" and "no" are retained as
+			synonyms for full and terse, respectively. [RT #29165]
+
+3500.	[security]	Support NAPTR regular expression validation on
+			all platforms without using libregex, which
+			can be vulnerable to memory exhaustion attack
+			(CVE-2013-2266). [RT #32688]
+
+3499.	[doc]		Corrected ARM documentation of built-in zones.
+			[RT #32694]
+
+3498.	[bug]		zone statistics for zones which matched a potential
+			empty zone could have their zone-statistics setting
+			overridden.
+
+3497.	[func]		When deleting a slave/stub zone using 'rndc delzone'
+			report the files that were being used so they can
+			be cleaned up if desired. [RT #27899]
+
+3496.	[placeholder]
+
+3495.	[func]		Support multiple response-policy zones (up to 32),
+			while improving RPZ performance.  "response-policy"
+			syntax now includes a "min-ns-dots" clause, with
+			default 1, to exclude top-level domains from
+			NSIP and NSDNAME checking. --enable-rpz-nsip and
+			--enable-rpz-nsdname are now the default. [RT #32251]
+
+3494.	[func]		DNS RRL: Blunt the impact of DNS reflection and
+			amplification attacks by rate-limiting substantially-
+			identical responses. [RT #28130]
+
+3493.	[contrib]	Added BDBHPT dynamically-loadable DLZ module,
+			contributed by Mark Goldfinch. [RT #32549]
+
+3492.	[bug]		Fixed a regression in zone loading performance
+			due to lock contention. [RT #30399]
+
+3491.	[bug]		Slave zones using inline-signing must specify a
+			file name. [RT #31946]
+
+3490.	[bug]		When logging RDATA during update, truncate if it's
+			too long. [RT #32365]
+
+3489.	[bug]		--enable-developer now turns on ISC_LIST_CHECKINIT.
+			dns_dlzcreate() failed to properly initialize
+			dlzdb.link.  When cloning a rdataset do not copy
+			the link contents.  [RT #32651]
+
+3488.	[bug]		Use after free error with DH generated keys. [RT #32649]
+
+3487.	[bug]		Change 3444 was not complete.  There was a additional
+			place where the NOQNAME proof needed to be saved.
+			[RT #32629]
+
+3486.	[bug]		named could crash when using TKEY-negotiated keys
+			that had been deleted and then recreated. [RT #32506]
+
+3485.	[cleanup]	Only compile openssl_gostlink.c if we support GOST.
+
+3484.	[bug]		Some statistics were incorrectly rendered in XML.
+			[RT #32587]
+
+3483.	[placeholder]
+
+3482.	[func]		dig +nssearch now prints name servers that don't
+			have address records (missing AAAA or A, or the name
+			doesn't exist). [RT #29348]
+
+3481.	[cleanup]	Removed use of const const in atf.
+
+3480.	[bug]		Silence logging noise when setting up zone
+			statistics. [RT #32525]
+
+3479.	[bug]		Address potential memory leaks in gssapi support
+			code. [RT #32405]
+
+3478.	[port]		Fix a build failure in strict C99 environments
+			[RT #32475]
+
+3477.	[func]		Expand logging when adding records via DDNS update
+			[RT #32365]
+
+3476.	[bug]		"rndc zonestatus" could report a spurious "not
+			found" error on inline-signing zones. [RT #29226]
+
+3475.	[cleanup]	Changed name of 'map' zone file format (previously
+			'fast'). [RT #32458]
+
+3474.	[bug]		nsupdate could assert when the local and remote
+			address families didn't match. [RT #22897]
+
+3473.	[bug]		dnssec-signzone/verify could incorrectly report
+			an error condition due to an empty node above an
+			opt-out delegation lacking an NSEC3. [RT #32072]
+
+3472.	[bug]		The active-connections counter in the socket
+			statistics could underflow. [RT #31747]
+
+3471.	[bug]		The number of UDP dispatches now defaults to
+			the number of CPUs even if -n has been set to
+			a higher value. [RT #30964]
+
+3470.	[bug]		Slave zones could fail to dump when successfully
+			refreshing after an initial failure. [RT #31276]
+
+3469.	[bug]		Handle DLZ lookup failures more gracefully. Improve
+			backward compatibility between versions of DLZ dlopen
+			API. [RT #32275]
+
+3468.	[security]	RPZ rules to generate A records (but not AAAA records)
+			could trigger an assertion failure when used in
+			conjunction with DNS64 (CVE-2012-5689). [RT #32141]
+
+3467.	[bug]		Added checks in dnssec-keygen and dnssec-settime
+			to check for delete date < inactive date. [RT #31719]
+
+3466.	[contrib]	Corrected the DNS_CLIENTINFOMETHODS_VERSION check
+			in DLZ example driver. [RT #32275]
+
+3465.	[bug]		Handle isolated reserved ports. [RT #31778]
+
+3464.	[maint]		Updates to PKCS#11 openssl patches, supporting
+			versions 0.9.8x, 1.0.0j, 1.0.1c [RT #29749]
+
+3463.	[doc]		Clarify managed-keys syntax in ARM. [RT #32232]
+
+3462.	[doc]		Clarify server selection behavior of dig when using
+			-4 or -6 options. [RT #32181]
+
+3461.	[bug]		Negative responses could incorrectly have AD=1
+			set. [RT #32237]
+
+3460.	[bug]		Only link against readline where needed. [RT #29810]
+
+3459.	[func]		Added -J option to named-checkzone/named-compilezone
+			to specify the path to the journal file. [RT #30958]
+
+3458.	[bug]		Return FORMERR when presented with a overly long
+			domain named in a request. [RT #29682]
+
+3457.	[protocol]	Add ILNP records (NID, LP, L32, L64). [RT #31836]
+
+3456.	[port]		g++47: ATF failed to compile. [RT #32012]
+
+3455.	[contrib]	queryperf: fix getopt option list. [RT #32338]
+
+3454.	[port]		sparc64: improve atomic support. [RT #25182]
+
+3453.	[bug]		'rndc addzone' of a zone with 'inline-signing yes;'
+			failed. [RT #31960]
+
+3452.	[bug]		Accept duplicate singleton records. [RT #32329]
+
+3451.	[port]		Increase per thread stack size from 64K to 1M.
+			[RT #32230]
+
+3450.	[bug]		Stop logfileconfig system test spam system logs.
+			[RT #32315]
+
+3449.	[bug]		gen.c: use the pre-processor to construct format
+			strings so that compiler can perform sanity checks;
+			check the snprintf results. [RT #17576]
+
+3448.	[bug]		The allow-query-on ACL was not processed correctly.
+			[RT #29486]
+
+3447.	[port]		Add support for libxml2-2.9.x [RT #32231]
+
+3446.	[port]		win32: Add source ID (see change #3400) to build.
+			[RT #31683]
+
+3445.	[bug]		Warn about zone files with blank owner names
+			immediately after $ORIGIN directives. [RT #31848]
+
+3444.	[bug]		The NOQNAME proof was not being returned from cached
+			insecure responses. [RT #21409]
+
+3443.	[bug]		ddns-confgen: Some TSIG algorithms were incorrectly
+			rejected when generating keys. [RT #31927]
+
+3442.	[port]		Net::DNS 0.69 introduced a non backwards compatible
+			change. [RT #32216]
+
+3441.	[maint]		D.ROOT-SERVERS.NET is now 199.7.91.13.
+
+3440.	[bug]		Reorder get_key_struct to not trigger a assertion when
+			cleaning up due to out of memory error. [RT #32131]
+
+3439.	[placeholder]
+
+3438.	[bug]		Don't accept unknown data escape in quotes. [RT #32031]
+
+3437.	[bug]		isc_buffer_init -> isc_buffer_constinit to initialize
+			buffers with constant data. [RT #32064]
+
+3436.	[bug]		Check malloc/calloc return values. [RT #32088]
+
+3435.	[bug]		Cross compilation support in configure was broken.
+			[RT #32078]
+
+3434.	[bug]		Pass client info to the DLZ findzone() entry
+			point in addition to lookup().  This makes it
+			possible for a database to answer differently
+			whether it's authoritative for a name depending
+			on the address of the client.  [RT #31775]
+
+3433.	[bug]		dlz_findzone() did not correctly handle
+			ISC_R_NOMORE. [RT #31172]
+
+3432.	[func]		Multiple DLZ databases can now be configured.
+			DLZ databases are searched in the order configured,
+			unless set to "search no", in which case a
+			zone can be configured to be retrieved from a
+			particular DLZ database by using a "dlz <name>"
+			option in the zone statement.  DLZ databases can
+			support type "master" and "redirect" zones.
+			[RT #27597]
+
+3431.	[bug]		ddns-confgen: Some valid key algorithms were
+			not accepted. [RT #31927]
+
+3430.	[bug]		win32: isc_time_formatISO8601 was missing the
+			'T' between the date and time. [RT #32044]
+
+3429.	[bug]		dns_zone_getserial2 could a return success without
+			returning a valid serial. [RT #32007]
+
+3428.	[cleanup]	dig: Add timezone to date output. [RT #2269]
+
+3427.	[bug]		dig +trace incorrectly displayed name server
+			addresses instead of names. [RT #31641]
+
+3426.	[bug]		dnssec-checkds: Clearer output when records are not
+			found. [RT #31968]
+
+3425.	[bug]		"acacheentry" reference counting was broken resulting
+			in use after free. [RT #31908]
+
+3424.	[func]		dnssec-dsfromkey now emits the hash without spaces.
+			[RT #31951]
+
+3423.	[bug]		"rndc signing -nsec3param" didn't accept the full
+			range of possible values.  Address portability issues.
+			[RT #31938]
+
+3422.	[bug]		Added a clear error message for when the SOA does not
+			match the referral. [RT #31281]
+
+3421.	[bug]		Named loops when re-signing if all keys are offline.
+			[RT #31916]
+
+3420.	[bug]		Address VPATH compilation issues. [RT #31879]
+
+3419.	[bug]		Memory leak on validation cancel. [RT #31869]
+
+3418.	[func]		New XML schema (version 3.0) for the statistics channel
+			adds query type statistics at the zone level, and
+			flattens the XML tree and uses compressed format to
+			optimize parsing. Includes new XSL that permits
+			charting via the Google Charts API on browsers that
+			support javascript in XSL.  The old XML schema has been
+			deprecated. [RT #30023]
+
+3417.	[placeholder]
+
+3416.	[bug]		Named could die on shutdown if running with 128 UDP
+			dispatches per interface. [RT #31743]
+
+3415.	[bug]		named could die with a REQUIRE failure if a validation
+			was canceled. [RT #31804]
+
+3414.	[bug]		Address locking issues found by Coverity. [RT #31626]
+
+3413.	[func]		Record the number of DNS64 AAAA RRsets that have been
+			synthesized. [RT #27636]
+
+3412.	[bug]		Copy timeval structure from control message data.
+			[RT #31548]
+
+3411.	[tuning]	Use IPV6_USE_MIN_MTU or equivalent with TCP in addition
+			to UDP. [RT #31690]
+
+3410.	[bug]		Addressed Coverity warnings. [RT #31626]
+
+3409.	[contrib]	contrib/dane/mkdane.sh: Tool to generate TLSA RR's
+			from X.509 certificates, for use with DANE
+			(DNS-based Authentication of Named Entities).
+			[RT #30513]
+
+3408.	[bug]		Some DNSSEC-related options (update-check-ksk,
+			dnssec-loadkeys-interval, dnssec-dnskey-kskonly)
+			are now legal in slave zones as long as
+			inline-signing is in use. [RT #31078]
+
+3407.	[placeholder]
+
+3406.	[bug]		mem.c: Fix compilation errors when building with
+			ISC_MEM_TRACKLINES or ISC_MEMPOOL_NAMES disabled.
+			Also, ISC_MEM_DEBUG is no longer optional. [RT #31559]
+
+3405.	[bug]		Handle time going backwards in acache. [RT #31253]
+
+3404.	[bug]		dnssec-signzone: When re-signing a zone, remove
+			RRSIG and NSEC records from nodes that used to be
+			in-zone but are now below a zone cut. [RT #31556]
+
+3403.	[bug]		Silence noisy OpenSSL logging. [RT #31497]
+
+3402.	[test]		The IPv6 interface numbers used for system
+			tests were incorrect on some platforms. [RT #25085]
+
+3401.	[bug]		Addressed Coverity warnings. [RT #31484]
+
+3400.	[cleanup]	"named -V" can now report a source ID string, defined
+			in the "srcid" file in the build tree and normally set
+			to the most recent git hash.  [RT #31494]
+
+3399.	[port]		netbsd: rename 'bool' parameter to avoid namespace
+			clash.  [RT #31515]
+
+3398.	[bug]		SOA parameters were not being updated with inline
+			signed zones if the zone was modified while the
+			server was offline. [RT #29272]
+
+3397.	[bug]		dig crashed when using +nssearch with +tcp. [RT #25298]
+
+3396.	[bug]		OPT records were incorrectly removed from signed,
+			truncated responses. [RT #31439]
+
+3395.	[protocol]	Add RFC 6598 reverse zones to built in empty zones
+			list, 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA.
+			[RT #31336]
+
+3394.	[bug]		Adjust 'successfully validated after lower casing
+			signer' log level and category. [RT #31414]
+
+3393.	[bug]		'host -C' could core dump if REFUSED was received.
+			[RT #31381]
+
+3392.	[func]		Keep statistics on REFUSED responses. [RT #31412]
+
+3391.	[bug]		A DNSKEY lookup that encountered a CNAME failed.
+			[RT #31262]
+
+3390.	[bug]		Silence clang compiler warnings. [RT #30417]
+
+3389.	[bug]		Always return NOERROR (not 0) in TSIG. [RT #31275]
+
+3388.	[bug]		Fixed several Coverity warnings.
+			Note: This change includes a fix for a bug that
+			was subsequently determined to be an exploitable
+			security vulnerability, CVE-2012-5688: named could
+			die on specific queries with dns64 enabled.
+			[RT #30996]
+
+3387.	[func]		DS digest can be disabled at runtime with
+			disable-ds-digests. [RT #21581]
+
+3386.	[bug]		Address locking violation when generating new NSEC /
+			NSEC3 chains. [RT #31224]
+
+3385.	[bug]		named-checkconf didn't detect missing master lists
+			in also-notify clauses. [RT #30810]
+
+3384.	[bug]		Improved logging of crypto errors. [RT #30963]
+
+3383.	[security]	A certain combination of records in the RBT could
+			cause named to hang while populating the additional
+			section of a response. [RT #31090]
+
+3382.	[bug]		SOA query from slave used use-v6-udp-ports range,
+			if set, regardless of the address family in use.
+			[RT #24173]
+
+3381.	[contrib]	Update queryperf to support more RR types.
+			[RT #30762]
+
+3380.	[bug]		named could die if a nonexistent master list was
+			referenced in a also-notify. [RT #31004]
+
+3379.	[bug]		isc_interval_zero and isc_time_epoch should be
+			"const (type)* const". [RT #31069]
+
+3378.	[bug]		Handle missing 'managed-keys-directory' better.
+			[RT #30625]
+
+3377.	[bug]		Removed spurious newline from NSEC3 multiline
+			output. [RT #31044]
+
+3376.	[bug]		Lack of EDNS support was being recorded without a
+			successful response. [RT #30811]
+
+3375.	[bug]		'rndc dumpdb' failed on empty caches. [RT #30808]
+
+3374.	[bug]		isc_parse_uint32 failed to return a range error on
+			systems with 64 bit longs. [RT #30232]
+
+3373.	[bug]		win32: open raw files in binary mode. [RT #30944]
+
+3372.	[bug]		Silence spurious "deleted from unreachable cache"
+			messages.  [RT #30501]
+
+3371.	[bug]		AD=1 should behave like DO=1 when deciding whether to
+			add NS RRsets to the additional section or not.
+			[RT #30479]
+
+3370.	[bug]		Address use after free while shutting down. [RT #30241]
+
+3369.	[bug]		nsupdate terminated unexpectedly in interactive mode
+			if built with readline support. [RT #29550]
+
+3368.	[bug]		<dns/iptable.h>, <dns/private.h> and <dns/zone.h>
+			were not C++ safe.
+
+3367.	[bug]		dns_dnsseckey_create() result was not being checked.
+			[RT #30685]
+
+3366.	[bug]		Fixed Read-After-Write dependency violation for IA64
+			atomic operations. [RT #25181]
+
+3365.	[bug]		Removed spurious newlines from log messages in
+			zone.c [RT #30675]
+
+3364.	[security]	Named could die on specially crafted record.
+			[RT #30416]
+
+3363.	[bug]		Need to allow "forward" and "fowarders" options
+			in static-stub zones; this had been overlooked.
+			[RT #30482]
+
+3362.	[bug]		Setting some option values to 0 in named.conf
+			could trigger an assertion failure on startup.
+			[RT #27730]
+
+3361.	[bug]		"rndc signing -nsec3param" didn't work correctly
+			when salt was set to '-' (no salt). [RT #30099]
+
+3360.	[bug]		'host -w' could die.  [RT #18723]
+
+3359.	[bug]		An improperly-formed TSIG secret could cause a
+			memory leak. [RT #30607]
+
+3358.	[placeholder]
+
+3357.	[port]		Add support for libxml2-2.8.x [RT #30440]
+
+3356.	[bug]		Cap the TTL of signed RRsets when RRSIGs are
+			approaching their expiry, so they don't remain
+			in caches after expiry. [RT #26429]
+
+3355.	[port]		Use more portable awk in verify system test.
+
+3354.	[func]		Improve OpenSSL error logging. [RT #29932]
+
+3353.	[bug]		Use a single task for task exclusive operations.
+			[RT #29872]
+
+3352.	[bug]		Ensure that learned server attributes timeout of the
+			adb cache. [RT #29856]
+
+3351.	[bug]		isc_mem_put and isc_mem_putanddetach didn't report
+			caller if either ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX
+			memory debugging flags are set. [RT #30243]
+
+3350.	[bug]		Memory read overrun in isc___mem_reallocate if
+			ISC_MEM_DEBUGCTX memory debugging flag is set.
+			[RT #30240]
+
+3349.	[bug]		Change #3345 was incomplete. [RT #30233]
+
+3348.	[bug]		Prevent RRSIG data from being cached if a negative
+			record matching the covering type exists at a higher
+			trust level. Such data already can't be retrieved from
+			the cache since change 3218 -- this prevents it
+			being inserted into the cache as well. [RT #26809]
+
+3347.	[bug]		dnssec-settime: Issue a warning when writing a new
+			private key file would cause a change in the
+			permissions of the existing file. [RT #27724]
+
+3346.	[security]	Bad-cache data could be used before it was
+			initialized, causing an assert. [RT #30025]
+
+3345.	[bug]		Addressed race condition when removing the last item
+			or inserting the first item in an ISC_QUEUE.
+			[RT #29539]
+
+3344.	[func]		New "dnssec-checkds" command checks a zone to
+			determine which DS records should be published
+			in the parent zone, or which DLV records should be
+			published in a DLV zone, and queries the DNS to
+			ensure that it exists. (Note: This tool depends
+			on python; it will not be built or installed on
+			systems that do not have a python interpreter.)
+			[RT #28099]
+
+3343.	[placeholder]
+
+3342.	[bug]		Change #3314 broke saving of stub zones to disk
+			resulting in excessive cpu usage in some cases.
+			[RT #29952]
+
+3341.	[func]		New "dnssec-verify" command checks a signed zone
+			to ensure correctness of signatures and of NSEC/NSEC3
+			chains. [RT #23673]
+
+3340.	[func]		Added new 'map' zone file format, which is an image
+			of a zone database that can be loaded directly into
+			memory via mmap(), allowing much faster zone loading.
+			(Note: Because of pointer sizes and other
+			considerations, this file format is platform-dependent;
+			'map' zone files cannot always be transferred from one
+			server to another.) [RT #25419]
+
+3339.	[func]		Allow the maximum supported rsa exponent size to be
+			specified: "max-rsa-exponent-size <value>;" [RT #29228]
+
+3338.	[bug]		Address race condition in units tests: asyncload_zone
+			and asyncload_zt. [RT #26100]
+
+3337.	[bug]		Change #3294 broke support for the multiple keys
+			in controls. [RT #29694]
+
+3336.	[func]		Maintain statistics for RRsets tagged as "stale".
+			[RT #29514]
+
+3335.	[func]		nslookup: return a nonzero exit code when unable
+			to get an answer. [RT #29492]
+
+3334.	[bug]		Hold a zone table reference while performing a
+			asynchronous load of a zone. [RT #28326]
+
+3333.	[bug]		Setting resolver-query-timeout too low can cause
+			named to not recover if it loses connectivity.
+			[RT #29623]
+
+3332.	[bug]		Re-use cached DS rrsets if possible. [RT #29446]
+
+3331.	[security]	dns_rdataslab_fromrdataset could produce bad
+			rdataslabs. [RT #29644]
+
+3330.	[func]		Fix missing signatures on NOERROR results despite
+			RPZ rewriting.  Also
+			 - add optional "recursive-only yes|no" to the
+			   response-policy statement
+			 - add optional "max-policy-ttl" to the response-policy
+			    statement to limit the false data that
+			    "recursive-only no" can introduce into
+			    resolvers' caches
+			 - add a RPZ performance test to bin/tests/system/rpz
+			     when queryperf is available.
+			 - the encoding of PASSTHRU action to "rpz-passthru".
+			     (The old encoding is still accepted.)
+			[RT #26172]
+
+
+3329.	[bug]		Handle RRSIG signer-name case consistently: We
+			generate RRSIG records with the signer-name in
+			lower case.  We accept them with any case, but if
+			they fail to validate, we try again in lower case.
+			[RT #27451]
+
+3328.	[bug]		Fixed inconsistent data checking in dst_parse.c.
+			[RT #29401]
+
+3327.	[func]		Added 'filter-aaaa-on-v6' option; this is similar
+			to 'filter-aaaa-on-v4' but applies to IPv6
+			connections.  (Use "configure --enable-filter-aaaa"
+			to enable this option.)  [RT #27308]
+
+3326.	[func]		Added task list statistics: task model, worker
+			threads, quantum, tasks running, tasks ready.
+			[RT #27678]
+
+3325.	[func]		Report cache statistics: memory use, number of
+			nodes, number of hash buckets, hit and miss counts.
+			[RT #27056]
+
+3324.	[test]		Add better tests for ADB stats [RT #27057]
+
+3323.	[func]		Report the number of buckets the resolver is using.
+			[RT #27020]
+
+3322.	[func]		Monitor the number of active TCP and UDP dispatches.
+			[RT #27055]
+
+3321.	[func]		Monitor the number of recursive fetches and the
+			number of open sockets, and report these values in
+			the statistics channel. [RT #27054]
+
+3320.	[func]		Added support for monitoring of recursing client
+			count. [RT #27009]
+
+3319.	[func]		Added support for monitoring of ADB entry count and
+			hash size. [RT #27057]
+
+3318.	[tuning]	Reduce the amount of work performed while holding a
+			bucket lock when finished with a fetch context.
+			[RT #29239]
+
+3317.	[func]		Add ECDSA support (RFC 6605). [RT #21918]
+
+3316.	[tuning]	Improved locking performance when recursing.
+			[RT #28836]
+
+3315.	[tuning]	Use multiple dispatch objects for sending upstream
+			queries; this can improve performance on busy
+			multiprocessor systems by reducing lock contention.
+			[RT #28605]
+
+3314.	[bug]		The masters list could be updated while stub_callback
+			or refresh_callback were using it. [RT #26732]
+
+3313.	[protocol]	Add TLSA record type. [RT #28989]
+
+3312.	[bug]		named-checkconf didn't detect a bad dns64 clients acl.
+			[RT #27631]
+
+3311.	[bug]		Abort the zone dump if zone->db is NULL in
+			zone.c:zone_gotwritehandle. [RT #29028]
+
+3310.	[test]		Increase table size for mutex profiling. [RT #28809]
+
+3309.	[bug]		resolver.c:fctx_finddone() was not thread safe.
+			[RT #27995]
+
+3308.	[placeholder]
+
+3307.	[bug]		Add missing ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS.
+			[RT #28956]
+
+3306.	[bug]		Improve DNS64 reverse zone performance. [RT #28563]
+
+3305.	[func]		Add wire format lookup method to sdb. [RT #28563]
+
+3304.	[bug]		Use hmctx, not mctx when freeing rbtdb->heaps.
+			[RT #28571]
+
+3303.	[bug]		named could die when reloading. [RT #28606]
+
+3302.	[bug]		dns_dnssec_findmatchingkeys could fail to find
+			keys if the zone name contained character that
+			required special mappings. [RT #28600]
+
+3301.	[contrib]	Update queryperf to build on darwin.  Add -R flag
+			for non-recursive queries. [RT #28565]
+
+3300.	[bug]		Named could die if gssapi was enabled in named.conf
+			but was not compiled in. [RT #28338]
+
+3299.	[bug]		Make SDB handle errors from database drivers better.
+			[RT #28534]
+
+3298.	[bug]		Named could dereference a NULL pointer in
+			zmgr_start_xfrin_ifquota if the zone was being removed.
+			[RT #28419]
+
+3297.	[bug]		Named could die on a malformed master file. [RT #28467]
+
+3296.	[bug]		Named could die with a INSIST failure in
+			client.c:exit_check. [RT #28346]
+
+3295.	[bug]		Adjust isc_time_secondsastimet range check to be more
+			portable. [RT # 26542]
+
+3294.	[bug]		isccc/cc.c:table_fromwire failed to free alist on
+			error. [RT #28265]
+
+3293.	[func]		nsupdate: list supported type. [RT #28261]
+
+3292.	[func]		Log messages in the axfr stream at debug 10.
+			[RT #28040]
+
+3291.	[port]		Fixed a build error on systems without ENOTSUP.
+			[RT #28200]
+
+3290.	[bug]		<isc/hmacsha.h> was not being installed. [RT #28169]
+
+3289.	[bug]		'rndc retransfer' failed for inline zones. [RT #28036]
+
+3288.	[bug]		dlz_destroy() function wasn't correctly registered
+			by the DLZ dlopen driver. [RT #28056]
+
+3287.	[port]		Update ans.pl to work with Net::DNS 0.68. [RT #28028]
+
+3286.	[bug]		Managed key maintenance timer could fail to start
+			after 'rndc reconfig'. [RT #26786]
+
+3285.	[bug]		val-frdataset was incorrectly disassociated in
+			proveunsecure after calling startfinddlvsep.
+			[RT #27928]
+
+3284.	[bug]		Address race conditions with the handling of
+			rbtnode.deadlink. [RT #27738]
+
+3283.	[bug]		Raw zones with with more than 512 records in a RRset
+			failed to load. [RT #27863]
+
+3282.	[bug]		Restrict the TTL of NS RRset to no more than that
+			of the old NS RRset when replacing it.
+			[RT #27792] [RT #27884]
+
+3281.	[bug]		SOA refresh queries could be treated as cancelled
+			despite succeeding over the loopback interface.
+			[RT #27782]
+
+3280.	[bug]		Potential double free of a rdataset on out of memory
+			with DNS64. [RT #27762]
+
+3279.	[bug]		Hold a internal reference to the zone while performing
+			a asynchronous load.  Address potential memory leak
+			if the asynchronous is cancelled. [RT #27750]
+
+3278.	[bug]		Make sure automatic key maintenance is started
+			when "auto-dnssec maintain" is turned on during
+			"rndc reconfig". [RT #26805]
+
+3277.	[bug]		win32: isc_socket_dup is not implemented. [RT #27696]
+
+3276.	[bug]		win32: ns_os_openfile failed to return NULL on
+			safe_open failure. [RT #27696]
+
+3275.	[bug]		Corrected rndc -h output; the 'rndc sync -clean'
+			option had been misspelled as '-clear'.  (To avoid
+			future confusion, both options now work.) [RT #27173]
+
+3274.	[placeholder]
+
+3273.	[bug]		AAAA responses could be returned in the additional
+			section even when filter-aaaa-on-v4 was in use.
+			[RT #27292]
+
+3272.	[func]		New "rndc zonestatus" command prints information
+			about the specified zone. [RT #21671]
+
+3271.	[port]		darwin: mksymtbl is not always stable, loop several
+			times before giving up.  mksymtbl was using non
+			portable perl to covert 64 bit hex strings. [RT #27653]
+
+	--- 9.9.0rc2 released ---
+
+3270.	[bug]		"rndc reload" didn't reuse existing zones correctly
+			when inline-signing was in use. [RT #27650]
+
+3269.	[port]		darwin 11 and later now built threaded by default.
+
+3268.	[bug]		Convert RRSIG expiry times to 64 timestamps to work
+			out the earliest expiry time. [RT #23311]
+
+3267.	[bug]		Memory allocation failures could be mis-reported as
+			unexpected error.  New ISC_R_UNSET result code.
+			[RT #27336]
+
+3266.	[bug]		The maximum number of NSEC3 iterations for a
+			DNSKEY RRset was not being properly computed.
+			[RT #26543]
+
+3265.	[bug]		Corrected a problem with lock ordering in the
+			inline-signing code. [RT #27557]
+
+3264.	[bug]		Automatic regeneration of signatures in an
+			inline-signing zone could stall when the server
+			was restarted. [RT #27344]
+
+3263.	[bug]		"rndc sync" did not affect the unsigned side of an
+			inline-signing zone. [RT #27337]
+
+3262.	[bug]		Signed responses were handled incorrectly by RPZ.
+			[RT #27316]
+
+3261.	[func]		RRset ordering now defaults to random. [RT #27174]
+
+3260.	[bug]		"rrset-order cyclic" could appear not to rotate
+			for some query patterns.  [RT #27170/27185]
+
+	--- 9.9.0rc1 released ---
+
+3259.	[bug]		named-compilezone: Suppress "dump zone to <file>"
+			message when writing to stdout. [RT #27109]
+
+3258.	[test]		Add "forcing full sign with unreadable keys" test.
+			[RT #27153]
+
+3257.	[bug]		Do not generate a error message when calling fsync()
+			in a pipe or socket. [RT #27109]
+
+3256.	[bug]		Disable empty zones for lwresd -C. [RT #27139]
+
+3255.	[func]		No longer require that a empty zones be explicitly
+			enabled or that a empty zone is disabled for
+			RFC 1918 empty zones to be configured. [RT #27139]
+
+3254.	[bug]		Set isc_socket_ipv6only() on the IPv6 control channels.
+			[RT #22249]
+
+3253.	[bug]		Return DNS_R_SYNTAX when the input to a text field is
+			too long. [RT #26956]
+
+3252.	[bug]		When master zones using inline-signing were
+			updated while the server was offline, the source
+			zone could fall out of sync with the signed
+			copy. They can now resynchronize. [RT #26676]
+
+3251.	[bug]		Enforce a upper bound (65535 bytes) on the amount of
+			memory dns_sdlz_putrr() can allocate per record to
+			prevent run away memory consumption on ISC_R_NOSPACE.
+			[RT #26956]
+
+3250.	[func]		'configure --enable-developer'; turn on various
+			configure options, normally off by default, that
+			we want developers to build and test with. [RT #27103]
+
+3249.	[bug]		Update log message when saving slave zones files for
+			analysis after load failures. [RT #27087]
+
+3248.	[bug]		Configure options --enable-fixed-rrset and
+			--enable-exportlib were incompatible with each
+			other. [RT #27087]
+
+3247.	[bug]		'raw' format zones failed to preserve load order
+			breaking 'fixed' sort order. [RT #27087]
+
+3246.	[bug]		Named failed to start with a empty also-notify list.
+			[RT #27087]
+
+3245.	[bug]		Don't report a error unchanged serials unless there
+			were other changes when thawing a zone with
+			ixfr-fromdifferences. [RT #26845]
+
+3244.	[func]		Added readline support to nslookup and nsupdate.
+			Also simplified nsupdate syntax to make "update"
+			and "prereq" optional. [RT #24659]
+
+3243.	[port]		freebsd,netbsd,bsdi: the thread defaults were not
+			being properly set.
+
+3242.	[func]		Extended the header of raw-format master files to
+			include the serial number of the zone from which
+			they were generated, if different (as in the case
+			of inline-signing zones).  This is to be used in
+			inline-signing zones, to track changes between the
+			unsigned and signed versions of the zone, which may
+			have different serial numbers.
+
+			(Note: raw zonefiles generated by this version of
+			BIND are no longer compatible with prior versions.
+			To generate a backward-compatible raw zonefile
+			using dnssec-signzone or named-compilezone, specify
+			output format "raw=0" instead of simply "raw".)
+			[RT #26587]
+
+3241.	[bug]		Address race conditions in the resolver code.
+			[RT #26889]
+
+3240.	[bug]		DNSKEY state change events could be missed. [RT #26874]
+
+3239.	[bug]		dns_dnssec_findmatchingkeys needs to use a consistent
+			timestamp. [RT #26883]
+
+3238.	[bug]		keyrdata was not being reinitialized in
+			lib/dns/rbtdb.c:iszonesecure. [RT #26913]
+
+3237.	[bug]		dig -6 didn't work with +trace. [RT #26906]
+
+3236.	[bug]		Backed out changes #3182 and #3202, related to
+			EDNS(0) fallback behavior. [RT #26416]
+
+3235.	[func]		dns_db_diffx, a extended dns_db_diff which returns
+			the generated diff and optionally writes it to a
+			journal. [RT #26386]
+
+3234.	[bug]		'make depend' produced invalid makefiles. [RT #26830]
+
+3233.	[bug]		'rndc freeze/thaw' didn't work for inline zones.
+			[RT #26632]
+
+3232.	[bug]		Zero zone->curmaster before return in
+			dns_zone_setmasterswithkeys(). [RT #26732]
+
+3231.	[bug]		named could fail to send a incompressible zone.
+			[RT #26796]
+
+3230.	[bug]		'dig axfr' failed to properly handle a multi-message
+			axfr with a serial of 0. [RT #26796]
+
+3229.	[bug]		Fix local variable to struct var assignment
+			found by CLANG warning.
+
+3228.	[tuning]	Dynamically grow symbol table to improve zone
+			loading performance. [RT #26523]
+
+3227.	[bug]		Interim fix to make WKS's use of getprotobyname()
+			and getservbyname() self thread safe. [RT #26232]
+
+3226.	[bug]		Address minor resource leakages. [RT #26624]
+
+3225.	[bug]		Silence spurious "setsockopt(517, IPV6_V6ONLY) failed"
+			messages. [RT #26507]
+
+3224.	[bug]		'rndc signing' argument parsing was broken. [RT #26684]
+
+3223.	[bug]		'task_test privilege_drop' generated false positives.
+			[RT #26766]
+
+3222.	[cleanup]	Replace dns_journal_{get,set}_bitws with
+			dns_journal_{get,set}_sourceserial. [RT #26634]
+
+3221.	[bug]		Fixed a potential core dump on shutdown due to
+			referencing fetch context after it's been freed.
+			[RT #26720]
+
+	--- 9.9.0b2 released ---
+
+3220.	[bug]		Change #3186 was incomplete; dns_db_rpz_findips()
+			could fail to set the database version correctly,
+			causing an assertion failure. [RT #26180]
+
+3219.	[bug]		Disable NOEDNS caching following a timeout.
+
+3218.	[security]	Cache lookup could return RRSIG data associated with
+			nonexistent records, leading to an assertion
+			failure. [RT #26590]
+
+3217.	[cleanup]	Fix build problem with --disable-static. [RT #26476]
+
+3216.	[bug]		resolver.c:validated() was not thread-safe. [RT #26478]
+
+3215.	[bug]		'rndc recursing' could cause a core dump. [RT #26495]
+
+3214.	[func]		Add 'named -U' option to set the number of UDP
+			listener threads per interface. [RT #26485]
+
+3213.	[doc]		Clarify ixfr-from-differences behavior. [RT #25188]
+
+3212.	[bug]		rbtdb.c: failed to remove a node from the deadnodes
+			list prior to adding a reference to it leading a
+			possible assertion failure. [RT #23219]
+
+3211.	[func]		dnssec-signzone: "-f -" prints to stdout; "-O full"
+			option prints in single-line-per-record format.
+			[RT #20287]
+
+3210.	[bug]		Canceling the oldest query due to recursive-client
+			overload could trigger an assertion failure. [RT #26463]
+
+3209.	[func]		Add "dnssec-lookaside 'no'".  [RT #24858]
+
+3208.	[bug]		'dig -y' handle unknown tsig algorithm better.
+			[RT #25522]
+
+3207.	[contrib]	Fixed build error in Berkeley DB DLZ module. [RT #26444]
+
+3206.	[cleanup]	Add ISC information to log at start time. [RT #25484]
+
+3205.	[func]		Upgrade dig's defaults to better reflect modern
+			nameserver behavior.  Enable "dig +adflag" and
+			"dig +edns=0" by default.  Enable "+dnssec" when
+			running "dig +trace". [RT #23497]
+
+3204.	[bug]		When a master server that has been marked as
+			unreachable sends a NOTIFY, mark it reachable
+			again. [RT #25960]
+
+3203.	[bug]		Increase log level to 'info' for validation failures
+			from expired or not-yet-valid RRSIGs. [RT #21796]
+
+3202.	[bug]		NOEDNS caching on timeout was too aggressive.
+			[RT #26416]
+
+3201.	[func]		'rndc querylog' can now be given an on/off parameter
+			instead of only being used as a toggle. [RT #18351]
+
+3200.	[doc]		Some rndc functions were undocumented or were
+			missing from 'rndc -h' output. [RT #25555]
+
+3199.	[func]		When logging client information, include the name
+			being queried. [RT #25944]
+
+3198.	[doc]		Clarified that dnssec-settime can alter keyfile
+			permissions. [RT #24866]
+
+3197.	[bug]		Don't try to log the filename and line number when
+			the config parser can't open a file. [RT #22263]
+
+3196.	[bug]		nsupdate: return nonzero exit code when target zone
+			doesn't exist. [RT #25783]
+
+3195.	[cleanup]	Silence "file not found" warnings when loading
+			managed-keys zone. [RT #26340]
+
+3194.	[doc]		Updated RFC references in the 'empty-zones-enable'
+			documentation. [RT #25203]
+
+3193.	[cleanup]	Changed MAXZONEKEYS to DNS_MAXZONEKEYS, moved to
+			dnssec.h. [RT #26415]
+
+3192.	[bug]		A query structure could be used after being freed.
+			[RT #22208]
+
+3191.	[bug]		Print NULL records using "unknown" format. [RT #26392]
+
+3190.	[bug]		Underflow in error handling in isc_mutexblock_init.
+			[RT #26397]
+
+3189.	[test]		Added a summary report after system tests. [RT #25517]
+
+3188.	[bug]		zone.c:zone_refreshkeys() could fail to detach
+			references correctly when errors occurred, causing
+			a hang on shutdown. [RT #26372]
+
+3187.	[port]		win32: support for Visual Studio 2008.  [RT #26356]
+
+	--- 9.9.0b1 released ---
+
+3186.	[bug]		Version/db mismatch in rpz code. [RT #26180]
+
+3185.	[func]		New 'rndc signing' option for auto-dnssec zones:
+			 - 'rndc signing -list' displays the current
+			   state of signing operations
+			 - 'rndc signing -clear' clears the signing state
+			   records for keys that have fully signed the zone
+			 - 'rndc signing -nsec3param' sets the NSEC3
+			   parameters for the zone
+			The 'rndc keydone' syntax is removed. [RT #23729]
+
+3184.	[bug]		named had excessive cpu usage when a redirect zone was
+			configured. [RT #26013]
+
+3183.	[bug]		Added RTLD_GLOBAL flag to dlopen call. [RT #26301]
+
+3182.	[bug]		Auth servers behind firewalls which block packets
+			greater than 512 bytes may cause other servers to
+			perform poorly. Now, adb retains edns information
+			and caches noedns servers. [RT #23392/24964]
+
+3181.	[func]		Inline-signing is now supported for master zones.
+			[RT #26224]
+
+3180.	[func]		Local copies of slave zones are now saved in raw
+			format by default, to improve startup performance.
+			'masterfile-format text;' can be used to override
+			the default, if desired. [RT #25867]
+
+3179.	[port]		kfreebsd: build issues. [RT #26273]
+
+3178.	[bug]		A race condition introduced by change #3163 could
+			cause an assertion failure on shutdown. [RT #26271]
+
+3177.	[func]		'rndc keydone', remove the indicator record that
+			named has finished signing the zone with the
+			corresponding key.  [RT #26206]
+
+3176.	[doc]		Corrected example code and added a README to the
+			sample external DLZ module in contrib/dlz/example.
+			[RT #26215]
+
+3175.	[bug]		Fix how DNSSEC positive wildcard responses from a
+			NSEC3 signed zone are validated.  Stop sending a
+			unnecessary NSEC3 record when generating such
+			responses. [RT #26200]
+
+3174.	[bug]		Always compute to revoked key tag from scratch.
+			[RT #26186]
+
+3173.	[port]		Correctly validate root DS responses. [RT #25726]
+
+3172.	[port]		darwin 10.* and freebsd [89] are now built threaded by
+			default.
+
+3171.	[bug]		Exclusively lock the task when adding a zone using
+			'rndc addzone'.  [RT #25600]
+
+	--- 9.9.0a3 released ---
+
+3170.	[func]		RPZ update:
+			- fix precedence among competing rules
+			- improve ARM text including documenting rule precedence
+			- try to rewrite CNAME chains until first hit
+			- new "rpz" logging channel
+			- RDATA for CNAME rules can include wildcards
+			- replace "NO-OP" named.conf policy override with
+			  "PASSTHRU" and add "DISABLED" override ("NO-OP"
+			  is still recognized)
+			[RT #25172]
+
+3169.	[func]		Catch db/version mis-matches when calling dns_db_*().
+			[RT #26017]
+
+3168.	[bug]		Nxdomain redirection could trigger an assert with
+			a ANY query. [RT #26017]
+
+3167.	[bug]		Negative answers from forwarders were not being
+			correctly tagged making them appear to not be cached.
+			[RT #25380]
+
+3166.	[bug]		Upgrading a zone to support inline-signing failed.
+			[RT #26014]
+
+3165.	[bug]		dnssec-signzone could generate new signatures when
+			resigning, even when valid signatures were already
+			present. [RT #26025]
+
+3164.	[func]		Enable DLZ modules to retrieve client information,
+			so that responses can be changed depending on the
+			source address of the query. [RT #25768]
+
+3163.	[bug]		Use finer-grained locking in client.c to address
+			concurrency problems with large numbers of threads.
+			[RT #26044]
+
+3162.	[test]		start.pl: modified to allow for "named.args" in
+			ns*/ subdirectory to override stock arguments to
+			named. Largely from RT #26044, but no separate ticket.
+
+3161.	[bug]		zone.c:del_sigs failed to always reset rdata leading
+			assertion failures. [RT #25880]
+
+3160.	[bug]		When printing out a NSEC3 record in multiline form
+			the newline was not being printed causing type codes
+			to be run together. [RT #25873]
+
+3159.	[bug]		On some platforms, named could assert on startup
+			when running in a chrooted environment without
+			/proc. [RT #25863]
+
+3158.	[bug]		Recursive servers would prefer a particular UDP
+			socket instead of using all available sockets.
+			[RT #26038]
+
+3157.	[tuning]	Reduce the time spent in "rndc reconfig" by parsing
+			the config file before pausing the server. [RT #21373]
+
+3156.	[placeholder]
+
+	--- 9.9.0a2 released ---
+
+3155.	[bug]		Fixed a build failure when using contrib DLZ
+			drivers (e.g., mysql, postgresql, etc). [RT #25710]
+
+3154.	[bug]		Attempting to print an empty rdataset could trigger
+			an assert. [RT #25452]
+
+3153.	[func]		Extend request-ixfr to zone level and remove the
+			side effect of forcing an AXFR. [RT #25156]
+
+3152.	[cleanup]	Some versions of gcc and clang failed due to
+			incorrect use of __builtin_expect. [RT #25183]
+
+3151.	[bug]		Queries for type RRSIG or SIG could be handled
+			incorrectly.  [RT #21050]
+
+3150.	[func]		Improved startup and reconfiguration time by
+			enabling zones to load in multiple threads. [RT #25333]
+
+3149.	[placeholder]
+
+3148.	[bug]		Processing of normal queries could be stalled when
+			forwarding a UPDATE message. [RT #24711]
+
+3147.	[func]		Initial inline signing support.  [RT #23657]
+
+	--- 9.9.0a1 released ---
+
+3146.	[test]		Fixed gcc4.6.0 errors in ATF. [RT #25598]
+
+3145.	[test]		Capture output of ATF unit tests in "./atf.out" if
+			there were any errors while running them. [RT #25527]
+
+3144.	[bug]		dns_dbiterator_seek() could trigger an assert when
+			used with a nonexistent database node. [RT #25358]
+
+3143.	[bug]		Silence clang compiler warnings. [RT #25174]
+
+3142.	[bug]		NAPTR is class agnostic. [RT #25429]
+
+3141.	[bug]		Silence spurious "zone serial (0) unchanged" messages
+			associated with empty zones. [RT #25079]
+
+3140.	[func]		New command "rndc flushtree <name>" clears the
+			specified name from the server cache along with
+			all names under it. [RT #19970]
+
+3139.	[test]		Added tests from RFC 6234, RFC 2202, and RFC 1321
+			for the hashing algorithms (md5, sha1 - sha512, and
+			their hmac counterparts).  [RT #25067]
+
+3138.	[bug]		Address memory leaks and out-of-order operations when
+			shutting named down. [RT #25210]
+
+3137.	[func]		Improve hardware scalability by allowing multiple
+			worker threads to process incoming UDP packets.
+			This can significantly increase query throughput
+			on some systems.  [RT #22992]
+
+3136.	[func]		Add RFC 1918 reverse zones to the list of built-in
+			empty zones switched on by the 'empty-zones-enable'
+			option. [RT #24990]
+
+3135.	[port]		FreeBSD: workaround broken IPV6_USE_MIN_MTU processing.
+			See http://www.freebsd.org/cgi/query-pr.cgi?pr=158307
+			[RT #24950]
+
+3134.	[bug]		Improve the accuracy of dnssec-signzone's signing
+			statistics. [RT #16030]
+
+3133.	[bug]		Change #3114 was incomplete. [RT #24577]
+
+3132.	[placeholder]
+
+3131.	[tuning]	Improve scalability by allocating one zone task
+			per 100 zones at startup time, rather than using a
+			fixed-size task table. [RT #24406]
+
+3130.	[func]		Support alternate methods for managing a dynamic
+			zone's serial number.  Two methods are currently
+			defined using serial-update-method, "increment"
+			(default) and "unixtime".  [RT #23849]
+
+3129.	[bug]		Named could crash on 'rndc reconfig' when
+			allow-new-zones was set to yes and named ACLs
+			were used. [RT #22739]
+
+3128.	[func]		Inserting an NSEC3PARAM via dynamic update in an
+			auto-dnssec zone that has not been signed yet
+			will cause it to be signed with the specified NSEC3
+			parameters when keys are activated.  The
+			NSEC3PARAM record will not appear in the zone until
+			it is signed, but the parameters will be stored.
+			[RT #23684]
+
+3127.	[bug]		'rndc thaw' will now remove a zone's journal file
+			if the zone serial number has been changed and
+			ixfr-from-differences is not in use.  [RT #24687]
+
+3126.	[security]	Using DNAME record to generate replacements caused
+			RPZ to exit with a assertion failure. [RT #24766]
+
+3125.	[security]	Using wildcard CNAME records as a replacement with
+			RPZ caused named to exit with a assertion failure.
+			[RT #24715]
+
+3124.	[bug]		Use an rdataset attribute flag to indicate
+			negative-cache records rather than using rrtype 0;
+			this will prevent problems when that rrtype is
+			used in actual DNS packets. [RT #24777]
+
+3123.	[security]	Change #2912 exposed a latent flaw in
+			dns_rdataset_totext() that could cause named to
+			crash with an assertion failure. [RT #24777]
+
+3122.	[cleanup]	dnssec-settime: corrected usage message. [RT #24664]
+
+3121.	[security]	An authoritative name server sending a negative
+			response containing a very large RRset could
+			trigger an off-by-one error in the ncache code
+			and crash named. [RT #24650]
+
+3120.	[bug]		Named could fail to validate zones listed in a DLV
+			that validated insecure without using DLV and had
+			DS records in the parent zone. [RT #24631]
+
+3119.	[bug]		When rolling to a new DNSSEC key, a private-type
+			record could be created and never marked complete.
+			[RT #23253]
+
+3118.	[bug]		nsupdate could dump core on shutdown when using
+			SIG(0) keys. [RT #24604]
+
+3117.	[cleanup]	Remove doc and parser references to the
+			never-implemented 'auto-dnssec create' option.
+			[RT #24533]
+
+3116.	[func]		New 'dnssec-update-mode' option controls updates
+			of DNSSEC records in signed dynamic zones.  Set to
+			'no-resign' to disable automatic RRSIG regeneration
+			while retaining the ability to sign new or changed
+			data. [RT #24533]
+
+3115.	[bug]		Named could fail to return requested data when
+			following a CNAME that points into the same zone.
+			[RT #24455]
+
+3114.	[bug]		Retain expired RRSIGs in dynamic zones if key is
+			inactive and there is no replacement key. [RT #23136]
+
+3113.	[doc]		Document the relationship between serial-query-rate
+			and NOTIFY messages.
+
+3112.	[doc]		Add missing descriptions of the update policy name
+			types "ms-self", "ms-subdomain", "krb5-self" and
+			"krb5-subdomain", which allow machines to update
+			their own records, to the BIND 9 ARM.
+
+3111.	[bug]		Improved consistency checks for dnssec-enable and
+			dnssec-validation, added test cases to the
+			checkconf system test. [RT #24398]
+
+3110.	[bug]		dnssec-signzone: Wrong error message could appear
+			when attempting to sign with no KSK. [RT #24369]
+
+3109.	[func]		The also-notify option now uses the same syntax
+			as a zone's masters clause.  This means it is
+			now possible to specify a TSIG key to use when
+			sending notifies to a given server, or to include
+			an explicit named masters list in an also-notify
+			statement.  [RT #23508]
+
+3108.	[cleanup]	dnssec-signzone: Clarified some error and
+			warning messages; removed #ifdef ALLOW_KSKLESS_ZONES
+			code (use -P instead). [RT #20852]
+
+3107.	[bug]		dnssec-signzone: Report the correct number of ZSKs
+			when using -x. [RT #20852]
+
+3106.	[func]		When logging client requests, include the name of
+			the TSIG key if any. [RT #23619]
+
+3105.	[bug]		GOST support can be suppressed by "configure
+			--without-gost" [RT #24367]
+
+3104.	[bug]		Better support for cross-compiling. [RT #24367]
+
+3103.	[bug]		Configuring 'dnssec-validation auto' in a view
+			instead of in the options statement could trigger
+			an assertion failure in named-checkconf. [RT #24382]
+
+3102.	[func]		New 'dnssec-loadkeys-interval' option configures
+			how often, in minutes, to check the key repository
+			for updates when using automatic key maintenance.
+			Default is every 60 minutes (formerly hard-coded
+			to 12 hours). [RT #23744]
+
+3101.	[bug]		Zones using automatic key maintenance could fail
+			to check the key repository for updates. [RT #23744]
+
+3100.	[security]	Certain response policy zone configurations could
+			trigger an INSIST when receiving a query of type
+			RRSIG. [RT #24280]
+
+3099.	[test]		"dlz" system test now runs but gives R:SKIPPED if
+			not compiled with --with-dlz-filesystem.  [RT #24146]
+
+3098.	[bug]		DLZ zones were answering without setting the AA bit.
+			[RT #24146]
+
+3097.	[test]		Add a tool to test handling of malformed packets.
+			[RT #24096]
+
+3096.	[bug]		Set KRB5_KTNAME before calling log_cred() in
+			dst_gssapi_acceptctx(). [RT #24004]
+
+3095.	[bug]		Handle isolated reserved ports in the port range.
+			[RT #23957]
+
+3094.	[doc]		Expand dns64 documentation.
+
+3093.	[bug]		Fix gssapi/kerberos dependencies [RT #23836]
+
+3092.	[bug]		Signatures for records at the zone apex could go
+			stale due to an incorrect timer setting. [RT #23769]
+
+3091.	[bug]		Fixed a bug in which zone keys that were published
+			and then subsequently activated could fail to trigger
+			automatic signing. [RT #22911]
+
+3090.	[func]		Make --with-gssapi default [RT #23738]
+
+3089.	[func]		dnssec-dsfromkey now supports reading keys from
+			standard input "dnssec-dsfromkey -f -". [RT #20662]
+
+3088.	[bug]		Remove bin/tests/system/logfileconfig/ns1/named.conf
+			and add setup.sh in order to resolve changing
+			named.conf issue.  [RT #23687]
+
+3087.	[bug]		DDNS updates using SIG(0) with update-policy match
+			type "external" could cause a crash. [RT #23735]
+
+3086.	[bug]		Running dnssec-settime -f on an old-style key will
+			now force an update to the new key format even if no
+			other change has been specified, using "-P now -A now"
+			as default values.  [RT #22474]
+
+3085.	[func]		New '-R' option in dnssec-signzone forces removal
+			of signatures which have not yet expired but
+			were generated by a key that no longer exists.
+			[RT #22471]
+
+3084.	[func]		A new command "rndc sync" dumps pending changes in
+			a dynamic zone to disk; "rndc sync -clean" also
+			removes the journal file after syncing.  Also,
+			"rndc freeze" no longer removes journal files.
+			[RT #22473]
+
+3083.	[bug]		NOTIFY messages were not being sent when generating
+			a NSEC3 chain incrementally. [RT #23702]
+
+3082.	[port]		strtok_r is threads only. [RT #23747]
+
+3081.	[bug]		Failure of DNAME substitution did not return
+			YXDOMAIN. [RT #23591]
+
+3080.	[cleanup]	Replaced compile time constant by STDTIME_ON_32BITS.
+			[RT #23587]
+
+3079.	[bug]		Handle isc_event_allocate failures in t_tasks.
+			[RT #23572]
+
+3078.	[func]		Added a new include file with function typedefs
+			for the DLZ "dlopen" driver. [RT #23629]
+
+3077.	[bug]		zone.c:zone_refreshkeys() incorrectly called
+			dns_zone_attach(), use zone->irefs instead. [RT #23303]
+
+3076.	[func]		New '-L' option in dnssec-keygen, dnsset-settime, and
+			dnssec-keyfromlabel sets the default TTL of the
+			key.  When possible, automatic signing will use that
+			TTL when the key is published.  [RT #23304]
+
+3075.	[bug]		dns_dnssec_findzonekeys{2} used a inconsistent
+			timestamp when determining which keys are active.
+			[RT #23642]
+
+3074.	[bug]		Make the adb cache read through for zone data and
+			glue learn for zone named is authoritative for.
+			[RT #22842]
+
+3073.	[bug]		managed-keys changes were not properly being recorded.
+			[RT #20256]
+
+3072.	[bug]		dns_dns64_aaaaok() potential NULL pointer dereference.
+			[RT #20256]
+
+3071.	[bug]		has_nsec could be used uninitialized in
+			update.c:next_active. [RT #20256]
+
+3070.	[bug]		dnssec-signzone potential NULL pointer dereference.
+			[RT #20256]
+
+3069.	[cleanup]	Silence warnings messages from clang static analysis.
+			[RT #20256]
+
+3068.	[bug]		Named failed to build with a OpenSSL without engine
+			support. [RT #23473]
+
+3067.	[bug]		ixfr-from-differences {master|slave}; failed to
+			select the master/slave zones.  [RT #23580]
+
+3066.	[func]		The DLZ "dlopen" driver is now built by default,
+			no longer requiring a configure option.  To
+			disable it, use "configure --without-dlopen".
+			Driver also supported on win32.  [RT #23467]
+
+3065.	[bug]		RRSIG could have time stamps too far in the future.
+			[RT #23356]
+
+3064.	[bug]		powerpc: add sync instructions to the end of atomic
+			operations. [RT #23469]
+
+3063.	[contrib]	More verbose error reporting from DLZ LDAP. [RT #23402]
+
+3062.	[func]		Made several changes to enhance human readability
+			of DNSSEC data in dig output and in generated
+			zone files:
+			 - DNSKEY record comments are more verbose, no
+			   longer used in multiline mode only
+			 - multiline RRSIG records reformatted
+			 - multiline output mode for NSEC3PARAM records
+			 - "dig +norrcomments" suppresses DNSKEY comments
+			 - "dig +split=X" breaks hex/base64 records into
+			   fields of width X; "dig +nosplit" disables this.
+			[RT #22820]
+
+3061.	[func]		New option "dnssec-signzone -D", only write out
+			generated DNSSEC records. [RT #22896]
+
+3060.	[func]		New option "dnssec-signzone -X <date>" allows
+			specification of a separate expiration date
+			for DNSKEY RRSIGs and other RRSIGs. [RT #22141]
+
+3059.	[test]		Added a regression test for change #3023.
+
+3058.	[bug]		Cause named to terminate at startup or rndc reconfig/
+			reload to fail, if a log file specified in the conf
+			file isn't a plain file. [RT #22771]
+
+3057.	[bug]		"rndc secroots" would abort after the first error
+			and so could miss some views. [RT #23488]
+
+3056.	[func]		Added support for URI resource record. [RT #23386]
+
+3055.	[placeholder]
+
+3054.	[bug]		Added elliptic curve support check in
+			GOST OpenSSL engine detection. [RT #23485]
+
+3053.	[bug]		Under a sustained high query load with a finite
+			max-cache-size, it was possible for cache memory
+			to be exhausted and not recovered. [RT #23371]
+
+3052.	[test]		Fixed last autosign test report. [RT #23256]
+
+3051.	[bug]		NS records obscure DNAME records at the bottom of the
+			zone if both are present. [RT #23035]
+
+3050.	[bug]		The autosign system test was timing dependent.
+			Wait for the initial autosigning to complete
+			before running the rest of the test. [RT #23035]
+
+3049.	[bug]		Save and restore the gid when creating creating
+			named.pid at startup. [RT #23290]
+
+3048.	[bug]		Fully separate view key management. [RT #23419]
+
+3047.	[bug]		DNSKEY NODATA responses not cached fixed in
+			validator.c. Tests added to dnssec system test.
+			[RT #22908]
+
+3046.	[bug]		Use RRSIG original TTL to compute validated RRset
+			and RRSIG TTL. [RT #23332]
+
+3045.	[removed]	Replaced by change #3050.
+
+3044.	[bug]		Hold the socket manager lock while freeing the socket.
+			[RT #23333]
+
+3043.	[test]		Merged in the NetBSD ATF test framework (currently
+			version 0.12) for development of future unit tests.
+			Use configure --with-atf to build ATF internally
+			or configure --with-atf=prefix to use an external
+			copy.  [RT #23209]
+
+3042.	[bug]		dig +trace could fail attempting to use IPv6
+			addresses on systems with only IPv4 connectivity.
+			[RT #23297]
+
+3041.	[bug]		dnssec-signzone failed to generate new signatures on
+			ttl changes. [RT #23330]
+
+3040.	[bug]		Named failed to validate insecure zones where a node
+			with a CNAME existed between the trust anchor and the
+			top of the zone. [RT #23338]
+
+3039.	[func]		Redirect on NXDOMAIN support. [RT #23146]
+
+3038.	[bug]		Install <dns/rpz.h>.  [RT #23342]
+
+3037.	[doc]		Update COPYRIGHT to contain all the individual
+			copyright notices that cover various parts.
+
+3036.	[bug]		Check built-in zone arguments to see if the zone
+			is re-usable or not. [RT #21914]
+
+3035.	[cleanup]	Simplify by using strlcpy. [RT #22521]
+
+3034.	[cleanup]	nslookup: use strlcpy instead of safecopy. [RT #22521]
+
+3033.	[cleanup]	Add two INSIST(bucket != DNS_ADB_INVALIDBUCKET).
+			[RT #22521]
+
+3032.	[bug]		rdatalist.c: add missing REQUIREs. [RT #22521]
+
+3031.	[bug]		dns_rdataclass_format() handle a zero sized buffer.
+			[RT #22521]
+
+3030.	[bug]		dns_rdatatype_format() handle a zero sized buffer.
+			[RT #22521]
+
+3029.	[bug]		isc_netaddr_format() handle a zero sized buffer.
+			[RT #22521]
+
+3028.	[bug]		isc_sockaddr_format() handle a zero sized buffer.
+			[RT #22521]
+
+3027.	[bug]		Add documented REQUIREs to cfg_obj_asnetprefix() to
+			catch NULL pointer dereferences before they happen.
+			[RT #22521]
+
+3026.	[bug]		lib/isc/httpd.c: check that we have enough space
+			after calling grow_headerspace() and if not
+			re-call grow_headerspace() until we do. [RT #22521]
+
+3025.	[bug]		Fixed a possible deadlock due to zone resigning.
+			[RT #22964]
+
+3024.	[func]		RTT Banding removed due to minor security increase
+			but major impact on resolver latency. [RT #23310]
+
+3023.	[bug]		Named could be left in an inconsistent state when
+			receiving multiple AXFR response messages that were
+			not all TSIG-signed. [RT #23254]
+
+3022.	[bug]		Fixed rpz SERVFAILs after failed zone transfers
+			[RT #23246]
+
+3021.	[bug]		Change #3010 was incomplete. [RT #22296]
+
+3020.	[bug]		auto-dnssec failed to correctly update the zone when
+			changing the DNSKEY RRset. [RT #23232]
+
+3019.	[test]		Test: check apex NSEC3 records after adding DNSKEY
+			record via UPDATE. [RT #23229]
+
+3018.	[bug]		Named failed to check for the "none;" acl when deciding
+			if a zone may need to be re-signed. [RT #23120]
+
+3017.	[doc]		dnssec-keyfromlabel -I was not properly documented.
+			[RT #22887]
+
+3016.	[bug]		rndc usage missing '-b'. [RT #22937]
+
+3015.	[port]		win32: fix IN6_IS_ADDR_LINKLOCAL and
+			IN6_IS_ADDR_SITELOCAL macros. [RT #22724]
+
+3014.	[placeholder]
+
+3013.	[bug]		The DNS64 ttl was not always being set as expected.
+			[RT #23034]
+
+3012.	[bug]		Remove DNSKEY TTL change pairs before generating
+			signing records for any remaining DNSKEY changes.
+			[RT #22590]
+
+3011.	[func]		Change the default query timeout from 30 seconds
+			to 10.  Allow setting this in named.conf using the new
+			'resolver-query-timeout' option, which specifies a max
+			time in seconds.  0 means 'default' and anything longer
+			than 30 will be silently set to 30. [RT #22852]
+
+3010.	[bug]		Fixed a bug where "rndc reconfig" stopped the timer
+			for refreshing managed-keys. [RT #22296]
+
+3009.	[bug]		clients-per-query code didn't work as expected with
+			particular query patterns. [RT #22972]
+
+	--- 9.8.0b1 released ---
+
+3008.	[func]		Response policy zones (RPZ) support. [RT #21726]
+
+3007.	[bug]		Named failed to preserve the case of domain names in
+			rdata which is not compressible when writing master
+			files.  [RT #22863]
+
+3006.	[func]		Allow dynamically generated TSIG keys to be preserved
+			across restarts of named.  Initially this is for
+			TSIG keys generated using GSSAPI. [RT #22639]
+
+3005.	[port]		Solaris: Work around the lack of
+			gsskrb5_register_acceptor_identity() by setting
+			the KRB5_KTNAME environment variable to the
+			contents of tkey-gssapi-keytab.  Also fixed
+			test errors on MacOSX.  [RT #22853]
+
+3004.	[func]		DNS64 reverse support. [RT #22769]
+
+3003.	[experimental]	Added update-policy match type "external",
+			enabling named to defer the decision of whether to
+			allow a dynamic update to an external daemon.
+			(Contributed by Andrew Tridgell.) [RT #22758]
+
+3002.	[bug]		isc_mutex_init_errcheck() failed to destroy attr.
+			[RT #22766]
+
+3001.	[func]		Added a default trust anchor for the root zone, which
+			can be switched on by setting "dnssec-validation auto;"
+			in the named.conf options. [RT #21727]
+
+3000.	[bug]		More TKEY/GSS fixes:
+			 - nsupdate can now get the default realm from
+			   the user's Kerberos principal
+			 - corrected gsstest compilation flags
+			 - improved documentation
+			 - fixed some NULL dereferences
+			[RT #22795]
+
+2999.	[func]		Add GOST support (RFC 5933). [RT #20639]
+
+2998.	[func]		Add isc_task_beginexclusive and isc_task_endexclusive
+			to the task api. [RT #22776]
+
+2997.	[func]		named -V now reports the OpenSSL and libxml2 versions
+			it was compiled against. [RT #22687]
+
+2996.	[security]	Temporarily disable SO_ACCEPTFILTER support.
+			[RT #22589]
+
+2995.	[bug]		The Kerberos realm was not being correctly extracted
+			from the signer's identity. [RT #22770]
+
+2994.	[port]		NetBSD: use pthreads by default on NetBSD >= 5.0, and
+			do not use threads on earlier versions.  Also kill
+			the unproven-pthreads, mit-pthreads, and ptl2 support.
+
+2993.	[func]		Dynamically grow adb hash tables. [RT #21186]
+
+2992.	[contrib]	contrib/check-secure-delegation.pl:  A simple tool
+			for looking at a secure delegation. [RT #22059]
+
+2991.	[contrib]	contrib/zone-edit.sh: A simple zone editing tool for
+			dynamic zones. [RT #22365]
+
+2990.	[bug]		'dnssec-settime -S' no longer tests prepublication
+			interval validity when the interval is set to 0.
+			[RT #22761]
+
+2989.	[func]		Added support for writable DLZ zones. (Contributed
+			by Andrew Tridgell of the Samba project.) [RT #22629]
+
+2988.	[experimental]	Added a "dlopen" DLZ driver, allowing the creation
+			of external DLZ drivers that can be loaded as
+			shared objects at runtime rather than linked with
+			named.  Currently this is switched on via a
+			compile-time option, "configure --with-dlz-dlopen".
+			Note: the syntax for configuring DLZ zones
+			is likely to be refined in future releases.
+			(Contributed by Andrew Tridgell of the Samba
+			project.) [RT #22629]
+
+2987.	[func]		Improve ease of configuring TKEY/GSS updates by
+			adding a "tkey-gssapi-keytab" option.  If set,
+			updates will be allowed with any key matching
+			a principal in the specified keytab file.
+			"tkey-gssapi-credential" is no longer required
+			and is expected to be deprecated.  (Contributed
+			by Andrew Tridgell of the Samba project.)
+			[RT #22629]
+
+2986.	[func]		Add new zone type "static-stub".  It's like a stub
+			zone, but the nameserver names and/or their IP
+			addresses are statically configured. [RT #21474]
+
+2985.	[bug]		Add a regression test for change #2896. [RT #21324]
+
+2984.	[bug]		Don't run MX checks when the target of the MX record
+			is ".".  [RT #22645]
+
+2983.	[bug]		Include "loadkeys" in rndc help output. [RT #22493]
+
+	--- 9.8.0a1 released ---
+
+2982.	[bug]		Reference count dst keys.  dst_key_attach() can be used
+			increment the reference count.
+
+			Note: dns_tsigkey_createfromkey() callers should now
+			always call dst_key_free() rather than setting it
+			to NULL on success. [RT #22672]
+
+2981.	[func]		Partial DNS64 support (AAAA synthesis). [RT #21991]
+
+2980.	[bug]		named didn't properly handle UPDATES that changed the
+			TTL of the NSEC3PARAM RRset. [RT #22363]
+
+2979.	[bug]		named could deadlock during shutdown if two
+			"rndc stop" commands were issued at the same
+			time. [RT #22108]
+
+2978.	[port]		hpux: look for <devpoll.h> [RT #21919]
+
+2977.	[bug]		'nsupdate -l' report if the session key is missing.
+			[RT #21670]
+
+2976.	[bug]		named could die on exit after negotiating a GSS-TSIG
+			key. [RT #22573]
+
+2975.	[bug]		rbtdb.c:cleanup_dead_nodes_callback() acquired the
+			wrong lock which could lead to server deadlock.
+			[RT #22614]
+
+2974.	[bug]		Some valid UPDATE requests could fail due to a
+			consistency check examining the existing version
+			of the zone rather than the new version resulting
+			from the UPDATE. [RT #22413]
+
+2973.	[bug]		bind.keys.h was being removed by the "make clean"
+			at the end of configure resulting in build failures
+			where there is very old version of perl installed.
+			Move it to "make maintainer-clean". [RT #22230]
+
+2972.	[bug]		win32: address windows socket errors. [RT #21906]
+
+2971.	[bug]		Fixed a bug that caused journal files not to be
+			compacted on Windows systems as a result of
+			non-POSIX-compliant rename() semantics. [RT #22434]
+
+2970.	[security]	Adding a NO DATA negative cache entry failed to clear
+			any matching RRSIG records.  A subsequent lookup of
+			of NO DATA cache entry could trigger a INSIST when the
+			unexpected RRSIG was also returned with the NO DATA
+			cache entry.
+
+			CVE-2010-3613, VU#706148. [RT #22288]
+
+2969.	[security]	Fix acl type processing so that allow-query works
+			in options and view statements.  Also add a new
+			set of tests to verify proper functioning.
+
+			CVE-2010-3615, VU#510208. [RT #22418]
+
+2968.	[security]	Named could fail to prove a data set was insecure
+			before marking it as insecure.  One set of conditions
+			that can trigger this occurs naturally when rolling
+			DNSKEY algorithms.
+
+			CVE-2010-3614, VU#837744. [RT #22309]
+
+2967.	[bug]		'host -D' now turns on debugging messages earlier.
+			[RT #22361]
+
+2966.	[bug]		isc_print_vsnprintf() failed to check if there was
+			space available in the buffer when adding a left
+			justified character with a non zero width,
+			(e.g. "%-1c"). [RT #22270]
+
+2965.	[func]		Test HMAC functions using test data from RFC 2104 and
+			RFC 4634. [RT #21702]
+
+2964.	[placeholder]
+
+2963.	[security]	The allow-query acl was being applied instead of the
+			allow-query-cache acl to cache lookups. [RT #22114]
+
+2962.	[port]		win32: add more dependencies to BINDBuild.dsw.
+			[RT #22062]
+
+2961.	[bug]		Be still more selective about the non-authoritative
+			answers we apply change 2748 to. [RT #22074]
+
+2960.	[func]		Check that named accepts non-authoritative answers.
+			[RT #21594]
+
+2959.	[func]		Check that named starts with a missing masterfile.
+			[RT #22076]
+
+2958.	[bug]		named failed to start with a missing master file.
+			[RT #22076]
+
+2957.	[bug]		entropy_get() and entropy_getpseudo() failed to match
+			the API for RAND_bytes() and RAND_pseudo_bytes()
+			respectively. [RT #21962]
+
+2956.	[port]		Enable atomic operations on the PowerPC64. [RT #21899]
+
+2955.	[func]		Provide more detail in the recursing log. [RT #22043]
+
+2954.	[bug]		contrib: dlz_mysql_driver.c bad error handling on
+			build_sqldbinstance failure. [RT #21623]
+
+2953.	[bug]		Silence spurious "expected covering NSEC3, got an
+			exact match" message when returning a wildcard
+			no data response. [RT #21744]
+
+2952.	[port]		win32: named-checkzone and named-checkconf failed
+			to initialize winsock. [RT #21932]
+
+2951.	[bug]		named failed to generate a correct signed response
+			in a optout, delegation only zone with no secure
+			delegations. [RT #22007]
+
+2950.	[bug]		named failed to perform a SOA up to date check when
+			falling back to TCP on UDP timeouts when
+			ixfr-from-differences was set. [RT #21595]
+
+2949.	[bug]		dns_view_setnewzones() contained a memory leak if
+			it was called multiple times. [RT #21942]
+
+2948.	[port]		MacOS: provide a mechanism to configure the test
+			interfaces at reboot. See bin/tests/system/README
+			for details.
+
+2947.	[placeholder]
+
+2946.	[doc]		Document the default values for the minimum and maximum
+			zone refresh and retry values in the ARM. [RT #21886]
+
+2945.	[doc]		Update empty-zones list in ARM. [RT #21772]
+
+2944.	[maint]		Remove ORCHID prefix from built in empty zones.
+			[RT #21772]
+
+2943.	[func]		Add support to load new keys into managed zones
+			without signing immediately with "rndc loadkeys".
+			Add support to link keys with "dnssec-keygen -S"
+			and "dnssec-settime -S".  [RT #21351]
+
+2942.	[contrib]	zone2sqlite failed to setup the entropy sources.
+			[RT #21610]
+
+2941.	[bug]		sdb and sdlz (dlz's zone database) failed to support
+			DNAME at the zone apex.  [RT #21610]
+
+2940.	[port]		Remove connection aborted error message on
+			Windows. [RT #21549]
+
+2939.	[func]		Check that named successfully skips NSEC3 records
+			that fail to match the NSEC3PARAM record currently
+			in use. [RT #21868]
+
+2938.	[bug]		When generating signed responses, from a signed zone
+			that uses NSEC3, named would use a uninitialized
+			pointer if it needed to skip a NSEC3 record because
+			it didn't match the selected NSEC3PARAM record for
+			zone. [RT #21868]
+
+2937.	[bug]		Worked around an apparent race condition in over
+			memory conditions.  Without this fix a DNS cache DB or
+			ADB could incorrectly stay in an over memory state,
+			effectively refusing further caching, which
+			subsequently made a BIND 9 caching server unworkable.
+			This fix prevents this problem from happening by
+			polling the state of the memory context, rather than
+			making a copy of the state, which appeared to cause
+			a race.  This is a "workaround" in that it doesn't
+			solve the possible race per se, but several experiments
+			proved this change solves the symptom.  Also, the
+			polling overhead hasn't been reported to be an issue.
+			This bug should only affect a caching server that
+			specifies a finite max-cache-size.  It's also quite
+			likely that the bug happens only when enabling threads,
+			but it's not confirmed yet. [RT #21818]
+
+2936.	[func]		Improved configuration syntax and multiple-view
+			support for addzone/delzone feature (see change
+			#2930).  Removed "new-zone-file" option, replaced
+			with "allow-new-zones (yes|no)".  The new-zone-file
+			for each view is now created automatically, with
+			a filename generated from a hash of the view name.
+			It is no longer necessary to "include" the
+			new-zone-file in named.conf; this happens
+			automatically.  Zones that were not added via
+			"rndc addzone" can no longer be removed with
+			"rndc delzone". [RT #19447]
+
+2935.	[bug]		nsupdate: improve 'file not found' error message.
+			[RT #21871]
+
+2934.	[bug]		Use ANSI C compliant shift range in lib/isc/entropy.c.
+			[RT #21871]
+
+2933.	[bug]		'dig +nsid' used stack memory after it went out of
+			scope.  This could potentially result in a unknown,
+			potentially malformed, EDNS option being sent instead
+			of the desired NSID option. [RT #21781]
+
+2932.	[cleanup]	Corrected a numbering error in the "dnssec" test.
+			[RT #21597]
+
+2931.	[bug]		Temporarily and partially disable change 2864
+			because it would cause infinite attempts of RRSIG
+			queries.  This is an urgent care fix; we'll
+			revisit the issue and complete the fix later.
+			[RT #21710]
+
+2930.	[experimental]	New "rndc addzone" and "rndc delzone" commands
+			allow dynamic addition and deletion of zones.
+			To enable this feature, specify a "new-zone-file"
+			option at the view or options level in named.conf.
+			Zone configuration information for the new zones
+			will be written into that file.  To make the new
+			zones persist after a restart, "include" the file
+			into named.conf in the appropriate view.  (Note:
+			This feature is not yet documented, and its syntax
+			is expected to change.) [RT #19447]
+
+2929.	[bug]		Improved handling of GSS security contexts:
+			 - added LRU expiration for generated TSIGs
+			 - added the ability to use a non-default realm
+			 - added new "realm" keyword in nsupdate
+			 - limited lifetime of generated keys to 1 hour
+			   or the lifetime of the context (whichever is
+			   smaller)
+			[RT #19737]
+
+2928.	[bug]		Be more selective about the non-authoritative
+			answer we apply change 2748 to. [RT #21594]
+
+2927.	[placeholder]
+
+2926.	[placeholder]
+
+2925.	[bug]		Named failed to accept uncachable negative responses
+			from insecure zones. [RT #21555]
+
+2924.	[func]		'rndc  secroots'  dump a combined summary of the
+			current managed keys combined with trusted keys.
+			[RT #20904]
+
+2923.	[bug]		'dig +trace' could drop core after "connection
+			timeout". [RT #21514]
+
+2922.	[contrib]	Update zkt to version 1.0.
+
+2921.	[bug]		The resolver could attempt to destroy a fetch context
+			too soon.  [RT #19878]
+
+2920.	[func]		Allow 'filter-aaaa-on-v4' to be applied selectively
+			to IPv4 clients.  New acl 'filter-aaaa' (default any).
+
+2919.	[func]		Add autosign-ksk and autosign-zsk virtual time tests.
+			[RT #20840]
+
+2918.	[maint]		Add AAAA address for I.ROOT-SERVERS.NET.
+
+2917.	[func]		Virtual time test framework. [RT #20801]
+
+2916.	[func]		Add framework to use IPv6 in tests.
+			fd92:7065:b8e:ffff::1 ... fd92:7065:b8e:ffff::7
+
+2915.	[cleanup]	Be smarter about which objects we attempt to compile
+			based on configure options. [RT #21444]
+
+2914.	[bug]		Make the "autosign" system test more portable.
+			[RT #20997]
+
+2913.	[func]		Add pkcs#11 system tests. [RT #20784]
+
+2912.	[func]		Windows clients don't like UPDATE responses that clear
+			the zone section. [RT #20986]
+
+2911.	[bug]		dnssec-signzone didn't handle out of zone records well.
+			[RT #21367]
+
+2910.	[func]		Sanity check Kerberos credentials. [RT #20986]
+
+2909.	[bug]		named-checkconf -p could die if "update-policy local;"
+			was specified in named.conf. [RT #21416]
+
+2908.	[bug]		It was possible for re-signing to stop after removing
+			a DNSKEY. [RT #21384]
+
+2907.	[bug]		The export version of libdns had undefined references.
+			[RT #21444]
+
+2906.	[bug]		Address RFC 5011 implementation issues. [RT #20903]
+
+2905.	[port]		aix: set use_atomic=yes with native compiler.
+			[RT #21402]
+
+2904.	[bug]		When using DLV, sub-zones of the zones in the DLV,
+			could be incorrectly marked as insecure instead of
+			secure leading to negative proofs failing.  This was
+			a unintended outcome from change 2890. [RT #21392]
+
+2903.	[bug]		managed-keys-directory missing from namedconf.c.
+			[RT #21370]
+
+2902.	[func]		Add regression test for change 2897. [RT #21040]
+
+2901.	[port]		Use AC_C_FLEXIBLE_ARRAY_MEMBER. [RT #21316]
+
+2900.	[bug]		The placeholder negative caching element was not
+			properly constructed triggering a INSIST in
+			dns_ncache_towire(). [RT #21346]
+
+2899.	[port]		win32: Support linking against OpenSSL 1.0.0.
+
+2898.	[bug]		nslookup leaked memory when -domain=value was
+			specified. [RT #21301]
+
+2897.	[bug]		NSEC3 chains could be left behind when transitioning
+			to insecure. [RT #21040]
+
+2896.	[bug]		"rndc sign" failed to properly update the zone
+			when adding a DNSKEY for publication only. [RT #21045]
+
+2895.	[func]		genrandom: add support for the generation of multiple
+			files.  [RT #20917]
+
+2894.	[contrib]	DLZ LDAP support now use '$' not '%'. [RT #21294]
+
+2893.	[bug]		Improve managed keys support.  New named.conf option
+			managed-keys-directory. [RT #20924]
+
+2892.	[bug]		Handle REVOKED keys better. [RT #20961]
+
+2891.	[maint]		Update empty-zones list to match
+			draft-ietf-dnsop-default-local-zones-13. [RT #21099]
+
+2890.	[bug]		Handle the introduction of new trusted-keys and
+			DS, DLV RRsets better. [RT #21097]
+
+2889.	[bug]		Elements of the grammar where not properly reported.
+			[RT #21046]
+
+2888.	[bug]		Only the first EDNS option was displayed. [RT #21273]
+
+2887.	[bug]		Report the keytag times in UTC in the .key file,
+			local time is presented as a comment within the
+			comment.  [RT #21223]
+
+2886.	[bug]		ctime() is not thread safe. [RT #21223]
+
+2885.	[bug]		Improve -fno-strict-aliasing support probing in
+			configure. [RT #21080]
+
+2884.	[bug]		Insufficient validation in dns_name_getlabelsequence().
+			[RT #21283]
+
+2883.	[bug]		'dig +short' failed to handle really large datasets.
+			[RT #21113]
+
+2882.	[bug]		Remove memory context from list of active contexts
+			before clearing 'magic'. [RT #21274]
+
+2881.	[bug]		Reduce the amount of time the rbtdb write lock
+			is held when closing a version. [RT #21198]
+
+2880.	[cleanup]	Make the output of dnssec-keygen and dnssec-revoke
+			consistent. [RT #21078]
+
+2879.	[contrib]	DLZ bdbhpt driver fails to close correct cursor.
+			[RT #21106]
+
+2878.	[func]		Incrementally write the master file after performing
+			a AXFR.  [RT #21010]
+
+2877.	[bug]		The validator failed to skip obviously mismatching
+			RRSIGs. [RT #21138]
+
+2876.	[bug]		Named could return SERVFAIL for negative responses
+			from unsigned zones. [RT #21131]
+
+2875.	[bug]		dns_time64_fromtext() could accept non digits.
+			[RT #21033]
+
+2874.	[bug]		Cache lack of EDNS support only after the server
+			successfully responds to the query using plain DNS.
+			[RT #20930]
+
+2873.	[bug]		Canceling a dynamic update via the dns/client module
+			could trigger an assertion failure. [RT #21133]
+
+2872.	[bug]		Modify dns/client.c:dns_client_createx() to only
+			require one of IPv4 or IPv6 rather than both.
+			[RT #21122]
+
+2871.	[bug]		Type mismatch in mem_api.c between the definition and
+			the header file, causing build failure with
+			--enable-exportlib. [RT #21138]
+
+2870.	[maint]		Add AAAA address for L.ROOT-SERVERS.NET.
+
+2869.	[bug]		Fix arguments to dns_keytable_findnextkeynode() call.
+			[RT #20877]
+
+2868.	[cleanup]	Run "make clean" at the end of configure to ensure
+			any changes made by configure are integrated.
+			Use --with-make-clean=no to disable.  [RT #20994]
+
+2867.	[bug]		Don't set GSS_C_SEQUENCE_FLAG as Windows DNS servers
+			don't like it.  [RT #20986]
+
+2866.	[bug]		Windows does not like the TSIG name being compressed.
+			[RT #20986]
+
+2865.	[bug]		memset to zero event.data.  [RT #20986]
+
+2864.	[bug]		Direct SIG/RRSIG queries were not handled correctly.
+			[RT #21050]
+
+2863.	[port]		linux: disable IPv6 PMTUD and use network minimum MTU.
+			[RT #21056]
+
+2862.	[bug]		nsupdate didn't default to the parent zone when
+			updating DS records. [RT #20896]
+
+2861.	[doc]		dnssec-settime man pages didn't correctly document the
+			inactivation time. [RT #21039]
+
+2860.	[bug]		named-checkconf's usage was out of date. [RT #21039]
+
+2859.	[bug]		When canceling validation it was possible to leak
+			memory. [RT #20800]
+
+2858.	[bug]		RTT estimates were not being adjusted on ICMP errors.
+			[RT #20772]
+
+2857.	[bug]		named-checkconf did not fail on a bad trusted key.
+			[RT #20705]
+
+2856.	[bug]		The size of a memory allocation was not always properly
+			recorded. [RT #20927]
+
+2855.	[func]		nsupdate will now preserve the entered case of domain
+			names in update requests it sends. [RT #20928]
+
+2854.	[func]		dig: allow the final soa record in a axfr response to
+			be suppressed, dig +onesoa. [RT #20929]
+
+2853.	[bug]		add_sigs() could run out of scratch space. [RT #21015]
+
+2852.	[bug]		Handle broken DNSSEC trust chains better. [RT #15619]
+
+2851.	[doc]		nslookup.1, removed <informalexample> from the docbook
+			source as it produced bad nroff.  [RT #21007]
+
+2850.	[bug]		If isc_heap_insert() failed due to memory shortage
+			the heap would have corrupted entries. [RT #20951]
+
+2849.	[bug]		Don't treat errors from the xml2 library as fatal.
+			[RT #20945]
+
+2848.	[doc]		Moved README.dnssec, README.libdns, README.pkcs11 and
+			README.rfc5011 into the ARM. [RT #20899]
+
+2847.	[cleanup]	Corrected usage message in dnssec-settime. [RT #20921]
+
+2846.	[bug]		EOF on unix domain sockets was not being handled
+			correctly. [RT #20731]
+
+2845.	[bug]		RFC 5011 client could crash on shutdown. [RT #20903]
+
+2844.	[doc]		notify-delay default in ARM was wrong.  It should have
+			been five (5) seconds.
+
+2843.	[func]		Prevent dnssec-keygen and dnssec-keyfromlabel from
+			creating key files if there is a chance that the new
+			key ID will collide with an existing one after
+			either of the keys has been revoked.  (To override
+			this in the case of dnssec-keyfromlabel, use the -y
+			option.  dnssec-keygen will simply create a
+			different, non-colliding key, so an override is
+			not necessary.) [RT #20838]
+
+2842.	[func]		Added "smartsign" and improved "autosign" and
+			"dnssec" regression tests. [RT #20865]
+
+2841.	[bug]		Change 2836 was not complete. [RT #20883]
+
+2840.	[bug]		Temporary fixed pkcs11-destroy usage check.
+			[RT #20760]
+
+2839.	[bug]		A KSK revoked by named could not be deleted.
+			[RT #20881]
+
+2838.	[placeholder]
+
+2837.	[port]		Prevent Linux spurious warnings about fwrite().
+			[RT #20812]
+
+2836.	[bug]		Keys that were scheduled to become active could
+			be delayed. [RT #20874]
+
+2835.	[bug]		Key inactivity dates were inadvertently stored in
+			the private key file with the outdated tag
+			"Unpublish" rather than "Inactive".  This has been
+			fixed; however, any existing keys that had Inactive
+			dates set will now need to have them reset, using
+			'dnssec-settime -I'. [RT #20868]
+
+2834.	[bug]		HMAC-SHA* keys that were longer than the algorithm
+			digest length were used incorrectly, leading to
+			interoperability problems with other DNS
+			implementations.  This has been corrected.
+			(Note: If an oversize key is in use, and
+			compatibility is needed with an older release of
+			BIND, the new tool "isc-hmac-fixup" can convert
+			the key secret to a form that will work with all
+			versions.) [RT #20751]
+
+2833.	[cleanup]	Fix usage messages in dnssec-keygen and dnssec-settime.
+			[RT #20851]
+
+2832.	[bug]		Modify "struct stat" in lib/export/samples/nsprobe.c
+			to avoid redefinition in some OSs [RT 20831]
+
+2831.	[security]	Do not attempt to validate or cache
+			out-of-bailiwick data returned with a secure
+			answer; it must be re-fetched from its original
+			source and validated in that context. [RT #20819]
+
+2830.	[bug]		Changing the OPTOUT setting could take multiple
+			passes. [RT #20813]
+
+2829.	[bug]		Fixed potential node inconsistency in rbtdb.c.
+			[RT #20808]
+
+2828.	[security]	Cached CNAME or DNAME RR could be returned to clients
+			without DNSSEC validation. [RT #20737]
+
+2827.	[security]	Bogus NXDOMAIN could be cached as if valid. [RT #20712]
+
+2826.	[bug]		NSEC3->NSEC transitions could fail due to a lock not
+			being released.  [RT #20740]
+
+2825.	[bug]		Changing the setting of OPTOUT in a NSEC3 chain that
+			was in the process of being created was not properly
+			recorded in the zone. [RT #20786]
+
+2824.	[bug]		"rndc sign" was not being run by the correct task.
+			[RT #20759]
+
+2823.	[bug]		rbtdb.c:getsigningtime() was missing locks. [RT #20781]
+
+2822.	[bug]		rbtdb.c:loadnode() could return the wrong result.
+			[RT #20802]
+
+2821.	[doc]		Add note that named-checkconf doesn't automatically
+			read rndc.key and bind.keys [RT #20758]
+
+2820.	[func]		Handle read access failure of OpenSSL configuration
+			file more user friendly (PKCS#11 engine patch).
+			[RT #20668]
+
+2819.	[cleanup]	Removed unnecessary DNS_POINTER_MAXHOPS define.
+			[RT #20771]
+
+2818.	[cleanup]	rndc could return an incorrect error code
+			when a zone was not found. [RT #20767]
+
+2817.	[cleanup]	Removed unnecessary isc_task_endexclusive() calls.
+			[RT #20768]
+
+2816.	[bug]		previous_closest_nsec() could fail to return
+			data for NSEC3 nodes [RT #29730]
+
+2815.	[bug]		Exclusively lock the task when freezing a zone.
+			[RT #19838]
+
+2814.	[func]		Provide a definitive error message when a master
+			zone is not loaded. [RT #20757]
+
+2813.	[bug]		Better handling of unreadable DNSSEC key files.
+			[RT #20710]
+
+2812.	[bug]		Make sure updates can't result in a zone with
+			NSEC-only keys and NSEC3 records. [RT #20748]
+
+2811.	[cleanup]	Add "rndc sign" to list of commands in rndc usage
+			output. [RT #20733]
+
+2810.	[doc]		Clarified the process of transitioning an NSEC3 zone
+			to insecure. [RT #20746]
+
+2809.	[cleanup]	Restored accidentally-deleted text in usage output
+			in dnssec-settime and dnssec-revoke [RT #20739]
+
+2808.	[bug]		Remove the attempt to install atomic.h from lib/isc.
+			atomic.h is correctly installed by the architecture
+			specific subdirectories.  [RT #20722]
+
+2807.	[bug]		Fixed a possible ASSERT when reconfiguring zone
+			keys. [RT #20720]
+
+	--- 9.7.0rc1 released ---
+
+2806.	[bug]		"rdnc sign" could delay re-signing the DNSKEY
+			when it had changed. [RT #20703]
+
+2805.	[bug]		Fixed namespace problems encountered when building
+			external programs using non-exported BIND9 libraries
+			(i.e., built without --enable-exportlib). [RT #20679]
+
+2804.	[bug]		Send notifies when a zone is signed with "rndc sign"
+			or as a result of a scheduled key change. [RT #20700]
+
+2803.	[port]		win32: Install named-journalprint, nsec3hash, arpaname
+			and genrandom under windows. [RT #20670]
+
+2802.	[cleanup]	Rename journalprint to named-journalprint. [RT #20670]
+
+2801.	[func]		Detect and report records that are different according
+			to DNSSEC but are semantically equal according to plain
+			DNS.  Apply plain DNS comparisons rather than DNSSEC
+			comparisons when processing UPDATE requests.
+			dnssec-signzone now removes such semantically duplicate
+			records prior to signing the RRset.
+
+			named-checkzone -r {ignore|warn|fail} (default warn)
+			named-compilezone -r {ignore|warn|fail} (default warn)
+
+			named.conf: check-dup-records {ignore|warn|fail};
+
+2800.	[func]		Reject zones which have NS records which refer to
+			CNAMEs, DNAMEs or don't have address record (class IN
+			only).  Reject UPDATEs which would cause the zone
+			to fail the above checks if committed. [RT #20678]
+
+2799.	[cleanup]	Changed the "secure-to-insecure" option to
+			"dnssec-secure-to-insecure", and "dnskey-ksk-only"
+			to "dnssec-dnskey-kskonly", for clarity. [RT #20586]
+
+2798.	[bug]		Addressed bugs in managed-keys initialization
+			and rollover. [RT #20683]
+
+2797.	[bug]		Don't decrement the dispatch manager's maxbuffers.
+			[RT #20613]
+
+2796.	[bug]		Missing dns_rdataset_disassociate() call in
+			dns_nsec3_delnsec3sx(). [RT #20681]
+
+2795.	[cleanup]	Add text to differentiate "update with no effect"
+			log messages. [RT #18889]
+
+2794.	[bug]		Install <isc/namespace.h>.  [RT #20677]
+
+2793.	[func]		Add "autosign" and "metadata" tests to the
+			automatic tests. [RT #19946]
+
+2792.	[func]		"filter-aaaa-on-v4" can now be set in view
+			options (if compiled in).  [RT #20635]
+
+2791.	[bug]		The installation of isc-config.sh was broken.
+			[RT #20667]
+
+2790.	[bug]		Handle DS queries to stub zones. [RT #20440]
+
+2789.	[bug]		Fixed an INSIST in dispatch.c [RT #20576]
+
+2788.	[bug]		dnssec-signzone could sign with keys that were
+			not requested [RT #20625]
+
+2787.	[bug]		Spurious log message when zone keys were
+			dynamically reconfigured. [RT #20659]
+
+2786.	[bug]		Additional could be promoted to answer. [RT #20663]
+
+	--- 9.7.0b3 released ---
+
+2785.	[bug]		Revoked keys could fail to self-sign [RT #20652]
+
+2784.	[bug]		TC was not always being set when required glue was
+			dropped. [RT #20655]
+
+2783.	[func]		Return minimal responses to EDNS/UDP queries with a UDP
+			buffer size of 512 or less.  [RT #20654]
+
+2782.	[port]		win32: use getaddrinfo() for hostname lookups.
+			[RT #20650]
+
+2781.	[bug]		Inactive keys could be used for signing. [RT #20649]
+
+2780.	[bug]		dnssec-keygen -A none didn't properly unset the
+			activation date in all cases. [RT #20648]
+
+2779.	[bug]		Dynamic key revocation could fail. [RT #20644]
+
+2778.	[bug]		dnssec-signzone could fail when a key was revoked
+			without deleting the unrevoked version. [RT #20638]
+
+2777.	[contrib]	DLZ MYSQL auto reconnect support discovery was wrong.
+
+2776.	[bug]		Change #2762 was not correct. [RT #20647]
+
+2775.	[bug]		Accept RSASHA256 and RSASHA512 as NSEC3 compatible
+			in dnssec-keyfromlabel. [RT #20643]
+
+2774.	[bug]		Existing cache DB wasn't being reused after
+			reconfiguration. [RT #20629]
+
+2773.	[bug]		In autosigned zones, the SOA could be signed
+			with the KSK. [RT #20628]
+
+2772.	[security]	When validating, track whether pending data was from
+			the additional section or not and only return it if
+			validates as secure. [RT #20438]
+
+2771.	[bug]		dnssec-signzone: DNSKEY records could be
+			corrupted when importing from key files [RT #20624]
+
+2770.	[cleanup]	Add log messages to resolver.c to indicate events
+			causing FORMERR responses. [RT #20526]
+
+2769.	[cleanup]	Change #2742 was incomplete. [RT #19589]
+
+2768.	[bug]		dnssec-signzone: -S no longer implies -g [RT #20568]
+
+2767.	[bug]		named could crash on startup if a zone was
+			configured with auto-dnssec and there was no
+			key-directory. [RT #20615]
+
+2766.	[bug]		isc_socket_fdwatchpoke() should only update the
+			socketmgr state if the socket is not pending on a
+			read or write.  [RT #20603]
+
+2765.	[bug]		Skip masters for which the TSIG key cannot be found.
+			[RT #20595]
+
+2764.	[bug]		"rndc-confgen -a" could trigger a REQUIRE. [RT #20610]
+
+2763.	[bug]		"rndc sign" didn't create an NSEC chain. [RT #20591]
+
+2762.	[bug]		DLV validation failed with a local slave DLV zone.
+			[RT #20577]
+
+2761.	[cleanup]	Enable internal symbol table for backtrace only for
+			systems that are known to work.  Currently, BSD
+			variants, Linux and Solaris are supported. [RT #20202]
+
+2760.	[cleanup]	Corrected named-compilezone usage summary. [RT #20533]
+
+2759.	[doc]		Add information about .jbk/.jnw files to
+			the ARM. [RT #20303]
+
+2758.	[bug]		win32: Added a workaround for a windows 2008 bug
+			that could cause the UDP client handler to shut
+			down. [RT #19176]
+
+2757.	[bug]		dig: assertion failure could occur in connect
+			timeout. [RT #20599]
+
+2756.	[bug]		Fixed corrupt logfile message in update.c. [RT #20597]
+
+2755.	[placeholder]
+
+2754.	[bug]		Secure-to-insecure transitions failed when zone
+			was signed with NSEC3. [RT #20587]
+
+2753.	[bug]		Removed an unnecessary warning that could appear when
+			building an NSEC chain. [RT #20589]
+
+2752.	[bug]		Locking violation. [RT #20587]
+
+2751.	[bug]		Fixed a memory leak in dnssec-keyfromlabel. [RT #20588]
+
+2750.	[bug]		dig: assertion failure could occur when a server
+			didn't have an address. [RT #20579]
+
+2749.	[bug]		ixfr-from-differences generated a non-minimal ixfr
+			for NSEC3 signed zones. [RT #20452]
+
+2748.	[func]		Identify bad answers from GTLD servers and treat them
+			as referrals. [RT #18884]
+
+2747.	[bug]		Journal roll forwards failed to set the re-signing
+			time of RRSIGs correctly. [RT #20541]
+
+2746.	[port]		hpux: address signed/unsigned expansion mismatch of
+			dns_rbtnode_t.nsec. [RT #20542]
+
+2745.	[bug]		configure script didn't probe the return type of
+			gai_strerror(3) correctly. [RT #20573]
+
+2744.	[func]		Log if a query was over TCP. [RT #19961]
+
+2743.	[bug]		RRSIG could be incorrectly set in the NSEC3 record
+			for a insecure delegation.
+
+	--- 9.7.0b2 released ---
+
+2742.	[cleanup]	Clarify some DNSSEC-related log messages in
+			validator.c. [RT #19589]
+
+2741.	[func]		Allow the dnssec-keygen progress messages to be
+			suppressed (dnssec-keygen -q).  Automatically
+			suppress the progress messages when stdin is not
+			a tty. [RT #20474]
+
+2740.	[placeholder]
+
+2739.	[cleanup]	Clean up API for initializing and clearing trust
+			anchors for a view. [RT #20211]
+
+2738.	[func]		Add RSASHA256 and RSASHA512 tests to the dnssec system
+			test. [RT #20453]
+
+2737.	[func]		UPDATE requests can leak existence information.
+			[RT #17261]
+
+2736.	[func]		Improve the performance of NSEC signed zones with
+			more than a normal amount of glue below a delegation.
+			[RT #20191]
+
+2735.	[bug]		dnssec-signzone could fail to read keys
+			that were specified on the command line with
+			full paths, but weren't in the current
+			directory. [RT #20421]
+
+2734.	[port]		cygwin: arpaname did not compile. [RT #20473]
+
+2733.	[cleanup]	Clean up coding style in pkcs11-* tools. [RT #20355]
+
+2732.	[func]		Add optional filter-aaaa-on-v4 option, available
+			if built with './configure --enable-filter-aaaa'.
+			Filters out AAAA answers to clients connecting
+			via IPv4.  (This is NOT recommended for general
+			use.) [RT #20339]
+
+2731.	[func]		Additional work on change 2709.  The key parser
+			will now ignore unrecognized fields when the
+			minor version number of the private key format
+			has been increased.  It will reject any key with
+			the major version number increased. [RT #20310]
+
+2730.	[func]		Have dnssec-keygen display a progress indication
+			a la 'openssl genrsa' on standard error. Note
+			when the first '.' is followed by a long stop
+			one has the choice between slow generation vs.
+			poor random quality, i.e., '-r /dev/urandom'.
+			[RT #20284]
+
+2729.	[func]		When constructing a CNAME from a DNAME use the DNAME
+			TTL. [RT #20451]
+
+2728.	[bug]		dnssec-keygen, dnssec-keyfromlabel and
+			dnssec-signzone now warn immediately if asked to
+			write into a nonexistent directory. [RT #20278]
+
+2727.	[func]		The 'key-directory' option can now specify a relative
+			path. [RT #20154]
+
+2726.	[func]		Added support for SHA-2 DNSSEC algorithms,
+			RSASHA256 and RSASHA512. [RT #20023]
+
+2725.	[doc]		Added information about the file "managed-keys.bind"
+			to the ARM. [RT #20235]
+
+2724.	[bug]		Updates to a existing node in secure zone using NSEC
+			were failing. [RT #20448]
+
+2723.	[bug]		isc_base32_totext(), isc_base32hex_totext(), and
+			isc_base64_totext(), didn't always mark regions of
+			memory as fully consumed after conversion.  [RT #20445]
+
+2722.	[bug]		Ensure that the memory associated with the name of
+			a node in a rbt tree is not altered during the life
+			of the node. [RT #20431]
+
+2721.	[port]		Have dst__entropy_status() prime the random number
+			generator. [RT #20369]
+
+2720.	[bug]		RFC 5011 trust anchor updates could trigger an
+			assert if the DNSKEY record was unsigned. [RT #20406]
+
+2719.	[func]		Skip trusted/managed keys for unsupported algorithms.
+			[RT #20392]
+
+2718.	[bug]		The space calculations in opensslrsa_todns() were
+			incorrect. [RT #20394]
+
+2717.	[bug]		named failed to update the NSEC/NSEC3 record when
+			the last private type record was removed as a result
+			of completing the signing the zone with a key.
+			[RT #20399]
+
+2716.	[bug]		nslookup debug mode didn't return the ttl. [RT #20414]
+
+	--- 9.7.0b1 released ---
+
+2715.	[bug]		Require OpenSSL support to be explicitly disabled.
+			[RT #20288]
+
+2714.	[port]		aix/powerpc: 'asm("ics");' needs non standard assembler
+			flags.
+
+2713.	[bug]		powerpc: atomic operations missing asm("ics") /
+			__isync() calls.
+
+2712.	[func]		New 'auto-dnssec' zone option allows zone signing
+			to be fully automated in zones configured for
+			dynamic DNS.  'auto-dnssec allow;' permits a zone
+			to be signed by creating keys for it in the
+			key-directory and using 'rndc sign <zone>'.
+			'auto-dnssec maintain;' allows that too, plus it
+			also keeps the zone's DNSSEC keys up to date
+			according to their timing metadata. [RT #19943]
+
+2711.	[port]		win32: Add the bin/pkcs11 tools into the full
+			build. [RT #20372]
+
+2710.	[func]		New 'dnssec-signzone -x' flag and 'dnskey-ksk-only'
+			zone option cause a zone to be signed with only KSKs
+			signing the DNSKEY RRset, not ZSKs.  This reduces
+			the size of a DNSKEY answer.  [RT #20340]
+
+2709.	[func]		Added some data fields, currently unused, to the
+			private key file format, to allow implementation
+			of explicit key rollover in a future release
+			without impairing backward or forward compatibility.
+			[RT #20310]
+
+2708.	[func]		Insecure to secure and NSEC3 parameter changes via
+			update are now fully supported and no longer require
+			defines to enable.  We now no longer overload the
+			NSEC3PARAM flag field, nor the NSEC OPT bit at the
+			apex.  Secure to insecure changes are controlled by
+			by the named.conf option 'secure-to-insecure'.
+
+			Warning: If you had previously enabled support by
+			adding defines at compile time to BIND 9.6 you should
+			ensure that all changes that are in progress have
+			completed prior to upgrading to BIND 9.7.  BIND 9.7
+			is not backwards compatible.
+
+2707.	[func]		dnssec-keyfromlabel no longer require engine name
+			to be specified in the label if there is a default
+			engine or the -E option has been used.  Also, it
+			now uses default algorithms as dnssec-keygen does
+			(i.e., RSASHA1, or NSEC3RSASHA1 if -3 is used).
+			[RT #20371]
+
+2706.	[bug]		Loading a zone with a very large NSEC3 salt could
+			trigger an assert. [RT #20368]
+
+2705.	[placeholder]
+
+2704.	[bug]		Serial of dynamic and stub zones could be inconsistent
+			with their SOA serial.  [RT #19387]
+
+2703.	[func]		Introduce an OpenSSL "engine" argument with -E
+			for all binaries which can take benefit of
+			crypto hardware. [RT #20230]
+
+2702.	[func]		Update PKCS#11 tools (bin/pkcs11) [RT #20225 & all]
+
+2701.	[doc]		Correction to ARM: hmac-md5 is no longer the only
+			supported TSIG key algorithm. [RT #18046]
+
+2700.	[doc]		The match-mapped-addresses option is discouraged.
+			[RT #12252]
+
+2699.	[bug]		Missing lock in rbtdb.c. [RT #20037]
+
+2698.	[placeholder]
+
+2697.	[port]		win32: ensure that S_IFMT, S_IFDIR, S_IFCHR and
+			S_IFREG are defined after including <isc/stat.h>.
+			[RT #20309]
+
+2696.	[bug]		named failed to successfully process some valid
+			acl constructs. [RT #20308]
+
+2695.	[func]		DHCP/DDNS - update fdwatch code for use by
+			DHCP.  Modify the api to isc_sockfdwatch_t (the
+			callback function for isc_socket_fdwatchcreate)
+			to include information about the direction (read
+			or write) and add isc_socket_fdwatchpoke.
+			[RT #20253]
+
+2694.	[bug]		Reduce default NSEC3 iterations from 100 to 10.
+			[RT #19970]
+
+2693.	[port]		Add some noreturn attributes. [RT #20257]
+
+2692.	[port]		win32: 32/64 bit cleanups. [RT #20335]
+
+2691.	[func]		dnssec-signzone: retain the existing NSEC or NSEC3
+			chain when re-signing a previously-signed zone.
+			Use -u to modify NSEC3 parameters or switch
+			between NSEC and NSEC3. [RT #20304]
+
+2690.	[bug]		win32: fix isc_thread_key_getspecific() prototype.
+			[RT #20315]
+
+2689.	[bug]		Correctly handle snprintf result. [RT #20306]
+
+2688.	[bug]		Use INTERFACE_F_POINTTOPOINT, not IFF_POINTOPOINT,
+			to decide to fetch the destination address. [RT #20305]
+
+2687.	[bug]		Fixed dnssec-signzone -S handling of revoked keys.
+			Also, added warnings when revoking a ZSK, as this is
+			not defined by protocol (but is legal).  [RT #19943]
+
+2686.	[bug]		dnssec-signzone should clean the old NSEC chain when
+			signing with NSEC3 and vice versa. [RT #20301]
+
+2685.	[contrib]	Update contrib/zkt to version 0.99c. [RT #20054]
+
+2684.	[cleanup]	dig: formalize +ad and +cd as synonyms for
+			+adflag and +cdflag.  [RT #19305]
+
+2683.	[bug]		dnssec-signzone should clean out old NSEC3 chains when
+			the NSEC3 parameters used to sign the zone change.
+			[RT #20246]
+
+2682.	[bug]		"configure --enable-symtable=all" failed to
+			build. [RT #20282]
+
+2681.	[bug]		IPSECKEY RR of gateway type 3 was not correctly
+			decoded. [RT #20269]
+
+2680.	[func]		Move contrib/pkcs11-keygen to bin/pkcs11. [RT #20067]
+
+2679.	[func]		dig -k can now accept TSIG keys in named.conf
+			format.  [RT #20031]
+
+2678.	[func]		Treat DS queries as if "minimal-response yes;"
+			was set. [RT #20258]
+
+2677.	[func]		Changes to key metadata behavior:
+			- Keys without "publish" or "active" dates set will
+			  no longer be used for smart signing.  However,
+			  those dates will be set to "now" by default when
+			  a key is created; to generate a key but not use
+			  it yet, use dnssec-keygen -G.
+			- New "inactive" date (dnssec-keygen/settime -I)
+			  sets the time when a key is no longer used for
+			  signing but is still published.
+			- The "unpublished" date (-U) is deprecated in
+			  favor of "deleted" (-D).
+			[RT #20247]
+
+2676.	[bug]		--with-export-installdir should have been
+			--with-export-includedir. [RT #20252]
+
+2675.	[bug]		dnssec-signzone could crash if the key directory
+			did not exist. [RT #20232]
+
+	--- 9.7.0a3 released ---
+
+2674.	[bug]		"dnssec-lookaside auto;" crashed if named was built
+			without openssl. [RT #20231]
+
+2673.	[bug]		The managed-keys.bind zone file could fail to
+			load due to a spurious result from sync_keyzone()
+			[RT #20045]
+
+2672.	[bug]		Don't enable searching in 'host' when doing reverse
+			lookups. [RT #20218]
+
+2671.	[bug]		Add support for PKCS#11 providers not returning
+			the public exponent in RSA private keys
+			(OpenCryptoki for instance) in
+			dnssec-keyfromlabel. [RT #19294]
+
+2670.	[bug]		Unexpected connect failures failed to log enough
+			information to be useful. [RT #20205]
+
+2669.	[func]		Update PKCS#11 support to support Keyper HSM.
+			Update PKCS#11 patch to be against openssl-0.9.8i.
+
+2668.	[func]		Several improvements to dnssec-* tools, including:
+			- dnssec-keygen and dnssec-settime can now set key
+			  metadata fields 0 (to unset a value, use "none")
+			- dnssec-revoke sets the revocation date in
+			  addition to the revoke bit
+			- dnssec-settime can now print individual metadata
+			  fields instead of always printing all of them,
+			  and can print them in unix epoch time format for
+			  use by scripts
+			[RT #19942]
+
+2667.	[func]		Add support for logging stack backtrace on assertion
+			failure (not available for all platforms). [RT #19780]
+
+2666.	[func]		Added an 'options' argument to dns_name_fromstring()
+			(API change from 9.7.0a2). [RT #20196]
+
+2665.	[func]		Clarify syntax for managed-keys {} statement, add
+			ARM documentation about RFC 5011 support. [RT #19874]
+
+2664.	[bug]		create_keydata() and minimal_update() in zone.c
+			didn't properly check return values for some
+			functions.  [RT #19956]
+
+2663.	[func]		win32:  allow named to run as a service using
+			"NT AUTHORITY\LocalService" as the account. [RT #19977]
+
+2662.	[bug]		lwres_getipnodebyname() and lwres_getipnodebyaddr()
+			returned a misleading error code when lwresd was
+			down. [RT #20028]
+
+2661.	[bug]		Check whether socket fd exceeds FD_SETSIZE when
+			creating lwres context. [RT #20029]
+
+2660.	[func]		Add a new set of DNS libraries for non-BIND9
+			applications.  See README.libdns. [RT #19369]
+
+2659.	[doc]		Clarify dnssec-keygen doc: key name must match zone
+			name for DNSSEC keys. [RT #19938]
+
+2658.	[bug]		dnssec-settime and dnssec-revoke didn't process
+			key file paths correctly. [RT #20078]
+
+2657.	[cleanup]	Lower "journal file <path> does not exist, creating it"
+			log level to debug 1. [RT #20058]
+
+2656.	[func]		win32: add a "tools only" check box to the installer
+			which causes it to only install dig, host, nslookup,
+			nsupdate and relevant DLLs.  [RT #19998]
+
+2655.	[doc]		Document that key-directory does not affect
+			bind.keys, rndc.key or session.key.  [RT #20155]
+
+2654.	[bug]		Improve error reporting on duplicated names for
+			deny-answer-xxx. [RT #20164]
+
+2653.	[bug]		Treat ENGINE_load_private_key() failures as key
+			not found rather than out of memory.  [RT #18033]
+
+2652.	[func]		Provide more detail about what record is being
+			deleted. [RT #20061]
+
+2651.	[bug]		Dates could print incorrectly in K*.key files on
+			64-bit systems. [RT #20076]
+
+2650.	[bug]		Assertion failure in dnssec-signzone when trying
+			to read keyset-* files. [RT #20075]
+
+2649.	[bug]		Set the domain for forward only zones. [RT #19944]
+
+2648.	[port]		win32: isc_time_seconds() was broken. [RT #19900]
+
+2647.	[bug]		Remove unnecessary SOA updates when a new KSK is
+			added. [RT #19913]
+
+2646.	[bug]		Incorrect cleanup on error in socket.c. [RT #19987]
+
+2645.	[port]		"gcc -m32" didn't work on amd64 and x86_64 platforms
+			which default to 64 bits. [RT #19927]
+
+	--- 9.7.0a2 released ---
+
+2644.	[bug]		Change #2628 caused a regression on some systems;
+			named was unable to write the PID file and would
+			fail on startup. [RT #20001]
+
+2643.	[bug]		Stub zones interacted badly with NSEC3 support.
+			[RT #19777]
+
+2642.	[bug]		nsupdate could dump core on solaris when reading
+			improperly formatted key files.  [RT #20015]
+
+2641.	[bug]		Fixed an error in parsing update-policy syntax,
+			added a regression test to check it. [RT #20007]
+
+2640.	[security]	A specially crafted update packet will cause named
+			to exit. [RT #20000]
+
+2639.	[bug]		Silence compiler warnings in gssapi code. [RT #19954]
+
+2638.	[bug]		Install arpaname. [RT #19957]
+
+2637.	[func]		Rationalize dnssec-signzone's signwithkey() calling.
+			[RT #19959]
+
+2636.	[func]		Simplify zone signing and key maintenance with the
+			dnssec-* tools.  Major changes:
+			- all dnssec-* tools now take a -K option to
+			  specify a directory in which key files will be
+			  stored
+			- DNSSEC can now store metadata indicating when
+			  they are scheduled to be published, activated,
+			  revoked or removed; these values can be set by
+			  dnssec-keygen or overwritten by the new
+			  dnssec-settime command
+			- dnssec-signzone -S (for "smart") option reads key
+			  metadata and uses it to determine automatically
+			  which keys to publish to the zone, use for
+			  signing, revoke, or remove from the zone
+			[RT #19816]
+
+2635.	[bug]		isc_inet_ntop() incorrectly handled 0.0/16 addresses.
+			[RT #19716]
+
+2634.	[port]		win32: Add support for libxml2, enable
+			statschannel. [RT #19773]
+
+2633.	[bug]		Handle 15 bit rand() functions. [RT #19783]
+
+2632.	[func]		util/kit.sh: warn if documentation appears to be out of
+			date.  [RT #19922]
+
+2631.	[bug]		Handle "//", "/./" and "/../" in mkdirpath().
+			[RT #19926 ]
+
+2630.	[func]		Improved syntax for DDNS autoconfiguration:  use
+			"update-policy local;" to switch on local DDNS in a
+			zone. (The "ddns-autoconf" option has been removed.)
+			[RT #19875]
+
+2629.	[port]		Check for seteuid()/setegid(), use setresuid()/
+			setresgid() if not present. [RT #19932]
+
+2628.	[port]		linux: Allow /var/run/named/named.pid to be opened
+			at startup with reduced capabilities in operation.
+			[RT #19884]
+
+2627.	[bug]		Named aborted if the same key was included in
+			trusted-keys more than once. [RT #19918]
+
+2626.	[bug]		Multiple trusted-keys could trigger an assertion
+			failure. [RT #19914]
+
+2625.	[bug]		Missing UNLOCK in rbtdb.c. [RT #19865]
+
+2624.	[func]		'named-checkconf -p' will print out the parsed
+			configuration. [RT #18871]
+
+2623.	[bug]		Named started searches for DS non-optimally. [RT #19915]
+
+2622.	[bug]		Printing of named.conf grammar was broken. [RT #19919]
+
+2621.	[doc]		Made copyright boilerplate consistent.  [RT #19833]
+
+2620.	[bug]		Delay thawing the zone until the reload of it has
+			completed successfully.  [RT #19750]
+
+2619.	[func]		Add support for RFC 5011, automatic trust anchor
+			maintenance.  The new "managed-keys" statement can
+			be used in place of "trusted-keys" for zones which
+			support this protocol.  (Note: this syntax is
+			expected to change prior to 9.7.0 final.) [RT #19248]
+
+2618.	[bug]		The sdb and sdlz db_interator_seek() methods could
+			loop infinitely. [RT #19847]
+
+2617.	[bug]		ifconfig.sh failed to emit an error message when
+			run from the wrong location. [RT #19375]
+
+2616.	[bug]		'host' used the nameservers from resolv.conf even
+			when a explicit nameserver was specified. [RT #19852]
+
+2615.	[bug]		"__attribute__((unused))" was in the wrong place
+			for ia64 gcc builds. [RT #19854]
+
+2614.	[port]		win32: 'named -v' should automatically be executed
+			in the foreground. [RT #19844]
+
+2613.	[placeholder]
+
+	--- 9.7.0a1 released ---
+
+2612.	[func]		Add default values for the arguments to
+			dnssec-keygen.  Without arguments, it will now
+			generate a 1024-bit RSASHA1 zone-signing key,
+			or with the -f KSK option, a 2048-bit RSASHA1
+			key-signing key. [RT #19300]
+
+2611.	[func]		Add -l option to dnssec-dsfromkey to generate
+			DLV records instead of DS records. [RT #19300]
+
+2610.	[port]		sunos: Change #2363 was not complete. [RT #19796]
+
+2609.	[func]		Simplify the configuration of dynamic zones:
+			- add ddns-confgen command to generate
+			  configuration text for named.conf
+			- add zone option "ddns-autoconf yes;", which
+			  causes named to generate a TSIG session key
+			  and allow updates to the zone using that key
+			- add '-l' (localhost) option to nsupdate, which
+			  causes nsupdate to connect to a locally-running
+			  named process using the session key generated
+			  by named
+			[RT #19284]
+
+2608.	[func]		Perform post signing verification checks in
+			dnssec-signzone.  These can be disabled with -P.
+
+			The post sign verification test ensures that for each
+			algorithm in use there is at least one non revoked
+			self signed KSK key.  That all revoked KSK keys are
+			self signed.  That all records in the zone are signed
+			by the algorithm.  [RT #19653]
+
+2607.	[bug]		named could incorrectly delete NSEC3 records for
+			empty nodes when processing a update request.
+			[RT #19749]
+
+2606.	[bug]		"delegation-only" was not being accepted in
+			delegation-only type zones. [RT #19717]
+
+2605.	[bug]		Accept DS responses from delegation only zones.
+			[RT # 19296]
+
+2604.	[func]		Add support for DNS rebinding attack prevention through
+			new options, deny-answer-addresses and
+			deny-answer-aliases.  Based on contributed code from
+			JD Nurmi, Google. [RT #18192]
+
+2603.	[port]		win32: handle .exe extension of named-checkzone and
+			named-comilezone argv[0] names under windows.
+			[RT #19767]
+
+2602.	[port]		win32: fix debugging command line build of libisccfg.
+			[RT #19767]
+
+2601.	[doc]		Mention file creation mode mask in the
+			named manual page.
+
+2600.	[doc]		ARM: miscellaneous reformatting for different
+			page widths. [RT #19574]
+
+2599.	[bug]		Address rapid memory growth when validation fails.
+			[RT #19654]
+
+2598.	[func]		Reserve the -F flag. [RT #19657]
+
+2597.	[bug]		Handle a validation failure with a insecure delegation
+			from a NSEC3 signed master/slave zone.  [RT #19464]
+
+2596.	[bug]		Stale tree nodes of cache/dynamic rbtdb could stay
+			long, leading to inefficient memory usage or rejecting
+			newer cache entries in the worst case. [RT #19563]
+
+2595.	[bug]		Fix unknown extended rcodes in dig. [RT #19625]
+
+2594.	[func]		Have rndc warn if using its default configuration
+			file when the key file also exists. [RT #19424]
+
+2593.	[bug]		Improve a corner source of SERVFAILs [RT #19632]
+
+2592.	[bug]		Treat "any" as a type in nsupdate. [RT #19455]
+
+2591.	[bug]		named could die when processing a update in
+			removed_orphaned_ds(). [RT #19507]
+
+2590.	[func]		Report zone/class of "update with no effect".
+			[RT #19542]
+
+2589.	[bug]		dns_db_unregister() failed to clear '*dbimp'.
+			[RT #19626]
+
+2588.	[bug]		SO_REUSEADDR could be set unconditionally after failure
+			of bind(2) call.  This should be rare and mostly
+			harmless, but may cause interference with other
+			processes that happen to use the same port. [RT #19642]
+
+2587.	[func]		Improve logging by reporting serial numbers for
+			when zone serial has gone backwards or unchanged.
+			[RT #19506]
+
+2586.	[bug]		Missing cleanup of SIG rdataset in searching a DLZ DB
+			or SDB. [RT #19577]
+
+2585.	[bug]		Uninitialized socket name could be referenced via a
+			statistics channel, triggering an assertion failure in
+			XML rendering. [RT #19427]
+
+2584.	[bug]		alpha: gcc optimization could break atomic operations.
+			[RT #19227]
+
+2583.	[port]		netbsd: provide a control to not add the compile
+			date to the version string, -DNO_VERSION_DATE.
+
+2582.	[bug]		Don't emit warning log message when we attempt to
+			remove non-existent journal. [RT #19516]
+
+2581.	[contrib]	dlz/mysql set MYSQL_OPT_RECONNECT option on connection.
+			Requires MySQL 5.0.19 or later. [RT #19084]
+
+2580.	[bug]		UpdateRej statistics counter could be incremented twice
+			for one rejection. [RT #19476]
+
+2579.	[bug]		DNSSEC lookaside validation failed to handle unknown
+			algorithms. [RT #19479]
+
+2578.	[bug]		Changed default sig-signing-type to 65534, because
+			65535 turns out to be reserved.  [RT #19477]
+
+2577.	[doc]		Clarified some statistics counters. [RT #19454]
+
+2576.	[bug]		NSEC record were not being correctly signed when
+			a zone transitions from insecure to secure.
+			Handle such incorrectly signed zones. [RT #19114]
+
+2575.	[func]		New functions dns_name_fromstring() and
+			dns_name_tostring(), to simplify conversion
+			of a string to a dns_name structure and vice
+			versa. [RT #19451]
+
+2574.	[doc]		Document nsupdate -g and -o. [RT #19351]
+
+2573.	[bug]		Replacing a non-CNAME record with a CNAME record in a
+			single transaction in a signed zone failed. [RT #19397]
+
+2572.	[func]		Simplify DLV configuration, with a new option
+			"dnssec-lookaside auto;"  This is the equivalent
+			of "dnssec-lookaside . trust-anchor dlv.isc.org;"
+			plus setting a trusted-key for dlv.isc.org.
+
+			Note: The trusted key is hard-coded into named,
+			but is also stored in (and can be overridden
+			by) $sysconfdir/bind.keys.  As the ISC DLV key
+			rolls over it can be kept up to date by replacing
+			the bind.keys file with a key downloaded from
+			https://www.isc.org/solutions/dlv. [RT #18685]
+
+2571.	[func]		Add a new tool "arpaname" which translates IP addresses
+			to the corresponding IN-ADDR.ARPA or IP6.ARPA name.
+			[RT #18976]
+
+2570.	[func]		Log the destination address the query was sent to.
+			[RT #19209]
+
+2569.	[func]		Move journalprint, nsec3hash, and genrandom
+			commands from bin/tests into bin/tools;
+			"make install" will put them in $sbindir. [RT #19301]
+
+2568.	[bug]		Report when the write to indicate a otherwise
+			successful start fails. [RT #19360]
+
+2567.	[bug]		dst__privstruct_writefile() could miss write errors.
+			write_public_key() could miss write errors.
+			dnssec-dsfromkey could miss write errors.
+			[RT #19360]
+
+2566.	[cleanup]	Clarify logged message when an insecure DNSSEC
+			response arrives from a zone thought to be secure:
+			"insecurity proof failed" instead of "not
+			insecure". [RT #19400]
+
+2565.	[func]		Add support for HIP record.  Includes new functions
+			dns_rdata_hip_first(), dns_rdata_hip_next()
+			and dns_rdata_hip_current().  [RT #19384]
+
+2564.	[bug]		Only take EDNS fallback steps when processing timeouts.
+			[RT #19405]
+
+2563.	[bug]		Dig could leak a socket causing it to wait forever
+			to exit. [RT #19359]
+
+2562.	[doc]		ARM: miscellaneous improvements, reorganization,
+			and some new content.
+
+2561.	[doc]		Add isc-config.sh(1) man page. [RT #16378]
+
+2560.	[bug]		Add #include <config.h> to iptable.c. [RT #18258]
+
+2559.	[bug]		dnssec-dsfromkey could compute bad DS records when
+			reading from a K* files.  [RT #19357]
+
+2558.	[func]		Set the ownership of missing directories created
+			for pid-file if -u has been specified on the command
+			line. [RT #19328]
+
+2557.	[cleanup]	PCI compliance:
+			* new libisc log module file
+			* isc_dir_chroot() now also changes the working
+			  directory to "/".
+			* additional INSISTs
+			* additional logging when files can't be removed.
+
+2556.	[port]		Solaris: mkdir(2) on tmpfs filesystems does not do the
+			error checks in the correct order resulting in the
+			wrong error code sometimes being returned. [RT #19249]
+
+2555.	[func]		dig: when emitting a hex dump also display the
+			corresponding characters. [RT #19258]
+
+2554.	[bug]		Validation of uppercase queries from NSEC3 zones could
+			fail. [RT #19297]
+
+2553.	[bug]		Reference leak on DNSSEC validation errors. [RT #19291]
+
+2552.	[bug]		zero-no-soa-ttl-cache was not being honored.
+			[RT #19340]
+
+2551.	[bug]		Potential Reference leak on return. [RT #19341]
+
+2550.	[bug]		Check --with-openssl=<path> finds <openssl/opensslv.h>.
+			[RT #19343]
+
+2549.	[port]		linux: define NR_OPEN if not currently defined.
+			[RT #19344]
+
+2548.	[bug]		Install iterated_hash.h. [RT #19335]
+
+2547.	[bug]		openssl_link.c:mem_realloc() could reference an
+			out-of-range area of the source buffer.  New public
+			function isc_mem_reallocate() was introduced to address
+			this bug. [RT #19313]
+
+2546.	[func]		Add --enable-openssl-hash configure flag to use
+			OpenSSL (in place of internal routine) for hash
+			functions (MD5, SHA[12] and HMAC). [RT #18815]
+
+2545.	[doc]		ARM: Legal hostname checking (check-names) is
+			for SRV RDATA too. [RT #19304]
+
+2544.	[cleanup]	Removed unused structure members in adb.c. [RT #19225]
+
+2543.	[contrib]	Update contrib/zkt to version 0.98. [RT #19113]
+
+2542.	[doc]		Update the description of dig +adflag. [RT #19290]
+
+2541.	[bug]		Conditionally update dispatch manager statistics.
+			[RT #19247]
+
+2540.	[func]		Add a nibble mode to $GENERATE. [RT #18872]
+
+2539.	[security]	Update the interaction between recursion, allow-query,
+			allow-query-cache and allow-recursion.  [RT #19198]
+
+2538.	[bug]		cache/ADB memory could grow over max-cache-size,
+			especially with threads and smaller max-cache-size
+			values. [RT #19240]
+
+2537.	[func]		Added more statistics counters including those on socket
+			I/O events and query RTT histograms. [RT #18802]
+
+2536.	[cleanup]	Silence some warnings when -Werror=format-security is
+			specified. [RT #19083]
+
+2535.	[bug]		dig +showsearch and +trace interacted badly. [RT #19091]
+
+2534.	[func]		Check NAPTR records regular expressions and
+			replacement strings to ensure they are syntactically
+			valid and consistent. [RT #18168]
+
+2533.	[doc]		ARM: document @ (at-sign). [RT #17144]
+
+2532.	[bug]		dig: check the question section of the response to
+			see if it matches the asked question. [RT #18495]
+
+2531.	[bug]		Change #2207 was incomplete. [RT #19098]
+
+2530.	[bug]		named failed to reject insecure to secure transitions
+			via UPDATE. [RT #19101]
+
+2529.	[cleanup]	Upgrade libtool to silence complaints from recent
+			version of autoconf. [RT #18657]
+
+2528.	[cleanup]	Silence spurious configure warning about
+			--datarootdir [RT #19096]
+
+2527.	[placeholder]
+
+2526.	[func]		New named option "attach-cache" that allows multiple
+			views to share a single cache to save memory and
+			improve lookup efficiency.  Based on contributed code
+			from Barclay Osborn, Google. [RT #18905]
+
+2525.	[func]		New logging category "query-errors" to provide detailed
+			internal information about query failures, especially
+			about server failures. [RT #19027]
+
+2524.	[port]		sunos: dnssec-signzone needs strtoul(). [RT #19129]
+
+2523.	[bug]		Random type rdata freed by dns_nsec_typepresent().
+			[RT #19112]
+
+2522.	[security]	Handle -1 from DSA_do_verify() and EVP_VerifyFinal().
+
+2521.	[bug]		Improve epoll cross compilation support. [RT #19047]
+
+2520.	[bug]		Update xml statistics version number to 2.0 as change
+			#2388 made the schema incompatible to the previous
+			version. [RT #19080]
+
+2519.	[bug]		dig/host with -4 or -6 didn't work if more than two
+			nameserver addresses of the excluded address family
+			preceded in resolv.conf. [RT #19081]
+
+2518.	[func]		Add support for the new CERT types from RFC 4398.
+			[RT #19077]
+
+2517.	[bug]		dig +trace with -4 or -6 failed when it chose a
+			nameserver address of the excluded address type.
+			[RT #18843]
+
+2516.	[bug]		glue sort for responses was performed even when not
+			needed. [RT #19039]
+
+2515.	[port]		win32: build dnssec-dsfromkey and dnssec-keyfromlabel.
+			[RT #19063]
+
+2514.	[bug]		dig/host failed with -4 or -6 when resolv.conf contains
+			a nameserver of the excluded address family.
+			[RT #18848]
+
+2513.	[bug]		Fix windows cli build. [RT #19062]
+
+2512.	[func]		Print a summary of the cached records which make up
+			the negative response.  [RT #18885]
+
+2511.	[cleanup]	dns_rdata_tofmttext() add const to linebreak.
+			[RT #18885]
+
+2510.	[bug]		"dig +sigchase" could trigger REQUIRE failures.
+			[RT #19033]
+
+2509.	[bug]		Specifying a fixed query source port was broken.
+			[RT #19051]
+
+2508.	[placeholder]
+
+2507.	[func]		Log the recursion quota values when killing the
+			oldest query or refusing to recurse due to quota.
+			[RT #19022]
+
+2506.	[port]		solaris: Check at configure time if
+			hack_shutup_pthreadonceinit is needed. [RT #19037]
+
+2505.	[port]		Treat amd64 similarly to x86_64 when determining
+			atomic operation support. [RT #19031]
+
+2504.	[bug]		Address race condition in the socket code. [RT #18899]
+
+2503.	[port]		linux: improve compatibility with Linux Standard
+			Base. [RT #18793]
+
+2502.	[cleanup]	isc_radix: Improve compliance with coding style,
+			document function in <isc/radix.h>. [RT #18534]
+
+2501.	[func]		$GENERATE now supports all rdata types.  Multi-field
+			rdata types need to be quoted.  See the ARM for
+			details. [RT #18368]
+
+2500.	[contrib]	contrib/sdb/pgsql/zonetodb.c called non-existent
+			function. [RT #18582]
+
+2499.	[port]		solaris: lib/lwres/getaddrinfo.c namespace clash.
+			[RT #18837]
+
+	--- 9.6.0rc1 released ---
+
+2498.	[bug]		Removed a bogus function argument used with
+			ISC_SOCKET_USE_POLLWATCH: it could cause compiler
+			warning or crash named with the debug 1 level
+			of logging. [RT #18917]
+
+2497.	[bug]		Don't add RRSIG bit to NSEC3 bit map for insecure
+			delegation.
+
+2496.	[bug]		Add sanity length checks to NSID option. [RT #18813]
+
+2495.	[bug]		Tighten RRSIG checks. [RT #18795]
+
+2494.	[bug]		isc/radix.h, dns/sdlz.h and dns/dlz.h were not being
+			installed. [RT #18826]
+
+2493.	[bug]		The linux capabilities code was not correctly cleaning
+			up after itself. [RT #18767]
+
+2492.	[func]		Rndc status now reports the number of cpus discovered
+			and the number of worker threads when running
+			multi-threaded. [RT #18273]
+
+2491.	[func]		Attempt to re-use a local port if we are already using
+			the port. [RT #18548]
+
+2490.	[port]		aix: work around a kernel bug where IPV6_RECVPKTINFO
+			is cleared when IPV6_V6ONLY is set. [RT #18785]
+
+2489.	[port]		solaris: Workaround Solaris's kernel bug about
+			/dev/poll:
+			http://bugs.opensolaris.org/view_bug.do?bug_id=6724237
+			Define ISC_SOCKET_USE_POLLWATCH at build time to enable
+			this workaround. [RT #18870]
+
+2488.	[func]		Added a tool, dnssec-dsfromkey, to generate DS records
+			from keyset and .key files. [RT #18694]
+
+2487.	[bug]		Give TCP connections longer to complete. [RT #18675]
+
+2486.	[func]		The default locations for named.pid and lwresd.pid
+			are now /var/run/named/named.pid and
+			/var/run/lwresd/lwresd.pid respectively.
+
+			This allows the owner of the containing directory
+			to be set, for "named -u" support, and allows there
+			to be a permanent symbolic link in the path, for
+			"named -t" support.  [RT #18306]
+
+2485.	[bug]		Change update's the handling of obscured RRSIG
+			records.  Not all orphaned DS records were being
+			removed. [RT #18828]
+
+2484.	[bug]		It was possible to trigger a REQUIRE failure when
+			adding NSEC3 proofs to the response in
+			query_addwildcardproof().  [RT #18828]
+
+2483.	[port]		win32: chroot() is not supported. [RT #18805]
+
+2482.	[port]		libxml2: support versions 2.7.* in addition
+			to 2.6.*. [RT #18806]
+
+	--- 9.6.0b1 released ---
+
+2481.	[bug]		rbtdb.c:matchparams() failed to handle NSEC3 chain
+			collisions.  [RT #18812]
+
+2480.	[bug]		named could fail to emit all the required NSEC3
+			records.  [RT #18812]
+
+2479.	[bug]		xfrout:covers was not properly initialized. [RT #18801]
+
+2478.	[bug]		'addresses' could be used uninitialized in
+			configure_forward(). [RT #18800]
+
+2477.	[bug]		dig: the global option to print the command line is
+			+cmd not print_cmd.  Update the output to reflect
+			this. [RT #17008]
+
+2476.	[doc]		ARM: improve documentation for max-journal-size and
+			ixfr-from-differences. [RT #15909] [RT #18541]
+
+2475.	[bug]		LRU cache cleanup under overmem condition could purge
+			particular entries more aggressively. [RT #17628]
+
+2474.	[bug]		ACL structures could be allocated with insufficient
+			space, causing an array overrun. [RT #18765]
+
+2473.	[port]		linux: raise the limit on open files to the possible
+			maximum value before spawning threads; 'files'
+			specified in named.conf doesn't seem to work with
+			threads as expected. [RT #18784]
+
+2472.	[port]		linux: check the number of available cpu's before
+			calling chroot as it depends on "/proc". [RT #16923]
+
+2471.	[bug]		named-checkzone was not reporting missing mandatory
+			glue when sibling checks were disabled. [RT #18768]
+
+2470.	[bug]		Elements of the isc_radix_node_t could be incorrectly
+			overwritten.  [RT #18719]
+
+2469.	[port]		solaris: Work around Solaris's select() limitations.
+			[RT #18769]
+
+2468.	[bug]		Resolver could try unreachable servers multiple times.
+			[RT #18739]
+
+2467.	[bug]		Failure of fcntl(F_DUPFD) wasn't logged. [RT #18740]
+
+2466.	[doc]		ARM: explain max-cache-ttl 0 SERVFAIL issue.
+			[RT #18302]
+
+2465.	[bug]		Adb's handling of lame addresses was different
+			for IPv4 and IPv6. [RT #18738]
+
+2464.	[port]		linux: check that a capability is present before
+			trying to set it. [RT #18135]
+
+2463.	[port]		linux: POSIX doesn't include the IPv6 Advanced Socket
+			API and glibc hides parts of the IPv6 Advanced Socket
+			API as a result.  This is stupid as it breaks how the
+			two halves (Basic and Advanced) of the IPv6 Socket API
+			were designed to be used but we have to live with it.
+			Define _GNU_SOURCE to pull in the IPv6 Advanced Socket
+			API. [RT #18388]
+
+2462.	[doc]		Document -m (enable memory usage debugging)
+			option for dig. [RT #18757]
+
+2461.	[port]		sunos: Change #2363 was not complete. [RT #17513]
+
+	--- 9.6.0a1 released ---
+
+2460.	[bug]		Don't call dns_db_getnsec3parameters() on the cache.
+			[RT #18697]
+
+2459.	[contrib]	Import dnssec-zkt to contrib/zkt. [RT #18448]
+
+2458.	[doc]		ARM: update and correction for max-cache-size.
+			[RT #18294]
+
+2457.	[tuning]	max-cache-size is reverted to 0, the previous
+			default.  It should be safe because expired cache
+			entries are also purged. [RT #18684]
+
+2456.	[bug]		In ACLs, ::/0 and 0.0.0.0/0 would both match any
+			address, regardless of family.  They now correctly
+			distinguish IPv4 from IPv6.  [RT #18559]
+
+2455.	[bug]		Stop metadata being transferred via axfr/ixfr.
+			[RT #18639]
+
+2454.	[func]		nsupdate: you can now set a default ttl. [RT #18317]
+
+2453.	[bug]		Remove NULL pointer dereference in dns_journal_print().
+			[RT #18316]
+
+2452.	[func]		Improve bin/test/journalprint. [RT #18316]
+
+2451.	[port]		solaris: handle runtime linking better. [RT #18356]
+
+2450.	[doc]		Fix lwresd docbook problem for manual page.
+			[RT #18672]
+
+2449.	[placeholder]
+
+2448.	[func]		Add NSEC3 support. [RT #15452]
+
+2447.	[cleanup]	libbind has been split out as a separate product.
+
+2446.	[func]		Add a new log message about build options on startup.
+			A new command-line option '-V' for named is also
+			provided to show this information. [RT #18645]
+
+2445.	[doc]		ARM out-of-date on empty reverse zones (list includes
+			RFC1918 address, but these are not yet compiled in).
+			[RT #18578]
+
+2444.	[port]		Linux, FreeBSD, AIX: Turn off path mtu discovery
+			(clear DF) for UDP responses and requests.
+
+2443.	[bug]		win32: UDP connect() would not generate an event,
+			and so connected UDP sockets would never clean up.
+			Fix this by doing an immediate WSAConnect() rather
+			than an io completion port type for UDP.
+
+2442.	[bug]		A lock could be destroyed twice. [RT #18626]
+
+2441.	[bug]		isc_radix_insert() could copy radix tree nodes
+			incompletely. [RT #18573]
+
+2440.	[bug]		named-checkconf used an incorrect test to determine
+			if an ACL was set to none.
+
+2439.	[bug]		Potential NULL dereference in dns_acl_isanyornone().
+			[RT #18559]
+
+2438.	[bug]		Timeouts could be logged incorrectly under win32.
+
+2437.	[bug]		Sockets could be closed too early, leading to
+			inconsistent states in the socket module. [RT #18298]
+
+2436.	[security]	win32: UDP client handler can be shutdown. [RT #18576]
+
+2435.	[bug]		Fixed an ACL memory leak affecting win32.
+
+2434.	[bug]		Fixed a minor error-reporting bug in
+			lib/isc/win32/socket.c.
+
+2433.	[tuning]	Set initial timeout to 800ms.
+
+2432.	[bug]		More Windows socket handling improvements.  Stop
+			using I/O events and use IO Completion Ports
+			throughout.  Rewrite the receive path logic to make
+			it easier to support multiple simultaneous
+			requesters in the future.  Add stricter consistency
+			checking as a compile-time option (define
+			ISC_SOCKET_CONSISTENCY_CHECKS; defaults to off).
+
+2431.	[bug]		Acl processing could leak memory. [RT #18323]
+
+2430.	[bug]		win32: isc_interval_set() could round down to
+			zero if the input was less than NS_INTERVAL
+			nanoseconds.  Round up instead. [RT #18549]
+
+2429.	[doc]		nsupdate should be in section 1 of the man pages.
+			[RT #18283]
+
+2428.	[bug]		dns_iptable_merge() mishandled merges of negative
+			tables. [RT #18409]
+
+2427.	[func]		Treat DNSKEY queries as if "minimal-response yes;"
+			was set. [RT #18528]
+
+2426.	[bug]		libbind: inet_net_pton() can sometimes return the
+			wrong value if excessively large net masks are
+			supplied. [RT #18512]
+
+2425.	[bug]		named didn't detect unavailable query source addresses
+			at load time. [RT #18536]
+
+2424.	[port]		configure now probes for a working epoll
+			implementation.  Allow the use of kqueue,
+			epoll and /dev/poll to be selected at compile
+			time. [RT #18277]
+
+2423.	[security]	Randomize server selection on queries, so as to
+			make forgery a little more difficult.  Instead of
+			always preferring the server with the lowest RTT,
+			pick a server with RTT within the same 128
+			millisecond band.  [RT #18441]
+
+2422.	[bug]		Handle the special return value of a empty node as
+			if it was a NXRRSET in the validator. [RT #18447]
+
+2421.	[func]		Add new command line option '-S' for named to specify
+			the max number of sockets. [RT #18493]
+			Use caution: this option may not work for some
+			operating systems without rebuilding named.
+
+2420.	[bug]		Windows socket handling cleanup.  Let the io
+			completion event send out canceled read/write
+			done events, which keeps us from writing to memory
+			we no longer have ownership of.  Add debugging
+			socket_log() function.  Rework TCP socket handling
+			to not leak sockets.
+
+2419.	[cleanup]	Document that isc_socket_create() and isc_socket_open()
+			should not be used for isc_sockettype_fdwatch sockets.
+			[RT #18521]
+
+2418.	[bug]		AXFR request on a DLZ could trigger a REQUIRE failure
+			[RT #18430]
+
+2417.	[bug]		Connecting UDP sockets for outgoing queries could
+			unexpectedly fail with an 'address already in use'
+			error. [RT #18411]
+
+2416.	[func]		Log file descriptors that cause exceeding the
+			internal maximum. [RT #18460]
+
+2415.	[bug]		'rndc dumpdb' could trigger various assertion failures
+			in rbtdb.c. [RT #18455]
+
+2414.	[bug]		A masterdump context held the database lock too long,
+			causing various troubles such as dead lock and
+			recursive lock acquisition. [RT #18311, #18456]
+
+2413.	[bug]		Fixed an unreachable code path in socket.c. [RT #18442]
+
+2412.	[bug]		win32: address a resource leak. [RT #18374]
+
+2411.	[bug]		Allow using a larger number of sockets than FD_SETSIZE
+			for select().  To enable this, set ISC_SOCKET_MAXSOCKETS
+			at compilation time.  [RT #18433]
+
+			Note: with changes #2469 and #2421 above, there is no
+			need to tweak ISC_SOCKET_MAXSOCKETS at compilation time
+			any more.
+
+2410.	[bug]		Correctly delete m_versionInfo. [RT #18432]
+
+2409.	[bug]		Only log that we disabled EDNS processing if we were
+			subsequently successful.  [RT #18029]
+
+2408.	[bug]		A duplicate TCP dispatch event could be sent, which
+			could then trigger an assertion failure in
+			resquery_response().  [RT #18275]
+
+2407.	[port]		hpux: test for sys/dyntune.h. [RT #18421]
+
+2406.	[placeholder]
+
+2405.	[cleanup]	The default value for dnssec-validation was changed to
+			"yes" in 9.5.0-P1 and all subsequent releases; this
+			was inadvertently omitted from CHANGES at the time.
+
+2404.	[port]		hpux: files unlimited support.
+
+2403.	[bug]		TSIG context leak. [RT #18341]
+
+2402.	[port]		Support Solaris 2.11 and over. [RT #18362]
+
+2401.	[bug]		Expect to get E[MN]FILE errno internal_accept()
+			(from accept() or fcntl() system calls). [RT #18358]
+
+2400.	[bug]		Log if kqueue()/epoll_create()/open(/dev/poll) fails.
+			[RT #18297]
+
+2399.	[placeholder]
+
+2398.	[bug]		Improve file descriptor management.  New,
+			temporary, named.conf option reserved-sockets,
+			default 512. [RT #18344]
+
+2397.	[bug]		gssapi_functions had too many elements. [RT #18355]
+
+2396.	[bug]		Don't set SO_REUSEADDR for randomized ports.
+			[RT #18336]
+
+2395.	[port]		Avoid warning and no effect from "files unlimited"
+			on Linux when running as root. [RT #18335]
+
+2394.	[bug]		Default configuration options set the limit for
+			open files to 'unlimited' as described in the
+			documentation. [RT #18331]
+
+2393.	[bug]		nested acls containing keys could trigger an
+			assertion in acl.c. [RT #18166]
+
+2392.	[bug]		remove 'grep -q' from acl test script, some platforms
+			don't support it. [RT #18253]
+
+2391.	[port]		hpux: cover additional recvmsg() error codes.
+			[RT #18301]
+
+2390.	[bug]		dispatch.c could make a false warning on 'odd socket'.
+			[RT #18301].
+
+2389.	[bug]		Move the "working directory writable" check to after
+			the ns_os_changeuser() call. [RT #18326]
+
+2388.	[bug]		Avoid using tables for layout purposes in
+			statistics XSL [RT #18159].
+
+2387.	[bug]		Silence compiler warnings in lib/isc/radix.c.
+			[RT #18147] [RT #18258]
+
+2386.	[func]		Add warning about too small 'open files' limit.
+			[RT #18269]
+
+2385.	[bug]		A condition variable in socket.c could leak in
+			rare error handling [RT #17968].
+
+2384.	[security]	Fully randomize UDP query ports to improve
+			forgery resilience. [RT #17949, #18098]
+
+2383.	[bug]		named could double queries when they resulted in
+			SERVFAIL due to overkilling EDNS0 failure detection.
+			[RT #18182]
+
+2382.	[doc]		Add descriptions of DHCID, IPSECKEY, SPF and SSHFP
+			to ARM.
+
+2381.	[port]		dlz/mysql: support multiple install layouts for
+			mysql.  <prefix>/include/{,mysql/}mysql.h and
+			<prefix>/lib/{,mysql/}. [RT #18152]
+
+2380.	[bug]		dns_view_find() was not returning NXDOMAIN/NXRRSET
+			proofs which, in turn, caused validation failures
+			for insecure zones immediately below a secure zone
+			the server was authoritative for. [RT #18112]
+
+2379.	[contrib]	queryperf/gen-data-queryperf.py: removed redundant
+			TLDs and supported RRs with TTLs [RT #17972]
+
+2378.	[bug]		gssapi_functions{} had a redundant member in BIND 9.5.
+			[RT #18169]
+
+2377.	[bug]		Address race condition in dnssec-signzone. [RT #18142]
+
+2376.	[bug]		Change #2144 was not complete.
+
+2375.	[placeholder]
+
+2374.	[bug]		"blackhole" ACLs could cause named to segfault due
+			to some uninitialized memory. [RT #18095]
+
+2373.	[bug]		Default values of zone ACLs were re-parsed each time a
+			new zone was configured, causing an overconsumption
+			of memory. [RT #18092]
+
+2372.	[bug]		Fixed incorrect TAG_HMACSHA256_BITS value [RT #18047]
+
+2371.	[doc]		Add +nsid option to dig man page. [RT #18039]
+
+2370.	[bug]		"rndc freeze" could trigger an assertion in named
+			when called on a nonexistent zone. [RT #18050]
+
+2369.	[bug]		libbind: Array bounds overrun on read in bitncmp().
+			[RT #18054]
+
+2368.	[port]		Linux: use libcap for capability management if
+			possible. [RT #18026]
+
+2367.	[bug]		Improve counting of dns_resstatscounter_retry
+			[RT #18030]
+
+2366.	[bug]		Adb shutdown race. [RT #18021]
+
+2365.	[bug]		Fix a bug that caused dns_acl_isany() to return
+			spurious results. [RT #18000]
+
+2364.	[bug]		named could trigger a assertion when serving a
+			malformed signed zone. [RT #17828]
+
+2363.	[port]		sunos: pre-set "lt_cv_sys_max_cmd_len=4096;".
+			[RT #17513]
+
+2362.	[cleanup]	Make "rrset-order fixed" a compile-time option.
+			settable by "./configure --enable-fixed-rrset".
+			Disabled by default. [RT #17977]
+
+2361.	[bug]		"recursion" statistics counter could be counted
+			multiple times for a single query.  [RT #17990]
+
+2360.	[bug]		Fix a condition where we release a database version
+			(which may acquire a lock) while holding the lock.
+
+2359.	[bug]		Fix NSID bug. [RT #17942]
+
+2358.	[doc]		Update host's default query description. [RT #17934]
+
+2357.	[port]		Don't use OpenSSL's engine support in versions before
+			OpenSSL 0.9.7f. [RT #17922]
+
+2356.	[bug]		Built in mutex profiler was not scalable enough.
+			[RT #17436]
+
+2355.	[func]		Extend the number statistics counters available.
+			[RT #17590]
+
+2354.	[bug]		Failed to initialize some rdatasetheader_t elements.
+			[RT #17927]
+
+2353.	[func]		Add support for Name Server ID (RFC 5001).
+			'dig +nsid' requests NSID from server.
+			'request-nsid yes;' causes recursive server to send
+			NSID requests to upstream servers.  Server responds
+			to NSID requests with the string configured by
+			'server-id' option.  [RT #17091]
+
+2352.	[bug]		Various GSS_API fixups. [RT #17729]
+
+2351.	[bug]		convertxsl.pl generated very long lines. [RT #17906]
+
+2350.	[port]		win32: IPv6 support. [RT #17797]
+
+2349.	[func]		Provide incremental re-signing support for secure
+			dynamic zones. [RT #1091]
+
+2348.	[func]		Use the EVP interface to OpenSSL. Add PKCS#11 support.
+			Documentation is in the new README.pkcs11 file.
+			New tool, dnssec-keyfromlabel, which takes the
+			label of a key pair in a HSM and constructs a DNS
+			key pair for use by named and dnssec-signzone.
+			[RT #16844]
+
+2347.	[bug]		Delete now traverses the RB tree in the canonical
+			order. [RT #17451]
+
+2346.	[func]		Memory statistics now cover all active memory contexts
+			in increased detail. [RT #17580]
+
+2345.	[bug]		named-checkconf failed to detect when forwarders
+			were set at both the options/view level and in
+			a root zone. [RT #17671]
+
+2344.	[bug]		Improve "logging{ file ...; };" documentation.
+			[RT #17888]
+
+2343.	[bug]		(Seemingly) duplicate IPv6 entries could be
+			created in ADB. [RT #17837]
+
+2342.	[func]		Use getifaddrs() if available under Linux. [RT #17224]
+
+2341.	[bug]		libbind: add missing -I../include for off source
+			tree builds. [RT #17606]
+
+2340.	[port]		openbsd: interface configuration. [RT #17700]
+
+2339.	[port]		tru64: support for libbind. [RT #17589]
+
+2338.	[bug]		check_ds() could be called with a non DS rdataset.
+			[RT #17598]
+
+2337.	[bug]		BUILD_LDFLAGS was not being correctly set.  [RT #17614]
+
+2336.	[func]		If "named -6" is specified then listen on all IPv6
+			interfaces if there are not listen-on-v6 clauses in
+			named.conf.  [RT #17581]
+
+2335.	[port]		sunos:  libbind and *printf() support for long long.
+			[RT #17513]
+
+2334.	[bug]		Bad REQUIRES in fromstruct_in_naptr(),  off by one
+			bug in fromstruct_txt(). [RT #17609]
+
+2333.	[bug]		Fix off by one error in isc_time_nowplusinterval().
+			[RT #17608]
+
+2332.	[contrib]	query-loc-0.4.0. [RT #17602]
+
+2331.	[bug]		Failure to regenerate any signatures was not being
+			reported nor being past back to the UPDATE client.
+			[RT #17570]
+
+2330.	[bug]		Remove potential race condition when handling
+			over memory events. [RT #17572]
+
+			WARNING: API CHANGE: over memory callback
+			function now needs to call isc_mem_waterack().
+			See <isc/mem.h> for details.
+
+2329.	[bug]		Clearer help text for dig's '-x' and '-i' options.
+
+2328.	[maint]		Add AAAA addresses for A.ROOT-SERVERS.NET,
+			F.ROOT-SERVERS.NET, H.ROOT-SERVERS.NET,
+			J.ROOT-SERVERS.NET, K.ROOT-SERVERS.NET and
+			M.ROOT-SERVERS.NET.
+
+2327.	[bug]		It was possible to dereference a NULL pointer in
+			rbtdb.c.  Implement dead node processing in zones as
+			we do for caches. [RT #17312]
+
+2326.	[bug]		It was possible to trigger a INSIST in the acache
+			processing.
+
+2325.	[port]		Linux: use capset() function if available. [RT #17557]
+
+2324.	[bug]		Fix IPv6 matching against "any;". [RT #17533]
+
+2323.	[port]		tru64: namespace clash. [RT #17547]
+
+2322.	[port]		MacOS: work around the limitation of setrlimit()
+			for RLIMIT_NOFILE. [RT #17526]
+
+2321.	[placeholder]
+
+2320.	[func]		Make statistics counters thread-safe for platforms
+			that support certain atomic operations. [RT #17466]
+
+2319.	[bug]		Silence Coverity warnings in
+			lib/dns/rdata/in_1/apl_42.c. [RT #17469]
+
+2318.	[port]		sunos fixes for libbind.  [RT #17514]
+
+2317.	[bug]		"make distclean" removed bind9.xsl.h. [RT #17518]
+
+2316.	[port]		Missing #include <isc/print.h> in lib/dns/gssapictx.c.
+			[RT #17513]
+
+2315.	[bug]		Used incorrect address family for mapped IPv4
+			addresses in acl.c. [RT #17519]
+
+2314.	[bug]		Uninitialized memory use on error path in
+			bin/named/lwdnoop.c.  [RT #17476]
+
+2313.	[cleanup]	Silence Coverity warnings. Handle private stacks.
+			[RT #17447] [RT #17478]
+
+2312.	[cleanup]	Silence Coverity warning in lib/isc/unix/socket.c.
+			[RT #17458]
+
+2311.	[bug]		IPv6 addresses could match IPv4 ACL entries and
+			vice versa. [RT #17462]
+
+2310.	[bug]		dig, host, nslookup: flush stdout before emitting
+			debug/fatal messages.  [RT #17501]
+
+2309.	[cleanup]	Fix Coverity warnings in lib/dns/acl.c and iptable.c.
+			[RT #17455]
+
+2308.	[cleanup]	Silence Coverity warning in bin/named/controlconf.c.
+			[RT #17495]
+
+2307.	[bug]		Remove infinite loop from lib/dns/sdb.c. [RT #17496]
+
+2306.	[bug]		Remove potential race from lib/dns/resolver.c.
+			[RT #17470]
+
+2305.	[security]	inet_network() buffer overflow. CVE-2008-0122.
+
+2304.	[bug]		Check returns from all dns_rdata_tostruct() calls.
+			[RT #17460]
+
+2303.	[bug]		Remove unnecessary code from bin/named/lwdgnba.c.
+			[RT #17471]
+
+2302.	[bug]		Fix memset() calls in lib/tests/t_api.c. [RT #17472]
+
+2301.	[bug]		Remove resource leak and fix error messages in
+			bin/tests/system/lwresd/lwtest.c. [RT #17474]
+
+2300.	[bug]		Fixed failure to close open file in
+			bin/tests/names/t_names.c. [RT #17473]
+
+2299.	[bug]		Remove unnecessary NULL check in
+			bin/nsupdate/nsupdate.c. [RT #17475]
+
+2298.	[bug]		isc_mutex_lock() failure not caught in
+			bin/tests/timers/t_timers.c. [RT #17468]
+
+2297.	[bug]		isc_entropy_createfilesource() failure not caught in
+			bin/tests/dst/t_dst.c. [RT #17467]
+
+2296.	[port]		Allow docbook stylesheet location to be specified to
+			configure. [RT #17457]
+
+2295.	[bug]		Silence static overrun error in bin/named/lwaddr.c.
+			[RT #17459]
+
+2294.	[func]		Allow the experimental statistics channels to have
+			multiple connections and ACL.
+			Note: the stats-server and stats-server-v6 options
+			available in the previous beta releases are replaced
+			with the generic statistics-channels statement.
+
+2293.	[func]		Add ACL regression test. [RT #17375]
+
+2292.	[bug]		Log if the working directory is not writable.
+			[RT #17312]
+
+2291.	[bug]		PR_SET_DUMPABLE may be set too late.  Also report
+			failure to set PR_SET_DUMPABLE. [RT #17312]
+
+2290.	[bug]		Let AD in the query signal that the client wants AD
+			set in the response. [RT #17301]
+
+2289.	[func]		named-checkzone now reports the out-of-zone CNAME
+			found. [RT #17309]
+
+2288.	[port]		win32: mark service as running when we have finished
+			loading.  [RT #17441]
+
+2287.	[bug]		Use 'volatile' if the compiler supports it. [RT #17413]
+
+2286.	[func]		Allow a TCP connection to be used as a weak
+			authentication method for reverse zones.
+			New update-policy methods tcp-self and 6to4-self.
+			[RT #17378]
+
+2285.	[func]		Test framework for client memory context management.
+			[RT #17377]
+
+2284.	[bug]		Memory leak in UPDATE prerequisite processing.
+			[RT #17377]
+
+2283.	[bug]		TSIG keys were not attaching to the memory
+			context.  TSIG keys should use the rings
+			memory context rather than the clients memory
+			context. [RT #17377]
+
+2282.	[bug]		Acl code fixups. [RT #17346] [RT #17374]
+
+2281.	[bug]		Attempts to use undefined acls were not being logged.
+			[RT #17307]
+
+2280.	[func]		Allow the experimental http server to be reached
+			over IPv6 as well as IPv4. [RT #17332]
+
+2279.	[bug]		Use setsockopt(SO_NOSIGPIPE), when available,
+			to protect applications from receiving spurious
+			SIGPIPE signals when using the resolver.
+
+2278.	[bug]		win32: handle the case where Windows returns no
+			search list or DNS suffix. [RT #17354]
+
+2277.	[bug]		Empty zone names were not correctly being caught at
+			in the post parse checks. [RT #17357]
+
+2276.	[bug]		Install <dst/gssapi.h>.  [RT #17359]
+
+2275.	[func]		Add support to dig to perform IXFR queries over UDP.
+			[RT #17235]
+
+2274.	[func]		Log zone transfer statistics. [RT #17336]
+
+2273.	[bug]		Adjust log level to WARNING when saving inconsistent
+			stub/slave master and journal files. [RT #17279]
+
+2272.	[bug]		Handle illegal dnssec-lookaside trust-anchor names.
+			[RT #17262]
+
+2271.	[bug]		Fix a memory leak in http server code [RT #17100]
+
+2270.	[bug]		dns_db_closeversion() version->writer could be reset
+			before it is tested. [RT #17290]
+
+2269.	[contrib]	dbus memory leaks and missing va_end calls. [RT #17232]
+
+2268.	[bug]		0.IN-ADDR.ARPA was missing from the empty zones
+			list.
+
+	--- 9.5.0b1 released ---
+
+2267.	[bug]		Radix tree node_num value could be set incorrectly,
+			causing positive ACL matches to look like negative
+			ones.  [RT #17311]
+
+2266.	[bug]		client.c:get_clientmctx() returned the same mctx
+			once the pool of mctx's was filled. [RT #17218]
+
+2265.	[bug]		Test that the memory context's basic_table is non NULL
+			before freeing.  [RT #17265]
+
+2264.	[bug]		Server prefix length was being ignored. [RT #17308]
+
+2263.	[bug]		"named-checkconf -z" failed to set default value
+			for "check-integrity".  [RT #17306]
+
+2262.	[bug]		Error status from all but the last view could be
+			lost. [RT #17292]
+
+2261.	[bug]		Fix memory leak with "any" and "none" ACLs [RT #17272]
+
+2260.	[bug]		Reported wrong clients-per-query when increasing the
+			value. [RT #17236]
+
+2259.	[placeholder]
+
+	--- 9.5.0a7 released ---
+
+2258.	[bug]		Fallback from IXFR/TSIG to SOA/AXFR/TSIG broken.
+			[RT #17241]
+
+2257.	[bug]		win32: Use the full path to vcredist_x86.exe when
+			calling it. [RT #17222]
+
+2256.	[bug]		win32: Correctly register the installation location of
+			bindevt.dll. [RT #17159]
+
+2255.	[maint]		L.ROOT-SERVERS.NET is now 199.7.83.42.
+
+2254.	[bug]		timer.c:dispatch() failed to lock timer->lock
+			when reading timer->idle allowing it to see
+			intermediate values as timer->idle was reset by
+			isc_timer_touch(). [RT #17243]
+
+2253.	[func]		"max-cache-size" defaults to 32M.
+			"max-acache-size" defaults to 16M.
+
+2252.	[bug]		Fixed errors in sortlist code [RT #17216]
+
+2251.	[placeholder]
+
+2250.	[func]		New flag 'memstatistics' to state whether the
+			memory statistics file should be written or not.
+			Additionally named's -m option will cause the
+			statistics file to be written. [RT #17113]
+
+2249.	[bug]		Only set Authentic Data bit if client requested
+			DNSSEC, per RFC 3655 [RT #17175]
+
+2248.	[cleanup]	Fix several errors reported by Coverity. [RT #17160]
+
+2247.	[doc]		Sort doc/misc/options. [RT #17067]
+
+2246.	[bug]		Make the startup of test servers (ans.pl) more
+			robust. [RT #17147]
+
+2245.	[bug]		Validating lack of DS records at trust anchors wasn't
+			working. [RT #17151]
+
+2244.	[func]		Allow the check of nameserver names against the
+			SOA MNAME field to be disabled by specifying
+			'notify-to-soa yes;'.  [RT #17073]
+
+2243.	[func]		Configuration files without a newline at the end now
+			parse without error. [RT #17120]
+
+2242.	[bug]		nsupdate: GSS-TSIG support using the Heimdal Kerberos
+			library could require a source of random data.
+			[RT #17127]
+
+2241.	[func]		nsupdate: add a interactive 'help' command. [RT #17099]
+
+2240.	[bug]		Cleanup nsupdates GSS-TSIG support.  Convert
+			a number of INSIST()s into plain fatal() errors
+			which report the triggering result code.
+			The 'key' command wasn't disabling GSS-TSIG.
+			[RT #17099]
+
+2239.	[func]		Ship a pre built bin/named/bind9.xsl.h. [RT #17114]
+
+2238.	[bug]		It was possible to trigger a REQUIRE when a
+			validation was canceled. [RT #17106]
+
+2237.	[bug]		libbind: res_init() was not thread aware. [RT #17123]
+
+2236.	[bug]		dnssec-signzone failed to preserve the case of
+			of wildcard owner names. [RT #17085]
+
+2235.	[bug]		<isc/atomic.h> was not being installed. [RT #17135]
+
+2234.	[port]		Correct some compiler warnings on SCO OSr5 [RT #17134]
+
+2233.	[func]		Add support for O(1) ACL processing, based on
+			radix tree code originally written by Kevin
+			Brintnall. [RT #16288]
+
+2232.	[bug]		dns_adb_findaddrinfo() could fail and return
+			ISC_R_SUCCESS. [RT #17137]
+
+2231.	[bug]		Building dlzbdb (contrib/dlz/bin/dlzbdb) was broken.
+			[RT #17088]
+
+2230.	[bug]		We could INSIST reading a corrupted journal.
+			[RT #17132]
+
+2229.	[bug]		Null pointer dereference on query pool creation
+			failure. [RT #17133]
+
+2228.	[contrib]	contrib: Change 2188 was incomplete.
+
+2227.	[cleanup]	Tidied up the FAQ. [RT #17121]
+
+2226.	[placeholder]
+
+2225.	[bug]		More support for systems with no IPv4 addresses.
+			[RT #17111]
+
+2224.	[bug]		Defer journal compaction if a xfrin is in progress.
+			[RT #17119]
+
+2223.	[bug]		Make a new journal when compacting. [RT #17119]
+
+2222.	[func]		named-checkconf now checks server key references.
+			[RT #17097]
+
+2221.	[bug]		Set the event result code to reflect the actual
+			record turned to caller when a cache update is
+			rejected due to a more credible answer existing.
+			[RT #17017]
+
+2220.	[bug]		win32: Address a race condition in final shutdown of
+			the Windows socket code. [RT #17028]
+
+2219.	[bug]		Apply zone consistency checks to additions, not
+			removals, when updating. [RT #17049]
+
+2218.	[bug]		Remove unnecessary REQUIRE from dns_validator_create().
+			[RT #16976]
+
+2217.	[func]		Adjust update log levels. [RT #17092]
+
+2216.	[cleanup]	Fix a number of errors reported by Coverity.
+			[RT #17094]
+
+2215.	[bug]		Bad REQUIRE check isc_hmacsha1_verify(). [RT #17094]
+
+2214.	[bug]		Deregister OpenSSL lock callback when cleaning
+			up.  Reorder OpenSSL cleanup so that RAND_cleanup()
+			is called before the locks are destroyed. [RT #17098]
+
+2213.	[bug]		SIG0 diagnostic failure messages were looking at the
+			wrong status code. [RT #17101]
+
+2212.	[func]		'host -m' now causes memory statistics and active
+			memory to be printed at exit. [RT 17028]
+
+2211.	[func]		Update "dynamic update temporarily disabled" message.
+			[RT #17065]
+
+2210.	[bug]		Deleting class specific records via UPDATE could
+			fail.  [RT #17074]
+
+2209.	[port]		osx: linking against user supplied static OpenSSL
+			libraries failed as the system ones were still being
+			found. [RT #17078]
+
+2208.	[port]		win32: make sure both build methods produce the
+			same output. [RT #17058]
+
+2207.	[port]		Some implementations of getaddrinfo() fail to set
+			ai_canonname correctly. [RT #17061]
+
+	--- 9.5.0a6 released ---
+
+2206.	[security]	"allow-query-cache" and "allow-recursion" now
+			cross inherit from each other.
+
+			If allow-query-cache is not set in named.conf then
+			allow-recursion is used if set, otherwise allow-query
+			is used if set, otherwise the default (localnets;
+			localhost;) is used.
+
+			If allow-recursion is not set in named.conf then
+			allow-query-cache is used if set, otherwise allow-query
+			is used if set, otherwise the default (localnets;
+			localhost;) is used.
+
+			[RT #16987]
+
+2205.	[bug]		libbind: change #2119 broke thread support. [RT #16982]
+
+2204.	[bug]		"rndc flushname name unknown-view" caused named
+			to crash. [RT #16984]
+
+2203.	[security]	Query id generation was cryptographically weak.
+			[RT # 16915]
+
+2202.	[security]	The default acls for allow-query-cache and
+			allow-recursion were not being applied. [RT #16960]
+
+2201.	[bug]		The build failed in a separate object directory.
+			[RT #16943]
+
+2200.	[bug]		The search for cached NSEC records was stopping to
+			early leading to excessive DLV queries. [RT #16930]
+
+2199.	[bug]		win32: don't call WSAStartup() while loading dlls.
+			[RT #16911]
+
+2198.	[bug]		win32: RegCloseKey() could be called when
+			RegOpenKeyEx() failed. [RT #16911]
+
+2197.	[bug]		Add INSIST to catch negative responses which are
+			not setting the event result code appropriately.
+			[RT #16909]
+
+2196.	[port]		win32: yield processor while waiting for once to
+			to complete. [RT #16958]
+
+2195.	[func]		dnssec-keygen now defaults to nametype "ZONE"
+			when generating DNSKEYs. [RT #16954]
+
+2194.	[bug]		Close journal before calling 'done' in xfrin.c.
+
+	--- 9.5.0a5 released ---
+
+2193.	[port]		win32: BINDInstall.exe is now linked statically.
+			[RT #16906]
+
+2192.	[port]		win32: use vcredist_x86.exe to install Visual
+			Studio's redistributable dlls if building with
+			Visual Stdio 2005 or later.
+
+2191.	[func]		named-checkzone now allows dumping to stdout (-).
+			named-checkconf now has -h for help.
+			named-checkzone now has -h for help.
+			rndc now has -h for help.
+			Better handling of '-?' for usage summaries.
+			[RT #16707]
+
+2190.	[func]		Make fallback to plain DNS from EDNS due to timeouts
+			more visible.  New logging category "edns-disabled".
+			[RT #16871]
+
+2189.	[bug]		Handle socket() returning EINTR. [RT #15949]
+
+2188.	[contrib]	queryperf: autoconf changes to make the search for
+			libresolv or libbind more robust. [RT #16299]
+
+2187.	[bug]		query_addds(), query_addwildcardproof() and
+			query_addnxrrsetnsec() should take a version
+			argument. [RT #16368]
+
+2186.	[port]		cygwin: libbind: check for struct sockaddr_storage
+			independently of IPv6. [RT #16482]
+
+2185.	[port]		sunos: libbind: check for ssize_t, memmove() and
+			memchr(). [RT #16463]
+
+2184.	[bug]		bind9.xsl.h didn't build out of the source tree.
+			[RT #16830]
+
+2183.	[bug]		dnssec-signzone didn't handle offline private keys
+			well.  [RT #16832]
+
+2182.	[bug]		dns_dispatch_createtcp() and dispatch_createudp()
+			could return ISC_R_SUCCESS when they ran out of
+			memory. [RT #16365]
+
+2181.	[port]		sunos: libbind: add paths.h from BIND 8. [RT #16462]
+
+2180.	[cleanup]	Remove bit test from 'compress_test' as they
+			are no longer needed. [RT #16497]
+
+2179.	[func]		'rndc command zone' will now find 'zone' if it is
+			unique to all the views. [RT #16821]
+
+2178.	[bug]		'rndc reload' of a slave or stub zone resulted in
+			a reference leak. [RT #16867]
+
+2177.	[bug]		Array bounds overrun on read (rcodetext) at
+			debug level 10+. [RT #16798]
+
+2176.	[contrib]	dbus update to handle race condition during
+			initialization (Bugzilla 235809). [RT #16842]
+
+2175.	[bug]		win32: windows broadcast condition variable support
+			was broken. [RT #16592]
+
+2174.	[bug]		I/O errors should always be fatal when reading
+			master files. [RT #16825]
+
+2173.	[port]		win32: When compiling with MSVS 2005 SP1 we also
+			need to ship Microsoft.VC80.MFCLOC.
+
+	--- 9.5.0a4 released ---
+
+2172.	[bug]		query_addsoa() was being called with a non zone db.
+			[RT #16834]
+
+2171.	[bug]		Handle breaks in DNSSEC trust chains where the parent
+			servers are not DS aware (DS queries to the parent
+			return a referral to the child).
+
+2170.	[func]		Add acache processing to test suite. [RT #16711]
+
+2169.	[bug]		host, nslookup: when reporting NXDOMAIN report the
+			given name and not the last name searched for.
+			[RT #16763]
+
+2168.	[bug]		nsupdate: in non-interactive mode treat syntax errors
+			as fatal errors. [RT #16785]
+
+2167.	[bug]		When re-using a automatic zone named failed to
+			attach it to the new view. [RT #16786]
+
+	--- 9.5.0a3 released ---
+
+2166.	[bug]		When running in batch mode, dig could misinterpret
+			a server address as a name to be looked up, causing
+			unexpected output. [RT #16743]
+
+2165.	[func]		Allow the destination address of a query to determine
+			if we will answer the query or recurse.
+			allow-query-on, allow-recursion-on and
+			allow-query-cache-on. [RT #16291]
+
+2164.	[bug]		The code to determine how named-checkzone /
+			named-compilezone was called failed under windows.
+			[RT #16764]
+
+2163.	[bug]		If only one of query-source and query-source-v6
+			specified a port the query pools code broke (change
+			2129).  [RT #16768]
+
+2162.	[func]		Allow "rrset-order fixed" to be disabled at compile
+			time. [RT #16665]
+
+2161.	[bug]		Fix which log messages are emitted for 'rndc flush'.
+			[RT #16698]
+
+2160.	[bug]		libisc wasn't handling NULL ifa_addr pointers returned
+			from getifaddrs(). [RT #16708]
+
+	--- 9.5.0a2 released ---
+
+2159.	[bug]		Array bounds overrun in acache processing. [RT #16710]
+
+2158.	[bug]		ns_client_isself() failed to initialize key
+			leading to a REQUIRE failure. [RT #16688]
+
+2157.	[func]		dns_db_transfernode() created. [RT #16685]
+
+2156.	[bug]		Fix node reference leaks in lookup.c:lookup_find(),
+			resolver.c:validated() and resolver.c:cache_name().
+			Fix a memory leak in rbtdb.c:free_noqname().
+			Make lookup.c:lookup_find() robust against
+			event leaks. [RT #16685]
+
+2155.	[contrib]	SQLite sdb module from jaboydjr@netwalk.com.
+			[RT #16694]
+
+2154.	[func]		Scoped (e.g. IPv6 link-local) addresses may now be
+			matched in acls by omitting the scope. [RT #16599]
+
+2153.	[bug]		nsupdate could leak memory. [RT #16691]
+
+2152.	[cleanup]	Use sizeof(buf) instead of fixed number in
+			dighost.c:get_trusted_key(). [RT #16678]
+
+2151.	[bug]		Missing newline in usage message for journalprint.
+			[RT #16679]
+
+2150.	[bug]		'rrset-order cyclic' uniformly distribute the
+			starting point for the first response for a given
+			RRset. [RT #16655]
+
+2149.	[bug]		isc_mem_checkdestroyed() failed to abort on
+			if there were still active memory contexts.
+			[RT #16672]
+
+2148.	[func]		Add positive logging for rndc commands. [RT #14623]
+
+2147.	[bug]		libbind: remove potential buffer overflow from
+			hmac_link.c. [RT #16437]
+
+2146.	[cleanup]	Silence Linux's spurious "obsolete setsockopt
+			SO_BSDCOMPAT" message. [RT #16641]
+
+2145.	[bug]		Check DS/DLV digest lengths for known digests.
+			[RT #16622]
+
+2144.	[cleanup]	Suppress logging of SERVFAIL from forwarders.
+			[RT #16619]
+
+2143.	[bug]		We failed to restart the IPv6 client when the
+			kernel failed to return the destination the
+			packet was sent to. [RT #16613]
+
+2142.	[bug]		Handle master files with a modification time that
+			matches the epoch. [RT #16612]
+
+2141.	[bug]		dig/host should not be setting IDN_ASCCHECK (IDN
+			equivalent of LDH checks).  [RT #16609]
+
+2140.	[bug]		libbind: missing unlock on pthread_key_create()
+			failures. [RT #16654]
+
+2139.	[bug]		dns_view_find() was being called with wrong type
+			in adb.c. [RT #16670]
+
+2138.	[bug]		Lock order reversal in resolver.c. [RT #16653]
+
+2137.	[port]		Mips little endian and/or mips 64 bit are now
+			supported for atomic operations. [RT #16648]
+
+2136.	[bug]		nslookup/host looped if there was no search list
+			and the host didn't exist. [RT #16657]
+
+2135.	[bug]		Uninitialized rdataset in sdlz.c. [RT #16656]
+
+2134.	[func]		Additional statistics support. [RT #16666]
+
+2133.	[port]		powerpc:  Support both IBM and MacOS Power PC
+			assembler syntaxes. [RT #16647]
+
+2132.	[bug]		Missing unlock on out of memory in
+			dns_dispatchmgr_setudp().
+
+2131.	[contrib]	dlz/mysql: AXFR was broken. [RT #16630]
+
+2130.	[func]		Log if CD or DO were set. [RT #16640]
+
+2129.	[func]		Provide a pool of UDP sockets for queries to be
+			made over. See use-queryport-pool, queryport-pool-ports
+			and queryport-pool-updateinterval.  [RT #16415]
+
+2128.	[doc]		xsltproc --nonet, update DTD versions.  [RT #16635]
+
+2127.	[port]		Improved OpenSSL 0.9.8 support. [RT #16563]
+
+2126.	[security]	Serialize validation of type ANY responses. [RT #16555]
+
+2125.	[bug]		dns_zone_getzeronosoattl() REQUIRE failure if DLZ
+			was defined. [RT #16574]
+
+2124.	[security]	It was possible to dereference a freed fetch
+			context. [RT #16584]
+
+	--- 9.5.0a1 released ---
+
+2123.	[func]		Use Doxygen to generate internal documentation.
+			[RT #11398]
+
+2122.	[func]		Experimental http server and statistics support
+			for named via xml.
+
+2121.	[func]		Add a 10 slot dead masters cache (LRU) with a 600
+			second timeout. [RT #16553]
+
+2120.	[doc]		Fix markup on nsupdate man page. [RT #16556]
+
+2119.	[compat]	libbind: allow res_init() to succeed enough to
+			return the default domain even if it was unable
+			to allocate memory.
+
+2118.	[bug]		Handle response with long chains of domain name
+			compression pointers which point to other compression
+			pointers. [RT #16427]
+
+2117.	[bug]		DNSSEC fixes: named could fail to cache NSEC records
+			which could lead to validation failures.  named didn't
+			handle negative DS responses that were in the process
+			of being validated.  Check CNAME bit before accepting
+			NODATA proof. To be able to ignore a child NSEC there
+			must be SOA (and NS) set in the bitmap. [RT #16399]
+
+2116.	[bug]		'rndc reload' could cause the cache to continually
+			be cleaned. [RT #16401]
+
+2115.	[bug]		'rndc reconfig' could trigger a INSIST if the
+			number of masters for a zone was reduced. [RT #16444]
+
+2114.	[bug]		dig/host/nslookup: searches for names with multiple
+			labels were failing. [RT #16447]
+
+2113.	[bug]		nsupdate: if a zone is specified it should be used
+			for server discover. [RT #16455]
+
+2112.	[security]	Warn if weak RSA exponent is used. [RT #16460]
+
+2111.	[bug]		Fix a number of errors reported by Coverity.
+			[RT #16507]
+
+2110.	[bug]		"minimal-responses yes;" interacted badly with BIND 8
+			priming queries. [RT #16491]
+
+2109.	[port]		libbind: silence aix 5.3 compiler warnings. [RT #16502]
+
+2108.	[func]		DHCID support. [RT #16456]
+
+2107.	[bug]		dighost.c: more cleanup of buffers. [RT #16499]
+
+2106.	[func]		'rndc status' now reports named's version. [RT #16426]
+
+2105.	[func]		GSS-TSIG support (RFC 3645).
+
+2104.	[port]		Fix Solaris SMF error message.
+
+2103.	[port]		Add /usr/sfw to list of locations for OpenSSL
+			under Solaris.
+
+2102.	[port]		Silence Solaris 10 warnings.
+
+2101.	[bug]		OpenSSL version checks were not quite right.
+			[RT #16476]
+
+2100.	[port]		win32: copy libeay32.dll to Build\Debug.
+			Copy Debug\named-checkzone to Debug\named-compilezone.
+
+2099.	[port]		win32: more manifest issues.
+
+2098.	[bug]		Race in rbtdb.c:no_references(), which occasionally
+			triggered an INSIST failure about the node lock
+			reference.  [RT #16411]
+
+2097.	[bug]		named could reference a destroyed memory context
+			after being reloaded / reconfigured. [RT #16428]
+
+2096.	[bug]		libbind: handle applications that fail to detect
+			res_init() failures better.
+
+2095.	[port]		libbind: always prototype inet_cidr_ntop_ipv6() and
+			net_cidr_ntop_ipv6(). [RT #16388]
+
+2094.	[contrib]	Update named-bootconf.  [RT #16404]
+
+2093.	[bug]		named-checkzone -s was broken.
+
+2092.	[bug]		win32: dig, host, nslookup.  Use registry config
+			if resolv.conf does not exist or no nameservers
+			listed. [RT #15877]
+
+2091.	[port]		dighost.c: race condition on cleanup. [RT #16417]
+
+2090.	[port]		win32: Visual C++ 2005 command line manifest support.
+			[RT #16417]
+
+2089.	[security]	Raise the minimum safe OpenSSL versions to
+			OpenSSL 0.9.7l and OpenSSL 0.9.8d.  Versions
+			prior to these have known security flaws which
+			are (potentially) exploitable in named. [RT #16391]
+
+2088.	[security]	Change the default RSA exponent from 3 to 65537.
+			[RT #16391]
+
+2087.	[port]		libisc failed to compile on OS's w/o a vsnprintf.
+			[RT #16382]
+
+2086.	[port]		libbind: FreeBSD now has get*by*_r() functions.
+			[RT #16403]
+
+2085.	[doc]		win32: added index.html and README to zip. [RT #16201]
+
+2084.	[contrib]	dbus update for 9.3.3rc2.
+
+2083.	[port]		win32: Visual C++ 2005 support.
+
+2082.	[doc]		Document 'cache-file' as a test only option.
+
+2081.	[port]		libbind: minor 64-bit portability fix in memcluster.c.
+			[RT #16360]
+
+2080.	[port]		libbind: res_init.c did not compile on older versions
+			of Solaris. [RT #16363]
+
+2079.	[bug]		The lame cache was not handling multiple types
+			correctly. [RT #16361]
+
+2078.	[bug]		dnssec-checkzone output style "default" was badly
+			named.  It is now called "relative". [RT #16326]
+
+2077.	[bug]		'dnssec-signzone -O raw' wasn't outputting the
+			complete signed zone. [RT #16326]
+
+2076.	[bug]		Several files were missing #include <config.h>
+			causing build failures on OSF. [RT #16341]
+
+2075.	[bug]		The spillat timer event handler could leak memory.
+			[RT #16357]
+
+2074.	[bug]		dns_request_createvia2(), dns_request_createvia3(),
+			dns_request_createraw2() and dns_request_createraw3()
+			failed to send multiple UDP requests. [RT #16349]
+
+2073.	[bug]		Incorrect semantics check for update policy "wildcard".
+			[RT #16353]
+
+2072.	[bug]		We were not generating valid HMAC SHA digests.
+			[RT #16320]
+
+2071.	[port]		Test whether gcc accepts -fno-strict-aliasing.
+			[RT #16324]
+
+2070.	[bug]		The remote address was not always displayed when
+			reporting dispatch failures. [RT #16315]
+
+2069.	[bug]		Cross compiling was not working. [RT #16330]
+
+2068.	[cleanup]	Lower incremental tuning message to debug 1.
+			[RT #16319]
+
+2067.	[bug]		'rndc' could close the socket too early triggering
+			a INSIST under Windows. [RT #16317]
+
+2066.	[security]	Handle SIG queries gracefully. [RT #16300]
+
+2065.	[bug]		libbind: probe for HPUX prototypes for
+			endprotoent_r() and endservent_r().  [RT 16313]
+
+2064.	[bug]		libbind: silence AIX compiler warnings. [RT #16218]
+
+2063.	[bug]		Change #1955 introduced a bug which caused the first
+			'rndc flush' call to not free memory. [RT #16244]
+
+2062.	[bug]		'dig +nssearch' was reusing a buffer before it had
+			been returned by the socket code. [RT #16307]
+
+2061.	[bug]		Accept expired wildcard message reversed. [RT #16296]
+
+2060.	[bug]		Enabling DLZ support could leave views partially
+			configured. [RT #16295]
+
+2059.	[bug]		Search into cache rbtdb could trigger an INSIST
+			failure while cleaning up a stale rdataset.
+			[RT #16292]
+
+2058.	[bug]		Adjust how we calculate rtt estimates in the presence
+			of authoritative servers that drop EDNS and/or CD
+			requests.  Also fallback to EDNS/512 and plain DNS
+			faster for zones with less than 3 servers.  [RT #16187]
+
+2057.	[bug]		Make setting "ra" dependent on both allow-query-cache
+			and allow-recursion. [RT #16290]
+
+2056.	[bug]		dig: ixfr= was not being treated case insensitively
+			at all times. [RT #15955]
+
+2055.	[bug]		Missing goto after dropping multicast query.
+			[RT #15944]
+
+2054.	[port]		freebsd: do not explicitly link against -lpthread.
+			[RT #16170]
+
+2053.	[port]		netbsd:libbind: silence compiler warnings. [RT #16220]
+
+2052.	[bug]		'rndc' improve connect failed message to report
+			the failing address. [RT #15978]
+
+2051.	[port]		More strtol() fixes. [RT #16249]
+
+2050.	[bug]		Parsing of NSAP records was not case insensitive.
+			[RT #16287]
+
+2049.	[bug]		Restore SOA before AXFR when falling back from
+			a attempted IXFR when transferring in a zone.
+			Allow a initial SOA query before attempting
+			a AXFR to be requested. [RT #16156]
+
+2048.	[bug]		It was possible to loop forever when using
+			avoid-v4-udp-ports / avoid-v6-udp-ports when
+			the OS always returned the same local port.
+			[RT #16182]
+
+2047.	[bug]		Failed to initialize the interface flags to zero.
+			[RT #16245]
+
+2046.	[bug]		rbtdb.c:rdataset_setadditional() could cause duplicate
+			cleanup [RT #16247].
+
+2045.	[func]		Use lock buckets for acache entries to limit memory
+			consumption. [RT #16183]
+
+2044.	[port]		Add support for atomic operations for Itanium.
+			[RT #16179]
+
+2043.	[port]		nsupdate/nslookup: Force the flushing of the prompt
+			for interactive sessions. [RT #16148]
+
+2042.	[bug]		named-checkconf was incorrectly rejecting the
+			logging category "config". [RT #16117]
+
+2041.	[bug]		"configure --with-dlz-bdb=yes" produced a bad
+			set of libraries to be linked. [RT #16129]
+
+2040.	[bug]		rbtdb no_references() could trigger an INSIST
+			failure with --enable-atomic.  [RT #16022]
+
+2039.	[func]		Check that all buffers passed to the socket code
+			have been retrieved when the socket event is freed.
+			[RT #16122]
+
+2038.	[bug]		dig/nslookup/host was unlinking from wrong list
+			when handling errors. [RT #16122]
+
+2037.	[func]		When unlinking the first or last element in a list
+			check that the list head points to the element to
+			be unlinked. [RT #15959]
+
+2036.	[bug]		'rndc recursing' could cause trigger a REQUIRE.
+			[RT #16075]
+
+2035.	[func]		Make falling back to TCP on UDP refresh failure
+			optional. Default "try-tcp-refresh yes;" for BIND 8
+			compatibility. [RT #16123]
+
+2034.	[bug]		gcc: set -fno-strict-aliasing. [RT #16124]
+
+2033.	[bug]		We weren't creating multiple client memory contexts
+			on demand as expected. [RT #16095]
+
+2032.	[bug]		Remove a INSIST in query_addadditional2(). [RT #16074]
+
+2031.	[bug]		Emit a error message when "rndc refresh" is called on
+			a non slave/stub zone. [RT # 16073]
+
+2030.	[bug]		We were being overly conservative when disabling
+			openssl engine support. [RT #16030]
+
+2029.	[bug]		host printed out the server multiple times when
+			specified on the command line. [RT #15992]
+
+2028.	[port]		linux: socket.c compatibility for old systems.
+			[RT #16015]
+
+2027.	[port]		libbind: Solaris x86 support. [RT #16020]
+
+2026.	[bug]		Rate limit the two recursive client exceeded messages.
+			[RT #16044]
+
+2025.	[func]		Update "zone serial unchanged" message. [RT #16026]
+
+2024.	[bug]		named emitted spurious "zone serial unchanged"
+			messages on reload. [RT #16027]
+
+2023.	[bug]		"make install" should create ${localstatedir}/run and
+			${sysconfdir} if they do not exist. [RT #16033]
+
+2022.	[bug]		If dnssec validation is disabled only assert CD if
+			CD was requested. [RT #16037]
+
+2021.	[bug]		dnssec-enable no; triggered a REQUIRE. [RT #16037]
+
+2020.	[bug]		rdataset_setadditional() could leak memory. [RT #16034]
+
+2019.	[tuning]	Reduce the amount of work performed per quantum
+			when cleaning the cache. [RT #15986]
+
+2018.	[bug]		Checking if the HMAC MD5 private file was broken.
+			[RT #15960]
+
+2017.	[bug]		allow-query default was not correct. [RT #15946]
+
+2016.	[bug]		Return a partial answer if recursion is not
+			allowed but requested and we had the answer
+			to the original qname. [RT #15945]
+
+2015.	[cleanup]	use-additional-cache is now acache-enable for
+			consistency.  Default acache-enable off in BIND 9.4
+			as it requires memory usage to be configured.
+			It may be enabled by default in BIND 9.5 once we
+			have more experience with it.
+
+2014.	[func]		Statistics about acache now recorded and sent
+			to log. [RT #15976]
+
+2013.	[bug]		Handle unexpected TSIGs on unsigned AXFR/IXFR
+			responses more gracefully. [RT #15941]
+
+2012.	[func]		Don't insert new acache entries if acache is full.
+			[RT #15970]
+
+2011.	[func]		dnssec-signzone can now update the SOA record of
+			the signed zone, either as an increment or as the
+			system time(). [RT #15633]
+
+2010.	[placeholder]	rt15958
+
+2009.	[bug]		libbind: Coverity fixes. [RT #15808]
+
+2008.	[func]		It is now possible to enable/disable DNSSEC
+			validation from rndc.  This is useful for the
+			mobile hosts where the current connection point
+			breaks DNSSEC (firewall/proxy).  [RT #15592]
+
+				rndc validation newstate [view]
+
+2007.	[func]		It is now possible to explicitly enable DNSSEC
+			validation.  default dnssec-validation no; to
+			be changed to yes in 9.5.0.  [RT #15674]
+
+2006.	[security]	Allow-query-cache and allow-recursion now default
+			to the built in acls "localnets" and "localhost".
+
+			This is being done to make caching servers less
+			attractive as reflective amplifying targets for
+			spoofed traffic.  This still leave authoritative
+			servers exposed.
+
+			The best fix is for full BCP 38 deployment to
+			remove spoofed traffic.
+
+2005.	[bug]		libbind: Retransmission timeouts should be
+			based on which attempt it is to the nameserver
+			and not the nameserver itself. [RT #13548]
+
+2004.	[bug]		dns_tsig_sign() could pass a NULL pointer to
+			dst_context_destroy() when cleaning up after a
+			error. [RT #15835]
+
+2003.	[bug]		libbind: The DNS name/address lookup functions could
+			occasionally follow a random pointer due to
+			structures not being completely zeroed. [RT #15806]
+
+2002.	[bug]		libbind: tighten the constraints on when
+			struct addrinfo._ai_pad exists.  [RT #15783]
+
+2001.	[func]		Check the KSK flag when updating a secure dynamic zone.
+			New zone option "update-check-ksk yes;".  [RT #15817]
+
+2000.	[bug]		memmove()/strtol() fix was incomplete. [RT #15812]
+
+1999.	[func]		Implement "rrset-order fixed". [RT #13662]
+
+1998.	[bug]		Restrict handling of fifos as sockets to just SunOS.
+			This allows named to connect to entropy gathering
+			daemons that use fifos instead of sockets. [RT #15840]
+
+1997.	[bug]		Named was failing to replace negative cache entries
+			when a positive one for the type was learnt.
+			[RT #15818]
+
+1996.	[bug]		nsupdate: if a zone has been specified it should
+			appear in the output of 'show'. [RT #15797]
+
+1995.	[bug]		'host' was reporting multiple "is an alias" messages.
+			[RT #15702]
+
+1994.	[port]		OpenSSL 0.9.8 support. [RT #15694]
+
+1993.	[bug]		Log messages, via syslog, were missing the space
+			after the timestamp if "print-time yes" was specified.
+			[RT #15844]
+
+1992.	[bug]		Not all incoming zone transfer messages included the
+			view.  [RT #15825]
+
+1991.	[cleanup]	The configuration data, once read, should be treated
+			as read only.  Expand the use of const to enforce this
+			at compile time. [RT #15813]
+
+1990.	[bug]		libbind:  isc's override of broken gettimeofday()
+			implementations was not always effective.
+			[RT #15709]
+
+1989.	[bug]		win32: don't check the service password when
+			re-installing. [RT #15882]
+
+1988.	[bug]		Remove a bus error from the SHA256/SHA512 support.
+			[RT #15878]
+
+1987.	[func]		DS/DLV SHA256 digest algorithm support. [RT #15608]
+
+1986.	[func]		Report when a zone is removed. [RT #15849]
+
+1985.	[protocol]	DLV has now been assigned a official type code of
+			32769. [RT #15807]
+
+			Note: care should be taken to ensure you upgrade
+			both named and dnssec-signzone at the same time for
+			zones with DLV records where named is the master
+			server for the zone.  Also any zones that contain
+			DLV records should be removed when upgrading a slave
+			zone.  You do not however have to upgrade all
+			servers for a zone with DLV records simultaneously.
+
+1984.	[func]		dig, nslookup and host now advertise a 4096 byte
+			EDNS UDP buffer size by default. [RT #15855]
+
+1983.	[func]		Two new update policies.  "selfsub" and "selfwild".
+			[RT #12895]
+
+1982.	[bug]		DNSKEY was being accepted on the parent side of
+			a delegation.  KEY is still accepted there for
+			RFC 3007 validated updates. [RT #15620]
+
+1981.	[bug]		win32: condition.c:wait() could fail to reattain
+			the mutex lock.
+
+1980.	[func]		dnssec-signzone: output the SOA record as the
+			first record in the signed zone. [RT #15758]
+
+1979.	[port]		linux: allow named to drop core after changing
+			user ids. [RT #15753]
+
+1978.	[port]		Handle systems which have a broken recvmsg().
+			[RT #15742]
+
+1977.	[bug]		Silence noisy log message. [RT #15704]
+
+1976.	[bug]		Handle systems with no IPv4 addresses. [RT #15695]
+
+1975.	[bug]		libbind: isc_gethexstring() could misparse multi-line
+			hex strings with comments. [RT #15814]
+
+1974.	[doc]		List each of the zone types and associated zone
+			options separately in the ARM.
+
+1973.	[func]		TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and
+			HMACSHA512 support. [RT #13606]
+
+1972.	[contrib]	DBUS dynamic forwarders integration from
+			Jason Vas Dias <jvdias@redhat.com>.
+
+1971.	[port]		linux: make detection of missing IF_NAMESIZE more
+			robust. [RT #15443]
+
+1970.	[bug]		nsupdate: adjust UDP timeout when falling back to
+			unsigned SOA query. [RT #15775]
+
+1969.	[bug]		win32: the socket code was freeing the socket
+			structure too early. [RT #15776]
+
+1968.	[bug]		Missing lock in resolver.c:validated(). [RT #15739]
+
+1967.	[func]		dig/nslookup/host: warn about missing "QR". [RT #15779]
+
+1966.	[bug]		Don't set CD when we have fallen back to plain DNS.
+			[RT #15727]
+
+1965.	[func]		Suppress spurious "recursion requested but not
+			available" warning with 'dig +qr'. [RT #15780].
+
+1964.	[func]		Separate out MX and SRV to CNAME checks. [RT #15723]
+
+1963.	[port]		Tru64 4.0E doesn't support send() and recv().
+			[RT #15586]
+
+1962.	[bug]		Named failed to clear old update-policy when it
+			was removed. [RT #15491]
+
+1961.	[bug]		Check the port and address of responses forwarded
+			to dispatch. [RT #15474]
+
+1960.	[bug]		Update code should set NSEC ttls from SOA MINIMUM.
+			[RT #15465]
+
+1959.	[func]		Control the zeroing of the negative response TTL to
+			a soa query.  Defaults "zero-no-soa-ttl yes;" and
+			"zero-no-soa-ttl-cache no;". [RT #15460]
+
+1958.	[bug]		Named failed to update the zone's secure state
+			until the zone was reloaded. [RT #15412]
+
+1957.	[bug]		Dig mishandled responses to class ANY queries.
+			[RT #15402]
+
+1956.	[bug]		Improve cross compile support, 'gen' is now built
+			by native compiler.  See README for additional
+			cross compile support information. [RT #15148]
+
+1955.	[bug]		Pre-allocate the cache cleaning iterator. [RT #14998]
+
+1954.	[func]		Named now falls back to advertising EDNS with a
+			512 byte receive buffer if the initial EDNS queries
+			fail.  [RT #14852]
+
+1953.	[func]		The maximum EDNS UDP response named will send can
+			now be set in named.conf (max-udp-size).  This is
+			independent of the advertised receive buffer
+			(edns-udp-size). [RT #14852]
+
+1952.	[port]		hpux: tell the linker to build a runtime link
+			path "-Wl,+b:". [RT #14816].
+
+1951.	[security]	Drop queries from particular well known ports.
+			Don't return FORMERR to queries from particular
+			well known ports.  [RT #15636]
+
+1950.	[port]		Solaris 2.5.1 and earlier cannot bind() then connect()
+			a TCP socket. This prevents the source address being
+			set for TCP connections. [RT #15628]
+
+1949.	[func]		Addition memory leakage checks. [RT #15544]
+
+1948.	[bug]		If was possible to trigger a REQUIRE failure in
+			xfrin.c:maybe_free() if named ran out of memory.
+			[RT #15568]
+
+1947.	[func]		It is now possible to configure named to accept
+			expired RRSIGs.  Default "dnssec-accept-expired no;".
+			Setting "dnssec-accept-expired yes;" leaves named
+			vulnerable to replay attacks.  [RT #14685]
+
+1946.	[bug]		resume_dslookup() could trigger a REQUIRE failure
+			when using forwarders. [RT #15549]
+
+1945.	[cleanup]	dnssec-keygen: RSA (RSAMD5) is no longer recommended.
+			To generate a RSAMD5 key you must explicitly request
+			RSAMD5. [RT #13780]
+
+1944.	[cleanup]	isc_hash_create() does not need a read/write lock.
+			[RT #15522]
+
+1943.	[bug]		Set the loadtime after rolling forward the journal.
+			[RT #15647]
+
+1942.	[bug]		If the name of a DNSKEY match that of one in
+			trusted-keys do not attempt to validate the DNSKEY
+			using the parents DS RRset. [RT #15649]
+
+1941.	[bug]		ncache_adderesult() should set eresult even if no
+			rdataset is passed to it. [RT #15642]
+
+1940.	[bug]		Fixed a number of error conditions reported by
+			Coverity.
+
+1939.	[bug]		The resolver could dereference a null pointer after
+			validation if all the queries have timed out.
+			[RT #15528]
+
+1938.	[bug]		The validator was not correctly handling unsecure
+			negative responses at or below a SEP. [RT #15528]
+
+1937.	[bug]		sdlz doesn't handle RRSIG records. [RT #15564]
+
+1936.	[bug]		The validator could leak memory. [RT #15544]
+
+1935.	[bug]		'acache' was DO sensitive. [RT #15430]
+
+1934.	[func]		Validate pending NS RRsets, in the authority section,
+			prior to returning them if it can be done without
+			requiring DNSKEYs to be fetched.  [RT #15430]
+
+1933.	[bug]		dump_rdataset_raw() had a incorrect INSIST. [RT #15534]
+
+1932.	[bug]		hpux: LDFLAGS was getting corrupted. [RT #15530]
+
+1931.	[bug]		Per-client mctx could require a huge amount of memory,
+			particularly for a busy caching server. [RT #15519]
+
+1930.	[port]		HPUX: ia64 support. [RT #15473]
+
+1929.	[port]		FreeBSD: extend use of PTHREAD_SCOPE_SYSTEM.
+
+1928.	[bug]		Race in rbtdb.c:currentversion(). [RT #15517]
+
+1927.	[bug]		Access to soanode or nsnode in rbtdb violated the
+			lock order rule and could cause a dead lock.
+			[RT #15518]
+
+1926.	[bug]		The Windows installer did not check for empty
+			passwords.  BINDinstall was being installed in
+			the wrong place. [RT #15483]
+
+1925.	[port]		All outer level AC_TRY_RUNs need cross compiling
+			defaults. [RT #15469]
+
+1924.	[port]		libbind: hpux ia64 support. [RT #15473]
+
+1923.	[bug]		ns_client_detach() called too early. [RT #15499]
+
+1922.	[bug]		check-tool.c:setup_logging() missing call to
+			dns_log_setcontext().
+
+1921.	[bug]		Client memory contexts were not using internal
+			malloc. [RT #15434]
+
+1920.	[bug]		The cache rbtdb lock array was too small to
+			have the desired performance characteristics.
+			[RT #15454]
+
+1919.	[contrib]	queryperf: a set of new features: collecting/printing
+			response delays, printing intermediate results, and
+			adjusting query rate for the "target" qps.
+
+1918.	[bug]		Memory leak when checking acls. [RT #15391]
+
+1917.	[doc]		funcsynopsisinfo wasn't being treated as verbatim
+			when generating man pages. [RT #15385]
+
+1916.	[func]		Integrate contributed IDN code from JPNIC. [RT #15383]
+
+1915.	[bug]		dig +ndots was broken. [RT #15215]
+
+1914.	[protocol]	DS is required to accept mnemonic algorithms
+			(RFC 4034).  Still emit numeric algorithms for
+			compatibility with RFC 3658. [RT #15354]
+
+1913.	[func]		Integrate contributed DLZ code into named. [RT #11382]
+
+1912.	[port]		aix: atomic locking for powerpc. [RT #15020]
+
+1911.	[bug]		Update windows socket code. [RT #14965]
+
+1910.	[bug]		dig's +sigchase code overhauled. [RT #14933]
+
+1909.	[bug]		The DLV code has been re-worked to make no longer
+			query order sensitive. [RT #14933]
+
+1908.	[func]		dig now warns if 'RA' is not set in the answer when
+			'RD' was set in the query.  host/nslookup skip servers
+			that fail to set 'RA' when 'RD' is set unless a server
+			is explicitly set.  [RT #15005]
+
+1907.	[func]		host/nslookup now continue (default)/fail on SERVFAIL.
+			[RT #15006]
+
+1906.	[func]		dig now has a '-q queryname' and '+showsearch' options.
+			[RT #15034]
+
+1905.	[bug]		Strings returned from cfg_obj_asstring() should be
+			treated as read-only.  The prototype for
+			cfg_obj_asstring() has been updated to reflect this.
+			[RT #15256]
+
+1904.	[func]		Automatic empty zone creation for D.F.IP6.ARPA and
+			friends.  Note: RFC 1918 zones are not yet covered by
+			this but are likely to be in a future release.
+
+			New options: empty-server, empty-contact,
+			empty-zones-enable and disable-empty-zone.
+
+1903.	[func]		ISC string copy API.
+
+1902.	[func]		Attempt to make the amount of work performed in a
+			iteration self tuning.  The covers nodes clean from
+			the cache per iteration, nodes written to disk when
+			rewriting a master file and nodes destroyed per
+			iteration when destroying a zone or a cache.
+			[RT #14996]
+
+1901.	[cleanup]	Don't add DNSKEY records to the additional section.
+
+1900.	[bug]		ixfr-from-differences failed to ensure that the
+			serial number increased. [RT #15036]
+
+1899.	[func]		named-checkconf now validates update-policy entries.
+			[RT #14963]
+
+1898.	[bug]		Extend ISC_SOCKADDR_FORMATSIZE and
+			ISC_NETADDR_FORMATSIZE to allow for scope details.
+
+1897.	[func]		x86 and x86_64 now have separate atomic locking
+			implementations.
+
+1896.	[bug]		Recursive clients soft quota support wasn't working
+			as expected. [RT #15103]
+
+1895.	[bug]		A escaped character is, potentially, converted to
+			the output character set too early. [RT #14666]
+
+1894.	[doc]		Review ARM for BIND 9.4.
+
+1893.	[port]		Use uintptr_t if available. [RT #14606]
+
+1892.	[func]		Support for SPF rdata type. [RT #15033]
+
+1891.	[port]		freebsd: pthread_mutex_init can fail if it runs out
+			of memory. [RT #14995]
+
+1890.	[func]		Raise the UDP receive buffer size to 32k if it is
+			less than 32k. [RT #14953]
+
+1889.	[port]		sunos: non blocking i/o support. [RT #14951]
+
+1888.	[func]		Support for IPSECKEY rdata type. [RT #14967]
+
+1887.	[bug]		The cache could delete expired records too fast for
+			clients with a virtual time in the past. [RT #14991]
+
+1886.	[bug]		fctx_create() could return success even though it
+			failed. [RT #14993]
+
+1885.	[func]		dig: report the number of extra bytes still left in
+			the packet after processing all the records.
+
+1884.	[cleanup]	dighost.c: move external declarations into <dig/dig.h>.
+
+1883.	[bug]		dnssec-signzone, dnssec-keygen: handle negative debug
+			levels. [RT #14962]
+
+1882.	[func]		Limit the number of recursive clients that can be
+			waiting for a single query (<qname,qtype,qclass>) to
+			resolve.  New options clients-per-query and
+			max-clients-per-query.
+
+1881.	[func]		Add a system test for named-checkconf. [RT #14931]
+
+1880.	[func]		The lame cache is now done on a <qname,qclass,qtype>
+			basis as some servers only appear to be lame for
+			certain query types.  [RT #14916]
+
+1879.	[func]		"USE INTERNAL MALLOC" is now runtime selectable.
+			[RT #14892]
+
+1878.	[func]		Detect duplicates of UDP queries we are recursing on
+			and drop them.  New stats category "duplicate".
+			[RT #2471]
+
+1877.	[bug]		Fix unreasonably low quantum on call to
+			dns_rbt_destroy2().  Remove unnecessary unhash_node()
+			call. [RT #14919]
+
+1876.	[func]		Additional memory debugging support to track size
+			and mctx arguments. [RT #14814]
+
+1875.	[bug]		process_dhtkey() was using the wrong memory context
+			to free some memory. [RT #14890]
+
+1874.	[port]		sunos: portability fixes. [RT #14814]
+
+1873.	[port]		win32: isc__errno2result() now reports its caller.
+			[RT #13753]
+
+1872.	[port]		win32: Handle ERROR_NETNAME_DELETED.  [RT #13753]
+
+1871.	[placeholder]
+
+1870.	[func]		Added framework for handling multiple EDNS versions.
+			[RT #14873]
+
+1869.	[func]		dig can now specify the EDNS version when making
+			a query. [RT #14873]
+
+1868.	[func]		edns-udp-size can now be overridden on a per
+			server basis. [RT #14851]
+
+1867.	[bug]		It was possible to trigger a INSIST in
+			dlv_validatezonekey(). [RT #14846]
+
+1866.	[bug]		resolv.conf parse errors were being ignored by
+			dig/host/nslookup. [RT #14841]
+
+1865.	[bug]		Silently ignore nameservers in /etc/resolv.conf with
+			bad addresses. [RT #14841]
+
+1864.	[bug]		Don't try the alternative transfer source if you
+			got a answer / transfer with the main source
+			address. [RT #14802]
+
+1863.	[bug]		rrset-order "fixed" error messages not complete.
+
+1862.	[func]		Add additional zone data constancy checks.
+			named-checkzone has extended checking of NS, MX and
+			SRV record and the hosts they reference.
+			named has extended post zone load checks.
+			New zone options: check-mx and integrity-check.
+			[RT #4940]
+
+1861.	[bug]		dig could trigger a INSIST on certain malformed
+			responses. [RT #14801]
+
+1860.	[port]		solaris 2.8: hack_shutup_pthreadmutexinit was
+			incorrectly set. [RT #14775]
+
+1859.	[func]		Add support for CH A record. [RT #14695]
+
+1858.	[bug]		The flush-zones-on-shutdown option wasn't being
+			parsed. [RT #14686]
+
+1857.	[bug]		named could trigger a INSIST() if reconfigured /
+			reloaded too fast.  [RT #14673]
+
+1856.	[doc]		Switch Docbook toolchain from DSSSL to XSL.
+			[RT #11398]
+
+1855.	[bug]		ixfr-from-differences was failing to detect changes
+			of ttl due to dns_diff_subtract() was ignoring the ttl
+			of records.  [RT #14616]
+
+1854.	[bug]		lwres also needs to know the print format for
+			(long long).  [RT #13754]
+
+1853.	[bug]		Rework how DLV interacts with proveunsecure().
+			[RT #13605]
+
+1852.	[cleanup]	Remove last vestiges of dnssec-signkey and
+			dnssec-makekeyset (removed from Makefile years ago).
+
+1851.	[doc]		Doxygen comment markup. [RT #11398]
+
+1850.	[bug]		Memory leak in lwres_getipnodebyaddr(). [RT #14591]
+
+1849.	[doc]		All forms of the man pages (docbook, man, html) should
+			have consistent copyright dates.
+
+1848.	[bug]		Improve SMF integration. [RT #13238]
+
+1847.	[bug]		isc_ondestroy_init() is called too late in
+			dns_rbtdb_create()/dns_rbtdb64_create().
+			[RT #13661]
+
+1846.	[contrib]	query-loc-0.3.0 from Stephane Bortzmeyer
+			<bortzmeyer@nic.fr>.
+
+1845.	[bug]		Improve error reporting to distinguish between
+			accept()/fcntl() and socket()/fcntl() errors.
+			[RT #13745]
+
+1844.	[bug]		inet_pton() accepted more that 4 hexadecimal digits
+			for each 16 bit piece of the IPv6 address.  The text
+			representation of a IPv6 address has been tightened
+			to disallow this (draft-ietf-ipv6-addr-arch-v4-02.txt).
+			[RT #5662]
+
+1843.	[cleanup]	CINCLUDES takes precedence over CFLAGS.  This helps
+			when CFLAGS contains "-I /usr/local/include"
+			resulting in old header files being used.
+
+1842.	[port]		cmsg_len() could produce incorrect results on
+			some platform. [RT #13744]
+
+1841.	[bug]		"dig +nssearch" now makes a recursive query to
+			find the list of nameservers to query. [RT #13694]
+
+1840.	[func]		dnssec-signzone can now randomize signature end times
+			(dnssec-signzone -j jitter). [RT #13609]
+
+1839.	[bug]		<isc/hash.h> was not being installed.
+
+1838.	[cleanup]	Don't allow Linux capabilities to be inherited.
+			[RT #13707]
+
+1837.	[bug]		Compile time option ISC_FACILITY was not effective
+			for 'named -u <user>'.  [RT #13714]
+
+1836.	[cleanup]	Silence compiler warnings in hash_test.c.
+
+1835.	[bug]		Update dnssec-signzone's usage message. [RT #13657]
+
+1834.	[bug]		Bad memset in rdata_test.c. [RT #13658]
+
+1833.	[bug]		Race condition in isc_mutex_lock_profile(). [RT #13660]
+
+1832.	[bug]		named fails to return BADKEY on unknown TSIG algorithm.
+			[RT #13620]
+
+1831.	[doc]		Update named-checkzone documentation. [RT #13604]
+
+1830.	[bug]		adb lame cache has sense of test reversed. [RT #13600]
+
+1829.	[bug]		win32: "pid-file none;" broken. [RT #13563]
+
+1828.	[bug]		isc_rwlock_init() failed to properly cleanup if it
+			encountered a error. [RT #13549]
+
+1827.	[bug]		host: update usage message for '-a'. [RT #37116]
+
+1826.	[bug]		Missing DESTROYLOCK() in isc_mem_createx() on out
+			of memory error. [RT #13537]
+
+1825.	[bug]		Missing UNLOCK() on out of memory error from in
+			rbtdb.c:subtractrdataset(). [RT #13519]
+
+1824.	[bug]		Memory leak on dns_zone_setdbtype() failure.
+			[RT #13510]
+
+1823.	[bug]		Wrong macro used to check for point to point interface.
+			[RT #13418]
+
+1822.	[bug]		check-names test for RT was reversed. [RT #13382]
+
+1821.	[placeholder]
+
+1820.	[bug]		Gracefully handle acl loops. [RT #13659]
+
+1819.	[bug]		The validator needed to check both the algorithm and
+			digest types of the DS to determine if it could be
+			used to introduce a secure zone. [RT #13593]
+
+1818.	[bug]		'named-checkconf -z' triggered an INSIST. [RT #13599]
+
+1817.	[func]		Add support for additional zone file formats for
+			improving loading performance.  The masterfile-format
+			option in named.conf can be used to specify a
+			non-default format.  A separate command
+			named-compilezone was provided to generate zone files
+			in the new format.  Additionally, the -I and -O options
+			for dnssec-signzone specify the input and output
+			formats.
+
+1816.	[port]		UnixWare: failed to compile lib/isc/unix/net.c.
+			[RT #13597]
+
+1815.	[bug]		nsupdate triggered a REQUIRE if the server was set
+			without also setting the zone and it encountered
+			a CNAME and was using TSIG.  [RT #13086]
+
+1814.	[func]		UNIX domain controls are now supported.
+
+1813.	[func]		Restructured the data locking framework using
+			architecture dependent atomic operations (when
+			available), improving response performance on
+			multi-processor machines significantly.
+			x86, x86_64, alpha, powerpc, and mips are currently
+			supported.
+
+1812.	[port]		win32: IN6_IS_ADDR_UNSPECIFIED macro is incorrect.
+			[RT #13453]
+
+1811.	[func]		Preserve the case of domain names in rdata during
+			zone transfers. [RT #13547]
+
+1810.	[bug]		configure, lib/bind/configure make different default
+			decisions about whether to do a threaded build.
+			[RT #13212]
+
+1809.	[bug]		"make distclean" failed for libbind if the platform
+			is not supported.
+
+1808.	[bug]		zone.c:notify_zone() contained a race condition,
+			zone->db could change underneath it.  [RT #13511]
+
+1807.	[bug]		When forwarding (forward only) set the active domain
+			from the forward zone name. [RT #13526]
+
+1806.	[bug]		The resolver returned the wrong result when a CNAME /
+			DNAME was encountered when fetching glue from a
+			secure namespace. [RT #13501]
+
+1805.	[bug]		Pending status was not being cleared when DLV was
+			active. [RT #13501]
+
+1804.	[bug]		Ensure that if we are queried for glue that it fits
+			in the additional section or TC is set to tell the
+			client to retry using TCP. [RT #10114]
+
+1803.	[bug]		dnssec-signzone sometimes failed to remove old
+			RRSIGs. [RT #13483]
+
+1802.	[bug]		Handle connection resets better. [RT #11280]
+
+1801.	[func]		Report differences between hints and real NS rrset
+			and associated address records.
+
+1800.	[bug]		Changes #1719 allowed a INSIST to be triggered.
+			[RT #13428]
+
+1799.	[bug]		'rndc flushname' failed to flush negative cache
+			entries. [RT #13438]
+
+1798.	[func]		The server syntax has been extended to support a
+			range of servers.  [RT #11132]
+
+1797.	[func]		named-checkconf now check acls to verify that they
+			only refer to existing acls. [RT #13101]
+
+1796.	[func]		"rndc freeze/thaw" now freezes/thaws all zones.
+
+1795.	[bug]		"rndc dumpdb" was not fully documented.  Minor
+			formatting issues with "rndc dumpdb -all".  [RT #13396]
+
+1794.	[func]		Named and named-checkzone can now both check for
+			non-terminal wildcard records.
+
+1793.	[func]		Extend adjusting TTL warning messages. [RT #13378]
+
+1792.	[func]		New zone option "notify-delay".  Specify a minimum
+			delay between sets of NOTIFY messages.
+
+1791.	[bug]		'host -t a' still printed out AAAA and MX records.
+			[RT #13230]
+
+1790.	[cleanup]	Move lib/dns/sec/dst up into lib/dns.  This should
+			allow parallel make to succeed.
+
+1789.	[bug]		Prerequisite test for tkey and dnssec could fail
+			with "configure --with-libtool".
+
+1788.	[bug]		libbind9.la/libbind9.so needs to link against
+			libisccfg.la/libisccfg.so.
+
+1787.	[port]		HPUX: both "cc" and "gcc" need -Wl,+vnocompatwarnings.
+
+1786.	[port]		AIX: libt_api needs to be taught to look for
+			T_testlist in the main executable (--with-libtool).
+			[RT #13239]
+
+1785.	[bug]		libbind9.la/libbind9.so needs to link against
+			libisc.la/libisc.so.
+
+1784.	[cleanup]	"libtool -allow-undefined" is the default.
+			Leave hooks in configure to allow it to be set
+			if needed in the future.
+
+1783.	[cleanup]	We only need one copy of libtool.m4, ltmain.sh in the
+			source tree.
+
+1782.	[port]		OSX: --with-libtool + --enable-libbind broke on
+			__evOptMonoTime.  [RT #13219]
+
+1781.	[port]		FreeBSD 5.3: set PTHREAD_SCOPE_SYSTEM. [RT #12810]
+
+1780.	[bug]		Update libtool to 1.5.10.
+
+1779.	[port]		OSF 5.1: libtool didn't handle -pthread correctly.
+
+1778.	[port]		HUX 11.11: fix broken IN6ADDR_ANY_INIT and
+			IN6ADDR_LOOPBACK_INIT macros.
+
+1777.	[port]		OSF 5.1: fix broken IN6ADDR_ANY_INIT and
+			IN6ADDR_LOOPBACK_INIT macros.
+
+1776.	[port]		Solaris 2.9: fix broken IN6ADDR_ANY_INIT and
+			IN6ADDR_LOOPBACK_INIT macros.
+
+1775.	[bug]		Only compile getnetent_r.c when threaded. [RT #13205]
+
+1774.	[port]		Aix: Silence compiler warnings / build failures.
+			[RT #13154]
+
+1773.	[bug]		Fast retry on host / net unreachable. [RT #13153]
+
+1772.	[placeholder]
+
+1771.	[placeholder]
+
+1770.	[bug]		named-checkconf failed to report missing a missing
+			file clause for rbt{64} master/hint zones. [RT #13009]
+
+1769.	[port]		win32: change compiler flags /MTd ==> /MDd,
+			/MT ==> /MD.
+
+1768.	[bug]		nsecnoexistnodata() could be called with a non-NSEC
+			rdataset. [RT #12907]
+
+1767.	[port]		Builds on IPv6 platforms without IPv6 Advanced API
+			support for (struct in6_pktinfo) failed.  [RT #13077]
+
+1766.	[bug]		Update the master file timestamp on successful refresh
+			as well as the journal's timestamp. [RT #13062]
+
+1765.	[bug]		configure --with-openssl=auto failed. [RT #12937]
+
+1764.	[bug]		dns_zone_replacedb failed to emit a error message
+			if there was no SOA record in the replacement db.
+			[RT #13016]
+
+1763.	[func]		Perform sanity checks on NS records which refer to
+			'in zone' names. [RT #13002]
+
+1762.	[bug]		isc_interfaceiter_create() could return ISC_R_SUCCESS
+			even when it failed. [RT #12995]
+
+1761.	[bug]		'rndc dumpdb' didn't report unassociated entries.
+			[RT #12971]
+
+1760.	[bug]		Host / net unreachable was not penalising rtt
+			estimates. [RT #12970]
+
+1759.	[bug]		Named failed to startup if the OS supported IPv6
+			but had no IPv6 interfaces configured. [RT #12942]
+
+1758.	[func]		Don't send notify messages to self. [RT #12933]
+
+1757.	[func]		host now can turn on memory debugging flags with '-m'.
+
+1756.	[func]		named-checkconf now checks the logging configuration.
+			[RT #12352]
+
+1755.	[func]		allow-update is now settable at the options / view
+			level. [RT #6636]
+
+1754.	[bug]		We weren't always attempting to query the parent
+			server for the DS records at the zone cut.
+			[RT #12774]
+
+1753.	[bug]		Don't serve a slave zone which has no NS records.
+			[RT #12894]
+
+1752.	[port]		Move isc_app_start() to after ns_os_daemonise()
+			as some fork() implementations unblock the signals
+			that are blocked by isc_app_start(). [RT #12810]
+
+1751.	[bug]		--enable-getifaddrs failed under linux. [RT #12867]
+
+1750.	[port]		lib/bind/make/rules.in:subdirs was not bash friendly.
+			[RT #12864]
+
+1749.	[bug]		'check-names response ignore;' failed to ignore.
+			[RT #12866]
+
+1748.	[func]		dig now returns the byte count for axfr/ixfr.
+
+1747.	[bug]		BIND 8 compatibility: named/named-checkconf failed
+			to parse "host-statistics-max" in named.conf.
+
+1746.	[func]		Make public the function to read a key file,
+			dst_key_read_public(). [RT #12450]
+
+1745.	[bug]		Dig/host/nslookup accept replies from link locals
+			regardless of scope if no scope was specified when
+			query was sent. [RT #12745]
+
+1744.	[bug]		If tuple2msgname() failed to convert a tuple to
+			a name a REQUIRE could be triggered. [RT #12796]
+
+1743.	[bug]		If isc_taskmgr_create() was not able to create the
+			requested number of worker threads then destruction
+			of the manager would trigger an INSIST() failure.
+			[RT #12790]
+
+1742.	[bug]		Deleting all records at a node then adding a
+			previously existing record, in a single UPDATE
+			transaction, failed to leave / regenerate the
+			associated RRSIG records. [RT #12788]
+
+1741.	[bug]		Deleting all records at a node in a secure zone
+			using a update-policy grant failed. [RT #12787]
+
+1740.	[bug]		Replace rbt's hash algorithm as it performed badly
+			with certain zones. [RT #12729]
+
+			NOTE: a hash context now needs to be established
+			via isc_hash_create() if the application was not
+			already doing this.
+
+1739.	[bug]		dns_rbt_deletetree() could incorrectly return
+			ISC_R_QUOTA.  [RT #12695]
+
+1738.	[bug]		Enable overrun checking by default. [RT #12695]
+
+1737.	[bug]		named failed if more than 16 masters were specified.
+			[RT #12627]
+
+1736.	[bug]		dst_key_fromnamedfile() could fail to read a
+			public key. [RT #12687]
+
+1735.	[bug]		'dig +sigtrace' could die with a REQUIRE failure.
+			[RE #12688]
+
+1734.	[cleanup]	'rndc-confgen -a -t' remove extra '/' in path.
+			[RT #12588]
+
+1733.	[bug]		Return non-zero exit status on initial load failure.
+			[RT #12658]
+
+1732.	[bug]		'rrset-order name "*"' wasn't being applied to ".".
+			[RT #12467]
+
+1731.	[port]		darwin: relax version test in ifconfig.sh.
+			[RT #12581]
+
+1730.	[port]		Determine the length type used by the socket API.
+			[RT #12581]
+
+1729.	[func]		Improve check-names error messages.
+
+1728.	[doc]		Update check-names documentation.
+
+1727.	[bug]		named-checkzone: check-names support didn't match
+			documentation.
+
+1726.	[port]		aix5: add support for aix5.
+
+1725.	[port]		linux: update error message on interaction of threads,
+			capabilities and setuid support (named -u). [RT #12541]
+
+1724.	[bug]		Look for DNSKEY records with "dig +sigtrace".
+			[RT #12557]
+
+1723.	[cleanup]	Silence compiler warnings from t_tasks.c. [RT #12493]
+
+1722.	[bug]		Don't commit the journal on malformed ixfr streams.
+			[RT #12519]
+
+1721.	[bug]		Error message from the journal processing were not
+			always identifying the relevant journal. [RT #12519]
+
+1720.	[bug]		'dig +chase' did not terminate on a RFC 2308 Type 1
+			negative response. [RT #12506]
+
+1719.	[bug]		named was not correctly caching a RFC 2308 Type 1
+			negative response. [RT #12506]
+
+1718.	[bug]		nsupdate was not handling RFC 2308 Type 3 negative
+			responses when looking for the zone / master server.
+			[RT #12506]
+
+1717.	[port]		solaris: ifconfig.sh did not support Solaris 10.
+			"ifconfig.sh down" didn't work for Solaris 9.
+
+1716.	[doc]		named.conf(5) was being installed in the wrong
+			location.  [RT #12441]
+
+1715.	[func]		'dig +trace' now randomly selects the next servers
+			to try.  Report if there is a bad delegation.
+
+1714.	[bug]		dig/host/nslookup were only trying the first
+			address when a nameserver was specified by name.
+			[RT #12286]
+
+1713.	[port]		linux: extend capset failure message to say:
+			please ensure that the capset kernel module is
+			loaded.  see insmod(8)
+
+1712.	[bug]		Missing FULLCHECK for "trusted-key" in dig.
+
+1711.	[func]		'rndc unfreeze' has been deprecated by 'rndc thaw'.
+
+1710.	[func]		'rndc notify zone [class [view]]' resend the NOTIFY
+			messages for the specified zone. [RT #9479]
+
+1709.	[port]		solaris: add SMF support from Sun.
+
+1708.	[cleanup]	Replaced dns_fullname_hash() with dns_name_fullhash()
+			for conformance to the name space convention.  Binary
+			backward compatibility to the old function name is
+			provided. [RT #12376]
+
+1707.	[contrib]	sdb/ldap updated to version 1.0-beta.
+
+1706.	[bug]		'rndc stop' failed to cause zones to be flushed
+			sometimes. [RT #12328]
+
+1705.	[func]		Allow the journal's name to be changed via named.conf.
+
+1704.	[port]		lwres needed a snprintf() implementation for
+			platforms without snprintf().  Add missing
+			"#include <isc/print.h>". [RT #12321]
+
+1703.	[bug]		named would loop sending NOTIFY messages when it
+			failed to receive a response. [RT #12322]
+
+1702.	[bug]		also-notify should not be applied to built in zones.
+			[RT #12323]
+
+1701.	[doc]		A minimal named.conf man page.
+
+1700.	[func]		nslookup is no longer to be treated as deprecated.
+			Remove "deprecated" warning message.  Add man page.
+
+1699.	[bug]		dnssec-signzone can generate "not exact" errors
+			when resigning. [RT #12281]
+
+1698.	[doc]		Use reserved IPv6 documentation prefix.
+
+1697.	[bug]		xxx-source{,-v6} was not effective when it
+			specified one of listening addresses and a
+			different port than the listening port. [RT #12257]
+
+1696.	[bug]		dnssec-signzone failed to clean out nodes that
+			consisted of only NSEC and RRSIG records.
+			[RT #12154]
+
+1695.	[bug]		DS records when forwarding require special handling.
+			[RT #12133]
+
+1694.	[bug]		Report if the builtin views of "_default" / "_bind"
+			are defined in named.conf. [RT #12023]
+
+1693.	[bug]		max-journal-size was not effective for master zones
+			with ixfr-from-differences set. [RT #12024]
+
+1692.	[bug]		Don't set -I, -L and -R flags when libcrypto is in
+			/usr/lib. [RT #11971]
+
+1691.	[bug]		sdb's attachversion was not complete. [RT #11990]
+
+1690.	[bug]		Delay detaching view from the client until UPDATE
+			processing completes when shutting down. [RT #11714]
+
+1689.	[bug]		DNS_NAME_TOREGION() and DNS_NAME_SPLIT() macros
+			contained gratuitous semicolons. [RT #11707]
+
+1688.	[bug]		LDFLAGS was not supported.
+
+1687.	[bug]		Race condition in dispatch. [RT #10272]
+
+1686.	[bug]		Named sent a extraneous NOTIFY when it received a
+			redundant UPDATE request. [RT #11943]
+
+1685.	[bug]		Change #1679 loop tests weren't quite right.
+
+1684.	[func]		ixfr-from-differences now takes master and slave in
+			addition to yes and no at the options and view levels.
+
+1683.	[bug]		dig +sigchase could leak memory. [RT #11445]
+
+1682.	[port]		Update configure test for (long long) printf format.
+			[RT #5066]
+
+1681.	[bug]		Only set SO_REUSEADDR when a port is specified in
+			isc_socket_bind(). [RT #11742]
+
+1680.	[func]		rndc: the source address can now be specified.
+
+1679.	[bug]		When there was a single nameserver with multiple
+			addresses for a zone not all addresses were tried.
+			[RT #11706]
+
+1678.	[bug]		RRSIG should use TYPEXXXXX for unknown types.
+
+1677.	[bug]		dig: +aaonly didn't work, +aaflag undocumented.
+
+1676.	[func]		New option "allow-query-cache".  This lets
+			allow-query be used to specify the default zone
+			access level rather than having to have every
+			zone override the global value.  allow-query-cache
+			can be set at both the options and view levels.
+			If allow-query-cache is not set allow-query applies.
+
+1675.	[bug]		named would sometimes add extra NSEC records to
+			the authority section.
+
+1674.	[port]		linux: increase buffer size used to scan
+			/proc/net/if_inet6.
+
+1673.	[port]		linux: issue a error messages if IPv6 interface
+			scans fails.
+
+1672.	[cleanup]	Tests which only function in a threaded build
+			now return R:THREADONLY (rather than R:UNTESTED)
+			in a non-threaded build.
+
+1671.	[contrib]	queryperf: add NAPTR to the list of known types.
+
+1670.	[func]		Log UPDATE requests to slave zones without an acl as
+			"disabled" at debug level 3. [RT #11657]
+
+1669.	[placeholder]
+
+1668.	[bug]		DIG_SIGCHASE was making bin/dig/host dump core.
+
+1667.	[port]		linux: not all versions have IF_NAMESIZE.
+
+1666.	[bug]		The optional port on hostnames in dual-stack-servers
+			was being ignored.
+
+1665.	[func]		rndc now allows addresses to be set in the
+			server clauses.
+
+1664.	[bug]		nsupdate needed KEY for SIG(0), not DNSKEY.
+
+1663.	[func]		Look for OpenSSL by default.
+
+1662.	[bug]		Change #1658 failed to change one use of 'type'
+			to 'keytype'.
+
+1661.	[bug]		Restore dns_name_concatenate() call in
+			adb.c:set_target().  [RT #11582]
+
+1660.	[bug]		win32: connection_reset_fix() was being called
+			unconditionally.  [RT #11595]
+
+1659.	[cleanup]	Cleanup some messages that were referring to KEY vs
+			DNSKEY, NXT vs NSEC and SIG vs RRSIG.
+
+1658.	[func]		Update dnssec-keygen to default to KEY for HMAC-MD5
+			and DH.  Tighten which options apply to KEY and
+			DNSKEY records.
+
+1657.	[doc]		ARM: document query log output.
+
+1656.	[doc]		Update DNSSEC description in ARM to cover DS, NSEC
+			DNSKEY and RRSIG.  [RT #11542]
+
+1655.	[bug]		Logging multiple versions w/o a size was broken.
+			[RT #11446]
+
+1654.	[bug]		isc_result_totext() contained array bounds read
+			error.
+
+1653.	[func]		Add key type checking to dst_key_fromfilename(),
+			DST_TYPE_KEY should be used to read TSIG, TKEY and
+			SIG(0) keys.
+
+1652.	[bug]		TKEY still uses KEY.
+
+1651.	[bug]		dig: process multiple dash options.
+
+1650.	[bug]		dig, nslookup: flush standard out after each command.
+
+1649.	[bug]		Silence "unexpected non-minimal diff" message.
+			[RT #11206]
+
+1648.	[func]		Update dnssec-lookaside named.conf syntax to support
+			multiple dnssec-lookaside namespaces (not yet
+			implemented).
+
+1647.	[bug]		It was possible trigger a INSIST when chasing a DS
+			record that required walking back over a empty node.
+			[RT #11445]
+
+1646.	[bug]		win32: logging file versions didn't work with
+			non-UNC filenames.  [RT #11486]
+
+1645.	[bug]		named could trigger a REQUIRE failure if multiple
+			masters with keys are specified.
+
+1644.	[bug]		Update the journal modification time after a
+			successful refresh query. [RT #11436]
+
+1643.	[bug]		dns_db_closeversion() could leak memory / node
+			references. [RT #11163]
+
+1642.	[port]		Support OpenSSL implementations which don't have
+			DSA support. [RT #11360]
+
+1641.	[bug]		Update the check-names description in ARM. [RT #11389]
+
+1640.	[bug]		win32: isc_socket_cancel(ISC_SOCKCANCEL_ACCEPT) was
+			incorrectly closing the socket.  [RT #11291]
+
+1639.	[func]		Initial dlv system test.
+
+1638.	[bug]		"ixfr-from-differences" could generate a REQUIRE
+			failure if the journal open failed. [RT #11347]
+
+1637.	[bug]		Node reference leak on error in addnoqname().
+
+1636.	[bug]		The dump done callback could get ISC_R_SUCCESS even if
+			a error had occurred.  The database version no longer
+			matched the version of the database that was dumped.
+
+1635.	[bug]		Memory leak on error in query_addds().
+
+1634.	[bug]		named didn't supply a useful error message when it
+			detected duplicate views.  [RT #11208]
+
+1633.	[bug]		named should return NOTIMP to update requests to a
+			slaves without a allow-update-forwarding acl specified.
+			[RT #11331]
+
+1632.	[bug]		nsupdate failed to send prerequisite only UPDATE
+			messages. [RT #11288]
+
+1631.	[bug]		dns_journal_compact() could sometimes corrupt the
+			journal. [RT #11124]
+
+1630.	[contrib]	queryperf: add support for IPv6 transport.
+
+1629.	[func]		dig now supports IPv6 scoped addresses with the
+			extended format in the local-server part. [RT #8753]
+
+1628.	[bug]		Typo in Compaq Trucluster support. [RT #11264]
+
+1627.	[bug]		win32: sockets were not being closed when the
+			last external reference was removed. [RT #11179]
+
+1626.	[bug]		--enable-getifaddrs was broken. [RT #11259]
+
+1625.	[bug]		named failed to load/transfer RFC2535 signed zones
+			which contained CNAMES. [RT #11237]
+
+1624.	[bug]		zonemgr_putio() call should be locked. [RT #11163]
+
+1623.	[bug]		A serial number of zero was being displayed in the
+			"sending notifies" log message when also-notify was
+			used. [RT #11177]
+
+1622.	[func]		probe the system to see if IPV6_(RECV)PKTINFO is
+			available, and suppress wildcard binding if not.
+
+1621.	[bug]		match-destinations did not work for IPv6 TCP queries.
+			[RT #11156]
+
+1620.	[func]		When loading a zone report if it is signed. [RT #11149]
+
+1619.	[bug]		Missing ISC_LIST_UNLINK in end_reserved_dispatches().
+			[RT #11118]
+
+1618.	[bug]		Fencepost errors in dns_name_ishostname() and
+			dns_name_ismailbox() could trigger a INSIST().
+
+1617.	[port]		win32: VC++ 6.0 support.
+
+1616.	[compat]	Ensure that named's version is visible in the core
+			dump. [RT #11127]
+
+1615.	[port]		Define ISC_SOCKADDR_LEN_T based on _BSD_SOCKLEN_T_ if
+			it is defined.
+
+1614.	[port]		win32: silence resource limit messages. [RT #11101]
+
+1613.	[bug]		Builds would fail on machines w/o a if_nametoindex().
+			Missing #ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX/#endif.
+			[RT #11119]
+
+1612.	[bug]		check-names at the option/view level could trigger
+			an INSIST. [RT #11116]
+
+1611.	[bug]		solaris: IPv6 interface scanning failed to cope with
+			no active IPv6 interfaces.
+
+1610.	[bug]		On dual stack machines "dig -b" failed to set the
+			address type to be looked up with "@server".
+			[RT #11069]
+
+1609.	[func]		dig now has support to chase DNSSEC signature chains.
+			Requires -DDIG_SIGCHASE=1 to be set in STD_CDEFINES.
+
+			DNSSEC validation code in dig coded by Olivier Courtay
+			(olivier.courtay@irisa.fr) for the IDsA project
+			(http://idsa.irisa.fr).
+
+1608.	[func]		dig and host now accept -4/-6 to select IP transport
+			to use when making queries.
+
+1607.	[bug]		dig, host and nslookup were still using random()
+			to generate query ids. [RT #11013]
+
+1606.	[bug]		DLV insecurity proof was failing.
+
+1605.	[func]		New dns_db_find() option DNS_DBFIND_COVERINGNSEC.
+
+1604.	[bug]		A xfrout_ctx_create() failure would result in
+			xfrout_ctx_destroy() being called with a
+			partially initialized structure.
+
+1603.	[bug]		nsupdate: set interactive based on isatty().
+			[RT #10929]
+
+1602.	[bug]		Logging to a file failed unless a size was specified.
+			[RT #10925]
+
+1601.	[bug]		Silence spurious warning 'both "recursion no;" and
+			"allow-recursion" active' warning from view "_bind".
+			[RT #10920]
+
+1600.	[bug]		Duplicate zone pre-load checks were not case
+			insensitive.
+
+1599.	[bug]		Fix memory leak on error path when checking named.conf.
+
+1598.	[func]		Specify that certain parts of the namespace must
+			be secure (dnssec-must-be-secure).
+
+1597.	[func]		Allow notify-source and query-source to be specified
+			on a per server basis similar to transfer-source.
+			[RT #6496]
+
+1596.	[func]		Accept 'notify-source' style syntax for query-source.
+
+1595.	[func]		New notify type 'master-only'.  Enable notify for
+			master zones only.
+
+1594.	[bug]		'rndc dumpdb' could prevent named from answering
+			queries while the dump was in progress.  [RT #10565]
+
+1593.	[bug]		rndc should return "unknown command" to unknown
+			commands. [RT #10642]
+
+1592.	[bug]		configure_view() could leak a dispatch. [RT #10675]
+
+1591.	[bug]		libbind: updated to BIND 8.4.5.
+
+1590.	[port]		netbsd: update thread support.
+
+1589.	[func]		DNSSEC lookaside validation.
+
+1588.	[bug]		win32: TCP sockets could become blocked. [RT #10115]
+
+1587.	[bug]		dns_message_settsigkey() failed to clear existing key.
+			[RT #10590]
+
+1586.	[func]		"check-names" is now implemented.
+
+1585.	[placeholder]
+
+1584.	[bug]		"make test" failed with a read only source tree.
+			[RT #10461]
+
+1583.	[bug]		Records add via UPDATE failed to get the correct trust
+			level. [RT #10452]
+
+1582.	[bug]		rrset-order failed to work on RRsets with more
+			than 32 elements. [RT #10381]
+
+1581.	[func]		Disable DNSSEC support by default.  To enable
+			DNSSEC specify "dnssec-enable yes;" in named.conf.
+
+1580.	[bug]		Zone destruction on final detach takes a long time.
+			[RT #3746]
+
+1579.	[bug]		Multiple task managers could not be created.
+
+1578.	[bug]		Don't use CLASS E IPv4 addresses when resolving.
+			[RT #10346]
+
+1577.	[bug]		Use isc_uint32_t in ultrasparc optimizer bug
+			workaround code. [RT #10331]
+
+1576.	[bug]		Race condition in dns_dispatch_addresponse().
+			[RT #10272]
+
+1575.	[func]		Log TSIG name on TSIG verify failure. [RT #4404]
+
+1574.	[bug]		Don't attempt to open the controls socket(s) when
+			running tests. [RT #9091]
+
+1573.	[port]		linux: update to libtool 1.5.2 so that
+			"make install DESTDIR=/xx" works with
+			"configure --with-libtool".  [RT #9941]
+
+1572.	[bug]		nsupdate: sign the soa query to find the enclosing
+			zone if the server is specified. [RT #10148]
+
+1571.	[bug]		rbt:hash_node() could fail leaving the hash table
+			in an inconsistent state.  [RT #10208]
+
+1570.	[bug]		nsupdate failed to handle classes other than IN.
+			New keyword 'class' which sets the default class.
+			[RT #10202]
+
+1569.	[func]		nsupdate new command 'answer' which displays the
+			complete answer message to the last update.
+
+1568.	[bug]		nsupdate now reports that the update failed in
+			interactive mode. [RT #10236]
+
+1567.	[maint]		B.ROOT-SERVERS.NET is now 192.228.79.201.
+
+1566.	[port]		Support for the cmsg framework on Solaris and HP/UX.
+			This also solved the problem that match-destinations
+			for IPv6 addresses did not work on these systems.
+			[RT #10221]
+
+1565.	[bug]		CD flag should be copied to outgoing queries unless
+			the query is under a secure entry point in which case
+			CD should be set.
+
+1564.	[func]		Attempt to provide a fallback entropy source to be
+			used if named is running chrooted and named is unable
+			to open entropy source within the chroot area.
+			[RT #10133]
+
+1563.	[bug]		Gracefully fail when unable to obtain neither an IPv4
+			nor an IPv6 dispatch. [RT #10230]
+
+1562.	[bug]		isc_socket_create() and isc_socket_accept() could
+			leak memory under error conditions. [RT #10230]
+
+1561.	[bug]		It was possible to release the same name twice if
+			named ran out of memory. [RT #10197]
+
+1560.	[port]		FreeBSD: work around FreeBSD 5.2 mapping EAI_NODATA
+			and EAI_NONAME to the same value.
+
+1559.	[port]		named should ignore SIGFSZ.
+
+1558.	[func]		New DNSSEC 'disable-algorithms'.  Support entry into
+			child zones for which we don't have a supported
+			algorithm.  Such child zones are treated as unsigned.
+
+1557.	[func]		Implement missing DNSSEC tests for
+			* NOQNAME proof with wildcard answers.
+			* NOWILDARD proof with NXDOMAIN.
+			Cache and return NOQNAME with wildcard answers.
+
+1556.	[bug]		nsupdate now treats all names as fully qualified.
+			[RT #6427]
+
+1555.	[func]		'rrset-order cyclic' no longer has a random starting
+			point per query. [RT #7572]
+
+1554.	[bug]		dig, host, nslookup failed when no nameservers
+			were specified in /etc/resolv.conf. [RT #8232]
+
+1553.	[bug]		The windows socket code could stop accepting
+			connections. [RT #10115]
+
+1552.	[bug]		Accept NOTIFY requests from mapped masters if
+			matched-mapped is set. [RT #10049]
+
+1551.	[port]		Open "/dev/null" before calling chroot().
+
+1550.	[port]		Call tzset(), if available, before calling chroot().
+
+1549.	[func]		named-checkzone can now write out the zone contents
+			in a easily parsable format (-D and -o).
+
+1548.	[bug]		When parsing APL records it was possible to silently
+			accept out of range ADDRESSFAMILY values. [RT #9979]
+
+1547.	[bug]		Named wasted memory recording duplicate lame zone
+			entries. [RT #9341]
+
+1546.	[bug]		We were rejecting valid secure CNAME to negative
+			answers.
+
+1545.	[bug]		It was possible to leak memory if named was unable to
+			bind to the specified transfer source and TSIG was
+			being used. [RT #10120]
+
+1544.	[bug]		Named would logged a single entry to a file despite it
+			being over the specified size limit.
+
+1543.	[bug]		Logging using "versions unlimited" did not work.
+
+1542.	[placeholder]
+
+1541.	[func]		NSEC now uses new bitmap format.
+
+1540.	[bug]		"rndc reload <dynamiczone>" was silently accepted.
+			[RT #8934]
+
+1539.	[bug]		Open UDP sockets for notify-source and transfer-source
+			that use reserved ports at startup. [RT #9475]
+
+1538.	[placeholder]	rt9997
+
+1537.	[func]		New option "querylog".  If set specify whether query
+			logging is to be enabled or disabled at startup.
+
+1536.	[bug]		Windows socket code failed to log a error description
+			when returning ISC_R_UNEXPECTED. [RT #9998]
+
+1535.	[placeholder]
+
+1534.	[bug]		Race condition when priming cache. [RT #9940]
+
+1533.	[func]		Warn if both "recursion no;" and "allow-recursion"
+			are active. [RT #4389]
+
+1532.	[port]		netbsd: the configure test for <sys/sysctl.h>
+			requires <sys/param.h>.
+
+1531.	[port]		AIX more libtool fixes.
+
+1530.	[bug]		It was possible to trigger a INSIST() failure if a
+			slave master file was removed at just the correct
+			moment. [RT #9462]
+
+1529.	[bug]		"notify explicit;" failed to log that NOTIFY messages
+			were being sent for the zone. [RT #9442]
+
+1528.	[cleanup]	Simplify some dns_name_ functions based on the
+			deprecation of bitstring labels.
+
+1527.	[cleanup]	Reduce the number of gettimeofday() calls without
+			losing necessary timer granularity.
+
+1526.	[func]		Implemented "additional section caching (or acache)",
+			an internal cache framework for additional section
+			content to improve response performance.  Several
+			configuration options were provided to control the
+			behavior.
+
+1525.	[bug]		dns_cache_create() could trigger a REQUIRE
+			failure in isc_mem_put() during error cleanup.
+			[RT #9360]
+
+1524.	[port]		AIX needs to be able to resolve all symbols when
+			creating shared libraries (--with-libtool).
+
+1523.	[bug]		Fix race condition in rbtdb. [RT #9189]
+
+1522.	[bug]		dns_db_findnode() relax the requirements on 'name'.
+			[RT #9286]
+
+1521.	[bug]		dns_view_createresolver() failed to check the
+			result from isc_mem_create(). [RT #9294]
+
+1520.	[protocol]	Add SSHFP (SSH Finger Print) type.
+
+1519.	[bug]		dnssec-signzone:nsec_setbit() computed the wrong
+			length of the new bitmap.
+
+1518.	[bug]		dns_nsec_buildrdata(), and hence dns_nsec_build(),
+			contained a off-by-one error when working out the
+			number of octets in the bitmap.
+
+1517.	[port]		Support for IPv6 interface scanning on HP/UX and
+			TrueUNIX 5.1.
+
+1516.	[func]		Roll the DNSSEC types to RRSIG, NSEC and DNSKEY.
+
+1515.	[func]		Allow transfer source to be set in a server statement.
+			[RT #6496]
+
+1514.	[bug]		named: isc_hash_destroy() was being called too early.
+			[RT #9160]
+
+1513.	[doc]		Add "US" to root-delegation-only exclude list.
+
+1512.	[bug]		Extend the delegation-only logging to return query
+			type, class and responding nameserver.
+
+1511.	[bug]		delegation-only was generating false positives
+			on negative answers from sub-zones.
+
+1510.	[func]		New view option "root-delegation-only".  Apply
+			delegation-only check to all TLDs and root.
+			Note there are some TLDs that are NOT delegation
+			only (e.g. DE, LV, US and MUSEUM) these can be excluded
+			from the checks by using exclude.
+
+			root-delegation-only exclude {
+				"DE"; "LV"; "US"; "MUSEUM";
+			};
+
+1509.	[bug]		Hint zones should accept delegation-only.  Forward
+			zone should not accept delegation-only.
+
+1508.	[bug]		Don't apply delegation-only checks to answers from
+			forwarders.
+
+1507.	[bug]		Handle BIND 8 style returns to NS queries to parents
+			when making delegation-only checks.
+
+1506.	[bug]		Wrong return type for dns_view_isdelegationonly().
+
+1505.	[bug]		Uninitialized rdataset in sdb. [RT #8750]
+
+1504.	[func]		New zone type "delegation-only".
+
+1503.	[port]		win32: install libeay32.dll outside of system32.
+
+1502.	[bug]		nsupdate: adjust timeouts for UPDATE requests over TCP.
+
+1501.	[func]		Allow TCP queue length to be specified via
+			named.conf, tcp-listen-queue.
+
+1500.	[bug]		host failed to lookup MX records.  Also look up
+			AAAA records.
+
+1499.	[bug]		isc_random need to be seeded better if arc4random()
+			is not used.
+
+1498.	[port]		bsdos: 5.x support.
+
+1497.	[placeholder]
+
+1496.	[port]		test for pthread_attr_setstacksize().
+
+1495.	[cleanup]	Replace hash functions with universal hash.
+
+1494.	[security]	Turn on RSA BLINDING as a precaution.
+
+1493.	[placeholder]
+
+1492.	[cleanup]	Preserve rwlock quota context when upgrading /
+			downgrading. [RT #5599]
+
+1491.	[bug]		dns_master_dump*() would produce extraneous $ORIGIN
+			lines. [RT #6206]
+
+1490.	[bug]		Accept reading state as well as working state in
+			ns_client_next(). [RT #6813]
+
+1489.	[compat]	Treat 'allow-update' on slave zones as a warning.
+			[RT #3469]
+
+1488.	[bug]		Don't override trust levels for glue addresses.
+			[RT #5764]
+
+1487.	[bug]		A REQUIRE() failure could be triggered if a zone was
+			queued for transfer and the zone was then removed.
+			[RT #6189]
+
+1486.	[bug]		isc_print_snprintf() '%%' consumed one too many format
+			characters. [RT #8230]
+
+1485.	[bug]		gen failed to handle high type values. [RT #6225]
+
+1484.	[bug]		The number of records reported after a AXFR was wrong.
+			[RT #6229]
+
+1483.	[bug]		dig axfr failed if the message id in the answer failed
+			to match that in the request.  Only the id in the first
+			message is required to match. [RT #8138]
+
+1482.	[bug]		named could fail to start if the kernel supports
+			IPv6 but no interfaces are configured.  Similarly
+			for IPv4. [RT #6229]
+
+1481.	[bug]		Refresh and stub queries failed to use masters keys
+			if specified. [RT #7391]
+
+1480.	[bug]		Provide replay protection for rndc commands.  Full
+			replay protection requires both rndc and named to
+			be updated.  Partial replay protection (limited
+			exposure after restart) is provided if just named
+			is updated.
+
+1479.	[bug]		cfg_create_tuple() failed to handle out of
+			memory cleanup.  parse_list() would leak memory
+			on syntax errors.
+
+1478.	[port]		ifconfig.sh didn't account for other virtual
+			interfaces.  It now takes a optional argument
+			to specify the first interface number. [RT #3907]
+
+1477.	[bug]		memory leak using stub zones and TSIG.
+
+1476.	[placeholder]
+
+1475.	[port]		Probe for old sprintf().
+
+1474.	[port]		Provide strtoul() and memmove() for platforms
+			without them.
+
+1473.	[bug]		create_map() and create_string() failed to handle out
+			of memory cleanup.  [RT #6813]
+
+1472.	[contrib]	idnkit-1.0 from JPNIC, replaces mdnkit.
+
+1471.	[bug]		libbind: updated to BIND 8.4.0.
+
+1470.	[bug]		Incorrect length passed to snprintf. [RT #5966]
+
+1469.	[func]		Log end of outgoing zone transfer at same level
+			as the start of transfer is logged. [RT #4441]
+
+1468.	[func]		Internal zones are no longer counted for
+			'rndc status'.  [RT #4706]
+
+1467.	[func]		$GENERATES now supports optional class and ttl.
+
+1466.	[bug]		lwresd configuration errors resulted in memory
+			and lock leaks.  [RT #5228]
+
+1465.	[bug]		isc_base64_decodestring() and isc_base64_tobuffer()
+			failed to check that trailing bits were zero allowing
+			some invalid base64 strings to be accepted.  [RT #5397]
+
+1464.	[bug]		Preserve "out of zone" data for outgoing zone
+			transfers. [RT #5192]
+
+1463.	[bug]		dns_rdata_from{wire,struct}() failed to catch bad
+			NXT bit maps. [RT #5577]
+
+1462.	[bug]		parse_sizeval() failed to check the token type.
+			[RT #5586]
+
+1461.	[bug]		Remove deadlock from rbtdb code. [RT #5599]
+
+1460.	[bug]		inet_pton() failed to reject certain malformed
+			IPv6 literals.
+
+1459.	[placeholder]
+
+1458.	[cleanup]	sprintf() -> snprintf().
+
+1457.	[port]		Provide strlcat() and strlcpy() for platforms without
+			them.
+
+1456.	[contrib]	gen-data-queryperf.py from Stephane Bortzmeyer.
+
+1455.	[bug]		<netaddr> missing from server grammar in
+			doc/misc/options. [RT #5616]
+
+1454.	[port]		Use getifaddrs() if available for interface scanning.
+			--disable-getifaddrs to override.  Glibc currently
+			has a getifaddrs() that does not support IPv6.
+			Use --enable-getifaddrs=glibc to force the use of
+			this version under linux machines.
+
+1453.	[doc]		ARM: $GENERATE example wasn't accurate. [RT #5298]
+
+1452.	[placeholder]
+
+1451.	[bug]		rndc-confgen didn't exit with a error code for all
+			failures. [RT #5209]
+
+1450.	[bug]		Fetching expired glue failed under certain
+			circumstances.  [RT #5124]
+
+1449.	[bug]		query_addbestns() didn't handle running out of memory
+			gracefully.
+
+1448.	[bug]		Handle empty wildcards labels.
+
+1447.	[bug]		We were casting (unsigned int) to and from (void *).
+			rdataset->private4 is now rdataset->privateuint4
+			to reflect a type change.
+
+1446.	[func]		Implemented undocumented alternate transfer sources
+			from BIND 8.  See use-alt-transfer-source,
+			alt-transfer-source and alt-transfer-source-v6.
+
+			SECURITY: use-alt-transfer-source is ENABLED unless
+			you are using views.  This may cause a security risk
+			resulting in accidental disclosure of wrong zone
+			content if the master supplying different source
+			content based on IP address.  If you are not certain
+			ISC recommends setting use-alt-transfer-source no;
+
+1445.	[bug]		DNS_ADBFIND_STARTATROOT broke stub zones.  This has
+			been replaced with DNS_ADBFIND_STARTATZONE which
+			causes the search to start using the closest zone.
+
+1444.	[func]		dns_view_findzonecut2() allows you to specify if the
+			cache should be searched for zone cuts.
+
+1443.	[func]		Masters lists can now be specified and referenced
+			in zone masters clauses and other masters lists.
+
+1442.	[func]		New functions for manipulating port lists:
+			dns_portlist_create(), dns_portlist_add(),
+			dns_portlist_remove(), dns_portlist_match(),
+			dns_portlist_attach() and dns_portlist_detach().
+
+1441.	[func]		It is now possible to tell dig to bind to a specific
+			source port.
+
+1440.	[func]		It is now possible to tell named to avoid using
+			certain source ports (avoid-v4-udp-ports,
+			avoid-v6-udp-ports).
+
+1439.	[bug]		Named could return NOERROR with certain NOTIFY
+			failures.  Return NOTAUTH if the NOTIFY zone is
+			not being served.
+
+1438.	[func]		Log TSIG (if any) when logging NOTIFY requests.
+
+1437.	[bug]		Leave space for stdio to work in. [RT #5033]
+
+1436.	[func]		dns_zonemgr_resumexfrs() can be used to restart
+			stalled transfers.
+
+1435.	[bug]		zmgr_resume_xfrs() was being called read locked
+			rather than write locked.  zmgr_resume_xfrs()
+			was not being called if the zone was being
+			shutdown.
+
+1434.	[bug]		"rndc reconfig" failed to initiate the initial
+			zone transfer of new slave zones.
+
+1433.	[bug]		named could trigger a REQUIRE failure if it could
+			not get a file descriptor when attempting to write
+			a master file. [RT #4347]
+
+1432.	[func]		The advertised EDNS UDP buffer size can now be set
+			via named.conf (edns-udp-size).
+
+1431.	[bug]		isc_print_snprintf() "%s" with precision could walk off
+			end of argument. [RT #5191]
+
+1430.	[port]		linux: IPv6 interface scanning support.
+
+1429.	[bug]		Prevent the cache getting locked to old servers.
+
+1428.	[placeholder]
+
+1427.	[bug]		Race condition in adb with threaded build.
+
+1426.	[placeholder]
+
+1425.	[port]		linux/libbind: define __USE_MISC when testing *_r()
+			function prototypes in netdb.h.  [RT #4921]
+
+1424.	[bug]		EDNS version not being correctly printed.
+
+1423.	[contrib]	queryperf: added A6 and SRV.
+
+1422.	[func]		Log name/type/class when denying a query.  [RT #4663]
+
+1421.	[func]		Differentiate updates that don't succeed due to
+			prerequisites (unsuccessful) vs other reasons
+			(failed).
+
+1420.	[port]		solaris: work around gcc optimizer bug.
+
+1419.	[port]		openbsd: use /dev/arandom. [RT #4950]
+
+1418.	[bug]		'rndc reconfig' did not cause new slaves to load.
+
+1417.	[func]		ID.SERVER/CHAOS is now a built in zone.
+			See "server-id" for how to configure.
+
+1416.	[bug]		Empty node should return NOERROR NODATA, not NXDOMAIN.
+			[RT #4715]
+
+1415.	[func]		DS TTL now derived from NS ttl.  NXT TTL now derived
+			from SOA MINIMUM.
+
+1414.	[func]		Support for KSK flag.
+
+1413.	[func]		Explicitly request the (re-)generation of DS records
+			from keysets (dnssec-signzone -g).
+
+1412.	[func]		You can now specify servers to be tried if a nameserver
+			has IPv6 address and you only support IPv4 or the
+			reverse. See dual-stack-servers.
+
+1411.	[bug]		empty nodes should stop wildcard matches. [RT #4802]
+
+1410.	[func]		Handle records that live in the parent zone, e.g. DS.
+
+1409.	[bug]		DS should have attribute DNS_RDATATYPEATTR_DNSSEC.
+
+1408.	[bug]		"make distclean" was not complete. [RT #4700]
+
+1407.	[bug]		lfsr incorrectly implements the shift register.
+			[RT #4617]
+
+1406.	[bug]		dispatch initializes one of the LFSR's with a incorrect
+			polynomial.  [RT #4617]
+
+1405.	[func]		Use arc4random() if available.
+
+1404.	[bug]		libbind: ns_name_ntol() could overwrite a zero length
+			buffer.
+
+1403.	[func]		dnssec-signzone, dnssec-keygen, dnssec-makekeyset
+			dnssec-signkey now report their version in the
+			usage message.
+
+1402.	[cleanup]	A6 has been moved to experimental and is no longer
+			fully supported.
+
+1401.	[bug]		adb wasn't clearing state when the timer expired.
+
+1400.	[bug]		Block the addition of wildcard NS records by IXFR
+			or UPDATE. [RT #3502]
+
+1399.	[bug]		Use serial number arithmetic when testing SIG
+			timestamps. [RT #4268]
+
+1398.	[doc]		ARM: notify-also should have been also-notify.
+			[RT #4345]
+
+1397.	[maint]		J.ROOT-SERVERS.NET is now 192.58.128.30.
+
+1396.	[func]		dnssec-signzone: adjust the default signing time by
+			1 hour to allow for clock skew.
+
+1395.	[port]		OpenSSL 0.9.7 defines CRYPTO_LOCK_ENGINE but doesn't
+			have a working implementation.  [RT #4079]
+
+1394.	[func]		It is now possible to check if a particular element is
+			in a acl.  Remove duplicate entries from the localnets
+			acl.
+
+1393.	[port]		Bind to individual IPv6 interfaces if IPV6_IPV6ONLY
+			is not available in the kernel to prevent accidentally
+			listening on IPv4 interfaces.
+
+1392.	[bug]		named-checkzone: update usage.
+
+1391.	[func]		Add support for IPv6 scoped addresses in named.
+
+1390.	[func]		host now supports ixfr.
+
+1389.	[bug]		named could fail to rotate long log files.  [RT #3666]
+
+1388.	[port]		irix: check for sys/sysctl.h and NET_RT_IFLIST before
+			defining HAVE_IFLIST_SYSCTL. [RT #3770]
+
+1387.	[bug]		named could crash due to an access to invalid memory
+			space (which caused an assertion failure) in
+			incremental cleaning.  [RT #3588]
+
+1386.	[bug]		named-checkzone -z stopped on errors in a zone.
+			[RT #3653]
+
+1385.	[bug]		Setting serial-query-rate to 10 would trigger a
+			REQUIRE failure.
+
+1384.	[bug]		host was incompatible with BIND 8 in its exit code and
+			in the output with the -l option.  [RT #3536]
+
+1383.	[func]		Track the serial number in a IXFR response and log if
+			a mismatch occurs.  This is a more specific error than
+			"not exact". [RT #3445]
+
+1382.	[bug]		make install failed with --enable-libbind. [RT #3656]
+
+1381.	[bug]		named failed to correctly process answers that
+			contained DNAME records where the resulting CNAME
+			resulted in a negative answer.
+
+1380.	[func]		'rndc recursing' dump recursing queries to
+			'recursing-file = "named.recursing";'.
+
+1379.	[func]		'rndc status' now reports tcp and recursion quota
+			states.
+
+1378.	[func]		Improved positive feedback for 'rndc {reload|refresh}.
+
+1377.	[func]		dns_zone_load{new}() now reports if the zone was
+			loaded, queued for loading to up to date.
+
+1376.	[func]		New function dns_zone_logc() to log to specified
+			category.
+
+1375.	[func]		'rndc dumpdb' now dumps the adb cache along with the
+			data cache.
+
+1374.	[func]		dns_adb_dump() now logs the lame zones associated
+			with each server.
+
+1373.	[bug]		Recovery from expired glue failed under certain
+			circumstances.
+
+1372.	[bug]		named crashes with an assertion failure on exit when
+			sharing the same port for listening and querying, and
+			changing listening addresses several times. [RT #3509]
+
+1371.	[bug]		notify-source-v6, transfer-source-v6 and
+			query-source-v6 with explicit addresses and using the
+			same ports as named was listening on could interfere
+			with named's ability to answer queries sent to those
+			addresses.
+
+1370.	[bug]		dig '+[no]recurse' was incorrectly documented.
+
+1369.	[bug]		Adding an NS record as the lexicographically last
+			record in a secure zone didn't work.
+
+1368.	[func]		remove support for bitstring labels.
+
+1367.	[func]		Use response times to select forwarders.
+
+1366.	[contrib]	queryperf usage was incomplete.  Add '-h' for help.
+
+1365.	[func]		"localhost" and "localnets" acls now include IPv6
+			addresses / prefixes.
+
+1364.	[func]		Log file name when unable to open memory statistics
+			and dump database files. [RT #3437]
+
+1363.	[func]		Listen-on-v6 now supports specific addresses.
+
+1362.	[bug]		remove IFF_RUNNING test when scanning interfaces.
+
+1361.	[func]		log the reason for rejecting a server when resolving
+			queries.
+
+1360.	[bug]		--enable-libbind would fail when not built in the
+			source tree for certain OS's.
+
+1359.	[security]	Support patches OpenSSL libraries.
+			http://www.cert.org/advisories/CA-2002-23.html
+
+1358.	[bug]		It was possible to trigger a INSIST when debugging
+			large dynamic updates. [RT #3390]
+
+1357.	[bug]		nsupdate was extremely wasteful of memory.
+
+1356.	[tuning]	Reduce the number of events / quantum for zone tasks.
+
+1355.	[bug]		Fix DNSSEC wildcard proof for CNAME/DNAME.
+
+1354.	[doc]		lwres man pages had illegal nroff.
+
+1353.	[contrib]	sdb/ldap to version 0.9.
+
+1352.	[bug]		dig, host, nslookup when falling back to TCP use the
+			current search entry (if any). [RT #3374]
+
+1351.	[bug]		lwres_getipnodebyname() returned the wrong name
+			when given a IPv4 literal, af=AF_INET6 and AI_MAPPED
+			was set.
+
+1350.	[bug]		dns_name_fromtext() failed to handle too many labels
+			gracefully.
+
+1349.	[security]	Minimum OpenSSL version now 0.9.6e (was 0.9.5a).
+			http://www.cert.org/advisories/CA-2002-23.html
+
+1348.	[port]		win32: Rewrote code to use I/O Completion Ports
+			in socket.c and eliminating a host of socket
+			errors. Performance is enhanced.
+
+1347.	[placeholder]
+
+1346.	[placeholder]
+
+1345.	[port]		Use a explicit -Wformat with gcc.  Not all versions
+			include it in -Wall.
+
+1344.	[func]		Log if the serial number on the master has gone
+			backwards.
+			If you have multiple machines specified in the masters
+			clause you may want to set 'multi-master yes;' to
+			suppress this warning.
+
+1343.	[func]		Log successful notifies received (info).  Adjust log
+			level for failed notifies to notice.
+
+1342.	[func]		Log remote address with TCP dispatch failures.
+
+1341.	[func]		Allow a rate limiter to be stalled.
+
+1340.	[bug]		Delay and spread out the startup refresh load.
+
+1339.	[func]		dig, host and nslookup now use IP6.ARPA for nibble
+			lookups.  Bit string lookups are no longer attempted.
+
+1338.	[placeholder]
+
+1337.	[placeholder]
+
+1336.	[func]		Nibble lookups under IP6.ARPA are now supported by
+			dns_byaddr_create().  dns_byaddr_createptrname() is
+			deprecated, use dns_byaddr_createptrname2() instead.
+
+1335.	[bug]		When performing a nonexistence proof, the validator
+			should discard parent NXTs from higher in the DNS.
+
+1334.	[bug]		When signing/verifying rdatasets, duplicate rdatas
+			need to be suppressed.
+
+1333.	[contrib]	queryperf now reports a summary of returned
+			rcodes (-c), rcodes are printed in mnemonic form (-v).
+
+1332.	[func]		Report the current serial with periodic commits when
+			rolling forward the journal.
+
+1331.	[func]		Generate DNSSEC wildcard proofs.
+
+1330.	[bug]		When processing events (non-threaded) only allow
+			the task one chance to use to use its quantum.
+
+1329.	[func]		named-checkzone will now check if nameservers that
+			appear to be IP addresses.  Available modes "fail",
+			"warn" (default) and "ignore" the results of the
+			check.
+
+1328.	[bug]		The validator could incorrectly verify an invalid
+			negative proof.
+
+1327.	[bug]		The validator would incorrectly mark data as insecure
+			when seeing a bogus signature before a correct
+			signature.
+
+1326.	[bug]		DNAME/CNAME signatures were not being cached when
+			validation was not being performed. [RT #3284]
+
+1325.	[bug]		If the tcpquota was exhausted it was possible to
+			to trigger a INSIST() failure.
+
+1324.	[port]		darwin: ifconfig.sh now supports darwin.
+
+1323.	[port]		linux: Slackware 4.0 needs <asm/unistd.h>. [RT #3205]
+
+1322.	[bug]		dnssec-signzone usage message was misleading.
+
+1321.	[bug]		If the last RRset in a zone is glue, dnssec-signzone
+			would incorrectly duplicate its output and sign it.
+
+1320.	[doc]		query-source-v6 was missing from options section.
+			[RT #3218]
+
+1319.	[func]		libbind: log attempts to exploit #1318.
+
+1318.	[bug]		libbind: Remote buffer overrun.
+
+1317.	[port]		libbind: TrueUNIX 5.1 does not like __align as a
+			element name.
+
+1316.	[bug]		libbind: gethostans() could get out of sync parsing
+			the response if there was a very long CNAME chain.
+
+1315.	[bug]		Options should apply to the internal _bind view.
+
+1314.	[port]		Handle ECONNRESET from sendmsg() [unix].
+
+1313.	[func]		Query log now says if the query was signed (S) or
+			if EDNS was used (E).
+
+1312.	[func]		Log TSIG key used w/ outgoing zone transfers.
+
+1311.	[bug]		lwres_getrrsetbyname leaked memory.  [RT #3159]
+
+1310.	[bug]		'rndc stop' failed to cause zones to be flushed
+			sometimes. [RT #3157]
+
+1309.	[func]		Log that a zone transfer was covered by a TSIG.
+
+1308.	[func]		DS (delegation signer) support.
+
+1307.	[bug]		nsupdate: allow white space base64 key data.
+
+1306.	[bug]		Badly encoded LOC record when the size, horizontal
+			precision or vertical precision was 0.1m.
+
+1305.	[bug]		Document that internal zones are included in the
+			rndc status results.
+
+1304.	[func]		New function: dns_zone_name().
+
+1303.	[func]		Option 'flush-zones-on-shutdown <boolean>;'.
+
+1302.	[func]		Extended rndc dumpdb to support dumping of zones and
+			view selection: 'dumpdb [-all|-zones|-cache] [view]'.
+
+1301.	[func]		New category 'update-security'.
+
+1300.	[port]		Compaq Trucluster support.
+
+1299.	[bug]		Set AI_ADDRCONFIG when looking up addresses
+			via getaddrinfo() (affects dig, host, nslookup, rndc
+			and nsupdate).
+
+1298.	[bug]		The CINCLUDES macro in lib/dns/sec/dst/Makefile
+			could be left with a trailing "\" after configure
+			has been run.
+
+1297.	[port]		linux: make handling EINVAL from socket() no longer
+			conditional on #ifdef LINUX.
+
+1296.	[bug]		isc_log_closefilelogs() needed to lock the log
+			context.
+
+1295.	[bug]		isc_log_setdebuglevel() needed to lock the log
+			context.
+
+1294.	[func]		libbind: no longer attempts bit string labels for
+			IPv6 reverse resolution.  Try IP6.ARPA then IP6.INT
+			for nibble style resolution.
+
+1293.	[func]		Entropy can now be retrieved from EGDs. [RT #2438]
+
+1292.	[func]		Enable IPv6 support when using ioctl style interface
+			scanning and OS supports SIOCGLIFADDR using struct
+			if_laddrreq.
+
+1291.	[func]		Enable IPv6 support when using sysctl style interface
+			scanning.
+
+1290.	[func]		"dig axfr" now reports the number of messages
+			as well as the number of records.
+
+1289.	[port]		See if -ldl is required for OpenSSL? [RT #2672]
+
+1288.	[bug]		Adjusted REQUIRE's in lib/dns/name.c to better
+			reflect written requirements.
+
+1287.	[bug]		REQUIRE that DNS_DBADD_MERGE only be set when adding
+			a rdataset to a zone db in the rbtdb implementation of
+			addrdataset.
+
+1286.	[bug]		dns_name_downcase() enforce requirement that
+			target != NULL or name->buffer != NULL.
+
+1285.	[func]		lwres: probe the system to see what address families
+			are currently in use.
+
+1284.	[bug]		The RTT estimate on unused servers was not aged.
+			[RT #2569]
+
+1283.	[func]		Use "dataready" accept filter if available.
+
+1282.	[port]		libbind: hpux 11.11 interface scanning.
+
+1281.	[func]		Log zone when unable to get private keys to update
+			zone.  Log zone when NXT records are missing from
+			secure zone.
+
+1280.	[bug]		libbind: escape '(' and ')' when converting to
+			presentation form.
+
+1279.	[port]		Darwin uses (unsigned long) for size_t. [RT #2590]
+
+1278.	[func]		dig: now supports +[no]cl +[no]ttlid.
+
+1277.	[func]		You can now create your own customized printing
+			styles: dns_master_stylecreate() and
+			dns_master_styledestroy().
+
+1276.	[bug]		libbind: const pointer conflicts in res_debug.c.
+
+1275.	[port]		libbind: hpux: treat all hpux systems as BIG_ENDIAN.
+
+1274.	[bug]		Memory leak in lwres_gnbarequest_parse().
+
+1273.	[port]		libbind: solaris: 64 bit binary compatibility.
+
+1272.	[contrib]	Berkeley DB 4.0 sdb implementation from
+			Nuno Miguel Rodrigues <nmr@co.sapo.pt>.
+
+1271.	[bug]		"recursion available: {denied,approved}" was too
+			confusing.
+
+1270.	[bug]		Check that system inet_pton() and inet_ntop() support
+			AF_INET6.
+
+1269.	[port]		Openserver: ifconfig.sh support.
+
+1268.	[port]		Openserver: the value FD_SETSIZE depends on whether
+			<sys/param.h> is included or not.  Be consistent.
+
+1267.	[func]		isc_file_openunique() now creates file using mode
+			0666 rather than 0600.
+
+1266.	[bug]		ISC_LINK_INIT, ISC_LINK_UNLINK, ISC_LIST_DEQUEUE,
+			__ISC_LINK_UNLINKUNSAFE and __ISC_LIST_DEQUEUEUNSAFE
+			are not C++ compatible, use *_TYPE versions instead.
+
+1265.	[bug]		libbind: LINK_INIT and UNLINK were not compatible with
+			C++, use LINK_INIT_TYPE and UNLINK_TYPE instead.
+
+1264.	[placeholder]
+
+1263.	[bug]		Reference after free error if dns_dispatchmgr_create()
+			failed.
+
+1262.	[bug]		ns_server_destroy() failed to set *serverp to NULL.
+
+1261.	[func]		libbind: ns_sign2() and ns_sign_tcp() now provide
+			support for compressed TSIG owner names.
+
+1260.	[func]		libbind: res_update can now update IPv6 servers,
+			new function res_findzonecut2().
+
+1259.	[bug]		libbind: get_salen() IPv6 support was broken for OSs
+			w/o sa_len.
+
+1258.	[bug]		libbind: res_nametotype() and res_nametoclass() were
+			broken.
+
+1257.	[bug]		Failure to write pid-file should not be fatal on
+			reload. [RT #2861]
+
+1256.	[contrib]	'queryperf' now has EDNS (-e) + DNSSEC DO (-D) support.
+
+1255.	[bug]		When verifying that an NXT proves nonexistence, check
+			the rcode of the message and only do the matching NXT
+			check.  That is, for NXDOMAIN responses, check that
+			the name is in the range between the NXT owner and
+			next name, and for NOERROR NODATA responses, check
+			that the type is not present in the NXT bitmap.
+
+1254.	[func]		preferred-glue option from BIND 8.3.
+
+1253.	[bug]		The dnssec system test failed to remove the correct
+			files.
+
+1252.	[bug]		Dig, host and nslookup were not checking the address
+			the answer was coming from against the address it was
+			sent to. [RT #2692]
+
+1251.	[port]		win32: a make file contained absolute version specific
+			references.
+
+1250.	[func]		Nsupdate will report the address the update was
+			sent to.
+
+1249.	[bug]		Missing masters clause was not handled gracefully.
+			[RT #2703]
+
+1248.	[bug]		DESTDIR was not being propagated between makes.
+
+1247.	[bug]		Don't reset the interface index for link/site local
+			addresses. [RT #2576]
+
+1246.	[func]		New functions isc_sockaddr_issitelocal(),
+			isc_sockaddr_islinklocal(), isc_netaddr_issitelocal()
+			and isc_netaddr_islinklocal().
+
+1245.	[bug]		Treat ENOBUFS, ENOMEM and ENFILE as soft errors for
+			accept().
+
+1244.	[bug]		Receiving a TCP message from a blackhole address would
+			prevent further messages being received over that
+			interface.
+
+1243.	[bug]		It was possible to trigger a REQUIRE() in
+			dns_message_findtype(). [RT #2659]
+
+1242.	[bug]		named-checkzone failed if a journal existed. [RT #2657]
+
+1241.	[bug]		Drop received UDP messages with a zero source port
+			as these are invariably forged. [RT #2621]
+
+1240.	[bug]		It was possible to leak zone references by
+			specifying an incorrect zone to rndc.
+
+1239.	[bug]		Under certain circumstances named could continue to
+			use a name after it had been freed triggering
+			INSIST() failures.  [RT #2614]
+
+1238.	[bug]		It is possible to lockup the server when shutting down
+			if notifies were being processed. [RT #2591]
+
+1237.	[bug]		nslookup: "set q=type" failed.
+
+1236.	[bug]		dns_rdata{class,type}_fromtext() didn't handle non
+			NULL terminated text regions. [RT #2588]
+
+1235.	[func]		Report 'out of memory' errors from openssl.
+
+1234.	[bug]		contrib/sdb: 'zonetodb' failed to call
+			dns_result_register().  DNS_R_SEENINCLUDE should not
+			be fatal.
+
+1233.	[bug]		The flags field of a KEY record can be expressed in
+			hex as well as decimal.
+
+1232.	[bug]		unix/errno2result() didn't handle EADDRNOTAVAIL.
+
+1231.	[port]		HPUX 11.11 recvmsg() can return spurious EADDRNOTAVAIL.
+
+1230.	[bug]		isccc_cc_isreply() and isccc_cc_isack() were broken.
+
+1229.	[bug]		named would crash if it received a TSIG signed
+			query as part of an AXFR response. [RT #2570]
+
+1228.	[bug]		'make install' did not depend on 'make all'. [RT #2559]
+
+1227.	[bug]		dns_lex_getmastertoken() now returns ISC_R_BADNUMBER
+			if a number was expected and some other token was
+			found. [RT #2532]
+
+1226.	[func]		Use EDNS for zone refresh queries. [RT #2551]
+
+1225.	[func]		dns_message_setopt() no longer requires that
+			dns_message_renderbegin() to have been called.
+
+1224.	[bug]		'rrset-order' and 'sortlist' should be additive
+			not exclusive.
+
+1223.	[func]		'rrset-order' partially works 'cyclic' and 'random'
+			are supported.
+
+1222.	[bug]		Specifying 'port *' did not always result in a system
+			selected (non-reserved) port being used. [RT #2537]
+
+1221.	[bug]		Zone types 'master', 'slave' and 'stub' were not being
+			compared case insensitively. [RT #2542]
+
+1220.	[func]		Support for APL rdata type.
+
+1219.	[func]		Named now reports the TSIG extended error code when
+			signature verification fails. [RT #1651]
+
+1218.	[bug]		Named incorrectly returned SERVFAIL rather than
+			NOTAUTH when there was a TSIG BADTIME error. [RT #2519]
+
+1217.	[func]		Report locations of previous key definition when a
+			duplicate is detected.
+
+1216.	[bug]		Multiple server clauses for the same server were not
+			reported.  [RT #2514]
+
+1215.	[port]		solaris: add support to ifconfig.sh for x86 2.5.1
+
+1214.	[bug]		Win32: isc_file_renameunique() could leave zero length
+			files behind.
+
+1213.	[func]		Report view associated with client if it is not a
+			standard view (_default or _bind).
+
+1212.	[port]		libbind: 64k answer buffers were causing stack space
+			to be exceeded for certain OS.  Use heap space instead.
+
+1211.	[bug]		dns_name_fromtext() incorrectly handled certain
+			valid octal bitlabels. [RT #2483]
+
+1210.	[bug]		libbind: getnameinfo() failed to lookup IPv4 mapped /
+			compatible addresses. [RT #2461]
+
+1209.	[bug]		Dig, host, nslookup were not checking the message ids
+			on the responses. [RT #2454]
+
+1208.	[bug]		dns_master_load*() failed to log a error message if
+			an error was detected when parsing the owner name of
+			a record.  [RT #2448]
+
+1207.	[bug]		libbind: getaddrinfo() could call freeaddrinfo() with
+			an invalid pointer.
+
+1206.	[bug]		SERVFAIL and NOTIMP responses to an EDNS query should
+			trigger a non-EDNS retry.
+
+1205.	[bug]		OPT, TSIG and TKEY cannot be used to set the "class"
+			of the message. [RT #2449]
+
+1204.	[bug]		libbind: res_nupdate() failed to update the name
+			server addresses before sending the update.
+
+1203.	[func]		Report locations of previous acl and zone definitions
+			when a duplicate is detected.
+
+1202.	[func]		New functions: cfg_obj_line() and cfg_obj_file().
+
+1201.	[bug]		Require that if 'callbacks' is passed to
+			dns_rdata_fromtext(), callbacks->error and
+			callbacks->warn are initialized.
+
+1200.	[bug]		Log 'errno' that we are unable to convert to
+			isc_result_t. [RT #2404]
+
+1199.	[doc]		ARM reference to RFC 2157 should have been RFC 1918.
+			[RT #2436]
+
+1198.	[bug]		OPT printing style was not consistent with the way the
+			header fields are printed.  The DO bit was not reported
+			if set.  Report if any of the MBZ bits are set.
+
+1197.	[bug]		Attempts to define the same acl multiple times were not
+			detected.
+
+1196.	[contrib]	update mdnkit to 2.2.3.
+
+1195.	[bug]		Attempts to redefine builtin acls should be caught.
+			[RT #2403]
+
+1194.	[bug]		Not all duplicate zone definitions were being detected
+			at the named.conf checking stage. [RT #2431]
+
+1193.	[bug]		dig +besteffort parsing didn't handle packet
+			truncation.  dns_message_parse() has new flag
+			DNS_MESSAGE_IGNORETRUNCATION.
+
+1192.	[bug]		The seconds fields in LOC records were restricted
+			to three decimal places.  More decimal places should
+			be allowed but warned about.
+
+1191.	[bug]		A dynamic update removing the last non-apex name in
+			a secure zone would fail. [RT #2399]
+
+1190.	[func]		Add the "rndc freeze" and "rndc unfreeze" commands.
+			[RT #2394]
+
+1189.	[bug]		On some systems, malloc(0) returns NULL, which
+			could cause the caller to report an out of memory
+			error. [RT #2398]
+
+1188.	[bug]		Dynamic updates of a signed zone would fail if
+			some of the zone private keys were unavailable.
+
+1187.	[bug]		named was incorrectly returning DNSSEC records
+			in negative responses when the DO bit was not set.
+
+1186.	[bug]		isc_hex_tobuffer(,,length = 0) failed to unget the
+			EOL token when reading to end of line.
+
+1185.	[bug]		libbind: don't assume statp->_u._ext.ext is valid
+			unless RES_INIT is set when calling res_*init().
+
+1184.	[bug]		libbind: call res_ndestroy() if RES_INIT is set
+			when res_*init() is called.
+
+1183.	[bug]		Handle ENOSR error when writing to the internal
+			control pipe. [RT #2395]
+
+1182.	[bug]		The server could throw an assertion failure when
+			constructing a negative response packet.
+
+1181.	[func]		Add the "key-directory" configuration statement,
+			which allows the server to look for online signing
+			keys in alternate directories.
+
+1180.	[func]		dnssec-keygen should always generate keys with
+			protocol 3 (DNSSEC), since it's less confusing
+			that way.
+
+1179.	[func]		Add SIG(0) support to nsupdate.
+
+1178.	[bug]		Follow and cache (if appropriate) A6 and other
+			data chains to completion in the additional section.
+
+1177.	[func]		Report view when loading zones if it is not a
+			standard view (_default or _bind). [RT #2270]
+
+1176.	[doc]		Document that allow-v6-synthesis is only performed
+			for clients that are supplied recursive service.
+			[RT #2260]
+
+1175.	[bug]		named-checkzone and named-checkconf failed to call
+			dns_result_register() at startup which could
+			result in runtime exceptions when printing
+			"out of memory" errors. [RT #2335]
+
+1174.	[bug]		Win32: add WSAECONNRESET to the expected errors
+			from connect(). [RT #2308]
+
+1173.	[bug]		Potential memory leaks in isc_log_create() and
+			isc_log_settag(). [RT #2336]
+
+1172.	[doc]		Add CERT, GPOS, KX, NAPTR, NSAP, PX and TXT to
+			table of RR types in ARM.
+
+1171.	[func]		Added function isc_region_compare(), updated files in
+			lib/dns to use this function instead of local one.
+
+1170.	[bug]		Don't attempt to print the token when a I/O error
+			occurs when parsing named.conf. [RT #2275]
+
+1169.	[func]		Identify recursive queries in the query log.
+
+1168.	[bug]		Empty also-notify clauses were not handled. [RT #2309]
+
+1167.	[contrib]	nslint-2.1a3 (from author).
+
+1166.	[bug]		"Not Implemented" should be reported as NOTIMP,
+			not NOTIMPL. [RT #2281]
+
+1165.	[bug]		We were rejecting notify-source{-v6} in zone clauses.
+
+1164.	[bug]		Empty masters clauses in slave / stub zones were not
+			handled gracefully. [RT #2262]
+
+1163.	[func]		isc_time_formattimestamp() now includes the year.
+
+1162.	[bug]		The allow-notify option was not accepted in slave
+			zone statements.
+
+1161.	[bug]		named-checkzone looped on unbalanced brackets.
+			[RT #2248]
+
+1160.	[bug]		Generating Diffie-Hellman keys longer than 1024
+			bits could fail. [RT #2241]
+
+1159.	[bug]		MD and MF are not permitted to be loaded by RFC1123.
+
+1158.	[func]		Report the client's address when logging notify
+			messages.
+
+1157.	[func]		match-clients and match-destinations now accept
+			keys. [RT #2045]
+
+1156.	[port]		The configure test for strsep() incorrectly
+			succeeded on certain patched versions of
+			AIX 4.3.3. [RT #2190]
+
+1155.	[func]		Recover from master files being removed from under
+			us.
+
+1154.	[bug]		Don't attempt to obtain the netmask of a interface
+			if there is no address configured. [RT #2176]
+
+1153.	[func]		'rndc {stop|halt} -p' now reports the process id
+			of the instance of named being shutdown.
+
+1152.	[bug]		libbind: read buffer overflows.
+
+1151.	[bug]		nslookup failed to check that the arguments to
+			the port, timeout, and retry options were
+			valid integers and in range. [RT #2099]
+
+1150.	[bug]		named incorrectly accepted TTL values
+			containing plus or minus signs, such as
+			1d+1h-1s.
+
+1149.	[func]		New function isc_parse_uint32().
+
+1148.	[func]		'rndc-confgen -a' now provides positive feedback.
+
+1147.	[func]		Set IPV6_V6ONLY on IPv6 sockets if supported by
+			the OS.  listen-on-v6 { any; }; should no longer
+			result in IPv4 queries be accepted.  Similarly
+			control { inet :: ... }; should no longer result
+			in IPv4 connections being accepted.  This can be
+			overridden at compile time by defining
+			ISC_ALLOW_MAPPED=1.
+
+1146.	[func]		Allow IPV6_IPV6ONLY to be set/cleared on a socket if
+			supported by the OS by a new function
+			isc_socket_ipv6only().
+
+1145.	[func]		"host" no longer reports a NOERROR/NODATA response
+			by printing nothing. [RT #2065]
+
+1144.	[bug]		rndc-confgen would crash if both the -a and -t
+			options were specified. [RT #2159]
+
+1143.	[bug]		When a trusted-keys statement was present and named
+			was built without crypto support, it would leak memory.
+
+1142.	[bug]		dnssec-signzone would fail to delete temporary files
+			in some failure cases. [RT #2144]
+
+1141.	[bug]		When named rejected a control message, it would
+			leak a file descriptor and memory.  It would also
+			fail to respond, causing rndc to hang.
+			[RT #2139, #2164]
+
+1140.	[bug]		rndc-confgen did not accept IPv6 addresses as arguments
+			to the -s option. [RT #2138]
+
+1139.	[func]		It is now possible to flush a given name from the
+			cache(s) via 'rndc flushname name [view]'. [RT #2051]
+
+1138.	[func]		It is now possible to flush a given name from the
+			cache by calling the new function
+			dns_cache_flushname().
+
+1137.	[func]		It is now possible to flush a given name from the
+			ADB by calling the new function dns_adb_flushname().
+
+1136.	[bug]		CNAME records synthesized from DNAMEs did not
+			have a TTL of zero as required by RFC2672.
+			[RT #2129]
+
+1135.	[func]		You can now override the default syslog() facility for
+			named/lwresd at compile time. [RT #1982]
+
+1134.	[bug]		Multi-threaded servers could deadlock in ferror()
+			when reloading zone files. [RT #1951, #1998]
+
+1133.	[bug]		IN6_IS_ADDR_LOOPBACK was not portably defined on
+			platforms without IN6_IS_ADDR_LOOPBACK. [RT #2106]
+
+1132.	[func]		Improve UPDATE prerequisite failure diagnostic messages.
+
+1131.	[bug]		The match-destinations view option did not work with
+			IPv6 destinations. [RT #2073, #2074]
+
+1130.	[bug]		Log messages reporting an out-of-range serial number
+			did not include the out-of-range number but the
+			following token. [RT #2076]
+
+1129.	[bug]		Multi-threaded servers could crash under heavy
+			resolution load due to a race condition. [RT #2018]
+
+1128.	[func]		sdb drivers can now provide RR data in either text
+			or wire format, the latter using the new functions
+			dns_sdb_putrdata() and dns_sdb_putnamedrdata().
+
+1127.	[func]		rndc: If the server to contact has multiple addresses,
+			try all of them.
+
+1126.	[bug]		The server could access a freed event if shut
+			down while a client start event was pending
+			delivery. [RT #2061]
+
+1125.	[bug]		rndc: -k option was missing from usage message.
+			[RT #2057]
+
+1124.	[doc]		dig: +[no]dnssec, +[no]besteffort and +[no]fail
+			are now documented. [RT #2052]
+
+1123.	[bug]		dig +[no]fail did not match description. [RT #2052]
+
+1122.	[tuning]	Resolution timeout reduced from 90 to 30 seconds.
+			[RT #2046]
+
+1121.	[bug]		The server could attempt to access a NULL zone
+			table if shut down while resolving.
+			[RT #1587, #2054]
+
+1120.	[bug]		Errors in options were not fatal. [RT #2002]
+
+1119.	[func]		Added support in Win32 for NTFS file/directory ACL's
+			for access control.
+
+1118.	[bug]		On multi-threaded servers, a race condition
+			could cause an assertion failure in resolver.c
+			during resolver shutdown. [RT #2029]
+
+1117.	[port]		The configure check for in6addr_loopback incorrectly
+			succeeded on AIX 4.3 when compiling with -O2
+			because the test code was optimized away.
+			[RT #2016]
+
+1116.	[bug]		Setting transfers in a server clause, transfers-in,
+			or transfers-per-ns to a value greater than
+			2147483647 disabled transfers. [RT #2002]
+
+1115.	[func]		Set maximum values for cleaning-interval,
+			heartbeat-interval, interface-interval,
+			max-transfer-idle-in, max-transfer-idle-out,
+			max-transfer-time-in, max-transfer-time-out,
+			statistics-interval of 28 days and
+			sig-validity-interval of 3660 days. [RT #2002]
+
+1114.	[port]		Ignore more accept() errors. [RT #2021]
+
+1113.	[bug]		The allow-update-forwarding option was ignored
+			when specified in a view. [RT #2014]
+
+1112.	[placeholder]
+
+1111.	[bug]		Multi-threaded servers could deadlock processing
+			recursive queries due to a locking hierarchy
+			violation in adb.c. [RT #2017]
+
+1110.	[bug]		dig should only accept valid abbreviations of +options.
+			[RT #2003]
+
+1109.	[bug]		nsupdate accepted illegal ttl values.
+
+1108.	[bug]		On Win32, rndc was hanging when named was not running
+			due to failure to select for exceptional conditions
+			in select(). [RT #1870]
+
+1107.	[bug]		nsupdate could catch an assertion failure if an
+			invalid domain name was given as the argument to
+			the "zone" command.
+
+1106.	[bug]		After seeing an out of range TTL, nsupdate would
+			treat all TTLs as out of range. [RT #2001]
+
+1105.	[port]		OpenUNIX 8 enable threads by default. [RT #1970]
+
+1104.	[bug]		Invalid arguments to the transfer-format option
+			could cause an assertion failure. [RT #1995]
+
+1103.	[port]		OpenUNIX 8 support (ifconfig.sh). [RT #1970]
+
+1102.	[doc]		Note that query logging is enabled by directing the
+			queries category to a channel.
+
+1101.	[bug]		Array bounds read error in lwres_gai_strerror.
+
+1100.	[bug]		libbind: DNSSEC key ids were computed incorrectly.
+
+1099.	[cleanup]	libbind: defining REPORT_ERRORS in lib/bind/dst caused
+			compile time errors.
+
+1098.	[bug]		libbind: HMAC-MD5 key files are now mode 0600.
+
+1097.	[func]		libbind: RES_PRF_TRUNC for dig.
+
+1096.	[func]		libbind: "DNSSEC OK" (DO) support.
+
+1095.	[func]		libbind: resolver option: no-tld-query.  disables
+			trying unqualified as a tld.  no_tld_query is also
+			supported for FreeBSD compatibility.
+
+1094.	[func]		libbind: add support gcc's format string checking.
+
+1093.	[doc]		libbind: miscellaneous nroff fixes.
+
+1092.	[bug]		libbind: get*by*() failed to check if res_init() had
+			been called.
+
+1091.	[bug]		libbind: misplaced va_end().
+
+1090.	[bug]		libbind: dns_ho.c:add_hostent() was not returning
+			the amount of memory consumed resulting in garbage
+			address being returned.  Alignment calculations were
+			wasting space.  We weren't suppressing duplicate
+			addresses.
+
+1089.	[func]		libbind: inet_{cidr,net}_{pton,ntop}() now have IPv6
+			support.
+
+1088.	[port]		libbind: MPE/iX C.70 (incomplete)
+
+1087.	[bug]		libbind: struct __res_state too large on 64 bit arch.
+
+1086.	[port]		libbind: sunos: old sprintf.
+
+1085.	[port]		libbind: solaris: sys_nerr and sys_errlist do not
+			exist when compiling in 64 bit mode.
+
+1084.	[cleanup]	libbind: gai_strerror() rewritten.
+
+1083.	[bug]		The default control channel listened on the
+			wildcard address, not the loopback as documented.
+			[RT #1975]
+
+1082.	[bug]		The -g option to named incorrectly caused logging
+			to be sent to syslog in addition to stderr.
+			[RT #1974]
+
+1081.	[bug]		Multicast queries were incorrectly identified
+			based on the source address, not the destination
+			address.
+
+1080.	[bug]		BIND 8 compatibility: accept bare IP prefixes
+			as the second element of a two-element top level
+			sort list statement. [RT #1964]
+
+1079.	[bug]		BIND 8 compatibility: accept bare elements at top
+			level of sort list treating them as if they were
+			a single element list. [RT #1963]
+
+1078.	[bug]		We failed to correct bad tv_usec values in one case.
+			[RT #1966]
+
+1077.	[func]		Do not accept further recursive clients when
+			the total number of recursive lookups being
+			processed exceeds max-recursive-clients, even
+			if some of the lookups are internally generated.
+			[RT #1915, #1938]
+
+1076.	[bug]		A badly defined global key could trigger an assertion
+			on load/reload if views were used. [RT #1947]
+
+1075.	[bug]		Out-of-range network prefix lengths were not
+			reported. [RT #1954]
+
+1074.	[bug]		Running out of memory in dump_rdataset() could
+			cause an assertion failure. [RT #1946]
+
+1073.	[bug]		The ADB cache cleaning should also be space driven.
+			[RT #1915, #1938]
+
+1072.	[bug]		The TCP client quota could be exceeded when
+			recursion occurred. [RT #1937]
+
+1071.	[bug]		Sockets listening for TCP DNS connections
+			specified an excessive listen backlog. [RT #1937]
+
+1070.	[bug]		Copy DNSSEC OK (DO) to response as specified by
+			draft-ietf-dnsext-dnssec-okbit-03.txt.
+
+1069.	[placeholder]
+
+1068.	[bug]		errno could be overwritten by catgets(). [RT #1921]
+
+1067.	[func]		Allow quotas to be soft, isc_quota_soft().
+
+1066.	[bug]		Provide a thread safe wrapper for strerror().
+			[RT #1689]
+
+1065.	[func]		Runtime support to select new / old style interface
+			scanning using ioctls.
+
+1064.	[bug]		Do not shut down active network interfaces if we
+			are unable to scan the interface list. [RT #1921]
+
+1063.	[bug]		libbind: "make install" was failing on IRIX.
+			[RT #1919]
+
+1062.	[bug]		If the control channel listener socket was shut
+			down before server exit, the listener object could
+			be freed twice. [RT #1916]
+
+1061.	[bug]		If periodic cache cleaning happened to start
+			while cleaning due to reaching the configured
+			maximum cache size was in progress, the server
+			could catch an assertion failure. [RT #1912]
+
+1060.	[func]		Move refresh, stub and notify UDP retry processing
+			into dns_request.
+
+1059.	[func]		dns_request now support will now retry UDP queries,
+			dns_request_createvia2() and dns_request_createraw2().
+
+1058.	[func]		Limited lifetime ticker timers are now available,
+			isc_timertype_limited.
+
+1057.	[bug]		Reloading the server after adding a "file" clause
+			to a zone statement could cause the server to
+			crash due to a typo in change 1016.
+
+1056.	[bug]		Rndc could catch an assertion failure on SIGINT due
+			to an uninitialized variable. [RT #1908]
+
+1055.	[func]		Version and hostname queries can now be disabled
+			using "version none;" and "hostname none;",
+			respectively.
+
+1054.	[bug]		On Win32, cfg_categories and cfg_modules need to be
+			exported from the libisccfg DLL.
+
+1053.	[bug]		Dig did not increase its timeout when receiving
+			AXFRs unless the +time option was used. [RT #1904]
+
+1052.	[bug]		Journals were not being created in binary mode
+			resulting in "journal format not recognized" error
+			under Win32. [RT #1889]
+
+1051.	[bug]		Do not ignore a network interface completely just
+			because it has a noncontiguous netmask.  Instead,
+			omit it from the localnets ACL and issue a warning.
+			[RT #1891]
+
+1050.	[bug]		Log messages reporting malformed IP addresses in
+			address lists such as that of the forwarders option
+			failed to include the correct error code, file
+			name, and line number. [RT #1890]
+
+1049.	[func]		"pid-file none;" will disable writing a pid file.
+			[RT #1848]
+
+1048.	[bug]		Servers built with -DISC_MEM_USE_INTERNAL_MALLOC=1
+			didn't work.
+
+1047.	[bug]		named was incorrectly refusing all requests signed
+			with a TSIG key derived from an unsigned TKEY
+			negotiation with a NOERROR response. [RT #1886]
+
+1046.	[bug]		The help message for the --with-openssl configure
+			option was inaccurate. [RT #1880]
+
+1045.	[bug]		It was possible to skip saving glue for a nameserver
+			for a stub zone.
+
+1044.	[bug]		Specifying allow-transfer, notify-source, or
+			notify-source-v6 in a stub zone was not treated
+			as an error.
+
+1043.	[bug]		Specifying a transfer-source or transfer-source-v6
+			option in the zone statement for a master zone was
+			not treated as an error. [RT #1876]
+
+1042.	[bug]		The "config" logging category did not work properly.
+			[RT #1873]
+
+1041.	[bug]		Dig/host/nslookup could catch an assertion failure
+			on SIGINT due to an uninitialized variable. [RT #1867]
+
+1040.	[bug]		Multiple listen-on-v6 options with different ports
+			were not accepted. [RT #1875]
+
+1039.	[bug]		Negative responses with CNAMEs in the answer section
+			were cached incorrectly. [RT #1862]
+
+1038.	[bug]		In servers configured with a tkey-domain option,
+			TKEY queries with an owner name other than the root
+			could cause an assertion failure. [RT #1866, #1869]
+
+1037.	[bug]		Negative responses whose authority section contain
+			SOA or NS records whose owner names are not equal
+			equal to or parents of the query name should be
+			rejected. [RT #1862]
+
+1036.	[func]		Silently drop requests received via multicast as
+			long as there is no final multicast DNS standard.
+
+1035.	[bug]		If we respond to multicast queries (which we
+			currently do not), respond from a unicast address
+			as specified in RFC 1123. [RT #137]
+
+1034.	[bug]		Ignore the RD bit on multicast queries as specified
+			in RFC 1123. [RT #137]
+
+1033.	[bug]		Always respond to requests with an unsupported opcode
+			with NOTIMP, even if we don't have a matching view
+			or cannot determine the class.
+
+1032.	[func]		hostname.bind/txt/chaos now returns the name of
+			the machine hosting the nameserver.  This is useful
+			in diagnosing problems with anycast servers.
+
+1031.	[bug]		libbind.a: isc__gettimeofday() infinite recursion.
+			[RT #1858]
+
+1030.	[bug]		On systems with no resolv.conf file, nsupdate
+			exited with an error rather than defaulting
+			to using the loopback address. [RT #1836]
+
+1029.	[bug]		Some named.conf errors did not cause the loading
+			of the configuration file to return a failure
+			status even though they were logged. [RT #1847]
+
+1028.	[bug]		On Win32, dig/host/nslookup looked for resolv.conf
+			in the wrong directory. [RT #1833]
+
+1027.	[bug]		RRs having the reserved type 0 should be rejected.
+			[RT #1471]
+
+1026.	[placeholder]
+
+1025.	[bug]		Don't use multicast addresses to resolve iterative
+			queries. [RT #101]
+
+1024.	[port]		Compilation failed on HP-UX 11.11 due to
+			incompatible use of the SIOCGLIFCONF macro
+			name. [RT #1831]
+
+1023.	[func]		Accept hints without TTLs.
+
+1022.	[bug]		Don't report empty root hints as "extra data".
+			[RT #1802]
+
+1021.	[bug]		On Win32, log message timestamps were one month
+			later than they should have been, and the server
+			would exhibit unspecified behavior in December.
+
+1020.	[bug]		IXFR log messages did not distinguish between
+			true IXFRs, AXFR-style IXFRs, and mere version
+			polls. [RT #1811]
+
+1019.	[bug]		The value of the lame-ttl option was limited to 18000
+			seconds, not 1800 seconds as documented. [RT #1803]
+
+1018.	[bug]		The default log channel was not always initialized
+			correctly. [RT #1813]
+
+1017.	[bug]		When specifying TSIG keys to dig and nsupdate using
+			the -k option, they must be HMAC-MD5 keys. [RT #1810]
+
+1016.	[bug]		Slave zones with no backup file were re-transferred
+			on every server reload.
+
+1015.	[bug]		Log channels that had a "versions" option but no
+			"size" option failed to create numbered log
+			files. [RT #1783]
+
+1014.	[bug]		Some queries would cause statistics counters to
+			increment more than once or not at all. [RT #1321]
+
+1013.	[bug]		It was possible to cancel a query twice when marking
+			a server as bogus or by having a blackhole acl.
+			[RT #1776]
+
+1012.	[bug]		The -p option to named did not behave as documented.
+
+1011.	[cleanup]	Removed isc_dir_current().
+
+1010.	[bug]		The server could attempt to execute a command channel
+			command after initiating server shutdown, causing
+			an assertion failure. [RT #1766]
+
+1009.	[port]		OpenUNIX 8 support. [RT #1728]
+
+1008.	[port]		libtool.m4, ltmain.sh from libtool-1.4.2.
+
+1007.	[port]		config.guess, config.sub from autoconf-2.52.
+
+1006.	[bug]		If a KEY RR was found missing during DNSSEC validation,
+			an assertion failure could subsequently be triggered
+			in the resolver. [RT #1763]
+
+1005.	[bug]		Don't copy nonzero RCODEs from request to response.
+			[RT #1765]
+
+1004.	[port]		Deal with recvfrom() returning EHOSTDOWN. [RT #1770]
+
+1003.	[func]		Add the +retry option to dig.
+
+1002.	[bug]		When reporting an unknown class name in named.conf,
+			including the file name and line number. [RT #1759]
+
+1001.	[bug]		win32 socket code doio_recv was not catching a
+			WSACONNRESET error when a client was timing out
+			the request and closing its socket. [RT #1745]
+
+1000.	[bug]		BIND 8 compatibility: accept "HESIOD" as an alias
+			for class "HS". [RT #1759]
+
+ 999.	[func]		"rndc retransfer zone [class [view]]" added.
+			[RT #1752]
+
+ 998.	[func]		named-checkzone now has arguments to specify the
+			chroot directory (-t) and working directory (-w).
+			[RT #1755]
+
+ 997.	[func]		Add support for RSA-SHA1 keys (RFC3110).
+
+ 996.	[func]		Issue warning if the configuration filename contains
+			the chroot path.
+
+ 995.	[bug]		dig, host, nslookup: using a raw IPv6 address as a
+			target address should be fatal on a IPv4 only system.
+
+ 994.	[func]		Treat non-authoritative responses to queries for type
+			NS as referrals even if the NS records are in the
+			answer section, because BIND 8 servers incorrectly
+			send them that way.  This is necessary for DNSSEC
+			validation of the NS records of a secure zone to
+			succeed when the parent is a BIND 8 server. [RT #1706]
+
+ 993.	[func]		dig: -v now reports the version.
+
+ 992.	[doc]		dig: ~/.digrc is now documented.
+
+ 991.	[func]		Lower UDP refresh timeout messages to level
+			debug 1.
+
+ 990.	[bug]		The rndc-confgen man page was not installed.
+
+ 989.	[bug]		Report filename if $INCLUDE fails for file related
+			errors. [RT #1736]
+
+ 988.	[bug]		'additional-from-auth no;' did not work reliably
+			in the case of queries answered from the cache.
+			[RT #1436]
+
+ 987.	[bug]		"dig -help" didn't show "+[no]stats".
+
+ 986.	[bug]		"dig +noall" failed to clear stats and command
+			printing.
+
+ 985.	[func]		Consider network interfaces to be up iff they have
+			a nonzero IP address rather than based on the
+			IFF_UP flag. [RT #1160]
+
+ 984.	[bug]		Multi-threading should be enabled by default on
+			Solaris 2.7 and newer, but it wasn't.
+
+ 983.	[func]		The server now supports generating IXFR difference
+			sequences for non-dynamic zones by comparing zone
+			versions, when enabled using the new config
+			option "ixfr-from-differences". [RT #1727]
+
+ 982.	[func]		If "memstatistics-file" is set in options the memory
+			statistics will be written to it.
+
+ 981.	[func]		The dnssec tools can now take multiple '-r randomfile'
+			arguments.
+
+ 980.	[bug]		Incoming zone transfers restarting after an error
+			could trigger an assertion failure. [RT #1692]
+
+ 979.	[func]		Incremental master file dumping.  dns_master_dumpinc(),
+			dns_master_dumptostreaminc(), dns_dumpctx_attach(),
+			dns_dumpctx_detach(), dns_dumpctx_cancel(),
+			dns_dumpctx_db() and dns_dumpctx_version().
+
+ 978.	[bug]		dns_db_attachversion() had an invalid REQUIRE()
+			condition.
+
+ 977.	[bug]		Improve "not at top of zone" error message.
+
+ 976.	[func]		named-checkconf can now test load master zones
+			(named-checkconf -z). [RT #1468]
+
+ 975.	[bug]		"max-cache-size default;" as a view option
+			caused an assertion failure.
+
+ 974.	[bug]		"max-cache-size unlimited;" as a global option
+			was not accepted.
+
+ 973.	[bug]		Failed to log the question name when logging:
+			"bad zone transfer request: non-authoritative zone
+			(NOTAUTH)".
+
+ 972.	[bug]		The file modification time code in zone.c was using the
+			wrong epoch. [RT #1667]
+
+ 971.	[placeholder]
+
+ 970.	[func]		'max-journal-size' can now be used to set a target
+			size for a journal.
+
+ 969.	[func]		dig now supports the undocumented dig 8 feature
+			of allowing arbitrary labels, not just dotted
+			decimal quads, with the -x option.  This can be
+			used to conveniently look up RFC2317 names as in
+			"dig -x 10.0.0.0-127". [RT #827, #1576, #1598]
+
+ 968.	[bug]		On win32, the isc_time_now() function was unnecessarily
+			calling strtime(). [RT #1671]
+
+ 967.	[bug]		On win32, the link for bindevt was not including the
+			required resource file to enable the event viewer
+			to interpret the error messages in the event log,
+			[RT #1668]
+
+ 966.	[placeholder]
+
+ 965.	[bug]		Including data other than root server NS and A
+			records in the root hint file could cause a rbtdb
+			node reference leak. [RT #1581, #1618]
+
+ 964.	[func]		Warn if data other than root server NS and A records
+			are found in the root hint file. [RT #1581, #1618]
+
+ 963.	[bug]		Bad ISC_LANG_ENDDECLS. [RT #1645]
+
+ 962.	[bug]		libbind: bad "#undef", don't attempt to install
+			non-existent nlist.h. [RT #1640]
+
+ 961.	[bug]		Tried to use a IPV6 feature when ISC_PLATFORM_HAVEIPV6
+			was not defined. [RT #1482]
+
+ 960.	[port]		liblwres failed to build on systems with support for
+			getrrsetbyname() in the OS. [RT #1592]
+
+ 959.	[port]		On FreeBSD, determine the number of CPUs by calling
+			sysctlbyname(). [RT #1584]
+
+ 958.	[port]		ssize_t is not available on all platforms. [RT #1607]
+
+ 957.	[bug]		sys/select.h inclusion was broken on older platforms.
+			[RT #1607]
+
+ 956.	[bug]		ns_g_autorndcfile changed to ns_g_keyfile
+			in named/win32/os.c due to code changes in
+			change #953. win32 .make file for rndc-confgen
+			updated to add include path for os.h header.
+
+	--- 9.2.0rc1 released ---
+
+ 955.	[bug]		When using views, the zone's class was not being
+			inherited from the view's class. [RT #1583]
+
+ 954.	[bug]		When requesting AXFRs or IXFRs using dig, host, or
+			nslookup, the RD bit should not be set as zone
+			transfers are inherently non-recursive. [RT #1575]
+
+ 953.	[func]		The /var/run/named.key file from change #843
+			has been replaced by /etc/rndc.key.  Both
+			named and rndc will look for this file and use
+			it to configure a default control channel key
+			if not already configured using a different
+			method (rndc.conf / controls).  Unlike
+			named.key, rndc.key is not created automatically;
+			it must be created by manually running
+			"rndc-confgen -a".
+
+ 952.	[bug]		The server required manual intervention to serve the
+			affected zones if it died between creating a journal
+			and committing the first change to it.
+
+ 951.	[bug]		CFLAGS was not passed to the linker when
+			linking some of the test programs under
+			bin/tests. [RT #1555].
+
+ 950.	[bug]		Explicit TTLs did not properly override $TTL
+			due to a bug in change 834. [RT #1558]
+
+ 949.	[bug]		host was unable to print records larger than 512
+			bytes. [RT #1557]
+
+	--- 9.2.0b2 released ---
+
+ 948.	[port]		Integrated support for building on Windows NT /
+			Windows 2000.
+
+ 947.	[bug]		dns_rdata_soa_t had a badly named element "mname" which
+			was really the RNAME field from RFC1035.  To avoid
+			confusion and silent errors that would occur it the
+			"origin" and "mname" elements were given their correct
+			names "mname" and "rname" respectively, the "mname"
+			element is renamed to "contact".
+
+ 946.	[cleanup]	doc/misc/options is now machine-generated from the
+			configuration parser syntax tables, and therefore
+			more likely to be correct.
+
+ 945.	[func]		Add the new view-specific options
+			"match-destinations" and "match-recursive-only".
+
+ 944.	[func]		Check for expired signatures on load.
+
+ 943.	[bug]		The server could crash when receiving a command
+			via rndc if the configuration file listed only
+			nonexistent keys in the controls statement. [RT #1530]
+
+ 942.	[port]		libbind: GETNETBYADDR_ADDR_T was not correctly
+			defined on some platforms.
+
+ 941.	[bug]		The configuration checker crashed if a slave
+			zone didn't contain a masters statement. [RT #1514]
+
+ 940.	[bug]		Double zone locking failure on error path. [RT #1510]
+
+	--- 9.2.0b1 released ---
+
+ 939.	[port]		Add the --disable-linux-caps option to configure for
+			systems that manage capabilities outside of named.
+			[RT #1503]
+
+ 938.	[placeholder]
+
+ 937.	[bug]		A race when shutting down a zone could trigger a
+			INSIST() failure. [RT #1034]
+
+ 936.	[func]		Warn about IPv4 addresses that are not complete
+			dotted quads. [RT #1084]
+
+ 935.	[bug]		inet_pton failed to reject leading zeros.
+
+ 934.	[port]		Deal with systems where accept() spuriously returns
+			ECONNRESET.
+
+ 933.	[bug]		configure failed doing libbind on platforms not
+			supported by BIND 8. [RT #1496]
+
+	--- 9.2.0a3 released ---
+
+ 932.	[bug]		Use INSTALL_SCRIPT, not INSTALL_PROGRAM,
+			when installing isc-config.sh.
+			[RT #198, #1466]
+
+ 931.	[bug]		The controls statement only attempted to verify
+			messages using the first key in the key list.
+			(9.2.0a1/a2 only).
+
+ 930.	[func]		Query performance testing tool added as
+			contrib/queryperf.
+
+ 929.	[placeholder]
+
+ 928.	[bug]		nsupdate would send empty update packets if the
+			send (or empty line) command was run after
+			another send but before any new updates or
+			prerequisites were specified.  It should simply
+			ignore this command.
+
+ 927.	[bug]		Don't hold the zone lock for the entire dump to disk.
+			[RT #1423]
+
+ 926.	[bug]		The resolver could deadlock with the ADB when
+			shutting down (multi-threaded builds only).
+			[RT #1324]
+
+ 925.	[cleanup]	Remove openssl from the distribution; require that
+			--with-openssl be specified if DNSSEC is needed.
+
+ 924.	[port]		Extend support for pre-RFC2133 IPv6 implementation.
+			[RT #987]
+
+ 923.	[bug]		Multiline TSIG secrets (and other multiline strings)
+			were not accepted in named.conf. [RT #1469]
+
+ 922.	[func]		Added two new lwres_getrrsetbyname() result codes,
+			ERR_NONAME and ERR_NODATA.
+
+ 921.	[bug]		lwres returned an incorrect error code if it received
+			a truncated message.
+
+ 920.	[func]		Increase the lwres receive buffer size to 16K.
+			[RT #1451]
+
+ 919.	[placeholder]
+
+ 918.	[func]		In nsupdate, TSIG errors are no longer treated as
+			fatal errors.
+
+ 917.	[func]		New nsupdate command 'key', allowing TSIG keys to
+			be specified in the nsupdate command stream rather
+			than the command line.
+
+ 916.	[bug]		Specifying type ixfr to dig without specifying
+			a serial number failed in unexpected ways.
+
+ 915.	[func]		The named-checkconf and named-checkzone programs
+			now have a '-v' option for printing their version.
+			[RT #1151]
+
+ 914.	[bug]		Global 'server' statements were rejected when
+			using views, even though they were accepted
+			in 9.1. [RT #1368]
+
+ 913.	[bug]		Cache cleaning was not sufficiently aggressive.
+			[RT #1441, #1444]
+
+ 912.	[bug]		Attempts to set the 'additional-from-cache' or
+			'additional-from-auth' option to 'no' in a
+			server with recursion enabled will now
+			be ignored and cause a warning message.
+			[RT #1145]
+
+ 911.	[placeholder]
+
+ 910.	[port]		Some pre-RFC2133 IPv6 implementations do not define
+			IN6ADDR_ANY_INIT. [RT #1416]
+
+ 909.	[placeholder]
+
+ 908.	[func]		New program, rndc-confgen, to simplify setting up rndc.
+
+ 907.	[func]		The ability to get entropy from either the
+			random device, a user-provided file or from
+			the keyboard was migrated from the DNSSEC tools
+			to libisc as isc_entropy_usebestsource().
+
+ 906.	[port]		Separated the system independent portion of
+			lib/isc/unix/entropy.c into lib/isc/entropy.c
+			and added lib/isc/win32/entropy.c.
+
+ 905.	[bug]		Configuring a forward "zone" for the root domain
+			did not work. [RT #1418]
+
+ 904.	[bug]		The server would leak memory if attempting to use
+			an expired TSIG key. [RT #1406]
+
+ 903.	[bug]		dig should not crash when receiving a TCP packet
+			of length 0.
+
+ 902.	[bug]		The -d option was ignored if both -t and -g were also
+			specified.
+
+ 901.	[placeholder]
+
+ 900.	[bug]		A config.guess update changed the system identification
+			string of FreeBSD systems; configure and
+			bin/tests/system/ifconfig.sh now recognize the new
+			string.
+
+	--- 9.2.0a2 released ---
+
+ 899.	[bug]		lib/dns/soa.c failed to compile on many platforms
+			due to inappropriate use of a void value.
+			[RT #1372, #1373, #1386, #1387, #1395]
+
+ 898.	[bug]		"dig" failed to set a nonzero exit status
+			on UDP query timeout. [RT #1323]
+
+ 897.	[bug]		A config.guess update changed the system identification
+			string of UnixWare systems; configure now recognizes
+			the new string.
+
+ 896.	[bug]		If a configuration file is set on named's command line
+			and it has a relative pathname, the current directory
+			(after any possible jailing resulting from named -t)
+			will be prepended to it so that reloading works
+			properly even when a directory option is present.
+
+ 895.	[func]		New function, isc_dir_current(), akin to POSIX's
+			getcwd().
+
+ 894.	[bug]		When using the DNSSEC tools, a message intended to warn
+			when the keyboard was being used because of the lack
+			of a suitable random device was not being printed.
+
+ 893.	[func]		Removed isc_file_test() and added isc_file_exists()
+			for the basic functionality that was being added
+			with isc_file_test().
+
+ 892.	[placeholder]
+
+ 891.	[bug]		Return an error when a SIG(0) signed response to
+			an unsigned query is seen.  This should actually
+			do the verification, but it's not currently
+			possible. [RT #1391]
+
+ 890.	[cleanup]	The man pages no longer require the mandoc macros
+			and should now format cleanly using most versions of
+			nroff, and HTML versions of the man pages have been
+			added.  Both are generated from DocBook source.
+
+ 889.	[port]		Eliminated blank lines before .TH in nroff man
+			pages since they cause problems with some versions
+			of nroff. [RT #1390]
+
+ 888.	[bug]		Don't die when using TKEY to delete a nonexistent
+			TSIG key. [RT #1392]
+
+ 887.	[port]		Detect broken compilers that can't call static
+			functions from inline functions. [RT #1212]
+
+ 886.	[placeholder]
+
+ 885.	[placeholder]
+
+ 884.	[placeholder]
+
+ 883.	[placeholder]
+
+ 882.	[placeholder]
+
+ 881.	[placeholder]
+
+ 880.	[placeholder]
+
+ 879.	[placeholder]
+
+ 878.	[placeholder]
+
+ 877.	[placeholder]
+
+ 876.	[placeholder]
+
+ 875.	[placeholder]
+
+ 874.	[placeholder]
+
+ 873.	[placeholder]
+
+ 872.	[placeholder]
+
+ 871.	[placeholder]
+
+ 870.	[placeholder]
+
+ 869.	[placeholder]
+
+ 868.	[placeholder]
+
+ 867.	[placeholder]
+
+ 866.	[func]		Close debug only file channels when debug is set to
+			zero. [RT #1246]
+
+ 865.	[bug]		The new configuration parser did not allow
+			the optional debug level in a "severity debug"
+			clause of a logging channel to be omitted.
+			This is now allowed and treated as "severity
+			debug 1;" like it does in BIND 8.2.4, not as
+			"severity debug 0;" like it did in BIND 9.1.
+			[RT #1367]
+
+ 864.	[cleanup]	Multi-threading is now enabled by default on
+			OSF1, Solaris 2.7 and newer, AIX, IRIX, and HP-UX.
+
+ 863.	[bug]		If an error occurred while an outgoing zone transfer
+			was starting up, the server could access a domain
+			name that had already been freed when logging a
+			message saying that the transfer was starting.
+			[RT #1383]
+
+ 862.	[bug]		Use after realloc(), non portable pointer arithmetic in
+			grmerge().
+
+ 861.	[port]		Add support for Mac OS X, by making it equivalent
+			to Darwin.  This was derived from the config.guess
+			file shipped with Mac OS X. [RT #1355]
+
+ 860.	[func]		Drop cross class glue in zone transfers.
+
+ 859.	[bug]		Cache cleaning now won't swamp the CPU if there
+			is a persistent over limit condition.
+
+ 858.	[func]		isc_mem_setwater() no longer requires that when the
+			callback function is non-NULL then its hi_water
+			argument must be greater than its lo_water argument
+			(they can now be equal) or that they be non-zero.
+
+ 857.	[cleanup]	Use ISC_MAGIC() to define all magic numbers for
+			structs, for our friends in EBCDIC-land.
+
+ 856.	[func]		Allow partial rdatasets to be returned in answer and
+			authority sections to help non-TCP capable clients
+			recover from truncation. [RT #1301]
+
+ 855.	[bug]		Stop spurious "using RFC 1035 TTL semantics" warnings.
+
+ 854.	[bug]		The config parser didn't properly handle config
+			options that were specified in units of time other
+			than seconds. [RT #1372]
+
+ 853.	[bug]		configure_view_acl() failed to detach existing acls.
+			[RT #1374]
+
+ 852.	[bug]		Handle responses from servers which do not know
+			about IXFR.
+
+ 851.	[cleanup]	The obsolete support-ixfr option was not properly
+			ignored.
+
+	--- 9.2.0a1 released ---
+
+ 850.	[bug]		dns_rbt_findnode() would not find nodes that were
+			split on a bitstring label somewhere other than in
+			the last label of the node. [RT #1351]
+
+ 849.	[func]		<isc/net.h> will ensure INADDR_LOOPBACK is defined.
+
+ 848.	[func]		A minimum max-cache-size of two megabytes is enforced
+			by the cache cleaner.
+
+ 847.	[func]		Added isc_file_test(), which currently only has
+			some very basic functionality to test for the
+			existence of a file, whether a pathname is absolute,
+			or whether a pathname is the fundamental representation
+			of the current directory.  It is intended that this
+			function can be expanded to test other things a
+			programmer might want to know about a file.
+
+ 846.	[func]		A non-zero 'param' to dst_key_generate() when making an
+			hmac-md5 key means that good entropy is not required.
+
+ 845.	[bug]		The access rights on the public file of a symmetric
+			key are now restricted as soon as the file is opened,
+			rather than after it has been written and closed.
+
+ 844.	[func]		<isc/net.h> will ensure INADDR_LOOPBACK is defined,
+			just as <lwres/net.h> does.
+
+ 843.	[func]		If no controls statement is present in named.conf,
+			or if any inet phrase of a controls statement is
+			lacking a keys clause, then a key will be automatically
+			generated by named and an rndc.conf-style file
+			named named.key will be written that uses it.  rndc
+			will use this file only if its normal configuration
+			file, or one provided on the command line, does not
+			exist.
+
+ 842.	[func]		'rndc flush' now takes an optional view.
+
+ 841.	[bug]		When sdb modules were not declared threadsafe, their
+			create and destroy functions were not serialized.
+
+ 840.	[bug]		The config file parser could print the wrong file
+			name if an error was detected after an included file
+			was parsed. [RT #1353]
+
+ 839.	[func]		Dump packets for which there was no view or that the
+			class could not be determined to category "unmatched".
+
+ 838.	[port]		UnixWare 7.x.x is now supported by
+			bin/tests/system/ifconfig.sh.
+
+ 837.	[cleanup]	Multi-threading is now enabled by default only on
+			OSF1, Solaris 2.7 and newer, and AIX.
+
+ 836.	[func]		Upgraded libtool to 1.4.
+
+ 835.	[bug]		The dispatcher could enter a busy loop if
+			it got an I/O error receiving on a UDP socket.
+			[RT #1293]
+
+ 834.	[func]		Accept (but warn about) master files beginning with
+			an SOA record without an explicit TTL field and
+			lacking a $TTL directive, by using the SOA MINTTL
+			as a default TTL.  This is for backwards compatibility
+			with old versions of BIND 8, which accepted such
+			files without warning although they are illegal
+			according to RFC1035.
+
+ 833.	[cleanup]	Moved dns_soa_*() from <dns/journal.h> to
+			<dns/soa.h>, and extended them to support
+			all the integer-valued fields of the SOA RR.
+
+ 832.	[bug]		The default location for named.conf in named-checkconf
+			should depend on --sysconfdir like it does in named.
+			[RT #1258]
+
+ 831.	[placeholder]
+
+ 830.	[func]		Implement 'rndc status'.
+
+ 829.	[bug]		The DNS_R_ZONECUT result code should only be returned
+			when an ANY query is made with DNS_DBFIND_GLUEOK set.
+			In all other ANY query cases, returning the delegation
+			is better.
+
+ 828.	[bug]		The errno value from recvfrom() could be overwritten
+			by logging code. [RT #1293]
+
+ 827.	[bug]		When an IXFR protocol error occurs, the slave
+			should retry with AXFR.
+
+ 826.	[bug]		Some IXFR protocol errors were not detected.
+
+ 825.	[bug]		zone.c:ns_query() detached from the wrong zone
+			reference. [RT #1264]
+
+ 824.	[bug]		Correct line numbers reported by dns_master_load().
+			[RT #1263]
+
+ 823.	[func]		The output of "dig -h" now goes to stdout so that it
+			can easily be piped through "more". [RT #1254]
+
+ 822.	[bug]		Sending nxrrset prerequisites would crash nsupdate.
+			[RT #1248]
+
+ 821.	[bug]		The program name used when logging to syslog should
+			be stripped of leading path components.
+			[RT #1178, #1232]
+
+ 820.	[bug]		Name server address lookups failed to follow
+			A6 chains into the glue of local authoritative
+			zones.
+
+ 819.	[bug]		In certain cases, the resolver's attempts to
+			restart an address lookup at the root could cause
+			the fetch to deadlock (with itself) instead of
+			restarting. [RT #1225]
+
+ 818.	[bug]		Certain pathological responses to ANY queries could
+			cause an assertion failure. [RT #1218]
+
+ 817.	[func]		Adjust timeouts for dialup zone queries.
+
+ 816.	[bug]		Report potential problems with log file accessibility
+			at configuration time, since such problems can't
+			reliably be reported at the time they actually occur.
+
+ 815.	[bug]		If a log file was specified with a path separator
+			character (i.e. "/") in its name and the directory
+			did not exist, the log file's name was treated as
+			though it were the directory name. [RT #1189]
+
+ 814.	[bug]		Socket objects left over from accept() failures
+			were incorrectly destroyed, causing corruption
+			of socket manager data structures.
+
+ 813.	[bug]		File descriptors exceeding FD_SETSIZE were handled
+			badly. [RT #1192]
+
+ 812.	[bug]		dig sometimes printed incomplete IXFR responses
+			due to an uninitialized variable. [RT #1188]
+
+ 811.	[bug]		Parentheses were not quoted in zone dumps. [RT #1194]
+
+ 810.	[bug]		The signer name in SIG records was not properly
+			down-cased when signing/verifying records. [RT #1186]
+
+ 809.	[bug]		Configuring a non-local address as a transfer-source
+			could cause an assertion failure during load.
+
+ 808.	[func]		Add 'rndc flush' to flush the server's cache.
+
+ 807.	[bug]		When setting up TCP connections for incoming zone
+			transfers, the transfer-source port was not
+			ignored like it should be.
+
+ 806.	[bug]		DNS_R_SEENINCLUDE was failing to propagate back up
+			the calling stack to the zone maintenance level,
+			causing zones to not reload when an included file was
+			touched but the top-level zone file was not.
+
+ 805.	[bug]		When using "forward only", missing root hints should
+			not cause queries to fail. [RT #1143]
+
+ 804.	[bug]		Attempting to obtain entropy could fail in some
+			situations.  This would be most common on systems
+			with user-space threads. [RT #1131]
+
+ 803.	[bug]		Treat all SIG queries as if they have the CD bit set,
+			otherwise no data will be returned [RT #749]
+
+ 802.	[bug]		DNSSEC key tags were computed incorrectly in almost
+			all cases. [RT #1146]
+
+ 801.	[bug]		nsupdate should treat lines beginning with ';' as
+			comments. [RT #1139]
+
+ 800.	[bug]		dnssec-signzone produced incorrect statistics for
+			large zones. [RT #1133]
+
+ 799.	[bug]		The ADB didn't find AAAA glue in a zone unless A6
+			glue was also present.
+
+ 798.	[bug]		nsupdate should be able to reject bad input lines
+			and continue. [RT #1130]
+
+ 797.	[func]		Issue a warning if the 'directory' option contains
+			a relative path. [RT #269]
+
+ 796.	[func]		When a size limit is associated with a log file,
+			only roll it when the size is reached, not every
+			time the log file is opened. [RT #1096]
+
+ 795.	[func]		Add the +multiline option to dig. [RT #1095]
+
+ 794.	[func]		Implement the "port" and "default-port" statements
+			in rndc.conf.
+
+ 793.	[cleanup]	The DNSSEC tools could create filenames that were
+			illegal or contained shell meta-characters.  They
+			now use a different text encoding of names that
+			doesn't have these problems. [RT #1101]
+
+ 792.	[cleanup]	Replace the OMAPI command channel protocol with a
+			simpler one.
+
+ 791.	[bug]		The command channel now works over IPv6.
+
+ 790.	[bug]		Wildcards created using dynamic update or IXFR
+			could fail to match. [RT #1111]
+
+ 789.	[bug]		The "localhost" and "localnets" ACLs did not match
+			when used as the second element of a two-element
+			sortlist item.
+
+ 788.	[func]		Add the "match-mapped-addresses" option, which
+			causes IPv6 v4mapped addresses to be treated as
+			IPv4 addresses for the purpose of acl matching.
+
+ 787.	[bug]		The DNSSEC tools failed to downcase domain
+			names when mapping them into file names.
+
+ 786.	[bug]		When DNSSEC signing/verifying data, owner names were
+			not properly down-cased.
+
+ 785.	[bug]		A race condition in the resolver could cause
+			an assertion failure. [RT #673, #872, #1048]
+
+ 784.	[bug]		nsupdate and other programs would not quit properly
+			if some signals were blocked by the caller. [RT #1081]
+
+ 783.	[bug]		Following CNAMEs could cause an assertion failure
+			when either using an sdb database or under very
+			rare conditions.
+
+ 782.	[func]		Implement the "serial-query-rate" option.
+
+ 781.	[func]		Avoid error packet loops by dropping duplicate FORMERR
+			responses. [RT #1006]
+
+ 780.	[bug]		Error handling code dealing with out of memory or
+			other rare errors could lead to assertion failures
+			by calling functions on uninitialized names. [RT #1065]
+
+ 779.	[func]		Added the "minimal-responses" option.
+
+ 778.	[bug]		When starting cache cleaning, cleaning_timer_action()
+			returned without first pausing the iterator, which
+			could cause deadlock. [RT #998]
+
+ 777.	[bug]		An empty forwarders list in a zone failed to override
+			global forwarders. [RT #995]
+
+ 776.	[func]		Improved error reporting in denied messages. [RT #252]
+
+ 775.	[placeholder]
+
+ 774.	[func]		max-cache-size is implemented.
+
+ 773.	[func]		Added isc_rwlock_trylock() to attempt to lock without
+			blocking.
+
+ 772.	[bug]		Owner names could be incorrectly omitted from cache
+			dumps in the presence of negative caching entries.
+			[RT #991]
+
+ 771.	[cleanup]	TSIG errors related to unsynchronized clocks
+			are logged better. [RT #919]
+
+ 770.	[func]		Add the "edns yes_or_no" statement to the server
+			clause. [RT #524]
+
+ 769.	[func]		Improved error reporting when parsing rdata. [RT #740]
+
+ 768.	[bug]		The server did not emit an SOA when a CNAME
+			or DNAME chain ended in NXDOMAIN in an
+			authoritative zone.
+
+ 767.	[placeholder]
+
+ 766.	[bug]		A few cases in query_find() could leak fname.
+			This would trigger the mpctx->allocated == 0
+			assertion when the server exited.
+			[RT #739, #776, #798, #812, #818, #821, #845,
+			#892, #935, #966]
+
+ 765.	[func]		ACL names are once again case insensitive, like
+			in BIND 8. [RT #252]
+
+ 764.	[func]		Configuration files now allow "include" directives
+			in more places, such as inside the "view" statement.
+			[RT #377, #728, #860]
+
+ 763.	[func]		Configuration files no longer have reserved words.
+			[RT #731, #753]
+
+ 762.	[cleanup]	The named.conf and rndc.conf file parsers have
+			been completely rewritten.
+
+ 761.	[bug]		_REENTRANT was still defined when building with
+			--disable-threads.
+
+ 760.	[contrib]	Significant enhancements to the pgsql sdb driver.
+
+ 759.	[bug]		The resolver didn't turn off "avoid fetches" mode
+			when restarting, possibly causing resolution
+			to fail when it should not.  This bug only affected
+			platforms which support both IPv4 and IPv6. [RT #927]
+
+ 758.	[bug]		The "avoid fetches" code did not treat negative
+			cache entries correctly, causing fetches that would
+			be useful to be avoided.  This bug only affected
+			platforms which support both IPv4 and IPv6. [RT #927]
+
+ 757.	[func]		Log zone transfers.
+
+ 756.	[bug]		dns_zone_load() could "return" success when no master
+			file was configured.
+
+ 755.	[bug]		Fix incorrectly formatted log messages in zone.c.
+
+ 754.	[bug]		Certain failure conditions sending UDP packets
+			could cause the server to retry the transmission
+			indefinitely. [RT #902]
+
+ 753.	[bug]		dig, host, and nslookup would fail to contact a
+			remote server if getaddrinfo() returned an IPv6
+			address on a system that doesn't support IPv6.
+			[RT #917]
+
+ 752.	[func]		Correct bad tv_usec elements returned by
+			gettimeofday().
+
+ 751.	[func]		Log successful zone loads / transfers.  [RT #898]
+
+ 750.	[bug]		A query should not match a DNAME whose trust level
+			is pending. [RT #916]
+
+ 749.	[bug]		When a query matched a DNAME in a secure zone, the
+			server did not return the signature of the DNAME.
+			[RT #915]
+
+ 748.	[doc]		List supported RFCs in doc/misc/rfc-compliance.
+			[RT #781]
+
+ 747.	[bug]		The code to determine whether an IXFR was possible
+			did not properly check for a database that could
+			not have a journal. [RT #865, #908]
+
+ 746.	[bug]		The sdb didn't clone rdatasets properly, causing
+			a crash when the server followed delegations. [RT #905]
+
+ 745.	[func]		Report the owner name of records that fail
+			semantic checks while loading.
+
+ 744.	[bug]		When returning DNS_R_CNAME or DNS_R_DNAME as the
+			result of an ANY or SIG query, the resolver failed
+			to setup the return event's rdatasets, causing an
+			assertion failure in the query code. [RT #881]
+
+ 743.	[bug]		Receiving a large number of certain malformed
+			answers could cause named to stop responding.
+			[RT #861]
+
+ 742.	[placeholder]
+
+ 741.	[port]		Support openssl-engine. [RT #709]
+
+ 740.	[port]		Handle openssl library mismatches slightly better.
+
+ 739.	[port]		Look for /dev/random in configure, rather than
+			assuming it will be there for only a predefined
+			set of OSes.
+
+ 738.	[bug]		If a non-threadsafe sdb driver supported AXFR and
+			received an AXFR request, it would deadlock or die
+			with an assertion failure. [RT #852]
+
+ 737.	[port]		stdtime.c failed to compile on certain platforms.
+
+ 736.	[func]		New functions isc_task_{begin,end}exclusive().
+
+ 735.	[doc]		Add BIND 4 migration notes.
+
+ 734.	[bug]		An attempt to re-lock the zone lock could occur if
+			the server was shutdown during a zone transfer.
+			[RT #830]
+
+ 733.	[bug]		Reference counts of dns_acl_t objects need to be
+			locked but were not. [RT #801, #821]
+
+ 732.	[bug]		Glue with 0 TTL could also cause SERVFAIL. [RT #828]
+
+ 731.	[bug]		Certain zone errors could cause named-checkzone to
+			fail ungracefully. [RT #819]
+
+ 730.	[bug]		lwres_getaddrinfo() returns the correct result when
+			it fails to contact a server. [RT #768]
+
+ 729.	[port]		pthread_setconcurrency() needs to be called on Solaris.
+
+ 728.	[bug]		Fix comment processing on master file directives.
+			[RT #757]
+
+ 727.	[port]		Work around OS bug where accept() succeeds but
+			fails to fill in the peer address of the accepted
+			connection, by treating it as an error rather than
+			an assertion failure. [RT #809]
+
+ 726.	[func]		Implement the "trace" and "notrace" commands in rndc.
+
+ 725.	[bug]		Installing man pages could fail.
+
+ 724.	[func]		New libisc functions isc_netaddr_any(),
+			isc_netaddr_any6().
+
+ 723.	[bug]		Referrals whose NS RRs had a 0 TTL caused the resolver
+			to return DNS_R_SERVFAIL. [RT #783]
+
+ 722.	[func]		Allow incremental loads to be canceled.
+
+ 721.	[cleanup]	Load manager and dns_master_loadfilequota() are no
+			more.
+
+ 720.	[bug]		Server could enter infinite loop in
+			dispatch.c:do_cancel(). [RT #733]
+
+ 719.	[bug]		Rapid reloads could trigger an assertion failure.
+			[RT #743, #763]
+
+ 718.	[cleanup]	"internal" is no longer a reserved word in named.conf.
+			[RT #753, #731]
+
+ 717.	[bug]		Certain TKEY processing failure modes could
+			reference an uninitialized variable, causing the
+			server to crash. [RT #750]
+
+ 716.	[bug]		The first line of a $INCLUDE master file was lost if
+			an origin was specified. [RT #744]
+
+ 715.	[bug]		Resolving some A6 chains could cause an assertion
+			failure in adb.c. [RT #738]
+
+ 714.	[bug]		Preserve interval timers across reloads unless changed.
+			[RT #729]
+
+ 713.	[func]		named-checkconf takes '-t directory' similar to named.
+			[RT #726]
+
+ 712.	[bug]		Sending a large signed update message caused an
+			assertion failure. [RT #718]
+
+ 711.	[bug]		The libisc and liblwres implementations of
+			inet_ntop contained an off by one error.
+
+ 710.	[func]		The forwarders statement now takes an optional
+			port. [RT #418]
+
+ 709.	[bug]		ANY or SIG queries for data with a TTL of 0
+			would return SERVFAIL. [RT #620]
+
+ 708.	[bug]		When building with --with-openssl, the openssl headers
+			included with BIND 9 should not be used. [RT #702]
+
+ 707.	[func]		The "filename" argument to named-checkzone is no
+			longer optional, to reduce confusion. [RT #612]
+
+ 706.	[bug]		Zones with an explicit "allow-update { none; };"
+			were considered dynamic and therefore not reloaded
+			on SIGHUP or "rndc reload".
+
+ 705.	[port]		Work out resource limit type for use where rlim_t is
+			not available. [RT #695]
+
+ 704.	[port]		RLIMIT_NOFILE is not available on all platforms.
+			[RT #695]
+
+ 703.	[port]		sys/select.h is needed on older platforms. [RT #695]
+
+ 702.	[func]		If the address 0.0.0.0 is seen in resolv.conf,
+			use 127.0.0.1 instead. [RT #693]
+
+ 701.	[func]		Root hints are now fully optional.  Class IN
+			views use compiled-in hints by default, as
+			before.  Non-IN views with no root hints now
+			provide authoritative service but not recursion.
+			A warning is logged if a view has neither root
+			hints nor authoritative data for the root. [RT #696]
+
+ 700.	[bug]		$GENERATE range check was wrong. [RT #688]
+
+ 699.	[bug]		The lexer mishandled empty quoted strings. [RT #694]
+
+ 698.	[bug]		Aborting nsupdate with ^C would lead to several
+			race conditions.
+
+ 697.	[bug]		nsupdate was not compatible with the undocumented
+			BIND 8 behavior of ignoring TTLs in "update delete"
+			commands. [RT #693]
+
+ 696.	[bug]		lwresd would die with an assertion failure when passed
+			a zero-length name. [RT #692]
+
+ 695.	[bug]		If the resolver attempted to query a blackholed or
+			bogus server, the resolution would fail immediately.
+
+ 694.	[bug]		$GENERATE did not produce the last entry.
+			[RT #682, #683]
+
+ 693.	[bug]		An empty lwres statement in named.conf caused
+			the server to crash while loading.
+
+ 692.	[bug]		Deal with systems that have getaddrinfo() but not
+			gai_strerror(). [RT #679]
+
+ 691.	[bug]		Configuring per-view forwarders caused an assertion
+			failure. [RT #675, #734]
+
+ 690.	[func]		$GENERATE now supports DNAME. [RT #654]
+
+ 689.	[doc]		man pages are now installed. [RT #210]
+
+ 688.	[func]		"make tags" now works on systems with the
+			"Exuberant Ctags" etags.
+
+ 687.	[bug]		Only say we have IPv6, with sufficient functionality,
+			if it has actually been tested. [RT #586]
+
+ 686.	[bug]		dig and nslookup can now be properly aborted during
+			blocking operations. [RT #568]
+
+ 685.	[bug]		nslookup should use the search list/domain options
+			from resolv.conf by default. [RT #405, #630]
+
+ 684.	[bug]		Memory leak with view forwarders. [RT #656]
+
+ 683.	[bug]		File descriptor leak in isc_lex_openfile().
+
+ 682.	[bug]		nslookup displayed SOA records incorrectly. [RT #665]
+
+ 681.	[bug]		$GENERATE specifying output format was broken. [RT #653]
+
+ 680.	[bug]		dns_rdata_fromstruct() mishandled options bigger
+			than 255 octets.
+
+ 679.	[bug]		$INCLUDE could leak memory and file descriptors on
+			reload. [RT #639]
+
+ 678.	[bug]		"transfer-format one-answer;" could trigger an assertion
+			failure. [RT #646]
+
+ 677.	[bug]		dnssec-signzone would occasionally use the wrong ttl
+			for database operations and fail. [RT #643]
+
+ 676.	[bug]		Log messages about lame servers to category
+			'lame-servers' rather than 'resolver', so as not
+			to be gratuitously incompatible with BIND 8.
+
+ 675.	[bug]		TKEY queries could cause the server to leak
+			memory.
+
+ 674.	[func]		Allow messages to be TSIG signed / verified using
+			a offset from the current time.
+
+ 673.	[func]		The server can now convert RFC1886-style recursive
+			lookup requests into RFC2874-style lookups, when
+			enabled using the new option "allow-v6-synthesis".
+
+ 672.	[bug]		The wrong time was in the "time signed" field when
+			replying with BADTIME error.
+
+ 671.	[bug]		The message code was failing to parse a message with
+			no question section and a TSIG record. [RT #628]
+
+ 670.	[bug]		The lwres replacements for getaddrinfo and
+			getipnodebyname didn't properly check for the
+			existence of the sockaddr sa_len field.
+
+ 669.	[bug]		dnssec-keygen now makes the public key file
+			non-world-readable for symmetric keys. [RT #403]
+
+ 668.	[func]		named-checkzone now reports multiple errors in master
+			files.
+
+ 667.	[bug]		On Linux, running named with the -u option and a
+			non-world-readable configuration file didn't work.
+			[RT #626]
+
+ 666.	[bug]		If a request sent by dig is longer than 512 bytes,
+			use TCP.
+
+ 665.	[bug]		Signed responses were not sent when the size of the
+			TSIG + question exceeded the maximum message size.
+			[RT #628]
+
+ 664.	[bug]		The t_tasks and t_timers module tests are now skipped
+			when building without threads, since they require
+			threads.
+
+ 663.	[func]		Accept a size_spec, not just an integer, in the
+			(unimplemented and ignored) max-ixfr-log-size option
+			for compatibility with recent versions of BIND 8.
+			[RT #613]
+
+ 662.	[bug]		dns_rdata_fromtext() failed to log certain errors.
+
+ 661.	[bug]		Certain UDP IXFR requests caused an assertion failure
+			(mpctx->allocated == 0). [RT #355, #394, #623]
+
+ 660.	[port]		Detect multiple CPUs on HP-UX and IRIX.
+
+ 659.	[performance]	Rewrite the name compression code to be much faster.
+
+ 658.	[cleanup]	Remove all vestiges of 16 bit global compression.
+
+ 657.	[bug]		When a listen-on statement in an lwres block does not
+			specify a port, use 921, not 53.  Also update the
+			listen-on documentation. [RT #616]
+
+ 656.	[func]		Treat an unescaped newline in a quoted string as
+			an error.  This means that TXT records with missing
+			close quotes should have meaningful errors printed.
+
+ 655.	[bug]		Improve error reporting on unexpected eof when loading
+			zones. [RT #611]
+
+ 654.	[bug]		Origin was being forgotten in TCP retries in dig.
+			[RT #574]
+
+ 653.	[bug]		+defname option in dig was reversed in sense.
+			[RT #549]
+
+ 652.	[bug]		zone_saveunique() did not report the new name.
+
+ 651.	[func]		The AD bit in responses now has the meaning
+			specified in <draft-ietf-dnsext-ad-is-secure>.
+
+ 650.	[bug]		SIG(0) records were being generated and verified
+			incorrectly. [RT #606]
+
+ 649.	[bug]		It was possible to join to an already running fctx
+			after it had "cloned" its events, but before it sent
+			them.  In this case, the event of the newly joined
+			fetch would not contain the answer, and would
+			trigger the INSIST() in fctx_sendevents().  In
+			BIND 9.0, this bug did not trigger an INSIST(), but
+			caused the fetch to fail with a SERVFAIL result.
+			[RT #588, #597, #605, #607]
+
+ 648.	[port]		Add support for pre-RFC2133 IPv6 implementations.
+
+ 647.	[bug]		Resolver queries sent after following multiple
+			referrals had excessively long retransmission
+			timeouts due to incorrectly counting the referrals
+			as "restarts".
+
+ 646.	[bug]		The UnixWare ISC_PLATFORM_FIXIN6INADDR fix in isc/net.h
+			didn't _cleanly_ fix the problem it was trying to fix.
+
+ 645.	[port]		BSD/OS 3.0 needs pthread_init(). [RT #603]
+
+ 644.	[bug]		#622 needed more work. [RT #562]
+
+ 643.	[bug]		xfrin error messages made more verbose, added class
+			of the zone. [RT #599]
+
+ 642.	[bug]		Break the exit_check() race in the zone module.
+			[RT #598]
+
+	--- 9.1.0b2 released ---
+
+ 641.	[bug]		$GENERATE caused a uninitialized link to be used.
+			[RT #595]
+
+ 640.	[bug]		Memory leak in error path could cause
+			"mpctx->allocated == 0" failure. [RT #584]
+
+ 639.	[bug]		Reading entropy from the keyboard would sometimes fail.
+			[RT #591]
+
+ 638.	[port]		lib/isc/random.c needed to explicitly include time.h
+			to get a prototype for time() when pthreads was not
+			being used. [RT #592]
+
+ 637.	[port]		Use isc_u?int64_t instead of (unsigned) long long in
+			lib/isc/print.c.  Also allow lib/isc/print.c to
+			be compiled even if the platform does not need it.
+			[RT #592]
+
+ 636.	[port]		Shut up MSVC++ about a possible loss of precision
+			in the ISC__BUFFER_PUTUINT*() macros. [RT #592]
+
+ 635.	[bug]		Reloading a server with a configured blackhole list
+			would cause an assertion. [RT #590]
+
+ 634.	[bug]		A log file will completely stop being written when
+			it reaches the maximum size in all cases, not just
+			when versioning is also enabled. [RT #570]
+
+ 633.	[port]		Cope with rlim_t missing on BSD/OS systems. [RT #575]
+
+ 632.	[bug]		The index array of the journal file was
+			corrupted as it was written to disk.
+
+ 631.	[port]		Build without thread support on systems without
+			pthreads.
+
+ 630.	[bug]		Locking failure in zone code. [RT #582]
+
+ 629.	[bug]		9.1.0b1 dereferenced a null pointer and crashed
+			when responding to a UDP IXFR request.
+
+ 628.	[bug]		If the root hints contained only AAAA addresses,
+			named would be unable to perform resolution.
+
+ 627.	[bug]		The EDNS0 blackhole detection code of change 324
+			waited for three retransmissions to each server,
+			which takes much too long when a domain has many
+			name servers and all of them drop EDNS0 queries.
+			Now we retry without EDNS0 after three consecutive
+			timeouts, even if they are all from different
+			servers. [RT #143]
+
+ 626.	[bug]		The lightweight resolver daemon no longer crashes
+			when asked for a SIG rrset. [RT #558]
+
+ 625.	[func]		Zones now inherit their class from the enclosing view.
+
+ 624.	[bug]		The zone object could get timer events after it had
+			been destroyed, causing a server crash. [RT #571]
+
+ 623.	[func]		Added "named-checkconf" and "named-checkzone" program
+			for syntax checking named.conf files and zone files,
+			respectively.
+
+ 622.	[bug]		A canceled request could be destroyed before
+			dns_request_destroy() was called. [RT #562]
+
+ 621.	[port]		Disable IPv6 at runtime if IPv6 sockets are unusable.
+			This mostly affects Red Hat Linux 7.0, which has
+			conflicts between libc and the kernel.
+
+ 620.	[bug]		dns_master_load*inc() now require 'task' and 'load'
+			to be non-null.  Also 'done' will not be called if
+			dns_master_load*inc() fails immediately. [RT #565]
+
+ 619.	[placeholder]
+
+ 618.	[bug]		Queries to a signed zone could sometimes cause
+			an assertion failure.
+
+ 617.	[bug]		When using dynamic update to add a new RR to an
+			existing RRset with a different TTL, the journal
+			entries generated from the update did not include
+			explicit deletions and re-additions of the existing
+			RRs to update their TTL to the new value.
+
+ 616.	[func]		dnssec-signzone -t output now includes performance
+			statistics.
+
+ 615.	[bug]		dnssec-signzone did not like child keysets signed
+			by multiple keys.
+
+ 614.	[bug]		Checks for uninitialized link fields were prone
+			to false positives, causing assertion failures.
+			The checks are now disabled by default and may
+			be re-enabled by defining ISC_LIST_CHECKINIT.
+
+ 613.	[bug]		"rndc reload zone" now reloads primary zones.
+			It previously only updated slave and stub zones,
+			if an SOA query indicated an out of date serial.
+
+ 612.	[cleanup]	Shutup a ridiculously noisy HP-UX compiler that
+			complains relentlessly about how its treatment
+			of 'const' has changed as well as how casting
+			sometimes tightens alignment constraints.
+
+ 611.	[func]		allow-notify can be used to permit processing of
+			notify messages from hosts other than a slave's
+			masters.
+
+ 610.	[func]		rndc dumpdb is now supported.
+
+ 609.	[bug]		getrrsetbyname() would crash lwresd if the server
+			found more SIGs than answers. [RT #554]
+
+ 608.	[func]		dnssec-signzone now adds a comment to the zone
+			with the time the file was signed.
+
+ 607.	[bug]		nsupdate would fail if it encountered a CNAME or
+			DNAME in a response to an SOA query. [RT #515]
+
+ 606.	[bug]		Compiling with --disable-threads failed due
+			to isc_thread_self() being incorrectly defined
+			as an integer rather than a function.
+
+ 605.	[func]		New function isc_lex_getlasttokentext().
+
+ 604.	[bug]		The named.conf parser could print incorrect line
+			numbers when long comments were present.
+
+ 603.	[bug]		Make dig handle multiple types or classes on the same
+			query more correctly.
+
+ 602.	[func]		Cope automatically with UnixWare's broken
+			IN6_IS_ADDR_* macros. [RT #539]
+
+ 601.	[func]		Return a non-zero exit code if an update fails
+			in nsupdate.
+
+ 600.	[bug]		Reverse lookups sometimes failed in dig, etc...
+
+ 599.	[func]		Added four new functions to the libisc log API to
+			support i18n messages.  isc_log_iwrite(),
+			isc_log_ivwrite(), isc_log_iwrite1() and
+			isc_log_ivwrite1() were added.
+
+ 598.	[bug]		An update-policy statement would cause the server
+			to assert while loading. [RT #536]
+
+ 597.	[func]		dnssec-signzone is now multi-threaded.
+
+ 596.	[bug]		DNS_RDATASLAB_FORCE and DNS_RDATASLAB_EXACT are
+			not mutually exclusive.
+
+ 595.	[port]		On Linux 2.2, socket() returns EINVAL when it
+			should return EAFNOSUPPORT.  Work around this.
+			[RT #531]
+
+ 594.	[func]		sdb drivers are now assumed to not be thread-safe
+			unless the DNS_SDBFLAG_THREADSAFE flag is supplied.
+
+ 593.	[bug]		If a secure zone was missing all its NXTs and
+			a dynamic update was attempted, the server entered
+			an infinite loop.
+
+ 592.	[bug]		The sig-validity-interval option now specifies a
+			number of days, not seconds.  This matches the
+			documentation. [RT #529]
+
+	--- 9.1.0b1 released ---
+
+ 591.	[bug]		Work around non-reentrancy in openssl by disabling
+			pre-computation in keys.
+
+ 590.	[doc]		There are now man pages for the lwres library in
+			doc/man/lwres.
+
+ 589.	[bug]		The server could deadlock if a zone was updated
+			while being transferred out.
+
+ 588.	[bug]		ctx->in_use was not being correctly initialized when
+			when pushing a file for $INCLUDE. [RT #523]
+
+ 587.	[func]		A warning is now printed if the "allow-update"
+			option allows updates based on the source IP
+			address, to alert users to the fact that this
+			is insecure and becoming increasingly so as
+			servers capable of update forwarding are being
+			deployed.
+
+ 586.	[bug]		multiple views with the same name were fatal. [RT #516]
+
+ 585.	[func]		dns_db_addrdataset() and dns_rdataslab_merge()
+			now support 'exact' additions in a similar manner to
+			dns_db_subtractrdataset() and dns_rdataslab_subtract().
+
+ 584.	[func]		You can now say 'notify explicit'; to suppress
+			notification of the servers listed in NS records
+			and notify only those servers listed in the
+			'also-notify' option.
+
+ 583.	[func]		"rndc querylog" will now toggle logging of
+			queries, like "ndc querylog" in BIND 8.
+
+ 582.	[bug]		dns_zone_idetach() failed to lock the zone.
+			[RT #199, #463]
+
+ 581.	[bug]		log severity was not being correctly processed.
+			[RT #485]
+
+ 580.	[func]		Ignore trailing garbage on incoming DNS packets,
+			for interoperability with broken server
+			implementations. [RT #491]
+
+ 579.	[bug]		nsupdate did not take a filename to read update from.
+			[RT #492]
+
+ 578.	[func]		New config option "notify-source", to specify the
+			source address for notify messages.
+
+ 577.	[func]		Log illegal RDATA combinations. e.g. multiple
+			singleton types, cname and other data.
+
+ 576.	[doc]		isc_log_create() description did not match reality.
+
+ 575.	[bug]		isc_log_create() was not setting internal state
+			correctly to reflect the default channels created.
+
+ 574.	[bug]		TSIG signed queries sent by the resolver would fail to
+			have their responses validated and would leak memory.
+
+ 573.	[bug]		The journal files of IXFRed slave zones were
+			inadvertently discarded on server reload, causing
+			"journal out of sync with zone" errors on subsequent
+			reloads. [RT #482]
+
+ 572.	[bug]		Quoted strings were not accepted as key names in
+			address match lists.
+
+ 571.	[bug]		It was possible to create an rdataset of singleton
+			type which had more than one rdata. [RT #154]
+			[RT #279]
+
+ 570.	[bug]		rbtdb.c allowed zones containing nodes which had
+			both a CNAME and "other data". [RT #154]
+
+ 569.	[func]		The DNSSEC AD bit will not be set on queries which
+			have not requested a DNSSEC response.
+
+ 568.	[func]		Add sample simple database drivers in contrib/sdb.
+
+ 567.	[bug]		Setting the zone transfer timeout to zero caused an
+			assertion failure. [RT #302]
+
+ 566.	[func]		New public function dns_timer_setidle().
+
+ 565.	[func]		Log queries more like BIND 8: query logging is now
+			done to category "queries", level "info". [RT #169]
+
+ 564.	[func]		Add sortlist support to lwresd.
+
+ 563.	[func]		New public functions dns_rdatatype_format() and
+			dns_rdataclass_format(), for convenient formatting
+			of rdata type/class mnemonics in log messages.
+
+ 562.	[cleanup]	Moved lib/dns/*conf.c to bin/named where they belong.
+
+ 561.	[func]		The 'datasize', 'stacksize', 'coresize' and 'files'
+			clauses of the options{} statement are now implemented.
+
+ 560.	[bug]		dns_name_split did not properly the resulting prefix
+			when a maximal length bitstring label was split which
+			was preceded by another bitstring label. [RT #429]
+
+ 559.	[bug]		dns_name_split did not properly create the suffix
+			when splitting within a maximal length bitstring label.
+
+ 558.	[func]		New functions, isc_resource_getlimit and
+			isc_resource_setlimit.
+
+ 557.	[func]		Symbolic constants for libisc integral types.
+
+ 556.	[func]		The DNSSEC OK bit in the EDNS extended flags
+			is now implemented.  Responses to queries without
+			this bit set will not contain any DNSSEC records.
+
+ 555.	[bug]		A slave server attempting a zone transfer could
+			crash with an assertion failure on certain
+			malformed responses from the master. [RT #457]
+
+ 554.	[bug]		In some cases, not all of the dnssec tools were
+			properly installed.
+
+ 553.	[bug]		Incoming zone transfers deferred due to quota
+			were not started when quota was increased but
+			only when a transfer in progress finished. [RT #456]
+
+ 552.	[bug]		We were not correctly detecting the end of all c-style
+			comments. [RT #455]
+
+ 551.	[func]		Implemented the 'sortlist' option.
+
+ 550.	[func]		Support unknown rdata types and classes.
+
+ 549.	[bug]		"make" did not immediately abort the build when a
+			subdirectory make failed [RT #450].
+
+ 548.	[func]		The lexer now ungets tokens more correctly.
+
+ 547.	[placeholder]
+
+ 546.	[func]		Option 'lame-ttl' is now implemented.
+
+ 545.	[func]		Name limit and counting options removed from dig;
+			they didn't work properly, and cannot be correctly
+			implemented without significant changes.
+
+ 544.	[func]		Add statistics option, enable statistics-file option,
+			add RNDC option "dump-statistics" to write out a
+			query statistics file.
+
+ 543.	[doc]		The 'port' option is now documented.
+
+ 542.	[func]		Add support for update forwarding as required for
+			full compliance with RFC2136.  It is turned off
+			by default and can be enabled using the
+			'allow-update-forwarding' option.
+
+ 541.	[func]		Add bogus server support.
+
+ 540.	[func]		Add dialup support.
+
+ 539.	[func]		Support the blackhole option.
+
+ 538.	[bug]		fix buffer overruns by 1 in lwres_getnameinfo().
+
+ 537.	[placeholder]
+
+ 536.	[func]		Use transfer-source{-v6} when sending refresh queries.
+			Transfer-source{-v6} now take a optional port
+			parameter for setting the UDP source port.  The port
+			parameter is ignored for TCP.
+
+ 535.	[func]		Use transfer-source{-v6} when forwarding update
+			requests.
+
+ 534.	[func]		Ancestors have been removed from RBT chains.  Ancestor
+			information can be discerned via node parent pointers.
+
+ 533.	[func]		Incorporated name hashing into the RBT database to
+			improve search speed.
+
+ 532.	[func]		Implement DNS UPDATE pseudo records using
+			DNS_RDATA_UPDATE flag.
+
+ 531.	[func]		Rdata really should be initialized before being assigned
+			to (dns_rdata_fromwire(), dns_rdata_fromtext(),
+			dns_rdata_clone(), dns_rdata_fromregion()),
+			check that it is.
+
+ 530.	[func]		New function dns_rdata_invalidate().
+
+ 529.	[bug]		521 contained a bug which caused zones to always
+			reload.  [RT #410]
+
+ 528.	[func]		The ISC_LIST_XXXX macros now perform sanity checks
+			on their arguments.  ISC_LIST_XXXXUNSAFE can be use
+			to skip the checks however use with caution.
+
+ 527.	[func]		New function dns_rdata_clone().
+
+ 526.	[bug]		nsupdate incorrectly refused to add RRs with a TTL
+			of 0.
+
+ 525.	[func]		New arguments 'options' for dns_db_subtractrdataset(),
+			and 'flags' for dns_rdataslab_subtract() allowing you
+			to request that the RR's must exist prior to deletion.
+			DNS_R_NOTEXACT is returned if the condition is not met.
+
+ 524.	[func]		The 'forward' and 'forwarders' statement in
+			non-forward zones should work now.
+
+ 523.	[doc]		The source to the Administrator Reference Manual is
+			now an XML file using the DocBook DTD, and is included
+			in the distribution.  The plain text version of the
+			ARM is temporarily unavailable while we figure out
+			how to generate readable plain text from the XML.
+
+ 522.	[func]		The lightweight resolver daemon can now use
+			a real configuration file, and its functionality
+			can be provided by a name server.  Also, the -p and -P
+			options to lwresd have been reversed.
+
+ 521.	[bug]		Detect master files which contain $INCLUDE and always
+			reload. [RT #196]
+
+ 520.	[bug]		Upgraded libtool to 1.3.5, which makes shared
+			library builds almost work on AIX (and possibly
+			others).
+
+ 519.	[bug]		dns_name_split() would improperly split some bitstring
+			labels, zeroing a few of the least significant bits in
+			the prefix part.  When such an improperly created
+			prefix was returned to the RBT database, the bogus
+			label was dutifully stored, corrupting the tree.
+			[RT #369]
+
+ 518.	[bug]		The resolver did not realize that a DNAME which was
+			"the answer" to the client's query was "the answer",
+			and such queries would fail. [RT #399]
+
+ 517.	[bug]		The resolver's DNAME code would trigger an assertion
+			if there was more than one DNAME in the chain.
+			[RT #399]
+
+ 516.	[bug]		Cache lookups which had a NULL node pointer, e.g.
+			those by dns_view_find(), and which would match a
+			DNAME, would trigger an INSIST(!search.need_cleanup)
+			assertion. [RT #399]
+
+ 515.	[bug]		The ssu table was not being attached / detached
+			by dns_zone_[sg]etssutable. [RT #397]
+
+ 514.	[func]		Retry refresh and notify queries if they timeout.
+			[RT #388]
+
+ 513.	[func]		New functionality added to rdnc and server to allow
+			individual zones to be refreshed or reloaded.
+
+ 512.	[bug]		The zone transfer code could throw an exception with
+			an invalid IXFR stream.
+
+ 511.	[bug]		The message code could throw an assertion on an
+			out of memory failure. [RT #392]
+
+ 510.	[bug]		Remove spurious view notify warning. [RT #376]
+
+ 509.	[func]		Add support for write of zone files on shutdown.
+
+ 508.	[func]		dns_message_parse() can now do a best-effort
+			attempt, which should allow dig to print more invalid
+			messages.
+
+ 507.	[func]		New functions dns_zone_flush(), dns_zt_flushanddetach()
+			and dns_view_flushanddetach().
+
+ 506.	[func]		Do not fail to start on errors in zone files.
+
+ 505.	[bug]		nsupdate was printing "unknown result code". [RT #373]
+
+ 504.	[bug]		The zone was not being marked as dirty when updated via
+			IXFR.
+
+ 503.	[bug]		dumptime was not being set along with
+			DNS_ZONEFLG_NEEDDUMP.
+
+ 502.	[func]		On a SERVFAIL reply, DiG will now try the next server
+			in the list, unless the +fail option is specified.
+
+ 501.	[bug]		Incorrect port numbers were being displayed by
+			nslookup. [RT #352]
+
+ 500.	[func]		Nearly useless +details option removed from DiG.
+
+ 499.	[func]		In DiG, specifying a class with -c or type with -t
+			changes command-line parsing so that classes and
+			types are only recognized if following -c or -t.
+			This allows hosts with the same name as a class or
+			type to be looked up.
+
+ 498.	[doc]		There is now a man page for "dig"
+			in doc/man/bin/dig.1.
+
+ 497.	[bug]		The error messages printed when an IP match list
+			contained a network address with a nonzero host
+			part where not sufficiently detailed. [RT #365]
+
+ 496.	[bug]		named didn't sanity check numeric parameters. [RT #361]
+
+ 495.	[bug]		nsupdate was unable to handle large records. [RT #368]
+
+ 494.	[func]		Do not cache NXDOMAIN responses for SOA queries.
+
+ 493.	[func]		Return non-cachable (ttl = 0) NXDOMAIN responses
+			for SOA queries.  This makes it easier to locate
+			the containing zone without polluting intermediate
+			caches.
+
+ 492.	[bug]		attempting to reload a zone caused the server fail
+			to shutdown cleanly. [RT #360]
+
+ 491.	[bug]		nsupdate would segfault when sending certain
+			prerequisites with empty RDATA. [RT #356]
+
+ 490.	[func]		When a slave/stub zone has not yet successfully
+			obtained an SOA containing the zone's configured
+			retry time, perform the SOA query retries using
+			exponential backoff. [RT #337]
+
+ 489.	[func]		The zone manager now has a "i/o" queue.
+
+ 488.	[bug]		Locks weren't properly destroyed in some cases.
+
+ 487.	[port]		flockfile() is not defined on all systems.
+
+ 486.	[bug]		nslookup: "set all" and "server" commands showed
+			the incorrect port number if a port other than 53
+			was specified. [RT #352]
+
+ 485.	[func]		When dig had more than one server to query, it would
+			send all of the messages at the same time.  Add
+			rate limiting of the transmitted messages.
+
+ 484.	[bug]		When the server was reloaded after removing addresses
+			from the named.conf "listen-on" statement, sockets
+			were still listening on the removed addresses due
+			to reference count loops. [RT #325]
+
+ 483.	[bug]		nslookup: "set all" showed a "search" option but it
+			was not settable.
+
+ 482.	[bug]		nslookup: a plain "server" or "lserver" should be
+			treated as a lookup.
+
+ 481.	[bug]		nslookup:get_next_command() stack size could exceed
+			per thread limit.
+
+ 480.	[bug]		strtok() is not thread safe. [RT #349]
+
+ 479.	[func]		The test suite can now be run by typing "make check"
+			or "make test" at the top level.
+
+ 478.	[bug]		"make install" failed if the directory specified with
+			--prefix did not already exist.
+
+ 477.	[bug]		The the isc-config.sh script could be installed before
+			its directory was created. [RT #324]
+
+ 476.	[bug]		A zone could expire while a zone transfer was in
+			progress triggering a INSIST failure. [RT #329]
+
+ 475.	[bug]		query_getzonedb() sometimes returned a non-null version
+			on failure.  This caused assertion failures when
+			generating query responses where names subject to
+			additional section processing pointed to a zone
+			to which access had been denied by means of the
+			allow-query option. [RT #336]
+
+ 474.	[bug]		The mnemonic of the CHAOS class is CH according to
+			RFC1035, but it was printed and read only as CHAOS.
+			We now accept both forms as input, and print it
+			as CH. [RT #305]
+
+ 473.	[bug]		nsupdate overran the end of the list of name servers
+			when no servers could be reached, typically causing
+			it to print the error message "dns_request_create:
+			not implemented".
+
+ 472.	[bug]		Off-by-one error caused isc_time_add() to sometimes
+			produce invalid time values.
+
+ 471.	[bug]		nsupdate didn't compile on HP/UX 10.20
+
+ 470.	[func]		$GENERATE is now supported.  See also
+			doc/misc/migration.
+
+ 469.	[bug]		"query-source address * port 53;" now works.
+
+ 468.	[bug]		dns_master_load*() failed to report file and line
+			number in certain error conditions.
+
+ 467.	[bug]		dns_master_load*() failed to log an error if
+			pushfile() failed.
+
+ 466.	[bug]		dns_master_load*() could return success when it failed.
+
+ 465.	[cleanup]	Allow 0 to be set as an omapi_value_t value by
+			omapi_value_storeint().
+
+ 464.	[cleanup]	Build with openssl's RSA code instead of dnssafe.
+
+ 463.	[bug]		nsupdate sent malformed SOA queries to the second
+			and subsequent name servers in resolv.conf if the
+			query sent to the first one failed.
+
+ 462.	[bug]		--disable-ipv6 should work now.
+
+ 461.	[bug]		Specifying an unknown key in the "keys" clause of the
+			"controls" statement caused a NULL pointer dereference.
+			[RT #316]
+
+ 460.	[bug]		Much of the DNSSEC code only worked with class IN.
+
+ 459.	[bug]		Nslookup processed the "set" command incorrectly.
+
+ 458.	[bug]		Nslookup didn't properly check class and type values.
+			[RT #305]
+
+ 457.	[bug]		Dig/host/hslookup didn't properly handle connect
+			timeouts in certain situations, causing an
+			unnecessary warning message to be printed.
+
+ 456.	[bug]		Stub zones were not resetting the refresh and expire
+			counters, loadtime or clearing the DNS_ZONE_REFRESH
+			(refresh in progress) flag upon successful update.
+			This disabled further refreshing of the stub zone,
+			causing it to eventually expire. [RT #300]
+
+ 455.	[doc]		Document IPv4 prefix notation does not require a
+			dotted decimal quad but may be just dotted decimal.
+
+ 454.	[bug]		Enforce dotted decimal and dotted decimal quad where
+			documented as such in named.conf. [RT #304, RT #311]
+
+ 453.	[bug]		Warn if the obsolete option "maintain-ixfr-base"
+			is specified in named.conf. [RT #306]
+
+ 452.	[bug]		Warn if the unimplemented option "statistics-file"
+			is specified in named.conf. [RT #301]
+
+ 451.	[func]		Update forwarding implemented.
+
+ 450.	[func]		New function ns_client_sendraw().
+
+ 449.	[bug]		isc_bitstring_copy() only works correctly if the
+			two bitstrings have the same lsb0 value, but this
+			requirement was not documented, nor was there a
+			REQUIRE for it.
+
+ 448.	[bug]		Host output formatting change, to match v8. [RT #255]
+
+ 447.	[bug]		Dig didn't properly retry in TCP mode after
+			a truncated reply. [RT #277]
+
+ 446.	[bug]		Confusing notify log message. [RT #298]
+
+ 445.	[bug]		Doing a 0 bit isc_bitstring_copy() of an lsb0
+			bitstring triggered a REQUIRE statement.  The REQUIRE
+			statement was incorrect. [RT #297]
+
+ 444.	[func]		"recursion denied" messages are always logged at
+			debug level 1, now, rather than sometimes at ERROR.
+			This silences these warnings in the usual case, where
+			some clients set the RD bit in all queries.
+
+ 443.	[bug]		When loading a master file failed because of an
+			unrecognized RR type name, the error message
+			did not include the file name and line number.
+			[RT #285]
+
+ 442.	[bug]		TSIG signed messages that did not match any view
+			crashed the server. [RT #290]
+
+ 441.	[bug]		Nodes obscured by a DNAME were inaccessible even
+			when DNS_DBFIND_GLUEOK was set.
+
+ 440.	[func]		New function dns_zone_forwardupdate().
+
+ 439.	[func]		New function dns_request_createraw().
+
+ 438.	[func]		New function dns_message_getrawmessage().
+
+ 437.	[func]		Log NOTIFY activity to the notify channel.
+
+ 436.	[bug]		If recvmsg() returned EHOSTUNREACH or ENETUNREACH,
+			which sometimes happens on Linux, named would enter
+			a busy loop.  Also, unexpected socket errors were
+			not logged at a high enough logging level to be
+			useful in diagnosing this situation. [RT #275]
+
+ 435.	[bug]		dns_zone_dump() overwrote existing zone files
+			rather than writing to a temporary file and
+			renaming.  This could lead to empty or partial
+			zone files being left around in certain error
+			conditions involving the initial transfer of a
+			slave zone, interfering with subsequent server
+			startup. [RT #282]
+
+ 434.	[func]		New function isc_file_isabsolute().
+
+ 433.	[func]		isc_base64_decodestring() now accepts newlines
+			within the base64 data.  This makes it possible
+			to break up the key data in a "trusted-keys"
+			statement into multiple lines. [RT #284]
+
+ 432.	[func]		Added refresh/retry jitter.  The actual refresh/
+			retry time is now a random value between 75% and
+			100% of the configured value.
+
+ 431.	[func]		Log at ISC_LOG_INFO when a zone is successfully
+			loaded.
+
+ 430.	[bug]		Rewrote the lightweight resolver client management
+			code to handle shutdown correctly and general
+			cleanup.
+
+ 429.	[bug]		The space reserved for a TSIG record in a response
+			was 2 bytes too short, leading to message
+			generation failures.
+
+ 428.	[bug]		rbtdb.c:find_closest_nxt() erroneously returned
+			DNS_R_BADDB for nodes which had neither NXT nor SIG NXT
+			(e.g. glue).  This could cause SERVFAILs when
+			generating negative responses in a secure zone.
+
+ 427.	[bug]		Avoid going into an infinite loop when the validator
+			gets a negative response to a key query where the
+			records are signed by the missing key.
+
+ 426.	[bug]		Attempting to generate an oversized RSA key could
+			cause dnssec-keygen to dump core.
+
+ 425.	[bug]		Warn about the auth-nxdomain default value change
+			if there is no auth-nxdomain statement in the
+			config file. [RT #287]
+
+ 424.	[bug]		notify_createmessage() could trigger an assertion
+			failure when creating the notify message failed,
+			e.g. due to corrupt zones with multiple SOA records.
+			[RT #279]
+
+ 423.	[bug]		When responding to a recursive query, errors that occur
+			after following a CNAME should cause the query to fail.
+			[RT #274]
+
+ 422.	[func]		get rid of isc_random_t, and make isc_random_get()
+			and isc_random_jitter() use rand() internally
+			instead of local state.  Note that isc_random_*()
+			functions are only for weak, non-critical "randomness"
+			such as timing jitter and such.
+
+ 421.	[bug]		nslookup would exit when given a blank line as input.
+
+ 420.	[bug]		nslookup failed to implement the "exit" command.
+
+ 419.	[bug]		The certificate type PKIX was misspelled as SKIX.
+
+ 418.	[bug]		At debug levels >= 10, getting an unexpected
+			socket receive error would crash the server
+			while trying to log the error message.
+
+ 417.	[func]		Add isc_app_block() and isc_app_unblock(), which
+			allow an application to handle signals while
+			blocking.
+
+ 416.	[bug]		Slave zones with no master file tried to use a
+			NULL pointer for a journal file name when they
+			received an IXFR. [RT #273]
+
+ 415.	[bug]		The logging code leaked file descriptors.
+
+ 414.	[bug]		Server did not shut down until all incoming zone
+			transfers were finished.
+
+ 413.	[bug]		Notify could attempt to use the zone database after
+			it had been unloaded. [RT #267]
+
+ 412.	[bug]		named -v didn't print the version.
+
+ 411.	[bug]		A typo in the HS A code caused an assertion failure.
+
+ 410.	[bug]		lwres_gethostbyname() and company set lwres_h_errno
+			to a random value on success.
+
+ 409.	[bug]		If named was shut down early in the startup
+			process, ns_omapi_shutdown() would attempt to lock
+			an uninitialized mutex. [RT #262]
+
+ 408.	[bug]		stub zones could leak memory and reference counts if
+			all the masters were unreachable.
+
+ 407.	[bug]		isc_rwlock_lock() would needlessly block
+			readers when it reached the read quota even
+			if no writers were waiting.
+
+ 406.	[bug]		Log messages were occasionally lost or corrupted
+			due to a race condition in isc_log_doit().
+
+ 405.	[func]		Add support for selective forwarding (forward zones)
+
+ 404.	[bug]		The request library didn't completely work with IPv6.
+
+ 403.	[bug]		"host" did not use the search list.
+
+ 402.	[bug]		Treat undefined acls as errors, rather than
+			warning and then later throwing an assertion.
+			[RT #252]
+
+ 401.	[func]		Added simple database API.
+
+ 400.	[bug]		SIG(0) signing and verifying was done incorrectly.
+			[RT #249]
+
+ 399.	[bug]		When reloading the server with a config file
+			containing a syntax error, it could catch an
+			assertion failure trying to perform zone
+			maintenance on, or sending notifies from,
+			tentatively created zones whose views were
+			never fully configured and lacked an address
+			database and request manager.
+
+ 398.	[bug]		"dig" sometimes caught an assertion failure when
+			using TSIG, depending on the key length.
+
+ 397.	[func]		Added utility functions dns_view_gettsig() and
+			dns_view_getpeertsig().
+
+ 396.	[doc]		There is now a man page for "nsupdate"
+			in doc/man/bin/nsupdate.8.
+
+ 395.	[bug]		nslookup printed incorrect RR type mnemonics
+			for RRs of type >= 21 [RT #237].
+
+ 394.	[bug]		Current name was not propagated via $INCLUDE.
+
+ 393.	[func]		Initial answer while loading (awl) support.
+			Entry points: dns_master_loadfileinc(),
+			dns_master_loadstreaminc(), dns_master_loadbufferinc().
+			Note: calls to dns_master_load*inc() should be rate
+			be rate limited so as to not use up all file
+			descriptors.
+
+ 392.	[func]		Add ISC_R_FAMILYNOSUPPORT.  Returned when OS does
+			not support the given address family requested.
+
+ 391.	[clarity]	ISC_R_FAMILY -> ISC_R_FAMILYMISMATCH.
+
+ 390.	[func]		The function dns_zone_setdbtype() now takes
+			an argc/argv style vector of words and sets
+			both the zone database type and its arguments,
+			making the functions dns_zone_adddbarg()
+			and dns_zone_cleardbargs() unnecessary.
+
+ 389.	[bug]		Attempting to send a request over IPv6 using
+			dns_request_create() on a system without IPv6
+			support caused an assertion failure [RT #235].
+
+ 388.	[func]		dig and host can now do reverse ipv6 lookups.
+
+ 387.	[func]		Add dns_byaddr_createptrname(), which converts
+			an address into the name used by a PTR query.
+
+ 386.	[bug]		Missing strdup() of ACL name caused random
+			ACL matching failures [RT #228].
+
+ 385.	[cleanup]	Removed functions dns_zone_equal(), dns_zone_print(),
+			and dns_zt_print().
+
+ 384.	[bug]		nsupdate was incorrectly limiting TTLs to 65535 instead
+			of 2147483647.
+
+ 383.	[func]		When writing a master file, print the SOA and NS
+			records (and their SIGs) before other records.
+
+ 382.	[bug]		named -u failed on many Linux systems where the
+			libc provided kernel headers do not match
+			the current kernel.
+
+ 381.	[bug]		Check for IPV6_RECVPKTINFO and use it instead of
+			IPV6_PKTINFO if found. [RT #229]
+
+ 380.	[bug]		nsupdate didn't work with IPv6.
+
+ 379.	[func]		New library function isc_sockaddr_anyofpf().
+
+ 378.	[func]		named and lwresd will log the command line arguments
+			they were started with in the "starting ..." message.
+
+ 377.	[bug]		When additional data lookups were refused due to
+			"allow-query", the databases were still being
+			attached causing reference leaks.
+
+ 376.	[bug]		The server should always use good entropy when
+			performing cryptographic functions needing entropy.
+
+ 375.	[bug]		Per-zone "allow-query" did not properly override the
+			view/global one for CNAME targets and additional
+			data [RT #220].
+
+ 374.	[bug]		SOA in authoritative negative responses had wrong TTL.
+
+ 373.	[func]		nslookup is now installed by "make install".
+
+ 372.	[bug]		Deal with Microsoft DNS servers appending two bytes of
+			garbage to zone transfer requests.
+
+ 371.	[bug]		At high debug levels, doing an outgoing zone transfer
+			of a very large RRset could cause an assertion failure
+			during logging.
+
+ 370.	[bug]		The error messages for roll-forward failures were
+			overly terse.
+
+ 369.	[func]		Support new named.conf options, view and zone
+			statements:
+
+				max-retry-time, min-retry-time,
+				max-refresh-time, min-refresh-time.
+
+ 368.	[func]		Restructure the internal ".bind" view so that more
+			zones can be added to it.
+
+ 367.	[bug]		Allow proper selection of server on nslookup command
+			line.
+
+ 366.	[func]		Allow use of '-' batch file in dig for stdin.
+
+ 365.	[bug]		nsupdate -k leaked memory.
+
+ 364.	[func]		Added additional-from-{cache,auth}
+
+ 363.	[placeholder]
+
+ 362.	[bug]		rndc no longer aborts if the configuration file is
+			missing an options statement. [RT #209]
+
+ 361.	[func]		When the RBT find or chain functions set the name and
+			origin for a node that stores the root label
+			the name is now set to an empty name, instead of ".",
+			to simplify later use of the name and origin by
+			dns_name_concatenate(), dns_name_totext() or
+			dns_name_format().
+
+ 360.	[func]		dns_name_totext() and dns_name_format() now allow
+			an empty name to be passed, which is formatted as "@".
+
+ 359.	[bug]		dnssec-signzone occasionally signed glue records.
+
+ 358.	[cleanup]	Rename the intermediate files used by the dnssec
+			programs.
+
+ 357.	[bug]		The zone file parser crashed if the argument
+			to $INCLUDE was a quoted string.
+
+ 356.	[cleanup]	isc_task_send no longer requires event->sender to
+			be non-null.
+
+ 355.	[func]		Added isc_dir_createunique(), similar to mkdtemp().
+
+ 354.	[doc]		Man pages for the dnssec tools are now included in
+			the distribution, in doc/man/dnssec.
+
+ 353.	[bug]		double increment in lwres/gethost.c:copytobuf().
+			[RT #187]
+
+ 352.	[bug]		Race condition in dns_client_t startup could cause
+			an assertion failure.
+
+ 351.	[bug]		Constructing a response with rcode SERVFAIL to a TSIG
+			signed query could crash the server.
+
+ 350.	[bug]		Also-notify lists specified in the global options
+			block were not correctly reference counted, causing
+			a memory leak.
+
+ 349.	[bug]		Processing a query with the CD bit set now works
+			as expected.
+
+ 348.	[func]		New boolean named.conf options 'additional-from-auth'
+			and 'additional-from-cache' now supported in view and
+			global options statement.
+
+ 347.	[bug]		Don't crash if an argument is left off options in dig.
+
+ 346.	[placeholder]
+
+ 345.	[bug]		Large-scale changes/cleanups to dig:
+			* Significantly improve structure handling
+			* Don't pre-load entire batch files
+			* Add name/rr counting/limiting
+			* Fix SIGINT handling
+			* Shorten timeouts to match v8's behavior
+
+ 344.	[bug]		When shutting down, lwresd sometimes tried
+			to shut down its client tasks twice,
+			triggering an assertion.
+
+ 343.	[bug]		Although zone maintenance SOA queries and
+			notify requests were signed with TSIG keys
+			when configured for the server in case,
+			the TSIG was not verified on the response.
+
+ 342.	[bug]		The wrong name was being passed to
+			dns_name_dup() when generating a TSIG
+			key using TKEY.
+
+ 341.	[func]		Support 'key' clause in named.conf zone masters
+			statement to allow authentication via TSIG keys:
+
+				masters {
+					10.0.0.1 port 5353 key "foo";
+					10.0.0.2 ;
+				};
+
+ 340.	[bug]		The top-level COPYRIGHT file was missing from
+			the distribution.
+
+ 339.	[bug]		DNSSEC validation of the response to an ANY
+			query at a name with a CNAME RR in a secure
+			zone triggered an assertion failure.
+
+ 338.	[bug]		lwresd logged to syslog as named, not lwresd.
+
+ 337.	[bug]		"dig" did not recognize "nsap-ptr" as an RR type
+			on the command line.
+
+ 336.	[bug]		"dig -f" used 64 k of memory for each line in
+			the file.  It now uses much less, though still
+			proportionally to the file size.
+
+ 335.	[bug]		named would occasionally attempt recursion when
+			it was disallowed or undesired.
+
+ 334.	[func]		Added hmac-md5 to libisc.
+
+ 333.	[bug]		The resolver incorrectly accepted referrals to
+			domains that were not parents of the query name,
+			causing assertion failures.
+
+ 332.	[func]		New function dns_name_reset().
+
+ 331.	[bug]		Only log "recursion denied" if RD is set. [RT #178]
+
+ 330.	[bug]		Many debugging messages were partially formatted
+			even when debugging was turned off, causing a
+			significant decrease in query performance.
+
+ 329.	[func]		omapi_auth_register() now takes a size_t argument for
+			the length of a key's secret data.  Previously
+			OMAPI only stored secrets up to the first NUL byte.
+
+ 328.	[func]		Added isc_base64_decodestring().
+
+ 327.	[bug]		rndc.conf parser wasn't correctly recognizing an IP
+			address where a host specification was required.
+
+ 326.	[func]		'keys' in an 'inet' control statement is now
+			required and must have at least one item in it.
+			A "not supported" warning is now issued if a 'unix'
+			control channel is defined.
+
+ 325.	[bug]		isc_lex_gettoken was processing octal strings when
+			ISC_LEXOPT_CNUMBER was not set.
+
+ 324.	[func]		In the resolver, turn EDNS0 off if there is no
+			response after a number of retransmissions.
+			This is to allow queries some chance of succeeding
+			even if all the authoritative servers of a zone
+			silently discard EDNS0 requests instead of
+			sending an error response like they ought to.
+
+ 323.	[bug]		dns_rbt_findname() did not ignore empty rbt nodes.
+			Because of this, servers authoritative for a parent
+			and grandchild zone but not authoritative for the
+			intervening child zone did not correctly issue
+			referrals to the servers of the child zone.
+
+ 322.	[bug]		Queries for KEY RRs are now sent to the parent
+			server before the authoritative one, making
+			DNSSEC insecurity proofs work in many cases
+			where they previously didn't.
+
+ 321.	[bug]		When synthesizing a CNAME RR for a DNAME
+			response, query_addcname() failed to initialize
+			the type and class of the CNAME dns_rdata_t,
+			causing random failures.
+
+ 320.	[func]		Multiple rndc changes: parses an rndc.conf file,
+			uses authentication to talk to named, command
+			line syntax changed.  This will all be described
+			in the ARM.
+
+ 319.	[func]		The named.conf "controls" statement is now used
+			to configure the OMAPI command channel.
+
+ 318.	[func]		dns_c_ndcctx_destroy() could never return anything
+			except ISC_R_SUCCESS; made it have void return instead.
+
+ 317.	[func]		Use callbacks from libomapi to determine if a
+			new connection is valid, and if a key requested
+			to be used with that connection is valid.
+
+ 316.	[bug]		Generate a warning if we detect an unexpected <eof>
+			but treat as <eol><eof>.
+
+ 315.	[bug]		Handle non-empty blanks lines. [RT #163]
+
+ 314.	[func]		The named.conf controls statement can now have
+			more than one key specified for the inet clause.
+
+ 313.	[bug]		When parsing resolv.conf, don't terminate on an
+			error.  Instead, parse as much as possible, but
+			still return an error if one was found.
+
+ 312.	[bug]		Increase the number of allowed elements in the
+			resolv.conf search path from 6 to 8.  If there
+			are more than this, ignore the remainder rather
+			than returning a failure in lwres_conf_parse.
+
+ 311.	[bug]		lwres_conf_parse failed when the first line of
+			resolv.conf was empty or a comment.
+
+ 310.	[func]		Changes to named.conf "controls" statement (inet
+			subtype only)
+
+			  - support "keys" clause
+
+				controls {
+				   inet * port 1024
+					allow { any; } keys { "foo"; }
+				}
+
+			  - allow "port xxx" to be left out of statement,
+			    in which case it defaults to omapi's default port
+			    of 953.
+
+ 309.	[bug]		When sending a referral, the server did not look
+			for name server addresses as glue in the zone
+			holding the NS RRset in the case where this zone
+			was not the same as the one where it looked for
+			name server addresses as authoritative data.
+
+ 308.	[bug]		Treat a SOA record not at top of zone as an error
+			when loading a zone. [RT #154]
+
+ 307.	[bug]		When canceling a query, the resolver didn't check for
+			isc_socket_sendto() calls that did not yet have their
+			completion events posted, so it could (rarely) end up
+			destroying the query context and then want to use
+			it again when the send event posted, triggering an
+			assertion as it tried to cancel an already-canceled
+			query.  [RT #77]
+
+ 306.	[bug]		Reading HMAC-MD5 private key files didn't work.
+
+ 305.	[bug]		When reloading the server with a config file
+			containing a syntax error, it could catch an
+			assertion failure trying to perform zone
+			maintenance on tentatively created zones whose
+			views were never fully configured and lacked
+			an address database.
+
+ 304.	[bug]		If more than LWRES_CONFMAXNAMESERVERS servers
+			are listed in resolv.conf, silently ignore them
+			instead of returning failure.
+
+ 303.	[bug]		Add additional sanity checks to differentiate a AXFR
+			response vs a IXFR response. [RT #157]
+
+ 302.	[bug]		In dig, host, and nslookup, MXNAME should be large
+			enough to hold any legal domain name in presentation
+			format + terminating NULL.
+
+ 301.	[bug]		Uninitialized pointer in host:printmessage(). [RT #159]
+
+ 300.	[bug]		Using both <isc/net.h> and <lwres/net.h> didn't work
+			on platforms lacking IPv6 because each included their
+			own ipv6 header file for the missing definitions.  Now
+			each library's ipv6.h defines the wrapper symbol of
+			the other (ISC_IPV6_H and LWRES_IPV6_H).
+
+ 299.	[cleanup]	Get the user and group information before changing the
+			root directory, so the administrator does not need to
+			keep a copy of the user and group databases in the
+			chroot'ed environment.  Suggested by Hakan Olsson.
+
+ 298.	[bug]		A mutex deadlock occurred during shutdown of the
+			interface manager under certain conditions.
+			Digital Unix systems were the most affected.
+
+ 297.	[bug]		Specifying a key name that wasn't fully qualified
+			in certain parts of the config file could cause
+			an assertion failure.
+
+ 296.	[bug]		"make install" from a separate build directory
+			failed unless configure had been run in the source
+			directory, too.
+
+ 295.	[bug]		When invoked with type==CNAME and a message
+			not constructed by dns_message_parse(),
+			dns_message_findname() failed to find anything
+			due to checking for attribute bits that are set
+			only in dns_message_parse().  This caused an
+			infinite loop when constructing the response to
+			an ANY query at a CNAME in a secure zone.
+
+ 294.	[bug]		If we run out of space in while processing glue
+			when reading a master file and commit "current name"
+			reverts to "name_current" instead of staying as
+			"name_glue".
+
+ 293.	[port]		Add support for FreeBSD 4.0 system tests.
+
+ 292.	[bug]		Due to problems with the way some operating systems
+			handle simultaneous listening on IPv4 and IPv6
+			addresses, the server no longer listens on IPv6
+			addresses by default.  To revert to the previous
+			behavior, specify "listen-on-v6 { any; };" in
+			the config file.
+
+ 291.	[func]		Caching servers no longer send outgoing queries
+			over TCP just because the incoming recursive query
+			was a TCP one.
+
+ 290.	[cleanup]	+twiddle option to dig (for testing only) removed.
+
+ 289.	[cleanup]	dig is now installed in $bindir instead of $sbindir.
+			host is now installed in $bindir.  (Be sure to remove
+			any $sbindir/dig from a previous release.)
+
+ 288.	[func]		rndc is now installed by "make install" into $sbindir.
+
+ 287.	[bug]		rndc now works again as "rndc 127.1 reload" (for
+			only that task).  Parsing its configuration file and
+			using digital signatures for authentication has been
+			disabled until named supports the "controls" statement,
+			post-9.0.0.
+
+ 286.	[bug]		On Solaris 2, when named inherited a signal state
+			where SIGHUP had the SIG_IGN action, SIGHUP would
+			be ignored rather than causing the server to reload
+			its configuration.
+
+ 285.	[bug]		A change made to the dst API for beta4 inadvertently
+			broke OMAPI's creation of a dst key from an incoming
+			message, causing an assertion to be triggered.  Fixed.
+
+ 284.	[func]		The DNSSEC key generation and signing tools now
+			generate randomness from keyboard input on systems
+			that lack /dev/random.
+
+ 283.	[cleanup]	The 'lwresd' program is now a link to 'named'.
+
+ 282.	[bug]		The lexer now returns ISC_R_RANGE if parsed integer is
+			too big for an unsigned long.
+
+ 281.	[bug]		Fixed list of recognized config file category names.
+
+ 280.	[func]		Add isc-config.sh, which can be used to more
+			easily build applications that link with
+			our libraries.
+
+ 279.	[bug]		Private omapi function symbols shared between
+			two or more files in libomapi.a were not namespace
+			protected using the ISC convention of starting with
+			the library name and two underscores ("omapi__"...)
+
+ 278.	[bug]		bin/named/logconf.c:category_fromconf() didn't take
+			note of when isc_log_categorybyname() wasn't able
+			to find the category name and would then apply the
+			channel list of the unknown category to all categories.
+
+ 277.	[bug]		isc_log_categorybyname() and isc_log_modulebyname()
+			would fail to find the first member of any category
+			or module array apart from the internal defaults.
+			Thus, for example, the "notify" category was improperly
+			configured by named.
+
+ 276.	[bug]		dig now supports maximum sized TCP messages.
+
+ 275.	[bug]		The definition of lwres_gai_strerror() was missing
+			the lwres_ prefix.
+
+ 274.	[bug]		TSIG AXFR verify failed when talking to a BIND 8
+			server.
+
+ 273.	[func]		The default for the 'transfer-format' option is
+			now 'many-answers'.  This will break zone transfers
+			to BIND 4.9.5 and older unless there is an explicit
+			'one-answer' configuration.
+
+ 272.	[bug]		The sending of large TCP responses was canceled
+			in mid-transmission due to a race condition
+			caused by the failure to set the client object's
+			"newstate" variable correctly when transitioning
+			to the "working" state.
+
+ 271.	[func]		Attempt to probe the number of cpus in named
+			if unspecified rather than defaulting to 1.
+
+ 270.	[func]		Allow maximum sized TCP answers.
+
+ 269.	[bug]		Failed DNSSEC validations could cause an assertion
+			failure by causing clone_results() to be called with
+			with hevent->node == NULL.
+
+ 268.	[doc]		A plain text version of the Administrator
+			Reference Manual is now included in the distribution,
+			as doc/arm/Bv9ARM.txt.
+
+ 267.	[func]		Nsupdate is now provided in the distribution.
+
+ 266.	[bug]		zone.c:save_nsrrset() node was not initialized.
+
+ 265.	[bug]		dns_request_create() now works for TCP.
+
+ 264.	[func]		Dispatch can not take TCP sockets in connecting
+			state.  Set DNS_DISPATCHATTR_CONNECTED when calling
+			dns_dispatch_createtcp() for connected TCP sockets
+			or call dns_dispatch_starttcp() when the socket is
+			connected.
+
+ 263.	[func]		New logging channel type 'stderr'
+
+				channel some-name {
+					stderr;
+					severity error;
+				}
+
+ 262.	[bug]		'master' was not initialized in zone.c:stub_callback().
+
+ 261.	[func]		Add dns_zone_markdirty().
+
+ 260.	[bug]		Running named as a non-root user failed on Linux
+			kernels new enough to support retaining capabilities
+			after setuid().
+
+ 259.	[func]		New random-device and random-seed-file statements
+			for global options block of named.conf. Both accept
+			a single string argument.
+
+ 258.	[bug]		Fixed printing of lwres_addr_t.address field.
+
+ 257.	[bug]		The server detached the last zone manager reference
+			too early, while it could still be in use by queries.
+			This manifested itself as assertion failures during the
+			shutdown process for busy name servers. [RT #133]
+
+ 256.	[func]		isc_ratelimiter_t now has attach/detach semantics, and
+			isc_ratelimiter_shutdown guarantees that the rate
+			limiter is detached from its task.
+
+ 255.	[func]		New function dns_zonemgr_attach().
+
+ 254.	[bug]		Suppress "query denied" messages on additional data
+			lookups.
+
+	--- 9.0.0b4 released ---
+
+ 253.	[func]		resolv.conf parser now recognizes ';' and '#' as
+			comments (anywhere in line, not just as the beginning).
+
+ 252.	[bug]		resolv.conf parser mishandled masks on sortlists.
+			It also aborted when an unrecognized keyword was seen,
+			now it silently ignores the entire line.
+
+ 251.	[bug]		lwresd caught an assertion failure on startup.
+
+ 250.	[bug]		fixed handling of size+unit when value would be too
+			large for internal representation.
+
+ 249.	[cleanup]	max-cache-size config option now takes a size-spec
+			like 'datasize', except 'default' is not allowed.
+
+ 248.	[bug]		global lame-ttl option was not being printed when
+			config structures were written out.
+
+ 247.	[cleanup]	Rename cache-size config option to max-cache-size.
+
+ 246.	[func]		Rename global option cachesize to cache-size and
+			add corresponding option to view statement.
+
+ 245.	[bug]		If an uncompressed name will take more than 255
+			bytes and the buffer is sufficiently long,
+			dns_name_fromwire should return DNS_R_FORMERR,
+			not ISC_R_NOSPACE.  This bug caused cause the
+			server to catch an assertion failure when it
+			received a query for a name longer than 255
+			bytes.
+
+ 244.	[bug]		empty named.conf file and empty options statement are
+			now parsed properly.
+
+ 243.	[func]		new cachesize option for named.conf
+
+ 242.	[cleanup]	fixed incorrect warning about auth-nxdomain usage.
+
+ 241.	[cleanup]	nscount and soacount have been removed from the
+			dns_master_*() argument lists.
+
+ 240.	[func]		databases now come in three flavours: zone, cache
+			and stub.
+
+ 239.	[func]		If ISC_MEM_DEBUG is enabled, the variable
+			isc_mem_debugging controls whether messages
+			are printed or not.
+
+ 238.	[cleanup]	A few more compilation warnings have been quieted:
+			+ missing sigwait prototype on BSD/OS 4.0/4.0.1.
+			+ PTHREAD_ONCE_INIT unbraced initializer warnings on
+				Solaris 2.8.
+			+ IN6ADDR_ANY_INIT unbraced initializer warnings on
+				BSD/OS 4.*, Linux and Solaris 2.8.
+
+ 237.	[bug]		If connect() returned ENOBUFS when the resolver was
+			initiating a TCP query, the socket didn't get
+			destroyed, and the server did not shut down cleanly.
+
+ 236.	[func]		Added new listen-on-v6 config file statement.
+
+ 235.	[func]		Consider it a config file error if a listen-on
+			statement has an IPv6 address in it, or a
+			listen-on-v6 statement has an IPv4 address in it.
+
+ 234.	[bug]		Allow a trusted-key's first field (domain-name) be
+			either a quoted or an unquoted string, instead of
+			requiring a quoted string.
+
+ 233.	[cleanup]	Convert all config structure integer values to unsigned
+			integer (isc_uint32_t) to match grammar.
+
+ 232.	[bug]		Allow slave zones to not have a file.
+
+ 231.	[func]		Support new 'port' clause in config file options
+			section. Causes 'listen-on', 'masters' and
+			'also-notify' statements to use its value instead of
+			default (53).
+
+ 230.	[func]		Replace the dst sign/verify API with a cleaner one.
+
+ 229.	[func]		Support config file sig-validity-interval statement
+			in options, views and zone statements (master
+			zones only).
+
+ 228.	[cleanup]	Logging messages in config module stripped of
+			trailing period.
+
+ 227.	[cleanup]	The enumerated identifiers dns_rdataclass_*,
+			dns_rcode_*, dns_opcode_*, and dns_trust_* are
+			also now cast to their appropriate types, as with
+			dns_rdatatype_* in item number 225 below.
+
+ 226.	[func]		dns_name_totext() now always prints the root name as
+			'.', even when omit_final_dot is true.
+
+ 225.	[cleanup]	The enumerated dns_rdatatype_* identifiers are now
+			cast to dns_rdatatype_t via macros of their same name
+			so that they are of the proper integral type wherever
+			a dns_rdatatype_t is needed.
+
+ 224.	[cleanup]	The entire project builds cleanly with gcc's
+			-Wcast-qual and -Wwrite-strings warnings enabled,
+			which is now the default when using gcc.  (Warnings
+			from confparser.c, because of yacc's code, are
+			unfortunately to be expected.)
+
+ 223.	[func]		Several functions were re-prototyped to qualify one
+			or more of their arguments with "const".  Similarly,
+			several functions that return pointers now have
+			those pointers qualified with const.
+
+ 222.	[bug]		The global 'also-notify' option was ignored.
+
+ 221.	[bug]		An uninitialized variable was sometimes passed to
+			dns_rdata_freestruct() when loading a zone, causing
+			an assertion failure.
+
+ 220.	[cleanup]	Set the default outgoing port in the view, and
+			set it in sockaddrs returned from the ADB.
+			[31-May-2000 explorer]
+
+ 219.	[bug]		Signed truncated messages more correctly follow
+			the respective specs.
+
+ 218.	[func]		When an rdataset is signed, its ttl is normalized
+			based on the signature validity period.
+
+ 217.	[func]		Also-notify and trusted-keys can now be used in
+			the 'view' statement.
+
+ 216.	[func]		The 'max-cache-ttl' and 'max-ncache-ttl' options
+			now work.
+
+ 215.	[bug]		Failures at certain points in request processing
+			could cause the assertion INSIST(client->lockview
+			== NULL) to be triggered.
+
+ 214.	[func]		New public function isc_netaddr_format(), for
+			formatting network addresses in log messages.
+
+ 213.	[bug]		Don't leak memory when reloading the zone if
+			an update-policy clause was present in the old zone.
+
+ 212.	[func]		Added dns_message_get/settsigkey, to make TSIG
+			key management reasonable.
+
+ 211.	[func]		The 'key' and 'server' statements can now occur
+			inside 'view' statements.
+
+ 210.	[bug]		The 'allow-transfer' option was ignored for slave
+			zones, and the 'transfers-per-ns' option was
+			was ignored for all zones.
+
+ 209.	[cleanup]	Upgraded openssl files to new version 0.9.5a
+
+ 208.	[func]		Added ISC_OFFSET_MAXIMUM for the maximum value
+			of an isc_offset_t.
+
+ 207.	[func]		The dnssec tools properly use the logging subsystem.
+
+ 206.	[cleanup]	dst now stores the key name as a dns_name_t, not
+			a char *.
+
+ 205.	[cleanup]	On IRIX, turn off the mostly harmless warnings 1692
+			("prototyped function redeclared without prototype")
+			and 1552 ("variable ... set but not used") when
+			compiling in the lib/dns/sec/{dnssafe,openssl}
+			directories, which contain code imported from outside
+			sources.
+
+ 204.	[cleanup]	On HP/UX, pass +vnocompatwarnings to the linker
+			to quiet the warnings that "The linked output may not
+			run on a PA 1.x system."
+
+ 203.	[func]		notify and zone soa queries are now tsig signed when
+			appropriate.
+
+ 202.	[func]		isc_lex_getsourceline() changed from returning int
+			to returning unsigned long, the type of its underlying
+			counter.
+
+ 201.	[cleanup]	Removed the test/sdig program, it has been
+			replaced by bin/dig/dig.
+
+	--- 9.0.0b3 released ---
+
+ 200.	[bug]		Failures in sending query responses to clients
+			(e.g., running out of network buffers) were
+			not logged.
+
+ 199.	[bug]		isc_heap_delete() sometimes violated the heap
+			invariant, causing timer events not to be posted
+			when due.
+
+ 198.	[func]		Dispatch managers hold memory pools which
+			any managed dispatcher may use.  This allows
+			us to avoid dipping into the memory context for
+			most allocations. [19-May-2000 explorer]
+
+ 197.	[bug]		When an incoming AXFR or IXFR completes, the
+			zone's internal state is refreshed from the
+			SOA data. [19-May-2000 explorer]
+
+ 196.	[func]		Dispatchers can be shared easily between views
+			and/or interfaces. [19-May-2000 explorer]
+
+ 195.	[bug]		Including the NXT record of the root domain
+			in a negative response caused an assertion
+			failure.
+
+ 194.	[doc]		The PDF version of the Administrator's Reference
+			Manual is no longer included in the ISC BIND9
+			distribution.
+
+ 193.	[func]		changed dst_key_free() prototype.
+
+ 192.	[bug]		Zone configuration validation is now done at end
+			of config file parsing, and before loading
+			callbacks.
+
+ 191.	[func]		Patched to compile on UnixWare 7.x.  This platform
+			is not directly supported by the ISC.
+
+ 190.	[cleanup]	The DNSSEC tools have been moved to a separate
+			directory dnssec/ and given the following new,
+			more descriptive names:
+
+			      dnssec-keygen
+			      dnssec-signzone
+			      dnssec-signkey
+			      dnssec-makekeyset
+
+			Their command line arguments have also been changed to
+			be more consistent.  dnssec-keygen now prints the
+			name of the generated key files (sans extension)
+			on standard output to simplify its use in automated
+			scripts.
+
+ 189.	[func]		isc_time_secondsastimet(), a new function, will ensure
+			that the number of seconds in an isc_time_t does not
+			exceed the range of a time_t, or return ISC_R_RANGE.
+			Similarly, isc_time_now(), isc_time_nowplusinterval(),
+			isc_time_add() and isc_time_subtract() now check the
+			range for overflow/underflow.  In the case of
+			isc_time_subtract, this changed a calling requirement
+			(ie, something that could generate an assertion)
+			into merely a condition that returns an error result.
+			isc_time_add() and isc_time_subtract() were void-
+			valued before but now return isc_result_t.
+
+ 188.	[func]		Log a warning message when an incoming zone transfer
+			contains out-of-zone data.
+
+ 187.	[func]		isc_ratelimiter_enqueue() has an additional argument
+			'task'.
+
+ 186.	[func]		dns_request_getresponse() has an additional argument
+			'preserve_order'.
+
+ 185.	[bug]		Fixed up handling of ISC_MEMCLUSTER_LEGACY.  Several
+			public functions did not have an isc__ prefix, and
+			referred to functions that had previously been
+			renamed.
+
+ 184.	[cleanup]	Variables/functions which began with two leading
+			underscores were made to conform to the ANSI/ISO
+			standard, which says that such names are reserved.
+
+ 183.	[func]		ISC_LOG_PRINTTAG option for log channels.  Useful
+			for logging the program name or other identifier.
+
+ 182.	[cleanup]	New command-line parameters for dnssec tools
+
+ 181.	[func]		Added dst_key_buildfilename and dst_key_parsefilename
+
+ 180.	[func]		New isc_result_t ISC_R_RANGE.  Supersedes DNS_R_RANGE.
+
+ 179.	[func]		options named.conf statement *must* now come
+			before any zone or view statements.
+
+ 178.	[func]		Post-load of named.conf check verifies a slave zone
+			has non-empty list of masters defined.
+
+ 177.	[func]		New per-zone boolean:
+
+				enable-zone yes | no ;
+
+			intended to let a zone be disabled without having
+			to comment out the entire zone statement.
+
+ 176.	[func]		New global and per-view option:
+
+				max-cache-ttl number
+
+ 175.	[func]		New global and per-view option:
+
+				additional-data internal | minimal | maximal;
+
+ 174.	[func]		New public function isc_sockaddr_format(), for
+			formatting socket addresses in log messages.
+
+ 173.	[func]		Keep a queue of zones waiting for zone transfer
+			quota so that a new transfer can be dispatched
+			immediately whenever quota becomes available.
+
+ 172.	[bug]		$TTL directive was sometimes missing from dumped
+			master files because totext_ctx_init() failed to
+			initialize ctx->current_ttl_valid.
+
+ 171.	[cleanup]	On NetBSD systems, the mit-pthreads or
+			unproven-pthreads library is now always used
+			unless --with-ptl2 is explicitly specified on
+			the configure command line.  The
+			--with-mit-pthreads option is no longer needed
+			and has been removed.
+
+ 170.	[cleanup]	Remove inter server consistency checks from zone,
+			these should return as a separate module in 9.1.
+			dns_zone_checkservers(), dns_zone_checkparents(),
+			dns_zone_checkchildren(), dns_zone_checkglue().
+
+			Remove dns_zone_setadb(), dns_zone_setresolver(),
+			dns_zone_setrequestmgr() these should now be found
+			via the view.
+
+ 169.	[func]		ratelimiter can now process N events per interval.
+
+ 168.	[bug]		include statements in named.conf caused syntax errors
+			due to not consuming the semicolon ending the include
+			statement before switching input streams.
+
+ 167.	[bug]		Make lack of masters for a slave zone a soft error.
+
+ 166.	[bug]		Keygen was overwriting existing keys if key_id
+			conflicted, now it will retry, and non-null keys
+			with key_id == 0 are not generated anymore.  Key
+			was not able to generate NOAUTHCONF DSA key,
+			increased RSA key size to 2048 bits.
+
+ 165.	[cleanup]	Silence "end-of-loop condition not reached" warnings
+			from Solaris compiler.
+
+ 164.	[func]		Added functions isc_stdio_open(), isc_stdio_close(),
+			isc_stdio_seek(), isc_stdio_read(), isc_stdio_write(),
+			isc_stdio_flush(), isc_stdio_sync(), isc_file_remove()
+			to encapsulate nonportable usage of errno and sync.
+
+ 163.	[func]		Added result codes ISC_R_FILENOTFOUND and
+			ISC_R_FILEEXISTS.
+
+ 162.	[bug]		Ensure proper range for arguments to ctype.h functions.
+
+ 161.	[cleanup]	error in yyparse prototype that only HPUX caught.
+
+ 160.	[cleanup]	getnet*() are not going to be implemented at this
+			stage.
+
+ 159.	[func]		Redefinition of config file elements is now an
+			error (instead of a warning).
+
+ 158.	[bug]		Log channel and category list copy routines
+			weren't assigning properly to output parameter.
+
+ 157.	[port]		Fix missing prototype for getopt().
+
+ 156.	[func]		Support new 'database' statement in zone.
+
+				database "quoted-string";
+
+ 155.	[bug]		ns_notify_start() was not detaching the found zone.
+
+ 154.	[func]		The signer now logs libdns warnings to stderr even when
+			not verbose, and in a nicer format.
+
+ 153.	[func]		dns_rdata_tostruct() 'mctx' is now optional.  If 'mctx'
+			is NULL then you need to preserve the 'rdata' until
+			you have finished using the structure as there may be
+			references to the associated memory.  If 'mctx' is
+			non-NULL it is guaranteed that there are no references
+			to memory associated with 'rdata'.
+
+			dns_rdata_freestruct() must be called if 'mctx' was
+			non-NULL and may safely be called if 'mctx' was NULL.
+
+ 152.	[bug]		keygen dumped core if domain name argument was omitted
+			from command line.
+
+ 151.	[func]		Support 'disabled' statement in zone config (causes
+			zone to be parsed and then ignored). Currently must
+			come after the 'type' clause.
+
+ 150.	[func]		Support optional ports in masters and also-notify
+			statements:
+
+				masters [ port xxx ] { y.y.y.y [ port zzz ] ; }
+
+ 149.	[cleanup]	Removed unused argument 'olist' from
+			dns_c_view_unsetordering().
+
+ 148.	[cleanup]	Stop issuing some warnings about some configuration
+			file statements that were not implemented, but now are.
+
+ 147.	[bug]		Changed yacc union size to be smaller for yaccs that
+			put yacc-stack on the real stack.
+
+ 146.	[cleanup]	More general redundant header file cleanup.  Rather
+			than continuing to itemize every header which changed,
+			this changelog entry just notes that if a header file
+			did not need another header file that it was including
+			in order to provide its advertised functionality, the
+			inclusion of the other header file was removed.  See
+			util/check-includes for how this was tested.
+
+ 145.	[cleanup]	Added <isc/lang.h> and ISC_LANG_BEGINDECLS/
+			ISC_LANG_ENDDECLS to header files that had function
+			prototypes, and removed it from those that did not.
+
+ 144.	[cleanup]	libdns header files too numerous to name were made
+			to conform to the same style for multiple inclusion
+			protection.
+
+ 143.	[func]		Added function dns_rdatatype_isknown().
+
+ 142.	[cleanup]	<isc/stdtime.h> does not need <time.h> or
+			<isc/result.h>.
+
+ 141.	[bug]		Corrupt requests with multiple questions could
+			cause an assertion failure.
+
+ 140.	[cleanup]	<isc/time.h> does not need <time.h> or <isc/result.h>.
+
+ 139.	[cleanup]	<isc/net.h> now includes <isc/types.h> instead of
+			<isc/int.h> and <isc/result.h>.
+
+ 138.	[cleanup]	isc_strtouq moved from str.[ch] to string.[ch] and
+			renamed isc_string_touint64.  isc_strsep moved from
+			strsep.c to string.c and renamed isc_string_separate.
+
+ 137.	[cleanup]	<isc/commandline.h>, <isc/mem.h>, <isc/print.h>
+			<isc/serial.h>, <isc/string.h> and <isc/offset.h>
+			made to conform to the same style for multiple
+			inclusion protection.
+
+ 136.	[cleanup]	<isc/commandline.h>, <isc/interfaceiter.h>,
+			<isc/net.h> and Win32's <isc/thread.h> needed
+			ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS.
+
+ 135.	[cleanup]	Win32's <isc/condition.h> did not need <isc/result.h>
+			or <isc/boolean.h>, now uses <isc/types.h> in place
+			of <isc/time.h>, and needed ISC_LANG_BEGINDECLS
+			and ISC_LANG_ENDDECLS.
+
+ 134.	[cleanup]	<isc/dir.h> does not need <limits.h>.
+
+ 133.	[cleanup]	<isc/ipv6.h> needs <isc/platform.h>.
+
+ 132.	[cleanup]	<isc/app.h> does not need <isc/task.h>, but does
+			need <isc/eventclass.h>.
+
+ 131.	[cleanup]	<isc/mutex.h> and <isc/util.h> need <isc/result.h>
+			for ISC_R_* codes used in macros.
+
+ 130.	[cleanup]	<isc/condition.h> does not need <pthread.h> or
+			<isc/boolean.h>, and now includes <isc/types.h>
+			instead of <isc/time.h>.
+
+ 129.	[bug]		The 'default_debug' log channel was not set up when
+			'category default' was present in the config file
+
+ 128.	[cleanup]	<isc/dir.h> had ISC_LANG_BEGINDECLS instead of
+			ISC_LANG_ENDDECLS at end of header.
+
+ 127.	[cleanup]	The contracts for the comparison routines
+			dns_name_fullcompare(), dns_name_compare(),
+			dns_name_rdatacompare(), and dns_rdata_compare() now
+			specify that the order value returned is < 0, 0, or > 0
+			instead of -1, 0, or 1.
+
+ 126.	[cleanup]	<isc/quota.h> and <isc/taskpool.h> need <isc/lang.h>.
+
+ 125.	[cleanup]	<isc/eventclass.h>, <isc/ipv6.h>, <isc/magic.h>,
+			<isc/mutex.h>, <isc/once.h>, <isc/region.h>, and
+			<isc/resultclass.h> do not need <isc/lang.h>.
+
+ 124.	[func]		signer now imports parent's zone key signature
+			and creates null keys/sets zone status bit for
+			children when necessary
+
+ 123.	[cleanup]	<isc/event.h> does not need <stddef.h>.
+
+ 122.	[cleanup]	<isc/task.h> does not need <isc/mem.h> or
+			<isc/result.h>.
+
+ 121.	[cleanup]	<isc/symtab.h> does not need <isc/mem.h> or
+			<isc/result.h>.  Multiple inclusion protection
+			symbol fixed from ISC_SYMBOL_H to ISC_SYMTAB_H.
+			isc_symtab_t moved to <isc/types.h>.
+
+ 120.	[cleanup]	<isc/socket.h> does not need <isc/boolean.h>,
+			<isc/bufferlist.h>, <isc/task.h>, <isc/mem.h> or
+			<isc/net.h>.
+
+ 119.	[cleanup]	structure definitions for generic rdata structures do
+			not have _generic_ in their names.
+
+ 118.	[cleanup]	libdns.a is now namespace-clean, on NetBSD, excepting
+			YACC crust (yyparse, etc) [2000-apr-27 explorer]
+
+ 117.	[cleanup]	libdns.a changes:
+			dns_zone_clearnotify() and dns_zone_addnotify()
+			are replaced by dns_zone_setnotifyalso().
+			dns_zone_clearmasters() and dns_zone_addmaster()
+			are replaced by dns_zone_setmasters().
+
+ 116.	[func]		Added <isc/offset.h> for isc_offset_t (aka off_t
+			on Unix systems).
+
+ 115.	[port]		Shut up the -Wmissing-declarations warning about
+			<stdio.h>'s __sputaux on BSD/OS pre-4.1.
+
+ 114.	[cleanup]	<isc/sockaddr.h> does not need <isc/buffer.h> or
+			<isc/list.h>.
+
+ 113.	[func]		Utility programs dig and host added.
+
+ 112.	[cleanup]	<isc/serial.h> does not need <isc/boolean.h>.
+
+ 111.	[cleanup]	<isc/rwlock.h> does not need <isc/result.h> or
+			<isc/mutex.h>.
+
+ 110.	[cleanup]	<isc/result.h> does not need <isc/boolean.h> or
+			<isc/list.h>.
+
+ 109.	[bug]		"make depend" did nothing for
+			bin/tests/{db,mem,sockaddr,tasks,timers}/.
+
+ 108.	[cleanup]	DNS_SETBIT/DNS_GETBIT/DNS_CLEARBIT moved from
+			<dns/types.h> to <dns/bit.h> and renamed to
+			DNS_BIT_SET/DNS_BIT_GET/DNS_BIT_CLEAR.
+
+ 107.	[func]		Add keysigner and keysettool.
+
+ 106.	[func]		Allow dnssec verifications to ignore the validity
+			period.  Used by several of the dnssec tools.
+
+ 105.	[doc]		doc/dev/coding.html expanded with other
+			implicit conventions the developers have used.
+
+ 104.	[bug]		Made compress_add and compress_find static to
+			lib/dns/compress.c.
+
+ 103.	[func]		libisc buffer API changes for <isc/buffer.h>:
+			Added:
+				isc_buffer_base(b)          (pointer)
+				isc_buffer_current(b)       (pointer)
+				isc_buffer_active(b)        (pointer)
+				isc_buffer_used(b)          (pointer)
+				isc_buffer_length(b)            (int)
+				isc_buffer_usedlength(b)        (int)
+				isc_buffer_consumedlength(b)    (int)
+				isc_buffer_remaininglength(b)   (int)
+				isc_buffer_activelength(b)      (int)
+				isc_buffer_availablelength(b)   (int)
+			Removed:
+				ISC_BUFFER_USEDCOUNT(b)
+				ISC_BUFFER_AVAILABLECOUNT(b)
+				isc_buffer_type(b)
+			Changed names:
+				isc_buffer_used(b, r) ->
+					isc_buffer_usedregion(b, r)
+				isc_buffer_available(b, r) ->
+					isc_buffer_available_region(b, r)
+				isc_buffer_consumed(b, r) ->
+					isc_buffer_consumedregion(b, r)
+				isc_buffer_active(b, r) ->
+					isc_buffer_activeregion(b, r)
+				isc_buffer_remaining(b, r) ->
+					isc_buffer_remainingregion(b, r)
+
+			Buffer types were removed, so the ISC_BUFFERTYPE_*
+			macros are no more, and the type argument to
+			isc_buffer_init and isc_buffer_allocate were removed.
+			isc_buffer_putstr is now void (instead of isc_result_t)
+			and requires that the caller ensure that there
+			is enough available buffer space for the string.
+
+ 102.	[port]		Correctly detect inet_aton, inet_pton and inet_ptop
+			on BSD/OS 4.1.
+
+ 101.	[cleanup]	Quieted EGCS warnings from lib/isc/print.c.
+
+ 100.	[cleanup]	<isc/random.h> does not need <isc/int.h> or
+			<isc/mutex.h>.  isc_random_t moved to <isc/types.h>.
+
+  99.	[cleanup]	Rate limiter now has separate shutdown() and
+			destroy() functions, and it guarantees that all
+			queued events are delivered even in the shutdown case.
+
+  98.	[cleanup]	<isc/print.h> does not need <stdarg.h> or <stddef.h>
+			unless ISC_PLATFORM_NEEDVSNPRINTF is defined.
+
+  97.	[cleanup]	<isc/ondestroy.h> does not need <stddef.h> or
+			<isc/event.h>.
+
+  96.	[cleanup]	<isc/mutex.h> does not need <isc/result.h>.
+
+  95.	[cleanup]	<isc/mutexblock.h> does not need <isc/result.h>.
+
+  94.	[cleanup]	Some installed header files did not compile as C++.
+
+  93.	[cleanup]	<isc/msgcat.h> does not need <isc/result.h>.
+
+  92.	[cleanup]	<isc/mem.h> does not need <stddef.h>, <isc/boolean.h>,
+			or <isc/result.h>.
+
+  91.	[cleanup]	<isc/log.h> does not need <sys/types.h> or
+			<isc/result.h>.
+
+  90.	[cleanup]	Removed unneeded ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS
+			from <named/listenlist.h>.
+
+  89.	[cleanup]	<isc/lex.h> does not need <stddef.h>.
+
+  88.	[cleanup]	<isc/interfaceiter.h> does not need <isc/result.h> or
+			<isc/mem.h>.  isc_interface_t and isc_interfaceiter_t
+			moved to <isc/types.h>.
+
+  87.	[cleanup]	<isc/heap.h> does not need <isc/boolean.h>,
+			<isc/mem.h> or <isc/result.h>.
+
+  86.	[cleanup]	isc_bufferlist_t moved from <isc/bufferlist.h> to
+			<isc/types.h>.
+
+  85.	[cleanup]	<isc/bufferlist.h> does not need <isc/buffer.h>,
+			<isc/list.h>, <isc/mem.h>, <isc/region.h> or
+			<isc/int.h>.
+
+  84.	[func]		allow-query ACL checks now apply to all data
+			added to a response.
+
+  83.	[func]		If the server is authoritative for both a
+			delegating zone and its (nonsecure) delegatee, and
+			a query is made for a KEY RR at the top of the
+			delegatee, then the server will look for a KEY
+			in the delegator if it is not found in the delegatee.
+
+  82.	[cleanup]	<isc/buffer.h> does not need <isc/list.h>.
+
+  81.	[cleanup]	<isc/int.h> and <isc/boolean.h> do not need
+			<isc/lang.h>.
+
+  80.	[cleanup]	<isc/print.h> does not need <stdio.h> or <stdlib.h>.
+
+  79.	[cleanup]	<dns/callbacks.h> does not need <stdio.h>.
+
+  78.	[cleanup]	lwres_conftest renamed to lwresconf_test for
+			consistency with other *_test programs.
+
+  77.	[cleanup]	typedef of isc_time_t and isc_interval_t moved from
+			<isc/time.h> to <isc/types.h>.
+
+  76.	[cleanup]	Rewrote keygen.
+
+  75.	[func]		Don't load a zone if its database file is older
+			than the last time the zone was loaded.
+
+  74.	[cleanup]	Removed mktemplate.o and ufile.o from libisc.a,
+			subsumed by file.o.
+
+  73.	[func]		New "file" API in libisc, including new function
+			isc_file_getmodtime, isc_mktemplate renamed to
+			isc_file_mktemplate and isc_ufile renamed to
+			isc_file_openunique.  By no means an exhaustive API,
+			it is just what's needed for now.
+
+  72.	[func]		DNS_RBTFIND_NOPREDECESSOR and DNS_RBTFIND_NOOPTIONS
+			added for dns_rbt_findnode, the former to disable the
+			setting of the chain to the predecessor, and the
+			latter to make clear when no options are set.
+
+  71.	[cleanup]	Made explicit the implicit REQUIREs of
+			isc_time_seconds, isc_time_nanoseconds, and
+			isc_time_subtract.
+
+  70.	[func]		isc_time_set() added.
+
+  69.	[bug]		The zone object's master and also-notify lists grew
+			longer with each server reload.
+
+  68.	[func]		Partial support for SIG(0) on incoming messages.
+
+  67.	[performance]	Allow use of alternate (compile-time supplied)
+			OpenSSL libraries/headers.
+
+  66.	[func]		Data in authoritative zones should have a trust level
+			beyond secure.
+
+  65.	[cleanup]	Removed obsolete typedef of dns_zone_callbackarg_t
+			from <dns/types.h>.
+
+  64.	[func]		The RBT, DB, and zone table APIs now allow the
+			caller find the most-enclosing superdomain of
+			a name.
+
+  63.	[func]		Generate NOTIFY messages.
+
+  62.	[func]		Add UDP refresh support.
+
+  61.	[cleanup]	Use single quotes consistently in log messages.
+
+  60.	[func]		Catch and disallow singleton types on message
+			parse.
+
+  59.	[bug]		Cause net/host unreachable to be a hard error
+			when sending and receiving.
+
+  58.	[bug]		bin/named/query.c could sometimes trigger the
+			(client->query.attributes & NS_QUERYATTR_NAMEBUFUSED)
+			== 0 assertion in query_newname().
+
+  57.	[func]		Added dns_nxt_typepresent()
+
+  56.	[bug]		SIG records were not properly returned in cached
+			negative answers.
+
+  55.	[bug]		Responses containing multiple names in the authority
+			section were not negatively cached.
+
+  54.	[bug]		If a fetch with sigrdataset==NULL joined one with
+			sigrdataset!=NULL or vice versa, the resolver
+			could catch an assertion or lose signature data,
+			respectively.
+
+  53.	[port]		freebsd 4.0: lib/isc/unix/socket.c requires
+			<sys/param.h>.
+
+  52.	[bug]		rndc: taskmgr and socketmgr were not initialized
+			to NULL.
+
+  51.	[cleanup]	dns/compress.h and dns/zt.h did not need to include
+			dns/rbt.h; it was needed only by compress.c and zt.c.
+
+  50.	[func]		RBT deletion no longer requires a valid chain to work,
+			and dns_rbt_deletenode was added.
+
+  49.	[func]		Each cache now has its own mctx.
+
+  48.	[func]		isc_task_create() no longer takes an mctx.
+			isc_task_mem() has been eliminated.
+
+  47.	[func]		A number of modules now use memory context reference
+			counting.
+
+  46.	[func]		Memory contexts are now reference counted.
+			Added isc_mem_inuse() and isc_mem_preallocate().
+			Renamed isc_mem_destroy_check() to
+			isc_mem_setdestroycheck().
+
+  45.	[bug]		The trusted-key statement incorrectly loaded keys.
+
+  44.	[bug]		Don't include authority data if it would force us
+			to unset the AD bit in the message.
+
+  43.	[bug]		DNSSEC verification of cached rdatasets was failing.
+
+  42.	[cleanup]	Simplified logging of messages with embedded domain
+			names by introducing a new convenience function
+			dns_name_format().
+
+  41.	[func]		Use PR_SET_KEEPCAPS on Linux 2.3.99-pre3 and later
+			to allow 'named' to run as a non-root user while
+			retaining the ability to bind() to privileged
+			ports.
+
+  40.	[func]		Introduced new logging category "dnssec" and
+			logging module "dns/validator".
+
+  39.	[cleanup]	Moved the typedefs for isc_region_t, isc_textregion_t,
+			and isc_lex_t to <isc/types.h>.
+
+  38.	[bug]		TSIG signed incoming zone transfers work now.
+
+  37.	[bug]		If the first RR in an incoming zone transfer was
+			not an SOA, the server died with an assertion failure
+			instead of just reporting an error.
+
+  36.	[cleanup]	Change DNS_R_SUCCESS (and others) to ISC_R_SUCCESS
+
+  35.	[performance]	Log messages which are of a level too high to be
+			logged by any channel in the logging configuration
+			will not cause the log mutex to be locked.
+
+  34.	[bug]		Recursion was allowed even with 'recursion no'.
+
+  33.	[func]		The RBT now maintains a parent pointer at each node.
+
+  32.	[cleanup]	bin/lwresd/client.c needs <string.h> for memset()
+			prototype.
+
+  31.	[bug]		Use ${LIBTOOL} to compile bin/named/main.@O@.
+
+  30.	[func]		config file grammar change to support optional
+			class type for a view.
+
+  29.	[func]		support new config file view options:
+
+				auth-nxdomain recursion query-source
+				query-source-v6 transfer-source
+				transfer-source-v6 max-transfer-time-out
+				max-transfer-idle-out transfer-format
+				request-ixfr provide-ixfr cleaning-interval
+				fetch-glue notify rfc2308-type1 lame-ttl
+				max-ncache-ttl min-roots
+
+  28.	[func]		support lame-ttl, min-roots and serial-queries
+			config global options.
+
+  27.	[bug]		Only include <netinet6/in6.h> on BSD/OS 4.[01]*.
+			Including it on other platforms (eg, NetBSD) can
+			cause a forced #error from the C preprocessor.
+
+  26.	[func]		new match-clients statement in config file view.
+
+  25.	[bug]		make install failed to install <isc/log.h> and
+			<isc/ondestroy.h>.
+
+  24.	[cleanup]	Eliminate some unnecessary #includes of header
+			files from header files.
+
+  23.	[cleanup]	Provide more context in log messages about client
+			requests, using a new function ns_client_log().
+
+  22.	[bug]		SIGs weren't returned in the answer section when
+			the query resulted in a fetch.
+
+  21.	[port]		Look at STD_CINCLUDES after CINCLUDES during
+			compilation, so additional system include directories
+			can be searched but header files in the bind9 source
+			tree with conflicting names take precedence.  This
+			avoids issues with installed versions of dnssafe and
+			openssl.
+
+  20.	[func]		Configuration file post-load validation of zones
+			failed if there were no zones.
+
+  19.	[bug]		dns_zone_notifyreceive() failed to unlock the zone
+			lock in certain error cases.
+
+  18.	[bug]		Use AC_TRY_LINK rather than AC_TRY_COMPILE in
+			configure.in to check for presence of in6addr_any.
+
+  17.	[func]		Do configuration file post-load validation of zones.
+
+  16.	[bug]		put quotes around key names on config file
+			output to avoid possible keyword clashes.
+
+  15.	[func]		Add dns_name_dupwithoffsets().  This function is
+			improves comparison performance for duped names.
+
+  14.	[bug]		free_rbtdb() could have 'put' unallocated memory in
+			an unlikely error path.
+
+  13.	[bug]		lib/dns/master.c and lib/dns/xfrin.c didn't ignore
+			out-of-zone data.
+
+  12.	[bug]		Fixed possible uninitialized variable error.
+
+  11.	[bug]		axfr_rrstream_first() didn't check the result code of
+			db_rr_iterator_first(), possibly causing an assertion
+			to be triggered later.
+
+  10.	[bug]		A bug in the code which makes EDNS0 OPT records in
+			bin/named/client.c and lib/dns/resolver.c could
+			trigger an assertion.
+
+   9.	[cleanup]	replaced bit-setting code in confctx.c and replaced
+			repeated code with macro calls.
+
+   8.	[bug]		Shutdown of incoming zone transfer accessed
+			freed memory.
+
+   7.	[cleanup]	removed 'listen-on' from view statement.
+
+   6.	[bug]		quote RR names when generating config file to
+			prevent possible clash with config file keywords
+			(such as 'key').
+
+   5.	[func]		syntax change to named.conf file: new ssu grant/deny
+			statements must now be enclosed by an 'update-policy'
+			block.
+
+   4.	[port]		bin/named/unix/os.c didn't compile on systems with
+			linux 2.3 kernel includes due to conflicts between
+			C library includes and the kernel includes.  We now
+			get only what we need from <linux/capability.h>, and
+			avoid pulling in other linux kernel .h files.
+
+   3.	[bug]		TKEYs go in the answer section of responses, not
+			the additional section.
+
+   2.	[bug]		Generating cryptographic randomness failed on
+			systems without /dev/random.
+
+   1.	[bug]		The installdirs rule in
+			lib/isc/unix/include/isc/Makefile.in had a typo which
+			prevented the isc directory from being created if it
+			didn't exist.
+
+	--- 9.0.0b2 released ---
+
+# This tells Emacs to use hard tabs in this file.
+# Local Variables:
+# indent-tabs-mode: t
+# End:
diff --git a/CODE_OF_CONDUCT b/CODE_OF_CONDUCT
new file mode 100644
index 0000000..b5a630a
--- /dev/null
+++ b/CODE_OF_CONDUCT
@@ -0,0 +1,79 @@
+CODE OF CONDUCT
+
+BIND 9 Code of Conduct
+
+Like the technical community as a whole, the BIND 9 team and community is
+made up of a mixture of professionals and volunteers from all over the
+world, working on every aspect of the mission - including mentorship,
+teaching, and connecting people.
+
+Diversity is one of our huge strengths, but it can also lead to
+communication issues and unhappiness. To that end, we have a few ground
+rules that we ask people to adhere to. This code applies equally to the
+core development team, open source contributors and those seeking help and
+guidance.
+
+This isn't an exhaustive list of things that you can't do. Rather, take it
+in the spirit in which it's intended - a guide to make it easier to enrich
+all of us and the technical communities in which we participate.
+
+This code of conduct applies to all spaces managed by the BIND 9 project
+or Internet Systems Consortium. This includes chat, the mailing lists, the
+issue tracker, and any other fora created by the project team which the
+community uses for communication. In addition, violations of this code
+outside these spaces may affect a person's ability to participate within
+them.
+
+If you believe someone is violating the code of conduct, we ask that you
+report it by emailing conduct@isc.org. For more details please see our
+Reporting Guidelines.
+
+  * Be friendly and patient.
+  * Be welcoming. We strive to be a community that welcomes and supports
+    people of all backgrounds and identities. This includes, but is not
+    limited to members of any race, ethnicity, culture, national origin,
+    colour, immigration status, social and economic class, educational
+    level, sex, sexual orientation, gender identity and expression, age,
+    size, family status, political belief, religion, and mental and
+    physical ability.
+  * Be considerate. Your work will be used by other people, and you in
+    turn will depend on the work of others. Any decision you take will
+    affect users and colleagues, and you should take those consequences
+    into account when making decisions. Remember that we're a world-wide
+    community, so you might not be communicating in someone else's primary
+    language.
+  * Be respectful. Not all of us will agree all the time, but disagreement
+    is no excuse for poor behavior and poor manners. We might all
+    experience some frustration now and then, but we cannot allow that
+    frustration to turn into a personal attack. It's important to remember
+    that a community where people feel uncomfortable or threatened is not
+    a productive one. Members of the BIND 9 community should be respectful
+    when dealing with other members as well as with people outside the
+    BIND 9 community.
+  * Be careful in the words that you choose. We are a community of
+    professionals, and we conduct ourselves professionally. Be kind to
+    others. Do not insult or put down other participants. Harassment and
+    other exclusionary behavior aren't acceptable. This includes, but is
+    not limited to:
+      + Violent threats or language directed against another person.
+      + Discriminatory jokes and language.
+      + Posting sexually explicit or violent material.
+      + Posting (or threatening to post) other people's personally
+        identifying information ("doxing").
+      + Personal insults, especially those using racist or sexist terms.
+      + Unwelcome sexual attention.
+      + Advocating for, or encouraging, any of the above behavior.
+      + Repeated harassment of others. In general, if someone asks you to
+        stop, then stop.
+  * When we disagree, try to understand why. Disagreements, both social
+    and technical, happen all the time and BIND 9 is no exception. It is
+    important that we resolve disagreements and differing views
+    constructively. Remember that we're different. The strength of BIND 9
+    comes from its varied community, people from a wide range of
+    backgrounds. Different people have different perspectives on issues.
+    Being unable to understand why someone holds a viewpoint doesn't mean
+    that they're wrong. Don't forget that it is human to err and blaming
+    each other doesn't get us anywhere. Instead, focus on helping to
+    resolve issues and learning from mistakes.
+
+Original text courtesy of the Django Code of Conduct project.
diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
new file mode 100644
index 0000000..153305e
--- /dev/null
+++ b/CODE_OF_CONDUCT.md
@@ -0,0 +1,84 @@
+<!--
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0.  If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+-->
+
+# BIND 9 Code of Conduct
+
+Like the technical community as a whole, the BIND 9 team and community is made
+up of a mixture of professionals and volunteers from all over the world, working
+on every aspect of the mission - including mentorship, teaching, and connecting
+people.
+
+Diversity is one of our huge strengths, but it can also lead to communication
+issues and unhappiness. To that end, we have a few ground rules that we ask
+people to adhere to. This code applies equally to the core development team,
+open source contributors and those seeking help and guidance.
+
+This isn't an exhaustive list of things that you can't do. Rather, take it in
+the spirit in which it's intended - a guide to make it easier to enrich all of
+us and the technical communities in which we participate.
+
+This code of conduct applies to all spaces managed by the BIND 9 project or
+Internet Systems Consortium. This includes chat, the mailing lists, the issue
+tracker, and any other fora created by the project team which the
+community uses for communication. In addition, violations of this code outside
+these spaces may affect a person's ability to participate within them.
+
+If you believe someone is violating the code of conduct, we ask that you report
+it by emailing [conduct@isc.org](conduct@isc.org). For more details please see
+our [Reporting Guidelines](https://www.isc.org/conductreporting/).
+
+* **Be friendly and patient.**
+* **Be welcoming.** We strive to be a community that welcomes and supports
+  people of all backgrounds and identities. This includes, but is not limited to
+  members of any race, ethnicity, culture, national origin, colour, immigration
+  status, social and economic class, educational level, sex, sexual orientation,
+  gender identity and expression, age, size, family status, political belief,
+  religion, and mental and physical ability.
+* **Be considerate.** Your work will be used by other people, and you in turn
+  will depend on the work of others. Any decision you take will affect users and
+  colleagues, and you should take those consequences into account when making
+  decisions. Remember that we're a world-wide community, so you might not be
+  communicating in someone else's primary language.
+* **Be respectful.** Not all of us will agree all the time, but disagreement is
+  no excuse for poor behavior and poor manners. We might all experience some
+  frustration now and then, but we cannot allow that frustration to turn into a
+  personal attack. It's important to remember that a community where people feel
+  uncomfortable or threatened is not a productive one. Members of the BIND 9
+  community should be respectful when dealing with other members as well as with
+  people outside the BIND 9 community.
+* **Be careful in the words that you choose.** We are a community of
+  professionals, and we conduct ourselves professionally. Be kind to others. Do
+  not insult or put down other participants. Harassment and other exclusionary
+  behavior aren't acceptable. This includes, but is not limited to:
+  * Violent threats or language directed against another person.
+  * Discriminatory jokes and language.
+  * Posting sexually explicit or violent material.
+  * Posting (or threatening to post) other people's personally identifying
+    information ("doxing").
+  * Personal insults, especially those using racist or sexist terms.
+  * Unwelcome sexual attention.
+  * Advocating for, or encouraging, any of the above behavior.
+  * Repeated harassment of others. In general, if someone asks you to stop, then
+    stop.
+* **When we disagree, try to understand why.** Disagreements, both social and
+  technical, happen all the time and BIND 9 is no exception. It is important
+  that we resolve disagreements and differing views constructively. Remember
+  that we're different. The strength of BIND 9 comes from its varied community,
+  people from a wide range of backgrounds. Different people have different
+  perspectives on issues. Being unable to understand why someone holds a
+  viewpoint doesn't mean that they're wrong. Don't forget that it is human to
+  err and blaming each other doesn't get us anywhere. Instead, focus on helping
+  to resolve issues and learning from mistakes.
+
+Original text courtesy of the [Django Code of Conduct](https://www.djangoproject.com/conduct/)
+project.
diff --git a/CONTRIBUTING b/CONTRIBUTING
new file mode 100644
index 0000000..928ee67
--- /dev/null
+++ b/CONTRIBUTING
@@ -0,0 +1,189 @@
+CONTRIBUTING
+
+BIND 9 Source Access and Contributor Guidelines
+
+May 28, 2020
+
+Contents
+
+ 1. Access to source code
+ 2. Reporting bugs
+ 3. Contributing code
+
+Introduction
+
+Thank you for using BIND 9!
+
+BIND is open source software that implements the Domain Name System (DNS)
+protocols for the Internet. It is a reference implementation of those
+protocols, but it is also production-grade software, suitable for use in
+high-volume and high-reliability applications. It is very widely used DNS
+software, providing a robust and stable platform on top of which
+organizations can build distributed computing systems with the knowledge
+that those systems are fully compliant with published DNS standards.
+
+BIND is and will always remain free and openly available. It can be used
+and modified in any way by anyone.
+
+BIND is maintained by Internet Systems Consortium, a public-benefit 501(c)
+(3) nonprofit, using a "managed open source" approach: anyone can see the
+source, but only ISC employees have commit access. In the past, the source
+could only be seen once ISC had published a release; read access to the
+source repository was restricted just as commit access was. That has
+changed, as ISC now provides a public git repository of the BIND source
+tree (see below).
+
+At ISC, we're committed to building communities that are welcoming and
+inclusive: environments where people are encouraged to share ideas, treat
+each other with respect, and collaborate towards the best solutions. To
+reinforce our commitment, ISC has adopted a slightly modified version of
+the Django Code of Conduct for the BIND 9 project, as well as for the
+conduct of our developers throughout the industry.
+
+Access to source code
+
+Public BIND releases are always available from the ISC FTP site.
+
+A public-access git repository is also available at https://gitlab.isc.org
+. This repository contains all public release branches. Upcoming releases
+can be viewed in their current state at any time. Short-lived development
+branches contain unreviewed work in progress. Commits which address
+security vulnerablilities are withheld until after public disclosure.
+
+You can browse the source online via https://gitlab.isc.org/isc-projects/
+bind9
+
+To clone the repository, use:
+
+      $ git clone https://gitlab.isc.org/isc-projects/bind9.git
+
+Release branch names are of the form bind-9.X, where X represents the
+second number in the BIND 9 version number. So, to check out the BIND 9.18
+branch, use:
+
+      $ git checkout bind-9.18
+
+Whenever a branch is ready for publication, a tag is placed of the form
+v9.X.Y. The 9.18.0 release, for instance, is tagged as v9.18.0.
+
+The branch in which the next major release is being developed is called
+main.
+
+Reporting bugs
+
+Reports of flaws in the BIND package, including software bugs, errors in
+the documentation, missing files in the tarball, suggested changes or
+requests for new features, etc., can be filed using https://gitlab.isc.org
+/isc-projects/bind9/issues.
+
+Due to a large ticket backlog, we are sometimes slow to respond,
+especially if a bug is cosmetic or if a feature request is vague or low in
+priority, but we try at least to acknowledge legitimate bug reports within
+a week.
+
+ISC's GitLab system is publicly readable; however, you must have an
+account to create a new issue. You can either register locally or use
+credentials from an existing account at GitHub, GitLab, Google, Twitter,
+or Facebook.
+
+Reporting possible security issues
+
+If you think you may be seeing a potential security vulnerability in BIND
+(for example, a crash with REQUIRE, INSIST, or ASSERT failure), please
+report it immediately by emailing to security-officer@isc.org. Plain-text
+e-mail is not a secure choice for communications concerning undisclosed
+security issues so please encrypt your communications to us if possible,
+using the ISC Security Officer public key.
+
+Do not discuss undisclosed security vulnerabilities on any public mailing
+list. ISC has a long history of handling reported vulnerabilities promptly
+and effectively and we respect and acknowledge responsible reporters.
+
+ISC's Security Vulnerability Disclosure Policy is documented at https://
+kb.isc.org/docs/aa-00861.
+
+If you have a crash, you may want to consult "What to do if your BIND or
+DHCP server has crashed."
+
+Contributing code
+
+BIND is licensed under the Mozilla Public License 2.0. Earlier versions
+(BIND 9.10 and earlier) were licensed under the ISC License
+
+ISC does not require an explicit copyright assignment for patch
+contributions. However, by submitting a patch to ISC, you implicitly
+certify that you are the author of the code, that you intend to relinquish
+exclusive copyright, and that you grant permission to publish your work
+under the open source license used for the BIND version(s) to which your
+patch will be applied.
+
+BIND code
+
+Patches for BIND may be submitted directly via merge requests in ISC's
+GitLab source repository for BIND.
+
+Patches can also be submitted as diffs against a specific version of BIND
+-- preferably the current top of the main branch. Diffs may be generated
+using either git format-patch or git diff.
+
+Those wanting to write code for BIND may be interested in the developer
+information page, which includes information about BIND design and coding
+practices, including discussion of internal APIs and overall system
+architecture.
+
+Every patch submitted is reviewed by ISC engineers following our code
+review process before it is merged.
+
+It may take considerable time to review patch submissions, especially if
+they don't meet ISC style and quality guidelines. If a patch is a good
+idea, we can and will do additional work to bring it up to par, but if
+we're busy with other work, it may take us a long time to get to it.
+
+To ensure your patch is acted on as promptly as possible, please:
+
+  * Try to adhere to the BIND 9 coding style.
+  * Run make check to ensure your change hasn't caused any functional
+    regressions.
+  * Document your work, both in the patch itself and in the accompanying
+    email.
+  * In patches that make non-trivial functional changes, include system
+    tests if possible; when introducing or substantially altering a
+    library API, include unit tests. See Testing for more information.
+
+Changes to configure
+
+If you need to make changes to configure, you should not edit it directly;
+instead, edit configure.in, then run autoconf. Similarly, instead of
+editing config.h.in directly, edit configure.in and run autoheader.
+
+When submitting a patch as a diff, it's fine to omit the configure diffs
+to save space. Just send the configure.in diffs and we'll generate the new
+configure during the review process.
+
+Documentation
+
+All functional changes should be documented. There are three types of
+documentation in the BIND source tree:
+
+  * Man pages are kept alongside the source code for the commands they
+    document, in files ending in .rst: for example, the named man page is
+    bin/named/named.rst.
+  * The BIND 9 Administrator Reference Manual is in the .rst files in doc/
+    arm/; the PDF and HTML versions are automatically generated from the
+    .rst files.
+  * API documentation is in the header file describing the API, in
+    Doxygen-formatted comments.
+
+Patches to improve existing documentation are also very welcome!
+
+Tests
+
+BIND is a large and complex project. We rely heavily on continuous
+automated testing and cannot merge new code without adequate test
+coverage. Please see the "Testing" section of doc/dev/dev.md for more
+information.
+
+Thanks
+
+Thank you for your interest in contributing to the ongoing development of
+BIND 9.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
new file mode 100644
index 0000000..4b3db89
--- /dev/null
+++ b/CONTRIBUTING.md
@@ -0,0 +1,208 @@
+<!--
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0.  If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+-->
+## BIND 9 Source Access and Contributor Guidelines
+*May 28, 2020*
+
+### Contents
+
+1. [Access to source code](#access)
+1. [Reporting bugs](#bugs)
+1. [Contributing code](#contrib)
+
+### Introduction
+
+Thank you for using BIND 9!
+
+BIND is open source software that implements the Domain Name System (DNS)
+protocols for the Internet. It is a reference implementation of those
+protocols, but it is also production-grade software, suitable for use in
+high-volume and high-reliability applications.  It is very
+widely used DNS software, providing a robust and stable platform on top of
+which organizations can build distributed computing systems with the
+knowledge that those systems are fully compliant with published DNS
+standards.
+
+BIND is and will always remain free and openly available.  It can be
+used and modified in any way by anyone.
+
+BIND is maintained by [Internet Systems Consortium](https://www.isc.org),
+a public-benefit 501(c)(3) nonprofit, using a "managed open source" approach:
+anyone can see the source, but only ISC employees have commit access.
+In the past, the source could only be seen once ISC had published
+a release; read access to the source repository was restricted just
+as commit access was.  That has changed, as ISC now provides a
+public git repository of the BIND source tree (see below).
+
+At ISC, we're committed to
+building communities that are welcoming and inclusive: environments where people
+are encouraged to share ideas, treat each other with respect, and collaborate
+towards the best solutions. To reinforce our commitment, ISC
+has adopted a slightly modified version of the Django
+[Code of Conduct](https://gitlab.isc.org/isc-projects/bind9/-/blob/main/CODE_OF_CONDUCT.md)
+for the BIND 9 project, as well as for the conduct of our developers throughout
+the industry.
+
+### <a name="access"></a>Access to source code
+
+Public BIND releases are always available from the
+[ISC FTP site](ftp://ftp.isc.org/isc/bind9).
+
+A public-access git repository is also available at
+[https://gitlab.isc.org](https://gitlab.isc.org).  This repository
+contains all public release branches. Upcoming releases can be viewed in
+their current state at any time.  Short-lived development branches
+contain unreviewed work in progress.  Commits which address security
+vulnerablilities are withheld until after public disclosure.
+
+You can browse the source online via
+[https://gitlab.isc.org/isc-projects/bind9](https://gitlab.isc.org/isc-projects/bind9)
+
+To clone the repository, use:
+
+>       $ git clone https://gitlab.isc.org/isc-projects/bind9.git
+
+Release branch names are of the form `bind-9.X`, where X represents the second
+number in the BIND 9 version number.  So, to check out the BIND 9.18
+branch, use:
+
+>       $ git checkout bind-9.18
+
+Whenever a branch is ready for publication, a tag is placed of the
+form `v9.X.Y`.  The 9.18.0 release, for instance, is tagged as `v9.18.0`.
+
+The branch in which the next major release is being developed is called
+`main`.
+
+### <a name="bugs"></a>Reporting bugs
+
+Reports of flaws in the BIND package, including software bugs, errors
+in the documentation, missing files in the tarball, suggested changes
+or requests for new features, etc., can be filed using
+[https://gitlab.isc.org/isc-projects/bind9/issues](https://gitlab.isc.org/isc-projects/bind9/issues).
+
+Due to a large ticket backlog, we are sometimes slow to respond,
+especially if a bug is cosmetic or if a feature request is vague or
+low in priority, but we try at least to acknowledge legitimate
+bug reports within a week.
+
+ISC's GitLab system is publicly readable; however, you must have
+an account to create a new issue. You can either register locally or
+use credentials from an existing account at GitHub, GitLab, Google,
+Twitter, or Facebook.
+
+### Reporting possible security issues
+
+If you think you may be seeing a potential security vulnerability in BIND
+(for example, a crash with REQUIRE, INSIST, or ASSERT failure), please
+report it immediately by emailing to security-officer@isc.org. Plain-text
+e-mail is not a secure choice for communications concerning undisclosed
+security issues so please encrypt your communications to us if possible,
+using the [ISC Security Officer public key](https://www.isc.org/pgpkey/).
+
+Do not discuss undisclosed security vulnerabilities on any public mailing list.
+ISC has a long history of handling reported vulnerabilities promptly and
+effectively and we respect and acknowledge responsible reporters.
+
+ISC's Security Vulnerability Disclosure Policy is documented at
+[https://kb.isc.org/docs/aa-00861](https://kb.isc.org/docs/aa-00861).
+
+If you have a crash, you may want to consult
+["What to do if your BIND or DHCP server has crashed."](https://kb.isc.org/docs/aa-00340)
+
+### <a name="contrib"></a>Contributing code
+
+BIND is licensed under the
+[Mozilla Public License 2.0](https://www.mozilla.org/en-US/MPL/2.0/).
+Earlier versions (BIND 9.10 and earlier) were licensed under the
+[ISC License](https://www.isc.org/licenses/)
+
+ISC does not require an explicit copyright assignment for patch
+contributions.  However, by submitting a patch to ISC, you implicitly
+certify that you are the author of the code, that you intend to relinquish
+exclusive copyright, and that you grant permission to publish your work
+under the open source license used for the BIND version(s) to which your
+patch will be applied.
+
+#### <a name="bind"></a>BIND code
+
+Patches for BIND may be submitted directly via merge requests in
+[ISC's GitLab](https://gitlab.isc.org/isc-projects/bind9/) source
+repository for BIND.
+
+Patches can also be submitted as diffs against a specific version of
+BIND -- preferably the current top of the `main` branch.  Diffs may
+be generated using either `git format-patch` or `git diff`.
+
+Those wanting to write code for BIND may be interested in the
+[developer information](doc/dev/dev.md) page, which includes information
+about BIND design and coding practices, including discussion of internal
+APIs and overall system architecture.
+
+Every patch submitted is reviewed by ISC engineers following our
+[code review process](doc/dev/dev.md#reviews) before it is merged.
+
+It may take considerable time to review patch submissions, especially if
+they don't meet ISC style and quality guidelines.  If a patch is a good
+idea, we can and will do additional work to bring it up to par, but if
+we're busy with other work, it may take us a long time to get to it.
+
+To ensure your patch is acted on as promptly as possible, please:
+
+* Try to adhere to the [BIND 9 coding style](doc/dev/style.md).
+* Run `make check` to ensure your change hasn't caused any
+  functional regressions.
+* Document your work, both in the patch itself and in the
+  accompanying email.
+* In patches that make non-trivial functional changes, include system
+  tests if possible; when introducing or substantially altering a
+  library API, include unit tests. See [Testing](doc/dev/dev.md#testing)
+  for more information.
+
+##### Changes to `configure`
+
+If you need to make changes to `configure`, you should not edit it
+directly; instead, edit `configure.in`, then run `autoconf`.  Similarly,
+instead of editing `config.h.in` directly, edit `configure.in` and run
+`autoheader`.
+
+When submitting a patch as a diff, it's fine to omit the `configure`
+diffs to save space.  Just send the `configure.in` diffs and we'll
+generate the new `configure` during the review process.
+
+##### Documentation
+
+All functional changes should be documented. There are three types
+of documentation in the BIND source tree:
+
+* Man pages are kept alongside the source code for the commands
+  they document, in files ending in `.rst`: for example, the
+  `named` man page is `bin/named/named.rst`.
+* The *BIND 9 Administrator Reference Manual* is in the .rst files in
+  `doc/arm/`; the PDF and HTML versions are automatically generated from
+  the `.rst` files.
+* API documentation is in the header file describing the API, in
+  Doxygen-formatted comments.
+
+Patches to improve existing documentation are also very welcome!
+
+##### Tests
+
+BIND is a large and complex project. We rely heavily on continuous
+automated testing and cannot merge new code without adequate test coverage.
+Please see [the "Testing" section of doc/dev/dev.md](doc/dev/dev.md#testing)
+for more information.
+
+#### Thanks
+
+Thank you for your interest in contributing to the ongoing development
+of BIND 9.
diff --git a/COPYRIGHT b/COPYRIGHT
new file mode 100644
index 0000000..c6e4d03
--- /dev/null
+++ b/COPYRIGHT
@@ -0,0 +1,369 @@
+Copyright (C) 1996-2023  Internet Systems Consortium, Inc. ("ISC")
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+ -----------------------------------------------------------------------------
+
+	Portions of this code release fall under one or more of the
+	following Copyright notices.  Please see individual source
+	files for details.
+
+	For binary releases also see: OpenSSL-LICENSE.
+
+Copyright (C) 1996-2001  Nominum, Inc.
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND NOMINUM DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL NOMINUM BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+ -----------------------------------------------------------------------------
+
+Copyright (C) 1995-2000 by Network Associates, Inc.
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+ -----------------------------------------------------------------------------
+
+Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the
+above copyright notice and this permission notice appear in all
+copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND STICHTING NLNET
+DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+STICHTING NLNET BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
+USE OR PERFORMANCE OF THIS SOFTWARE.
+
+The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
+conceived and contributed by Rob Butler.
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the
+above copyright notice and this permission notice appear in all
+copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND ROB BUTLER
+DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ROB BUTLER BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
+USE OR PERFORMANCE OF THIS SOFTWARE.
+
+ -----------------------------------------------------------------------------
+
+Copyright (c) 1987, 1990, 1993, 1994
+     The Regents of the University of California.  All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+3. Neither the name of the University nor the names of its contributors
+   may be used to endorse or promote products derived from this software
+   without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+ -----------------------------------------------------------------------------
+
+Copyright (C) The Internet Society 2005.  This version of
+this module is part of RFC 4178; see the RFC itself for
+full legal notices.
+
+(The above copyright notice is per RFC 3978 5.6 (a), q.v.)
+
+ -----------------------------------------------------------------------------
+
+Copyright (c) 2004 Masarykova universita
+(Masaryk University, Brno, Czech Republic)
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice,
+   this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+3. Neither the name of the University nor the names of its contributors may
+   be used to endorse or promote products derived from this software
+   without specific prior written permission.
+ 
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
+
+ -----------------------------------------------------------------------------
+
+Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+(Royal Institute of Technology, Stockholm, Sweden). 
+All rights reserved. 
+
+Redistribution and use in source and binary forms, with or without 
+modification, are permitted provided that the following conditions 
+are met: 
+
+1. Redistributions of source code must retain the above copyright 
+   notice, this list of conditions and the following disclaimer. 
+
+2. Redistributions in binary form must reproduce the above copyright 
+   notice, this list of conditions and the following disclaimer in the 
+   documentation and/or other materials provided with the distribution. 
+
+3. Neither the name of the Institute nor the names of its contributors 
+   may be used to endorse or promote products derived from this software 
+   without specific prior written permission. 
+
+THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+SUCH DAMAGE. 
+
+ -----------------------------------------------------------------------------
+
+Copyright (c) 1993 by Digital Equipment Corporation.
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies, and that
+the name of Digital Equipment Corporation not be used in advertising or
+publicity pertaining to distribution of the document or software without
+specific, written prior permission.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
+WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
+OF MERCHANTABILITY AND FITNESS.   IN NO EVENT SHALL DIGITAL EQUIPMENT
+CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+SOFTWARE.
+
+ -----------------------------------------------------------------------------
+
+Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+3. Neither the name of the project nor the names of its contributors
+   may be used to endorse or promote products derived from this software
+   without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+ -----------------------------------------------------------------------------
+
+Copyright (c) 1999-2000 by Nortel Networks Corporation
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND NORTEL NETWORKS DISCLAIMS
+ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL NORTEL NETWORKS
+BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES
+OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
+WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
+ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+SOFTWARE.
+
+ -----------------------------------------------------------------------------
+
+Copyright (C) 2004  Nominet, Ltd.
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND NOMINET DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+PERFORMANCE OF THIS SOFTWARE.
+
+ -----------------------------------------------------------------------------
+
+Copyright (c) 1996, David Mazieres <dm@uun.org>
+Copyright (c) 2008, Damien Miller <djm@openbsd.org>
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+-----------------------------------------------------------------------------
+
+Copyright (c) 1995, 1997, 1998 The NetBSD Foundation, Inc.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
+
+-----------------------------------------------------------------------------
+
+Copyright (C) 2008-2011  Red Hat, Inc.
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND Red Hat DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS.  IN NO EVENT SHALL Red Hat BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+PERFORMANCE OF THIS SOFTWARE.
+
+-----------------------------------------------------------------------------
+
+Copyright (c) 2013-2014, Farsight Security, Inc.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+notice, this list of conditions and the following disclaimer in the
+documentation and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR
+CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+-----------------------------------------------------------------------------
+
+Copyright (c) 2014 by Farsight Security, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
diff --git a/HISTORY b/HISTORY
new file mode 100644
index 0000000..0485c38
--- /dev/null
+++ b/HISTORY
@@ -0,0 +1,600 @@
+HISTORY
+
+Functional enhancements from prior major releases of BIND 9
+
+BIND 9.14
+
+BIND 9.14 (a stable branch based on the 9.13 development branch) includes
+a number of changes from BIND 9.12 and earlier releases. New features
+include:
+
+  * A new "plugin" mechanism has been added to allow query functionality
+    to be extended using dynamically loadable libraries. The "filter-aaaa"
+    feature has been removed from named and is now implemented as a
+    plugin.
+  * Socket and task code has been refactored to improve performance.
+  * QNAME minimization, as described in RFC 7816, is now supported.
+  * "Root key sentinel" support, enabling validating resolvers to indicate
+    via a special query which trust anchors are configured for the root
+    zone.
+  * Secondary zones can now be configured as "mirror" zones; their
+    contents are transferred in as with traditional slave zones, but are
+    subject to DNSSEC validation and are not treated as authoritative data
+    when answering. This makes it easier to configure a local copy of the
+    root zone as described in RFC 7706.
+  * The "validate-except" option allows configuration of domains below
+    which DNSSEC validation should not be performed.
+  * The default value of "dnssec-validation" is now "auto".
+  * IDNA2008 is now supported when linking with libidn2.
+  * "named -V" now outputs the default paths for files used by named and
+    other tools.
+
+In addition, workarounds that were formerly in place to enable resolution
+of domains whose authoritative servers did not respond to EDNS queries
+have been removed. See https://dnsflagday.net for more details.
+
+Cryptographic support has been modernized. BIND now uses the best
+available pseudo-random number generator for the platform on which it's
+built. Very old versions of OpenSSL are no longer supported. Cryptography
+is now mandatory: building BIND without DNSSEC is no longer supported.
+
+Special code to support certain legacy operating systems has also been
+removed; see the doc/arm/platforms.rst file for details of supported
+platforms. In addition to OpenSSL, BIND now requires support for IPv6,
+threads, and standard atomic operations provided by the C compiler.
+
+BIND 9.12
+
+BIND 9.12 includes a number of changes from BIND 9.11 and earlier
+releases. New features include:
+
+  * named and related libraries have been substantially refactored for
+    improved query performance -- particularly on delegation heavy zones
+    -- and for improved readability, maintainability, and testability.
+  * Code implementing the name server query processing logic has been
+    moved into a new libns library, for easier testing and use in tools
+    other than named.
+  * Cached, validated NSEC and other records can now be used to synthesize
+    NXDOMAIN responses.
+  * The DNS Response Policy Service API (DNSRPS) is now supported.
+  * Setting 'max-journal-size default' now limits the size of journal
+    files to twice the size of the zone.
+  * dnstap-read -x prints a hex dump of the wire format of each logged DNS
+    message.
+  * dnstap output files can now be configured to roll automatically when
+    reaching a given size.
+  * Log file timestamps can now also be formatted in ISO 8601 (local) or
+    ISO 8601 (UTC) formats.
+  * Logging channels and dnstap output files can now be configured to use
+    a timestamp as the suffix when rolling to a new file.
+  * 'named-checkconf -l' lists zones found in named.conf.
+  * Added support for the EDNS Padding and Keepalive options.
+  * 'new-zones-directory' option sets the location where the configuration
+    data for zones added by rndc addzone is stored.
+  * The default key algorithm in rndc-confgen is now hmac-sha256.
+  * filter-aaaa-on-v4 and filter-aaaa-on-v6 options are now available by
+    default without a configure option.
+  * The obsolete isc-hmac-fixup command has been removed.
+
+BIND 9.11
+
+BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier
+releases. New features include:
+
+  * Added support for Catalog Zones, a new method for provisioning
+    servers: a list of zones to be served is stored in a DNS zone, along
+    with their configuration parameters. Changes to the catalog zone are
+    propagated to slaves via normal AXFR/IXFR, whereupon the zones that
+    are listed in it are automatically added, deleted or reconfigured.
+  * Added support for "dnstap", a fast and flexible method of capturing
+    and logging DNS traffic.
+  * Added support for "dyndb", a new API for loading zone data from an
+    external database, developed by Red Hat for the FreeIPA project.
+  * "fetchlimit" quotas are now compiled in by default. These are for the
+    use of recursive resolvers that are are under high query load for
+    domains whose authoritative servers are nonresponsive or are
+    experiencing a denial of service attack:
+      + "fetches-per-server" limits the number of simultaneous queries
+        that can be sent to any single authoritative server. The
+        configured value is a starting point; it is automatically adjusted
+        downward if the server is partially or completely non-responsive.
+        The algorithm used to adjust the quota can be configured via the
+        "fetch-quota-params" option.
+      + "fetches-per-zone" limits the number of simultaneous queries that
+        can be sent for names within a single domain. (Note: Unlike
+        "fetches-per-server", this value is not self-tuning.)
+      + New stats counters have been added to count queries spilled due to
+        these quotas.
+  * Added a new "dnssec-keymgr" key mainenance utility, which can generate
+    or update keys as needed to ensure that a zone's keys match a defined
+    DNSSEC policy.
+  * The experimental "SIT" feature in BIND 9.10 has been renamed "COOKIE"
+    and is no longer optional. EDNS COOKIE is a mechanism enabling clients
+    to detect off-path spoofed responses, and servers to detect
+    spoofed-source queries. Clients that identify themselves using COOKIE
+    options are not subject to response rate limiting (RRL) and can
+    receive larger UDP responses.
+  * SERVFAIL responses can now be cached for a limited time (defaulting to
+    1 second, with an upper limit of 30). This can reduce the frequency of
+    retries when a query is persistently failing.
+  * Added an "nsip-wait-recurse" switch to RPZ. This causes NSIP rules to
+    be skipped if a name server IP address isn't in the cache yet; the
+    address will be looked up and the rule will be applied on future
+    queries.
+  * Added a Python RNDC module. This allows multiple commands to sent over
+    a persistent RNDC channel, which saves time.
+  * The "controls" block in named.conf can now grant read-only "rndc"
+    access to specified clients or keys. Read-only clients could, for
+    example, check "rndc status" but could not reconfigure or shut down
+    the server.
+  * "rndc" commands can now return arbitrarily large amounts of text to
+    the caller.
+  * The zone serial number of a dynamically updatable zone can now be set
+    via "rndc signing -serial ". This allows inline-signing zones to be
+    set to a specific serial number.
+  * The new "rndc nta" command can be used to set a Negative Trust Anchor
+    (NTA), disabling DNSSEC validation for a specific domain; this can be
+    used when responses from a domain are known to be failing validation
+    due to administrative error rather than because of a spoofing attack.
+    Negative trust anchors are strictly temporary; by default they expire
+    after one hour, but can be configured to last up to one week.
+  * "rndc delzone" can now be used on zones that were not originally
+    created by "rndc addzone".
+  * "rndc modzone" reconfigures a single zone, without requiring the
+    entire server to be reconfigured.
+  * "rndc showzone" displays the current configuration of a zone.
+  * "rndc managed-keys" can be used to check the status of RFC 5011
+    managed trust anchors, or to force trust anchors to be refreshed.
+  * "max-cache-size" can now be set to a percentage of available memory.
+    The default is 90%.
+  * Update forwarding performance has been improved by allowing a single
+    TCP connection to be shared by multiple updates.
+  * The EDNS Client Subnet (ECS) option is now supported for authoritative
+    servers; if a query contains an ECS option then ACLs containing
+    "geoip" or "ecs" elements can match against the the address encoded in
+    the option. This can be used to select a view for a query, so that
+    different answers can be provided depending on the client network.
+  * The EDNS EXPIRE option has been implemented on the client side,
+    allowing a slave server to set the expiration timer correctly when
+    transferring zone data from another slave server.
+  * The key generation and manipulation tools (dnssec-keygen,
+    dnssec-settime, dnssec-importkey, dnssec-keyfromlabel) now take
+    "-Psync" and "-Dsync" options to set the publication and deletion
+    times of CDS and CDNSKEY parent-synchronization records. Both named
+    and dnssec-signzone can now publish and remove these records at the
+    scheduled times.
+  * A new "minimal-any" option reduces the size of UDP responses for query
+    type ANY by returning a single arbitrarily selected RRset instead of
+    all RRsets.
+  * A new "masterfile-style" zone option controls the formatting of text
+    zone files: When set to "full", a zone file is dumped in
+    single-line-per-record format.
+  * "serial-update-method" can now be set to "date". On update, the serial
+    number will be set to the current date in YYYYMMDDNN format.
+  * "dnssec-signzone -N date" sets the serial number to YYYYMMDDNN.
+  * "named -L " causes named to send log messages to the specified file by
+    default instead of to the system log.
+  * "dig +ttlunits" prints TTL values with time-unit suffixes: w, d, h, m,
+    s for weeks, days, hours, minutes, and seconds.
+  * "dig +unknownformat" prints dig output in RFC 3597 "unknown record"
+    presentation format.
+  * "dig +ednsopt" allows dig to set arbitrary EDNS options on requests.
+  * "dig +ednsflags" allows dig to set yet-to-be-defined EDNS flags on
+    requests.
+  * "mdig" is an alternate version of dig which sends multiple pipelined
+    TCP queries to a server. Instead of waiting for a response after
+    sending a query, it sends all queries immediately and displays
+    responses in the order received.
+  * "serial-query-rate" no longer controls NOTIFY messages. These are
+    separately controlled by "notify-rate" and "startup-notify-rate".
+  * "nsupdate" now performs "check-names" processing by default on records
+    to be added. This can be disabled with "check-names no".
+  * The statistics channel now supports DEFLATE compression, reducing the
+    size of the data sent over the network when querying statistics.
+  * New counters have been added to the statistics channel to track the
+    sizes of incoming queries and outgoing responses in histogram buckets,
+    as specified in RSSAC002.
+  * A new NXDOMAIN redirect method (option "nxdomain-redirect") has been
+    added, allowing redirection to a specified DNS namespace instead of a
+    single redirect zone.
+  * When starting up, named now ensures that no other named process is
+    already running.
+  * Files created by named to store information, including "mkeys" and
+    "nzf" files, are now named after their corresponding views unless the
+    view name contains characters incompatible with use as a filename. Old
+    style filenames (based on the hash of the view name) will still work.
+
+BIND 9.10.0
+
+BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier
+releases. New features include:
+
+  * DNS Response-rate limiting (DNS RRL), which blunts the impact of
+    reflection and amplification attacks, is always compiled in and no
+    longer requires a compile-time option to enable it.
+  * An experimental "Source Identity Token" (SIT) EDNS option is now
+    available. Similar to DNS Cookies as invented by Donald Eastlake 3rd,
+    these are designed to enable clients to detect off-path spoofed
+    responses, and to enable servers to detect spoofed-source queries.
+    Servers can be configured to send smaller responses to clients that
+    have not identified themselves using a SIT option, reducing the
+    effectiveness of amplification attacks. RRL processing has also been
+    updated; clients proven to be legitimate via SIT are not subject to
+    rate limiting. Use "configure --enable-sit" to enable this feature in
+    BIND.
+  * A new zone file format, "map", stores zone data in a format that can
+    be mapped directly into memory, allowing significantly faster zone
+    loading.
+  * "delv" (domain entity lookup and validation) is a new tool with
+    dig-like semantics for looking up DNS data and performing internal
+    DNSSEC validation. This allows easy validation in environments where
+    the resolver may not be trustworthy, and assists with troubleshooting
+    of DNSSEC problems. (NOTE: In previous development releases of BIND
+    9.10, this utility was called "delve". The spelling has been changed
+    to avoid confusion with the "delve" utility included with the Xapian
+    search engine.)
+  * Improved EDNS(0) processing for better resolver performance and
+    reliability over slow or lossy connections.
+  * A new "configure --with-tuning=large" option tunes certain compiled-in
+    constants and default settings to values better suited to large
+    servers with abundant memory. This can improve performance on such
+    servers, but will consume more memory and may degrade performance on
+    smaller systems.
+  * Substantial improvement in response-policy zone (RPZ) performance. Up
+    to 32 response-policy zones can be configured with minimal performance
+    loss.
+  * To improve recursive resolver performance, cache records which are
+    still being requested by clients can now be automatically refreshed
+    from the authoritative server before they expire, reducing or
+    eliminating the time window in which no answer is available in the
+    cache.
+  * New "rpz-client-ip" triggers and drop policies allowing response
+    policies based on the IP address of the client.
+  * ACLs can now be specified based on geographic location using the
+    MaxMind GeoIP databases. Use "configure --with-geoip" to enable.
+  * Zone data can now be shared between views, allowing multiple views to
+    serve the same zones authoritatively without storing multiple copies
+    in memory.
+  * New XML schema (version 3) for the statistics channel includes many
+    new statistics and uses a flattened XML tree for faster parsing. The
+    older schema is now deprecated.
+  * A new stylesheet, based on the Google Charts API, displays XML
+    statistics in charts and graphs on javascript-enabled browsers.
+  * The statistics channel can now provide data in JSON format as well as
+    XML.
+  * New stats counters track TCP and UDP queries received per zone, and
+    EDNS options received in total.
+  * The internal and export versions of the BIND libraries (libisc,
+    libdns, etc) have been unified so that external library clients can
+    use the same libraries as BIND itself.
+  * A new compile-time option, "configure --enable-native-pkcs11", allows
+    BIND 9 cryptography functions to use the PKCS#11 API natively, so that
+    BIND can drive a cryptographic hardware service module (HSM) directly
+    instead of using a modified OpenSSL as an intermediary. (Note: This
+    feature requires an HSM to have a full implementation of the PKCS#11
+    API; many current HSMs only have partial implementations. The new
+    "pkcs11-tokens" command can be used to check API completeness. Native
+    PKCS#11 is known to work with the Thales nShield HSM and with SoftHSM
+    version 2 from the Open DNSSEC project.)
+  * The new "max-zone-ttl" option enforces maximum TTLs for zones. This
+    can simplify the process of rolling DNSSEC keys by guaranteeing that
+    cached signatures will have expired within the specified amount of
+    time.
+  * "dig +subnet" sends an EDNS CLIENT-SUBNET option when querying.
+  * "dig +expire" sends an EDNS EXPIRE option when querying. When this
+    option is sent with an SOA query to a server that supports it, it will
+    report the expiry time of a slave zone.
+  * New "dnssec-coverage" tool to check DNSSEC key coverage for a zone and
+    report if a lapse in signing coverage has been inadvertently
+    scheduled.
+  * Signing algorithm flexibility and other improvements for the "rndc"
+    control channel.
+  * "named-checkzone" and "named-compilezone" can now read journal files,
+    allowing them to process dynamic zones.
+  * Multiple DLZ databases can now be configured. Individual zones can be
+    configured to be served from a specific DLZ database. DLZ databases
+    now serve zones of type "master" and "redirect".
+  * "rndc zonestatus" reports information about a specified zone.
+  * "named" now listens on IPv6 as well as IPv4 interfaces by default.
+  * "named" now preserves the capitalization of names when responding to
+    queries: for instance, a query for "example.com" may be answered with
+    "example.COM" if the name was configured that way in the zone file.
+    Some clients have a bug causing them to depend on the older behavior,
+    in which the case of the answer always matched the case of the query,
+    rather than the case of the name configured in the DNS. Such clients
+    can now be specified in the new "no-case-compress" ACL; this will
+    restore the older behavior of "named" for those clients only.
+  * new "dnssec-importkey" command allows the use of offline DNSSEC keys
+    with automatic DNSKEY management.
+  * New "named-rrchecker" tool to verify the syntactic correctness of
+    individual resource records.
+  * When re-signing a zone, the new "dnssec-signzone -Q" option drops
+    signatures from keys that are still published but are no longer
+    active.
+  * "named-checkconf -px" will print the contents of configuration files
+    with the shared secrets obscured, making it easier to share
+    configuration (e.g. when submitting a bug report) without revealing
+    private information.
+  * "rndc scan" causes named to re-scan network interfaces for changes in
+    local addresses.
+  * On operating systems with support for routing sockets, network
+    interfaces are re-scanned automatically whenever they change.
+  * "tsig-keygen" is now available as an alternate command name to use for
+    "ddns-confgen".
+
+BIND 9.9.0
+
+BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
+releases. New features include:
+
+  * Inline signing, allowing automatic DNSSEC signing of master zones
+    without modification of the zonefile, or "bump in the wire" signing in
+    slaves.
+  * NXDOMAIN redirection.
+  * New 'rndc flushtree' command clears all data under a given name from
+    the DNS cache.
+  * New 'rndc sync' command dumps pending changes in a dynamic zone to
+    disk without a freeze/thaw cycle.
+  * New 'rndc signing' command displays or clears signing status records
+    in 'auto-dnssec' zones.
+  * NSEC3 parameters for 'auto-dnssec' zones can now be set prior to
+    signing, eliminating the need to initially sign with NSEC.
+  * Startup time improvements on large authoritative servers.
+  * Slave zones are now saved in raw format by default.
+  * Several improvements to response policy zones (RPZ).
+  * Improved hardware scalability by using multiple threads to listen for
+    queries and using finer-grained client locking
+  * The 'also-notify' option now takes the same syntax as 'masters', so it
+    can used named masterlists and TSIG keys.
+  * 'dnssec-signzone -D' writes an output file containing only DNSSEC
+    data, which can be included by the primary zone file.
+  * 'dnssec-signzone -R' forces removal of signatures that are not expired
+    but were created by a key which no longer exists.
+  * 'dnssec-signzone -X' allows a separate expiration date to be specified
+    for DNSKEY signatures from other signatures.
+  * New '-L' option to dnssec-keygen, dnssec-settime, and
+    dnssec-keyfromlabel sets the default TTL for the key.
+  * dnssec-dsfromkey now supports reading from standard input, to make it
+    easier to convert DNSKEY to DS.
+  * RFC 1918 reverse zones have been added to the empty-zones table per
+    RFC 6303.
+  * Dynamic updates can now optionally set the zone's SOA serial number to
+    the current UNIX time.
+  * DLZ modules can now retrieve the source IP address of the querying
+    client.
+  * 'request-ixfr' option can now be set at the per-zone level.
+  * 'dig +rrcomments' turns on comments about DNSKEY records, indicating
+    their key ID, algorithm and function
+  * Simplified nsupdate syntax and added readline support
+
+BIND 9.8.0
+
+BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier
+releases. New features include:
+
+  * Built-in trust anchor for the root zone, which can be switched on via
+    "dnssec-validation auto;"
+  * Support for DNS64.
+  * Support for response policy zones (RPZ).
+  * Support for writable DLZ zones.
+  * Improved ease of configuration of GSS/TSIG for interoperability with
+    Active Directory
+  * Support for GOST signing algorithm for DNSSEC.
+  * Removed RTT Banding from server selection algorithm.
+  * New "static-stub" zone type.
+  * Allow configuration of resolver timeouts via "resolver-query-timeout"
+    option.
+  * The DLZ "dlopen" driver is now built by default.
+  * Added a new include file with function typedefs for the DLZ "dlopen"
+    driver.
+  * Made "--with-gssapi" default.
+  * More verbose error reporting from DLZ LDAP.
+
+BIND 9.7.0
+
+BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier
+releases. Most are intended to simplify DNSSEC configuration. New features
+include:
+
+  * Fully automatic signing of zones by "named".
+  * Simplified configuration of DNSSEC Lookaside Validation (DLV).
+  * Simplified configuration of Dynamic DNS, using the "ddns-confgen"
+    command line tool or the "local" update-policy option. (As a side
+    effect, this also makes it easier to configure automatic zone
+    re-signing.)
+  * New named option "attach-cache" that allows multiple views to share a
+    single cache.
+  * DNS rebinding attack prevention.
+  * New default values for dnssec-keygen parameters.
+  * Support for RFC 5011 automated trust anchor maintenance
+  * Smart signing: simplified tools for zone signing and key maintenance.
+  * The "statistics-channels" option is now available on Windows.
+  * A new DNSSEC-aware libdns API for use by non-BIND9 applications
+  * On some platforms, named and other binaries can now print out a stack
+    backtrace on assertion failure, to aid in debugging.
+  * A "tools only" installation mode on Windows, which only installs dig,
+    host, nslookup and nsupdate.
+  * Improved PKCS#11 support, including Keyper support and explicit
+    OpenSSL engine selection.
+
+BIND 9.6.0
+
+  * Full NSEC3 support
+  * Automatic zone re-signing
+  * New update-policy methods tcp-self and 6to4-self
+  * The BIND 8 resolver library, libbind, has been removed from the BIND 9
+    distribution and is now available as a separate download.
+  * Change the default pid file location from /var/run to /var/run/
+    {named,lwresd} for improved chroot/setuid support.
+
+BIND 9.5.0
+
+  * GSS-TSIG support (RFC 3645).
+  * DHCID support.
+  * Experimental http server and statistics support for named via xml.
+  * More detailed statistics counters including those supported in BIND 8.
+  * Faster ACL processing.
+  * Use Doxygen to generate internal documentation.
+  * Efficient LRU cache-cleaning mechanism.
+  * NSID support.
+
+BIND 9.4.0
+
+  * Implemented "additional section caching (or acache)", an internal
+    cache framework for additional section content to improve response
+    performance. Several configuration options were provided to control
+    the behavior.
+  * New notify type 'master-only'. Enable notify for master zones only.
+  * Accept 'notify-source' style syntax for query-source.
+  * rndc now allows addresses to be set in the server clauses.
+  * New option "allow-query-cache". This lets "allow-query" be used to
+    specify the default zone access level rather than having to have every
+    zone override the global value. "allow-query-cache" can be set at both
+    the options and view levels. If "allow-query-cache" is not set then
+    "allow-recursion" is used if set, otherwise "allow-query" is used if
+    set unless "recursion no;" is set in which case "none;" is used,
+    otherwise the default (localhost; localnets;) is used.
+  * rndc: the source address can now be specified.
+  * ixfr-from-differences now takes master and slave in addition to yes
+    and no at the options and view levels.
+  * Allow the journal's name to be changed via named.conf.
+  * 'rndc notify zone [class [view]]' resend the NOTIFY messages for the
+    specified zone.
+  * 'dig +trace' now randomly selects the next servers to try. Report if
+    there is a bad delegation.
+  * Improve check-names error messages.
+  * Make public the function to read a key file, dst_key_read_public().
+  * dig now returns the byte count for axfr/ixfr.
+  * allow-update is now settable at the options / view level.
+  * named-checkconf now checks the logging configuration.
+  * host now can turn on memory debugging flags with '-m'.
+  * Don't send notify messages to self.
+  * Perform sanity checks on NS records which refer to 'in zone' names.
+  * New zone option "notify-delay". Specify a minimum delay between sets
+    of NOTIFY messages.
+  * Extend adjusting TTL warning messages.
+  * Named and named-checkzone can now both check for non-terminal wildcard
+    records.
+  * "rndc freeze/thaw" now freezes/thaws all zones.
+  * named-checkconf now check acls to verify that they only refer to
+    existing acls.
+  * The server syntax has been extended to support a range of servers.
+  * Report differences between hints and real NS rrset and associated
+    address records.
+  * Preserve the case of domain names in rdata during zone transfers.
+  * Restructured the data locking framework using architecture dependent
+    atomic operations (when available), improving response performance on
+    multi-processor machines significantly. x86, x86_64, alpha, powerpc,
+    and mips are currently supported.
+  * UNIX domain controls are now supported.
+  * Add support for additional zone file formats for improving loading
+    performance. The masterfile-format option in named.conf can be used to
+    specify a non-default format. A separate command named-compilezone was
+    provided to generate zone files in the new format. Additionally, the
+    -I and -O options for dnssec-signzone specify the input and output
+    formats.
+  * dnssec-signzone can now randomize signature end times (dnssec-signzone
+    -j jitter).
+  * Add support for CH A record.
+  * Add additional zone data constancy checks. named-checkzone has
+    extended checking of NS, MX and SRV record and the hosts they
+    reference. named has extended post zone load checks. New zone options:
+    check-mx and integrity-check.
+  * edns-udp-size can now be overridden on a per server basis.
+  * dig can now specify the EDNS version when making a query.
+  * Added framework for handling multiple EDNS versions.
+  * Additional memory debugging support to track size and mctx arguments.
+  * Detect duplicates of UDP queries we are recursing on and drop them.
+    New stats category "duplicates".
+  * "USE INTERNAL MALLOC" is now runtime selectable.
+  * The lame cache is now done on a <qname,qclass,qtype> basis as some
+    servers only appear to be lame for certain query types.
+  * Limit the number of recursive clients that can be waiting for a single
+    query (<qname,qtype,qclass>) to resolve. New options clients-per-query
+    and max-clients-per-query.
+  * dig: report the number of extra bytes still left in the packet after
+    processing all the records.
+  * Support for IPSECKEY rdata type.
+  * Raise the UDP receive buffer size to 32k if it is less than 32k.
+  * x86 and x86_64 now have separate atomic locking implementations.
+  * named-checkconf now validates update-policy entries.
+  * Attempt to make the amount of work performed in a iteration self
+    tuning. The covers nodes clean from the cache per iteration, nodes
+    written to disk when rewriting a master file and nodes destroyed per
+    iteration when destroying a zone or a cache.
+  * ISC string copy API.
+  * Automatic empty zone creation for D.F.IP6.ARPA and friends. Note: RFC
+    1918 zones are not yet covered by this but are likely to be in a
+    future release.
+  * New options: empty-server, empty-contact, empty-zones-enable and
+    disable-empty-zone.
+  * dig now has a '-q queryname' and '+showsearch' options.
+  * host/nslookup now continue (default)/fail on SERVFAIL.
+  * dig now warns if 'RA' is not set in the answer when 'RD' was set in
+    the query. host/nslookup skip servers that fail to set 'RA' when 'RD'
+    is set unless a server is explicitly set.
+  * Integrate contributed DLZ code into named.
+  * Integrate contributed IDN code from JPNIC.
+  * libbind: corresponds to that from BIND 8.4.7.
+
+BIND 9.3.0
+
+  * DNSSEC is now DS based (RFC 3658).
+  * DNSSEC lookaside validation.
+  * check-names is now implemented.
+  * rrset-order is more complete.
+  * IPv4/IPv6 transition support, dual-stack-servers.
+  * IXFR deltas can now be generated when loading master files,
+    ixfr-from-differences.
+  * It is now possible to specify the size of a journal, max-journal-size.
+  * It is now possible to define a named set of master servers to be used
+    in masters clause, masters.
+  * The advertised EDNS UDP size can now be set, edns-udp-size.
+  * allow-v6-synthesis has been obsoleted.
+  * Zones containing MD and MF will now be rejected.
+  * dig, nslookup name. now report "Not Implemented" as NOTIMP rather than
+    NOTIMPL. This will have impact on scripts that are looking for
+    NOTIMPL.
+  * libbind: corresponds to that from BIND 8.4.5.
+
+BIND 9.2.0
+
+  * The size of the cache can now be limited using the "max-cache-size"
+    option.
+  * The server can now automatically convert RFC1886-style recursive
+    lookup requests into RFC2874-style lookups, when enabled using the new
+    option "allow-v6-synthesis". This allows stub resolvers that support
+    AAAA records but not A6 record chains or binary labels to perform
+    lookups in domains that make use of these IPv6 DNS features.
+  * Performance has been improved.
+  * The man pages now use the more portable "man" macros rather than the
+    "mandoc" macros, and are installed by "make install".
+  * The named.conf parser has been completely rewritten. It now supports
+    "include" directives in more places such as inside "view" statements,
+    and it no longer has any reserved words.
+  * The "rndc status" command is now implemented.
+  * rndc can now be configured automatically.
+  * A BIND 8 compatible stub resolver library is now included in lib/bind.
+  * OpenSSL has been removed from the distribution. This means that to use
+    DNSSEC, OpenSSL must be installed and the --with-openssl option must
+    be supplied to configure. This does not apply to the use of TSIG,
+    which does not require OpenSSL.
+  * The source distribution now builds on Windows. See win32utils/
+    readme1.txt and win32utils/win32-build.txt for details.
+  * This distribution also includes a new lightweight stub resolver
+    library and associated resolver daemon that fully support forward and
+    reverse lookups of both IPv4 and IPv6 addresses. This library is
+    considered experimental and is not a complete replacement for the BIND
+    8 resolver library. Applications that use the BIND 8 res_* functions
+    to perform DNS lookups or dynamic updates still need to be linked
+    against the BIND 8 libraries. For DNS lookups, they can also use the
+    new "getrrsetbyname()" API.
+  * BIND 9.2 is capable of acting as an authoritative server for DNSSEC
+    secured zones. This functionality is believed to be stable and
+    complete except for lacking support for verifications involving
+    wildcard records in secure zones.
+  * When acting as a caching server, BIND 9.2 can be configured to perform
+    DNSSEC secure resolution on behalf of its clients. This part of the
+    DNSSEC implementation is still considered experimental. For detailed
+    information about the state of the DNSSEC implementation, see the file
+    doc/misc/dnssec.
diff --git a/HISTORY.md b/HISTORY.md
new file mode 100644
index 0000000..3a0f897
--- /dev/null
+++ b/HISTORY.md
@@ -0,0 +1,617 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+### Functional enhancements from prior major releases of BIND 9
+
+#### BIND 9.14
+
+BIND 9.14 (a stable branch based on the 9.13 development branch)
+includes a number of changes from BIND 9.12 and earlier releases.
+New features include:
+
+* A new "plugin" mechanism has been added to allow query functionality
+  to be extended using dynamically loadable libraries. The "filter-aaaa"
+  feature has been removed from named and is now implemented as a plugin.
+* Socket and task code has been refactored to improve performance.
+* QNAME minimization, as described in RFC 7816, is now supported.
+* "Root key sentinel" support, enabling validating resolvers to indicate
+  via a special query which trust anchors are configured for the root zone.
+* Secondary zones can now be configured as "mirror" zones; their contents
+  are transferred in as with traditional slave zones, but are subject to
+  DNSSEC validation and are not treated as authoritative data when
+  answering. This makes it easier to configure a local copy of the root
+  zone as described in RFC 7706.
+* The "validate-except" option allows configuration of domains below which
+  DNSSEC validation should not be performed.
+* The default value of "dnssec-validation" is now "auto".
+* IDNA2008 is now supported when linking with `libidn2`.
+* "named -V" now outputs the default paths for files used by named
+  and other tools.
+
+In addition, workarounds that were formerly in place to enable resolution
+of domains whose authoritative servers did not respond to EDNS queries
+have been removed. See [https://dnsflagday.net](https://dnsflagday.net)
+for more details.
+
+Cryptographic support has been modernized. BIND now uses the
+best available pseudo-random number generator for the platform on which
+it's built. Very old versions of OpenSSL are no longer supported.
+Cryptography is now mandatory: building BIND without DNSSEC is no
+longer supported.
+
+Special code to support certain legacy operating systems has also
+been removed; see the [doc/arm/platforms.rst](platforms) file for details
+of supported platforms. In addition to OpenSSL, BIND now requires
+support for IPv6, threads, and standard atomic operations provided
+by the C compiler.
+
+#### BIND 9.12
+
+BIND 9.12 includes a number of changes from BIND 9.11 and earlier releases.
+New features include:
+
+* `named` and related libraries have been substantially refactored for
+  improved query performance -- particularly on delegation heavy zones --
+  and for improved readability, maintainability, and testability.
+* Code implementing the name server query processing logic has been moved
+  into a new `libns` library, for easier testing and use in tools other
+  than `named`.
+* Cached, validated NSEC and other records can now be used to synthesize
+  NXDOMAIN responses.
+* The DNS Response Policy Service API (DNSRPS) is now supported.
+* Setting `'max-journal-size default'` now limits the size of journal files
+  to twice the size of the zone.
+* `dnstap-read -x` prints a hex dump of the wire format of each logged
+  DNS message.
+* `dnstap` output files can now be configured to roll automatically when
+  reaching a given size.
+* Log file timestamps can now also be formatted in ISO 8601 (local) or ISO
+  8601 (UTC) formats.
+* Logging channels and `dnstap` output files can now be configured to use a
+  timestamp as the suffix when rolling to a new file.
+* `'named-checkconf -l'` lists zones found in `named.conf`.
+* Added support for the EDNS Padding and Keepalive options.
+* 'new-zones-directory' option sets the location where the configuration
+  data for zones added by rndc addzone is stored.
+* The default key algorithm in `rndc-confgen` is now hmac-sha256.
+* `filter-aaaa-on-v4` and `filter-aaaa-on-v6` options are now available
+  by default without a configure option.
+* The obsolete `isc-hmac-fixup` command has been removed.
+
+#### BIND 9.11
+
+BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier
+releases.  New features include:
+
+- Added support for Catalog Zones, a new method for provisioning servers: a
+  list of zones to be served is stored in a DNS zone, along with their
+  configuration parameters. Changes to the catalog zone are propagated to
+  slaves via normal AXFR/IXFR, whereupon the zones that are listed in it
+  are automatically added, deleted or reconfigured.
+- Added support for "dnstap", a fast and flexible method of capturing and
+  logging DNS traffic.
+- Added support for "dyndb", a new API for loading zone data from an
+  external database, developed by Red Hat for the FreeIPA project.
+- "fetchlimit" quotas are now compiled in by default.  These are for the
+  use of recursive resolvers that are are under high query load for domains
+  whose authoritative servers are nonresponsive or are experiencing a
+  denial of service attack:
+    - "fetches-per-server" limits the number of simultaneous queries that
+      can be sent to any single authoritative server.  The configured value
+      is a starting point; it is automatically adjusted downward if the
+      server is partially or completely non-responsive. The algorithm used
+      to adjust the quota can be configured via the "fetch-quota-params"
+      option.
+    - "fetches-per-zone" limits the number of simultaneous queries that can
+      be sent for names within a single domain.  (Note: Unlike
+      "fetches-per-server", this value is not self-tuning.)
+    - New stats counters have been added to count queries spilled due to
+      these quotas.
+- Added a new "dnssec-keymgr" key mainenance utility, which can generate or
+  update keys as needed to ensure that a zone's keys match a defined DNSSEC
+  policy.
+- The experimental "SIT" feature in BIND 9.10 has been renamed "COOKIE" and
+  is no longer optional. EDNS COOKIE is a mechanism enabling clients to
+  detect off-path spoofed responses, and servers to detect spoofed-source
+  queries.  Clients that identify themselves using COOKIE options are not
+  subject to response rate limiting (RRL) and can receive larger UDP
+  responses.
+- SERVFAIL responses can now be cached for a limited time (defaulting to 1
+  second, with an upper limit of 30).  This can reduce the frequency of
+  retries when a query is persistently failing.
+- Added an "nsip-wait-recurse" switch to RPZ. This causes NSIP rules to be
+  skipped if a name server IP address isn't in the cache yet; the address
+  will be looked up and the rule will be applied on future queries.
+- Added a Python RNDC module. This allows multiple commands to sent over a
+  persistent RNDC channel, which saves time.
+- The "controls" block in named.conf can now grant read-only "rndc" access
+  to specified clients or keys. Read-only clients could, for example, check
+  "rndc status" but could not reconfigure or shut down the server.
+- "rndc" commands can now return arbitrarily large amounts of text to the
+  caller.
+- The zone serial number of a dynamically updatable zone can now be set via
+  "rndc signing -serial <number> <zonename>".  This allows inline-signing
+  zones to be set to a specific serial number.
+- The new "rndc nta" command can be used to set a Negative Trust Anchor
+  (NTA), disabling DNSSEC validation for a specific domain; this can be
+  used when responses from a domain are known to be failing validation due
+  to administrative error rather than because of a spoofing attack.
+  Negative trust anchors are strictly temporary; by default they expire
+  after one hour, but can be configured to last up to one week.
+- "rndc delzone" can now be used on zones that were not originally created
+  by "rndc addzone".
+- "rndc modzone" reconfigures a single zone, without requiring the entire
+  server to be reconfigured.
+- "rndc showzone" displays the current configuration of a zone.
+- "rndc managed-keys" can be used to check the status of RFC 5011 managed
+  trust anchors, or to force trust anchors to be refreshed.
+- "max-cache-size" can now be set to a percentage of available memory. The
+  default is 90%.
+- Update forwarding performance has been improved by allowing a single TCP
+  connection to be shared by multiple updates.
+- The EDNS Client Subnet (ECS) option is now supported for authoritative
+  servers; if a query contains an ECS option then ACLs containing "geoip"
+  or "ecs" elements can match against the the address encoded in the
+  option.  This can be used to select a view for a query, so that different
+  answers can be provided depending on the client network.
+- The EDNS EXPIRE option has been implemented on the client side, allowing
+  a slave server to set the expiration timer correctly when transferring
+  zone data from another slave server.
+- The key generation and manipulation tools (dnssec-keygen, dnssec-settime,
+  dnssec-importkey, dnssec-keyfromlabel) now take "-Psync" and "-Dsync"
+  options to set the publication and deletion times of CDS and CDNSKEY
+  parent-synchronization records.  Both named and dnssec-signzone can now
+  publish and remove these records at the scheduled times.
+- A new "minimal-any" option reduces the size of UDP responses for query
+  type ANY by returning a single arbitrarily selected RRset instead of all
+  RRsets.
+- A new "masterfile-style" zone option controls the formatting of text zone
+  files:  When set to "full", a zone file is dumped in
+  single-line-per-record format.
+- "serial-update-method" can now be set to "date". On update, the serial
+  number will be set to the current date in YYYYMMDDNN format.
+- "dnssec-signzone -N date" sets the serial number to YYYYMMDDNN.
+- "named -L <filename>" causes named to send log messages to the specified
+  file by default instead of to the system log.
+- "dig +ttlunits" prints TTL values with time-unit suffixes: w, d, h, m, s
+  for weeks, days, hours, minutes, and seconds.
+- "dig +unknownformat" prints dig output in RFC 3597 "unknown record"
+  presentation format.
+- "dig +ednsopt" allows dig to set arbitrary EDNS options on requests.
+- "dig +ednsflags" allows dig to set yet-to-be-defined EDNS flags on
+  requests.
+- "mdig" is an alternate version of dig which sends multiple pipelined TCP
+  queries to a server.  Instead of waiting for a response after sending a
+  query, it sends all queries immediately and displays responses in the
+  order received.
+- "serial-query-rate" no longer controls NOTIFY messages.  These are
+  separately controlled by "notify-rate" and "startup-notify-rate".
+- "nsupdate" now performs "check-names" processing by default on records to
+  be added.  This can be disabled with "check-names no".
+- The statistics channel now supports DEFLATE compression, reducing the
+  size of the data sent over the network when querying statistics.
+- New counters have been added to the statistics channel to track the sizes
+  of incoming queries and outgoing responses in histogram buckets, as
+  specified in RSSAC002.
+- A new NXDOMAIN redirect method (option "nxdomain-redirect") has been
+  added, allowing redirection to a specified DNS namespace instead of a
+  single redirect zone.
+- When starting up, named now ensures that no other named process is
+  already running.
+- Files created by named to store information, including "mkeys" and "nzf"
+  files, are now named after their corresponding views unless the view name
+  contains characters incompatible with use as a filename. Old style
+  filenames (based on the hash of the view name) will still work.
+
+#### BIND 9.10.0
+
+BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier
+releases.  New features include:
+
+ - DNS Response-rate limiting (DNS RRL), which blunts the
+   impact of reflection and amplification attacks, is always
+   compiled in and no longer requires a compile-time option
+   to enable it.
+ - An experimental "Source Identity Token" (SIT) EDNS option
+   is now available.  Similar to DNS Cookies as invented by
+   Donald Eastlake 3rd, these are designed to enable clients
+   to detect off-path spoofed responses, and to enable servers
+   to detect spoofed-source queries.  Servers can be configured
+   to send smaller responses to clients that have not identified
+   themselves using a SIT option, reducing the effectiveness of
+   amplification attacks.  RRL processing has also been updated;
+   clients proven to be legitimate via SIT are not subject to
+   rate limiting.  Use "configure --enable-sit" to enable this
+   feature in BIND.
+ - A new zone file format, "map", stores zone data in a
+   format that can be mapped directly into memory, allowing
+   significantly faster zone loading.
+ - "delv" (domain entity lookup and validation) is a new tool
+   with dig-like semantics for looking up DNS data and performing
+   internal DNSSEC validation.  This allows easy validation in
+   environments where the resolver may not be trustworthy, and
+   assists with troubleshooting of DNSSEC problems. (NOTE:
+   In previous development releases of BIND 9.10, this utility
+   was called "delve". The spelling has been changed to avoid
+   confusion with the "delve" utility included with the Xapian
+   search engine.)
+ - Improved EDNS(0) processing for better resolver performance
+   and reliability over slow or lossy connections.
+ - A new "configure --with-tuning=large" option tunes certain
+   compiled-in constants and default settings to values better
+   suited to large servers with abundant memory.  This can
+   improve performance on such servers, but will consume more
+   memory and may degrade performance on smaller systems.
+ - Substantial improvement in response-policy zone (RPZ)
+   performance.  Up to 32 response-policy zones can be
+   configured with minimal performance loss.
+ - To improve recursive resolver performance, cache records
+   which are still being requested by clients can now be
+   automatically refreshed from the authoritative server
+   before they expire, reducing or eliminating the time
+   window in which no answer is available in the cache.
+ - New "rpz-client-ip" triggers and drop policies allowing
+   response policies based on the IP address of the client.
+ - ACLs can now be specified based on geographic location
+   using the MaxMind GeoIP databases.  Use "configure
+   --with-geoip" to enable.
+ - Zone data can now be shared between views, allowing
+   multiple views to serve the same zones authoritatively
+   without storing multiple copies in memory.
+ - New XML schema (version 3) for the statistics channel
+   includes many new statistics and uses a flattened XML tree
+   for faster parsing. The older schema is now deprecated.
+ - A new stylesheet, based on the Google Charts API, displays
+   XML statistics in charts and graphs on javascript-enabled
+   browsers.
+ - The statistics channel can now provide data in JSON
+   format as well as XML.
+ - New stats counters track TCP and UDP queries received
+   per zone, and EDNS options received in total.
+ - The internal and export versions of the BIND libraries
+   (libisc, libdns, etc) have been unified so that external
+   library clients can use the same libraries as BIND itself.
+ - A new compile-time option, "configure --enable-native-pkcs11",
+   allows BIND 9 cryptography functions to use the PKCS#11 API
+   natively, so that BIND can drive a cryptographic hardware
+   service module (HSM) directly instead of using a modified
+   OpenSSL as an intermediary. (Note: This feature requires an
+   HSM to have a full implementation of the PKCS#11 API; many
+   current HSMs only have partial implementations. The new
+   "pkcs11-tokens" command can be used to check API completeness.
+   Native PKCS#11 is known to work with the Thales nShield HSM
+   and with SoftHSM version 2 from the Open DNSSEC project.)
+ - The new "max-zone-ttl" option enforces maximum TTLs for
+   zones. This can simplify the process of rolling DNSSEC keys
+   by guaranteeing that cached signatures will have expired
+   within the specified amount of time.
+ - "dig +subnet" sends an EDNS CLIENT-SUBNET option when
+   querying.
+ - "dig +expire" sends an EDNS EXPIRE option when querying.
+   When this option is sent with an SOA query to a server
+   that supports it, it will report the expiry time of
+   a slave zone.
+ - New "dnssec-coverage" tool to check DNSSEC key coverage
+   for a zone and report if a lapse in signing coverage has
+   been inadvertently scheduled.
+ - Signing algorithm flexibility and other improvements
+   for the "rndc" control channel.
+ - "named-checkzone" and "named-compilezone" can now read
+   journal files, allowing them to process dynamic zones.
+ - Multiple DLZ databases can now be configured.  Individual
+   zones can be configured to be served from a specific DLZ
+   database.  DLZ databases now serve zones of type "master"
+   and "redirect".
+ - "rndc zonestatus" reports information about a specified zone.
+ - "named" now listens on IPv6 as well as IPv4 interfaces
+   by default.
+ - "named" now preserves the capitalization of names
+   when responding to queries: for instance, a query for
+   "example.com" may be answered with "example.COM" if the
+   name was configured that way in the zone file.  Some
+   clients have a bug causing them to depend on the older
+   behavior, in which the case of the answer always matched
+   the case of the query, rather than the case of the name
+   configured in the DNS.  Such clients can now be specified
+   in the new "no-case-compress" ACL; this will restore the
+   older behavior of "named" for those clients only.
+ - new "dnssec-importkey" command allows the use of offline
+   DNSSEC keys with automatic DNSKEY management.
+ - New "named-rrchecker" tool to verify the syntactic
+   correctness of individual resource records.
+ - When re-signing a zone, the new "dnssec-signzone -Q" option
+   drops signatures from keys that are still published but are
+   no longer active.
+ - "named-checkconf -px" will print the contents of configuration
+   files with the shared secrets obscured, making it easier to
+   share configuration (e.g. when submitting a bug report)
+   without revealing private information.
+ - "rndc scan" causes named to re-scan network interfaces for
+   changes in local addresses.
+ - On operating systems with support for routing sockets,
+   network interfaces are re-scanned automatically whenever
+   they change.
+ - "tsig-keygen" is now available as an alternate command
+   name to use for "ddns-confgen".
+
+#### BIND 9.9.0
+
+BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
+releases.  New features include:
+
+- Inline signing, allowing automatic DNSSEC signing of
+  master zones without modification of the zonefile, or
+  "bump in the wire" signing in slaves.
+- NXDOMAIN redirection.
+- New 'rndc flushtree' command clears all data under a given
+  name from the DNS cache.
+- New 'rndc sync' command dumps pending changes in a dynamic
+  zone to disk without a freeze/thaw cycle.
+- New 'rndc signing' command displays or clears signing status
+  records in 'auto-dnssec' zones.
+- NSEC3 parameters for 'auto-dnssec' zones can now be set prior
+  to signing, eliminating the need to initially sign with NSEC.
+- Startup time improvements on large authoritative servers.
+- Slave zones are now saved in raw format by default.
+- Several improvements to response policy zones (RPZ).
+- Improved hardware scalability by using multiple threads
+  to listen for queries and using finer-grained client locking
+- The 'also-notify' option now takes the same syntax as
+  'masters', so it can used named masterlists and TSIG keys.
+- 'dnssec-signzone -D' writes an output file containing only DNSSEC
+  data, which can be included by the primary zone file.
+- 'dnssec-signzone -R' forces removal of signatures that are
+  not expired but were created by a key which no longer exists.
+- 'dnssec-signzone -X' allows a separate expiration date to
+  be specified for DNSKEY signatures from other signatures.
+- New '-L' option to dnssec-keygen, dnssec-settime, and
+  dnssec-keyfromlabel sets the default TTL for the key.
+- dnssec-dsfromkey now supports reading from standard input,
+  to make it easier to convert DNSKEY to DS.
+- RFC 1918 reverse zones have been added to the empty-zones
+  table per RFC 6303.
+- Dynamic updates can now optionally set the zone's SOA serial
+  number to the current UNIX time.
+- DLZ modules can now retrieve the source IP address of
+  the querying client.
+- 'request-ixfr' option can now be set at the per-zone level.
+- 'dig +rrcomments' turns on comments about DNSKEY records,
+  indicating their key ID, algorithm and function
+- Simplified nsupdate syntax and added readline support
+
+#### BIND 9.8.0
+
+BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier
+releases.  New features include:
+
+- Built-in trust anchor for the root zone, which can be
+  switched on via "dnssec-validation auto;"
+- Support for DNS64.
+- Support for response policy zones (RPZ).
+- Support for writable DLZ zones.
+- Improved ease of configuration of GSS/TSIG for
+  interoperability with Active Directory
+- Support for GOST signing algorithm for DNSSEC.
+- Removed RTT Banding from server selection algorithm.
+- New "static-stub" zone type.
+- Allow configuration of resolver timeouts via
+  "resolver-query-timeout" option.
+- The DLZ "dlopen" driver is now built by default.
+- Added a new include file with function typedefs
+  for the DLZ "dlopen" driver.
+- Made "--with-gssapi" default.
+- More verbose error reporting from DLZ LDAP.
+
+#### BIND 9.7.0
+
+BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier
+releases.  Most are intended to simplify DNSSEC configuration.
+New features include:
+
+- Fully automatic signing of zones by "named".
+- Simplified configuration of DNSSEC Lookaside Validation (DLV).
+- Simplified configuration of Dynamic DNS, using the "ddns-confgen"
+  command line tool or the "local" update-policy option.  (As a side
+  effect, this also makes it easier to configure automatic zone
+  re-signing.)
+- New named option "attach-cache" that allows multiple views to
+  share a single cache.
+- DNS rebinding attack prevention.
+- New default values for dnssec-keygen parameters.
+- Support for RFC 5011 automated trust anchor maintenance
+- Smart signing: simplified tools for zone signing and key
+  maintenance.
+- The "statistics-channels" option is now available on Windows.
+- A new DNSSEC-aware libdns API for use by non-BIND9 applications
+- On some platforms, named and other binaries can now print out
+  a stack backtrace on assertion failure, to aid in debugging.
+- A "tools only" installation mode on Windows, which only installs
+  dig, host, nslookup and nsupdate.
+- Improved PKCS#11 support, including Keyper support and explicit
+  OpenSSL engine selection.
+
+#### BIND 9.6.0
+
+- Full NSEC3 support
+- Automatic zone re-signing
+- New update-policy methods tcp-self and 6to4-self
+- The BIND 8 resolver library, libbind, has been removed from the BIND 9
+  distribution and is now available as a separate download.
+- Change the default pid file location from /var/run to
+  /var/run/{named,lwresd} for improved chroot/setuid support.
+
+#### BIND 9.5.0
+
+- GSS-TSIG support (RFC 3645).
+- DHCID support.
+- Experimental http server and statistics support for named via xml.
+- More detailed statistics counters including those supported in BIND 8.
+- Faster ACL processing.
+- Use Doxygen to generate internal documentation.
+- Efficient LRU cache-cleaning mechanism.
+- NSID support.
+
+BIND 9.4.0
+
+- Implemented "additional section caching (or acache)", an internal cache
+  framework for additional section content to improve response performance.
+  Several configuration options were provided to control the behavior.
+- New notify type 'master-only'.  Enable notify for master zones only.
+- Accept 'notify-source' style syntax for query-source.
+- rndc now allows addresses to be set in the server clauses.
+- New option "allow-query-cache".  This lets "allow-query" be used to
+  specify the default zone access level rather than having to have every
+  zone override the global value.  "allow-query-cache" can be set at both
+  the options and view levels.  If "allow-query-cache" is not set then
+  "allow-recursion" is used if set, otherwise "allow-query" is used if set
+  unless "recursion no;" is set in which case "none;" is used, otherwise
+  the default (localhost; localnets;) is used.
+- rndc: the source address can now be specified.
+- ixfr-from-differences now takes master and slave in addition to yes and
+  no at the options and view levels.
+- Allow the journal's name to be changed via named.conf.
+- 'rndc notify zone [class [view]]' resend the NOTIFY messages for the
+  specified zone.
+- 'dig +trace' now randomly selects the next servers to try.  Report if
+  there is a bad delegation.
+- Improve check-names error messages.
+- Make public the function to read a key file, dst_key_read_public().
+- dig now returns the byte count for axfr/ixfr.
+- allow-update is now settable at the options / view level.
+- named-checkconf now checks the logging configuration.
+- host now can turn on memory debugging flags with '-m'.
+- Don't send notify messages to self.
+- Perform sanity checks on NS records which refer to 'in zone' names.
+- New zone option "notify-delay".  Specify a minimum delay between sets of
+  NOTIFY messages.
+- Extend adjusting TTL warning messages.
+- Named and named-checkzone can now both check for non-terminal wildcard
+  records.
+- "rndc freeze/thaw" now freezes/thaws all zones.
+- named-checkconf now check acls to verify that they only refer to existing
+  acls.
+- The server syntax has been extended to support a range of servers.
+- Report differences between hints and real NS rrset and associated address
+  records.
+- Preserve the case of domain names in rdata during zone transfers.
+- Restructured the data locking framework using architecture dependent
+  atomic operations (when available), improving response performance on
+  multi-processor machines significantly.  x86, x86_64, alpha, powerpc, and
+  mips are currently supported.
+- UNIX domain controls are now supported.
+- Add support for additional zone file formats for improving loading
+  performance.  The masterfile-format option in named.conf can be used to
+  specify a non-default format.  A separate command named-compilezone was
+  provided to generate zone files in the new format.  Additionally, the -I
+  and -O options for dnssec-signzone specify the input and output formats.
+- dnssec-signzone can now randomize signature end times (dnssec-signzone -j
+  jitter).
+- Add support for CH A record.
+- Add additional zone data constancy checks.  named-checkzone has extended
+  checking of NS, MX and SRV record and the hosts they reference.  named
+  has extended post zone load checks.  New zone options: check-mx and
+  integrity-check.
+- edns-udp-size can now be overridden on a per server basis.
+- dig can now specify the EDNS version when making a query.
+- Added framework for handling multiple EDNS versions.
+- Additional memory debugging support to track size and mctx arguments.
+- Detect duplicates of UDP queries we are recursing on and drop them.  New
+  stats category "duplicates".
+- "USE INTERNAL MALLOC" is now runtime selectable.
+- The lame cache is now done on a <qname,qclass,qtype> basis as some
+  servers only appear to be lame for certain query types.
+- Limit the number of recursive clients that can be waiting for a single
+  query (<qname,qtype,qclass>) to resolve.  New options clients-per-query
+  and max-clients-per-query.
+- dig: report the number of extra bytes still left in the packet after
+  processing all the records.
+- Support for IPSECKEY rdata type.
+- Raise the UDP receive buffer size to 32k if it is less than 32k.
+- x86 and x86_64 now have separate atomic locking implementations.
+- named-checkconf now validates update-policy entries.
+- Attempt to make the amount of work performed in a iteration self tuning.
+  The covers nodes clean from the cache per iteration, nodes written to
+  disk when rewriting a master file and nodes destroyed per iteration when
+  destroying a zone or a cache.
+- ISC string copy API.
+- Automatic empty zone creation for D.F.IP6.ARPA and friends.  Note: RFC
+  1918 zones are not yet covered by this but are likely to be in a future
+  release.
+- New options: empty-server, empty-contact, empty-zones-enable and
+  disable-empty-zone.
+- dig now has a '-q queryname' and '+showsearch' options.
+- host/nslookup now continue (default)/fail on SERVFAIL.
+- dig now warns if 'RA' is not set in the answer when 'RD' was set in the
+  query.  host/nslookup skip servers that fail to set 'RA' when 'RD' is set
+  unless a server is explicitly set.
+- Integrate contributed DLZ code into named.
+- Integrate contributed IDN code from JPNIC.
+- libbind: corresponds to that from BIND 8.4.7.
+
+#### BIND 9.3.0
+
+- DNSSEC is now DS based (RFC 3658).
+- DNSSEC lookaside validation.
+- check-names is now implemented.
+- rrset-order is more complete.
+- IPv4/IPv6 transition support, dual-stack-servers.
+- IXFR deltas can now be generated when loading master files,
+  ixfr-from-differences.
+- It is now possible to specify the size of a journal, max-journal-size.
+- It is now possible to define a named set of master servers to be used in
+  masters clause, masters.
+- The advertised EDNS UDP size can now be set, edns-udp-size.
+- allow-v6-synthesis has been obsoleted.
+- Zones containing MD and MF will now be rejected.
+- dig, nslookup name. now report "Not Implemented" as NOTIMP rather than
+  NOTIMPL.  This will have impact on scripts that are looking for NOTIMPL.
+- libbind: corresponds to that from BIND 8.4.5.
+
+#### BIND 9.2.0
+
+- The size of the cache can now be limited using the "max-cache-size"
+  option.
+- The server can now automatically convert RFC1886-style recursive lookup
+  requests into RFC2874-style lookups, when enabled using the new option
+  "allow-v6-synthesis".  This allows stub resolvers that support AAAA
+  records but not A6 record chains or binary labels to perform lookups in
+  domains that make use of these IPv6 DNS features.
+- Performance has been improved.
+- The man pages now use the more portable "man" macros rather than the
+  "mandoc" macros, and are installed by "make install".
+- The named.conf parser has been completely rewritten.  It now supports
+  "include" directives in more places such as inside "view" statements, and
+  it no longer has any reserved words.
+- The "rndc status" command is now implemented.
+- rndc can now be configured automatically.
+- A BIND 8 compatible stub resolver library is now included in lib/bind.
+- OpenSSL has been removed from the distribution.  This means that to use
+  DNSSEC, OpenSSL must be installed and the --with-openssl option must be
+  supplied to configure.  This does not apply to the use of TSIG, which
+  does not require OpenSSL.
+- The source distribution now builds on Windows.  See
+  win32utils/readme1.txt and win32utils/win32-build.txt for details.
+- This distribution also includes a new lightweight stub resolver library
+  and associated resolver daemon that fully support forward and reverse
+  lookups of both IPv4 and IPv6 addresses.  This library is considered
+  experimental and is not a complete replacement for the BIND 8 resolver
+  library.  Applications that use the BIND 8 `res_*` functions to perform
+  DNS lookups or dynamic updates still need to be linked against the BIND 8
+  libraries.  For DNS lookups, they can also use the new "getrrsetbyname()"
+  API.
+- BIND 9.2 is capable of acting as an authoritative server for DNSSEC
+  secured zones.  This functionality is believed to be stable and complete
+  except for lacking support for verifications involving wildcard records
+  in secure zones.
+- When acting as a caching server, BIND 9.2 can be configured to perform
+  DNSSEC secure resolution on behalf of its clients.  This part of the
+  DNSSEC implementation is still considered experimental.  For detailed
+  information about the state of the DNSSEC implementation, see the file
+  doc/misc/dnssec.
diff --git a/Kyuafile b/Kyuafile
new file mode 100644
index 0000000..083136a
--- /dev/null
+++ b/Kyuafile
@@ -0,0 +1,15 @@
+-- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+--
+-- SPDX-License-Identifier: MPL-2.0
+--
+-- This Source Code Form is subject to the terms of the Mozilla Public
+-- License, v. 2.0.  If a copy of the MPL was not distributed with this
+-- file, you can obtain one at https://mozilla.org/MPL/2.0/.
+--
+-- See the COPYRIGHT file distributed with this work for additional
+-- information regarding copyright ownership.
+
+syntax(2)
+test_suite('bind9')
+
+include('lib/Kyuafile')
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..7bad356
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,362 @@
+Mozilla Public License, version 2.0
+
+1. Definitions
+
+1.1. "Contributor"
+
+     means each individual or legal entity that creates, contributes to the
+     creation of, or owns Covered Software.
+
+1.2. "Contributor Version"
+
+     means the combination of the Contributions of others (if any) used by a
+     Contributor and that particular Contributor's Contribution.
+
+1.3. "Contribution"
+
+     means Covered Software of a particular Contributor.
+
+1.4. "Covered Software"
+
+     means Source Code Form to which the initial Contributor has attached the
+     notice in Exhibit A, the Executable Form of such Source Code Form, and
+     Modifications of such Source Code Form, in each case including portions
+     thereof.
+
+1.5. "Incompatible With Secondary Licenses"
+     means
+
+     a. that the initial Contributor has attached the notice described in
+        Exhibit B to the Covered Software; or
+
+     b. that the Covered Software was made available under the terms of
+        version 1.1 or earlier of the License, but not also under the terms of
+        a Secondary License.
+
+1.6. "Executable Form"
+
+     means any form of the work other than Source Code Form.
+
+1.7. "Larger Work"
+
+     means a work that combines Covered Software with other material, in a
+     separate file or files, that is not Covered Software.
+
+1.8. "License"
+
+     means this document.
+
+1.9. "Licensable"
+
+     means having the right to grant, to the maximum extent possible, whether
+     at the time of the initial grant or subsequently, any and all of the
+     rights conveyed by this License.
+
+1.10. "Modifications"
+
+     means any of the following:
+
+     a. any file in Source Code Form that results from an addition to,
+        deletion from, or modification of the contents of Covered Software; or
+
+     b. any new file in Source Code Form that contains any Covered Software.
+
+1.11. "Patent Claims" of a Contributor
+
+      means any patent claim(s), including without limitation, method,
+      process, and apparatus claims, in any patent Licensable by such
+      Contributor that would be infringed, but for the grant of the License,
+      by the making, using, selling, offering for sale, having made, import,
+      or transfer of either its Contributions or its Contributor Version.
+
+1.12. "Secondary License"
+
+      means either the GNU General Public License, Version 2.0, the GNU Lesser
+      General Public License, Version 2.1, the GNU Affero General Public
+      License, Version 3.0, or any later versions of those licenses.
+
+1.13. "Source Code Form"
+
+      means the form of the work preferred for making modifications.
+
+1.14. "You" (or "Your")
+
+      means an individual or a legal entity exercising rights under this
+      License. For legal entities, "You" includes any entity that controls, is
+      controlled by, or is under common control with You. For purposes of this
+      definition, "control" means (a) the power, direct or indirect, to cause
+      the direction or management of such entity, whether by contract or
+      otherwise, or (b) ownership of more than fifty percent (50%) of the
+      outstanding shares or beneficial ownership of such entity.
+
+
+2. License Grants and Conditions
+
+2.1. Grants
+
+     Each Contributor hereby grants You a world-wide, royalty-free,
+     non-exclusive license:
+
+     a. under intellectual property rights (other than patent or trademark)
+        Licensable by such Contributor to use, reproduce, make available,
+        modify, display, perform, distribute, and otherwise exploit its
+        Contributions, either on an unmodified basis, with Modifications, or
+        as part of a Larger Work; and
+
+     b. under Patent Claims of such Contributor to make, use, sell, offer for
+        sale, have made, import, and otherwise transfer either its
+        Contributions or its Contributor Version.
+
+2.2. Effective Date
+
+     The licenses granted in Section 2.1 with respect to any Contribution
+     become effective for each Contribution on the date the Contributor first
+     distributes such Contribution.
+
+2.3. Limitations on Grant Scope
+
+     The licenses granted in this Section 2 are the only rights granted under
+     this License. No additional rights or licenses will be implied from the
+     distribution or licensing of Covered Software under this License.
+     Notwithstanding Section 2.1(b) above, no patent license is granted by a
+     Contributor:
+
+     a. for any code that a Contributor has removed from Covered Software; or
+
+     b. for infringements caused by: (i) Your and any other third party's
+        modifications of Covered Software, or (ii) the combination of its
+        Contributions with other software (except as part of its Contributor
+        Version); or
+
+     c. under Patent Claims infringed by Covered Software in the absence of
+        its Contributions.
+
+     This License does not grant any rights in the trademarks, service marks,
+     or logos of any Contributor (except as may be necessary to comply with
+     the notice requirements in Section 3.4).
+
+2.4. Subsequent Licenses
+
+     No Contributor makes additional grants as a result of Your choice to
+     distribute the Covered Software under a subsequent version of this
+     License (see Section 10.2) or under the terms of a Secondary License (if
+     permitted under the terms of Section 3.3).
+
+2.5. Representation
+
+     Each Contributor represents that the Contributor believes its
+     Contributions are its original creation(s) or it has sufficient rights to
+     grant the rights to its Contributions conveyed by this License.
+
+2.6. Fair Use
+
+     This License is not intended to limit any rights You have under
+     applicable copyright doctrines of fair use, fair dealing, or other
+     equivalents.
+
+2.7. Conditions
+
+     Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in
+     Section 2.1.
+
+
+3. Responsibilities
+
+3.1. Distribution of Source Form
+
+     All distribution of Covered Software in Source Code Form, including any
+     Modifications that You create or to which You contribute, must be under
+     the terms of this License. You must inform recipients that the Source
+     Code Form of the Covered Software is governed by the terms of this
+     License, and how they can obtain a copy of this License. You may not
+     attempt to alter or restrict the recipients' rights in the Source Code
+     Form.
+
+3.2. Distribution of Executable Form
+
+     If You distribute Covered Software in Executable Form then:
+
+     a. such Covered Software must also be made available in Source Code Form,
+        as described in Section 3.1, and You must inform recipients of the
+        Executable Form how they can obtain a copy of such Source Code Form by
+        reasonable means in a timely manner, at a charge no more than the cost
+        of distribution to the recipient; and
+
+     b. You may distribute such Executable Form under the terms of this
+        License, or sublicense it under different terms, provided that the
+        license for the Executable Form does not attempt to limit or alter the
+        recipients' rights in the Source Code Form under this License.
+
+3.3. Distribution of a Larger Work
+
+     You may create and distribute a Larger Work under terms of Your choice,
+     provided that You also comply with the requirements of this License for
+     the Covered Software. If the Larger Work is a combination of Covered
+     Software with a work governed by one or more Secondary Licenses, and the
+     Covered Software is not Incompatible With Secondary Licenses, this
+     License permits You to additionally distribute such Covered Software
+     under the terms of such Secondary License(s), so that the recipient of
+     the Larger Work may, at their option, further distribute the Covered
+     Software under the terms of either this License or such Secondary
+     License(s).
+
+3.4. Notices
+
+     You may not remove or alter the substance of any license notices
+     (including copyright notices, patent notices, disclaimers of warranty, or
+     limitations of liability) contained within the Source Code Form of the
+     Covered Software, except that You may alter any license notices to the
+     extent required to remedy known factual inaccuracies.
+
+3.5. Application of Additional Terms
+
+     You may choose to offer, and to charge a fee for, warranty, support,
+     indemnity or liability obligations to one or more recipients of Covered
+     Software. However, You may do so only on Your own behalf, and not on
+     behalf of any Contributor. You must make it absolutely clear that any
+     such warranty, support, indemnity, or liability obligation is offered by
+     You alone, and You hereby agree to indemnify every Contributor for any
+     liability incurred by such Contributor as a result of warranty, support,
+     indemnity or liability terms You offer. You may include additional
+     disclaimers of warranty and limitations of liability specific to any
+     jurisdiction.
+
+4. Inability to Comply Due to Statute or Regulation
+
+   If it is impossible for You to comply with any of the terms of this License
+   with respect to some or all of the Covered Software due to statute,
+   judicial order, or regulation then You must: (a) comply with the terms of
+   this License to the maximum extent possible; and (b) describe the
+   limitations and the code they affect. Such description must be placed in a
+   text file included with all distributions of the Covered Software under
+   this License. Except to the extent prohibited by statute or regulation,
+   such description must be sufficiently detailed for a recipient of ordinary
+   skill to be able to understand it.
+
+5. Termination
+
+5.1. The rights granted under this License will terminate automatically if You
+     fail to comply with any of its terms. However, if You become compliant,
+     then the rights granted under this License from a particular Contributor
+     are reinstated (a) provisionally, unless and until such Contributor
+     explicitly and finally terminates Your grants, and (b) on an ongoing
+     basis, if such Contributor fails to notify You of the non-compliance by
+     some reasonable means prior to 60 days after You have come back into
+     compliance. Moreover, Your grants from a particular Contributor are
+     reinstated on an ongoing basis if such Contributor notifies You of the
+     non-compliance by some reasonable means, this is the first time You have
+     received notice of non-compliance with this License from such
+     Contributor, and You become compliant prior to 30 days after Your receipt
+     of the notice.
+
+5.2. If You initiate litigation against any entity by asserting a patent
+     infringement claim (excluding declaratory judgment actions,
+     counter-claims, and cross-claims) alleging that a Contributor Version
+     directly or indirectly infringes any patent, then the rights granted to
+     You by any and all Contributors for the Covered Software under Section
+     2.1 of this License shall terminate.
+
+5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user
+     license agreements (excluding distributors and resellers) which have been
+     validly granted by You or Your distributors under this License prior to
+     termination shall survive termination.
+
+6. Disclaimer of Warranty
+
+   Covered Software is provided under this License on an "as is" basis,
+   without warranty of any kind, either expressed, implied, or statutory,
+   including, without limitation, warranties that the Covered Software is free
+   of defects, merchantable, fit for a particular purpose or non-infringing.
+   The entire risk as to the quality and performance of the Covered Software
+   is with You. Should any Covered Software prove defective in any respect,
+   You (not any Contributor) assume the cost of any necessary servicing,
+   repair, or correction. This disclaimer of warranty constitutes an essential
+   part of this License. No use of  any Covered Software is authorized under
+   this License except under this disclaimer.
+
+7. Limitation of Liability
+
+   Under no circumstances and under no legal theory, whether tort (including
+   negligence), contract, or otherwise, shall any Contributor, or anyone who
+   distributes Covered Software as permitted above, be liable to You for any
+   direct, indirect, special, incidental, or consequential damages of any
+   character including, without limitation, damages for lost profits, loss of
+   goodwill, work stoppage, computer failure or malfunction, or any and all
+   other commercial damages or losses, even if such party shall have been
+   informed of the possibility of such damages. This limitation of liability
+   shall not apply to liability for death or personal injury resulting from
+   such party's negligence to the extent applicable law prohibits such
+   limitation. Some jurisdictions do not allow the exclusion or limitation of
+   incidental or consequential damages, so this exclusion and limitation may
+   not apply to You.
+
+8. Litigation
+
+   Any litigation relating to this License may be brought only in the courts
+   of a jurisdiction where the defendant maintains its principal place of
+   business and such litigation shall be governed by laws of that
+   jurisdiction, without reference to its conflict-of-law provisions. Nothing
+   in this Section shall prevent a party's ability to bring cross-claims or
+   counter-claims.
+
+9. Miscellaneous
+
+   This License represents the complete agreement concerning the subject
+   matter hereof. If any provision of this License is held to be
+   unenforceable, such provision shall be reformed only to the extent
+   necessary to make it enforceable. Any law or regulation which provides that
+   the language of a contract shall be construed against the drafter shall not
+   be used to construe this License against a Contributor.
+
+
+10. Versions of the License
+
+10.1. New Versions
+
+      Mozilla Foundation is the license steward. Except as provided in Section
+      10.3, no one other than the license steward has the right to modify or
+      publish new versions of this License. Each version will be given a
+      distinguishing version number.
+
+10.2. Effect of New Versions
+
+      You may distribute the Covered Software under the terms of the version
+      of the License under which You originally received the Covered Software,
+      or under the terms of any subsequent version published by the license
+      steward.
+
+10.3. Modified Versions
+
+      If you create software not governed by this License, and you want to
+      create a new license for such software, you may create and use a
+      modified version of this License if you rename the license and remove
+      any references to the name of the license steward (except to note that
+      such modified license differs from this License).
+
+10.4. Distributing Source Code Form that is Incompatible With Secondary
+      Licenses If You choose to distribute Source Code Form that is
+      Incompatible With Secondary Licenses under the terms of this version of
+      the License, the notice described in Exhibit B of this License must be
+      attached.
+
+Exhibit A - Source Code Form License Notice
+
+      This Source Code Form is subject to the
+      terms of the Mozilla Public License, v.
+      2.0. If a copy of the MPL was not
+      distributed with this file, You can
+      obtain one at
+      https://mozilla.org/MPL/2.0/.
+
+If it is not possible or desirable to put the notice in a particular file,
+then You may include the notice in a location (such as a LICENSE file in a
+relevant directory) where a recipient would be likely to look for such a
+notice.
+
+You may add additional accurate notices of copyright ownership.
+
+Exhibit B - "Incompatible With Secondary Licenses" Notice
+
+      This Source Code Form is "Incompatible
+      With Secondary Licenses", as defined by
+      the Mozilla Public License, v. 2.0.
diff --git a/LICENSES/Apache-2.0.txt b/LICENSES/Apache-2.0.txt
new file mode 100644
index 0000000..137069b
--- /dev/null
+++ b/LICENSES/Apache-2.0.txt
@@ -0,0 +1,73 @@
+Apache License
+Version 2.0, January 2004
+http://www.apache.org/licenses/
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.
+
+"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.
+
+"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.
+
+"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.
+
+"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files.
+
+"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types.
+
+"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).
+
+"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.
+
+"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution."
+
+"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work.
+
+2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.
+
+3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.
+
+4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:
+
+     (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and
+
+     (b) You must cause any modified files to carry prominent notices stating that You changed the files; and
+
+     (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and
+
+     (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.
+
+     You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License.
+
+5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.
+
+6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.
+
+7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.
+
+8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages.
+
+9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.
+
+END OF TERMS AND CONDITIONS
+
+APPENDIX: How to apply the Apache License to your work.
+
+To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!)  The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives.
+
+Copyright [yyyy] [name of copyright owner]
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
diff --git a/LICENSES/Autoconf-exception-3.0.txt b/LICENSES/Autoconf-exception-3.0.txt
new file mode 100644
index 0000000..f212f9c
--- /dev/null
+++ b/LICENSES/Autoconf-exception-3.0.txt
@@ -0,0 +1,26 @@
+AUTOCONF CONFIGURE SCRIPT EXCEPTION
+
+Version 3.0, 18 August 2009
+Copyright © 2009 Free Software Foundation, Inc. <http://fsf.org/>
+
+Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
+
+This Exception is an additional permission under section 7 of the GNU General Public License, version 3 ("GPLv3"). It applies to a given file that bears a notice placed by the copyright holder of the file stating that the file is governed by GPLv3 along with this Exception.
+
+The purpose of this Exception is to allow distribution of Autoconf's typical output under terms of the recipient's choice (including proprietary).
+
+0. Definitions.
+
+"Covered Code" is the source or object code of a version of Autoconf that is a covered work under this License.
+
+"Normally Copied Code" for a version of Autoconf means all parts of its Covered Code which that version can copy from its code (i.e., not from its input file) into its minimally verbose, non-debugging and non-tracing output.
+
+"Ineligible Code" is Covered Code that is not Normally Copied Code.
+
+1. Grant of Additional Permission.
+
+You have permission to propagate output of Autoconf, even if such propagation would otherwise violate the terms of GPLv3. However, if by modifying Autoconf you cause any Ineligible Code of the version you received to become Normally Copied Code of your modified version, then you void this Exception for the resulting covered work. If you convey that resulting covered work, you must remove this Exception in accordance with the second paragraph of Section 7 of GPLv3.
+
+2. No Weakening of Autoconf Copyleft.
+
+The availability of this Exception does not imply any general presumption that third-party software is unaffected by the copyleft requirements of the license of Autoconf.
diff --git a/LICENSES/BSD-2-Clause.txt b/LICENSES/BSD-2-Clause.txt
new file mode 100644
index 0000000..b0e20f5
--- /dev/null
+++ b/LICENSES/BSD-2-Clause.txt
@@ -0,0 +1,9 @@
+Copyright (c) <year> <owner> All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/LICENSES/BSD-3-Clause.txt b/LICENSES/BSD-3-Clause.txt
new file mode 100644
index 0000000..6c9eef8
--- /dev/null
+++ b/LICENSES/BSD-3-Clause.txt
@@ -0,0 +1,11 @@
+Copyright (c) <year> <owner>. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/LICENSES/CC0-1.0.txt b/LICENSES/CC0-1.0.txt
new file mode 100644
index 0000000..0e259d4
--- /dev/null
+++ b/LICENSES/CC0-1.0.txt
@@ -0,0 +1,121 @@
+Creative Commons Legal Code
+
+CC0 1.0 Universal
+
+    CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
+    LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
+    ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
+    INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
+    REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
+    PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
+    THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
+    HEREUNDER.
+
+Statement of Purpose
+
+The laws of most jurisdictions throughout the world automatically confer
+exclusive Copyright and Related Rights (defined below) upon the creator
+and subsequent owner(s) (each and all, an "owner") of an original work of
+authorship and/or a database (each, a "Work").
+
+Certain owners wish to permanently relinquish those rights to a Work for
+the purpose of contributing to a commons of creative, cultural and
+scientific works ("Commons") that the public can reliably and without fear
+of later claims of infringement build upon, modify, incorporate in other
+works, reuse and redistribute as freely as possible in any form whatsoever
+and for any purposes, including without limitation commercial purposes.
+These owners may contribute to the Commons to promote the ideal of a free
+culture and the further production of creative, cultural and scientific
+works, or to gain reputation or greater distribution for their Work in
+part through the use and efforts of others.
+
+For these and/or other purposes and motivations, and without any
+expectation of additional consideration or compensation, the person
+associating CC0 with a Work (the "Affirmer"), to the extent that he or she
+is an owner of Copyright and Related Rights in the Work, voluntarily
+elects to apply CC0 to the Work and publicly distribute the Work under its
+terms, with knowledge of his or her Copyright and Related Rights in the
+Work and the meaning and intended legal effect of CC0 on those rights.
+
+1. Copyright and Related Rights. A Work made available under CC0 may be
+protected by copyright and related or neighboring rights ("Copyright and
+Related Rights"). Copyright and Related Rights include, but are not
+limited to, the following:
+
+  i. the right to reproduce, adapt, distribute, perform, display,
+     communicate, and translate a Work;
+ ii. moral rights retained by the original author(s) and/or performer(s);
+iii. publicity and privacy rights pertaining to a person's image or
+     likeness depicted in a Work;
+ iv. rights protecting against unfair competition in regards to a Work,
+     subject to the limitations in paragraph 4(a), below;
+  v. rights protecting the extraction, dissemination, use and reuse of data
+     in a Work;
+ vi. database rights (such as those arising under Directive 96/9/EC of the
+     European Parliament and of the Council of 11 March 1996 on the legal
+     protection of databases, and under any national implementation
+     thereof, including any amended or successor version of such
+     directive); and
+vii. other similar, equivalent or corresponding rights throughout the
+     world based on applicable law or treaty, and any national
+     implementations thereof.
+
+2. Waiver. To the greatest extent permitted by, but not in contravention
+of, applicable law, Affirmer hereby overtly, fully, permanently,
+irrevocably and unconditionally waives, abandons, and surrenders all of
+Affirmer's Copyright and Related Rights and associated claims and causes
+of action, whether now known or unknown (including existing as well as
+future claims and causes of action), in the Work (i) in all territories
+worldwide, (ii) for the maximum duration provided by applicable law or
+treaty (including future time extensions), (iii) in any current or future
+medium and for any number of copies, and (iv) for any purpose whatsoever,
+including without limitation commercial, advertising or promotional
+purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
+member of the public at large and to the detriment of Affirmer's heirs and
+successors, fully intending that such Waiver shall not be subject to
+revocation, rescission, cancellation, termination, or any other legal or
+equitable action to disrupt the quiet enjoyment of the Work by the public
+as contemplated by Affirmer's express Statement of Purpose.
+
+3. Public License Fallback. Should any part of the Waiver for any reason
+be judged legally invalid or ineffective under applicable law, then the
+Waiver shall be preserved to the maximum extent permitted taking into
+account Affirmer's express Statement of Purpose. In addition, to the
+extent the Waiver is so judged Affirmer hereby grants to each affected
+person a royalty-free, non transferable, non sublicensable, non exclusive,
+irrevocable and unconditional license to exercise Affirmer's Copyright and
+Related Rights in the Work (i) in all territories worldwide, (ii) for the
+maximum duration provided by applicable law or treaty (including future
+time extensions), (iii) in any current or future medium and for any number
+of copies, and (iv) for any purpose whatsoever, including without
+limitation commercial, advertising or promotional purposes (the
+"License"). The License shall be deemed effective as of the date CC0 was
+applied by Affirmer to the Work. Should any part of the License for any
+reason be judged legally invalid or ineffective under applicable law, such
+partial invalidity or ineffectiveness shall not invalidate the remainder
+of the License, and in such case Affirmer hereby affirms that he or she
+will not (i) exercise any of his or her remaining Copyright and Related
+Rights in the Work or (ii) assert any associated claims and causes of
+action with respect to the Work, in either case contrary to Affirmer's
+express Statement of Purpose.
+
+4. Limitations and Disclaimers.
+
+ a. No trademark or patent rights held by Affirmer are waived, abandoned,
+    surrendered, licensed or otherwise affected by this document.
+ b. Affirmer offers the Work as-is and makes no representations or
+    warranties of any kind concerning the Work, express, implied,
+    statutory or otherwise, including without limitation warranties of
+    title, merchantability, fitness for a particular purpose, non
+    infringement, or the absence of latent or other defects, accuracy, or
+    the present or absence of errors, whether or not discoverable, all to
+    the greatest extent permissible under applicable law.
+ c. Affirmer disclaims responsibility for clearing rights of other persons
+    that may apply to the Work or any use thereof, including without
+    limitation any person's Copyright and Related Rights in the Work.
+    Further, Affirmer disclaims responsibility for obtaining any necessary
+    consents, permissions or other rights required for any use of the
+    Work.
+ d. Affirmer understands and acknowledges that Creative Commons is not a
+    party to this document and has no duty or obligation with respect to
+    this CC0 or use of the Work.
diff --git a/LICENSES/FSFAP.txt b/LICENSES/FSFAP.txt
new file mode 100644
index 0000000..32bc8a8
--- /dev/null
+++ b/LICENSES/FSFAP.txt
@@ -0,0 +1 @@
+Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved.  This file is offered as-is, without any warranty.
diff --git a/LICENSES/GPL-3.0-or-later.txt b/LICENSES/GPL-3.0-or-later.txt
new file mode 100644
index 0000000..d41c0bd
--- /dev/null
+++ b/LICENSES/GPL-3.0-or-later.txt
@@ -0,0 +1,232 @@
+GNU GENERAL PUBLIC LICENSE
+Version 3, 29 June 2007
+
+Copyright © 2007 Free Software Foundation, Inc. <http://fsf.org/>
+
+Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
+
+Preamble
+
+The GNU General Public License is a free, copyleft license for software and other kinds of works.
+
+The licenses for most software and other practical works are designed to take away your freedom to share and change the works. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change all versions of a program--to make sure it remains free software for all its users. We, the Free Software Foundation, use the GNU General Public License for most of our software; it applies also to any other work released this way by its authors. You can apply it to your programs, too.
+
+When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for them if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs, and that you know you can do these things.
+
+To protect your rights, we need to prevent others from denying you these rights or asking you to surrender the rights. Therefore, you have certain responsibilities if you distribute copies of the software, or if you modify it: responsibilities to respect the freedom of others.
+
+For example, if you distribute copies of such a program, whether gratis or for a fee, you must pass on to the recipients the same freedoms that you received. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.
+
+Developers that use the GNU GPL protect your rights with two steps: (1) assert copyright on the software, and (2) offer you this License giving you legal permission to copy, distribute and/or modify it.
+
+For the developers' and authors' protection, the GPL clearly explains that there is no warranty for this free software. For both users' and authors' sake, the GPL requires that modified versions be marked as changed, so that their problems will not be attributed erroneously to authors of previous versions.
+
+Some devices are designed to deny users access to install or run modified versions of the software inside them, although the manufacturer can do so. This is fundamentally incompatible with the aim of protecting users' freedom to change the software. The systematic pattern of such abuse occurs in the area of products for individuals to use, which is precisely where it is most unacceptable. Therefore, we have designed this version of the GPL to prohibit the practice for those products. If such problems arise substantially in other domains, we stand ready to extend this provision to those domains in future versions of the GPL, as needed to protect the freedom of users.
+
+Finally, every program is threatened constantly by software patents. States should not allow patents to restrict development and use of software on general-purpose computers, but in those that do, we wish to avoid the special danger that patents applied to a free program could make it effectively proprietary. To prevent this, the GPL assures that patents cannot be used to render the program non-free.
+
+The precise terms and conditions for copying, distribution and modification follow.
+
+TERMS AND CONDITIONS
+
+0. Definitions.
+
+“This License� refers to version 3 of the GNU General Public License.
+
+“Copyright� also means copyright-like laws that apply to other kinds of works, such as semiconductor masks.
+
+“The Program� refers to any copyrightable work licensed under this License. Each licensee is addressed as “you�. “Licensees� and “recipients� may be individuals or organizations.
+
+To “modify� a work means to copy from or adapt all or part of the work in a fashion requiring copyright permission, other than the making of an exact copy. The resulting work is called a “modified version� of the earlier work or a work “based on� the earlier work.
+
+A “covered work� means either the unmodified Program or a work based on the Program.
+
+To “propagate� a work means to do anything with it that, without permission, would make you directly or secondarily liable for infringement under applicable copyright law, except executing it on a computer or modifying a private copy. Propagation includes copying, distribution (with or without modification), making available to the public, and in some countries other activities as well.
+
+To “convey� a work means any kind of propagation that enables other parties to make or receive copies. Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying.
+
+An interactive user interface displays “Appropriate Legal Notices� to the extent that it includes a convenient and prominently visible feature that (1) displays an appropriate copyright notice, and (2) tells the user that there is no warranty for the work (except to the extent that warranties are provided), that licensees may convey the work under this License, and how to view a copy of this License. If the interface presents a list of user commands or options, such as a menu, a prominent item in the list meets this criterion.
+
+1. Source Code.
+The “source code� for a work means the preferred form of the work for making modifications to it. “Object code� means any non-source form of a work.
+
+A “Standard Interface� means an interface that either is an official standard defined by a recognized standards body, or, in the case of interfaces specified for a particular programming language, one that is widely used among developers working in that language.
+
+The “System Libraries� of an executable work include anything, other than the work as a whole, that (a) is included in the normal form of packaging a Major Component, but which is not part of that Major Component, and (b) serves only to enable use of the work with that Major Component, or to implement a Standard Interface for which an implementation is available to the public in source code form. A “Major Component�, in this context, means a major essential component (kernel, window system, and so on) of the specific operating system (if any) on which the executable work runs, or a compiler used to produce the work, or an object code interpreter used to run it.
+
+The “Corresponding Source� for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. However, it does not include the work's System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work. For example, Corresponding Source includes interface definition files associated with source files for the work, and the source code for shared libraries and dynamically linked subprograms that the work is specifically designed to require, such as by intimate data communication or control flow between those subprograms and other parts of the work.
+
+The Corresponding Source need not include anything that users can regenerate automatically from other parts of the Corresponding Source.
+
+The Corresponding Source for a work in source code form is that same work.
+
+2. Basic Permissions.
+All rights granted under this License are granted for the term of copyright on the Program, and are irrevocable provided the stated conditions are met. This License explicitly affirms your unlimited permission to run the unmodified Program. The output from running a covered work is covered by this License only if the output, given its content, constitutes a covered work. This License acknowledges your rights of fair use or other equivalent, as provided by copyright law.
+
+You may make, run and propagate covered works that you do not convey, without conditions so long as your license otherwise remains in force. You may convey covered works to others for the sole purpose of having them make modifications exclusively for you, or provide you with facilities for running those works, provided that you comply with the terms of this License in conveying all material for which you do not control copyright. Those thus making or running the covered works for you must do so exclusively on your behalf, under your direction and control, on terms that prohibit them from making any copies of your copyrighted material outside their relationship with you.
+
+Conveying under any other circumstances is permitted solely under the conditions stated below. Sublicensing is not allowed; section 10 makes it unnecessary.
+
+3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+No covered work shall be deemed part of an effective technological measure under any applicable law fulfilling obligations under article 11 of the WIPO copyright treaty adopted on 20 December 1996, or similar laws prohibiting or restricting circumvention of such measures.
+
+When you convey a covered work, you waive any legal power to forbid circumvention of technological measures to the extent such circumvention is effected by exercising rights under this License with respect to the covered work, and you disclaim any intention to limit operation or modification of the work as a means of enforcing, against the work's users, your or third parties' legal rights to forbid circumvention of technological measures.
+
+4. Conveying Verbatim Copies.
+You may convey verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice; keep intact all notices stating that this License and any non-permissive terms added in accord with section 7 apply to the code; keep intact all notices of the absence of any warranty; and give all recipients a copy of this License along with the Program.
+
+You may charge any price or no price for each copy that you convey, and you may offer support or warranty protection for a fee.
+
+5. Conveying Modified Source Versions.
+You may convey a work based on the Program, or the modifications to produce it from the Program, in the form of source code under the terms of section 4, provided that you also meet all of these conditions:
+
+     a) The work must carry prominent notices stating that you modified it, and giving a relevant date.
+
+     b) The work must carry prominent notices stating that it is released under this License and any conditions added under section 7. This requirement modifies the requirement in section 4 to “keep intact all notices�.
+
+     c) You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy. This License will therefore apply, along with any applicable section 7 additional terms, to the whole of the work, and all its parts, regardless of how they are packaged. This License gives no permission to license the work in any other way, but it does not invalidate such permission if you have separately received it.
+
+     d) If the work has interactive user interfaces, each must display Appropriate Legal Notices; however, if the Program has interactive interfaces that do not display Appropriate Legal Notices, your work need not make them do so.
+
+A compilation of a covered work with other separate and independent works, which are not by their nature extensions of the covered work, and which are not combined with it such as to form a larger program, in or on a volume of a storage or distribution medium, is called an “aggregate� if the compilation and its resulting copyright are not used to limit the access or legal rights of the compilation's users beyond what the individual works permit. Inclusion of a covered work in an aggregate does not cause this License to apply to the other parts of the aggregate.
+
+6. Conveying Non-Source Forms.
+You may convey a covered work in object code form under the terms of sections 4 and 5, provided that you also convey the machine-readable Corresponding Source under the terms of this License, in one of these ways:
+
+     a) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by the Corresponding Source fixed on a durable physical medium customarily used for software interchange.
+
+     b) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by a written offer, valid for at least three years and valid for as long as you offer spare parts or customer support for that product model, to give anyone who possesses the object code either (1) a copy of the Corresponding Source for all the software in the product that is covered by this License, on a durable physical medium customarily used for software interchange, for a price no more than your reasonable cost of physically performing this conveying of source, or (2) access to copy the Corresponding Source from a network server at no charge.
+
+     c) Convey individual copies of the object code with a copy of the written offer to provide the Corresponding Source. This alternative is allowed only occasionally and noncommercially, and only if you received the object code with such an offer, in accord with subsection 6b.
+
+     d) Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source in the same way through the same place at no further charge. You need not require recipients to copy the Corresponding Source along with the object code. If the place to copy the object code is a network server, the Corresponding Source may be on a different server (operated by you or a third party) that supports equivalent copying facilities, provided you maintain clear directions next to the object code saying where to find the Corresponding Source. Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements.
+
+     e) Convey the object code using peer-to-peer transmission, provided you inform other peers where the object code and Corresponding Source of the work are being offered to the general public at no charge under subsection 6d.
+
+A separable portion of the object code, whose source code is excluded from the Corresponding Source as a System Library, need not be included in conveying the object code work.
+
+A “User Product� is either (1) a “consumer product�, which means any tangible personal property which is normally used for personal, family, or household purposes, or (2) anything designed or sold for incorporation into a dwelling. In determining whether a product is a consumer product, doubtful cases shall be resolved in favor of coverage. For a particular product received by a particular user, “normally used� refers to a typical or common use of that class of product, regardless of the status of the particular user or of the way in which the particular user actually uses, or expects or is expected to use, the product. A product is a consumer product regardless of whether the product has substantial commercial, industrial or non-consumer uses, unless such uses represent the only significant mode of use of the product.
+
+“Installation Information� for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made.
+
+If you convey an object code work under this section in, or with, or specifically for use in, a User Product, and the conveying occurs as part of a transaction in which the right of possession and use of the User Product is transferred to the recipient in perpetuity or for a fixed term (regardless of how the transaction is characterized), the Corresponding Source conveyed under this section must be accompanied by the Installation Information. But this requirement does not apply if neither you nor any third party retains the ability to install modified object code on the User Product (for example, the work has been installed in ROM).
+
+The requirement to provide Installation Information does not include a requirement to continue to provide support service, warranty, or updates for a work that has been modified or installed by the recipient, or for the User Product in which it has been modified or installed. Access to a network may be denied when the modification itself materially and adversely affects the operation of the network or violates the rules and protocols for communication across the network.
+
+Corresponding Source conveyed, and Installation Information provided, in accord with this section must be in a format that is publicly documented (and with an implementation available to the public in source code form), and must require no special password or key for unpacking, reading or copying.
+
+7. Additional Terms.
+“Additional permissions� are terms that supplement the terms of this License by making exceptions from one or more of its conditions. Additional permissions that are applicable to the entire Program shall be treated as though they were included in this License, to the extent that they are valid under applicable law. If additional permissions apply only to part of the Program, that part may be used separately under those permissions, but the entire Program remains governed by this License without regard to the additional permissions.
+
+When you convey a copy of a covered work, you may at your option remove any additional permissions from that copy, or from any part of it. (Additional permissions may be written to require their own removal in certain cases when you modify the work.) You may place additional permissions on material, added by you to a covered work, for which you have or can give appropriate copyright permission.
+
+Notwithstanding any other provision of this License, for material you add to a covered work, you may (if authorized by the copyright holders of that material) supplement the terms of this License with terms:
+
+     a) Disclaiming warranty or limiting liability differently from the terms of sections 15 and 16 of this License; or
+
+     b) Requiring preservation of specified reasonable legal notices or author attributions in that material or in the Appropriate Legal Notices displayed by works containing it; or
+
+     c) Prohibiting misrepresentation of the origin of that material, or requiring that modified versions of such material be marked in reasonable ways as different from the original version; or
+
+     d) Limiting the use for publicity purposes of names of licensors or authors of the material; or
+
+     e) Declining to grant rights under trademark law for use of some trade names, trademarks, or service marks; or
+
+     f) Requiring indemnification of licensors and authors of that material by anyone who conveys the material (or modified versions of it) with contractual assumptions of liability to the recipient, for any liability that these contractual assumptions directly impose on those licensors and authors.
+
+All other non-permissive additional terms are considered “further restrictions� within the meaning of section 10. If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term. If a license document contains a further restriction but permits relicensing or conveying under this License, you may add to a covered work material governed by the terms of that license document, provided that the further restriction does not survive such relicensing or conveying.
+
+If you add terms to a covered work in accord with this section, you must place, in the relevant source files, a statement of the additional terms that apply to those files, or a notice indicating where to find the applicable terms.
+
+Additional terms, permissive or non-permissive, may be stated in the form of a separately written license, or stated as exceptions; the above requirements apply either way.
+
+8. Termination.
+You may not propagate or modify a covered work except as expressly provided under this License. Any attempt otherwise to propagate or modify it is void, and will automatically terminate your rights under this License (including any patent licenses granted under the third paragraph of section 11).
+
+However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation.
+
+Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice.
+
+Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License. If your rights have been terminated and not permanently reinstated, you do not qualify to receive new licenses for the same material under section 10.
+
+9. Acceptance Not Required for Having Copies.
+You are not required to accept this License in order to receive or run a copy of the Program. Ancillary propagation of a covered work occurring solely as a consequence of using peer-to-peer transmission to receive a copy likewise does not require acceptance. However, nothing other than this License grants you permission to propagate or modify any covered work. These actions infringe copyright if you do not accept this License. Therefore, by modifying or propagating a covered work, you indicate your acceptance of this License to do so.
+
+10. Automatic Licensing of Downstream Recipients.
+Each time you convey a covered work, the recipient automatically receives a license from the original licensors, to run, modify and propagate that work, subject to this License. You are not responsible for enforcing compliance by third parties with this License.
+
+An “entity transaction� is a transaction transferring control of an organization, or substantially all assets of one, or subdividing an organization, or merging organizations. If propagation of a covered work results from an entity transaction, each party to that transaction who receives a copy of the work also receives whatever licenses to the work the party's predecessor in interest had or could give under the previous paragraph, plus a right to possession of the Corresponding Source of the work from the predecessor in interest, if the predecessor has it or can get it with reasonable efforts.
+
+You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License. For example, you may not impose a license fee, royalty, or other charge for exercise of rights granted under this License, and you may not initiate litigation (including a cross-claim or counterclaim in a lawsuit) alleging that any patent claim is infringed by making, using, selling, offering for sale, or importing the Program or any portion of it.
+
+11. Patents.
+A “contributor� is a copyright holder who authorizes use under this License of the Program or a work on which the Program is based. The work thus licensed is called the contributor's “contributor version�.
+
+A contributor's “essential patent claims� are all patent claims owned or controlled by the contributor, whether already acquired or hereafter acquired, that would be infringed by some manner, permitted by this License, of making, using, or selling its contributor version, but do not include claims that would be infringed only as a consequence of further modification of the contributor version. For purposes of this definition, “control� includes the right to grant patent sublicenses in a manner consistent with the requirements of this License.
+
+Each contributor grants you a non-exclusive, worldwide, royalty-free patent license under the contributor's essential patent claims, to make, use, sell, offer for sale, import and otherwise run, modify and propagate the contents of its contributor version.
+
+In the following three paragraphs, a “patent license� is any express agreement or commitment, however denominated, not to enforce a patent (such as an express permission to practice a patent or covenant not to sue for patent infringement). To “grant� such a patent license to a party means to make such an agreement or commitment not to enforce a patent against the party.
+
+If you convey a covered work, knowingly relying on a patent license, and the Corresponding Source of the work is not available for anyone to copy, free of charge and under the terms of this License, through a publicly available network server or other readily accessible means, then you must either (1) cause the Corresponding Source to be so available, or (2) arrange to deprive yourself of the benefit of the patent license for this particular work, or (3) arrange, in a manner consistent with the requirements of this License, to extend the patent license to downstream recipients. “Knowingly relying� means you have actual knowledge that, but for the patent license, your conveying the covered work in a country, or your recipient's use of the covered work in a country, would infringe one or more identifiable patents in that country that you have reason to believe are valid.
+
+If, pursuant to or in connection with a single transaction or arrangement, you convey, or propagate by procuring conveyance of, a covered work, and grant a patent license to some of the parties receiving the covered work authorizing them to use, propagate, modify or convey a specific copy of the covered work, then the patent license you grant is automatically extended to all recipients of the covered work and works based on it.
+
+A patent license is “discriminatory� if it does not include within the scope of its coverage, prohibits the exercise of, or is conditioned on the non-exercise of one or more of the rights that are specifically granted under this License. You may not convey a covered work if you are a party to an arrangement with a third party that is in the business of distributing software, under which you make payment to the third party based on the extent of your activity of conveying the work, and under which the third party grants, to any of the parties who would receive the covered work from you, a discriminatory patent license (a) in connection with copies of the covered work conveyed by you (or copies made from those copies), or (b) primarily for and in connection with specific products or compilations that contain the covered work, unless you entered into that arrangement, or that patent license was granted, prior to 28 March 2007.
+
+Nothing in this License shall be construed as excluding or limiting any implied license or other defenses to infringement that may otherwise be available to you under applicable patent law.
+
+12. No Surrender of Others' Freedom.
+If conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot convey a covered work so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not convey it at all. For example, if you agree to terms that obligate you to collect a royalty for further conveying from those to whom you convey the Program, the only way you could satisfy both those terms and this License would be to refrain entirely from conveying the Program.
+
+13. Use with the GNU Affero General Public License.
+Notwithstanding any other provision of this License, you have permission to link or combine any covered work with a work licensed under version 3 of the GNU Affero General Public License into a single combined work, and to convey the resulting work. The terms of this License will continue to apply to the part which is the covered work, but the special requirements of the GNU Affero General Public License, section 13, concerning interaction through a network will apply to the combination as such.
+
+14. Revised Versions of this License.
+The Free Software Foundation may publish revised and/or new versions of the GNU General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program specifies that a certain numbered version of the GNU General Public License “or any later version� applies to it, you have the option of following the terms and conditions either of that numbered version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of the GNU General Public License, you may choose any version ever published by the Free Software Foundation.
+
+If the Program specifies that a proxy can decide which future versions of the GNU General Public License can be used, that proxy's public statement of acceptance of a version permanently authorizes you to choose that version for the Program.
+
+Later license versions may give you additional or different permissions. However, no additional obligations are imposed on any author or copyright holder as a result of your choosing to follow a later version.
+
+15. Disclaimer of Warranty.
+THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM “AS IS� WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+16. Limitation of Liability.
+IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+17. Interpretation of Sections 15 and 16.
+If the disclaimer of warranty and limitation of liability provided above cannot be given local legal effect according to their terms, reviewing courts shall apply local law that most closely approximates an absolute waiver of all civil liability in connection with the Program, unless a warranty or assumption of liability accompanies a copy of the Program in return for a fee.
+
+END OF TERMS AND CONDITIONS
+
+How to Apply These Terms to Your New Programs
+
+If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.
+
+To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively state the exclusion of warranty; and each file should have at least the “copyright� line and a pointer to where the full notice is found.
+
+     <one line to give the program's name and a brief idea of what it does.>
+     Copyright (C) <year>  <name of author>
+
+     This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
+
+     This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
+
+     You should have received a copy of the GNU General Public License along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program does terminal interaction, make it output a short notice like this when it starts in an interactive mode:
+
+     <program>  Copyright (C) <year>  <name of author>
+     This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+     This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, your program's commands might be different; for a GUI interface, you would use an “about box�.
+
+You should also get your employer (if you work as a programmer) or school, if any, to sign a “copyright disclaimer� for the program, if necessary. For more information on this, and how to apply and follow the GNU GPL, see <http://www.gnu.org/licenses/>.
+
+The GNU General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License. But first, please read <http://www.gnu.org/philosophy/why-not-lgpl.html>.
diff --git a/LICENSES/ISC.txt b/LICENSES/ISC.txt
new file mode 100644
index 0000000..b9c199c
--- /dev/null
+++ b/LICENSES/ISC.txt
@@ -0,0 +1,8 @@
+ISC License:
+
+Copyright (c) 2004-2010 by Internet Systems Consortium, Inc. ("ISC")
+Copyright (c) 1995-2003 by Internet Software Consortium
+
+Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
diff --git a/LICENSES/LLVM-exception.txt b/LICENSES/LLVM-exception.txt
new file mode 100644
index 0000000..fa4b725
--- /dev/null
+++ b/LICENSES/LLVM-exception.txt
@@ -0,0 +1,15 @@
+---- LLVM Exceptions to the Apache 2.0 License ----
+
+   As an exception, if, as a result of your compiling your source code, portions
+   of this Software are embedded into an Object form of such source code, you
+   may redistribute such embedded portions in such Object form without complying
+   with the conditions of Sections 4(a), 4(b) and 4(d) of the License.
+
+   In addition, if you combine or link compiled forms of this Software with
+   software that is licensed under the GPLv2 ("Combined Software") and if a
+   court of competent jurisdiction determines that the patent provision (Section
+   3), the indemnity provision (Section 9) or other Section of the License
+   conflicts with the conditions of the GPLv2, you may retroactively and
+   prospectively choose to deem waived or otherwise exclude such Section(s) of
+   the License, but only in their entirety and only with respect to the Combined
+   Software.
diff --git a/LICENSES/MIT.txt b/LICENSES/MIT.txt
new file mode 100644
index 0000000..2071b23
--- /dev/null
+++ b/LICENSES/MIT.txt
@@ -0,0 +1,9 @@
+MIT License
+
+Copyright (c) <year> <copyright holders>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/LICENSES/MPL-2.0.txt b/LICENSES/MPL-2.0.txt
new file mode 100644
index 0000000..6c949ea
--- /dev/null
+++ b/LICENSES/MPL-2.0.txt
@@ -0,0 +1,144 @@
+Mozilla Public License Version 2.0
+
+1. Definitions
+
+     1.1. "Contributor" means each individual or legal entity that creates, contributes to the creation of, or owns Covered Software.
+
+     1.2. "Contributor Version" means the combination of the Contributions of others (if any) used by a Contributor and that particular Contributor's Contribution.
+
+     1.3. "Contribution" means Covered Software of a particular Contributor.
+
+     1.4. "Covered Software" means Source Code Form to which the initial Contributor has attached the notice in Exhibit A, the Executable Form of such Source Code Form, and Modifications of such Source Code Form, in each case including portions thereof.
+
+     1.5. "Incompatible With Secondary Licenses" means
+
+          (a) that the initial Contributor has attached the notice described in Exhibit B to the Covered Software; or
+
+          (b) that the Covered Software was made available under the terms of version 1.1 or earlier of the License, but not also under the terms of a Secondary License.
+
+     1.6. "Executable Form" means any form of the work other than Source Code Form.
+
+     1.7. "Larger Work" means a work that combines Covered Software with other material, in a separate file or files, that is not Covered Software.
+
+     1.8. "License" means this document.
+
+     1.9. "Licensable" means having the right to grant, to the maximum extent possible, whether at the time of the initial grant or subsequently, any and all of the rights conveyed by this License.
+
+     1.10. "Modifications" means any of the following:
+
+          (a) any file in Source Code Form that results from an addition to, deletion from, or modification of the contents of Covered Software; or
+
+          (b) any new file in Source Code Form that contains any Covered Software.
+
+     1.11. "Patent Claims" of a Contributor means any patent claim(s), including without limitation, method, process, and apparatus claims, in any patent Licensable by such Contributor that would be infringed, but for the grant of the License, by the making, using, selling, offering for sale, having made, import, or transfer of either its Contributions or its Contributor Version.
+
+     1.12. "Secondary License" means either the GNU General Public License, Version 2.0, the GNU Lesser General Public License, Version 2.1, the GNU Affero General Public License, Version 3.0, or any later versions of those licenses.
+
+     1.13. "Source Code Form" means the form of the work preferred for making modifications.
+
+     1.14. "You" (or "Your") means an individual or a legal entity exercising rights under this License. For legal entities, "You" includes any entity that controls, is controlled by, or is under common control with You. For purposes of this definition, "control" means (a) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (b) ownership of more than fifty percent (50%) of the outstanding shares or beneficial ownership of such entity.
+
+2. License Grants and Conditions
+
+     2.1. Grants
+     Each Contributor hereby grants You a world-wide, royalty-free, non-exclusive license:
+
+          (a) under intellectual property rights (other than patent or trademark) Licensable by such Contributor to use, reproduce, make available, modify, display, perform, distribute, and otherwise exploit its Contributions, either on an unmodified basis, with Modifications, or as part of a Larger Work; and
+
+          (b) under Patent Claims of such Contributor to make, use, sell, offer for sale, have made, import, and otherwise transfer either its Contributions or its Contributor Version.
+
+     2.2. Effective Date
+     The licenses granted in Section 2.1 with respect to any Contribution become effective for each Contribution on the date the Contributor first distributes such Contribution.
+
+     2.3. Limitations on Grant Scope
+     The licenses granted in this Section 2 are the only rights granted under this License. No additional rights or licenses will be implied from the distribution or licensing of Covered Software under this License. Notwithstanding Section 2.1(b) above, no patent license is granted by a Contributor:
+
+          (a) for any code that a Contributor has removed from Covered Software; or
+
+          (b) for infringements caused by: (i) Your and any other third party's modifications of Covered Software, or (ii) the combination of its Contributions with other software (except as part of its Contributor Version); or
+
+          (c) under Patent Claims infringed by Covered Software in the absence of its Contributions.
+
+     This License does not grant any rights in the trademarks, service marks, or logos of any Contributor (except as may be necessary to comply with the notice requirements in Section 3.4).
+
+     2.4. Subsequent Licenses
+     No Contributor makes additional grants as a result of Your choice to distribute the Covered Software under a subsequent version of this License (see Section 10.2) or under the terms of a Secondary License (if permitted under the terms of Section 3.3).
+
+     2.5. Representation
+     Each Contributor represents that the Contributor believes its Contributions are its original creation(s) or it has sufficient rights to grant the rights to its Contributions conveyed by this License.
+
+     2.6. Fair Use
+     This License is not intended to limit any rights You have under applicable copyright doctrines of fair use, fair dealing, or other equivalents.
+
+     2.7. Conditions
+     Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in Section 2.1.
+
+3. Responsibilities
+
+     3.1. Distribution of Source Form
+     All distribution of Covered Software in Source Code Form, including any Modifications that You create or to which You contribute, must be under the terms of this License. You must inform recipients that the Source Code Form of the Covered Software is governed by the terms of this License, and how they can obtain a copy of this License. You may not attempt to alter or restrict the recipients' rights in the Source Code Form.
+
+     3.2. Distribution of Executable Form
+     If You distribute Covered Software in Executable Form then:
+
+          (a) such Covered Software must also be made available in Source Code Form, as described in Section 3.1, and You must inform recipients of the Executable Form how they can obtain a copy of such Source Code Form by reasonable means in a timely manner, at a charge no more than the cost of distribution to the recipient; and
+
+          (b) You may distribute such Executable Form under the terms of this License, or sublicense it under different terms, provided that the license for the Executable Form does not attempt to limit or alter the recipients' rights in the Source Code Form under this License.
+
+     3.3. Distribution of a Larger Work
+     You may create and distribute a Larger Work under terms of Your choice, provided that You also comply with the requirements of this License for the Covered Software. If the Larger Work is a combination of Covered Software with a work governed by one or more Secondary Licenses, and the Covered Software is not Incompatible With Secondary Licenses, this License permits You to additionally distribute such Covered Software under the terms of such Secondary License(s), so that the recipient of the Larger Work may, at their option, further distribute the Covered Software under the terms of either this License or such Secondary License(s).
+
+     3.4. Notices
+     You may not remove or alter the substance of any license notices (including copyright notices, patent notices, disclaimers of warranty, or limitations of liability) contained within the Source Code Form of the Covered Software, except that You may alter any license notices to the extent required to remedy known factual inaccuracies.
+
+     3.5. Application of Additional Terms
+     You may choose to offer, and to charge a fee for, warranty, support, indemnity or liability obligations to one or more recipients of Covered Software. However, You may do so only on Your own behalf, and not on behalf of any Contributor. You must make it absolutely clear that any such warranty, support, indemnity, or liability obligation is offered by You alone, and You hereby agree to indemnify every Contributor for any liability incurred by such Contributor as a result of warranty, support, indemnity or liability terms You offer. You may include additional disclaimers of warranty and limitations of liability specific to any jurisdiction.
+
+4. Inability to Comply Due to Statute or Regulation
+If it is impossible for You to comply with any of the terms of this License with respect to some or all of the Covered Software due to statute, judicial order, or regulation then You must: (a) comply with the terms of this License to the maximum extent possible; and (b) describe the limitations and the code they affect. Such description must be placed in a text file included with all distributions of the Covered Software under this License. Except to the extent prohibited by statute or regulation, such description must be sufficiently detailed for a recipient of ordinary skill to be able to understand it.
+
+5. Termination
+
+     5.1. The rights granted under this License will terminate automatically if You fail to comply with any of its terms. However, if You become compliant, then the rights granted under this License from a particular Contributor are reinstated (a) provisionally, unless and until such Contributor explicitly and finally terminates Your grants, and (b) on an ongoing basis, if such Contributor fails to notify You of the non-compliance by some reasonable means prior to 60 days after You have come back into compliance. Moreover, Your grants from a particular Contributor are reinstated on an ongoing basis if such Contributor notifies You of the non-compliance by some reasonable means, this is the first time You have received notice of non-compliance with this License from such Contributor, and You become compliant prior to 30 days after Your receipt of the notice.
+
+     5.2. If You initiate litigation against any entity by asserting a patent infringement claim (excluding declaratory judgment actions, counter-claims, and cross-claims) alleging that a Contributor Version directly or indirectly infringes any patent, then the rights granted to You by any and all Contributors for the Covered Software under Section 2.1 of this License shall terminate.
+
+     5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user license agreements (excluding distributors and resellers) which have been validly granted by You or Your distributors under this License prior to termination shall survive termination.
+
+6. Disclaimer of Warranty
+Covered Software is provided under this License on an "as is" basis, without warranty of any kind, either expressed, implied, or statutory, including, without limitation, warranties that the Covered Software is free of defects, merchantable, fit for a particular purpose or non-infringing. The entire risk as to the quality and performance of the Covered Software is with You. Should any Covered Software prove defective in any respect, You (not any Contributor) assume the cost of any necessary servicing, repair, or correction. This disclaimer of warranty constitutes an essential part of this License. No use of any Covered Software is authorized under this License except under this disclaimer.
+
+7. Limitation of Liability
+Under no circumstances and under no legal theory, whether tort (including negligence), contract, or otherwise, shall any Contributor, or anyone who distributes Covered Software as permitted above, be liable to You for any direct, indirect, special, incidental, or consequential damages of any character including, without limitation, damages for lost profits, loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses, even if such party shall have been informed of the possibility of such damages. This limitation of liability shall not apply to liability for death or personal injury resulting from such party's negligence to the extent applicable law prohibits such limitation. Some jurisdictions do not allow the exclusion or limitation of incidental or consequential damages, so this exclusion and limitation may not apply to You.
+
+8. Litigation
+Any litigation relating to this License may be brought only in the courts of a jurisdiction where the defendant maintains its principal place of business and such litigation shall be governed by laws of that jurisdiction, without reference to its conflict-of-law provisions. Nothing in this Section shall prevent a party's ability to bring cross-claims or counter-claims.
+
+9. Miscellaneous
+This License represents the complete agreement concerning the subject matter hereof. If any provision of this License is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. Any law or regulation which provides that the language of a contract shall be construed against the drafter shall not be used to construe this License against a Contributor.
+
+10. Versions of the License
+
+     10.1. New Versions
+     Mozilla Foundation is the license steward. Except as provided in Section 10.3, no one other than the license steward has the right to modify or publish new versions of this License. Each version will be given a distinguishing version number.
+
+     10.2. Effect of New Versions
+     You may distribute the Covered Software under the terms of the version of the License under which You originally received the Covered Software, or under the terms of any subsequent version published by the license steward.
+
+     10.3. Modified Versions
+     If you create software not governed by this License, and you want to create a new license for such software, you may create and use a modified version of this License if you rename the license and remove any references to the name of the license steward (except to note that such modified license differs from this License).
+
+     10.4. Distributing Source Code Form that is Incompatible With Secondary Licenses
+     If You choose to distribute Source Code Form that is Incompatible With Secondary Licenses under the terms of this version of the License, the notice described in Exhibit B of this License must be attached.
+
+Exhibit A - Source Code Form License Notice
+
+     This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+If it is not possible or desirable to put the notice in a particular file, then You may include the notice in a location (such as a LICENSE file in a relevant directory) where a recipient would be likely to look for such a notice.
+
+You may add additional accurate notices of copyright ownership.
+
+Exhibit B - "Incompatible With Secondary Licenses" Notice
+
+     This Source Code Form is "Incompatible With Secondary Licenses", as defined by the Mozilla Public License, v. 2.0.
diff --git a/Makefile.in b/Makefile.in
new file mode 100644
index 0000000..282415d
--- /dev/null
+++ b/Makefile.in
@@ -0,0 +1,111 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+top_builddir =  @top_builddir@
+
+PANDOC = @PANDOC@
+W3M = @W3M@
+
+VERSION=@BIND9_VERSION@
+
+SUBDIRS =	make lib fuzz bin doc
+TARGETS =
+PREREQS =	bind.keys.h
+
+MANOBJS =	README HISTORY OPTIONS CONTRIBUTING CODE_OF_CONDUCT
+
+@BIND9_MAKE_RULES@
+
+newrr:
+	cd lib/dns; ${MAKE} newrr
+
+bind.keys.h: ${top_srcdir}/bind.keys ${srcdir}/util/bindkeys.pl
+	${PERL} ${srcdir}/util/bindkeys.pl < ${top_srcdir}/bind.keys > $@
+
+distclean::
+	rm -f config.cache config.h config.log config.status TAGS
+	rm -f libtool configure.lineno
+	rm -f util/conf.sh docutil/docbook2man-wrapper.sh
+
+# XXX we should clean libtool stuff too.  Only do this after we add rules
+# to make it.
+maintainer-clean::
+	rm -f configure
+	rm -f bind.keys.h
+
+docclean manclean maintainer-clean::
+	rm -f ${MANOBJS}
+
+doc man:: ${MANOBJS}
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sysconfdir}
+
+install:: installdirs
+	${INSTALL_DATA} ${top_srcdir}/bind.keys ${DESTDIR}${sysconfdir}
+
+uninstall::
+	rm -f ${DESTDIR}${sysconfdir}/bind.keys
+
+test check:
+	@if test -n "`${PERL} ${top_srcdir}/bin/tests/system/testsock.pl 2>/dev/null || echo fail`"; then \
+	echo I: NOTE: The tests were not run because they require that; \
+	echo I:	the IP addresses 10.53.0.1 through 10.53.0.8 are configured; \
+	echo I:	as alias addresses on the loopback interface.  Please run; \
+	echo I:	\'bin/tests/system/ifconfig.sh up\' as root to configure; \
+	echo I:	them, then rerun the tests. Run make force-test to run the; \
+	echo I:	tests anyway.; \
+	exit 1; \
+	fi
+	${MAKE} test-force
+
+force-test: test-force
+
+test-force:
+	status=0; \
+	(cd fuzz && ${MAKE} check) || status=1; \
+	(cd bin/tests && ${MAKE} ${MAKEDEFS} test) || status=1; \
+	(test -f ${top_builddir}/unit/unittest.sh && \
+		$(SHELL) ${top_builddir}/unit/unittest.sh) || status=1; \
+	exit $$status
+
+README: README.md
+	${PANDOC} --email-obfuscation=none -s --metadata title="README" -f markdown-smart -t html README.md | \
+		${W3M} -dump -cols 75 -O ascii -T text/html | \
+		sed -e '$${/^$$/d;}' > $@
+
+HISTORY: HISTORY.md
+	${PANDOC} --email-obfuscation=none -s --metadata title="HISTORY" -f markdown-smart -t html HISTORY.md | \
+		${W3M} -dump -cols 75 -O ascii -T text/html | \
+		sed -e '$${/^$$/d;}' > $@
+
+OPTIONS: OPTIONS.md
+	${PANDOC} --email-obfuscation=none -s --metadata title="OPTIONS" -f markdown-smart -t html OPTIONS.md | \
+		${W3M} -dump -cols 75 -O ascii -T text/html | \
+		sed -e '$${/^$$/d;}' > $@
+
+CONTRIBUTING: CONTRIBUTING.md
+	${PANDOC} --email-obfuscation=none -s --metadata title="CONTRIBUTING" -f markdown-smart -t html CONTRIBUTING.md | \
+		${W3M} -dump -cols 75 -O ascii -T text/html | \
+		sed -e '$${/^$$/d;}' > $@
+
+CODE_OF_CONDUCT: CODE_OF_CONDUCT.md
+	${PANDOC} --email-obfuscation=none -s --metadata title="CODE OF CONDUCT" -f markdown-smart -t html CODE_OF_CONDUCT.md | \
+		${W3M} -dump -cols 75 -O ascii -T text/html | \
+		sed -e '$${/^$$/d;}' > $@
+
+unit::
+	sh ${top_builddir}/unit/unittest.sh
+
+clean::
diff --git a/OPTIONS b/OPTIONS
new file mode 100644
index 0000000..811cf7c
--- /dev/null
+++ b/OPTIONS
@@ -0,0 +1,28 @@
+OPTIONS
+
+Setting the STD_CDEFINES environment variable before running configure can
+be used to enable certain compile-time options that are not explicitly
+defined in configure.
+
+Some of these settings are:
+
+         Setting                            Description
+                          Overwrite memory with tag values when allocating
+-DISC_MEM_DEFAULTFILL=1   or freeing it; this impairs performance but
+                          makes debugging of memory problems easier.
+                          Don't track memory allocations by file and line
+-DISC_MEM_TRACKLINES=0    number; this improves performance but makes
+                          debugging more difficult.
+-DISC_FACILITY=LOG_LOCAL0 Change the default syslog facility for named
+-DNS_CLIENT_DROPPORT=0    Disable dropping queries from particular
+                          well-known ports:
+-DCHECK_SIBLING=0         Don't check sibling glue in named-checkzone
+-DCHECK_LOCAL=0           Don't check out-of-zone addresses in
+                          named-checkzone
+-DNS_RUN_PID_DIR=0        Create default PID files in ${localstatedir}/run
+                          rather than ${localstatedir}/run/named/
+                          Disable the use of inline functions to implement
+-DISC_BUFFER_USEINLINE=0  the isc_buffer API: this reduces performance but
+                          may be useful when debugging
+-DISC_HEAP_CHECK          Test heap consistency after every heap
+                          operation; used when debugging
diff --git a/OPTIONS.md b/OPTIONS.md
new file mode 100644
index 0000000..16029e7
--- /dev/null
+++ b/OPTIONS.md
@@ -0,0 +1,29 @@
+<!--
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0.  If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+-->
+Setting the `STD_CDEFINES` environment variable before running `configure`
+can be used to enable certain compile-time options that are not explicitly
+defined in `configure`.
+
+Some of these settings are:
+
+|Setting                            |Description |
+|-----------------------------------|----------------------------------------|
+|`-DISC_MEM_DEFAULTFILL=1`|Overwrite memory with tag values when allocating or freeing it; this impairs performance but makes debugging of memory problems easier.|
+|`-DISC_MEM_TRACKLINES=0`|Don't track memory allocations by file and line number; this improves performance but makes debugging more difficult.|
+|<nobr>`-DISC_FACILITY=LOG_LOCAL0`</nobr>|Change the default syslog facility for `named`|
+|`-DNS_CLIENT_DROPPORT=0`|Disable dropping queries from particular well-known ports:|
+|`-DCHECK_SIBLING=0`|Don't check sibling glue in `named-checkzone`|
+|`-DCHECK_LOCAL=0`|Don't check out-of-zone addresses in `named-checkzone`|
+|`-DNS_RUN_PID_DIR=0`|Create default PID files in `${localstatedir}/run` rather than `${localstatedir}/run/named/`|
+|`-DISC_BUFFER_USEINLINE=0`|Disable the use of inline functions to implement the `isc_buffer` API: this reduces performance but may be useful when debugging |
+|`-DISC_HEAP_CHECK`|Test heap consistency after every heap operation; used when debugging|
diff --git a/README b/README
new file mode 100644
index 0000000..cac2dd0
--- /dev/null
+++ b/README
@@ -0,0 +1,244 @@
+README
+
+BIND 9
+
+Contents
+
+ 1. Introduction
+ 2. Reporting bugs and getting help
+ 3. Contributing to BIND
+ 4. BIND 9.16 features
+ 5. Building BIND
+ 6. macOS
+ 7. Dependencies
+ 8. Compile-time options
+ 9. Automated testing
+10. Documentation
+11. Change log
+12. Acknowledgments
+
+Introduction
+
+BIND (Berkeley Internet Name Domain) is a complete, highly portable
+implementation of the DNS (Domain Name System) protocol.
+
+The BIND name server, named, is able to serve as an authoritative name
+server, recursive resolver, DNS forwarder, or all three simultaneously. It
+implements views for split-horizon DNS, automatic DNSSEC zone signing and
+key management, catalog zones to facilitate provisioning of zone data
+throughout a name server constellation, response policy zones (RPZ) to
+protect clients from malicious data, response rate limiting (RRL) and
+recursive query limits to reduce distributed denial of service attacks,
+and many other advanced DNS features. BIND also includes a suite of
+administrative tools, including the dig and delv DNS lookup tools,
+nsupdate for dynamic DNS zone updates, rndc for remote name server
+administration, and more.
+
+BIND 9 began as a complete re-write of the BIND architecture that was used
+in versions 4 and 8. Internet Systems Consortium (https://www.isc.org), a
+501(c)(3) public benefit corporation dedicated to providing software and
+services in support of the Internet infrastructure, developed BIND 9 and
+is responsible for its ongoing maintenance and improvement. BIND is open
+source software licensed under the terms of the Mozilla Public License,
+version 2.0.
+
+For a summary of features introduced in past major releases of BIND, see
+the file HISTORY.
+
+For a detailed list of changes made throughout the history of BIND 9, see
+the file CHANGES. See below for details on the CHANGES file format.
+
+For up-to-date versions and release notes, see https://www.isc.org/
+download/.
+
+For information about supported platforms, see the "Supported Platforms"
+section in the BIND 9 Administrator Reference Manual.
+
+Reporting bugs and getting help
+
+To report non-security-sensitive bugs or request new features, you may
+open an Issue in the BIND 9 project on the ISC GitLab server at https://
+gitlab.isc.org/isc-projects/bind9.
+
+Please note that, unless you explicitly mark the newly created Issue as
+"confidential", it will be publicly readable. Please do not include any
+information in bug reports that you consider to be confidential unless the
+issue has been marked as such. In particular, if submitting the contents
+of your configuration file in a non-confidential Issue, it is advisable to
+obscure key secrets: this can be done automatically by using
+named-checkconf -px.
+
+If the bug you are reporting is a potential security issue, such as an
+assertion failure or other crash in named, please do NOT use GitLab to
+report it. Instead, send mail to security-officer@isc.org using our
+OpenPGP key to secure your message. (Information about OpenPGP and links
+to our key can be found at https://www.isc.org/pgpkey.) Please do not
+discuss the bug on any public mailing list.
+
+For a general overview of ISC security policies, read the Knowledge Base
+article at https://kb.isc.org/docs/aa-00861.
+
+Professional support and training for BIND are available from ISC at
+https://www.isc.org/support.
+
+To join the BIND Users mailing list, or view the archives, visit https://
+lists.isc.org/mailman/listinfo/bind-users.
+
+If you're planning on making changes to the BIND 9 source code, you may
+also want to join the BIND Workers mailing list, at https://lists.isc.org/
+mailman/listinfo/bind-workers.
+
+Contributing to BIND
+
+ISC maintains a public git repository for BIND; details can be found at
+http://www.isc.org/git/.
+
+Information for BIND contributors can be found in the following files: -
+General information: CONTRIBUTING.md - Code of Conduct: CODE_OF_CONDUCT.md
+- BIND 9 code style: doc/dev/style.md - BIND architecture and developer
+guide: doc/dev/dev.md
+
+Patches for BIND may be submitted as merge requests in the ISC GitLab
+server at at https://gitlab.isc.org/isc-projects/bind9/merge_requests.
+
+By default, external contributors don't have ability to fork BIND in the
+GitLab server, but if you wish to contribute code to BIND, you may request
+permission to do so. Thereafter, you can create git branches and directly
+submit requests that they be reviewed and merged.
+
+If you prefer, you may also submit code by opening a GitLab Issue and
+including your patch as an attachment, preferably generated by git
+format-patch.
+
+BIND 9.16 features
+
+BIND 9.16 is the current stable branch of BIND 9. It includes all changes
+from the 9.15 development branch, updating the previous stable branch,
+9.14. New features include:
+
+  * New dnssec-policy statement to configure a key and signing policy for
+    zones, enabling automatic key regeneration and rollover.
+  * New network manager based on libuv.
+  * Added support for the new GeoIP2 geolocation API, libmaxminddb.
+  * Improved DNSSEC trust anchor configuration using the trust-anchors
+    statement, permitting configuration of trust anchors in DS as well as
+    DNSKEY format.
+  * YAML output for dig, mdig, and delv.
+
+Building BIND
+
+For information about building BIND 9, see the "Building BIND 9" section
+in the BIND 9 Administrator Reference Manual.
+
+Automated testing
+
+A system test suite can be run with make test. The system tests require
+you to configure a set of virtual IP addresses on your system (this allows
+multiple servers to run locally and communicate with one another). These
+IP addresses can be configured by running the command bin/tests/system/
+ifconfig.sh up as root.
+
+Some tests require Perl and the Net::DNS and/or IO::Socket::INET6 modules,
+and will be skipped if these are not available. Some tests require Python
+and the dnspython module and will be skipped if these are not available.
+See bin/tests/system/README for further details.
+
+Unit tests are implemented using the CMocka unit testing framework. To
+build them, use configure --with-cmocka. Execution of tests is done by the
+Kyua test execution engine; if the kyua command is available, then unit
+tests can be run via make test or make unit.
+
+Documentation
+
+The BIND 9 Administrator Reference Manual is included with the source
+distribution, in DocBook XML, HTML, and PDF format, in the doc/arm
+directory.
+
+Some of the programs in the BIND 9 distribution have man pages in their
+directories. In particular, the command line options of named are
+documented in bin/named/named.8.
+
+Frequently (and not-so-frequently) asked questions and their answers can
+be found in the ISC Knowledge Base at https://kb.isc.org.
+
+Additional information on various subjects can be found in other README
+files throughout the source tree.
+
+Change log
+
+A detailed list of all changes that have been made throughout the
+development BIND 9 is included in the file CHANGES, with the most recent
+changes listed first. Change notes include tags indicating the category of
+the change that was made; these categories are:
+
+   Category                            Description
+[func]         New feature
+[bug]          General bug fix
+[security]     Fix for a significant security flaw
+[experimental] Used for new features when the syntax or other aspects of
+               the design are still in flux and may change
+[port]         Portability enhancement
+[maint]        Updates to built-in data such as root server addresses and
+               keys
+[tuning]       Changes to built-in configuration defaults and constants to
+               improve performance
+[performance]  Other changes to improve server performance
+[protocol]     Updates to the DNS protocol such as new RR types
+[test]         Changes to the automatic tests, not affecting server
+               functionality
+[cleanup]      Minor corrections and refactoring
+[doc]          Documentation
+[contrib]      Changes to the contributed tools and libraries in the
+               'contrib' subdirectory
+               Used in the main development branch to reserve change
+[placeholder]  numbers for use in other branches, e.g., when fixing a bug
+               that only exists in older releases
+
+In general, [func] and [experimental] tags will only appear in new-feature
+releases (i.e., those with version numbers ending in zero). Some new
+functionality may be backported to older releases on a case-by-case basis.
+All other change types may be applied to all currently-supported releases.
+
+Bug report identifiers
+
+Most notes in the CHANGES file include a reference to a bug report or
+issue number. Prior to 2018, these were usually of the form [RT #NNN] and
+referred to entries in the "bind9-bugs" RT database, which was not open to
+the public. More recent entries use the form [GL #NNN] or, less often, [GL
+!NNN], which, respectively, refer to issues or merge requests in the
+GitLab database. Most of these are publicly readable, unless they include
+information which is confidential or security sensitive.
+
+To look up a GitLab issue by its number, use the URL https://
+gitlab.isc.org/isc-projects/bind9/issues/NNN. To look up a merge request,
+use https://gitlab.isc.org/isc-projects/bind9/merge_requests/NNN.
+
+In rare cases, an issue or merge request number may be followed with the
+letter "P". This indicates that the information is in the private ISC
+GitLab instance, which is not visible to the public.
+
+Acknowledgments
+
+  * The original development of BIND 9 was underwritten by the following
+    organizations:
+
+      Sun Microsystems, Inc.
+      Hewlett Packard
+      Compaq Computer Corporation
+      IBM
+      Process Software Corporation
+      Silicon Graphics, Inc.
+      Network Associates, Inc.
+      U.S. Defense Information Systems Agency
+      USENIX Association
+      Stichting NLnet - NLnet Foundation
+      Nominum, Inc.
+
+  * This product includes software developed by the OpenSSL Project for
+    use in the OpenSSL Toolkit. http://www.OpenSSL.org/
+
+  * This product includes cryptographic software written by Eric Young
+    (eay@cryptsoft.com)
+
+  * This product includes software written by Tim Hudson
+    (tjh@cryptsoft.com)
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..9a6ff6e
--- /dev/null
+++ b/README.md
@@ -0,0 +1,259 @@
+<!--
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0.  If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+-->
+# BIND 9
+
+### Contents
+
+1. [Introduction](#intro)
+1. [Reporting bugs and getting help](#help)
+1. [Contributing to BIND](#contrib)
+1. [BIND 9.16 features](#features)
+1. [Building BIND](#build)
+1. [macOS](#macos)
+1. [Dependencies](#dependencies)
+1. [Compile-time options](#opts)
+1. [Automated testing](#testing)
+1. [Documentation](#doc)
+1. [Change log](#changes)
+1. [Acknowledgments](#ack)
+
+### <a name="intro"/> Introduction
+
+BIND (Berkeley Internet Name Domain) is a complete, highly portable
+implementation of the DNS (Domain Name System) protocol.
+
+The BIND name server, `named`, is able to serve as an authoritative name
+server, recursive resolver, DNS forwarder, or all three simultaneously.  It
+implements views for split-horizon DNS, automatic DNSSEC zone signing and
+key management, catalog zones to facilitate provisioning of zone data
+throughout a name server constellation, response policy zones (RPZ) to
+protect clients from malicious data, response rate limiting (RRL) and
+recursive query limits to reduce distributed denial of service attacks,
+and many other advanced DNS features.  BIND also includes a suite of
+administrative tools, including the `dig` and `delv` DNS lookup tools,
+`nsupdate` for dynamic DNS zone updates, `rndc` for remote name server
+administration, and more.
+
+BIND 9 began as a complete re-write of the BIND architecture that was
+used in versions 4 and 8.  Internet Systems Consortium
+([https://www.isc.org](https://www.isc.org)), a 501(c)(3) public benefit
+corporation dedicated to providing software and services in support of the
+Internet infrastructure, developed BIND 9 and is responsible for its
+ongoing maintenance and improvement.  BIND is open source software
+licensed under the terms of the Mozilla Public License, version 2.0.
+
+For a summary of features introduced in past major releases of BIND,
+see the file [HISTORY](HISTORY.md).
+
+For a detailed list of changes made throughout the history of BIND 9, see
+the file [CHANGES](CHANGES). See [below](#changes) for details on the
+CHANGES file format.
+
+For up-to-date versions and release notes, see
+[https://www.isc.org/download/](https://www.isc.org/download/).
+
+For information about supported platforms, see the
+["Supported Platforms"](doc/arm/platforms.rst) section in the BIND 9
+Administrator Reference Manual.
+
+### <a name="help"/> Reporting bugs and getting help
+
+To report non-security-sensitive bugs or request new features, you may
+open an Issue in the BIND 9 project on the
+[ISC GitLab server](https://gitlab.isc.org) at
+[https://gitlab.isc.org/isc-projects/bind9](https://gitlab.isc.org/isc-projects/bind9).
+
+Please note that, unless you explicitly mark the newly created Issue as
+"confidential", it will be publicly readable.  Please do not include any
+information in bug reports that you consider to be confidential unless
+the issue has been marked as such.  In particular, if submitting the
+contents of your configuration file in a non-confidential Issue, it is
+advisable to obscure key secrets: this can be done automatically by
+using `named-checkconf -px`.
+
+If the bug you are reporting is a potential security issue, such as an
+assertion failure or other crash in `named`, please do *NOT* use GitLab to
+report it. Instead, send mail to
+[security-officer@isc.org](mailto:security-officer@isc.org) using our
+OpenPGP key to secure your message. (Information about OpenPGP and links
+to our key can be found at
+[https://www.isc.org/pgpkey](https://www.isc.org/pgpkey).) Please do not
+discuss the bug on any public mailing list.
+
+For a general overview of ISC security policies, read the Knowledge Base
+article at [https://kb.isc.org/docs/aa-00861](https://kb.isc.org/docs/aa-00861).
+
+Professional support and training for BIND are available from
+ISC at [https://www.isc.org/support](https://www.isc.org/support).
+
+To join the __BIND Users__ mailing list, or view the archives, visit
+[https://lists.isc.org/mailman/listinfo/bind-users](https://lists.isc.org/mailman/listinfo/bind-users).
+
+If you're planning on making changes to the BIND 9 source code, you
+may also want to join the __BIND Workers__ mailing list, at
+[https://lists.isc.org/mailman/listinfo/bind-workers](https://lists.isc.org/mailman/listinfo/bind-workers).
+
+### <a name="contrib"/> Contributing to BIND
+
+ISC maintains a public git repository for BIND; details can be found
+at [http://www.isc.org/git/](http://www.isc.org/git/).
+
+Information for BIND contributors can be found in the following files:
+- General information: [CONTRIBUTING.md](CONTRIBUTING.md)
+- Code of Conduct: [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md)
+- BIND 9 code style: [doc/dev/style.md](doc/dev/style.md)
+- BIND architecture and developer guide: [doc/dev/dev.md](doc/dev/dev.md)
+
+Patches for BIND may be submitted as
+[merge requests](https://gitlab.isc.org/isc-projects/bind9/merge_requests)
+in the [ISC GitLab server](https://gitlab.isc.org) at
+at [https://gitlab.isc.org/isc-projects/bind9/merge_requests](https://gitlab.isc.org/isc-projects/bind9/merge_requests).
+
+By default, external contributors don't have ability to fork BIND in the
+GitLab server, but if you wish to contribute code to BIND, you may request
+permission to do so. Thereafter, you can create git branches and directly
+submit requests that they be reviewed and merged.
+
+If you prefer, you may also submit code by opening a
+[GitLab Issue](https://gitlab.isc.org/isc-projects/bind9/issues) and
+including your patch as an attachment, preferably generated by
+`git format-patch`.
+
+### <a name="features"/> BIND 9.16 features
+
+BIND 9.16 is the current stable branch of BIND 9. It includes all
+changes from the 9.15 development branch, updating the previous stable
+branch, 9.14. New features include:
+
+* New `dnssec-policy` statement to configure a key and signing policy
+  for zones, enabling automatic key regeneration and rollover.
+* New network manager based on `libuv`.
+* Added support for the new GeoIP2 geolocation API, `libmaxminddb`.
+* Improved DNSSEC trust anchor configuration using the `trust-anchors`
+  statement, permitting configuration of trust anchors in DS as well as
+  DNSKEY format.
+* YAML output for `dig`, `mdig`, and `delv`.
+
+### <a name="build"/> Building BIND
+
+For information about building BIND 9, see the
+["Building BIND 9"](doc/arm/build.rst) section in the BIND 9
+Administrator Reference Manual.
+
+### <a name="testing"/> Automated testing
+
+A system test suite can be run with `make test`.  The system tests require
+you to configure a set of virtual IP addresses on your system (this allows
+multiple servers to run locally and communicate with one another).  These
+IP addresses can be configured by running the command
+`bin/tests/system/ifconfig.sh up` as root.
+
+Some tests require Perl and the `Net::DNS` and/or `IO::Socket::INET6` modules,
+and will be skipped if these are not available. Some tests require Python
+and the `dnspython` module and will be skipped if these are not available.
+See bin/tests/system/README for further details.
+
+Unit tests are implemented using the [CMocka unit testing framework](https://cmocka.org/).
+To build them, use `configure --with-cmocka`. Execution of tests is done
+by the [Kyua test execution engine](https://github.com/jmmv/kyua); if the
+`kyua` command is available, then unit tests can be run via `make test`
+or `make unit`.
+
+### <a name="doc"/> Documentation
+
+The *BIND 9 Administrator Reference Manual* is included with the source
+distribution, in DocBook XML, HTML, and PDF format, in the `doc/arm`
+directory.
+
+Some of the programs in the BIND 9 distribution have man pages in their
+directories.  In particular, the command line options of `named` are
+documented in `bin/named/named.8`.
+
+Frequently (and not-so-frequently) asked questions and their answers
+can be found in the ISC Knowledge Base at
+[https://kb.isc.org](https://kb.isc.org).
+
+Additional information on various subjects can be found in other
+`README` files throughout the source tree.
+
+### <a name="changes"/> Change log
+
+A detailed list of all changes that have been made throughout the
+development BIND 9 is included in the file CHANGES, with the most recent
+changes listed first.  Change notes include tags indicating the category of
+the change that was made; these categories are:
+
+|Category	|Description	        			|
+|--------------	|-----------------------------------------------|
+| [func] | New feature |
+| [bug] | General bug fix |
+| [security] | Fix for a significant security flaw |
+| [experimental] | Used for new features when the syntax or other aspects of the design are still in flux and may change |
+| [port] | Portability enhancement |
+| [maint] | Updates to built-in data such as root server addresses and keys |
+| [tuning] | Changes to built-in configuration defaults and constants to improve performance |
+| [performance] | Other changes to improve server performance |
+| [protocol] | Updates to the DNS protocol such as new RR types |
+| [test] | Changes to the automatic tests, not affecting server functionality |
+| [cleanup] | Minor corrections and refactoring |
+| [doc] | Documentation |
+| [contrib] | Changes to the contributed tools and libraries in the 'contrib' subdirectory |
+| [placeholder] | Used in the main development branch to reserve change numbers for use in other branches, e.g., when fixing a bug that only exists in older releases |
+
+In general, [func] and [experimental] tags will only appear in new-feature
+releases (i.e., those with version numbers ending in zero).  Some new
+functionality may be backported to older releases on a case-by-case basis.
+All other change types may be applied to all currently-supported releases.
+
+#### Bug report identifiers
+
+Most notes in the CHANGES file include a reference to a bug report or
+issue number. Prior to 2018, these were usually of the form `[RT #NNN]`
+and referred to entries in the "bind9-bugs" RT database, which was not open
+to the public. More recent entries use the form `[GL #NNN]` or, less often,
+`[GL !NNN]`, which, respectively, refer to issues or merge requests in the
+GitLab database. Most of these are publicly readable, unless they include
+information which is confidential or security sensitive.
+
+To look up a GitLab issue by its number, use the URL
+[https://gitlab.isc.org/isc-projects/bind9/issues/NNN](https://gitlab.isc.org/isc-projects/bind9/issues).
+To look up a merge request, use
+[https://gitlab.isc.org/isc-projects/bind9/merge_requests/NNN](https://gitlab.isc.org/isc-projects/bind9/merge_requests).
+
+In rare cases, an issue or merge request number may be followed with the
+letter "P". This indicates that the information is in the private ISC
+GitLab instance, which is not visible to the public.
+
+### <a name="ack"/> Acknowledgments
+
+* The original development of BIND 9 was underwritten by the
+  following organizations:
+
+		Sun Microsystems, Inc.
+		Hewlett Packard
+		Compaq Computer Corporation
+		IBM
+		Process Software Corporation
+		Silicon Graphics, Inc.
+		Network Associates, Inc.
+		U.S. Defense Information Systems Agency
+		USENIX Association
+		Stichting NLnet - NLnet Foundation
+		Nominum, Inc.
+
+* This product includes software developed by the OpenSSL Project for use
+  in the OpenSSL Toolkit.
+  [http://www.OpenSSL.org/](http://www.OpenSSL.org/)
+* This product includes cryptographic software written by Eric Young
+  (eay@cryptsoft.com)
+* This product includes software written by Tim Hudson (tjh@cryptsoft.com)
diff --git a/aclocal.m4 b/aclocal.m4
new file mode 100644
index 0000000..6977695
--- /dev/null
+++ b/aclocal.m4
@@ -0,0 +1,388 @@
+# generated automatically by aclocal 1.16.3 -*- Autoconf -*-
+
+# Copyright (C) 1996-2020 Free Software Foundation, Inc.
+
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+m4_ifndef([AC_CONFIG_MACRO_DIRS], [m4_defun([_AM_CONFIG_MACRO_DIRS], [])m4_defun([AC_CONFIG_MACRO_DIRS], [_AM_CONFIG_MACRO_DIRS($@)])])
+# pkg.m4 - Macros to locate and utilise pkg-config.   -*- Autoconf -*-
+# serial 12 (pkg-config-0.29.2)
+
+dnl Copyright © 2004 Scott James Remnant <scott@netsplit.com>.
+dnl Copyright © 2012-2015 Dan Nicholson <dbn.lists@gmail.com>
+dnl
+dnl This program is free software; you can redistribute it and/or modify
+dnl it under the terms of the GNU General Public License as published by
+dnl the Free Software Foundation; either version 2 of the License, or
+dnl (at your option) any later version.
+dnl
+dnl This program is distributed in the hope that it will be useful, but
+dnl WITHOUT ANY WARRANTY; without even the implied warranty of
+dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+dnl General Public License for more details.
+dnl
+dnl You should have received a copy of the GNU General Public License
+dnl along with this program; if not, write to the Free Software
+dnl Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+dnl 02111-1307, USA.
+dnl
+dnl As a special exception to the GNU General Public License, if you
+dnl distribute this file as part of a program that contains a
+dnl configuration script generated by Autoconf, you may include it under
+dnl the same distribution terms that you use for the rest of that
+dnl program.
+
+dnl PKG_PREREQ(MIN-VERSION)
+dnl -----------------------
+dnl Since: 0.29
+dnl
+dnl Verify that the version of the pkg-config macros are at least
+dnl MIN-VERSION. Unlike PKG_PROG_PKG_CONFIG, which checks the user's
+dnl installed version of pkg-config, this checks the developer's version
+dnl of pkg.m4 when generating configure.
+dnl
+dnl To ensure that this macro is defined, also add:
+dnl m4_ifndef([PKG_PREREQ],
+dnl     [m4_fatal([must install pkg-config 0.29 or later before running autoconf/autogen])])
+dnl
+dnl See the "Since" comment for each macro you use to see what version
+dnl of the macros you require.
+m4_defun([PKG_PREREQ],
+[m4_define([PKG_MACROS_VERSION], [0.29.2])
+m4_if(m4_version_compare(PKG_MACROS_VERSION, [$1]), -1,
+    [m4_fatal([pkg.m4 version $1 or higher is required but ]PKG_MACROS_VERSION[ found])])
+])dnl PKG_PREREQ
+
+dnl PKG_PROG_PKG_CONFIG([MIN-VERSION])
+dnl ----------------------------------
+dnl Since: 0.16
+dnl
+dnl Search for the pkg-config tool and set the PKG_CONFIG variable to
+dnl first found in the path. Checks that the version of pkg-config found
+dnl is at least MIN-VERSION. If MIN-VERSION is not specified, 0.9.0 is
+dnl used since that's the first version where most current features of
+dnl pkg-config existed.
+AC_DEFUN([PKG_PROG_PKG_CONFIG],
+[m4_pattern_forbid([^_?PKG_[A-Z_]+$])
+m4_pattern_allow([^PKG_CONFIG(_(PATH|LIBDIR|SYSROOT_DIR|ALLOW_SYSTEM_(CFLAGS|LIBS)))?$])
+m4_pattern_allow([^PKG_CONFIG_(DISABLE_UNINSTALLED|TOP_BUILD_DIR|DEBUG_SPEW)$])
+AC_ARG_VAR([PKG_CONFIG], [path to pkg-config utility])
+AC_ARG_VAR([PKG_CONFIG_PATH], [directories to add to pkg-config's search path])
+AC_ARG_VAR([PKG_CONFIG_LIBDIR], [path overriding pkg-config's built-in search path])
+
+if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then
+	AC_PATH_TOOL([PKG_CONFIG], [pkg-config])
+fi
+if test -n "$PKG_CONFIG"; then
+	_pkg_min_version=m4_default([$1], [0.9.0])
+	AC_MSG_CHECKING([pkg-config is at least version $_pkg_min_version])
+	if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then
+		AC_MSG_RESULT([yes])
+	else
+		AC_MSG_RESULT([no])
+		PKG_CONFIG=""
+	fi
+fi[]dnl
+])dnl PKG_PROG_PKG_CONFIG
+
+dnl PKG_CHECK_EXISTS(MODULES, [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND])
+dnl -------------------------------------------------------------------
+dnl Since: 0.18
+dnl
+dnl Check to see whether a particular set of modules exists. Similar to
+dnl PKG_CHECK_MODULES(), but does not set variables or print errors.
+dnl
+dnl Please remember that m4 expands AC_REQUIRE([PKG_PROG_PKG_CONFIG])
+dnl only at the first occurence in configure.ac, so if the first place
+dnl it's called might be skipped (such as if it is within an "if", you
+dnl have to call PKG_CHECK_EXISTS manually
+AC_DEFUN([PKG_CHECK_EXISTS],
+[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
+if test -n "$PKG_CONFIG" && \
+    AC_RUN_LOG([$PKG_CONFIG --exists --print-errors "$1"]); then
+  m4_default([$2], [:])
+m4_ifvaln([$3], [else
+  $3])dnl
+fi])
+
+dnl _PKG_CONFIG([VARIABLE], [COMMAND], [MODULES])
+dnl ---------------------------------------------
+dnl Internal wrapper calling pkg-config via PKG_CONFIG and setting
+dnl pkg_failed based on the result.
+m4_define([_PKG_CONFIG],
+[if test -n "$$1"; then
+    pkg_cv_[]$1="$$1"
+ elif test -n "$PKG_CONFIG"; then
+    PKG_CHECK_EXISTS([$3],
+                     [pkg_cv_[]$1=`$PKG_CONFIG --[]$2 "$3" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes ],
+		     [pkg_failed=yes])
+ else
+    pkg_failed=untried
+fi[]dnl
+])dnl _PKG_CONFIG
+
+dnl _PKG_SHORT_ERRORS_SUPPORTED
+dnl ---------------------------
+dnl Internal check to see if pkg-config supports short errors.
+AC_DEFUN([_PKG_SHORT_ERRORS_SUPPORTED],
+[AC_REQUIRE([PKG_PROG_PKG_CONFIG])
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi[]dnl
+])dnl _PKG_SHORT_ERRORS_SUPPORTED
+
+
+dnl PKG_CHECK_MODULES(VARIABLE-PREFIX, MODULES, [ACTION-IF-FOUND],
+dnl   [ACTION-IF-NOT-FOUND])
+dnl --------------------------------------------------------------
+dnl Since: 0.4.0
+dnl
+dnl Note that if there is a possibility the first call to
+dnl PKG_CHECK_MODULES might not happen, you should be sure to include an
+dnl explicit call to PKG_PROG_PKG_CONFIG in your configure.ac
+AC_DEFUN([PKG_CHECK_MODULES],
+[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
+AC_ARG_VAR([$1][_CFLAGS], [C compiler flags for $1, overriding pkg-config])dnl
+AC_ARG_VAR([$1][_LIBS], [linker flags for $1, overriding pkg-config])dnl
+
+pkg_failed=no
+AC_MSG_CHECKING([for $2])
+
+_PKG_CONFIG([$1][_CFLAGS], [cflags], [$2])
+_PKG_CONFIG([$1][_LIBS], [libs], [$2])
+
+m4_define([_PKG_TEXT], [Alternatively, you may set the environment variables $1[]_CFLAGS
+and $1[]_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.])
+
+if test $pkg_failed = yes; then
+        AC_MSG_RESULT([no])
+        _PKG_SHORT_ERRORS_SUPPORTED
+        if test $_pkg_short_errors_supported = yes; then
+	        $1[]_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "$2" 2>&1`
+        else
+	        $1[]_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "$2" 2>&1`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$$1[]_PKG_ERRORS" >&AS_MESSAGE_LOG_FD
+
+	m4_default([$4], [AC_MSG_ERROR(
+[Package requirements ($2) were not met:
+
+$$1_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+_PKG_TEXT])[]dnl
+        ])
+elif test $pkg_failed = untried; then
+        AC_MSG_RESULT([no])
+	m4_default([$4], [AC_MSG_FAILURE(
+[The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+_PKG_TEXT
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.])[]dnl
+        ])
+else
+	$1[]_CFLAGS=$pkg_cv_[]$1[]_CFLAGS
+	$1[]_LIBS=$pkg_cv_[]$1[]_LIBS
+        AC_MSG_RESULT([yes])
+	$3
+fi[]dnl
+])dnl PKG_CHECK_MODULES
+
+
+dnl PKG_CHECK_MODULES_STATIC(VARIABLE-PREFIX, MODULES, [ACTION-IF-FOUND],
+dnl   [ACTION-IF-NOT-FOUND])
+dnl ---------------------------------------------------------------------
+dnl Since: 0.29
+dnl
+dnl Checks for existence of MODULES and gathers its build flags with
+dnl static libraries enabled. Sets VARIABLE-PREFIX_CFLAGS from --cflags
+dnl and VARIABLE-PREFIX_LIBS from --libs.
+dnl
+dnl Note that if there is a possibility the first call to
+dnl PKG_CHECK_MODULES_STATIC might not happen, you should be sure to
+dnl include an explicit call to PKG_PROG_PKG_CONFIG in your
+dnl configure.ac.
+AC_DEFUN([PKG_CHECK_MODULES_STATIC],
+[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
+_save_PKG_CONFIG=$PKG_CONFIG
+PKG_CONFIG="$PKG_CONFIG --static"
+PKG_CHECK_MODULES($@)
+PKG_CONFIG=$_save_PKG_CONFIG[]dnl
+])dnl PKG_CHECK_MODULES_STATIC
+
+
+dnl PKG_INSTALLDIR([DIRECTORY])
+dnl -------------------------
+dnl Since: 0.27
+dnl
+dnl Substitutes the variable pkgconfigdir as the location where a module
+dnl should install pkg-config .pc files. By default the directory is
+dnl $libdir/pkgconfig, but the default can be changed by passing
+dnl DIRECTORY. The user can override through the --with-pkgconfigdir
+dnl parameter.
+AC_DEFUN([PKG_INSTALLDIR],
+[m4_pushdef([pkg_default], [m4_default([$1], ['${libdir}/pkgconfig'])])
+m4_pushdef([pkg_description],
+    [pkg-config installation directory @<:@]pkg_default[@:>@])
+AC_ARG_WITH([pkgconfigdir],
+    [AS_HELP_STRING([--with-pkgconfigdir], pkg_description)],,
+    [with_pkgconfigdir=]pkg_default)
+AC_SUBST([pkgconfigdir], [$with_pkgconfigdir])
+m4_popdef([pkg_default])
+m4_popdef([pkg_description])
+])dnl PKG_INSTALLDIR
+
+
+dnl PKG_NOARCH_INSTALLDIR([DIRECTORY])
+dnl --------------------------------
+dnl Since: 0.27
+dnl
+dnl Substitutes the variable noarch_pkgconfigdir as the location where a
+dnl module should install arch-independent pkg-config .pc files. By
+dnl default the directory is $datadir/pkgconfig, but the default can be
+dnl changed by passing DIRECTORY. The user can override through the
+dnl --with-noarch-pkgconfigdir parameter.
+AC_DEFUN([PKG_NOARCH_INSTALLDIR],
+[m4_pushdef([pkg_default], [m4_default([$1], ['${datadir}/pkgconfig'])])
+m4_pushdef([pkg_description],
+    [pkg-config arch-independent installation directory @<:@]pkg_default[@:>@])
+AC_ARG_WITH([noarch-pkgconfigdir],
+    [AS_HELP_STRING([--with-noarch-pkgconfigdir], pkg_description)],,
+    [with_noarch_pkgconfigdir=]pkg_default)
+AC_SUBST([noarch_pkgconfigdir], [$with_noarch_pkgconfigdir])
+m4_popdef([pkg_default])
+m4_popdef([pkg_description])
+])dnl PKG_NOARCH_INSTALLDIR
+
+
+dnl PKG_CHECK_VAR(VARIABLE, MODULE, CONFIG-VARIABLE,
+dnl [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND])
+dnl -------------------------------------------
+dnl Since: 0.28
+dnl
+dnl Retrieves the value of the pkg-config variable for the given module.
+AC_DEFUN([PKG_CHECK_VAR],
+[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
+AC_ARG_VAR([$1], [value of $3 for $2, overriding pkg-config])dnl
+
+_PKG_CONFIG([$1], [variable="][$3]["], [$2])
+AS_VAR_COPY([$1], [pkg_cv_][$1])
+
+AS_VAR_IF([$1], [""], [$5], [$4])dnl
+])dnl PKG_CHECK_VAR
+
+# AM_CONDITIONAL                                            -*- Autoconf -*-
+
+# Copyright (C) 1997-2020 Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# AM_CONDITIONAL(NAME, SHELL-CONDITION)
+# -------------------------------------
+# Define a conditional.
+AC_DEFUN([AM_CONDITIONAL],
+[AC_PREREQ([2.52])dnl
+ m4_if([$1], [TRUE],  [AC_FATAL([$0: invalid condition: $1])],
+       [$1], [FALSE], [AC_FATAL([$0: invalid condition: $1])])dnl
+AC_SUBST([$1_TRUE])dnl
+AC_SUBST([$1_FALSE])dnl
+_AM_SUBST_NOTMAKE([$1_TRUE])dnl
+_AM_SUBST_NOTMAKE([$1_FALSE])dnl
+m4_define([_AM_COND_VALUE_$1], [$2])dnl
+if $2; then
+  $1_TRUE=
+  $1_FALSE='#'
+else
+  $1_TRUE='#'
+  $1_FALSE=
+fi
+AC_CONFIG_COMMANDS_PRE(
+[if test -z "${$1_TRUE}" && test -z "${$1_FALSE}"; then
+  AC_MSG_ERROR([[conditional "$1" was never defined.
+Usually this means the macro was only invoked conditionally.]])
+fi])])
+
+# Add --enable-maintainer-mode option to configure.         -*- Autoconf -*-
+# From Jim Meyering
+
+# Copyright (C) 1996-2020 Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# AM_MAINTAINER_MODE([DEFAULT-MODE])
+# ----------------------------------
+# Control maintainer-specific portions of Makefiles.
+# Default is to disable them, unless 'enable' is passed literally.
+# For symmetry, 'disable' may be passed as well.  Anyway, the user
+# can override the default with the --enable/--disable switch.
+AC_DEFUN([AM_MAINTAINER_MODE],
+[m4_case(m4_default([$1], [disable]),
+       [enable], [m4_define([am_maintainer_other], [disable])],
+       [disable], [m4_define([am_maintainer_other], [enable])],
+       [m4_define([am_maintainer_other], [enable])
+        m4_warn([syntax], [unexpected argument to AM@&t@_MAINTAINER_MODE: $1])])
+AC_MSG_CHECKING([whether to enable maintainer-specific portions of Makefiles])
+  dnl maintainer-mode's default is 'disable' unless 'enable' is passed
+  AC_ARG_ENABLE([maintainer-mode],
+    [AS_HELP_STRING([--]am_maintainer_other[-maintainer-mode],
+      am_maintainer_other[ make rules and dependencies not useful
+      (and sometimes confusing) to the casual installer])],
+    [USE_MAINTAINER_MODE=$enableval],
+    [USE_MAINTAINER_MODE=]m4_if(am_maintainer_other, [enable], [no], [yes]))
+  AC_MSG_RESULT([$USE_MAINTAINER_MODE])
+  AM_CONDITIONAL([MAINTAINER_MODE], [test $USE_MAINTAINER_MODE = yes])
+  MAINT=$MAINTAINER_MODE_TRUE
+  AC_SUBST([MAINT])dnl
+]
+)
+
+# Copyright (C) 2006-2020 Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# _AM_SUBST_NOTMAKE(VARIABLE)
+# ---------------------------
+# Prevent Automake from outputting VARIABLE = @VARIABLE@ in Makefile.in.
+# This macro is traced by Automake.
+AC_DEFUN([_AM_SUBST_NOTMAKE])
+
+# AM_SUBST_NOTMAKE(VARIABLE)
+# --------------------------
+# Public sister of _AM_SUBST_NOTMAKE.
+AC_DEFUN([AM_SUBST_NOTMAKE], [_AM_SUBST_NOTMAKE($@)])
+
+m4_include([m4/ax_check_compile_flag.m4])
+m4_include([m4/ax_check_openssl.m4])
+m4_include([m4/ax_gcc_func_attribute.m4])
+m4_include([m4/ax_posix_shell.m4])
+m4_include([m4/ax_pthread.m4])
+m4_include([m4/ax_restore_flags.m4])
+m4_include([m4/ax_save_flags.m4])
+m4_include([m4/libtool.m4])
+m4_include([m4/ltoptions.m4])
+m4_include([m4/ltsugar.m4])
+m4_include([m4/ltversion.m4])
+m4_include([m4/lt~obsolete.m4])
diff --git a/autogen.sh b/autogen.sh
new file mode 100755
index 0000000..2562151
--- /dev/null
+++ b/autogen.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# Run this script after modifying configure.in to generate configure
+autoreconf -f -i
diff --git a/bin/Makefile.in b/bin/Makefile.in
new file mode 100644
index 0000000..4eb2f34
--- /dev/null
+++ b/bin/Makefile.in
@@ -0,0 +1,20 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	named rndc dig delv dnssec tools nsupdate check confgen \
+		@NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ plugins tests
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/bin/check/Makefile.in b/bin/check/Makefile.in
new file mode 100644
index 0000000..e907c7d
--- /dev/null
+++ b/bin/check/Makefile.in
@@ -0,0 +1,88 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	${NS_INCLUDES} ${BIND9_INCLUDES} ${DNS_INCLUDES} \
+		${ISCCFG_INCLUDES} ${ISC_INCLUDES} ${OPENSSL_CFLAGS}
+
+CDEFINES = 	-DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
+CWARNINGS =
+
+DNSLIBS =	../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
+ISCLIBS =	../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@
+BIND9LIBS =	../../lib/bind9/libbind9.@A@
+NSLIBS =	../../lib/ns/libns.@A@
+
+DNSDEPLIBS =	../../lib/dns/libdns.@A@
+ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
+ISCDEPLIBS =	../../lib/isc/libisc.@A@
+BIND9DEPLIBS =	../../lib/bind9/libbind9.@A@
+NSDEPENDLIBS =	../../lib/ns/libns.@A@
+
+LIBS =		${ISCLIBS} @LIBS@
+NOSYMLIBS =	${ISCNOSYMLIBS} @LIBS@
+
+SUBDIRS =
+
+# Alphabetically
+TARGETS =	named-checkconf@EXEEXT@ named-checkzone@EXEEXT@
+
+# Alphabetically
+SRCS =		named-checkconf.c named-checkzone.c check-tool.c
+
+@BIND9_MAKE_RULES@
+
+named-checkconf.@O@: named-checkconf.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+		-DVERSION=\"${VERSION}\" \
+		-c ${srcdir}/named-checkconf.c
+
+named-checkzone.@O@: named-checkzone.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+		-DVERSION=\"${VERSION}\" \
+		-c ${srcdir}/named-checkzone.c
+
+named-checkconf@EXEEXT@: named-checkconf.@O@ check-tool.@O@ ${ISCDEPLIBS} \
+		${NSDEPENDLIBS} ${DNSDEPLIBS} ${ISCCFGDEPLIBS} ${BIND9DEPLIBS}
+	export BASEOBJS="named-checkconf.@O@ check-tool.@O@"; \
+	export LIBS0="${BIND9LIBS} ${NSLIBS} ${ISCCFGLIBS} ${DNSLIBS}"; \
+	${FINALBUILDCMD}
+
+named-checkzone@EXEEXT@: named-checkzone.@O@ check-tool.@O@ ${ISCDEPLIBS} \
+		${NSDEPENDLIBS} ${DNSDEPLIBS}
+	export BASEOBJS="named-checkzone.@O@ check-tool.@O@"; \
+	export LIBS0="${NSLIBS} ${ISCCFGLIBS} ${DNSLIBS}"; \
+	${FINALBUILDCMD}
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
+
+install:: named-checkconf@EXEEXT@ named-checkzone@EXEEXT@ installdirs
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkconf@EXEEXT@ ${DESTDIR}${sbindir}
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkzone@EXEEXT@ ${DESTDIR}${sbindir}
+	(cd ${DESTDIR}${sbindir}; rm -f named-compilezone@EXEEXT@; ${LINK_PROGRAM} named-checkzone@EXEEXT@ named-compilezone@EXEEXT@)
+
+uninstall::
+	rm -f ${DESTDIR}${sbindir}/named-compilezone@EXEEXT@
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-checkconf@EXEEXT@
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-checkzone@EXEEXT@
+
+clean distclean::
+	rm -f ${TARGETS} r1.htm
diff --git a/bin/check/check-tool.c b/bin/check/check-tool.c
new file mode 100644
index 0000000..cad2185
--- /dev/null
+++ b/bin/check/check-tool.c
@@ -0,0 +1,812 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdio.h>
+
+#ifdef _WIN32
+#include <Winsock2.h>
+#endif /* ifdef _WIN32 */
+
+#include <isc/buffer.h>
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/net.h>
+#include <isc/netdb.h>
+#include <isc/print.h>
+#include <isc/region.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+#include <isc/symtab.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/fixedname.h>
+#include <dns/log.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/types.h>
+#include <dns/zone.h>
+
+#include <isccfg/log.h>
+
+#include <ns/log.h>
+
+#include "check-tool.h"
+
+#ifndef CHECK_SIBLING
+#define CHECK_SIBLING 1
+#endif /* ifndef CHECK_SIBLING */
+
+#ifndef CHECK_LOCAL
+#define CHECK_LOCAL 1
+#endif /* ifndef CHECK_LOCAL */
+
+#define CHECK(r)                             \
+	do {                                 \
+		result = (r);                \
+		if (result != ISC_R_SUCCESS) \
+			goto cleanup;        \
+	} while (0)
+
+#define ERR_IS_CNAME	   1
+#define ERR_NO_ADDRESSES   2
+#define ERR_LOOKUP_FAILURE 3
+#define ERR_EXTRA_A	   4
+#define ERR_EXTRA_AAAA	   5
+#define ERR_MISSING_GLUE   5
+#define ERR_IS_MXCNAME	   6
+#define ERR_IS_SRVCNAME	   7
+
+static const char *dbtype[] = { "rbt" };
+
+int debug = 0;
+const char *journal = NULL;
+bool nomerge = true;
+#if CHECK_LOCAL
+bool docheckmx = true;
+bool dochecksrv = true;
+bool docheckns = true;
+#else  /* if CHECK_LOCAL */
+bool docheckmx = false;
+bool dochecksrv = false;
+bool docheckns = false;
+#endif /* if CHECK_LOCAL */
+dns_zoneopt_t zone_options = DNS_ZONEOPT_CHECKNS | DNS_ZONEOPT_CHECKMX |
+			     DNS_ZONEOPT_MANYERRORS | DNS_ZONEOPT_CHECKNAMES |
+			     DNS_ZONEOPT_CHECKINTEGRITY |
+#if CHECK_SIBLING
+			     DNS_ZONEOPT_CHECKSIBLING |
+#endif /* if CHECK_SIBLING */
+			     DNS_ZONEOPT_CHECKWILDCARD |
+			     DNS_ZONEOPT_WARNMXCNAME | DNS_ZONEOPT_WARNSRVCNAME;
+
+/*
+ * This needs to match the list in bin/named/log.c.
+ */
+static isc_logcategory_t categories[] = { { "", 0 },
+					  { "unmatched", 0 },
+					  { NULL, 0 } };
+
+static isc_symtab_t *symtab = NULL;
+static isc_mem_t *sym_mctx;
+
+static void
+freekey(char *key, unsigned int type, isc_symvalue_t value, void *userarg) {
+	UNUSED(type);
+	UNUSED(value);
+	isc_mem_free(userarg, key);
+}
+
+static void
+add(char *key, int value) {
+	isc_result_t result;
+	isc_symvalue_t symvalue;
+
+	if (sym_mctx == NULL) {
+		isc_mem_create(&sym_mctx);
+	}
+
+	if (symtab == NULL) {
+		result = isc_symtab_create(sym_mctx, 100, freekey, sym_mctx,
+					   false, &symtab);
+		if (result != ISC_R_SUCCESS) {
+			return;
+		}
+	}
+
+	key = isc_mem_strdup(sym_mctx, key);
+
+	symvalue.as_pointer = NULL;
+	result = isc_symtab_define(symtab, key, value, symvalue,
+				   isc_symexists_reject);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_free(sym_mctx, key);
+	}
+}
+
+static bool
+logged(char *key, int value) {
+	isc_result_t result;
+
+	if (symtab == NULL) {
+		return (false);
+	}
+
+	result = isc_symtab_lookup(symtab, key, value, NULL);
+	if (result == ISC_R_SUCCESS) {
+		return (true);
+	}
+	return (false);
+}
+
+static bool
+checkns(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner,
+	dns_rdataset_t *a, dns_rdataset_t *aaaa) {
+	dns_rdataset_t *rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	struct addrinfo hints, *ai, *cur;
+	char namebuf[DNS_NAME_FORMATSIZE + 1];
+	char ownerbuf[DNS_NAME_FORMATSIZE];
+	char addrbuf[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:123.123.123.123")];
+	bool answer = true;
+	bool match;
+	const char *type;
+	void *ptr = NULL;
+	int result;
+
+	REQUIRE(a == NULL || !dns_rdataset_isassociated(a) ||
+		a->type == dns_rdatatype_a);
+	REQUIRE(aaaa == NULL || !dns_rdataset_isassociated(aaaa) ||
+		aaaa->type == dns_rdatatype_aaaa);
+
+	if (a == NULL || aaaa == NULL) {
+		return (answer);
+	}
+
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_flags = AI_CANONNAME;
+	hints.ai_family = PF_UNSPEC;
+	hints.ai_socktype = SOCK_STREAM;
+	hints.ai_protocol = IPPROTO_TCP;
+
+	dns_name_format(name, namebuf, sizeof(namebuf) - 1);
+	/*
+	 * Turn off search.
+	 */
+	if (dns_name_countlabels(name) > 1U) {
+		strlcat(namebuf, ".", sizeof(namebuf));
+	}
+	dns_name_format(owner, ownerbuf, sizeof(ownerbuf));
+
+	result = getaddrinfo(namebuf, NULL, &hints, &ai);
+	dns_name_format(name, namebuf, sizeof(namebuf) - 1);
+	switch (result) {
+	case 0:
+		/*
+		 * Work around broken getaddrinfo() implementations that
+		 * fail to set ai_canonname on first entry.
+		 */
+		cur = ai;
+		while (cur != NULL && cur->ai_canonname == NULL &&
+		       cur->ai_next != NULL)
+		{
+			cur = cur->ai_next;
+		}
+		if (cur != NULL && cur->ai_canonname != NULL &&
+		    strcasecmp(cur->ai_canonname, namebuf) != 0 &&
+		    !logged(namebuf, ERR_IS_CNAME))
+		{
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "%s/NS '%s' (out of zone) "
+				     "is a CNAME '%s' (illegal)",
+				     ownerbuf, namebuf, cur->ai_canonname);
+			/* XXX950 make fatal for 9.5.0 */
+			/* answer = false; */
+			add(namebuf, ERR_IS_CNAME);
+		}
+		break;
+	case EAI_NONAME:
+#if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
+	case EAI_NODATA:
+#endif /* if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME) */
+		if (!logged(namebuf, ERR_NO_ADDRESSES)) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "%s/NS '%s' (out of zone) "
+				     "has no addresses records (A or AAAA)",
+				     ownerbuf, namebuf);
+			add(namebuf, ERR_NO_ADDRESSES);
+		}
+		/* XXX950 make fatal for 9.5.0 */
+		return (true);
+
+	default:
+		if (!logged(namebuf, ERR_LOOKUP_FAILURE)) {
+			dns_zone_log(zone, ISC_LOG_WARNING,
+				     "getaddrinfo(%s) failed: %s", namebuf,
+				     gai_strerror(result));
+			add(namebuf, ERR_LOOKUP_FAILURE);
+		}
+		return (true);
+	}
+
+	/*
+	 * Check that all glue records really exist.
+	 */
+	if (!dns_rdataset_isassociated(a)) {
+		goto checkaaaa;
+	}
+	result = dns_rdataset_first(a);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdataset_current(a, &rdata);
+		match = false;
+		for (cur = ai; cur != NULL; cur = cur->ai_next) {
+			if (cur->ai_family != AF_INET) {
+				continue;
+			}
+			ptr = &((struct sockaddr_in *)(cur->ai_addr))->sin_addr;
+			if (memcmp(ptr, rdata.data, rdata.length) == 0) {
+				match = true;
+				break;
+			}
+		}
+		if (!match && !logged(namebuf, ERR_EXTRA_A)) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "%s/NS '%s' "
+				     "extra GLUE A record (%s)",
+				     ownerbuf, namebuf,
+				     inet_ntop(AF_INET, rdata.data, addrbuf,
+					       sizeof(addrbuf)));
+			add(namebuf, ERR_EXTRA_A);
+			/* XXX950 make fatal for 9.5.0 */
+			/* answer = false; */
+		}
+		dns_rdata_reset(&rdata);
+		result = dns_rdataset_next(a);
+	}
+
+checkaaaa:
+	if (!dns_rdataset_isassociated(aaaa)) {
+		goto checkmissing;
+	}
+	result = dns_rdataset_first(aaaa);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdataset_current(aaaa, &rdata);
+		match = false;
+		for (cur = ai; cur != NULL; cur = cur->ai_next) {
+			if (cur->ai_family != AF_INET6) {
+				continue;
+			}
+			ptr = &((struct sockaddr_in6 *)(cur->ai_addr))
+				       ->sin6_addr;
+			if (memcmp(ptr, rdata.data, rdata.length) == 0) {
+				match = true;
+				break;
+			}
+		}
+		if (!match && !logged(namebuf, ERR_EXTRA_AAAA)) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "%s/NS '%s' "
+				     "extra GLUE AAAA record (%s)",
+				     ownerbuf, namebuf,
+				     inet_ntop(AF_INET6, rdata.data, addrbuf,
+					       sizeof(addrbuf)));
+			add(namebuf, ERR_EXTRA_AAAA);
+			/* XXX950 make fatal for 9.5.0. */
+			/* answer = false; */
+		}
+		dns_rdata_reset(&rdata);
+		result = dns_rdataset_next(aaaa);
+	}
+
+checkmissing:
+	/*
+	 * Check that all addresses appear in the glue.
+	 */
+	if (!logged(namebuf, ERR_MISSING_GLUE)) {
+		bool missing_glue = false;
+		for (cur = ai; cur != NULL; cur = cur->ai_next) {
+			switch (cur->ai_family) {
+			case AF_INET:
+				rdataset = a;
+				ptr = &((struct sockaddr_in *)(cur->ai_addr))
+					       ->sin_addr;
+				type = "A";
+				break;
+			case AF_INET6:
+				rdataset = aaaa;
+				ptr = &((struct sockaddr_in6 *)(cur->ai_addr))
+					       ->sin6_addr;
+				type = "AAAA";
+				break;
+			default:
+				continue;
+			}
+			match = false;
+			if (dns_rdataset_isassociated(rdataset)) {
+				result = dns_rdataset_first(rdataset);
+			} else {
+				result = ISC_R_FAILURE;
+			}
+			while (result == ISC_R_SUCCESS && !match) {
+				dns_rdataset_current(rdataset, &rdata);
+				if (memcmp(ptr, rdata.data, rdata.length) == 0)
+				{
+					match = true;
+				}
+				dns_rdata_reset(&rdata);
+				result = dns_rdataset_next(rdataset);
+			}
+			if (!match) {
+				dns_zone_log(zone, ISC_LOG_ERROR,
+					     "%s/NS '%s' "
+					     "missing GLUE %s record (%s)",
+					     ownerbuf, namebuf, type,
+					     inet_ntop(cur->ai_family, ptr,
+						       addrbuf,
+						       sizeof(addrbuf)));
+				/* XXX950 make fatal for 9.5.0. */
+				/* answer = false; */
+				missing_glue = true;
+			}
+		}
+		if (missing_glue) {
+			add(namebuf, ERR_MISSING_GLUE);
+		}
+	}
+	freeaddrinfo(ai);
+	return (answer);
+}
+
+static bool
+checkmx(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner) {
+	struct addrinfo hints, *ai, *cur;
+	char namebuf[DNS_NAME_FORMATSIZE + 1];
+	char ownerbuf[DNS_NAME_FORMATSIZE];
+	int result;
+	int level = ISC_LOG_ERROR;
+	bool answer = true;
+
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_flags = AI_CANONNAME;
+	hints.ai_family = PF_UNSPEC;
+	hints.ai_socktype = SOCK_STREAM;
+	hints.ai_protocol = IPPROTO_TCP;
+
+	dns_name_format(name, namebuf, sizeof(namebuf) - 1);
+	/*
+	 * Turn off search.
+	 */
+	if (dns_name_countlabels(name) > 1U) {
+		strlcat(namebuf, ".", sizeof(namebuf));
+	}
+	dns_name_format(owner, ownerbuf, sizeof(ownerbuf));
+
+	result = getaddrinfo(namebuf, NULL, &hints, &ai);
+	dns_name_format(name, namebuf, sizeof(namebuf) - 1);
+	switch (result) {
+	case 0:
+		/*
+		 * Work around broken getaddrinfo() implementations that
+		 * fail to set ai_canonname on first entry.
+		 */
+		cur = ai;
+		while (cur != NULL && cur->ai_canonname == NULL &&
+		       cur->ai_next != NULL)
+		{
+			cur = cur->ai_next;
+		}
+		if (cur != NULL && cur->ai_canonname != NULL &&
+		    strcasecmp(cur->ai_canonname, namebuf) != 0)
+		{
+			if ((zone_options & DNS_ZONEOPT_WARNMXCNAME) != 0) {
+				level = ISC_LOG_WARNING;
+			}
+			if ((zone_options & DNS_ZONEOPT_IGNOREMXCNAME) == 0) {
+				if (!logged(namebuf, ERR_IS_MXCNAME)) {
+					dns_zone_log(zone, level,
+						     "%s/MX '%s' (out of zone)"
+						     " is a CNAME '%s' "
+						     "(illegal)",
+						     ownerbuf, namebuf,
+						     cur->ai_canonname);
+					add(namebuf, ERR_IS_MXCNAME);
+				}
+				if (level == ISC_LOG_ERROR) {
+					answer = false;
+				}
+			}
+		}
+		freeaddrinfo(ai);
+		return (answer);
+
+	case EAI_NONAME:
+#if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
+	case EAI_NODATA:
+#endif /* if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME) */
+		if (!logged(namebuf, ERR_NO_ADDRESSES)) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "%s/MX '%s' (out of zone) "
+				     "has no addresses records (A or AAAA)",
+				     ownerbuf, namebuf);
+			add(namebuf, ERR_NO_ADDRESSES);
+		}
+		/* XXX950 make fatal for 9.5.0. */
+		return (true);
+
+	default:
+		if (!logged(namebuf, ERR_LOOKUP_FAILURE)) {
+			dns_zone_log(zone, ISC_LOG_WARNING,
+				     "getaddrinfo(%s) failed: %s", namebuf,
+				     gai_strerror(result));
+			add(namebuf, ERR_LOOKUP_FAILURE);
+		}
+		return (true);
+	}
+}
+
+static bool
+checksrv(dns_zone_t *zone, const dns_name_t *name, const dns_name_t *owner) {
+	struct addrinfo hints, *ai, *cur;
+	char namebuf[DNS_NAME_FORMATSIZE + 1];
+	char ownerbuf[DNS_NAME_FORMATSIZE];
+	int result;
+	int level = ISC_LOG_ERROR;
+	bool answer = true;
+
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_flags = AI_CANONNAME;
+	hints.ai_family = PF_UNSPEC;
+	hints.ai_socktype = SOCK_STREAM;
+	hints.ai_protocol = IPPROTO_TCP;
+
+	dns_name_format(name, namebuf, sizeof(namebuf) - 1);
+	/*
+	 * Turn off search.
+	 */
+	if (dns_name_countlabels(name) > 1U) {
+		strlcat(namebuf, ".", sizeof(namebuf));
+	}
+	dns_name_format(owner, ownerbuf, sizeof(ownerbuf));
+
+	result = getaddrinfo(namebuf, NULL, &hints, &ai);
+	dns_name_format(name, namebuf, sizeof(namebuf) - 1);
+	switch (result) {
+	case 0:
+		/*
+		 * Work around broken getaddrinfo() implementations that
+		 * fail to set ai_canonname on first entry.
+		 */
+		cur = ai;
+		while (cur != NULL && cur->ai_canonname == NULL &&
+		       cur->ai_next != NULL)
+		{
+			cur = cur->ai_next;
+		}
+		if (cur != NULL && cur->ai_canonname != NULL &&
+		    strcasecmp(cur->ai_canonname, namebuf) != 0)
+		{
+			if ((zone_options & DNS_ZONEOPT_WARNSRVCNAME) != 0) {
+				level = ISC_LOG_WARNING;
+			}
+			if ((zone_options & DNS_ZONEOPT_IGNORESRVCNAME) == 0) {
+				if (!logged(namebuf, ERR_IS_SRVCNAME)) {
+					dns_zone_log(zone, level,
+						     "%s/SRV '%s'"
+						     " (out of zone) is a "
+						     "CNAME '%s' (illegal)",
+						     ownerbuf, namebuf,
+						     cur->ai_canonname);
+					add(namebuf, ERR_IS_SRVCNAME);
+				}
+				if (level == ISC_LOG_ERROR) {
+					answer = false;
+				}
+			}
+		}
+		freeaddrinfo(ai);
+		return (answer);
+
+	case EAI_NONAME:
+#if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
+	case EAI_NODATA:
+#endif /* if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME) */
+		if (!logged(namebuf, ERR_NO_ADDRESSES)) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "%s/SRV '%s' (out of zone) "
+				     "has no addresses records (A or AAAA)",
+				     ownerbuf, namebuf);
+			add(namebuf, ERR_NO_ADDRESSES);
+		}
+		/* XXX950 make fatal for 9.5.0. */
+		return (true);
+
+	default:
+		if (!logged(namebuf, ERR_LOOKUP_FAILURE)) {
+			dns_zone_log(zone, ISC_LOG_WARNING,
+				     "getaddrinfo(%s) failed: %s", namebuf,
+				     gai_strerror(result));
+			add(namebuf, ERR_LOOKUP_FAILURE);
+		}
+		return (true);
+	}
+}
+
+isc_result_t
+setup_logging(isc_mem_t *mctx, FILE *errout, isc_log_t **logp) {
+	isc_logdestination_t destination;
+	isc_logconfig_t *logconfig = NULL;
+	isc_log_t *log = NULL;
+
+	isc_log_create(mctx, &log, &logconfig);
+	isc_log_registercategories(log, categories);
+	isc_log_setcontext(log);
+	dns_log_init(log);
+	dns_log_setcontext(log);
+	cfg_log_init(log);
+	ns_log_init(log);
+
+	destination.file.stream = errout;
+	destination.file.name = NULL;
+	destination.file.versions = ISC_LOG_ROLLNEVER;
+	destination.file.maximum_size = 0;
+	isc_log_createchannel(logconfig, "stderr", ISC_LOG_TOFILEDESC,
+			      ISC_LOG_DYNAMIC, &destination, 0);
+
+	RUNTIME_CHECK(isc_log_usechannel(logconfig, "stderr", NULL, NULL) ==
+		      ISC_R_SUCCESS);
+
+	*logp = log;
+	return (ISC_R_SUCCESS);
+}
+
+/*% scan the zone for oversize TTLs */
+static isc_result_t
+check_ttls(dns_zone_t *zone, dns_ttl_t maxttl) {
+	isc_result_t result;
+	dns_db_t *db = NULL;
+	dns_dbversion_t *version = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_dbiterator_t *dbiter = NULL;
+	dns_rdatasetiter_t *rdsiter = NULL;
+	dns_rdataset_t rdataset;
+	dns_fixedname_t fname;
+	dns_name_t *name;
+	name = dns_fixedname_initname(&fname);
+	dns_rdataset_init(&rdataset);
+
+	CHECK(dns_zone_getdb(zone, &db));
+	INSIST(db != NULL);
+
+	CHECK(dns_db_newversion(db, &version));
+	CHECK(dns_db_createiterator(db, 0, &dbiter));
+
+	for (result = dns_dbiterator_first(dbiter); result == ISC_R_SUCCESS;
+	     result = dns_dbiterator_next(dbiter))
+	{
+		result = dns_dbiterator_current(dbiter, &node, name);
+		if (result == DNS_R_NEWORIGIN) {
+			result = ISC_R_SUCCESS;
+		}
+		CHECK(result);
+
+		CHECK(dns_db_allrdatasets(db, node, version, 0, 0, &rdsiter));
+		for (result = dns_rdatasetiter_first(rdsiter);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdatasetiter_next(rdsiter))
+		{
+			dns_rdatasetiter_current(rdsiter, &rdataset);
+			if (rdataset.ttl > maxttl) {
+				char nbuf[DNS_NAME_FORMATSIZE];
+				char tbuf[255];
+				isc_buffer_t b;
+				isc_region_t r;
+
+				dns_name_format(name, nbuf, sizeof(nbuf));
+				isc_buffer_init(&b, tbuf, sizeof(tbuf) - 1);
+				CHECK(dns_rdatatype_totext(rdataset.type, &b));
+				isc_buffer_usedregion(&b, &r);
+				r.base[r.length] = 0;
+
+				dns_zone_log(zone, ISC_LOG_ERROR,
+					     "%s/%s TTL %d exceeds "
+					     "maximum TTL %d",
+					     nbuf, tbuf, rdataset.ttl, maxttl);
+				dns_rdataset_disassociate(&rdataset);
+				CHECK(ISC_R_RANGE);
+			}
+			dns_rdataset_disassociate(&rdataset);
+		}
+		if (result == ISC_R_NOMORE) {
+			result = ISC_R_SUCCESS;
+		}
+		CHECK(result);
+
+		dns_rdatasetiter_destroy(&rdsiter);
+		dns_db_detachnode(db, &node);
+	}
+
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+	}
+
+cleanup:
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+	if (rdsiter != NULL) {
+		dns_rdatasetiter_destroy(&rdsiter);
+	}
+	if (dbiter != NULL) {
+		dns_dbiterator_destroy(&dbiter);
+	}
+	if (version != NULL) {
+		dns_db_closeversion(db, &version, false);
+	}
+	if (db != NULL) {
+		dns_db_detach(&db);
+	}
+
+	return (result);
+}
+
+/*% load the zone */
+isc_result_t
+load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
+	  dns_masterformat_t fileformat, const char *classname,
+	  dns_ttl_t maxttl, dns_zone_t **zonep) {
+	isc_result_t result;
+	dns_rdataclass_t rdclass;
+	isc_textregion_t region;
+	isc_buffer_t buffer;
+	dns_fixedname_t fixorigin;
+	dns_name_t *origin;
+	dns_zone_t *zone = NULL;
+
+	REQUIRE(zonep == NULL || *zonep == NULL);
+
+	if (debug) {
+		fprintf(stderr, "loading \"%s\" from \"%s\" class \"%s\"\n",
+			zonename, filename, classname);
+	}
+
+	CHECK(dns_zone_create(&zone, mctx));
+
+	dns_zone_settype(zone, dns_zone_primary);
+
+	isc_buffer_constinit(&buffer, zonename, strlen(zonename));
+	isc_buffer_add(&buffer, strlen(zonename));
+	origin = dns_fixedname_initname(&fixorigin);
+	CHECK(dns_name_fromtext(origin, &buffer, dns_rootname, 0, NULL));
+	CHECK(dns_zone_setorigin(zone, origin));
+	dns_zone_setdbtype(zone, 1, (const char *const *)dbtype);
+	CHECK(dns_zone_setfile(zone, filename, fileformat,
+			       &dns_master_style_default));
+	if (journal != NULL) {
+		CHECK(dns_zone_setjournal(zone, journal));
+	}
+
+	DE_CONST(classname, region.base);
+	region.length = strlen(classname);
+	CHECK(dns_rdataclass_fromtext(&rdclass, &region));
+
+	dns_zone_setclass(zone, rdclass);
+	dns_zone_setoption(zone, zone_options, true);
+	dns_zone_setoption(zone, DNS_ZONEOPT_NOMERGE, nomerge);
+
+	dns_zone_setmaxttl(zone, maxttl);
+
+	if (docheckmx) {
+		dns_zone_setcheckmx(zone, checkmx);
+	}
+	if (docheckns) {
+		dns_zone_setcheckns(zone, checkns);
+	}
+	if (dochecksrv) {
+		dns_zone_setchecksrv(zone, checksrv);
+	}
+
+	CHECK(dns_zone_load(zone, false));
+
+	/*
+	 * When loading map files we can't catch oversize TTLs during
+	 * load, so we check for them here.
+	 */
+	if (fileformat == dns_masterformat_map && maxttl != 0) {
+		CHECK(check_ttls(zone, maxttl));
+	}
+
+	if (zonep != NULL) {
+		*zonep = zone;
+		zone = NULL;
+	}
+
+cleanup:
+	if (zone != NULL) {
+		dns_zone_detach(&zone);
+	}
+	return (result);
+}
+
+/*% dump the zone */
+isc_result_t
+dump_zone(const char *zonename, dns_zone_t *zone, const char *filename,
+	  dns_masterformat_t fileformat, const dns_master_style_t *style,
+	  const uint32_t rawversion) {
+	isc_result_t result;
+	FILE *output = stdout;
+	const char *flags;
+
+	flags = (fileformat == dns_masterformat_text) ? "w" : "wb";
+
+	if (debug) {
+		if (filename != NULL && strcmp(filename, "-") != 0) {
+			fprintf(stderr, "dumping \"%s\" to \"%s\"\n", zonename,
+				filename);
+		} else {
+			fprintf(stderr, "dumping \"%s\"\n", zonename);
+		}
+	}
+
+	if (filename != NULL && strcmp(filename, "-") != 0) {
+		result = isc_stdio_open(filename, flags, &output);
+
+		if (result != ISC_R_SUCCESS) {
+			fprintf(stderr,
+				"could not open output "
+				"file \"%s\" for writing\n",
+				filename);
+			return (ISC_R_FAILURE);
+		}
+	}
+
+	result = dns_zone_dumptostream(zone, output, fileformat, style,
+				       rawversion);
+	if (output != stdout) {
+		(void)isc_stdio_close(output);
+	}
+
+	return (result);
+}
+
+#ifdef _WIN32
+void
+InitSockets(void) {
+	WORD wVersionRequested;
+	WSADATA wsaData;
+	int err;
+
+	wVersionRequested = MAKEWORD(2, 0);
+
+	err = WSAStartup(wVersionRequested, &wsaData);
+	if (err != 0) {
+		fprintf(stderr, "WSAStartup() failed: %d\n", err);
+		exit(1);
+	}
+}
+
+void
+DestroySockets(void) {
+	WSACleanup();
+}
+#endif /* ifdef _WIN32 */
diff --git a/bin/check/check-tool.h b/bin/check/check-tool.h
new file mode 100644
index 0000000..735ad43
--- /dev/null
+++ b/bin/check/check-tool.h
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef CHECK_TOOL_H
+#define CHECK_TOOL_H
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/stdio.h>
+#include <isc/types.h>
+
+#include <dns/masterdump.h>
+#include <dns/types.h>
+#include <dns/zone.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+setup_logging(isc_mem_t *mctx, FILE *errout, isc_log_t **logp);
+
+isc_result_t
+load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
+	  dns_masterformat_t fileformat, const char *classname,
+	  dns_ttl_t maxttl, dns_zone_t **zonep);
+
+isc_result_t
+dump_zone(const char *zonename, dns_zone_t *zone, const char *filename,
+	  dns_masterformat_t fileformat, const dns_master_style_t *style,
+	  const uint32_t rawversion);
+
+#ifdef _WIN32
+void
+InitSockets(void);
+void
+DestroySockets(void);
+#endif /* ifdef _WIN32 */
+
+extern int debug;
+extern const char *journal;
+extern bool nomerge;
+extern bool docheckmx;
+extern bool docheckns;
+extern bool dochecksrv;
+extern dns_zoneopt_t zone_options;
+
+ISC_LANG_ENDDECLS
+
+#endif /* ifndef CHECK_TOOL_H */
diff --git a/bin/check/named-checkconf.c b/bin/check/named-checkconf.c
new file mode 100644
index 0000000..9e54d34
--- /dev/null
+++ b/bin/check/named-checkconf.c
@@ -0,0 +1,771 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <errno.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <isc/commandline.h>
+#include <isc/dir.h>
+#include <isc/hash.h>
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/fixedname.h>
+#include <dns/log.h>
+#include <dns/name.h>
+#include <dns/rdataclass.h>
+#include <dns/result.h>
+#include <dns/rootns.h>
+#include <dns/zone.h>
+
+#include <isccfg/grammar.h>
+#include <isccfg/namedconf.h>
+
+#include <bind9/check.h>
+
+#include "check-tool.h"
+
+static const char *program = "named-checkconf";
+
+static bool loadplugins = true;
+
+isc_log_t *logc = NULL;
+
+#define CHECK(r)                             \
+	do {                                 \
+		result = (r);                \
+		if (result != ISC_R_SUCCESS) \
+			goto cleanup;        \
+	} while (0)
+
+/*% usage */
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(void) {
+	fprintf(stderr,
+		"usage: %s [-chijlvz] [-p [-x]] [-t directory] "
+		"[named.conf]\n",
+		program);
+	exit(1);
+}
+
+/*% directory callback */
+static isc_result_t
+directory_callback(const char *clausename, const cfg_obj_t *obj, void *arg) {
+	isc_result_t result;
+	const char *directory;
+
+	REQUIRE(strcasecmp("directory", clausename) == 0);
+
+	UNUSED(arg);
+	UNUSED(clausename);
+
+	/*
+	 * Change directory.
+	 */
+	directory = cfg_obj_asstring(obj);
+	result = isc_dir_chdir(directory);
+	if (result != ISC_R_SUCCESS) {
+		cfg_obj_log(obj, logc, ISC_LOG_ERROR,
+			    "change directory to '%s' failed: %s\n", directory,
+			    isc_result_totext(result));
+		return (result);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static bool
+get_maps(const cfg_obj_t **maps, const char *name, const cfg_obj_t **obj) {
+	int i;
+	for (i = 0;; i++) {
+		if (maps[i] == NULL) {
+			return (false);
+		}
+		if (cfg_map_get(maps[i], name, obj) == ISC_R_SUCCESS) {
+			return (true);
+		}
+	}
+}
+
+static bool
+get_checknames(const cfg_obj_t **maps, const cfg_obj_t **obj) {
+	const cfg_listelt_t *element;
+	const cfg_obj_t *checknames;
+	const cfg_obj_t *type;
+	const cfg_obj_t *value;
+	isc_result_t result;
+	int i;
+
+	for (i = 0;; i++) {
+		if (maps[i] == NULL) {
+			return (false);
+		}
+		checknames = NULL;
+		result = cfg_map_get(maps[i], "check-names", &checknames);
+		if (result != ISC_R_SUCCESS) {
+			continue;
+		}
+		if (checknames != NULL && !cfg_obj_islist(checknames)) {
+			*obj = checknames;
+			return (true);
+		}
+		for (element = cfg_list_first(checknames); element != NULL;
+		     element = cfg_list_next(element))
+		{
+			value = cfg_listelt_value(element);
+			type = cfg_tuple_get(value, "type");
+			if ((strcasecmp(cfg_obj_asstring(type), "primary") !=
+			     0) &&
+			    (strcasecmp(cfg_obj_asstring(type), "master") != 0))
+			{
+				continue;
+			}
+			*obj = cfg_tuple_get(value, "mode");
+			return (true);
+		}
+	}
+}
+
+static isc_result_t
+configure_hint(const char *zfile, const char *zclass, isc_mem_t *mctx) {
+	isc_result_t result;
+	dns_db_t *db = NULL;
+	dns_rdataclass_t rdclass;
+	isc_textregion_t r;
+
+	if (zfile == NULL) {
+		return (ISC_R_FAILURE);
+	}
+
+	DE_CONST(zclass, r.base);
+	r.length = strlen(zclass);
+	result = dns_rdataclass_fromtext(&rdclass, &r);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = dns_rootns_create(mctx, rdclass, zfile, &db);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	dns_db_detach(&db);
+	return (ISC_R_SUCCESS);
+}
+
+/*% configure the zone */
+static isc_result_t
+configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig,
+	       const cfg_obj_t *vconfig, const cfg_obj_t *config,
+	       isc_mem_t *mctx, bool list) {
+	int i = 0;
+	isc_result_t result;
+	const char *zclass;
+	const char *zname;
+	const char *zfile = NULL;
+	const cfg_obj_t *maps[4];
+	const cfg_obj_t *primariesobj = NULL;
+	const cfg_obj_t *inviewobj = NULL;
+	const cfg_obj_t *zoptions = NULL;
+	const cfg_obj_t *classobj = NULL;
+	const cfg_obj_t *typeobj = NULL;
+	const cfg_obj_t *fileobj = NULL;
+	const cfg_obj_t *dlzobj = NULL;
+	const cfg_obj_t *dbobj = NULL;
+	const cfg_obj_t *obj = NULL;
+	const cfg_obj_t *fmtobj = NULL;
+	dns_masterformat_t masterformat;
+	dns_ttl_t maxttl = 0;
+
+	zone_options = DNS_ZONEOPT_CHECKNS | DNS_ZONEOPT_MANYERRORS;
+
+	zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
+	classobj = cfg_tuple_get(zconfig, "class");
+	if (!cfg_obj_isstring(classobj)) {
+		zclass = vclass;
+	} else {
+		zclass = cfg_obj_asstring(classobj);
+	}
+
+	zoptions = cfg_tuple_get(zconfig, "options");
+	maps[i++] = zoptions;
+	if (vconfig != NULL) {
+		maps[i++] = cfg_tuple_get(vconfig, "options");
+	}
+	if (config != NULL) {
+		cfg_map_get(config, "options", &obj);
+		if (obj != NULL) {
+			maps[i++] = obj;
+		}
+	}
+	maps[i] = NULL;
+
+	cfg_map_get(zoptions, "in-view", &inviewobj);
+	if (inviewobj != NULL && list) {
+		const char *inview = cfg_obj_asstring(inviewobj);
+		printf("%s %s %s in-view %s\n", zname, zclass, view, inview);
+	}
+	if (inviewobj != NULL) {
+		return (ISC_R_SUCCESS);
+	}
+
+	cfg_map_get(zoptions, "type", &typeobj);
+	if (typeobj == NULL) {
+		return (ISC_R_FAILURE);
+	}
+
+	if (list) {
+		const char *ztype = cfg_obj_asstring(typeobj);
+		printf("%s %s %s %s\n", zname, zclass, view, ztype);
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * Skip checks when using an alternate data source.
+	 */
+	cfg_map_get(zoptions, "database", &dbobj);
+	if (dbobj != NULL && strcmp("rbt", cfg_obj_asstring(dbobj)) != 0 &&
+	    strcmp("rbt64", cfg_obj_asstring(dbobj)) != 0)
+	{
+		return (ISC_R_SUCCESS);
+	}
+
+	cfg_map_get(zoptions, "dlz", &dlzobj);
+	if (dlzobj != NULL) {
+		return (ISC_R_SUCCESS);
+	}
+
+	cfg_map_get(zoptions, "file", &fileobj);
+	if (fileobj != NULL) {
+		zfile = cfg_obj_asstring(fileobj);
+	}
+
+	/*
+	 * Check hints files for hint zones.
+	 * Skip loading checks for any type other than
+	 * master and redirect
+	 */
+	if (strcasecmp(cfg_obj_asstring(typeobj), "hint") == 0) {
+		return (configure_hint(zfile, zclass, mctx));
+	} else if ((strcasecmp(cfg_obj_asstring(typeobj), "primary") != 0) &&
+		   (strcasecmp(cfg_obj_asstring(typeobj), "master") != 0) &&
+		   (strcasecmp(cfg_obj_asstring(typeobj), "redirect") != 0))
+	{
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * Is the redirect zone configured as a slave?
+	 */
+	if (strcasecmp(cfg_obj_asstring(typeobj), "redirect") == 0) {
+		cfg_map_get(zoptions, "primaries", &primariesobj);
+		if (primariesobj == NULL) {
+			cfg_map_get(zoptions, "masters", &primariesobj);
+		}
+
+		if (primariesobj != NULL) {
+			return (ISC_R_SUCCESS);
+		}
+	}
+
+	if (zfile == NULL) {
+		return (ISC_R_FAILURE);
+	}
+
+	obj = NULL;
+	if (get_maps(maps, "check-dup-records", &obj)) {
+		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
+			zone_options |= DNS_ZONEOPT_CHECKDUPRR;
+			zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
+			zone_options |= DNS_ZONEOPT_CHECKDUPRR;
+			zone_options |= DNS_ZONEOPT_CHECKDUPRRFAIL;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
+			zone_options &= ~DNS_ZONEOPT_CHECKDUPRR;
+			zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL;
+		} else {
+			UNREACHABLE();
+		}
+	} else {
+		zone_options |= DNS_ZONEOPT_CHECKDUPRR;
+		zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL;
+	}
+
+	obj = NULL;
+	if (get_maps(maps, "check-mx", &obj)) {
+		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
+			zone_options |= DNS_ZONEOPT_CHECKMX;
+			zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
+			zone_options |= DNS_ZONEOPT_CHECKMX;
+			zone_options |= DNS_ZONEOPT_CHECKMXFAIL;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
+			zone_options &= ~DNS_ZONEOPT_CHECKMX;
+			zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL;
+		} else {
+			UNREACHABLE();
+		}
+	} else {
+		zone_options |= DNS_ZONEOPT_CHECKMX;
+		zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL;
+	}
+
+	obj = NULL;
+	if (get_maps(maps, "check-integrity", &obj)) {
+		if (cfg_obj_asboolean(obj)) {
+			zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
+		} else {
+			zone_options &= ~DNS_ZONEOPT_CHECKINTEGRITY;
+		}
+	} else {
+		zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
+	}
+
+	obj = NULL;
+	if (get_maps(maps, "check-mx-cname", &obj)) {
+		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
+			zone_options |= DNS_ZONEOPT_WARNMXCNAME;
+			zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
+			zone_options &= ~DNS_ZONEOPT_WARNMXCNAME;
+			zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
+			zone_options |= DNS_ZONEOPT_WARNMXCNAME;
+			zone_options |= DNS_ZONEOPT_IGNOREMXCNAME;
+		} else {
+			UNREACHABLE();
+		}
+	} else {
+		zone_options |= DNS_ZONEOPT_WARNMXCNAME;
+		zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
+	}
+
+	obj = NULL;
+	if (get_maps(maps, "check-srv-cname", &obj)) {
+		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
+			zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
+			zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
+			zone_options &= ~DNS_ZONEOPT_WARNSRVCNAME;
+			zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
+			zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
+			zone_options |= DNS_ZONEOPT_IGNORESRVCNAME;
+		} else {
+			UNREACHABLE();
+		}
+	} else {
+		zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
+		zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
+	}
+
+	obj = NULL;
+	if (get_maps(maps, "check-sibling", &obj)) {
+		if (cfg_obj_asboolean(obj)) {
+			zone_options |= DNS_ZONEOPT_CHECKSIBLING;
+		} else {
+			zone_options &= ~DNS_ZONEOPT_CHECKSIBLING;
+		}
+	}
+
+	obj = NULL;
+	if (get_maps(maps, "check-spf", &obj)) {
+		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
+			zone_options |= DNS_ZONEOPT_CHECKSPF;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
+			zone_options &= ~DNS_ZONEOPT_CHECKSPF;
+		} else {
+			UNREACHABLE();
+		}
+	} else {
+		zone_options |= DNS_ZONEOPT_CHECKSPF;
+	}
+
+	obj = NULL;
+	if (get_maps(maps, "check-wildcard", &obj)) {
+		if (cfg_obj_asboolean(obj)) {
+			zone_options |= DNS_ZONEOPT_CHECKWILDCARD;
+		} else {
+			zone_options &= ~DNS_ZONEOPT_CHECKWILDCARD;
+		}
+	} else {
+		zone_options |= DNS_ZONEOPT_CHECKWILDCARD;
+	}
+
+	obj = NULL;
+	if (get_checknames(maps, &obj)) {
+		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
+			zone_options |= DNS_ZONEOPT_CHECKNAMES;
+			zone_options &= ~DNS_ZONEOPT_CHECKNAMESFAIL;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
+			zone_options |= DNS_ZONEOPT_CHECKNAMES;
+			zone_options |= DNS_ZONEOPT_CHECKNAMESFAIL;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
+			zone_options &= ~DNS_ZONEOPT_CHECKNAMES;
+			zone_options &= ~DNS_ZONEOPT_CHECKNAMESFAIL;
+		} else {
+			UNREACHABLE();
+		}
+	} else {
+		zone_options |= DNS_ZONEOPT_CHECKNAMES;
+		zone_options |= DNS_ZONEOPT_CHECKNAMESFAIL;
+	}
+
+	masterformat = dns_masterformat_text;
+	fmtobj = NULL;
+	if (get_maps(maps, "masterfile-format", &fmtobj)) {
+		const char *masterformatstr = cfg_obj_asstring(fmtobj);
+		if (strcasecmp(masterformatstr, "text") == 0) {
+			masterformat = dns_masterformat_text;
+		} else if (strcasecmp(masterformatstr, "raw") == 0) {
+			masterformat = dns_masterformat_raw;
+		} else if (strcasecmp(masterformatstr, "map") == 0) {
+			masterformat = dns_masterformat_map;
+		} else {
+			UNREACHABLE();
+		}
+	}
+
+	obj = NULL;
+	if (get_maps(maps, "max-zone-ttl", &obj)) {
+		maxttl = cfg_obj_asduration(obj);
+		zone_options |= DNS_ZONEOPT_CHECKTTL;
+	}
+
+	result = load_zone(mctx, zname, zfile, masterformat, zclass, maxttl,
+			   NULL);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "%s/%s/%s: %s\n", view, zname, zclass,
+			dns_result_totext(result));
+	}
+	return (result);
+}
+
+/*% configure a view */
+static isc_result_t
+configure_view(const char *vclass, const char *view, const cfg_obj_t *config,
+	       const cfg_obj_t *vconfig, isc_mem_t *mctx, bool list) {
+	const cfg_listelt_t *element;
+	const cfg_obj_t *voptions;
+	const cfg_obj_t *zonelist;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult;
+
+	voptions = NULL;
+	if (vconfig != NULL) {
+		voptions = cfg_tuple_get(vconfig, "options");
+	}
+
+	zonelist = NULL;
+	if (voptions != NULL) {
+		(void)cfg_map_get(voptions, "zone", &zonelist);
+	} else {
+		(void)cfg_map_get(config, "zone", &zonelist);
+	}
+
+	for (element = cfg_list_first(zonelist); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		const cfg_obj_t *zconfig = cfg_listelt_value(element);
+		tresult = configure_zone(vclass, view, zconfig, vconfig, config,
+					 mctx, list);
+		if (tresult != ISC_R_SUCCESS) {
+			result = tresult;
+		}
+	}
+	return (result);
+}
+
+static isc_result_t
+config_getclass(const cfg_obj_t *classobj, dns_rdataclass_t defclass,
+		dns_rdataclass_t *classp) {
+	isc_textregion_t r;
+
+	if (!cfg_obj_isstring(classobj)) {
+		*classp = defclass;
+		return (ISC_R_SUCCESS);
+	}
+	DE_CONST(cfg_obj_asstring(classobj), r.base);
+	r.length = strlen(r.base);
+	return (dns_rdataclass_fromtext(classp, &r));
+}
+
+/*% load zones from the configuration */
+static isc_result_t
+load_zones_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx,
+		      bool list_zones) {
+	const cfg_listelt_t *element;
+	const cfg_obj_t *views;
+	const cfg_obj_t *vconfig;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult;
+
+	views = NULL;
+
+	(void)cfg_map_get(config, "view", &views);
+	for (element = cfg_list_first(views); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		const cfg_obj_t *classobj;
+		dns_rdataclass_t viewclass;
+		const char *vname;
+		char buf[sizeof("CLASS65535")];
+
+		vconfig = cfg_listelt_value(element);
+		if (vconfig == NULL) {
+			continue;
+		}
+
+		classobj = cfg_tuple_get(vconfig, "class");
+		tresult = config_getclass(classobj, dns_rdataclass_in,
+					  &viewclass);
+		if (tresult != ISC_R_SUCCESS) {
+			CHECK(tresult);
+		}
+
+		if (dns_rdataclass_ismeta(viewclass)) {
+			CHECK(ISC_R_FAILURE);
+		}
+
+		dns_rdataclass_format(viewclass, buf, sizeof(buf));
+		vname = cfg_obj_asstring(cfg_tuple_get(vconfig, "name"));
+		tresult = configure_view(buf, vname, config, vconfig, mctx,
+					 list_zones);
+		if (tresult != ISC_R_SUCCESS) {
+			result = tresult;
+		}
+	}
+
+	if (views == NULL) {
+		tresult = configure_view("IN", "_default", config, NULL, mctx,
+					 list_zones);
+		if (tresult != ISC_R_SUCCESS) {
+			result = tresult;
+		}
+	}
+
+cleanup:
+	return (result);
+}
+
+static void
+output(void *closure, const char *text, int textlen) {
+	UNUSED(closure);
+	if (fwrite(text, 1, textlen, stdout) != (size_t)textlen) {
+		perror("fwrite");
+		exit(1);
+	}
+}
+
+/*% The main processing routine */
+int
+main(int argc, char **argv) {
+	int c;
+	cfg_parser_t *parser = NULL;
+	cfg_obj_t *config = NULL;
+	const char *conffile = NULL;
+	isc_mem_t *mctx = NULL;
+	isc_result_t result;
+	int exit_status = 0;
+	bool load_zones = false;
+	bool list_zones = false;
+	bool print = false;
+	bool nodeprecate = false;
+	unsigned int flags = 0;
+
+	isc_commandline_errprint = false;
+
+	/*
+	 * Process memory debugging argument first.
+	 */
+#define CMDLINE_FLAGS "cdhijlm:t:pvxz"
+	while ((c = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
+		switch (c) {
+		case 'm':
+			if (strcasecmp(isc_commandline_argument, "record") == 0)
+			{
+				isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
+			}
+			if (strcasecmp(isc_commandline_argument, "trace") == 0)
+			{
+				isc_mem_debugging |= ISC_MEM_DEBUGTRACE;
+			}
+			if (strcasecmp(isc_commandline_argument, "usage") == 0)
+			{
+				isc_mem_debugging |= ISC_MEM_DEBUGUSAGE;
+			}
+			if (strcasecmp(isc_commandline_argument, "size") == 0) {
+				isc_mem_debugging |= ISC_MEM_DEBUGSIZE;
+			}
+			if (strcasecmp(isc_commandline_argument, "mctx") == 0) {
+				isc_mem_debugging |= ISC_MEM_DEBUGCTX;
+			}
+			break;
+		default:
+			break;
+		}
+	}
+	isc_commandline_reset = true;
+
+	isc_mem_create(&mctx);
+
+	while ((c = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != EOF) {
+		switch (c) {
+		case 'c':
+			loadplugins = false;
+			break;
+
+		case 'd':
+			debug++;
+			break;
+
+		case 'i':
+			nodeprecate = true;
+			break;
+
+		case 'j':
+			nomerge = false;
+			break;
+
+		case 'l':
+			list_zones = true;
+			break;
+
+		case 'm':
+			break;
+
+		case 't':
+			result = isc_dir_chroot(isc_commandline_argument);
+			if (result != ISC_R_SUCCESS) {
+				fprintf(stderr, "isc_dir_chroot: %s\n",
+					isc_result_totext(result));
+				exit(1);
+			}
+			break;
+
+		case 'p':
+			print = true;
+			break;
+
+		case 'v':
+			printf(VERSION "\n");
+			exit(0);
+
+		case 'x':
+			flags |= CFG_PRINTER_XKEY;
+			break;
+
+		case 'z':
+			load_zones = true;
+			docheckmx = false;
+			docheckns = false;
+			dochecksrv = false;
+			break;
+
+		case '?':
+			if (isc_commandline_option != '?') {
+				fprintf(stderr, "%s: invalid argument -%c\n",
+					program, isc_commandline_option);
+			}
+			FALLTHROUGH;
+		case 'h':
+			usage();
+
+		default:
+			fprintf(stderr, "%s: unhandled option -%c\n", program,
+				isc_commandline_option);
+			exit(1);
+		}
+	}
+
+	if (((flags & CFG_PRINTER_XKEY) != 0) && !print) {
+		fprintf(stderr, "%s: -x cannot be used without -p\n", program);
+		exit(1);
+	}
+	if (print && list_zones) {
+		fprintf(stderr, "%s: -l cannot be used with -p\n", program);
+		exit(1);
+	}
+
+	if (isc_commandline_index + 1 < argc) {
+		usage();
+	}
+	if (argv[isc_commandline_index] != NULL) {
+		conffile = argv[isc_commandline_index];
+	}
+	if (conffile == NULL || conffile[0] == '\0') {
+		conffile = NAMED_CONFFILE;
+	}
+
+#ifdef _WIN32
+	InitSockets();
+#endif /* ifdef _WIN32 */
+
+	RUNTIME_CHECK(setup_logging(mctx, stdout, &logc) == ISC_R_SUCCESS);
+
+	dns_result_register();
+
+	RUNTIME_CHECK(cfg_parser_create(mctx, logc, &parser) == ISC_R_SUCCESS);
+
+	if (nodeprecate) {
+		cfg_parser_setflags(parser, CFG_PCTX_NODEPRECATED, true);
+	}
+	cfg_parser_setcallback(parser, directory_callback, NULL);
+
+	if (cfg_parse_file(parser, conffile, &cfg_type_namedconf, &config) !=
+	    ISC_R_SUCCESS)
+	{
+		exit(1);
+	}
+
+	result = bind9_check_namedconf(config, loadplugins, logc, mctx);
+	if (result != ISC_R_SUCCESS) {
+		exit_status = 1;
+	}
+
+	if (result == ISC_R_SUCCESS && (load_zones || list_zones)) {
+		result = load_zones_fromconfig(config, mctx, list_zones);
+		if (result != ISC_R_SUCCESS) {
+			exit_status = 1;
+		}
+	}
+
+	if (print && exit_status == 0) {
+		cfg_printx(config, flags, output, NULL);
+	}
+	cfg_obj_destroy(parser, &config);
+
+	cfg_parser_destroy(&parser);
+
+	isc_log_destroy(&logc);
+
+	isc_mem_destroy(&mctx);
+
+#ifdef _WIN32
+	DestroySockets();
+#endif /* ifdef _WIN32 */
+
+	return (exit_status);
+}
diff --git a/bin/check/named-checkconf.rst b/bin/check/named-checkconf.rst
new file mode 100644
index 0000000..3cb7d74
--- /dev/null
+++ b/bin/check/named-checkconf.rst
@@ -0,0 +1,95 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. highlight: console
+
+.. _man_named-checkconf:
+
+named-checkconf - named configuration file syntax checking tool
+---------------------------------------------------------------
+
+Synopsis
+~~~~~~~~
+
+:program:`named-checkconf` [**-chjlvz**] [**-p** [**-x** ]] [**-t** directory] {filename}
+
+Description
+~~~~~~~~~~~
+
+``named-checkconf`` checks the syntax, but not the semantics, of a
+``named`` configuration file. The file, along with all files included by it, is parsed and checked for syntax
+errors. If no file is specified,
+``/etc/named.conf`` is read by default.
+
+Note: files that ``named`` reads in separate parser contexts, such as
+``rndc.key`` and ``bind.keys``, are not automatically read by
+``named-checkconf``. Configuration errors in these files may cause
+``named`` to fail to run, even if ``named-checkconf`` was successful.
+However, ``named-checkconf`` can be run on these files explicitly.
+
+Options
+~~~~~~~
+
+``-h``
+   This option prints the usage summary and exits.
+
+``-j``
+   When loading a zonefile, this option instructs ``named`` to read the journal if it exists.
+
+``-l``
+   This option lists all the configured zones. Each line of output contains the zone
+   name, class (e.g. IN), view, and type (e.g. primary or secondary).
+
+``-c``
+   This option specifies that only the "core" configuration should be checked. This suppresses the loading of
+   plugin modules, and causes all parameters to ``plugin`` statements to
+   be ignored.
+
+``-i``
+   This option ignores warnings on deprecated options.
+
+``-p``
+   This option prints out the ``named.conf`` and included files in canonical form if
+   no errors were detected. See also the ``-x`` option.
+
+``-t directory``
+   This option instructs ``named`` to chroot to ``directory``, so that ``include`` directives in the
+   configuration file are processed as if run by a similarly chrooted
+   ``named``.
+
+``-v``
+   This option prints the version of the ``named-checkconf`` program and exits.
+
+``-x``
+   When printing the configuration files in canonical form, this option obscures
+   shared secrets by replacing them with strings of question marks
+   (``?``). This allows the contents of ``named.conf`` and related files
+   to be shared - for example, when submitting bug reports -
+   without compromising private data. This option cannot be used without
+   ``-p``.
+
+``-z``
+   This option performs a test load of all zones of type ``primary`` found in ``named.conf``.
+
+``filename``
+   This indicates the name of the configuration file to be checked. If not specified,
+   it defaults to ``/etc/named.conf``.
+
+Return Values
+~~~~~~~~~~~~~
+
+``named-checkconf`` returns an exit status of 1 if errors were detected
+and 0 otherwise.
+
+See Also
+~~~~~~~~
+
+:manpage:`named(8)`, :manpage:`named-checkzone(8)`, BIND 9 Administrator Reference Manual.
diff --git a/bin/check/named-checkzone.c b/bin/check/named-checkzone.c
new file mode 100644
index 0000000..6a63a1f
--- /dev/null
+++ b/bin/check/named-checkzone.c
@@ -0,0 +1,569 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/app.h>
+#include <isc/commandline.h>
+#include <isc/dir.h>
+#include <isc/hash.h>
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/socket.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/fixedname.h>
+#include <dns/log.h>
+#include <dns/master.h>
+#include <dns/masterdump.h>
+#include <dns/name.h>
+#include <dns/rdataclass.h>
+#include <dns/rdataset.h>
+#include <dns/result.h>
+#include <dns/types.h>
+#include <dns/zone.h>
+
+#include "check-tool.h"
+
+static int quiet = 0;
+static isc_mem_t *mctx = NULL;
+dns_zone_t *zone = NULL;
+dns_zonetype_t zonetype = dns_zone_primary;
+static int dumpzone = 0;
+static const char *output_filename;
+static const char *prog_name = NULL;
+static const dns_master_style_t *outputstyle = NULL;
+static enum { progmode_check, progmode_compile } progmode;
+
+#define ERRRET(result, function)                                              \
+	do {                                                                  \
+		if (result != ISC_R_SUCCESS) {                                \
+			if (!quiet)                                           \
+				fprintf(stderr, "%s() returned %s\n",         \
+					function, dns_result_totext(result)); \
+			return (result);                                      \
+		}                                                             \
+	} while (0)
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(void) {
+	fprintf(stderr,
+		"usage: %s [-djqvD] [-c class] "
+		"[-f inputformat] [-F outputformat] [-J filename] "
+		"[-s (full|relative)] [-t directory] [-w directory] "
+		"[-k (ignore|warn|fail)] [-m (ignore|warn|fail)] "
+		"[-n (ignore|warn|fail)] [-r (ignore|warn|fail)] "
+		"[-i (full|full-sibling|local|local-sibling|none)] "
+		"[-M (ignore|warn|fail)] [-S (ignore|warn|fail)] "
+		"[-W (ignore|warn)] "
+		"%s zonename filename\n",
+		prog_name,
+		progmode == progmode_check ? "[-o filename]" : "-o filename");
+	exit(1);
+}
+
+static void
+destroy(void) {
+	if (zone != NULL) {
+		dns_zone_detach(&zone);
+	}
+}
+
+/*% main processing routine */
+int
+main(int argc, char **argv) {
+	int c;
+	char *origin = NULL;
+	char *filename = NULL;
+	isc_log_t *lctx = NULL;
+	isc_result_t result;
+	char classname_in[] = "IN";
+	char *classname = classname_in;
+	const char *workdir = NULL;
+	const char *inputformatstr = NULL;
+	const char *outputformatstr = NULL;
+	dns_masterformat_t inputformat = dns_masterformat_text;
+	dns_masterformat_t outputformat = dns_masterformat_text;
+	dns_masterrawheader_t header;
+	uint32_t rawversion = 1, serialnum = 0;
+	dns_ttl_t maxttl = 0;
+	bool snset = false;
+	bool logdump = false;
+	FILE *errout = stdout;
+	char *endp;
+
+	/*
+	 * Uncomment the following line if memory debugging is needed:
+	 * isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
+	 */
+
+	outputstyle = &dns_master_style_full;
+
+	prog_name = strrchr(argv[0], '/');
+	if (prog_name == NULL) {
+		prog_name = strrchr(argv[0], '\\');
+	}
+	if (prog_name != NULL) {
+		prog_name++;
+	} else {
+		prog_name = argv[0];
+	}
+	/*
+	 * Libtool doesn't preserve the program name prior to final
+	 * installation.  Remove the libtool prefix ("lt-").
+	 */
+	if (strncmp(prog_name, "lt-", 3) == 0) {
+		prog_name += 3;
+	}
+
+#define PROGCMP(X) \
+	(strcasecmp(prog_name, X) == 0 || strcasecmp(prog_name, X ".exe") == 0)
+
+	if (PROGCMP("named-checkzone")) {
+		progmode = progmode_check;
+	} else if (PROGCMP("named-compilezone")) {
+		progmode = progmode_compile;
+	} else {
+		UNREACHABLE();
+	}
+
+	/* Compilation specific defaults */
+	if (progmode == progmode_compile) {
+		zone_options |= (DNS_ZONEOPT_CHECKNS | DNS_ZONEOPT_FATALNS |
+				 DNS_ZONEOPT_CHECKSPF | DNS_ZONEOPT_CHECKDUPRR |
+				 DNS_ZONEOPT_CHECKNAMES |
+				 DNS_ZONEOPT_CHECKNAMESFAIL |
+				 DNS_ZONEOPT_CHECKWILDCARD);
+	} else {
+		zone_options |= (DNS_ZONEOPT_CHECKDUPRR | DNS_ZONEOPT_CHECKSPF);
+	}
+
+#define ARGCMP(X) (strcmp(isc_commandline_argument, X) == 0)
+
+	isc_commandline_errprint = false;
+
+	while ((c = isc_commandline_parse(argc, argv,
+					  "c:df:hi:jJ:k:L:l:m:n:qr:s:t:o:vw:DF:"
+					  "M:S:T:W:")) != EOF)
+	{
+		switch (c) {
+		case 'c':
+			classname = isc_commandline_argument;
+			break;
+
+		case 'd':
+			debug++;
+			break;
+
+		case 'i':
+			if (ARGCMP("full")) {
+				zone_options |= DNS_ZONEOPT_CHECKINTEGRITY |
+						DNS_ZONEOPT_CHECKSIBLING;
+				docheckmx = true;
+				docheckns = true;
+				dochecksrv = true;
+			} else if (ARGCMP("full-sibling")) {
+				zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
+				zone_options &= ~DNS_ZONEOPT_CHECKSIBLING;
+				docheckmx = true;
+				docheckns = true;
+				dochecksrv = true;
+			} else if (ARGCMP("local")) {
+				zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
+				zone_options |= DNS_ZONEOPT_CHECKSIBLING;
+				docheckmx = false;
+				docheckns = false;
+				dochecksrv = false;
+			} else if (ARGCMP("local-sibling")) {
+				zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
+				zone_options &= ~DNS_ZONEOPT_CHECKSIBLING;
+				docheckmx = false;
+				docheckns = false;
+				dochecksrv = false;
+			} else if (ARGCMP("none")) {
+				zone_options &= ~DNS_ZONEOPT_CHECKINTEGRITY;
+				zone_options &= ~DNS_ZONEOPT_CHECKSIBLING;
+				docheckmx = false;
+				docheckns = false;
+				dochecksrv = false;
+			} else {
+				fprintf(stderr, "invalid argument to -i: %s\n",
+					isc_commandline_argument);
+				exit(1);
+			}
+			break;
+
+		case 'f':
+			inputformatstr = isc_commandline_argument;
+			break;
+
+		case 'F':
+			outputformatstr = isc_commandline_argument;
+			break;
+
+		case 'j':
+			nomerge = false;
+			break;
+
+		case 'J':
+			journal = isc_commandline_argument;
+			nomerge = false;
+			break;
+
+		case 'k':
+			if (ARGCMP("warn")) {
+				zone_options |= DNS_ZONEOPT_CHECKNAMES;
+				zone_options &= ~DNS_ZONEOPT_CHECKNAMESFAIL;
+			} else if (ARGCMP("fail")) {
+				zone_options |= DNS_ZONEOPT_CHECKNAMES |
+						DNS_ZONEOPT_CHECKNAMESFAIL;
+			} else if (ARGCMP("ignore")) {
+				zone_options &= ~(DNS_ZONEOPT_CHECKNAMES |
+						  DNS_ZONEOPT_CHECKNAMESFAIL);
+			} else {
+				fprintf(stderr, "invalid argument to -k: %s\n",
+					isc_commandline_argument);
+				exit(1);
+			}
+			break;
+
+		case 'L':
+			snset = true;
+			endp = NULL;
+			serialnum = strtol(isc_commandline_argument, &endp, 0);
+			if (*endp != '\0') {
+				fprintf(stderr, "source serial number "
+						"must be numeric");
+				exit(1);
+			}
+			break;
+
+		case 'l':
+			zone_options |= DNS_ZONEOPT_CHECKTTL;
+			endp = NULL;
+			maxttl = strtol(isc_commandline_argument, &endp, 0);
+			if (*endp != '\0') {
+				fprintf(stderr, "maximum TTL "
+						"must be numeric");
+				exit(1);
+			}
+			break;
+
+		case 'n':
+			if (ARGCMP("ignore")) {
+				zone_options &= ~(DNS_ZONEOPT_CHECKNS |
+						  DNS_ZONEOPT_FATALNS);
+			} else if (ARGCMP("warn")) {
+				zone_options |= DNS_ZONEOPT_CHECKNS;
+				zone_options &= ~DNS_ZONEOPT_FATALNS;
+			} else if (ARGCMP("fail")) {
+				zone_options |= DNS_ZONEOPT_CHECKNS |
+						DNS_ZONEOPT_FATALNS;
+			} else {
+				fprintf(stderr, "invalid argument to -n: %s\n",
+					isc_commandline_argument);
+				exit(1);
+			}
+			break;
+
+		case 'm':
+			if (ARGCMP("warn")) {
+				zone_options |= DNS_ZONEOPT_CHECKMX;
+				zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL;
+			} else if (ARGCMP("fail")) {
+				zone_options |= DNS_ZONEOPT_CHECKMX |
+						DNS_ZONEOPT_CHECKMXFAIL;
+			} else if (ARGCMP("ignore")) {
+				zone_options &= ~(DNS_ZONEOPT_CHECKMX |
+						  DNS_ZONEOPT_CHECKMXFAIL);
+			} else {
+				fprintf(stderr, "invalid argument to -m: %s\n",
+					isc_commandline_argument);
+				exit(1);
+			}
+			break;
+
+		case 'o':
+			output_filename = isc_commandline_argument;
+			break;
+
+		case 'q':
+			quiet++;
+			break;
+
+		case 'r':
+			if (ARGCMP("warn")) {
+				zone_options |= DNS_ZONEOPT_CHECKDUPRR;
+				zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL;
+			} else if (ARGCMP("fail")) {
+				zone_options |= DNS_ZONEOPT_CHECKDUPRR |
+						DNS_ZONEOPT_CHECKDUPRRFAIL;
+			} else if (ARGCMP("ignore")) {
+				zone_options &= ~(DNS_ZONEOPT_CHECKDUPRR |
+						  DNS_ZONEOPT_CHECKDUPRRFAIL);
+			} else {
+				fprintf(stderr, "invalid argument to -r: %s\n",
+					isc_commandline_argument);
+				exit(1);
+			}
+			break;
+
+		case 's':
+			if (ARGCMP("full")) {
+				outputstyle = &dns_master_style_full;
+			} else if (ARGCMP("relative")) {
+				outputstyle = &dns_master_style_default;
+			} else {
+				fprintf(stderr,
+					"unknown or unsupported style: %s\n",
+					isc_commandline_argument);
+				exit(1);
+			}
+			break;
+
+		case 't':
+			result = isc_dir_chroot(isc_commandline_argument);
+			if (result != ISC_R_SUCCESS) {
+				fprintf(stderr, "isc_dir_chroot: %s: %s\n",
+					isc_commandline_argument,
+					isc_result_totext(result));
+				exit(1);
+			}
+			break;
+
+		case 'v':
+			printf(VERSION "\n");
+			exit(0);
+
+		case 'w':
+			workdir = isc_commandline_argument;
+			break;
+
+		case 'D':
+			dumpzone++;
+			break;
+
+		case 'M':
+			if (ARGCMP("fail")) {
+				zone_options &= ~DNS_ZONEOPT_WARNMXCNAME;
+				zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
+			} else if (ARGCMP("warn")) {
+				zone_options |= DNS_ZONEOPT_WARNMXCNAME;
+				zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
+			} else if (ARGCMP("ignore")) {
+				zone_options |= DNS_ZONEOPT_WARNMXCNAME;
+				zone_options |= DNS_ZONEOPT_IGNOREMXCNAME;
+			} else {
+				fprintf(stderr, "invalid argument to -M: %s\n",
+					isc_commandline_argument);
+				exit(1);
+			}
+			break;
+
+		case 'S':
+			if (ARGCMP("fail")) {
+				zone_options &= ~DNS_ZONEOPT_WARNSRVCNAME;
+				zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
+			} else if (ARGCMP("warn")) {
+				zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
+				zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
+			} else if (ARGCMP("ignore")) {
+				zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
+				zone_options |= DNS_ZONEOPT_IGNORESRVCNAME;
+			} else {
+				fprintf(stderr, "invalid argument to -S: %s\n",
+					isc_commandline_argument);
+				exit(1);
+			}
+			break;
+
+		case 'T':
+			if (ARGCMP("warn")) {
+				zone_options |= DNS_ZONEOPT_CHECKSPF;
+			} else if (ARGCMP("ignore")) {
+				zone_options &= ~DNS_ZONEOPT_CHECKSPF;
+			} else {
+				fprintf(stderr, "invalid argument to -T: %s\n",
+					isc_commandline_argument);
+				exit(1);
+			}
+			break;
+
+		case 'W':
+			if (ARGCMP("warn")) {
+				zone_options |= DNS_ZONEOPT_CHECKWILDCARD;
+			} else if (ARGCMP("ignore")) {
+				zone_options &= ~DNS_ZONEOPT_CHECKWILDCARD;
+			}
+			break;
+
+		case '?':
+			if (isc_commandline_option != '?') {
+				fprintf(stderr, "%s: invalid argument -%c\n",
+					prog_name, isc_commandline_option);
+			}
+			FALLTHROUGH;
+		case 'h':
+			usage();
+
+		default:
+			fprintf(stderr, "%s: unhandled option -%c\n", prog_name,
+				isc_commandline_option);
+			exit(1);
+		}
+	}
+
+	if (workdir != NULL) {
+		result = isc_dir_chdir(workdir);
+		if (result != ISC_R_SUCCESS) {
+			fprintf(stderr, "isc_dir_chdir: %s: %s\n", workdir,
+				isc_result_totext(result));
+			exit(1);
+		}
+	}
+
+	if (inputformatstr != NULL) {
+		if (strcasecmp(inputformatstr, "text") == 0) {
+			inputformat = dns_masterformat_text;
+		} else if (strcasecmp(inputformatstr, "raw") == 0) {
+			inputformat = dns_masterformat_raw;
+		} else if (strncasecmp(inputformatstr, "raw=", 4) == 0) {
+			inputformat = dns_masterformat_raw;
+			fprintf(stderr, "WARNING: input format raw, version "
+					"ignored\n");
+		} else if (strcasecmp(inputformatstr, "map") == 0) {
+			inputformat = dns_masterformat_map;
+		} else {
+			fprintf(stderr, "unknown file format: %s\n",
+				inputformatstr);
+			exit(1);
+		}
+	}
+
+	if (outputformatstr != NULL) {
+		if (strcasecmp(outputformatstr, "text") == 0) {
+			outputformat = dns_masterformat_text;
+		} else if (strcasecmp(outputformatstr, "raw") == 0) {
+			outputformat = dns_masterformat_raw;
+		} else if (strncasecmp(outputformatstr, "raw=", 4) == 0) {
+			char *end;
+
+			outputformat = dns_masterformat_raw;
+			rawversion = strtol(outputformatstr + 4, &end, 10);
+			if (end == outputformatstr + 4 || *end != '\0' ||
+			    rawversion > 1U)
+			{
+				fprintf(stderr, "unknown raw format version\n");
+				exit(1);
+			}
+		} else if (strcasecmp(outputformatstr, "map") == 0) {
+			outputformat = dns_masterformat_map;
+		} else {
+			fprintf(stderr, "unknown file format: %s\n",
+				outputformatstr);
+			exit(1);
+		}
+	}
+
+	if (progmode == progmode_compile) {
+		dumpzone = 1; /* always dump */
+		logdump = !quiet;
+		if (output_filename == NULL) {
+			fprintf(stderr, "output file required, but not "
+					"specified\n");
+			usage();
+		}
+	}
+
+	if (output_filename != NULL) {
+		dumpzone = 1;
+	}
+
+	/*
+	 * If we are printing to stdout then send the informational
+	 * output to stderr.
+	 */
+	if (dumpzone &&
+	    (output_filename == NULL || strcmp(output_filename, "-") == 0 ||
+	     strcmp(output_filename, "/dev/fd/1") == 0 ||
+	     strcmp(output_filename, "/dev/stdout") == 0))
+	{
+		errout = stderr;
+		logdump = false;
+	}
+
+	if (isc_commandline_index + 2 != argc) {
+		usage();
+	}
+
+#ifdef _WIN32
+	InitSockets();
+#endif /* ifdef _WIN32 */
+
+	isc_mem_create(&mctx);
+	if (!quiet) {
+		RUNTIME_CHECK(setup_logging(mctx, errout, &lctx) ==
+			      ISC_R_SUCCESS);
+	}
+
+	dns_result_register();
+
+	origin = argv[isc_commandline_index++];
+	filename = argv[isc_commandline_index++];
+	result = load_zone(mctx, origin, filename, inputformat, classname,
+			   maxttl, &zone);
+
+	if (snset) {
+		dns_master_initrawheader(&header);
+		header.flags = DNS_MASTERRAW_SOURCESERIALSET;
+		header.sourceserial = serialnum;
+		dns_zone_setrawdata(zone, &header);
+	}
+
+	if (result == ISC_R_SUCCESS && dumpzone) {
+		if (logdump) {
+			fprintf(errout, "dump zone to %s...", output_filename);
+			fflush(errout);
+		}
+		result = dump_zone(origin, zone, output_filename, outputformat,
+				   outputstyle, rawversion);
+		if (logdump) {
+			fprintf(errout, "done\n");
+		}
+	}
+
+	if (!quiet && result == ISC_R_SUCCESS) {
+		fprintf(errout, "OK\n");
+	}
+	destroy();
+	if (lctx != NULL) {
+		isc_log_destroy(&lctx);
+	}
+	isc_mem_destroy(&mctx);
+#ifdef _WIN32
+	DestroySockets();
+#endif /* ifdef _WIN32 */
+	return ((result == ISC_R_SUCCESS) ? 0 : 1);
+}
diff --git a/bin/check/named-checkzone.rst b/bin/check/named-checkzone.rst
new file mode 100644
index 0000000..dae72dc
--- /dev/null
+++ b/bin/check/named-checkzone.rst
@@ -0,0 +1,193 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. highlight: console
+
+.. BEWARE: Do not forget to edit also named-compilezone.rst!
+
+.. _man_named-checkzone:
+
+named-checkzone - zone file validation tool
+-------------------------------------------
+
+Synopsis
+~~~~~~~~
+
+:program:`named-checkzone` [**-d**] [**-h**] [**-j**] [**-q**] [**-v**] [**-c** class] [**-f** format] [**-F** format] [**-J** filename] [**-i** mode] [**-k** mode] [**-m** mode] [**-M** mode] [**-n** mode] [**-l** ttl] [**-L** serial] [**-o** filename] [**-r** mode] [**-s** style] [**-S** mode] [**-t** directory] [**-T** mode] [**-w** directory] [**-D**] [**-W** mode] {zonename} {filename}
+
+Description
+~~~~~~~~~~~
+
+``named-checkzone`` checks the syntax and integrity of a zone file. It
+performs the same checks as ``named`` does when loading a zone. This
+makes ``named-checkzone`` useful for checking zone files before
+configuring them into a name server.
+
+Options
+~~~~~~~
+
+``-d``
+   This option enables debugging.
+
+``-h``
+   This option prints the usage summary and exits.
+
+``-q``
+   This option sets quiet mode, which only sets an exit code to indicate
+   successful or failed completion.
+
+``-v``
+   This option prints the version of the ``named-checkzone`` program and exits.
+
+``-j``
+   When loading a zone file, this option tells ``named`` to read the journal if it exists. The journal
+   file name is assumed to be the zone file name with the
+   string ``.jnl`` appended.
+
+``-J filename``
+   When loading the zone file, this option tells ``named`` to read the journal from the given file, if
+   it exists. This implies ``-j``.
+
+``-c class``
+   This option specifies the class of the zone. If not specified, ``IN`` is assumed.
+
+``-i mode``
+   This option performs post-load zone integrity checks. Possible modes are
+   ``full`` (the default), ``full-sibling``, ``local``,
+   ``local-sibling``, and ``none``.
+
+   Mode ``full`` checks that MX records refer to A or AAAA records
+   (both in-zone and out-of-zone hostnames). Mode ``local`` only
+   checks MX records which refer to in-zone hostnames.
+
+   Mode ``full`` checks that SRV records refer to A or AAAA records
+   (both in-zone and out-of-zone hostnames). Mode ``local`` only
+   checks SRV records which refer to in-zone hostnames.
+
+   Mode ``full`` checks that delegation NS records refer to A or AAAA
+   records (both in-zone and out-of-zone hostnames). It also checks that
+   glue address records in the zone match those advertised by the child.
+   Mode ``local`` only checks NS records which refer to in-zone
+   hostnames or verifies that some required glue exists, i.e., when the
+   name server is in a child zone.
+
+   Modes ``full-sibling`` and ``local-sibling`` disable sibling glue
+   checks, but are otherwise the same as ``full`` and ``local``,
+   respectively.
+
+   Mode ``none`` disables the checks.
+
+``-f format``
+   This option specifies the format of the zone file. Possible formats are
+   ``text`` (the default), ``raw``, and ``map``.
+
+``-F format``
+   This option specifies the format of the output file specified. For
+   ``named-checkzone``, this does not have any effect unless it dumps
+   the zone contents.
+
+   Possible formats are ``text`` (the default), which is the standard
+   textual representation of the zone, and ``map``, ``raw``, and ``raw=N``, which
+   store the zone in a binary format for rapid loading by ``named``.
+   ``raw=N`` specifies the format version of the raw zone file: if ``N`` is
+   0, the raw file can be read by any version of ``named``; if N is 1, the
+   file can only be read by release 9.9.0 or higher. The default is 1.
+
+``-k mode``
+   This option performs ``check-names`` checks with the specified failure mode.
+   Possible modes are ``fail``, ``warn`` (the default), and ``ignore``.
+
+``-l ttl``
+   This option sets a maximum permissible TTL for the input file. Any record with a
+   TTL higher than this value causes the zone to be rejected. This
+   is similar to using the ``max-zone-ttl`` option in ``named.conf``.
+
+``-L serial``
+   When compiling a zone to ``raw`` or ``map`` format, this option sets the "source
+   serial" value in the header to the specified serial number. This is
+   expected to be used primarily for testing purposes.
+
+``-m mode``
+   This option specifies whether MX records should be checked to see if they are
+   addresses. Possible modes are ``fail``, ``warn`` (the default), and
+   ``ignore``.
+
+``-M mode``
+   This option checks whether a MX record refers to a CNAME. Possible modes are
+   ``fail``, ``warn`` (the default), and ``ignore``.
+
+``-n mode``
+   This option specifies whether NS records should be checked to see if they are
+   addresses. Possible modes are ``fail``, ``warn`` (the default), and ``ignore``.
+
+``-o filename``
+   This option writes the zone output to ``filename``. If ``filename`` is ``-``, then
+   the zone output is written to standard output.
+
+``-r mode``
+   This option checks for records that are treated as different by DNSSEC but are
+   semantically equal in plain DNS. Possible modes are ``fail``,
+   ``warn`` (the default), and ``ignore``.
+
+``-s style``
+   This option specifies the style of the dumped zone file. Possible styles are
+   ``full`` (the default) and ``relative``. The ``full`` format is most
+   suitable for processing automatically by a separate script.
+   The relative format is more human-readable and is thus
+   suitable for editing by hand. This does not have any effect unless it dumps
+   the zone contents. It also does not have any meaning if the output format
+   is not text.
+
+``-S mode``
+   This option checks whether an SRV record refers to a CNAME. Possible modes are
+   ``fail``, ``warn`` (the default), and ``ignore``.
+
+``-t directory``
+   This option tells ``named`` to chroot to ``directory``, so that ``include`` directives in the
+   configuration file are processed as if run by a similarly chrooted
+   ``named``.
+
+``-T mode``
+   This option checks whether Sender Policy Framework (SPF) records exist and issues a
+   warning if an SPF-formatted TXT record is not also present. Possible
+   modes are ``warn`` (the default) and ``ignore``.
+
+``-w directory``
+   This option instructs ``named`` to chdir to ``directory``, so that relative filenames in master file
+   ``$INCLUDE`` directives work. This is similar to the directory clause in
+   ``named.conf``.
+
+``-D``
+   This option dumps the zone file in canonical format.
+
+``-W mode``
+   This option specifies whether to check for non-terminal wildcards. Non-terminal
+   wildcards are almost always the result of a failure to understand the
+   wildcard matching algorithm (:rfc:`4592`). Possible modes are ``warn``
+   (the default) and ``ignore``.
+
+``zonename``
+   This indicates the domain name of the zone being checked.
+
+``filename``
+   This is the name of the zone file.
+
+Return Values
+~~~~~~~~~~~~~
+
+``named-checkzone`` returns an exit status of 1 if errors were detected
+and 0 otherwise.
+
+See Also
+~~~~~~~~
+
+:manpage:`named(8)`, :manpage:`named-checkconf(8)`, :manpage:`named-compilezone(8)`,
+:rfc:`1035`, BIND 9 Administrator Reference Manual.
diff --git a/bin/check/named-compilezone.rst b/bin/check/named-compilezone.rst
new file mode 100644
index 0000000..e56d264
--- /dev/null
+++ b/bin/check/named-compilezone.rst
@@ -0,0 +1,195 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. highlight: console
+
+.. BEWARE: Do not forget to edit also named-checkzone.rst!
+
+.. _man_named-compilezone:
+
+named-compilezone - zone file converting tool
+---------------------------------------------
+
+Synopsis
+~~~~~~~~
+
+:program:`named-compilezone` [**-d**] [**-h**] [**-j**] [**-q**] [**-v**] [**-c** class] [**-f** format] [**-F** format] [**-J** filename] [**-i** mode] [**-k** mode] [**-m** mode] [**-M** mode] [**-n** mode] [**-l** ttl] [**-L** serial] [**-r** mode] [**-s** style] [**-S** mode] [**-t** directory] [**-T** mode] [**-w** directory] [**-D**] [**-W** mode] {**-o** filename} {zonename} {filename}
+
+Description
+~~~~~~~~~~~
+
+``named-compilezone`` checks the syntax and integrity of a zone file,
+and dumps the zone contents to a specified file in a specified format.
+It applies strict check levels by default, since the
+dump output is used as an actual zone file loaded by ``named``.
+When manually specified otherwise, the check levels must at least be as
+strict as those specified in the ``named`` configuration file.
+
+Options
+~~~~~~~
+
+``-d``
+   This option enables debugging.
+
+``-h``
+   This option prints the usage summary and exits.
+
+``-q``
+   This option sets quiet mode, which only sets an exit code to indicate
+   successful or failed completion.
+
+``-v``
+   This option prints the version of the ``named-checkzone`` program and exits.
+
+``-j``
+   When loading a zone file, this option tells ``named`` to read the journal if it exists. The journal
+   file name is assumed to be the zone file name with the
+   string ``.jnl`` appended.
+
+``-J filename``
+   When loading the zone file, this option tells ``named`` to read the journal from the given file, if
+   it exists. This implies ``-j``.
+
+``-c class``
+   This option specifies the class of the zone. If not specified, ``IN`` is assumed.
+
+``-i mode``
+   This option performs post-load zone integrity checks. Possible modes are
+   ``full`` (the default), ``full-sibling``, ``local``,
+   ``local-sibling``, and ``none``.
+
+   Mode ``full`` checks that MX records refer to A or AAAA records
+   (both in-zone and out-of-zone hostnames). Mode ``local`` only
+   checks MX records which refer to in-zone hostnames.
+
+   Mode ``full`` checks that SRV records refer to A or AAAA records
+   (both in-zone and out-of-zone hostnames). Mode ``local`` only
+   checks SRV records which refer to in-zone hostnames.
+
+   Mode ``full`` checks that delegation NS records refer to A or AAAA
+   records (both in-zone and out-of-zone hostnames). It also checks that
+   glue address records in the zone match those advertised by the child.
+   Mode ``local`` only checks NS records which refer to in-zone
+   hostnames or verifies that some required glue exists, i.e., when the
+   name server is in a child zone.
+
+   Modes ``full-sibling`` and ``local-sibling`` disable sibling glue
+   checks, but are otherwise the same as ``full`` and ``local``,
+   respectively.
+
+   Mode ``none`` disables the checks.
+
+``-f format``
+   This option specifies the format of the zone file. Possible formats are
+   ``text`` (the default), ``raw``, and ``map``.
+
+``-F format``
+   This option specifies the format of the output file specified. For
+   ``named-checkzone``, this does not have any effect unless it dumps
+   the zone contents.
+
+   Possible formats are ``text`` (the default), which is the standard
+   textual representation of the zone, and ``map``, ``raw``, and ``raw=N``, which
+   store the zone in a binary format for rapid loading by ``named``.
+   ``raw=N`` specifies the format version of the raw zone file: if ``N`` is
+   0, the raw file can be read by any version of ``named``; if N is 1, the
+   file can only be read by release 9.9.0 or higher. The default is 1.
+
+``-k mode``
+   This option performs ``check-names`` checks with the specified failure mode.
+   Possible modes are ``fail`` (the default), ``warn``, and ``ignore``.
+
+``-l ttl``
+   This option sets a maximum permissible TTL for the input file. Any record with a
+   TTL higher than this value causes the zone to be rejected. This
+   is similar to using the ``max-zone-ttl`` option in ``named.conf``.
+
+``-L serial``
+   When compiling a zone to ``raw`` or ``map`` format, this option sets the "source
+   serial" value in the header to the specified serial number. This is
+   expected to be used primarily for testing purposes.
+
+``-m mode``
+   This option specifies whether MX records should be checked to see if they are
+   addresses. Possible modes are ``fail``, ``warn`` (the default), and
+   ``ignore``.
+
+``-M mode``
+   This option checks whether a MX record refers to a CNAME. Possible modes are
+   ``fail``, ``warn`` (the default), and ``ignore``.
+
+``-n mode``
+   This option specifies whether NS records should be checked to see if they are
+   addresses. Possible modes are ``fail`` (the default), ``warn``,  and
+   ``ignore``.
+
+``-o filename``
+   This option writes the zone output to ``filename``. If ``filename`` is ``-``, then
+   the zone output is written to standard output. This is mandatory for ``named-compilezone``.
+
+``-r mode``
+   This option checks for records that are treated as different by DNSSEC but are
+   semantically equal in plain DNS. Possible modes are ``fail``,
+   ``warn`` (the default), and ``ignore``.
+
+``-s style``
+   This option specifies the style of the dumped zone file. Possible styles are
+   ``full`` (the default) and ``relative``. The ``full`` format is most
+   suitable for processing automatically by a separate script.
+   The relative format is more human-readable and is thus
+   suitable for editing by hand.
+
+``-S mode``
+   This option checks whether an SRV record refers to a CNAME. Possible modes are
+   ``fail``, ``warn`` (the default), and ``ignore``.
+
+``-t directory``
+   This option tells ``named`` to chroot to ``directory``, so that ``include`` directives in the
+   configuration file are processed as if run by a similarly chrooted
+   ``named``.
+
+``-T mode``
+   This option checks whether Sender Policy Framework (SPF) records exist and issues a
+   warning if an SPF-formatted TXT record is not also present. Possible
+   modes are ``warn`` (the default) and ``ignore``.
+
+``-w directory``
+   This option instructs ``named`` to chdir to ``directory``, so that relative filenames in master file
+   ``$INCLUDE`` directives work. This is similar to the directory clause in
+   ``named.conf``.
+
+``-D``
+   This option dumps the zone file in canonical format. This is always enabled for
+   ``named-compilezone``.
+
+``-W mode``
+   This option specifies whether to check for non-terminal wildcards. Non-terminal
+   wildcards are almost always the result of a failure to understand the
+   wildcard matching algorithm (:rfc:`4592`). Possible modes are ``warn``
+   (the default) and ``ignore``.
+
+``zonename``
+   This indicates the domain name of the zone being checked.
+
+``filename``
+   This is the name of the zone file.
+
+Return Values
+~~~~~~~~~~~~~
+
+``named-compilezone`` returns an exit status of 1 if errors were detected
+and 0 otherwise.
+
+See Also
+~~~~~~~~
+
+:manpage:`named(8)`, :manpage:`named-checkconf(8)`, :manpage:`named-checkzone(8)`,
+:rfc:`1035`, BIND 9 Administrator Reference Manual.
diff --git a/bin/check/win32/checkconf.vcxproj.filters.in b/bin/check/win32/checkconf.vcxproj.filters.in
new file mode 100644
index 0000000..7d0bc52
--- /dev/null
+++ b/bin/check/win32/checkconf.vcxproj.filters.in
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\check-tool.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\named-checkconf.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/check/win32/checkconf.vcxproj.in b/bin/check/win32/checkconf.vcxproj.in
new file mode 100644
index 0000000..1391d5a
--- /dev/null
+++ b/bin/check/win32/checkconf.vcxproj.in
@@ -0,0 +1,124 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{03A96113-CB14-43AA-AEB2-48950E3915C5}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>checkconf</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+    <TargetName>named-$(ProjectName)</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+    <TargetName>named-$(ProjectName)</TargetName>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\isccc\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);..\..\..\lib\ns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;libbind9.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\isccc\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);..\..\..\lib\ns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;libbind9.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClInclude Include="..\check-tool.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\named-checkconf.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/check/win32/checkconf.vcxproj.user b/bin/check/win32/checkconf.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/check/win32/checkconf.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/check/win32/checktool.vcxproj.filters.in b/bin/check/win32/checktool.vcxproj.filters.in
new file mode 100644
index 0000000..34fc8c6
--- /dev/null
+++ b/bin/check/win32/checktool.vcxproj.filters.in
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\check-tool.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/check/win32/checktool.vcxproj.in b/bin/check/win32/checktool.vcxproj.in
new file mode 100644
index 0000000..26c8423
--- /dev/null
+++ b/bin/check/win32/checktool.vcxproj.in
@@ -0,0 +1,110 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\check-tool.c" />
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{2C1F7096-C5B5-48D4-846F-A7ACA454335D}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>checktool</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <OutDir>.\$(Configuration)\</OutDir>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <OutDir>.\$(Configuration)\</OutDir>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\ns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Lib>
+      <OutputFile>.\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+    </Lib>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\ns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Lib>
+      <OutputFile>.\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+    </Lib>
+  </ItemDefinitionGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/check/win32/checktool.vcxproj.user b/bin/check/win32/checktool.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/check/win32/checktool.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/check/win32/checkzone.vcxproj.filters.in b/bin/check/win32/checkzone.vcxproj.filters.in
new file mode 100644
index 0000000..4f3396c
--- /dev/null
+++ b/bin/check/win32/checkzone.vcxproj.filters.in
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\check-tool.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\named-checkzone.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/check/win32/checkzone.vcxproj.in b/bin/check/win32/checkzone.vcxproj.in
new file mode 100644
index 0000000..063f673
--- /dev/null
+++ b/bin/check/win32/checkzone.vcxproj.in
@@ -0,0 +1,135 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{66028555-7DD5-4016-B601-9EF9A1EE8BFA}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>checkzone</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+    <TargetName>named-$(ProjectName)</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+    <TargetName>named-$(ProjectName)</TargetName>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\ns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+    <PostBuildEvent>
+      <Command>cd ..\..\..\Build\$(Configuration)
+copy /Y named-checkzone.exe named-compilezone.exe
+copy /Y named-checkzone.ilk named-compilezone.ilk
+</Command>
+    </PostBuildEvent>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\ns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+    </Link>
+    <PostBuildEvent>
+      <Command>cd ..\..\..\Build\$(Configuration)
+copy /Y named-checkzone.exe named-compilezone.exe
+</Command>
+    </PostBuildEvent>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClInclude Include="..\check-tool.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\named-checkzone.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/check/win32/checkzone.vcxproj.user b/bin/check/win32/checkzone.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/check/win32/checkzone.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
new file mode 100644
index 0000000..daab83a
--- /dev/null
+++ b/bin/confgen/Makefile.in
@@ -0,0 +1,97 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+# Attempt to disable parallel processing.
+.NOTPARALLEL:
+.NO_PARALLEL:
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
+	${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
+
+CDEFINES =
+CWARNINGS =
+
+ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
+ISCCCLIBS =	../../lib/isccc/libisccc.@A@
+ISCLIBS =	../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@
+DNSLIBS =	../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+BIND9LIBS =	../../lib/bind9/libbind9.@A@
+
+ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
+ISCCCDEPLIBS =	../../lib/isccc/libisccc.@A@
+ISCDEPLIBS =	../../lib/isc/libisc.@A@
+DNSDEPLIBS =	../../lib/dns/libdns.@A@
+BIND9DEPLIBS =	../../lib/bind9/libbind9.@A@
+
+RNDCLIBS =	${ISCCFGLIBS} ${ISCCCLIBS} ${BIND9LIBS} ${DNSLIBS} ${ISCLIBS} @LIBS@
+RNDCDEPLIBS =	${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${BIND9DEPLIBS} ${DNSDEPLIBS} ${ISCDEPLIBS}
+
+LIBS =		${DNSLIBS} ${ISCLIBS} @LIBS@
+
+NOSYMLIBS =	${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
+
+CONFDEPLIBS =	${DNSDEPLIBS} ${ISCDEPLIBS}
+
+SRCS=		rndc-confgen.c ddns-confgen.c
+
+SUBDIRS =	unix
+
+TARGETS =	rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ tsig-keygen@EXEEXT@
+
+UOBJS =		unix/os.@O@
+
+@BIND9_MAKE_RULES@
+
+rndc-confgen.@O@: rndc-confgen.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+		-DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\" \
+		-c ${srcdir}/rndc-confgen.c
+
+ddns-confgen.@O@: ddns-confgen.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c ${srcdir}/ddns-confgen.c
+
+rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ keygen.@O@ ${CONFDEPLIBS}
+	export BASEOBJS="rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \
+	${FINALBUILDCMD}
+
+ddns-confgen@EXEEXT@: ddns-confgen.@O@ util.@O@ keygen.@O@ ${CONFDEPLIBS}
+	export BASEOBJS="ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \
+	${FINALBUILDCMD}
+
+# make a link in the build directory to assist with testing
+tsig-keygen@EXEEXT@: ddns-confgen@EXEEXT@
+	rm -f tsig-keygen@EXEEXT@
+	${LINK_PROGRAM} ddns-confgen@EXEEXT@ tsig-keygen@EXEEXT@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
+
+install:: rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ installdirs
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc-confgen@EXEEXT@ ${DESTDIR}${sbindir}
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ddns-confgen@EXEEXT@ ${DESTDIR}${sbindir}
+	(cd ${DESTDIR}${sbindir}; rm -f tsig-keygen@EXEEXT@; ${LINK_PROGRAM} ddns-confgen@EXEEXT@ tsig-keygen@EXEEXT@)
+
+uninstall::
+	rm -f ${DESTDIR}${sbindir}/tsig-keygen@EXEEXT@
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/ddns-confgen@EXEEXT@
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/rndc-confgen@EXEEXT@
+
+clean distclean maintainer-clean::
+	rm -f ${TARGETS}
diff --git a/bin/confgen/ddns-confgen.c b/bin/confgen/ddns-confgen.c
new file mode 100644
index 0000000..0afe087
--- /dev/null
+++ b/bin/confgen/ddns-confgen.c
@@ -0,0 +1,311 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+/**
+ * ddns-confgen generates configuration files for dynamic DNS. It can
+ * be used as a convenient alternative to writing the ddns.key file
+ * and the corresponding key and update-policy statements in named.conf.
+ */
+
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/assertions.h>
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/file.h>
+#include <isc/mem.h>
+#include <isc/net.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#if USE_PKCS11
+#include <pk11/result.h>
+#endif /* if USE_PKCS11 */
+
+#include <dns/keyvalues.h>
+#include <dns/name.h>
+#include <dns/result.h>
+
+#include <dst/dst.h>
+
+#include <confgen/os.h>
+
+#include "keygen.h"
+#include "util.h"
+
+#define KEYGEN_DEFAULT	"tsig-key"
+#define CONFGEN_DEFAULT "ddns-key"
+
+static char program[256];
+const char *progname;
+static enum { progmode_keygen, progmode_confgen } progmode;
+bool verbose = false; /* needed by util.c but not used here */
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(int status) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(int status) {
+	if (progmode == progmode_confgen) {
+		fprintf(stderr, "\
+Usage:\n\
+ %s [-a alg] [-k keyname] [-q] [-s name | -z zone]\n\
+  -a alg:        algorithm (default hmac-sha256)\n\
+  -k keyname:    name of the key as it will be used in named.conf\n\
+  -s name:       domain name to be updated using the created key\n\
+  -z zone:       name of the zone as it will be used in named.conf\n\
+  -q:            quiet mode: print the key, with no explanatory text\n",
+			progname);
+	} else {
+		fprintf(stderr, "\
+Usage:\n\
+ %s [-a alg] [keyname]\n\
+  -a alg:        algorithm (default hmac-sha256)\n\n",
+			progname);
+	}
+
+	exit(status);
+}
+
+int
+main(int argc, char **argv) {
+	isc_result_t result = ISC_R_SUCCESS;
+	bool show_final_mem = false;
+	bool quiet = false;
+	isc_buffer_t key_txtbuffer;
+	char key_txtsecret[256];
+	isc_mem_t *mctx = NULL;
+	const char *keyname = NULL;
+	const char *zone = NULL;
+	const char *self_domain = NULL;
+	char *keybuf = NULL;
+	dns_secalg_t alg = DST_ALG_HMACSHA256;
+	const char *algname;
+	int keysize = 256;
+	int len = 0;
+	int ch;
+
+#if USE_PKCS11
+	pk11_result_register();
+#endif /* if USE_PKCS11 */
+	dns_result_register();
+
+	result = isc_file_progname(*argv, program, sizeof(program));
+	if (result != ISC_R_SUCCESS) {
+		memmove(program, "tsig-keygen", 11);
+	}
+	progname = program;
+
+	/*
+	 * Libtool doesn't preserve the program name prior to final
+	 * installation.  Remove the libtool prefix ("lt-").
+	 */
+	if (strncmp(progname, "lt-", 3) == 0) {
+		progname += 3;
+	}
+
+#define PROGCMP(X) \
+	(strcasecmp(progname, X) == 0 || strcasecmp(progname, X ".exe") == 0)
+
+	if (PROGCMP("tsig-keygen")) {
+		progmode = progmode_keygen;
+		quiet = true;
+	} else if (PROGCMP("ddns-confgen")) {
+		progmode = progmode_confgen;
+	} else {
+		UNREACHABLE();
+	}
+
+	isc_commandline_errprint = false;
+
+	while ((ch = isc_commandline_parse(argc, argv, "a:hk:Mmr:qs:y:z:")) !=
+	       -1)
+	{
+		switch (ch) {
+		case 'a':
+			algname = isc_commandline_argument;
+			alg = alg_fromtext(algname);
+			if (alg == DST_ALG_UNKNOWN) {
+				fatal("Unsupported algorithm '%s'", algname);
+			}
+			keysize = alg_bits(alg);
+			break;
+		case 'h':
+			usage(0);
+		case 'k':
+		case 'y':
+			if (progmode == progmode_confgen) {
+				keyname = isc_commandline_argument;
+			} else {
+				usage(1);
+			}
+			break;
+		case 'M':
+			isc_mem_debugging = ISC_MEM_DEBUGTRACE;
+			break;
+		case 'm':
+			show_final_mem = true;
+			break;
+		case 'q':
+			if (progmode == progmode_confgen) {
+				quiet = true;
+			} else {
+				usage(1);
+			}
+			break;
+		case 'r':
+			fatal("The -r option has been deprecated.");
+			break;
+		case 's':
+			if (progmode == progmode_confgen) {
+				self_domain = isc_commandline_argument;
+			} else {
+				usage(1);
+			}
+			break;
+		case 'z':
+			if (progmode == progmode_confgen) {
+				zone = isc_commandline_argument;
+			} else {
+				usage(1);
+			}
+			break;
+		case '?':
+			if (isc_commandline_option != '?') {
+				fprintf(stderr, "%s: invalid argument -%c\n",
+					program, isc_commandline_option);
+				usage(1);
+			} else {
+				usage(0);
+			}
+			break;
+		default:
+			fprintf(stderr, "%s: unhandled option -%c\n", program,
+				isc_commandline_option);
+			exit(1);
+		}
+	}
+
+	if (progmode == progmode_keygen) {
+		keyname = argv[isc_commandline_index++];
+	}
+
+	POST(argv);
+
+	if (self_domain != NULL && zone != NULL) {
+		usage(1); /* -s and -z cannot coexist */
+	}
+
+	if (argc > isc_commandline_index) {
+		usage(1);
+	}
+
+	/* Use canonical algorithm name */
+	algname = alg_totext(alg);
+
+	isc_mem_create(&mctx);
+
+	if (keyname == NULL) {
+		const char *suffix = NULL;
+
+		keyname = ((progmode == progmode_keygen) ? KEYGEN_DEFAULT
+							 : CONFGEN_DEFAULT);
+		if (self_domain != NULL) {
+			suffix = self_domain;
+		} else if (zone != NULL) {
+			suffix = zone;
+		}
+		if (suffix != NULL) {
+			len = strlen(keyname) + strlen(suffix) + 2;
+			keybuf = isc_mem_get(mctx, len);
+			snprintf(keybuf, len, "%s.%s", keyname, suffix);
+			keyname = (const char *)keybuf;
+		}
+	}
+
+	isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
+
+	generate_key(mctx, alg, keysize, &key_txtbuffer);
+
+	if (!quiet) {
+		printf("\
+# To activate this key, place the following in named.conf, and\n\
+# in a separate keyfile on the system or systems from which nsupdate\n\
+# will be run:\n");
+	}
+
+	printf("\
+key \"%s\" {\n\
+	algorithm %s;\n\
+	secret \"%.*s\";\n\
+};\n",
+	       keyname, algname, (int)isc_buffer_usedlength(&key_txtbuffer),
+	       (char *)isc_buffer_base(&key_txtbuffer));
+
+	if (!quiet) {
+		if (self_domain != NULL) {
+			printf("\n\
+# Then, in the \"zone\" statement for the zone containing the\n\
+# name \"%s\", place an \"update-policy\" statement\n\
+# like this one, adjusted as needed for your preferred permissions:\n\
+update-policy {\n\
+	  grant %s name %s ANY;\n\
+};\n",
+			       self_domain, keyname, self_domain);
+		} else if (zone != NULL) {
+			printf("\n\
+# Then, in the \"zone\" definition statement for \"%s\",\n\
+# place an \"update-policy\" statement like this one, adjusted as \n\
+# needed for your preferred permissions:\n\
+update-policy {\n\
+	  grant %s zonesub ANY;\n\
+};\n",
+			       zone, keyname);
+		} else {
+			printf("\n\
+# Then, in the \"zone\" statement for each zone you wish to dynamically\n\
+# update, place an \"update-policy\" statement granting update permission\n\
+# to this key.  For example, the following statement grants this key\n\
+# permission to update any name within the zone:\n\
+update-policy {\n\
+	grant %s zonesub ANY;\n\
+};\n",
+			       keyname);
+		}
+
+		printf("\n\
+# After the keyfile has been placed, the following command will\n\
+# execute nsupdate using this key:\n\
+nsupdate -k <keyfile>\n");
+	}
+
+	if (keybuf != NULL) {
+		isc_mem_put(mctx, keybuf, len);
+	}
+
+	if (show_final_mem) {
+		isc_mem_stats(mctx, stderr);
+	}
+
+	isc_mem_destroy(&mctx);
+
+	return (0);
+}
diff --git a/bin/confgen/ddns-confgen.rst b/bin/confgen/ddns-confgen.rst
new file mode 100644
index 0000000..52ae412
--- /dev/null
+++ b/bin/confgen/ddns-confgen.rst
@@ -0,0 +1,88 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. highlight: console
+
+.. BEWARE: Do not forget to edit also tsig-keygen.rst!
+
+.. _man_ddns-confgen:
+
+ddns-confgen - TSIG key generation tool
+---------------------------------------
+
+Synopsis
+~~~~~~~~
+:program:`ddns-confgen` [**-a** algorithm] [**-h**] [**-k** keyname] [**-q**] [**-s** name] [**-z** zone]
+
+Description
+~~~~~~~~~~~
+
+``ddns-confgen`` is an utility that generates keys for use in TSIG signing.
+The resulting keys can be used, for example, to secure dynamic DNS updates
+to a zone, or for the ``rndc`` command channel.
+
+The key name can specified using ``-k`` parameter and defaults to ``ddns-key``.
+The generated key is accompanied by configuration text and instructions that
+can be used with ``nsupdate`` and ``named`` when setting up dynamic DNS,
+including an example ``update-policy`` statement.
+(This usage is similar to the ``rndc-confgen`` command for setting up
+command-channel security.)
+
+Note that ``named`` itself can configure a local DDNS key for use with
+``nsupdate -l``; it does this when a zone is configured with
+``update-policy local;``. ``ddns-confgen`` is only needed when a more
+elaborate configuration is required: for instance, if ``nsupdate`` is to
+be used from a remote system.
+
+Options
+~~~~~~~
+
+``-a algorithm``
+   This option specifies the algorithm to use for the TSIG key. Available
+   choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384,
+   and hmac-sha512. The default is hmac-sha256. Options are
+   case-insensitive, and the "hmac-" prefix may be omitted.
+
+``-h``
+   This option prints a short summary of options and arguments.
+
+``-k keyname``
+   This option specifies the key name of the DDNS authentication key. The
+   default is ``ddns-key`` when neither the ``-s`` nor ``-z`` option is
+   specified; otherwise, the default is ``ddns-key`` as a separate label
+   followed by the argument of the option, e.g., ``ddns-key.example.com.``
+   The key name must have the format of a valid domain name, consisting of
+   letters, digits, hyphens, and periods.
+
+``-q``
+   This option enables quiet mode, which prints only the key, with no
+   explanatory text or usage examples. This is essentially identical to
+   ``tsig-keygen``.
+
+``-s name``
+   This option generates a configuration example to allow dynamic updates
+   of a single hostname. The example ``named.conf`` text shows how to set
+   an update policy for the specified name using the "name" nametype. The
+   default key name is ``ddns-key.name``. Note that the "self" nametype
+   cannot be used, since the name to be updated may differ from the key
+   name. This option cannot be used with the ``-z`` option.
+
+``-z zone``
+   This option generates a configuration example to allow
+   dynamic updates of a zone. The example ``named.conf`` text shows how
+   to set an update policy for the specified zone using the "zonesub"
+   nametype, allowing updates to all subdomain names within that zone.
+   This option cannot be used with the ``-s`` option.
+
+See Also
+~~~~~~~~
+
+:manpage:`nsupdate(1)`, :manpage:`named.conf(5)`, :manpage:`named(8)`, BIND 9 Administrator Reference Manual.
diff --git a/bin/confgen/include/.clang-format b/bin/confgen/include/.clang-format
new file mode 120000
index 0000000..0e62f72
--- /dev/null
+++ b/bin/confgen/include/.clang-format
@@ -0,0 +1 @@
+../../../.clang-format.headers
\ No newline at end of file
diff --git a/bin/confgen/include/confgen/os.h b/bin/confgen/include/confgen/os.h
new file mode 100644
index 0000000..9754c17
--- /dev/null
+++ b/bin/confgen/include/confgen/os.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#ifndef RNDC_OS_H
+#define RNDC_OS_H 1
+
+#include <stdio.h>
+
+#include <isc/lang.h>
+
+ISC_LANG_BEGINDECLS
+
+int
+set_user(FILE *fd, const char *user);
+/*%<
+ * Set the owner of the file referenced by 'fd' to 'user'.
+ * Returns:
+ *   0 		success
+ *   -1 	insufficient permissions, or 'user' does not exist.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ifndef RNDC_OS_H */
diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
new file mode 100644
index 0000000..73f976c
--- /dev/null
+++ b/bin/confgen/keygen.c
@@ -0,0 +1,204 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include "keygen.h"
+#include <stdarg.h>
+#include <stdlib.h>
+
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/file.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/string.h>
+
+#include <pk11/site.h>
+
+#include <dns/keyvalues.h>
+#include <dns/name.h>
+
+#include <dst/dst.h>
+
+#include <confgen/os.h>
+
+#include "util.h"
+
+/*%
+ * Convert algorithm type to string.
+ */
+const char *
+alg_totext(dns_secalg_t alg) {
+	switch (alg) {
+	case DST_ALG_HMACMD5:
+		return ("hmac-md5");
+	case DST_ALG_HMACSHA1:
+		return ("hmac-sha1");
+	case DST_ALG_HMACSHA224:
+		return ("hmac-sha224");
+	case DST_ALG_HMACSHA256:
+		return ("hmac-sha256");
+	case DST_ALG_HMACSHA384:
+		return ("hmac-sha384");
+	case DST_ALG_HMACSHA512:
+		return ("hmac-sha512");
+	default:
+		return ("(unknown)");
+	}
+}
+
+/*%
+ * Convert string to algorithm type.
+ */
+dns_secalg_t
+alg_fromtext(const char *name) {
+	const char *p = name;
+	if (strncasecmp(p, "hmac-", 5) == 0) {
+		p = &name[5];
+	}
+
+	if (strcasecmp(p, "md5") == 0) {
+		return (DST_ALG_HMACMD5);
+	}
+	if (strcasecmp(p, "sha1") == 0) {
+		return (DST_ALG_HMACSHA1);
+	}
+	if (strcasecmp(p, "sha224") == 0) {
+		return (DST_ALG_HMACSHA224);
+	}
+	if (strcasecmp(p, "sha256") == 0) {
+		return (DST_ALG_HMACSHA256);
+	}
+	if (strcasecmp(p, "sha384") == 0) {
+		return (DST_ALG_HMACSHA384);
+	}
+	if (strcasecmp(p, "sha512") == 0) {
+		return (DST_ALG_HMACSHA512);
+	}
+	return (DST_ALG_UNKNOWN);
+}
+
+/*%
+ * Return default keysize for a given algorithm type.
+ */
+int
+alg_bits(dns_secalg_t alg) {
+	switch (alg) {
+	case DST_ALG_HMACMD5:
+		return (128);
+	case DST_ALG_HMACSHA1:
+		return (160);
+	case DST_ALG_HMACSHA224:
+		return (224);
+	case DST_ALG_HMACSHA256:
+		return (256);
+	case DST_ALG_HMACSHA384:
+		return (384);
+	case DST_ALG_HMACSHA512:
+		return (512);
+	default:
+		return (0);
+	}
+}
+
+/*%
+ * Generate a key of size 'keysize' and place it in 'key_txtbuffer'
+ */
+void
+generate_key(isc_mem_t *mctx, dns_secalg_t alg, int keysize,
+	     isc_buffer_t *key_txtbuffer) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_buffer_t key_rawbuffer;
+	isc_region_t key_rawregion;
+	char key_rawsecret[64];
+	dst_key_t *key = NULL;
+
+	switch (alg) {
+	case DST_ALG_HMACMD5:
+	case DST_ALG_HMACSHA1:
+	case DST_ALG_HMACSHA224:
+	case DST_ALG_HMACSHA256:
+		if (keysize < 1 || keysize > 512) {
+			fatal("keysize %d out of range (must be 1-512)\n",
+			      keysize);
+		}
+		break;
+	case DST_ALG_HMACSHA384:
+	case DST_ALG_HMACSHA512:
+		if (keysize < 1 || keysize > 1024) {
+			fatal("keysize %d out of range (must be 1-1024)\n",
+			      keysize);
+		}
+		break;
+	default:
+		fatal("unsupported algorithm %d\n", alg);
+	}
+
+	DO("initialize dst library", dst_lib_init(mctx, NULL));
+
+	DO("generate key",
+	   dst_key_generate(dns_rootname, alg, keysize, 0, 0, DNS_KEYPROTO_ANY,
+			    dns_rdataclass_in, mctx, &key, NULL));
+
+	isc_buffer_init(&key_rawbuffer, &key_rawsecret, sizeof(key_rawsecret));
+
+	DO("dump key to buffer", dst_key_tobuffer(key, &key_rawbuffer));
+
+	isc_buffer_usedregion(&key_rawbuffer, &key_rawregion);
+
+	DO("bsse64 encode secret",
+	   isc_base64_totext(&key_rawregion, -1, "", key_txtbuffer));
+
+	if (key != NULL) {
+		dst_key_free(&key);
+	}
+
+	dst_lib_destroy();
+}
+
+/*%
+ * Write a key file to 'keyfile'.  If 'user' is non-NULL,
+ * make that user the owner of the file.  The key will have
+ * the name 'keyname' and the secret in the buffer 'secret'.
+ */
+void
+write_key_file(const char *keyfile, const char *user, const char *keyname,
+	       isc_buffer_t *secret, dns_secalg_t alg) {
+	isc_result_t result;
+	const char *algname = alg_totext(alg);
+	FILE *fd = NULL;
+
+	DO("create keyfile", isc_file_safecreate(keyfile, &fd));
+
+	if (user != NULL) {
+		if (set_user(fd, user) == -1) {
+			fatal("unable to set file owner\n");
+		}
+	}
+
+	fprintf(fd,
+		"key \"%s\" {\n\talgorithm %s;\n"
+		"\tsecret \"%.*s\";\n};\n",
+		keyname, algname, (int)isc_buffer_usedlength(secret),
+		(char *)isc_buffer_base(secret));
+	fflush(fd);
+	if (ferror(fd)) {
+		fatal("write to %s failed\n", keyfile);
+	}
+	if (fclose(fd)) {
+		fatal("fclose(%s) failed\n", keyfile);
+	}
+	fprintf(stderr, "wrote key file \"%s\"\n", keyfile);
+}
diff --git a/bin/confgen/keygen.h b/bin/confgen/keygen.h
new file mode 100644
index 0000000..6519b20
--- /dev/null
+++ b/bin/confgen/keygen.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RNDC_KEYGEN_H
+#define RNDC_KEYGEN_H 1
+
+/*! \file */
+
+#include <isc/buffer.h>
+#include <isc/lang.h>
+#include <isc/mem.h>
+
+#include <dns/secalg.h>
+
+ISC_LANG_BEGINDECLS
+
+void
+generate_key(isc_mem_t *mctx, dns_secalg_t alg, int keysize,
+	     isc_buffer_t *key_txtbuffer);
+
+void
+write_key_file(const char *keyfile, const char *user, const char *keyname,
+	       isc_buffer_t *secret, dns_secalg_t alg);
+
+const char *
+alg_totext(dns_secalg_t alg);
+dns_secalg_t
+alg_fromtext(const char *name);
+int
+alg_bits(dns_secalg_t alg);
+
+ISC_LANG_ENDDECLS
+
+#endif /* RNDC_KEYGEN_H */
diff --git a/bin/confgen/rndc-confgen.c b/bin/confgen/rndc-confgen.c
new file mode 100644
index 0000000..cfbb295
--- /dev/null
+++ b/bin/confgen/rndc-confgen.c
@@ -0,0 +1,284 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+/**
+ * rndc-confgen generates configuration files for rndc. It can be used
+ * as a convenient alternative to writing the rndc.conf file and the
+ * corresponding controls and key statements in named.conf by hand.
+ * Alternatively, it can be run with the -a option to set up a
+ * rndc.key file and avoid the need for a rndc.conf file and a
+ * controls statement altogether.
+ */
+
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/assertions.h>
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/file.h>
+#include <isc/mem.h>
+#include <isc/net.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#include <pk11/site.h>
+
+#include <dns/keyvalues.h>
+#include <dns/name.h>
+
+#include <dst/dst.h>
+
+#include <confgen/os.h>
+
+#include "keygen.h"
+#include "util.h"
+
+#define DEFAULT_KEYNAME "rndc-key"
+#define DEFAULT_SERVER	"127.0.0.1"
+#define DEFAULT_PORT	953
+
+static char program[256];
+const char *progname;
+
+bool verbose = false;
+
+const char *keyfile, *keydef;
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(int status) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(int status) {
+	fprintf(stderr, "\
+Usage:\n\
+ %s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] \
+[-s addr] [-t chrootdir] [-u user]\n\
+  -a:		 generate just the key clause and write it to keyfile (%s)\n\
+  -A alg:	 algorithm (default hmac-sha256)\n\
+  -b bits:	 from 1 through 512, default 256; total length of the secret\n\
+  -c keyfile:	 specify an alternate key file (requires -a)\n\
+  -k keyname:	 the name as it will be used  in named.conf and rndc.conf\n\
+  -p port:	 the port named will listen on and rndc will connect to\n\
+  -s addr:	 the address to which rndc should connect\n\
+  -t chrootdir:	 write a keyfile in chrootdir as well (requires -a)\n\
+  -u user:	 set the keyfile owner to \"user\" (requires -a)\n",
+		progname, keydef);
+
+	exit(status);
+}
+
+int
+main(int argc, char **argv) {
+	bool show_final_mem = false;
+	isc_buffer_t key_txtbuffer;
+	char key_txtsecret[256];
+	isc_mem_t *mctx = NULL;
+	isc_result_t result = ISC_R_SUCCESS;
+	const char *keyname = NULL;
+	const char *serveraddr = NULL;
+	dns_secalg_t alg;
+	const char *algname;
+	char *p;
+	int ch;
+	int port;
+	int keysize = -1;
+	struct in_addr addr4_dummy;
+	struct in6_addr addr6_dummy;
+	char *chrootdir = NULL;
+	char *user = NULL;
+	bool keyonly = false;
+	int len;
+
+	keydef = keyfile = RNDC_KEYFILE;
+
+	result = isc_file_progname(*argv, program, sizeof(program));
+	if (result != ISC_R_SUCCESS) {
+		memmove(program, "rndc-confgen", 13);
+	}
+	progname = program;
+
+	keyname = DEFAULT_KEYNAME;
+	alg = DST_ALG_HMACSHA256;
+	serveraddr = DEFAULT_SERVER;
+	port = DEFAULT_PORT;
+
+	isc_commandline_errprint = false;
+
+	while ((ch = isc_commandline_parse(argc, argv,
+					   "aA:b:c:hk:Mmp:r:s:t:u:Vy")) != -1)
+	{
+		switch (ch) {
+		case 'a':
+			keyonly = true;
+			break;
+		case 'A':
+			algname = isc_commandline_argument;
+			alg = alg_fromtext(algname);
+			if (alg == DST_ALG_UNKNOWN) {
+				fatal("Unsupported algorithm '%s'", algname);
+			}
+			break;
+		case 'b':
+			keysize = strtol(isc_commandline_argument, &p, 10);
+			if (*p != '\0' || keysize < 0) {
+				fatal("-b requires a non-negative number");
+			}
+			break;
+		case 'c':
+			keyfile = isc_commandline_argument;
+			break;
+		case 'h':
+			usage(0);
+		case 'k':
+		case 'y': /* Compatible with rndc -y. */
+			keyname = isc_commandline_argument;
+			break;
+		case 'M':
+			isc_mem_debugging = ISC_MEM_DEBUGTRACE;
+			break;
+
+		case 'm':
+			show_final_mem = true;
+			break;
+		case 'p':
+			port = strtol(isc_commandline_argument, &p, 10);
+			if (*p != '\0' || port < 0 || port > 65535) {
+				fatal("port '%s' out of range",
+				      isc_commandline_argument);
+			}
+			break;
+		case 'r':
+			fatal("The -r option has been deprecated.");
+			break;
+		case 's':
+			serveraddr = isc_commandline_argument;
+			if (inet_pton(AF_INET, serveraddr, &addr4_dummy) != 1 &&
+			    inet_pton(AF_INET6, serveraddr, &addr6_dummy) != 1)
+			{
+				fatal("-s should be an IPv4 or IPv6 address");
+			}
+			break;
+		case 't':
+			chrootdir = isc_commandline_argument;
+			break;
+		case 'u':
+			user = isc_commandline_argument;
+			break;
+		case 'V':
+			verbose = true;
+			break;
+		case '?':
+			if (isc_commandline_option != '?') {
+				fprintf(stderr, "%s: invalid argument -%c\n",
+					program, isc_commandline_option);
+				usage(1);
+			} else {
+				usage(0);
+			}
+			break;
+		default:
+			fprintf(stderr, "%s: unhandled option -%c\n", program,
+				isc_commandline_option);
+			exit(1);
+		}
+	}
+
+	argc -= isc_commandline_index;
+	argv += isc_commandline_index;
+	POST(argv);
+
+	if (argc > 0) {
+		usage(1);
+	}
+
+	if (alg == DST_ALG_HMACMD5) {
+		fprintf(stderr, "warning: use of hmac-md5 for RNDC keys "
+				"is deprecated; hmac-sha256 is now "
+				"recommended.\n");
+	}
+
+	if (keysize < 0) {
+		keysize = alg_bits(alg);
+	}
+	algname = alg_totext(alg);
+
+	isc_mem_create(&mctx);
+	isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
+
+	generate_key(mctx, alg, keysize, &key_txtbuffer);
+
+	if (keyonly) {
+		write_key_file(keyfile, chrootdir == NULL ? user : NULL,
+			       keyname, &key_txtbuffer, alg);
+
+		if (chrootdir != NULL) {
+			char *buf;
+			len = strlen(chrootdir) + strlen(keyfile) + 2;
+			buf = isc_mem_get(mctx, len);
+			snprintf(buf, len, "%s%s%s", chrootdir,
+				 (*keyfile != '/') ? "/" : "", keyfile);
+
+			write_key_file(buf, user, keyname, &key_txtbuffer, alg);
+			isc_mem_put(mctx, buf, len);
+		}
+	} else {
+		printf("\
+# Start of rndc.conf\n\
+key \"%s\" {\n\
+	algorithm %s;\n\
+	secret \"%.*s\";\n\
+};\n\
+\n\
+options {\n\
+	default-key \"%s\";\n\
+	default-server %s;\n\
+	default-port %d;\n\
+};\n\
+# End of rndc.conf\n\
+\n\
+# Use with the following in named.conf, adjusting the allow list as needed:\n\
+# key \"%s\" {\n\
+# 	algorithm %s;\n\
+# 	secret \"%.*s\";\n\
+# };\n\
+# \n\
+# controls {\n\
+# 	inet %s port %d\n\
+# 		allow { %s; } keys { \"%s\"; };\n\
+# };\n\
+# End of named.conf\n",
+		       keyname, algname,
+		       (int)isc_buffer_usedlength(&key_txtbuffer),
+		       (char *)isc_buffer_base(&key_txtbuffer), keyname,
+		       serveraddr, port, keyname, algname,
+		       (int)isc_buffer_usedlength(&key_txtbuffer),
+		       (char *)isc_buffer_base(&key_txtbuffer), serveraddr,
+		       port, serveraddr, keyname);
+	}
+
+	if (show_final_mem) {
+		isc_mem_stats(mctx, stderr);
+	}
+
+	isc_mem_destroy(&mctx);
+
+	return (0);
+}
diff --git a/bin/confgen/rndc-confgen.rst b/bin/confgen/rndc-confgen.rst
new file mode 100644
index 0000000..d90acba
--- /dev/null
+++ b/bin/confgen/rndc-confgen.rst
@@ -0,0 +1,106 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. highlight: console
+
+.. _man_rndc-confgen:
+
+rndc-confgen - rndc key generation tool
+---------------------------------------
+
+Synopsis
+~~~~~~~~
+
+:program:`rndc-confgen` [**-a**] [**-A** algorithm] [**-b** keysize] [**-c** keyfile] [**-h**] [**-k** keyname] [**-p** port] [**-s** address] [**-t** chrootdir] [**-u** user]
+
+Description
+~~~~~~~~~~~
+
+``rndc-confgen`` generates configuration files for ``rndc``. It can be
+used as a convenient alternative to writing the ``rndc.conf`` file and
+the corresponding ``controls`` and ``key`` statements in ``named.conf``
+by hand. Alternatively, it can be run with the ``-a`` option to set up a
+``rndc.key`` file and avoid the need for a ``rndc.conf`` file and a
+``controls`` statement altogether.
+
+Options
+~~~~~~~
+
+``-a``
+   This option sets automatic ``rndc`` configuration, which creates a file ``rndc.key``
+   in ``/etc`` (or a different ``sysconfdir`` specified when BIND
+   was built) that is read by both ``rndc`` and ``named`` on startup.
+   The ``rndc.key`` file defines a default command channel and
+   authentication key allowing ``rndc`` to communicate with ``named`` on
+   the local host with no further configuration.
+
+   If a more elaborate configuration than that generated by
+   ``rndc-confgen -a`` is required, for example if rndc is to be used
+   remotely, run ``rndc-confgen`` without the ``-a`` option
+   and set up ``rndc.conf`` and ``named.conf`` as directed.
+
+``-A algorithm``
+   This option specifies the algorithm to use for the TSIG key. Available choices
+   are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384, and
+   hmac-sha512. The default is hmac-sha256.
+
+``-b keysize``
+   This option specifies the size of the authentication key in bits. The size must be between
+   1 and 512 bits; the default is the hash size.
+
+``-c keyfile``
+   This option is used with the ``-a`` option to specify an alternate location for
+   ``rndc.key``.
+
+``-h``
+   This option prints a short summary of the options and arguments to
+   ``rndc-confgen``.
+
+``-k keyname``
+   This option specifies the key name of the ``rndc`` authentication key. This must be a
+   valid domain name. The default is ``rndc-key``.
+
+``-p port``
+   This option specifies the command channel port where ``named`` listens for
+   connections from ``rndc``. The default is 953.
+
+``-s address``
+   This option specifies the IP address where ``named`` listens for command-channel
+   connections from ``rndc``. The default is the loopback address
+   127.0.0.1.
+
+``-t chrootdir``
+   This option is used with the ``-a`` option to specify a directory where ``named``
+   runs chrooted. An additional copy of the ``rndc.key`` is
+   written relative to this directory, so that it is found by the
+   chrooted ``named``.
+
+``-u user``
+   This option is used with the ``-a`` option to set the owner of the generated ``rndc.key`` file.
+   If ``-t`` is also specified, only the file in the chroot
+   area has its owner changed.
+
+Examples
+~~~~~~~~
+
+To allow ``rndc`` to be used with no manual configuration, run:
+
+``rndc-confgen -a``
+
+To print a sample ``rndc.conf`` file and the corresponding ``controls`` and
+``key`` statements to be manually inserted into ``named.conf``, run:
+
+``rndc-confgen``
+
+See Also
+~~~~~~~~
+
+:manpage:`rndc(8)`, :manpage:`rndc.conf(5)`, :manpage:`named(8)`, BIND 9 Administrator Reference Manual.
diff --git a/bin/confgen/tsig-keygen.rst b/bin/confgen/tsig-keygen.rst
new file mode 100644
index 0000000..a127407
--- /dev/null
+++ b/bin/confgen/tsig-keygen.rst
@@ -0,0 +1,50 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. highlight: console
+
+.. BEWARE: Do not forget to edit also ddns-confgen.rst!
+
+.. _man_tsig-keygen:
+
+tsig-keygen - TSIG key generation tool
+--------------------------------------
+
+Synopsis
+~~~~~~~~
+:program:`tsig-keygen` [**-a** algorithm] [**-h**] [name]
+
+Description
+~~~~~~~~~~~
+
+``tsig-keygen`` is an utility that generates keys for use in TSIG signing.
+The resulting keys can be used, for example, to secure dynamic DNS updates
+to a zone, or for the ``rndc`` command channel.
+
+A domain name can be specified on the command line to be used as the name
+of the generated key. If no name is specified, the default is ``tsig-key``.
+
+Options
+~~~~~~~
+
+``-a algorithm``
+   This option specifies the algorithm to use for the TSIG key. Available
+   choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384,
+   and hmac-sha512. The default is hmac-sha256. Options are
+   case-insensitive, and the "hmac-" prefix may be omitted.
+
+``-h``
+   This option prints a short summary of options and arguments.
+
+See Also
+~~~~~~~~
+
+:manpage:`nsupdate(1)`, :manpage:`named.conf(5)`, :manpage:`named(8)`, BIND 9 Administrator Reference Manual.
diff --git a/bin/confgen/unix/Makefile.in b/bin/confgen/unix/Makefile.in
new file mode 100644
index 0000000..cad563e
--- /dev/null
+++ b/bin/confgen/unix/Makefile.in
@@ -0,0 +1,30 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	-I${srcdir}/include -I${srcdir}/../include \
+		${DNS_INCLUDES} ${ISC_INCLUDES}
+
+CDEFINES =
+CWARNINGS =
+
+OBJS =		os.@O@
+
+SRCS =		os.c
+
+TARGETS =	${OBJS}
+
+@BIND9_MAKE_RULES@
diff --git a/bin/confgen/unix/os.c b/bin/confgen/unix/os.c
new file mode 100644
index 0000000..445d64b
--- /dev/null
+++ b/bin/confgen/unix/os.c
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <pwd.h>
+#include <stdio.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#include <confgen/os.h>
+
+int
+set_user(FILE *fd, const char *user) {
+	struct passwd *pw;
+
+	pw = getpwnam(user);
+	if (pw == NULL) {
+		errno = EINVAL;
+		return (-1);
+	}
+	return (fchown(fileno(fd), pw->pw_uid, -1));
+}
diff --git a/bin/confgen/util.c b/bin/confgen/util.c
new file mode 100644
index 0000000..3b3587c
--- /dev/null
+++ b/bin/confgen/util.c
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include "util.h"
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <isc/print.h>
+
+extern bool verbose;
+extern const char *progname;
+
+void
+notify(const char *fmt, ...) {
+	va_list ap;
+
+	if (verbose) {
+		va_start(ap, fmt);
+		vfprintf(stderr, fmt, ap);
+		va_end(ap);
+		fputs("\n", stderr);
+	}
+}
+
+void
+fatal(const char *format, ...) {
+	va_list args;
+
+	fprintf(stderr, "%s: ", progname);
+	va_start(args, format);
+	vfprintf(stderr, format, args);
+	va_end(args);
+	fprintf(stderr, "\n");
+	exit(1);
+}
diff --git a/bin/confgen/util.h b/bin/confgen/util.h
new file mode 100644
index 0000000..2d3c664
--- /dev/null
+++ b/bin/confgen/util.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RNDC_UTIL_H
+#define RNDC_UTIL_H 1
+
+/*! \file */
+
+#include <isc/formatcheck.h>
+#include <isc/lang.h>
+#include <isc/platform.h>
+
+#define NS_CONTROL_PORT 953
+
+#undef DO
+#define DO(name, function)                                                \
+	do {                                                              \
+		result = function;                                        \
+		if (result != ISC_R_SUCCESS)                              \
+			fatal("%s: %s", name, isc_result_totext(result)); \
+		else                                                      \
+			notify("%s", name);                               \
+	} while (0)
+
+ISC_LANG_BEGINDECLS
+
+void
+notify(const char *fmt, ...) ISC_FORMAT_PRINTF(1, 2);
+
+ISC_PLATFORM_NORETURN_PRE void
+fatal(const char *format, ...)
+	ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
+
+ISC_LANG_ENDDECLS
+
+#endif /* RNDC_UTIL_H */
diff --git a/bin/confgen/win32/confgentool.vcxproj.filters.in b/bin/confgen/win32/confgentool.vcxproj.filters.in
new file mode 100644
index 0000000..231e4e1
--- /dev/null
+++ b/bin/confgen/win32/confgentool.vcxproj.filters.in
@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\keygen.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\util.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\confgen\os.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\keygen.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\util.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="os.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/confgen/win32/confgentool.vcxproj.in b/bin/confgen/win32/confgentool.vcxproj.in
new file mode 100644
index 0000000..26e4461
--- /dev/null
+++ b/bin/confgen/win32/confgentool.vcxproj.in
@@ -0,0 +1,120 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{64964B03-4815-41F0-9057-E766A94AF197}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>confgentool</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>.\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>.\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <LinkTimeCodeGeneration>false</LinkTimeCodeGeneration>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClInclude Include="..\include\confgen\os.h" />
+    <ClInclude Include="..\keygen.h" />
+    <ClInclude Include="..\util.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\keygen.c" />
+    <ClCompile Include="..\util.c" />
+    <ClCompile Include="os.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/confgen/win32/confgentool.vcxproj.user b/bin/confgen/win32/confgentool.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/confgen/win32/confgentool.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/confgen/win32/ddnsconfgen.vcxproj.filters.in b/bin/confgen/win32/ddnsconfgen.vcxproj.filters.in
new file mode 100644
index 0000000..ccdaa81
--- /dev/null
+++ b/bin/confgen/win32/ddnsconfgen.vcxproj.filters.in
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\ddns-confgen.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/confgen/win32/ddnsconfgen.vcxproj.in b/bin/confgen/win32/ddnsconfgen.vcxproj.in
new file mode 100644
index 0000000..ce37aed
--- /dev/null
+++ b/bin/confgen/win32/ddnsconfgen.vcxproj.in
@@ -0,0 +1,132 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{1EA4FC64-F33B-4A50-970A-EA052BBE9CF1}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>ddnsconfgen</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+    <TargetName>ddns-confgen</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+    <TargetName>ddns-confgen</TargetName>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\isccc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@confgentool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+    <PostBuildEvent>
+      <Command>cd ..\..\..\Build\$(Configuration)
+copy /Y ddns-confgen.exe tsig-keygen.exe
+copy /Y ddns-confgen.ilk tsig-keygen.ilk
+</Command>
+    </PostBuildEvent>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\isccc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@confgentool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+    <PostBuildEvent>
+      <Command>cd ..\..\..\Build\$(Configuration)
+copy /Y ddns-confgen.exe tsig-keygen.exe
+</Command>
+    </PostBuildEvent>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\ddns-confgen.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/confgen/win32/ddnsconfgen.vcxproj.user b/bin/confgen/win32/ddnsconfgen.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/confgen/win32/ddnsconfgen.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/confgen/win32/os.c b/bin/confgen/win32/os.c
new file mode 100644
index 0000000..ee8314e
--- /dev/null
+++ b/bin/confgen/win32/os.c
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <io.h>
+#include <stdio.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#include <confgen/os.h>
+
+int
+set_user(FILE *fd, const char *user) {
+	return (0);
+}
diff --git a/bin/confgen/win32/rndcconfgen.vcxproj.filters.in b/bin/confgen/win32/rndcconfgen.vcxproj.filters.in
new file mode 100644
index 0000000..20f6b5a
--- /dev/null
+++ b/bin/confgen/win32/rndcconfgen.vcxproj.filters.in
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\rndc-confgen.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/confgen/win32/rndcconfgen.vcxproj.in b/bin/confgen/win32/rndcconfgen.vcxproj.in
new file mode 100644
index 0000000..5ddabd1
--- /dev/null
+++ b/bin/confgen/win32/rndcconfgen.vcxproj.in
@@ -0,0 +1,121 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{1E2C1635-3093-4D59-80E7-4743AC10F22F}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>rndcconfgen</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+    <TargetName>rndc-confgen</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+    <TargetName>rndc-confgen</TargetName>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\isccc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@confgentool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\isccc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@confgentool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\rndc-confgen.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/confgen/win32/rndcconfgen.vcxproj.user b/bin/confgen/win32/rndcconfgen.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/confgen/win32/rndcconfgen.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/delv/Makefile.in b/bin/delv/Makefile.in
new file mode 100644
index 0000000..f02600d
--- /dev/null
+++ b/bin/delv/Makefile.in
@@ -0,0 +1,70 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	-I${srcdir}/include ${DNS_INCLUDES} ${ISC_INCLUDES} \
+		${IRS_INCLUDES} ${ISCCFG_INCLUDES} \
+		${OPENSSL_CFLAGS}
+
+CDEFINES =	-DVERSION=\"${VERSION}\" \
+		-DSYSCONFDIR=\"${sysconfdir}\"
+CWARNINGS =
+
+ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
+DNSLIBS =	../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@
+ISCLIBS =	../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+IRSLIBS =	../../lib/irs/libirs.@A@
+
+ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
+DNSDEPLIBS =	../../lib/dns/libdns.@A@
+ISCDEPLIBS =	../../lib/isc/libisc.@A@
+IRSDEPLIBS =	../../lib/irs/libirs.@A@
+
+DEPLIBS =	${DNSDEPLIBS} ${IRSDEPLIBS} ${ISCCFGDEPLIBS} ${ISCDEPLIBS}
+
+LIBS =		${DNSLIBS} ${IRSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
+NOSYMLIBS =	${DNSLIBS} ${IRSLIBS} ${ISCCFGLIBS} ${ISCNOSYMLIBS} @LIBS@
+
+SUBDIRS =
+
+TARGETS =	delv@EXEEXT@
+
+OBJS =		delv.@O@
+
+SRCS =		delv.c
+
+@BIND9_MAKE_RULES@
+
+delv@EXEEXT@: delv.@O@ ${DEPLIBS}
+	export BASEOBJS="delv.@O@"; \
+	export LIBS0="${DNSLIBS}"; \
+	${FINALBUILDCMD}
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir}
+
+install:: delv@EXEEXT@ installdirs
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
+		delv@EXEEXT@ ${DESTDIR}${bindir}
+
+uninstall::
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${bindir}/delv@EXEEXT@
+
+clean distclean maintainer-clean::
+	rm -f ${TARGETS}
diff --git a/bin/delv/delv.c b/bin/delv/delv.c
new file mode 100644
index 0000000..daf0239
--- /dev/null
+++ b/bin/delv/delv.c
@@ -0,0 +1,1889 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <bind.keys.h>
+
+#ifndef WIN32
+#include <arpa/inet.h>
+#include <netdb.h>
+#include <netinet/in.h>
+#include <signal.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#endif /* ifndef WIN32 */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <isc/app.h>
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/hex.h>
+#include <isc/lib.h>
+#include <isc/log.h>
+#include <isc/managers.h>
+#include <isc/md.h>
+#include <isc/mem.h>
+#ifdef WIN32
+#include <isc/ntpaths.h>
+#endif /* ifdef WIN32 */
+#include <isc/parseint.h>
+#include <isc/print.h>
+#include <isc/sockaddr.h>
+#include <isc/socket.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/byaddr.h>
+#include <dns/client.h>
+#include <dns/fixedname.h>
+#include <dns/keytable.h>
+#include <dns/keyvalues.h>
+#include <dns/lib.h>
+#include <dns/log.h>
+#include <dns/masterdump.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/secalg.h>
+#include <dns/view.h>
+
+#include <dst/dst.h>
+#include <dst/result.h>
+
+#include <isccfg/log.h>
+#include <isccfg/namedconf.h>
+
+#include <irs/resconf.h>
+
+#define CHECK(r)                             \
+	do {                                 \
+		result = (r);                \
+		if (result != ISC_R_SUCCESS) \
+			goto cleanup;        \
+	} while (0)
+
+#define MAXNAME (DNS_NAME_MAXTEXT + 1)
+
+/* Variables used internally by delv. */
+char *progname;
+static isc_mem_t *mctx = NULL;
+static isc_log_t *lctx = NULL;
+
+/* Configurables */
+static char *server = NULL;
+static const char *port = "53";
+static isc_sockaddr_t *srcaddr4 = NULL, *srcaddr6 = NULL;
+static isc_sockaddr_t a4, a6;
+static char *curqname = NULL, *qname = NULL;
+static bool classset = false;
+static dns_rdatatype_t qtype = dns_rdatatype_none;
+static bool typeset = false;
+
+static unsigned int styleflags = 0;
+static uint32_t splitwidth = 0xffffffff;
+static bool showcomments = true, showdnssec = true, showtrust = true,
+	    rrcomments = true, noclass = false, nocrypto = false, nottl = false,
+	    multiline = false, short_form = false, print_unknown_format = false,
+	    yaml = false;
+
+static bool resolve_trace = false, validator_trace = false,
+	    message_trace = false;
+
+static bool use_ipv4 = true, use_ipv6 = true;
+
+static bool cdflag = false, no_sigs = false, root_validation = true;
+
+static bool use_tcp = false;
+
+static char *anchorfile = NULL;
+static char *trust_anchor = NULL;
+static int num_keys = 0;
+
+static dns_fixedname_t afn;
+static dns_name_t *anchor_name = NULL;
+
+/* Default bind.keys contents */
+static char anchortext[] = TRUST_ANCHORS;
+
+/*
+ * Static function prototypes
+ */
+static isc_result_t
+get_reverse(char *reverse, size_t len, char *value, bool strict);
+
+static isc_result_t
+parse_uint(uint32_t *uip, const char *value, uint32_t max, const char *desc);
+
+static void
+usage(void) {
+	fputs("Usage:  delv [@server] {q-opt} {d-opt} [domain] [q-type] "
+	      "[q-class]\n"
+	      "Where:  domain	  is in the Domain Name System\n"
+	      "        q-class  is one of (in,hs,ch,...) [default: in]\n"
+	      "        q-type   is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) "
+	      "[default:a]\n"
+	      "        q-opt    is one of:\n"
+	      "                 -4                  (use IPv4 query transport "
+	      "only)\n"
+	      "                 -6                  (use IPv6 query transport "
+	      "only)\n"
+	      "                 -a anchor-file      (specify root trust "
+	      "anchor)\n"
+	      "                 -b address[#port]   (bind to source "
+	      "address/port)\n"
+	      "                 -c class            (option included for "
+	      "compatibility;\n"
+	      "                 -d level            (set debugging level)\n"
+	      "                 -h                  (print help and exit)\n"
+	      "                 -i                  (disable DNSSEC "
+	      "validation)\n"
+	      "                 -m                  (enable memory usage "
+	      "debugging)\n"
+	      "                 -p port             (specify port number)\n"
+	      "                 -q name             (specify query name)\n"
+	      "                 -t type             (specify query type)\n"
+	      "                                      only IN is supported)\n"
+	      "                 -v                  (print version and exit)\n"
+	      "                 -x dot-notation     (shortcut for reverse "
+	      "lookups)\n"
+	      "        d-opt    is of the form +keyword[=value], where keyword "
+	      "is:\n"
+	      "                 +[no]all            (Set or clear all display "
+	      "flags)\n"
+	      "                 +[no]class          (Control display of "
+	      "class)\n"
+	      "                 +[no]comments       (Control display of "
+	      "comment lines)\n"
+	      "                 +[no]crypto         (Control display of "
+	      "cryptographic\n"
+	      "                                      fields in records)\n"
+	      "                 +[no]dlv            (Obsolete)\n"
+	      "                 +[no]dnssec         (Display DNSSEC records)\n"
+	      "                 +[no]mtrace         (Trace messages received)\n"
+	      "                 +[no]multiline      (Print records in an "
+	      "expanded format)\n"
+	      "                 +[no]root           (DNSSEC validation trust "
+	      "anchor)\n"
+	      "                 +[no]rrcomments     (Control display of "
+	      "per-record "
+	      "comments)\n"
+	      "                 +[no]rtrace         (Trace resolver fetches)\n"
+	      "                 +[no]short          (Short form answer)\n"
+	      "                 +[no]split=##       (Split hex/base64 fields "
+	      "into chunks)\n"
+	      "                 +[no]tcp            (TCP mode)\n"
+	      "                 +[no]ttl            (Control display of ttls "
+	      "in records)\n"
+	      "                 +[no]trust          (Control display of trust "
+	      "level)\n"
+	      "                 +[no]unknownformat  (Print RDATA in RFC 3597 "
+	      "\"unknown\" format)\n"
+	      "                 +[no]vtrace         (Trace validation "
+	      "process)\n"
+	      "                 +[no]yaml           (Present the results as "
+	      "YAML)\n",
+	      stderr);
+	exit(1);
+}
+
+ISC_PLATFORM_NORETURN_PRE static void
+fatal(const char *format, ...)
+	ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
+
+static void
+fatal(const char *format, ...) {
+	va_list args;
+
+	fflush(stdout);
+	fprintf(stderr, "%s: ", progname);
+	va_start(args, format);
+	vfprintf(stderr, format, args);
+	va_end(args);
+	fprintf(stderr, "\n");
+	exit(1);
+}
+
+static void
+warn(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
+
+static void
+warn(const char *format, ...) {
+	va_list args;
+
+	fflush(stdout);
+	fprintf(stderr, "%s: warning: ", progname);
+	va_start(args, format);
+	vfprintf(stderr, format, args);
+	va_end(args);
+	fprintf(stderr, "\n");
+}
+
+static isc_logcategory_t categories[] = { { "delv", 0 }, { NULL, 0 } };
+#define LOGCATEGORY_DEFAULT (&categories[0])
+#define LOGMODULE_DEFAULT   (&modules[0])
+
+static isc_logmodule_t modules[] = { { "delv", 0 }, { NULL, 0 } };
+
+static void
+delv_log(int level, const char *fmt, ...) ISC_FORMAT_PRINTF(2, 3);
+
+static void
+delv_log(int level, const char *fmt, ...) {
+	va_list ap;
+	char msgbuf[2048];
+
+	if (!isc_log_wouldlog(lctx, level)) {
+		return;
+	}
+
+	va_start(ap, fmt);
+
+	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
+	isc_log_write(lctx, LOGCATEGORY_DEFAULT, LOGMODULE_DEFAULT, level, "%s",
+		      msgbuf);
+	va_end(ap);
+}
+
+static int loglevel = 0;
+
+static void
+setup_logging(FILE *errout) {
+	isc_result_t result;
+	isc_logdestination_t destination;
+	isc_logconfig_t *logconfig = NULL;
+
+	isc_log_create(mctx, &lctx, &logconfig);
+	isc_log_registercategories(lctx, categories);
+	isc_log_registermodules(lctx, modules);
+	isc_log_setcontext(lctx);
+	dns_log_init(lctx);
+	dns_log_setcontext(lctx);
+	cfg_log_init(lctx);
+
+	destination.file.stream = errout;
+	destination.file.name = NULL;
+	destination.file.versions = ISC_LOG_ROLLNEVER;
+	destination.file.maximum_size = 0;
+	isc_log_createchannel(logconfig, "stderr", ISC_LOG_TOFILEDESC,
+			      ISC_LOG_DYNAMIC, &destination,
+			      ISC_LOG_PRINTPREFIX);
+
+	isc_log_setdebuglevel(lctx, loglevel);
+	isc_log_settag(logconfig, ";; ");
+
+	result = isc_log_usechannel(logconfig, "stderr",
+				    ISC_LOGCATEGORY_DEFAULT, NULL);
+	if (result != ISC_R_SUCCESS) {
+		fatal("Couldn't attach to log channel 'stderr'");
+	}
+
+	if (resolve_trace && loglevel < 1) {
+		isc_log_createchannel(logconfig, "resolver", ISC_LOG_TOFILEDESC,
+				      ISC_LOG_DEBUG(1), &destination,
+				      ISC_LOG_PRINTPREFIX);
+
+		result = isc_log_usechannel(logconfig, "resolver",
+					    DNS_LOGCATEGORY_RESOLVER,
+					    DNS_LOGMODULE_RESOLVER);
+		if (result != ISC_R_SUCCESS) {
+			fatal("Couldn't attach to log channel 'resolver'");
+		}
+	}
+
+	if (validator_trace && loglevel < 3) {
+		isc_log_createchannel(logconfig, "validator",
+				      ISC_LOG_TOFILEDESC, ISC_LOG_DEBUG(3),
+				      &destination, ISC_LOG_PRINTPREFIX);
+
+		result = isc_log_usechannel(logconfig, "validator",
+					    DNS_LOGCATEGORY_DNSSEC,
+					    DNS_LOGMODULE_VALIDATOR);
+		if (result != ISC_R_SUCCESS) {
+			fatal("Couldn't attach to log channel 'validator'");
+		}
+	}
+
+	if (message_trace && loglevel < 10) {
+		isc_log_createchannel(logconfig, "messages", ISC_LOG_TOFILEDESC,
+				      ISC_LOG_DEBUG(10), &destination,
+				      ISC_LOG_PRINTPREFIX);
+
+		result = isc_log_usechannel(logconfig, "messages",
+					    DNS_LOGCATEGORY_RESOLVER,
+					    DNS_LOGMODULE_PACKETS);
+		if (result != ISC_R_SUCCESS) {
+			fatal("Couldn't attach to log channel 'messagse'");
+		}
+	}
+}
+
+static void
+print_status(dns_rdataset_t *rdataset) {
+	char buf[1024] = { 0 };
+
+	REQUIRE(rdataset != NULL);
+
+	if (!showtrust || !dns_rdataset_isassociated(rdataset)) {
+		return;
+	}
+
+	buf[0] = '\0';
+
+	if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) {
+		strlcat(buf, "negative response", sizeof(buf));
+		strlcat(buf, (yaml ? "_" : ", "), sizeof(buf));
+	}
+
+	switch (rdataset->trust) {
+	case dns_trust_none:
+		strlcat(buf, "untrusted", sizeof(buf));
+		break;
+	case dns_trust_pending_additional:
+		strlcat(buf, "signed additional data", sizeof(buf));
+		if (!yaml) {
+			strlcat(buf, ", ", sizeof(buf));
+		}
+		strlcat(buf, "pending validation", sizeof(buf));
+		break;
+	case dns_trust_pending_answer:
+		strlcat(buf, "signed answer", sizeof(buf));
+		if (!yaml) {
+			strlcat(buf, ", ", sizeof(buf));
+		}
+		strlcat(buf, "pending validation", sizeof(buf));
+		break;
+	case dns_trust_additional:
+		strlcat(buf, "unsigned additional data", sizeof(buf));
+		break;
+	case dns_trust_glue:
+		strlcat(buf, "glue data", sizeof(buf));
+		break;
+	case dns_trust_answer:
+		if (root_validation) {
+			strlcat(buf, "unsigned answer", sizeof(buf));
+		} else {
+			strlcat(buf, "answer not validated", sizeof(buf));
+		}
+		break;
+	case dns_trust_authauthority:
+		strlcat(buf, "authority data", sizeof(buf));
+		break;
+	case dns_trust_authanswer:
+		strlcat(buf, "authoritative", sizeof(buf));
+		break;
+	case dns_trust_secure:
+		strlcat(buf, "fully validated", sizeof(buf));
+		break;
+	case dns_trust_ultimate:
+		strlcat(buf, "ultimate trust", sizeof(buf));
+		break;
+	}
+
+	if (yaml) {
+		char *p;
+
+		/* Convert spaces to underscores for YAML */
+		for (p = buf; p != NULL && *p != '\0'; p++) {
+			if (*p == ' ') {
+				*p = '_';
+			}
+		}
+
+		printf("  - %s:\n", buf);
+	} else {
+		printf("; %s\n", buf);
+	}
+}
+
+static isc_result_t
+printdata(dns_rdataset_t *rdataset, dns_name_t *owner,
+	  dns_master_style_t *style) {
+	isc_result_t result = ISC_R_SUCCESS;
+	static dns_trust_t trust;
+	static bool first = true;
+	isc_buffer_t target;
+	isc_region_t r;
+	char *t = NULL;
+	int len = 2048;
+
+	if (!dns_rdataset_isassociated(rdataset)) {
+		char namebuf[DNS_NAME_FORMATSIZE];
+		dns_name_format(owner, namebuf, sizeof(namebuf));
+		delv_log(ISC_LOG_DEBUG(4), "WARN: empty rdataset %s", namebuf);
+		return (ISC_R_SUCCESS);
+	}
+
+	if (!showdnssec && rdataset->type == dns_rdatatype_rrsig) {
+		return (ISC_R_SUCCESS);
+	}
+
+	if (first || rdataset->trust != trust) {
+		if (!first && showtrust && !short_form && !yaml) {
+			putchar('\n');
+		}
+		print_status(rdataset);
+		trust = rdataset->trust;
+		first = false;
+	}
+
+	do {
+		t = isc_mem_get(mctx, len);
+
+		isc_buffer_init(&target, t, len);
+		if (short_form) {
+			dns_rdata_t rdata = DNS_RDATA_INIT;
+			for (result = dns_rdataset_first(rdataset);
+			     result == ISC_R_SUCCESS;
+			     result = dns_rdataset_next(rdataset))
+			{
+				if ((rdataset->attributes &
+				     DNS_RDATASETATTR_NEGATIVE) != 0)
+				{
+					continue;
+				}
+
+				dns_rdataset_current(rdataset, &rdata);
+				result = dns_rdata_tofmttext(
+					&rdata, dns_rootname, styleflags, 0,
+					splitwidth, " ", &target);
+				if (result != ISC_R_SUCCESS) {
+					break;
+				}
+
+				if (isc_buffer_availablelength(&target) < 1) {
+					result = ISC_R_NOSPACE;
+					break;
+				}
+
+				isc_buffer_putstr(&target, "\n");
+
+				dns_rdata_reset(&rdata);
+			}
+		} else {
+			dns_indent_t indent = { "  ", 2 };
+			if (!yaml && (rdataset->attributes &
+				      DNS_RDATASETATTR_NEGATIVE) != 0)
+			{
+				isc_buffer_putstr(&target, "; ");
+			}
+			result = dns_master_rdatasettotext(
+				owner, rdataset, style, yaml ? &indent : NULL,
+				&target);
+		}
+
+		if (result == ISC_R_NOSPACE) {
+			isc_mem_put(mctx, t, len);
+			len += 1024;
+		} else if (result == ISC_R_NOMORE) {
+			result = ISC_R_SUCCESS;
+		} else {
+			CHECK(result);
+		}
+	} while (result == ISC_R_NOSPACE);
+
+	isc_buffer_usedregion(&target, &r);
+	printf("%.*s", (int)r.length, (char *)r.base);
+
+cleanup:
+	if (t != NULL) {
+		isc_mem_put(mctx, t, len);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+setup_style(dns_master_style_t **stylep) {
+	isc_result_t result;
+	dns_master_style_t *style = NULL;
+
+	REQUIRE(stylep != NULL && *stylep == NULL);
+
+	styleflags |= DNS_STYLEFLAG_REL_OWNER;
+	if (yaml) {
+		styleflags |= DNS_STYLEFLAG_YAML;
+	} else {
+		if (showcomments) {
+			styleflags |= DNS_STYLEFLAG_COMMENT;
+		}
+		if (print_unknown_format) {
+			styleflags |= DNS_STYLEFLAG_UNKNOWNFORMAT;
+		}
+		if (rrcomments) {
+			styleflags |= DNS_STYLEFLAG_RRCOMMENT;
+		}
+		if (nottl) {
+			styleflags |= DNS_STYLEFLAG_NO_TTL;
+		}
+		if (noclass) {
+			styleflags |= DNS_STYLEFLAG_NO_CLASS;
+		}
+		if (nocrypto) {
+			styleflags |= DNS_STYLEFLAG_NOCRYPTO;
+		}
+		if (multiline) {
+			styleflags |= DNS_STYLEFLAG_MULTILINE;
+			styleflags |= DNS_STYLEFLAG_COMMENT;
+		}
+	}
+
+	if (multiline || (nottl && noclass)) {
+		result = dns_master_stylecreate(&style, styleflags, 24, 24, 24,
+						32, 80, 8, splitwidth, mctx);
+	} else if (nottl || noclass) {
+		result = dns_master_stylecreate(&style, styleflags, 24, 24, 32,
+						40, 80, 8, splitwidth, mctx);
+	} else {
+		result = dns_master_stylecreate(&style, styleflags, 24, 32, 40,
+						48, 80, 8, splitwidth, mctx);
+	}
+
+	if (result == ISC_R_SUCCESS) {
+		*stylep = style;
+	}
+	return (result);
+}
+
+static isc_result_t
+convert_name(dns_fixedname_t *fn, dns_name_t **name, const char *text) {
+	isc_result_t result;
+	isc_buffer_t b;
+	dns_name_t *n;
+	unsigned int len;
+
+	REQUIRE(fn != NULL && name != NULL && text != NULL);
+	len = strlen(text);
+
+	isc_buffer_constinit(&b, text, len);
+	isc_buffer_add(&b, len);
+	n = dns_fixedname_initname(fn);
+
+	result = dns_name_fromtext(n, &b, dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		delv_log(ISC_LOG_ERROR, "failed to convert QNAME %s: %s", text,
+			 isc_result_totext(result));
+		return (result);
+	}
+
+	*name = n;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+key_fromconfig(const cfg_obj_t *key, dns_client_t *client) {
+	dns_rdata_dnskey_t dnskey;
+	dns_rdata_ds_t ds;
+	uint32_t rdata1, rdata2, rdata3;
+	const char *datastr = NULL, *keynamestr = NULL, *atstr = NULL;
+	unsigned char data[4096];
+	isc_buffer_t databuf;
+	unsigned char rrdata[4096];
+	isc_buffer_t rrdatabuf;
+	isc_region_t r;
+	dns_fixedname_t fkeyname;
+	dns_name_t *keyname;
+	isc_result_t result;
+	bool match_root = false;
+	enum {
+		INITIAL_KEY,
+		STATIC_KEY,
+		INITIAL_DS,
+		STATIC_DS,
+		TRUSTED
+	} anchortype;
+	const cfg_obj_t *obj;
+
+	keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
+	CHECK(convert_name(&fkeyname, &keyname, keynamestr));
+
+	if (!root_validation) {
+		return (ISC_R_SUCCESS);
+	}
+
+	if (anchor_name) {
+		match_root = dns_name_equal(keyname, anchor_name);
+	}
+
+	if (!match_root) {
+		return (ISC_R_SUCCESS);
+	}
+
+	if (!root_validation) {
+		return (ISC_R_SUCCESS);
+	}
+
+	delv_log(ISC_LOG_DEBUG(3), "adding trust anchor %s", trust_anchor);
+
+	/* if DNSKEY, flags; if DS, key tag */
+	rdata1 = cfg_obj_asuint32(cfg_tuple_get(key, "rdata1"));
+
+	/* if DNSKEY, protocol; if DS, algorithm */
+	rdata2 = cfg_obj_asuint32(cfg_tuple_get(key, "rdata2"));
+
+	/* if DNSKEY, algorithm; if DS, digest type */
+	rdata3 = cfg_obj_asuint32(cfg_tuple_get(key, "rdata3"));
+
+	/* What type of trust anchor is this? */
+	obj = cfg_tuple_get(key, "anchortype");
+	if (cfg_obj_isvoid(obj)) {
+		/*
+		 * "anchortype" is not defined, this must be a static-key
+		 * configured with trusted-keys.
+		 */
+		anchortype = STATIC_KEY;
+	} else {
+		atstr = cfg_obj_asstring(obj);
+		if (strcasecmp(atstr, "static-key") == 0) {
+			anchortype = STATIC_KEY;
+		} else if (strcasecmp(atstr, "static-ds") == 0) {
+			anchortype = STATIC_DS;
+		} else if (strcasecmp(atstr, "initial-key") == 0) {
+			anchortype = INITIAL_KEY;
+		} else if (strcasecmp(atstr, "initial-ds") == 0) {
+			anchortype = INITIAL_DS;
+		} else {
+			delv_log(ISC_LOG_ERROR,
+				 "key '%s': invalid initialization method '%s'",
+				 keynamestr, atstr);
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+	}
+
+	isc_buffer_init(&databuf, data, sizeof(data));
+	isc_buffer_init(&rrdatabuf, rrdata, sizeof(rrdata));
+
+	if (rdata1 > 0xffff) {
+		CHECK(ISC_R_RANGE);
+	}
+	if (rdata2 > 0xff) {
+		CHECK(ISC_R_RANGE);
+	}
+	if (rdata3 > 0xff) {
+		CHECK(ISC_R_RANGE);
+	}
+
+	switch (anchortype) {
+	case STATIC_KEY:
+	case INITIAL_KEY:
+	case TRUSTED:
+		dnskey.common.rdclass = dns_rdataclass_in;
+		dnskey.common.rdtype = dns_rdatatype_dnskey;
+		dnskey.mctx = NULL;
+
+		ISC_LINK_INIT(&dnskey.common, link);
+
+		dnskey.flags = (uint16_t)rdata1;
+		dnskey.protocol = (uint8_t)rdata2;
+		dnskey.algorithm = (uint8_t)rdata3;
+
+		datastr = cfg_obj_asstring(cfg_tuple_get(key, "data"));
+		CHECK(isc_base64_decodestring(datastr, &databuf));
+		isc_buffer_usedregion(&databuf, &r);
+		dnskey.datalen = r.length;
+		dnskey.data = r.base;
+
+		CHECK(dns_rdata_fromstruct(NULL, dnskey.common.rdclass,
+					   dnskey.common.rdtype, &dnskey,
+					   &rrdatabuf));
+		CHECK(dns_client_addtrustedkey(client, dns_rdataclass_in,
+					       dns_rdatatype_dnskey, keyname,
+					       &rrdatabuf));
+		break;
+	case INITIAL_DS:
+	case STATIC_DS:
+		ds.common.rdclass = dns_rdataclass_in;
+		ds.common.rdtype = dns_rdatatype_ds;
+		ds.mctx = NULL;
+
+		ISC_LINK_INIT(&ds.common, link);
+
+		ds.key_tag = (uint16_t)rdata1;
+		ds.algorithm = (uint8_t)rdata2;
+		ds.digest_type = (uint8_t)rdata3;
+
+		datastr = cfg_obj_asstring(cfg_tuple_get(key, "data"));
+		CHECK(isc_hex_decodestring(datastr, &databuf));
+		isc_buffer_usedregion(&databuf, &r);
+
+		switch (ds.digest_type) {
+		case DNS_DSDIGEST_SHA1:
+			if (r.length != ISC_SHA1_DIGESTLENGTH) {
+				CHECK(ISC_R_UNEXPECTEDEND);
+			}
+			break;
+		case DNS_DSDIGEST_SHA256:
+			if (r.length != ISC_SHA256_DIGESTLENGTH) {
+				CHECK(ISC_R_UNEXPECTEDEND);
+			}
+			break;
+		case DNS_DSDIGEST_SHA384:
+			if (r.length != ISC_SHA384_DIGESTLENGTH) {
+				CHECK(ISC_R_UNEXPECTEDEND);
+			}
+			break;
+		}
+
+		ds.length = r.length;
+		ds.digest = r.base;
+
+		CHECK(dns_rdata_fromstruct(NULL, ds.common.rdclass,
+					   ds.common.rdtype, &ds, &rrdatabuf));
+		CHECK(dns_client_addtrustedkey(client, dns_rdataclass_in,
+					       dns_rdatatype_ds, keyname,
+					       &rrdatabuf));
+	}
+
+	num_keys++;
+
+cleanup:
+	if (result == DST_R_NOCRYPTO) {
+		cfg_obj_log(key, lctx, ISC_LOG_ERROR, "no crypto support");
+	} else if (result == DST_R_UNSUPPORTEDALG) {
+		cfg_obj_log(key, lctx, ISC_LOG_WARNING,
+			    "skipping trusted key '%s': %s", keynamestr,
+			    isc_result_totext(result));
+		result = ISC_R_SUCCESS;
+	} else if (result != ISC_R_SUCCESS) {
+		cfg_obj_log(key, lctx, ISC_LOG_ERROR,
+			    "failed to add trusted key '%s': %s", keynamestr,
+			    isc_result_totext(result));
+		result = ISC_R_FAILURE;
+	}
+
+	return (result);
+}
+
+static isc_result_t
+load_keys(const cfg_obj_t *keys, dns_client_t *client) {
+	const cfg_listelt_t *elt, *elt2;
+	const cfg_obj_t *key, *keylist;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	for (elt = cfg_list_first(keys); elt != NULL; elt = cfg_list_next(elt))
+	{
+		keylist = cfg_listelt_value(elt);
+
+		for (elt2 = cfg_list_first(keylist); elt2 != NULL;
+		     elt2 = cfg_list_next(elt2))
+		{
+			key = cfg_listelt_value(elt2);
+			CHECK(key_fromconfig(key, client));
+		}
+	}
+
+cleanup:
+	if (result == DST_R_NOCRYPTO) {
+		result = ISC_R_SUCCESS;
+	}
+	return (result);
+}
+
+static isc_result_t
+setup_dnsseckeys(dns_client_t *client) {
+	isc_result_t result;
+	cfg_parser_t *parser = NULL;
+	const cfg_obj_t *trusted_keys = NULL;
+	const cfg_obj_t *managed_keys = NULL;
+	const cfg_obj_t *trust_anchors = NULL;
+	cfg_obj_t *bindkeys = NULL;
+	const char *filename = anchorfile;
+
+	if (!root_validation) {
+		return (ISC_R_SUCCESS);
+	}
+
+	if (filename == NULL) {
+#ifndef WIN32
+		filename = SYSCONFDIR "/bind.keys";
+#else  /* ifndef WIN32 */
+		static char buf[MAX_PATH];
+		strlcpy(buf, isc_ntpaths_get(SYS_CONF_DIR), sizeof(buf));
+		strlcat(buf, "\\bind.keys", sizeof(buf));
+		filename = buf;
+#endif /* ifndef WIN32 */
+	}
+
+	if (trust_anchor == NULL) {
+		trust_anchor = isc_mem_strdup(mctx, ".");
+	}
+
+	if (trust_anchor != NULL) {
+		CHECK(convert_name(&afn, &anchor_name, trust_anchor));
+	}
+
+	CHECK(cfg_parser_create(mctx, dns_lctx, &parser));
+
+	if (access(filename, R_OK) != 0) {
+		if (anchorfile != NULL) {
+			fatal("Unable to read key file '%s'", anchorfile);
+		}
+	} else {
+		result = cfg_parse_file(parser, filename, &cfg_type_bindkeys,
+					&bindkeys);
+		if (result != ISC_R_SUCCESS) {
+			if (anchorfile != NULL) {
+				fatal("Unable to load keys from '%s'",
+				      anchorfile);
+			}
+		}
+	}
+
+	if (bindkeys == NULL) {
+		isc_buffer_t b;
+
+		isc_buffer_init(&b, anchortext, sizeof(anchortext) - 1);
+		isc_buffer_add(&b, sizeof(anchortext) - 1);
+		cfg_parser_reset(parser);
+		result = cfg_parse_buffer(parser, &b, NULL, 0,
+					  &cfg_type_bindkeys, 0, &bindkeys);
+		if (result != ISC_R_SUCCESS) {
+			fatal("Unable to parse built-in keys");
+		}
+	}
+
+	INSIST(bindkeys != NULL);
+	cfg_map_get(bindkeys, "trusted-keys", &trusted_keys);
+	cfg_map_get(bindkeys, "managed-keys", &managed_keys);
+	cfg_map_get(bindkeys, "trust-anchors", &trust_anchors);
+
+	if (trusted_keys != NULL) {
+		CHECK(load_keys(trusted_keys, client));
+	}
+	if (managed_keys != NULL) {
+		CHECK(load_keys(managed_keys, client));
+	}
+	if (trust_anchors != NULL) {
+		CHECK(load_keys(trust_anchors, client));
+	}
+	result = ISC_R_SUCCESS;
+
+	if (num_keys == 0) {
+		fatal("No trusted keys were loaded");
+	}
+
+cleanup:
+	if (bindkeys != NULL) {
+		cfg_obj_destroy(parser, &bindkeys);
+	}
+	if (parser != NULL) {
+		cfg_parser_destroy(&parser);
+	}
+	if (result != ISC_R_SUCCESS) {
+		delv_log(ISC_LOG_ERROR, "setup_dnsseckeys: %s",
+			 isc_result_totext(result));
+	}
+	return (result);
+}
+
+static isc_result_t
+addserver(dns_client_t *client) {
+	struct addrinfo hints, *res, *cur;
+	int gaierror;
+	struct in_addr in4;
+	struct in6_addr in6;
+	isc_sockaddr_t *sa;
+	isc_sockaddrlist_t servers;
+	uint32_t destport;
+	isc_result_t result;
+	dns_name_t *name = NULL;
+
+	result = parse_uint(&destport, port, 0xffff, "port");
+	if (result != ISC_R_SUCCESS) {
+		fatal("Couldn't parse port number");
+	}
+
+	ISC_LIST_INIT(servers);
+
+	if (inet_pton(AF_INET, server, &in4) == 1) {
+		if (!use_ipv4) {
+			fatal("Use of IPv4 disabled by -6");
+		}
+		sa = isc_mem_get(mctx, sizeof(*sa));
+		ISC_LINK_INIT(sa, link);
+		isc_sockaddr_fromin(sa, &in4, destport);
+		ISC_LIST_APPEND(servers, sa, link);
+	} else if (inet_pton(AF_INET6, server, &in6) == 1) {
+		if (!use_ipv6) {
+			fatal("Use of IPv6 disabled by -4");
+		}
+		sa = isc_mem_get(mctx, sizeof(*sa));
+		ISC_LINK_INIT(sa, link);
+		isc_sockaddr_fromin6(sa, &in6, destport);
+		ISC_LIST_APPEND(servers, sa, link);
+	} else {
+		memset(&hints, 0, sizeof(hints));
+		if (!use_ipv6) {
+			hints.ai_family = AF_INET;
+		} else if (!use_ipv4) {
+			hints.ai_family = AF_INET6;
+		} else {
+			hints.ai_family = AF_UNSPEC;
+		}
+		hints.ai_socktype = SOCK_DGRAM;
+		hints.ai_protocol = IPPROTO_UDP;
+		gaierror = getaddrinfo(server, port, &hints, &res);
+		if (gaierror != 0) {
+			delv_log(ISC_LOG_ERROR, "getaddrinfo failed: %s",
+				 gai_strerror(gaierror));
+			return (ISC_R_FAILURE);
+		}
+
+		result = ISC_R_SUCCESS;
+		for (cur = res; cur != NULL; cur = cur->ai_next) {
+			if (cur->ai_family != AF_INET &&
+			    cur->ai_family != AF_INET6)
+			{
+				continue;
+			}
+			sa = isc_mem_get(mctx, sizeof(*sa));
+			memset(sa, 0, sizeof(*sa));
+			ISC_LINK_INIT(sa, link);
+			memmove(&sa->type, cur->ai_addr, cur->ai_addrlen);
+			sa->length = (unsigned int)cur->ai_addrlen;
+			ISC_LIST_APPEND(servers, sa, link);
+		}
+		freeaddrinfo(res);
+		CHECK(result);
+	}
+
+	CHECK(dns_client_setservers(client, dns_rdataclass_in, name, &servers));
+
+cleanup:
+	while (!ISC_LIST_EMPTY(servers)) {
+		sa = ISC_LIST_HEAD(servers);
+		ISC_LIST_UNLINK(servers, sa, link);
+		isc_mem_put(mctx, sa, sizeof(*sa));
+	}
+
+	if (result != ISC_R_SUCCESS) {
+		delv_log(ISC_LOG_ERROR, "addserver: %s",
+			 isc_result_totext(result));
+	}
+
+	return (result);
+}
+
+static isc_result_t
+findserver(dns_client_t *client) {
+	isc_result_t result;
+	irs_resconf_t *resconf = NULL;
+	isc_sockaddrlist_t *nameservers;
+	isc_sockaddr_t *sa, *next;
+	uint32_t destport;
+
+	result = parse_uint(&destport, port, 0xffff, "port");
+	if (result != ISC_R_SUCCESS) {
+		fatal("Couldn't parse port number");
+	}
+
+	result = irs_resconf_load(mctx, "/etc/resolv.conf", &resconf);
+	if (result != ISC_R_SUCCESS && result != ISC_R_FILENOTFOUND) {
+		delv_log(ISC_LOG_ERROR, "irs_resconf_load: %s",
+			 isc_result_totext(result));
+		goto cleanup;
+	}
+
+	/* Get nameservers from resolv.conf */
+	nameservers = irs_resconf_getnameservers(resconf);
+	for (sa = ISC_LIST_HEAD(*nameservers); sa != NULL; sa = next) {
+		next = ISC_LIST_NEXT(sa, link);
+
+		/* Set destination port */
+		if (sa->type.sa.sa_family == AF_INET && use_ipv4) {
+			sa->type.sin.sin_port = htons(destport);
+			continue;
+		}
+		if (sa->type.sa.sa_family == AF_INET6 && use_ipv6) {
+			sa->type.sin6.sin6_port = htons(destport);
+			continue;
+		}
+
+		/* Incompatible protocol family */
+		ISC_LIST_UNLINK(*nameservers, sa, link);
+		isc_mem_put(mctx, sa, sizeof(*sa));
+	}
+
+	/* None found, use localhost */
+	if (ISC_LIST_EMPTY(*nameservers)) {
+		if (use_ipv4) {
+			struct in_addr localhost;
+			localhost.s_addr = htonl(INADDR_LOOPBACK);
+			sa = isc_mem_get(mctx, sizeof(*sa));
+			isc_sockaddr_fromin(sa, &localhost, destport);
+
+			ISC_LINK_INIT(sa, link);
+			ISC_LIST_APPEND(*nameservers, sa, link);
+		}
+
+		if (use_ipv6) {
+			sa = isc_mem_get(mctx, sizeof(*sa));
+			isc_sockaddr_fromin6(sa, &in6addr_loopback, destport);
+
+			ISC_LINK_INIT(sa, link);
+			ISC_LIST_APPEND(*nameservers, sa, link);
+		}
+	}
+
+	result = dns_client_setservers(client, dns_rdataclass_in, NULL,
+				       nameservers);
+	if (result != ISC_R_SUCCESS) {
+		delv_log(ISC_LOG_ERROR, "dns_client_setservers: %s",
+			 isc_result_totext(result));
+	}
+
+cleanup:
+	if (resconf != NULL) {
+		irs_resconf_destroy(&resconf);
+	}
+	return (result);
+}
+
+static isc_result_t
+parse_uint(uint32_t *uip, const char *value, uint32_t max, const char *desc) {
+	uint32_t n;
+	isc_result_t result = isc_parse_uint32(&n, value, 10);
+	if (result == ISC_R_SUCCESS && n > max) {
+		result = ISC_R_RANGE;
+	}
+	if (result != ISC_R_SUCCESS) {
+		printf("invalid %s '%s': %s\n", desc, value,
+		       isc_result_totext(result));
+		return (result);
+	}
+	*uip = n;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+plus_option(char *option) {
+	isc_result_t result;
+	char *cmd, *value, *last = NULL;
+	bool state = true;
+
+	INSIST(option != NULL);
+
+	cmd = strtok_r(option, "=", &last);
+	if (cmd == NULL) {
+		printf(";; Invalid option %s\n", option);
+		return;
+	}
+	if (strncasecmp(cmd, "no", 2) == 0) {
+		cmd += 2;
+		state = false;
+	}
+
+	value = strtok_r(NULL, "\0", &last);
+
+#define FULLCHECK(A)                                                 \
+	do {                                                         \
+		size_t _l = strlen(cmd);                             \
+		if (_l >= sizeof(A) || strncasecmp(cmd, A, _l) != 0) \
+			goto invalid_option;                         \
+	} while (0)
+
+	switch (cmd[0]) {
+	case 'a': /* all */
+		FULLCHECK("all");
+		showcomments = state;
+		rrcomments = state;
+		showtrust = state;
+		break;
+	case 'c':
+		switch (cmd[1]) {
+		case 'd': /* cdflag */
+			FULLCHECK("cdflag");
+			cdflag = state;
+			break;
+		case 'l': /* class */
+			FULLCHECK("class");
+			noclass = !state;
+			break;
+		case 'o': /* comments */
+			FULLCHECK("comments");
+			showcomments = state;
+			break;
+		case 'r': /* crypto */
+			FULLCHECK("crypto");
+			nocrypto = !state;
+			break;
+		default:
+			goto invalid_option;
+		}
+		break;
+	case 'd':
+		switch (cmd[1]) {
+		case 'l': /* dlv */
+			FULLCHECK("dlv");
+			if (state) {
+				fprintf(stderr, "Invalid option: "
+						"+dlv is obsolete\n");
+				exit(1);
+			}
+			break;
+		case 'n': /* dnssec */
+			FULLCHECK("dnssec");
+			showdnssec = state;
+			break;
+		default:
+			goto invalid_option;
+		}
+		break;
+	case 'm':
+		switch (cmd[1]) {
+		case 't': /* mtrace */
+			message_trace = state;
+			if (state) {
+				resolve_trace = state;
+			}
+			break;
+		case 'u': /* multiline */
+			FULLCHECK("multiline");
+			multiline = state;
+			break;
+		default:
+			goto invalid_option;
+		}
+		break;
+	case 'r':
+		switch (cmd[1]) {
+		case 'o': /* root */
+			FULLCHECK("root");
+			if (state && no_sigs) {
+				break;
+			}
+			root_validation = state;
+			if (value != NULL) {
+				trust_anchor = isc_mem_strdup(mctx, value);
+			}
+			break;
+		case 'r': /* rrcomments */
+			FULLCHECK("rrcomments");
+			rrcomments = state;
+			break;
+		case 't': /* rtrace */
+			FULLCHECK("rtrace");
+			resolve_trace = state;
+			break;
+		default:
+			goto invalid_option;
+		}
+		break;
+	case 's':
+		switch (cmd[1]) {
+		case 'h': /* short */
+			FULLCHECK("short");
+			short_form = state;
+			if (short_form) {
+				multiline = false;
+				showcomments = false;
+				showtrust = false;
+				showdnssec = false;
+			}
+			break;
+		case 'p': /* split */
+			FULLCHECK("split");
+			if (value != NULL && !state) {
+				goto invalid_option;
+			}
+			if (!state) {
+				splitwidth = 0;
+				break;
+			} else if (value == NULL) {
+				break;
+			}
+
+			result = parse_uint(&splitwidth, value, 1023, "split");
+			if (splitwidth % 4 != 0) {
+				splitwidth = ((splitwidth + 3) / 4) * 4;
+				warn("split must be a multiple of 4; "
+				     "adjusting to %d",
+				     splitwidth);
+			}
+			/*
+			 * There is an adjustment done in the
+			 * totext_<rrtype>() functions which causes
+			 * splitwidth to shrink.  This is okay when we're
+			 * using the default width but incorrect in this
+			 * case, so we correct for it
+			 */
+			if (splitwidth) {
+				splitwidth += 3;
+			}
+			if (result != ISC_R_SUCCESS) {
+				fatal("Couldn't parse split");
+			}
+			break;
+		default:
+			goto invalid_option;
+		}
+		break;
+	case 'u':
+		FULLCHECK("unknownformat");
+		print_unknown_format = state;
+		break;
+	case 't':
+		switch (cmd[1]) {
+		case 'c': /* tcp */
+			FULLCHECK("tcp");
+			use_tcp = state;
+			break;
+		case 'r': /* trust */
+			FULLCHECK("trust");
+			showtrust = state;
+			break;
+		case 't': /* ttl */
+			FULLCHECK("ttl");
+			nottl = !state;
+			break;
+		default:
+			goto invalid_option;
+		}
+		break;
+	case 'v': /* vtrace */
+		FULLCHECK("vtrace");
+		validator_trace = state;
+		if (state) {
+			resolve_trace = state;
+		}
+		break;
+	case 'y': /* yaml */
+		FULLCHECK("yaml");
+		yaml = state;
+		if (state) {
+			rrcomments = false;
+		}
+		break;
+	default:
+	invalid_option:
+		/*
+		 * We can also add a "need_value:" case here if we ever
+		 * add a plus-option that requires a specified value
+		 */
+		fprintf(stderr, "Invalid option: +%s\n", option);
+		usage();
+	}
+	return;
+}
+
+/*
+ * options: "46a:b:c:d:himp:q:t:vx:";
+ */
+static const char *single_dash_opts = "46himv";
+static const char *dash_opts = "46abcdhimpqtvx";
+
+static bool
+dash_option(char *option, char *next, bool *open_type_class) {
+	char opt, *value;
+	isc_result_t result;
+	bool value_from_next;
+	isc_textregion_t tr;
+	dns_rdatatype_t rdtype;
+	dns_rdataclass_t rdclass;
+	char textname[MAXNAME];
+	struct in_addr in4;
+	struct in6_addr in6;
+	in_port_t srcport;
+	uint32_t num;
+	char *hash;
+
+	while (strpbrk(option, single_dash_opts) == &option[0]) {
+		/*
+		 * Since the -[46himv] options do not take an argument,
+		 * account for them (in any number and/or combination)
+		 * if they appear as the first character(s) of a q-opt.
+		 */
+		opt = option[0];
+		switch (opt) {
+		case '4':
+			if (isc_net_probeipv4() != ISC_R_SUCCESS) {
+				fatal("IPv4 networking not available");
+			}
+			if (use_ipv6) {
+				isc_net_disableipv6();
+				use_ipv6 = false;
+			}
+			break;
+		case '6':
+			if (isc_net_probeipv6() != ISC_R_SUCCESS) {
+				fatal("IPv6 networking not available");
+			}
+			if (use_ipv4) {
+				isc_net_disableipv4();
+				use_ipv4 = false;
+			}
+			break;
+		case 'h':
+			usage();
+			exit(0);
+		case 'i':
+			no_sigs = true;
+			root_validation = false;
+			break;
+		case 'm':
+			/* handled in preparse_args() */
+			break;
+		case 'v':
+			fputs("delv " VERSION "\n", stderr);
+			exit(0);
+		default:
+			UNREACHABLE();
+		}
+		if (strlen(option) > 1U) {
+			option = &option[1];
+		} else {
+			return (false);
+		}
+	}
+	opt = option[0];
+	if (strlen(option) > 1U) {
+		value_from_next = false;
+		value = &option[1];
+	} else {
+		value_from_next = true;
+		value = next;
+	}
+	if (value == NULL) {
+		goto invalid_option;
+	}
+	switch (opt) {
+	case 'a':
+		anchorfile = isc_mem_strdup(mctx, value);
+		return (value_from_next);
+	case 'b':
+		hash = strchr(value, '#');
+		if (hash != NULL) {
+			result = parse_uint(&num, hash + 1, 0xffff, "port");
+			if (result != ISC_R_SUCCESS) {
+				fatal("Couldn't parse port number");
+			}
+			srcport = num;
+			*hash = '\0';
+		} else {
+			srcport = 0;
+		}
+
+		if (inet_pton(AF_INET, value, &in4) == 1) {
+			if (srcaddr4 != NULL) {
+				fatal("Only one local address per family "
+				      "can be specified\n");
+			}
+			isc_sockaddr_fromin(&a4, &in4, srcport);
+			srcaddr4 = &a4;
+		} else if (inet_pton(AF_INET6, value, &in6) == 1) {
+			if (srcaddr6 != NULL) {
+				fatal("Only one local address per family "
+				      "can be specified\n");
+			}
+			isc_sockaddr_fromin6(&a6, &in6, srcport);
+			srcaddr6 = &a6;
+		} else {
+			if (hash != NULL) {
+				*hash = '#';
+			}
+			fatal("Invalid address %s", value);
+		}
+		if (hash != NULL) {
+			*hash = '#';
+		}
+		return (value_from_next);
+	case 'c':
+		if (classset) {
+			warn("extra query class");
+		}
+
+		*open_type_class = false;
+		tr.base = value;
+		tr.length = strlen(value);
+		result = dns_rdataclass_fromtext(&rdclass,
+						 (isc_textregion_t *)&tr);
+		if (result == ISC_R_SUCCESS) {
+			classset = true;
+		} else if (rdclass != dns_rdataclass_in) {
+			warn("ignoring non-IN query class");
+		} else {
+			warn("ignoring invalid class");
+		}
+		return (value_from_next);
+	case 'd':
+		result = parse_uint(&num, value, 99, "debug level");
+		if (result != ISC_R_SUCCESS) {
+			fatal("Couldn't parse debug level");
+		}
+		loglevel = num;
+		return (value_from_next);
+	case 'p':
+		port = value;
+		return (value_from_next);
+	case 'q':
+		if (curqname != NULL) {
+			warn("extra query name");
+			isc_mem_free(mctx, curqname);
+		}
+		curqname = isc_mem_strdup(mctx, value);
+		return (value_from_next);
+	case 't':
+		*open_type_class = false;
+		tr.base = value;
+		tr.length = strlen(value);
+		result = dns_rdatatype_fromtext(&rdtype,
+						(isc_textregion_t *)&tr);
+		if (result == ISC_R_SUCCESS) {
+			if (typeset) {
+				warn("extra query type");
+			}
+			if (rdtype == dns_rdatatype_ixfr ||
+			    rdtype == dns_rdatatype_axfr)
+			{
+				fatal("Transfer not supported");
+			}
+			qtype = rdtype;
+			typeset = true;
+		} else {
+			warn("ignoring invalid type");
+		}
+		return (value_from_next);
+	case 'x':
+		result = get_reverse(textname, sizeof(textname), value, false);
+		if (result == ISC_R_SUCCESS) {
+			if (curqname != NULL) {
+				isc_mem_free(mctx, curqname);
+				warn("extra query name");
+			}
+			curqname = isc_mem_strdup(mctx, textname);
+			if (typeset) {
+				warn("extra query type");
+			}
+			qtype = dns_rdatatype_ptr;
+			typeset = true;
+		} else {
+			fprintf(stderr, "Invalid IP address %s\n", value);
+			exit(1);
+		}
+		return (value_from_next);
+	invalid_option:
+	default:
+		fprintf(stderr, "Invalid option: -%s\n", option);
+		usage();
+	}
+	UNREACHABLE();
+	return (false);
+}
+
+/*
+ * Check for -m first to determine whether to enable
+ * memory debugging when setting up the memory context.
+ */
+static void
+preparse_args(int argc, char **argv) {
+	bool ipv4only = false, ipv6only = false;
+	char *option;
+
+	for (argc--, argv++; argc > 0; argc--, argv++) {
+		if (argv[0][0] != '-') {
+			continue;
+		}
+
+		option = &argv[0][1];
+		while (strpbrk(option, single_dash_opts) == &option[0]) {
+			switch (option[0]) {
+			case 'm':
+				isc_mem_debugging = ISC_MEM_DEBUGTRACE |
+						    ISC_MEM_DEBUGRECORD;
+				break;
+			case '4':
+				if (ipv6only) {
+					fatal("only one of -4 and -6 allowed");
+				}
+				ipv4only = true;
+				break;
+			case '6':
+				if (ipv4only) {
+					fatal("only one of -4 and -6 allowed");
+				}
+				ipv6only = true;
+				break;
+			}
+			option = &option[1];
+		}
+
+		if (strlen(option) == 0U) {
+			continue;
+		}
+
+		/* Look for dash value option. */
+		if (strpbrk(option, dash_opts) != &option[0] ||
+		    strlen(option) > 1U)
+		{
+			/* Error or value in option. */
+			continue;
+		}
+
+		/* Dash value is next argument so we need to skip it. */
+		argc--;
+		argv++;
+
+		/* Handle missing argument */
+		if (argc == 0) {
+			break;
+		}
+	}
+}
+
+/*
+ * Argument parsing is based on dig, but simplified: only one
+ * QNAME/QCLASS/QTYPE tuple can be specified, and options have
+ * been removed that aren't applicable to delv. The interface
+ * should be familiar to dig users, however.
+ */
+static void
+parse_args(int argc, char **argv) {
+	isc_result_t result;
+	isc_textregion_t tr;
+	dns_rdatatype_t rdtype;
+	dns_rdataclass_t rdclass;
+	bool open_type_class = true;
+
+	for (; argc > 0; argc--, argv++) {
+		if (argv[0][0] == '@') {
+			server = &argv[0][1];
+		} else if (argv[0][0] == '+') {
+			plus_option(&argv[0][1]);
+		} else if (argv[0][0] == '-') {
+			if (argc <= 1) {
+				if (dash_option(&argv[0][1], NULL,
+						&open_type_class))
+				{
+					argc--;
+					argv++;
+				}
+			} else {
+				if (dash_option(&argv[0][1], argv[1],
+						&open_type_class))
+				{
+					argc--;
+					argv++;
+				}
+			}
+		} else {
+			/*
+			 * Anything which isn't an option
+			 */
+			if (open_type_class) {
+				tr.base = argv[0];
+				tr.length = strlen(argv[0]);
+				result = dns_rdatatype_fromtext(
+					&rdtype, (isc_textregion_t *)&tr);
+				if (result == ISC_R_SUCCESS) {
+					if (typeset) {
+						warn("extra query type");
+					}
+					if (rdtype == dns_rdatatype_ixfr ||
+					    rdtype == dns_rdatatype_axfr)
+					{
+						fatal("Transfer not supported");
+					}
+					qtype = rdtype;
+					typeset = true;
+					continue;
+				}
+				result = dns_rdataclass_fromtext(
+					&rdclass, (isc_textregion_t *)&tr);
+				if (result == ISC_R_SUCCESS) {
+					if (classset) {
+						warn("extra query class");
+					} else if (rdclass != dns_rdataclass_in)
+					{
+						warn("ignoring non-IN "
+						     "query class");
+					}
+					continue;
+				}
+			}
+
+			if (curqname == NULL) {
+				curqname = isc_mem_strdup(mctx, argv[0]);
+			}
+		}
+	}
+
+	/*
+	 * If no qname or qtype specified, search for root/NS
+	 * If no qtype specified, use A
+	 */
+	if (!typeset) {
+		qtype = dns_rdatatype_a;
+	}
+
+	if (curqname == NULL) {
+		qname = isc_mem_strdup(mctx, ".");
+
+		if (!typeset) {
+			qtype = dns_rdatatype_ns;
+		}
+	} else {
+		qname = curqname;
+	}
+}
+
+static isc_result_t
+append_str(const char *text, int len, char **p, char *end) {
+	if (len > end - *p) {
+		return (ISC_R_NOSPACE);
+	}
+	memmove(*p, text, len);
+	*p += len;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+reverse_octets(const char *in, char **p, char *end) {
+	char *dot = strchr(in, '.');
+	int len;
+	if (dot != NULL) {
+		isc_result_t result;
+		result = reverse_octets(dot + 1, p, end);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		result = append_str(".", 1, p, end);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		len = (int)(dot - in);
+	} else {
+		len = strlen(in);
+	}
+	return (append_str(in, len, p, end));
+}
+
+static isc_result_t
+get_reverse(char *reverse, size_t len, char *value, bool strict) {
+	int r;
+	isc_result_t result;
+	isc_netaddr_t addr;
+
+	addr.family = AF_INET6;
+	r = inet_pton(AF_INET6, value, &addr.type.in6);
+	if (r > 0) {
+		/* This is a valid IPv6 address. */
+		dns_fixedname_t fname;
+		dns_name_t *name;
+		unsigned int options = 0;
+
+		name = dns_fixedname_initname(&fname);
+		result = dns_byaddr_createptrname(&addr, options, name);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		dns_name_format(name, reverse, (unsigned int)len);
+		return (ISC_R_SUCCESS);
+	} else {
+		/*
+		 * Not a valid IPv6 address.  Assume IPv4.
+		 * If 'strict' is not set, construct the
+		 * in-addr.arpa name by blindly reversing
+		 * octets whether or not they look like integers,
+		 * so that this can be used for RFC2317 names
+		 * and such.
+		 */
+		char *p = reverse;
+		char *end = reverse + len;
+		if (strict && inet_pton(AF_INET, value, &addr.type.in) != 1) {
+			return (DNS_R_BADDOTTEDQUAD);
+		}
+		result = reverse_octets(value, &p, end);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		result = append_str(".in-addr.arpa.", 15, &p, end);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		return (ISC_R_SUCCESS);
+	}
+}
+
+int
+main(int argc, char *argv[]) {
+	dns_client_t *client = NULL;
+	isc_result_t result;
+	dns_fixedname_t qfn;
+	dns_name_t *query_name, *response_name;
+	char namestr[DNS_NAME_FORMATSIZE];
+	dns_rdataset_t *rdataset;
+	dns_namelist_t namelist;
+	unsigned int resopt, clopt;
+	isc_appctx_t *actx = NULL;
+	isc_nm_t *netmgr = NULL;
+	isc_taskmgr_t *taskmgr = NULL;
+	isc_socketmgr_t *socketmgr = NULL;
+	isc_timermgr_t *timermgr = NULL;
+	dns_master_style_t *style = NULL;
+#ifndef WIN32
+	struct sigaction sa;
+#endif /* ifndef WIN32 */
+
+	progname = argv[0];
+	preparse_args(argc, argv);
+
+	argc--;
+	argv++;
+
+	isc_lib_register();
+	result = dns_lib_init();
+	if (result != ISC_R_SUCCESS) {
+		fatal("dns_lib_init failed: %d", result);
+	}
+
+	isc_mem_create(&mctx);
+
+	CHECK(isc_appctx_create(mctx, &actx));
+	CHECK(isc_managers_create(mctx, 1, 0, &netmgr, &taskmgr));
+	CHECK(isc_socketmgr_create(mctx, &socketmgr));
+	CHECK(isc_timermgr_create(mctx, &timermgr));
+
+	parse_args(argc, argv);
+
+	CHECK(setup_style(&style));
+
+	setup_logging(stderr);
+
+	CHECK(isc_app_ctxstart(actx));
+
+#ifndef WIN32
+	/* Unblock SIGINT if it's been blocked by isc_app_ctxstart() */
+	memset(&sa, 0, sizeof(sa));
+	sa.sa_handler = SIG_DFL;
+	if (sigfillset(&sa.sa_mask) != 0 || sigaction(SIGINT, &sa, NULL) < 0) {
+		fatal("Couldn't set up signal handler");
+	}
+#endif /* ifndef WIN32 */
+
+	/* Create client */
+	clopt = DNS_CLIENTCREATEOPT_USECACHE;
+	result = dns_client_create(mctx, actx, taskmgr, socketmgr, timermgr,
+				   clopt, &client, srcaddr4, srcaddr6);
+	if (result != ISC_R_SUCCESS) {
+		delv_log(ISC_LOG_ERROR, "dns_client_create: %s",
+			 isc_result_totext(result));
+		goto cleanup;
+	}
+
+	/* Set the nameserver */
+	if (server != NULL) {
+		addserver(client);
+	} else {
+		findserver(client);
+	}
+
+	CHECK(setup_dnsseckeys(client));
+
+	/* Construct QNAME */
+	CHECK(convert_name(&qfn, &query_name, qname));
+
+	/* Set up resolution options */
+	resopt = DNS_CLIENTRESOPT_NOCDFLAG;
+	if (no_sigs) {
+		resopt |= DNS_CLIENTRESOPT_NODNSSEC;
+	}
+	if (!root_validation) {
+		resopt |= DNS_CLIENTRESOPT_NOVALIDATE;
+	}
+	if (cdflag) {
+		resopt &= ~DNS_CLIENTRESOPT_NOCDFLAG;
+	}
+	if (use_tcp) {
+		resopt |= DNS_CLIENTRESOPT_TCP;
+	}
+
+	/* Perform resolution */
+	ISC_LIST_INIT(namelist);
+	result = dns_client_resolve(client, query_name, dns_rdataclass_in,
+				    qtype, resopt, &namelist);
+	if (result != ISC_R_SUCCESS && !yaml) {
+		delv_log(ISC_LOG_ERROR, "resolution failed: %s",
+			 isc_result_totext(result));
+	}
+
+	if (yaml) {
+		printf("type: DELV_RESULT\n");
+		dns_name_format(query_name, namestr, sizeof(namestr));
+		printf("query_name: %s\n", namestr);
+		printf("status: %s\n", isc_result_totext(result));
+		printf("records:\n");
+	}
+
+	for (response_name = ISC_LIST_HEAD(namelist); response_name != NULL;
+	     response_name = ISC_LIST_NEXT(response_name, link))
+	{
+		for (rdataset = ISC_LIST_HEAD(response_name->list);
+		     rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link))
+		{
+			result = printdata(rdataset, response_name, style);
+			if (result != ISC_R_SUCCESS) {
+				delv_log(ISC_LOG_ERROR, "print data failed");
+			}
+		}
+	}
+
+	dns_client_freeresanswer(client, &namelist);
+
+cleanup:
+	if (trust_anchor != NULL) {
+		isc_mem_free(mctx, trust_anchor);
+	}
+	if (anchorfile != NULL) {
+		isc_mem_free(mctx, anchorfile);
+	}
+	if (qname != NULL) {
+		isc_mem_free(mctx, qname);
+	}
+	if (style != NULL) {
+		dns_master_styledestroy(&style, mctx);
+	}
+	if (client != NULL) {
+		dns_client_destroy(&client);
+	}
+	if (taskmgr != NULL) {
+		isc_managers_destroy(&netmgr, &taskmgr);
+	}
+	if (timermgr != NULL) {
+		isc_timermgr_destroy(&timermgr);
+	}
+	if (socketmgr != NULL) {
+		isc_socketmgr_destroy(&socketmgr);
+	}
+	if (actx != NULL) {
+		isc_appctx_destroy(&actx);
+	}
+	if (lctx != NULL) {
+		isc_log_destroy(&lctx);
+	}
+	isc_mem_detach(&mctx);
+
+	dns_lib_shutdown();
+
+	return (0);
+}
diff --git a/bin/delv/delv.rst b/bin/delv/delv.rst
new file mode 100644
index 0000000..0936236
--- /dev/null
+++ b/bin/delv/delv.rst
@@ -0,0 +1,326 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. highlight: console
+
+.. _man_delv:
+
+delv - DNS lookup and validation utility
+----------------------------------------
+
+Synopsis
+~~~~~~~~
+
+:program:`delv` [@server] [ [**-4**] | [**-6**] ] [**-a** anchor-file] [**-b** address] [**-c** class] [**-d** level] [**-i**] [**-m**] [**-p** port#] [**-q** name] [**-t** type] [**-x** addr] [name] [type] [class] [queryopt...]
+
+:program:`delv` [**-h**]
+
+:program:`delv` [**-v**]
+
+:program:`delv` [queryopt...] [query...]
+
+Description
+~~~~~~~~~~~
+
+``delv`` is a tool for sending DNS queries and validating the results,
+using the same internal resolver and validator logic as ``named``.
+
+``delv`` sends to a specified name server all queries needed to
+fetch and validate the requested data; this includes the original
+requested query, subsequent queries to follow CNAME or DNAME chains,
+queries for DNSKEY, and DS records to establish a chain of trust for
+DNSSEC validation. It does not perform iterative resolution, but
+simulates the behavior of a name server configured for DNSSEC validating
+and forwarding.
+
+By default, responses are validated using the built-in DNSSEC trust anchor
+for the root zone ("."). Records returned by ``delv`` are either fully
+validated or were not signed. If validation fails, an explanation of the
+failure is included in the output; the validation process can be traced
+in detail. Because ``delv`` does not rely on an external server to carry
+out validation, it can be used to check the validity of DNS responses in
+environments where local name servers may not be trustworthy.
+
+Unless it is told to query a specific name server, ``delv`` tries
+each of the servers listed in ``/etc/resolv.conf``. If no usable server
+addresses are found, ``delv`` sends queries to the localhost
+addresses (127.0.0.1 for IPv4, ::1 for IPv6).
+
+When no command-line arguments or options are given, ``delv``
+performs an NS query for "." (the root zone).
+
+Simple Usage
+~~~~~~~~~~~~
+
+A typical invocation of ``delv`` looks like:
+
+::
+
+    delv @server name type
+
+where:
+
+``server``
+   is the name or IP address of the name server to query. This can be an
+   IPv4 address in dotted-decimal notation or an IPv6 address in
+   colon-delimited notation. When the supplied ``server`` argument is a
+   hostname, ``delv`` resolves that name before querying that name
+   server (note, however, that this initial lookup is *not* validated by
+   DNSSEC).
+
+   If no ``server`` argument is provided, ``delv`` consults
+   ``/etc/resolv.conf``; if an address is found there, it queries the
+   name server at that address. If either of the ``-4`` or ``-6``
+   options is in use, then only addresses for the corresponding
+   transport are tried. If no usable addresses are found, ``delv``
+   sends queries to the localhost addresses (127.0.0.1 for IPv4, ::1
+   for IPv6).
+
+``name``
+   is the domain name to be looked up.
+
+``type``
+   indicates what type of query is required - ANY, A, MX, etc.
+   ``type`` can be any valid query type. If no ``type`` argument is
+   supplied, ``delv`` performs a lookup for an A record.
+
+Options
+~~~~~~~
+
+``-a anchor-file``
+   This option specifies a file from which to read DNSSEC trust anchors. The default
+   is ``/etc/bind.keys``, which is included with BIND 9 and contains one
+   or more trust anchors for the root zone (".").
+
+   Keys that do not match the root zone name are ignored. An alternate
+   key name can be specified using the ``+root=NAME`` options.
+
+   Note: When reading the trust anchor file, ``delv`` treats ``trust-anchors``,
+   ``initial-key``, and ``static-key`` identically. That is, for a managed key,
+   it is the *initial* key that is trusted; :rfc:`5011` key management is not
+   supported. ``delv`` does not consult the managed-keys database maintained by
+   ``named``, which means that if either of the keys in ``/etc/bind.keys`` is
+   revoked and rolled over, ``/etc/bind.keys`` must be updated to
+   use DNSSEC validation in ``delv``.
+
+``-b address``
+   This option sets the source IP address of the query to ``address``. This must be
+   a valid address on one of the host's network interfaces, or ``0.0.0.0``,
+   or ``::``. An optional source port may be specified by appending
+   ``#<port>``
+
+``-c class``
+   This option sets the query class for the requested data. Currently, only class
+   "IN" is supported in ``delv`` and any other value is ignored.
+
+``-d level``
+   This option sets the systemwide debug level to ``level``. The allowed range is
+   from 0 to 99. The default is 0 (no debugging). Debugging traces from
+   ``delv`` become more verbose as the debug level increases. See the
+   ``+mtrace``, ``+rtrace``, and ``+vtrace`` options below for
+   additional debugging details.
+
+``-h``
+   This option displays the ``delv`` help usage output and exits.
+
+``-i``
+   This option sets insecure mode, which disables internal DNSSEC validation. (Note,
+   however, that this does not set the CD bit on upstream queries. If the
+   server being queried is performing DNSSEC validation, then it does
+   not return invalid data; this can cause ``delv`` to time out. When it
+   is necessary to examine invalid data to debug a DNSSEC problem, use
+   ``dig +cd``.)
+
+``-m``
+   This option enables memory usage debugging.
+
+``-p port#``
+   This option specifies a destination port to use for queries, instead of the
+   standard DNS port number 53. This option is used with a name
+   server that has been configured to listen for queries on a
+   non-standard port number.
+
+``-q name``
+   This option sets the query name to ``name``. While the query name can be
+   specified without using the ``-q`` option, it is sometimes necessary to
+   disambiguate names from types or classes (for example, when looking
+   up the name "ns", which could be misinterpreted as the type NS, or
+   "ch", which could be misinterpreted as class CH).
+
+``-t type``
+   This option sets the query type to ``type``, which can be any valid query type
+   supported in BIND 9 except for zone transfer types AXFR and IXFR. As
+   with ``-q``, this is useful to distinguish query-name types or classes
+   when they are ambiguous. It is sometimes necessary to disambiguate
+   names from types.
+
+   The default query type is "A", unless the ``-x`` option is supplied
+   to indicate a reverse lookup, in which case it is "PTR".
+
+``-v``
+   This option prints the ``delv`` version and exits.
+
+``-x addr``
+   This option performs a reverse lookup, mapping an address to a name. ``addr``
+   is an IPv4 address in dotted-decimal notation, or a colon-delimited
+   IPv6 address. When ``-x`` is used, there is no need to provide the
+   ``name`` or ``type`` arguments; ``delv`` automatically performs a
+   lookup for a name like ``11.12.13.10.in-addr.arpa`` and sets the
+   query type to PTR. IPv6 addresses are looked up using nibble format
+   under the IP6.ARPA domain.
+
+``-4``
+   This option forces ``delv`` to only use IPv4.
+
+``-6``
+   This option forces ``delv`` to only use IPv6.
+
+Query Options
+~~~~~~~~~~~~~
+
+``delv`` provides a number of query options which affect the way results
+are displayed, and in some cases the way lookups are performed.
+
+Each query option is identified by a keyword preceded by a plus sign
+(``+``). Some keywords set or reset an option. These may be preceded by
+the string ``no`` to negate the meaning of that keyword. Other keywords
+assign values to options like the timeout interval. They have the form
+``+keyword=value``. The query options are:
+
+``+[no]cdflag``
+   This option controls whether to set the CD (checking disabled) bit in queries
+   sent by ``delv``. This may be useful when troubleshooting DNSSEC
+   problems from behind a validating resolver. A validating resolver
+   blocks invalid responses, making it difficult to retrieve them
+   for analysis. Setting the CD flag on queries causes the resolver
+   to return invalid responses, which ``delv`` can then validate
+   internally and report the errors in detail.
+
+``+[no]class``
+   This option controls whether to display the CLASS when printing a record. The
+   default is to display the CLASS.
+
+``+[no]ttl``
+   This option controls whether to display the TTL when printing a record. The
+   default is to display the TTL.
+
+``+[no]rtrace``
+   This option toggles resolver fetch logging. This reports the name and type of each
+   query sent by ``delv`` in the process of carrying out the resolution
+   and validation process, including the original query
+   and all subsequent queries to follow CNAMEs and to establish a chain
+   of trust for DNSSEC validation.
+
+   This is equivalent to setting the debug level to 1 in the "resolver"
+   logging category. Setting the systemwide debug level to 1 using the
+   ``-d`` option produces the same output, but affects other
+   logging categories as well.
+
+``+[no]mtrace``
+   This option toggles message logging. This produces a detailed dump of the
+   responses received by ``delv`` in the process of carrying out the
+   resolution and validation process.
+
+   This is equivalent to setting the debug level to 10 for the "packets"
+   module of the "resolver" logging category. Setting the systemwide
+   debug level to 10 using the ``-d`` option produces the same
+   output, but affects other logging categories as well.
+
+``+[no]vtrace``
+   This option toggles validation logging. This shows the internal process of the
+   validator as it determines whether an answer is validly signed,
+   unsigned, or invalid.
+
+   This is equivalent to setting the debug level to 3 for the
+   "validator" module of the "dnssec" logging category. Setting the
+   systemwide debug level to 3 using the ``-d`` option produces the
+   same output, but affects other logging categories as well.
+
+``+[no]short``
+   This option toggles between verbose and terse answers. The default is to print the answer in a
+   verbose form.
+
+``+[no]comments``
+   This option toggles the display of comment lines in the output. The default is to
+   print comments.
+
+``+[no]rrcomments``
+   This option toggles the display of per-record comments in the output (for example,
+   human-readable key information about DNSKEY records). The default is
+   to print per-record comments.
+
+``+[no]crypto``
+   This option toggles the display of cryptographic fields in DNSSEC records. The
+   contents of these fields are unnecessary to debug most DNSSEC
+   validation failures and removing them makes it easier to see the
+   common failures. The default is to display the fields. When omitted,
+   they are replaced by the string ``[omitted]`` or, in the DNSKEY case, the
+   key ID is displayed as the replacement, e.g. ``[ key id = value ]``.
+
+``+[no]trust``
+   This option controls whether to display the trust level when printing a record.
+   The default is to display the trust level.
+
+``+[no]split[=W]``
+   This option splits long hex- or base64-formatted fields in resource records into
+   chunks of ``W`` characters (where ``W`` is rounded up to the nearest
+   multiple of 4). ``+nosplit`` or ``+split=0`` causes fields not to be
+   split at all. The default is 56 characters, or 44 characters when
+   multiline mode is active.
+
+``+[no]all``
+   This option sets or clears the display options ``+[no]comments``,
+   ``+[no]rrcomments``, and ``+[no]trust`` as a group.
+
+``+[no]multiline``
+   This option prints long records (such as RRSIG, DNSKEY, and SOA records) in a
+   verbose multi-line format with human-readable comments. The default
+   is to print each record on a single line, to facilitate machine
+   parsing of the ``delv`` output.
+
+``+[no]dnssec``
+   This option indicates whether to display RRSIG records in the ``delv`` output.
+   The default is to do so. Note that (unlike in ``dig``) this does
+   *not* control whether to request DNSSEC records or to
+   validate them. DNSSEC records are always requested, and validation
+   always occurs unless suppressed by the use of ``-i`` or
+   ``+noroot``.
+
+``+[no]root[=ROOT]``
+   This option indicates whether to perform conventional DNSSEC validation, and if so,
+   specifies the name of a trust anchor. The default is to validate using a
+   trust anchor of "." (the root zone), for which there is a built-in key. If
+   specifying a different trust anchor, then ``-a`` must be used to specify a
+   file containing the key.
+
+``+[no]tcp``
+   This option controls whether to use TCP when sending queries. The default is to
+   use UDP unless a truncated response has been received.
+
+``+[no]unknownformat``
+   This option prints all RDATA in unknown RR-type presentation format (:rfc:`3597`).
+   The default is to print RDATA for known types in the type's
+   presentation format.
+
+``+[no]yaml``
+   This option prints response data in YAML format.
+
+Files
+~~~~~
+
+``/etc/bind.keys``
+
+``/etc/resolv.conf``
+
+See Also
+~~~~~~~~
+
+:manpage:`dig(1)`, :manpage:`named(8)`, :rfc:`4034`, :rfc:`4035`, :rfc:`4431`, :rfc:`5074`, :rfc:`5155`.
diff --git a/bin/delv/win32/delv.vcxproj.filters.in b/bin/delv/win32/delv.vcxproj.filters.in
new file mode 100644
index 0000000..c1af2f3
--- /dev/null
+++ b/bin/delv/win32/delv.vcxproj.filters.in
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\delv.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
diff --git a/bin/delv/win32/delv.vcxproj.in b/bin/delv/win32/delv.vcxproj.in
new file mode 100644
index 0000000..a1f84fb
--- /dev/null
+++ b/bin/delv/win32/delv.vcxproj.in
@@ -0,0 +1,119 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{BE172EFE-C1DC-4812-BFB9-8C5F8ADB7E9F}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>delv</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@GEOIP_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\win32\include;..\..\..\lib\dns\include;..\..\..\lib\irs\win32\include;..\..\..\lib\irs\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\irs\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;libdns.lib;libisccfg.lib;libirs.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@GEOIP_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\win32\include;..\..\..\lib\dns\include;..\..\..\lib\irs\win32\include;..\..\..\lib\irs\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\irs\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;libdns.lib;libisccfg.lib;libirs.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\delv.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/delv/win32/delv.vcxproj.user b/bin/delv/win32/delv.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/delv/win32/delv.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in
new file mode 100644
index 0000000..c329502
--- /dev/null
+++ b/bin/dig/Makefile.in
@@ -0,0 +1,98 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+READLINE_LIB = @READLINE_LIB@
+
+CINCLUDES =	-I${srcdir}/include ${DNS_INCLUDES} \
+		${BIND9_INCLUDES} ${ISC_INCLUDES} \
+		${IRS_INCLUDES} ${ISCCFG_INCLUDES} @LIBIDN2_CFLAGS@ \
+		${OPENSSL_CFLAGS}
+
+CDEFINES =	-DVERSION=\"${VERSION}\"
+CWARNINGS =
+
+ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
+DNSLIBS =	../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+BIND9LIBS =	../../lib/bind9/libbind9.@A@
+ISCLIBS =	../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@
+IRSLIBS =	../../lib/irs/libirs.@A@
+
+ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
+DNSDEPLIBS =	../../lib/dns/libdns.@A@
+BIND9DEPLIBS =	../../lib/bind9/libbind9.@A@
+ISCDEPLIBS =	../../lib/isc/libisc.@A@
+IRSDEPLIBS =	../../lib/irs/libirs.@A@
+
+DEPLIBS =	${DNSDEPLIBS} ${IRSDEPLIBS} ${BIND9DEPLIBS} \
+		${ISCDEPLIBS} ${ISCCFGDEPLIBS}
+
+LIBS =		${DNSLIBS} ${IRSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
+		${ISCLIBS} @LIBIDN2_LIBS@ @LIBS@
+
+NOSYMLIBS =	${DNSLIBS} ${IRSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
+		${ISCNOSYMLIBS} @LIBIDN2_LIBS@ @LIBS@
+
+SUBDIRS =
+
+TARGETS =	dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@
+
+OBJS =		dig.@O@ dighost.@O@ host.@O@ nslookup.@O@
+
+UOBJS =
+
+SRCS =		dig.c dighost.c host.c nslookup.c
+
+@BIND9_MAKE_RULES@
+
+LDFLAGS =	@LDFLAGS@ @LIBIDN2_LDFLAGS@
+
+dig@EXEEXT@: dig.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
+	export BASEOBJS="dig.@O@ dighost.@O@ ${UOBJS}"; \
+	export LIBS0="${DNSLIBS} ${IRSLIBS}"; \
+	${FINALBUILDCMD}
+
+host@EXEEXT@: host.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
+	export BASEOBJS="host.@O@ dighost.@O@ ${UOBJS}"; \
+	export LIBS0="${DNSLIBS} ${IRSLIBS}"; \
+	${FINALBUILDCMD}
+
+nslookup@EXEEXT@: nslookup.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
+	export BASEOBJS="nslookup.@O@ dighost.@O@ ${READLINE_LIB} ${UOBJS}"; \
+	export LIBS0="${DNSLIBS} ${IRSLIBS}"; \
+	${FINALBUILDCMD}
+
+clean distclean maintainer-clean::
+	rm -f ${TARGETS}
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir}
+
+install:: dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@ installdirs
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
+		dig@EXEEXT@ ${DESTDIR}${bindir}
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
+		host@EXEEXT@ ${DESTDIR}${bindir}
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
+		nslookup@EXEEXT@ ${DESTDIR}${bindir}
+
+uninstall::
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${bindir}/nslookup@EXEEXT@
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${bindir}/host@EXEEXT@
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${bindir}/dig@EXEEXT@
diff --git a/bin/dig/dig.c b/bin/dig/dig.c
new file mode 100644
index 0000000..423bf7d
--- /dev/null
+++ b/bin/dig/dig.c
@@ -0,0 +1,2728 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <ctype.h>
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <time.h>
+
+#include <isc/app.h>
+#include <isc/netaddr.h>
+#include <isc/parseint.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/util.h>
+
+#include <pk11/site.h>
+
+#include <dns/byaddr.h>
+#include <dns/fixedname.h>
+#include <dns/masterdump.h>
+#include <dns/message.h>
+#include <dns/name.h>
+#include <dns/rcode.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdataset.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/tsig.h>
+
+#include <dig/dig.h>
+
+#define ADD_STRING(b, s)                                          \
+	{                                                         \
+		if (strlen(s) >= isc_buffer_availablelength(b)) { \
+			return (ISC_R_NOSPACE);                   \
+		} else {                                          \
+			isc_buffer_putstr(b, s);                  \
+		}                                                 \
+	}
+
+#define DIG_MAX_ADDRESSES 20
+
+dig_lookup_t *default_lookup = NULL;
+
+static atomic_uintptr_t batchname = 0;
+static FILE *batchfp = NULL;
+static char *argv0;
+static int addresscount = 0;
+
+static char domainopt[DNS_NAME_MAXTEXT];
+static char hexcookie[81];
+
+static bool short_form = false, printcmd = true, plusquest = false,
+	    pluscomm = false, ipv4only = false, ipv6only = false, digrc = true;
+static uint32_t splitwidth = 0xffffffff;
+
+/*% opcode text */
+static const char *const opcodetext[] = {
+	"QUERY",      "IQUERY",	    "STATUS",	  "RESERVED3",
+	"NOTIFY",     "UPDATE",	    "RESERVED6",  "RESERVED7",
+	"RESERVED8",  "RESERVED9",  "RESERVED10", "RESERVED11",
+	"RESERVED12", "RESERVED13", "RESERVED14", "RESERVED15"
+};
+
+static const char *
+rcode_totext(dns_rcode_t rcode) {
+	static char buf[64];
+	isc_buffer_t b;
+	isc_result_t result;
+
+	memset(buf, 0, sizeof(buf));
+	isc_buffer_init(&b, buf + 1, sizeof(buf) - 2);
+	result = dns_rcode_totext(rcode, &b);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	if (strspn(buf + 1, "0123456789") == strlen(buf + 1)) {
+		buf[0] = '?';
+		return (buf);
+	}
+	return (buf + 1);
+}
+
+/*% print usage */
+static void
+print_usage(FILE *fp) {
+	fputs("Usage:  dig [@global-server] [domain] [q-type] [q-class] "
+	      "{q-opt}\n"
+	      "            {global-d-opt} host [@local-server] {local-d-opt}\n"
+	      "            [ host [@local-server] {local-d-opt} [...]]\n",
+	      fp);
+}
+
+#if TARGET_OS_IPHONE
+static void
+usage(void) {
+	fprintf(stderr, "Press <Help> for complete list of options\n");
+}
+#else  /* if TARGET_OS_IPHONE */
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(void) {
+	print_usage(stderr);
+	fputs("\nUse \"dig -h\" (or \"dig -h | more\") "
+	      "for complete list of options\n",
+	      stderr);
+	exit(1);
+}
+#endif /* if TARGET_OS_IPHONE */
+
+/*% version */
+static void
+version(void) {
+	fputs("DiG " VERSION "\n", stderr);
+}
+
+/*% help */
+static void
+help(void) {
+	print_usage(stdout);
+	fputs("Where:  domain	  is in the Domain Name System\n"
+	      "        q-class  is one of (in,hs,ch,...) [default: in]\n"
+	      "        q-type   is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) "
+	      "[default:a]\n"
+	      "                 (Use ixfr=version for type ixfr)\n"
+	      "        q-opt    is one of:\n"
+	      "                 -4                  (use IPv4 query transport "
+	      "only)\n"
+	      "                 -6                  (use IPv6 query transport "
+	      "only)\n"
+	      "                 -b address[#port]   (bind to source "
+	      "address/port)\n"
+	      "                 -c class            (specify query class)\n"
+	      "                 -f filename         (batch mode)\n"
+	      "                 -k keyfile          (specify tsig key file)\n"
+	      "                 -m                  (enable memory usage "
+	      "debugging)\n"
+	      "                 -p port             (specify port number)\n"
+	      "                 -q name             (specify query name)\n"
+	      "                 -r                  (do not read ~/.digrc)\n"
+	      "                 -t type             (specify query type)\n"
+	      "                 -u                  (display times in usec "
+	      "instead of msec)\n"
+	      "                 -x dot-notation     (shortcut for reverse "
+	      "lookups)\n"
+	      "                 -y [hmac:]name:key  (specify named base64 tsig "
+	      "key)\n"
+	      "        d-opt    is of the form +keyword[=value], where keyword "
+	      "is:\n"
+	      "                 +[no]aaflag         (Set AA flag in query "
+	      "(+[no]aaflag))\n"
+	      "                 +[no]aaonly         (Set AA flag in query "
+	      "(+[no]aaflag))\n"
+	      "                 +[no]additional     (Control display of "
+	      "additional section)\n"
+	      "                 +[no]adflag         (Set AD flag in query "
+	      "(default on))\n"
+	      "                 +[no]all            (Set or clear all display "
+	      "flags)\n"
+	      "                 +[no]answer         (Control display of answer "
+	      "section)\n"
+	      "                 +[no]authority      (Control display of "
+	      "authority section)\n"
+	      "                 +[no]badcookie      (Retry BADCOOKIE "
+	      "responses)\n"
+	      "                 +[no]besteffort     (Try to parse even illegal "
+	      "messages)\n"
+	      "                 +bufsize[=###]      (Set EDNS0 Max UDP packet "
+	      "size)\n"
+	      "                 +[no]cdflag         (Set checking disabled "
+	      "flag in query)\n"
+	      "                 +[no]class          (Control display of class "
+	      "in records)\n"
+	      "                 +[no]cmd            (Control display of "
+	      "command line -\n"
+	      "                                      global option)\n"
+	      "                 +[no]comments       (Control display of packet "
+	      "header\n"
+	      "                                      and section name "
+	      "comments)\n"
+	      "                 +[no]cookie         (Add a COOKIE option to "
+	      "the request)\n"
+	      "                 +[no]crypto         (Control display of "
+	      "cryptographic\n"
+	      "                                      fields in records)\n"
+	      "                 +[no]defname        (Use search list "
+	      "(+[no]search))\n"
+	      "                 +[no]dnssec         (Request DNSSEC records)\n"
+	      "                 +domain=###         (Set default domainname)\n"
+	      "                 +[no]dscp[=###]     (Set the DSCP value to ### "
+	      "[0..63])\n"
+	      "                 +[no]edns[=###]     (Set EDNS version) [0]\n"
+	      "                 +ednsflags=###      (Set EDNS flag bits)\n"
+	      "                 +[no]ednsnegotiation (Set EDNS version "
+	      "negotiation)\n"
+	      "                 +ednsopt=###[:value] (Send specified EDNS "
+	      "option)\n"
+	      "                 +noednsopt          (Clear list of +ednsopt "
+	      "options)\n"
+	      "                 +[no]expandaaaa     (Expand AAAA records)\n"
+	      "                 +[no]expire         (Request time to expire)\n"
+	      "                 +[no]fail           (Don't try next server on "
+	      "SERVFAIL)\n"
+	      "                 +[no]header-only    (Send query without a "
+	      "question section)\n"
+	      "                 +[no]identify       (ID responders in short "
+	      "answers)\n"
+#ifdef HAVE_LIBIDN2
+	      "                 +[no]idnin          (Parse IDN names "
+	      "[default=on on tty])\n"
+	      "                 +[no]idnout         (Convert IDN response "
+	      "[default=on on tty])\n"
+#endif /* ifdef HAVE_LIBIDN2 */
+	      "                 +[no]ignore         (Don't revert to TCP for "
+	      "TC responses.)\n"
+	      "                 +[no]keepalive      (Request EDNS TCP "
+	      "keepalive)\n"
+	      "                 +[no]keepopen       (Keep the TCP socket open "
+	      "between "
+	      "queries)\n"
+	      "                 +[no]mapped         (Allow mapped IPv4 over "
+	      "IPv6)\n"
+	      "                 +[no]multiline      (Print records in an "
+	      "expanded format)\n"
+	      "                 +ndots=###          (Set search NDOTS value)\n"
+	      "                 +[no]nsid           (Request Name Server ID)\n"
+	      "                 +[no]nssearch       (Search all authoritative "
+	      "nameservers)\n"
+	      "                 +[no]onesoa         (AXFR prints only one soa "
+	      "record)\n"
+	      "                 +[no]opcode=###     (Set the opcode of the "
+	      "request)\n"
+	      "                 +padding=###        (Set padding block size "
+	      "[0])\n"
+	      "                 +[no]qr             (Print question before "
+	      "sending)\n"
+	      "                 +[no]question       (Control display of "
+	      "question section)\n"
+	      "                 +[no]raflag         (Set RA flag in query "
+	      "(+[no]raflag))\n"
+	      "                 +[no]rdflag         (Recursive mode "
+	      "(+[no]recurse))\n"
+	      "                 +[no]recurse        (Recursive mode "
+	      "(+[no]rdflag))\n"
+	      "                 +retry=###          (Set number of UDP "
+	      "retries) [2]\n"
+	      "                 +[no]rrcomments     (Control display of "
+	      "per-record "
+	      "comments)\n"
+	      "                 +[no]search         (Set whether to use "
+	      "searchlist)\n"
+	      "                 +[no]short          (Display nothing except "
+	      "short\n"
+	      "                                      form of answers - global "
+	      "option)\n"
+	      "                 +[no]showsearch     (Search with intermediate "
+	      "results)\n"
+	      "                 +[no]split=##       (Split hex/base64 fields "
+	      "into chunks)\n"
+	      "                 +[no]stats          (Control display of "
+	      "statistics)\n"
+	      "                 +subnet=addr        (Set edns-client-subnet "
+	      "option)\n"
+	      "                 +[no]tcflag         (Set TC flag in query "
+	      "(+[no]tcflag))\n"
+	      "                 +[no]tcp            (TCP mode (+[no]vc))\n"
+	      "                 +timeout=###        (Set query timeout) [5]\n"
+	      "                 +[no]trace          (Trace delegation down "
+	      "from root "
+	      "[+dnssec])\n"
+	      "                 +tries=###          (Set number of UDP "
+	      "attempts) [3]\n"
+	      "                 +[no]ttlid          (Control display of ttls "
+	      "in records)\n"
+	      "                 +[no]ttlunits       (Display TTLs in "
+	      "human-readable units)\n"
+	      "                 +[no]unexpected     (Print replies from "
+	      "unexpected sources\n"
+	      "                                      default=off)\n"
+	      "                 +[no]unknownformat  (Print RDATA in RFC 3597 "
+	      "\"unknown\" "
+	      "format)\n"
+	      "                 +[no]vc             (TCP mode (+[no]tcp))\n"
+	      "                 +[no]yaml           (Present the results as "
+	      "YAML)\n"
+	      "                 +[no]zflag          (Set Z flag in query)\n"
+	      "        global d-opts and servers (before host name) affect all "
+	      "queries.\n"
+	      "        local d-opts and servers (after host name) affect only "
+	      "that lookup.\n"
+	      "        -h                           (print help and exit)\n"
+	      "        -v                           (print version and exit)\n",
+	      stdout);
+}
+
+/*%
+ * Callback from dighost.c to print the received message.
+ */
+static void
+received(unsigned int bytes, isc_sockaddr_t *from, dig_query_t *query) {
+	uint64_t diff;
+	time_t tnow;
+	struct tm tmnow;
+#ifdef WIN32
+	wchar_t time_str[100];
+#else  /* ifdef WIN32 */
+	char time_str[100];
+#endif /* ifdef WIN32 */
+	char fromtext[ISC_SOCKADDR_FORMATSIZE];
+
+	isc_sockaddr_format(from, fromtext, sizeof(fromtext));
+
+	if (short_form || yaml) {
+		return;
+	}
+
+	if (query->lookup->stats) {
+		diff = isc_time_microdiff(&query->time_recv, &query->time_sent);
+		if (query->lookup->use_usec) {
+			printf(";; Query time: %ld usec\n", (long)diff);
+		} else {
+			printf(";; Query time: %ld msec\n", (long)diff / 1000);
+		}
+		printf(";; SERVER: %s(%s)\n", fromtext, query->servname);
+		time(&tnow);
+		(void)localtime_r(&tnow, &tmnow);
+
+#ifdef WIN32
+		/*
+		 * On Windows, time zone name ("%Z") may be a localized
+		 * wide-character string, which strftime() handles incorrectly.
+		 */
+		if (wcsftime(time_str, sizeof(time_str) / sizeof(time_str[0]),
+			     L"%a %b %d %H:%M:%S %Z %Y", &tmnow) > 0U)
+		{
+			printf(";; WHEN: %ls\n", time_str);
+		}
+#else  /* ifdef WIN32 */
+		if (strftime(time_str, sizeof(time_str),
+			     "%a %b %d %H:%M:%S %Z %Y", &tmnow) > 0U)
+		{
+			printf(";; WHEN: %s\n", time_str);
+		}
+#endif /* ifdef WIN32 */
+		if (query->lookup->doing_xfr) {
+			printf(";; XFR size: %u records (messages %u, "
+			       "bytes %" PRIu64 ")\n",
+			       query->rr_count, query->msg_count,
+			       query->byte_count);
+		} else {
+			printf(";; MSG SIZE  rcvd: %u\n", bytes);
+		}
+		if (tsigkey != NULL) {
+			if (!validated) {
+				puts(";; WARNING -- Some TSIG could not "
+				     "be validated");
+			}
+		}
+		if ((tsigkey == NULL) && (keysecret[0] != 0)) {
+			puts(";; WARNING -- TSIG key was not used.");
+		}
+		puts("");
+	} else if (query->lookup->identify) {
+		diff = isc_time_microdiff(&query->time_recv, &query->time_sent);
+		if (query->lookup->use_usec) {
+			printf(";; Received %" PRIu64 " bytes "
+			       "from %s(%s) in %ld us\n\n",
+			       query->lookup->doing_xfr ? query->byte_count
+							: (uint64_t)bytes,
+			       fromtext, query->userarg, (long)diff);
+		} else {
+			printf(";; Received %" PRIu64 " bytes "
+			       "from %s(%s) in %ld ms\n\n",
+			       query->lookup->doing_xfr ? query->byte_count
+							: (uint64_t)bytes,
+			       fromtext, query->userarg, (long)diff / 1000);
+		}
+	}
+}
+
+/*
+ * Callback from dighost.c to print that it is trying a server.
+ * Not used in dig.
+ * XXX print_trying
+ */
+static void
+trying(char *frm, dig_lookup_t *lookup) {
+	UNUSED(frm);
+	UNUSED(lookup);
+}
+
+/*%
+ * Internal print routine used to print short form replies.
+ */
+static isc_result_t
+say_message(dns_rdata_t *rdata, dig_query_t *query, isc_buffer_t *buf) {
+	isc_result_t result;
+	uint64_t diff;
+	char store[sizeof(" in 18446744073709551616 us.")];
+	unsigned int styleflags = 0;
+
+	if (query->lookup->trace || query->lookup->ns_search_only) {
+		result = dns_rdatatype_totext(rdata->type, buf);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		ADD_STRING(buf, " ");
+	}
+
+	/* Turn on rrcomments if explicitly enabled */
+	if (query->lookup->rrcomments > 0) {
+		styleflags |= DNS_STYLEFLAG_RRCOMMENT;
+	}
+	if (query->lookup->nocrypto) {
+		styleflags |= DNS_STYLEFLAG_NOCRYPTO;
+	}
+	if (query->lookup->print_unknown_format) {
+		styleflags |= DNS_STYLEFLAG_UNKNOWNFORMAT;
+	}
+	if (query->lookup->expandaaaa) {
+		styleflags |= DNS_STYLEFLAG_EXPANDAAAA;
+	}
+	result = dns_rdata_tofmttext(rdata, NULL, styleflags, 0, splitwidth,
+				     " ", buf);
+	if (result == ISC_R_NOSPACE) {
+		return (result);
+	}
+	check_result(result, "dns_rdata_totext");
+	if (query->lookup->identify) {
+		diff = isc_time_microdiff(&query->time_recv, &query->time_sent);
+		ADD_STRING(buf, " from server ");
+		ADD_STRING(buf, query->servname);
+		if (query->lookup->use_usec) {
+			snprintf(store, sizeof(store), " in %" PRIu64 " us.",
+				 diff);
+		} else {
+			snprintf(store, sizeof(store), " in %" PRIu64 " ms.",
+				 diff / 1000);
+		}
+		ADD_STRING(buf, store);
+	}
+	ADD_STRING(buf, "\n");
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * short_form message print handler.  Calls above say_message()
+ */
+static isc_result_t
+short_answer(dns_message_t *msg, dns_messagetextflag_t flags, isc_buffer_t *buf,
+	     dig_query_t *query) {
+	dns_name_t *name;
+	dns_rdataset_t *rdataset;
+	isc_result_t result, loopresult;
+	dns_name_t empty_name;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+
+	UNUSED(flags);
+
+	dns_name_init(&empty_name, NULL);
+	result = dns_message_firstname(msg, DNS_SECTION_ANSWER);
+	if (result == ISC_R_NOMORE) {
+		return (ISC_R_SUCCESS);
+	} else if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	for (;;) {
+		name = NULL;
+		dns_message_currentname(msg, DNS_SECTION_ANSWER, &name);
+
+		for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link))
+		{
+			loopresult = dns_rdataset_first(rdataset);
+			while (loopresult == ISC_R_SUCCESS) {
+				dns_rdataset_current(rdataset, &rdata);
+				result = say_message(&rdata, query, buf);
+				if (result == ISC_R_NOSPACE) {
+					return (result);
+				}
+				check_result(result, "say_message");
+				loopresult = dns_rdataset_next(rdataset);
+				dns_rdata_reset(&rdata);
+			}
+		}
+		result = dns_message_nextname(msg, DNS_SECTION_ANSWER);
+		if (result == ISC_R_NOMORE) {
+			break;
+		} else if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static bool
+isdotlocal(dns_message_t *msg) {
+	isc_result_t result;
+	static unsigned char local_ndata[] = { "\005local" };
+	static unsigned char local_offsets[] = { 0, 6 };
+	static dns_name_t local = DNS_NAME_INITABSOLUTE(local_ndata,
+							local_offsets);
+
+	for (result = dns_message_firstname(msg, DNS_SECTION_QUESTION);
+	     result == ISC_R_SUCCESS;
+	     result = dns_message_nextname(msg, DNS_SECTION_QUESTION))
+	{
+		dns_name_t *name = NULL;
+		dns_message_currentname(msg, DNS_SECTION_QUESTION, &name);
+		if (dns_name_issubdomain(name, &local)) {
+			return (true);
+		}
+	}
+	return (false);
+}
+
+/*
+ * Callback from dighost.c to print the reply from a server
+ */
+static isc_result_t
+printmessage(dig_query_t *query, const isc_buffer_t *msgbuf, dns_message_t *msg,
+	     bool headers) {
+	isc_result_t result;
+	dns_messagetextflag_t flags;
+	isc_buffer_t *buf = NULL;
+	unsigned int len = OUTPUTBUF;
+	dns_master_style_t *style = NULL;
+	unsigned int styleflags = 0;
+	bool isquery = (msg == query->lookup->sendmsg);
+
+	UNUSED(msgbuf);
+
+	styleflags |= DNS_STYLEFLAG_REL_OWNER;
+	if (yaml) {
+		msg->indent.string = "  ";
+		msg->indent.count = 3;
+		styleflags |= DNS_STYLEFLAG_YAML;
+	} else {
+		if (query->lookup->comments) {
+			styleflags |= DNS_STYLEFLAG_COMMENT;
+		}
+		if (query->lookup->print_unknown_format) {
+			styleflags |= DNS_STYLEFLAG_UNKNOWNFORMAT;
+		}
+		/* Turn on rrcomments if explicitly enabled */
+		if (query->lookup->rrcomments > 0) {
+			styleflags |= DNS_STYLEFLAG_RRCOMMENT;
+		}
+		if (query->lookup->ttlunits) {
+			styleflags |= DNS_STYLEFLAG_TTL_UNITS;
+		}
+		if (query->lookup->nottl) {
+			styleflags |= DNS_STYLEFLAG_NO_TTL;
+		}
+		if (query->lookup->noclass) {
+			styleflags |= DNS_STYLEFLAG_NO_CLASS;
+		}
+		if (query->lookup->nocrypto) {
+			styleflags |= DNS_STYLEFLAG_NOCRYPTO;
+		}
+		if (query->lookup->expandaaaa) {
+			styleflags |= DNS_STYLEFLAG_EXPANDAAAA;
+		}
+		if (query->lookup->multiline) {
+			styleflags |= DNS_STYLEFLAG_OMIT_OWNER;
+			styleflags |= DNS_STYLEFLAG_OMIT_CLASS;
+			styleflags |= DNS_STYLEFLAG_REL_DATA;
+			styleflags |= DNS_STYLEFLAG_OMIT_TTL;
+			styleflags |= DNS_STYLEFLAG_TTL;
+			styleflags |= DNS_STYLEFLAG_MULTILINE;
+			/* Turn on rrcomments unless explicitly disabled */
+			if (query->lookup->rrcomments >= 0) {
+				styleflags |= DNS_STYLEFLAG_RRCOMMENT;
+			}
+		}
+	}
+	if (query->lookup->multiline ||
+	    (query->lookup->nottl && query->lookup->noclass))
+	{
+		result = dns_master_stylecreate(&style, styleflags, 24, 24, 24,
+						32, 80, 8, splitwidth, mctx);
+	} else if (query->lookup->nottl || query->lookup->noclass) {
+		result = dns_master_stylecreate(&style, styleflags, 24, 24, 32,
+						40, 80, 8, splitwidth, mctx);
+	} else {
+		result = dns_master_stylecreate(&style, styleflags, 24, 32, 40,
+						48, 80, 8, splitwidth, mctx);
+	}
+	check_result(result, "dns_master_stylecreate");
+
+	if (query->lookup->cmdline[0] != 0) {
+		if (!short_form && printcmd) {
+			fputs(query->lookup->cmdline, stdout);
+		}
+		query->lookup->cmdline[0] = '\0';
+	}
+	debug("printmessage(%s %s %s)", headers ? "headers" : "noheaders",
+	      query->lookup->comments ? "comments" : "nocomments",
+	      short_form ? "short_form" : "long_form");
+
+	flags = 0;
+	if (!headers) {
+		flags |= DNS_MESSAGETEXTFLAG_NOHEADERS;
+		flags |= DNS_MESSAGETEXTFLAG_NOCOMMENTS;
+	}
+	if (query->lookup->onesoa &&
+	    query->lookup->rdtype == dns_rdatatype_axfr)
+	{
+		flags |= (query->msg_count == 0) ? DNS_MESSAGETEXTFLAG_ONESOA
+						 : DNS_MESSAGETEXTFLAG_OMITSOA;
+	}
+	if (!query->lookup->comments) {
+		flags |= DNS_MESSAGETEXTFLAG_NOCOMMENTS;
+	}
+
+	isc_buffer_allocate(mctx, &buf, len);
+
+	if (yaml) {
+		enum { Q = 0x1, R = 0x2 }; /* Q:query; R:ecursive */
+		unsigned int tflag = 0;
+		isc_sockaddr_t saddr;
+		char sockstr[ISC_SOCKADDR_FORMATSIZE];
+		uint16_t sport;
+		char *hash;
+		int pf;
+
+		printf("-\n");
+		printf("  type: MESSAGE\n");
+		printf("  message:\n");
+
+		if (isquery) {
+			tflag |= Q;
+			if ((msg->flags & DNS_MESSAGEFLAG_RD) != 0) {
+				tflag |= R;
+			}
+		} else if (((msg->flags & DNS_MESSAGEFLAG_RD) != 0) &&
+			   ((msg->flags & DNS_MESSAGEFLAG_RA) != 0))
+		{
+			tflag |= R;
+		}
+
+		if (tflag == (Q | R)) {
+			printf("    type: RECURSIVE_QUERY\n");
+		} else if (tflag == Q) {
+			printf("    type: AUTH_QUERY\n");
+		} else if (tflag == R) {
+			printf("    type: RECURSIVE_RESPONSE\n");
+		} else {
+			printf("    type: AUTH_RESPONSE\n");
+		}
+
+		if (!isc_time_isepoch(&query->time_sent)) {
+			char tbuf[100];
+			if (query->lookup->use_usec) {
+				isc_time_formatISO8601us(&query->time_sent,
+							 tbuf, sizeof(tbuf));
+			} else {
+				isc_time_formatISO8601ms(&query->time_sent,
+							 tbuf, sizeof(tbuf));
+			}
+			printf("    query_time: !!timestamp %s\n", tbuf);
+		}
+
+		if (!isquery && !isc_time_isepoch(&query->time_recv)) {
+			char tbuf[100];
+			if (query->lookup->use_usec) {
+				isc_time_formatISO8601us(&query->time_recv,
+							 tbuf, sizeof(tbuf));
+			} else {
+				isc_time_formatISO8601ms(&query->time_recv,
+							 tbuf, sizeof(tbuf));
+			}
+			printf("    response_time: !!timestamp %s\n", tbuf);
+		}
+
+		printf("    message_size: %ub\n",
+		       isc_buffer_usedlength(msgbuf));
+
+		pf = isc_sockaddr_pf(&query->sockaddr);
+		if (pf == PF_INET || pf == PF_INET6) {
+			printf("    socket_family: %s\n",
+			       pf == PF_INET ? "INET" : "INET6");
+
+			printf("    socket_protocol: %s\n",
+			       query->lookup->tcp_mode ? "TCP" : "UDP");
+
+			sport = isc_sockaddr_getport(&query->sockaddr);
+			isc_sockaddr_format(&query->sockaddr, sockstr,
+					    sizeof(sockstr));
+			hash = strchr(sockstr, '#');
+			if (hash != NULL) {
+				*hash = '\0';
+			}
+			if (strcmp(sockstr, "::") == 0) {
+				strlcat(sockstr, "0", sizeof(sockstr));
+			}
+
+			printf("    response_address: \"%s\"\n", sockstr);
+			printf("    response_port: %u\n", sport);
+		}
+
+		if (query->sock != NULL &&
+		    isc_socket_getsockname(query->sock, &saddr) ==
+			    ISC_R_SUCCESS)
+		{
+			sport = isc_sockaddr_getport(&saddr);
+			isc_sockaddr_format(&saddr, sockstr, sizeof(sockstr));
+			hash = strchr(sockstr, '#');
+			if (hash != NULL) {
+				*hash = '\0';
+			}
+			if (strcmp(sockstr, "::") == 0) {
+				strlcat(sockstr, "0", sizeof(sockstr));
+			}
+
+			printf("    query_address: \"%s\"\n", sockstr);
+			printf("    query_port: %u\n", sport);
+		}
+
+		printf("    %s:\n", isquery ? "query_message_data"
+					    : "response_message_data");
+		result = dns_message_headertotext(msg, style, flags, buf);
+	} else if (query->lookup->comments && !short_form) {
+		if (query->lookup->cmdline[0] != '\0' && printcmd) {
+			printf("; %s\n", query->lookup->cmdline);
+		}
+		if (msg == query->lookup->sendmsg) {
+			printf(";; Sending:\n");
+		} else {
+			printf(";; Got answer:\n");
+		}
+
+		if (headers) {
+			if (isdotlocal(msg)) {
+				printf(";; WARNING: .local is reserved for "
+				       "Multicast DNS\n;; You are currently "
+				       "testing what happens when an mDNS "
+				       "query is leaked to DNS\n");
+			}
+			printf(";; ->>HEADER<<- opcode: %s, status: %s, "
+			       "id: %u\n",
+			       opcodetext[msg->opcode],
+			       rcode_totext(msg->rcode), msg->id);
+			printf(";; flags:");
+			if ((msg->flags & DNS_MESSAGEFLAG_QR) != 0) {
+				printf(" qr");
+			}
+			if ((msg->flags & DNS_MESSAGEFLAG_AA) != 0) {
+				printf(" aa");
+			}
+			if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0) {
+				printf(" tc");
+			}
+			if ((msg->flags & DNS_MESSAGEFLAG_RD) != 0) {
+				printf(" rd");
+			}
+			if ((msg->flags & DNS_MESSAGEFLAG_RA) != 0) {
+				printf(" ra");
+			}
+			if ((msg->flags & DNS_MESSAGEFLAG_AD) != 0) {
+				printf(" ad");
+			}
+			if ((msg->flags & DNS_MESSAGEFLAG_CD) != 0) {
+				printf(" cd");
+			}
+			if ((msg->flags & 0x0040U) != 0) {
+				printf("; MBZ: 0x4");
+			}
+
+			printf("; QUERY: %u, ANSWER: %u, "
+			       "AUTHORITY: %u, ADDITIONAL: %u\n",
+			       msg->counts[DNS_SECTION_QUESTION],
+			       msg->counts[DNS_SECTION_ANSWER],
+			       msg->counts[DNS_SECTION_AUTHORITY],
+			       msg->counts[DNS_SECTION_ADDITIONAL]);
+
+			if (msg != query->lookup->sendmsg &&
+			    (msg->flags & DNS_MESSAGEFLAG_RD) != 0 &&
+			    (msg->flags & DNS_MESSAGEFLAG_RA) == 0)
+			{
+				printf(";; WARNING: recursion requested "
+				       "but not available\n");
+			}
+		}
+		if (msg != query->lookup->sendmsg &&
+		    query->lookup->edns != -1 && msg->opt == NULL &&
+		    (msg->rcode == dns_rcode_formerr ||
+		     msg->rcode == dns_rcode_notimp))
+		{
+			printf("\n;; WARNING: EDNS query returned status "
+			       "%s - retry with '%s+noedns'\n",
+			       rcode_totext(msg->rcode),
+			       query->lookup->dnssec ? "+nodnssec " : "");
+		}
+		if (msg != query->lookup->sendmsg && extrabytes != 0U) {
+			printf(";; WARNING: Message has %u extra byte%s at "
+			       "end\n",
+			       extrabytes, extrabytes != 0 ? "s" : "");
+		}
+	}
+
+repopulate_buffer:
+
+	if (query->lookup->comments && headers && !short_form) {
+		result = dns_message_pseudosectiontotext(
+			msg, DNS_PSEUDOSECTION_OPT, style, flags, buf);
+		if (result == ISC_R_NOSPACE) {
+		buftoosmall:
+			len += OUTPUTBUF;
+			isc_buffer_free(&buf);
+			isc_buffer_allocate(mctx, &buf, len);
+			goto repopulate_buffer;
+		}
+		check_result(result, "dns_message_pseudosectiontotext");
+	}
+
+	if (query->lookup->section_question && headers) {
+		if (!short_form) {
+			result = dns_message_sectiontotext(
+				msg, DNS_SECTION_QUESTION, style, flags, buf);
+			if (result == ISC_R_NOSPACE) {
+				goto buftoosmall;
+			}
+			check_result(result, "dns_message_sectiontotext");
+		}
+	}
+	if (query->lookup->section_answer) {
+		if (!short_form) {
+			result = dns_message_sectiontotext(
+				msg, DNS_SECTION_ANSWER, style, flags, buf);
+			if (result == ISC_R_NOSPACE) {
+				goto buftoosmall;
+			}
+			check_result(result, "dns_message_sectiontotext");
+		} else {
+			result = short_answer(msg, flags, buf, query);
+			if (result == ISC_R_NOSPACE) {
+				goto buftoosmall;
+			}
+			check_result(result, "short_answer");
+		}
+	}
+	if (query->lookup->section_authority) {
+		if (!short_form) {
+			result = dns_message_sectiontotext(
+				msg, DNS_SECTION_AUTHORITY, style, flags, buf);
+			if (result == ISC_R_NOSPACE) {
+				goto buftoosmall;
+			}
+			check_result(result, "dns_message_sectiontotext");
+		}
+	}
+	if (query->lookup->section_additional) {
+		if (!short_form) {
+			result = dns_message_sectiontotext(
+				msg, DNS_SECTION_ADDITIONAL, style, flags, buf);
+			if (result == ISC_R_NOSPACE) {
+				goto buftoosmall;
+			}
+			check_result(result, "dns_message_sectiontotext");
+			/*
+			 * Only print the signature on the first record.
+			 */
+			if (headers) {
+				result = dns_message_pseudosectiontotext(
+					msg, DNS_PSEUDOSECTION_TSIG, style,
+					flags, buf);
+				if (result == ISC_R_NOSPACE) {
+					goto buftoosmall;
+				}
+				check_result(result, "dns_message_"
+						     "pseudosectiontotext");
+				result = dns_message_pseudosectiontotext(
+					msg, DNS_PSEUDOSECTION_SIG0, style,
+					flags, buf);
+				if (result == ISC_R_NOSPACE) {
+					goto buftoosmall;
+				}
+				check_result(result, "dns_message_"
+						     "pseudosectiontotext");
+			}
+		}
+	}
+
+	if (headers && query->lookup->comments && !short_form && !yaml) {
+		printf("\n");
+	}
+
+	printf("%.*s", (int)isc_buffer_usedlength(buf),
+	       (char *)isc_buffer_base(buf));
+	isc_buffer_free(&buf);
+
+	if (style != NULL) {
+		dns_master_styledestroy(&style, mctx);
+	}
+	return (result);
+}
+
+/*%
+ * print the greeting message when the program first starts up.
+ */
+static void
+printgreeting(int argc, char **argv, dig_lookup_t *lookup) {
+	int i;
+	static bool first = true;
+	char append[MXNAME];
+
+	if (printcmd) {
+		snprintf(lookup->cmdline, sizeof(lookup->cmdline),
+			 "%s; <<>> DiG " VERSION " <<>>", first ? "\n" : "");
+		i = 1;
+		while (i < argc) {
+			snprintf(append, sizeof(append), " %s", argv[i++]);
+			strlcat(lookup->cmdline, append,
+				sizeof(lookup->cmdline));
+		}
+		strlcat(lookup->cmdline, "\n", sizeof(lookup->cmdline));
+		if (first && addresscount != 0) {
+			snprintf(append, sizeof(append),
+				 "; (%d server%s found)\n", addresscount,
+				 addresscount > 1 ? "s" : "");
+			strlcat(lookup->cmdline, append,
+				sizeof(lookup->cmdline));
+		}
+		if (first) {
+			snprintf(append, sizeof(append),
+				 ";; global options:%s%s\n",
+				 short_form ? " +short" : "",
+				 printcmd ? " +cmd" : "");
+			first = false;
+			strlcat(lookup->cmdline, append,
+				sizeof(lookup->cmdline));
+		}
+	}
+}
+
+/*%
+ * We're not using isc_commandline_parse() here since the command line
+ * syntax of dig is quite a bit different from that which can be described
+ * by that routine.
+ * XXX doc options
+ */
+
+static void
+plus_option(char *option, bool is_batchfile, dig_lookup_t *lookup) {
+	isc_result_t result;
+	char *cmd, *value, *last = NULL, *code, *extra;
+	uint32_t num;
+	bool state = true;
+	size_t n;
+
+	INSIST(option != NULL);
+
+	if ((cmd = strtok_r(option, "=", &last)) == NULL) {
+		printf(";; Invalid option %s\n", option);
+		return;
+	}
+	if (strncasecmp(cmd, "no", 2) == 0) {
+		cmd += 2;
+		state = false;
+	}
+	/* parse the rest of the string */
+	value = strtok_r(NULL, "", &last);
+
+#define FULLCHECK(A)                                                 \
+	do {                                                         \
+		size_t _l = strlen(cmd);                             \
+		if (_l >= sizeof(A) || strncasecmp(cmd, A, _l) != 0) \
+			goto invalid_option;                         \
+	} while (0)
+#define FULLCHECK2(A, B)                                                 \
+	do {                                                             \
+		size_t _l = strlen(cmd);                                 \
+		if ((_l >= sizeof(A) || strncasecmp(cmd, A, _l) != 0) && \
+		    (_l >= sizeof(B) || strncasecmp(cmd, B, _l) != 0))   \
+			goto invalid_option;                             \
+	} while (0)
+
+	switch (cmd[0]) {
+	case 'a':
+		switch (cmd[1]) {
+		case 'a': /* aaonly / aaflag */
+			FULLCHECK2("aaonly", "aaflag");
+			lookup->aaonly = state;
+			break;
+		case 'd':
+			switch (cmd[2]) {
+			case 'd': /* additional */
+				FULLCHECK("additional");
+				lookup->section_additional = state;
+				break;
+			case 'f':  /* adflag */
+			case '\0': /* +ad is a synonym for +adflag */
+				FULLCHECK("adflag");
+				lookup->adflag = state;
+				break;
+			default:
+				goto invalid_option;
+			}
+			break;
+		case 'l': /* all */
+			FULLCHECK("all");
+			lookup->section_question = state;
+			lookup->section_authority = state;
+			lookup->section_answer = state;
+			lookup->section_additional = state;
+			lookup->comments = state;
+			lookup->stats = state;
+			printcmd = state;
+			break;
+		case 'n': /* answer */
+			FULLCHECK("answer");
+			lookup->section_answer = state;
+			break;
+		case 'u': /* authority */
+			FULLCHECK("authority");
+			lookup->section_authority = state;
+			break;
+		default:
+			goto invalid_option;
+		}
+		break;
+	case 'b':
+		switch (cmd[1]) {
+		case 'a': /* badcookie */
+			FULLCHECK("badcookie");
+			lookup->badcookie = state;
+			break;
+		case 'e': /* besteffort */
+			FULLCHECK("besteffort");
+			lookup->besteffort = state;
+			break;
+		case 'u': /* bufsize */
+			FULLCHECK("bufsize");
+			if (!state) {
+				goto invalid_option;
+			}
+			if (value == NULL) {
+				lookup->udpsize = DEFAULT_EDNS_BUFSIZE;
+				break;
+			}
+			result = parse_uint(&num, value, COMMSIZE,
+					    "buffer size");
+			if (result != ISC_R_SUCCESS) {
+				warn("Couldn't parse buffer size");
+				goto exit_or_usage;
+			}
+			lookup->udpsize = num;
+			if (lookup->udpsize == 0) {
+				lookup->edns = -1;
+			}
+			break;
+		default:
+			goto invalid_option;
+		}
+		break;
+	case 'c':
+		switch (cmd[1]) {
+		case 'd': /* cdflag */
+			switch (cmd[2]) {
+			case 'f':  /* cdflag */
+			case '\0': /* +cd is a synonym for +cdflag */
+				FULLCHECK("cdflag");
+				lookup->cdflag = state;
+				break;
+			default:
+				goto invalid_option;
+			}
+			break;
+		case 'l': /* class */
+			/* keep +cl for backwards compatibility */
+			FULLCHECK2("cl", "class");
+			lookup->noclass = !state;
+			break;
+		case 'm': /* cmd */
+			FULLCHECK("cmd");
+			printcmd = state;
+			break;
+		case 'o': /* comments */
+			switch (cmd[2]) {
+			case 'm':
+				FULLCHECK("comments");
+				lookup->comments = state;
+				if (lookup == default_lookup) {
+					pluscomm = state;
+				}
+				break;
+			case 'o': /* cookie */
+				FULLCHECK("cookie");
+				if (state && lookup->edns == -1) {
+					lookup->edns = DEFAULT_EDNS_VERSION;
+				}
+				lookup->sendcookie = state;
+				if (value != NULL) {
+					n = strlcpy(hexcookie, value,
+						    sizeof(hexcookie));
+					if (n >= sizeof(hexcookie)) {
+						warn("COOKIE data too large");
+						goto exit_or_usage;
+					}
+					lookup->cookie = hexcookie;
+				} else {
+					lookup->cookie = NULL;
+				}
+				break;
+			default:
+				goto invalid_option;
+			}
+			break;
+		case 'r':
+			FULLCHECK("crypto");
+			lookup->nocrypto = !state;
+			break;
+		default:
+			goto invalid_option;
+		}
+		break;
+	case 'd':
+		switch (cmd[1]) {
+		case 'e': /* defname */
+			FULLCHECK("defname");
+			if (!lookup->trace) {
+				usesearch = state;
+			}
+			break;
+		case 'n': /* dnssec */
+			FULLCHECK("dnssec");
+		dnssec:
+			if (state && lookup->edns == -1) {
+				lookup->edns = DEFAULT_EDNS_VERSION;
+			}
+			lookup->dnssec = state;
+			break;
+		case 'o': /* domain ... but treat "do" as synonym for dnssec */
+			if (cmd[2] == '\0') {
+				goto dnssec;
+			}
+			FULLCHECK("domain");
+			if (value == NULL) {
+				goto need_value;
+			}
+			if (!state) {
+				goto invalid_option;
+			}
+			strlcpy(domainopt, value, sizeof(domainopt));
+			break;
+		case 's': /* dscp */
+			FULLCHECK("dscp");
+			if (!state) {
+				lookup->dscp = -1;
+				break;
+			}
+			if (value == NULL) {
+				goto need_value;
+			}
+			result = parse_uint(&num, value, 0x3f, "DSCP");
+			if (result != ISC_R_SUCCESS) {
+				warn("Couldn't parse DSCP value");
+				goto exit_or_usage;
+			}
+			lookup->dscp = num;
+			break;
+		default:
+			goto invalid_option;
+		}
+		break;
+	case 'e':
+		switch (cmd[1]) {
+		case 'd':
+			switch (cmd[2]) {
+			case 'n':
+				switch (cmd[3]) {
+				case 's':
+					switch (cmd[4]) {
+					case 0:
+						FULLCHECK("edns");
+						if (!state) {
+							lookup->edns = -1;
+							break;
+						}
+						if (value == NULL) {
+							lookup->edns =
+								DEFAULT_EDNS_VERSION;
+							break;
+						}
+						result = parse_uint(&num, value,
+								    255,
+								    "edns");
+						if (result != ISC_R_SUCCESS) {
+							warn("Couldn't parse "
+							     "edns");
+							goto exit_or_usage;
+						}
+						lookup->edns = num;
+						break;
+					case 'f':
+						FULLCHECK("ednsflags");
+						if (!state) {
+							lookup->ednsflags = 0;
+							break;
+						}
+						if (value == NULL) {
+							lookup->ednsflags = 0;
+							break;
+						}
+						result = parse_xint(
+							&num, value, 0xffff,
+							"ednsflags");
+						if (result != ISC_R_SUCCESS) {
+							warn("Couldn't parse "
+							     "ednsflags");
+							goto exit_or_usage;
+						}
+						lookup->ednsflags = num;
+						break;
+					case 'n':
+						FULLCHECK("ednsnegotiation");
+						lookup->ednsneg = state;
+						break;
+					case 'o':
+						FULLCHECK("ednsopt");
+						if (!state) {
+							lookup->ednsoptscnt = 0;
+							break;
+						}
+						code = NULL;
+						if (value != NULL) {
+							code = strtok_r(value,
+									":",
+									&last);
+						}
+						if (code == NULL) {
+							warn("ednsopt no "
+							     "code point "
+							     "specified");
+							goto exit_or_usage;
+						}
+						extra = strtok_r(NULL, "\0",
+								 &last);
+						save_opt(lookup, code, extra);
+						break;
+					default:
+						goto invalid_option;
+					}
+					break;
+				default:
+					goto invalid_option;
+				}
+				break;
+			default:
+				goto invalid_option;
+			}
+			break;
+		case 'x':
+			switch (cmd[2]) {
+			case 'p':
+				switch (cmd[3]) {
+				case 'a':
+					FULLCHECK("expandaaaa");
+					lookup->expandaaaa = state;
+					break;
+				case 'i':
+					FULLCHECK("expire");
+					lookup->expire = state;
+					break;
+				default:
+					goto invalid_option;
+				}
+				break;
+			default:
+				goto invalid_option;
+			}
+			break;
+		default:
+			goto invalid_option;
+		}
+		break;
+	case 'f': /* fail */
+		FULLCHECK("fail");
+		lookup->servfail_stops = state;
+		break;
+	case 'h':
+		FULLCHECK("header-only");
+		lookup->header_only = state;
+		break;
+	case 'i':
+		switch (cmd[1]) {
+		case 'd': /* identify */
+			switch (cmd[2]) {
+			case 'e':
+				FULLCHECK("identify");
+				lookup->identify = state;
+				break;
+			case 'n':
+				switch (cmd[3]) {
+				case 'i':
+					FULLCHECK("idnin");
+#ifndef HAVE_LIBIDN2
+					fprintf(stderr, ";; IDN input support"
+							" not enabled\n");
+#else  /* ifndef HAVE_LIBIDN2 */
+					lookup->idnin = state;
+#endif /* ifndef HAVE_LIBIDN2 */
+					break;
+				case 'o':
+					FULLCHECK("idnout");
+#ifndef HAVE_LIBIDN2
+					fprintf(stderr, ";; IDN output support"
+							" not enabled\n");
+#else  /* ifndef HAVE_LIBIDN2 */
+					lookup->idnout = state;
+#endif /* ifndef HAVE_LIBIDN2 */
+					break;
+				default:
+					goto invalid_option;
+				}
+				break;
+			default:
+				goto invalid_option;
+			}
+			break;
+		case 'g': /* ignore */
+		default:  /*
+			   * Inherits default for compatibility (+[no]i*).
+			   */
+			FULLCHECK("ignore");
+			lookup->ignore = state;
+		}
+		break;
+	case 'k':
+		switch (cmd[1]) {
+		case 'e':
+			switch (cmd[2]) {
+			case 'e':
+				switch (cmd[3]) {
+				case 'p':
+					switch (cmd[4]) {
+					case 'a':
+						FULLCHECK("keepalive");
+						lookup->tcp_keepalive = state;
+						break;
+					case 'o':
+						FULLCHECK("keepopen");
+						keep_open = state;
+						break;
+					default:
+						goto invalid_option;
+					}
+					break;
+				default:
+					goto invalid_option;
+				}
+				break;
+			default:
+				goto invalid_option;
+			}
+			break;
+		default:
+			goto invalid_option;
+		}
+		break;
+	case 'm': /* multiline */
+		switch (cmd[1]) {
+		case 'a':
+			FULLCHECK("mapped");
+			lookup->mapped = state;
+			break;
+		case 'u':
+			FULLCHECK("multiline");
+			lookup->multiline = state;
+			break;
+		default:
+			goto invalid_option;
+		}
+		break;
+	case 'n':
+		switch (cmd[1]) {
+		case 'd': /* ndots */
+			FULLCHECK("ndots");
+			if (value == NULL) {
+				goto need_value;
+			}
+			if (!state) {
+				goto invalid_option;
+			}
+			result = parse_uint(&num, value, MAXNDOTS, "ndots");
+			if (result != ISC_R_SUCCESS) {
+				warn("Couldn't parse ndots");
+				goto exit_or_usage;
+			}
+			ndots = num;
+			break;
+		case 's':
+			switch (cmd[2]) {
+			case 'i': /* nsid */
+				FULLCHECK("nsid");
+				if (state && lookup->edns == -1) {
+					lookup->edns = DEFAULT_EDNS_VERSION;
+				}
+				lookup->nsid = state;
+				break;
+			case 's': /* nssearch */
+				FULLCHECK("nssearch");
+				lookup->ns_search_only = state;
+				if (state) {
+					lookup->trace_root = true;
+					lookup->recurse = true;
+					lookup->identify = true;
+					lookup->stats = false;
+					lookup->comments = false;
+					lookup->section_additional = false;
+					lookup->section_authority = false;
+					lookup->section_question = false;
+					lookup->rdtype = dns_rdatatype_ns;
+					lookup->rdtypeset = true;
+					short_form = true;
+					lookup->rrcomments = 0;
+				}
+				break;
+			default:
+				goto invalid_option;
+			}
+			break;
+		default:
+			goto invalid_option;
+		}
+		break;
+	case 'o':
+		switch (cmd[1]) {
+		case 'n':
+			FULLCHECK("onesoa");
+			lookup->onesoa = state;
+			break;
+		case 'p':
+			FULLCHECK("opcode");
+			if (!state) {
+				lookup->opcode = 0; /* default - query */
+				break;
+			}
+			if (value == NULL) {
+				goto need_value;
+			}
+			for (num = 0;
+			     num < sizeof(opcodetext) / sizeof(opcodetext[0]);
+			     num++)
+			{
+				if (strcasecmp(opcodetext[num], value) == 0) {
+					break;
+				}
+			}
+			if (num < 16) {
+				lookup->opcode = (dns_opcode_t)num;
+				break;
+			}
+			result = parse_uint(&num, value, 15, "opcode");
+			if (result != ISC_R_SUCCESS) {
+				warn("Couldn't parse opcode");
+				goto exit_or_usage;
+			}
+			lookup->opcode = (dns_opcode_t)num;
+			break;
+		default:
+			goto invalid_option;
+		}
+		break;
+	case 'p':
+		FULLCHECK("padding");
+		if (state && lookup->edns == -1) {
+			lookup->edns = DEFAULT_EDNS_VERSION;
+		}
+		if (value == NULL) {
+			goto need_value;
+		}
+		result = parse_uint(&num, value, 512, "padding");
+		if (result != ISC_R_SUCCESS) {
+			warn("Couldn't parse padding");
+			goto exit_or_usage;
+		}
+		lookup->padding = (uint16_t)num;
+		break;
+	case 'q':
+		switch (cmd[1]) {
+		case 'r': /* qr */
+			FULLCHECK("qr");
+			lookup->qr = state;
+			break;
+		case 'u': /* question */
+			FULLCHECK("question");
+			lookup->section_question = state;
+			if (lookup == default_lookup) {
+				plusquest = state;
+			}
+			break;
+		default:
+			goto invalid_option;
+		}
+		break;
+	case 'r':
+		switch (cmd[1]) {
+		case 'a': /* raflag */
+			FULLCHECK("raflag");
+			lookup->raflag = state;
+			break;
+		case 'd': /* rdflag */
+			FULLCHECK("rdflag");
+			lookup->recurse = state;
+			break;
+		case 'e':
+			switch (cmd[2]) {
+			case 'c': /* recurse */
+				FULLCHECK("recurse");
+				lookup->recurse = state;
+				break;
+			case 't': /* retry / retries */
+				FULLCHECK2("retry", "retries");
+				if (value == NULL) {
+					goto need_value;
+				}
+				if (!state) {
+					goto invalid_option;
+				}
+				result = parse_uint(&lookup->retries, value,
+						    MAXTRIES - 1, "retries");
+				if (result != ISC_R_SUCCESS) {
+					warn("Couldn't parse retries");
+					goto exit_or_usage;
+				}
+				lookup->retries++;
+				break;
+			default:
+				goto invalid_option;
+			}
+			break;
+		case 'r': /* rrcomments */
+			FULLCHECK("rrcomments");
+			lookup->rrcomments = state ? 1 : -1;
+			break;
+		default:
+			goto invalid_option;
+		}
+		break;
+	case 's':
+		switch (cmd[1]) {
+		case 'e': /* search */
+			FULLCHECK("search");
+			if (!lookup->trace) {
+				usesearch = state;
+			}
+			break;
+		case 'h':
+			if (cmd[2] != 'o') {
+				goto invalid_option;
+			}
+			switch (cmd[3]) {
+			case 'r': /* short */
+				FULLCHECK("short");
+				short_form = state;
+				if (state) {
+					printcmd = false;
+					lookup->section_additional = false;
+					lookup->section_answer = true;
+					lookup->section_authority = false;
+					lookup->section_question = false;
+					lookup->comments = false;
+					lookup->stats = false;
+					lookup->rrcomments = -1;
+				}
+				break;
+			case 'w': /* showsearch */
+				FULLCHECK("showsearch");
+				if (!lookup->trace) {
+					showsearch = state;
+					usesearch = state;
+				}
+				break;
+			default:
+				goto invalid_option;
+			}
+			break;
+		case 'i': /* sigchase */
+			FULLCHECK("sigchase");
+			fprintf(stderr, ";; +sigchase option is deprecated");
+			break;
+		case 'p': /* split */
+			FULLCHECK("split");
+			if (value != NULL && !state) {
+				goto invalid_option;
+			}
+			if (!state) {
+				splitwidth = 0;
+				break;
+			} else if (value == NULL) {
+				break;
+			}
+
+			result = parse_uint(&splitwidth, value, 1023, "split");
+			if ((splitwidth % 4) != 0U) {
+				splitwidth = ((splitwidth + 3) / 4) * 4;
+				fprintf(stderr,
+					";; Warning, split must be "
+					"a multiple of 4; adjusting "
+					"to %u\n",
+					splitwidth);
+			}
+			/*
+			 * There is an adjustment done in the
+			 * totext_<rrtype>() functions which causes
+			 * splitwidth to shrink.  This is okay when we're
+			 * using the default width but incorrect in this
+			 * case, so we correct for it
+			 */
+			if (splitwidth) {
+				splitwidth += 3;
+			}
+			if (result != ISC_R_SUCCESS) {
+				warn("Couldn't parse split");
+				goto exit_or_usage;
+			}
+			break;
+		case 't': /* stats */
+			FULLCHECK("stats");
+			lookup->stats = state;
+			break;
+		case 'u': /* subnet */
+			FULLCHECK("subnet");
+			if (state && value == NULL) {
+				goto need_value;
+			}
+			if (!state) {
+				if (lookup->ecs_addr != NULL) {
+					isc_mem_free(mctx, lookup->ecs_addr);
+					lookup->ecs_addr = NULL;
+				}
+				break;
+			}
+			if (lookup->edns == -1) {
+				lookup->edns = DEFAULT_EDNS_VERSION;
+			}
+			if (lookup->ecs_addr != NULL) {
+				isc_mem_free(mctx, lookup->ecs_addr);
+				lookup->ecs_addr = NULL;
+			}
+			result = parse_netprefix(&lookup->ecs_addr, value);
+			if (result != ISC_R_SUCCESS) {
+				warn("Couldn't parse client");
+				goto exit_or_usage;
+			}
+			break;
+		default:
+			goto invalid_option;
+		}
+		break;
+	case 't':
+		switch (cmd[1]) {
+		case 'c': /* tcp */
+			switch (cmd[2]) {
+			case 'f':
+				FULLCHECK("tcflag");
+				lookup->tcflag = state;
+				break;
+			case 'p':
+				FULLCHECK("tcp");
+				if (!is_batchfile) {
+					lookup->tcp_mode = state;
+					lookup->tcp_mode_set = true;
+				}
+				break;
+			default:
+				goto invalid_option;
+			}
+			break;
+		case 'i': /* timeout */
+			FULLCHECK("timeout");
+			if (value == NULL) {
+				goto need_value;
+			}
+			if (!state) {
+				goto invalid_option;
+			}
+			result = parse_uint(&timeout, value, MAXTIMEOUT,
+					    "timeout");
+			if (result != ISC_R_SUCCESS) {
+				warn("Couldn't parse timeout");
+				goto exit_or_usage;
+			}
+			if (timeout == 0) {
+				timeout = 1;
+			}
+			break;
+		case 'o':
+			FULLCHECK("topdown");
+			fprintf(stderr, ";; +topdown option is deprecated");
+			break;
+		case 'r':
+			switch (cmd[2]) {
+			case 'a': /* trace */
+				FULLCHECK("trace");
+				lookup->trace = state;
+				lookup->trace_root = state;
+				if (state) {
+					lookup->recurse = true;
+					lookup->identify = true;
+					lookup->comments = false;
+					lookup->rrcomments = 0;
+					lookup->stats = false;
+					lookup->section_additional = false;
+					lookup->section_authority = true;
+					lookup->section_question = false;
+					lookup->dnssec = true;
+					lookup->sendcookie = true;
+					usesearch = false;
+				}
+				break;
+			case 'i': /* tries */
+				FULLCHECK("tries");
+				if (value == NULL) {
+					goto need_value;
+				}
+				if (!state) {
+					goto invalid_option;
+				}
+				result = parse_uint(&lookup->retries, value,
+						    MAXTRIES, "tries");
+				if (result != ISC_R_SUCCESS) {
+					warn("Couldn't parse tries");
+					goto exit_or_usage;
+				}
+				if (lookup->retries == 0) {
+					lookup->retries = 1;
+				}
+				break;
+			case 'u': /* trusted-key */
+				FULLCHECK("trusted-key");
+				fprintf(stderr, ";; +trusted-key option is "
+						"deprecated");
+				break;
+			default:
+				goto invalid_option;
+			}
+			break;
+		case 't':
+			switch (cmd[2]) {
+			case 'l':
+				switch (cmd[3]) {
+				case 0:
+				case 'i': /* ttlid */
+					FULLCHECK2("ttl", "ttlid");
+					lookup->nottl = !state;
+					break;
+				case 'u': /* ttlunits */
+					FULLCHECK("ttlunits");
+					lookup->nottl = false;
+					lookup->ttlunits = state;
+					break;
+				default:
+					goto invalid_option;
+				}
+				break;
+			default:
+				goto invalid_option;
+			}
+			break;
+		default:
+			goto invalid_option;
+		}
+		break;
+	case 'u':
+		switch (cmd[1]) {
+		case 'n':
+			switch (cmd[2]) {
+			case 'e':
+				FULLCHECK("unexpected");
+				lookup->accept_reply_unexpected_src = state;
+				break;
+			case 'k':
+				FULLCHECK("unknownformat");
+				lookup->print_unknown_format = state;
+				break;
+			default:
+				goto invalid_option;
+			}
+			break;
+		default:
+			goto invalid_option;
+		}
+
+		break;
+	case 'v':
+		FULLCHECK("vc");
+		if (!is_batchfile) {
+			lookup->tcp_mode = state;
+			lookup->tcp_mode_set = true;
+		}
+		break;
+	case 'y': /* yaml */
+		FULLCHECK("yaml");
+		yaml = state;
+		if (state) {
+			printcmd = false;
+			lookup->stats = false;
+			lookup->rrcomments = -1;
+		}
+		break;
+	case 'z': /* zflag */
+		FULLCHECK("zflag");
+		lookup->zflag = state;
+		break;
+	default:
+	invalid_option:
+	need_value:
+#if TARGET_OS_IPHONE
+	exit_or_usage:
+#endif /* if TARGET_OS_IPHONE */
+		fprintf(stderr, "Invalid option: +%s\n", option);
+		usage();
+	}
+	return;
+
+#if !TARGET_OS_IPHONE
+exit_or_usage:
+	digexit();
+#endif /* if !TARGET_OS_IPHONE */
+}
+
+/*%
+ * #true returned if value was used
+ */
+static const char *single_dash_opts = "46dhimnruv";
+static const char *dash_opts = "46bcdfhikmnpqrtvyx";
+static bool
+dash_option(char *option, char *next, dig_lookup_t **lookup,
+	    bool *open_type_class, bool *need_clone, bool config_only, int argc,
+	    char **argv, bool *firstarg) {
+	char opt, *value, *ptr, *ptr2, *ptr3, *last;
+	isc_result_t result;
+	bool value_from_next;
+	isc_textregion_t tr;
+	dns_rdatatype_t rdtype;
+	dns_rdataclass_t rdclass;
+	char textname[MXNAME];
+	struct in_addr in4;
+	struct in6_addr in6;
+	in_port_t srcport;
+	char *hash, *cmd;
+	uint32_t num;
+
+	while (strpbrk(option, single_dash_opts) == &option[0]) {
+		/*
+		 * Since the -[46dhimnuv] options do not take an argument,
+		 * account for them (in any number and/or combination)
+		 * if they appear as the first character(s) of a q-opt.
+		 */
+		opt = option[0];
+		switch (opt) {
+		case '4':
+			if (have_ipv4) {
+				isc_net_disableipv6();
+				have_ipv6 = false;
+			} else {
+				fatal("can't find IPv4 networking");
+				UNREACHABLE();
+				return (false);
+			}
+			break;
+		case '6':
+			if (have_ipv6) {
+				isc_net_disableipv4();
+				have_ipv4 = false;
+			} else {
+				fatal("can't find IPv6 networking");
+				UNREACHABLE();
+				return (false);
+			}
+			break;
+		case 'd':
+			ptr = strpbrk(&option[1], dash_opts);
+			if (ptr != &option[1]) {
+				cmd = option;
+				FULLCHECK("debug");
+				debugging = true;
+				return (false);
+			} else {
+				debugging = true;
+			}
+			break;
+		case 'h':
+			help();
+			exit(0);
+			break;
+		case 'i':
+			/* deprecated */
+			break;
+		case 'm': /* memdebug */
+			/* memdebug is handled in preparse_args() */
+			break;
+		case 'n':
+			/* deprecated */
+			break;
+		case 'r':
+			debug("digrc (late)");
+			digrc = false;
+			break;
+		case 'u':
+			(*lookup)->use_usec = true;
+			break;
+		case 'v':
+			version();
+			exit(0);
+			break;
+		}
+		if (strlen(option) > 1U) {
+			option = &option[1];
+		} else {
+			return (false);
+		}
+	}
+	opt = option[0];
+	if (strlen(option) > 1U) {
+		value_from_next = false;
+		value = &option[1];
+	} else {
+		value_from_next = true;
+		value = next;
+	}
+	if (value == NULL) {
+		goto invalid_option;
+	}
+	switch (opt) {
+	case 'b':
+		hash = strchr(value, '#');
+		if (hash != NULL) {
+			result = parse_uint(&num, hash + 1, MAXPORT,
+					    "port number");
+			if (result != ISC_R_SUCCESS) {
+				fatal("Couldn't parse port number");
+			}
+			srcport = num;
+			*hash = '\0';
+		} else {
+			srcport = 0;
+		}
+		if (have_ipv6 && inet_pton(AF_INET6, value, &in6) == 1) {
+			isc_sockaddr_fromin6(&bind_address, &in6, srcport);
+			isc_net_disableipv4();
+		} else if (have_ipv4 && inet_pton(AF_INET, value, &in4) == 1) {
+			isc_sockaddr_fromin(&bind_address, &in4, srcport);
+			isc_net_disableipv6();
+		} else {
+			if (hash != NULL) {
+				*hash = '#';
+			}
+			fatal("invalid address %s", value);
+		}
+		if (hash != NULL) {
+			*hash = '#';
+		}
+		specified_source = true;
+		return (value_from_next);
+	case 'c':
+		if ((*lookup)->rdclassset) {
+			fprintf(stderr, ";; Warning, extra class option\n");
+		}
+		*open_type_class = false;
+		tr.base = value;
+		tr.length = (unsigned int)strlen(value);
+		result = dns_rdataclass_fromtext(&rdclass,
+						 (isc_textregion_t *)&tr);
+		if (result == ISC_R_SUCCESS) {
+			(*lookup)->rdclass = rdclass;
+			(*lookup)->rdclassset = true;
+		} else {
+			fprintf(stderr,
+				";; Warning, ignoring "
+				"invalid class %s\n",
+				value);
+		}
+		return (value_from_next);
+	case 'f':
+		atomic_store(&batchname, (uintptr_t)value);
+		return (value_from_next);
+	case 'k':
+		strlcpy(keyfile, value, sizeof(keyfile));
+		return (value_from_next);
+	case 'p':
+		result = parse_uint(&num, value, MAXPORT, "port number");
+		if (result != ISC_R_SUCCESS) {
+			fatal("Couldn't parse port number");
+		}
+		port = num;
+		return (value_from_next);
+	case 'q':
+		if (!config_only) {
+			if (*need_clone) {
+				(*lookup) = clone_lookup(default_lookup, true);
+			}
+			*need_clone = true;
+			strlcpy((*lookup)->textname, value,
+				sizeof((*lookup)->textname));
+			(*lookup)->trace_root = ((*lookup)->trace ||
+						 (*lookup)->ns_search_only);
+			(*lookup)->new_search = true;
+			if (*firstarg) {
+				printgreeting(argc, argv, *lookup);
+				*firstarg = false;
+			}
+			ISC_LIST_APPEND(lookup_list, (*lookup), link);
+			debug("looking up %s", (*lookup)->textname);
+		}
+		return (value_from_next);
+	case 't':
+		*open_type_class = false;
+		if (strncasecmp(value, "ixfr=", 5) == 0) {
+			rdtype = dns_rdatatype_ixfr;
+			result = ISC_R_SUCCESS;
+		} else {
+			tr.base = value;
+			tr.length = (unsigned int)strlen(value);
+			result = dns_rdatatype_fromtext(
+				&rdtype, (isc_textregion_t *)&tr);
+			if (result == ISC_R_SUCCESS &&
+			    rdtype == dns_rdatatype_ixfr)
+			{
+				result = DNS_R_UNKNOWN;
+			}
+		}
+		if (result == ISC_R_SUCCESS) {
+			if ((*lookup)->rdtypeset) {
+				fprintf(stderr, ";; Warning, "
+						"extra type option\n");
+			}
+			if (rdtype == dns_rdatatype_ixfr) {
+				uint32_t serial;
+				(*lookup)->rdtype = dns_rdatatype_ixfr;
+				(*lookup)->rdtypeset = true;
+				result = parse_uint(&serial, &value[5],
+						    MAXSERIAL, "serial number");
+				if (result != ISC_R_SUCCESS) {
+					fatal("Couldn't parse serial number");
+				}
+				(*lookup)->ixfr_serial = serial;
+				(*lookup)->section_question = plusquest;
+				(*lookup)->comments = pluscomm;
+				if (!(*lookup)->tcp_mode_set) {
+					(*lookup)->tcp_mode = true;
+				}
+			} else {
+				(*lookup)->rdtype = rdtype;
+				if (!config_only) {
+					(*lookup)->rdtypeset = true;
+				}
+				if (rdtype == dns_rdatatype_axfr) {
+					(*lookup)->section_question = plusquest;
+					(*lookup)->comments = pluscomm;
+				} else if (rdtype == dns_rdatatype_any) {
+					if (!(*lookup)->tcp_mode_set) {
+						(*lookup)->tcp_mode = true;
+					}
+				}
+				(*lookup)->ixfr_serial = false;
+			}
+		} else {
+			fprintf(stderr,
+				";; Warning, ignoring "
+				"invalid type %s\n",
+				value);
+		}
+		return (value_from_next);
+	case 'y':
+		if ((ptr = strtok_r(value, ":", &last)) == NULL) {
+			usage();
+		}
+		if ((ptr2 = strtok_r(NULL, ":", &last)) == NULL) { /* name or
+								    * secret */
+			usage();
+		}
+		if ((ptr3 = strtok_r(NULL, ":", &last)) != NULL) { /* secret or
+								    * NULL */
+			parse_hmac(ptr);
+			ptr = ptr2;
+			ptr2 = ptr3;
+		} else {
+			hmacname = DNS_TSIG_HMACMD5_NAME;
+			digestbits = 0;
+		}
+		/* XXXONDREJ: FIXME */
+		strlcpy(keynametext, ptr, sizeof(keynametext));
+		strlcpy(keysecret, ptr2, sizeof(keysecret));
+		return (value_from_next);
+	case 'x':
+		if (*need_clone) {
+			*lookup = clone_lookup(default_lookup, true);
+		}
+		*need_clone = true;
+		if (get_reverse(textname, sizeof(textname), value, false) ==
+		    ISC_R_SUCCESS)
+		{
+			strlcpy((*lookup)->textname, textname,
+				sizeof((*lookup)->textname));
+			debug("looking up %s", (*lookup)->textname);
+			(*lookup)->trace_root = ((*lookup)->trace ||
+						 (*lookup)->ns_search_only);
+			if (!(*lookup)->rdtypeset) {
+				(*lookup)->rdtype = dns_rdatatype_ptr;
+			}
+			if (!(*lookup)->rdclassset) {
+				(*lookup)->rdclass = dns_rdataclass_in;
+			}
+			(*lookup)->new_search = true;
+			if (*firstarg) {
+				printgreeting(argc, argv, *lookup);
+				*firstarg = false;
+			}
+			ISC_LIST_APPEND(lookup_list, *lookup, link);
+		} else {
+			fprintf(stderr, "Invalid IP address %s\n", value);
+			exit(1);
+		}
+		return (value_from_next);
+	invalid_option:
+	default:
+		fprintf(stderr, "Invalid option: -%s\n", option);
+		usage();
+	}
+	UNREACHABLE();
+	return (false);
+}
+
+/*%
+ * Because we may be trying to do memory allocation recording, we're going
+ * to need to parse the arguments for the -m *before* we start the main
+ * argument parsing routine.
+ *
+ * I'd prefer not to have to do this, but I am not quite sure how else to
+ * fix the problem.  Argument parsing in dig involves memory allocation
+ * by its nature, so it can't be done in the main argument parser.
+ */
+static void
+preparse_args(int argc, char **argv) {
+	int rc;
+	char **rv;
+	char *option;
+
+	rc = argc;
+	rv = argv;
+	for (rc--, rv++; rc > 0; rc--, rv++) {
+		if (rv[0][0] != '-') {
+			continue;
+		}
+		option = &rv[0][1];
+		while (strpbrk(option, single_dash_opts) == &option[0]) {
+			switch (option[0]) {
+			case 'd':
+				/* For debugging early startup */
+				debugging = true;
+				break;
+			case 'm':
+				memdebugging = true;
+				isc_mem_debugging = ISC_MEM_DEBUGTRACE |
+						    ISC_MEM_DEBUGRECORD;
+				break;
+			case 'r':
+				/*
+				 * Must be done early, because ~/.digrc
+				 * is read before command line parsing
+				 */
+				debug("digrc (early)");
+				digrc = false;
+				break;
+			case '4':
+				if (ipv6only) {
+					fatal("only one of -4 and -6 allowed");
+				}
+				ipv4only = true;
+				break;
+			case '6':
+				if (ipv4only) {
+					fatal("only one of -4 and -6 allowed");
+				}
+				ipv6only = true;
+				break;
+			}
+			option = &option[1];
+		}
+		if (strlen(option) == 0U) {
+			continue;
+		}
+		/* Look for dash value option. */
+		if (strpbrk(option, dash_opts) != &option[0]) {
+			goto invalid_option;
+		}
+		if (strlen(option) > 1U) {
+			/* value in option. */
+			continue;
+		}
+		/* Dash value is next argument so we need to skip it. */
+		rc--, rv++;
+		/* Handle missing argument */
+		if (rc == 0) {
+		invalid_option:
+			fprintf(stderr, "Invalid option: -%s\n", option);
+			usage();
+		}
+	}
+}
+
+static int
+split_batchline(char *batchline, char **bargv, int len, const char *msg) {
+	int bargc;
+	char *last = NULL;
+
+	REQUIRE(batchline != NULL);
+
+	for (bargc = 1, bargv[bargc] = strtok_r(batchline, " \t\r\n", &last);
+	     bargc < len && bargv[bargc];
+	     bargv[++bargc] = strtok_r(NULL, " \t\r\n", &last))
+	{
+		debug("%s %d: %s", msg, bargc, bargv[bargc]);
+	}
+	return (bargc);
+}
+
+static void
+parse_args(bool is_batchfile, bool config_only, int argc, char **argv) {
+	isc_result_t result;
+	isc_textregion_t tr;
+	bool firstarg = true;
+	dig_lookup_t *lookup = NULL;
+	dns_rdatatype_t rdtype;
+	dns_rdataclass_t rdclass;
+	bool open_type_class = true;
+	char batchline[MXNAME];
+	int bargc;
+	char *bargv[64];
+	int rc;
+	char **rv;
+#ifndef NOPOSIX
+	char *homedir;
+	char rcfile[PATH_MAX];
+#endif /* ifndef NOPOSIX */
+	bool need_clone = true;
+
+	/*
+	 * The semantics for parsing the args is a bit complex; if
+	 * we don't have a host yet, make the arg apply globally,
+	 * otherwise make it apply to the latest host.  This is
+	 * a bit different than the previous versions, but should
+	 * form a consistent user interface.
+	 *
+	 * First, create a "default lookup" which won't actually be used
+	 * anywhere, except for cloning into new lookups
+	 */
+
+	debug("parse_args()");
+	if (!is_batchfile) {
+		debug("making new lookup");
+		default_lookup = make_empty_lookup();
+		default_lookup->adflag = true;
+		default_lookup->edns = DEFAULT_EDNS_VERSION;
+		default_lookup->sendcookie = true;
+
+#ifndef NOPOSIX
+		/*
+		 * Treat ${HOME}/.digrc as a special batchfile
+		 */
+		INSIST(batchfp == NULL);
+		homedir = getenv("HOME");
+		if (homedir != NULL && digrc) {
+			unsigned int n;
+			debug("digrc (open)");
+			n = snprintf(rcfile, sizeof(rcfile), "%s/.digrc",
+				     homedir);
+			if (n < sizeof(rcfile)) {
+				batchfp = fopen(rcfile, "r");
+			}
+		}
+		if (batchfp != NULL) {
+			while (fgets(batchline, sizeof(batchline), batchfp) !=
+			       0)
+			{
+				debug("config line %s", batchline);
+				bargc = split_batchline(batchline, bargv, 62,
+							".digrc argv");
+				bargv[0] = argv[0];
+				argv0 = argv[0];
+				parse_args(true, true, bargc, (char **)bargv);
+			}
+			fclose(batchfp);
+		}
+#endif /* ifndef NOPOSIX */
+	}
+
+	if (is_batchfile && !config_only) {
+		/* Processing '-f batchfile'. */
+		lookup = clone_lookup(default_lookup, true);
+		need_clone = false;
+	} else {
+		lookup = default_lookup;
+	}
+
+	rc = argc;
+	rv = argv;
+	for (rc--, rv++; rc > 0; rc--, rv++) {
+		debug("main parsing %s", rv[0]);
+		if (strncmp(rv[0], "%", 1) == 0) {
+			break;
+		}
+		if (rv[0][0] == '@') {
+			if (is_batchfile && !config_only) {
+				addresscount = getaddresses(lookup, &rv[0][1],
+							    &result);
+				if (addresscount == 0) {
+					fprintf(stderr,
+						"couldn't get address "
+						"for '%s': %s: skipping "
+						"lookup\n",
+						&rv[0][1],
+						isc_result_totext(result));
+					if (ISC_LINK_LINKED(lookup, link)) {
+						ISC_LIST_DEQUEUE(lookup_list,
+								 lookup, link);
+					}
+					destroy_lookup(lookup);
+					return;
+				}
+			} else {
+				addresscount = getaddresses(lookup, &rv[0][1],
+							    NULL);
+				if (addresscount == 0) {
+					fatal("no valid addresses for '%s'\n",
+					      &rv[0][1]);
+				}
+			}
+		} else if (rv[0][0] == '+') {
+			plus_option(&rv[0][1], is_batchfile, lookup);
+		} else if (rv[0][0] == '-') {
+			if (rc <= 1) {
+				if (dash_option(&rv[0][1], NULL, &lookup,
+						&open_type_class, &need_clone,
+						config_only, argc, argv,
+						&firstarg))
+				{
+					rc--;
+					rv++;
+				}
+			} else {
+				if (dash_option(&rv[0][1], rv[1], &lookup,
+						&open_type_class, &need_clone,
+						config_only, argc, argv,
+						&firstarg))
+				{
+					rc--;
+					rv++;
+				}
+			}
+		} else {
+			/*
+			 * Anything which isn't an option
+			 */
+			if (open_type_class) {
+				if (strncasecmp(rv[0], "ixfr=", 5) == 0) {
+					rdtype = dns_rdatatype_ixfr;
+					result = ISC_R_SUCCESS;
+				} else {
+					tr.base = rv[0];
+					tr.length = (unsigned int)strlen(rv[0]);
+					result = dns_rdatatype_fromtext(
+						&rdtype,
+						(isc_textregion_t *)&tr);
+					if (result == ISC_R_SUCCESS &&
+					    rdtype == dns_rdatatype_ixfr)
+					{
+						fprintf(stderr, ";; Warning, "
+								"ixfr requires "
+								"a "
+								"serial "
+								"number\n");
+						continue;
+					}
+				}
+				if (result == ISC_R_SUCCESS) {
+					if (lookup->rdtypeset) {
+						fprintf(stderr, ";; Warning, "
+								"extra type "
+								"option\n");
+					}
+					if (rdtype == dns_rdatatype_ixfr) {
+						uint32_t serial;
+						lookup->rdtype =
+							dns_rdatatype_ixfr;
+						lookup->rdtypeset = true;
+						result = parse_uint(&serial,
+								    &rv[0][5],
+								    MAXSERIAL,
+								    "serial "
+								    "number");
+						if (result != ISC_R_SUCCESS) {
+							fatal("Couldn't parse "
+							      "serial number");
+						}
+						lookup->ixfr_serial = serial;
+						lookup->section_question =
+							plusquest;
+						lookup->comments = pluscomm;
+						if (!lookup->tcp_mode_set) {
+							lookup->tcp_mode = true;
+						}
+					} else {
+						lookup->rdtype = rdtype;
+						lookup->rdtypeset = true;
+						if (rdtype ==
+						    dns_rdatatype_axfr)
+						{
+							lookup->section_question =
+								plusquest;
+							lookup->comments =
+								pluscomm;
+						}
+						if (rdtype ==
+							    dns_rdatatype_any &&
+						    !lookup->tcp_mode_set)
+						{
+							lookup->tcp_mode = true;
+						}
+						lookup->ixfr_serial = false;
+					}
+					continue;
+				}
+				result = dns_rdataclass_fromtext(
+					&rdclass, (isc_textregion_t *)&tr);
+				if (result == ISC_R_SUCCESS) {
+					if (lookup->rdclassset) {
+						fprintf(stderr, ";; Warning, "
+								"extra class "
+								"option\n");
+					}
+					lookup->rdclass = rdclass;
+					lookup->rdclassset = true;
+					continue;
+				}
+			}
+
+			if (!config_only) {
+				if (need_clone) {
+					lookup = clone_lookup(default_lookup,
+							      true);
+				}
+				need_clone = true;
+				strlcpy(lookup->textname, rv[0],
+					sizeof(lookup->textname));
+				lookup->trace_root = (lookup->trace ||
+						      lookup->ns_search_only);
+				lookup->new_search = true;
+				if (firstarg) {
+					printgreeting(argc, argv, lookup);
+					firstarg = false;
+				}
+				ISC_LIST_APPEND(lookup_list, lookup, link);
+				debug("looking up %s", lookup->textname);
+			}
+			/* XXX Error message */
+		}
+	}
+
+	/*
+	 * If we have a batchfile, seed the lookup list with the
+	 * first entry, then trust the callback in dighost_shutdown
+	 * to get the rest
+	 */
+	char *filename = (char *)atomic_load(&batchname);
+	if ((filename != NULL) && !(is_batchfile)) {
+		if (strcmp(filename, "-") == 0) {
+			batchfp = stdin;
+		} else {
+			batchfp = fopen(filename, "r");
+		}
+		if (batchfp == NULL) {
+			perror(filename);
+			if (exitcode < 8) {
+				exitcode = 8;
+			}
+			fatal("couldn't open specified batch file");
+		}
+		/* XXX Remove code dup from shutdown code */
+	next_line:
+		if (fgets(batchline, sizeof(batchline), batchfp) != 0) {
+			debug("batch line %s", batchline);
+			if (batchline[0] == '\r' || batchline[0] == '\n' ||
+			    batchline[0] == '#' || batchline[0] == ';')
+			{
+				goto next_line;
+			}
+			bargc = split_batchline(batchline, bargv, 14,
+						"batch argv");
+			bargv[0] = argv[0];
+			argv0 = argv[0];
+			parse_args(true, false, bargc, (char **)bargv);
+			return;
+		}
+		return;
+	}
+	/*
+	 * If no lookup specified, search for root
+	 */
+	if ((lookup_list.head == NULL) && !config_only) {
+		if (need_clone) {
+			lookup = clone_lookup(default_lookup, true);
+		}
+		need_clone = true;
+		lookup->trace_root = (lookup->trace || lookup->ns_search_only);
+		lookup->new_search = true;
+		strlcpy(lookup->textname, ".", sizeof(lookup->textname));
+		lookup->rdtype = dns_rdatatype_ns;
+		lookup->rdtypeset = true;
+		if (firstarg) {
+			printgreeting(argc, argv, lookup);
+			firstarg = false;
+		}
+		ISC_LIST_APPEND(lookup_list, lookup, link);
+	}
+	if (!need_clone) {
+		destroy_lookup(lookup);
+	}
+}
+
+/*
+ * Callback from dighost.c to allow program-specific shutdown code.
+ * Here, we're possibly reading from a batch file, then shutting down
+ * for real if there's nothing in the batch file to read.
+ */
+static void
+query_finished(void) {
+	char batchline[MXNAME];
+	int bargc;
+	char *bargv[16];
+
+	if (atomic_load(&batchname) == 0) {
+		isc_app_shutdown();
+		return;
+	}
+
+	fflush(stdout);
+	if (feof(batchfp)) {
+		atomic_store(&batchname, 0);
+		isc_app_shutdown();
+		if (batchfp != stdin) {
+			fclose(batchfp);
+		}
+		return;
+	}
+
+	if (fgets(batchline, sizeof(batchline), batchfp) != 0) {
+		debug("batch line %s", batchline);
+		bargc = split_batchline(batchline, bargv, 14, "batch argv");
+		bargv[0] = argv0;
+		parse_args(true, false, bargc, (char **)bargv);
+		start_lookup();
+	} else {
+		atomic_store(&batchname, 0);
+		if (batchfp != stdin) {
+			fclose(batchfp);
+		}
+		isc_app_shutdown();
+		return;
+	}
+}
+
+static void
+dig_error(const char *format, ...) {
+	va_list args;
+
+	if (yaml) {
+		printf("-\n");
+		printf("  type: DIG_ERROR\n");
+
+		/*
+		 * Print an indent before a literal block quote.
+		 * Note: this will break if used to print more than
+		 * one line of text as only the first line would be
+		 * indented.
+		 */
+		printf("  message: |\n");
+		printf("    ");
+	} else {
+		printf(";; ");
+	}
+
+	va_start(args, format);
+	vprintf(format, args);
+	va_end(args);
+
+	if (!yaml) {
+		printf("\n");
+	}
+}
+
+static void
+dig_warning(const char *format, ...) {
+	va_list args;
+
+	if (!yaml) {
+		printf(";; ");
+
+		va_start(args, format);
+		vprintf(format, args);
+		va_end(args);
+
+		printf("\n");
+	}
+}
+
+static void
+dig_comments(dig_lookup_t *lookup, const char *format, ...) {
+	va_list args;
+
+	if (lookup->comments && !yaml) {
+		printf(";; ");
+
+		va_start(args, format);
+		vprintf(format, args);
+		va_end(args);
+
+		printf("\n");
+	}
+}
+
+void
+dig_setup(int argc, char **argv) {
+	isc_result_t result;
+
+	ISC_LIST_INIT(lookup_list);
+	ISC_LIST_INIT(server_list);
+	ISC_LIST_INIT(search_list);
+
+	debug("dig_setup()");
+
+	/* setup dighost callbacks */
+	dighost_printmessage = printmessage;
+	dighost_received = received;
+	dighost_trying = trying;
+	dighost_shutdown = query_finished;
+	dighost_error = dig_error;
+	dighost_warning = dig_warning;
+	dighost_comments = dig_comments;
+
+	progname = argv[0];
+	preparse_args(argc, argv);
+
+	result = isc_app_start();
+	check_result(result, "isc_app_start");
+
+	setup_libs();
+	setup_system(ipv4only, ipv6only);
+}
+
+void
+dig_query_setup(bool is_batchfile, bool config_only, int argc, char **argv) {
+	debug("dig_query_setup");
+
+	parse_args(is_batchfile, config_only, argc, argv);
+	if (keyfile[0] != 0) {
+		setup_file_key();
+	} else if (keysecret[0] != 0) {
+		setup_text_key();
+	}
+	if (domainopt[0] != '\0') {
+		set_search_domain(domainopt);
+		usesearch = true;
+	}
+}
+
+void
+dig_startup() {
+	isc_result_t result;
+
+	debug("dig_startup()");
+
+	result = isc_app_onrun(mctx, global_task, onrun_callback, NULL);
+	check_result(result, "isc_app_onrun");
+	isc_app_run();
+}
+
+void
+dig_query_start() {
+	start_lookup();
+}
+
+void
+dig_shutdown() {
+	destroy_lookup(default_lookup);
+	if (atomic_load(&batchname) != 0) {
+		if (batchfp != stdin) {
+			fclose(batchfp);
+		}
+		atomic_store(&batchname, 0);
+	}
+	cancel_all();
+	destroy_libs();
+	isc_app_finish();
+}
+
+/*% Main processing routine for dig */
+int
+main(int argc, char **argv) {
+	dig_setup(argc, argv);
+	dig_query_setup(false, false, argc, argv);
+	dig_startup();
+	dig_shutdown();
+
+	return (exitcode);
+}
diff --git a/bin/dig/dig.rst b/bin/dig/dig.rst
new file mode 100644
index 0000000..d27b1fd
--- /dev/null
+++ b/bin/dig/dig.rst
@@ -0,0 +1,645 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. highlight: console
+
+.. _man_dig:
+
+dig - DNS lookup utility
+------------------------
+
+Synopsis
+~~~~~~~~
+:program:`dig` [@server] [**-b** address] [**-c** class] [**-f** filename] [**-k** filename] [**-m**] [**-p** port#] [**-q** name] [**-t** type] [**-v**] [**-x** addr] [**-y** [hmac:]name:key] [ [**-4**] | [**-6**] ] [name] [type] [class] [queryopt...]
+
+:program:`dig` [**-h**]
+
+:program:`dig` [global-queryopt...] [query...]
+
+Description
+~~~~~~~~~~~
+
+``dig`` is a flexible tool for interrogating DNS name servers. It
+performs DNS lookups and displays the answers that are returned from the
+name server(s) that were queried. Most DNS administrators use ``dig`` to
+troubleshoot DNS problems because of its flexibility, ease of use, and
+clarity of output. Other lookup tools tend to have less functionality
+than ``dig``.
+
+Although ``dig`` is normally used with command-line arguments, it also
+has a batch mode of operation for reading lookup requests from a file. A
+brief summary of its command-line arguments and options is printed when
+the ``-h`` option is given. The BIND 9
+implementation of ``dig`` allows multiple lookups to be issued from the
+command line.
+
+Unless it is told to query a specific name server, ``dig`` tries each
+of the servers listed in ``/etc/resolv.conf``. If no usable server
+addresses are found, ``dig`` sends the query to the local host.
+
+When no command-line arguments or options are given, ``dig``
+performs an NS query for "." (the root).
+
+It is possible to set per-user defaults for ``dig`` via
+``${HOME}/.digrc``. This file is read and any options in it are applied
+before the command-line arguments. The ``-r`` option disables this
+feature, for scripts that need predictable behavior.
+
+The IN and CH class names overlap with the IN and CH top-level domain
+names. Either use the ``-t`` and ``-c`` options to specify the type and
+class, use the ``-q`` to specify the domain name, or use "IN." and
+"CH." when looking up these top-level domains.
+
+Simple Usage
+~~~~~~~~~~~~
+
+A typical invocation of ``dig`` looks like:
+
+::
+
+    dig @server name type
+
+where:
+
+``server``
+   is the name or IP address of the name server to query. This can be an
+   IPv4 address in dotted-decimal notation or an IPv6 address in
+   colon-delimited notation. When the supplied ``server`` argument is a
+   hostname, ``dig`` resolves that name before querying that name
+   server.
+
+   If no ``server`` argument is provided, ``dig`` consults
+   ``/etc/resolv.conf``; if an address is found there, it queries the
+   name server at that address. If either of the ``-4`` or ``-6``
+   options are in use, then only addresses for the corresponding
+   transport are tried. If no usable addresses are found, ``dig``
+   sends the query to the local host. The reply from the name server
+   that responds is displayed.
+
+``name``
+   is the name of the resource record that is to be looked up.
+
+``type``
+   indicates what type of query is required - ANY, A, MX, SIG, etc.
+   ``type`` can be any valid query type. If no ``type`` argument is
+   supplied, ``dig`` performs a lookup for an A record.
+
+Options
+~~~~~~~
+
+``-4``
+   This option indicates that only IPv4 should be used.
+
+``-6``
+   This option indicates that only IPv6 should be used.
+
+``-b address[#port]``
+   This option sets the source IP address of the query. The ``address`` must be a
+   valid address on one of the host's network interfaces, or "0.0.0.0"
+   or "::". An optional port may be specified by appending ``#port``.
+
+``-c class``
+   This option sets the query class. The default ``class`` is IN; other classes are
+   HS for Hesiod records or CH for Chaosnet records.
+
+``-f file``
+   This option sets batch mode, in which ``dig`` reads a list of lookup requests to process from
+   the given ``file``. Each line in the file should be organized in the
+   same way it would be presented as a query to ``dig`` using the
+   command-line interface.
+
+``-k keyfile``
+   This option tells ``named`` to sign queries using TSIG using a key read from the given file. Key
+   files can be generated using ``tsig-keygen``. When using TSIG
+   authentication with ``dig``, the name server that is queried needs to
+   know the key and algorithm that is being used. In BIND, this is done
+   by providing appropriate ``key`` and ``server`` statements in
+   ``named.conf``.
+
+``-m``
+   This option enables memory usage debugging.
+
+``-p port``
+   This option sends the query to a non-standard port on the server, instead of the
+   default port 53. This option is used to test a name server that
+   has been configured to listen for queries on a non-standard port
+   number.
+
+``-q name``
+   This option specifies the domain name to query. This is useful to distinguish the ``name``
+   from other arguments.
+
+``-r``
+   This option indicates that options from ``${HOME}/.digrc`` should not be read. This is useful for
+   scripts that need predictable behavior.
+
+``-t type``
+   This option indicates the resource record type to query, which can be any valid query type. If
+   it is a resource record type supported in BIND 9, it can be given by
+   the type mnemonic (such as ``NS`` or ``AAAA``). The default query type is
+   ``A``, unless the ``-x`` option is supplied to indicate a reverse
+   lookup. A zone transfer can be requested by specifying a type of
+   AXFR. When an incremental zone transfer (IXFR) is required, set the
+   ``type`` to ``ixfr=N``. The incremental zone transfer contains
+   all changes made to the zone since the serial number in the zone's
+   SOA record was ``N``.
+
+   All resource record types can be expressed as ``TYPEnn``, where ``nn`` is
+   the number of the type. If the resource record type is not supported
+   in BIND 9, the result is displayed as described in :rfc:`3597`.
+
+``-u``
+   This option indicates that print query times should be provided in microseconds instead of milliseconds.
+
+``-v``
+   This option prints the version number and exits.
+
+``-x addr``
+   This option sets simplified reverse lookups, for mapping addresses to names. The
+   ``addr`` is an IPv4 address in dotted-decimal notation, or a
+   colon-delimited IPv6 address. When the ``-x`` option is used, there is no
+   need to provide the ``name``, ``class``, and ``type`` arguments.
+   ``dig`` automatically performs a lookup for a name like
+   ``94.2.0.192.in-addr.arpa`` and sets the query type and class to PTR
+   and IN respectively. IPv6 addresses are looked up using nibble format
+   under the IP6.ARPA domain.
+
+``-y [hmac:]keyname:secret``
+   This option signs queries using TSIG with the given authentication key.
+   ``keyname`` is the name of the key, and ``secret`` is the
+   base64-encoded shared secret. ``hmac`` is the name of the key algorithm;
+   valid choices are ``hmac-md5``, ``hmac-sha1``, ``hmac-sha224``,
+   ``hmac-sha256``, ``hmac-sha384``, or ``hmac-sha512``. If ``hmac`` is
+   not specified, the default is ``hmac-md5``; if MD5 was disabled, the default is
+   ``hmac-sha256``.
+
+.. note:: Only the ``-k`` option should be used, rather than the ``-y`` option,
+   because with ``-y`` the shared secret is supplied as a command-line
+   argument in clear text. This may be visible in the output from ``ps1`` or
+   in a history file maintained by the user's shell.
+
+Query Options
+~~~~~~~~~~~~~
+
+``dig`` provides a number of query options which affect the way in which
+lookups are made and the results displayed. Some of these set or reset
+flag bits in the query header, some determine which sections of the
+answer get printed, and others determine the timeout and retry
+strategies.
+
+Each query option is identified by a keyword preceded by a plus sign
+(``+``). Some keywords set or reset an option; these may be preceded by
+the string ``no`` to negate the meaning of that keyword. Other keywords
+assign values to options, like the timeout interval. They have the form
+``+keyword=value``. Keywords may be abbreviated, provided the
+abbreviation is unambiguous; for example, ``+cd`` is equivalent to
+``+cdflag``. The query options are:
+
+``+[no]aaflag``
+   This option is a synonym for ``+[no]aaonly``.
+
+``+[no]aaonly``
+   This option sets the ``aa`` flag in the query.
+
+``+[no]additional``
+   This option displays [or does not display] the additional section of a reply. The
+   default is to display it.
+
+``+[no]adflag``
+   This option sets [or does not set] the AD (authentic data) bit in the query. This
+   requests the server to return whether all of the answer and authority
+   sections have been validated as secure, according to the security
+   policy of the server. ``AD=1`` indicates that all records have been
+   validated as secure and the answer is not from a OPT-OUT range. ``AD=0``
+   indicates that some part of the answer was insecure or not validated.
+   This bit is set by default.
+
+``+[no]all``
+   This option sets or clears all display flags.
+
+``+[no]answer``
+   This option displays [or does not display] the answer section of a reply. The default
+   is to display it.
+
+``+[no]authority``
+   This option displays [or does not display] the authority section of a reply. The
+   default is to display it.
+
+``+[no]badcookie``
+   This option retries the lookup with a new server cookie if a BADCOOKIE response is
+   received.
+
+``+[no]besteffort``
+   This option attempts to display the contents of messages which are malformed. The
+   default is to not display malformed answers.
+
+``+bufsize[=B]``
+   This option sets the UDP message buffer size advertised using EDNS0
+   to ``B`` bytes.  The maximum and minimum sizes of this buffer are
+   65535 and 0, respectively.  ``+bufsize=0`` disables EDNS (use
+   ``+bufsize=0 +edns`` to send an EDNS message with an advertised size
+   of 0 bytes). ``+bufsize`` restores the default buffer size.
+
+``+[no]cdflag``
+   This option sets [or does not set] the CD (checking disabled) bit in the query. This
+   requests the server to not perform DNSSEC validation of responses.
+
+``+[no]class``
+   This option displays [or does not display] the CLASS when printing the record.
+
+``+[no]cmd``
+   This option toggles the printing of the initial comment in the output, identifying the
+   version of ``dig`` and the query options that have been applied. This option
+   always has a global effect; it cannot be set globally and then overridden on a
+   per-lookup basis. The default is to print this comment.
+
+``+[no]comments``
+   This option toggles the display of some comment lines in the output, with
+   information about the packet header and OPT pseudosection, and the names of
+   the response section. The default is to print these comments.
+
+   Other types of comments in the output are not affected by this option, but
+   can be controlled using other command-line switches. These include
+   ``+[no]cmd``, ``+[no]question``, ``+[no]stats``, and ``+[no]rrcomments``.
+
+``+[no]cookie=####``
+   This option sends [or does not send] a COOKIE EDNS option, with an optional value. Replaying a COOKIE
+   from a previous response allows the server to identify a previous
+   client. The default is ``+cookie``.
+
+   ``+cookie`` is also set when ``+trace`` is set to better emulate the
+   default queries from a nameserver.
+
+``+[no]crypto``
+   This option toggles the display of cryptographic fields in DNSSEC records. The
+   contents of these fields are unnecessary for debugging most DNSSEC
+   validation failures and removing them makes it easier to see the
+   common failures. The default is to display the fields. When omitted,
+   they are replaced by the string ``[omitted]`` or, in the DNSKEY case, the
+   key ID is displayed as the replacement, e.g. ``[ key id = value ]``.
+
+``+[no]defname``
+   This option, which is deprecated, is treated as a synonym for ``+[no]search``.
+
+``+[no]dnssec``
+   This option requests that DNSSEC records be sent by setting the DNSSEC OK (DO) bit in
+   the OPT record in the additional section of the query.
+
+``+domain=somename``
+   This option sets the search list to contain the single domain ``somename``, as if
+   specified in a ``domain`` directive in ``/etc/resolv.conf``, and
+   enables search list processing as if the ``+search`` option were
+   given.
+
+``+dscp=value``
+   This option sets the DSCP code point to be used when sending the query. Valid DSCP
+   code points are in the range [0...63]. By default no code point is
+   explicitly set.
+
+``+[no]edns[=#]``
+   This option specifies the EDNS version to query with. Valid values are 0 to 255.
+   Setting the EDNS version causes an EDNS query to be sent.
+   ``+noedns`` clears the remembered EDNS version. EDNS is set to 0 by
+   default.
+
+``+[no]ednsflags[=#]``
+   This option sets the must-be-zero EDNS flags bits (Z bits) to the specified value.
+   Decimal, hex, and octal encodings are accepted. Setting a named flag
+   (e.g., DO) is silently ignored. By default, no Z bits are set.
+
+``+[no]ednsnegotiation``
+   This option enables/disables EDNS version negotiation. By default, EDNS version
+   negotiation is enabled.
+
+``+[no]ednsopt[=code[:value]]``
+   This option specifies the EDNS option with code point ``code`` and an optional payload
+   of ``value`` as a hexadecimal string. ``code`` can be either an EDNS
+   option name (for example, ``NSID`` or ``ECS``) or an arbitrary
+   numeric value. ``+noednsopt`` clears the EDNS options to be sent.
+
+``+[no]expire``
+   This option sends an EDNS Expire option.
+
+``+[no]fail``
+   This option indicates that ``named`` should try [or not try] the next server if a SERVFAIL is received. The default is
+   to not try the next server, which is the reverse of normal stub
+   resolver behavior.
+
+``+[no]header-only``
+   This option sends a query with a DNS header without a question section. The
+   default is to add a question section. The query type and query name
+   are ignored when this is set.
+
+``+[no]identify``
+   This option shows [or does not show] the IP address and port number that supplied
+   the answer, when the ``+short`` option is enabled. If short form
+   answers are requested, the default is not to show the source address
+   and port number of the server that provided the answer.
+
+``+[no]idnin``
+   This option processes [or does not process] IDN domain names on input. This requires
+   ``IDN SUPPORT`` to have been enabled at compile time.
+
+   The default is to process IDN input when standard output is a tty.
+   The IDN processing on input is disabled when ``dig`` output is redirected
+   to files, pipes, and other non-tty file descriptors.
+
+``+[no]idnout``
+   This option converts [or does not convert] puny code on output. This requires
+   ``IDN SUPPORT`` to have been enabled at compile time.
+
+   The default is to process puny code on output when standard output is
+   a tty. The puny code processing on output is disabled when ``dig`` output
+   is redirected to files, pipes, and other non-tty file descriptors.
+
+``+[no]ignore``
+   This option ignores [or does not ignore] truncation in UDP responses instead of retrying with TCP. By
+   default, TCP retries are performed.
+
+``+[no]keepalive``
+   This option sends [or does not send] an EDNS Keepalive option.
+
+``+[no]keepopen``
+   This option keeps [or does not keep] the TCP socket open between queries, and reuses it rather than
+   creating a new TCP socket for each lookup. The default is
+   ``+nokeepopen``.
+
+``+[no]mapped``
+   This option allows [or does not allow] mapped IPv4-over-IPv6 addresses to be used. The default is
+   ``+mapped``.
+
+``+[no]multiline``
+   This option prints [or does not print] records, like the SOA records, in a verbose multi-line format
+   with human-readable comments. The default is to print each record on
+   a single line to facilitate machine parsing of the ``dig`` output.
+
+``+ndots=D``
+   This option sets the number of dots (``D``) that must appear in ``name`` for
+   it to be considered absolute. The default value is that defined using
+   the ``ndots`` statement in ``/etc/resolv.conf``, or 1 if no ``ndots``
+   statement is present. Names with fewer dots are interpreted as
+   relative names, and are searched for in the domains listed in the
+   ``search`` or ``domain`` directive in ``/etc/resolv.conf`` if
+   ``+search`` is set.
+
+``+[no]nsid``
+   When enabled, this option includes an EDNS name server ID request when sending a query.
+
+``+[no]nssearch``
+   When this option is set, ``dig`` attempts to find the authoritative
+   name servers for the zone containing the name being looked up, and
+   display the SOA record that each name server has for the zone.
+   Addresses of servers that did not respond are also printed.
+
+``+[no]onesoa``
+   When enabled, this option prints only one (starting) SOA record when performing an AXFR. The
+   default is to print both the starting and ending SOA records.
+
+``+[no]opcode=value``
+   When enabled, this option sets (restores) the DNS message opcode to the specified value. The
+   default value is QUERY (0).
+
+``+padding=value``
+   This option pads the size of the query packet using the EDNS Padding option to
+   blocks of ``value`` bytes. For example, ``+padding=32`` causes a
+   48-byte query to be padded to 64 bytes. The default block size is 0,
+   which disables padding; the maximum is 512. Values are ordinarily
+   expected to be powers of two, such as 128; however, this is not
+   mandatory. Responses to padded queries may also be padded, but only
+   if the query uses TCP or DNS COOKIE.
+
+``+[no]qr``
+   This option toggles the display of the query message as it is sent. By default, the query
+   is not printed.
+
+``+[no]question``
+   This option toggles the display of the question section of a query when an answer is
+   returned. The default is to print the question section as a comment.
+
+``+[no]raflag``
+   This option sets [or does not set] the RA (Recursion Available) bit in the query. The
+   default is ``+noraflag``. This bit is ignored by the server for
+   QUERY.
+
+``+[no]rdflag``
+   This option is a synonym for ``+[no]recurse``.
+
+``+[no]recurse``
+   This option toggles the setting of the RD (recursion desired) bit in the query.
+   This bit is set by default, which means ``dig`` normally sends
+   recursive queries. Recursion is automatically disabled when the
+   ``+nssearch`` or ``+trace`` query option is used.
+
+``+retry=T``
+   This option sets the number of times to retry UDP and TCP queries to server to ``T``
+   instead of the default, 2.  Unlike ``+tries``, this does not include
+   the initial query.
+
+``+[no]rrcomments``
+   This option toggles the display of per-record comments in the output (for example,
+   human-readable key information about DNSKEY records). The default is
+   not to print record comments unless multiline mode is active.
+
+``+[no]search``
+   This option uses [or does not use] the search list defined by the searchlist or domain
+   directive in ``resolv.conf``, if any. The search list is not used by
+   default.
+
+   ``ndots`` from ``resolv.conf`` (default 1), which may be overridden by
+   ``+ndots``, determines whether the name is treated as relative
+   and hence whether a search is eventually performed.
+
+``+[no]short``
+   This option toggles whether a terse answer is provided. The default is to print the answer in a verbose
+   form. This option always has a global effect; it cannot be set globally and
+   then overridden on a per-lookup basis.
+
+``+[no]showsearch``
+   This option performs [or does not perform] a search showing intermediate results.
+
+``+[no]sigchase``
+   This feature is now obsolete and has been removed; use ``delv``
+   instead.
+
+``+split=W``
+   This option splits long hex- or base64-formatted fields in resource records into
+   chunks of ``W`` characters (where ``W`` is rounded up to the nearest
+   multiple of 4). ``+nosplit`` or ``+split=0`` causes fields not to be
+   split at all. The default is 56 characters, or 44 characters when
+   multiline mode is active.
+
+``+[no]stats``
+   This option toggles the printing of statistics: when the query was made, the size of the
+   reply, etc. The default behavior is to print the query statistics as a
+   comment after each lookup.
+
+``+[no]subnet=addr[/prefix-length]``
+   This option sends [or does not send] an EDNS CLIENT-SUBNET option with the specified IP
+   address or network prefix.
+
+   ``dig +subnet=0.0.0.0/0``, or simply ``dig +subnet=0`` for short,
+   sends an EDNS CLIENT-SUBNET option with an empty address and a source
+   prefix-length of zero, which signals a resolver that the client's
+   address information must *not* be used when resolving this query.
+
+``+[no]tcflag``
+   This option sets [or does not set] the TC (TrunCation) bit in the query. The default is
+   ``+notcflag``. This bit is ignored by the server for QUERY.
+
+``+[no]tcp``
+   This option uses [or does not use] TCP when querying name servers.
+   The default behavior is to use UDP unless a type ``any`` or
+   ``ixfr=N`` query is requested, in which case the default is TCP.
+   AXFR queries always use TCP. To prevent retry over TCP when TC=1
+   is returned from a UDP query, use ``+ignore``.
+
+``+timeout=T``
+   This option sets the timeout for a query to ``T`` seconds. The default timeout is
+   5 seconds. An attempt to set ``T`` to less than 1 is silently set to 1.
+
+``+[no]topdown``
+   This feature is related to ``dig +sigchase``, which is obsolete and
+   has been removed. Use ``delv`` instead.
+
+``+[no]trace``
+   This option toggles tracing of the delegation path from the root name servers for
+   the name being looked up. Tracing is disabled by default. When
+   tracing is enabled, ``dig`` makes iterative queries to resolve the
+   name being looked up. It follows referrals from the root servers,
+   showing the answer from each server that was used to resolve the
+   lookup.
+
+   If ``@server`` is also specified, it affects only the initial query for
+   the root zone name servers.
+
+   ``+dnssec`` is also set when ``+trace`` is set, to better emulate the
+   default queries from a name server.
+
+``+tries=T``
+   This option sets the number of times to try UDP and TCP queries to server to ``T``
+   instead of the default, 3. If ``T`` is less than or equal to zero,
+   the number of tries is silently rounded up to 1.
+
+``+trusted-key=####``
+   This option formerly specified trusted keys for use with ``dig +sigchase``. This
+   feature is now obsolete and has been removed; use ``delv`` instead.
+
+``+[no]ttlid``
+   This option displays [or does not display] the TTL when printing the record.
+
+``+[no]ttlunits``
+   This option displays [or does not display] the TTL in friendly human-readable time
+   units of ``s``, ``m``, ``h``, ``d``, and ``w``, representing seconds, minutes,
+   hours, days, and weeks. This implies ``+ttlid``.
+
+``+[no]unexpected``
+   This option accepts [or does not accept] answers from unexpected sources.  By default, ``dig``
+   will not accept a reply from a source other than the one to which it sent the
+   query.
+
+``+[no]unknownformat``
+   This option prints all RDATA in unknown RR type presentation format (:rfc:`3597`).
+   The default is to print RDATA for known types in the type's
+   presentation format.
+
+``+[no]vc``
+   This option uses [or does not use] TCP when querying name servers. This alternate
+   syntax to ``+[no]tcp`` is provided for backwards compatibility. The
+   ``vc`` stands for "virtual circuit."
+
+``+[no]yaml``
+   When enabled, this option prints the responses (and, if ``+qr`` is in use, also the
+   outgoing queries) in a detailed YAML format.
+
+``+[no]zflag``
+   This option sets [or does not set] the last unassigned DNS header flag in a DNS query.
+   This flag is off by default.
+
+Multiple Queries
+~~~~~~~~~~~~~~~~
+
+The BIND 9 implementation of ``dig`` supports specifying multiple
+queries on the command line (in addition to supporting the ``-f`` batch
+file option). Each of those queries can be supplied with its own set of
+flags, options, and query options.
+
+In this case, each ``query`` argument represents an individual query in
+the command-line syntax described above. Each consists of any of the
+standard options and flags, the name to be looked up, an optional query
+type and class, and any query options that should be applied to that
+query.
+
+A global set of query options, which should be applied to all queries,
+can also be supplied. These global query options must precede the first
+tuple of name, class, type, options, flags, and query options supplied
+on the command line. Any global query options (except ``+[no]cmd`` and
+``+[no]short`` options) can be overridden by a query-specific set of
+query options. For example:
+
+::
+
+   dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
+
+shows how ``dig`` can be used from the command line to make three
+lookups: an ANY query for ``www.isc.org``, a reverse lookup of 127.0.0.1,
+and a query for the NS records of ``isc.org``. A global query option of
+``+qr`` is applied, so that ``dig`` shows the initial query it made for
+each lookup. The final query has a local query option of ``+noqr`` which
+means that ``dig`` does not print the initial query when it looks up the
+NS records for ``isc.org``.
+
+IDN Support
+~~~~~~~~~~~
+
+If ``dig`` has been built with IDN (internationalized domain name)
+support, it can accept and display non-ASCII domain names. ``dig``
+appropriately converts character encoding of a domain name before sending
+a request to a DNS server or displaying a reply from the server.
+To turn off IDN support, use the parameters
+``+noidnin`` and ``+noidnout``, or define the ``IDN_DISABLE`` environment
+variable.
+
+Return Codes
+~~~~~~~~~~~~
+
+``dig`` return codes are:
+
+``0``
+   DNS response received, including NXDOMAIN status
+
+``1``
+   Usage error
+
+``8``
+   Couldn't open batch file
+
+``9``
+   No reply from server
+
+``10``
+   Internal error
+
+Files
+~~~~~
+
+``/etc/resolv.conf``
+
+``${HOME}/.digrc``
+
+See Also
+~~~~~~~~
+
+:manpage:`delv(1)`, :manpage:`host(1)`, :manpage:`named(8)`, :manpage:`dnssec-keygen(8)`, :rfc:`1035`.
+
+Bugs
+~~~~
+
+There are probably too many query options.
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
new file mode 100644
index 0000000..ac7e1fb
--- /dev/null
+++ b/bin/dig/dighost.c
@@ -0,0 +1,4604 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file
+ *  \note
+ * Notice to programmers:  Do not use this code as an example of how to
+ * use the ISC library to perform DNS lookups.  Dig and Host both operate
+ * on the request level, since they allow fine-tuning of output and are
+ * intended as debugging tools.  As a result, they perform many of the
+ * functions which could be better handled using the dns_resolver
+ * functions in most applications.
+ */
+
+#include <errno.h>
+#include <inttypes.h>
+#include <limits.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#ifdef HAVE_LOCALE_H
+#include <locale.h>
+#endif /* ifdef HAVE_LOCALE_H */
+
+#ifdef HAVE_LIBIDN2
+#include <idn2.h>
+#endif /* HAVE_LIBIDN2 */
+
+#include <isc/app.h>
+#include <isc/base64.h>
+#include <isc/file.h>
+#include <isc/hex.h>
+#include <isc/lang.h>
+#include <isc/log.h>
+#include <isc/managers.h>
+#include <isc/netaddr.h>
+#include <isc/netdb.h>
+#include <isc/nonce.h>
+#include <isc/parseint.h>
+#include <isc/print.h>
+#include <isc/random.h>
+#include <isc/result.h>
+#include <isc/safe.h>
+#include <isc/serial.h>
+#include <isc/sockaddr.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <pk11/site.h>
+
+#include <dns/byaddr.h>
+#include <dns/fixedname.h>
+#include <dns/log.h>
+#include <dns/message.h>
+#include <dns/name.h>
+#include <dns/opcode.h>
+#include <dns/rcode.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/tsig.h>
+
+#include <dst/dst.h>
+#include <dst/result.h>
+
+#include <isccfg/namedconf.h>
+
+#include <irs/resconf.h>
+
+#include <bind9/getaddresses.h>
+
+#include <dig/dig.h>
+
+#if USE_PKCS11
+#include <pk11/result.h>
+#endif /* if USE_PKCS11 */
+
+#if !defined(NS_INADDRSZ)
+#define NS_INADDRSZ 4
+#endif /* if !defined(NS_INADDRSZ) */
+
+#if !defined(NS_IN6ADDRSZ)
+#define NS_IN6ADDRSZ 16
+#endif /* if !defined(NS_IN6ADDRSZ) */
+
+#if HAVE_SETLOCALE
+#define systemlocale(l) (void)setlocale(l, "")
+#define resetlocale(l)	(void)setlocale(l, "C")
+#else
+#define systemlocale(l)
+#define resetlocale(l)
+#endif /* HAVE_SETLOCALE */
+
+dig_lookuplist_t lookup_list;
+dig_serverlist_t server_list;
+dig_searchlistlist_t search_list;
+
+bool check_ra = false, have_ipv4 = false, have_ipv6 = false,
+     specified_source = false, free_now = false, cancel_now = false,
+     usesearch = false, showsearch = false, is_dst_up = false,
+     keep_open = false, verbose = false, yaml = false;
+in_port_t port = 53;
+unsigned int timeout = 0;
+unsigned int extrabytes;
+isc_mem_t *mctx = NULL;
+isc_log_t *lctx = NULL;
+isc_nm_t *netmgr = NULL;
+isc_taskmgr_t *taskmgr = NULL;
+isc_task_t *global_task = NULL;
+isc_timermgr_t *timermgr = NULL;
+isc_socketmgr_t *socketmgr = NULL;
+isc_sockaddr_t bind_address;
+isc_sockaddr_t bind_any;
+int sendcount = 0;
+int recvcount = 0;
+int sockcount = 0;
+int ndots = -1;
+int tries = 3;
+int lookup_counter = 0;
+
+static char servercookie[256];
+
+#ifdef HAVE_LIBIDN2
+static void
+idn_locale_to_ace(const char *src, char *dst, size_t dstlen);
+static void
+idn_ace_to_locale(const char *src, char **dst);
+static isc_result_t
+idn_output_filter(isc_buffer_t *buffer, unsigned int used_org);
+#endif /* HAVE_LIBIDN2 */
+
+isc_socket_t *keep = NULL;
+isc_sockaddr_t keepaddr;
+
+/*%
+ * Exit Codes:
+ *
+ *\li	0   Everything went well, including things like NXDOMAIN
+ *\li	1   Usage error
+ *\li	7   Got too many RR's or Names
+ *\li	8   Couldn't open batch file
+ *\li	9   No reply from server
+ *\li	10  Internal error
+ */
+int exitcode = 0;
+int fatalexit = 0;
+char keynametext[MXNAME];
+char keyfile[MXNAME] = "";
+char keysecret[MXNAME] = "";
+unsigned char cookie_secret[33];
+unsigned char cookie[8];
+const dns_name_t *hmacname = NULL;
+unsigned int digestbits = 0;
+isc_buffer_t *namebuf = NULL;
+dns_tsigkey_t *tsigkey = NULL;
+bool validated = true;
+bool debugging = false;
+bool debugtiming = false;
+bool memdebugging = false;
+char *progname = NULL;
+isc_mutex_t lookup_lock;
+dig_lookup_t *current_lookup = NULL;
+
+#define DIG_MAX_ADDRESSES 20
+
+/*%
+ * Apply and clear locks at the event level in global task.
+ * Can I get rid of these using shutdown events?  XXX
+ */
+#define LOCK_LOOKUP                                                       \
+	{                                                                 \
+		debug("lock_lookup %s:%d", __FILE__, __LINE__);           \
+		check_result(isc_mutex_lock((&lookup_lock)), "isc_mutex_" \
+							     "lock");     \
+		debug("success");                                         \
+	}
+#define UNLOCK_LOOKUP                                                       \
+	{                                                                   \
+		debug("unlock_lookup %s:%d", __FILE__, __LINE__);           \
+		check_result(isc_mutex_unlock((&lookup_lock)), "isc_mutex_" \
+							       "unlock");   \
+	}
+
+static void
+default_warnerr(const char *format, ...) {
+	va_list args;
+
+	printf(";; ");
+	va_start(args, format);
+	vprintf(format, args);
+	va_end(args);
+	printf("\n");
+}
+
+static void
+default_comments(dig_lookup_t *lookup, const char *format, ...) {
+	va_list args;
+
+	if (lookup->comments) {
+		printf(";; ");
+		va_start(args, format);
+		vprintf(format, args);
+		va_end(args);
+		printf("\n");
+	}
+}
+
+/* dynamic callbacks */
+
+isc_result_t (*dighost_printmessage)(dig_query_t *query,
+				     const isc_buffer_t *msgbuf,
+				     dns_message_t *msg, bool headers);
+
+void (*dighost_error)(const char *format, ...) = default_warnerr;
+
+void (*dighost_warning)(const char *format, ...) = default_warnerr;
+
+void (*dighost_comments)(dig_lookup_t *lookup, const char *format,
+			 ...) = default_comments;
+
+void (*dighost_received)(unsigned int bytes, isc_sockaddr_t *from,
+			 dig_query_t *query);
+
+void (*dighost_trying)(char *frm, dig_lookup_t *lookup);
+
+void (*dighost_shutdown)(void);
+
+/* forward declarations */
+
+static void
+cancel_lookup(dig_lookup_t *lookup);
+
+static void
+recv_done(isc_task_t *task, isc_event_t *event);
+
+static void
+send_udp(dig_query_t *query);
+
+static void
+connect_timeout(isc_task_t *task, isc_event_t *event);
+
+static void
+launch_next_query(dig_query_t *query, bool include_question);
+
+static void
+check_next_lookup(dig_lookup_t *lookup);
+
+static bool
+next_origin(dig_lookup_t *oldlookup);
+
+static int
+count_dots(char *string) {
+	char *s;
+	int i = 0;
+
+	s = string;
+	while (*s != '\0') {
+		if (*s == '.') {
+			i++;
+		}
+		s++;
+	}
+	return (i);
+}
+
+static void
+hex_dump(isc_buffer_t *b) {
+	unsigned int len, i;
+	isc_region_t r;
+
+	isc_buffer_usedregion(b, &r);
+
+	printf("%u bytes\n", r.length);
+	for (len = 0; len < r.length; len++) {
+		printf("%02x ", r.base[len]);
+		if (len % 16 == 15) {
+			fputs("         ", stdout);
+			for (i = len - 15; i <= len; i++) {
+				if (r.base[i] >= '!' && r.base[i] <= '}') {
+					putchar(r.base[i]);
+				} else {
+					putchar('.');
+				}
+			}
+			printf("\n");
+		}
+	}
+	if (len % 16 != 0) {
+		for (i = len; (i % 16) != 0; i++) {
+			fputs("   ", stdout);
+		}
+		fputs("         ", stdout);
+		for (i = ((len >> 4) << 4); i < len; i++) {
+			if (r.base[i] >= '!' && r.base[i] <= '}') {
+				putchar(r.base[i]);
+			} else {
+				putchar('.');
+			}
+		}
+		printf("\n");
+	}
+}
+
+/*%
+ * Append 'len' bytes of 'text' at '*p', failing with
+ * ISC_R_NOSPACE if that would advance p past 'end'.
+ */
+static isc_result_t
+append(const char *text, size_t len, char **p, char *end) {
+	if (*p + len > end) {
+		return (ISC_R_NOSPACE);
+	}
+	memmove(*p, text, len);
+	*p += len;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+reverse_octets(const char *in, char **p, char *end) {
+	const char *dot = strchr(in, '.');
+	size_t len;
+	if (dot != NULL) {
+		isc_result_t result;
+		result = reverse_octets(dot + 1, p, end);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		result = append(".", 1, p, end);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		len = (int)(dot - in);
+	} else {
+		len = (int)strlen(in);
+	}
+	return (append(in, len, p, end));
+}
+
+isc_result_t
+get_reverse(char *reverse, size_t len, char *value, bool strict) {
+	int r;
+	isc_result_t result;
+	isc_netaddr_t addr;
+
+	addr.family = AF_INET6;
+	r = inet_pton(AF_INET6, value, &addr.type.in6);
+	if (r > 0) {
+		/* This is a valid IPv6 address. */
+		dns_fixedname_t fname;
+		dns_name_t *name;
+		unsigned int options = 0;
+
+		name = dns_fixedname_initname(&fname);
+		result = dns_byaddr_createptrname(&addr, options, name);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		dns_name_format(name, reverse, (unsigned int)len);
+		return (ISC_R_SUCCESS);
+	} else {
+		/*
+		 * Not a valid IPv6 address.  Assume IPv4.
+		 * If 'strict' is not set, construct the
+		 * in-addr.arpa name by blindly reversing
+		 * octets whether or not they look like integers,
+		 * so that this can be used for RFC2317 names
+		 * and such.
+		 */
+		char *p = reverse;
+		char *end = reverse + len;
+		if (strict && inet_pton(AF_INET, value, &addr.type.in) != 1) {
+			return (DNS_R_BADDOTTEDQUAD);
+		}
+		result = reverse_octets(value, &p, end);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		/* Append .in-addr.arpa. and a terminating NUL. */
+		result = append(".in-addr.arpa.", 15, &p, end);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		return (ISC_R_SUCCESS);
+	}
+}
+
+void (*dighost_pre_exit_hook)(void) = NULL;
+
+#if TARGET_OS_IPHONE
+void
+warn(const char *format, ...) {
+	va_list args;
+
+	fflush(stdout);
+	fprintf(stderr, ";; Warning: ");
+	va_start(args, format);
+	vfprintf(stderr, format, args);
+	va_end(args);
+	fprintf(stderr, "\n");
+}
+#else  /* if TARGET_OS_IPHONE */
+void
+warn(const char *format, ...) {
+	va_list args;
+
+	fflush(stdout);
+	fprintf(stderr, "%s: ", progname);
+	va_start(args, format);
+	vfprintf(stderr, format, args);
+	va_end(args);
+	fprintf(stderr, "\n");
+}
+#endif /* if TARGET_OS_IPHONE */
+
+void
+digexit(void) {
+	if (exitcode < 10) {
+		exitcode = 10;
+	}
+	if (fatalexit != 0) {
+		exitcode = fatalexit;
+	}
+	if (dighost_pre_exit_hook != NULL) {
+		dighost_pre_exit_hook();
+	}
+	exit(exitcode);
+}
+
+void
+fatal(const char *format, ...) {
+	va_list args;
+
+	fflush(stdout);
+	fprintf(stderr, "%s: ", progname);
+	va_start(args, format);
+	vfprintf(stderr, format, args);
+	va_end(args);
+	fprintf(stderr, "\n");
+	digexit();
+}
+
+void
+debug(const char *format, ...) {
+	va_list args;
+	isc_time_t t;
+
+	if (debugging) {
+		fflush(stdout);
+		if (debugtiming) {
+			TIME_NOW(&t);
+			fprintf(stderr, "%u.%06u: ", isc_time_seconds(&t),
+				isc_time_nanoseconds(&t) / 1000);
+		}
+		va_start(args, format);
+		vfprintf(stderr, format, args);
+		va_end(args);
+		fprintf(stderr, "\n");
+	}
+}
+
+void
+check_result(isc_result_t result, const char *msg) {
+	if (result != ISC_R_SUCCESS) {
+		fatal("%s: %s", msg, isc_result_totext(result));
+	}
+}
+
+/*%
+ * Create a server structure, which is part of the lookup structure.
+ * This is little more than a linked list of servers to query in hopes
+ * of finding the answer the user is looking for
+ */
+dig_server_t *
+make_server(const char *servname, const char *userarg) {
+	dig_server_t *srv;
+
+	REQUIRE(servname != NULL);
+
+	debug("make_server(%s)", servname);
+	srv = isc_mem_allocate(mctx, sizeof(struct dig_server));
+	strlcpy(srv->servername, servname, MXNAME);
+	strlcpy(srv->userarg, userarg, MXNAME);
+	ISC_LINK_INIT(srv, link);
+	return (srv);
+}
+
+/*%
+ * Create a copy of the server list from the resolver configuration structure.
+ * The dest list must have already had ISC_LIST_INIT applied.
+ */
+static void
+get_server_list(irs_resconf_t *resconf) {
+	isc_sockaddrlist_t *servers;
+	isc_sockaddr_t *sa;
+	dig_server_t *newsrv;
+	char tmp[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255") +
+		 sizeof("%4000000000")];
+	debug("get_server_list()");
+	servers = irs_resconf_getnameservers(resconf);
+	for (sa = ISC_LIST_HEAD(*servers); sa != NULL;
+	     sa = ISC_LIST_NEXT(sa, link))
+	{
+		int pf = isc_sockaddr_pf(sa);
+		isc_netaddr_t na;
+		isc_result_t result;
+		isc_buffer_t b;
+
+		if (pf == AF_INET && !have_ipv4) {
+			continue;
+		}
+		if (pf == AF_INET6 && !have_ipv6) {
+			continue;
+		}
+
+		isc_buffer_init(&b, tmp, sizeof(tmp));
+		isc_netaddr_fromsockaddr(&na, sa);
+		result = isc_netaddr_totext(&na, &b);
+		if (result != ISC_R_SUCCESS) {
+			continue;
+		}
+		isc_buffer_putuint8(&b, 0);
+		if (pf == AF_INET6 && na.zone != 0) {
+			char buf[sizeof("%4000000000")];
+			snprintf(buf, sizeof(buf), "%%%u", na.zone);
+			strlcat(tmp, buf, sizeof(tmp));
+		}
+		newsrv = make_server(tmp, tmp);
+		ISC_LINK_INIT(newsrv, link);
+		ISC_LIST_APPEND(server_list, newsrv, link);
+	}
+}
+
+void
+flush_server_list(void) {
+	dig_server_t *s, *ps;
+
+	debug("flush_server_list()");
+	s = ISC_LIST_HEAD(server_list);
+	while (s != NULL) {
+		ps = s;
+		s = ISC_LIST_NEXT(s, link);
+		ISC_LIST_DEQUEUE(server_list, ps, link);
+		isc_mem_free(mctx, ps);
+	}
+}
+
+void
+set_nameserver(char *opt) {
+	isc_result_t result;
+	isc_sockaddr_t sockaddrs[DIG_MAX_ADDRESSES];
+	isc_netaddr_t netaddr;
+	int count, i;
+	dig_server_t *srv;
+	char tmp[ISC_NETADDR_FORMATSIZE];
+
+	if (opt == NULL) {
+		return;
+	}
+
+	result = bind9_getaddresses(opt, 0, sockaddrs, DIG_MAX_ADDRESSES,
+				    &count);
+	if (result != ISC_R_SUCCESS) {
+		fatal("couldn't get address for '%s': %s", opt,
+		      isc_result_totext(result));
+	}
+
+	flush_server_list();
+
+	for (i = 0; i < count; i++) {
+		isc_netaddr_fromsockaddr(&netaddr, &sockaddrs[i]);
+		isc_netaddr_format(&netaddr, tmp, sizeof(tmp));
+		srv = make_server(tmp, opt);
+		if (srv == NULL) {
+			fatal("memory allocation failure");
+		}
+		ISC_LIST_APPEND(server_list, srv, link);
+	}
+}
+
+/*%
+ * Produce a cloned server list.  The dest list must have already had
+ * ISC_LIST_INIT applied.
+ */
+void
+clone_server_list(dig_serverlist_t src, dig_serverlist_t *dest) {
+	dig_server_t *srv, *newsrv;
+
+	debug("clone_server_list()");
+	srv = ISC_LIST_HEAD(src);
+	while (srv != NULL) {
+		newsrv = make_server(srv->servername, srv->userarg);
+		ISC_LINK_INIT(newsrv, link);
+		ISC_LIST_ENQUEUE(*dest, newsrv, link);
+		srv = ISC_LIST_NEXT(srv, link);
+	}
+}
+
+/*%
+ * Create an empty lookup structure, which holds all the information needed
+ * to get an answer to a user's question.  This structure contains two
+ * linked lists: the server list (servers to query) and the query list
+ * (outstanding queries which have been made to the listed servers).
+ */
+dig_lookup_t *
+make_empty_lookup(void) {
+	dig_lookup_t *looknew;
+
+	debug("make_empty_lookup()");
+
+	INSIST(!free_now);
+
+	looknew = isc_mem_allocate(mctx, sizeof(struct dig_lookup));
+	looknew->pending = true;
+	looknew->textname[0] = 0;
+	looknew->cmdline[0] = 0;
+	looknew->rdtype = dns_rdatatype_a;
+	looknew->qrdtype = dns_rdatatype_a;
+	looknew->rdclass = dns_rdataclass_in;
+	looknew->rdtypeset = false;
+	looknew->rdclassset = false;
+	looknew->sendspace = NULL;
+	looknew->sendmsg = NULL;
+	looknew->name = NULL;
+	looknew->oname = NULL;
+	looknew->xfr_q = NULL;
+	looknew->current_query = NULL;
+	looknew->doing_xfr = false;
+	looknew->ixfr_serial = 0;
+	looknew->trace = false;
+	looknew->trace_root = false;
+	looknew->identify = false;
+	looknew->identify_previous_line = false;
+	looknew->ignore = false;
+	looknew->servfail_stops = true;
+	looknew->besteffort = true;
+	looknew->dnssec = false;
+	looknew->ednsflags = 0;
+	looknew->opcode = dns_opcode_query;
+	looknew->expire = false;
+	looknew->nsid = false;
+	looknew->tcp_keepalive = false;
+	looknew->padding = 0;
+	looknew->header_only = false;
+	looknew->sendcookie = false;
+	looknew->seenbadcookie = false;
+	looknew->badcookie = true;
+	looknew->multiline = false;
+	looknew->nottl = false;
+	looknew->noclass = false;
+	looknew->onesoa = false;
+	looknew->use_usec = false;
+	looknew->nocrypto = false;
+	looknew->ttlunits = false;
+	looknew->expandaaaa = false;
+	looknew->qr = false;
+	looknew->accept_reply_unexpected_src = false;
+#ifdef HAVE_LIBIDN2
+	looknew->idnin = isatty(1) ? (getenv("IDN_DISABLE") == NULL) : false;
+	looknew->idnout = looknew->idnin;
+#else  /* ifdef HAVE_LIBIDN2 */
+	looknew->idnin = false;
+	looknew->idnout = false;
+#endif /* HAVE_LIBIDN2 */
+	looknew->udpsize = -1;
+	looknew->edns = -1;
+	looknew->recurse = true;
+	looknew->aaonly = false;
+	looknew->adflag = false;
+	looknew->cdflag = false;
+	looknew->raflag = false;
+	looknew->tcflag = false;
+	looknew->print_unknown_format = false;
+	looknew->zflag = false;
+	looknew->ns_search_only = false;
+	looknew->origin = NULL;
+	looknew->tsigctx = NULL;
+	looknew->querysig = NULL;
+	looknew->retries = tries;
+	looknew->nsfound = 0;
+	looknew->tcp_mode = false;
+	looknew->tcp_mode_set = false;
+	looknew->comments = true;
+	looknew->stats = true;
+	looknew->section_question = true;
+	looknew->section_answer = true;
+	looknew->section_authority = true;
+	looknew->section_additional = true;
+	looknew->new_search = false;
+	looknew->done_as_is = false;
+	looknew->need_search = false;
+	looknew->ecs_addr = NULL;
+	looknew->cookie = NULL;
+	looknew->ednsopts = NULL;
+	looknew->ednsoptscnt = 0;
+	looknew->ednsneg = true;
+	looknew->mapped = true;
+	looknew->dscp = -1;
+	looknew->rrcomments = 0;
+	looknew->eoferr = 0;
+	dns_fixedname_init(&looknew->fdomain);
+	ISC_LINK_INIT(looknew, link);
+	ISC_LIST_INIT(looknew->q);
+	ISC_LIST_INIT(looknew->connecting);
+	ISC_LIST_INIT(looknew->my_server_list);
+	return (looknew);
+}
+
+#define EDNSOPT_OPTIONS 100U
+
+static void
+cloneopts(dig_lookup_t *looknew, dig_lookup_t *lookold) {
+	size_t len = sizeof(looknew->ednsopts[0]) * EDNSOPT_OPTIONS;
+	size_t i;
+	looknew->ednsopts = isc_mem_allocate(mctx, len);
+	for (i = 0; i < EDNSOPT_OPTIONS; i++) {
+		looknew->ednsopts[i].code = 0;
+		looknew->ednsopts[i].length = 0;
+		looknew->ednsopts[i].value = NULL;
+	}
+	looknew->ednsoptscnt = 0;
+	if (lookold == NULL || lookold->ednsopts == NULL) {
+		return;
+	}
+
+	for (i = 0; i < lookold->ednsoptscnt; i++) {
+		len = lookold->ednsopts[i].length;
+		if (len != 0) {
+			INSIST(lookold->ednsopts[i].value != NULL);
+			looknew->ednsopts[i].value = isc_mem_allocate(mctx,
+								      len);
+			memmove(looknew->ednsopts[i].value,
+				lookold->ednsopts[i].value, len);
+		}
+		looknew->ednsopts[i].code = lookold->ednsopts[i].code;
+		looknew->ednsopts[i].length = len;
+	}
+	looknew->ednsoptscnt = lookold->ednsoptscnt;
+}
+
+/*%
+ * Clone a lookup, perhaps copying the server list.  This does not clone
+ * the query list, since it will be regenerated by the setup_lookup()
+ * function, nor does it queue up the new lookup for processing.
+ * Caution: If you don't clone the servers, you MUST clone the server
+ * list separately from somewhere else, or construct it by hand.
+ */
+dig_lookup_t *
+clone_lookup(dig_lookup_t *lookold, bool servers) {
+	dig_lookup_t *looknew;
+
+	debug("clone_lookup(%p)", lookold);
+
+	INSIST(!free_now);
+
+	looknew = make_empty_lookup();
+	INSIST(looknew != NULL);
+	strlcpy(looknew->textname, lookold->textname, MXNAME);
+	strlcpy(looknew->cmdline, lookold->cmdline, MXNAME);
+	looknew->textname[MXNAME - 1] = 0;
+	looknew->rdtype = lookold->rdtype;
+	looknew->qrdtype = lookold->qrdtype;
+	looknew->rdclass = lookold->rdclass;
+	looknew->rdtypeset = lookold->rdtypeset;
+	looknew->rdclassset = lookold->rdclassset;
+	looknew->doing_xfr = lookold->doing_xfr;
+	looknew->ixfr_serial = lookold->ixfr_serial;
+	looknew->trace = lookold->trace;
+	looknew->trace_root = lookold->trace_root;
+	looknew->identify = lookold->identify;
+	looknew->identify_previous_line = lookold->identify_previous_line;
+	looknew->ignore = lookold->ignore;
+	looknew->servfail_stops = lookold->servfail_stops;
+	looknew->besteffort = lookold->besteffort;
+	looknew->dnssec = lookold->dnssec;
+	looknew->ednsflags = lookold->ednsflags;
+	looknew->opcode = lookold->opcode;
+	looknew->expire = lookold->expire;
+	looknew->nsid = lookold->nsid;
+	looknew->tcp_keepalive = lookold->tcp_keepalive;
+	looknew->header_only = lookold->header_only;
+	looknew->sendcookie = lookold->sendcookie;
+	looknew->seenbadcookie = lookold->seenbadcookie;
+	looknew->badcookie = lookold->badcookie;
+	looknew->cookie = lookold->cookie;
+	if (lookold->ednsopts != NULL) {
+		cloneopts(looknew, lookold);
+	} else {
+		looknew->ednsopts = NULL;
+		looknew->ednsoptscnt = 0;
+	}
+	looknew->ednsneg = lookold->ednsneg;
+	looknew->padding = lookold->padding;
+	looknew->mapped = lookold->mapped;
+	looknew->multiline = lookold->multiline;
+	looknew->nottl = lookold->nottl;
+	looknew->noclass = lookold->noclass;
+	looknew->onesoa = lookold->onesoa;
+	looknew->use_usec = lookold->use_usec;
+	looknew->nocrypto = lookold->nocrypto;
+	looknew->ttlunits = lookold->ttlunits;
+	looknew->expandaaaa = lookold->expandaaaa;
+	looknew->qr = lookold->qr;
+	looknew->accept_reply_unexpected_src =
+		lookold->accept_reply_unexpected_src;
+	looknew->idnin = lookold->idnin;
+	looknew->idnout = lookold->idnout;
+	looknew->udpsize = lookold->udpsize;
+	looknew->edns = lookold->edns;
+	looknew->recurse = lookold->recurse;
+	looknew->aaonly = lookold->aaonly;
+	looknew->adflag = lookold->adflag;
+	looknew->cdflag = lookold->cdflag;
+	looknew->raflag = lookold->raflag;
+	looknew->tcflag = lookold->tcflag;
+	looknew->print_unknown_format = lookold->print_unknown_format;
+	looknew->zflag = lookold->zflag;
+	looknew->ns_search_only = lookold->ns_search_only;
+	looknew->tcp_mode = lookold->tcp_mode;
+	looknew->tcp_mode_set = lookold->tcp_mode_set;
+	looknew->comments = lookold->comments;
+	looknew->stats = lookold->stats;
+	looknew->section_question = lookold->section_question;
+	looknew->section_answer = lookold->section_answer;
+	looknew->section_authority = lookold->section_authority;
+	looknew->section_additional = lookold->section_additional;
+	looknew->origin = lookold->origin;
+	looknew->retries = lookold->retries;
+	looknew->tsigctx = NULL;
+	looknew->need_search = lookold->need_search;
+	looknew->done_as_is = lookold->done_as_is;
+	looknew->dscp = lookold->dscp;
+	looknew->rrcomments = lookold->rrcomments;
+	looknew->eoferr = lookold->eoferr;
+
+	if (lookold->ecs_addr != NULL) {
+		size_t len = sizeof(isc_sockaddr_t);
+		looknew->ecs_addr = isc_mem_allocate(mctx, len);
+		memmove(looknew->ecs_addr, lookold->ecs_addr, len);
+	}
+
+	dns_name_copynf(dns_fixedname_name(&lookold->fdomain),
+			dns_fixedname_name(&looknew->fdomain));
+
+	if (servers) {
+		clone_server_list(lookold->my_server_list,
+				  &looknew->my_server_list);
+	}
+	return (looknew);
+}
+
+/*%
+ * Requeue a lookup for further processing, perhaps copying the server
+ * list.  The new lookup structure is returned to the caller, and is
+ * queued for processing.  If servers are not cloned in the requeue, they
+ * must be added before allowing the current event to complete, since the
+ * completion of the event may result in the next entry on the lookup
+ * queue getting run.
+ */
+dig_lookup_t *
+requeue_lookup(dig_lookup_t *lookold, bool servers) {
+	dig_lookup_t *looknew;
+
+	debug("requeue_lookup(%p)", lookold);
+
+	lookup_counter++;
+	if (lookup_counter > LOOKUP_LIMIT) {
+		fatal("too many lookups");
+	}
+
+	looknew = clone_lookup(lookold, servers);
+	INSIST(looknew != NULL);
+
+	debug("before insertion, init@%p -> %p, new@%p -> %p", lookold,
+	      lookold->link.next, looknew, looknew->link.next);
+	ISC_LIST_PREPEND(lookup_list, looknew, link);
+	debug("after insertion, init -> %p, new = %p, new -> %p", lookold,
+	      looknew, looknew->link.next);
+	return (looknew);
+}
+
+void
+setup_text_key(void) {
+	isc_result_t result;
+	dns_name_t keyname;
+	isc_buffer_t secretbuf;
+	unsigned int secretsize;
+	unsigned char *secretstore;
+
+	debug("setup_text_key()");
+	isc_buffer_allocate(mctx, &namebuf, MXNAME);
+	dns_name_init(&keyname, NULL);
+	isc_buffer_putstr(namebuf, keynametext);
+	secretsize = (unsigned int)strlen(keysecret) * 3 / 4;
+	secretstore = isc_mem_allocate(mctx, secretsize);
+	isc_buffer_init(&secretbuf, secretstore, secretsize);
+	result = isc_base64_decodestring(keysecret, &secretbuf);
+	if (result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+
+	secretsize = isc_buffer_usedlength(&secretbuf);
+
+	if (hmacname == NULL) {
+		result = DST_R_UNSUPPORTEDALG;
+		goto failure;
+	}
+
+	result = dns_name_fromtext(&keyname, namebuf, dns_rootname, 0, namebuf);
+	if (result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+
+	result = dns_tsigkey_create(&keyname, hmacname, secretstore,
+				    (int)secretsize, false, NULL, 0, 0, mctx,
+				    NULL, &tsigkey);
+failure:
+	if (result != ISC_R_SUCCESS) {
+		printf(";; Couldn't create key %s: %s\n", keynametext,
+		       isc_result_totext(result));
+	} else {
+		dst_key_setbits(tsigkey->key, digestbits);
+	}
+
+	isc_mem_free(mctx, secretstore);
+	dns_name_invalidate(&keyname);
+	isc_buffer_free(&namebuf);
+}
+
+static isc_result_t
+parse_uint_helper(uint32_t *uip, const char *value, uint32_t max,
+		  const char *desc, int base) {
+	uint32_t n;
+	isc_result_t result = isc_parse_uint32(&n, value, base);
+	if (result == ISC_R_SUCCESS && n > max) {
+		result = ISC_R_RANGE;
+	}
+	if (result != ISC_R_SUCCESS) {
+		printf("invalid %s '%s': %s\n", desc, value,
+		       isc_result_totext(result));
+		return (result);
+	}
+	*uip = n;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+parse_uint(uint32_t *uip, const char *value, uint32_t max, const char *desc) {
+	return (parse_uint_helper(uip, value, max, desc, 10));
+}
+
+isc_result_t
+parse_xint(uint32_t *uip, const char *value, uint32_t max, const char *desc) {
+	return (parse_uint_helper(uip, value, max, desc, 0));
+}
+
+static uint32_t
+parse_bits(char *arg, const char *desc, uint32_t max) {
+	isc_result_t result;
+	uint32_t tmp;
+
+	result = parse_uint(&tmp, arg, max, desc);
+	if (result != ISC_R_SUCCESS) {
+		fatal("couldn't parse digest bits");
+	}
+	tmp = (tmp + 7) & ~0x7U;
+	return (tmp);
+}
+
+isc_result_t
+parse_netprefix(isc_sockaddr_t **sap, const char *value) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_sockaddr_t *sa = NULL;
+	struct in_addr in4;
+	struct in6_addr in6;
+	uint32_t prefix_length = 0xffffffff;
+	char *slash = NULL;
+	bool parsed = false;
+	bool prefix_parsed = false;
+	char buf[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:XXX.XXX.XXX.XXX/128")];
+
+	REQUIRE(sap != NULL && *sap == NULL);
+
+	if (strlcpy(buf, value, sizeof(buf)) >= sizeof(buf)) {
+		fatal("invalid prefix '%s'\n", value);
+	}
+
+	sa = isc_mem_allocate(mctx, sizeof(*sa));
+	memset(sa, 0, sizeof(*sa));
+
+	if (strcmp(buf, "0") == 0) {
+		sa->type.sa.sa_family = AF_UNSPEC;
+		prefix_length = 0;
+		goto done;
+	}
+
+	slash = strchr(buf, '/');
+	if (slash != NULL) {
+		*slash = '\0';
+		result = isc_parse_uint32(&prefix_length, slash + 1, 10);
+		if (result != ISC_R_SUCCESS) {
+			fatal("invalid prefix length in '%s': %s\n", value,
+			      isc_result_totext(result));
+		}
+		prefix_parsed = true;
+	}
+
+	if (inet_pton(AF_INET6, buf, &in6) == 1) {
+		parsed = true;
+		isc_sockaddr_fromin6(sa, &in6, 0);
+		if (prefix_length > 128) {
+			prefix_length = 128;
+		}
+	} else if (inet_pton(AF_INET, buf, &in4) == 1) {
+		parsed = true;
+		isc_sockaddr_fromin(sa, &in4, 0);
+		if (prefix_length > 32) {
+			prefix_length = 32;
+		}
+	} else if (prefix_parsed) {
+		int i;
+
+		for (i = 0; i < 3 && strlen(buf) < sizeof(buf) - 2; i++) {
+			strlcat(buf, ".0", sizeof(buf));
+			if (inet_pton(AF_INET, buf, &in4) == 1) {
+				parsed = true;
+				isc_sockaddr_fromin(sa, &in4, 0);
+				break;
+			}
+		}
+
+		if (prefix_length > 32) {
+			prefix_length = 32;
+		}
+	}
+
+	if (!parsed) {
+		fatal("invalid address '%s'", value);
+	}
+
+done:
+	sa->length = prefix_length;
+	*sap = sa;
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Parse HMAC algorithm specification
+ */
+void
+parse_hmac(const char *hmac) {
+	char buf[20];
+	size_t len;
+
+	REQUIRE(hmac != NULL);
+
+	len = strlen(hmac);
+	if (len >= sizeof(buf)) {
+		fatal("unknown key type '%.*s'", (int)len, hmac);
+	}
+	strlcpy(buf, hmac, sizeof(buf));
+
+	digestbits = 0;
+
+	if (strcasecmp(buf, "hmac-md5") == 0) {
+		hmacname = DNS_TSIG_HMACMD5_NAME;
+	} else if (strncasecmp(buf, "hmac-md5-", 9) == 0) {
+		hmacname = DNS_TSIG_HMACMD5_NAME;
+		digestbits = parse_bits(&buf[9], "digest-bits [0..128]", 128);
+	} else if (strcasecmp(buf, "hmac-sha1") == 0) {
+		hmacname = DNS_TSIG_HMACSHA1_NAME;
+		digestbits = 0;
+	} else if (strncasecmp(buf, "hmac-sha1-", 10) == 0) {
+		hmacname = DNS_TSIG_HMACSHA1_NAME;
+		digestbits = parse_bits(&buf[10], "digest-bits [0..160]", 160);
+	} else if (strcasecmp(buf, "hmac-sha224") == 0) {
+		hmacname = DNS_TSIG_HMACSHA224_NAME;
+	} else if (strncasecmp(buf, "hmac-sha224-", 12) == 0) {
+		hmacname = DNS_TSIG_HMACSHA224_NAME;
+		digestbits = parse_bits(&buf[12], "digest-bits [0..224]", 224);
+	} else if (strcasecmp(buf, "hmac-sha256") == 0) {
+		hmacname = DNS_TSIG_HMACSHA256_NAME;
+	} else if (strncasecmp(buf, "hmac-sha256-", 12) == 0) {
+		hmacname = DNS_TSIG_HMACSHA256_NAME;
+		digestbits = parse_bits(&buf[12], "digest-bits [0..256]", 256);
+	} else if (strcasecmp(buf, "hmac-sha384") == 0) {
+		hmacname = DNS_TSIG_HMACSHA384_NAME;
+	} else if (strncasecmp(buf, "hmac-sha384-", 12) == 0) {
+		hmacname = DNS_TSIG_HMACSHA384_NAME;
+		digestbits = parse_bits(&buf[12], "digest-bits [0..384]", 384);
+	} else if (strcasecmp(buf, "hmac-sha512") == 0) {
+		hmacname = DNS_TSIG_HMACSHA512_NAME;
+	} else if (strncasecmp(buf, "hmac-sha512-", 12) == 0) {
+		hmacname = DNS_TSIG_HMACSHA512_NAME;
+		digestbits = parse_bits(&buf[12], "digest-bits [0..512]", 512);
+	} else {
+		fprintf(stderr,
+			";; Warning, ignoring "
+			"invalid TSIG algorithm %s\n",
+			buf);
+	}
+}
+
+/*
+ * Get a key from a named.conf format keyfile
+ */
+static isc_result_t
+read_confkey(void) {
+	cfg_parser_t *pctx = NULL;
+	cfg_obj_t *file = NULL;
+	const cfg_obj_t *keyobj = NULL;
+	const cfg_obj_t *secretobj = NULL;
+	const cfg_obj_t *algorithmobj = NULL;
+	const char *keyname;
+	const char *secretstr;
+	const char *algorithm;
+	isc_result_t result;
+
+	if (!isc_file_exists(keyfile)) {
+		return (ISC_R_FILENOTFOUND);
+	}
+
+	result = cfg_parser_create(mctx, NULL, &pctx);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	result = cfg_parse_file(pctx, keyfile, &cfg_type_sessionkey, &file);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	result = cfg_map_get(file, "key", &keyobj);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	(void)cfg_map_get(keyobj, "secret", &secretobj);
+	(void)cfg_map_get(keyobj, "algorithm", &algorithmobj);
+	if (secretobj == NULL || algorithmobj == NULL) {
+		fatal("key must have algorithm and secret");
+	}
+
+	keyname = cfg_obj_asstring(cfg_map_getname(keyobj));
+	secretstr = cfg_obj_asstring(secretobj);
+	algorithm = cfg_obj_asstring(algorithmobj);
+
+	strlcpy(keynametext, keyname, sizeof(keynametext));
+	strlcpy(keysecret, secretstr, sizeof(keysecret));
+	parse_hmac(algorithm);
+	setup_text_key();
+
+cleanup:
+	if (pctx != NULL) {
+		if (file != NULL) {
+			cfg_obj_destroy(pctx, &file);
+		}
+		cfg_parser_destroy(&pctx);
+	}
+
+	return (result);
+}
+
+void
+setup_file_key(void) {
+	isc_result_t result;
+	dst_key_t *dstkey = NULL;
+
+	debug("setup_file_key()");
+
+	/* Try reading the key from a K* pair */
+	result = dst_key_fromnamedfile(
+		keyfile, NULL, DST_TYPE_PRIVATE | DST_TYPE_KEY, mctx, &dstkey);
+
+	/* If that didn't work, try reading it as a session.key keyfile */
+	if (result != ISC_R_SUCCESS) {
+		result = read_confkey();
+		if (result == ISC_R_SUCCESS) {
+			return;
+		}
+	}
+
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "Couldn't read key from %s: %s\n", keyfile,
+			isc_result_totext(result));
+		goto failure;
+	}
+
+	switch (dst_key_alg(dstkey)) {
+	case DST_ALG_HMACMD5:
+		hmacname = DNS_TSIG_HMACMD5_NAME;
+		break;
+	case DST_ALG_HMACSHA1:
+		hmacname = DNS_TSIG_HMACSHA1_NAME;
+		break;
+	case DST_ALG_HMACSHA224:
+		hmacname = DNS_TSIG_HMACSHA224_NAME;
+		break;
+	case DST_ALG_HMACSHA256:
+		hmacname = DNS_TSIG_HMACSHA256_NAME;
+		break;
+	case DST_ALG_HMACSHA384:
+		hmacname = DNS_TSIG_HMACSHA384_NAME;
+		break;
+	case DST_ALG_HMACSHA512:
+		hmacname = DNS_TSIG_HMACSHA512_NAME;
+		break;
+	default:
+		printf(";; Couldn't create key %s: bad algorithm\n",
+		       keynametext);
+		goto failure;
+	}
+	result = dns_tsigkey_createfromkey(dst_key_name(dstkey), hmacname,
+					   dstkey, false, NULL, 0, 0, mctx,
+					   NULL, &tsigkey);
+	if (result != ISC_R_SUCCESS) {
+		printf(";; Couldn't create key %s: %s\n", keynametext,
+		       isc_result_totext(result));
+		goto failure;
+	}
+failure:
+	if (dstkey != NULL) {
+		dst_key_free(&dstkey);
+	}
+}
+
+static dig_searchlist_t *
+make_searchlist_entry(char *domain) {
+	dig_searchlist_t *search;
+	search = isc_mem_allocate(mctx, sizeof(*search));
+	strlcpy(search->origin, domain, MXNAME);
+	search->origin[MXNAME - 1] = 0;
+	ISC_LINK_INIT(search, link);
+	return (search);
+}
+
+static void
+clear_searchlist(void) {
+	dig_searchlist_t *search;
+	while ((search = ISC_LIST_HEAD(search_list)) != NULL) {
+		ISC_LIST_UNLINK(search_list, search, link);
+		isc_mem_free(mctx, search);
+	}
+}
+
+static void
+create_search_list(irs_resconf_t *resconf) {
+	irs_resconf_searchlist_t *list;
+	irs_resconf_search_t *entry;
+	dig_searchlist_t *search;
+
+	debug("create_search_list()");
+	clear_searchlist();
+
+	list = irs_resconf_getsearchlist(resconf);
+	for (entry = ISC_LIST_HEAD(*list); entry != NULL;
+	     entry = ISC_LIST_NEXT(entry, link))
+	{
+		search = make_searchlist_entry(entry->domain);
+		ISC_LIST_APPEND(search_list, search, link);
+	}
+}
+
+/*%
+ * Append 'addr' to the list of servers to be queried.  This function is only
+ * called when no server addresses are explicitly specified and either libirs
+ * returns an empty list of servers to use or none of the addresses returned by
+ * libirs are usable due to the specified address family restrictions.
+ */
+static void
+add_fallback_nameserver(const char *addr) {
+	dig_server_t *server = make_server(addr, addr);
+	ISC_LINK_INIT(server, link);
+	ISC_LIST_APPEND(server_list, server, link);
+}
+
+/*%
+ * Setup the system as a whole, reading key information and resolv.conf
+ * settings.
+ */
+void
+setup_system(bool ipv4only, bool ipv6only) {
+	irs_resconf_t *resconf = NULL;
+	isc_result_t result;
+
+	debug("setup_system()");
+
+	if (ipv4only) {
+		if (have_ipv4) {
+			isc_net_disableipv6();
+			have_ipv6 = false;
+		} else {
+			fatal("can't find IPv4 networking");
+		}
+	}
+
+	if (ipv6only) {
+		if (have_ipv6) {
+			isc_net_disableipv4();
+			have_ipv4 = false;
+		} else {
+			fatal("can't find IPv6 networking");
+		}
+	}
+
+	result = irs_resconf_load(mctx, RESOLV_CONF, &resconf);
+	if (result != ISC_R_SUCCESS && result != ISC_R_FILENOTFOUND) {
+		fatal("parse of %s failed", RESOLV_CONF);
+	}
+
+	create_search_list(resconf);
+	if (ndots == -1) {
+		ndots = irs_resconf_getndots(resconf);
+		debug("ndots is %d.", ndots);
+	}
+
+	/* If user doesn't specify server use nameservers from resolv.conf. */
+	if (ISC_LIST_EMPTY(server_list)) {
+		get_server_list(resconf);
+	}
+
+	/* If we don't find a nameserver fall back to localhost */
+	if (ISC_LIST_EMPTY(server_list)) {
+		if (have_ipv6) {
+			add_fallback_nameserver("::1");
+		}
+		if (have_ipv4) {
+			add_fallback_nameserver("127.0.0.1");
+		}
+	}
+
+	irs_resconf_destroy(&resconf);
+
+	if (keyfile[0] != 0) {
+		setup_file_key();
+	} else if (keysecret[0] != 0) {
+		setup_text_key();
+	}
+
+	isc_nonce_buf(cookie_secret, sizeof(cookie_secret));
+}
+
+/*%
+ * Override the search list derived from resolv.conf by 'domain'.
+ */
+void
+set_search_domain(char *domain) {
+	dig_searchlist_t *search;
+
+	clear_searchlist();
+	search = make_searchlist_entry(domain);
+	ISC_LIST_APPEND(search_list, search, link);
+}
+
+/*%
+ * Setup the ISC and DNS libraries for use by the system.
+ */
+void
+setup_libs(void) {
+	isc_result_t result;
+	isc_logconfig_t *logconfig = NULL;
+
+	debug("setup_libs()");
+
+#if USE_PKCS11
+	pk11_result_register();
+#endif /* if USE_PKCS11 */
+	dns_result_register();
+
+	result = isc_net_probeipv4();
+	if (result == ISC_R_SUCCESS) {
+		have_ipv4 = true;
+	}
+
+	result = isc_net_probeipv6();
+	if (result == ISC_R_SUCCESS) {
+		have_ipv6 = true;
+	}
+	if (!have_ipv6 && !have_ipv4) {
+		fatal("can't find either v4 or v6 networking");
+	}
+
+	isc_mem_create(&mctx);
+	isc_mem_setname(mctx, "dig", NULL);
+
+	isc_log_create(mctx, &lctx, &logconfig);
+	isc_log_setcontext(lctx);
+	dns_log_init(lctx);
+	dns_log_setcontext(lctx);
+
+	result = isc_log_usechannel(logconfig, "default_debug", NULL, NULL);
+	check_result(result, "isc_log_usechannel");
+
+	isc_log_setdebuglevel(lctx, 0);
+
+	result = isc_managers_create(mctx, 1, 0, &netmgr, &taskmgr);
+	check_result(result, "isc_managers_create");
+
+	result = isc_task_create(taskmgr, 0, &global_task);
+	check_result(result, "isc_task_create");
+	isc_task_setname(global_task, "dig", NULL);
+
+	result = isc_timermgr_create(mctx, &timermgr);
+	check_result(result, "isc_timermgr_create");
+
+	result = isc_socketmgr_create(mctx, &socketmgr);
+	check_result(result, "isc_socketmgr_create");
+
+	result = dst_lib_init(mctx, NULL);
+	check_result(result, "dst_lib_init");
+	is_dst_up = true;
+
+	isc_mutex_init(&lookup_lock);
+}
+
+typedef struct dig_ednsoptname {
+	uint32_t code;
+	const char *name;
+} dig_ednsoptname_t;
+
+dig_ednsoptname_t optnames[] = {
+	{ 1, "LLQ" },	       /* draft-sekar-dns-llq */
+	{ 3, "NSID" },	       /* RFC 5001 */
+	{ 5, "DAU" },	       /* RFC 6975 */
+	{ 6, "DHU" },	       /* RFC 6975 */
+	{ 7, "N3U" },	       /* RFC 6975 */
+	{ 8, "ECS" },	       /* RFC 7871 */
+	{ 9, "EXPIRE" },       /* RFC 7314 */
+	{ 10, "COOKIE" },      /* RFC 7873 */
+	{ 11, "KEEPALIVE" },   /* RFC 7828 */
+	{ 12, "PADDING" },     /* RFC 7830 */
+	{ 12, "PAD" },	       /* shorthand */
+	{ 13, "CHAIN" },       /* RFC 7901 */
+	{ 14, "KEY-TAG" },     /* RFC 8145 */
+	{ 15, "EDE" },	       /* ietf-dnsop-extended-error-16 */
+	{ 16, "CLIENT-TAG" },  /* draft-bellis-dnsop-edns-tags */
+	{ 17, "SERVER-TAG" },  /* draft-bellis-dnsop-edns-tags */
+	{ 26946, "DEVICEID" }, /* Brian Hartvigsen */
+};
+
+#define N_EDNS_OPTNAMES (sizeof(optnames) / sizeof(optnames[0]))
+
+void
+save_opt(dig_lookup_t *lookup, char *code, char *value) {
+	isc_result_t result;
+	uint32_t num = 0;
+	isc_buffer_t b;
+	bool found = false;
+	unsigned int i;
+
+	if (lookup->ednsoptscnt >= EDNSOPT_OPTIONS) {
+		fatal("too many ednsopts");
+	}
+
+	for (i = 0; i < N_EDNS_OPTNAMES; i++) {
+		if (strcasecmp(code, optnames[i].name) == 0) {
+			num = optnames[i].code;
+			found = true;
+			break;
+		}
+	}
+
+	if (!found) {
+		result = parse_uint(&num, code, 65535, "ednsopt");
+		if (result != ISC_R_SUCCESS) {
+			fatal("bad edns code point: %s", code);
+		}
+	}
+
+	if (lookup->ednsopts == NULL) {
+		cloneopts(lookup, NULL);
+	}
+
+	if (lookup->ednsopts[lookup->ednsoptscnt].value != NULL) {
+		isc_mem_free(mctx, lookup->ednsopts[lookup->ednsoptscnt].value);
+	}
+
+	lookup->ednsopts[lookup->ednsoptscnt].code = num;
+	lookup->ednsopts[lookup->ednsoptscnt].length = 0;
+	lookup->ednsopts[lookup->ednsoptscnt].value = NULL;
+
+	if (value != NULL) {
+		char *buf;
+		buf = isc_mem_allocate(mctx, strlen(value) / 2 + 1);
+		isc_buffer_init(&b, buf, (unsigned int)strlen(value) / 2 + 1);
+		result = isc_hex_decodestring(value, &b);
+		check_result(result, "isc_hex_decodestring");
+		lookup->ednsopts[lookup->ednsoptscnt].value =
+			isc_buffer_base(&b);
+		lookup->ednsopts[lookup->ednsoptscnt].length =
+			isc_buffer_usedlength(&b);
+	}
+
+	lookup->ednsoptscnt++;
+}
+
+/*%
+ * Add EDNS0 option record to a message.  Currently, the only supported
+ * options are UDP buffer size, the DO bit, and EDNS options
+ * (e.g., NSID, COOKIE, client-subnet)
+ */
+static void
+add_opt(dns_message_t *msg, uint16_t udpsize, uint16_t edns, unsigned int flags,
+	dns_ednsopt_t *opts, size_t count) {
+	dns_rdataset_t *rdataset = NULL;
+	isc_result_t result;
+
+	debug("add_opt()");
+	result = dns_message_buildopt(msg, &rdataset, edns, udpsize, flags,
+				      opts, count);
+	check_result(result, "dns_message_buildopt");
+	result = dns_message_setopt(msg, rdataset);
+	check_result(result, "dns_message_setopt");
+}
+
+/*%
+ * Add a question section to a message, asking for the specified name,
+ * type, and class.
+ */
+static void
+add_question(dns_message_t *message, dns_name_t *name, dns_rdataclass_t rdclass,
+	     dns_rdatatype_t rdtype) {
+	dns_rdataset_t *rdataset;
+	isc_result_t result;
+
+	debug("add_question()");
+	rdataset = NULL;
+	result = dns_message_gettemprdataset(message, &rdataset);
+	check_result(result, "dns_message_gettemprdataset()");
+	dns_rdataset_makequestion(rdataset, rdclass, rdtype);
+	ISC_LIST_APPEND(name->list, rdataset, link);
+}
+
+/*%
+ * Check if we're done with all the queued lookups, which is true iff
+ * all sockets, sends, and recvs are accounted for (counters == 0),
+ * and the lookup list is empty.
+ * If we are done, pass control back out to dighost_shutdown() (which is
+ * part of dig.c, host.c, or nslookup.c) to either shutdown the system as
+ * a whole or reseed the lookup list.
+ */
+static void
+check_if_done(void) {
+	debug("check_if_done()");
+	debug("list %s", ISC_LIST_EMPTY(lookup_list) ? "empty" : "full");
+	if (ISC_LIST_EMPTY(lookup_list) && current_lookup == NULL &&
+	    sendcount == 0)
+	{
+		INSIST(sockcount == 0);
+		INSIST(recvcount == 0);
+		debug("shutting down");
+		dighost_shutdown();
+	}
+}
+
+/*%
+ * Clear out a query when we're done with it.  WARNING: This routine
+ * WILL invalidate the query pointer.
+ */
+static void
+clear_query(dig_query_t *query) {
+	dig_lookup_t *lookup;
+
+	REQUIRE(query != NULL);
+
+	debug("clear_query(%p)", query);
+
+	if (query->timer != NULL) {
+		isc_timer_destroy(&query->timer);
+	}
+	lookup = query->lookup;
+
+	if (lookup->current_query == query) {
+		lookup->current_query = NULL;
+	}
+
+	if (ISC_LINK_LINKED(query, link)) {
+		query->saved_next = ISC_LIST_NEXT(query, link);
+		ISC_LIST_UNLINK(lookup->q, query, link);
+	}
+	if (ISC_LINK_LINKED(query, clink)) {
+		ISC_LIST_UNLINK(lookup->connecting, query, clink);
+	}
+	INSIST(query->recvspace != NULL);
+
+	if (query->sock != NULL) {
+		isc_socket_detach(&query->sock);
+		sockcount--;
+		debug("sockcount=%d", sockcount);
+	}
+	isc_mem_put(mctx, query->recvspace, COMMSIZE);
+	isc_mem_put(mctx, query->tmpsendspace, COMMSIZE);
+	isc_buffer_invalidate(&query->recvbuf);
+	isc_buffer_invalidate(&query->lengthbuf);
+
+	if (query->waiting_senddone) {
+		debug("waiting senddone, delay freeing query");
+		query->pending_free = true;
+	} else {
+		query->magic = 0;
+		isc_mem_free(mctx, query);
+	}
+}
+
+/*%
+ * Try and clear out a lookup if we're done with it.  Return true if
+ * the lookup was successfully cleared.  If true is returned, the
+ * lookup pointer has been invalidated.
+ */
+static bool
+try_clear_lookup(dig_lookup_t *lookup) {
+	dig_query_t *q;
+
+	REQUIRE(lookup != NULL);
+
+	debug("try_clear_lookup(%p)", lookup);
+
+	if (ISC_LIST_HEAD(lookup->q) != NULL ||
+	    ISC_LIST_HEAD(lookup->connecting) != NULL)
+	{
+		if (debugging) {
+			q = ISC_LIST_HEAD(lookup->q);
+			while (q != NULL) {
+				debug("query to %s still pending", q->servname);
+				q = ISC_LIST_NEXT(q, link);
+			}
+
+			q = ISC_LIST_HEAD(lookup->connecting);
+			while (q != NULL) {
+				debug("query to %s still connecting",
+				      q->servname);
+				q = ISC_LIST_NEXT(q, clink);
+			}
+		}
+		return (false);
+	}
+
+	/*
+	 * At this point, we know there are no queries on the lookup,
+	 * so can make it go away also.
+	 */
+	destroy_lookup(lookup);
+	return (true);
+}
+
+void
+destroy_lookup(dig_lookup_t *lookup) {
+	dig_server_t *s;
+	void *ptr;
+
+	debug("destroy");
+	s = ISC_LIST_HEAD(lookup->my_server_list);
+	while (s != NULL) {
+		debug("freeing server %p belonging to %p", s, lookup);
+		ptr = s;
+		s = ISC_LIST_NEXT(s, link);
+		ISC_LIST_DEQUEUE(lookup->my_server_list, (dig_server_t *)ptr,
+				 link);
+		isc_mem_free(mctx, ptr);
+	}
+	if (lookup->sendmsg != NULL) {
+		dns_message_detach(&lookup->sendmsg);
+	}
+	if (lookup->querysig != NULL) {
+		debug("freeing buffer %p", lookup->querysig);
+		isc_buffer_free(&lookup->querysig);
+	}
+	if (lookup->sendspace != NULL) {
+		isc_mem_put(mctx, lookup->sendspace, COMMSIZE);
+	}
+
+	if (lookup->tsigctx != NULL) {
+		dst_context_destroy(&lookup->tsigctx);
+	}
+
+	if (lookup->ecs_addr != NULL) {
+		isc_mem_free(mctx, lookup->ecs_addr);
+	}
+
+	if (lookup->ednsopts != NULL) {
+		size_t i;
+		for (i = 0; i < EDNSOPT_OPTIONS; i++) {
+			if (lookup->ednsopts[i].value != NULL) {
+				isc_mem_free(mctx, lookup->ednsopts[i].value);
+			}
+		}
+		isc_mem_free(mctx, lookup->ednsopts);
+	}
+
+	isc_mem_free(mctx, lookup);
+}
+
+/*%
+ * If we can, start the next lookup in the queue running.
+ * This assumes that the lookup on the head of the queue hasn't been
+ * started yet.  It also removes the lookup from the head of the queue,
+ * setting the current_lookup pointer pointing to it.
+ */
+void
+start_lookup(void) {
+	debug("start_lookup()");
+	if (cancel_now) {
+		return;
+	}
+
+	/*
+	 * If there's a current lookup running, we really shouldn't get
+	 * here.
+	 */
+	INSIST(current_lookup == NULL);
+
+	current_lookup = ISC_LIST_HEAD(lookup_list);
+	/*
+	 * Put the current lookup somewhere so cancel_all can find it
+	 */
+	if (current_lookup != NULL) {
+		ISC_LIST_DEQUEUE(lookup_list, current_lookup, link);
+		if (setup_lookup(current_lookup)) {
+			do_lookup(current_lookup);
+		} else if (next_origin(current_lookup)) {
+			check_next_lookup(current_lookup);
+		}
+	} else {
+		check_if_done();
+	}
+}
+
+/*%
+ * If we can, clear the current lookup and start the next one running.
+ * This calls try_clear_lookup, so may invalidate the lookup pointer.
+ */
+static void
+check_next_lookup(dig_lookup_t *lookup) {
+	INSIST(!free_now);
+
+	debug("check_next_lookup(%p)", lookup);
+
+	if (ISC_LIST_HEAD(lookup->q) != NULL) {
+		debug("still have a worker");
+		return;
+	}
+	if (try_clear_lookup(lookup)) {
+		current_lookup = NULL;
+		start_lookup();
+	}
+}
+
+/*%
+ * Create and queue a new lookup as a followup to the current lookup,
+ * based on the supplied message and section.  This is used in trace and
+ * name server search modes to start a new lookup using servers from
+ * NS records in a reply. Returns the number of followup lookups made.
+ */
+static int
+followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section) {
+	dig_lookup_t *lookup = NULL;
+	dig_server_t *srv = NULL;
+	dns_rdataset_t *rdataset = NULL;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_name_t *name = NULL;
+	isc_result_t result;
+	bool success = false;
+	int numLookups = 0;
+	int num;
+	isc_result_t lresult, addresses_result;
+	char bad_namestr[DNS_NAME_FORMATSIZE];
+	dns_name_t *domain;
+	bool horizontal = false, bad = false;
+
+	INSIST(!free_now);
+
+	debug("following up %s", query->lookup->textname);
+
+	addresses_result = ISC_R_SUCCESS;
+	bad_namestr[0] = '\0';
+	for (result = dns_message_firstname(msg, section);
+	     result == ISC_R_SUCCESS;
+	     result = dns_message_nextname(msg, section))
+	{
+		name = NULL;
+		dns_message_currentname(msg, section, &name);
+
+		if (section == DNS_SECTION_AUTHORITY) {
+			rdataset = NULL;
+			result = dns_message_findtype(name, dns_rdatatype_soa,
+						      0, &rdataset);
+			if (result == ISC_R_SUCCESS) {
+				return (0);
+			}
+		}
+		rdataset = NULL;
+		result = dns_message_findtype(name, dns_rdatatype_ns, 0,
+					      &rdataset);
+		if (result != ISC_R_SUCCESS) {
+			continue;
+		}
+
+		debug("found NS set");
+
+		if (query->lookup->trace && !query->lookup->trace_root) {
+			dns_namereln_t namereln;
+			unsigned int nlabels;
+			int order;
+
+			domain = dns_fixedname_name(&query->lookup->fdomain);
+			namereln = dns_name_fullcompare(name, domain, &order,
+							&nlabels);
+			if (namereln == dns_namereln_equal) {
+				if (!horizontal) {
+					dighost_warning("BAD (HORIZONTAL) "
+							"REFERRAL");
+				}
+				horizontal = true;
+			} else if (namereln != dns_namereln_subdomain) {
+				if (!bad) {
+					dighost_warning("BAD REFERRAL");
+				}
+				bad = true;
+				continue;
+			}
+		}
+
+		for (result = dns_rdataset_first(rdataset);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(rdataset))
+		{
+			char namestr[DNS_NAME_FORMATSIZE];
+			dns_rdata_ns_t ns;
+
+			if (query->lookup->trace_root &&
+			    query->lookup->nsfound >= MXSERV)
+			{
+				break;
+			}
+
+			dns_rdataset_current(rdataset, &rdata);
+
+			query->lookup->nsfound++;
+			result = dns_rdata_tostruct(&rdata, &ns, NULL);
+			check_result(result, "dns_rdata_tostruct");
+			dns_name_format(&ns.name, namestr, sizeof(namestr));
+			dns_rdata_freestruct(&ns);
+
+			/* Initialize lookup if we've not yet */
+			debug("found NS %s", namestr);
+			if (!success) {
+				success = true;
+				lookup_counter++;
+				lookup = requeue_lookup(query->lookup, false);
+				cancel_lookup(query->lookup);
+				lookup->doing_xfr = false;
+				if (!lookup->trace_root &&
+				    section == DNS_SECTION_ANSWER)
+				{
+					lookup->trace = false;
+				} else {
+					lookup->trace = query->lookup->trace;
+				}
+				lookup->ns_search_only =
+					query->lookup->ns_search_only;
+				lookup->trace_root = false;
+				if (lookup->ns_search_only) {
+					lookup->recurse = false;
+				}
+				domain = dns_fixedname_name(&lookup->fdomain);
+				dns_name_copynf(name, domain);
+			}
+			debug("adding server %s", namestr);
+			num = getaddresses(lookup, namestr, &lresult);
+			if (lresult != ISC_R_SUCCESS) {
+				printf("couldn't get address for '%s': %s\n",
+				       namestr, isc_result_totext(lresult));
+				if (addresses_result == ISC_R_SUCCESS) {
+					addresses_result = lresult;
+					strlcpy(bad_namestr, namestr,
+						sizeof(bad_namestr));
+				}
+			}
+			numLookups += num;
+			dns_rdata_reset(&rdata);
+		}
+	}
+	if (numLookups == 0 && addresses_result != ISC_R_SUCCESS) {
+		fatal("couldn't get address for '%s': %s", bad_namestr,
+		      isc_result_totext(result));
+	}
+
+	if (lookup == NULL && section == DNS_SECTION_ANSWER &&
+	    (query->lookup->trace || query->lookup->ns_search_only))
+	{
+		return (followup_lookup(msg, query, DNS_SECTION_AUTHORITY));
+	}
+
+	/*
+	 * Randomize the order the nameserver will be tried.
+	 */
+	if (numLookups > 1) {
+		uint32_t i, j;
+		dig_serverlist_t my_server_list;
+		dig_server_t *next;
+
+		ISC_LIST_INIT(my_server_list);
+
+		i = numLookups;
+		for (srv = ISC_LIST_HEAD(lookup->my_server_list); srv != NULL;
+		     srv = ISC_LIST_HEAD(lookup->my_server_list))
+		{
+			INSIST(i > 0);
+			j = isc_random_uniform(i);
+			next = ISC_LIST_NEXT(srv, link);
+			while (j-- > 0 && next != NULL) {
+				srv = next;
+				next = ISC_LIST_NEXT(srv, link);
+			}
+			ISC_LIST_DEQUEUE(lookup->my_server_list, srv, link);
+			ISC_LIST_APPEND(my_server_list, srv, link);
+			i--;
+		}
+		ISC_LIST_APPENDLIST(lookup->my_server_list, my_server_list,
+				    link);
+	}
+
+	return (numLookups);
+}
+
+/*%
+ * Create and queue a new lookup using the next origin from the search
+ * list, read in setup_system().
+ *
+ * Return true iff there was another searchlist entry.
+ */
+static bool
+next_origin(dig_lookup_t *oldlookup) {
+	dig_lookup_t *newlookup;
+	dig_searchlist_t *search;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	isc_result_t result;
+
+	INSIST(!free_now);
+
+	debug("next_origin(%p)", oldlookup);
+	debug("following up %s", oldlookup->textname);
+
+	if (!usesearch) {
+		/*
+		 * We're not using a search list, so don't even think
+		 * about finding the next entry.
+		 */
+		return (false);
+	}
+
+	/*
+	 * Check for a absolute name or ndots being met.
+	 */
+	name = dns_fixedname_initname(&fixed);
+	result = dns_name_fromstring2(name, oldlookup->textname, NULL, 0, NULL);
+	if (result == ISC_R_SUCCESS &&
+	    (dns_name_isabsolute(name) ||
+	     (int)dns_name_countlabels(name) > ndots))
+	{
+		return (false);
+	}
+
+	if (oldlookup->origin == NULL && !oldlookup->need_search) {
+		/*
+		 * Then we just did rootorg; there's nothing left.
+		 */
+		return (false);
+	}
+	if (oldlookup->origin == NULL && oldlookup->need_search) {
+		newlookup = requeue_lookup(oldlookup, true);
+		newlookup->origin = ISC_LIST_HEAD(search_list);
+		newlookup->need_search = false;
+	} else {
+		search = ISC_LIST_NEXT(oldlookup->origin, link);
+		if (search == NULL && oldlookup->done_as_is) {
+			return (false);
+		}
+		newlookup = requeue_lookup(oldlookup, true);
+		newlookup->origin = search;
+	}
+	cancel_lookup(oldlookup);
+	return (true);
+}
+
+/*%
+ * Insert an SOA record into the sendmessage in a lookup.  Used for
+ * creating IXFR queries.
+ */
+static void
+insert_soa(dig_lookup_t *lookup) {
+	isc_result_t result;
+	dns_rdata_soa_t soa;
+	dns_rdata_t *rdata = NULL;
+	dns_rdatalist_t *rdatalist = NULL;
+	dns_rdataset_t *rdataset = NULL;
+	dns_name_t *soaname = NULL;
+
+	debug("insert_soa(%p)", lookup);
+	soa.mctx = mctx;
+	soa.serial = lookup->ixfr_serial;
+	soa.refresh = 0;
+	soa.retry = 0;
+	soa.expire = 0;
+	soa.minimum = 0;
+	soa.common.rdclass = lookup->rdclass;
+	soa.common.rdtype = dns_rdatatype_soa;
+
+	dns_name_init(&soa.origin, NULL);
+	dns_name_init(&soa.contact, NULL);
+
+	dns_name_clone(dns_rootname, &soa.origin);
+	dns_name_clone(dns_rootname, &soa.contact);
+
+	isc_buffer_init(&lookup->rdatabuf, lookup->rdatastore,
+			sizeof(lookup->rdatastore));
+
+	result = dns_message_gettemprdata(lookup->sendmsg, &rdata);
+	check_result(result, "dns_message_gettemprdata");
+
+	result = dns_rdata_fromstruct(rdata, lookup->rdclass, dns_rdatatype_soa,
+				      &soa, &lookup->rdatabuf);
+	check_result(result, "isc_rdata_fromstruct");
+
+	result = dns_message_gettemprdatalist(lookup->sendmsg, &rdatalist);
+	check_result(result, "dns_message_gettemprdatalist");
+
+	result = dns_message_gettemprdataset(lookup->sendmsg, &rdataset);
+	check_result(result, "dns_message_gettemprdataset");
+
+	dns_rdatalist_init(rdatalist);
+	rdatalist->type = dns_rdatatype_soa;
+	rdatalist->rdclass = lookup->rdclass;
+	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
+
+	dns_rdatalist_tordataset(rdatalist, rdataset);
+
+	result = dns_message_gettempname(lookup->sendmsg, &soaname);
+	check_result(result, "dns_message_gettempname");
+	dns_name_clone(lookup->name, soaname);
+	ISC_LIST_INIT(soaname->list);
+	ISC_LIST_APPEND(soaname->list, rdataset, link);
+	dns_message_addname(lookup->sendmsg, soaname, DNS_SECTION_AUTHORITY);
+}
+
+static void
+compute_cookie(unsigned char *clientcookie, size_t len) {
+	/* XXXMPA need to fix, should be per server. */
+	INSIST(len >= 8U);
+	memmove(clientcookie, cookie_secret, 8);
+}
+
+/*%
+ * Setup the supplied lookup structure, making it ready to start sending
+ * queries to servers.  Create and initialize the message to be sent as
+ * well as the query structures and buffer space for the replies.  If the
+ * server list is empty, clone it from the system default list.
+ */
+bool
+setup_lookup(dig_lookup_t *lookup) {
+	isc_result_t result;
+	unsigned int len;
+	dig_server_t *serv;
+	dig_query_t *query;
+	isc_buffer_t b;
+	dns_compress_t cctx;
+	char store[MXNAME];
+	char ecsbuf[20];
+	char cookiebuf[256];
+	char *origin = NULL;
+	char *textname = NULL;
+
+	REQUIRE(lookup != NULL);
+
+#ifdef HAVE_LIBIDN2
+	char idn_origin[MXNAME], idn_textname[MXNAME];
+
+	result = dns_name_settotextfilter(lookup->idnout ? idn_output_filter
+							 : NULL);
+	check_result(result, "dns_name_settotextfilter");
+#endif /* HAVE_LIBIDN2 */
+
+	INSIST(!free_now);
+
+	debug("setup_lookup(%p)", lookup);
+
+	dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &lookup->sendmsg);
+
+	if (lookup->new_search) {
+		debug("resetting lookup counter.");
+		lookup_counter = 0;
+	}
+
+	if (ISC_LIST_EMPTY(lookup->my_server_list)) {
+		debug("cloning server list");
+		clone_server_list(server_list, &lookup->my_server_list);
+	}
+	result = dns_message_gettempname(lookup->sendmsg, &lookup->name);
+	check_result(result, "dns_message_gettempname");
+
+	isc_buffer_init(&lookup->namebuf, lookup->name_space,
+			sizeof(lookup->name_space));
+	isc_buffer_init(&lookup->onamebuf, lookup->oname_space,
+			sizeof(lookup->oname_space));
+
+	/*
+	 * We cannot convert `textname' and `origin' separately.
+	 * `textname' doesn't contain TLD, but local mapping needs
+	 * TLD.
+	 */
+	textname = lookup->textname;
+#ifdef HAVE_LIBIDN2
+	if (lookup->idnin) {
+		idn_locale_to_ace(textname, idn_textname, sizeof(idn_textname));
+		debug("idn_textname: %s", idn_textname);
+		textname = idn_textname;
+	}
+#endif /* HAVE_LIBIDN2 */
+
+	/*
+	 * If the name has too many dots, force the origin to be NULL
+	 * (which produces an absolute lookup).  Otherwise, take the origin
+	 * we have if there's one in the struct already.  If it's NULL,
+	 * take the first entry in the searchlist iff either usesearch
+	 * is TRUE or we got a domain line in the resolv.conf file.
+	 */
+	if (lookup->new_search) {
+		if ((count_dots(textname) >= ndots) || !usesearch) {
+			lookup->origin = NULL; /* Force abs lookup */
+			lookup->done_as_is = true;
+			lookup->need_search = usesearch;
+		} else if (lookup->origin == NULL && usesearch) {
+			lookup->origin = ISC_LIST_HEAD(search_list);
+			lookup->need_search = false;
+		}
+	}
+
+	if (lookup->origin != NULL) {
+		debug("trying origin %s", lookup->origin->origin);
+		result = dns_message_gettempname(lookup->sendmsg,
+						 &lookup->oname);
+		check_result(result, "dns_message_gettempname");
+		/* XXX Helper funct to conv char* to name? */
+		origin = lookup->origin->origin;
+#ifdef HAVE_LIBIDN2
+		if (lookup->idnin) {
+			idn_locale_to_ace(origin, idn_origin,
+					  sizeof(idn_origin));
+			debug("trying idn origin %s", idn_origin);
+			origin = idn_origin;
+		}
+#endif /* HAVE_LIBIDN2 */
+		len = (unsigned int)strlen(origin);
+		isc_buffer_init(&b, origin, len);
+		isc_buffer_add(&b, len);
+		result = dns_name_fromtext(lookup->oname, &b, dns_rootname, 0,
+					   &lookup->onamebuf);
+		if (result != ISC_R_SUCCESS) {
+			dns_message_puttempname(lookup->sendmsg, &lookup->name);
+			dns_message_puttempname(lookup->sendmsg,
+						&lookup->oname);
+			fatal("'%s' is not in legal name syntax (%s)", origin,
+			      isc_result_totext(result));
+		}
+		if (lookup->trace && lookup->trace_root) {
+			dns_name_clone(dns_rootname, lookup->name);
+		} else {
+			dns_fixedname_t fixed;
+			dns_name_t *name;
+
+			name = dns_fixedname_initname(&fixed);
+			len = (unsigned int)strlen(textname);
+			isc_buffer_init(&b, textname, len);
+			isc_buffer_add(&b, len);
+			result = dns_name_fromtext(name, &b, NULL, 0, NULL);
+			if (result == ISC_R_SUCCESS) {
+				if (!dns_name_isabsolute(name)) {
+					result = dns_name_concatenate(
+						name, lookup->oname,
+						lookup->name, &lookup->namebuf);
+				} else {
+					result = dns_name_copy(
+						name, lookup->name,
+						&lookup->namebuf);
+				}
+			}
+			if (result != ISC_R_SUCCESS) {
+				dns_message_puttempname(lookup->sendmsg,
+							&lookup->name);
+				dns_message_puttempname(lookup->sendmsg,
+							&lookup->oname);
+				if (result == DNS_R_NAMETOOLONG) {
+					return (false);
+				}
+				fatal("'%s' is not in legal name syntax (%s)",
+				      lookup->textname,
+				      isc_result_totext(result));
+			}
+		}
+		dns_message_puttempname(lookup->sendmsg, &lookup->oname);
+	} else {
+		debug("using root origin");
+		if (lookup->trace && lookup->trace_root) {
+			dns_name_clone(dns_rootname, lookup->name);
+		} else {
+			len = (unsigned int)strlen(textname);
+			isc_buffer_init(&b, textname, len);
+			isc_buffer_add(&b, len);
+			result = dns_name_fromtext(lookup->name, &b,
+						   dns_rootname, 0,
+						   &lookup->namebuf);
+		}
+		if (result != ISC_R_SUCCESS) {
+			dns_message_puttempname(lookup->sendmsg, &lookup->name);
+			warn("'%s' is not a legal name "
+			     "(%s)",
+			     lookup->textname, isc_result_totext(result));
+#if TARGET_OS_IPHONE
+			check_next_lookup(current_lookup);
+			return (false);
+#else  /* if TARGET_OS_IPHONE */
+			digexit();
+#endif /* if TARGET_OS_IPHONE */
+		}
+	}
+	dns_name_format(lookup->name, store, sizeof(store));
+	dighost_trying(store, lookup);
+	INSIST(dns_name_isabsolute(lookup->name));
+
+	lookup->sendmsg->id = (dns_messageid_t)isc_random16();
+	lookup->sendmsg->opcode = lookup->opcode;
+	lookup->msgcounter = 0;
+
+	/*
+	 * If this is a trace request, completely disallow recursion after
+	 * looking up the root name servers, since it's meaningless for traces.
+	 */
+	if ((lookup->trace || lookup->ns_search_only) && !lookup->trace_root) {
+		lookup->recurse = false;
+	}
+
+	if (lookup->recurse && lookup->rdtype != dns_rdatatype_axfr &&
+	    lookup->rdtype != dns_rdatatype_ixfr)
+	{
+		debug("recursive query");
+		lookup->sendmsg->flags |= DNS_MESSAGEFLAG_RD;
+	}
+
+	/* XXX aaflag */
+	if (lookup->aaonly) {
+		debug("AA query");
+		lookup->sendmsg->flags |= DNS_MESSAGEFLAG_AA;
+	}
+
+	if (lookup->adflag) {
+		debug("AD query");
+		lookup->sendmsg->flags |= DNS_MESSAGEFLAG_AD;
+	}
+
+	if (lookup->cdflag) {
+		debug("CD query");
+		lookup->sendmsg->flags |= DNS_MESSAGEFLAG_CD;
+	}
+
+	if (lookup->raflag) {
+		debug("RA query");
+		lookup->sendmsg->flags |= DNS_MESSAGEFLAG_RA;
+	}
+
+	if (lookup->tcflag) {
+		debug("TC query");
+		lookup->sendmsg->flags |= DNS_MESSAGEFLAG_TC;
+	}
+
+	if (lookup->zflag) {
+		debug("Z query");
+		lookup->sendmsg->flags |= 0x0040U;
+	}
+
+	dns_message_addname(lookup->sendmsg, lookup->name,
+			    DNS_SECTION_QUESTION);
+
+	if (lookup->trace && lookup->trace_root) {
+		lookup->qrdtype = lookup->rdtype;
+		lookup->rdtype = dns_rdatatype_ns;
+	}
+
+	if ((lookup->rdtype == dns_rdatatype_axfr) ||
+	    (lookup->rdtype == dns_rdatatype_ixfr))
+	{
+		/*
+		 * Force TCP mode if we're doing an axfr.
+		 */
+		if (lookup->rdtype == dns_rdatatype_axfr) {
+			lookup->doing_xfr = true;
+			lookup->tcp_mode = true;
+		} else if (lookup->tcp_mode) {
+			lookup->doing_xfr = true;
+		}
+	}
+
+	if (!lookup->header_only) {
+		add_question(lookup->sendmsg, lookup->name, lookup->rdclass,
+			     lookup->rdtype);
+	}
+
+	/* add_soa */
+	if (lookup->rdtype == dns_rdatatype_ixfr) {
+		insert_soa(lookup);
+	}
+
+	/* XXX Insist this? */
+	lookup->tsigctx = NULL;
+	lookup->querysig = NULL;
+	if (tsigkey != NULL) {
+		debug("initializing keys");
+		result = dns_message_settsigkey(lookup->sendmsg, tsigkey);
+		check_result(result, "dns_message_settsigkey");
+	}
+
+	lookup->sendspace = isc_mem_get(mctx, COMMSIZE);
+
+	result = dns_compress_init(&cctx, -1, mctx);
+	check_result(result, "dns_compress_init");
+
+	debug("starting to render the message");
+	isc_buffer_init(&lookup->renderbuf, lookup->sendspace, COMMSIZE);
+	result = dns_message_renderbegin(lookup->sendmsg, &cctx,
+					 &lookup->renderbuf);
+	check_result(result, "dns_message_renderbegin");
+	if (lookup->udpsize > 0 || lookup->dnssec || lookup->edns > -1 ||
+	    lookup->ecs_addr != NULL)
+	{
+#define MAXOPTS (EDNSOPT_OPTIONS + DNS_EDNSOPTIONS)
+		dns_ednsopt_t opts[MAXOPTS];
+		unsigned int flags;
+		unsigned int i = 0;
+
+		/*
+		 * There can't be more than MAXOPTS options to send:
+		 * a maximum of EDNSOPT_OPTIONS set by +ednsopt
+		 * and DNS_EDNSOPTIONS set by other arguments
+		 * (+nsid, +cookie, etc).
+		 */
+		if (lookup->udpsize < 0) {
+			lookup->udpsize = DEFAULT_EDNS_BUFSIZE;
+		}
+		if (lookup->edns < 0) {
+			lookup->edns = DEFAULT_EDNS_VERSION;
+		}
+
+		if (lookup->nsid) {
+			INSIST(i < MAXOPTS);
+			opts[i].code = DNS_OPT_NSID;
+			opts[i].length = 0;
+			opts[i].value = NULL;
+			i++;
+		}
+
+		if (lookup->ecs_addr != NULL) {
+			uint8_t addr[16];
+			uint16_t family = 0;
+			uint32_t plen;
+			struct sockaddr *sa;
+			struct sockaddr_in *sin;
+			struct sockaddr_in6 *sin6;
+			size_t addrl;
+
+			sa = &lookup->ecs_addr->type.sa;
+			plen = lookup->ecs_addr->length;
+
+			/* Round up prefix len to a multiple of 8 */
+			addrl = (plen + 7) / 8;
+
+			INSIST(i < MAXOPTS);
+			opts[i].code = DNS_OPT_CLIENT_SUBNET;
+			opts[i].length = (uint16_t)addrl + 4;
+			check_result(result, "isc_buffer_allocate");
+
+			/*
+			 * XXXMUKS: According to RFC7871, "If there is
+			 * no ADDRESS set, i.e., SOURCE PREFIX-LENGTH is
+			 * set to 0, then FAMILY SHOULD be set to the
+			 * transport over which the query is sent."
+			 *
+			 * However, at this point we don't know what
+			 * transport(s) we'll be using, so we can't
+			 * set the value now. For now, we're using
+			 * IPv4 as the default the +subnet option
+			 * used an IPv4 prefix, or for +subnet=0,
+			 * and IPv6 if the +subnet option used an
+			 * IPv6 prefix.
+			 *
+			 * (For future work: preserve the offset into
+			 * the buffer where the family field is;
+			 * that way we can update it in send_udp()
+			 * or send_tcp_connect() once we know
+			 * what it outght to be.)
+			 */
+			switch (sa->sa_family) {
+			case AF_UNSPEC:
+				INSIST(plen == 0);
+				family = 1;
+				break;
+			case AF_INET:
+				INSIST(plen <= 32);
+				family = 1;
+				sin = (struct sockaddr_in *)sa;
+				memmove(addr, &sin->sin_addr, addrl);
+				break;
+			case AF_INET6:
+				INSIST(plen <= 128);
+				family = 2;
+				sin6 = (struct sockaddr_in6 *)sa;
+				memmove(addr, &sin6->sin6_addr, addrl);
+				break;
+			default:
+				UNREACHABLE();
+			}
+
+			isc_buffer_init(&b, ecsbuf, sizeof(ecsbuf));
+			/* family */
+			isc_buffer_putuint16(&b, family);
+			/* source prefix-length */
+			isc_buffer_putuint8(&b, plen);
+			/* scope prefix-length */
+			isc_buffer_putuint8(&b, 0);
+
+			/* address */
+			if (addrl > 0) {
+				/* Mask off last address byte */
+				if ((plen % 8) != 0) {
+					addr[addrl - 1] &= ~0U
+							   << (8 - (plen % 8));
+				}
+				isc_buffer_putmem(&b, addr, (unsigned)addrl);
+			}
+
+			opts[i].value = (uint8_t *)ecsbuf;
+			i++;
+		}
+
+		if (lookup->sendcookie) {
+			INSIST(i < MAXOPTS);
+			opts[i].code = DNS_OPT_COOKIE;
+			if (lookup->cookie != NULL) {
+				isc_buffer_init(&b, cookiebuf,
+						sizeof(cookiebuf));
+				result = isc_hex_decodestring(lookup->cookie,
+							      &b);
+				check_result(result, "isc_hex_decodestring");
+				opts[i].value = isc_buffer_base(&b);
+				opts[i].length = isc_buffer_usedlength(&b);
+			} else {
+				compute_cookie(cookie, sizeof(cookie));
+				opts[i].length = 8;
+				opts[i].value = cookie;
+			}
+			i++;
+		}
+
+		if (lookup->expire) {
+			INSIST(i < MAXOPTS);
+			opts[i].code = DNS_OPT_EXPIRE;
+			opts[i].length = 0;
+			opts[i].value = NULL;
+			i++;
+		}
+
+		if (lookup->tcp_keepalive) {
+			INSIST(i < MAXOPTS);
+			opts[i].code = DNS_OPT_TCP_KEEPALIVE;
+			opts[i].length = 0;
+			opts[i].value = NULL;
+			i++;
+		}
+
+		if (lookup->ednsoptscnt != 0) {
+			INSIST(i + lookup->ednsoptscnt <= MAXOPTS);
+			memmove(&opts[i], lookup->ednsopts,
+				sizeof(dns_ednsopt_t) * lookup->ednsoptscnt);
+			i += lookup->ednsoptscnt;
+		}
+
+		if (lookup->padding != 0 && (i >= MAXOPTS)) {
+			debug("turned off padding because of EDNS overflow");
+			lookup->padding = 0;
+		}
+
+		if (lookup->padding != 0) {
+			INSIST(i < MAXOPTS);
+			opts[i].code = DNS_OPT_PAD;
+			opts[i].length = 0;
+			opts[i].value = NULL;
+			i++;
+			dns_message_setpadding(lookup->sendmsg,
+					       lookup->padding);
+		}
+
+		flags = lookup->ednsflags;
+		flags &= ~DNS_MESSAGEEXTFLAG_DO;
+		if (lookup->dnssec) {
+			flags |= DNS_MESSAGEEXTFLAG_DO;
+		}
+		add_opt(lookup->sendmsg, lookup->udpsize, lookup->edns, flags,
+			opts, i);
+	}
+
+	result = dns_message_rendersection(lookup->sendmsg,
+					   DNS_SECTION_QUESTION, 0);
+	check_result(result, "dns_message_rendersection");
+	result = dns_message_rendersection(lookup->sendmsg,
+					   DNS_SECTION_AUTHORITY, 0);
+	check_result(result, "dns_message_rendersection");
+	result = dns_message_renderend(lookup->sendmsg);
+	check_result(result, "dns_message_renderend");
+	debug("done rendering");
+
+	dns_compress_invalidate(&cctx);
+
+	/*
+	 * Force TCP mode if the request is larger than 512 bytes.
+	 */
+	if (isc_buffer_usedlength(&lookup->renderbuf) > 512) {
+		lookup->tcp_mode = true;
+	}
+
+	lookup->pending = false;
+
+	for (serv = ISC_LIST_HEAD(lookup->my_server_list); serv != NULL;
+	     serv = ISC_LIST_NEXT(serv, link))
+	{
+		query = isc_mem_allocate(mctx, sizeof(dig_query_t));
+		debug("create query %p linked to lookup %p", query, lookup);
+		query->lookup = lookup;
+		query->timer = NULL;
+		query->waiting_connect = false;
+		query->waiting_senddone = false;
+		query->pending_free = false;
+		query->recv_made = false;
+		query->first_pass = true;
+		query->first_soa_rcvd = false;
+		query->second_rr_rcvd = false;
+		query->first_repeat_rcvd = false;
+		query->warn_id = true;
+		query->timedout = false;
+		query->first_rr_serial = 0;
+		query->second_rr_serial = 0;
+		query->servname = serv->servername;
+		query->userarg = serv->userarg;
+		query->rr_count = 0;
+		query->msg_count = 0;
+		query->byte_count = 0;
+		query->ixfr_axfr = false;
+		query->sock = NULL;
+		query->recvspace = isc_mem_get(mctx, COMMSIZE);
+		query->tmpsendspace = isc_mem_get(mctx, COMMSIZE);
+		if (query->recvspace == NULL) {
+			fatal("memory allocation failure");
+		}
+
+		isc_buffer_init(&query->recvbuf, query->recvspace, COMMSIZE);
+		isc_buffer_init(&query->lengthbuf, query->lengthspace, 2);
+		isc_buffer_init(&query->tmpsendbuf, query->tmpsendspace,
+				COMMSIZE);
+		query->sendbuf = lookup->renderbuf;
+
+		isc_time_settoepoch(&query->time_sent);
+		isc_time_settoepoch(&query->time_recv);
+
+		ISC_LINK_INIT(query, clink);
+		ISC_LINK_INIT(query, link);
+		query->saved_next = NULL;
+
+		query->magic = DIG_QUERY_MAGIC;
+
+		ISC_LIST_ENQUEUE(lookup->q, query, link);
+	}
+
+	return (true);
+}
+
+/*%
+ * Event handler for send completion.  Track send counter, and clear out
+ * the query if the send was canceled.
+ */
+static void
+send_done(isc_task_t *_task, isc_event_t *event) {
+	dig_query_t *query, *next;
+	dig_lookup_t *l;
+
+	REQUIRE(event->ev_type == ISC_SOCKEVENT_SENDDONE);
+
+	UNUSED(_task);
+
+	LOCK_LOOKUP;
+
+	debug("send_done(%p)", event->ev_arg);
+	sendcount--;
+	debug("sendcount=%d", sendcount);
+	INSIST(sendcount >= 0);
+
+	query = event->ev_arg;
+	REQUIRE(DIG_VALID_QUERY(query));
+	query->waiting_senddone = false;
+	l = query->lookup;
+
+	if (l == current_lookup && l->ns_search_only && !l->trace_root &&
+	    !l->tcp_mode)
+	{
+		debug("sending next, since searching");
+		next = query->pending_free ? query->saved_next
+					   : ISC_LIST_NEXT(query, link);
+		if (next != NULL) {
+			send_udp(next);
+		}
+	}
+
+	isc_event_free(&event);
+
+	if (query->pending_free) {
+		query->magic = 0;
+		isc_mem_free(mctx, query);
+	}
+
+	check_if_done();
+	UNLOCK_LOOKUP;
+}
+
+/*%
+ * Cancel a lookup, sending isc_socket_cancel() requests to all outstanding
+ * IO sockets.  The cancel handlers should take care of cleaning up the
+ * query and lookup structures
+ */
+static void
+cancel_lookup(dig_lookup_t *lookup) {
+	dig_query_t *query, *next;
+
+	debug("cancel_lookup(%p)", lookup);
+	query = ISC_LIST_HEAD(lookup->q);
+	while (query != NULL) {
+		REQUIRE(DIG_VALID_QUERY(query));
+		next = ISC_LIST_NEXT(query, link);
+		if (query->sock != NULL) {
+			isc_socket_cancel(query->sock, global_task,
+					  ISC_SOCKCANCEL_ALL);
+			check_if_done();
+		} else {
+			clear_query(query);
+		}
+		query = next;
+	}
+	lookup->pending = false;
+	lookup->retries = 0;
+}
+
+static void
+bringup_timer(dig_query_t *query, unsigned int default_timeout) {
+	dig_lookup_t *l;
+	unsigned int local_timeout;
+	isc_result_t result;
+	REQUIRE(DIG_VALID_QUERY(query));
+
+	debug("bringup_timer(%p)", query);
+	/*
+	 * If the timer already exists, that means we're calling this
+	 * a second time (for a retry).  Don't need to recreate it,
+	 * just reset it.
+	 */
+	l = query->lookup;
+	if (ISC_LINK_LINKED(query, link) && ISC_LIST_NEXT(query, link) != NULL)
+	{
+		local_timeout = SERVER_TIMEOUT;
+	} else {
+		if (timeout == 0) {
+			local_timeout = default_timeout;
+		} else {
+			local_timeout = timeout;
+		}
+	}
+	debug("have local timeout of %d", local_timeout);
+	isc_interval_set(&l->interval, local_timeout, 0);
+	if (query->timer != NULL) {
+		isc_timer_destroy(&query->timer);
+	}
+	result = isc_timer_create(timermgr, isc_timertype_once, NULL,
+				  &l->interval, global_task, connect_timeout,
+				  query, &query->timer);
+	check_result(result, "isc_timer_create");
+}
+
+static void
+force_timeout(dig_query_t *query) {
+	isc_event_t *event;
+
+	debug("force_timeout(%p)", query);
+	event = isc_event_allocate(mctx, query, ISC_TIMEREVENT_IDLE,
+				   connect_timeout, query, sizeof(isc_event_t));
+	isc_task_send(global_task, &event);
+
+	/*
+	 * The timer may have expired if, for example, get_address() takes
+	 * long time and the timer was running on a different thread.
+	 * We need to cancel the possible timeout event not to confuse
+	 * ourselves due to the duplicate events.
+	 */
+	if (query->timer != NULL) {
+		isc_timer_destroy(&query->timer);
+	}
+}
+
+static void
+connect_done(isc_task_t *task, isc_event_t *event);
+
+/*%
+ * Unlike send_udp, this can't be called multiple times with the same
+ * query.  When we retry TCP, we requeue the whole lookup, which should
+ * start anew.
+ */
+static void
+send_tcp_connect(dig_query_t *query) {
+	isc_result_t result;
+	dig_query_t *next;
+	dig_lookup_t *l;
+	REQUIRE(DIG_VALID_QUERY(query));
+
+	debug("send_tcp_connect(%p)", query);
+
+	l = query->lookup;
+	query->waiting_connect = true;
+	query->lookup->current_query = query;
+	result = get_address(query->servname, port, &query->sockaddr);
+	if (result != ISC_R_SUCCESS) {
+		/*
+		 * This servname doesn't have an address.  Try the next server
+		 * by triggering an immediate 'timeout' (we lie, but the effect
+		 * is the same).
+		 */
+		force_timeout(query);
+		return;
+	}
+
+	if (!l->mapped && isc_sockaddr_pf(&query->sockaddr) == AF_INET6 &&
+	    IN6_IS_ADDR_V4MAPPED(&query->sockaddr.type.sin6.sin6_addr))
+	{
+		isc_netaddr_t netaddr;
+		char buf[ISC_NETADDR_FORMATSIZE];
+
+		isc_netaddr_fromsockaddr(&netaddr, &query->sockaddr);
+		isc_netaddr_format(&netaddr, buf, sizeof(buf));
+		dighost_warning("Skipping mapped address '%s'", buf);
+
+		query->waiting_connect = false;
+		if (ISC_LINK_LINKED(query, link)) {
+			next = ISC_LIST_NEXT(query, link);
+		} else {
+			next = NULL;
+		}
+		l = query->lookup;
+		clear_query(query);
+		if (next == NULL) {
+			dighost_warning("No acceptable nameservers");
+			check_next_lookup(l);
+			return;
+		}
+		send_tcp_connect(next);
+		return;
+	}
+
+	INSIST(query->sock == NULL);
+
+	if (keep != NULL && isc_sockaddr_equal(&keepaddr, &query->sockaddr)) {
+		sockcount++;
+		isc_socket_attach(keep, &query->sock);
+		query->waiting_connect = false;
+		launch_next_query(query, true);
+		goto search;
+	}
+
+	result = isc_socket_create(socketmgr, isc_sockaddr_pf(&query->sockaddr),
+				   isc_sockettype_tcp, &query->sock);
+	check_result(result, "isc_socket_create");
+	sockcount++;
+	debug("sockcount=%d", sockcount);
+	if (query->lookup->dscp != -1) {
+		isc_socket_dscp(query->sock, query->lookup->dscp);
+	}
+	isc_socket_ipv6only(query->sock, !query->lookup->mapped);
+	if (specified_source) {
+		result = isc_socket_bind(query->sock, &bind_address,
+					 ISC_SOCKET_REUSEADDRESS);
+	} else {
+		if ((isc_sockaddr_pf(&query->sockaddr) == AF_INET) && have_ipv4)
+		{
+			isc_sockaddr_any(&bind_any);
+		} else {
+			isc_sockaddr_any6(&bind_any);
+		}
+		result = isc_socket_bind(query->sock, &bind_any, 0);
+	}
+	check_result(result, "isc_socket_bind");
+	bringup_timer(query, TCP_TIMEOUT);
+	result = isc_socket_connect(query->sock, &query->sockaddr, global_task,
+				    connect_done, query);
+	check_result(result, "isc_socket_connect");
+search:
+	/*
+	 * If we're at the endgame of a nameserver search, we need to
+	 * immediately bring up all the queries.  Do it here.
+	 */
+	if (l->ns_search_only && !l->trace_root) {
+		debug("sending next, since searching");
+		if (ISC_LINK_LINKED(query, link)) {
+			next = ISC_LIST_NEXT(query, link);
+			ISC_LIST_DEQUEUE(l->q, query, link);
+		} else {
+			next = NULL;
+		}
+		ISC_LIST_ENQUEUE(l->connecting, query, clink);
+		if (next != NULL) {
+			send_tcp_connect(next);
+		}
+	}
+}
+
+static void
+print_query_size(dig_query_t *query) {
+	if (!yaml) {
+		printf(";; QUERY SIZE: %u\n\n",
+		       isc_buffer_usedlength(&query->lookup->renderbuf));
+	}
+}
+
+/*%
+ * Send a UDP packet to the remote nameserver, possible starting the
+ * recv action as well.  Also make sure that the timer is running and
+ * is properly reset.
+ */
+static void
+send_udp(dig_query_t *query) {
+	dig_lookup_t *l = NULL;
+	isc_result_t result;
+	dig_query_t *next;
+	isc_region_t r;
+	isc_socketevent_t *sevent;
+	REQUIRE(DIG_VALID_QUERY(query));
+
+	debug("send_udp(%p)", query);
+
+	l = query->lookup;
+	bringup_timer(query, UDP_TIMEOUT);
+	l->current_query = query;
+	debug("working on lookup %p, query %p", query->lookup, query);
+	if (!query->recv_made) {
+		/* XXX Check the sense of this, need assertion? */
+		query->waiting_connect = false;
+		result = get_address(query->servname, port, &query->sockaddr);
+		if (result != ISC_R_SUCCESS) {
+			/* This servname doesn't have an address. */
+			force_timeout(query);
+			return;
+		}
+
+		if (!l->mapped &&
+		    isc_sockaddr_pf(&query->sockaddr) == AF_INET6 &&
+		    IN6_IS_ADDR_V4MAPPED(&query->sockaddr.type.sin6.sin6_addr))
+		{
+			isc_netaddr_t netaddr;
+			char buf[ISC_NETADDR_FORMATSIZE];
+
+			isc_netaddr_fromsockaddr(&netaddr, &query->sockaddr);
+			isc_netaddr_format(&netaddr, buf, sizeof(buf));
+			dighost_warning("Skipping mapped address '%s'", buf);
+			next = ISC_LIST_NEXT(query, link);
+			l = query->lookup;
+			clear_query(query);
+			if (next == NULL) {
+				dighost_warning("No acceptable nameservers");
+				check_next_lookup(l);
+			} else {
+				send_udp(next);
+			}
+			return;
+		}
+
+		result = isc_socket_create(socketmgr,
+					   isc_sockaddr_pf(&query->sockaddr),
+					   isc_sockettype_udp, &query->sock);
+		check_result(result, "isc_socket_create");
+		sockcount++;
+		debug("sockcount=%d", sockcount);
+		if (query->lookup->dscp != -1) {
+			isc_socket_dscp(query->sock, query->lookup->dscp);
+		}
+		isc_socket_ipv6only(query->sock, !query->lookup->mapped);
+		if (specified_source) {
+			result = isc_socket_bind(query->sock, &bind_address,
+						 ISC_SOCKET_REUSEADDRESS);
+		} else {
+			isc_sockaddr_anyofpf(&bind_any,
+					     isc_sockaddr_pf(&query->sockaddr));
+			result = isc_socket_bind(query->sock, &bind_any, 0);
+		}
+		check_result(result, "isc_socket_bind");
+
+		query->recv_made = true;
+		isc_buffer_availableregion(&query->recvbuf, &r);
+		debug("recving with lookup=%p, query=%p, sock=%p",
+		      query->lookup, query, query->sock);
+		result = isc_socket_recv(query->sock, &r, 1, global_task,
+					 recv_done, query);
+		check_result(result, "isc_socket_recv");
+		recvcount++;
+		debug("recvcount=%d", recvcount);
+	}
+	isc_buffer_usedregion(&query->sendbuf, &r);
+	debug("sending a request");
+	if (query->lookup->use_usec) {
+		TIME_NOW_HIRES(&query->time_sent);
+	} else {
+		TIME_NOW(&query->time_sent);
+	}
+	INSIST(query->sock != NULL);
+	query->waiting_senddone = true;
+	sevent = isc_socket_socketevent(
+		mctx, query->sock, ISC_SOCKEVENT_SENDDONE, send_done, query);
+	result = isc_socket_sendto2(query->sock, &r, global_task,
+				    &query->sockaddr, NULL, sevent,
+				    ISC_SOCKFLAG_NORETRY);
+	check_result(result, "isc_socket_sendto2");
+	sendcount++;
+
+	/* XXX qrflag, print_query, etc... */
+	if (!ISC_LIST_EMPTY(query->lookup->q) && query->lookup->qr) {
+		extrabytes = 0;
+		dighost_printmessage(ISC_LIST_HEAD(query->lookup->q),
+				     &query->lookup->renderbuf,
+				     query->lookup->sendmsg, true);
+		if (query->lookup->stats) {
+			print_query_size(query);
+		}
+	}
+}
+
+/*%
+ * If there are more servers available for querying within 'lookup', initiate a
+ * TCP or UDP query to the next available server and return true; otherwise,
+ * return false.
+ */
+static bool
+try_next_server(dig_lookup_t *lookup) {
+	dig_query_t *current_query, *next_query;
+
+	current_query = lookup->current_query;
+	if (current_query == NULL || !ISC_LINK_LINKED(current_query, link)) {
+		return (false);
+	}
+
+	next_query = ISC_LIST_NEXT(current_query, link);
+	if (next_query == NULL) {
+		return (false);
+	}
+
+	debug("trying next server...");
+
+	if (lookup->tcp_mode) {
+		send_tcp_connect(next_query);
+	} else {
+		send_udp(next_query);
+	}
+
+	return (true);
+}
+
+/*%
+ * IO timeout handler, used for both connect and recv timeouts.  If
+ * retries are still allowed, either resend the UDP packet or queue a
+ * new TCP lookup.  Otherwise, cancel the lookup.
+ */
+static void
+connect_timeout(isc_task_t *task, isc_event_t *event) {
+	dig_lookup_t *l = NULL;
+	dig_query_t *query = NULL;
+
+	UNUSED(task);
+	REQUIRE(event->ev_type == ISC_TIMEREVENT_IDLE);
+
+	debug("connect_timeout(%p)", event->ev_arg);
+
+	LOCK_LOOKUP;
+	query = event->ev_arg;
+	REQUIRE(DIG_VALID_QUERY(query));
+	l = query->lookup;
+	isc_event_free(&event);
+
+	INSIST(!free_now);
+
+	if (cancel_now) {
+		UNLOCK_LOOKUP;
+		return;
+	}
+
+	if (try_next_server(l)) {
+		if (l->tcp_mode) {
+			if (query->sock != NULL) {
+				isc_socket_cancel(query->sock, NULL,
+						  ISC_SOCKCANCEL_ALL);
+			} else {
+				clear_query(query);
+			}
+		}
+		UNLOCK_LOOKUP;
+		return;
+	}
+
+	if (l->tcp_mode && query->sock != NULL) {
+		query->timedout = true;
+		isc_socket_cancel(query->sock, NULL, ISC_SOCKCANCEL_ALL);
+	}
+
+	if (l->retries > 1) {
+		if (!l->tcp_mode) {
+			l->retries--;
+			debug("resending UDP request to first server");
+			send_udp(ISC_LIST_HEAD(l->q));
+		} else {
+			debug("making new TCP request, %d tries left",
+			      l->retries);
+			l->retries--;
+			requeue_lookup(l, true);
+			cancel_lookup(l);
+			check_next_lookup(l);
+		}
+	} else {
+		if (l->ns_search_only) {
+			isc_netaddr_t netaddr;
+			char buf[ISC_NETADDR_FORMATSIZE];
+
+			isc_netaddr_fromsockaddr(&netaddr, &query->sockaddr);
+			isc_netaddr_format(&netaddr, buf, sizeof(buf));
+
+			dighost_error("no response from %s\n", buf);
+		} else {
+			fputs(l->cmdline, stdout);
+			dighost_error("connection timed out; "
+				      "no servers could be reached\n");
+		}
+		cancel_lookup(l);
+		check_next_lookup(l);
+		if (exitcode < 9) {
+			exitcode = 9;
+		}
+	}
+	UNLOCK_LOOKUP;
+}
+
+/*%
+ * Called when a peer closes a TCP socket prematurely.
+ */
+static void
+requeue_or_update_exitcode(dig_lookup_t *lookup) {
+	if (lookup->eoferr == 0U && lookup->retries > 1) {
+		--lookup->retries;
+		/*
+		 * Peer closed the connection prematurely for the first time
+		 * for this lookup.  Try again, keeping track of this failure.
+		 */
+		dig_lookup_t *requeued_lookup = requeue_lookup(lookup, true);
+		requeued_lookup->eoferr++;
+	} else {
+		/*
+		 * Peer closed the connection prematurely and it happened
+		 * previously for this lookup.  Indicate an error.
+		 */
+		exitcode = 9;
+	}
+}
+
+/*%
+ * Event handler for the TCP recv which gets the length header of TCP
+ * packets.  Start the next recv of length bytes.
+ */
+static void
+tcp_length_done(isc_task_t *task, isc_event_t *event) {
+	isc_socketevent_t *sevent;
+	isc_buffer_t b;
+	isc_region_t r;
+	isc_result_t result;
+	dig_query_t *query = NULL;
+	dig_lookup_t *l;
+	uint16_t length;
+
+	REQUIRE(event->ev_type == ISC_SOCKEVENT_RECVDONE);
+	INSIST(!free_now);
+
+	UNUSED(task);
+
+	debug("tcp_length_done(%p)", event->ev_arg);
+
+	LOCK_LOOKUP;
+	sevent = (isc_socketevent_t *)event;
+	query = event->ev_arg;
+	REQUIRE(DIG_VALID_QUERY(query));
+
+	recvcount--;
+	INSIST(recvcount >= 0);
+
+	if (sevent->result == ISC_R_CANCELED) {
+		isc_event_free(&event);
+		l = query->lookup;
+		clear_query(query);
+		check_next_lookup(l);
+		UNLOCK_LOOKUP;
+		return;
+	}
+	if (sevent->result != ISC_R_SUCCESS) {
+		char sockstr[ISC_SOCKADDR_FORMATSIZE];
+		isc_sockaddr_format(&query->sockaddr, sockstr, sizeof(sockstr));
+		dighost_error("communications error to %s: %s\n", sockstr,
+			      isc_result_totext(sevent->result));
+		if (keep != NULL) {
+			isc_socket_detach(&keep);
+		}
+		l = query->lookup;
+		isc_socket_detach(&query->sock);
+		sockcount--;
+		debug("sockcount=%d", sockcount);
+		INSIST(sockcount >= 0);
+		if (sevent->result == ISC_R_EOF) {
+			requeue_or_update_exitcode(l);
+		}
+		isc_event_free(&event);
+		clear_query(query);
+		cancel_lookup(l);
+		check_next_lookup(l);
+		UNLOCK_LOOKUP;
+		return;
+	}
+	isc_buffer_init(&b, sevent->region.base, sevent->n);
+	isc_buffer_add(&b, sevent->n);
+	length = isc_buffer_getuint16(&b);
+
+	if (length == 0) {
+		isc_event_free(&event);
+		launch_next_query(query, false);
+		UNLOCK_LOOKUP;
+		return;
+	}
+
+	/*
+	 * Even though the buffer was already init'ed, we need
+	 * to redo it now, to force the length we want.
+	 */
+	isc_buffer_invalidate(&query->recvbuf);
+	isc_buffer_init(&query->recvbuf, query->recvspace, length);
+	isc_buffer_availableregion(&query->recvbuf, &r);
+	debug("recving with lookup=%p, query=%p", query->lookup, query);
+	result = isc_socket_recv(query->sock, &r, length, task, recv_done,
+				 query);
+	check_result(result, "isc_socket_recv");
+	recvcount++;
+	debug("resubmitted recv request with length %d, recvcount=%d", length,
+	      recvcount);
+	isc_event_free(&event);
+	UNLOCK_LOOKUP;
+}
+
+/*%
+ * For transfers that involve multiple recvs (XFR's in particular),
+ * launch the next recv.
+ */
+static void
+launch_next_query(dig_query_t *query, bool include_question) {
+	isc_result_t result;
+	dig_lookup_t *l;
+	isc_region_t r;
+	REQUIRE(DIG_VALID_QUERY(query));
+
+	INSIST(!free_now);
+
+	debug("launch_next_query(%p)", query);
+
+	if (!query->lookup->pending) {
+		debug("ignoring launch_next_query because !pending");
+		isc_socket_detach(&query->sock);
+		sockcount--;
+		debug("sockcount=%d", sockcount);
+		INSIST(sockcount >= 0);
+		query->waiting_connect = false;
+		l = query->lookup;
+		clear_query(query);
+		check_next_lookup(l);
+		return;
+	}
+
+	isc_buffer_clear(&query->lengthbuf);
+	isc_buffer_availableregion(&query->lengthbuf, &r);
+	result = isc_socket_recv(query->sock, &r, 0, global_task,
+				 tcp_length_done, query);
+	check_result(result, "isc_socket_recv");
+	recvcount++;
+	debug("recvcount=%d", recvcount);
+	if (!query->first_soa_rcvd) {
+		debug("sending a request in launch_next_query");
+		if (query->lookup->use_usec) {
+			TIME_NOW_HIRES(&query->time_sent);
+		} else {
+			TIME_NOW(&query->time_sent);
+		}
+		query->waiting_senddone = true;
+		isc_buffer_clear(&query->tmpsendbuf);
+		isc_buffer_putuint16(&query->tmpsendbuf,
+				     isc_buffer_usedlength(&query->sendbuf));
+		if (include_question) {
+			isc_buffer_usedregion(&query->sendbuf, &r);
+			isc_buffer_copyregion(&query->tmpsendbuf, &r);
+		}
+		isc_buffer_usedregion(&query->tmpsendbuf, &r);
+		result = isc_socket_send(query->sock, &r, global_task,
+					 send_done, query);
+		check_result(result, "isc_socket_send");
+		sendcount++;
+		debug("sendcount=%d", sendcount);
+
+		/* XXX qrflag, print_query, etc... */
+		if (!ISC_LIST_EMPTY(query->lookup->q) && query->lookup->qr) {
+			extrabytes = 0;
+			dighost_printmessage(ISC_LIST_HEAD(query->lookup->q),
+					     &query->lookup->renderbuf,
+					     query->lookup->sendmsg, true);
+			if (query->lookup->stats) {
+				print_query_size(query);
+			}
+		}
+	}
+	query->waiting_connect = false;
+#if 0
+	check_next_lookup(query->lookup);
+#endif /* if 0 */
+	return;
+}
+
+/*%
+ * Event handler for TCP connect complete.  Make sure the connection was
+ * successful, then pass into launch_next_query to actually send the
+ * question.
+ */
+static void
+connect_done(isc_task_t *task, isc_event_t *event) {
+	char sockstr[ISC_SOCKADDR_FORMATSIZE];
+	isc_socketevent_t *sevent = NULL;
+	dig_query_t *query = NULL, *next;
+	dig_lookup_t *l;
+
+	UNUSED(task);
+
+	REQUIRE(event->ev_type == ISC_SOCKEVENT_CONNECT);
+	INSIST(!free_now);
+
+	debug("connect_done(%p)", event->ev_arg);
+
+	LOCK_LOOKUP;
+	sevent = (isc_socketevent_t *)event;
+	query = sevent->ev_arg;
+	REQUIRE(DIG_VALID_QUERY(query));
+
+	INSIST(query->waiting_connect);
+
+	query->waiting_connect = false;
+
+	if (sevent->result == ISC_R_CANCELED) {
+		debug("in cancel handler");
+		isc_sockaddr_format(&query->sockaddr, sockstr, sizeof(sockstr));
+		if (query->timedout) {
+			dighost_warning("Connection to %s(%s) for %s failed: "
+					"%s.",
+					sockstr, query->servname,
+					query->lookup->textname,
+					isc_result_totext(ISC_R_TIMEDOUT));
+		}
+		isc_socket_detach(&query->sock);
+		INSIST(sockcount > 0);
+		sockcount--;
+		debug("sockcount=%d", sockcount);
+		query->waiting_connect = false;
+		isc_event_free(&event);
+		l = query->lookup;
+		clear_query(query);
+		check_next_lookup(l);
+		UNLOCK_LOOKUP;
+		return;
+	}
+	if (sevent->result != ISC_R_SUCCESS) {
+		debug("unsuccessful connection: %s",
+		      isc_result_totext(sevent->result));
+		isc_sockaddr_format(&query->sockaddr, sockstr, sizeof(sockstr));
+		if (sevent->result != ISC_R_CANCELED) {
+			dighost_warning("Connection to %s(%s) for %s failed: "
+					"%s.",
+					sockstr, query->servname,
+					query->lookup->textname,
+					isc_result_totext(sevent->result));
+		}
+		isc_socket_detach(&query->sock);
+		INSIST(sockcount > 0);
+		sockcount--;
+		/* XXX Clean up exitcodes */
+		if (exitcode < 9) {
+			exitcode = 9;
+		}
+		debug("sockcount=%d", sockcount);
+		query->waiting_connect = false;
+		isc_event_free(&event);
+		l = query->lookup;
+		if ((l->current_query != NULL) &&
+		    (ISC_LINK_LINKED(l->current_query, link)))
+		{
+			next = ISC_LIST_NEXT(l->current_query, link);
+		} else {
+			next = NULL;
+		}
+		clear_query(query);
+		if (next != NULL) {
+			bringup_timer(next, TCP_TIMEOUT);
+			send_tcp_connect(next);
+		} else {
+			check_next_lookup(l);
+		}
+		UNLOCK_LOOKUP;
+		return;
+	}
+	exitcode = 0;
+	if (keep_open) {
+		if (keep != NULL) {
+			isc_socket_detach(&keep);
+		}
+		isc_socket_attach(query->sock, &keep);
+		keepaddr = query->sockaddr;
+	}
+	launch_next_query(query, true);
+	isc_event_free(&event);
+	UNLOCK_LOOKUP;
+}
+
+/*%
+ * Check if the ongoing XFR needs more data before it's complete, using
+ * the semantics of IXFR and AXFR protocols.  Much of the complexity of
+ * this routine comes from determining when an IXFR is complete.
+ * false means more data is on the way, and the recv has been issued.
+ */
+static bool
+check_for_more_data(dig_query_t *query, dns_message_t *msg,
+		    isc_socketevent_t *sevent) {
+	dns_rdataset_t *rdataset = NULL;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_soa_t soa;
+	uint32_t ixfr_serial = query->lookup->ixfr_serial, serial;
+	isc_result_t result;
+	bool ixfr = query->lookup->rdtype == dns_rdatatype_ixfr;
+	bool axfr = query->lookup->rdtype == dns_rdatatype_axfr;
+
+	if (ixfr) {
+		axfr = query->ixfr_axfr;
+	}
+
+	debug("check_for_more_data(%p)", query);
+
+	/*
+	 * By the time we're in this routine, we know we're doing
+	 * either an AXFR or IXFR.  If there's no second_rr_type,
+	 * then we don't yet know which kind of answer we got back
+	 * from the server.  Here, we're going to walk through the
+	 * rr's in the message, acting as necessary whenever we hit
+	 * an SOA rr.
+	 */
+
+	query->msg_count++;
+	query->byte_count += sevent->n;
+	result = dns_message_firstname(msg, DNS_SECTION_ANSWER);
+	if (result != ISC_R_SUCCESS) {
+		puts("; Transfer failed.");
+		return (true);
+	}
+	do {
+		dns_name_t *name;
+		name = NULL;
+		dns_message_currentname(msg, DNS_SECTION_ANSWER, &name);
+		for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link))
+		{
+			result = dns_rdataset_first(rdataset);
+			if (result != ISC_R_SUCCESS) {
+				continue;
+			}
+			do {
+				query->rr_count++;
+				dns_rdata_reset(&rdata);
+				dns_rdataset_current(rdataset, &rdata);
+				/*
+				 * If this is the first rr, make sure
+				 * it's an SOA
+				 */
+				if ((!query->first_soa_rcvd) &&
+				    (rdata.type != dns_rdatatype_soa))
+				{
+					puts("; Transfer failed.  "
+					     "Didn't start with SOA answer.");
+					return (true);
+				}
+				if ((!query->second_rr_rcvd) &&
+				    (rdata.type != dns_rdatatype_soa))
+				{
+					query->second_rr_rcvd = true;
+					query->second_rr_serial = 0;
+					debug("got the second rr as nonsoa");
+					axfr = query->ixfr_axfr = true;
+					goto next_rdata;
+				}
+
+				/*
+				 * If the record is anything except an SOA
+				 * now, just continue on...
+				 */
+				if (rdata.type != dns_rdatatype_soa) {
+					goto next_rdata;
+				}
+
+				/* Now we have an SOA.  Work with it. */
+				debug("got an SOA");
+				result = dns_rdata_tostruct(&rdata, &soa, NULL);
+				check_result(result, "dns_rdata_tostruct");
+				serial = soa.serial;
+				dns_rdata_freestruct(&soa);
+				if (!query->first_soa_rcvd) {
+					query->first_soa_rcvd = true;
+					query->first_rr_serial = serial;
+					debug("this is the first serial %u",
+					      serial);
+					if (ixfr &&
+					    isc_serial_ge(ixfr_serial, serial))
+					{
+						debug("got up to date "
+						      "response");
+						goto doexit;
+					}
+					goto next_rdata;
+				}
+				if (axfr) {
+					debug("doing axfr, got second SOA");
+					goto doexit;
+				}
+				if (!query->second_rr_rcvd) {
+					if (query->first_rr_serial == serial) {
+						debug("doing ixfr, got "
+						      "empty zone");
+						goto doexit;
+					}
+					debug("this is the second serial %u",
+					      serial);
+					query->second_rr_rcvd = true;
+					query->second_rr_serial = serial;
+					goto next_rdata;
+				}
+				/*
+				 * If we get to this point, we're doing an
+				 * IXFR and have to start really looking
+				 * at serial numbers.
+				 */
+				if (query->first_rr_serial == serial) {
+					debug("got a match for ixfr");
+					if (!query->first_repeat_rcvd) {
+						query->first_repeat_rcvd = true;
+						goto next_rdata;
+					}
+					debug("done with ixfr");
+					goto doexit;
+				}
+				debug("meaningless soa %u", serial);
+			next_rdata:
+				result = dns_rdataset_next(rdataset);
+			} while (result == ISC_R_SUCCESS);
+		}
+		result = dns_message_nextname(msg, DNS_SECTION_ANSWER);
+	} while (result == ISC_R_SUCCESS);
+	launch_next_query(query, false);
+	return (false);
+doexit:
+	dighost_received(sevent->n, &sevent->address, query);
+	return (true);
+}
+
+static void
+process_cookie(dig_lookup_t *l, dns_message_t *msg, isc_buffer_t *optbuf,
+	       size_t optlen) {
+	char bb[256];
+	isc_buffer_t hexbuf;
+	size_t len;
+	const unsigned char *sent;
+	bool copy = true;
+	isc_result_t result;
+
+	if (l->cookie != NULL) {
+		isc_buffer_init(&hexbuf, bb, sizeof(bb));
+		result = isc_hex_decodestring(l->cookie, &hexbuf);
+		check_result(result, "isc_hex_decodestring");
+		sent = isc_buffer_base(&hexbuf);
+		len = isc_buffer_usedlength(&hexbuf);
+	} else {
+		sent = cookie;
+		len = sizeof(cookie);
+	}
+
+	INSIST(msg->cc_ok == 0 && msg->cc_bad == 0);
+	if (len >= 8 && optlen >= 8U) {
+		if (isc_safe_memequal(isc_buffer_current(optbuf), sent, 8)) {
+			msg->cc_ok = 1;
+		} else {
+			dighost_warning("Warning: Client COOKIE mismatch");
+			msg->cc_bad = 1;
+			copy = false;
+		}
+	} else {
+		dighost_warning("Warning: COOKIE bad token (too short)");
+		msg->cc_bad = 1;
+		copy = false;
+	}
+	if (copy) {
+		isc_region_t r;
+
+		r.base = isc_buffer_current(optbuf);
+		r.length = (unsigned int)optlen;
+		isc_buffer_init(&hexbuf, servercookie, sizeof(servercookie));
+		result = isc_hex_totext(&r, 2, "", &hexbuf);
+		check_result(result, "isc_hex_totext");
+		if (isc_buffer_availablelength(&hexbuf) > 0) {
+			isc_buffer_putuint8(&hexbuf, 0);
+			l->cookie = servercookie;
+		}
+	}
+	isc_buffer_forward(optbuf, (unsigned int)optlen);
+}
+
+static void
+process_opt(dig_lookup_t *l, dns_message_t *msg) {
+	dns_rdata_t rdata;
+	isc_result_t result;
+	isc_buffer_t optbuf;
+	uint16_t optcode, optlen;
+	dns_rdataset_t *opt = msg->opt;
+	bool seen_cookie = false;
+
+	result = dns_rdataset_first(opt);
+	if (result == ISC_R_SUCCESS) {
+		dns_rdata_init(&rdata);
+		dns_rdataset_current(opt, &rdata);
+		isc_buffer_init(&optbuf, rdata.data, rdata.length);
+		isc_buffer_add(&optbuf, rdata.length);
+		while (isc_buffer_remaininglength(&optbuf) >= 4) {
+			optcode = isc_buffer_getuint16(&optbuf);
+			optlen = isc_buffer_getuint16(&optbuf);
+			switch (optcode) {
+			case DNS_OPT_COOKIE:
+				/*
+				 * Only process the first cookie option.
+				 */
+				if (seen_cookie) {
+					isc_buffer_forward(&optbuf, optlen);
+					break;
+				}
+				process_cookie(l, msg, &optbuf, optlen);
+				seen_cookie = true;
+				break;
+			default:
+				isc_buffer_forward(&optbuf, optlen);
+				break;
+			}
+		}
+	}
+}
+
+static int
+ednsvers(dns_rdataset_t *opt) {
+	return ((opt->ttl >> 16) & 0xff);
+}
+
+/*%
+ * Event handler for recv complete.  Perform whatever actions are necessary,
+ * based on the specifics of the user's request.
+ */
+static void
+recv_done(isc_task_t *task, isc_event_t *event) {
+	isc_socketevent_t *sevent = NULL;
+	isc_region_t r;
+	dig_query_t *query = NULL;
+	isc_buffer_t b;
+	dns_message_t *msg = NULL;
+	isc_result_t result;
+	dig_lookup_t *n, *l;
+	bool docancel = false;
+	bool match = true;
+	bool done_process_opt = false;
+	unsigned int parseflags;
+	dns_messageid_t id;
+	unsigned int msgflags;
+	int newedns;
+
+	UNUSED(task);
+	INSIST(!free_now);
+
+	debug("recv_done(%p)", event->ev_arg);
+
+	LOCK_LOOKUP;
+	recvcount--;
+	debug("recvcount=%d", recvcount);
+	INSIST(recvcount >= 0);
+
+	query = event->ev_arg;
+	if (query->lookup->use_usec) {
+		TIME_NOW_HIRES(&query->time_recv);
+	} else {
+		TIME_NOW(&query->time_recv);
+	}
+
+	l = query->lookup;
+
+	REQUIRE(event->ev_type == ISC_SOCKEVENT_RECVDONE);
+	sevent = (isc_socketevent_t *)event;
+
+	isc_buffer_init(&b, sevent->region.base, sevent->n);
+	isc_buffer_add(&b, sevent->n);
+
+	if ((l->tcp_mode) && (query->timer != NULL)) {
+		isc_timer_touch(query->timer);
+	}
+	if ((!l->pending && !l->ns_search_only) || cancel_now) {
+		debug("no longer pending.  Got %s",
+		      isc_result_totext(sevent->result));
+		query->waiting_connect = false;
+
+		isc_event_free(&event);
+		clear_query(query);
+		check_next_lookup(l);
+		UNLOCK_LOOKUP;
+		return;
+	}
+
+	if (sevent->result != ISC_R_SUCCESS) {
+		if (sevent->result == ISC_R_CANCELED) {
+			debug("in recv cancel handler");
+			query->waiting_connect = false;
+		} else {
+			dighost_error("communications error: %s\n",
+				      isc_result_totext(sevent->result));
+			if (keep != NULL) {
+				isc_socket_detach(&keep);
+			}
+			isc_socket_detach(&query->sock);
+			sockcount--;
+			debug("sockcount=%d", sockcount);
+			INSIST(sockcount >= 0);
+		}
+		if (sevent->result == ISC_R_EOF) {
+			requeue_or_update_exitcode(l);
+		}
+		isc_event_free(&event);
+		clear_query(query);
+		cancel_lookup(l);
+		check_next_lookup(l);
+		UNLOCK_LOOKUP;
+		return;
+	}
+
+	if (!l->tcp_mode &&
+	    !isc_sockaddr_compare(&sevent->address, &query->sockaddr,
+				  ISC_SOCKADDR_CMPADDR | ISC_SOCKADDR_CMPPORT |
+					  ISC_SOCKADDR_CMPSCOPE |
+					  ISC_SOCKADDR_CMPSCOPEZERO))
+	{
+		char buf1[ISC_SOCKADDR_FORMATSIZE];
+		char buf2[ISC_SOCKADDR_FORMATSIZE];
+		isc_sockaddr_t any;
+
+		if (isc_sockaddr_pf(&query->sockaddr) == AF_INET) {
+			isc_sockaddr_any(&any);
+		} else {
+			isc_sockaddr_any6(&any);
+		}
+
+		/*
+		 * We don't expect a match when the packet is
+		 * sent to 0.0.0.0, :: or to a multicast addresses.
+		 * XXXMPA broadcast needs to be handled here as well.
+		 */
+		if ((!isc_sockaddr_eqaddr(&query->sockaddr, &any) &&
+		     !isc_sockaddr_ismulticast(&query->sockaddr)) ||
+		    isc_sockaddr_getport(&query->sockaddr) !=
+			    isc_sockaddr_getport(&sevent->address))
+		{
+			isc_sockaddr_format(&sevent->address, buf1,
+					    sizeof(buf1));
+			isc_sockaddr_format(&query->sockaddr, buf2,
+					    sizeof(buf2));
+			dighost_warning("reply from unexpected source: %s,"
+					" expected %s\n",
+					buf1, buf2);
+			if (!l->accept_reply_unexpected_src) {
+				match = false;
+			}
+		}
+	}
+
+	result = dns_message_peekheader(&b, &id, &msgflags);
+	if (result != ISC_R_SUCCESS || l->sendmsg->id != id) {
+		match = false;
+		if (l->tcp_mode) {
+			bool fail = true;
+			if (result == ISC_R_SUCCESS) {
+				if ((!query->first_soa_rcvd || query->warn_id))
+				{
+					dighost_warning("%s: ID mismatch: "
+							"expected ID %u, got "
+							"%u",
+							query->first_soa_rcvd
+								? "WARNING"
+								: "ERROR",
+							l->sendmsg->id, id);
+				}
+				if (query->first_soa_rcvd) {
+					fail = false;
+				}
+				query->warn_id = false;
+			} else {
+				dighost_warning("ERROR: short (< header size) "
+						"message");
+			}
+			if (fail) {
+				isc_event_free(&event);
+				clear_query(query);
+				cancel_lookup(l);
+				check_next_lookup(l);
+				UNLOCK_LOOKUP;
+				return;
+			}
+			match = true;
+		} else if (result == ISC_R_SUCCESS) {
+			dighost_warning("Warning: ID mismatch: expected ID %u,"
+					" got %u",
+					l->sendmsg->id, id);
+		} else {
+			dighost_warning("Warning: short (< header size) "
+					"message received");
+		}
+	}
+
+	if (result == ISC_R_SUCCESS && (msgflags & DNS_MESSAGEFLAG_QR) == 0) {
+		dighost_warning("Warning: query response not set");
+	}
+
+	if (!match) {
+		goto udp_mismatch;
+	}
+
+	dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &msg);
+
+	if (tsigkey != NULL) {
+		if (l->querysig == NULL) {
+			debug("getting initial querysig");
+			result = dns_message_getquerytsig(l->sendmsg, mctx,
+							  &l->querysig);
+			check_result(result, "dns_message_getquerytsig");
+		}
+		result = dns_message_setquerytsig(msg, l->querysig);
+		check_result(result, "dns_message_setquerytsig");
+		result = dns_message_settsigkey(msg, tsigkey);
+		check_result(result, "dns_message_settsigkey");
+		msg->tsigctx = l->tsigctx;
+		l->tsigctx = NULL;
+		if (l->msgcounter != 0) {
+			msg->tcp_continuation = 1;
+		}
+		l->msgcounter++;
+	}
+
+	debug("before parse starts");
+	parseflags = DNS_MESSAGEPARSE_PRESERVEORDER;
+	if (l->besteffort) {
+		parseflags |= DNS_MESSAGEPARSE_BESTEFFORT;
+		parseflags |= DNS_MESSAGEPARSE_IGNORETRUNCATION;
+	}
+	result = dns_message_parse(msg, &b, parseflags);
+	if (result == DNS_R_RECOVERABLE) {
+		dighost_warning("Warning: Message parser reports malformed "
+				"message packet.");
+		result = ISC_R_SUCCESS;
+	}
+	if (result != ISC_R_SUCCESS) {
+		if (!yaml) {
+			printf(";; Got bad packet: %s\n",
+			       isc_result_totext(result));
+			hex_dump(&b);
+		}
+		query->waiting_connect = false;
+		dns_message_detach(&msg);
+		isc_event_free(&event);
+		clear_query(query);
+		cancel_lookup(l);
+		check_next_lookup(l);
+		UNLOCK_LOOKUP;
+		return;
+	}
+	if (msg->opcode != l->opcode) {
+		char expect[20] = { 0 }, got[20] = { 0 };
+
+		isc_buffer_init(&b, &expect, sizeof(expect));
+		result = dns_opcode_totext(l->opcode, &b);
+		check_result(result, "dns_opcode_totext");
+
+		isc_buffer_init(&b, &got, sizeof(got));
+		result = dns_opcode_totext(msg->opcode, &b);
+		check_result(result, "dns_opcode_totext");
+
+		dighost_warning("Warning: Opcode mismatch: expected %s, got %s",
+				expect, got);
+
+		dns_message_detach(&msg);
+		if (l->tcp_mode) {
+			isc_event_free(&event);
+			clear_query(query);
+			cancel_lookup(l);
+			check_next_lookup(l);
+			UNLOCK_LOOKUP;
+			return;
+		} else {
+			goto udp_mismatch;
+		}
+	}
+	if (msg->counts[DNS_SECTION_QUESTION] != 0) {
+		match = true;
+		for (result = dns_message_firstname(msg, DNS_SECTION_QUESTION);
+		     result == ISC_R_SUCCESS && match;
+		     result = dns_message_nextname(msg, DNS_SECTION_QUESTION))
+		{
+			dns_name_t *name = NULL;
+			dns_rdataset_t *rdataset;
+
+			dns_message_currentname(msg, DNS_SECTION_QUESTION,
+						&name);
+			for (rdataset = ISC_LIST_HEAD(name->list);
+			     rdataset != NULL;
+			     rdataset = ISC_LIST_NEXT(rdataset, link))
+			{
+				if (l->rdtype != rdataset->type ||
+				    l->rdclass != rdataset->rdclass ||
+				    !dns_name_equal(l->name, name))
+				{
+					char namestr[DNS_NAME_FORMATSIZE];
+					char typebuf[DNS_RDATATYPE_FORMATSIZE];
+					char classbuf[DNS_RDATACLASS_FORMATSIZE];
+					dns_name_format(name, namestr,
+							sizeof(namestr));
+					dns_rdatatype_format(rdataset->type,
+							     typebuf,
+							     sizeof(typebuf));
+					dns_rdataclass_format(rdataset->rdclass,
+							      classbuf,
+							      sizeof(classbuf));
+					dighost_warning(";; Question section "
+							"mismatch: got "
+							"%s/%s/%s",
+							namestr, typebuf,
+							classbuf);
+					match = false;
+				}
+			}
+		}
+		if (!match) {
+			dns_message_detach(&msg);
+			if (l->tcp_mode) {
+				isc_event_free(&event);
+				clear_query(query);
+				cancel_lookup(l);
+				check_next_lookup(l);
+				UNLOCK_LOOKUP;
+				return;
+			} else {
+				goto udp_mismatch;
+			}
+		}
+	}
+	if (msg->rcode == dns_rcode_badvers && msg->opt != NULL &&
+	    (newedns = ednsvers(msg->opt)) < l->edns && l->ednsneg)
+	{
+		/*
+		 * Add minimum EDNS version required checks here if needed.
+		 */
+		dighost_comments(l, "BADVERS, retrying with EDNS version %u.",
+				 (unsigned int)newedns);
+		l->edns = newedns;
+		n = requeue_lookup(l, true);
+		if (l->trace && l->trace_root) {
+			n->rdtype = l->qrdtype;
+		}
+		dns_message_detach(&msg);
+		isc_event_free(&event);
+		clear_query(query);
+		cancel_lookup(l);
+		check_next_lookup(l);
+		UNLOCK_LOOKUP;
+		return;
+	}
+	if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0 && !l->ignore &&
+	    !l->tcp_mode)
+	{
+		if (l->cookie == NULL && l->sendcookie && msg->opt != NULL) {
+			process_opt(l, msg);
+		}
+		dighost_comments(l, "Truncated, retrying in TCP mode.");
+		n = requeue_lookup(l, true);
+		n->tcp_mode = true;
+		if (l->trace && l->trace_root) {
+			n->rdtype = l->qrdtype;
+		}
+		dns_message_detach(&msg);
+		isc_event_free(&event);
+		clear_query(query);
+		cancel_lookup(l);
+		check_next_lookup(l);
+		UNLOCK_LOOKUP;
+		return;
+	}
+	if (msg->rcode == dns_rcode_badcookie && !l->tcp_mode &&
+	    l->sendcookie && l->badcookie)
+	{
+		process_opt(l, msg);
+		if (msg->cc_ok) {
+			dighost_comments(l, "BADCOOKIE, retrying%s.",
+					 l->seenbadcookie ? " in TCP mode"
+							  : "");
+			n = requeue_lookup(l, true);
+			if (l->seenbadcookie) {
+				n->tcp_mode = true;
+			}
+			n->seenbadcookie = true;
+			if (l->trace && l->trace_root) {
+				n->rdtype = l->qrdtype;
+			}
+			dns_message_detach(&msg);
+			isc_event_free(&event);
+			clear_query(query);
+			cancel_lookup(l);
+			check_next_lookup(l);
+			UNLOCK_LOOKUP;
+			return;
+		}
+		done_process_opt = true;
+	}
+	if ((msg->rcode == dns_rcode_servfail && !l->servfail_stops) ||
+	    (check_ra && (msg->flags & DNS_MESSAGEFLAG_RA) == 0 && l->recurse))
+	{
+		dig_query_t *next = ISC_LIST_NEXT(query, link);
+		if (l->current_query == query) {
+			l->current_query = NULL;
+		}
+		if (next != NULL) {
+			debug("sending query %p\n", next);
+			if (l->tcp_mode) {
+				send_tcp_connect(next);
+			} else {
+				send_udp(next);
+			}
+		}
+		/*
+		 * If our query is at the head of the list and there
+		 * is no next, we're the only one left, so fall
+		 * through to print the message.
+		 */
+		if ((ISC_LIST_HEAD(l->q) != query) ||
+		    (ISC_LIST_NEXT(query, link) != NULL))
+		{
+			dighost_comments(l,
+					 "Got %s from %s, trying next "
+					 "server",
+					 msg->rcode == dns_rcode_servfail
+						 ? "SERVFAIL reply"
+						 : "recursion not available",
+					 query->servname);
+			clear_query(query);
+			check_next_lookup(l);
+			dns_message_detach(&msg);
+			isc_event_free(&event);
+			UNLOCK_LOOKUP;
+			return;
+		}
+	}
+
+	if (tsigkey != NULL) {
+		result = dns_tsig_verify(&b, msg, NULL, NULL);
+		if (result != ISC_R_SUCCESS) {
+			dighost_warning("Couldn't verify signature: %s",
+					isc_result_totext(result));
+			validated = false;
+		}
+		l->tsigctx = msg->tsigctx;
+		msg->tsigctx = NULL;
+		if (l->querysig != NULL) {
+			debug("freeing querysig buffer %p", l->querysig);
+			isc_buffer_free(&l->querysig);
+		}
+		result = dns_message_getquerytsig(msg, mctx, &l->querysig);
+		check_result(result, "dns_message_getquerytsig");
+	}
+
+	extrabytes = isc_buffer_remaininglength(&b);
+
+	debug("after parse");
+	if (l->doing_xfr && l->xfr_q == NULL) {
+		l->xfr_q = query;
+		/*
+		 * Once we are in the XFR message, increase
+		 * the timeout to much longer, so brief network
+		 * outages won't cause the XFR to abort
+		 */
+		if (timeout != INT_MAX && query->timer != NULL) {
+			unsigned int local_timeout;
+
+			if (timeout == 0) {
+				if (l->tcp_mode) {
+					local_timeout = TCP_TIMEOUT * 4;
+				} else {
+					local_timeout = UDP_TIMEOUT * 4;
+				}
+			} else {
+				if (timeout < (INT_MAX / 4)) {
+					local_timeout = timeout * 4;
+				} else {
+					local_timeout = INT_MAX;
+				}
+			}
+			debug("have local timeout of %d", local_timeout);
+			isc_interval_set(&l->interval, local_timeout, 0);
+			result = isc_timer_reset(query->timer,
+						 isc_timertype_once, NULL,
+						 &l->interval, false);
+			check_result(result, "isc_timer_reset");
+		}
+	}
+
+	if (!done_process_opt) {
+		if (l->cookie != NULL) {
+			if (msg->opt == NULL) {
+				dighost_warning("expected opt record in "
+						"response");
+			} else {
+				process_opt(l, msg);
+			}
+		} else if (l->sendcookie && msg->opt != NULL) {
+			process_opt(l, msg);
+		}
+	}
+	if (!l->doing_xfr || l->xfr_q == query) {
+		if (msg->rcode == dns_rcode_nxdomain &&
+		    (l->origin != NULL || l->need_search))
+		{
+			if (!next_origin(query->lookup) || showsearch) {
+				dighost_printmessage(query, &b, msg, true);
+				dighost_received(isc_buffer_usedlength(&b),
+						 &sevent->address, query);
+			}
+		} else if (!l->trace && !l->ns_search_only) {
+			dighost_printmessage(query, &b, msg, true);
+		} else if (l->trace) {
+			int nl = 0;
+			int count = msg->counts[DNS_SECTION_ANSWER];
+
+			debug("in TRACE code");
+			if (!l->ns_search_only) {
+				dighost_printmessage(query, &b, msg, true);
+			}
+
+			l->rdtype = l->qrdtype;
+			if (l->trace_root || (l->ns_search_only && count > 0)) {
+				if (!l->trace_root) {
+					l->rdtype = dns_rdatatype_soa;
+				}
+				nl = followup_lookup(msg, query,
+						     DNS_SECTION_ANSWER);
+				l->trace_root = false;
+			} else if (count == 0) {
+				nl = followup_lookup(msg, query,
+						     DNS_SECTION_AUTHORITY);
+			}
+			if (nl == 0) {
+				docancel = true;
+			}
+		} else {
+			debug("in NSSEARCH code");
+
+			if (l->trace_root) {
+				/*
+				 * This is the initial NS query.
+				 */
+				int nl;
+
+				l->rdtype = dns_rdatatype_soa;
+				nl = followup_lookup(msg, query,
+						     DNS_SECTION_ANSWER);
+				if (nl == 0) {
+					docancel = true;
+				}
+				l->trace_root = false;
+				usesearch = false;
+			} else {
+				dighost_printmessage(query, &b, msg, true);
+			}
+		}
+	}
+
+	if (l->pending) {
+		debug("still pending.");
+	}
+	if (l->doing_xfr) {
+		if (query != l->xfr_q) {
+			dns_message_detach(&msg);
+			isc_event_free(&event);
+			query->waiting_connect = false;
+			UNLOCK_LOOKUP;
+			return;
+		}
+		if (!docancel) {
+			docancel = check_for_more_data(query, msg, sevent);
+		}
+		if (docancel) {
+			dns_message_detach(&msg);
+			clear_query(query);
+			cancel_lookup(l);
+			check_next_lookup(l);
+		}
+	} else {
+		if (msg->rcode == dns_rcode_noerror || l->origin == NULL) {
+			dighost_received(isc_buffer_usedlength(&b),
+					 &sevent->address, query);
+		}
+
+		if (!query->lookup->ns_search_only) {
+			query->lookup->pending = false;
+		}
+		if (!query->lookup->ns_search_only ||
+		    query->lookup->trace_root || docancel)
+		{
+			dns_message_detach(&msg);
+			cancel_lookup(l);
+		}
+		clear_query(query);
+		check_next_lookup(l);
+	}
+	if (msg != NULL) {
+		dns_message_detach(&msg);
+	}
+	isc_event_free(&event);
+	UNLOCK_LOOKUP;
+	return;
+
+udp_mismatch:
+	isc_buffer_invalidate(&query->recvbuf);
+	isc_buffer_init(&query->recvbuf, query->recvspace, COMMSIZE);
+	isc_buffer_availableregion(&query->recvbuf, &r);
+	result = isc_socket_recv(query->sock, &r, 1, global_task, recv_done,
+				 query);
+	check_result(result, "isc_socket_recv");
+	recvcount++;
+	isc_event_free(&event);
+	UNLOCK_LOOKUP;
+	return;
+}
+
+/*%
+ * Turn a name into an address, using system-supplied routines.  This is
+ * used in looking up server names, etc... and needs to use system-supplied
+ * routines, since they may be using a non-DNS system for these lookups.
+ */
+isc_result_t
+get_address(char *host, in_port_t myport, isc_sockaddr_t *sockaddr) {
+	int count;
+	isc_result_t result;
+	bool is_running;
+
+	is_running = isc_app_isrunning();
+	if (is_running) {
+		isc_app_block();
+	}
+	result = bind9_getaddresses(host, myport, sockaddr, 1, &count);
+	if (is_running) {
+		isc_app_unblock();
+	}
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	INSIST(count == 1);
+
+	return (ISC_R_SUCCESS);
+}
+
+int
+getaddresses(dig_lookup_t *lookup, const char *host, isc_result_t *resultp) {
+	isc_result_t result;
+	isc_sockaddr_t sockaddrs[DIG_MAX_ADDRESSES];
+	isc_netaddr_t netaddr;
+	int count, i;
+	dig_server_t *srv;
+	char tmp[ISC_NETADDR_FORMATSIZE];
+
+	result = bind9_getaddresses(host, 0, sockaddrs, DIG_MAX_ADDRESSES,
+				    &count);
+	if (resultp != NULL) {
+		*resultp = result;
+	}
+	if (result != ISC_R_SUCCESS) {
+		if (resultp == NULL) {
+			fatal("couldn't get address for '%s': %s", host,
+			      isc_result_totext(result));
+		}
+		return (0);
+	}
+
+	for (i = 0; i < count; i++) {
+		isc_netaddr_fromsockaddr(&netaddr, &sockaddrs[i]);
+		isc_netaddr_format(&netaddr, tmp, sizeof(tmp));
+		srv = make_server(tmp, host);
+		ISC_LIST_APPEND(lookup->my_server_list, srv, link);
+	}
+
+	return (count);
+}
+
+/*%
+ * Initiate either a TCP or UDP lookup
+ */
+void
+do_lookup(dig_lookup_t *lookup) {
+	dig_query_t *query;
+
+	REQUIRE(lookup != NULL);
+
+	debug("do_lookup(%p)", lookup);
+	lookup->pending = true;
+	query = ISC_LIST_HEAD(lookup->q);
+	if (query != NULL) {
+		REQUIRE(DIG_VALID_QUERY(query));
+		if (lookup->tcp_mode) {
+			send_tcp_connect(query);
+		} else {
+			send_udp(query);
+		}
+	}
+}
+
+/*%
+ * Start everything in action upon task startup.
+ */
+void
+onrun_callback(isc_task_t *task, isc_event_t *event) {
+	UNUSED(task);
+
+	isc_event_free(&event);
+	LOCK_LOOKUP;
+	start_lookup();
+	UNLOCK_LOOKUP;
+}
+
+/*%
+ * Make everything on the lookup queue go away.  Mainly used by the
+ * SIGINT handler.
+ */
+void
+cancel_all(void) {
+	dig_lookup_t *l, *n;
+	dig_query_t *q, *nq;
+
+	debug("cancel_all()");
+
+	LOCK_LOOKUP;
+	if (free_now) {
+		UNLOCK_LOOKUP;
+		return;
+	}
+	cancel_now = true;
+	if (current_lookup != NULL) {
+		for (q = ISC_LIST_HEAD(current_lookup->q); q != NULL; q = nq) {
+			nq = ISC_LIST_NEXT(q, link);
+			debug("canceling pending query %p, belonging to %p", q,
+			      current_lookup);
+			if (q->sock != NULL) {
+				isc_socket_cancel(q->sock, NULL,
+						  ISC_SOCKCANCEL_ALL);
+			} else {
+				clear_query(q);
+			}
+		}
+		for (q = ISC_LIST_HEAD(current_lookup->connecting); q != NULL;
+		     q = nq)
+		{
+			nq = ISC_LIST_NEXT(q, clink);
+			debug("canceling connecting query %p, belonging to %p",
+			      q, current_lookup);
+			if (q->sock != NULL) {
+				isc_socket_cancel(q->sock, NULL,
+						  ISC_SOCKCANCEL_ALL);
+			} else {
+				clear_query(q);
+			}
+		}
+	}
+	l = ISC_LIST_HEAD(lookup_list);
+	while (l != NULL) {
+		n = ISC_LIST_NEXT(l, link);
+		ISC_LIST_DEQUEUE(lookup_list, l, link);
+		try_clear_lookup(l);
+		l = n;
+	}
+	UNLOCK_LOOKUP;
+}
+
+/*%
+ * Destroy all of the libs we are using, and get everything ready for a
+ * clean shutdown.
+ */
+void
+destroy_libs(void) {
+#ifdef HAVE_LIBIDN2
+	isc_result_t result;
+#endif /* HAVE_LIBIDN2 */
+
+	if (keep != NULL) {
+		isc_socket_detach(&keep);
+	}
+	debug("destroy_libs()");
+	if (global_task != NULL) {
+		debug("freeing task");
+		isc_task_detach(&global_task);
+	}
+
+	if (taskmgr != NULL) {
+		debug("freeing taskmgr");
+		isc_managers_destroy(&netmgr, &taskmgr);
+	}
+	LOCK_LOOKUP;
+	REQUIRE(sockcount == 0);
+	REQUIRE(recvcount == 0);
+	REQUIRE(sendcount == 0);
+
+	INSIST(ISC_LIST_HEAD(lookup_list) == NULL);
+	INSIST(current_lookup == NULL);
+	INSIST(!free_now);
+
+	free_now = true;
+
+	flush_server_list();
+
+	clear_searchlist();
+
+#ifdef HAVE_LIBIDN2
+	result = dns_name_settotextfilter(NULL);
+	check_result(result, "dns_name_settotextfilter");
+#endif /* HAVE_LIBIDN2 */
+
+	if (socketmgr != NULL) {
+		debug("freeing socketmgr");
+		isc_socketmgr_destroy(&socketmgr);
+	}
+	if (timermgr != NULL) {
+		debug("freeing timermgr");
+		isc_timermgr_destroy(&timermgr);
+	}
+	if (tsigkey != NULL) {
+		debug("freeing key %p", tsigkey);
+		dns_tsigkey_detach(&tsigkey);
+	}
+	if (namebuf != NULL) {
+		isc_buffer_free(&namebuf);
+	}
+
+	if (is_dst_up) {
+		debug("destroy DST lib");
+		dst_lib_destroy();
+		is_dst_up = false;
+	}
+
+	UNLOCK_LOOKUP;
+	isc_mutex_destroy(&lookup_lock);
+	debug("Removing log context");
+	isc_log_destroy(&lctx);
+
+	debug("Destroy memory");
+	if (memdebugging != 0) {
+		isc_mem_stats(mctx, stderr);
+	}
+	if (mctx != NULL) {
+		isc_mem_destroy(&mctx);
+	}
+}
+
+#ifdef HAVE_LIBIDN2
+static isc_result_t
+idn_output_filter(isc_buffer_t *buffer, unsigned int used_org) {
+	char src[MXNAME], *dst = NULL;
+	size_t srclen, dstlen;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	/*
+	 * Copy name from 'buffer' to 'src' and terminate it with NULL.
+	 */
+	srclen = isc_buffer_usedlength(buffer) - used_org;
+	if (srclen >= sizeof(src)) {
+		warn("Input name too long to perform IDN conversion");
+		goto cleanup;
+	}
+	memmove(src, (char *)isc_buffer_base(buffer) + used_org, srclen);
+	src[srclen] = '\0';
+
+	systemlocale(LC_ALL);
+
+	/*
+	 * Convert 'src' to the current locale's character encoding.
+	 */
+	idn_ace_to_locale(src, &dst);
+
+	resetlocale(LC_ALL);
+
+	/*
+	 * Check whether the converted name will fit back into 'buffer'.
+	 */
+	dstlen = strlen(dst);
+	if (isc_buffer_length(buffer) < used_org + dstlen) {
+		result = ISC_R_NOSPACE;
+		goto cleanup;
+	}
+
+	/*
+	 * Put the converted name back into 'buffer'.
+	 */
+	isc_buffer_subtract(buffer, srclen);
+	memmove(isc_buffer_used(buffer), dst, dstlen);
+	isc_buffer_add(buffer, dstlen);
+
+	/*
+	 * Clean up.
+	 */
+cleanup:
+	if (dst != NULL) {
+		idn2_free(dst);
+	}
+
+	return (result);
+}
+
+/*%
+ * Convert 'src', which is a string using the current locale's character
+ * encoding, into an ACE string suitable for use in the DNS, storing the
+ * conversion result in 'dst', which is 'dstlen' bytes large.
+ *
+ * 'dst' MUST be large enough to hold any valid domain name.
+ */
+static void
+idn_locale_to_ace(const char *src, char *dst, size_t dstlen) {
+	const char *final_src;
+	char *ascii_src;
+	int res;
+
+	systemlocale(LC_ALL);
+
+	/*
+	 * We trust libidn2 to return an error if 'src' is too large to be a
+	 * valid domain name.
+	 */
+	res = idn2_to_ascii_lz(src, &ascii_src, IDN2_NONTRANSITIONAL);
+	if (res == IDN2_DISALLOWED) {
+		res = idn2_to_ascii_lz(src, &ascii_src, IDN2_TRANSITIONAL);
+	}
+	if (res != IDN2_OK) {
+		fatal("'%s' is not a legal IDNA2008 name (%s), use +noidnin",
+		      src, idn2_strerror(res));
+	}
+
+	/*
+	 * idn2_to_ascii_lz() normalizes all strings to lower case, but we
+	 * generally don't want to lowercase all input strings; make sure to
+	 * return the original case if the two strings differ only in case.
+	 */
+	final_src = (strcasecmp(src, ascii_src) == 0 ? src : ascii_src);
+
+	(void)strlcpy(dst, final_src, dstlen);
+
+	idn2_free(ascii_src);
+
+	resetlocale(LC_ALL);
+}
+
+/*%
+ * Convert 'src', which is an ACE string suitable for use in the DNS, into a
+ * string using the current locale's character encoding, storing the conversion
+ * result in 'dst'.
+ *
+ * The caller MUST subsequently release 'dst' using idn2_free().
+ */
+static void
+idn_ace_to_locale(const char *src, char **dst) {
+	char *local_src, *utf8_src;
+	int res;
+
+	systemlocale(LC_ALL);
+
+	/*
+	 * We need to:
+	 *
+	 *  1) check whether 'src' is a valid IDNA2008 name,
+	 *  2) if it is, output it in the current locale's character encoding.
+	 *
+	 * Unlike idn2_to_ascii_*(), idn2_to_unicode_*() functions are unable
+	 * to perform IDNA2008 validity checks.  Thus, we need to decode any
+	 * Punycode in 'src', check if the resulting name is a valid IDNA2008
+	 * name, and only once we ensure it is, output that name in the current
+	 * locale's character encoding.
+	 *
+	 * We could just use idn2_to_unicode_8zlz() + idn2_to_ascii_lz(), but
+	 * then we would not be able to universally tell invalid names and
+	 * character encoding errors apart (if the current locale uses ASCII
+	 * for character encoding, the former function would fail even for a
+	 * valid IDNA2008 name, as long as it contained any non-ASCII
+	 * character).  Thus, we need to take a longer route.
+	 *
+	 * First, convert 'src' to UTF-8, ignoring the current locale.
+	 */
+	res = idn2_to_unicode_8z8z(src, &utf8_src, 0);
+	if (res != IDN2_OK) {
+		fatal("Bad ACE string '%s' (%s), use +noidnout", src,
+		      idn2_strerror(res));
+	}
+
+	/*
+	 * Then, check whether decoded 'src' is a valid IDNA2008 name
+	 * and if disallowed character is found, fallback to IDNA2003.
+	 */
+	res = idn2_to_ascii_8z(utf8_src, NULL, IDN2_NONTRANSITIONAL);
+	if (res == IDN2_DISALLOWED) {
+		res = idn2_to_ascii_8z(utf8_src, NULL, IDN2_TRANSITIONAL);
+	}
+	if (res != IDN2_OK) {
+		fatal("'%s' is not a legal IDNA2008 name (%s), use +noidnout",
+		      src, idn2_strerror(res));
+	}
+
+	/*
+	 * Finally, try converting the decoded 'src' into the current locale's
+	 * character encoding.
+	 */
+	res = idn2_to_unicode_8zlz(utf8_src, &local_src, 0);
+	if (res != IDN2_OK) {
+		static bool warned = false;
+
+		res = idn2_to_ascii_8z(utf8_src, &local_src, 0);
+		if (res != IDN2_OK) {
+			fatal("Cannot represent '%s' "
+			      "in the current locale nor ascii (%s), "
+			      "use +noidnout or a different locale",
+			      src, idn2_strerror(res));
+		} else if (!warned) {
+			fprintf(stderr,
+				";; Warning: cannot represent '%s' "
+				"in the current locale",
+				local_src);
+			warned = true;
+		}
+	}
+
+	/*
+	 * Free the interim conversion result.
+	 */
+	idn2_free(utf8_src);
+
+	*dst = local_src;
+
+	resetlocale(LC_ALL);
+}
+#endif /* HAVE_LIBIDN2 */
diff --git a/bin/dig/host.c b/bin/dig/host.c
new file mode 100644
index 0000000..db2e8d4
--- /dev/null
+++ b/bin/dig/host.c
@@ -0,0 +1,927 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <limits.h>
+#include <locale.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/app.h>
+#include <isc/commandline.h>
+#include <isc/netaddr.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/util.h>
+
+#include <dns/byaddr.h>
+#include <dns/fixedname.h>
+#include <dns/message.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+
+#include <dig/dig.h>
+
+static bool short_form = true, listed_server = false;
+static bool default_lookups = true;
+static int seen_error = -1;
+static bool list_addresses = true;
+static bool list_almost_all = false;
+static dns_rdatatype_t list_type = dns_rdatatype_a;
+static bool printed_server = false;
+static bool ipv4only = false, ipv6only = false;
+
+static const char *opcodetext[] = { "QUERY",	  "IQUERY",	"STATUS",
+				    "RESERVED3",  "NOTIFY",	"UPDATE",
+				    "RESERVED6",  "RESERVED7",	"RESERVED8",
+				    "RESERVED9",  "RESERVED10", "RESERVED11",
+				    "RESERVED12", "RESERVED13", "RESERVED14",
+				    "RESERVED15" };
+
+static const char *rcodetext[] = { "NOERROR",	 "FORMERR",    "SERVFAIL",
+				   "NXDOMAIN",	 "NOTIMP",     "REFUSED",
+				   "YXDOMAIN",	 "YXRRSET",    "NXRRSET",
+				   "NOTAUTH",	 "NOTZONE",    "RESERVED11",
+				   "RESERVED12", "RESERVED13", "RESERVED14",
+				   "RESERVED15", "BADVERS" };
+
+struct rtype {
+	unsigned int type;
+	const char *text;
+};
+
+struct rtype rtypes[] = { { 1, "has address" },
+			  { 2, "name server" },
+			  { 5, "is an alias for" },
+			  { 11, "has well known services" },
+			  { 12, "domain name pointer" },
+			  { 13, "host information" },
+			  { 15, "mail is handled by" },
+			  { 16, "descriptive text" },
+			  { 19, "x25 address" },
+			  { 20, "ISDN address" },
+			  { 24, "has signature" },
+			  { 25, "has key" },
+			  { 28, "has IPv6 address" },
+			  { 29, "location" },
+			  { 0, NULL } };
+
+static char *
+rcode_totext(dns_rcode_t rcode) {
+	static char buf[sizeof("?65535")];
+	union {
+		const char *consttext;
+		char *deconsttext;
+	} totext;
+
+	if (rcode >= (sizeof(rcodetext) / sizeof(rcodetext[0]))) {
+		snprintf(buf, sizeof(buf), "?%u", rcode);
+		totext.deconsttext = buf;
+	} else {
+		totext.consttext = rcodetext[rcode];
+	}
+	return (totext.deconsttext);
+}
+
+ISC_PLATFORM_NORETURN_PRE static void
+show_usage(void) ISC_PLATFORM_NORETURN_POST;
+
+static void
+show_usage(void) {
+	fputs("Usage: host [-aCdilrTvVw] [-c class] [-N ndots] [-t type] [-W "
+	      "time]\n"
+	      "            [-R number] [-m flag] [-p port] hostname [server]\n"
+	      "       -a is equivalent to -v -t ANY\n"
+	      "       -A is like -a but omits RRSIG, NSEC, NSEC3\n"
+	      "       -c specifies query class for non-IN data\n"
+	      "       -C compares SOA records on authoritative nameservers\n"
+	      "       -d is equivalent to -v\n"
+	      "       -l lists all hosts in a domain, using AXFR\n"
+	      "       -m set memory debugging flag (trace|record|usage)\n"
+	      "       -N changes the number of dots allowed before root lookup "
+	      "is done\n"
+	      "       -p specifies the port on the server to query\n"
+	      "       -r disables recursive processing\n"
+	      "       -R specifies number of retries for UDP packets\n"
+	      "       -s a SERVFAIL response should stop query\n"
+	      "       -t specifies the query type\n"
+	      "       -T enables TCP/IP mode\n"
+	      "       -U enables UDP mode\n"
+	      "       -v enables verbose output\n"
+	      "       -V print version number and exit\n"
+	      "       -w specifies to wait forever for a reply\n"
+	      "       -W specifies how long to wait for a reply\n"
+	      "       -4 use IPv4 query transport only\n"
+	      "       -6 use IPv6 query transport only\n",
+	      stderr);
+	exit(1);
+}
+
+static void
+host_shutdown(void) {
+	(void)isc_app_shutdown();
+}
+
+static void
+received(unsigned int bytes, isc_sockaddr_t *from, dig_query_t *query) {
+	isc_time_t now;
+	int diff;
+
+	if (!short_form) {
+		char fromtext[ISC_SOCKADDR_FORMATSIZE];
+		isc_sockaddr_format(from, fromtext, sizeof(fromtext));
+		if (query->lookup->use_usec) {
+			TIME_NOW_HIRES(&now);
+		} else {
+			TIME_NOW(&now);
+		}
+		diff = (int)isc_time_microdiff(&now, &query->time_sent);
+		printf("Received %u bytes from %s in %d ms\n", bytes, fromtext,
+		       diff / 1000);
+	}
+}
+
+static void
+trying(char *frm, dig_lookup_t *lookup) {
+	UNUSED(lookup);
+
+	if (!short_form) {
+		printf("Trying \"%s\"\n", frm);
+	}
+}
+
+static void
+say_message(dns_name_t *name, const char *msg, dns_rdata_t *rdata,
+	    dig_query_t *query) {
+	isc_buffer_t *b = NULL;
+	char namestr[DNS_NAME_FORMATSIZE];
+	isc_region_t r;
+	isc_result_t result;
+	unsigned int bufsize = BUFSIZ;
+
+	dns_name_format(name, namestr, sizeof(namestr));
+retry:
+	isc_buffer_allocate(mctx, &b, bufsize);
+	result = dns_rdata_totext(rdata, NULL, b);
+	if (result == ISC_R_NOSPACE) {
+		isc_buffer_free(&b);
+		bufsize *= 2;
+		goto retry;
+	}
+	check_result(result, "dns_rdata_totext");
+	isc_buffer_usedregion(b, &r);
+	if (query->lookup->identify_previous_line) {
+		printf("Nameserver %s:\n\t", query->servname);
+	}
+	printf("%s %s %.*s", namestr, msg, (int)r.length, (char *)r.base);
+	if (query->lookup->identify) {
+		printf(" on server %s", query->servname);
+	}
+	printf("\n");
+	isc_buffer_free(&b);
+}
+
+static isc_result_t
+printsection(dns_message_t *msg, dns_section_t sectionid,
+	     const char *section_name, bool headers, dig_query_t *query) {
+	dns_name_t *name, *print_name;
+	dns_rdataset_t *rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_buffer_t target;
+	isc_result_t result, loopresult;
+	isc_region_t r;
+	dns_name_t empty_name;
+	char tbuf[4096] = { 0 };
+	bool first;
+	bool no_rdata = (sectionid == DNS_SECTION_QUESTION);
+
+	if (headers) {
+		printf(";; %s SECTION:\n", section_name);
+	}
+
+	dns_name_init(&empty_name, NULL);
+
+	result = dns_message_firstname(msg, sectionid);
+	if (result == ISC_R_NOMORE) {
+		return (ISC_R_SUCCESS);
+	} else if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	for (;;) {
+		name = NULL;
+		dns_message_currentname(msg, sectionid, &name);
+
+		isc_buffer_init(&target, tbuf, sizeof(tbuf));
+		first = true;
+		print_name = name;
+
+		for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link))
+		{
+			if (query->lookup->rdtype == dns_rdatatype_axfr &&
+			    !((!list_addresses &&
+			       (list_type == dns_rdatatype_any ||
+				rdataset->type == list_type)) ||
+			      (list_addresses &&
+			       (rdataset->type == dns_rdatatype_a ||
+				rdataset->type == dns_rdatatype_aaaa ||
+				rdataset->type == dns_rdatatype_ns ||
+				rdataset->type == dns_rdatatype_ptr))))
+			{
+				continue;
+			}
+			if (list_almost_all &&
+			    (rdataset->type == dns_rdatatype_rrsig ||
+			     rdataset->type == dns_rdatatype_nsec ||
+			     rdataset->type == dns_rdatatype_nsec3))
+			{
+				continue;
+			}
+			if (!short_form) {
+				result = dns_rdataset_totext(rdataset,
+							     print_name, false,
+							     no_rdata, &target);
+				if (result != ISC_R_SUCCESS) {
+					return (result);
+				}
+#ifdef USEINITALWS
+				if (first) {
+					print_name = &empty_name;
+					first = false;
+				}
+#else  /* ifdef USEINITALWS */
+				UNUSED(first); /* Shut up compiler. */
+#endif /* ifdef USEINITALWS */
+			} else {
+				loopresult = dns_rdataset_first(rdataset);
+				while (loopresult == ISC_R_SUCCESS) {
+					struct rtype *t;
+					const char *rtt;
+					char typebuf[DNS_RDATATYPE_FORMATSIZE];
+					char typebuf2[DNS_RDATATYPE_FORMATSIZE +
+						      20];
+					dns_rdataset_current(rdataset, &rdata);
+
+					for (t = rtypes; t->text != NULL; t++) {
+						if (t->type == rdata.type) {
+							rtt = t->text;
+							goto found;
+						}
+					}
+
+					dns_rdatatype_format(rdata.type,
+							     typebuf,
+							     sizeof(typebuf));
+					snprintf(typebuf2, sizeof(typebuf2),
+						 "has %s record", typebuf);
+					rtt = typebuf2;
+				found:
+					say_message(print_name, rtt, &rdata,
+						    query);
+					dns_rdata_reset(&rdata);
+					loopresult =
+						dns_rdataset_next(rdataset);
+				}
+			}
+		}
+		if (!short_form) {
+			isc_buffer_usedregion(&target, &r);
+			if (no_rdata) {
+				printf(";%.*s", (int)r.length, (char *)r.base);
+			} else {
+				printf("%.*s", (int)r.length, (char *)r.base);
+			}
+		}
+
+		result = dns_message_nextname(msg, sectionid);
+		if (result == ISC_R_NOMORE) {
+			break;
+		} else if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+printrdata(dns_message_t *msg, dns_rdataset_t *rdataset,
+	   const dns_name_t *owner, const char *set_name, bool headers) {
+	isc_buffer_t target;
+	isc_result_t result;
+	isc_region_t r;
+	char tbuf[4096];
+
+	UNUSED(msg);
+	if (headers) {
+		printf(";; %s SECTION:\n", set_name);
+	}
+
+	isc_buffer_init(&target, tbuf, sizeof(tbuf));
+
+	result = dns_rdataset_totext(rdataset, owner, false, false, &target);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	isc_buffer_usedregion(&target, &r);
+	printf("%.*s", (int)r.length, (char *)r.base);
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+chase_cnamechain(dns_message_t *msg, dns_name_t *qname) {
+	isc_result_t result;
+	dns_rdataset_t *rdataset;
+	dns_rdata_cname_t cname;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	unsigned int i = msg->counts[DNS_SECTION_ANSWER];
+
+	while (i-- > 0) {
+		rdataset = NULL;
+		result = dns_message_findname(msg, DNS_SECTION_ANSWER, qname,
+					      dns_rdatatype_cname, 0, NULL,
+					      &rdataset);
+		if (result != ISC_R_SUCCESS) {
+			return;
+		}
+		result = dns_rdataset_first(rdataset);
+		check_result(result, "dns_rdataset_first");
+		dns_rdata_reset(&rdata);
+		dns_rdataset_current(rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &cname, NULL);
+		check_result(result, "dns_rdata_tostruct");
+		dns_name_copynf(&cname.cname, qname);
+		dns_rdata_freestruct(&cname);
+	}
+}
+
+static isc_result_t
+printmessage(dig_query_t *query, const isc_buffer_t *msgbuf, dns_message_t *msg,
+	     bool headers) {
+	bool did_flag = false;
+	dns_rdataset_t *opt, *tsig = NULL;
+	const dns_name_t *tsigname;
+	isc_result_t result = ISC_R_SUCCESS;
+	int force_error;
+
+	UNUSED(msgbuf);
+	UNUSED(headers);
+
+	/*
+	 * We get called multiple times.
+	 * Preserve any existing error status.
+	 */
+	force_error = (seen_error == 1) ? 1 : 0;
+	seen_error = 1;
+	if (listed_server && !printed_server) {
+		char sockstr[ISC_SOCKADDR_FORMATSIZE];
+
+		printf("Using domain server:\n");
+		printf("Name: %s\n", query->userarg);
+		isc_sockaddr_format(&query->sockaddr, sockstr, sizeof(sockstr));
+		printf("Address: %s\n", sockstr);
+		printf("Aliases: \n\n");
+		printed_server = true;
+	}
+
+	if (msg->rcode != 0) {
+		char namestr[DNS_NAME_FORMATSIZE];
+		dns_name_format(query->lookup->name, namestr, sizeof(namestr));
+
+		if (query->lookup->identify_previous_line) {
+			printf("Nameserver %s:\n\t%s not found: %d(%s)\n",
+			       query->servname,
+			       (msg->rcode != dns_rcode_nxdomain)
+				       ? namestr
+				       : query->lookup->textname,
+			       msg->rcode, rcode_totext(msg->rcode));
+		} else {
+			printf("Host %s not found: %d(%s)\n",
+			       (msg->rcode != dns_rcode_nxdomain)
+				       ? namestr
+				       : query->lookup->textname,
+			       msg->rcode, rcode_totext(msg->rcode));
+		}
+		return (ISC_R_SUCCESS);
+	}
+
+	if (default_lookups && query->lookup->rdtype == dns_rdatatype_a) {
+		char namestr[DNS_NAME_FORMATSIZE];
+		dig_lookup_t *lookup;
+		dns_fixedname_t fixed;
+		dns_name_t *name;
+
+		/* Add AAAA and MX lookups. */
+		name = dns_fixedname_initname(&fixed);
+		dns_name_copynf(query->lookup->name, name);
+		chase_cnamechain(msg, name);
+		dns_name_format(name, namestr, sizeof(namestr));
+		lookup = clone_lookup(query->lookup, false);
+		if (lookup != NULL) {
+			strlcpy(lookup->textname, namestr,
+				sizeof(lookup->textname));
+			lookup->rdtype = dns_rdatatype_aaaa;
+			lookup->rdtypeset = true;
+			lookup->origin = NULL;
+			lookup->retries = tries;
+			ISC_LIST_APPEND(lookup_list, lookup, link);
+		}
+		lookup = clone_lookup(query->lookup, false);
+		if (lookup != NULL) {
+			strlcpy(lookup->textname, namestr,
+				sizeof(lookup->textname));
+			lookup->rdtype = dns_rdatatype_mx;
+			lookup->rdtypeset = true;
+			lookup->origin = NULL;
+			lookup->retries = tries;
+			ISC_LIST_APPEND(lookup_list, lookup, link);
+		}
+	}
+
+	if (!short_form) {
+		printf(";; ->>HEADER<<- opcode: %s, status: %s, id: %u\n",
+		       opcodetext[msg->opcode], rcode_totext(msg->rcode),
+		       msg->id);
+		printf(";; flags: ");
+		if ((msg->flags & DNS_MESSAGEFLAG_QR) != 0) {
+			printf("qr");
+			did_flag = true;
+		}
+		if ((msg->flags & DNS_MESSAGEFLAG_AA) != 0) {
+			printf("%saa", did_flag ? " " : "");
+			did_flag = true;
+		}
+		if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0) {
+			printf("%stc", did_flag ? " " : "");
+			did_flag = true;
+		}
+		if ((msg->flags & DNS_MESSAGEFLAG_RD) != 0) {
+			printf("%srd", did_flag ? " " : "");
+			did_flag = true;
+		}
+		if ((msg->flags & DNS_MESSAGEFLAG_RA) != 0) {
+			printf("%sra", did_flag ? " " : "");
+			did_flag = true;
+		}
+		if ((msg->flags & DNS_MESSAGEFLAG_AD) != 0) {
+			printf("%sad", did_flag ? " " : "");
+			did_flag = true;
+		}
+		if ((msg->flags & DNS_MESSAGEFLAG_CD) != 0) {
+			printf("%scd", did_flag ? " " : "");
+			did_flag = true;
+			POST(did_flag);
+		}
+		printf("; QUERY: %u, ANSWER: %u, "
+		       "AUTHORITY: %u, ADDITIONAL: %u\n",
+		       msg->counts[DNS_SECTION_QUESTION],
+		       msg->counts[DNS_SECTION_ANSWER],
+		       msg->counts[DNS_SECTION_AUTHORITY],
+		       msg->counts[DNS_SECTION_ADDITIONAL]);
+		opt = dns_message_getopt(msg);
+		if (opt != NULL) {
+			printf(";; EDNS: version: %u, udp=%u\n",
+			       (unsigned int)((opt->ttl & 0x00ff0000) >> 16),
+			       (unsigned int)opt->rdclass);
+		}
+		tsigname = NULL;
+		tsig = dns_message_gettsig(msg, &tsigname);
+		if (tsig != NULL) {
+			printf(";; PSEUDOSECTIONS: TSIG\n");
+		}
+	}
+	if (!ISC_LIST_EMPTY(msg->sections[DNS_SECTION_QUESTION]) && !short_form)
+	{
+		printf("\n");
+		result = printsection(msg, DNS_SECTION_QUESTION, "QUESTION",
+				      true, query);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+	if (!ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ANSWER])) {
+		if (!short_form) {
+			printf("\n");
+		}
+		result = printsection(msg, DNS_SECTION_ANSWER, "ANSWER",
+				      !short_form, query);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+
+	if (!ISC_LIST_EMPTY(msg->sections[DNS_SECTION_AUTHORITY]) &&
+	    !short_form)
+	{
+		printf("\n");
+		result = printsection(msg, DNS_SECTION_AUTHORITY, "AUTHORITY",
+				      true, query);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+	if (!ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ADDITIONAL]) &&
+	    !short_form)
+	{
+		printf("\n");
+		result = printsection(msg, DNS_SECTION_ADDITIONAL, "ADDITIONAL",
+				      true, query);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+	if ((tsig != NULL) && !short_form) {
+		printf("\n");
+		result = printrdata(msg, tsig, tsigname, "PSEUDOSECTION TSIG",
+				    true);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+	if (!short_form) {
+		printf("\n");
+	}
+
+	if (short_form && !default_lookups &&
+	    ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ANSWER]))
+	{
+		char namestr[DNS_NAME_FORMATSIZE];
+		char typestr[DNS_RDATATYPE_FORMATSIZE];
+		dns_name_format(query->lookup->name, namestr, sizeof(namestr));
+		dns_rdatatype_format(query->lookup->rdtype, typestr,
+				     sizeof(typestr));
+		printf("%s has no %s record\n", namestr, typestr);
+	}
+	seen_error = force_error;
+	return (result);
+}
+
+static const char *optstring = "46aAc:dilnm:p:rst:vVwCDN:R:TUW:";
+
+/*% version */
+static void
+version(void) {
+	fputs("host " VERSION "\n", stderr);
+}
+
+static void
+pre_parse_args(int argc, char **argv) {
+	int c;
+
+	while ((c = isc_commandline_parse(argc, argv, optstring)) != -1) {
+		switch (c) {
+		case 'm':
+			memdebugging = true;
+			if (strcasecmp("trace", isc_commandline_argument) == 0)
+			{
+				isc_mem_debugging |= ISC_MEM_DEBUGTRACE;
+			} else if (strcasecmp("record",
+					      isc_commandline_argument) == 0)
+			{
+				isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
+			} else if (strcasecmp("usage",
+					      isc_commandline_argument) == 0)
+			{
+				isc_mem_debugging |= ISC_MEM_DEBUGUSAGE;
+			}
+			break;
+
+		case '4':
+			if (ipv6only) {
+				fatal("only one of -4 and -6 allowed");
+			}
+			ipv4only = true;
+			break;
+		case '6':
+			if (ipv4only) {
+				fatal("only one of -4 and -6 allowed");
+			}
+			ipv6only = true;
+			break;
+		case 'a':
+			break;
+		case 'A':
+			break;
+		case 'c':
+			break;
+		case 'C':
+			break;
+		case 'd':
+			break;
+		case 'D':
+			if (debugging) {
+				debugtiming = true;
+			}
+			debugging = true;
+			break;
+		case 'i':
+			break;
+		case 'l':
+			break;
+		case 'n':
+			break;
+		case 'N':
+			break;
+		case 'p':
+			break;
+		case 'r':
+			break;
+		case 'R':
+			break;
+		case 's':
+			break;
+		case 't':
+			break;
+		case 'T':
+			break;
+		case 'U':
+			break;
+		case 'v':
+			break;
+		case 'V':
+			version();
+			exit(0);
+			break;
+		case 'w':
+			break;
+		case 'W':
+			break;
+		default:
+			show_usage();
+		}
+	}
+	isc_commandline_reset = true;
+	isc_commandline_index = 1;
+}
+
+static void
+parse_args(bool is_batchfile, int argc, char **argv) {
+	char hostname[MXNAME];
+	dig_lookup_t *lookup;
+	int c;
+	char store[MXNAME];
+	isc_textregion_t tr;
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_rdatatype_t rdtype;
+	dns_rdataclass_t rdclass;
+	uint32_t serial = 0;
+
+	UNUSED(is_batchfile);
+
+	lookup = make_empty_lookup();
+
+	lookup->servfail_stops = false;
+	lookup->besteffort = false;
+	lookup->comments = false;
+	short_form = !verbose;
+
+	while ((c = isc_commandline_parse(argc, argv, optstring)) != -1) {
+		switch (c) {
+		case 'l':
+			lookup->tcp_mode = true;
+			lookup->rdtype = dns_rdatatype_axfr;
+			lookup->rdtypeset = true;
+			fatalexit = 3;
+			break;
+		case 'v':
+		case 'd':
+			short_form = false;
+			break;
+		case 'r':
+			lookup->recurse = false;
+			break;
+		case 't':
+			if (strncasecmp(isc_commandline_argument, "ixfr=", 5) ==
+			    0)
+			{
+				rdtype = dns_rdatatype_ixfr;
+				/* XXXMPA add error checking */
+				serial = strtoul(isc_commandline_argument + 5,
+						 NULL, 10);
+				result = ISC_R_SUCCESS;
+			} else {
+				tr.base = isc_commandline_argument;
+				tr.length = strlen(isc_commandline_argument);
+				result = dns_rdatatype_fromtext(
+					&rdtype, (isc_textregion_t *)&tr);
+			}
+
+			if (result != ISC_R_SUCCESS) {
+				fatalexit = 2;
+				fatal("invalid type: %s\n",
+				      isc_commandline_argument);
+			}
+			if (!lookup->rdtypeset ||
+			    lookup->rdtype != dns_rdatatype_axfr)
+			{
+				lookup->rdtype = rdtype;
+			}
+			lookup->rdtypeset = true;
+			if (rdtype == dns_rdatatype_axfr) {
+				/* -l -t any -v */
+				list_type = dns_rdatatype_any;
+				short_form = false;
+				lookup->tcp_mode = true;
+			} else if (rdtype == dns_rdatatype_ixfr) {
+				lookup->ixfr_serial = serial;
+				lookup->tcp_mode = true;
+				list_type = rdtype;
+			} else if (rdtype == dns_rdatatype_any) {
+				if (!lookup->tcp_mode_set) {
+					lookup->tcp_mode = true;
+				}
+			} else {
+				list_type = rdtype;
+			}
+			list_addresses = false;
+			default_lookups = false;
+			break;
+		case 'c':
+			tr.base = isc_commandline_argument;
+			tr.length = strlen(isc_commandline_argument);
+			result = dns_rdataclass_fromtext(
+				&rdclass, (isc_textregion_t *)&tr);
+
+			if (result != ISC_R_SUCCESS) {
+				fatalexit = 2;
+				fatal("invalid class: %s\n",
+				      isc_commandline_argument);
+			} else {
+				lookup->rdclass = rdclass;
+				lookup->rdclassset = true;
+			}
+			default_lookups = false;
+			break;
+		case 'A':
+			list_almost_all = true;
+			FALLTHROUGH;
+		case 'a':
+			if (!lookup->rdtypeset ||
+			    lookup->rdtype != dns_rdatatype_axfr)
+			{
+				lookup->rdtype = dns_rdatatype_any;
+			}
+			list_type = dns_rdatatype_any;
+			list_addresses = false;
+			lookup->rdtypeset = true;
+			short_form = false;
+			default_lookups = false;
+			break;
+		case 'i':
+			/* deprecated */
+			break;
+		case 'n':
+			/* deprecated */
+			break;
+		case 'm':
+			/* Handled by pre_parse_args(). */
+			break;
+		case 'w':
+			/*
+			 * The timer routines are coded such that
+			 * timeout==MAXINT doesn't enable the timer
+			 */
+			timeout = INT_MAX;
+			break;
+		case 'W':
+			timeout = atoi(isc_commandline_argument);
+			if (timeout < 1) {
+				timeout = 1;
+			}
+			break;
+		case 'R':
+			tries = atoi(isc_commandline_argument) + 1;
+			if (tries < 2) {
+				tries = 2;
+			}
+			break;
+		case 'T':
+			lookup->tcp_mode = true;
+			lookup->tcp_mode_set = true;
+			break;
+		case 'U':
+			lookup->tcp_mode = false;
+			lookup->tcp_mode_set = true;
+			break;
+		case 'C':
+			debug("showing all SOAs");
+			lookup->rdtype = dns_rdatatype_ns;
+			lookup->rdtypeset = true;
+			lookup->rdclass = dns_rdataclass_in;
+			lookup->rdclassset = true;
+			lookup->ns_search_only = true;
+			lookup->trace_root = true;
+			lookup->identify_previous_line = true;
+			default_lookups = false;
+			break;
+		case 'N':
+			debug("setting NDOTS to %s", isc_commandline_argument);
+			ndots = atoi(isc_commandline_argument);
+			break;
+		case 'D':
+			/* Handled by pre_parse_args(). */
+			break;
+		case '4':
+			/* Handled by pre_parse_args(). */
+			break;
+		case '6':
+			/* Handled by pre_parse_args(). */
+			break;
+		case 's':
+			lookup->servfail_stops = true;
+			break;
+		case 'p':
+			port = atoi(isc_commandline_argument);
+			break;
+		}
+	}
+
+	lookup->retries = tries;
+
+	if (isc_commandline_index >= argc) {
+		show_usage();
+	}
+
+	strlcpy(hostname, argv[isc_commandline_index], sizeof(hostname));
+
+	if (argc > isc_commandline_index + 1) {
+		set_nameserver(argv[isc_commandline_index + 1]);
+		debug("server is %s", argv[isc_commandline_index + 1]);
+		listed_server = true;
+	} else {
+		check_ra = true;
+	}
+
+	lookup->pending = false;
+	if (get_reverse(store, sizeof(store), hostname, true) == ISC_R_SUCCESS)
+	{
+		strlcpy(lookup->textname, store, sizeof(lookup->textname));
+		lookup->rdtype = dns_rdatatype_ptr;
+		lookup->rdtypeset = true;
+		default_lookups = false;
+	} else {
+		strlcpy(lookup->textname, hostname, sizeof(lookup->textname));
+		usesearch = true;
+	}
+	lookup->new_search = true;
+	ISC_LIST_APPEND(lookup_list, lookup, link);
+}
+
+int
+main(int argc, char **argv) {
+	isc_result_t result;
+
+	tries = 2;
+
+	ISC_LIST_INIT(lookup_list);
+	ISC_LIST_INIT(server_list);
+	ISC_LIST_INIT(search_list);
+
+	fatalexit = 1;
+
+	/* setup dighost callbacks */
+	dighost_printmessage = printmessage;
+	dighost_received = received;
+	dighost_trying = trying;
+	dighost_shutdown = host_shutdown;
+
+	debug("main()");
+	progname = argv[0];
+	pre_parse_args(argc, argv);
+	result = isc_app_start();
+	check_result(result, "isc_app_start");
+	setup_libs();
+	setup_system(ipv4only, ipv6only);
+	parse_args(false, argc, argv);
+	if (keyfile[0] != 0) {
+		setup_file_key();
+	} else if (keysecret[0] != 0) {
+		setup_text_key();
+	}
+	result = isc_app_onrun(mctx, global_task, onrun_callback, NULL);
+	check_result(result, "isc_app_onrun");
+	isc_app_run();
+	cancel_all();
+	destroy_libs();
+	isc_app_finish();
+	return ((seen_error == 0) ? 0 : 1);
+}
diff --git a/bin/dig/host.rst b/bin/dig/host.rst
new file mode 100644
index 0000000..8e855c3
--- /dev/null
+++ b/bin/dig/host.rst
@@ -0,0 +1,171 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. highlight: console
+
+.. _man_host:
+
+host - DNS lookup utility
+-------------------------
+
+Synopsis
+~~~~~~~~
+
+:program:`host` [**-aACdlnrsTUwv**] [**-c** class] [**-N** ndots] [**-p** port] [**-R** number] [**-t** type] [**-W** wait] [**-m** flag] [ [**-4**] | [**-6**] ] [**-v**] [**-V**] {name} [server]
+
+Description
+~~~~~~~~~~~
+
+``host`` is a simple utility for performing DNS lookups. It is normally
+used to convert names to IP addresses and vice versa. When no arguments
+or options are given, ``host`` prints a short summary of its
+command-line arguments and options.
+
+``name`` is the domain name that is to be looked up. It can also be a
+dotted-decimal IPv4 address or a colon-delimited IPv6 address, in which
+case ``host`` by default performs a reverse lookup for that address.
+``server`` is an optional argument which is either the name or IP
+address of the name server that ``host`` should query instead of the
+server or servers listed in ``/etc/resolv.conf``.
+
+Options
+~~~~~~~
+
+``-4``
+   This option specifies that only IPv4 should be used for query transport. See also the ``-6`` option.
+
+``-6``
+   This option specifies that only IPv6 should be used for query transport. See also the ``-4`` option.
+
+``-a``
+   The ``-a`` ("all") option is normally equivalent to ``-v -t ANY``. It
+   also affects the behavior of the ``-l`` list zone option.
+
+``-A``
+   The ``-A`` ("almost all") option is equivalent to ``-a``, except that RRSIG,
+   NSEC, and NSEC3 records are omitted from the output.
+
+``-c class``
+   This option specifies the query class, which can be used to lookup HS (Hesiod) or CH (Chaosnet)
+   class resource records. The default class is IN (Internet).
+
+``-C``
+   This option indicates that ``named`` should check consistency, meaning that ``host`` queries the SOA records for zone
+   ``name`` from all the listed authoritative name servers for that
+   zone. The list of name servers is defined by the NS records that are
+   found for the zone.
+
+``-d``
+   This option prints debugging traces, and is equivalent to the ``-v`` verbose option.
+
+``-l``
+   This option tells ``named`` to list the zone, meaning the ``host`` command performs a zone transfer of zone
+   ``name`` and prints out the NS, PTR, and address records (A/AAAA).
+
+   Together, the ``-l -a`` options print all records in the zone.
+
+``-N ndots``
+   This option specifies the number of dots (``ndots``) that have to be in ``name`` for it to be
+   considered absolute. The default value is that defined using the
+   ``ndots`` statement in ``/etc/resolv.conf``, or 1 if no ``ndots`` statement
+   is present. Names with fewer dots are interpreted as relative names,
+   and are searched for in the domains listed in the ``search`` or
+   ``domain`` directive in ``/etc/resolv.conf``.
+
+``-p port``
+   This option specifies the port to query on the server. The default is 53.
+
+``-r``
+   This option specifies a non-recursive query; setting this option clears the RD (recursion
+   desired) bit in the query. This means that the name server
+   receiving the query does not attempt to resolve ``name``. The ``-r``
+   option enables ``host`` to mimic the behavior of a name server by
+   making non-recursive queries, and expecting to receive answers to
+   those queries that can be referrals to other name servers.
+
+``-R number``
+   This option specifies the number of retries for UDP queries. If ``number`` is negative or zero,
+   the number of retries is silently set to 1. The default value is 1, or
+   the value of the ``attempts`` option in ``/etc/resolv.conf``, if set.
+
+``-s``
+   This option tells ``named`` *not* to send the query to the next nameserver if any server responds
+   with a SERVFAIL response, which is the reverse of normal stub
+   resolver behavior.
+
+``-t type``
+   This option specifies the query type. The ``type`` argument can be any recognized query type:
+   CNAME, NS, SOA, TXT, DNSKEY, AXFR, etc.
+
+   When no query type is specified, ``host`` automatically selects an
+   appropriate query type. By default, it looks for A, AAAA, and MX
+   records. If the ``-C`` option is given, queries are made for SOA
+   records. If ``name`` is a dotted-decimal IPv4 address or
+   colon-delimited IPv6 address, ``host`` queries for PTR records.
+
+   If a query type of IXFR is chosen, the starting serial number can be
+   specified by appending an equals sign (=), followed by the starting serial
+   number, e.g., ``-t IXFR=12345678``.
+
+``-T``; ``-U``
+   This option specifies TCP or UDP. By default, ``host`` uses UDP when making queries; the
+   ``-T`` option makes it use a TCP connection when querying the name
+   server. TCP is automatically selected for queries that require
+   it, such as zone transfer (AXFR) requests. Type ``ANY`` queries default
+   to TCP, but can be forced to use UDP initially via ``-U``.
+
+``-m flag``
+   This option sets memory usage debugging: the flag can be ``record``, ``usage``, or
+   ``trace``. The ``-m`` option can be specified more than once to set
+   multiple flags.
+
+``-v``
+   This option sets verbose output, and is equivalent to the ``-d`` debug option. Verbose output
+   can also be enabled by setting the ``debug`` option in
+   ``/etc/resolv.conf``.
+
+``-V``
+   This option prints the version number and exits.
+
+``-w``
+   This option sets "wait forever": the query timeout is set to the maximum possible. See
+   also the ``-W`` option.
+
+``-W wait``
+   This options sets the length of the wait timeout, indicating that ``named`` should wait for up to ``wait`` seconds for a reply. If ``wait`` is
+   less than 1, the wait interval is set to 1 second.
+
+   By default, ``host`` waits for 5 seconds for UDP responses and 10
+   seconds for TCP connections. These defaults can be overridden by the
+   ``timeout`` option in ``/etc/resolv.conf``.
+
+   See also the ``-w`` option.
+
+IDN Support
+~~~~~~~~~~~
+
+If ``host`` has been built with IDN (internationalized domain name)
+support, it can accept and display non-ASCII domain names. ``host``
+appropriately converts character encoding of a domain name before sending
+a request to a DNS server or displaying a reply from the server.
+To turn off IDN support, define the ``IDN_DISABLE``
+environment variable. IDN support is disabled if the variable is set
+when ``host`` runs.
+
+Files
+~~~~~
+
+``/etc/resolv.conf``
+
+See Also
+~~~~~~~~
+
+:manpage:`dig(1)`, :manpage:`named(8)`.
diff --git a/bin/dig/include/.clang-format b/bin/dig/include/.clang-format
new file mode 120000
index 0000000..0e62f72
--- /dev/null
+++ b/bin/dig/include/.clang-format
@@ -0,0 +1 @@
+../../../.clang-format.headers
\ No newline at end of file
diff --git a/bin/dig/include/dig/dig.h b/bin/dig/include/dig/dig.h
new file mode 100644
index 0000000..8bf9613
--- /dev/null
+++ b/bin/dig/include/dig/dig.h
@@ -0,0 +1,425 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DIG_H
+#define DIG_H
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/buffer.h>
+#include <isc/bufferlist.h>
+#include <isc/formatcheck.h>
+#include <isc/lang.h>
+#include <isc/list.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/sockaddr.h>
+#include <isc/socket.h>
+
+#include <dns/rdatalist.h>
+
+#include <dst/dst.h>
+
+#ifdef __APPLE__
+#include <TargetConditionals.h>
+#endif /* ifdef __APPLE__ */
+
+#define MXSERV 20
+#define MXNAME (DNS_NAME_MAXTEXT + 1)
+#define MXRD   32
+/*% Buffer Size */
+#define BUFSIZE	 512
+#define COMMSIZE 0xffff
+#ifndef RESOLV_CONF
+/*% location of resolve.conf */
+#define RESOLV_CONF "/etc/resolv.conf"
+#endif /* ifndef RESOLV_CONF */
+/*% output buffer */
+#define OUTPUTBUF 32767
+/*% Max RR Limit */
+#define MAXRRLIMIT 0xffffffff
+#define MAXTIMEOUT 0xffff
+/*% Max number of tries */
+#define MAXTRIES 0xffffffff
+/*% Max number of dots */
+#define MAXNDOTS 0xffff
+/*% Max number of ports */
+#define MAXPORT 0xffff
+/*% Max serial number */
+#define MAXSERIAL 0xffffffff
+
+/*% Default TCP Timeout */
+#define TCP_TIMEOUT 10
+/*% Default UDP Timeout */
+#define UDP_TIMEOUT 5
+
+#define SERVER_TIMEOUT 1
+
+#define LOOKUP_LIMIT 64
+
+#define DEFAULT_EDNS_VERSION 0
+#define DEFAULT_EDNS_BUFSIZE 4096
+
+/*%
+ * Lookup_limit is just a limiter, keeping too many lookups from being
+ * created.  It's job is mainly to prevent the program from running away
+ * in a tight loop of constant lookups.  It's value is arbitrary.
+ */
+
+ISC_LANG_BEGINDECLS
+
+typedef struct dig_lookup dig_lookup_t;
+typedef struct dig_query  dig_query_t;
+typedef struct dig_server dig_server_t;
+typedef ISC_LIST(dig_server_t) dig_serverlist_t;
+typedef struct dig_searchlist dig_searchlist_t;
+
+#define DIG_QUERY_MAGIC ISC_MAGIC('D', 'i', 'g', 'q')
+
+#define DIG_VALID_QUERY(x) ISC_MAGIC_VALID((x), DIG_QUERY_MAGIC)
+
+/*% The dig_lookup structure */
+struct dig_lookup {
+	bool pending, /*%< Pending a successful answer */
+		waiting_connect, doing_xfr, ns_search_only, /*%< dig
+							     * +nssearch,
+							     * host -C */
+		identify, /*%< Append an "on server <foo>" message */
+		identify_previous_line, /*% Prepend a "Nameserver <foo>:"
+					 * message, with newline and tab */
+		ignore, recurse, aaonly, adflag, cdflag, raflag, tcflag, zflag,
+		trace,	    /*% dig +trace */
+		trace_root, /*% initial query for either +trace or +nssearch
+			     * */
+		tcp_mode, tcp_mode_set, comments, stats, section_question,
+		section_answer, section_authority, section_additional,
+		servfail_stops, new_search, need_search, done_as_is, besteffort,
+		dnssec, expire, sendcookie, seenbadcookie, badcookie,
+		nsid, /*% Name Server ID (RFC 5001) */
+		tcp_keepalive, header_only, ednsneg, mapped,
+		print_unknown_format, multiline, nottl, noclass, onesoa,
+		use_usec, nocrypto, ttlunits, idnin, idnout, expandaaaa, qr,
+		accept_reply_unexpected_src; /*%  print replies from
+					      * unexpected
+					      *   sources. */
+	char textname[MXNAME];		     /*% Name we're going to be
+					      * looking up */
+	char		 cmdline[MXNAME];
+	dns_rdatatype_t	 rdtype;
+	dns_rdatatype_t	 qrdtype;
+	dns_rdataclass_t rdclass;
+	bool		 rdtypeset;
+	bool		 rdclassset;
+	char		 name_space[BUFSIZE];
+	char		 oname_space[BUFSIZE];
+	isc_buffer_t	 namebuf;
+	isc_buffer_t	 onamebuf;
+	isc_buffer_t	 renderbuf;
+	char		*sendspace;
+	dns_name_t	*name;
+	isc_interval_t	 interval;
+	dns_message_t	*sendmsg;
+	dns_name_t	*oname;
+	ISC_LINK(dig_lookup_t) link;
+	ISC_LIST(dig_query_t) q;
+	ISC_LIST(dig_query_t) connecting;
+	dig_query_t	 *current_query;
+	dig_serverlist_t  my_server_list;
+	dig_searchlist_t *origin;
+	dig_query_t	 *xfr_q;
+	uint32_t	  retries;
+	int		  nsfound;
+	int16_t		  udpsize;
+	int16_t		  edns;
+	int16_t		  padding;
+	uint32_t	  ixfr_serial;
+	isc_buffer_t	  rdatabuf;
+	char		  rdatastore[MXNAME];
+	dst_context_t	 *tsigctx;
+	isc_buffer_t	 *querysig;
+	uint32_t	  msgcounter;
+	dns_fixedname_t	  fdomain;
+	isc_sockaddr_t	 *ecs_addr;
+	char		 *cookie;
+	dns_ednsopt_t	 *ednsopts;
+	unsigned int	  ednsoptscnt;
+	isc_dscp_t	  dscp;
+	unsigned int	  ednsflags;
+	dns_opcode_t	  opcode;
+	int		  rrcomments;
+	unsigned int	  eoferr;
+};
+
+/*% The dig_query structure */
+struct dig_query {
+	unsigned int  magic;
+	dig_lookup_t *lookup;
+	bool waiting_connect, pending_free, waiting_senddone, first_pass,
+		first_soa_rcvd, second_rr_rcvd, first_repeat_rcvd, recv_made,
+		warn_id, timedout;
+	uint32_t      first_rr_serial;
+	uint32_t      second_rr_serial;
+	uint32_t      msg_count;
+	uint32_t      rr_count;
+	bool	      ixfr_axfr;
+	char	     *servname;
+	char	     *userarg;
+	isc_buffer_t  recvbuf, lengthbuf, tmpsendbuf, sendbuf;
+	char	     *recvspace, *tmpsendspace, lengthspace[4];
+	isc_socket_t *sock;
+	ISC_LINK(dig_query_t) link;
+	ISC_LINK(dig_query_t) clink;
+	dig_query_t   *saved_next;
+	isc_sockaddr_t sockaddr;
+	isc_time_t     time_sent;
+	isc_time_t     time_recv;
+	uint64_t       byte_count;
+	isc_timer_t   *timer;
+};
+
+struct dig_server {
+	char servername[MXNAME];
+	char userarg[MXNAME];
+	ISC_LINK(dig_server_t) link;
+};
+
+struct dig_searchlist {
+	char origin[MXNAME];
+	ISC_LINK(dig_searchlist_t) link;
+};
+
+typedef ISC_LIST(dig_searchlist_t) dig_searchlistlist_t;
+typedef ISC_LIST(dig_lookup_t) dig_lookuplist_t;
+
+/*
+ * Externals from dighost.c
+ */
+
+extern dig_lookuplist_t	    lookup_list;
+extern dig_serverlist_t	    server_list;
+extern dig_searchlistlist_t search_list;
+extern unsigned int	    extrabytes;
+
+extern bool check_ra, have_ipv4, have_ipv6, specified_source, usesearch,
+	showsearch, yaml;
+extern in_port_t	 port;
+extern unsigned int	 timeout;
+extern isc_mem_t	*mctx;
+extern int		 sendcount;
+extern int		 ndots;
+extern int		 lookup_counter;
+extern int		 exitcode;
+extern isc_sockaddr_t	 bind_address;
+extern char		 keynametext[MXNAME];
+extern char		 keyfile[MXNAME];
+extern char		 keysecret[MXNAME];
+extern const dns_name_t *hmacname;
+extern unsigned int	 digestbits;
+extern dns_tsigkey_t	*tsigkey;
+extern bool		 validated;
+extern isc_taskmgr_t	*taskmgr;
+extern isc_task_t	*global_task;
+extern bool		 free_now;
+extern bool		 debugging, debugtiming, memdebugging;
+extern bool		 keep_open;
+
+extern char *progname;
+extern int   tries;
+extern int   fatalexit;
+extern bool  verbose;
+
+/*
+ * Routines in dighost.c.
+ */
+isc_result_t
+get_address(char *host, in_port_t myport, isc_sockaddr_t *sockaddr);
+
+int
+getaddresses(dig_lookup_t *lookup, const char *host, isc_result_t *resultp);
+
+isc_result_t
+get_reverse(char *reverse, size_t len, char *value, bool strict);
+
+ISC_PLATFORM_NORETURN_PRE void
+fatal(const char *format, ...)
+	ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
+
+void
+warn(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
+
+ISC_PLATFORM_NORETURN_PRE void
+digexit(void) ISC_PLATFORM_NORETURN_POST;
+
+void
+debug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
+
+void
+check_result(isc_result_t result, const char *msg);
+
+bool
+setup_lookup(dig_lookup_t *lookup);
+
+void
+destroy_lookup(dig_lookup_t *lookup);
+
+void
+do_lookup(dig_lookup_t *lookup);
+
+void
+start_lookup(void);
+
+void
+onrun_callback(isc_task_t *task, isc_event_t *event);
+
+int
+dhmain(int argc, char **argv);
+
+void
+setup_libs(void);
+
+void
+setup_system(bool ipv4only, bool ipv6only);
+
+isc_result_t
+parse_uint(uint32_t *uip, const char *value, uint32_t max, const char *desc);
+
+isc_result_t
+parse_xint(uint32_t *uip, const char *value, uint32_t max, const char *desc);
+
+isc_result_t
+parse_netprefix(isc_sockaddr_t **sap, const char *value);
+
+void
+parse_hmac(const char *hmacstr);
+
+dig_lookup_t *
+requeue_lookup(dig_lookup_t *lookold, bool servers);
+
+dig_lookup_t *
+make_empty_lookup(void);
+
+dig_lookup_t *
+clone_lookup(dig_lookup_t *lookold, bool servers);
+
+dig_server_t *
+make_server(const char *servname, const char *userarg);
+
+void
+flush_server_list(void);
+
+void
+set_nameserver(char *opt);
+
+void
+clone_server_list(dig_serverlist_t src, dig_serverlist_t *dest);
+
+void
+cancel_all(void);
+
+void
+destroy_libs(void);
+
+void
+set_search_domain(char *domain);
+
+/*
+ * Routines to be defined in dig.c, host.c, and nslookup.c. and
+ * then assigned to the appropriate function pointer
+ */
+extern isc_result_t (*dighost_printmessage)(dig_query_t	       *query,
+					    const isc_buffer_t *msgbuf,
+					    dns_message_t *msg, bool headers);
+
+/*
+ * Print an error message in the appropriate format.
+ */
+extern void (*dighost_error)(const char *format, ...);
+
+/*
+ * Print a warning message in the appropriate format.
+ */
+extern void (*dighost_warning)(const char *format, ...);
+
+/*
+ * Print a comment in the appropriate format.
+ */
+extern void (*dighost_comments)(dig_lookup_t *lookup, const char *format, ...);
+
+/*%<
+ * Print the final result of the lookup.
+ */
+
+extern void (*dighost_received)(unsigned int bytes, isc_sockaddr_t *from,
+				dig_query_t *query);
+/*%<
+ * Print a message about where and when the response
+ * was received from, like the final comment in the
+ * output of "dig".
+ */
+
+extern void (*dighost_trying)(char *frm, dig_lookup_t *lookup);
+
+extern void (*dighost_shutdown)(void);
+
+extern void (*dighost_pre_exit_hook)(void);
+
+void
+save_opt(dig_lookup_t *lookup, char *code, char *value);
+
+void
+setup_file_key(void);
+void
+setup_text_key(void);
+
+/*
+ * Routines exported from dig.c for use by dig for iOS
+ */
+
+/*%<
+ * Call once only to set up libraries, parse global
+ * parameters and initial command line query parameters
+ */
+void
+dig_setup(int argc, char **argv);
+
+/*%<
+ * Call to supply new parameters for the next lookup
+ */
+void
+dig_query_setup(bool, bool, int argc, char **argv);
+
+/*%<
+ * set the main application event cycle running
+ */
+void
+dig_startup(void);
+
+/*%<
+ * Initiates the next lookup cycle
+ */
+void
+dig_query_start(void);
+
+/*%<
+ * Cleans up the application
+ */
+void
+dig_shutdown(void);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ifndef DIG_H */
diff --git a/bin/dig/nslookup.c b/bin/dig/nslookup.c
new file mode 100644
index 0000000..0fa691d
--- /dev/null
+++ b/bin/dig/nslookup.c
@@ -0,0 +1,1047 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#include <isc/app.h>
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/event.h>
+#include <isc/netaddr.h>
+#include <isc/parseint.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/util.h>
+
+#include <dns/byaddr.h>
+#include <dns/fixedname.h>
+#include <dns/message.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+
+#include <dig/dig.h>
+
+#if defined(HAVE_READLINE)
+#if defined(HAVE_EDIT_READLINE_READLINE_H)
+#include <edit/readline/readline.h>
+#if defined(HAVE_EDIT_READLINE_HISTORY_H)
+#include <edit/readline/history.h>
+#endif /* if defined(HAVE_EDIT_READLINE_HISTORY_H) */
+#elif defined(HAVE_EDITLINE_READLINE_H)
+#include <editline/readline.h>
+#elif defined(HAVE_READLINE_READLINE_H)
+/* Prevent deprecated functions being declared. */
+#define _FUNCTION_DEF 1
+/* Ensure rl_message() gets prototype. */
+#define USE_VARARGS   1
+#define PREFER_STDARG 1
+#include <readline/readline.h>
+#if defined(HAVE_READLINE_HISTORY_H)
+#include <readline/history.h>
+#endif /* if defined(HAVE_READLINE_HISTORY_H) */
+#endif /* if defined(HAVE_EDIT_READLINE_READLINE_H) */
+#endif /* if defined(HAVE_READLINE) */
+
+static bool short_form = true, tcpmode = false, tcpmode_set = false,
+	    identify = false, stats = true, comments = true,
+	    section_question = true, section_answer = true,
+	    section_authority = true, section_additional = true, recurse = true,
+	    aaonly = false, nofail = true, default_lookups = true,
+	    a_noanswer = false;
+
+static bool interactive;
+
+static bool in_use = false;
+static char defclass[MXRD] = "IN";
+static char deftype[MXRD] = "A";
+static isc_event_t *global_event = NULL;
+static int query_error = 1, print_error = 0;
+
+static char domainopt[DNS_NAME_MAXTEXT];
+
+static const char *rcodetext[] = { "NOERROR",	 "FORMERR",    "SERVFAIL",
+				   "NXDOMAIN",	 "NOTIMP",     "REFUSED",
+				   "YXDOMAIN",	 "YXRRSET",    "NXRRSET",
+				   "NOTAUTH",	 "NOTZONE",    "RESERVED11",
+				   "RESERVED12", "RESERVED13", "RESERVED14",
+				   "RESERVED15", "BADVERS" };
+
+static const char *rtypetext[] = {
+	"rtype_0 = ",	       /* 0 */
+	"internet address = ", /* 1 */
+	"nameserver = ",       /* 2 */
+	"md = ",	       /* 3 */
+	"mf = ",	       /* 4 */
+	"canonical name = ",   /* 5 */
+	"soa = ",	       /* 6 */
+	"mb = ",	       /* 7 */
+	"mg = ",	       /* 8 */
+	"mr = ",	       /* 9 */
+	"rtype_10 = ",	       /* 10 */
+	"protocol = ",	       /* 11 */
+	"name = ",	       /* 12 */
+	"hinfo = ",	       /* 13 */
+	"minfo = ",	       /* 14 */
+	"mail exchanger = ",   /* 15 */
+	"text = ",	       /* 16 */
+	"rp = ",	       /* 17 */
+	"afsdb = ",	       /* 18 */
+	"x25 address = ",      /* 19 */
+	"isdn address = ",     /* 20 */
+	"rt = ",	       /* 21 */
+	"nsap = ",	       /* 22 */
+	"nsap_ptr = ",	       /* 23 */
+	"signature = ",	       /* 24 */
+	"key = ",	       /* 25 */
+	"px = ",	       /* 26 */
+	"gpos = ",	       /* 27 */
+	"has AAAA address ",   /* 28 */
+	"loc = ",	       /* 29 */
+	"next = ",	       /* 30 */
+	"rtype_31 = ",	       /* 31 */
+	"rtype_32 = ",	       /* 32 */
+	"service = ",	       /* 33 */
+	"rtype_34 = ",	       /* 34 */
+	"naptr = ",	       /* 35 */
+	"kx = ",	       /* 36 */
+	"cert = ",	       /* 37 */
+	"v6 address = ",       /* 38 */
+	"dname = ",	       /* 39 */
+	"rtype_40 = ",	       /* 40 */
+	"optional = "	       /* 41 */
+};
+
+#define N_KNOWN_RRTYPES (sizeof(rtypetext) / sizeof(rtypetext[0]))
+
+static void
+flush_lookup_list(void);
+static void
+getinput(isc_task_t *task, isc_event_t *event);
+
+static char *
+rcode_totext(dns_rcode_t rcode) {
+	static char buf[sizeof("?65535")];
+	union {
+		const char *consttext;
+		char *deconsttext;
+	} totext;
+
+	if (rcode >= (sizeof(rcodetext) / sizeof(rcodetext[0]))) {
+		snprintf(buf, sizeof(buf), "?%u", rcode);
+		totext.deconsttext = buf;
+	} else {
+		totext.consttext = rcodetext[rcode];
+	}
+	return (totext.deconsttext);
+}
+
+static void
+query_finished(void) {
+	isc_event_t *event = global_event;
+
+	flush_lookup_list();
+	debug("dighost_shutdown()");
+
+	if (!in_use) {
+		isc_app_shutdown();
+		return;
+	}
+
+	isc_task_send(global_task, &event);
+}
+
+static void
+printsoa(dns_rdata_t *rdata) {
+	dns_rdata_soa_t soa;
+	isc_result_t result;
+	char namebuf[DNS_NAME_FORMATSIZE];
+
+	result = dns_rdata_tostruct(rdata, &soa, NULL);
+	check_result(result, "dns_rdata_tostruct");
+
+	dns_name_format(&soa.origin, namebuf, sizeof(namebuf));
+	printf("\torigin = %s\n", namebuf);
+	dns_name_format(&soa.contact, namebuf, sizeof(namebuf));
+	printf("\tmail addr = %s\n", namebuf);
+	printf("\tserial = %u\n", soa.serial);
+	printf("\trefresh = %u\n", soa.refresh);
+	printf("\tretry = %u\n", soa.retry);
+	printf("\texpire = %u\n", soa.expire);
+	printf("\tminimum = %u\n", soa.minimum);
+	dns_rdata_freestruct(&soa);
+}
+
+static void
+printaddr(dns_rdata_t *rdata) {
+	isc_result_t result;
+	char text[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")];
+	isc_buffer_t b;
+
+	isc_buffer_init(&b, text, sizeof(text));
+	result = dns_rdata_totext(rdata, NULL, &b);
+	check_result(result, "dns_rdata_totext");
+	printf("Address: %.*s\n", (int)isc_buffer_usedlength(&b),
+	       (char *)isc_buffer_base(&b));
+}
+
+static void
+printrdata(dns_rdata_t *rdata) {
+	isc_result_t result;
+	isc_buffer_t *b = NULL;
+	unsigned int size = 1024;
+	bool done = false;
+
+	if (rdata->type < N_KNOWN_RRTYPES) {
+		printf("%s", rtypetext[rdata->type]);
+	} else {
+		printf("rdata_%d = ", rdata->type);
+	}
+
+	while (!done) {
+		isc_buffer_allocate(mctx, &b, size);
+		result = dns_rdata_totext(rdata, NULL, b);
+		if (result == ISC_R_SUCCESS) {
+			printf("%.*s\n", (int)isc_buffer_usedlength(b),
+			       (char *)isc_buffer_base(b));
+			done = true;
+		} else if (result != ISC_R_NOSPACE) {
+			check_result(result, "dns_rdata_totext");
+		}
+		isc_buffer_free(&b);
+		size *= 2;
+	}
+}
+
+static isc_result_t
+printsection(dig_query_t *query, dns_message_t *msg, bool headers,
+	     dns_section_t section) {
+	isc_result_t result, loopresult;
+	dns_name_t *name;
+	dns_rdataset_t *rdataset = NULL;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	char namebuf[DNS_NAME_FORMATSIZE];
+
+	UNUSED(query);
+	UNUSED(headers);
+
+	debug("printsection()");
+
+	result = dns_message_firstname(msg, section);
+	if (result == ISC_R_NOMORE) {
+		return (ISC_R_SUCCESS);
+	} else if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	for (;;) {
+		name = NULL;
+		dns_message_currentname(msg, section, &name);
+		for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link))
+		{
+			loopresult = dns_rdataset_first(rdataset);
+			while (loopresult == ISC_R_SUCCESS) {
+				dns_rdataset_current(rdataset, &rdata);
+				switch (rdata.type) {
+				case dns_rdatatype_a:
+				case dns_rdatatype_aaaa:
+					if (section != DNS_SECTION_ANSWER) {
+						goto def_short_section;
+					}
+					dns_name_format(name, namebuf,
+							sizeof(namebuf));
+					printf("Name:\t%s\n", namebuf);
+					printaddr(&rdata);
+					break;
+				case dns_rdatatype_soa:
+					dns_name_format(name, namebuf,
+							sizeof(namebuf));
+					printf("%s\n", namebuf);
+					printsoa(&rdata);
+					break;
+				default:
+				def_short_section:
+					dns_name_format(name, namebuf,
+							sizeof(namebuf));
+					printf("%s\t", namebuf);
+					printrdata(&rdata);
+					break;
+				}
+				dns_rdata_reset(&rdata);
+				loopresult = dns_rdataset_next(rdataset);
+			}
+		}
+		result = dns_message_nextname(msg, section);
+		if (result == ISC_R_NOMORE) {
+			break;
+		} else if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+detailsection(dig_query_t *query, dns_message_t *msg, bool headers,
+	      dns_section_t section) {
+	isc_result_t result, loopresult;
+	dns_name_t *name;
+	dns_rdataset_t *rdataset = NULL;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	char namebuf[DNS_NAME_FORMATSIZE];
+
+	UNUSED(query);
+
+	debug("detailsection()");
+
+	if (headers) {
+		switch (section) {
+		case DNS_SECTION_QUESTION:
+			puts("    QUESTIONS:");
+			break;
+		case DNS_SECTION_ANSWER:
+			puts("    ANSWERS:");
+			break;
+		case DNS_SECTION_AUTHORITY:
+			puts("    AUTHORITY RECORDS:");
+			break;
+		case DNS_SECTION_ADDITIONAL:
+			puts("    ADDITIONAL RECORDS:");
+			break;
+		}
+	}
+
+	result = dns_message_firstname(msg, section);
+	if (result == ISC_R_NOMORE) {
+		return (ISC_R_SUCCESS);
+	} else if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	for (;;) {
+		name = NULL;
+		dns_message_currentname(msg, section, &name);
+		for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link))
+		{
+			if (section == DNS_SECTION_QUESTION) {
+				dns_name_format(name, namebuf, sizeof(namebuf));
+				printf("\t%s, ", namebuf);
+				dns_rdatatype_format(rdataset->type, namebuf,
+						     sizeof(namebuf));
+				printf("type = %s, ", namebuf);
+				dns_rdataclass_format(rdataset->rdclass,
+						      namebuf, sizeof(namebuf));
+				printf("class = %s\n", namebuf);
+			}
+			loopresult = dns_rdataset_first(rdataset);
+			while (loopresult == ISC_R_SUCCESS) {
+				dns_rdataset_current(rdataset, &rdata);
+
+				dns_name_format(name, namebuf, sizeof(namebuf));
+				printf("    ->  %s\n", namebuf);
+
+				switch (rdata.type) {
+				case dns_rdatatype_soa:
+					printsoa(&rdata);
+					break;
+				default:
+					printf("\t");
+					printrdata(&rdata);
+				}
+				dns_rdata_reset(&rdata);
+				printf("\tttl = %u\n", rdataset->ttl);
+				loopresult = dns_rdataset_next(rdataset);
+			}
+		}
+		result = dns_message_nextname(msg, section);
+		if (result == ISC_R_NOMORE) {
+			break;
+		} else if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static void
+received(unsigned int bytes, isc_sockaddr_t *from, dig_query_t *query) {
+	UNUSED(bytes);
+	UNUSED(from);
+	UNUSED(query);
+}
+
+static void
+trying(char *frm, dig_lookup_t *lookup) {
+	UNUSED(frm);
+	UNUSED(lookup);
+}
+
+static void
+chase_cnamechain(dns_message_t *msg, dns_name_t *qname) {
+	isc_result_t result;
+	dns_rdataset_t *rdataset;
+	dns_rdata_cname_t cname;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	unsigned int i = msg->counts[DNS_SECTION_ANSWER];
+
+	while (i-- > 0) {
+		rdataset = NULL;
+		result = dns_message_findname(msg, DNS_SECTION_ANSWER, qname,
+					      dns_rdatatype_cname, 0, NULL,
+					      &rdataset);
+		if (result != ISC_R_SUCCESS) {
+			return;
+		}
+		result = dns_rdataset_first(rdataset);
+		check_result(result, "dns_rdataset_first");
+		dns_rdata_reset(&rdata);
+		dns_rdataset_current(rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &cname, NULL);
+		check_result(result, "dns_rdata_tostruct");
+		dns_name_copynf(&cname.cname, qname);
+		dns_rdata_freestruct(&cname);
+	}
+}
+
+static isc_result_t
+printmessage(dig_query_t *query, const isc_buffer_t *msgbuf, dns_message_t *msg,
+	     bool headers) {
+	char servtext[ISC_SOCKADDR_FORMATSIZE];
+
+	UNUSED(msgbuf);
+
+	/* I've we've gotten this far, we've reached a server. */
+	query_error = 0;
+
+	debug("printmessage()");
+
+	if (!default_lookups || query->lookup->rdtype == dns_rdatatype_a) {
+		isc_sockaddr_format(&query->sockaddr, servtext,
+				    sizeof(servtext));
+		printf("Server:\t\t%s\n", query->userarg);
+		printf("Address:\t%s\n", servtext);
+
+		puts("");
+	}
+
+	if (!short_form) {
+		puts("------------");
+		/*		detailheader(query, msg);*/
+		detailsection(query, msg, true, DNS_SECTION_QUESTION);
+		detailsection(query, msg, true, DNS_SECTION_ANSWER);
+		detailsection(query, msg, true, DNS_SECTION_AUTHORITY);
+		detailsection(query, msg, true, DNS_SECTION_ADDITIONAL);
+		puts("------------");
+	}
+
+	if (msg->rcode != 0) {
+		char nametext[DNS_NAME_FORMATSIZE];
+		dns_name_format(query->lookup->name, nametext,
+				sizeof(nametext));
+		printf("** server can't find %s: %s\n", nametext,
+		       rcode_totext(msg->rcode));
+		debug("returning with rcode == 0");
+
+		/* the lookup failed */
+		print_error |= 1;
+		return (ISC_R_SUCCESS);
+	}
+
+	if (default_lookups && query->lookup->rdtype == dns_rdatatype_a) {
+		char namestr[DNS_NAME_FORMATSIZE];
+		dig_lookup_t *lookup;
+		dns_fixedname_t fixed;
+		dns_name_t *name;
+
+		/* Add AAAA lookup. */
+		name = dns_fixedname_initname(&fixed);
+		dns_name_copynf(query->lookup->name, name);
+		chase_cnamechain(msg, name);
+		dns_name_format(name, namestr, sizeof(namestr));
+		lookup = clone_lookup(query->lookup, false);
+		if (lookup != NULL) {
+			strlcpy(lookup->textname, namestr,
+				sizeof(lookup->textname));
+			lookup->rdtype = dns_rdatatype_aaaa;
+			lookup->rdtypeset = true;
+			lookup->origin = NULL;
+			lookup->retries = tries;
+			ISC_LIST_APPEND(lookup_list, lookup, link);
+		}
+	}
+
+	if ((msg->flags & DNS_MESSAGEFLAG_AA) == 0 &&
+	    (!default_lookups || query->lookup->rdtype == dns_rdatatype_a))
+	{
+		puts("Non-authoritative answer:");
+	}
+	if (!ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ANSWER])) {
+		printsection(query, msg, headers, DNS_SECTION_ANSWER);
+	} else {
+		if (default_lookups && query->lookup->rdtype == dns_rdatatype_a)
+		{
+			a_noanswer = true;
+		} else if (!default_lookups ||
+			   (query->lookup->rdtype == dns_rdatatype_aaaa &&
+			    a_noanswer))
+		{
+			printf("*** Can't find %s: No answer\n",
+			       query->lookup->textname);
+		}
+	}
+
+	if (((msg->flags & DNS_MESSAGEFLAG_AA) == 0) &&
+	    (query->lookup->rdtype != dns_rdatatype_a) &&
+	    (query->lookup->rdtype != dns_rdatatype_aaaa))
+	{
+		puts("\nAuthoritative answers can be found from:");
+		printsection(query, msg, headers, DNS_SECTION_AUTHORITY);
+		printsection(query, msg, headers, DNS_SECTION_ADDITIONAL);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static void
+show_settings(bool full, bool serv_only) {
+	dig_server_t *srv;
+	isc_sockaddr_t sockaddr;
+	dig_searchlist_t *listent;
+	isc_result_t result;
+
+	srv = ISC_LIST_HEAD(server_list);
+
+	while (srv != NULL) {
+		char sockstr[ISC_SOCKADDR_FORMATSIZE];
+
+		result = get_address(srv->servername, port, &sockaddr);
+		check_result(result, "get_address");
+
+		isc_sockaddr_format(&sockaddr, sockstr, sizeof(sockstr));
+		printf("Default server: %s\nAddress: %s\n", srv->userarg,
+		       sockstr);
+		if (!full) {
+			return;
+		}
+		srv = ISC_LIST_NEXT(srv, link);
+	}
+	if (serv_only) {
+		return;
+	}
+	printf("\nSet options:\n");
+	printf("  %s\t\t\t%s\t\t%s\n", tcpmode ? "vc" : "novc",
+	       short_form ? "nodebug" : "debug", debugging ? "d2" : "nod2");
+	printf("  %s\t\t%s\n", usesearch ? "search" : "nosearch",
+	       recurse ? "recurse" : "norecurse");
+	printf("  timeout = %u\t\tretry = %d\tport = %u\tndots = %d\n", timeout,
+	       tries, port, ndots);
+	printf("  querytype = %-8s\tclass = %s\n", deftype, defclass);
+	printf("  srchlist = ");
+	for (listent = ISC_LIST_HEAD(search_list); listent != NULL;
+	     listent = ISC_LIST_NEXT(listent, link))
+	{
+		printf("%s", listent->origin);
+		if (ISC_LIST_NEXT(listent, link) != NULL) {
+			printf("/");
+		}
+	}
+	printf("\n");
+}
+
+static bool
+testtype(char *typetext) {
+	isc_result_t result;
+	isc_textregion_t tr;
+	dns_rdatatype_t rdtype;
+
+	tr.base = typetext;
+	tr.length = strlen(typetext);
+	result = dns_rdatatype_fromtext(&rdtype, &tr);
+	if (result == ISC_R_SUCCESS) {
+		return (true);
+	} else {
+		printf("unknown query type: %s\n", typetext);
+		return (false);
+	}
+}
+
+static bool
+testclass(char *typetext) {
+	isc_result_t result;
+	isc_textregion_t tr;
+	dns_rdataclass_t rdclass;
+
+	tr.base = typetext;
+	tr.length = strlen(typetext);
+	result = dns_rdataclass_fromtext(&rdclass, &tr);
+	if (result == ISC_R_SUCCESS) {
+		return (true);
+	} else {
+		printf("unknown query class: %s\n", typetext);
+		return (false);
+	}
+}
+
+static void
+set_port(const char *value) {
+	uint32_t n;
+	isc_result_t result = parse_uint(&n, value, 65535, "port");
+	if (result == ISC_R_SUCCESS) {
+		port = (uint16_t)n;
+	}
+}
+
+static void
+set_timeout(const char *value) {
+	uint32_t n;
+	isc_result_t result = parse_uint(&n, value, UINT_MAX, "timeout");
+	if (result == ISC_R_SUCCESS) {
+		timeout = n;
+	}
+}
+
+static void
+set_tries(const char *value) {
+	uint32_t n;
+	isc_result_t result = parse_uint(&n, value, INT_MAX, "tries");
+	if (result == ISC_R_SUCCESS) {
+		tries = n;
+	}
+}
+
+static void
+set_ndots(const char *value) {
+	uint32_t n;
+	isc_result_t result = parse_uint(&n, value, 128, "ndots");
+	if (result == ISC_R_SUCCESS) {
+		ndots = n;
+	}
+}
+
+static void
+version(void) {
+	fputs("nslookup " VERSION "\n", stderr);
+}
+
+static void
+setoption(char *opt) {
+	size_t l = strlen(opt);
+
+#define CHECKOPT(A, N) \
+	((l >= N) && (l < sizeof(A)) && (strncasecmp(opt, A, l) == 0))
+
+	if (CHECKOPT("all", 3)) {
+		show_settings(true, false);
+	} else if (strncasecmp(opt, "class=", 6) == 0) {
+		if (testclass(&opt[6])) {
+			strlcpy(defclass, &opt[6], sizeof(defclass));
+		}
+	} else if (strncasecmp(opt, "cl=", 3) == 0) {
+		if (testclass(&opt[3])) {
+			strlcpy(defclass, &opt[3], sizeof(defclass));
+		}
+	} else if (strncasecmp(opt, "type=", 5) == 0) {
+		if (testtype(&opt[5])) {
+			strlcpy(deftype, &opt[5], sizeof(deftype));
+			default_lookups = false;
+		}
+	} else if (strncasecmp(opt, "ty=", 3) == 0) {
+		if (testtype(&opt[3])) {
+			strlcpy(deftype, &opt[3], sizeof(deftype));
+			default_lookups = false;
+		}
+	} else if (strncasecmp(opt, "querytype=", 10) == 0) {
+		if (testtype(&opt[10])) {
+			strlcpy(deftype, &opt[10], sizeof(deftype));
+			default_lookups = false;
+		}
+	} else if (strncasecmp(opt, "query=", 6) == 0) {
+		if (testtype(&opt[6])) {
+			strlcpy(deftype, &opt[6], sizeof(deftype));
+			default_lookups = false;
+		}
+	} else if (strncasecmp(opt, "qu=", 3) == 0) {
+		if (testtype(&opt[3])) {
+			strlcpy(deftype, &opt[3], sizeof(deftype));
+			default_lookups = false;
+		}
+	} else if (strncasecmp(opt, "q=", 2) == 0) {
+		if (testtype(&opt[2])) {
+			strlcpy(deftype, &opt[2], sizeof(deftype));
+			default_lookups = false;
+		}
+	} else if (strncasecmp(opt, "domain=", 7) == 0) {
+		strlcpy(domainopt, &opt[7], sizeof(domainopt));
+		set_search_domain(domainopt);
+		usesearch = true;
+	} else if (strncasecmp(opt, "do=", 3) == 0) {
+		strlcpy(domainopt, &opt[3], sizeof(domainopt));
+		set_search_domain(domainopt);
+		usesearch = true;
+	} else if (strncasecmp(opt, "port=", 5) == 0) {
+		set_port(&opt[5]);
+	} else if (strncasecmp(opt, "po=", 3) == 0) {
+		set_port(&opt[3]);
+	} else if (strncasecmp(opt, "timeout=", 8) == 0) {
+		set_timeout(&opt[8]);
+	} else if (strncasecmp(opt, "t=", 2) == 0) {
+		set_timeout(&opt[2]);
+	} else if (CHECKOPT("recurse", 3)) {
+		recurse = true;
+	} else if (CHECKOPT("norecurse", 5)) {
+		recurse = false;
+	} else if (strncasecmp(opt, "retry=", 6) == 0) {
+		set_tries(&opt[6]);
+	} else if (strncasecmp(opt, "ret=", 4) == 0) {
+		set_tries(&opt[4]);
+	} else if (CHECKOPT("defname", 3)) {
+		usesearch = true;
+	} else if (CHECKOPT("nodefname", 5)) {
+		usesearch = false;
+	} else if (CHECKOPT("vc", 2)) {
+		tcpmode = true;
+		tcpmode_set = true;
+	} else if (CHECKOPT("novc", 4)) {
+		tcpmode = false;
+		tcpmode_set = true;
+	} else if (CHECKOPT("debug", 3)) {
+		short_form = false;
+		showsearch = true;
+	} else if (CHECKOPT("nodebug", 5)) {
+		short_form = true;
+		showsearch = false;
+	} else if (CHECKOPT("d2", 2)) {
+		debugging = true;
+	} else if (CHECKOPT("nod2", 4)) {
+		debugging = false;
+	} else if (CHECKOPT("search", 3)) {
+		usesearch = true;
+	} else if (CHECKOPT("nosearch", 5)) {
+		usesearch = false;
+	} else if (CHECKOPT("sil", 3)) {
+		/* deprecation_msg = false; */
+	} else if (CHECKOPT("fail", 3)) {
+		nofail = false;
+	} else if (CHECKOPT("nofail", 5)) {
+		nofail = true;
+	} else if (strncasecmp(opt, "ndots=", 6) == 0) {
+		set_ndots(&opt[6]);
+	} else {
+		printf("*** Invalid option: %s\n", opt);
+	}
+}
+
+static void
+addlookup(char *opt) {
+	dig_lookup_t *lookup;
+	isc_result_t result;
+	isc_textregion_t tr;
+	dns_rdatatype_t rdtype;
+	dns_rdataclass_t rdclass;
+	char store[MXNAME];
+
+	debug("addlookup()");
+
+	a_noanswer = false;
+
+	tr.base = deftype;
+	tr.length = strlen(deftype);
+	result = dns_rdatatype_fromtext(&rdtype, &tr);
+	if (result != ISC_R_SUCCESS) {
+		printf("unknown query type: %s\n", deftype);
+		rdclass = dns_rdatatype_a;
+	}
+	tr.base = defclass;
+	tr.length = strlen(defclass);
+	result = dns_rdataclass_fromtext(&rdclass, &tr);
+	if (result != ISC_R_SUCCESS) {
+		printf("unknown query class: %s\n", defclass);
+		rdclass = dns_rdataclass_in;
+	}
+	lookup = make_empty_lookup();
+	if (get_reverse(store, sizeof(store), opt, true) == ISC_R_SUCCESS) {
+		strlcpy(lookup->textname, store, sizeof(lookup->textname));
+		lookup->rdtype = dns_rdatatype_ptr;
+		lookup->rdtypeset = true;
+	} else {
+		strlcpy(lookup->textname, opt, sizeof(lookup->textname));
+		lookup->rdtype = rdtype;
+		lookup->rdtypeset = true;
+	}
+	lookup->rdclass = rdclass;
+	lookup->rdclassset = true;
+	lookup->trace = false;
+	lookup->trace_root = lookup->trace;
+	lookup->ns_search_only = false;
+	lookup->identify = identify;
+	lookup->recurse = recurse;
+	lookup->aaonly = aaonly;
+	lookup->retries = tries;
+	lookup->comments = comments;
+	if (lookup->rdtype == dns_rdatatype_any && !tcpmode_set) {
+		lookup->tcp_mode = true;
+	} else {
+		lookup->tcp_mode = tcpmode;
+	}
+	lookup->stats = stats;
+	lookup->section_question = section_question;
+	lookup->section_answer = section_answer;
+	lookup->section_authority = section_authority;
+	lookup->section_additional = section_additional;
+	lookup->new_search = true;
+	lookup->besteffort = false;
+	if (nofail) {
+		lookup->servfail_stops = false;
+	}
+	ISC_LIST_INIT(lookup->q);
+	ISC_LINK_INIT(lookup, link);
+	ISC_LIST_APPEND(lookup_list, lookup, link);
+	lookup->origin = NULL;
+	ISC_LIST_INIT(lookup->my_server_list);
+	debug("looking up %s", lookup->textname);
+}
+
+static void
+do_next_command(char *input) {
+	char *ptr, *arg, *last;
+
+	if ((ptr = strtok_r(input, " \t\r\n", &last)) == NULL) {
+		return;
+	}
+	arg = strtok_r(NULL, " \t\r\n", &last);
+	if ((strcasecmp(ptr, "set") == 0) && (arg != NULL)) {
+		setoption(arg);
+	} else if ((strcasecmp(ptr, "server") == 0) ||
+		   (strcasecmp(ptr, "lserver") == 0))
+	{
+		isc_app_block();
+		set_nameserver(arg);
+		check_ra = false;
+		isc_app_unblock();
+		show_settings(true, true);
+	} else if (strcasecmp(ptr, "exit") == 0) {
+		in_use = false;
+	} else if (strcasecmp(ptr, "help") == 0 || strcasecmp(ptr, "?") == 0) {
+		printf("The '%s' command is not yet implemented.\n", ptr);
+	} else if (strcasecmp(ptr, "finger") == 0 ||
+		   strcasecmp(ptr, "root") == 0 || strcasecmp(ptr, "ls") == 0 ||
+		   strcasecmp(ptr, "view") == 0)
+	{
+		printf("The '%s' command is not implemented.\n", ptr);
+	} else {
+		addlookup(ptr);
+	}
+}
+
+static void
+get_next_command(void) {
+	char *buf;
+	char *ptr;
+
+	fflush(stdout);
+	buf = isc_mem_allocate(mctx, COMMSIZE);
+	isc_app_block();
+	if (interactive) {
+#ifdef HAVE_READLINE
+		ptr = readline("> ");
+		if (ptr != NULL) {
+			add_history(ptr);
+		}
+#else  /* ifdef HAVE_READLINE */
+		fputs("> ", stderr);
+		fflush(stderr);
+		ptr = fgets(buf, COMMSIZE, stdin);
+#endif /* ifdef HAVE_READLINE */
+	} else {
+		ptr = fgets(buf, COMMSIZE, stdin);
+	}
+	isc_app_unblock();
+	if (ptr == NULL) {
+		in_use = false;
+	} else {
+		do_next_command(ptr);
+	}
+#ifdef HAVE_READLINE
+	if (interactive) {
+		free(ptr);
+	}
+#endif /* ifdef HAVE_READLINE */
+	isc_mem_free(mctx, buf);
+}
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(void) {
+	fprintf(stderr, "Usage:\n");
+	fprintf(stderr, "   nslookup [-opt ...]             # interactive mode "
+			"using default server\n");
+	fprintf(stderr, "   nslookup [-opt ...] - server    # interactive mode "
+			"using 'server'\n");
+	fprintf(stderr, "   nslookup [-opt ...] host        # just look up "
+			"'host' using default server\n");
+	fprintf(stderr, "   nslookup [-opt ...] host server # just look up "
+			"'host' using 'server'\n");
+	exit(1);
+}
+
+static void
+parse_args(int argc, char **argv) {
+	bool have_lookup = false;
+
+	usesearch = true;
+	for (argc--, argv++; argc > 0 && argv[0] != NULL; argc--, argv++) {
+		debug("main parsing %s", argv[0]);
+		if (argv[0][0] == '-') {
+			if (strncasecmp(argv[0], "-ver", 4) == 0) {
+				version();
+				exit(0);
+			} else if (argv[0][1] != 0) {
+				setoption(&argv[0][1]);
+			} else {
+				have_lookup = true;
+			}
+		} else {
+			if (!have_lookup) {
+				have_lookup = true;
+				in_use = true;
+				addlookup(argv[0]);
+			} else {
+				if (argv[1] != NULL) {
+					usage();
+				}
+				set_nameserver(argv[0]);
+				check_ra = false;
+			}
+		}
+	}
+}
+
+static void
+flush_lookup_list(void) {
+	dig_lookup_t *l, *lp;
+	dig_query_t *q, *qp;
+	dig_server_t *s, *sp;
+
+	lookup_counter = 0;
+	l = ISC_LIST_HEAD(lookup_list);
+	while (l != NULL) {
+		q = ISC_LIST_HEAD(l->q);
+		while (q != NULL) {
+			if (q->sock != NULL) {
+				isc_socket_cancel(q->sock, NULL,
+						  ISC_SOCKCANCEL_ALL);
+				isc_socket_detach(&q->sock);
+			}
+			isc_buffer_invalidate(&q->recvbuf);
+			isc_buffer_invalidate(&q->lengthbuf);
+			qp = q;
+			q = ISC_LIST_NEXT(q, link);
+			ISC_LIST_DEQUEUE(l->q, qp, link);
+			isc_mem_free(mctx, qp);
+		}
+		s = ISC_LIST_HEAD(l->my_server_list);
+		while (s != NULL) {
+			sp = s;
+			s = ISC_LIST_NEXT(s, link);
+			ISC_LIST_DEQUEUE(l->my_server_list, sp, link);
+			isc_mem_free(mctx, sp);
+		}
+		if (l->sendmsg != NULL) {
+			dns_message_detach(&l->sendmsg);
+		}
+		lp = l;
+		l = ISC_LIST_NEXT(l, link);
+		ISC_LIST_DEQUEUE(lookup_list, lp, link);
+		isc_mem_free(mctx, lp);
+	}
+}
+
+static void
+getinput(isc_task_t *task, isc_event_t *event) {
+	UNUSED(task);
+	if (global_event == NULL) {
+		global_event = event;
+	}
+	while (in_use) {
+		get_next_command();
+		if (ISC_LIST_HEAD(lookup_list) != NULL) {
+			start_lookup();
+			return;
+		}
+	}
+	isc_app_shutdown();
+}
+
+int
+main(int argc, char **argv) {
+	isc_result_t result;
+
+	interactive = isatty(0);
+
+	ISC_LIST_INIT(lookup_list);
+	ISC_LIST_INIT(server_list);
+	ISC_LIST_INIT(search_list);
+
+	check_ra = true;
+
+	/* setup dighost callbacks */
+	dighost_printmessage = printmessage;
+	dighost_received = received;
+	dighost_trying = trying;
+	dighost_shutdown = query_finished;
+
+	result = isc_app_start();
+	check_result(result, "isc_app_start");
+
+	setup_libs();
+	progname = argv[0];
+
+	setup_system(false, false);
+	parse_args(argc, argv);
+	if (keyfile[0] != 0) {
+		setup_file_key();
+	} else if (keysecret[0] != 0) {
+		setup_text_key();
+	}
+	if (domainopt[0] != '\0') {
+		set_search_domain(domainopt);
+	}
+	if (in_use) {
+		result = isc_app_onrun(mctx, global_task, onrun_callback, NULL);
+	} else {
+		result = isc_app_onrun(mctx, global_task, getinput, NULL);
+	}
+	check_result(result, "isc_app_onrun");
+	in_use = !in_use;
+
+	(void)isc_app_run();
+
+	puts("");
+	debug("done, and starting to shut down");
+	if (global_event != NULL) {
+		isc_event_free(&global_event);
+	}
+	cancel_all();
+	destroy_libs();
+	isc_app_finish();
+
+	return (query_error | print_error);
+}
diff --git a/bin/dig/nslookup.rst b/bin/dig/nslookup.rst
new file mode 100644
index 0000000..2d1e123
--- /dev/null
+++ b/bin/dig/nslookup.rst
@@ -0,0 +1,206 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. highlight: console
+
+.. _man_nslookup:
+
+nslookup - query Internet name servers interactively
+----------------------------------------------------
+
+Synopsis
+~~~~~~~~
+
+:program:`nslookup` [-option] [name | -] [server]
+
+Description
+~~~~~~~~~~~
+
+``nslookup`` is a program to query Internet domain name servers.
+``nslookup`` has two modes: interactive and non-interactive. Interactive
+mode allows the user to query name servers for information about various
+hosts and domains or to print a list of hosts in a domain.
+Non-interactive mode prints just the name and requested
+information for a host or domain.
+
+Arguments
+~~~~~~~~~
+
+Interactive mode is entered in the following cases:
+
+a. when no arguments are given (the default name server is used);
+
+b. when the first argument is a hyphen (-) and the second argument is
+   the host name or Internet address of a name server.
+
+Non-interactive mode is used when the name or Internet address of the
+host to be looked up is given as the first argument. The optional second
+argument specifies the host name or address of a name server.
+
+Options can also be specified on the command line if they precede the
+arguments and are prefixed with a hyphen. For example, to change the
+default query type to host information, with an initial timeout of 10
+seconds, type:
+
+::
+
+   nslookup -query=hinfo  -timeout=10
+
+The ``-version`` option causes ``nslookup`` to print the version number
+and immediately exit.
+
+Interactive Commands
+~~~~~~~~~~~~~~~~~~~~
+
+``host [server]``
+   This command looks up information for ``host`` using the current default server or
+   using ``server``, if specified. If ``host`` is an Internet address and the
+   query type is A or PTR, the name of the host is returned. If ``host`` is
+   a name and does not have a trailing period (``.``), the search list is used
+   to qualify the name.
+
+   To look up a host not in the current domain, append a period to the
+   name.
+
+``server domain`` | ``lserver domain``
+   These commands change the default server to ``domain``; ``lserver`` uses the initial
+   server to look up information about ``domain``, while ``server`` uses the
+   current default server. If an authoritative answer cannot be found,
+   the names of servers that might have the answer are returned.
+
+``root``
+   This command is not implemented.
+
+``finger``
+   This command is not implemented.
+
+``ls``
+   This command is not implemented.
+
+``view``
+   This command is not implemented.
+
+``help``
+   This command is not implemented.
+
+``?``
+   This command is not implemented.
+
+``exit``
+   This command exits the program.
+
+``set keyword[=value]``
+   This command is used to change state information that affects the
+   lookups. Valid keywords are:
+
+   ``all``
+      This keyword prints the current values of the frequently used options to
+      ``set``. Information about the current default server and host is
+      also printed.
+
+   ``class=value``
+      This keyword changes the query class to one of:
+
+      ``IN``
+         the Internet class
+
+      ``CH``
+         the Chaos class
+
+      ``HS``
+         the Hesiod class
+
+      ``ANY``
+         wildcard
+
+      The class specifies the protocol group of the information. The default
+      is ``IN``; the abbreviation for this keyword is ``cl``.
+
+   ``nodebug``
+      This keyword turns on or off the display of the full response packet, and any
+      intermediate response packets, when searching. The default for this keyword is
+      ``nodebug``; the abbreviation for this keyword is ``[no]deb``.
+
+   ``nod2``
+      This keyword turns debugging mode on or off. This displays more about what
+      nslookup is doing. The default is ``nod2``.
+
+   ``domain=name``
+      This keyword sets the search list to ``name``.
+
+   ``nosearch``
+      If the lookup request contains at least one period, but does not end
+      with a trailing period, this keyword appends the domain names in the domain
+      search list to the request until an answer is received. The default is ``search``.
+
+   ``port=value``
+      This keyword changes the default TCP/UDP name server port to ``value`` from
+      its default, port 53. The abbreviation for this keyword is ``po``.
+
+   ``querytype=value`` | ``type=value``
+      This keyword changes the type of the information query to ``value``. The
+      defaults are A and then AAAA; the abbreviations for these keywords are
+      ``q`` and ``ty``.
+
+      Please note that it is only possible to specify one query type. Only the default
+      behavior looks up both when an alternative is not specified.
+
+   ``norecurse``
+      This keyword tells the name server to query other servers if it does not have
+      the information. The default is ``recurse``; the abbreviation for this
+      keyword is ``[no]rec``.
+
+   ``ndots=number``
+      This keyword sets the number of dots (label separators) in a domain that
+      disables searching. Absolute names always stop searching.
+
+   ``retry=number``
+      This keyword sets the number of retries to ``number``.
+
+   ``timeout=number``
+      This keyword changes the initial timeout interval to wait for a reply to
+      ``number``, in seconds.
+
+   ``novc``
+      This keyword indicates that a virtual circuit should always be used when sending requests to the server.
+      ``novc`` is the default.
+
+   ``nofail``
+      This keyword tries the next nameserver if a nameserver responds with SERVFAIL or
+      a referral (nofail), or terminates the query (fail) on such a response. The
+      default is ``nofail``.
+
+Return Values
+~~~~~~~~~~~~~
+
+``nslookup`` returns with an exit status of 1 if any query failed, and 0
+otherwise.
+
+IDN Support
+~~~~~~~~~~~
+
+If ``nslookup`` has been built with IDN (internationalized domain name)
+support, it can accept and display non-ASCII domain names. ``nslookup``
+appropriately converts character encoding of a domain name before sending
+a request to a DNS server or displaying a reply from the server.
+To turn off IDN support, define the ``IDN_DISABLE``
+environment variable. IDN support is disabled if the variable is set
+when ``nslookup`` runs, or when the standard output is not a tty.
+
+Files
+~~~~~
+
+``/etc/resolv.conf``
+
+See Also
+~~~~~~~~
+
+:manpage:`dig(1)`, :manpage:`host(1)`, :manpage:`named(8)`.
diff --git a/bin/dig/win32/dig.vcxproj.filters.in b/bin/dig/win32/dig.vcxproj.filters.in
new file mode 100644
index 0000000..1d92732
--- /dev/null
+++ b/bin/dig/win32/dig.vcxproj.filters.in
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\include\dig\dig.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\dig.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/dig/win32/dig.vcxproj.in b/bin/dig/win32/dig.vcxproj.in
new file mode 100644
index 0000000..c65a103
--- /dev/null
+++ b/bin/dig/win32/dig.vcxproj.in
@@ -0,0 +1,122 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{F938F9B8-D395-4A40-BEC7-0122D289C692}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>dig</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\include;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@IDN_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\irs\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@dighost.lib;libisc.lib;libisccfg.lib;libirs.lib;libdns.lib;libbind9.lib;@IDN_LIB@ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\include;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@IDN_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\irs\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@dighost.lib;libisc.lib;libisccfg.lib;libirs.lib;libdns.lib;libbind9.lib;@IDN_LIB@ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClInclude Include="..\include\dig\dig.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\dig.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/dig/win32/dig.vcxproj.user b/bin/dig/win32/dig.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/dig/win32/dig.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/dig/win32/dighost.vcxproj.filters.in b/bin/dig/win32/dighost.vcxproj.filters.in
new file mode 100644
index 0000000..d108bfb
--- /dev/null
+++ b/bin/dig/win32/dighost.vcxproj.filters.in
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\dighost.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/dig/win32/dighost.vcxproj.in b/bin/dig/win32/dighost.vcxproj.in
new file mode 100644
index 0000000..1ed120c
--- /dev/null
+++ b/bin/dig/win32/dighost.vcxproj.in
@@ -0,0 +1,115 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{140DE800-E552-43CC-B0C7-A33A92E368CA}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>dighost</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>.\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>.\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@IDN_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\irs\include;..\..\..\lib\irs\win32\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@IDN_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\irs\include;..\..\..\lib\irs\win32\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>false</LinkTimeCodeGeneration>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\dighost.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/dig/win32/dighost.vcxproj.user b/bin/dig/win32/dighost.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/dig/win32/dighost.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/dig/win32/host.vcxproj.filters.in b/bin/dig/win32/host.vcxproj.filters.in
new file mode 100644
index 0000000..56e7818
--- /dev/null
+++ b/bin/dig/win32/host.vcxproj.filters.in
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\host.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/dig/win32/host.vcxproj.in b/bin/dig/win32/host.vcxproj.in
new file mode 100644
index 0000000..091b4fb
--- /dev/null
+++ b/bin/dig/win32/host.vcxproj.in
@@ -0,0 +1,119 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{BA1048A8-6961-4A20-BE12-08BE20611C9D}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>host</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\include;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@IDN_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\irs\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@dighost.lib;@IDN_LIB@libisc.lib;libisccfg.lib;libirs.lib;libdns.lib;libbind9.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\include;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@IDN_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\irs\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@dighost.lib;@IDN_LIB@libisc.lib;libisccfg.lib;libirs.lib;libdns.lib;libbind9.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\host.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/dig/win32/host.vcxproj.user b/bin/dig/win32/host.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/dig/win32/host.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/dig/win32/nslookup.vcxproj.filters.in b/bin/dig/win32/nslookup.vcxproj.filters.in
new file mode 100644
index 0000000..7f4756e
--- /dev/null
+++ b/bin/dig/win32/nslookup.vcxproj.filters.in
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\dighost.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\nslookup.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/dig/win32/nslookup.vcxproj.in b/bin/dig/win32/nslookup.vcxproj.in
new file mode 100644
index 0000000..565eb96
--- /dev/null
+++ b/bin/dig/win32/nslookup.vcxproj.in
@@ -0,0 +1,120 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{C15A6E1A-94CE-4686-99F9-6BC5FD623EB5}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>nslookup</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;USE_READLINE_STATIC;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\include;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@READLINE_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\irs\include;..\..\..\lib\irs\win32\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\irs\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@@READLINE_LIBD@@IDN_LIB@libisc.lib;libisccfg.lib;libirs.lib;libdns.lib;libbind9.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;USE_READLINE_STATIC;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\include;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@READLINE_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\include;..\..\..\lib\irs\include;..\..\..\lib\irs\win32\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\irs\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@@READLINE_LIB@@IDN_LIB@libisc.lib;libisccfg.lib;libirs.lib;libdns.lib;libbind9.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\dighost.c" />
+    <ClCompile Include="..\nslookup.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/dig/win32/nslookup.vcxproj.user b/bin/dig/win32/nslookup.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/dig/win32/nslookup.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
new file mode 100644
index 0000000..f49f775
--- /dev/null
+++ b/bin/dnssec/Makefile.in
@@ -0,0 +1,112 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
+		${OPENSSL_CFLAGS}
+
+CDEFINES =	-DVERSION=\"${VERSION}\" -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
+CWARNINGS =
+
+DNSLIBS =	../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
+ISCLIBS =	../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@
+
+DNSDEPLIBS =	../../lib/dns/libdns.@A@
+ISCDEPLIBS =	../../lib/isc/libisc.@A@
+ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
+
+DEPLIBS =	${DNSDEPLIBS} ${ISCCFGDEPLIBS} ${ISCDEPLIBS}
+
+LIBS =		${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
+
+NOSYMLIBS =	${DNSLIBS} ${ISCCFGLIBS} ${ISCNOSYMLIBS} @LIBS@
+
+# Alphabetically
+TARGETS =	dnssec-cds@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \
+		dnssec-importkey@EXEEXT@ dnssec-keyfromlabel@EXEEXT@ \
+		dnssec-keygen@EXEEXT@ dnssec-revoke@EXEEXT@ \
+		dnssec-settime@EXEEXT@ dnssec-signzone@EXEEXT@ \
+		dnssec-verify@EXEEXT@
+
+OBJS =		dnssectool.@O@
+
+SRCS =		dnssec-cds.c dnssec-dsfromkey.c dnssec-importkey.c \
+		dnssec-keyfromlabel.c dnssec-keygen.c dnssec-revoke.c \
+		dnssec-settime.c dnssec-signzone.c dnssec-verify.c \
+		dnssectool.c
+
+@BIND9_MAKE_RULES@
+
+dnssec-cds@EXEEXT@: dnssec-cds.@O@ ${OBJS} ${DEPLIBS}
+	export BASEOBJS="dnssec-cds.@O@ ${OBJS}"; \
+	${FINALBUILDCMD}
+
+dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
+	export BASEOBJS="dnssec-dsfromkey.@O@ ${OBJS}"; \
+	${FINALBUILDCMD}
+
+dnssec-keyfromlabel@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS}
+	export BASEOBJS="dnssec-keyfromlabel.@O@ ${OBJS}"; \
+	${FINALBUILDCMD}
+
+dnssec-keygen@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
+	export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \
+	${FINALBUILDCMD}
+
+dnssec-signzone.@O@: dnssec-signzone.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
+		-c ${srcdir}/dnssec-signzone.c
+
+dnssec-signzone@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
+	export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \
+	${FINALBUILDCMD}
+
+dnssec-verify.@O@: dnssec-verify.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
+		-c ${srcdir}/dnssec-verify.c
+
+dnssec-verify@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS}
+	export BASEOBJS="dnssec-verify.@O@ ${OBJS}"; \
+	${FINALBUILDCMD}
+
+dnssec-revoke@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+	dnssec-revoke.@O@ ${OBJS} ${LIBS}
+
+dnssec-settime@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+	dnssec-settime.@O@ ${OBJS} ${LIBS}
+
+dnssec-importkey@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+	dnssec-importkey.@O@ ${OBJS} ${LIBS}
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
+
+install:: ${TARGETS} installdirs
+	for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir} || exit 1; done
+
+uninstall::
+	for t in ${TARGETS}; do ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/$$t || exit 1; done
+
+clean distclean::
+	rm -f ${TARGETS}
diff --git a/bin/dnssec/dnssec-cds.c b/bin/dnssec/dnssec-cds.c
new file mode 100644
index 0000000..15f9f4e
--- /dev/null
+++ b/bin/dnssec/dnssec-cds.c
@@ -0,0 +1,1314 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Written by Tony Finch <dot@dotat.at> <fanf2@cam.ac.uk>
+ * at Cambridge University Information Services
+ */
+
+/*! \file */
+
+#include <errno.h>
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/file.h>
+#include <isc/hash.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/serial.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#include <dns/callbacks.h>
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/dnssec.h>
+#include <dns/ds.h>
+#include <dns/fixedname.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/master.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/time.h>
+
+#include <dst/dst.h>
+
+#if USE_PKCS11
+#include <pk11/result.h>
+#endif /* if USE_PKCS11 */
+
+#include "dnssectool.h"
+
+const char *program = "dnssec-cds";
+
+/*
+ * Infrastructure
+ */
+static isc_log_t *lctx = NULL;
+static isc_mem_t *mctx = NULL;
+
+/*
+ * The domain we are working on
+ */
+static const char *namestr = NULL;
+static dns_fixedname_t fixed;
+static dns_name_t *name = NULL;
+static dns_rdataclass_t rdclass = dns_rdataclass_in;
+
+static const char *startstr = NULL; /* from which we derive notbefore */
+static isc_stdtime_t notbefore = 0; /* restrict sig inception times */
+static dns_rdata_rrsig_t oldestsig; /* for recording inception time */
+
+static int nkey; /* number of child zone DNSKEY records */
+
+/*
+ * The validation strategy of this program is top-down.
+ *
+ * We start with an implicitly trusted authoritative dsset.
+ *
+ * The child DNSKEY RRset is scanned to find out which keys are
+ * authenticated by DS records, and the result is recorded in a key
+ * table as described later in this comment.
+ *
+ * The key table is used up to three times to verify the signatures on
+ * the child DNSKEY, CDNSKEY, and CDS RRsets. In this program, only keys
+ * that have matching DS records are used for validating signatures.
+ *
+ * For replay attack protection, signatures are ignored if their inception
+ * time is before the previously recorded inception time. We use the earliest
+ * signature so that another run of dnssec-cds with the same records will
+ * still accept all the signatures.
+ *
+ * A key table is an array of nkey keyinfo structures, like
+ *
+ *	keyinfo_t key_tbl[nkey];
+ *
+ * Each key is decoded into more useful representations, held in
+ *	keyinfo->rdata
+ *	keyinfo->dst
+ *
+ * If a key has no matching DS record then keyinfo->dst is NULL.
+ *
+ * The key algorithm and ID are saved in keyinfo->algo and
+ * keyinfo->tag for quicky skipping DS and RRSIG records that can't
+ * match.
+ */
+typedef struct keyinfo {
+	dns_rdata_t rdata;
+	dst_key_t *dst;
+	dns_secalg_t algo;
+	dns_keytag_t tag;
+} keyinfo_t;
+
+/* A replaceable function that can generate a DS RRset from some input */
+typedef isc_result_t
+ds_maker_func_t(dns_rdatalist_t *dslist, isc_buffer_t *buf, dns_rdata_t *rdata);
+
+static dns_rdataset_t cdnskey_set, cdnskey_sig;
+static dns_rdataset_t cds_set, cds_sig;
+static dns_rdataset_t dnskey_set, dnskey_sig;
+static dns_rdataset_t old_ds_set, new_ds_set;
+
+static keyinfo_t *old_key_tbl, *new_key_tbl;
+
+isc_buffer_t *new_ds_buf = NULL; /* backing store for new_ds_set */
+
+static void
+verbose_time(int level, const char *msg, isc_stdtime_t time) {
+	isc_result_t result;
+	isc_buffer_t timebuf;
+	char timestr[32];
+
+	if (verbose < level) {
+		return;
+	}
+
+	isc_buffer_init(&timebuf, timestr, sizeof(timestr));
+	result = dns_time64_totext(time, &timebuf);
+	check_result(result, "dns_time64_totext()");
+	isc_buffer_putuint8(&timebuf, 0);
+	if (verbose < 3) {
+		vbprintf(level, "%s %s\n", msg, timestr);
+	} else {
+		vbprintf(level, "%s %s (%" PRIu32 ")\n", msg, timestr, time);
+	}
+}
+
+static void
+initname(char *setname) {
+	isc_result_t result;
+	isc_buffer_t buf;
+
+	name = dns_fixedname_initname(&fixed);
+	namestr = setname;
+
+	isc_buffer_init(&buf, setname, strlen(setname));
+	isc_buffer_add(&buf, strlen(setname));
+	result = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		fatal("could not initialize name %s", setname);
+	}
+}
+
+static void
+findset(dns_db_t *db, dns_dbnode_t *node, dns_rdatatype_t type,
+	dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) {
+	isc_result_t result;
+
+	dns_rdataset_init(rdataset);
+	if (sigrdataset != NULL) {
+		dns_rdataset_init(sigrdataset);
+	}
+	result = dns_db_findrdataset(db, node, NULL, type, 0, 0, rdataset,
+				     sigrdataset);
+	if (result != ISC_R_NOTFOUND) {
+		check_result(result, "dns_db_findrdataset()");
+	}
+}
+
+static void
+freeset(dns_rdataset_t *rdataset) {
+	if (dns_rdataset_isassociated(rdataset)) {
+		dns_rdataset_disassociate(rdataset);
+	}
+}
+
+static void
+freelist(dns_rdataset_t *rdataset) {
+	dns_rdatalist_t *rdlist;
+	dns_rdata_t *rdata;
+
+	if (!dns_rdataset_isassociated(rdataset)) {
+		return;
+	}
+
+	dns_rdatalist_fromrdataset(rdataset, &rdlist);
+
+	for (rdata = ISC_LIST_HEAD(rdlist->rdata); rdata != NULL;
+	     rdata = ISC_LIST_HEAD(rdlist->rdata))
+	{
+		ISC_LIST_UNLINK(rdlist->rdata, rdata, link);
+		isc_mem_put(mctx, rdata, sizeof(*rdata));
+	}
+	isc_mem_put(mctx, rdlist, sizeof(*rdlist));
+	dns_rdataset_disassociate(rdataset);
+}
+
+static void
+free_all_sets(void) {
+	freeset(&cdnskey_set);
+	freeset(&cdnskey_sig);
+	freeset(&cds_set);
+	freeset(&cds_sig);
+	freeset(&dnskey_set);
+	freeset(&dnskey_sig);
+	freeset(&old_ds_set);
+	freelist(&new_ds_set);
+	if (new_ds_buf != NULL) {
+		isc_buffer_free(&new_ds_buf);
+	}
+}
+
+static void
+load_db(const char *filename, dns_db_t **dbp, dns_dbnode_t **nodep) {
+	isc_result_t result;
+
+	result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone, rdclass, 0,
+			       NULL, dbp);
+	check_result(result, "dns_db_create()");
+
+	result = dns_db_load(*dbp, filename, dns_masterformat_text,
+			     DNS_MASTER_HINT);
+	if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE) {
+		fatal("can't load %s: %s", filename, isc_result_totext(result));
+	}
+
+	result = dns_db_findnode(*dbp, name, false, nodep);
+	if (result != ISC_R_SUCCESS) {
+		fatal("can't find %s node in %s", namestr, filename);
+	}
+}
+
+static void
+free_db(dns_db_t **dbp, dns_dbnode_t **nodep) {
+	dns_db_detachnode(*dbp, nodep);
+	dns_db_detach(dbp);
+}
+
+static void
+load_child_sets(const char *file) {
+	dns_db_t *db = NULL;
+	dns_dbnode_t *node = NULL;
+
+	load_db(file, &db, &node);
+	findset(db, node, dns_rdatatype_dnskey, &dnskey_set, &dnskey_sig);
+	findset(db, node, dns_rdatatype_cdnskey, &cdnskey_set, &cdnskey_sig);
+	findset(db, node, dns_rdatatype_cds, &cds_set, &cds_sig);
+	free_db(&db, &node);
+}
+
+static void
+get_dsset_name(char *filename, size_t size, const char *path,
+	       const char *suffix) {
+	isc_result_t result;
+	isc_buffer_t buf;
+	size_t len;
+
+	isc_buffer_init(&buf, filename, size);
+
+	len = strlen(path);
+
+	/* allow room for a trailing slash */
+	if (isc_buffer_availablelength(&buf) <= len) {
+		fatal("%s: pathname too long", path);
+	}
+	isc_buffer_putstr(&buf, path);
+
+	if (isc_file_isdirectory(path) == ISC_R_SUCCESS) {
+		const char *prefix = "dsset-";
+
+		if (path[len - 1] != '/') {
+			isc_buffer_putstr(&buf, "/");
+		}
+
+		if (isc_buffer_availablelength(&buf) < strlen(prefix)) {
+			fatal("%s: pathname too long", path);
+		}
+		isc_buffer_putstr(&buf, prefix);
+
+		result = dns_name_tofilenametext(name, false, &buf);
+		check_result(result, "dns_name_tofilenametext()");
+		if (isc_buffer_availablelength(&buf) == 0) {
+			fatal("%s: pathname too long", path);
+		}
+	}
+	/* allow room for a trailing nul */
+	if (isc_buffer_availablelength(&buf) <= strlen(suffix)) {
+		fatal("%s: pathname too long", path);
+	}
+	isc_buffer_putstr(&buf, suffix);
+	isc_buffer_putuint8(&buf, 0);
+}
+
+static void
+load_parent_set(const char *path) {
+	isc_result_t result;
+	dns_db_t *db = NULL;
+	dns_dbnode_t *node = NULL;
+	isc_time_t modtime;
+	char filename[PATH_MAX + 1];
+
+	get_dsset_name(filename, sizeof(filename), path, "");
+
+	result = isc_file_getmodtime(filename, &modtime);
+	if (result != ISC_R_SUCCESS) {
+		fatal("could not get modification time of %s: %s", filename,
+		      isc_result_totext(result));
+	}
+	notbefore = isc_time_seconds(&modtime);
+	if (startstr != NULL) {
+		isc_stdtime_t now;
+		isc_stdtime_get(&now);
+		notbefore = strtotime(startstr, now, notbefore, NULL);
+	}
+	verbose_time(1, "child records must not be signed before", notbefore);
+
+	load_db(filename, &db, &node);
+	findset(db, node, dns_rdatatype_ds, &old_ds_set, NULL);
+
+	if (!dns_rdataset_isassociated(&old_ds_set)) {
+		fatal("could not find DS records for %s in %s", namestr,
+		      filename);
+	}
+
+	free_db(&db, &node);
+}
+
+#define MAX_CDS_RDATA_TEXT_SIZE DNS_RDATA_MAXLENGTH * 2
+
+static isc_buffer_t *
+formatset(dns_rdataset_t *rdataset) {
+	isc_result_t result;
+	isc_buffer_t *buf = NULL;
+	dns_master_style_t *style = NULL;
+	unsigned int styleflags;
+
+	styleflags = (rdataset->ttl == 0) ? DNS_STYLEFLAG_NO_TTL : 0;
+
+	/*
+	 * This style is for consistency with the output of dnssec-dsfromkey
+	 * which just separates fields with spaces. The huge tab stop width
+	 * eliminates any tab characters.
+	 */
+	result = dns_master_stylecreate(&style, styleflags, 0, 0, 0, 0, 0,
+					1000000, 0, mctx);
+	check_result(result, "dns_master_stylecreate2 failed");
+
+	isc_buffer_allocate(mctx, &buf, MAX_CDS_RDATA_TEXT_SIZE);
+	result = dns_master_rdatasettotext(name, rdataset, style, NULL, buf);
+
+	if ((result == ISC_R_SUCCESS) && isc_buffer_availablelength(buf) < 1) {
+		result = ISC_R_NOSPACE;
+	}
+
+	check_result(result, "dns_rdataset_totext()");
+
+	isc_buffer_putuint8(buf, 0);
+
+	dns_master_styledestroy(&style, mctx);
+
+	return (buf);
+}
+
+static void
+write_parent_set(const char *path, const char *inplace, bool nsupdate,
+		 dns_rdataset_t *rdataset) {
+	isc_result_t result;
+	isc_buffer_t *buf = NULL;
+	isc_region_t r;
+	isc_time_t filetime;
+	char backname[PATH_MAX + 1];
+	char filename[PATH_MAX + 1];
+	char tmpname[PATH_MAX + 1];
+	FILE *fp = NULL;
+
+	if (nsupdate && inplace == NULL) {
+		return;
+	}
+
+	buf = formatset(rdataset);
+	isc_buffer_usedregion(buf, &r);
+
+	/*
+	 * Try to ensure a write error doesn't make a zone go insecure!
+	 */
+	if (inplace == NULL) {
+		printf("%s", (char *)r.base);
+		isc_buffer_free(&buf);
+		if (fflush(stdout) == EOF) {
+			fatal("error writing to stdout: %s", strerror(errno));
+		}
+		return;
+	}
+
+	if (inplace[0] != '\0') {
+		get_dsset_name(backname, sizeof(backname), path, inplace);
+	}
+	get_dsset_name(filename, sizeof(filename), path, "");
+	get_dsset_name(tmpname, sizeof(tmpname), path, "-XXXXXXXXXX");
+
+	result = isc_file_openunique(tmpname, &fp);
+	if (result != ISC_R_SUCCESS) {
+		fatal("open %s: %s", tmpname, isc_result_totext(result));
+	}
+	fprintf(fp, "%s", (char *)r.base);
+	isc_buffer_free(&buf);
+	if (fclose(fp) == EOF) {
+		int err = errno;
+		isc_file_remove(tmpname);
+		fatal("error writing to %s: %s", tmpname, strerror(err));
+	}
+
+	isc_time_set(&filetime, oldestsig.timesigned, 0);
+	result = isc_file_settime(tmpname, &filetime);
+	if (result != ISC_R_SUCCESS) {
+		isc_file_remove(tmpname);
+		fatal("can't set modification time of %s: %s", tmpname,
+		      isc_result_totext(result));
+	}
+
+	if (inplace[0] != '\0') {
+		isc_file_rename(filename, backname);
+	}
+	isc_file_rename(tmpname, filename);
+}
+
+typedef enum { LOOSE, TIGHT } strictness_t;
+
+/*
+ * Find out if any (C)DS record matches a particular (C)DNSKEY.
+ */
+static bool
+match_key_dsset(keyinfo_t *ki, dns_rdataset_t *dsset, strictness_t strictness) {
+	isc_result_t result;
+	unsigned char dsbuf[DNS_DS_BUFFERSIZE];
+
+	for (result = dns_rdataset_first(dsset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(dsset))
+	{
+		dns_rdata_ds_t ds;
+		dns_rdata_t dsrdata = DNS_RDATA_INIT;
+		dns_rdata_t newdsrdata = DNS_RDATA_INIT;
+		bool c;
+
+		dns_rdataset_current(dsset, &dsrdata);
+		result = dns_rdata_tostruct(&dsrdata, &ds, NULL);
+		check_result(result, "dns_rdata_tostruct(DS)");
+
+		if (ki->tag != ds.key_tag || ki->algo != ds.algorithm) {
+			continue;
+		}
+
+		result = dns_ds_buildrdata(name, &ki->rdata, ds.digest_type,
+					   dsbuf, &newdsrdata);
+		if (result != ISC_R_SUCCESS) {
+			vbprintf(3,
+				 "dns_ds_buildrdata("
+				 "keytag=%d, algo=%d, digest=%d): %s\n",
+				 ds.key_tag, ds.algorithm, ds.digest_type,
+				 dns_result_totext(result));
+			continue;
+		}
+		/* allow for both DS and CDS */
+		c = dsrdata.type != dns_rdatatype_ds;
+		dsrdata.type = dns_rdatatype_ds;
+		if (dns_rdata_compare(&dsrdata, &newdsrdata) == 0) {
+			vbprintf(1, "found matching %s %d %d %d\n",
+				 c ? "CDS" : "DS", ds.key_tag, ds.algorithm,
+				 ds.digest_type);
+			return (true);
+		} else if (strictness == TIGHT) {
+			vbprintf(0,
+				 "key does not match %s %d %d %d "
+				 "when it looks like it should\n",
+				 c ? "CDS" : "DS", ds.key_tag, ds.algorithm,
+				 ds.digest_type);
+			return (false);
+		}
+	}
+
+	vbprintf(1, "no matching %s for %s %d %d\n",
+		 dsset->type == dns_rdatatype_cds ? "CDS" : "DS",
+		 ki->rdata.type == dns_rdatatype_cdnskey ? "CDNSKEY" : "DNSKEY",
+		 ki->tag, ki->algo);
+
+	return (false);
+}
+
+/*
+ * Find which (C)DNSKEY records match a (C)DS RRset.
+ * This creates a keyinfo_t key_tbl[nkey] array.
+ */
+static keyinfo_t *
+match_keyset_dsset(dns_rdataset_t *keyset, dns_rdataset_t *dsset,
+		   strictness_t strictness) {
+	isc_result_t result;
+	keyinfo_t *keytable;
+	int i;
+
+	nkey = dns_rdataset_count(keyset);
+
+	keytable = isc_mem_get(mctx, sizeof(keyinfo_t) * nkey);
+
+	for (result = dns_rdataset_first(keyset), i = 0;
+	     result == ISC_R_SUCCESS; result = dns_rdataset_next(keyset), i++)
+	{
+		keyinfo_t *ki;
+		dns_rdata_dnskey_t dnskey;
+		dns_rdata_t *keyrdata;
+		isc_region_t r;
+
+		INSIST(i < nkey);
+		ki = &keytable[i];
+		keyrdata = &ki->rdata;
+
+		dns_rdata_init(keyrdata);
+		dns_rdataset_current(keyset, keyrdata);
+
+		result = dns_rdata_tostruct(keyrdata, &dnskey, NULL);
+		check_result(result, "dns_rdata_tostruct(DNSKEY)");
+		ki->algo = dnskey.algorithm;
+
+		dns_rdata_toregion(keyrdata, &r);
+		ki->tag = dst_region_computeid(&r);
+
+		ki->dst = NULL;
+		if (!match_key_dsset(ki, dsset, strictness)) {
+			continue;
+		}
+
+		result = dns_dnssec_keyfromrdata(name, keyrdata, mctx,
+						 &ki->dst);
+		if (result != ISC_R_SUCCESS) {
+			vbprintf(3,
+				 "dns_dnssec_keyfromrdata("
+				 "keytag=%d, algo=%d): %s\n",
+				 ki->tag, ki->algo, dns_result_totext(result));
+		}
+	}
+
+	return (keytable);
+}
+
+static void
+free_keytable(keyinfo_t **keytable_p) {
+	keyinfo_t *keytable = *keytable_p;
+	*keytable_p = NULL;
+	keyinfo_t *ki;
+	int i;
+
+	for (i = 0; i < nkey; i++) {
+		ki = &keytable[i];
+		if (ki->dst != NULL) {
+			dst_key_free(&ki->dst);
+		}
+	}
+
+	isc_mem_put(mctx, keytable, sizeof(keyinfo_t) * nkey);
+}
+
+/*
+ * Find out which keys have signed an RRset. Keys that do not match a
+ * DS record are skipped.
+ *
+ * The return value is an array with nkey elements, one for each key,
+ * either zero if the key was skipped or did not sign the RRset, or
+ * otherwise the key algorithm. This is used by the signature coverage
+ * check functions below.
+ */
+static dns_secalg_t *
+matching_sigs(keyinfo_t *keytbl, dns_rdataset_t *rdataset,
+	      dns_rdataset_t *sigset) {
+	isc_result_t result;
+	dns_secalg_t *algo;
+	int i;
+
+	algo = isc_mem_get(mctx, nkey);
+	memset(algo, 0, nkey);
+
+	for (result = dns_rdataset_first(sigset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(sigset))
+	{
+		dns_rdata_t sigrdata = DNS_RDATA_INIT;
+		dns_rdata_rrsig_t sig;
+
+		dns_rdataset_current(sigset, &sigrdata);
+		result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
+		check_result(result, "dns_rdata_tostruct(RRSIG)");
+
+		/*
+		 * Replay attack protection: check against current age limit
+		 */
+		if (isc_serial_lt(sig.timesigned, notbefore)) {
+			vbprintf(1, "skip RRSIG by key %d: too old\n",
+				 sig.keyid);
+			continue;
+		}
+
+		for (i = 0; i < nkey; i++) {
+			keyinfo_t *ki = &keytbl[i];
+			if (sig.keyid != ki->tag || sig.algorithm != ki->algo ||
+			    !dns_name_equal(&sig.signer, name))
+			{
+				continue;
+			}
+			if (ki->dst == NULL) {
+				vbprintf(1,
+					 "skip RRSIG by key %d:"
+					 " no matching (C)DS\n",
+					 sig.keyid);
+				continue;
+			}
+
+			result = dns_dnssec_verify(name, rdataset, ki->dst,
+						   false, 0, mctx, &sigrdata,
+						   NULL);
+
+			if (result != ISC_R_SUCCESS &&
+			    result != DNS_R_FROMWILDCARD)
+			{
+				vbprintf(1,
+					 "skip RRSIG by key %d:"
+					 " verification failed: %s\n",
+					 sig.keyid, isc_result_totext(result));
+				continue;
+			}
+
+			vbprintf(1, "found RRSIG by key %d\n", ki->tag);
+			algo[i] = sig.algorithm;
+
+			/*
+			 * Replay attack protection: work out next age limit,
+			 * only after the signature has been verified
+			 */
+			if (oldestsig.timesigned == 0 ||
+			    isc_serial_lt(sig.timesigned, oldestsig.timesigned))
+			{
+				verbose_time(2, "this is the oldest so far",
+					     sig.timesigned);
+				oldestsig = sig;
+			}
+		}
+	}
+
+	return (algo);
+}
+
+/*
+ * Consume the result of matching_sigs(). When checking records
+ * fetched from the child zone, any working signature is enough.
+ */
+static bool
+signed_loose(dns_secalg_t *algo) {
+	bool ok = false;
+	int i;
+	for (i = 0; i < nkey; i++) {
+		if (algo[i] != 0) {
+			ok = true;
+		}
+	}
+	isc_mem_put(mctx, algo, nkey);
+	return (ok);
+}
+
+/*
+ * Consume the result of matching_sigs(). To ensure that the new DS
+ * RRset does not break the chain of trust to the DNSKEY RRset, every
+ * key algorithm in the DS RRset must have a signature in the DNSKEY
+ * RRset.
+ */
+static bool
+signed_strict(dns_rdataset_t *dsset, dns_secalg_t *algo) {
+	isc_result_t result;
+	bool all_ok = true;
+
+	for (result = dns_rdataset_first(dsset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(dsset))
+	{
+		dns_rdata_t dsrdata = DNS_RDATA_INIT;
+		dns_rdata_ds_t ds;
+		bool ds_ok;
+		int i;
+
+		dns_rdataset_current(dsset, &dsrdata);
+		result = dns_rdata_tostruct(&dsrdata, &ds, NULL);
+		check_result(result, "dns_rdata_tostruct(DS)");
+
+		ds_ok = false;
+		for (i = 0; i < nkey; i++) {
+			if (algo[i] == ds.algorithm) {
+				ds_ok = true;
+			}
+		}
+		if (!ds_ok) {
+			vbprintf(0,
+				 "missing signature for algorithm %d "
+				 "(key %d)\n",
+				 ds.algorithm, ds.key_tag);
+			all_ok = false;
+		}
+	}
+
+	isc_mem_put(mctx, algo, nkey);
+	return (all_ok);
+}
+
+static dns_rdata_t *
+rdata_get(void) {
+	dns_rdata_t *rdata;
+
+	rdata = isc_mem_get(mctx, sizeof(*rdata));
+	dns_rdata_init(rdata);
+
+	return (rdata);
+}
+
+static isc_result_t
+rdata_put(isc_result_t result, dns_rdatalist_t *rdlist, dns_rdata_t *rdata) {
+	if (result == ISC_R_SUCCESS) {
+		ISC_LIST_APPEND(rdlist->rdata, rdata, link);
+	} else {
+		isc_mem_put(mctx, rdata, sizeof(*rdata));
+	}
+
+	return (result);
+}
+
+/*
+ * This basically copies the rdata into the buffer, but going via the
+ * unpacked struct has the side-effect of changing the rdatatype. The
+ * dns_rdata_cds_t and dns_rdata_ds_t types are aliases.
+ */
+static isc_result_t
+ds_from_cds(dns_rdatalist_t *dslist, isc_buffer_t *buf, dns_rdata_t *cds) {
+	isc_result_t result;
+	dns_rdata_ds_t ds;
+	dns_rdata_t *rdata;
+
+	REQUIRE(buf != NULL);
+
+	rdata = rdata_get();
+
+	result = dns_rdata_tostruct(cds, &ds, NULL);
+	check_result(result, "dns_rdata_tostruct(CDS)");
+	ds.common.rdtype = dns_rdatatype_ds;
+
+	result = dns_rdata_fromstruct(rdata, rdclass, dns_rdatatype_ds, &ds,
+				      buf);
+
+	return (rdata_put(result, dslist, rdata));
+}
+
+static isc_result_t
+ds_from_cdnskey(dns_rdatalist_t *dslist, isc_buffer_t *buf,
+		dns_rdata_t *cdnskey) {
+	isc_result_t result;
+	unsigned i, n;
+
+	REQUIRE(buf != NULL);
+
+	n = sizeof(dtype) / sizeof(dtype[0]);
+	for (i = 0; i < n; i++) {
+		if (dtype[i] != 0) {
+			dns_rdata_t *rdata;
+			isc_region_t r;
+
+			isc_buffer_availableregion(buf, &r);
+			if (r.length < DNS_DS_BUFFERSIZE) {
+				return (ISC_R_NOSPACE);
+			}
+
+			rdata = rdata_get();
+			result = dns_ds_buildrdata(name, cdnskey, dtype[i],
+						   r.base, rdata);
+			if (result == ISC_R_SUCCESS) {
+				isc_buffer_add(buf, DNS_DS_BUFFERSIZE);
+			}
+
+			result = rdata_put(result, dslist, rdata);
+			if (result != ISC_R_SUCCESS) {
+				return (result);
+			}
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+make_new_ds_set(ds_maker_func_t *ds_from_rdata, uint32_t ttl,
+		dns_rdataset_t *rdset) {
+	unsigned int size = 16;
+	for (;;) {
+		isc_result_t result;
+		dns_rdatalist_t *dslist;
+
+		dslist = isc_mem_get(mctx, sizeof(*dslist));
+
+		dns_rdatalist_init(dslist);
+		dslist->rdclass = rdclass;
+		dslist->type = dns_rdatatype_ds;
+		dslist->ttl = ttl;
+
+		dns_rdataset_init(&new_ds_set);
+		result = dns_rdatalist_tordataset(dslist, &new_ds_set);
+		check_result(result, "dns_rdatalist_tordataset(dslist)");
+
+		isc_buffer_allocate(mctx, &new_ds_buf, size);
+
+		for (result = dns_rdataset_first(rdset);
+		     result == ISC_R_SUCCESS; result = dns_rdataset_next(rdset))
+		{
+			isc_result_t tresult;
+			dns_rdata_t rdata = DNS_RDATA_INIT;
+
+			dns_rdataset_current(rdset, &rdata);
+
+			tresult = ds_from_rdata(dslist, new_ds_buf, &rdata);
+			if (tresult == ISC_R_NOSPACE) {
+				vbprintf(20, "DS list buffer size %u\n", size);
+				freelist(&new_ds_set);
+				isc_buffer_free(&new_ds_buf);
+				size *= 2;
+				break;
+			}
+
+			check_result(tresult, "ds_from_rdata()");
+		}
+
+		if (result == ISC_R_NOMORE) {
+			break;
+		}
+	}
+}
+
+static int
+rdata_cmp(const void *rdata1, const void *rdata2) {
+	return (dns_rdata_compare((const dns_rdata_t *)rdata1,
+				  (const dns_rdata_t *)rdata2));
+}
+
+/*
+ * Ensure that every key identified by the DS RRset has the same set of
+ * digest types.
+ */
+static bool
+consistent_digests(dns_rdataset_t *dsset) {
+	isc_result_t result;
+	dns_rdata_t *arrdata;
+	dns_rdata_ds_t *ds;
+	dns_keytag_t key_tag;
+	dns_secalg_t algorithm;
+	bool match;
+	int i, j, n, d;
+
+	/*
+	 * First sort the dsset. DS rdata fields are tag, algorithm, digest,
+	 * so sorting them brings together all the records for each key.
+	 */
+
+	n = dns_rdataset_count(dsset);
+
+	arrdata = isc_mem_get(mctx, n * sizeof(dns_rdata_t));
+
+	for (result = dns_rdataset_first(dsset), i = 0; result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(dsset), i++)
+	{
+		dns_rdata_init(&arrdata[i]);
+		dns_rdataset_current(dsset, &arrdata[i]);
+	}
+
+	qsort(arrdata, n, sizeof(dns_rdata_t), rdata_cmp);
+
+	/*
+	 * Convert sorted arrdata to more accessible format
+	 */
+	ds = isc_mem_get(mctx, n * sizeof(dns_rdata_ds_t));
+
+	for (i = 0; i < n; i++) {
+		result = dns_rdata_tostruct(&arrdata[i], &ds[i], NULL);
+		check_result(result, "dns_rdata_tostruct(DS)");
+	}
+
+	/*
+	 * Count number of digest types (d) for first key
+	 */
+	key_tag = ds[0].key_tag;
+	algorithm = ds[0].algorithm;
+	for (d = 0, i = 0; i < n; i++, d++) {
+		if (ds[i].key_tag != key_tag || ds[i].algorithm != algorithm) {
+			break;
+		}
+	}
+
+	/*
+	 * Check subsequent keys match the first one
+	 */
+	match = true;
+	while (i < n) {
+		key_tag = ds[i].key_tag;
+		algorithm = ds[i].algorithm;
+		for (j = 0; j < d && i + j < n; j++) {
+			if (ds[i + j].key_tag != key_tag ||
+			    ds[i + j].algorithm != algorithm ||
+			    ds[i + j].digest_type != ds[j].digest_type)
+			{
+				match = false;
+			}
+		}
+		i += d;
+	}
+
+	/*
+	 * Done!
+	 */
+	isc_mem_put(mctx, ds, n * sizeof(dns_rdata_ds_t));
+	isc_mem_put(mctx, arrdata, n * sizeof(dns_rdata_t));
+
+	return (match);
+}
+
+static void
+print_diff(const char *cmd, dns_rdataset_t *rdataset) {
+	isc_buffer_t *buf;
+	isc_region_t r;
+	unsigned char *nl;
+	size_t len;
+
+	buf = formatset(rdataset);
+	isc_buffer_usedregion(buf, &r);
+
+	while ((nl = memchr(r.base, '\n', r.length)) != NULL) {
+		len = nl - r.base + 1;
+		printf("update %s %.*s", cmd, (int)len, (char *)r.base);
+		isc_region_consume(&r, len);
+	}
+
+	isc_buffer_free(&buf);
+}
+
+static void
+update_diff(const char *cmd, uint32_t ttl, dns_rdataset_t *addset,
+	    dns_rdataset_t *delset) {
+	isc_result_t result;
+	dns_db_t *db;
+	dns_dbnode_t *node;
+	dns_dbversion_t *ver;
+	dns_rdataset_t diffset;
+	uint32_t save;
+
+	db = NULL;
+	result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone, rdclass, 0,
+			       NULL, &db);
+	check_result(result, "dns_db_create()");
+
+	ver = NULL;
+	result = dns_db_newversion(db, &ver);
+	check_result(result, "dns_db_newversion()");
+
+	node = NULL;
+	result = dns_db_findnode(db, name, true, &node);
+	check_result(result, "dns_db_findnode()");
+
+	dns_rdataset_init(&diffset);
+
+	result = dns_db_addrdataset(db, node, ver, 0, addset, DNS_DBADD_MERGE,
+				    NULL);
+	check_result(result, "dns_db_addrdataset()");
+
+	result = dns_db_subtractrdataset(db, node, ver, delset, 0, &diffset);
+	if (result == DNS_R_UNCHANGED) {
+		save = addset->ttl;
+		addset->ttl = ttl;
+		print_diff(cmd, addset);
+		addset->ttl = save;
+	} else if (result != DNS_R_NXRRSET) {
+		check_result(result, "dns_db_subtractrdataset()");
+		diffset.ttl = ttl;
+		print_diff(cmd, &diffset);
+		dns_rdataset_disassociate(&diffset);
+	}
+
+	dns_db_detachnode(db, &node);
+	dns_db_closeversion(db, &ver, false);
+	dns_db_detach(&db);
+}
+
+static void
+nsdiff(uint32_t ttl, dns_rdataset_t *oldset, dns_rdataset_t *newset) {
+	if (ttl == 0) {
+		vbprintf(1, "warning: no TTL in nsupdate script\n");
+	}
+	update_diff("add", ttl, newset, oldset);
+	update_diff("del", 0, oldset, newset);
+	if (verbose > 0) {
+		printf("show\nsend\nanswer\n");
+	} else {
+		printf("send\n");
+	}
+	if (fflush(stdout) == EOF) {
+		fatal("write stdout: %s", strerror(errno));
+	}
+}
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(void) {
+	fprintf(stderr, "Usage:\n");
+	fprintf(stderr,
+		"    %s options [options] -f <file> -d <path> <domain>\n",
+		program);
+	fprintf(stderr, "Version: %s\n", VERSION);
+	fprintf(stderr, "Options:\n"
+			"    -a <algorithm>     digest algorithm (SHA-1 / "
+			"SHA-256 / SHA-384)\n"
+			"    -c <class>         of domain (default IN)\n"
+			"    -D                 prefer CDNSKEY records instead "
+			"of CDS\n"
+			"    -d <file|dir>      where to find parent dsset- "
+			"file\n"
+			"    -f <file>          child DNSKEY+CDNSKEY+CDS+RRSIG "
+			"records\n"
+			"    -i[extension]      update dsset- file in place\n"
+			"    -s <start-time>    oldest permitted child "
+			"signatures\n"
+			"    -u                 emit nsupdate script\n"
+			"    -T <ttl>           TTL of DS records\n"
+			"    -V                 print version\n"
+			"    -v <verbosity>\n");
+	exit(1);
+}
+
+int
+main(int argc, char *argv[]) {
+	const char *child_path = NULL;
+	const char *ds_path = NULL;
+	const char *inplace = NULL;
+	isc_result_t result;
+	bool prefer_cdnskey = false;
+	bool nsupdate = false;
+	uint32_t ttl = 0;
+	int ch;
+	char *endp;
+
+	isc_mem_create(&mctx);
+
+#if USE_PKCS11
+	pk11_result_register();
+#endif /* if USE_PKCS11 */
+	dns_result_register();
+
+	isc_commandline_errprint = false;
+
+#define OPTIONS "a:c:Dd:f:i:ms:T:uv:V"
+	while ((ch = isc_commandline_parse(argc, argv, OPTIONS)) != -1) {
+		switch (ch) {
+		case 'a':
+			add_dtype(strtodsdigest(isc_commandline_argument));
+			break;
+		case 'c':
+			rdclass = strtoclass(isc_commandline_argument);
+			break;
+		case 'D':
+			prefer_cdnskey = true;
+			break;
+		case 'd':
+			ds_path = isc_commandline_argument;
+			break;
+		case 'f':
+			child_path = isc_commandline_argument;
+			break;
+		case 'i':
+			/*
+			 * This is a bodge to make the argument optional,
+			 * so that it works just like sed(1).
+			 */
+			if (isc_commandline_argument ==
+			    argv[isc_commandline_index - 1])
+			{
+				isc_commandline_index--;
+				inplace = "";
+			} else {
+				inplace = isc_commandline_argument;
+			}
+			break;
+		case 'm':
+			isc_mem_debugging = ISC_MEM_DEBUGTRACE |
+					    ISC_MEM_DEBUGRECORD;
+			break;
+		case 's':
+			startstr = isc_commandline_argument;
+			break;
+		case 'T':
+			ttl = strtottl(isc_commandline_argument);
+			break;
+		case 'u':
+			nsupdate = true;
+			break;
+		case 'V':
+			/* Does not return. */
+			version(program);
+			break;
+		case 'v':
+			verbose = strtoul(isc_commandline_argument, &endp, 0);
+			if (*endp != '\0') {
+				fatal("-v must be followed by a number");
+			}
+			break;
+		default:
+			usage();
+			break;
+		}
+	}
+	argv += isc_commandline_index;
+	argc -= isc_commandline_index;
+
+	if (argc != 1) {
+		usage();
+	}
+	initname(argv[0]);
+
+	/*
+	 * Default digest type if none specified.
+	 */
+	if (dtype[0] == 0) {
+		dtype[0] = DNS_DSDIGEST_SHA256;
+	}
+
+	setup_logging(mctx, &lctx);
+
+	result = dst_lib_init(mctx, NULL);
+	if (result != ISC_R_SUCCESS) {
+		fatal("could not initialize dst: %s",
+		      isc_result_totext(result));
+	}
+
+	if (ds_path == NULL) {
+		fatal("missing -d DS pathname");
+	}
+	load_parent_set(ds_path);
+
+	/*
+	 * Preserve the TTL if it wasn't overridden.
+	 */
+	if (ttl == 0) {
+		ttl = old_ds_set.ttl;
+	}
+
+	if (child_path == NULL) {
+		fatal("path to file containing child data must be specified");
+	}
+
+	load_child_sets(child_path);
+
+	/*
+	 * Check child records have accompanying RRSIGs and DNSKEYs
+	 */
+
+	if (!dns_rdataset_isassociated(&dnskey_set) ||
+	    !dns_rdataset_isassociated(&dnskey_sig))
+	{
+		fatal("could not find signed DNSKEY RRset for %s", namestr);
+	}
+
+	if (dns_rdataset_isassociated(&cdnskey_set) &&
+	    !dns_rdataset_isassociated(&cdnskey_sig))
+	{
+		fatal("missing RRSIG CDNSKEY records for %s", namestr);
+	}
+	if (dns_rdataset_isassociated(&cds_set) &&
+	    !dns_rdataset_isassociated(&cds_sig))
+	{
+		fatal("missing RRSIG CDS records for %s", namestr);
+	}
+
+	vbprintf(1, "which child DNSKEY records match parent DS records?\n");
+	old_key_tbl = match_keyset_dsset(&dnskey_set, &old_ds_set, LOOSE);
+
+	/*
+	 * We have now identified the keys that are allowed to authenticate
+	 * the DNSKEY RRset (RFC 4035 section 5.2 bullet 2), and CDNSKEY and
+	 * CDS RRsets (RFC 7344 section 4.1 bullet 2).
+	 */
+
+	vbprintf(1, "verify DNSKEY signature(s)\n");
+	if (!signed_loose(matching_sigs(old_key_tbl, &dnskey_set, &dnskey_sig)))
+	{
+		fatal("could not validate child DNSKEY RRset for %s", namestr);
+	}
+
+	if (dns_rdataset_isassociated(&cdnskey_set)) {
+		vbprintf(1, "verify CDNSKEY signature(s)\n");
+		if (!signed_loose(matching_sigs(old_key_tbl, &cdnskey_set,
+						&cdnskey_sig)))
+		{
+			fatal("could not validate child CDNSKEY RRset for %s",
+			      namestr);
+		}
+	}
+	if (dns_rdataset_isassociated(&cds_set)) {
+		vbprintf(1, "verify CDS signature(s)\n");
+		if (!signed_loose(
+			    matching_sigs(old_key_tbl, &cds_set, &cds_sig)))
+		{
+			fatal("could not validate child CDS RRset for %s",
+			      namestr);
+		}
+	}
+
+	free_keytable(&old_key_tbl);
+
+	/*
+	 * Report the result of the replay attack protection checks
+	 * used for the output file timestamp
+	 */
+	if (oldestsig.timesigned != 0 && verbose > 0) {
+		char type[32];
+		dns_rdatatype_format(oldestsig.covered, type, sizeof(type));
+		verbose_time(1, "child signature inception time",
+			     oldestsig.timesigned);
+		vbprintf(2, "from RRSIG %s by key %d\n", type, oldestsig.keyid);
+	}
+
+	/*
+	 * Successfully do nothing if there's neither CDNSKEY nor CDS
+	 * RFC 7344 section 4.1 first paragraph
+	 */
+	if (!dns_rdataset_isassociated(&cdnskey_set) &&
+	    !dns_rdataset_isassociated(&cds_set))
+	{
+		vbprintf(1, "%s has neither CDS nor CDNSKEY records\n",
+			 namestr);
+		write_parent_set(ds_path, inplace, nsupdate, &old_ds_set);
+		exit(0);
+	}
+
+	/*
+	 * Make DS records from the CDS or CDNSKEY records
+	 * Prefer CDS if present, unless run with -D
+	 */
+	if (prefer_cdnskey && dns_rdataset_isassociated(&cdnskey_set)) {
+		make_new_ds_set(ds_from_cdnskey, ttl, &cdnskey_set);
+	} else if (dns_rdataset_isassociated(&cds_set)) {
+		make_new_ds_set(ds_from_cds, ttl, &cds_set);
+	} else {
+		make_new_ds_set(ds_from_cdnskey, ttl, &cdnskey_set);
+	}
+
+	/*
+	 * Now we have a candidate DS RRset, we need to check it
+	 * won't break the delegation.
+	 */
+	vbprintf(1, "which child DNSKEY records match new DS records?\n");
+	new_key_tbl = match_keyset_dsset(&dnskey_set, &new_ds_set, TIGHT);
+
+	if (!consistent_digests(&new_ds_set)) {
+		fatal("CDS records at %s do not cover each key "
+		      "with the same set of digest types",
+		      namestr);
+	}
+
+	vbprintf(1, "verify DNSKEY signature(s)\n");
+	if (!signed_strict(&new_ds_set, matching_sigs(new_key_tbl, &dnskey_set,
+						      &dnskey_sig)))
+	{
+		fatal("could not validate child DNSKEY RRset "
+		      "with new DS records for %s",
+		      namestr);
+	}
+
+	free_keytable(&new_key_tbl);
+
+	/*
+	 * OK, it's all good!
+	 */
+	if (nsupdate) {
+		nsdiff(ttl, &old_ds_set, &new_ds_set);
+	}
+
+	write_parent_set(ds_path, inplace, nsupdate, &new_ds_set);
+
+	free_all_sets();
+	cleanup_logging(&lctx);
+	dst_lib_destroy();
+	if (verbose > 10) {
+		isc_mem_stats(mctx, stdout);
+	}
+	isc_mem_destroy(&mctx);
+
+	exit(0);
+}
diff --git a/bin/dnssec/dnssec-cds.rst b/bin/dnssec/dnssec-cds.rst
new file mode 100644
index 0000000..4ba77fb
--- /dev/null
+++ b/bin/dnssec/dnssec-cds.rst
@@ -0,0 +1,203 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. highlight: console
+
+.. _man_dnssec-cds:
+
+dnssec-cds - change DS records for a child zone based on CDS/CDNSKEY
+--------------------------------------------------------------------
+
+Synopsis
+~~~~~~~~
+
+:program:`dnssec-cds` [**-a** alg...] [**-c** class] [**-D**] {**-d** dsset-file} {**-f** child-file} [**-i**[extension]] [**-s** start-time] [**-T** ttl] [**-u**] [**-v** level] [**-V**] {domain}
+
+Description
+~~~~~~~~~~~
+
+The ``dnssec-cds`` command changes DS records at a delegation point
+based on CDS or CDNSKEY records published in the child zone. If both CDS
+and CDNSKEY records are present in the child zone, the CDS is preferred.
+This enables a child zone to inform its parent of upcoming changes to
+its key-signing keys (KSKs); by polling periodically with ``dnssec-cds``, the
+parent can keep the DS records up-to-date and enable automatic rolling
+of KSKs.
+
+Two input files are required. The ``-f child-file`` option specifies a
+file containing the child's CDS and/or CDNSKEY records, plus RRSIG and
+DNSKEY records so that they can be authenticated. The ``-d path`` option
+specifies the location of a file containing the current DS records. For
+example, this could be a ``dsset-`` file generated by
+``dnssec-signzone``, or the output of ``dnssec-dsfromkey``, or the
+output of a previous run of ``dnssec-cds``.
+
+The ``dnssec-cds`` command uses special DNSSEC validation logic
+specified by :rfc:`7344`. It requires that the CDS and/or CDNSKEY records
+be validly signed by a key represented in the existing DS records. This
+is typically the pre-existing KSK.
+
+For protection against replay attacks, the signatures on the child
+records must not be older than they were on a previous run of
+``dnssec-cds``. Their age is obtained from the modification time of the
+``dsset-`` file, or from the ``-s`` option.
+
+To protect against breaking the delegation, ``dnssec-cds`` ensures that
+the DNSKEY RRset can be verified by every key algorithm in the new DS
+RRset, and that the same set of keys are covered by every DS digest
+type.
+
+By default, replacement DS records are written to the standard output;
+with the ``-i`` option the input file is overwritten in place. The
+replacement DS records are the same as the existing records, when no
+change is required. The output can be empty if the CDS/CDNSKEY records
+specify that the child zone wants to be insecure.
+
+.. warning::
+
+   Be careful not to delete the DS records when ``dnssec-cds`` fails!
+
+Alternatively, ``dnssec-cds -u`` writes an ``nsupdate`` script to the
+standard output. The ``-u`` and ``-i`` options can be used together to
+maintain a ``dsset-`` file as well as emit an ``nsupdate`` script.
+
+Options
+~~~~~~~
+
+``-a algorithm``
+   This option specifies a digest algorithm to use when converting CDNSKEY records to
+   DS records. This option can be repeated, so that multiple DS records
+   are created for each CDNSKEY record. This option has no effect when
+   using CDS records.
+
+   The algorithm must be one of SHA-1, SHA-256, or SHA-384. These values
+   are case-insensitive, and the hyphen may be omitted. If no algorithm
+   is specified, the default is SHA-256.
+
+``-c class``
+   This option specifies the DNS class of the zones.
+
+``-D``
+   This option generates DS records from CDNSKEY records if both CDS and CDNSKEY
+   records are present in the child zone. By default CDS records are
+   preferred.
+
+``-d path``
+   This specifies the location of the parent DS records. The path can be the name of a file
+   containing the DS records; if it is a directory, ``dnssec-cds``
+   looks for a ``dsset-`` file for the domain inside the directory.
+
+   To protect against replay attacks, child records are rejected if they
+   were signed earlier than the modification time of the ``dsset-``
+   file. This can be adjusted with the ``-s`` option.
+
+``-f child-file``
+   This option specifies the file containing the child's CDS and/or CDNSKEY records, plus its
+   DNSKEY records and the covering RRSIG records, so that they can be
+   authenticated.
+
+   The examples below describe how to generate this file.
+
+``-iextension``
+   This option updates the ``dsset-`` file in place, instead of writing DS records to
+   the standard output.
+
+   There must be no space between the ``-i`` and the extension. If
+   no extension is provided, the old ``dsset-`` is discarded. If an
+   extension is present, a backup of the old ``dsset-`` file is kept
+   with the extension appended to its filename.
+
+   To protect against replay attacks, the modification time of the
+   ``dsset-`` file is set to match the signature inception time of the
+   child records, provided that it is later than the file's current
+   modification time.
+
+``-s start-time``
+   This option specifies the date and time after which RRSIG records become
+   acceptable. This can be either an absolute or a relative time. An
+   absolute start time is indicated by a number in YYYYMMDDHHMMSS
+   notation; 20170827133700 denotes 13:37:00 UTC on August 27th, 2017. A
+   time relative to the ``dsset-`` file is indicated with ``-N``, which is N
+   seconds before the file modification time. A time relative to the
+   current time is indicated with ``now+N``.
+
+   If no start-time is specified, the modification time of the
+   ``dsset-`` file is used.
+
+``-T ttl``
+   This option specifies a TTL to be used for new DS records. If not specified, the
+   default is the TTL of the old DS records. If they had no explicit TTL,
+   the new DS records also have no explicit TTL.
+
+``-u``
+   This option writes an ``nsupdate`` script to the standard output, instead of
+   printing the new DS reords. The output is empty if no change is
+   needed.
+
+   Note: The TTL of new records needs to be specified: it can be done in the
+   original ``dsset-`` file, with the ``-T`` option, or using the
+   ``nsupdate`` ``ttl`` command.
+
+``-V``
+   This option prints version information.
+
+``-v level``
+   This option sets the debugging level. Level 1 is intended to be usefully verbose
+   for general users; higher levels are intended for developers.
+
+``domain``
+   This indicates the name of the delegation point/child zone apex.
+
+Exit Status
+~~~~~~~~~~~
+
+The ``dnssec-cds`` command exits 0 on success, or non-zero if an error
+occurred.
+
+If successful, the DS records may or may not need to be
+changed.
+
+Examples
+~~~~~~~~
+
+Before running ``dnssec-signzone``, ensure that the delegations
+are up-to-date by running ``dnssec-cds`` on every ``dsset-`` file.
+
+To fetch the child records required by ``dnssec-cds``, invoke
+``dig`` as in the script below. It is acceptable if the ``dig`` fails, since
+``dnssec-cds`` performs all the necessary checking.
+
+::
+
+   for f in dsset-*
+   do
+       d=${f#dsset-}
+       dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
+       dnssec-cds -i -f /dev/stdin -d $f $d
+   done
+
+When the parent zone is automatically signed by ``named``,
+``dnssec-cds`` can be used with ``nsupdate`` to maintain a delegation as follows.
+The ``dsset-`` file allows the script to avoid having to fetch and
+validate the parent DS records, and it maintains the replay attack
+protection time.
+
+::
+
+   dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
+   dnssec-cds -u -i -f /dev/stdin -d $f $d |
+   nsupdate -l
+
+See Also
+~~~~~~~~
+
+:manpage:`dig(1)`, :manpage:`dnssec-settime(8)`, :manpage:`dnssec-signzone(8)`, :manpage:`nsupdate(1)`, BIND 9 Administrator
+Reference Manual, :rfc:`7344`.
diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c
new file mode 100644
index 0000000..404239e
--- /dev/null
+++ b/bin/dnssec/dnssec-dsfromkey.c
@@ -0,0 +1,568 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/hash.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/callbacks.h>
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/ds.h>
+#include <dns/fixedname.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/master.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+
+#include <dst/dst.h>
+
+#if USE_PKCS11
+#include <pk11/result.h>
+#endif /* if USE_PKCS11 */
+
+#include "dnssectool.h"
+
+const char *program = "dnssec-dsfromkey";
+
+static dns_rdataclass_t rdclass;
+static dns_fixedname_t fixed;
+static dns_name_t *name = NULL;
+static isc_mem_t *mctx = NULL;
+static uint32_t ttl;
+static bool emitttl = false;
+
+static isc_result_t
+initname(char *setname) {
+	isc_result_t result;
+	isc_buffer_t buf;
+
+	name = dns_fixedname_initname(&fixed);
+
+	isc_buffer_init(&buf, setname, strlen(setname));
+	isc_buffer_add(&buf, strlen(setname));
+	result = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
+	return (result);
+}
+
+static void
+db_load_from_stream(dns_db_t *db, FILE *fp) {
+	isc_result_t result;
+	dns_rdatacallbacks_t callbacks;
+
+	dns_rdatacallbacks_init(&callbacks);
+	result = dns_db_beginload(db, &callbacks);
+	if (result != ISC_R_SUCCESS) {
+		fatal("dns_db_beginload failed: %s", isc_result_totext(result));
+	}
+
+	result = dns_master_loadstream(fp, name, name, rdclass, 0, &callbacks,
+				       mctx);
+	if (result != ISC_R_SUCCESS) {
+		fatal("can't load from input: %s", isc_result_totext(result));
+	}
+
+	result = dns_db_endload(db, &callbacks);
+	if (result != ISC_R_SUCCESS) {
+		fatal("dns_db_endload failed: %s", isc_result_totext(result));
+	}
+}
+
+static isc_result_t
+loadset(const char *filename, dns_rdataset_t *rdataset) {
+	isc_result_t result;
+	dns_db_t *db = NULL;
+	dns_dbnode_t *node = NULL;
+	char setname[DNS_NAME_FORMATSIZE];
+
+	dns_name_format(name, setname, sizeof(setname));
+
+	result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone, rdclass, 0,
+			       NULL, &db);
+	if (result != ISC_R_SUCCESS) {
+		fatal("can't create database");
+	}
+
+	if (strcmp(filename, "-") == 0) {
+		db_load_from_stream(db, stdin);
+		filename = "input";
+	} else {
+		result = dns_db_load(db, filename, dns_masterformat_text, 0);
+		if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE) {
+			fatal("can't load %s: %s", filename,
+			      isc_result_totext(result));
+		}
+	}
+
+	result = dns_db_findnode(db, name, false, &node);
+	if (result != ISC_R_SUCCESS) {
+		fatal("can't find %s node in %s", setname, filename);
+	}
+
+	result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_dnskey, 0, 0,
+				     rdataset, NULL);
+
+	if (result == ISC_R_NOTFOUND) {
+		fatal("no DNSKEY RR for %s in %s", setname, filename);
+	} else if (result != ISC_R_SUCCESS) {
+		fatal("dns_db_findrdataset");
+	}
+
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+	if (db != NULL) {
+		dns_db_detach(&db);
+	}
+	return (result);
+}
+
+static isc_result_t
+loadkeyset(char *dirname, dns_rdataset_t *rdataset) {
+	isc_result_t result;
+	char filename[PATH_MAX + 1];
+	isc_buffer_t buf;
+
+	dns_rdataset_init(rdataset);
+
+	isc_buffer_init(&buf, filename, sizeof(filename));
+	if (dirname != NULL) {
+		/* allow room for a trailing slash */
+		if (strlen(dirname) >= isc_buffer_availablelength(&buf)) {
+			return (ISC_R_NOSPACE);
+		}
+		isc_buffer_putstr(&buf, dirname);
+		if (dirname[strlen(dirname) - 1] != '/') {
+			isc_buffer_putstr(&buf, "/");
+		}
+	}
+
+	if (isc_buffer_availablelength(&buf) < 7) {
+		return (ISC_R_NOSPACE);
+	}
+	isc_buffer_putstr(&buf, "keyset-");
+
+	result = dns_name_tofilenametext(name, false, &buf);
+	check_result(result, "dns_name_tofilenametext()");
+	if (isc_buffer_availablelength(&buf) == 0) {
+		return (ISC_R_NOSPACE);
+	}
+	isc_buffer_putuint8(&buf, 0);
+
+	return (loadset(filename, rdataset));
+}
+
+static void
+loadkey(char *filename, unsigned char *key_buf, unsigned int key_buf_size,
+	dns_rdata_t *rdata) {
+	isc_result_t result;
+	dst_key_t *key = NULL;
+	isc_buffer_t keyb;
+	isc_region_t r;
+
+	dns_rdata_init(rdata);
+
+	isc_buffer_init(&keyb, key_buf, key_buf_size);
+
+	result = dst_key_fromnamedfile(filename, NULL, DST_TYPE_PUBLIC, mctx,
+				       &key);
+	if (result != ISC_R_SUCCESS) {
+		fatal("can't load %s.key: %s", filename,
+		      isc_result_totext(result));
+	}
+
+	if (verbose > 2) {
+		char keystr[DST_KEY_FORMATSIZE];
+
+		dst_key_format(key, keystr, sizeof(keystr));
+		fprintf(stderr, "%s: %s\n", program, keystr);
+	}
+
+	result = dst_key_todns(key, &keyb);
+	if (result != ISC_R_SUCCESS) {
+		fatal("can't decode key");
+	}
+
+	isc_buffer_usedregion(&keyb, &r);
+	dns_rdata_fromregion(rdata, dst_key_class(key), dns_rdatatype_dnskey,
+			     &r);
+
+	rdclass = dst_key_class(key);
+
+	name = dns_fixedname_initname(&fixed);
+	dns_name_copynf(dst_key_name(key), name);
+
+	dst_key_free(&key);
+}
+
+static void
+logkey(dns_rdata_t *rdata) {
+	isc_result_t result;
+	dst_key_t *key = NULL;
+	isc_buffer_t buf;
+	char keystr[DST_KEY_FORMATSIZE];
+
+	isc_buffer_init(&buf, rdata->data, rdata->length);
+	isc_buffer_add(&buf, rdata->length);
+	result = dst_key_fromdns(name, rdclass, &buf, mctx, &key);
+	if (result != ISC_R_SUCCESS) {
+		return;
+	}
+
+	dst_key_format(key, keystr, sizeof(keystr));
+	fprintf(stderr, "%s: %s\n", program, keystr);
+
+	dst_key_free(&key);
+}
+
+static void
+emit(dns_dsdigest_t dt, bool showall, bool cds, dns_rdata_t *rdata) {
+	isc_result_t result;
+	unsigned char buf[DNS_DS_BUFFERSIZE];
+	char text_buf[DST_KEY_MAXTEXTSIZE];
+	char name_buf[DNS_NAME_MAXWIRE];
+	char class_buf[10];
+	isc_buffer_t textb, nameb, classb;
+	isc_region_t r;
+	dns_rdata_t ds;
+	dns_rdata_dnskey_t dnskey;
+
+	isc_buffer_init(&textb, text_buf, sizeof(text_buf));
+	isc_buffer_init(&nameb, name_buf, sizeof(name_buf));
+	isc_buffer_init(&classb, class_buf, sizeof(class_buf));
+
+	dns_rdata_init(&ds);
+
+	result = dns_rdata_tostruct(rdata, &dnskey, NULL);
+	if (result != ISC_R_SUCCESS) {
+		fatal("can't convert DNSKEY");
+	}
+
+	if ((dnskey.flags & DNS_KEYFLAG_REVOKE) != 0) {
+		return;
+	}
+
+	if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 && !showall) {
+		return;
+	}
+
+	result = dns_ds_buildrdata(name, rdata, dt, buf, &ds);
+	if (result != ISC_R_SUCCESS) {
+		fatal("can't build record");
+	}
+
+	result = dns_name_totext(name, false, &nameb);
+	if (result != ISC_R_SUCCESS) {
+		fatal("can't print name");
+	}
+
+	result = dns_rdata_tofmttext(&ds, (dns_name_t *)NULL, 0, 0, 0, "",
+				     &textb);
+
+	if (result != ISC_R_SUCCESS) {
+		fatal("can't print rdata");
+	}
+
+	result = dns_rdataclass_totext(rdclass, &classb);
+	if (result != ISC_R_SUCCESS) {
+		fatal("can't print class");
+	}
+
+	isc_buffer_usedregion(&nameb, &r);
+	printf("%.*s ", (int)r.length, r.base);
+
+	if (emitttl) {
+		printf("%u ", ttl);
+	}
+
+	isc_buffer_usedregion(&classb, &r);
+	printf("%.*s", (int)r.length, r.base);
+
+	if (cds) {
+		printf(" CDS ");
+	} else {
+		printf(" DS ");
+	}
+
+	isc_buffer_usedregion(&textb, &r);
+	printf("%.*s\n", (int)r.length, r.base);
+}
+
+static void
+emits(bool showall, bool cds, dns_rdata_t *rdata) {
+	unsigned i, n;
+
+	n = sizeof(dtype) / sizeof(dtype[0]);
+	for (i = 0; i < n; i++) {
+		if (dtype[i] != 0) {
+			emit(dtype[i], showall, cds, rdata);
+		}
+	}
+}
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(void) {
+	fprintf(stderr, "Usage:\n");
+	fprintf(stderr, "    %s [options] keyfile\n\n", program);
+	fprintf(stderr, "    %s [options] -f zonefile [zonename]\n\n", program);
+	fprintf(stderr, "    %s [options] -s dnsname\n\n", program);
+	fprintf(stderr, "    %s [-h|-V]\n\n", program);
+	fprintf(stderr, "Version: %s\n", VERSION);
+	fprintf(stderr, "Options:\n"
+			"    -1: digest algorithm SHA-1\n"
+			"    -2: digest algorithm SHA-256\n"
+			"    -a algorithm: digest algorithm (SHA-1, SHA-256 or "
+			"SHA-384)\n"
+			"    -A: include all keys in DS set, not just KSKs (-f "
+			"only)\n"
+			"    -c class: rdata class for DS set (default IN) (-f "
+			"or -s only)\n"
+			"    -C: print CDS records\n"
+			"    -f zonefile: read keys from a zone file\n"
+			"    -h: print help information\n"
+			"    -K directory: where to find key or keyset files\n"
+			"    -s: read keys from keyset-<dnsname> file\n"
+			"    -T: TTL of output records (omitted by default)\n"
+			"    -v level: verbosity\n"
+			"    -V: print version information\n");
+	fprintf(stderr, "Output: DS or CDS RRs\n");
+
+	exit(-1);
+}
+
+int
+main(int argc, char **argv) {
+	char *classname = NULL;
+	char *filename = NULL, *dir = NULL, *namestr;
+	char *endp, *arg1;
+	int ch;
+	bool cds = false;
+	bool usekeyset = false;
+	bool showall = false;
+	isc_result_t result;
+	isc_log_t *log = NULL;
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata;
+
+	dns_rdata_init(&rdata);
+
+	if (argc == 1) {
+		usage();
+	}
+
+	isc_mem_create(&mctx);
+
+#if USE_PKCS11
+	pk11_result_register();
+#endif /* if USE_PKCS11 */
+	dns_result_register();
+
+	isc_commandline_errprint = false;
+
+#define OPTIONS "12Aa:Cc:d:Ff:K:l:sT:v:hV"
+	while ((ch = isc_commandline_parse(argc, argv, OPTIONS)) != -1) {
+		switch (ch) {
+		case '1':
+			add_dtype(DNS_DSDIGEST_SHA1);
+			break;
+		case '2':
+			add_dtype(DNS_DSDIGEST_SHA256);
+			break;
+		case 'A':
+			showall = true;
+			break;
+		case 'a':
+			add_dtype(strtodsdigest(isc_commandline_argument));
+			break;
+		case 'C':
+			cds = true;
+			break;
+		case 'c':
+			classname = isc_commandline_argument;
+			break;
+		case 'd':
+			fprintf(stderr,
+				"%s: the -d option is deprecated; "
+				"use -K\n",
+				program);
+		/* fall through */
+		case 'K':
+			dir = isc_commandline_argument;
+			if (strlen(dir) == 0U) {
+				fatal("directory must be non-empty string");
+			}
+			break;
+		case 'f':
+			filename = isc_commandline_argument;
+			break;
+		case 'l':
+			fatal("-l option (DLV lookaside) is obsolete");
+			break;
+		case 's':
+			usekeyset = true;
+			break;
+		case 'T':
+			emitttl = true;
+			ttl = strtottl(isc_commandline_argument);
+			break;
+		case 'v':
+			verbose = strtol(isc_commandline_argument, &endp, 0);
+			if (*endp != '\0') {
+				fatal("-v must be followed by a number");
+			}
+			break;
+		case 'F':
+			/* Reserved for FIPS mode */
+			FALLTHROUGH;
+		case '?':
+			if (isc_commandline_option != '?') {
+				fprintf(stderr, "%s: invalid argument -%c\n",
+					program, isc_commandline_option);
+			}
+			FALLTHROUGH;
+		case 'h':
+			/* Does not return. */
+			usage();
+
+		case 'V':
+			/* Does not return. */
+			version(program);
+
+		default:
+			fprintf(stderr, "%s: unhandled option -%c\n", program,
+				isc_commandline_option);
+			exit(1);
+		}
+	}
+
+	rdclass = strtoclass(classname);
+
+	if (usekeyset && filename != NULL) {
+		fatal("cannot use both -s and -f");
+	}
+
+	/* When not using -f, -A is implicit */
+	if (filename == NULL) {
+		showall = true;
+	}
+
+	/* Default digest type if none specified. */
+	if (dtype[0] == 0) {
+		dtype[0] = DNS_DSDIGEST_SHA256;
+	}
+
+	/*
+	 * Use local variable arg1 so that clang can correctly analyse
+	 * reachable paths rather than 'argc < isc_commandline_index + 1'.
+	 */
+	arg1 = argv[isc_commandline_index];
+	if (arg1 == NULL && filename == NULL) {
+		fatal("the key file name was not specified");
+	}
+	if (arg1 != NULL && argv[isc_commandline_index + 1] != NULL) {
+		fatal("extraneous arguments");
+	}
+
+	result = dst_lib_init(mctx, NULL);
+	if (result != ISC_R_SUCCESS) {
+		fatal("could not initialize dst: %s",
+		      isc_result_totext(result));
+	}
+
+	setup_logging(mctx, &log);
+
+	dns_rdataset_init(&rdataset);
+
+	if (usekeyset || filename != NULL) {
+		if (arg1 == NULL) {
+			/* using file name as the zone name */
+			namestr = filename;
+		} else {
+			namestr = arg1;
+		}
+
+		result = initname(namestr);
+		if (result != ISC_R_SUCCESS) {
+			fatal("could not initialize name %s", namestr);
+		}
+
+		if (usekeyset) {
+			result = loadkeyset(dir, &rdataset);
+		} else {
+			INSIST(filename != NULL);
+			result = loadset(filename, &rdataset);
+		}
+
+		if (result != ISC_R_SUCCESS) {
+			fatal("could not load DNSKEY set: %s\n",
+			      isc_result_totext(result));
+		}
+
+		for (result = dns_rdataset_first(&rdataset);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&rdataset))
+		{
+			dns_rdata_init(&rdata);
+			dns_rdataset_current(&rdataset, &rdata);
+
+			if (verbose > 2) {
+				logkey(&rdata);
+			}
+
+			emits(showall, cds, &rdata);
+		}
+	} else {
+		unsigned char key_buf[DST_KEY_MAXSIZE];
+
+		loadkey(arg1, key_buf, DST_KEY_MAXSIZE, &rdata);
+
+		emits(showall, cds, &rdata);
+	}
+
+	if (dns_rdataset_isassociated(&rdataset)) {
+		dns_rdataset_disassociate(&rdataset);
+	}
+	cleanup_logging(&log);
+	dst_lib_destroy();
+	if (verbose > 10) {
+		isc_mem_stats(mctx, stdout);
+	}
+	isc_mem_destroy(&mctx);
+
+	fflush(stdout);
+	if (ferror(stdout)) {
+		fprintf(stderr, "write error\n");
+		return (1);
+	} else {
+		return (0);
+	}
+}
diff --git a/bin/dnssec/dnssec-dsfromkey.rst b/bin/dnssec/dnssec-dsfromkey.rst
new file mode 100644
index 0000000..6396733
--- /dev/null
+++ b/bin/dnssec/dnssec-dsfromkey.rst
@@ -0,0 +1,144 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. highlight: console
+
+.. _man_dnssec-dsfromkey:
+
+dnssec-dsfromkey - DNSSEC DS RR generation tool
+-----------------------------------------------
+
+Synopsis
+~~~~~~~~
+
+:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-K** directory] {keyfile}
+
+:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-c** class] [**-A**] {**-f** file} [dnsname]
+
+:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-c** class] [**-K** directory] {**-s**} {dnsname}
+
+:program:`dnssec-dsfromkey` [ **-h** | **-V** ]
+
+Description
+~~~~~~~~~~~
+
+The ``dnssec-dsfromkey`` command outputs DS (Delegation Signer) resource records
+(RRs), or CDS (Child DS) RRs with the ``-C`` option.
+
+By default, only KSKs are converted (keys with flags = 257).  The
+``-A`` option includes ZSKs (flags = 256).  Revoked keys are never
+included.
+
+The input keys can be specified in a number of ways:
+
+By default, ``dnssec-dsfromkey`` reads a key file named in the format
+``Knnnn.+aaa+iiiii.key``, as generated by ``dnssec-keygen``.
+
+With the ``-f file`` option, ``dnssec-dsfromkey`` reads keys from a zone
+file or partial zone file (which can contain just the DNSKEY records).
+
+With the ``-s`` option, ``dnssec-dsfromkey`` reads a ``keyset-`` file,
+as generated by ``dnssec-keygen`` ``-C``.
+
+Options
+~~~~~~~
+
+``-1``
+   This option is an abbreviation for ``-a SHA1``.
+
+``-2``
+   This option is an abbreviation for ``-a SHA-256``.
+
+``-a algorithm``
+   This option specifies a digest algorithm to use when converting DNSKEY records to
+   DS records. This option can be repeated, so that multiple DS records
+   are created for each DNSKEY record.
+
+   The algorithm must be one of SHA-1, SHA-256, or SHA-384. These values
+   are case-insensitive, and the hyphen may be omitted. If no algorithm
+   is specified, the default is SHA-256.
+
+``-A``
+   This option indicates that ZSKs are to be included when generating DS records. Without this option, only
+   keys which have the KSK flag set are converted to DS records and
+   printed. This option is only useful in ``-f`` zone file mode.
+
+``-c class``
+   This option specifies the DNS class; the default is IN. This option is only useful in ``-s`` keyset
+   or ``-f`` zone file mode.
+
+``-C``
+   This option generates CDS records rather than DS records.
+
+``-f file``
+   This option sets zone file mode, in which the final dnsname argument of ``dnssec-dsfromkey`` is the
+   DNS domain name of a zone whose master file can be read from
+   ``file``. If the zone name is the same as ``file``, then it may be
+   omitted.
+
+   If ``file`` is ``-``, then the zone data is read from the standard
+   input. This makes it possible to use the output of the ``dig``
+   command as input, as in:
+
+   ``dig dnskey example.com | dnssec-dsfromkey -f - example.com``
+
+``-h``
+   This option prints usage information.
+
+``-K directory``
+   This option tells BIND 9 to look for key files or ``keyset-`` files in ``directory``.
+
+``-s``
+   This option enables keyset mode, in which the final dnsname argument from ``dnssec-dsfromkey`` is the DNS
+   domain name used to locate a ``keyset-`` file.
+
+``-T TTL``
+   This option specifies the TTL of the DS records. By default the TTL is omitted.
+
+``-v level``
+   This option sets the debugging level.
+
+``-V``
+   This option prints version information.
+
+Example
+~~~~~~~
+
+To build the SHA-256 DS RR from the ``Kexample.com.+003+26160`` keyfile,
+issue the following command:
+
+``dnssec-dsfromkey -2 Kexample.com.+003+26160``
+
+The command returns something similar to:
+
+``example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94``
+
+Files
+~~~~~
+
+The keyfile can be designated by the key identification
+``Knnnn.+aaa+iiiii`` or the full file name ``Knnnn.+aaa+iiiii.key``, as
+generated by ``dnssec-keygen``.
+
+The keyset file name is built from the ``directory``, the string
+``keyset-``, and the ``dnsname``.
+
+Caveat
+~~~~~~
+
+A keyfile error may return "file not found," even if the file exists.
+
+See Also
+~~~~~~~~
+
+:manpage:`dnssec-keygen(8)`, :manpage:`dnssec-signzone(8)`, BIND 9 Administrator Reference Manual,
+:rfc:`3658` (DS RRs), :rfc:`4509` (SHA-256 for DS RRs),
+:rfc:`6605` (SHA-384 for DS RRs), :rfc:`7344` (CDS and CDNSKEY RRs).
diff --git a/bin/dnssec/dnssec-importkey.c b/bin/dnssec/dnssec-importkey.c
new file mode 100644
index 0000000..8a776c1
--- /dev/null
+++ b/bin/dnssec/dnssec-importkey.c
@@ -0,0 +1,485 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/hash.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/callbacks.h>
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/ds.h>
+#include <dns/fixedname.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/master.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+
+#include <dst/dst.h>
+
+#if USE_PKCS11
+#include <pk11/result.h>
+#endif /* if USE_PKCS11 */
+
+#include "dnssectool.h"
+
+const char *program = "dnssec-importkey";
+
+static dns_rdataclass_t rdclass;
+static dns_fixedname_t fixed;
+static dns_name_t *name = NULL;
+static isc_mem_t *mctx = NULL;
+static bool setpub = false, setdel = false;
+static bool setttl = false;
+static isc_stdtime_t pub = 0, del = 0;
+static dns_ttl_t ttl = 0;
+static isc_stdtime_t syncadd = 0, syncdel = 0;
+static bool setsyncadd = false;
+static bool setsyncdel = false;
+
+static isc_result_t
+initname(char *setname) {
+	isc_result_t result;
+	isc_buffer_t buf;
+
+	name = dns_fixedname_initname(&fixed);
+
+	isc_buffer_init(&buf, setname, strlen(setname));
+	isc_buffer_add(&buf, strlen(setname));
+	result = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
+	return (result);
+}
+
+static void
+db_load_from_stream(dns_db_t *db, FILE *fp) {
+	isc_result_t result;
+	dns_rdatacallbacks_t callbacks;
+
+	dns_rdatacallbacks_init(&callbacks);
+	result = dns_db_beginload(db, &callbacks);
+	if (result != ISC_R_SUCCESS) {
+		fatal("dns_db_beginload failed: %s", isc_result_totext(result));
+	}
+
+	result = dns_master_loadstream(fp, name, name, rdclass, 0, &callbacks,
+				       mctx);
+	if (result != ISC_R_SUCCESS) {
+		fatal("can't load from input: %s", isc_result_totext(result));
+	}
+
+	result = dns_db_endload(db, &callbacks);
+	if (result != ISC_R_SUCCESS) {
+		fatal("dns_db_endload failed: %s", isc_result_totext(result));
+	}
+}
+
+static isc_result_t
+loadset(const char *filename, dns_rdataset_t *rdataset) {
+	isc_result_t result;
+	dns_db_t *db = NULL;
+	dns_dbnode_t *node = NULL;
+	char setname[DNS_NAME_FORMATSIZE];
+
+	dns_name_format(name, setname, sizeof(setname));
+
+	result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone, rdclass, 0,
+			       NULL, &db);
+	if (result != ISC_R_SUCCESS) {
+		fatal("can't create database");
+	}
+
+	if (strcmp(filename, "-") == 0) {
+		db_load_from_stream(db, stdin);
+		filename = "input";
+	} else {
+		result = dns_db_load(db, filename, dns_masterformat_text,
+				     DNS_MASTER_NOTTL);
+		if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE) {
+			fatal("can't load %s: %s", filename,
+			      isc_result_totext(result));
+		}
+	}
+
+	result = dns_db_findnode(db, name, false, &node);
+	if (result != ISC_R_SUCCESS) {
+		fatal("can't find %s node in %s", setname, filename);
+	}
+
+	result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_dnskey, 0, 0,
+				     rdataset, NULL);
+
+	if (result == ISC_R_NOTFOUND) {
+		fatal("no DNSKEY RR for %s in %s", setname, filename);
+	} else if (result != ISC_R_SUCCESS) {
+		fatal("dns_db_findrdataset");
+	}
+
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+	if (db != NULL) {
+		dns_db_detach(&db);
+	}
+	return (result);
+}
+
+static void
+loadkey(char *filename, unsigned char *key_buf, unsigned int key_buf_size,
+	dns_rdata_t *rdata) {
+	isc_result_t result;
+	dst_key_t *key = NULL;
+	isc_buffer_t keyb;
+	isc_region_t r;
+
+	dns_rdata_init(rdata);
+
+	isc_buffer_init(&keyb, key_buf, key_buf_size);
+
+	result = dst_key_fromnamedfile(filename, NULL, DST_TYPE_PUBLIC, mctx,
+				       &key);
+	if (result != ISC_R_SUCCESS) {
+		fatal("invalid keyfile name %s: %s", filename,
+		      isc_result_totext(result));
+	}
+
+	if (verbose > 2) {
+		char keystr[DST_KEY_FORMATSIZE];
+
+		dst_key_format(key, keystr, sizeof(keystr));
+		fprintf(stderr, "%s: %s\n", program, keystr);
+	}
+
+	result = dst_key_todns(key, &keyb);
+	if (result != ISC_R_SUCCESS) {
+		fatal("can't decode key");
+	}
+
+	isc_buffer_usedregion(&keyb, &r);
+	dns_rdata_fromregion(rdata, dst_key_class(key), dns_rdatatype_dnskey,
+			     &r);
+
+	rdclass = dst_key_class(key);
+
+	name = dns_fixedname_initname(&fixed);
+	dns_name_copynf(dst_key_name(key), name);
+
+	dst_key_free(&key);
+}
+
+static void
+emit(const char *dir, dns_rdata_t *rdata) {
+	isc_result_t result;
+	char keystr[DST_KEY_FORMATSIZE];
+	char pubname[1024];
+	char priname[1024];
+	isc_buffer_t buf;
+	dst_key_t *key = NULL, *tmp = NULL;
+
+	isc_buffer_init(&buf, rdata->data, rdata->length);
+	isc_buffer_add(&buf, rdata->length);
+	result = dst_key_fromdns(name, rdclass, &buf, mctx, &key);
+	if (result != ISC_R_SUCCESS) {
+		fatal("dst_key_fromdns: %s", isc_result_totext(result));
+	}
+
+	isc_buffer_init(&buf, pubname, sizeof(pubname));
+	result = dst_key_buildfilename(key, DST_TYPE_PUBLIC, dir, &buf);
+	if (result != ISC_R_SUCCESS) {
+		fatal("Failed to build public key filename: %s",
+		      isc_result_totext(result));
+	}
+	isc_buffer_init(&buf, priname, sizeof(priname));
+	result = dst_key_buildfilename(key, DST_TYPE_PRIVATE, dir, &buf);
+	if (result != ISC_R_SUCCESS) {
+		fatal("Failed to build private key filename: %s",
+		      isc_result_totext(result));
+	}
+
+	result = dst_key_fromfile(
+		dst_key_name(key), dst_key_id(key), dst_key_alg(key),
+		DST_TYPE_PUBLIC | DST_TYPE_PRIVATE, dir, mctx, &tmp);
+	if (result == ISC_R_SUCCESS) {
+		if (dst_key_isprivate(tmp) && !dst_key_isexternal(tmp)) {
+			fatal("Private key already exists in %s", priname);
+		}
+		dst_key_free(&tmp);
+	}
+
+	dst_key_setexternal(key, true);
+	if (setpub) {
+		dst_key_settime(key, DST_TIME_PUBLISH, pub);
+	}
+	if (setdel) {
+		dst_key_settime(key, DST_TIME_DELETE, del);
+	}
+	if (setsyncadd) {
+		dst_key_settime(key, DST_TIME_SYNCPUBLISH, syncadd);
+	}
+	if (setsyncdel) {
+		dst_key_settime(key, DST_TIME_SYNCDELETE, syncdel);
+	}
+
+	if (setttl) {
+		dst_key_setttl(key, ttl);
+	}
+
+	result = dst_key_tofile(key, DST_TYPE_PUBLIC | DST_TYPE_PRIVATE, dir);
+	if (result != ISC_R_SUCCESS) {
+		dst_key_format(key, keystr, sizeof(keystr));
+		fatal("Failed to write key %s: %s", keystr,
+		      isc_result_totext(result));
+	}
+	printf("%s\n", pubname);
+
+	isc_buffer_clear(&buf);
+	result = dst_key_buildfilename(key, DST_TYPE_PRIVATE, dir, &buf);
+	if (result != ISC_R_SUCCESS) {
+		fatal("Failed to build private key filename: %s",
+		      isc_result_totext(result));
+	}
+	printf("%s\n", priname);
+	dst_key_free(&key);
+}
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(void) {
+	fprintf(stderr, "Usage:\n");
+	fprintf(stderr, "    %s options [-K dir] keyfile\n\n", program);
+	fprintf(stderr, "    %s options -f file [keyname]\n\n", program);
+	fprintf(stderr, "Version: %s\n", VERSION);
+	fprintf(stderr, "Options:\n");
+	fprintf(stderr, "    -f file: read key from zone file\n");
+	fprintf(stderr, "    -K <directory>: directory in which to store "
+			"the key files\n");
+	fprintf(stderr, "    -L ttl:             set default key TTL\n");
+	fprintf(stderr, "    -v <verbose level>\n");
+	fprintf(stderr, "    -V: print version information\n");
+	fprintf(stderr, "    -h: print usage and exit\n");
+	fprintf(stderr, "Timing options:\n");
+	fprintf(stderr, "    -P date/[+-]offset/none: set/unset key "
+			"publication date\n");
+	fprintf(stderr, "    -P sync date/[+-]offset/none: set/unset "
+			"CDS and CDNSKEY publication date\n");
+	fprintf(stderr, "    -D date/[+-]offset/none: set/unset key "
+			"deletion date\n");
+	fprintf(stderr, "    -D sync date/[+-]offset/none: set/unset "
+			"CDS and CDNSKEY deletion date\n");
+
+	exit(-1);
+}
+
+int
+main(int argc, char **argv) {
+	char *classname = NULL;
+	char *filename = NULL, *dir = NULL, *namestr;
+	char *endp;
+	int ch;
+	isc_result_t result;
+	isc_log_t *log = NULL;
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata;
+	isc_stdtime_t now;
+
+	dns_rdata_init(&rdata);
+	isc_stdtime_get(&now);
+
+	if (argc == 1) {
+		usage();
+	}
+
+	isc_mem_create(&mctx);
+
+#if USE_PKCS11
+	pk11_result_register();
+#endif /* if USE_PKCS11 */
+	dns_result_register();
+
+	isc_commandline_errprint = false;
+
+#define CMDLINE_FLAGS "D:f:hK:L:P:v:V"
+	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
+		switch (ch) {
+		case 'D':
+			/* -Dsync ? */
+			if (isoptarg("sync", argv, usage)) {
+				if (setsyncdel) {
+					fatal("-D sync specified more than "
+					      "once");
+				}
+
+				syncdel = strtotime(isc_commandline_argument,
+						    now, now, &setsyncdel);
+				break;
+			}
+			/* -Ddnskey ? */
+			(void)isoptarg("dnskey", argv, usage);
+			if (setdel) {
+				fatal("-D specified more than once");
+			}
+
+			del = strtotime(isc_commandline_argument, now, now,
+					&setdel);
+			break;
+		case 'K':
+			dir = isc_commandline_argument;
+			if (strlen(dir) == 0U) {
+				fatal("directory must be non-empty string");
+			}
+			break;
+		case 'L':
+			ttl = strtottl(isc_commandline_argument);
+			setttl = true;
+			break;
+		case 'P':
+			/* -Psync ? */
+			if (isoptarg("sync", argv, usage)) {
+				if (setsyncadd) {
+					fatal("-P sync specified more than "
+					      "once");
+				}
+
+				syncadd = strtotime(isc_commandline_argument,
+						    now, now, &setsyncadd);
+				break;
+			}
+			/* -Pdnskey ? */
+			(void)isoptarg("dnskey", argv, usage);
+			if (setpub) {
+				fatal("-P specified more than once");
+			}
+
+			pub = strtotime(isc_commandline_argument, now, now,
+					&setpub);
+			break;
+		case 'f':
+			filename = isc_commandline_argument;
+			break;
+		case 'v':
+			verbose = strtol(isc_commandline_argument, &endp, 0);
+			if (*endp != '\0') {
+				fatal("-v must be followed by a number");
+			}
+			break;
+		case '?':
+			if (isc_commandline_option != '?') {
+				fprintf(stderr, "%s: invalid argument -%c\n",
+					program, isc_commandline_option);
+			}
+			FALLTHROUGH;
+		case 'h':
+			/* Does not return. */
+			usage();
+
+		case 'V':
+			/* Does not return. */
+			version(program);
+
+		default:
+			fprintf(stderr, "%s: unhandled option -%c\n", program,
+				isc_commandline_option);
+			exit(1);
+		}
+	}
+
+	rdclass = strtoclass(classname);
+
+	if (argc < isc_commandline_index + 1 && filename == NULL) {
+		fatal("the key file name was not specified");
+	}
+	if (argc > isc_commandline_index + 1) {
+		fatal("extraneous arguments");
+	}
+
+	result = dst_lib_init(mctx, NULL);
+	if (result != ISC_R_SUCCESS) {
+		fatal("could not initialize dst: %s",
+		      isc_result_totext(result));
+	}
+
+	setup_logging(mctx, &log);
+
+	dns_rdataset_init(&rdataset);
+
+	if (filename != NULL) {
+		if (argc < isc_commandline_index + 1) {
+			/* using filename as zone name */
+			namestr = filename;
+		} else {
+			namestr = argv[isc_commandline_index];
+		}
+
+		result = initname(namestr);
+		if (result != ISC_R_SUCCESS) {
+			fatal("could not initialize name %s", namestr);
+		}
+
+		result = loadset(filename, &rdataset);
+
+		if (result != ISC_R_SUCCESS) {
+			fatal("could not load DNSKEY set: %s\n",
+			      isc_result_totext(result));
+		}
+
+		for (result = dns_rdataset_first(&rdataset);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&rdataset))
+		{
+			dns_rdata_init(&rdata);
+			dns_rdataset_current(&rdataset, &rdata);
+			emit(dir, &rdata);
+		}
+	} else {
+		unsigned char key_buf[DST_KEY_MAXSIZE];
+
+		loadkey(argv[isc_commandline_index], key_buf, DST_KEY_MAXSIZE,
+			&rdata);
+
+		emit(dir, &rdata);
+	}
+
+	if (dns_rdataset_isassociated(&rdataset)) {
+		dns_rdataset_disassociate(&rdataset);
+	}
+	cleanup_logging(&log);
+	dst_lib_destroy();
+	if (verbose > 10) {
+		isc_mem_stats(mctx, stdout);
+	}
+	isc_mem_destroy(&mctx);
+
+	fflush(stdout);
+	if (ferror(stdout)) {
+		fprintf(stderr, "write error\n");
+		return (1);
+	} else {
+		return (0);
+	}
+}
diff --git a/bin/dnssec/dnssec-importkey.rst b/bin/dnssec/dnssec-importkey.rst
new file mode 100644
index 0000000..9e58fce
--- /dev/null
+++ b/bin/dnssec/dnssec-importkey.rst
@@ -0,0 +1,113 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. highlight: console
+
+.. _man_dnssec-importkey:
+
+dnssec-importkey - import DNSKEY records from external systems so they can be managed
+-------------------------------------------------------------------------------------
+
+Synopsis
+~~~~~~~~
+
+:program:`dnssec-importkey` [**-K** directory] [**-L** ttl] [**-P** date/offset] [**-P** sync date/offset] [**-D** date/offset] [**-D** sync date/offset] [**-h**] [**-v** level] [**-V**] {keyfile}
+
+:program:`dnssec-importkey` {**-f** filename} [**-K** directory] [**-L** ttl] [**-P** date/offset] [**-P** sync date/offset] [**-D** date/offset] [**-D** sync date/offset] [**-h**] [**-v** level] [**-V**] [dnsname]
+
+Description
+~~~~~~~~~~~
+
+``dnssec-importkey`` reads a public DNSKEY record and generates a pair
+of .key/.private files. The DNSKEY record may be read from an
+existing .key file, in which case a corresponding .private file is
+generated, or it may be read from any other file or from the standard
+input, in which case both .key and .private files are generated.
+
+The newly created .private file does *not* contain private key data, and
+cannot be used for signing. However, having a .private file makes it
+possible to set publication (``-P``) and deletion (``-D``) times for the
+key, which means the public key can be added to and removed from the
+DNSKEY RRset on schedule even if the true private key is stored offline.
+
+Options
+~~~~~~~
+
+``-f filename``
+   This option indicates the zone file mode. Instead of a public keyfile name, the argument is the
+   DNS domain name of a zone master file, which can be read from
+   ``filename``. If the domain name is the same as ``filename``, then it may be
+   omitted.
+
+   If ``filename`` is set to ``"-"``, then the zone data is read from the
+   standard input.
+
+``-K directory``
+   This option sets the directory in which the key files are to reside.
+
+``-L ttl``
+   This option sets the default TTL to use for this key when it is converted into a
+   DNSKEY RR. This is the TTL used when the key is imported into a zone,
+   unless there was already a DNSKEY RRset in
+   place, in which case the existing TTL takes precedence. Setting the default TTL to ``0`` or ``none``
+   removes it from the key.
+
+``-h``
+   This option emits a usage message and exits.
+
+``-v level``
+   This option sets the debugging level.
+
+``-V``
+   This option prints version information.
+
+Timing Options
+~~~~~~~~~~~~~~
+
+Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the
+argument begins with a ``+`` or ``-``, it is interpreted as an offset from
+the present time. For convenience, if such an offset is followed by one
+of the suffixes ``y``, ``mo``, ``w``, ``d``, ``h``, or ``mi``, then the offset is
+computed in years (defined as 365 24-hour days, ignoring leap years),
+months (defined as 30 24-hour days), weeks, days, hours, or minutes,
+respectively. Without a suffix, the offset is computed in seconds. To
+explicitly prevent a date from being set, use ``none`` or ``never``.
+
+``-P date/offset``
+   This option sets the date on which a key is to be published to the zone. After
+   that date, the key is included in the zone but is not used
+   to sign it.
+
+``-P sync date/offset``
+   This option sets the date on which CDS and CDNSKEY records that match this key
+   are to be published to the zone.
+
+``-D date/offset``
+   This option sets the date on which the key is to be deleted. After that date, the
+   key is no longer included in the zone. (However, it may remain in the key
+   repository.)
+
+``-D sync date/offset``
+   This option sets the date on which the CDS and CDNSKEY records that match this
+   key are to be deleted.
+
+Files
+~~~~~
+
+A keyfile can be designed by the key identification ``Knnnn.+aaa+iiiii``
+or the full file name ``Knnnn.+aaa+iiiii.key``, as generated by
+``dnssec-keygen``.
+
+See Also
+~~~~~~~~
+
+:manpage:`dnssec-keygen(8)`, :manpage:`dnssec-signzone(8)`, BIND 9 Administrator Reference Manual,
+:rfc:`5011`.
diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c
new file mode 100644
index 0000000..26d8352
--- /dev/null
+++ b/bin/dnssec/dnssec-keyfromlabel.c
@@ -0,0 +1,782 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <ctype.h>
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/region.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <pk11/site.h>
+
+#include <dns/dnssec.h>
+#include <dns/fixedname.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/name.h>
+#include <dns/rdataclass.h>
+#include <dns/result.h>
+#include <dns/secalg.h>
+
+#include <dst/dst.h>
+
+#if USE_PKCS11
+#include <pk11/result.h>
+#endif /* if USE_PKCS11 */
+
+#include "dnssectool.h"
+
+#define MAX_RSA 4096 /* should be long enough... */
+
+const char *program = "dnssec-keyfromlabel";
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(void) {
+	fprintf(stderr, "Usage:\n");
+	fprintf(stderr, "    %s -l label [options] name\n\n", program);
+	fprintf(stderr, "Version: %s\n", VERSION);
+	fprintf(stderr, "Required options:\n");
+	fprintf(stderr, "    -l label: label of the key pair\n");
+	fprintf(stderr, "    name: owner of the key\n");
+	fprintf(stderr, "Other options:\n");
+	fprintf(stderr, "    -a algorithm: \n"
+			"        DH | RSASHA1 |\n"
+			"        NSEC3RSASHA1 |\n"
+			"        RSASHA256 | RSASHA512 |\n"
+			"        ECDSAP256SHA256 | ECDSAP384SHA384 |\n"
+			"        ED25519 | ED448\n");
+	fprintf(stderr, "    -3: use NSEC3-capable algorithm\n");
+	fprintf(stderr, "    -c class (default: IN)\n");
+	fprintf(stderr, "    -E <engine>:\n");
+#if USE_PKCS11
+	fprintf(stderr,
+		"        path to PKCS#11 provider library "
+		"(default is %s)\n",
+		PK11_LIB_LOCATION);
+#else  /* if USE_PKCS11 */
+	fprintf(stderr, "        name of an OpenSSL engine to use\n");
+#endif /* if USE_PKCS11 */
+	fprintf(stderr, "    -f keyflag: KSK | REVOKE\n");
+	fprintf(stderr, "    -K directory: directory in which to place "
+			"key files\n");
+	fprintf(stderr, "    -k: generate a TYPE=KEY key\n");
+	fprintf(stderr, "    -L ttl: default key TTL\n");
+	fprintf(stderr, "    -n nametype: ZONE | HOST | ENTITY | USER | "
+			"OTHER\n");
+	fprintf(stderr, "        (DNSKEY generation defaults to ZONE\n");
+	fprintf(stderr, "    -p protocol: default: 3 [dnssec]\n");
+	fprintf(stderr, "    -t type: "
+			"AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
+			"(default: AUTHCONF)\n");
+	fprintf(stderr, "    -y: permit keys that might collide\n");
+	fprintf(stderr, "    -v verbose level\n");
+	fprintf(stderr, "    -V: print version information\n");
+	fprintf(stderr, "Date options:\n");
+	fprintf(stderr, "    -P date/[+-]offset: set key publication date\n");
+	fprintf(stderr, "    -P sync date/[+-]offset: set CDS and CDNSKEY "
+			"publication date\n");
+	fprintf(stderr, "    -A date/[+-]offset: set key activation date\n");
+	fprintf(stderr, "    -R date/[+-]offset: set key revocation date\n");
+	fprintf(stderr, "    -I date/[+-]offset: set key inactivation date\n");
+	fprintf(stderr, "    -D date/[+-]offset: set key deletion date\n");
+	fprintf(stderr, "    -D sync date/[+-]offset: set CDS and CDNSKEY "
+			"deletion date\n");
+	fprintf(stderr, "    -G: generate key only; do not set -P or -A\n");
+	fprintf(stderr, "    -C: generate a backward-compatible key, omitting"
+			" all dates\n");
+	fprintf(stderr, "    -S <key>: generate a successor to an existing "
+			"key\n");
+	fprintf(stderr, "    -i <interval>: prepublication interval for "
+			"successor key "
+			"(default: 30 days)\n");
+	fprintf(stderr, "Output:\n");
+	fprintf(stderr, "     K<name>+<alg>+<id>.key, "
+			"K<name>+<alg>+<id>.private\n");
+
+	exit(-1);
+}
+
+int
+main(int argc, char **argv) {
+	char *algname = NULL, *freeit = NULL;
+	char *nametype = NULL, *type = NULL;
+	const char *directory = NULL;
+	const char *predecessor = NULL;
+	dst_key_t *prevkey = NULL;
+	const char *engine = NULL;
+	char *classname = NULL;
+	char *endp;
+	dst_key_t *key = NULL;
+	dns_fixedname_t fname;
+	dns_name_t *name;
+	uint16_t flags = 0, kskflag = 0, revflag = 0;
+	dns_secalg_t alg;
+	bool oldstyle = false;
+	isc_mem_t *mctx = NULL;
+	int ch;
+	int protocol = -1, signatory = 0;
+	isc_result_t ret;
+	isc_textregion_t r;
+	char filename[255];
+	isc_buffer_t buf;
+	isc_log_t *log = NULL;
+	dns_rdataclass_t rdclass;
+	int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
+	char *label = NULL;
+	dns_ttl_t ttl = 0;
+	isc_stdtime_t publish = 0, activate = 0, revoke = 0;
+	isc_stdtime_t inactive = 0, deltime = 0;
+	isc_stdtime_t now;
+	int prepub = -1;
+	bool setpub = false, setact = false;
+	bool setrev = false, setinact = false;
+	bool setdel = false, setttl = false;
+	bool unsetpub = false, unsetact = false;
+	bool unsetrev = false, unsetinact = false;
+	bool unsetdel = false;
+	bool genonly = false;
+	bool use_nsec3 = false;
+	bool avoid_collisions = true;
+	bool exact;
+	unsigned char c;
+	isc_stdtime_t syncadd = 0, syncdel = 0;
+	bool unsetsyncadd = false, setsyncadd = false;
+	bool unsetsyncdel = false, setsyncdel = false;
+
+	if (argc == 1) {
+		usage();
+	}
+
+	isc_mem_create(&mctx);
+
+#if USE_PKCS11
+	pk11_result_register();
+#endif /* if USE_PKCS11 */
+	dns_result_register();
+
+	isc_commandline_errprint = false;
+
+	isc_stdtime_get(&now);
+
+#define CMDLINE_FLAGS "3A:a:Cc:D:E:Ff:GhI:i:kK:L:l:n:P:p:R:S:t:v:Vy"
+	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
+		switch (ch) {
+		case '3':
+			use_nsec3 = true;
+			break;
+		case 'a':
+			algname = isc_commandline_argument;
+			break;
+		case 'C':
+			oldstyle = true;
+			break;
+		case 'c':
+			classname = isc_commandline_argument;
+			break;
+		case 'E':
+			engine = isc_commandline_argument;
+			break;
+		case 'f':
+			c = (unsigned char)(isc_commandline_argument[0]);
+			if (toupper(c) == 'K') {
+				kskflag = DNS_KEYFLAG_KSK;
+			} else if (toupper(c) == 'R') {
+				revflag = DNS_KEYFLAG_REVOKE;
+			} else {
+				fatal("unknown flag '%s'",
+				      isc_commandline_argument);
+			}
+			break;
+		case 'K':
+			directory = isc_commandline_argument;
+			ret = try_dir(directory);
+			if (ret != ISC_R_SUCCESS) {
+				fatal("cannot open directory %s: %s", directory,
+				      isc_result_totext(ret));
+			}
+			break;
+		case 'k':
+			options |= DST_TYPE_KEY;
+			break;
+		case 'L':
+			ttl = strtottl(isc_commandline_argument);
+			setttl = true;
+			break;
+		case 'l':
+			label = isc_mem_strdup(mctx, isc_commandline_argument);
+			break;
+		case 'n':
+			nametype = isc_commandline_argument;
+			break;
+		case 'p':
+			protocol = strtol(isc_commandline_argument, &endp, 10);
+			if (*endp != '\0' || protocol < 0 || protocol > 255) {
+				fatal("-p must be followed by a number "
+				      "[0..255]");
+			}
+			break;
+		case 't':
+			type = isc_commandline_argument;
+			break;
+		case 'v':
+			verbose = strtol(isc_commandline_argument, &endp, 0);
+			if (*endp != '\0') {
+				fatal("-v must be followed by a number");
+			}
+			break;
+		case 'y':
+			avoid_collisions = false;
+			break;
+		case 'G':
+			genonly = true;
+			break;
+		case 'P':
+			/* -Psync ? */
+			if (isoptarg("sync", argv, usage)) {
+				if (unsetsyncadd || setsyncadd) {
+					fatal("-P sync specified more than "
+					      "once");
+				}
+
+				syncadd = strtotime(isc_commandline_argument,
+						    now, now, &setsyncadd);
+				unsetsyncadd = !setsyncadd;
+				break;
+			}
+			/* -Pdnskey ? */
+			(void)isoptarg("dnskey", argv, usage);
+			if (setpub || unsetpub) {
+				fatal("-P specified more than once");
+			}
+
+			publish = strtotime(isc_commandline_argument, now, now,
+					    &setpub);
+			unsetpub = !setpub;
+			break;
+		case 'A':
+			if (setact || unsetact) {
+				fatal("-A specified more than once");
+			}
+
+			activate = strtotime(isc_commandline_argument, now, now,
+					     &setact);
+			unsetact = !setact;
+			break;
+		case 'R':
+			if (setrev || unsetrev) {
+				fatal("-R specified more than once");
+			}
+
+			revoke = strtotime(isc_commandline_argument, now, now,
+					   &setrev);
+			unsetrev = !setrev;
+			break;
+		case 'I':
+			if (setinact || unsetinact) {
+				fatal("-I specified more than once");
+			}
+
+			inactive = strtotime(isc_commandline_argument, now, now,
+					     &setinact);
+			unsetinact = !setinact;
+			break;
+		case 'D':
+			/* -Dsync ? */
+			if (isoptarg("sync", argv, usage)) {
+				if (unsetsyncdel || setsyncdel) {
+					fatal("-D sync specified more than "
+					      "once");
+				}
+
+				syncdel = strtotime(isc_commandline_argument,
+						    now, now, &setsyncdel);
+				unsetsyncdel = !setsyncdel;
+				break;
+			}
+			/* -Ddnskey ? */
+			(void)isoptarg("dnskey", argv, usage);
+			if (setdel || unsetdel) {
+				fatal("-D specified more than once");
+			}
+
+			deltime = strtotime(isc_commandline_argument, now, now,
+					    &setdel);
+			unsetdel = !setdel;
+			break;
+		case 'S':
+			predecessor = isc_commandline_argument;
+			break;
+		case 'i':
+			prepub = strtottl(isc_commandline_argument);
+			break;
+		case 'F':
+			/* Reserved for FIPS mode */
+			FALLTHROUGH;
+		case '?':
+			if (isc_commandline_option != '?') {
+				fprintf(stderr, "%s: invalid argument -%c\n",
+					program, isc_commandline_option);
+			}
+			FALLTHROUGH;
+		case 'h':
+			/* Does not return. */
+			usage();
+
+		case 'V':
+			/* Does not return. */
+			version(program);
+
+		default:
+			fprintf(stderr, "%s: unhandled option -%c\n", program,
+				isc_commandline_option);
+			exit(1);
+		}
+	}
+
+	ret = dst_lib_init(mctx, engine);
+	if (ret != ISC_R_SUCCESS) {
+		fatal("could not initialize dst: %s", isc_result_totext(ret));
+	}
+
+	setup_logging(mctx, &log);
+
+	if (predecessor == NULL) {
+		if (label == NULL) {
+			fatal("the key label was not specified");
+		}
+		if (argc < isc_commandline_index + 1) {
+			fatal("the key name was not specified");
+		}
+		if (argc > isc_commandline_index + 1) {
+			fatal("extraneous arguments");
+		}
+
+		name = dns_fixedname_initname(&fname);
+		isc_buffer_init(&buf, argv[isc_commandline_index],
+				strlen(argv[isc_commandline_index]));
+		isc_buffer_add(&buf, strlen(argv[isc_commandline_index]));
+		ret = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
+		if (ret != ISC_R_SUCCESS) {
+			fatal("invalid key name %s: %s",
+			      argv[isc_commandline_index],
+			      isc_result_totext(ret));
+		}
+
+		if (strchr(label, ':') == NULL) {
+			char *l;
+			int len;
+
+			len = strlen(label) + 8;
+			l = isc_mem_allocate(mctx, len);
+			snprintf(l, len, "pkcs11:%s", label);
+			isc_mem_free(mctx, label);
+			label = l;
+		}
+
+		if (algname == NULL) {
+			fatal("no algorithm specified");
+		}
+
+		r.base = algname;
+		r.length = strlen(algname);
+		ret = dns_secalg_fromtext(&alg, &r);
+		if (ret != ISC_R_SUCCESS) {
+			fatal("unknown algorithm %s", algname);
+		}
+		if (alg == DST_ALG_DH) {
+			options |= DST_TYPE_KEY;
+		}
+
+		if (use_nsec3) {
+			switch (alg) {
+			case DST_ALG_RSASHA1:
+				alg = DST_ALG_NSEC3RSASHA1;
+				break;
+			case DST_ALG_NSEC3RSASHA1:
+			case DST_ALG_RSASHA256:
+			case DST_ALG_RSASHA512:
+			case DST_ALG_ECDSA256:
+			case DST_ALG_ECDSA384:
+			case DST_ALG_ED25519:
+			case DST_ALG_ED448:
+				break;
+			default:
+				fatal("%s is incompatible with NSEC3; "
+				      "do not use the -3 option",
+				      algname);
+			}
+		}
+
+		if (type != NULL && (options & DST_TYPE_KEY) != 0) {
+			if (strcasecmp(type, "NOAUTH") == 0) {
+				flags |= DNS_KEYTYPE_NOAUTH;
+			} else if (strcasecmp(type, "NOCONF") == 0) {
+				flags |= DNS_KEYTYPE_NOCONF;
+			} else if (strcasecmp(type, "NOAUTHCONF") == 0) {
+				flags |= (DNS_KEYTYPE_NOAUTH |
+					  DNS_KEYTYPE_NOCONF);
+			} else if (strcasecmp(type, "AUTHCONF") == 0) {
+				/* nothing */
+			} else {
+				fatal("invalid type %s", type);
+			}
+		}
+
+		if (!oldstyle && prepub > 0) {
+			if (setpub && setact && (activate - prepub) < publish) {
+				fatal("Activation and publication dates "
+				      "are closer together than the\n\t"
+				      "prepublication interval.");
+			}
+
+			if (!setpub && !setact) {
+				setpub = setact = true;
+				publish = now;
+				activate = now + prepub;
+			} else if (setpub && !setact) {
+				setact = true;
+				activate = publish + prepub;
+			} else if (setact && !setpub) {
+				setpub = true;
+				publish = activate - prepub;
+			}
+
+			if ((activate - prepub) < now) {
+				fatal("Time until activation is shorter "
+				      "than the\n\tprepublication interval.");
+			}
+		}
+	} else {
+		char keystr[DST_KEY_FORMATSIZE];
+		isc_stdtime_t when;
+		int major, minor;
+
+		if (prepub == -1) {
+			prepub = (30 * 86400);
+		}
+
+		if (algname != NULL) {
+			fatal("-S and -a cannot be used together");
+		}
+		if (nametype != NULL) {
+			fatal("-S and -n cannot be used together");
+		}
+		if (type != NULL) {
+			fatal("-S and -t cannot be used together");
+		}
+		if (setpub || unsetpub) {
+			fatal("-S and -P cannot be used together");
+		}
+		if (setact || unsetact) {
+			fatal("-S and -A cannot be used together");
+		}
+		if (use_nsec3) {
+			fatal("-S and -3 cannot be used together");
+		}
+		if (oldstyle) {
+			fatal("-S and -C cannot be used together");
+		}
+		if (genonly) {
+			fatal("-S and -G cannot be used together");
+		}
+
+		ret = dst_key_fromnamedfile(predecessor, directory,
+					    DST_TYPE_PUBLIC | DST_TYPE_PRIVATE,
+					    mctx, &prevkey);
+		if (ret != ISC_R_SUCCESS) {
+			fatal("Invalid keyfile %s: %s", predecessor,
+			      isc_result_totext(ret));
+		}
+		if (!dst_key_isprivate(prevkey)) {
+			fatal("%s is not a private key", predecessor);
+		}
+
+		name = dst_key_name(prevkey);
+		alg = dst_key_alg(prevkey);
+		flags = dst_key_flags(prevkey);
+
+		dst_key_format(prevkey, keystr, sizeof(keystr));
+		dst_key_getprivateformat(prevkey, &major, &minor);
+		if (major != DST_MAJOR_VERSION || minor < DST_MINOR_VERSION) {
+			fatal("Key %s has incompatible format version %d.%d\n\t"
+			      "It is not possible to generate a successor key.",
+			      keystr, major, minor);
+		}
+
+		ret = dst_key_gettime(prevkey, DST_TIME_ACTIVATE, &when);
+		if (ret != ISC_R_SUCCESS) {
+			fatal("Key %s has no activation date.\n\t"
+			      "You must use dnssec-settime -A to set one "
+			      "before generating a successor.",
+			      keystr);
+		}
+
+		ret = dst_key_gettime(prevkey, DST_TIME_INACTIVE, &activate);
+		if (ret != ISC_R_SUCCESS) {
+			fatal("Key %s has no inactivation date.\n\t"
+			      "You must use dnssec-settime -I to set one "
+			      "before generating a successor.",
+			      keystr);
+		}
+
+		publish = activate - prepub;
+		if (publish < now) {
+			fatal("Key %s becomes inactive\n\t"
+			      "sooner than the prepublication period "
+			      "for the new key ends.\n\t"
+			      "Either change the inactivation date with "
+			      "dnssec-settime -I,\n\t"
+			      "or use the -i option to set a shorter "
+			      "prepublication interval.",
+			      keystr);
+		}
+
+		ret = dst_key_gettime(prevkey, DST_TIME_DELETE, &when);
+		if (ret != ISC_R_SUCCESS) {
+			fprintf(stderr,
+				"%s: WARNING: Key %s has no removal "
+				"date;\n\t it will remain in the zone "
+				"indefinitely after rollover.\n\t "
+				"You can use dnssec-settime -D to "
+				"change this.\n",
+				program, keystr);
+		}
+
+		setpub = setact = true;
+	}
+
+	if (nametype == NULL) {
+		if ((options & DST_TYPE_KEY) != 0) { /* KEY */
+			fatal("no nametype specified");
+		}
+		flags |= DNS_KEYOWNER_ZONE; /* DNSKEY */
+	} else if (strcasecmp(nametype, "zone") == 0) {
+		flags |= DNS_KEYOWNER_ZONE;
+	} else if ((options & DST_TYPE_KEY) != 0) { /* KEY */
+		if (strcasecmp(nametype, "host") == 0 ||
+		    strcasecmp(nametype, "entity") == 0)
+		{
+			flags |= DNS_KEYOWNER_ENTITY;
+		} else if (strcasecmp(nametype, "user") == 0) {
+			flags |= DNS_KEYOWNER_USER;
+		} else {
+			fatal("invalid KEY nametype %s", nametype);
+		}
+	} else if (strcasecmp(nametype, "other") != 0) { /* DNSKEY */
+		fatal("invalid DNSKEY nametype %s", nametype);
+	}
+
+	rdclass = strtoclass(classname);
+
+	if (directory == NULL) {
+		directory = ".";
+	}
+
+	if ((options & DST_TYPE_KEY) != 0) { /* KEY */
+		flags |= signatory;
+	} else if ((flags & DNS_KEYOWNER_ZONE) != 0) { /* DNSKEY */
+		flags |= kskflag;
+		flags |= revflag;
+	}
+
+	if (protocol == -1) {
+		protocol = DNS_KEYPROTO_DNSSEC;
+	} else if ((options & DST_TYPE_KEY) == 0 &&
+		   protocol != DNS_KEYPROTO_DNSSEC)
+	{
+		fatal("invalid DNSKEY protocol: %d", protocol);
+	}
+
+	if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) {
+		if ((flags & DNS_KEYFLAG_SIGNATORYMASK) != 0) {
+			fatal("specified null key with signing authority");
+		}
+	}
+
+	if ((flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE &&
+	    alg == DNS_KEYALG_DH)
+	{
+		fatal("a key with algorithm '%s' cannot be a zone key",
+		      algname);
+	}
+
+	isc_buffer_init(&buf, filename, sizeof(filename) - 1);
+
+	/* associate the key */
+	ret = dst_key_fromlabel(name, alg, flags, protocol, rdclass,
+#if USE_PKCS11
+				"pkcs11",
+#else  /* if USE_PKCS11 */
+				engine,
+#endif /* if USE_PKCS11 */
+				label, NULL, mctx, &key);
+
+	if (ret != ISC_R_SUCCESS) {
+		char namestr[DNS_NAME_FORMATSIZE];
+		char algstr[DNS_SECALG_FORMATSIZE];
+		dns_name_format(name, namestr, sizeof(namestr));
+		dns_secalg_format(alg, algstr, sizeof(algstr));
+		fatal("failed to get key %s/%s: %s", namestr, algstr,
+		      isc_result_totext(ret));
+		UNREACHABLE();
+		exit(-1);
+	}
+
+	/*
+	 * Set key timing metadata (unless using -C)
+	 *
+	 * Publish and activation dates are set to "now" by default, but
+	 * can be overridden.  Creation date is always set to "now".
+	 */
+	if (!oldstyle) {
+		dst_key_settime(key, DST_TIME_CREATED, now);
+
+		if (genonly && (setpub || setact)) {
+			fatal("cannot use -G together with -P or -A options");
+		}
+
+		if (setpub) {
+			dst_key_settime(key, DST_TIME_PUBLISH, publish);
+		} else if (setact) {
+			dst_key_settime(key, DST_TIME_PUBLISH, activate);
+		} else if (!genonly && !unsetpub) {
+			dst_key_settime(key, DST_TIME_PUBLISH, now);
+		}
+
+		if (setact) {
+			dst_key_settime(key, DST_TIME_ACTIVATE, activate);
+		} else if (!genonly && !unsetact) {
+			dst_key_settime(key, DST_TIME_ACTIVATE, now);
+		}
+
+		if (setrev) {
+			if (kskflag == 0) {
+				fprintf(stderr,
+					"%s: warning: Key is "
+					"not flagged as a KSK, but -R "
+					"was used. Revoking a ZSK is "
+					"legal, but undefined.\n",
+					program);
+			}
+			dst_key_settime(key, DST_TIME_REVOKE, revoke);
+		}
+
+		if (setinact) {
+			dst_key_settime(key, DST_TIME_INACTIVE, inactive);
+		}
+
+		if (setdel) {
+			dst_key_settime(key, DST_TIME_DELETE, deltime);
+		}
+		if (setsyncadd) {
+			dst_key_settime(key, DST_TIME_SYNCPUBLISH, syncadd);
+		}
+		if (setsyncdel) {
+			dst_key_settime(key, DST_TIME_SYNCDELETE, syncdel);
+		}
+	} else {
+		if (setpub || setact || setrev || setinact || setdel ||
+		    unsetpub || unsetact || unsetrev || unsetinact ||
+		    unsetdel || genonly || setsyncadd || setsyncdel)
+		{
+			fatal("cannot use -C together with "
+			      "-P, -A, -R, -I, -D, or -G options");
+		}
+		/*
+		 * Compatibility mode: Private-key-format
+		 * should be set to 1.2.
+		 */
+		dst_key_setprivateformat(key, 1, 2);
+	}
+
+	/* Set default key TTL */
+	if (setttl) {
+		dst_key_setttl(key, ttl);
+	}
+
+	/*
+	 * Do not overwrite an existing key.  Warn LOUDLY if there
+	 * is a risk of ID collision due to this key or another key
+	 * being revoked.
+	 */
+	if (key_collision(key, name, directory, mctx, &exact)) {
+		isc_buffer_clear(&buf);
+		ret = dst_key_buildfilename(key, 0, directory, &buf);
+		if (ret != ISC_R_SUCCESS) {
+			fatal("dst_key_buildfilename returned: %s\n",
+			      isc_result_totext(ret));
+		}
+		if (exact) {
+			fatal("%s: %s already exists\n", program, filename);
+		}
+
+		if (avoid_collisions) {
+			fatal("%s: %s could collide with another key upon "
+			      "revokation\n",
+			      program, filename);
+		}
+
+		fprintf(stderr,
+			"%s: WARNING: Key %s could collide with "
+			"another key upon revokation.  If you plan "
+			"to revoke keys, destroy this key and "
+			"generate a different one.\n",
+			program, filename);
+	}
+
+	ret = dst_key_tofile(key, options, directory);
+	if (ret != ISC_R_SUCCESS) {
+		char keystr[DST_KEY_FORMATSIZE];
+		dst_key_format(key, keystr, sizeof(keystr));
+		fatal("failed to write key %s: %s\n", keystr,
+		      isc_result_totext(ret));
+	}
+
+	isc_buffer_clear(&buf);
+	ret = dst_key_buildfilename(key, 0, NULL, &buf);
+	if (ret != ISC_R_SUCCESS) {
+		fatal("dst_key_buildfilename returned: %s\n",
+		      isc_result_totext(ret));
+	}
+	printf("%s\n", filename);
+	dst_key_free(&key);
+	if (prevkey != NULL) {
+		dst_key_free(&prevkey);
+	}
+
+	cleanup_logging(&log);
+	dst_lib_destroy();
+	if (verbose > 10) {
+		isc_mem_stats(mctx, stdout);
+	}
+	isc_mem_free(mctx, label);
+	isc_mem_destroy(&mctx);
+
+	if (freeit != NULL) {
+		free(freeit);
+	}
+
+	return (0);
+}
diff --git a/bin/dnssec/dnssec-keyfromlabel.rst b/bin/dnssec/dnssec-keyfromlabel.rst
new file mode 100644
index 0000000..57ab9c8
--- /dev/null
+++ b/bin/dnssec/dnssec-keyfromlabel.rst
@@ -0,0 +1,262 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. highlight: console
+
+.. _man_dnssec-keyfromlabel:
+
+dnssec-keyfromlabel - DNSSEC key generation tool
+------------------------------------------------
+
+Synopsis
+~~~~~~~~
+
+:program:`dnssec-keyfromlabel` {**-l** label} [**-3**] [**-a** algorithm] [**-A** date/offset] [**-c** class] [**-D** date/offset] [**-D** sync date/offset] [**-E** engine] [**-f** flag] [**-G**] [**-I** date/offset] [**-i** interval] [**-k**] [**-K** directory] [**-L** ttl] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-R** date/offset] [**-S** key] [**-t** type] [**-v** level] [**-V**] [**-y**] {name}
+
+Description
+~~~~~~~~~~~
+
+``dnssec-keyfromlabel`` generates a pair of key files that reference a
+key object stored in a cryptographic hardware service module (HSM). The
+private key file can be used for DNSSEC signing of zone data as if it
+were a conventional signing key created by ``dnssec-keygen``, but the
+key material is stored within the HSM and the actual signing takes
+place there.
+
+The ``name`` of the key is specified on the command line. This must
+match the name of the zone for which the key is being generated.
+
+Options
+~~~~~~~
+
+``-a algorithm``
+   This option selects the cryptographic algorithm. The value of ``algorithm`` must
+   be one of RSASHA1, NSEC3RSASHA1, RSASHA256, RSASHA512,
+   ECDSAP256SHA256, ECDSAP384SHA384, ED25519, or ED448.
+
+   These values are case-insensitive. In some cases, abbreviations are
+   supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for
+   ECDSAP384SHA384. If RSASHA1 is specified along with the ``-3``
+   option, then NSEC3RSASHA1 is used instead.
+
+   This option is mandatory except when using the
+   ``-S`` option, which copies the algorithm from the predecessory key.
+
+   .. versionchanged:: 9.12.0
+      The default value RSASHA1 for newly generated keys was removed.
+
+``-3``
+   This option uses an NSEC3-capable algorithm to generate a DNSSEC key. If this
+   option is used with an algorithm that has both NSEC and NSEC3
+   versions, then the NSEC3 version is used; for example,
+   ``dnssec-keygen -3a RSASHA1`` specifies the NSEC3RSASHA1 algorithm.
+
+``-E engine``
+   This option specifies the cryptographic hardware to use.
+
+   When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+   engine identifier that drives the cryptographic accelerator or
+   hardware service module (usually ``pkcs11``). When BIND is
+   built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
+   defaults to the path of the PKCS#11 provider library specified via
+   ``--with-pkcs11``.
+
+``-l label``
+   This option specifies the label for a key pair in the crypto hardware.
+
+   When BIND 9 is built with OpenSSL-based PKCS#11 support, the label is
+   an arbitrary string that identifies a particular key. It may be
+   preceded by an optional OpenSSL engine name, followed by a colon, as
+   in ``pkcs11:keylabel``.
+
+   When BIND 9 is built with native PKCS#11 support, the label is a
+   PKCS#11 URI string in the format
+   ``pkcs11:keyword\ =value[;\ keyword\ =value;...]``. Keywords
+   include ``token``, which identifies the HSM; ``object``, which identifies
+   the key; and ``pin-source``, which identifies a file from which the
+   HSM's PIN code can be obtained. The label is stored in the
+   on-disk ``private`` file.
+
+   If the label contains a ``pin-source`` field, tools using the
+   generated key files are able to use the HSM for signing and other
+   operations without any need for an operator to manually enter a PIN.
+   Note: Making the HSM's PIN accessible in this manner may reduce the
+   security advantage of using an HSM; use caution
+   with this feature.
+
+``-n nametype``
+   This option specifies the owner type of the key. The value of ``nametype`` must
+   either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY
+   (for a key associated with a host (KEY)), USER (for a key associated
+   with a user (KEY)), or OTHER (DNSKEY). These values are
+   case-insensitive.
+
+``-C``
+   This option enables compatibility mode, which generates an old-style key, without any metadata.
+   By default, ``dnssec-keyfromlabel`` includes the key's creation
+   date in the metadata stored with the private key; other dates may
+   be set there as well, including publication date, activation date, etc. Keys
+   that include this data may be incompatible with older versions of
+   BIND; the ``-C`` option suppresses them.
+
+``-c class``
+   This option indicates that the DNS record containing the key should have the
+   specified class. If not specified, class IN is used.
+
+``-f flag``
+   This option sets the specified flag in the ``flag`` field of the KEY/DNSKEY record.
+   The only recognized flags are KSK (Key-Signing Key) and REVOKE.
+
+``-G``
+   This option generates a key, but does not publish it or sign with it. This option is
+   incompatible with ``-P`` and ``-A``.
+
+``-h``
+   This option prints a short summary of the options and arguments to
+   ``dnssec-keyfromlabel``.
+
+``-K directory``
+   This option sets the directory in which the key files are to be written.
+
+``-k``
+   This option generates KEY records rather than DNSKEY records.
+
+``-L`` ttl
+   This option sets the default TTL to use for this key when it is converted into a
+   DNSKEY RR. This is the TTL used when the key is imported into a zone,
+   unless there was already a DNSKEY RRset in
+   place, in which case the existing TTL would take precedence. Setting
+   the default TTL to ``0`` or ``none`` removes it.
+
+``-p protocol``
+   This option sets the protocol value for the key. The protocol is a number between
+   0 and 255. The default is 3 (DNSSEC). Other possible values for this
+   argument are listed in :rfc:`2535` and its successors.
+
+``-S key``
+   This option generates a key as an explicit successor to an existing key. The name,
+   algorithm, size, and type of the key are set to match the
+   predecessor. The activation date of the new key is set to the
+   inactivation date of the existing one. The publication date is
+   set to the activation date minus the prepublication interval, which
+   defaults to 30 days.
+
+``-t type``
+   This option indicates the type of the key. ``type`` must be one of AUTHCONF,
+   NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers
+   to the ability to authenticate data, and CONF to the ability to encrypt
+   data.
+
+``-v level``
+   This option sets the debugging level.
+
+``-V``
+   This option prints version information.
+
+``-y``
+   This option allows DNSSEC key files to be generated even if the key ID would
+   collide with that of an existing key, in the event of either key
+   being revoked. (This is only safe to enable if
+   :rfc:`5011` trust anchor maintenance is not used with either of the keys
+   involved.)
+
+Timing Options
+~~~~~~~~~~~~~~
+
+Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the
+argument begins with a ``+`` or ``-``, it is interpreted as an offset from
+the present time. For convenience, if such an offset is followed by one
+of the suffixes ``y``, ``mo``, ``w``, ``d``, ``h``, or ``mi``, then the offset is
+computed in years (defined as 365 24-hour days, ignoring leap years),
+months (defined as 30 24-hour days), weeks, days, hours, or minutes,
+respectively. Without a suffix, the offset is computed in seconds. To
+explicitly prevent a date from being set, use ``none`` or ``never``.
+
+``-P date/offset``
+   This option sets the date on which a key is to be published to the zone. After
+   that date, the key is included in the zone but is not used
+   to sign it. If not set, and if the ``-G`` option has not been used, the
+   default is the current date.
+
+``-P sync date/offset``
+   This option sets the date on which CDS and CDNSKEY records that match this key
+   are to be published to the zone.
+
+``-A date/offset``
+   This option sets the date on which the key is to be activated. After that date,
+   the key is included in the zone and used to sign it. If not set,
+   and if the ``-G`` option has not been used, the default is the current date.
+
+``-R date/offset``
+   This option sets the date on which the key is to be revoked. After that date, the
+   key is flagged as revoked. It is included in the zone and
+   is used to sign it.
+
+``-I date/offset``
+   This option sets the date on which the key is to be retired. After that date, the
+   key is still included in the zone, but it is not used to
+   sign it.
+
+``-D date/offset``
+   This option sets the date on which the key is to be deleted. After that date, the
+   key is no longer included in the zone. (However, it may remain in the key
+   repository.)
+
+``-D sync date/offset``
+   This option sets the date on which the CDS and CDNSKEY records that match this
+   key are to be deleted.
+
+``-i interval``
+   This option sets the prepublication interval for a key. If set, then the
+   publication and activation dates must be separated by at least this
+   much time. If the activation date is specified but the publication
+   date is not, the publication date defaults to this much time
+   before the activation date; conversely, if the publication date is
+   specified but not the activation date, activation is set to
+   this much time after publication.
+
+   If the key is being created as an explicit successor to another key,
+   then the default prepublication interval is 30 days; otherwise it is
+   zero.
+
+   As with date offsets, if the argument is followed by one of the
+   suffixes ``y``, ``mo``, ``w``, ``d``, ``h``, or ``mi``, the interval is
+   measured in years, months, weeks, days, hours, or minutes,
+   respectively. Without a suffix, the interval is measured in seconds.
+
+Generated Key Files
+~~~~~~~~~~~~~~~~~~~
+
+When ``dnssec-keyfromlabel`` completes successfully, it prints a string
+of the form ``Knnnn.+aaa+iiiii`` to the standard output. This is an
+identification string for the key files it has generated.
+
+-  ``nnnn`` is the key name.
+
+-  ``aaa`` is the numeric representation of the algorithm.
+
+-  ``iiiii`` is the key identifier (or footprint).
+
+``dnssec-keyfromlabel`` creates two files, with names based on the
+printed string. ``Knnnn.+aaa+iiiii.key`` contains the public key, and
+``Knnnn.+aaa+iiiii.private`` contains the private key.
+
+The ``.key`` file contains a DNS KEY record that can be inserted into a
+zone file (directly or with an $INCLUDE statement).
+
+The ``.private`` file contains algorithm-specific fields. For obvious
+security reasons, this file does not have general read permission.
+
+See Also
+~~~~~~~~
+
+:manpage:`dnssec-keygen(8)`, :manpage:`dnssec-signzone(8)`, BIND 9 Administrator Reference Manual,
+:rfc:`4034`, :rfc:`7512`.
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
new file mode 100644
index 0000000..1c663e2
--- /dev/null
+++ b/bin/dnssec/dnssec-keygen.c
@@ -0,0 +1,1315 @@
+/*
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * Portions Copyright (C) Network Associates, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*! \file */
+
+#include <ctype.h>
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/region.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <pk11/site.h>
+
+#include <dns/dnssec.h>
+#include <dns/fixedname.h>
+#include <dns/kasp.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/name.h>
+#include <dns/rdataclass.h>
+#include <dns/result.h>
+#include <dns/secalg.h>
+
+#include <dst/dst.h>
+
+#include <isccfg/cfg.h>
+#include <isccfg/grammar.h>
+#include <isccfg/kaspconf.h>
+#include <isccfg/namedconf.h>
+
+#if USE_PKCS11
+#include <pk11/result.h>
+#endif /* if USE_PKCS11 */
+
+#include "dnssectool.h"
+
+#define MAX_RSA 4096 /* should be long enough... */
+
+const char *program = "dnssec-keygen";
+
+isc_log_t *lctx = NULL;
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
+
+static void
+progress(int p);
+
+struct keygen_ctx {
+	const char *predecessor;
+	const char *policy;
+	const char *configfile;
+	const char *directory;
+	char *algname;
+	char *nametype;
+	char *type;
+	int generator;
+	int protocol;
+	int size;
+	int signatory;
+	dns_rdataclass_t rdclass;
+	int options;
+	int dbits;
+	dns_ttl_t ttl;
+	uint16_t kskflag;
+	uint16_t revflag;
+	dns_secalg_t alg;
+	/* timing data */
+	int prepub;
+	isc_stdtime_t now;
+	isc_stdtime_t publish;
+	isc_stdtime_t activate;
+	isc_stdtime_t inactive;
+	isc_stdtime_t revokekey;
+	isc_stdtime_t deltime;
+	isc_stdtime_t syncadd;
+	isc_stdtime_t syncdel;
+	bool setpub;
+	bool setact;
+	bool setinact;
+	bool setrev;
+	bool setdel;
+	bool setsyncadd;
+	bool setsyncdel;
+	bool unsetpub;
+	bool unsetact;
+	bool unsetinact;
+	bool unsetrev;
+	bool unsetdel;
+	/* how to generate the key */
+	bool setttl;
+	bool use_nsec3;
+	bool genonly;
+	bool showprogress;
+	bool quiet;
+	bool oldstyle;
+	/* state */
+	time_t lifetime;
+	bool ksk;
+	bool zsk;
+};
+
+typedef struct keygen_ctx keygen_ctx_t;
+
+static void
+usage(void) {
+	fprintf(stderr, "Usage:\n");
+	fprintf(stderr, "    %s [options] name\n\n", program);
+	fprintf(stderr, "Version: %s\n", VERSION);
+	fprintf(stderr, "    name: owner of the key\n");
+	fprintf(stderr, "Options:\n");
+	fprintf(stderr, "    -K <directory>: write keys into directory\n");
+	fprintf(stderr, "    -k <policy>: generate keys for dnssec-policy\n");
+	fprintf(stderr, "    -l <file>: configuration file with dnssec-policy "
+			"statement\n");
+	fprintf(stderr, "    -a <algorithm>:\n");
+	fprintf(stderr, "        RSASHA1 | NSEC3RSASHA1 |\n");
+	fprintf(stderr, "        RSASHA256 | RSASHA512 |\n");
+	fprintf(stderr, "        ECDSAP256SHA256 | ECDSAP384SHA384 |\n");
+	fprintf(stderr, "        ED25519 | ED448 | DH\n");
+	fprintf(stderr, "    -3: use NSEC3-capable algorithm\n");
+	fprintf(stderr, "    -b <key size in bits>:\n");
+	fprintf(stderr, "        RSASHA1:\t[1024..%d]\n", MAX_RSA);
+	fprintf(stderr, "        NSEC3RSASHA1:\t[1024..%d]\n", MAX_RSA);
+	fprintf(stderr, "        RSASHA256:\t[1024..%d]\n", MAX_RSA);
+	fprintf(stderr, "        RSASHA512:\t[1024..%d]\n", MAX_RSA);
+	fprintf(stderr, "        DH:\t\t[128..4096]\n");
+	fprintf(stderr, "        ECDSAP256SHA256:\tignored\n");
+	fprintf(stderr, "        ECDSAP384SHA384:\tignored\n");
+	fprintf(stderr, "        ED25519:\tignored\n");
+	fprintf(stderr, "        ED448:\tignored\n");
+	fprintf(stderr, "        (key size defaults are set according to\n"
+			"        algorithm and usage (ZSK or KSK)\n");
+	fprintf(stderr, "    -n <nametype>: ZONE | HOST | ENTITY | "
+			"USER | OTHER\n");
+	fprintf(stderr, "        (DNSKEY generation defaults to ZONE)\n");
+	fprintf(stderr, "    -c <class>: (default: IN)\n");
+	fprintf(stderr, "    -d <digest bits> (0 => max, default)\n");
+	fprintf(stderr, "    -E <engine>:\n");
+#if USE_PKCS11
+	fprintf(stderr,
+		"        path to PKCS#11 provider library "
+		"(default is %s)\n",
+		PK11_LIB_LOCATION);
+#else  /* if USE_PKCS11 */
+	fprintf(stderr, "        name of an OpenSSL engine to use\n");
+#endif /* if USE_PKCS11 */
+	fprintf(stderr, "    -f <keyflag>: KSK | REVOKE\n");
+	fprintf(stderr, "    -g <generator>: use specified generator "
+			"(DH only)\n");
+	fprintf(stderr, "    -L <ttl>: default key TTL\n");
+	fprintf(stderr, "    -p <protocol>: (default: 3 [dnssec])\n");
+	fprintf(stderr, "    -s <strength>: strength value this key signs DNS "
+			"records with (default: 0)\n");
+	fprintf(stderr, "    -T <rrtype>: DNSKEY | KEY (default: DNSKEY; "
+			"use KEY for SIG(0))\n");
+	fprintf(stderr, "    -t <type>: "
+			"AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
+			"(default: AUTHCONF)\n");
+	fprintf(stderr, "    -h: print usage and exit\n");
+	fprintf(stderr, "    -m <memory debugging mode>:\n");
+	fprintf(stderr, "       usage | trace | record | size | mctx\n");
+	fprintf(stderr, "    -v <level>: set verbosity level (0 - 10)\n");
+	fprintf(stderr, "    -V: print version information\n");
+	fprintf(stderr, "Timing options:\n");
+	fprintf(stderr, "    -P date/[+-]offset/none: set key publication date "
+			"(default: now)\n");
+	fprintf(stderr, "    -P sync date/[+-]offset/none: set CDS and CDNSKEY "
+			"publication date\n");
+	fprintf(stderr, "    -A date/[+-]offset/none: set key activation date "
+			"(default: now)\n");
+	fprintf(stderr, "    -R date/[+-]offset/none: set key "
+			"revocation date\n");
+	fprintf(stderr, "    -I date/[+-]offset/none: set key "
+			"inactivation date\n");
+	fprintf(stderr, "    -D date/[+-]offset/none: set key deletion date\n");
+	fprintf(stderr, "    -D sync date/[+-]offset/none: set CDS and CDNSKEY "
+			"deletion date\n");
+
+	fprintf(stderr, "    -G: generate key only; do not set -P or -A\n");
+	fprintf(stderr, "    -C: generate a backward-compatible key, omitting "
+			"all dates\n");
+	fprintf(stderr, "    -S <key>: generate a successor to an existing "
+			"key\n");
+	fprintf(stderr, "    -i <interval>: prepublication interval for "
+			"successor key "
+			"(default: 30 days)\n");
+	fprintf(stderr, "Output:\n");
+	fprintf(stderr, "     K<name>+<alg>+<id>.key, "
+			"K<name>+<alg>+<id>.private\n");
+
+	exit(-1);
+}
+
+static void
+progress(int p) {
+	char c = '*';
+
+	switch (p) {
+	case 0:
+		c = '.';
+		break;
+	case 1:
+		c = '+';
+		break;
+	case 2:
+		c = '*';
+		break;
+	case 3:
+		c = ' ';
+		break;
+	default:
+		break;
+	}
+	(void)putc(c, stderr);
+	(void)fflush(stderr);
+}
+
+static void
+kasp_from_conf(cfg_obj_t *config, isc_mem_t *mctx, const char *name,
+	       dns_kasp_t **kaspp) {
+	const cfg_listelt_t *element;
+	const cfg_obj_t *kasps = NULL;
+	dns_kasp_t *kasp = NULL, *kasp_next;
+	isc_result_t result = ISC_R_NOTFOUND;
+	dns_kasplist_t kasplist;
+
+	ISC_LIST_INIT(kasplist);
+
+	(void)cfg_map_get(config, "dnssec-policy", &kasps);
+	for (element = cfg_list_first(kasps); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		cfg_obj_t *kconfig = cfg_listelt_value(element);
+		kasp = NULL;
+		if (strcmp(cfg_obj_asstring(cfg_tuple_get(kconfig, "name")),
+			   name) != 0)
+		{
+			continue;
+		}
+
+		result = cfg_kasp_fromconfig(kconfig, NULL, mctx, lctx,
+					     &kasplist, &kasp);
+		if (result != ISC_R_SUCCESS) {
+			fatal("failed to configure dnssec-policy '%s': %s",
+			      cfg_obj_asstring(cfg_tuple_get(kconfig, "name")),
+			      isc_result_totext(result));
+		}
+		INSIST(kasp != NULL);
+		dns_kasp_freeze(kasp);
+		break;
+	}
+
+	*kaspp = kasp;
+
+	/*
+	 * Cleanup kasp list.
+	 */
+	for (kasp = ISC_LIST_HEAD(kasplist); kasp != NULL; kasp = kasp_next) {
+		kasp_next = ISC_LIST_NEXT(kasp, link);
+		ISC_LIST_UNLINK(kasplist, kasp, link);
+		dns_kasp_detach(&kasp);
+	}
+}
+
+static void
+keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
+	char filename[255];
+	char algstr[DNS_SECALG_FORMATSIZE];
+	uint16_t flags = 0;
+	int param = 0;
+	bool null_key = false;
+	bool conflict = false;
+	bool show_progress = false;
+	isc_buffer_t buf;
+	dns_name_t *name;
+	dns_fixedname_t fname;
+	isc_result_t ret;
+	dst_key_t *key = NULL;
+	dst_key_t *prevkey = NULL;
+
+	UNUSED(argc);
+
+	dns_secalg_format(ctx->alg, algstr, sizeof(algstr));
+
+	if (ctx->predecessor == NULL) {
+		if (ctx->prepub == -1) {
+			ctx->prepub = 0;
+		}
+
+		name = dns_fixedname_initname(&fname);
+		isc_buffer_init(&buf, argv[isc_commandline_index],
+				strlen(argv[isc_commandline_index]));
+		isc_buffer_add(&buf, strlen(argv[isc_commandline_index]));
+		ret = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
+		if (ret != ISC_R_SUCCESS) {
+			fatal("invalid key name %s: %s",
+			      argv[isc_commandline_index],
+			      isc_result_totext(ret));
+		}
+
+		if (!dst_algorithm_supported(ctx->alg)) {
+			fatal("unsupported algorithm: %s", algstr);
+		}
+
+		if (ctx->alg == DST_ALG_DH) {
+			ctx->options |= DST_TYPE_KEY;
+		}
+
+		if (ctx->use_nsec3) {
+			switch (ctx->alg) {
+			case DST_ALG_RSASHA1:
+				ctx->alg = DST_ALG_NSEC3RSASHA1;
+				break;
+			case DST_ALG_NSEC3RSASHA1:
+			case DST_ALG_RSASHA256:
+			case DST_ALG_RSASHA512:
+			case DST_ALG_ECDSA256:
+			case DST_ALG_ECDSA384:
+			case DST_ALG_ED25519:
+			case DST_ALG_ED448:
+				break;
+			default:
+				fatal("algorithm %s is incompatible with NSEC3"
+				      ", do not use the -3 option",
+				      algstr);
+			}
+		}
+
+		if (ctx->type != NULL && (ctx->options & DST_TYPE_KEY) != 0) {
+			if (strcasecmp(ctx->type, "NOAUTH") == 0) {
+				flags |= DNS_KEYTYPE_NOAUTH;
+			} else if (strcasecmp(ctx->type, "NOCONF") == 0) {
+				flags |= DNS_KEYTYPE_NOCONF;
+			} else if (strcasecmp(ctx->type, "NOAUTHCONF") == 0) {
+				flags |= (DNS_KEYTYPE_NOAUTH |
+					  DNS_KEYTYPE_NOCONF);
+				if (ctx->size < 0) {
+					ctx->size = 0;
+				}
+			} else if (strcasecmp(ctx->type, "AUTHCONF") == 0) {
+				/* nothing */
+			} else {
+				fatal("invalid type %s", ctx->type);
+			}
+		}
+
+		if (ctx->size < 0) {
+			switch (ctx->alg) {
+			case DST_ALG_RSASHA1:
+			case DST_ALG_NSEC3RSASHA1:
+			case DST_ALG_RSASHA256:
+			case DST_ALG_RSASHA512:
+				ctx->size = 2048;
+				if (verbose > 0) {
+					fprintf(stderr,
+						"key size not "
+						"specified; defaulting"
+						" to %d\n",
+						ctx->size);
+				}
+				break;
+			case DST_ALG_ECDSA256:
+			case DST_ALG_ECDSA384:
+			case DST_ALG_ED25519:
+			case DST_ALG_ED448:
+				break;
+			default:
+				fatal("key size not specified (-b option)");
+			}
+		}
+
+		if (!ctx->oldstyle && ctx->prepub > 0) {
+			if (ctx->setpub && ctx->setact &&
+			    (ctx->activate - ctx->prepub) < ctx->publish)
+			{
+				fatal("Activation and publication dates "
+				      "are closer together than the\n\t"
+				      "prepublication interval.");
+			}
+
+			if (!ctx->setpub && !ctx->setact) {
+				ctx->setpub = ctx->setact = true;
+				ctx->publish = ctx->now;
+				ctx->activate = ctx->now + ctx->prepub;
+			} else if (ctx->setpub && !ctx->setact) {
+				ctx->setact = true;
+				ctx->activate = ctx->publish + ctx->prepub;
+			} else if (ctx->setact && !ctx->setpub) {
+				ctx->setpub = true;
+				ctx->publish = ctx->activate - ctx->prepub;
+			}
+
+			if ((ctx->activate - ctx->prepub) < ctx->now) {
+				fatal("Time until activation is shorter "
+				      "than the\n\tprepublication interval.");
+			}
+		}
+	} else {
+		char keystr[DST_KEY_FORMATSIZE];
+		isc_stdtime_t when;
+		int major, minor;
+
+		if (ctx->prepub == -1) {
+			ctx->prepub = (30 * 86400);
+		}
+
+		if (ctx->alg != 0) {
+			fatal("-S and -a cannot be used together");
+		}
+		if (ctx->size >= 0) {
+			fatal("-S and -b cannot be used together");
+		}
+		if (ctx->nametype != NULL) {
+			fatal("-S and -n cannot be used together");
+		}
+		if (ctx->type != NULL) {
+			fatal("-S and -t cannot be used together");
+		}
+		if (ctx->setpub || ctx->unsetpub) {
+			fatal("-S and -P cannot be used together");
+		}
+		if (ctx->setact || ctx->unsetact) {
+			fatal("-S and -A cannot be used together");
+		}
+		if (ctx->use_nsec3) {
+			fatal("-S and -3 cannot be used together");
+		}
+		if (ctx->oldstyle) {
+			fatal("-S and -C cannot be used together");
+		}
+		if (ctx->genonly) {
+			fatal("-S and -G cannot be used together");
+		}
+
+		ret = dst_key_fromnamedfile(
+			ctx->predecessor, ctx->directory,
+			(DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_STATE),
+			mctx, &prevkey);
+		if (ret != ISC_R_SUCCESS) {
+			fatal("Invalid keyfile %s: %s", ctx->predecessor,
+			      isc_result_totext(ret));
+		}
+		if (!dst_key_isprivate(prevkey)) {
+			fatal("%s is not a private key", ctx->predecessor);
+		}
+
+		name = dst_key_name(prevkey);
+		ctx->alg = dst_key_alg(prevkey);
+		ctx->size = dst_key_size(prevkey);
+		flags = dst_key_flags(prevkey);
+
+		dst_key_format(prevkey, keystr, sizeof(keystr));
+		dst_key_getprivateformat(prevkey, &major, &minor);
+		if (major != DST_MAJOR_VERSION || minor < DST_MINOR_VERSION) {
+			fatal("Key %s has incompatible format version %d.%d\n\t"
+			      "It is not possible to generate a successor key.",
+			      keystr, major, minor);
+		}
+
+		ret = dst_key_gettime(prevkey, DST_TIME_ACTIVATE, &when);
+		if (ret != ISC_R_SUCCESS) {
+			fatal("Key %s has no activation date.\n\t"
+			      "You must use dnssec-settime -A to set one "
+			      "before generating a successor.",
+			      keystr);
+		}
+
+		ret = dst_key_gettime(prevkey, DST_TIME_INACTIVE,
+				      &ctx->activate);
+		if (ret != ISC_R_SUCCESS) {
+			fatal("Key %s has no inactivation date.\n\t"
+			      "You must use dnssec-settime -I to set one "
+			      "before generating a successor.",
+			      keystr);
+		}
+
+		ctx->publish = ctx->activate - ctx->prepub;
+		if (ctx->publish < ctx->now) {
+			fatal("Key %s becomes inactive\n\t"
+			      "sooner than the prepublication period "
+			      "for the new key ends.\n\t"
+			      "Either change the inactivation date with "
+			      "dnssec-settime -I,\n\t"
+			      "or use the -i option to set a shorter "
+			      "prepublication interval.",
+			      keystr);
+		}
+
+		ret = dst_key_gettime(prevkey, DST_TIME_DELETE, &when);
+		if (ret != ISC_R_SUCCESS) {
+			fprintf(stderr,
+				"%s: WARNING: Key %s has no removal "
+				"date;\n\t it will remain in the zone "
+				"indefinitely after rollover.\n\t "
+				"You can use dnssec-settime -D to "
+				"change this.\n",
+				program, keystr);
+		}
+
+		ctx->setpub = ctx->setact = true;
+	}
+
+	switch (ctx->alg) {
+	case DNS_KEYALG_RSASHA1:
+	case DNS_KEYALG_NSEC3RSASHA1:
+	case DNS_KEYALG_RSASHA256:
+		if (ctx->size != 0 && (ctx->size < 1024 || ctx->size > MAX_RSA))
+		{
+			fatal("RSA key size %d out of range", ctx->size);
+		}
+		break;
+	case DNS_KEYALG_RSASHA512:
+		if (ctx->size != 0 && (ctx->size < 1024 || ctx->size > MAX_RSA))
+		{
+			fatal("RSA key size %d out of range", ctx->size);
+		}
+		break;
+	case DNS_KEYALG_DH:
+		if (ctx->size != 0 && (ctx->size < 128 || ctx->size > 4096)) {
+			fatal("DH key size %d out of range", ctx->size);
+		}
+		break;
+	case DST_ALG_ECDSA256:
+		ctx->size = 256;
+		break;
+	case DST_ALG_ECDSA384:
+		ctx->size = 384;
+		break;
+	case DST_ALG_ED25519:
+		ctx->size = 256;
+		break;
+	case DST_ALG_ED448:
+		ctx->size = 456;
+		break;
+	}
+
+	if (ctx->alg != DNS_KEYALG_DH && ctx->generator != 0) {
+		fatal("specified DH generator for a non-DH key");
+	}
+
+	if (ctx->nametype == NULL) {
+		if ((ctx->options & DST_TYPE_KEY) != 0) { /* KEY */
+			fatal("no nametype specified");
+		}
+		flags |= DNS_KEYOWNER_ZONE; /* DNSKEY */
+	} else if (strcasecmp(ctx->nametype, "zone") == 0) {
+		flags |= DNS_KEYOWNER_ZONE;
+	} else if ((ctx->options & DST_TYPE_KEY) != 0) { /* KEY */
+		if (strcasecmp(ctx->nametype, "host") == 0 ||
+		    strcasecmp(ctx->nametype, "entity") == 0)
+		{
+			flags |= DNS_KEYOWNER_ENTITY;
+		} else if (strcasecmp(ctx->nametype, "user") == 0) {
+			flags |= DNS_KEYOWNER_USER;
+		} else {
+			fatal("invalid KEY nametype %s", ctx->nametype);
+		}
+	} else if (strcasecmp(ctx->nametype, "other") != 0) { /* DNSKEY */
+		fatal("invalid DNSKEY nametype %s", ctx->nametype);
+	}
+
+	if (ctx->directory == NULL) {
+		ctx->directory = ".";
+	}
+
+	if ((ctx->options & DST_TYPE_KEY) != 0) { /* KEY */
+		flags |= ctx->signatory;
+	} else if ((flags & DNS_KEYOWNER_ZONE) != 0) { /* DNSKEY */
+		flags |= ctx->kskflag;
+		flags |= ctx->revflag;
+	}
+
+	if (ctx->protocol == -1) {
+		ctx->protocol = DNS_KEYPROTO_DNSSEC;
+	} else if ((ctx->options & DST_TYPE_KEY) == 0 &&
+		   ctx->protocol != DNS_KEYPROTO_DNSSEC)
+	{
+		fatal("invalid DNSKEY protocol: %d", ctx->protocol);
+	}
+
+	if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) {
+		if (ctx->size > 0) {
+			fatal("specified null key with non-zero size");
+		}
+		if ((flags & DNS_KEYFLAG_SIGNATORYMASK) != 0) {
+			fatal("specified null key with signing authority");
+		}
+	}
+
+	if ((flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE &&
+	    ctx->alg == DNS_KEYALG_DH)
+	{
+		fatal("a key with algorithm %s cannot be a zone key", algstr);
+	}
+
+	switch (ctx->alg) {
+	case DNS_KEYALG_RSASHA1:
+	case DNS_KEYALG_NSEC3RSASHA1:
+	case DNS_KEYALG_RSASHA256:
+	case DNS_KEYALG_RSASHA512:
+		show_progress = true;
+		break;
+
+	case DNS_KEYALG_DH:
+		param = ctx->generator;
+		break;
+
+	case DST_ALG_ECDSA256:
+	case DST_ALG_ECDSA384:
+	case DST_ALG_ED25519:
+	case DST_ALG_ED448:
+		show_progress = true;
+		break;
+	}
+
+	if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) {
+		null_key = true;
+	}
+
+	isc_buffer_init(&buf, filename, sizeof(filename) - 1);
+
+	do {
+		conflict = false;
+
+		if (!ctx->quiet && show_progress) {
+			fprintf(stderr, "Generating key pair.");
+			ret = dst_key_generate(name, ctx->alg, ctx->size, param,
+					       flags, ctx->protocol,
+					       ctx->rdclass, mctx, &key,
+					       &progress);
+			putc('\n', stderr);
+			fflush(stderr);
+		} else {
+			ret = dst_key_generate(name, ctx->alg, ctx->size, param,
+					       flags, ctx->protocol,
+					       ctx->rdclass, mctx, &key, NULL);
+		}
+
+		if (ret != ISC_R_SUCCESS) {
+			char namestr[DNS_NAME_FORMATSIZE];
+			dns_name_format(name, namestr, sizeof(namestr));
+			fatal("failed to generate key %s/%s: %s\n", namestr,
+			      algstr, isc_result_totext(ret));
+		}
+
+		dst_key_setbits(key, ctx->dbits);
+
+		/*
+		 * Set key timing metadata (unless using -C)
+		 *
+		 * Creation date is always set to "now".
+		 *
+		 * For a new key without an explicit predecessor, publish
+		 * and activation dates are set to "now" by default, but
+		 * can both be overridden.
+		 *
+		 * For a successor key, activation is set to match the
+		 * predecessor's inactivation date.  Publish is set to 30
+		 * days earlier than that (XXX: this should be configurable).
+		 * If either of the resulting dates are in the past, that's
+		 * an error; the inactivation date of the predecessor key
+		 * must be updated before a successor key can be created.
+		 */
+		if (!ctx->oldstyle) {
+			dst_key_settime(key, DST_TIME_CREATED, ctx->now);
+
+			if (ctx->genonly && (ctx->setpub || ctx->setact)) {
+				fatal("cannot use -G together with "
+				      "-P or -A options");
+			}
+
+			if (ctx->setpub) {
+				dst_key_settime(key, DST_TIME_PUBLISH,
+						ctx->publish);
+			} else if (ctx->setact && !ctx->unsetpub) {
+				dst_key_settime(key, DST_TIME_PUBLISH,
+						ctx->activate - ctx->prepub);
+			} else if (!ctx->genonly && !ctx->unsetpub) {
+				dst_key_settime(key, DST_TIME_PUBLISH,
+						ctx->now);
+			}
+
+			if (ctx->setact) {
+				dst_key_settime(key, DST_TIME_ACTIVATE,
+						ctx->activate);
+			} else if (!ctx->genonly && !ctx->unsetact) {
+				dst_key_settime(key, DST_TIME_ACTIVATE,
+						ctx->now);
+			}
+
+			if (ctx->setrev) {
+				if (ctx->kskflag == 0) {
+					fprintf(stderr,
+						"%s: warning: Key is "
+						"not flagged as a KSK, but -R "
+						"was used. Revoking a ZSK is "
+						"legal, but undefined.\n",
+						program);
+				}
+				dst_key_settime(key, DST_TIME_REVOKE,
+						ctx->revokekey);
+			}
+
+			if (ctx->setinact) {
+				dst_key_settime(key, DST_TIME_INACTIVE,
+						ctx->inactive);
+			}
+
+			if (ctx->setdel) {
+				if (ctx->setinact &&
+				    ctx->deltime < ctx->inactive)
+				{
+					fprintf(stderr,
+						"%s: warning: Key is "
+						"scheduled to be deleted "
+						"before it is scheduled to be "
+						"made inactive.\n",
+						program);
+				}
+				dst_key_settime(key, DST_TIME_DELETE,
+						ctx->deltime);
+			}
+
+			if (ctx->setsyncadd) {
+				dst_key_settime(key, DST_TIME_SYNCPUBLISH,
+						ctx->syncadd);
+			}
+
+			if (ctx->setsyncdel) {
+				dst_key_settime(key, DST_TIME_SYNCDELETE,
+						ctx->syncdel);
+			}
+		} else {
+			if (ctx->setpub || ctx->setact || ctx->setrev ||
+			    ctx->setinact || ctx->setdel || ctx->unsetpub ||
+			    ctx->unsetact || ctx->unsetrev || ctx->unsetinact ||
+			    ctx->unsetdel || ctx->genonly || ctx->setsyncadd ||
+			    ctx->setsyncdel)
+			{
+				fatal("cannot use -C together with "
+				      "-P, -A, -R, -I, -D, or -G options");
+			}
+			/*
+			 * Compatibility mode: Private-key-format
+			 * should be set to 1.2.
+			 */
+			dst_key_setprivateformat(key, 1, 2);
+		}
+
+		/* Set the default key TTL */
+		if (ctx->setttl) {
+			dst_key_setttl(key, ctx->ttl);
+		}
+
+		/* Set dnssec-policy related metadata */
+		if (ctx->policy != NULL) {
+			dst_key_setnum(key, DST_NUM_LIFETIME, ctx->lifetime);
+			dst_key_setbool(key, DST_BOOL_KSK, ctx->ksk);
+			dst_key_setbool(key, DST_BOOL_ZSK, ctx->zsk);
+		}
+
+		/*
+		 * Do not overwrite an existing key, or create a key
+		 * if there is a risk of ID collision due to this key
+		 * or another key being revoked.
+		 */
+		if (key_collision(key, name, ctx->directory, mctx, NULL)) {
+			conflict = true;
+			if (null_key) {
+				dst_key_free(&key);
+				break;
+			}
+
+			if (verbose > 0) {
+				isc_buffer_clear(&buf);
+				ret = dst_key_buildfilename(
+					key, 0, ctx->directory, &buf);
+				if (ret == ISC_R_SUCCESS) {
+					fprintf(stderr,
+						"%s: %s already exists, or "
+						"might collide with another "
+						"key upon revokation.  "
+						"Generating a new key\n",
+						program, filename);
+				}
+			}
+
+			dst_key_free(&key);
+		}
+	} while (conflict);
+
+	if (conflict) {
+		fatal("cannot generate a null key due to possible key ID "
+		      "collision");
+	}
+
+	if (ctx->predecessor != NULL && prevkey != NULL) {
+		dst_key_setnum(prevkey, DST_NUM_SUCCESSOR, dst_key_id(key));
+		dst_key_setnum(key, DST_NUM_PREDECESSOR, dst_key_id(prevkey));
+
+		ret = dst_key_tofile(prevkey, ctx->options, ctx->directory);
+		if (ret != ISC_R_SUCCESS) {
+			char keystr[DST_KEY_FORMATSIZE];
+			dst_key_format(prevkey, keystr, sizeof(keystr));
+			fatal("failed to update predecessor %s: %s\n", keystr,
+			      isc_result_totext(ret));
+		}
+	}
+
+	ret = dst_key_tofile(key, ctx->options, ctx->directory);
+	if (ret != ISC_R_SUCCESS) {
+		char keystr[DST_KEY_FORMATSIZE];
+		dst_key_format(key, keystr, sizeof(keystr));
+		fatal("failed to write key %s: %s\n", keystr,
+		      isc_result_totext(ret));
+	}
+
+	isc_buffer_clear(&buf);
+	ret = dst_key_buildfilename(key, 0, NULL, &buf);
+	if (ret != ISC_R_SUCCESS) {
+		fatal("dst_key_buildfilename returned: %s\n",
+		      isc_result_totext(ret));
+	}
+	printf("%s\n", filename);
+
+	dst_key_free(&key);
+	if (prevkey != NULL) {
+		dst_key_free(&prevkey);
+	}
+}
+
+int
+main(int argc, char **argv) {
+	char *algname = NULL, *freeit = NULL;
+	char *classname = NULL;
+	char *endp;
+	isc_mem_t *mctx = NULL;
+	isc_result_t ret;
+	isc_textregion_t r;
+	const char *engine = NULL;
+	unsigned char c;
+	int ch;
+
+	keygen_ctx_t ctx = {
+		.options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC,
+		.prepub = -1,
+		.protocol = -1,
+		.size = -1,
+	};
+
+	if (argc == 1) {
+		usage();
+	}
+
+#if USE_PKCS11
+	pk11_result_register();
+#endif /* if USE_PKCS11 */
+	dns_result_register();
+
+	isc_commandline_errprint = false;
+
+	/*
+	 * Process memory debugging argument first.
+	 */
+#define CMDLINE_FLAGS                                           \
+	"3A:a:b:Cc:D:d:E:eFf:Gg:hI:i:K:k:L:l:m:n:P:p:qR:r:S:s:" \
+	"T:t:v:V"
+	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
+		switch (ch) {
+		case 'm':
+			if (strcasecmp(isc_commandline_argument, "record") == 0)
+			{
+				isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
+			}
+			if (strcasecmp(isc_commandline_argument, "trace") == 0)
+			{
+				isc_mem_debugging |= ISC_MEM_DEBUGTRACE;
+			}
+			if (strcasecmp(isc_commandline_argument, "usage") == 0)
+			{
+				isc_mem_debugging |= ISC_MEM_DEBUGUSAGE;
+			}
+			if (strcasecmp(isc_commandline_argument, "size") == 0) {
+				isc_mem_debugging |= ISC_MEM_DEBUGSIZE;
+			}
+			if (strcasecmp(isc_commandline_argument, "mctx") == 0) {
+				isc_mem_debugging |= ISC_MEM_DEBUGCTX;
+			}
+			break;
+		default:
+			break;
+		}
+	}
+	isc_commandline_reset = true;
+
+	isc_mem_create(&mctx);
+	isc_stdtime_get(&ctx.now);
+
+	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
+		switch (ch) {
+		case '3':
+			ctx.use_nsec3 = true;
+			break;
+		case 'a':
+			algname = isc_commandline_argument;
+			break;
+		case 'b':
+			ctx.size = strtol(isc_commandline_argument, &endp, 10);
+			if (*endp != '\0' || ctx.size < 0) {
+				fatal("-b requires a non-negative number");
+			}
+			break;
+		case 'C':
+			ctx.oldstyle = true;
+			break;
+		case 'c':
+			classname = isc_commandline_argument;
+			break;
+		case 'd':
+			ctx.dbits = strtol(isc_commandline_argument, &endp, 10);
+			if (*endp != '\0' || ctx.dbits < 0) {
+				fatal("-d requires a non-negative number");
+			}
+			break;
+		case 'E':
+			engine = isc_commandline_argument;
+			break;
+		case 'e':
+			fprintf(stderr, "phased-out option -e "
+					"(was 'use (RSA) large exponent')\n");
+			break;
+		case 'f':
+			c = (unsigned char)(isc_commandline_argument[0]);
+			if (toupper(c) == 'K') {
+				ctx.kskflag = DNS_KEYFLAG_KSK;
+			} else if (toupper(c) == 'R') {
+				ctx.revflag = DNS_KEYFLAG_REVOKE;
+			} else {
+				fatal("unknown flag '%s'",
+				      isc_commandline_argument);
+			}
+			break;
+		case 'g':
+			ctx.generator = strtol(isc_commandline_argument, &endp,
+					       10);
+			if (*endp != '\0' || ctx.generator <= 0) {
+				fatal("-g requires a positive number");
+			}
+			break;
+		case 'K':
+			ctx.directory = isc_commandline_argument;
+			ret = try_dir(ctx.directory);
+			if (ret != ISC_R_SUCCESS) {
+				fatal("cannot open directory %s: %s",
+				      ctx.directory, isc_result_totext(ret));
+			}
+			break;
+		case 'k':
+			ctx.policy = isc_commandline_argument;
+			break;
+		case 'L':
+			ctx.ttl = strtottl(isc_commandline_argument);
+			ctx.setttl = true;
+			break;
+		case 'l':
+			ctx.configfile = isc_commandline_argument;
+			break;
+		case 'n':
+			ctx.nametype = isc_commandline_argument;
+			break;
+		case 'm':
+			break;
+		case 'p':
+			ctx.protocol = strtol(isc_commandline_argument, &endp,
+					      10);
+			if (*endp != '\0' || ctx.protocol < 0 ||
+			    ctx.protocol > 255)
+			{
+				fatal("-p must be followed by a number "
+				      "[0..255]");
+			}
+			break;
+		case 'q':
+			ctx.quiet = true;
+			break;
+		case 'r':
+			fatal("The -r option has been deprecated.\n"
+			      "System random data is always used.\n");
+			break;
+		case 's':
+			ctx.signatory = strtol(isc_commandline_argument, &endp,
+					       10);
+			if (*endp != '\0' || ctx.signatory < 0 ||
+			    ctx.signatory > 15)
+			{
+				fatal("-s must be followed by a number "
+				      "[0..15]");
+			}
+			break;
+		case 'T':
+			if (strcasecmp(isc_commandline_argument, "KEY") == 0) {
+				ctx.options |= DST_TYPE_KEY;
+			} else if (strcasecmp(isc_commandline_argument,
+					      "DNSKE"
+					      "Y") == 0)
+			{
+				/* default behavior */
+			} else {
+				fatal("unknown type '%s'",
+				      isc_commandline_argument);
+			}
+			break;
+		case 't':
+			ctx.type = isc_commandline_argument;
+			break;
+		case 'v':
+			endp = NULL;
+			verbose = strtol(isc_commandline_argument, &endp, 0);
+			if (*endp != '\0') {
+				fatal("-v must be followed by a number");
+			}
+			break;
+		case 'G':
+			ctx.genonly = true;
+			break;
+		case 'P':
+			/* -Psync ? */
+			if (isoptarg("sync", argv, usage)) {
+				if (ctx.setsyncadd) {
+					fatal("-P sync specified more than "
+					      "once");
+				}
+
+				ctx.syncadd = strtotime(
+					isc_commandline_argument, ctx.now,
+					ctx.now, &ctx.setsyncadd);
+				break;
+			}
+			(void)isoptarg("dnskey", argv, usage);
+			if (ctx.setpub || ctx.unsetpub) {
+				fatal("-P specified more than once");
+			}
+
+			ctx.publish = strtotime(isc_commandline_argument,
+						ctx.now, ctx.now, &ctx.setpub);
+			ctx.unsetpub = !ctx.setpub;
+			break;
+		case 'A':
+			if (ctx.setact || ctx.unsetact) {
+				fatal("-A specified more than once");
+			}
+
+			ctx.activate = strtotime(isc_commandline_argument,
+						 ctx.now, ctx.now, &ctx.setact);
+			ctx.unsetact = !ctx.setact;
+			break;
+		case 'R':
+			if (ctx.setrev || ctx.unsetrev) {
+				fatal("-R specified more than once");
+			}
+
+			ctx.revokekey = strtotime(isc_commandline_argument,
+						  ctx.now, ctx.now,
+						  &ctx.setrev);
+			ctx.unsetrev = !ctx.setrev;
+			break;
+		case 'I':
+			if (ctx.setinact || ctx.unsetinact) {
+				fatal("-I specified more than once");
+			}
+
+			ctx.inactive = strtotime(isc_commandline_argument,
+						 ctx.now, ctx.now,
+						 &ctx.setinact);
+			ctx.unsetinact = !ctx.setinact;
+			break;
+		case 'D':
+			/* -Dsync ? */
+			if (isoptarg("sync", argv, usage)) {
+				if (ctx.setsyncdel) {
+					fatal("-D sync specified more than "
+					      "once");
+				}
+
+				ctx.syncdel = strtotime(
+					isc_commandline_argument, ctx.now,
+					ctx.now, &ctx.setsyncdel);
+				break;
+			}
+			(void)isoptarg("dnskey", argv, usage);
+			if (ctx.setdel || ctx.unsetdel) {
+				fatal("-D specified more than once");
+			}
+
+			ctx.deltime = strtotime(isc_commandline_argument,
+						ctx.now, ctx.now, &ctx.setdel);
+			ctx.unsetdel = !ctx.setdel;
+			break;
+		case 'S':
+			ctx.predecessor = isc_commandline_argument;
+			break;
+		case 'i':
+			ctx.prepub = strtottl(isc_commandline_argument);
+			break;
+		case 'F':
+			/* Reserved for FIPS mode */
+			FALLTHROUGH;
+		case '?':
+			if (isc_commandline_option != '?') {
+				fprintf(stderr, "%s: invalid argument -%c\n",
+					program, isc_commandline_option);
+			}
+			FALLTHROUGH;
+		case 'h':
+			/* Does not return. */
+			usage();
+
+		case 'V':
+			/* Does not return. */
+			version(program);
+
+		default:
+			fprintf(stderr, "%s: unhandled option -%c\n", program,
+				isc_commandline_option);
+			exit(1);
+		}
+	}
+
+	if (!isatty(0)) {
+		ctx.quiet = true;
+	}
+
+	ret = dst_lib_init(mctx, engine);
+	if (ret != ISC_R_SUCCESS) {
+		fatal("could not initialize dst: %s", isc_result_totext(ret));
+	}
+
+	setup_logging(mctx, &lctx);
+
+	ctx.rdclass = strtoclass(classname);
+
+	if (ctx.configfile == NULL || ctx.configfile[0] == '\0') {
+		ctx.configfile = NAMED_CONFFILE;
+	}
+
+	if (ctx.predecessor == NULL) {
+		if (argc < isc_commandline_index + 1) {
+			fatal("the key name was not specified");
+		}
+		if (argc > isc_commandline_index + 1) {
+			fatal("extraneous arguments");
+		}
+	}
+
+	if (ctx.predecessor == NULL && ctx.policy == NULL) {
+		if (algname == NULL) {
+			fatal("no algorithm specified");
+		}
+		r.base = algname;
+		r.length = strlen(algname);
+		ret = dns_secalg_fromtext(&ctx.alg, &r);
+		if (ret != ISC_R_SUCCESS) {
+			fatal("unknown algorithm %s", algname);
+		}
+		if (!dst_algorithm_supported(ctx.alg)) {
+			fatal("unsupported algorithm: %s", algname);
+		}
+	}
+
+	if (ctx.policy != NULL) {
+		if (ctx.nametype != NULL) {
+			fatal("-k and -n cannot be used together");
+		}
+		if (ctx.predecessor != NULL) {
+			fatal("-k and -S cannot be used together");
+		}
+		if (ctx.oldstyle) {
+			fatal("-k and -C cannot be used together");
+		}
+		if (ctx.setttl) {
+			fatal("-k and -L cannot be used together");
+		}
+		if (ctx.prepub > 0) {
+			fatal("-k and -i cannot be used together");
+		}
+		if (ctx.size != -1) {
+			fatal("-k and -b cannot be used together");
+		}
+		if (ctx.kskflag || ctx.revflag) {
+			fatal("-k and -f cannot be used together");
+		}
+		if (ctx.options & DST_TYPE_KEY) {
+			fatal("-k and -T KEY cannot be used together");
+		}
+		if (ctx.use_nsec3) {
+			fatal("-k and -3 cannot be used together");
+		}
+
+		ctx.options |= DST_TYPE_STATE;
+
+		if (strcmp(ctx.policy, "default") == 0) {
+			ctx.use_nsec3 = false;
+			ctx.alg = DST_ALG_ECDSA256;
+			ctx.size = 0;
+			ctx.kskflag = DNS_KEYFLAG_KSK;
+			ctx.ttl = 3600;
+			ctx.setttl = true;
+			ctx.ksk = true;
+			ctx.zsk = true;
+			ctx.lifetime = 0;
+
+			keygen(&ctx, mctx, argc, argv);
+		} else {
+			cfg_parser_t *parser = NULL;
+			cfg_obj_t *config = NULL;
+			dns_kasp_t *kasp = NULL;
+			dns_kasp_key_t *kaspkey = NULL;
+
+			RUNTIME_CHECK(cfg_parser_create(mctx, lctx, &parser) ==
+				      ISC_R_SUCCESS);
+			if (cfg_parse_file(parser, ctx.configfile,
+					   &cfg_type_namedconf,
+					   &config) != ISC_R_SUCCESS)
+			{
+				fatal("unable to load dnssec-policy '%s' from "
+				      "'%s'",
+				      ctx.policy, ctx.configfile);
+			}
+
+			kasp_from_conf(config, mctx, ctx.policy, &kasp);
+			if (kasp == NULL) {
+				fatal("failed to load dnssec-policy '%s'",
+				      ctx.policy);
+			}
+			if (ISC_LIST_EMPTY(dns_kasp_keys(kasp))) {
+				fatal("dnssec-policy '%s' has no keys "
+				      "configured",
+				      ctx.policy);
+			}
+
+			ctx.ttl = dns_kasp_dnskeyttl(kasp);
+			ctx.setttl = true;
+
+			kaspkey = ISC_LIST_HEAD(dns_kasp_keys(kasp));
+
+			while (kaspkey != NULL) {
+				ctx.use_nsec3 = false;
+				ctx.alg = dns_kasp_key_algorithm(kaspkey);
+				ctx.size = dns_kasp_key_size(kaspkey);
+				ctx.kskflag = dns_kasp_key_ksk(kaspkey)
+						      ? DNS_KEYFLAG_KSK
+						      : 0;
+				ctx.ksk = dns_kasp_key_ksk(kaspkey);
+				ctx.zsk = dns_kasp_key_zsk(kaspkey);
+				ctx.lifetime = dns_kasp_key_lifetime(kaspkey);
+
+				keygen(&ctx, mctx, argc, argv);
+
+				kaspkey = ISC_LIST_NEXT(kaspkey, link);
+			}
+
+			dns_kasp_detach(&kasp);
+			cfg_obj_destroy(parser, &config);
+			cfg_parser_destroy(&parser);
+		}
+	} else {
+		keygen(&ctx, mctx, argc, argv);
+	}
+
+	cleanup_logging(&lctx);
+	dst_lib_destroy();
+	if (verbose > 10) {
+		isc_mem_stats(mctx, stdout);
+	}
+	isc_mem_destroy(&mctx);
+
+	if (freeit != NULL) {
+		free(freeit);
+	}
+
+	return (0);
+}
diff --git a/bin/dnssec/dnssec-keygen.rst b/bin/dnssec/dnssec-keygen.rst
new file mode 100644
index 0000000..3b6d46d
--- /dev/null
+++ b/bin/dnssec/dnssec-keygen.rst
@@ -0,0 +1,318 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. highlight: console
+
+.. _man_dnssec-keygen:
+
+dnssec-keygen: DNSSEC key generation tool
+-----------------------------------------
+
+Synopsis
+~~~~~~~~
+
+:program:`dnssec-keygen` [**-3**] [**-A** date/offset] [**-a** algorithm] [**-b** keysize] [**-C**] [**-c** class] [**-D** date/offset] [**-d** bits] [**-D** sync date/offset] [**-E** engine] [**-f** flag] [**-G**] [**-g** generator] [**-h**] [**-I** date/offset] [**-i** interval] [**-K** directory] [**-k** policy] [**-L** ttl] [**-l** file] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-q**] [**-R** date/offset] [**-S** key] [**-s** strength] [**-T** rrtype] [**-t** type] [**-V**] [**-v** level] {name}
+
+Description
+~~~~~~~~~~~
+
+``dnssec-keygen`` generates keys for DNSSEC (Secure DNS), as defined in
+:rfc:`2535` and :rfc:`4034`. It can also generate keys for use with TSIG
+(Transaction Signatures) as defined in :rfc:`2845`, or TKEY (Transaction
+Key) as defined in :rfc:`2930`.
+
+The ``name`` of the key is specified on the command line. For DNSSEC
+keys, this must match the name of the zone for which the key is being
+generated.
+
+The ``dnssec-keymgr`` command acts as a wrapper
+around ``dnssec-keygen``, generating and updating keys
+as needed to enforce defined security policies such as key rollover
+scheduling. Using ``dnssec-keymgr`` may be preferable
+to direct use of ``dnssec-keygen``.
+
+Options
+~~~~~~~
+
+``-3``
+   This option uses an NSEC3-capable algorithm to generate a DNSSEC key. If this
+   option is used with an algorithm that has both NSEC and NSEC3
+   versions, then the NSEC3 version is selected; for example,
+   ``dnssec-keygen -3 -a RSASHA1`` specifies the NSEC3RSASHA1 algorithm.
+
+``-a algorithm``
+   This option selects the cryptographic algorithm. For DNSSEC keys, the value of
+   ``algorithm`` must be one of RSASHA1, NSEC3RSASHA1, RSASHA256,
+   RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519, or ED448. For
+   TKEY, the value must be DH (Diffie-Hellman); specifying this value
+   automatically sets the ``-T KEY`` option as well.
+
+   These values are case-insensitive. In some cases, abbreviations are
+   supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for
+   ECDSAP384SHA384. If RSASHA1 is specified along with the ``-3``
+   option, NSEC3RSASHA1 is used instead.
+
+   This parameter *must* be specified except when using the ``-S``
+   option, which copies the algorithm from the predecessor key.
+
+   In prior releases, HMAC algorithms could be generated for use as TSIG
+   keys, but that feature was removed in BIND 9.13.0. Use
+   ``tsig-keygen`` to generate TSIG keys.
+
+``-b keysize``
+   This option specifies the number of bits in the key. The choice of key size
+   depends on the algorithm used: RSA keys must be between 1024 and 4096
+   bits; Diffie-Hellman keys must be between 128 and 4096 bits. Elliptic
+   curve algorithms do not need this parameter.
+
+   If the key size is not specified, some algorithms have pre-defined
+   defaults. For example, RSA keys for use as DNSSEC zone-signing keys
+   have a default size of 1024 bits; RSA keys for use as key-signing
+   keys (KSKs, generated with ``-f KSK``) default to 2048 bits.
+
+``-C``
+   This option enables compatibility mode, which generates an old-style key, without any timing
+   metadata. By default, ``dnssec-keygen`` includes the key's
+   creation date in the metadata stored with the private key; other
+   dates may be set there as well, including publication date, activation date,
+   etc. Keys that include this data may be incompatible with older
+   versions of BIND; the ``-C`` option suppresses them.
+
+``-c class``
+   This option indicates that the DNS record containing the key should have the
+   specified class. If not specified, class IN is used.
+
+``-d bits``
+   This option specifies the key size in bits. For the algorithms RSASHA1, NSEC3RSASA1, RSASHA256, and
+   RSASHA512 the key size must be between 1024 and 4096 bits; DH size is between 128
+   and 4096 bits. This option is ignored for algorithms ECDSAP256SHA256,
+   ECDSAP384SHA384, ED25519, and ED448.
+
+``-E engine``
+   This option specifies the cryptographic hardware to use, when applicable.
+
+   When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+   engine identifier that drives the cryptographic accelerator or
+   hardware service module (usually ``pkcs11``). When BIND is
+   built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
+   defaults to the path of the PKCS#11 provider library specified via
+   ``--with-pkcs11``.
+
+``-f flag``
+   This option sets the specified flag in the flag field of the KEY/DNSKEY record.
+   The only recognized flags are KSK (Key-Signing Key) and REVOKE.
+
+``-G``
+   This option generates a key, but does not publish it or sign with it. This option is
+   incompatible with ``-P`` and ``-A``.
+
+``-g generator``
+   This option indicates the generator to use if generating a Diffie-Hellman key. Allowed
+   values are 2 and 5. If no generator is specified, a known prime from
+   :rfc:`2539` is used if possible; otherwise the default is 2.
+
+``-h``
+   This option prints a short summary of the options and arguments to
+   ``dnssec-keygen``.
+
+``-K directory``
+   This option sets the directory in which the key files are to be written.
+
+``-k policy``
+   This option creates keys for a specific ``dnssec-policy``. If a policy uses multiple keys,
+   ``dnssec-keygen`` generates multiple keys. This also
+   creates a ".state" file to keep track of the key state.
+
+   This option creates keys according to the ``dnssec-policy`` configuration, hence
+   it cannot be used at the same time as many of the other options that
+   ``dnssec-keygen`` provides.
+
+``-L ttl``
+   This option sets the default TTL to use for this key when it is converted into a
+   DNSKEY RR. This is the TTL used when the key is imported into a zone,
+   unless there was already a DNSKEY RRset in
+   place, in which case the existing TTL takes precedence. If this
+   value is not set and there is no existing DNSKEY RRset, the TTL
+   defaults to the SOA TTL. Setting the default TTL to ``0`` or ``none``
+   is the same as leaving it unset.
+
+``-l file``
+   This option provides a configuration file that contains a ``dnssec-policy`` statement
+   (matching the policy set with ``-k``).
+
+``-n nametype``
+   This option specifies the owner type of the key. The value of ``nametype`` must
+   either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY
+   (for a key associated with a host (KEY)), USER (for a key associated
+   with a user (KEY)), or OTHER (DNSKEY). These values are
+   case-insensitive. The default is ZONE for DNSKEY generation.
+
+``-p protocol``
+   This option sets the protocol value for the generated key, for use with
+   ``-T KEY``. The protocol is a number between 0 and 255. The default
+   is 3 (DNSSEC). Other possible values for this argument are listed in
+   :rfc:`2535` and its successors.
+
+``-q``
+   This option sets quiet mode, which suppresses unnecessary output, including progress
+   indication. Without this option, when ``dnssec-keygen`` is run
+   interactively to generate an RSA or DSA key pair, it prints a
+   string of symbols to ``stderr`` indicating the progress of the key
+   generation. A ``.`` indicates that a random number has been found which
+   passed an initial sieve test; ``+`` means a number has passed a single
+   round of the Miller-Rabin primality test; and a space ( ) means that the
+   number has passed all the tests and is a satisfactory key.
+
+``-S key``
+   This option creates a new key which is an explicit successor to an existing key.
+   The name, algorithm, size, and type of the key are set to match
+   the existing key. The activation date of the new key is set to
+   the inactivation date of the existing one. The publication date is
+   set to the activation date minus the prepublication interval,
+   which defaults to 30 days.
+
+``-s strength``
+   This option specifies the strength value of the key. The strength is a number
+   between 0 and 15, and currently has no defined purpose in DNSSEC.
+
+``-T rrtype``
+   This option specifies the resource record type to use for the key. ``rrtype``
+   must be either DNSKEY or KEY. The default is DNSKEY when using a
+   DNSSEC algorithm, but it can be overridden to KEY for use with
+   SIG(0).
+
+``-t type``
+   This option indicates the type of the key for use with ``-T KEY``. ``type``
+   must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
+   is AUTHCONF. AUTH refers to the ability to authenticate data, and
+   CONF to the ability to encrypt data.
+
+``-V``
+   This option prints version information.
+
+``-v level``
+   This option sets the debugging level.
+
+Timing Options
+~~~~~~~~~~~~~~
+
+Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the
+argument begins with a ``+`` or ``-``, it is interpreted as an offset from
+the present time. For convenience, if such an offset is followed by one
+of the suffixes ``y``, ``mo``, ``w``, ``d``, ``h``, or ``mi``, then the offset is
+computed in years (defined as 365 24-hour days, ignoring leap years),
+months (defined as 30 24-hour days), weeks, days, hours, or minutes,
+respectively. Without a suffix, the offset is computed in seconds. To
+explicitly prevent a date from being set, use ``none`` or ``never``.
+
+``-P date/offset``
+   This option sets the date on which a key is to be published to the zone. After
+   that date, the key is included in the zone but is not used
+   to sign it. If not set, and if the ``-G`` option has not been used, the
+   default is the current date.
+
+``-P sync date/offset``
+   This option sets the date on which CDS and CDNSKEY records that match this key
+   are to be published to the zone.
+
+``-A date/offset``
+   This option sets the date on which the key is to be activated. After that date,
+   the key is included in the zone and used to sign it. If not set,
+   and if the ``-G`` option has not been used, the default is the current date. If set,
+   and ``-P`` is not set, the publication date is set to the
+   activation date minus the prepublication interval.
+
+``-R date/offset``
+   This option sets the date on which the key is to be revoked. After that date, the
+   key is flagged as revoked. It is included in the zone and
+   is used to sign it.
+
+``-I date/offset``
+   This option sets the date on which the key is to be retired. After that date, the
+   key is still included in the zone, but it is not used to
+   sign it.
+
+``-D date/offset``
+   This option sets the date on which the key is to be deleted. After that date, the
+   key is no longer included in the zone. (However, it may remain in the key
+   repository.)
+
+``-D sync date/offset``
+   This option sets the date on which the CDS and CDNSKEY records that match this
+   key are to be deleted.
+
+``-i interval``
+   This option sets the prepublication interval for a key. If set, then the
+   publication and activation dates must be separated by at least this
+   much time. If the activation date is specified but the publication
+   date is not, the publication date defaults to this much time
+   before the activation date; conversely, if the publication date is
+   specified but not the activation date, activation is set to
+   this much time after publication.
+
+   If the key is being created as an explicit successor to another key,
+   then the default prepublication interval is 30 days; otherwise it is
+   zero.
+
+   As with date offsets, if the argument is followed by one of the
+   suffixes ``y``, ``mo``, ``w``, ``d``, ``h``, or ``mi``, the interval is
+   measured in years, months, weeks, days, hours, or minutes,
+   respectively. Without a suffix, the interval is measured in seconds.
+
+Generated Keys
+~~~~~~~~~~~~~~
+
+When ``dnssec-keygen`` completes successfully, it prints a string of the
+form ``Knnnn.+aaa+iiiii`` to the standard output. This is an
+identification string for the key it has generated.
+
+-  ``nnnn`` is the key name.
+
+-  ``aaa`` is the numeric representation of the algorithm.
+
+-  ``iiiii`` is the key identifier (or footprint).
+
+``dnssec-keygen`` creates two files, with names based on the printed
+string. ``Knnnn.+aaa+iiiii.key`` contains the public key, and
+``Knnnn.+aaa+iiiii.private`` contains the private key.
+
+The ``.key`` file contains a DNSKEY or KEY record. When a zone is being
+signed by ``named`` or ``dnssec-signzone -S``, DNSKEY records are
+included automatically. In other cases, the ``.key`` file can be
+inserted into a zone file manually or with an ``$INCLUDE`` statement.
+
+The ``.private`` file contains algorithm-specific fields. For obvious
+security reasons, this file does not have general read permission.
+
+Example
+~~~~~~~
+
+To generate an ECDSAP256SHA256 zone-signing key for the zone
+``example.com``, issue the command:
+
+``dnssec-keygen -a ECDSAP256SHA256 example.com``
+
+The command prints a string of the form:
+
+``Kexample.com.+013+26160``
+
+In this example, ``dnssec-keygen`` creates the files
+``Kexample.com.+013+26160.key`` and ``Kexample.com.+013+26160.private``.
+
+To generate a matching key-signing key, issue the command:
+
+``dnssec-keygen -a ECDSAP256SHA256 -f KSK example.com``
+
+See Also
+~~~~~~~~
+
+:manpage:`dnssec-signzone(8)`, BIND 9 Administrator Reference Manual, :rfc:`2539`,
+:rfc:`2845`, :rfc:`4034`.
diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c
new file mode 100644
index 0000000..c532463
--- /dev/null
+++ b/bin/dnssec/dnssec-revoke.c
@@ -0,0 +1,278 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/file.h>
+#include <isc/hash.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/keyvalues.h>
+#include <dns/result.h>
+
+#include <dst/dst.h>
+
+#if USE_PKCS11
+#include <pk11/result.h>
+#endif /* if USE_PKCS11 */
+
+#include "dnssectool.h"
+
+const char *program = "dnssec-revoke";
+
+static isc_mem_t *mctx = NULL;
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(void) {
+	fprintf(stderr, "Usage:\n");
+	fprintf(stderr, "    %s [options] keyfile\n\n", program);
+	fprintf(stderr, "Version: %s\n", VERSION);
+#if USE_PKCS11
+	fprintf(stderr,
+		"    -E engine:    specify PKCS#11 provider "
+		"(default: %s)\n",
+		PK11_LIB_LOCATION);
+#else  /* if USE_PKCS11 */
+	fprintf(stderr, "    -E engine:    specify OpenSSL engine\n");
+#endif /* if USE_PKCS11 */
+	fprintf(stderr, "    -f:           force overwrite\n");
+	fprintf(stderr, "    -h:           help\n");
+	fprintf(stderr, "    -K directory: use directory for key files\n");
+	fprintf(stderr, "    -r:           remove old keyfiles after "
+			"creating revoked version\n");
+	fprintf(stderr, "    -v level:     set level of verbosity\n");
+	fprintf(stderr, "    -V:           print version information\n");
+	fprintf(stderr, "Output:\n");
+	fprintf(stderr, "     K<name>+<alg>+<new id>.key, "
+			"K<name>+<alg>+<new id>.private\n");
+
+	exit(-1);
+}
+
+int
+main(int argc, char **argv) {
+	isc_result_t result;
+	const char *engine = NULL;
+	char const *filename = NULL;
+	char *dir = NULL;
+	char newname[1024], oldname[1024];
+	char keystr[DST_KEY_FORMATSIZE];
+	char *endp;
+	int ch;
+	dst_key_t *key = NULL;
+	uint32_t flags;
+	isc_buffer_t buf;
+	bool force = false;
+	bool removefile = false;
+	bool id = false;
+
+	if (argc == 1) {
+		usage();
+	}
+
+	isc_mem_create(&mctx);
+
+#if USE_PKCS11
+	pk11_result_register();
+#endif /* if USE_PKCS11 */
+	dns_result_register();
+
+	isc_commandline_errprint = false;
+
+	while ((ch = isc_commandline_parse(argc, argv, "E:fK:rRhv:V")) != -1) {
+		switch (ch) {
+		case 'E':
+			engine = isc_commandline_argument;
+			break;
+		case 'f':
+			force = true;
+			break;
+		case 'K':
+			/*
+			 * We don't have to copy it here, but do it to
+			 * simplify cleanup later
+			 */
+			dir = isc_mem_strdup(mctx, isc_commandline_argument);
+			break;
+		case 'r':
+			removefile = true;
+			break;
+		case 'R':
+			id = true;
+			break;
+		case 'v':
+			verbose = strtol(isc_commandline_argument, &endp, 0);
+			if (*endp != '\0') {
+				fatal("-v must be followed by a number");
+			}
+			break;
+		case '?':
+			if (isc_commandline_option != '?') {
+				fprintf(stderr, "%s: invalid argument -%c\n",
+					program, isc_commandline_option);
+			}
+			FALLTHROUGH;
+		case 'h':
+			/* Does not return. */
+			usage();
+
+		case 'V':
+			/* Does not return. */
+			version(program);
+
+		default:
+			fprintf(stderr, "%s: unhandled option -%c\n", program,
+				isc_commandline_option);
+			exit(1);
+		}
+	}
+
+	if (argc < isc_commandline_index + 1 ||
+	    argv[isc_commandline_index] == NULL)
+	{
+		fatal("The key file name was not specified");
+	}
+	if (argc > isc_commandline_index + 1) {
+		fatal("Extraneous arguments");
+	}
+
+	if (dir != NULL) {
+		filename = argv[isc_commandline_index];
+	} else {
+		result = isc_file_splitpath(mctx, argv[isc_commandline_index],
+					    &dir, &filename);
+		if (result != ISC_R_SUCCESS) {
+			fatal("cannot process filename %s: %s",
+			      argv[isc_commandline_index],
+			      isc_result_totext(result));
+		}
+		if (strcmp(dir, ".") == 0) {
+			isc_mem_free(mctx, dir);
+			dir = NULL;
+		}
+	}
+
+	result = dst_lib_init(mctx, engine);
+	if (result != ISC_R_SUCCESS) {
+		fatal("Could not initialize dst: %s",
+		      isc_result_totext(result));
+	}
+
+	result = dst_key_fromnamedfile(
+		filename, dir, DST_TYPE_PUBLIC | DST_TYPE_PRIVATE, mctx, &key);
+	if (result != ISC_R_SUCCESS) {
+		fatal("Invalid keyfile name %s: %s", filename,
+		      isc_result_totext(result));
+	}
+
+	if (id) {
+		fprintf(stdout, "%u\n", dst_key_rid(key));
+		goto cleanup;
+	}
+	dst_key_format(key, keystr, sizeof(keystr));
+
+	if (verbose > 2) {
+		fprintf(stderr, "%s: %s\n", program, keystr);
+	}
+
+	if (force) {
+		set_keyversion(key);
+	} else {
+		check_keyversion(key, keystr);
+	}
+
+	flags = dst_key_flags(key);
+	if ((flags & DNS_KEYFLAG_REVOKE) == 0) {
+		isc_stdtime_t now;
+
+		if ((flags & DNS_KEYFLAG_KSK) == 0) {
+			fprintf(stderr,
+				"%s: warning: Key is not flagged "
+				"as a KSK. Revoking a ZSK is "
+				"legal, but undefined.\n",
+				program);
+		}
+
+		isc_stdtime_get(&now);
+		dst_key_settime(key, DST_TIME_REVOKE, now);
+
+		dst_key_setflags(key, flags | DNS_KEYFLAG_REVOKE);
+
+		isc_buffer_init(&buf, newname, sizeof(newname));
+		dst_key_buildfilename(key, DST_TYPE_PUBLIC, dir, &buf);
+
+		if (access(newname, F_OK) == 0 && !force) {
+			fatal("Key file %s already exists; "
+			      "use -f to force overwrite",
+			      newname);
+		}
+
+		result = dst_key_tofile(key, DST_TYPE_PUBLIC | DST_TYPE_PRIVATE,
+					dir);
+		if (result != ISC_R_SUCCESS) {
+			dst_key_format(key, keystr, sizeof(keystr));
+			fatal("Failed to write key %s: %s", keystr,
+			      isc_result_totext(result));
+		}
+
+		isc_buffer_clear(&buf);
+		dst_key_buildfilename(key, 0, dir, &buf);
+		printf("%s\n", newname);
+
+		/*
+		 * Remove old key file, if told to (and if
+		 * it isn't the same as the new file)
+		 */
+		if (removefile) {
+			isc_buffer_init(&buf, oldname, sizeof(oldname));
+			dst_key_setflags(key, flags & ~DNS_KEYFLAG_REVOKE);
+			dst_key_buildfilename(key, DST_TYPE_PRIVATE, dir, &buf);
+			if (strcmp(oldname, newname) == 0) {
+				goto cleanup;
+			}
+			(void)unlink(oldname);
+			isc_buffer_clear(&buf);
+			dst_key_buildfilename(key, DST_TYPE_PUBLIC, dir, &buf);
+			(void)unlink(oldname);
+		}
+	} else {
+		dst_key_format(key, keystr, sizeof(keystr));
+		fatal("Key %s is already revoked", keystr);
+	}
+
+cleanup:
+	dst_key_free(&key);
+	dst_lib_destroy();
+	if (verbose > 10) {
+		isc_mem_stats(mctx, stdout);
+	}
+	if (dir != NULL) {
+		isc_mem_free(mctx, dir);
+	}
+	isc_mem_destroy(&mctx);
+
+	return (0);
+}
diff --git a/bin/dnssec/dnssec-revoke.rst b/bin/dnssec/dnssec-revoke.rst
new file mode 100644
index 0000000..f664646
--- /dev/null
+++ b/bin/dnssec/dnssec-revoke.rst
@@ -0,0 +1,71 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. highlight: console
+
+.. _man_dnssec-revoke:
+
+dnssec-revoke - set the REVOKED bit on a DNSSEC key
+---------------------------------------------------
+
+Synopsis
+~~~~~~~~
+
+:program:`dnssec-revoke` [**-hr**] [**-v** level] [**-V**] [**-K** directory] [**-E** engine] [**-f**] [**-R**] {keyfile}
+
+Description
+~~~~~~~~~~~
+
+``dnssec-revoke`` reads a DNSSEC key file, sets the REVOKED bit on the
+key as defined in :rfc:`5011`, and creates a new pair of key files
+containing the now-revoked key.
+
+Options
+~~~~~~~
+
+``-h``
+   This option emits a usage message and exits.
+
+``-K directory``
+   This option sets the directory in which the key files are to reside.
+
+``-r``
+   This option indicates to remove the original keyset files after writing the new keyset files.
+
+``-v level``
+   This option sets the debugging level.
+
+``-V``
+   This option prints version information.
+
+``-E engine``
+   This option specifies the cryptographic hardware to use, when applicable.
+
+   When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+   engine identifier that drives the cryptographic accelerator or
+   hardware service module (usually ``pkcs11``). When BIND is
+   built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
+   defaults to the path of the PKCS#11 provider library specified via
+   ``--with-pkcs11``.
+
+``-f``
+   This option indicates a forced overwrite and causes ``dnssec-revoke`` to write the new key pair,
+   even if a file already exists matching the algorithm and key ID of
+   the revoked key.
+
+``-R``
+   This option prints the key tag of the key with the REVOKE bit set, but does not
+   revoke the key.
+
+See Also
+~~~~~~~~
+
+:manpage:`dnssec-keygen(8)`, BIND 9 Administrator Reference Manual, :rfc:`5011`.
diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c
new file mode 100644
index 0000000..1df6af1
--- /dev/null
+++ b/bin/dnssec/dnssec-settime.c
@@ -0,0 +1,985 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <errno.h>
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/file.h>
+#include <isc/hash.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/result.h>
+
+#include <dst/dst.h>
+
+#if USE_PKCS11
+#include <pk11/result.h>
+#endif /* if USE_PKCS11 */
+
+#include "dnssectool.h"
+
+const char *program = "dnssec-settime";
+
+static isc_mem_t *mctx = NULL;
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(void) {
+	fprintf(stderr, "Usage:\n");
+	fprintf(stderr, "    %s [options] keyfile\n\n", program);
+	fprintf(stderr, "Version: %s\n", VERSION);
+	fprintf(stderr, "General options:\n");
+#if USE_PKCS11
+	fprintf(stderr,
+		"    -E engine:          specify PKCS#11 provider "
+		"(default: %s)\n",
+		PK11_LIB_LOCATION);
+#elif defined(USE_PKCS11)
+	fprintf(stderr, "    -E engine:          specify OpenSSL engine "
+			"(default \"pkcs11\")\n");
+#else  /* if USE_PKCS11 */
+	fprintf(stderr, "    -E engine:          specify OpenSSL engine\n");
+#endif /* if USE_PKCS11 */
+	fprintf(stderr, "    -f:                 force update of old-style "
+			"keys\n");
+	fprintf(stderr, "    -K directory:       set key file location\n");
+	fprintf(stderr, "    -L ttl:             set default key TTL\n");
+	fprintf(stderr, "    -v level:           set level of verbosity\n");
+	fprintf(stderr, "    -V:                 print version information\n");
+	fprintf(stderr, "    -h:                 help\n");
+	fprintf(stderr, "Timing options:\n");
+	fprintf(stderr, "    -P date/[+-]offset/none: set/unset key "
+			"publication date\n");
+	fprintf(stderr, "    -P ds date/[+-]offset/none: set/unset "
+			"DS publication date\n");
+	fprintf(stderr, "    -P sync date/[+-]offset/none: set/unset "
+			"CDS and CDNSKEY publication date\n");
+	fprintf(stderr, "    -A date/[+-]offset/none: set/unset key "
+			"activation date\n");
+	fprintf(stderr, "    -R date/[+-]offset/none: set/unset key "
+			"revocation date\n");
+	fprintf(stderr, "    -I date/[+-]offset/none: set/unset key "
+			"inactivation date\n");
+	fprintf(stderr, "    -D date/[+-]offset/none: set/unset key "
+			"deletion date\n");
+	fprintf(stderr, "    -D ds date/[+-]offset/none: set/unset "
+			"DS deletion date\n");
+	fprintf(stderr, "    -D sync date/[+-]offset/none: set/unset "
+			"CDS and CDNSKEY deletion date\n");
+	fprintf(stderr, "    -S <key>: generate a successor to an existing "
+			"key\n");
+	fprintf(stderr, "    -i <interval>: prepublication interval for "
+			"successor key "
+			"(default: 30 days)\n");
+	fprintf(stderr, "Key state options:\n");
+	fprintf(stderr, "    -s: update key state file (default no)\n");
+	fprintf(stderr, "    -g state: set the goal state for this key\n");
+	fprintf(stderr, "    -d state date/[+-]offset: set the DS state\n");
+	fprintf(stderr, "    -k state date/[+-]offset: set the DNSKEY state\n");
+	fprintf(stderr, "    -r state date/[+-]offset: set the RRSIG (KSK) "
+			"state\n");
+	fprintf(stderr, "    -z state date/[+-]offset: set the RRSIG (ZSK) "
+			"state\n");
+	fprintf(stderr, "Printing options:\n");
+	fprintf(stderr, "    -p C/P/Psync/A/R/I/D/Dsync/all: print a "
+			"particular time value or values\n");
+	fprintf(stderr, "    -u:                 print times in unix epoch "
+			"format\n");
+	fprintf(stderr, "Output:\n");
+	fprintf(stderr, "     K<name>+<alg>+<new id>.key, "
+			"K<name>+<alg>+<new id>.private\n");
+
+	exit(-1);
+}
+
+static void
+printtime(dst_key_t *key, int type, const char *tag, bool epoch, FILE *stream) {
+	isc_result_t result;
+	isc_stdtime_t when;
+
+	if (tag != NULL) {
+		fprintf(stream, "%s: ", tag);
+	}
+
+	result = dst_key_gettime(key, type, &when);
+	if (result == ISC_R_NOTFOUND) {
+		fprintf(stream, "UNSET\n");
+	} else if (epoch) {
+		fprintf(stream, "%d\n", (int)when);
+	} else {
+		time_t now = when;
+		struct tm t, *tm = localtime_r(&now, &t);
+		unsigned int flen;
+		char timebuf[80];
+
+		if (tm == NULL) {
+			fprintf(stream, "INVALID\n");
+			return;
+		}
+
+		flen = strftime(timebuf, sizeof(timebuf),
+				"%a %b %e %H:%M:%S %Y", tm);
+		INSIST(flen > 0U && flen < sizeof(timebuf));
+		fprintf(stream, "%s\n", timebuf);
+	}
+}
+
+static void
+writekey(dst_key_t *key, const char *directory, bool write_state) {
+	char newname[1024];
+	char keystr[DST_KEY_FORMATSIZE];
+	isc_buffer_t buf;
+	isc_result_t result;
+	int options = DST_TYPE_PUBLIC | DST_TYPE_PRIVATE;
+
+	if (write_state) {
+		options |= DST_TYPE_STATE;
+	}
+
+	isc_buffer_init(&buf, newname, sizeof(newname));
+	result = dst_key_buildfilename(key, DST_TYPE_PUBLIC, directory, &buf);
+	if (result != ISC_R_SUCCESS) {
+		fatal("Failed to build public key filename: %s",
+		      isc_result_totext(result));
+	}
+
+	result = dst_key_tofile(key, options, directory);
+	if (result != ISC_R_SUCCESS) {
+		dst_key_format(key, keystr, sizeof(keystr));
+		fatal("Failed to write key %s: %s", keystr,
+		      isc_result_totext(result));
+	}
+	printf("%s\n", newname);
+
+	isc_buffer_clear(&buf);
+	result = dst_key_buildfilename(key, DST_TYPE_PRIVATE, directory, &buf);
+	if (result != ISC_R_SUCCESS) {
+		fatal("Failed to build private key filename: %s",
+		      isc_result_totext(result));
+	}
+	printf("%s\n", newname);
+
+	if (write_state) {
+		isc_buffer_clear(&buf);
+		result = dst_key_buildfilename(key, DST_TYPE_STATE, directory,
+					       &buf);
+		if (result != ISC_R_SUCCESS) {
+			fatal("Failed to build key state filename: %s",
+			      isc_result_totext(result));
+		}
+		printf("%s\n", newname);
+	}
+}
+
+int
+main(int argc, char **argv) {
+	isc_result_t result;
+	const char *engine = NULL;
+	const char *filename = NULL;
+	char *directory = NULL;
+	char keystr[DST_KEY_FORMATSIZE];
+	char *endp, *p;
+	int ch;
+	const char *predecessor = NULL;
+	dst_key_t *prevkey = NULL;
+	dst_key_t *key = NULL;
+	dns_name_t *name = NULL;
+	dns_secalg_t alg = 0;
+	unsigned int size = 0;
+	uint16_t flags = 0;
+	int prepub = -1;
+	int options;
+	dns_ttl_t ttl = 0;
+	isc_stdtime_t now;
+	isc_stdtime_t dstime = 0, dnskeytime = 0;
+	isc_stdtime_t krrsigtime = 0, zrrsigtime = 0;
+	isc_stdtime_t pub = 0, act = 0, rev = 0, inact = 0, del = 0;
+	isc_stdtime_t prevact = 0, previnact = 0, prevdel = 0;
+	dst_key_state_t goal = DST_KEY_STATE_NA;
+	dst_key_state_t ds = DST_KEY_STATE_NA;
+	dst_key_state_t dnskey = DST_KEY_STATE_NA;
+	dst_key_state_t krrsig = DST_KEY_STATE_NA;
+	dst_key_state_t zrrsig = DST_KEY_STATE_NA;
+	bool setgoal = false, setds = false, setdnskey = false;
+	bool setkrrsig = false, setzrrsig = false;
+	bool setdstime = false, setdnskeytime = false;
+	bool setkrrsigtime = false, setzrrsigtime = false;
+	bool setpub = false, setact = false;
+	bool setrev = false, setinact = false;
+	bool setdel = false, setttl = false;
+	bool unsetpub = false, unsetact = false;
+	bool unsetrev = false, unsetinact = false;
+	bool unsetdel = false;
+	bool printcreate = false, printpub = false;
+	bool printact = false, printrev = false;
+	bool printinact = false, printdel = false;
+	bool force = false;
+	bool epoch = false;
+	bool changed = false;
+	bool write_state = false;
+	isc_log_t *log = NULL;
+	isc_stdtime_t syncadd = 0, syncdel = 0;
+	bool unsetsyncadd = false, setsyncadd = false;
+	bool unsetsyncdel = false, setsyncdel = false;
+	bool printsyncadd = false, printsyncdel = false;
+	isc_stdtime_t dsadd = 0, dsdel = 0;
+	bool unsetdsadd = false, setdsadd = false;
+	bool unsetdsdel = false, setdsdel = false;
+	bool printdsadd = false, printdsdel = false;
+
+	options = DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_STATE;
+
+	if (argc == 1) {
+		usage();
+	}
+
+	isc_mem_create(&mctx);
+
+	setup_logging(mctx, &log);
+
+#if USE_PKCS11
+	pk11_result_register();
+#endif /* if USE_PKCS11 */
+	dns_result_register();
+
+	isc_commandline_errprint = false;
+
+	isc_stdtime_get(&now);
+
+#define CMDLINE_FLAGS "A:D:d:E:fg:hI:i:K:k:L:P:p:R:r:S:suv:Vz:"
+	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
+		switch (ch) {
+		case 'A':
+			if (setact || unsetact) {
+				fatal("-A specified more than once");
+			}
+
+			changed = true;
+			act = strtotime(isc_commandline_argument, now, now,
+					&setact);
+			unsetact = !setact;
+			break;
+		case 'D':
+			/* -Dsync ? */
+			if (isoptarg("sync", argv, usage)) {
+				if (unsetsyncdel || setsyncdel) {
+					fatal("-D sync specified more than "
+					      "once");
+				}
+
+				changed = true;
+				syncdel = strtotime(isc_commandline_argument,
+						    now, now, &setsyncdel);
+				unsetsyncdel = !setsyncdel;
+				break;
+			}
+			/* -Dds ? */
+			if (isoptarg("ds", argv, usage)) {
+				if (unsetdsdel || setdsdel) {
+					fatal("-D ds specified more than once");
+				}
+
+				changed = true;
+				dsdel = strtotime(isc_commandline_argument, now,
+						  now, &setdsdel);
+				unsetdsdel = !setdsdel;
+				break;
+			}
+			/* -Ddnskey ? */
+			(void)isoptarg("dnskey", argv, usage);
+			if (setdel || unsetdel) {
+				fatal("-D specified more than once");
+			}
+
+			changed = true;
+			del = strtotime(isc_commandline_argument, now, now,
+					&setdel);
+			unsetdel = !setdel;
+			break;
+		case 'd':
+			if (setds) {
+				fatal("-d specified more than once");
+			}
+
+			ds = strtokeystate(isc_commandline_argument);
+			setds = true;
+			/* time */
+			(void)isoptarg(isc_commandline_argument, argv, usage);
+			dstime = strtotime(isc_commandline_argument, now, now,
+					   &setdstime);
+			break;
+		case 'E':
+			engine = isc_commandline_argument;
+			break;
+		case 'f':
+			force = true;
+			break;
+		case 'g':
+			if (setgoal) {
+				fatal("-g specified more than once");
+			}
+
+			goal = strtokeystate(isc_commandline_argument);
+			if (goal != DST_KEY_STATE_NA &&
+			    goal != DST_KEY_STATE_HIDDEN &&
+			    goal != DST_KEY_STATE_OMNIPRESENT)
+			{
+				fatal("-g must be either none, hidden, or "
+				      "omnipresent");
+			}
+			setgoal = true;
+			break;
+		case '?':
+			if (isc_commandline_option != '?') {
+				fprintf(stderr, "%s: invalid argument -%c\n",
+					program, isc_commandline_option);
+			}
+			FALLTHROUGH;
+		case 'h':
+			/* Does not return. */
+			usage();
+		case 'I':
+			if (setinact || unsetinact) {
+				fatal("-I specified more than once");
+			}
+
+			changed = true;
+			inact = strtotime(isc_commandline_argument, now, now,
+					  &setinact);
+			unsetinact = !setinact;
+			break;
+		case 'i':
+			prepub = strtottl(isc_commandline_argument);
+			break;
+		case 'K':
+			/*
+			 * We don't have to copy it here, but do it to
+			 * simplify cleanup later
+			 */
+			directory = isc_mem_strdup(mctx,
+						   isc_commandline_argument);
+			break;
+		case 'k':
+			if (setdnskey) {
+				fatal("-k specified more than once");
+			}
+
+			dnskey = strtokeystate(isc_commandline_argument);
+			setdnskey = true;
+			/* time */
+			(void)isoptarg(isc_commandline_argument, argv, usage);
+			dnskeytime = strtotime(isc_commandline_argument, now,
+					       now, &setdnskeytime);
+			break;
+		case 'L':
+			ttl = strtottl(isc_commandline_argument);
+			setttl = true;
+			break;
+		case 'P':
+			/* -Psync ? */
+			if (isoptarg("sync", argv, usage)) {
+				if (unsetsyncadd || setsyncadd) {
+					fatal("-P sync specified more than "
+					      "once");
+				}
+
+				changed = true;
+				syncadd = strtotime(isc_commandline_argument,
+						    now, now, &setsyncadd);
+				unsetsyncadd = !setsyncadd;
+				break;
+			}
+			/* -Pds ? */
+			if (isoptarg("ds", argv, usage)) {
+				if (unsetdsadd || setdsadd) {
+					fatal("-P ds specified more than once");
+				}
+
+				changed = true;
+				dsadd = strtotime(isc_commandline_argument, now,
+						  now, &setdsadd);
+				unsetdsadd = !setdsadd;
+				break;
+			}
+			/* -Pdnskey ? */
+			(void)isoptarg("dnskey", argv, usage);
+			if (setpub || unsetpub) {
+				fatal("-P specified more than once");
+			}
+
+			changed = true;
+			pub = strtotime(isc_commandline_argument, now, now,
+					&setpub);
+			unsetpub = !setpub;
+			break;
+		case 'p':
+			p = isc_commandline_argument;
+			if (!strcasecmp(p, "all")) {
+				printcreate = true;
+				printpub = true;
+				printact = true;
+				printrev = true;
+				printinact = true;
+				printdel = true;
+				printsyncadd = true;
+				printsyncdel = true;
+				printdsadd = true;
+				printdsdel = true;
+				break;
+			}
+
+			do {
+				switch (*p++) {
+				case 'A':
+					printact = true;
+					break;
+				case 'C':
+					printcreate = true;
+					break;
+				case 'D':
+					if (!strncmp(p, "sync", 4)) {
+						p += 4;
+						printsyncdel = true;
+						break;
+					}
+					if (!strncmp(p, "ds", 2)) {
+						p += 2;
+						printdsdel = true;
+						break;
+					}
+					printdel = true;
+					break;
+				case 'I':
+					printinact = true;
+					break;
+				case 'P':
+					if (!strncmp(p, "sync", 4)) {
+						p += 4;
+						printsyncadd = true;
+						break;
+					}
+					if (!strncmp(p, "ds", 2)) {
+						p += 2;
+						printdsadd = true;
+						break;
+					}
+					printpub = true;
+					break;
+				case 'R':
+					printrev = true;
+					break;
+				case ' ':
+					break;
+				default:
+					usage();
+					break;
+				}
+			} while (*p != '\0');
+			break;
+		case 'R':
+			if (setrev || unsetrev) {
+				fatal("-R specified more than once");
+			}
+
+			changed = true;
+			rev = strtotime(isc_commandline_argument, now, now,
+					&setrev);
+			unsetrev = !setrev;
+			break;
+		case 'r':
+			if (setkrrsig) {
+				fatal("-r specified more than once");
+			}
+
+			krrsig = strtokeystate(isc_commandline_argument);
+			setkrrsig = true;
+			/* time */
+			(void)isoptarg(isc_commandline_argument, argv, usage);
+			krrsigtime = strtotime(isc_commandline_argument, now,
+					       now, &setkrrsigtime);
+			break;
+		case 'S':
+			predecessor = isc_commandline_argument;
+			break;
+		case 's':
+			write_state = true;
+			break;
+		case 'u':
+			epoch = true;
+			break;
+		case 'V':
+			/* Does not return. */
+			version(program);
+		case 'v':
+			verbose = strtol(isc_commandline_argument, &endp, 0);
+			if (*endp != '\0') {
+				fatal("-v must be followed by a number");
+			}
+			break;
+		case 'z':
+			if (setzrrsig) {
+				fatal("-z specified more than once");
+			}
+
+			zrrsig = strtokeystate(isc_commandline_argument);
+			setzrrsig = true;
+			(void)isoptarg(isc_commandline_argument, argv, usage);
+			zrrsigtime = strtotime(isc_commandline_argument, now,
+					       now, &setzrrsigtime);
+			break;
+
+		default:
+			fprintf(stderr, "%s: unhandled option -%c\n", program,
+				isc_commandline_option);
+			exit(1);
+		}
+	}
+
+	if (argc < isc_commandline_index + 1 ||
+	    argv[isc_commandline_index] == NULL)
+	{
+		fatal("The key file name was not specified");
+	}
+	if (argc > isc_commandline_index + 1) {
+		fatal("Extraneous arguments");
+	}
+
+	if ((setgoal || setds || setdnskey || setkrrsig || setzrrsig) &&
+	    !write_state)
+	{
+		fatal("Options -g, -d, -k, -r and -z require -s to be set");
+	}
+
+	result = dst_lib_init(mctx, engine);
+	if (result != ISC_R_SUCCESS) {
+		fatal("Could not initialize dst: %s",
+		      isc_result_totext(result));
+	}
+
+	if (predecessor != NULL) {
+		int major, minor;
+
+		if (prepub == -1) {
+			prepub = (30 * 86400);
+		}
+
+		if (setpub || unsetpub) {
+			fatal("-S and -P cannot be used together");
+		}
+		if (setact || unsetact) {
+			fatal("-S and -A cannot be used together");
+		}
+
+		result = dst_key_fromnamedfile(predecessor, directory, options,
+					       mctx, &prevkey);
+		if (result != ISC_R_SUCCESS) {
+			fatal("Invalid keyfile %s: %s", filename,
+			      isc_result_totext(result));
+		}
+		if (!dst_key_isprivate(prevkey) && !dst_key_isexternal(prevkey))
+		{
+			fatal("%s is not a private key", filename);
+		}
+
+		name = dst_key_name(prevkey);
+		alg = dst_key_alg(prevkey);
+		size = dst_key_size(prevkey);
+		flags = dst_key_flags(prevkey);
+
+		dst_key_format(prevkey, keystr, sizeof(keystr));
+		dst_key_getprivateformat(prevkey, &major, &minor);
+		if (major != DST_MAJOR_VERSION || minor < DST_MINOR_VERSION) {
+			fatal("Predecessor has incompatible format "
+			      "version %d.%d\n\t",
+			      major, minor);
+		}
+
+		result = dst_key_gettime(prevkey, DST_TIME_ACTIVATE, &prevact);
+		if (result != ISC_R_SUCCESS) {
+			fatal("Predecessor has no activation date. "
+			      "You must set one before\n\t"
+			      "generating a successor.");
+		}
+
+		result = dst_key_gettime(prevkey, DST_TIME_INACTIVE,
+					 &previnact);
+		if (result != ISC_R_SUCCESS) {
+			fatal("Predecessor has no inactivation date. "
+			      "You must set one before\n\t"
+			      "generating a successor.");
+		}
+
+		pub = previnact - prepub;
+		act = previnact;
+
+		if ((previnact - prepub) < now && prepub != 0) {
+			fatal("Time until predecessor inactivation is\n\t"
+			      "shorter than the prepublication interval.  "
+			      "Either change\n\t"
+			      "predecessor inactivation date, or use the -i "
+			      "option to set\n\t"
+			      "a shorter prepublication interval.");
+		}
+
+		result = dst_key_gettime(prevkey, DST_TIME_DELETE, &prevdel);
+		if (result != ISC_R_SUCCESS) {
+			fprintf(stderr,
+				"%s: warning: Predecessor has no "
+				"removal date;\n\t"
+				"it will remain in the zone "
+				"indefinitely after rollover.\n",
+				program);
+		} else if (prevdel < previnact) {
+			fprintf(stderr,
+				"%s: warning: Predecessor is "
+				"scheduled to be deleted\n\t"
+				"before it is scheduled to be "
+				"inactive.\n",
+				program);
+		}
+
+		changed = setpub = setact = true;
+	} else {
+		if (prepub < 0) {
+			prepub = 0;
+		}
+
+		if (prepub > 0) {
+			if (setpub && setact && (act - prepub) < pub) {
+				fatal("Activation and publication dates "
+				      "are closer together than the\n\t"
+				      "prepublication interval.");
+			}
+
+			if (setpub && !setact) {
+				setact = true;
+				act = pub + prepub;
+			} else if (setact && !setpub) {
+				setpub = true;
+				pub = act - prepub;
+			}
+
+			if ((act - prepub) < now) {
+				fatal("Time until activation is shorter "
+				      "than the\n\tprepublication interval.");
+			}
+		}
+	}
+
+	if (directory != NULL) {
+		filename = argv[isc_commandline_index];
+	} else {
+		result = isc_file_splitpath(mctx, argv[isc_commandline_index],
+					    &directory, &filename);
+		if (result != ISC_R_SUCCESS) {
+			fatal("cannot process filename %s: %s",
+			      argv[isc_commandline_index],
+			      isc_result_totext(result));
+		}
+	}
+
+	result = dst_key_fromnamedfile(filename, directory, options, mctx,
+				       &key);
+	if (result != ISC_R_SUCCESS) {
+		fatal("Invalid keyfile %s: %s", filename,
+		      isc_result_totext(result));
+	}
+
+	if (!dst_key_isprivate(key) && !dst_key_isexternal(key)) {
+		fatal("%s is not a private key", filename);
+	}
+
+	dst_key_format(key, keystr, sizeof(keystr));
+
+	if (predecessor != NULL) {
+		if (!dns_name_equal(name, dst_key_name(key))) {
+			fatal("Key name mismatch");
+		}
+		if (alg != dst_key_alg(key)) {
+			fatal("Key algorithm mismatch");
+		}
+		if (size != dst_key_size(key)) {
+			fatal("Key size mismatch");
+		}
+		if (flags != dst_key_flags(key)) {
+			fatal("Key flags mismatch");
+		}
+	}
+
+	prevdel = previnact = 0;
+	if ((setdel && setinact && del < inact) ||
+	    (dst_key_gettime(key, DST_TIME_INACTIVE, &previnact) ==
+		     ISC_R_SUCCESS &&
+	     setdel && !setinact && !unsetinact && del < previnact) ||
+	    (dst_key_gettime(key, DST_TIME_DELETE, &prevdel) == ISC_R_SUCCESS &&
+	     setinact && !setdel && !unsetdel && prevdel < inact) ||
+	    (!setdel && !unsetdel && !setinact && !unsetinact && prevdel != 0 &&
+	     prevdel < previnact))
+	{
+		fprintf(stderr,
+			"%s: warning: Key is scheduled to "
+			"be deleted before it is\n\t"
+			"scheduled to be inactive.\n",
+			program);
+	}
+
+	if (force) {
+		set_keyversion(key);
+	} else {
+		check_keyversion(key, keystr);
+	}
+
+	if (verbose > 2) {
+		fprintf(stderr, "%s: %s\n", program, keystr);
+	}
+
+	/*
+	 * Set time values.
+	 */
+	if (setpub) {
+		dst_key_settime(key, DST_TIME_PUBLISH, pub);
+	} else if (unsetpub) {
+		dst_key_unsettime(key, DST_TIME_PUBLISH);
+	}
+
+	if (setact) {
+		dst_key_settime(key, DST_TIME_ACTIVATE, act);
+	} else if (unsetact) {
+		dst_key_unsettime(key, DST_TIME_ACTIVATE);
+	}
+
+	if (setrev) {
+		if ((dst_key_flags(key) & DNS_KEYFLAG_REVOKE) != 0) {
+			fprintf(stderr,
+				"%s: warning: Key %s is already "
+				"revoked; changing the revocation date "
+				"will not affect this.\n",
+				program, keystr);
+		}
+		if ((dst_key_flags(key) & DNS_KEYFLAG_KSK) == 0) {
+			fprintf(stderr,
+				"%s: warning: Key %s is not flagged as "
+				"a KSK, but -R was used.  Revoking a "
+				"ZSK is legal, but undefined.\n",
+				program, keystr);
+		}
+		dst_key_settime(key, DST_TIME_REVOKE, rev);
+	} else if (unsetrev) {
+		if ((dst_key_flags(key) & DNS_KEYFLAG_REVOKE) != 0) {
+			fprintf(stderr,
+				"%s: warning: Key %s is already "
+				"revoked; removing the revocation date "
+				"will not affect this.\n",
+				program, keystr);
+		}
+		dst_key_unsettime(key, DST_TIME_REVOKE);
+	}
+
+	if (setinact) {
+		dst_key_settime(key, DST_TIME_INACTIVE, inact);
+	} else if (unsetinact) {
+		dst_key_unsettime(key, DST_TIME_INACTIVE);
+	}
+
+	if (setdel) {
+		dst_key_settime(key, DST_TIME_DELETE, del);
+	} else if (unsetdel) {
+		dst_key_unsettime(key, DST_TIME_DELETE);
+	}
+
+	if (setsyncadd) {
+		dst_key_settime(key, DST_TIME_SYNCPUBLISH, syncadd);
+	} else if (unsetsyncadd) {
+		dst_key_unsettime(key, DST_TIME_SYNCPUBLISH);
+	}
+
+	if (setsyncdel) {
+		dst_key_settime(key, DST_TIME_SYNCDELETE, syncdel);
+	} else if (unsetsyncdel) {
+		dst_key_unsettime(key, DST_TIME_SYNCDELETE);
+	}
+
+	if (setdsadd) {
+		dst_key_settime(key, DST_TIME_DSPUBLISH, dsadd);
+	} else if (unsetdsadd) {
+		dst_key_unsettime(key, DST_TIME_DSPUBLISH);
+	}
+
+	if (setdsdel) {
+		dst_key_settime(key, DST_TIME_DSDELETE, dsdel);
+	} else if (unsetdsdel) {
+		dst_key_unsettime(key, DST_TIME_DSDELETE);
+	}
+
+	if (setttl) {
+		dst_key_setttl(key, ttl);
+	}
+
+	if (predecessor != NULL && prevkey != NULL) {
+		dst_key_setnum(prevkey, DST_NUM_SUCCESSOR, dst_key_id(key));
+		dst_key_setnum(key, DST_NUM_PREDECESSOR, dst_key_id(prevkey));
+	}
+
+	/*
+	 * No metadata changes were made but we're forcing an upgrade
+	 * to the new format anyway: use "-P now -A now" as the default
+	 */
+	if (force && !changed) {
+		dst_key_settime(key, DST_TIME_PUBLISH, now);
+		dst_key_settime(key, DST_TIME_ACTIVATE, now);
+		changed = true;
+	}
+
+	/*
+	 * Make sure the key state goals are written.
+	 */
+	if (write_state) {
+		if (setgoal) {
+			if (goal == DST_KEY_STATE_NA) {
+				dst_key_unsetstate(key, DST_KEY_GOAL);
+			} else {
+				dst_key_setstate(key, DST_KEY_GOAL, goal);
+			}
+			changed = true;
+		}
+		if (setds) {
+			if (ds == DST_KEY_STATE_NA) {
+				dst_key_unsetstate(key, DST_KEY_DS);
+				dst_key_unsettime(key, DST_TIME_DS);
+			} else {
+				dst_key_setstate(key, DST_KEY_DS, ds);
+				dst_key_settime(key, DST_TIME_DS, dstime);
+			}
+			changed = true;
+		}
+		if (setdnskey) {
+			if (dnskey == DST_KEY_STATE_NA) {
+				dst_key_unsetstate(key, DST_KEY_DNSKEY);
+				dst_key_unsettime(key, DST_TIME_DNSKEY);
+			} else {
+				dst_key_setstate(key, DST_KEY_DNSKEY, dnskey);
+				dst_key_settime(key, DST_TIME_DNSKEY,
+						dnskeytime);
+			}
+			changed = true;
+		}
+		if (setkrrsig) {
+			if (krrsig == DST_KEY_STATE_NA) {
+				dst_key_unsetstate(key, DST_KEY_KRRSIG);
+				dst_key_unsettime(key, DST_TIME_KRRSIG);
+			} else {
+				dst_key_setstate(key, DST_KEY_KRRSIG, krrsig);
+				dst_key_settime(key, DST_TIME_KRRSIG,
+						krrsigtime);
+			}
+			changed = true;
+		}
+		if (setzrrsig) {
+			if (zrrsig == DST_KEY_STATE_NA) {
+				dst_key_unsetstate(key, DST_KEY_ZRRSIG);
+				dst_key_unsettime(key, DST_TIME_ZRRSIG);
+			} else {
+				dst_key_setstate(key, DST_KEY_ZRRSIG, zrrsig);
+				dst_key_settime(key, DST_TIME_ZRRSIG,
+						zrrsigtime);
+			}
+			changed = true;
+		}
+	}
+
+	if (!changed && setttl) {
+		changed = true;
+	}
+
+	/*
+	 * Print out time values, if -p was used.
+	 */
+	if (printcreate) {
+		printtime(key, DST_TIME_CREATED, "Created", epoch, stdout);
+	}
+
+	if (printpub) {
+		printtime(key, DST_TIME_PUBLISH, "Publish", epoch, stdout);
+	}
+
+	if (printact) {
+		printtime(key, DST_TIME_ACTIVATE, "Activate", epoch, stdout);
+	}
+
+	if (printrev) {
+		printtime(key, DST_TIME_REVOKE, "Revoke", epoch, stdout);
+	}
+
+	if (printinact) {
+		printtime(key, DST_TIME_INACTIVE, "Inactive", epoch, stdout);
+	}
+
+	if (printdel) {
+		printtime(key, DST_TIME_DELETE, "Delete", epoch, stdout);
+	}
+
+	if (printsyncadd) {
+		printtime(key, DST_TIME_SYNCPUBLISH, "SYNC Publish", epoch,
+			  stdout);
+	}
+
+	if (printsyncdel) {
+		printtime(key, DST_TIME_SYNCDELETE, "SYNC Delete", epoch,
+			  stdout);
+	}
+
+	if (printdsadd) {
+		printtime(key, DST_TIME_DSPUBLISH, "DS Publish", epoch, stdout);
+	}
+
+	if (printdsdel) {
+		printtime(key, DST_TIME_DSDELETE, "DS Delete", epoch, stdout);
+	}
+
+	if (changed) {
+		writekey(key, directory, write_state);
+		if (predecessor != NULL && prevkey != NULL) {
+			writekey(prevkey, directory, write_state);
+		}
+	}
+
+	if (prevkey != NULL) {
+		dst_key_free(&prevkey);
+	}
+	dst_key_free(&key);
+	dst_lib_destroy();
+	if (verbose > 10) {
+		isc_mem_stats(mctx, stdout);
+	}
+	cleanup_logging(&log);
+	isc_mem_free(mctx, directory);
+	isc_mem_destroy(&mctx);
+
+	return (0);
+}
diff --git a/bin/dnssec/dnssec-settime.rst b/bin/dnssec/dnssec-settime.rst
new file mode 100644
index 0000000..9f6c428
--- /dev/null
+++ b/bin/dnssec/dnssec-settime.rst
@@ -0,0 +1,231 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. highlight: console
+
+.. _man_dnssec-settime:
+
+dnssec-settime: set the key timing metadata for a DNSSEC key
+------------------------------------------------------------
+
+Synopsis
+~~~~~~~~
+
+:program:`dnssec-settime` [**-f**] [**-K** directory] [**-L** ttl] [**-P** date/offset] [**-P** ds date/offset] [**-P** sync date/offset] [**-A** date/offset] [**-R** date/offset] [**-I** date/offset] [**-D** date/offset] [**-D** ds date/offset] [**-D** sync date/offset] [**-S** key] [**-i** interval] [**-h**] [**-V**] [**-v** level] [**-E** engine] {keyfile} [**-s**] [**-g** state] [**-d** state date/offset] [**-k** state date/offset] [**-r** state date/offset] [**-z** state date/offset]
+
+Description
+~~~~~~~~~~~
+
+``dnssec-settime`` reads a DNSSEC private key file and sets the key
+timing metadata as specified by the ``-P``, ``-A``, ``-R``, ``-I``, and
+``-D`` options. The metadata can then be used by ``dnssec-signzone`` or
+other signing software to determine when a key is to be published,
+whether it should be used for signing a zone, etc.
+
+If none of these options is set on the command line,
+``dnssec-settime`` simply prints the key timing metadata already stored
+in the key.
+
+When key metadata fields are changed, both files of a key pair
+(``Knnnn.+aaa+iiiii.key`` and ``Knnnn.+aaa+iiiii.private``) are
+regenerated.
+
+Metadata fields are stored in the private file. A
+human-readable description of the metadata is also placed in comments in
+the key file. The private file's permissions are always set to be
+inaccessible to anyone other than the owner (mode 0600).
+
+When working with state files, it is possible to update the timing metadata in
+those files as well with ``-s``.  With this option, it is also possible to update key
+states with ``-d`` (DS), ``-k`` (DNSKEY), ``-r`` (RRSIG of KSK), or ``-z``
+(RRSIG of ZSK). Allowed states are HIDDEN, RUMOURED, OMNIPRESENT, and
+UNRETENTIVE.
+
+The goal state of the key can also be set with ``-g``. This should be either
+HIDDEN or OMNIPRESENT, representing whether the key should be removed from the
+zone or published.
+
+It is NOT RECOMMENDED to manipulate state files manually, except for testing
+purposes.
+
+Options
+~~~~~~~
+
+``-f``
+   This option forces an update of an old-format key with no metadata fields. Without
+   this option, ``dnssec-settime`` fails when attempting to update a
+   legacy key. With this option, the key is recreated in the new
+   format, but with the original key data retained. The key's creation
+   date is set to the present time. If no other values are
+   specified, then the key's publication and activation dates are also
+   set to the present time.
+
+``-K directory``
+   This option sets the directory in which the key files are to reside.
+
+``-L ttl``
+   This option sets the default TTL to use for this key when it is converted into a
+   DNSKEY RR. This is the TTL used when the key is imported into a zone,
+   unless there was already a DNSKEY RRset in
+   place, in which case the existing TTL takes precedence. If this
+   value is not set and there is no existing DNSKEY RRset, the TTL
+   defaults to the SOA TTL. Setting the default TTL to ``0`` or ``none``
+   removes it from the key.
+
+``-h``
+   This option emits a usage message and exits.
+
+``-V``
+   This option prints version information.
+
+``-v level``
+   This option sets the debugging level.
+
+``-E engine``
+   This option specifies the cryptographic hardware to use, when applicable.
+
+   When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+   engine identifier that drives the cryptographic accelerator or
+   hardware service module (usually ``pkcs11``). When BIND is
+   built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
+   defaults to the path of the PKCS#11 provider library specified via
+   ``--with-pkcs11``.
+
+Timing Options
+~~~~~~~~~~~~~~
+
+Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the
+argument begins with a ``+`` or ``-``, it is interpreted as an offset from
+the present time. For convenience, if such an offset is followed by one
+of the suffixes ``y``, ``mo``, ``w``, ``d``, ``h``, or ``mi``, then the offset is
+computed in years (defined as 365 24-hour days, ignoring leap years),
+months (defined as 30 24-hour days), weeks, days, hours, or minutes,
+respectively. Without a suffix, the offset is computed in seconds. To
+explicitly prevent a date from being set, use ``none`` or ``never``.
+
+``-P date/offset``
+   This option sets the date on which a key is to be published to the zone. After
+   that date, the key is included in the zone but is not used
+   to sign it.
+
+``-P ds date/offset``
+   This option Sets the date on which DS records that match this key have been
+   seen in the parent zone.
+
+``-P sync date/offset``
+   This option sets the date on which CDS and CDNSKEY records that match this key
+   are to be published to the zone.
+
+``-A date/offset``
+   This option sets the date on which the key is to be activated. After that date,
+   the key is included in the zone and used to sign it. 
+
+``-R date/offset``
+   This option sets the date on which the key is to be revoked. After that date, the
+   key is flagged as revoked. It is included in the zone and
+   is used to sign it.
+
+``-I date/offset``
+   This option sets the date on which the key is to be retired. After that date, the
+   key is still included in the zone, but it is not used to
+   sign it.
+
+``-D date/offset``
+   This option sets the date on which the key is to be deleted. After that date, the
+   key is no longer included in the zone. (However, it may remain in the key
+   repository.)
+
+``-D ds date/offset``
+   This option sets the date on which the DS records that match this key have
+   been seen removed from the parent zone.
+
+``-D sync date/offset``
+   This option sets the date on which the CDS and CDNSKEY records that match this
+   key are to be deleted.
+
+``-S predecessor key``
+   This option selects a key for which the key being modified is an explicit
+   successor. The name, algorithm, size, and type of the predecessor key
+   must exactly match those of the key being modified. The activation
+   date of the successor key is set to the inactivation date of the
+   predecessor. The publication date is set to the activation date
+   minus the prepublication interval, which defaults to 30 days.
+
+``-i interval``
+   This option sets the prepublication interval for a key. If set, then the
+   publication and activation dates must be separated by at least this
+   much time. If the activation date is specified but the publication
+   date is not, the publication date defaults to this much time
+   before the activation date; conversely, if the publication date is
+   specified but not the activation date, activation is set to
+   this much time after publication.
+
+   If the key is being created as an explicit successor to another key,
+   then the default prepublication interval is 30 days; otherwise it is
+   zero.
+
+   As with date offsets, if the argument is followed by one of the
+   suffixes ``y``, ``mo``, ``w``, ``d``, ``h``, or ``mi``, the interval is
+   measured in years, months, weeks, days, hours, or minutes,
+   respectively. Without a suffix, the interval is measured in seconds.
+
+Key State Options
+~~~~~~~~~~~~~~~~~
+
+To test dnssec-policy it may be necessary to construct keys with artificial
+state information; these options are used by the testing framework for that
+purpose, but should never be used in production.
+
+Known key states are HIDDEN, RUMOURED, OMNIPRESENT, and UNRETENTIVE.
+
+``-s``
+   This option indicates that when setting key timing data, the state file should also be updated.
+
+``-g state``
+   This option sets the goal state for this key. Must be HIDDEN or OMNIPRESENT.
+
+``-d state date/offset``
+   This option sets the DS state for this key as of the specified date, offset from the current date.
+
+``-k state date/offset``
+   This option sets the DNSKEY state for this key as of the specified date, offset from the current date.
+
+``-r state date/offset``
+   This option sets the RRSIG (KSK) state for this key as of the specified date, offset from the current date.
+
+``-z state date/offset``
+   This option sets the RRSIG (ZSK) state for this key as of the specified date, offset from the current date.
+
+Printing Options
+~~~~~~~~~~~~~~~~
+
+``dnssec-settime`` can also be used to print the timing metadata
+associated with a key.
+
+``-u``
+   This option indicates that times should be printed in Unix epoch format.
+
+``-p C/P/Pds/Psync/A/R/I/D/Dds/Dsync/all``
+   This option prints a specific metadata value or set of metadata values.
+   The ``-p`` option may be followed by one or more of the following letters or
+   strings to indicate which value or values to print: ``C`` for the
+   creation date, ``P`` for the publication date, ``Pds` for the DS publication
+   date, ``Psync`` for the CDS and CDNSKEY publication date, ``A`` for the
+   activation date, ``R`` for the revocation date, ``I`` for the inactivation
+   date, ``D`` for the deletion date, ``Dds`` for the DS deletion date,
+   and ``Dsync`` for the CDS and CDNSKEY deletion date. To print all of the
+   metadata, use ``all``.
+
+See Also
+~~~~~~~~
+
+:manpage:`dnssec-keygen(8)`, :manpage:`dnssec-signzone(8)`, BIND 9 Administrator Reference Manual,
+:rfc:`5011`.
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
new file mode 100644
index 0000000..2d2c158
--- /dev/null
+++ b/bin/dnssec/dnssec-signzone.c
@@ -0,0 +1,4197 @@
+/*
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * Portions Copyright (C) Network Associates, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <isc/app.h>
+#include <isc/atomic.h>
+#include <isc/base32.h>
+#include <isc/commandline.h>
+#include <isc/event.h>
+#include <isc/file.h>
+#include <isc/hash.h>
+#include <isc/hex.h>
+#include <isc/managers.h>
+#include <isc/md.h>
+#include <isc/mem.h>
+#include <isc/mutex.h>
+#include <isc/os.h>
+#include <isc/print.h>
+#include <isc/random.h>
+#include <isc/rwlock.h>
+#include <isc/safe.h>
+#include <isc/serial.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/diff.h>
+#include <dns/dnssec.h>
+#include <dns/ds.h>
+#include <dns/fixedname.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/master.h>
+#include <dns/masterdump.h>
+#include <dns/nsec.h>
+#include <dns/nsec3.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/soa.h>
+#include <dns/time.h>
+#include <dns/update.h>
+#include <dns/zoneverify.h>
+
+#include <dst/dst.h>
+
+#if USE_PKCS11
+#include <pk11/result.h>
+#endif /* if USE_PKCS11 */
+
+#include "dnssectool.h"
+
+const char *program = "dnssec-signzone";
+
+typedef struct hashlist hashlist_t;
+
+static int nsec_datatype = dns_rdatatype_nsec;
+
+#define check_dns_dbiterator_current(result)                               \
+	check_result((result == DNS_R_NEWORIGIN) ? ISC_R_SUCCESS : result, \
+		     "dns_dbiterator_current()")
+
+#define IS_NSEC3  (nsec_datatype == dns_rdatatype_nsec3)
+#define OPTOUT(x) (((x)&DNS_NSEC3FLAG_OPTOUT) != 0)
+
+#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0)
+
+#define BUFSIZE	  2048
+#define MAXDSKEYS 8
+
+#define SIGNER_EVENTCLASS  ISC_EVENTCLASS(0x4453)
+#define SIGNER_EVENT_WRITE (SIGNER_EVENTCLASS + 0)
+#define SIGNER_EVENT_WORK  (SIGNER_EVENTCLASS + 1)
+
+#define SOA_SERIAL_KEEP	     0
+#define SOA_SERIAL_INCREMENT 1
+#define SOA_SERIAL_UNIXTIME  2
+#define SOA_SERIAL_DATE	     3
+
+typedef struct signer_event sevent_t;
+struct signer_event {
+	ISC_EVENT_COMMON(sevent_t);
+	dns_fixedname_t *fname;
+	dns_dbnode_t *node;
+};
+
+static dns_dnsseckeylist_t keylist;
+static unsigned int keycount = 0;
+static isc_rwlock_t keylist_lock;
+static isc_stdtime_t starttime = 0, endtime = 0, dnskey_endtime = 0, now;
+static int cycle = -1;
+static int jitter = 0;
+static bool tryverify = false;
+static bool printstats = false;
+static isc_mem_t *mctx = NULL;
+static dns_ttl_t zone_soa_min_ttl;
+static dns_ttl_t soa_ttl;
+static FILE *outfp = NULL;
+static char *tempfile = NULL;
+static const dns_master_style_t *masterstyle;
+static dns_masterformat_t inputformat = dns_masterformat_text;
+static dns_masterformat_t outputformat = dns_masterformat_text;
+static uint32_t rawversion = 1, serialnum = 0;
+static bool snset = false;
+static unsigned int nsigned = 0, nretained = 0, ndropped = 0;
+static unsigned int nverified = 0, nverifyfailed = 0;
+static const char *directory = NULL, *dsdir = NULL;
+static isc_mutex_t namelock, statslock;
+static isc_nm_t *netmgr = NULL;
+static isc_taskmgr_t *taskmgr = NULL;
+static dns_db_t *gdb;		  /* The database */
+static dns_dbversion_t *gversion; /* The database version */
+static dns_dbiterator_t *gdbiter; /* The database iterator */
+static dns_rdataclass_t gclass;	  /* The class */
+static dns_name_t *gorigin;	  /* The database origin */
+static int nsec3flags = 0;
+static dns_iterations_t nsec3iter = 10U;
+static unsigned char saltbuf[255];
+static unsigned char *gsalt = saltbuf;
+static size_t salt_length = 0;
+static isc_task_t *master = NULL;
+static unsigned int ntasks = 0;
+static atomic_bool shuttingdown;
+static atomic_bool finished;
+static bool nokeys = false;
+static bool removefile = false;
+static bool generateds = false;
+static bool ignore_kskflag = false;
+static bool keyset_kskonly = false;
+static dns_master_style_t *dsstyle = NULL;
+static unsigned int serialformat = SOA_SERIAL_KEEP;
+static unsigned int hash_length = 0;
+static bool unknownalg = false;
+static bool disable_zone_check = false;
+static bool update_chain = false;
+static bool set_keyttl = false;
+static dns_ttl_t keyttl;
+static bool smartsign = false;
+static bool remove_orphansigs = false;
+static bool remove_inactkeysigs = false;
+static bool output_dnssec_only = false;
+static bool output_stdout = false;
+static bool set_maxttl = false;
+static dns_ttl_t maxttl = 0;
+static bool no_max_check = false;
+
+#define INCSTAT(counter)            \
+	if (printstats) {           \
+		LOCK(&statslock);   \
+		counter++;          \
+		UNLOCK(&statslock); \
+	}
+
+static void
+sign(isc_task_t *task, isc_event_t *event);
+
+/*%
+ * Store a copy of 'name' in 'fzonecut' and return a pointer to that copy.
+ */
+static dns_name_t *
+savezonecut(dns_fixedname_t *fzonecut, dns_name_t *name) {
+	dns_name_t *result;
+
+	result = dns_fixedname_initname(fzonecut);
+	dns_name_copynf(name, result);
+
+	return (result);
+}
+
+static void
+dumpnode(dns_name_t *name, dns_dbnode_t *node) {
+	dns_rdataset_t rds;
+	dns_rdatasetiter_t *iter = NULL;
+	isc_buffer_t *buffer = NULL;
+	isc_region_t r;
+	isc_result_t result;
+	unsigned bufsize = 4096;
+
+	if (outputformat != dns_masterformat_text) {
+		return;
+	}
+
+	if (!output_dnssec_only) {
+		result = dns_master_dumpnodetostream(mctx, gdb, gversion, node,
+						     name, masterstyle, outfp);
+		check_result(result, "dns_master_dumpnodetostream");
+		return;
+	}
+
+	result = dns_db_allrdatasets(gdb, node, gversion, 0, 0, &iter);
+	check_result(result, "dns_db_allrdatasets");
+
+	dns_rdataset_init(&rds);
+
+	isc_buffer_allocate(mctx, &buffer, bufsize);
+
+	for (result = dns_rdatasetiter_first(iter); result == ISC_R_SUCCESS;
+	     result = dns_rdatasetiter_next(iter))
+	{
+		dns_rdatasetiter_current(iter, &rds);
+
+		if (rds.type != dns_rdatatype_rrsig &&
+		    rds.type != dns_rdatatype_nsec &&
+		    rds.type != dns_rdatatype_nsec3 &&
+		    rds.type != dns_rdatatype_nsec3param &&
+		    (!smartsign || rds.type != dns_rdatatype_dnskey))
+		{
+			dns_rdataset_disassociate(&rds);
+			continue;
+		}
+
+		for (;;) {
+			result = dns_master_rdatasettotext(
+				name, &rds, masterstyle, NULL, buffer);
+			if (result != ISC_R_NOSPACE) {
+				break;
+			}
+
+			bufsize <<= 1;
+			isc_buffer_free(&buffer);
+			isc_buffer_allocate(mctx, &buffer, bufsize);
+		}
+		check_result(result, "dns_master_rdatasettotext");
+
+		isc_buffer_usedregion(buffer, &r);
+		result = isc_stdio_write(r.base, 1, r.length, outfp, NULL);
+		check_result(result, "isc_stdio_write");
+		isc_buffer_clear(buffer);
+
+		dns_rdataset_disassociate(&rds);
+	}
+
+	isc_buffer_free(&buffer);
+	dns_rdatasetiter_destroy(&iter);
+}
+
+/*%
+ * Sign the given RRset with given key, and add the signature record to the
+ * given tuple.
+ */
+static void
+signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dst_key_t *key,
+	    dns_ttl_t ttl, dns_diff_t *add, const char *logmsg) {
+	isc_result_t result;
+	isc_stdtime_t jendtime, expiry;
+	char keystr[DST_KEY_FORMATSIZE];
+	dns_rdata_t trdata = DNS_RDATA_INIT;
+	unsigned char array[BUFSIZE];
+	isc_buffer_t b;
+	dns_difftuple_t *tuple;
+
+	dst_key_format(key, keystr, sizeof(keystr));
+	vbprintf(1, "\t%s %s\n", logmsg, keystr);
+
+	if (rdataset->type == dns_rdatatype_dnskey) {
+		expiry = dnskey_endtime;
+	} else {
+		expiry = endtime;
+	}
+
+	jendtime = (jitter != 0) ? expiry - isc_random_uniform(jitter) : expiry;
+	isc_buffer_init(&b, array, sizeof(array));
+	result = dns_dnssec_sign(name, rdataset, key, &starttime, &jendtime,
+				 mctx, &b, &trdata);
+	if (result != ISC_R_SUCCESS) {
+		fatal("dnskey '%s' failed to sign data: %s", keystr,
+		      isc_result_totext(result));
+	}
+	INCSTAT(nsigned);
+
+	if (tryverify) {
+		result = dns_dnssec_verify(name, rdataset, key, true, 0, mctx,
+					   &trdata, NULL);
+		if (result == ISC_R_SUCCESS || result == DNS_R_FROMWILDCARD) {
+			vbprintf(3, "\tsignature verified\n");
+			INCSTAT(nverified);
+		} else {
+			vbprintf(3, "\tsignature failed to verify\n");
+			INCSTAT(nverifyfailed);
+		}
+	}
+
+	tuple = NULL;
+	result = dns_difftuple_create(mctx, DNS_DIFFOP_ADDRESIGN, name, ttl,
+				      &trdata, &tuple);
+	check_result(result, "dns_difftuple_create");
+	dns_diff_append(add, &tuple);
+}
+
+static bool
+issigningkey(dns_dnsseckey_t *key) {
+	return (key->force_sign || key->hint_sign);
+}
+
+static bool
+ispublishedkey(dns_dnsseckey_t *key) {
+	return ((key->force_publish || key->hint_publish) && !key->hint_remove);
+}
+
+static bool
+iszonekey(dns_dnsseckey_t *key) {
+	return (dns_name_equal(dst_key_name(key->key), gorigin) &&
+		dst_key_iszonekey(key->key));
+}
+
+static bool
+isksk(dns_dnsseckey_t *key) {
+	return (key->ksk);
+}
+
+static bool
+iszsk(dns_dnsseckey_t *key) {
+	return (ignore_kskflag || !key->ksk);
+}
+
+/*%
+ * Find the key that generated an RRSIG, if it is in the key list.  If
+ * so, return a pointer to it, otherwise return NULL.
+ *
+ * No locking is performed here, this must be done by the caller.
+ */
+static dns_dnsseckey_t *
+keythatsigned_unlocked(dns_rdata_rrsig_t *rrsig) {
+	dns_dnsseckey_t *key;
+
+	for (key = ISC_LIST_HEAD(keylist); key != NULL;
+	     key = ISC_LIST_NEXT(key, link))
+	{
+		if (rrsig->keyid == dst_key_id(key->key) &&
+		    rrsig->algorithm == dst_key_alg(key->key) &&
+		    dns_name_equal(&rrsig->signer, dst_key_name(key->key)))
+		{
+			return (key);
+		}
+	}
+	return (NULL);
+}
+
+/*%
+ * Finds the key that generated a RRSIG, if possible.  First look at the keys
+ * that we've loaded already, and then see if there's a key on disk.
+ */
+static dns_dnsseckey_t *
+keythatsigned(dns_rdata_rrsig_t *rrsig) {
+	isc_result_t result;
+	dst_key_t *pubkey = NULL, *privkey = NULL;
+	dns_dnsseckey_t *key = NULL;
+
+	RWLOCK(&keylist_lock, isc_rwlocktype_read);
+	key = keythatsigned_unlocked(rrsig);
+	RWUNLOCK(&keylist_lock, isc_rwlocktype_read);
+	if (key != NULL) {
+		return (key);
+	}
+
+	/*
+	 * We did not find the key in our list.  Get a write lock now, since
+	 * we may be modifying the bits.  We could do the tryupgrade() dance,
+	 * but instead just get a write lock and check once again to see if
+	 * it is on our list.  It's possible someone else may have added it
+	 * after all.
+	 */
+	isc_rwlock_lock(&keylist_lock, isc_rwlocktype_write);
+	key = keythatsigned_unlocked(rrsig);
+	if (key != NULL) {
+		isc_rwlock_unlock(&keylist_lock, isc_rwlocktype_write);
+		return (key);
+	}
+
+	result = dst_key_fromfile(&rrsig->signer, rrsig->keyid,
+				  rrsig->algorithm, DST_TYPE_PUBLIC, directory,
+				  mctx, &pubkey);
+	if (result != ISC_R_SUCCESS) {
+		isc_rwlock_unlock(&keylist_lock, isc_rwlocktype_write);
+		return (NULL);
+	}
+
+	result = dst_key_fromfile(
+		&rrsig->signer, rrsig->keyid, rrsig->algorithm,
+		DST_TYPE_PUBLIC | DST_TYPE_PRIVATE, directory, mctx, &privkey);
+	if (result == ISC_R_SUCCESS) {
+		dst_key_free(&pubkey);
+		result = dns_dnsseckey_create(mctx, &privkey, &key);
+	} else {
+		result = dns_dnsseckey_create(mctx, &pubkey, &key);
+	}
+
+	if (result == ISC_R_SUCCESS) {
+		key->force_publish = false;
+		key->force_sign = false;
+		key->index = keycount++;
+		ISC_LIST_APPEND(keylist, key, link);
+	}
+
+	isc_rwlock_unlock(&keylist_lock, isc_rwlocktype_write);
+	return (key);
+}
+
+/*%
+ * Check to see if we expect to find a key at this name.  If we see a RRSIG
+ * and can't find the signing key that we expect to find, we drop the rrsig.
+ * I'm not sure if this is completely correct, but it seems to work.
+ */
+static bool
+expecttofindkey(dns_name_t *name) {
+	unsigned int options = DNS_DBFIND_NOWILD;
+	dns_fixedname_t fname;
+	isc_result_t result;
+	char namestr[DNS_NAME_FORMATSIZE];
+
+	dns_fixedname_init(&fname);
+	result = dns_db_find(gdb, name, gversion, dns_rdatatype_dnskey, options,
+			     0, NULL, dns_fixedname_name(&fname), NULL, NULL);
+	switch (result) {
+	case ISC_R_SUCCESS:
+	case DNS_R_NXDOMAIN:
+	case DNS_R_NXRRSET:
+		return (true);
+	case DNS_R_DELEGATION:
+	case DNS_R_CNAME:
+	case DNS_R_DNAME:
+		return (false);
+	}
+	dns_name_format(name, namestr, sizeof(namestr));
+	fatal("failure looking for '%s DNSKEY' in database: %s", namestr,
+	      isc_result_totext(result));
+	UNREACHABLE();
+	return (false); /* removes a warning */
+}
+
+static bool
+setverifies(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
+	    dns_rdata_t *rrsig) {
+	isc_result_t result;
+	result = dns_dnssec_verify(name, set, key, false, 0, mctx, rrsig, NULL);
+	if (result == ISC_R_SUCCESS || result == DNS_R_FROMWILDCARD) {
+		INCSTAT(nverified);
+		return (true);
+	} else {
+		INCSTAT(nverifyfailed);
+		return (false);
+	}
+}
+
+/*%
+ * Signs a set.  Goes through contortions to decide if each RRSIG should
+ * be dropped or retained, and then determines if any new SIGs need to
+ * be generated.
+ */
+static void
+signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
+	dns_rdataset_t *set) {
+	dns_rdataset_t sigset;
+	dns_rdata_t sigrdata = DNS_RDATA_INIT;
+	dns_rdata_rrsig_t rrsig;
+	dns_dnsseckey_t *key;
+	isc_result_t result;
+	bool nosigs = false;
+	bool *wassignedby, *nowsignedby;
+	int arraysize;
+	dns_difftuple_t *tuple;
+	dns_ttl_t ttl;
+	int i;
+	char namestr[DNS_NAME_FORMATSIZE];
+	char typestr[DNS_RDATATYPE_FORMATSIZE];
+	char sigstr[SIG_FORMATSIZE];
+
+	dns_name_format(name, namestr, sizeof(namestr));
+	dns_rdatatype_format(set->type, typestr, sizeof(typestr));
+
+	ttl = ISC_MIN(set->ttl, endtime - starttime);
+
+	dns_rdataset_init(&sigset);
+	result = dns_db_findrdataset(gdb, node, gversion, dns_rdatatype_rrsig,
+				     set->type, 0, &sigset, NULL);
+	if (result == ISC_R_NOTFOUND) {
+		vbprintf(2, "no existing signatures for %s/%s\n", namestr,
+			 typestr);
+		result = ISC_R_SUCCESS;
+		nosigs = true;
+	}
+	if (result != ISC_R_SUCCESS) {
+		fatal("failed while looking for '%s RRSIG %s': %s", namestr,
+		      typestr, isc_result_totext(result));
+	}
+
+	vbprintf(1, "%s/%s:\n", namestr, typestr);
+
+	arraysize = keycount;
+	if (!nosigs) {
+		arraysize += dns_rdataset_count(&sigset);
+	}
+	wassignedby = isc_mem_get(mctx, arraysize * sizeof(bool));
+	nowsignedby = isc_mem_get(mctx, arraysize * sizeof(bool));
+
+	for (i = 0; i < arraysize; i++) {
+		wassignedby[i] = nowsignedby[i] = false;
+	}
+
+	if (nosigs) {
+		result = ISC_R_NOMORE;
+	} else {
+		result = dns_rdataset_first(&sigset);
+	}
+
+	while (result == ISC_R_SUCCESS) {
+		bool expired, future;
+		bool keep = false, resign = false;
+
+		dns_rdataset_current(&sigset, &sigrdata);
+
+		result = dns_rdata_tostruct(&sigrdata, &rrsig, NULL);
+		check_result(result, "dns_rdata_tostruct");
+
+		future = isc_serial_lt(now, rrsig.timesigned);
+
+		key = keythatsigned(&rrsig);
+		sig_format(&rrsig, sigstr, sizeof(sigstr));
+		expired = isc_serial_gt(now + cycle, rrsig.timeexpire);
+
+		if (isc_serial_gt(rrsig.timesigned, rrsig.timeexpire)) {
+			/* rrsig is dropped and not replaced */
+			vbprintf(2,
+				 "\trrsig by %s dropped - "
+				 "invalid validity period\n",
+				 sigstr);
+		} else if (key == NULL && !future &&
+			   expecttofindkey(&rrsig.signer))
+		{
+			/* rrsig is dropped and not replaced */
+			vbprintf(2,
+				 "\trrsig by %s dropped - "
+				 "private dnskey not found\n",
+				 sigstr);
+		} else if (key == NULL || future) {
+			keep = (!expired && !remove_orphansigs);
+			vbprintf(2, "\trrsig by %s %s - dnskey not found\n",
+				 keep ? "retained" : "dropped", sigstr);
+		} else if (!dns_dnssec_keyactive(key->key, now) &&
+			   remove_inactkeysigs)
+		{
+			keep = false;
+			vbprintf(2, "\trrsig by %s dropped - key inactive\n",
+				 sigstr);
+		} else if (issigningkey(key)) {
+			wassignedby[key->index] = true;
+
+			if (!expired && rrsig.originalttl == set->ttl &&
+			    setverifies(name, set, key->key, &sigrdata))
+			{
+				vbprintf(2, "\trrsig by %s retained\n", sigstr);
+				keep = true;
+			} else {
+				vbprintf(2, "\trrsig by %s dropped - %s\n",
+					 sigstr,
+					 expired ? "expired"
+					 : rrsig.originalttl != set->ttl
+						 ? "ttl change"
+						 : "failed to "
+						   "verify");
+				resign = true;
+			}
+		} else if (!ispublishedkey(key) && remove_orphansigs) {
+			vbprintf(2, "\trrsig by %s dropped - dnskey removed\n",
+				 sigstr);
+		} else if (iszonekey(key)) {
+			wassignedby[key->index] = true;
+
+			if (!expired && rrsig.originalttl == set->ttl &&
+			    setverifies(name, set, key->key, &sigrdata))
+			{
+				vbprintf(2, "\trrsig by %s retained\n", sigstr);
+				keep = true;
+			} else {
+				vbprintf(2, "\trrsig by %s dropped - %s\n",
+					 sigstr,
+					 expired ? "expired"
+					 : rrsig.originalttl != set->ttl
+						 ? "ttl change"
+						 : "failed to "
+						   "verify");
+			}
+		} else if (!expired) {
+			vbprintf(2, "\trrsig by %s retained\n", sigstr);
+			keep = true;
+		} else {
+			vbprintf(2, "\trrsig by %s expired\n", sigstr);
+		}
+
+		if (keep) {
+			if (key != NULL) {
+				nowsignedby[key->index] = true;
+			}
+			INCSTAT(nretained);
+			if (sigset.ttl != ttl) {
+				vbprintf(2, "\tfixing ttl %s\n", sigstr);
+				tuple = NULL;
+				result = dns_difftuple_create(
+					mctx, DNS_DIFFOP_DELRESIGN, name,
+					sigset.ttl, &sigrdata, &tuple);
+				check_result(result, "dns_difftuple_create");
+				dns_diff_append(del, &tuple);
+				result = dns_difftuple_create(
+					mctx, DNS_DIFFOP_ADDRESIGN, name, ttl,
+					&sigrdata, &tuple);
+				check_result(result, "dns_difftuple_create");
+				dns_diff_append(add, &tuple);
+			}
+		} else {
+			tuple = NULL;
+			vbprintf(2, "\tremoving signature by %s\n", sigstr);
+			result = dns_difftuple_create(
+				mctx, DNS_DIFFOP_DELRESIGN, name, sigset.ttl,
+				&sigrdata, &tuple);
+			check_result(result, "dns_difftuple_create");
+			dns_diff_append(del, &tuple);
+			INCSTAT(ndropped);
+		}
+
+		if (resign) {
+			INSIST(!keep);
+
+			signwithkey(name, set, key->key, ttl, add,
+				    "resigning with dnskey");
+			nowsignedby[key->index] = true;
+		}
+
+		dns_rdata_reset(&sigrdata);
+		dns_rdata_freestruct(&rrsig);
+		result = dns_rdataset_next(&sigset);
+	}
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+	}
+
+	check_result(result, "dns_rdataset_first/next");
+	if (dns_rdataset_isassociated(&sigset)) {
+		dns_rdataset_disassociate(&sigset);
+	}
+
+	for (key = ISC_LIST_HEAD(keylist); key != NULL;
+	     key = ISC_LIST_NEXT(key, link))
+	{
+		if (nowsignedby[key->index]) {
+			continue;
+		}
+
+		if (!issigningkey(key)) {
+			continue;
+		}
+
+		if ((set->type == dns_rdatatype_cds ||
+		     set->type == dns_rdatatype_cdnskey ||
+		     set->type == dns_rdatatype_dnskey) &&
+		    dns_name_equal(name, gorigin))
+		{
+			bool have_ksk;
+			dns_dnsseckey_t *curr;
+
+			have_ksk = isksk(key);
+			for (curr = ISC_LIST_HEAD(keylist); curr != NULL;
+			     curr = ISC_LIST_NEXT(curr, link))
+			{
+				if (dst_key_alg(key->key) !=
+				    dst_key_alg(curr->key))
+				{
+					continue;
+				}
+				if (REVOKE(curr->key)) {
+					continue;
+				}
+				if (isksk(curr)) {
+					have_ksk = true;
+				}
+			}
+			if (isksk(key) || !have_ksk ||
+			    (iszsk(key) && !keyset_kskonly))
+			{
+				signwithkey(name, set, key->key, ttl, add,
+					    "signing with dnskey");
+			}
+		} else if (iszsk(key)) {
+			/*
+			 * Sign with the ZSK unless there is a predecessor
+			 * key that already signs this RRset.
+			 */
+			bool have_pre_sig = false;
+			dns_dnsseckey_t *curr;
+			uint32_t pre;
+			isc_result_t ret = dst_key_getnum(
+				key->key, DST_NUM_PREDECESSOR, &pre);
+			if (ret == ISC_R_SUCCESS) {
+				/*
+				 * This key has a predecessor, look for the
+				 * corresponding key in the keylist. The
+				 * key we are looking for must be:
+				 * - From the same cryptographic algorithm.
+				 * - Have the ZSK type (iszsk).
+				 * - Have key ID equal to the predecessor id.
+				 * - Have a successor that matches 'key' id.
+				 */
+				for (curr = ISC_LIST_HEAD(keylist);
+				     curr != NULL;
+				     curr = ISC_LIST_NEXT(curr, link))
+				{
+					uint32_t suc;
+
+					if (dst_key_alg(key->key) !=
+						    dst_key_alg(curr->key) ||
+					    !iszsk(curr) ||
+					    dst_key_id(curr->key) != pre)
+					{
+						continue;
+					}
+					ret = dst_key_getnum(curr->key,
+							     DST_NUM_SUCCESSOR,
+							     &suc);
+					if (ret != ISC_R_SUCCESS ||
+					    dst_key_id(key->key) != suc)
+					{
+						continue;
+					}
+
+					/*
+					 * curr is the predecessor we were
+					 * looking for. Check if this key
+					 * signs this RRset.
+					 */
+					if (nowsignedby[curr->index]) {
+						have_pre_sig = true;
+					}
+				}
+			}
+
+			/*
+			 * If we have a signature of a predecessor key,
+			 * skip signing with this key.
+			 */
+			if (!have_pre_sig) {
+				signwithkey(name, set, key->key, ttl, add,
+					    "signing with dnskey");
+			}
+		}
+	}
+
+	isc_mem_put(mctx, wassignedby, arraysize * sizeof(bool));
+	isc_mem_put(mctx, nowsignedby, arraysize * sizeof(bool));
+}
+
+struct hashlist {
+	unsigned char *hashbuf;
+	size_t entries;
+	size_t size;
+	size_t length;
+};
+
+static void
+hashlist_init(hashlist_t *l, unsigned int nodes, unsigned int length) {
+	l->entries = 0;
+	l->length = length + 1;
+
+	if (nodes != 0) {
+		l->size = nodes;
+		l->hashbuf = malloc(l->size * l->length);
+		if (l->hashbuf == NULL) {
+			l->size = 0;
+		}
+	} else {
+		l->size = 0;
+		l->hashbuf = NULL;
+	}
+}
+
+static void
+hashlist_free(hashlist_t *l) {
+	if (l->hashbuf) {
+		free(l->hashbuf);
+		l->hashbuf = NULL;
+		l->entries = 0;
+		l->length = 0;
+		l->size = 0;
+	}
+}
+
+static void
+hashlist_add(hashlist_t *l, const unsigned char *hash, size_t len) {
+	REQUIRE(len <= l->length);
+
+	if (l->entries == l->size) {
+		l->size = l->size * 2 + 100;
+		l->hashbuf = realloc(l->hashbuf, l->size * l->length);
+		if (l->hashbuf == NULL) {
+			fatal("unable to grow hashlist: out of memory");
+		}
+	}
+	memset(l->hashbuf + l->entries * l->length, 0, l->length);
+	memmove(l->hashbuf + l->entries * l->length, hash, len);
+	l->entries++;
+}
+
+static void
+hashlist_add_dns_name(hashlist_t *l,
+		      /*const*/ dns_name_t *name, unsigned int hashalg,
+		      unsigned int iterations, const unsigned char *salt,
+		      size_t salt_len, bool speculative) {
+	char nametext[DNS_NAME_FORMATSIZE];
+	unsigned char hash[NSEC3_MAX_HASH_LENGTH + 1];
+	unsigned int len;
+	size_t i;
+
+	len = isc_iterated_hash(hash, hashalg, iterations, salt, (int)salt_len,
+				name->ndata, name->length);
+	if (verbose) {
+		dns_name_format(name, nametext, sizeof nametext);
+		for (i = 0; i < len; i++) {
+			fprintf(stderr, "%02x", hash[i]);
+		}
+		fprintf(stderr, " %s\n", nametext);
+	}
+	hash[len++] = speculative ? 1 : 0;
+	hashlist_add(l, hash, len);
+}
+
+static int
+hashlist_comp(const void *a, const void *b) {
+	return (memcmp(a, b, hash_length + 1));
+}
+
+static void
+hashlist_sort(hashlist_t *l) {
+	INSIST(l->hashbuf != NULL || l->length == 0);
+	if (l->length > 0) {
+		qsort(l->hashbuf, l->entries, l->length, hashlist_comp);
+	}
+}
+
+static bool
+hashlist_hasdup(hashlist_t *l) {
+	unsigned char *current;
+	unsigned char *next = l->hashbuf;
+	size_t entries = l->entries;
+
+	/*
+	 * Skip initial speculative wild card hashes.
+	 */
+	while (entries > 0U && next[l->length - 1] != 0U) {
+		next += l->length;
+		entries--;
+	}
+
+	current = next;
+	while (entries-- > 1U) {
+		next += l->length;
+		if (next[l->length - 1] != 0) {
+			continue;
+		}
+		if (isc_safe_memequal(current, next, l->length - 1)) {
+			return (true);
+		}
+		current = next;
+	}
+	return (false);
+}
+
+static const unsigned char *
+hashlist_findnext(const hashlist_t *l,
+		  const unsigned char hash[NSEC3_MAX_HASH_LENGTH]) {
+	size_t entries = l->entries;
+	const unsigned char *next = bsearch(hash, l->hashbuf, l->entries,
+					    l->length, hashlist_comp);
+	INSIST(next != NULL);
+
+	do {
+		if (next < l->hashbuf + (l->entries - 1) * l->length) {
+			next += l->length;
+		} else {
+			next = l->hashbuf;
+		}
+		if (next[l->length - 1] == 0) {
+			break;
+		}
+	} while (entries-- > 1U);
+	INSIST(entries != 0U);
+	return (next);
+}
+
+static bool
+hashlist_exists(const hashlist_t *l,
+		const unsigned char hash[NSEC3_MAX_HASH_LENGTH]) {
+	if (bsearch(hash, l->hashbuf, l->entries, l->length, hashlist_comp)) {
+		return (true);
+	} else {
+		return (false);
+	}
+}
+
+static void
+addnowildcardhash(hashlist_t *l,
+		  /*const*/ dns_name_t *name, unsigned int hashalg,
+		  unsigned int iterations, const unsigned char *salt,
+		  size_t salt_len) {
+	dns_fixedname_t fixed;
+	dns_name_t *wild;
+	dns_dbnode_t *node = NULL;
+	isc_result_t result;
+	char namestr[DNS_NAME_FORMATSIZE];
+
+	wild = dns_fixedname_initname(&fixed);
+
+	result = dns_name_concatenate(dns_wildcardname, name, wild, NULL);
+	if (result == ISC_R_NOSPACE) {
+		return;
+	}
+	check_result(result, "addnowildcardhash: dns_name_concatenate()");
+
+	result = dns_db_findnode(gdb, wild, false, &node);
+	if (result == ISC_R_SUCCESS) {
+		dns_db_detachnode(gdb, &node);
+		return;
+	}
+
+	if (verbose) {
+		dns_name_format(wild, namestr, sizeof(namestr));
+		fprintf(stderr, "adding no-wildcardhash for %s\n", namestr);
+	}
+
+	hashlist_add_dns_name(l, wild, hashalg, iterations, salt, salt_len,
+			      true);
+}
+
+static void
+opendb(const char *prefix, dns_name_t *name, dns_rdataclass_t rdclass,
+       dns_db_t **dbp) {
+	char filename[PATH_MAX];
+	isc_buffer_t b;
+	isc_result_t result;
+
+	isc_buffer_init(&b, filename, sizeof(filename));
+	if (dsdir != NULL) {
+		/* allow room for a trailing slash */
+		if (strlen(dsdir) >= isc_buffer_availablelength(&b)) {
+			fatal("path '%s' is too long", dsdir);
+		}
+		isc_buffer_putstr(&b, dsdir);
+		if (dsdir[strlen(dsdir) - 1] != '/') {
+			isc_buffer_putstr(&b, "/");
+		}
+	}
+	if (strlen(prefix) > isc_buffer_availablelength(&b)) {
+		fatal("path '%s' is too long", dsdir);
+	}
+	isc_buffer_putstr(&b, prefix);
+	result = dns_name_tofilenametext(name, false, &b);
+	check_result(result, "dns_name_tofilenametext()");
+	if (isc_buffer_availablelength(&b) == 0) {
+		char namestr[DNS_NAME_FORMATSIZE];
+		dns_name_format(name, namestr, sizeof(namestr));
+		fatal("name '%s' is too long", namestr);
+	}
+	isc_buffer_putuint8(&b, 0);
+
+	result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone,
+			       rdclass, 0, NULL, dbp);
+	check_result(result, "dns_db_create()");
+
+	result = dns_db_load(*dbp, filename, inputformat, DNS_MASTER_HINT);
+	if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE) {
+		dns_db_detach(dbp);
+	}
+}
+
+/*%
+ * Load the DS set for a child zone, if a dsset-* file can be found.
+ * If not, try to find a keyset-* file from an earlier version of
+ * dnssec-signzone, and build DS records from that.
+ */
+static isc_result_t
+loadds(dns_name_t *name, uint32_t ttl, dns_rdataset_t *dsset) {
+	dns_db_t *db = NULL;
+	dns_dbversion_t *ver = NULL;
+	dns_dbnode_t *node = NULL;
+	isc_result_t result;
+	dns_rdataset_t keyset;
+	dns_rdata_t key, ds;
+	unsigned char dsbuf[DNS_DS_BUFFERSIZE];
+	dns_diff_t diff;
+	dns_difftuple_t *tuple = NULL;
+
+	opendb("dsset-", name, gclass, &db);
+	if (db != NULL) {
+		result = dns_db_findnode(db, name, false, &node);
+		if (result == ISC_R_SUCCESS) {
+			dns_rdataset_init(dsset);
+			result = dns_db_findrdataset(db, node, NULL,
+						     dns_rdatatype_ds, 0, 0,
+						     dsset, NULL);
+			dns_db_detachnode(db, &node);
+			if (result == ISC_R_SUCCESS) {
+				vbprintf(2, "found DS records\n");
+				dsset->ttl = ttl;
+				dns_db_detach(&db);
+				return (result);
+			}
+		}
+		dns_db_detach(&db);
+	}
+
+	/* No DS records found; try again, looking for DNSKEY records */
+	opendb("keyset-", name, gclass, &db);
+	if (db == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	result = dns_db_findnode(db, name, false, &node);
+	if (result != ISC_R_SUCCESS) {
+		dns_db_detach(&db);
+		return (result);
+	}
+
+	dns_rdataset_init(&keyset);
+	result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_dnskey, 0, 0,
+				     &keyset, NULL);
+	if (result != ISC_R_SUCCESS) {
+		dns_db_detachnode(db, &node);
+		dns_db_detach(&db);
+		return (result);
+	}
+	vbprintf(2, "found DNSKEY records\n");
+
+	result = dns_db_newversion(db, &ver);
+	check_result(result, "dns_db_newversion");
+	dns_diff_init(mctx, &diff);
+
+	for (result = dns_rdataset_first(&keyset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&keyset))
+	{
+		dns_rdata_init(&key);
+		dns_rdata_init(&ds);
+		dns_rdataset_current(&keyset, &key);
+		result = dns_ds_buildrdata(name, &key, DNS_DSDIGEST_SHA256,
+					   dsbuf, &ds);
+		check_result(result, "dns_ds_buildrdata");
+
+		result = dns_difftuple_create(mctx, DNS_DIFFOP_ADDRESIGN, name,
+					      ttl, &ds, &tuple);
+		check_result(result, "dns_difftuple_create");
+		dns_diff_append(&diff, &tuple);
+	}
+
+	result = dns_diff_apply(&diff, db, ver);
+	check_result(result, "dns_diff_apply");
+	dns_diff_clear(&diff);
+
+	dns_db_closeversion(db, &ver, true);
+
+	result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_ds, 0, 0,
+				     dsset, NULL);
+	check_result(result, "dns_db_findrdataset");
+
+	dns_rdataset_disassociate(&keyset);
+	dns_db_detachnode(db, &node);
+	dns_db_detach(&db);
+	return (result);
+}
+
+static bool
+secure(dns_name_t *name, dns_dbnode_t *node) {
+	dns_rdataset_t dsset;
+	isc_result_t result;
+
+	if (dns_name_equal(name, gorigin)) {
+		return (false);
+	}
+
+	dns_rdataset_init(&dsset);
+	result = dns_db_findrdataset(gdb, node, gversion, dns_rdatatype_ds, 0,
+				     0, &dsset, NULL);
+	if (dns_rdataset_isassociated(&dsset)) {
+		dns_rdataset_disassociate(&dsset);
+	}
+
+	return (result == ISC_R_SUCCESS);
+}
+
+static bool
+is_delegation(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
+	      dns_name_t *name, dns_dbnode_t *node, uint32_t *ttlp) {
+	dns_rdataset_t nsset;
+	isc_result_t result;
+
+	if (dns_name_equal(name, origin)) {
+		return (false);
+	}
+
+	dns_rdataset_init(&nsset);
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_ns, 0, 0,
+				     &nsset, NULL);
+	if (dns_rdataset_isassociated(&nsset)) {
+		if (ttlp != NULL) {
+			*ttlp = nsset.ttl;
+		}
+		dns_rdataset_disassociate(&nsset);
+	}
+
+	return ((result == ISC_R_SUCCESS));
+}
+
+/*%
+ * Return true if version 'ver' of database 'db' contains a DNAME RRset at
+ * 'node'; return false otherwise.
+ */
+static bool
+has_dname(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node) {
+	dns_rdataset_t dnameset;
+	isc_result_t result;
+
+	dns_rdataset_init(&dnameset);
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_dname, 0, 0,
+				     &dnameset, NULL);
+	if (dns_rdataset_isassociated(&dnameset)) {
+		dns_rdataset_disassociate(&dnameset);
+	}
+
+	return ((result == ISC_R_SUCCESS));
+}
+
+/*%
+ * Signs all records at a name.
+ */
+static void
+signname(dns_dbnode_t *node, dns_name_t *name) {
+	isc_result_t result;
+	dns_rdataset_t rdataset;
+	dns_rdatasetiter_t *rdsiter;
+	bool isdelegation = false;
+	dns_diff_t del, add;
+	char namestr[DNS_NAME_FORMATSIZE];
+
+	dns_rdataset_init(&rdataset);
+	dns_name_format(name, namestr, sizeof(namestr));
+
+	/*
+	 * Determine if this is a delegation point.
+	 */
+	if (is_delegation(gdb, gversion, gorigin, name, node, NULL)) {
+		isdelegation = true;
+	}
+
+	/*
+	 * Now iterate through the rdatasets.
+	 */
+	dns_diff_init(mctx, &del);
+	dns_diff_init(mctx, &add);
+	rdsiter = NULL;
+	result = dns_db_allrdatasets(gdb, node, gversion, 0, 0, &rdsiter);
+	check_result(result, "dns_db_allrdatasets()");
+	result = dns_rdatasetiter_first(rdsiter);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdatasetiter_current(rdsiter, &rdataset);
+
+		/* If this is a RRSIG set, skip it. */
+		if (rdataset.type == dns_rdatatype_rrsig) {
+			goto skip;
+		}
+
+		/*
+		 * If this name is a delegation point, skip all records
+		 * except NSEC and DS sets.  Otherwise check that there
+		 * isn't a DS record.
+		 */
+		if (isdelegation) {
+			if (rdataset.type != nsec_datatype &&
+			    rdataset.type != dns_rdatatype_ds)
+			{
+				goto skip;
+			}
+		} else if (rdataset.type == dns_rdatatype_ds) {
+			char namebuf[DNS_NAME_FORMATSIZE];
+			dns_name_format(name, namebuf, sizeof(namebuf));
+			fatal("'%s': found DS RRset without NS RRset\n",
+			      namebuf);
+		}
+
+		signset(&del, &add, node, name, &rdataset);
+
+	skip:
+		dns_rdataset_disassociate(&rdataset);
+		result = dns_rdatasetiter_next(rdsiter);
+	}
+	if (result != ISC_R_NOMORE) {
+		fatal("rdataset iteration for name '%s' failed: %s", namestr,
+		      isc_result_totext(result));
+	}
+
+	dns_rdatasetiter_destroy(&rdsiter);
+
+	result = dns_diff_applysilently(&del, gdb, gversion);
+	if (result != ISC_R_SUCCESS) {
+		fatal("failed to delete SIGs at node '%s': %s", namestr,
+		      isc_result_totext(result));
+	}
+
+	result = dns_diff_applysilently(&add, gdb, gversion);
+	if (result != ISC_R_SUCCESS) {
+		fatal("failed to add SIGs at node '%s': %s", namestr,
+		      isc_result_totext(result));
+	}
+
+	dns_diff_clear(&del);
+	dns_diff_clear(&add);
+}
+
+/*
+ * See if the node contains any non RRSIG/NSEC records and report to
+ * caller.  Clean out extraneous RRSIG records for node.
+ */
+static bool
+active_node(dns_dbnode_t *node) {
+	dns_rdatasetiter_t *rdsiter = NULL;
+	dns_rdatasetiter_t *rdsiter2 = NULL;
+	bool active = false;
+	isc_result_t result;
+	dns_rdataset_t rdataset;
+	dns_rdatatype_t type;
+	dns_rdatatype_t covers;
+	bool found;
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_allrdatasets(gdb, node, gversion, 0, 0, &rdsiter);
+	check_result(result, "dns_db_allrdatasets()");
+	result = dns_rdatasetiter_first(rdsiter);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdatasetiter_current(rdsiter, &rdataset);
+		if (rdataset.type != dns_rdatatype_nsec &&
+		    rdataset.type != dns_rdatatype_nsec3 &&
+		    rdataset.type != dns_rdatatype_rrsig)
+		{
+			active = true;
+		}
+		dns_rdataset_disassociate(&rdataset);
+		if (!active) {
+			result = dns_rdatasetiter_next(rdsiter);
+		} else {
+			result = ISC_R_NOMORE;
+		}
+	}
+	if (result != ISC_R_NOMORE) {
+		fatal("rdataset iteration failed: %s",
+		      isc_result_totext(result));
+	}
+
+	if (!active && nsec_datatype == dns_rdatatype_nsec) {
+		/*%
+		 * The node is empty of everything but NSEC / RRSIG records.
+		 */
+		for (result = dns_rdatasetiter_first(rdsiter);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdatasetiter_next(rdsiter))
+		{
+			dns_rdatasetiter_current(rdsiter, &rdataset);
+			result = dns_db_deleterdataset(gdb, node, gversion,
+						       rdataset.type,
+						       rdataset.covers);
+			check_result(result, "dns_db_deleterdataset()");
+			dns_rdataset_disassociate(&rdataset);
+		}
+		if (result != ISC_R_NOMORE) {
+			fatal("rdataset iteration failed: %s",
+			      isc_result_totext(result));
+		}
+	} else {
+		/*
+		 * Delete RRSIGs for types that no longer exist.
+		 */
+		result = dns_db_allrdatasets(gdb, node, gversion, 0, 0,
+					     &rdsiter2);
+		check_result(result, "dns_db_allrdatasets()");
+		for (result = dns_rdatasetiter_first(rdsiter);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdatasetiter_next(rdsiter))
+		{
+			dns_rdatasetiter_current(rdsiter, &rdataset);
+			type = rdataset.type;
+			covers = rdataset.covers;
+			dns_rdataset_disassociate(&rdataset);
+			/*
+			 * Delete the NSEC chain if we are signing with
+			 * NSEC3.
+			 */
+			if (nsec_datatype == dns_rdatatype_nsec3 &&
+			    (type == dns_rdatatype_nsec ||
+			     covers == dns_rdatatype_nsec))
+			{
+				result = dns_db_deleterdataset(
+					gdb, node, gversion, type, covers);
+				check_result(result, "dns_db_deleterdataset("
+						     "nsec/rrsig)");
+				continue;
+			}
+			if (type != dns_rdatatype_rrsig) {
+				continue;
+			}
+			found = false;
+			for (result = dns_rdatasetiter_first(rdsiter2);
+			     !found && result == ISC_R_SUCCESS;
+			     result = dns_rdatasetiter_next(rdsiter2))
+			{
+				dns_rdatasetiter_current(rdsiter2, &rdataset);
+				if (rdataset.type == covers) {
+					found = true;
+				}
+				dns_rdataset_disassociate(&rdataset);
+			}
+			if (!found) {
+				if (result != ISC_R_NOMORE) {
+					fatal("rdataset iteration failed: %s",
+					      isc_result_totext(result));
+				}
+				result = dns_db_deleterdataset(
+					gdb, node, gversion, type, covers);
+				check_result(result, "dns_db_deleterdataset("
+						     "rrsig)");
+			} else if (result != ISC_R_NOMORE &&
+				   result != ISC_R_SUCCESS)
+			{
+				fatal("rdataset iteration failed: %s",
+				      isc_result_totext(result));
+			}
+		}
+		if (result != ISC_R_NOMORE) {
+			fatal("rdataset iteration failed: %s",
+			      isc_result_totext(result));
+		}
+		dns_rdatasetiter_destroy(&rdsiter2);
+	}
+	dns_rdatasetiter_destroy(&rdsiter);
+
+	return (active);
+}
+
+/*%
+ * Extracts the minimum TTL from the SOA record, and the SOA record's TTL.
+ */
+static void
+get_soa_ttls(void) {
+	dns_rdataset_t soaset;
+	dns_fixedname_t fname;
+	dns_name_t *name;
+	isc_result_t result;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+
+	name = dns_fixedname_initname(&fname);
+	dns_rdataset_init(&soaset);
+	result = dns_db_find(gdb, gorigin, gversion, dns_rdatatype_soa, 0, 0,
+			     NULL, name, &soaset, NULL);
+	if (result != ISC_R_SUCCESS) {
+		fatal("failed to find an SOA at the zone apex: %s",
+		      isc_result_totext(result));
+	}
+
+	result = dns_rdataset_first(&soaset);
+	check_result(result, "dns_rdataset_first");
+	dns_rdataset_current(&soaset, &rdata);
+	soa_ttl = soaset.ttl;
+	zone_soa_min_ttl = ISC_MIN(dns_soa_getminimum(&rdata), soa_ttl);
+	if (set_maxttl) {
+		zone_soa_min_ttl = ISC_MIN(zone_soa_min_ttl, maxttl);
+		soa_ttl = ISC_MIN(soa_ttl, maxttl);
+	}
+	dns_rdataset_disassociate(&soaset);
+}
+
+/*%
+ * Increment (or set if nonzero) the SOA serial
+ */
+static isc_result_t
+setsoaserial(uint32_t serial, dns_updatemethod_t method) {
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	uint32_t old_serial, new_serial = 0;
+	dns_updatemethod_t used = dns_updatemethod_none;
+
+	result = dns_db_getoriginnode(gdb, &node);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	dns_rdataset_init(&rdataset);
+
+	result = dns_db_findrdataset(gdb, node, gversion, dns_rdatatype_soa, 0,
+				     0, &rdataset, NULL);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	result = dns_rdataset_first(&rdataset);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	dns_rdataset_current(&rdataset, &rdata);
+
+	old_serial = dns_soa_getserial(&rdata);
+
+	if (method == dns_updatemethod_date ||
+	    method == dns_updatemethod_unixtime)
+	{
+		new_serial = dns_update_soaserial(old_serial, method, &used);
+	} else if (serial != 0 || method == dns_updatemethod_none) {
+		/* Set SOA serial to the value provided. */
+		new_serial = serial;
+		used = method;
+	} else {
+		new_serial = dns_update_soaserial(old_serial, method, &used);
+	}
+
+	if (method != used) {
+		fprintf(stderr,
+			"%s: warning: Serial number would not advance, "
+			"using increment method instead\n",
+			program);
+	}
+
+	/* If the new serial is not likely to cause a zone transfer
+	 * (a/ixfr) from servers having the old serial, warn the user.
+	 *
+	 * RFC1982 section 7 defines the maximum increment to be
+	 * (2^(32-1))-1.  Using u_int32_t arithmetic, we can do a single
+	 * comparison.  (5 - 6 == (2^32)-1, not negative-one)
+	 */
+	if (new_serial == old_serial || (new_serial - old_serial) > 0x7fffffffU)
+	{
+		fprintf(stderr,
+			"%s: warning: Serial number not advanced, "
+			"zone may not transfer\n",
+			program);
+	}
+
+	dns_soa_setserial(new_serial, &rdata);
+
+	result = dns_db_deleterdataset(gdb, node, gversion, dns_rdatatype_soa,
+				       0);
+	check_result(result, "dns_db_deleterdataset");
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	result = dns_db_addrdataset(gdb, node, gversion, 0, &rdataset, 0, NULL);
+	check_result(result, "dns_db_addrdataset");
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+cleanup:
+	dns_rdataset_disassociate(&rdataset);
+	if (node != NULL) {
+		dns_db_detachnode(gdb, &node);
+	}
+	dns_rdata_reset(&rdata);
+
+	return (result);
+}
+
+/*%
+ * Delete any RRSIG records at a node.
+ */
+static void
+cleannode(dns_db_t *db, dns_dbversion_t *dbversion, dns_dbnode_t *node) {
+	dns_rdatasetiter_t *rdsiter = NULL;
+	dns_rdataset_t set;
+	isc_result_t result, dresult;
+
+	if (outputformat != dns_masterformat_text || !disable_zone_check) {
+		return;
+	}
+
+	dns_rdataset_init(&set);
+	result = dns_db_allrdatasets(db, node, dbversion, 0, 0, &rdsiter);
+	check_result(result, "dns_db_allrdatasets");
+	result = dns_rdatasetiter_first(rdsiter);
+	while (result == ISC_R_SUCCESS) {
+		bool destroy = false;
+		dns_rdatatype_t covers = 0;
+		dns_rdatasetiter_current(rdsiter, &set);
+		if (set.type == dns_rdatatype_rrsig) {
+			covers = set.covers;
+			destroy = true;
+		}
+		dns_rdataset_disassociate(&set);
+		result = dns_rdatasetiter_next(rdsiter);
+		if (destroy) {
+			dresult = dns_db_deleterdataset(db, node, dbversion,
+							dns_rdatatype_rrsig,
+							covers);
+			check_result(dresult, "dns_db_deleterdataset");
+		}
+	}
+	if (result != ISC_R_NOMORE) {
+		fatal("rdataset iteration failed: %s",
+		      isc_result_totext(result));
+	}
+	dns_rdatasetiter_destroy(&rdsiter);
+}
+
+/*%
+ * Set up the iterator and global state before starting the tasks.
+ */
+static void
+presign(void) {
+	isc_result_t result;
+
+	gdbiter = NULL;
+	result = dns_db_createiterator(gdb, 0, &gdbiter);
+	check_result(result, "dns_db_createiterator()");
+}
+
+/*%
+ * Clean up the iterator and global state after the tasks complete.
+ */
+static void
+postsign(void) {
+	dns_dbiterator_destroy(&gdbiter);
+}
+
+/*%
+ * Sign the apex of the zone.
+ * Note the origin may not be the first node if there are out of zone
+ * records.
+ */
+static void
+signapex(void) {
+	dns_dbnode_t *node = NULL;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	isc_result_t result;
+
+	name = dns_fixedname_initname(&fixed);
+	result = dns_dbiterator_seek(gdbiter, gorigin);
+	check_result(result, "dns_dbiterator_seek()");
+	result = dns_dbiterator_current(gdbiter, &node, name);
+	check_dns_dbiterator_current(result);
+	signname(node, name);
+	dumpnode(name, node);
+	cleannode(gdb, gversion, node);
+	dns_db_detachnode(gdb, &node);
+	result = dns_dbiterator_first(gdbiter);
+	if (result == ISC_R_NOMORE) {
+		atomic_store(&finished, true);
+	} else if (result != ISC_R_SUCCESS) {
+		fatal("failure iterating database: %s",
+		      isc_result_totext(result));
+	}
+}
+
+/*%
+ * Assigns a node to a worker thread.  This is protected by the master task's
+ * lock.
+ */
+static void
+assignwork(isc_task_t *task, isc_task_t *worker) {
+	dns_fixedname_t *fname;
+	dns_name_t *name;
+	dns_dbnode_t *node;
+	sevent_t *sevent;
+	dns_rdataset_t nsec;
+	bool found;
+	isc_result_t result;
+	static dns_name_t *zonecut = NULL; /* Protected by namelock. */
+	static dns_fixedname_t fzonecut;   /* Protected by namelock. */
+	static unsigned int ended = 0;	   /* Protected by namelock. */
+
+	if (atomic_load(&shuttingdown)) {
+		return;
+	}
+
+	LOCK(&namelock);
+	if (atomic_load(&finished)) {
+		ended++;
+		if (ended == ntasks) {
+			isc_task_detach(&task);
+			isc_app_shutdown();
+		}
+		goto unlock;
+	}
+
+	fname = isc_mem_get(mctx, sizeof(dns_fixedname_t));
+	name = dns_fixedname_initname(fname);
+	node = NULL;
+	found = false;
+	while (!found) {
+		result = dns_dbiterator_current(gdbiter, &node, name);
+		check_dns_dbiterator_current(result);
+		/*
+		 * The origin was handled by signapex().
+		 */
+		if (dns_name_equal(name, gorigin)) {
+			dns_db_detachnode(gdb, &node);
+			goto next;
+		}
+		/*
+		 * Sort the zone data from the glue and out-of-zone data.
+		 * For NSEC zones nodes with zone data have NSEC records.
+		 * For NSEC3 zones the NSEC3 nodes are zone data but
+		 * outside of the zone name space.  For the rest we need
+		 * to track the bottom of zone cuts.
+		 * Nodes which don't need to be signed are dumped here.
+		 */
+		dns_rdataset_init(&nsec);
+		result = dns_db_findrdataset(gdb, node, gversion, nsec_datatype,
+					     0, 0, &nsec, NULL);
+		if (dns_rdataset_isassociated(&nsec)) {
+			dns_rdataset_disassociate(&nsec);
+		}
+		if (result == ISC_R_SUCCESS) {
+			found = true;
+		} else if (nsec_datatype == dns_rdatatype_nsec3) {
+			if (dns_name_issubdomain(name, gorigin) &&
+			    (zonecut == NULL ||
+			     !dns_name_issubdomain(name, zonecut)))
+			{
+				if (is_delegation(gdb, gversion, gorigin, name,
+						  node, NULL))
+				{
+					zonecut = savezonecut(&fzonecut, name);
+					if (!OPTOUT(nsec3flags) ||
+					    secure(name, node))
+					{
+						found = true;
+					}
+				} else if (has_dname(gdb, gversion, node)) {
+					zonecut = savezonecut(&fzonecut, name);
+					found = true;
+				} else {
+					found = true;
+				}
+			}
+		}
+
+		if (!found) {
+			dumpnode(name, node);
+			dns_db_detachnode(gdb, &node);
+		}
+
+	next:
+		result = dns_dbiterator_next(gdbiter);
+		if (result == ISC_R_NOMORE) {
+			atomic_store(&finished, true);
+			break;
+		} else if (result != ISC_R_SUCCESS) {
+			fatal("failure iterating database: %s",
+			      isc_result_totext(result));
+		}
+	}
+	if (!found) {
+		ended++;
+		if (ended == ntasks) {
+			isc_task_detach(&task);
+			isc_app_shutdown();
+		}
+		isc_mem_put(mctx, fname, sizeof(dns_fixedname_t));
+		goto unlock;
+	}
+	sevent = (sevent_t *)isc_event_allocate(mctx, task, SIGNER_EVENT_WORK,
+						sign, NULL, sizeof(sevent_t));
+
+	sevent->node = node;
+	sevent->fname = fname;
+	isc_task_send(worker, ISC_EVENT_PTR(&sevent));
+unlock:
+	UNLOCK(&namelock);
+}
+
+/*%
+ * Start a worker task
+ */
+static void
+startworker(isc_task_t *task, isc_event_t *event) {
+	isc_task_t *worker;
+
+	worker = (isc_task_t *)event->ev_arg;
+	assignwork(task, worker);
+	isc_event_free(&event);
+}
+
+/*%
+ * Write a node to the output file, and restart the worker task.
+ */
+static void
+writenode(isc_task_t *task, isc_event_t *event) {
+	isc_task_t *worker;
+	sevent_t *sevent = (sevent_t *)event;
+
+	worker = (isc_task_t *)event->ev_sender;
+	dumpnode(dns_fixedname_name(sevent->fname), sevent->node);
+	cleannode(gdb, gversion, sevent->node);
+	dns_db_detachnode(gdb, &sevent->node);
+	isc_mem_put(mctx, sevent->fname, sizeof(dns_fixedname_t));
+	assignwork(task, worker);
+	isc_event_free(&event);
+}
+
+/*%
+ *  Sign a database node.
+ */
+static void
+sign(isc_task_t *task, isc_event_t *event) {
+	dns_fixedname_t *fname;
+	dns_dbnode_t *node;
+	sevent_t *sevent, *wevent;
+
+	sevent = (sevent_t *)event;
+	node = sevent->node;
+	fname = sevent->fname;
+	isc_event_free(&event);
+
+	signname(node, dns_fixedname_name(fname));
+	wevent = (sevent_t *)isc_event_allocate(mctx, task, SIGNER_EVENT_WRITE,
+						writenode, NULL,
+						sizeof(sevent_t));
+	wevent->node = node;
+	wevent->fname = fname;
+	isc_task_send(master, ISC_EVENT_PTR(&wevent));
+}
+
+/*%
+ * Update / remove the DS RRset.  Preserve RRSIG(DS) if possible.
+ */
+static void
+add_ds(dns_name_t *name, dns_dbnode_t *node, uint32_t nsttl) {
+	dns_rdataset_t dsset;
+	dns_rdataset_t sigdsset;
+	isc_result_t result;
+
+	dns_rdataset_init(&dsset);
+	dns_rdataset_init(&sigdsset);
+	result = dns_db_findrdataset(gdb, node, gversion, dns_rdatatype_ds, 0,
+				     0, &dsset, &sigdsset);
+	if (result == ISC_R_SUCCESS) {
+		dns_rdataset_disassociate(&dsset);
+		result = dns_db_deleterdataset(gdb, node, gversion,
+					       dns_rdatatype_ds, 0);
+		check_result(result, "dns_db_deleterdataset");
+	}
+
+	result = loadds(name, nsttl, &dsset);
+	if (result == ISC_R_SUCCESS) {
+		result = dns_db_addrdataset(gdb, node, gversion, 0, &dsset, 0,
+					    NULL);
+		check_result(result, "dns_db_addrdataset");
+		dns_rdataset_disassociate(&dsset);
+		if (dns_rdataset_isassociated(&sigdsset)) {
+			dns_rdataset_disassociate(&sigdsset);
+		}
+	} else if (dns_rdataset_isassociated(&sigdsset)) {
+		result = dns_db_deleterdataset(gdb, node, gversion,
+					       dns_rdatatype_rrsig,
+					       dns_rdatatype_ds);
+		check_result(result, "dns_db_deleterdataset");
+		dns_rdataset_disassociate(&sigdsset);
+	}
+}
+
+/*
+ * Remove records of the given type and their signatures.
+ */
+static void
+remove_records(dns_dbnode_t *node, dns_rdatatype_t which, bool checknsec) {
+	isc_result_t result;
+	dns_rdatatype_t type, covers;
+	dns_rdatasetiter_t *rdsiter = NULL;
+	dns_rdataset_t rdataset;
+
+	dns_rdataset_init(&rdataset);
+
+	/*
+	 * Delete any records of the given type at the apex.
+	 */
+	result = dns_db_allrdatasets(gdb, node, gversion, 0, 0, &rdsiter);
+	check_result(result, "dns_db_allrdatasets()");
+	for (result = dns_rdatasetiter_first(rdsiter); result == ISC_R_SUCCESS;
+	     result = dns_rdatasetiter_next(rdsiter))
+	{
+		dns_rdatasetiter_current(rdsiter, &rdataset);
+		type = rdataset.type;
+		covers = rdataset.covers;
+		dns_rdataset_disassociate(&rdataset);
+		if (type == which || covers == which) {
+			if (which == dns_rdatatype_nsec && checknsec &&
+			    !update_chain)
+			{
+				fatal("Zone contains NSEC records.  Use -u "
+				      "to update to NSEC3.");
+			}
+			if (which == dns_rdatatype_nsec3param && checknsec &&
+			    !update_chain)
+			{
+				fatal("Zone contains NSEC3 chains.  Use -u "
+				      "to update to NSEC.");
+			}
+			result = dns_db_deleterdataset(gdb, node, gversion,
+						       type, covers);
+			check_result(result, "dns_db_deleterdataset()");
+		}
+	}
+	dns_rdatasetiter_destroy(&rdsiter);
+}
+
+/*
+ * Remove signatures covering the given type.  If type == 0,
+ * then remove all signatures, unless this is a delegation, in
+ * which case remove all signatures except for DS or nsec_datatype
+ */
+static void
+remove_sigs(dns_dbnode_t *node, bool delegation, dns_rdatatype_t which) {
+	isc_result_t result;
+	dns_rdatatype_t type, covers;
+	dns_rdatasetiter_t *rdsiter = NULL;
+	dns_rdataset_t rdataset;
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_allrdatasets(gdb, node, gversion, 0, 0, &rdsiter);
+	check_result(result, "dns_db_allrdatasets()");
+	for (result = dns_rdatasetiter_first(rdsiter); result == ISC_R_SUCCESS;
+	     result = dns_rdatasetiter_next(rdsiter))
+	{
+		dns_rdatasetiter_current(rdsiter, &rdataset);
+		type = rdataset.type;
+		covers = rdataset.covers;
+		dns_rdataset_disassociate(&rdataset);
+
+		if (type != dns_rdatatype_rrsig) {
+			continue;
+		}
+
+		if (which == 0 && delegation &&
+		    (dns_rdatatype_atparent(covers) ||
+		     (nsec_datatype == dns_rdatatype_nsec &&
+		      covers == nsec_datatype)))
+		{
+			continue;
+		}
+
+		if (which != 0 && covers != which) {
+			continue;
+		}
+
+		result = dns_db_deleterdataset(gdb, node, gversion, type,
+					       covers);
+		check_result(result, "dns_db_deleterdataset()");
+	}
+	dns_rdatasetiter_destroy(&rdsiter);
+}
+
+/*%
+ * Generate NSEC records for the zone and remove NSEC3/NSEC3PARAM records.
+ */
+static void
+nsecify(void) {
+	dns_dbiterator_t *dbiter = NULL;
+	dns_dbnode_t *node = NULL, *nextnode = NULL;
+	dns_fixedname_t fname, fnextname, fzonecut;
+	dns_name_t *name, *nextname, *zonecut;
+	dns_rdataset_t rdataset;
+	dns_rdatasetiter_t *rdsiter = NULL;
+	dns_rdatatype_t type, covers;
+	bool done = false;
+	isc_result_t result;
+	uint32_t nsttl = 0;
+
+	dns_rdataset_init(&rdataset);
+	name = dns_fixedname_initname(&fname);
+	nextname = dns_fixedname_initname(&fnextname);
+	zonecut = NULL;
+
+	/*
+	 * Remove any NSEC3 chains.
+	 */
+	result = dns_db_createiterator(gdb, DNS_DB_NSEC3ONLY, &dbiter);
+	check_result(result, "dns_db_createiterator()");
+	for (result = dns_dbiterator_first(dbiter); result == ISC_R_SUCCESS;
+	     result = dns_dbiterator_next(dbiter))
+	{
+		result = dns_dbiterator_current(dbiter, &node, name);
+		check_dns_dbiterator_current(result);
+		result = dns_db_allrdatasets(gdb, node, gversion, 0, 0,
+					     &rdsiter);
+		check_result(result, "dns_db_allrdatasets()");
+		for (result = dns_rdatasetiter_first(rdsiter);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdatasetiter_next(rdsiter))
+		{
+			dns_rdatasetiter_current(rdsiter, &rdataset);
+			type = rdataset.type;
+			covers = rdataset.covers;
+			dns_rdataset_disassociate(&rdataset);
+			result = dns_db_deleterdataset(gdb, node, gversion,
+						       type, covers);
+			check_result(result, "dns_db_deleterdataset(nsec3param/"
+					     "rrsig)");
+		}
+		dns_rdatasetiter_destroy(&rdsiter);
+		dns_db_detachnode(gdb, &node);
+	}
+	dns_dbiterator_destroy(&dbiter);
+
+	result = dns_db_createiterator(gdb, DNS_DB_NONSEC3, &dbiter);
+	check_result(result, "dns_db_createiterator()");
+
+	result = dns_dbiterator_first(dbiter);
+	check_result(result, "dns_dbiterator_first()");
+
+	while (!done) {
+		result = dns_dbiterator_current(dbiter, &node, name);
+		check_dns_dbiterator_current(result);
+		/*
+		 * Skip out-of-zone records.
+		 */
+		if (!dns_name_issubdomain(name, gorigin)) {
+			result = dns_dbiterator_next(dbiter);
+			if (result == ISC_R_NOMORE) {
+				done = true;
+			} else {
+				check_result(result, "dns_dbiterator_next()");
+			}
+			dns_db_detachnode(gdb, &node);
+			continue;
+		}
+
+		if (dns_name_equal(name, gorigin)) {
+			remove_records(node, dns_rdatatype_nsec3param, true);
+			/* Clean old rrsigs at apex. */
+			(void)active_node(node);
+		}
+
+		if (is_delegation(gdb, gversion, gorigin, name, node, &nsttl)) {
+			zonecut = savezonecut(&fzonecut, name);
+			remove_sigs(node, true, 0);
+			if (generateds) {
+				add_ds(name, node, nsttl);
+			}
+		} else if (has_dname(gdb, gversion, node)) {
+			zonecut = savezonecut(&fzonecut, name);
+		}
+
+		result = dns_dbiterator_next(dbiter);
+		nextnode = NULL;
+		while (result == ISC_R_SUCCESS) {
+			bool active = false;
+			result = dns_dbiterator_current(dbiter, &nextnode,
+							nextname);
+			check_dns_dbiterator_current(result);
+			active = active_node(nextnode);
+			if (!active) {
+				dns_db_detachnode(gdb, &nextnode);
+				result = dns_dbiterator_next(dbiter);
+				continue;
+			}
+			if (!dns_name_issubdomain(nextname, gorigin) ||
+			    (zonecut != NULL &&
+			     dns_name_issubdomain(nextname, zonecut)))
+			{
+				remove_sigs(nextnode, false, 0);
+				remove_records(nextnode, dns_rdatatype_nsec,
+					       false);
+				dns_db_detachnode(gdb, &nextnode);
+				result = dns_dbiterator_next(dbiter);
+				continue;
+			}
+			dns_db_detachnode(gdb, &nextnode);
+			break;
+		}
+		if (result == ISC_R_NOMORE) {
+			dns_name_clone(gorigin, nextname);
+			done = true;
+		} else if (result != ISC_R_SUCCESS) {
+			fatal("iterating through the database failed: %s",
+			      isc_result_totext(result));
+		}
+		dns_dbiterator_pause(dbiter);
+		result = dns_nsec_build(gdb, gversion, node, nextname,
+					zone_soa_min_ttl);
+		check_result(result, "dns_nsec_build()");
+		dns_db_detachnode(gdb, &node);
+	}
+
+	dns_dbiterator_destroy(&dbiter);
+}
+
+static void
+addnsec3param(const unsigned char *salt, size_t salt_len,
+	      dns_iterations_t iterations) {
+	dns_dbnode_t *node = NULL;
+	dns_rdata_nsec3param_t nsec3param;
+	unsigned char nsec3parambuf[5 + 255];
+	dns_rdatalist_t rdatalist;
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_buffer_t b;
+	isc_result_t result;
+
+	dns_rdataset_init(&rdataset);
+
+	nsec3param.common.rdclass = gclass;
+	nsec3param.common.rdtype = dns_rdatatype_nsec3param;
+	ISC_LINK_INIT(&nsec3param.common, link);
+	nsec3param.mctx = NULL;
+	nsec3param.flags = 0;
+	nsec3param.hash = unknownalg ? DNS_NSEC3_UNKNOWNALG : dns_hash_sha1;
+	nsec3param.iterations = iterations;
+	nsec3param.salt_length = (unsigned char)salt_len;
+	DE_CONST(salt, nsec3param.salt);
+
+	isc_buffer_init(&b, nsec3parambuf, sizeof(nsec3parambuf));
+	result = dns_rdata_fromstruct(&rdata, gclass, dns_rdatatype_nsec3param,
+				      &nsec3param, &b);
+	check_result(result, "dns_rdata_fromstruct()");
+	dns_rdatalist_init(&rdatalist);
+	rdatalist.rdclass = rdata.rdclass;
+	rdatalist.type = rdata.type;
+	ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
+	result = dns_rdatalist_tordataset(&rdatalist, &rdataset);
+	check_result(result, "dns_rdatalist_tordataset()");
+
+	result = dns_db_findnode(gdb, gorigin, true, &node);
+	check_result(result, "dns_db_findnode(gorigin)");
+
+	/*
+	 * Delete any current NSEC3PARAM records.
+	 */
+	result = dns_db_deleterdataset(gdb, node, gversion,
+				       dns_rdatatype_nsec3param, 0);
+	if (result == DNS_R_UNCHANGED) {
+		result = ISC_R_SUCCESS;
+	}
+	check_result(result, "dddnsec3param: dns_db_deleterdataset()");
+
+	result = dns_db_addrdataset(gdb, node, gversion, 0, &rdataset,
+				    DNS_DBADD_MERGE, NULL);
+	if (result == DNS_R_UNCHANGED) {
+		result = ISC_R_SUCCESS;
+	}
+	check_result(result, "addnsec3param: dns_db_addrdataset()");
+	dns_db_detachnode(gdb, &node);
+}
+
+static void
+addnsec3(dns_name_t *name, dns_dbnode_t *node, const unsigned char *salt,
+	 size_t salt_len, unsigned int iterations, hashlist_t *hashlist,
+	 dns_ttl_t ttl) {
+	unsigned char hash[NSEC3_MAX_HASH_LENGTH];
+	const unsigned char *nexthash;
+	unsigned char nsec3buffer[DNS_NSEC3_BUFFERSIZE];
+	dns_fixedname_t hashname;
+	dns_rdatalist_t rdatalist;
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_result_t result;
+	dns_dbnode_t *nsec3node = NULL;
+	char namebuf[DNS_NAME_FORMATSIZE];
+	size_t hash_len;
+
+	dns_name_format(name, namebuf, sizeof(namebuf));
+
+	dns_fixedname_init(&hashname);
+	dns_rdataset_init(&rdataset);
+
+	dns_name_downcase(name, name, NULL);
+	result = dns_nsec3_hashname(&hashname, hash, &hash_len, name, gorigin,
+				    dns_hash_sha1, iterations, salt, salt_len);
+	check_result(result, "addnsec3: dns_nsec3_hashname()");
+	nexthash = hashlist_findnext(hashlist, hash);
+	result = dns_nsec3_buildrdata(
+		gdb, gversion, node,
+		unknownalg ? DNS_NSEC3_UNKNOWNALG : dns_hash_sha1, nsec3flags,
+		iterations, salt, salt_len, nexthash, ISC_SHA1_DIGESTLENGTH,
+		nsec3buffer, &rdata);
+	check_result(result, "addnsec3: dns_nsec3_buildrdata()");
+	dns_rdatalist_init(&rdatalist);
+	rdatalist.rdclass = rdata.rdclass;
+	rdatalist.type = rdata.type;
+	rdatalist.ttl = ttl;
+	ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
+	result = dns_rdatalist_tordataset(&rdatalist, &rdataset);
+	check_result(result, "dns_rdatalist_tordataset()");
+	result = dns_db_findnsec3node(gdb, dns_fixedname_name(&hashname), true,
+				      &nsec3node);
+	check_result(result, "addnsec3: dns_db_findnode()");
+	result = dns_db_addrdataset(gdb, nsec3node, gversion, 0, &rdataset, 0,
+				    NULL);
+	if (result == DNS_R_UNCHANGED) {
+		result = ISC_R_SUCCESS;
+	}
+	check_result(result, "addnsec3: dns_db_addrdataset()");
+	dns_db_detachnode(gdb, &nsec3node);
+}
+
+/*%
+ * Clean out NSEC3 record and RRSIG(NSEC3) that are not in the hash list.
+ *
+ * Extract the hash from the first label of 'name' then see if it
+ * is in hashlist.  If 'name' is not in the hashlist then delete the
+ * any NSEC3 records which have the same parameters as the chain we
+ * are building.
+ *
+ * XXXMPA Should we also check that it of the form &lt;hash&gt;.&lt;origin&gt;?
+ */
+static void
+nsec3clean(dns_name_t *name, dns_dbnode_t *node, unsigned int hashalg,
+	   unsigned int iterations, const unsigned char *salt, size_t salt_len,
+	   hashlist_t *hashlist) {
+	dns_label_t label;
+	dns_rdata_nsec3_t nsec3;
+	dns_rdata_t rdata, delrdata;
+	dns_rdatalist_t rdatalist;
+	dns_rdataset_t rdataset, delrdataset;
+	bool delete_rrsigs = false;
+	isc_buffer_t target;
+	isc_result_t result;
+	unsigned char hash[NSEC3_MAX_HASH_LENGTH + 1];
+	bool exists;
+
+	/*
+	 * Get the first label.
+	 */
+	dns_name_getlabel(name, 0, &label);
+
+	/*
+	 * We want just the label contents.
+	 */
+	isc_region_consume(&label, 1);
+
+	/*
+	 * Decode base32hex string.
+	 */
+	isc_buffer_init(&target, hash, sizeof(hash) - 1);
+	result = isc_base32hex_decoderegion(&label, &target);
+	if (result != ISC_R_SUCCESS) {
+		return;
+	}
+
+	hash[isc_buffer_usedlength(&target)] = 0;
+
+	exists = hashlist_exists(hashlist, hash);
+
+	/*
+	 * Verify that the NSEC3 parameters match the current ones
+	 * otherwise we are dealing with a different NSEC3 chain.
+	 */
+	dns_rdataset_init(&rdataset);
+	dns_rdataset_init(&delrdataset);
+
+	result = dns_db_findrdataset(gdb, node, gversion, dns_rdatatype_nsec3,
+				     0, 0, &rdataset, NULL);
+	if (result != ISC_R_SUCCESS) {
+		return;
+	}
+
+	/*
+	 * Delete any NSEC3 records which are not part of the current
+	 * NSEC3 chain.
+	 */
+	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		dns_rdata_init(&rdata);
+		dns_rdataset_current(&rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &nsec3, NULL);
+		check_result(result, "dns_rdata_tostruct");
+		if (exists && nsec3.hash == hashalg &&
+		    nsec3.iterations == iterations &&
+		    nsec3.salt_length == salt_len &&
+		    isc_safe_memequal(nsec3.salt, salt, salt_len))
+		{
+			continue;
+		}
+		dns_rdatalist_init(&rdatalist);
+		rdatalist.rdclass = rdata.rdclass;
+		rdatalist.type = rdata.type;
+		if (set_maxttl) {
+			rdatalist.ttl = ISC_MIN(rdataset.ttl, maxttl);
+		}
+		dns_rdata_init(&delrdata);
+		dns_rdata_clone(&rdata, &delrdata);
+		ISC_LIST_APPEND(rdatalist.rdata, &delrdata, link);
+		result = dns_rdatalist_tordataset(&rdatalist, &delrdataset);
+		check_result(result, "dns_rdatalist_tordataset()");
+		result = dns_db_subtractrdataset(gdb, node, gversion,
+						 &delrdataset, 0, NULL);
+		dns_rdataset_disassociate(&delrdataset);
+		if (result != ISC_R_SUCCESS && result != DNS_R_NXRRSET) {
+			check_result(result, "dns_db_subtractrdataset(NSEC3)");
+		}
+		delete_rrsigs = true;
+	}
+	dns_rdataset_disassociate(&rdataset);
+	if (result != ISC_R_NOMORE) {
+		check_result(result, "dns_rdataset_first/next");
+	}
+
+	if (!delete_rrsigs) {
+		return;
+	}
+	/*
+	 * Delete the NSEC3 RRSIGs
+	 */
+	result = dns_db_deleterdataset(gdb, node, gversion, dns_rdatatype_rrsig,
+				       dns_rdatatype_nsec3);
+	if (result != ISC_R_SUCCESS && result != DNS_R_UNCHANGED) {
+		check_result(result, "dns_db_deleterdataset(RRSIG(NSEC3))");
+	}
+}
+
+static void
+rrset_cleanup(dns_name_t *name, dns_rdataset_t *rdataset, dns_diff_t *add,
+	      dns_diff_t *del) {
+	isc_result_t result;
+	unsigned int count1 = 0;
+	dns_rdataset_t tmprdataset;
+	char namestr[DNS_NAME_FORMATSIZE];
+	char typestr[DNS_RDATATYPE_FORMATSIZE];
+
+	dns_name_format(name, namestr, sizeof(namestr));
+	dns_rdatatype_format(rdataset->type, typestr, sizeof(typestr));
+
+	dns_rdataset_init(&tmprdataset);
+	for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(rdataset))
+	{
+		dns_rdata_t rdata1 = DNS_RDATA_INIT;
+		unsigned int count2 = 0;
+
+		count1++;
+		dns_rdataset_current(rdataset, &rdata1);
+		dns_rdataset_clone(rdataset, &tmprdataset);
+		for (result = dns_rdataset_first(&tmprdataset);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&tmprdataset))
+		{
+			dns_rdata_t rdata2 = DNS_RDATA_INIT;
+			dns_difftuple_t *tuple = NULL;
+			count2++;
+			dns_rdataset_current(&tmprdataset, &rdata2);
+			if (count1 < count2 &&
+			    dns_rdata_casecompare(&rdata1, &rdata2) == 0)
+			{
+				vbprintf(2, "removing duplicate at %s/%s\n",
+					 namestr, typestr);
+				result = dns_difftuple_create(
+					mctx, DNS_DIFFOP_DELRESIGN, name,
+					rdataset->ttl, &rdata2, &tuple);
+				check_result(result, "dns_difftuple_create");
+				dns_diff_append(del, &tuple);
+			} else if (set_maxttl && rdataset->ttl > maxttl) {
+				vbprintf(2,
+					 "reducing ttl of %s/%s "
+					 "from %d to %d\n",
+					 namestr, typestr, rdataset->ttl,
+					 maxttl);
+				result = dns_difftuple_create(
+					mctx, DNS_DIFFOP_DELRESIGN, name,
+					rdataset->ttl, &rdata2, &tuple);
+				check_result(result, "dns_difftuple_create");
+				dns_diff_append(del, &tuple);
+				tuple = NULL;
+				result = dns_difftuple_create(
+					mctx, DNS_DIFFOP_ADDRESIGN, name,
+					maxttl, &rdata2, &tuple);
+				check_result(result, "dns_difftuple_create");
+				dns_diff_append(add, &tuple);
+			}
+		}
+		dns_rdataset_disassociate(&tmprdataset);
+	}
+}
+
+static void
+cleanup_zone(void) {
+	isc_result_t result;
+	dns_dbiterator_t *dbiter = NULL;
+	dns_rdatasetiter_t *rdsiter = NULL;
+	dns_diff_t add, del;
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+	dns_fixedname_t fname;
+	dns_name_t *name;
+
+	dns_diff_init(mctx, &add);
+	dns_diff_init(mctx, &del);
+	name = dns_fixedname_initname(&fname);
+	dns_rdataset_init(&rdataset);
+
+	result = dns_db_createiterator(gdb, 0, &dbiter);
+	check_result(result, "dns_db_createiterator()");
+
+	for (result = dns_dbiterator_first(dbiter); result == ISC_R_SUCCESS;
+	     result = dns_dbiterator_next(dbiter))
+	{
+		result = dns_dbiterator_current(dbiter, &node, name);
+		check_dns_dbiterator_current(result);
+		result = dns_db_allrdatasets(gdb, node, gversion, 0, 0,
+					     &rdsiter);
+		check_result(result, "dns_db_allrdatasets()");
+		for (result = dns_rdatasetiter_first(rdsiter);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdatasetiter_next(rdsiter))
+		{
+			dns_rdatasetiter_current(rdsiter, &rdataset);
+			rrset_cleanup(name, &rdataset, &add, &del);
+			dns_rdataset_disassociate(&rdataset);
+		}
+		if (result != ISC_R_NOMORE) {
+			fatal("rdatasets iteration failed.");
+		}
+		dns_rdatasetiter_destroy(&rdsiter);
+		dns_db_detachnode(gdb, &node);
+	}
+	if (result != ISC_R_NOMORE) {
+		fatal("zone iteration failed.");
+	}
+
+	result = dns_diff_applysilently(&del, gdb, gversion);
+	check_result(result, "dns_diff_applysilently");
+
+	result = dns_diff_applysilently(&add, gdb, gversion);
+	check_result(result, "dns_diff_applysilently");
+
+	dns_diff_clear(&del);
+	dns_diff_clear(&add);
+	dns_dbiterator_destroy(&dbiter);
+}
+
+/*
+ * Generate NSEC3 records for the zone.
+ */
+static void
+nsec3ify(unsigned int hashalg, dns_iterations_t iterations,
+	 const unsigned char *salt, size_t salt_len, hashlist_t *hashlist) {
+	dns_dbiterator_t *dbiter = NULL;
+	dns_dbnode_t *node = NULL, *nextnode = NULL;
+	dns_fixedname_t fname, fnextname, fzonecut;
+	dns_name_t *name, *nextname, *zonecut;
+	dns_rdataset_t rdataset;
+	int order;
+	bool active;
+	bool done = false;
+	isc_result_t result;
+	uint32_t nsttl = 0;
+	unsigned int count, nlabels;
+
+	dns_rdataset_init(&rdataset);
+	name = dns_fixedname_initname(&fname);
+	nextname = dns_fixedname_initname(&fnextname);
+	zonecut = NULL;
+
+	/*
+	 * Walk the zone generating the hash names.
+	 */
+	result = dns_db_createiterator(gdb, DNS_DB_NONSEC3, &dbiter);
+	check_result(result, "dns_db_createiterator()");
+
+	result = dns_dbiterator_first(dbiter);
+	check_result(result, "dns_dbiterator_first()");
+
+	while (!done) {
+		result = dns_dbiterator_current(dbiter, &node, name);
+		check_dns_dbiterator_current(result);
+		/*
+		 * Skip out-of-zone records.
+		 */
+		if (!dns_name_issubdomain(name, gorigin)) {
+			result = dns_dbiterator_next(dbiter);
+			if (result == ISC_R_NOMORE) {
+				done = true;
+			} else {
+				check_result(result, "dns_dbiterator_next()");
+			}
+			dns_db_detachnode(gdb, &node);
+			continue;
+		}
+
+		if (dns_name_equal(name, gorigin)) {
+			remove_records(node, dns_rdatatype_nsec, true);
+			/* Clean old rrsigs at apex. */
+			(void)active_node(node);
+		}
+
+		if (has_dname(gdb, gversion, node)) {
+			zonecut = savezonecut(&fzonecut, name);
+		}
+
+		result = dns_dbiterator_next(dbiter);
+		nextnode = NULL;
+		while (result == ISC_R_SUCCESS) {
+			result = dns_dbiterator_current(dbiter, &nextnode,
+							nextname);
+			check_dns_dbiterator_current(result);
+			active = active_node(nextnode);
+			if (!active) {
+				dns_db_detachnode(gdb, &nextnode);
+				result = dns_dbiterator_next(dbiter);
+				continue;
+			}
+			if (!dns_name_issubdomain(nextname, gorigin) ||
+			    (zonecut != NULL &&
+			     dns_name_issubdomain(nextname, zonecut)))
+			{
+				remove_sigs(nextnode, false, 0);
+				dns_db_detachnode(gdb, &nextnode);
+				result = dns_dbiterator_next(dbiter);
+				continue;
+			}
+			if (is_delegation(gdb, gversion, gorigin, nextname,
+					  nextnode, &nsttl))
+			{
+				zonecut = savezonecut(&fzonecut, nextname);
+				remove_sigs(nextnode, true, 0);
+				if (generateds) {
+					add_ds(nextname, nextnode, nsttl);
+				}
+				if (OPTOUT(nsec3flags) &&
+				    !secure(nextname, nextnode))
+				{
+					dns_db_detachnode(gdb, &nextnode);
+					result = dns_dbiterator_next(dbiter);
+					continue;
+				}
+			} else if (has_dname(gdb, gversion, nextnode)) {
+				zonecut = savezonecut(&fzonecut, nextname);
+			}
+			dns_db_detachnode(gdb, &nextnode);
+			break;
+		}
+		if (result == ISC_R_NOMORE) {
+			dns_name_copynf(gorigin, nextname);
+			done = true;
+		} else if (result != ISC_R_SUCCESS) {
+			fatal("iterating through the database failed: %s",
+			      isc_result_totext(result));
+		}
+		dns_name_downcase(name, name, NULL);
+		hashlist_add_dns_name(hashlist, name, hashalg, iterations, salt,
+				      salt_len, false);
+		dns_db_detachnode(gdb, &node);
+		/*
+		 * Add hashes for empty nodes.  Use closest encloser logic.
+		 * The closest encloser either has data or is a empty
+		 * node for another <name,nextname> span so we don't add
+		 * it here.  Empty labels on nextname are within the span.
+		 */
+		dns_name_downcase(nextname, nextname, NULL);
+		dns_name_fullcompare(name, nextname, &order, &nlabels);
+		addnowildcardhash(hashlist, name, hashalg, iterations, salt,
+				  salt_len);
+		count = dns_name_countlabels(nextname);
+		while (count > nlabels + 1) {
+			count--;
+			dns_name_split(nextname, count, NULL, nextname);
+			hashlist_add_dns_name(hashlist, nextname, hashalg,
+					      iterations, salt, salt_len,
+					      false);
+			addnowildcardhash(hashlist, nextname, hashalg,
+					  iterations, salt, salt_len);
+		}
+	}
+	dns_dbiterator_destroy(&dbiter);
+
+	/*
+	 * We have all the hashes now so we can sort them.
+	 */
+	hashlist_sort(hashlist);
+
+	/*
+	 * Check for duplicate hashes.  If found the salt needs to
+	 * be changed.
+	 */
+	if (hashlist_hasdup(hashlist)) {
+		fatal("Duplicate hash detected. Pick a different salt.");
+	}
+
+	/*
+	 * Generate the nsec3 records.
+	 */
+	zonecut = NULL;
+	done = false;
+
+	addnsec3param(salt, salt_len, iterations);
+
+	/*
+	 * Clean out NSEC3 records which don't match this chain.
+	 */
+	result = dns_db_createiterator(gdb, DNS_DB_NSEC3ONLY, &dbiter);
+	check_result(result, "dns_db_createiterator()");
+
+	for (result = dns_dbiterator_first(dbiter); result == ISC_R_SUCCESS;
+	     result = dns_dbiterator_next(dbiter))
+	{
+		result = dns_dbiterator_current(dbiter, &node, name);
+		check_dns_dbiterator_current(result);
+		nsec3clean(name, node, hashalg, iterations, salt, salt_len,
+			   hashlist);
+		dns_db_detachnode(gdb, &node);
+	}
+	dns_dbiterator_destroy(&dbiter);
+
+	/*
+	 * Generate / complete the new chain.
+	 */
+	result = dns_db_createiterator(gdb, DNS_DB_NONSEC3, &dbiter);
+	check_result(result, "dns_db_createiterator()");
+
+	result = dns_dbiterator_first(dbiter);
+	check_result(result, "dns_dbiterator_first()");
+
+	while (!done) {
+		result = dns_dbiterator_current(dbiter, &node, name);
+		check_dns_dbiterator_current(result);
+		/*
+		 * Skip out-of-zone records.
+		 */
+		if (!dns_name_issubdomain(name, gorigin)) {
+			result = dns_dbiterator_next(dbiter);
+			if (result == ISC_R_NOMORE) {
+				done = true;
+			} else {
+				check_result(result, "dns_dbiterator_next()");
+			}
+			dns_db_detachnode(gdb, &node);
+			continue;
+		}
+
+		if (has_dname(gdb, gversion, node)) {
+			zonecut = savezonecut(&fzonecut, name);
+		}
+
+		result = dns_dbiterator_next(dbiter);
+		nextnode = NULL;
+		while (result == ISC_R_SUCCESS) {
+			result = dns_dbiterator_current(dbiter, &nextnode,
+							nextname);
+			check_dns_dbiterator_current(result);
+			active = active_node(nextnode);
+			if (!active) {
+				dns_db_detachnode(gdb, &nextnode);
+				result = dns_dbiterator_next(dbiter);
+				continue;
+			}
+			if (!dns_name_issubdomain(nextname, gorigin) ||
+			    (zonecut != NULL &&
+			     dns_name_issubdomain(nextname, zonecut)))
+			{
+				dns_db_detachnode(gdb, &nextnode);
+				result = dns_dbiterator_next(dbiter);
+				continue;
+			}
+			if (is_delegation(gdb, gversion, gorigin, nextname,
+					  nextnode, NULL))
+			{
+				zonecut = savezonecut(&fzonecut, nextname);
+				if (OPTOUT(nsec3flags) &&
+				    !secure(nextname, nextnode))
+				{
+					dns_db_detachnode(gdb, &nextnode);
+					result = dns_dbiterator_next(dbiter);
+					continue;
+				}
+			} else if (has_dname(gdb, gversion, nextnode)) {
+				zonecut = savezonecut(&fzonecut, nextname);
+			}
+			dns_db_detachnode(gdb, &nextnode);
+			break;
+		}
+		if (result == ISC_R_NOMORE) {
+			dns_name_copynf(gorigin, nextname);
+			done = true;
+		} else if (result != ISC_R_SUCCESS) {
+			fatal("iterating through the database failed: %s",
+			      isc_result_totext(result));
+		}
+		/*
+		 * We need to pause here to release the lock on the database.
+		 */
+		dns_dbiterator_pause(dbiter);
+		addnsec3(name, node, salt, salt_len, iterations, hashlist,
+			 zone_soa_min_ttl);
+		dns_db_detachnode(gdb, &node);
+		/*
+		 * Add NSEC3's for empty nodes.  Use closest encloser logic.
+		 */
+		dns_name_fullcompare(name, nextname, &order, &nlabels);
+		count = dns_name_countlabels(nextname);
+		while (count > nlabels + 1) {
+			count--;
+			dns_name_split(nextname, count, NULL, nextname);
+			addnsec3(nextname, NULL, salt, salt_len, iterations,
+				 hashlist, zone_soa_min_ttl);
+		}
+	}
+	dns_dbiterator_destroy(&dbiter);
+}
+
+/*%
+ * Load the zone file from disk
+ */
+static void
+loadzone(char *file, char *origin, dns_rdataclass_t rdclass, dns_db_t **db) {
+	isc_buffer_t b;
+	int len;
+	dns_fixedname_t fname;
+	dns_name_t *name;
+	isc_result_t result;
+
+	len = strlen(origin);
+	isc_buffer_init(&b, origin, len);
+	isc_buffer_add(&b, len);
+
+	name = dns_fixedname_initname(&fname);
+	result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		fatal("failed converting name '%s' to dns format: %s", origin,
+		      isc_result_totext(result));
+	}
+
+	result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone, rdclass, 0,
+			       NULL, db);
+	check_result(result, "dns_db_create()");
+
+	result = dns_db_load(*db, file, inputformat, 0);
+	if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE) {
+		fatal("failed loading zone from '%s': %s", file,
+		      isc_result_totext(result));
+	}
+}
+
+/*%
+ * Finds all public zone keys in the zone, and attempts to load the
+ * private keys from disk.
+ */
+static void
+loadzonekeys(bool preserve_keys, bool load_public) {
+	dns_dbnode_t *node;
+	dns_dbversion_t *currentversion = NULL;
+	isc_result_t result;
+	dns_rdataset_t rdataset, keysigs, soasigs;
+
+	node = NULL;
+	result = dns_db_findnode(gdb, gorigin, false, &node);
+	if (result != ISC_R_SUCCESS) {
+		fatal("failed to find the zone's origin: %s",
+		      isc_result_totext(result));
+	}
+
+	dns_db_currentversion(gdb, &currentversion);
+
+	dns_rdataset_init(&rdataset);
+	dns_rdataset_init(&soasigs);
+	dns_rdataset_init(&keysigs);
+
+	/* Make note of the keys which signed the SOA, if any */
+	result = dns_db_findrdataset(gdb, node, currentversion,
+				     dns_rdatatype_soa, 0, 0, &rdataset,
+				     &soasigs);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	/* Preserve the TTL of the DNSKEY RRset, if any */
+	dns_rdataset_disassociate(&rdataset);
+	result = dns_db_findrdataset(gdb, node, currentversion,
+				     dns_rdatatype_dnskey, 0, 0, &rdataset,
+				     &keysigs);
+
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	if (set_keyttl && keyttl != rdataset.ttl) {
+		fprintf(stderr,
+			"User-specified TTL %u conflicts "
+			"with existing DNSKEY RRset TTL.\n",
+			keyttl);
+		fprintf(stderr,
+			"Imported keys will use the RRSet "
+			"TTL %u instead.\n",
+			rdataset.ttl);
+	}
+	keyttl = rdataset.ttl;
+
+	/* Load keys corresponding to the existing DNSKEY RRset. */
+	result = dns_dnssec_keylistfromrdataset(
+		gorigin, directory, mctx, &rdataset, &keysigs, &soasigs,
+		preserve_keys, load_public, &keylist);
+	if (result != ISC_R_SUCCESS) {
+		fatal("failed to load the zone keys: %s",
+		      isc_result_totext(result));
+	}
+
+cleanup:
+	if (dns_rdataset_isassociated(&rdataset)) {
+		dns_rdataset_disassociate(&rdataset);
+	}
+	if (dns_rdataset_isassociated(&keysigs)) {
+		dns_rdataset_disassociate(&keysigs);
+	}
+	if (dns_rdataset_isassociated(&soasigs)) {
+		dns_rdataset_disassociate(&soasigs);
+	}
+	dns_db_detachnode(gdb, &node);
+	dns_db_closeversion(gdb, &currentversion, false);
+}
+
+static void
+loadexplicitkeys(char *keyfiles[], int n, bool setksk) {
+	isc_result_t result;
+	int i;
+
+	for (i = 0; i < n; i++) {
+		dns_dnsseckey_t *key = NULL;
+		dst_key_t *newkey = NULL;
+
+		result = dst_key_fromnamedfile(
+			keyfiles[i], directory,
+			DST_TYPE_PUBLIC | DST_TYPE_PRIVATE, mctx, &newkey);
+		if (result != ISC_R_SUCCESS) {
+			fatal("cannot load dnskey %s: %s", keyfiles[i],
+			      isc_result_totext(result));
+		}
+
+		if (!dns_name_equal(gorigin, dst_key_name(newkey))) {
+			fatal("key %s not at origin\n", keyfiles[i]);
+		}
+
+		if (!dst_key_isprivate(newkey)) {
+			fatal("cannot sign zone with non-private dnskey %s",
+			      keyfiles[i]);
+		}
+
+		/* Skip any duplicates */
+		for (key = ISC_LIST_HEAD(keylist); key != NULL;
+		     key = ISC_LIST_NEXT(key, link))
+		{
+			if (dst_key_id(key->key) == dst_key_id(newkey) &&
+			    dst_key_alg(key->key) == dst_key_alg(newkey))
+			{
+				break;
+			}
+		}
+
+		if (key == NULL) {
+			/* We haven't seen this key before */
+			dns_dnsseckey_create(mctx, &newkey, &key);
+			ISC_LIST_APPEND(keylist, key, link);
+			key->source = dns_keysource_user;
+		} else {
+			dst_key_free(&key->key);
+			key->key = newkey;
+		}
+
+		key->force_publish = true;
+		key->force_sign = true;
+
+		if (setksk) {
+			key->ksk = true;
+		}
+	}
+}
+
+static void
+report(const char *format, ...) {
+	if (!quiet) {
+		FILE *out = output_stdout ? stderr : stdout;
+		char buf[4096];
+		va_list args;
+
+		va_start(args, format);
+		vsnprintf(buf, sizeof(buf), format, args);
+		va_end(args);
+		fprintf(out, "%s\n", buf);
+	}
+}
+
+static void
+clear_keylist(dns_dnsseckeylist_t *list) {
+	dns_dnsseckey_t *key;
+	while (!ISC_LIST_EMPTY(*list)) {
+		key = ISC_LIST_HEAD(*list);
+		ISC_LIST_UNLINK(*list, key, link);
+		dns_dnsseckey_destroy(mctx, &key);
+	}
+}
+
+static void
+build_final_keylist(void) {
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	dns_dbversion_t *ver = NULL;
+	dns_diff_t diff;
+	dns_dnsseckeylist_t rmkeys, matchkeys;
+	char name[DNS_NAME_FORMATSIZE];
+	dns_rdataset_t cdsset, cdnskeyset, soaset;
+
+	ISC_LIST_INIT(rmkeys);
+	ISC_LIST_INIT(matchkeys);
+
+	dns_rdataset_init(&soaset);
+	dns_rdataset_init(&cdsset);
+	dns_rdataset_init(&cdnskeyset);
+
+	/*
+	 * Find keys that match this zone in the key repository.
+	 */
+	result = dns_dnssec_findmatchingkeys(gorigin, directory, now, mctx,
+					     &matchkeys);
+	if (result == ISC_R_NOTFOUND) {
+		result = ISC_R_SUCCESS;
+	}
+	check_result(result, "dns_dnssec_findmatchingkeys");
+
+	result = dns_db_newversion(gdb, &ver);
+	check_result(result, "dns_db_newversion");
+
+	result = dns_db_getoriginnode(gdb, &node);
+	check_result(result, "dns_db_getoriginnode");
+
+	/* Get the CDS rdataset */
+	result = dns_db_findrdataset(gdb, node, ver, dns_rdatatype_cds,
+				     dns_rdatatype_none, 0, &cdsset, NULL);
+	if (result != ISC_R_SUCCESS && dns_rdataset_isassociated(&cdsset)) {
+		dns_rdataset_disassociate(&cdsset);
+	}
+
+	/* Get the CDNSKEY rdataset */
+	result = dns_db_findrdataset(gdb, node, ver, dns_rdatatype_cdnskey,
+				     dns_rdatatype_none, 0, &cdnskeyset, NULL);
+	if (result != ISC_R_SUCCESS && dns_rdataset_isassociated(&cdnskeyset)) {
+		dns_rdataset_disassociate(&cdnskeyset);
+	}
+
+	dns_diff_init(mctx, &diff);
+
+	/*
+	 * Update keylist with information from from the key repository.
+	 */
+	dns_dnssec_updatekeys(&keylist, &matchkeys, NULL, gorigin, keyttl,
+			      &diff, mctx, report);
+
+	/*
+	 * Update keylist with sync records.
+	 */
+	dns_dnssec_syncupdate(&keylist, &rmkeys, &cdsset, &cdnskeyset, now,
+			      keyttl, &diff, mctx);
+
+	dns_name_format(gorigin, name, sizeof(name));
+
+	result = dns_diff_applysilently(&diff, gdb, ver);
+	if (result != ISC_R_SUCCESS) {
+		fatal("failed to update DNSKEY RRset at node '%s': %s", name,
+		      isc_result_totext(result));
+	}
+
+	dns_db_detachnode(gdb, &node);
+	dns_db_closeversion(gdb, &ver, true);
+
+	dns_diff_clear(&diff);
+
+	if (dns_rdataset_isassociated(&cdsset)) {
+		dns_rdataset_disassociate(&cdsset);
+	}
+	if (dns_rdataset_isassociated(&cdnskeyset)) {
+		dns_rdataset_disassociate(&cdnskeyset);
+	}
+
+	clear_keylist(&rmkeys);
+	clear_keylist(&matchkeys);
+}
+
+static void
+warnifallksk(dns_db_t *db) {
+	dns_dbversion_t *currentversion = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_result_t result;
+	dns_rdata_dnskey_t dnskey;
+	bool have_non_ksk = false;
+
+	dns_db_currentversion(db, &currentversion);
+
+	result = dns_db_findnode(db, gorigin, false, &node);
+	if (result != ISC_R_SUCCESS) {
+		fatal("failed to find the zone's origin: %s",
+		      isc_result_totext(result));
+	}
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(db, node, currentversion,
+				     dns_rdatatype_dnskey, 0, 0, &rdataset,
+				     NULL);
+	if (result != ISC_R_SUCCESS) {
+		fatal("failed to find keys at the zone apex: %s",
+		      isc_result_totext(result));
+	}
+	result = dns_rdataset_first(&rdataset);
+	check_result(result, "dns_rdataset_first");
+	while (result == ISC_R_SUCCESS) {
+		dns_rdata_reset(&rdata);
+		dns_rdataset_current(&rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &dnskey, NULL);
+		check_result(result, "dns_rdata_tostruct");
+		if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0) {
+			have_non_ksk = true;
+			result = ISC_R_NOMORE;
+		} else {
+			result = dns_rdataset_next(&rdataset);
+		}
+		dns_rdata_freestruct(&dnskey);
+	}
+	dns_rdataset_disassociate(&rdataset);
+	dns_db_detachnode(db, &node);
+	dns_db_closeversion(db, &currentversion, false);
+	if (!have_non_ksk && !ignore_kskflag) {
+		if (disable_zone_check) {
+			fprintf(stderr,
+				"%s: warning: No non-KSK DNSKEY found; "
+				"supply a ZSK or use '-z'.\n",
+				program);
+		} else {
+			fatal("No non-KSK DNSKEY found; "
+			      "supply a ZSK or use '-z'.");
+		}
+	}
+}
+
+static void
+set_nsec3params(bool update, bool set_salt, bool set_optout, bool set_iter) {
+	isc_result_t result;
+	dns_dbversion_t *ver = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_nsec3_t nsec3;
+	dns_fixedname_t fname;
+	dns_name_t *hashname;
+	unsigned char orig_salt[255];
+	size_t orig_saltlen;
+	dns_hash_t orig_hash;
+	uint16_t orig_iter;
+
+	dns_db_currentversion(gdb, &ver);
+	dns_rdataset_init(&rdataset);
+
+	orig_saltlen = sizeof(orig_salt);
+	result = dns_db_getnsec3parameters(gdb, ver, &orig_hash, NULL,
+					   &orig_iter, orig_salt,
+					   &orig_saltlen);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	nsec_datatype = dns_rdatatype_nsec3;
+
+	if (!update && set_salt) {
+		if (salt_length != orig_saltlen ||
+		    !isc_safe_memequal(saltbuf, orig_salt, salt_length))
+		{
+			fatal("An NSEC3 chain exists with a different salt. "
+			      "Use -u to update it.");
+		}
+	} else if (!set_salt) {
+		salt_length = orig_saltlen;
+		memmove(saltbuf, orig_salt, orig_saltlen);
+		gsalt = saltbuf;
+	}
+
+	if (!update && set_iter) {
+		if (nsec3iter != orig_iter) {
+			fatal("An NSEC3 chain exists with different "
+			      "iterations. Use -u to update it.");
+		}
+	} else if (!set_iter) {
+		nsec3iter = orig_iter;
+	}
+
+	/*
+	 * Find an NSEC3 record to get the current OPTOUT value.
+	 * (This assumes all NSEC3 records agree.)
+	 */
+
+	hashname = dns_fixedname_initname(&fname);
+	result = dns_nsec3_hashname(&fname, NULL, NULL, gorigin, gorigin,
+				    dns_hash_sha1, orig_iter, orig_salt,
+				    orig_saltlen);
+	check_result(result, "dns_nsec3_hashname");
+
+	result = dns_db_findnsec3node(gdb, hashname, false, &node);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	result = dns_db_findrdataset(gdb, node, ver, dns_rdatatype_nsec3, 0, 0,
+				     &rdataset, NULL);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	result = dns_rdataset_first(&rdataset);
+	check_result(result, "dns_rdataset_first");
+	dns_rdataset_current(&rdataset, &rdata);
+	result = dns_rdata_tostruct(&rdata, &nsec3, NULL);
+	check_result(result, "dns_rdata_tostruct");
+
+	if (!update && set_optout) {
+		if (nsec3flags != nsec3.flags) {
+			fatal("An NSEC3 chain exists with%s OPTOUT. "
+			      "Use -u -%s to %s it.",
+			      OPTOUT(nsec3.flags) ? "" : "out",
+			      OPTOUT(nsec3.flags) ? "AA" : "A",
+			      OPTOUT(nsec3.flags) ? "clear" : "set");
+		}
+	} else if (!set_optout) {
+		nsec3flags = nsec3.flags;
+	}
+
+	dns_rdata_freestruct(&nsec3);
+
+cleanup:
+	if (dns_rdataset_isassociated(&rdataset)) {
+		dns_rdataset_disassociate(&rdataset);
+	}
+	if (node != NULL) {
+		dns_db_detachnode(gdb, &node);
+	}
+	dns_db_closeversion(gdb, &ver, false);
+}
+
+static void
+writeset(const char *prefix, dns_rdatatype_t type) {
+	char *filename;
+	char namestr[DNS_NAME_FORMATSIZE];
+	dns_db_t *db = NULL;
+	dns_dbversion_t *dbversion = NULL;
+	dns_diff_t diff;
+	dns_difftuple_t *tuple = NULL;
+	dns_name_t *name;
+	dns_rdata_t rdata, ds;
+	bool have_ksk = false;
+	bool have_non_ksk = false;
+	isc_buffer_t b;
+	isc_buffer_t namebuf;
+	isc_region_t r;
+	isc_result_t result;
+	dns_dnsseckey_t *key, *curr;
+	unsigned char dsbuf[DNS_DS_BUFFERSIZE];
+	unsigned char keybuf[DST_KEY_MAXSIZE];
+	unsigned int filenamelen;
+	const dns_master_style_t *style = (type == dns_rdatatype_dnskey)
+						  ? masterstyle
+						  : dsstyle;
+
+	isc_buffer_init(&namebuf, namestr, sizeof(namestr));
+	result = dns_name_tofilenametext(gorigin, false, &namebuf);
+	check_result(result, "dns_name_tofilenametext");
+	isc_buffer_putuint8(&namebuf, 0);
+	filenamelen = strlen(prefix) + strlen(namestr) + 1;
+	if (dsdir != NULL) {
+		filenamelen += strlen(dsdir) + 1;
+	}
+	filename = isc_mem_get(mctx, filenamelen);
+	if (dsdir != NULL) {
+		snprintf(filename, filenamelen, "%s/", dsdir);
+	} else {
+		filename[0] = 0;
+	}
+	strlcat(filename, prefix, filenamelen);
+	strlcat(filename, namestr, filenamelen);
+
+	dns_diff_init(mctx, &diff);
+
+	name = gorigin;
+
+	for (key = ISC_LIST_HEAD(keylist); key != NULL;
+	     key = ISC_LIST_NEXT(key, link))
+	{
+		if (REVOKE(key->key)) {
+			continue;
+		}
+		if (isksk(key)) {
+			have_ksk = true;
+			have_non_ksk = false;
+		} else {
+			have_ksk = false;
+			have_non_ksk = true;
+		}
+		for (curr = ISC_LIST_HEAD(keylist); curr != NULL;
+		     curr = ISC_LIST_NEXT(curr, link))
+		{
+			if (dst_key_alg(key->key) != dst_key_alg(curr->key)) {
+				continue;
+			}
+			if (REVOKE(curr->key)) {
+				continue;
+			}
+			if (isksk(curr)) {
+				have_ksk = true;
+			} else {
+				have_non_ksk = true;
+			}
+		}
+		if (have_ksk && have_non_ksk && !isksk(key)) {
+			continue;
+		}
+		dns_rdata_init(&rdata);
+		dns_rdata_init(&ds);
+		isc_buffer_init(&b, keybuf, sizeof(keybuf));
+		result = dst_key_todns(key->key, &b);
+		check_result(result, "dst_key_todns");
+		isc_buffer_usedregion(&b, &r);
+		dns_rdata_fromregion(&rdata, gclass, dns_rdatatype_dnskey, &r);
+		if (type != dns_rdatatype_dnskey) {
+			result = dns_ds_buildrdata(gorigin, &rdata,
+						   DNS_DSDIGEST_SHA256, dsbuf,
+						   &ds);
+			check_result(result, "dns_ds_buildrdata");
+			result = dns_difftuple_create(mctx,
+						      DNS_DIFFOP_ADDRESIGN,
+						      name, 0, &ds, &tuple);
+		} else {
+			result = dns_difftuple_create(
+				mctx, DNS_DIFFOP_ADDRESIGN, gorigin,
+				zone_soa_min_ttl, &rdata, &tuple);
+		}
+		check_result(result, "dns_difftuple_create");
+		dns_diff_append(&diff, &tuple);
+	}
+
+	result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone,
+			       gclass, 0, NULL, &db);
+	check_result(result, "dns_db_create");
+
+	result = dns_db_newversion(db, &dbversion);
+	check_result(result, "dns_db_newversion");
+
+	result = dns_diff_apply(&diff, db, dbversion);
+	check_result(result, "dns_diff_apply");
+	dns_diff_clear(&diff);
+
+	result = dns_master_dump(mctx, db, dbversion, style, filename,
+				 dns_masterformat_text, NULL);
+	check_result(result, "dns_master_dump");
+
+	isc_mem_put(mctx, filename, filenamelen);
+
+	dns_db_closeversion(db, &dbversion, false);
+	dns_db_detach(&db);
+}
+
+static void
+print_time(FILE *fp) {
+	time_t currenttime = time(NULL);
+	struct tm t, *tm = localtime_r(&currenttime, &t);
+	unsigned int flen;
+	char timebuf[80];
+
+	if (tm == NULL || outputformat != dns_masterformat_text) {
+		return;
+	}
+
+	flen = strftime(timebuf, sizeof(timebuf), "%a %b %e %H:%M:%S %Y", tm);
+	INSIST(flen > 0U && flen < sizeof(timebuf));
+	fprintf(fp, "; File written on %s\n", timebuf);
+}
+
+static void
+print_version(FILE *fp) {
+	if (outputformat != dns_masterformat_text) {
+		return;
+	}
+
+	fprintf(fp, "; dnssec_signzone version " VERSION "\n");
+}
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(void) {
+	fprintf(stderr, "Usage:\n");
+	fprintf(stderr, "\t%s [options] zonefile [keys]\n", program);
+
+	fprintf(stderr, "\n");
+
+	fprintf(stderr, "Version: %s\n", VERSION);
+
+	fprintf(stderr, "Options: (default value in parenthesis) \n");
+	fprintf(stderr, "\t-S:\tsmart signing: automatically finds key files\n"
+			"\t\tfor the zone and determines how they are to "
+			"be used\n");
+	fprintf(stderr, "\t-K directory:\n");
+	fprintf(stderr, "\t\tdirectory to find key files (.)\n");
+	fprintf(stderr, "\t-d directory:\n");
+	fprintf(stderr, "\t\tdirectory to find dsset-* files (.)\n");
+	fprintf(stderr, "\t-g:\t");
+	fprintf(stderr, "update DS records based on child zones' "
+			"dsset-* files\n");
+	fprintf(stderr, "\t-s [YYYYMMDDHHMMSS|+offset]:\n");
+	fprintf(stderr, "\t\tRRSIG start time "
+			"- absolute|offset (now - 1 hour)\n");
+	fprintf(stderr, "\t-e [YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n");
+	fprintf(stderr, "\t\tRRSIG end time "
+			"- absolute|from start|from now "
+			"(now + 30 days)\n");
+	fprintf(stderr, "\t-X [YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n");
+	fprintf(stderr, "\t\tDNSKEY RRSIG end "
+			"- absolute|from start|from now "
+			"(matches -e)\n");
+	fprintf(stderr, "\t-i interval:\n");
+	fprintf(stderr, "\t\tcycle interval - resign "
+			"if < interval from end ( (end-start)/4 )\n");
+	fprintf(stderr, "\t-j jitter:\n");
+	fprintf(stderr, "\t\trandomize signature end time up to jitter "
+			"seconds\n");
+	fprintf(stderr, "\t-v debuglevel (0)\n");
+	fprintf(stderr, "\t-q quiet\n");
+	fprintf(stderr, "\t-V:\tprint version information\n");
+	fprintf(stderr, "\t-o origin:\n");
+	fprintf(stderr, "\t\tzone origin (name of zonefile)\n");
+	fprintf(stderr, "\t-f outfile:\n");
+	fprintf(stderr, "\t\tfile the signed zone is written in "
+			"(zonefile + .signed)\n");
+	fprintf(stderr, "\t-I format:\n");
+	fprintf(stderr, "\t\tfile format of input zonefile (text)\n");
+	fprintf(stderr, "\t-O format:\n");
+	fprintf(stderr, "\t\tfile format of signed zone file (text)\n");
+	fprintf(stderr, "\t-N format:\n");
+	fprintf(stderr, "\t\tsoa serial format of signed zone file (keep)\n");
+	fprintf(stderr, "\t-D:\n");
+	fprintf(stderr, "\t\toutput only DNSSEC-related records\n");
+	fprintf(stderr, "\t-a:\t");
+	fprintf(stderr, "verify generated signatures\n");
+	fprintf(stderr, "\t-c class (IN)\n");
+	fprintf(stderr, "\t-E engine:\n");
+#if USE_PKCS11
+	fprintf(stderr,
+		"\t\tpath to PKCS#11 provider library "
+		"(default is %s)\n",
+		PK11_LIB_LOCATION);
+#else  /* if USE_PKCS11 */
+	fprintf(stderr, "\t\tname of an OpenSSL engine to use\n");
+#endif /* if USE_PKCS11 */
+	fprintf(stderr, "\t-P:\t");
+	fprintf(stderr, "disable post-sign verification\n");
+	fprintf(stderr, "\t-Q:\t");
+	fprintf(stderr, "remove signatures from keys that are no "
+			"longer active\n");
+	fprintf(stderr, "\t-R:\t");
+	fprintf(stderr, "remove signatures from keys that no longer exist\n");
+	fprintf(stderr, "\t-T TTL:\tTTL for newly added DNSKEYs\n");
+	fprintf(stderr, "\t-t:\t");
+	fprintf(stderr, "print statistics\n");
+	fprintf(stderr, "\t-u:\t");
+	fprintf(stderr, "update or replace an existing NSEC/NSEC3 chain\n");
+	fprintf(stderr, "\t-x:\tsign DNSKEY record with KSKs only, not ZSKs\n");
+	fprintf(stderr, "\t-z:\tsign all records with KSKs\n");
+	fprintf(stderr, "\t-C:\tgenerate a keyset file, for compatibility\n"
+			"\t\twith older versions of dnssec-signzone -g\n");
+	fprintf(stderr, "\t-n ncpus (number of cpus present)\n");
+	fprintf(stderr, "\t-k key_signing_key\n");
+	fprintf(stderr, "\t-3 NSEC3 salt\n");
+	fprintf(stderr, "\t-H NSEC3 iterations (10)\n");
+	fprintf(stderr, "\t-A NSEC3 optout\n");
+
+	fprintf(stderr, "\n");
+
+	fprintf(stderr, "Signing Keys: ");
+	fprintf(stderr, "(default: all zone keys that have private keys)\n");
+	fprintf(stderr, "\tkeyfile (Kname+alg+tag)\n");
+
+	exit(0);
+}
+
+static void
+removetempfile(void) {
+	if (removefile) {
+		isc_file_remove(tempfile);
+	}
+}
+
+static void
+print_stats(isc_time_t *timer_start, isc_time_t *timer_finish,
+	    isc_time_t *sign_start, isc_time_t *sign_finish) {
+	uint64_t time_us; /* Time in microseconds */
+	uint64_t time_ms; /* Time in milliseconds */
+	uint64_t sig_ms;  /* Signatures per millisecond */
+	FILE *out = output_stdout ? stderr : stdout;
+
+	fprintf(out, "Signatures generated:               %10u\n", nsigned);
+	fprintf(out, "Signatures retained:                %10u\n", nretained);
+	fprintf(out, "Signatures dropped:                 %10u\n", ndropped);
+	fprintf(out, "Signatures successfully verified:   %10u\n", nverified);
+	fprintf(out,
+		"Signatures unsuccessfully "
+		"verified: %10u\n",
+		nverifyfailed);
+
+	time_us = isc_time_microdiff(sign_finish, sign_start);
+	time_ms = time_us / 1000;
+	fprintf(out, "Signing time in seconds:           %7u.%03u\n",
+		(unsigned int)(time_ms / 1000), (unsigned int)(time_ms % 1000));
+	if (time_us > 0) {
+		sig_ms = ((uint64_t)nsigned * 1000000000) / time_us;
+		fprintf(out, "Signatures per second:             %7u.%03u\n",
+			(unsigned int)sig_ms / 1000,
+			(unsigned int)sig_ms % 1000);
+	}
+
+	time_us = isc_time_microdiff(timer_finish, timer_start);
+	time_ms = time_us / 1000;
+	fprintf(out, "Runtime in seconds:                %7u.%03u\n",
+		(unsigned int)(time_ms / 1000), (unsigned int)(time_ms % 1000));
+}
+
+int
+main(int argc, char *argv[]) {
+	int i, ch;
+	char *startstr = NULL, *endstr = NULL, *classname = NULL;
+	char *dnskey_endstr = NULL;
+	char *origin = NULL, *file = NULL, *output = NULL;
+	char *inputformatstr = NULL, *outputformatstr = NULL;
+	char *serialformatstr = NULL;
+	char *dskeyfile[MAXDSKEYS];
+	int ndskeys = 0;
+	char *endp;
+	isc_time_t timer_start, timer_finish;
+	isc_time_t sign_start, sign_finish;
+	dns_dnsseckey_t *key;
+	isc_result_t result, vresult;
+	isc_log_t *log = NULL;
+	const char *engine = NULL;
+	bool free_output = false;
+	int tempfilelen = 0;
+	dns_rdataclass_t rdclass;
+	isc_task_t **tasks = NULL;
+	hashlist_t hashlist;
+	bool make_keyset = false;
+	bool set_salt = false;
+	bool set_optout = false;
+	bool set_iter = false;
+	bool nonsecify = false;
+
+	atomic_init(&shuttingdown, false);
+	atomic_init(&finished, false);
+
+	/* Unused letters: Bb G J q Yy (and F is reserved). */
+#define CMDLINE_FLAGS                                                         \
+	"3:AaCc:Dd:E:e:f:FghH:i:I:j:K:k:L:l:m:M:n:N:o:O:PpQqRr:s:ST:tuUv:VX:" \
+	"xzZ:"
+
+	/*
+	 * Process memory debugging argument first.
+	 */
+	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
+		switch (ch) {
+		case 'm':
+			if (strcasecmp(isc_commandline_argument, "record") == 0)
+			{
+				isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
+			}
+			if (strcasecmp(isc_commandline_argument, "trace") == 0)
+			{
+				isc_mem_debugging |= ISC_MEM_DEBUGTRACE;
+			}
+			if (strcasecmp(isc_commandline_argument, "usage") == 0)
+			{
+				isc_mem_debugging |= ISC_MEM_DEBUGUSAGE;
+			}
+			if (strcasecmp(isc_commandline_argument, "size") == 0) {
+				isc_mem_debugging |= ISC_MEM_DEBUGSIZE;
+			}
+			if (strcasecmp(isc_commandline_argument, "mctx") == 0) {
+				isc_mem_debugging |= ISC_MEM_DEBUGCTX;
+			}
+			break;
+		default:
+			break;
+		}
+	}
+	isc_commandline_reset = true;
+
+#ifdef _WIN32
+	InitSockets();
+#endif /* ifdef _WIN32 */
+
+	masterstyle = &dns_master_style_explicitttl;
+
+	check_result(isc_app_start(), "isc_app_start");
+
+	isc_mem_create(&mctx);
+
+#if USE_PKCS11
+	pk11_result_register();
+#endif /* if USE_PKCS11 */
+	dns_result_register();
+
+	isc_commandline_errprint = false;
+
+	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
+		switch (ch) {
+		case '3':
+			set_salt = true;
+			nsec_datatype = dns_rdatatype_nsec3;
+			if (strcmp(isc_commandline_argument, "-") != 0) {
+				isc_buffer_t target;
+				char *sarg;
+
+				sarg = isc_commandline_argument;
+				isc_buffer_init(&target, saltbuf,
+						sizeof(saltbuf));
+				result = isc_hex_decodestring(sarg, &target);
+				check_result(result, "isc_hex_decodestring("
+						     "salt)");
+				salt_length = isc_buffer_usedlength(&target);
+			}
+			break;
+
+		case 'A':
+			set_optout = true;
+			if (OPTOUT(nsec3flags)) {
+				nsec3flags &= ~DNS_NSEC3FLAG_OPTOUT;
+			} else {
+				nsec3flags |= DNS_NSEC3FLAG_OPTOUT;
+			}
+			break;
+
+		case 'a':
+			tryverify = true;
+			break;
+
+		case 'C':
+			make_keyset = true;
+			break;
+
+		case 'c':
+			classname = isc_commandline_argument;
+			break;
+
+		case 'd':
+			dsdir = isc_commandline_argument;
+			if (strlen(dsdir) == 0U) {
+				fatal("DS directory must be non-empty string");
+			}
+			result = try_dir(dsdir);
+			if (result != ISC_R_SUCCESS) {
+				fatal("cannot open directory %s: %s", dsdir,
+				      isc_result_totext(result));
+			}
+			break;
+
+		case 'D':
+			output_dnssec_only = true;
+			break;
+
+		case 'E':
+			engine = isc_commandline_argument;
+			break;
+
+		case 'e':
+			endstr = isc_commandline_argument;
+			break;
+
+		case 'f':
+			output = isc_commandline_argument;
+			if (strcmp(output, "-") == 0) {
+				output_stdout = true;
+			}
+			break;
+
+		case 'g':
+			generateds = true;
+			break;
+
+		case 'H':
+			set_iter = true;
+			/* too-many is NOT DOCUMENTED */
+			if (strcmp(isc_commandline_argument, "too-many") == 0) {
+				nsec3iter = 151;
+				no_max_check = true;
+				break;
+			}
+			nsec3iter = strtoul(isc_commandline_argument, &endp, 0);
+			if (*endp != '\0') {
+				fatal("iterations must be numeric");
+			}
+			if (nsec3iter > 0xffffU) {
+				fatal("iterations too big");
+			}
+			break;
+
+		case 'I':
+			inputformatstr = isc_commandline_argument;
+			break;
+
+		case 'i':
+			endp = NULL;
+			cycle = strtol(isc_commandline_argument, &endp, 0);
+			if (*endp != '\0' || cycle < 0) {
+				fatal("cycle period must be numeric and "
+				      "positive");
+			}
+			break;
+
+		case 'j':
+			endp = NULL;
+			jitter = strtol(isc_commandline_argument, &endp, 0);
+			if (*endp != '\0' || jitter < 0) {
+				fatal("jitter must be numeric and positive");
+			}
+			break;
+
+		case 'K':
+			directory = isc_commandline_argument;
+			break;
+
+		case 'k':
+			if (ndskeys == MAXDSKEYS) {
+				fatal("too many key-signing keys specified");
+			}
+			dskeyfile[ndskeys++] = isc_commandline_argument;
+			break;
+
+		case 'L':
+			snset = true;
+			endp = NULL;
+			serialnum = strtol(isc_commandline_argument, &endp, 0);
+			if (*endp != '\0') {
+				fprintf(stderr, "source serial number "
+						"must be numeric");
+				exit(1);
+			}
+			break;
+
+		case 'l':
+			fatal("-l option (DLV lookaside) is obsolete");
+			break;
+
+		case 'M':
+			endp = NULL;
+			set_maxttl = true;
+			maxttl = strtol(isc_commandline_argument, &endp, 0);
+			if (*endp != '\0') {
+				fprintf(stderr, "maximum TTL "
+						"must be numeric");
+				exit(1);
+			}
+			break;
+
+		case 'm':
+			break;
+
+		case 'N':
+			serialformatstr = isc_commandline_argument;
+			break;
+
+		case 'n':
+			endp = NULL;
+			ntasks = strtol(isc_commandline_argument, &endp, 0);
+			if (*endp != '\0' || ntasks > INT32_MAX) {
+				fatal("number of cpus must be numeric");
+			}
+			break;
+
+		case 'O':
+			outputformatstr = isc_commandline_argument;
+			break;
+
+		case 'o':
+			origin = isc_commandline_argument;
+			break;
+
+		case 'P':
+			disable_zone_check = true;
+			break;
+
+		case 'p':
+			fatal("The -p option has been deprecated.\n");
+			break;
+
+		case 'Q':
+			remove_inactkeysigs = true;
+			break;
+
+		case 'R':
+			remove_orphansigs = true;
+			break;
+
+		case 'r':
+			fatal("The -r options has been deprecated.\n");
+			break;
+
+		case 'S':
+			smartsign = true;
+			break;
+
+		case 's':
+			startstr = isc_commandline_argument;
+			break;
+
+		case 'T':
+			endp = NULL;
+			set_keyttl = true;
+			keyttl = strtottl(isc_commandline_argument);
+			break;
+
+		case 't':
+			printstats = true;
+			break;
+
+		case 'U': /* Undocumented for testing only. */
+			unknownalg = true;
+			break;
+
+		case 'u':
+			update_chain = true;
+			break;
+
+		case 'v':
+			endp = NULL;
+			verbose = strtol(isc_commandline_argument, &endp, 0);
+			if (*endp != '\0') {
+				fatal("verbose level must be numeric");
+			}
+			break;
+
+		case 'q':
+			quiet = true;
+			break;
+
+		case 'X':
+			dnskey_endstr = isc_commandline_argument;
+			break;
+
+		case 'x':
+			keyset_kskonly = true;
+			break;
+
+		case 'z':
+			ignore_kskflag = true;
+			break;
+
+		case 'F':
+			/* Reserved for FIPS mode */
+			FALLTHROUGH;
+		case '?':
+			if (isc_commandline_option != '?') {
+				fprintf(stderr, "%s: invalid argument -%c\n",
+					program, isc_commandline_option);
+			}
+			FALLTHROUGH;
+		case 'h':
+			/* Does not return. */
+			usage();
+
+		case 'V':
+			/* Does not return. */
+			version(program);
+
+		case 'Z': /* Undocumented test options */
+			if (!strcmp(isc_commandline_argument, "nonsecify")) {
+				nonsecify = true;
+			}
+			break;
+
+		default:
+			fprintf(stderr, "%s: unhandled option -%c\n", program,
+				isc_commandline_option);
+			exit(1);
+		}
+	}
+
+	result = dst_lib_init(mctx, engine);
+	if (result != ISC_R_SUCCESS) {
+		fatal("could not initialize dst: %s",
+		      isc_result_totext(result));
+	}
+
+	isc_stdtime_get(&now);
+
+	if (startstr != NULL) {
+		starttime = strtotime(startstr, now, now, NULL);
+	} else {
+		starttime = now - 3600; /* Allow for some clock skew. */
+	}
+
+	if (endstr != NULL) {
+		endtime = strtotime(endstr, now, starttime, NULL);
+	} else {
+		endtime = starttime + (30 * 24 * 60 * 60);
+	}
+
+	if (dnskey_endstr != NULL) {
+		dnskey_endtime = strtotime(dnskey_endstr, now, starttime, NULL);
+		if (endstr != NULL && dnskey_endtime == endtime) {
+			fprintf(stderr, "WARNING: -e and -X were both set, "
+					"but have identical values.\n");
+		}
+	} else {
+		dnskey_endtime = endtime;
+	}
+
+	if (cycle == -1) {
+		cycle = (endtime - starttime) / 4;
+	}
+
+	if (ntasks == 0) {
+		ntasks = isc_os_ncpus() * 2;
+	}
+	vbprintf(4, "using %d cpus\n", ntasks);
+
+	rdclass = strtoclass(classname);
+
+	if (directory == NULL) {
+		directory = ".";
+	}
+
+	setup_logging(mctx, &log);
+
+	argc -= isc_commandline_index;
+	argv += isc_commandline_index;
+
+	if (argc < 1) {
+		usage();
+	}
+
+	file = argv[0];
+
+	argc -= 1;
+	argv += 1;
+
+	if (origin == NULL) {
+		origin = file;
+	}
+
+	if (output == NULL) {
+		size_t size;
+		free_output = true;
+		size = strlen(file) + strlen(".signed") + 1;
+		output = isc_mem_allocate(mctx, size);
+		snprintf(output, size, "%s.signed", file);
+	}
+
+	if (inputformatstr != NULL) {
+		if (strcasecmp(inputformatstr, "text") == 0) {
+			inputformat = dns_masterformat_text;
+		} else if (strcasecmp(inputformatstr, "map") == 0) {
+			inputformat = dns_masterformat_map;
+		} else if (strcasecmp(inputformatstr, "raw") == 0) {
+			inputformat = dns_masterformat_raw;
+		} else if (strncasecmp(inputformatstr, "raw=", 4) == 0) {
+			inputformat = dns_masterformat_raw;
+			fprintf(stderr, "WARNING: input format version "
+					"ignored\n");
+		} else {
+			fatal("unknown file format: %s", inputformatstr);
+		}
+	}
+
+	if (outputformatstr != NULL) {
+		if (strcasecmp(outputformatstr, "text") == 0) {
+			outputformat = dns_masterformat_text;
+		} else if (strcasecmp(outputformatstr, "full") == 0) {
+			outputformat = dns_masterformat_text;
+			masterstyle = &dns_master_style_full;
+		} else if (strcasecmp(outputformatstr, "map") == 0) {
+			outputformat = dns_masterformat_map;
+		} else if (strcasecmp(outputformatstr, "raw") == 0) {
+			outputformat = dns_masterformat_raw;
+		} else if (strncasecmp(outputformatstr, "raw=", 4) == 0) {
+			char *end;
+
+			outputformat = dns_masterformat_raw;
+			rawversion = strtol(outputformatstr + 4, &end, 10);
+			if (end == outputformatstr + 4 || *end != '\0' ||
+			    rawversion > 1U)
+			{
+				fprintf(stderr, "unknown raw format version\n");
+				exit(1);
+			}
+		} else {
+			fatal("unknown file format: %s", outputformatstr);
+		}
+	}
+
+	if (serialformatstr != NULL) {
+		if (strcasecmp(serialformatstr, "keep") == 0) {
+			serialformat = SOA_SERIAL_KEEP;
+		} else if (strcasecmp(serialformatstr, "increment") == 0 ||
+			   strcasecmp(serialformatstr, "incr") == 0)
+		{
+			serialformat = SOA_SERIAL_INCREMENT;
+		} else if (strcasecmp(serialformatstr, "unixtime") == 0) {
+			serialformat = SOA_SERIAL_UNIXTIME;
+		} else if (strcasecmp(serialformatstr, "date") == 0) {
+			serialformat = SOA_SERIAL_DATE;
+		} else {
+			fatal("unknown soa serial format: %s", serialformatstr);
+		}
+	}
+
+	if (output_dnssec_only && outputformat != dns_masterformat_text) {
+		fatal("option -D can only be used with \"-O text\"");
+	}
+
+	if (output_dnssec_only && serialformat != SOA_SERIAL_KEEP) {
+		fatal("option -D can only be used with \"-N keep\"");
+	}
+
+	if (output_dnssec_only && set_maxttl) {
+		fatal("option -D cannot be used with -M");
+	}
+
+	result = dns_master_stylecreate(&dsstyle, DNS_STYLEFLAG_NO_TTL, 0, 24,
+					0, 0, 0, 8, 0xffffffff, mctx);
+	check_result(result, "dns_master_stylecreate");
+
+	gdb = NULL;
+	TIME_NOW(&timer_start);
+	loadzone(file, origin, rdclass, &gdb);
+	gorigin = dns_db_origin(gdb);
+	gclass = dns_db_class(gdb);
+	get_soa_ttls();
+
+	if (set_maxttl && set_keyttl && keyttl > maxttl) {
+		fprintf(stderr,
+			"%s: warning: Specified key TTL %u "
+			"exceeds maximum zone TTL; reducing to %u\n",
+			program, keyttl, maxttl);
+		keyttl = maxttl;
+	}
+
+	if (!set_keyttl) {
+		keyttl = soa_ttl;
+	}
+
+	/*
+	 * Check for any existing NSEC3 parameters in the zone,
+	 * and use them as defaults if -u was not specified.
+	 */
+	if (update_chain && !set_optout && !set_iter && !set_salt) {
+		nsec_datatype = dns_rdatatype_nsec;
+	} else {
+		set_nsec3params(update_chain, set_salt, set_optout, set_iter);
+	}
+
+	/*
+	 * We need to do this early on, as we start messing with the list
+	 * of keys rather early.
+	 */
+	ISC_LIST_INIT(keylist);
+	isc_rwlock_init(&keylist_lock, 0, 0);
+
+	/*
+	 * Fill keylist with:
+	 * 1) Keys listed in the DNSKEY set that have
+	 *    private keys associated, *if* no keys were
+	 *    set on the command line.
+	 * 2) ZSKs set on the command line
+	 * 3) KSKs set on the command line
+	 * 4) Any keys remaining in the DNSKEY set which
+	 *    do not have private keys associated and were
+	 *    not specified on the command line.
+	 */
+	if (argc == 0 || smartsign) {
+		loadzonekeys(!smartsign, false);
+	}
+	loadexplicitkeys(argv, argc, false);
+	loadexplicitkeys(dskeyfile, ndskeys, true);
+	loadzonekeys(!smartsign, true);
+
+	/*
+	 * If we're doing smart signing, look in the key repository for
+	 * key files with metadata, and merge them with the keylist
+	 * we have now.
+	 */
+	if (smartsign) {
+		build_final_keylist();
+	}
+
+	/* Now enumerate the key list */
+	for (key = ISC_LIST_HEAD(keylist); key != NULL;
+	     key = ISC_LIST_NEXT(key, link))
+	{
+		key->index = keycount++;
+	}
+
+	if (keycount == 0) {
+		if (disable_zone_check) {
+			fprintf(stderr,
+				"%s: warning: No keys specified "
+				"or found\n",
+				program);
+		} else {
+			fatal("No signing keys specified or found.");
+		}
+		nokeys = true;
+	}
+
+	warnifallksk(gdb);
+
+	if (IS_NSEC3) {
+		bool answer;
+
+		hash_length = dns_nsec3_hashlength(dns_hash_sha1);
+		hashlist_init(&hashlist, dns_db_nodecount(gdb) * 2,
+			      hash_length);
+		result = dns_nsec_nseconly(gdb, gversion, &answer);
+		if (result == ISC_R_NOTFOUND) {
+			fprintf(stderr,
+				"%s: warning: NSEC3 generation "
+				"requested with no DNSKEY; ignoring\n",
+				program);
+		} else if (result != ISC_R_SUCCESS) {
+			check_result(result, "dns_nsec_nseconly");
+		} else if (answer) {
+			fatal("NSEC3 generation requested with "
+			      "NSEC-only DNSKEY");
+		}
+
+		if (nsec3iter > dns_nsec3_maxiterations()) {
+			if (no_max_check) {
+				fprintf(stderr,
+					"Ignoring max iterations check.\n");
+			} else {
+				fatal("NSEC3 iterations too big. Maximum "
+				      "iterations allowed %u.",
+				      dns_nsec3_maxiterations());
+			}
+		}
+	} else {
+		hashlist_init(&hashlist, 0, 0); /* silence clang */
+	}
+
+	gversion = NULL;
+	result = dns_db_newversion(gdb, &gversion);
+	check_result(result, "dns_db_newversion()");
+
+	switch (serialformat) {
+	case SOA_SERIAL_INCREMENT:
+		setsoaserial(0, dns_updatemethod_increment);
+		break;
+	case SOA_SERIAL_UNIXTIME:
+		setsoaserial(now, dns_updatemethod_unixtime);
+		break;
+	case SOA_SERIAL_DATE:
+		setsoaserial(now, dns_updatemethod_date);
+		break;
+	case SOA_SERIAL_KEEP:
+	default:
+		/* do nothing */
+		break;
+	}
+
+	/* Remove duplicates and cap TTLs at maxttl */
+	cleanup_zone();
+
+	if (!nonsecify) {
+		if (IS_NSEC3) {
+			nsec3ify(dns_hash_sha1, nsec3iter, gsalt, salt_length,
+				 &hashlist);
+		} else {
+			nsecify();
+		}
+	}
+
+	if (!nokeys) {
+		writeset("dsset-", dns_rdatatype_ds);
+		if (make_keyset) {
+			writeset("keyset-", dns_rdatatype_dnskey);
+		}
+	}
+
+	if (output_stdout) {
+		outfp = stdout;
+		if (outputformatstr == NULL) {
+			masterstyle = &dns_master_style_full;
+		}
+	} else {
+		tempfilelen = strlen(output) + 20;
+		tempfile = isc_mem_get(mctx, tempfilelen);
+
+		result = isc_file_mktemplate(output, tempfile, tempfilelen);
+		check_result(result, "isc_file_mktemplate");
+
+		if (outputformat == dns_masterformat_text) {
+			result = isc_file_openunique(tempfile, &outfp);
+		} else {
+			result = isc_file_bopenunique(tempfile, &outfp);
+		}
+		if (result != ISC_R_SUCCESS) {
+			fatal("failed to open temporary output file: %s",
+			      isc_result_totext(result));
+		}
+		removefile = true;
+		setfatalcallback(&removetempfile);
+	}
+
+	print_time(outfp);
+	print_version(outfp);
+
+	result = isc_managers_create(mctx, ntasks, 0, &netmgr, &taskmgr);
+	if (result != ISC_R_SUCCESS) {
+		fatal("failed to create task manager: %s",
+		      isc_result_totext(result));
+	}
+
+	master = NULL;
+	result = isc_task_create(taskmgr, 0, &master);
+	if (result != ISC_R_SUCCESS) {
+		fatal("failed to create task: %s", isc_result_totext(result));
+	}
+
+	tasks = isc_mem_get(mctx, ntasks * sizeof(isc_task_t *));
+	for (i = 0; i < (int)ntasks; i++) {
+		tasks[i] = NULL;
+		result = isc_task_create(taskmgr, 0, &tasks[i]);
+		if (result != ISC_R_SUCCESS) {
+			fatal("failed to create task: %s",
+			      isc_result_totext(result));
+		}
+	}
+
+	isc_mutex_init(&namelock);
+
+	if (printstats) {
+		isc_mutex_init(&statslock);
+	}
+
+	presign();
+	TIME_NOW(&sign_start);
+	signapex();
+	if (!atomic_load(&finished)) {
+		/*
+		 * There is more work to do.  Spread it out over multiple
+		 * processors if possible.
+		 */
+		for (i = 0; i < (int)ntasks; i++) {
+			result = isc_app_onrun(mctx, master, startworker,
+					       tasks[i]);
+			if (result != ISC_R_SUCCESS) {
+				fatal("failed to start task: %s",
+				      isc_result_totext(result));
+			}
+		}
+		(void)isc_app_run();
+		if (!atomic_load(&finished)) {
+			fatal("process aborted by user");
+		}
+	} else {
+		isc_task_detach(&master);
+	}
+	atomic_store(&shuttingdown, true);
+	for (i = 0; i < (int)ntasks; i++) {
+		isc_task_detach(&tasks[i]);
+	}
+	isc_managers_destroy(&netmgr, &taskmgr);
+	isc_mem_put(mctx, tasks, ntasks * sizeof(isc_task_t *));
+	postsign();
+	TIME_NOW(&sign_finish);
+
+	if (disable_zone_check) {
+		vresult = ISC_R_SUCCESS;
+	} else {
+		vresult = dns_zoneverify_dnssec(NULL, gdb, gversion, gorigin,
+						NULL, mctx, ignore_kskflag,
+						keyset_kskonly, report);
+		if (vresult != ISC_R_SUCCESS) {
+			fprintf(output_stdout ? stderr : stdout,
+				"Zone verification failed (%s)\n",
+				isc_result_totext(vresult));
+		}
+	}
+
+	if (outputformat != dns_masterformat_text) {
+		dns_masterrawheader_t header;
+		dns_master_initrawheader(&header);
+		if (rawversion == 0U) {
+			header.flags = DNS_MASTERRAW_COMPAT;
+		} else if (snset) {
+			header.flags = DNS_MASTERRAW_SOURCESERIALSET;
+			header.sourceserial = serialnum;
+		}
+		result = dns_master_dumptostream(mctx, gdb, gversion,
+						 masterstyle, outputformat,
+						 &header, outfp);
+		check_result(result, "dns_master_dumptostream3");
+	}
+
+	isc_mutex_destroy(&namelock);
+	if (printstats) {
+		isc_mutex_destroy(&statslock);
+	}
+
+	if (!output_stdout) {
+		result = isc_stdio_close(outfp);
+		check_result(result, "isc_stdio_close");
+		removefile = false;
+
+		if (vresult == ISC_R_SUCCESS) {
+			result = isc_file_rename(tempfile, output);
+			if (result != ISC_R_SUCCESS) {
+				fatal("failed to rename temp file to %s: %s",
+				      output, isc_result_totext(result));
+			}
+			printf("%s\n", output);
+		} else {
+			isc_file_remove(tempfile);
+		}
+	}
+
+	dns_db_closeversion(gdb, &gversion, false);
+	dns_db_detach(&gdb);
+
+	hashlist_free(&hashlist);
+
+	while (!ISC_LIST_EMPTY(keylist)) {
+		key = ISC_LIST_HEAD(keylist);
+		ISC_LIST_UNLINK(keylist, key, link);
+		dns_dnsseckey_destroy(mctx, &key);
+	}
+
+	if (tempfilelen != 0) {
+		isc_mem_put(mctx, tempfile, tempfilelen);
+	}
+
+	if (free_output) {
+		isc_mem_free(mctx, output);
+	}
+
+	dns_master_styledestroy(&dsstyle, mctx);
+
+	cleanup_logging(&log);
+	dst_lib_destroy();
+	if (verbose > 10) {
+		isc_mem_stats(mctx, stdout);
+	}
+	isc_mem_destroy(&mctx);
+
+	(void)isc_app_finish();
+
+	if (printstats) {
+		TIME_NOW(&timer_finish);
+		print_stats(&timer_start, &timer_finish, &sign_start,
+			    &sign_finish);
+	}
+
+#ifdef _WIN32
+	DestroySockets();
+#endif /* ifdef _WIN32 */
+	return (vresult == ISC_R_SUCCESS ? 0 : 1);
+}
diff --git a/bin/dnssec/dnssec-signzone.rst b/bin/dnssec/dnssec-signzone.rst
new file mode 100644
index 0000000..f5056bb
--- /dev/null
+++ b/bin/dnssec/dnssec-signzone.rst
@@ -0,0 +1,396 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. highlight: console
+
+.. _man_dnssec-signzone:
+
+dnssec-signzone - DNSSEC zone signing tool
+------------------------------------------
+
+Synopsis
+~~~~~~~~
+
+:program:`dnssec-signzone` [**-a**] [**-c** class] [**-d** directory] [**-D**] [**-E** engine] [**-e** end-time] [**-f** output-file] [**-g**] [**-h**] [**-i** interval] [**-I** input-format] [**-j** jitter] [**-K** directory] [**-k** key] [**-L** serial] [**-M** maxttl] [**-N** soa-serial-format] [**-o** origin] [**-O** output-format] [**-P**] [**-Q**] [**-q**] [**-R**] [**-S**] [**-s** start-time] [**-T** ttl] [**-t**] [**-u**] [**-v** level] [**-V**] [**-X** extended end-time] [**-x**] [**-z**] [**-3** salt] [**-H** iterations] [**-A**] {zonefile} [key...]
+
+Description
+~~~~~~~~~~~
+
+``dnssec-signzone`` signs a zone; it generates NSEC and RRSIG records
+and produces a signed version of the zone. The security status of
+delegations from the signed zone (that is, whether the child zones are
+secure) is determined by the presence or absence of a ``keyset``
+file for each child zone.
+
+Options
+~~~~~~~
+
+``-a``
+   This option verifies all generated signatures.
+
+``-c class``
+   This option specifies the DNS class of the zone.
+
+``-C``
+   This option sets compatibility mode, in which a ``keyset-zonename`` file is generated in addition
+   to ``dsset-zonename`` when signing a zone, for use by older versions
+   of ``dnssec-signzone``.
+
+``-d directory``
+   This option indicates the directory where BIND 9 should look for ``dsset-`` or ``keyset-`` files.
+
+``-D``
+   This option indicates that only those record types automatically managed by
+   ``dnssec-signzone``, i.e., RRSIG, NSEC, NSEC3 and NSEC3PARAM records, should be included in the output.
+   If smart signing (``-S``) is used, DNSKEY records are also included.
+   The resulting file can be included in the original zone file with
+   ``$INCLUDE``. This option cannot be combined with ``-O raw``,
+   ``-O map``, or serial-number updating.
+
+``-E engine``
+   This option specifies the hardware to use for cryptographic
+   operations, such as a secure key store used for signing, when applicable.
+
+   When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+   engine identifier that drives the cryptographic accelerator or
+   hardware service module (usually ``pkcs11``). When BIND is
+   built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
+   defaults to the path of the PKCS#11 provider library specified via
+   ``--with-pkcs11``.
+
+``-g``
+   This option indicates that DS records for child zones should be generated from a ``dsset-`` or ``keyset-``
+   file. Existing DS records are removed.
+
+``-K directory``
+   This option specifies the directory to search for DNSSEC keys. If not
+   specified, it defaults to the current directory.
+
+``-k key``
+   This option tells BIND 9 to treat the specified key as a key-signing key, ignoring any key flags. This
+   option may be specified multiple times.
+
+``-M maxttl``
+   This option sets the maximum TTL for the signed zone. Any TTL higher than ``maxttl``
+   in the input zone is reduced to ``maxttl`` in the output. This
+   provides certainty as to the largest possible TTL in the signed zone,
+   which is useful to know when rolling keys. The maxttl is the longest
+   possible time before signatures that have been retrieved by resolvers
+   expire from resolver caches. Zones that are signed with this
+   option should be configured to use a matching ``max-zone-ttl`` in
+   ``named.conf``. (Note: This option is incompatible with ``-D``,
+   because it modifies non-DNSSEC data in the output zone.)
+
+``-s start-time``
+   This option specifies the date and time when the generated RRSIG records become
+   valid. This can be either an absolute or relative time. An absolute
+   start time is indicated by a number in YYYYMMDDHHMMSS notation;
+   20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative
+   start time is indicated by ``+N``, which is N seconds from the current
+   time. If no ``start-time`` is specified, the current time minus 1
+   hour (to allow for clock skew) is used.
+
+``-e end-time``
+   This option specifies the date and time when the generated RRSIG records expire. As
+   with ``start-time``, an absolute time is indicated in YYYYMMDDHHMMSS
+   notation. A time relative to the start time is indicated with ``+N``,
+   which is N seconds from the start time. A time relative to the
+   current time is indicated with ``now+N``. If no ``end-time`` is
+   specified, 30 days from the start time is the default.
+   ``end-time`` must be later than ``start-time``.
+
+``-X extended end-time``
+   This option specifies the date and time when the generated RRSIG records for the
+   DNSKEY RRset expire. This is to be used in cases when the DNSKEY
+   signatures need to persist longer than signatures on other records;
+   e.g., when the private component of the KSK is kept offline and the
+   KSK signature is to be refreshed manually.
+
+   As with ``end-time``, an absolute time is indicated in
+   YYYYMMDDHHMMSS notation. A time relative to the start time is
+   indicated with ``+N``, which is N seconds from the start time. A time
+   relative to the current time is indicated with ``now+N``. If no
+   ``extended end-time`` is specified, the value of ``end-time`` is used
+   as the default. (``end-time``, in turn, defaults to 30 days from the
+   start time.) ``extended end-time`` must be later than ``start-time``.
+
+``-f output-file``
+   This option indicates the name of the output file containing the signed zone. The default
+   is to append ``.signed`` to the input filename. If ``output-file`` is
+   set to ``-``, then the signed zone is written to the standard
+   output, with a default output format of ``full``.
+
+``-h``
+   This option prints a short summary of the options and arguments to
+   ``dnssec-signzone``.
+
+``-V``
+   This option prints version information.
+
+``-i interval``
+   This option indicates that, when a previously signed zone is passed as input, records may be
+   re-signed. The ``interval`` option specifies the cycle interval as an
+   offset from the current time, in seconds. If a RRSIG record expires
+   after the cycle interval, it is retained; otherwise, it is considered
+   to be expiring soon and it is replaced.
+
+   The default cycle interval is one quarter of the difference between
+   the signature end and start times. So if neither ``end-time`` nor
+   ``start-time`` is specified, ``dnssec-signzone`` generates
+   signatures that are valid for 30 days, with a cycle interval of 7.5
+   days. Therefore, if any existing RRSIG records are due to expire in
+   less than 7.5 days, they are replaced.
+
+``-I input-format``
+   This option sets the format of the input zone file. Possible formats are ``text``
+   (the default), ``raw``, and ``map``. This option is primarily
+   intended to be used for dynamic signed zones, so that the dumped zone
+   file in a non-text format containing updates can be signed directly.
+   This option is not useful for non-dynamic zones.
+
+``-j jitter``
+   When signing a zone with a fixed signature lifetime, all RRSIG
+   records issued at the time of signing expire simultaneously. If the
+   zone is incrementally signed, i.e., a previously signed zone is passed
+   as input to the signer, all expired signatures must be regenerated
+   at approximately the same time. The ``jitter`` option specifies a jitter
+   window that is used to randomize the signature expire time, thus
+   spreading incremental signature regeneration over time.
+
+   Signature lifetime jitter also, to some extent, benefits validators and
+   servers by spreading out cache expiration, i.e., if large numbers of
+   RRSIGs do not expire at the same time from all caches, there is
+   less congestion than if all validators need to refetch at around the
+   same time.
+
+``-L serial``
+   When writing a signed zone to "raw" or "map" format, this option sets the "source
+   serial" value in the header to the specified ``serial`` number. (This is
+   expected to be used primarily for testing purposes.)
+
+``-n ncpus``
+   This option specifies the number of threads to use. By default, one thread is
+   started for each detected CPU.
+
+``-N soa-serial-format``
+   This option sets the SOA serial number format of the signed zone. Possible formats are
+   ``keep`` (the default), ``increment``, ``unixtime``, and
+   ``date``.
+
+   **keep**
+      This format indicates that the SOA serial number should not be modified.
+
+   **increment**
+      This format increments the SOA serial number using :rfc:`1982` arithmetic.
+
+   **unixtime**
+      This format sets the SOA serial number to the number of seconds
+      since the beginning of the Unix epoch, unless the serial
+      number is already greater than or equal to that value, in
+      which case it is simply incremented by one.
+
+   **date**
+      This format sets the SOA serial number to today's date, in
+      YYYYMMDDNN format, unless the serial number is already greater
+      than or equal to that value, in which case it is simply
+      incremented by one.
+
+``-o origin``
+   This option sets the zone origin. If not specified, the name of the zone file is
+   assumed to be the origin.
+
+``-O output-format``
+   This option sets the format of the output file containing the signed zone. Possible
+   formats are ``text`` (the default), which is the standard textual
+   representation of the zone; ``full``, which is text output in a
+   format suitable for processing by external scripts; and ``map``,
+   ``raw``, and ``raw=N``, which store the zone in binary formats
+   for rapid loading by ``named``. ``raw=N`` specifies the format
+   version of the raw zone file: if N is 0, the raw file can be read by
+   any version of ``named``; if N is 1, the file can be read by release
+   9.9.0 or higher. The default is 1.
+
+``-P``
+   This option disables post-sign verification tests.
+
+   The post-sign verification tests ensure that for each algorithm in
+   use there is at least one non-revoked self-signed KSK key, that all
+   revoked KSK keys are self-signed, and that all records in the zone
+   are signed by the algorithm. This option skips these tests.
+
+``-Q``
+   This option removes signatures from keys that are no longer active.
+
+   Normally, when a previously signed zone is passed as input to the
+   signer, and a DNSKEY record has been removed and replaced with a new
+   one, signatures from the old key that are still within their validity
+   period are retained. This allows the zone to continue to validate
+   with cached copies of the old DNSKEY RRset. The ``-Q`` option forces
+   ``dnssec-signzone`` to remove signatures from keys that are no longer
+   active. This enables ZSK rollover using the procedure described in
+   :rfc:`4641#4.2.1.1` ("Pre-Publish Key Rollover").
+
+``-q``
+   This option enables quiet mode, which suppresses unnecessary output. Without this option, when
+   ``dnssec-signzone`` is run it prints three pieces of information to standard output: the number of
+   keys in use; the algorithms used to verify the zone was signed correctly and
+   other status information; and the filename containing the signed
+   zone. With the option that output is suppressed, leaving only the filename.
+
+``-R``
+   This option removes signatures from keys that are no longer published.
+
+   This option is similar to ``-Q``, except it forces
+   ``dnssec-signzone`` to remove signatures from keys that are no longer
+   published. This enables ZSK rollover using the procedure described in
+   :rfc:`4641#4.2.1.2` ("Double Signature Zone Signing Key
+   Rollover").
+
+``-S``
+   This option enables smart signing, which instructs ``dnssec-signzone`` to search the key
+   repository for keys that match the zone being signed, and to include
+   them in the zone if appropriate.
+
+   When a key is found, its timing metadata is examined to determine how
+   it should be used, according to the following rules. Each successive
+   rule takes priority over the prior ones:
+
+      If no timing metadata has been set for the key, the key is
+      published in the zone and used to sign the zone.
+
+      If the key's publication date is set and is in the past, the key
+      is published in the zone.
+
+      If the key's activation date is set and is in the past, the key is
+      published (regardless of publication date) and used to sign the
+      zone.
+
+      If the key's revocation date is set and is in the past, and the key
+      is published, then the key is revoked, and the revoked key is used
+      to sign the zone.
+
+      If either the key's unpublication or deletion date is set and
+      in the past, the key is NOT published or used to sign the zone,
+      regardless of any other metadata.
+
+      If the key's sync publication date is set and is in the past,
+      synchronization records (type CDS and/or CDNSKEY) are created.
+
+      If the key's sync deletion date is set and is in the past,
+      synchronization records (type CDS and/or CDNSKEY) are removed.
+
+``-T ttl``
+   This option specifies a TTL to be used for new DNSKEY records imported into the
+   zone from the key repository. If not specified, the default is the
+   TTL value from the zone's SOA record. This option is ignored when
+   signing without ``-S``, since DNSKEY records are not imported from
+   the key repository in that case. It is also ignored if there are any
+   pre-existing DNSKEY records at the zone apex, in which case new
+   records' TTL values are set to match them, or if any of the
+   imported DNSKEY records had a default TTL value. In the event of a
+   conflict between TTL values in imported keys, the shortest one is
+   used.
+
+``-t``
+   This option prints statistics at completion.
+
+``-u``
+   This option updates the NSEC/NSEC3 chain when re-signing a previously signed zone.
+   With this option, a zone signed with NSEC can be switched to NSEC3,
+   or a zone signed with NSEC3 can be switched to NSEC or to NSEC3 with
+   different parameters. Without this option, ``dnssec-signzone``
+   retains the existing chain when re-signing.
+
+``-v level``
+   This option sets the debugging level.
+
+``-x``
+   This option indicates that BIND 9 should only sign the DNSKEY, CDNSKEY, and CDS RRsets with key-signing keys,
+   and should omit signatures from zone-signing keys. (This is similar to the
+   ``dnssec-dnskey-kskonly yes;`` zone option in ``named``.)
+
+``-z``
+   This option indicates that BIND 9 should ignore the KSK flag on keys when determining what to sign. This causes
+   KSK-flagged keys to sign all records, not just the DNSKEY RRset.
+   (This is similar to the ``update-check-ksk no;`` zone option in
+   ``named``.)
+
+``-3 salt``
+   This option generates an NSEC3 chain with the given hex-encoded salt. A dash
+   (-) can be used to indicate that no salt is to be used when
+   generating the NSEC3 chain.
+
+   .. note::
+      ``-3 -`` is the recommended configuration. Adding salt provides no practical benefits.
+
+``-H iterations``
+   This option indicates that, when generating an NSEC3 chain, BIND 9 should use this many iterations. The default
+   is 10.
+
+   .. warning::
+      Values greater than 0 cause interoperability issues and also increase the risk of CPU-exhausting DoS attacks. The default value has not been changed because the best practices has changed only after BIND 9.16 reached Extended Support Version status.
+
+``-A``
+   This option indicates that, when generating an NSEC3 chain, BIND 9 should set the OPTOUT flag on all NSEC3
+   records and should not generate NSEC3 records for insecure delegations.
+
+   .. warning::
+      Do not use this option unless all its implications are fully understood. This option is intended only for extremely large zones (comparable to ``com.``) with sparse secure delegations.
+
+   Using this option twice (i.e., ``-AA``) turns the OPTOUT flag off for
+   all records. This is useful when using the ``-u`` option to modify an
+   NSEC3 chain which previously had OPTOUT set.
+
+``zonefile``
+   This option sets the file containing the zone to be signed.
+
+``key``
+   This option specifies which keys should be used to sign the zone. If no keys are
+   specified, the zone is examined for DNSKEY records at the
+   zone apex. If these records are found and there are matching private keys in
+   the current directory, they are used for signing.
+
+Example
+~~~~~~~
+
+The following command signs the ``example.com`` zone with the
+ECDSAP256SHA256 key generated by ``dnssec-keygen``
+(Kexample.com.+013+17247). Because the ``-S`` option is not being used,
+the zone's keys must be in the master file (``db.example.com``). This
+invocation looks for ``dsset`` files in the current directory, so that
+DS records can be imported from them (``-g``).
+
+::
+
+   % dnssec-signzone -g -o example.com db.example.com \
+   Kexample.com.+013+17247
+   db.example.com.signed
+   %
+
+In the above example, ``dnssec-signzone`` creates the file
+``db.example.com.signed``. This file should be referenced in a zone
+statement in the ``named.conf`` file.
+
+This example re-signs a previously signed zone with default parameters.
+The private keys are assumed to be in the current directory.
+
+::
+
+   % cp db.example.com.signed db.example.com
+   % dnssec-signzone -o example.com db.example.com
+   db.example.com.signed
+   %
+
+See Also
+~~~~~~~~
+
+:manpage:`dnssec-keygen(8)`, BIND 9 Administrator Reference Manual, :rfc:`4033`,
+:rfc:`4641`.
diff --git a/bin/dnssec/dnssec-verify.c b/bin/dnssec/dnssec-verify.c
new file mode 100644
index 0000000..85cc54b
--- /dev/null
+++ b/bin/dnssec/dnssec-verify.c
@@ -0,0 +1,366 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <stdbool.h>
+#include <stdlib.h>
+#include <time.h>
+
+#include <isc/app.h>
+#include <isc/base32.h>
+#include <isc/commandline.h>
+#include <isc/event.h>
+#include <isc/file.h>
+#include <isc/hash.h>
+#include <isc/hex.h>
+#include <isc/mem.h>
+#include <isc/mutex.h>
+#include <isc/os.h>
+#include <isc/print.h>
+#include <isc/random.h>
+#include <isc/rwlock.h>
+#include <isc/serial.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/diff.h>
+#include <dns/dnssec.h>
+#include <dns/ds.h>
+#include <dns/fixedname.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/master.h>
+#include <dns/masterdump.h>
+#include <dns/nsec.h>
+#include <dns/nsec3.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/soa.h>
+#include <dns/time.h>
+#include <dns/zoneverify.h>
+
+#include <dst/dst.h>
+
+#if USE_PKCS11
+#include <pk11/result.h>
+#endif /* if USE_PKCS11 */
+
+#include "dnssectool.h"
+
+const char *program = "dnssec-verify";
+
+static isc_stdtime_t now;
+static isc_mem_t *mctx = NULL;
+static dns_masterformat_t inputformat = dns_masterformat_text;
+static dns_db_t *gdb;		  /* The database */
+static dns_dbversion_t *gversion; /* The database version */
+static dns_rdataclass_t gclass;	  /* The class */
+static dns_name_t *gorigin;	  /* The database origin */
+static bool ignore_kskflag = false;
+static bool keyset_kskonly = false;
+
+static void
+report(const char *format, ...) {
+	if (!quiet) {
+		char buf[4096];
+		va_list args;
+
+		va_start(args, format);
+		vsnprintf(buf, sizeof(buf), format, args);
+		va_end(args);
+		fprintf(stdout, "%s\n", buf);
+	}
+}
+
+/*%
+ * Load the zone file from disk
+ */
+static void
+loadzone(char *file, char *origin, dns_rdataclass_t rdclass, dns_db_t **db) {
+	isc_buffer_t b;
+	int len;
+	dns_fixedname_t fname;
+	dns_name_t *name;
+	isc_result_t result;
+
+	len = strlen(origin);
+	isc_buffer_init(&b, origin, len);
+	isc_buffer_add(&b, len);
+
+	name = dns_fixedname_initname(&fname);
+	result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		fatal("failed converting name '%s' to dns format: %s", origin,
+		      isc_result_totext(result));
+	}
+
+	result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone, rdclass, 0,
+			       NULL, db);
+	check_result(result, "dns_db_create()");
+
+	result = dns_db_load(*db, file, inputformat, 0);
+	switch (result) {
+	case DNS_R_SEENINCLUDE:
+	case ISC_R_SUCCESS:
+		break;
+	case DNS_R_NOTZONETOP:
+		/*
+		 * Comparing pointers (vs. using strcmp()) is intentional: we
+		 * want to check whether -o was supplied on the command line,
+		 * not whether origin and file contain the same string.
+		 */
+		if (origin == file) {
+			fatal("failed loading zone '%s' from file '%s': "
+			      "use -o to specify a different zone origin",
+			      origin, file);
+		}
+		FALLTHROUGH;
+	default:
+		fatal("failed loading zone from '%s': %s", file,
+		      isc_result_totext(result));
+	}
+}
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(void) {
+	fprintf(stderr, "Usage:\n");
+	fprintf(stderr, "\t%s [options] zonefile [keys]\n", program);
+
+	fprintf(stderr, "\n");
+
+	fprintf(stderr, "Version: %s\n", VERSION);
+
+	fprintf(stderr, "Options: (default value in parenthesis) \n");
+	fprintf(stderr, "\t-v debuglevel (0)\n");
+	fprintf(stderr, "\t-q quiet\n");
+	fprintf(stderr, "\t-V:\tprint version information\n");
+	fprintf(stderr, "\t-o origin:\n");
+	fprintf(stderr, "\t\tzone origin (name of zonefile)\n");
+	fprintf(stderr, "\t-I format:\n");
+	fprintf(stderr, "\t\tfile format of input zonefile (text)\n");
+	fprintf(stderr, "\t-c class (IN)\n");
+	fprintf(stderr, "\t-E engine:\n");
+#if USE_PKCS11
+	fprintf(stderr,
+		"\t\tpath to PKCS#11 provider library "
+		"(default is %s)\n",
+		PK11_LIB_LOCATION);
+#else  /* if USE_PKCS11 */
+	fprintf(stderr, "\t\tname of an OpenSSL engine to use\n");
+#endif /* if USE_PKCS11 */
+	fprintf(stderr, "\t-x:\tDNSKEY record signed with KSKs only, "
+			"not ZSKs\n");
+	fprintf(stderr, "\t-z:\tAll records signed with KSKs\n");
+	exit(0);
+}
+
+int
+main(int argc, char *argv[]) {
+	char *origin = NULL, *file = NULL;
+	char *inputformatstr = NULL;
+	isc_result_t result;
+	isc_log_t *log = NULL;
+	const char *engine = NULL;
+	char *classname = NULL;
+	dns_rdataclass_t rdclass;
+	char *endp;
+	int ch;
+
+#define CMDLINE_FLAGS "c:E:hm:o:I:qv:Vxz"
+
+	/*
+	 * Process memory debugging argument first.
+	 */
+	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
+		switch (ch) {
+		case 'm':
+			if (strcasecmp(isc_commandline_argument, "record") == 0)
+			{
+				isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
+			}
+			if (strcasecmp(isc_commandline_argument, "trace") == 0)
+			{
+				isc_mem_debugging |= ISC_MEM_DEBUGTRACE;
+			}
+			if (strcasecmp(isc_commandline_argument, "usage") == 0)
+			{
+				isc_mem_debugging |= ISC_MEM_DEBUGUSAGE;
+			}
+			if (strcasecmp(isc_commandline_argument, "size") == 0) {
+				isc_mem_debugging |= ISC_MEM_DEBUGSIZE;
+			}
+			if (strcasecmp(isc_commandline_argument, "mctx") == 0) {
+				isc_mem_debugging |= ISC_MEM_DEBUGCTX;
+			}
+			break;
+		default:
+			break;
+		}
+	}
+	isc_commandline_reset = true;
+	check_result(isc_app_start(), "isc_app_start");
+
+	isc_mem_create(&mctx);
+
+#if USE_PKCS11
+	pk11_result_register();
+#endif /* if USE_PKCS11 */
+	dns_result_register();
+
+	isc_commandline_errprint = false;
+
+	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
+		switch (ch) {
+		case 'c':
+			classname = isc_commandline_argument;
+			break;
+
+		case 'E':
+			engine = isc_commandline_argument;
+			break;
+
+		case 'I':
+			inputformatstr = isc_commandline_argument;
+			break;
+
+		case 'm':
+			break;
+
+		case 'o':
+			origin = isc_commandline_argument;
+			break;
+
+		case 'v':
+			endp = NULL;
+			verbose = strtol(isc_commandline_argument, &endp, 0);
+			if (*endp != '\0') {
+				fatal("verbose level must be numeric");
+			}
+			break;
+
+		case 'q':
+			quiet = true;
+			break;
+
+		case 'x':
+			keyset_kskonly = true;
+			break;
+
+		case 'z':
+			ignore_kskflag = true;
+			break;
+
+		case '?':
+			if (isc_commandline_option != '?') {
+				fprintf(stderr, "%s: invalid argument -%c\n",
+					program, isc_commandline_option);
+			}
+			FALLTHROUGH;
+
+		case 'h':
+			/* Does not return. */
+			usage();
+
+		case 'V':
+			/* Does not return. */
+			version(program);
+
+		default:
+			fprintf(stderr, "%s: unhandled option -%c\n", program,
+				isc_commandline_option);
+			exit(1);
+		}
+	}
+
+	result = dst_lib_init(mctx, engine);
+	if (result != ISC_R_SUCCESS) {
+		fatal("could not initialize dst: %s",
+		      isc_result_totext(result));
+	}
+
+	isc_stdtime_get(&now);
+
+	rdclass = strtoclass(classname);
+
+	setup_logging(mctx, &log);
+
+	argc -= isc_commandline_index;
+	argv += isc_commandline_index;
+
+	if (argc < 1) {
+		usage();
+	}
+
+	file = argv[0];
+
+	argc -= 1;
+	argv += 1;
+
+	POST(argc);
+	POST(argv);
+
+	if (origin == NULL) {
+		origin = file;
+	}
+
+	if (inputformatstr != NULL) {
+		if (strcasecmp(inputformatstr, "text") == 0) {
+			inputformat = dns_masterformat_text;
+		} else if (strcasecmp(inputformatstr, "raw") == 0) {
+			inputformat = dns_masterformat_raw;
+		} else {
+			fatal("unknown file format: %s\n", inputformatstr);
+		}
+	}
+
+	gdb = NULL;
+	report("Loading zone '%s' from file '%s'\n", origin, file);
+	loadzone(file, origin, rdclass, &gdb);
+	gorigin = dns_db_origin(gdb);
+	gclass = dns_db_class(gdb);
+
+	gversion = NULL;
+	result = dns_db_newversion(gdb, &gversion);
+	check_result(result, "dns_db_newversion()");
+
+	result = dns_zoneverify_dnssec(NULL, gdb, gversion, gorigin, NULL, mctx,
+				       ignore_kskflag, keyset_kskonly, report);
+
+	dns_db_closeversion(gdb, &gversion, false);
+	dns_db_detach(&gdb);
+
+	cleanup_logging(&log);
+	dst_lib_destroy();
+	if (verbose > 10) {
+		isc_mem_stats(mctx, stdout);
+	}
+	isc_mem_destroy(&mctx);
+
+	(void)isc_app_finish();
+
+	return (result == ISC_R_SUCCESS ? 0 : 1);
+}
diff --git a/bin/dnssec/dnssec-verify.rst b/bin/dnssec/dnssec-verify.rst
new file mode 100644
index 0000000..4a0c8e7
--- /dev/null
+++ b/bin/dnssec/dnssec-verify.rst
@@ -0,0 +1,98 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. highlight: console
+
+.. _man_dnssec-verify:
+
+dnssec-verify - DNSSEC zone verification tool
+---------------------------------------------
+
+Synopsis
+~~~~~~~~
+
+:program:`dnssec-verify` [**-c** class] [**-E** engine] [**-I** input-format] [**-o** origin] [**-q**] [**-v** level] [**-V**] [**-x**] [**-z**] {zonefile}
+
+Description
+~~~~~~~~~~~
+
+``dnssec-verify`` verifies that a zone is fully signed for each
+algorithm found in the DNSKEY RRset for the zone, and that the
+NSEC/NSEC3 chains are complete.
+
+Options
+~~~~~~~
+
+``-c class``
+   This option specifies the DNS class of the zone.
+
+``-E engine``
+   This option specifies the cryptographic hardware to use, when applicable.
+
+   When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+   engine identifier that drives the cryptographic accelerator or
+   hardware service module (usually ``pkcs11``). When BIND is
+   built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
+   defaults to the path of the PKCS#11 provider library specified via
+   ``--with-pkcs11``.
+
+``-I input-format``
+   This option sets the format of the input zone file. Possible formats are ``text``
+   (the default) and ``raw``. This option is primarily intended to be used
+   for dynamic signed zones, so that the dumped zone file in a non-text
+   format containing updates can be verified independently.
+   This option is not useful for non-dynamic zones.
+
+``-o origin``
+   This option indicates the zone origin. If not specified, the name of the zone file is
+   assumed to be the origin.
+
+``-v level``
+   This option sets the debugging level.
+
+``-V``
+   This option prints version information.
+
+``-q``
+   This option sets quiet mode, which suppresses output.  Without this option, when ``dnssec-verify``
+   is run it prints to standard output the number of keys in use, the
+   algorithms used to verify the zone was signed correctly, and other status
+   information.  With this option, all non-error output is suppressed, and only the exit
+   code indicates success.
+
+``-x``
+   This option verifies only that the DNSKEY RRset is signed with key-signing keys.
+   Without this flag, it is assumed that the DNSKEY RRset is signed
+   by all active keys. When this flag is set, it is not an error if
+   the DNSKEY RRset is not signed by zone-signing keys. This corresponds
+   to the ``-x`` option in ``dnssec-signzone``.
+
+``-z``
+   This option indicates that the KSK flag on the keys should be ignored when determining whether the zone is
+   correctly signed. Without this flag, it is assumed that there is
+   a non-revoked, self-signed DNSKEY with the KSK flag set for each
+   algorithm, and that RRsets other than DNSKEY RRset are signed with
+   a different DNSKEY without the KSK flag set.
+
+   With this flag set, BIND 9 only requires that for each algorithm, there
+   be at least one non-revoked, self-signed DNSKEY, regardless of
+   the KSK flag state, and that other RRsets be signed by a
+   non-revoked key for the same algorithm that includes the self-signed
+   key; the same key may be used for both purposes. This corresponds to
+   the ``-z`` option in ``dnssec-signzone``.
+
+``zonefile``
+   This option indicates the file containing the zone to be signed.
+
+See Also
+~~~~~~~~
+
+:manpage:`dnssec-signzone(8)`, BIND 9 Administrator Reference Manual, :rfc:`4033`.
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
new file mode 100644
index 0000000..ce903ca
--- /dev/null
+++ b/bin/dnssec/dnssectool.c
@@ -0,0 +1,594 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+/*%
+ * DNSSEC Support Routines.
+ */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#ifdef _WIN32
+#include <Winsock2.h>
+#endif /* ifdef _WIN32 */
+
+#include <isc/base32.h>
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/dir.h>
+#include <isc/file.h>
+#include <isc/heap.h>
+#include <isc/list.h>
+#include <isc/mem.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/dnssec.h>
+#include <dns/fixedname.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/name.h>
+#include <dns/nsec.h>
+#include <dns/nsec3.h>
+#include <dns/rdataclass.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/secalg.h>
+#include <dns/time.h>
+
+#include "dnssectool.h"
+
+#define KEYSTATES_NVALUES 4
+static const char *keystates[KEYSTATES_NVALUES] = {
+	"hidden",
+	"rumoured",
+	"omnipresent",
+	"unretentive",
+};
+
+int verbose = 0;
+bool quiet = false;
+uint8_t dtype[8];
+
+static fatalcallback_t *fatalcallback = NULL;
+
+void
+fatal(const char *format, ...) {
+	va_list args;
+
+	fprintf(stderr, "%s: fatal: ", program);
+	va_start(args, format);
+	vfprintf(stderr, format, args);
+	va_end(args);
+	fprintf(stderr, "\n");
+	if (fatalcallback != NULL) {
+		(*fatalcallback)();
+	}
+	exit(1);
+}
+
+void
+setfatalcallback(fatalcallback_t *callback) {
+	fatalcallback = callback;
+}
+
+void
+check_result(isc_result_t result, const char *message) {
+	if (result != ISC_R_SUCCESS) {
+		fatal("%s: %s", message, isc_result_totext(result));
+	}
+}
+
+void
+vbprintf(int level, const char *fmt, ...) {
+	va_list ap;
+	if (level > verbose) {
+		return;
+	}
+	va_start(ap, fmt);
+	fprintf(stderr, "%s: ", program);
+	vfprintf(stderr, fmt, ap);
+	va_end(ap);
+}
+
+void
+version(const char *name) {
+	fprintf(stderr, "%s %s\n", name, VERSION);
+	exit(0);
+}
+
+void
+sig_format(dns_rdata_rrsig_t *sig, char *cp, unsigned int size) {
+	char namestr[DNS_NAME_FORMATSIZE];
+	char algstr[DNS_NAME_FORMATSIZE];
+
+	dns_name_format(&sig->signer, namestr, sizeof(namestr));
+	dns_secalg_format(sig->algorithm, algstr, sizeof(algstr));
+	snprintf(cp, size, "%s/%s/%d", namestr, algstr, sig->keyid);
+}
+
+void
+setup_logging(isc_mem_t *mctx, isc_log_t **logp) {
+	isc_logdestination_t destination;
+	isc_logconfig_t *logconfig = NULL;
+	isc_log_t *log = NULL;
+	int level;
+
+	if (verbose < 0) {
+		verbose = 0;
+	}
+	switch (verbose) {
+	case 0:
+		/*
+		 * We want to see warnings about things like out-of-zone
+		 * data in the master file even when not verbose.
+		 */
+		level = ISC_LOG_WARNING;
+		break;
+	case 1:
+		level = ISC_LOG_INFO;
+		break;
+	default:
+		level = ISC_LOG_DEBUG(verbose - 2 + 1);
+		break;
+	}
+
+	isc_log_create(mctx, &log, &logconfig);
+	isc_log_setcontext(log);
+	dns_log_init(log);
+	dns_log_setcontext(log);
+	isc_log_settag(logconfig, program);
+
+	/*
+	 * Set up a channel similar to default_stderr except:
+	 *  - the logging level is passed in
+	 *  - the program name and logging level are printed
+	 *  - no time stamp is printed
+	 */
+	destination.file.stream = stderr;
+	destination.file.name = NULL;
+	destination.file.versions = ISC_LOG_ROLLNEVER;
+	destination.file.maximum_size = 0;
+	isc_log_createchannel(logconfig, "stderr", ISC_LOG_TOFILEDESC, level,
+			      &destination,
+			      ISC_LOG_PRINTTAG | ISC_LOG_PRINTLEVEL);
+
+	RUNTIME_CHECK(isc_log_usechannel(logconfig, "stderr", NULL, NULL) ==
+		      ISC_R_SUCCESS);
+
+	*logp = log;
+}
+
+void
+cleanup_logging(isc_log_t **logp) {
+	isc_log_t *log;
+
+	REQUIRE(logp != NULL);
+
+	log = *logp;
+	*logp = NULL;
+
+	if (log == NULL) {
+		return;
+	}
+
+	isc_log_destroy(&log);
+	isc_log_setcontext(NULL);
+	dns_log_setcontext(NULL);
+}
+
+static isc_stdtime_t
+time_units(isc_stdtime_t offset, char *suffix, const char *str) {
+	switch (suffix[0]) {
+	case 'Y':
+	case 'y':
+		return (offset * (365 * 24 * 3600));
+	case 'M':
+	case 'm':
+		switch (suffix[1]) {
+		case 'O':
+		case 'o':
+			return (offset * (30 * 24 * 3600));
+		case 'I':
+		case 'i':
+			return (offset * 60);
+		case '\0':
+			fatal("'%s' ambiguous: use 'mi' for minutes "
+			      "or 'mo' for months",
+			      str);
+		default:
+			fatal("time value %s is invalid", str);
+		}
+		UNREACHABLE();
+		break;
+	case 'W':
+	case 'w':
+		return (offset * (7 * 24 * 3600));
+	case 'D':
+	case 'd':
+		return (offset * (24 * 3600));
+	case 'H':
+	case 'h':
+		return (offset * 3600);
+	case 'S':
+	case 's':
+	case '\0':
+		return (offset);
+	default:
+		fatal("time value %s is invalid", str);
+	}
+	UNREACHABLE();
+	return (0); /* silence compiler warning */
+}
+
+static bool
+isnone(const char *str) {
+	return ((strcasecmp(str, "none") == 0) ||
+		(strcasecmp(str, "never") == 0));
+}
+
+dns_ttl_t
+strtottl(const char *str) {
+	const char *orig = str;
+	dns_ttl_t ttl;
+	char *endp;
+
+	if (isnone(str)) {
+		return ((dns_ttl_t)0);
+	}
+
+	ttl = strtol(str, &endp, 0);
+	if (ttl == 0 && endp == str) {
+		fatal("TTL must be numeric");
+	}
+	ttl = time_units(ttl, endp, orig);
+	return (ttl);
+}
+
+dst_key_state_t
+strtokeystate(const char *str) {
+	if (isnone(str)) {
+		return (DST_KEY_STATE_NA);
+	}
+
+	for (int i = 0; i < KEYSTATES_NVALUES; i++) {
+		if (keystates[i] != NULL && strcasecmp(str, keystates[i]) == 0)
+		{
+			return ((dst_key_state_t)i);
+		}
+	}
+	fatal("unknown key state %s", str);
+}
+
+isc_stdtime_t
+strtotime(const char *str, int64_t now, int64_t base, bool *setp) {
+	int64_t val, offset;
+	isc_result_t result;
+	const char *orig = str;
+	char *endp;
+	size_t n;
+
+	if (isnone(str)) {
+		if (setp != NULL) {
+			*setp = false;
+		}
+		return ((isc_stdtime_t)0);
+	}
+
+	if (setp != NULL) {
+		*setp = true;
+	}
+
+	if ((str[0] == '0' || str[0] == '-') && str[1] == '\0') {
+		return ((isc_stdtime_t)0);
+	}
+
+	/*
+	 * We accept times in the following formats:
+	 *   now([+-]offset)
+	 *   YYYYMMDD([+-]offset)
+	 *   YYYYMMDDhhmmss([+-]offset)
+	 *   [+-]offset
+	 */
+	n = strspn(str, "0123456789");
+	if ((n == 8u || n == 14u) &&
+	    (str[n] == '\0' || str[n] == '-' || str[n] == '+'))
+	{
+		char timestr[15];
+
+		strlcpy(timestr, str, sizeof(timestr));
+		timestr[n] = 0;
+		if (n == 8u) {
+			strlcat(timestr, "000000", sizeof(timestr));
+		}
+		result = dns_time64_fromtext(timestr, &val);
+		if (result != ISC_R_SUCCESS) {
+			fatal("time value %s is invalid: %s", orig,
+			      isc_result_totext(result));
+		}
+		base = val;
+		str += n;
+	} else if (strncmp(str, "now", 3) == 0) {
+		base = now;
+		str += 3;
+	}
+
+	if (str[0] == '\0') {
+		return ((isc_stdtime_t)base);
+	} else if (str[0] == '+') {
+		offset = strtol(str + 1, &endp, 0);
+		offset = time_units((isc_stdtime_t)offset, endp, orig);
+		val = base + offset;
+	} else if (str[0] == '-') {
+		offset = strtol(str + 1, &endp, 0);
+		offset = time_units((isc_stdtime_t)offset, endp, orig);
+		val = base - offset;
+	} else {
+		fatal("time value %s is invalid", orig);
+	}
+
+	return ((isc_stdtime_t)val);
+}
+
+dns_rdataclass_t
+strtoclass(const char *str) {
+	isc_textregion_t r;
+	dns_rdataclass_t rdclass;
+	isc_result_t result;
+
+	if (str == NULL) {
+		return (dns_rdataclass_in);
+	}
+	DE_CONST(str, r.base);
+	r.length = strlen(str);
+	result = dns_rdataclass_fromtext(&rdclass, &r);
+	if (result != ISC_R_SUCCESS) {
+		fatal("unknown class %s", str);
+	}
+	return (rdclass);
+}
+
+unsigned int
+strtodsdigest(const char *str) {
+	isc_textregion_t r;
+	dns_dsdigest_t alg;
+	isc_result_t result;
+
+	DE_CONST(str, r.base);
+	r.length = strlen(str);
+	result = dns_dsdigest_fromtext(&alg, &r);
+	if (result != ISC_R_SUCCESS) {
+		fatal("unknown DS algorithm %s", str);
+	}
+	return (alg);
+}
+
+static int
+cmp_dtype(const void *ap, const void *bp) {
+	int a = *(const uint8_t *)ap;
+	int b = *(const uint8_t *)bp;
+	return (a - b);
+}
+
+void
+add_dtype(unsigned int dt) {
+	unsigned i, n;
+
+	/* ensure there is space for a zero terminator */
+	n = sizeof(dtype) / sizeof(dtype[0]) - 1;
+	for (i = 0; i < n; i++) {
+		if (dtype[i] == dt) {
+			return;
+		}
+		if (dtype[i] == 0) {
+			dtype[i] = dt;
+			qsort(dtype, i + 1, 1, cmp_dtype);
+			return;
+		}
+	}
+	fatal("too many -a digest type arguments");
+}
+
+isc_result_t
+try_dir(const char *dirname) {
+	isc_result_t result;
+	isc_dir_t d;
+
+	isc_dir_init(&d);
+	result = isc_dir_open(&d, dirname);
+	if (result == ISC_R_SUCCESS) {
+		isc_dir_close(&d);
+	}
+	return (result);
+}
+
+/*
+ * Check private key version compatibility.
+ */
+void
+check_keyversion(dst_key_t *key, char *keystr) {
+	int major, minor;
+	dst_key_getprivateformat(key, &major, &minor);
+	INSIST(major <= DST_MAJOR_VERSION); /* invalid private key */
+
+	if (major < DST_MAJOR_VERSION || minor < DST_MINOR_VERSION) {
+		fatal("Key %s has incompatible format version %d.%d, "
+		      "use -f to force upgrade to new version.",
+		      keystr, major, minor);
+	}
+	if (minor > DST_MINOR_VERSION) {
+		fatal("Key %s has incompatible format version %d.%d, "
+		      "use -f to force downgrade to current version.",
+		      keystr, major, minor);
+	}
+}
+
+void
+set_keyversion(dst_key_t *key) {
+	int major, minor;
+	dst_key_getprivateformat(key, &major, &minor);
+	INSIST(major <= DST_MAJOR_VERSION);
+
+	if (major != DST_MAJOR_VERSION || minor != DST_MINOR_VERSION) {
+		dst_key_setprivateformat(key, DST_MAJOR_VERSION,
+					 DST_MINOR_VERSION);
+	}
+
+	/*
+	 * If the key is from a version older than 1.3, set
+	 * set the creation date
+	 */
+	if (major < 1 || (major == 1 && minor <= 2)) {
+		isc_stdtime_t now;
+		isc_stdtime_get(&now);
+		dst_key_settime(key, DST_TIME_CREATED, now);
+	}
+}
+
+bool
+key_collision(dst_key_t *dstkey, dns_name_t *name, const char *dir,
+	      isc_mem_t *mctx, bool *exact) {
+	isc_result_t result;
+	bool conflict = false;
+	dns_dnsseckeylist_t matchkeys;
+	dns_dnsseckey_t *key = NULL;
+	uint16_t id, oldid;
+	uint32_t rid, roldid;
+	dns_secalg_t alg;
+	char filename[NAME_MAX];
+	isc_buffer_t fileb;
+	isc_stdtime_t now;
+
+	if (exact != NULL) {
+		*exact = false;
+	}
+
+	id = dst_key_id(dstkey);
+	rid = dst_key_rid(dstkey);
+	alg = dst_key_alg(dstkey);
+
+	/*
+	 * For Diffie Hellman just check if there is a direct collision as
+	 * they can't be revoked.  Additionally dns_dnssec_findmatchingkeys
+	 * only handles DNSKEY which is not used for HMAC.
+	 */
+	if (alg == DST_ALG_DH) {
+		isc_buffer_init(&fileb, filename, sizeof(filename));
+		result = dst_key_buildfilename(dstkey, DST_TYPE_PRIVATE, dir,
+					       &fileb);
+		if (result != ISC_R_SUCCESS) {
+			return (true);
+		}
+		return (isc_file_exists(filename));
+	}
+
+	ISC_LIST_INIT(matchkeys);
+	isc_stdtime_get(&now);
+	result = dns_dnssec_findmatchingkeys(name, dir, now, mctx, &matchkeys);
+	if (result == ISC_R_NOTFOUND) {
+		return (false);
+	}
+
+	while (!ISC_LIST_EMPTY(matchkeys) && !conflict) {
+		key = ISC_LIST_HEAD(matchkeys);
+		if (dst_key_alg(key->key) != alg) {
+			goto next;
+		}
+
+		oldid = dst_key_id(key->key);
+		roldid = dst_key_rid(key->key);
+
+		if (oldid == rid || roldid == id || id == oldid) {
+			conflict = true;
+			if (id != oldid) {
+				if (verbose > 1) {
+					fprintf(stderr,
+						"Key ID %d could "
+						"collide with %d\n",
+						id, oldid);
+				}
+			} else {
+				if (exact != NULL) {
+					*exact = true;
+				}
+				if (verbose > 1) {
+					fprintf(stderr, "Key ID %d exists\n",
+						id);
+				}
+			}
+		}
+
+	next:
+		ISC_LIST_UNLINK(matchkeys, key, link);
+		dns_dnsseckey_destroy(mctx, &key);
+	}
+
+	/* Finish freeing the list */
+	while (!ISC_LIST_EMPTY(matchkeys)) {
+		key = ISC_LIST_HEAD(matchkeys);
+		ISC_LIST_UNLINK(matchkeys, key, link);
+		dns_dnsseckey_destroy(mctx, &key);
+	}
+
+	return (conflict);
+}
+
+bool
+isoptarg(const char *arg, char **argv, void (*usage)(void)) {
+	if (!strcasecmp(isc_commandline_argument, arg)) {
+		if (argv[isc_commandline_index] == NULL) {
+			fprintf(stderr, "%s: missing argument -%c %s\n",
+				program, isc_commandline_option,
+				isc_commandline_argument);
+			usage();
+		}
+		isc_commandline_argument = argv[isc_commandline_index];
+		/* skip to next argument */
+		isc_commandline_index++;
+		return (true);
+	}
+	return (false);
+}
+
+#ifdef _WIN32
+void
+InitSockets(void) {
+	WORD wVersionRequested;
+	WSADATA wsaData;
+	int err;
+
+	wVersionRequested = MAKEWORD(2, 0);
+
+	err = WSAStartup(wVersionRequested, &wsaData);
+	if (err != 0) {
+		fprintf(stderr, "WSAStartup() failed: %d\n", err);
+		exit(1);
+	}
+}
+
+void
+DestroySockets(void) {
+	WSACleanup();
+}
+#endif /* ifdef _WIN32 */
diff --git a/bin/dnssec/dnssectool.h b/bin/dnssec/dnssectool.h
new file mode 100644
index 0000000..4ce8490
--- /dev/null
+++ b/bin/dnssec/dnssectool.h
@@ -0,0 +1,119 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNSSECTOOL_H
+#define DNSSECTOOL_H 1
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/log.h>
+#include <isc/platform.h>
+#include <isc/stdtime.h>
+
+#include <dns/rdatastruct.h>
+
+#include <dst/dst.h>
+
+/*! verbosity: set by -v and -q option in each program, defined in dnssectool.c
+ */
+extern int verbose;
+extern bool quiet;
+
+/*! program name, statically initialized in each program */
+extern const char *program;
+
+/*!
+ * List of DS digest types used by dnssec-cds and dnssec-dsfromkey,
+ * defined in dnssectool.c. Filled in by add_dtype() from -a
+ * arguments, sorted (so that DS records are in a canonical order) and
+ * terminated by a zero. The size of the array is an arbitrary limit
+ * which should be greater than the number of known digest types.
+ */
+extern uint8_t dtype[8];
+
+typedef void(fatalcallback_t)(void);
+
+#ifndef CPPCHECK
+ISC_PLATFORM_NORETURN_PRE void
+fatal(const char *format, ...)
+	ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
+#else /* CPPCHECK */
+#define fatal(...) exit(1)
+#endif
+
+void
+setfatalcallback(fatalcallback_t *callback);
+
+void
+check_result(isc_result_t result, const char *message);
+
+void
+vbprintf(int level, const char *fmt, ...) ISC_FORMAT_PRINTF(2, 3);
+
+ISC_PLATFORM_NORETURN_PRE void
+version(const char *program) ISC_PLATFORM_NORETURN_POST;
+
+void
+sig_format(dns_rdata_rrsig_t *sig, char *cp, unsigned int size);
+#define SIG_FORMATSIZE \
+	(DNS_NAME_FORMATSIZE + DNS_SECALG_FORMATSIZE + sizeof("65535"))
+
+void
+setup_logging(isc_mem_t *mctx, isc_log_t **logp);
+
+void
+cleanup_logging(isc_log_t **logp);
+
+dns_ttl_t
+strtottl(const char *str);
+
+dst_key_state_t
+strtokeystate(const char *str);
+
+isc_stdtime_t
+strtotime(const char *str, int64_t now, int64_t base, bool *setp);
+
+dns_rdataclass_t
+strtoclass(const char *str);
+
+unsigned int
+strtodsdigest(const char *str);
+
+void
+add_dtype(unsigned int dt);
+
+isc_result_t
+try_dir(const char *dirname);
+
+void
+check_keyversion(dst_key_t *key, char *keystr);
+
+void
+set_keyversion(dst_key_t *key);
+
+bool
+key_collision(dst_key_t *key, dns_name_t *name, const char *dir,
+	      isc_mem_t *mctx, bool *exact);
+
+bool
+isoptarg(const char *arg, char **argv, void (*usage)(void));
+
+#ifdef _WIN32
+void
+InitSockets(void);
+void
+DestroySockets(void);
+#endif /* ifdef _WIN32 */
+
+#endif /* DNSSEC_DNSSECTOOL_H */
diff --git a/bin/dnssec/win32/cds.vcxproj.filters.in b/bin/dnssec/win32/cds.vcxproj.filters.in
new file mode 100644
index 0000000..b6893db
--- /dev/null
+++ b/bin/dnssec/win32/cds.vcxproj.filters.in
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\dnssec-cds.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
diff --git a/bin/dnssec/win32/cds.vcxproj.in b/bin/dnssec/win32/cds.vcxproj.in
new file mode 100644
index 0000000..0a543eb
--- /dev/null
+++ b/bin/dnssec/win32/cds.vcxproj.in
@@ -0,0 +1,121 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{0EB1727E-2BBD-47A6-AD12-418F9DEB0531}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>cds</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+    <TargetName>dnssec-$(ProjectName)</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+    <TargetName>dnssec-$(ProjectName)</TargetName>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@dnssectool.lib;libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@dnssectool.lib;libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\dnssec-cds.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/dnssec/win32/cds.vcxproj.user b/bin/dnssec/win32/cds.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/dnssec/win32/cds.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/dnssec/win32/dnssectool.vcxproj.filters.in b/bin/dnssec/win32/dnssectool.vcxproj.filters.in
new file mode 100644
index 0000000..1743f84
--- /dev/null
+++ b/bin/dnssec/win32/dnssectool.vcxproj.filters.in
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\dnssectool.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\dnssectool.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/dnssec/win32/dnssectool.vcxproj.in b/bin/dnssec/win32/dnssectool.vcxproj.in
new file mode 100644
index 0000000..be87bca
--- /dev/null
+++ b/bin/dnssec/win32/dnssectool.vcxproj.in
@@ -0,0 +1,118 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\dnssectool.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\dnssectool.c" />
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{2CB7DC75-023B-4AA3-AF3A-AE5046A4EE70}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>dnssectool</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <OutDir>.\$(Configuration)\</OutDir>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <OutDir>.\$(Configuration)\</OutDir>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <LinkTimeCodeGeneration>false</LinkTimeCodeGeneration>
+    </Link>
+  </ItemDefinitionGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/dnssec/win32/dnssectool.vcxproj.user b/bin/dnssec/win32/dnssectool.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/dnssec/win32/dnssectool.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/dnssec/win32/dsfromkey.vcxproj.filters.in b/bin/dnssec/win32/dsfromkey.vcxproj.filters.in
new file mode 100644
index 0000000..7d0a58e
--- /dev/null
+++ b/bin/dnssec/win32/dsfromkey.vcxproj.filters.in
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\dnssec-dsfromkey.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/dnssec/win32/dsfromkey.vcxproj.in b/bin/dnssec/win32/dsfromkey.vcxproj.in
new file mode 100644
index 0000000..5b2b51d
--- /dev/null
+++ b/bin/dnssec/win32/dsfromkey.vcxproj.in
@@ -0,0 +1,147 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{6E6297F4-69D7-4533-85E1-BD17C30017C8}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>dsfromkey</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+    <TargetName>dnssec-$(ProjectName)</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+    <TargetName>dnssec-$(ProjectName)</TargetName>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@dnssectool.lib;libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+@IF PYTHON
+    <PostBuildEvent>
+      <Command>cd ..\..\python
+copy /Y dnssec-checkds.py ..\..\Build\$(Configuration)\dnssec-checkds.py
+copy /Y dnssec-coverage.py ..\..\Build\$(Configuration)\dnssec-coverage.py
+copy /Y dnssec-keymgr.py ..\..\Build\$(Configuration)\dnssec-keymgr.py
+cd isc
+@PYTHON@ policy.py parse \dev\nul > nul
+set PYTHONPATH=.
+@PYTHON@ -m parsetab
+</Command>
+    </PostBuildEvent>
+@END PYTHON
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@dnssectool.lib;libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+@IF PYTHON
+    <PostBuildEvent>
+      <Command>cd ..\..\python
+copy /Y dnssec-checkds.py ..\..\Build\$(Configuration)\dnssec-checkds.py
+copy /Y dnssec-coverage.py ..\..\Build\$(Configuration)\dnssec-coverage.py
+copy /Y dnssec-keymgr.py ..\..\Build\$(Configuration)\dnssec-keymgr.py
+cd isc
+@PYTHON@ policy.py parse \dev\nul > nul
+set PYTHONPATH=.
+@PYTHON@ -m parsetab
+</Command>
+    </PostBuildEvent>
+@END PYTHON
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\dnssec-dsfromkey.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/dnssec/win32/dsfromkey.vcxproj.user b/bin/dnssec/win32/dsfromkey.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/dnssec/win32/dsfromkey.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/dnssec/win32/importkey.vcxproj.filters.in b/bin/dnssec/win32/importkey.vcxproj.filters.in
new file mode 100644
index 0000000..0bced36
--- /dev/null
+++ b/bin/dnssec/win32/importkey.vcxproj.filters.in
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\dnssec-importkey.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
diff --git a/bin/dnssec/win32/importkey.vcxproj.in b/bin/dnssec/win32/importkey.vcxproj.in
new file mode 100644
index 0000000..f1d10d0
--- /dev/null
+++ b/bin/dnssec/win32/importkey.vcxproj.in
@@ -0,0 +1,121 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{AB6690A0-055E-458f-BAC5-BF38BCC5834F}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>importkey</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+    <TargetName>dnssec-$(ProjectName)</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+    <TargetName>dnssec-$(ProjectName)</TargetName>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@dnssectool.lib;libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@dnssectool.lib;libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\dnssec-importkey.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/dnssec/win32/importkey.vcxproj.user b/bin/dnssec/win32/importkey.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/dnssec/win32/importkey.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/dnssec/win32/keyfromlabel.vcxproj.filters.in b/bin/dnssec/win32/keyfromlabel.vcxproj.filters.in
new file mode 100644
index 0000000..bb54f81
--- /dev/null
+++ b/bin/dnssec/win32/keyfromlabel.vcxproj.filters.in
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\dnssec-keyfromlabel.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/dnssec/win32/keyfromlabel.vcxproj.in b/bin/dnssec/win32/keyfromlabel.vcxproj.in
new file mode 100644
index 0000000..496e2b9
--- /dev/null
+++ b/bin/dnssec/win32/keyfromlabel.vcxproj.in
@@ -0,0 +1,121 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{17455DC6-5FBB-47C3-8F44-7DB574A188D3}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>keyfromlabel</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+    <TargetName>dnssec-$(ProjectName)</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+    <TargetName>dnssec-$(ProjectName)</TargetName>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@dnssectool.lib;libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@dnssectool.lib;libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\dnssec-keyfromlabel.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/dnssec/win32/keyfromlabel.vcxproj.user b/bin/dnssec/win32/keyfromlabel.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/dnssec/win32/keyfromlabel.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/dnssec/win32/keygen.vcxproj.filters.in b/bin/dnssec/win32/keygen.vcxproj.filters.in
new file mode 100644
index 0000000..5d1fa4c
--- /dev/null
+++ b/bin/dnssec/win32/keygen.vcxproj.filters.in
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\dnssec-keygen.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/dnssec/win32/keygen.vcxproj.in b/bin/dnssec/win32/keygen.vcxproj.in
new file mode 100644
index 0000000..6051dbf
--- /dev/null
+++ b/bin/dnssec/win32/keygen.vcxproj.in
@@ -0,0 +1,121 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{0BF11E21-168C-4CAA-B784-429D126BBAE5}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>keygen</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+    <TargetName>dnssec-$(ProjectName)</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+    <TargetName>dnssec-$(ProjectName)</TargetName>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\win32;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@dnssectool.lib;libisc.lib;libisccfg.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\win32;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@dnssectool.lib;libisc.lib;libisccfg.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\dnssec-keygen.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/dnssec/win32/keygen.vcxproj.user b/bin/dnssec/win32/keygen.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/dnssec/win32/keygen.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/dnssec/win32/revoke.vcxproj.filters.in b/bin/dnssec/win32/revoke.vcxproj.filters.in
new file mode 100644
index 0000000..46e7310
--- /dev/null
+++ b/bin/dnssec/win32/revoke.vcxproj.filters.in
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\dnssec-revoke.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/dnssec/win32/revoke.vcxproj.in b/bin/dnssec/win32/revoke.vcxproj.in
new file mode 100644
index 0000000..28e6868
--- /dev/null
+++ b/bin/dnssec/win32/revoke.vcxproj.in
@@ -0,0 +1,121 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{D171F185-D3C2-4463-9CF3-ED1D0B1D6832}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>revoke</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+    <TargetName>dnssec-$(ProjectName)</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+    <TargetName>dnssec-$(ProjectName)</TargetName>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@dnssectool.lib;libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@dnssectool.lib;libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\dnssec-revoke.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/dnssec/win32/revoke.vcxproj.user b/bin/dnssec/win32/revoke.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/dnssec/win32/revoke.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/dnssec/win32/settime.vcxproj.filters.in b/bin/dnssec/win32/settime.vcxproj.filters.in
new file mode 100644
index 0000000..62b0e82
--- /dev/null
+++ b/bin/dnssec/win32/settime.vcxproj.filters.in
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\dnssec-settime.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/dnssec/win32/settime.vcxproj.in b/bin/dnssec/win32/settime.vcxproj.in
new file mode 100644
index 0000000..f5a6152
--- /dev/null
+++ b/bin/dnssec/win32/settime.vcxproj.in
@@ -0,0 +1,121 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{03FB7588-C5A7-4572-968F-14F1206BC69C}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>settime</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+    <TargetName>dnssec-$(ProjectName)</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+    <TargetName>dnssec-$(ProjectName)</TargetName>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@dnssectool.lib;libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@dnssectool.lib;libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\dnssec-settime.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/dnssec/win32/settime.vcxproj.user b/bin/dnssec/win32/settime.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/dnssec/win32/settime.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/dnssec/win32/signzone.vcxproj.filters.in b/bin/dnssec/win32/signzone.vcxproj.filters.in
new file mode 100644
index 0000000..682ae55
--- /dev/null
+++ b/bin/dnssec/win32/signzone.vcxproj.filters.in
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\dnssec-signzone.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/dnssec/win32/signzone.vcxproj.in b/bin/dnssec/win32/signzone.vcxproj.in
new file mode 100644
index 0000000..2afa4dd
--- /dev/null
+++ b/bin/dnssec/win32/signzone.vcxproj.in
@@ -0,0 +1,121 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{205ED8A9-2E4C-41CC-9385-F3613402AA90}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>signzone</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+    <TargetName>dnssec-$(ProjectName)</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+    <TargetName>dnssec-$(ProjectName)</TargetName>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@dnssectool.lib;libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@dnssectool.lib;libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\dnssec-signzone.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/dnssec/win32/signzone.vcxproj.user b/bin/dnssec/win32/signzone.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/dnssec/win32/signzone.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/dnssec/win32/verify.vcxproj.filters.in b/bin/dnssec/win32/verify.vcxproj.filters.in
new file mode 100644
index 0000000..3b194bd
--- /dev/null
+++ b/bin/dnssec/win32/verify.vcxproj.filters.in
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\dnssec-verify.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/dnssec/win32/verify.vcxproj.in b/bin/dnssec/win32/verify.vcxproj.in
new file mode 100644
index 0000000..971eccd
--- /dev/null
+++ b/bin/dnssec/win32/verify.vcxproj.in
@@ -0,0 +1,121 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{FD653434-F1A8-44A9-85B2-A7468491DA6D}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>verify</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+    <TargetName>dnssec-$(ProjectName)</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+    <TargetName>dnssec-$(ProjectName)</TargetName>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@dnssectool.lib;libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@dnssectool.lib;libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\dnssec-verify.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/dnssec/win32/verify.vcxproj.user b/bin/dnssec/win32/verify.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/dnssec/win32/verify.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
new file mode 100644
index 0000000..3cbcb27
--- /dev/null
+++ b/bin/named/Makefile.in
@@ -0,0 +1,180 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+# Attempt to disable parallel processing.
+.NOTPARALLEL:
+.NO_PARALLEL:
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_PRODUCT@
+
+@BIND9_DESCRIPTION@
+
+@BIND9_SRCID@
+
+@BIND9_CONFIGARGS@
+
+@BIND9_MAKE_INCLUDES@
+
+#
+# Add database drivers here.
+#
+DBDRIVER_OBJS =
+DBDRIVER_SRCS =
+DBDRIVER_INCLUDES =
+DBDRIVER_LIBS =
+
+DLZ_DRIVER_DIR =	${top_srcdir}/contrib/dlz/drivers
+
+DLZDRIVER_OBJS =	@DLZ_DRIVER_OBJS@
+DLZDRIVER_SRCS =	@DLZ_DRIVER_SRCS@
+DLZDRIVER_INCLUDES =	@DLZ_DRIVER_INCLUDES@
+DLZDRIVER_LIBS =	@DLZ_DRIVER_LIBS@
+
+CINCLUDES =	-I${srcdir}/include -I${srcdir}/unix/include -I. \
+		${NS_INCLUDES} ${DNS_INCLUDES} \
+		${BIND9_INCLUDES} ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} \
+		${ISC_INCLUDES} ${DLZDRIVER_INCLUDES} \
+		${DBDRIVER_INCLUDES} \
+		${LIBUV_CFLAGS} \
+		${FSTRM_CFLAGS} \
+		${LMDB_CFLAGS} \
+		${OPENSSL_CFLAGS} \
+		${PROTOBUF_C_CFLAGS} \
+		${JSON_C_CFLAGS} \
+		${LIBXML2_CFLAGS} \
+		${MAXMINDDB_CFLAGS}
+
+CDEFINES =      @CONTRIB_DLZ@
+
+CWARNINGS =
+
+DNSLIBS =	../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
+ISCCCLIBS =	../../lib/isccc/libisccc.@A@
+ISCLIBS =	../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@
+BIND9LIBS =	../../lib/bind9/libbind9.@A@
+NSLIBS =	../../lib/ns/libns.@A@
+
+DNSDEPLIBS =	../../lib/dns/libdns.@A@
+ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
+ISCCCDEPLIBS =	../../lib/isccc/libisccc.@A@
+ISCDEPLIBS =	../../lib/isc/libisc.@A@
+BIND9DEPLIBS =	../../lib/bind9/libbind9.@A@
+NSDEPLIBS =	../../lib/ns/libns.@A@
+
+DEPLIBS =	${NSDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
+		${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${ISCDEPLIBS}
+
+LIBS =		${NSLIBS} ${DNSLIBS} ${BIND9LIBS} \
+		${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \
+		${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBCAP_LIBS@ \
+		${FSTRM_LIBS} ${PROTOBUF_C_LIBS} ${LMDB_LIBS} ${ZLIB_LIBS} \
+		${JSON_C_LIBS} ${LIBXML2_LIBS} ${MAXMINDDB_LIBS} \
+		${LIBUV_LIBS} ${OPENSSL_LIBS} @LIBS@
+
+NOSYMLIBS =	${NSLIBS} ${DNSLIBS} ${BIND9LIBS} \
+		${ISCCFGLIBS} ${ISCCCLIBS} ${ISCNOSYMLIBS} \
+		${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBCAP_LIBS@ \
+		${FSTRM_LIBS} ${PROTOBUF_C_LIBS} ${LMDB_LIBS} ${ZLIB_LIBS} \
+		${LIBUV_LIBS} @LIBS@
+
+SUBDIRS =	unix
+
+TARGETS =	named@EXEEXT@
+
+GEOIP2LINKOBJS = geoip.@O@
+
+OBJS =		builtin.@O@ config.@O@ control.@O@ \
+		controlconf.@O@ fuzz.@O@ \
+		@GEOIP2LINKOBJS@ \
+		log.@O@ logconf.@O@ main.@O@ \
+		server.@O@ statschannel.@O@ \
+		tkeyconf.@O@ tsigconf.@O@ zoneconf.@O@ \
+		${DLZDRIVER_OBJS} ${DBDRIVER_OBJS}
+
+UOBJS =		unix/os.@O@ unix/dlz_dlopen_driver.@O@
+
+SYMOBJS =	symtbl.@O@
+
+GEOIP2LINKSRCS = geoip.c
+
+SRCS =		builtin.c config.c control.c \
+		controlconf.c fuzz.c \
+		@GEOIP2LINKSRCS@ \
+		log.c logconf.c main.c \
+		server.c statschannel.c \
+		tkeyconf.c tsigconf.c zoneconf.c \
+		${DLZDRIVER_SRCS} ${DBDRIVER_SRCS}
+
+@BIND9_MAKE_RULES@
+
+main.@O@: main.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+		-DVERSION=\"${VERSION}\" \
+		-DPRODUCT=\"${PRODUCT}\" \
+		-DDESCRIPTION=\"${DESCRIPTION}\" \
+		-DSRCID=\"${SRCID}\" \
+		-DCONFIGARGS="\"${CONFIGARGS}\"" \
+		-DBUILDER="\"make\"" \
+		-DNAMED_LOCALSTATEDIR=\"${localstatedir}\" \
+		-DNAMED_SYSCONFDIR=\"${sysconfdir}\" -c ${srcdir}/main.c
+
+config.@O@: config.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+		-DVERSION=\"${VERSION}\" \
+		-DSRCID=\"${SRCID}\" \
+		-DDYNDB_LIBDIR=\"@libdir@/bind\" \
+		-DNAMED_LOCALSTATEDIR=\"${localstatedir}\" \
+		-DNAMED_SYSCONFDIR=\"${sysconfdir}\" \
+		-DMAXMINDDB_PREFIX=\"@MAXMINDDB_PREFIX@\" \
+		-c ${srcdir}/config.c
+
+server.@O@: server.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+		-DPRODUCT=\"${PRODUCT}\" \
+		-DVERSION=\"${VERSION}\" -c ${srcdir}/server.c
+
+named@EXEEXT@: ${OBJS} ${DEPLIBS}
+	export MAKE_SYMTABLE="yes"; \
+	export BASEOBJS="${OBJS} ${UOBJS}"; \
+	${FINALBUILDCMD}
+
+clean distclean maintainer-clean::
+	rm -f ${TARGETS} ${OBJS}
+
+maintainer-clean::
+
+bind9.xsl.h: bind9.xsl ${srcdir}/convertxsl.pl
+	${PERL} ${srcdir}/convertxsl.pl < ${srcdir}/bind9.xsl > bind9.xsl.h
+
+depend: bind9.xsl.h
+statschannel.@O@: bind9.xsl.h
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
+
+install:: named@EXEEXT@ installdirs
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir}
+
+uninstall::
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@
+
+@DLZ_DRIVER_RULES@
+
+named-symtbl.@O@: named-symtbl.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c named-symtbl.c
diff --git a/bin/named/bind9.xsl b/bin/named/bind9.xsl
new file mode 100644
index 0000000..309e5d4
--- /dev/null
+++ b/bin/named/bind9.xsl
@@ -0,0 +1,1144 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://www.w3.org/1999/xhtml" version="1.0">
+  <xsl:output method="html" indent="yes" version="4.0"/>
+  <!-- the version number **below** must match version in bin/named/statschannel.c -->
+  <!-- don't forget to update "/xml/v<STATS_XML_VERSION_MAJOR>" in the HTTP endpoints listed below -->
+  <xsl:template match="statistics[@version=&quot;3.11.1&quot;]">
+    <html>
+      <head>
+        <script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
+        <script type="text/javascript">
+          $(function($) {
+              var wid=0;
+              $('table.zones').each(function(i) { if( $(this).width() > wid ) wid = $(this).width(); return true; });
+              $('table.zones').css('min-width', wid );
+              $("h2+table,h3+table,h4+table,h2+div,h3+div,h2+script,h3+script").prev().append(' <a class="tabletoggle" href="#" style="font-size:small">Show/Hide</a>');
+              $(".tabletoggle").click(function(){
+		 var n = $(this).closest("h2,h3,h4").next();
+		 if (n.is("script")) { n = n.next(); }
+	         if (n.is("div")) { n.toggleClass("hidden"); n = n.next(); }
+		 if (n.is("table")) { n.toggleClass("hidden"); }
+		 return false;
+	      });
+          });
+        </script>
+
+        <xsl:if test="system-property('xsl:vendor')!='Transformiix'">
+          <!-- Non Mozilla specific markup -->
+          <script type="text/javascript" src="https://www.google.com/jsapi"/>
+          <script type="text/javascript">
+
+	    google.load("visualization", "1", {packages:["corechart"]});
+	    google.setOnLoadCallback(loadGraphs);
+
+	    var graphs=[];
+
+	    function drawChart(chart_title,target,style,data) {
+	      var data = google.visualization.arrayToDataTable(data);
+
+	      var options = {
+		title: chart_title
+	      };
+
+	      var chart;
+	      if (style == "barchart") {
+		chart = new google.visualization.BarChart(document.getElementById(target));
+		chart.draw(data, options);
+	      } else if (style == "piechart") {
+		chart = new google.visualization.PieChart(document.getElementById(target));
+		chart.draw(data, options);
+	      }
+	    }
+
+	    function loadGraphs(){
+	      var g;
+
+	      while(g = graphs.shift()){
+		// alert("going for: " + g.target);
+		if(g.data.length > 1){
+		  drawChart(g.title,g.target,g.style,g.data);
+		}
+	      }
+	    }
+
+	    <xsl:if test="server/counters[@type=&quot;qtype&quot;]/counter">
+	      // Server Incoming Query Types
+	      graphs.push({
+			   'title' : "Server Incoming Query Types",
+			   'target': 'chart_incoming_qtypes',
+			   'style': 'barchart',
+			   'data': [['Type','Counter'],<xsl:for-each select="server/counters[@type=&quot;qtype&quot;]/counter">['<xsl:value-of select="@name"/>',<xsl:value-of select="."/>],</xsl:for-each>]
+			   });
+	    </xsl:if>
+
+	    <xsl:if test="server/counters[@type=&quot;opcode&quot;]/counter">
+	      // Server Incoming Requests by opcode
+	      graphs.push({
+			   'title' : "Server Incoming Requests by DNS Opcode",
+			   'target': 'chart_incoming_opcodes',
+			   'style': 'barchart',
+			   'data': [['Opcode','Counter'],<xsl:for-each select="server/counters[@type=&quot;opcode&quot;]/counter[. &gt; 0 or substring(@name,1,3) != 'RES']">['<xsl:value-of select="@name"/>',<xsl:value-of select="."/>],</xsl:for-each>]});
+	    </xsl:if>
+	  </script>
+        </xsl:if>
+        <style type="text/css">
+     body {
+      font-family: sans-serif;
+      background-color: #ffffff;
+      color: #000000;
+      font-size: 10pt;
+     }
+
+     .hidden{
+      display: none;
+     }
+
+     .odd{
+      background-color: #f0f0f0;
+     }
+
+     .even{
+      background-color: #ffffff;
+     }
+
+     p.footer{
+      font-style:italic;
+      color: grey;
+     }
+
+     table {
+      border-collapse: collapse;
+      border: 1px solid grey;
+     }
+
+     table.counters{
+      border: 1px solid grey;
+      width: 500px;
+     }
+     table.counters th {
+      text-align: right;
+      border: 1px solid grey;
+      width: 150px;
+     }
+     table.counters td {
+      text-align: right;
+      font-family: monospace;
+     }
+     table.counters tr:hover{
+      background-color: #99ddff;
+     }
+
+     table.info {
+      border: 1px solid grey;
+      width: 500px;
+     }
+     table.info th {
+      text-align: center;
+      border: 1px solid grey;
+      width: 150px;
+     }
+     table.info td {
+      text-align: center;
+     }
+     table.info tr:hover{
+      background-color: #99ddff;
+     }
+
+     table.tasks {
+      border: 1px solid grey;
+      width: 500px;
+     }
+     table.tasks th {
+      text-align: center;
+      border: 1px solid grey;
+      width: 150px;
+     }
+     table.tasks td {
+      text-align: right;
+      font-family: monospace;
+     }
+     table.tasks td:nth-child(2) {
+      text-align: center;
+     }
+     table.tasks td:nth-child(4) {
+      text-align: center;
+     }
+     table.tasks tr:hover{
+      background-color: #99ddff;
+     }
+
+     table.netstat {
+      border: 1px solid grey;
+      width: 500px;
+     }
+     table.netstat th {
+      text-align: center;
+      border: 1px solid grey;
+      width: 150px;
+     }
+     table.netstat td {
+      text-align: center;
+     }
+     table.netstat td:nth-child(4) {
+      text-align: right;
+      font-family: monospace;
+     }
+     table.netstat td:nth-child(7) {
+      text-align: left;
+     }
+     table.netstat tr:hover{
+      background-color: #99ddff;
+     }
+
+     table.mctx  {
+      border: 1px solid grey;
+      width: 500px;
+     }
+     table.mctx th {
+      text-align: center;
+      border: 1px solid grey;
+     }
+     table.mctx td {
+      text-align: right;
+      font-family: monospace;
+     }
+     table.mctx td:nth-child(-n+2) {
+      text-align: left;
+      width: 100px;
+     }
+     table.mctx tr:hover{
+      background-color: #99ddff;
+     }
+
+     table.zones {
+      border: 1px solid grey;
+      width: 500px;
+     }
+     table.zones th {
+      text-align: center;
+      border: 1px solid grey;
+     }
+     table.zones td {
+      text-align: center;
+      font-family: monospace;
+     }
+     table.zones td:nth-child(1) {
+      text-align: right;
+     }
+     table.zones td:nth-child(4) {
+      text-align: right;
+     }
+
+     .totals {
+      background-color: rgb(1,169,206);
+      color: #ffffff;
+     }
+     table.zones {
+       border: 1px solid grey;
+     }
+     table.zones td {
+       text-align: right;
+       font-family: monospace;
+     }
+     table.zones td:nth-child(2) {
+       text-align: center;
+     }
+     table.zones td:nth-child(3) {
+       text-align: left;
+     }
+     table.zones tr:hover{
+      background-color: #99ddff;
+     }
+
+     td, th {
+      padding-right: 5px;
+      padding-left: 5px;
+      border: 1px solid grey;
+     }
+
+     .header h1 {
+      color: rgb(1,169,206);
+      padding: 0px;
+     }
+
+     .content {
+      background-color: #ffffff;
+      color: #000000;
+      padding: 4px;
+     }
+
+     .item {
+      padding: 4px;
+      text-align: right;
+     }
+
+     .value {
+      padding: 4px;
+      font-weight: bold;
+     }
+
+
+     h2 {
+       color: grey;
+       font-size: 14pt;
+       width:500px;
+       text-align:center;
+     }
+
+     h3 {
+       color: #444444;
+       font-size: 12pt;
+       width:500px;
+       text-align:center;
+     }
+     h4 {
+	color:  rgb(1,169,206);
+	font-size: 10pt;
+       width:500px;
+       text-align:center;
+     }
+
+     .pie {
+      width:500px;
+      height: 500px;
+     }
+
+      </style>
+        <title>ISC BIND 9 Statistics</title>
+      </head>
+      <body>
+        <div class="header">
+          <h1>ISC Bind 9 Configuration and Statistics</h1>
+        </div>
+        <p>Alternate statistics views: <a href="/">All</a>,
+	<a href="/xml/v3/status">Status</a>,
+	<a href="/xml/v3/server">Server</a>,
+	<a href="/xml/v3/zones">Zones</a>,
+	<a href="/xml/v3/net">Network</a>,
+	<a href="/xml/v3/tasks">Tasks</a>,
+	<a href="/xml/v3/mem">Memory</a> and
+	<a href="/xml/v3/traffic">Traffic Size</a></p>
+        <hr/>
+        <h2>Server Status</h2>
+        <table class="info">
+          <tr class="odd">
+            <th>Boot time:</th>
+            <td>
+              <xsl:value-of select="server/boot-time"/>
+            </td>
+          </tr>
+          <tr class="even">
+            <th>Last reconfigured:</th>
+            <td>
+              <xsl:value-of select="server/config-time"/>
+            </td>
+          </tr>
+          <tr class="odd">
+            <th>Current time:</th>
+            <td>
+              <xsl:value-of select="server/current-time"/>
+            </td>
+          </tr>
+          <tr class="even">
+            <th>Server version:</th>
+            <td>
+              <xsl:value-of select="server/version"/>
+            </td>
+          </tr>
+        </table>
+        <br/>
+        <xsl:if test="server/counters[@type=&quot;opcode&quot;]/counter[. &gt; 0]">
+          <xsl:if test="system-property('xsl:vendor')!='Transformiix'">
+            <h2>Incoming Requests by DNS Opcode</h2>
+            <!-- Non Mozilla specific markup -->
+            <div class="pie" id="chart_incoming_opcodes">
+	      [cannot display chart]
+	    </div>
+          </xsl:if>
+          <table class="counters">
+            <xsl:for-each select="server/counters[@type=&quot;opcode&quot;]/counter[. &gt; 0 or substring(@name,1,3) != 'RES']">
+              <xsl:sort select="." data-type="number" order="descending"/>
+                <xsl:variable name="css-class0">
+                  <xsl:choose>
+                    <xsl:when test="position() mod 2 = 0">even</xsl:when>
+                    <xsl:otherwise>odd</xsl:otherwise>
+                  </xsl:choose>
+                </xsl:variable>
+                <tr class="{$css-class0}">
+                <th>
+                  <xsl:value-of select="@name"/>
+                </th>
+                <td>
+                  <xsl:value-of select="."/>
+                </td>
+              </tr>
+            </xsl:for-each>
+            <tr>
+              <th class="totals">Total:</th>
+              <td class="totals">
+                <xsl:value-of select="sum(server/counters[@type=&quot;opcode&quot;]/counter)"/>
+              </td>
+            </tr>
+          </table>
+          <br/>
+        </xsl:if>
+        <xsl:if test="server/counters[@type=&quot;qtype&quot;]/counter">
+          <xsl:if test="system-property('xsl:vendor')!='Transformiix'">
+            <!-- Non Mozilla specific markup -->
+            <h3>Incoming Queries by Query Type</h3>
+            <div class="pie" id="chart_incoming_qtypes">
+	      [cannot display chart]
+	    </div>
+          </xsl:if>
+          <table class="counters">
+            <xsl:for-each select="server/counters[@type=&quot;qtype&quot;]/counter">
+              <xsl:sort select="." data-type="number" order="descending"/>
+              <xsl:variable name="css-class">
+                <xsl:choose>
+                  <xsl:when test="position() mod 2 = 0">even</xsl:when>
+                  <xsl:otherwise>odd</xsl:otherwise>
+                </xsl:choose>
+              </xsl:variable>
+              <tr class="{$css-class}">
+                <th>
+                  <xsl:value-of select="@name"/>
+                </th>
+                <td>
+                  <xsl:value-of select="."/>
+                </td>
+              </tr>
+            </xsl:for-each>
+            <tr>
+              <th class="totals">Total:</th>
+              <td class="totals">
+                <xsl:value-of select="sum(server/counters[@type=&quot;qtype&quot;]/counter)"/>
+              </td>
+            </tr>
+          </table>
+          <br/>
+        </xsl:if>
+        <xsl:if test="views/view[count(counters[@type=&quot;resqtype&quot;]/counter) &gt; 0]">
+          <h2>Outgoing Queries per view</h2>
+          <xsl:for-each select="views/view[count(counters[@type=&quot;resqtype&quot;]/counter) &gt; 0]">
+            <h3>View <xsl:value-of select="@name"/></h3>
+            <xsl:if test="system-property('xsl:vendor')!='Transformiix'">
+              <!-- Non Mozilla specific markup -->
+              <script type="text/javascript">
+		  graphs.push({
+				'title': "Outgoing Queries for view: <xsl:value-of select="@name"/>",
+				'target': 'chart_outgoing_queries_view_<xsl:value-of select="@name"/>',
+				'style': 'barchart',
+				'data': [['Type','Counter'],<xsl:for-each select="counters[@type=&quot;resqtype&quot;]/counter">['<xsl:value-of select="@name"/>',<xsl:value-of select="."/>],</xsl:for-each>]
+				});
+	      </script>
+              <xsl:variable name="target">
+                <xsl:value-of select="@name"/>
+              </xsl:variable>
+              <div class="pie" id="chart_outgoing_queries_view_{$target}">[no data to display]</div>
+            </xsl:if>
+            <table class="counters">
+              <xsl:for-each select="counters[@type=&quot;resqtype&quot;]/counter">
+                <xsl:sort select="." data-type="number" order="descending"/>
+                <xsl:variable name="css-class1">
+                  <xsl:choose>
+                    <xsl:when test="position() mod 2 = 0">even</xsl:when>
+                    <xsl:otherwise>odd</xsl:otherwise>
+                  </xsl:choose>
+                </xsl:variable>
+                <tr class="{$css-class1}">
+                  <th>
+                    <xsl:value-of select="@name"/>
+                  </th>
+                  <td>
+                    <xsl:value-of select="."/>
+                  </td>
+                </tr>
+              </xsl:for-each>
+            </table>
+            <br/>
+          </xsl:for-each>
+        </xsl:if>
+        <xsl:if test="server/counters[@type=&quot;nsstat&quot;]/counter[.&gt;0]">
+          <h2>Server Statistics</h2>
+          <xsl:if test="system-property('xsl:vendor')!='Transformiix'">
+            <!-- Non Mozilla specific markup -->
+            <script type="text/javascript">
+		  graphs.push({
+				'title' : "Server Counters",
+				'target': 'chart_server_nsstat_restype',
+				'style': 'barchart',
+				'data': [['Type','Counter'],<xsl:for-each select="server/counters[@type=&quot;nsstat&quot;]/counter[.&gt;0]">['<xsl:value-of select="@name"/>',<xsl:value-of select="."/>],</xsl:for-each>]
+				});
+	      </script>
+            <div class="pie" id="chart_server_nsstat_restype">[no data to display]</div>
+          </xsl:if>
+          <table class="counters">
+            <xsl:for-each select="server/counters[@type=&quot;nsstat&quot;]/counter[.&gt;0]">
+              <xsl:sort select="." data-type="number" order="descending"/>
+              <xsl:variable name="css-class2">
+                <xsl:choose>
+                  <xsl:when test="position() mod 2 = 0">even</xsl:when>
+                  <xsl:otherwise>odd</xsl:otherwise>
+                </xsl:choose>
+              </xsl:variable>
+              <tr class="{$css-class2}">
+                <th>
+                  <xsl:value-of select="@name"/>
+                </th>
+                <td>
+                  <xsl:value-of select="."/>
+                </td>
+              </tr>
+            </xsl:for-each>
+          </table>
+          <br/>
+        </xsl:if>
+        <xsl:if test="server/counters[@type=&quot;zonestat&quot;]/counter[.&gt;0]">
+          <xsl:if test="system-property('xsl:vendor')!='Transformiix'">
+            <h2>Zone Maintenance Statistics</h2>
+            <script type="text/javascript">
+		  graphs.push({
+				'title' : "Zone Maintenance Stats",
+				'target': 'chart_server_zone_maint',
+				'style': 'barchart',
+				'data': [['Type','Counter'],<xsl:for-each select="server/counters[@type=&quot;zonestat&quot;]/counter[.&gt;0]">['<xsl:value-of select="@name"/>',<xsl:value-of select="."/>],</xsl:for-each>]
+				});
+	    </script>
+            <!-- Non Mozilla specific markup -->
+            <div class="pie" id="chart_server_zone_maint">[no data to display]</div>
+          </xsl:if>
+          <table class="counters">
+            <xsl:for-each select="server/counters[@type=&quot;zonestat&quot;]/counter">
+              <xsl:sort select="." data-type="number" order="descending"/>
+              <xsl:variable name="css-class3">
+                <xsl:choose>
+                  <xsl:when test="position() mod 2 = 0">even</xsl:when>
+                  <xsl:otherwise>odd</xsl:otherwise>
+                </xsl:choose>
+              </xsl:variable>
+              <tr class="{$css-class3}">
+                <th>
+                  <xsl:value-of select="@name"/>
+                </th>
+                <td>
+                  <xsl:value-of select="."/>
+                </td>
+              </tr>
+            </xsl:for-each>
+          </table>
+        </xsl:if>
+        <xsl:if test="server/counters[@type=&quot;resstat&quot;]/counter[.&gt;0]">
+          <h2>Resolver Statistics (Common)</h2>
+          <table class="counters">
+            <xsl:for-each select="server/counters[@type=&quot;resstat&quot;]/counter">
+              <xsl:sort select="." data-type="number" order="descending"/>
+              <xsl:variable name="css-class4">
+                <xsl:choose>
+                  <xsl:when test="position() mod 2 = 0">even</xsl:when>
+                  <xsl:otherwise>odd</xsl:otherwise>
+                </xsl:choose>
+              </xsl:variable>
+              <tr class="{$css-class4}">
+                <th>
+                  <xsl:value-of select="@name"/>
+                </th>
+                <td>
+                  <xsl:value-of select="."/>
+                </td>
+              </tr>
+            </xsl:for-each>
+          </table>
+        </xsl:if>
+        <xsl:for-each select="views/view">
+          <xsl:if test="counters[@type=&quot;resstats&quot;]/counter[.&gt;0]">
+            <h3>Resolver Statistics for View <xsl:value-of select="@name"/></h3>
+            <table class="counters">
+              <xsl:for-each select="counters[@type=&quot;resstats&quot;]/counter[.&gt;0]">
+                <xsl:sort select="." data-type="number" order="descending"/>
+                <xsl:variable name="css-class5">
+                  <xsl:choose>
+                    <xsl:when test="position() mod 2 = 0">even</xsl:when>
+                    <xsl:otherwise>odd</xsl:otherwise>
+                  </xsl:choose>
+                </xsl:variable>
+                <tr class="{$css-class5}">
+                  <th>
+                    <xsl:value-of select="@name"/>
+                  </th>
+                  <td>
+                    <xsl:value-of select="."/>
+                  </td>
+                </tr>
+              </xsl:for-each>
+            </table>
+          </xsl:if>
+        </xsl:for-each>
+        <xsl:for-each select="views/view">
+          <xsl:if test="counters[@type=&quot;adbstat&quot;]/counter[.&gt;0]">
+            <h3>ADB Statistics for View <xsl:value-of select="@name"/></h3>
+            <table class="counters">
+              <xsl:for-each select="counters[@type=&quot;adbstat&quot;]/counter[.&gt;0]">
+                <xsl:sort select="." data-type="number" order="descending"/>
+                <xsl:variable name="css-class5">
+                  <xsl:choose>
+                    <xsl:when test="position() mod 2 = 0">even</xsl:when>
+                    <xsl:otherwise>odd</xsl:otherwise>
+                  </xsl:choose>
+                </xsl:variable>
+                <tr class="{$css-class5}">
+                  <th>
+                    <xsl:value-of select="@name"/>
+                  </th>
+                  <td>
+                    <xsl:value-of select="."/>
+                  </td>
+                </tr>
+              </xsl:for-each>
+            </table>
+          </xsl:if>
+        </xsl:for-each>
+        <xsl:for-each select="views/view">
+          <xsl:if test="counters[@type=&quot;cachestats&quot;]/counter[.&gt;0]">
+            <h3>Cache Statistics for View <xsl:value-of select="@name"/></h3>
+            <table class="counters">
+              <xsl:for-each select="counters[@type=&quot;cachestats&quot;]/counter[.&gt;0]">
+                <xsl:sort select="." data-type="number" order="descending"/>
+                <xsl:variable name="css-class5">
+                  <xsl:choose>
+                    <xsl:when test="position() mod 2 = 0">even</xsl:when>
+                    <xsl:otherwise>odd</xsl:otherwise>
+                  </xsl:choose>
+                </xsl:variable>
+                <tr class="{$css-class5}">
+                  <th>
+                    <xsl:value-of select="@name"/>
+                  </th>
+                  <td>
+                    <xsl:value-of select="."/>
+                  </td>
+                </tr>
+              </xsl:for-each>
+            </table>
+          </xsl:if>
+        </xsl:for-each>
+        <xsl:for-each select="views/view">
+          <xsl:if test="cache/rrset">
+            <h3>Cache DB RRsets for View <xsl:value-of select="@name"/></h3>
+            <table class="counters">
+              <xsl:for-each select="cache/rrset">
+                <xsl:variable name="css-class6">
+                  <xsl:choose>
+                    <xsl:when test="position() mod 2 = 0">even</xsl:when>
+                    <xsl:otherwise>odd</xsl:otherwise>
+                  </xsl:choose>
+                </xsl:variable>
+                <tr class="{$css-class6}">
+                  <th>
+                    <xsl:value-of select="name"/>
+                  </th>
+                  <td>
+                    <xsl:value-of select="counter"/>
+                  </td>
+                </tr>
+              </xsl:for-each>
+            </table>
+            <br/>
+          </xsl:if>
+        </xsl:for-each>
+        <xsl:if test="traffic//udp/counters[@type=&quot;request-size&quot;]/counter[.&gt;0] or traffic//udp/counters[@type=&quot;response-size&quot;]/counter[.&gt;0] or traffic//tcp/counters[@type=&quot;request-size&quot;]/counter[.&gt;0] or traffic//tcp/counters[@type=&quot;response-size&quot;]/counter[.&gt;0]">
+          <h2>Traffic Size Statistics</h2>
+        </xsl:if>
+        <xsl:if test="traffic//udp/counters[@type=&quot;request-size&quot;]/counter[.&gt;0]">
+          <h4>UDP Requests Received</h4>
+          <table class="counters">
+            <xsl:for-each select="traffic//udp/counters[@type=&quot;request-size&quot;]/counter[.&gt;0]">
+              <xsl:variable name="css-class7">
+                <xsl:choose>
+                  <xsl:when test="position() mod 2 = 0">even</xsl:when>
+                  <xsl:otherwise>odd</xsl:otherwise>
+                </xsl:choose>
+              </xsl:variable>
+              <tr class="{$css-class7}">
+                <th><xsl:value-of select="local-name(../../..)"/></th>
+                <th>
+                  <xsl:value-of select="@name"/>
+                </th>
+                <td>
+                  <xsl:value-of select="."/>
+                </td>
+              </tr>
+            </xsl:for-each>
+          </table>
+          <br/>
+        </xsl:if>
+        <xsl:if test="traffic//udp/counters[@type=&quot;response-size&quot;]/counter[.&gt;0]">
+          <h4>UDP Responses Sent</h4>
+          <table class="counters">
+            <xsl:for-each select="traffic//udp/counters[@type=&quot;response-size&quot;]/counter[.&gt;0]">
+              <xsl:variable name="css-class7">
+                <xsl:choose>
+                  <xsl:when test="position() mod 2 = 0">even</xsl:when>
+                  <xsl:otherwise>odd</xsl:otherwise>
+                </xsl:choose>
+              </xsl:variable>
+              <tr class="{$css-class7}">
+                <th><xsl:value-of select="local-name(../../..)"/></th>
+                <th>
+                  <xsl:value-of select="@name"/>
+                </th>
+                <td>
+                  <xsl:value-of select="."/>
+                </td>
+              </tr>
+            </xsl:for-each>
+          </table>
+          <br/>
+        </xsl:if>
+        <xsl:if test="traffic//tcp/counters[@type=&quot;request-size&quot;]/counter[.&gt;0]">
+          <h4>TCP Requests Received</h4>
+          <table class="counters">
+            <xsl:for-each select="traffic//tcp/counters[@type=&quot;request-size&quot;]/counter[.&gt;0]">
+              <xsl:variable name="css-class7">
+                <xsl:choose>
+                  <xsl:when test="position() mod 2 = 0">even</xsl:when>
+                  <xsl:otherwise>odd</xsl:otherwise>
+                </xsl:choose>
+              </xsl:variable>
+              <tr class="{$css-class7}">
+                <th><xsl:value-of select="local-name(../../..)"/></th>
+                <th>
+                  <xsl:value-of select="@name"/>
+                </th>
+                <td>
+                  <xsl:value-of select="."/>
+                </td>
+              </tr>
+            </xsl:for-each>
+          </table>
+          <br/>
+        </xsl:if>
+        <xsl:if test="traffic//tcp/counters[@type=&quot;response-size&quot;]/counter[.&gt;0]">
+          <h4>TCP Responses Sent</h4>
+          <table class="counters">
+            <xsl:for-each select="traffic//tcp/counters[@type=&quot;response-size&quot;]/counter[.&gt;0]">
+              <xsl:variable name="css-class7">
+                <xsl:choose>
+                  <xsl:when test="position() mod 2 = 0">even</xsl:when>
+                  <xsl:otherwise>odd</xsl:otherwise>
+                </xsl:choose>
+              </xsl:variable>
+              <tr class="{$css-class7}">
+                <th><xsl:value-of select="local-name(../../..)"/></th>
+                <th>
+                  <xsl:value-of select="@name"/>
+                </th>
+                <td>
+                  <xsl:value-of select="."/>
+                </td>
+              </tr>
+            </xsl:for-each>
+          </table>
+          <br/>
+        </xsl:if>
+        <xsl:if test="server/counters[@type=&quot;sockstat&quot;]/counter[.&gt;0]">
+          <h2>Socket I/O Statistics</h2>
+          <table class="counters">
+            <xsl:for-each select="server/counters[@type=&quot;sockstat&quot;]/counter[.&gt;0]">
+              <xsl:variable name="css-class7">
+                <xsl:choose>
+                  <xsl:when test="position() mod 2 = 0">even</xsl:when>
+                  <xsl:otherwise>odd</xsl:otherwise>
+                </xsl:choose>
+              </xsl:variable>
+              <tr class="{$css-class7}">
+                <th>
+                  <xsl:value-of select="@name"/>
+                </th>
+                <td>
+                  <xsl:value-of select="."/>
+                </td>
+              </tr>
+            </xsl:for-each>
+          </table>
+          <br/>
+        </xsl:if>
+        <xsl:if test="views/view/zones/zone">
+          <xsl:for-each select="views/view">
+            <h3>Zones for View <xsl:value-of select="@name"/></h3>
+            <table class="zones">
+              <thead><tr><th>Name</th><th>Class</th><th>Type</th><th>Serial</th><th>Loaded</th><th>Expires</th><th>Refresh</th></tr></thead>
+              <tbody>
+                <xsl:for-each select="zones/zone">
+                  <xsl:variable name="css-class15">
+                    <xsl:choose>
+                      <xsl:when test="position() mod 2 = 0">even</xsl:when>
+                      <xsl:otherwise>odd</xsl:otherwise>
+                    </xsl:choose>
+                  </xsl:variable>
+                  <tr class="{$css-class15}">
+                      <td><xsl:value-of select="@name"/></td>
+                      <td><xsl:value-of select="@rdataclass"/></td>
+                      <td><xsl:value-of select="type"/></td>
+                      <td><xsl:value-of select="serial"/></td>
+                      <td><xsl:value-of select="loaded"/></td>
+                      <td><xsl:value-of select="expires"/></td>
+                      <td><xsl:value-of select="refresh"/></td></tr>
+                </xsl:for-each>
+              </tbody>
+            </table>
+          </xsl:for-each>
+        </xsl:if>
+        <xsl:if test="views/view[zones/zone/counters[@type=&quot;qtype&quot;]/counter &gt;0]">
+          <h2>Received QTYPES per view/zone</h2>
+          <xsl:for-each select="views/view[zones/zone/counters[@type=&quot;qtype&quot;]/counter &gt;0]">
+            <h3>View <xsl:value-of select="@name"/></h3>
+            <xsl:variable name="thisview">
+              <xsl:value-of select="@name"/>
+            </xsl:variable>
+            <xsl:for-each select="zones/zone">
+              <xsl:if test="counters[@type=&quot;qtype&quot;]/counter[count(.) &gt; 0]">
+                <h4>Zone <xsl:value-of select="@name"/></h4>
+                <xsl:if test="system-property('xsl:vendor')!='Transformiix'">
+                  <!-- Non Mozilla specific markup -->
+                  <script type="text/javascript">
+			graphs.push({
+				      'title': "Query types for zone <xsl:value-of select="@name"/>",
+				      'target': 'chart_qtype_<xsl:value-of select="../../@name"/>_<xsl:value-of select="@name"/>',
+				      'style': 'barchart',
+				      'data': [['Type','Counter'],<xsl:for-each select="counters[@type=&quot;qtype&quot;]/counter[.&gt;0 and @name != &quot;QryAuthAns&quot;]">['<xsl:value-of select="@name"/>',<xsl:value-of select="."/>],</xsl:for-each>]
+				      });
+
+		    </script>
+                  <xsl:variable name="target">
+                    <xsl:value-of select="@name"/>
+                  </xsl:variable>
+                  <div class="pie" id="chart_qtype_{$thisview}_{$target}">[no data to display]</div>
+                </xsl:if>
+                <table class="counters">
+                  <xsl:for-each select="counters[@type=&quot;qtype&quot;]/counter">
+                    <xsl:sort select="."/>
+                    <xsl:variable name="css-class10">
+                      <xsl:choose>
+                        <xsl:when test="position() mod 2 = 0">even</xsl:when>
+                        <xsl:otherwise>odd</xsl:otherwise>
+                      </xsl:choose>
+                    </xsl:variable>
+                    <tr class="{$css-class10}">
+                      <th>
+                        <xsl:value-of select="@name"/>
+                      </th>
+                      <td>
+                        <xsl:value-of select="."/>
+                      </td>
+                    </tr>
+                  </xsl:for-each>
+                </table>
+              </xsl:if>
+            </xsl:for-each>
+          </xsl:for-each>
+        </xsl:if>
+        <xsl:if test="views/view[zones/zone/counters[@type=&quot;rcode&quot;]/counter &gt;0]">
+          <h2>Response Codes per view/zone</h2>
+          <xsl:for-each select="views/view[zones/zone/counters[@type=&quot;rcode&quot;]/counter &gt;0]">
+            <h3>View <xsl:value-of select="@name"/></h3>
+            <xsl:variable name="thisview2">
+              <xsl:value-of select="@name"/>
+            </xsl:variable>
+            <xsl:for-each select="zones/zone">
+              <xsl:if test="counters[@type=&quot;rcode&quot;]/counter[. &gt; 0]">
+                <h4>Zone <xsl:value-of select="@name"/></h4>
+                <xsl:if test="system-property('xsl:vendor')!='Transformiix'">
+                  <!-- Non Mozilla specific markup -->
+                  <script type="text/javascript">
+			graphs.push({
+				      'title': "Response codes for zone <xsl:value-of select="@name"/>",
+				      'target': 'chart_rescode_<xsl:value-of select="../../@name"/>_<xsl:value-of select="@name"/>',
+				      'style': 'barchart',
+				      'data': [['Type','Counter'],<xsl:for-each select="counters[@type=&quot;rcode&quot;]/counter[.&gt;0 and @name != &quot;QryAuthAns&quot;]">['<xsl:value-of select="@name"/>',<xsl:value-of select="."/>],</xsl:for-each>]
+				      });
+
+		</script>
+                  <xsl:variable name="target">
+                    <xsl:value-of select="@name"/>
+                  </xsl:variable>
+                  <div class="pie" id="chart_rescode_{$thisview2}_{$target}">[no data to display]</div>
+                </xsl:if>
+                <table class="counters">
+                  <xsl:for-each select="counters[@type=&quot;rcode&quot;]/counter[.&gt;0 and @name != &quot;QryAuthAns&quot;]">
+                    <xsl:sort select="."/>
+                    <xsl:variable name="css-class11">
+                      <xsl:choose>
+                        <xsl:when test="position() mod 2 = 0">even</xsl:when>
+                        <xsl:otherwise>odd</xsl:otherwise>
+                      </xsl:choose>
+                    </xsl:variable>
+                    <tr class="{$css-class11}">
+                      <th>
+                        <xsl:value-of select="@name"/>
+                      </th>
+                      <td>
+                        <xsl:value-of select="."/>
+                      </td>
+                    </tr>
+                  </xsl:for-each>
+                </table>
+              </xsl:if>
+            </xsl:for-each>
+          </xsl:for-each>
+        </xsl:if>
+        <xsl:if test="views/view[zones/zone/counters[@type=&quot;gluecache&quot;]/counter &gt;0]">
+          <h2>Glue cache statistics</h2>
+          <xsl:for-each select="views/view[zones/zone/counters[@type=&quot;gluecache&quot;]/counter &gt;0]">
+            <h3>View <xsl:value-of select="@name"/></h3>
+            <xsl:variable name="thisview2">
+              <xsl:value-of select="@name"/>
+            </xsl:variable>
+            <xsl:for-each select="zones/zone">
+              <xsl:if test="counters[@type=&quot;gluecache&quot;]/counter[. &gt; 0]">
+                <h4>Zone <xsl:value-of select="@name"/></h4>
+                <table class="counters">
+                  <xsl:for-each select="counters[@type=&quot;gluecache&quot;]/counter[. &gt; 0]">
+                    <xsl:sort select="."/>
+                    <xsl:variable name="css-class11">
+                      <xsl:choose>
+                        <xsl:when test="position() mod 2 = 0">even</xsl:when>
+                        <xsl:otherwise>odd</xsl:otherwise>
+                      </xsl:choose>
+                    </xsl:variable>
+                    <tr class="{$css-class11}">
+                      <th>
+                        <xsl:value-of select="@name"/>
+                      </th>
+                      <td>
+                        <xsl:value-of select="."/>
+                      </td>
+                    </tr>
+                  </xsl:for-each>
+                </table>
+              </xsl:if>
+            </xsl:for-each>
+          </xsl:for-each>
+        </xsl:if>
+        <xsl:if test="socketmgr/sockets/socket">
+          <h2>Network Status</h2>
+          <table class="netstat">
+            <tr>
+              <th>ID</th>
+              <th>Name</th>
+              <th>Type</th>
+              <th>References</th>
+              <th>LocalAddress</th>
+              <th>PeerAddress</th>
+              <th>State</th>
+            </tr>
+            <xsl:for-each select="socketmgr/sockets/socket">
+              <xsl:sort select="id"/>
+              <xsl:variable name="css-class12">
+                <xsl:choose>
+                  <xsl:when test="position() mod 2 = 0">even</xsl:when>
+                  <xsl:otherwise>odd</xsl:otherwise>
+                </xsl:choose>
+              </xsl:variable>
+              <tr class="{$css-class12}">
+                <td>
+                  <xsl:value-of select="id"/>
+                </td>
+                <td>
+                  <xsl:value-of select="name"/>
+                </td>
+                <td>
+                  <xsl:value-of select="type"/>
+                </td>
+                <td>
+                  <xsl:value-of select="references"/>
+                </td>
+                <td>
+                  <xsl:value-of select="local-address"/>
+                </td>
+                <td>
+                  <xsl:value-of select="peer-address"/>
+                </td>
+                <td>
+                  <xsl:for-each select="states">
+                    <xsl:value-of select="."/>
+                  </xsl:for-each>
+                </td>
+              </tr>
+            </xsl:for-each>
+          </table>
+          <br/>
+        </xsl:if>
+        <xsl:if test="taskmgr/thread-model/type">
+          <h2>Task Manager Configuration</h2>
+          <table class="counters">
+            <tr>
+              <th class="even">Thread-Model</th>
+              <td>
+                <xsl:value-of select="taskmgr/thread-model/type"/>
+              </td>
+            </tr>
+            <tr class="odd">
+              <th>Worker Threads</th>
+              <td>
+                <xsl:value-of select="taskmgr/thread-model/worker-threads"/>
+              </td>
+            </tr>
+            <tr class="even">
+              <th>Default Quantum</th>
+              <td>
+                <xsl:value-of select="taskmgr/thread-model/default-quantum"/>
+              </td>
+            </tr>
+            <tr class="odd">
+              <th>Tasks Running</th>
+              <td>
+                <xsl:value-of select="taskmgr/thread-model/tasks-running"/>
+              </td>
+            </tr>
+            <tr class="even">
+              <th>Tasks Ready</th>
+              <td>
+                <xsl:value-of select="taskmgr/thread-model/tasks-ready"/>
+              </td>
+            </tr>
+          </table>
+          <br/>
+        </xsl:if>
+        <xsl:if test="taskmgr/tasks/task">
+          <h2>Tasks</h2>
+          <table class="tasks">
+            <tr>
+              <th>ID</th>
+              <th>Name</th>
+              <th>References</th>
+              <th>State</th>
+              <th>Quantum</th>
+              <th>Events</th>
+            </tr>
+            <xsl:for-each select="taskmgr/tasks/task">
+              <xsl:sort select="name"/>
+              <xsl:variable name="css-class14">
+                <xsl:choose>
+                  <xsl:when test="position() mod 2 = 0">even</xsl:when>
+                  <xsl:otherwise>odd</xsl:otherwise>
+                </xsl:choose>
+              </xsl:variable>
+              <tr class="{$css-class14}">
+                <td>
+                  <xsl:value-of select="id"/>
+                </td>
+                <td>
+                  <xsl:value-of select="name"/>
+                </td>
+                <td>
+                  <xsl:value-of select="references"/>
+                </td>
+                <td>
+                  <xsl:value-of select="state"/>
+                </td>
+                <td>
+                  <xsl:value-of select="quantum"/>
+                </td>
+                <td>
+                  <xsl:value-of select="events"/>
+                </td>
+              </tr>
+            </xsl:for-each>
+          </table>
+          <br/>
+        </xsl:if>
+        <xsl:if test="memory/summary">
+          <h2>Memory Usage Summary</h2>
+          <table class="counters">
+            <xsl:for-each select="memory/summary/*">
+              <xsl:variable name="css-class13">
+                <xsl:choose>
+                  <xsl:when test="position() mod 2 = 0">even</xsl:when>
+                  <xsl:otherwise>odd</xsl:otherwise>
+                </xsl:choose>
+              </xsl:variable>
+              <tr class="{$css-class13}">
+                <th>
+                  <xsl:value-of select="name()"/>
+                </th>
+                <td>
+                  <xsl:value-of select="."/>
+                </td>
+              </tr>
+            </xsl:for-each>
+          </table>
+          <br/>
+        </xsl:if>
+        <xsl:if test="memory/contexts/context">
+          <h2>Memory Contexts</h2>
+          <table class="mctx">
+            <tr>
+              <th>ID</th>
+              <th>Name</th>
+              <th>References</th>
+              <th>TotalUse</th>
+              <th>InUse</th>
+              <th>MaxUse</th>
+              <th>Malloced</th>
+              <th>MaxMalloced</th>
+              <th>BlockSize</th>
+              <th>Pools</th>
+              <th>HiWater</th>
+              <th>LoWater</th>
+            </tr>
+            <xsl:for-each select="memory/contexts/context">
+              <xsl:sort select="total" data-type="number" order="descending"/>
+              <xsl:variable name="css-class14">
+                <xsl:choose>
+                  <xsl:when test="position() mod 2 = 0">even</xsl:when>
+                  <xsl:otherwise>odd</xsl:otherwise>
+                </xsl:choose>
+              </xsl:variable>
+              <tr class="{$css-class14}">
+                <td>
+                  <xsl:value-of select="id"/>
+                </td>
+                <td>
+                  <xsl:value-of select="name"/>
+                </td>
+                <td>
+                  <xsl:value-of select="references"/>
+                </td>
+                <td>
+                  <xsl:value-of select="total"/>
+                </td>
+                <td>
+                  <xsl:value-of select="inuse"/>
+                </td>
+                <td>
+                  <xsl:value-of select="maxinuse"/>
+                </td>
+                <td>
+                  <xsl:value-of select="malloced"/>
+                </td>
+                <td>
+                  <xsl:value-of select="maxmalloced"/>
+                </td>
+                <td>
+                  <xsl:value-of select="blocksize"/>
+                </td>
+                <td>
+                  <xsl:value-of select="pools"/>
+                </td>
+                <td>
+                  <xsl:value-of select="hiwater"/>
+                </td>
+                <td>
+                  <xsl:value-of select="lowater"/>
+                </td>
+              </tr>
+            </xsl:for-each>
+          </table>
+        </xsl:if>
+        <hr/>
+        <p class="footer">Internet Systems Consortium Inc.<br/><a href="http://www.isc.org">http://www.isc.org</a></p>
+      </body>
+    </html>
+  </xsl:template>
+</xsl:stylesheet>
diff --git a/bin/named/bind9.xsl.h b/bin/named/bind9.xsl.h
new file mode 100644
index 0000000..fabb5fa
--- /dev/null
+++ b/bin/named/bind9.xsl.h
@@ -0,0 +1,1267 @@
+/*
+ * Generated by convertxsl.pl 1.14 2008/07/17 23:43:26 jinmei Exp
+ * From unknown
+ */
+static char xslmsg[] =
+	"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
+	"\n"
+	"<xsl:stylesheet xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\" "
+	"xmlns=\"http://www.w3.org/1999/xhtml\" version=\"1.0\">\n"
+	" <xsl:output method=\"html\" indent=\"yes\" version=\"4.0\"/>\n"
+	" <!-- the version number **below** must match version in "
+	"bin/named/statschannel.c -->\n"
+	" <!-- don't forget to update \"/xml/v<STATS_XML_VERSION_MAJOR>\" in "
+	"the HTTP endpoints listed below -->\n"
+	" <xsl:template match=\"statistics[@version=&quot;3.11.1&quot;]\">\n"
+	" <html>\n"
+	" <head>\n"
+	" <script type=\"text/javascript\" "
+	"src=\"https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/"
+	"jquery.min.js\"></script>\n"
+	" <script type=\"text/javascript\">\n"
+	" $(function($) {\n"
+	" var wid=0;\n"
+	" $('table.zones').each(function(i) { if( $(this).width() > wid ) wid "
+	"= $(this).width(); return true; });\n"
+	" $('table.zones').css('min-width', wid );\n"
+	" $(\"h2+table,h3+table,h4+table,h2+div,h3+div,h2+script,h3+script\")."
+	"prev().append(' <a class=\"tabletoggle\" href=\"#\" "
+	"style=\"font-size:small\">Show/Hide</a>');\n"
+	" $(\".tabletoggle\").click(function(){\n"
+	" var n = $(this).closest(\"h2,h3,h4\").next();\n"
+	" if (n.is(\"script\")) { n = n.next(); }\n"
+	" if (n.is(\"div\")) { n.toggleClass(\"hidden\"); n = n.next(); }\n"
+	" if (n.is(\"table\")) { n.toggleClass(\"hidden\"); }\n"
+	" return false;\n"
+	" });\n"
+	" });\n"
+	" </script>\n"
+	"\n"
+	" <xsl:if test=\"system-property('xsl:vendor')!='Transformiix'\">\n"
+	" <!-- Non Mozilla specific markup -->\n"
+	" <script type=\"text/javascript\" "
+	"src=\"https://www.google.com/jsapi\"/>\n"
+	" <script type=\"text/javascript\">\n"
+	"\n"
+	" google.load(\"visualization\", \"1\", {packages:[\"corechart\"]});\n"
+	" google.setOnLoadCallback(loadGraphs);\n"
+	"\n"
+	" var graphs=[];\n"
+	"\n"
+	" function drawChart(chart_title,target,style,data) {\n"
+	" var data = google.visualization.arrayToDataTable(data);\n"
+	"\n"
+	" var options = {\n"
+	" title: chart_title\n"
+	" };\n"
+	"\n"
+	" var chart;\n"
+	" if (style == \"barchart\") {\n"
+	" chart = new "
+	"google.visualization.BarChart(document.getElementById(target));\n"
+	" chart.draw(data, options);\n"
+	" } else if (style == \"piechart\") {\n"
+	" chart = new "
+	"google.visualization.PieChart(document.getElementById(target));\n"
+	" chart.draw(data, options);\n"
+	" }\n"
+	" }\n"
+	"\n"
+	" function loadGraphs(){\n"
+	" var g;\n"
+	"\n"
+	" while(g = graphs.shift()){\n"
+	" // alert(\"going for: \" + g.target);\n"
+	" if(g.data.length > 1){\n"
+	" drawChart(g.title,g.target,g.style,g.data);\n"
+	" }\n"
+	" }\n"
+	" }\n"
+	"\n"
+	" <xsl:if test=\"server/counters[@type=&quot;qtype&quot;]/counter\">\n"
+	" // Server Incoming Query Types\n"
+	" graphs.push({\n"
+	" 'title' : \"Server Incoming Query Types\",\n"
+	" 'target': 'chart_incoming_qtypes',\n"
+	" 'style': 'barchart',\n"
+	" 'data': [['Type','Counter'],<xsl:for-each "
+	"select=\"server/counters[@type=&quot;qtype&quot;]/"
+	"counter\">['<xsl:value-of select=\"@name\"/>',<xsl:value-of "
+	"select=\".\"/>],</xsl:for-each>]\n"
+	" });\n"
+	" </xsl:if>\n"
+	"\n"
+	" <xsl:if test=\"server/counters[@type=&quot;opcode&quot;]/counter\">\n"
+	" // Server Incoming Requests by opcode\n"
+	" graphs.push({\n"
+	" 'title' : \"Server Incoming Requests by DNS Opcode\",\n"
+	" 'target': 'chart_incoming_opcodes',\n"
+	" 'style': 'barchart',\n"
+	" 'data': [['Opcode','Counter'],<xsl:for-each "
+	"select=\"server/counters[@type=&quot;opcode&quot;]/counter[. &gt; 0 "
+	"or substring(@name,1,3) != 'RES']\">['<xsl:value-of "
+	"select=\"@name\"/>',<xsl:value-of "
+	"select=\".\"/>],</xsl:for-each>]});\n"
+	" </xsl:if>\n"
+	" </script>\n"
+	" </xsl:if>\n"
+	" <style type=\"text/css\">\n"
+	" body {\n"
+	" font-family: sans-serif;\n"
+	" background-color: #ffffff;\n"
+	" color: #000000;\n"
+	" font-size: 10pt;\n"
+	" }\n"
+	"\n"
+	" .hidden{\n"
+	" display: none;\n"
+	" }\n"
+	"\n"
+	" .odd{\n"
+	" background-color: #f0f0f0;\n"
+	" }\n"
+	"\n"
+	" .even{\n"
+	" background-color: #ffffff;\n"
+	" }\n"
+	"\n"
+	" p.footer{\n"
+	" font-style:italic;\n"
+	" color: grey;\n"
+	" }\n"
+	"\n"
+	" table {\n"
+	" border-collapse: collapse;\n"
+	" border: 1px solid grey;\n"
+	" }\n"
+	"\n"
+	" table.counters{\n"
+	" border: 1px solid grey;\n"
+	" width: 500px;\n"
+	" }\n"
+	" table.counters th {\n"
+	" text-align: right;\n"
+	" border: 1px solid grey;\n"
+	" width: 150px;\n"
+	" }\n"
+	" table.counters td {\n"
+	" text-align: right;\n"
+	" font-family: monospace;\n"
+	" }\n"
+	" table.counters tr:hover{\n"
+	" background-color: #99ddff;\n"
+	" }\n"
+	"\n"
+	" table.info {\n"
+	" border: 1px solid grey;\n"
+	" width: 500px;\n"
+	" }\n"
+	" table.info th {\n"
+	" text-align: center;\n"
+	" border: 1px solid grey;\n"
+	" width: 150px;\n"
+	" }\n"
+	" table.info td {\n"
+	" text-align: center;\n"
+	" }\n"
+	" table.info tr:hover{\n"
+	" background-color: #99ddff;\n"
+	" }\n"
+	"\n"
+	" table.tasks {\n"
+	" border: 1px solid grey;\n"
+	" width: 500px;\n"
+	" }\n"
+	" table.tasks th {\n"
+	" text-align: center;\n"
+	" border: 1px solid grey;\n"
+	" width: 150px;\n"
+	" }\n"
+	" table.tasks td {\n"
+	" text-align: right;\n"
+	" font-family: monospace;\n"
+	" }\n"
+	" table.tasks td:nth-child(2) {\n"
+	" text-align: center;\n"
+	" }\n"
+	" table.tasks td:nth-child(4) {\n"
+	" text-align: center;\n"
+	" }\n"
+	" table.tasks tr:hover{\n"
+	" background-color: #99ddff;\n"
+	" }\n"
+	"\n"
+	" table.netstat {\n"
+	" border: 1px solid grey;\n"
+	" width: 500px;\n"
+	" }\n"
+	" table.netstat th {\n"
+	" text-align: center;\n"
+	" border: 1px solid grey;\n"
+	" width: 150px;\n"
+	" }\n"
+	" table.netstat td {\n"
+	" text-align: center;\n"
+	" }\n"
+	" table.netstat td:nth-child(4) {\n"
+	" text-align: right;\n"
+	" font-family: monospace;\n"
+	" }\n"
+	" table.netstat td:nth-child(7) {\n"
+	" text-align: left;\n"
+	" }\n"
+	" table.netstat tr:hover{\n"
+	" background-color: #99ddff;\n"
+	" }\n"
+	"\n"
+	" table.mctx {\n"
+	" border: 1px solid grey;\n"
+	" width: 500px;\n"
+	" }\n"
+	" table.mctx th {\n"
+	" text-align: center;\n"
+	" border: 1px solid grey;\n"
+	" }\n"
+	" table.mctx td {\n"
+	" text-align: right;\n"
+	" font-family: monospace;\n"
+	" }\n"
+	" table.mctx td:nth-child(-n+2) {\n"
+	" text-align: left;\n"
+	" width: 100px;\n"
+	" }\n"
+	" table.mctx tr:hover{\n"
+	" background-color: #99ddff;\n"
+	" }\n"
+	"\n"
+	" table.zones {\n"
+	" border: 1px solid grey;\n"
+	" width: 500px;\n"
+	" }\n"
+	" table.zones th {\n"
+	" text-align: center;\n"
+	" border: 1px solid grey;\n"
+	" }\n"
+	" table.zones td {\n"
+	" text-align: center;\n"
+	" font-family: monospace;\n"
+	" }\n"
+	" table.zones td:nth-child(1) {\n"
+	" text-align: right;\n"
+	" }\n"
+	" table.zones td:nth-child(4) {\n"
+	" text-align: right;\n"
+	" }\n"
+	"\n"
+	" .totals {\n"
+	" background-color: rgb(1,169,206);\n"
+	" color: #ffffff;\n"
+	" }\n"
+	" table.zones {\n"
+	" border: 1px solid grey;\n"
+	" }\n"
+	" table.zones td {\n"
+	" text-align: right;\n"
+	" font-family: monospace;\n"
+	" }\n"
+	" table.zones td:nth-child(2) {\n"
+	" text-align: center;\n"
+	" }\n"
+	" table.zones td:nth-child(3) {\n"
+	" text-align: left;\n"
+	" }\n"
+	" table.zones tr:hover{\n"
+	" background-color: #99ddff;\n"
+	" }\n"
+	"\n"
+	" td, th {\n"
+	" padding-right: 5px;\n"
+	" padding-left: 5px;\n"
+	" border: 1px solid grey;\n"
+	" }\n"
+	"\n"
+	" .header h1 {\n"
+	" color: rgb(1,169,206);\n"
+	" padding: 0px;\n"
+	" }\n"
+	"\n"
+	" .content {\n"
+	" background-color: #ffffff;\n"
+	" color: #000000;\n"
+	" padding: 4px;\n"
+	" }\n"
+	"\n"
+	" .item {\n"
+	" padding: 4px;\n"
+	" text-align: right;\n"
+	" }\n"
+	"\n"
+	" .value {\n"
+	" padding: 4px;\n"
+	" font-weight: bold;\n"
+	" }\n"
+	"\n"
+	"\n"
+	" h2 {\n"
+	" color: grey;\n"
+	" font-size: 14pt;\n"
+	" width:500px;\n"
+	" text-align:center;\n"
+	" }\n"
+	"\n"
+	" h3 {\n"
+	" color: #444444;\n"
+	" font-size: 12pt;\n"
+	" width:500px;\n"
+	" text-align:center;\n"
+	" }\n"
+	" h4 {\n"
+	" color: rgb(1,169,206);\n"
+	" font-size: 10pt;\n"
+	" width:500px;\n"
+	" text-align:center;\n"
+	" }\n"
+	"\n"
+	" .pie {\n"
+	" width:500px;\n"
+	" height: 500px;\n"
+	" }\n"
+	"\n"
+	" </style>\n"
+	" <title>ISC BIND 9 Statistics</title>\n"
+	" </head>\n"
+	" <body>\n"
+	" <div class=\"header\">\n"
+	" <h1>ISC Bind 9 Configuration and Statistics</h1>\n"
+	" </div>\n"
+	" <p>Alternate statistics views: <a href=\"/\">All</a>,\n"
+	" <a href=\"/xml/v3/status\">Status</a>,\n"
+	" <a href=\"/xml/v3/server\">Server</a>,\n"
+	" <a href=\"/xml/v3/zones\">Zones</a>,\n"
+	" <a href=\"/xml/v3/net\">Network</a>,\n"
+	" <a href=\"/xml/v3/tasks\">Tasks</a>,\n"
+	" <a href=\"/xml/v3/mem\">Memory</a> and\n"
+	" <a href=\"/xml/v3/traffic\">Traffic Size</a></p>\n"
+	" <hr/>\n"
+	" <h2>Server Status</h2>\n"
+	" <table class=\"info\">\n"
+	" <tr class=\"odd\">\n"
+	" <th>Boot time:</th>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"server/boot-time\"/>\n"
+	" </td>\n"
+	" </tr>\n"
+	" <tr class=\"even\">\n"
+	" <th>Last reconfigured:</th>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"server/config-time\"/>\n"
+	" </td>\n"
+	" </tr>\n"
+	" <tr class=\"odd\">\n"
+	" <th>Current time:</th>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"server/current-time\"/>\n"
+	" </td>\n"
+	" </tr>\n"
+	" <tr class=\"even\">\n"
+	" <th>Server version:</th>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"server/version\"/>\n"
+	" </td>\n"
+	" </tr>\n"
+	" </table>\n"
+	" <br/>\n"
+	" <xsl:if test=\"server/counters[@type=&quot;opcode&quot;]/counter[. "
+	"&gt; 0]\">\n"
+	" <xsl:if test=\"system-property('xsl:vendor')!='Transformiix'\">\n"
+	" <h2>Incoming Requests by DNS Opcode</h2>\n"
+	" <!-- Non Mozilla specific markup -->\n"
+	" <div class=\"pie\" id=\"chart_incoming_opcodes\">\n"
+	" [cannot display chart]\n"
+	" </div>\n"
+	" </xsl:if>\n"
+	" <table class=\"counters\">\n"
+	" <xsl:for-each "
+	"select=\"server/counters[@type=&quot;opcode&quot;]/counter[. &gt; 0 "
+	"or substring(@name,1,3) != 'RES']\">\n"
+	" <xsl:sort select=\".\" data-type=\"number\" order=\"descending\"/>\n"
+	" <xsl:variable name=\"css-class0\">\n"
+	" <xsl:choose>\n"
+	" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
+	" <xsl:otherwise>odd</xsl:otherwise>\n"
+	" </xsl:choose>\n"
+	" </xsl:variable>\n"
+	" <tr class=\"{$css-class0}\">\n"
+	" <th>\n"
+	" <xsl:value-of select=\"@name\"/>\n"
+	" </th>\n"
+	" <td>\n"
+	" <xsl:value-of select=\".\"/>\n"
+	" </td>\n"
+	" </tr>\n"
+	" </xsl:for-each>\n"
+	" <tr>\n"
+	" <th class=\"totals\">Total:</th>\n"
+	" <td class=\"totals\">\n"
+	" <xsl:value-of "
+	"select=\"sum(server/counters[@type=&quot;opcode&quot;]/counter)\"/>\n"
+	" </td>\n"
+	" </tr>\n"
+	" </table>\n"
+	" <br/>\n"
+	" </xsl:if>\n"
+	" <xsl:if test=\"server/counters[@type=&quot;qtype&quot;]/counter\">\n"
+	" <xsl:if test=\"system-property('xsl:vendor')!='Transformiix'\">\n"
+	" <!-- Non Mozilla specific markup -->\n"
+	" <h3>Incoming Queries by Query Type</h3>\n"
+	" <div class=\"pie\" id=\"chart_incoming_qtypes\">\n"
+	" [cannot display chart]\n"
+	" </div>\n"
+	" </xsl:if>\n"
+	" <table class=\"counters\">\n"
+	" <xsl:for-each "
+	"select=\"server/counters[@type=&quot;qtype&quot;]/counter\">\n"
+	" <xsl:sort select=\".\" data-type=\"number\" order=\"descending\"/>\n"
+	" <xsl:variable name=\"css-class\">\n"
+	" <xsl:choose>\n"
+	" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
+	" <xsl:otherwise>odd</xsl:otherwise>\n"
+	" </xsl:choose>\n"
+	" </xsl:variable>\n"
+	" <tr class=\"{$css-class}\">\n"
+	" <th>\n"
+	" <xsl:value-of select=\"@name\"/>\n"
+	" </th>\n"
+	" <td>\n"
+	" <xsl:value-of select=\".\"/>\n"
+	" </td>\n"
+	" </tr>\n"
+	" </xsl:for-each>\n"
+	" <tr>\n"
+	" <th class=\"totals\">Total:</th>\n"
+	" <td class=\"totals\">\n"
+	" <xsl:value-of "
+	"select=\"sum(server/counters[@type=&quot;qtype&quot;]/counter)\"/>\n"
+	" </td>\n"
+	" </tr>\n"
+	" </table>\n"
+	" <br/>\n"
+	" </xsl:if>\n"
+	" <xsl:if "
+	"test=\"views/view[count(counters[@type=&quot;resqtype&quot;]/counter) "
+	"&gt; 0]\">\n"
+	" <h2>Outgoing Queries per view</h2>\n"
+	" <xsl:for-each "
+	"select=\"views/view[count(counters[@type=&quot;resqtype&quot;]/"
+	"counter) &gt; 0]\">\n"
+	" <h3>View <xsl:value-of select=\"@name\"/></h3>\n"
+	" <xsl:if test=\"system-property('xsl:vendor')!='Transformiix'\">\n"
+	" <!-- Non Mozilla specific markup -->\n"
+	" <script type=\"text/javascript\">\n"
+	" graphs.push({\n"
+	" 'title': \"Outgoing Queries for view: <xsl:value-of "
+	"select=\"@name\"/>\",\n"
+	" 'target': 'chart_outgoing_queries_view_<xsl:value-of "
+	"select=\"@name\"/>',\n"
+	" 'style': 'barchart',\n"
+	" 'data': [['Type','Counter'],<xsl:for-each "
+	"select=\"counters[@type=&quot;resqtype&quot;]/"
+	"counter\">['<xsl:value-of select=\"@name\"/>',<xsl:value-of "
+	"select=\".\"/>],</xsl:for-each>]\n"
+	" });\n"
+	" </script>\n"
+	" <xsl:variable name=\"target\">\n"
+	" <xsl:value-of select=\"@name\"/>\n"
+	" </xsl:variable>\n"
+	" <div class=\"pie\" id=\"chart_outgoing_queries_view_{$target}\">[no "
+	"data to display]</div>\n"
+	" </xsl:if>\n"
+	" <table class=\"counters\">\n"
+	" <xsl:for-each "
+	"select=\"counters[@type=&quot;resqtype&quot;]/counter\">\n"
+	" <xsl:sort select=\".\" data-type=\"number\" order=\"descending\"/>\n"
+	" <xsl:variable name=\"css-class1\">\n"
+	" <xsl:choose>\n"
+	" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
+	" <xsl:otherwise>odd</xsl:otherwise>\n"
+	" </xsl:choose>\n"
+	" </xsl:variable>\n"
+	" <tr class=\"{$css-class1}\">\n"
+	" <th>\n"
+	" <xsl:value-of select=\"@name\"/>\n"
+	" </th>\n"
+	" <td>\n"
+	" <xsl:value-of select=\".\"/>\n"
+	" </td>\n"
+	" </tr>\n"
+	" </xsl:for-each>\n"
+	" </table>\n"
+	" <br/>\n"
+	" </xsl:for-each>\n"
+	" </xsl:if>\n"
+	" <xsl:if "
+	"test=\"server/counters[@type=&quot;nsstat&quot;]/counter[.&gt;0]\">\n"
+	" <h2>Server Statistics</h2>\n"
+	" <xsl:if test=\"system-property('xsl:vendor')!='Transformiix'\">\n"
+	" <!-- Non Mozilla specific markup -->\n"
+	" <script type=\"text/javascript\">\n"
+	" graphs.push({\n"
+	" 'title' : \"Server Counters\",\n"
+	" 'target': 'chart_server_nsstat_restype',\n"
+	" 'style': 'barchart',\n"
+	" 'data': [['Type','Counter'],<xsl:for-each "
+	"select=\"server/counters[@type=&quot;nsstat&quot;]/"
+	"counter[.&gt;0]\">['<xsl:value-of select=\"@name\"/>',<xsl:value-of "
+	"select=\".\"/>],</xsl:for-each>]\n"
+	" });\n"
+	" </script>\n"
+	" <div class=\"pie\" id=\"chart_server_nsstat_restype\">[no data to "
+	"display]</div>\n"
+	" </xsl:if>\n"
+	" <table class=\"counters\">\n"
+	" <xsl:for-each "
+	"select=\"server/counters[@type=&quot;nsstat&quot;]/"
+	"counter[.&gt;0]\">\n"
+	" <xsl:sort select=\".\" data-type=\"number\" order=\"descending\"/>\n"
+	" <xsl:variable name=\"css-class2\">\n"
+	" <xsl:choose>\n"
+	" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
+	" <xsl:otherwise>odd</xsl:otherwise>\n"
+	" </xsl:choose>\n"
+	" </xsl:variable>\n"
+	" <tr class=\"{$css-class2}\">\n"
+	" <th>\n"
+	" <xsl:value-of select=\"@name\"/>\n"
+	" </th>\n"
+	" <td>\n"
+	" <xsl:value-of select=\".\"/>\n"
+	" </td>\n"
+	" </tr>\n"
+	" </xsl:for-each>\n"
+	" </table>\n"
+	" <br/>\n"
+	" </xsl:if>\n"
+	" <xsl:if "
+	"test=\"server/counters[@type=&quot;zonestat&quot;]/"
+	"counter[.&gt;0]\">\n"
+	" <xsl:if test=\"system-property('xsl:vendor')!='Transformiix'\">\n"
+	" <h2>Zone Maintenance Statistics</h2>\n"
+	" <script type=\"text/javascript\">\n"
+	" graphs.push({\n"
+	" 'title' : \"Zone Maintenance Stats\",\n"
+	" 'target': 'chart_server_zone_maint',\n"
+	" 'style': 'barchart',\n"
+	" 'data': [['Type','Counter'],<xsl:for-each "
+	"select=\"server/counters[@type=&quot;zonestat&quot;]/"
+	"counter[.&gt;0]\">['<xsl:value-of select=\"@name\"/>',<xsl:value-of "
+	"select=\".\"/>],</xsl:for-each>]\n"
+	" });\n"
+	" </script>\n"
+	" <!-- Non Mozilla specific markup -->\n"
+	" <div class=\"pie\" id=\"chart_server_zone_maint\">[no data to "
+	"display]</div>\n"
+	" </xsl:if>\n"
+	" <table class=\"counters\">\n"
+	" <xsl:for-each "
+	"select=\"server/counters[@type=&quot;zonestat&quot;]/counter\">\n"
+	" <xsl:sort select=\".\" data-type=\"number\" order=\"descending\"/>\n"
+	" <xsl:variable name=\"css-class3\">\n"
+	" <xsl:choose>\n"
+	" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
+	" <xsl:otherwise>odd</xsl:otherwise>\n"
+	" </xsl:choose>\n"
+	" </xsl:variable>\n"
+	" <tr class=\"{$css-class3}\">\n"
+	" <th>\n"
+	" <xsl:value-of select=\"@name\"/>\n"
+	" </th>\n"
+	" <td>\n"
+	" <xsl:value-of select=\".\"/>\n"
+	" </td>\n"
+	" </tr>\n"
+	" </xsl:for-each>\n"
+	" </table>\n"
+	" </xsl:if>\n"
+	" <xsl:if "
+	"test=\"server/counters[@type=&quot;resstat&quot;]/counter[.&gt;0]\">\n"
+	" <h2>Resolver Statistics (Common)</h2>\n"
+	" <table class=\"counters\">\n"
+	" <xsl:for-each "
+	"select=\"server/counters[@type=&quot;resstat&quot;]/counter\">\n"
+	" <xsl:sort select=\".\" data-type=\"number\" order=\"descending\"/>\n"
+	" <xsl:variable name=\"css-class4\">\n"
+	" <xsl:choose>\n"
+	" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
+	" <xsl:otherwise>odd</xsl:otherwise>\n"
+	" </xsl:choose>\n"
+	" </xsl:variable>\n"
+	" <tr class=\"{$css-class4}\">\n"
+	" <th>\n"
+	" <xsl:value-of select=\"@name\"/>\n"
+	" </th>\n"
+	" <td>\n"
+	" <xsl:value-of select=\".\"/>\n"
+	" </td>\n"
+	" </tr>\n"
+	" </xsl:for-each>\n"
+	" </table>\n"
+	" </xsl:if>\n"
+	" <xsl:for-each select=\"views/view\">\n"
+	" <xsl:if "
+	"test=\"counters[@type=&quot;resstats&quot;]/counter[.&gt;0]\">\n"
+	" <h3>Resolver Statistics for View <xsl:value-of "
+	"select=\"@name\"/></h3>\n"
+	" <table class=\"counters\">\n"
+	" <xsl:for-each "
+	"select=\"counters[@type=&quot;resstats&quot;]/counter[.&gt;0]\">\n"
+	" <xsl:sort select=\".\" data-type=\"number\" order=\"descending\"/>\n"
+	" <xsl:variable name=\"css-class5\">\n"
+	" <xsl:choose>\n"
+	" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
+	" <xsl:otherwise>odd</xsl:otherwise>\n"
+	" </xsl:choose>\n"
+	" </xsl:variable>\n"
+	" <tr class=\"{$css-class5}\">\n"
+	" <th>\n"
+	" <xsl:value-of select=\"@name\"/>\n"
+	" </th>\n"
+	" <td>\n"
+	" <xsl:value-of select=\".\"/>\n"
+	" </td>\n"
+	" </tr>\n"
+	" </xsl:for-each>\n"
+	" </table>\n"
+	" </xsl:if>\n"
+	" </xsl:for-each>\n"
+	" <xsl:for-each select=\"views/view\">\n"
+	" <xsl:if "
+	"test=\"counters[@type=&quot;adbstat&quot;]/counter[.&gt;0]\">\n"
+	" <h3>ADB Statistics for View <xsl:value-of select=\"@name\"/></h3>\n"
+	" <table class=\"counters\">\n"
+	" <xsl:for-each "
+	"select=\"counters[@type=&quot;adbstat&quot;]/counter[.&gt;0]\">\n"
+	" <xsl:sort select=\".\" data-type=\"number\" order=\"descending\"/>\n"
+	" <xsl:variable name=\"css-class5\">\n"
+	" <xsl:choose>\n"
+	" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
+	" <xsl:otherwise>odd</xsl:otherwise>\n"
+	" </xsl:choose>\n"
+	" </xsl:variable>\n"
+	" <tr class=\"{$css-class5}\">\n"
+	" <th>\n"
+	" <xsl:value-of select=\"@name\"/>\n"
+	" </th>\n"
+	" <td>\n"
+	" <xsl:value-of select=\".\"/>\n"
+	" </td>\n"
+	" </tr>\n"
+	" </xsl:for-each>\n"
+	" </table>\n"
+	" </xsl:if>\n"
+	" </xsl:for-each>\n"
+	" <xsl:for-each select=\"views/view\">\n"
+	" <xsl:if "
+	"test=\"counters[@type=&quot;cachestats&quot;]/counter[.&gt;0]\">\n"
+	" <h3>Cache Statistics for View <xsl:value-of select=\"@name\"/></h3>\n"
+	" <table class=\"counters\">\n"
+	" <xsl:for-each "
+	"select=\"counters[@type=&quot;cachestats&quot;]/counter[.&gt;0]\">\n"
+	" <xsl:sort select=\".\" data-type=\"number\" order=\"descending\"/>\n"
+	" <xsl:variable name=\"css-class5\">\n"
+	" <xsl:choose>\n"
+	" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
+	" <xsl:otherwise>odd</xsl:otherwise>\n"
+	" </xsl:choose>\n"
+	" </xsl:variable>\n"
+	" <tr class=\"{$css-class5}\">\n"
+	" <th>\n"
+	" <xsl:value-of select=\"@name\"/>\n"
+	" </th>\n"
+	" <td>\n"
+	" <xsl:value-of select=\".\"/>\n"
+	" </td>\n"
+	" </tr>\n"
+	" </xsl:for-each>\n"
+	" </table>\n"
+	" </xsl:if>\n"
+	" </xsl:for-each>\n"
+	" <xsl:for-each select=\"views/view\">\n"
+	" <xsl:if test=\"cache/rrset\">\n"
+	" <h3>Cache DB RRsets for View <xsl:value-of select=\"@name\"/></h3>\n"
+	" <table class=\"counters\">\n"
+	" <xsl:for-each select=\"cache/rrset\">\n"
+	" <xsl:variable name=\"css-class6\">\n"
+	" <xsl:choose>\n"
+	" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
+	" <xsl:otherwise>odd</xsl:otherwise>\n"
+	" </xsl:choose>\n"
+	" </xsl:variable>\n"
+	" <tr class=\"{$css-class6}\">\n"
+	" <th>\n"
+	" <xsl:value-of select=\"name\"/>\n"
+	" </th>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"counter\"/>\n"
+	" </td>\n"
+	" </tr>\n"
+	" </xsl:for-each>\n"
+	" </table>\n"
+	" <br/>\n"
+	" </xsl:if>\n"
+	" </xsl:for-each>\n"
+	" <xsl:if "
+	"test=\"traffic//udp/counters[@type=&quot;request-size&quot;]/"
+	"counter[.&gt;0] or "
+	"traffic//udp/counters[@type=&quot;response-size&quot;]/"
+	"counter[.&gt;0] or "
+	"traffic//tcp/counters[@type=&quot;request-size&quot;]/counter[.&gt;0] "
+	"or "
+	"traffic//tcp/counters[@type=&quot;response-size&quot;]/"
+	"counter[.&gt;0]\">\n"
+	" <h2>Traffic Size Statistics</h2>\n"
+	" </xsl:if>\n"
+	" <xsl:if "
+	"test=\"traffic//udp/counters[@type=&quot;request-size&quot;]/"
+	"counter[.&gt;0]\">\n"
+	" <h4>UDP Requests Received</h4>\n"
+	" <table class=\"counters\">\n"
+	" <xsl:for-each "
+	"select=\"traffic//udp/counters[@type=&quot;request-size&quot;]/"
+	"counter[.&gt;0]\">\n"
+	" <xsl:variable name=\"css-class7\">\n"
+	" <xsl:choose>\n"
+	" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
+	" <xsl:otherwise>odd</xsl:otherwise>\n"
+	" </xsl:choose>\n"
+	" </xsl:variable>\n"
+	" <tr class=\"{$css-class7}\">\n"
+	" <th><xsl:value-of select=\"local-name(../../..)\"/></th>\n"
+	" <th>\n"
+	" <xsl:value-of select=\"@name\"/>\n"
+	" </th>\n"
+	" <td>\n"
+	" <xsl:value-of select=\".\"/>\n"
+	" </td>\n"
+	" </tr>\n"
+	" </xsl:for-each>\n"
+	" </table>\n"
+	" <br/>\n"
+	" </xsl:if>\n"
+	" <xsl:if "
+	"test=\"traffic//udp/counters[@type=&quot;response-size&quot;]/"
+	"counter[.&gt;0]\">\n"
+	" <h4>UDP Responses Sent</h4>\n"
+	" <table class=\"counters\">\n"
+	" <xsl:for-each "
+	"select=\"traffic//udp/counters[@type=&quot;response-size&quot;]/"
+	"counter[.&gt;0]\">\n"
+	" <xsl:variable name=\"css-class7\">\n"
+	" <xsl:choose>\n"
+	" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
+	" <xsl:otherwise>odd</xsl:otherwise>\n"
+	" </xsl:choose>\n"
+	" </xsl:variable>\n"
+	" <tr class=\"{$css-class7}\">\n"
+	" <th><xsl:value-of select=\"local-name(../../..)\"/></th>\n"
+	" <th>\n"
+	" <xsl:value-of select=\"@name\"/>\n"
+	" </th>\n"
+	" <td>\n"
+	" <xsl:value-of select=\".\"/>\n"
+	" </td>\n"
+	" </tr>\n"
+	" </xsl:for-each>\n"
+	" </table>\n"
+	" <br/>\n"
+	" </xsl:if>\n"
+	" <xsl:if "
+	"test=\"traffic//tcp/counters[@type=&quot;request-size&quot;]/"
+	"counter[.&gt;0]\">\n"
+	" <h4>TCP Requests Received</h4>\n"
+	" <table class=\"counters\">\n"
+	" <xsl:for-each "
+	"select=\"traffic//tcp/counters[@type=&quot;request-size&quot;]/"
+	"counter[.&gt;0]\">\n"
+	" <xsl:variable name=\"css-class7\">\n"
+	" <xsl:choose>\n"
+	" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
+	" <xsl:otherwise>odd</xsl:otherwise>\n"
+	" </xsl:choose>\n"
+	" </xsl:variable>\n"
+	" <tr class=\"{$css-class7}\">\n"
+	" <th><xsl:value-of select=\"local-name(../../..)\"/></th>\n"
+	" <th>\n"
+	" <xsl:value-of select=\"@name\"/>\n"
+	" </th>\n"
+	" <td>\n"
+	" <xsl:value-of select=\".\"/>\n"
+	" </td>\n"
+	" </tr>\n"
+	" </xsl:for-each>\n"
+	" </table>\n"
+	" <br/>\n"
+	" </xsl:if>\n"
+	" <xsl:if "
+	"test=\"traffic//tcp/counters[@type=&quot;response-size&quot;]/"
+	"counter[.&gt;0]\">\n"
+	" <h4>TCP Responses Sent</h4>\n"
+	" <table class=\"counters\">\n"
+	" <xsl:for-each "
+	"select=\"traffic//tcp/counters[@type=&quot;response-size&quot;]/"
+	"counter[.&gt;0]\">\n"
+	" <xsl:variable name=\"css-class7\">\n"
+	" <xsl:choose>\n"
+	" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
+	" <xsl:otherwise>odd</xsl:otherwise>\n"
+	" </xsl:choose>\n"
+	" </xsl:variable>\n"
+	" <tr class=\"{$css-class7}\">\n"
+	" <th><xsl:value-of select=\"local-name(../../..)\"/></th>\n"
+	" <th>\n"
+	" <xsl:value-of select=\"@name\"/>\n"
+	" </th>\n"
+	" <td>\n"
+	" <xsl:value-of select=\".\"/>\n"
+	" </td>\n"
+	" </tr>\n"
+	" </xsl:for-each>\n"
+	" </table>\n"
+	" <br/>\n"
+	" </xsl:if>\n"
+	" <xsl:if "
+	"test=\"server/counters[@type=&quot;sockstat&quot;]/"
+	"counter[.&gt;0]\">\n"
+	" <h2>Socket I/O Statistics</h2>\n"
+	" <table class=\"counters\">\n"
+	" <xsl:for-each "
+	"select=\"server/counters[@type=&quot;sockstat&quot;]/"
+	"counter[.&gt;0]\">\n"
+	" <xsl:variable name=\"css-class7\">\n"
+	" <xsl:choose>\n"
+	" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
+	" <xsl:otherwise>odd</xsl:otherwise>\n"
+	" </xsl:choose>\n"
+	" </xsl:variable>\n"
+	" <tr class=\"{$css-class7}\">\n"
+	" <th>\n"
+	" <xsl:value-of select=\"@name\"/>\n"
+	" </th>\n"
+	" <td>\n"
+	" <xsl:value-of select=\".\"/>\n"
+	" </td>\n"
+	" </tr>\n"
+	" </xsl:for-each>\n"
+	" </table>\n"
+	" <br/>\n"
+	" </xsl:if>\n"
+	" <xsl:if test=\"views/view/zones/zone\">\n"
+	" <xsl:for-each select=\"views/view\">\n"
+	" <h3>Zones for View <xsl:value-of select=\"@name\"/></h3>\n"
+	" <table class=\"zones\">\n"
+	" <thead><tr><th>Name</th><th>Class</th><th>Type</th><th>Serial</"
+	"th><th>Loaded</th><th>Expires</th><th>Refresh</th></tr></thead>\n"
+	" <tbody>\n"
+	" <xsl:for-each select=\"zones/zone\">\n"
+	" <xsl:variable name=\"css-class15\">\n"
+	" <xsl:choose>\n"
+	" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
+	" <xsl:otherwise>odd</xsl:otherwise>\n"
+	" </xsl:choose>\n"
+	" </xsl:variable>\n"
+	" <tr class=\"{$css-class15}\">\n"
+	" <td><xsl:value-of select=\"@name\"/></td>\n"
+	" <td><xsl:value-of select=\"@rdataclass\"/></td>\n"
+	" <td><xsl:value-of select=\"type\"/></td>\n"
+	" <td><xsl:value-of select=\"serial\"/></td>\n"
+	" <td><xsl:value-of select=\"loaded\"/></td>\n"
+	" <td><xsl:value-of select=\"expires\"/></td>\n"
+	" <td><xsl:value-of select=\"refresh\"/></td></tr>\n"
+	" </xsl:for-each>\n"
+	" </tbody>\n"
+	" </table>\n"
+	" </xsl:for-each>\n"
+	" </xsl:if>\n"
+	" <xsl:if "
+	"test=\"views/view[zones/zone/counters[@type=&quot;qtype&quot;]/"
+	"counter &gt;0]\">\n"
+	" <h2>Received QTYPES per view/zone</h2>\n"
+	" <xsl:for-each "
+	"select=\"views/view[zones/zone/counters[@type=&quot;qtype&quot;]/"
+	"counter &gt;0]\">\n"
+	" <h3>View <xsl:value-of select=\"@name\"/></h3>\n"
+	" <xsl:variable name=\"thisview\">\n"
+	" <xsl:value-of select=\"@name\"/>\n"
+	" </xsl:variable>\n"
+	" <xsl:for-each select=\"zones/zone\">\n"
+	" <xsl:if test=\"counters[@type=&quot;qtype&quot;]/counter[count(.) "
+	"&gt; 0]\">\n"
+	" <h4>Zone <xsl:value-of select=\"@name\"/></h4>\n"
+	" <xsl:if test=\"system-property('xsl:vendor')!='Transformiix'\">\n"
+	" <!-- Non Mozilla specific markup -->\n"
+	" <script type=\"text/javascript\">\n"
+	" graphs.push({\n"
+	" 'title': \"Query types for zone <xsl:value-of select=\"@name\"/>\",\n"
+	" 'target': 'chart_qtype_<xsl:value-of "
+	"select=\"../../@name\"/>_<xsl:value-of select=\"@name\"/>',\n"
+	" 'style': 'barchart',\n"
+	" 'data': [['Type','Counter'],<xsl:for-each "
+	"select=\"counters[@type=&quot;qtype&quot;]/counter[.&gt;0 and @name "
+	"!= &quot;QryAuthAns&quot;]\">['<xsl:value-of "
+	"select=\"@name\"/>',<xsl:value-of select=\".\"/>],</xsl:for-each>]\n"
+	" });\n"
+	"\n"
+	" </script>\n"
+	" <xsl:variable name=\"target\">\n"
+	" <xsl:value-of select=\"@name\"/>\n"
+	" </xsl:variable>\n"
+	" <div class=\"pie\" id=\"chart_qtype_{$thisview}_{$target}\">[no data "
+	"to display]</div>\n"
+	" </xsl:if>\n"
+	" <table class=\"counters\">\n"
+	" <xsl:for-each select=\"counters[@type=&quot;qtype&quot;]/counter\">\n"
+	" <xsl:sort select=\".\"/>\n"
+	" <xsl:variable name=\"css-class10\">\n"
+	" <xsl:choose>\n"
+	" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
+	" <xsl:otherwise>odd</xsl:otherwise>\n"
+	" </xsl:choose>\n"
+	" </xsl:variable>\n"
+	" <tr class=\"{$css-class10}\">\n"
+	" <th>\n"
+	" <xsl:value-of select=\"@name\"/>\n"
+	" </th>\n"
+	" <td>\n"
+	" <xsl:value-of select=\".\"/>\n"
+	" </td>\n"
+	" </tr>\n"
+	" </xsl:for-each>\n"
+	" </table>\n"
+	" </xsl:if>\n"
+	" </xsl:for-each>\n"
+	" </xsl:for-each>\n"
+	" </xsl:if>\n"
+	" <xsl:if "
+	"test=\"views/view[zones/zone/counters[@type=&quot;rcode&quot;]/"
+	"counter &gt;0]\">\n"
+	" <h2>Response Codes per view/zone</h2>\n"
+	" <xsl:for-each "
+	"select=\"views/view[zones/zone/counters[@type=&quot;rcode&quot;]/"
+	"counter &gt;0]\">\n"
+	" <h3>View <xsl:value-of select=\"@name\"/></h3>\n"
+	" <xsl:variable name=\"thisview2\">\n"
+	" <xsl:value-of select=\"@name\"/>\n"
+	" </xsl:variable>\n"
+	" <xsl:for-each select=\"zones/zone\">\n"
+	" <xsl:if test=\"counters[@type=&quot;rcode&quot;]/counter[. &gt; "
+	"0]\">\n"
+	" <h4>Zone <xsl:value-of select=\"@name\"/></h4>\n"
+	" <xsl:if test=\"system-property('xsl:vendor')!='Transformiix'\">\n"
+	" <!-- Non Mozilla specific markup -->\n"
+	" <script type=\"text/javascript\">\n"
+	" graphs.push({\n"
+	" 'title': \"Response codes for zone <xsl:value-of "
+	"select=\"@name\"/>\",\n"
+	" 'target': 'chart_rescode_<xsl:value-of "
+	"select=\"../../@name\"/>_<xsl:value-of select=\"@name\"/>',\n"
+	" 'style': 'barchart',\n"
+	" 'data': [['Type','Counter'],<xsl:for-each "
+	"select=\"counters[@type=&quot;rcode&quot;]/counter[.&gt;0 and @name "
+	"!= &quot;QryAuthAns&quot;]\">['<xsl:value-of "
+	"select=\"@name\"/>',<xsl:value-of select=\".\"/>],</xsl:for-each>]\n"
+	" });\n"
+	"\n"
+	" </script>\n"
+	" <xsl:variable name=\"target\">\n"
+	" <xsl:value-of select=\"@name\"/>\n"
+	" </xsl:variable>\n"
+	" <div class=\"pie\" id=\"chart_rescode_{$thisview2}_{$target}\">[no "
+	"data to display]</div>\n"
+	" </xsl:if>\n"
+	" <table class=\"counters\">\n"
+	" <xsl:for-each "
+	"select=\"counters[@type=&quot;rcode&quot;]/counter[.&gt;0 and @name "
+	"!= &quot;QryAuthAns&quot;]\">\n"
+	" <xsl:sort select=\".\"/>\n"
+	" <xsl:variable name=\"css-class11\">\n"
+	" <xsl:choose>\n"
+	" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
+	" <xsl:otherwise>odd</xsl:otherwise>\n"
+	" </xsl:choose>\n"
+	" </xsl:variable>\n"
+	" <tr class=\"{$css-class11}\">\n"
+	" <th>\n"
+	" <xsl:value-of select=\"@name\"/>\n"
+	" </th>\n"
+	" <td>\n"
+	" <xsl:value-of select=\".\"/>\n"
+	" </td>\n"
+	" </tr>\n"
+	" </xsl:for-each>\n"
+	" </table>\n"
+	" </xsl:if>\n"
+	" </xsl:for-each>\n"
+	" </xsl:for-each>\n"
+	" </xsl:if>\n"
+	" <xsl:if "
+	"test=\"views/view[zones/zone/counters[@type=&quot;gluecache&quot;]/"
+	"counter &gt;0]\">\n"
+	" <h2>Glue cache statistics</h2>\n"
+	" <xsl:for-each "
+	"select=\"views/view[zones/zone/counters[@type=&quot;gluecache&quot;]/"
+	"counter &gt;0]\">\n"
+	" <h3>View <xsl:value-of select=\"@name\"/></h3>\n"
+	" <xsl:variable name=\"thisview2\">\n"
+	" <xsl:value-of select=\"@name\"/>\n"
+	" </xsl:variable>\n"
+	" <xsl:for-each select=\"zones/zone\">\n"
+	" <xsl:if test=\"counters[@type=&quot;gluecache&quot;]/counter[. &gt; "
+	"0]\">\n"
+	" <h4>Zone <xsl:value-of select=\"@name\"/></h4>\n"
+	" <table class=\"counters\">\n"
+	" <xsl:for-each "
+	"select=\"counters[@type=&quot;gluecache&quot;]/counter[. &gt; 0]\">\n"
+	" <xsl:sort select=\".\"/>\n"
+	" <xsl:variable name=\"css-class11\">\n"
+	" <xsl:choose>\n"
+	" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
+	" <xsl:otherwise>odd</xsl:otherwise>\n"
+	" </xsl:choose>\n"
+	" </xsl:variable>\n"
+	" <tr class=\"{$css-class11}\">\n"
+	" <th>\n"
+	" <xsl:value-of select=\"@name\"/>\n"
+	" </th>\n"
+	" <td>\n"
+	" <xsl:value-of select=\".\"/>\n"
+	" </td>\n"
+	" </tr>\n"
+	" </xsl:for-each>\n"
+	" </table>\n"
+	" </xsl:if>\n"
+	" </xsl:for-each>\n"
+	" </xsl:for-each>\n"
+	" </xsl:if>\n"
+	" <xsl:if test=\"socketmgr/sockets/socket\">\n"
+	" <h2>Network Status</h2>\n"
+	" <table class=\"netstat\">\n"
+	" <tr>\n"
+	" <th>ID</th>\n"
+	" <th>Name</th>\n"
+	" <th>Type</th>\n"
+	" <th>References</th>\n"
+	" <th>LocalAddress</th>\n"
+	" <th>PeerAddress</th>\n"
+	" <th>State</th>\n"
+	" </tr>\n"
+	" <xsl:for-each select=\"socketmgr/sockets/socket\">\n"
+	" <xsl:sort select=\"id\"/>\n"
+	" <xsl:variable name=\"css-class12\">\n"
+	" <xsl:choose>\n"
+	" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
+	" <xsl:otherwise>odd</xsl:otherwise>\n"
+	" </xsl:choose>\n"
+	" </xsl:variable>\n"
+	" <tr class=\"{$css-class12}\">\n"
+	" <td>\n"
+	" <xsl:value-of select=\"id\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"name\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"type\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"references\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"local-address\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"peer-address\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:for-each select=\"states\">\n"
+	" <xsl:value-of select=\".\"/>\n"
+	" </xsl:for-each>\n"
+	" </td>\n"
+	" </tr>\n"
+	" </xsl:for-each>\n"
+	" </table>\n"
+	" <br/>\n"
+	" </xsl:if>\n"
+	" <xsl:if test=\"taskmgr/thread-model/type\">\n"
+	" <h2>Task Manager Configuration</h2>\n"
+	" <table class=\"counters\">\n"
+	" <tr>\n"
+	" <th class=\"even\">Thread-Model</th>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"taskmgr/thread-model/type\"/>\n"
+	" </td>\n"
+	" </tr>\n"
+	" <tr class=\"odd\">\n"
+	" <th>Worker Threads</th>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"taskmgr/thread-model/worker-threads\"/>\n"
+	" </td>\n"
+	" </tr>\n"
+	" <tr class=\"even\">\n"
+	" <th>Default Quantum</th>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"taskmgr/thread-model/default-quantum\"/>\n"
+	" </td>\n"
+	" </tr>\n"
+	" <tr class=\"odd\">\n"
+	" <th>Tasks Running</th>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"taskmgr/thread-model/tasks-running\"/>\n"
+	" </td>\n"
+	" </tr>\n"
+	" <tr class=\"even\">\n"
+	" <th>Tasks Ready</th>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"taskmgr/thread-model/tasks-ready\"/>\n"
+	" </td>\n"
+	" </tr>\n"
+	" </table>\n"
+	" <br/>\n"
+	" </xsl:if>\n"
+	" <xsl:if test=\"taskmgr/tasks/task\">\n"
+	" <h2>Tasks</h2>\n"
+	" <table class=\"tasks\">\n"
+	" <tr>\n"
+	" <th>ID</th>\n"
+	" <th>Name</th>\n"
+	" <th>References</th>\n"
+	" <th>State</th>\n"
+	" <th>Quantum</th>\n"
+	" <th>Events</th>\n"
+	" </tr>\n"
+	" <xsl:for-each select=\"taskmgr/tasks/task\">\n"
+	" <xsl:sort select=\"name\"/>\n"
+	" <xsl:variable name=\"css-class14\">\n"
+	" <xsl:choose>\n"
+	" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
+	" <xsl:otherwise>odd</xsl:otherwise>\n"
+	" </xsl:choose>\n"
+	" </xsl:variable>\n"
+	" <tr class=\"{$css-class14}\">\n"
+	" <td>\n"
+	" <xsl:value-of select=\"id\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"name\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"references\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"state\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"quantum\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"events\"/>\n"
+	" </td>\n"
+	" </tr>\n"
+	" </xsl:for-each>\n"
+	" </table>\n"
+	" <br/>\n"
+	" </xsl:if>\n"
+	" <xsl:if test=\"memory/summary\">\n"
+	" <h2>Memory Usage Summary</h2>\n"
+	" <table class=\"counters\">\n"
+	" <xsl:for-each select=\"memory/summary/*\">\n"
+	" <xsl:variable name=\"css-class13\">\n"
+	" <xsl:choose>\n"
+	" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
+	" <xsl:otherwise>odd</xsl:otherwise>\n"
+	" </xsl:choose>\n"
+	" </xsl:variable>\n"
+	" <tr class=\"{$css-class13}\">\n"
+	" <th>\n"
+	" <xsl:value-of select=\"name()\"/>\n"
+	" </th>\n"
+	" <td>\n"
+	" <xsl:value-of select=\".\"/>\n"
+	" </td>\n"
+	" </tr>\n"
+	" </xsl:for-each>\n"
+	" </table>\n"
+	" <br/>\n"
+	" </xsl:if>\n"
+	" <xsl:if test=\"memory/contexts/context\">\n"
+	" <h2>Memory Contexts</h2>\n"
+	" <table class=\"mctx\">\n"
+	" <tr>\n"
+	" <th>ID</th>\n"
+	" <th>Name</th>\n"
+	" <th>References</th>\n"
+	" <th>TotalUse</th>\n"
+	" <th>InUse</th>\n"
+	" <th>MaxUse</th>\n"
+	" <th>Malloced</th>\n"
+	" <th>MaxMalloced</th>\n"
+	" <th>BlockSize</th>\n"
+	" <th>Pools</th>\n"
+	" <th>HiWater</th>\n"
+	" <th>LoWater</th>\n"
+	" </tr>\n"
+	" <xsl:for-each select=\"memory/contexts/context\">\n"
+	" <xsl:sort select=\"total\" data-type=\"number\" "
+	"order=\"descending\"/>\n"
+	" <xsl:variable name=\"css-class14\">\n"
+	" <xsl:choose>\n"
+	" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
+	" <xsl:otherwise>odd</xsl:otherwise>\n"
+	" </xsl:choose>\n"
+	" </xsl:variable>\n"
+	" <tr class=\"{$css-class14}\">\n"
+	" <td>\n"
+	" <xsl:value-of select=\"id\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"name\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"references\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"total\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"inuse\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"maxinuse\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"malloced\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"maxmalloced\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"blocksize\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"pools\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"hiwater\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"lowater\"/>\n"
+	" </td>\n"
+	" </tr>\n"
+	" </xsl:for-each>\n"
+	" </table>\n"
+	" </xsl:if>\n"
+	" <hr/>\n"
+	" <p class=\"footer\">Internet Systems Consortium Inc.<br/><a "
+	"href=\"http://www.isc.org\">http://www.isc.org</a></p>\n"
+	" </body>\n"
+	" </html>\n"
+	" </xsl:template>\n"
+	"</xsl:stylesheet>\n";
diff --git a/bin/named/builtin.c b/bin/named/builtin.c
new file mode 100644
index 0000000..6781c3d
--- /dev/null
+++ b/bin/named/builtin.c
@@ -0,0 +1,592 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file
+ * \brief
+ * The built-in "version", "hostname", "id", "authors" and "empty" databases.
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/util.h>
+
+#include <dns/result.h>
+#include <dns/sdb.h>
+
+#include <named/builtin.h>
+#include <named/globals.h>
+#include <named/os.h>
+#include <named/server.h>
+
+typedef struct builtin builtin_t;
+
+static isc_result_t
+do_version_lookup(dns_sdblookup_t *lookup);
+static isc_result_t
+do_hostname_lookup(dns_sdblookup_t *lookup);
+static isc_result_t
+do_authors_lookup(dns_sdblookup_t *lookup);
+static isc_result_t
+do_id_lookup(dns_sdblookup_t *lookup);
+static isc_result_t
+do_empty_lookup(dns_sdblookup_t *lookup);
+static isc_result_t
+do_dns64_lookup(dns_sdblookup_t *lookup);
+
+/*
+ * We can't use function pointers as the db_data directly
+ * because ANSI C does not guarantee that function pointers
+ * can safely be cast to void pointers and back.
+ */
+
+struct builtin {
+	isc_result_t (*do_lookup)(dns_sdblookup_t *lookup);
+	char *server;
+	char *contact;
+};
+
+static builtin_t version_builtin = { do_version_lookup, NULL, NULL };
+static builtin_t hostname_builtin = { do_hostname_lookup, NULL, NULL };
+static builtin_t authors_builtin = { do_authors_lookup, NULL, NULL };
+static builtin_t id_builtin = { do_id_lookup, NULL, NULL };
+static builtin_t empty_builtin = { do_empty_lookup, NULL, NULL };
+static builtin_t dns64_builtin = { do_dns64_lookup, NULL, NULL };
+
+static dns_sdbimplementation_t *builtin_impl;
+static dns_sdbimplementation_t *dns64_impl;
+
+/*
+ * Pre computed HEX * 16 or 1 table.
+ */
+static const unsigned char hex16[256] = {
+	1, 1,	1,   1,	  1,   1,   1,	 1,   1,   1,	1, 1, 1, 1, 1, 1, /*00*/
+	1, 1,	1,   1,	  1,   1,   1,	 1,   1,   1,	1, 1, 1, 1, 1, 1, /*10*/
+	1, 1,	1,   1,	  1,   1,   1,	 1,   1,   1,	1, 1, 1, 1, 1, 1, /*20*/
+	0, 16,	32,  48,  64,  80,  96,	 112, 128, 144, 1, 1, 1, 1, 1, 1, /*30*/
+	1, 160, 176, 192, 208, 224, 240, 1,   1,   1,	1, 1, 1, 1, 1, 1, /*40*/
+	1, 1,	1,   1,	  1,   1,   1,	 1,   1,   1,	1, 1, 1, 1, 1, 1, /*50*/
+	1, 160, 176, 192, 208, 224, 240, 1,   1,   1,	1, 1, 1, 1, 1, 1, /*60*/
+	1, 1,	1,   1,	  1,   1,   1,	 1,   1,   1,	1, 1, 1, 1, 1, 1, /*70*/
+	1, 1,	1,   1,	  1,   1,   1,	 1,   1,   1,	1, 1, 1, 1, 1, 1, /*80*/
+	1, 1,	1,   1,	  1,   1,   1,	 1,   1,   1,	1, 1, 1, 1, 1, 1, /*90*/
+	1, 1,	1,   1,	  1,   1,   1,	 1,   1,   1,	1, 1, 1, 1, 1, 1, /*A0*/
+	1, 1,	1,   1,	  1,   1,   1,	 1,   1,   1,	1, 1, 1, 1, 1, 1, /*B0*/
+	1, 1,	1,   1,	  1,   1,   1,	 1,   1,   1,	1, 1, 1, 1, 1, 1, /*C0*/
+	1, 1,	1,   1,	  1,   1,   1,	 1,   1,   1,	1, 1, 1, 1, 1, 1, /*D0*/
+	1, 1,	1,   1,	  1,   1,   1,	 1,   1,   1,	1, 1, 1, 1, 1, 1, /*E0*/
+	1, 1,	1,   1,	  1,   1,   1,	 1,   1,   1,	1, 1, 1, 1, 1, 1  /*F0*/
+};
+
+const unsigned char decimal[] = "0123456789";
+
+static size_t
+dns64_rdata(unsigned char *v, size_t start, unsigned char *rdata) {
+	size_t i, j = 0;
+
+	for (i = 0; i < 4U; i++) {
+		unsigned char c = v[start++];
+		if (start == 7U) {
+			start++;
+		}
+		if (c > 99) {
+			rdata[j++] = 3;
+			rdata[j++] = decimal[c / 100];
+			c = c % 100;
+			rdata[j++] = decimal[c / 10];
+			c = c % 10;
+			rdata[j++] = decimal[c];
+		} else if (c > 9) {
+			rdata[j++] = 2;
+			rdata[j++] = decimal[c / 10];
+			c = c % 10;
+			rdata[j++] = decimal[c];
+		} else {
+			rdata[j++] = 1;
+			rdata[j++] = decimal[c];
+		}
+	}
+	memmove(&rdata[j], "\07in-addr\04arpa", 14);
+	return (j + 14);
+}
+
+static isc_result_t
+dns64_cname(const dns_name_t *zone, const dns_name_t *name,
+	    dns_sdblookup_t *lookup) {
+	size_t zlen, nlen, j, len;
+	unsigned char v[16], n;
+	unsigned int i;
+	unsigned char rdata[sizeof("123.123.123.123.in-addr.arpa.")];
+	unsigned char *ndata;
+
+	/*
+	 * The combined length of the zone and name is 74.
+	 *
+	 * The minimum zone length is 10 ((3)ip6(4)arpa(0)).
+	 *
+	 * The length of name should always be even as we are expecting
+	 * a series of nibbles.
+	 */
+	zlen = zone->length;
+	nlen = name->length;
+	if ((zlen + nlen) > 74U || zlen < 10U || (nlen % 2) != 0U) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	/*
+	 * We assume the zone name is well formed.
+	 */
+
+	/*
+	 * XXXMPA We could check the dns64 suffix here if we need to.
+	 */
+	/*
+	 * Check that name is a series of nibbles.
+	 * Compute the byte values that correspond to the nibbles as we go.
+	 *
+	 * Shift the final result 4 bits, by setting 'i' to 1, if we if we
+	 * have a odd number of nibbles so that "must be zero" tests below
+	 * are byte aligned and we correctly return ISC_R_NOTFOUND or
+	 * ISC_R_SUCCESS.  We will not generate a CNAME in this case.
+	 */
+	ndata = name->ndata;
+	i = (nlen % 4) == 2U ? 1 : 0;
+	j = nlen;
+	memset(v, 0, sizeof(v));
+	while (j != 0U) {
+		INSIST((i / 2) < sizeof(v));
+		if (ndata[0] != 1) {
+			return (ISC_R_NOTFOUND);
+		}
+		n = hex16[ndata[1] & 0xff];
+		if (n == 1) {
+			return (ISC_R_NOTFOUND);
+		}
+		v[i / 2] = n | (v[i / 2] >> 4);
+		j -= 2;
+		ndata += 2;
+		i++;
+	}
+
+	/*
+	 * If we get here then we know name only consisted of nibbles.
+	 * Now we need to determine if the name exists or not and whether
+	 * it corresponds to a empty node in the zone or there should be
+	 * a CNAME.
+	 */
+#define ZLEN(x) (10 + (x) / 2)
+	switch (zlen) {
+	case ZLEN(32): /* prefix len 32 */
+		/*
+		 * The nibbles that map to this byte must be zero for 'name'
+		 * to exist in the zone.
+		 */
+		if (nlen > 16U && v[(nlen - 1) / 4 - 4] != 0) {
+			return (ISC_R_NOTFOUND);
+		}
+		/*
+		 * If the total length is not 74 then this is a empty node
+		 * so return success.
+		 */
+		if (nlen + zlen != 74U) {
+			return (ISC_R_SUCCESS);
+		}
+		len = dns64_rdata(v, 8, rdata);
+		break;
+	case ZLEN(40): /* prefix len 40 */
+		/*
+		 * The nibbles that map to this byte must be zero for 'name'
+		 * to exist in the zone.
+		 */
+		if (nlen > 12U && v[(nlen - 1) / 4 - 3] != 0) {
+			return (ISC_R_NOTFOUND);
+		}
+		/*
+		 * If the total length is not 74 then this is a empty node
+		 * so return success.
+		 */
+		if (nlen + zlen != 74U) {
+			return (ISC_R_SUCCESS);
+		}
+		len = dns64_rdata(v, 6, rdata);
+		break;
+	case ZLEN(48): /* prefix len 48 */
+		/*
+		 * The nibbles that map to this byte must be zero for 'name'
+		 * to exist in the zone.
+		 */
+		if (nlen > 8U && v[(nlen - 1) / 4 - 2] != 0) {
+			return (ISC_R_NOTFOUND);
+		}
+		/*
+		 * If the total length is not 74 then this is a empty node
+		 * so return success.
+		 */
+		if (nlen + zlen != 74U) {
+			return (ISC_R_SUCCESS);
+		}
+		len = dns64_rdata(v, 5, rdata);
+		break;
+	case ZLEN(56): /* prefix len 56 */
+		/*
+		 * The nibbles that map to this byte must be zero for 'name'
+		 * to exist in the zone.
+		 */
+		if (nlen > 4U && v[(nlen - 1) / 4 - 1] != 0) {
+			return (ISC_R_NOTFOUND);
+		}
+		/*
+		 * If the total length is not 74 then this is a empty node
+		 * so return success.
+		 */
+		if (nlen + zlen != 74U) {
+			return (ISC_R_SUCCESS);
+		}
+		len = dns64_rdata(v, 4, rdata);
+		break;
+	case ZLEN(64): /* prefix len 64 */
+		/*
+		 * The nibbles that map to this byte must be zero for 'name'
+		 * to exist in the zone.
+		 */
+		if (v[(nlen - 1) / 4] != 0) {
+			return (ISC_R_NOTFOUND);
+		}
+		/*
+		 * If the total length is not 74 then this is a empty node
+		 * so return success.
+		 */
+		if (nlen + zlen != 74U) {
+			return (ISC_R_SUCCESS);
+		}
+		len = dns64_rdata(v, 3, rdata);
+		break;
+	case ZLEN(96): /* prefix len 96 */
+		/*
+		 * If the total length is not 74 then this is a empty node
+		 * so return success.
+		 */
+		if (nlen + zlen != 74U) {
+			return (ISC_R_SUCCESS);
+		}
+		len = dns64_rdata(v, 0, rdata);
+		break;
+	default:
+		/*
+		 * This should never be reached unless someone adds a
+		 * zone declaration with this internal type to named.conf.
+		 */
+		return (ISC_R_NOTFOUND);
+	}
+	return (dns_sdb_putrdata(lookup, dns_rdatatype_cname, 600, rdata,
+				 (unsigned int)len));
+}
+
+static isc_result_t
+builtin_lookup(const char *zone, const char *name, void *dbdata,
+	       dns_sdblookup_t *lookup, dns_clientinfomethods_t *methods,
+	       dns_clientinfo_t *clientinfo) {
+	builtin_t *b = (builtin_t *)dbdata;
+
+	UNUSED(zone);
+	UNUSED(methods);
+	UNUSED(clientinfo);
+
+	if (strcmp(name, "@") == 0) {
+		return (b->do_lookup(lookup));
+	} else {
+		return (ISC_R_NOTFOUND);
+	}
+}
+
+static isc_result_t
+dns64_lookup(const dns_name_t *zone, const dns_name_t *name, void *dbdata,
+	     dns_sdblookup_t *lookup, dns_clientinfomethods_t *methods,
+	     dns_clientinfo_t *clientinfo) {
+	builtin_t *b = (builtin_t *)dbdata;
+
+	UNUSED(methods);
+	UNUSED(clientinfo);
+
+	if (name->labels == 0 && name->length == 0) {
+		return (b->do_lookup(lookup));
+	} else {
+		return (dns64_cname(zone, name, lookup));
+	}
+}
+
+static isc_result_t
+put_txt(dns_sdblookup_t *lookup, const char *text) {
+	unsigned char buf[256];
+	unsigned int len = strlen(text);
+	if (len > 255) {
+		len = 255; /* Silently truncate */
+	}
+	buf[0] = len;
+	memmove(&buf[1], text, len);
+	return (dns_sdb_putrdata(lookup, dns_rdatatype_txt, 0, buf, len + 1));
+}
+
+static isc_result_t
+do_version_lookup(dns_sdblookup_t *lookup) {
+	if (named_g_server->version_set) {
+		if (named_g_server->version == NULL) {
+			return (ISC_R_SUCCESS);
+		} else {
+			return (put_txt(lookup, named_g_server->version));
+		}
+	} else {
+		return (put_txt(lookup, named_g_version));
+	}
+}
+
+static isc_result_t
+do_hostname_lookup(dns_sdblookup_t *lookup) {
+	if (named_g_server->hostname_set) {
+		if (named_g_server->hostname == NULL) {
+			return (ISC_R_SUCCESS);
+		} else {
+			return (put_txt(lookup, named_g_server->hostname));
+		}
+	} else {
+		char buf[256];
+		isc_result_t result = named_os_gethostname(buf, sizeof(buf));
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		return (put_txt(lookup, buf));
+	}
+}
+
+static isc_result_t
+do_authors_lookup(dns_sdblookup_t *lookup) {
+	isc_result_t result;
+	const char **p;
+	static const char *authors[] = {
+		"Mark Andrews",	  "Curtis Blackburn",	"James Brister",
+		"Ben Cottrell",	  "John H. DuBois III", "Francis Dupont",
+		"Michael Graff",  "Andreas Gustafsson", "Bob Halley",
+		"Evan Hunt",	  "JINMEI Tatuya",	"Witold Krecicki",
+		"David Lawrence", "Scott Mann",		"Danny Mayer",
+		"Damien Neil",	  "Matt Nelson",	"Jeremy C. Reed",
+		"Michael Sawyer", "Brian Wellington",	NULL
+	};
+
+	/*
+	 * If a version string is specified, disable the authors.bind zone.
+	 */
+	if (named_g_server->version_set) {
+		return (ISC_R_SUCCESS);
+	}
+
+	for (p = authors; *p != NULL; p++) {
+		result = put_txt(lookup, *p);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+do_id_lookup(dns_sdblookup_t *lookup) {
+	if (named_g_server->sctx->gethostname != NULL) {
+		char buf[256];
+		isc_result_t result;
+
+		result = named_g_server->sctx->gethostname(buf, sizeof(buf));
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		return (put_txt(lookup, buf));
+	} else if (named_g_server->sctx->server_id != NULL) {
+		return (put_txt(lookup, named_g_server->sctx->server_id));
+	} else {
+		return (ISC_R_SUCCESS);
+	}
+}
+
+static isc_result_t
+do_dns64_lookup(dns_sdblookup_t *lookup) {
+	UNUSED(lookup);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+do_empty_lookup(dns_sdblookup_t *lookup) {
+	UNUSED(lookup);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+builtin_authority(const char *zone, void *dbdata, dns_sdblookup_t *lookup) {
+	isc_result_t result;
+	const char *contact = "hostmaster";
+	const char *server = "@";
+	builtin_t *b = (builtin_t *)dbdata;
+
+	UNUSED(zone);
+	UNUSED(dbdata);
+
+	if (b == &empty_builtin) {
+		server = ".";
+		contact = ".";
+	} else {
+		if (b->server != NULL) {
+			server = b->server;
+		}
+		if (b->contact != NULL) {
+			contact = b->contact;
+		}
+	}
+
+	result = dns_sdb_putsoa(lookup, server, contact, 0);
+	if (result != ISC_R_SUCCESS) {
+		return (ISC_R_FAILURE);
+	}
+
+	result = dns_sdb_putrr(lookup, "ns", 0, server);
+	if (result != ISC_R_SUCCESS) {
+		return (ISC_R_FAILURE);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+builtin_create(const char *zone, int argc, char **argv, void *driverdata,
+	       void **dbdata) {
+	REQUIRE(argc >= 1);
+
+	UNUSED(zone);
+	UNUSED(driverdata);
+
+	if (strcmp(argv[0], "empty") == 0 || strcmp(argv[0], "dns64") == 0) {
+		if (argc != 3) {
+			return (DNS_R_SYNTAX);
+		}
+	} else if (argc != 1) {
+		return (DNS_R_SYNTAX);
+	}
+
+	if (strcmp(argv[0], "version") == 0) {
+		*dbdata = &version_builtin;
+	} else if (strcmp(argv[0], "hostname") == 0) {
+		*dbdata = &hostname_builtin;
+	} else if (strcmp(argv[0], "authors") == 0) {
+		*dbdata = &authors_builtin;
+	} else if (strcmp(argv[0], "id") == 0) {
+		*dbdata = &id_builtin;
+	} else if (strcmp(argv[0], "empty") == 0 ||
+		   strcmp(argv[0], "dns64") == 0)
+	{
+		builtin_t *empty;
+		char *server;
+		char *contact;
+		/*
+		 * We don't want built-in zones to fail.  Fallback to
+		 * the static configuration if memory allocation fails.
+		 */
+		empty = isc_mem_get(named_g_mctx, sizeof(*empty));
+		server = isc_mem_strdup(named_g_mctx, argv[1]);
+		contact = isc_mem_strdup(named_g_mctx, argv[2]);
+		if (empty == NULL || server == NULL || contact == NULL) {
+			if (strcmp(argv[0], "empty") == 0) {
+				*dbdata = &empty_builtin;
+			} else {
+				*dbdata = &dns64_builtin;
+			}
+			if (server != NULL) {
+				isc_mem_free(named_g_mctx, server);
+			}
+			if (contact != NULL) {
+				isc_mem_free(named_g_mctx, contact);
+			}
+			if (empty != NULL) {
+				isc_mem_put(named_g_mctx, empty,
+					    sizeof(*empty));
+			}
+		} else {
+			if (strcmp(argv[0], "empty") == 0) {
+				memmove(empty, &empty_builtin,
+					sizeof(empty_builtin));
+			} else {
+				memmove(empty, &dns64_builtin,
+					sizeof(empty_builtin));
+			}
+			empty->server = server;
+			empty->contact = contact;
+			*dbdata = empty;
+		}
+	} else {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static void
+builtin_destroy(const char *zone, void *driverdata, void **dbdata) {
+	builtin_t *b = (builtin_t *)*dbdata;
+
+	UNUSED(zone);
+	UNUSED(driverdata);
+
+	/*
+	 * Don't free the static versions.
+	 */
+	if (*dbdata == &version_builtin || *dbdata == &hostname_builtin ||
+	    *dbdata == &authors_builtin || *dbdata == &id_builtin ||
+	    *dbdata == &empty_builtin || *dbdata == &dns64_builtin)
+	{
+		return;
+	}
+
+	isc_mem_free(named_g_mctx, b->server);
+	isc_mem_free(named_g_mctx, b->contact);
+	isc_mem_put(named_g_mctx, b, sizeof(*b));
+}
+
+static dns_sdbmethods_t builtin_methods = {
+	builtin_lookup, builtin_authority, NULL, /* allnodes */
+	builtin_create, builtin_destroy,   NULL
+};
+
+static dns_sdbmethods_t dns64_methods = {
+	NULL,		builtin_authority, NULL, /* allnodes */
+	builtin_create, builtin_destroy,   dns64_lookup,
+};
+
+isc_result_t
+named_builtin_init(void) {
+	RUNTIME_CHECK(dns_sdb_register("_builtin", &builtin_methods, NULL,
+				       DNS_SDBFLAG_RELATIVEOWNER |
+					       DNS_SDBFLAG_RELATIVERDATA,
+				       named_g_mctx,
+				       &builtin_impl) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(dns_sdb_register("_dns64", &dns64_methods, NULL,
+				       DNS_SDBFLAG_RELATIVEOWNER |
+					       DNS_SDBFLAG_RELATIVERDATA |
+					       DNS_SDBFLAG_DNS64,
+				       named_g_mctx,
+				       &dns64_impl) == ISC_R_SUCCESS);
+	return (ISC_R_SUCCESS);
+}
+
+void
+named_builtin_deinit(void) {
+	dns_sdb_unregister(&builtin_impl);
+	dns_sdb_unregister(&dns64_impl);
+}
diff --git a/bin/named/config.c b/bin/named/config.c
new file mode 100644
index 0000000..4941470
--- /dev/null
+++ b/bin/named/config.c
@@ -0,0 +1,1090 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <bind.keys.h>
+#include <inttypes.h>
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/netmgr.h>
+#include <isc/parseint.h>
+#include <isc/region.h>
+#include <isc/result.h>
+#include <isc/sockaddr.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <pk11/site.h>
+
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatatype.h>
+#include <dns/tsig.h>
+#include <dns/zone.h>
+
+#include <dst/dst.h>
+
+#include <isccfg/grammar.h>
+#include <isccfg/namedconf.h>
+
+#include <named/config.h>
+#include <named/globals.h>
+
+/*% default configuration */
+static char defaultconf[] = "\
+options {\n\
+	answer-cookie true;\n\
+	automatic-interface-scan yes;\n\
+	bindkeys-file \"" NAMED_SYSCONFDIR "/bind.keys\";\n\
+#	blackhole {none;};\n\
+	cookie-algorithm siphash24;\n"
+#ifndef WIN32
+			    "	coresize default;\n\
+	datasize default;\n"
+#endif /* ifndef WIN32 */
+			    "\
+#	directory <none>\n\
+	dnssec-policy \"none\";\n\
+	dump-file \"named_dump.db\";\n\
+	edns-udp-size 1232;\n"
+#ifndef WIN32
+			    "	files unlimited;\n"
+#endif /* ifndef WIN32 */
+#if defined(HAVE_GEOIP2) && !defined(WIN32)
+			    "	geoip-directory \"" MAXMINDDB_PREFIX
+			    "/share/GeoIP\";\n"
+#elif defined(HAVE_GEOIP2)
+			    "	geoip-directory \".\";\n"
+#endif /* if defined(HAVE_GEOIP2) && !defined(WIN32) */
+			    "\
+	heartbeat-interval 60;\n\
+	interface-interval 60;\n\
+#	keep-response-order {none;};\n\
+	listen-on {any;};\n\
+	listen-on-v6 {any;};\n\
+#	lock-file \"" NAMED_LOCALSTATEDIR "/run/named/named.lock\";\n\
+	match-mapped-addresses no;\n\
+	max-ixfr-ratio unlimited;\n\
+	max-rsa-exponent-size 0; /* no limit */\n\
+	max-udp-size 1232;\n\
+	memstatistics-file \"named.memstats\";\n\
+	nocookie-udp-size 4096;\n\
+	notify-rate 20;\n\
+	nta-lifetime 3600;\n\
+	nta-recheck 300;\n\
+#	pid-file \"" NAMED_LOCALSTATEDIR "/run/named/named.pid\"; \n\
+	port 53;\n"
+#if HAVE_SO_REUSEPORT_LB
+			    "\
+	reuseport yes;\n"
+#else
+			    "\
+	reuseport no;\n"
+#endif
+			    "\
+	prefetch 2 9;\n\
+	recursing-file \"named.recursing\";\n\
+	recursive-clients 1000;\n\
+	request-nsid false;\n\
+	reserved-sockets 512;\n\
+	resolver-query-timeout 10;\n\
+	rrset-order { order random; };\n\
+	secroots-file \"named.secroots\";\n\
+	send-cookie true;\n\
+	serial-query-rate 20;\n\
+	server-id none;\n\
+	session-keyalg hmac-sha256;\n\
+#	session-keyfile \"" NAMED_LOCALSTATEDIR "/run/named/session.key\";\n\
+	session-keyname local-ddns;\n"
+#ifndef WIN32
+			    "	stacksize default;\n"
+#endif /* ifndef WIN32 */
+			    "	startup-notify-rate 20;\n\
+	statistics-file \"named.stats\";\n\
+	tcp-advertised-timeout 300;\n\
+	tcp-clients 150;\n\
+	tcp-idle-timeout 300;\n\
+	tcp-initial-timeout 300;\n\
+	tcp-keepalive-timeout 300;\n\
+	tcp-listen-queue 10;\n\
+#	tkey-dhkey <none>\n\
+#	tkey-domain <none>\n\
+#	tkey-gssapi-credential <none>\n\
+	transfer-message-size 20480;\n\
+	transfers-in 10;\n\
+	transfers-out 10;\n\
+	transfers-per-ns 2;\n\
+	trust-anchor-telemetry yes;\n\
+	update-quota 100;\n\
+\n\
+	/* view */\n\
+	allow-new-zones no;\n\
+	allow-notify {none;};\n\
+	allow-query-cache { localnets; localhost; };\n\
+	allow-query-cache-on { any; };\n\
+	allow-recursion { localnets; localhost; };\n\
+	allow-recursion-on { any; };\n\
+	allow-update-forwarding {none;};\n\
+	auth-nxdomain false;\n\
+	check-dup-records warn;\n\
+	check-mx warn;\n\
+	check-names primary fail;\n\
+	check-names response ignore;\n\
+	check-names secondary warn;\n\
+	check-spf warn;\n\
+	clients-per-query 10;\n\
+	dnssec-accept-expired no;\n\
+	dnssec-validation " VALIDATION_DEFAULT "; \n"
+#ifdef HAVE_DNSTAP
+			    "	dnstap-identity hostname;\n"
+#endif /* ifdef HAVE_DNSTAP */
+			    "\
+	fetch-quota-params 100 0.1 0.3 0.7;\n\
+	fetches-per-server 0;\n\
+	fetches-per-zone 0;\n\
+	glue-cache yes;\n\
+	lame-ttl 0;\n"
+#ifdef HAVE_LMDB
+			    "	lmdb-mapsize 32M;\n"
+#endif /* ifdef HAVE_LMDB */
+			    "	max-cache-size 90%;\n\
+	max-cache-ttl 604800; /* 1 week */\n\
+	max-clients-per-query 100;\n\
+	max-ncache-ttl 10800; /* 3 hours */\n\
+	max-recursion-depth 7;\n\
+	max-recursion-queries 100;\n\
+	max-stale-ttl 86400; /* 1 day */\n\
+	message-compression yes;\n\
+	min-ncache-ttl 0; /* 0 hours */\n\
+	min-cache-ttl 0; /* 0 seconds */\n\
+	minimal-any false;\n\
+	minimal-responses no-auth-recursive;\n\
+	notify-source *;\n\
+	notify-source-v6 *;\n\
+	nsec3-test-zone no;\n\
+	parental-source *;\n\
+	parental-source-v6 *;\n\
+	provide-ixfr true;\n\
+	qname-minimization relaxed;\n\
+	query-source address *;\n\
+	query-source-v6 address *;\n\
+	recursion true;\n\
+	request-expire true;\n\
+	request-ixfr true;\n\
+	require-server-cookie no;\n\
+	resolver-nonbackoff-tries 3;\n\
+	resolver-retry-interval 800; /* in milliseconds */\n\
+	root-key-sentinel yes;\n\
+	servfail-ttl 1;\n\
+#	sortlist <none>\n\
+	stale-answer-client-timeout off;\n\
+	stale-answer-enable false;\n\
+	stale-answer-ttl 30; /* 30 seconds */\n\
+	stale-cache-enable true;\n\
+	stale-refresh-time 30; /* 30 seconds */\n\
+	synth-from-dnssec no;\n\
+#	topology <none>\n\
+	transfer-format many-answers;\n\
+	v6-bias 50;\n\
+	zero-no-soa-ttl-cache no;\n\
+\n\
+	/* zone */\n\
+	allow-query {any;};\n\
+	allow-query-on {any;};\n\
+	allow-transfer {any;};\n\
+#	also-notify <none>\n\
+	alt-transfer-source *;\n\
+	alt-transfer-source-v6 *;\n\
+	check-integrity yes;\n\
+	check-mx-cname warn;\n\
+	check-sibling yes;\n\
+	check-srv-cname warn;\n\
+	check-wildcard yes;\n\
+	dialup no;\n\
+	dnssec-dnskey-kskonly no;\n\
+	dnssec-loadkeys-interval 60;\n\
+	dnssec-secure-to-insecure no;\n\
+	dnssec-update-mode maintain;\n\
+#	forward <none>\n\
+#	forwarders <none>\n\
+#	inline-signing no;\n\
+	ixfr-from-differences false;\n\
+	max-journal-size default;\n\
+	max-records 0;\n\
+	max-refresh-time 2419200; /* 4 weeks */\n\
+	max-retry-time 1209600; /* 2 weeks */\n\
+	max-transfer-idle-in 60;\n\
+	max-transfer-idle-out 60;\n\
+	max-transfer-time-in 120;\n\
+	max-transfer-time-out 120;\n\
+	min-refresh-time 300;\n\
+	min-retry-time 500;\n\
+	multi-master no;\n\
+	notify yes;\n\
+	notify-delay 5;\n\
+	notify-to-soa no;\n\
+	serial-update-method increment;\n\
+	sig-signing-nodes 100;\n\
+	sig-signing-signatures 10;\n\
+	sig-signing-type 65534;\n\
+	sig-validity-interval 30; /* days */\n\
+	dnskey-sig-validity 0; /* default: sig-validity-interval */\n\
+	transfer-source *;\n\
+	transfer-source-v6 *;\n\
+	try-tcp-refresh yes; /* BIND 8 compat */\n\
+	update-check-ksk yes;\n\
+	zero-no-soa-ttl yes;\n\
+	zone-statistics terse;\n\
+};\n\
+"
+
+			    "#\n\
+#  Zones in the \"_bind\" view are NOT counted in the count of zones.\n\
+#\n\
+view \"_bind\" chaos {\n\
+	recursion no;\n\
+	notify no;\n\
+	allow-new-zones no;\n\
+	max-cache-size 2M;\n\
+\n\
+	# Prevent use of this zone in DNS amplified reflection DoS attacks\n\
+	rate-limit {\n\
+		responses-per-second 3;\n\
+		slip 0;\n\
+		min-table-size 10;\n\
+	};\n\
+\n\
+	zone \"version.bind\" chaos {\n\
+		type primary;\n\
+		database \"_builtin version\";\n\
+	};\n\
+\n\
+	zone \"hostname.bind\" chaos {\n\
+		type primary;\n\
+		database \"_builtin hostname\";\n\
+	};\n\
+\n\
+	zone \"authors.bind\" chaos {\n\
+		type primary;\n\
+		database \"_builtin authors\";\n\
+	};\n\
+\n\
+	zone \"id.server\" chaos {\n\
+		type primary;\n\
+		database \"_builtin id\";\n\
+	};\n\
+};\n\
+"
+			    "#\n\
+#  Default trusted key(s), used if \n\
+# \"dnssec-validation auto;\" is set and\n\
+#  " NAMED_SYSCONFDIR "/bind.keys doesn't exist).\n\
+#\n\
+# BEGIN TRUST ANCHORS\n"
+
+	/* Imported from bind.keys.h: */
+	TRUST_ANCHORS
+
+			    "# END TRUST ANCHORS\n\
+\n\
+primaries " DEFAULT_IANA_ROOT_ZONE_PRIMARIES " {\n\
+	2001:500:200::b;	# b.root-servers.net\n\
+	2001:500:2::c;		# c.root-servers.net\n\
+	2001:500:2f::f;		# f.root-servers.net\n\
+	2001:500:12::d0d;	# g.root-servers.net\n\
+	2001:7fd::1;		# k.root-servers.net\n\
+	2620:0:2830:202::132;	# xfr.cjr.dns.icann.org\n\
+	2620:0:2d0:202::132;	# xfr.lax.dns.icann.org\n\
+	199.9.14.201;		# b.root-servers.net\n\
+	192.33.4.12;		# c.root-servers.net\n\
+	192.5.5.241;		# f.root-servers.net\n\
+	192.112.36.4;		# g.root-servers.net\n\
+	193.0.14.129;		# k.root-servers.net\n\
+	192.0.47.132;		# xfr.cjr.dns.icann.org\n\
+	192.0.32.132;		# xfr.lax.dns.icann.org\n\
+};\n\
+";
+
+isc_result_t
+named_config_parsedefaults(cfg_parser_t *parser, cfg_obj_t **conf) {
+	isc_buffer_t b;
+
+	isc_buffer_init(&b, defaultconf, sizeof(defaultconf) - 1);
+	isc_buffer_add(&b, sizeof(defaultconf) - 1);
+	return (cfg_parse_buffer(parser, &b, __FILE__, 0, &cfg_type_namedconf,
+				 CFG_PCTX_NODEPRECATED, conf));
+}
+
+const char *
+named_config_getdefault(void) {
+	return (defaultconf);
+}
+
+isc_result_t
+named_config_get(cfg_obj_t const *const *maps, const char *name,
+		 const cfg_obj_t **obj) {
+	int i;
+
+	for (i = 0; maps[i] != NULL; i++) {
+		if (cfg_map_get(maps[i], name, obj) == ISC_R_SUCCESS) {
+			return (ISC_R_SUCCESS);
+		}
+	}
+	return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
+named_checknames_get(const cfg_obj_t **maps, const char *const names[],
+		     const cfg_obj_t **obj) {
+	const cfg_listelt_t *element;
+	const cfg_obj_t *checknames;
+	const cfg_obj_t *type;
+	const cfg_obj_t *value;
+	int i;
+
+	REQUIRE(maps != NULL);
+	REQUIRE(names != NULL);
+	REQUIRE(obj != NULL && *obj == NULL);
+
+	for (i = 0; maps[i] != NULL; i++) {
+		checknames = NULL;
+		if (cfg_map_get(maps[i], "check-names", &checknames) ==
+		    ISC_R_SUCCESS)
+		{
+			/*
+			 * Zone map entry is not a list.
+			 */
+			if (checknames != NULL && !cfg_obj_islist(checknames)) {
+				*obj = checknames;
+				return (ISC_R_SUCCESS);
+			}
+			for (element = cfg_list_first(checknames);
+			     element != NULL; element = cfg_list_next(element))
+			{
+				value = cfg_listelt_value(element);
+				type = cfg_tuple_get(value, "type");
+
+				for (size_t j = 0; names[j] != NULL; j++) {
+					if (strcasecmp(cfg_obj_asstring(type),
+						       names[j]) == 0)
+					{
+						*obj = cfg_tuple_get(value,
+								     "mode");
+						return (ISC_R_SUCCESS);
+					}
+				}
+			}
+		}
+	}
+	return (ISC_R_NOTFOUND);
+}
+
+int
+named_config_listcount(const cfg_obj_t *list) {
+	const cfg_listelt_t *e;
+	int i = 0;
+
+	for (e = cfg_list_first(list); e != NULL; e = cfg_list_next(e)) {
+		i++;
+	}
+
+	return (i);
+}
+
+isc_result_t
+named_config_getclass(const cfg_obj_t *classobj, dns_rdataclass_t defclass,
+		      dns_rdataclass_t *classp) {
+	isc_textregion_t r;
+	isc_result_t result;
+
+	if (!cfg_obj_isstring(classobj)) {
+		*classp = defclass;
+		return (ISC_R_SUCCESS);
+	}
+	DE_CONST(cfg_obj_asstring(classobj), r.base);
+	r.length = strlen(r.base);
+	result = dns_rdataclass_fromtext(classp, &r);
+	if (result != ISC_R_SUCCESS) {
+		cfg_obj_log(classobj, named_g_lctx, ISC_LOG_ERROR,
+			    "unknown class '%s'", r.base);
+	}
+	return (result);
+}
+
+isc_result_t
+named_config_gettype(const cfg_obj_t *typeobj, dns_rdatatype_t deftype,
+		     dns_rdatatype_t *typep) {
+	isc_textregion_t r;
+	isc_result_t result;
+
+	if (!cfg_obj_isstring(typeobj)) {
+		*typep = deftype;
+		return (ISC_R_SUCCESS);
+	}
+	DE_CONST(cfg_obj_asstring(typeobj), r.base);
+	r.length = strlen(r.base);
+	result = dns_rdatatype_fromtext(typep, &r);
+	if (result != ISC_R_SUCCESS) {
+		cfg_obj_log(typeobj, named_g_lctx, ISC_LOG_ERROR,
+			    "unknown type '%s'", r.base);
+	}
+	return (result);
+}
+
+dns_zonetype_t
+named_config_getzonetype(const cfg_obj_t *zonetypeobj) {
+	dns_zonetype_t ztype = dns_zone_none;
+	const char *str;
+
+	str = cfg_obj_asstring(zonetypeobj);
+	if (strcasecmp(str, "primary") == 0 || strcasecmp(str, "master") == 0) {
+		ztype = dns_zone_primary;
+	} else if (strcasecmp(str, "secondary") == 0 ||
+		   strcasecmp(str, "slave") == 0)
+	{
+		ztype = dns_zone_secondary;
+	} else if (strcasecmp(str, "mirror") == 0) {
+		ztype = dns_zone_mirror;
+	} else if (strcasecmp(str, "stub") == 0) {
+		ztype = dns_zone_stub;
+	} else if (strcasecmp(str, "static-stub") == 0) {
+		ztype = dns_zone_staticstub;
+	} else if (strcasecmp(str, "redirect") == 0) {
+		ztype = dns_zone_redirect;
+	} else {
+		UNREACHABLE();
+	}
+	return (ztype);
+}
+
+isc_result_t
+named_config_getiplist(const cfg_obj_t *config, const cfg_obj_t *list,
+		       in_port_t defport, isc_mem_t *mctx,
+		       isc_sockaddr_t **addrsp, isc_dscp_t **dscpsp,
+		       uint32_t *countp) {
+	int count, i = 0;
+	const cfg_obj_t *addrlist;
+	const cfg_obj_t *portobj, *dscpobj;
+	const cfg_listelt_t *element;
+	isc_sockaddr_t *addrs;
+	in_port_t port;
+	isc_dscp_t dscp = -1, *dscps = NULL;
+	isc_result_t result;
+
+	INSIST(addrsp != NULL && *addrsp == NULL);
+	INSIST(dscpsp == NULL || *dscpsp == NULL);
+	INSIST(countp != NULL);
+
+	addrlist = cfg_tuple_get(list, "addresses");
+	count = named_config_listcount(addrlist);
+
+	portobj = cfg_tuple_get(list, "port");
+	if (cfg_obj_isuint32(portobj)) {
+		uint32_t val = cfg_obj_asuint32(portobj);
+		if (val > UINT16_MAX) {
+			cfg_obj_log(portobj, named_g_lctx, ISC_LOG_ERROR,
+				    "port '%u' out of range", val);
+			return (ISC_R_RANGE);
+		}
+		port = (in_port_t)val;
+	} else if (defport != 0) {
+		port = defport;
+	} else {
+		result = named_config_getport(config, &port);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+
+	if (dscpsp != NULL) {
+		dscpobj = cfg_tuple_get(list, "dscp");
+		if (dscpobj != NULL && cfg_obj_isuint32(dscpobj)) {
+			if (cfg_obj_asuint32(dscpobj) > 63) {
+				cfg_obj_log(dscpobj, named_g_lctx,
+					    ISC_LOG_ERROR,
+					    "dscp value '%u' is out of range",
+					    cfg_obj_asuint32(dscpobj));
+				return (ISC_R_RANGE);
+			}
+			dscp = (isc_dscp_t)cfg_obj_asuint32(dscpobj);
+		}
+
+		dscps = isc_mem_get(mctx, count * sizeof(isc_dscp_t));
+	}
+
+	addrs = isc_mem_get(mctx, count * sizeof(isc_sockaddr_t));
+
+	for (element = cfg_list_first(addrlist); element != NULL;
+	     element = cfg_list_next(element), i++)
+	{
+		const cfg_obj_t *addr;
+		INSIST(i < count);
+		addr = cfg_listelt_value(element);
+		addrs[i] = *cfg_obj_assockaddr(addr);
+		if (dscpsp != NULL) {
+			isc_dscp_t innerdscp;
+			innerdscp = cfg_obj_getdscp(addr);
+			if (innerdscp == -1) {
+				innerdscp = dscp;
+			}
+			dscps[i] = innerdscp;
+		}
+		if (isc_sockaddr_getport(&addrs[i]) == 0) {
+			isc_sockaddr_setport(&addrs[i], port);
+		}
+	}
+	INSIST(i == count);
+
+	*addrsp = addrs;
+	*countp = count;
+
+	if (dscpsp != NULL) {
+		*dscpsp = dscps;
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+named_config_putiplist(isc_mem_t *mctx, isc_sockaddr_t **addrsp,
+		       isc_dscp_t **dscpsp, uint32_t count) {
+	INSIST(addrsp != NULL && *addrsp != NULL);
+	INSIST(dscpsp == NULL || *dscpsp != NULL);
+
+	isc_mem_put(mctx, *addrsp, count * sizeof(isc_sockaddr_t));
+	*addrsp = NULL;
+
+	if (dscpsp != NULL) {
+		isc_mem_put(mctx, *dscpsp, count * sizeof(isc_dscp_t));
+		*dscpsp = NULL;
+	}
+}
+
+static isc_result_t
+getremotesdef(const cfg_obj_t *cctx, const char *list, const char *name,
+	      const cfg_obj_t **ret) {
+	isc_result_t result;
+	const cfg_obj_t *obj = NULL;
+	const cfg_listelt_t *elt;
+
+	REQUIRE(cctx != NULL);
+	REQUIRE(name != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	result = cfg_map_get(cctx, list, &obj);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	elt = cfg_list_first(obj);
+	while (elt != NULL) {
+		obj = cfg_listelt_value(elt);
+		if (strcasecmp(cfg_obj_asstring(cfg_tuple_get(obj, "name")),
+			       name) == 0)
+		{
+			*ret = obj;
+			return (ISC_R_SUCCESS);
+		}
+		elt = cfg_list_next(elt);
+	}
+	return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
+named_config_getremotesdef(const cfg_obj_t *cctx, const char *list,
+			   const char *name, const cfg_obj_t **ret) {
+	isc_result_t result;
+
+	if (strcmp(list, "parental-agents") == 0) {
+		return (getremotesdef(cctx, list, name, ret));
+	} else if (strcmp(list, "primaries") == 0) {
+		result = getremotesdef(cctx, list, name, ret);
+		if (result != ISC_R_SUCCESS) {
+			result = getremotesdef(cctx, "masters", name, ret);
+		}
+		return (result);
+	}
+	return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
+named_config_getipandkeylist(const cfg_obj_t *config, const char *listtype,
+			     const cfg_obj_t *list, isc_mem_t *mctx,
+			     dns_ipkeylist_t *ipkl) {
+	uint32_t addrcount = 0, dscpcount = 0, keycount = 0, i = 0;
+	uint32_t listcount = 0, l = 0, j;
+	uint32_t stackcount = 0, pushed = 0;
+	isc_result_t result;
+	const cfg_listelt_t *element;
+	const cfg_obj_t *addrlist;
+	const cfg_obj_t *portobj;
+	const cfg_obj_t *dscpobj;
+	in_port_t port;
+	isc_dscp_t dscp = -1;
+	dns_fixedname_t fname;
+	isc_sockaddr_t *addrs = NULL;
+	isc_dscp_t *dscps = NULL;
+	dns_name_t **keys = NULL;
+	struct {
+		const char *name;
+	} *lists = NULL;
+	struct {
+		const cfg_listelt_t *element;
+		in_port_t port;
+		isc_dscp_t dscp;
+	} *stack = NULL;
+
+	REQUIRE(ipkl != NULL);
+	REQUIRE(ipkl->count == 0);
+	REQUIRE(ipkl->addrs == NULL);
+	REQUIRE(ipkl->keys == NULL);
+	REQUIRE(ipkl->dscps == NULL);
+	REQUIRE(ipkl->labels == NULL);
+	REQUIRE(ipkl->allocated == 0);
+
+	/*
+	 * Get system defaults.
+	 */
+	result = named_config_getport(config, &port);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	result = named_config_getdscp(config, &dscp);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+newlist:
+	addrlist = cfg_tuple_get(list, "addresses");
+	portobj = cfg_tuple_get(list, "port");
+	dscpobj = cfg_tuple_get(list, "dscp");
+
+	if (cfg_obj_isuint32(portobj)) {
+		uint32_t val = cfg_obj_asuint32(portobj);
+		if (val > UINT16_MAX) {
+			cfg_obj_log(portobj, named_g_lctx, ISC_LOG_ERROR,
+				    "port '%u' out of range", val);
+			result = ISC_R_RANGE;
+			goto cleanup;
+		}
+		port = (in_port_t)val;
+	}
+
+	if (dscpobj != NULL && cfg_obj_isuint32(dscpobj)) {
+		if (cfg_obj_asuint32(dscpobj) > 63) {
+			cfg_obj_log(dscpobj, named_g_lctx, ISC_LOG_ERROR,
+				    "dscp value '%u' is out of range",
+				    cfg_obj_asuint32(dscpobj));
+			result = ISC_R_RANGE;
+			goto cleanup;
+		}
+		dscp = (isc_dscp_t)cfg_obj_asuint32(dscpobj);
+	}
+
+	result = ISC_R_NOMEMORY;
+
+	element = cfg_list_first(addrlist);
+resume:
+	for (; element != NULL; element = cfg_list_next(element)) {
+		const cfg_obj_t *addr;
+		const cfg_obj_t *key;
+		const char *keystr;
+		isc_buffer_t b;
+
+		addr = cfg_tuple_get(cfg_listelt_value(element),
+				     "remoteselement");
+		key = cfg_tuple_get(cfg_listelt_value(element), "key");
+
+		if (!cfg_obj_issockaddr(addr)) {
+			const char *listname = cfg_obj_asstring(addr);
+			isc_result_t tresult;
+
+			/* Grow lists? */
+			if (listcount == l) {
+				void *tmp;
+				uint32_t newlen = listcount + 16;
+				size_t newsize, oldsize;
+
+				newsize = newlen * sizeof(*lists);
+				oldsize = listcount * sizeof(*lists);
+				tmp = isc_mem_get(mctx, newsize);
+				if (listcount != 0) {
+					memmove(tmp, lists, oldsize);
+					isc_mem_put(mctx, lists, oldsize);
+				}
+				lists = tmp;
+				listcount = newlen;
+			}
+			/* Seen? */
+			for (j = 0; j < l; j++) {
+				if (strcasecmp(lists[j].name, listname) == 0) {
+					break;
+				}
+			}
+			if (j < l) {
+				continue;
+			}
+			list = NULL;
+			tresult = named_config_getremotesdef(config, listtype,
+							     listname, &list);
+			if (tresult == ISC_R_NOTFOUND) {
+				cfg_obj_log(addr, named_g_lctx, ISC_LOG_ERROR,
+					    "%s \"%s\" not found", listtype,
+					    listname);
+
+				result = tresult;
+				goto cleanup;
+			}
+			if (tresult != ISC_R_SUCCESS) {
+				goto cleanup;
+			}
+			lists[l++].name = listname;
+			/* Grow stack? */
+			if (stackcount == pushed) {
+				void *tmp;
+				uint32_t newlen = stackcount + 16;
+				size_t newsize, oldsize;
+
+				newsize = newlen * sizeof(*stack);
+				oldsize = stackcount * sizeof(*stack);
+				tmp = isc_mem_get(mctx, newsize);
+				if (stackcount != 0) {
+					memmove(tmp, stack, oldsize);
+					isc_mem_put(mctx, stack, oldsize);
+				}
+				stack = tmp;
+				stackcount = newlen;
+			}
+			/*
+			 * We want to resume processing this list on the
+			 * next element.
+			 */
+			stack[pushed].element = cfg_list_next(element);
+			stack[pushed].port = port;
+			stack[pushed].dscp = dscp;
+			pushed++;
+			goto newlist;
+		}
+
+		if (i == addrcount) {
+			void *tmp;
+			uint32_t newlen = addrcount + 16;
+			size_t newsize, oldsize;
+
+			newsize = newlen * sizeof(isc_sockaddr_t);
+			oldsize = addrcount * sizeof(isc_sockaddr_t);
+			tmp = isc_mem_get(mctx, newsize);
+			if (addrcount != 0) {
+				memmove(tmp, addrs, oldsize);
+				isc_mem_put(mctx, addrs, oldsize);
+			}
+			addrs = tmp;
+			addrcount = newlen;
+
+			newsize = newlen * sizeof(isc_dscp_t);
+			oldsize = dscpcount * sizeof(isc_dscp_t);
+			tmp = isc_mem_get(mctx, newsize);
+			if (dscpcount != 0) {
+				memmove(tmp, dscps, oldsize);
+				isc_mem_put(mctx, dscps, oldsize);
+			}
+			dscps = tmp;
+			dscpcount = newlen;
+
+			newsize = newlen * sizeof(dns_name_t *);
+			oldsize = keycount * sizeof(dns_name_t *);
+			tmp = isc_mem_get(mctx, newsize);
+			if (keycount != 0) {
+				memmove(tmp, keys, oldsize);
+				isc_mem_put(mctx, keys, oldsize);
+			}
+			keys = tmp;
+			keycount = newlen;
+		}
+
+		addrs[i] = *cfg_obj_assockaddr(addr);
+		if (isc_sockaddr_getport(&addrs[i]) == 0) {
+			isc_sockaddr_setport(&addrs[i], port);
+		}
+		dscps[i] = cfg_obj_getdscp(addr);
+		if (dscps[i] == -1) {
+			dscps[i] = dscp;
+		}
+		keys[i] = NULL;
+		i++; /* Increment here so that cleanup on error works. */
+		if (!cfg_obj_isstring(key)) {
+			continue;
+		}
+		keys[i - 1] = isc_mem_get(mctx, sizeof(dns_name_t));
+		dns_name_init(keys[i - 1], NULL);
+
+		keystr = cfg_obj_asstring(key);
+		isc_buffer_constinit(&b, keystr, strlen(keystr));
+		isc_buffer_add(&b, strlen(keystr));
+		dns_fixedname_init(&fname);
+		result = dns_name_fromtext(dns_fixedname_name(&fname), &b,
+					   dns_rootname, 0, NULL);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+		dns_name_dup(dns_fixedname_name(&fname), mctx, keys[i - 1]);
+	}
+	if (pushed != 0) {
+		pushed--;
+		element = stack[pushed].element;
+		port = stack[pushed].port;
+		dscp = stack[pushed].dscp;
+		goto resume;
+	}
+	if (i < addrcount) {
+		void *tmp;
+		size_t newsize, oldsize;
+
+		newsize = i * sizeof(isc_sockaddr_t);
+		oldsize = addrcount * sizeof(isc_sockaddr_t);
+		if (i != 0) {
+			tmp = isc_mem_get(mctx, newsize);
+			memmove(tmp, addrs, newsize);
+		} else {
+			tmp = NULL;
+		}
+		isc_mem_put(mctx, addrs, oldsize);
+		addrs = tmp;
+		addrcount = i;
+
+		newsize = i * sizeof(isc_dscp_t);
+		oldsize = dscpcount * sizeof(isc_dscp_t);
+		if (i != 0) {
+			tmp = isc_mem_get(mctx, newsize);
+			memmove(tmp, dscps, newsize);
+		} else {
+			tmp = NULL;
+		}
+		isc_mem_put(mctx, dscps, oldsize);
+		dscps = tmp;
+		dscpcount = i;
+
+		newsize = i * sizeof(dns_name_t *);
+		oldsize = keycount * sizeof(dns_name_t *);
+		if (i != 0) {
+			tmp = isc_mem_get(mctx, newsize);
+			memmove(tmp, keys, newsize);
+		} else {
+			tmp = NULL;
+		}
+		isc_mem_put(mctx, keys, oldsize);
+		keys = tmp;
+		keycount = i;
+	}
+
+	if (lists != NULL) {
+		isc_mem_put(mctx, lists, listcount * sizeof(*lists));
+	}
+	if (stack != NULL) {
+		isc_mem_put(mctx, stack, stackcount * sizeof(*stack));
+	}
+
+	INSIST(dscpcount == addrcount);
+	INSIST(keycount == addrcount);
+	INSIST(keycount == dscpcount);
+
+	ipkl->addrs = addrs;
+	ipkl->dscps = dscps;
+	ipkl->keys = keys;
+	ipkl->count = addrcount;
+	ipkl->allocated = addrcount;
+
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	if (addrs != NULL) {
+		isc_mem_put(mctx, addrs, addrcount * sizeof(isc_sockaddr_t));
+	}
+	if (dscps != NULL) {
+		isc_mem_put(mctx, dscps, dscpcount * sizeof(isc_dscp_t));
+	}
+	if (keys != NULL) {
+		for (j = 0; j < i; j++) {
+			if (keys[j] == NULL) {
+				continue;
+			}
+			if (dns_name_dynamic(keys[j])) {
+				dns_name_free(keys[j], mctx);
+			}
+			isc_mem_put(mctx, keys[j], sizeof(dns_name_t));
+		}
+		isc_mem_put(mctx, keys, keycount * sizeof(dns_name_t *));
+	}
+	if (lists != NULL) {
+		isc_mem_put(mctx, lists, listcount * sizeof(*lists));
+	}
+	if (stack != NULL) {
+		isc_mem_put(mctx, stack, stackcount * sizeof(*stack));
+	}
+	return (result);
+}
+
+isc_result_t
+named_config_getport(const cfg_obj_t *config, in_port_t *portp) {
+	const cfg_obj_t *maps[3];
+	const cfg_obj_t *options = NULL;
+	const cfg_obj_t *portobj = NULL;
+	isc_result_t result;
+	int i;
+
+	(void)cfg_map_get(config, "options", &options);
+	i = 0;
+	if (options != NULL) {
+		maps[i++] = options;
+	}
+	maps[i++] = named_g_defaults;
+	maps[i] = NULL;
+
+	result = named_config_get(maps, "port", &portobj);
+	INSIST(result == ISC_R_SUCCESS);
+	if (cfg_obj_asuint32(portobj) >= UINT16_MAX) {
+		cfg_obj_log(portobj, named_g_lctx, ISC_LOG_ERROR,
+			    "port '%u' out of range",
+			    cfg_obj_asuint32(portobj));
+		return (ISC_R_RANGE);
+	}
+	*portp = (in_port_t)cfg_obj_asuint32(portobj);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+named_config_getdscp(const cfg_obj_t *config, isc_dscp_t *dscpp) {
+	const cfg_obj_t *options = NULL;
+	const cfg_obj_t *dscpobj = NULL;
+	isc_result_t result;
+
+	(void)cfg_map_get(config, "options", &options);
+	if (options == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+
+	result = cfg_map_get(options, "dscp", &dscpobj);
+	if (result != ISC_R_SUCCESS || dscpobj == NULL) {
+		*dscpp = -1;
+		return (ISC_R_SUCCESS);
+	}
+	if (cfg_obj_asuint32(dscpobj) >= 64) {
+		cfg_obj_log(dscpobj, named_g_lctx, ISC_LOG_ERROR,
+			    "dscp '%u' out of range",
+			    cfg_obj_asuint32(dscpobj));
+		return (ISC_R_RANGE);
+	}
+	*dscpp = (isc_dscp_t)cfg_obj_asuint32(dscpobj);
+	return (ISC_R_SUCCESS);
+}
+
+struct keyalgorithms {
+	const char *str;
+	enum {
+		hmacnone,
+		hmacmd5,
+		hmacsha1,
+		hmacsha224,
+		hmacsha256,
+		hmacsha384,
+		hmacsha512
+	} hmac;
+	unsigned int type;
+	uint16_t size;
+} algorithms[] = { { "hmac-md5", hmacmd5, DST_ALG_HMACMD5, 128 },
+		   { "hmac-md5.sig-alg.reg.int", hmacmd5, DST_ALG_HMACMD5, 0 },
+		   { "hmac-md5.sig-alg.reg.int.", hmacmd5, DST_ALG_HMACMD5, 0 },
+		   { "hmac-sha1", hmacsha1, DST_ALG_HMACSHA1, 160 },
+		   { "hmac-sha224", hmacsha224, DST_ALG_HMACSHA224, 224 },
+		   { "hmac-sha256", hmacsha256, DST_ALG_HMACSHA256, 256 },
+		   { "hmac-sha384", hmacsha384, DST_ALG_HMACSHA384, 384 },
+		   { "hmac-sha512", hmacsha512, DST_ALG_HMACSHA512, 512 },
+		   { NULL, hmacnone, DST_ALG_UNKNOWN, 0 } };
+
+isc_result_t
+named_config_getkeyalgorithm(const char *str, const dns_name_t **name,
+			     uint16_t *digestbits) {
+	return (named_config_getkeyalgorithm2(str, name, NULL, digestbits));
+}
+
+isc_result_t
+named_config_getkeyalgorithm2(const char *str, const dns_name_t **name,
+			      unsigned int *typep, uint16_t *digestbits) {
+	int i;
+	size_t len = 0;
+	uint16_t bits;
+	isc_result_t result;
+
+	for (i = 0; algorithms[i].str != NULL; i++) {
+		len = strlen(algorithms[i].str);
+		if (strncasecmp(algorithms[i].str, str, len) == 0 &&
+		    (str[len] == '\0' ||
+		     (algorithms[i].size != 0 && str[len] == '-')))
+		{
+			break;
+		}
+	}
+	if (algorithms[i].str == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+	if (str[len] == '-') {
+		result = isc_parse_uint16(&bits, str + len + 1, 10);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		if (bits > algorithms[i].size) {
+			return (ISC_R_RANGE);
+		}
+	} else if (algorithms[i].size == 0) {
+		bits = 128;
+	} else {
+		bits = algorithms[i].size;
+	}
+
+	if (name != NULL) {
+		switch (algorithms[i].hmac) {
+		case hmacmd5:
+			*name = dns_tsig_hmacmd5_name;
+			break;
+		case hmacsha1:
+			*name = dns_tsig_hmacsha1_name;
+			break;
+		case hmacsha224:
+			*name = dns_tsig_hmacsha224_name;
+			break;
+		case hmacsha256:
+			*name = dns_tsig_hmacsha256_name;
+			break;
+		case hmacsha384:
+			*name = dns_tsig_hmacsha384_name;
+			break;
+		case hmacsha512:
+			*name = dns_tsig_hmacsha512_name;
+			break;
+		default:
+			UNREACHABLE();
+		}
+	}
+	if (typep != NULL) {
+		*typep = algorithms[i].type;
+	}
+	if (digestbits != NULL) {
+		*digestbits = bits;
+	}
+	return (ISC_R_SUCCESS);
+}
diff --git a/bin/named/control.c b/bin/named/control.c
new file mode 100644
index 0000000..4cd5a5d
--- /dev/null
+++ b/bin/named/control.c
@@ -0,0 +1,311 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <stdbool.h>
+
+#include <isc/app.h>
+#include <isc/event.h>
+#include <isc/lex.h>
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/result.h>
+
+#include <isccc/alist.h>
+#include <isccc/cc.h>
+#include <isccc/result.h>
+
+#include <named/control.h>
+#include <named/globals.h>
+#include <named/log.h>
+#include <named/os.h>
+#include <named/server.h>
+#ifdef HAVE_LIBSCF
+#include <named/smf_globals.h>
+#endif /* ifdef HAVE_LIBSCF */
+
+static isc_result_t
+getcommand(isc_lex_t *lex, char **cmdp) {
+	isc_result_t result;
+	isc_token_t token;
+
+	REQUIRE(cmdp != NULL && *cmdp == NULL);
+
+	result = isc_lex_gettoken(lex, ISC_LEXOPT_EOF, &token);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	isc_lex_ungettoken(lex, &token);
+
+	if (token.type != isc_tokentype_string) {
+		return (ISC_R_FAILURE);
+	}
+
+	*cmdp = token.value.as_textregion.base;
+
+	return (ISC_R_SUCCESS);
+}
+
+static bool
+command_compare(const char *str, const char *command) {
+	return (strcasecmp(str, command) == 0);
+}
+
+/*%
+ * This function is called to process the incoming command
+ * when a control channel message is received.
+ */
+isc_result_t
+named_control_docommand(isccc_sexpr_t *message, bool readonly,
+			isc_buffer_t **text) {
+	isccc_sexpr_t *data;
+	char *cmdline = NULL;
+	char *command = NULL;
+	isc_result_t result;
+	int log_level;
+	isc_buffer_t src;
+	isc_lex_t *lex = NULL;
+#ifdef HAVE_LIBSCF
+	named_smf_want_disable = 0;
+#endif /* ifdef HAVE_LIBSCF */
+
+	data = isccc_alist_lookup(message, "_data");
+	if (!isccc_alist_alistp(data)) {
+		/*
+		 * No data section.
+		 */
+		return (ISC_R_FAILURE);
+	}
+
+	result = isccc_cc_lookupstring(data, "type", &cmdline);
+	if (result != ISC_R_SUCCESS) {
+		/*
+		 * We have no idea what this is.
+		 */
+		return (result);
+	}
+
+	result = isc_lex_create(named_g_mctx, strlen(cmdline), &lex);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	isc_buffer_init(&src, cmdline, strlen(cmdline));
+	isc_buffer_add(&src, strlen(cmdline));
+	result = isc_lex_openbuffer(lex, &src);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	result = getcommand(lex, &command);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	/*
+	 * Compare the 'command' parameter against all known control commands.
+	 */
+	if ((command_compare(command, NAMED_COMMAND_NULL) &&
+	     strlen(cmdline) == 4) ||
+	    command_compare(command, NAMED_COMMAND_STATUS))
+	{
+		log_level = ISC_LOG_DEBUG(1);
+	} else {
+		log_level = ISC_LOG_INFO;
+	}
+
+	/*
+	 * If this listener should have read-only access, reject
+	 * restricted commands here. rndc nta is handled specially
+	 * below.
+	 */
+	if (readonly && !command_compare(command, NAMED_COMMAND_NTA) &&
+	    !command_compare(command, NAMED_COMMAND_NULL) &&
+	    !command_compare(command, NAMED_COMMAND_STATUS) &&
+	    !command_compare(command, NAMED_COMMAND_SHOWZONE) &&
+	    !command_compare(command, NAMED_COMMAND_TESTGEN) &&
+	    !command_compare(command, NAMED_COMMAND_ZONESTATUS))
+	{
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_CONTROL, log_level,
+			      "rejecting restricted control channel "
+			      "command '%s'",
+			      cmdline);
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_CONTROL, log_level,
+		      "received control channel command '%s'", cmdline);
+
+	/*
+	 * After the lengthy "halt" and "stop", the commands are
+	 * handled in alphabetical order of the NAMED_COMMAND_ macros.
+	 */
+	if (command_compare(command, NAMED_COMMAND_HALT)) {
+#ifdef HAVE_LIBSCF
+		/*
+		 * If we are managed by smf(5), AND in chroot, then
+		 * we cannot connect to the smf repository, so just
+		 * return with an appropriate message back to rndc.
+		 */
+		if (named_smf_got_instance == 1 && named_smf_chroot == 1) {
+			result = named_smf_add_message(text);
+			goto cleanup;
+		}
+		/*
+		 * If we are managed by smf(5) but not in chroot,
+		 * try to disable ourselves the smf way.
+		 */
+		if (named_smf_got_instance == 1 && named_smf_chroot == 0) {
+			named_smf_want_disable = 1;
+		}
+		/*
+		 * If named_smf_got_instance = 0, named_smf_chroot
+		 * is not relevant and we fall through to
+		 * isc_app_shutdown below.
+		 */
+#endif /* ifdef HAVE_LIBSCF */
+		/* Do not flush master files */
+		named_server_flushonshutdown(named_g_server, false);
+		named_os_shutdownmsg(cmdline, *text);
+		isc_app_shutdown();
+		result = ISC_R_SUCCESS;
+	} else if (command_compare(command, NAMED_COMMAND_STOP)) {
+		/*
+		 * "stop" is the same as "halt" except it does
+		 * flush master files.
+		 */
+#ifdef HAVE_LIBSCF
+		if (named_smf_got_instance == 1 && named_smf_chroot == 1) {
+			result = named_smf_add_message(text);
+			goto cleanup;
+		}
+		if (named_smf_got_instance == 1 && named_smf_chroot == 0) {
+			named_smf_want_disable = 1;
+		}
+#endif /* ifdef HAVE_LIBSCF */
+		named_server_flushonshutdown(named_g_server, true);
+		named_os_shutdownmsg(cmdline, *text);
+		isc_app_shutdown();
+		result = ISC_R_SUCCESS;
+	} else if (command_compare(command, NAMED_COMMAND_ADDZONE) ||
+		   command_compare(command, NAMED_COMMAND_MODZONE))
+	{
+		result = named_server_changezone(named_g_server, cmdline, text);
+	} else if (command_compare(command, NAMED_COMMAND_DELZONE)) {
+		result = named_server_delzone(named_g_server, lex, text);
+	} else if (command_compare(command, NAMED_COMMAND_DNSSEC)) {
+		result = named_server_dnssec(named_g_server, lex, text);
+	} else if (command_compare(command, NAMED_COMMAND_DNSTAP) ||
+		   command_compare(command, NAMED_COMMAND_DNSTAPREOPEN))
+	{
+		result = named_server_dnstap(named_g_server, lex, text);
+	} else if (command_compare(command, NAMED_COMMAND_DUMPDB)) {
+		named_server_dumpdb(named_g_server, lex, text);
+		result = ISC_R_SUCCESS;
+	} else if (command_compare(command, NAMED_COMMAND_DUMPSTATS)) {
+		result = named_server_dumpstats(named_g_server);
+	} else if (command_compare(command, NAMED_COMMAND_FLUSH)) {
+		result = named_server_flushcache(named_g_server, lex);
+	} else if (command_compare(command, NAMED_COMMAND_FLUSHNAME)) {
+		result = named_server_flushnode(named_g_server, lex, false);
+	} else if (command_compare(command, NAMED_COMMAND_FLUSHTREE)) {
+		result = named_server_flushnode(named_g_server, lex, true);
+	} else if (command_compare(command, NAMED_COMMAND_FREEZE)) {
+		result = named_server_freeze(named_g_server, true, lex, text);
+	} else if (command_compare(command, NAMED_COMMAND_LOADKEYS) ||
+		   command_compare(command, NAMED_COMMAND_SIGN))
+	{
+		result = named_server_rekey(named_g_server, lex, text);
+	} else if (command_compare(command, NAMED_COMMAND_MKEYS)) {
+		result = named_server_mkeys(named_g_server, lex, text);
+	} else if (command_compare(command, NAMED_COMMAND_NOTIFY)) {
+		result = named_server_notifycommand(named_g_server, lex, text);
+	} else if (command_compare(command, NAMED_COMMAND_NOTRACE)) {
+		named_g_debuglevel = 0;
+		isc_log_setdebuglevel(named_g_lctx, named_g_debuglevel);
+		result = ISC_R_SUCCESS;
+	} else if (command_compare(command, NAMED_COMMAND_NTA)) {
+		result = named_server_nta(named_g_server, lex, readonly, text);
+	} else if (command_compare(command, NAMED_COMMAND_NULL)) {
+		result = ISC_R_SUCCESS;
+	} else if (command_compare(command, NAMED_COMMAND_QUERYLOG)) {
+		result = named_server_togglequerylog(named_g_server, lex);
+	} else if (command_compare(command, NAMED_COMMAND_RECONFIG)) {
+		result = named_server_reconfigcommand(named_g_server);
+	} else if (command_compare(command, NAMED_COMMAND_RECURSING)) {
+		result = named_server_dumprecursing(named_g_server);
+	} else if (command_compare(command, NAMED_COMMAND_REFRESH)) {
+		result = named_server_refreshcommand(named_g_server, lex, text);
+	} else if (command_compare(command, NAMED_COMMAND_RELOAD)) {
+		result = named_server_reloadcommand(named_g_server, lex, text);
+	} else if (command_compare(command, NAMED_COMMAND_RETRANSFER)) {
+		result = named_server_retransfercommand(named_g_server, lex,
+							text);
+	} else if (command_compare(command, NAMED_COMMAND_SCAN)) {
+		named_server_scan_interfaces(named_g_server);
+		result = ISC_R_SUCCESS;
+	} else if (command_compare(command, NAMED_COMMAND_SECROOTS)) {
+		result = named_server_dumpsecroots(named_g_server, lex, text);
+	} else if (command_compare(command, NAMED_COMMAND_SERVESTALE)) {
+		result = named_server_servestale(named_g_server, lex, text);
+	} else if (command_compare(command, NAMED_COMMAND_SHOWZONE)) {
+		result = named_server_showzone(named_g_server, lex, text);
+	} else if (command_compare(command, NAMED_COMMAND_SIGNING)) {
+		result = named_server_signing(named_g_server, lex, text);
+	} else if (command_compare(command, NAMED_COMMAND_STATUS)) {
+		result = named_server_status(named_g_server, text);
+	} else if (command_compare(command, NAMED_COMMAND_SYNC)) {
+		result = named_server_sync(named_g_server, lex, text);
+	} else if (command_compare(command, NAMED_COMMAND_TCPTIMEOUTS)) {
+		result = named_server_tcptimeouts(lex, text);
+	} else if (command_compare(command, NAMED_COMMAND_TESTGEN)) {
+		result = named_server_testgen(lex, text);
+	} else if (command_compare(command, NAMED_COMMAND_THAW) ||
+		   command_compare(command, NAMED_COMMAND_UNFREEZE))
+	{
+		result = named_server_freeze(named_g_server, false, lex, text);
+	} else if (command_compare(command, NAMED_COMMAND_TIMERPOKE)) {
+		isc_timermgr_poke(named_g_timermgr);
+		result = ISC_R_SUCCESS;
+	} else if (command_compare(command, NAMED_COMMAND_TRACE)) {
+		result = named_server_setdebuglevel(named_g_server, lex);
+	} else if (command_compare(command, NAMED_COMMAND_TSIGDELETE)) {
+		result = named_server_tsigdelete(named_g_server, lex, text);
+	} else if (command_compare(command, NAMED_COMMAND_TSIGLIST)) {
+		result = named_server_tsiglist(named_g_server, text);
+	} else if (command_compare(command, NAMED_COMMAND_VALIDATION)) {
+		result = named_server_validation(named_g_server, lex, text);
+	} else if (command_compare(command, NAMED_COMMAND_ZONESTATUS)) {
+		result = named_server_zonestatus(named_g_server, lex, text);
+	} else {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_CONTROL, ISC_LOG_WARNING,
+			      "unknown control channel command '%s'", command);
+		result = DNS_R_UNKNOWNCOMMAND;
+	}
+
+cleanup:
+	if (lex != NULL) {
+		isc_lex_destroy(&lex);
+	}
+
+	return (result);
+}
diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c
new file mode 100644
index 0000000..edb94aa
--- /dev/null
+++ b/bin/named/controlconf.c
@@ -0,0 +1,1563 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/event.h>
+#include <isc/file.h>
+#include <isc/mem.h>
+#include <isc/mutex.h>
+#include <isc/net.h>
+#include <isc/netaddr.h>
+#include <isc/nonce.h>
+#include <isc/random.h>
+#include <isc/result.h>
+#include <isc/stdtime.h>
+#include <isc/string.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/result.h>
+
+#include <isccc/alist.h>
+#include <isccc/cc.h>
+#include <isccc/ccmsg.h>
+#include <isccc/events.h>
+#include <isccc/result.h>
+#include <isccc/sexpr.h>
+#include <isccc/symtab.h>
+#include <isccc/util.h>
+
+#include <isccfg/namedconf.h>
+
+#include <bind9/check.h>
+
+#include <named/config.h>
+#include <named/control.h>
+#include <named/log.h>
+#include <named/server.h>
+
+/*
+ * Note: Listeners and connections are not locked.  All event handlers are
+ * executed by the server task, and all callers of exported routines must
+ * be running under the server task.
+ */
+
+typedef struct controlkey controlkey_t;
+typedef ISC_LIST(controlkey_t) controlkeylist_t;
+
+typedef struct controlconnection controlconnection_t;
+typedef ISC_LIST(controlconnection_t) controlconnectionlist_t;
+
+typedef struct controllistener controllistener_t;
+typedef ISC_LIST(controllistener_t) controllistenerlist_t;
+
+struct controlkey {
+	char *keyname;
+	uint32_t algorithm;
+	isc_region_t secret;
+	ISC_LINK(controlkey_t) link;
+};
+
+struct controlconnection {
+	isc_socket_t *sock;
+	isccc_ccmsg_t ccmsg;
+	bool ccmsg_valid;
+	bool sending;
+	isc_timer_t *timer;
+	isc_buffer_t *buffer;
+	controllistener_t *listener;
+	uint32_t nonce;
+	ISC_LINK(controlconnection_t) link;
+};
+
+struct controllistener {
+	named_controls_t *controls;
+	isc_mem_t *mctx;
+	isc_task_t *task;
+	isc_sockaddr_t address;
+	isc_socket_t *sock;
+	dns_acl_t *acl;
+	bool listening;
+	bool exiting;
+	controlkeylist_t keys;
+	controlconnectionlist_t connections;
+	isc_sockettype_t type;
+	uint32_t perm;
+	uint32_t owner;
+	uint32_t group;
+	bool readonly;
+	ISC_LINK(controllistener_t) link;
+};
+
+struct named_controls {
+	named_server_t *server;
+	controllistenerlist_t listeners;
+	bool shuttingdown;
+	isc_mutex_t symtab_lock;
+	isccc_symtab_t *symtab;
+};
+
+static void
+control_newconn(isc_task_t *task, isc_event_t *event);
+static void
+control_recvmessage(isc_task_t *task, isc_event_t *event);
+
+#define CLOCKSKEW 300
+
+static void
+free_controlkey(controlkey_t *key, isc_mem_t *mctx) {
+	if (key->keyname != NULL) {
+		isc_mem_free(mctx, key->keyname);
+	}
+	if (key->secret.base != NULL) {
+		isc_mem_put(mctx, key->secret.base, key->secret.length);
+	}
+	isc_mem_put(mctx, key, sizeof(*key));
+}
+
+static void
+free_controlkeylist(controlkeylist_t *keylist, isc_mem_t *mctx) {
+	while (!ISC_LIST_EMPTY(*keylist)) {
+		controlkey_t *key = ISC_LIST_HEAD(*keylist);
+		ISC_LIST_UNLINK(*keylist, key, link);
+		free_controlkey(key, mctx);
+	}
+}
+
+static void
+free_listener(controllistener_t *listener) {
+	INSIST(listener->exiting);
+	INSIST(!listener->listening);
+	INSIST(ISC_LIST_EMPTY(listener->connections));
+
+	if (listener->sock != NULL) {
+		isc_socket_detach(&listener->sock);
+	}
+
+	free_controlkeylist(&listener->keys, listener->mctx);
+
+	if (listener->acl != NULL) {
+		dns_acl_detach(&listener->acl);
+	}
+
+	isc_mem_putanddetach(&listener->mctx, listener, sizeof(*listener));
+}
+
+static void
+maybe_free_listener(controllistener_t *listener) {
+	if (listener->exiting && !listener->listening &&
+	    ISC_LIST_EMPTY(listener->connections))
+	{
+		free_listener(listener);
+	}
+}
+
+static void
+maybe_free_connection(controlconnection_t *conn) {
+	controllistener_t *listener = conn->listener;
+
+	if (conn->buffer != NULL) {
+		isc_buffer_free(&conn->buffer);
+	}
+
+	if (conn->timer != NULL) {
+		isc_timer_destroy(&conn->timer);
+	}
+
+	if (conn->ccmsg_valid) {
+		isccc_ccmsg_cancelread(&conn->ccmsg);
+		return;
+	}
+
+	if (conn->sending) {
+		isc_socket_cancel(conn->sock, listener->task,
+				  ISC_SOCKCANCEL_SEND);
+		return;
+	}
+
+	ISC_LIST_UNLINK(listener->connections, conn, link);
+#ifdef ENABLE_AFL
+	if (named_g_fuzz_type == isc_fuzz_rndc) {
+		named_fuzz_notify();
+	}
+#endif /* ifdef ENABLE_AFL */
+	isc_mem_put(listener->mctx, conn, sizeof(*conn));
+}
+
+static void
+shutdown_listener(controllistener_t *listener) {
+	controlconnection_t *conn;
+	controlconnection_t *next;
+
+	if (!listener->exiting) {
+		char socktext[ISC_SOCKADDR_FORMATSIZE];
+
+		ISC_LIST_UNLINK(listener->controls->listeners, listener, link);
+
+		isc_sockaddr_format(&listener->address, socktext,
+				    sizeof(socktext));
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_CONTROL, ISC_LOG_NOTICE,
+			      "stopping command channel on %s", socktext);
+		if (listener->type == isc_sockettype_unix) {
+			isc_socket_cleanunix(&listener->address, true);
+		}
+		listener->exiting = true;
+	}
+
+	for (conn = ISC_LIST_HEAD(listener->connections); conn != NULL;
+	     conn = next)
+	{
+		next = ISC_LIST_NEXT(conn, link);
+		maybe_free_connection(conn);
+	}
+
+	if (listener->listening) {
+		isc_socket_cancel(listener->sock, listener->task,
+				  ISC_SOCKCANCEL_ACCEPT);
+		return;
+	}
+
+	maybe_free_listener(listener);
+}
+
+static bool
+address_ok(isc_sockaddr_t *sockaddr, dns_acl_t *acl) {
+	dns_aclenv_t *env =
+		ns_interfacemgr_getaclenv(named_g_server->interfacemgr);
+	isc_netaddr_t netaddr;
+	isc_result_t result;
+	int match;
+
+	isc_netaddr_fromsockaddr(&netaddr, sockaddr);
+
+	result = dns_acl_match(&netaddr, NULL, acl, env, &match, NULL);
+	return (result == ISC_R_SUCCESS && match > 0);
+}
+
+static isc_result_t
+control_accept(controllistener_t *listener) {
+	isc_result_t result;
+	result = isc_socket_accept(listener->sock, listener->task,
+				   control_newconn, listener);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_socket_accept() failed: %s",
+				 isc_result_totext(result));
+	} else {
+		listener->listening = true;
+	}
+	return (result);
+}
+
+static isc_result_t
+control_listen(controllistener_t *listener) {
+	isc_result_t result;
+
+	result = isc_socket_listen(listener->sock, 0);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_socket_listen() failed: %s",
+				 isc_result_totext(result));
+	}
+	return (result);
+}
+
+static void
+control_next(controllistener_t *listener) {
+	(void)control_accept(listener);
+}
+
+static void
+control_senddone(isc_task_t *task, isc_event_t *event) {
+	isc_socketevent_t *sevent = (isc_socketevent_t *)event;
+	controlconnection_t *conn = event->ev_arg;
+	controllistener_t *listener = conn->listener;
+	isc_socket_t *sock = (isc_socket_t *)sevent->ev_sender;
+	isc_result_t result;
+
+	REQUIRE(conn->sending);
+
+	UNUSED(task);
+
+	conn->sending = false;
+
+	if (sevent->result != ISC_R_SUCCESS && sevent->result != ISC_R_CANCELED)
+	{
+		char socktext[ISC_SOCKADDR_FORMATSIZE];
+		isc_sockaddr_t peeraddr;
+
+		(void)isc_socket_getpeername(sock, &peeraddr);
+		isc_sockaddr_format(&peeraddr, socktext, sizeof(socktext));
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_CONTROL, ISC_LOG_WARNING,
+			      "error sending command response to %s: %s",
+			      socktext, isc_result_totext(sevent->result));
+	}
+	isc_event_free(&event);
+
+	result = isccc_ccmsg_readmessage(&conn->ccmsg, listener->task,
+					 control_recvmessage, conn);
+	if (result != ISC_R_SUCCESS) {
+		isc_socket_detach(&conn->sock);
+		maybe_free_connection(conn);
+		maybe_free_listener(listener);
+	}
+}
+
+static void
+log_invalid(isccc_ccmsg_t *ccmsg, isc_result_t result) {
+	char socktext[ISC_SOCKADDR_FORMATSIZE];
+	isc_sockaddr_t peeraddr;
+
+	(void)isc_socket_getpeername(ccmsg->sock, &peeraddr);
+	isc_sockaddr_format(&peeraddr, socktext, sizeof(socktext));
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_CONTROL, ISC_LOG_ERROR,
+		      "invalid command from %s: %s", socktext,
+		      isc_result_totext(result));
+}
+
+static void
+control_recvmessage(isc_task_t *task, isc_event_t *event) {
+	controlconnection_t *conn = NULL;
+	controllistener_t *listener = NULL;
+	controlkey_t *key = NULL;
+	isccc_sexpr_t *request = NULL;
+	isccc_sexpr_t *response = NULL;
+	uint32_t algorithm;
+	isccc_region_t secret;
+	isc_stdtime_t now;
+	isc_buffer_t b;
+	isc_region_t r;
+	isc_buffer_t *text;
+	isc_result_t result;
+	isc_result_t eresult;
+	isccc_sexpr_t *_ctrl = NULL;
+	isccc_time_t sent;
+	isccc_time_t exp;
+	uint32_t nonce;
+	isccc_sexpr_t *data = NULL;
+
+	REQUIRE(event->ev_type == ISCCC_EVENT_CCMSG);
+
+	conn = event->ev_arg;
+	listener = conn->listener;
+	algorithm = DST_ALG_UNKNOWN;
+	secret.rstart = NULL;
+	text = NULL;
+
+	/* Is the server shutting down? */
+	if (listener->controls->shuttingdown) {
+		goto cleanup;
+	}
+
+	if (conn->ccmsg.result != ISC_R_SUCCESS) {
+		if (conn->ccmsg.result != ISC_R_CANCELED &&
+		    conn->ccmsg.result != ISC_R_EOF)
+		{
+			log_invalid(&conn->ccmsg, conn->ccmsg.result);
+		}
+		goto cleanup;
+	}
+
+	request = NULL;
+
+	for (key = ISC_LIST_HEAD(listener->keys); key != NULL;
+	     key = ISC_LIST_NEXT(key, link))
+	{
+		isccc_region_t ccregion;
+
+		ccregion.rstart = isc_buffer_base(&conn->ccmsg.buffer);
+		ccregion.rend = isc_buffer_used(&conn->ccmsg.buffer);
+		secret.rstart = isc_mem_get(listener->mctx, key->secret.length);
+		memmove(secret.rstart, key->secret.base, key->secret.length);
+		secret.rend = secret.rstart + key->secret.length;
+		algorithm = key->algorithm;
+		result = isccc_cc_fromwire(&ccregion, &request, algorithm,
+					   &secret);
+		if (result == ISC_R_SUCCESS) {
+			break;
+		}
+		isc_mem_put(listener->mctx, secret.rstart, REGION_SIZE(secret));
+	}
+
+	if (key == NULL) {
+		log_invalid(&conn->ccmsg, ISCCC_R_BADAUTH);
+		goto cleanup;
+	}
+
+	/* We shouldn't be getting a reply. */
+	if (isccc_cc_isreply(request)) {
+		log_invalid(&conn->ccmsg, ISC_R_FAILURE);
+		goto cleanup_request;
+	}
+
+	isc_stdtime_get(&now);
+
+	/*
+	 * Limit exposure to replay attacks.
+	 */
+	_ctrl = isccc_alist_lookup(request, "_ctrl");
+	if (!isccc_alist_alistp(_ctrl)) {
+		log_invalid(&conn->ccmsg, ISC_R_FAILURE);
+		goto cleanup_request;
+	}
+
+	if (isccc_cc_lookupuint32(_ctrl, "_tim", &sent) == ISC_R_SUCCESS) {
+		if ((sent + CLOCKSKEW) < now || (sent - CLOCKSKEW) > now) {
+			log_invalid(&conn->ccmsg, ISCCC_R_CLOCKSKEW);
+			goto cleanup_request;
+		}
+	} else {
+		log_invalid(&conn->ccmsg, ISC_R_FAILURE);
+		goto cleanup_request;
+	}
+
+	/*
+	 * Expire messages that are too old.
+	 */
+	if (isccc_cc_lookupuint32(_ctrl, "_exp", &exp) == ISC_R_SUCCESS &&
+	    now > exp)
+	{
+		log_invalid(&conn->ccmsg, ISCCC_R_EXPIRED);
+		goto cleanup_request;
+	}
+
+	/*
+	 * Duplicate suppression (required for UDP).
+	 */
+	LOCK(&listener->controls->symtab_lock);
+	isccc_cc_cleansymtab(listener->controls->symtab, now);
+	result = isccc_cc_checkdup(listener->controls->symtab, request, now);
+	UNLOCK(&listener->controls->symtab_lock);
+	if (result != ISC_R_SUCCESS) {
+		if (result == ISC_R_EXISTS) {
+			result = ISCCC_R_DUPLICATE;
+		}
+		log_invalid(&conn->ccmsg, result);
+		goto cleanup_request;
+	}
+
+	if (conn->nonce != 0 &&
+	    (isccc_cc_lookupuint32(_ctrl, "_nonce", &nonce) != ISC_R_SUCCESS ||
+	     conn->nonce != nonce))
+	{
+		log_invalid(&conn->ccmsg, ISCCC_R_BADAUTH);
+		goto cleanup_request;
+	}
+
+	isc_buffer_allocate(listener->mctx, &text, 2 * 2048);
+
+	/*
+	 * Establish nonce.
+	 */
+	if (conn->nonce == 0) {
+		while (conn->nonce == 0) {
+			isc_nonce_buf(&conn->nonce, sizeof(conn->nonce));
+		}
+		eresult = ISC_R_SUCCESS;
+	} else {
+		eresult = named_control_docommand(request, listener->readonly,
+						  &text);
+	}
+
+	result = isccc_cc_createresponse(request, now, now + 60, &response);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_request;
+	}
+
+	data = isccc_alist_lookup(response, "_data");
+	if (data != NULL) {
+		if (isccc_cc_defineuint32(data, "result", eresult) == NULL) {
+			goto cleanup_response;
+		}
+	}
+
+	if (eresult != ISC_R_SUCCESS) {
+		if (data != NULL) {
+			const char *estr = isc_result_totext(eresult);
+			if (isccc_cc_definestring(data, "err", estr) == NULL) {
+				goto cleanup_response;
+			}
+		}
+	}
+
+	if (isc_buffer_usedlength(text) > 0) {
+		if (data != NULL) {
+			char *str = (char *)isc_buffer_base(text);
+			if (isccc_cc_definestring(data, "text", str) == NULL) {
+				goto cleanup_response;
+			}
+		}
+	}
+
+	_ctrl = isccc_alist_lookup(response, "_ctrl");
+	if (_ctrl == NULL ||
+	    isccc_cc_defineuint32(_ctrl, "_nonce", conn->nonce) == NULL)
+	{
+		goto cleanup_response;
+	}
+
+	if (conn->buffer == NULL) {
+		isc_buffer_allocate(listener->mctx, &conn->buffer, 2 * 2048);
+	}
+
+	isc_buffer_clear(conn->buffer);
+	/* Skip the length field (4 bytes) */
+	isc_buffer_add(conn->buffer, 4);
+
+	result = isccc_cc_towire(response, &conn->buffer, algorithm, &secret);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_response;
+	}
+
+	isc_buffer_init(&b, conn->buffer->base, 4);
+	isc_buffer_putuint32(&b, conn->buffer->used - 4);
+
+	r.base = conn->buffer->base;
+	r.length = conn->buffer->used;
+
+	result = isc_socket_send(conn->sock, &r, task, control_senddone, conn);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_response;
+	}
+	conn->sending = true;
+
+	isc_mem_put(listener->mctx, secret.rstart, REGION_SIZE(secret));
+	isccc_sexpr_free(&request);
+	isccc_sexpr_free(&response);
+	isc_buffer_free(&text);
+	return;
+
+cleanup_response:
+	isccc_sexpr_free(&response);
+
+cleanup_request:
+	isccc_sexpr_free(&request);
+	isc_mem_put(listener->mctx, secret.rstart, REGION_SIZE(secret));
+	if (text != NULL) {
+		isc_buffer_free(&text);
+	}
+
+cleanup:
+	isc_socket_detach(&conn->sock);
+	isccc_ccmsg_invalidate(&conn->ccmsg);
+	conn->ccmsg_valid = false;
+	maybe_free_connection(conn);
+	maybe_free_listener(listener);
+}
+
+static void
+control_timeout(isc_task_t *task, isc_event_t *event) {
+	controlconnection_t *conn = event->ev_arg;
+
+	UNUSED(task);
+
+	isc_event_free(&event);
+
+	isc_timer_destroy(&conn->timer);
+	maybe_free_connection(conn);
+}
+
+static isc_result_t
+newconnection(controllistener_t *listener, isc_socket_t *sock) {
+	controlconnection_t *conn;
+	isc_interval_t interval;
+	isc_result_t result;
+
+	conn = isc_mem_get(listener->mctx, sizeof(*conn));
+
+	conn->sock = sock;
+	isccc_ccmsg_init(listener->mctx, sock, &conn->ccmsg);
+
+	/* Set a 32 KiB upper limit on incoming message. */
+	isccc_ccmsg_setmaxsize(&conn->ccmsg, 32768);
+
+	conn->ccmsg_valid = true;
+	conn->sending = false;
+	conn->buffer = NULL;
+	conn->timer = NULL;
+	isc_interval_set(&interval, 60, 0);
+	result = isc_timer_create(named_g_timermgr, isc_timertype_once, NULL,
+				  &interval, listener->task, control_timeout,
+				  conn, &conn->timer);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	conn->listener = listener;
+	conn->nonce = 0;
+	ISC_LINK_INIT(conn, link);
+
+	result = isccc_ccmsg_readmessage(&conn->ccmsg, listener->task,
+					 control_recvmessage, conn);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	ISC_LIST_APPEND(listener->connections, conn, link);
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	if (conn->buffer != NULL) {
+		isc_buffer_free(&conn->buffer);
+	}
+	isccc_ccmsg_invalidate(&conn->ccmsg);
+	if (conn->timer != NULL) {
+		isc_timer_destroy(&conn->timer);
+	}
+	isc_mem_put(listener->mctx, conn, sizeof(*conn));
+#ifdef ENABLE_AFL
+	if (named_g_fuzz_type == isc_fuzz_rndc) {
+		named_fuzz_notify();
+	}
+#endif /* ifdef ENABLE_AFL */
+	return (result);
+}
+
+static void
+control_newconn(isc_task_t *task, isc_event_t *event) {
+	isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event;
+	controllistener_t *listener = event->ev_arg;
+	isc_socket_t *sock;
+	isc_sockaddr_t peeraddr;
+	isc_result_t result;
+
+	UNUSED(task);
+
+	REQUIRE(listener->listening);
+
+	listener->listening = false;
+
+	if (nevent->result != ISC_R_SUCCESS) {
+		if (nevent->result == ISC_R_CANCELED) {
+			shutdown_listener(listener);
+			goto cleanup;
+		}
+		goto restart;
+	}
+
+	sock = nevent->newsocket;
+
+	/* Is the server shutting down? */
+	if (listener->controls->shuttingdown) {
+		isc_socket_detach(&sock);
+		shutdown_listener(listener);
+		goto cleanup;
+	}
+
+	isc_socket_setname(sock, "control", NULL);
+	(void)isc_socket_getpeername(sock, &peeraddr);
+	if (listener->type == isc_sockettype_tcp &&
+	    !address_ok(&peeraddr, listener->acl))
+	{
+		char socktext[ISC_SOCKADDR_FORMATSIZE];
+		isc_sockaddr_format(&peeraddr, socktext, sizeof(socktext));
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_CONTROL, ISC_LOG_WARNING,
+			      "rejected command channel message from %s",
+			      socktext);
+		isc_socket_detach(&sock);
+		goto restart;
+	}
+
+	result = newconnection(listener, sock);
+	if (result != ISC_R_SUCCESS) {
+		char socktext[ISC_SOCKADDR_FORMATSIZE];
+		isc_sockaddr_format(&peeraddr, socktext, sizeof(socktext));
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_CONTROL, ISC_LOG_WARNING,
+			      "dropped command channel from %s: %s", socktext,
+			      isc_result_totext(result));
+		isc_socket_detach(&sock);
+		goto restart;
+	}
+
+restart:
+	control_next(listener);
+cleanup:
+	isc_event_free(&event);
+}
+
+static void
+controls_shutdown(named_controls_t *controls) {
+	controllistener_t *listener;
+	controllistener_t *next;
+
+	for (listener = ISC_LIST_HEAD(controls->listeners); listener != NULL;
+	     listener = next)
+	{
+		/*
+		 * This is asynchronous.  As listeners shut down, they will
+		 * call their callbacks.
+		 */
+		next = ISC_LIST_NEXT(listener, link);
+		shutdown_listener(listener);
+	}
+}
+
+void
+named_controls_shutdown(named_controls_t *controls) {
+	controls_shutdown(controls);
+	controls->shuttingdown = true;
+}
+
+static isc_result_t
+cfgkeylist_find(const cfg_obj_t *keylist, const char *keyname,
+		const cfg_obj_t **objp) {
+	const cfg_listelt_t *element;
+	const char *str;
+	const cfg_obj_t *obj;
+
+	for (element = cfg_list_first(keylist); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		obj = cfg_listelt_value(element);
+		str = cfg_obj_asstring(cfg_map_getname(obj));
+		if (strcasecmp(str, keyname) == 0) {
+			break;
+		}
+	}
+	if (element == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+	obj = cfg_listelt_value(element);
+	*objp = obj;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+controlkeylist_fromcfg(const cfg_obj_t *keylist, isc_mem_t *mctx,
+		       controlkeylist_t *keyids) {
+	const cfg_listelt_t *element;
+	char *newstr = NULL;
+	const char *str;
+	const cfg_obj_t *obj;
+	controlkey_t *key;
+
+	for (element = cfg_list_first(keylist); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		obj = cfg_listelt_value(element);
+		str = cfg_obj_asstring(obj);
+		newstr = isc_mem_strdup(mctx, str);
+		key = isc_mem_get(mctx, sizeof(*key));
+		key->keyname = newstr;
+		key->algorithm = DST_ALG_UNKNOWN;
+		key->secret.base = NULL;
+		key->secret.length = 0;
+		ISC_LINK_INIT(key, link);
+		ISC_LIST_APPEND(*keyids, key, link);
+		newstr = NULL;
+	}
+}
+
+static void
+register_keys(const cfg_obj_t *control, const cfg_obj_t *keylist,
+	      controlkeylist_t *keyids, isc_mem_t *mctx, const char *socktext) {
+	controlkey_t *keyid, *next;
+	const cfg_obj_t *keydef;
+	char secret[1024];
+	isc_buffer_t b;
+	isc_result_t result;
+
+	/*
+	 * Find the keys corresponding to the keyids used by this listener.
+	 */
+	for (keyid = ISC_LIST_HEAD(*keyids); keyid != NULL; keyid = next) {
+		next = ISC_LIST_NEXT(keyid, link);
+
+		result = cfgkeylist_find(keylist, keyid->keyname, &keydef);
+		if (result != ISC_R_SUCCESS) {
+			cfg_obj_log(control, named_g_lctx, ISC_LOG_WARNING,
+				    "couldn't find key '%s' for use with "
+				    "command channel %s",
+				    keyid->keyname, socktext);
+			ISC_LIST_UNLINK(*keyids, keyid, link);
+			free_controlkey(keyid, mctx);
+		} else {
+			const cfg_obj_t *algobj = NULL;
+			const cfg_obj_t *secretobj = NULL;
+			const char *algstr = NULL;
+			const char *secretstr = NULL;
+			unsigned int algtype;
+
+			(void)cfg_map_get(keydef, "algorithm", &algobj);
+			(void)cfg_map_get(keydef, "secret", &secretobj);
+			INSIST(algobj != NULL && secretobj != NULL);
+
+			algstr = cfg_obj_asstring(algobj);
+			secretstr = cfg_obj_asstring(secretobj);
+
+			if (named_config_getkeyalgorithm2(algstr, NULL,
+							  &algtype, NULL) !=
+			    ISC_R_SUCCESS)
+			{
+				cfg_obj_log(control, named_g_lctx,
+					    ISC_LOG_WARNING,
+					    "unsupported algorithm '%s' in "
+					    "key '%s' for use with command "
+					    "channel %s",
+					    algstr, keyid->keyname, socktext);
+				ISC_LIST_UNLINK(*keyids, keyid, link);
+				free_controlkey(keyid, mctx);
+				continue;
+			}
+
+			keyid->algorithm = algtype;
+			isc_buffer_init(&b, secret, sizeof(secret));
+			result = isc_base64_decodestring(secretstr, &b);
+
+			if (result != ISC_R_SUCCESS) {
+				cfg_obj_log(keydef, named_g_lctx,
+					    ISC_LOG_WARNING,
+					    "secret for key '%s' on "
+					    "command channel %s: %s",
+					    keyid->keyname, socktext,
+					    isc_result_totext(result));
+				ISC_LIST_UNLINK(*keyids, keyid, link);
+				free_controlkey(keyid, mctx);
+				continue;
+			}
+
+			keyid->secret.length = isc_buffer_usedlength(&b);
+			keyid->secret.base = isc_mem_get(mctx,
+							 keyid->secret.length);
+			memmove(keyid->secret.base, isc_buffer_base(&b),
+				keyid->secret.length);
+		}
+	}
+}
+
+#define CHECK(x)                             \
+	do {                                 \
+		result = (x);                \
+		if (result != ISC_R_SUCCESS) \
+			goto cleanup;        \
+	} while (0)
+
+static isc_result_t
+get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) {
+	isc_result_t result;
+	cfg_parser_t *pctx = NULL;
+	cfg_obj_t *config = NULL;
+	const cfg_obj_t *key = NULL;
+	const cfg_obj_t *algobj = NULL;
+	const cfg_obj_t *secretobj = NULL;
+	const char *algstr = NULL;
+	const char *secretstr = NULL;
+	controlkey_t *keyid = NULL;
+	char secret[1024];
+	unsigned int algtype;
+	isc_buffer_t b;
+
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_CONTROL, ISC_LOG_INFO,
+		      "configuring command channel from '%s'", named_g_keyfile);
+	if (!isc_file_exists(named_g_keyfile)) {
+		return (ISC_R_FILENOTFOUND);
+	}
+
+	CHECK(cfg_parser_create(mctx, named_g_lctx, &pctx));
+	CHECK(cfg_parse_file(pctx, named_g_keyfile, &cfg_type_rndckey,
+			     &config));
+	CHECK(cfg_map_get(config, "key", &key));
+
+	keyid = isc_mem_get(mctx, sizeof(*keyid));
+	keyid->keyname = isc_mem_strdup(mctx,
+					cfg_obj_asstring(cfg_map_getname(key)));
+	keyid->secret.base = NULL;
+	keyid->secret.length = 0;
+	keyid->algorithm = DST_ALG_UNKNOWN;
+	ISC_LINK_INIT(keyid, link);
+	if (keyid->keyname == NULL) {
+		CHECK(ISC_R_NOMEMORY);
+	}
+
+	CHECK(bind9_check_key(key, named_g_lctx));
+
+	(void)cfg_map_get(key, "algorithm", &algobj);
+	(void)cfg_map_get(key, "secret", &secretobj);
+	INSIST(algobj != NULL && secretobj != NULL);
+
+	algstr = cfg_obj_asstring(algobj);
+	secretstr = cfg_obj_asstring(secretobj);
+
+	if (named_config_getkeyalgorithm2(algstr, NULL, &algtype, NULL) !=
+	    ISC_R_SUCCESS)
+	{
+		cfg_obj_log(key, named_g_lctx, ISC_LOG_WARNING,
+			    "unsupported algorithm '%s' in "
+			    "key '%s' for use with command "
+			    "channel",
+			    algstr, keyid->keyname);
+		goto cleanup;
+	}
+
+	keyid->algorithm = algtype;
+	isc_buffer_init(&b, secret, sizeof(secret));
+	result = isc_base64_decodestring(secretstr, &b);
+
+	if (result != ISC_R_SUCCESS) {
+		cfg_obj_log(key, named_g_lctx, ISC_LOG_WARNING,
+			    "secret for key '%s' on command channel: %s",
+			    keyid->keyname, isc_result_totext(result));
+		goto cleanup;
+	}
+
+	keyid->secret.length = isc_buffer_usedlength(&b);
+	keyid->secret.base = isc_mem_get(mctx, keyid->secret.length);
+	memmove(keyid->secret.base, isc_buffer_base(&b), keyid->secret.length);
+	ISC_LIST_APPEND(*keyids, keyid, link);
+	keyid = NULL;
+	result = ISC_R_SUCCESS;
+
+cleanup:
+	if (keyid != NULL) {
+		free_controlkey(keyid, mctx);
+	}
+	if (config != NULL) {
+		cfg_obj_destroy(pctx, &config);
+	}
+	if (pctx != NULL) {
+		cfg_parser_destroy(&pctx);
+	}
+	return (result);
+}
+
+/*
+ * Ensures that both '*global_keylistp' and '*control_keylistp' are
+ * valid or both are NULL.
+ */
+static void
+get_key_info(const cfg_obj_t *config, const cfg_obj_t *control,
+	     const cfg_obj_t **global_keylistp,
+	     const cfg_obj_t **control_keylistp) {
+	isc_result_t result;
+	const cfg_obj_t *control_keylist = NULL;
+	const cfg_obj_t *global_keylist = NULL;
+
+	REQUIRE(global_keylistp != NULL && *global_keylistp == NULL);
+	REQUIRE(control_keylistp != NULL && *control_keylistp == NULL);
+
+	control_keylist = cfg_tuple_get(control, "keys");
+
+	if (!cfg_obj_isvoid(control_keylist) &&
+	    cfg_list_first(control_keylist) != NULL)
+	{
+		result = cfg_map_get(config, "key", &global_keylist);
+
+		if (result == ISC_R_SUCCESS) {
+			*global_keylistp = global_keylist;
+			*control_keylistp = control_keylist;
+		}
+	}
+}
+
+static void
+update_listener(named_controls_t *cp, controllistener_t **listenerp,
+		const cfg_obj_t *control, const cfg_obj_t *config,
+		isc_sockaddr_t *addr, cfg_aclconfctx_t *aclconfctx,
+		const char *socktext, isc_sockettype_t type) {
+	controllistener_t *listener;
+	const cfg_obj_t *allow;
+	const cfg_obj_t *global_keylist = NULL;
+	const cfg_obj_t *control_keylist = NULL;
+	dns_acl_t *new_acl = NULL;
+	controlkeylist_t keys;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	for (listener = ISC_LIST_HEAD(cp->listeners); listener != NULL;
+	     listener = ISC_LIST_NEXT(listener, link))
+	{
+		if (isc_sockaddr_equal(addr, &listener->address)) {
+			break;
+		}
+	}
+
+	if (listener == NULL) {
+		*listenerp = NULL;
+		return;
+	}
+
+	/*
+	 * There is already a listener for this sockaddr.
+	 * Update the access list and key information.
+	 *
+	 * First try to deal with the key situation.  There are a few
+	 * possibilities:
+	 *  (a)	It had an explicit keylist and still has an explicit keylist.
+	 *  (b)	It had an automagic key and now has an explicit keylist.
+	 *  (c)	It had an explicit keylist and now needs an automagic key.
+	 *  (d) It has an automagic key and still needs the automagic key.
+	 *
+	 * (c) and (d) are the annoying ones.  The caller needs to know
+	 * that it should use the automagic configuration for key information
+	 * in place of the named.conf configuration.
+	 *
+	 * XXXDCL There is one other hazard that has not been dealt with,
+	 * the problem that if a key change is being caused by a control
+	 * channel reload, then the response will be with the new key
+	 * and not able to be decrypted by the client.
+	 */
+	if (control != NULL) {
+		get_key_info(config, control, &global_keylist,
+			     &control_keylist);
+	}
+
+	if (control_keylist != NULL) {
+		INSIST(global_keylist != NULL);
+
+		ISC_LIST_INIT(keys);
+		controlkeylist_fromcfg(control_keylist, listener->mctx, &keys);
+		free_controlkeylist(&listener->keys, listener->mctx);
+		listener->keys = keys;
+		register_keys(control, global_keylist, &listener->keys,
+			      listener->mctx, socktext);
+	} else {
+		free_controlkeylist(&listener->keys, listener->mctx);
+		result = get_rndckey(listener->mctx, &listener->keys);
+	}
+
+	if (result != ISC_R_SUCCESS && global_keylist != NULL) {
+		/*
+		 * This message might be a little misleading since the
+		 * "new keys" might in fact be identical to the old ones,
+		 * but tracking whether they are identical just for the
+		 * sake of avoiding this message would be too much trouble.
+		 */
+		if (control != NULL) {
+			cfg_obj_log(control, named_g_lctx, ISC_LOG_WARNING,
+				    "couldn't install new keys for "
+				    "command channel %s: %s",
+				    socktext, isc_result_totext(result));
+		} else {
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_CONTROL, ISC_LOG_WARNING,
+				      "couldn't install new keys for "
+				      "command channel %s: %s",
+				      socktext, isc_result_totext(result));
+		}
+	}
+
+	/*
+	 * Now, keep the old access list unless a new one can be made.
+	 */
+	if (control != NULL && type == isc_sockettype_tcp) {
+		allow = cfg_tuple_get(control, "allow");
+		result = cfg_acl_fromconfig(allow, config, named_g_lctx,
+					    aclconfctx, listener->mctx, 0,
+					    &new_acl);
+	} else {
+		result = dns_acl_any(listener->mctx, &new_acl);
+	}
+
+	if (control != NULL) {
+		const cfg_obj_t *readonly;
+
+		readonly = cfg_tuple_get(control, "read-only");
+		if (!cfg_obj_isvoid(readonly)) {
+			listener->readonly = cfg_obj_asboolean(readonly);
+		}
+	}
+
+	if (result == ISC_R_SUCCESS) {
+		dns_acl_detach(&listener->acl);
+		dns_acl_attach(new_acl, &listener->acl);
+		dns_acl_detach(&new_acl);
+		/* XXXDCL say the old acl is still used? */
+	} else if (control != NULL) {
+		cfg_obj_log(control, named_g_lctx, ISC_LOG_WARNING,
+			    "couldn't install new acl for "
+			    "command channel %s: %s",
+			    socktext, isc_result_totext(result));
+	} else {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_CONTROL, ISC_LOG_WARNING,
+			      "couldn't install new acl for "
+			      "command channel %s: %s",
+			      socktext, isc_result_totext(result));
+	}
+
+	if (result == ISC_R_SUCCESS && type == isc_sockettype_unix) {
+		uint32_t perm, owner, group;
+		perm = cfg_obj_asuint32(cfg_tuple_get(control, "perm"));
+		owner = cfg_obj_asuint32(cfg_tuple_get(control, "owner"));
+		group = cfg_obj_asuint32(cfg_tuple_get(control, "group"));
+		result = ISC_R_SUCCESS;
+		if (listener->perm != perm || listener->owner != owner ||
+		    listener->group != group)
+		{
+			result = isc_socket_permunix(&listener->address, perm,
+						     owner, group);
+		}
+		if (result == ISC_R_SUCCESS) {
+			listener->perm = perm;
+			listener->owner = owner;
+			listener->group = group;
+		} else if (control != NULL) {
+			cfg_obj_log(control, named_g_lctx, ISC_LOG_WARNING,
+				    "couldn't update ownership/permission for "
+				    "command channel %s",
+				    socktext);
+		}
+	}
+
+	*listenerp = listener;
+}
+
+static void
+add_listener(named_controls_t *cp, controllistener_t **listenerp,
+	     const cfg_obj_t *control, const cfg_obj_t *config,
+	     isc_sockaddr_t *addr, cfg_aclconfctx_t *aclconfctx,
+	     const char *socktext, isc_sockettype_t type) {
+	isc_mem_t *mctx = cp->server->mctx;
+	controllistener_t *listener;
+	const cfg_obj_t *allow;
+	const cfg_obj_t *global_keylist = NULL;
+	const cfg_obj_t *control_keylist = NULL;
+	dns_acl_t *new_acl = NULL;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	listener = isc_mem_get(mctx, sizeof(*listener));
+
+	listener->mctx = NULL;
+	isc_mem_attach(mctx, &listener->mctx);
+	listener->controls = cp;
+	listener->task = cp->server->task;
+	listener->address = *addr;
+	listener->sock = NULL;
+	listener->listening = false;
+	listener->exiting = false;
+	listener->acl = NULL;
+	listener->type = type;
+	listener->perm = 0;
+	listener->owner = 0;
+	listener->group = 0;
+	listener->readonly = false;
+	ISC_LINK_INIT(listener, link);
+	ISC_LIST_INIT(listener->keys);
+	ISC_LIST_INIT(listener->connections);
+
+	/*
+	 * Make the acl.
+	 */
+	if (control != NULL && type == isc_sockettype_tcp) {
+		allow = cfg_tuple_get(control, "allow");
+		result = cfg_acl_fromconfig(allow, config, named_g_lctx,
+					    aclconfctx, mctx, 0, &new_acl);
+	} else {
+		result = dns_acl_any(mctx, &new_acl);
+	}
+
+	if ((result == ISC_R_SUCCESS) && (control != NULL)) {
+		const cfg_obj_t *readonly;
+
+		readonly = cfg_tuple_get(control, "read-only");
+		if (!cfg_obj_isvoid(readonly)) {
+			listener->readonly = cfg_obj_asboolean(readonly);
+		}
+	}
+
+	if (result == ISC_R_SUCCESS) {
+		dns_acl_attach(new_acl, &listener->acl);
+		dns_acl_detach(&new_acl);
+
+		if (config != NULL) {
+			get_key_info(config, control, &global_keylist,
+				     &control_keylist);
+		}
+
+		if (control_keylist != NULL) {
+			controlkeylist_fromcfg(control_keylist, listener->mctx,
+					       &listener->keys);
+			register_keys(control, global_keylist, &listener->keys,
+				      listener->mctx, socktext);
+		} else {
+			result = get_rndckey(mctx, &listener->keys);
+		}
+
+		if (result != ISC_R_SUCCESS && control != NULL) {
+			cfg_obj_log(control, named_g_lctx, ISC_LOG_WARNING,
+				    "couldn't install keys for "
+				    "command channel %s: %s",
+				    socktext, isc_result_totext(result));
+		}
+	}
+
+	if (result == ISC_R_SUCCESS) {
+		int pf = isc_sockaddr_pf(&listener->address);
+		if ((pf == AF_INET && isc_net_probeipv4() != ISC_R_SUCCESS) ||
+#ifdef ISC_PLATFORM_HAVESYSUNH
+		    (pf == AF_UNIX && isc_net_probeunix() != ISC_R_SUCCESS) ||
+#endif /* ifdef ISC_PLATFORM_HAVESYSUNH */
+		    (pf == AF_INET6 && isc_net_probeipv6() != ISC_R_SUCCESS))
+		{
+			result = ISC_R_FAMILYNOSUPPORT;
+		}
+	}
+
+	if (result == ISC_R_SUCCESS && type == isc_sockettype_unix) {
+		isc_socket_cleanunix(&listener->address, false);
+	}
+
+	if (result == ISC_R_SUCCESS) {
+		result = isc_socket_create(named_g_socketmgr,
+					   isc_sockaddr_pf(&listener->address),
+					   type, &listener->sock);
+	}
+	if (result == ISC_R_SUCCESS) {
+		isc_socket_setname(listener->sock, "control", NULL);
+	}
+
+#ifndef ISC_ALLOW_MAPPED
+	if (result == ISC_R_SUCCESS) {
+		isc_socket_ipv6only(listener->sock, true);
+	}
+#endif /* ifndef ISC_ALLOW_MAPPED */
+
+	if (result == ISC_R_SUCCESS) {
+		result = isc_socket_bind(listener->sock, &listener->address,
+					 ISC_SOCKET_REUSEADDRESS);
+	}
+
+	if (result == ISC_R_SUCCESS && type == isc_sockettype_unix) {
+		listener->perm =
+			cfg_obj_asuint32(cfg_tuple_get(control, "perm"));
+		listener->owner =
+			cfg_obj_asuint32(cfg_tuple_get(control, "owner"));
+		listener->group =
+			cfg_obj_asuint32(cfg_tuple_get(control, "group"));
+		result = isc_socket_permunix(&listener->address, listener->perm,
+					     listener->owner, listener->group);
+	}
+	if (result == ISC_R_SUCCESS) {
+		result = control_listen(listener);
+	}
+
+	if (result == ISC_R_SUCCESS) {
+		result = control_accept(listener);
+	}
+
+	if (result == ISC_R_SUCCESS) {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_CONTROL, ISC_LOG_NOTICE,
+			      "command channel listening on %s", socktext);
+		*listenerp = listener;
+	} else {
+		listener->exiting = true;
+		free_listener(listener);
+
+		if (control != NULL) {
+			cfg_obj_log(control, named_g_lctx, ISC_LOG_WARNING,
+				    "couldn't add command channel %s: %s",
+				    socktext, isc_result_totext(result));
+		} else {
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_CONTROL, ISC_LOG_NOTICE,
+				      "couldn't add command channel %s: %s",
+				      socktext, isc_result_totext(result));
+		}
+
+		*listenerp = NULL;
+	}
+
+	/* XXXDCL return error results? fail hard? */
+}
+
+isc_result_t
+named_controls_configure(named_controls_t *cp, const cfg_obj_t *config,
+			 cfg_aclconfctx_t *aclconfctx) {
+	controllistener_t *listener;
+	controllistenerlist_t new_listeners;
+	const cfg_obj_t *controlslist = NULL;
+	const cfg_listelt_t *element, *element2;
+	char socktext[ISC_SOCKADDR_FORMATSIZE];
+
+	ISC_LIST_INIT(new_listeners);
+
+	/*
+	 * Get the list of named.conf 'controls' statements.
+	 */
+	(void)cfg_map_get(config, "controls", &controlslist);
+
+	/*
+	 * Run through the new control channel list, noting sockets that
+	 * are already being listened on and moving them to the new list.
+	 *
+	 * Identifying duplicate addr/port combinations is left to either
+	 * the underlying config code, or to the bind attempt getting an
+	 * address-in-use error.
+	 */
+	if (controlslist != NULL) {
+		for (element = cfg_list_first(controlslist); element != NULL;
+		     element = cfg_list_next(element))
+		{
+			const cfg_obj_t *controls;
+			const cfg_obj_t *inetcontrols = NULL;
+
+			controls = cfg_listelt_value(element);
+			(void)cfg_map_get(controls, "inet", &inetcontrols);
+			if (inetcontrols == NULL) {
+				continue;
+			}
+
+			for (element2 = cfg_list_first(inetcontrols);
+			     element2 != NULL;
+			     element2 = cfg_list_next(element2))
+			{
+				const cfg_obj_t *control;
+				const cfg_obj_t *obj;
+				isc_sockaddr_t addr;
+
+				/*
+				 * The parser handles BIND 8 configuration file
+				 * syntax, so it allows unix phrases as well
+				 * inet phrases with no keys{} clause.
+				 */
+				control = cfg_listelt_value(element2);
+
+				obj = cfg_tuple_get(control, "address");
+				addr = *cfg_obj_assockaddr(obj);
+				if (isc_sockaddr_getport(&addr) == 0) {
+					isc_sockaddr_setport(
+						&addr, NAMED_CONTROL_PORT);
+				}
+
+				isc_sockaddr_format(&addr, socktext,
+						    sizeof(socktext));
+
+				isc_log_write(named_g_lctx,
+					      NAMED_LOGCATEGORY_GENERAL,
+					      NAMED_LOGMODULE_CONTROL,
+					      ISC_LOG_DEBUG(9),
+					      "processing control channel %s",
+					      socktext);
+
+				update_listener(cp, &listener, control, config,
+						&addr, aclconfctx, socktext,
+						isc_sockettype_tcp);
+
+				if (listener != NULL) {
+					/*
+					 * Remove the listener from the old
+					 * list, so it won't be shut down.
+					 */
+					ISC_LIST_UNLINK(cp->listeners, listener,
+							link);
+				} else {
+					/*
+					 * This is a new listener.
+					 */
+					add_listener(cp, &listener, control,
+						     config, &addr, aclconfctx,
+						     socktext,
+						     isc_sockettype_tcp);
+				}
+
+				if (listener != NULL) {
+					ISC_LIST_APPEND(new_listeners, listener,
+							link);
+				}
+			}
+		}
+		for (element = cfg_list_first(controlslist); element != NULL;
+		     element = cfg_list_next(element))
+		{
+			const cfg_obj_t *controls;
+			const cfg_obj_t *unixcontrols = NULL;
+
+			controls = cfg_listelt_value(element);
+			(void)cfg_map_get(controls, "unix", &unixcontrols);
+			if (unixcontrols == NULL) {
+				continue;
+			}
+
+			for (element2 = cfg_list_first(unixcontrols);
+			     element2 != NULL;
+			     element2 = cfg_list_next(element2))
+			{
+				const cfg_obj_t *control;
+				const cfg_obj_t *path;
+				isc_sockaddr_t addr;
+				isc_result_t result;
+
+				/*
+				 * The parser handles BIND 8 configuration file
+				 * syntax, so it allows unix phrases as well
+				 * inet phrases with no keys{} clause.
+				 */
+				control = cfg_listelt_value(element2);
+
+				path = cfg_tuple_get(control, "path");
+				result = isc_sockaddr_frompath(
+					&addr, cfg_obj_asstring(path));
+				if (result != ISC_R_SUCCESS) {
+					isc_log_write(
+						named_g_lctx,
+						NAMED_LOGCATEGORY_GENERAL,
+						NAMED_LOGMODULE_CONTROL,
+						ISC_LOG_DEBUG(9),
+						"control channel '%s': %s",
+						cfg_obj_asstring(path),
+						isc_result_totext(result));
+					continue;
+				}
+
+				isc_log_write(named_g_lctx,
+					      NAMED_LOGCATEGORY_GENERAL,
+					      NAMED_LOGMODULE_CONTROL,
+					      ISC_LOG_DEBUG(9),
+					      "processing control channel '%s'",
+					      cfg_obj_asstring(path));
+
+				update_listener(cp, &listener, control, config,
+						&addr, aclconfctx,
+						cfg_obj_asstring(path),
+						isc_sockettype_unix);
+
+				if (listener != NULL) {
+					/*
+					 * Remove the listener from the old
+					 * list, so it won't be shut down.
+					 */
+					ISC_LIST_UNLINK(cp->listeners, listener,
+							link);
+				} else {
+					/*
+					 * This is a new listener.
+					 */
+					add_listener(cp, &listener, control,
+						     config, &addr, aclconfctx,
+						     cfg_obj_asstring(path),
+						     isc_sockettype_unix);
+				}
+
+				if (listener != NULL) {
+					ISC_LIST_APPEND(new_listeners, listener,
+							link);
+				}
+			}
+		}
+	} else {
+		int i;
+
+		for (i = 0; i < 2; i++) {
+			isc_sockaddr_t addr;
+
+			if (i == 0) {
+				struct in_addr localhost;
+
+				if (isc_net_probeipv4() != ISC_R_SUCCESS) {
+					continue;
+				}
+				localhost.s_addr = htonl(INADDR_LOOPBACK);
+				isc_sockaddr_fromin(&addr, &localhost, 0);
+			} else {
+				if (isc_net_probeipv6() != ISC_R_SUCCESS) {
+					continue;
+				}
+				isc_sockaddr_fromin6(&addr, &in6addr_loopback,
+						     0);
+			}
+			isc_sockaddr_setport(&addr, NAMED_CONTROL_PORT);
+
+			isc_sockaddr_format(&addr, socktext, sizeof(socktext));
+
+			update_listener(cp, &listener, NULL, NULL, &addr, NULL,
+					socktext, isc_sockettype_tcp);
+
+			if (listener != NULL) {
+				/*
+				 * Remove the listener from the old
+				 * list, so it won't be shut down.
+				 */
+				ISC_LIST_UNLINK(cp->listeners, listener, link);
+			} else {
+				/*
+				 * This is a new listener.
+				 */
+				add_listener(cp, &listener, NULL, NULL, &addr,
+					     NULL, socktext,
+					     isc_sockettype_tcp);
+			}
+
+			if (listener != NULL) {
+				ISC_LIST_APPEND(new_listeners, listener, link);
+			}
+		}
+	}
+
+	/*
+	 * named_control_shutdown() will stop whatever is on the global
+	 * listeners list, which currently only has whatever sockaddrs
+	 * were in the previous configuration (if any) that do not
+	 * remain in the current configuration.
+	 */
+	controls_shutdown(cp);
+
+	/*
+	 * Put all of the valid listeners on the listeners list.
+	 * Anything already on listeners in the process of shutting
+	 * down will be taken care of by listen_done().
+	 */
+	ISC_LIST_APPENDLIST(cp->listeners, new_listeners, link);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+named_controls_create(named_server_t *server, named_controls_t **ctrlsp) {
+	isc_mem_t *mctx = server->mctx;
+	isc_result_t result;
+	named_controls_t *controls = isc_mem_get(mctx, sizeof(*controls));
+
+	*controls = (named_controls_t){
+		.server = server,
+	};
+
+	ISC_LIST_INIT(controls->listeners);
+
+	isc_mutex_init(&controls->symtab_lock);
+	LOCK(&controls->symtab_lock);
+	result = isccc_cc_createsymtab(&controls->symtab);
+	UNLOCK(&controls->symtab_lock);
+
+	if (result != ISC_R_SUCCESS) {
+		isc_mutex_destroy(&controls->symtab_lock);
+		isc_mem_put(server->mctx, controls, sizeof(*controls));
+		return (result);
+	}
+	*ctrlsp = controls;
+	return (ISC_R_SUCCESS);
+}
+
+void
+named_controls_destroy(named_controls_t **ctrlsp) {
+	named_controls_t *controls = *ctrlsp;
+	*ctrlsp = NULL;
+
+	REQUIRE(ISC_LIST_EMPTY(controls->listeners));
+
+	LOCK(&controls->symtab_lock);
+	isccc_symtab_destroy(&controls->symtab);
+	UNLOCK(&controls->symtab_lock);
+	isc_mutex_destroy(&controls->symtab_lock);
+	isc_mem_put(controls->server->mctx, controls, sizeof(*controls));
+}
diff --git a/bin/named/convertxsl.pl b/bin/named/convertxsl.pl
new file mode 100755
index 0000000..37c2e15
--- /dev/null
+++ b/bin/named/convertxsl.pl
@@ -0,0 +1,53 @@
+#!/usr/bin/env perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+use strict;
+use warnings;
+
+my $rev = '$Id: convertxsl.pl,v 1.14 2008/07/17 23:43:26 jinmei Exp $';
+$rev =~ s/\$//g;
+$rev =~ s/,v//g;
+$rev =~ s/Id: //;
+
+my $xsl = "unknown";
+my $lines = '';
+
+while (<>) {
+    chomp;
+    # pickout the id for comment.
+    $xsl = $_ if (/<!-- .Id:.* -->/);
+    # convert Id string to a form not recognisable by cvs.
+    $_ =~ s/<!-- .Id:(.*). -->/<!-- \\045Id: $1\\045 -->/;
+    s/[\ \t]+/ /g;
+    s/\>\ \</\>\</g;
+    s/\"/\\\"/g;
+    s/^/\t\"/;
+    s/[\ \t]+$//g;
+    s/$/\\n\"/;
+    if ($lines eq "") {
+	    $lines .= $_;
+    } else {
+	    $lines .= "\n" . $_;
+    }
+}
+
+$xsl =~ s/\$//g;
+$xsl =~ s/<!-- Id: //;
+$xsl =~ s/ -->.*//;
+$xsl =~ s/,v//;
+
+print "/*\n * Generated by $rev \n * From $xsl\n */\n";
+print 'static char xslmsg[] =',"\n";
+print $lines;
+
+print ';', "\n";
diff --git a/bin/named/fuzz.c b/bin/named/fuzz.c
new file mode 100644
index 0000000..fb0d56f
--- /dev/null
+++ b/bin/named/fuzz.c
@@ -0,0 +1,782 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <named/fuzz.h>
+
+#ifdef ENABLE_AFL
+#include <arpa/inet.h>
+#include <errno.h>
+#include <pthread.h>
+#include <signal.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <isc/app.h>
+#include <isc/condition.h>
+#include <isc/mutex.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+
+#include <dns/log.h>
+
+#include <named/globals.h>
+#include <named/log.h>
+#include <named/server.h>
+
+/*
+ * We are using pthreads directly because we might be using it with
+ * unthreaded version of BIND, where all thread functions are
+ * mocks. Since AFL for now only works on Linux it's not a problem.
+ */
+static pthread_cond_t cond;
+static pthread_mutex_t mutex;
+static bool ready;
+
+/*
+ * In "client:" mode, this thread reads fuzzed query messages from AFL
+ * from standard input and sends it to named's listening port (DNS) that
+ * is passed in the -A client:<address>:<port> option. It can be used to
+ * test named from the client side.
+ */
+static void *
+fuzz_thread_client(void *arg) {
+	char *host;
+	char *port;
+	struct sockaddr_in servaddr;
+	int sockfd;
+	void *buf;
+
+	UNUSED(arg);
+
+	/*
+	 * Parse named -A argument in the "address:port" syntax. Due to
+	 * the syntax used, this only supports IPv4 addresses.
+	 */
+	host = strdup(named_g_fuzz_addr);
+	RUNTIME_CHECK(host != NULL);
+
+	port = strchr(host, ':');
+	RUNTIME_CHECK(port != NULL);
+	*port = 0;
+	++port;
+
+	memset(&servaddr, 0, sizeof(servaddr));
+	servaddr.sin_family = AF_INET;
+	RUNTIME_CHECK(inet_pton(AF_INET, host, &servaddr.sin_addr) == 1);
+	servaddr.sin_port = htons(atoi(port));
+
+	free(host);
+
+	/*
+	 * Wait for named to start. This is set in run_server() in the
+	 * named thread.
+	 */
+	while (!named_g_run_done) {
+		usleep(10000);
+	}
+
+	sockfd = socket(AF_INET, SOCK_DGRAM, 0);
+	RUNTIME_CHECK(sockfd != -1);
+
+	buf = malloc(65536);
+	RUNTIME_CHECK(buf != NULL);
+
+	/*
+	 * Processing fuzzed packets 100,000 times before shutting down
+	 * the app.
+	 */
+#ifdef __AFL_LOOP
+	for (int loop = 0; loop < 100000; loop++) {
+#else  /* ifdef __AFL_LOOP */
+	{
+#endif /* ifdef __AFL_LOOP */
+		ssize_t length;
+		ssize_t sent;
+
+		length = read(0, buf, 65536);
+		if (length <= 0) {
+			usleep(1000000);
+			goto next;
+		}
+
+		/*
+		 * Ignore packets that are larger than 4096 bytes.
+		 */
+		if (length > 4096) {
+			/*
+			 * AFL_CMIN doesn't support persistent mode, so
+			 * shutdown the server.
+			 */
+			if (getenv("AFL_CMIN")) {
+				free(buf);
+				close(sockfd);
+				named_server_flushonshutdown(named_g_server,
+							     false);
+				isc_app_shutdown();
+				return (NULL);
+			}
+			raise(SIGSTOP);
+			goto next;
+		}
+
+		RUNTIME_CHECK(pthread_mutex_lock(&mutex) == 0);
+
+		ready = false;
+
+		sent = sendto(sockfd, buf, length, 0,
+			      (struct sockaddr *)&servaddr, sizeof(servaddr));
+		RUNTIME_CHECK(sent == length);
+
+		/*
+		 * Read the reply message from named to unclog it. Don't
+		 * bother if there isn't a reply.
+		 */
+		(void)recvfrom(sockfd, buf, 65536, MSG_DONTWAIT, NULL, NULL);
+
+		while (!ready) {
+			pthread_cond_wait(&cond, &mutex);
+		}
+
+		RUNTIME_CHECK(pthread_mutex_unlock(&mutex) == 0);
+	next:;
+	}
+
+	free(buf);
+	close(sockfd);
+
+	named_server_flushonshutdown(named_g_server, false);
+	isc_app_shutdown();
+
+	return (NULL);
+}
+
+/*
+ * In "resolver:" mode, this thread reads fuzzed reply messages from AFL
+ * from standard input. It also sets up a listener as a remote
+ * authoritative server and sends a driver query to the client side of
+ * named(resolver).  When named(resolver) connects to this authoritative
+ * server, this thread writes the fuzzed reply message from AFL to it.
+ *
+ * -A resolver:<saddress>:<sport>:<raddress>:<rport>
+ *
+ * Here, <saddress>:<sport> is where named(resolver) is listening on.
+ * <raddress>:<rport> is where the thread is supposed to setup the
+ * authoritative server. This address should be configured via the root
+ * zone to be the authoritiative server for aaaaaaaaaa.example.
+ *
+ * named(resolver) when being fuzzed will not cache answers.
+ */
+static void *
+fuzz_thread_resolver(void *arg) {
+	char *sqtype, *shost, *sport, *rhost, *rport;
+	struct sockaddr_in servaddr, recaddr, recvaddr;
+	/*
+	 * Query for aaaaaaaaaa.example./A in wire format with RD=1,
+	 * EDNS and DO=1. 0x88, 0x0c at the start is the ID field which
+	 * will be updated for each query.
+	 */
+	char respacket[] = { 0x88, 0x0c, 0x01, 0x20, 0x00, 0x01, 0x00, 0x00,
+			     0x00, 0x00, 0x00, 0x01, 0x0a, 0x61, 0x61, 0x61,
+			     0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x07,
+			     0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x00,
+			     0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x29, 0x10,
+			     0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00 };
+	/*
+	 * Response for example./DNSKEY in wire format. Note that RRSIGs
+	 * were generated with this DNSKEY that are used as seeds for
+	 * AFL in the DNSSEC fuzzing job. So the DNSKEY content of this
+	 * message must not change, or the corresponding RRSIGs will
+	 * have to be updated. 0x8d, 0xf6 at the start is the ID field
+	 * which will be made to match the query.
+	 */
+	const uint8_t dnskey_wf[] = {
+		0x8d, 0xf6, 0x84, 0x00, 0x00, 0x01, 0x00, 0x02, 0x00, 0x00,
+		0x00, 0x01, 0x07, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65,
+		0x00, 0x00, 0x30, 0x00, 0x01, 0xc0, 0x0c, 0x00, 0x30, 0x00,
+		0x01, 0x00, 0x00, 0x01, 0x2c, 0x01, 0x08, 0x01, 0x00, 0x03,
+		0x08, 0x03, 0x01, 0x00, 0x01, 0xbd, 0x81, 0xdc, 0x7f, 0x16,
+		0xd4, 0x81, 0x7c, 0x1f, 0x9f, 0x6a, 0x68, 0xdd, 0xd4, 0xda,
+		0x48, 0xd9, 0x1c, 0xbd, 0xa6, 0x46, 0x1a, 0xf0, 0xb4, 0xb9,
+		0xec, 0x3d, 0x6c, 0x0b, 0x57, 0xc7, 0xd6, 0x54, 0x66, 0xe6,
+		0x6c, 0xd5, 0x90, 0x3a, 0x78, 0x7d, 0x7f, 0x78, 0x80, 0xa2,
+		0x89, 0x61, 0x6d, 0x8a, 0x2b, 0xcd, 0x0a, 0x77, 0x7a, 0xad,
+		0xc9, 0x61, 0x53, 0x53, 0x8c, 0x99, 0x72, 0x86, 0x14, 0x74,
+		0x9c, 0x49, 0x2a, 0x47, 0x23, 0xf7, 0x02, 0x07, 0x73, 0x1c,
+		0x5c, 0x2e, 0xb4, 0x9a, 0xa4, 0xd7, 0x98, 0x42, 0xc3, 0xd2,
+		0xfe, 0xbf, 0xf3, 0xb3, 0x6a, 0x52, 0x92, 0xd5, 0xfa, 0x47,
+		0x00, 0xe3, 0xd9, 0x59, 0x31, 0x95, 0x48, 0x40, 0xfc, 0x06,
+		0x73, 0x90, 0xc6, 0x73, 0x96, 0xba, 0x29, 0x91, 0xe2, 0xac,
+		0xa3, 0xa5, 0x6d, 0x91, 0x6d, 0x52, 0xb9, 0x34, 0xba, 0x68,
+		0x4f, 0xad, 0xf0, 0xc3, 0xf3, 0x1d, 0x6d, 0x61, 0x76, 0xe5,
+		0x3d, 0xa3, 0x9b, 0x2a, 0x0c, 0x92, 0xb3, 0x78, 0x6b, 0xf1,
+		0x20, 0xd6, 0x90, 0xb7, 0xac, 0xe2, 0xf8, 0x2b, 0x94, 0x10,
+		0x79, 0xce, 0xa8, 0x60, 0x42, 0xea, 0x6a, 0x18, 0x2f, 0xc0,
+		0xd8, 0x05, 0x0a, 0x3b, 0x06, 0x0f, 0x02, 0x7e, 0xff, 0x33,
+		0x46, 0xee, 0xb6, 0x21, 0x25, 0x90, 0x63, 0x4b, 0x3b, 0x5e,
+		0xb2, 0x72, 0x3a, 0xcb, 0x91, 0x41, 0xf4, 0x20, 0x50, 0x78,
+		0x1c, 0x93, 0x95, 0xda, 0xfa, 0xae, 0x85, 0xc5, 0xd7, 0x6b,
+		0x92, 0x0c, 0x70, 0x6b, 0xe4, 0xb7, 0x29, 0x3a, 0x2e, 0x18,
+		0x88, 0x82, 0x33, 0x7c, 0xa8, 0xea, 0xb8, 0x31, 0x8f, 0xaf,
+		0x50, 0xc5, 0x9c, 0x08, 0x56, 0x8f, 0x09, 0x76, 0x4e, 0xdf,
+		0x97, 0x75, 0x9d, 0x00, 0x52, 0x7f, 0xdb, 0xec, 0x30, 0xcb,
+		0x1c, 0x4c, 0x2a, 0x21, 0x93, 0xc4, 0x6d, 0x85, 0xa9, 0x40,
+		0x3b, 0xc0, 0x0c, 0x00, 0x2e, 0x00, 0x01, 0x00, 0x00, 0x01,
+		0x2c, 0x01, 0x1b, 0x00, 0x30, 0x08, 0x01, 0x00, 0x00, 0x01,
+		0x2c, 0x67, 0x74, 0x85, 0x80, 0x58, 0xb3, 0xc5, 0x17, 0x36,
+		0x90, 0x07, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x00,
+		0x45, 0xac, 0xd3, 0x82, 0x69, 0xf3, 0x10, 0x3a, 0x97, 0x2c,
+		0x6a, 0xa9, 0x78, 0x99, 0xea, 0xb0, 0xcc, 0xf7, 0xaf, 0x33,
+		0x51, 0x5b, 0xdf, 0x77, 0x04, 0x18, 0x14, 0x99, 0x61, 0xeb,
+		0x8d, 0x76, 0x3f, 0xd1, 0x71, 0x14, 0x43, 0x80, 0x53, 0xc2,
+		0x3b, 0x9f, 0x09, 0x4f, 0xb3, 0x51, 0x04, 0x89, 0x0e, 0xc8,
+		0x54, 0x12, 0xcd, 0x07, 0x20, 0xbe, 0x94, 0xc2, 0xda, 0x99,
+		0xdd, 0x1e, 0xf8, 0xb0, 0x84, 0x2e, 0xf9, 0x19, 0x35, 0x36,
+		0xf5, 0xd0, 0x5d, 0x82, 0x18, 0x74, 0xa0, 0x00, 0xb6, 0x15,
+		0x57, 0x40, 0x5f, 0x78, 0x2d, 0x27, 0xac, 0xc7, 0x8a, 0x29,
+		0x55, 0xa9, 0xcd, 0xbc, 0xf7, 0x3e, 0xff, 0xae, 0x1a, 0x5a,
+		0x1d, 0xac, 0x0d, 0x78, 0x0e, 0x08, 0x33, 0x6c, 0x59, 0x70,
+		0x40, 0xb9, 0x65, 0xbd, 0x35, 0xbb, 0x9a, 0x70, 0xdc, 0x93,
+		0x66, 0xb0, 0xef, 0xfe, 0xf0, 0x32, 0xa6, 0xee, 0xb7, 0x03,
+		0x89, 0xa2, 0x4d, 0xe0, 0xf1, 0x20, 0xdf, 0x39, 0xe8, 0xe3,
+		0xcc, 0x95, 0xe9, 0x9a, 0xad, 0xbf, 0xbd, 0x7c, 0xf7, 0xd7,
+		0xde, 0x47, 0x9e, 0xf6, 0x17, 0xbb, 0x84, 0xa9, 0xed, 0xf2,
+		0x45, 0x61, 0x6d, 0x13, 0x0b, 0x06, 0x29, 0x50, 0xde, 0xfd,
+		0x42, 0xb0, 0x66, 0x2c, 0x1c, 0x2b, 0x63, 0xcb, 0x4e, 0xb9,
+		0x31, 0xc4, 0xea, 0xd2, 0x07, 0x3a, 0x08, 0x79, 0x19, 0x4b,
+		0x4c, 0x50, 0x97, 0x02, 0xd7, 0x26, 0x41, 0x2f, 0xdd, 0x57,
+		0xaa, 0xb0, 0xa0, 0x21, 0x4e, 0x74, 0xb6, 0x97, 0x4b, 0x8b,
+		0x09, 0x9c, 0x3d, 0x29, 0xfb, 0x12, 0x27, 0x47, 0x8f, 0xb8,
+		0xc5, 0x8e, 0x65, 0xcd, 0xca, 0x2f, 0xba, 0xf5, 0x3e, 0xec,
+		0x56, 0xc3, 0xc9, 0xa1, 0x62, 0x7d, 0xf2, 0x9f, 0x90, 0x16,
+		0x1d, 0xbf, 0x97, 0x28, 0xe1, 0x92, 0xb1, 0x53, 0xab, 0xc4,
+		0xe0, 0x99, 0xbb, 0x19, 0x90, 0x7c, 0x00, 0x00, 0x29, 0x10,
+		0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00
+	};
+
+	int sockfd;
+	int listenfd;
+	int loop;
+	uint16_t qtype;
+	char *buf, *rbuf;
+	char *nameptr;
+	unsigned int i;
+	uint8_t llen;
+	uint64_t seed;
+
+	UNUSED(arg);
+
+	/*
+	 * Parse named -A argument in the "qtype:saddress:sport:raddress:rport"
+	 * syntax.  Due to the syntax used, this only supports IPv4 addresses.
+	 */
+	sqtype = strdup(named_g_fuzz_addr);
+	RUNTIME_CHECK(sqtype != NULL);
+
+	shost = strchr(sqtype, ':');
+	RUNTIME_CHECK(shost != NULL);
+	*shost = 0;
+	shost++;
+
+	sport = strchr(shost, ':');
+	RUNTIME_CHECK(sport != NULL);
+	*sport = 0;
+	sport++;
+
+	rhost = strchr(sport, ':');
+	RUNTIME_CHECK(rhost != NULL);
+	*rhost = 0;
+	rhost++;
+
+	rport = strchr(rhost, ':');
+	RUNTIME_CHECK(rport != NULL);
+	*rport = 0;
+	rport++;
+
+	/*
+	 * Patch in the qtype into the question section of respacket.
+	 */
+	qtype = atoi(sqtype);
+	respacket[32] = (qtype >> 8) & 0xff;
+	respacket[33] = qtype & 0xff;
+
+	memset(&servaddr, 0, sizeof(servaddr));
+	servaddr.sin_family = AF_INET;
+	RUNTIME_CHECK(inet_pton(AF_INET, shost, &servaddr.sin_addr) == 1);
+	servaddr.sin_port = htons(atoi(sport));
+
+	memset(&recaddr, 0, sizeof(recaddr));
+	recaddr.sin_family = AF_INET;
+	RUNTIME_CHECK(inet_pton(AF_INET, rhost, &recaddr.sin_addr) == 1);
+	recaddr.sin_port = htons(atoi(rport));
+
+	free(sqtype);
+
+	/*
+	 * Wait for named to start. This is set in run_server() in the
+	 * named thread.
+	 */
+	while (!named_g_run_done) {
+		usleep(10000);
+	}
+
+	sockfd = socket(AF_INET, SOCK_DGRAM, 0);
+	RUNTIME_CHECK(sockfd != -1);
+
+	listenfd = socket(AF_INET, SOCK_DGRAM, 0);
+	RUNTIME_CHECK(listenfd != -1);
+
+	RUNTIME_CHECK(bind(listenfd, (struct sockaddr *)&recaddr,
+			   sizeof(struct sockaddr_in)) == 0);
+
+	buf = malloc(65536);
+	rbuf = malloc(65536);
+	RUNTIME_CHECK(buf != NULL);
+	RUNTIME_CHECK(rbuf != NULL);
+
+	seed = 42;
+
+	/*
+	 * Processing fuzzed packets 100,000 times before shutting down
+	 * the app.
+	 */
+	for (loop = 0; loop < 100000; loop++) {
+		ssize_t length;
+		ssize_t sent;
+		unsigned short id;
+		socklen_t socklen;
+
+		memset(buf, 0, 12);
+		length = read(0, buf, 65536);
+		if (length <= 0) {
+			usleep(1000000);
+			continue;
+		}
+
+		if (length > 4096) {
+			if (getenv("AFL_CMIN")) {
+				free(buf);
+				free(rbuf);
+				close(sockfd);
+				close(listenfd);
+				named_server_flushonshutdown(named_g_server,
+							     false);
+				isc_app_shutdown();
+				return (NULL);
+			}
+			raise(SIGSTOP);
+			continue;
+		}
+
+		if (length < 12) {
+			length = 12;
+		}
+
+		RUNTIME_CHECK(pthread_mutex_lock(&mutex) == 0);
+
+		ready = false;
+
+		/* Use a unique query ID. */
+		seed = 1664525 * seed + 1013904223;
+		id = seed & 0xffff;
+		respacket[0] = (id >> 8) & 0xff;
+		respacket[1] = id & 0xff;
+
+		/*
+		 * Flush any pending data on the authoritative server.
+		 */
+		socklen = sizeof(recvaddr);
+		(void)recvfrom(listenfd, rbuf, 65536, MSG_DONTWAIT,
+			       (struct sockaddr *)&recvaddr, &socklen);
+
+		/*
+		 * Send a fixed client query to named(resolver) of
+		 * aaaaaaaaaa.example./A. This is the starting query
+		 * driver.
+		 */
+		sent = sendto(sockfd, respacket, sizeof(respacket), 0,
+			      (struct sockaddr *)&servaddr, sizeof(servaddr));
+		RUNTIME_CHECK(sent == sizeof(respacket));
+
+		/*
+		 * named(resolver) will process the query above and send
+		 * an upstream query to the authoritative server. We
+		 * handle that here as the upstream authoritative server
+		 * on listenfd.
+		 */
+		socklen = sizeof(recvaddr);
+		sent = recvfrom(listenfd, rbuf, 65536, 0,
+				(struct sockaddr *)&recvaddr, &socklen);
+		RUNTIME_CHECK(sent > 0);
+
+		/*
+		 * Copy QID and set QR so that response is always
+		 * accepted by named(resolver).
+		 */
+		buf[0] = rbuf[0];
+		buf[1] = rbuf[1];
+		buf[2] |= 0x80;
+
+		/*
+		 * NOTE: We are not copying the QNAME or setting
+		 * rcode=NOERROR each time. So the resolver may fail the
+		 * client query (driver) / wander due to this. AA flag
+		 * may also not be set based on the contents of the AFL
+		 * fuzzed packet.
+		 */
+
+		/*
+		 * A hack - set QTYPE to the one from query so that we
+		 * can easily share packets between instances. If we
+		 * write over something else we'll get FORMERR anyway.
+		 */
+
+		/* Skip DNS header to get to the name */
+		nameptr = buf + 12;
+
+		/* Skip the name to get to the qtype */
+		i = 0;
+		while (((llen = nameptr[i]) != 0) && (i < 255) &&
+		       (((nameptr + i + 1 + llen) - buf) < length))
+		{
+			i += 1 + llen;
+		}
+
+		if (i <= 255) {
+			nameptr += 1 + i;
+			/* Patch the qtype */
+			if ((nameptr - buf) < (length - 2)) {
+				*nameptr++ = (qtype >> 8) & 0xff;
+				*nameptr++ = qtype & 0xff;
+			}
+			/* Patch the qclass */
+			if ((nameptr - buf) < (length - 2)) {
+				*nameptr++ = 0;
+				*nameptr++ = 1;
+			}
+		}
+
+		/*
+		 * Send the reply to named(resolver).
+		 */
+		sent = sendto(listenfd, buf, length, 0,
+			      (struct sockaddr *)&recvaddr, sizeof(recvaddr));
+		RUNTIME_CHECK(sent == length);
+
+		/* We might get additional questions here (e.g. for CNAME). */
+		for (;;) {
+			fd_set fds;
+			struct timeval tv;
+			int rv;
+			int max;
+
+			FD_ZERO(&fds);
+			FD_SET(listenfd, &fds);
+			FD_SET(sockfd, &fds);
+			tv.tv_sec = 10;
+			tv.tv_usec = 0;
+			max = (listenfd > sockfd ? listenfd : sockfd) + 1;
+
+			rv = select(max, &fds, NULL, NULL, &tv);
+			RUNTIME_CHECK(rv > 0);
+
+			if (FD_ISSET(sockfd, &fds)) {
+				/*
+				 * It's the reply from named(resolver)
+				 * to the client(query driver), so we're
+				 * done.
+				 */
+				(void)recvfrom(sockfd, buf, 65536, 0, NULL,
+					       NULL);
+				break;
+			}
+
+			/*
+			 * We've got additional question (eg. due to
+			 * CNAME). Bounce it - setting QR flag and
+			 * NOERROR rcode and sending it back.
+			 */
+			length = recvfrom(listenfd, buf, 65536, 0,
+					  (struct sockaddr *)&recvaddr,
+					  &socklen);
+
+			/*
+			 * If this is a DNSKEY query, send the DNSKEY,
+			 * otherwise, bounce the query.
+			 */
+
+			/* Skip DNS header to get to the name */
+			nameptr = buf + 12;
+
+			/* Skip the name to get to the qtype */
+			i = 0;
+			while (((llen = nameptr[i]) != 0) && (i < 255) &&
+			       (((nameptr + i + 1 + llen) - buf) < length))
+			{
+				i += 1 + llen;
+			}
+
+			if (i <= 255) {
+				nameptr += 1 + i;
+				/*
+				 * Patch in the DNSKEY reply without
+				 * touching the ID field. Note that we
+				 * don't compare the name in the
+				 * question section in the query, but we
+				 * don't expect to receive any query for
+				 * type DNSKEY but for the name
+				 * "example."
+				 */
+				if ((nameptr - buf) < (length - 2)) {
+					uint8_t hb, lb;
+					hb = *nameptr++;
+					lb = *nameptr++;
+					qtype = (hb << 8) | lb;
+
+					if (qtype == 48) {
+						memmove(buf + 2, dnskey_wf + 2,
+							sizeof(dnskey_wf) - 2);
+						length = sizeof(dnskey_wf);
+					}
+				}
+			}
+
+			buf[2] |= 0x80;
+			buf[3] &= 0xF0;
+			sent = sendto(listenfd, buf, length, 0,
+				      (struct sockaddr *)&recvaddr,
+				      sizeof(recvaddr));
+			RUNTIME_CHECK(sent == length);
+		}
+
+		while (!ready) {
+			pthread_cond_wait(&cond, &mutex);
+		}
+
+		RUNTIME_CHECK(pthread_mutex_unlock(&mutex) == 0);
+	}
+
+	free(buf);
+	free(rbuf);
+	close(sockfd);
+	close(listenfd);
+	named_server_flushonshutdown(named_g_server, false);
+	isc_app_shutdown();
+
+#ifdef __AFL_LOOP
+	/*
+	 * This is here just for the signature, that's how AFL detects
+	 * if it's a 'persistent mode' binary. It has to occur somewhere
+	 * in the file, that's all. < wpk_> AFL checks the binary for
+	 * this signature ("##SIG_AFL_PERSISTENT##") and runs the binary
+	 * in persistent mode if it's present.
+	 */
+	__AFL_LOOP(0);
+#endif /* ifdef __AFL_LOOP */
+
+	return (NULL);
+}
+
+/*
+ * In "tcp:", "http:" and "rndc:" modes, this thread reads fuzzed query
+ * blobs from AFL from standard input and sends it to the corresponding
+ * TCP listening port of named (port 53 DNS, or the HTTP statistics
+ * channels listener or the rndc port) that is passed in the -A
+ * <mode>:<address>:<port> option. It can be used to test named from the
+ * client side.
+ */
+static void *
+fuzz_thread_tcp(void *arg) {
+	char *host;
+	char *port;
+	struct sockaddr_in servaddr;
+	int sockfd;
+	char *buf;
+	int loop;
+
+	UNUSED(arg);
+
+	/*
+	 * Parse named -A argument in the "address:port" syntax. Due to
+	 * the syntax used, this only supports IPv4 addresses.
+	 */
+	host = strdup(named_g_fuzz_addr);
+	RUNTIME_CHECK(host != NULL);
+
+	port = strchr(host, ':');
+	RUNTIME_CHECK(port != NULL);
+	*port = 0;
+	++port;
+
+	memset(&servaddr, 0, sizeof(servaddr));
+	servaddr.sin_family = AF_INET;
+	RUNTIME_CHECK(inet_pton(AF_INET, host, &servaddr.sin_addr) == 1);
+	servaddr.sin_port = htons(atoi(port));
+
+	free(host);
+
+	/*
+	 * Wait for named to start. This is set in run_server() in the
+	 * named thread.
+	 */
+	while (!named_g_run_done) {
+		usleep(10000);
+	}
+
+	buf = malloc(65539);
+	RUNTIME_CHECK(buf != NULL);
+
+	/*
+	 * Processing fuzzed packets 100,000 times before shutting down
+	 * the app.
+	 */
+	for (loop = 0; loop < 100000; loop++) {
+		ssize_t length;
+		ssize_t sent;
+		int yes;
+		int r;
+
+		if (named_g_fuzz_type == isc_fuzz_tcpclient) {
+			/*
+			 * To fuzz DNS TCP client we have to put 16-bit
+			 * message length preceding the start of packet.
+			 */
+			length = read(0, buf + 2, 65535);
+			buf[0] = (length >> 8) & 0xff;
+			buf[1] = length & 0xff;
+			length += 2;
+		} else {
+			/*
+			 * Other types of TCP clients such as HTTP, etc.
+			 */
+			length = read(0, buf, 65535);
+		}
+		if (length <= 0) {
+			usleep(1000000);
+			continue;
+		}
+		if (named_g_fuzz_type == isc_fuzz_http) {
+			/*
+			 * This guarantees that the request will be
+			 * processed.
+			 */
+			INSIST(length <= 65535);
+			buf[length++] = '\r';
+			buf[length++] = '\n';
+			buf[length++] = '\r';
+			buf[length++] = '\n';
+		}
+
+		RUNTIME_CHECK(pthread_mutex_lock(&mutex) == 0);
+
+		ready = false;
+		yes = 1;
+		sockfd = socket(AF_INET, SOCK_STREAM, 0);
+
+		RUNTIME_CHECK(sockfd != -1);
+		RUNTIME_CHECK(setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &yes,
+					 sizeof(int)) == 0);
+
+		do {
+			r = connect(sockfd, (struct sockaddr *)&servaddr,
+				    sizeof(servaddr));
+			if (r != 0) {
+				usleep(10000);
+			}
+		} while (r != 0);
+
+		/*
+		 * Send the fuzzed query blob to the target server.
+		 */
+		sent = write(sockfd, buf, length);
+		RUNTIME_CHECK(sent == length);
+
+		close(sockfd);
+
+		while (!ready) {
+			pthread_cond_wait(&cond, &mutex);
+		}
+
+		RUNTIME_CHECK(pthread_mutex_unlock(&mutex) == 0);
+	}
+
+	free(buf);
+	close(sockfd);
+	named_server_flushonshutdown(named_g_server, false);
+	isc_app_shutdown();
+
+	return (NULL);
+}
+
+#endif /* ENABLE_AFL */
+
+/*
+ * named has finished processing a message and has sent the
+ * reply. Signal the fuzz thread using the condition variable, to read
+ * and process the next item from AFL.
+ */
+void
+named_fuzz_notify(void) {
+#ifdef ENABLE_AFL
+	if (getenv("AFL_CMIN")) {
+		named_server_flushonshutdown(named_g_server, false);
+		isc_app_shutdown();
+		return;
+	}
+
+	raise(SIGSTOP);
+
+	RUNTIME_CHECK(pthread_mutex_lock(&mutex) == 0);
+
+	ready = true;
+
+	RUNTIME_CHECK(pthread_cond_signal(&cond) == 0);
+	RUNTIME_CHECK(pthread_mutex_unlock(&mutex) == 0);
+#endif /* ENABLE_AFL */
+}
+
+void
+named_fuzz_setup(void) {
+#ifdef ENABLE_AFL
+	if (getenv("__AFL_PERSISTENT") || getenv("AFL_CMIN")) {
+		pthread_t thread;
+		void *(fn) = NULL;
+
+		switch (named_g_fuzz_type) {
+		case isc_fuzz_client:
+			fn = fuzz_thread_client;
+			break;
+
+		case isc_fuzz_http:
+		case isc_fuzz_tcpclient:
+		case isc_fuzz_rndc:
+			fn = fuzz_thread_tcp;
+			break;
+
+		case isc_fuzz_resolver:
+			fn = fuzz_thread_resolver;
+			break;
+
+		default:
+			RUNTIME_CHECK(fn != NULL);
+		}
+
+		RUNTIME_CHECK(pthread_mutex_init(&mutex, NULL) == 0);
+		RUNTIME_CHECK(pthread_cond_init(&cond, NULL) == 0);
+		RUNTIME_CHECK(pthread_create(&thread, NULL, fn, NULL) == 0);
+	}
+#endif /* ENABLE_AFL */
+}
diff --git a/bin/named/geoip.c b/bin/named/geoip.c
new file mode 100644
index 0000000..9963ca8
--- /dev/null
+++ b/bin/named/geoip.c
@@ -0,0 +1,146 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#if defined(HAVE_GEOIP2)
+#include <maxminddb.h>
+#endif /* if defined(HAVE_GEOIP2) */
+
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/geoip.h>
+
+#include <named/geoip.h>
+#include <named/log.h>
+
+static dns_geoip_databases_t geoip_table;
+
+#if defined(HAVE_GEOIP2)
+static MMDB_s geoip_country, geoip_city, geoip_as, geoip_isp, geoip_domain;
+
+static MMDB_s *
+open_geoip2(const char *dir, const char *dbfile, MMDB_s *mmdb) {
+	char pathbuf[PATH_MAX];
+	unsigned int n;
+	int ret;
+
+	n = snprintf(pathbuf, sizeof(pathbuf), "%s/%s", dir, dbfile);
+	if (n >= sizeof(pathbuf)) {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+			      "GeoIP2 database '%s/%s': path too long", dir,
+			      dbfile);
+		return (NULL);
+	}
+
+	ret = MMDB_open(pathbuf, MMDB_MODE_MMAP, mmdb);
+	if (ret == MMDB_SUCCESS) {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+			      "opened GeoIP2 database '%s'", pathbuf);
+		return (mmdb);
+	}
+
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_DEBUG(1),
+		      "unable to open GeoIP2 database '%s' (status %d)",
+		      pathbuf, ret);
+
+	return (NULL);
+}
+#endif /* HAVE_GEOIP2 */
+
+void
+named_geoip_init(void) {
+#if defined(HAVE_GEOIP2)
+	if (named_g_geoip == NULL) {
+		named_g_geoip = &geoip_table;
+	}
+#else  /* if defined(HAVE_GEOIP2) */
+	return;
+#endif /* if defined(HAVE_GEOIP2) */
+}
+
+void
+named_geoip_load(char *dir) {
+#if defined(HAVE_GEOIP2)
+	REQUIRE(dir != NULL);
+
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+		      "looking for GeoIP2 databases in '%s'", dir);
+
+	named_g_geoip->country = open_geoip2(dir, "GeoIP2-Country.mmdb",
+					     &geoip_country);
+	if (named_g_geoip->country == NULL) {
+		named_g_geoip->country = open_geoip2(
+			dir, "GeoLite2-Country.mmdb", &geoip_country);
+	}
+
+	named_g_geoip->city = open_geoip2(dir, "GeoIP2-City.mmdb", &geoip_city);
+	if (named_g_geoip->city == NULL) {
+		named_g_geoip->city = open_geoip2(dir, "GeoLite2-City.mmdb",
+						  &geoip_city);
+	}
+
+	named_g_geoip->as = open_geoip2(dir, "GeoIP2-ASN.mmdb", &geoip_as);
+	if (named_g_geoip->as == NULL) {
+		named_g_geoip->as = open_geoip2(dir, "GeoLite2-ASN.mmdb",
+						&geoip_as);
+	}
+
+	named_g_geoip->isp = open_geoip2(dir, "GeoIP2-ISP.mmdb", &geoip_isp);
+	named_g_geoip->domain = open_geoip2(dir, "GeoIP2-Domain.mmdb",
+					    &geoip_domain);
+#else  /* if defined(HAVE_GEOIP2) */
+	UNUSED(dir);
+
+	return;
+#endif /* if defined(HAVE_GEOIP2) */
+}
+
+void
+named_geoip_unload(void) {
+#ifdef HAVE_GEOIP2
+	if (named_g_geoip->country != NULL) {
+		MMDB_close(named_g_geoip->country);
+		named_g_geoip->country = NULL;
+	}
+	if (named_g_geoip->city != NULL) {
+		MMDB_close(named_g_geoip->city);
+		named_g_geoip->city = NULL;
+	}
+	if (named_g_geoip->as != NULL) {
+		MMDB_close(named_g_geoip->as);
+		named_g_geoip->as = NULL;
+	}
+	if (named_g_geoip->isp != NULL) {
+		MMDB_close(named_g_geoip->isp);
+		named_g_geoip->isp = NULL;
+	}
+	if (named_g_geoip->domain != NULL) {
+		MMDB_close(named_g_geoip->domain);
+		named_g_geoip->domain = NULL;
+	}
+#endif /* ifdef HAVE_GEOIP2 */
+}
+
+void
+named_geoip_shutdown(void) {
+#ifdef HAVE_GEOIP2
+	named_geoip_unload();
+#endif /* HAVE_GEOIP2 */
+}
diff --git a/bin/named/include/.clang-format b/bin/named/include/.clang-format
new file mode 120000
index 0000000..0e62f72
--- /dev/null
+++ b/bin/named/include/.clang-format
@@ -0,0 +1 @@
+../../../.clang-format.headers
\ No newline at end of file
diff --git a/bin/named/include/dlz/dlz_dlopen_driver.h b/bin/named/include/dlz/dlz_dlopen_driver.h
new file mode 100644
index 0000000..7835986
--- /dev/null
+++ b/bin/named/include/dlz/dlz_dlopen_driver.h
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DLZ_DLOPEN_DRIVER_H
+#define DLZ_DLOPEN_DRIVER_H
+
+isc_result_t
+dlz_dlopen_init(isc_mem_t *mctx);
+
+void
+dlz_dlopen_clear(void);
+#endif /* ifndef DLZ_DLOPEN_DRIVER_H */
diff --git a/bin/named/include/named/builtin.h b/bin/named/include/named/builtin.h
new file mode 100644
index 0000000..9968759
--- /dev/null
+++ b/bin/named/include/named/builtin.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef NAMED_BUILTIN_H
+#define NAMED_BUILTIN_H 1
+
+/*! \file */
+
+#include <isc/types.h>
+
+isc_result_t
+named_builtin_init(void);
+
+void
+named_builtin_deinit(void);
+
+#endif /* NAMED_BUILTIN_H */
diff --git a/bin/named/include/named/config.h b/bin/named/include/named/config.h
new file mode 100644
index 0000000..e6293ef
--- /dev/null
+++ b/bin/named/include/named/config.h
@@ -0,0 +1,88 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef NAMED_CONFIG_H
+#define NAMED_CONFIG_H 1
+
+/*! \file */
+
+#include <inttypes.h>
+
+#include <dns/types.h>
+#include <dns/zone.h>
+
+#include <isccfg/cfg.h>
+
+#define DEFAULT_IANA_ROOT_ZONE_PRIMARIES "_default_iana_root_zone_primaries"
+
+isc_result_t
+named_config_parsedefaults(cfg_parser_t *parser, cfg_obj_t **conf);
+
+const char *
+named_config_getdefault(void);
+
+isc_result_t
+named_config_get(cfg_obj_t const *const *maps, const char *name,
+		 const cfg_obj_t **obj);
+
+isc_result_t
+named_checknames_get(const cfg_obj_t **maps, const char *const names[],
+		     const cfg_obj_t **obj);
+
+int
+named_config_listcount(const cfg_obj_t *list);
+
+isc_result_t
+named_config_getclass(const cfg_obj_t *classobj, dns_rdataclass_t defclass,
+		      dns_rdataclass_t *classp);
+
+isc_result_t
+named_config_gettype(const cfg_obj_t *typeobj, dns_rdatatype_t deftype,
+		     dns_rdatatype_t *typep);
+
+dns_zonetype_t
+named_config_getzonetype(const cfg_obj_t *zonetypeobj);
+
+isc_result_t
+named_config_getiplist(const cfg_obj_t *config, const cfg_obj_t *list,
+		       in_port_t defport, isc_mem_t *mctx,
+		       isc_sockaddr_t **addrsp, isc_dscp_t **dscpsp,
+		       uint32_t *countp);
+
+void
+named_config_putiplist(isc_mem_t *mctx, isc_sockaddr_t **addrsp,
+		       isc_dscp_t **dscpsp, uint32_t count);
+
+isc_result_t
+named_config_getremotesdef(const cfg_obj_t *cctx, const char *list,
+			   const char *name, const cfg_obj_t **ret);
+
+isc_result_t
+named_config_getipandkeylist(const cfg_obj_t *config, const char *listtype,
+			     const cfg_obj_t *list, isc_mem_t *mctx,
+			     dns_ipkeylist_t *ipkl);
+
+isc_result_t
+named_config_getport(const cfg_obj_t *config, in_port_t *portp);
+
+isc_result_t
+named_config_getkeyalgorithm(const char *str, const dns_name_t **name,
+			     uint16_t *digestbits);
+isc_result_t
+named_config_getkeyalgorithm2(const char *str, const dns_name_t **name,
+			      unsigned int *typep, uint16_t *digestbits);
+
+isc_result_t
+named_config_getdscp(const cfg_obj_t *config, isc_dscp_t *dscpp);
+
+#endif /* NAMED_CONFIG_H */
diff --git a/bin/named/include/named/control.h b/bin/named/include/named/control.h
new file mode 100644
index 0000000..4c0e5f2
--- /dev/null
+++ b/bin/named/include/named/control.h
@@ -0,0 +1,111 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef NAMED_CONTROL_H
+#define NAMED_CONTROL_H 1
+
+/*! \file
+ * \brief
+ * The name server command channel.
+ */
+
+#include <stdbool.h>
+
+#include <isccfg/aclconf.h>
+
+#include <isccc/types.h>
+#include <named/types.h>
+
+#define NAMED_CONTROL_PORT 953
+
+#define NAMED_COMMAND_STOP	   "stop"
+#define NAMED_COMMAND_HALT	   "halt"
+#define NAMED_COMMAND_RELOAD	   "reload"
+#define NAMED_COMMAND_RECONFIG	   "reconfig"
+#define NAMED_COMMAND_REFRESH	   "refresh"
+#define NAMED_COMMAND_RETRANSFER   "retransfer"
+#define NAMED_COMMAND_DUMPSTATS	   "stats"
+#define NAMED_COMMAND_QUERYLOG	   "querylog"
+#define NAMED_COMMAND_DUMPDB	   "dumpdb"
+#define NAMED_COMMAND_SECROOTS	   "secroots"
+#define NAMED_COMMAND_TRACE	   "trace"
+#define NAMED_COMMAND_NOTRACE	   "notrace"
+#define NAMED_COMMAND_FLUSH	   "flush"
+#define NAMED_COMMAND_FLUSHNAME	   "flushname"
+#define NAMED_COMMAND_FLUSHTREE	   "flushtree"
+#define NAMED_COMMAND_STATUS	   "status"
+#define NAMED_COMMAND_TSIGLIST	   "tsig-list"
+#define NAMED_COMMAND_TSIGDELETE   "tsig-delete"
+#define NAMED_COMMAND_FREEZE	   "freeze"
+#define NAMED_COMMAND_UNFREEZE	   "unfreeze"
+#define NAMED_COMMAND_THAW	   "thaw"
+#define NAMED_COMMAND_TIMERPOKE	   "timerpoke"
+#define NAMED_COMMAND_RECURSING	   "recursing"
+#define NAMED_COMMAND_NULL	   "null"
+#define NAMED_COMMAND_NOTIFY	   "notify"
+#define NAMED_COMMAND_VALIDATION   "validation"
+#define NAMED_COMMAND_SCAN	   "scan"
+#define NAMED_COMMAND_SIGN	   "sign"
+#define NAMED_COMMAND_LOADKEYS	   "loadkeys"
+#define NAMED_COMMAND_ADDZONE	   "addzone"
+#define NAMED_COMMAND_MODZONE	   "modzone"
+#define NAMED_COMMAND_DELZONE	   "delzone"
+#define NAMED_COMMAND_SHOWZONE	   "showzone"
+#define NAMED_COMMAND_SYNC	   "sync"
+#define NAMED_COMMAND_SIGNING	   "signing"
+#define NAMED_COMMAND_DNSSEC	   "dnssec"
+#define NAMED_COMMAND_ZONESTATUS   "zonestatus"
+#define NAMED_COMMAND_NTA	   "nta"
+#define NAMED_COMMAND_TESTGEN	   "testgen"
+#define NAMED_COMMAND_MKEYS	   "managed-keys"
+#define NAMED_COMMAND_DNSTAPREOPEN "dnstap-reopen"
+#define NAMED_COMMAND_DNSTAP	   "dnstap"
+#define NAMED_COMMAND_TCPTIMEOUTS  "tcp-timeouts"
+#define NAMED_COMMAND_SERVESTALE   "serve-stale"
+
+isc_result_t
+named_controls_create(named_server_t *server, named_controls_t **ctrlsp);
+/*%<
+ * Create an initial, empty set of command channels for 'server'.
+ */
+
+void
+named_controls_destroy(named_controls_t **ctrlsp);
+/*%<
+ * Destroy a set of command channels.
+ *
+ * Requires:
+ *	Shutdown of the channels has completed.
+ */
+
+isc_result_t
+named_controls_configure(named_controls_t *controls, const cfg_obj_t *config,
+			 cfg_aclconfctx_t *aclconfctx);
+/*%<
+ * Configure zero or more command channels into 'controls'
+ * as defined in the configuration parse tree 'config'.
+ * The channels will evaluate ACLs in the context of
+ * 'aclconfctx'.
+ */
+
+void
+named_controls_shutdown(named_controls_t *controls);
+/*%<
+ * Initiate shutdown of all the command channels in 'controls'.
+ */
+
+isc_result_t
+named_control_docommand(isccc_sexpr_t *message, bool readonly,
+			isc_buffer_t **text);
+
+#endif /* NAMED_CONTROL_H */
diff --git a/bin/named/include/named/fuzz.h b/bin/named/include/named/fuzz.h
new file mode 100644
index 0000000..43a13e2
--- /dev/null
+++ b/bin/named/include/named/fuzz.h
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <isc/fuzz.h>
+
+#ifndef NAMED_FUZZ_H
+#define NAMED_FUZZ_H
+
+void
+named_fuzz_notify(void);
+
+void
+named_fuzz_setup(void);
+
+#endif /* NAMED_FUZZ_H */
diff --git a/bin/named/include/named/geoip.h b/bin/named/include/named/geoip.h
new file mode 100644
index 0000000..d1852ef
--- /dev/null
+++ b/bin/named/include/named/geoip.h
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#pragma once
+
+extern dns_geoip_databases_t *named_g_geoip;
+
+void
+named_geoip_init(void);
+
+void
+named_geoip_load(char *dir);
+
+void
+named_geoip_unload(void);
+
+void
+named_geoip_shutdown(void);
diff --git a/bin/named/include/named/globals.h b/bin/named/include/named/globals.h
new file mode 100644
index 0000000..82b632e
--- /dev/null
+++ b/bin/named/include/named/globals.h
@@ -0,0 +1,162 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef NAMED_GLOBALS_H
+#define NAMED_GLOBALS_H 1
+
+/*! \file */
+
+#include <stdbool.h>
+
+#include <isc/log.h>
+#include <isc/net.h>
+#include <isc/netmgr.h>
+#include <isc/rwlock.h>
+
+#include <dns/acl.h>
+#include <dns/zone.h>
+
+#include <isccfg/aclconf.h>
+#include <isccfg/cfg.h>
+
+#include <dst/dst.h>
+#include <named/fuzz.h>
+#include <named/types.h>
+
+#undef EXTERN
+#undef INIT
+#ifdef NAMED_MAIN
+#define EXTERN
+#define INIT(v) = (v)
+#else /* ifdef NAMED_MAIN */
+#define EXTERN extern
+#define INIT(v)
+#endif /* ifdef NAMED_MAIN */
+
+#ifndef NAMED_RUN_PID_DIR
+#define NAMED_RUN_PID_DIR 1
+#endif /* ifndef NAMED_RUN_PID_DIR */
+
+EXTERN isc_mem_t *named_g_mctx		      INIT(NULL);
+EXTERN unsigned int named_g_cpus	      INIT(0);
+EXTERN unsigned int named_g_udpdisp	      INIT(0);
+EXTERN isc_taskmgr_t *named_g_taskmgr	      INIT(NULL);
+EXTERN dns_dispatchmgr_t *named_g_dispatchmgr INIT(NULL);
+EXTERN unsigned int named_g_cpus_detected     INIT(1);
+
+#ifdef ENABLE_AFL
+EXTERN bool named_g_run_done INIT(false);
+#endif /* ifdef ENABLE_AFL */
+/*
+ * XXXRTH  We're going to want multiple timer managers eventually.  One
+ *         for really short timers, another for client timers, and one
+ *         for zone timers.
+ */
+EXTERN isc_timermgr_t *named_g_timermgr	  INIT(NULL);
+EXTERN isc_socketmgr_t *named_g_socketmgr INIT(NULL);
+EXTERN isc_nm_t *named_g_nm		  INIT(NULL);
+EXTERN cfg_parser_t *named_g_parser	  INIT(NULL);
+EXTERN cfg_parser_t *named_g_addparser	  INIT(NULL);
+EXTERN const char *named_g_version	  INIT(VERSION);
+EXTERN const char *named_g_product	  INIT(PRODUCT);
+EXTERN const char *named_g_description	  INIT(DESCRIPTION);
+EXTERN const char *named_g_srcid	  INIT(SRCID);
+EXTERN const char *named_g_configargs	  INIT(CONFIGARGS);
+EXTERN const char *named_g_builder	  INIT(BUILDER);
+EXTERN in_port_t named_g_port		  INIT(0);
+EXTERN isc_dscp_t named_g_dscp		  INIT(-1);
+
+EXTERN named_server_t *named_g_server INIT(NULL);
+
+/*
+ * Logging.
+ */
+EXTERN isc_log_t *named_g_lctx		     INIT(NULL);
+EXTERN isc_logcategory_t *named_g_categories INIT(NULL);
+EXTERN isc_logmodule_t *named_g_modules	     INIT(NULL);
+EXTERN unsigned int named_g_debuglevel	     INIT(0);
+
+/*
+ * Current configuration information.
+ */
+EXTERN cfg_obj_t *named_g_config	   INIT(NULL);
+EXTERN const cfg_obj_t *named_g_defaults   INIT(NULL);
+EXTERN const char *named_g_conffile	   INIT(NAMED_SYSCONFDIR "/named.conf");
+EXTERN const char *named_g_defaultbindkeys INIT(NAMED_SYSCONFDIR "/bind.keys");
+EXTERN const char *named_g_keyfile	   INIT(NAMED_SYSCONFDIR "/rndc.key");
+
+EXTERN dns_tsigkey_t *named_g_sessionkey    INIT(NULL);
+EXTERN dns_name_t			    named_g_sessionkeyname;
+EXTERN bool named_g_conffileset		    INIT(false);
+EXTERN cfg_aclconfctx_t *named_g_aclconfctx INIT(NULL);
+
+/*
+ * Initial resource limits.
+ */
+EXTERN isc_resourcevalue_t named_g_initstacksize INIT(0);
+EXTERN isc_resourcevalue_t named_g_initdatasize	 INIT(0);
+EXTERN isc_resourcevalue_t named_g_initcoresize	 INIT(0);
+EXTERN isc_resourcevalue_t named_g_initopenfiles INIT(0);
+
+/*
+ * Misc.
+ */
+EXTERN bool named_g_coreok	     INIT(true);
+EXTERN const char *named_g_chrootdir INIT(NULL);
+EXTERN bool named_g_foreground	     INIT(false);
+EXTERN bool named_g_logstderr	     INIT(false);
+EXTERN bool named_g_nosyslog	     INIT(false);
+EXTERN const char *named_g_logfile   INIT(NULL);
+
+EXTERN const char *named_g_defaultsessionkeyfile INIT(NAMED_LOCALSTATEDIR
+						      "/run/named/"
+						      "session.key");
+EXTERN const char *named_g_defaultlockfile INIT(NAMED_LOCALSTATEDIR "/run/"
+								    "named/"
+								    "named."
+								    "lock");
+EXTERN bool named_g_forcelock		   INIT(false);
+
+#if NAMED_RUN_PID_DIR
+EXTERN const char *named_g_defaultpidfile INIT(NAMED_LOCALSTATEDIR "/run/named/"
+								   "named.pid");
+#else  /* if NAMED_RUN_PID_DIR */
+EXTERN const char *named_g_defaultpidfile INIT(NAMED_LOCALSTATEDIR "/run/"
+								   "named.pid");
+#endif /* if NAMED_RUN_PID_DIR */
+
+EXTERN const char *named_g_username INIT(NULL);
+
+EXTERN const char *named_g_engine INIT(NULL);
+
+EXTERN isc_time_t		  named_g_boottime;
+EXTERN isc_time_t		  named_g_configtime;
+EXTERN bool named_g_memstatistics INIT(false);
+EXTERN bool named_g_keepstderr	  INIT(false);
+
+EXTERN unsigned int named_g_tat_interval INIT(24 * 3600);
+EXTERN unsigned int named_g_maxcachesize INIT(0);
+
+#if defined(HAVE_GEOIP2)
+EXTERN dns_geoip_databases_t *named_g_geoip INIT(NULL);
+#endif /* if defined(HAVE_GEOIP2) */
+
+EXTERN const char *named_g_fuzz_addr	INIT(NULL);
+EXTERN isc_fuzztype_t named_g_fuzz_type INIT(isc_fuzz_none);
+
+EXTERN dns_acl_t *named_g_mapped INIT(NULL);
+
+#undef EXTERN
+#undef INIT
+
+#endif /* NAMED_GLOBALS_H */
diff --git a/bin/named/include/named/log.h b/bin/named/include/named/log.h
new file mode 100644
index 0000000..d54b155
--- /dev/null
+++ b/bin/named/include/named/log.h
@@ -0,0 +1,79 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef NAMED_LOG_H
+#define NAMED_LOG_H 1
+
+/*! \file */
+
+#include <isc/log.h>
+#include <isc/types.h>
+
+#include <dns/log.h>
+
+#include <named/globals.h> /* Required for named_g_(categories|modules). */
+
+/* Unused slot 0. */
+#define NAMED_LOGCATEGORY_UNMATCHED (&named_g_categories[1])
+
+/*
+ * Backwards compatibility.
+ */
+#define NAMED_LOGCATEGORY_GENERAL ISC_LOGCATEGORY_GENERAL
+
+#define NAMED_LOGMODULE_MAIN	(&named_g_modules[0])
+#define NAMED_LOGMODULE_SERVER	(&named_g_modules[1])
+#define NAMED_LOGMODULE_CONTROL (&named_g_modules[2])
+
+isc_result_t
+named_log_init(bool safe);
+/*%
+ * Initialize the logging system and set up an initial default
+ * logging default configuration that will be used until the
+ * config file has been read.
+ *
+ * If 'safe' is true, use a default configuration that refrains
+ * from opening files.  This is to avoid creating log files
+ * as root.
+ */
+
+void
+named_log_setdefaultchannels(isc_logconfig_t *lcfg);
+/*%
+ * Set up logging channels according to the named defaults, which
+ * may differ from the logging library defaults.  Currently,
+ * this just means setting up default_debug.
+ */
+
+void
+named_log_setsafechannels(isc_logconfig_t *lcfg);
+/*%
+ * Like named_log_setdefaultchannels(), but omits any logging to files.
+ */
+
+isc_result_t
+named_log_setdefaultcategory(isc_logconfig_t *lcfg);
+/*%
+ * Set up "category default" to go to the right places.
+ */
+
+isc_result_t
+named_log_setunmatchedcategory(isc_logconfig_t *lcfg);
+/*%
+ * Set up "category unmatched" to go to the right places.
+ */
+
+void
+named_log_shutdown(void);
+
+#endif /* NAMED_LOG_H */
diff --git a/bin/named/include/named/logconf.h b/bin/named/include/named/logconf.h
new file mode 100644
index 0000000..0fc1d3c
--- /dev/null
+++ b/bin/named/include/named/logconf.h
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef NAMED_LOGCONF_H
+#define NAMED_LOGCONF_H 1
+
+/*! \file */
+
+#include <isc/log.h>
+
+isc_result_t
+named_logconfig(isc_logconfig_t *logconf, const cfg_obj_t *logstmt);
+/*%<
+ * Set up the logging configuration in '*logconf' according to
+ * the named.conf data in 'logstmt'.
+ */
+
+#endif /* NAMED_LOGCONF_H */
diff --git a/bin/named/include/named/main.h b/bin/named/include/named/main.h
new file mode 100644
index 0000000..ee790b9
--- /dev/null
+++ b/bin/named/include/named/main.h
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef NAMED_MAIN_H
+#define NAMED_MAIN_H 1
+
+/*! \file */
+
+#ifdef ISC_MAIN_HOOK
+#define main(argc, argv) bindmain(argc, argv)
+#endif /* ifdef ISC_MAIN_HOOK */
+
+/*
+ * Commandline arguments for named; also referenced in win32/ntservice.c
+ */
+#define NAMED_MAIN_ARGS "46A:c:Cd:D:E:fFgL:M:m:n:N:p:sS:t:T:U:u:vVx:X:"
+
+ISC_PLATFORM_NORETURN_PRE void
+named_main_earlyfatal(const char *format, ...)
+	ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
+
+void
+named_main_earlywarning(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
+
+void
+named_main_setmemstats(const char *);
+
+#endif /* NAMED_MAIN_H */
diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
new file mode 100644
index 0000000..80f839d
--- /dev/null
+++ b/bin/named/include/named/server.h
@@ -0,0 +1,397 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef NAMED_SERVER_H
+#define NAMED_SERVER_H 1
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/log.h>
+#include <isc/magic.h>
+#include <isc/quota.h>
+#include <isc/sockaddr.h>
+#include <isc/types.h>
+
+#include <dns/acl.h>
+#include <dns/dnstap.h>
+#include <dns/stats.h>
+#include <dns/types.h>
+
+#include <ns/interfacemgr.h>
+#include <ns/server.h>
+#include <ns/stats.h>
+#include <ns/types.h>
+
+#include <named/types.h>
+
+#define NAMED_EVENTCLASS    ISC_EVENTCLASS(0x4E43)
+#define NAMED_EVENT_RELOAD  (NAMED_EVENTCLASS + 0)
+#define NAMED_EVENT_DELZONE (NAMED_EVENTCLASS + 1)
+#define NAMED_EVENT_COMMAND (NAMED_EVENTCLASS + 2)
+#define NAMED_EVENT_TATSEND (NAMED_EVENTCLASS + 3)
+
+/*%
+ * Name server state.  Better here than in lots of separate global variables.
+ */
+struct named_server {
+	unsigned int magic;
+	isc_mem_t   *mctx;
+
+	ns_server_t *sctx;
+
+	isc_task_t *task;
+
+	char *statsfile;    /*%< Statistics file name */
+	char *dumpfile;	    /*%< Dump file name */
+	char *secrootsfile; /*%< Secroots file name */
+	char *bindkeysfile; /*%< bind.keys file name
+			     * */
+	char *recfile;	    /*%< Recursive file name */
+	bool  version_set;  /*%< User has set version
+			     * */
+	char *version;	    /*%< User-specified version */
+	bool  hostname_set; /*%< User has set hostname
+			     * */
+	char *hostname;	    /*%< User-specified hostname
+			     * */
+
+	/* Server data structures. */
+	dns_loadmgr_t	  *loadmgr;
+	dns_zonemgr_t	  *zonemgr;
+	dns_viewlist_t	   viewlist;
+	dns_kasplist_t	   kasplist;
+	ns_interfacemgr_t *interfacemgr;
+	dns_db_t	  *in_roothints;
+
+	isc_timer_t *interface_timer;
+	isc_timer_t *heartbeat_timer;
+	isc_timer_t *pps_timer;
+	isc_timer_t *tat_timer;
+
+	uint32_t interface_interval;
+	uint32_t heartbeat_interval;
+
+	isc_mutex_t  reload_event_lock;
+	isc_event_t *reload_event;
+	atomic_int   reload_status;
+
+	bool flushonshutdown;
+
+	named_cachelist_t cachelist; /*%< Possibly shared caches
+				      * */
+	isc_stats_t *zonestats;	     /*% Zone management stats */
+	isc_stats_t *resolverstats;  /*% Resolver stats */
+	isc_stats_t *sockstats;	     /*%< Socket stats */
+
+	named_controls_t    *controls; /*%< Control channels */
+	unsigned int	     dispatchgen;
+	named_dispatchlist_t dispatches;
+
+	named_statschannellist_t statschannels;
+
+	dns_tsigkey_t *sessionkey;
+	char	      *session_keyfile;
+	dns_name_t    *session_keyname;
+	unsigned int   session_keyalg;
+	uint16_t       session_keybits;
+	bool	       interface_auto;
+	unsigned char  secret[32]; /*%< Server Cookie Secret */
+	ns_cookiealg_t cookiealg;
+
+	dns_dtenv_t *dtenv; /*%< Dnstap environment */
+
+	char *lockfile;
+};
+
+#define NAMED_SERVER_MAGIC    ISC_MAGIC('S', 'V', 'E', 'R')
+#define NAMED_SERVER_VALID(s) ISC_MAGIC_VALID(s, NAMED_SERVER_MAGIC)
+
+void
+named_server_create(isc_mem_t *mctx, named_server_t **serverp);
+/*%<
+ * Create a server object with default settings.
+ * This function either succeeds or causes the program to exit
+ * with a fatal error.
+ */
+
+void
+named_server_destroy(named_server_t **serverp);
+/*%<
+ * Destroy a server object, freeing its memory.
+ */
+
+void
+named_server_reloadwanted(named_server_t *server);
+/*%<
+ * Inform a server that a reload is wanted.  This function
+ * may be called asynchronously, from outside the server's task.
+ * If a reload is already scheduled or in progress, the call
+ * is ignored.
+ */
+
+void
+named_server_scan_interfaces(named_server_t *server);
+/*%<
+ * Trigger a interface scan.
+ * Must only be called when running under server->task.
+ */
+
+void
+named_server_flushonshutdown(named_server_t *server, bool flush);
+/*%<
+ * Inform the server that the zones should be flushed to disk on shutdown.
+ */
+
+isc_result_t
+named_server_reloadcommand(named_server_t *server, isc_lex_t *lex,
+			   isc_buffer_t **text);
+/*%<
+ * Act on a "reload" command from the command channel.
+ */
+
+isc_result_t
+named_server_reconfigcommand(named_server_t *server);
+/*%<
+ * Act on a "reconfig" command from the command channel.
+ */
+
+isc_result_t
+named_server_notifycommand(named_server_t *server, isc_lex_t *lex,
+			   isc_buffer_t **text);
+/*%<
+ * Act on a "notify" command from the command channel.
+ */
+
+isc_result_t
+named_server_refreshcommand(named_server_t *server, isc_lex_t *lex,
+			    isc_buffer_t **text);
+/*%<
+ * Act on a "refresh" command from the command channel.
+ */
+
+isc_result_t
+named_server_retransfercommand(named_server_t *server, isc_lex_t *lex,
+			       isc_buffer_t **text);
+/*%<
+ * Act on a "retransfer" command from the command channel.
+ */
+
+isc_result_t
+named_server_togglequerylog(named_server_t *server, isc_lex_t *lex);
+/*%<
+ * Enable/disable logging of queries.  (Takes "yes" or "no" argument,
+ * but can also be used as a toggle for backward comptibility.)
+ */
+
+/*%
+ * Save the current NTAs for all views to files.
+ */
+isc_result_t
+named_server_saventa(named_server_t *server);
+
+/*%
+ * Load NTAs for all views from files.
+ */
+isc_result_t
+named_server_loadnta(named_server_t *server);
+
+/*%
+ * Dump the current statistics to the statistics file.
+ */
+isc_result_t
+named_server_dumpstats(named_server_t *server);
+
+/*%
+ * Dump the current cache to the dump file.
+ */
+isc_result_t
+named_server_dumpdb(named_server_t *server, isc_lex_t *lex,
+		    isc_buffer_t **text);
+
+/*%
+ * Dump the current security roots to the secroots file.
+ */
+isc_result_t
+named_server_dumpsecroots(named_server_t *server, isc_lex_t *lex,
+			  isc_buffer_t **text);
+
+/*%
+ * Change or increment the server debug level.
+ */
+isc_result_t
+named_server_setdebuglevel(named_server_t *server, isc_lex_t *lex);
+
+/*%
+ * Flush the server's cache(s)
+ */
+isc_result_t
+named_server_flushcache(named_server_t *server, isc_lex_t *lex);
+
+/*%
+ * Flush a particular name from the server's cache.  If 'tree' is false,
+ * also flush the name from the ADB and badcache.  If 'tree' is true, also
+ * flush all the names under the specified name.
+ */
+isc_result_t
+named_server_flushnode(named_server_t *server, isc_lex_t *lex, bool tree);
+
+/*%
+ * Report the server's status.
+ */
+isc_result_t
+named_server_status(named_server_t *server, isc_buffer_t **text);
+
+/*%
+ * Report a list of dynamic and static tsig keys, per view.
+ */
+isc_result_t
+named_server_tsiglist(named_server_t *server, isc_buffer_t **text);
+
+/*%
+ * Delete a specific key (with optional view).
+ */
+isc_result_t
+named_server_tsigdelete(named_server_t *server, isc_lex_t *lex,
+			isc_buffer_t **text);
+
+/*%
+ * Enable or disable updates for a zone.
+ */
+isc_result_t
+named_server_freeze(named_server_t *server, bool freeze, isc_lex_t *lex,
+		    isc_buffer_t **text);
+
+/*%
+ * Dump zone updates to disk, optionally removing the journal file
+ */
+isc_result_t
+named_server_sync(named_server_t *server, isc_lex_t *lex, isc_buffer_t **text);
+
+/*%
+ * Update a zone's DNSKEY set from the key repository.  If
+ * the command that triggered the call to this function was "sign",
+ * then force a full signing of the zone.  If it was "loadkeys",
+ * then don't sign the zone; any needed changes to signatures can
+ * take place incrementally.
+ */
+isc_result_t
+named_server_rekey(named_server_t *server, isc_lex_t *lex, isc_buffer_t **text);
+
+/*%
+ * Dump the current recursive queries.
+ */
+isc_result_t
+named_server_dumprecursing(named_server_t *server);
+
+/*%
+ * Maintain a list of dispatches that require reserved ports.
+ */
+void
+named_add_reserved_dispatch(named_server_t *server, const isc_sockaddr_t *addr);
+
+/*%
+ * Enable or disable dnssec validation.
+ */
+isc_result_t
+named_server_validation(named_server_t *server, isc_lex_t *lex,
+			isc_buffer_t **text);
+
+/*%
+ * Add a zone to a running process, or modify an existing zone
+ */
+isc_result_t
+named_server_changezone(named_server_t *server, char *command,
+			isc_buffer_t **text);
+
+/*%
+ * Deletes a zone from a running process
+ */
+isc_result_t
+named_server_delzone(named_server_t *server, isc_lex_t *lex,
+		     isc_buffer_t **text);
+
+/*%
+ * Show current configuration for a given zone
+ */
+isc_result_t
+named_server_showzone(named_server_t *server, isc_lex_t *lex,
+		      isc_buffer_t **text);
+
+/*%
+ * Lists the status of the signing records for a given zone.
+ */
+isc_result_t
+named_server_signing(named_server_t *server, isc_lex_t *lex,
+		     isc_buffer_t **text);
+
+/*%
+ * Lists the DNSSEC status for a given zone.
+ */
+isc_result_t
+named_server_dnssec(named_server_t *server, isc_lex_t *lex,
+		    isc_buffer_t **text);
+
+/*%
+ * Lists status information for a given zone (e.g., name, type, files,
+ * load time, expiry, etc).
+ */
+isc_result_t
+named_server_zonestatus(named_server_t *server, isc_lex_t *lex,
+			isc_buffer_t **text);
+
+/*%
+ * Adds/updates a Negative Trust Anchor (NTA) for a specified name and
+ * duration, in a particular view if specified, or in all views.
+ */
+isc_result_t
+named_server_nta(named_server_t *server, isc_lex_t *lex, bool readonly,
+		 isc_buffer_t **text);
+
+/*%
+ * Generates a test sequence that is only for use in system tests. The
+ * argument is the size of required output in bytes.
+ */
+isc_result_t
+named_server_testgen(isc_lex_t *lex, isc_buffer_t **text);
+
+/*%
+ * Force fefresh or print status for managed keys zones.
+ */
+isc_result_t
+named_server_mkeys(named_server_t *server, isc_lex_t *lex, isc_buffer_t **text);
+
+/*%
+ * Close and reopen DNSTAP output file.
+ */
+isc_result_t
+named_server_dnstap(named_server_t *server, isc_lex_t *lex,
+		    isc_buffer_t **text);
+
+/*%
+ * Display or update tcp-{initial,idle,keepalive,advertised}-timeout options.
+ */
+isc_result_t
+named_server_tcptimeouts(isc_lex_t *lex, isc_buffer_t **text);
+
+/*%
+ * Control whether stale answers are served or not when configured in
+ * named.conf.
+ */
+isc_result_t
+named_server_servestale(named_server_t *server, isc_lex_t *lex,
+			isc_buffer_t **text);
+
+#endif /* NAMED_SERVER_H */
diff --git a/bin/named/include/named/smf_globals.h b/bin/named/include/named/smf_globals.h
new file mode 100644
index 0000000..d777c24
--- /dev/null
+++ b/bin/named/include/named/smf_globals.h
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef NAMED_SMF_GLOBALS_H
+#define NAMED_SMF_GLOBALS_H 1
+
+#include <libscf.h>
+
+#undef EXTERN
+#undef INIT
+#ifdef NAMED_MAIN
+#define EXTERN
+#define INIT(v) = (v)
+#else /* ifdef NAMED_MAIN */
+#define EXTERN extern
+#define INIT(v)
+#endif /* ifdef NAMED_MAIN */
+
+EXTERN unsigned int named_smf_got_instance INIT(0);
+EXTERN unsigned int named_smf_chroot	   INIT(0);
+EXTERN unsigned int named_smf_want_disable INIT(0);
+
+isc_result_t
+named_smf_add_message(isc_buffer_t **text);
+isc_result_t
+named_smf_get_instance(char **name, int debug, isc_mem_t *mctx);
+
+#undef EXTERN
+#undef INIT
+
+#endif /* NAMED_SMF_GLOBALS_H */
diff --git a/bin/named/include/named/statschannel.h b/bin/named/include/named/statschannel.h
new file mode 100644
index 0000000..db6fb9d
--- /dev/null
+++ b/bin/named/include/named/statschannel.h
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef NAMED_STATSCHANNEL_H
+#define NAMED_STATSCHANNEL_H 1
+
+/*! \file
+ * \brief
+ * The statistics channels built-in the name server.
+ */
+
+#include <isccfg/aclconf.h>
+
+#include <isccc/types.h>
+#include <named/types.h>
+
+#define NAMED_STATSCHANNEL_HTTPPORT 80
+
+isc_result_t
+named_statschannels_configure(named_server_t *server, const cfg_obj_t *config,
+			      cfg_aclconfctx_t *aclconfctx);
+/*%<
+ * [Re]configure the statistics channels.
+ *
+ * If it is no longer there but was previously configured, destroy
+ * it here.
+ *
+ * If the IP address or port has changed, destroy the old server
+ * and create a new one.
+ */
+
+void
+named_statschannels_shutdown(named_server_t *server);
+/*%<
+ * Initiate shutdown of all the statistics channel listeners.
+ */
+
+isc_result_t
+named_stats_dump(named_server_t *server, FILE *fp);
+/*%<
+ * Dump statistics counters managed by the server to the file fp.
+ */
+
+#endif /* NAMED_STATSCHANNEL_H */
diff --git a/bin/named/include/named/tkeyconf.h b/bin/named/include/named/tkeyconf.h
new file mode 100644
index 0000000..8f42633
--- /dev/null
+++ b/bin/named/include/named/tkeyconf.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef NAMED_TKEYCONF_H
+#define NAMED_TKEYCONF_H 1
+
+/*! \file */
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+#include <isccfg/cfg.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+named_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx,
+			 dns_tkeyctx_t **tctxp);
+/*%<
+ * 	Create a TKEY context and configure it, including the default DH key
+ *	and default domain, according to 'options'.
+ *
+ *	Requires:
+ *\li		'cfg' is a valid configuration options object.
+ *\li		'mctx' is not NULL
+ *\li		'tctx' is not NULL
+ *\li		'*tctx' is NULL
+ *
+ *	Returns:
+ *\li		ISC_R_SUCCESS
+ *\li		ISC_R_NOMEMORY
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* NAMED_TKEYCONF_H */
diff --git a/bin/named/include/named/tsigconf.h b/bin/named/include/named/tsigconf.h
new file mode 100644
index 0000000..f9f21d9
--- /dev/null
+++ b/bin/named/include/named/tsigconf.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef NAMED_TSIGCONF_H
+#define NAMED_TSIGCONF_H 1
+
+/*! \file */
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+named_tsigkeyring_fromconfig(const cfg_obj_t *config, const cfg_obj_t *vconfig,
+			     isc_mem_t *mctx, dns_tsig_keyring_t **ringp);
+/*%<
+ * Create a TSIG key ring and configure it according to the 'key'
+ * statements in the global and view configuration objects.
+ *
+ *	Requires:
+ *	\li	'config' is not NULL.
+ *	\li	'vconfig' is not NULL.
+ *	\li	'mctx' is not NULL
+ *	\li	'ringp' is not NULL, and '*ringp' is NULL
+ *
+ *	Returns:
+ *	\li	ISC_R_SUCCESS
+ *	\li	ISC_R_NOMEMORY
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* NAMED_TSIGCONF_H */
diff --git a/bin/named/include/named/types.h b/bin/named/include/named/types.h
new file mode 100644
index 0000000..addb76a
--- /dev/null
+++ b/bin/named/include/named/types.h
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef NAMED_TYPES_H
+#define NAMED_TYPES_H 1
+
+/*! \file */
+
+#include <dns/types.h>
+
+typedef struct named_cache named_cache_t;
+typedef ISC_LIST(named_cache_t) named_cachelist_t;
+typedef struct named_server   named_server_t;
+typedef struct named_xmld     named_xmld_t;
+typedef struct named_xmldmgr  named_xmldmgr_t;
+typedef struct named_controls named_controls_t;
+typedef struct named_dispatch named_dispatch_t;
+typedef ISC_LIST(named_dispatch_t) named_dispatchlist_t;
+typedef struct named_statschannel named_statschannel_t;
+typedef ISC_LIST(named_statschannel_t) named_statschannellist_t;
+
+/*%
+ * Used for server->reload_status as printed by `rndc status`
+ */
+typedef enum {
+	NAMED_RELOAD_DONE,
+	NAMED_RELOAD_IN_PROGRESS,
+	NAMED_RELOAD_FAILED,
+} named_reload_t;
+
+#endif /* NAMED_TYPES_H */
diff --git a/bin/named/include/named/zoneconf.h b/bin/named/include/named/zoneconf.h
new file mode 100644
index 0000000..6f37f61
--- /dev/null
+++ b/bin/named/include/named/zoneconf.h
@@ -0,0 +1,79 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef NAMED_ZONECONF_H
+#define NAMED_ZONECONF_H 1
+
+/*! \file */
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+#include <isccfg/aclconf.h>
+#include <isccfg/cfg.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
+		     const cfg_obj_t *zconfig, cfg_aclconfctx_t *ac,
+		     dns_kasplist_t *kasplist, dns_zone_t *zone,
+		     dns_zone_t *raw);
+/*%<
+ * Configure or reconfigure a zone according to the named.conf
+ * data.
+ *
+ * The zone origin is not configured, it is assumed to have been set
+ * at zone creation time.
+ *
+ * Require:
+ * \li	'ac' to point to an initialized cfg_aclconfctx_t.
+ * \li	'kasplist' to be initialized.
+ * \li	'zone' to be initialized.
+ */
+
+bool
+named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig);
+/*%<
+ * If 'zone' can be safely reconfigured according to the configuration
+ * data in 'zconfig', return true.  If the configuration data is so
+ * different from the current zone state that the zone needs to be destroyed
+ * and recreated, return false.
+ */
+
+bool
+named_zone_inlinesigning(const cfg_obj_t *zconfig);
+/*%<
+ * Determine if zone uses inline-signing. This is true if inline-signing
+ * is set to yes.
+ */
+
+isc_result_t
+named_zone_configure_writeable_dlz(dns_dlzdb_t *dlzdatabase, dns_zone_t *zone,
+				   dns_rdataclass_t rdclass, dns_name_t *name);
+/*%>
+ * configure a DLZ zone, setting up the database methods and calling
+ * postload to load the origin values
+ *
+ * Require:
+ * \li	'dlzdatabase' to be a valid dlz database
+ * \li	'zone' to be initialized.
+ * \li	'rdclass' to be a valid rdataclass
+ * \li	'name' to be a valid zone origin name
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* NAMED_ZONECONF_H */
diff --git a/bin/named/log.c b/bin/named/log.c
new file mode 100644
index 0000000..b59002d
--- /dev/null
+++ b/bin/named/log.c
@@ -0,0 +1,212 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <isc/result.h>
+
+#include <dns/log.h>
+
+#include <isccfg/log.h>
+
+#include <ns/log.h>
+
+#include <named/log.h>
+
+#ifndef ISC_FACILITY
+#define ISC_FACILITY LOG_DAEMON
+#endif /* ifndef ISC_FACILITY */
+
+/*%
+ * When adding a new category, be sure to add the appropriate
+ * \#define to <named/log.h> and to update the list in
+ * bin/check/check-tool.c.
+ */
+static isc_logcategory_t categories[] = { { "", 0 },
+					  { "unmatched", 0 },
+					  { NULL, 0 } };
+
+/*%
+ * When adding a new module, be sure to add the appropriate
+ * \#define to <dns/log.h>.
+ */
+static isc_logmodule_t modules[] = {
+	{ "main", 0 }, { "server", 0 }, { "control", 0 }, { NULL, 0 }
+};
+
+isc_result_t
+named_log_init(bool safe) {
+	isc_result_t result;
+	isc_logconfig_t *lcfg = NULL;
+
+	named_g_categories = categories;
+	named_g_modules = modules;
+
+	/*
+	 * Setup a logging context.
+	 */
+	isc_log_create(named_g_mctx, &named_g_lctx, &lcfg);
+
+	/*
+	 * named-checktool.c:setup_logging() needs to be kept in sync.
+	 */
+	isc_log_registercategories(named_g_lctx, named_g_categories);
+	isc_log_registermodules(named_g_lctx, named_g_modules);
+	isc_log_setcontext(named_g_lctx);
+	dns_log_init(named_g_lctx);
+	dns_log_setcontext(named_g_lctx);
+	cfg_log_init(named_g_lctx);
+	ns_log_init(named_g_lctx);
+	ns_log_setcontext(named_g_lctx);
+
+	if (safe) {
+		named_log_setsafechannels(lcfg);
+	} else {
+		named_log_setdefaultchannels(lcfg);
+	}
+
+	result = named_log_setdefaultcategory(lcfg);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	isc_log_destroy(&named_g_lctx);
+	isc_log_setcontext(NULL);
+	dns_log_setcontext(NULL);
+
+	return (result);
+}
+
+void
+named_log_setdefaultchannels(isc_logconfig_t *lcfg) {
+	isc_logdestination_t destination;
+
+	/*
+	 * By default, the logging library makes "default_debug" log to
+	 * stderr.  In BIND, we want to override this and log to named.run
+	 * instead, unless the -g option was given.
+	 */
+	if (!named_g_logstderr) {
+		destination.file.stream = NULL;
+		destination.file.name = "named.run";
+		destination.file.versions = ISC_LOG_ROLLNEVER;
+		destination.file.maximum_size = 0;
+		isc_log_createchannel(lcfg, "default_debug", ISC_LOG_TOFILE,
+				      ISC_LOG_DYNAMIC, &destination,
+				      ISC_LOG_PRINTTIME | ISC_LOG_DEBUGONLY);
+	}
+
+	if (named_g_logfile != NULL) {
+		destination.file.stream = NULL;
+		destination.file.name = named_g_logfile;
+		destination.file.versions = ISC_LOG_ROLLNEVER;
+		destination.file.maximum_size = 0;
+		isc_log_createchannel(lcfg, "default_logfile", ISC_LOG_TOFILE,
+				      ISC_LOG_DYNAMIC, &destination,
+				      ISC_LOG_PRINTTIME |
+					      ISC_LOG_PRINTCATEGORY |
+					      ISC_LOG_PRINTLEVEL);
+	}
+
+#if ISC_FACILITY != LOG_DAEMON
+	destination.facility = ISC_FACILITY;
+	isc_log_createchannel(lcfg, "default_syslog", ISC_LOG_TOSYSLOG,
+			      ISC_LOG_INFO, &destination, 0);
+#endif /* if ISC_FACILITY != LOG_DAEMON */
+
+	/*
+	 * Set the initial debug level.
+	 */
+	isc_log_setdebuglevel(named_g_lctx, named_g_debuglevel);
+}
+
+void
+named_log_setsafechannels(isc_logconfig_t *lcfg) {
+	isc_logdestination_t destination;
+
+	if (!named_g_logstderr) {
+		isc_log_createchannel(lcfg, "default_debug", ISC_LOG_TONULL,
+				      ISC_LOG_DYNAMIC, NULL, 0);
+
+		/*
+		 * Setting the debug level to zero should get the output
+		 * discarded a bit faster.
+		 */
+		isc_log_setdebuglevel(named_g_lctx, 0);
+	} else {
+		isc_log_setdebuglevel(named_g_lctx, named_g_debuglevel);
+	}
+
+	if (named_g_logfile != NULL) {
+		destination.file.stream = NULL;
+		destination.file.name = named_g_logfile;
+		destination.file.versions = ISC_LOG_ROLLNEVER;
+		destination.file.maximum_size = 0;
+		isc_log_createchannel(lcfg, "default_logfile", ISC_LOG_TOFILE,
+				      ISC_LOG_DYNAMIC, &destination,
+				      ISC_LOG_PRINTTIME |
+					      ISC_LOG_PRINTCATEGORY |
+					      ISC_LOG_PRINTLEVEL);
+	}
+
+#if ISC_FACILITY != LOG_DAEMON
+	destination.facility = ISC_FACILITY;
+	isc_log_createchannel(lcfg, "default_syslog", ISC_LOG_TOSYSLOG,
+			      ISC_LOG_INFO, &destination, 0);
+#endif /* if ISC_FACILITY != LOG_DAEMON */
+}
+
+isc_result_t
+named_log_setdefaultcategory(isc_logconfig_t *lcfg) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	result = isc_log_usechannel(lcfg, "default_debug",
+				    ISC_LOGCATEGORY_DEFAULT, NULL);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	if (!named_g_logstderr) {
+		if (named_g_logfile != NULL) {
+			result = isc_log_usechannel(lcfg, "default_logfile",
+						    ISC_LOGCATEGORY_DEFAULT,
+						    NULL);
+		} else if (!named_g_nosyslog) {
+			result = isc_log_usechannel(lcfg, "default_syslog",
+						    ISC_LOGCATEGORY_DEFAULT,
+						    NULL);
+		}
+	}
+
+cleanup:
+	return (result);
+}
+
+isc_result_t
+named_log_setunmatchedcategory(isc_logconfig_t *lcfg) {
+	isc_result_t result;
+
+	result = isc_log_usechannel(lcfg, "null", NAMED_LOGCATEGORY_UNMATCHED,
+				    NULL);
+	return (result);
+}
+
+void
+named_log_shutdown(void) {
+	isc_log_destroy(&named_g_lctx);
+	isc_log_setcontext(NULL);
+	dns_log_setcontext(NULL);
+}
diff --git a/bin/named/logconf.c b/bin/named/logconf.c
new file mode 100644
index 0000000..36a19ba
--- /dev/null
+++ b/bin/named/logconf.c
@@ -0,0 +1,373 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/file.h>
+#include <isc/offset.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+#include <isc/syslog.h>
+#include <isc/util.h>
+
+#include <isccfg/cfg.h>
+#include <isccfg/log.h>
+
+#include <named/log.h>
+#include <named/logconf.h>
+
+#define CHECK(op)                            \
+	do {                                 \
+		result = (op);               \
+		if (result != ISC_R_SUCCESS) \
+			goto cleanup;        \
+	} while (0)
+
+/*%
+ * Set up a logging category according to the named.conf data
+ * in 'ccat' and add it to 'logconfig'.
+ */
+static isc_result_t
+category_fromconf(const cfg_obj_t *ccat, isc_logconfig_t *logconfig) {
+	isc_result_t result;
+	const char *catname;
+	isc_logcategory_t *category;
+	isc_logmodule_t *module;
+	const cfg_obj_t *destinations = NULL;
+	const cfg_listelt_t *element = NULL;
+
+	catname = cfg_obj_asstring(cfg_tuple_get(ccat, "name"));
+	category = isc_log_categorybyname(named_g_lctx, catname);
+	if (category == NULL) {
+		cfg_obj_log(ccat, named_g_lctx, ISC_LOG_ERROR,
+			    "unknown logging category '%s' ignored", catname);
+		/*
+		 * Allow further processing by returning success.
+		 */
+		return (ISC_R_SUCCESS);
+	}
+
+	if (logconfig == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+
+	module = NULL;
+
+	destinations = cfg_tuple_get(ccat, "destinations");
+	for (element = cfg_list_first(destinations); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		const cfg_obj_t *channel = cfg_listelt_value(element);
+		const char *channelname = cfg_obj_asstring(channel);
+
+		result = isc_log_usechannel(logconfig, channelname, category,
+					    module);
+		if (result != ISC_R_SUCCESS) {
+			isc_log_write(named_g_lctx, CFG_LOGCATEGORY_CONFIG,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "logging channel '%s': %s", channelname,
+				      isc_result_totext(result));
+			return (result);
+		}
+	}
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Set up a logging channel according to the named.conf data
+ * in 'cchan' and add it to 'logconfig'.
+ */
+static isc_result_t
+channel_fromconf(const cfg_obj_t *channel, isc_logconfig_t *logconfig) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_logdestination_t dest;
+	unsigned int type;
+	unsigned int flags = 0;
+	int level;
+	const char *channelname;
+	const cfg_obj_t *fileobj = NULL;
+	const cfg_obj_t *syslogobj = NULL;
+	const cfg_obj_t *nullobj = NULL;
+	const cfg_obj_t *stderrobj = NULL;
+	const cfg_obj_t *severity = NULL;
+	int i;
+
+	channelname = cfg_obj_asstring(cfg_map_getname(channel));
+
+	(void)cfg_map_get(channel, "file", &fileobj);
+	(void)cfg_map_get(channel, "syslog", &syslogobj);
+	(void)cfg_map_get(channel, "null", &nullobj);
+	(void)cfg_map_get(channel, "stderr", &stderrobj);
+
+	i = 0;
+	if (fileobj != NULL) {
+		i++;
+	}
+	if (syslogobj != NULL) {
+		i++;
+	}
+	if (nullobj != NULL) {
+		i++;
+	}
+	if (stderrobj != NULL) {
+		i++;
+	}
+
+	if (i != 1) {
+		cfg_obj_log(channel, named_g_lctx, ISC_LOG_ERROR,
+			    "channel '%s': exactly one of file, syslog, "
+			    "null, and stderr must be present",
+			    channelname);
+		return (ISC_R_FAILURE);
+	}
+
+	type = ISC_LOG_TONULL;
+
+	if (fileobj != NULL) {
+		const cfg_obj_t *pathobj = cfg_tuple_get(fileobj, "file");
+		const cfg_obj_t *sizeobj = cfg_tuple_get(fileobj, "size");
+		const cfg_obj_t *versionsobj = cfg_tuple_get(fileobj,
+							     "versions");
+		const cfg_obj_t *suffixobj = cfg_tuple_get(fileobj, "suffix");
+		int32_t versions = ISC_LOG_ROLLNEVER;
+		isc_log_rollsuffix_t suffix = isc_log_rollsuffix_increment;
+		isc_offset_t size = 0;
+		uint64_t maxoffset;
+
+		/*
+		 * isc_offset_t is a signed integer type, so the maximum
+		 * value is all 1s except for the MSB.
+		 */
+		switch (sizeof(isc_offset_t)) {
+		case 4:
+			maxoffset = 0x7fffffffULL;
+			break;
+		case 8:
+			maxoffset = 0x7fffffffffffffffULL;
+			break;
+		default:
+			UNREACHABLE();
+		}
+
+		type = ISC_LOG_TOFILE;
+
+		if (versionsobj != NULL && cfg_obj_isuint32(versionsobj)) {
+			versions = cfg_obj_asuint32(versionsobj);
+		} else if (versionsobj != NULL &&
+			   cfg_obj_isstring(versionsobj) &&
+			   strcasecmp(cfg_obj_asstring(versionsobj),
+				      "unlimited") == 0)
+		{
+			versions = ISC_LOG_ROLLINFINITE;
+		}
+		if (sizeobj != NULL && cfg_obj_isuint64(sizeobj) &&
+		    cfg_obj_asuint64(sizeobj) < maxoffset)
+		{
+			size = (isc_offset_t)cfg_obj_asuint64(sizeobj);
+		}
+		if (suffixobj != NULL && cfg_obj_isstring(suffixobj) &&
+		    strcasecmp(cfg_obj_asstring(suffixobj), "timestamp") == 0)
+		{
+			suffix = isc_log_rollsuffix_timestamp;
+		}
+
+		dest.file.stream = NULL;
+		dest.file.name = cfg_obj_asstring(pathobj);
+		dest.file.versions = versions;
+		dest.file.suffix = suffix;
+		dest.file.maximum_size = size;
+	} else if (syslogobj != NULL) {
+		int facility = LOG_DAEMON;
+
+		type = ISC_LOG_TOSYSLOG;
+
+		if (cfg_obj_isstring(syslogobj)) {
+			const char *facilitystr = cfg_obj_asstring(syslogobj);
+			(void)isc_syslog_facilityfromstring(facilitystr,
+							    &facility);
+		}
+		dest.facility = facility;
+	} else if (stderrobj != NULL) {
+		type = ISC_LOG_TOFILEDESC;
+		dest.file.stream = stderr;
+		dest.file.name = NULL;
+		dest.file.versions = ISC_LOG_ROLLNEVER;
+		dest.file.suffix = isc_log_rollsuffix_increment;
+		dest.file.maximum_size = 0;
+	}
+
+	/*
+	 * Munge flags.
+	 */
+	{
+		const cfg_obj_t *printcat = NULL;
+		const cfg_obj_t *printsev = NULL;
+		const cfg_obj_t *printtime = NULL;
+		const cfg_obj_t *buffered = NULL;
+
+		(void)cfg_map_get(channel, "print-category", &printcat);
+		(void)cfg_map_get(channel, "print-severity", &printsev);
+		(void)cfg_map_get(channel, "print-time", &printtime);
+		(void)cfg_map_get(channel, "buffered", &buffered);
+
+		if (printcat != NULL && cfg_obj_asboolean(printcat)) {
+			flags |= ISC_LOG_PRINTCATEGORY;
+		}
+		if (printsev != NULL && cfg_obj_asboolean(printsev)) {
+			flags |= ISC_LOG_PRINTLEVEL;
+		}
+		if (buffered != NULL && cfg_obj_asboolean(buffered)) {
+			flags |= ISC_LOG_BUFFERED;
+		}
+		if (printtime != NULL && cfg_obj_isboolean(printtime)) {
+			if (cfg_obj_asboolean(printtime)) {
+				flags |= ISC_LOG_PRINTTIME;
+			}
+		} else if (printtime != NULL) { /* local/iso8601/iso8601-utc */
+			const char *s = cfg_obj_asstring(printtime);
+			flags |= ISC_LOG_PRINTTIME;
+			if (strcasecmp(s, "iso8601") == 0) {
+				flags |= ISC_LOG_ISO8601;
+			} else if (strcasecmp(s, "iso8601-utc") == 0) {
+				flags |= ISC_LOG_ISO8601 | ISC_LOG_UTC;
+			}
+		}
+	}
+
+	level = ISC_LOG_INFO;
+	if (cfg_map_get(channel, "severity", &severity) == ISC_R_SUCCESS) {
+		if (cfg_obj_isstring(severity)) {
+			const char *str = cfg_obj_asstring(severity);
+			if (strcasecmp(str, "critical") == 0) {
+				level = ISC_LOG_CRITICAL;
+			} else if (strcasecmp(str, "error") == 0) {
+				level = ISC_LOG_ERROR;
+			} else if (strcasecmp(str, "warning") == 0) {
+				level = ISC_LOG_WARNING;
+			} else if (strcasecmp(str, "notice") == 0) {
+				level = ISC_LOG_NOTICE;
+			} else if (strcasecmp(str, "info") == 0) {
+				level = ISC_LOG_INFO;
+			} else if (strcasecmp(str, "dynamic") == 0) {
+				level = ISC_LOG_DYNAMIC;
+			}
+		} else {
+			/* debug */
+			level = cfg_obj_asuint32(severity);
+		}
+	}
+
+	if (logconfig != NULL) {
+		isc_log_createchannel(logconfig, channelname, type, level,
+				      &dest, flags);
+	}
+
+	if (type == ISC_LOG_TOFILE) {
+		FILE *fp;
+
+		/*
+		 * Test to make sure that file is a plain file.
+		 * Fix defect #22771
+		 */
+		result = isc_file_isplainfile(dest.file.name);
+		if (result == ISC_R_SUCCESS || result == ISC_R_FILENOTFOUND) {
+			/*
+			 * Test that the file can be opened, since
+			 * isc_log_open() can't effectively report
+			 * failures when called in isc_log_doit().
+			 */
+			result = isc_stdio_open(dest.file.name, "a", &fp);
+			if (result != ISC_R_SUCCESS) {
+				if (logconfig != NULL && !named_g_nosyslog) {
+					syslog(LOG_ERR,
+					       "isc_stdio_open '%s' failed: "
+					       "%s",
+					       dest.file.name,
+					       isc_result_totext(result));
+				}
+			} else {
+				(void)isc_stdio_close(fp);
+			}
+			goto done;
+		}
+		if (logconfig != NULL && !named_g_nosyslog) {
+			syslog(LOG_ERR, "isc_file_isplainfile '%s' failed: %s",
+			       dest.file.name, isc_result_totext(result));
+		}
+	}
+
+done:
+	return (result);
+}
+
+isc_result_t
+named_logconfig(isc_logconfig_t *logconfig, const cfg_obj_t *logstmt) {
+	isc_result_t result;
+	const cfg_obj_t *channels = NULL;
+	const cfg_obj_t *categories = NULL;
+	const cfg_listelt_t *element;
+	bool default_set = false;
+	bool unmatched_set = false;
+	const cfg_obj_t *catname;
+
+	if (logconfig != NULL) {
+		named_log_setdefaultchannels(logconfig);
+	}
+
+	(void)cfg_map_get(logstmt, "channel", &channels);
+	for (element = cfg_list_first(channels); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		const cfg_obj_t *channel = cfg_listelt_value(element);
+		CHECK(channel_fromconf(channel, logconfig));
+	}
+
+	(void)cfg_map_get(logstmt, "category", &categories);
+	for (element = cfg_list_first(categories); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		const cfg_obj_t *category = cfg_listelt_value(element);
+		CHECK(category_fromconf(category, logconfig));
+		if (!default_set) {
+			catname = cfg_tuple_get(category, "name");
+			if (strcmp(cfg_obj_asstring(catname), "default") == 0) {
+				default_set = true;
+			}
+		}
+		if (!unmatched_set) {
+			catname = cfg_tuple_get(category, "name");
+			if (strcmp(cfg_obj_asstring(catname), "unmatched") == 0)
+			{
+				unmatched_set = true;
+			}
+		}
+	}
+
+	if (logconfig != NULL && !default_set) {
+		CHECK(named_log_setdefaultcategory(logconfig));
+	}
+
+	if (logconfig != NULL && !unmatched_set) {
+		CHECK(named_log_setunmatchedcategory(logconfig));
+	}
+
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	return (result);
+}
diff --git a/bin/named/main.c b/bin/named/main.c
new file mode 100644
index 0000000..074936b
--- /dev/null
+++ b/bin/named/main.c
@@ -0,0 +1,1788 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <ctype.h>
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <string.h>
+#include <uv.h>
+
+#if HAVE_LOCALE_H
+#include <locale.h>
+#endif /* HAVE_LOCALE_H */
+
+#ifdef HAVE_DNSTAP
+#include <protobuf-c/protobuf-c.h>
+#endif
+
+#include <isc/app.h>
+#include <isc/backtrace.h>
+#include <isc/commandline.h>
+#include <isc/dir.h>
+#include <isc/file.h>
+#include <isc/hash.h>
+#include <isc/httpd.h>
+#include <isc/managers.h>
+#include <isc/netmgr.h>
+#include <isc/os.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/resource.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/dispatch.h>
+#include <dns/dyndb.h>
+#include <dns/name.h>
+#include <dns/resolver.h>
+#include <dns/result.h>
+#include <dns/view.h>
+
+#include <dst/result.h>
+
+#include <isccc/result.h>
+#if USE_PKCS11
+#include <pk11/result.h>
+#endif /* if USE_PKCS11 */
+
+#include <dlz/dlz_dlopen_driver.h>
+
+#ifdef HAVE_GPERFTOOLS_PROFILER
+#include <gperftools/profiler.h>
+#endif /* ifdef HAVE_GPERFTOOLS_PROFILER */
+
+#ifdef HAVE_JSON_C
+#include <json_c_version.h>
+#endif /* HAVE_JSON_C */
+
+#ifdef HAVE_GEOIP2
+#include <maxminddb.h>
+#endif /* ifdef HAVE_GEOIP2 */
+
+/*
+ * Defining NAMED_MAIN provides storage declarations (rather than extern)
+ * for variables in named/globals.h.
+ */
+#define NAMED_MAIN 1
+
+#include <ns/interfacemgr.h>
+
+#include <named/builtin.h>
+#include <named/config.h>
+#include <named/control.h>
+#include <named/fuzz.h>
+#include <named/globals.h> /* Explicit, though named/log.h includes it. */
+#include <named/log.h>
+#include <named/main.h>
+#include <named/os.h>
+#include <named/server.h>
+#ifdef HAVE_LIBSCF
+#include <named/smf_globals.h>
+#endif /* ifdef HAVE_LIBSCF */
+
+#include <openssl/crypto.h>
+#include <openssl/opensslv.h>
+#ifdef HAVE_LIBXML2
+#include <libxml/parser.h>
+#include <libxml/xmlversion.h>
+#endif /* ifdef HAVE_LIBXML2 */
+#ifdef HAVE_ZLIB
+#include <zlib.h>
+#endif /* ifdef HAVE_ZLIB */
+/*
+ * Include header files for database drivers here.
+ */
+/* #include "xxdb.h" */
+
+#ifdef CONTRIB_DLZ
+/*
+ * Include contributed DLZ drivers if appropriate.
+ */
+#include <dlz/dlz_drivers.h>
+#endif /* ifdef CONTRIB_DLZ */
+
+/*
+ * The maximum number of stack frames to dump on assertion failure.
+ */
+#ifndef BACKTRACE_MAXFRAME
+#define BACKTRACE_MAXFRAME 128
+#endif /* ifndef BACKTRACE_MAXFRAME */
+
+LIBISC_EXTERNAL_DATA extern int isc_dscp_check_value;
+LIBDNS_EXTERNAL_DATA extern unsigned int dns_zone_mkey_hour;
+LIBDNS_EXTERNAL_DATA extern unsigned int dns_zone_mkey_day;
+LIBDNS_EXTERNAL_DATA extern unsigned int dns_zone_mkey_month;
+
+static bool want_stats = false;
+static char program_name[NAME_MAX] = "named";
+static char absolute_conffile[PATH_MAX];
+static char saved_command_line[4096] = { 0 };
+static char ellipsis[5] = { 0 };
+static char version[512];
+static unsigned int maxsocks = 0;
+static int maxudp = 0;
+
+/*
+ * -T options:
+ */
+static bool dropedns = false;
+static bool ednsformerr = false;
+static bool ednsnotimp = false;
+static bool ednsrefused = false;
+static bool fixedlocal = false;
+static bool noaa = false;
+static bool noedns = false;
+static bool nonearest = false;
+static bool nosoa = false;
+static bool notcp = false;
+static bool sigvalinsecs = false;
+
+/*
+ * -4 and -6
+ */
+static bool disable6 = false;
+static bool disable4 = false;
+
+void
+named_main_earlywarning(const char *format, ...) {
+	va_list args;
+
+	va_start(args, format);
+	if (named_g_lctx != NULL) {
+		isc_log_vwrite(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			       NAMED_LOGMODULE_MAIN, ISC_LOG_WARNING, format,
+			       args);
+	} else {
+		fprintf(stderr, "%s: ", program_name);
+		vfprintf(stderr, format, args);
+		fprintf(stderr, "\n");
+		fflush(stderr);
+	}
+	va_end(args);
+}
+
+void
+named_main_earlyfatal(const char *format, ...) {
+	va_list args;
+
+	va_start(args, format);
+	if (named_g_lctx != NULL) {
+		isc_log_vwrite(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			       NAMED_LOGMODULE_MAIN, ISC_LOG_CRITICAL, format,
+			       args);
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_MAIN, ISC_LOG_CRITICAL,
+			      "exiting (due to early fatal error)");
+	} else {
+		fprintf(stderr, "%s: ", program_name);
+		vfprintf(stderr, format, args);
+		fprintf(stderr, "\n");
+		fflush(stderr);
+	}
+	va_end(args);
+
+	exit(1);
+}
+
+ISC_PLATFORM_NORETURN_PRE static void
+assertion_failed(const char *file, int line, isc_assertiontype_t type,
+		 const char *cond) ISC_PLATFORM_NORETURN_POST;
+
+static void
+assertion_failed(const char *file, int line, isc_assertiontype_t type,
+		 const char *cond) {
+	void *tracebuf[BACKTRACE_MAXFRAME];
+	int i, nframes;
+	isc_result_t result;
+	const char *logsuffix = "";
+	const char *fname;
+
+	/*
+	 * Handle assertion failures.
+	 */
+
+	if (named_g_lctx != NULL) {
+		/*
+		 * Reset the assertion callback in case it is the log
+		 * routines causing the assertion.
+		 */
+		isc_assertion_setcallback(NULL);
+
+		result = isc_backtrace_gettrace(tracebuf, BACKTRACE_MAXFRAME,
+						&nframes);
+		if (result == ISC_R_SUCCESS && nframes > 0) {
+			logsuffix = ", back trace";
+		}
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_MAIN, ISC_LOG_CRITICAL,
+			      "%s:%d: %s(%s) failed%s", file, line,
+			      isc_assertion_typetotext(type), cond, logsuffix);
+		if (result == ISC_R_SUCCESS) {
+			for (i = 0; i < nframes; i++) {
+				unsigned long offset;
+
+				fname = NULL;
+				result = isc_backtrace_getsymbol(
+					tracebuf[i], &fname, &offset);
+				if (result == ISC_R_SUCCESS) {
+					isc_log_write(named_g_lctx,
+						      NAMED_LOGCATEGORY_GENERAL,
+						      NAMED_LOGMODULE_MAIN,
+						      ISC_LOG_CRITICAL,
+						      "#%d %p in %s()+0x%lx", i,
+						      tracebuf[i], fname,
+						      offset);
+				} else {
+					isc_log_write(named_g_lctx,
+						      NAMED_LOGCATEGORY_GENERAL,
+						      NAMED_LOGMODULE_MAIN,
+						      ISC_LOG_CRITICAL,
+						      "#%d %p in ??", i,
+						      tracebuf[i]);
+				}
+			}
+		}
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_MAIN, ISC_LOG_CRITICAL,
+			      "exiting (due to assertion failure)");
+	} else {
+		fprintf(stderr, "%s:%d: %s(%s) failed\n", file, line,
+			isc_assertion_typetotext(type), cond);
+		fflush(stderr);
+	}
+
+	if (named_g_coreok) {
+		abort();
+	}
+	exit(1);
+}
+
+ISC_PLATFORM_NORETURN_PRE static void
+library_fatal_error(const char *file, int line, const char *format,
+		    va_list args)
+	ISC_FORMAT_PRINTF(3, 0) ISC_PLATFORM_NORETURN_POST;
+
+static void
+library_fatal_error(const char *file, int line, const char *format,
+		    va_list args) {
+	/*
+	 * Handle isc_error_fatal() calls from our libraries.
+	 */
+
+	if (named_g_lctx != NULL) {
+		/*
+		 * Reset the error callback in case it is the log
+		 * routines causing the assertion.
+		 */
+		isc_error_setfatal(NULL);
+
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_MAIN, ISC_LOG_CRITICAL,
+			      "%s:%d: fatal error:", file, line);
+		isc_log_vwrite(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			       NAMED_LOGMODULE_MAIN, ISC_LOG_CRITICAL, format,
+			       args);
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_MAIN, ISC_LOG_CRITICAL,
+			      "exiting (due to fatal error in library)");
+	} else {
+		fprintf(stderr, "%s:%d: fatal error: ", file, line);
+		vfprintf(stderr, format, args);
+		fprintf(stderr, "\n");
+		fflush(stderr);
+	}
+
+	if (named_g_coreok) {
+		abort();
+	}
+	exit(1);
+}
+
+static void
+library_unexpected_error(const char *file, int line, const char *format,
+			 va_list args) ISC_FORMAT_PRINTF(3, 0);
+
+static void
+library_unexpected_error(const char *file, int line, const char *format,
+			 va_list args) {
+	/*
+	 * Handle isc_error_unexpected() calls from our libraries.
+	 */
+
+	if (named_g_lctx != NULL) {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_MAIN, ISC_LOG_ERROR,
+			      "%s:%d: unexpected error:", file, line);
+		isc_log_vwrite(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			       NAMED_LOGMODULE_MAIN, ISC_LOG_ERROR, format,
+			       args);
+	} else {
+		fprintf(stderr, "%s:%d: fatal error: ", file, line);
+		vfprintf(stderr, format, args);
+		fprintf(stderr, "\n");
+		fflush(stderr);
+	}
+}
+
+static void
+usage(void) {
+	fprintf(stderr, "usage: named [-4|-6] [-c conffile] [-d debuglevel] "
+			"[-D comment] [-E engine]\n"
+			"             [-f|-g] [-L logfile] [-n number_of_cpus] "
+			"[-p port] [-s]\n"
+			"             [-S sockets] [-t chrootdir] [-u "
+			"username] [-U listeners]\n"
+			"             [-X lockfile] [-m "
+			"{usage|trace|record|size|mctx}]\n"
+			"             [-M external|internal|fill|nofill]\n"
+			"usage: named [-v|-V|-C]\n");
+}
+
+static void
+save_command_line(int argc, char *argv[]) {
+	int i;
+	char *dst = saved_command_line;
+	char *eob = saved_command_line + sizeof(saved_command_line) - 1;
+	char *rollback = dst;
+
+	for (i = 1; i < argc && dst < eob; i++) {
+		char *src = argv[i];
+		bool quoted = false;
+
+		rollback = dst;
+		*dst++ = ' ';
+
+		while (*src != '\0' && dst < eob) {
+			if (isalnum(*(unsigned char *)src) || *src == ',' ||
+			    *src == '-' || *src == '_' || *src == '.' ||
+			    *src == '/')
+			{
+				*dst++ = *src++;
+			} else if (isprint(*(unsigned char *)src)) {
+				if (dst + 2 >= eob) {
+					goto add_ellipsis;
+				}
+				*dst++ = '\\';
+				*dst++ = *src++;
+			} else {
+				/*
+				 * Control character found in the input,
+				 * quote the whole arg and restart
+				 */
+				if (!quoted) {
+					dst = rollback;
+					src = argv[i];
+
+					if (dst + 3 >= eob) {
+						goto add_ellipsis;
+					}
+
+					*dst++ = ' ';
+					*dst++ = '$';
+					*dst++ = '\'';
+
+					quoted = true;
+					continue;
+				} else {
+					char tmp[5];
+					int c = snprintf(tmp, sizeof(tmp),
+							 "\\%03o", *src++);
+					if (dst + c >= eob) {
+						goto add_ellipsis;
+					}
+					memmove(dst, tmp, c);
+					dst += c;
+				}
+			}
+		}
+		if (quoted) {
+			if (dst == eob) {
+				goto add_ellipsis;
+			}
+			*dst++ = '\'';
+		}
+	}
+
+	if (dst < eob) {
+		return;
+	}
+add_ellipsis:
+	dst = rollback;
+	*dst = '\0';
+	strlcpy(ellipsis, " ...", sizeof(ellipsis));
+}
+
+static int
+parse_int(char *arg, const char *desc) {
+	char *endp;
+	int tmp;
+	long int ltmp;
+
+	ltmp = strtol(arg, &endp, 10);
+	tmp = (int)ltmp;
+	if (*endp != '\0') {
+		named_main_earlyfatal("%s '%s' must be numeric", desc, arg);
+	}
+	if (tmp < 0 || tmp != ltmp) {
+		named_main_earlyfatal("%s '%s' out of range", desc, arg);
+	}
+	return (tmp);
+}
+
+static struct flag_def {
+	const char *name;
+	unsigned int value;
+	bool negate;
+} mem_debug_flags[] = { { "none", 0, false },
+			{ "trace", ISC_MEM_DEBUGTRACE, false },
+			{ "record", ISC_MEM_DEBUGRECORD, false },
+			{ "usage", ISC_MEM_DEBUGUSAGE, false },
+			{ "size", ISC_MEM_DEBUGSIZE, false },
+			{ "mctx", ISC_MEM_DEBUGCTX, false },
+			{ NULL, 0, false } },
+  mem_context_flags[] = { { "external", ISC_MEMFLAG_INTERNAL, true },
+			  { "internal", ISC_MEMFLAG_INTERNAL, false },
+			  { "fill", ISC_MEMFLAG_FILL, false },
+			  { "nofill", ISC_MEMFLAG_FILL, true },
+			  { NULL, 0, false } };
+
+static void
+set_flags(const char *arg, struct flag_def *defs, unsigned int *ret) {
+	bool clear = false;
+
+	for (;;) {
+		const struct flag_def *def;
+		const char *end = strchr(arg, ',');
+		int arglen;
+		if (end == NULL) {
+			end = arg + strlen(arg);
+		}
+		arglen = (int)(end - arg);
+		for (def = defs; def->name != NULL; def++) {
+			if (arglen == (int)strlen(def->name) &&
+			    memcmp(arg, def->name, arglen) == 0)
+			{
+				if (def->value == 0) {
+					clear = true;
+				}
+				if (def->negate) {
+					*ret &= ~(def->value);
+				} else {
+					*ret |= def->value;
+				}
+				goto found;
+			}
+		}
+		named_main_earlyfatal("unrecognized flag '%.*s'", arglen, arg);
+	found:
+		if (clear || (*end == '\0')) {
+			break;
+		}
+		arg = end + 1;
+	}
+
+	if (clear) {
+		*ret = 0;
+	}
+}
+
+/*%
+ * Convert algorithm type to string.
+ */
+static const char *
+dst_hmac_algorithm_totext(dns_secalg_t alg) {
+	switch (alg) {
+	case DST_ALG_HMACMD5:
+		return ("hmac-md5");
+	case DST_ALG_HMACSHA1:
+		return ("hmac-sha1");
+	case DST_ALG_HMACSHA224:
+		return ("hmac-sha224");
+	case DST_ALG_HMACSHA256:
+		return ("hmac-sha256");
+	case DST_ALG_HMACSHA384:
+		return ("hmac-sha384");
+	case DST_ALG_HMACSHA512:
+		return ("hmac-sha512");
+	default:
+		return ("(unknown)");
+	}
+}
+
+#define DST_ALG_HMAC_FIRST DST_ALG_HMACMD5
+#define DST_ALG_HMAC_LAST  DST_ALG_HMACSHA512
+
+static void
+list_dnssec_algorithms(isc_buffer_t *b) {
+	for (size_t i = DST_ALG_UNKNOWN; i < DST_MAX_ALGS; i++) {
+		if (i == DST_ALG_DH || i == DST_ALG_GSSAPI ||
+		    (i >= DST_ALG_HMAC_FIRST && i <= DST_ALG_HMAC_LAST))
+		{
+			continue;
+		}
+		if (dst_algorithm_supported(i)) {
+			isc_buffer_putstr(b, " ");
+			(void)dns_secalg_totext(i, b);
+		}
+	}
+}
+
+static void
+list_ds_algorithms(isc_buffer_t *b) {
+	for (size_t i = 0; i < 256; i++) {
+		if (dst_ds_digest_supported(i)) {
+			isc_buffer_putstr(b, " ");
+			(void)dns_dsdigest_totext(i, b);
+		}
+	}
+}
+
+static void
+list_hmac_algorithms(isc_buffer_t *b) {
+	isc_buffer_t sb = *b;
+	for (size_t i = DST_ALG_HMAC_FIRST; i <= DST_ALG_HMAC_LAST; i++) {
+		if (i == DST_ALG_GSSAPI) {
+			continue;
+		}
+		if (dst_algorithm_supported(i)) {
+			isc_buffer_putstr(b, " ");
+			isc_buffer_putstr(b, dst_hmac_algorithm_totext(i));
+		}
+	}
+	for (unsigned char *s = isc_buffer_used(&sb); s != isc_buffer_used(b);
+	     s++)
+	{
+		*s = toupper(*s);
+	}
+}
+
+static void
+logit(isc_buffer_t *b) {
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, "%.*s",
+		      (int)isc_buffer_usedlength(b),
+		      (char *)isc_buffer_base(b));
+}
+
+static void
+printit(isc_buffer_t *b) {
+	printf("%.*s\n", (int)isc_buffer_usedlength(b),
+	       (char *)isc_buffer_base(b));
+}
+
+static void
+format_supported_algorithms(void (*emit)(isc_buffer_t *b)) {
+	isc_buffer_t b;
+	char buf[512];
+
+	isc_buffer_init(&b, buf, sizeof(buf));
+	isc_buffer_putstr(&b, "DNSSEC algorithms:");
+	list_dnssec_algorithms(&b);
+	(*emit)(&b);
+
+	isc_buffer_init(&b, buf, sizeof(buf));
+	isc_buffer_putstr(&b, "DS algorithms:");
+	list_ds_algorithms(&b);
+	(*emit)(&b);
+
+	isc_buffer_init(&b, buf, sizeof(buf));
+	isc_buffer_putstr(&b, "HMAC algorithms:");
+	list_hmac_algorithms(&b);
+	(*emit)(&b);
+
+	isc_buffer_init(&b, buf, sizeof(buf));
+	isc_buffer_printf(&b, "TKEY mode 2 support (Diffie-Hellman): %s",
+			  (dst_algorithm_supported(DST_ALG_DH) &&
+			   dst_algorithm_supported(DST_ALG_HMACMD5))
+				  ? "yes"
+				  : "non");
+	(*emit)(&b);
+
+	isc_buffer_init(&b, buf, sizeof(buf));
+	isc_buffer_printf(&b, "TKEY mode 3 support (GSS-API): %s",
+			  dst_algorithm_supported(DST_ALG_GSSAPI) ? "yes"
+								  : "no");
+	(*emit)(&b);
+}
+
+static void
+printversion(bool verbose) {
+	char rndcconf[PATH_MAX], *dot = NULL;
+	isc_mem_t *mctx = NULL;
+	isc_result_t result;
+	isc_buffer_t b;
+	char buf[512];
+#if defined(HAVE_GEOIP2)
+	cfg_parser_t *parser = NULL;
+	cfg_obj_t *config = NULL;
+	const cfg_obj_t *defaults = NULL, *obj = NULL;
+#endif /* if defined(HAVE_GEOIP2) */
+
+	printf("%s %s%s%s <id:%s>\n", named_g_product, named_g_version,
+	       (*named_g_description != '\0') ? " " : "", named_g_description,
+	       named_g_srcid);
+
+	if (!verbose) {
+		return;
+	}
+
+	printf("running on %s\n", named_os_uname());
+	printf("built by %s with %s\n", named_g_builder, named_g_configargs);
+#ifdef __clang__
+	printf("compiled by CLANG %s\n", __VERSION__);
+#else /* ifdef __clang__ */
+#if defined(__ICC) || defined(__INTEL_COMPILER)
+	printf("compiled by ICC %s\n", __VERSION__);
+#else /* if defined(__ICC) || defined(__INTEL_COMPILER) */
+#ifdef __GNUC__
+	printf("compiled by GCC %s\n", __VERSION__);
+#endif /* ifdef __GNUC__ */
+#endif /* if defined(__ICC) || defined(__INTEL_COMPILER) */
+#endif /* ifdef __clang__ */
+#ifdef _MSC_VER
+	printf("compiled by MSVC %d\n", _MSC_VER);
+#endif /* ifdef _MSC_VER */
+#ifdef __SUNPRO_C
+	printf("compiled by Solaris Studio %x\n", __SUNPRO_C);
+#endif /* ifdef __SUNPRO_C */
+	printf("compiled with OpenSSL version: %s\n", OPENSSL_VERSION_TEXT);
+#if !defined(LIBRESSL_VERSION_NUMBER) && \
+	OPENSSL_VERSION_NUMBER >= 0x10100000L /* 1.1.0 or higher */
+	printf("linked to OpenSSL version: %s\n",
+	       OpenSSL_version(OPENSSL_VERSION));
+
+#else  /* if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= \
+	* 0x10100000L */
+	printf("linked to OpenSSL version: %s\n",
+	       SSLeay_version(SSLEAY_VERSION));
+#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
+	printf("compiled with libuv version: %d.%d.%d\n", UV_VERSION_MAJOR,
+	       UV_VERSION_MINOR, UV_VERSION_PATCH);
+	printf("linked to libuv version: %s\n", uv_version_string());
+#ifdef HAVE_LIBXML2
+	printf("compiled with libxml2 version: %s\n", LIBXML_DOTTED_VERSION);
+	printf("linked to libxml2 version: %s\n", xmlParserVersion);
+#endif /* ifdef HAVE_LIBXML2 */
+#if defined(HAVE_JSON_C)
+	printf("compiled with json-c version: %s\n", JSON_C_VERSION);
+	printf("linked to json-c version: %s\n", json_c_version());
+#endif /* if defined(HAVE_JSON_C) */
+#if defined(HAVE_ZLIB) && defined(ZLIB_VERSION)
+	printf("compiled with zlib version: %s\n", ZLIB_VERSION);
+	printf("linked to zlib version: %s\n", zlibVersion());
+#endif /* if defined(HAVE_ZLIB) && defined(ZLIB_VERSION) */
+#if defined(HAVE_GEOIP2)
+	/* Unfortunately, no version define on link time */
+	printf("linked to maxminddb version: %s\n", MMDB_lib_version());
+#endif /* if defined(HAVE_GEOIP2) */
+#if defined(HAVE_DNSTAP)
+	printf("compiled with protobuf-c version: %s\n", PROTOBUF_C_VERSION);
+	printf("linked to protobuf-c version: %s\n", protobuf_c_version());
+#endif /* if defined(HAVE_DNSTAP) */
+	printf("threads support is enabled\n");
+
+	isc_mem_create(&mctx);
+	result = dst_lib_init(mctx, named_g_engine);
+	if (result == ISC_R_SUCCESS) {
+		isc_buffer_init(&b, buf, sizeof(buf));
+		format_supported_algorithms(printit);
+		printf("\n");
+		dst_lib_destroy();
+	} else {
+		printf("DST initialization failure: %s\n",
+		       isc_result_totext(result));
+	}
+
+	/*
+	 * The default rndc.conf and rndc.key paths are in the same
+	 * directory, but named only has rndc.key defined internally.
+	 * We construct the rndc.conf path from it. (We could use
+	 * NAMED_SYSCONFDIR here but the result would look wrong on
+	 * Windows.)
+	 */
+	strlcpy(rndcconf, named_g_keyfile, sizeof(rndcconf));
+	dot = strrchr(rndcconf, '.');
+	if (dot != NULL) {
+		size_t len = dot - rndcconf + 1;
+		snprintf(dot + 1, PATH_MAX - len, "conf");
+	}
+
+	/*
+	 * Print default configuration paths.
+	 */
+	printf("default paths:\n");
+	printf("  named configuration:  %s\n", named_g_conffile);
+	printf("  rndc configuration:   %s\n", rndcconf);
+	printf("  DNSSEC root key:      %s\n", named_g_defaultbindkeys);
+	printf("  nsupdate session key: %s\n", named_g_defaultsessionkeyfile);
+	printf("  named PID file:       %s\n", named_g_defaultpidfile);
+	printf("  named lock file:      %s\n", named_g_defaultlockfile);
+#if defined(HAVE_GEOIP2)
+#define RTC(x) RUNTIME_CHECK((x) == ISC_R_SUCCESS)
+	RTC(cfg_parser_create(mctx, named_g_lctx, &parser));
+	RTC(named_config_parsedefaults(parser, &config));
+	RTC(cfg_map_get(config, "options", &defaults));
+	RTC(cfg_map_get(defaults, "geoip-directory", &obj));
+	if (cfg_obj_isstring(obj)) {
+		printf("  geoip-directory:      %s\n", cfg_obj_asstring(obj));
+	}
+	cfg_obj_destroy(parser, &config);
+	cfg_parser_destroy(&parser);
+	isc_mem_detach(&mctx);
+#endif /* HAVE_GEOIP2 */
+}
+
+static void
+parse_fuzz_arg(void) {
+	if (!strncmp(isc_commandline_argument, "client:", 7)) {
+		named_g_fuzz_addr = isc_commandline_argument + 7;
+		named_g_fuzz_type = isc_fuzz_client;
+	} else if (!strncmp(isc_commandline_argument, "tcp:", 4)) {
+		named_g_fuzz_addr = isc_commandline_argument + 4;
+		named_g_fuzz_type = isc_fuzz_tcpclient;
+	} else if (!strncmp(isc_commandline_argument, "resolver:", 9)) {
+		named_g_fuzz_addr = isc_commandline_argument + 9;
+		named_g_fuzz_type = isc_fuzz_resolver;
+	} else if (!strncmp(isc_commandline_argument, "http:", 5)) {
+		named_g_fuzz_addr = isc_commandline_argument + 5;
+		named_g_fuzz_type = isc_fuzz_http;
+	} else if (!strncmp(isc_commandline_argument, "rndc:", 5)) {
+		named_g_fuzz_addr = isc_commandline_argument + 5;
+		named_g_fuzz_type = isc_fuzz_rndc;
+	} else {
+		named_main_earlyfatal("unknown fuzzing type '%s'",
+				      isc_commandline_argument);
+	}
+}
+
+static void
+parse_T_opt(char *option) {
+	const char *p;
+	char *last = NULL;
+	/*
+	 * force the server to behave (or misbehave) in
+	 * specified ways for testing purposes.
+	 * dscp=x:     check that dscp values are as
+	 * 	       expected and assert otherwise.
+	 */
+	if (!strcmp(option, "dropedns")) {
+		dropedns = true;
+	} else if (!strncmp(option, "dscp=", 5)) {
+		isc_dscp_check_value = atoi(option + 5);
+	} else if (!strcmp(option, "ednsformerr")) {
+		ednsformerr = true;
+	} else if (!strcmp(option, "ednsnotimp")) {
+		ednsnotimp = true;
+	} else if (!strcmp(option, "ednsrefused")) {
+		ednsrefused = true;
+	} else if (!strcmp(option, "fixedlocal")) {
+		fixedlocal = true;
+	} else if (!strcmp(option, "keepstderr")) {
+		named_g_keepstderr = true;
+	} else if (!strcmp(option, "noaa")) {
+		noaa = true;
+	} else if (!strcmp(option, "noedns")) {
+		noedns = true;
+	} else if (!strcmp(option, "nonearest")) {
+		nonearest = true;
+	} else if (!strcmp(option, "nosoa")) {
+		nosoa = true;
+	} else if (!strcmp(option, "nosyslog")) {
+		named_g_nosyslog = true;
+	} else if (!strcmp(option, "notcp")) {
+		notcp = true;
+	} else if (!strncmp(option, "maxcachesize=", 13)) {
+		named_g_maxcachesize = atoi(option + 13);
+	} else if (!strcmp(option, "maxudp512")) {
+		maxudp = 512;
+	} else if (!strcmp(option, "maxudp1460")) {
+		maxudp = 1460;
+	} else if (!strncmp(option, "maxudp=", 7)) {
+		maxudp = atoi(option + 7);
+		if (maxudp <= 0) {
+			named_main_earlyfatal("bad maxudp");
+		}
+	} else if (!strncmp(option, "mkeytimers=", 11)) {
+		p = strtok_r(option + 11, "/", &last);
+		if (p == NULL) {
+			named_main_earlyfatal("bad mkeytimer");
+		}
+
+		dns_zone_mkey_hour = atoi(p);
+		if (dns_zone_mkey_hour == 0) {
+			named_main_earlyfatal("bad mkeytimer");
+		}
+
+		p = strtok_r(NULL, "/", &last);
+		if (p == NULL) {
+			dns_zone_mkey_day = (24 * dns_zone_mkey_hour);
+			dns_zone_mkey_month = (30 * dns_zone_mkey_day);
+			return;
+		}
+
+		dns_zone_mkey_day = atoi(p);
+		if (dns_zone_mkey_day < dns_zone_mkey_hour) {
+			named_main_earlyfatal("bad mkeytimer");
+		}
+
+		p = strtok_r(NULL, "/", &last);
+		if (p == NULL) {
+			dns_zone_mkey_month = (30 * dns_zone_mkey_day);
+			return;
+		}
+
+		dns_zone_mkey_month = atoi(p);
+		if (dns_zone_mkey_month < dns_zone_mkey_day) {
+			named_main_earlyfatal("bad mkeytimer");
+		}
+	} else if (!strcmp(option, "sigvalinsecs")) {
+		sigvalinsecs = true;
+	} else if (!strncmp(option, "tat=", 4)) {
+		named_g_tat_interval = atoi(option + 4);
+	} else {
+		fprintf(stderr, "unknown -T flag '%s'\n", option);
+	}
+}
+
+static void
+parse_command_line(int argc, char *argv[]) {
+	int ch;
+	int port;
+	const char *p;
+
+	save_command_line(argc, argv);
+
+	/*
+	 * NAMED_MAIN_ARGS is defined in main.h, so that it can be used
+	 * both by named and by ntservice hooks.
+	 */
+	isc_commandline_errprint = false;
+	while ((ch = isc_commandline_parse(argc, argv, NAMED_MAIN_ARGS)) != -1)
+	{
+		switch (ch) {
+		case '4':
+			if (disable4) {
+				named_main_earlyfatal("cannot specify "
+						      "-4 and -6");
+			}
+			if (isc_net_probeipv4() != ISC_R_SUCCESS) {
+				named_main_earlyfatal("IPv4 not supported "
+						      "by OS");
+			}
+			isc_net_disableipv6();
+			disable6 = true;
+			break;
+		case '6':
+			if (disable6) {
+				named_main_earlyfatal("cannot specify "
+						      "-4 and -6");
+			}
+			if (isc_net_probeipv6() != ISC_R_SUCCESS) {
+				named_main_earlyfatal("IPv6 not supported "
+						      "by OS");
+			}
+			isc_net_disableipv4();
+			disable4 = true;
+			break;
+		case 'A':
+			parse_fuzz_arg();
+			break;
+		case 'c':
+			named_g_conffile = isc_commandline_argument;
+			named_g_conffileset = true;
+			break;
+		case 'C':
+			printf("# Built-in default values. "
+			       "This is NOT the run-time configuration!\n");
+			printf("%s", named_config_getdefault());
+			exit(0);
+		case 'd':
+			named_g_debuglevel = parse_int(isc_commandline_argument,
+						       "debug "
+						       "level");
+			break;
+		case 'D':
+			/* Descriptive comment for 'ps'. */
+			break;
+		case 'E':
+			named_g_engine = isc_commandline_argument;
+			break;
+		case 'f':
+			named_g_foreground = true;
+			break;
+		case 'g':
+			named_g_foreground = true;
+			named_g_logstderr = true;
+			break;
+		case 'L':
+			named_g_logfile = isc_commandline_argument;
+			break;
+		case 'M':
+			set_flags(isc_commandline_argument, mem_context_flags,
+				  &isc_mem_defaultflags);
+			break;
+		case 'm':
+			set_flags(isc_commandline_argument, mem_debug_flags,
+				  &isc_mem_debugging);
+			break;
+		case 'N': /* Deprecated. */
+		case 'n':
+			named_g_cpus = parse_int(isc_commandline_argument,
+						 "number of cpus");
+			if (named_g_cpus == 0) {
+				named_g_cpus = 1;
+			}
+			break;
+		case 'p':
+			port = parse_int(isc_commandline_argument, "port");
+			if (port < 1 || port > 65535) {
+				named_main_earlyfatal("port '%s' out of range",
+						      isc_commandline_argument);
+			}
+			named_g_port = port;
+			break;
+		case 's':
+			/* XXXRTH temporary syntax */
+			want_stats = true;
+			break;
+		case 'S':
+			maxsocks = parse_int(isc_commandline_argument,
+					     "max number of sockets");
+			break;
+		case 't':
+			/* XXXJAB should we make a copy? */
+			named_g_chrootdir = isc_commandline_argument;
+			break;
+		case 'T': /* NOT DOCUMENTED */
+			parse_T_opt(isc_commandline_argument);
+			break;
+		case 'U':
+			named_g_udpdisp = parse_int(isc_commandline_argument,
+						    "number of UDP listeners "
+						    "per interface");
+			break;
+		case 'u':
+			named_g_username = isc_commandline_argument;
+			break;
+		case 'v':
+			printversion(false);
+			exit(0);
+		case 'V':
+			printversion(true);
+			exit(0);
+		case 'x':
+			/* Obsolete. No longer in use. Ignore. */
+			break;
+		case 'X':
+			named_g_forcelock = true;
+			if (strcasecmp(isc_commandline_argument, "none") != 0) {
+				named_g_defaultlockfile =
+					isc_commandline_argument;
+			} else {
+				named_g_defaultlockfile = NULL;
+			}
+			break;
+		case 'F':
+			/* Reserved for FIPS mode */
+			FALLTHROUGH;
+		case '?':
+			usage();
+			if (isc_commandline_option == '?') {
+				exit(0);
+			}
+			p = strchr(NAMED_MAIN_ARGS, isc_commandline_option);
+			if (p == NULL || *++p != ':') {
+				named_main_earlyfatal("unknown option '-%c'",
+						      isc_commandline_option);
+			} else {
+				named_main_earlyfatal("option '-%c' requires "
+						      "an argument",
+						      isc_commandline_option);
+			}
+			FALLTHROUGH;
+		default:
+			named_main_earlyfatal("parsing options returned %d",
+					      ch);
+		}
+	}
+
+	argc -= isc_commandline_index;
+	argv += isc_commandline_index;
+	POST(argv);
+
+	if (argc > 0) {
+		usage();
+		named_main_earlyfatal("extra command line arguments");
+	}
+}
+
+static isc_result_t
+create_managers(void) {
+	isc_result_t result;
+	unsigned int socks;
+
+	INSIST(named_g_cpus_detected > 0);
+
+	if (named_g_cpus == 0) {
+		named_g_cpus = named_g_cpus_detected;
+	}
+	isc_log_write(
+		named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER,
+		ISC_LOG_INFO, "found %u CPU%s, using %u worker thread%s",
+		named_g_cpus_detected, named_g_cpus_detected == 1 ? "" : "s",
+		named_g_cpus, named_g_cpus == 1 ? "" : "s");
+#ifdef WIN32
+	named_g_udpdisp = 1;
+#else  /* ifdef WIN32 */
+	if (named_g_udpdisp == 0) {
+		named_g_udpdisp = named_g_cpus_detected;
+	}
+	if (named_g_udpdisp > named_g_cpus) {
+		named_g_udpdisp = named_g_cpus;
+	}
+#endif /* ifdef WIN32 */
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+		      "using %u UDP listener%s per interface", named_g_udpdisp,
+		      named_g_udpdisp == 1 ? "" : "s");
+
+	result = isc_managers_create(named_g_mctx, named_g_cpus, 0, &named_g_nm,
+				     &named_g_taskmgr);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_managers_create() failed: %s",
+				 isc_result_totext(result));
+		return (ISC_R_UNEXPECTED);
+	}
+
+	result = isc_timermgr_create(named_g_mctx, &named_g_timermgr);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_timermgr_create() failed: %s",
+				 isc_result_totext(result));
+		return (ISC_R_UNEXPECTED);
+	}
+
+	result = isc_socketmgr_create2(named_g_mctx, &named_g_socketmgr,
+				       maxsocks, named_g_cpus);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_socketmgr_create() failed: %s",
+				 isc_result_totext(result));
+		return (ISC_R_UNEXPECTED);
+	}
+	isc_socketmgr_maxudp(named_g_socketmgr, maxudp);
+	isc_nm_maxudp(named_g_nm, maxudp);
+	result = isc_socketmgr_getmaxsockets(named_g_socketmgr, &socks);
+	if (result == ISC_R_SUCCESS) {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+			      "using up to %u sockets", socks);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+destroy_managers(void) {
+	isc_managers_destroy(&named_g_nm, &named_g_taskmgr);
+	isc_timermgr_destroy(&named_g_timermgr);
+	isc_socketmgr_destroy(&named_g_socketmgr);
+}
+
+static void
+dump_symboltable(void) {
+	int i;
+	isc_result_t result;
+	const char *fname;
+	const void *addr;
+
+	if (isc__backtrace_nsymbols == 0) {
+		return;
+	}
+
+	if (!isc_log_wouldlog(named_g_lctx, ISC_LOG_DEBUG(99))) {
+		return;
+	}
+
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_MAIN, ISC_LOG_DEBUG(99), "Symbol table:");
+
+	for (i = 0, result = ISC_R_SUCCESS; result == ISC_R_SUCCESS; i++) {
+		addr = NULL;
+		fname = NULL;
+		result = isc_backtrace_getsymbolfromindex(i, &addr, &fname);
+		if (result == ISC_R_SUCCESS) {
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_MAIN, ISC_LOG_DEBUG(99),
+				      "[%d] %p %s", i, addr, fname);
+		}
+	}
+}
+
+static void
+setup(void) {
+	isc_result_t result;
+	isc_resourcevalue_t old_openfiles;
+	ns_server_t *sctx;
+#ifdef HAVE_LIBSCF
+	char *instance = NULL;
+#endif /* ifdef HAVE_LIBSCF */
+
+	/*
+	 * Get the user and group information before changing the root
+	 * directory, so the administrator does not need to keep a copy
+	 * of the user and group databases in the chroot'ed environment.
+	 */
+	named_os_inituserinfo(named_g_username);
+
+	/*
+	 * Initialize time conversion information
+	 */
+	named_os_tzset();
+
+	named_os_opendevnull();
+
+#ifdef HAVE_LIBSCF
+	/* Check if named is under smf control, before chroot. */
+	result = named_smf_get_instance(&instance, 0, named_g_mctx);
+	/* We don't care about instance, just check if we got one. */
+	if (result == ISC_R_SUCCESS) {
+		named_smf_got_instance = 1;
+	} else {
+		named_smf_got_instance = 0;
+	}
+	if (instance != NULL) {
+		isc_mem_free(named_g_mctx, instance);
+	}
+#endif /* HAVE_LIBSCF */
+
+	/*
+	 * Check for the number of cpu's before named_os_chroot().
+	 */
+	named_g_cpus_detected = isc_os_ncpus();
+
+	named_os_chroot(named_g_chrootdir);
+
+	/*
+	 * For operating systems which have a capability mechanism, now
+	 * is the time to switch to minimal privs and change our user id.
+	 * On traditional UNIX systems, this call will be a no-op, and we
+	 * will change the user ID after reading the config file the first
+	 * time.  (We need to read the config file to know which possibly
+	 * privileged ports to bind() to.)
+	 */
+	named_os_minprivs();
+
+	result = named_log_init(named_g_username != NULL);
+	if (result != ISC_R_SUCCESS) {
+		named_main_earlyfatal("named_log_init() failed: %s",
+				      isc_result_totext(result));
+	}
+
+	/*
+	 * Now is the time to daemonize (if we're not running in the
+	 * foreground).  We waited until now because we wanted to get
+	 * a valid logging context setup.  We cannot daemonize any later,
+	 * because calling create_managers() will create threads, which
+	 * would be lost after fork().
+	 */
+	if (!named_g_foreground) {
+		named_os_daemonize();
+	}
+
+	/*
+	 * We call isc_app_start() here as some versions of FreeBSD's fork()
+	 * destroys all the signal handling it sets up.
+	 */
+	result = isc_app_start();
+	if (result != ISC_R_SUCCESS) {
+		named_main_earlyfatal("isc_app_start() failed: %s",
+				      isc_result_totext(result));
+	}
+
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE,
+		      "starting %s %s%s%s <id:%s>", named_g_product,
+		      named_g_version, *named_g_description ? " " : "",
+		      named_g_description, named_g_srcid);
+
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, "running on %s",
+		      named_os_uname());
+
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, "built with %s",
+		      named_g_configargs);
+
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE,
+		      "running as: %s%s%s", program_name, saved_command_line,
+		      ellipsis);
+#ifdef __clang__
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE,
+		      "compiled by CLANG %s", __VERSION__);
+#else /* ifdef __clang__ */
+#if defined(__ICC) || defined(__INTEL_COMPILER)
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE,
+		      "compiled by ICC %s", __VERSION__);
+#else /* if defined(__ICC) || defined(__INTEL_COMPILER) */
+#ifdef __GNUC__
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE,
+		      "compiled by GCC %s", __VERSION__);
+#endif /* ifdef __GNUC__ */
+#endif /* if defined(__ICC) || defined(__INTEL_COMPILER) */
+#endif /* ifdef __clang__ */
+#ifdef _MSC_VER
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE,
+		      "compiled by MSVC %d", _MSC_VER);
+#endif /* ifdef _MSC_VER */
+#ifdef __SUNPRO_C
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE,
+		      "compiled by Solaris Studio %x", __SUNPRO_C);
+#endif /* ifdef __SUNPRO_C */
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE,
+		      "compiled with OpenSSL version: %s",
+		      OPENSSL_VERSION_TEXT);
+#if !defined(LIBRESSL_VERSION_NUMBER) && \
+	OPENSSL_VERSION_NUMBER >= 0x10100000L /* 1.1.0 or higher */
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE,
+		      "linked to OpenSSL version: %s",
+		      OpenSSL_version(OPENSSL_VERSION));
+#else  /* if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= \
+	* 0x10100000L */
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE,
+		      "linked to OpenSSL version: %s",
+		      SSLeay_version(SSLEAY_VERSION));
+#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE,
+		      "compiled with libuv version: %d.%d.%d", UV_VERSION_MAJOR,
+		      UV_VERSION_MINOR, UV_VERSION_PATCH);
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE,
+		      "linked to libuv version: %s", uv_version_string());
+#ifdef HAVE_LIBXML2
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE,
+		      "compiled with libxml2 version: %s",
+		      LIBXML_DOTTED_VERSION);
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE,
+		      "linked to libxml2 version: %s", xmlParserVersion);
+#endif /* ifdef HAVE_LIBXML2 */
+#if defined(HAVE_JSON_C)
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE,
+		      "compiled with json-c version: %s", JSON_C_VERSION);
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE,
+		      "linked to json-c version: %s", json_c_version());
+#endif /* if defined(HAVE_JSON_C) */
+#if defined(HAVE_ZLIB) && defined(ZLIB_VERSION)
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE,
+		      "compiled with zlib version: %s", ZLIB_VERSION);
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE,
+		      "linked to zlib version: %s", zlibVersion());
+#endif /* if defined(HAVE_ZLIB) && defined(ZLIB_VERSION) */
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE,
+		      "----------------------------------------------------");
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE,
+		      "BIND 9 is maintained by Internet Systems Consortium,");
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE,
+		      "Inc. (ISC), a non-profit 501(c)(3) public-benefit ");
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE,
+		      "corporation.  Support and training for BIND 9 are ");
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE,
+		      "available at https://www.isc.org/support");
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE,
+		      "----------------------------------------------------");
+
+	dump_symboltable();
+
+	/*
+	 * Get the initial resource limits.
+	 */
+#ifndef WIN32
+	RUNTIME_CHECK(isc_resource_getlimit(isc_resource_stacksize,
+					    &named_g_initstacksize) ==
+		      ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_resource_getlimit(isc_resource_datasize,
+					    &named_g_initdatasize) ==
+		      ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_resource_getlimit(isc_resource_coresize,
+					    &named_g_initcoresize) ==
+		      ISC_R_SUCCESS);
+#endif /* ifndef WIN32 */
+	RUNTIME_CHECK(isc_resource_getlimit(isc_resource_openfiles,
+					    &named_g_initopenfiles) ==
+		      ISC_R_SUCCESS);
+
+	/*
+	 * System resources cannot effectively be tuned on some systems.
+	 * Raise the limit in such cases for safety.
+	 */
+	old_openfiles = named_g_initopenfiles;
+	named_os_adjustnofile();
+	RUNTIME_CHECK(isc_resource_getlimit(isc_resource_openfiles,
+					    &named_g_initopenfiles) ==
+		      ISC_R_SUCCESS);
+	if (old_openfiles != named_g_initopenfiles) {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE,
+			      "adjusted limit on open files from "
+			      "%" PRIu64 " to "
+			      "%" PRIu64,
+			      old_openfiles, named_g_initopenfiles);
+	}
+
+	/*
+	 * If the named configuration filename is relative, prepend the current
+	 * directory's name before possibly changing to another directory.
+	 */
+	if (!isc_file_isabsolute(named_g_conffile)) {
+		result = isc_file_absolutepath(named_g_conffile,
+					       absolute_conffile,
+					       sizeof(absolute_conffile));
+		if (result != ISC_R_SUCCESS) {
+			named_main_earlyfatal("could not construct "
+					      "absolute path "
+					      "of configuration file: %s",
+					      isc_result_totext(result));
+		}
+		named_g_conffile = absolute_conffile;
+	}
+
+	/*
+	 * Record the server's startup time.
+	 */
+	result = isc_time_now(&named_g_boottime);
+	if (result != ISC_R_SUCCESS) {
+		named_main_earlyfatal("isc_time_now() failed: %s",
+				      isc_result_totext(result));
+	}
+
+	result = create_managers();
+	if (result != ISC_R_SUCCESS) {
+		named_main_earlyfatal("create_managers() failed: %s",
+				      isc_result_totext(result));
+	}
+
+	named_builtin_init();
+
+	/*
+	 * Add calls to register sdb drivers here.
+	 */
+	/* xxdb_init(); */
+
+#ifdef ISC_DLZ_DLOPEN
+	/*
+	 * Register the DLZ "dlopen" driver.
+	 */
+	result = dlz_dlopen_init(named_g_mctx);
+	if (result != ISC_R_SUCCESS) {
+		named_main_earlyfatal("dlz_dlopen_init() failed: %s",
+				      isc_result_totext(result));
+	}
+#endif /* ifdef ISC_DLZ_DLOPEN */
+
+#if CONTRIB_DLZ
+	/*
+	 * Register any other contributed DLZ drivers.
+	 */
+	result = dlz_drivers_init();
+	if (result != ISC_R_SUCCESS) {
+		named_main_earlyfatal("dlz_drivers_init() failed: %s",
+				      isc_result_totext(result));
+	}
+#endif /* if CONTRIB_DLZ */
+
+	named_server_create(named_g_mctx, &named_g_server);
+	ENSURE(named_g_server != NULL);
+	sctx = named_g_server->sctx;
+
+	/*
+	 * Report supported algorithms now that dst_lib_init() has
+	 * been called via named_server_create().
+	 */
+	format_supported_algorithms(logit);
+
+	/*
+	 * Modify server context according to command line options
+	 */
+	if (disable4) {
+		ns_server_setoption(sctx, NS_SERVER_DISABLE4, true);
+	}
+	if (disable6) {
+		ns_server_setoption(sctx, NS_SERVER_DISABLE6, true);
+	}
+	if (dropedns) {
+		ns_server_setoption(sctx, NS_SERVER_DROPEDNS, true);
+	}
+	if (ednsformerr) { /* STD13 server */
+		ns_server_setoption(sctx, NS_SERVER_EDNSFORMERR, true);
+	}
+	if (ednsnotimp) {
+		ns_server_setoption(sctx, NS_SERVER_EDNSNOTIMP, true);
+	}
+	if (ednsrefused) {
+		ns_server_setoption(sctx, NS_SERVER_EDNSREFUSED, true);
+	}
+	if (fixedlocal) {
+		ns_server_setoption(sctx, NS_SERVER_FIXEDLOCAL, true);
+	}
+	if (noaa) {
+		ns_server_setoption(sctx, NS_SERVER_NOAA, true);
+	}
+	if (noedns) {
+		ns_server_setoption(sctx, NS_SERVER_NOEDNS, true);
+	}
+	if (nonearest) {
+		ns_server_setoption(sctx, NS_SERVER_NONEAREST, true);
+	}
+	if (nosoa) {
+		ns_server_setoption(sctx, NS_SERVER_NOSOA, true);
+	}
+	if (notcp) {
+		ns_server_setoption(sctx, NS_SERVER_NOTCP, true);
+	}
+	if (sigvalinsecs) {
+		ns_server_setoption(sctx, NS_SERVER_SIGVALINSECS, true);
+	}
+}
+
+static void
+cleanup(void) {
+	destroy_managers();
+
+	if (named_g_mapped != NULL) {
+		dns_acl_detach(&named_g_mapped);
+	}
+
+	named_server_destroy(&named_g_server);
+
+	named_builtin_deinit();
+
+	/*
+	 * Add calls to unregister sdb drivers here.
+	 */
+	/* xxdb_clear(); */
+
+#ifdef CONTRIB_DLZ
+	/*
+	 * Unregister contributed DLZ drivers.
+	 */
+	dlz_drivers_clear();
+#endif /* ifdef CONTRIB_DLZ */
+#ifdef ISC_DLZ_DLOPEN
+	/*
+	 * Unregister "dlopen" DLZ driver.
+	 */
+	dlz_dlopen_clear();
+#endif /* ifdef ISC_DLZ_DLOPEN */
+
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, "exiting");
+	named_log_shutdown();
+}
+
+static char *memstats = NULL;
+
+void
+named_main_setmemstats(const char *filename) {
+	/*
+	 * Caller has to ensure locking.
+	 */
+
+	if (memstats != NULL) {
+		free(memstats);
+		memstats = NULL;
+	}
+
+	if (filename == NULL) {
+		return;
+	}
+
+	memstats = strdup(filename);
+}
+
+#ifdef HAVE_LIBSCF
+/*
+ * Get FMRI for the named process.
+ */
+isc_result_t
+named_smf_get_instance(char **ins_name, int debug, isc_mem_t *mctx) {
+	scf_handle_t *h = NULL;
+	int namelen;
+	char *instance;
+
+	REQUIRE(ins_name != NULL && *ins_name == NULL);
+
+	if ((h = scf_handle_create(SCF_VERSION)) == NULL) {
+		if (debug) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "scf_handle_create() failed: %s",
+					 scf_strerror(scf_error()));
+		}
+		return (ISC_R_FAILURE);
+	}
+
+	if (scf_handle_bind(h) == -1) {
+		if (debug) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "scf_handle_bind() failed: %s",
+					 scf_strerror(scf_error()));
+		}
+		scf_handle_destroy(h);
+		return (ISC_R_FAILURE);
+	}
+
+	if ((namelen = scf_myname(h, NULL, 0)) == -1) {
+		if (debug) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "scf_myname() failed: %s",
+					 scf_strerror(scf_error()));
+		}
+		scf_handle_destroy(h);
+		return (ISC_R_FAILURE);
+	}
+
+	if ((instance = isc_mem_allocate(mctx, namelen + 1)) == NULL) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "named_smf_get_instance memory "
+				 "allocation failed: %s",
+				 isc_result_totext(ISC_R_NOMEMORY));
+		scf_handle_destroy(h);
+		return (ISC_R_FAILURE);
+	}
+
+	if (scf_myname(h, instance, namelen + 1) == -1) {
+		if (debug) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "scf_myname() failed: %s",
+					 scf_strerror(scf_error()));
+		}
+		scf_handle_destroy(h);
+		isc_mem_free(mctx, instance);
+		return (ISC_R_FAILURE);
+	}
+
+	scf_handle_destroy(h);
+	*ins_name = instance;
+	return (ISC_R_SUCCESS);
+}
+#endif /* HAVE_LIBSCF */
+
+/* main entry point, possibly hooked */
+
+int
+main(int argc, char *argv[]) {
+	isc_result_t result;
+#ifdef HAVE_LIBSCF
+	char *instance = NULL;
+#endif /* ifdef HAVE_LIBSCF */
+
+#ifdef HAVE_GPERFTOOLS_PROFILER
+	(void)ProfilerStart(NULL);
+#endif /* ifdef HAVE_GPERFTOOLS_PROFILER */
+
+#ifdef WIN32
+	/*
+	 * Prevent unbuffered I/O from crippling named performance on Windows
+	 * when it is logging to stderr (e.g. in system tests).  Use full
+	 * buffering (_IOFBF) as line buffering (_IOLBF) is unavailable on
+	 * Windows and fflush() is called anyway after each log message gets
+	 * written to the default stderr logging channels created by libisc.
+	 */
+	setvbuf(stderr, NULL, _IOFBF, BUFSIZ);
+#endif /* ifdef WIN32 */
+
+#ifdef HAVE_LIBXML2
+	xmlInitParser();
+#endif /* HAVE_LIBXML2 */
+
+	/*
+	 * Technically, this call is superfluous because on startup of the main
+	 * program, the portable "C" locale is selected by default.  This
+	 * explicit call here is for a reference that the BIND 9 code base is
+	 * not locale aware and the locale MUST be set to "C" (or "POSIX") when
+	 * calling any BIND 9 library code.  If you are calling external
+	 * libraries that use locale, such calls must be wrapped into
+	 * setlocale(LC_ALL, ""); before the call and setlocale(LC_ALL, "C");
+	 * after the call, and no BIND 9 library calls must be made in between.
+	 */
+#if HAVE_SETLOCALE
+	setlocale(LC_ALL, "C");
+#endif /* HAVE_SETLOCALE */
+
+	/*
+	 * Record version in core image.
+	 * strings named.core | grep "named version:"
+	 */
+	strlcat(version,
+#if defined(NO_VERSION_DATE) || !defined(__DATE__)
+		"named version: BIND " VERSION " <" SRCID ">",
+#else  /* if defined(NO_VERSION_DATE) || !defined(__DATE__) */
+		"named version: BIND " VERSION " <" SRCID "> (" __DATE__ ")",
+#endif /* if defined(NO_VERSION_DATE) || !defined(__DATE__) */
+		sizeof(version));
+	result = isc_file_progname(*argv, program_name, sizeof(program_name));
+	if (result != ISC_R_SUCCESS) {
+		named_main_earlyfatal("program name too long");
+	}
+
+	isc_assertion_setcallback(assertion_failed);
+	isc_error_setfatal(library_fatal_error);
+	isc_error_setunexpected(library_unexpected_error);
+
+	named_os_init(program_name);
+
+	dns_result_register();
+	dst_result_register();
+	isccc_result_register();
+#if USE_PKCS11
+	pk11_result_register();
+#endif /* if USE_PKCS11 */
+
+	parse_command_line(argc, argv);
+
+#ifdef ENABLE_AFL
+	if (named_g_fuzz_type != isc_fuzz_none) {
+		named_fuzz_setup();
+	}
+
+	if (named_g_fuzz_type == isc_fuzz_resolver) {
+		dns_resolver_setfuzzing();
+	} else if (named_g_fuzz_type == isc_fuzz_http) {
+		isc_httpd_setfinishhook(named_fuzz_notify);
+	}
+#endif /* ifdef ENABLE_AFL */
+	/*
+	 * Warn about common configuration error.
+	 */
+	if (named_g_chrootdir != NULL) {
+		int len = strlen(named_g_chrootdir);
+		if (strncmp(named_g_chrootdir, named_g_conffile, len) == 0 &&
+		    (named_g_conffile[len] == '/' ||
+		     named_g_conffile[len] == '\\'))
+		{
+			named_main_earlywarning("config filename (-c %s) "
+						"contains chroot path (-t %s)",
+						named_g_conffile,
+						named_g_chrootdir);
+		}
+	}
+
+	isc_mem_create(&named_g_mctx);
+	isc_mem_setname(named_g_mctx, "main", NULL);
+
+	setup();
+	INSIST(named_g_server != NULL);
+
+	/*
+	 * Start things running and then wait for a shutdown request
+	 * or reload.
+	 */
+	do {
+		result = isc_app_run();
+
+		if (result == ISC_R_RELOAD) {
+			named_server_reloadwanted(named_g_server);
+		} else if (result != ISC_R_SUCCESS) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "isc_app_run(): %s",
+					 isc_result_totext(result));
+			/*
+			 * Force exit.
+			 */
+			result = ISC_R_SUCCESS;
+		}
+	} while (result != ISC_R_SUCCESS);
+
+#ifdef HAVE_LIBSCF
+	if (named_smf_want_disable == 1) {
+		result = named_smf_get_instance(&instance, 1, named_g_mctx);
+		if (result == ISC_R_SUCCESS && instance != NULL) {
+			if (smf_disable_instance(instance, 0) != 0) {
+				UNEXPECTED_ERROR(__FILE__, __LINE__,
+						 "smf_disable_instance() "
+						 "failed for %s : %s",
+						 instance,
+						 scf_strerror(scf_error()));
+			}
+		}
+		if (instance != NULL) {
+			isc_mem_free(named_g_mctx, instance);
+		}
+	}
+#endif /* HAVE_LIBSCF */
+
+	cleanup();
+
+	if (want_stats) {
+		isc_mem_stats(named_g_mctx, stdout);
+		isc_mutex_stats(stdout);
+	}
+
+	if (named_g_memstatistics && memstats != NULL) {
+		FILE *fp = NULL;
+		result = isc_stdio_open(memstats, "w", &fp);
+		if (result == ISC_R_SUCCESS) {
+			isc_mem_stats(named_g_mctx, fp);
+			isc_mutex_stats(fp);
+			(void)isc_stdio_close(fp);
+		}
+	}
+	isc_mem_destroy(&named_g_mctx);
+	isc_mem_checkdestroyed(stderr);
+
+	named_main_setmemstats(NULL);
+
+	isc_app_finish();
+
+	named_os_closedevnull();
+
+	named_os_shutdown();
+
+#ifdef HAVE_LIBXML2
+	xmlCleanupParser();
+#endif /* HAVE_LIBXML2 */
+
+#ifdef HAVE_GPERFTOOLS_PROFILER
+	ProfilerStop();
+#endif /* ifdef HAVE_GPERFTOOLS_PROFILER */
+
+	return (0);
+}
diff --git a/bin/named/named.conf.rst b/bin/named/named.conf.rst
new file mode 100644
index 0000000..4c9f9a7
--- /dev/null
+++ b/bin/named/named.conf.rst
@@ -0,0 +1,1082 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. highlight: console
+
+named.conf - configuration file for **named**
+---------------------------------------------
+
+Synopsis
+~~~~~~~~
+
+:program:`named.conf`
+
+Description
+~~~~~~~~~~~
+
+``named.conf`` is the configuration file for ``named``. Statements are
+enclosed in braces and terminated with a semi-colon. Clauses in the
+statements are also semi-colon terminated.  The usual comment styles are
+supported:
+
+C style: /\* \*/
+
+ C++ style: // to end of line
+
+Unix style: # to end of line
+
+ACL
+^^^
+
+::
+
+  acl string { address_match_element; ... };
+
+CONTROLS
+^^^^^^^^
+
+::
+
+  controls {
+  	inet ( ipv4_address | ipv6_address |
+  	    * ) [ port ( integer | * ) ] allow
+  	    { address_match_element; ... } [
+  	    keys { string; ... } ] [ read-only
+  	    boolean ];
+  	unix quoted_string perm integer
+  	    owner integer group integer [
+  	    keys { string; ... } ] [ read-only
+  	    boolean ];
+  };
+
+DLZ
+^^^
+
+::
+
+  dlz string {
+  	database string;
+  	search boolean;
+  };
+
+DNSSEC-POLICY
+^^^^^^^^^^^^^
+
+::
+
+  dnssec-policy string {
+  	dnskey-ttl duration;
+  	keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime
+  	    duration_or_unlimited algorithm string [ integer ]; ... };
+  	max-zone-ttl duration;
+  	nsec3param [ iterations integer ] [ optout boolean ] [
+  	    salt-length integer ];
+  	parent-ds-ttl duration;
+  	parent-propagation-delay duration;
+  	publish-safety duration;
+  	purge-keys duration;
+  	retire-safety duration;
+  	signatures-refresh duration;
+  	signatures-validity duration;
+  	signatures-validity-dnskey duration;
+  	zone-propagation-delay duration;
+  };
+
+DYNDB
+^^^^^
+
+::
+
+  dyndb string quoted_string {
+      unspecified-text };
+
+KEY
+^^^
+
+::
+
+  key string {
+  	algorithm string;
+  	secret string;
+  };
+
+LOGGING
+^^^^^^^
+
+::
+
+  logging {
+  	category string { string; ... };
+  	channel string {
+  		buffered boolean;
+  		file quoted_string [ versions ( unlimited | integer ) ]
+  		    [ size size ] [ suffix ( increment | timestamp ) ];
+  		null;
+  		print-category boolean;
+  		print-severity boolean;
+  		print-time ( iso8601 | iso8601-utc | local | boolean );
+  		severity log_severity;
+  		stderr;
+  		syslog [ syslog_facility ];
+  	};
+  };
+
+MANAGED-KEYS
+^^^^^^^^^^^^
+
+See DNSSEC-KEYS.
+
+::
+
+  managed-keys { string ( static-key
+      | initial-key | static-ds |
+      initial-ds ) integer integer
+      integer quoted_string; ... };, deprecated
+
+MASTERS
+^^^^^^^
+
+::
+
+  masters string [ port integer ] [ dscp
+      integer ] { ( remote-servers |
+      ipv4_address [ port integer ] |
+      ipv6_address [ port integer ] ) [ key
+      string ]; ... };
+
+OPTIONS
+^^^^^^^
+
+::
+
+  options {
+  	allow-new-zones boolean;
+  	allow-notify { address_match_element; ... };
+  	allow-query { address_match_element; ... };
+  	allow-query-cache { address_match_element; ... };
+  	allow-query-cache-on { address_match_element; ... };
+  	allow-query-on { address_match_element; ... };
+  	allow-recursion { address_match_element; ... };
+  	allow-recursion-on { address_match_element; ... };
+  	allow-transfer { address_match_element; ... };
+  	allow-update { address_match_element; ... };
+  	allow-update-forwarding { address_match_element; ... };
+  	also-notify [ port integer ] [ dscp integer ] { (
+  	    remote-servers | ipv4_address [ port integer ] |
+  	    ipv6_address [ port integer ] ) [ key string ]; ... };
+  	alt-transfer-source ( ipv4_address | * ) [ port ( integer | * )
+  	    ] [ dscp integer ];
+  	alt-transfer-source-v6 ( ipv6_address | * ) [ port ( integer |
+  	    * ) ] [ dscp integer ];
+  	answer-cookie boolean;
+  	attach-cache string;
+  	auth-nxdomain boolean; // default changed
+  	auto-dnssec ( allow | maintain | off );// deprecated
+  	automatic-interface-scan boolean;
+  	avoid-v4-udp-ports { portrange; ... };
+  	avoid-v6-udp-ports { portrange; ... };
+  	bindkeys-file quoted_string;
+  	blackhole { address_match_element; ... };
+  	cache-file quoted_string;// deprecated
+  	catalog-zones { zone string [ default-masters [ port integer ]
+  	    [ dscp integer ] { ( remote-servers | ipv4_address [ port
+  	    integer ] | ipv6_address [ port integer ] ) [ key
+  	    string ]; ... } ] [ zone-directory quoted_string ] [
+  	    in-memory boolean ] [ min-update-interval duration ]; ... };
+  	check-dup-records ( fail | warn | ignore );
+  	check-integrity boolean;
+  	check-mx ( fail | warn | ignore );
+  	check-mx-cname ( fail | warn | ignore );
+  	check-names ( primary | master |
+  	    secondary | slave | response ) (
+  	    fail | warn | ignore );
+  	check-sibling boolean;
+  	check-spf ( warn | ignore );
+  	check-srv-cname ( fail | warn | ignore );
+  	check-wildcard boolean;
+  	clients-per-query integer;
+  	cookie-algorithm ( aes | siphash24 );
+  	cookie-secret string;
+  	coresize ( default | unlimited | sizeval );
+  	datasize ( default | unlimited | sizeval );
+  	deny-answer-addresses { address_match_element; ... } [
+  	    except-from { string; ... } ];
+  	deny-answer-aliases { string; ... } [ except-from { string; ...
+  	    } ];
+  	dialup ( notify | notify-passive | passive | refresh | boolean );
+  	directory quoted_string;
+  	disable-algorithms string { string;
+  	    ... };
+  	disable-ds-digests string { string;
+  	    ... };
+  	disable-empty-zone string;
+  	dns64 netprefix {
+  		break-dnssec boolean;
+  		clients { address_match_element; ... };
+  		exclude { address_match_element; ... };
+  		mapped { address_match_element; ... };
+  		recursive-only boolean;
+  		suffix ipv6_address;
+  	};
+  	dns64-contact string;
+  	dns64-server string;
+  	dnskey-sig-validity integer;
+  	dnsrps-enable boolean;
+  	dnsrps-options { unspecified-text };
+  	dnssec-accept-expired boolean;
+  	dnssec-dnskey-kskonly boolean;
+  	dnssec-loadkeys-interval integer;
+  	dnssec-must-be-secure string boolean;
+  	dnssec-policy string;
+  	dnssec-secure-to-insecure boolean;
+  	dnssec-update-mode ( maintain | no-resign );
+  	dnssec-validation ( yes | no | auto );
+  	dnstap { ( all | auth | client | forwarder | resolver | update ) [
+  	    ( query | response ) ]; ... };
+  	dnstap-identity ( quoted_string | none | hostname );
+  	dnstap-output ( file | unix ) quoted_string [ size ( unlimited |
+  	    size ) ] [ versions ( unlimited | integer ) ] [ suffix (
+  	    increment | timestamp ) ];
+  	dnstap-version ( quoted_string | none );
+  	dscp integer;
+  	dual-stack-servers [ port integer ] { ( quoted_string [ port
+  	    integer ] [ dscp integer ] | ipv4_address [ port
+  	    integer ] [ dscp integer ] | ipv6_address [ port
+  	    integer ] [ dscp integer ] ); ... };
+  	dump-file quoted_string;
+  	edns-udp-size integer;
+  	empty-contact string;
+  	empty-server string;
+  	empty-zones-enable boolean;
+  	fetch-quota-params integer fixedpoint fixedpoint fixedpoint;
+  	fetches-per-server integer [ ( drop | fail ) ];
+  	fetches-per-zone integer [ ( drop | fail ) ];
+  	files ( default | unlimited | sizeval );
+  	flush-zones-on-shutdown boolean;
+  	forward ( first | only );
+  	forwarders [ port integer ] [ dscp integer ] { ( ipv4_address
+  	    | ipv6_address ) [ port integer ] [ dscp integer ]; ... };
+  	fstrm-set-buffer-hint integer;
+  	fstrm-set-flush-timeout integer;
+  	fstrm-set-input-queue-size integer;
+  	fstrm-set-output-notify-threshold integer;
+  	fstrm-set-output-queue-model ( mpsc | spsc );
+  	fstrm-set-output-queue-size integer;
+  	fstrm-set-reopen-interval duration;
+  	geoip-directory ( quoted_string | none );
+  	glue-cache boolean;
+  	heartbeat-interval integer;
+  	hostname ( quoted_string | none );
+  	interface-interval duration;
+  	ixfr-from-differences ( primary | master | secondary | slave |
+  	    boolean );
+  	keep-response-order { address_match_element; ... };
+  	key-directory quoted_string;
+  	lame-ttl duration;
+  	listen-on [ port integer ] [ dscp
+  	    integer ] {
+  	    address_match_element; ... };
+  	listen-on-v6 [ port integer ] [ dscp
+  	    integer ] {
+  	    address_match_element; ... };
+  	lmdb-mapsize sizeval;
+  	lock-file ( quoted_string | none );
+  	managed-keys-directory quoted_string;
+  	masterfile-format ( map | raw | text );
+  	masterfile-style ( full | relative );
+  	match-mapped-addresses boolean;
+  	max-cache-size ( default | unlimited | sizeval | percentage );
+  	max-cache-ttl duration;
+  	max-clients-per-query integer;
+  	max-ixfr-ratio ( unlimited | percentage );
+  	max-journal-size ( default | unlimited | sizeval );
+  	max-ncache-ttl duration;
+  	max-records integer;
+  	max-recursion-depth integer;
+  	max-recursion-queries integer;
+  	max-refresh-time integer;
+  	max-retry-time integer;
+  	max-rsa-exponent-size integer;
+  	max-stale-ttl duration;
+  	max-transfer-idle-in integer;
+  	max-transfer-idle-out integer;
+  	max-transfer-time-in integer;
+  	max-transfer-time-out integer;
+  	max-udp-size integer;
+  	max-zone-ttl ( unlimited | duration );
+  	memstatistics boolean;
+  	memstatistics-file quoted_string;
+  	message-compression boolean;
+  	min-cache-ttl duration;
+  	min-ncache-ttl duration;
+  	min-refresh-time integer;
+  	min-retry-time integer;
+  	minimal-any boolean;
+  	minimal-responses ( no-auth | no-auth-recursive | boolean );
+  	multi-master boolean;
+  	new-zones-directory quoted_string;
+  	no-case-compress { address_match_element; ... };
+  	nocookie-udp-size integer;
+  	notify ( explicit | master-only | primary-only | boolean );
+  	notify-delay integer;
+  	notify-rate integer;
+  	notify-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+  	    dscp integer ];
+  	notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]
+  	    [ dscp integer ];
+  	notify-to-soa boolean;
+  	nta-lifetime duration;
+  	nta-recheck duration;
+  	nxdomain-redirect string;
+  	parental-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+  	    dscp integer ];
+  	parental-source-v6 ( ipv6_address | * ) [ port ( integer | * )
+  	    ] [ dscp integer ];
+  	pid-file ( quoted_string | none );
+  	port integer;
+  	preferred-glue string;
+  	prefetch integer [ integer ];
+  	provide-ixfr boolean;
+  	qname-minimization ( strict | relaxed | disabled | off );
+  	query-source ( ( [ address ] ( ipv4_address | * ) [ port (
+  	    integer | * ) ] ) | ( [ [ address ] ( ipv4_address | * ) ]
+  	    port ( integer | * ) ) ) [ dscp integer ];
+  	query-source-v6 ( ( [ address ] ( ipv6_address | * ) [ port (
+  	    integer | * ) ] ) | ( [ [ address ] ( ipv6_address | * ) ]
+  	    port ( integer | * ) ) ) [ dscp integer ];
+  	querylog boolean;
+  	random-device ( quoted_string | none );
+  	rate-limit {
+  		all-per-second integer;
+  		errors-per-second integer;
+  		exempt-clients { address_match_element; ... };
+  		ipv4-prefix-length integer;
+  		ipv6-prefix-length integer;
+  		log-only boolean;
+  		max-table-size integer;
+  		min-table-size integer;
+  		nodata-per-second integer;
+  		nxdomains-per-second integer;
+  		qps-scale integer;
+  		referrals-per-second integer;
+  		responses-per-second integer;
+  		slip integer;
+  		window integer;
+  	};
+  	recursing-file quoted_string;
+  	recursion boolean;
+  	recursive-clients integer;
+  	request-expire boolean;
+  	request-ixfr boolean;
+  	request-nsid boolean;
+  	require-server-cookie boolean;
+  	reserved-sockets integer;
+  	resolver-nonbackoff-tries integer;
+  	resolver-query-timeout integer;
+  	resolver-retry-interval integer;
+  	response-padding { address_match_element; ... } block-size
+  	    integer;
+  	response-policy { zone string [ add-soa boolean ] [ log
+  	    boolean ] [ max-policy-ttl duration ] [ min-update-interval
+  	    duration ] [ policy ( cname | disabled | drop | given | no-op
+  	    | nodata | nxdomain | passthru | tcp-only quoted_string ) ] [
+  	    recursive-only boolean ] [ nsip-enable boolean ] [
+  	    nsdname-enable boolean ]; ... } [ add-soa boolean ] [
+  	    break-dnssec boolean ] [ max-policy-ttl duration ] [
+  	    min-update-interval duration ] [ min-ns-dots integer ] [
+  	    nsip-wait-recurse boolean ] [ qname-wait-recurse boolean ]
+  	    [ recursive-only boolean ] [ nsip-enable boolean ] [
+  	    nsdname-enable boolean ] [ dnsrps-enable boolean ] [
+  	    dnsrps-options { unspecified-text } ];
+  	reuseport boolean;
+  	root-delegation-only [ exclude { string; ... } ];
+  	root-key-sentinel boolean;
+  	rrset-order { [ class string ] [ type string ] [ name
+  	    quoted_string ] string string; ... };
+  	secroots-file quoted_string;
+  	send-cookie boolean;
+  	serial-query-rate integer;
+  	serial-update-method ( date | increment | unixtime );
+  	server-id ( quoted_string | none | hostname );
+  	servfail-ttl duration;
+  	session-keyalg string;
+  	session-keyfile ( quoted_string | none );
+  	session-keyname string;
+  	sig-signing-nodes integer;
+  	sig-signing-signatures integer;
+  	sig-signing-type integer;
+  	sig-validity-interval integer [ integer ];
+  	sortlist { address_match_element; ... };
+  	stacksize ( default | unlimited | sizeval );
+  	stale-answer-client-timeout ( disabled | off | integer );
+  	stale-answer-enable boolean;
+  	stale-answer-ttl duration;
+  	stale-cache-enable boolean;
+  	stale-refresh-time duration;
+  	startup-notify-rate integer;
+  	statistics-file quoted_string;
+  	synth-from-dnssec boolean;
+  	tcp-advertised-timeout integer;
+  	tcp-clients integer;
+  	tcp-idle-timeout integer;
+  	tcp-initial-timeout integer;
+  	tcp-keepalive-timeout integer;
+  	tcp-listen-queue integer;
+  	tkey-dhkey quoted_string integer;
+  	tkey-domain quoted_string;
+  	tkey-gssapi-credential quoted_string;
+  	tkey-gssapi-keytab quoted_string;
+  	transfer-format ( many-answers | one-answer );
+  	transfer-message-size integer;
+  	transfer-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+  	    dscp integer ];
+  	transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * )
+  	    ] [ dscp integer ];
+  	transfers-in integer;
+  	transfers-out integer;
+  	transfers-per-ns integer;
+  	trust-anchor-telemetry boolean; // experimental
+  	try-tcp-refresh boolean;
+  	update-check-ksk boolean;
+  	update-quota integer;
+  	use-alt-transfer-source boolean;
+  	use-v4-udp-ports { portrange; ... };
+  	use-v6-udp-ports { portrange; ... };
+  	v6-bias integer;
+  	validate-except { string; ... };
+  	version ( quoted_string | none );
+  	zero-no-soa-ttl boolean;
+  	zero-no-soa-ttl-cache boolean;
+  	zone-statistics ( full | terse | none | boolean );
+  };
+
+PARENTAL-AGENTS
+^^^^^^^^^^^^^^^
+
+::
+
+  parental-agents string [ port integer ] [
+      dscp integer ] { ( remote-servers |
+      ipv4_address [ port integer ] |
+      ipv6_address [ port integer ] ) [ key
+      string ]; ... };
+
+PLUGIN
+^^^^^^
+
+::
+
+  plugin ( query ) string [ { unspecified-text
+      } ];
+
+PRIMARIES
+^^^^^^^^^
+
+::
+
+  primaries string [ port integer ] [ dscp
+      integer ] { ( remote-servers |
+      ipv4_address [ port integer ] |
+      ipv6_address [ port integer ] ) [ key
+      string ]; ... };
+
+SERVER
+^^^^^^
+
+::
+
+  server netprefix {
+  	bogus boolean;
+  	edns boolean;
+  	edns-udp-size integer;
+  	edns-version integer;
+  	keys server_key;
+  	max-udp-size integer;
+  	notify-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+  	    dscp integer ];
+  	notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]
+  	    [ dscp integer ];
+  	padding integer;
+  	provide-ixfr boolean;
+  	query-source ( ( [ address ] ( ipv4_address | * ) [ port (
+  	    integer | * ) ] ) | ( [ [ address ] ( ipv4_address | * ) ]
+  	    port ( integer | * ) ) ) [ dscp integer ];
+  	query-source-v6 ( ( [ address ] ( ipv6_address | * ) [ port (
+  	    integer | * ) ] ) | ( [ [ address ] ( ipv6_address | * ) ]
+  	    port ( integer | * ) ) ) [ dscp integer ];
+  	request-expire boolean;
+  	request-ixfr boolean;
+  	request-nsid boolean;
+  	send-cookie boolean;
+  	tcp-keepalive boolean;
+  	tcp-only boolean;
+  	transfer-format ( many-answers | one-answer );
+  	transfer-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+  	    dscp integer ];
+  	transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * )
+  	    ] [ dscp integer ];
+  	transfers integer;
+  };
+
+STATISTICS-CHANNELS
+^^^^^^^^^^^^^^^^^^^
+
+::
+
+  statistics-channels {
+  	inet ( ipv4_address | ipv6_address |
+  	    * ) [ port ( integer | * ) ] [
+  	    allow { address_match_element; ...
+  	    } ];
+  };
+
+TRUST-ANCHORS
+^^^^^^^^^^^^^
+
+::
+
+  trust-anchors { string ( static-key |
+      initial-key | static-ds | initial-ds )
+      integer integer integer
+      quoted_string; ... };
+
+TRUSTED-KEYS
+^^^^^^^^^^^^
+
+Deprecated - see DNSSEC-KEYS.
+
+::
+
+  trusted-keys { string integer
+      integer integer
+      quoted_string; ... };, deprecated
+
+VIEW
+^^^^
+
+::
+
+  view string [ class ] {
+  	allow-new-zones boolean;
+  	allow-notify { address_match_element; ... };
+  	allow-query { address_match_element; ... };
+  	allow-query-cache { address_match_element; ... };
+  	allow-query-cache-on { address_match_element; ... };
+  	allow-query-on { address_match_element; ... };
+  	allow-recursion { address_match_element; ... };
+  	allow-recursion-on { address_match_element; ... };
+  	allow-transfer { address_match_element; ... };
+  	allow-update { address_match_element; ... };
+  	allow-update-forwarding { address_match_element; ... };
+  	also-notify [ port integer ] [ dscp integer ] { (
+  	    remote-servers | ipv4_address [ port integer ] |
+  	    ipv6_address [ port integer ] ) [ key string ]; ... };
+  	alt-transfer-source ( ipv4_address | * ) [ port ( integer | * )
+  	    ] [ dscp integer ];
+  	alt-transfer-source-v6 ( ipv6_address | * ) [ port ( integer |
+  	    * ) ] [ dscp integer ];
+  	attach-cache string;
+  	auth-nxdomain boolean; // default changed
+  	auto-dnssec ( allow | maintain | off );// deprecated
+  	cache-file quoted_string;// deprecated
+  	catalog-zones { zone string [ default-masters [ port integer ]
+  	    [ dscp integer ] { ( remote-servers | ipv4_address [ port
+  	    integer ] | ipv6_address [ port integer ] ) [ key
+  	    string ]; ... } ] [ zone-directory quoted_string ] [
+  	    in-memory boolean ] [ min-update-interval duration ]; ... };
+  	check-dup-records ( fail | warn | ignore );
+  	check-integrity boolean;
+  	check-mx ( fail | warn | ignore );
+  	check-mx-cname ( fail | warn | ignore );
+  	check-names ( primary | master |
+  	    secondary | slave | response ) (
+  	    fail | warn | ignore );
+  	check-sibling boolean;
+  	check-spf ( warn | ignore );
+  	check-srv-cname ( fail | warn | ignore );
+  	check-wildcard boolean;
+  	clients-per-query integer;
+  	deny-answer-addresses { address_match_element; ... } [
+  	    except-from { string; ... } ];
+  	deny-answer-aliases { string; ... } [ except-from { string; ...
+  	    } ];
+  	dialup ( notify | notify-passive | passive | refresh | boolean );
+  	disable-algorithms string { string;
+  	    ... };
+  	disable-ds-digests string { string;
+  	    ... };
+  	disable-empty-zone string;
+  	dlz string {
+  		database string;
+  		search boolean;
+  	};
+  	dns64 netprefix {
+  		break-dnssec boolean;
+  		clients { address_match_element; ... };
+  		exclude { address_match_element; ... };
+  		mapped { address_match_element; ... };
+  		recursive-only boolean;
+  		suffix ipv6_address;
+  	};
+  	dns64-contact string;
+  	dns64-server string;
+  	dnskey-sig-validity integer;
+  	dnsrps-enable boolean;
+  	dnsrps-options { unspecified-text };
+  	dnssec-accept-expired boolean;
+  	dnssec-dnskey-kskonly boolean;
+  	dnssec-loadkeys-interval integer;
+  	dnssec-must-be-secure string boolean;
+  	dnssec-policy string;
+  	dnssec-secure-to-insecure boolean;
+  	dnssec-update-mode ( maintain | no-resign );
+  	dnssec-validation ( yes | no | auto );
+  	dnstap { ( all | auth | client | forwarder | resolver | update ) [
+  	    ( query | response ) ]; ... };
+  	dual-stack-servers [ port integer ] { ( quoted_string [ port
+  	    integer ] [ dscp integer ] | ipv4_address [ port
+  	    integer ] [ dscp integer ] | ipv6_address [ port
+  	    integer ] [ dscp integer ] ); ... };
+  	dyndb string quoted_string {
+  	    unspecified-text };
+  	edns-udp-size integer;
+  	empty-contact string;
+  	empty-server string;
+  	empty-zones-enable boolean;
+  	fetch-quota-params integer fixedpoint fixedpoint fixedpoint;
+  	fetches-per-server integer [ ( drop | fail ) ];
+  	fetches-per-zone integer [ ( drop | fail ) ];
+  	forward ( first | only );
+  	forwarders [ port integer ] [ dscp integer ] { ( ipv4_address
+  	    | ipv6_address ) [ port integer ] [ dscp integer ]; ... };
+  	glue-cache boolean;
+  	ixfr-from-differences ( primary | master | secondary | slave |
+  	    boolean );
+  	key string {
+  		algorithm string;
+  		secret string;
+  	};
+  	key-directory quoted_string;
+  	lame-ttl duration;
+  	lmdb-mapsize sizeval;
+  	managed-keys { string (
+  	    static-key | initial-key
+  	    | static-ds | initial-ds
+  	    ) integer integer
+  	    integer
+  	    quoted_string; ... };, deprecated
+  	masterfile-format ( map | raw | text );
+  	masterfile-style ( full | relative );
+  	match-clients { address_match_element; ... };
+  	match-destinations { address_match_element; ... };
+  	match-recursive-only boolean;
+  	max-cache-size ( default | unlimited | sizeval | percentage );
+  	max-cache-ttl duration;
+  	max-clients-per-query integer;
+  	max-ixfr-ratio ( unlimited | percentage );
+  	max-journal-size ( default | unlimited | sizeval );
+  	max-ncache-ttl duration;
+  	max-records integer;
+  	max-recursion-depth integer;
+  	max-recursion-queries integer;
+  	max-refresh-time integer;
+  	max-retry-time integer;
+  	max-stale-ttl duration;
+  	max-transfer-idle-in integer;
+  	max-transfer-idle-out integer;
+  	max-transfer-time-in integer;
+  	max-transfer-time-out integer;
+  	max-udp-size integer;
+  	max-zone-ttl ( unlimited | duration );
+  	message-compression boolean;
+  	min-cache-ttl duration;
+  	min-ncache-ttl duration;
+  	min-refresh-time integer;
+  	min-retry-time integer;
+  	minimal-any boolean;
+  	minimal-responses ( no-auth | no-auth-recursive | boolean );
+  	multi-master boolean;
+  	new-zones-directory quoted_string;
+  	no-case-compress { address_match_element; ... };
+  	nocookie-udp-size integer;
+  	notify ( explicit | master-only | primary-only | boolean );
+  	notify-delay integer;
+  	notify-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+  	    dscp integer ];
+  	notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]
+  	    [ dscp integer ];
+  	notify-to-soa boolean;
+  	nta-lifetime duration;
+  	nta-recheck duration;
+  	nxdomain-redirect string;
+  	parental-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+  	    dscp integer ];
+  	parental-source-v6 ( ipv6_address | * ) [ port ( integer | * )
+  	    ] [ dscp integer ];
+  	plugin ( query ) string [ {
+  	    unspecified-text } ];
+  	preferred-glue string;
+  	prefetch integer [ integer ];
+  	provide-ixfr boolean;
+  	qname-minimization ( strict | relaxed | disabled | off );
+  	query-source ( ( [ address ] ( ipv4_address | * ) [ port (
+  	    integer | * ) ] ) | ( [ [ address ] ( ipv4_address | * ) ]
+  	    port ( integer | * ) ) ) [ dscp integer ];
+  	query-source-v6 ( ( [ address ] ( ipv6_address | * ) [ port (
+  	    integer | * ) ] ) | ( [ [ address ] ( ipv6_address | * ) ]
+  	    port ( integer | * ) ) ) [ dscp integer ];
+  	rate-limit {
+  		all-per-second integer;
+  		errors-per-second integer;
+  		exempt-clients { address_match_element; ... };
+  		ipv4-prefix-length integer;
+  		ipv6-prefix-length integer;
+  		log-only boolean;
+  		max-table-size integer;
+  		min-table-size integer;
+  		nodata-per-second integer;
+  		nxdomains-per-second integer;
+  		qps-scale integer;
+  		referrals-per-second integer;
+  		responses-per-second integer;
+  		slip integer;
+  		window integer;
+  	};
+  	recursion boolean;
+  	request-expire boolean;
+  	request-ixfr boolean;
+  	request-nsid boolean;
+  	require-server-cookie boolean;
+  	resolver-nonbackoff-tries integer;
+  	resolver-query-timeout integer;
+  	resolver-retry-interval integer;
+  	response-padding { address_match_element; ... } block-size
+  	    integer;
+  	response-policy { zone string [ add-soa boolean ] [ log
+  	    boolean ] [ max-policy-ttl duration ] [ min-update-interval
+  	    duration ] [ policy ( cname | disabled | drop | given | no-op
+  	    | nodata | nxdomain | passthru | tcp-only quoted_string ) ] [
+  	    recursive-only boolean ] [ nsip-enable boolean ] [
+  	    nsdname-enable boolean ]; ... } [ add-soa boolean ] [
+  	    break-dnssec boolean ] [ max-policy-ttl duration ] [
+  	    min-update-interval duration ] [ min-ns-dots integer ] [
+  	    nsip-wait-recurse boolean ] [ qname-wait-recurse boolean ]
+  	    [ recursive-only boolean ] [ nsip-enable boolean ] [
+  	    nsdname-enable boolean ] [ dnsrps-enable boolean ] [
+  	    dnsrps-options { unspecified-text } ];
+  	root-delegation-only [ exclude { string; ... } ];
+  	root-key-sentinel boolean;
+  	rrset-order { [ class string ] [ type string ] [ name
+  	    quoted_string ] string string; ... };
+  	send-cookie boolean;
+  	serial-update-method ( date | increment | unixtime );
+  	server netprefix {
+  		bogus boolean;
+  		edns boolean;
+  		edns-udp-size integer;
+  		edns-version integer;
+  		keys server_key;
+  		max-udp-size integer;
+  		notify-source ( ipv4_address | * ) [ port ( integer | *
+  		    ) ] [ dscp integer ];
+  		notify-source-v6 ( ipv6_address | * ) [ port ( integer
+  		    | * ) ] [ dscp integer ];
+  		padding integer;
+  		provide-ixfr boolean;
+  		query-source ( ( [ address ] ( ipv4_address | * ) [ port
+  		    ( integer | * ) ] ) | ( [ [ address ] (
+  		    ipv4_address | * ) ] port ( integer | * ) ) ) [
+  		    dscp integer ];
+  		query-source-v6 ( ( [ address ] ( ipv6_address | * ) [
+  		    port ( integer | * ) ] ) | ( [ [ address ] (
+  		    ipv6_address | * ) ] port ( integer | * ) ) ) [
+  		    dscp integer ];
+  		request-expire boolean;
+  		request-ixfr boolean;
+  		request-nsid boolean;
+  		send-cookie boolean;
+  		tcp-keepalive boolean;
+  		tcp-only boolean;
+  		transfer-format ( many-answers | one-answer );
+  		transfer-source ( ipv4_address | * ) [ port ( integer |
+  		    * ) ] [ dscp integer ];
+  		transfer-source-v6 ( ipv6_address | * ) [ port (
+  		    integer | * ) ] [ dscp integer ];
+  		transfers integer;
+  	};
+  	servfail-ttl duration;
+  	sig-signing-nodes integer;
+  	sig-signing-signatures integer;
+  	sig-signing-type integer;
+  	sig-validity-interval integer [ integer ];
+  	sortlist { address_match_element; ... };
+  	stale-answer-client-timeout ( disabled | off | integer );
+  	stale-answer-enable boolean;
+  	stale-answer-ttl duration;
+  	stale-cache-enable boolean;
+  	stale-refresh-time duration;
+  	synth-from-dnssec boolean;
+  	transfer-format ( many-answers | one-answer );
+  	transfer-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+  	    dscp integer ];
+  	transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * )
+  	    ] [ dscp integer ];
+  	trust-anchor-telemetry boolean; // experimental
+  	trust-anchors { string ( static-key |
+  	    initial-key | static-ds | initial-ds
+  	    ) integer integer integer
+  	    quoted_string; ... };
+  	trusted-keys { string
+  	    integer integer
+  	    integer
+  	    quoted_string; ... };, deprecated
+  	try-tcp-refresh boolean;
+  	update-check-ksk boolean;
+  	use-alt-transfer-source boolean;
+  	v6-bias integer;
+  	validate-except { string; ... };
+  	zero-no-soa-ttl boolean;
+  	zero-no-soa-ttl-cache boolean;
+  	zone string [ class ] {
+  		allow-notify { address_match_element; ... };
+  		allow-query { address_match_element; ... };
+  		allow-query-on { address_match_element; ... };
+  		allow-transfer { address_match_element; ... };
+  		allow-update { address_match_element; ... };
+  		allow-update-forwarding { address_match_element; ... };
+  		also-notify [ port integer ] [ dscp integer ] { (
+  		    remote-servers | ipv4_address [ port integer ] |
+  		    ipv6_address [ port integer ] ) [ key string ];
+  		    ... };
+  		alt-transfer-source ( ipv4_address | * ) [ port (
+  		    integer | * ) ] [ dscp integer ];
+  		alt-transfer-source-v6 ( ipv6_address | * ) [ port (
+  		    integer | * ) ] [ dscp integer ];
+  		auto-dnssec ( allow | maintain | off );// deprecated
+  		check-dup-records ( fail | warn | ignore );
+  		check-integrity boolean;
+  		check-mx ( fail | warn | ignore );
+  		check-mx-cname ( fail | warn | ignore );
+  		check-names ( fail | warn | ignore );
+  		check-sibling boolean;
+  		check-spf ( warn | ignore );
+  		check-srv-cname ( fail | warn | ignore );
+  		check-wildcard boolean;
+  		database string;
+  		delegation-only boolean;
+  		dialup ( notify | notify-passive | passive | refresh |
+  		    boolean );
+  		dlz string;
+  		dnskey-sig-validity integer;
+  		dnssec-dnskey-kskonly boolean;
+  		dnssec-loadkeys-interval integer;
+  		dnssec-policy string;
+  		dnssec-secure-to-insecure boolean;
+  		dnssec-update-mode ( maintain | no-resign );
+  		file quoted_string;
+  		forward ( first | only );
+  		forwarders [ port integer ] [ dscp integer ] { (
+  		    ipv4_address | ipv6_address ) [ port integer ] [
+  		    dscp integer ]; ... };
+  		in-view string;
+  		inline-signing boolean;
+  		ixfr-from-differences boolean;
+  		journal quoted_string;
+  		key-directory quoted_string;
+  		masterfile-format ( map | raw | text );
+  		masterfile-style ( full | relative );
+  		masters [ port integer ] [ dscp integer ] { (
+  		    remote-servers | ipv4_address [ port integer ] |
+  		    ipv6_address [ port integer ] ) [ key string ];
+  		    ... };
+  		max-ixfr-ratio ( unlimited | percentage );
+  		max-journal-size ( default | unlimited | sizeval );
+  		max-records integer;
+  		max-refresh-time integer;
+  		max-retry-time integer;
+  		max-transfer-idle-in integer;
+  		max-transfer-idle-out integer;
+  		max-transfer-time-in integer;
+  		max-transfer-time-out integer;
+  		max-zone-ttl ( unlimited | duration );
+  		min-refresh-time integer;
+  		min-retry-time integer;
+  		multi-master boolean;
+  		notify ( explicit | master-only | primary-only | boolean );
+  		notify-delay integer;
+  		notify-source ( ipv4_address | * ) [ port ( integer | *
+  		    ) ] [ dscp integer ];
+  		notify-source-v6 ( ipv6_address | * ) [ port ( integer
+  		    | * ) ] [ dscp integer ];
+  		notify-to-soa boolean;
+  		parental-agents [ port integer ] [ dscp integer ] { (
+  		    remote-servers | ipv4_address [ port integer ] |
+  		    ipv6_address [ port integer ] ) [ key string ];
+  		    ... };
+  		parental-source ( ipv4_address | * ) [ port ( integer |
+  		    * ) ] [ dscp integer ];
+  		parental-source-v6 ( ipv6_address | * ) [ port (
+  		    integer | * ) ] [ dscp integer ];
+  		primaries [ port integer ] [ dscp integer ] { (
+  		    remote-servers | ipv4_address [ port integer ] |
+  		    ipv6_address [ port integer ] ) [ key string ];
+  		    ... };
+  		request-expire boolean;
+  		request-ixfr boolean;
+  		serial-update-method ( date | increment | unixtime );
+  		server-addresses { ( ipv4_address | ipv6_address ); ... };
+  		server-names { string; ... };
+  		sig-signing-nodes integer;
+  		sig-signing-signatures integer;
+  		sig-signing-type integer;
+  		sig-validity-interval integer [ integer ];
+  		transfer-source ( ipv4_address | * ) [ port ( integer |
+  		    * ) ] [ dscp integer ];
+  		transfer-source-v6 ( ipv6_address | * ) [ port (
+  		    integer | * ) ] [ dscp integer ];
+  		try-tcp-refresh boolean;
+  		type ( primary | master | secondary | slave | mirror |
+  		    delegation-only | forward | hint | redirect |
+  		    static-stub | stub );
+  		update-check-ksk boolean;
+  		update-policy ( local | { ( deny | grant ) string (
+  		    6to4-self | external | krb5-self | krb5-selfsub |
+  		    krb5-subdomain | ms-self | ms-selfsub | ms-subdomain |
+  		    name | self | selfsub | selfwild | subdomain | tcp-self
+  		    | wildcard | zonesub ) [ string ] rrtypelist; ... } );
+  		use-alt-transfer-source boolean;
+  		zero-no-soa-ttl boolean;
+  		zone-statistics ( full | terse | none | boolean );
+  	};
+  	zone-statistics ( full | terse | none | boolean );
+  };
+
+ZONE
+^^^^
+
+::
+
+  zone string [ class ] {
+  	allow-notify { address_match_element; ... };
+  	allow-query { address_match_element; ... };
+  	allow-query-on { address_match_element; ... };
+  	allow-transfer { address_match_element; ... };
+  	allow-update { address_match_element; ... };
+  	allow-update-forwarding { address_match_element; ... };
+  	also-notify [ port integer ] [ dscp integer ] { (
+  	    remote-servers | ipv4_address [ port integer ] |
+  	    ipv6_address [ port integer ] ) [ key string ]; ... };
+  	alt-transfer-source ( ipv4_address | * ) [ port ( integer | * )
+  	    ] [ dscp integer ];
+  	alt-transfer-source-v6 ( ipv6_address | * ) [ port ( integer |
+  	    * ) ] [ dscp integer ];
+  	auto-dnssec ( allow | maintain | off );// deprecated
+  	check-dup-records ( fail | warn | ignore );
+  	check-integrity boolean;
+  	check-mx ( fail | warn | ignore );
+  	check-mx-cname ( fail | warn | ignore );
+  	check-names ( fail | warn | ignore );
+  	check-sibling boolean;
+  	check-spf ( warn | ignore );
+  	check-srv-cname ( fail | warn | ignore );
+  	check-wildcard boolean;
+  	database string;
+  	delegation-only boolean;
+  	dialup ( notify | notify-passive | passive | refresh | boolean );
+  	dlz string;
+  	dnskey-sig-validity integer;
+  	dnssec-dnskey-kskonly boolean;
+  	dnssec-loadkeys-interval integer;
+  	dnssec-policy string;
+  	dnssec-secure-to-insecure boolean;
+  	dnssec-update-mode ( maintain | no-resign );
+  	file quoted_string;
+  	forward ( first | only );
+  	forwarders [ port integer ] [ dscp integer ] { ( ipv4_address
+  	    | ipv6_address ) [ port integer ] [ dscp integer ]; ... };
+  	in-view string;
+  	inline-signing boolean;
+  	ixfr-from-differences boolean;
+  	journal quoted_string;
+  	key-directory quoted_string;
+  	masterfile-format ( map | raw | text );
+  	masterfile-style ( full | relative );
+  	masters [ port integer ] [ dscp integer ] { ( remote-servers
+  	    | ipv4_address [ port integer ] | ipv6_address [ port
+  	    integer ] ) [ key string ]; ... };
+  	max-ixfr-ratio ( unlimited | percentage );
+  	max-journal-size ( default | unlimited | sizeval );
+  	max-records integer;
+  	max-refresh-time integer;
+  	max-retry-time integer;
+  	max-transfer-idle-in integer;
+  	max-transfer-idle-out integer;
+  	max-transfer-time-in integer;
+  	max-transfer-time-out integer;
+  	max-zone-ttl ( unlimited | duration );
+  	min-refresh-time integer;
+  	min-retry-time integer;
+  	multi-master boolean;
+  	notify ( explicit | master-only | primary-only | boolean );
+  	notify-delay integer;
+  	notify-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+  	    dscp integer ];
+  	notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]
+  	    [ dscp integer ];
+  	notify-to-soa boolean;
+  	parental-agents [ port integer ] [ dscp integer ] { (
+  	    remote-servers | ipv4_address [ port integer ] |
+  	    ipv6_address [ port integer ] ) [ key string ]; ... };
+  	parental-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+  	    dscp integer ];
+  	parental-source-v6 ( ipv6_address | * ) [ port ( integer | * )
+  	    ] [ dscp integer ];
+  	primaries [ port integer ] [ dscp integer ] { (
+  	    remote-servers | ipv4_address [ port integer ] |
+  	    ipv6_address [ port integer ] ) [ key string ]; ... };
+  	request-expire boolean;
+  	request-ixfr boolean;
+  	serial-update-method ( date | increment | unixtime );
+  	server-addresses { ( ipv4_address | ipv6_address ); ... };
+  	server-names { string; ... };
+  	sig-signing-nodes integer;
+  	sig-signing-signatures integer;
+  	sig-signing-type integer;
+  	sig-validity-interval integer [ integer ];
+  	transfer-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+  	    dscp integer ];
+  	transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * )
+  	    ] [ dscp integer ];
+  	try-tcp-refresh boolean;
+  	type ( primary | master | secondary | slave | mirror |
+  	    delegation-only | forward | hint | redirect | static-stub |
+  	    stub );
+  	update-check-ksk boolean;
+  	update-policy ( local | { ( deny | grant ) string ( 6to4-self |
+  	    external | krb5-self | krb5-selfsub | krb5-subdomain | ms-self
+  	    | ms-selfsub | ms-subdomain | name | self | selfsub | selfwild
+  	    | subdomain | tcp-self | wildcard | zonesub ) [ string ]
+  	    rrtypelist; ... } );
+  	use-alt-transfer-source boolean;
+  	zero-no-soa-ttl boolean;
+  	zone-statistics ( full | terse | none | boolean );
+  };
+
+Files
+~~~~~
+
+``/etc/named.conf``
+
+See Also
+~~~~~~~~
+
+:manpage:`ddns-confgen(8)`, :manpage:`named(8)`, :manpage:`named-checkconf(8)`, :manpage:`rndc(8)`, :manpage:`rndc-confgen(8)`, BIND 9 Administrator Reference Manual.
+
diff --git a/bin/named/named.rst b/bin/named/named.rst
new file mode 100644
index 0000000..449761c
--- /dev/null
+++ b/bin/named/named.rst
@@ -0,0 +1,248 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. highlight: console
+
+.. _man_named:
+
+named - Internet domain name server
+-----------------------------------
+
+Synopsis
+~~~~~~~~
+
+:program:`named` [ [**-4**] | [**-6**] ] [**-c** config-file] [**-C**] [**-d** debug-level] [**-D** string] [**-E** engine-name] [**-f**] [**-g**] [**-L** logfile] [**-M** option] [**-m** flag] [**-n** #cpus] [**-p** port] [**-s**] [**-S** #max-socks] [**-t** directory] [**-U** #listeners] [**-u** user] [**-v**] [**-V**] [**-X** lock-file] [**-x** cache-file]
+
+Description
+~~~~~~~~~~~
+
+``named`` is a Domain Name System (DNS) server, part of the BIND 9
+distribution from ISC. For more information on the DNS, see :rfc:`1033`,
+:rfc:`1034`, and :rfc:`1035`.
+
+When invoked without arguments, ``named`` reads the default
+configuration file ``/etc/named.conf``, reads any initial data, and
+listens for queries.
+
+Options
+~~~~~~~
+
+``-4``
+   This option tells ``named`` to use only IPv4, even if the host machine is capable of IPv6. ``-4`` and
+   ``-6`` are mutually exclusive.
+
+``-6``
+   This option tells ``named`` to use only IPv6, even if the host machine is capable of IPv4. ``-4`` and
+   ``-6`` are mutually exclusive.
+
+``-c config-file``
+   This option tells ``named`` to use ``config-file`` as its configuration file instead of the default,
+   ``/etc/named.conf``. To ensure that the configuration file
+   can be reloaded after the server has changed its working directory
+   due to to a possible ``directory`` option in the configuration file,
+   ``config-file`` should be an absolute pathname.
+
+``-C``
+
+   This option prints out the default built-in configuration and exits.
+
+   NOTE: This is for debugging purposes only and is not an
+   accurate representation of the actual configuration used by :iscman:`named`
+   at runtime.
+
+``-d debug-level``
+   This option sets the daemon's debug level to ``debug-level``. Debugging traces from
+   ``named`` become more verbose as the debug level increases.
+
+``-D string``
+   This option specifies a string that is used to identify a instance of ``named``
+   in a process listing. The contents of ``string`` are not examined.
+
+``-E engine-name``
+   When applicable, this option specifies the hardware to use for cryptographic
+   operations, such as a secure key store used for signing.
+
+   When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+   engine identifier that drives the cryptographic accelerator or
+   hardware service module (usually ``pkcs11``). When BIND is
+   built with native PKCS#11 cryptography (``--enable-native-pkcs11``), it
+   defaults to the path of the PKCS#11 provider library specified via
+   ``--with-pkcs11``.
+
+``-f``
+   This option runs the server in the foreground (i.e., do not daemonize).
+
+``-g``
+   This option runs the server in the foreground and forces all logging to ``stderr``.
+
+``-L logfile``
+   This option sets the log to the file ``logfile`` by default, instead of the system log.
+
+``-M option``
+
+   This option sets the default (comma-separated) memory context
+   options. The possible flags are:
+
+   - ``external``: use system-provided memory allocation functions; this
+     is the implicit default.
+
+   - ``internal``: use the internal memory manager.
+
+   - ``fill``: fill blocks of memory with tag values when they are
+     allocated or freed, to assist debugging of memory problems; this is
+     the implicit default if ``named`` has been compiled with
+     ``--enable-developer``.
+
+   - ``nofill``: disable the behavior enabled by ``fill``; this is the
+     implicit default unless ``named`` has been compiled with
+     ``--enable-developer``.
+
+``-m flag``
+   This option turns on memory usage debugging flags. Possible flags are ``usage``,
+   ``trace``, ``record``, ``size``, and ``mctx``. These correspond to the
+   ``ISC_MEM_DEBUGXXXX`` flags described in ``<isc/mem.h>``.
+
+``-n #cpus``
+   This option controls the number of CPUs that ``named`` assumes the
+   presence of. If not specified, ``named`` tries to determine the
+   number of CPUs present automatically; if it fails, a single CPU is
+   assumed to be present.
+
+   ``named`` creates two threads per each CPU present (one thread for
+   receiving and sending client traffic and another thread for sending
+   and receiving resolver traffic) and then on top of that a single
+   thread for handling time-based events.
+
+``-p port``
+   This option listens for queries on ``port``. If not specified, the default is
+   port 53.
+
+``-s``
+   This option writes memory usage statistics to ``stdout`` on exit.
+
+.. note::
+
+      This option is mainly of interest to BIND 9 developers and may be
+      removed or changed in a future release.
+
+``-S #max-socks``
+   This option allows ``named`` to use up to ``#max-socks`` sockets. The default value is
+   21000 on systems built with default configuration options, and 4096
+   on systems built with ``configure --with-tuning=small``.
+
+.. warning::
+
+      This option should be unnecessary for the vast majority of users.
+      The use of this option could even be harmful, because the specified
+      value may exceed the limitation of the underlying system API. It
+      is therefore set only when the default configuration causes
+      exhaustion of file descriptors and the operational environment is
+      known to support the specified number of sockets. Note also that
+      the actual maximum number is normally slightly fewer than the
+      specified value, because ``named`` reserves some file descriptors
+      for its internal use.
+
+``-t directory``
+   This option tells ``named`` to chroot to ``directory`` after processing the command-line arguments, but
+   before reading the configuration file.
+
+.. warning::
+
+      This option should be used in conjunction with the ``-u`` option,
+      as chrooting a process running as root doesn't enhance security on
+      most systems; the way ``chroot`` is defined allows a process
+      with root privileges to escape a chroot jail.
+
+``-U #listeners``
+   This option tells ``named`` the number of ``#listeners`` worker threads to listen on, for incoming UDP packets on
+   each address. If not specified, ``named`` calculates a default
+   value based on the number of detected CPUs: 1 for 1 CPU, and the
+   number of detected CPUs minus one for machines with more than 1 CPU.
+   This cannot be increased to a value higher than the number of CPUs.
+   If ``-n`` has been set to a higher value than the number of detected
+   CPUs, then ``-U`` may be increased as high as that value, but no
+   higher. On Windows, the number of UDP listeners is hardwired to 1 and
+   this option has no effect.
+
+``-u user``
+   This option sets the setuid to ``user`` after completing privileged operations, such as
+   creating sockets that listen on privileged ports.
+
+.. note::
+
+      On Linux, ``named`` uses the kernel's capability mechanism to drop
+      all root privileges except the ability to ``bind`` to a
+      privileged port and set process resource limits. Unfortunately,
+      this means that the ``-u`` option only works when ``named`` is run
+      on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or later, since
+      previous kernels did not allow privileges to be retained after
+      ``setuid``.
+
+``-v``
+   This option reports the version number and exits.
+
+``-V``
+   This option reports the version number, build options, supported
+   cryptographics algorithms, and exits.
+
+``-X lock-file``
+   This option acquires a lock on the specified file at runtime; this helps to
+   prevent duplicate ``named`` instances from running simultaneously.
+   Use of this option overrides the ``lock-file`` option in
+   ``named.conf``. If set to ``none``, the lock file check is disabled.
+
+``-x cache-file``
+   This option loads data from ``cache-file`` into the cache of the default view.
+
+.. warning::
+
+      This option must not be used in normal operations. It is only of interest to BIND 9
+      developers and may be removed or changed in a future release.
+
+Signals
+~~~~~~~
+
+In routine operation, signals should not be used to control the
+nameserver; ``rndc`` should be used instead.
+
+SIGHUP
+   This signal forces a reload of the server.
+
+SIGINT, SIGTERM
+   These signals shut down the server.
+
+The result of sending any other signals to the server is undefined.
+
+Configuration
+~~~~~~~~~~~~~
+
+The ``named`` configuration file is too complex to describe in detail
+here. A complete description is provided in the BIND 9 Administrator
+Reference Manual.
+
+``named`` inherits the ``umask`` (file creation mode mask) from the
+parent process. If files created by ``named``, such as journal files,
+need to have custom permissions, the ``umask`` should be set explicitly
+in the script used to start the ``named`` process.
+
+Files
+~~~~~
+
+``/etc/named.conf``
+   The default configuration file.
+
+``/var/run/named/named.pid``
+   The default process-id file.
+
+See Also
+~~~~~~~~
+
+:rfc:`1033`, :rfc:`1034`, :rfc:`1035`, :manpage:`named-checkconf(8)`, :manpage:`named-checkzone(8)`, :manpage:`rndc(8)`, :manpage:`named.conf(5)`, BIND 9 Administrator Reference Manual.
diff --git a/bin/named/server.c b/bin/named/server.c
new file mode 100644
index 0000000..7306e0a
--- /dev/null
+++ b/bin/named/server.c
@@ -0,0 +1,16272 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <ctype.h>
+#include <inttypes.h>
+#include <limits.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#ifdef HAVE_DNSTAP
+#include <fstrm.h>
+#endif
+
+#include <isc/aes.h>
+#include <isc/app.h>
+#include <isc/base64.h>
+#include <isc/commandline.h>
+#include <isc/dir.h>
+#include <isc/file.h>
+#include <isc/hash.h>
+#include <isc/hex.h>
+#include <isc/hmac.h>
+#include <isc/httpd.h>
+#include <isc/lex.h>
+#include <isc/meminfo.h>
+#include <isc/netmgr.h>
+#include <isc/nonce.h>
+#include <isc/parseint.h>
+#include <isc/platform.h>
+#include <isc/portset.h>
+#include <isc/print.h>
+#include <isc/refcount.h>
+#include <isc/resource.h>
+#include <isc/siphash.h>
+#include <isc/socket.h>
+#include <isc/stat.h>
+#include <isc/stats.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/adb.h>
+#include <dns/badcache.h>
+#include <dns/cache.h>
+#include <dns/catz.h>
+#include <dns/db.h>
+#include <dns/dispatch.h>
+#include <dns/dlz.h>
+#include <dns/dns64.h>
+#include <dns/dnsrps.h>
+#include <dns/dnssec.h>
+#include <dns/dyndb.h>
+#include <dns/events.h>
+#include <dns/fixedname.h>
+#include <dns/forward.h>
+#include <dns/geoip.h>
+#include <dns/journal.h>
+#include <dns/kasp.h>
+#include <dns/keymgr.h>
+#include <dns/keytable.h>
+#include <dns/keyvalues.h>
+#include <dns/lib.h>
+#include <dns/master.h>
+#include <dns/masterdump.h>
+#include <dns/nsec3.h>
+#include <dns/nta.h>
+#include <dns/order.h>
+#include <dns/peer.h>
+#include <dns/portlist.h>
+#include <dns/private.h>
+#include <dns/rbt.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/resolver.h>
+#include <dns/rootns.h>
+#include <dns/rriterator.h>
+#include <dns/secalg.h>
+#include <dns/soa.h>
+#include <dns/stats.h>
+#include <dns/time.h>
+#include <dns/tkey.h>
+#include <dns/tsig.h>
+#include <dns/ttl.h>
+#include <dns/view.h>
+#include <dns/zone.h>
+#include <dns/zt.h>
+
+#include <dst/dst.h>
+#include <dst/result.h>
+
+#include <isccfg/grammar.h>
+#include <isccfg/kaspconf.h>
+#include <isccfg/namedconf.h>
+
+#include <ns/client.h>
+#include <ns/hooks.h>
+#include <ns/interfacemgr.h>
+#include <ns/listenlist.h>
+
+#include <bind9/check.h>
+
+#include <named/config.h>
+#include <named/control.h>
+#if defined(HAVE_GEOIP2)
+#include <named/geoip.h>
+#endif /* HAVE_GEOIP2 */
+#include <named/log.h>
+#include <named/logconf.h>
+#include <named/main.h>
+#include <named/os.h>
+#include <named/server.h>
+#include <named/statschannel.h>
+#include <named/tkeyconf.h>
+#include <named/tsigconf.h>
+#include <named/zoneconf.h>
+#ifdef HAVE_LIBSCF
+#include <stdlib.h>
+
+#include <named/smf_globals.h>
+#endif /* ifdef HAVE_LIBSCF */
+
+#ifdef HAVE_LMDB
+#include <lmdb.h>
+
+#include <dns/lmdb.h>
+#define count_newzones	   count_newzones_db
+#define configure_newzones configure_newzones_db
+#define dumpzone	   dumpzone_db
+#else /* HAVE_LMDB */
+#define count_newzones	   count_newzones_file
+#define configure_newzones configure_newzones_file
+#define dumpzone	   dumpzone_file
+#endif /* HAVE_LMDB */
+
+#ifndef SIZE_MAX
+#define SIZE_MAX ((size_t)-1)
+#endif /* ifndef SIZE_MAX */
+
+#ifndef SIZE_AS_PERCENT
+#define SIZE_AS_PERCENT ((size_t)-2)
+#endif /* ifndef SIZE_AS_PERCENT */
+
+#ifdef TUNE_LARGE
+#define RESOLVER_NTASKS_PERCPU 32
+#define UDPBUFFERS	       32768
+#define EXCLBUFFERS	       32768
+#else
+#define RESOLVER_NTASKS_PERCPU 8
+#define UDPBUFFERS	       1000
+#define EXCLBUFFERS	       4096
+#endif /* TUNE_LARGE */
+
+/* RFC7828 defines timeout as 16-bit value specified in units of 100
+ * milliseconds, so the maximum and minimum advertised and keepalive
+ * timeouts are capped by the data type (it's ~109 minutes)
+ */
+#define MIN_INITIAL_TIMEOUT    UINT32_C(2500)	/* 2.5 seconds */
+#define MAX_INITIAL_TIMEOUT    UINT32_C(120000) /* 2 minutes */
+#define MIN_IDLE_TIMEOUT       UINT32_C(100)	/* 0.1 seconds */
+#define MAX_IDLE_TIMEOUT       UINT32_C(120000) /* 2 minutes */
+#define MIN_KEEPALIVE_TIMEOUT  UINT32_C(100)	/* 0.1 seconds */
+#define MAX_KEEPALIVE_TIMEOUT  UINT32_C(UINT16_MAX * 100)
+#define MIN_ADVERTISED_TIMEOUT UINT32_C(0) /* No minimum */
+#define MAX_ADVERTISED_TIMEOUT UINT32_C(UINT16_MAX * 100)
+
+/*%
+ * Check an operation for failure.  Assumes that the function
+ * using it has a 'result' variable and a 'cleanup' label.
+ */
+#define CHECK(op)                            \
+	do {                                 \
+		result = (op);               \
+		if (result != ISC_R_SUCCESS) \
+			goto cleanup;        \
+	} while (0)
+
+#define TCHECK(op)                               \
+	do {                                     \
+		tresult = (op);                  \
+		if (tresult != ISC_R_SUCCESS) {  \
+			isc_buffer_clear(*text); \
+			goto cleanup;            \
+		}                                \
+	} while (0)
+
+#define CHECKM(op, msg)                                                        \
+	do {                                                                   \
+		result = (op);                                                 \
+		if (result != ISC_R_SUCCESS) {                                 \
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, \
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,   \
+				      "%s: %s", msg,                           \
+				      isc_result_totext(result));              \
+			goto cleanup;                                          \
+		}                                                              \
+	} while (0)
+
+#define CHECKMF(op, msg, file)                                                 \
+	do {                                                                   \
+		result = (op);                                                 \
+		if (result != ISC_R_SUCCESS) {                                 \
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, \
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,   \
+				      "%s '%s': %s", msg, file,                \
+				      isc_result_totext(result));              \
+			goto cleanup;                                          \
+		}                                                              \
+	} while (0)
+
+#define CHECKFATAL(op, msg)                         \
+	do {                                        \
+		result = (op);                      \
+		if (result != ISC_R_SUCCESS)        \
+			fatal(server, msg, result); \
+	} while (0)
+
+/*%
+ * Maximum ADB size for views that share a cache.  Use this limit to suppress
+ * the total of memory footprint, which should be the main reason for sharing
+ * a cache.  Only effective when a finite max-cache-size is specified.
+ * This is currently defined to be 8MB.
+ */
+#define MAX_ADB_SIZE_FOR_CACHESHARE 8388608U
+
+struct named_dispatch {
+	isc_sockaddr_t addr;
+	unsigned int dispatchgen;
+	dns_dispatch_t *dispatch;
+	ISC_LINK(struct named_dispatch) link;
+};
+
+struct named_cache {
+	dns_cache_t *cache;
+	dns_view_t *primaryview;
+	bool needflush;
+	bool adbsizeadjusted;
+	dns_rdataclass_t rdclass;
+	ISC_LINK(named_cache_t) link;
+};
+
+struct dumpcontext {
+	isc_mem_t *mctx;
+	bool dumpcache;
+	bool dumpzones;
+	bool dumpadb;
+	bool dumpbad;
+	bool dumpexpired;
+	bool dumpfail;
+	FILE *fp;
+	ISC_LIST(struct viewlistentry) viewlist;
+	struct viewlistentry *view;
+	struct zonelistentry *zone;
+	dns_dumpctx_t *mdctx;
+	dns_db_t *db;
+	dns_db_t *cache;
+	isc_task_t *task;
+	dns_dbversion_t *version;
+};
+
+struct viewlistentry {
+	dns_view_t *view;
+	ISC_LINK(struct viewlistentry) link;
+	ISC_LIST(struct zonelistentry) zonelist;
+};
+
+struct zonelistentry {
+	dns_zone_t *zone;
+	ISC_LINK(struct zonelistentry) link;
+};
+
+/*%
+ * Configuration context to retain for each view that allows
+ * new zones to be added at runtime.
+ */
+typedef struct ns_cfgctx {
+	isc_mem_t *mctx;
+	cfg_parser_t *conf_parser;
+	cfg_parser_t *add_parser;
+	cfg_obj_t *config;
+	cfg_obj_t *vconfig;
+	cfg_obj_t *nzf_config;
+	cfg_aclconfctx_t *actx;
+} ns_cfgctx_t;
+
+/*%
+ * A function to write out added-zone configuration to the new_zone_file
+ * specified in 'view'. Maybe called by delete_zoneconf().
+ */
+typedef isc_result_t (*nzfwriter_t)(const cfg_obj_t *config, dns_view_t *view);
+
+/*%
+ * Holds state information for the initial zone loading process.
+ * Uses the isc_refcount structure to count the number of views
+ * with pending zone loads, dereferencing as each view finishes.
+ */
+typedef struct {
+	named_server_t *server;
+	bool reconfig;
+	isc_refcount_t refs;
+} ns_zoneload_t;
+
+typedef struct {
+	named_server_t *server;
+} catz_cb_data_t;
+
+typedef struct catz_chgzone_event {
+	ISC_EVENT_COMMON(struct catz_chgzone_event);
+	dns_catz_entry_t *entry;
+	dns_catz_zone_t *origin;
+	dns_view_t *view;
+	catz_cb_data_t *cbd;
+	bool mod;
+} catz_chgzone_event_t;
+
+typedef struct {
+	unsigned int magic;
+#define DZARG_MAGIC ISC_MAGIC('D', 'z', 'a', 'r')
+	isc_buffer_t **text;
+	isc_result_t result;
+} ns_dzarg_t;
+
+/*
+ * These zones should not leak onto the Internet.
+ */
+const char *empty_zones[] = {
+	/* RFC 1918 */
+	"10.IN-ADDR.ARPA", "16.172.IN-ADDR.ARPA", "17.172.IN-ADDR.ARPA",
+	"18.172.IN-ADDR.ARPA", "19.172.IN-ADDR.ARPA", "20.172.IN-ADDR.ARPA",
+	"21.172.IN-ADDR.ARPA", "22.172.IN-ADDR.ARPA", "23.172.IN-ADDR.ARPA",
+	"24.172.IN-ADDR.ARPA", "25.172.IN-ADDR.ARPA", "26.172.IN-ADDR.ARPA",
+	"27.172.IN-ADDR.ARPA", "28.172.IN-ADDR.ARPA", "29.172.IN-ADDR.ARPA",
+	"30.172.IN-ADDR.ARPA", "31.172.IN-ADDR.ARPA", "168.192.IN-ADDR.ARPA",
+
+	/* RFC 6598 */
+	"64.100.IN-ADDR.ARPA", "65.100.IN-ADDR.ARPA", "66.100.IN-ADDR.ARPA",
+	"67.100.IN-ADDR.ARPA", "68.100.IN-ADDR.ARPA", "69.100.IN-ADDR.ARPA",
+	"70.100.IN-ADDR.ARPA", "71.100.IN-ADDR.ARPA", "72.100.IN-ADDR.ARPA",
+	"73.100.IN-ADDR.ARPA", "74.100.IN-ADDR.ARPA", "75.100.IN-ADDR.ARPA",
+	"76.100.IN-ADDR.ARPA", "77.100.IN-ADDR.ARPA", "78.100.IN-ADDR.ARPA",
+	"79.100.IN-ADDR.ARPA", "80.100.IN-ADDR.ARPA", "81.100.IN-ADDR.ARPA",
+	"82.100.IN-ADDR.ARPA", "83.100.IN-ADDR.ARPA", "84.100.IN-ADDR.ARPA",
+	"85.100.IN-ADDR.ARPA", "86.100.IN-ADDR.ARPA", "87.100.IN-ADDR.ARPA",
+	"88.100.IN-ADDR.ARPA", "89.100.IN-ADDR.ARPA", "90.100.IN-ADDR.ARPA",
+	"91.100.IN-ADDR.ARPA", "92.100.IN-ADDR.ARPA", "93.100.IN-ADDR.ARPA",
+	"94.100.IN-ADDR.ARPA", "95.100.IN-ADDR.ARPA", "96.100.IN-ADDR.ARPA",
+	"97.100.IN-ADDR.ARPA", "98.100.IN-ADDR.ARPA", "99.100.IN-ADDR.ARPA",
+	"100.100.IN-ADDR.ARPA", "101.100.IN-ADDR.ARPA", "102.100.IN-ADDR.ARPA",
+	"103.100.IN-ADDR.ARPA", "104.100.IN-ADDR.ARPA", "105.100.IN-ADDR.ARPA",
+	"106.100.IN-ADDR.ARPA", "107.100.IN-ADDR.ARPA", "108.100.IN-ADDR.ARPA",
+	"109.100.IN-ADDR.ARPA", "110.100.IN-ADDR.ARPA", "111.100.IN-ADDR.ARPA",
+	"112.100.IN-ADDR.ARPA", "113.100.IN-ADDR.ARPA", "114.100.IN-ADDR.ARPA",
+	"115.100.IN-ADDR.ARPA", "116.100.IN-ADDR.ARPA", "117.100.IN-ADDR.ARPA",
+	"118.100.IN-ADDR.ARPA", "119.100.IN-ADDR.ARPA", "120.100.IN-ADDR.ARPA",
+	"121.100.IN-ADDR.ARPA", "122.100.IN-ADDR.ARPA", "123.100.IN-ADDR.ARPA",
+	"124.100.IN-ADDR.ARPA", "125.100.IN-ADDR.ARPA", "126.100.IN-ADDR.ARPA",
+	"127.100.IN-ADDR.ARPA",
+
+	/* RFC 5735 and RFC 5737 */
+	"0.IN-ADDR.ARPA",		/* THIS NETWORK */
+	"127.IN-ADDR.ARPA",		/* LOOPBACK */
+	"254.169.IN-ADDR.ARPA",		/* LINK LOCAL */
+	"2.0.192.IN-ADDR.ARPA",		/* TEST NET */
+	"100.51.198.IN-ADDR.ARPA",	/* TEST NET 2 */
+	"113.0.203.IN-ADDR.ARPA",	/* TEST NET 3 */
+	"255.255.255.255.IN-ADDR.ARPA", /* BROADCAST */
+
+	/* Local IPv6 Unicast Addresses */
+	"0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6."
+	"ARPA",
+	"1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6."
+	"ARPA",
+	/* LOCALLY ASSIGNED LOCAL ADDRESS SCOPE */
+	"D.F.IP6.ARPA", "8.E.F.IP6.ARPA", /* LINK LOCAL */
+	"9.E.F.IP6.ARPA",		  /* LINK LOCAL */
+	"A.E.F.IP6.ARPA",		  /* LINK LOCAL */
+	"B.E.F.IP6.ARPA",		  /* LINK LOCAL */
+
+	/* Example Prefix, RFC 3849. */
+	"8.B.D.0.1.0.0.2.IP6.ARPA",
+
+	/* RFC 7534 */
+	"EMPTY.AS112.ARPA",
+
+	/* RFC 8375 */
+	"HOME.ARPA",
+
+	NULL
+};
+
+ISC_PLATFORM_NORETURN_PRE static void
+fatal(named_server_t *server, const char *msg,
+      isc_result_t result) ISC_PLATFORM_NORETURN_POST;
+
+static void
+named_server_reload(isc_task_t *task, isc_event_t *event);
+
+static isc_result_t
+ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
+			cfg_aclconfctx_t *actx, isc_mem_t *mctx,
+			uint16_t family, ns_listenelt_t **target);
+static isc_result_t
+ns_listenlist_fromconfig(const cfg_obj_t *listenlist, const cfg_obj_t *config,
+			 cfg_aclconfctx_t *actx, isc_mem_t *mctx,
+			 uint16_t family, ns_listenlist_t **target);
+
+static isc_result_t
+configure_forward(const cfg_obj_t *config, dns_view_t *view,
+		  const dns_name_t *origin, const cfg_obj_t *forwarders,
+		  const cfg_obj_t *forwardtype);
+
+static isc_result_t
+configure_alternates(const cfg_obj_t *config, dns_view_t *view,
+		     const cfg_obj_t *alternates);
+
+static isc_result_t
+configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
+	       const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view,
+	       dns_viewlist_t *viewlist, dns_kasplist_t *kasplist,
+	       cfg_aclconfctx_t *aclconf, bool added, bool old_rpz_ok,
+	       bool modify);
+
+static void
+configure_zone_setviewcommit(isc_result_t result, const cfg_obj_t *zconfig,
+			     dns_view_t *view);
+
+static isc_result_t
+configure_newzones(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
+		   isc_mem_t *mctx, cfg_aclconfctx_t *actx);
+
+static isc_result_t
+add_keydata_zone(dns_view_t *view, const char *directory, isc_mem_t *mctx);
+
+static void
+end_reserved_dispatches(named_server_t *server, bool all);
+
+static void
+newzone_cfgctx_destroy(void **cfgp);
+
+static isc_result_t
+putstr(isc_buffer_t **b, const char *str);
+
+static isc_result_t
+putmem(isc_buffer_t **b, const char *str, size_t len);
+
+static isc_result_t
+putuint8(isc_buffer_t **b, uint8_t val);
+
+static isc_result_t
+putnull(isc_buffer_t **b);
+
+static int
+count_zones(const cfg_obj_t *conf);
+
+#ifdef HAVE_LMDB
+static isc_result_t
+migrate_nzf(dns_view_t *view);
+
+static isc_result_t
+nzd_writable(dns_view_t *view);
+
+static isc_result_t
+nzd_open(dns_view_t *view, unsigned int flags, MDB_txn **txnp, MDB_dbi *dbi);
+
+static isc_result_t
+nzd_env_reopen(dns_view_t *view);
+
+static void
+nzd_env_close(dns_view_t *view);
+
+static isc_result_t
+nzd_close(MDB_txn **txnp, bool commit);
+
+static isc_result_t
+nzd_count(dns_view_t *view, int *countp);
+#else  /* ifdef HAVE_LMDB */
+static isc_result_t
+nzf_append(dns_view_t *view, const cfg_obj_t *zconfig);
+#endif /* ifdef HAVE_LMDB */
+
+/*%
+ * Configure a single view ACL at '*aclp'.  Get its configuration from
+ * 'vconfig' (for per-view configuration) and maybe from 'config'
+ */
+static isc_result_t
+configure_view_acl(const cfg_obj_t *vconfig, const cfg_obj_t *config,
+		   const cfg_obj_t *gconfig, const char *aclname,
+		   const char *acltuplename, cfg_aclconfctx_t *actx,
+		   isc_mem_t *mctx, dns_acl_t **aclp) {
+	isc_result_t result;
+	const cfg_obj_t *maps[4];
+	const cfg_obj_t *aclobj = NULL;
+	int i = 0;
+
+	if (*aclp != NULL) {
+		dns_acl_detach(aclp);
+	}
+	if (vconfig != NULL) {
+		maps[i++] = cfg_tuple_get(vconfig, "options");
+	}
+	if (config != NULL) {
+		const cfg_obj_t *options = NULL;
+		(void)cfg_map_get(config, "options", &options);
+		if (options != NULL) {
+			maps[i++] = options;
+		}
+	}
+	if (gconfig != NULL) {
+		const cfg_obj_t *options = NULL;
+		(void)cfg_map_get(gconfig, "options", &options);
+		if (options != NULL) {
+			maps[i++] = options;
+		}
+	}
+	maps[i] = NULL;
+
+	(void)named_config_get(maps, aclname, &aclobj);
+	if (aclobj == NULL) {
+		/*
+		 * No value available.	*aclp == NULL.
+		 */
+		return (ISC_R_SUCCESS);
+	}
+
+	if (acltuplename != NULL) {
+		/*
+		 * If the ACL is given in an optional tuple, retrieve it.
+		 * The parser should have ensured that a valid object be
+		 * returned.
+		 */
+		aclobj = cfg_tuple_get(aclobj, acltuplename);
+	}
+
+	result = cfg_acl_fromconfig(aclobj, config, named_g_lctx, actx, mctx, 0,
+				    aclp);
+
+	return (result);
+}
+
+/*%
+ * Configure a sortlist at '*aclp'.  Essentially the same as
+ * configure_view_acl() except it calls cfg_acl_fromconfig with a
+ * nest_level value of 2.
+ */
+static isc_result_t
+configure_view_sortlist(const cfg_obj_t *vconfig, const cfg_obj_t *config,
+			cfg_aclconfctx_t *actx, isc_mem_t *mctx,
+			dns_acl_t **aclp) {
+	isc_result_t result;
+	const cfg_obj_t *maps[3];
+	const cfg_obj_t *aclobj = NULL;
+	int i = 0;
+
+	if (*aclp != NULL) {
+		dns_acl_detach(aclp);
+	}
+	if (vconfig != NULL) {
+		maps[i++] = cfg_tuple_get(vconfig, "options");
+	}
+	if (config != NULL) {
+		const cfg_obj_t *options = NULL;
+		(void)cfg_map_get(config, "options", &options);
+		if (options != NULL) {
+			maps[i++] = options;
+		}
+	}
+	maps[i] = NULL;
+
+	(void)named_config_get(maps, "sortlist", &aclobj);
+	if (aclobj == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * Use a nest level of 3 for the "top level" of the sortlist;
+	 * this means each entry in the top three levels will be stored
+	 * as lists of separate, nested ACLs, rather than merged together
+	 * into IP tables as is usually done with ACLs.
+	 */
+	result = cfg_acl_fromconfig(aclobj, config, named_g_lctx, actx, mctx, 3,
+				    aclp);
+
+	return (result);
+}
+
+static isc_result_t
+configure_view_nametable(const cfg_obj_t *vconfig, const cfg_obj_t *config,
+			 const char *confname, const char *conftuplename,
+			 isc_mem_t *mctx, dns_rbt_t **rbtp) {
+	isc_result_t result;
+	const cfg_obj_t *maps[3];
+	const cfg_obj_t *obj = NULL;
+	const cfg_listelt_t *element;
+	int i = 0;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	isc_buffer_t b;
+	const char *str;
+	const cfg_obj_t *nameobj;
+
+	if (*rbtp != NULL) {
+		dns_rbt_destroy(rbtp);
+	}
+	if (vconfig != NULL) {
+		maps[i++] = cfg_tuple_get(vconfig, "options");
+	}
+	if (config != NULL) {
+		const cfg_obj_t *options = NULL;
+		(void)cfg_map_get(config, "options", &options);
+		if (options != NULL) {
+			maps[i++] = options;
+		}
+	}
+	maps[i] = NULL;
+
+	(void)named_config_get(maps, confname, &obj);
+	if (obj == NULL) {
+		/*
+		 * No value available.	*rbtp == NULL.
+		 */
+		return (ISC_R_SUCCESS);
+	}
+
+	if (conftuplename != NULL) {
+		obj = cfg_tuple_get(obj, conftuplename);
+		if (cfg_obj_isvoid(obj)) {
+			return (ISC_R_SUCCESS);
+		}
+	}
+
+	result = dns_rbt_create(mctx, NULL, NULL, rbtp);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	name = dns_fixedname_initname(&fixed);
+	for (element = cfg_list_first(obj); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		nameobj = cfg_listelt_value(element);
+		str = cfg_obj_asstring(nameobj);
+		isc_buffer_constinit(&b, str, strlen(str));
+		isc_buffer_add(&b, strlen(str));
+		CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
+		/*
+		 * We don't need the node data, but need to set dummy data to
+		 * avoid a partial match with an empty node.  For example, if
+		 * we have foo.example.com and bar.example.com, we'd get a match
+		 * for baz.example.com, which is not the expected result.
+		 * We simply use (void *)1 as the dummy data.
+		 */
+		result = dns_rbt_addname(*rbtp, name, (void *)1);
+		if (result != ISC_R_SUCCESS) {
+			cfg_obj_log(nameobj, named_g_lctx, ISC_LOG_ERROR,
+				    "failed to add %s for %s: %s", str,
+				    confname, isc_result_totext(result));
+			goto cleanup;
+		}
+	}
+
+	return (result);
+
+cleanup:
+	dns_rbt_destroy(rbtp);
+	return (result);
+}
+
+static isc_result_t
+ta_fromconfig(const cfg_obj_t *key, bool *initialp, const char **namestrp,
+	      unsigned char *digest, dns_rdata_ds_t *ds) {
+	isc_result_t result;
+	dns_rdata_dnskey_t keystruct;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	uint32_t rdata1, rdata2, rdata3;
+	const char *datastr = NULL, *namestr = NULL;
+	unsigned char data[4096];
+	isc_buffer_t databuf;
+	unsigned char rrdata[4096];
+	isc_buffer_t rrdatabuf;
+	isc_region_t r;
+	dns_fixedname_t fname;
+	dns_name_t *name = NULL;
+	isc_buffer_t namebuf;
+	const char *atstr = NULL;
+	enum {
+		INIT_DNSKEY,
+		STATIC_DNSKEY,
+		INIT_DS,
+		STATIC_DS,
+		TRUSTED
+	} anchortype;
+
+	REQUIRE(namestrp != NULL && *namestrp == NULL);
+	REQUIRE(ds != NULL);
+
+	/* if DNSKEY, flags; if DS, key tag */
+	rdata1 = cfg_obj_asuint32(cfg_tuple_get(key, "rdata1"));
+
+	/* if DNSKEY, protocol; if DS, algorithm */
+	rdata2 = cfg_obj_asuint32(cfg_tuple_get(key, "rdata2"));
+
+	/* if DNSKEY, algorithm; if DS, digest type */
+	rdata3 = cfg_obj_asuint32(cfg_tuple_get(key, "rdata3"));
+
+	namestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
+	*namestrp = namestr;
+
+	name = dns_fixedname_initname(&fname);
+	isc_buffer_constinit(&namebuf, namestr, strlen(namestr));
+	isc_buffer_add(&namebuf, strlen(namestr));
+	CHECK(dns_name_fromtext(name, &namebuf, dns_rootname, 0, NULL));
+
+	if (*initialp) {
+		atstr = cfg_obj_asstring(cfg_tuple_get(key, "anchortype"));
+
+		if (strcasecmp(atstr, "static-key") == 0) {
+			*initialp = false;
+			anchortype = STATIC_DNSKEY;
+		} else if (strcasecmp(atstr, "static-ds") == 0) {
+			*initialp = false;
+			anchortype = STATIC_DS;
+		} else if (strcasecmp(atstr, "initial-key") == 0) {
+			anchortype = INIT_DNSKEY;
+		} else if (strcasecmp(atstr, "initial-ds") == 0) {
+			anchortype = INIT_DS;
+		} else {
+			cfg_obj_log(key, named_g_lctx, ISC_LOG_ERROR,
+				    "key '%s': "
+				    "invalid initialization method '%s'",
+				    namestr, atstr);
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+	} else {
+		anchortype = TRUSTED;
+	}
+
+	isc_buffer_init(&databuf, data, sizeof(data));
+	isc_buffer_init(&rrdatabuf, rrdata, sizeof(rrdata));
+
+	*ds = (dns_rdata_ds_t){ .common.rdclass = dns_rdataclass_in,
+				.common.rdtype = dns_rdatatype_ds };
+
+	ISC_LINK_INIT(&ds->common, link);
+
+	switch (anchortype) {
+	case INIT_DNSKEY:
+	case STATIC_DNSKEY:
+	case TRUSTED:
+		/*
+		 * This function should never be reached for view
+		 * class other than IN
+		 */
+		keystruct.common.rdclass = dns_rdataclass_in;
+		keystruct.common.rdtype = dns_rdatatype_dnskey;
+
+		/*
+		 * The key data in keystruct is not dynamically allocated.
+		 */
+		keystruct.mctx = NULL;
+
+		ISC_LINK_INIT(&keystruct.common, link);
+
+		if (rdata1 > 0xffff) {
+			CHECKM(ISC_R_RANGE, "key flags");
+		}
+		if (rdata1 & DNS_KEYFLAG_REVOKE) {
+			CHECKM(DST_R_BADKEYTYPE, "key flags revoke bit set");
+		}
+		if (rdata2 > 0xff) {
+			CHECKM(ISC_R_RANGE, "key protocol");
+		}
+		if (rdata3 > 0xff) {
+			CHECKM(ISC_R_RANGE, "key algorithm");
+		}
+
+		keystruct.flags = (uint16_t)rdata1;
+		keystruct.protocol = (uint8_t)rdata2;
+		keystruct.algorithm = (uint8_t)rdata3;
+
+		if (!dst_algorithm_supported(keystruct.algorithm)) {
+			CHECK(DST_R_UNSUPPORTEDALG);
+		}
+
+		datastr = cfg_obj_asstring(cfg_tuple_get(key, "data"));
+		CHECK(isc_base64_decodestring(datastr, &databuf));
+		isc_buffer_usedregion(&databuf, &r);
+		keystruct.datalen = r.length;
+		keystruct.data = r.base;
+
+		CHECK(dns_rdata_fromstruct(&rdata, keystruct.common.rdclass,
+					   keystruct.common.rdtype, &keystruct,
+					   &rrdatabuf));
+		CHECK(dns_ds_fromkeyrdata(name, &rdata, DNS_DSDIGEST_SHA256,
+					  digest, ds));
+		break;
+
+	case INIT_DS:
+	case STATIC_DS:
+		if (rdata1 > 0xffff) {
+			CHECKM(ISC_R_RANGE, "key tag");
+		}
+		if (rdata2 > 0xff) {
+			CHECKM(ISC_R_RANGE, "key algorithm");
+		}
+		if (rdata3 > 0xff) {
+			CHECKM(ISC_R_RANGE, "digest type");
+		}
+
+		ds->key_tag = (uint16_t)rdata1;
+		ds->algorithm = (uint8_t)rdata2;
+		ds->digest_type = (uint8_t)rdata3;
+
+		datastr = cfg_obj_asstring(cfg_tuple_get(key, "data"));
+		CHECK(isc_hex_decodestring(datastr, &databuf));
+		isc_buffer_usedregion(&databuf, &r);
+
+		switch (ds->digest_type) {
+		case DNS_DSDIGEST_SHA1:
+			if (r.length != ISC_SHA1_DIGESTLENGTH) {
+				CHECK(ISC_R_UNEXPECTEDEND);
+			}
+			break;
+		case DNS_DSDIGEST_SHA256:
+			if (r.length != ISC_SHA256_DIGESTLENGTH) {
+				CHECK(ISC_R_UNEXPECTEDEND);
+			}
+			break;
+		case DNS_DSDIGEST_SHA384:
+			if (r.length != ISC_SHA384_DIGESTLENGTH) {
+				CHECK(ISC_R_UNEXPECTEDEND);
+			}
+			break;
+		default:
+			cfg_obj_log(key, named_g_lctx, ISC_LOG_ERROR,
+				    "key '%s': "
+				    "unknown ds digest type %u",
+				    namestr, ds->digest_type);
+			result = ISC_R_FAILURE;
+			goto cleanup;
+			break;
+		}
+
+		ds->length = r.length;
+		ds->digest = digest;
+		memmove(ds->digest, r.base, r.length);
+
+		break;
+
+	default:
+		UNREACHABLE();
+	}
+
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	return (result);
+}
+
+/*%
+ * Parse 'key' in the context of view configuration 'vconfig'.  If successful,
+ * add the key to 'secroots' if both of the following conditions are true:
+ *
+ *   - 'keyname_match' is NULL or it matches the owner name of 'key',
+ *   - support for the algorithm used by 'key' is not disabled by 'resolver'
+ *     for the owner name of 'key'.
+ *
+ * 'managed' is true for managed keys and false for trusted keys.  'mctx' is
+ * the memory context to use for allocating memory.
+ */
+static isc_result_t
+process_key(const cfg_obj_t *key, dns_keytable_t *secroots,
+	    const dns_name_t *keyname_match, dns_resolver_t *resolver,
+	    bool managed) {
+	dns_fixedname_t fkeyname;
+	dns_name_t *keyname = NULL;
+	const char *namestr = NULL;
+	dns_rdata_ds_t ds;
+	isc_result_t result;
+	bool initializing = managed;
+	unsigned char digest[ISC_MAX_MD_SIZE];
+	isc_buffer_t b;
+
+	result = ta_fromconfig(key, &initializing, &namestr, digest, &ds);
+
+	switch (result) {
+	case ISC_R_SUCCESS:
+		/*
+		 * Trust anchor was parsed correctly.
+		 */
+		isc_buffer_constinit(&b, namestr, strlen(namestr));
+		isc_buffer_add(&b, strlen(namestr));
+		keyname = dns_fixedname_initname(&fkeyname);
+		result = dns_name_fromtext(keyname, &b, dns_rootname, 0, NULL);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		break;
+	case DST_R_UNSUPPORTEDALG:
+	case DST_R_BADKEYTYPE:
+		/*
+		 * Key was parsed correctly, but it cannot be used; this is not
+		 * a fatal error - log a warning about this key being ignored,
+		 * but do not prevent any further ones from being processed.
+		 */
+		cfg_obj_log(key, named_g_lctx, ISC_LOG_WARNING,
+			    "ignoring %s for '%s': %s",
+			    initializing ? "initial-key" : "static-key",
+			    namestr, isc_result_totext(result));
+		return (ISC_R_SUCCESS);
+	case DST_R_NOCRYPTO:
+		/*
+		 * Crypto support is not available.
+		 */
+		cfg_obj_log(key, named_g_lctx, ISC_LOG_ERROR,
+			    "ignoring %s for '%s': no crypto support",
+			    initializing ? "initial-key" : "static-key",
+			    namestr);
+		return (result);
+	default:
+		/*
+		 * Something unexpected happened; we have no choice but to
+		 * indicate an error so that the configuration loading process
+		 * is interrupted.
+		 */
+		cfg_obj_log(key, named_g_lctx, ISC_LOG_ERROR,
+			    "configuring %s for '%s': %s",
+			    initializing ? "initial-key" : "static-key",
+			    namestr, isc_result_totext(result));
+		return (ISC_R_FAILURE);
+	}
+
+	/*
+	 * If the caller requested to only load keys for a specific name and
+	 * the owner name of this key does not match the requested name, do not
+	 * load it.
+	 */
+	if (keyname_match != NULL && !dns_name_equal(keyname_match, keyname)) {
+		goto done;
+	}
+
+	/*
+	 * Ensure that 'resolver' allows using the algorithm of this key for
+	 * its owner name.  If it does not, do not load the key and log a
+	 * warning, but do not prevent further keys from being processed.
+	 */
+	if (!dns_resolver_algorithm_supported(resolver, keyname, ds.algorithm))
+	{
+		cfg_obj_log(key, named_g_lctx, ISC_LOG_WARNING,
+			    "ignoring %s for '%s': algorithm is disabled",
+			    initializing ? "initial-key" : "static-key",
+			    namestr);
+		goto done;
+	}
+
+	/*
+	 * Add the key to 'secroots'.  Keys from a "trust-anchors" or
+	 * "managed-keys" statement may be either static or initializing
+	 * keys. If it's not initializing, we don't want to treat it as
+	 * managed, so we use 'initializing' twice here, for both the
+	 * 'managed' and 'initializing' arguments to dns_keytable_add().
+	 */
+	result = dns_keytable_add(secroots, initializing, initializing, keyname,
+				  &ds);
+
+done:
+	return (result);
+}
+
+/*
+ * Load keys from configuration into key table. If 'keyname' is specified,
+ * only load keys matching that name. If 'managed' is true, load the key as
+ * an initializing key.
+ */
+static isc_result_t
+load_view_keys(const cfg_obj_t *keys, dns_view_t *view, bool managed,
+	       const dns_name_t *keyname) {
+	const cfg_listelt_t *elt, *elt2;
+	const cfg_obj_t *keylist;
+	isc_result_t result;
+	dns_keytable_t *secroots = NULL;
+
+	CHECK(dns_view_getsecroots(view, &secroots));
+
+	for (elt = cfg_list_first(keys); elt != NULL; elt = cfg_list_next(elt))
+	{
+		keylist = cfg_listelt_value(elt);
+
+		for (elt2 = cfg_list_first(keylist); elt2 != NULL;
+		     elt2 = cfg_list_next(elt2))
+		{
+			CHECK(process_key(cfg_listelt_value(elt2), secroots,
+					  keyname, view->resolver, managed));
+		}
+	}
+
+cleanup:
+	if (secroots != NULL) {
+		dns_keytable_detach(&secroots);
+	}
+	if (result == DST_R_NOCRYPTO) {
+		result = ISC_R_SUCCESS;
+	}
+	return (result);
+}
+
+/*%
+ * Check whether a key has been successfully loaded.
+ */
+static bool
+keyloaded(dns_view_t *view, const dns_name_t *name) {
+	isc_result_t result;
+	dns_keytable_t *secroots = NULL;
+	dns_keynode_t *keynode = NULL;
+
+	result = dns_view_getsecroots(view, &secroots);
+	if (result != ISC_R_SUCCESS) {
+		return (false);
+	}
+
+	result = dns_keytable_find(secroots, name, &keynode);
+
+	if (keynode != NULL) {
+		dns_keytable_detachkeynode(secroots, &keynode);
+	}
+	if (secroots != NULL) {
+		dns_keytable_detach(&secroots);
+	}
+
+	return (result == ISC_R_SUCCESS);
+}
+
+/*%
+ * Configure DNSSEC keys for a view.
+ *
+ * The per-view configuration values and the server-global defaults are read
+ * from 'vconfig' and 'config'.
+ */
+static isc_result_t
+configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
+			  const cfg_obj_t *config, const cfg_obj_t *bindkeys,
+			  bool auto_root, isc_mem_t *mctx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	const cfg_obj_t *view_keys = NULL;
+	const cfg_obj_t *global_keys = NULL;
+	const cfg_obj_t *view_managed_keys = NULL;
+	const cfg_obj_t *view_trust_anchors = NULL;
+	const cfg_obj_t *global_managed_keys = NULL;
+	const cfg_obj_t *global_trust_anchors = NULL;
+	const cfg_obj_t *maps[4];
+	const cfg_obj_t *voptions = NULL;
+	const cfg_obj_t *options = NULL;
+	const cfg_obj_t *obj = NULL;
+	const char *directory;
+	int i = 0;
+
+	/* We don't need trust anchors for the _bind view */
+	if (strcmp(view->name, "_bind") == 0 &&
+	    view->rdclass == dns_rdataclass_chaos)
+	{
+		return (ISC_R_SUCCESS);
+	}
+
+	if (vconfig != NULL) {
+		voptions = cfg_tuple_get(vconfig, "options");
+		if (voptions != NULL) {
+			(void)cfg_map_get(voptions, "trusted-keys", &view_keys);
+
+			/* managed-keys and trust-anchors are synonyms. */
+			(void)cfg_map_get(voptions, "managed-keys",
+					  &view_managed_keys);
+			(void)cfg_map_get(voptions, "trust-anchors",
+					  &view_trust_anchors);
+
+			maps[i++] = voptions;
+		}
+	}
+
+	if (config != NULL) {
+		(void)cfg_map_get(config, "trusted-keys", &global_keys);
+
+		/* managed-keys and trust-anchors are synonyms. */
+		(void)cfg_map_get(config, "managed-keys", &global_managed_keys);
+		(void)cfg_map_get(config, "trust-anchors",
+				  &global_trust_anchors);
+
+		(void)cfg_map_get(config, "options", &options);
+		if (options != NULL) {
+			maps[i++] = options;
+		}
+	}
+
+	maps[i++] = named_g_defaults;
+	maps[i] = NULL;
+
+	result = dns_view_initsecroots(view, mctx);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+			      "couldn't create keytable");
+		return (ISC_R_UNEXPECTED);
+	}
+
+	result = dns_view_initntatable(view, named_g_taskmgr, named_g_timermgr);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+			      "couldn't create NTA table");
+		return (ISC_R_UNEXPECTED);
+	}
+
+	if (auto_root && view->rdclass == dns_rdataclass_in) {
+		const cfg_obj_t *builtin_keys = NULL;
+
+		/*
+		 * If bind.keys exists and is populated, it overrides
+		 * the trust-anchors clause hard-coded in named_g_config.
+		 */
+		if (bindkeys != NULL) {
+			isc_log_write(named_g_lctx, DNS_LOGCATEGORY_SECURITY,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+				      "obtaining root key for view %s "
+				      "from '%s'",
+				      view->name, named_g_server->bindkeysfile);
+
+			(void)cfg_map_get(bindkeys, "trust-anchors",
+					  &builtin_keys);
+
+			if (builtin_keys == NULL) {
+				isc_log_write(
+					named_g_lctx, DNS_LOGCATEGORY_SECURITY,
+					NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING,
+					"dnssec-validation auto: "
+					"WARNING: root zone key "
+					"not found");
+			}
+		}
+
+		if (builtin_keys == NULL) {
+			isc_log_write(named_g_lctx, DNS_LOGCATEGORY_SECURITY,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+				      "using built-in root key for view %s",
+				      view->name);
+
+			(void)cfg_map_get(named_g_config, "trust-anchors",
+					  &builtin_keys);
+		}
+
+		if (builtin_keys != NULL) {
+			CHECK(load_view_keys(builtin_keys, view, true,
+					     dns_rootname));
+		}
+
+		if (!keyloaded(view, dns_rootname)) {
+			isc_log_write(named_g_lctx, DNS_LOGCATEGORY_SECURITY,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "root key not loaded");
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+	}
+
+	if (view->rdclass == dns_rdataclass_in) {
+		CHECK(load_view_keys(view_keys, view, false, NULL));
+		CHECK(load_view_keys(view_trust_anchors, view, true, NULL));
+		CHECK(load_view_keys(view_managed_keys, view, true, NULL));
+
+		CHECK(load_view_keys(global_keys, view, false, NULL));
+		CHECK(load_view_keys(global_trust_anchors, view, true, NULL));
+		CHECK(load_view_keys(global_managed_keys, view, true, NULL));
+	}
+
+	/*
+	 * Add key zone for managed keys.
+	 */
+	obj = NULL;
+	(void)named_config_get(maps, "managed-keys-directory", &obj);
+	directory = (obj != NULL ? cfg_obj_asstring(obj) : NULL);
+	if (directory != NULL) {
+		result = isc_file_isdirectory(directory);
+	}
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(named_g_lctx, DNS_LOGCATEGORY_SECURITY,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+			      "invalid managed-keys-directory %s: %s",
+			      directory, isc_result_totext(result));
+		goto cleanup;
+	} else if (directory != NULL) {
+		if (!isc_file_isdirwritable(directory)) {
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "managed-keys-directory '%s' "
+				      "is not writable",
+				      directory);
+			result = ISC_R_NOPERM;
+			goto cleanup;
+		}
+	}
+
+	CHECK(add_keydata_zone(view, directory, named_g_mctx));
+
+cleanup:
+	return (result);
+}
+
+static isc_result_t
+mustbesecure(const cfg_obj_t *mbs, dns_resolver_t *resolver) {
+	const cfg_listelt_t *element;
+	const cfg_obj_t *obj;
+	const char *str;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	bool value;
+	isc_result_t result;
+	isc_buffer_t b;
+
+	name = dns_fixedname_initname(&fixed);
+	for (element = cfg_list_first(mbs); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		obj = cfg_listelt_value(element);
+		str = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
+		isc_buffer_constinit(&b, str, strlen(str));
+		isc_buffer_add(&b, strlen(str));
+		CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
+		value = cfg_obj_asboolean(cfg_tuple_get(obj, "value"));
+		CHECK(dns_resolver_setmustbesecure(resolver, name, value));
+	}
+
+	result = ISC_R_SUCCESS;
+
+cleanup:
+	return (result);
+}
+
+/*%
+ * Get a dispatch appropriate for the resolver of a given view.
+ */
+static isc_result_t
+get_view_querysource_dispatch(const cfg_obj_t **maps, int af,
+			      dns_dispatch_t **dispatchp, isc_dscp_t *dscpp,
+			      bool is_firstview) {
+	isc_result_t result = ISC_R_FAILURE;
+	dns_dispatch_t *disp;
+	isc_sockaddr_t sa;
+	unsigned int attrs, attrmask;
+	const cfg_obj_t *obj = NULL;
+	unsigned int maxdispatchbuffers = UDPBUFFERS;
+	isc_dscp_t dscp = -1;
+
+	switch (af) {
+	case AF_INET:
+		result = named_config_get(maps, "query-source", &obj);
+		INSIST(result == ISC_R_SUCCESS);
+		break;
+	case AF_INET6:
+		result = named_config_get(maps, "query-source-v6", &obj);
+		INSIST(result == ISC_R_SUCCESS);
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	sa = *(cfg_obj_assockaddr(obj));
+	INSIST(isc_sockaddr_pf(&sa) == af);
+
+	dscp = cfg_obj_getdscp(obj);
+	if (dscp != -1 && dscpp != NULL) {
+		*dscpp = dscp;
+	}
+
+	/*
+	 * If we don't support this address family, we're done!
+	 */
+	switch (af) {
+	case AF_INET:
+		result = isc_net_probeipv4();
+		break;
+	case AF_INET6:
+		result = isc_net_probeipv6();
+		break;
+	default:
+		UNREACHABLE();
+	}
+	if (result != ISC_R_SUCCESS) {
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * Try to find a dispatcher that we can share.
+	 */
+	attrs = 0;
+	attrs |= DNS_DISPATCHATTR_UDP;
+	switch (af) {
+	case AF_INET:
+		attrs |= DNS_DISPATCHATTR_IPV4;
+		break;
+	case AF_INET6:
+		attrs |= DNS_DISPATCHATTR_IPV6;
+		break;
+	}
+	if (isc_sockaddr_getport(&sa) == 0) {
+		attrs |= DNS_DISPATCHATTR_EXCLUSIVE;
+		maxdispatchbuffers = EXCLBUFFERS;
+	} else {
+		INSIST(obj != NULL);
+		if (is_firstview) {
+			cfg_obj_log(obj, named_g_lctx, ISC_LOG_INFO,
+				    "using specific query-source port "
+				    "suppresses port randomization and can be "
+				    "insecure.");
+		}
+	}
+
+	attrmask = 0;
+	attrmask |= DNS_DISPATCHATTR_UDP;
+	attrmask |= DNS_DISPATCHATTR_TCP;
+	attrmask |= DNS_DISPATCHATTR_IPV4;
+	attrmask |= DNS_DISPATCHATTR_IPV6;
+
+	disp = NULL;
+	result = dns_dispatch_getudp(named_g_dispatchmgr, named_g_socketmgr,
+				     named_g_taskmgr, &sa, 4096,
+				     maxdispatchbuffers, 32768, 16411, 16433,
+				     attrs, attrmask, &disp);
+	if (result != ISC_R_SUCCESS) {
+		isc_sockaddr_t any;
+		char buf[ISC_SOCKADDR_FORMATSIZE];
+
+		switch (af) {
+		case AF_INET:
+			isc_sockaddr_any(&any);
+			break;
+		case AF_INET6:
+			isc_sockaddr_any6(&any);
+			break;
+		}
+		if (isc_sockaddr_equal(&sa, &any)) {
+			return (ISC_R_SUCCESS);
+		}
+		isc_sockaddr_format(&sa, buf, sizeof(buf));
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+			      "could not get query source dispatcher (%s)",
+			      buf);
+		return (result);
+	}
+
+	*dispatchp = disp;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+configure_order(dns_order_t *order, const cfg_obj_t *ent) {
+	dns_rdataclass_t rdclass;
+	dns_rdatatype_t rdtype;
+	const cfg_obj_t *obj;
+	dns_fixedname_t fixed;
+	unsigned int mode = 0;
+	const char *str;
+	isc_buffer_t b;
+	isc_result_t result;
+	bool addroot;
+
+	result = named_config_getclass(cfg_tuple_get(ent, "class"),
+				       dns_rdataclass_any, &rdclass);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = named_config_gettype(cfg_tuple_get(ent, "type"),
+				      dns_rdatatype_any, &rdtype);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	obj = cfg_tuple_get(ent, "name");
+	if (cfg_obj_isstring(obj)) {
+		str = cfg_obj_asstring(obj);
+	} else {
+		str = "*";
+	}
+	addroot = (strcmp(str, "*") == 0);
+	isc_buffer_constinit(&b, str, strlen(str));
+	isc_buffer_add(&b, strlen(str));
+	dns_fixedname_init(&fixed);
+	result = dns_name_fromtext(dns_fixedname_name(&fixed), &b, dns_rootname,
+				   0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	obj = cfg_tuple_get(ent, "ordering");
+	INSIST(cfg_obj_isstring(obj));
+	str = cfg_obj_asstring(obj);
+	if (!strcasecmp(str, "fixed")) {
+#if DNS_RDATASET_FIXED
+		mode = DNS_RDATASETATTR_FIXEDORDER;
+#else  /* if DNS_RDATASET_FIXED */
+		mode = DNS_RDATASETATTR_CYCLIC;
+#endif /* DNS_RDATASET_FIXED */
+	} else if (!strcasecmp(str, "random")) {
+		mode = DNS_RDATASETATTR_RANDOMIZE;
+	} else if (!strcasecmp(str, "cyclic")) {
+		mode = DNS_RDATASETATTR_CYCLIC;
+	} else if (!strcasecmp(str, "none")) {
+		mode = DNS_RDATASETATTR_NONE;
+	} else {
+		UNREACHABLE();
+	}
+
+	/*
+	 * "*" should match everything including the root (BIND 8 compat).
+	 * As dns_name_matcheswildcard(".", "*.") returns FALSE add a
+	 * explicit entry for "." when the name is "*".
+	 */
+	if (addroot) {
+		result = dns_order_add(order, dns_rootname, rdtype, rdclass,
+				       mode);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+
+	return (dns_order_add(order, dns_fixedname_name(&fixed), rdtype,
+			      rdclass, mode));
+}
+
+static isc_result_t
+configure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) {
+	isc_netaddr_t na;
+	dns_peer_t *peer;
+	const cfg_obj_t *obj;
+	const char *str;
+	isc_result_t result;
+	unsigned int prefixlen;
+
+	cfg_obj_asnetprefix(cfg_map_getname(cpeer), &na, &prefixlen);
+
+	peer = NULL;
+	result = dns_peer_newprefix(mctx, &na, prefixlen, &peer);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	obj = NULL;
+	(void)cfg_map_get(cpeer, "bogus", &obj);
+	if (obj != NULL) {
+		CHECK(dns_peer_setbogus(peer, cfg_obj_asboolean(obj)));
+	}
+
+	obj = NULL;
+	(void)cfg_map_get(cpeer, "provide-ixfr", &obj);
+	if (obj != NULL) {
+		CHECK(dns_peer_setprovideixfr(peer, cfg_obj_asboolean(obj)));
+	}
+
+	obj = NULL;
+	(void)cfg_map_get(cpeer, "request-expire", &obj);
+	if (obj != NULL) {
+		CHECK(dns_peer_setrequestexpire(peer, cfg_obj_asboolean(obj)));
+	}
+
+	obj = NULL;
+	(void)cfg_map_get(cpeer, "request-ixfr", &obj);
+	if (obj != NULL) {
+		CHECK(dns_peer_setrequestixfr(peer, cfg_obj_asboolean(obj)));
+	}
+
+	obj = NULL;
+	(void)cfg_map_get(cpeer, "request-nsid", &obj);
+	if (obj != NULL) {
+		CHECK(dns_peer_setrequestnsid(peer, cfg_obj_asboolean(obj)));
+	}
+
+	obj = NULL;
+	(void)cfg_map_get(cpeer, "send-cookie", &obj);
+	if (obj != NULL) {
+		CHECK(dns_peer_setsendcookie(peer, cfg_obj_asboolean(obj)));
+	}
+
+	obj = NULL;
+	(void)cfg_map_get(cpeer, "edns", &obj);
+	if (obj != NULL) {
+		CHECK(dns_peer_setsupportedns(peer, cfg_obj_asboolean(obj)));
+	}
+
+	obj = NULL;
+	(void)cfg_map_get(cpeer, "edns-udp-size", &obj);
+	if (obj != NULL) {
+		uint32_t udpsize = cfg_obj_asuint32(obj);
+		if (udpsize < 512U) {
+			udpsize = 512U;
+		}
+		if (udpsize > 4096U) {
+			udpsize = 4096U;
+		}
+		CHECK(dns_peer_setudpsize(peer, (uint16_t)udpsize));
+	}
+
+	obj = NULL;
+	(void)cfg_map_get(cpeer, "edns-version", &obj);
+	if (obj != NULL) {
+		uint32_t ednsversion = cfg_obj_asuint32(obj);
+		if (ednsversion > 255U) {
+			ednsversion = 255U;
+		}
+		CHECK(dns_peer_setednsversion(peer, (uint8_t)ednsversion));
+	}
+
+	obj = NULL;
+	(void)cfg_map_get(cpeer, "max-udp-size", &obj);
+	if (obj != NULL) {
+		uint32_t udpsize = cfg_obj_asuint32(obj);
+		if (udpsize < 512U) {
+			udpsize = 512U;
+		}
+		if (udpsize > 4096U) {
+			udpsize = 4096U;
+		}
+		CHECK(dns_peer_setmaxudp(peer, (uint16_t)udpsize));
+	}
+
+	obj = NULL;
+	(void)cfg_map_get(cpeer, "padding", &obj);
+	if (obj != NULL) {
+		uint32_t padding = cfg_obj_asuint32(obj);
+		if (padding > 512U) {
+			cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING,
+				    "server padding value cannot "
+				    "exceed 512: lowering");
+			padding = 512U;
+		}
+		CHECK(dns_peer_setpadding(peer, (uint16_t)padding));
+	}
+
+	obj = NULL;
+	(void)cfg_map_get(cpeer, "tcp-only", &obj);
+	if (obj != NULL) {
+		CHECK(dns_peer_setforcetcp(peer, cfg_obj_asboolean(obj)));
+	}
+
+	obj = NULL;
+	(void)cfg_map_get(cpeer, "tcp-keepalive", &obj);
+	if (obj != NULL) {
+		CHECK(dns_peer_settcpkeepalive(peer, cfg_obj_asboolean(obj)));
+	}
+
+	obj = NULL;
+	(void)cfg_map_get(cpeer, "transfers", &obj);
+	if (obj != NULL) {
+		CHECK(dns_peer_settransfers(peer, cfg_obj_asuint32(obj)));
+	}
+
+	obj = NULL;
+	(void)cfg_map_get(cpeer, "transfer-format", &obj);
+	if (obj != NULL) {
+		str = cfg_obj_asstring(obj);
+		if (strcasecmp(str, "many-answers") == 0) {
+			CHECK(dns_peer_settransferformat(peer,
+							 dns_many_answers));
+		} else if (strcasecmp(str, "one-answer") == 0) {
+			CHECK(dns_peer_settransferformat(peer, dns_one_answer));
+		} else {
+			UNREACHABLE();
+		}
+	}
+
+	obj = NULL;
+	(void)cfg_map_get(cpeer, "keys", &obj);
+	if (obj != NULL) {
+		result = dns_peer_setkeybycharp(peer, cfg_obj_asstring(obj));
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+	}
+
+	obj = NULL;
+	if (na.family == AF_INET) {
+		(void)cfg_map_get(cpeer, "transfer-source", &obj);
+	} else {
+		(void)cfg_map_get(cpeer, "transfer-source-v6", &obj);
+	}
+	if (obj != NULL) {
+		result = dns_peer_settransfersource(peer,
+						    cfg_obj_assockaddr(obj));
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+		result = dns_peer_settransferdscp(peer, cfg_obj_getdscp(obj));
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+		named_add_reserved_dispatch(named_g_server,
+					    cfg_obj_assockaddr(obj));
+	}
+
+	obj = NULL;
+	if (na.family == AF_INET) {
+		(void)cfg_map_get(cpeer, "notify-source", &obj);
+	} else {
+		(void)cfg_map_get(cpeer, "notify-source-v6", &obj);
+	}
+	if (obj != NULL) {
+		result = dns_peer_setnotifysource(peer,
+						  cfg_obj_assockaddr(obj));
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+		result = dns_peer_setnotifydscp(peer, cfg_obj_getdscp(obj));
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+		named_add_reserved_dispatch(named_g_server,
+					    cfg_obj_assockaddr(obj));
+	}
+
+	obj = NULL;
+	if (na.family == AF_INET) {
+		(void)cfg_map_get(cpeer, "query-source", &obj);
+	} else {
+		(void)cfg_map_get(cpeer, "query-source-v6", &obj);
+	}
+	if (obj != NULL) {
+		result = dns_peer_setquerysource(peer, cfg_obj_assockaddr(obj));
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+		result = dns_peer_setquerydscp(peer, cfg_obj_getdscp(obj));
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+		named_add_reserved_dispatch(named_g_server,
+					    cfg_obj_assockaddr(obj));
+	}
+
+	*peerp = peer;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	dns_peer_detach(&peer);
+	return (result);
+}
+
+#ifdef HAVE_DLOPEN
+static isc_result_t
+configure_dyndb(const cfg_obj_t *dyndb, isc_mem_t *mctx,
+		const dns_dyndbctx_t *dctx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	const cfg_obj_t *obj;
+	const char *name, *library;
+
+	/* Get the name of the dyndb instance and the library path . */
+	name = cfg_obj_asstring(cfg_tuple_get(dyndb, "name"));
+	library = cfg_obj_asstring(cfg_tuple_get(dyndb, "library"));
+
+	obj = cfg_tuple_get(dyndb, "parameters");
+	if (obj != NULL) {
+		result = dns_dyndb_load(library, name, cfg_obj_asstring(obj),
+					cfg_obj_file(obj), cfg_obj_line(obj),
+					mctx, dctx);
+	}
+
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+			      "dynamic database '%s' configuration failed: %s",
+			      name, isc_result_totext(result));
+	}
+	return (result);
+}
+#endif /* ifdef HAVE_DLOPEN */
+
+static isc_result_t
+disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) {
+	isc_result_t result;
+	const cfg_obj_t *algorithms;
+	const cfg_listelt_t *element;
+	const char *str;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	isc_buffer_t b;
+
+	name = dns_fixedname_initname(&fixed);
+	str = cfg_obj_asstring(cfg_tuple_get(disabled, "name"));
+	isc_buffer_constinit(&b, str, strlen(str));
+	isc_buffer_add(&b, strlen(str));
+	CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
+
+	algorithms = cfg_tuple_get(disabled, "algorithms");
+	for (element = cfg_list_first(algorithms); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		isc_textregion_t r;
+		dns_secalg_t alg;
+
+		DE_CONST(cfg_obj_asstring(cfg_listelt_value(element)), r.base);
+		r.length = strlen(r.base);
+
+		result = dns_secalg_fromtext(&alg, &r);
+		if (result != ISC_R_SUCCESS) {
+			uint8_t ui;
+			result = isc_parse_uint8(&ui, r.base, 10);
+			alg = ui;
+		}
+		if (result != ISC_R_SUCCESS) {
+			cfg_obj_log(cfg_listelt_value(element), named_g_lctx,
+				    ISC_LOG_ERROR, "invalid algorithm");
+			CHECK(result);
+		}
+		CHECK(dns_resolver_disable_algorithm(resolver, name, alg));
+	}
+cleanup:
+	return (result);
+}
+
+static isc_result_t
+disable_ds_digests(const cfg_obj_t *disabled, dns_resolver_t *resolver) {
+	isc_result_t result;
+	const cfg_obj_t *digests;
+	const cfg_listelt_t *element;
+	const char *str;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	isc_buffer_t b;
+
+	name = dns_fixedname_initname(&fixed);
+	str = cfg_obj_asstring(cfg_tuple_get(disabled, "name"));
+	isc_buffer_constinit(&b, str, strlen(str));
+	isc_buffer_add(&b, strlen(str));
+	CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
+
+	digests = cfg_tuple_get(disabled, "digests");
+	for (element = cfg_list_first(digests); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		isc_textregion_t r;
+		dns_dsdigest_t digest;
+
+		DE_CONST(cfg_obj_asstring(cfg_listelt_value(element)), r.base);
+		r.length = strlen(r.base);
+
+		/* disable_ds_digests handles numeric values. */
+		result = dns_dsdigest_fromtext(&digest, &r);
+		if (result != ISC_R_SUCCESS) {
+			cfg_obj_log(cfg_listelt_value(element), named_g_lctx,
+				    ISC_LOG_ERROR, "invalid algorithm");
+			CHECK(result);
+		}
+		CHECK(dns_resolver_disable_ds_digest(resolver, name, digest));
+	}
+cleanup:
+	return (result);
+}
+
+static bool
+on_disable_list(const cfg_obj_t *disablelist, dns_name_t *zonename) {
+	const cfg_listelt_t *element;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	isc_result_t result;
+	const cfg_obj_t *value;
+	const char *str;
+	isc_buffer_t b;
+
+	name = dns_fixedname_initname(&fixed);
+
+	for (element = cfg_list_first(disablelist); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		value = cfg_listelt_value(element);
+		str = cfg_obj_asstring(value);
+		isc_buffer_constinit(&b, str, strlen(str));
+		isc_buffer_add(&b, strlen(str));
+		result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		if (dns_name_equal(name, zonename)) {
+			return (true);
+		}
+	}
+	return (false);
+}
+
+static isc_result_t
+check_dbtype(dns_zone_t *zone, unsigned int dbtypec, const char **dbargv,
+	     isc_mem_t *mctx) {
+	char **argv = NULL;
+	unsigned int i;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	CHECK(dns_zone_getdbtype(zone, &argv, mctx));
+
+	/*
+	 * Check that all the arguments match.
+	 */
+	for (i = 0; i < dbtypec; i++) {
+		if (argv[i] == NULL || strcmp(argv[i], dbargv[i]) != 0) {
+			CHECK(ISC_R_FAILURE);
+
+			/*
+			 * Check that there are not extra arguments.
+			 */
+		}
+	}
+
+	/*
+	 * Check that there are not extra arguments.
+	 */
+	if (i == dbtypec && argv[i] != NULL) {
+		result = ISC_R_FAILURE;
+	}
+
+cleanup:
+	isc_mem_free(mctx, argv);
+	return (result);
+}
+
+static isc_result_t
+setquerystats(dns_zone_t *zone, isc_mem_t *mctx, dns_zonestat_level_t level) {
+	isc_result_t result;
+	isc_stats_t *zoneqrystats;
+
+	dns_zone_setstatlevel(zone, level);
+
+	zoneqrystats = NULL;
+	if (level == dns_zonestat_full) {
+		result = isc_stats_create(mctx, &zoneqrystats,
+					  ns_statscounter_max);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+	dns_zone_setrequeststats(zone, zoneqrystats);
+	if (zoneqrystats != NULL) {
+		isc_stats_detach(&zoneqrystats);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static named_cache_t *
+cachelist_find(named_cachelist_t *cachelist, const char *cachename,
+	       dns_rdataclass_t rdclass) {
+	named_cache_t *nsc;
+
+	for (nsc = ISC_LIST_HEAD(*cachelist); nsc != NULL;
+	     nsc = ISC_LIST_NEXT(nsc, link))
+	{
+		if (nsc->rdclass == rdclass &&
+		    strcmp(dns_cache_getname(nsc->cache), cachename) == 0)
+		{
+			return (nsc);
+		}
+	}
+
+	return (NULL);
+}
+
+static bool
+cache_reusable(dns_view_t *originview, dns_view_t *view,
+	       bool new_zero_no_soattl) {
+	if (originview->rdclass != view->rdclass ||
+	    originview->checknames != view->checknames ||
+	    dns_resolver_getzeronosoattl(originview->resolver) !=
+		    new_zero_no_soattl ||
+	    originview->acceptexpired != view->acceptexpired ||
+	    originview->enablevalidation != view->enablevalidation ||
+	    originview->maxcachettl != view->maxcachettl ||
+	    originview->maxncachettl != view->maxncachettl)
+	{
+		return (false);
+	}
+
+	return (true);
+}
+
+static bool
+cache_sharable(dns_view_t *originview, dns_view_t *view,
+	       bool new_zero_no_soattl, uint64_t new_max_cache_size,
+	       uint32_t new_stale_ttl, uint32_t new_stale_refresh_time) {
+	/*
+	 * If the cache cannot even reused for the same view, it cannot be
+	 * shared with other views.
+	 */
+	if (!cache_reusable(originview, view, new_zero_no_soattl)) {
+		return (false);
+	}
+
+	/*
+	 * Check other cache related parameters that must be consistent among
+	 * the sharing views.
+	 */
+	if (dns_cache_getservestalettl(originview->cache) != new_stale_ttl ||
+	    dns_cache_getservestalerefresh(originview->cache) !=
+		    new_stale_refresh_time ||
+	    dns_cache_getcachesize(originview->cache) != new_max_cache_size)
+	{
+		return (false);
+	}
+
+	return (true);
+}
+
+/*
+ * Callback from DLZ configure when the driver sets up a writeable zone
+ */
+static isc_result_t
+dlzconfigure_callback(dns_view_t *view, dns_dlzdb_t *dlzdb, dns_zone_t *zone) {
+	dns_name_t *origin = dns_zone_getorigin(zone);
+	dns_rdataclass_t zclass = view->rdclass;
+	isc_result_t result;
+
+	result = dns_zonemgr_managezone(named_g_server->zonemgr, zone);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	dns_zone_setstats(zone, named_g_server->zonestats);
+
+	return (named_zone_configure_writeable_dlz(dlzdb, zone, zclass,
+						   origin));
+}
+
+static isc_result_t
+dns64_reverse(dns_view_t *view, isc_mem_t *mctx, isc_netaddr_t *na,
+	      unsigned int prefixlen, const char *server, const char *contact) {
+	char reverse[48 + sizeof("ip6.arpa.")] = { 0 };
+	char buf[sizeof("x.x.")];
+	const char *dns64_dbtype[4] = { "_dns64", "dns64", ".", "." };
+	const char *sep = ": view ";
+	const char *viewname = view->name;
+	const unsigned char *s6;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	dns_zone_t *zone = NULL;
+	int dns64_dbtypec = 4;
+	isc_buffer_t b;
+	isc_result_t result;
+
+	REQUIRE(prefixlen == 32 || prefixlen == 40 || prefixlen == 48 ||
+		prefixlen == 56 || prefixlen == 64 || prefixlen == 96);
+
+	if (!strcmp(viewname, "_default")) {
+		sep = "";
+		viewname = "";
+	}
+
+	/*
+	 * Construct the reverse name of the zone.
+	 */
+	s6 = na->type.in6.s6_addr;
+	while (prefixlen > 0) {
+		prefixlen -= 8;
+		snprintf(buf, sizeof(buf), "%x.%x.", s6[prefixlen / 8] & 0xf,
+			 (s6[prefixlen / 8] >> 4) & 0xf);
+		strlcat(reverse, buf, sizeof(reverse));
+	}
+	strlcat(reverse, "ip6.arpa.", sizeof(reverse));
+
+	/*
+	 * Create the actual zone.
+	 */
+	if (server != NULL) {
+		dns64_dbtype[2] = server;
+	}
+	if (contact != NULL) {
+		dns64_dbtype[3] = contact;
+	}
+	name = dns_fixedname_initname(&fixed);
+	isc_buffer_constinit(&b, reverse, strlen(reverse));
+	isc_buffer_add(&b, strlen(reverse));
+	CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
+	CHECK(dns_zone_create(&zone, mctx));
+	CHECK(dns_zone_setorigin(zone, name));
+	dns_zone_setview(zone, view);
+	CHECK(dns_zonemgr_managezone(named_g_server->zonemgr, zone));
+	dns_zone_setclass(zone, view->rdclass);
+	dns_zone_settype(zone, dns_zone_primary);
+	dns_zone_setstats(zone, named_g_server->zonestats);
+	dns_zone_setdbtype(zone, dns64_dbtypec, dns64_dbtype);
+	if (view->queryacl != NULL) {
+		dns_zone_setqueryacl(zone, view->queryacl);
+	}
+	if (view->queryonacl != NULL) {
+		dns_zone_setqueryonacl(zone, view->queryonacl);
+	}
+	dns_zone_setdialup(zone, dns_dialuptype_no);
+	dns_zone_setnotifytype(zone, dns_notifytype_no);
+	dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS, true);
+	CHECK(setquerystats(zone, mctx, dns_zonestat_none)); /* XXXMPA */
+	CHECK(dns_view_addzone(view, zone));
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+		      "dns64 reverse zone%s%s: %s", sep, viewname, reverse);
+
+cleanup:
+	if (zone != NULL) {
+		dns_zone_detach(&zone);
+	}
+	return (result);
+}
+
+#ifdef USE_DNSRPS
+typedef struct conf_dnsrps_ctx conf_dnsrps_ctx_t;
+struct conf_dnsrps_ctx {
+	isc_result_t result;
+	char *cstr;
+	size_t cstr_size;
+	isc_mem_t *mctx;
+};
+
+/*
+ * Add to the DNSRPS configuration string.
+ */
+static bool
+conf_dnsrps_sadd(conf_dnsrps_ctx_t *ctx, const char *p, ...) {
+	size_t new_len, cur_len, new_cstr_size;
+	char *new_cstr;
+	va_list args;
+
+	if (ctx->cstr == NULL) {
+		ctx->cstr = isc_mem_get(ctx->mctx, 256);
+		ctx->cstr[0] = '\0';
+		ctx->cstr_size = 256;
+	}
+
+	cur_len = strlen(ctx->cstr);
+	va_start(args, p);
+	new_len = vsnprintf(ctx->cstr + cur_len, ctx->cstr_size - cur_len, p,
+			    args) +
+		  1;
+	va_end(args);
+
+	if (cur_len + new_len <= ctx->cstr_size) {
+		return (true);
+	}
+
+	new_cstr_size = ((cur_len + new_len) / 256 + 1) * 256;
+	new_cstr = isc_mem_get(ctx->mctx, new_cstr_size);
+
+	memmove(new_cstr, ctx->cstr, cur_len);
+	isc_mem_put(ctx->mctx, ctx->cstr, ctx->cstr_size);
+	ctx->cstr_size = new_cstr_size;
+	ctx->cstr = new_cstr;
+
+	/* cannot use args twice after a single va_start()on some systems */
+	va_start(args, p);
+	vsnprintf(ctx->cstr + cur_len, ctx->cstr_size - cur_len, p, args);
+	va_end(args);
+	return (true);
+}
+
+/*
+ * Get an DNSRPS configuration value using the global and view options
+ * for the default.  Return false upon failure.
+ */
+static bool
+conf_dnsrps_get(const cfg_obj_t **sub_obj, const cfg_obj_t **maps,
+		const cfg_obj_t *obj, const char *name,
+		conf_dnsrps_ctx_t *ctx) {
+	if (ctx != NULL && ctx->result != ISC_R_SUCCESS) {
+		*sub_obj = NULL;
+		return (false);
+	}
+
+	*sub_obj = cfg_tuple_get(obj, name);
+	if (cfg_obj_isvoid(*sub_obj)) {
+		*sub_obj = NULL;
+		if (maps != NULL &&
+		    ISC_R_SUCCESS != named_config_get(maps, name, sub_obj))
+		{
+			*sub_obj = NULL;
+		}
+	}
+	return (true);
+}
+
+/*
+ * Handle a DNSRPS boolean configuration value with the global and view
+ * options providing the default.
+ */
+static void
+conf_dnsrps_yes_no(const cfg_obj_t *obj, const char *name,
+		   conf_dnsrps_ctx_t *ctx) {
+	const cfg_obj_t *sub_obj;
+
+	if (!conf_dnsrps_get(&sub_obj, NULL, obj, name, ctx)) {
+		return;
+	}
+	if (sub_obj == NULL) {
+		return;
+	}
+	if (ctx == NULL) {
+		cfg_obj_log(obj, named_g_lctx, ISC_LOG_ERROR,
+			    "\"%s\" without \"dnsrps-enable yes\"", name);
+		return;
+	}
+
+	conf_dnsrps_sadd(ctx, " %s %s", name,
+			 cfg_obj_asboolean(sub_obj) ? "yes" : "no");
+}
+
+static void
+conf_dnsrps_num(const cfg_obj_t *obj, const char *name,
+		conf_dnsrps_ctx_t *ctx) {
+	const cfg_obj_t *sub_obj;
+
+	if (!conf_dnsrps_get(&sub_obj, NULL, obj, name, ctx)) {
+		return;
+	}
+	if (sub_obj == NULL) {
+		return;
+	}
+	if (ctx == NULL) {
+		cfg_obj_log(obj, named_g_lctx, ISC_LOG_ERROR,
+			    "\"%s\" without \"dnsrps-enable yes\"", name);
+		return;
+	}
+
+	if (cfg_obj_isduration(sub_obj)) {
+		conf_dnsrps_sadd(ctx, " %s %d", name,
+				 cfg_obj_asduration(sub_obj));
+	} else {
+		conf_dnsrps_sadd(ctx, " %s %d", name,
+				 cfg_obj_asuint32(sub_obj));
+	}
+}
+
+/*
+ * Convert the parsed RPZ configuration statement to a string for
+ * dns_rpz_new_zones().
+ */
+static isc_result_t
+conf_dnsrps(dns_view_t *view, const cfg_obj_t **maps, bool nsip_enabled,
+	    bool nsdname_enabled, dns_rpz_zbits_t *nsip_on,
+	    dns_rpz_zbits_t *nsdname_on, char **rps_cstr, size_t *rps_cstr_size,
+	    const cfg_obj_t *rpz_obj, const cfg_listelt_t *zone_element) {
+	conf_dnsrps_ctx_t ctx;
+	const cfg_obj_t *zone_obj, *obj;
+	dns_rpz_num_t rpz_num;
+	bool on;
+	const char *s;
+
+	memset(&ctx, 0, sizeof(ctx));
+	ctx.result = ISC_R_SUCCESS;
+	ctx.mctx = view->mctx;
+
+	for (rpz_num = 0; zone_element != NULL && ctx.result == ISC_R_SUCCESS;
+	     ++rpz_num)
+	{
+		zone_obj = cfg_listelt_value(zone_element);
+
+		s = cfg_obj_asstring(cfg_tuple_get(zone_obj, "zone name"));
+		conf_dnsrps_sadd(&ctx, "zone \"%s\"", s);
+
+		obj = cfg_tuple_get(zone_obj, "policy");
+		if (!cfg_obj_isvoid(obj)) {
+			s = cfg_obj_asstring(cfg_tuple_get(obj, "policy name"));
+			conf_dnsrps_sadd(&ctx, " policy %s", s);
+			if (strcasecmp(s, "cname") == 0) {
+				s = cfg_obj_asstring(
+					cfg_tuple_get(obj, "cname"));
+				conf_dnsrps_sadd(&ctx, " %s", s);
+			}
+		}
+
+		conf_dnsrps_yes_no(zone_obj, "recursive-only", &ctx);
+		conf_dnsrps_yes_no(zone_obj, "log", &ctx);
+		conf_dnsrps_num(zone_obj, "max-policy-ttl", &ctx);
+		obj = cfg_tuple_get(rpz_obj, "nsip-enable");
+		if (!cfg_obj_isvoid(obj)) {
+			if (cfg_obj_asboolean(obj)) {
+				*nsip_on |= DNS_RPZ_ZBIT(rpz_num);
+			} else {
+				*nsip_on &= ~DNS_RPZ_ZBIT(rpz_num);
+			}
+		}
+		on = ((*nsip_on & DNS_RPZ_ZBIT(rpz_num)) != 0);
+		if (nsip_enabled != on) {
+			conf_dnsrps_sadd(&ctx, on ? " nsip-enable yes "
+						  : " nsip-enable no ");
+		}
+		obj = cfg_tuple_get(rpz_obj, "nsdname-enable");
+		if (!cfg_obj_isvoid(obj)) {
+			if (cfg_obj_asboolean(obj)) {
+				*nsdname_on |= DNS_RPZ_ZBIT(rpz_num);
+			} else {
+				*nsdname_on &= ~DNS_RPZ_ZBIT(rpz_num);
+			}
+		}
+		on = ((*nsdname_on & DNS_RPZ_ZBIT(rpz_num)) != 0);
+		if (nsdname_enabled != on) {
+			conf_dnsrps_sadd(&ctx, on ? " nsdname-enable yes "
+						  : " nsdname-enable no ");
+		}
+		conf_dnsrps_sadd(&ctx, ";\n");
+		zone_element = cfg_list_next(zone_element);
+	}
+
+	conf_dnsrps_yes_no(rpz_obj, "recursive-only", &ctx);
+	conf_dnsrps_num(rpz_obj, "max-policy-ttl", &ctx);
+	conf_dnsrps_num(rpz_obj, "min-ns-dots", &ctx);
+	conf_dnsrps_yes_no(rpz_obj, "qname-wait-recurse", &ctx);
+	conf_dnsrps_yes_no(rpz_obj, "break-dnssec", &ctx);
+	if (!nsip_enabled) {
+		conf_dnsrps_sadd(&ctx, " nsip-enable no ");
+	}
+	if (!nsdname_enabled) {
+		conf_dnsrps_sadd(&ctx, " nsdname-enable no ");
+	}
+
+	/*
+	 * Get the general dnsrpzd parameters from the response-policy
+	 * statement in the view and the general options.
+	 */
+	if (conf_dnsrps_get(&obj, maps, rpz_obj, "dnsrps-options", &ctx) &&
+	    obj != NULL)
+	{
+		conf_dnsrps_sadd(&ctx, " %s\n", cfg_obj_asstring(obj));
+	}
+
+	if (ctx.result == ISC_R_SUCCESS) {
+		*rps_cstr = ctx.cstr;
+		*rps_cstr_size = ctx.cstr_size;
+	} else {
+		if (ctx.cstr != NULL) {
+			isc_mem_put(ctx.mctx, ctx.cstr, ctx.cstr_size);
+		}
+		*rps_cstr = NULL;
+		*rps_cstr_size = 0;
+	}
+	return (ctx.result);
+}
+#endif /* ifdef USE_DNSRPS */
+
+static isc_result_t
+configure_rpz_name(dns_view_t *view, const cfg_obj_t *obj, dns_name_t *name,
+		   const char *str, const char *msg) {
+	isc_result_t result;
+
+	result = dns_name_fromstring(name, str, DNS_NAME_DOWNCASE, view->mctx);
+	if (result != ISC_R_SUCCESS) {
+		cfg_obj_log(obj, named_g_lctx, DNS_RPZ_ERROR_LEVEL,
+			    "invalid %s '%s'", msg, str);
+	}
+	return (result);
+}
+
+static isc_result_t
+configure_rpz_name2(dns_view_t *view, const cfg_obj_t *obj, dns_name_t *name,
+		    const char *str, const dns_name_t *origin) {
+	isc_result_t result;
+
+	result = dns_name_fromstring2(name, str, origin, DNS_NAME_DOWNCASE,
+				      view->mctx);
+	if (result != ISC_R_SUCCESS) {
+		cfg_obj_log(obj, named_g_lctx, DNS_RPZ_ERROR_LEVEL,
+			    "invalid zone '%s'", str);
+	}
+	return (result);
+}
+
+static isc_result_t
+configure_rpz_zone(dns_view_t *view, const cfg_listelt_t *element,
+		   bool recursive_only_default, bool add_soa_default,
+		   dns_ttl_t ttl_default, uint32_t minupdateinterval_default,
+		   const dns_rpz_zone_t *old, bool *old_rpz_okp) {
+	const cfg_obj_t *rpz_obj, *obj;
+	const char *str;
+	dns_rpz_zone_t *zone = NULL;
+	isc_result_t result;
+	dns_rpz_num_t rpz_num;
+
+	REQUIRE(old != NULL || !*old_rpz_okp);
+
+	rpz_obj = cfg_listelt_value(element);
+
+	if (view->rpzs->p.num_zones >= DNS_RPZ_MAX_ZONES) {
+		cfg_obj_log(rpz_obj, named_g_lctx, DNS_RPZ_ERROR_LEVEL,
+			    "limit of %d response policy zones exceeded",
+			    DNS_RPZ_MAX_ZONES);
+		return (ISC_R_FAILURE);
+	}
+
+	result = dns_rpz_new_zone(view->rpzs, &zone);
+	if (result != ISC_R_SUCCESS) {
+		cfg_obj_log(rpz_obj, named_g_lctx, DNS_RPZ_ERROR_LEVEL,
+			    "Error creating new RPZ zone : %s",
+			    isc_result_totext(result));
+		return (result);
+	}
+
+	obj = cfg_tuple_get(rpz_obj, "recursive-only");
+	if (cfg_obj_isvoid(obj) ? recursive_only_default
+				: cfg_obj_asboolean(obj))
+	{
+		view->rpzs->p.no_rd_ok &= ~DNS_RPZ_ZBIT(zone->num);
+	} else {
+		view->rpzs->p.no_rd_ok |= DNS_RPZ_ZBIT(zone->num);
+	}
+
+	obj = cfg_tuple_get(rpz_obj, "log");
+	if (!cfg_obj_isvoid(obj) && !cfg_obj_asboolean(obj)) {
+		view->rpzs->p.no_log |= DNS_RPZ_ZBIT(zone->num);
+	} else {
+		view->rpzs->p.no_log &= ~DNS_RPZ_ZBIT(zone->num);
+	}
+
+	obj = cfg_tuple_get(rpz_obj, "max-policy-ttl");
+	if (cfg_obj_isduration(obj)) {
+		zone->max_policy_ttl = cfg_obj_asduration(obj);
+	} else {
+		zone->max_policy_ttl = ttl_default;
+	}
+	if (*old_rpz_okp && zone->max_policy_ttl != old->max_policy_ttl) {
+		*old_rpz_okp = false;
+	}
+
+	obj = cfg_tuple_get(rpz_obj, "min-update-interval");
+	if (cfg_obj_isduration(obj)) {
+		zone->min_update_interval = cfg_obj_asduration(obj);
+	} else {
+		zone->min_update_interval = minupdateinterval_default;
+	}
+	if (*old_rpz_okp &&
+	    zone->min_update_interval != old->min_update_interval)
+	{
+		*old_rpz_okp = false;
+	}
+
+	str = cfg_obj_asstring(cfg_tuple_get(rpz_obj, "zone name"));
+	result = configure_rpz_name(view, rpz_obj, &zone->origin, str, "zone");
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	if (dns_name_equal(&zone->origin, dns_rootname)) {
+		cfg_obj_log(rpz_obj, named_g_lctx, DNS_RPZ_ERROR_LEVEL,
+			    "invalid zone name '%s'", str);
+		return (DNS_R_EMPTYLABEL);
+	}
+	if (!view->rpzs->p.dnsrps_enabled) {
+		for (rpz_num = 0; rpz_num < view->rpzs->p.num_zones - 1;
+		     ++rpz_num)
+		{
+			if (dns_name_equal(&view->rpzs->zones[rpz_num]->origin,
+					   &zone->origin))
+			{
+				cfg_obj_log(rpz_obj, named_g_lctx,
+					    DNS_RPZ_ERROR_LEVEL,
+					    "duplicate '%s'", str);
+				result = DNS_R_DUPLICATE;
+				return (result);
+			}
+		}
+	}
+	if (*old_rpz_okp && !dns_name_equal(&old->origin, &zone->origin)) {
+		*old_rpz_okp = false;
+	}
+
+	result = configure_rpz_name2(view, rpz_obj, &zone->client_ip,
+				     DNS_RPZ_CLIENT_IP_ZONE, &zone->origin);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = configure_rpz_name2(view, rpz_obj, &zone->ip, DNS_RPZ_IP_ZONE,
+				     &zone->origin);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = configure_rpz_name2(view, rpz_obj, &zone->nsdname,
+				     DNS_RPZ_NSDNAME_ZONE, &zone->origin);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = configure_rpz_name2(view, rpz_obj, &zone->nsip,
+				     DNS_RPZ_NSIP_ZONE, &zone->origin);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = configure_rpz_name(view, rpz_obj, &zone->passthru,
+				    DNS_RPZ_PASSTHRU_NAME, "name");
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = configure_rpz_name(view, rpz_obj, &zone->drop,
+				    DNS_RPZ_DROP_NAME, "name");
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = configure_rpz_name(view, rpz_obj, &zone->tcp_only,
+				    DNS_RPZ_TCP_ONLY_NAME, "name");
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	obj = cfg_tuple_get(rpz_obj, "policy");
+	if (cfg_obj_isvoid(obj)) {
+		zone->policy = DNS_RPZ_POLICY_GIVEN;
+	} else {
+		str = cfg_obj_asstring(cfg_tuple_get(obj, "policy name"));
+		zone->policy = dns_rpz_str2policy(str);
+		INSIST(zone->policy != DNS_RPZ_POLICY_ERROR);
+		if (zone->policy == DNS_RPZ_POLICY_CNAME) {
+			str = cfg_obj_asstring(cfg_tuple_get(obj, "cname"));
+			result = configure_rpz_name(view, rpz_obj, &zone->cname,
+						    str, "cname");
+			if (result != ISC_R_SUCCESS) {
+				return (result);
+			}
+		}
+	}
+	if (*old_rpz_okp && (zone->policy != old->policy ||
+			     !dns_name_equal(&old->cname, &zone->cname)))
+	{
+		*old_rpz_okp = false;
+	}
+
+	obj = cfg_tuple_get(rpz_obj, "add-soa");
+	if (cfg_obj_isvoid(obj)) {
+		zone->addsoa = add_soa_default;
+	} else {
+		zone->addsoa = cfg_obj_asboolean(obj);
+	}
+	if (*old_rpz_okp && zone->addsoa != old->addsoa) {
+		*old_rpz_okp = false;
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+configure_rpz(dns_view_t *view, dns_view_t *pview, const cfg_obj_t **maps,
+	      const cfg_obj_t *rpz_obj, bool *old_rpz_okp) {
+	bool dnsrps_enabled;
+	const cfg_listelt_t *zone_element;
+	char *rps_cstr;
+	size_t rps_cstr_size;
+	const cfg_obj_t *sub_obj;
+	bool recursive_only_default, add_soa_default;
+	bool nsip_enabled, nsdname_enabled;
+	dns_rpz_zbits_t nsip_on, nsdname_on;
+	dns_ttl_t ttl_default;
+	uint32_t minupdateinterval_default;
+	dns_rpz_zones_t *zones;
+	const dns_rpz_zones_t *old;
+	bool pview_must_detach = false;
+	const dns_rpz_zone_t *old_zone;
+	isc_result_t result;
+	int i;
+
+	*old_rpz_okp = false;
+
+	zone_element = cfg_list_first(cfg_tuple_get(rpz_obj, "zone list"));
+	if (zone_element == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+
+	nsip_enabled = true;
+	sub_obj = cfg_tuple_get(rpz_obj, "nsip-enable");
+	if (!cfg_obj_isvoid(sub_obj)) {
+		nsip_enabled = cfg_obj_asboolean(sub_obj);
+	}
+	nsip_on = nsip_enabled ? DNS_RPZ_ALL_ZBITS : 0;
+
+	nsdname_enabled = true;
+	sub_obj = cfg_tuple_get(rpz_obj, "nsdname-enable");
+	if (!cfg_obj_isvoid(sub_obj)) {
+		nsdname_enabled = cfg_obj_asboolean(sub_obj);
+	}
+	nsdname_on = nsdname_enabled ? DNS_RPZ_ALL_ZBITS : 0;
+
+	/*
+	 * "dnsrps-enable yes|no" can be either a global or response-policy
+	 * clause.
+	 */
+	dnsrps_enabled = false;
+	rps_cstr = NULL;
+	rps_cstr_size = 0;
+	sub_obj = NULL;
+	(void)named_config_get(maps, "dnsrps-enable", &sub_obj);
+	if (sub_obj != NULL) {
+		dnsrps_enabled = cfg_obj_asboolean(sub_obj);
+	}
+	sub_obj = cfg_tuple_get(rpz_obj, "dnsrps-enable");
+	if (!cfg_obj_isvoid(sub_obj)) {
+		dnsrps_enabled = cfg_obj_asboolean(sub_obj);
+	}
+#ifndef USE_DNSRPS
+	if (dnsrps_enabled) {
+		cfg_obj_log(rpz_obj, named_g_lctx, DNS_RPZ_ERROR_LEVEL,
+			    "\"dnsrps-enable yes\" but"
+			    " without `./configure --enable-dnsrps`");
+		return (ISC_R_FAILURE);
+	}
+#else  /* ifndef USE_DNSRPS */
+	if (dnsrps_enabled) {
+		if (librpz == NULL) {
+			cfg_obj_log(rpz_obj, named_g_lctx, DNS_RPZ_ERROR_LEVEL,
+				    "\"dnsrps-enable yes\" but %s",
+				    librpz_lib_open_emsg.c);
+			return (ISC_R_FAILURE);
+		}
+
+		/*
+		 * Generate the DNS Response Policy Service
+		 * configuration string.
+		 */
+		result = conf_dnsrps(view, maps, nsip_enabled, nsdname_enabled,
+				     &nsip_on, &nsdname_on, &rps_cstr,
+				     &rps_cstr_size, rpz_obj, zone_element);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+#endif /* ifndef USE_DNSRPS */
+
+	result = dns_rpz_new_zones(&view->rpzs, rps_cstr, rps_cstr_size,
+				   view->mctx, named_g_taskmgr,
+				   named_g_timermgr);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	zones = view->rpzs;
+
+	zones->p.nsip_on = nsip_on;
+	zones->p.nsdname_on = nsdname_on;
+
+	sub_obj = cfg_tuple_get(rpz_obj, "recursive-only");
+	if (!cfg_obj_isvoid(sub_obj) && !cfg_obj_asboolean(sub_obj)) {
+		recursive_only_default = false;
+	} else {
+		recursive_only_default = true;
+	}
+
+	sub_obj = cfg_tuple_get(rpz_obj, "add-soa");
+	if (!cfg_obj_isvoid(sub_obj) && !cfg_obj_asboolean(sub_obj)) {
+		add_soa_default = false;
+	} else {
+		add_soa_default = true;
+	}
+
+	sub_obj = cfg_tuple_get(rpz_obj, "break-dnssec");
+	if (!cfg_obj_isvoid(sub_obj) && cfg_obj_asboolean(sub_obj)) {
+		zones->p.break_dnssec = true;
+	} else {
+		zones->p.break_dnssec = false;
+	}
+
+	sub_obj = cfg_tuple_get(rpz_obj, "max-policy-ttl");
+	if (cfg_obj_isduration(sub_obj)) {
+		ttl_default = cfg_obj_asduration(sub_obj);
+	} else {
+		ttl_default = DNS_RPZ_MAX_TTL_DEFAULT;
+	}
+
+	sub_obj = cfg_tuple_get(rpz_obj, "min-update-interval");
+	if (cfg_obj_isduration(sub_obj)) {
+		minupdateinterval_default = cfg_obj_asduration(sub_obj);
+	} else {
+		minupdateinterval_default = DNS_RPZ_MINUPDATEINTERVAL_DEFAULT;
+	}
+
+	sub_obj = cfg_tuple_get(rpz_obj, "min-ns-dots");
+	if (cfg_obj_isuint32(sub_obj)) {
+		zones->p.min_ns_labels = cfg_obj_asuint32(sub_obj) + 1;
+	} else {
+		zones->p.min_ns_labels = 2;
+	}
+
+	sub_obj = cfg_tuple_get(rpz_obj, "qname-wait-recurse");
+	if (cfg_obj_isvoid(sub_obj) || cfg_obj_asboolean(sub_obj)) {
+		zones->p.qname_wait_recurse = true;
+	} else {
+		zones->p.qname_wait_recurse = false;
+	}
+
+	sub_obj = cfg_tuple_get(rpz_obj, "nsip-wait-recurse");
+	if (cfg_obj_isvoid(sub_obj) || cfg_obj_asboolean(sub_obj)) {
+		zones->p.nsip_wait_recurse = true;
+	} else {
+		zones->p.nsip_wait_recurse = false;
+	}
+
+	if (pview != NULL) {
+		old = pview->rpzs;
+	} else {
+		result = dns_viewlist_find(&named_g_server->viewlist,
+					   view->name, view->rdclass, &pview);
+		if (result == ISC_R_SUCCESS) {
+			pview_must_detach = true;
+			old = pview->rpzs;
+		} else {
+			old = NULL;
+		}
+	}
+
+	if (old == NULL) {
+		*old_rpz_okp = false;
+	} else {
+		*old_rpz_okp = true;
+	}
+
+	for (i = 0; zone_element != NULL;
+	     ++i, zone_element = cfg_list_next(zone_element))
+	{
+		INSIST(!*old_rpz_okp || old != NULL);
+		if (*old_rpz_okp && i < old->p.num_zones) {
+			old_zone = old->zones[i];
+		} else {
+			*old_rpz_okp = false;
+			old_zone = NULL;
+		}
+		result = configure_rpz_zone(
+			view, zone_element, recursive_only_default,
+			add_soa_default, ttl_default, minupdateinterval_default,
+			old_zone, old_rpz_okp);
+		if (result != ISC_R_SUCCESS) {
+			if (pview_must_detach) {
+				dns_view_detach(&pview);
+			}
+			return (result);
+		}
+	}
+
+	/*
+	 * If this is a reloading and the parameters and list of policy
+	 * zones are unchanged, then use the same policy data.
+	 * Data for individual zones that must be reloaded will be merged.
+	 */
+	if (*old_rpz_okp) {
+		if (old != NULL &&
+		    memcmp(&old->p, &zones->p, sizeof(zones->p)) != 0)
+		{
+			*old_rpz_okp = false;
+		} else if ((old == NULL || old->rps_cstr == NULL) !=
+			   (zones->rps_cstr == NULL))
+		{
+			*old_rpz_okp = false;
+		} else if (old != NULL && zones->rps_cstr != NULL &&
+			   strcmp(old->rps_cstr, zones->rps_cstr) != 0)
+		{
+			*old_rpz_okp = false;
+		}
+	}
+
+	if (*old_rpz_okp) {
+		dns_rpz_detach_rpzs(&view->rpzs);
+		dns_rpz_attach_rpzs(pview->rpzs, &view->rpzs);
+		dns_rpz_detach_rpzs(&pview->rpzs);
+	} else if (old != NULL && pview != NULL) {
+		++pview->rpzs->rpz_ver;
+		view->rpzs->rpz_ver = pview->rpzs->rpz_ver;
+		cfg_obj_log(rpz_obj, named_g_lctx, DNS_RPZ_DEBUG_LEVEL1,
+			    "updated RPZ policy: version %d",
+			    view->rpzs->rpz_ver);
+	}
+
+	if (pview_must_detach) {
+		dns_view_detach(&pview);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+catz_addmodzone_taskaction(isc_task_t *task, isc_event_t *event0) {
+	catz_chgzone_event_t *ev = (catz_chgzone_event_t *)event0;
+	isc_result_t result;
+	isc_buffer_t namebuf;
+	isc_buffer_t *confbuf;
+	char nameb[DNS_NAME_FORMATSIZE];
+	const cfg_obj_t *zlist = NULL;
+	cfg_obj_t *zoneconf = NULL;
+	cfg_obj_t *zoneobj = NULL;
+	ns_cfgctx_t *cfg;
+	dns_zone_t *zone = NULL;
+
+	cfg = (ns_cfgctx_t *)ev->view->new_zone_config;
+	if (cfg == NULL) {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+			      "catz: allow-new-zones statement missing from "
+			      "config; cannot add zone from the catalog");
+		goto cleanup;
+	}
+
+	isc_buffer_init(&namebuf, nameb, DNS_NAME_FORMATSIZE);
+	dns_name_totext(dns_catz_entry_getname(ev->entry), true, &namebuf);
+	isc_buffer_putuint8(&namebuf, 0);
+
+	/* Zone shouldn't already exist */
+	result = dns_zt_find(ev->view->zonetable,
+			     dns_catz_entry_getname(ev->entry), 0, NULL, &zone);
+
+	if (ev->mod) {
+		if (result != ISC_R_SUCCESS) {
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING,
+				      "catz: error \"%s\" while trying to "
+				      "modify zone \"%s\"",
+				      isc_result_totext(result), nameb);
+			goto cleanup;
+		} else {
+			if (!dns_zone_getadded(zone)) {
+				isc_log_write(
+					named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+					NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING,
+					"catz: "
+					"catz_addmodzone_taskaction: "
+					"zone '%s' is not a dynamically "
+					"added zone",
+					nameb);
+				goto cleanup;
+			}
+			if (dns_zone_get_parentcatz(zone) != ev->origin) {
+				isc_log_write(
+					named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+					NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING,
+					"catz: catz_delzone_taskaction: "
+					"zone '%s' exists in multiple "
+					"catalog zones",
+					nameb);
+				goto cleanup;
+			}
+			dns_zone_detach(&zone);
+		}
+	} else {
+		if (result == ISC_R_SUCCESS) {
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+				      "catz: zone \"%s\" is overridden "
+				      "by explicitly configured zone",
+				      nameb);
+			goto cleanup;
+		} else if (result != ISC_R_NOTFOUND &&
+			   result != DNS_R_PARTIALMATCH)
+		{
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING,
+				      "catz: error \"%s\" while trying to "
+				      "add zone \"%s\"",
+				      isc_result_totext(result), nameb);
+			goto cleanup;
+		} else { /* this can happen in case of DNS_R_PARTIALMATCH */
+			if (zone != NULL) {
+				dns_zone_detach(&zone);
+			}
+		}
+	}
+	RUNTIME_CHECK(zone == NULL);
+	/* Create a config for new zone */
+	confbuf = NULL;
+	result = dns_catz_generate_zonecfg(ev->origin, ev->entry, &confbuf);
+	if (result == ISC_R_SUCCESS) {
+		cfg_parser_reset(cfg->add_parser);
+		result = cfg_parse_buffer(cfg->add_parser, confbuf, "catz", 0,
+					  &cfg_type_addzoneconf, 0, &zoneconf);
+		isc_buffer_free(&confbuf);
+	}
+	/*
+	 * Fail if either dns_catz_generate_zonecfg() or cfg_parse_buffer3()
+	 * failed.
+	 */
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+			      "catz: error \"%s\" while trying to generate "
+			      "config for zone \"%s\"",
+			      isc_result_totext(result), nameb);
+		goto cleanup;
+	}
+	CHECK(cfg_map_get(zoneconf, "zone", &zlist));
+	if (!cfg_obj_islist(zlist)) {
+		CHECK(ISC_R_FAILURE);
+	}
+
+	/* For now we only support adding one zone at a time */
+	zoneobj = cfg_listelt_value(cfg_list_first(zlist));
+
+	/* Mark view unfrozen so that zone can be added */
+
+	result = isc_task_beginexclusive(task);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	dns_view_thaw(ev->view);
+	result = configure_zone(
+		cfg->config, zoneobj, cfg->vconfig, ev->cbd->server->mctx,
+		ev->view, &ev->cbd->server->viewlist,
+		&ev->cbd->server->kasplist, cfg->actx, true, false, ev->mod);
+	dns_view_freeze(ev->view);
+	isc_task_endexclusive(task);
+
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING,
+			      "catz: failed to configure zone \"%s\" - %d",
+			      nameb, result);
+		goto cleanup;
+	}
+
+	/* Is it there yet? */
+	CHECK(dns_zt_find(ev->view->zonetable,
+			  dns_catz_entry_getname(ev->entry), 0, NULL, &zone));
+
+	/*
+	 * Load the zone from the master file.	If this fails, we'll
+	 * need to undo the configuration we've done already.
+	 */
+	result = dns_zone_load(zone, true);
+	if (result != ISC_R_SUCCESS) {
+		dns_db_t *dbp = NULL;
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+			      "catz: dns_zone_load() failed "
+			      "with %s; reverting.",
+			      isc_result_totext(result));
+
+		/* If the zone loaded partially, unload it */
+		if (dns_zone_getdb(zone, &dbp) == ISC_R_SUCCESS) {
+			dns_db_detach(&dbp);
+			dns_zone_unload(zone);
+		}
+
+		/* Remove the zone from the zone table */
+		dns_zt_unmount(ev->view->zonetable, zone);
+		goto cleanup;
+	}
+
+	/* Flag the zone as having been added at runtime */
+	dns_zone_setadded(zone, true);
+	dns_zone_set_parentcatz(zone, ev->origin);
+
+cleanup:
+	if (zone != NULL) {
+		dns_zone_detach(&zone);
+	}
+	if (zoneconf != NULL) {
+		cfg_obj_destroy(cfg->add_parser, &zoneconf);
+	}
+	dns_catz_entry_detach(ev->origin, &ev->entry);
+	dns_catz_zone_detach(&ev->origin);
+	dns_view_detach(&ev->view);
+	isc_event_free(ISC_EVENT_PTR(&ev));
+}
+
+static void
+catz_delzone_taskaction(isc_task_t *task, isc_event_t *event0) {
+	catz_chgzone_event_t *ev = (catz_chgzone_event_t *)event0;
+	isc_result_t result;
+	dns_zone_t *zone = NULL;
+	dns_db_t *dbp = NULL;
+	char cname[DNS_NAME_FORMATSIZE];
+	const char *file;
+
+	result = isc_task_beginexclusive(task);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	dns_name_format(dns_catz_entry_getname(ev->entry), cname,
+			DNS_NAME_FORMATSIZE);
+	result = dns_zt_find(ev->view->zonetable,
+			     dns_catz_entry_getname(ev->entry), 0, NULL, &zone);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING,
+			      "catz: catz_delzone_taskaction: "
+			      "zone '%s' not found",
+			      cname);
+		goto cleanup;
+	}
+
+	if (!dns_zone_getadded(zone)) {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING,
+			      "catz: catz_delzone_taskaction: "
+			      "zone '%s' is not a dynamically added zone",
+			      cname);
+		goto cleanup;
+	}
+
+	if (dns_zone_get_parentcatz(zone) != ev->origin) {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING,
+			      "catz: catz_delzone_taskaction: zone "
+			      "'%s' exists in multiple catalog zones",
+			      cname);
+		goto cleanup;
+	}
+
+	/* Stop answering for this zone */
+	if (dns_zone_getdb(zone, &dbp) == ISC_R_SUCCESS) {
+		dns_db_detach(&dbp);
+		dns_zone_unload(zone);
+	}
+
+	CHECK(dns_zt_unmount(ev->view->zonetable, zone));
+	file = dns_zone_getfile(zone);
+	if (file != NULL) {
+		isc_file_remove(file);
+		file = dns_zone_getjournal(zone);
+		if (file != NULL) {
+			isc_file_remove(file);
+		}
+	}
+
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING,
+		      "catz: catz_delzone_taskaction: "
+		      "zone '%s' deleted",
+		      cname);
+cleanup:
+	isc_task_endexclusive(task);
+	if (zone != NULL) {
+		dns_zone_detach(&zone);
+	}
+	dns_catz_entry_detach(ev->origin, &ev->entry);
+	dns_catz_zone_detach(&ev->origin);
+	dns_view_detach(&ev->view);
+	isc_event_free(ISC_EVENT_PTR(&ev));
+}
+
+static isc_result_t
+catz_create_chg_task(dns_catz_entry_t *entry, dns_catz_zone_t *origin,
+		     dns_view_t *view, isc_taskmgr_t *taskmgr, void *udata,
+		     isc_eventtype_t type) {
+	catz_chgzone_event_t *event = NULL;
+	isc_task_t *task = NULL;
+	isc_result_t result;
+	isc_taskaction_t action = NULL;
+
+	result = isc_taskmgr_excltask(taskmgr, &task);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	switch (type) {
+	case DNS_EVENT_CATZADDZONE:
+	case DNS_EVENT_CATZMODZONE:
+		action = catz_addmodzone_taskaction;
+		break;
+	case DNS_EVENT_CATZDELZONE:
+		action = catz_delzone_taskaction;
+		break;
+	default:
+		REQUIRE(0);
+		UNREACHABLE();
+	}
+
+	event = (catz_chgzone_event_t *)isc_event_allocate(
+		view->mctx, origin, type, action, NULL, sizeof(*event));
+
+	event->cbd = (catz_cb_data_t *)udata;
+	event->entry = NULL;
+	event->origin = NULL;
+	event->view = NULL;
+	event->mod = (type == DNS_EVENT_CATZMODZONE);
+
+	dns_catz_entry_attach(entry, &event->entry);
+	dns_catz_zone_attach(origin, &event->origin);
+	dns_view_attach(view, &event->view);
+
+	isc_task_send(task, ISC_EVENT_PTR(&event));
+	isc_task_detach(&task);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+catz_addzone(dns_catz_entry_t *entry, dns_catz_zone_t *origin, dns_view_t *view,
+	     isc_taskmgr_t *taskmgr, void *udata) {
+	return (catz_create_chg_task(entry, origin, view, taskmgr, udata,
+				     DNS_EVENT_CATZADDZONE));
+}
+
+static isc_result_t
+catz_delzone(dns_catz_entry_t *entry, dns_catz_zone_t *origin, dns_view_t *view,
+	     isc_taskmgr_t *taskmgr, void *udata) {
+	return (catz_create_chg_task(entry, origin, view, taskmgr, udata,
+				     DNS_EVENT_CATZDELZONE));
+}
+
+static isc_result_t
+catz_modzone(dns_catz_entry_t *entry, dns_catz_zone_t *origin, dns_view_t *view,
+	     isc_taskmgr_t *taskmgr, void *udata) {
+	return (catz_create_chg_task(entry, origin, view, taskmgr, udata,
+				     DNS_EVENT_CATZMODZONE));
+}
+
+static isc_result_t
+configure_catz_zone(dns_view_t *view, dns_view_t *pview,
+		    const cfg_obj_t *config, const cfg_listelt_t *element) {
+	const cfg_obj_t *catz_obj, *obj;
+	dns_catz_zone_t *zone = NULL;
+	const char *str;
+	isc_result_t result;
+	dns_name_t origin;
+	dns_catz_options_t *opts;
+
+	dns_name_init(&origin, NULL);
+	catz_obj = cfg_listelt_value(element);
+
+	str = cfg_obj_asstring(cfg_tuple_get(catz_obj, "zone name"));
+
+	result = dns_name_fromstring(&origin, str, DNS_NAME_DOWNCASE,
+				     view->mctx);
+	if (result == ISC_R_SUCCESS && dns_name_equal(&origin, dns_rootname)) {
+		result = DNS_R_EMPTYLABEL;
+	}
+
+	if (result != ISC_R_SUCCESS) {
+		cfg_obj_log(catz_obj, named_g_lctx, DNS_CATZ_ERROR_LEVEL,
+			    "catz: invalid zone name '%s'", str);
+		goto cleanup;
+	}
+
+	result = dns_catz_add_zone(view->catzs, &origin, &zone);
+	if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS) {
+		cfg_obj_log(catz_obj, named_g_lctx, DNS_CATZ_ERROR_LEVEL,
+			    "catz: unable to create catalog zone '%s', "
+			    "error %s",
+			    str, isc_result_totext(result));
+		goto cleanup;
+	}
+
+	if (result == ISC_R_EXISTS) {
+		isc_ht_iter_t *it = NULL;
+
+		RUNTIME_CHECK(pview != NULL);
+
+		/*
+		 * xxxwpk todo: reconfigure the zone!!!!
+		 */
+		cfg_obj_log(catz_obj, named_g_lctx, DNS_CATZ_ERROR_LEVEL,
+			    "catz: catalog zone '%s' will not be reconfigured",
+			    str);
+		/*
+		 * We have to walk through all the member zones and attach
+		 * them to current view
+		 */
+		dns_catz_get_iterator(zone, &it);
+
+		for (result = isc_ht_iter_first(it); result == ISC_R_SUCCESS;
+		     result = isc_ht_iter_next(it))
+		{
+			dns_name_t *name = NULL;
+			dns_zone_t *dnszone = NULL;
+			dns_catz_entry_t *entry = NULL;
+			isc_result_t tresult;
+
+			isc_ht_iter_current(it, (void **)&entry);
+			name = dns_catz_entry_getname(entry);
+
+			tresult = dns_view_findzone(pview, name, &dnszone);
+			if (tresult != ISC_R_SUCCESS) {
+				continue;
+			}
+
+			dns_zone_setview(dnszone, view);
+			dns_view_addzone(view, dnszone);
+
+			/*
+			 * The dns_view_findzone() call above increments the
+			 * zone's reference count, which we need to decrement
+			 * back.  However, as dns_zone_detach() sets the
+			 * supplied pointer to NULL, calling it is deferred
+			 * until the dnszone variable is no longer used.
+			 */
+			dns_zone_detach(&dnszone);
+		}
+
+		isc_ht_iter_destroy(&it);
+
+		result = ISC_R_SUCCESS;
+	}
+
+	dns_catz_zone_resetdefoptions(zone);
+	opts = dns_catz_zone_getdefoptions(zone);
+
+	obj = cfg_tuple_get(catz_obj, "default-masters");
+	if (obj != NULL && cfg_obj_istuple(obj)) {
+		result = named_config_getipandkeylist(
+			config, "primaries", obj, view->mctx, &opts->masters);
+	}
+
+	obj = cfg_tuple_get(catz_obj, "in-memory");
+	if (obj != NULL && cfg_obj_isboolean(obj)) {
+		opts->in_memory = cfg_obj_asboolean(obj);
+	}
+
+	obj = cfg_tuple_get(catz_obj, "zone-directory");
+	if (!opts->in_memory && obj != NULL && cfg_obj_isstring(obj)) {
+		opts->zonedir = isc_mem_strdup(view->mctx,
+					       cfg_obj_asstring(obj));
+		if (isc_file_isdirectory(opts->zonedir) != ISC_R_SUCCESS) {
+			cfg_obj_log(obj, named_g_lctx, DNS_CATZ_ERROR_LEVEL,
+				    "catz: zone-directory '%s' "
+				    "not found; zone files will not be "
+				    "saved",
+				    opts->zonedir);
+			opts->in_memory = true;
+		}
+	}
+
+	obj = cfg_tuple_get(catz_obj, "min-update-interval");
+	if (obj != NULL && cfg_obj_isduration(obj)) {
+		opts->min_update_interval = cfg_obj_asduration(obj);
+	}
+
+cleanup:
+	dns_name_free(&origin, view->mctx);
+
+	return (result);
+}
+
+static catz_cb_data_t ns_catz_cbdata;
+static dns_catz_zonemodmethods_t ns_catz_zonemodmethods = {
+	catz_addzone, catz_modzone, catz_delzone, &ns_catz_cbdata
+};
+
+static isc_result_t
+configure_catz(dns_view_t *view, dns_view_t *pview, const cfg_obj_t *config,
+	       const cfg_obj_t *catz_obj) {
+	const cfg_listelt_t *zone_element;
+	const dns_catz_zones_t *old = NULL;
+	bool pview_must_detach = false;
+	isc_result_t result;
+
+	/* xxxwpk TODO do it cleaner, once, somewhere */
+	ns_catz_cbdata.server = named_g_server;
+
+	zone_element = cfg_list_first(cfg_tuple_get(catz_obj, "zone list"));
+	if (zone_element == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+
+	CHECK(dns_catz_new_zones(&view->catzs, &ns_catz_zonemodmethods,
+				 view->mctx, named_g_taskmgr,
+				 named_g_timermgr));
+
+	if (pview != NULL) {
+		old = pview->catzs;
+	} else {
+		result = dns_viewlist_find(&named_g_server->viewlist,
+					   view->name, view->rdclass, &pview);
+		if (result == ISC_R_SUCCESS) {
+			pview_must_detach = true;
+			old = pview->catzs;
+		}
+	}
+
+	if (old != NULL) {
+		dns_catz_catzs_detach(&view->catzs);
+		dns_catz_catzs_attach(pview->catzs, &view->catzs);
+		dns_catz_catzs_detach(&pview->catzs);
+		dns_catz_prereconfig(view->catzs);
+	}
+
+	while (zone_element != NULL) {
+		CHECK(configure_catz_zone(view, pview, config, zone_element));
+		zone_element = cfg_list_next(zone_element);
+	}
+
+	if (old != NULL) {
+		dns_catz_postreconfig(view->catzs);
+	}
+
+	result = ISC_R_SUCCESS;
+
+cleanup:
+	if (pview_must_detach) {
+		dns_view_detach(&pview);
+	}
+
+	return (result);
+}
+
+#define CHECK_RRL(cond, pat, val1, val2)                                   \
+	do {                                                               \
+		if (!(cond)) {                                             \
+			cfg_obj_log(obj, named_g_lctx, ISC_LOG_ERROR, pat, \
+				    val1, val2);                           \
+			result = ISC_R_RANGE;                              \
+			goto cleanup;                                      \
+		}                                                          \
+	} while (0)
+
+#define CHECK_RRL_RATE(rate, def, max_rate, name)                           \
+	do {                                                                \
+		obj = NULL;                                                 \
+		rrl->rate.str = name;                                       \
+		result = cfg_map_get(map, name, &obj);                      \
+		if (result == ISC_R_SUCCESS) {                              \
+			rrl->rate.r = cfg_obj_asuint32(obj);                \
+			CHECK_RRL(rrl->rate.r <= max_rate, name " %d > %d", \
+				  rrl->rate.r, max_rate);                   \
+		} else {                                                    \
+			rrl->rate.r = def;                                  \
+		}                                                           \
+		rrl->rate.scaled = rrl->rate.r;                             \
+	} while (0)
+
+static isc_result_t
+configure_rrl(dns_view_t *view, const cfg_obj_t *config, const cfg_obj_t *map) {
+	const cfg_obj_t *obj;
+	dns_rrl_t *rrl;
+	isc_result_t result;
+	int min_entries, i, j;
+
+	/*
+	 * Most DNS servers have few clients, but intentinally open
+	 * recursive and authoritative servers often have many.
+	 * So start with a small number of entries unless told otherwise
+	 * to reduce cold-start costs.
+	 */
+	min_entries = 500;
+	obj = NULL;
+	result = cfg_map_get(map, "min-table-size", &obj);
+	if (result == ISC_R_SUCCESS) {
+		min_entries = cfg_obj_asuint32(obj);
+		if (min_entries < 1) {
+			min_entries = 1;
+		}
+	}
+	result = dns_rrl_init(&rrl, view, min_entries);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	i = ISC_MAX(20000, min_entries);
+	obj = NULL;
+	result = cfg_map_get(map, "max-table-size", &obj);
+	if (result == ISC_R_SUCCESS) {
+		i = cfg_obj_asuint32(obj);
+		CHECK_RRL(i >= min_entries,
+			  "max-table-size %d < min-table-size %d", i,
+			  min_entries);
+	}
+	rrl->max_entries = i;
+
+	CHECK_RRL_RATE(responses_per_second, 0, DNS_RRL_MAX_RATE,
+		       "responses-per-second");
+	CHECK_RRL_RATE(referrals_per_second, rrl->responses_per_second.r,
+		       DNS_RRL_MAX_RATE, "referrals-per-second");
+	CHECK_RRL_RATE(nodata_per_second, rrl->responses_per_second.r,
+		       DNS_RRL_MAX_RATE, "nodata-per-second");
+	CHECK_RRL_RATE(nxdomains_per_second, rrl->responses_per_second.r,
+		       DNS_RRL_MAX_RATE, "nxdomains-per-second");
+	CHECK_RRL_RATE(errors_per_second, rrl->responses_per_second.r,
+		       DNS_RRL_MAX_RATE, "errors-per-second");
+
+	CHECK_RRL_RATE(all_per_second, 0, DNS_RRL_MAX_RATE, "all-per-second");
+
+	CHECK_RRL_RATE(slip, 2, DNS_RRL_MAX_SLIP, "slip");
+
+	i = 15;
+	obj = NULL;
+	result = cfg_map_get(map, "window", &obj);
+	if (result == ISC_R_SUCCESS) {
+		i = cfg_obj_asuint32(obj);
+		CHECK_RRL(i >= 1 && i <= DNS_RRL_MAX_WINDOW,
+			  "window %d < 1 or > %d", i, DNS_RRL_MAX_WINDOW);
+	}
+	rrl->window = i;
+
+	i = 0;
+	obj = NULL;
+	result = cfg_map_get(map, "qps-scale", &obj);
+	if (result == ISC_R_SUCCESS) {
+		i = cfg_obj_asuint32(obj);
+		CHECK_RRL(i >= 1, "invalid 'qps-scale %d'%s", i, "");
+	}
+	rrl->qps_scale = i;
+	rrl->qps = 1.0;
+
+	i = 24;
+	obj = NULL;
+	result = cfg_map_get(map, "ipv4-prefix-length", &obj);
+	if (result == ISC_R_SUCCESS) {
+		i = cfg_obj_asuint32(obj);
+		CHECK_RRL(i >= 8 && i <= 32,
+			  "invalid 'ipv4-prefix-length %d'%s", i, "");
+	}
+	rrl->ipv4_prefixlen = i;
+	if (i == 32) {
+		rrl->ipv4_mask = 0xffffffff;
+	} else {
+		rrl->ipv4_mask = htonl(0xffffffff << (32 - i));
+	}
+
+	i = 56;
+	obj = NULL;
+	result = cfg_map_get(map, "ipv6-prefix-length", &obj);
+	if (result == ISC_R_SUCCESS) {
+		i = cfg_obj_asuint32(obj);
+		CHECK_RRL(i >= 16 && i <= DNS_RRL_MAX_PREFIX,
+			  "ipv6-prefix-length %d < 16 or > %d", i,
+			  DNS_RRL_MAX_PREFIX);
+	}
+	rrl->ipv6_prefixlen = i;
+	for (j = 0; j < 4; ++j) {
+		if (i <= 0) {
+			rrl->ipv6_mask[j] = 0;
+		} else if (i < 32) {
+			rrl->ipv6_mask[j] = htonl(0xffffffff << (32 - i));
+		} else {
+			rrl->ipv6_mask[j] = 0xffffffff;
+		}
+		i -= 32;
+	}
+
+	obj = NULL;
+	result = cfg_map_get(map, "exempt-clients", &obj);
+	if (result == ISC_R_SUCCESS) {
+		result = cfg_acl_fromconfig(obj, config, named_g_lctx,
+					    named_g_aclconfctx, named_g_mctx, 0,
+					    &rrl->exempt);
+		CHECK_RRL(result == ISC_R_SUCCESS, "invalid %s%s",
+			  "address match list", "");
+	}
+
+	obj = NULL;
+	result = cfg_map_get(map, "log-only", &obj);
+	if (result == ISC_R_SUCCESS && cfg_obj_asboolean(obj)) {
+		rrl->log_only = true;
+	} else {
+		rrl->log_only = false;
+	}
+
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	dns_rrl_view_destroy(view);
+	return (result);
+}
+
+static isc_result_t
+add_soa(dns_db_t *db, dns_dbversion_t *version, const dns_name_t *name,
+	const dns_name_t *origin, const dns_name_t *contact) {
+	dns_dbnode_t *node = NULL;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdatalist_t rdatalist;
+	dns_rdataset_t rdataset;
+	isc_result_t result;
+	unsigned char buf[DNS_SOA_BUFFERSIZE];
+
+	CHECK(dns_soa_buildrdata(origin, contact, dns_db_class(db), 0, 28800,
+				 7200, 604800, 86400, buf, &rdata));
+
+	dns_rdatalist_init(&rdatalist);
+	rdatalist.type = rdata.type;
+	rdatalist.rdclass = rdata.rdclass;
+	rdatalist.ttl = 86400;
+	ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
+
+	dns_rdataset_init(&rdataset);
+	CHECK(dns_rdatalist_tordataset(&rdatalist, &rdataset));
+	CHECK(dns_db_findnode(db, name, true, &node));
+	CHECK(dns_db_addrdataset(db, node, version, 0, &rdataset, 0, NULL));
+
+cleanup:
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+	return (result);
+}
+
+static isc_result_t
+add_ns(dns_db_t *db, dns_dbversion_t *version, const dns_name_t *name,
+       const dns_name_t *nsname) {
+	dns_dbnode_t *node = NULL;
+	dns_rdata_ns_t ns;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdatalist_t rdatalist;
+	dns_rdataset_t rdataset;
+	isc_result_t result;
+	isc_buffer_t b;
+	unsigned char buf[DNS_NAME_MAXWIRE];
+
+	isc_buffer_init(&b, buf, sizeof(buf));
+
+	ns.common.rdtype = dns_rdatatype_ns;
+	ns.common.rdclass = dns_db_class(db);
+	ns.mctx = NULL;
+	dns_name_init(&ns.name, NULL);
+	dns_name_clone(nsname, &ns.name);
+	CHECK(dns_rdata_fromstruct(&rdata, dns_db_class(db), dns_rdatatype_ns,
+				   &ns, &b));
+
+	dns_rdatalist_init(&rdatalist);
+	rdatalist.type = rdata.type;
+	rdatalist.rdclass = rdata.rdclass;
+	rdatalist.ttl = 86400;
+	ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
+
+	dns_rdataset_init(&rdataset);
+	CHECK(dns_rdatalist_tordataset(&rdatalist, &rdataset));
+	CHECK(dns_db_findnode(db, name, true, &node));
+	CHECK(dns_db_addrdataset(db, node, version, 0, &rdataset, 0, NULL));
+
+cleanup:
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+	return (result);
+}
+
+static isc_result_t
+create_empty_zone(dns_zone_t *zone, dns_name_t *name, dns_view_t *view,
+		  const cfg_obj_t *zonelist, const char **empty_dbtype,
+		  int empty_dbtypec, dns_zonestat_level_t statlevel) {
+	char namebuf[DNS_NAME_FORMATSIZE];
+	const cfg_listelt_t *element;
+	const cfg_obj_t *obj;
+	const cfg_obj_t *zconfig;
+	const cfg_obj_t *zoptions;
+	const char *rbt_dbtype[4] = { "rbt" };
+	const char *sep = ": view ";
+	const char *str;
+	const char *viewname = view->name;
+	dns_db_t *db = NULL;
+	dns_dbversion_t *version = NULL;
+	dns_fixedname_t cfixed;
+	dns_fixedname_t fixed;
+	dns_fixedname_t nsfixed;
+	dns_name_t *contact;
+	dns_name_t *ns;
+	dns_name_t *zname;
+	dns_zone_t *myzone = NULL;
+	int rbt_dbtypec = 1;
+	isc_result_t result;
+	dns_namereln_t namereln;
+	int order;
+	unsigned int nlabels;
+
+	zname = dns_fixedname_initname(&fixed);
+	ns = dns_fixedname_initname(&nsfixed);
+	contact = dns_fixedname_initname(&cfixed);
+
+	/*
+	 * Look for forward "zones" beneath this empty zone and if so
+	 * create a custom db for the empty zone.
+	 */
+	for (element = cfg_list_first(zonelist); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		zconfig = cfg_listelt_value(element);
+		str = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
+		CHECK(dns_name_fromstring(zname, str, 0, NULL));
+		namereln = dns_name_fullcompare(zname, name, &order, &nlabels);
+		if (namereln != dns_namereln_subdomain) {
+			continue;
+		}
+
+		zoptions = cfg_tuple_get(zconfig, "options");
+
+		obj = NULL;
+		(void)cfg_map_get(zoptions, "type", &obj);
+		if (obj != NULL &&
+		    strcasecmp(cfg_obj_asstring(obj), "forward") == 0)
+		{
+			obj = NULL;
+			(void)cfg_map_get(zoptions, "forward", &obj);
+			if (obj == NULL) {
+				continue;
+			}
+			if (strcasecmp(cfg_obj_asstring(obj), "only") != 0) {
+				continue;
+			}
+		}
+		if (db == NULL) {
+			CHECK(dns_db_create(view->mctx, "rbt", name,
+					    dns_dbtype_zone, view->rdclass, 0,
+					    NULL, &db));
+			CHECK(dns_db_newversion(db, &version));
+			if (strcmp(empty_dbtype[2], "@") == 0) {
+				dns_name_clone(name, ns);
+			} else {
+				CHECK(dns_name_fromstring(ns, empty_dbtype[2],
+							  0, NULL));
+			}
+			CHECK(dns_name_fromstring(contact, empty_dbtype[3], 0,
+						  NULL));
+			CHECK(add_soa(db, version, name, ns, contact));
+			CHECK(add_ns(db, version, name, ns));
+		}
+		CHECK(add_ns(db, version, zname, dns_rootname));
+	}
+
+	/*
+	 * Is the existing zone the ok to use?
+	 */
+	if (zone != NULL) {
+		unsigned int typec;
+		const char **dbargv;
+
+		if (db != NULL) {
+			typec = rbt_dbtypec;
+			dbargv = rbt_dbtype;
+		} else {
+			typec = empty_dbtypec;
+			dbargv = empty_dbtype;
+		}
+
+		result = check_dbtype(zone, typec, dbargv, view->mctx);
+		if (result != ISC_R_SUCCESS) {
+			zone = NULL;
+		}
+
+		if (zone != NULL && dns_zone_gettype(zone) != dns_zone_primary)
+		{
+			zone = NULL;
+		}
+		if (zone != NULL && dns_zone_getfile(zone) != NULL) {
+			zone = NULL;
+		}
+		if (zone != NULL) {
+			dns_zone_getraw(zone, &myzone);
+			if (myzone != NULL) {
+				dns_zone_detach(&myzone);
+				zone = NULL;
+			}
+		}
+	}
+
+	if (zone == NULL) {
+		CHECK(dns_zonemgr_createzone(named_g_server->zonemgr, &myzone));
+		zone = myzone;
+		CHECK(dns_zone_setorigin(zone, name));
+		CHECK(dns_zonemgr_managezone(named_g_server->zonemgr, zone));
+		if (db == NULL) {
+			dns_zone_setdbtype(zone, empty_dbtypec, empty_dbtype);
+		}
+		dns_zone_setclass(zone, view->rdclass);
+		dns_zone_settype(zone, dns_zone_primary);
+		dns_zone_setstats(zone, named_g_server->zonestats);
+	}
+
+	dns_zone_setoption(zone, ~DNS_ZONEOPT_NOCHECKNS, false);
+	dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS, true);
+	dns_zone_setnotifytype(zone, dns_notifytype_no);
+	dns_zone_setdialup(zone, dns_dialuptype_no);
+	dns_zone_setautomatic(zone, true);
+	if (view->queryacl != NULL) {
+		dns_zone_setqueryacl(zone, view->queryacl);
+	} else {
+		dns_zone_clearqueryacl(zone);
+	}
+	if (view->queryonacl != NULL) {
+		dns_zone_setqueryonacl(zone, view->queryonacl);
+	} else {
+		dns_zone_clearqueryonacl(zone);
+	}
+	dns_zone_clearupdateacl(zone);
+	if (view->transferacl != NULL) {
+		dns_zone_setxfracl(zone, view->transferacl);
+	} else {
+		dns_zone_clearxfracl(zone);
+	}
+
+	CHECK(setquerystats(zone, view->mctx, statlevel));
+	if (db != NULL) {
+		dns_db_closeversion(db, &version, true);
+		CHECK(dns_zone_replacedb(zone, db, false));
+	}
+	dns_zone_setoption(zone, DNS_ZONEOPT_AUTOEMPTY, true);
+	dns_zone_setview(zone, view);
+	CHECK(dns_view_addzone(view, zone));
+
+	if (!strcmp(viewname, "_default")) {
+		sep = "";
+		viewname = "";
+	}
+	dns_name_format(name, namebuf, sizeof(namebuf));
+	isc_log_write(named_g_lctx, DNS_LOGCATEGORY_ZONELOAD,
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+		      "automatic empty zone%s%s: %s", sep, viewname, namebuf);
+
+cleanup:
+	if (myzone != NULL) {
+		dns_zone_detach(&myzone);
+	}
+	if (version != NULL) {
+		dns_db_closeversion(db, &version, false);
+	}
+	if (db != NULL) {
+		dns_db_detach(&db);
+	}
+
+	INSIST(version == NULL);
+
+	return (result);
+}
+
+#ifdef HAVE_DNSTAP
+static isc_result_t
+configure_dnstap(const cfg_obj_t **maps, dns_view_t *view) {
+	isc_result_t result;
+	const cfg_obj_t *obj, *obj2;
+	const cfg_listelt_t *element;
+	const char *dpath;
+	const cfg_obj_t *dlist = NULL;
+	dns_dtmsgtype_t dttypes = 0;
+	unsigned int i;
+	struct fstrm_iothr_options *fopt = NULL;
+
+	result = named_config_get(maps, "dnstap", &dlist);
+	if (result != ISC_R_SUCCESS) {
+		return (ISC_R_SUCCESS);
+	}
+
+	for (element = cfg_list_first(dlist); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		const char *str;
+		dns_dtmsgtype_t dt = 0;
+
+		obj = cfg_listelt_value(element);
+		obj2 = cfg_tuple_get(obj, "type");
+		str = cfg_obj_asstring(obj2);
+		if (strcasecmp(str, "client") == 0) {
+			dt |= DNS_DTTYPE_CQ | DNS_DTTYPE_CR;
+		} else if (strcasecmp(str, "auth") == 0) {
+			dt |= DNS_DTTYPE_AQ | DNS_DTTYPE_AR;
+		} else if (strcasecmp(str, "resolver") == 0) {
+			dt |= DNS_DTTYPE_RQ | DNS_DTTYPE_RR;
+		} else if (strcasecmp(str, "forwarder") == 0) {
+			dt |= DNS_DTTYPE_FQ | DNS_DTTYPE_FR;
+		} else if (strcasecmp(str, "update") == 0) {
+			dt |= DNS_DTTYPE_UQ | DNS_DTTYPE_UR;
+		} else if (strcasecmp(str, "all") == 0) {
+			dt |= DNS_DTTYPE_CQ | DNS_DTTYPE_CR | DNS_DTTYPE_AQ |
+			      DNS_DTTYPE_AR | DNS_DTTYPE_RQ | DNS_DTTYPE_RR |
+			      DNS_DTTYPE_FQ | DNS_DTTYPE_FR | DNS_DTTYPE_UQ |
+			      DNS_DTTYPE_UR;
+		}
+
+		obj2 = cfg_tuple_get(obj, "mode");
+		if (obj2 == NULL || cfg_obj_isvoid(obj2)) {
+			dttypes |= dt;
+			continue;
+		}
+
+		str = cfg_obj_asstring(obj2);
+		if (strcasecmp(str, "query") == 0) {
+			dt &= ~DNS_DTTYPE_RESPONSE;
+		} else if (strcasecmp(str, "response") == 0) {
+			dt &= ~DNS_DTTYPE_QUERY;
+		}
+
+		dttypes |= dt;
+	}
+
+	if (named_g_server->dtenv == NULL && dttypes != 0) {
+		dns_dtmode_t dmode;
+		uint64_t max_size = 0;
+		uint32_t rolls = 0;
+		isc_log_rollsuffix_t suffix = isc_log_rollsuffix_increment;
+
+		obj = NULL;
+		CHECKM(named_config_get(maps, "dnstap-output", &obj),
+		       "'dnstap-output' must be set if 'dnstap' is set");
+
+		obj2 = cfg_tuple_get(obj, "mode");
+		if (obj2 == NULL) {
+			CHECKM(ISC_R_FAILURE, "dnstap-output mode not found");
+		}
+		if (strcasecmp(cfg_obj_asstring(obj2), "file") == 0) {
+			dmode = dns_dtmode_file;
+		} else {
+			dmode = dns_dtmode_unix;
+		}
+
+		obj2 = cfg_tuple_get(obj, "path");
+		if (obj2 == NULL) {
+			CHECKM(ISC_R_FAILURE, "dnstap-output path not found");
+		}
+
+		dpath = cfg_obj_asstring(obj2);
+
+		obj2 = cfg_tuple_get(obj, "size");
+		if (obj2 != NULL && cfg_obj_isuint64(obj2)) {
+			max_size = cfg_obj_asuint64(obj2);
+			if (max_size > SIZE_MAX) {
+				cfg_obj_log(obj2, named_g_lctx, ISC_LOG_WARNING,
+					    "'dnstap-output size "
+					    "%" PRIu64 "' "
+					    "is too large for this "
+					    "system; reducing to %lu",
+					    max_size, (unsigned long)SIZE_MAX);
+				max_size = SIZE_MAX;
+			}
+		}
+
+		obj2 = cfg_tuple_get(obj, "versions");
+		if (obj2 != NULL && cfg_obj_isuint32(obj2)) {
+			rolls = cfg_obj_asuint32(obj2);
+		} else {
+			rolls = ISC_LOG_ROLLINFINITE;
+		}
+
+		obj2 = cfg_tuple_get(obj, "suffix");
+		if (obj2 != NULL && cfg_obj_isstring(obj2) &&
+		    strcasecmp(cfg_obj_asstring(obj2), "timestamp") == 0)
+		{
+			suffix = isc_log_rollsuffix_timestamp;
+		}
+
+		fopt = fstrm_iothr_options_init();
+		/*
+		 * Both network threads and worker threads may log dnstap data.
+		 */
+		fstrm_iothr_options_set_num_input_queues(fopt,
+							 2 * named_g_cpus);
+		fstrm_iothr_options_set_queue_model(
+			fopt, FSTRM_IOTHR_QUEUE_MODEL_MPSC);
+
+		obj = NULL;
+		result = named_config_get(maps, "fstrm-set-buffer-hint", &obj);
+		if (result == ISC_R_SUCCESS) {
+			i = cfg_obj_asuint32(obj);
+			fstrm_iothr_options_set_buffer_hint(fopt, i);
+		}
+
+		obj = NULL;
+		result = named_config_get(maps, "fstrm-set-flush-timeout",
+					  &obj);
+		if (result == ISC_R_SUCCESS) {
+			i = cfg_obj_asuint32(obj);
+			fstrm_iothr_options_set_flush_timeout(fopt, i);
+		}
+
+		obj = NULL;
+		result = named_config_get(maps, "fstrm-set-input-queue-size",
+					  &obj);
+		if (result == ISC_R_SUCCESS) {
+			i = cfg_obj_asuint32(obj);
+			fstrm_iothr_options_set_input_queue_size(fopt, i);
+		}
+
+		obj = NULL;
+		result = named_config_get(
+			maps, "fstrm-set-output-notify-threshold", &obj);
+		if (result == ISC_R_SUCCESS) {
+			i = cfg_obj_asuint32(obj);
+			fstrm_iothr_options_set_queue_notify_threshold(fopt, i);
+		}
+
+		obj = NULL;
+		result = named_config_get(maps, "fstrm-set-output-queue-model",
+					  &obj);
+		if (result == ISC_R_SUCCESS) {
+			if (strcasecmp(cfg_obj_asstring(obj), "spsc") == 0) {
+				i = FSTRM_IOTHR_QUEUE_MODEL_SPSC;
+			} else {
+				i = FSTRM_IOTHR_QUEUE_MODEL_MPSC;
+			}
+			fstrm_iothr_options_set_queue_model(fopt, i);
+		}
+
+		obj = NULL;
+		result = named_config_get(maps, "fstrm-set-output-queue-size",
+					  &obj);
+		if (result == ISC_R_SUCCESS) {
+			i = cfg_obj_asuint32(obj);
+			fstrm_iothr_options_set_output_queue_size(fopt, i);
+		}
+
+		obj = NULL;
+		result = named_config_get(maps, "fstrm-set-reopen-interval",
+					  &obj);
+		if (result == ISC_R_SUCCESS) {
+			i = cfg_obj_asduration(obj);
+			fstrm_iothr_options_set_reopen_interval(fopt, i);
+		}
+
+		CHECKM(dns_dt_create(named_g_mctx, dmode, dpath, &fopt,
+				     named_g_server->task,
+				     &named_g_server->dtenv),
+		       "unable to create dnstap environment");
+
+		CHECKM(dns_dt_setupfile(named_g_server->dtenv, max_size, rolls,
+					suffix),
+		       "unable to set up dnstap logfile");
+	}
+
+	if (named_g_server->dtenv == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+
+	obj = NULL;
+	result = named_config_get(maps, "dnstap-version", &obj);
+	if (result != ISC_R_SUCCESS) {
+		/* not specified; use the product and version */
+		dns_dt_setversion(named_g_server->dtenv, PRODUCT " " VERSION);
+	} else if (result == ISC_R_SUCCESS && !cfg_obj_isvoid(obj)) {
+		/* Quoted string */
+		dns_dt_setversion(named_g_server->dtenv, cfg_obj_asstring(obj));
+	}
+
+	obj = NULL;
+	result = named_config_get(maps, "dnstap-identity", &obj);
+	if (result == ISC_R_SUCCESS && cfg_obj_isboolean(obj)) {
+		/* "hostname" is interpreted as boolean true */
+		char buf[256];
+		result = named_os_gethostname(buf, sizeof(buf));
+		if (result == ISC_R_SUCCESS) {
+			dns_dt_setidentity(named_g_server->dtenv, buf);
+		}
+	} else if (result == ISC_R_SUCCESS && !cfg_obj_isvoid(obj)) {
+		/* Quoted string */
+		dns_dt_setidentity(named_g_server->dtenv,
+				   cfg_obj_asstring(obj));
+	}
+
+	dns_dt_attach(named_g_server->dtenv, &view->dtenv);
+	view->dttypes = dttypes;
+
+	result = ISC_R_SUCCESS;
+
+cleanup:
+	if (fopt != NULL) {
+		fstrm_iothr_options_destroy(&fopt);
+	}
+
+	return (result);
+}
+#endif /* HAVE_DNSTAP */
+
+static isc_result_t
+create_mapped_acl(void) {
+	isc_result_t result;
+	dns_acl_t *acl = NULL;
+	struct in6_addr in6 = IN6ADDR_V4MAPPED_INIT;
+	isc_netaddr_t addr;
+
+	isc_netaddr_fromin6(&addr, &in6);
+
+	result = dns_acl_create(named_g_mctx, 1, &acl);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = dns_iptable_addprefix(acl->iptable, &addr, 96, true);
+	if (result == ISC_R_SUCCESS) {
+		dns_acl_attach(acl, &named_g_mapped);
+	}
+	dns_acl_detach(&acl);
+	return (result);
+}
+
+#ifdef HAVE_DLOPEN
+/*%
+ * A callback for the cfg_pluginlist_foreach() call in configure_view() below.
+ * If registering any plugin fails, registering subsequent ones is not
+ * attempted.
+ */
+static isc_result_t
+register_one_plugin(const cfg_obj_t *config, const cfg_obj_t *obj,
+		    const char *plugin_path, const char *parameters,
+		    void *callback_data) {
+	dns_view_t *view = callback_data;
+	char full_path[PATH_MAX];
+	isc_result_t result;
+
+	result = ns_plugin_expandpath(plugin_path, full_path,
+				      sizeof(full_path));
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+			      "%s: plugin configuration failed: "
+			      "unable to get full plugin path: %s",
+			      plugin_path, isc_result_totext(result));
+		return (result);
+	}
+
+	result = ns_plugin_register(full_path, parameters, config,
+				    cfg_obj_file(obj), cfg_obj_line(obj),
+				    named_g_mctx, named_g_lctx,
+				    named_g_aclconfctx, view);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+			      "%s: plugin configuration failed: %s", full_path,
+			      isc_result_totext(result));
+	}
+
+	return (result);
+}
+#endif /* ifdef HAVE_DLOPEN */
+
+/*
+ * Determine if a minimal-sized cache can be used for a given view, according
+ * to 'maps' (implicit defaults, global options, view options) and 'optionmaps'
+ * (global options, view options).  This is only allowed for views which have
+ * recursion disabled and do not have "max-cache-size" set explicitly.  Using
+ * minimal-sized caches prevents a situation in which all explicitly configured
+ * and built-in views inherit the default "max-cache-size 90%;" setting, which
+ * could lead to memory exhaustion with multiple views configured.
+ */
+static bool
+minimal_cache_allowed(const cfg_obj_t *maps[4],
+		      const cfg_obj_t *optionmaps[3]) {
+	const cfg_obj_t *obj;
+
+	/*
+	 * Do not use a minimal-sized cache for a view with recursion enabled.
+	 */
+	obj = NULL;
+	(void)named_config_get(maps, "recursion", &obj);
+	INSIST(obj != NULL);
+	if (cfg_obj_asboolean(obj)) {
+		return (false);
+	}
+
+	/*
+	 * Do not use a minimal-sized cache if a specific size was requested.
+	 */
+	obj = NULL;
+	(void)named_config_get(optionmaps, "max-cache-size", &obj);
+	if (obj != NULL) {
+		return (false);
+	}
+
+	return (true);
+}
+
+static const char *const response_synonyms[] = { "response", NULL };
+
+/*
+ * Configure 'view' according to 'vconfig', taking defaults from 'config'
+ * where values are missing in 'vconfig'.
+ *
+ * When configuring the default view, 'vconfig' will be NULL and the
+ * global defaults in 'config' used exclusively.
+ */
+static isc_result_t
+configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
+	       cfg_obj_t *vconfig, named_cachelist_t *cachelist,
+	       dns_kasplist_t *kasplist, const cfg_obj_t *bindkeys,
+	       isc_mem_t *mctx, cfg_aclconfctx_t *actx, bool need_hints) {
+	const cfg_obj_t *maps[4];
+	const cfg_obj_t *cfgmaps[3];
+	const cfg_obj_t *optionmaps[3];
+	const cfg_obj_t *options = NULL;
+	const cfg_obj_t *voptions = NULL;
+	const cfg_obj_t *forwardtype;
+	const cfg_obj_t *forwarders;
+	const cfg_obj_t *alternates;
+	const cfg_obj_t *zonelist;
+	const cfg_obj_t *dlzlist;
+	const cfg_obj_t *dlz;
+	const cfg_obj_t *prefetch_trigger;
+	const cfg_obj_t *prefetch_eligible;
+	unsigned int dlzargc;
+	char **dlzargv;
+	const cfg_obj_t *dyndb_list, *plugin_list;
+	const cfg_obj_t *disabled;
+	const cfg_obj_t *obj, *obj2;
+	const cfg_listelt_t *element = NULL;
+	const cfg_listelt_t *zone_element_latest = NULL;
+	in_port_t port;
+	dns_cache_t *cache = NULL;
+	isc_result_t result;
+	size_t max_cache_size;
+	uint32_t max_cache_size_percent = 0;
+	size_t max_adb_size;
+	uint32_t lame_ttl, fail_ttl;
+	uint32_t max_stale_ttl = 0;
+	uint32_t stale_refresh_time = 0;
+	dns_tsig_keyring_t *ring = NULL;
+	dns_view_t *pview = NULL; /* Production view */
+	isc_mem_t *cmctx = NULL, *hmctx = NULL;
+	dns_dispatch_t *dispatch4 = NULL;
+	dns_dispatch_t *dispatch6 = NULL;
+	bool rpz_configured = false;
+	bool catz_configured = false;
+	bool reused_cache = false;
+	bool shared_cache = false;
+	int i = 0, j = 0, k = 0;
+	const char *str;
+	const char *cachename = NULL;
+	dns_order_t *order = NULL;
+	uint32_t udpsize;
+	uint32_t maxbits;
+	unsigned int resopts = 0;
+	dns_zone_t *zone = NULL;
+	uint32_t max_clients_per_query;
+	bool empty_zones_enable;
+	const cfg_obj_t *disablelist = NULL;
+	isc_stats_t *resstats = NULL;
+	dns_stats_t *resquerystats = NULL;
+	bool auto_root = false;
+	named_cache_t *nsc;
+	bool zero_no_soattl;
+	dns_acl_t *clients = NULL, *mapped = NULL, *excluded = NULL;
+	unsigned int query_timeout, ndisp;
+	bool old_rpz_ok = false;
+	isc_dscp_t dscp4 = -1, dscp6 = -1;
+	dns_dyndbctx_t *dctx = NULL;
+	unsigned int resolver_param;
+	dns_ntatable_t *ntatable = NULL;
+	const char *qminmode = NULL;
+
+	REQUIRE(DNS_VIEW_VALID(view));
+
+	if (config != NULL) {
+		(void)cfg_map_get(config, "options", &options);
+	}
+
+	/*
+	 * maps: view options, options, defaults
+	 * cfgmaps: view options, config
+	 * optionmaps: view options, options
+	 */
+	if (vconfig != NULL) {
+		voptions = cfg_tuple_get(vconfig, "options");
+		maps[i++] = voptions;
+		optionmaps[j++] = voptions;
+		cfgmaps[k++] = voptions;
+	}
+	if (options != NULL) {
+		maps[i++] = options;
+		optionmaps[j++] = options;
+	}
+
+	maps[i++] = named_g_defaults;
+	maps[i] = NULL;
+	optionmaps[j] = NULL;
+	if (config != NULL) {
+		cfgmaps[k++] = config;
+	}
+	cfgmaps[k] = NULL;
+
+	/*
+	 * Set the view's port number for outgoing queries.
+	 */
+	CHECKM(named_config_getport(config, &port), "port");
+	dns_view_setdstport(view, port);
+
+	/*
+	 * Make the list of response policy zone names for a view that
+	 * is used for real lookups and so cares about hints.
+	 */
+	obj = NULL;
+	if (view->rdclass == dns_rdataclass_in && need_hints &&
+	    named_config_get(maps, "response-policy", &obj) == ISC_R_SUCCESS)
+	{
+		CHECK(configure_rpz(view, NULL, maps, obj, &old_rpz_ok));
+		rpz_configured = true;
+	}
+
+	obj = NULL;
+	if (view->rdclass == dns_rdataclass_in && need_hints &&
+	    named_config_get(maps, "catalog-zones", &obj) == ISC_R_SUCCESS)
+	{
+		CHECK(configure_catz(view, NULL, config, obj));
+		catz_configured = true;
+	}
+
+	/*
+	 * Configure the zones.
+	 */
+	zonelist = NULL;
+	if (voptions != NULL) {
+		(void)cfg_map_get(voptions, "zone", &zonelist);
+	} else {
+		(void)cfg_map_get(config, "zone", &zonelist);
+	}
+
+	/*
+	 * Load zone configuration
+	 */
+	for (element = cfg_list_first(zonelist); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		const cfg_obj_t *zconfig = cfg_listelt_value(element);
+		CHECK(configure_zone(config, zconfig, vconfig, mctx, view,
+				     viewlist, kasplist, actx, false,
+				     old_rpz_ok, false));
+		zone_element_latest = element;
+	}
+
+	/*
+	 * Check that a master or slave zone was found for each
+	 * zone named in the response policy statement
+	 * unless we are using RPZ service interface.
+	 */
+	if (view->rpzs != NULL && !view->rpzs->p.dnsrps_enabled) {
+		dns_rpz_num_t n;
+
+		for (n = 0; n < view->rpzs->p.num_zones; ++n) {
+			if ((view->rpzs->defined & DNS_RPZ_ZBIT(n)) == 0) {
+				char namebuf[DNS_NAME_FORMATSIZE];
+
+				dns_name_format(&view->rpzs->zones[n]->origin,
+						namebuf, sizeof(namebuf));
+				isc_log_write(named_g_lctx,
+					      NAMED_LOGCATEGORY_GENERAL,
+					      NAMED_LOGMODULE_SERVER,
+					      DNS_RPZ_ERROR_LEVEL,
+					      "rpz '%s'"
+					      " is not a master or slave zone",
+					      namebuf);
+				result = ISC_R_NOTFOUND;
+				goto cleanup;
+			}
+		}
+	}
+
+	/*
+	 * If we're allowing added zones, then load zone configuration
+	 * from the newzone file for zones that were added during previous
+	 * runs.
+	 */
+	CHECK(configure_newzones(view, config, vconfig, mctx, actx));
+
+	/*
+	 * Create Dynamically Loadable Zone driver.
+	 */
+	dlzlist = NULL;
+	if (voptions != NULL) {
+		(void)cfg_map_get(voptions, "dlz", &dlzlist);
+	} else {
+		(void)cfg_map_get(config, "dlz", &dlzlist);
+	}
+
+	for (element = cfg_list_first(dlzlist); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		dlz = cfg_listelt_value(element);
+
+		obj = NULL;
+		(void)cfg_map_get(dlz, "database", &obj);
+		if (obj != NULL) {
+			dns_dlzdb_t *dlzdb = NULL;
+			const cfg_obj_t *name, *search = NULL;
+			char *s = isc_mem_strdup(mctx, cfg_obj_asstring(obj));
+
+			if (s == NULL) {
+				result = ISC_R_NOMEMORY;
+				goto cleanup;
+			}
+
+			result = isc_commandline_strtoargv(mctx, s, &dlzargc,
+							   &dlzargv, 0);
+			if (result != ISC_R_SUCCESS) {
+				isc_mem_free(mctx, s);
+				goto cleanup;
+			}
+
+			name = cfg_map_getname(dlz);
+			result = dns_dlzcreate(mctx, cfg_obj_asstring(name),
+					       dlzargv[0], dlzargc, dlzargv,
+					       &dlzdb);
+			isc_mem_free(mctx, s);
+			isc_mem_put(mctx, dlzargv, dlzargc * sizeof(*dlzargv));
+			if (result != ISC_R_SUCCESS) {
+				goto cleanup;
+			}
+
+			/*
+			 * If the DLZ backend supports configuration,
+			 * and is searchable, then call its configure
+			 * method now.  If not searchable, we'll take
+			 * care of it when we process the zone statement.
+			 */
+			(void)cfg_map_get(dlz, "search", &search);
+			if (search == NULL || cfg_obj_asboolean(search)) {
+				dlzdb->search = true;
+				result = dns_dlzconfigure(
+					view, dlzdb, dlzconfigure_callback);
+				if (result != ISC_R_SUCCESS) {
+					goto cleanup;
+				}
+				ISC_LIST_APPEND(view->dlz_searched, dlzdb,
+						link);
+			} else {
+				dlzdb->search = false;
+				ISC_LIST_APPEND(view->dlz_unsearched, dlzdb,
+						link);
+			}
+		}
+	}
+
+	/*
+	 * Obtain configuration parameters that affect the decision of whether
+	 * we can reuse/share an existing cache.
+	 */
+	obj = NULL;
+	result = named_config_get(maps, "max-cache-size", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	/*
+	 * If "-T maxcachesize=..." is in effect, it overrides any other
+	 * "max-cache-size" setting found in configuration, either implicit or
+	 * explicit.  For simplicity, the value passed to that command line
+	 * option is always treated as the number of bytes to set
+	 * "max-cache-size" to.
+	 */
+	if (named_g_maxcachesize != 0) {
+		max_cache_size = named_g_maxcachesize;
+	} else if (minimal_cache_allowed(maps, optionmaps)) {
+		/*
+		 * dns_cache_setcachesize() will adjust this to the smallest
+		 * allowed value.
+		 */
+		max_cache_size = 1;
+	} else if (cfg_obj_isstring(obj)) {
+		str = cfg_obj_asstring(obj);
+		INSIST(strcasecmp(str, "unlimited") == 0);
+		max_cache_size = 0;
+	} else if (cfg_obj_ispercentage(obj)) {
+		max_cache_size = SIZE_AS_PERCENT;
+		max_cache_size_percent = cfg_obj_aspercentage(obj);
+	} else {
+		isc_resourcevalue_t value;
+		value = cfg_obj_asuint64(obj);
+		if (value > SIZE_MAX) {
+			cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING,
+				    "'max-cache-size "
+				    "%" PRIu64 "' "
+				    "is too large for this "
+				    "system; reducing to %lu",
+				    value, (unsigned long)SIZE_MAX);
+			value = SIZE_MAX;
+		}
+		max_cache_size = (size_t)value;
+	}
+
+	if (max_cache_size == SIZE_AS_PERCENT) {
+		uint64_t totalphys = isc_meminfo_totalphys();
+
+		max_cache_size =
+			(size_t)(totalphys * max_cache_size_percent / 100);
+		if (totalphys == 0) {
+			cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING,
+				    "Unable to determine amount of physical "
+				    "memory, setting 'max-cache-size' to "
+				    "unlimited");
+		} else {
+			cfg_obj_log(obj, named_g_lctx, ISC_LOG_INFO,
+				    "'max-cache-size %d%%' "
+				    "- setting to %" PRIu64 "MB "
+				    "(out of %" PRIu64 "MB)",
+				    max_cache_size_percent,
+				    (uint64_t)(max_cache_size / (1024 * 1024)),
+				    totalphys / (1024 * 1024));
+		}
+	}
+
+	/* Check-names. */
+	obj = NULL;
+	result = named_checknames_get(maps, response_synonyms, &obj);
+	INSIST(result == ISC_R_SUCCESS);
+
+	str = cfg_obj_asstring(obj);
+	if (strcasecmp(str, "fail") == 0) {
+		resopts |= DNS_RESOLVER_CHECKNAMES |
+			   DNS_RESOLVER_CHECKNAMESFAIL;
+		view->checknames = true;
+	} else if (strcasecmp(str, "warn") == 0) {
+		resopts |= DNS_RESOLVER_CHECKNAMES;
+		view->checknames = false;
+	} else if (strcasecmp(str, "ignore") == 0) {
+		view->checknames = false;
+	} else {
+		UNREACHABLE();
+	}
+
+	obj = NULL;
+	result = named_config_get(maps, "zero-no-soa-ttl-cache", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	zero_no_soattl = cfg_obj_asboolean(obj);
+
+	obj = NULL;
+	result = named_config_get(maps, "dns64", &obj);
+	if (result == ISC_R_SUCCESS && strcmp(view->name, "_bind") &&
+	    strcmp(view->name, "_meta"))
+	{
+		isc_netaddr_t na, suffix, *sp;
+		unsigned int prefixlen;
+		const char *server, *contact;
+		const cfg_obj_t *myobj;
+
+		myobj = NULL;
+		result = named_config_get(maps, "dns64-server", &myobj);
+		if (result == ISC_R_SUCCESS) {
+			server = cfg_obj_asstring(myobj);
+		} else {
+			server = NULL;
+		}
+
+		myobj = NULL;
+		result = named_config_get(maps, "dns64-contact", &myobj);
+		if (result == ISC_R_SUCCESS) {
+			contact = cfg_obj_asstring(myobj);
+		} else {
+			contact = NULL;
+		}
+
+		for (element = cfg_list_first(obj); element != NULL;
+		     element = cfg_list_next(element))
+		{
+			const cfg_obj_t *map = cfg_listelt_value(element);
+			dns_dns64_t *dns64 = NULL;
+			unsigned int dns64options = 0;
+
+			cfg_obj_asnetprefix(cfg_map_getname(map), &na,
+					    &prefixlen);
+
+			obj = NULL;
+			(void)cfg_map_get(map, "suffix", &obj);
+			if (obj != NULL) {
+				sp = &suffix;
+				isc_netaddr_fromsockaddr(
+					sp, cfg_obj_assockaddr(obj));
+			} else {
+				sp = NULL;
+			}
+
+			clients = mapped = excluded = NULL;
+			obj = NULL;
+			(void)cfg_map_get(map, "clients", &obj);
+			if (obj != NULL) {
+				result = cfg_acl_fromconfig(obj, config,
+							    named_g_lctx, actx,
+							    mctx, 0, &clients);
+				if (result != ISC_R_SUCCESS) {
+					goto cleanup;
+				}
+			}
+			obj = NULL;
+			(void)cfg_map_get(map, "mapped", &obj);
+			if (obj != NULL) {
+				result = cfg_acl_fromconfig(obj, config,
+							    named_g_lctx, actx,
+							    mctx, 0, &mapped);
+				if (result != ISC_R_SUCCESS) {
+					goto cleanup;
+				}
+			}
+			obj = NULL;
+			(void)cfg_map_get(map, "exclude", &obj);
+			if (obj != NULL) {
+				result = cfg_acl_fromconfig(obj, config,
+							    named_g_lctx, actx,
+							    mctx, 0, &excluded);
+				if (result != ISC_R_SUCCESS) {
+					goto cleanup;
+				}
+			} else {
+				if (named_g_mapped == NULL) {
+					result = create_mapped_acl();
+					if (result != ISC_R_SUCCESS) {
+						goto cleanup;
+					}
+				}
+				dns_acl_attach(named_g_mapped, &excluded);
+			}
+
+			obj = NULL;
+			(void)cfg_map_get(map, "recursive-only", &obj);
+			if (obj != NULL && cfg_obj_asboolean(obj)) {
+				dns64options |= DNS_DNS64_RECURSIVE_ONLY;
+			}
+
+			obj = NULL;
+			(void)cfg_map_get(map, "break-dnssec", &obj);
+			if (obj != NULL && cfg_obj_asboolean(obj)) {
+				dns64options |= DNS_DNS64_BREAK_DNSSEC;
+			}
+
+			result = dns_dns64_create(mctx, &na, prefixlen, sp,
+						  clients, mapped, excluded,
+						  dns64options, &dns64);
+			if (result != ISC_R_SUCCESS) {
+				goto cleanup;
+			}
+			dns_dns64_append(&view->dns64, dns64);
+			view->dns64cnt++;
+			result = dns64_reverse(view, mctx, &na, prefixlen,
+					       server, contact);
+			if (result != ISC_R_SUCCESS) {
+				goto cleanup;
+			}
+			if (clients != NULL) {
+				dns_acl_detach(&clients);
+			}
+			if (mapped != NULL) {
+				dns_acl_detach(&mapped);
+			}
+			if (excluded != NULL) {
+				dns_acl_detach(&excluded);
+			}
+		}
+	}
+
+	obj = NULL;
+	result = named_config_get(maps, "dnssec-accept-expired", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	view->acceptexpired = cfg_obj_asboolean(obj);
+
+	obj = NULL;
+	/* 'optionmaps', not 'maps': don't check named_g_defaults yet */
+	(void)named_config_get(optionmaps, "dnssec-validation", &obj);
+	if (obj == NULL) {
+		/*
+		 * Default to VALIDATION_DEFAULT as set in config.c.
+		 */
+		(void)cfg_map_get(named_g_defaults, "dnssec-validation", &obj);
+		INSIST(obj != NULL);
+	}
+	if (obj != NULL) {
+		if (cfg_obj_isboolean(obj)) {
+			view->enablevalidation = cfg_obj_asboolean(obj);
+		} else {
+			/*
+			 * If dnssec-validation is set but not boolean,
+			 * then it must be "auto"
+			 */
+			view->enablevalidation = true;
+			auto_root = true;
+		}
+	}
+
+	obj = NULL;
+	result = named_config_get(maps, "max-cache-ttl", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	view->maxcachettl = cfg_obj_asduration(obj);
+
+	obj = NULL;
+	result = named_config_get(maps, "max-ncache-ttl", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	view->maxncachettl = cfg_obj_asduration(obj);
+
+	obj = NULL;
+	result = named_config_get(maps, "min-cache-ttl", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	view->mincachettl = cfg_obj_asduration(obj);
+
+	obj = NULL;
+	result = named_config_get(maps, "min-ncache-ttl", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	view->minncachettl = cfg_obj_asduration(obj);
+
+	obj = NULL;
+	result = named_config_get(maps, "synth-from-dnssec", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	view->synthfromdnssec = cfg_obj_asboolean(obj);
+
+	obj = NULL;
+	result = named_config_get(maps, "stale-cache-enable", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	if (cfg_obj_asboolean(obj)) {
+		obj = NULL;
+		result = named_config_get(maps, "max-stale-ttl", &obj);
+		INSIST(result == ISC_R_SUCCESS);
+		max_stale_ttl = ISC_MAX(cfg_obj_asduration(obj), 1);
+	}
+	/*
+	 * If 'stale-cache-enable' is false, max_stale_ttl is set to 0,
+	 * meaning keeping stale RRsets in cache is disabled.
+	 */
+
+	obj = NULL;
+	result = named_config_get(maps, "stale-answer-enable", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	view->staleanswersenable = cfg_obj_asboolean(obj);
+
+	result = dns_viewlist_find(&named_g_server->viewlist, view->name,
+				   view->rdclass, &pview);
+	if (result == ISC_R_SUCCESS) {
+		view->staleanswersok = pview->staleanswersok;
+		dns_view_detach(&pview);
+	} else {
+		view->staleanswersok = dns_stale_answer_conf;
+	}
+
+	obj = NULL;
+	result = named_config_get(maps, "stale-answer-client-timeout", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	if (cfg_obj_isstring(obj)) {
+		/*
+		 * The only string values available for this option
+		 * are "disabled" and "off".
+		 * We use (uint32_t) -1 to represent disabled since
+		 * a value of zero means that stale data can be used
+		 * to promptly answer the query, while an attempt to
+		 * refresh the RRset will still be made in background.
+		 */
+		view->staleanswerclienttimeout = (uint32_t)-1;
+	} else {
+		view->staleanswerclienttimeout = cfg_obj_asuint32(obj);
+	}
+
+	obj = NULL;
+	result = named_config_get(maps, "stale-refresh-time", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	stale_refresh_time = cfg_obj_asduration(obj);
+
+	/*
+	 * Configure the view's cache.
+	 *
+	 * First, check to see if there are any attach-cache options.  If yes,
+	 * attempt to lookup an existing cache at attach it to the view.  If
+	 * there is not one, then try to reuse an existing cache if possible;
+	 * otherwise create a new cache.
+	 *
+	 * Note that the ADB is not preserved or shared in either case.
+	 *
+	 * When a matching view is found, the associated statistics are also
+	 * retrieved and reused.
+	 *
+	 * XXX Determining when it is safe to reuse or share a cache is tricky.
+	 * When the view's configuration changes, the cached data may become
+	 * invalid because it reflects our old view of the world.  We check
+	 * some of the configuration parameters that could invalidate the cache
+	 * or otherwise make it unshareable, but there are other configuration
+	 * options that should be checked.  For example, if a view uses a
+	 * forwarder, changes in the forwarder configuration may invalidate
+	 * the cache.  At the moment, it's the administrator's responsibility to
+	 * ensure these configuration options don't invalidate reusing/sharing.
+	 */
+	obj = NULL;
+	result = named_config_get(maps, "attach-cache", &obj);
+	if (result == ISC_R_SUCCESS) {
+		cachename = cfg_obj_asstring(obj);
+	} else {
+		cachename = view->name;
+	}
+	cache = NULL;
+	nsc = cachelist_find(cachelist, cachename, view->rdclass);
+	if (nsc != NULL) {
+		if (!cache_sharable(nsc->primaryview, view, zero_no_soattl,
+				    max_cache_size, max_stale_ttl,
+				    stale_refresh_time))
+		{
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "views %s and %s can't share the cache "
+				      "due to configuration parameter mismatch",
+				      nsc->primaryview->name, view->name);
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+		dns_cache_attach(nsc->cache, &cache);
+		shared_cache = true;
+	} else {
+		if (strcmp(cachename, view->name) == 0) {
+			result = dns_viewlist_find(&named_g_server->viewlist,
+						   cachename, view->rdclass,
+						   &pview);
+			if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
+			{
+				goto cleanup;
+			}
+			if (pview != NULL) {
+				if (!cache_reusable(pview, view,
+						    zero_no_soattl))
+				{
+					isc_log_write(named_g_lctx,
+						      NAMED_LOGCATEGORY_GENERAL,
+						      NAMED_LOGMODULE_SERVER,
+						      ISC_LOG_DEBUG(1),
+						      "cache cannot be reused "
+						      "for view %s due to "
+						      "configuration parameter "
+						      "mismatch",
+						      view->name);
+				} else {
+					INSIST(pview->cache != NULL);
+					isc_log_write(named_g_lctx,
+						      NAMED_LOGCATEGORY_GENERAL,
+						      NAMED_LOGMODULE_SERVER,
+						      ISC_LOG_DEBUG(3),
+						      "reusing existing cache");
+					reused_cache = true;
+					dns_cache_attach(pview->cache, &cache);
+				}
+				dns_view_getresstats(pview, &resstats);
+				dns_view_getresquerystats(pview,
+							  &resquerystats);
+				dns_view_detach(&pview);
+			}
+		}
+		if (cache == NULL) {
+			/*
+			 * Create a cache with the desired name.  This normally
+			 * equals the view name, but may also be a forward
+			 * reference to a view that share the cache with this
+			 * view but is not yet configured.  If it is not the
+			 * view name but not a forward reference either, then it
+			 * is simply a named cache that is not shared.
+			 *
+			 * We use two separate memory contexts for the
+			 * cache, for the main cache memory and the heap
+			 * memory.
+			 */
+			isc_mem_create(&cmctx);
+			isc_mem_setname(cmctx, "cache", NULL);
+			isc_mem_create(&hmctx);
+			isc_mem_setname(hmctx, "cache_heap", NULL);
+			CHECK(dns_cache_create(cmctx, hmctx, named_g_taskmgr,
+					       named_g_timermgr, view->rdclass,
+					       cachename, "rbt", 0, NULL,
+					       &cache));
+			isc_mem_detach(&cmctx);
+			isc_mem_detach(&hmctx);
+		}
+		nsc = isc_mem_get(mctx, sizeof(*nsc));
+		nsc->cache = NULL;
+		dns_cache_attach(cache, &nsc->cache);
+		nsc->primaryview = view;
+		nsc->needflush = false;
+		nsc->adbsizeadjusted = false;
+		nsc->rdclass = view->rdclass;
+		ISC_LINK_INIT(nsc, link);
+		ISC_LIST_APPEND(*cachelist, nsc, link);
+	}
+	dns_view_setcache(view, cache, shared_cache);
+
+	/*
+	 * cache-file cannot be inherited if views are present, but this
+	 * should be caught by the configuration checking stage.
+	 */
+	obj = NULL;
+	result = named_config_get(maps, "cache-file", &obj);
+	if (result == ISC_R_SUCCESS && strcmp(view->name, "_bind") != 0) {
+		CHECK(dns_cache_setfilename(cache, cfg_obj_asstring(obj)));
+		if (!reused_cache && !shared_cache) {
+			CHECK(dns_cache_load(cache));
+		}
+	}
+
+	dns_cache_setcachesize(cache, max_cache_size);
+	dns_cache_setservestalettl(cache, max_stale_ttl);
+	dns_cache_setservestalerefresh(cache, stale_refresh_time);
+
+	dns_cache_detach(&cache);
+
+	obj = NULL;
+	result = named_config_get(maps, "stale-answer-ttl", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	view->staleanswerttl = ISC_MAX(cfg_obj_asduration(obj), 1);
+
+	/*
+	 * Resolver.
+	 *
+	 * XXXRTH  Hardwired number of tasks.
+	 */
+	CHECK(get_view_querysource_dispatch(
+		maps, AF_INET, &dispatch4, &dscp4,
+		(ISC_LIST_PREV(view, link) == NULL)));
+	CHECK(get_view_querysource_dispatch(
+		maps, AF_INET6, &dispatch6, &dscp6,
+		(ISC_LIST_PREV(view, link) == NULL)));
+	if (dispatch4 == NULL && dispatch6 == NULL) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "unable to obtain neither an IPv4 nor"
+				 " an IPv6 dispatch");
+		result = ISC_R_UNEXPECTED;
+		goto cleanup;
+	}
+
+	if (resstats == NULL) {
+		CHECK(isc_stats_create(mctx, &resstats,
+				       dns_resstatscounter_max));
+	}
+	dns_view_setresstats(view, resstats);
+	if (resquerystats == NULL) {
+		CHECK(dns_rdatatypestats_create(mctx, &resquerystats));
+	}
+	dns_view_setresquerystats(view, resquerystats);
+
+	ndisp = 4 * ISC_MIN(named_g_udpdisp, MAX_UDP_DISPATCH);
+	CHECK(dns_view_createresolver(
+		view, named_g_taskmgr, RESOLVER_NTASKS_PERCPU * named_g_cpus,
+		ndisp, named_g_socketmgr, named_g_timermgr, resopts,
+		named_g_dispatchmgr, dispatch4, dispatch6));
+
+	if (dscp4 == -1) {
+		dscp4 = named_g_dscp;
+	}
+	if (dscp6 == -1) {
+		dscp6 = named_g_dscp;
+	}
+	if (dscp4 != -1) {
+		dns_resolver_setquerydscp4(view->resolver, dscp4);
+	}
+	if (dscp6 != -1) {
+		dns_resolver_setquerydscp6(view->resolver, dscp6);
+	}
+
+	/*
+	 * Set the ADB cache size to 1/8th of the max-cache-size or
+	 * MAX_ADB_SIZE_FOR_CACHESHARE when the cache is shared.
+	 */
+	max_adb_size = 0;
+	if (max_cache_size != 0U) {
+		max_adb_size = max_cache_size / 8;
+		if (max_adb_size == 0U) {
+			max_adb_size = 1; /* Force minimum. */
+		}
+		if (view != nsc->primaryview &&
+		    max_adb_size > MAX_ADB_SIZE_FOR_CACHESHARE)
+		{
+			max_adb_size = MAX_ADB_SIZE_FOR_CACHESHARE;
+			if (!nsc->adbsizeadjusted) {
+				dns_adb_setadbsize(nsc->primaryview->adb,
+						   MAX_ADB_SIZE_FOR_CACHESHARE);
+				nsc->adbsizeadjusted = true;
+			}
+		}
+	}
+	dns_adb_setadbsize(view->adb, max_adb_size);
+
+	/*
+	 * Set up ADB quotas
+	 */
+	{
+		uint32_t fps, freq;
+		double low, high, discount;
+
+		obj = NULL;
+		result = named_config_get(maps, "fetches-per-server", &obj);
+		INSIST(result == ISC_R_SUCCESS);
+		obj2 = cfg_tuple_get(obj, "fetches");
+		fps = cfg_obj_asuint32(obj2);
+		obj2 = cfg_tuple_get(obj, "response");
+		if (!cfg_obj_isvoid(obj2)) {
+			const char *resp = cfg_obj_asstring(obj2);
+			isc_result_t r = DNS_R_SERVFAIL;
+
+			if (strcasecmp(resp, "drop") == 0) {
+				r = DNS_R_DROP;
+			} else if (strcasecmp(resp, "fail") == 0) {
+				r = DNS_R_SERVFAIL;
+			} else {
+				UNREACHABLE();
+			}
+
+			dns_resolver_setquotaresponse(view->resolver,
+						      dns_quotatype_server, r);
+		}
+
+		obj = NULL;
+		result = named_config_get(maps, "fetch-quota-params", &obj);
+		INSIST(result == ISC_R_SUCCESS);
+
+		obj2 = cfg_tuple_get(obj, "frequency");
+		freq = cfg_obj_asuint32(obj2);
+
+		obj2 = cfg_tuple_get(obj, "low");
+		low = (double)cfg_obj_asfixedpoint(obj2) / 100.0;
+
+		obj2 = cfg_tuple_get(obj, "high");
+		high = (double)cfg_obj_asfixedpoint(obj2) / 100.0;
+
+		obj2 = cfg_tuple_get(obj, "discount");
+		discount = (double)cfg_obj_asfixedpoint(obj2) / 100.0;
+
+		dns_adb_setquota(view->adb, fps, freq, low, high, discount);
+	}
+
+	/*
+	 * Set resolver's lame-ttl.
+	 */
+	obj = NULL;
+	result = named_config_get(maps, "lame-ttl", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	lame_ttl = cfg_obj_asduration(obj);
+	if (lame_ttl > 0) {
+		cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING,
+			    "disabling lame cache despite lame-ttl > 0 as it "
+			    "may cause performance issues");
+		lame_ttl = 0;
+	}
+	dns_resolver_setlamettl(view->resolver, lame_ttl);
+
+	/*
+	 * Set the resolver's query timeout.
+	 */
+	obj = NULL;
+	result = named_config_get(maps, "resolver-query-timeout", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	query_timeout = cfg_obj_asuint32(obj);
+	dns_resolver_settimeout(view->resolver, query_timeout);
+
+	/*
+	 * Adjust stale-answer-client-timeout upper bound
+	 * to be resolver-query-timeout - 1s.
+	 * This assignment is safe as dns_resolver_settimeout()
+	 * ensures that resolver->querytimeout value will be in the
+	 * [MINIMUM_QUERY_TIMEOUT, MAXIMUM_QUERY_TIMEOUT] range and
+	 * MINIMUM_QUERY_TIMEOUT is > 1000 (in ms).
+	 */
+	if (view->staleanswerclienttimeout != (uint32_t)-1 &&
+	    view->staleanswerclienttimeout >
+		    (dns_resolver_gettimeout(view->resolver) - 1000))
+	{
+		view->staleanswerclienttimeout =
+			dns_resolver_gettimeout(view->resolver) - 1000;
+		isc_log_write(
+			named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING,
+			"stale-answer-client-timeout adjusted to %" PRIu32,
+			view->staleanswerclienttimeout);
+	}
+
+	/* Specify whether to use 0-TTL for negative response for SOA query */
+	dns_resolver_setzeronosoattl(view->resolver, zero_no_soattl);
+
+	/*
+	 * Set the resolver's EDNS UDP size.
+	 */
+	obj = NULL;
+	result = named_config_get(maps, "edns-udp-size", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	udpsize = cfg_obj_asuint32(obj);
+	if (udpsize < 512) {
+		udpsize = 512;
+	}
+	if (udpsize > 4096) {
+		udpsize = 4096;
+	}
+	dns_resolver_setudpsize(view->resolver, (uint16_t)udpsize);
+
+	/*
+	 * Set the maximum UDP response size.
+	 */
+	obj = NULL;
+	result = named_config_get(maps, "max-udp-size", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	udpsize = cfg_obj_asuint32(obj);
+	if (udpsize < 512) {
+		udpsize = 512;
+	}
+	if (udpsize > 4096) {
+		udpsize = 4096;
+	}
+	view->maxudp = udpsize;
+
+	/*
+	 * Set the maximum UDP when a COOKIE is not provided.
+	 */
+	obj = NULL;
+	result = named_config_get(maps, "nocookie-udp-size", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	udpsize = cfg_obj_asuint32(obj);
+	if (udpsize < 128) {
+		udpsize = 128;
+	}
+	if (udpsize > view->maxudp) {
+		udpsize = view->maxudp;
+	}
+	view->nocookieudp = udpsize;
+
+	/*
+	 * Set the maximum rsa exponent bits.
+	 */
+	obj = NULL;
+	result = named_config_get(maps, "max-rsa-exponent-size", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	maxbits = cfg_obj_asuint32(obj);
+	if (maxbits != 0 && maxbits < 35) {
+		maxbits = 35;
+	}
+	if (maxbits > 4096) {
+		maxbits = 4096;
+	}
+	view->maxbits = maxbits;
+
+	/*
+	 * Set resolver retry parameters.
+	 */
+	obj = NULL;
+	CHECK(named_config_get(maps, "resolver-retry-interval", &obj));
+	resolver_param = cfg_obj_asuint32(obj);
+	if (resolver_param > 0) {
+		dns_resolver_setretryinterval(view->resolver, resolver_param);
+	}
+
+	obj = NULL;
+	CHECK(named_config_get(maps, "resolver-nonbackoff-tries", &obj));
+	resolver_param = cfg_obj_asuint32(obj);
+	if (resolver_param > 0) {
+		dns_resolver_setnonbackofftries(view->resolver, resolver_param);
+	}
+
+	/*
+	 * Set supported DNSSEC algorithms.
+	 */
+	dns_resolver_reset_algorithms(view->resolver);
+	disabled = NULL;
+	(void)named_config_get(maps, "disable-algorithms", &disabled);
+	if (disabled != NULL) {
+		for (element = cfg_list_first(disabled); element != NULL;
+		     element = cfg_list_next(element))
+		{
+			CHECK(disable_algorithms(cfg_listelt_value(element),
+						 view->resolver));
+		}
+	}
+
+	/*
+	 * Set supported DS digest types.
+	 */
+	dns_resolver_reset_ds_digests(view->resolver);
+	disabled = NULL;
+	(void)named_config_get(maps, "disable-ds-digests", &disabled);
+	if (disabled != NULL) {
+		for (element = cfg_list_first(disabled); element != NULL;
+		     element = cfg_list_next(element))
+		{
+			CHECK(disable_ds_digests(cfg_listelt_value(element),
+						 view->resolver));
+		}
+	}
+
+	/*
+	 * A global or view "forwarders" option, if present,
+	 * creates an entry for "." in the forwarding table.
+	 */
+	forwardtype = NULL;
+	forwarders = NULL;
+	(void)named_config_get(maps, "forward", &forwardtype);
+	(void)named_config_get(maps, "forwarders", &forwarders);
+	if (forwarders != NULL) {
+		CHECK(configure_forward(config, view, dns_rootname, forwarders,
+					forwardtype));
+	}
+
+	/*
+	 * Dual Stack Servers.
+	 */
+	alternates = NULL;
+	(void)named_config_get(maps, "dual-stack-servers", &alternates);
+	if (alternates != NULL) {
+		CHECK(configure_alternates(config, view, alternates));
+	}
+
+	/*
+	 * We have default hints for class IN if we need them.
+	 */
+	if (view->rdclass == dns_rdataclass_in && view->hints == NULL) {
+		dns_view_sethints(view, named_g_server->in_roothints);
+	}
+
+	/*
+	 * If we still have no hints, this is a non-IN view with no
+	 * "hints zone" configured.  Issue a warning, except if this
+	 * is a root server.  Root servers never need to consult
+	 * their hints, so it's no point requiring users to configure
+	 * them.
+	 */
+	if (view->hints == NULL) {
+		dns_zone_t *rootzone = NULL;
+		(void)dns_view_findzone(view, dns_rootname, &rootzone);
+		if (rootzone != NULL) {
+			dns_zone_detach(&rootzone);
+			need_hints = false;
+		}
+		if (need_hints) {
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING,
+				      "no root hints for view '%s'",
+				      view->name);
+		}
+	}
+
+	/*
+	 * Configure the view's TSIG keys.
+	 */
+	CHECK(named_tsigkeyring_fromconfig(config, vconfig, view->mctx, &ring));
+	if (named_g_server->sessionkey != NULL) {
+		CHECK(dns_tsigkeyring_add(ring, named_g_server->session_keyname,
+					  named_g_server->sessionkey));
+	}
+	dns_view_setkeyring(view, ring);
+	dns_tsigkeyring_detach(&ring);
+
+	/*
+	 * See if we can re-use a dynamic key ring.
+	 */
+	result = dns_viewlist_find(&named_g_server->viewlist, view->name,
+				   view->rdclass, &pview);
+	if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	if (pview != NULL) {
+		dns_view_getdynamickeyring(pview, &ring);
+		if (ring != NULL) {
+			dns_view_setdynamickeyring(view, ring);
+		}
+		dns_tsigkeyring_detach(&ring);
+		dns_view_detach(&pview);
+	} else {
+		dns_view_restorekeyring(view);
+	}
+
+	/*
+	 * Configure the view's peer list.
+	 */
+	{
+		const cfg_obj_t *peers = NULL;
+		dns_peerlist_t *newpeers = NULL;
+
+		(void)named_config_get(cfgmaps, "server", &peers);
+		CHECK(dns_peerlist_new(mctx, &newpeers));
+		for (element = cfg_list_first(peers); element != NULL;
+		     element = cfg_list_next(element))
+		{
+			const cfg_obj_t *cpeer = cfg_listelt_value(element);
+			dns_peer_t *peer;
+
+			CHECK(configure_peer(cpeer, mctx, &peer));
+			dns_peerlist_addpeer(newpeers, peer);
+			dns_peer_detach(&peer);
+		}
+		dns_peerlist_detach(&view->peers);
+		view->peers = newpeers; /* Transfer ownership. */
+	}
+
+	/*
+	 *	Configure the views rrset-order.
+	 */
+	{
+		const cfg_obj_t *rrsetorder = NULL;
+
+		(void)named_config_get(maps, "rrset-order", &rrsetorder);
+		CHECK(dns_order_create(mctx, &order));
+		for (element = cfg_list_first(rrsetorder); element != NULL;
+		     element = cfg_list_next(element))
+		{
+			const cfg_obj_t *ent = cfg_listelt_value(element);
+
+			CHECK(configure_order(order, ent));
+		}
+		if (view->order != NULL) {
+			dns_order_detach(&view->order);
+		}
+		dns_order_attach(order, &view->order);
+		dns_order_detach(&order);
+	}
+	/*
+	 * Copy the aclenv object.
+	 */
+	dns_aclenv_copy(&view->aclenv, ns_interfacemgr_getaclenv(
+					       named_g_server->interfacemgr));
+
+	/*
+	 * Configure the "match-clients" and "match-destinations" ACL.
+	 * (These are only meaningful at the view level, but 'config'
+	 * must be passed so that named ACLs defined at the global level
+	 * can be retrieved.)
+	 */
+	CHECK(configure_view_acl(vconfig, config, NULL, "match-clients", NULL,
+				 actx, named_g_mctx, &view->matchclients));
+	CHECK(configure_view_acl(vconfig, config, NULL, "match-destinations",
+				 NULL, actx, named_g_mctx,
+				 &view->matchdestinations));
+
+	/*
+	 * Configure the "match-recursive-only" option.
+	 */
+	obj = NULL;
+	(void)named_config_get(maps, "match-recursive-only", &obj);
+	if (obj != NULL && cfg_obj_asboolean(obj)) {
+		view->matchrecursiveonly = true;
+	} else {
+		view->matchrecursiveonly = false;
+	}
+
+	/*
+	 * Configure other configurable data.
+	 */
+	obj = NULL;
+	result = named_config_get(maps, "recursion", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	view->recursion = cfg_obj_asboolean(obj);
+
+	obj = NULL;
+	result = named_config_get(maps, "qname-minimization", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	qminmode = cfg_obj_asstring(obj);
+	INSIST(qminmode != NULL);
+	if (!strcmp(qminmode, "strict")) {
+		view->qminimization = true;
+		view->qmin_strict = true;
+	} else if (!strcmp(qminmode, "relaxed")) {
+		view->qminimization = true;
+		view->qmin_strict = false;
+	} else { /* "disabled" or "off" */
+		view->qminimization = false;
+		view->qmin_strict = false;
+	}
+
+	obj = NULL;
+	result = named_config_get(maps, "auth-nxdomain", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	view->auth_nxdomain = cfg_obj_asboolean(obj);
+
+	obj = NULL;
+	result = named_config_get(maps, "glue-cache", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	view->use_glue_cache = cfg_obj_asboolean(obj);
+
+	obj = NULL;
+	result = named_config_get(maps, "minimal-any", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	view->minimal_any = cfg_obj_asboolean(obj);
+
+	obj = NULL;
+	result = named_config_get(maps, "minimal-responses", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	if (cfg_obj_isboolean(obj)) {
+		if (cfg_obj_asboolean(obj)) {
+			view->minimalresponses = dns_minimal_yes;
+		} else {
+			view->minimalresponses = dns_minimal_no;
+		}
+	} else {
+		str = cfg_obj_asstring(obj);
+		if (strcasecmp(str, "no-auth") == 0) {
+			view->minimalresponses = dns_minimal_noauth;
+		} else if (strcasecmp(str, "no-auth-recursive") == 0) {
+			view->minimalresponses = dns_minimal_noauthrec;
+		} else {
+			UNREACHABLE();
+		}
+	}
+
+	obj = NULL;
+	result = named_config_get(maps, "transfer-format", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	str = cfg_obj_asstring(obj);
+	if (strcasecmp(str, "many-answers") == 0) {
+		view->transfer_format = dns_many_answers;
+	} else if (strcasecmp(str, "one-answer") == 0) {
+		view->transfer_format = dns_one_answer;
+	} else {
+		UNREACHABLE();
+	}
+
+	obj = NULL;
+	result = named_config_get(maps, "trust-anchor-telemetry", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	view->trust_anchor_telemetry = cfg_obj_asboolean(obj);
+
+	obj = NULL;
+	result = named_config_get(maps, "root-key-sentinel", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	view->root_key_sentinel = cfg_obj_asboolean(obj);
+
+	/*
+	 * Set the "allow-query", "allow-query-cache", "allow-recursion",
+	 * "allow-recursion-on" and "allow-query-cache-on" ACLs if
+	 * configured in named.conf, but NOT from the global defaults.
+	 * This is done by leaving the third argument to configure_view_acl()
+	 * NULL.
+	 *
+	 * We ignore the global defaults here because these ACLs
+	 * can inherit from each other.  If any are still unset after
+	 * applying the inheritance rules, we'll look up the defaults at
+	 * that time.
+	 */
+
+	/* named.conf only */
+	CHECK(configure_view_acl(vconfig, config, NULL, "allow-query", NULL,
+				 actx, named_g_mctx, &view->queryacl));
+
+	/* named.conf only */
+	CHECK(configure_view_acl(vconfig, config, NULL, "allow-query-cache",
+				 NULL, actx, named_g_mctx, &view->cacheacl));
+	/* named.conf only */
+	CHECK(configure_view_acl(vconfig, config, NULL, "allow-query-cache-on",
+				 NULL, actx, named_g_mctx, &view->cacheonacl));
+
+	if (strcmp(view->name, "_bind") != 0 &&
+	    view->rdclass != dns_rdataclass_chaos)
+	{
+		/* named.conf only */
+		CHECK(configure_view_acl(vconfig, config, NULL,
+					 "allow-recursion", NULL, actx,
+					 named_g_mctx, &view->recursionacl));
+		/* named.conf only */
+		CHECK(configure_view_acl(vconfig, config, NULL,
+					 "allow-recursion-on", NULL, actx,
+					 named_g_mctx, &view->recursiononacl));
+	}
+
+	if (view->recursion) {
+		/*
+		 * "allow-query-cache" inherits from "allow-recursion" if set,
+		 * otherwise from "allow-query" if set.
+		 */
+		if (view->cacheacl == NULL) {
+			if (view->recursionacl != NULL) {
+				dns_acl_attach(view->recursionacl,
+					       &view->cacheacl);
+			} else if (view->queryacl != NULL) {
+				dns_acl_attach(view->queryacl, &view->cacheacl);
+			}
+		}
+
+		/*
+		 * "allow-recursion" inherits from "allow-query-cache" if set,
+		 * otherwise from "allow-query" if set.
+		 */
+		if (view->recursionacl == NULL) {
+			if (view->cacheacl != NULL) {
+				dns_acl_attach(view->cacheacl,
+					       &view->recursionacl);
+			} else if (view->queryacl != NULL) {
+				dns_acl_attach(view->queryacl,
+					       &view->recursionacl);
+			}
+		}
+
+		/*
+		 * "allow-query-cache-on" inherits from "allow-recursion-on"
+		 * if set.
+		 */
+		if (view->cacheonacl == NULL) {
+			if (view->recursiononacl != NULL) {
+				dns_acl_attach(view->recursiononacl,
+					       &view->cacheonacl);
+			}
+		}
+
+		/*
+		 * "allow-recursion-on" inherits from "allow-query-cache-on"
+		 * if set.
+		 */
+		if (view->recursiononacl == NULL) {
+			if (view->cacheonacl != NULL) {
+				dns_acl_attach(view->cacheonacl,
+					       &view->recursiononacl);
+			}
+		}
+
+		/*
+		 * If any are still unset at this point, we now get default
+		 * values for from the global config.
+		 */
+
+		if (view->recursionacl == NULL) {
+			/* global default only */
+			CHECK(configure_view_acl(
+				NULL, NULL, named_g_config, "allow-recursion",
+				NULL, actx, named_g_mctx, &view->recursionacl));
+		}
+		if (view->recursiononacl == NULL) {
+			/* global default only */
+			CHECK(configure_view_acl(NULL, NULL, named_g_config,
+						 "allow-recursion-on", NULL,
+						 actx, named_g_mctx,
+						 &view->recursiononacl));
+		}
+		if (view->cacheacl == NULL) {
+			/* global default only */
+			CHECK(configure_view_acl(
+				NULL, NULL, named_g_config, "allow-query-cache",
+				NULL, actx, named_g_mctx, &view->cacheacl));
+		}
+		if (view->cacheonacl == NULL) {
+			/* global default only */
+			CHECK(configure_view_acl(NULL, NULL, named_g_config,
+						 "allow-query-cache-on", NULL,
+						 actx, named_g_mctx,
+						 &view->cacheonacl));
+		}
+	} else {
+		/*
+		 * We're not recursive; if the query-cache ACLs haven't
+		 * been set at the options/view level, set them to none.
+		 */
+		if (view->cacheacl == NULL) {
+			CHECK(dns_acl_none(mctx, &view->cacheacl));
+		}
+		if (view->cacheonacl == NULL) {
+			CHECK(dns_acl_none(mctx, &view->cacheonacl));
+		}
+	}
+
+	/*
+	 * Finished setting recursion and query-cache ACLs, so now we
+	 * can get the allow-query default if it wasn't set in named.conf
+	 */
+	if (view->queryacl == NULL) {
+		/* global default only */
+		CHECK(configure_view_acl(NULL, NULL, named_g_config,
+					 "allow-query", NULL, actx,
+					 named_g_mctx, &view->queryacl));
+	}
+
+	/*
+	 * Ignore case when compressing responses to the specified
+	 * clients. This causes case not always to be preserved,
+	 * and is needed by some broken clients.
+	 */
+	CHECK(configure_view_acl(vconfig, config, named_g_config,
+				 "no-case-compress", NULL, actx, named_g_mctx,
+				 &view->nocasecompress));
+
+	/*
+	 * Disable name compression completely, this is a tradeoff
+	 * between CPU and network usage.
+	 */
+	obj = NULL;
+	result = named_config_get(maps, "message-compression", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	view->msgcompression = cfg_obj_asboolean(obj);
+
+	/*
+	 * Filter setting on addresses in the answer section.
+	 */
+	CHECK(configure_view_acl(vconfig, config, named_g_config,
+				 "deny-answer-addresses", "acl", actx,
+				 named_g_mctx, &view->denyansweracl));
+	CHECK(configure_view_nametable(vconfig, config, "deny-answer-addresses",
+				       "except-from", named_g_mctx,
+				       &view->answeracl_exclude));
+
+	/*
+	 * Filter setting on names (CNAME/DNAME targets) in the answer section.
+	 */
+	CHECK(configure_view_nametable(vconfig, config, "deny-answer-aliases",
+				       "name", named_g_mctx,
+				       &view->denyanswernames));
+	CHECK(configure_view_nametable(vconfig, config, "deny-answer-aliases",
+				       "except-from", named_g_mctx,
+				       &view->answernames_exclude));
+
+	/*
+	 * Configure sortlist, if set
+	 */
+	CHECK(configure_view_sortlist(vconfig, config, actx, named_g_mctx,
+				      &view->sortlist));
+
+	/*
+	 * Configure default allow-update and allow-update-forwarding ACLs,
+	 * so they can be inherited by zones. (XXX: These are not
+	 * read from the options/view level here. However, they may be
+	 * read from there in zoneconf.c:configure_zone_acl() later.)
+	 */
+	if (view->updateacl == NULL) {
+		CHECK(configure_view_acl(NULL, NULL, named_g_config,
+					 "allow-update", NULL, actx,
+					 named_g_mctx, &view->updateacl));
+	}
+	if (view->upfwdacl == NULL) {
+		CHECK(configure_view_acl(NULL, NULL, named_g_config,
+					 "allow-update-forwarding", NULL, actx,
+					 named_g_mctx, &view->upfwdacl));
+	}
+
+	/*
+	 * Configure default allow-transfer and allow-notify ACLs so they
+	 * can be inherited by zones.
+	 */
+	if (view->transferacl == NULL) {
+		CHECK(configure_view_acl(vconfig, config, named_g_config,
+					 "allow-transfer", NULL, actx,
+					 named_g_mctx, &view->transferacl));
+	}
+	if (view->notifyacl == NULL) {
+		CHECK(configure_view_acl(vconfig, config, named_g_config,
+					 "allow-notify", NULL, actx,
+					 named_g_mctx, &view->notifyacl));
+	}
+
+	obj = NULL;
+	result = named_config_get(maps, "provide-ixfr", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	view->provideixfr = cfg_obj_asboolean(obj);
+
+	obj = NULL;
+	result = named_config_get(maps, "request-nsid", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	view->requestnsid = cfg_obj_asboolean(obj);
+
+	obj = NULL;
+	result = named_config_get(maps, "send-cookie", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	view->sendcookie = cfg_obj_asboolean(obj);
+
+	obj = NULL;
+	if (view->pad_acl != NULL) {
+		dns_acl_detach(&view->pad_acl);
+	}
+	result = named_config_get(optionmaps, "response-padding", &obj);
+	if (result == ISC_R_SUCCESS) {
+		const cfg_obj_t *padobj = cfg_tuple_get(obj, "block-size");
+		const cfg_obj_t *aclobj = cfg_tuple_get(obj, "acl");
+		uint32_t padding = cfg_obj_asuint32(padobj);
+
+		if (padding > 512U) {
+			cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING,
+				    "response-padding block-size cannot "
+				    "exceed 512: lowering");
+			padding = 512U;
+		}
+		view->padding = (uint16_t)padding;
+		CHECK(cfg_acl_fromconfig(aclobj, config, named_g_lctx, actx,
+					 named_g_mctx, 0, &view->pad_acl));
+	}
+
+	obj = NULL;
+	result = named_config_get(maps, "require-server-cookie", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	view->requireservercookie = cfg_obj_asboolean(obj);
+
+	obj = NULL;
+	result = named_config_get(maps, "v6-bias", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	view->v6bias = cfg_obj_asuint32(obj) * 1000;
+
+	obj = NULL;
+	result = named_config_get(maps, "max-clients-per-query", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	max_clients_per_query = cfg_obj_asuint32(obj);
+
+	obj = NULL;
+	result = named_config_get(maps, "clients-per-query", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	dns_resolver_setclientsperquery(view->resolver, cfg_obj_asuint32(obj),
+					max_clients_per_query);
+
+	obj = NULL;
+	result = named_config_get(maps, "max-recursion-depth", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	dns_resolver_setmaxdepth(view->resolver, cfg_obj_asuint32(obj));
+
+	obj = NULL;
+	result = named_config_get(maps, "max-recursion-queries", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	dns_resolver_setmaxqueries(view->resolver, cfg_obj_asuint32(obj));
+
+	obj = NULL;
+	result = named_config_get(maps, "fetches-per-zone", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	obj2 = cfg_tuple_get(obj, "fetches");
+	dns_resolver_setfetchesperzone(view->resolver, cfg_obj_asuint32(obj2));
+	obj2 = cfg_tuple_get(obj, "response");
+	if (!cfg_obj_isvoid(obj2)) {
+		const char *resp = cfg_obj_asstring(obj2);
+		isc_result_t r = DNS_R_SERVFAIL;
+
+		if (strcasecmp(resp, "drop") == 0) {
+			r = DNS_R_DROP;
+		} else if (strcasecmp(resp, "fail") == 0) {
+			r = DNS_R_SERVFAIL;
+		} else {
+			UNREACHABLE();
+		}
+
+		dns_resolver_setquotaresponse(view->resolver,
+					      dns_quotatype_zone, r);
+	}
+
+	obj = NULL;
+	result = named_config_get(maps, "prefetch", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	prefetch_trigger = cfg_tuple_get(obj, "trigger");
+	view->prefetch_trigger = cfg_obj_asuint32(prefetch_trigger);
+	if (view->prefetch_trigger > 10) {
+		view->prefetch_trigger = 10;
+	}
+	prefetch_eligible = cfg_tuple_get(obj, "eligible");
+	if (cfg_obj_isvoid(prefetch_eligible)) {
+		int m;
+		for (m = 1; maps[m] != NULL; m++) {
+			obj = NULL;
+			result = named_config_get(&maps[m], "prefetch", &obj);
+			INSIST(result == ISC_R_SUCCESS);
+			prefetch_eligible = cfg_tuple_get(obj, "eligible");
+			if (cfg_obj_isuint32(prefetch_eligible)) {
+				break;
+			}
+		}
+		INSIST(cfg_obj_isuint32(prefetch_eligible));
+	}
+	view->prefetch_eligible = cfg_obj_asuint32(prefetch_eligible);
+	if (view->prefetch_eligible < view->prefetch_trigger + 6) {
+		view->prefetch_eligible = view->prefetch_trigger + 6;
+	}
+
+	/*
+	 * For now, there is only one kind of trusted keys, the
+	 * "security roots".
+	 */
+	CHECK(configure_view_dnsseckeys(view, vconfig, config, bindkeys,
+					auto_root, mctx));
+	dns_resolver_resetmustbesecure(view->resolver);
+	obj = NULL;
+	result = named_config_get(maps, "dnssec-must-be-secure", &obj);
+	if (result == ISC_R_SUCCESS) {
+		CHECK(mustbesecure(obj, view->resolver));
+	}
+
+	obj = NULL;
+	result = named_config_get(maps, "nta-recheck", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	view->nta_recheck = cfg_obj_asduration(obj);
+
+	obj = NULL;
+	result = named_config_get(maps, "nta-lifetime", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	view->nta_lifetime = cfg_obj_asduration(obj);
+
+	obj = NULL;
+	result = named_config_get(maps, "preferred-glue", &obj);
+	if (result == ISC_R_SUCCESS) {
+		str = cfg_obj_asstring(obj);
+		if (strcasecmp(str, "a") == 0) {
+			view->preferred_glue = dns_rdatatype_a;
+		} else if (strcasecmp(str, "aaaa") == 0) {
+			view->preferred_glue = dns_rdatatype_aaaa;
+		} else {
+			view->preferred_glue = 0;
+		}
+	} else {
+		view->preferred_glue = 0;
+	}
+
+	obj = NULL;
+	result = named_config_get(maps, "root-delegation-only", &obj);
+	if (result == ISC_R_SUCCESS) {
+		dns_view_setrootdelonly(view, true);
+	}
+	if (result == ISC_R_SUCCESS && !cfg_obj_isvoid(obj)) {
+		const cfg_obj_t *exclude;
+		dns_fixedname_t fixed;
+		dns_name_t *name;
+
+		name = dns_fixedname_initname(&fixed);
+		for (element = cfg_list_first(obj); element != NULL;
+		     element = cfg_list_next(element))
+		{
+			exclude = cfg_listelt_value(element);
+			CHECK(dns_name_fromstring(
+				name, cfg_obj_asstring(exclude), 0, NULL));
+			CHECK(dns_view_excludedelegationonly(view, name));
+		}
+	} else {
+		dns_view_setrootdelonly(view, false);
+	}
+
+	/*
+	 * Load DynDB modules.
+	 */
+	dyndb_list = NULL;
+	if (voptions != NULL) {
+		(void)cfg_map_get(voptions, "dyndb", &dyndb_list);
+	} else {
+		(void)cfg_map_get(config, "dyndb", &dyndb_list);
+	}
+
+#ifdef HAVE_DLOPEN
+	for (element = cfg_list_first(dyndb_list); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		const cfg_obj_t *dyndb = cfg_listelt_value(element);
+
+		if (dctx == NULL) {
+			const void *hashinit = isc_hash_get_initializer();
+			CHECK(dns_dyndb_createctx(mctx, hashinit, named_g_lctx,
+						  view, named_g_server->zonemgr,
+						  named_g_server->task,
+						  named_g_timermgr, &dctx));
+		}
+
+		CHECK(configure_dyndb(dyndb, mctx, dctx));
+	}
+#endif /* ifdef HAVE_DLOPEN */
+
+	/*
+	 * Load plugins.
+	 */
+	plugin_list = NULL;
+	if (voptions != NULL) {
+		(void)cfg_map_get(voptions, "plugin", &plugin_list);
+	} else {
+		(void)cfg_map_get(config, "plugin", &plugin_list);
+	}
+
+#ifdef HAVE_DLOPEN
+	if (plugin_list != NULL) {
+		INSIST(view->hooktable == NULL);
+		CHECK(ns_hooktable_create(view->mctx,
+					  (ns_hooktable_t **)&view->hooktable));
+		view->hooktable_free = ns_hooktable_free;
+
+		ns_plugins_create(view->mctx, (ns_plugins_t **)&view->plugins);
+		view->plugins_free = ns_plugins_free;
+
+		CHECK(cfg_pluginlist_foreach(config, plugin_list, named_g_lctx,
+					     register_one_plugin, view));
+	}
+#endif /* ifdef HAVE_DLOPEN */
+
+	/*
+	 * Setup automatic empty zones.  If recursion is off then
+	 * they are disabled by default.
+	 */
+	obj = NULL;
+	(void)named_config_get(maps, "empty-zones-enable", &obj);
+	(void)named_config_get(maps, "disable-empty-zone", &disablelist);
+	if (obj == NULL && disablelist == NULL &&
+	    view->rdclass == dns_rdataclass_in)
+	{
+		empty_zones_enable = view->recursion;
+	} else if (view->rdclass == dns_rdataclass_in) {
+		if (obj != NULL) {
+			empty_zones_enable = cfg_obj_asboolean(obj);
+		} else {
+			empty_zones_enable = view->recursion;
+		}
+	} else {
+		empty_zones_enable = false;
+	}
+
+	if (empty_zones_enable) {
+		const char *empty;
+		int empty_zone = 0;
+		dns_fixedname_t fixed;
+		dns_name_t *name;
+		isc_buffer_t buffer;
+		char server[DNS_NAME_FORMATSIZE + 1];
+		char contact[DNS_NAME_FORMATSIZE + 1];
+		const char *empty_dbtype[4] = { "_builtin", "empty", NULL,
+						NULL };
+		int empty_dbtypec = 4;
+		dns_zonestat_level_t statlevel = dns_zonestat_none;
+
+		name = dns_fixedname_initname(&fixed);
+
+		obj = NULL;
+		result = named_config_get(maps, "empty-server", &obj);
+		if (result == ISC_R_SUCCESS) {
+			CHECK(dns_name_fromstring(name, cfg_obj_asstring(obj),
+						  0, NULL));
+			isc_buffer_init(&buffer, server, sizeof(server) - 1);
+			CHECK(dns_name_totext(name, false, &buffer));
+			server[isc_buffer_usedlength(&buffer)] = 0;
+			empty_dbtype[2] = server;
+		} else {
+			empty_dbtype[2] = "@";
+		}
+
+		obj = NULL;
+		result = named_config_get(maps, "empty-contact", &obj);
+		if (result == ISC_R_SUCCESS) {
+			CHECK(dns_name_fromstring(name, cfg_obj_asstring(obj),
+						  0, NULL));
+			isc_buffer_init(&buffer, contact, sizeof(contact) - 1);
+			CHECK(dns_name_totext(name, false, &buffer));
+			contact[isc_buffer_usedlength(&buffer)] = 0;
+			empty_dbtype[3] = contact;
+		} else {
+			empty_dbtype[3] = ".";
+		}
+
+		obj = NULL;
+		result = named_config_get(maps, "zone-statistics", &obj);
+		INSIST(result == ISC_R_SUCCESS);
+		if (cfg_obj_isboolean(obj)) {
+			if (cfg_obj_asboolean(obj)) {
+				statlevel = dns_zonestat_full;
+			} else {
+				statlevel = dns_zonestat_none;
+			}
+		} else {
+			const char *levelstr = cfg_obj_asstring(obj);
+			if (strcasecmp(levelstr, "full") == 0) {
+				statlevel = dns_zonestat_full;
+			} else if (strcasecmp(levelstr, "terse") == 0) {
+				statlevel = dns_zonestat_terse;
+			} else if (strcasecmp(levelstr, "none") == 0) {
+				statlevel = dns_zonestat_none;
+			} else {
+				UNREACHABLE();
+			}
+		}
+
+		for (empty = empty_zones[empty_zone]; empty != NULL;
+		     empty = empty_zones[++empty_zone])
+		{
+			dns_forwarders_t *dnsforwarders = NULL;
+
+			/*
+			 * Look for zone on drop list.
+			 */
+			CHECK(dns_name_fromstring(name, empty, 0, NULL));
+			if (disablelist != NULL &&
+			    on_disable_list(disablelist, name))
+			{
+				continue;
+			}
+
+			/*
+			 * This zone already exists.
+			 */
+			(void)dns_view_findzone(view, name, &zone);
+			if (zone != NULL) {
+				dns_zone_detach(&zone);
+				continue;
+			}
+
+			/*
+			 * If we would forward this name don't add a
+			 * empty zone for it.
+			 */
+			result = dns_fwdtable_find(view->fwdtable, name, NULL,
+						   &dnsforwarders);
+			if (result == ISC_R_SUCCESS &&
+			    dnsforwarders->fwdpolicy == dns_fwdpolicy_only)
+			{
+				continue;
+			}
+
+			/*
+			 * See if we can re-use a existing zone.
+			 */
+			result = dns_viewlist_find(&named_g_server->viewlist,
+						   view->name, view->rdclass,
+						   &pview);
+			if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
+			{
+				goto cleanup;
+			}
+
+			if (pview != NULL) {
+				(void)dns_view_findzone(pview, name, &zone);
+				dns_view_detach(&pview);
+			}
+
+			CHECK(create_empty_zone(zone, name, view, zonelist,
+						empty_dbtype, empty_dbtypec,
+						statlevel));
+			if (zone != NULL) {
+				dns_zone_detach(&zone);
+			}
+		}
+	}
+
+	obj = NULL;
+	result = named_config_get(maps, "rate-limit", &obj);
+	if (result == ISC_R_SUCCESS) {
+		result = configure_rrl(view, config, obj);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+	}
+
+	/*
+	 * Set the servfail-ttl.
+	 */
+	obj = NULL;
+	result = named_config_get(maps, "servfail-ttl", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	fail_ttl = cfg_obj_asduration(obj);
+	if (fail_ttl > 30) {
+		fail_ttl = 30;
+	}
+	dns_view_setfailttl(view, fail_ttl);
+
+	/*
+	 * Name space to look up redirect information in.
+	 */
+	obj = NULL;
+	result = named_config_get(maps, "nxdomain-redirect", &obj);
+	if (result == ISC_R_SUCCESS) {
+		dns_name_t *name = dns_fixedname_name(&view->redirectfixed);
+		CHECK(dns_name_fromstring(name, cfg_obj_asstring(obj), 0,
+					  NULL));
+		view->redirectzone = name;
+	} else {
+		view->redirectzone = NULL;
+	}
+
+	/*
+	 * Exceptions to DNSSEC validation.
+	 */
+	obj = NULL;
+	result = named_config_get(maps, "validate-except", &obj);
+	if (result == ISC_R_SUCCESS) {
+		result = dns_view_getntatable(view, &ntatable);
+	}
+	if (result == ISC_R_SUCCESS) {
+		for (element = cfg_list_first(obj); element != NULL;
+		     element = cfg_list_next(element))
+		{
+			dns_fixedname_t fntaname;
+			dns_name_t *ntaname;
+
+			ntaname = dns_fixedname_initname(&fntaname);
+			obj = cfg_listelt_value(element);
+			CHECK(dns_name_fromstring(
+				ntaname, cfg_obj_asstring(obj), 0, NULL));
+			CHECK(dns_ntatable_add(ntatable, ntaname, true, 0,
+					       0xffffffffU));
+		}
+	}
+
+#ifdef HAVE_DNSTAP
+	/*
+	 * Set up the dnstap environment and configure message
+	 * types to log.
+	 */
+	CHECK(configure_dnstap(maps, view));
+#endif /* HAVE_DNSTAP */
+
+	result = ISC_R_SUCCESS;
+
+cleanup:
+	/*
+	 * Revert to the old view if there was an error.
+	 */
+	if (result != ISC_R_SUCCESS) {
+		isc_result_t result2;
+
+		result2 = dns_viewlist_find(&named_g_server->viewlist,
+					    view->name, view->rdclass, &pview);
+		if (result2 == ISC_R_SUCCESS) {
+			dns_view_thaw(pview);
+
+			obj = NULL;
+			if (rpz_configured &&
+			    pview->rdclass == dns_rdataclass_in && need_hints &&
+			    named_config_get(maps, "response-policy", &obj) ==
+				    ISC_R_SUCCESS)
+			{
+				/*
+				 * We are swapping the places of the `view` and
+				 * `pview` in the function's parameters list
+				 * because we are reverting the same operation
+				 * done previously in the "correct" order.
+				 */
+				result2 = configure_rpz(pview, view, maps, obj,
+							&old_rpz_ok);
+				if (result2 != ISC_R_SUCCESS) {
+					isc_log_write(named_g_lctx,
+						      NAMED_LOGCATEGORY_GENERAL,
+						      NAMED_LOGMODULE_SERVER,
+						      ISC_LOG_ERROR,
+						      "rpz configuration "
+						      "revert failed for view "
+						      "'%s'",
+						      pview->name);
+				}
+			}
+
+			obj = NULL;
+			if (catz_configured &&
+			    pview->rdclass == dns_rdataclass_in && need_hints &&
+			    named_config_get(maps, "catalog-zones", &obj) ==
+				    ISC_R_SUCCESS)
+			{
+				/*
+				 * We are swapping the places of the `view` and
+				 * `pview` in the function's parameters list
+				 * because we are reverting the same operation
+				 * done previously in the "correct" order.
+				 */
+				result2 = configure_catz(pview, view, config,
+							 obj);
+				if (result2 != ISC_R_SUCCESS) {
+					isc_log_write(named_g_lctx,
+						      NAMED_LOGCATEGORY_GENERAL,
+						      NAMED_LOGMODULE_SERVER,
+						      ISC_LOG_ERROR,
+						      "catz configuration "
+						      "revert failed for view "
+						      "'%s'",
+						      pview->name);
+				}
+			}
+
+			dns_view_freeze(pview);
+		}
+
+		if (pview != NULL) {
+			dns_view_detach(&pview);
+		}
+
+		if (zone_element_latest != NULL) {
+			for (element = cfg_list_first(zonelist);
+			     element != NULL; element = cfg_list_next(element))
+			{
+				const cfg_obj_t *zconfig =
+					cfg_listelt_value(element);
+				configure_zone_setviewcommit(result, zconfig,
+							     view);
+				if (element == zone_element_latest) {
+					/*
+					 * This was the latest element that was
+					 * successfully configured earlier.
+					 */
+					break;
+				}
+			}
+		}
+	}
+
+	if (ntatable != NULL) {
+		dns_ntatable_detach(&ntatable);
+	}
+	if (clients != NULL) {
+		dns_acl_detach(&clients);
+	}
+	if (mapped != NULL) {
+		dns_acl_detach(&mapped);
+	}
+	if (excluded != NULL) {
+		dns_acl_detach(&excluded);
+	}
+	if (ring != NULL) {
+		dns_tsigkeyring_detach(&ring);
+	}
+	if (zone != NULL) {
+		dns_zone_detach(&zone);
+	}
+	if (dispatch4 != NULL) {
+		dns_dispatch_detach(&dispatch4);
+	}
+	if (dispatch6 != NULL) {
+		dns_dispatch_detach(&dispatch6);
+	}
+	if (resstats != NULL) {
+		isc_stats_detach(&resstats);
+	}
+	if (resquerystats != NULL) {
+		dns_stats_detach(&resquerystats);
+	}
+	if (order != NULL) {
+		dns_order_detach(&order);
+	}
+	if (cmctx != NULL) {
+		isc_mem_detach(&cmctx);
+	}
+	if (hmctx != NULL) {
+		isc_mem_detach(&hmctx);
+	}
+	if (cache != NULL) {
+		dns_cache_detach(&cache);
+	}
+	if (dctx != NULL) {
+		dns_dyndb_destroyctx(&dctx);
+	}
+
+	return (result);
+}
+
+static isc_result_t
+configure_hints(dns_view_t *view, const char *filename) {
+	isc_result_t result;
+	dns_db_t *db;
+
+	db = NULL;
+	result = dns_rootns_create(view->mctx, view->rdclass, filename, &db);
+	if (result == ISC_R_SUCCESS) {
+		dns_view_sethints(view, db);
+		dns_db_detach(&db);
+	}
+
+	return (result);
+}
+
+static isc_result_t
+configure_alternates(const cfg_obj_t *config, dns_view_t *view,
+		     const cfg_obj_t *alternates) {
+	const cfg_obj_t *portobj;
+	const cfg_obj_t *addresses;
+	const cfg_listelt_t *element;
+	isc_result_t result = ISC_R_SUCCESS;
+	in_port_t port;
+
+	/*
+	 * Determine which port to send requests to.
+	 */
+	CHECKM(named_config_getport(config, &port), "port");
+
+	if (alternates != NULL) {
+		portobj = cfg_tuple_get(alternates, "port");
+		if (cfg_obj_isuint32(portobj)) {
+			uint32_t val = cfg_obj_asuint32(portobj);
+			if (val > UINT16_MAX) {
+				cfg_obj_log(portobj, named_g_lctx,
+					    ISC_LOG_ERROR,
+					    "port '%u' out of range", val);
+				return (ISC_R_RANGE);
+			}
+			port = (in_port_t)val;
+		}
+	}
+
+	addresses = NULL;
+	if (alternates != NULL) {
+		addresses = cfg_tuple_get(alternates, "addresses");
+	}
+
+	for (element = cfg_list_first(addresses); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		const cfg_obj_t *alternate = cfg_listelt_value(element);
+		isc_sockaddr_t sa;
+
+		if (!cfg_obj_issockaddr(alternate)) {
+			dns_fixedname_t fixed;
+			dns_name_t *name;
+			const char *str = cfg_obj_asstring(
+				cfg_tuple_get(alternate, "name"));
+			isc_buffer_t buffer;
+			in_port_t myport = port;
+
+			isc_buffer_constinit(&buffer, str, strlen(str));
+			isc_buffer_add(&buffer, strlen(str));
+			name = dns_fixedname_initname(&fixed);
+			CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
+						NULL));
+
+			portobj = cfg_tuple_get(alternate, "port");
+			if (cfg_obj_isuint32(portobj)) {
+				uint32_t val = cfg_obj_asuint32(portobj);
+				if (val > UINT16_MAX) {
+					cfg_obj_log(portobj, named_g_lctx,
+						    ISC_LOG_ERROR,
+						    "port '%u' out of range",
+						    val);
+					return (ISC_R_RANGE);
+				}
+				myport = (in_port_t)val;
+			}
+			CHECK(dns_resolver_addalternate(view->resolver, NULL,
+							name, myport));
+			continue;
+		}
+
+		sa = *cfg_obj_assockaddr(alternate);
+		if (isc_sockaddr_getport(&sa) == 0) {
+			isc_sockaddr_setport(&sa, port);
+		}
+		CHECK(dns_resolver_addalternate(view->resolver, &sa, NULL, 0));
+	}
+
+cleanup:
+	return (result);
+}
+
+static isc_result_t
+configure_forward(const cfg_obj_t *config, dns_view_t *view,
+		  const dns_name_t *origin, const cfg_obj_t *forwarders,
+		  const cfg_obj_t *forwardtype) {
+	const cfg_obj_t *portobj, *dscpobj;
+	const cfg_obj_t *faddresses;
+	const cfg_listelt_t *element;
+	dns_fwdpolicy_t fwdpolicy = dns_fwdpolicy_none;
+	dns_forwarderlist_t fwdlist;
+	dns_forwarder_t *fwd;
+	isc_result_t result;
+	in_port_t port;
+	isc_dscp_t dscp = -1;
+
+	ISC_LIST_INIT(fwdlist);
+
+	/*
+	 * Determine which port to send forwarded requests to.
+	 */
+	CHECKM(named_config_getport(config, &port), "port");
+
+	if (forwarders != NULL) {
+		portobj = cfg_tuple_get(forwarders, "port");
+		if (cfg_obj_isuint32(portobj)) {
+			uint32_t val = cfg_obj_asuint32(portobj);
+			if (val > UINT16_MAX) {
+				cfg_obj_log(portobj, named_g_lctx,
+					    ISC_LOG_ERROR,
+					    "port '%u' out of range", val);
+				return (ISC_R_RANGE);
+			}
+			port = (in_port_t)val;
+		}
+	}
+
+	/*
+	 * DSCP value for forwarded requests.
+	 */
+	dscp = named_g_dscp;
+	if (forwarders != NULL) {
+		dscpobj = cfg_tuple_get(forwarders, "dscp");
+		if (cfg_obj_isuint32(dscpobj)) {
+			if (cfg_obj_asuint32(dscpobj) > 63) {
+				cfg_obj_log(dscpobj, named_g_lctx,
+					    ISC_LOG_ERROR,
+					    "dscp value '%u' is out of range",
+					    cfg_obj_asuint32(dscpobj));
+				return (ISC_R_RANGE);
+			}
+			dscp = (isc_dscp_t)cfg_obj_asuint32(dscpobj);
+		}
+	}
+
+	faddresses = NULL;
+	if (forwarders != NULL) {
+		faddresses = cfg_tuple_get(forwarders, "addresses");
+	}
+
+	for (element = cfg_list_first(faddresses); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		const cfg_obj_t *forwarder = cfg_listelt_value(element);
+		fwd = isc_mem_get(view->mctx, sizeof(dns_forwarder_t));
+		fwd->addr = *cfg_obj_assockaddr(forwarder);
+		if (isc_sockaddr_getport(&fwd->addr) == 0) {
+			isc_sockaddr_setport(&fwd->addr, port);
+		}
+		fwd->dscp = cfg_obj_getdscp(forwarder);
+		if (fwd->dscp == -1) {
+			fwd->dscp = dscp;
+		}
+		ISC_LINK_INIT(fwd, link);
+		ISC_LIST_APPEND(fwdlist, fwd, link);
+	}
+
+	if (ISC_LIST_EMPTY(fwdlist)) {
+		if (forwardtype != NULL) {
+			cfg_obj_log(forwardtype, named_g_lctx, ISC_LOG_WARNING,
+				    "no forwarders seen; disabling "
+				    "forwarding");
+		}
+		fwdpolicy = dns_fwdpolicy_none;
+	} else {
+		if (forwardtype == NULL) {
+			fwdpolicy = dns_fwdpolicy_first;
+		} else {
+			const char *forwardstr = cfg_obj_asstring(forwardtype);
+			if (strcasecmp(forwardstr, "first") == 0) {
+				fwdpolicy = dns_fwdpolicy_first;
+			} else if (strcasecmp(forwardstr, "only") == 0) {
+				fwdpolicy = dns_fwdpolicy_only;
+			} else {
+				UNREACHABLE();
+			}
+		}
+	}
+
+	result = dns_fwdtable_addfwd(view->fwdtable, origin, &fwdlist,
+				     fwdpolicy);
+	if (result != ISC_R_SUCCESS) {
+		char namebuf[DNS_NAME_FORMATSIZE];
+		dns_name_format(origin, namebuf, sizeof(namebuf));
+		cfg_obj_log(forwarders, named_g_lctx, ISC_LOG_WARNING,
+			    "could not set up forwarding for domain '%s': %s",
+			    namebuf, isc_result_totext(result));
+		goto cleanup;
+	}
+
+	result = ISC_R_SUCCESS;
+
+cleanup:
+
+	while (!ISC_LIST_EMPTY(fwdlist)) {
+		fwd = ISC_LIST_HEAD(fwdlist);
+		ISC_LIST_UNLINK(fwdlist, fwd, link);
+		isc_mem_put(view->mctx, fwd, sizeof(dns_forwarder_t));
+	}
+
+	return (result);
+}
+
+static isc_result_t
+get_viewinfo(const cfg_obj_t *vconfig, const char **namep,
+	     dns_rdataclass_t *classp) {
+	isc_result_t result = ISC_R_SUCCESS;
+	const char *viewname;
+	dns_rdataclass_t viewclass;
+
+	REQUIRE(namep != NULL && *namep == NULL);
+	REQUIRE(classp != NULL);
+
+	if (vconfig != NULL) {
+		const cfg_obj_t *classobj = NULL;
+
+		viewname = cfg_obj_asstring(cfg_tuple_get(vconfig, "name"));
+		classobj = cfg_tuple_get(vconfig, "class");
+		CHECK(named_config_getclass(classobj, dns_rdataclass_in,
+					    &viewclass));
+		if (dns_rdataclass_ismeta(viewclass)) {
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "view '%s': class must not be meta",
+				      viewname);
+			CHECK(ISC_R_FAILURE);
+		}
+	} else {
+		viewname = "_default";
+		viewclass = dns_rdataclass_in;
+	}
+
+	*namep = viewname;
+	*classp = viewclass;
+
+cleanup:
+	return (result);
+}
+
+/*
+ * Find a view based on its configuration info and attach to it.
+ *
+ * If 'vconfig' is NULL, attach to the default view.
+ */
+static isc_result_t
+find_view(const cfg_obj_t *vconfig, dns_viewlist_t *viewlist,
+	  dns_view_t **viewp) {
+	isc_result_t result;
+	const char *viewname = NULL;
+	dns_rdataclass_t viewclass;
+	dns_view_t *view = NULL;
+
+	result = get_viewinfo(vconfig, &viewname, &viewclass);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = dns_viewlist_find(viewlist, viewname, viewclass, &view);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	*viewp = view;
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Create a new view and add it to the list.
+ *
+ * If 'vconfig' is NULL, create the default view.
+ *
+ * The view created is attached to '*viewp'.
+ */
+static isc_result_t
+create_view(const cfg_obj_t *vconfig, dns_viewlist_t *viewlist,
+	    dns_view_t **viewp) {
+	isc_result_t result;
+	const char *viewname = NULL;
+	dns_rdataclass_t viewclass;
+	dns_view_t *view = NULL;
+
+	result = get_viewinfo(vconfig, &viewname, &viewclass);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = dns_viewlist_find(viewlist, viewname, viewclass, &view);
+	if (result == ISC_R_SUCCESS) {
+		return (ISC_R_EXISTS);
+	}
+	if (result != ISC_R_NOTFOUND) {
+		return (result);
+	}
+	INSIST(view == NULL);
+
+	result = dns_view_create(named_g_mctx, viewclass, viewname, &view);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	isc_nonce_buf(view->secret, sizeof(view->secret));
+
+	ISC_LIST_APPEND(*viewlist, view, link);
+	dns_view_attach(view, viewp);
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Configure or reconfigure a zone.
+ */
+static isc_result_t
+configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
+	       const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view,
+	       dns_viewlist_t *viewlist, dns_kasplist_t *kasplist,
+	       cfg_aclconfctx_t *aclconf, bool added, bool old_rpz_ok,
+	       bool modify) {
+	dns_view_t *pview = NULL; /* Production view */
+	dns_zone_t *zone = NULL;  /* New or reused zone */
+	dns_zone_t *raw = NULL;	  /* New or reused raw zone */
+	dns_zone_t *dupzone = NULL;
+	const cfg_obj_t *options = NULL;
+	const cfg_obj_t *zoptions = NULL;
+	const cfg_obj_t *typeobj = NULL;
+	const cfg_obj_t *forwarders = NULL;
+	const cfg_obj_t *forwardtype = NULL;
+	const cfg_obj_t *ixfrfromdiffs = NULL;
+	const cfg_obj_t *only = NULL;
+	const cfg_obj_t *viewobj = NULL;
+	isc_result_t result;
+	isc_result_t tresult;
+	isc_buffer_t buffer;
+	dns_fixedname_t fixorigin;
+	dns_name_t *origin;
+	const char *zname;
+	dns_rdataclass_t zclass;
+	const char *ztypestr;
+	dns_rpz_num_t rpz_num;
+	bool zone_is_catz = false;
+	bool zone_maybe_inline = false;
+	bool inline_signing = false;
+	bool fullsign = false;
+
+	options = NULL;
+	(void)cfg_map_get(config, "options", &options);
+
+	zoptions = cfg_tuple_get(zconfig, "options");
+
+	/*
+	 * Get the zone origin as a dns_name_t.
+	 */
+	zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
+	isc_buffer_constinit(&buffer, zname, strlen(zname));
+	isc_buffer_add(&buffer, strlen(zname));
+	dns_fixedname_init(&fixorigin);
+	CHECK(dns_name_fromtext(dns_fixedname_name(&fixorigin), &buffer,
+				dns_rootname, 0, NULL));
+	origin = dns_fixedname_name(&fixorigin);
+
+	CHECK(named_config_getclass(cfg_tuple_get(zconfig, "class"),
+				    view->rdclass, &zclass));
+	if (zclass != view->rdclass) {
+		const char *vname = NULL;
+		if (vconfig != NULL) {
+			vname = cfg_obj_asstring(
+				cfg_tuple_get(vconfig, "name"));
+		} else {
+			vname = "<default view>";
+		}
+
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+			      "zone '%s': wrong class for view '%s'", zname,
+			      vname);
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+
+	(void)cfg_map_get(zoptions, "in-view", &viewobj);
+	if (viewobj != NULL) {
+		const char *inview = cfg_obj_asstring(viewobj);
+		dns_view_t *otherview = NULL;
+
+		if (viewlist == NULL) {
+			cfg_obj_log(zconfig, named_g_lctx, ISC_LOG_ERROR,
+				    "'in-view' option is not permitted in "
+				    "dynamically added zones");
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+
+		result = dns_viewlist_find(viewlist, inview, view->rdclass,
+					   &otherview);
+		if (result != ISC_R_SUCCESS) {
+			cfg_obj_log(zconfig, named_g_lctx, ISC_LOG_ERROR,
+				    "view '%s' is not yet defined.", inview);
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+
+		result = dns_view_findzone(otherview, origin, &zone);
+		dns_view_detach(&otherview);
+		if (result != ISC_R_SUCCESS) {
+			cfg_obj_log(zconfig, named_g_lctx, ISC_LOG_ERROR,
+				    "zone '%s' not defined in view '%s'", zname,
+				    inview);
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+
+		CHECK(dns_view_addzone(view, zone));
+		dns_zone_detach(&zone);
+
+		/*
+		 * If the zone contains a 'forwarders' statement, configure
+		 * selective forwarding.  Note: this is not inherited from the
+		 * other view.
+		 */
+		forwarders = NULL;
+		result = cfg_map_get(zoptions, "forwarders", &forwarders);
+		if (result == ISC_R_SUCCESS) {
+			forwardtype = NULL;
+			(void)cfg_map_get(zoptions, "forward", &forwardtype);
+			CHECK(configure_forward(config, view, origin,
+						forwarders, forwardtype));
+		}
+		result = ISC_R_SUCCESS;
+		goto cleanup;
+	}
+
+	(void)cfg_map_get(zoptions, "type", &typeobj);
+	if (typeobj == NULL) {
+		cfg_obj_log(zconfig, named_g_lctx, ISC_LOG_ERROR,
+			    "zone '%s' 'type' not specified", zname);
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+	ztypestr = cfg_obj_asstring(typeobj);
+
+	/*
+	 * "hints zones" aren't zones.	If we've got one,
+	 * configure it and return.
+	 */
+	if (strcasecmp(ztypestr, "hint") == 0) {
+		const cfg_obj_t *fileobj = NULL;
+		if (cfg_map_get(zoptions, "file", &fileobj) != ISC_R_SUCCESS) {
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "zone '%s': 'file' not specified", zname);
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+		if (dns_name_equal(origin, dns_rootname)) {
+			const char *hintsfile = cfg_obj_asstring(fileobj);
+
+			CHECK(configure_hints(view, hintsfile));
+
+			/*
+			 * Hint zones may also refer to delegation only points.
+			 */
+			only = NULL;
+			tresult = cfg_map_get(zoptions, "delegation-only",
+					      &only);
+			if (tresult == ISC_R_SUCCESS && cfg_obj_asboolean(only))
+			{
+				CHECK(dns_view_adddelegationonly(view, origin));
+			}
+		} else {
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING,
+				      "ignoring non-root hint zone '%s'",
+				      zname);
+			result = ISC_R_SUCCESS;
+		}
+		/* Skip ordinary zone processing. */
+		goto cleanup;
+	}
+
+	/*
+	 * "forward zones" aren't zones either.  Translate this syntax into
+	 * the appropriate selective forwarding configuration and return.
+	 */
+	if (strcasecmp(ztypestr, "forward") == 0) {
+		forwardtype = NULL;
+		forwarders = NULL;
+
+		(void)cfg_map_get(zoptions, "forward", &forwardtype);
+		(void)cfg_map_get(zoptions, "forwarders", &forwarders);
+		CHECK(configure_forward(config, view, origin, forwarders,
+					forwardtype));
+
+		/*
+		 * Forward zones may also set delegation only.
+		 */
+		only = NULL;
+		tresult = cfg_map_get(zoptions, "delegation-only", &only);
+		if (tresult == ISC_R_SUCCESS && cfg_obj_asboolean(only)) {
+			CHECK(dns_view_adddelegationonly(view, origin));
+		}
+		goto cleanup;
+	}
+
+	/*
+	 * "delegation-only zones" aren't zones either.
+	 */
+	if (strcasecmp(ztypestr, "delegation-only") == 0) {
+		result = dns_view_adddelegationonly(view, origin);
+		goto cleanup;
+	}
+
+	/*
+	 * Redirect zones only require minimal configuration.
+	 */
+	if (strcasecmp(ztypestr, "redirect") == 0) {
+		if (view->redirect != NULL) {
+			cfg_obj_log(zconfig, named_g_lctx, ISC_LOG_ERROR,
+				    "redirect zone already exists");
+			result = ISC_R_EXISTS;
+			goto cleanup;
+		}
+		result = dns_viewlist_find(viewlist, view->name, view->rdclass,
+					   &pview);
+		if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+		if (pview != NULL && pview->redirect != NULL) {
+			dns_zone_attach(pview->redirect, &zone);
+			dns_zone_setview(zone, view);
+		} else {
+			CHECK(dns_zonemgr_createzone(named_g_server->zonemgr,
+						     &zone));
+			CHECK(dns_zone_setorigin(zone, origin));
+			dns_zone_setview(zone, view);
+			CHECK(dns_zonemgr_managezone(named_g_server->zonemgr,
+						     zone));
+			dns_zone_setstats(zone, named_g_server->zonestats);
+		}
+		CHECK(named_zone_configure(config, vconfig, zconfig, aclconf,
+					   kasplist, zone, NULL));
+		dns_zone_attach(zone, &view->redirect);
+		goto cleanup;
+	}
+
+	if (!modify) {
+		/*
+		 * Check for duplicates in the new zone table.
+		 */
+		result = dns_view_findzone(view, origin, &dupzone);
+		if (result == ISC_R_SUCCESS) {
+			/*
+			 * We already have this zone!
+			 */
+			cfg_obj_log(zconfig, named_g_lctx, ISC_LOG_ERROR,
+				    "zone '%s' already exists", zname);
+			dns_zone_detach(&dupzone);
+			result = ISC_R_EXISTS;
+			goto cleanup;
+		}
+		INSIST(dupzone == NULL);
+	}
+
+	/*
+	 * Note whether this is a response policy zone and which one if so,
+	 * unless we are using RPZ service interface.  In that case, the
+	 * BIND zone database has nothing to do with rpz and so we don't care.
+	 */
+	for (rpz_num = 0;; ++rpz_num) {
+		if (view->rpzs == NULL || rpz_num >= view->rpzs->p.num_zones ||
+		    view->rpzs->p.dnsrps_enabled)
+		{
+			rpz_num = DNS_RPZ_INVALID_NUM;
+			break;
+		}
+		if (dns_name_equal(&view->rpzs->zones[rpz_num]->origin, origin))
+		{
+			break;
+		}
+	}
+
+	if (view->catzs != NULL &&
+	    dns_catz_get_zone(view->catzs, origin) != NULL)
+	{
+		zone_is_catz = true;
+	}
+
+	/*
+	 * See if we can reuse an existing zone.  This is
+	 * only possible if all of these are true:
+	 *   - The zone's view exists
+	 *   - A zone with the right name exists in the view
+	 *   - The zone is compatible with the config
+	 *     options (e.g., an existing master zone cannot
+	 *     be reused if the options specify a slave zone)
+	 *   - The zone was not and is still not a response policy zone
+	 *     or the zone is a policy zone with an unchanged number
+	 *     and we are using the old policy zone summary data.
+	 */
+	result = dns_viewlist_find(&named_g_server->viewlist, view->name,
+				   view->rdclass, &pview);
+	if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	if (pview != NULL) {
+		result = dns_view_findzone(pview, origin, &zone);
+	}
+	if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	if (zone != NULL && !named_zone_reusable(zone, zconfig)) {
+		dns_zone_detach(&zone);
+		fullsign = true;
+	}
+
+	if (zone != NULL && (rpz_num != dns_zone_get_rpz_num(zone) ||
+			     (rpz_num != DNS_RPZ_INVALID_NUM && !old_rpz_ok)))
+	{
+		dns_zone_detach(&zone);
+	}
+
+	if (zone != NULL) {
+		/*
+		 * We found a reusable zone.  Make it use the
+		 * new view.
+		 */
+		dns_zone_setview(zone, view);
+	} else {
+		/*
+		 * We cannot reuse an existing zone, we have
+		 * to create a new one.
+		 */
+		CHECK(dns_zonemgr_createzone(named_g_server->zonemgr, &zone));
+		CHECK(dns_zone_setorigin(zone, origin));
+		dns_zone_setview(zone, view);
+		CHECK(dns_zonemgr_managezone(named_g_server->zonemgr, zone));
+		dns_zone_setstats(zone, named_g_server->zonestats);
+	}
+	if (rpz_num != DNS_RPZ_INVALID_NUM) {
+		result = dns_zone_rpz_enable(zone, view->rpzs, rpz_num);
+		if (result != ISC_R_SUCCESS) {
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "zone '%s': incompatible"
+				      " masterfile-format or database"
+				      " for a response policy zone",
+				      zname);
+			goto cleanup;
+		}
+	}
+
+	if (zone_is_catz) {
+		dns_zone_catz_enable(zone, view->catzs);
+	} else if (dns_zone_catz_is_enabled(zone)) {
+		dns_zone_catz_disable(zone);
+	}
+
+	/*
+	 * If the zone contains a 'forwarders' statement, configure
+	 * selective forwarding.
+	 */
+	forwarders = NULL;
+	if (cfg_map_get(zoptions, "forwarders", &forwarders) == ISC_R_SUCCESS) {
+		forwardtype = NULL;
+		(void)cfg_map_get(zoptions, "forward", &forwardtype);
+		CHECK(configure_forward(config, view, origin, forwarders,
+					forwardtype));
+	}
+
+	/*
+	 * Stub and forward zones may also refer to delegation only points.
+	 */
+	only = NULL;
+	if (cfg_map_get(zoptions, "delegation-only", &only) == ISC_R_SUCCESS) {
+		if (cfg_obj_asboolean(only)) {
+			CHECK(dns_view_adddelegationonly(view, origin));
+		}
+	}
+
+	/*
+	 * Mark whether the zone was originally added at runtime or not
+	 */
+	dns_zone_setadded(zone, added);
+
+	/*
+	 * Determine if we need to set up inline signing.
+	 */
+	zone_maybe_inline = ((strcasecmp(ztypestr, "primary") == 0 ||
+			      strcasecmp(ztypestr, "master") == 0 ||
+			      strcasecmp(ztypestr, "secondary") == 0 ||
+			      strcasecmp(ztypestr, "slave") == 0));
+
+	if (zone_maybe_inline) {
+		inline_signing = named_zone_inlinesigning(zconfig);
+	}
+	if (inline_signing) {
+		dns_zone_getraw(zone, &raw);
+		if (raw == NULL) {
+			CHECK(dns_zone_create(&raw, mctx));
+			CHECK(dns_zone_setorigin(raw, origin));
+			dns_zone_setview(raw, view);
+			dns_zone_setstats(raw, named_g_server->zonestats);
+			CHECK(dns_zone_link(zone, raw));
+		}
+		if (cfg_map_get(zoptions, "ixfr-from-differences",
+				&ixfrfromdiffs) == ISC_R_SUCCESS)
+		{
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+				      "zone '%s': 'ixfr-from-differences' is "
+				      "ignored for inline-signed zones",
+				      zname);
+		}
+	}
+
+	/*
+	 * Configure the zone.
+	 */
+	CHECK(named_zone_configure(config, vconfig, zconfig, aclconf, kasplist,
+				   zone, raw));
+
+	/*
+	 * Add the zone to its view in the new view list.
+	 */
+	if (!modify) {
+		CHECK(dns_view_addzone(view, zone));
+	}
+
+	if (zone_is_catz) {
+		/*
+		 * force catz reload if the zone is loaded;
+		 * if it's not it'll get reloaded on zone load
+		 */
+		dns_db_t *db = NULL;
+
+		tresult = dns_zone_getdb(zone, &db);
+		if (tresult == ISC_R_SUCCESS) {
+			dns_catz_dbupdate_callback(db, view->catzs);
+			dns_db_detach(&db);
+		}
+	}
+
+	/*
+	 * Ensure that zone keys are reloaded on reconfig
+	 */
+	if ((dns_zone_getkeyopts(zone) & DNS_ZONEKEY_MAINTAIN) != 0) {
+		dns_zone_rekey(zone, fullsign);
+	}
+
+cleanup:
+	if (zone != NULL) {
+		dns_zone_detach(&zone);
+	}
+	if (raw != NULL) {
+		dns_zone_detach(&raw);
+	}
+	if (pview != NULL) {
+		dns_view_detach(&pview);
+	}
+
+	return (result);
+}
+
+/*
+ * Configure built-in zone for storing managed-key data.
+ */
+static isc_result_t
+add_keydata_zone(dns_view_t *view, const char *directory, isc_mem_t *mctx) {
+	isc_result_t result;
+	dns_view_t *pview = NULL;
+	dns_zone_t *zone = NULL;
+	dns_acl_t *none = NULL;
+	char filename[PATH_MAX];
+	bool defaultview;
+
+	REQUIRE(view != NULL);
+
+	/* See if we can re-use an existing keydata zone. */
+	result = dns_viewlist_find(&named_g_server->viewlist, view->name,
+				   view->rdclass, &pview);
+	if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	if (pview != NULL) {
+		if (pview->managed_keys != NULL) {
+			dns_zone_attach(pview->managed_keys,
+					&view->managed_keys);
+			dns_zone_setview(pview->managed_keys, view);
+			dns_zone_setviewcommit(pview->managed_keys);
+			dns_view_detach(&pview);
+			dns_zone_synckeyzone(view->managed_keys);
+			return (ISC_R_SUCCESS);
+		}
+
+		dns_view_detach(&pview);
+	}
+
+	/* No existing keydata zone was found; create one */
+	CHECK(dns_zonemgr_createzone(named_g_server->zonemgr, &zone));
+	CHECK(dns_zone_setorigin(zone, dns_rootname));
+
+	defaultview = (strcmp(view->name, "_default") == 0);
+	CHECK(isc_file_sanitize(
+		directory, defaultview ? "managed-keys" : view->name,
+		defaultview ? "bind" : "mkeys", filename, sizeof(filename)));
+	CHECK(dns_zone_setfile(zone, filename, dns_masterformat_text,
+			       &dns_master_style_default));
+
+	dns_zone_setview(zone, view);
+	dns_zone_settype(zone, dns_zone_key);
+	dns_zone_setclass(zone, view->rdclass);
+
+	CHECK(dns_zonemgr_managezone(named_g_server->zonemgr, zone));
+
+	CHECK(dns_acl_none(mctx, &none));
+	dns_zone_setqueryacl(zone, none);
+	dns_zone_setqueryonacl(zone, none);
+	dns_acl_detach(&none);
+
+	dns_zone_setdialup(zone, dns_dialuptype_no);
+	dns_zone_setnotifytype(zone, dns_notifytype_no);
+	dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS, true);
+	dns_zone_setjournalsize(zone, 0);
+
+	dns_zone_setstats(zone, named_g_server->zonestats);
+	CHECK(setquerystats(zone, mctx, dns_zonestat_none));
+
+	if (view->managed_keys != NULL) {
+		dns_zone_detach(&view->managed_keys);
+	}
+	dns_zone_attach(zone, &view->managed_keys);
+
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+		      "set up managed keys zone for view %s, file '%s'",
+		      view->name, filename);
+
+cleanup:
+	if (zone != NULL) {
+		dns_zone_detach(&zone);
+	}
+	if (none != NULL) {
+		dns_acl_detach(&none);
+	}
+
+	return (result);
+}
+
+/*
+ * Configure a single server quota.
+ */
+static void
+configure_server_quota(const cfg_obj_t **maps, const char *name,
+		       isc_quota_t *quota) {
+	const cfg_obj_t *obj = NULL;
+	isc_result_t result;
+
+	result = named_config_get(maps, name, &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	isc_quota_max(quota, cfg_obj_asuint32(obj));
+}
+
+/*
+ * This function is called as soon as the 'directory' statement has been
+ * parsed.  This can be extended to support other options if necessary.
+ */
+static isc_result_t
+directory_callback(const char *clausename, const cfg_obj_t *obj, void *arg) {
+	isc_result_t result;
+	const char *directory;
+
+	REQUIRE(strcasecmp("directory", clausename) == 0);
+
+	UNUSED(arg);
+	UNUSED(clausename);
+
+	/*
+	 * Change directory.
+	 */
+	directory = cfg_obj_asstring(obj);
+
+	if (!isc_file_ischdiridempotent(directory)) {
+		cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING,
+			    "option 'directory' contains relative path '%s'",
+			    directory);
+	}
+
+	if (!isc_file_isdirwritable(directory)) {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+			      "directory '%s' is not writable", directory);
+		return (ISC_R_NOPERM);
+	}
+
+	result = isc_dir_chdir(directory);
+	if (result != ISC_R_SUCCESS) {
+		cfg_obj_log(obj, named_g_lctx, ISC_LOG_ERROR,
+			    "change directory to '%s' failed: %s", directory,
+			    isc_result_totext(result));
+		return (result);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * This event callback is invoked to do periodic network interface
+ * scanning.
+ */
+
+static void
+interface_timer_tick(isc_task_t *task, isc_event_t *event) {
+	named_server_t *server = (named_server_t *)event->ev_arg;
+	INSIST(task == server->task);
+	UNUSED(task);
+
+	isc_event_free(&event);
+	ns_interfacemgr_scan(server->interfacemgr, false);
+}
+
+static void
+heartbeat_timer_tick(isc_task_t *task, isc_event_t *event) {
+	named_server_t *server = (named_server_t *)event->ev_arg;
+	dns_view_t *view;
+
+	UNUSED(task);
+	isc_event_free(&event);
+	view = ISC_LIST_HEAD(server->viewlist);
+	while (view != NULL) {
+		dns_view_dialup(view);
+		view = ISC_LIST_NEXT(view, link);
+	}
+}
+
+typedef struct {
+	isc_mem_t *mctx;
+	isc_task_t *task;
+	dns_fetch_t *fetch;
+	dns_view_t *view;
+	dns_fixedname_t tatname;
+	dns_fixedname_t keyname;
+	dns_rdataset_t rdataset;
+	dns_rdataset_t sigrdataset;
+} ns_tat_t;
+
+static int
+cid(const void *a, const void *b) {
+	const uint16_t ida = *(const uint16_t *)a;
+	const uint16_t idb = *(const uint16_t *)b;
+	if (ida < idb) {
+		return (-1);
+	} else if (ida > idb) {
+		return (1);
+	} else {
+		return (0);
+	}
+}
+
+static void
+tat_done(isc_task_t *task, isc_event_t *event) {
+	dns_fetchevent_t *devent;
+	ns_tat_t *tat;
+
+	INSIST(event != NULL && event->ev_type == DNS_EVENT_FETCHDONE);
+	INSIST(event->ev_arg != NULL);
+
+	UNUSED(task);
+
+	tat = event->ev_arg;
+	devent = (dns_fetchevent_t *)event;
+
+	/* Free resources which are not of interest */
+	if (devent->node != NULL) {
+		dns_db_detachnode(devent->db, &devent->node);
+	}
+	if (devent->db != NULL) {
+		dns_db_detach(&devent->db);
+	}
+	isc_event_free(&event);
+	dns_resolver_destroyfetch(&tat->fetch);
+	if (dns_rdataset_isassociated(&tat->rdataset)) {
+		dns_rdataset_disassociate(&tat->rdataset);
+	}
+	if (dns_rdataset_isassociated(&tat->sigrdataset)) {
+		dns_rdataset_disassociate(&tat->sigrdataset);
+	}
+	dns_view_detach(&tat->view);
+	isc_task_detach(&tat->task);
+	isc_mem_putanddetach(&tat->mctx, tat, sizeof(*tat));
+}
+
+struct dotat_arg {
+	dns_view_t *view;
+	isc_task_t *task;
+};
+
+/*%
+ * Prepare the QNAME for the TAT query to be sent by processing the trust
+ * anchors present at 'keynode' of 'keytable'.  Store the result in 'dst' and
+ * the domain name which 'keynode' is associated with in 'origin'.
+ *
+ * A maximum of 12 key IDs can be reported in a single TAT query due to the
+ * 63-octet length limit for any single label in a domain name.  If there are
+ * more than 12 keys configured at 'keynode', only the first 12 will be
+ * reported in the TAT query.
+ */
+static isc_result_t
+get_tat_qname(dns_name_t *target, dns_name_t *keyname, dns_keynode_t *keynode) {
+	dns_rdataset_t dsset;
+	unsigned int i, n = 0;
+	uint16_t ids[12];
+	isc_textregion_t r;
+	char label[64];
+	int m;
+
+	dns_rdataset_init(&dsset);
+	if (dns_keynode_dsset(keynode, &dsset)) {
+		isc_result_t result;
+
+		for (result = dns_rdataset_first(&dsset);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&dsset))
+		{
+			dns_rdata_t rdata = DNS_RDATA_INIT;
+			dns_rdata_ds_t ds;
+
+			dns_rdata_reset(&rdata);
+			dns_rdataset_current(&dsset, &rdata);
+			result = dns_rdata_tostruct(&rdata, &ds, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			if (n < (sizeof(ids) / sizeof(ids[0]))) {
+				ids[n] = ds.key_tag;
+				n++;
+			}
+		}
+		dns_rdataset_disassociate(&dsset);
+	}
+
+	if (n == 0) {
+		return (DNS_R_EMPTYNAME);
+	}
+
+	if (n > 1) {
+		qsort(ids, n, sizeof(ids[0]), cid);
+	}
+
+	/*
+	 * Encoded as "_ta-xxxx\(-xxxx\)*" where xxxx is the hex version of
+	 * of the keyid.
+	 */
+	label[0] = 0;
+	r.base = label;
+	r.length = sizeof(label);
+	m = snprintf(r.base, r.length, "_ta");
+	if (m < 0 || (unsigned)m > r.length) {
+		return (ISC_R_FAILURE);
+	}
+	isc_textregion_consume(&r, m);
+	for (i = 0; i < n; i++) {
+		m = snprintf(r.base, r.length, "-%04x", ids[i]);
+		if (m < 0 || (unsigned)m > r.length) {
+			return (ISC_R_FAILURE);
+		}
+		isc_textregion_consume(&r, m);
+	}
+
+	return (dns_name_fromstring2(target, label, keyname, 0, NULL));
+}
+
+static void
+tat_send(isc_task_t *task, isc_event_t *event) {
+	ns_tat_t *tat;
+	char namebuf[DNS_NAME_FORMATSIZE];
+	dns_fixedname_t fdomain;
+	dns_name_t *domain;
+	dns_rdataset_t nameservers;
+	isc_result_t result;
+	dns_name_t *keyname;
+	dns_name_t *tatname;
+
+	INSIST(event != NULL && event->ev_type == NAMED_EVENT_TATSEND);
+	INSIST(event->ev_arg != NULL);
+
+	UNUSED(task);
+
+	tat = event->ev_arg;
+
+	keyname = dns_fixedname_name(&tat->keyname);
+	tatname = dns_fixedname_name(&tat->tatname);
+
+	dns_name_format(tatname, namebuf, sizeof(namebuf));
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+		      "%s: sending trust-anchor-telemetry query '%s/NULL'",
+		      tat->view->name, namebuf);
+
+	/*
+	 * TAT queries should be sent to the authoritative servers for a given
+	 * zone.  If this function is called for a keytable node corresponding
+	 * to a locally served zone, calling dns_resolver_createfetch() with
+	 * NULL 'domain' and 'nameservers' arguments will cause 'tatname' to be
+	 * resolved locally, without sending any TAT queries upstream.
+	 *
+	 * Work around this issue by calling dns_view_findzonecut() first.  If
+	 * the zone is served locally, the NS RRset for the given domain name
+	 * will be retrieved from local data; if it is not, the deepest zone
+	 * cut we have for it will be retrieved from cache.  In either case,
+	 * passing the results to dns_resolver_createfetch() will prevent it
+	 * from returning NXDOMAIN for 'tatname' while still allowing it to
+	 * chase down any potential delegations returned by upstream servers in
+	 * order to eventually find the destination host to send the TAT query
+	 * to.
+	 *
+	 * After the dns_view_findzonecut() call, 'domain' will hold the
+	 * deepest zone cut we can find for 'keyname' while 'nameservers' will
+	 * hold the NS RRset at that zone cut.
+	 */
+	domain = dns_fixedname_initname(&fdomain);
+	dns_rdataset_init(&nameservers);
+	result = dns_view_findzonecut(tat->view, keyname, domain, NULL, 0, 0,
+				      true, true, &nameservers, NULL);
+	if (result == ISC_R_SUCCESS) {
+		result = dns_resolver_createfetch(
+			tat->view->resolver, tatname, dns_rdatatype_null,
+			domain, &nameservers, NULL, NULL, 0, 0, 0, NULL,
+			tat->task, tat_done, tat, &tat->rdataset,
+			&tat->sigrdataset, &tat->fetch);
+	}
+
+	/*
+	 * 'domain' holds the dns_name_t pointer inside a dst_key_t structure.
+	 * dns_resolver_createfetch() creates its own copy of 'domain' if it
+	 * succeeds.  Thus, 'domain' is not freed here.
+	 *
+	 * Even if dns_view_findzonecut() returned something else than
+	 * ISC_R_SUCCESS, it still could have associated 'nameservers'.
+	 * dns_resolver_createfetch() creates its own copy of 'nameservers' if
+	 * it succeeds.  Thus, we need to check whether 'nameservers' is
+	 * associated and release it if it is.
+	 */
+	if (dns_rdataset_isassociated(&nameservers)) {
+		dns_rdataset_disassociate(&nameservers);
+	}
+
+	if (result != ISC_R_SUCCESS) {
+		dns_view_detach(&tat->view);
+		isc_task_detach(&tat->task);
+		isc_mem_putanddetach(&tat->mctx, tat, sizeof(*tat));
+	}
+	isc_event_free(&event);
+}
+
+static void
+dotat(dns_keytable_t *keytable, dns_keynode_t *keynode, dns_name_t *keyname,
+      void *arg) {
+	struct dotat_arg *dotat_arg = arg;
+	isc_result_t result;
+	dns_view_t *view;
+	isc_task_t *task;
+	ns_tat_t *tat;
+	isc_event_t *event;
+
+	REQUIRE(keytable != NULL);
+	REQUIRE(keynode != NULL);
+	REQUIRE(dotat_arg != NULL);
+
+	view = dotat_arg->view;
+	task = dotat_arg->task;
+
+	tat = isc_mem_get(dotat_arg->view->mctx, sizeof(*tat));
+
+	tat->fetch = NULL;
+	tat->mctx = NULL;
+	tat->task = NULL;
+	tat->view = NULL;
+	dns_rdataset_init(&tat->rdataset);
+	dns_rdataset_init(&tat->sigrdataset);
+	dns_name_copynf(keyname, dns_fixedname_initname(&tat->keyname));
+	result = get_tat_qname(dns_fixedname_initname(&tat->tatname), keyname,
+			       keynode);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(dotat_arg->view->mctx, tat, sizeof(*tat));
+		return;
+	}
+	isc_mem_attach(dotat_arg->view->mctx, &tat->mctx);
+	isc_task_attach(task, &tat->task);
+	dns_view_attach(view, &tat->view);
+
+	/*
+	 * We don't want to be holding the keytable lock when calling
+	 * dns_view_findzonecut() as it creates a lock order loop so
+	 * call dns_view_findzonecut() in a event handler.
+	 *
+	 * zone->lock (dns_zone_setviewcommit) while holding view->lock
+	 * (dns_view_setviewcommit)
+	 *
+	 * keytable->lock (dns_keytable_find) while holding zone->lock
+	 * (zone_asyncload)
+	 *
+	 * view->lock (dns_view_findzonecut) while holding keytable->lock
+	 * (dns_keytable_forall)
+	 */
+	event = isc_event_allocate(tat->mctx, keytable, NAMED_EVENT_TATSEND,
+				   tat_send, tat, sizeof(isc_event_t));
+	isc_task_send(task, &event);
+}
+
+static void
+tat_timer_tick(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result;
+	named_server_t *server = (named_server_t *)event->ev_arg;
+	struct dotat_arg arg;
+	dns_view_t *view;
+	dns_keytable_t *secroots = NULL;
+
+	isc_event_free(&event);
+
+	for (view = ISC_LIST_HEAD(server->viewlist); view != NULL;
+	     view = ISC_LIST_NEXT(view, link))
+	{
+		if (!view->trust_anchor_telemetry || !view->enablevalidation) {
+			continue;
+		}
+
+		result = dns_view_getsecroots(view, &secroots);
+		if (result != ISC_R_SUCCESS) {
+			continue;
+		}
+
+		arg.view = view;
+		arg.task = task;
+		(void)dns_keytable_forall(secroots, dotat, &arg);
+		dns_keytable_detach(&secroots);
+	}
+}
+
+static void
+pps_timer_tick(isc_task_t *task, isc_event_t *event) {
+	static unsigned int oldrequests = 0;
+	unsigned int requests = atomic_load_relaxed(&ns_client_requests);
+
+	UNUSED(task);
+	isc_event_free(&event);
+
+	/*
+	 * Don't worry about wrapping as the overflow result will be right.
+	 */
+	dns_pps = (requests - oldrequests) / 1200;
+	oldrequests = requests;
+}
+
+/*
+ * Replace the current value of '*field', a dynamically allocated
+ * string or NULL, with a dynamically allocated copy of the
+ * null-terminated string pointed to by 'value', or NULL.
+ */
+static isc_result_t
+setstring(named_server_t *server, char **field, const char *value) {
+	char *copy;
+
+	if (value != NULL) {
+		copy = isc_mem_strdup(server->mctx, value);
+	} else {
+		copy = NULL;
+	}
+
+	if (*field != NULL) {
+		isc_mem_free(server->mctx, *field);
+	}
+
+	*field = copy;
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Replace the current value of '*field', a dynamically allocated
+ * string or NULL, with another dynamically allocated string
+ * or NULL if whether 'obj' is a string or void value, respectively.
+ */
+static isc_result_t
+setoptstring(named_server_t *server, char **field, const cfg_obj_t *obj) {
+	if (cfg_obj_isvoid(obj)) {
+		return (setstring(server, field, NULL));
+	} else {
+		return (setstring(server, field, cfg_obj_asstring(obj)));
+	}
+}
+
+static void
+set_limit(const cfg_obj_t **maps, const char *configname,
+	  const char *description, isc_resource_t resourceid,
+	  isc_resourcevalue_t defaultvalue) {
+	const cfg_obj_t *obj = NULL;
+	const char *resource;
+	isc_resourcevalue_t value;
+	isc_result_t result;
+
+	if (named_config_get(maps, configname, &obj) != ISC_R_SUCCESS) {
+		return;
+	}
+
+	if (cfg_obj_isstring(obj)) {
+		resource = cfg_obj_asstring(obj);
+		if (strcasecmp(resource, "unlimited") == 0) {
+			value = ISC_RESOURCE_UNLIMITED;
+		} else {
+			INSIST(strcasecmp(resource, "default") == 0);
+			value = defaultvalue;
+		}
+	} else {
+		value = cfg_obj_asuint64(obj);
+	}
+
+	result = isc_resource_setlimit(resourceid, value);
+	isc_log_write(
+		named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER,
+		result == ISC_R_SUCCESS ? ISC_LOG_DEBUG(3) : ISC_LOG_WARNING,
+		"set maximum %s to %" PRIu64 ": %s", description, value,
+		isc_result_totext(result));
+}
+
+#define SETLIMIT(cfgvar, resource, description)                       \
+	set_limit(maps, cfgvar, description, isc_resource_##resource, \
+		  named_g_init##resource)
+
+static void
+set_limits(const cfg_obj_t **maps) {
+	SETLIMIT("stacksize", stacksize, "stack size");
+	SETLIMIT("datasize", datasize, "data size");
+	SETLIMIT("coresize", coresize, "core size");
+	SETLIMIT("files", openfiles, "open files");
+}
+
+static void
+portset_fromconf(isc_portset_t *portset, const cfg_obj_t *ports,
+		 bool positive) {
+	const cfg_listelt_t *element;
+
+	for (element = cfg_list_first(ports); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		const cfg_obj_t *obj = cfg_listelt_value(element);
+
+		if (cfg_obj_isuint32(obj)) {
+			in_port_t port = (in_port_t)cfg_obj_asuint32(obj);
+
+			if (positive) {
+				isc_portset_add(portset, port);
+			} else {
+				isc_portset_remove(portset, port);
+			}
+		} else {
+			const cfg_obj_t *obj_loport, *obj_hiport;
+			in_port_t loport, hiport;
+
+			obj_loport = cfg_tuple_get(obj, "loport");
+			loport = (in_port_t)cfg_obj_asuint32(obj_loport);
+			obj_hiport = cfg_tuple_get(obj, "hiport");
+			hiport = (in_port_t)cfg_obj_asuint32(obj_hiport);
+
+			if (positive) {
+				isc_portset_addrange(portset, loport, hiport);
+			} else {
+				isc_portset_removerange(portset, loport,
+							hiport);
+			}
+		}
+	}
+}
+
+static isc_result_t
+removed(dns_zone_t *zone, void *uap) {
+	if (dns_zone_getview(zone) != uap) {
+		return (ISC_R_SUCCESS);
+	}
+
+	dns_zone_log(zone, ISC_LOG_INFO, "(%s) removed",
+		     dns_zonetype_name(dns_zone_gettype(zone)));
+	return (ISC_R_SUCCESS);
+}
+
+static void
+cleanup_session_key(named_server_t *server, isc_mem_t *mctx) {
+	if (server->session_keyfile != NULL) {
+		isc_file_remove(server->session_keyfile);
+		isc_mem_free(mctx, server->session_keyfile);
+		server->session_keyfile = NULL;
+	}
+
+	if (server->session_keyname != NULL) {
+		if (dns_name_dynamic(server->session_keyname)) {
+			dns_name_free(server->session_keyname, mctx);
+		}
+		isc_mem_put(mctx, server->session_keyname, sizeof(dns_name_t));
+		server->session_keyname = NULL;
+	}
+
+	if (server->sessionkey != NULL) {
+		dns_tsigkey_detach(&server->sessionkey);
+	}
+
+	server->session_keyalg = DST_ALG_UNKNOWN;
+	server->session_keybits = 0;
+}
+
+static isc_result_t
+generate_session_key(const char *filename, const char *keynamestr,
+		     const dns_name_t *keyname, const char *algstr,
+		     const dns_name_t *algname, unsigned int algtype,
+		     uint16_t bits, isc_mem_t *mctx, bool first_time,
+		     dns_tsigkey_t **tsigkeyp) {
+	isc_result_t result = ISC_R_SUCCESS;
+	dst_key_t *key = NULL;
+	isc_buffer_t key_txtbuffer;
+	isc_buffer_t key_rawbuffer;
+	char key_txtsecret[256];
+	char key_rawsecret[64];
+	isc_region_t key_rawregion;
+	isc_stdtime_t now;
+	dns_tsigkey_t *tsigkey = NULL;
+	FILE *fp = NULL;
+
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+		      "generating session key for dynamic DNS");
+
+	/* generate key */
+	result = dst_key_generate(keyname, algtype, bits, 1, 0,
+				  DNS_KEYPROTO_ANY, dns_rdataclass_in, mctx,
+				  &key, NULL);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	/*
+	 * Dump the key to the buffer for later use.  Should be done before
+	 * we transfer the ownership of key to tsigkey.
+	 */
+	isc_buffer_init(&key_rawbuffer, &key_rawsecret, sizeof(key_rawsecret));
+	CHECK(dst_key_tobuffer(key, &key_rawbuffer));
+
+	isc_buffer_usedregion(&key_rawbuffer, &key_rawregion);
+	isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
+	CHECK(isc_base64_totext(&key_rawregion, -1, "", &key_txtbuffer));
+
+	/* Store the key in tsigkey. */
+	isc_stdtime_get(&now);
+	CHECK(dns_tsigkey_createfromkey(dst_key_name(key), algname, key, false,
+					NULL, now, now, mctx, NULL, &tsigkey));
+
+	/* Dump the key to the key file. */
+	fp = named_os_openfile(filename, S_IRUSR | S_IWUSR, first_time);
+	if (fp == NULL) {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+			      "could not create %s", filename);
+		result = ISC_R_NOPERM;
+		goto cleanup;
+	}
+
+	fprintf(fp,
+		"key \"%s\" {\n"
+		"\talgorithm %s;\n"
+		"\tsecret \"%.*s\";\n};\n",
+		keynamestr, algstr, (int)isc_buffer_usedlength(&key_txtbuffer),
+		(char *)isc_buffer_base(&key_txtbuffer));
+
+	CHECK(isc_stdio_flush(fp));
+	result = isc_stdio_close(fp);
+	fp = NULL;
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	dst_key_free(&key);
+
+	*tsigkeyp = tsigkey;
+
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+		      "failed to generate session key "
+		      "for dynamic DNS: %s",
+		      isc_result_totext(result));
+	if (fp != NULL) {
+		(void)isc_stdio_close(fp);
+		(void)isc_file_remove(filename);
+	}
+	if (tsigkey != NULL) {
+		dns_tsigkey_detach(&tsigkey);
+	}
+	if (key != NULL) {
+		dst_key_free(&key);
+	}
+
+	return (result);
+}
+
+static isc_result_t
+configure_session_key(const cfg_obj_t **maps, named_server_t *server,
+		      isc_mem_t *mctx, bool first_time) {
+	const char *keyfile, *keynamestr, *algstr;
+	unsigned int algtype;
+	dns_fixedname_t fname;
+	dns_name_t *keyname;
+	const dns_name_t *algname;
+	isc_buffer_t buffer;
+	uint16_t bits;
+	const cfg_obj_t *obj;
+	bool need_deleteold = false;
+	bool need_createnew = false;
+	isc_result_t result;
+
+	obj = NULL;
+	result = named_config_get(maps, "session-keyfile", &obj);
+	if (result == ISC_R_SUCCESS) {
+		if (cfg_obj_isvoid(obj)) {
+			keyfile = NULL; /* disable it */
+		} else {
+			keyfile = cfg_obj_asstring(obj);
+		}
+	} else {
+		keyfile = named_g_defaultsessionkeyfile;
+	}
+
+	obj = NULL;
+	result = named_config_get(maps, "session-keyname", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	keynamestr = cfg_obj_asstring(obj);
+	isc_buffer_constinit(&buffer, keynamestr, strlen(keynamestr));
+	isc_buffer_add(&buffer, strlen(keynamestr));
+	keyname = dns_fixedname_initname(&fname);
+	result = dns_name_fromtext(keyname, &buffer, dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	obj = NULL;
+	result = named_config_get(maps, "session-keyalg", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	algstr = cfg_obj_asstring(obj);
+	algname = NULL;
+	result = named_config_getkeyalgorithm2(algstr, &algname, &algtype,
+					       &bits);
+	if (result != ISC_R_SUCCESS) {
+		const char *s = " (keeping current key)";
+
+		cfg_obj_log(obj, named_g_lctx, ISC_LOG_ERROR,
+			    "session-keyalg: "
+			    "unsupported or unknown algorithm '%s'%s",
+			    algstr, server->session_keyfile != NULL ? s : "");
+		return (result);
+	}
+
+	/* See if we need to (re)generate a new key. */
+	if (keyfile == NULL) {
+		if (server->session_keyfile != NULL) {
+			need_deleteold = true;
+		}
+	} else if (server->session_keyfile == NULL) {
+		need_createnew = true;
+	} else if (strcmp(keyfile, server->session_keyfile) != 0 ||
+		   !dns_name_equal(server->session_keyname, keyname) ||
+		   server->session_keyalg != algtype ||
+		   server->session_keybits != bits)
+	{
+		need_deleteold = true;
+		need_createnew = true;
+	}
+
+	if (need_deleteold) {
+		INSIST(server->session_keyfile != NULL);
+		INSIST(server->session_keyname != NULL);
+		INSIST(server->sessionkey != NULL);
+
+		cleanup_session_key(server, mctx);
+	}
+
+	if (need_createnew) {
+		INSIST(server->sessionkey == NULL);
+		INSIST(server->session_keyfile == NULL);
+		INSIST(server->session_keyname == NULL);
+		INSIST(server->session_keyalg == DST_ALG_UNKNOWN);
+		INSIST(server->session_keybits == 0);
+
+		server->session_keyname = isc_mem_get(mctx, sizeof(dns_name_t));
+		dns_name_init(server->session_keyname, NULL);
+		dns_name_dup(keyname, mctx, server->session_keyname);
+
+		server->session_keyfile = isc_mem_strdup(mctx, keyfile);
+
+		server->session_keyalg = algtype;
+		server->session_keybits = bits;
+
+		CHECK(generate_session_key(keyfile, keynamestr, keyname, algstr,
+					   algname, algtype, bits, mctx,
+					   first_time, &server->sessionkey));
+	}
+
+	return (result);
+
+cleanup:
+	cleanup_session_key(server, mctx);
+	return (result);
+}
+
+#ifndef HAVE_LMDB
+static isc_result_t
+count_newzones(dns_view_t *view, ns_cfgctx_t *nzcfg, int *num_zonesp) {
+	isc_result_t result;
+
+	/* The new zone file may not exist. That is OK. */
+	if (!isc_file_exists(view->new_zone_file)) {
+		*num_zonesp = 0;
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * In the case of NZF files, we also parse the configuration in
+	 * the file at this stage.
+	 *
+	 * This may be called in multiple views, so we reset
+	 * the parser each time.
+	 */
+	cfg_parser_reset(named_g_addparser);
+	result = cfg_parse_file(named_g_addparser, view->new_zone_file,
+				&cfg_type_addzoneconf, &nzcfg->nzf_config);
+	if (result == ISC_R_SUCCESS) {
+		int num_zones;
+
+		num_zones = count_zones(nzcfg->nzf_config);
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+			      "NZF file '%s' contains %d zones",
+			      view->new_zone_file, num_zones);
+		if (num_zonesp != NULL) {
+			*num_zonesp = num_zones;
+		}
+	} else {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+			      "Error parsing NZF file '%s': %s",
+			      view->new_zone_file, isc_result_totext(result));
+	}
+
+	return (result);
+}
+
+#else /* HAVE_LMDB */
+
+static isc_result_t
+count_newzones(dns_view_t *view, ns_cfgctx_t *nzcfg, int *num_zonesp) {
+	isc_result_t result;
+	int n;
+
+	UNUSED(nzcfg);
+
+	REQUIRE(num_zonesp != NULL);
+
+	LOCK(&view->new_zone_lock);
+
+	CHECK(migrate_nzf(view));
+
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+		      "loading NZD zone count from '%s' "
+		      "for view '%s'",
+		      view->new_zone_db, view->name);
+
+	CHECK(nzd_count(view, &n));
+
+	*num_zonesp = n;
+
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+		      "NZD database '%s' contains %d zones", view->new_zone_db,
+		      n);
+
+cleanup:
+	if (result != ISC_R_SUCCESS) {
+		*num_zonesp = 0;
+	}
+
+	UNLOCK(&view->new_zone_lock);
+
+	return (ISC_R_SUCCESS);
+}
+
+#endif /* HAVE_LMDB */
+
+static isc_result_t
+setup_newzones(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
+	       cfg_parser_t *conf_parser, cfg_aclconfctx_t *actx,
+	       int *num_zones) {
+	isc_result_t result = ISC_R_SUCCESS;
+	bool allow = false;
+	ns_cfgctx_t *nzcfg = NULL;
+	const cfg_obj_t *maps[4];
+	const cfg_obj_t *options = NULL, *voptions = NULL;
+	const cfg_obj_t *nz = NULL;
+	const cfg_obj_t *nzdir = NULL;
+	const char *dir = NULL;
+	const cfg_obj_t *obj = NULL;
+	int i = 0;
+	uint64_t mapsize = 0ULL;
+
+	REQUIRE(config != NULL);
+
+	if (vconfig != NULL) {
+		voptions = cfg_tuple_get(vconfig, "options");
+	}
+	if (voptions != NULL) {
+		maps[i++] = voptions;
+	}
+	result = cfg_map_get(config, "options", &options);
+	if (result == ISC_R_SUCCESS) {
+		maps[i++] = options;
+	}
+	maps[i++] = named_g_defaults;
+	maps[i] = NULL;
+
+	result = named_config_get(maps, "allow-new-zones", &nz);
+	if (result == ISC_R_SUCCESS) {
+		allow = cfg_obj_asboolean(nz);
+	}
+	result = named_config_get(maps, "new-zones-directory", &nzdir);
+	if (result == ISC_R_SUCCESS) {
+		dir = cfg_obj_asstring(nzdir);
+		result = isc_file_isdirectory(dir);
+		if (result != ISC_R_SUCCESS) {
+			isc_log_write(named_g_lctx, DNS_LOGCATEGORY_SECURITY,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "invalid new-zones-directory %s: %s", dir,
+				      isc_result_totext(result));
+			return (result);
+		}
+		if (!isc_file_isdirwritable(dir)) {
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "new-zones-directory '%s' "
+				      "is not writable",
+				      dir);
+			return (ISC_R_NOPERM);
+		}
+
+		dns_view_setnewzonedir(view, dir);
+	}
+
+#ifdef HAVE_LMDB
+	result = named_config_get(maps, "lmdb-mapsize", &obj);
+	if (result == ISC_R_SUCCESS && obj != NULL) {
+		mapsize = cfg_obj_asuint64(obj);
+		if (mapsize < (1ULL << 20)) { /* 1 megabyte */
+			cfg_obj_log(obj, named_g_lctx, ISC_LOG_ERROR,
+				    "'lmdb-mapsize "
+				    "%" PRId64 "' "
+				    "is too small",
+				    mapsize);
+			return (ISC_R_FAILURE);
+		} else if (mapsize > (1ULL << 40)) { /* 1 terabyte */
+			cfg_obj_log(obj, named_g_lctx, ISC_LOG_ERROR,
+				    "'lmdb-mapsize "
+				    "%" PRId64 "' "
+				    "is too large",
+				    mapsize);
+			return (ISC_R_FAILURE);
+		}
+	}
+#else  /* ifdef HAVE_LMDB */
+	UNUSED(obj);
+#endif /* HAVE_LMDB */
+
+	/*
+	 * A non-empty catalog-zones statement implies allow-new-zones
+	 */
+	if (!allow) {
+		const cfg_obj_t *cz = NULL;
+		result = named_config_get(maps, "catalog-zones", &cz);
+		if (result == ISC_R_SUCCESS) {
+			const cfg_listelt_t *e =
+				cfg_list_first(cfg_tuple_get(cz, "zone list"));
+			if (e != NULL) {
+				allow = true;
+			}
+		}
+	}
+
+	if (!allow) {
+		dns_view_setnewzones(view, false, NULL, NULL, 0ULL);
+		if (num_zones != NULL) {
+			*num_zones = 0;
+		}
+		return (ISC_R_SUCCESS);
+	}
+
+	nzcfg = isc_mem_get(view->mctx, sizeof(*nzcfg));
+
+	/*
+	 * We attach the parser that was used for config as well
+	 * as the one that will be used for added zones, to avoid
+	 * a shutdown race later.
+	 */
+	memset(nzcfg, 0, sizeof(*nzcfg));
+	cfg_parser_attach(conf_parser, &nzcfg->conf_parser);
+	cfg_parser_attach(named_g_addparser, &nzcfg->add_parser);
+	isc_mem_attach(view->mctx, &nzcfg->mctx);
+	cfg_aclconfctx_attach(actx, &nzcfg->actx);
+
+	result = dns_view_setnewzones(view, true, nzcfg, newzone_cfgctx_destroy,
+				      mapsize);
+	if (result != ISC_R_SUCCESS) {
+		dns_view_setnewzones(view, false, NULL, NULL, 0ULL);
+		return (result);
+	}
+
+	cfg_obj_attach(config, &nzcfg->config);
+	if (vconfig != NULL) {
+		cfg_obj_attach(vconfig, &nzcfg->vconfig);
+	}
+
+	result = count_newzones(view, nzcfg, num_zones);
+	return (result);
+}
+
+static void
+configure_zone_setviewcommit(isc_result_t result, const cfg_obj_t *zconfig,
+			     dns_view_t *view) {
+	const char *zname;
+	dns_fixedname_t fixorigin;
+	dns_name_t *origin;
+	isc_result_t result2;
+	dns_view_t *pview = NULL;
+	dns_zone_t *zone = NULL;
+
+	zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
+	origin = dns_fixedname_initname(&fixorigin);
+
+	result2 = dns_name_fromstring(origin, zname, 0, NULL);
+	if (result2 != ISC_R_SUCCESS) {
+		return;
+	}
+
+	result2 = dns_viewlist_find(&named_g_server->viewlist, view->name,
+				    view->rdclass, &pview);
+	if (result2 != ISC_R_SUCCESS) {
+		return;
+	}
+
+	result2 = dns_view_findzone(pview, origin, &zone);
+	if (result2 != ISC_R_SUCCESS) {
+		dns_view_detach(&pview);
+		return;
+	}
+
+	if (result == ISC_R_SUCCESS) {
+		dns_zone_setviewcommit(zone);
+	} else {
+		dns_zone_setviewrevert(zone);
+	}
+
+	dns_zone_detach(&zone);
+	dns_view_detach(&pview);
+}
+
+#ifndef HAVE_LMDB
+
+static isc_result_t
+configure_newzones(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
+		   isc_mem_t *mctx, cfg_aclconfctx_t *actx) {
+	isc_result_t result;
+	ns_cfgctx_t *nzctx;
+	const cfg_obj_t *zonelist;
+	const cfg_listelt_t *element;
+
+	nzctx = view->new_zone_config;
+	if (nzctx == NULL || nzctx->nzf_config == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+		      "loading additional zones for view '%s'", view->name);
+
+	zonelist = NULL;
+	cfg_map_get(nzctx->nzf_config, "zone", &zonelist);
+
+	for (element = cfg_list_first(zonelist); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		const cfg_obj_t *zconfig = cfg_listelt_value(element);
+		CHECK(configure_zone(config, zconfig, vconfig, mctx, view,
+				     &named_g_server->viewlist,
+				     &named_g_server->kasplist, actx, true,
+				     false, false));
+	}
+
+	result = ISC_R_SUCCESS;
+
+cleanup:
+	for (element = cfg_list_first(zonelist); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		const cfg_obj_t *zconfig = cfg_listelt_value(element);
+		configure_zone_setviewcommit(result, zconfig, view);
+	}
+
+	return (result);
+}
+
+#else /* HAVE_LMDB */
+
+static isc_result_t
+data_to_cfg(dns_view_t *view, MDB_val *key, MDB_val *data, isc_buffer_t **text,
+	    cfg_obj_t **zoneconfig) {
+	isc_result_t result;
+	const char *zone_name;
+	size_t zone_name_len;
+	const char *zone_config;
+	size_t zone_config_len;
+	cfg_obj_t *zoneconf = NULL;
+	char bufname[DNS_NAME_FORMATSIZE];
+
+	REQUIRE(view != NULL);
+	REQUIRE(key != NULL);
+	REQUIRE(data != NULL);
+	REQUIRE(text != NULL);
+	REQUIRE(zoneconfig != NULL && *zoneconfig == NULL);
+
+	if (*text == NULL) {
+		isc_buffer_allocate(view->mctx, text, 256);
+	} else {
+		isc_buffer_clear(*text);
+	}
+
+	zone_name = (const char *)key->mv_data;
+	zone_name_len = key->mv_size;
+	INSIST(zone_name != NULL && zone_name_len > 0);
+
+	zone_config = (const char *)data->mv_data;
+	zone_config_len = data->mv_size;
+	INSIST(zone_config != NULL && zone_config_len > 0);
+
+	/* zone zonename { config; }; */
+	result = isc_buffer_reserve(text, 6 + zone_name_len + 2 +
+						  zone_config_len + 2);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	CHECK(putstr(text, "zone \""));
+	CHECK(putmem(text, (const void *)zone_name, zone_name_len));
+	CHECK(putstr(text, "\" "));
+	CHECK(putmem(text, (const void *)zone_config, zone_config_len));
+	CHECK(putstr(text, ";\n"));
+
+	snprintf(bufname, sizeof(bufname), "%.*s", (int)zone_name_len,
+		 zone_name);
+
+	cfg_parser_reset(named_g_addparser);
+	result = cfg_parse_buffer(named_g_addparser, *text, bufname, 0,
+				  &cfg_type_addzoneconf, 0, &zoneconf);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+			      "parsing config for zone '%.*s' in "
+			      "NZD database '%s' failed",
+			      (int)zone_name_len, zone_name, view->new_zone_db);
+		goto cleanup;
+	}
+
+	*zoneconfig = zoneconf;
+	zoneconf = NULL;
+	result = ISC_R_SUCCESS;
+
+cleanup:
+	if (zoneconf != NULL) {
+		cfg_obj_destroy(named_g_addparser, &zoneconf);
+	}
+
+	return (result);
+}
+
+/*%
+ * Prototype for a callback which can be used with for_all_newzone_cfgs().
+ */
+typedef isc_result_t (*newzone_cfg_cb_t)(const cfg_obj_t *zconfig,
+					 cfg_obj_t *config, cfg_obj_t *vconfig,
+					 isc_mem_t *mctx, dns_view_t *view,
+					 cfg_aclconfctx_t *actx);
+
+/*%
+ * For each zone found in a NZD opened by the caller, create an object
+ * representing its configuration and invoke "callback" with the created
+ * object, "config", "vconfig", "mctx", "view" and "actx" as arguments (all
+ * these are non-global variables required to invoke configure_zone()).
+ * Immediately interrupt processing if an error is encountered while
+ * transforming NZD data into a zone configuration object or if "callback"
+ * returns an error.
+ *
+ * Caller must hold 'view->new_zone_lock'.
+ */
+static isc_result_t
+for_all_newzone_cfgs(newzone_cfg_cb_t callback, cfg_obj_t *config,
+		     cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view,
+		     cfg_aclconfctx_t *actx, MDB_txn *txn, MDB_dbi dbi) {
+	const cfg_obj_t *zconfig, *zlist;
+	isc_result_t result = ISC_R_SUCCESS;
+	cfg_obj_t *zconfigobj = NULL;
+	isc_buffer_t *text = NULL;
+	MDB_cursor *cursor = NULL;
+	MDB_val data, key;
+	int status;
+
+	status = mdb_cursor_open(txn, dbi, &cursor);
+	if (status != MDB_SUCCESS) {
+		return (ISC_R_FAILURE);
+	}
+
+	for (status = mdb_cursor_get(cursor, &key, &data, MDB_FIRST);
+	     status == MDB_SUCCESS;
+	     status = mdb_cursor_get(cursor, &key, &data, MDB_NEXT))
+	{
+		/*
+		 * Create a configuration object from data fetched from NZD.
+		 */
+		result = data_to_cfg(view, &key, &data, &text, &zconfigobj);
+		if (result != ISC_R_SUCCESS) {
+			break;
+		}
+
+		/*
+		 * Extract zone configuration from configuration object.
+		 */
+		zlist = NULL;
+		result = cfg_map_get(zconfigobj, "zone", &zlist);
+		if (result != ISC_R_SUCCESS) {
+			break;
+		} else if (!cfg_obj_islist(zlist)) {
+			result = ISC_R_FAILURE;
+			break;
+		}
+		zconfig = cfg_listelt_value(cfg_list_first(zlist));
+
+		/*
+		 * Invoke callback.
+		 */
+		result = callback(zconfig, config, vconfig, mctx, view, actx);
+		if (result != ISC_R_SUCCESS) {
+			break;
+		}
+
+		/*
+		 * Destroy the configuration object created in this iteration.
+		 */
+		cfg_obj_destroy(named_g_addparser, &zconfigobj);
+	}
+
+	if (text != NULL) {
+		isc_buffer_free(&text);
+	}
+	if (zconfigobj != NULL) {
+		cfg_obj_destroy(named_g_addparser, &zconfigobj);
+	}
+	mdb_cursor_close(cursor);
+
+	return (result);
+}
+
+/*%
+ * Attempt to configure a zone found in NZD and return the result.
+ */
+static isc_result_t
+configure_newzone(const cfg_obj_t *zconfig, cfg_obj_t *config,
+		  cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view,
+		  cfg_aclconfctx_t *actx) {
+	return (configure_zone(
+		config, zconfig, vconfig, mctx, view, &named_g_server->viewlist,
+		&named_g_server->kasplist, actx, true, false, false));
+}
+
+/*%
+ * Revert new view assignment for a zone found in NZD.
+ */
+static isc_result_t
+configure_newzone_revert(const cfg_obj_t *zconfig, cfg_obj_t *config,
+			 cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view,
+			 cfg_aclconfctx_t *actx) {
+	UNUSED(config);
+	UNUSED(vconfig);
+	UNUSED(mctx);
+	UNUSED(actx);
+
+	configure_zone_setviewcommit(ISC_R_FAILURE, zconfig, view);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+configure_newzones(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
+		   isc_mem_t *mctx, cfg_aclconfctx_t *actx) {
+	isc_result_t result;
+	MDB_txn *txn = NULL;
+	MDB_dbi dbi;
+
+	if (view->new_zone_config == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+
+	LOCK(&view->new_zone_lock);
+
+	result = nzd_open(view, MDB_RDONLY, &txn, &dbi);
+	if (result != ISC_R_SUCCESS) {
+		UNLOCK(&view->new_zone_lock);
+		return (ISC_R_SUCCESS);
+	}
+
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+		      "loading NZD configs from '%s' "
+		      "for view '%s'",
+		      view->new_zone_db, view->name);
+
+	result = for_all_newzone_cfgs(configure_newzone, config, vconfig, mctx,
+				      view, actx, txn, dbi);
+	if (result != ISC_R_SUCCESS) {
+		/*
+		 * An error was encountered while attempting to configure zones
+		 * found in NZD.  As this error may have been caused by a
+		 * configure_zone() failure, try restoring a sane configuration
+		 * by reattaching all zones found in NZD to the old view.  If
+		 * this also fails, too bad, there is nothing more we can do in
+		 * terms of trying to make things right.
+		 */
+		(void)for_all_newzone_cfgs(configure_newzone_revert, config,
+					   vconfig, mctx, view, actx, txn, dbi);
+	}
+
+	(void)nzd_close(&txn, false);
+
+	UNLOCK(&view->new_zone_lock);
+
+	return (result);
+}
+
+static isc_result_t
+get_newzone_config(dns_view_t *view, const char *zonename,
+		   cfg_obj_t **zoneconfig) {
+	isc_result_t result;
+	int status;
+	cfg_obj_t *zoneconf = NULL;
+	isc_buffer_t *text = NULL;
+	MDB_txn *txn = NULL;
+	MDB_dbi dbi;
+	MDB_val key, data;
+	char zname[DNS_NAME_FORMATSIZE];
+	dns_fixedname_t fname;
+	dns_name_t *name;
+	isc_buffer_t b;
+
+	INSIST(zoneconfig != NULL && *zoneconfig == NULL);
+
+	LOCK(&view->new_zone_lock);
+
+	CHECK(nzd_open(view, MDB_RDONLY, &txn, &dbi));
+
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+		      "loading NZD config from '%s' "
+		      "for zone '%s'",
+		      view->new_zone_db, zonename);
+
+	/* Normalize zone name */
+	isc_buffer_constinit(&b, zonename, strlen(zonename));
+	isc_buffer_add(&b, strlen(zonename));
+	name = dns_fixedname_initname(&fname);
+	CHECK(dns_name_fromtext(name, &b, dns_rootname, DNS_NAME_DOWNCASE,
+				NULL));
+	dns_name_format(name, zname, sizeof(zname));
+
+	key.mv_data = zname;
+	key.mv_size = strlen(zname);
+
+	status = mdb_get(txn, dbi, &key, &data);
+	if (status != MDB_SUCCESS) {
+		CHECK(ISC_R_FAILURE);
+	}
+
+	CHECK(data_to_cfg(view, &key, &data, &text, &zoneconf));
+
+	*zoneconfig = zoneconf;
+	zoneconf = NULL;
+	result = ISC_R_SUCCESS;
+
+cleanup:
+	(void)nzd_close(&txn, false);
+
+	UNLOCK(&view->new_zone_lock);
+
+	if (zoneconf != NULL) {
+		cfg_obj_destroy(named_g_addparser, &zoneconf);
+	}
+	if (text != NULL) {
+		isc_buffer_free(&text);
+	}
+
+	return (result);
+}
+
+#endif /* HAVE_LMDB */
+
+static int
+count_zones(const cfg_obj_t *conf) {
+	const cfg_obj_t *zonelist = NULL;
+	const cfg_listelt_t *element;
+	int n = 0;
+
+	REQUIRE(conf != NULL);
+
+	cfg_map_get(conf, "zone", &zonelist);
+	for (element = cfg_list_first(zonelist); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		n++;
+	}
+
+	return (n);
+}
+
+static isc_result_t
+check_lockfile(named_server_t *server, const cfg_obj_t *config,
+	       bool first_time) {
+	isc_result_t result;
+	const char *filename = NULL;
+	const cfg_obj_t *maps[3];
+	const cfg_obj_t *options;
+	const cfg_obj_t *obj;
+	int i;
+
+	i = 0;
+	options = NULL;
+	result = cfg_map_get(config, "options", &options);
+	if (result == ISC_R_SUCCESS) {
+		maps[i++] = options;
+	}
+	maps[i++] = named_g_defaults;
+	maps[i] = NULL;
+
+	obj = NULL;
+	(void)named_config_get(maps, "lock-file", &obj);
+
+	if (!first_time) {
+		if (obj != NULL && !cfg_obj_isstring(obj) &&
+		    server->lockfile != NULL &&
+		    strcmp(cfg_obj_asstring(obj), server->lockfile) != 0)
+		{
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING,
+				      "changing 'lock-file' "
+				      "has no effect until the "
+				      "server is restarted");
+		}
+
+		return (ISC_R_SUCCESS);
+	}
+
+	if (obj != NULL) {
+		if (cfg_obj_isvoid(obj)) {
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_DEBUG(1),
+				      "skipping lock-file check ");
+			return (ISC_R_SUCCESS);
+		} else if (named_g_forcelock) {
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING,
+				      "'lock-file' has no effect "
+				      "because the server was run with -X");
+			server->lockfile = isc_mem_strdup(
+				server->mctx, named_g_defaultlockfile);
+		} else {
+			filename = cfg_obj_asstring(obj);
+			server->lockfile = isc_mem_strdup(server->mctx,
+							  filename);
+		}
+
+		if (server->lockfile == NULL) {
+			return (ISC_R_NOMEMORY);
+		}
+	}
+
+	if (named_g_forcelock && named_g_defaultlockfile != NULL) {
+		INSIST(server->lockfile == NULL);
+		server->lockfile = isc_mem_strdup(server->mctx,
+						  named_g_defaultlockfile);
+	}
+
+	if (server->lockfile == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+
+	if (named_os_issingleton(server->lockfile)) {
+		return (ISC_R_SUCCESS);
+	}
+
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+		      "could not lock %s; another named "
+		      "process may be running",
+		      server->lockfile);
+	return (ISC_R_FAILURE);
+}
+
+static isc_result_t
+load_configuration(const char *filename, named_server_t *server,
+		   bool first_time) {
+	cfg_obj_t *config = NULL, *bindkeys = NULL;
+	cfg_parser_t *conf_parser = NULL, *bindkeys_parser = NULL;
+	const cfg_listelt_t *element;
+	const cfg_obj_t *builtin_views;
+	const cfg_obj_t *maps[3];
+	const cfg_obj_t *obj;
+	const cfg_obj_t *options;
+	const cfg_obj_t *usev4ports, *avoidv4ports, *usev6ports, *avoidv6ports;
+	const cfg_obj_t *kasps;
+	dns_kasp_t *kasp = NULL;
+	dns_kasp_t *kasp_next = NULL;
+	dns_kasplist_t tmpkasplist, kasplist;
+	const cfg_obj_t *views;
+	dns_view_t *view = NULL;
+	dns_view_t *view_next = NULL;
+	dns_viewlist_t tmpviewlist;
+	dns_viewlist_t viewlist, builtin_viewlist;
+	in_port_t listen_port, udpport_low, udpport_high;
+	int i, backlog;
+	int num_zones = 0;
+	bool exclusive = false;
+	isc_interval_t interval;
+	isc_logconfig_t *logc = NULL;
+	isc_portset_t *v4portset = NULL;
+	isc_portset_t *v6portset = NULL;
+	isc_resourcevalue_t nfiles;
+	isc_result_t result, tresult;
+	uint32_t heartbeat_interval;
+	uint32_t interface_interval;
+	uint32_t reserved;
+	uint32_t udpsize;
+	uint32_t transfer_message_size;
+	named_cache_t *nsc;
+	named_cachelist_t cachelist, tmpcachelist;
+	ns_altsecret_t *altsecret;
+	ns_altsecretlist_t altsecrets, tmpaltsecrets;
+	unsigned int maxsocks;
+	uint32_t softquota = 0;
+	uint32_t max;
+	uint64_t initial, idle, keepalive, advertised;
+	bool loadbalancesockets;
+	dns_aclenv_t *env =
+		ns_interfacemgr_getaclenv(named_g_server->interfacemgr);
+
+	ISC_LIST_INIT(kasplist);
+	ISC_LIST_INIT(viewlist);
+	ISC_LIST_INIT(builtin_viewlist);
+	ISC_LIST_INIT(cachelist);
+	ISC_LIST_INIT(altsecrets);
+
+	/* Create the ACL configuration context */
+	if (named_g_aclconfctx != NULL) {
+		cfg_aclconfctx_detach(&named_g_aclconfctx);
+	}
+	CHECK(cfg_aclconfctx_create(named_g_mctx, &named_g_aclconfctx));
+
+	/*
+	 * Shut down all dyndb instances.
+	 */
+	dns_dyndb_cleanup(false);
+
+	/*
+	 * Parse the global default pseudo-config file.
+	 */
+	if (first_time) {
+		result = named_config_parsedefaults(named_g_parser,
+						    &named_g_config);
+		if (result != ISC_R_SUCCESS) {
+			named_main_earlyfatal("unable to load "
+					      "internal defaults: %s",
+					      isc_result_totext(result));
+		}
+		RUNTIME_CHECK(cfg_map_get(named_g_config, "options",
+					  &named_g_defaults) == ISC_R_SUCCESS);
+	}
+
+	/*
+	 * Parse the configuration file using the new config code.
+	 */
+	config = NULL;
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+		      "loading configuration from '%s'", filename);
+	CHECK(cfg_parser_create(named_g_mctx, named_g_lctx, &conf_parser));
+	cfg_parser_setcallback(conf_parser, directory_callback, NULL);
+	result = cfg_parse_file(conf_parser, filename, &cfg_type_namedconf,
+				&config);
+
+	CHECK(result);
+
+	/*
+	 * Check the validity of the configuration.
+	 *
+	 * (Ignore plugin parameters for now; they will be
+	 * checked later when the modules are actually loaded and
+	 * registered.)
+	 */
+	CHECK(bind9_check_namedconf(config, false, named_g_lctx, named_g_mctx));
+
+	/*
+	 * Fill in the maps array, used for resolving defaults.
+	 */
+	i = 0;
+	options = NULL;
+	result = cfg_map_get(config, "options", &options);
+	if (result == ISC_R_SUCCESS) {
+		maps[i++] = options;
+	}
+	maps[i++] = named_g_defaults;
+	maps[i] = NULL;
+
+	/*
+	 * If bind.keys exists, load it.  If "dnssec-validation auto"
+	 * is turned on, the root key found there will be used as a
+	 * default trust anchor.
+	 */
+	obj = NULL;
+	result = named_config_get(maps, "bindkeys-file", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	CHECKM(setstring(server, &server->bindkeysfile, cfg_obj_asstring(obj)),
+	       "strdup");
+	INSIST(server->bindkeysfile != NULL);
+
+	if (access(server->bindkeysfile, R_OK) == 0) {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+			      "reading built-in trust anchors "
+			      "from file '%s'",
+			      server->bindkeysfile);
+
+		CHECK(cfg_parser_create(named_g_mctx, named_g_lctx,
+					&bindkeys_parser));
+
+		result = cfg_parse_file(bindkeys_parser, server->bindkeysfile,
+					&cfg_type_bindkeys, &bindkeys);
+		if (result != ISC_R_SUCCESS) {
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+				      "unable to parse '%s' error '%s'; using "
+				      "built-in keys instead",
+				      server->bindkeysfile,
+				      isc_result_totext(result));
+		}
+	} else {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+			      "unable to open '%s'; using built-in keys "
+			      "instead",
+			      server->bindkeysfile);
+	}
+
+	/* Ensure exclusive access to configuration data. */
+	if (!exclusive) {
+		result = isc_task_beginexclusive(server->task);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		exclusive = true;
+	}
+
+	/*
+	 * Set process limits, which (usually) needs to be done as root.
+	 */
+	set_limits(maps);
+
+	/*
+	 * Check the process lockfile.
+	 */
+	CHECK(check_lockfile(server, config, first_time));
+
+	/*
+	 * Check if max number of open sockets that the system allows is
+	 * sufficiently large.	Failing this condition is not necessarily fatal,
+	 * but may cause subsequent runtime failures for a busy recursive
+	 * server.
+	 */
+	result = isc_socketmgr_getmaxsockets(named_g_socketmgr, &maxsocks);
+	if (result != ISC_R_SUCCESS) {
+		maxsocks = 0;
+	}
+	result = isc_resource_getcurlimit(isc_resource_openfiles, &nfiles);
+	if (result == ISC_R_SUCCESS && (isc_resourcevalue_t)maxsocks > nfiles) {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING,
+			      "max open files (%" PRIu64 ")"
+			      " is smaller than max sockets (%u)",
+			      nfiles, maxsocks);
+	}
+
+	/*
+	 * Set the number of socket reserved for TCP, stdio etc.
+	 */
+	obj = NULL;
+	result = named_config_get(maps, "reserved-sockets", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	reserved = cfg_obj_asuint32(obj);
+	if (maxsocks != 0) {
+		if (maxsocks < 128U) { /* Prevent underflow. */
+			reserved = 0;
+		} else if (reserved > maxsocks - 128U) { /* Minimum UDP space.
+							  */
+			reserved = maxsocks - 128;
+		}
+	}
+	/* Minimum TCP/stdio space. */
+	if (reserved < 128U) {
+		reserved = 128;
+	}
+	if (reserved + 128U > maxsocks && maxsocks != 0) {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING,
+			      "less than 128 UDP sockets available after "
+			      "applying 'reserved-sockets' and 'maxsockets'");
+	}
+	isc_socketmgr_setreserved(named_g_socketmgr, reserved);
+
+#if defined(HAVE_GEOIP2)
+	/*
+	 * Release any previously opened GeoIP2 databases.
+	 */
+	named_geoip_unload();
+
+	/*
+	 * Initialize GeoIP databases from the configured location.
+	 * This should happen before configuring any ACLs, so that we
+	 * know what databases are available and can reject any GeoIP
+	 * ACLs that can't work.
+	 */
+	obj = NULL;
+	result = named_config_get(maps, "geoip-directory", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	if (cfg_obj_isstring(obj)) {
+		char *dir;
+		DE_CONST(cfg_obj_asstring(obj), dir);
+		named_geoip_load(dir);
+	}
+	named_g_aclconfctx->geoip = named_g_geoip;
+#endif /* HAVE_GEOIP2 */
+
+	/*
+	 * Configure various server options.
+	 */
+	configure_server_quota(maps, "transfers-out",
+			       &server->sctx->xfroutquota);
+	configure_server_quota(maps, "tcp-clients", &server->sctx->tcpquota);
+	configure_server_quota(maps, "recursive-clients",
+			       &server->sctx->recursionquota);
+	configure_server_quota(maps, "update-quota", &server->sctx->updquota);
+
+	max = isc_quota_getmax(&server->sctx->recursionquota);
+	if (max > 1000) {
+		unsigned margin = ISC_MAX(100, named_g_cpus + 1);
+		if (margin + 100 > max) {
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "'recursive-clients %d' too low when "
+				      "running with %d worker threads",
+				      max, named_g_cpus);
+			CHECK(ISC_R_RANGE);
+		}
+		softquota = max - margin;
+	} else {
+		softquota = (max * 90) / 100;
+	}
+
+	isc_quota_soft(&server->sctx->recursionquota, softquota);
+
+	/*
+	 * Set "blackhole". Only legal at options level; there is
+	 * no default.
+	 */
+	CHECK(configure_view_acl(NULL, config, NULL, "blackhole", NULL,
+				 named_g_aclconfctx, named_g_mctx,
+				 &server->sctx->blackholeacl));
+	if (server->sctx->blackholeacl != NULL) {
+		dns_dispatchmgr_setblackhole(named_g_dispatchmgr,
+					     server->sctx->blackholeacl);
+	}
+
+	/*
+	 * Set "keep-response-order". Only legal at options or
+	 * global defaults level.
+	 */
+	CHECK(configure_view_acl(NULL, config, named_g_config,
+				 "keep-response-order", NULL,
+				 named_g_aclconfctx, named_g_mctx,
+				 &server->sctx->keepresporder));
+
+	obj = NULL;
+	result = named_config_get(maps, "match-mapped-addresses", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	env->match_mapped = cfg_obj_asboolean(obj);
+
+	CHECKM(named_statschannels_configure(named_g_server, config,
+					     named_g_aclconfctx),
+	       "configuring statistics server(s)");
+
+	obj = NULL;
+	result = named_config_get(maps, "tcp-initial-timeout", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	initial = cfg_obj_asuint32(obj) * 100;
+	if (initial > MAX_INITIAL_TIMEOUT) {
+		cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING,
+			    "tcp-initial-timeout value is out of range: "
+			    "lowering to %" PRIu32,
+			    MAX_INITIAL_TIMEOUT / 100);
+		initial = MAX_INITIAL_TIMEOUT;
+	} else if (initial < MIN_INITIAL_TIMEOUT) {
+		cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING,
+			    "tcp-initial-timeout value is out of range: "
+			    "raising to %" PRIu32,
+			    MIN_INITIAL_TIMEOUT / 100);
+		initial = MIN_INITIAL_TIMEOUT;
+	}
+
+	obj = NULL;
+	result = named_config_get(maps, "tcp-idle-timeout", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	idle = cfg_obj_asuint32(obj) * 100;
+	if (idle > MAX_IDLE_TIMEOUT) {
+		cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING,
+			    "tcp-idle-timeout value is out of range: "
+			    "lowering to %" PRIu32,
+			    MAX_IDLE_TIMEOUT / 100);
+		idle = MAX_IDLE_TIMEOUT;
+	} else if (idle < MIN_IDLE_TIMEOUT) {
+		cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING,
+			    "tcp-idle-timeout value is out of range: "
+			    "raising to %" PRIu32,
+			    MIN_IDLE_TIMEOUT / 100);
+		idle = MIN_IDLE_TIMEOUT;
+	}
+
+	obj = NULL;
+	result = named_config_get(maps, "tcp-keepalive-timeout", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	keepalive = cfg_obj_asuint32(obj) * 100;
+	if (keepalive > MAX_KEEPALIVE_TIMEOUT) {
+		cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING,
+			    "tcp-keepalive-timeout value is out of range: "
+			    "lowering to %" PRIu32,
+			    MAX_KEEPALIVE_TIMEOUT / 100);
+		keepalive = MAX_KEEPALIVE_TIMEOUT;
+	} else if (keepalive < MIN_KEEPALIVE_TIMEOUT) {
+		cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING,
+			    "tcp-keepalive-timeout value is out of range: "
+			    "raising to %" PRIu32,
+			    MIN_KEEPALIVE_TIMEOUT / 100);
+		keepalive = MIN_KEEPALIVE_TIMEOUT;
+	}
+
+	obj = NULL;
+	result = named_config_get(maps, "tcp-advertised-timeout", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	advertised = cfg_obj_asuint32(obj) * 100;
+	if (advertised > MAX_ADVERTISED_TIMEOUT) {
+		cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING,
+			    "tcp-advertized-timeout value is out of range: "
+			    "lowering to %" PRIu32,
+			    MAX_ADVERTISED_TIMEOUT / 100);
+		advertised = MAX_ADVERTISED_TIMEOUT;
+	}
+
+	isc_nm_settimeouts(named_g_nm, initial, idle, keepalive, advertised);
+
+	/*
+	 * Configure sets of UDP query source ports.
+	 */
+	CHECKM(isc_portset_create(named_g_mctx, &v4portset), "creating UDP "
+							     "port set");
+	CHECKM(isc_portset_create(named_g_mctx, &v6portset), "creating UDP "
+							     "port set");
+
+	usev4ports = NULL;
+	usev6ports = NULL;
+	avoidv4ports = NULL;
+	avoidv6ports = NULL;
+
+	(void)named_config_get(maps, "use-v4-udp-ports", &usev4ports);
+	if (usev4ports != NULL) {
+		portset_fromconf(v4portset, usev4ports, true);
+	} else {
+		CHECKM(isc_net_getudpportrange(AF_INET, &udpport_low,
+					       &udpport_high),
+		       "get the default UDP/IPv4 port range");
+		if (udpport_low == udpport_high) {
+			isc_portset_add(v4portset, udpport_low);
+		} else {
+			isc_portset_addrange(v4portset, udpport_low,
+					     udpport_high);
+		}
+		if (!ns_server_getoption(server->sctx, NS_SERVER_DISABLE4)) {
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+				      "using default UDP/IPv4 port range: "
+				      "[%d, %d]",
+				      udpport_low, udpport_high);
+		}
+	}
+	(void)named_config_get(maps, "avoid-v4-udp-ports", &avoidv4ports);
+	if (avoidv4ports != NULL) {
+		portset_fromconf(v4portset, avoidv4ports, false);
+	}
+
+	(void)named_config_get(maps, "use-v6-udp-ports", &usev6ports);
+	if (usev6ports != NULL) {
+		portset_fromconf(v6portset, usev6ports, true);
+	} else {
+		CHECKM(isc_net_getudpportrange(AF_INET6, &udpport_low,
+					       &udpport_high),
+		       "get the default UDP/IPv6 port range");
+		if (udpport_low == udpport_high) {
+			isc_portset_add(v6portset, udpport_low);
+		} else {
+			isc_portset_addrange(v6portset, udpport_low,
+					     udpport_high);
+		}
+		if (!ns_server_getoption(server->sctx, NS_SERVER_DISABLE6)) {
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+				      "using default UDP/IPv6 port range: "
+				      "[%d, %d]",
+				      udpport_low, udpport_high);
+		}
+	}
+	(void)named_config_get(maps, "avoid-v6-udp-ports", &avoidv6ports);
+	if (avoidv6ports != NULL) {
+		portset_fromconf(v6portset, avoidv6ports, false);
+	}
+
+	dns_dispatchmgr_setavailports(named_g_dispatchmgr, v4portset,
+				      v6portset);
+
+	/*
+	 * Set the EDNS UDP size when we don't match a view.
+	 */
+	obj = NULL;
+	result = named_config_get(maps, "edns-udp-size", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	udpsize = cfg_obj_asuint32(obj);
+	if (udpsize < 512) {
+		udpsize = 512;
+	}
+	if (udpsize > 4096) {
+		udpsize = 4096;
+	}
+	server->sctx->udpsize = (uint16_t)udpsize;
+
+	/* Set the transfer message size for TCP */
+	obj = NULL;
+	result = named_config_get(maps, "transfer-message-size", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	transfer_message_size = cfg_obj_asuint32(obj);
+	if (transfer_message_size < 512) {
+		transfer_message_size = 512;
+	} else if (transfer_message_size > 65535) {
+		transfer_message_size = 65535;
+	}
+	server->sctx->transfer_tcp_message_size =
+		(uint16_t)transfer_message_size;
+
+	/*
+	 * Configure the zone manager.
+	 */
+	obj = NULL;
+	result = named_config_get(maps, "transfers-in", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	dns_zonemgr_settransfersin(server->zonemgr, cfg_obj_asuint32(obj));
+
+	obj = NULL;
+	result = named_config_get(maps, "transfers-per-ns", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	dns_zonemgr_settransfersperns(server->zonemgr, cfg_obj_asuint32(obj));
+
+	obj = NULL;
+	result = named_config_get(maps, "notify-rate", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	dns_zonemgr_setnotifyrate(server->zonemgr, cfg_obj_asuint32(obj));
+
+	obj = NULL;
+	result = named_config_get(maps, "startup-notify-rate", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	dns_zonemgr_setstartupnotifyrate(server->zonemgr,
+					 cfg_obj_asuint32(obj));
+
+	obj = NULL;
+	result = named_config_get(maps, "serial-query-rate", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	dns_zonemgr_setserialqueryrate(server->zonemgr, cfg_obj_asuint32(obj));
+
+	/*
+	 * Determine which port to use for listening for incoming connections.
+	 */
+	if (named_g_port != 0) {
+		listen_port = named_g_port;
+	} else {
+		CHECKM(named_config_getport(config, &listen_port), "port");
+	}
+
+	/*
+	 * Determining the default DSCP code point.
+	 */
+	CHECKM(named_config_getdscp(config, &named_g_dscp), "dscp");
+
+	/*
+	 * Find the listen queue depth.
+	 */
+	obj = NULL;
+	result = named_config_get(maps, "tcp-listen-queue", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	backlog = cfg_obj_asuint32(obj);
+	if ((backlog > 0) && (backlog < 10)) {
+		backlog = 10;
+	}
+	ns_interfacemgr_setbacklog(server->interfacemgr, backlog);
+
+	obj = NULL;
+	result = named_config_get(maps, "reuseport", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	loadbalancesockets = cfg_obj_asboolean(obj);
+#if HAVE_SO_REUSEPORT_LB
+	if (first_time) {
+		isc_nm_setloadbalancesockets(named_g_nm,
+					     cfg_obj_asboolean(obj));
+	} else if (loadbalancesockets !=
+		   isc_nm_getloadbalancesockets(named_g_nm))
+	{
+		cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING,
+			    "changing reuseport value requires server restart");
+	}
+#else
+	if (loadbalancesockets) {
+		cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING,
+			    "reuseport has no effect on this system");
+	}
+#endif
+
+	/*
+	 * Configure the interface manager according to the "listen-on"
+	 * statement.
+	 */
+	{
+		const cfg_obj_t *clistenon = NULL;
+		ns_listenlist_t *listenon = NULL;
+
+		clistenon = NULL;
+		/*
+		 * Even though listen-on is present in the default
+		 * configuration, this way is easier.
+		 */
+		if (options != NULL) {
+			(void)cfg_map_get(options, "listen-on", &clistenon);
+		}
+		if (clistenon != NULL) {
+			/* check return code? */
+			(void)ns_listenlist_fromconfig(
+				clistenon, config, named_g_aclconfctx,
+				named_g_mctx, AF_INET, &listenon);
+		} else {
+			/*
+			 * Not specified, use default.
+			 */
+			CHECK(ns_listenlist_default(named_g_mctx, listen_port,
+						    -1, true, &listenon));
+		}
+		if (listenon != NULL) {
+			ns_interfacemgr_setlistenon4(server->interfacemgr,
+						     listenon);
+			ns_listenlist_detach(&listenon);
+		}
+	}
+	/*
+	 * Ditto for IPv6.
+	 */
+	{
+		const cfg_obj_t *clistenon = NULL;
+		ns_listenlist_t *listenon = NULL;
+
+		if (options != NULL) {
+			(void)cfg_map_get(options, "listen-on-v6", &clistenon);
+		}
+		if (clistenon != NULL) {
+			/* check return code? */
+			(void)ns_listenlist_fromconfig(
+				clistenon, config, named_g_aclconfctx,
+				named_g_mctx, AF_INET6, &listenon);
+		} else {
+			/*
+			 * Not specified, use default.
+			 */
+			CHECK(ns_listenlist_default(named_g_mctx, listen_port,
+						    -1, true, &listenon));
+		}
+		if (listenon != NULL) {
+			ns_interfacemgr_setlistenon6(server->interfacemgr,
+						     listenon);
+			ns_listenlist_detach(&listenon);
+		}
+	}
+
+	/*
+	 * Rescan the interface list to pick up changes in the
+	 * listen-on option.  It's important that we do this before we try
+	 * to configure the query source, since the dispatcher we use might
+	 * be shared with an interface.
+	 */
+	result = ns_interfacemgr_scan(server->interfacemgr, true);
+
+	/*
+	 * Check that named is able to TCP listen on at least one
+	 * interface. Otherwise, another named process could be running
+	 * and we should fail.
+	 */
+	if (first_time && (result == ISC_R_ADDRINUSE)) {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+			      "unable to listen on any configured interfaces");
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+
+	/*
+	 * Arrange for further interface scanning to occur periodically
+	 * as specified by the "interface-interval" option.
+	 */
+	obj = NULL;
+	result = named_config_get(maps, "interface-interval", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	interface_interval = cfg_obj_asduration(obj);
+	if (interface_interval == 0) {
+		CHECK(isc_timer_reset(server->interface_timer,
+				      isc_timertype_inactive, NULL, NULL,
+				      true));
+	} else if (server->interface_interval != interface_interval) {
+		isc_interval_set(&interval, interface_interval, 0);
+		CHECK(isc_timer_reset(server->interface_timer,
+				      isc_timertype_ticker, NULL, &interval,
+				      false));
+	}
+	server->interface_interval = interface_interval;
+
+	/*
+	 * Enable automatic interface scans.
+	 */
+	obj = NULL;
+	result = named_config_get(maps, "automatic-interface-scan", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	server->sctx->interface_auto = cfg_obj_asboolean(obj);
+
+	/*
+	 * Configure the dialup heartbeat timer.
+	 */
+	obj = NULL;
+	result = named_config_get(maps, "heartbeat-interval", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	heartbeat_interval = cfg_obj_asuint32(obj) * 60;
+	if (heartbeat_interval == 0) {
+		CHECK(isc_timer_reset(server->heartbeat_timer,
+				      isc_timertype_inactive, NULL, NULL,
+				      true));
+	} else if (server->heartbeat_interval != heartbeat_interval) {
+		isc_interval_set(&interval, heartbeat_interval, 0);
+		CHECK(isc_timer_reset(server->heartbeat_timer,
+				      isc_timertype_ticker, NULL, &interval,
+				      false));
+	}
+	server->heartbeat_interval = heartbeat_interval;
+
+	isc_interval_set(&interval, 1200, 0);
+	CHECK(isc_timer_reset(server->pps_timer, isc_timertype_ticker, NULL,
+			      &interval, false));
+
+	isc_interval_set(&interval, named_g_tat_interval, 0);
+	CHECK(isc_timer_reset(server->tat_timer, isc_timertype_ticker, NULL,
+			      &interval, false));
+
+	/*
+	 * Write the PID file.
+	 */
+	obj = NULL;
+	if (named_config_get(maps, "pid-file", &obj) == ISC_R_SUCCESS) {
+		if (cfg_obj_isvoid(obj)) {
+			named_os_writepidfile(NULL, first_time);
+		} else {
+			named_os_writepidfile(cfg_obj_asstring(obj),
+					      first_time);
+		}
+	} else {
+		named_os_writepidfile(named_g_defaultpidfile, first_time);
+	}
+
+	/*
+	 * Configure the server-wide session key.  This must be done before
+	 * configure views because zone configuration may need to know
+	 * session-keyname.
+	 *
+	 * Failure of session key generation isn't fatal at this time; if it
+	 * turns out that a session key is really needed but doesn't exist,
+	 * we'll treat it as a fatal error then.
+	 */
+	(void)configure_session_key(maps, server, named_g_mctx, first_time);
+
+	/*
+	 * Create the DNSSEC key and signing policies (KASP).
+	 */
+	kasps = NULL;
+	(void)cfg_map_get(config, "dnssec-policy", &kasps);
+	for (element = cfg_list_first(kasps); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		cfg_obj_t *kconfig = cfg_listelt_value(element);
+		kasp = NULL;
+		CHECK(cfg_kasp_fromconfig(kconfig, NULL, named_g_mctx,
+					  named_g_lctx, &kasplist, &kasp));
+		INSIST(kasp != NULL);
+		dns_kasp_freeze(kasp);
+		dns_kasp_detach(&kasp);
+	}
+	/*
+	 * Create the built-in kasp policies ("default", "insecure").
+	 */
+	kasp = NULL;
+	CHECK(cfg_kasp_fromconfig(NULL, "default", named_g_mctx, named_g_lctx,
+				  &kasplist, &kasp));
+	INSIST(kasp != NULL);
+	dns_kasp_freeze(kasp);
+	dns_kasp_detach(&kasp);
+
+	kasp = NULL;
+	CHECK(cfg_kasp_fromconfig(NULL, "insecure", named_g_mctx, named_g_lctx,
+				  &kasplist, &kasp));
+	INSIST(kasp != NULL);
+	dns_kasp_freeze(kasp);
+	dns_kasp_detach(&kasp);
+
+	tmpkasplist = server->kasplist;
+	server->kasplist = kasplist;
+	kasplist = tmpkasplist;
+
+	/*
+	 * Configure the views.
+	 */
+	views = NULL;
+	(void)cfg_map_get(config, "view", &views);
+
+	/*
+	 * Create the views and count all the configured zones in
+	 * order to correctly size the zone manager's task table.
+	 * (We only count zones for configured views; the built-in
+	 * "bind" view can be ignored as it only adds a negligible
+	 * number of zones.)
+	 *
+	 * If we're allowing new zones, we need to be able to find the
+	 * new zone file and count those as well.  So we setup the new
+	 * zone configuration context, but otherwise view configuration
+	 * waits until after the zone manager's task list has been sized.
+	 */
+	for (element = cfg_list_first(views); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		cfg_obj_t *vconfig = cfg_listelt_value(element);
+		const cfg_obj_t *voptions = cfg_tuple_get(vconfig, "options");
+		int nzf_num_zones;
+
+		view = NULL;
+
+		CHECK(create_view(vconfig, &viewlist, &view));
+		INSIST(view != NULL);
+
+		num_zones += count_zones(voptions);
+
+		CHECK(setup_newzones(view, config, vconfig, conf_parser,
+				     named_g_aclconfctx, &nzf_num_zones));
+		num_zones += nzf_num_zones;
+
+		dns_view_detach(&view);
+	}
+
+	/*
+	 * If there were no explicit views then we do the default
+	 * view here.
+	 */
+	if (views == NULL) {
+		int nzf_num_zones;
+
+		CHECK(create_view(NULL, &viewlist, &view));
+		INSIST(view != NULL);
+
+		num_zones = count_zones(config);
+
+		CHECK(setup_newzones(view, config, NULL, conf_parser,
+				     named_g_aclconfctx, &nzf_num_zones));
+		num_zones += nzf_num_zones;
+
+		dns_view_detach(&view);
+	}
+
+	/*
+	 * Zones have been counted; set the zone manager task pool size.
+	 */
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+		      "sizing zone task pool based on %d zones", num_zones);
+	CHECK(dns_zonemgr_setsize(named_g_server->zonemgr, num_zones));
+
+	/*
+	 * Configure and freeze all explicit views.  Explicit
+	 * views that have zones were already created at parsing
+	 * time, but views with no zones must be created here.
+	 */
+	for (element = cfg_list_first(views); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		cfg_obj_t *vconfig = cfg_listelt_value(element);
+
+		view = NULL;
+		CHECK(find_view(vconfig, &viewlist, &view));
+		CHECK(configure_view(view, &viewlist, config, vconfig,
+				     &cachelist, &server->kasplist, bindkeys,
+				     named_g_mctx, named_g_aclconfctx, true));
+		dns_view_freeze(view);
+		dns_view_detach(&view);
+	}
+
+	/*
+	 * Make sure we have a default view if and only if there
+	 * were no explicit views.
+	 */
+	if (views == NULL) {
+		view = NULL;
+		CHECK(find_view(NULL, &viewlist, &view));
+		CHECK(configure_view(view, &viewlist, config, NULL, &cachelist,
+				     &server->kasplist, bindkeys, named_g_mctx,
+				     named_g_aclconfctx, true));
+		dns_view_freeze(view);
+		dns_view_detach(&view);
+	}
+
+	/*
+	 * Create (or recreate) the built-in views.
+	 */
+	builtin_views = NULL;
+	RUNTIME_CHECK(cfg_map_get(named_g_config, "view", &builtin_views) ==
+		      ISC_R_SUCCESS);
+	for (element = cfg_list_first(builtin_views); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		cfg_obj_t *vconfig = cfg_listelt_value(element);
+
+		CHECK(create_view(vconfig, &builtin_viewlist, &view));
+		CHECK(configure_view(view, &viewlist, config, vconfig,
+				     &cachelist, &server->kasplist, bindkeys,
+				     named_g_mctx, named_g_aclconfctx, false));
+		dns_view_freeze(view);
+		dns_view_detach(&view);
+		view = NULL;
+	}
+
+	/* Now combine the two viewlists into one */
+	ISC_LIST_APPENDLIST(viewlist, builtin_viewlist, link);
+
+	/*
+	 * Commit any dns_zone_setview() calls on all zones in the new
+	 * view.
+	 */
+	for (view = ISC_LIST_HEAD(viewlist); view != NULL;
+	     view = ISC_LIST_NEXT(view, link))
+	{
+		dns_view_setviewcommit(view);
+	}
+
+	/* Swap our new view list with the production one. */
+	tmpviewlist = server->viewlist;
+	server->viewlist = viewlist;
+	viewlist = tmpviewlist;
+
+	/* Make the view list available to each of the views */
+	view = ISC_LIST_HEAD(server->viewlist);
+	while (view != NULL) {
+		view->viewlist = &server->viewlist;
+		view = ISC_LIST_NEXT(view, link);
+	}
+
+	/* Swap our new cache list with the production one. */
+	tmpcachelist = server->cachelist;
+	server->cachelist = cachelist;
+	cachelist = tmpcachelist;
+
+	/* Load the TKEY information from the configuration. */
+	if (options != NULL) {
+		dns_tkeyctx_t *t = NULL;
+		CHECKM(named_tkeyctx_fromconfig(options, named_g_mctx, &t),
+		       "configuring TKEY");
+		if (server->sctx->tkeyctx != NULL) {
+			dns_tkeyctx_destroy(&server->sctx->tkeyctx);
+		}
+		server->sctx->tkeyctx = t;
+	}
+
+	/*
+	 * Bind the control port(s).
+	 */
+	CHECKM(named_controls_configure(named_g_server->controls, config,
+					named_g_aclconfctx),
+	       "binding control channel(s)");
+
+#ifdef HAVE_LMDB
+	/*
+	 * If we're using LMDB, we may have created newzones databases
+	 * as root, making it impossible to reopen them later after
+	 * switching to a new userid. We close them now, and reopen
+	 * after relinquishing privileges them.
+	 */
+	if (first_time) {
+		for (view = ISC_LIST_HEAD(server->viewlist); view != NULL;
+		     view = ISC_LIST_NEXT(view, link))
+		{
+			nzd_env_close(view);
+		}
+	}
+#endif /* HAVE_LMDB */
+
+	/*
+	 * Relinquish root privileges.
+	 */
+	if (first_time) {
+		named_os_changeuser();
+	}
+
+	/*
+	 * Check that the working directory is writable.
+	 */
+	if (!isc_file_isdirwritable(".")) {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+			      "the working directory is not writable");
+		result = ISC_R_NOPERM;
+		goto cleanup;
+	}
+
+#ifdef HAVE_LMDB
+	/*
+	 * Reopen NZD databases.
+	 */
+	if (first_time) {
+		for (view = ISC_LIST_HEAD(server->viewlist); view != NULL;
+		     view = ISC_LIST_NEXT(view, link))
+		{
+			nzd_env_reopen(view);
+		}
+	}
+#endif /* HAVE_LMDB */
+
+	/*
+	 * Configure the logging system.
+	 *
+	 * Do this after changing UID to make sure that any log
+	 * files specified in named.conf get created by the
+	 * unprivileged user, not root.
+	 */
+	if (named_g_logstderr) {
+		const cfg_obj_t *logobj = NULL;
+
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+			      "not using config file logging "
+			      "statement for logging due to "
+			      "-g option");
+
+		(void)cfg_map_get(config, "logging", &logobj);
+		if (logobj != NULL) {
+			result = named_logconfig(NULL, logobj);
+			if (result != ISC_R_SUCCESS) {
+				isc_log_write(
+					named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+					NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+					"checking logging configuration "
+					"failed: %s",
+					isc_result_totext(result));
+				goto cleanup;
+			}
+		}
+	} else {
+		const cfg_obj_t *logobj = NULL;
+
+		isc_logconfig_create(named_g_lctx, &logc);
+
+		logobj = NULL;
+		(void)cfg_map_get(config, "logging", &logobj);
+		if (logobj != NULL) {
+			CHECKM(named_logconfig(logc, logobj),
+			       "configuring logging");
+		} else {
+			named_log_setdefaultchannels(logc);
+			CHECKM(named_log_setunmatchedcategory(logc),
+			       "setting up default 'category unmatched'");
+			CHECKM(named_log_setdefaultcategory(logc),
+			       "setting up default 'category default'");
+		}
+
+		isc_logconfig_use(named_g_lctx, logc);
+		logc = NULL;
+
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_DEBUG(1),
+			      "now using logging configuration from "
+			      "config file");
+	}
+
+	/*
+	 * Set the default value of the query logging flag depending
+	 * whether a "queries" category has been defined.  This is
+	 * a disgusting hack, but we need to do this for BIND 8
+	 * compatibility.
+	 */
+	if (first_time) {
+		const cfg_obj_t *logobj = NULL;
+		const cfg_obj_t *categories = NULL;
+
+		obj = NULL;
+		if (named_config_get(maps, "querylog", &obj) == ISC_R_SUCCESS) {
+			ns_server_setoption(server->sctx, NS_SERVER_LOGQUERIES,
+					    cfg_obj_asboolean(obj));
+		} else {
+			(void)cfg_map_get(config, "logging", &logobj);
+			if (logobj != NULL) {
+				(void)cfg_map_get(logobj, "category",
+						  &categories);
+			}
+			if (categories != NULL) {
+				for (element = cfg_list_first(categories);
+				     element != NULL;
+				     element = cfg_list_next(element))
+				{
+					const cfg_obj_t *catobj;
+					const char *str;
+
+					obj = cfg_listelt_value(element);
+					catobj = cfg_tuple_get(obj, "name");
+					str = cfg_obj_asstring(catobj);
+					if (strcasecmp(str, "queries") == 0) {
+						ns_server_setoption(
+							server->sctx,
+							NS_SERVER_LOGQUERIES,
+							true);
+					}
+				}
+			}
+		}
+	}
+
+	obj = NULL;
+	if (options != NULL &&
+	    cfg_map_get(options, "memstatistics", &obj) == ISC_R_SUCCESS)
+	{
+		named_g_memstatistics = cfg_obj_asboolean(obj);
+	} else {
+		named_g_memstatistics =
+			((isc_mem_debugging & ISC_MEM_DEBUGRECORD) != 0);
+	}
+
+	obj = NULL;
+	if (named_config_get(maps, "memstatistics-file", &obj) == ISC_R_SUCCESS)
+	{
+		named_main_setmemstats(cfg_obj_asstring(obj));
+	} else if (named_g_memstatistics) {
+		named_main_setmemstats("named.memstats");
+	} else {
+		named_main_setmemstats(NULL);
+	}
+
+	obj = NULL;
+	result = named_config_get(maps, "statistics-file", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	CHECKM(setstring(server, &server->statsfile, cfg_obj_asstring(obj)),
+	       "strdup");
+
+	obj = NULL;
+	result = named_config_get(maps, "dump-file", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	CHECKM(setstring(server, &server->dumpfile, cfg_obj_asstring(obj)),
+	       "strdup");
+
+	obj = NULL;
+	result = named_config_get(maps, "secroots-file", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	CHECKM(setstring(server, &server->secrootsfile, cfg_obj_asstring(obj)),
+	       "strdup");
+
+	obj = NULL;
+	result = named_config_get(maps, "recursing-file", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	CHECKM(setstring(server, &server->recfile, cfg_obj_asstring(obj)),
+	       "strdup");
+
+	obj = NULL;
+	result = named_config_get(maps, "version", &obj);
+	if (result == ISC_R_SUCCESS) {
+		CHECKM(setoptstring(server, &server->version, obj), "strdup");
+		server->version_set = true;
+	} else {
+		server->version_set = false;
+	}
+
+	obj = NULL;
+	result = named_config_get(maps, "hostname", &obj);
+	if (result == ISC_R_SUCCESS) {
+		CHECKM(setoptstring(server, &server->hostname, obj), "strdup");
+		server->hostname_set = true;
+	} else {
+		server->hostname_set = false;
+	}
+
+	obj = NULL;
+	result = named_config_get(maps, "server-id", &obj);
+	server->sctx->gethostname = NULL;
+	if (result == ISC_R_SUCCESS && cfg_obj_isboolean(obj)) {
+		/* The parser translates "hostname" to true */
+		server->sctx->gethostname = named_os_gethostname;
+		result = ns_server_setserverid(server->sctx, NULL);
+	} else if (result == ISC_R_SUCCESS && !cfg_obj_isvoid(obj)) {
+		/* Found a quoted string */
+		result = ns_server_setserverid(server->sctx,
+					       cfg_obj_asstring(obj));
+	} else {
+		result = ns_server_setserverid(server->sctx, NULL);
+	}
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	obj = NULL;
+	result = named_config_get(maps, "flush-zones-on-shutdown", &obj);
+	if (result == ISC_R_SUCCESS) {
+		server->flushonshutdown = cfg_obj_asboolean(obj);
+	} else {
+		server->flushonshutdown = false;
+	}
+
+	obj = NULL;
+	result = named_config_get(maps, "answer-cookie", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	server->sctx->answercookie = cfg_obj_asboolean(obj);
+
+	obj = NULL;
+	result = named_config_get(maps, "cookie-algorithm", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	if (strcasecmp(cfg_obj_asstring(obj), "siphash24") == 0) {
+		server->sctx->cookiealg = ns_cookiealg_siphash24;
+	} else if (strcasecmp(cfg_obj_asstring(obj), "aes") == 0) {
+		server->sctx->cookiealg = ns_cookiealg_aes;
+	} else {
+		UNREACHABLE();
+	}
+
+	obj = NULL;
+	result = named_config_get(maps, "cookie-secret", &obj);
+	if (result == ISC_R_SUCCESS) {
+		const char *str;
+		bool first = true;
+		isc_buffer_t b;
+		unsigned int usedlength;
+		unsigned int expectedlength;
+
+		for (element = cfg_list_first(obj); element != NULL;
+		     element = cfg_list_next(element))
+		{
+			obj = cfg_listelt_value(element);
+			str = cfg_obj_asstring(obj);
+
+			if (first) {
+				memset(server->sctx->secret, 0,
+				       sizeof(server->sctx->secret));
+				isc_buffer_init(&b, server->sctx->secret,
+						sizeof(server->sctx->secret));
+				result = isc_hex_decodestring(str, &b);
+				if (result != ISC_R_SUCCESS &&
+				    result != ISC_R_NOSPACE)
+				{
+					goto cleanup;
+				}
+				first = false;
+			} else {
+				altsecret = isc_mem_get(server->sctx->mctx,
+							sizeof(*altsecret));
+				isc_buffer_init(&b, altsecret->secret,
+						sizeof(altsecret->secret));
+				result = isc_hex_decodestring(str, &b);
+				if (result != ISC_R_SUCCESS &&
+				    result != ISC_R_NOSPACE)
+				{
+					isc_mem_put(server->sctx->mctx,
+						    altsecret,
+						    sizeof(*altsecret));
+					goto cleanup;
+				}
+				ISC_LIST_INITANDAPPEND(altsecrets, altsecret,
+						       link);
+			}
+
+			usedlength = isc_buffer_usedlength(&b);
+			switch (server->sctx->cookiealg) {
+			case ns_cookiealg_siphash24:
+				expectedlength = ISC_SIPHASH24_KEY_LENGTH;
+				if (usedlength != expectedlength) {
+					CHECKM(ISC_R_RANGE, "SipHash-2-4 "
+							    "cookie-secret "
+							    "must be 128 bits");
+				}
+				break;
+			case ns_cookiealg_aes:
+				expectedlength = ISC_AES128_KEYLENGTH;
+				if (usedlength != expectedlength) {
+					CHECKM(ISC_R_RANGE, "AES cookie-secret "
+							    "must be 128 bits");
+				}
+				break;
+			}
+		}
+	} else {
+		isc_nonce_buf(server->sctx->secret,
+			      sizeof(server->sctx->secret));
+	}
+
+	/*
+	 * Swap altsecrets lists.
+	 */
+	tmpaltsecrets = server->sctx->altsecrets;
+	server->sctx->altsecrets = altsecrets;
+	altsecrets = tmpaltsecrets;
+
+	(void)named_server_loadnta(server);
+
+#ifdef USE_DNSRPS
+	/*
+	 * Start and connect to the DNS Response Policy Service
+	 * daemon, dnsrpzd, for each view that uses DNSRPS.
+	 */
+	for (view = ISC_LIST_HEAD(server->viewlist); view != NULL;
+	     view = ISC_LIST_NEXT(view, link))
+	{
+		result = dns_dnsrps_connect(view->rpzs);
+		if (result != ISC_R_SUCCESS) {
+			view = NULL;
+			goto cleanup;
+		}
+	}
+#endif /* ifdef USE_DNSRPS */
+
+	result = ISC_R_SUCCESS;
+
+cleanup:
+	if (logc != NULL) {
+		isc_logconfig_destroy(&logc);
+	}
+
+	if (v4portset != NULL) {
+		isc_portset_destroy(named_g_mctx, &v4portset);
+	}
+
+	if (v6portset != NULL) {
+		isc_portset_destroy(named_g_mctx, &v6portset);
+	}
+
+	if (conf_parser != NULL) {
+		if (config != NULL) {
+			cfg_obj_destroy(conf_parser, &config);
+		}
+		cfg_parser_destroy(&conf_parser);
+	}
+
+	if (bindkeys_parser != NULL) {
+		if (bindkeys != NULL) {
+			cfg_obj_destroy(bindkeys_parser, &bindkeys);
+		}
+		cfg_parser_destroy(&bindkeys_parser);
+	}
+
+	if (view != NULL) {
+		dns_view_detach(&view);
+	}
+
+	if (kasp != NULL) {
+		dns_kasp_detach(&kasp);
+	}
+
+	ISC_LIST_APPENDLIST(viewlist, builtin_viewlist, link);
+
+	/*
+	 * This cleans up either the old production view list
+	 * or our temporary list depending on whether they
+	 * were swapped above or not.
+	 */
+	for (view = ISC_LIST_HEAD(viewlist); view != NULL; view = view_next) {
+		view_next = ISC_LIST_NEXT(view, link);
+		ISC_LIST_UNLINK(viewlist, view, link);
+		if (result == ISC_R_SUCCESS && strcmp(view->name, "_bind") != 0)
+		{
+			dns_view_setviewrevert(view);
+			(void)dns_zt_apply(view->zonetable, isc_rwlocktype_read,
+					   false, NULL, removed, view);
+		}
+		dns_view_detach(&view);
+	}
+
+	/*
+	 * Same cleanup for kasp list.
+	 */
+	for (kasp = ISC_LIST_HEAD(kasplist); kasp != NULL; kasp = kasp_next) {
+		kasp_next = ISC_LIST_NEXT(kasp, link);
+		ISC_LIST_UNLINK(kasplist, kasp, link);
+		dns_kasp_detach(&kasp);
+	}
+
+	/* Same cleanup for cache list. */
+	while ((nsc = ISC_LIST_HEAD(cachelist)) != NULL) {
+		ISC_LIST_UNLINK(cachelist, nsc, link);
+		dns_cache_detach(&nsc->cache);
+		isc_mem_put(server->mctx, nsc, sizeof(*nsc));
+	}
+
+	/* Cleanup for altsecrets list. */
+	while ((altsecret = ISC_LIST_HEAD(altsecrets)) != NULL) {
+		ISC_LIST_UNLINK(altsecrets, altsecret, link);
+		isc_mem_put(server->sctx->mctx, altsecret, sizeof(*altsecret));
+	}
+
+	/*
+	 * Record the time of most recent configuration
+	 */
+	tresult = isc_time_now(&named_g_configtime);
+	if (tresult != ISC_R_SUCCESS) {
+		named_main_earlyfatal("isc_time_now() failed: %s",
+				      isc_result_totext(result));
+	}
+
+	/* Relinquish exclusive access to configuration data. */
+	if (exclusive) {
+		isc_task_endexclusive(server->task);
+	}
+
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_DEBUG(1),
+		      "load_configuration: %s", isc_result_totext(result));
+
+	return (result);
+}
+
+static isc_result_t
+view_loaded(void *arg) {
+	isc_result_t result;
+	ns_zoneload_t *zl = (ns_zoneload_t *)arg;
+
+	/*
+	 * Force zone maintenance.  Do this after loading
+	 * so that we know when we need to force AXFR of
+	 * slave zones whose master files are missing.
+	 *
+	 * We use the zoneload reference counter to let us
+	 * know when all views are finished.
+	 */
+	if (isc_refcount_decrement(&zl->refs) == 1) {
+		named_server_t *server = zl->server;
+		bool reconfig = zl->reconfig;
+		dns_view_t *view = NULL;
+
+		isc_refcount_destroy(&zl->refs);
+		isc_mem_put(server->mctx, zl, sizeof(*zl));
+
+		/*
+		 * To maintain compatibility with log parsing tools that might
+		 * be looking for this string after "rndc reconfig", we keep it
+		 * as it is
+		 */
+		if (reconfig) {
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+				      "any newly configured zones are now "
+				      "loaded");
+		} else {
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_NOTICE,
+				      "all zones loaded");
+		}
+
+		for (view = ISC_LIST_HEAD(server->viewlist); view != NULL;
+		     view = ISC_LIST_NEXT(view, link))
+		{
+			if (view->managed_keys != NULL) {
+				result = dns_zone_synckeyzone(
+					view->managed_keys);
+				if (result != ISC_R_SUCCESS) {
+					isc_log_write(
+						named_g_lctx,
+						DNS_LOGCATEGORY_DNSSEC,
+						DNS_LOGMODULE_DNSSEC,
+						ISC_LOG_ERROR,
+						"failed to initialize "
+						"managed-keys for view %s "
+						"(%s): DNSSEC validation is "
+						"at risk",
+						view->name,
+						isc_result_totext(result));
+				}
+			}
+		}
+
+		CHECKFATAL(dns_zonemgr_forcemaint(server->zonemgr),
+			   "forcing zone maintenance");
+
+		named_os_started();
+
+#ifdef HAVE_FIPS_MODE
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_NOTICE,
+			      "FIPS mode is %s",
+			      FIPS_mode() ? "enabled" : "disabled");
+#endif /* ifdef HAVE_FIPS_MODE */
+		atomic_store(&server->reload_status, NAMED_RELOAD_DONE);
+
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_NOTICE,
+			      "running");
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+load_zones(named_server_t *server, bool init, bool reconfig) {
+	isc_result_t result;
+	isc_taskmgr_t *taskmgr = dns_zonemgr_gettaskmgr(server->zonemgr);
+	dns_view_t *view = NULL;
+	ns_zoneload_t *zl = NULL;
+
+	zl = isc_mem_get(server->mctx, sizeof(*zl));
+	zl->server = server;
+	zl->reconfig = reconfig;
+
+	result = isc_task_beginexclusive(server->task);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	isc_refcount_init(&zl->refs, 1);
+
+	/*
+	 * Schedule zones to be loaded from disk.
+	 */
+	for (view = ISC_LIST_HEAD(server->viewlist); view != NULL;
+	     view = ISC_LIST_NEXT(view, link))
+	{
+		if (view->managed_keys != NULL) {
+			result = dns_zone_load(view->managed_keys, false);
+			if (result != ISC_R_SUCCESS &&
+			    result != DNS_R_UPTODATE &&
+			    result != DNS_R_CONTINUE)
+			{
+				goto cleanup;
+			}
+		}
+		if (view->redirect != NULL) {
+			result = dns_zone_load(view->redirect, false);
+			if (result != ISC_R_SUCCESS &&
+			    result != DNS_R_UPTODATE &&
+			    result != DNS_R_CONTINUE)
+			{
+				goto cleanup;
+			}
+		}
+
+		/*
+		 * 'dns_view_asyncload' calls view_loaded if there are no
+		 * zones.
+		 */
+		isc_refcount_increment(&zl->refs);
+		result = dns_view_asyncload(view, reconfig, view_loaded, zl);
+		if (result != ISC_R_SUCCESS) {
+			isc_refcount_decrement1(&zl->refs);
+			goto cleanup;
+		}
+	}
+
+cleanup:
+	if (isc_refcount_decrement(&zl->refs) == 1) {
+		isc_refcount_destroy(&zl->refs);
+		isc_mem_put(server->mctx, zl, sizeof(*zl));
+	}
+
+	if (init) {
+		/*
+		 * If we're setting up the server for the first time, set
+		 * the task manager into privileged mode; this ensures
+		 * that no other tasks will begin to run until after zone
+		 * loading is complete. We won't return from exclusive mode
+		 * until the loading is finished; we can then drop out of
+		 * privileged mode.
+		 *
+		 * We do *not* want to do this in the case of reload or
+		 * reconfig, as loading a large zone could cause the server
+		 * to be inactive for too long a time.
+		 */
+		isc_taskmgr_setmode(taskmgr, isc_taskmgrmode_privileged);
+		isc_task_endexclusive(server->task);
+		isc_taskmgr_setmode(taskmgr, isc_taskmgrmode_normal);
+	} else {
+		isc_task_endexclusive(server->task);
+	}
+
+	return (result);
+}
+
+static void
+run_server(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result;
+	named_server_t *server = (named_server_t *)event->ev_arg;
+	dns_geoip_databases_t *geoip;
+
+	INSIST(task == server->task);
+
+	isc_event_free(&event);
+
+	CHECKFATAL(dns_dispatchmgr_create(named_g_mctx, &named_g_dispatchmgr),
+		   "creating dispatch manager");
+
+	dns_dispatchmgr_setstats(named_g_dispatchmgr, server->resolverstats);
+
+#if defined(HAVE_GEOIP2)
+	geoip = named_g_geoip;
+#else  /* if defined(HAVE_GEOIP2) */
+	geoip = NULL;
+#endif /* if defined(HAVE_GEOIP2) */
+
+	CHECKFATAL(ns_interfacemgr_create(
+			   named_g_mctx, server->sctx, named_g_taskmgr,
+			   named_g_timermgr, named_g_socketmgr, named_g_nm,
+			   named_g_dispatchmgr, server->task, named_g_udpdisp,
+			   geoip, named_g_cpus, &server->interfacemgr),
+		   "creating interface manager");
+
+	CHECKFATAL(isc_timer_create(named_g_timermgr, isc_timertype_inactive,
+				    NULL, NULL, server->task,
+				    interface_timer_tick, server,
+				    &server->interface_timer),
+		   "creating interface timer");
+
+	CHECKFATAL(isc_timer_create(named_g_timermgr, isc_timertype_inactive,
+				    NULL, NULL, server->task,
+				    heartbeat_timer_tick, server,
+				    &server->heartbeat_timer),
+		   "creating heartbeat timer");
+
+	CHECKFATAL(isc_timer_create(named_g_timermgr, isc_timertype_inactive,
+				    NULL, NULL, server->task, tat_timer_tick,
+				    server, &server->tat_timer),
+		   "creating trust anchor telemetry timer");
+
+	CHECKFATAL(isc_timer_create(named_g_timermgr, isc_timertype_inactive,
+				    NULL, NULL, server->task, pps_timer_tick,
+				    server, &server->pps_timer),
+		   "creating pps timer");
+
+	CHECKFATAL(
+		cfg_parser_create(named_g_mctx, named_g_lctx, &named_g_parser),
+		"creating default configuration parser");
+
+	CHECKFATAL(cfg_parser_create(named_g_mctx, named_g_lctx,
+				     &named_g_addparser),
+		   "creating additional configuration parser");
+
+	CHECKFATAL(load_configuration(named_g_conffile, server, true),
+		   "loading configuration");
+
+	CHECKFATAL(load_zones(server, true, false), "loading zones");
+#ifdef ENABLE_AFL
+	named_g_run_done = true;
+#endif /* ifdef ENABLE_AFL */
+}
+
+void
+named_server_flushonshutdown(named_server_t *server, bool flush) {
+	REQUIRE(NAMED_SERVER_VALID(server));
+
+	server->flushonshutdown = flush;
+}
+
+static void
+shutdown_server(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result;
+	dns_view_t *view, *view_next = NULL;
+	dns_kasp_t *kasp, *kasp_next = NULL;
+	named_server_t *server = (named_server_t *)event->ev_arg;
+	bool flush = server->flushonshutdown;
+	named_cache_t *nsc;
+
+	UNUSED(task);
+	INSIST(task == server->task);
+
+	/*
+	 * We need to shutdown the interface before going
+	 * exclusive (which would pause the netmgr).
+	 */
+	ns_interfacemgr_shutdown(server->interfacemgr);
+
+	result = isc_task_beginexclusive(server->task);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO, "shutting down%s",
+		      flush ? ": flushing changes" : "");
+
+	named_statschannels_shutdown(server);
+	named_controls_shutdown(server->controls);
+	end_reserved_dispatches(server, true);
+	cleanup_session_key(server, server->mctx);
+
+	if (named_g_aclconfctx != NULL) {
+		cfg_aclconfctx_detach(&named_g_aclconfctx);
+	}
+
+	cfg_obj_destroy(named_g_parser, &named_g_config);
+	cfg_parser_destroy(&named_g_parser);
+	cfg_parser_destroy(&named_g_addparser);
+
+	(void)named_server_saventa(server);
+
+	for (kasp = ISC_LIST_HEAD(server->kasplist); kasp != NULL;
+	     kasp = kasp_next)
+	{
+		kasp_next = ISC_LIST_NEXT(kasp, link);
+		ISC_LIST_UNLINK(server->kasplist, kasp, link);
+		dns_kasp_detach(&kasp);
+	}
+
+	for (view = ISC_LIST_HEAD(server->viewlist); view != NULL;
+	     view = view_next)
+	{
+		view_next = ISC_LIST_NEXT(view, link);
+		ISC_LIST_UNLINK(server->viewlist, view, link);
+		if (flush) {
+			dns_view_flushanddetach(&view);
+		} else {
+			dns_view_detach(&view);
+		}
+	}
+
+	/*
+	 * Shut down all dyndb instances.
+	 */
+	dns_dyndb_cleanup(true);
+
+	while ((nsc = ISC_LIST_HEAD(server->cachelist)) != NULL) {
+		ISC_LIST_UNLINK(server->cachelist, nsc, link);
+		dns_cache_detach(&nsc->cache);
+		isc_mem_put(server->mctx, nsc, sizeof(*nsc));
+	}
+
+	isc_timer_destroy(&server->interface_timer);
+	isc_timer_destroy(&server->heartbeat_timer);
+	isc_timer_destroy(&server->pps_timer);
+	isc_timer_destroy(&server->tat_timer);
+
+	ns_interfacemgr_detach(&server->interfacemgr);
+
+	dns_dispatchmgr_destroy(&named_g_dispatchmgr);
+
+	dns_zonemgr_shutdown(server->zonemgr);
+
+	if (named_g_sessionkey != NULL) {
+		dns_tsigkey_detach(&named_g_sessionkey);
+		dns_name_free(&named_g_sessionkeyname, server->mctx);
+	}
+#if defined(HAVE_GEOIP2)
+	named_geoip_shutdown();
+#endif /* HAVE_GEOIP2 */
+
+	dns_db_detach(&server->in_roothints);
+
+	isc_task_endexclusive(server->task);
+
+	isc_task_detach(&server->task);
+
+	isc_event_free(&event);
+}
+
+/*%
+ * Find a view that matches the source and destination addresses of a query.
+ */
+static isc_result_t
+get_matching_view(isc_netaddr_t *srcaddr, isc_netaddr_t *destaddr,
+		  dns_message_t *message, dns_aclenv_t *env,
+		  isc_result_t *sigresult, dns_view_t **viewp) {
+	dns_view_t *view;
+
+	REQUIRE(message != NULL);
+	REQUIRE(sigresult != NULL);
+	REQUIRE(viewp != NULL && *viewp == NULL);
+
+	for (view = ISC_LIST_HEAD(named_g_server->viewlist); view != NULL;
+	     view = ISC_LIST_NEXT(view, link))
+	{
+		if (message->rdclass == view->rdclass ||
+		    message->rdclass == dns_rdataclass_any)
+		{
+			const dns_name_t *tsig = NULL;
+
+			*sigresult = dns_message_rechecksig(message, view);
+			if (*sigresult == ISC_R_SUCCESS) {
+				dns_tsigkey_t *tsigkey;
+
+				tsigkey = message->tsigkey;
+				tsig = dns_tsigkey_identity(tsigkey);
+			}
+
+			if (dns_acl_allowed(srcaddr, tsig, view->matchclients,
+					    env) &&
+			    dns_acl_allowed(destaddr, tsig,
+					    view->matchdestinations, env) &&
+			    !(view->matchrecursiveonly &&
+			      (message->flags & DNS_MESSAGEFLAG_RD) == 0))
+			{
+				dns_view_attach(view, viewp);
+				return (ISC_R_SUCCESS);
+			}
+		}
+	}
+
+	return (ISC_R_NOTFOUND);
+}
+
+void
+named_server_create(isc_mem_t *mctx, named_server_t **serverp) {
+	isc_result_t result;
+	named_server_t *server = isc_mem_get(mctx, sizeof(*server));
+
+	*server = (named_server_t){
+		.mctx = mctx,
+		.statsfile = isc_mem_strdup(mctx, "named.stats"),
+		.bindkeysfile = isc_mem_strdup(mctx, named_g_defaultbindkeys),
+		.dumpfile = isc_mem_strdup(mctx, "named_dump.db"),
+		.secrootsfile = isc_mem_strdup(mctx, "named.secroots"),
+		.recfile = isc_mem_strdup(mctx, "named.recursing"),
+	};
+
+#ifdef USE_DNSRPS
+	CHECKFATAL(dns_dnsrps_server_create(), "initializing RPZ service "
+					       "interface");
+#endif /* ifdef USE_DNSRPS */
+
+	/* Initialize server data structures. */
+	ISC_LIST_INIT(server->kasplist);
+	ISC_LIST_INIT(server->viewlist);
+
+	/* Must be first. */
+	CHECKFATAL(dst_lib_init(named_g_mctx, named_g_engine), "initializing "
+							       "DST");
+
+	CHECKFATAL(dns_rootns_create(mctx, dns_rdataclass_in, NULL,
+				     &server->in_roothints),
+		   "setting up root hints");
+
+	isc_mutex_init(&server->reload_event_lock);
+
+	server->reload_event = isc_event_allocate(
+		named_g_mctx, server, NAMED_EVENT_RELOAD, named_server_reload,
+		server, sizeof(isc_event_t));
+	CHECKFATAL(server->reload_event == NULL ? ISC_R_NOMEMORY
+						: ISC_R_SUCCESS,
+		   "allocating reload event");
+	atomic_init(&server->reload_status, NAMED_RELOAD_IN_PROGRESS);
+
+	/*
+	 * Setup the server task, which is responsible for coordinating
+	 * startup and shutdown of the server, as well as all exclusive
+	 * tasks.
+	 */
+	CHECKFATAL(isc_task_create_bound(named_g_taskmgr, 0, &server->task, 0),
+		   "creating server task");
+	isc_task_setname(server->task, "server", server);
+	isc_taskmgr_setexcltask(named_g_taskmgr, server->task);
+
+	CHECKFATAL(ns_server_create(mctx, get_matching_view, &server->sctx),
+		   "creating server context");
+
+#if defined(HAVE_GEOIP2)
+	/*
+	 * GeoIP must be initialized before the interface
+	 * manager (which includes the ACL environment)
+	 * is created.
+	 */
+	named_geoip_init();
+#endif /* HAVE_GEOIP2 */
+
+#ifdef ENABLE_AFL
+	server->sctx->fuzztype = named_g_fuzz_type;
+	server->sctx->fuzznotify = named_fuzz_notify;
+#endif /* ifdef ENABLE_AFL */
+
+	CHECKFATAL(isc_task_onshutdown(server->task, shutdown_server, server),
+		   "isc_task_onshutdown");
+	CHECKFATAL(
+		isc_app_onrun(named_g_mctx, server->task, run_server, server),
+		"isc_app_onrun");
+
+	CHECKFATAL(dns_zonemgr_create(named_g_mctx, named_g_taskmgr,
+				      named_g_timermgr, named_g_socketmgr,
+				      &server->zonemgr),
+		   "dns_zonemgr_create");
+	CHECKFATAL(dns_zonemgr_setsize(server->zonemgr, 1000), "dns_zonemgr_"
+							       "setsize");
+
+	CHECKFATAL(isc_stats_create(server->mctx, &server->sockstats,
+				    isc_sockstatscounter_max),
+		   "isc_stats_create");
+	isc_socketmgr_setstats(named_g_socketmgr, server->sockstats);
+	isc_nm_setstats(named_g_nm, server->sockstats);
+
+	CHECKFATAL(isc_stats_create(named_g_mctx, &server->zonestats,
+				    dns_zonestatscounter_max),
+		   "dns_stats_create (zone)");
+
+	CHECKFATAL(isc_stats_create(named_g_mctx, &server->resolverstats,
+				    dns_resstatscounter_max),
+		   "dns_stats_create (resolver)");
+
+	CHECKFATAL(named_controls_create(server, &server->controls),
+		   "named_controls_create");
+
+	ISC_LIST_INIT(server->dispatches);
+
+	ISC_LIST_INIT(server->statschannels);
+
+	ISC_LIST_INIT(server->cachelist);
+
+	server->magic = NAMED_SERVER_MAGIC;
+	*serverp = server;
+}
+
+void
+named_server_destroy(named_server_t **serverp) {
+	named_server_t *server = *serverp;
+	REQUIRE(NAMED_SERVER_VALID(server));
+
+#ifdef HAVE_DNSTAP
+	if (server->dtenv != NULL) {
+		dns_dt_detach(&server->dtenv);
+	}
+#endif /* HAVE_DNSTAP */
+
+#ifdef USE_DNSRPS
+	dns_dnsrps_server_destroy();
+#endif /* ifdef USE_DNSRPS */
+
+	named_controls_destroy(&server->controls);
+
+	isc_stats_detach(&server->zonestats);
+	isc_stats_detach(&server->sockstats);
+	isc_stats_detach(&server->resolverstats);
+
+	if (server->sctx != NULL) {
+		ns_server_detach(&server->sctx);
+	}
+
+	isc_mem_free(server->mctx, server->statsfile);
+	isc_mem_free(server->mctx, server->bindkeysfile);
+	isc_mem_free(server->mctx, server->dumpfile);
+	isc_mem_free(server->mctx, server->secrootsfile);
+	isc_mem_free(server->mctx, server->recfile);
+
+	if (server->version != NULL) {
+		isc_mem_free(server->mctx, server->version);
+	}
+	if (server->hostname != NULL) {
+		isc_mem_free(server->mctx, server->hostname);
+	}
+	if (server->lockfile != NULL) {
+		isc_mem_free(server->mctx, server->lockfile);
+	}
+
+	if (server->zonemgr != NULL) {
+		dns_zonemgr_detach(&server->zonemgr);
+	}
+
+	dst_lib_destroy();
+
+	isc_event_free(&server->reload_event);
+	isc_mutex_destroy(&server->reload_event_lock);
+
+	INSIST(ISC_LIST_EMPTY(server->kasplist));
+	INSIST(ISC_LIST_EMPTY(server->viewlist));
+	INSIST(ISC_LIST_EMPTY(server->cachelist));
+
+	server->magic = 0;
+	isc_mem_put(server->mctx, server, sizeof(*server));
+	*serverp = NULL;
+}
+
+static void
+fatal(named_server_t *server, const char *msg, isc_result_t result) {
+	if (server != NULL && server->task != NULL) {
+		/*
+		 * Prevent races between the OpenSSL on_exit registered
+		 * function and any other OpenSSL calls from other tasks
+		 * by requesting exclusive access to the task manager.
+		 */
+		(void)isc_task_beginexclusive(server->task);
+	}
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_CRITICAL, "%s: %s", msg,
+		      isc_result_totext(result));
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_CRITICAL,
+		      "exiting (due to fatal error)");
+	named_os_shutdown();
+	exit(1);
+}
+
+static void
+start_reserved_dispatches(named_server_t *server) {
+	REQUIRE(NAMED_SERVER_VALID(server));
+
+	server->dispatchgen++;
+}
+
+static void
+end_reserved_dispatches(named_server_t *server, bool all) {
+	named_dispatch_t *dispatch, *nextdispatch;
+
+	REQUIRE(NAMED_SERVER_VALID(server));
+
+	for (dispatch = ISC_LIST_HEAD(server->dispatches); dispatch != NULL;
+	     dispatch = nextdispatch)
+	{
+		nextdispatch = ISC_LIST_NEXT(dispatch, link);
+		if (!all && server->dispatchgen == dispatch->dispatchgen) {
+			continue;
+		}
+		ISC_LIST_UNLINK(server->dispatches, dispatch, link);
+		dns_dispatch_detach(&dispatch->dispatch);
+		isc_mem_put(server->mctx, dispatch, sizeof(*dispatch));
+	}
+}
+
+void
+named_add_reserved_dispatch(named_server_t *server,
+			    const isc_sockaddr_t *addr) {
+	named_dispatch_t *dispatch;
+	in_port_t port;
+	char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+	isc_result_t result;
+	unsigned int attrs, attrmask;
+
+	REQUIRE(NAMED_SERVER_VALID(server));
+
+	port = isc_sockaddr_getport(addr);
+	if (port == 0 || port >= 1024) {
+		return;
+	}
+
+	for (dispatch = ISC_LIST_HEAD(server->dispatches); dispatch != NULL;
+	     dispatch = ISC_LIST_NEXT(dispatch, link))
+	{
+		if (isc_sockaddr_equal(&dispatch->addr, addr)) {
+			break;
+		}
+	}
+	if (dispatch != NULL) {
+		dispatch->dispatchgen = server->dispatchgen;
+		return;
+	}
+
+	dispatch = isc_mem_get(server->mctx, sizeof(*dispatch));
+
+	dispatch->addr = *addr;
+	dispatch->dispatchgen = server->dispatchgen;
+	dispatch->dispatch = NULL;
+
+	attrs = 0;
+	attrs |= DNS_DISPATCHATTR_UDP;
+	switch (isc_sockaddr_pf(addr)) {
+	case AF_INET:
+		attrs |= DNS_DISPATCHATTR_IPV4;
+		break;
+	case AF_INET6:
+		attrs |= DNS_DISPATCHATTR_IPV6;
+		break;
+	default:
+		result = ISC_R_NOTIMPLEMENTED;
+		goto cleanup;
+	}
+	attrmask = 0;
+	attrmask |= DNS_DISPATCHATTR_UDP;
+	attrmask |= DNS_DISPATCHATTR_TCP;
+	attrmask |= DNS_DISPATCHATTR_IPV4;
+	attrmask |= DNS_DISPATCHATTR_IPV6;
+
+	result = dns_dispatch_getudp(named_g_dispatchmgr, named_g_socketmgr,
+				     named_g_taskmgr, &dispatch->addr, 4096,
+				     UDPBUFFERS, 32768, 16411, 16433, attrs,
+				     attrmask, &dispatch->dispatch);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	ISC_LIST_INITANDPREPEND(server->dispatches, dispatch, link);
+
+	return;
+
+cleanup:
+	isc_mem_put(server->mctx, dispatch, sizeof(*dispatch));
+	isc_sockaddr_format(addr, addrbuf, sizeof(addrbuf));
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING,
+		      "unable to create dispatch for reserved port %s: %s",
+		      addrbuf, isc_result_totext(result));
+}
+
+static isc_result_t
+loadconfig(named_server_t *server) {
+	isc_result_t result;
+	start_reserved_dispatches(server);
+	result = load_configuration(named_g_conffile, server, false);
+	if (result == ISC_R_SUCCESS) {
+		end_reserved_dispatches(server, false);
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+			      "reloading configuration succeeded");
+	} else {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+			      "reloading configuration failed: %s",
+			      isc_result_totext(result));
+		atomic_store(&server->reload_status, NAMED_RELOAD_FAILED);
+	}
+
+	return (result);
+}
+
+static isc_result_t
+reload(named_server_t *server) {
+	isc_result_t result;
+
+	atomic_store(&server->reload_status, NAMED_RELOAD_IN_PROGRESS);
+
+	CHECK(loadconfig(server));
+
+	result = load_zones(server, false, false);
+	if (result == ISC_R_SUCCESS) {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+			      "reloading zones succeeded");
+	} else {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+			      "reloading zones failed: %s",
+			      isc_result_totext(result));
+		atomic_store(&server->reload_status, NAMED_RELOAD_FAILED);
+	}
+cleanup:
+	return (result);
+}
+
+/*
+ * Handle a reload event (from SIGHUP).
+ */
+static void
+named_server_reload(isc_task_t *task, isc_event_t *event) {
+	named_server_t *server = (named_server_t *)event->ev_arg;
+
+	INSIST(task == server->task);
+	UNUSED(task);
+
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+		      "received SIGHUP signal to reload zones");
+	(void)reload(server);
+
+	LOCK(&server->reload_event_lock);
+	INSIST(server->reload_event == NULL);
+	server->reload_event = event;
+	UNLOCK(&server->reload_event_lock);
+}
+
+void
+named_server_reloadwanted(named_server_t *server) {
+	LOCK(&server->reload_event_lock);
+	if (server->reload_event != NULL) {
+		isc_task_send(server->task, &server->reload_event);
+	}
+	UNLOCK(&server->reload_event_lock);
+}
+
+void
+named_server_scan_interfaces(named_server_t *server) {
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_DEBUG(1),
+		      "automatic interface rescan");
+
+	ns_interfacemgr_scan(server->interfacemgr, true);
+}
+
+/*
+ * Get the next token from lexer 'lex'.
+ *
+ * NOTE: the token value for string tokens always uses the same pointer
+ * value.  Multiple calls to this function on the same lexer will always
+ * return either that value (lex->data) or NULL. It is necessary to copy
+ * the token into local storage if it needs to be referenced after the next
+ * call to next_token().
+ */
+static char *
+next_token(isc_lex_t *lex, isc_buffer_t **text) {
+	isc_result_t result;
+	isc_token_t token;
+
+	token.type = isc_tokentype_unknown;
+	result = isc_lex_gettoken(lex, ISC_LEXOPT_EOF | ISC_LEXOPT_QSTRING,
+				  &token);
+
+	switch (result) {
+	case ISC_R_NOMORE:
+		(void)isc_lex_close(lex);
+		break;
+	case ISC_R_SUCCESS:
+		if (token.type == isc_tokentype_eof) {
+			(void)isc_lex_close(lex);
+		}
+		break;
+	case ISC_R_NOSPACE:
+		if (text != NULL) {
+			(void)putstr(text, "token too large");
+			(void)putnull(text);
+		}
+		return (NULL);
+	default:
+		if (text != NULL) {
+			(void)putstr(text, isc_result_totext(result));
+			(void)putnull(text);
+		}
+		return (NULL);
+	}
+
+	if (token.type == isc_tokentype_string ||
+	    token.type == isc_tokentype_qstring)
+	{
+		return (token.value.as_textregion.base);
+	}
+
+	return (NULL);
+}
+
+/*
+ * Find the zone specified in the control channel command, if any.
+ * If a zone is specified, point '*zonep' at it, otherwise
+ * set '*zonep' to NULL, and f 'zonename' is not NULL, copy
+ * the zone name into it (N.B. 'zonename' must have space to hold
+ * a full DNS name).
+ *
+ * If 'zonetxt' is set, the caller has already pulled a token
+ * off the command line that is to be used as the zone name. (This
+ * is sometimes done when it's necessary to check for an optional
+ * argument before the zone name, as in "rndc sync [-clean] zone".)
+ */
+static isc_result_t
+zone_from_args(named_server_t *server, isc_lex_t *lex, const char *zonetxt,
+	       dns_zone_t **zonep, char *zonename, isc_buffer_t **text,
+	       bool skip) {
+	char *ptr;
+	char *classtxt;
+	const char *viewtxt = NULL;
+	dns_fixedname_t fname;
+	dns_name_t *name;
+	isc_result_t result;
+	dns_view_t *view = NULL;
+	dns_rdataclass_t rdclass;
+	char problem[DNS_NAME_FORMATSIZE + 500] = "";
+	char zonebuf[DNS_NAME_FORMATSIZE];
+	bool redirect = false;
+
+	REQUIRE(zonep != NULL && *zonep == NULL);
+
+	if (skip) {
+		/* Skip the command name. */
+		ptr = next_token(lex, text);
+		if (ptr == NULL) {
+			return (ISC_R_UNEXPECTEDEND);
+		}
+	}
+
+	/* Look for the zone name. */
+	if (zonetxt == NULL) {
+		zonetxt = next_token(lex, text);
+	}
+	if (zonetxt == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+
+	/* Copy zonetxt because it'll be overwritten by next_token() */
+	/* To locate a zone named "-redirect" use "-redirect." */
+	if (strcmp(zonetxt, "-redirect") == 0) {
+		redirect = true;
+		strlcpy(zonebuf, ".", DNS_NAME_FORMATSIZE);
+	} else {
+		strlcpy(zonebuf, zonetxt, DNS_NAME_FORMATSIZE);
+	}
+	if (zonename != NULL) {
+		strlcpy(zonename, redirect ? "." : zonetxt,
+			DNS_NAME_FORMATSIZE);
+	}
+
+	name = dns_fixedname_initname(&fname);
+	CHECK(dns_name_fromstring(name, zonebuf, 0, NULL));
+
+	/* Look for the optional class name. */
+	classtxt = next_token(lex, text);
+	if (classtxt != NULL) {
+		isc_textregion_t r;
+		r.base = classtxt;
+		r.length = strlen(classtxt);
+		CHECK(dns_rdataclass_fromtext(&rdclass, &r));
+
+		/* Look for the optional view name. */
+		viewtxt = next_token(lex, text);
+	} else {
+		rdclass = dns_rdataclass_in;
+	}
+
+	if (viewtxt == NULL) {
+		if (redirect) {
+			result = dns_viewlist_find(&server->viewlist,
+						   "_default",
+						   dns_rdataclass_in, &view);
+			if (result != ISC_R_SUCCESS || view->redirect == NULL) {
+				result = ISC_R_NOTFOUND;
+				snprintf(problem, sizeof(problem),
+					 "redirect zone not found in "
+					 "_default view");
+			} else {
+				dns_zone_attach(view->redirect, zonep);
+				result = ISC_R_SUCCESS;
+			}
+		} else {
+			result = dns_viewlist_findzone(&server->viewlist, name,
+						       (classtxt == NULL),
+						       rdclass, zonep);
+			if (result == ISC_R_NOTFOUND) {
+				snprintf(problem, sizeof(problem),
+					 "no matching zone '%s' in any view",
+					 zonebuf);
+			} else if (result == ISC_R_MULTIPLE) {
+				snprintf(problem, sizeof(problem),
+					 "zone '%s' was found in multiple "
+					 "views",
+					 zonebuf);
+			}
+		}
+	} else {
+		result = dns_viewlist_find(&server->viewlist, viewtxt, rdclass,
+					   &view);
+		if (result != ISC_R_SUCCESS) {
+			snprintf(problem, sizeof(problem),
+				 "no matching view '%s'", viewtxt);
+			goto report;
+		}
+
+		if (redirect) {
+			if (view->redirect != NULL) {
+				dns_zone_attach(view->redirect, zonep);
+				result = ISC_R_SUCCESS;
+			} else {
+				result = ISC_R_NOTFOUND;
+			}
+		} else {
+			result = dns_zt_find(view->zonetable, name, 0, NULL,
+					     zonep);
+		}
+		if (result != ISC_R_SUCCESS) {
+			snprintf(problem, sizeof(problem),
+				 "no matching zone '%s' in view '%s'", zonebuf,
+				 viewtxt);
+		}
+	}
+
+	/* Partial match? */
+	if (result != ISC_R_SUCCESS && *zonep != NULL) {
+		dns_zone_detach(zonep);
+	}
+	if (result == DNS_R_PARTIALMATCH) {
+		result = ISC_R_NOTFOUND;
+	}
+report:
+	if (result != ISC_R_SUCCESS) {
+		isc_result_t tresult;
+
+		tresult = putstr(text, problem);
+		if (tresult == ISC_R_SUCCESS) {
+			(void)putnull(text);
+		}
+	}
+
+cleanup:
+	if (view != NULL) {
+		dns_view_detach(&view);
+	}
+
+	return (result);
+}
+
+/*
+ * Act on a "retransfer" command from the command channel.
+ */
+isc_result_t
+named_server_retransfercommand(named_server_t *server, isc_lex_t *lex,
+			       isc_buffer_t **text) {
+	isc_result_t result;
+	dns_zone_t *zone = NULL;
+	dns_zone_t *raw = NULL;
+	dns_zonetype_t type;
+
+	REQUIRE(text != NULL);
+
+	result = zone_from_args(server, lex, NULL, &zone, NULL, text, true);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	if (zone == NULL) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	dns_zone_getraw(zone, &raw);
+	if (raw != NULL) {
+		dns_zone_detach(&zone);
+		dns_zone_attach(raw, &zone);
+		dns_zone_detach(&raw);
+	}
+	type = dns_zone_gettype(zone);
+	if (type == dns_zone_secondary || type == dns_zone_mirror ||
+	    type == dns_zone_stub ||
+	    (type == dns_zone_redirect &&
+	     dns_zone_getredirecttype(zone) == dns_zone_secondary))
+	{
+		dns_zone_forcereload(zone);
+	} else {
+		(void)putstr(text, "retransfer: inappropriate zone type: ");
+		(void)putstr(text, dns_zonetype_name(type));
+		if (type == dns_zone_redirect) {
+			type = dns_zone_getredirecttype(zone);
+			(void)putstr(text, "(");
+			(void)putstr(text, dns_zonetype_name(type));
+			(void)putstr(text, ")");
+		}
+		(void)putnull(text);
+		result = ISC_R_FAILURE;
+	}
+	dns_zone_detach(&zone);
+	return (result);
+}
+
+/*
+ * Act on a "reload" command from the command channel.
+ */
+isc_result_t
+named_server_reloadcommand(named_server_t *server, isc_lex_t *lex,
+			   isc_buffer_t **text) {
+	isc_result_t result;
+	dns_zone_t *zone = NULL;
+	dns_zonetype_t type;
+	const char *msg = NULL;
+
+	REQUIRE(text != NULL);
+
+	result = zone_from_args(server, lex, NULL, &zone, NULL, text, true);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	if (zone == NULL) {
+		result = reload(server);
+		if (result == ISC_R_SUCCESS) {
+			msg = "server reload successful";
+		}
+	} else {
+		type = dns_zone_gettype(zone);
+		if (type == dns_zone_secondary || type == dns_zone_mirror ||
+		    type == dns_zone_stub)
+		{
+			dns_zone_refresh(zone);
+			dns_zone_detach(&zone);
+			msg = "zone refresh queued";
+		} else {
+			result = dns_zone_load(zone, false);
+			dns_zone_detach(&zone);
+			switch (result) {
+			case ISC_R_SUCCESS:
+				msg = "zone reload successful";
+				break;
+			case DNS_R_CONTINUE:
+				msg = "zone reload queued";
+				result = ISC_R_SUCCESS;
+				break;
+			case DNS_R_UPTODATE:
+				msg = "zone reload up-to-date";
+				result = ISC_R_SUCCESS;
+				break;
+			default:
+				/* failure message will be generated by rndc */
+				break;
+			}
+		}
+	}
+	if (msg != NULL) {
+		(void)putstr(text, msg);
+		(void)putnull(text);
+	}
+	return (result);
+}
+
+/*
+ * Act on a "reconfig" command from the command channel.
+ */
+isc_result_t
+named_server_reconfigcommand(named_server_t *server) {
+	isc_result_t result;
+	atomic_store(&server->reload_status, NAMED_RELOAD_IN_PROGRESS);
+
+	CHECK(loadconfig(server));
+
+	result = load_zones(server, false, true);
+	if (result == ISC_R_SUCCESS) {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+			      "scheduled loading new zones");
+	} else {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+			      "loading new zones failed: %s",
+			      isc_result_totext(result));
+		atomic_store(&server->reload_status, NAMED_RELOAD_FAILED);
+	}
+cleanup:
+	return (result);
+}
+
+/*
+ * Act on a "notify" command from the command channel.
+ */
+isc_result_t
+named_server_notifycommand(named_server_t *server, isc_lex_t *lex,
+			   isc_buffer_t **text) {
+	isc_result_t result;
+	dns_zone_t *zone = NULL;
+	const char msg[] = "zone notify queued";
+
+	REQUIRE(text != NULL);
+
+	result = zone_from_args(server, lex, NULL, &zone, NULL, text, true);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	if (zone == NULL) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	dns_zone_notify(zone);
+	dns_zone_detach(&zone);
+	(void)putstr(text, msg);
+	(void)putnull(text);
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Act on a "refresh" command from the command channel.
+ */
+isc_result_t
+named_server_refreshcommand(named_server_t *server, isc_lex_t *lex,
+			    isc_buffer_t **text) {
+	isc_result_t result;
+	dns_zone_t *zone = NULL, *raw = NULL;
+	const char msg1[] = "zone refresh queued";
+	const char msg2[] = "not a slave, mirror, or stub zone";
+	dns_zonetype_t type;
+
+	REQUIRE(text != NULL);
+
+	result = zone_from_args(server, lex, NULL, &zone, NULL, text, true);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	if (zone == NULL) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	dns_zone_getraw(zone, &raw);
+	if (raw != NULL) {
+		dns_zone_detach(&zone);
+		dns_zone_attach(raw, &zone);
+		dns_zone_detach(&raw);
+	}
+
+	type = dns_zone_gettype(zone);
+	if (type == dns_zone_secondary || type == dns_zone_mirror ||
+	    type == dns_zone_stub)
+	{
+		dns_zone_refresh(zone);
+		dns_zone_detach(&zone);
+		(void)putstr(text, msg1);
+		(void)putnull(text);
+		return (ISC_R_SUCCESS);
+	}
+
+	dns_zone_detach(&zone);
+	(void)putstr(text, msg2);
+	(void)putnull(text);
+	return (ISC_R_FAILURE);
+}
+
+isc_result_t
+named_server_togglequerylog(named_server_t *server, isc_lex_t *lex) {
+	bool prev, value;
+	char *ptr;
+
+	/* Skip the command name. */
+	ptr = next_token(lex, NULL);
+	if (ptr == NULL) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	prev = ns_server_getoption(server->sctx, NS_SERVER_LOGQUERIES);
+
+	ptr = next_token(lex, NULL);
+	if (ptr == NULL) {
+		value = !prev;
+	} else if (!strcasecmp(ptr, "on") || !strcasecmp(ptr, "yes") ||
+		   !strcasecmp(ptr, "enable") || !strcasecmp(ptr, "true"))
+	{
+		value = true;
+	} else if (!strcasecmp(ptr, "off") || !strcasecmp(ptr, "no") ||
+		   !strcasecmp(ptr, "disable") || !strcasecmp(ptr, "false"))
+	{
+		value = false;
+	} else {
+		return (DNS_R_SYNTAX);
+	}
+
+	if (value == prev) {
+		return (ISC_R_SUCCESS);
+	}
+
+	ns_server_setoption(server->sctx, NS_SERVER_LOGQUERIES, value);
+
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+		      "query logging is now %s", value ? "on" : "off");
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+ns_listenlist_fromconfig(const cfg_obj_t *listenlist, const cfg_obj_t *config,
+			 cfg_aclconfctx_t *actx, isc_mem_t *mctx,
+			 uint16_t family, ns_listenlist_t **target) {
+	isc_result_t result;
+	const cfg_listelt_t *element;
+	ns_listenlist_t *dlist = NULL;
+
+	REQUIRE(target != NULL && *target == NULL);
+
+	result = ns_listenlist_create(mctx, &dlist);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	for (element = cfg_list_first(listenlist); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		ns_listenelt_t *delt = NULL;
+		const cfg_obj_t *listener = cfg_listelt_value(element);
+		result = ns_listenelt_fromconfig(listener, config, actx, mctx,
+						 family, &delt);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+		ISC_LIST_APPEND(dlist->elts, delt, link);
+	}
+	*target = dlist;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	ns_listenlist_detach(&dlist);
+	return (result);
+}
+
+/*
+ * Create a listen list from the corresponding configuration
+ * data structure.
+ */
+static isc_result_t
+ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
+			cfg_aclconfctx_t *actx, isc_mem_t *mctx,
+			uint16_t family, ns_listenelt_t **target) {
+	isc_result_t result;
+	const cfg_obj_t *portobj, *dscpobj;
+	in_port_t port;
+	isc_dscp_t dscp = -1;
+	ns_listenelt_t *delt = NULL;
+	REQUIRE(target != NULL && *target == NULL);
+
+	portobj = cfg_tuple_get(listener, "port");
+	if (!cfg_obj_isuint32(portobj)) {
+		if (named_g_port != 0) {
+			port = named_g_port;
+		} else {
+			result = named_config_getport(config, &port);
+			if (result != ISC_R_SUCCESS) {
+				return (result);
+			}
+		}
+	} else {
+		if (cfg_obj_asuint32(portobj) >= UINT16_MAX) {
+			cfg_obj_log(portobj, named_g_lctx, ISC_LOG_ERROR,
+				    "port value '%u' is out of range",
+				    cfg_obj_asuint32(portobj));
+			return (ISC_R_RANGE);
+		}
+		port = (in_port_t)cfg_obj_asuint32(portobj);
+	}
+
+	dscpobj = cfg_tuple_get(listener, "dscp");
+	if (!cfg_obj_isuint32(dscpobj)) {
+		dscp = named_g_dscp;
+	} else {
+		if (cfg_obj_asuint32(dscpobj) > 63) {
+			cfg_obj_log(dscpobj, named_g_lctx, ISC_LOG_ERROR,
+				    "dscp value '%u' is out of range",
+				    cfg_obj_asuint32(dscpobj));
+			return (ISC_R_RANGE);
+		}
+		dscp = (isc_dscp_t)cfg_obj_asuint32(dscpobj);
+	}
+
+	result = ns_listenelt_create(mctx, port, dscp, NULL, &delt);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = cfg_acl_fromconfig2(cfg_tuple_get(listener, "acl"), config,
+				     named_g_lctx, actx, mctx, 0, family,
+				     &delt->acl);
+	if (result != ISC_R_SUCCESS) {
+		ns_listenelt_destroy(delt);
+		return (result);
+	}
+	*target = delt;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+named_server_dumpstats(named_server_t *server) {
+	isc_result_t result;
+	FILE *fp = NULL;
+
+	CHECKMF(isc_stdio_open(server->statsfile, "a", &fp),
+		"could not open statistics dump file", server->statsfile);
+
+	result = named_stats_dump(server, fp);
+
+cleanup:
+	if (fp != NULL) {
+		(void)isc_stdio_close(fp);
+	}
+	if (result == ISC_R_SUCCESS) {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+			      "dumpstats complete");
+	} else {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+			      "dumpstats failed: %s",
+			      dns_result_totext(result));
+	}
+	return (result);
+}
+
+static isc_result_t
+add_zone_tolist(dns_zone_t *zone, void *uap) {
+	struct dumpcontext *dctx = uap;
+	struct zonelistentry *zle;
+
+	zle = isc_mem_get(dctx->mctx, sizeof *zle);
+	zle->zone = NULL;
+	dns_zone_attach(zone, &zle->zone);
+	ISC_LINK_INIT(zle, link);
+	ISC_LIST_APPEND(ISC_LIST_TAIL(dctx->viewlist)->zonelist, zle, link);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+add_view_tolist(struct dumpcontext *dctx, dns_view_t *view) {
+	struct viewlistentry *vle;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	/*
+	 * Prevent duplicate views.
+	 */
+	for (vle = ISC_LIST_HEAD(dctx->viewlist); vle != NULL;
+	     vle = ISC_LIST_NEXT(vle, link))
+	{
+		if (vle->view == view) {
+			return (ISC_R_SUCCESS);
+		}
+	}
+
+	vle = isc_mem_get(dctx->mctx, sizeof *vle);
+	vle->view = NULL;
+	dns_view_attach(view, &vle->view);
+	ISC_LINK_INIT(vle, link);
+	ISC_LIST_INIT(vle->zonelist);
+	ISC_LIST_APPEND(dctx->viewlist, vle, link);
+	if (dctx->dumpzones) {
+		result = dns_zt_apply(view->zonetable, isc_rwlocktype_read,
+				      true, NULL, add_zone_tolist, dctx);
+	}
+	return (result);
+}
+
+static void
+dumpcontext_destroy(struct dumpcontext *dctx) {
+	struct viewlistentry *vle;
+	struct zonelistentry *zle;
+
+	vle = ISC_LIST_HEAD(dctx->viewlist);
+	while (vle != NULL) {
+		ISC_LIST_UNLINK(dctx->viewlist, vle, link);
+		zle = ISC_LIST_HEAD(vle->zonelist);
+		while (zle != NULL) {
+			ISC_LIST_UNLINK(vle->zonelist, zle, link);
+			dns_zone_detach(&zle->zone);
+			isc_mem_put(dctx->mctx, zle, sizeof *zle);
+			zle = ISC_LIST_HEAD(vle->zonelist);
+		}
+		dns_view_detach(&vle->view);
+		isc_mem_put(dctx->mctx, vle, sizeof *vle);
+		vle = ISC_LIST_HEAD(dctx->viewlist);
+	}
+	if (dctx->version != NULL) {
+		dns_db_closeversion(dctx->db, &dctx->version, false);
+	}
+	if (dctx->db != NULL) {
+		dns_db_detach(&dctx->db);
+	}
+	if (dctx->cache != NULL) {
+		dns_db_detach(&dctx->cache);
+	}
+	if (dctx->task != NULL) {
+		isc_task_detach(&dctx->task);
+	}
+	if (dctx->fp != NULL) {
+		(void)isc_stdio_close(dctx->fp);
+	}
+	if (dctx->mdctx != NULL) {
+		dns_dumpctx_detach(&dctx->mdctx);
+	}
+	isc_mem_put(dctx->mctx, dctx, sizeof *dctx);
+}
+
+static void
+dumpdone(void *arg, isc_result_t result) {
+	struct dumpcontext *dctx = arg;
+	char buf[1024 + 32];
+	const dns_master_style_t *style;
+
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	if (dctx->mdctx != NULL) {
+		dns_dumpctx_detach(&dctx->mdctx);
+	}
+	if (dctx->view == NULL) {
+		dctx->view = ISC_LIST_HEAD(dctx->viewlist);
+		if (dctx->view == NULL) {
+			goto done;
+		}
+		INSIST(dctx->zone == NULL);
+	} else {
+		goto resume;
+	}
+nextview:
+	fprintf(dctx->fp, ";\n; Start view %s\n;\n", dctx->view->view->name);
+resume:
+	if (dctx->dumpcache && dns_view_iscacheshared(dctx->view->view)) {
+		fprintf(dctx->fp, ";\n; Cache of view '%s' is shared as '%s'\n",
+			dctx->view->view->name,
+			dns_cache_getname(dctx->view->view->cache));
+	} else if (dctx->zone == NULL && dctx->cache == NULL && dctx->dumpcache)
+	{
+		if (dctx->dumpexpired) {
+			style = &dns_master_style_cache_with_expired;
+		} else {
+			style = &dns_master_style_cache;
+		}
+		/* start cache dump */
+		if (dctx->view->view->cachedb != NULL) {
+			dns_db_attach(dctx->view->view->cachedb, &dctx->cache);
+		}
+		if (dctx->cache != NULL) {
+			fprintf(dctx->fp,
+				";\n; Cache dump of view '%s' (cache %s)\n;\n",
+				dctx->view->view->name,
+				dns_cache_getname(dctx->view->view->cache));
+			result = dns_master_dumptostreamasync(
+				dctx->mctx, dctx->cache, NULL, style, dctx->fp,
+				dctx->task, dumpdone, dctx, &dctx->mdctx);
+			if (result == DNS_R_CONTINUE) {
+				return;
+			}
+			if (result == ISC_R_NOTIMPLEMENTED) {
+				fprintf(dctx->fp, "; %s\n",
+					dns_result_totext(result));
+			} else if (result != ISC_R_SUCCESS) {
+				goto cleanup;
+			}
+		}
+	}
+
+	if ((dctx->dumpadb || dctx->dumpbad || dctx->dumpfail) &&
+	    dctx->cache == NULL && dctx->view->view->cachedb != NULL)
+	{
+		dns_db_attach(dctx->view->view->cachedb, &dctx->cache);
+	}
+
+	if (dctx->cache != NULL) {
+		if (dctx->dumpadb) {
+			dns_adb_dump(dctx->view->view->adb, dctx->fp);
+		}
+		if (dctx->dumpbad) {
+			dns_resolver_printbadcache(dctx->view->view->resolver,
+						   dctx->fp);
+		}
+		if (dctx->dumpfail) {
+			dns_badcache_print(dctx->view->view->failcache,
+					   "SERVFAIL cache", dctx->fp);
+		}
+		dns_db_detach(&dctx->cache);
+	}
+	if (dctx->dumpzones) {
+		style = &dns_master_style_full;
+	nextzone:
+		if (dctx->version != NULL) {
+			dns_db_closeversion(dctx->db, &dctx->version, false);
+		}
+		if (dctx->db != NULL) {
+			dns_db_detach(&dctx->db);
+		}
+		if (dctx->zone == NULL) {
+			dctx->zone = ISC_LIST_HEAD(dctx->view->zonelist);
+		} else {
+			dctx->zone = ISC_LIST_NEXT(dctx->zone, link);
+		}
+		if (dctx->zone != NULL) {
+			/* start zone dump */
+			dns_zone_name(dctx->zone->zone, buf, sizeof(buf));
+			fprintf(dctx->fp, ";\n; Zone dump of '%s'\n;\n", buf);
+			result = dns_zone_getdb(dctx->zone->zone, &dctx->db);
+			if (result != ISC_R_SUCCESS) {
+				fprintf(dctx->fp, "; %s\n",
+					dns_result_totext(result));
+				goto nextzone;
+			}
+			dns_db_currentversion(dctx->db, &dctx->version);
+			result = dns_master_dumptostreamasync(
+				dctx->mctx, dctx->db, dctx->version, style,
+				dctx->fp, dctx->task, dumpdone, dctx,
+				&dctx->mdctx);
+			if (result == DNS_R_CONTINUE) {
+				return;
+			}
+			if (result == ISC_R_NOTIMPLEMENTED) {
+				fprintf(dctx->fp, "; %s\n",
+					dns_result_totext(result));
+				result = ISC_R_SUCCESS;
+				POST(result);
+				goto nextzone;
+			}
+			if (result != ISC_R_SUCCESS) {
+				goto cleanup;
+			}
+		}
+	}
+	if (dctx->view != NULL) {
+		dctx->view = ISC_LIST_NEXT(dctx->view, link);
+		if (dctx->view != NULL) {
+			goto nextview;
+		}
+	}
+done:
+	fprintf(dctx->fp, "; Dump complete\n");
+	result = isc_stdio_flush(dctx->fp);
+	if (result == ISC_R_SUCCESS) {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+			      "dumpdb complete");
+	}
+cleanup:
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+			      "dumpdb failed: %s", dns_result_totext(result));
+	}
+	dumpcontext_destroy(dctx);
+}
+
+isc_result_t
+named_server_dumpdb(named_server_t *server, isc_lex_t *lex,
+		    isc_buffer_t **text) {
+	struct dumpcontext *dctx = NULL;
+	dns_view_t *view;
+	isc_result_t result;
+	char *ptr;
+	const char *sep;
+	bool found;
+
+	REQUIRE(text != NULL);
+
+	/* Skip the command name. */
+	ptr = next_token(lex, NULL);
+	if (ptr == NULL) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	dctx = isc_mem_get(server->mctx, sizeof(*dctx));
+
+	dctx->mctx = server->mctx;
+	dctx->dumpcache = true;
+	dctx->dumpadb = true;
+	dctx->dumpbad = true;
+	dctx->dumpexpired = false;
+	dctx->dumpfail = true;
+	dctx->dumpzones = false;
+	dctx->fp = NULL;
+	ISC_LIST_INIT(dctx->viewlist);
+	dctx->view = NULL;
+	dctx->zone = NULL;
+	dctx->cache = NULL;
+	dctx->mdctx = NULL;
+	dctx->db = NULL;
+	dctx->cache = NULL;
+	dctx->task = NULL;
+	dctx->version = NULL;
+	isc_task_attach(server->task, &dctx->task);
+
+	CHECKMF(isc_stdio_open(server->dumpfile, "w", &dctx->fp),
+		"could not open dump file", server->dumpfile);
+
+	ptr = next_token(lex, NULL);
+	sep = (ptr == NULL) ? "" : ": ";
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+		      "dumpdb started%s%s", sep, (ptr != NULL) ? ptr : "");
+
+	if (ptr != NULL && strcmp(ptr, "-all") == 0) {
+		/* also dump zones */
+		dctx->dumpzones = true;
+		ptr = next_token(lex, NULL);
+	} else if (ptr != NULL && strcmp(ptr, "-cache") == 0) {
+		/* this is the default */
+		ptr = next_token(lex, NULL);
+	} else if (ptr != NULL && strcmp(ptr, "-expired") == 0) {
+		/* this is the same as -cache but includes expired data */
+		dctx->dumpexpired = true;
+		ptr = next_token(lex, NULL);
+	} else if (ptr != NULL && strcmp(ptr, "-zones") == 0) {
+		/* only dump zones, suppress caches */
+		dctx->dumpadb = false;
+		dctx->dumpbad = false;
+		dctx->dumpcache = false;
+		dctx->dumpfail = false;
+		dctx->dumpzones = true;
+		ptr = next_token(lex, NULL);
+	} else if (ptr != NULL && strcmp(ptr, "-adb") == 0) {
+		/* only dump adb, suppress other caches */
+		dctx->dumpbad = false;
+		dctx->dumpcache = false;
+		dctx->dumpfail = false;
+		ptr = next_token(lex, NULL);
+	} else if (ptr != NULL && strcmp(ptr, "-bad") == 0) {
+		/* only dump badcache, suppress other caches */
+		dctx->dumpadb = false;
+		dctx->dumpcache = false;
+		dctx->dumpfail = false;
+		ptr = next_token(lex, NULL);
+	} else if (ptr != NULL && strcmp(ptr, "-fail") == 0) {
+		/* only dump servfail cache, suppress other caches */
+		dctx->dumpadb = false;
+		dctx->dumpbad = false;
+		dctx->dumpcache = false;
+		ptr = next_token(lex, NULL);
+	}
+
+nextview:
+	found = false;
+	for (view = ISC_LIST_HEAD(server->viewlist); view != NULL;
+	     view = ISC_LIST_NEXT(view, link))
+	{
+		if (ptr != NULL && strcmp(view->name, ptr) != 0) {
+			continue;
+		}
+		found = true;
+		CHECK(add_view_tolist(dctx, view));
+	}
+	if (ptr != NULL) {
+		if (!found) {
+			CHECK(putstr(text, "view '"));
+			CHECK(putstr(text, ptr));
+			CHECK(putstr(text, "' not found"));
+			CHECK(putnull(text));
+			result = ISC_R_NOTFOUND;
+			dumpdone(dctx, result);
+			return (result);
+		}
+		ptr = next_token(lex, NULL);
+		if (ptr != NULL) {
+			goto nextview;
+		}
+	}
+	dumpdone(dctx, ISC_R_SUCCESS);
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	dumpcontext_destroy(dctx);
+	return (result);
+}
+
+isc_result_t
+named_server_dumpsecroots(named_server_t *server, isc_lex_t *lex,
+			  isc_buffer_t **text) {
+	dns_view_t *view;
+	dns_keytable_t *secroots = NULL;
+	dns_ntatable_t *ntatable = NULL;
+	isc_result_t result;
+	char *ptr;
+	FILE *fp = NULL;
+	isc_time_t now;
+	char tbuf[64];
+	unsigned int used = isc_buffer_usedlength(*text);
+	bool first = true;
+
+	REQUIRE(text != NULL);
+
+	/* Skip the command name. */
+	ptr = next_token(lex, text);
+	if (ptr == NULL) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	/* "-" here means print the output instead of dumping to file */
+	ptr = next_token(lex, text);
+	if (ptr != NULL && strcmp(ptr, "-") == 0) {
+		ptr = next_token(lex, text);
+	} else {
+		result = isc_stdio_open(server->secrootsfile, "w", &fp);
+		if (result != ISC_R_SUCCESS) {
+			(void)putstr(text, "could not open ");
+			(void)putstr(text, server->secrootsfile);
+			CHECKMF(result, "could not open secroots dump file",
+				server->secrootsfile);
+		}
+	}
+
+	TIME_NOW(&now);
+	isc_time_formattimestamp(&now, tbuf, sizeof(tbuf));
+	CHECK(putstr(text, "secure roots as of "));
+	CHECK(putstr(text, tbuf));
+	CHECK(putstr(text, ":\n"));
+	used = isc_buffer_usedlength(*text);
+
+	do {
+		for (view = ISC_LIST_HEAD(server->viewlist); view != NULL;
+		     view = ISC_LIST_NEXT(view, link))
+		{
+			if (ptr != NULL && strcmp(view->name, ptr) != 0) {
+				continue;
+			}
+			if (secroots != NULL) {
+				dns_keytable_detach(&secroots);
+			}
+			result = dns_view_getsecroots(view, &secroots);
+			if (result == ISC_R_NOTFOUND) {
+				result = ISC_R_SUCCESS;
+				continue;
+			}
+			if (first || used != isc_buffer_usedlength(*text)) {
+				CHECK(putstr(text, "\n"));
+				first = false;
+			}
+			CHECK(putstr(text, " Start view "));
+			CHECK(putstr(text, view->name));
+			CHECK(putstr(text, "\n   Secure roots:\n\n"));
+			used = isc_buffer_usedlength(*text);
+			CHECK(dns_keytable_totext(secroots, text));
+
+			if (ntatable != NULL) {
+				dns_ntatable_detach(&ntatable);
+			}
+			result = dns_view_getntatable(view, &ntatable);
+			if (result == ISC_R_NOTFOUND) {
+				result = ISC_R_SUCCESS;
+				continue;
+			}
+			if (used != isc_buffer_usedlength(*text)) {
+				CHECK(putstr(text, "\n"));
+			}
+			CHECK(putstr(text, "   Negative trust anchors:\n\n"));
+			used = isc_buffer_usedlength(*text);
+			CHECK(dns_ntatable_totext(ntatable, NULL, text));
+		}
+
+		if (ptr != NULL) {
+			ptr = next_token(lex, text);
+		}
+	} while (ptr != NULL);
+
+cleanup:
+	if (secroots != NULL) {
+		dns_keytable_detach(&secroots);
+	}
+	if (ntatable != NULL) {
+		dns_ntatable_detach(&ntatable);
+	}
+
+	if (fp != NULL) {
+		if (used != isc_buffer_usedlength(*text)) {
+			(void)putstr(text, "\n");
+		}
+		fprintf(fp, "%.*s", (int)isc_buffer_usedlength(*text),
+			(char *)isc_buffer_base(*text));
+		isc_buffer_clear(*text);
+		(void)isc_stdio_close(fp);
+	} else if (isc_buffer_usedlength(*text) > 0) {
+		(void)putnull(text);
+	}
+
+	if (result == ISC_R_SUCCESS) {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+			      "dumpsecroots complete");
+	} else {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+			      "dumpsecroots failed: %s",
+			      dns_result_totext(result));
+	}
+	return (result);
+}
+
+isc_result_t
+named_server_dumprecursing(named_server_t *server) {
+	FILE *fp = NULL;
+	dns_view_t *view;
+	isc_result_t result;
+
+	CHECKMF(isc_stdio_open(server->recfile, "w", &fp),
+		"could not open dump file", server->recfile);
+	fprintf(fp, ";\n; Recursing Queries\n;\n");
+	ns_interfacemgr_dumprecursing(fp, server->interfacemgr);
+
+	for (view = ISC_LIST_HEAD(server->viewlist); view != NULL;
+	     view = ISC_LIST_NEXT(view, link))
+	{
+		fprintf(fp, ";\n; Active fetch domains [view: %s]\n;\n",
+			view->name);
+		dns_resolver_dumpfetches(view->resolver, isc_statsformat_file,
+					 fp);
+	}
+
+	fprintf(fp, "; Dump complete\n");
+
+cleanup:
+	if (fp != NULL) {
+		result = isc_stdio_close(fp);
+	}
+	if (result == ISC_R_SUCCESS) {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+			      "dumprecursing complete");
+	} else {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+			      "dumprecursing failed: %s",
+			      dns_result_totext(result));
+	}
+	return (result);
+}
+
+isc_result_t
+named_server_setdebuglevel(named_server_t *server, isc_lex_t *lex) {
+	char *ptr;
+	char *endp;
+	long newlevel;
+
+	UNUSED(server);
+
+	/* Skip the command name. */
+	ptr = next_token(lex, NULL);
+	if (ptr == NULL) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	/* Look for the new level name. */
+	ptr = next_token(lex, NULL);
+	if (ptr == NULL) {
+		if (named_g_debuglevel < 99) {
+			named_g_debuglevel++;
+		}
+	} else {
+		newlevel = strtol(ptr, &endp, 10);
+		if (*endp != '\0' || newlevel < 0 || newlevel > 99) {
+			return (ISC_R_RANGE);
+		}
+		named_g_debuglevel = (unsigned int)newlevel;
+	}
+	isc_log_setdebuglevel(named_g_lctx, named_g_debuglevel);
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+		      "debug level is now %u", named_g_debuglevel);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+named_server_validation(named_server_t *server, isc_lex_t *lex,
+			isc_buffer_t **text) {
+	char *ptr;
+	dns_view_t *view;
+	bool changed = false;
+	isc_result_t result;
+	bool enable = true, set = true, first = true;
+
+	REQUIRE(text != NULL);
+
+	/* Skip the command name. */
+	ptr = next_token(lex, text);
+	if (ptr == NULL) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	/* Find out what we are to do. */
+	ptr = next_token(lex, text);
+	if (ptr == NULL) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	if (!strcasecmp(ptr, "on") || !strcasecmp(ptr, "yes") ||
+	    !strcasecmp(ptr, "enable") || !strcasecmp(ptr, "true"))
+	{
+		enable = true;
+	} else if (!strcasecmp(ptr, "off") || !strcasecmp(ptr, "no") ||
+		   !strcasecmp(ptr, "disable") || !strcasecmp(ptr, "false"))
+	{
+		enable = false;
+	} else if (!strcasecmp(ptr, "check") || !strcasecmp(ptr, "status")) {
+		set = false;
+	} else {
+		return (DNS_R_SYNTAX);
+	}
+
+	/* Look for the view name. */
+	ptr = next_token(lex, text);
+
+	result = isc_task_beginexclusive(server->task);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	for (view = ISC_LIST_HEAD(server->viewlist); view != NULL;
+	     view = ISC_LIST_NEXT(view, link))
+	{
+		if ((ptr != NULL && strcasecmp(ptr, view->name) != 0) ||
+		    strcasecmp("_bind", view->name) == 0)
+		{
+			continue;
+		}
+
+		if (set) {
+			CHECK(dns_view_flushcache(view, false));
+			view->enablevalidation = enable;
+			changed = true;
+		} else {
+			if (!first) {
+				CHECK(putstr(text, "\n"));
+			}
+			CHECK(putstr(text, "DNSSEC validation is "));
+			CHECK(putstr(text, view->enablevalidation
+						   ? "enabled"
+						   : "disabled"));
+			CHECK(putstr(text, " (view "));
+			CHECK(putstr(text, view->name));
+			CHECK(putstr(text, ")"));
+			first = false;
+		}
+	}
+	CHECK(putnull(text));
+
+	if (!set) {
+		result = ISC_R_SUCCESS;
+	} else if (changed) {
+		result = ISC_R_SUCCESS;
+	} else {
+		result = ISC_R_FAILURE;
+	}
+cleanup:
+	isc_task_endexclusive(server->task);
+	return (result);
+}
+
+isc_result_t
+named_server_flushcache(named_server_t *server, isc_lex_t *lex) {
+	char *ptr;
+	dns_view_t *view;
+	bool flushed;
+	bool found;
+	isc_result_t result;
+	named_cache_t *nsc;
+
+	/* Skip the command name. */
+	ptr = next_token(lex, NULL);
+	if (ptr == NULL) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	/* Look for the view name. */
+	ptr = next_token(lex, NULL);
+
+	result = isc_task_beginexclusive(server->task);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	flushed = true;
+	found = false;
+
+	/*
+	 * Flushing a cache is tricky when caches are shared by multiple views.
+	 * We first identify which caches should be flushed in the local cache
+	 * list, flush these caches, and then update other views that refer to
+	 * the flushed cache DB.
+	 */
+	if (ptr != NULL) {
+		/*
+		 * Mark caches that need to be flushed.  This is an O(#view^2)
+		 * operation in the very worst case, but should be normally
+		 * much more lightweight because only a few (most typically just
+		 * one) views will match.
+		 */
+		for (view = ISC_LIST_HEAD(server->viewlist); view != NULL;
+		     view = ISC_LIST_NEXT(view, link))
+		{
+			if (strcasecmp(ptr, view->name) != 0) {
+				continue;
+			}
+			found = true;
+			for (nsc = ISC_LIST_HEAD(server->cachelist);
+			     nsc != NULL; nsc = ISC_LIST_NEXT(nsc, link))
+			{
+				if (nsc->cache == view->cache) {
+					break;
+				}
+			}
+			INSIST(nsc != NULL);
+			nsc->needflush = true;
+		}
+	} else {
+		found = true;
+	}
+
+	/* Perform flush */
+	for (nsc = ISC_LIST_HEAD(server->cachelist); nsc != NULL;
+	     nsc = ISC_LIST_NEXT(nsc, link))
+	{
+		if (ptr != NULL && !nsc->needflush) {
+			continue;
+		}
+		nsc->needflush = true;
+		result = dns_view_flushcache(nsc->primaryview, false);
+		if (result != ISC_R_SUCCESS) {
+			flushed = false;
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "flushing cache in view '%s' failed: %s",
+				      nsc->primaryview->name,
+				      isc_result_totext(result));
+		}
+	}
+
+	/*
+	 * Fix up views that share a flushed cache: let the views update the
+	 * cache DB they're referring to.  This could also be an expensive
+	 * operation, but should typically be marginal: the inner loop is only
+	 * necessary for views that share a cache, and if there are many such
+	 * views the number of shared cache should normally be small.
+	 * A worst case is that we have n views and n/2 caches, each shared by
+	 * two views.  Then this will be a O(n^2/4) operation.
+	 */
+	for (view = ISC_LIST_HEAD(server->viewlist); view != NULL;
+	     view = ISC_LIST_NEXT(view, link))
+	{
+		if (!dns_view_iscacheshared(view)) {
+			continue;
+		}
+		for (nsc = ISC_LIST_HEAD(server->cachelist); nsc != NULL;
+		     nsc = ISC_LIST_NEXT(nsc, link))
+		{
+			if (!nsc->needflush || nsc->cache != view->cache) {
+				continue;
+			}
+			result = dns_view_flushcache(view, true);
+			if (result != ISC_R_SUCCESS) {
+				flushed = false;
+				isc_log_write(
+					named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+					NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+					"fixing cache in view '%s' "
+					"failed: %s",
+					view->name, isc_result_totext(result));
+			}
+		}
+	}
+
+	/* Cleanup the cache list. */
+	for (nsc = ISC_LIST_HEAD(server->cachelist); nsc != NULL;
+	     nsc = ISC_LIST_NEXT(nsc, link))
+	{
+		nsc->needflush = false;
+	}
+
+	if (flushed && found) {
+		if (ptr != NULL) {
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+				      "flushing cache in view '%s' succeeded",
+				      ptr);
+		} else {
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+				      "flushing caches in all views succeeded");
+		}
+		result = ISC_R_SUCCESS;
+	} else {
+		if (!found) {
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "flushing cache in view '%s' failed: "
+				      "view not found",
+				      ptr);
+			result = ISC_R_NOTFOUND;
+		} else {
+			result = ISC_R_FAILURE;
+		}
+	}
+	isc_task_endexclusive(server->task);
+	return (result);
+}
+
+isc_result_t
+named_server_flushnode(named_server_t *server, isc_lex_t *lex, bool tree) {
+	char *ptr, *viewname;
+	char target[DNS_NAME_FORMATSIZE];
+	dns_view_t *view;
+	bool flushed;
+	bool found;
+	isc_result_t result;
+	isc_buffer_t b;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+
+	/* Skip the command name. */
+	ptr = next_token(lex, NULL);
+	if (ptr == NULL) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	/* Find the domain name to flush. */
+	ptr = next_token(lex, NULL);
+	if (ptr == NULL) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	strlcpy(target, ptr, DNS_NAME_FORMATSIZE);
+	isc_buffer_constinit(&b, target, strlen(target));
+	isc_buffer_add(&b, strlen(target));
+	name = dns_fixedname_initname(&fixed);
+	result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	/* Look for the view name. */
+	viewname = next_token(lex, NULL);
+
+	result = isc_task_beginexclusive(server->task);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	flushed = true;
+	found = false;
+	for (view = ISC_LIST_HEAD(server->viewlist); view != NULL;
+	     view = ISC_LIST_NEXT(view, link))
+	{
+		if (viewname != NULL && strcasecmp(viewname, view->name) != 0) {
+			continue;
+		}
+		found = true;
+		/*
+		 * It's a little inefficient to try flushing name for all views
+		 * if some of the views share a single cache.  But since the
+		 * operation is lightweight we prefer simplicity here.
+		 */
+		result = dns_view_flushnode(view, name, tree);
+		if (result != ISC_R_SUCCESS) {
+			flushed = false;
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "flushing %s '%s' in cache view '%s' "
+				      "failed: %s",
+				      tree ? "tree" : "name", target,
+				      view->name, isc_result_totext(result));
+		}
+	}
+	if (flushed && found) {
+		if (viewname != NULL) {
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+				      "flushing %s '%s' in cache view '%s' "
+				      "succeeded",
+				      tree ? "tree" : "name", target, viewname);
+		} else {
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+				      "flushing %s '%s' in all cache views "
+				      "succeeded",
+				      tree ? "tree" : "name", target);
+		}
+		result = ISC_R_SUCCESS;
+	} else {
+		if (!found) {
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "flushing %s '%s' in cache view '%s' "
+				      "failed: view not found",
+				      tree ? "tree" : "name", target, viewname);
+		}
+		result = ISC_R_FAILURE;
+	}
+	isc_task_endexclusive(server->task);
+	return (result);
+}
+
+isc_result_t
+named_server_status(named_server_t *server, isc_buffer_t **text) {
+	isc_result_t result;
+	unsigned int zonecount, xferrunning, xferdeferred, soaqueries;
+	unsigned int automatic;
+	const char *ob = "", *cb = "", *alt = "";
+	char boottime[ISC_FORMATHTTPTIMESTAMP_SIZE];
+	char configtime[ISC_FORMATHTTPTIMESTAMP_SIZE];
+	char line[1024], hostname[256];
+	named_reload_t reload_status;
+
+	REQUIRE(text != NULL);
+
+	if (named_g_server->version_set) {
+		ob = " (";
+		cb = ")";
+		if (named_g_server->version == NULL) {
+			alt = "version.bind/txt/ch disabled";
+		} else {
+			alt = named_g_server->version;
+		}
+	}
+	zonecount = dns_zonemgr_getcount(server->zonemgr, DNS_ZONESTATE_ANY);
+	xferrunning = dns_zonemgr_getcount(server->zonemgr,
+					   DNS_ZONESTATE_XFERRUNNING);
+	xferdeferred = dns_zonemgr_getcount(server->zonemgr,
+					    DNS_ZONESTATE_XFERDEFERRED);
+	soaqueries = dns_zonemgr_getcount(server->zonemgr,
+					  DNS_ZONESTATE_SOAQUERY);
+	automatic = dns_zonemgr_getcount(server->zonemgr,
+					 DNS_ZONESTATE_AUTOMATIC);
+
+	isc_time_formathttptimestamp(&named_g_boottime, boottime,
+				     sizeof(boottime));
+	isc_time_formathttptimestamp(&named_g_configtime, configtime,
+				     sizeof(configtime));
+
+	snprintf(line, sizeof(line), "version: %s %s%s%s <id:%s>%s%s%s\n",
+		 named_g_product, named_g_version,
+		 (*named_g_description != '\0') ? " " : "", named_g_description,
+		 named_g_srcid, ob, alt, cb);
+	CHECK(putstr(text, line));
+
+	result = named_os_gethostname(hostname, sizeof(hostname));
+	if (result != ISC_R_SUCCESS) {
+		strlcpy(hostname, "localhost", sizeof(hostname));
+	}
+	snprintf(line, sizeof(line), "running on %s: %s\n", hostname,
+		 named_os_uname());
+	CHECK(putstr(text, line));
+
+	snprintf(line, sizeof(line), "boot time: %s\n", boottime);
+	CHECK(putstr(text, line));
+
+	snprintf(line, sizeof(line), "last configured: %s\n", configtime);
+	CHECK(putstr(text, line));
+
+	if (named_g_chrootdir != NULL) {
+		snprintf(line, sizeof(line), "configuration file: %s (%s%s)\n",
+			 named_g_conffile, named_g_chrootdir, named_g_conffile);
+	} else {
+		snprintf(line, sizeof(line), "configuration file: %s\n",
+			 named_g_conffile);
+	}
+	CHECK(putstr(text, line));
+
+	snprintf(line, sizeof(line), "CPUs found: %u\n", named_g_cpus_detected);
+	CHECK(putstr(text, line));
+
+	snprintf(line, sizeof(line), "worker threads: %u\n", named_g_cpus);
+	CHECK(putstr(text, line));
+
+	snprintf(line, sizeof(line), "UDP listeners per interface: %u\n",
+		 named_g_udpdisp);
+	CHECK(putstr(text, line));
+
+	snprintf(line, sizeof(line), "number of zones: %u (%u automatic)\n",
+		 zonecount, automatic);
+	CHECK(putstr(text, line));
+
+	snprintf(line, sizeof(line), "debug level: %u\n", named_g_debuglevel);
+	CHECK(putstr(text, line));
+
+	snprintf(line, sizeof(line), "xfers running: %u\n", xferrunning);
+	CHECK(putstr(text, line));
+
+	snprintf(line, sizeof(line), "xfers deferred: %u\n", xferdeferred);
+	CHECK(putstr(text, line));
+
+	snprintf(line, sizeof(line), "soa queries in progress: %u\n",
+		 soaqueries);
+	CHECK(putstr(text, line));
+
+	snprintf(line, sizeof(line), "query logging is %s\n",
+		 ns_server_getoption(server->sctx, NS_SERVER_LOGQUERIES)
+			 ? "ON"
+			 : "OFF");
+	CHECK(putstr(text, line));
+
+	snprintf(line, sizeof(line), "recursive clients: %u/%u/%u\n",
+		 isc_quota_getused(&server->sctx->recursionquota),
+		 isc_quota_getsoft(&server->sctx->recursionquota),
+		 isc_quota_getmax(&server->sctx->recursionquota));
+	CHECK(putstr(text, line));
+
+	snprintf(line, sizeof(line), "tcp clients: %u/%u\n",
+		 isc_quota_getused(&server->sctx->tcpquota),
+		 isc_quota_getmax(&server->sctx->tcpquota));
+	CHECK(putstr(text, line));
+
+	snprintf(line, sizeof(line), "TCP high-water: %u\n",
+		 (unsigned)ns_stats_get_counter(server->sctx->nsstats,
+						ns_statscounter_tcphighwater));
+	CHECK(putstr(text, line));
+
+	reload_status = atomic_load(&server->reload_status);
+	if (reload_status != NAMED_RELOAD_DONE) {
+		snprintf(line, sizeof(line), "reload/reconfig %s\n",
+			 (reload_status == NAMED_RELOAD_FAILED
+				  ? "failed"
+				  : "in progress"));
+		CHECK(putstr(text, line));
+	}
+
+	CHECK(putstr(text, "server is up and running"));
+	CHECK(putnull(text));
+
+	return (ISC_R_SUCCESS);
+cleanup:
+	return (result);
+}
+
+isc_result_t
+named_server_testgen(isc_lex_t *lex, isc_buffer_t **text) {
+	isc_result_t result;
+	char *ptr;
+	unsigned long count;
+	unsigned long i;
+	const unsigned char chars[] = "abcdefghijklmnopqrstuvwxyz0123456789";
+
+	REQUIRE(text != NULL);
+
+	/* Skip the command name. */
+	ptr = next_token(lex, text);
+	if (ptr == NULL) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	ptr = next_token(lex, text);
+	if (ptr == NULL) {
+		count = 26;
+	} else {
+		count = strtoul(ptr, NULL, 10);
+	}
+
+	CHECK(isc_buffer_reserve(text, count));
+	for (i = 0; i < count; i++) {
+		CHECK(putuint8(text, chars[i % (sizeof(chars) - 1)]));
+	}
+
+	CHECK(putnull(text));
+
+cleanup:
+	return (result);
+}
+
+static isc_result_t
+delete_keynames(dns_tsig_keyring_t *ring, char *target,
+		unsigned int *foundkeys) {
+	char namestr[DNS_NAME_FORMATSIZE];
+	isc_result_t result;
+	dns_rbtnodechain_t chain;
+	dns_name_t foundname;
+	dns_fixedname_t fixedorigin;
+	dns_name_t *origin;
+	dns_rbtnode_t *node;
+	dns_tsigkey_t *tkey;
+
+	dns_name_init(&foundname, NULL);
+	origin = dns_fixedname_initname(&fixedorigin);
+
+again:
+	dns_rbtnodechain_init(&chain);
+	result = dns_rbtnodechain_first(&chain, ring->keys, &foundname, origin);
+	if (result == ISC_R_NOTFOUND) {
+		dns_rbtnodechain_invalidate(&chain);
+		return (ISC_R_SUCCESS);
+	}
+	if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+		dns_rbtnodechain_invalidate(&chain);
+		return (result);
+	}
+
+	for (;;) {
+		node = NULL;
+		dns_rbtnodechain_current(&chain, &foundname, origin, &node);
+		tkey = node->data;
+
+		if (tkey != NULL) {
+			if (!tkey->generated) {
+				goto nextkey;
+			}
+
+			dns_name_format(&tkey->name, namestr, sizeof(namestr));
+			if (strcmp(namestr, target) == 0) {
+				(*foundkeys)++;
+				dns_rbtnodechain_invalidate(&chain);
+				(void)dns_rbt_deletename(ring->keys,
+							 &tkey->name, false);
+				goto again;
+			}
+		}
+
+	nextkey:
+		result = dns_rbtnodechain_next(&chain, &foundname, origin);
+		if (result == ISC_R_NOMORE) {
+			break;
+		}
+		if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+			dns_rbtnodechain_invalidate(&chain);
+			return (result);
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+named_server_tsigdelete(named_server_t *server, isc_lex_t *lex,
+			isc_buffer_t **text) {
+	isc_result_t result;
+	dns_view_t *view;
+	unsigned int foundkeys = 0;
+	char *ptr, *viewname;
+	char target[DNS_NAME_FORMATSIZE];
+	char fbuf[16];
+
+	REQUIRE(text != NULL);
+
+	(void)next_token(lex, text); /* skip command name */
+
+	ptr = next_token(lex, text);
+	if (ptr == NULL) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	strlcpy(target, ptr, DNS_NAME_FORMATSIZE);
+
+	viewname = next_token(lex, text);
+
+	result = isc_task_beginexclusive(server->task);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	for (view = ISC_LIST_HEAD(server->viewlist); view != NULL;
+	     view = ISC_LIST_NEXT(view, link))
+	{
+		if (viewname == NULL || strcmp(view->name, viewname) == 0) {
+			RWLOCK(&view->dynamickeys->lock, isc_rwlocktype_write);
+			result = delete_keynames(view->dynamickeys, target,
+						 &foundkeys);
+			RWUNLOCK(&view->dynamickeys->lock,
+				 isc_rwlocktype_write);
+			if (result != ISC_R_SUCCESS) {
+				isc_task_endexclusive(server->task);
+				return (result);
+			}
+		}
+	}
+	isc_task_endexclusive(server->task);
+
+	snprintf(fbuf, sizeof(fbuf), "%u", foundkeys);
+
+	CHECK(putstr(text, fbuf));
+	CHECK(putstr(text, " tsig keys deleted."));
+	CHECK(putnull(text));
+
+cleanup:
+	return (result);
+}
+
+static isc_result_t
+list_keynames(dns_view_t *view, dns_tsig_keyring_t *ring, isc_buffer_t **text,
+	      unsigned int *foundkeys) {
+	char namestr[DNS_NAME_FORMATSIZE];
+	char creatorstr[DNS_NAME_FORMATSIZE];
+	isc_result_t result;
+	dns_rbtnodechain_t chain;
+	dns_name_t foundname;
+	dns_fixedname_t fixedorigin;
+	dns_name_t *origin;
+	dns_rbtnode_t *node;
+	dns_tsigkey_t *tkey;
+	const char *viewname;
+
+	if (view != NULL) {
+		viewname = view->name;
+	} else {
+		viewname = "(global)";
+	}
+
+	dns_name_init(&foundname, NULL);
+	origin = dns_fixedname_initname(&fixedorigin);
+	dns_rbtnodechain_init(&chain);
+	result = dns_rbtnodechain_first(&chain, ring->keys, &foundname, origin);
+	if (result == ISC_R_NOTFOUND) {
+		dns_rbtnodechain_invalidate(&chain);
+		return (ISC_R_SUCCESS);
+	}
+	if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+		dns_rbtnodechain_invalidate(&chain);
+		return (result);
+	}
+
+	for (;;) {
+		node = NULL;
+		dns_rbtnodechain_current(&chain, &foundname, origin, &node);
+		tkey = node->data;
+
+		if (tkey != NULL) {
+			dns_name_format(&tkey->name, namestr, sizeof(namestr));
+			if (tkey->generated) {
+				dns_name_format(tkey->creator, creatorstr,
+						sizeof(creatorstr));
+				if (*foundkeys != 0) {
+					CHECK(putstr(text, "\n"));
+				}
+				CHECK(putstr(text, "view \""));
+				CHECK(putstr(text, viewname));
+				CHECK(putstr(text, "\"; type \"dynamic\"; key "
+						   "\""));
+				CHECK(putstr(text, namestr));
+				CHECK(putstr(text, "\"; creator \""));
+				CHECK(putstr(text, creatorstr));
+				CHECK(putstr(text, "\";"));
+			} else {
+				if (*foundkeys != 0) {
+					CHECK(putstr(text, "\n"));
+				}
+				CHECK(putstr(text, "view \""));
+				CHECK(putstr(text, viewname));
+				CHECK(putstr(text, "\"; type \"static\"; key "
+						   "\""));
+				CHECK(putstr(text, namestr));
+				CHECK(putstr(text, "\";"));
+			}
+			(*foundkeys)++;
+		}
+		result = dns_rbtnodechain_next(&chain, &foundname, origin);
+		if (result == ISC_R_NOMORE || result == DNS_R_NEWORIGIN) {
+			break;
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+cleanup:
+	dns_rbtnodechain_invalidate(&chain);
+	return (result);
+}
+
+isc_result_t
+named_server_tsiglist(named_server_t *server, isc_buffer_t **text) {
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_view_t *view;
+	unsigned int foundkeys = 0;
+
+	REQUIRE(text != NULL);
+
+	for (view = ISC_LIST_HEAD(server->viewlist); view != NULL;
+	     view = ISC_LIST_NEXT(view, link))
+	{
+		RWLOCK(&view->statickeys->lock, isc_rwlocktype_read);
+		result = list_keynames(view, view->statickeys, text,
+				       &foundkeys);
+		RWUNLOCK(&view->statickeys->lock, isc_rwlocktype_read);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		RWLOCK(&view->dynamickeys->lock, isc_rwlocktype_read);
+		result = list_keynames(view, view->dynamickeys, text,
+				       &foundkeys);
+		RWUNLOCK(&view->dynamickeys->lock, isc_rwlocktype_read);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+
+	if (foundkeys == 0) {
+		CHECK(putstr(text, "no tsig keys found."));
+	}
+
+	if (isc_buffer_usedlength(*text) > 0) {
+		CHECK(putnull(text));
+	}
+
+cleanup:
+	return (result);
+}
+
+/*
+ * Act on a "sign" or "loadkeys" command from the command channel.
+ */
+isc_result_t
+named_server_rekey(named_server_t *server, isc_lex_t *lex,
+		   isc_buffer_t **text) {
+	isc_result_t result;
+	dns_zone_t *zone = NULL;
+	dns_zonetype_t type;
+	uint16_t keyopts;
+	bool fullsign = false;
+	char *ptr;
+
+	REQUIRE(text != NULL);
+
+	ptr = next_token(lex, text);
+	if (ptr == NULL) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	if (strcasecmp(ptr, NAMED_COMMAND_SIGN) == 0) {
+		fullsign = true;
+	}
+
+	REQUIRE(text != NULL);
+
+	result = zone_from_args(server, lex, NULL, &zone, NULL, text, false);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	if (zone == NULL) {
+		return (ISC_R_UNEXPECTEDEND); /* XXX: or do all zones? */
+	}
+
+	type = dns_zone_gettype(zone);
+	if (type != dns_zone_primary) {
+		dns_zone_detach(&zone);
+		return (DNS_R_NOTMASTER);
+	}
+
+	keyopts = dns_zone_getkeyopts(zone);
+
+	/*
+	 * "rndc loadkeys" requires "auto-dnssec maintain"
+	 * or a "dnssec-policy".
+	 */
+	if ((keyopts & DNS_ZONEKEY_ALLOW) == 0) {
+		result = ISC_R_NOPERM;
+	} else if ((keyopts & DNS_ZONEKEY_MAINTAIN) == 0 && !fullsign) {
+		result = ISC_R_NOPERM;
+	} else {
+		dns_zone_rekey(zone, fullsign);
+	}
+
+	dns_zone_detach(&zone);
+	return (result);
+}
+
+/*
+ * Act on a "sync" command from the command channel.
+ */
+static isc_result_t
+synczone(dns_zone_t *zone, void *uap) {
+	bool cleanup = *(bool *)uap;
+	isc_result_t result;
+	dns_zone_t *raw = NULL;
+	char *journal;
+
+	dns_zone_getraw(zone, &raw);
+	if (raw != NULL) {
+		synczone(raw, uap);
+		dns_zone_detach(&raw);
+	}
+
+	result = dns_zone_flush(zone);
+	if (result != ISC_R_SUCCESS) {
+		cleanup = false;
+	}
+	if (cleanup) {
+		journal = dns_zone_getjournal(zone);
+		if (journal != NULL) {
+			(void)isc_file_remove(journal);
+		}
+	}
+
+	return (result);
+}
+
+isc_result_t
+named_server_sync(named_server_t *server, isc_lex_t *lex, isc_buffer_t **text) {
+	isc_result_t result, tresult;
+	dns_view_t *view;
+	dns_zone_t *zone = NULL;
+	char classstr[DNS_RDATACLASS_FORMATSIZE];
+	char zonename[DNS_NAME_FORMATSIZE];
+	const char *vname, *sep, *arg;
+	bool cleanup = false;
+
+	REQUIRE(text != NULL);
+
+	(void)next_token(lex, text);
+
+	arg = next_token(lex, text);
+	if (arg != NULL &&
+	    (strcmp(arg, "-clean") == 0 || strcmp(arg, "-clear") == 0))
+	{
+		cleanup = true;
+		arg = next_token(lex, text);
+	}
+
+	REQUIRE(text != NULL);
+
+	result = zone_from_args(server, lex, arg, &zone, NULL, text, false);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	if (zone == NULL) {
+		result = isc_task_beginexclusive(server->task);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		tresult = ISC_R_SUCCESS;
+		for (view = ISC_LIST_HEAD(server->viewlist); view != NULL;
+		     view = ISC_LIST_NEXT(view, link))
+		{
+			result = dns_zt_apply(view->zonetable,
+					      isc_rwlocktype_none, false, NULL,
+					      synczone, &cleanup);
+			if (result != ISC_R_SUCCESS && tresult == ISC_R_SUCCESS)
+			{
+				tresult = result;
+			}
+		}
+		isc_task_endexclusive(server->task);
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+			      "dumping all zones%s: %s",
+			      cleanup ? ", removing journal files" : "",
+			      isc_result_totext(result));
+		return (tresult);
+	}
+
+	result = isc_task_beginexclusive(server->task);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	result = synczone(zone, &cleanup);
+	isc_task_endexclusive(server->task);
+
+	view = dns_zone_getview(zone);
+	if (strcmp(view->name, "_default") == 0 ||
+	    strcmp(view->name, "_bind") == 0)
+	{
+		vname = "";
+		sep = "";
+	} else {
+		vname = view->name;
+		sep = " ";
+	}
+	dns_rdataclass_format(dns_zone_getclass(zone), classstr,
+			      sizeof(classstr));
+	dns_name_format(dns_zone_getorigin(zone), zonename, sizeof(zonename));
+	isc_log_write(
+		named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER,
+		ISC_LOG_INFO, "sync: dumping zone '%s/%s'%s%s%s: %s", zonename,
+		classstr, sep, vname, cleanup ? ", removing journal file" : "",
+		isc_result_totext(result));
+	dns_zone_detach(&zone);
+	return (result);
+}
+
+/*
+ * Act on a "freeze" or "thaw" command from the command channel.
+ */
+isc_result_t
+named_server_freeze(named_server_t *server, bool freeze, isc_lex_t *lex,
+		    isc_buffer_t **text) {
+	isc_result_t result, tresult;
+	dns_zone_t *mayberaw = NULL, *raw = NULL;
+	dns_zonetype_t type;
+	char classstr[DNS_RDATACLASS_FORMATSIZE];
+	char zonename[DNS_NAME_FORMATSIZE];
+	dns_view_t *view;
+	const char *vname, *sep;
+	bool frozen;
+	const char *msg = NULL;
+
+	REQUIRE(text != NULL);
+
+	result = zone_from_args(server, lex, NULL, &mayberaw, NULL, text, true);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	if (mayberaw == NULL) {
+		result = isc_task_beginexclusive(server->task);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		tresult = ISC_R_SUCCESS;
+		for (view = ISC_LIST_HEAD(server->viewlist); view != NULL;
+		     view = ISC_LIST_NEXT(view, link))
+		{
+			result = dns_view_freezezones(view, freeze);
+			if (result != ISC_R_SUCCESS && tresult == ISC_R_SUCCESS)
+			{
+				tresult = result;
+			}
+		}
+		isc_task_endexclusive(server->task);
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+			      "%s all zones: %s",
+			      freeze ? "freezing" : "thawing",
+			      isc_result_totext(tresult));
+		return (tresult);
+	}
+	dns_zone_getraw(mayberaw, &raw);
+	if (raw != NULL) {
+		dns_zone_detach(&mayberaw);
+		dns_zone_attach(raw, &mayberaw);
+		dns_zone_detach(&raw);
+	}
+	type = dns_zone_gettype(mayberaw);
+	if (type != dns_zone_primary) {
+		dns_zone_detach(&mayberaw);
+		return (DNS_R_NOTMASTER);
+	}
+
+	if (freeze && !dns_zone_isdynamic(mayberaw, true)) {
+		dns_zone_detach(&mayberaw);
+		return (DNS_R_NOTDYNAMIC);
+	}
+
+	result = isc_task_beginexclusive(server->task);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	frozen = dns_zone_getupdatedisabled(mayberaw);
+	if (freeze) {
+		if (frozen) {
+			msg = "WARNING: The zone was already frozen.\n"
+			      "Someone else may be editing it or "
+			      "it may still be re-loading.";
+			result = DNS_R_FROZEN;
+		}
+		if (result == ISC_R_SUCCESS) {
+			result = dns_zone_flush(mayberaw);
+			if (result != ISC_R_SUCCESS) {
+				msg = "Flushing the zone updates to "
+				      "disk failed.";
+			}
+		}
+		if (result == ISC_R_SUCCESS) {
+			dns_zone_setupdatedisabled(mayberaw, freeze);
+		}
+	} else {
+		if (frozen) {
+			result = dns_zone_loadandthaw(mayberaw);
+			switch (result) {
+			case ISC_R_SUCCESS:
+			case DNS_R_UPTODATE:
+				msg = "The zone reload and thaw was "
+				      "successful.";
+				result = ISC_R_SUCCESS;
+				break;
+			case DNS_R_CONTINUE:
+				msg = "A zone reload and thaw was started.\n"
+				      "Check the logs to see the result.";
+				result = ISC_R_SUCCESS;
+				break;
+			}
+		}
+	}
+	isc_task_endexclusive(server->task);
+
+	if (msg != NULL) {
+		(void)putstr(text, msg);
+		(void)putnull(text);
+	}
+
+	view = dns_zone_getview(mayberaw);
+	if (strcmp(view->name, "_default") == 0 ||
+	    strcmp(view->name, "_bind") == 0)
+	{
+		vname = "";
+		sep = "";
+	} else {
+		vname = view->name;
+		sep = " ";
+	}
+	dns_rdataclass_format(dns_zone_getclass(mayberaw), classstr,
+			      sizeof(classstr));
+	dns_name_format(dns_zone_getorigin(mayberaw), zonename,
+			sizeof(zonename));
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+		      "%s zone '%s/%s'%s%s: %s",
+		      freeze ? "freezing" : "thawing", zonename, classstr, sep,
+		      vname, isc_result_totext(result));
+	dns_zone_detach(&mayberaw);
+	return (result);
+}
+
+#ifdef HAVE_LIBSCF
+/*
+ * This function adds a message for rndc to echo if named
+ * is managed by smf and is also running chroot.
+ */
+isc_result_t
+named_smf_add_message(isc_buffer_t **text) {
+	REQUIRE(text != NULL);
+
+	return (putstr(text, "use svcadm(1M) to manage named"));
+}
+#endif /* HAVE_LIBSCF */
+
+#ifndef HAVE_LMDB
+
+/*
+ * Emit a comment at the top of the nzf file containing the viewname
+ * Expects the fp to already be open for writing
+ */
+#define HEADER1 "# New zone file for view: "
+#define HEADER2                                                     \
+	"\n# This file contains configuration for zones added by\n" \
+	"# the 'rndc addzone' command. DO NOT EDIT BY HAND.\n"
+static isc_result_t
+add_comment(FILE *fp, const char *viewname) {
+	isc_result_t result;
+	CHECK(isc_stdio_write(HEADER1, sizeof(HEADER1) - 1, 1, fp, NULL));
+	CHECK(isc_stdio_write(viewname, strlen(viewname), 1, fp, NULL));
+	CHECK(isc_stdio_write(HEADER2, sizeof(HEADER2) - 1, 1, fp, NULL));
+cleanup:
+	return (result);
+}
+
+static void
+dumpzone(void *arg, const char *buf, int len) {
+	FILE *fp = arg;
+
+	(void)isc_stdio_write(buf, len, 1, fp, NULL);
+}
+
+static isc_result_t
+nzf_append(dns_view_t *view, const cfg_obj_t *zconfig) {
+	isc_result_t result;
+	off_t offset;
+	FILE *fp = NULL;
+	bool offsetok = false;
+
+	LOCK(&view->new_zone_lock);
+
+	CHECK(isc_stdio_open(view->new_zone_file, "a", &fp));
+	CHECK(isc_stdio_seek(fp, 0, SEEK_END));
+
+	CHECK(isc_stdio_tell(fp, &offset));
+	offsetok = true;
+	if (offset == 0) {
+		CHECK(add_comment(fp, view->name));
+	}
+
+	CHECK(isc_stdio_write("zone ", 5, 1, fp, NULL));
+	cfg_printx(zconfig, CFG_PRINTER_ONELINE, dumpzone, fp);
+	CHECK(isc_stdio_write(";\n", 2, 1, fp, NULL));
+	CHECK(isc_stdio_flush(fp));
+	result = isc_stdio_close(fp);
+	fp = NULL;
+
+cleanup:
+	if (fp != NULL) {
+		(void)isc_stdio_close(fp);
+		if (offsetok) {
+			isc_result_t result2;
+
+			result2 = isc_file_truncate(view->new_zone_file,
+						    offset);
+			if (result2 != ISC_R_SUCCESS) {
+				isc_log_write(
+					named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+					NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+					"Error truncating NZF file '%s' "
+					"during rollback from append: "
+					"%s",
+					view->new_zone_file,
+					isc_result_totext(result2));
+			}
+		}
+	}
+	UNLOCK(&view->new_zone_lock);
+	return (result);
+}
+
+static isc_result_t
+nzf_writeconf(const cfg_obj_t *config, dns_view_t *view) {
+	const cfg_obj_t *zl = NULL;
+	cfg_list_t *list;
+	const cfg_listelt_t *elt;
+
+	FILE *fp = NULL;
+	char tmp[1024];
+	isc_result_t result;
+
+	result = isc_file_template(view->new_zone_file, "nzf-XXXXXXXX", tmp,
+				   sizeof(tmp));
+	if (result == ISC_R_SUCCESS) {
+		result = isc_file_openunique(tmp, &fp);
+	}
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	cfg_map_get(config, "zone", &zl);
+	if (!cfg_obj_islist(zl)) {
+		CHECK(ISC_R_FAILURE);
+	}
+
+	DE_CONST(&zl->value.list, list);
+
+	CHECK(add_comment(fp, view->name)); /* force a comment */
+
+	for (elt = ISC_LIST_HEAD(*list); elt != NULL;
+	     elt = ISC_LIST_NEXT(elt, link))
+	{
+		const cfg_obj_t *zconfig = cfg_listelt_value(elt);
+
+		CHECK(isc_stdio_write("zone ", 5, 1, fp, NULL));
+		cfg_printx(zconfig, CFG_PRINTER_ONELINE, dumpzone, fp);
+		CHECK(isc_stdio_write(";\n", 2, 1, fp, NULL));
+	}
+
+	CHECK(isc_stdio_flush(fp));
+	result = isc_stdio_close(fp);
+	fp = NULL;
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	CHECK(isc_file_rename(tmp, view->new_zone_file));
+	return (result);
+
+cleanup:
+	if (fp != NULL) {
+		(void)isc_stdio_close(fp);
+	}
+	(void)isc_file_remove(tmp);
+	return (result);
+}
+
+#else /* HAVE_LMDB */
+
+static void
+nzd_setkey(MDB_val *key, dns_name_t *name, char *namebuf, size_t buflen) {
+	dns_fixedname_t fixed;
+
+	dns_fixedname_init(&fixed);
+	dns_name_downcase(name, dns_fixedname_name(&fixed), NULL);
+	dns_name_format(dns_fixedname_name(&fixed), namebuf, buflen);
+
+	key->mv_data = namebuf;
+	key->mv_size = strlen(namebuf);
+}
+
+static void
+dumpzone(void *arg, const char *buf, int len) {
+	ns_dzarg_t *dzarg = arg;
+	isc_result_t result;
+
+	REQUIRE(dzarg != NULL && ISC_MAGIC_VALID(dzarg, DZARG_MAGIC));
+
+	result = putmem(dzarg->text, buf, len);
+	if (result != ISC_R_SUCCESS && dzarg->result == ISC_R_SUCCESS) {
+		dzarg->result = result;
+	}
+}
+
+static isc_result_t
+nzd_save(MDB_txn **txnp, MDB_dbi dbi, dns_zone_t *zone,
+	 const cfg_obj_t *zconfig) {
+	isc_result_t result;
+	int status;
+	dns_view_t *view;
+	bool commit = false;
+	isc_buffer_t *text = NULL;
+	char namebuf[1024];
+	MDB_val key, data;
+	ns_dzarg_t dzarg;
+
+	view = dns_zone_getview(zone);
+
+	nzd_setkey(&key, dns_zone_getorigin(zone), namebuf, sizeof(namebuf));
+
+	if (zconfig == NULL) {
+		/* We're deleting the zone from the database */
+		status = mdb_del(*txnp, dbi, &key, NULL);
+		if (status != MDB_SUCCESS && status != MDB_NOTFOUND) {
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "Error deleting zone %s "
+				      "from NZD database: %s",
+				      namebuf, mdb_strerror(status));
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		} else if (status != MDB_NOTFOUND) {
+			commit = true;
+		}
+	} else {
+		/* We're creating or overwriting the zone */
+		const cfg_obj_t *zoptions;
+
+		isc_buffer_allocate(view->mctx, &text, 256);
+
+		zoptions = cfg_tuple_get(zconfig, "options");
+		if (zoptions == NULL) {
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "Unable to get options from config in "
+				      "nzd_save()");
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+
+		dzarg.magic = DZARG_MAGIC;
+		dzarg.text = &text;
+		dzarg.result = ISC_R_SUCCESS;
+		cfg_printx(zoptions, CFG_PRINTER_ONELINE, dumpzone, &dzarg);
+		if (dzarg.result != ISC_R_SUCCESS) {
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "Error writing zone config to "
+				      "buffer in nzd_save(): %s",
+				      isc_result_totext(dzarg.result));
+			result = dzarg.result;
+			goto cleanup;
+		}
+
+		data.mv_data = isc_buffer_base(text);
+		data.mv_size = isc_buffer_usedlength(text);
+
+		status = mdb_put(*txnp, dbi, &key, &data, 0);
+		if (status != MDB_SUCCESS) {
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "Error inserting zone in "
+				      "NZD database: %s",
+				      mdb_strerror(status));
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+
+		commit = true;
+	}
+
+	result = ISC_R_SUCCESS;
+
+cleanup:
+	if (!commit || result != ISC_R_SUCCESS) {
+		(void)mdb_txn_abort(*txnp);
+	} else {
+		status = mdb_txn_commit(*txnp);
+		if (status != MDB_SUCCESS) {
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "Error committing "
+				      "NZD database: %s",
+				      mdb_strerror(status));
+			result = ISC_R_FAILURE;
+		}
+	}
+	*txnp = NULL;
+
+	if (text != NULL) {
+		isc_buffer_free(&text);
+	}
+
+	return (result);
+}
+
+/*
+ * Check whether the new zone database for 'view' can be opened for writing.
+ *
+ * Caller must hold 'view->new_zone_lock'.
+ */
+static isc_result_t
+nzd_writable(dns_view_t *view) {
+	isc_result_t result = ISC_R_SUCCESS;
+	int status;
+	MDB_dbi dbi;
+	MDB_txn *txn = NULL;
+
+	REQUIRE(view != NULL);
+
+	status = mdb_txn_begin((MDB_env *)view->new_zone_dbenv, 0, 0, &txn);
+	if (status != MDB_SUCCESS) {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING,
+			      "mdb_txn_begin: %s", mdb_strerror(status));
+		return (ISC_R_FAILURE);
+	}
+
+	status = mdb_dbi_open(txn, NULL, 0, &dbi);
+	if (status != MDB_SUCCESS) {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING,
+			      "mdb_dbi_open: %s", mdb_strerror(status));
+		result = ISC_R_FAILURE;
+	}
+
+	mdb_txn_abort(txn);
+	return (result);
+}
+
+/*
+ * Open the new zone database for 'view' and start a transaction for it.
+ *
+ * Caller must hold 'view->new_zone_lock'.
+ */
+static isc_result_t
+nzd_open(dns_view_t *view, unsigned int flags, MDB_txn **txnp, MDB_dbi *dbi) {
+	int status;
+	MDB_txn *txn = NULL;
+
+	REQUIRE(view != NULL);
+	REQUIRE(txnp != NULL && *txnp == NULL);
+	REQUIRE(dbi != NULL);
+
+	status = mdb_txn_begin((MDB_env *)view->new_zone_dbenv, 0, flags, &txn);
+	if (status != MDB_SUCCESS) {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING,
+			      "mdb_txn_begin: %s", mdb_strerror(status));
+		goto cleanup;
+	}
+
+	status = mdb_dbi_open(txn, NULL, 0, dbi);
+	if (status != MDB_SUCCESS) {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING,
+			      "mdb_dbi_open: %s", mdb_strerror(status));
+		goto cleanup;
+	}
+
+	*txnp = txn;
+
+cleanup:
+	if (status != MDB_SUCCESS) {
+		if (txn != NULL) {
+			mdb_txn_abort(txn);
+		}
+		return (ISC_R_FAILURE);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * nzd_env_close() and nzd_env_reopen are a kluge to address the
+ * problem of an NZD file possibly being created before we drop
+ * root privileges.
+ */
+static void
+nzd_env_close(dns_view_t *view) {
+	const char *dbpath = NULL;
+	char dbpath_copy[PATH_MAX];
+	char lockpath[PATH_MAX];
+	int status, ret;
+
+	if (view->new_zone_dbenv == NULL) {
+		return;
+	}
+
+	status = mdb_env_get_path(view->new_zone_dbenv, &dbpath);
+	INSIST(status == MDB_SUCCESS);
+	snprintf(lockpath, sizeof(lockpath), "%s-lock", dbpath);
+	strlcpy(dbpath_copy, dbpath, sizeof(dbpath_copy));
+	mdb_env_close((MDB_env *)view->new_zone_dbenv);
+
+	/*
+	 * Database files must be owned by the eventual user, not by root.
+	 */
+	ret = chown(dbpath_copy, ns_os_uid(), -1);
+	UNUSED(ret);
+
+	/*
+	 * Some platforms need the lockfile not to exist when we reopen the
+	 * environment.
+	 */
+	(void)isc_file_remove(lockpath);
+
+	view->new_zone_dbenv = NULL;
+}
+
+static isc_result_t
+nzd_env_reopen(dns_view_t *view) {
+	isc_result_t result;
+	MDB_env *env = NULL;
+	int status;
+
+	if (view->new_zone_db == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+
+	nzd_env_close(view);
+
+	status = mdb_env_create(&env);
+	if (status != MDB_SUCCESS) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_OTHER, ISC_LOG_ERROR,
+			      "mdb_env_create failed: %s",
+			      mdb_strerror(status));
+		CHECK(ISC_R_FAILURE);
+	}
+
+	if (view->new_zone_mapsize != 0ULL) {
+		status = mdb_env_set_mapsize(env, view->new_zone_mapsize);
+		if (status != MDB_SUCCESS) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+				      ISC_LOGMODULE_OTHER, ISC_LOG_ERROR,
+				      "mdb_env_set_mapsize failed: %s",
+				      mdb_strerror(status));
+			CHECK(ISC_R_FAILURE);
+		}
+	}
+
+	status = mdb_env_open(env, view->new_zone_db, DNS_LMDB_FLAGS, 0600);
+	if (status != MDB_SUCCESS) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_OTHER, ISC_LOG_ERROR,
+			      "mdb_env_open of '%s' failed: %s",
+			      view->new_zone_db, mdb_strerror(status));
+		CHECK(ISC_R_FAILURE);
+	}
+
+	view->new_zone_dbenv = env;
+	env = NULL;
+	result = ISC_R_SUCCESS;
+
+cleanup:
+	if (env != NULL) {
+		mdb_env_close(env);
+	}
+	return (result);
+}
+
+/*
+ * If 'commit' is true, commit the new zone database transaction pointed to by
+ * 'txnp'; otherwise, abort that transaction.
+ *
+ * Caller must hold 'view->new_zone_lock' for the view that the transaction
+ * pointed to by 'txnp' was started for.
+ */
+static isc_result_t
+nzd_close(MDB_txn **txnp, bool commit) {
+	isc_result_t result = ISC_R_SUCCESS;
+	int status;
+
+	REQUIRE(txnp != NULL);
+
+	if (*txnp != NULL) {
+		if (commit) {
+			status = mdb_txn_commit(*txnp);
+			if (status != MDB_SUCCESS) {
+				result = ISC_R_FAILURE;
+			}
+		} else {
+			mdb_txn_abort(*txnp);
+		}
+		*txnp = NULL;
+	}
+
+	return (result);
+}
+
+/*
+ * Count the zones configured in the new zone database for 'view' and store the
+ * result in 'countp'.
+ *
+ * Caller must hold 'view->new_zone_lock'.
+ */
+static isc_result_t
+nzd_count(dns_view_t *view, int *countp) {
+	isc_result_t result;
+	int status;
+	MDB_txn *txn = NULL;
+	MDB_dbi dbi;
+	MDB_stat statbuf;
+
+	REQUIRE(countp != NULL);
+
+	result = nzd_open(view, MDB_RDONLY, &txn, &dbi);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	status = mdb_stat(txn, dbi, &statbuf);
+	if (status != MDB_SUCCESS) {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING,
+			      "mdb_stat: %s", mdb_strerror(status));
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+
+	*countp = statbuf.ms_entries;
+
+cleanup:
+	(void)nzd_close(&txn, false);
+
+	return (result);
+}
+
+/*
+ * Migrate zone configuration from an NZF file to an NZD database.
+ * Caller must hold view->new_zone_lock.
+ */
+static isc_result_t
+migrate_nzf(dns_view_t *view) {
+	isc_result_t result;
+	cfg_obj_t *nzf_config = NULL;
+	int status, n;
+	isc_buffer_t *text = NULL;
+	bool commit = false;
+	const cfg_obj_t *zonelist;
+	const cfg_listelt_t *element;
+	char tempname[PATH_MAX];
+	MDB_txn *txn = NULL;
+	MDB_dbi dbi;
+	MDB_val key, data;
+	ns_dzarg_t dzarg;
+
+	/*
+	 * If NZF file doesn't exist, or NZD DB exists and already
+	 * has data, return without attempting migration.
+	 */
+	if (!isc_file_exists(view->new_zone_file)) {
+		result = ISC_R_SUCCESS;
+		goto cleanup;
+	}
+
+	result = nzd_count(view, &n);
+	if (result == ISC_R_SUCCESS && n > 0) {
+		result = ISC_R_SUCCESS;
+		goto cleanup;
+	}
+
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+		      "Migrating zones from NZF file '%s' to "
+		      "NZD database '%s'",
+		      view->new_zone_file, view->new_zone_db);
+	/*
+	 * Instead of blindly copying lines, we parse the NZF file using
+	 * the configuration parser, because it validates it against the
+	 * config type, giving us a guarantee that valid configuration
+	 * will be written to DB.
+	 */
+	cfg_parser_reset(named_g_addparser);
+	result = cfg_parse_file(named_g_addparser, view->new_zone_file,
+				&cfg_type_addzoneconf, &nzf_config);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+			      "Error parsing NZF file '%s': %s",
+			      view->new_zone_file, isc_result_totext(result));
+		goto cleanup;
+	}
+
+	zonelist = NULL;
+	CHECK(cfg_map_get(nzf_config, "zone", &zonelist));
+	if (!cfg_obj_islist(zonelist)) {
+		CHECK(ISC_R_FAILURE);
+	}
+
+	CHECK(nzd_open(view, 0, &txn, &dbi));
+
+	isc_buffer_allocate(view->mctx, &text, 256);
+
+	for (element = cfg_list_first(zonelist); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		const cfg_obj_t *zconfig;
+		const cfg_obj_t *zoptions;
+		char zname[DNS_NAME_FORMATSIZE];
+		dns_fixedname_t fname;
+		dns_name_t *name;
+		const char *origin;
+		isc_buffer_t b;
+
+		zconfig = cfg_listelt_value(element);
+
+		origin = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
+		if (origin == NULL) {
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+
+		/* Normalize zone name */
+		isc_buffer_constinit(&b, origin, strlen(origin));
+		isc_buffer_add(&b, strlen(origin));
+		name = dns_fixedname_initname(&fname);
+		CHECK(dns_name_fromtext(name, &b, dns_rootname,
+					DNS_NAME_DOWNCASE, NULL));
+		dns_name_format(name, zname, sizeof(zname));
+
+		key.mv_data = zname;
+		key.mv_size = strlen(zname);
+
+		zoptions = cfg_tuple_get(zconfig, "options");
+		if (zoptions == NULL) {
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+
+		isc_buffer_clear(text);
+		dzarg.magic = DZARG_MAGIC;
+		dzarg.text = &text;
+		dzarg.result = ISC_R_SUCCESS;
+		cfg_printx(zoptions, CFG_PRINTER_ONELINE, dumpzone, &dzarg);
+		if (dzarg.result != ISC_R_SUCCESS) {
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "Error writing zone config to "
+				      "buffer in migrate_nzf(): %s",
+				      isc_result_totext(result));
+			result = dzarg.result;
+			goto cleanup;
+		}
+
+		data.mv_data = isc_buffer_base(text);
+		data.mv_size = isc_buffer_usedlength(text);
+
+		status = mdb_put(txn, dbi, &key, &data, MDB_NOOVERWRITE);
+		if (status != MDB_SUCCESS) {
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "Error inserting zone in "
+				      "NZD database: %s",
+				      mdb_strerror(status));
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+
+		commit = true;
+	}
+
+	result = ISC_R_SUCCESS;
+
+	/*
+	 * Leaving the NZF file in place is harmless as we won't use it
+	 * if an NZD database is found for the view. But we rename NZF file
+	 * to a backup name here.
+	 */
+	strlcpy(tempname, view->new_zone_file, sizeof(tempname));
+	if (strlen(tempname) < sizeof(tempname) - 1) {
+		strlcat(tempname, "~", sizeof(tempname));
+		isc_file_rename(view->new_zone_file, tempname);
+	}
+
+cleanup:
+	if (result != ISC_R_SUCCESS) {
+		(void)nzd_close(&txn, false);
+	} else {
+		result = nzd_close(&txn, commit);
+	}
+
+	if (text != NULL) {
+		isc_buffer_free(&text);
+	}
+
+	if (nzf_config != NULL) {
+		cfg_obj_destroy(named_g_addparser, &nzf_config);
+	}
+
+	return (result);
+}
+
+#endif /* HAVE_LMDB */
+
+static isc_result_t
+newzone_parse(named_server_t *server, char *command, dns_view_t **viewp,
+	      cfg_obj_t **zoneconfp, const cfg_obj_t **zoneobjp,
+	      bool *redirectp, isc_buffer_t **text) {
+	isc_result_t result;
+	isc_buffer_t argbuf;
+	bool redirect = false;
+	cfg_obj_t *zoneconf = NULL;
+	const cfg_obj_t *zlist = NULL;
+	const cfg_obj_t *zoneobj = NULL;
+	const cfg_obj_t *zoptions = NULL;
+	const cfg_obj_t *obj = NULL;
+	const char *viewname = NULL;
+	dns_rdataclass_t rdclass;
+	dns_view_t *view = NULL;
+	const char *bn = NULL;
+
+	REQUIRE(viewp != NULL && *viewp == NULL);
+	REQUIRE(zoneobjp != NULL && *zoneobjp == NULL);
+	REQUIRE(zoneconfp != NULL && *zoneconfp == NULL);
+	REQUIRE(redirectp != NULL);
+
+	/* Try to parse the argument string */
+	isc_buffer_init(&argbuf, command, (unsigned int)strlen(command));
+	isc_buffer_add(&argbuf, strlen(command));
+
+	if (strncasecmp(command, "add", 3) == 0) {
+		bn = "addzone";
+	} else if (strncasecmp(command, "mod", 3) == 0) {
+		bn = "modzone";
+	} else {
+		UNREACHABLE();
+	}
+
+	/*
+	 * Convert the "addzone" or "modzone" to just "zone", for
+	 * the benefit of the parser
+	 */
+	isc_buffer_forward(&argbuf, 3);
+
+	cfg_parser_reset(named_g_addparser);
+	CHECK(cfg_parse_buffer(named_g_addparser, &argbuf, bn, 0,
+			       &cfg_type_addzoneconf, 0, &zoneconf));
+	CHECK(cfg_map_get(zoneconf, "zone", &zlist));
+	if (!cfg_obj_islist(zlist)) {
+		CHECK(ISC_R_FAILURE);
+	}
+
+	/* For now we only support adding one zone at a time */
+	zoneobj = cfg_listelt_value(cfg_list_first(zlist));
+
+	/* Check the zone type for ones that are not supported by addzone. */
+	zoptions = cfg_tuple_get(zoneobj, "options");
+
+	obj = NULL;
+	(void)cfg_map_get(zoptions, "type", &obj);
+	if (obj == NULL) {
+		(void)cfg_map_get(zoptions, "in-view", &obj);
+		if (obj != NULL) {
+			(void)putstr(text, "'in-view' zones not supported by ");
+			(void)putstr(text, bn);
+		} else {
+			(void)putstr(text, "zone type not specified");
+		}
+		CHECK(ISC_R_FAILURE);
+	}
+
+	if (strcasecmp(cfg_obj_asstring(obj), "hint") == 0 ||
+	    strcasecmp(cfg_obj_asstring(obj), "forward") == 0 ||
+	    strcasecmp(cfg_obj_asstring(obj), "delegation-only") == 0)
+	{
+		(void)putstr(text, "'");
+		(void)putstr(text, cfg_obj_asstring(obj));
+		(void)putstr(text, "' zones not supported by ");
+		(void)putstr(text, bn);
+		CHECK(ISC_R_FAILURE);
+	}
+
+	if (strcasecmp(cfg_obj_asstring(obj), "redirect") == 0) {
+		redirect = true;
+	}
+
+	/* Make sense of optional class argument */
+	obj = cfg_tuple_get(zoneobj, "class");
+	CHECK(named_config_getclass(obj, dns_rdataclass_in, &rdclass));
+
+	/* Make sense of optional view argument */
+	obj = cfg_tuple_get(zoneobj, "view");
+	if (obj && cfg_obj_isstring(obj)) {
+		viewname = cfg_obj_asstring(obj);
+	}
+	if (viewname == NULL || *viewname == '\0') {
+		viewname = "_default";
+	}
+	result = dns_viewlist_find(&server->viewlist, viewname, rdclass, &view);
+	if (result == ISC_R_NOTFOUND) {
+		(void)putstr(text, "no matching view found for '");
+		(void)putstr(text, viewname);
+		(void)putstr(text, "'");
+		goto cleanup;
+	} else if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	*viewp = view;
+	*zoneobjp = zoneobj;
+	*zoneconfp = zoneconf;
+	*redirectp = redirect;
+
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	if (zoneconf != NULL) {
+		cfg_obj_destroy(named_g_addparser, &zoneconf);
+	}
+	if (view != NULL) {
+		dns_view_detach(&view);
+	}
+
+	return (result);
+}
+
+static isc_result_t
+delete_zoneconf(dns_view_t *view, cfg_parser_t *pctx, const cfg_obj_t *config,
+		const dns_name_t *zname, nzfwriter_t nzfwriter) {
+	isc_result_t result = ISC_R_NOTFOUND;
+	const cfg_listelt_t *elt = NULL;
+	const cfg_obj_t *zl = NULL;
+	cfg_list_t *list;
+	dns_fixedname_t myfixed;
+	dns_name_t *myname;
+
+	REQUIRE(view != NULL);
+	REQUIRE(pctx != NULL);
+	REQUIRE(config != NULL);
+	REQUIRE(zname != NULL);
+
+	LOCK(&view->new_zone_lock);
+
+	cfg_map_get(config, "zone", &zl);
+
+	if (!cfg_obj_islist(zl)) {
+		CHECK(ISC_R_FAILURE);
+	}
+
+	DE_CONST(&zl->value.list, list);
+
+	myname = dns_fixedname_initname(&myfixed);
+
+	for (elt = ISC_LIST_HEAD(*list); elt != NULL;
+	     elt = ISC_LIST_NEXT(elt, link))
+	{
+		const cfg_obj_t *zconf = cfg_listelt_value(elt);
+		const char *zn;
+		cfg_listelt_t *e;
+
+		zn = cfg_obj_asstring(cfg_tuple_get(zconf, "name"));
+		result = dns_name_fromstring(myname, zn, 0, NULL);
+		if (result != ISC_R_SUCCESS || !dns_name_equal(zname, myname)) {
+			continue;
+		}
+
+		DE_CONST(elt, e);
+		ISC_LIST_UNLINK(*list, e, link);
+		cfg_obj_destroy(pctx, &e->obj);
+		isc_mem_put(pctx->mctx, e, sizeof(*e));
+		result = ISC_R_SUCCESS;
+		break;
+	}
+
+	/*
+	 * Write config to NZF file if appropriate
+	 */
+	if (nzfwriter != NULL && view->new_zone_file != NULL) {
+		result = nzfwriter(config, view);
+	}
+
+cleanup:
+	UNLOCK(&view->new_zone_lock);
+	return (result);
+}
+
+static isc_result_t
+do_addzone(named_server_t *server, ns_cfgctx_t *cfg, dns_view_t *view,
+	   dns_name_t *name, cfg_obj_t *zoneconf, const cfg_obj_t *zoneobj,
+	   bool redirect, isc_buffer_t **text) {
+	isc_result_t result, tresult;
+	dns_zone_t *zone = NULL;
+#ifndef HAVE_LMDB
+	FILE *fp = NULL;
+	bool cleanup_config = false;
+#else /* HAVE_LMDB */
+	MDB_txn *txn = NULL;
+	MDB_dbi dbi;
+	bool locked = false;
+
+	UNUSED(zoneconf);
+#endif
+
+	/* Zone shouldn't already exist */
+	if (redirect) {
+		result = (view->redirect != NULL) ? ISC_R_SUCCESS
+						  : ISC_R_NOTFOUND;
+	} else {
+		result = dns_zt_find(view->zonetable, name, 0, NULL, &zone);
+	}
+	if (result == ISC_R_SUCCESS) {
+		result = ISC_R_EXISTS;
+		goto cleanup;
+	} else if (result == DNS_R_PARTIALMATCH) {
+		/* Create our sub-zone anyway */
+		dns_zone_detach(&zone);
+		zone = NULL;
+	} else if (result != ISC_R_NOTFOUND) {
+		goto cleanup;
+	}
+
+	result = isc_task_beginexclusive(server->task);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+#ifndef HAVE_LMDB
+	/*
+	 * Make sure we can open the configuration save file
+	 */
+	result = isc_stdio_open(view->new_zone_file, "a", &fp);
+	if (result != ISC_R_SUCCESS) {
+		isc_task_endexclusive(server->task);
+		TCHECK(putstr(text, "unable to create '"));
+		TCHECK(putstr(text, view->new_zone_file));
+		TCHECK(putstr(text, "': "));
+		TCHECK(putstr(text, isc_result_totext(result)));
+		goto cleanup;
+	}
+
+	(void)isc_stdio_close(fp);
+	fp = NULL;
+#else  /* HAVE_LMDB */
+	LOCK(&view->new_zone_lock);
+	locked = true;
+	/* Make sure we can open the NZD database */
+	result = nzd_writable(view);
+	if (result != ISC_R_SUCCESS) {
+		isc_task_endexclusive(server->task);
+		TCHECK(putstr(text, "unable to open NZD database for '"));
+		TCHECK(putstr(text, view->new_zone_db));
+		TCHECK(putstr(text, "'"));
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+#endif /* HAVE_LMDB */
+
+	/* Mark view unfrozen and configure zone */
+	dns_view_thaw(view);
+	result = configure_zone(cfg->config, zoneobj, cfg->vconfig,
+				server->mctx, view, &server->viewlist,
+				&server->kasplist, cfg->actx, true, false,
+				false);
+	dns_view_freeze(view);
+
+	isc_task_endexclusive(server->task);
+
+	if (result != ISC_R_SUCCESS) {
+		TCHECK(putstr(text, "configure_zone failed: "));
+		TCHECK(putstr(text, isc_result_totext(result)));
+		goto cleanup;
+	}
+
+	/* Is it there yet? */
+	if (redirect) {
+		if (view->redirect == NULL) {
+			CHECK(ISC_R_NOTFOUND);
+		}
+		dns_zone_attach(view->redirect, &zone);
+	} else {
+		result = dns_zt_find(view->zonetable, name, 0, NULL, &zone);
+		if (result != ISC_R_SUCCESS) {
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "added new zone was not found: %s",
+				      isc_result_totext(result));
+			goto cleanup;
+		}
+	}
+
+#ifndef HAVE_LMDB
+	/*
+	 * If there wasn't a previous newzone config, just save the one
+	 * we've created. If there was a previous one, merge the new
+	 * zone into it.
+	 */
+	if (cfg->nzf_config == NULL) {
+		cfg_obj_attach(zoneconf, &cfg->nzf_config);
+	} else {
+		cfg_obj_t *z;
+		DE_CONST(zoneobj, z);
+		CHECK(cfg_parser_mapadd(cfg->add_parser, cfg->nzf_config, z,
+					"zone"));
+	}
+	cleanup_config = true;
+#endif /* HAVE_LMDB */
+
+	/*
+	 * Load the zone from the master file.  If this fails, we'll
+	 * need to undo the configuration we've done already.
+	 */
+	result = dns_zone_load(zone, true);
+	if (result != ISC_R_SUCCESS) {
+		dns_db_t *dbp = NULL;
+
+		TCHECK(putstr(text, "dns_zone_loadnew failed: "));
+		TCHECK(putstr(text, isc_result_totext(result)));
+
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+			      "addzone failed; reverting.");
+
+		/* If the zone loaded partially, unload it */
+		if (dns_zone_getdb(zone, &dbp) == ISC_R_SUCCESS) {
+			dns_db_detach(&dbp);
+			dns_zone_unload(zone);
+		}
+
+		/* Remove the zone from the zone table */
+		dns_zt_unmount(view->zonetable, zone);
+		goto cleanup;
+	}
+
+	/* Flag the zone as having been added at runtime */
+	dns_zone_setadded(zone, true);
+
+#ifdef HAVE_LMDB
+	/* Save the new zone configuration into the NZD */
+	CHECK(nzd_open(view, 0, &txn, &dbi));
+	CHECK(nzd_save(&txn, dbi, zone, zoneobj));
+#else  /* ifdef HAVE_LMDB */
+	/* Append the zone configuration to the NZF */
+	result = nzf_append(view, zoneobj);
+#endif /* HAVE_LMDB */
+
+cleanup:
+
+#ifndef HAVE_LMDB
+	if (fp != NULL) {
+		(void)isc_stdio_close(fp);
+	}
+	if (result != ISC_R_SUCCESS && cleanup_config) {
+		tresult = delete_zoneconf(view, cfg->add_parser,
+					  cfg->nzf_config, name, NULL);
+		RUNTIME_CHECK(tresult == ISC_R_SUCCESS);
+	}
+#else  /* HAVE_LMDB */
+	if (txn != NULL) {
+		(void)nzd_close(&txn, false);
+	}
+	if (locked) {
+		UNLOCK(&view->new_zone_lock);
+	}
+#endif /* HAVE_LMDB */
+
+	if (zone != NULL) {
+		dns_zone_detach(&zone);
+	}
+
+	return (result);
+}
+
+static isc_result_t
+do_modzone(named_server_t *server, ns_cfgctx_t *cfg, dns_view_t *view,
+	   dns_name_t *name, const char *zname, const cfg_obj_t *zoneobj,
+	   bool redirect, isc_buffer_t **text) {
+	isc_result_t result, tresult;
+	dns_zone_t *zone = NULL;
+	bool added;
+	bool exclusive = false;
+#ifndef HAVE_LMDB
+	FILE *fp = NULL;
+	cfg_obj_t *z;
+#else  /* HAVE_LMDB */
+	MDB_txn *txn = NULL;
+	MDB_dbi dbi;
+	bool locked = false;
+#endif /* HAVE_LMDB */
+
+	/* Zone must already exist */
+	if (redirect) {
+		if (view->redirect != NULL) {
+			dns_zone_attach(view->redirect, &zone);
+			result = ISC_R_SUCCESS;
+		} else {
+			result = ISC_R_NOTFOUND;
+		}
+	} else {
+		result = dns_zt_find(view->zonetable, name, 0, NULL, &zone);
+	}
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	added = dns_zone_getadded(zone);
+	dns_zone_detach(&zone);
+
+#ifndef HAVE_LMDB
+	cfg = (ns_cfgctx_t *)view->new_zone_config;
+	if (cfg == NULL) {
+		TCHECK(putstr(text, "new zone config is not set"));
+		CHECK(ISC_R_FAILURE);
+	}
+#endif /* ifndef HAVE_LMDB */
+
+	result = isc_task_beginexclusive(server->task);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	exclusive = true;
+
+#ifndef HAVE_LMDB
+	/* Make sure we can open the configuration save file */
+	result = isc_stdio_open(view->new_zone_file, "a", &fp);
+	if (result != ISC_R_SUCCESS) {
+		TCHECK(putstr(text, "unable to open '"));
+		TCHECK(putstr(text, view->new_zone_file));
+		TCHECK(putstr(text, "': "));
+		TCHECK(putstr(text, isc_result_totext(result)));
+		goto cleanup;
+	}
+	(void)isc_stdio_close(fp);
+	fp = NULL;
+#else  /* HAVE_LMDB */
+	LOCK(&view->new_zone_lock);
+	locked = true;
+	/* Make sure we can open the NZD database */
+	result = nzd_writable(view);
+	if (result != ISC_R_SUCCESS) {
+		TCHECK(putstr(text, "unable to open NZD database for '"));
+		TCHECK(putstr(text, view->new_zone_db));
+		TCHECK(putstr(text, "'"));
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+#endif /* HAVE_LMDB */
+
+	/* Reconfigure the zone */
+	dns_view_thaw(view);
+	result = configure_zone(cfg->config, zoneobj, cfg->vconfig,
+				server->mctx, view, &server->viewlist,
+				&server->kasplist, cfg->actx, true, false,
+				true);
+	dns_view_freeze(view);
+
+	exclusive = false;
+	isc_task_endexclusive(server->task);
+
+	if (result != ISC_R_SUCCESS) {
+		TCHECK(putstr(text, "configure_zone failed: "));
+		TCHECK(putstr(text, isc_result_totext(result)));
+		goto cleanup;
+	}
+
+	/* Is it there yet? */
+	if (redirect) {
+		if (view->redirect == NULL) {
+			CHECK(ISC_R_NOTFOUND);
+		}
+		dns_zone_attach(view->redirect, &zone);
+	} else {
+		CHECK(dns_zt_find(view->zonetable, name, 0, NULL, &zone));
+	}
+
+#ifndef HAVE_LMDB
+	/* Remove old zone from configuration (and NZF file if applicable) */
+	if (added) {
+		result = delete_zoneconf(view, cfg->add_parser, cfg->nzf_config,
+					 dns_zone_getorigin(zone),
+					 nzf_writeconf);
+		if (result != ISC_R_SUCCESS) {
+			TCHECK(putstr(text, "former zone configuration "
+					    "not deleted: "));
+			TCHECK(putstr(text, isc_result_totext(result)));
+			goto cleanup;
+		}
+	}
+#endif /* HAVE_LMDB */
+
+	if (!added) {
+		if (cfg->vconfig == NULL) {
+			result = delete_zoneconf(
+				view, cfg->conf_parser, cfg->config,
+				dns_zone_getorigin(zone), NULL);
+		} else {
+			const cfg_obj_t *voptions = cfg_tuple_get(cfg->vconfig,
+								  "options");
+			result = delete_zoneconf(
+				view, cfg->conf_parser, voptions,
+				dns_zone_getorigin(zone), NULL);
+		}
+
+		if (result != ISC_R_SUCCESS) {
+			TCHECK(putstr(text, "former zone configuration "
+					    "not deleted: "));
+			TCHECK(putstr(text, isc_result_totext(result)));
+			goto cleanup;
+		}
+	}
+
+	/* Load the zone from the master file if it needs reloading. */
+	result = dns_zone_load(zone, true);
+
+	/*
+	 * Dynamic zones need no reloading, so we can pass this result.
+	 */
+	if (result == DNS_R_DYNAMIC) {
+		result = ISC_R_SUCCESS;
+	}
+
+	if (result != ISC_R_SUCCESS) {
+		dns_db_t *dbp = NULL;
+
+		TCHECK(putstr(text, "failed to load zone '"));
+		TCHECK(putstr(text, zname));
+		TCHECK(putstr(text, "': "));
+		TCHECK(putstr(text, isc_result_totext(result)));
+		TCHECK(putstr(text, "\nThe zone is no longer being served. "));
+		TCHECK(putstr(text, "Use 'rndc addzone' to correct\n"));
+		TCHECK(putstr(text, "the problem and restore service."));
+
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+			      "modzone failed; removing zone.");
+
+		/* If the zone loaded partially, unload it */
+		if (dns_zone_getdb(zone, &dbp) == ISC_R_SUCCESS) {
+			dns_db_detach(&dbp);
+			dns_zone_unload(zone);
+		}
+
+		/* Remove the zone from the zone table */
+		dns_zt_unmount(view->zonetable, zone);
+		goto cleanup;
+	}
+
+#ifndef HAVE_LMDB
+	/* Store the new zone configuration; also in NZF if applicable */
+	DE_CONST(zoneobj, z);
+	CHECK(cfg_parser_mapadd(cfg->add_parser, cfg->nzf_config, z, "zone"));
+#endif /* HAVE_LMDB */
+
+	if (added) {
+#ifdef HAVE_LMDB
+		CHECK(nzd_open(view, 0, &txn, &dbi));
+		CHECK(nzd_save(&txn, dbi, zone, zoneobj));
+#else  /* ifdef HAVE_LMDB */
+		result = nzf_append(view, zoneobj);
+		if (result != ISC_R_SUCCESS) {
+			TCHECK(putstr(text, "\nNew zone config not saved: "));
+			TCHECK(putstr(text, isc_result_totext(result)));
+			goto cleanup;
+		}
+#endif /* HAVE_LMDB */
+
+		TCHECK(putstr(text, "zone '"));
+		TCHECK(putstr(text, zname));
+		TCHECK(putstr(text, "' reconfigured."));
+	} else {
+		TCHECK(putstr(text, "zone '"));
+		TCHECK(putstr(text, zname));
+		TCHECK(putstr(text, "' must also be reconfigured in\n"));
+		TCHECK(putstr(text, "named.conf to make changes permanent."));
+	}
+
+cleanup:
+	if (exclusive) {
+		isc_task_endexclusive(server->task);
+	}
+
+#ifndef HAVE_LMDB
+	if (fp != NULL) {
+		(void)isc_stdio_close(fp);
+	}
+#else  /* HAVE_LMDB */
+	if (txn != NULL) {
+		(void)nzd_close(&txn, false);
+	}
+	if (locked) {
+		UNLOCK(&view->new_zone_lock);
+	}
+#endif /* HAVE_LMDB */
+
+	if (zone != NULL) {
+		dns_zone_detach(&zone);
+	}
+
+	return (result);
+}
+
+/*
+ * Act on an "addzone" or "modzone" command from the command channel.
+ */
+isc_result_t
+named_server_changezone(named_server_t *server, char *command,
+			isc_buffer_t **text) {
+	isc_result_t result;
+	bool addzone;
+	bool redirect = false;
+	ns_cfgctx_t *cfg = NULL;
+	cfg_obj_t *zoneconf = NULL;
+	const cfg_obj_t *zoneobj = NULL;
+	const char *zonename;
+	dns_view_t *view = NULL;
+	isc_buffer_t buf;
+	dns_fixedname_t fname;
+	dns_name_t *dnsname;
+
+	REQUIRE(text != NULL);
+
+	if (strncasecmp(command, "add", 3) == 0) {
+		addzone = true;
+	} else {
+		INSIST(strncasecmp(command, "mod", 3) == 0);
+		addzone = false;
+	}
+
+	CHECK(newzone_parse(server, command, &view, &zoneconf, &zoneobj,
+			    &redirect, text));
+
+	/* Are we accepting new zones in this view? */
+#ifdef HAVE_LMDB
+	if (view->new_zone_db == NULL)
+#else  /* ifdef HAVE_LMDB */
+	if (view->new_zone_file == NULL)
+#endif /* HAVE_LMDB */
+	{
+		(void)putstr(text, "Not allowing new zones in view '");
+		(void)putstr(text, view->name);
+		(void)putstr(text, "'");
+		result = ISC_R_NOPERM;
+		goto cleanup;
+	}
+
+	cfg = (ns_cfgctx_t *)view->new_zone_config;
+	if (cfg == NULL) {
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+
+	zonename = cfg_obj_asstring(cfg_tuple_get(zoneobj, "name"));
+	isc_buffer_constinit(&buf, zonename, strlen(zonename));
+	isc_buffer_add(&buf, strlen(zonename));
+
+	dnsname = dns_fixedname_initname(&fname);
+	CHECK(dns_name_fromtext(dnsname, &buf, dns_rootname, 0, NULL));
+
+	if (redirect) {
+		if (!dns_name_equal(dnsname, dns_rootname)) {
+			(void)putstr(text, "redirect zones must be called "
+					   "\".\"");
+			CHECK(ISC_R_FAILURE);
+		}
+	}
+
+	if (addzone) {
+		CHECK(do_addzone(server, cfg, view, dnsname, zoneconf, zoneobj,
+				 redirect, text));
+	} else {
+		CHECK(do_modzone(server, cfg, view, dnsname, zonename, zoneobj,
+				 redirect, text));
+	}
+
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+		      "%s zone %s in view %s via %s",
+		      addzone ? "added" : "updated", zonename, view->name,
+		      addzone ? NAMED_COMMAND_ADDZONE : NAMED_COMMAND_MODZONE);
+
+	/* Changing a zone counts as reconfiguration */
+	CHECK(isc_time_now(&named_g_configtime));
+
+cleanup:
+	if (isc_buffer_usedlength(*text) > 0) {
+		(void)putnull(text);
+	}
+	if (zoneconf != NULL) {
+		cfg_obj_destroy(named_g_addparser, &zoneconf);
+	}
+	if (view != NULL) {
+		dns_view_detach(&view);
+	}
+
+	return (result);
+}
+
+static bool
+inuse(const char *file, bool first, isc_buffer_t **text) {
+	if (file != NULL && isc_file_exists(file)) {
+		if (first) {
+			(void)putstr(text, "The following files were in use "
+					   "and may now be removed:\n");
+		} else {
+			(void)putstr(text, "\n");
+		}
+		(void)putstr(text, file);
+		(void)putnull(text);
+		return (false);
+	}
+	return (first);
+}
+
+typedef struct {
+	dns_zone_t *zone;
+	bool cleanup;
+} ns_dzctx_t;
+
+/*
+ * Carry out a zone deletion scheduled by named_server_delzone().
+ */
+static void
+rmzone(isc_task_t *task, isc_event_t *event) {
+	ns_dzctx_t *dz = (ns_dzctx_t *)event->ev_arg;
+	dns_zone_t *zone = NULL, *raw = NULL, *mayberaw = NULL;
+	dns_catz_zone_t *catz = NULL;
+	char zonename[DNS_NAME_FORMATSIZE];
+	dns_view_t *view = NULL;
+	ns_cfgctx_t *cfg = NULL;
+	dns_db_t *dbp = NULL;
+	bool added;
+	isc_result_t result;
+#ifdef HAVE_LMDB
+	MDB_txn *txn = NULL;
+	MDB_dbi dbi;
+#endif /* ifdef HAVE_LMDB */
+
+	REQUIRE(dz != NULL);
+
+	isc_event_free(&event);
+
+	/* Dig out configuration for this zone */
+	zone = dz->zone;
+	view = dns_zone_getview(zone);
+	cfg = (ns_cfgctx_t *)view->new_zone_config;
+	dns_name_format(dns_zone_getorigin(zone), zonename, sizeof(zonename));
+
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+		      "deleting zone %s in view %s via delzone", zonename,
+		      view->name);
+
+	/*
+	 * Remove the zone from configuration (and NZF file if applicable)
+	 * (If this is a catalog zone member then nzf_config can be NULL)
+	 */
+	added = dns_zone_getadded(zone);
+	catz = dns_zone_get_parentcatz(zone);
+
+	if (added && catz == NULL && cfg != NULL) {
+#ifdef HAVE_LMDB
+		/* Make sure we can open the NZD database */
+		LOCK(&view->new_zone_lock);
+		result = nzd_open(view, 0, &txn, &dbi);
+		if (result != ISC_R_SUCCESS) {
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "unable to open NZD database for '%s'",
+				      view->new_zone_db);
+		} else {
+			result = nzd_save(&txn, dbi, zone, NULL);
+		}
+
+		if (result != ISC_R_SUCCESS) {
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "unable to delete zone configuration: %s",
+				      isc_result_totext(result));
+		}
+
+		if (txn != NULL) {
+			(void)nzd_close(&txn, false);
+		}
+		UNLOCK(&view->new_zone_lock);
+#else  /* ifdef HAVE_LMDB */
+		result = delete_zoneconf(view, cfg->add_parser, cfg->nzf_config,
+					 dns_zone_getorigin(zone),
+					 nzf_writeconf);
+		if (result != ISC_R_SUCCESS) {
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "unable to delete zone configuration: %s",
+				      isc_result_totext(result));
+		}
+#endif /* HAVE_LMDB */
+	}
+
+	if (!added && cfg != NULL) {
+		if (cfg->vconfig != NULL) {
+			const cfg_obj_t *voptions = cfg_tuple_get(cfg->vconfig,
+								  "options");
+			result = delete_zoneconf(
+				view, cfg->conf_parser, voptions,
+				dns_zone_getorigin(zone), NULL);
+		} else {
+			result = delete_zoneconf(
+				view, cfg->conf_parser, cfg->config,
+				dns_zone_getorigin(zone), NULL);
+		}
+		if (result != ISC_R_SUCCESS) {
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "unable to delete zone configuration: %s",
+				      isc_result_totext(result));
+		}
+	}
+
+	/* Unload zone database */
+	if (dns_zone_getdb(zone, &dbp) == ISC_R_SUCCESS) {
+		dns_db_detach(&dbp);
+		dns_zone_unload(zone);
+	}
+
+	/* Clean up stub/slave zone files if requested to do so */
+	dns_zone_getraw(zone, &raw);
+	mayberaw = (raw != NULL) ? raw : zone;
+
+	if (added && dz->cleanup) {
+		const char *file;
+
+		file = dns_zone_getfile(mayberaw);
+		result = isc_file_remove(file);
+		if (result != ISC_R_SUCCESS) {
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING,
+				      "file %s not removed: %s", file,
+				      isc_result_totext(result));
+		}
+
+		file = dns_zone_getjournal(mayberaw);
+		result = isc_file_remove(file);
+		if (result != ISC_R_SUCCESS) {
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING,
+				      "file %s not removed: %s", file,
+				      isc_result_totext(result));
+		}
+
+		if (zone != mayberaw) {
+			file = dns_zone_getfile(zone);
+			result = isc_file_remove(file);
+			if (result != ISC_R_SUCCESS) {
+				isc_log_write(
+					named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+					NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING,
+					"file %s not removed: %s", file,
+					isc_result_totext(result));
+			}
+
+			file = dns_zone_getjournal(zone);
+			result = isc_file_remove(file);
+			if (result != ISC_R_SUCCESS) {
+				isc_log_write(
+					named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+					NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING,
+					"file %s not removed: %s", file,
+					isc_result_totext(result));
+			}
+		}
+	}
+
+	if (raw != NULL) {
+		dns_zone_detach(&raw);
+	}
+	dns_zone_detach(&zone);
+	isc_mem_put(named_g_mctx, dz, sizeof(*dz));
+	isc_task_detach(&task);
+}
+
+/*
+ * Act on a "delzone" command from the command channel.
+ */
+isc_result_t
+named_server_delzone(named_server_t *server, isc_lex_t *lex,
+		     isc_buffer_t **text) {
+	isc_result_t result, tresult;
+	dns_zone_t *zone = NULL;
+	dns_zone_t *raw = NULL;
+	dns_zone_t *mayberaw;
+	dns_view_t *view = NULL;
+	char zonename[DNS_NAME_FORMATSIZE];
+	bool cleanup = false;
+	const char *ptr;
+	bool added;
+	ns_dzctx_t *dz = NULL;
+	isc_event_t *dzevent = NULL;
+	isc_task_t *task = NULL;
+
+	REQUIRE(text != NULL);
+
+	/* Skip the command name. */
+	ptr = next_token(lex, text);
+	if (ptr == NULL) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	/* Find out what we are to do. */
+	ptr = next_token(lex, text);
+	if (ptr == NULL) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	if (strcmp(ptr, "-clean") == 0 || strcmp(ptr, "-clear") == 0) {
+		cleanup = true;
+		ptr = next_token(lex, text);
+	}
+
+	CHECK(zone_from_args(server, lex, ptr, &zone, zonename, text, false));
+	if (zone == NULL) {
+		result = ISC_R_UNEXPECTEDEND;
+		goto cleanup;
+	}
+
+	INSIST(zonename != NULL);
+
+	/* Is this a policy zone? */
+	if (dns_zone_get_rpz_num(zone) != DNS_RPZ_INVALID_NUM) {
+		TCHECK(putstr(text, "zone '"));
+		TCHECK(putstr(text, zonename));
+		TCHECK(putstr(text,
+			      "' cannot be deleted: response-policy zone."));
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+
+	view = dns_zone_getview(zone);
+	if (dns_zone_gettype(zone) == dns_zone_redirect) {
+		dns_zone_detach(&view->redirect);
+	} else {
+		CHECK(dns_zt_unmount(view->zonetable, zone));
+	}
+
+	/* Send cleanup event */
+	dz = isc_mem_get(named_g_mctx, sizeof(*dz));
+
+	dz->cleanup = cleanup;
+	dz->zone = NULL;
+	dns_zone_attach(zone, &dz->zone);
+	dzevent = isc_event_allocate(named_g_mctx, server, NAMED_EVENT_DELZONE,
+				     rmzone, dz, sizeof(isc_event_t));
+
+	dns_zone_gettask(zone, &task);
+	isc_task_send(task, &dzevent);
+	dz = NULL;
+
+	/* Inform user about cleaning up stub/slave zone files */
+	dns_zone_getraw(zone, &raw);
+	mayberaw = (raw != NULL) ? raw : zone;
+
+	added = dns_zone_getadded(zone);
+	if (!added) {
+		TCHECK(putstr(text, "zone '"));
+		TCHECK(putstr(text, zonename));
+		TCHECK(putstr(text, "' is no longer active and will be "
+				    "deleted.\n"));
+		TCHECK(putstr(text, "To keep it from returning "));
+		TCHECK(putstr(text, "when the server is restarted, it\n"));
+		TCHECK(putstr(text, "must also be removed from named.conf."));
+	} else if (cleanup) {
+		TCHECK(putstr(text, "zone '"));
+		TCHECK(putstr(text, zonename));
+		TCHECK(putstr(text, "' and associated files will be deleted."));
+	} else if (dns_zone_gettype(mayberaw) == dns_zone_secondary ||
+		   dns_zone_gettype(mayberaw) == dns_zone_mirror ||
+		   dns_zone_gettype(mayberaw) == dns_zone_stub)
+	{
+		bool first;
+		const char *file;
+
+		TCHECK(putstr(text, "zone '"));
+		TCHECK(putstr(text, zonename));
+		TCHECK(putstr(text, "' will be deleted."));
+
+		file = dns_zone_getfile(mayberaw);
+		first = inuse(file, true, text);
+
+		file = dns_zone_getjournal(mayberaw);
+		first = inuse(file, first, text);
+
+		if (zone != mayberaw) {
+			file = dns_zone_getfile(zone);
+			first = inuse(file, first, text);
+
+			file = dns_zone_getjournal(zone);
+			(void)inuse(file, first, text);
+		}
+	}
+
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+		      "zone %s scheduled for removal via delzone", zonename);
+
+	/* Removing a zone counts as reconfiguration */
+	CHECK(isc_time_now(&named_g_configtime));
+
+	result = ISC_R_SUCCESS;
+
+cleanup:
+	if (isc_buffer_usedlength(*text) > 0) {
+		(void)putnull(text);
+	}
+	if (raw != NULL) {
+		dns_zone_detach(&raw);
+	}
+	if (zone != NULL) {
+		dns_zone_detach(&zone);
+	}
+
+	return (result);
+}
+
+static const cfg_obj_t *
+find_name_in_list_from_map(const cfg_obj_t *config,
+			   const char *map_key_for_list, const char *name,
+			   bool redirect) {
+	const cfg_obj_t *list = NULL;
+	const cfg_listelt_t *element;
+	const cfg_obj_t *obj = NULL;
+	dns_fixedname_t fixed1, fixed2;
+	dns_name_t *name1 = NULL, *name2 = NULL;
+	isc_result_t result;
+
+	if (strcmp(map_key_for_list, "zone") == 0) {
+		name1 = dns_fixedname_initname(&fixed1);
+		name2 = dns_fixedname_initname(&fixed2);
+		result = dns_name_fromstring(name1, name, 0, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	}
+
+	cfg_map_get(config, map_key_for_list, &list);
+	for (element = cfg_list_first(list); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		const char *vname;
+
+		obj = cfg_listelt_value(element);
+		INSIST(obj != NULL);
+		vname = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
+		if (vname == NULL) {
+			obj = NULL;
+			continue;
+		}
+
+		if (name1 != NULL) {
+			result = dns_name_fromstring(name2, vname, 0, NULL);
+			if (result == ISC_R_SUCCESS &&
+			    dns_name_equal(name1, name2))
+			{
+				const cfg_obj_t *zoptions;
+				const cfg_obj_t *typeobj = NULL;
+				zoptions = cfg_tuple_get(obj, "options");
+
+				if (zoptions != NULL) {
+					cfg_map_get(zoptions, "type", &typeobj);
+				}
+				if (redirect && typeobj != NULL &&
+				    strcasecmp(cfg_obj_asstring(typeobj),
+					       "redirect") == 0)
+				{
+					break;
+				} else if (!redirect) {
+					break;
+				}
+			}
+		} else if (strcasecmp(vname, name) == 0) {
+			break;
+		}
+
+		obj = NULL;
+	}
+
+	return (obj);
+}
+
+static void
+emitzone(void *arg, const char *buf, int len) {
+	ns_dzarg_t *dzarg = arg;
+	isc_result_t result;
+
+	REQUIRE(dzarg != NULL && ISC_MAGIC_VALID(dzarg, DZARG_MAGIC));
+	result = putmem(dzarg->text, buf, len);
+	if (result != ISC_R_SUCCESS && dzarg->result == ISC_R_SUCCESS) {
+		dzarg->result = result;
+	}
+}
+
+/*
+ * Act on a "showzone" command from the command channel.
+ */
+isc_result_t
+named_server_showzone(named_server_t *server, isc_lex_t *lex,
+		      isc_buffer_t **text) {
+	isc_result_t result;
+	const cfg_obj_t *vconfig = NULL, *zconfig = NULL;
+	char zonename[DNS_NAME_FORMATSIZE];
+	const cfg_obj_t *map;
+	dns_view_t *view = NULL;
+	dns_zone_t *zone = NULL;
+	ns_cfgctx_t *cfg = NULL;
+#ifdef HAVE_LMDB
+	cfg_obj_t *nzconfig = NULL;
+#endif /* HAVE_LMDB */
+	bool added, redirect;
+	ns_dzarg_t dzarg;
+
+	REQUIRE(text != NULL);
+
+	/* Parse parameters */
+	CHECK(zone_from_args(server, lex, NULL, &zone, zonename, text, true));
+	if (zone == NULL) {
+		result = ISC_R_UNEXPECTEDEND;
+		goto cleanup;
+	}
+
+	redirect = dns_zone_gettype(zone) == dns_zone_redirect;
+	added = dns_zone_getadded(zone);
+	view = dns_zone_getview(zone);
+	dns_zone_detach(&zone);
+
+	cfg = (ns_cfgctx_t *)view->new_zone_config;
+	if (cfg == NULL) {
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+
+	if (!added) {
+		/* Find the view statement */
+		vconfig = find_name_in_list_from_map(cfg->config, "view",
+						     view->name, false);
+
+		/* Find the zone statement */
+		if (vconfig != NULL) {
+			map = cfg_tuple_get(vconfig, "options");
+		} else {
+			map = cfg->config;
+		}
+
+		zconfig = find_name_in_list_from_map(map, "zone", zonename,
+						     redirect);
+	}
+
+#ifndef HAVE_LMDB
+	if (zconfig == NULL && cfg->nzf_config != NULL) {
+		zconfig = find_name_in_list_from_map(cfg->nzf_config, "zone",
+						     zonename, redirect);
+	}
+#else  /* HAVE_LMDB */
+	if (zconfig == NULL) {
+		const cfg_obj_t *zlist = NULL;
+		CHECK(get_newzone_config(view, zonename, &nzconfig));
+		CHECK(cfg_map_get(nzconfig, "zone", &zlist));
+		if (!cfg_obj_islist(zlist)) {
+			CHECK(ISC_R_FAILURE);
+		}
+
+		zconfig = cfg_listelt_value(cfg_list_first(zlist));
+	}
+#endif /* HAVE_LMDB */
+
+	if (zconfig == NULL) {
+		CHECK(ISC_R_NOTFOUND);
+	}
+
+	CHECK(putstr(text, "zone "));
+	dzarg.magic = DZARG_MAGIC;
+	dzarg.text = text;
+	dzarg.result = ISC_R_SUCCESS;
+	cfg_printx(zconfig, CFG_PRINTER_ONELINE, emitzone, &dzarg);
+	CHECK(dzarg.result);
+
+	CHECK(putstr(text, ";"));
+
+	result = ISC_R_SUCCESS;
+
+cleanup:
+#ifdef HAVE_LMDB
+	if (nzconfig != NULL) {
+		cfg_obj_destroy(named_g_addparser, &nzconfig);
+	}
+#endif /* HAVE_LMDB */
+	if (isc_buffer_usedlength(*text) > 0) {
+		(void)putnull(text);
+	}
+
+	return (result);
+}
+
+static void
+newzone_cfgctx_destroy(void **cfgp) {
+	ns_cfgctx_t *cfg;
+
+	REQUIRE(cfgp != NULL && *cfgp != NULL);
+
+	cfg = *cfgp;
+
+	if (cfg->conf_parser != NULL) {
+		if (cfg->config != NULL) {
+			cfg_obj_destroy(cfg->conf_parser, &cfg->config);
+		}
+		if (cfg->vconfig != NULL) {
+			cfg_obj_destroy(cfg->conf_parser, &cfg->vconfig);
+		}
+		cfg_parser_destroy(&cfg->conf_parser);
+	}
+	if (cfg->add_parser != NULL) {
+		if (cfg->nzf_config != NULL) {
+			cfg_obj_destroy(cfg->add_parser, &cfg->nzf_config);
+		}
+		cfg_parser_destroy(&cfg->add_parser);
+	}
+
+	if (cfg->actx != NULL) {
+		cfg_aclconfctx_detach(&cfg->actx);
+	}
+
+	isc_mem_putanddetach(&cfg->mctx, cfg, sizeof(*cfg));
+	*cfgp = NULL;
+}
+
+isc_result_t
+named_server_signing(named_server_t *server, isc_lex_t *lex,
+		     isc_buffer_t **text) {
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_zone_t *zone = NULL;
+	dns_name_t *origin;
+	dns_db_t *db = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_dbversion_t *version = NULL;
+	dns_rdatatype_t privatetype;
+	dns_rdataset_t privset;
+	bool first = true;
+	bool list = false, clear = false;
+	bool chain = false;
+	bool setserial = false;
+	bool resalt = false;
+	uint32_t serial = 0;
+	char keystr[DNS_SECALG_FORMATSIZE + 7]; /* <5-digit keyid>/<alg> */
+	unsigned short hash = 0, flags = 0, iter = 0, saltlen = 0;
+	unsigned char salt[255];
+	const char *ptr;
+	size_t n;
+
+	REQUIRE(text != NULL);
+
+	dns_rdataset_init(&privset);
+
+	/* Skip the command name. */
+	ptr = next_token(lex, text);
+	if (ptr == NULL) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	/* Find out what we are to do. */
+	ptr = next_token(lex, text);
+	if (ptr == NULL) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	if (strcasecmp(ptr, "-list") == 0) {
+		list = true;
+	} else if ((strcasecmp(ptr, "-clear") == 0) ||
+		   (strcasecmp(ptr, "-clean") == 0))
+	{
+		clear = true;
+		ptr = next_token(lex, text);
+		if (ptr == NULL) {
+			return (ISC_R_UNEXPECTEDEND);
+		}
+		strlcpy(keystr, ptr, sizeof(keystr));
+	} else if (strcasecmp(ptr, "-nsec3param") == 0) {
+		char hashbuf[64], flagbuf[64], iterbuf[64];
+		char nbuf[256];
+
+		chain = true;
+		ptr = next_token(lex, text);
+		if (ptr == NULL) {
+			return (ISC_R_UNEXPECTEDEND);
+		}
+
+		if (strcasecmp(ptr, "none") == 0) {
+			hash = 0;
+		} else {
+			strlcpy(hashbuf, ptr, sizeof(hashbuf));
+
+			ptr = next_token(lex, text);
+			if (ptr == NULL) {
+				return (ISC_R_UNEXPECTEDEND);
+			}
+			strlcpy(flagbuf, ptr, sizeof(flagbuf));
+
+			ptr = next_token(lex, text);
+			if (ptr == NULL) {
+				return (ISC_R_UNEXPECTEDEND);
+			}
+			strlcpy(iterbuf, ptr, sizeof(iterbuf));
+			n = snprintf(nbuf, sizeof(nbuf), "%s %s %s", hashbuf,
+				     flagbuf, iterbuf);
+			if (n == sizeof(nbuf)) {
+				return (ISC_R_NOSPACE);
+			}
+			n = sscanf(nbuf, "%hu %hu %hu", &hash, &flags, &iter);
+			if (n != 3U) {
+				return (ISC_R_BADNUMBER);
+			}
+
+			if (hash > 0xffU || flags > 0xffU ||
+			    iter > dns_nsec3_maxiterations())
+			{
+				return (ISC_R_RANGE);
+			}
+
+			ptr = next_token(lex, text);
+			if (ptr == NULL) {
+				return (ISC_R_UNEXPECTEDEND);
+			} else if (strcasecmp(ptr, "auto") == 0) {
+				/* Auto-generate a random salt.
+				 * XXXMUKS: This currently uses the
+				 * minimum recommended length by RFC
+				 * 5155 (64 bits). It should be made
+				 * configurable.
+				 */
+				saltlen = 8;
+				resalt = true;
+			} else if (strcmp(ptr, "-") != 0) {
+				isc_buffer_t buf;
+
+				isc_buffer_init(&buf, salt, sizeof(salt));
+				CHECK(isc_hex_decodestring(ptr, &buf));
+				saltlen = isc_buffer_usedlength(&buf);
+			}
+		}
+	} else if (strcasecmp(ptr, "-serial") == 0) {
+		ptr = next_token(lex, text);
+		if (ptr == NULL) {
+			return (ISC_R_UNEXPECTEDEND);
+		}
+		CHECK(isc_parse_uint32(&serial, ptr, 10));
+		setserial = true;
+	} else {
+		CHECK(DNS_R_SYNTAX);
+	}
+
+	CHECK(zone_from_args(server, lex, NULL, &zone, NULL, text, false));
+	if (zone == NULL) {
+		CHECK(ISC_R_UNEXPECTEDEND);
+	}
+
+	if (dns_zone_getkasp(zone) != NULL) {
+		(void)putstr(text, "zone uses dnssec-policy, use rndc dnssec "
+				   "command instead");
+		(void)putnull(text);
+		goto cleanup;
+	}
+
+	if (clear) {
+		CHECK(dns_zone_keydone(zone, keystr));
+		(void)putstr(text, "request queued");
+		(void)putnull(text);
+	} else if (chain) {
+		CHECK(dns_zone_setnsec3param(
+			zone, (uint8_t)hash, (uint8_t)flags, iter,
+			(uint8_t)saltlen, salt, true, resalt));
+		(void)putstr(text, "nsec3param request queued");
+		(void)putnull(text);
+	} else if (setserial) {
+		CHECK(dns_zone_setserial(zone, serial));
+		(void)putstr(text, "serial request queued");
+		(void)putnull(text);
+	} else if (list) {
+		privatetype = dns_zone_getprivatetype(zone);
+		origin = dns_zone_getorigin(zone);
+		CHECK(dns_zone_getdb(zone, &db));
+		CHECK(dns_db_findnode(db, origin, false, &node));
+		dns_db_currentversion(db, &version);
+
+		result = dns_db_findrdataset(db, node, version, privatetype,
+					     dns_rdatatype_none, 0, &privset,
+					     NULL);
+		if (result == ISC_R_NOTFOUND) {
+			(void)putstr(text, "No signing records found");
+			(void)putnull(text);
+			result = ISC_R_SUCCESS;
+			goto cleanup;
+		}
+
+		for (result = dns_rdataset_first(&privset);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&privset))
+		{
+			dns_rdata_t priv = DNS_RDATA_INIT;
+			/*
+			 * In theory, the output buffer could hold a full RDATA
+			 * record which is 16-bit and then some text around
+			 * it
+			 */
+			char output[UINT16_MAX + BUFSIZ];
+			isc_buffer_t buf;
+
+			dns_rdataset_current(&privset, &priv);
+
+			isc_buffer_init(&buf, output, sizeof(output));
+			CHECK(dns_private_totext(&priv, &buf));
+			if (!first) {
+				CHECK(putstr(text, "\n"));
+			}
+			CHECK(putstr(text, output));
+			first = false;
+		}
+		if (!first) {
+			CHECK(putnull(text));
+		}
+
+		if (result == ISC_R_NOMORE) {
+			result = ISC_R_SUCCESS;
+		}
+	}
+
+cleanup:
+	if (dns_rdataset_isassociated(&privset)) {
+		dns_rdataset_disassociate(&privset);
+	}
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+	if (version != NULL) {
+		dns_db_closeversion(db, &version, false);
+	}
+	if (db != NULL) {
+		dns_db_detach(&db);
+	}
+	if (zone != NULL) {
+		dns_zone_detach(&zone);
+	}
+
+	return (result);
+}
+
+static bool
+argcheck(char *cmd, const char *full) {
+	size_t l;
+
+	if (cmd == NULL || cmd[0] != '-') {
+		return (false);
+	}
+
+	cmd++;
+	l = strlen(cmd);
+	if (l > strlen(full) || strncasecmp(cmd, full, l) != 0) {
+		return (false);
+	}
+
+	return (true);
+}
+
+isc_result_t
+named_server_dnssec(named_server_t *server, isc_lex_t *lex,
+		    isc_buffer_t **text) {
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_zone_t *zone = NULL;
+	dns_kasp_t *kasp = NULL;
+	dns_dnsseckeylist_t keys;
+	dns_dnsseckey_t *key;
+	char *ptr, *zonetext = NULL;
+	const char *msg = NULL;
+	/* variables for -checkds */
+	bool checkds = false, dspublish = false;
+	/* variables for -rollover */
+	bool rollover = false;
+	/* variables for -key */
+	bool use_keyid = false;
+	dns_keytag_t keyid = 0;
+	uint8_t algorithm = 0;
+	/* variables for -status */
+	bool status = false;
+	char output[4096];
+	isc_stdtime_t now, when;
+	isc_time_t timenow, timewhen;
+	const char *dir;
+	dns_db_t *db = NULL;
+	dns_dbversion_t *version = NULL;
+
+	REQUIRE(text != NULL);
+
+	/* Skip the command name. */
+	ptr = next_token(lex, text);
+	if (ptr == NULL) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	/* Find out what we are to do. */
+	ptr = next_token(lex, text);
+	if (ptr == NULL) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	/* Initialize current time and key list. */
+	TIME_NOW(&timenow);
+	now = isc_time_seconds(&timenow);
+	when = now;
+
+	ISC_LIST_INIT(keys);
+
+	if (strcasecmp(ptr, "-status") == 0) {
+		status = true;
+	} else if (strcasecmp(ptr, "-rollover") == 0) {
+		rollover = true;
+	} else if (strcasecmp(ptr, "-checkds") == 0) {
+		checkds = true;
+	} else {
+		CHECK(DNS_R_SYNTAX);
+	}
+
+	if (rollover || checkds) {
+		/* Check for options */
+		for (;;) {
+			ptr = next_token(lex, text);
+			if (ptr == NULL) {
+				msg = "Bad format";
+				CHECK(ISC_R_UNEXPECTEDEND);
+			} else if (argcheck(ptr, "alg")) {
+				isc_consttextregion_t alg;
+				ptr = next_token(lex, text);
+				if (ptr == NULL) {
+					msg = "No key algorithm specified";
+					CHECK(ISC_R_UNEXPECTEDEND);
+				}
+				alg.base = ptr;
+				alg.length = strlen(alg.base);
+				result = dns_secalg_fromtext(
+					&algorithm, (isc_textregion_t *)&alg);
+				if (result != ISC_R_SUCCESS) {
+					msg = "Bad algorithm";
+					CHECK(DNS_R_SYNTAX);
+				}
+				continue;
+			} else if (argcheck(ptr, "key")) {
+				uint16_t id;
+				ptr = next_token(lex, text);
+				if (ptr == NULL) {
+					msg = "No key identifier specified";
+					CHECK(ISC_R_UNEXPECTEDEND);
+				}
+				CHECK(isc_parse_uint16(&id, ptr, 10));
+				keyid = (dns_keytag_t)id;
+				use_keyid = true;
+				continue;
+			} else if (argcheck(ptr, "when")) {
+				uint32_t tw;
+				ptr = next_token(lex, text);
+				if (ptr == NULL) {
+					msg = "No time specified";
+					CHECK(ISC_R_UNEXPECTEDEND);
+				}
+				CHECK(dns_time32_fromtext(ptr, &tw));
+				when = (isc_stdtime_t)tw;
+				continue;
+			} else if (ptr[0] == '-') {
+				msg = "Unknown option";
+				CHECK(DNS_R_SYNTAX);
+			} else if (checkds) {
+				/*
+				 * No arguments provided, so we must be
+				 * parsing "published|withdrawn".
+				 */
+				if (strcasecmp(ptr, "published") == 0) {
+					dspublish = true;
+				} else if (strcasecmp(ptr, "withdrawn") != 0) {
+					CHECK(DNS_R_SYNTAX);
+				}
+			} else if (rollover) {
+				/*
+				 * No arguments provided, so we must be
+				 * parsing the zone.
+				 */
+				zonetext = ptr;
+			}
+			break;
+		}
+
+		if (rollover && !use_keyid) {
+			msg = "Key id is required when scheduling rollover";
+			CHECK(DNS_R_SYNTAX);
+		}
+
+		if (algorithm > 0 && !use_keyid) {
+			msg = "Key id is required when setting algorithm";
+			CHECK(DNS_R_SYNTAX);
+		}
+	}
+
+	/* Get zone. */
+	CHECK(zone_from_args(server, lex, zonetext, &zone, NULL, text, false));
+	if (zone == NULL) {
+		msg = "Zone not found";
+		CHECK(ISC_R_UNEXPECTEDEND);
+	}
+
+	/* Trailing garbage? */
+	ptr = next_token(lex, text);
+	if (ptr != NULL) {
+		msg = "Too many arguments";
+		CHECK(DNS_R_SYNTAX);
+	}
+
+	/* Get dnssec-policy. */
+	kasp = dns_zone_getkasp(zone);
+	if (kasp == NULL) {
+		msg = "Zone does not have dnssec-policy";
+		goto cleanup;
+	}
+
+	/* Get DNSSEC keys. */
+	dir = dns_zone_getkeydirectory(zone);
+	CHECK(dns_zone_getdb(zone, &db));
+	dns_db_currentversion(db, &version);
+	LOCK(&kasp->lock);
+	result = dns_zone_getdnsseckeys(zone, db, version, now, &keys);
+	UNLOCK(&kasp->lock);
+	if (result != ISC_R_SUCCESS) {
+		if (result != ISC_R_NOTFOUND) {
+			goto cleanup;
+		}
+	}
+
+	if (status) {
+		/*
+		 * Output the DNSSEC status of the key and signing policy.
+		 */
+		LOCK(&kasp->lock);
+		dns_keymgr_status(kasp, &keys, now, &output[0], sizeof(output));
+		UNLOCK(&kasp->lock);
+		CHECK(putstr(text, output));
+	} else if (checkds) {
+		/*
+		 * Mark DS record has been seen, so it may move to the
+		 * rumoured state.
+		 */
+		char whenbuf[80];
+		isc_time_set(&timewhen, when, 0);
+		isc_time_formattimestamp(&timewhen, whenbuf, sizeof(whenbuf));
+		isc_result_t ret;
+
+		LOCK(&kasp->lock);
+		if (use_keyid) {
+			result = dns_keymgr_checkds_id(kasp, &keys, dir, now,
+						       when, dspublish, keyid,
+						       (unsigned int)algorithm);
+		} else {
+			result = dns_keymgr_checkds(kasp, &keys, dir, now, when,
+						    dspublish);
+		}
+		UNLOCK(&kasp->lock);
+
+		switch (result) {
+		case ISC_R_SUCCESS:
+			/*
+			 * Rekey after checkds command because the next key
+			 * event may have changed.
+			 */
+			dns_zone_rekey(zone, false);
+
+			if (use_keyid) {
+				char tagbuf[6];
+				snprintf(tagbuf, sizeof(tagbuf), "%u", keyid);
+				CHECK(putstr(text, "KSK "));
+				CHECK(putstr(text, tagbuf));
+				CHECK(putstr(text, ": "));
+			}
+			CHECK(putstr(text, "Marked DS as "));
+			if (dspublish) {
+				CHECK(putstr(text, "published "));
+			} else {
+				CHECK(putstr(text, "withdrawn "));
+			}
+			CHECK(putstr(text, "since "));
+			CHECK(putstr(text, whenbuf));
+			break;
+		case DNS_R_TOOMANYKEYS:
+			CHECK(putstr(text,
+				     "Error: multiple possible keys found, "
+				     "retry command with -key id"));
+			break;
+		default:
+			ret = result;
+			CHECK(putstr(text,
+				     "Error executing checkds command: "));
+			CHECK(putstr(text, isc_result_totext(ret)));
+			break;
+		}
+	} else if (rollover) {
+		/*
+		 * Manually rollover a key.
+		 */
+		char whenbuf[80];
+		isc_time_set(&timewhen, when, 0);
+		isc_time_formattimestamp(&timewhen, whenbuf, sizeof(whenbuf));
+		isc_result_t ret;
+
+		LOCK(&kasp->lock);
+		result = dns_keymgr_rollover(kasp, &keys, dir, now, when, keyid,
+					     (unsigned int)algorithm);
+		UNLOCK(&kasp->lock);
+
+		switch (result) {
+		case ISC_R_SUCCESS:
+			/*
+			 * Rekey after rollover command because the next key
+			 * event may have changed.
+			 */
+			dns_zone_rekey(zone, false);
+
+			if (use_keyid) {
+				char tagbuf[6];
+				snprintf(tagbuf, sizeof(tagbuf), "%u", keyid);
+				CHECK(putstr(text, "Key "));
+				CHECK(putstr(text, tagbuf));
+				CHECK(putstr(text, ": "));
+			}
+			CHECK(putstr(text, "Rollover scheduled on "));
+			CHECK(putstr(text, whenbuf));
+			break;
+		case DNS_R_TOOMANYKEYS:
+			CHECK(putstr(text,
+				     "Error: multiple possible keys found, "
+				     "retry command with -alg algorithm"));
+			break;
+		default:
+			ret = result;
+			CHECK(putstr(text,
+				     "Error executing rollover command: "));
+			CHECK(putstr(text, isc_result_totext(ret)));
+			break;
+		}
+	}
+	CHECK(putnull(text));
+
+cleanup:
+	if (msg != NULL) {
+		(void)putstr(text, msg);
+		(void)putnull(text);
+	}
+
+	if (version != NULL) {
+		dns_db_closeversion(db, &version, false);
+	}
+	if (db != NULL) {
+		dns_db_detach(&db);
+	}
+
+	while (!ISC_LIST_EMPTY(keys)) {
+		key = ISC_LIST_HEAD(keys);
+		ISC_LIST_UNLINK(keys, key, link);
+		dns_dnsseckey_destroy(dns_zone_getmctx(zone), &key);
+	}
+
+	if (zone != NULL) {
+		dns_zone_detach(&zone);
+	}
+
+	return (result);
+}
+
+static isc_result_t
+putmem(isc_buffer_t **b, const char *str, size_t len) {
+	isc_result_t result;
+
+	result = isc_buffer_reserve(b, (unsigned int)len);
+	if (result != ISC_R_SUCCESS) {
+		return (ISC_R_NOSPACE);
+	}
+
+	isc_buffer_putmem(*b, (const unsigned char *)str, (unsigned int)len);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+putstr(isc_buffer_t **b, const char *str) {
+	return (putmem(b, str, strlen(str)));
+}
+
+static isc_result_t
+putuint8(isc_buffer_t **b, uint8_t val) {
+	isc_result_t result;
+
+	result = isc_buffer_reserve(b, 1);
+	if (result != ISC_R_SUCCESS) {
+		return (ISC_R_NOSPACE);
+	}
+
+	isc_buffer_putuint8(*b, val);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+putnull(isc_buffer_t **b) {
+	return (putuint8(b, 0));
+}
+
+isc_result_t
+named_server_zonestatus(named_server_t *server, isc_lex_t *lex,
+			isc_buffer_t **text) {
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_zone_t *zone = NULL, *raw = NULL, *mayberaw = NULL;
+	const char *type, *file;
+	char zonename[DNS_NAME_FORMATSIZE];
+	uint32_t serial, signed_serial, nodes;
+	char serbuf[16], sserbuf[16], nodebuf[16];
+	char resignbuf[DNS_NAME_FORMATSIZE + DNS_RDATATYPE_FORMATSIZE + 2];
+	char lbuf[ISC_FORMATHTTPTIMESTAMP_SIZE];
+	char xbuf[ISC_FORMATHTTPTIMESTAMP_SIZE];
+	char rbuf[ISC_FORMATHTTPTIMESTAMP_SIZE];
+	char kbuf[ISC_FORMATHTTPTIMESTAMP_SIZE];
+	char rtbuf[ISC_FORMATHTTPTIMESTAMP_SIZE];
+	isc_time_t loadtime, expiretime, refreshtime;
+	isc_time_t refreshkeytime, resigntime;
+	dns_zonetype_t zonetype;
+	bool dynamic = false, frozen = false;
+	bool hasraw = false;
+	bool secure, maintain, allow;
+	dns_db_t *db = NULL, *rawdb = NULL;
+	char **incfiles = NULL;
+	int nfiles = 0;
+
+	REQUIRE(text != NULL);
+
+	isc_time_settoepoch(&loadtime);
+	isc_time_settoepoch(&refreshtime);
+	isc_time_settoepoch(&expiretime);
+	isc_time_settoepoch(&refreshkeytime);
+	isc_time_settoepoch(&resigntime);
+
+	CHECK(zone_from_args(server, lex, NULL, &zone, zonename, text, true));
+	if (zone == NULL) {
+		result = ISC_R_UNEXPECTEDEND;
+		goto cleanup;
+	}
+
+	/* Inline signing? */
+	CHECK(dns_zone_getdb(zone, &db));
+	dns_zone_getraw(zone, &raw);
+	hasraw = (raw != NULL);
+	if (hasraw) {
+		mayberaw = raw;
+		zonetype = dns_zone_gettype(raw);
+		CHECK(dns_zone_getdb(raw, &rawdb));
+	} else {
+		mayberaw = zone;
+		zonetype = dns_zone_gettype(zone);
+	}
+
+	type = dns_zonetype_name(zonetype);
+
+	/* Serial number */
+	result = dns_zone_getserial(mayberaw, &serial);
+
+	/* This is to mirror old behavior with dns_zone_getserial */
+	if (result != ISC_R_SUCCESS) {
+		serial = 0;
+	}
+
+	snprintf(serbuf, sizeof(serbuf), "%u", serial);
+	if (hasraw) {
+		result = dns_zone_getserial(zone, &signed_serial);
+		if (result != ISC_R_SUCCESS) {
+			serial = 0;
+		}
+		snprintf(sserbuf, sizeof(sserbuf), "%u", signed_serial);
+	}
+
+	/* Database node count */
+	nodes = dns_db_nodecount(hasraw ? rawdb : db);
+	snprintf(nodebuf, sizeof(nodebuf), "%u", nodes);
+
+	/* Security */
+	secure = dns_db_issecure(db);
+	allow = ((dns_zone_getkeyopts(zone) & DNS_ZONEKEY_ALLOW) != 0);
+	maintain = ((dns_zone_getkeyopts(zone) & DNS_ZONEKEY_MAINTAIN) != 0);
+
+	/* Master files */
+	file = dns_zone_getfile(mayberaw);
+	nfiles = dns_zone_getincludes(mayberaw, &incfiles);
+
+	/* Load time */
+	dns_zone_getloadtime(zone, &loadtime);
+	isc_time_formathttptimestamp(&loadtime, lbuf, sizeof(lbuf));
+
+	/* Refresh/expire times */
+	if (zonetype == dns_zone_secondary || zonetype == dns_zone_mirror ||
+	    zonetype == dns_zone_stub || zonetype == dns_zone_redirect)
+	{
+		dns_zone_getexpiretime(mayberaw, &expiretime);
+		isc_time_formathttptimestamp(&expiretime, xbuf, sizeof(xbuf));
+		dns_zone_getrefreshtime(mayberaw, &refreshtime);
+		isc_time_formathttptimestamp(&refreshtime, rbuf, sizeof(rbuf));
+	}
+
+	/* Key refresh time */
+	if (zonetype == dns_zone_primary ||
+	    (zonetype == dns_zone_secondary && hasraw))
+	{
+		dns_zone_getrefreshkeytime(zone, &refreshkeytime);
+		isc_time_formathttptimestamp(&refreshkeytime, kbuf,
+					     sizeof(kbuf));
+	}
+
+	/* Dynamic? */
+	if (zonetype == dns_zone_primary) {
+		dynamic = dns_zone_isdynamic(mayberaw, true);
+		frozen = dynamic && !dns_zone_isdynamic(mayberaw, false);
+	}
+
+	/* Next resign event */
+	if (secure &&
+	    (zonetype == dns_zone_primary ||
+	     (zonetype == dns_zone_secondary && hasraw)) &&
+	    ((dns_zone_getkeyopts(zone) & DNS_ZONEKEY_NORESIGN) == 0))
+	{
+		dns_name_t *name;
+		dns_fixedname_t fixed;
+		dns_rdataset_t next;
+
+		dns_rdataset_init(&next);
+		name = dns_fixedname_initname(&fixed);
+
+		result = dns_db_getsigningtime(db, &next, name);
+		if (result == ISC_R_SUCCESS) {
+			isc_stdtime_t timenow;
+			char namebuf[DNS_NAME_FORMATSIZE];
+			char typebuf[DNS_RDATATYPE_FORMATSIZE];
+
+			isc_stdtime_get(&timenow);
+			dns_name_format(name, namebuf, sizeof(namebuf));
+			dns_rdatatype_format(next.covers, typebuf,
+					     sizeof(typebuf));
+			snprintf(resignbuf, sizeof(resignbuf), "%s/%s", namebuf,
+				 typebuf);
+			isc_time_set(
+				&resigntime,
+				next.resign -
+					dns_zone_getsigresigninginterval(zone),
+				0);
+			isc_time_formathttptimestamp(&resigntime, rtbuf,
+						     sizeof(rtbuf));
+			dns_rdataset_disassociate(&next);
+		}
+	}
+
+	/* Create text */
+	CHECK(putstr(text, "name: "));
+	CHECK(putstr(text, zonename));
+
+	CHECK(putstr(text, "\ntype: "));
+	CHECK(putstr(text, type));
+
+	if (file != NULL) {
+		int i;
+		CHECK(putstr(text, "\nfiles: "));
+		CHECK(putstr(text, file));
+		for (i = 0; i < nfiles; i++) {
+			CHECK(putstr(text, ", "));
+			if (incfiles[i] != NULL) {
+				CHECK(putstr(text, incfiles[i]));
+			}
+		}
+	}
+
+	CHECK(putstr(text, "\nserial: "));
+	CHECK(putstr(text, serbuf));
+	if (hasraw) {
+		CHECK(putstr(text, "\nsigned serial: "));
+		CHECK(putstr(text, sserbuf));
+	}
+
+	CHECK(putstr(text, "\nnodes: "));
+	CHECK(putstr(text, nodebuf));
+
+	if (!isc_time_isepoch(&loadtime)) {
+		CHECK(putstr(text, "\nlast loaded: "));
+		CHECK(putstr(text, lbuf));
+	}
+
+	if (!isc_time_isepoch(&refreshtime)) {
+		CHECK(putstr(text, "\nnext refresh: "));
+		CHECK(putstr(text, rbuf));
+	}
+
+	if (!isc_time_isepoch(&expiretime)) {
+		CHECK(putstr(text, "\nexpires: "));
+		CHECK(putstr(text, xbuf));
+	}
+
+	if (secure) {
+		CHECK(putstr(text, "\nsecure: yes"));
+		if (hasraw) {
+			CHECK(putstr(text, "\ninline signing: yes"));
+		} else {
+			CHECK(putstr(text, "\ninline signing: no"));
+		}
+	} else {
+		CHECK(putstr(text, "\nsecure: no"));
+	}
+
+	if (maintain) {
+		CHECK(putstr(text, "\nkey maintenance: automatic"));
+		if (!isc_time_isepoch(&refreshkeytime)) {
+			CHECK(putstr(text, "\nnext key event: "));
+			CHECK(putstr(text, kbuf));
+		}
+	} else if (allow) {
+		CHECK(putstr(text, "\nkey maintenance: on command"));
+	} else if (secure || hasraw) {
+		CHECK(putstr(text, "\nkey maintenance: none"));
+	}
+
+	if (!isc_time_isepoch(&resigntime)) {
+		CHECK(putstr(text, "\nnext resign node: "));
+		CHECK(putstr(text, resignbuf));
+		CHECK(putstr(text, "\nnext resign time: "));
+		CHECK(putstr(text, rtbuf));
+	}
+
+	if (dynamic) {
+		CHECK(putstr(text, "\ndynamic: yes"));
+		if (frozen) {
+			CHECK(putstr(text, "\nfrozen: yes"));
+		} else {
+			CHECK(putstr(text, "\nfrozen: no"));
+		}
+	} else {
+		CHECK(putstr(text, "\ndynamic: no"));
+	}
+
+	CHECK(putstr(text, "\nreconfigurable via modzone: "));
+	CHECK(putstr(text, dns_zone_getadded(zone) ? "yes" : "no"));
+
+cleanup:
+	/* Indicate truncated output if possible. */
+	if (result == ISC_R_NOSPACE) {
+		(void)putstr(text, "\n...");
+	}
+	if ((result == ISC_R_SUCCESS || result == ISC_R_NOSPACE)) {
+		(void)putnull(text);
+	}
+
+	if (db != NULL) {
+		dns_db_detach(&db);
+	}
+	if (rawdb != NULL) {
+		dns_db_detach(&rawdb);
+	}
+	if (incfiles != NULL && mayberaw != NULL) {
+		int i;
+		isc_mem_t *mctx = dns_zone_getmctx(mayberaw);
+
+		for (i = 0; i < nfiles; i++) {
+			if (incfiles[i] != NULL) {
+				isc_mem_free(mctx, incfiles[i]);
+			}
+		}
+		isc_mem_free(mctx, incfiles);
+	}
+	if (raw != NULL) {
+		dns_zone_detach(&raw);
+	}
+	if (zone != NULL) {
+		dns_zone_detach(&zone);
+	}
+	return (result);
+}
+
+isc_result_t
+named_server_nta(named_server_t *server, isc_lex_t *lex, bool readonly,
+		 isc_buffer_t **text) {
+	dns_view_t *view;
+	dns_ntatable_t *ntatable = NULL;
+	isc_result_t result = ISC_R_SUCCESS;
+	char *ptr, *nametext = NULL, *viewname;
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char viewbuf[DNS_NAME_FORMATSIZE];
+	isc_stdtime_t now, when;
+	isc_time_t t;
+	char tbuf[64];
+	const char *msg = NULL;
+	bool dump = false, force = false;
+	dns_fixedname_t fn;
+	const dns_name_t *ntaname;
+	dns_name_t *fname;
+	dns_ttl_t ntattl;
+	bool ttlset = false, excl = false, viewfound = false;
+	dns_rdataclass_t rdclass = dns_rdataclass_in;
+	bool first = true;
+
+	REQUIRE(text != NULL);
+
+	UNUSED(force);
+
+	fname = dns_fixedname_initname(&fn);
+
+	/* Skip the command name. */
+	ptr = next_token(lex, text);
+	if (ptr == NULL) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	for (;;) {
+		/* Check for options */
+		ptr = next_token(lex, text);
+		if (ptr == NULL) {
+			return (ISC_R_UNEXPECTEDEND);
+		}
+
+		if (strcmp(ptr, "--") == 0) {
+			break;
+		} else if (argcheck(ptr, "dump")) {
+			dump = true;
+		} else if (argcheck(ptr, "remove")) {
+			ntattl = 0;
+			ttlset = true;
+		} else if (argcheck(ptr, "force")) {
+			force = true;
+			continue;
+		} else if (argcheck(ptr, "lifetime")) {
+			isc_textregion_t tr;
+
+			ptr = next_token(lex, text);
+			if (ptr == NULL) {
+				msg = "No lifetime specified";
+				CHECK(ISC_R_UNEXPECTEDEND);
+			}
+
+			tr.base = ptr;
+			tr.length = strlen(ptr);
+			result = dns_ttl_fromtext(&tr, &ntattl);
+			if (result != ISC_R_SUCCESS) {
+				msg = "could not parse NTA lifetime";
+				CHECK(result);
+			}
+
+			if (ntattl > 604800) {
+				msg = "NTA lifetime cannot exceed one week";
+				CHECK(ISC_R_RANGE);
+			}
+
+			ttlset = true;
+			continue;
+		} else if (argcheck(ptr, "class")) {
+			isc_textregion_t tr;
+
+			ptr = next_token(lex, text);
+			if (ptr == NULL) {
+				msg = "No class specified";
+				CHECK(ISC_R_UNEXPECTEDEND);
+			}
+
+			tr.base = ptr;
+			tr.length = strlen(ptr);
+			CHECK(dns_rdataclass_fromtext(&rdclass, &tr));
+			continue;
+		} else if (ptr[0] == '-') {
+			msg = "Unknown option";
+			CHECK(DNS_R_SYNTAX);
+		} else {
+			nametext = ptr;
+		}
+
+		break;
+	}
+
+	/*
+	 * If -dump was specified, list NTA's and return
+	 */
+	if (dump) {
+		for (view = ISC_LIST_HEAD(server->viewlist); view != NULL;
+		     view = ISC_LIST_NEXT(view, link))
+		{
+			if (ntatable != NULL) {
+				dns_ntatable_detach(&ntatable);
+			}
+			result = dns_view_getntatable(view, &ntatable);
+			if (result == ISC_R_NOTFOUND) {
+				continue;
+			}
+
+			CHECK(dns_ntatable_totext(ntatable, view->name, text));
+		}
+		CHECK(putnull(text));
+
+		goto cleanup;
+	}
+
+	if (readonly) {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_CONTROL, ISC_LOG_INFO,
+			      "rejecting restricted control channel "
+			      "NTA command");
+		CHECK(ISC_R_FAILURE);
+	}
+
+	/* Get the NTA name if not found above. */
+	if (nametext == NULL) {
+		nametext = next_token(lex, text);
+	}
+	if (nametext == NULL) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	/* Copy nametext as it'll be overwritten by next_token() */
+	strlcpy(namebuf, nametext, DNS_NAME_FORMATSIZE);
+
+	if (strcmp(namebuf, ".") == 0) {
+		ntaname = dns_rootname;
+	} else {
+		isc_buffer_t b;
+		isc_buffer_init(&b, namebuf, strlen(namebuf));
+		isc_buffer_add(&b, strlen(namebuf));
+		CHECK(dns_name_fromtext(fname, &b, dns_rootname, 0, NULL));
+		ntaname = fname;
+	}
+
+	/* Look for the view name. */
+	viewname = next_token(lex, text);
+	if (viewname != NULL) {
+		strlcpy(viewbuf, viewname, DNS_NAME_FORMATSIZE);
+		viewname = viewbuf;
+	}
+
+	if (next_token(lex, text) != NULL) {
+		CHECK(DNS_R_SYNTAX);
+	}
+
+	isc_stdtime_get(&now);
+
+	result = isc_task_beginexclusive(server->task);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	excl = true;
+	for (view = ISC_LIST_HEAD(server->viewlist); view != NULL;
+	     view = ISC_LIST_NEXT(view, link))
+	{
+		if (viewname != NULL && strcmp(view->name, viewname) != 0) {
+			continue;
+		}
+		viewfound = true;
+
+		if (view->rdclass != rdclass && rdclass != dns_rdataclass_any) {
+			continue;
+		}
+
+		if (view->nta_lifetime == 0) {
+			continue;
+		}
+
+		if (!ttlset) {
+			ntattl = view->nta_lifetime;
+		}
+
+		if (ntatable != NULL) {
+			dns_ntatable_detach(&ntatable);
+		}
+
+		result = dns_view_getntatable(view, &ntatable);
+		if (result == ISC_R_NOTFOUND) {
+			result = ISC_R_SUCCESS;
+			continue;
+		}
+
+		result = dns_view_flushnode(view, ntaname, true);
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+			      "flush tree '%s' in cache view '%s': %s", namebuf,
+			      view->name, isc_result_totext(result));
+
+		if (ntattl != 0) {
+			CHECK(dns_ntatable_add(ntatable, ntaname, force, now,
+					       ntattl));
+
+			when = now + ntattl;
+			isc_time_set(&t, when, 0);
+			isc_time_formattimestamp(&t, tbuf, sizeof(tbuf));
+
+			if (!first) {
+				CHECK(putstr(text, "\n"));
+			}
+			first = false;
+
+			CHECK(putstr(text, "Negative trust anchor added: "));
+			CHECK(putstr(text, namebuf));
+			CHECK(putstr(text, "/"));
+			CHECK(putstr(text, view->name));
+			CHECK(putstr(text, ", expires "));
+			CHECK(putstr(text, tbuf));
+
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+				      "added NTA '%s' (%d sec) in view '%s'",
+				      namebuf, ntattl, view->name);
+		} else {
+			bool wasremoved;
+
+			result = dns_ntatable_delete(ntatable, ntaname);
+			if (result == ISC_R_SUCCESS) {
+				wasremoved = true;
+			} else if (result == ISC_R_NOTFOUND) {
+				wasremoved = false;
+			} else {
+				goto cleanup;
+			}
+
+			if (!first) {
+				CHECK(putstr(text, "\n"));
+			}
+			first = false;
+
+			CHECK(putstr(text, "Negative trust anchor "));
+			CHECK(putstr(text,
+				     wasremoved ? "removed: " : "not found: "));
+			CHECK(putstr(text, namebuf));
+			CHECK(putstr(text, "/"));
+			CHECK(putstr(text, view->name));
+
+			if (wasremoved) {
+				isc_log_write(
+					named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+					NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+					"removed NTA '%s' in view %s", namebuf,
+					view->name);
+			}
+		}
+
+		result = dns_view_saventa(view);
+		if (result != ISC_R_SUCCESS) {
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "error writing NTA file "
+				      "for view '%s': %s",
+				      view->name, isc_result_totext(result));
+		}
+	}
+
+	if (!viewfound) {
+		msg = "No such view";
+		CHECK(ISC_R_NOTFOUND);
+	}
+
+	(void)putnull(text);
+
+cleanup:
+	if (msg != NULL) {
+		(void)putstr(text, msg);
+		(void)putnull(text);
+	}
+
+	if (excl) {
+		isc_task_endexclusive(server->task);
+	}
+	if (ntatable != NULL) {
+		dns_ntatable_detach(&ntatable);
+	}
+	return (result);
+}
+
+isc_result_t
+named_server_saventa(named_server_t *server) {
+	dns_view_t *view;
+
+	for (view = ISC_LIST_HEAD(server->viewlist); view != NULL;
+	     view = ISC_LIST_NEXT(view, link))
+	{
+		isc_result_t result = dns_view_saventa(view);
+
+		if (result != ISC_R_SUCCESS) {
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "error writing NTA file "
+				      "for view '%s': %s",
+				      view->name, isc_result_totext(result));
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+named_server_loadnta(named_server_t *server) {
+	dns_view_t *view;
+
+	for (view = ISC_LIST_HEAD(server->viewlist); view != NULL;
+	     view = ISC_LIST_NEXT(view, link))
+	{
+		isc_result_t result = dns_view_loadnta(view);
+
+		if ((result != ISC_R_SUCCESS) &&
+		    (result != ISC_R_FILENOTFOUND) &&
+		    (result != ISC_R_NOTFOUND))
+		{
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "error loading NTA file "
+				      "for view '%s': %s",
+				      view->name, isc_result_totext(result));
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+mkey_refresh(dns_view_t *view, isc_buffer_t **text) {
+	isc_result_t result;
+	char msg[DNS_NAME_FORMATSIZE + 500] = "";
+
+	snprintf(msg, sizeof(msg), "refreshing managed keys for '%s'",
+		 view->name);
+	CHECK(putstr(text, msg));
+	CHECK(dns_zone_synckeyzone(view->managed_keys));
+
+cleanup:
+	return (result);
+}
+
+static isc_result_t
+mkey_destroy(named_server_t *server, dns_view_t *view, isc_buffer_t **text) {
+	isc_result_t result;
+	char msg[DNS_NAME_FORMATSIZE + 500] = "";
+	bool exclusive = false;
+	const char *file = NULL;
+	dns_db_t *dbp = NULL;
+	dns_zone_t *mkzone = NULL;
+	bool removed_a_file = false;
+
+	if (view->managed_keys == NULL) {
+		CHECK(ISC_R_NOTFOUND);
+	}
+
+	snprintf(msg, sizeof(msg), "destroying managed-keys database for '%s'",
+		 view->name);
+	CHECK(putstr(text, msg));
+
+	result = isc_task_beginexclusive(server->task);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	exclusive = true;
+
+	/* Remove and clean up managed keys zone from view */
+	mkzone = view->managed_keys;
+	view->managed_keys = NULL;
+	(void)dns_zone_flush(mkzone);
+
+	/* Unload zone database */
+	if (dns_zone_getdb(mkzone, &dbp) == ISC_R_SUCCESS) {
+		dns_db_detach(&dbp);
+		dns_zone_unload(mkzone);
+	}
+
+	/* Delete files */
+	file = dns_zone_getfile(mkzone);
+	result = isc_file_remove(file);
+	if (result == ISC_R_SUCCESS) {
+		removed_a_file = true;
+	} else {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING,
+			      "file %s not removed: %s", file,
+			      isc_result_totext(result));
+	}
+
+	file = dns_zone_getjournal(mkzone);
+	result = isc_file_remove(file);
+	if (result == ISC_R_SUCCESS) {
+		removed_a_file = true;
+	} else {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING,
+			      "file %s not removed: %s", file,
+			      isc_result_totext(result));
+	}
+
+	if (!removed_a_file) {
+		CHECK(putstr(text, "error: no files could be removed"));
+		CHECK(ISC_R_FAILURE);
+	}
+
+	dns_zone_detach(&mkzone);
+	result = ISC_R_SUCCESS;
+
+cleanup:
+	if (exclusive) {
+		isc_task_endexclusive(server->task);
+	}
+	return (result);
+}
+
+static isc_result_t
+mkey_dumpzone(dns_view_t *view, isc_buffer_t **text) {
+	isc_result_t result;
+	dns_db_t *db = NULL;
+	dns_dbversion_t *ver = NULL;
+	dns_rriterator_t rrit;
+	isc_stdtime_t now;
+	dns_name_t *prevname = NULL;
+
+	isc_stdtime_get(&now);
+
+	CHECK(dns_zone_getdb(view->managed_keys, &db));
+	dns_db_currentversion(db, &ver);
+	dns_rriterator_init(&rrit, db, ver, 0);
+	for (result = dns_rriterator_first(&rrit); result == ISC_R_SUCCESS;
+	     result = dns_rriterator_nextrrset(&rrit))
+	{
+		char buf[DNS_NAME_FORMATSIZE + 500];
+		dns_name_t *name = NULL;
+		dns_rdataset_t *kdset = NULL;
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_rdata_keydata_t kd;
+		uint32_t ttl;
+
+		dns_rriterator_current(&rrit, &name, &ttl, &kdset, NULL);
+		if (kdset == NULL || kdset->type != dns_rdatatype_keydata ||
+		    !dns_rdataset_isassociated(kdset))
+		{
+			continue;
+		}
+
+		if (name != prevname) {
+			char nbuf[DNS_NAME_FORMATSIZE];
+			dns_name_format(name, nbuf, sizeof(nbuf));
+			snprintf(buf, sizeof(buf), "\n\n    name: %s", nbuf);
+			CHECK(putstr(text, buf));
+		}
+
+		for (result = dns_rdataset_first(kdset);
+		     result == ISC_R_SUCCESS; result = dns_rdataset_next(kdset))
+		{
+			char alg[DNS_SECALG_FORMATSIZE];
+			char tbuf[ISC_FORMATHTTPTIMESTAMP_SIZE];
+			dns_keytag_t keyid;
+			isc_region_t r;
+			isc_time_t t;
+			bool revoked;
+
+			dns_rdata_reset(&rdata);
+			dns_rdataset_current(kdset, &rdata);
+			result = dns_rdata_tostruct(&rdata, &kd, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+			dns_rdata_toregion(&rdata, &r);
+			isc_region_consume(&r, 12);
+			keyid = dst_region_computeid(&r);
+
+			snprintf(buf, sizeof(buf), "\n    keyid: %u", keyid);
+			CHECK(putstr(text, buf));
+
+			dns_secalg_format(kd.algorithm, alg, sizeof(alg));
+			snprintf(buf, sizeof(buf), "\n\talgorithm: %s", alg);
+			CHECK(putstr(text, buf));
+
+			revoked = ((kd.flags & DNS_KEYFLAG_REVOKE) != 0);
+			snprintf(buf, sizeof(buf), "\n\tflags:%s%s%s",
+				 revoked ? " REVOKE" : "",
+				 ((kd.flags & DNS_KEYFLAG_KSK) != 0) ? " SEP"
+								     : "",
+				 (kd.flags == 0) ? " (none)" : "");
+			CHECK(putstr(text, buf));
+
+			isc_time_set(&t, kd.refresh, 0);
+			isc_time_formathttptimestamp(&t, tbuf, sizeof(tbuf));
+			snprintf(buf, sizeof(buf), "\n\tnext refresh: %s",
+				 tbuf);
+			CHECK(putstr(text, buf));
+
+			if (kd.removehd != 0) {
+				isc_time_set(&t, kd.removehd, 0);
+				isc_time_formathttptimestamp(&t, tbuf,
+							     sizeof(tbuf));
+				snprintf(buf, sizeof(buf), "\n\tremove at: %s",
+					 tbuf);
+				CHECK(putstr(text, buf));
+			}
+
+			isc_time_set(&t, kd.addhd, 0);
+			isc_time_formathttptimestamp(&t, tbuf, sizeof(tbuf));
+			if (kd.addhd == 0) {
+				snprintf(buf, sizeof(buf), "\n\tno trust");
+			} else if (revoked) {
+				snprintf(buf, sizeof(buf), "\n\ttrust revoked");
+			} else if (kd.addhd <= now) {
+				snprintf(buf, sizeof(buf),
+					 "\n\ttrusted since: %s", tbuf);
+			} else if (kd.addhd > now) {
+				snprintf(buf, sizeof(buf),
+					 "\n\ttrust pending: %s", tbuf);
+			}
+			CHECK(putstr(text, buf));
+		}
+	}
+
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+	}
+
+cleanup:
+	if (ver != NULL) {
+		dns_rriterator_destroy(&rrit);
+		dns_db_closeversion(db, &ver, false);
+	}
+	if (db != NULL) {
+		dns_db_detach(&db);
+	}
+
+	return (result);
+}
+
+static isc_result_t
+mkey_status(dns_view_t *view, isc_buffer_t **text) {
+	isc_result_t result;
+	char msg[ISC_FORMATHTTPTIMESTAMP_SIZE];
+	isc_time_t t;
+
+	CHECK(putstr(text, "view: "));
+	CHECK(putstr(text, view->name));
+
+	CHECK(putstr(text, "\nnext scheduled event: "));
+
+	dns_zone_getrefreshkeytime(view->managed_keys, &t);
+	if (isc_time_isepoch(&t)) {
+		CHECK(putstr(text, "never"));
+	} else {
+		isc_time_formathttptimestamp(&t, msg, sizeof(msg));
+		CHECK(putstr(text, msg));
+	}
+
+	CHECK(mkey_dumpzone(view, text));
+
+cleanup:
+	return (result);
+}
+
+isc_result_t
+named_server_mkeys(named_server_t *server, isc_lex_t *lex,
+		   isc_buffer_t **text) {
+	char *cmd, *classtxt, *viewtxt = NULL;
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_view_t *view = NULL;
+	dns_rdataclass_t rdclass;
+	char msg[DNS_NAME_FORMATSIZE + 500] = "";
+	enum { NONE, STATUS, REFRESH, SYNC, DESTROY } opt = NONE;
+	bool found = false;
+	bool first = true;
+
+	REQUIRE(text != NULL);
+
+	/* Skip rndc command name */
+	cmd = next_token(lex, text);
+	if (cmd == NULL) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	/* Get managed-keys subcommand */
+	cmd = next_token(lex, text);
+	if (cmd == NULL) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	if (strcasecmp(cmd, "status") == 0) {
+		opt = STATUS;
+	} else if (strcasecmp(cmd, "refresh") == 0) {
+		opt = REFRESH;
+	} else if (strcasecmp(cmd, "sync") == 0) {
+		opt = SYNC;
+	} else if (strcasecmp(cmd, "destroy") == 0) {
+		opt = DESTROY;
+	} else {
+		snprintf(msg, sizeof(msg), "unknown command '%s'", cmd);
+		(void)putstr(text, msg);
+		result = ISC_R_UNEXPECTED;
+		goto cleanup;
+	}
+
+	/* Look for the optional class name. */
+	classtxt = next_token(lex, text);
+	if (classtxt != NULL) {
+		isc_textregion_t r;
+		r.base = classtxt;
+		r.length = strlen(classtxt);
+		result = dns_rdataclass_fromtext(&rdclass, &r);
+		if (result != ISC_R_SUCCESS) {
+			snprintf(msg, sizeof(msg), "unknown class '%s'",
+				 classtxt);
+			(void)putstr(text, msg);
+			goto cleanup;
+		}
+		viewtxt = next_token(lex, text);
+	}
+
+	for (view = ISC_LIST_HEAD(server->viewlist); view != NULL;
+	     view = ISC_LIST_NEXT(view, link))
+	{
+		if (viewtxt != NULL && (rdclass != view->rdclass ||
+					strcmp(view->name, viewtxt) != 0))
+		{
+			continue;
+		}
+
+		if (view->managed_keys == NULL) {
+			if (viewtxt != NULL) {
+				snprintf(msg, sizeof(msg),
+					 "view '%s': no managed keys", viewtxt);
+				CHECK(putstr(text, msg));
+				goto cleanup;
+			} else {
+				continue;
+			}
+		}
+
+		found = true;
+
+		switch (opt) {
+		case REFRESH:
+			if (!first) {
+				CHECK(putstr(text, "\n"));
+			}
+			CHECK(mkey_refresh(view, text));
+			break;
+		case STATUS:
+			if (!first) {
+				CHECK(putstr(text, "\n\n"));
+			}
+			CHECK(mkey_status(view, text));
+			break;
+		case SYNC:
+			CHECK(dns_zone_flush(view->managed_keys));
+			break;
+		case DESTROY:
+			if (!first) {
+				CHECK(putstr(text, "\n"));
+			}
+			CHECK(mkey_destroy(server, view, text));
+			break;
+		default:
+			UNREACHABLE();
+		}
+
+		if (viewtxt != NULL) {
+			break;
+		}
+		first = false;
+	}
+
+	if (!found) {
+		CHECK(putstr(text, "no views with managed keys"));
+	}
+
+cleanup:
+	if (isc_buffer_usedlength(*text) > 0) {
+		(void)putnull(text);
+	}
+
+	return (result);
+}
+
+isc_result_t
+named_server_dnstap(named_server_t *server, isc_lex_t *lex,
+		    isc_buffer_t **text) {
+#ifdef HAVE_DNSTAP
+	char *ptr;
+	isc_result_t result;
+	bool reopen = false;
+	int backups = 0;
+
+	REQUIRE(text != NULL);
+
+	if (server->dtenv == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	/* Check the command name. */
+	ptr = next_token(lex, text);
+	if (ptr == NULL) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	/* "dnstap-reopen" was used in 9.11.0b1 */
+	if (strcasecmp(ptr, "dnstap-reopen") == 0) {
+		reopen = true;
+	} else {
+		ptr = next_token(lex, text);
+		if (ptr == NULL) {
+			return (ISC_R_UNEXPECTEDEND);
+		}
+	}
+
+	if (reopen || strcasecmp(ptr, "-reopen") == 0) {
+		backups = ISC_LOG_ROLLNEVER;
+	} else if ((strcasecmp(ptr, "-roll") == 0)) {
+		unsigned int n;
+		ptr = next_token(lex, text);
+		if (ptr != NULL) {
+			unsigned int u;
+			n = sscanf(ptr, "%u", &u);
+			if (n != 1U || u > INT_MAX) {
+				return (ISC_R_BADNUMBER);
+			}
+			backups = u;
+		} else {
+			backups = ISC_LOG_ROLLINFINITE;
+		}
+	} else {
+		return (DNS_R_SYNTAX);
+	}
+
+	result = dns_dt_reopen(server->dtenv, backups);
+	return (result);
+#else  /* ifdef HAVE_DNSTAP */
+	UNUSED(server);
+	UNUSED(lex);
+	UNUSED(text);
+	return (ISC_R_NOTIMPLEMENTED);
+#endif /* ifdef HAVE_DNSTAP */
+}
+
+isc_result_t
+named_server_tcptimeouts(isc_lex_t *lex, isc_buffer_t **text) {
+	char *ptr;
+	isc_result_t result = ISC_R_SUCCESS;
+	uint32_t initial, idle, keepalive, advertised;
+	char msg[128];
+
+	/* Skip the command name. */
+	ptr = next_token(lex, text);
+	if (ptr == NULL) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	isc_nm_gettimeouts(named_g_nm, &initial, &idle, &keepalive,
+			   &advertised);
+
+	/* Look for optional arguments. */
+	ptr = next_token(lex, NULL);
+	if (ptr != NULL) {
+		CHECK(isc_parse_uint32(&initial, ptr, 10));
+		initial *= 100;
+		if (initial > MAX_INITIAL_TIMEOUT) {
+			CHECK(ISC_R_RANGE);
+		}
+		if (initial < MIN_INITIAL_TIMEOUT) {
+			CHECK(ISC_R_RANGE);
+		}
+
+		ptr = next_token(lex, text);
+		if (ptr == NULL) {
+			return (ISC_R_UNEXPECTEDEND);
+		}
+		CHECK(isc_parse_uint32(&idle, ptr, 10));
+		idle *= 100;
+		if (idle > MAX_IDLE_TIMEOUT) {
+			CHECK(ISC_R_RANGE);
+		}
+		if (idle < MIN_IDLE_TIMEOUT) {
+			CHECK(ISC_R_RANGE);
+		}
+
+		ptr = next_token(lex, text);
+		if (ptr == NULL) {
+			return (ISC_R_UNEXPECTEDEND);
+		}
+		CHECK(isc_parse_uint32(&keepalive, ptr, 10));
+		keepalive *= 100;
+		if (keepalive > MAX_KEEPALIVE_TIMEOUT) {
+			CHECK(ISC_R_RANGE);
+		}
+		if (keepalive < MIN_KEEPALIVE_TIMEOUT) {
+			CHECK(ISC_R_RANGE);
+		}
+
+		ptr = next_token(lex, text);
+		if (ptr == NULL) {
+			return (ISC_R_UNEXPECTEDEND);
+		}
+		CHECK(isc_parse_uint32(&advertised, ptr, 10));
+		advertised *= 100;
+		if (advertised > MAX_ADVERTISED_TIMEOUT) {
+			CHECK(ISC_R_RANGE);
+		}
+
+		result = isc_task_beginexclusive(named_g_server->task);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		isc_nm_settimeouts(named_g_nm, initial, idle, keepalive,
+				   advertised);
+
+		isc_task_endexclusive(named_g_server->task);
+	}
+
+	snprintf(msg, sizeof(msg), "tcp-initial-timeout=%u\n", initial / 100);
+	CHECK(putstr(text, msg));
+	snprintf(msg, sizeof(msg), "tcp-idle-timeout=%u\n", idle / 100);
+	CHECK(putstr(text, msg));
+	snprintf(msg, sizeof(msg), "tcp-keepalive-timeout=%u\n",
+		 keepalive / 100);
+	CHECK(putstr(text, msg));
+	snprintf(msg, sizeof(msg), "tcp-advertised-timeout=%u",
+		 advertised / 100);
+	CHECK(putstr(text, msg));
+
+cleanup:
+	if (isc_buffer_usedlength(*text) > 0) {
+		(void)putnull(text);
+	}
+
+	return (result);
+}
+
+isc_result_t
+named_server_servestale(named_server_t *server, isc_lex_t *lex,
+			isc_buffer_t **text) {
+	char *ptr, *classtxt, *viewtxt = NULL;
+	char msg[128];
+	dns_rdataclass_t rdclass = dns_rdataclass_in;
+	dns_view_t *view;
+	bool found = false;
+	dns_stale_answer_t staleanswersok = dns_stale_answer_conf;
+	bool wantstatus = false;
+	isc_result_t result = ISC_R_SUCCESS;
+	bool exclusive = false;
+
+	REQUIRE(text != NULL);
+
+	/* Skip the command name. */
+	ptr = next_token(lex, text);
+	if (ptr == NULL) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	ptr = next_token(lex, NULL);
+	if (ptr == NULL) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	if (!strcasecmp(ptr, "on") || !strcasecmp(ptr, "yes") ||
+	    !strcasecmp(ptr, "enable") || !strcasecmp(ptr, "true"))
+	{
+		staleanswersok = dns_stale_answer_yes;
+	} else if (!strcasecmp(ptr, "off") || !strcasecmp(ptr, "no") ||
+		   !strcasecmp(ptr, "disable") || !strcasecmp(ptr, "false"))
+	{
+		staleanswersok = dns_stale_answer_no;
+	} else if (strcasecmp(ptr, "reset") == 0) {
+		staleanswersok = dns_stale_answer_conf;
+	} else if (!strcasecmp(ptr, "check") || !strcasecmp(ptr, "status")) {
+		wantstatus = true;
+	} else {
+		return (DNS_R_SYNTAX);
+	}
+
+	/* Look for the optional class name. */
+	classtxt = next_token(lex, text);
+	if (classtxt != NULL) {
+		isc_textregion_t r;
+
+		/* Look for the optional view name. */
+		viewtxt = next_token(lex, text);
+
+		/*
+		 * If 'classtext' is not a valid class then it us a view name.
+		 */
+		r.base = classtxt;
+		r.length = strlen(classtxt);
+		result = dns_rdataclass_fromtext(&rdclass, &r);
+		if (result != ISC_R_SUCCESS) {
+			if (viewtxt != NULL) {
+				snprintf(msg, sizeof(msg), "unknown class '%s'",
+					 classtxt);
+				(void)putstr(text, msg);
+				goto cleanup;
+			}
+
+			viewtxt = classtxt;
+			classtxt = NULL;
+		}
+	}
+
+	result = isc_task_beginexclusive(server->task);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	exclusive = true;
+
+	for (view = ISC_LIST_HEAD(server->viewlist); view != NULL;
+	     view = ISC_LIST_NEXT(view, link))
+	{
+		dns_ttl_t stale_ttl = 0;
+		uint32_t stale_refresh = 0;
+		dns_db_t *db = NULL;
+
+		if (classtxt != NULL && rdclass != view->rdclass) {
+			continue;
+		}
+
+		if (viewtxt != NULL && strcmp(view->name, viewtxt) != 0) {
+			continue;
+		}
+
+		if (!wantstatus) {
+			view->staleanswersok = staleanswersok;
+			found = true;
+			continue;
+		}
+
+		db = NULL;
+		dns_db_attach(view->cachedb, &db);
+		(void)dns_db_getservestalettl(db, &stale_ttl);
+		(void)dns_db_getservestalerefresh(db, &stale_refresh);
+		dns_db_detach(&db);
+		if (found) {
+			CHECK(putstr(text, "\n"));
+		}
+		CHECK(putstr(text, view->name));
+		CHECK(putstr(text, ": "));
+		switch (view->staleanswersok) {
+		case dns_stale_answer_yes:
+			if (stale_ttl > 0) {
+				CHECK(putstr(text, "on (rndc)"));
+			} else {
+				CHECK(putstr(text, "off (not-cached)"));
+			}
+			break;
+		case dns_stale_answer_no:
+			CHECK(putstr(text, "off (rndc)"));
+			break;
+		case dns_stale_answer_conf:
+			if (view->staleanswersenable && stale_ttl > 0) {
+				CHECK(putstr(text, "on"));
+			} else if (view->staleanswersenable) {
+				CHECK(putstr(text, "off (not-cached)"));
+			} else {
+				CHECK(putstr(text, "off"));
+			}
+			break;
+		}
+		if (stale_ttl > 0) {
+			snprintf(msg, sizeof(msg),
+				 " (stale-answer-ttl=%u max-stale-ttl=%u "
+				 "stale-refresh-time=%u)",
+				 view->staleanswerttl, stale_ttl,
+				 stale_refresh);
+			CHECK(putstr(text, msg));
+		}
+		found = true;
+	}
+
+	if (!found) {
+		result = ISC_R_NOTFOUND;
+	}
+
+cleanup:
+	if (exclusive) {
+		isc_task_endexclusive(named_g_server->task);
+	}
+
+	if (isc_buffer_usedlength(*text) > 0) {
+		(void)putnull(text);
+	}
+
+	return (result);
+}
diff --git a/bin/named/statschannel.c b/bin/named/statschannel.c
new file mode 100644
index 0000000..ff3deab
--- /dev/null
+++ b/bin/named/statschannel.c
@@ -0,0 +1,4224 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/buffer.h>
+#include <isc/httpd.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/print.h>
+#include <isc/socket.h>
+#include <isc/stats.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/util.h>
+
+#include <dns/cache.h>
+#include <dns/db.h>
+#include <dns/opcode.h>
+#include <dns/rcode.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatatype.h>
+#include <dns/resolver.h>
+#include <dns/stats.h>
+#include <dns/view.h>
+#include <dns/zt.h>
+
+#include <ns/stats.h>
+
+#include <named/log.h>
+#include <named/server.h>
+#include <named/statschannel.h>
+
+#if HAVE_JSON_C
+#include <json_object.h>
+#include <linkhash.h>
+#endif /* HAVE_JSON_C */
+
+#if HAVE_LIBXML2
+#include <libxml/xmlwriter.h>
+#define ISC_XMLCHAR (const xmlChar *)
+#endif /* HAVE_LIBXML2 */
+
+#include "bind9.xsl.h"
+
+#define CHECK(m)                             \
+	do {                                 \
+		result = (m);                \
+		if (result != ISC_R_SUCCESS) \
+			goto error;          \
+	} while (0)
+
+struct named_statschannel {
+	/* Unlocked */
+	isc_httpdmgr_t *httpdmgr;
+	isc_sockaddr_t address;
+	isc_mem_t *mctx;
+
+	/*
+	 * Locked by channel lock: can be referenced and modified by both
+	 * the server task and the channel task.
+	 */
+	isc_mutex_t lock;
+	dns_acl_t *acl;
+
+	/* Locked by server task */
+	ISC_LINK(struct named_statschannel) link;
+};
+
+typedef struct stats_dumparg {
+	isc_statsformat_t type;
+	void *arg;		 /* type dependent argument */
+	int ncounters;		 /* for general statistics */
+	int *counterindices;	 /* for general statistics */
+	uint64_t *countervalues; /* for general statistics */
+	isc_result_t result;
+} stats_dumparg_t;
+
+static isc_once_t once = ISC_ONCE_INIT;
+
+#if defined(HAVE_LIBXML2) || defined(HAVE_JSON_C)
+#define EXTENDED_STATS
+#else /* if defined(HAVE_LIBXML2) || defined(HAVE_JSON_C) */
+#undef EXTENDED_STATS
+#endif /* if defined(HAVE_LIBXML2) || defined(HAVE_JSON_C) */
+
+#ifdef EXTENDED_STATS
+static const char *
+user_zonetype(dns_zone_t *zone) {
+	dns_zonetype_t ztype;
+	dns_view_t *view;
+	static const struct zt {
+		const dns_zonetype_t type;
+		const char *const string;
+	} typemap[] = { { dns_zone_none, "none" },
+			{ dns_zone_primary, "master" },
+			{ dns_zone_secondary, "slave" },
+			{ dns_zone_mirror, "mirror" },
+			{ dns_zone_stub, "stub" },
+			{ dns_zone_staticstub, "static-stub" },
+			{ dns_zone_key, "key" },
+			{ dns_zone_dlz, "dlz" },
+			{ dns_zone_redirect, "redirect" },
+			{ 0, NULL } };
+	const struct zt *tp;
+
+	if ((dns_zone_getoptions(zone) & DNS_ZONEOPT_AUTOEMPTY) != 0) {
+		return ("builtin");
+	}
+
+	view = dns_zone_getview(zone);
+	if (view != NULL && strcmp(view->name, "_bind") == 0) {
+		return ("builtin");
+	}
+
+	ztype = dns_zone_gettype(zone);
+	for (tp = typemap; tp->string != NULL && tp->type != ztype; tp++) {
+		/* empty */
+	}
+	return (tp->string);
+}
+#endif /* ifdef EXTENDED_STATS */
+
+/*%
+ * Statistics descriptions.  These could be statistically initialized at
+ * compile time, but we configure them run time in the init_desc() function
+ * below so that they'll be less susceptible to counter name changes.
+ */
+static const char *nsstats_desc[ns_statscounter_max];
+static const char *resstats_desc[dns_resstatscounter_max];
+static const char *adbstats_desc[dns_adbstats_max];
+static const char *zonestats_desc[dns_zonestatscounter_max];
+static const char *sockstats_desc[isc_sockstatscounter_max];
+static const char *dnssecstats_desc[dns_dnssecstats_max];
+static const char *udpinsizestats_desc[dns_sizecounter_in_max];
+static const char *udpoutsizestats_desc[dns_sizecounter_out_max];
+static const char *tcpinsizestats_desc[dns_sizecounter_in_max];
+static const char *tcpoutsizestats_desc[dns_sizecounter_out_max];
+static const char *dnstapstats_desc[dns_dnstapcounter_max];
+static const char *gluecachestats_desc[dns_gluecachestatscounter_max];
+#if defined(EXTENDED_STATS)
+static const char *nsstats_xmldesc[ns_statscounter_max];
+static const char *resstats_xmldesc[dns_resstatscounter_max];
+static const char *adbstats_xmldesc[dns_adbstats_max];
+static const char *zonestats_xmldesc[dns_zonestatscounter_max];
+static const char *sockstats_xmldesc[isc_sockstatscounter_max];
+static const char *dnssecstats_xmldesc[dns_dnssecstats_max];
+static const char *udpinsizestats_xmldesc[dns_sizecounter_in_max];
+static const char *udpoutsizestats_xmldesc[dns_sizecounter_out_max];
+static const char *tcpinsizestats_xmldesc[dns_sizecounter_in_max];
+static const char *tcpoutsizestats_xmldesc[dns_sizecounter_out_max];
+static const char *dnstapstats_xmldesc[dns_dnstapcounter_max];
+static const char *gluecachestats_xmldesc[dns_gluecachestatscounter_max];
+#else /* if defined(EXTENDED_STATS) */
+#define nsstats_xmldesc		NULL
+#define resstats_xmldesc	NULL
+#define adbstats_xmldesc	NULL
+#define zonestats_xmldesc	NULL
+#define sockstats_xmldesc	NULL
+#define dnssecstats_xmldesc	NULL
+#define udpinsizestats_xmldesc	NULL
+#define udpoutsizestats_xmldesc NULL
+#define tcpinsizestats_xmldesc	NULL
+#define tcpoutsizestats_xmldesc NULL
+#define dnstapstats_xmldesc	NULL
+#define gluecachestats_xmldesc	NULL
+#endif /* EXTENDED_STATS */
+
+#define TRY0(a)                     \
+	do {                        \
+		xmlrc = (a);        \
+		if (xmlrc < 0)      \
+			goto error; \
+	} while (0)
+
+/*%
+ * Mapping arrays to represent statistics counters in the order of our
+ * preference, regardless of the order of counter indices.  For example,
+ * nsstats_desc[nsstats_index[0]] will be the description that is shown first.
+ */
+static int nsstats_index[ns_statscounter_max];
+static int resstats_index[dns_resstatscounter_max];
+static int adbstats_index[dns_adbstats_max];
+static int zonestats_index[dns_zonestatscounter_max];
+static int sockstats_index[isc_sockstatscounter_max];
+static int dnssecstats_index[dns_dnssecstats_max];
+static int udpinsizestats_index[dns_sizecounter_in_max];
+static int udpoutsizestats_index[dns_sizecounter_out_max];
+static int tcpinsizestats_index[dns_sizecounter_in_max];
+static int tcpoutsizestats_index[dns_sizecounter_out_max];
+static int dnstapstats_index[dns_dnstapcounter_max];
+static int gluecachestats_index[dns_gluecachestatscounter_max];
+
+static void
+set_desc(int counter, int maxcounter, const char *fdesc, const char **fdescs,
+	 const char *xdesc, const char **xdescs) {
+	REQUIRE(counter < maxcounter);
+	REQUIRE(fdescs != NULL && fdescs[counter] == NULL);
+#if defined(EXTENDED_STATS)
+	REQUIRE(xdescs != NULL && xdescs[counter] == NULL);
+#endif /* if defined(EXTENDED_STATS) */
+
+	fdescs[counter] = fdesc;
+#if defined(EXTENDED_STATS)
+	xdescs[counter] = xdesc;
+#else  /* if defined(EXTENDED_STATS) */
+	UNUSED(xdesc);
+	UNUSED(xdescs);
+#endif /* if defined(EXTENDED_STATS) */
+}
+
+static void
+init_desc(void) {
+	int i;
+
+	/* Initialize name server statistics */
+	for (i = 0; i < ns_statscounter_max; i++) {
+		nsstats_desc[i] = NULL;
+	}
+#if defined(EXTENDED_STATS)
+	for (i = 0; i < ns_statscounter_max; i++) {
+		nsstats_xmldesc[i] = NULL;
+	}
+#endif /* if defined(EXTENDED_STATS) */
+
+#define SET_NSSTATDESC(counterid, desc, xmldesc)                           \
+	do {                                                               \
+		set_desc(ns_statscounter_##counterid, ns_statscounter_max, \
+			 desc, nsstats_desc, xmldesc, nsstats_xmldesc);    \
+		nsstats_index[i++] = ns_statscounter_##counterid;          \
+	} while (0)
+
+	i = 0;
+	SET_NSSTATDESC(requestv4, "IPv4 requests received", "Requestv4");
+	SET_NSSTATDESC(requestv6, "IPv6 requests received", "Requestv6");
+	SET_NSSTATDESC(edns0in, "requests with EDNS(0) received", "ReqEdns0");
+	SET_NSSTATDESC(badednsver,
+		       "requests with unsupported EDNS version received",
+		       "ReqBadEDNSVer");
+	SET_NSSTATDESC(tsigin, "requests with TSIG received", "ReqTSIG");
+	SET_NSSTATDESC(sig0in, "requests with SIG(0) received", "ReqSIG0");
+	SET_NSSTATDESC(invalidsig, "requests with invalid signature",
+		       "ReqBadSIG");
+	SET_NSSTATDESC(requesttcp, "TCP requests received", "ReqTCP");
+	SET_NSSTATDESC(tcphighwater, "TCP connection high-water",
+		       "TCPConnHighWater");
+	SET_NSSTATDESC(authrej, "auth queries rejected", "AuthQryRej");
+	SET_NSSTATDESC(recurserej, "recursive queries rejected", "RecQryRej");
+	SET_NSSTATDESC(xfrrej, "transfer requests rejected", "XfrRej");
+	SET_NSSTATDESC(updaterej, "update requests rejected", "UpdateRej");
+	SET_NSSTATDESC(response, "responses sent", "Response");
+	SET_NSSTATDESC(truncatedresp, "truncated responses sent",
+		       "TruncatedResp");
+	SET_NSSTATDESC(edns0out, "responses with EDNS(0) sent", "RespEDNS0");
+	SET_NSSTATDESC(tsigout, "responses with TSIG sent", "RespTSIG");
+	SET_NSSTATDESC(sig0out, "responses with SIG(0) sent", "RespSIG0");
+	SET_NSSTATDESC(success, "queries resulted in successful answer",
+		       "QrySuccess");
+	SET_NSSTATDESC(authans, "queries resulted in authoritative answer",
+		       "QryAuthAns");
+	SET_NSSTATDESC(nonauthans,
+		       "queries resulted in non authoritative answer",
+		       "QryNoauthAns");
+	SET_NSSTATDESC(referral, "queries resulted in referral answer",
+		       "QryReferral");
+	SET_NSSTATDESC(nxrrset, "queries resulted in nxrrset", "QryNxrrset");
+	SET_NSSTATDESC(servfail, "queries resulted in SERVFAIL", "QrySERVFAIL");
+	SET_NSSTATDESC(formerr, "queries resulted in FORMERR", "QryFORMERR");
+	SET_NSSTATDESC(nxdomain, "queries resulted in NXDOMAIN", "QryNXDOMAIN");
+	SET_NSSTATDESC(recursion, "queries caused recursion", "QryRecursion");
+	SET_NSSTATDESC(duplicate, "duplicate queries received", "QryDuplicate");
+	SET_NSSTATDESC(dropped, "queries dropped", "QryDropped");
+	SET_NSSTATDESC(failure, "other query failures", "QryFailure");
+	SET_NSSTATDESC(xfrdone, "requested transfers completed", "XfrReqDone");
+	SET_NSSTATDESC(updatereqfwd, "update requests forwarded",
+		       "UpdateReqFwd");
+	SET_NSSTATDESC(updaterespfwd, "update responses forwarded",
+		       "UpdateRespFwd");
+	SET_NSSTATDESC(updatefwdfail, "update forward failed", "UpdateFwdFail");
+	SET_NSSTATDESC(updatedone, "updates completed", "UpdateDone");
+	SET_NSSTATDESC(updatefail, "updates failed", "UpdateFail");
+	SET_NSSTATDESC(updatebadprereq,
+		       "updates rejected due to prerequisite failure",
+		       "UpdateBadPrereq");
+	SET_NSSTATDESC(recursclients, "recursing clients", "RecursClients");
+	SET_NSSTATDESC(dns64, "queries answered by DNS64", "DNS64");
+	SET_NSSTATDESC(ratedropped, "responses dropped for rate limits",
+		       "RateDropped");
+	SET_NSSTATDESC(rateslipped, "responses truncated for rate limits",
+		       "RateSlipped");
+	SET_NSSTATDESC(rpz_rewrites, "response policy zone rewrites",
+		       "RPZRewrites");
+	SET_NSSTATDESC(udp, "UDP queries received", "QryUDP");
+	SET_NSSTATDESC(tcp, "TCP queries received", "QryTCP");
+	SET_NSSTATDESC(nsidopt, "NSID option received", "NSIDOpt");
+	SET_NSSTATDESC(expireopt, "Expire option received", "ExpireOpt");
+	SET_NSSTATDESC(keepaliveopt, "EDNS TCP keepalive option received",
+		       "KeepAliveOpt");
+	SET_NSSTATDESC(padopt, "EDNS padding option received", "PadOpt");
+	SET_NSSTATDESC(otheropt, "Other EDNS option received", "OtherOpt");
+	SET_NSSTATDESC(cookiein, "COOKIE option received", "CookieIn");
+	SET_NSSTATDESC(cookienew, "COOKIE - client only", "CookieNew");
+	SET_NSSTATDESC(cookiebadsize, "COOKIE - bad size", "CookieBadSize");
+	SET_NSSTATDESC(cookiebadtime, "COOKIE - bad time", "CookieBadTime");
+	SET_NSSTATDESC(cookienomatch, "COOKIE - no match", "CookieNoMatch");
+	SET_NSSTATDESC(cookiematch, "COOKIE - match", "CookieMatch");
+	SET_NSSTATDESC(ecsopt, "EDNS client subnet option received", "ECSOpt");
+	SET_NSSTATDESC(nxdomainredirect,
+		       "queries resulted in NXDOMAIN that were redirected",
+		       "QryNXRedir");
+	SET_NSSTATDESC(nxdomainredirect_rlookup,
+		       "queries resulted in NXDOMAIN that were redirected and "
+		       "resulted in a successful remote lookup",
+		       "QryNXRedirRLookup");
+	SET_NSSTATDESC(badcookie, "sent badcookie response", "QryBADCOOKIE");
+	SET_NSSTATDESC(nxdomainsynth, "synthesized a NXDOMAIN response",
+		       "SynthNXDOMAIN");
+	SET_NSSTATDESC(nodatasynth, "syththesized a no-data response",
+		       "SynthNODATA");
+	SET_NSSTATDESC(wildcardsynth, "synthesized a wildcard response",
+		       "SynthWILDCARD");
+	SET_NSSTATDESC(trystale,
+		       "attempts to use stale cache data after lookup failure",
+		       "QryTryStale");
+	SET_NSSTATDESC(usedstale,
+		       "successful uses of stale cache data after lookup "
+		       "failure",
+		       "QryUsedStale");
+	SET_NSSTATDESC(prefetch, "queries triggered prefetch", "Prefetch");
+	SET_NSSTATDESC(keytagopt, "Keytag option received", "KeyTagOpt");
+	SET_NSSTATDESC(reclimitdropped,
+		       "queries dropped due to recursive client limit",
+		       "RecLimitDropped");
+	SET_NSSTATDESC(updatequota, "Update quota exceeded", "UpdateQuota");
+
+	INSIST(i == ns_statscounter_max);
+
+	/* Initialize resolver statistics */
+	for (i = 0; i < dns_resstatscounter_max; i++) {
+		resstats_desc[i] = NULL;
+	}
+#if defined(EXTENDED_STATS)
+	for (i = 0; i < dns_resstatscounter_max; i++) {
+		resstats_xmldesc[i] = NULL;
+	}
+#endif /* if defined(EXTENDED_STATS) */
+
+#define SET_RESSTATDESC(counterid, desc, xmldesc)                      \
+	do {                                                           \
+		set_desc(dns_resstatscounter_##counterid,              \
+			 dns_resstatscounter_max, desc, resstats_desc, \
+			 xmldesc, resstats_xmldesc);                   \
+		resstats_index[i++] = dns_resstatscounter_##counterid; \
+	} while (0)
+
+	i = 0;
+	SET_RESSTATDESC(queryv4, "IPv4 queries sent", "Queryv4");
+	SET_RESSTATDESC(queryv6, "IPv6 queries sent", "Queryv6");
+	SET_RESSTATDESC(responsev4, "IPv4 responses received", "Responsev4");
+	SET_RESSTATDESC(responsev6, "IPv6 responses received", "Responsev6");
+	SET_RESSTATDESC(nxdomain, "NXDOMAIN received", "NXDOMAIN");
+	SET_RESSTATDESC(servfail, "SERVFAIL received", "SERVFAIL");
+	SET_RESSTATDESC(formerr, "FORMERR received", "FORMERR");
+	SET_RESSTATDESC(othererror, "other errors received", "OtherError");
+	SET_RESSTATDESC(edns0fail, "EDNS(0) query failures", "EDNS0Fail");
+	SET_RESSTATDESC(mismatch, "mismatch responses received", "Mismatch");
+	SET_RESSTATDESC(truncated, "truncated responses received", "Truncated");
+	SET_RESSTATDESC(lame, "lame delegations received", "Lame");
+	SET_RESSTATDESC(retry, "query retries", "Retry");
+	SET_RESSTATDESC(dispabort, "queries aborted due to quota",
+			"QueryAbort");
+	SET_RESSTATDESC(dispsockfail, "failures in opening query sockets",
+			"QuerySockFail");
+	SET_RESSTATDESC(disprequdp, "UDP queries in progress", "QueryCurUDP");
+	SET_RESSTATDESC(dispreqtcp, "TCP queries in progress", "QueryCurTCP");
+	SET_RESSTATDESC(querytimeout, "query timeouts", "QueryTimeout");
+	SET_RESSTATDESC(gluefetchv4, "IPv4 NS address fetches", "GlueFetchv4");
+	SET_RESSTATDESC(gluefetchv6, "IPv6 NS address fetches", "GlueFetchv6");
+	SET_RESSTATDESC(gluefetchv4fail, "IPv4 NS address fetch failed",
+			"GlueFetchv4Fail");
+	SET_RESSTATDESC(gluefetchv6fail, "IPv6 NS address fetch failed",
+			"GlueFetchv6Fail");
+	SET_RESSTATDESC(val, "DNSSEC validation attempted", "ValAttempt");
+	SET_RESSTATDESC(valsuccess, "DNSSEC validation succeeded", "ValOk");
+	SET_RESSTATDESC(valnegsuccess, "DNSSEC NX validation succeeded",
+			"ValNegOk");
+	SET_RESSTATDESC(valfail, "DNSSEC validation failed", "ValFail");
+	SET_RESSTATDESC(queryrtt0,
+			"queries with RTT < " DNS_RESOLVER_QRYRTTCLASS0STR "ms",
+			"QryRTT" DNS_RESOLVER_QRYRTTCLASS0STR);
+	SET_RESSTATDESC(queryrtt1,
+			"queries with RTT " DNS_RESOLVER_QRYRTTCLASS0STR
+			"-" DNS_RESOLVER_QRYRTTCLASS1STR "ms",
+			"QryRTT" DNS_RESOLVER_QRYRTTCLASS1STR);
+	SET_RESSTATDESC(queryrtt2,
+			"queries with RTT " DNS_RESOLVER_QRYRTTCLASS1STR
+			"-" DNS_RESOLVER_QRYRTTCLASS2STR "ms",
+			"QryRTT" DNS_RESOLVER_QRYRTTCLASS2STR);
+	SET_RESSTATDESC(queryrtt3,
+			"queries with RTT " DNS_RESOLVER_QRYRTTCLASS2STR
+			"-" DNS_RESOLVER_QRYRTTCLASS3STR "ms",
+			"QryRTT" DNS_RESOLVER_QRYRTTCLASS3STR);
+	SET_RESSTATDESC(queryrtt4,
+			"queries with RTT " DNS_RESOLVER_QRYRTTCLASS3STR
+			"-" DNS_RESOLVER_QRYRTTCLASS4STR "ms",
+			"QryRTT" DNS_RESOLVER_QRYRTTCLASS4STR);
+	SET_RESSTATDESC(queryrtt5,
+			"queries with RTT > " DNS_RESOLVER_QRYRTTCLASS4STR "ms",
+			"QryRTT" DNS_RESOLVER_QRYRTTCLASS4STR "+");
+	SET_RESSTATDESC(nfetch, "active fetches", "NumFetch");
+	SET_RESSTATDESC(buckets, "bucket size", "BucketSize");
+	SET_RESSTATDESC(refused, "REFUSED received", "REFUSED");
+	SET_RESSTATDESC(cookienew, "COOKIE send with client cookie only",
+			"ClientCookieOut");
+	SET_RESSTATDESC(cookieout, "COOKIE sent with client and server cookie",
+			"ServerCookieOut");
+	SET_RESSTATDESC(cookiein, "COOKIE replies received", "CookieIn");
+	SET_RESSTATDESC(cookieok, "COOKIE client ok", "CookieClientOk");
+	SET_RESSTATDESC(badvers, "bad EDNS version", "BadEDNSVersion");
+	SET_RESSTATDESC(badcookie, "bad cookie rcode", "BadCookieRcode");
+	SET_RESSTATDESC(zonequota, "spilled due to zone quota", "ZoneQuota");
+	SET_RESSTATDESC(serverquota, "spilled due to server quota",
+			"ServerQuota");
+	SET_RESSTATDESC(nextitem, "waited for next item", "NextItem");
+	SET_RESSTATDESC(priming, "priming queries", "Priming");
+
+	INSIST(i == dns_resstatscounter_max);
+
+	/* Initialize adb statistics */
+	for (i = 0; i < dns_adbstats_max; i++) {
+		adbstats_desc[i] = NULL;
+	}
+#if defined(EXTENDED_STATS)
+	for (i = 0; i < dns_adbstats_max; i++) {
+		adbstats_xmldesc[i] = NULL;
+	}
+#endif /* if defined(EXTENDED_STATS) */
+
+#define SET_ADBSTATDESC(id, desc, xmldesc)                          \
+	do {                                                        \
+		set_desc(dns_adbstats_##id, dns_adbstats_max, desc, \
+			 adbstats_desc, xmldesc, adbstats_xmldesc); \
+		adbstats_index[i++] = dns_adbstats_##id;            \
+	} while (0)
+	i = 0;
+	SET_ADBSTATDESC(nentries, "Address hash table size", "nentries");
+	SET_ADBSTATDESC(entriescnt, "Addresses in hash table", "entriescnt");
+	SET_ADBSTATDESC(nnames, "Name hash table size", "nnames");
+	SET_ADBSTATDESC(namescnt, "Names in hash table", "namescnt");
+
+	INSIST(i == dns_adbstats_max);
+
+	/* Initialize zone statistics */
+	for (i = 0; i < dns_zonestatscounter_max; i++) {
+		zonestats_desc[i] = NULL;
+	}
+#if defined(EXTENDED_STATS)
+	for (i = 0; i < dns_zonestatscounter_max; i++) {
+		zonestats_xmldesc[i] = NULL;
+	}
+#endif /* if defined(EXTENDED_STATS) */
+
+#define SET_ZONESTATDESC(counterid, desc, xmldesc)                       \
+	do {                                                             \
+		set_desc(dns_zonestatscounter_##counterid,               \
+			 dns_zonestatscounter_max, desc, zonestats_desc, \
+			 xmldesc, zonestats_xmldesc);                    \
+		zonestats_index[i++] = dns_zonestatscounter_##counterid; \
+	} while (0)
+
+	i = 0;
+	SET_ZONESTATDESC(notifyoutv4, "IPv4 notifies sent", "NotifyOutv4");
+	SET_ZONESTATDESC(notifyoutv6, "IPv6 notifies sent", "NotifyOutv6");
+	SET_ZONESTATDESC(notifyinv4, "IPv4 notifies received", "NotifyInv4");
+	SET_ZONESTATDESC(notifyinv6, "IPv6 notifies received", "NotifyInv6");
+	SET_ZONESTATDESC(notifyrej, "notifies rejected", "NotifyRej");
+	SET_ZONESTATDESC(soaoutv4, "IPv4 SOA queries sent", "SOAOutv4");
+	SET_ZONESTATDESC(soaoutv6, "IPv6 SOA queries sent", "SOAOutv6");
+	SET_ZONESTATDESC(axfrreqv4, "IPv4 AXFR requested", "AXFRReqv4");
+	SET_ZONESTATDESC(axfrreqv6, "IPv6 AXFR requested", "AXFRReqv6");
+	SET_ZONESTATDESC(ixfrreqv4, "IPv4 IXFR requested", "IXFRReqv4");
+	SET_ZONESTATDESC(ixfrreqv6, "IPv6 IXFR requested", "IXFRReqv6");
+	SET_ZONESTATDESC(xfrsuccess, "transfer requests succeeded",
+			 "XfrSuccess");
+	SET_ZONESTATDESC(xfrfail, "transfer requests failed", "XfrFail");
+	INSIST(i == dns_zonestatscounter_max);
+
+	/* Initialize socket statistics */
+	for (i = 0; i < isc_sockstatscounter_max; i++) {
+		sockstats_desc[i] = NULL;
+	}
+#if defined(EXTENDED_STATS)
+	for (i = 0; i < isc_sockstatscounter_max; i++) {
+		sockstats_xmldesc[i] = NULL;
+	}
+#endif /* if defined(EXTENDED_STATS) */
+
+#define SET_SOCKSTATDESC(counterid, desc, xmldesc)                       \
+	do {                                                             \
+		set_desc(isc_sockstatscounter_##counterid,               \
+			 isc_sockstatscounter_max, desc, sockstats_desc, \
+			 xmldesc, sockstats_xmldesc);                    \
+		sockstats_index[i++] = isc_sockstatscounter_##counterid; \
+	} while (0)
+
+	i = 0;
+	SET_SOCKSTATDESC(udp4open, "UDP/IPv4 sockets opened", "UDP4Open");
+	SET_SOCKSTATDESC(udp6open, "UDP/IPv6 sockets opened", "UDP6Open");
+	SET_SOCKSTATDESC(tcp4open, "TCP/IPv4 sockets opened", "TCP4Open");
+	SET_SOCKSTATDESC(tcp6open, "TCP/IPv6 sockets opened", "TCP6Open");
+	SET_SOCKSTATDESC(unixopen, "Unix domain sockets opened", "UnixOpen");
+	SET_SOCKSTATDESC(rawopen, "Raw sockets opened", "RawOpen");
+	SET_SOCKSTATDESC(udp4openfail, "UDP/IPv4 socket open failures",
+			 "UDP4OpenFail");
+	SET_SOCKSTATDESC(udp6openfail, "UDP/IPv6 socket open failures",
+			 "UDP6OpenFail");
+	SET_SOCKSTATDESC(tcp4openfail, "TCP/IPv4 socket open failures",
+			 "TCP4OpenFail");
+	SET_SOCKSTATDESC(tcp6openfail, "TCP/IPv6 socket open failures",
+			 "TCP6OpenFail");
+	SET_SOCKSTATDESC(unixopenfail, "Unix domain socket open failures",
+			 "UnixOpenFail");
+	SET_SOCKSTATDESC(rawopenfail, "Raw socket open failures",
+			 "RawOpenFail");
+	SET_SOCKSTATDESC(udp4close, "UDP/IPv4 sockets closed", "UDP4Close");
+	SET_SOCKSTATDESC(udp6close, "UDP/IPv6 sockets closed", "UDP6Close");
+	SET_SOCKSTATDESC(tcp4close, "TCP/IPv4 sockets closed", "TCP4Close");
+	SET_SOCKSTATDESC(tcp6close, "TCP/IPv6 sockets closed", "TCP6Close");
+	SET_SOCKSTATDESC(unixclose, "Unix domain sockets closed", "UnixClose");
+	SET_SOCKSTATDESC(fdwatchclose, "FDwatch sockets closed",
+			 "FDWatchClose");
+	SET_SOCKSTATDESC(rawclose, "Raw sockets closed", "RawClose");
+	SET_SOCKSTATDESC(udp4bindfail, "UDP/IPv4 socket bind failures",
+			 "UDP4BindFail");
+	SET_SOCKSTATDESC(udp6bindfail, "UDP/IPv6 socket bind failures",
+			 "UDP6BindFail");
+	SET_SOCKSTATDESC(tcp4bindfail, "TCP/IPv4 socket bind failures",
+			 "TCP4BindFail");
+	SET_SOCKSTATDESC(tcp6bindfail, "TCP/IPv6 socket bind failures",
+			 "TCP6BindFail");
+	SET_SOCKSTATDESC(unixbindfail, "Unix domain socket bind failures",
+			 "UnixBindFail");
+	SET_SOCKSTATDESC(fdwatchbindfail, "FDwatch socket bind failures",
+			 "FdwatchBindFail");
+	SET_SOCKSTATDESC(udp4connectfail, "UDP/IPv4 socket connect failures",
+			 "UDP4ConnFail");
+	SET_SOCKSTATDESC(udp6connectfail, "UDP/IPv6 socket connect failures",
+			 "UDP6ConnFail");
+	SET_SOCKSTATDESC(tcp4connectfail, "TCP/IPv4 socket connect failures",
+			 "TCP4ConnFail");
+	SET_SOCKSTATDESC(tcp6connectfail, "TCP/IPv6 socket connect failures",
+			 "TCP6ConnFail");
+	SET_SOCKSTATDESC(unixconnectfail, "Unix domain socket connect failures",
+			 "UnixConnFail");
+	SET_SOCKSTATDESC(fdwatchconnectfail, "FDwatch socket connect failures",
+			 "FDwatchConnFail");
+	SET_SOCKSTATDESC(udp4connect, "UDP/IPv4 connections established",
+			 "UDP4Conn");
+	SET_SOCKSTATDESC(udp6connect, "UDP/IPv6 connections established",
+			 "UDP6Conn");
+	SET_SOCKSTATDESC(tcp4connect, "TCP/IPv4 connections established",
+			 "TCP4Conn");
+	SET_SOCKSTATDESC(tcp6connect, "TCP/IPv6 connections established",
+			 "TCP6Conn");
+	SET_SOCKSTATDESC(unixconnect, "Unix domain connections established",
+			 "UnixConn");
+	SET_SOCKSTATDESC(fdwatchconnect,
+			 "FDwatch domain connections established",
+			 "FDwatchConn");
+	SET_SOCKSTATDESC(tcp4acceptfail, "TCP/IPv4 connection accept failures",
+			 "TCP4AcceptFail");
+	SET_SOCKSTATDESC(tcp6acceptfail, "TCP/IPv6 connection accept failures",
+			 "TCP6AcceptFail");
+	SET_SOCKSTATDESC(unixacceptfail,
+			 "Unix domain connection accept failures",
+			 "UnixAcceptFail");
+	SET_SOCKSTATDESC(tcp4accept, "TCP/IPv4 connections accepted",
+			 "TCP4Accept");
+	SET_SOCKSTATDESC(tcp6accept, "TCP/IPv6 connections accepted",
+			 "TCP6Accept");
+	SET_SOCKSTATDESC(unixaccept, "Unix domain connections accepted",
+			 "UnixAccept");
+	SET_SOCKSTATDESC(udp4sendfail, "UDP/IPv4 send errors", "UDP4SendErr");
+	SET_SOCKSTATDESC(udp6sendfail, "UDP/IPv6 send errors", "UDP6SendErr");
+	SET_SOCKSTATDESC(tcp4sendfail, "TCP/IPv4 send errors", "TCP4SendErr");
+	SET_SOCKSTATDESC(tcp6sendfail, "TCP/IPv6 send errors", "TCP6SendErr");
+	SET_SOCKSTATDESC(unixsendfail, "Unix domain send errors",
+			 "UnixSendErr");
+	SET_SOCKSTATDESC(fdwatchsendfail, "FDwatch send errors",
+			 "FDwatchSendErr");
+	SET_SOCKSTATDESC(udp4recvfail, "UDP/IPv4 recv errors", "UDP4RecvErr");
+	SET_SOCKSTATDESC(udp6recvfail, "UDP/IPv6 recv errors", "UDP6RecvErr");
+	SET_SOCKSTATDESC(tcp4recvfail, "TCP/IPv4 recv errors", "TCP4RecvErr");
+	SET_SOCKSTATDESC(tcp6recvfail, "TCP/IPv6 recv errors", "TCP6RecvErr");
+	SET_SOCKSTATDESC(unixrecvfail, "Unix domain recv errors",
+			 "UnixRecvErr");
+	SET_SOCKSTATDESC(fdwatchrecvfail, "FDwatch recv errors",
+			 "FDwatchRecvErr");
+	SET_SOCKSTATDESC(rawrecvfail, "Raw recv errors", "RawRecvErr");
+	SET_SOCKSTATDESC(udp4active, "UDP/IPv4 sockets active", "UDP4Active");
+	SET_SOCKSTATDESC(udp6active, "UDP/IPv6 sockets active", "UDP6Active");
+	SET_SOCKSTATDESC(tcp4active, "TCP/IPv4 sockets active", "TCP4Active");
+	SET_SOCKSTATDESC(tcp6active, "TCP/IPv6 sockets active", "TCP6Active");
+	SET_SOCKSTATDESC(unixactive, "Unix domain sockets active",
+			 "UnixActive");
+	SET_SOCKSTATDESC(rawactive, "Raw sockets active", "RawActive");
+	INSIST(i == isc_sockstatscounter_max);
+
+	/* Initialize DNSSEC statistics */
+	for (i = 0; i < dns_dnssecstats_max; i++) {
+		dnssecstats_desc[i] = NULL;
+	}
+#if defined(EXTENDED_STATS)
+	for (i = 0; i < dns_dnssecstats_max; i++) {
+		dnssecstats_xmldesc[i] = NULL;
+	}
+#endif /* if defined(EXTENDED_STATS) */
+
+#define SET_DNSSECSTATDESC(counterid, desc, xmldesc)                       \
+	do {                                                               \
+		set_desc(dns_dnssecstats_##counterid, dns_dnssecstats_max, \
+			 desc, dnssecstats_desc, xmldesc,                  \
+			 dnssecstats_xmldesc);                             \
+		dnssecstats_index[i++] = dns_dnssecstats_##counterid;      \
+	} while (0)
+
+	i = 0;
+	SET_DNSSECSTATDESC(asis,
+			   "dnssec validation success with signer "
+			   "\"as is\"",
+			   "DNSSECasis");
+	SET_DNSSECSTATDESC(downcase,
+			   "dnssec validation success with signer "
+			   "lower cased",
+			   "DNSSECdowncase");
+	SET_DNSSECSTATDESC(wildcard, "dnssec validation of wildcard signature",
+			   "DNSSECwild");
+	SET_DNSSECSTATDESC(fail, "dnssec validation failures", "DNSSECfail");
+	INSIST(i == dns_dnssecstats_max);
+
+	/* Initialize dnstap statistics */
+	for (i = 0; i < dns_dnstapcounter_max; i++) {
+		dnstapstats_desc[i] = NULL;
+	}
+#if defined(EXTENDED_STATS)
+	for (i = 0; i < dns_dnstapcounter_max; i++) {
+		dnstapstats_xmldesc[i] = NULL;
+	}
+#endif /* if defined(EXTENDED_STATS) */
+
+#define SET_DNSTAPSTATDESC(counterid, desc, xmldesc)                           \
+	do {                                                                   \
+		set_desc(dns_dnstapcounter_##counterid, dns_dnstapcounter_max, \
+			 desc, dnstapstats_desc, xmldesc,                      \
+			 dnstapstats_xmldesc);                                 \
+		dnstapstats_index[i++] = dns_dnstapcounter_##counterid;        \
+	} while (0)
+	i = 0;
+	SET_DNSTAPSTATDESC(success, "dnstap messages written", "DNSTAPsuccess");
+	SET_DNSTAPSTATDESC(drop, "dnstap messages dropped", "DNSTAPdropped");
+	INSIST(i == dns_dnstapcounter_max);
+
+#define SET_GLUECACHESTATDESC(counterid, desc, xmldesc)         \
+	do {                                                    \
+		set_desc(dns_gluecachestatscounter_##counterid, \
+			 dns_gluecachestatscounter_max, desc,   \
+			 gluecachestats_desc, xmldesc,          \
+			 gluecachestats_xmldesc);               \
+		gluecachestats_index[i++] =                     \
+			dns_gluecachestatscounter_##counterid;  \
+	} while (0)
+	i = 0;
+	SET_GLUECACHESTATDESC(hits_present, "Hits for present glue (cached)",
+			      "GLUECACHEhitspresent");
+	SET_GLUECACHESTATDESC(hits_absent,
+			      "Hits for non-existent glue (cached)",
+			      "GLUECACHEhitsabsent");
+	SET_GLUECACHESTATDESC(inserts_present,
+			      "Miss-plus-cache-inserts for present glue",
+			      "GLUECACHEinsertspresent");
+	SET_GLUECACHESTATDESC(inserts_absent,
+			      "Miss-plus-cache-inserts for non-existent glue",
+			      "GLUECACHEinsertsabsent");
+	INSIST(i == dns_gluecachestatscounter_max);
+
+	/* Sanity check */
+	for (i = 0; i < ns_statscounter_max; i++) {
+		INSIST(nsstats_desc[i] != NULL);
+	}
+	for (i = 0; i < dns_resstatscounter_max; i++) {
+		INSIST(resstats_desc[i] != NULL);
+	}
+	for (i = 0; i < dns_adbstats_max; i++) {
+		INSIST(adbstats_desc[i] != NULL);
+	}
+	for (i = 0; i < dns_zonestatscounter_max; i++) {
+		INSIST(zonestats_desc[i] != NULL);
+	}
+	for (i = 0; i < isc_sockstatscounter_max; i++) {
+		INSIST(sockstats_desc[i] != NULL);
+	}
+	for (i = 0; i < dns_dnssecstats_max; i++) {
+		INSIST(dnssecstats_desc[i] != NULL);
+	}
+	for (i = 0; i < dns_dnstapcounter_max; i++) {
+		INSIST(dnstapstats_desc[i] != NULL);
+	}
+	for (i = 0; i < dns_gluecachestatscounter_max; i++) {
+		INSIST(gluecachestats_desc[i] != NULL);
+	}
+#if defined(EXTENDED_STATS)
+	for (i = 0; i < ns_statscounter_max; i++) {
+		INSIST(nsstats_xmldesc[i] != NULL);
+	}
+	for (i = 0; i < dns_resstatscounter_max; i++) {
+		INSIST(resstats_xmldesc[i] != NULL);
+	}
+	for (i = 0; i < dns_adbstats_max; i++) {
+		INSIST(adbstats_xmldesc[i] != NULL);
+	}
+	for (i = 0; i < dns_zonestatscounter_max; i++) {
+		INSIST(zonestats_xmldesc[i] != NULL);
+	}
+	for (i = 0; i < isc_sockstatscounter_max; i++) {
+		INSIST(sockstats_xmldesc[i] != NULL);
+	}
+	for (i = 0; i < dns_dnssecstats_max; i++) {
+		INSIST(dnssecstats_xmldesc[i] != NULL);
+	}
+	for (i = 0; i < dns_dnstapcounter_max; i++) {
+		INSIST(dnstapstats_xmldesc[i] != NULL);
+	}
+	for (i = 0; i < dns_gluecachestatscounter_max; i++) {
+		INSIST(gluecachestats_xmldesc[i] != NULL);
+	}
+#endif /* if defined(EXTENDED_STATS) */
+
+	/* Initialize traffic size statistics */
+	for (i = 0; i < dns_sizecounter_in_max; i++) {
+		udpinsizestats_desc[i] = NULL;
+		tcpinsizestats_desc[i] = NULL;
+#if defined(EXTENDED_STATS)
+		udpinsizestats_xmldesc[i] = NULL;
+		tcpinsizestats_xmldesc[i] = NULL;
+#endif /* if defined(EXTENDED_STATS) */
+	}
+	for (i = 0; i < dns_sizecounter_out_max; i++) {
+		udpoutsizestats_desc[i] = NULL;
+		tcpoutsizestats_desc[i] = NULL;
+#if defined(EXTENDED_STATS)
+		udpoutsizestats_xmldesc[i] = NULL;
+		tcpoutsizestats_xmldesc[i] = NULL;
+#endif /* if defined(EXTENDED_STATS) */
+	}
+
+#define SET_SIZESTATDESC(counterid, desc, xmldesc, inout)       \
+	do {                                                    \
+		set_desc(dns_sizecounter_##inout##_##counterid, \
+			 dns_sizecounter_##inout##_max, desc,   \
+			 udp##inout##sizestats_desc, xmldesc,   \
+			 udp##inout##sizestats_xmldesc);        \
+		set_desc(dns_sizecounter_##inout##_##counterid, \
+			 dns_sizecounter_##inout##_max, desc,   \
+			 tcp##inout##sizestats_desc, xmldesc,   \
+			 tcp##inout##sizestats_xmldesc);        \
+		udp##inout##sizestats_index[i] =                \
+			dns_sizecounter_##inout##_##counterid;  \
+		tcp##inout##sizestats_index[i] =                \
+			dns_sizecounter_##inout##_##counterid;  \
+		i++;                                            \
+	} while (0)
+
+	i = 0;
+	SET_SIZESTATDESC(0, "requests received 0-15 bytes", "0-15", in);
+	SET_SIZESTATDESC(16, "requests received 16-31 bytes", "16-31", in);
+	SET_SIZESTATDESC(32, "requests received 32-47 bytes", "32-47", in);
+	SET_SIZESTATDESC(48, "requests received 48-63 bytes", "48-63", in);
+	SET_SIZESTATDESC(64, "requests received 64-79 bytes", "64-79", in);
+	SET_SIZESTATDESC(80, "requests received 80-95 bytes", "80-95", in);
+	SET_SIZESTATDESC(96, "requests received 96-111 bytes", "96-111", in);
+	SET_SIZESTATDESC(112, "requests received 112-127 bytes", "112-127", in);
+	SET_SIZESTATDESC(128, "requests received 128-143 bytes", "128-143", in);
+	SET_SIZESTATDESC(144, "requests received 144-159 bytes", "144-159", in);
+	SET_SIZESTATDESC(160, "requests received 160-175 bytes", "160-175", in);
+	SET_SIZESTATDESC(176, "requests received 176-191 bytes", "176-191", in);
+	SET_SIZESTATDESC(192, "requests received 192-207 bytes", "192-207", in);
+	SET_SIZESTATDESC(208, "requests received 208-223 bytes", "208-223", in);
+	SET_SIZESTATDESC(224, "requests received 224-239 bytes", "224-239", in);
+	SET_SIZESTATDESC(240, "requests received 240-255 bytes", "240-255", in);
+	SET_SIZESTATDESC(256, "requests received 256-271 bytes", "256-271", in);
+	SET_SIZESTATDESC(272, "requests received 272-287 bytes", "272-287", in);
+	SET_SIZESTATDESC(288, "requests received 288+ bytes", "288+", in);
+	INSIST(i == dns_sizecounter_in_max);
+
+	i = 0;
+	SET_SIZESTATDESC(0, "responses sent 0-15 bytes", "0-15", out);
+	SET_SIZESTATDESC(16, "responses sent 16-31 bytes", "16-31", out);
+	SET_SIZESTATDESC(32, "responses sent 32-47 bytes", "32-47", out);
+	SET_SIZESTATDESC(48, "responses sent 48-63 bytes", "48-63", out);
+	SET_SIZESTATDESC(64, "responses sent 64-79 bytes", "64-79", out);
+	SET_SIZESTATDESC(80, "responses sent 80-95 bytes", "80-95", out);
+	SET_SIZESTATDESC(96, "responses sent 96-111 bytes", "96-111", out);
+	SET_SIZESTATDESC(112, "responses sent 112-127 bytes", "112-127", out);
+	SET_SIZESTATDESC(128, "responses sent 128-143 bytes", "128-143", out);
+	SET_SIZESTATDESC(144, "responses sent 144-159 bytes", "144-159", out);
+	SET_SIZESTATDESC(160, "responses sent 160-175 bytes", "160-175", out);
+	SET_SIZESTATDESC(176, "responses sent 176-191 bytes", "176-191", out);
+	SET_SIZESTATDESC(192, "responses sent 192-207 bytes", "192-207", out);
+	SET_SIZESTATDESC(208, "responses sent 208-223 bytes", "208-223", out);
+	SET_SIZESTATDESC(224, "responses sent 224-239 bytes", "224-239", out);
+	SET_SIZESTATDESC(240, "responses sent 240-255 bytes", "240-255", out);
+	SET_SIZESTATDESC(256, "responses sent 256-271 bytes", "256-271", out);
+	SET_SIZESTATDESC(272, "responses sent 272-287 bytes", "272-287", out);
+	SET_SIZESTATDESC(288, "responses sent 288-303 bytes", "288-303", out);
+	SET_SIZESTATDESC(304, "responses sent 304-319 bytes", "304-319", out);
+	SET_SIZESTATDESC(320, "responses sent 320-335 bytes", "320-335", out);
+	SET_SIZESTATDESC(336, "responses sent 336-351 bytes", "336-351", out);
+	SET_SIZESTATDESC(352, "responses sent 352-367 bytes", "352-367", out);
+	SET_SIZESTATDESC(368, "responses sent 368-383 bytes", "368-383", out);
+	SET_SIZESTATDESC(384, "responses sent 384-399 bytes", "384-399", out);
+	SET_SIZESTATDESC(400, "responses sent 400-415 bytes", "400-415", out);
+	SET_SIZESTATDESC(416, "responses sent 416-431 bytes", "416-431", out);
+	SET_SIZESTATDESC(432, "responses sent 432-447 bytes", "432-447", out);
+	SET_SIZESTATDESC(448, "responses sent 448-463 bytes", "448-463", out);
+	SET_SIZESTATDESC(464, "responses sent 464-479 bytes", "464-479", out);
+	SET_SIZESTATDESC(480, "responses sent 480-495 bytes", "480-495", out);
+	SET_SIZESTATDESC(496, "responses sent 496-511 bytes", "496-511", out);
+	SET_SIZESTATDESC(512, "responses sent 512-527 bytes", "512-527", out);
+	SET_SIZESTATDESC(528, "responses sent 528-543 bytes", "528-543", out);
+	SET_SIZESTATDESC(544, "responses sent 544-559 bytes", "544-559", out);
+	SET_SIZESTATDESC(560, "responses sent 560-575 bytes", "560-575", out);
+	SET_SIZESTATDESC(576, "responses sent 576-591 bytes", "576-591", out);
+	SET_SIZESTATDESC(592, "responses sent 592-607 bytes", "592-607", out);
+	SET_SIZESTATDESC(608, "responses sent 608-623 bytes", "608-623", out);
+	SET_SIZESTATDESC(624, "responses sent 624-639 bytes", "624-639", out);
+	SET_SIZESTATDESC(640, "responses sent 640-655 bytes", "640-655", out);
+	SET_SIZESTATDESC(656, "responses sent 656-671 bytes", "656-671", out);
+	SET_SIZESTATDESC(672, "responses sent 672-687 bytes", "672-687", out);
+	SET_SIZESTATDESC(688, "responses sent 688-703 bytes", "688-703", out);
+	SET_SIZESTATDESC(704, "responses sent 704-719 bytes", "704-719", out);
+	SET_SIZESTATDESC(720, "responses sent 720-735 bytes", "720-735", out);
+	SET_SIZESTATDESC(736, "responses sent 736-751 bytes", "736-751", out);
+	SET_SIZESTATDESC(752, "responses sent 752-767 bytes", "752-767", out);
+	SET_SIZESTATDESC(768, "responses sent 768-783 bytes", "768-783", out);
+	SET_SIZESTATDESC(784, "responses sent 784-799 bytes", "784-799", out);
+	SET_SIZESTATDESC(800, "responses sent 800-815 bytes", "800-815", out);
+	SET_SIZESTATDESC(816, "responses sent 816-831 bytes", "816-831", out);
+	SET_SIZESTATDESC(832, "responses sent 832-847 bytes", "832-847", out);
+	SET_SIZESTATDESC(848, "responses sent 848-863 bytes", "848-863", out);
+	SET_SIZESTATDESC(864, "responses sent 864-879 bytes", "864-879", out);
+	SET_SIZESTATDESC(880, "responses sent 880-895 bytes", "880-895", out);
+	SET_SIZESTATDESC(896, "responses sent 896-911 bytes", "896-911", out);
+	SET_SIZESTATDESC(912, "responses sent 912-927 bytes", "912-927", out);
+	SET_SIZESTATDESC(928, "responses sent 928-943 bytes", "928-943", out);
+	SET_SIZESTATDESC(944, "responses sent 944-959 bytes", "944-959", out);
+	SET_SIZESTATDESC(960, "responses sent 960-975 bytes", "960-975", out);
+	SET_SIZESTATDESC(976, "responses sent 976-991 bytes", "976-991", out);
+	SET_SIZESTATDESC(992, "responses sent 992-1007 bytes", "992-1007", out);
+	SET_SIZESTATDESC(1008, "responses sent 1008-1023 bytes", "1008-1023",
+			 out);
+	SET_SIZESTATDESC(1024, "responses sent 1024-1039 bytes", "1024-1039",
+			 out);
+	SET_SIZESTATDESC(1040, "responses sent 1040-1055 bytes", "1040-1055",
+			 out);
+	SET_SIZESTATDESC(1056, "responses sent 1056-1071 bytes", "1056-1071",
+			 out);
+	SET_SIZESTATDESC(1072, "responses sent 1072-1087 bytes", "1072-1087",
+			 out);
+	SET_SIZESTATDESC(1088, "responses sent 1088-1103 bytes", "1088-1103",
+			 out);
+	SET_SIZESTATDESC(1104, "responses sent 1104-1119 bytes", "1104-1119",
+			 out);
+	SET_SIZESTATDESC(1120, "responses sent 1120-1135 bytes", "1120-1135",
+			 out);
+	SET_SIZESTATDESC(1136, "responses sent 1136-1151 bytes", "1136-1151",
+			 out);
+	SET_SIZESTATDESC(1152, "responses sent 1152-1167 bytes", "1152-1167",
+			 out);
+	SET_SIZESTATDESC(1168, "responses sent 1168-1183 bytes", "1168-1183",
+			 out);
+	SET_SIZESTATDESC(1184, "responses sent 1184-1199 bytes", "1184-1199",
+			 out);
+	SET_SIZESTATDESC(1200, "responses sent 1200-1215 bytes", "1200-1215",
+			 out);
+	SET_SIZESTATDESC(1216, "responses sent 1216-1231 bytes", "1216-1231",
+			 out);
+	SET_SIZESTATDESC(1232, "responses sent 1232-1247 bytes", "1232-1247",
+			 out);
+	SET_SIZESTATDESC(1248, "responses sent 1248-1263 bytes", "1248-1263",
+			 out);
+	SET_SIZESTATDESC(1264, "responses sent 1264-1279 bytes", "1264-1279",
+			 out);
+	SET_SIZESTATDESC(1280, "responses sent 1280-1295 bytes", "1280-1295",
+			 out);
+	SET_SIZESTATDESC(1296, "responses sent 1296-1311 bytes", "1296-1311",
+			 out);
+	SET_SIZESTATDESC(1312, "responses sent 1312-1327 bytes", "1312-1327",
+			 out);
+	SET_SIZESTATDESC(1328, "responses sent 1328-1343 bytes", "1328-1343",
+			 out);
+	SET_SIZESTATDESC(1344, "responses sent 1344-1359 bytes", "1344-1359",
+			 out);
+	SET_SIZESTATDESC(1360, "responses sent 1360-1375 bytes", "1360-1375",
+			 out);
+	SET_SIZESTATDESC(1376, "responses sent 1376-1391 bytes", "1376-1391",
+			 out);
+	SET_SIZESTATDESC(1392, "responses sent 1392-1407 bytes", "1392-1407",
+			 out);
+	SET_SIZESTATDESC(1408, "responses sent 1408-1423 bytes", "1408-1423",
+			 out);
+	SET_SIZESTATDESC(1424, "responses sent 1424-1439 bytes", "1424-1439",
+			 out);
+	SET_SIZESTATDESC(1440, "responses sent 1440-1455 bytes", "1440-1455",
+			 out);
+	SET_SIZESTATDESC(1456, "responses sent 1456-1471 bytes", "1456-1471",
+			 out);
+	SET_SIZESTATDESC(1472, "responses sent 1472-1487 bytes", "1472-1487",
+			 out);
+	SET_SIZESTATDESC(1488, "responses sent 1488-1503 bytes", "1488-1503",
+			 out);
+	SET_SIZESTATDESC(1504, "responses sent 1504-1519 bytes", "1504-1519",
+			 out);
+	SET_SIZESTATDESC(1520, "responses sent 1520-1535 bytes", "1520-1535",
+			 out);
+	SET_SIZESTATDESC(1536, "responses sent 1536-1551 bytes", "1536-1551",
+			 out);
+	SET_SIZESTATDESC(1552, "responses sent 1552-1567 bytes", "1552-1567",
+			 out);
+	SET_SIZESTATDESC(1568, "responses sent 1568-1583 bytes", "1568-1583",
+			 out);
+	SET_SIZESTATDESC(1584, "responses sent 1584-1599 bytes", "1584-1599",
+			 out);
+	SET_SIZESTATDESC(1600, "responses sent 1600-1615 bytes", "1600-1615",
+			 out);
+	SET_SIZESTATDESC(1616, "responses sent 1616-1631 bytes", "1616-1631",
+			 out);
+	SET_SIZESTATDESC(1632, "responses sent 1632-1647 bytes", "1632-1647",
+			 out);
+	SET_SIZESTATDESC(1648, "responses sent 1648-1663 bytes", "1648-1663",
+			 out);
+	SET_SIZESTATDESC(1664, "responses sent 1664-1679 bytes", "1664-1679",
+			 out);
+	SET_SIZESTATDESC(1680, "responses sent 1680-1695 bytes", "1680-1695",
+			 out);
+	SET_SIZESTATDESC(1696, "responses sent 1696-1711 bytes", "1696-1711",
+			 out);
+	SET_SIZESTATDESC(1712, "responses sent 1712-1727 bytes", "1712-1727",
+			 out);
+	SET_SIZESTATDESC(1728, "responses sent 1728-1743 bytes", "1728-1743",
+			 out);
+	SET_SIZESTATDESC(1744, "responses sent 1744-1759 bytes", "1744-1759",
+			 out);
+	SET_SIZESTATDESC(1760, "responses sent 1760-1775 bytes", "1760-1775",
+			 out);
+	SET_SIZESTATDESC(1776, "responses sent 1776-1791 bytes", "1776-1791",
+			 out);
+	SET_SIZESTATDESC(1792, "responses sent 1792-1807 bytes", "1792-1807",
+			 out);
+	SET_SIZESTATDESC(1808, "responses sent 1808-1823 bytes", "1808-1823",
+			 out);
+	SET_SIZESTATDESC(1824, "responses sent 1824-1839 bytes", "1824-1839",
+			 out);
+	SET_SIZESTATDESC(1840, "responses sent 1840-1855 bytes", "1840-1855",
+			 out);
+	SET_SIZESTATDESC(1856, "responses sent 1856-1871 bytes", "1856-1871",
+			 out);
+	SET_SIZESTATDESC(1872, "responses sent 1872-1887 bytes", "1872-1887",
+			 out);
+	SET_SIZESTATDESC(1888, "responses sent 1888-1903 bytes", "1888-1903",
+			 out);
+	SET_SIZESTATDESC(1904, "responses sent 1904-1919 bytes", "1904-1919",
+			 out);
+	SET_SIZESTATDESC(1920, "responses sent 1920-1935 bytes", "1920-1935",
+			 out);
+	SET_SIZESTATDESC(1936, "responses sent 1936-1951 bytes", "1936-1951",
+			 out);
+	SET_SIZESTATDESC(1952, "responses sent 1952-1967 bytes", "1952-1967",
+			 out);
+	SET_SIZESTATDESC(1968, "responses sent 1968-1983 bytes", "1968-1983",
+			 out);
+	SET_SIZESTATDESC(1984, "responses sent 1984-1999 bytes", "1984-1999",
+			 out);
+	SET_SIZESTATDESC(2000, "responses sent 2000-2015 bytes", "2000-2015",
+			 out);
+	SET_SIZESTATDESC(2016, "responses sent 2016-2031 bytes", "2016-2031",
+			 out);
+	SET_SIZESTATDESC(2032, "responses sent 2032-2047 bytes", "2032-2047",
+			 out);
+	SET_SIZESTATDESC(2048, "responses sent 2048-2063 bytes", "2048-2063",
+			 out);
+	SET_SIZESTATDESC(2064, "responses sent 2064-2079 bytes", "2064-2079",
+			 out);
+	SET_SIZESTATDESC(2080, "responses sent 2080-2095 bytes", "2080-2095",
+			 out);
+	SET_SIZESTATDESC(2096, "responses sent 2096-2111 bytes", "2096-2111",
+			 out);
+	SET_SIZESTATDESC(2112, "responses sent 2112-2127 bytes", "2112-2127",
+			 out);
+	SET_SIZESTATDESC(2128, "responses sent 2128-2143 bytes", "2128-2143",
+			 out);
+	SET_SIZESTATDESC(2144, "responses sent 2144-2159 bytes", "2144-2159",
+			 out);
+	SET_SIZESTATDESC(2160, "responses sent 2160-2175 bytes", "2160-2175",
+			 out);
+	SET_SIZESTATDESC(2176, "responses sent 2176-2191 bytes", "2176-2191",
+			 out);
+	SET_SIZESTATDESC(2192, "responses sent 2192-2207 bytes", "2192-2207",
+			 out);
+	SET_SIZESTATDESC(2208, "responses sent 2208-2223 bytes", "2208-2223",
+			 out);
+	SET_SIZESTATDESC(2224, "responses sent 2224-2239 bytes", "2224-2239",
+			 out);
+	SET_SIZESTATDESC(2240, "responses sent 2240-2255 bytes", "2240-2255",
+			 out);
+	SET_SIZESTATDESC(2256, "responses sent 2256-2271 bytes", "2256-2271",
+			 out);
+	SET_SIZESTATDESC(2272, "responses sent 2272-2287 bytes", "2272-2287",
+			 out);
+	SET_SIZESTATDESC(2288, "responses sent 2288-2303 bytes", "2288-2303",
+			 out);
+	SET_SIZESTATDESC(2304, "responses sent 2304-2319 bytes", "2304-2319",
+			 out);
+	SET_SIZESTATDESC(2320, "responses sent 2320-2335 bytes", "2320-2335",
+			 out);
+	SET_SIZESTATDESC(2336, "responses sent 2336-2351 bytes", "2336-2351",
+			 out);
+	SET_SIZESTATDESC(2352, "responses sent 2352-2367 bytes", "2352-2367",
+			 out);
+	SET_SIZESTATDESC(2368, "responses sent 2368-2383 bytes", "2368-2383",
+			 out);
+	SET_SIZESTATDESC(2384, "responses sent 2384-2399 bytes", "2384-2399",
+			 out);
+	SET_SIZESTATDESC(2400, "responses sent 2400-2415 bytes", "2400-2415",
+			 out);
+	SET_SIZESTATDESC(2416, "responses sent 2416-2431 bytes", "2416-2431",
+			 out);
+	SET_SIZESTATDESC(2432, "responses sent 2432-2447 bytes", "2432-2447",
+			 out);
+	SET_SIZESTATDESC(2448, "responses sent 2448-2463 bytes", "2448-2463",
+			 out);
+	SET_SIZESTATDESC(2464, "responses sent 2464-2479 bytes", "2464-2479",
+			 out);
+	SET_SIZESTATDESC(2480, "responses sent 2480-2495 bytes", "2480-2495",
+			 out);
+	SET_SIZESTATDESC(2496, "responses sent 2496-2511 bytes", "2496-2511",
+			 out);
+	SET_SIZESTATDESC(2512, "responses sent 2512-2527 bytes", "2512-2527",
+			 out);
+	SET_SIZESTATDESC(2528, "responses sent 2528-2543 bytes", "2528-2543",
+			 out);
+	SET_SIZESTATDESC(2544, "responses sent 2544-2559 bytes", "2544-2559",
+			 out);
+	SET_SIZESTATDESC(2560, "responses sent 2560-2575 bytes", "2560-2575",
+			 out);
+	SET_SIZESTATDESC(2576, "responses sent 2576-2591 bytes", "2576-2591",
+			 out);
+	SET_SIZESTATDESC(2592, "responses sent 2592-2607 bytes", "2592-2607",
+			 out);
+	SET_SIZESTATDESC(2608, "responses sent 2608-2623 bytes", "2608-2623",
+			 out);
+	SET_SIZESTATDESC(2624, "responses sent 2624-2639 bytes", "2624-2639",
+			 out);
+	SET_SIZESTATDESC(2640, "responses sent 2640-2655 bytes", "2640-2655",
+			 out);
+	SET_SIZESTATDESC(2656, "responses sent 2656-2671 bytes", "2656-2671",
+			 out);
+	SET_SIZESTATDESC(2672, "responses sent 2672-2687 bytes", "2672-2687",
+			 out);
+	SET_SIZESTATDESC(2688, "responses sent 2688-2703 bytes", "2688-2703",
+			 out);
+	SET_SIZESTATDESC(2704, "responses sent 2704-2719 bytes", "2704-2719",
+			 out);
+	SET_SIZESTATDESC(2720, "responses sent 2720-2735 bytes", "2720-2735",
+			 out);
+	SET_SIZESTATDESC(2736, "responses sent 2736-2751 bytes", "2736-2751",
+			 out);
+	SET_SIZESTATDESC(2752, "responses sent 2752-2767 bytes", "2752-2767",
+			 out);
+	SET_SIZESTATDESC(2768, "responses sent 2768-2783 bytes", "2768-2783",
+			 out);
+	SET_SIZESTATDESC(2784, "responses sent 2784-2799 bytes", "2784-2799",
+			 out);
+	SET_SIZESTATDESC(2800, "responses sent 2800-2815 bytes", "2800-2815",
+			 out);
+	SET_SIZESTATDESC(2816, "responses sent 2816-2831 bytes", "2816-2831",
+			 out);
+	SET_SIZESTATDESC(2832, "responses sent 2832-2847 bytes", "2832-2847",
+			 out);
+	SET_SIZESTATDESC(2848, "responses sent 2848-2863 bytes", "2848-2863",
+			 out);
+	SET_SIZESTATDESC(2864, "responses sent 2864-2879 bytes", "2864-2879",
+			 out);
+	SET_SIZESTATDESC(2880, "responses sent 2880-2895 bytes", "2880-2895",
+			 out);
+	SET_SIZESTATDESC(2896, "responses sent 2896-2911 bytes", "2896-2911",
+			 out);
+	SET_SIZESTATDESC(2912, "responses sent 2912-2927 bytes", "2912-2927",
+			 out);
+	SET_SIZESTATDESC(2928, "responses sent 2928-2943 bytes", "2928-2943",
+			 out);
+	SET_SIZESTATDESC(2944, "responses sent 2944-2959 bytes", "2944-2959",
+			 out);
+	SET_SIZESTATDESC(2960, "responses sent 2960-2975 bytes", "2960-2975",
+			 out);
+	SET_SIZESTATDESC(2976, "responses sent 2976-2991 bytes", "2976-2991",
+			 out);
+	SET_SIZESTATDESC(2992, "responses sent 2992-3007 bytes", "2992-3007",
+			 out);
+	SET_SIZESTATDESC(3008, "responses sent 3008-3023 bytes", "3008-3023",
+			 out);
+	SET_SIZESTATDESC(3024, "responses sent 3024-3039 bytes", "3024-3039",
+			 out);
+	SET_SIZESTATDESC(3040, "responses sent 3040-3055 bytes", "3040-3055",
+			 out);
+	SET_SIZESTATDESC(3056, "responses sent 3056-3071 bytes", "3056-3071",
+			 out);
+	SET_SIZESTATDESC(3072, "responses sent 3072-3087 bytes", "3072-3087",
+			 out);
+	SET_SIZESTATDESC(3088, "responses sent 3088-3103 bytes", "3088-3103",
+			 out);
+	SET_SIZESTATDESC(3104, "responses sent 3104-3119 bytes", "3104-3119",
+			 out);
+	SET_SIZESTATDESC(3120, "responses sent 3120-3135 bytes", "3120-3135",
+			 out);
+	SET_SIZESTATDESC(3136, "responses sent 3136-3151 bytes", "3136-3151",
+			 out);
+	SET_SIZESTATDESC(3152, "responses sent 3152-3167 bytes", "3152-3167",
+			 out);
+	SET_SIZESTATDESC(3168, "responses sent 3168-3183 bytes", "3168-3183",
+			 out);
+	SET_SIZESTATDESC(3184, "responses sent 3184-3199 bytes", "3184-3199",
+			 out);
+	SET_SIZESTATDESC(3200, "responses sent 3200-3215 bytes", "3200-3215",
+			 out);
+	SET_SIZESTATDESC(3216, "responses sent 3216-3231 bytes", "3216-3231",
+			 out);
+	SET_SIZESTATDESC(3232, "responses sent 3232-3247 bytes", "3232-3247",
+			 out);
+	SET_SIZESTATDESC(3248, "responses sent 3248-3263 bytes", "3248-3263",
+			 out);
+	SET_SIZESTATDESC(3264, "responses sent 3264-3279 bytes", "3264-3279",
+			 out);
+	SET_SIZESTATDESC(3280, "responses sent 3280-3295 bytes", "3280-3295",
+			 out);
+	SET_SIZESTATDESC(3296, "responses sent 3296-3311 bytes", "3296-3311",
+			 out);
+	SET_SIZESTATDESC(3312, "responses sent 3312-3327 bytes", "3312-3327",
+			 out);
+	SET_SIZESTATDESC(3328, "responses sent 3328-3343 bytes", "3328-3343",
+			 out);
+	SET_SIZESTATDESC(3344, "responses sent 3344-3359 bytes", "3344-3359",
+			 out);
+	SET_SIZESTATDESC(3360, "responses sent 3360-3375 bytes", "3360-3375",
+			 out);
+	SET_SIZESTATDESC(3376, "responses sent 3376-3391 bytes", "3376-3391",
+			 out);
+	SET_SIZESTATDESC(3392, "responses sent 3392-3407 bytes", "3392-3407",
+			 out);
+	SET_SIZESTATDESC(3408, "responses sent 3408-3423 bytes", "3408-3423",
+			 out);
+	SET_SIZESTATDESC(3424, "responses sent 3424-3439 bytes", "3424-3439",
+			 out);
+	SET_SIZESTATDESC(3440, "responses sent 3440-3455 bytes", "3440-3455",
+			 out);
+	SET_SIZESTATDESC(3456, "responses sent 3456-3471 bytes", "3456-3471",
+			 out);
+	SET_SIZESTATDESC(3472, "responses sent 3472-3487 bytes", "3472-3487",
+			 out);
+	SET_SIZESTATDESC(3488, "responses sent 3488-3503 bytes", "3488-3503",
+			 out);
+	SET_SIZESTATDESC(3504, "responses sent 3504-3519 bytes", "3504-3519",
+			 out);
+	SET_SIZESTATDESC(3520, "responses sent 3520-3535 bytes", "3520-3535",
+			 out);
+	SET_SIZESTATDESC(3536, "responses sent 3536-3551 bytes", "3536-3551",
+			 out);
+	SET_SIZESTATDESC(3552, "responses sent 3552-3567 bytes", "3552-3567",
+			 out);
+	SET_SIZESTATDESC(3568, "responses sent 3568-3583 bytes", "3568-3583",
+			 out);
+	SET_SIZESTATDESC(3584, "responses sent 3584-3599 bytes", "3584-3599",
+			 out);
+	SET_SIZESTATDESC(3600, "responses sent 3600-3615 bytes", "3600-3615",
+			 out);
+	SET_SIZESTATDESC(3616, "responses sent 3616-3631 bytes", "3616-3631",
+			 out);
+	SET_SIZESTATDESC(3632, "responses sent 3632-3647 bytes", "3632-3647",
+			 out);
+	SET_SIZESTATDESC(3648, "responses sent 3648-3663 bytes", "3648-3663",
+			 out);
+	SET_SIZESTATDESC(3664, "responses sent 3664-3679 bytes", "3664-3679",
+			 out);
+	SET_SIZESTATDESC(3680, "responses sent 3680-3695 bytes", "3680-3695",
+			 out);
+	SET_SIZESTATDESC(3696, "responses sent 3696-3711 bytes", "3696-3711",
+			 out);
+	SET_SIZESTATDESC(3712, "responses sent 3712-3727 bytes", "3712-3727",
+			 out);
+	SET_SIZESTATDESC(3728, "responses sent 3728-3743 bytes", "3728-3743",
+			 out);
+	SET_SIZESTATDESC(3744, "responses sent 3744-3759 bytes", "3744-3759",
+			 out);
+	SET_SIZESTATDESC(3760, "responses sent 3760-3775 bytes", "3760-3775",
+			 out);
+	SET_SIZESTATDESC(3776, "responses sent 3776-3791 bytes", "3776-3791",
+			 out);
+	SET_SIZESTATDESC(3792, "responses sent 3792-3807 bytes", "3792-3807",
+			 out);
+	SET_SIZESTATDESC(3808, "responses sent 3808-3823 bytes", "3808-3823",
+			 out);
+	SET_SIZESTATDESC(3824, "responses sent 3824-3839 bytes", "3824-3839",
+			 out);
+	SET_SIZESTATDESC(3840, "responses sent 3840-3855 bytes", "3840-3855",
+			 out);
+	SET_SIZESTATDESC(3856, "responses sent 3856-3871 bytes", "3856-3871",
+			 out);
+	SET_SIZESTATDESC(3872, "responses sent 3872-3887 bytes", "3872-3887",
+			 out);
+	SET_SIZESTATDESC(3888, "responses sent 3888-3903 bytes", "3888-3903",
+			 out);
+	SET_SIZESTATDESC(3904, "responses sent 3904-3919 bytes", "3904-3919",
+			 out);
+	SET_SIZESTATDESC(3920, "responses sent 3920-3935 bytes", "3920-3935",
+			 out);
+	SET_SIZESTATDESC(3936, "responses sent 3936-3951 bytes", "3936-3951",
+			 out);
+	SET_SIZESTATDESC(3952, "responses sent 3952-3967 bytes", "3952-3967",
+			 out);
+	SET_SIZESTATDESC(3968, "responses sent 3968-3983 bytes", "3968-3983",
+			 out);
+	SET_SIZESTATDESC(3984, "responses sent 3984-3999 bytes", "3984-3999",
+			 out);
+	SET_SIZESTATDESC(4000, "responses sent 4000-4015 bytes", "4000-4015",
+			 out);
+	SET_SIZESTATDESC(4016, "responses sent 4016-4031 bytes", "4016-4031",
+			 out);
+	SET_SIZESTATDESC(4032, "responses sent 4032-4047 bytes", "4032-4047",
+			 out);
+	SET_SIZESTATDESC(4048, "responses sent 4048-4063 bytes", "4048-4063",
+			 out);
+	SET_SIZESTATDESC(4064, "responses sent 4064-4079 bytes", "4064-4079",
+			 out);
+	SET_SIZESTATDESC(4080, "responses sent 4080-4095 bytes", "4080-4095",
+			 out);
+	SET_SIZESTATDESC(4096, "responses sent 4096+ bytes", "4096+", out);
+	INSIST(i == dns_sizecounter_out_max);
+
+	/* Sanity check */
+	for (i = 0; i < ns_statscounter_max; i++) {
+		INSIST(nsstats_desc[i] != NULL);
+	}
+	for (i = 0; i < dns_resstatscounter_max; i++) {
+		INSIST(resstats_desc[i] != NULL);
+	}
+	for (i = 0; i < dns_adbstats_max; i++) {
+		INSIST(adbstats_desc[i] != NULL);
+	}
+	for (i = 0; i < dns_zonestatscounter_max; i++) {
+		INSIST(zonestats_desc[i] != NULL);
+	}
+	for (i = 0; i < isc_sockstatscounter_max; i++) {
+		INSIST(sockstats_desc[i] != NULL);
+	}
+	for (i = 0; i < dns_dnssecstats_max; i++) {
+		INSIST(dnssecstats_desc[i] != NULL);
+	}
+	for (i = 0; i < dns_sizecounter_in_max; i++) {
+		INSIST(udpinsizestats_desc[i] != NULL);
+		INSIST(tcpinsizestats_desc[i] != NULL);
+	}
+	for (i = 0; i < dns_sizecounter_out_max; i++) {
+		INSIST(udpoutsizestats_desc[i] != NULL);
+		INSIST(tcpoutsizestats_desc[i] != NULL);
+	}
+#if defined(EXTENDED_STATS)
+	for (i = 0; i < ns_statscounter_max; i++) {
+		INSIST(nsstats_xmldesc[i] != NULL);
+	}
+	for (i = 0; i < dns_resstatscounter_max; i++) {
+		INSIST(resstats_xmldesc[i] != NULL);
+	}
+	for (i = 0; i < dns_adbstats_max; i++) {
+		INSIST(adbstats_xmldesc[i] != NULL);
+	}
+	for (i = 0; i < dns_zonestatscounter_max; i++) {
+		INSIST(zonestats_xmldesc[i] != NULL);
+	}
+	for (i = 0; i < isc_sockstatscounter_max; i++) {
+		INSIST(sockstats_xmldesc[i] != NULL);
+	}
+	for (i = 0; i < dns_dnssecstats_max; i++) {
+		INSIST(dnssecstats_xmldesc[i] != NULL);
+	}
+	for (i = 0; i < dns_sizecounter_in_max; i++) {
+		INSIST(udpinsizestats_xmldesc[i] != NULL);
+		INSIST(tcpinsizestats_xmldesc[i] != NULL);
+	}
+	for (i = 0; i < dns_sizecounter_out_max; i++) {
+		INSIST(udpoutsizestats_xmldesc[i] != NULL);
+		INSIST(tcpoutsizestats_xmldesc[i] != NULL);
+	}
+#endif /* if defined(EXTENDED_STATS) */
+}
+
+/*%
+ * Dump callback functions.
+ */
+static void
+generalstat_dump(isc_statscounter_t counter, uint64_t val, void *arg) {
+	stats_dumparg_t *dumparg = arg;
+
+	REQUIRE(counter < dumparg->ncounters);
+	dumparg->countervalues[counter] = val;
+}
+
+static isc_result_t
+dump_counters(isc_stats_t *stats, isc_statsformat_t type, void *arg,
+	      const char *category, const char **desc, int ncounters,
+	      int *indices, uint64_t *values, int options) {
+	int i, idx;
+	uint64_t value;
+	stats_dumparg_t dumparg;
+	FILE *fp;
+#ifdef HAVE_LIBXML2
+	void *writer;
+	int xmlrc;
+#endif /* ifdef HAVE_LIBXML2 */
+#ifdef HAVE_JSON_C
+	json_object *job, *cat, *counter;
+#endif /* ifdef HAVE_JSON_C */
+
+#if !defined(EXTENDED_STATS)
+	UNUSED(category);
+#endif /* if !defined(EXTENDED_STATS) */
+
+	dumparg.type = type;
+	dumparg.ncounters = ncounters;
+	dumparg.counterindices = indices;
+	dumparg.countervalues = values;
+
+	memset(values, 0, sizeof(values[0]) * ncounters);
+	isc_stats_dump(stats, generalstat_dump, &dumparg, options);
+
+#ifdef HAVE_JSON_C
+	cat = job = (json_object *)arg;
+	if (ncounters > 0 && type == isc_statsformat_json) {
+		if (category != NULL) {
+			cat = json_object_new_object();
+			if (cat == NULL) {
+				return (ISC_R_NOMEMORY);
+			}
+			json_object_object_add(job, category, cat);
+		}
+	}
+#endif /* ifdef HAVE_JSON_C */
+
+	for (i = 0; i < ncounters; i++) {
+		idx = indices[i];
+		value = values[idx];
+
+		if (value == 0 && (options & ISC_STATSDUMP_VERBOSE) == 0) {
+			continue;
+		}
+
+		switch (dumparg.type) {
+		case isc_statsformat_file:
+			fp = arg;
+			fprintf(fp, "%20" PRIu64 " %s\n", value, desc[idx]);
+			break;
+		case isc_statsformat_xml:
+#ifdef HAVE_LIBXML2
+			writer = arg;
+
+			if (category != NULL) {
+				/* <NameOfCategory> */
+				TRY0(xmlTextWriterStartElement(
+					writer, ISC_XMLCHAR category));
+
+				/* <name> inside category */
+				TRY0(xmlTextWriterStartElement(
+					writer, ISC_XMLCHAR "name"));
+				TRY0(xmlTextWriterWriteString(
+					writer, ISC_XMLCHAR desc[idx]));
+				TRY0(xmlTextWriterEndElement(writer));
+				/* </name> */
+
+				/* <counter> */
+				TRY0(xmlTextWriterStartElement(
+					writer, ISC_XMLCHAR "counter"));
+				TRY0(xmlTextWriterWriteFormatString(
+					writer, "%" PRIu64, value));
+
+				TRY0(xmlTextWriterEndElement(writer));
+				/* </counter> */
+				TRY0(xmlTextWriterEndElement(writer));
+				/* </NameOfCategory> */
+			} else {
+				TRY0(xmlTextWriterStartElement(
+					writer, ISC_XMLCHAR "counter"));
+				TRY0(xmlTextWriterWriteAttribute(
+					writer, ISC_XMLCHAR "name",
+					ISC_XMLCHAR desc[idx]));
+				TRY0(xmlTextWriterWriteFormatString(
+					writer, "%" PRIu64, value));
+				TRY0(xmlTextWriterEndElement(writer));
+				/* counter */
+			}
+
+#endif /* ifdef HAVE_LIBXML2 */
+			break;
+		case isc_statsformat_json:
+#ifdef HAVE_JSON_C
+			counter = json_object_new_int64(value);
+			if (counter == NULL) {
+				return (ISC_R_NOMEMORY);
+			}
+			json_object_object_add(cat, desc[idx], counter);
+#endif /* ifdef HAVE_JSON_C */
+			break;
+		}
+	}
+	return (ISC_R_SUCCESS);
+#ifdef HAVE_LIBXML2
+error:
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+		      "failed at dump_counters()");
+	return (ISC_R_FAILURE);
+#endif /* ifdef HAVE_LIBXML2 */
+}
+
+static void
+rdtypestat_dump(dns_rdatastatstype_t type, uint64_t val, void *arg) {
+	char typebuf[64];
+	const char *typestr;
+	stats_dumparg_t *dumparg = arg;
+	FILE *fp;
+#ifdef HAVE_LIBXML2
+	void *writer;
+	int xmlrc;
+#endif /* ifdef HAVE_LIBXML2 */
+#ifdef HAVE_JSON_C
+	json_object *zoneobj, *obj;
+#endif /* ifdef HAVE_JSON_C */
+
+	if ((DNS_RDATASTATSTYPE_ATTR(type) &
+	     DNS_RDATASTATSTYPE_ATTR_OTHERTYPE) == 0)
+	{
+		dns_rdatatype_format(DNS_RDATASTATSTYPE_BASE(type), typebuf,
+				     sizeof(typebuf));
+		typestr = typebuf;
+	} else {
+		typestr = "Others";
+	}
+
+	switch (dumparg->type) {
+	case isc_statsformat_file:
+		fp = dumparg->arg;
+		fprintf(fp, "%20" PRIu64 " %s\n", val, typestr);
+		break;
+	case isc_statsformat_xml:
+#ifdef HAVE_LIBXML2
+		writer = dumparg->arg;
+
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counter"));
+		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "name",
+						 ISC_XMLCHAR typestr));
+
+		TRY0(xmlTextWriterWriteFormatString(writer, "%" PRIu64, val));
+
+		TRY0(xmlTextWriterEndElement(writer)); /* type */
+#endif						       /* ifdef HAVE_LIBXML2 */
+		break;
+	case isc_statsformat_json:
+#ifdef HAVE_JSON_C
+		zoneobj = (json_object *)dumparg->arg;
+		obj = json_object_new_int64(val);
+		if (obj == NULL) {
+			return;
+		}
+		json_object_object_add(zoneobj, typestr, obj);
+#endif /* ifdef HAVE_JSON_C */
+		break;
+	}
+	return;
+#ifdef HAVE_LIBXML2
+error:
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+		      "failed at rdtypestat_dump()");
+	dumparg->result = ISC_R_FAILURE;
+	return;
+#endif /* ifdef HAVE_LIBXML2 */
+}
+
+static bool
+rdatastatstype_attr(dns_rdatastatstype_t type, unsigned int attr) {
+	return ((DNS_RDATASTATSTYPE_ATTR(type) & attr) != 0);
+}
+
+static void
+rdatasetstats_dump(dns_rdatastatstype_t type, uint64_t val, void *arg) {
+	stats_dumparg_t *dumparg = arg;
+	FILE *fp;
+	char typebuf[64];
+	const char *typestr;
+	bool nxrrset = false;
+	bool stale = false;
+	bool ancient = false;
+#ifdef HAVE_LIBXML2
+	void *writer;
+	int xmlrc;
+#endif /* ifdef HAVE_LIBXML2 */
+#ifdef HAVE_JSON_C
+	json_object *zoneobj, *obj;
+	char buf[1024];
+#endif /* ifdef HAVE_JSON_C */
+
+	if ((DNS_RDATASTATSTYPE_ATTR(type) &
+	     DNS_RDATASTATSTYPE_ATTR_NXDOMAIN) != 0)
+	{
+		typestr = "NXDOMAIN";
+	} else if ((DNS_RDATASTATSTYPE_ATTR(type) &
+		    DNS_RDATASTATSTYPE_ATTR_OTHERTYPE) != 0)
+	{
+		typestr = "Others";
+	} else {
+		dns_rdatatype_format(DNS_RDATASTATSTYPE_BASE(type), typebuf,
+				     sizeof(typebuf));
+		typestr = typebuf;
+	}
+
+	nxrrset = rdatastatstype_attr(type, DNS_RDATASTATSTYPE_ATTR_NXRRSET);
+	stale = rdatastatstype_attr(type, DNS_RDATASTATSTYPE_ATTR_STALE);
+	ancient = rdatastatstype_attr(type, DNS_RDATASTATSTYPE_ATTR_ANCIENT);
+
+	switch (dumparg->type) {
+	case isc_statsformat_file:
+		fp = dumparg->arg;
+		fprintf(fp, "%20" PRIu64 " %s%s%s%s\n", val, ancient ? "~" : "",
+			stale ? "#" : "", nxrrset ? "!" : "", typestr);
+		break;
+	case isc_statsformat_xml:
+#ifdef HAVE_LIBXML2
+		writer = dumparg->arg;
+
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "rrset"));
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "name"));
+		TRY0(xmlTextWriterWriteFormatString(
+			writer, "%s%s%s%s", ancient ? "~" : "",
+			stale ? "#" : "", nxrrset ? "!" : "", typestr));
+		TRY0(xmlTextWriterEndElement(writer)); /* name */
+
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counter"));
+		TRY0(xmlTextWriterWriteFormatString(writer, "%" PRIu64, val));
+		TRY0(xmlTextWriterEndElement(writer)); /* counter */
+
+		TRY0(xmlTextWriterEndElement(writer)); /* rrset */
+#endif						       /* ifdef HAVE_LIBXML2 */
+		break;
+	case isc_statsformat_json:
+#ifdef HAVE_JSON_C
+		zoneobj = (json_object *)dumparg->arg;
+		snprintf(buf, sizeof(buf), "%s%s%s%s", ancient ? "~" : "",
+			 stale ? "#" : "", nxrrset ? "!" : "", typestr);
+		obj = json_object_new_int64(val);
+		if (obj == NULL) {
+			return;
+		}
+		json_object_object_add(zoneobj, buf, obj);
+#endif /* ifdef HAVE_JSON_C */
+		break;
+	}
+	return;
+#ifdef HAVE_LIBXML2
+error:
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+		      "failed at rdatasetstats_dump()");
+	dumparg->result = ISC_R_FAILURE;
+#endif /* ifdef HAVE_LIBXML2 */
+}
+
+static void
+opcodestat_dump(dns_opcode_t code, uint64_t val, void *arg) {
+	FILE *fp;
+	isc_buffer_t b;
+	char codebuf[64];
+	stats_dumparg_t *dumparg = arg;
+#ifdef HAVE_LIBXML2
+	void *writer;
+	int xmlrc;
+#endif /* ifdef HAVE_LIBXML2 */
+#ifdef HAVE_JSON_C
+	json_object *zoneobj, *obj;
+#endif /* ifdef HAVE_JSON_C */
+
+	isc_buffer_init(&b, codebuf, sizeof(codebuf) - 1);
+	dns_opcode_totext(code, &b);
+	codebuf[isc_buffer_usedlength(&b)] = '\0';
+
+	switch (dumparg->type) {
+	case isc_statsformat_file:
+		fp = dumparg->arg;
+		fprintf(fp, "%20" PRIu64 " %s\n", val, codebuf);
+		break;
+	case isc_statsformat_xml:
+#ifdef HAVE_LIBXML2
+		writer = dumparg->arg;
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counter"));
+		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "name",
+						 ISC_XMLCHAR codebuf));
+		TRY0(xmlTextWriterWriteFormatString(writer, "%" PRIu64, val));
+		TRY0(xmlTextWriterEndElement(writer)); /* counter */
+#endif						       /* ifdef HAVE_LIBXML2 */
+		break;
+	case isc_statsformat_json:
+#ifdef HAVE_JSON_C
+		zoneobj = (json_object *)dumparg->arg;
+		obj = json_object_new_int64(val);
+		if (obj == NULL) {
+			return;
+		}
+		json_object_object_add(zoneobj, codebuf, obj);
+#endif /* ifdef HAVE_JSON_C */
+		break;
+	}
+	return;
+
+#ifdef HAVE_LIBXML2
+error:
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+		      "failed at opcodestat_dump()");
+	dumparg->result = ISC_R_FAILURE;
+	return;
+#endif /* ifdef HAVE_LIBXML2 */
+}
+
+static void
+rcodestat_dump(dns_rcode_t code, uint64_t val, void *arg) {
+	FILE *fp;
+	isc_buffer_t b;
+	char codebuf[64];
+	stats_dumparg_t *dumparg = arg;
+#ifdef HAVE_LIBXML2
+	void *writer;
+	int xmlrc;
+#endif /* ifdef HAVE_LIBXML2 */
+#ifdef HAVE_JSON_C
+	json_object *zoneobj, *obj;
+#endif /* ifdef HAVE_JSON_C */
+
+	isc_buffer_init(&b, codebuf, sizeof(codebuf) - 1);
+	dns_rcode_totext(code, &b);
+	codebuf[isc_buffer_usedlength(&b)] = '\0';
+
+	switch (dumparg->type) {
+	case isc_statsformat_file:
+		fp = dumparg->arg;
+		fprintf(fp, "%20" PRIu64 " %s\n", val, codebuf);
+		break;
+	case isc_statsformat_xml:
+#ifdef HAVE_LIBXML2
+		writer = dumparg->arg;
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counter"));
+		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "name",
+						 ISC_XMLCHAR codebuf));
+		TRY0(xmlTextWriterWriteFormatString(writer, "%" PRIu64, val));
+		TRY0(xmlTextWriterEndElement(writer)); /* counter */
+#endif						       /* ifdef HAVE_LIBXML2 */
+		break;
+	case isc_statsformat_json:
+#ifdef HAVE_JSON_C
+		zoneobj = (json_object *)dumparg->arg;
+		obj = json_object_new_int64(val);
+		if (obj == NULL) {
+			return;
+		}
+		json_object_object_add(zoneobj, codebuf, obj);
+#endif /* ifdef HAVE_JSON_C */
+		break;
+	}
+	return;
+
+#ifdef HAVE_LIBXML2
+error:
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+		      "failed at rcodestat_dump()");
+	dumparg->result = ISC_R_FAILURE;
+	return;
+#endif /* ifdef HAVE_LIBXML2 */
+}
+
+#if defined(EXTENDED_STATS)
+static void
+dnssecsignstat_dump(dns_keytag_t tag, uint64_t val, void *arg) {
+	FILE *fp;
+	char tagbuf[64];
+	stats_dumparg_t *dumparg = arg;
+#ifdef HAVE_LIBXML2
+	xmlTextWriterPtr writer;
+	int xmlrc;
+#endif /* ifdef HAVE_LIBXML2 */
+#ifdef HAVE_JSON_C
+	json_object *zoneobj, *obj;
+#endif /* ifdef HAVE_JSON_C */
+
+	snprintf(tagbuf, sizeof(tagbuf), "%u", tag);
+
+	switch (dumparg->type) {
+	case isc_statsformat_file:
+		fp = dumparg->arg;
+		fprintf(fp, "%20" PRIu64 " %s\n", val, tagbuf);
+		break;
+	case isc_statsformat_xml:
+#ifdef HAVE_LIBXML2
+		writer = dumparg->arg;
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counter"));
+		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "name",
+						 ISC_XMLCHAR tagbuf));
+		TRY0(xmlTextWriterWriteFormatString(writer, "%" PRIu64, val));
+		TRY0(xmlTextWriterEndElement(writer)); /* counter */
+#endif						       /* ifdef HAVE_LIBXML2 */
+		break;
+	case isc_statsformat_json:
+#ifdef HAVE_JSON_C
+		zoneobj = (json_object *)dumparg->arg;
+		obj = json_object_new_int64(val);
+		if (obj == NULL) {
+			return;
+		}
+		json_object_object_add(zoneobj, tagbuf, obj);
+#endif /* ifdef HAVE_JSON_C */
+		break;
+	}
+	return;
+#ifdef HAVE_LIBXML2
+error:
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+		      "failed at dnssecsignstat_dump()");
+	dumparg->result = ISC_R_FAILURE;
+	return;
+#endif /* ifdef HAVE_LIBXML2 */
+}
+#endif /* defined(EXTENDED_STATS) */
+
+#ifdef HAVE_LIBXML2
+/*
+ * Which statistics to include when rendering to XML
+ */
+#define STATS_XML_STATUS  0x00 /* display only common statistics */
+#define STATS_XML_SERVER  0x01
+#define STATS_XML_ZONES	  0x02
+#define STATS_XML_TASKS	  0x04
+#define STATS_XML_NET	  0x08
+#define STATS_XML_MEM	  0x10
+#define STATS_XML_TRAFFIC 0x20
+#define STATS_XML_ALL	  0xff
+
+static isc_result_t
+zone_xmlrender(dns_zone_t *zone, void *arg) {
+	isc_result_t result;
+	char buf[1024 + 32]; /* sufficiently large for zone name and class */
+	dns_rdataclass_t rdclass;
+	uint32_t serial;
+	xmlTextWriterPtr writer = arg;
+	dns_zonestat_level_t statlevel;
+	int xmlrc;
+	stats_dumparg_t dumparg;
+	const char *ztype;
+
+	statlevel = dns_zone_getstatlevel(zone);
+	if (statlevel == dns_zonestat_none) {
+		return (ISC_R_SUCCESS);
+	}
+
+	dumparg.type = isc_statsformat_xml;
+	dumparg.arg = writer;
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "zone"));
+
+	dns_zone_nameonly(zone, buf, sizeof(buf));
+	TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "name",
+					 ISC_XMLCHAR buf));
+
+	rdclass = dns_zone_getclass(zone);
+	dns_rdataclass_format(rdclass, buf, sizeof(buf));
+	TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "rdataclass",
+					 ISC_XMLCHAR buf));
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "type"));
+	ztype = user_zonetype(zone);
+	if (ztype != NULL) {
+		TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR ztype));
+	} else {
+		TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR "unknown"));
+	}
+	TRY0(xmlTextWriterEndElement(writer)); /* type */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "serial"));
+	if (dns_zone_getserial(zone, &serial) == ISC_R_SUCCESS) {
+		TRY0(xmlTextWriterWriteFormatString(writer, "%u", serial));
+	} else {
+		TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR "-"));
+	}
+	TRY0(xmlTextWriterEndElement(writer)); /* serial */
+
+	/*
+	 * Export zone timers to the statistics channel in XML format.  For
+	 * master zones, only include the loaded time.  For slave zones, also
+	 * include the expires and refresh times.
+	 */
+	isc_time_t timestamp;
+
+	result = dns_zone_getloadtime(zone, &timestamp);
+	if (result != ISC_R_SUCCESS) {
+		goto error;
+	}
+
+	isc_time_formatISO8601(&timestamp, buf, 64);
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "loaded"));
+	TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR buf));
+	TRY0(xmlTextWriterEndElement(writer));
+
+	if (dns_zone_gettype(zone) == dns_zone_secondary) {
+		result = dns_zone_getexpiretime(zone, &timestamp);
+		if (result != ISC_R_SUCCESS) {
+			goto error;
+		}
+		isc_time_formatISO8601(&timestamp, buf, 64);
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "expires"));
+		TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR buf));
+		TRY0(xmlTextWriterEndElement(writer));
+
+		result = dns_zone_getrefreshtime(zone, &timestamp);
+		if (result != ISC_R_SUCCESS) {
+			goto error;
+		}
+		isc_time_formatISO8601(&timestamp, buf, 64);
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "refresh"));
+		TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR buf));
+		TRY0(xmlTextWriterEndElement(writer));
+	}
+
+	if (statlevel == dns_zonestat_full) {
+		isc_stats_t *zonestats;
+		isc_stats_t *gluecachestats;
+		dns_stats_t *rcvquerystats;
+		dns_stats_t *dnssecsignstats;
+		uint64_t nsstat_values[ns_statscounter_max];
+		uint64_t gluecachestats_values[dns_gluecachestatscounter_max];
+
+		zonestats = dns_zone_getrequeststats(zone);
+		if (zonestats != NULL) {
+			TRY0(xmlTextWriterStartElement(writer,
+						       ISC_XMLCHAR "counters"));
+			TRY0(xmlTextWriterWriteAttribute(writer,
+							 ISC_XMLCHAR "type",
+							 ISC_XMLCHAR "rcode"));
+
+			result = dump_counters(zonestats, isc_statsformat_xml,
+					       writer, NULL, nsstats_xmldesc,
+					       ns_statscounter_max,
+					       nsstats_index, nsstat_values,
+					       ISC_STATSDUMP_VERBOSE);
+			if (result != ISC_R_SUCCESS) {
+				goto error;
+			}
+			/* counters type="rcode"*/
+			TRY0(xmlTextWriterEndElement(writer));
+		}
+
+		gluecachestats = dns_zone_getgluecachestats(zone);
+		if (gluecachestats != NULL) {
+			TRY0(xmlTextWriterStartElement(writer,
+						       ISC_XMLCHAR "counters"));
+			TRY0(xmlTextWriterWriteAttribute(
+				writer, ISC_XMLCHAR "type",
+				ISC_XMLCHAR "gluecache"));
+
+			result = dump_counters(
+				gluecachestats, isc_statsformat_xml, writer,
+				NULL, gluecachestats_xmldesc,
+				dns_gluecachestatscounter_max,
+				gluecachestats_index, gluecachestats_values,
+				ISC_STATSDUMP_VERBOSE);
+			if (result != ISC_R_SUCCESS) {
+				goto error;
+			}
+			/* counters type="rcode"*/
+			TRY0(xmlTextWriterEndElement(writer));
+		}
+
+		rcvquerystats = dns_zone_getrcvquerystats(zone);
+		if (rcvquerystats != NULL) {
+			TRY0(xmlTextWriterStartElement(writer,
+						       ISC_XMLCHAR "counters"));
+			TRY0(xmlTextWriterWriteAttribute(writer,
+							 ISC_XMLCHAR "type",
+							 ISC_XMLCHAR "qtype"));
+
+			dumparg.result = ISC_R_SUCCESS;
+			dns_rdatatypestats_dump(rcvquerystats, rdtypestat_dump,
+						&dumparg, 0);
+			if (dumparg.result != ISC_R_SUCCESS) {
+				goto error;
+			}
+
+			/* counters type="qtype"*/
+			TRY0(xmlTextWriterEndElement(writer));
+		}
+
+		dnssecsignstats = dns_zone_getdnssecsignstats(zone);
+		if (dnssecsignstats != NULL) {
+			/* counters type="dnssec-sign"*/
+			TRY0(xmlTextWriterStartElement(writer,
+						       ISC_XMLCHAR "counters"));
+			TRY0(xmlTextWriterWriteAttribute(
+				writer, ISC_XMLCHAR "type",
+				ISC_XMLCHAR "dnssec-sign"));
+
+			dumparg.result = ISC_R_SUCCESS;
+			dns_dnssecsignstats_dump(
+				dnssecsignstats, dns_dnssecsignstats_sign,
+				dnssecsignstat_dump, &dumparg, 0);
+			if (dumparg.result != ISC_R_SUCCESS) {
+				goto error;
+			}
+
+			/* counters type="dnssec-sign"*/
+			TRY0(xmlTextWriterEndElement(writer));
+
+			/* counters type="dnssec-refresh"*/
+			TRY0(xmlTextWriterStartElement(writer,
+						       ISC_XMLCHAR "counters"));
+			TRY0(xmlTextWriterWriteAttribute(
+				writer, ISC_XMLCHAR "type",
+				ISC_XMLCHAR "dnssec-refresh"));
+
+			dumparg.result = ISC_R_SUCCESS;
+			dns_dnssecsignstats_dump(
+				dnssecsignstats, dns_dnssecsignstats_refresh,
+				dnssecsignstat_dump, &dumparg, 0);
+			if (dumparg.result != ISC_R_SUCCESS) {
+				goto error;
+			}
+
+			/* counters type="dnssec-refresh"*/
+			TRY0(xmlTextWriterEndElement(writer));
+		}
+	}
+
+	TRY0(xmlTextWriterEndElement(writer)); /* zone */
+
+	return (ISC_R_SUCCESS);
+error:
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+		      "Failed at zone_xmlrender()");
+	return (ISC_R_FAILURE);
+}
+
+static isc_result_t
+generatexml(named_server_t *server, uint32_t flags, int *buflen,
+	    xmlChar **buf) {
+	char boottime[sizeof "yyyy-mm-ddThh:mm:ss.sssZ"];
+	char configtime[sizeof "yyyy-mm-ddThh:mm:ss.sssZ"];
+	char nowstr[sizeof "yyyy-mm-ddThh:mm:ss.sssZ"];
+	isc_time_t now;
+	xmlTextWriterPtr writer = NULL;
+	xmlDocPtr doc = NULL;
+	int xmlrc;
+	dns_view_t *view;
+	stats_dumparg_t dumparg;
+	dns_stats_t *cacherrstats;
+	uint64_t nsstat_values[ns_statscounter_max];
+	uint64_t resstat_values[dns_resstatscounter_max];
+	uint64_t adbstat_values[dns_adbstats_max];
+	uint64_t zonestat_values[dns_zonestatscounter_max];
+	uint64_t sockstat_values[isc_sockstatscounter_max];
+	uint64_t udpinsizestat_values[dns_sizecounter_in_max];
+	uint64_t udpoutsizestat_values[dns_sizecounter_out_max];
+	uint64_t tcpinsizestat_values[dns_sizecounter_in_max];
+	uint64_t tcpoutsizestat_values[dns_sizecounter_out_max];
+#ifdef HAVE_DNSTAP
+	uint64_t dnstapstat_values[dns_dnstapcounter_max];
+#endif /* ifdef HAVE_DNSTAP */
+	isc_result_t result;
+
+	isc_time_now(&now);
+	isc_time_formatISO8601ms(&named_g_boottime, boottime, sizeof boottime);
+	isc_time_formatISO8601ms(&named_g_configtime, configtime,
+				 sizeof configtime);
+	isc_time_formatISO8601ms(&now, nowstr, sizeof nowstr);
+
+	writer = xmlNewTextWriterDoc(&doc, 0);
+	if (writer == NULL) {
+		goto error;
+	}
+	TRY0(xmlTextWriterStartDocument(writer, NULL, "UTF-8", NULL));
+	TRY0(xmlTextWriterWritePI(writer, ISC_XMLCHAR "xml-stylesheet",
+				  ISC_XMLCHAR "type=\"text/xsl\" "
+					      "href=\"/bind9.xsl\""));
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "statistics"));
+	TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "version",
+					 ISC_XMLCHAR "3.11.1"));
+
+	/* Set common fields for statistics dump */
+	dumparg.type = isc_statsformat_xml;
+	dumparg.arg = writer;
+
+	/* Render server information */
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "server"));
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "boot-time"));
+	TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR boottime));
+	TRY0(xmlTextWriterEndElement(writer)); /* boot-time */
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "config-time"));
+	TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR configtime));
+	TRY0(xmlTextWriterEndElement(writer)); /* config-time */
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "current-time"));
+	TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR nowstr));
+	TRY0(xmlTextWriterEndElement(writer)); /* current-time */
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "version"));
+	TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR named_g_version));
+	TRY0(xmlTextWriterEndElement(writer)); /* version */
+
+	if ((flags & STATS_XML_SERVER) != 0) {
+		dumparg.result = ISC_R_SUCCESS;
+
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
+		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
+						 ISC_XMLCHAR "opcode"));
+
+		dns_opcodestats_dump(server->sctx->opcodestats, opcodestat_dump,
+				     &dumparg, ISC_STATSDUMP_VERBOSE);
+		if (dumparg.result != ISC_R_SUCCESS) {
+			goto error;
+		}
+
+		TRY0(xmlTextWriterEndElement(writer));
+
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
+		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
+						 ISC_XMLCHAR "rcode"));
+
+		dns_rcodestats_dump(server->sctx->rcodestats, rcodestat_dump,
+				    &dumparg, ISC_STATSDUMP_VERBOSE);
+		if (dumparg.result != ISC_R_SUCCESS) {
+			goto error;
+		}
+
+		TRY0(xmlTextWriterEndElement(writer));
+
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
+		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
+						 ISC_XMLCHAR "qtype"));
+
+		dumparg.result = ISC_R_SUCCESS;
+		dns_rdatatypestats_dump(server->sctx->rcvquerystats,
+					rdtypestat_dump, &dumparg, 0);
+		if (dumparg.result != ISC_R_SUCCESS) {
+			goto error;
+		}
+		TRY0(xmlTextWriterEndElement(writer)); /* counters */
+
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
+		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
+						 ISC_XMLCHAR "nsstat"));
+
+		result = dump_counters(ns_stats_get(server->sctx->nsstats),
+				       isc_statsformat_xml, writer, NULL,
+				       nsstats_xmldesc, ns_statscounter_max,
+				       nsstats_index, nsstat_values,
+				       ISC_STATSDUMP_VERBOSE);
+		if (result != ISC_R_SUCCESS) {
+			goto error;
+		}
+
+		TRY0(xmlTextWriterEndElement(writer)); /* /nsstat */
+
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
+		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
+						 ISC_XMLCHAR "zonestat"));
+
+		result = dump_counters(server->zonestats, isc_statsformat_xml,
+				       writer, NULL, zonestats_xmldesc,
+				       dns_zonestatscounter_max,
+				       zonestats_index, zonestat_values,
+				       ISC_STATSDUMP_VERBOSE);
+		if (result != ISC_R_SUCCESS) {
+			goto error;
+		}
+
+		TRY0(xmlTextWriterEndElement(writer)); /* /zonestat */
+
+		/*
+		 * Most of the common resolver statistics entries are 0, so
+		 * we don't use the verbose dump here.
+		 */
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
+		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
+						 ISC_XMLCHAR "resstat"));
+		result = dump_counters(
+			server->resolverstats, isc_statsformat_xml, writer,
+			NULL, resstats_xmldesc, dns_resstatscounter_max,
+			resstats_index, resstat_values, 0);
+		if (result != ISC_R_SUCCESS) {
+			goto error;
+		}
+		TRY0(xmlTextWriterEndElement(writer)); /* resstat */
+
+#ifdef HAVE_DNSTAP
+		if (server->dtenv != NULL) {
+			isc_stats_t *dnstapstats = NULL;
+			TRY0(xmlTextWriterStartElement(writer,
+						       ISC_XMLCHAR "counters"));
+			TRY0(xmlTextWriterWriteAttribute(writer,
+							 ISC_XMLCHAR "type",
+							 ISC_XMLCHAR "dnstap"));
+			dns_dt_getstats(named_g_server->dtenv, &dnstapstats);
+			result = dump_counters(
+				dnstapstats, isc_statsformat_xml, writer, NULL,
+				dnstapstats_xmldesc, dns_dnstapcounter_max,
+				dnstapstats_index, dnstapstat_values, 0);
+			isc_stats_detach(&dnstapstats);
+			if (result != ISC_R_SUCCESS) {
+				goto error;
+			}
+			TRY0(xmlTextWriterEndElement(writer)); /* dnstap */
+		}
+#endif /* ifdef HAVE_DNSTAP */
+	}
+
+	if ((flags & STATS_XML_NET) != 0) {
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
+		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
+						 ISC_XMLCHAR "sockstat"));
+
+		result = dump_counters(server->sockstats, isc_statsformat_xml,
+				       writer, NULL, sockstats_xmldesc,
+				       isc_sockstatscounter_max,
+				       sockstats_index, sockstat_values,
+				       ISC_STATSDUMP_VERBOSE);
+		if (result != ISC_R_SUCCESS) {
+			goto error;
+		}
+
+		TRY0(xmlTextWriterEndElement(writer)); /* /sockstat */
+	}
+	TRY0(xmlTextWriterEndElement(writer)); /* /server */
+
+	if ((flags & STATS_XML_TRAFFIC) != 0) {
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "traffic"));
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "ipv4"));
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "udp"));
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
+		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
+						 ISC_XMLCHAR "request-size"));
+
+		result = dump_counters(
+			server->sctx->udpinstats4, isc_statsformat_xml, writer,
+			NULL, udpinsizestats_xmldesc, dns_sizecounter_in_max,
+			udpinsizestats_index, udpinsizestat_values, 0);
+		if (result != ISC_R_SUCCESS) {
+			goto error;
+		}
+
+		TRY0(xmlTextWriterEndElement(writer)); /* </counters> */
+
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
+		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
+						 ISC_XMLCHAR "response-size"));
+
+		result = dump_counters(
+			server->sctx->udpoutstats4, isc_statsformat_xml, writer,
+			NULL, udpoutsizestats_xmldesc, dns_sizecounter_out_max,
+			udpoutsizestats_index, udpoutsizestat_values, 0);
+		if (result != ISC_R_SUCCESS) {
+			goto error;
+		}
+
+		TRY0(xmlTextWriterEndElement(writer)); /* </counters> */
+		TRY0(xmlTextWriterEndElement(writer)); /* </udp> */
+
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "tcp"));
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
+		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
+						 ISC_XMLCHAR "request-size"));
+
+		result = dump_counters(
+			server->sctx->tcpinstats4, isc_statsformat_xml, writer,
+			NULL, tcpinsizestats_xmldesc, dns_sizecounter_in_max,
+			tcpinsizestats_index, tcpinsizestat_values, 0);
+		if (result != ISC_R_SUCCESS) {
+			goto error;
+		}
+
+		TRY0(xmlTextWriterEndElement(writer)); /* </counters> */
+
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
+		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
+						 ISC_XMLCHAR "response-size"));
+
+		result = dump_counters(
+			server->sctx->tcpoutstats4, isc_statsformat_xml, writer,
+			NULL, tcpoutsizestats_xmldesc, dns_sizecounter_out_max,
+			tcpoutsizestats_index, tcpoutsizestat_values, 0);
+		if (result != ISC_R_SUCCESS) {
+			goto error;
+		}
+
+		TRY0(xmlTextWriterEndElement(writer)); /* </counters> */
+		TRY0(xmlTextWriterEndElement(writer)); /* </tcp> */
+		TRY0(xmlTextWriterEndElement(writer)); /* </ipv4> */
+
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "ipv6"));
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "udp"));
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
+		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
+						 ISC_XMLCHAR "request-size"));
+
+		result = dump_counters(
+			server->sctx->udpinstats6, isc_statsformat_xml, writer,
+			NULL, udpinsizestats_xmldesc, dns_sizecounter_in_max,
+			udpinsizestats_index, udpinsizestat_values, 0);
+		if (result != ISC_R_SUCCESS) {
+			goto error;
+		}
+
+		TRY0(xmlTextWriterEndElement(writer)); /* </counters> */
+
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
+		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
+						 ISC_XMLCHAR "response-size"));
+
+		result = dump_counters(
+			server->sctx->udpoutstats6, isc_statsformat_xml, writer,
+			NULL, udpoutsizestats_xmldesc, dns_sizecounter_out_max,
+			udpoutsizestats_index, udpoutsizestat_values, 0);
+		if (result != ISC_R_SUCCESS) {
+			goto error;
+		}
+
+		TRY0(xmlTextWriterEndElement(writer)); /* </counters> */
+		TRY0(xmlTextWriterEndElement(writer)); /* </udp> */
+
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "tcp"));
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
+		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
+						 ISC_XMLCHAR "request-size"));
+
+		result = dump_counters(
+			server->sctx->tcpinstats6, isc_statsformat_xml, writer,
+			NULL, tcpinsizestats_xmldesc, dns_sizecounter_in_max,
+			tcpinsizestats_index, tcpinsizestat_values, 0);
+		if (result != ISC_R_SUCCESS) {
+			goto error;
+		}
+
+		TRY0(xmlTextWriterEndElement(writer)); /* </counters> */
+
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
+		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
+						 ISC_XMLCHAR "response-size"));
+
+		result = dump_counters(
+			server->sctx->tcpoutstats6, isc_statsformat_xml, writer,
+			NULL, tcpoutsizestats_xmldesc, dns_sizecounter_out_max,
+			tcpoutsizestats_index, tcpoutsizestat_values, 0);
+		if (result != ISC_R_SUCCESS) {
+			goto error;
+		}
+
+		TRY0(xmlTextWriterEndElement(writer)); /* </counters> */
+		TRY0(xmlTextWriterEndElement(writer)); /* </tcp> */
+		TRY0(xmlTextWriterEndElement(writer)); /* </ipv6> */
+		TRY0(xmlTextWriterEndElement(writer)); /* </traffic> */
+	}
+
+	/*
+	 * Render views.  For each view we know of, call its
+	 * rendering function.
+	 */
+	view = ISC_LIST_HEAD(server->viewlist);
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "views"));
+	while (view != NULL &&
+	       ((flags & (STATS_XML_SERVER | STATS_XML_ZONES)) != 0))
+	{
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "view"));
+		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "name",
+						 ISC_XMLCHAR view->name));
+
+		if ((flags & STATS_XML_ZONES) != 0) {
+			TRY0(xmlTextWriterStartElement(writer,
+						       ISC_XMLCHAR "zones"));
+			CHECK(dns_zt_apply(view->zonetable, isc_rwlocktype_read,
+					   true, NULL, zone_xmlrender, writer));
+			TRY0(xmlTextWriterEndElement(writer)); /* /zones */
+		}
+
+		if ((flags & STATS_XML_SERVER) == 0) {
+			TRY0(xmlTextWriterEndElement(writer)); /* /view */
+			view = ISC_LIST_NEXT(view, link);
+			continue;
+		}
+
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
+		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
+						 ISC_XMLCHAR "resqtype"));
+
+		if (view->resquerystats != NULL) {
+			dumparg.result = ISC_R_SUCCESS;
+			dns_rdatatypestats_dump(view->resquerystats,
+						rdtypestat_dump, &dumparg, 0);
+			if (dumparg.result != ISC_R_SUCCESS) {
+				goto error;
+			}
+		}
+		TRY0(xmlTextWriterEndElement(writer));
+
+		/* <resstats> */
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
+		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
+						 ISC_XMLCHAR "resstats"));
+		if (view->resstats != NULL) {
+			result = dump_counters(
+				view->resstats, isc_statsformat_xml, writer,
+				NULL, resstats_xmldesc, dns_resstatscounter_max,
+				resstats_index, resstat_values,
+				ISC_STATSDUMP_VERBOSE);
+			if (result != ISC_R_SUCCESS) {
+				goto error;
+			}
+		}
+		TRY0(xmlTextWriterEndElement(writer)); /* </resstats> */
+
+		cacherrstats = dns_db_getrrsetstats(view->cachedb);
+		if (cacherrstats != NULL) {
+			TRY0(xmlTextWriterStartElement(writer,
+						       ISC_XMLCHAR "cache"));
+			TRY0(xmlTextWriterWriteAttribute(
+				writer, ISC_XMLCHAR "name",
+				ISC_XMLCHAR dns_cache_getname(view->cache)));
+			dumparg.result = ISC_R_SUCCESS;
+			dns_rdatasetstats_dump(cacherrstats, rdatasetstats_dump,
+					       &dumparg, 0);
+			if (dumparg.result != ISC_R_SUCCESS) {
+				goto error;
+			}
+			TRY0(xmlTextWriterEndElement(writer)); /* cache */
+		}
+
+		/* <adbstats> */
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
+		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
+						 ISC_XMLCHAR "adbstat"));
+		if (view->adbstats != NULL) {
+			result = dump_counters(
+				view->adbstats, isc_statsformat_xml, writer,
+				NULL, adbstats_xmldesc, dns_adbstats_max,
+				adbstats_index, adbstat_values,
+				ISC_STATSDUMP_VERBOSE);
+			if (result != ISC_R_SUCCESS) {
+				goto error;
+			}
+		}
+		TRY0(xmlTextWriterEndElement(writer)); /* </adbstats> */
+
+		/* <cachestats> */
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
+		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
+						 ISC_XMLCHAR "cachestats"));
+		TRY0(dns_cache_renderxml(view->cache, writer));
+		TRY0(xmlTextWriterEndElement(writer)); /* </cachestats> */
+
+		TRY0(xmlTextWriterEndElement(writer)); /* view */
+
+		view = ISC_LIST_NEXT(view, link);
+	}
+	TRY0(xmlTextWriterEndElement(writer)); /* /views */
+
+	if ((flags & STATS_XML_NET) != 0) {
+		TRY0(xmlTextWriterStartElement(writer,
+					       ISC_XMLCHAR "socketmgr"));
+		TRY0(isc_socketmgr_renderxml(named_g_socketmgr, writer));
+		TRY0(xmlTextWriterEndElement(writer)); /* /socketmgr */
+	}
+
+	if ((flags & STATS_XML_TASKS) != 0) {
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "taskmgr"));
+		TRY0(isc_taskmgr_renderxml(named_g_taskmgr, writer));
+		TRY0(xmlTextWriterEndElement(writer)); /* /taskmgr */
+	}
+
+	if ((flags & STATS_XML_MEM) != 0) {
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "memory"));
+		TRY0(isc_mem_renderxml(writer));
+		TRY0(xmlTextWriterEndElement(writer)); /* /memory */
+	}
+
+	TRY0(xmlTextWriterEndElement(writer)); /* /statistics */
+	TRY0(xmlTextWriterEndDocument(writer));
+
+	xmlDocDumpFormatMemoryEnc(doc, buf, buflen, "UTF-8", 0);
+	if (*buf == NULL) {
+		goto error;
+	}
+
+	xmlFreeTextWriter(writer);
+	xmlFreeDoc(doc);
+	return (ISC_R_SUCCESS);
+
+error:
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+		      "failed generating XML response");
+	if (writer != NULL) {
+		xmlFreeTextWriter(writer);
+	}
+	if (doc != NULL) {
+		xmlFreeDoc(doc);
+	}
+	return (ISC_R_FAILURE);
+}
+
+static void
+wrap_xmlfree(isc_buffer_t *buffer, void *arg) {
+	UNUSED(arg);
+
+	xmlFree(isc_buffer_base(buffer));
+}
+
+static isc_result_t
+render_xml(uint32_t flags, const char *url, isc_httpdurl_t *urlinfo,
+	   const char *querystring, const char *headers, void *arg,
+	   unsigned int *retcode, const char **retmsg, const char **mimetype,
+	   isc_buffer_t *b, isc_httpdfree_t **freecb, void **freecb_args) {
+	unsigned char *msg = NULL;
+	int msglen;
+	named_server_t *server = arg;
+	isc_result_t result;
+
+	UNUSED(url);
+	UNUSED(urlinfo);
+	UNUSED(headers);
+	UNUSED(querystring);
+
+	result = generatexml(server, flags, &msglen, &msg);
+
+	if (result == ISC_R_SUCCESS) {
+		*retcode = 200;
+		*retmsg = "OK";
+		*mimetype = "text/xml";
+		isc_buffer_reinit(b, msg, msglen);
+		isc_buffer_add(b, msglen);
+		*freecb = wrap_xmlfree;
+		*freecb_args = NULL;
+	} else {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+			      "failed at rendering XML()");
+	}
+
+	return (result);
+}
+
+static isc_result_t
+render_xml_all(const char *url, isc_httpdurl_t *urlinfo,
+	       const char *querystring, const char *headers, void *arg,
+	       unsigned int *retcode, const char **retmsg,
+	       const char **mimetype, isc_buffer_t *b, isc_httpdfree_t **freecb,
+	       void **freecb_args) {
+	return (render_xml(STATS_XML_ALL, url, urlinfo, querystring, headers,
+			   arg, retcode, retmsg, mimetype, b, freecb,
+			   freecb_args));
+}
+
+static isc_result_t
+render_xml_status(const char *url, isc_httpdurl_t *urlinfo,
+		  const char *querystring, const char *headers, void *arg,
+		  unsigned int *retcode, const char **retmsg,
+		  const char **mimetype, isc_buffer_t *b,
+		  isc_httpdfree_t **freecb, void **freecb_args) {
+	return (render_xml(STATS_XML_STATUS, url, urlinfo, querystring, headers,
+			   arg, retcode, retmsg, mimetype, b, freecb,
+			   freecb_args));
+}
+
+static isc_result_t
+render_xml_server(const char *url, isc_httpdurl_t *urlinfo,
+		  const char *querystring, const char *headers, void *arg,
+		  unsigned int *retcode, const char **retmsg,
+		  const char **mimetype, isc_buffer_t *b,
+		  isc_httpdfree_t **freecb, void **freecb_args) {
+	return (render_xml(STATS_XML_SERVER, url, urlinfo, querystring, headers,
+			   arg, retcode, retmsg, mimetype, b, freecb,
+			   freecb_args));
+}
+
+static isc_result_t
+render_xml_zones(const char *url, isc_httpdurl_t *urlinfo,
+		 const char *querystring, const char *headers, void *arg,
+		 unsigned int *retcode, const char **retmsg,
+		 const char **mimetype, isc_buffer_t *b,
+		 isc_httpdfree_t **freecb, void **freecb_args) {
+	return (render_xml(STATS_XML_ZONES, url, urlinfo, querystring, headers,
+			   arg, retcode, retmsg, mimetype, b, freecb,
+			   freecb_args));
+}
+
+static isc_result_t
+render_xml_net(const char *url, isc_httpdurl_t *urlinfo,
+	       const char *querystring, const char *headers, void *arg,
+	       unsigned int *retcode, const char **retmsg,
+	       const char **mimetype, isc_buffer_t *b, isc_httpdfree_t **freecb,
+	       void **freecb_args) {
+	return (render_xml(STATS_XML_NET, url, urlinfo, querystring, headers,
+			   arg, retcode, retmsg, mimetype, b, freecb,
+			   freecb_args));
+}
+
+static isc_result_t
+render_xml_tasks(const char *url, isc_httpdurl_t *urlinfo,
+		 const char *querystring, const char *headers, void *arg,
+		 unsigned int *retcode, const char **retmsg,
+		 const char **mimetype, isc_buffer_t *b,
+		 isc_httpdfree_t **freecb, void **freecb_args) {
+	return (render_xml(STATS_XML_TASKS, url, urlinfo, querystring, headers,
+			   arg, retcode, retmsg, mimetype, b, freecb,
+			   freecb_args));
+}
+
+static isc_result_t
+render_xml_mem(const char *url, isc_httpdurl_t *urlinfo,
+	       const char *querystring, const char *headers, void *arg,
+	       unsigned int *retcode, const char **retmsg,
+	       const char **mimetype, isc_buffer_t *b, isc_httpdfree_t **freecb,
+	       void **freecb_args) {
+	return (render_xml(STATS_XML_MEM, url, urlinfo, querystring, headers,
+			   arg, retcode, retmsg, mimetype, b, freecb,
+			   freecb_args));
+}
+
+static isc_result_t
+render_xml_traffic(const char *url, isc_httpdurl_t *urlinfo,
+		   const char *querystring, const char *headers, void *arg,
+		   unsigned int *retcode, const char **retmsg,
+		   const char **mimetype, isc_buffer_t *b,
+		   isc_httpdfree_t **freecb, void **freecb_args) {
+	return (render_xml(STATS_XML_TRAFFIC, url, urlinfo, querystring,
+			   headers, arg, retcode, retmsg, mimetype, b, freecb,
+			   freecb_args));
+}
+
+#endif /* HAVE_LIBXML2 */
+
+#ifdef HAVE_JSON_C
+/*
+ * Which statistics to include when rendering to JSON
+ */
+#define STATS_JSON_STATUS  0x00 /* display only common statistics */
+#define STATS_JSON_SERVER  0x01
+#define STATS_JSON_ZONES   0x02
+#define STATS_JSON_TASKS   0x04
+#define STATS_JSON_NET	   0x08
+#define STATS_JSON_MEM	   0x10
+#define STATS_JSON_TRAFFIC 0x20
+#define STATS_JSON_ALL	   0xff
+
+#define CHECKMEM(m)                              \
+	do {                                     \
+		if (m == NULL) {                 \
+			result = ISC_R_NOMEMORY; \
+			goto error;              \
+		}                                \
+	} while (0)
+
+static void
+wrap_jsonfree(isc_buffer_t *buffer, void *arg) {
+	json_object_put(isc_buffer_base(buffer));
+	if (arg != NULL) {
+		json_object_put((json_object *)arg);
+	}
+}
+
+static json_object *
+addzone(char *name, char *classname, const char *ztype, uint32_t serial,
+	bool add_serial) {
+	json_object *node = json_object_new_object();
+
+	if (node == NULL) {
+		return (NULL);
+	}
+
+	json_object_object_add(node, "name", json_object_new_string(name));
+	json_object_object_add(node, "class",
+			       json_object_new_string(classname));
+	if (add_serial) {
+		json_object_object_add(node, "serial",
+				       json_object_new_int64(serial));
+	}
+	if (ztype != NULL) {
+		json_object_object_add(node, "type",
+				       json_object_new_string(ztype));
+	}
+	return (node);
+}
+
+static isc_result_t
+zone_jsonrender(dns_zone_t *zone, void *arg) {
+	isc_result_t result = ISC_R_SUCCESS;
+	char buf[1024 + 32]; /* sufficiently large for zone name and class */
+	char classbuf[64];   /* sufficiently large for class */
+	char *zone_name_only = NULL;
+	char *class_only = NULL;
+	dns_rdataclass_t rdclass;
+	uint32_t serial;
+	json_object *zonearray = (json_object *)arg;
+	json_object *zoneobj = NULL;
+	dns_zonestat_level_t statlevel;
+
+	statlevel = dns_zone_getstatlevel(zone);
+	if (statlevel == dns_zonestat_none) {
+		return (ISC_R_SUCCESS);
+	}
+
+	dns_zone_nameonly(zone, buf, sizeof(buf));
+	zone_name_only = buf;
+
+	rdclass = dns_zone_getclass(zone);
+	dns_rdataclass_format(rdclass, classbuf, sizeof(classbuf));
+	class_only = classbuf;
+
+	if (dns_zone_getserial(zone, &serial) != ISC_R_SUCCESS) {
+		zoneobj = addzone(zone_name_only, class_only,
+				  user_zonetype(zone), 0, false);
+	} else {
+		zoneobj = addzone(zone_name_only, class_only,
+				  user_zonetype(zone), serial, true);
+	}
+
+	if (zoneobj == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	/*
+	 * Export zone timers to the statistics channel in JSON format.  For
+	 * master zones, only include the loaded time.  For slave zones, also
+	 * include the expires and refresh times.
+	 */
+
+	isc_time_t timestamp;
+
+	result = dns_zone_getloadtime(zone, &timestamp);
+	if (result != ISC_R_SUCCESS) {
+		goto error;
+	}
+
+	isc_time_formatISO8601(&timestamp, buf, 64);
+	json_object_object_add(zoneobj, "loaded", json_object_new_string(buf));
+
+	if (dns_zone_gettype(zone) == dns_zone_secondary) {
+		result = dns_zone_getexpiretime(zone, &timestamp);
+		if (result != ISC_R_SUCCESS) {
+			goto error;
+		}
+		isc_time_formatISO8601(&timestamp, buf, 64);
+		json_object_object_add(zoneobj, "expires",
+				       json_object_new_string(buf));
+
+		result = dns_zone_getrefreshtime(zone, &timestamp);
+		if (result != ISC_R_SUCCESS) {
+			goto error;
+		}
+		isc_time_formatISO8601(&timestamp, buf, 64);
+		json_object_object_add(zoneobj, "refresh",
+				       json_object_new_string(buf));
+	}
+
+	if (statlevel == dns_zonestat_full) {
+		isc_stats_t *zonestats;
+		isc_stats_t *gluecachestats;
+		dns_stats_t *rcvquerystats;
+		dns_stats_t *dnssecsignstats;
+		uint64_t nsstat_values[ns_statscounter_max];
+		uint64_t gluecachestats_values[dns_gluecachestatscounter_max];
+
+		zonestats = dns_zone_getrequeststats(zone);
+		if (zonestats != NULL) {
+			json_object *counters = json_object_new_object();
+			if (counters == NULL) {
+				result = ISC_R_NOMEMORY;
+				goto error;
+			}
+
+			result = dump_counters(zonestats, isc_statsformat_json,
+					       counters, NULL, nsstats_xmldesc,
+					       ns_statscounter_max,
+					       nsstats_index, nsstat_values, 0);
+			if (result != ISC_R_SUCCESS) {
+				json_object_put(counters);
+				goto error;
+			}
+
+			if (json_object_get_object(counters)->count != 0) {
+				json_object_object_add(zoneobj, "rcodes",
+						       counters);
+			} else {
+				json_object_put(counters);
+			}
+		}
+
+		gluecachestats = dns_zone_getgluecachestats(zone);
+		if (gluecachestats != NULL) {
+			json_object *counters = json_object_new_object();
+			if (counters == NULL) {
+				result = ISC_R_NOMEMORY;
+				goto error;
+			}
+
+			result = dump_counters(
+				gluecachestats, isc_statsformat_json, counters,
+				NULL, gluecachestats_xmldesc,
+				dns_gluecachestatscounter_max,
+				gluecachestats_index, gluecachestats_values, 0);
+			if (result != ISC_R_SUCCESS) {
+				json_object_put(counters);
+				goto error;
+			}
+
+			if (json_object_get_object(counters)->count != 0) {
+				json_object_object_add(zoneobj, "gluecache",
+						       counters);
+			} else {
+				json_object_put(counters);
+			}
+		}
+
+		rcvquerystats = dns_zone_getrcvquerystats(zone);
+		if (rcvquerystats != NULL) {
+			stats_dumparg_t dumparg;
+			json_object *counters = json_object_new_object();
+			CHECKMEM(counters);
+
+			dumparg.type = isc_statsformat_json;
+			dumparg.arg = counters;
+			dumparg.result = ISC_R_SUCCESS;
+			dns_rdatatypestats_dump(rcvquerystats, rdtypestat_dump,
+						&dumparg, 0);
+			if (dumparg.result != ISC_R_SUCCESS) {
+				json_object_put(counters);
+				goto error;
+			}
+
+			if (json_object_get_object(counters)->count != 0) {
+				json_object_object_add(zoneobj, "qtypes",
+						       counters);
+			} else {
+				json_object_put(counters);
+			}
+		}
+
+		dnssecsignstats = dns_zone_getdnssecsignstats(zone);
+		if (dnssecsignstats != NULL) {
+			stats_dumparg_t dumparg;
+			json_object *sign_counters = json_object_new_object();
+			CHECKMEM(sign_counters);
+
+			dumparg.type = isc_statsformat_json;
+			dumparg.arg = sign_counters;
+			dumparg.result = ISC_R_SUCCESS;
+			dns_dnssecsignstats_dump(
+				dnssecsignstats, dns_dnssecsignstats_sign,
+				dnssecsignstat_dump, &dumparg, 0);
+			if (dumparg.result != ISC_R_SUCCESS) {
+				json_object_put(sign_counters);
+				goto error;
+			}
+
+			if (json_object_get_object(sign_counters)->count != 0) {
+				json_object_object_add(zoneobj, "dnssec-sign",
+						       sign_counters);
+			} else {
+				json_object_put(sign_counters);
+			}
+
+			json_object *refresh_counters =
+				json_object_new_object();
+			CHECKMEM(refresh_counters);
+
+			dumparg.type = isc_statsformat_json;
+			dumparg.arg = refresh_counters;
+			dumparg.result = ISC_R_SUCCESS;
+			dns_dnssecsignstats_dump(
+				dnssecsignstats, dns_dnssecsignstats_refresh,
+				dnssecsignstat_dump, &dumparg, 0);
+			if (dumparg.result != ISC_R_SUCCESS) {
+				json_object_put(refresh_counters);
+				goto error;
+			}
+
+			if (json_object_get_object(refresh_counters)->count !=
+			    0)
+			{
+				json_object_object_add(zoneobj,
+						       "dnssec-refresh",
+						       refresh_counters);
+			} else {
+				json_object_put(refresh_counters);
+			}
+		}
+	}
+
+	json_object_array_add(zonearray, zoneobj);
+	zoneobj = NULL;
+	result = ISC_R_SUCCESS;
+
+error:
+	if (zoneobj != NULL) {
+		json_object_put(zoneobj);
+	}
+	return (result);
+}
+
+static isc_result_t
+generatejson(named_server_t *server, size_t *msglen, const char **msg,
+	     json_object **rootp, uint32_t flags) {
+	dns_view_t *view;
+	isc_result_t result = ISC_R_SUCCESS;
+	json_object *bindstats, *viewlist, *counters, *obj;
+	json_object *traffic = NULL;
+	json_object *udpreq4 = NULL, *udpresp4 = NULL;
+	json_object *tcpreq4 = NULL, *tcpresp4 = NULL;
+	json_object *udpreq6 = NULL, *udpresp6 = NULL;
+	json_object *tcpreq6 = NULL, *tcpresp6 = NULL;
+	uint64_t nsstat_values[ns_statscounter_max];
+	uint64_t resstat_values[dns_resstatscounter_max];
+	uint64_t adbstat_values[dns_adbstats_max];
+	uint64_t zonestat_values[dns_zonestatscounter_max];
+	uint64_t sockstat_values[isc_sockstatscounter_max];
+	uint64_t udpinsizestat_values[dns_sizecounter_in_max];
+	uint64_t udpoutsizestat_values[dns_sizecounter_out_max];
+	uint64_t tcpinsizestat_values[dns_sizecounter_in_max];
+	uint64_t tcpoutsizestat_values[dns_sizecounter_out_max];
+#ifdef HAVE_DNSTAP
+	uint64_t dnstapstat_values[dns_dnstapcounter_max];
+#endif /* ifdef HAVE_DNSTAP */
+	stats_dumparg_t dumparg;
+	char boottime[sizeof "yyyy-mm-ddThh:mm:ss.sssZ"];
+	char configtime[sizeof "yyyy-mm-ddThh:mm:ss.sssZ"];
+	char nowstr[sizeof "yyyy-mm-ddThh:mm:ss.sssZ"];
+	isc_time_t now;
+
+	REQUIRE(msglen != NULL);
+	REQUIRE(msg != NULL && *msg == NULL);
+	REQUIRE(rootp == NULL || *rootp == NULL);
+
+	bindstats = json_object_new_object();
+	if (bindstats == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	/*
+	 * These statistics are included no matter which URL we use.
+	 */
+	obj = json_object_new_string("1.5.1");
+	CHECKMEM(obj);
+	json_object_object_add(bindstats, "json-stats-version", obj);
+
+	isc_time_now(&now);
+	isc_time_formatISO8601ms(&named_g_boottime, boottime, sizeof(boottime));
+	isc_time_formatISO8601ms(&named_g_configtime, configtime,
+				 sizeof configtime);
+	isc_time_formatISO8601ms(&now, nowstr, sizeof(nowstr));
+
+	obj = json_object_new_string(boottime);
+	CHECKMEM(obj);
+	json_object_object_add(bindstats, "boot-time", obj);
+
+	obj = json_object_new_string(configtime);
+	CHECKMEM(obj);
+	json_object_object_add(bindstats, "config-time", obj);
+
+	obj = json_object_new_string(nowstr);
+	CHECKMEM(obj);
+	json_object_object_add(bindstats, "current-time", obj);
+	obj = json_object_new_string(named_g_version);
+	CHECKMEM(obj);
+	json_object_object_add(bindstats, "version", obj);
+
+	if ((flags & STATS_JSON_SERVER) != 0) {
+		/* OPCODE counters */
+		counters = json_object_new_object();
+
+		dumparg.result = ISC_R_SUCCESS;
+		dumparg.type = isc_statsformat_json;
+		dumparg.arg = counters;
+
+		dns_opcodestats_dump(server->sctx->opcodestats, opcodestat_dump,
+				     &dumparg, ISC_STATSDUMP_VERBOSE);
+		if (dumparg.result != ISC_R_SUCCESS) {
+			json_object_put(counters);
+			goto error;
+		}
+
+		if (json_object_get_object(counters)->count != 0) {
+			json_object_object_add(bindstats, "opcodes", counters);
+		} else {
+			json_object_put(counters);
+		}
+
+		/* OPCODE counters */
+		counters = json_object_new_object();
+
+		dumparg.type = isc_statsformat_json;
+		dumparg.arg = counters;
+
+		dns_rcodestats_dump(server->sctx->rcodestats, rcodestat_dump,
+				    &dumparg, ISC_STATSDUMP_VERBOSE);
+		if (dumparg.result != ISC_R_SUCCESS) {
+			json_object_put(counters);
+			goto error;
+		}
+
+		if (json_object_get_object(counters)->count != 0) {
+			json_object_object_add(bindstats, "rcodes", counters);
+		} else {
+			json_object_put(counters);
+		}
+
+		/* QTYPE counters */
+		counters = json_object_new_object();
+
+		dumparg.result = ISC_R_SUCCESS;
+		dumparg.arg = counters;
+
+		dns_rdatatypestats_dump(server->sctx->rcvquerystats,
+					rdtypestat_dump, &dumparg, 0);
+		if (dumparg.result != ISC_R_SUCCESS) {
+			json_object_put(counters);
+			goto error;
+		}
+
+		if (json_object_get_object(counters)->count != 0) {
+			json_object_object_add(bindstats, "qtypes", counters);
+		} else {
+			json_object_put(counters);
+		}
+
+		/* server stat counters */
+		counters = json_object_new_object();
+
+		dumparg.result = ISC_R_SUCCESS;
+		dumparg.arg = counters;
+
+		result = dump_counters(ns_stats_get(server->sctx->nsstats),
+				       isc_statsformat_json, counters, NULL,
+				       nsstats_xmldesc, ns_statscounter_max,
+				       nsstats_index, nsstat_values, 0);
+		if (result != ISC_R_SUCCESS) {
+			json_object_put(counters);
+			goto error;
+		}
+
+		if (json_object_get_object(counters)->count != 0) {
+			json_object_object_add(bindstats, "nsstats", counters);
+		} else {
+			json_object_put(counters);
+		}
+
+		/* zone stat counters */
+		counters = json_object_new_object();
+
+		dumparg.result = ISC_R_SUCCESS;
+		dumparg.arg = counters;
+
+		result = dump_counters(server->zonestats, isc_statsformat_json,
+				       counters, NULL, zonestats_xmldesc,
+				       dns_zonestatscounter_max,
+				       zonestats_index, zonestat_values, 0);
+		if (result != ISC_R_SUCCESS) {
+			json_object_put(counters);
+			goto error;
+		}
+
+		if (json_object_get_object(counters)->count != 0) {
+			json_object_object_add(bindstats, "zonestats",
+					       counters);
+		} else {
+			json_object_put(counters);
+		}
+
+		/* resolver stat counters */
+		counters = json_object_new_object();
+
+		dumparg.result = ISC_R_SUCCESS;
+		dumparg.arg = counters;
+
+		result = dump_counters(
+			server->resolverstats, isc_statsformat_json, counters,
+			NULL, resstats_xmldesc, dns_resstatscounter_max,
+			resstats_index, resstat_values, 0);
+		if (result != ISC_R_SUCCESS) {
+			json_object_put(counters);
+			goto error;
+		}
+
+		if (json_object_get_object(counters)->count != 0) {
+			json_object_object_add(bindstats, "resstats", counters);
+		} else {
+			json_object_put(counters);
+		}
+
+#ifdef HAVE_DNSTAP
+		/* dnstap stat counters */
+		if (named_g_server->dtenv != NULL) {
+			isc_stats_t *dnstapstats = NULL;
+			dns_dt_getstats(named_g_server->dtenv, &dnstapstats);
+			counters = json_object_new_object();
+			dumparg.result = ISC_R_SUCCESS;
+			dumparg.arg = counters;
+			result = dump_counters(
+				dnstapstats, isc_statsformat_json, counters,
+				NULL, dnstapstats_xmldesc,
+				dns_dnstapcounter_max, dnstapstats_index,
+				dnstapstat_values, 0);
+			isc_stats_detach(&dnstapstats);
+			if (result != ISC_R_SUCCESS) {
+				json_object_put(counters);
+				goto error;
+			}
+
+			if (json_object_get_object(counters)->count != 0) {
+				json_object_object_add(bindstats, "dnstapstats",
+						       counters);
+			} else {
+				json_object_put(counters);
+			}
+		}
+#endif /* ifdef HAVE_DNSTAP */
+	}
+
+	if ((flags & (STATS_JSON_ZONES | STATS_JSON_SERVER)) != 0) {
+		viewlist = json_object_new_object();
+		CHECKMEM(viewlist);
+
+		json_object_object_add(bindstats, "views", viewlist);
+
+		view = ISC_LIST_HEAD(server->viewlist);
+		while (view != NULL) {
+			json_object *za, *v = json_object_new_object();
+
+			CHECKMEM(v);
+			json_object_object_add(viewlist, view->name, v);
+
+			za = json_object_new_array();
+			CHECKMEM(za);
+
+			if ((flags & STATS_JSON_ZONES) != 0) {
+				CHECK(dns_zt_apply(view->zonetable,
+						   isc_rwlocktype_read, true,
+						   NULL, zone_jsonrender, za));
+			}
+
+			if (json_object_array_length(za) != 0) {
+				json_object_object_add(v, "zones", za);
+			} else {
+				json_object_put(za);
+			}
+
+			if ((flags & STATS_JSON_SERVER) != 0) {
+				json_object *res;
+				dns_stats_t *dstats;
+				isc_stats_t *istats;
+
+				res = json_object_new_object();
+				CHECKMEM(res);
+				json_object_object_add(v, "resolver", res);
+
+				istats = view->resstats;
+				if (istats != NULL) {
+					counters = json_object_new_object();
+					CHECKMEM(counters);
+
+					result = dump_counters(
+						istats, isc_statsformat_json,
+						counters, NULL,
+						resstats_xmldesc,
+						dns_resstatscounter_max,
+						resstats_index, resstat_values,
+						0);
+					if (result != ISC_R_SUCCESS) {
+						json_object_put(counters);
+						result = dumparg.result;
+						goto error;
+					}
+
+					json_object_object_add(res, "stats",
+							       counters);
+				}
+
+				dstats = view->resquerystats;
+				if (dstats != NULL) {
+					counters = json_object_new_object();
+					CHECKMEM(counters);
+
+					dumparg.arg = counters;
+					dumparg.result = ISC_R_SUCCESS;
+					dns_rdatatypestats_dump(dstats,
+								rdtypestat_dump,
+								&dumparg, 0);
+					if (dumparg.result != ISC_R_SUCCESS) {
+						json_object_put(counters);
+						result = dumparg.result;
+						goto error;
+					}
+
+					json_object_object_add(res, "qtypes",
+							       counters);
+				}
+
+				dstats = dns_db_getrrsetstats(view->cachedb);
+				if (dstats != NULL) {
+					counters = json_object_new_object();
+					CHECKMEM(counters);
+
+					dumparg.arg = counters;
+					dumparg.result = ISC_R_SUCCESS;
+					dns_rdatasetstats_dump(
+						dstats, rdatasetstats_dump,
+						&dumparg, 0);
+					if (dumparg.result != ISC_R_SUCCESS) {
+						json_object_put(counters);
+						result = dumparg.result;
+						goto error;
+					}
+
+					json_object_object_add(res, "cache",
+							       counters);
+				}
+
+				counters = json_object_new_object();
+				CHECKMEM(counters);
+
+				result = dns_cache_renderjson(view->cache,
+							      counters);
+				if (result != ISC_R_SUCCESS) {
+					json_object_put(counters);
+					goto error;
+				}
+
+				json_object_object_add(res, "cachestats",
+						       counters);
+
+				istats = view->adbstats;
+				if (istats != NULL) {
+					counters = json_object_new_object();
+					CHECKMEM(counters);
+
+					result = dump_counters(
+						istats, isc_statsformat_json,
+						counters, NULL,
+						adbstats_xmldesc,
+						dns_adbstats_max,
+						adbstats_index, adbstat_values,
+						0);
+					if (result != ISC_R_SUCCESS) {
+						json_object_put(counters);
+						result = dumparg.result;
+						goto error;
+					}
+
+					json_object_object_add(res, "adb",
+							       counters);
+				}
+			}
+
+			view = ISC_LIST_NEXT(view, link);
+		}
+	}
+
+	if ((flags & STATS_JSON_NET) != 0) {
+		/* socket stat counters */
+		json_object *sockets;
+		counters = json_object_new_object();
+
+		dumparg.result = ISC_R_SUCCESS;
+		dumparg.arg = counters;
+
+		result = dump_counters(server->sockstats, isc_statsformat_json,
+				       counters, NULL, sockstats_xmldesc,
+				       isc_sockstatscounter_max,
+				       sockstats_index, sockstat_values, 0);
+		if (result != ISC_R_SUCCESS) {
+			json_object_put(counters);
+			goto error;
+		}
+
+		if (json_object_get_object(counters)->count != 0) {
+			json_object_object_add(bindstats, "sockstats",
+					       counters);
+		} else {
+			json_object_put(counters);
+		}
+
+		sockets = json_object_new_object();
+		CHECKMEM(sockets);
+
+		result = isc_socketmgr_renderjson(named_g_socketmgr, sockets);
+		if (result != ISC_R_SUCCESS) {
+			json_object_put(sockets);
+			goto error;
+		}
+
+		json_object_object_add(bindstats, "socketmgr", sockets);
+	}
+
+	if ((flags & STATS_JSON_TASKS) != 0) {
+		json_object *tasks = json_object_new_object();
+		CHECKMEM(tasks);
+
+		result = isc_taskmgr_renderjson(named_g_taskmgr, tasks);
+		if (result != ISC_R_SUCCESS) {
+			json_object_put(tasks);
+			goto error;
+		}
+
+		json_object_object_add(bindstats, "taskmgr", tasks);
+	}
+
+	if ((flags & STATS_JSON_MEM) != 0) {
+		json_object *memory = json_object_new_object();
+		CHECKMEM(memory);
+
+		result = isc_mem_renderjson(memory);
+		if (result != ISC_R_SUCCESS) {
+			json_object_put(memory);
+			goto error;
+		}
+
+		json_object_object_add(bindstats, "memory", memory);
+	}
+
+	if ((flags & STATS_JSON_TRAFFIC) != 0) {
+		traffic = json_object_new_object();
+		CHECKMEM(traffic);
+
+		udpreq4 = json_object_new_object();
+		CHECKMEM(udpreq4);
+
+		udpresp4 = json_object_new_object();
+		CHECKMEM(udpresp4);
+
+		tcpreq4 = json_object_new_object();
+		CHECKMEM(tcpreq4);
+
+		tcpresp4 = json_object_new_object();
+		CHECKMEM(tcpresp4);
+
+		udpreq6 = json_object_new_object();
+		CHECKMEM(udpreq6);
+
+		udpresp6 = json_object_new_object();
+		CHECKMEM(udpresp6);
+
+		tcpreq6 = json_object_new_object();
+		CHECKMEM(tcpreq6);
+
+		tcpresp6 = json_object_new_object();
+		CHECKMEM(tcpresp6);
+
+		CHECK(dump_counters(
+			server->sctx->udpinstats4, isc_statsformat_json,
+			udpreq4, NULL, udpinsizestats_xmldesc,
+			dns_sizecounter_in_max, udpinsizestats_index,
+			udpinsizestat_values, 0));
+
+		CHECK(dump_counters(
+			server->sctx->udpoutstats4, isc_statsformat_json,
+			udpresp4, NULL, udpoutsizestats_xmldesc,
+			dns_sizecounter_out_max, udpoutsizestats_index,
+			udpoutsizestat_values, 0));
+
+		CHECK(dump_counters(
+			server->sctx->tcpinstats4, isc_statsformat_json,
+			tcpreq4, NULL, tcpinsizestats_xmldesc,
+			dns_sizecounter_in_max, tcpinsizestats_index,
+			tcpinsizestat_values, 0));
+
+		CHECK(dump_counters(
+			server->sctx->tcpoutstats4, isc_statsformat_json,
+			tcpresp4, NULL, tcpoutsizestats_xmldesc,
+			dns_sizecounter_out_max, tcpoutsizestats_index,
+			tcpoutsizestat_values, 0));
+
+		CHECK(dump_counters(
+			server->sctx->udpinstats6, isc_statsformat_json,
+			udpreq6, NULL, udpinsizestats_xmldesc,
+			dns_sizecounter_in_max, udpinsizestats_index,
+			udpinsizestat_values, 0));
+
+		CHECK(dump_counters(
+			server->sctx->udpoutstats6, isc_statsformat_json,
+			udpresp6, NULL, udpoutsizestats_xmldesc,
+			dns_sizecounter_out_max, udpoutsizestats_index,
+			udpoutsizestat_values, 0));
+
+		CHECK(dump_counters(
+			server->sctx->tcpinstats6, isc_statsformat_json,
+			tcpreq6, NULL, tcpinsizestats_xmldesc,
+			dns_sizecounter_in_max, tcpinsizestats_index,
+			tcpinsizestat_values, 0));
+
+		CHECK(dump_counters(
+			server->sctx->tcpoutstats6, isc_statsformat_json,
+			tcpresp6, NULL, tcpoutsizestats_xmldesc,
+			dns_sizecounter_out_max, tcpoutsizestats_index,
+			tcpoutsizestat_values, 0));
+
+		json_object_object_add(traffic,
+				       "dns-udp-requests-sizes-received-ipv4",
+				       udpreq4);
+		json_object_object_add(
+			traffic, "dns-udp-responses-sizes-sent-ipv4", udpresp4);
+		json_object_object_add(traffic,
+				       "dns-tcp-requests-sizes-received-ipv4",
+				       tcpreq4);
+		json_object_object_add(
+			traffic, "dns-tcp-responses-sizes-sent-ipv4", tcpresp4);
+		json_object_object_add(traffic,
+				       "dns-udp-requests-sizes-received-ipv6",
+				       udpreq6);
+		json_object_object_add(
+			traffic, "dns-udp-responses-sizes-sent-ipv6", udpresp6);
+		json_object_object_add(traffic,
+				       "dns-tcp-requests-sizes-received-ipv6",
+				       tcpreq6);
+		json_object_object_add(
+			traffic, "dns-tcp-responses-sizes-sent-ipv6", tcpresp6);
+		json_object_object_add(bindstats, "traffic", traffic);
+		udpreq4 = NULL;
+		udpresp4 = NULL;
+		tcpreq4 = NULL;
+		tcpresp4 = NULL;
+		udpreq6 = NULL;
+		udpresp6 = NULL;
+		tcpreq6 = NULL;
+		tcpresp6 = NULL;
+		traffic = NULL;
+	}
+
+	*msg = json_object_to_json_string_ext(bindstats,
+					      JSON_C_TO_STRING_PRETTY);
+	*msglen = strlen(*msg);
+
+	if (rootp != NULL) {
+		*rootp = bindstats;
+		bindstats = NULL;
+	}
+
+	result = ISC_R_SUCCESS;
+
+error:
+	if (udpreq4 != NULL) {
+		json_object_put(udpreq4);
+	}
+	if (udpresp4 != NULL) {
+		json_object_put(udpresp4);
+	}
+	if (tcpreq4 != NULL) {
+		json_object_put(tcpreq4);
+	}
+	if (tcpresp4 != NULL) {
+		json_object_put(tcpresp4);
+	}
+	if (udpreq6 != NULL) {
+		json_object_put(udpreq6);
+	}
+	if (udpresp6 != NULL) {
+		json_object_put(udpresp6);
+	}
+	if (tcpreq6 != NULL) {
+		json_object_put(tcpreq6);
+	}
+	if (tcpresp6 != NULL) {
+		json_object_put(tcpresp6);
+	}
+	if (traffic != NULL) {
+		json_object_put(traffic);
+	}
+	if (bindstats != NULL) {
+		json_object_put(bindstats);
+	}
+
+	return (result);
+}
+
+static isc_result_t
+render_json(uint32_t flags, const char *url, isc_httpdurl_t *urlinfo,
+	    const char *querystring, const char *headers, void *arg,
+	    unsigned int *retcode, const char **retmsg, const char **mimetype,
+	    isc_buffer_t *b, isc_httpdfree_t **freecb, void **freecb_args) {
+	isc_result_t result;
+	json_object *bindstats = NULL;
+	named_server_t *server = arg;
+	const char *msg = NULL;
+	size_t msglen = 0;
+	char *p;
+
+	UNUSED(url);
+	UNUSED(urlinfo);
+	UNUSED(headers);
+	UNUSED(querystring);
+
+	result = generatejson(server, &msglen, &msg, &bindstats, flags);
+	if (result == ISC_R_SUCCESS) {
+		*retcode = 200;
+		*retmsg = "OK";
+		*mimetype = "application/json";
+		DE_CONST(msg, p);
+		isc_buffer_reinit(b, p, msglen);
+		isc_buffer_add(b, msglen);
+		*freecb = wrap_jsonfree;
+		*freecb_args = bindstats;
+	} else {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+			      "failed at rendering JSON()");
+	}
+
+	return (result);
+}
+
+static isc_result_t
+render_json_all(const char *url, isc_httpdurl_t *urlinfo,
+		const char *querystring, const char *headers, void *arg,
+		unsigned int *retcode, const char **retmsg,
+		const char **mimetype, isc_buffer_t *b,
+		isc_httpdfree_t **freecb, void **freecb_args) {
+	return (render_json(STATS_JSON_ALL, url, urlinfo, querystring, headers,
+			    arg, retcode, retmsg, mimetype, b, freecb,
+			    freecb_args));
+}
+
+static isc_result_t
+render_json_status(const char *url, isc_httpdurl_t *urlinfo,
+		   const char *querystring, const char *headers, void *arg,
+		   unsigned int *retcode, const char **retmsg,
+		   const char **mimetype, isc_buffer_t *b,
+		   isc_httpdfree_t **freecb, void **freecb_args) {
+	return (render_json(STATS_JSON_STATUS, url, urlinfo, querystring,
+			    headers, arg, retcode, retmsg, mimetype, b, freecb,
+			    freecb_args));
+}
+
+static isc_result_t
+render_json_server(const char *url, isc_httpdurl_t *urlinfo,
+		   const char *querystring, const char *headers, void *arg,
+		   unsigned int *retcode, const char **retmsg,
+		   const char **mimetype, isc_buffer_t *b,
+		   isc_httpdfree_t **freecb, void **freecb_args) {
+	return (render_json(STATS_JSON_SERVER, url, urlinfo, querystring,
+			    headers, arg, retcode, retmsg, mimetype, b, freecb,
+			    freecb_args));
+}
+
+static isc_result_t
+render_json_zones(const char *url, isc_httpdurl_t *urlinfo,
+		  const char *querystring, const char *headers, void *arg,
+		  unsigned int *retcode, const char **retmsg,
+		  const char **mimetype, isc_buffer_t *b,
+		  isc_httpdfree_t **freecb, void **freecb_args) {
+	return (render_json(STATS_JSON_ZONES, url, urlinfo, querystring,
+			    headers, arg, retcode, retmsg, mimetype, b, freecb,
+			    freecb_args));
+}
+
+static isc_result_t
+render_json_mem(const char *url, isc_httpdurl_t *urlinfo,
+		const char *querystring, const char *headers, void *arg,
+		unsigned int *retcode, const char **retmsg,
+		const char **mimetype, isc_buffer_t *b,
+		isc_httpdfree_t **freecb, void **freecb_args) {
+	return (render_json(STATS_JSON_MEM, url, urlinfo, querystring, headers,
+			    arg, retcode, retmsg, mimetype, b, freecb,
+			    freecb_args));
+}
+
+static isc_result_t
+render_json_tasks(const char *url, isc_httpdurl_t *urlinfo,
+		  const char *querystring, const char *headers, void *arg,
+		  unsigned int *retcode, const char **retmsg,
+		  const char **mimetype, isc_buffer_t *b,
+		  isc_httpdfree_t **freecb, void **freecb_args) {
+	return (render_json(STATS_JSON_TASKS, url, urlinfo, querystring,
+			    headers, arg, retcode, retmsg, mimetype, b, freecb,
+			    freecb_args));
+}
+
+static isc_result_t
+render_json_net(const char *url, isc_httpdurl_t *urlinfo,
+		const char *querystring, const char *headers, void *arg,
+		unsigned int *retcode, const char **retmsg,
+		const char **mimetype, isc_buffer_t *b,
+		isc_httpdfree_t **freecb, void **freecb_args) {
+	return (render_json(STATS_JSON_NET, url, urlinfo, querystring, headers,
+			    arg, retcode, retmsg, mimetype, b, freecb,
+			    freecb_args));
+}
+
+static isc_result_t
+render_json_traffic(const char *url, isc_httpdurl_t *urlinfo,
+		    const char *querystring, const char *headers, void *arg,
+		    unsigned int *retcode, const char **retmsg,
+		    const char **mimetype, isc_buffer_t *b,
+		    isc_httpdfree_t **freecb, void **freecb_args) {
+	return (render_json(STATS_JSON_TRAFFIC, url, urlinfo, querystring,
+			    headers, arg, retcode, retmsg, mimetype, b, freecb,
+			    freecb_args));
+}
+
+#endif /* HAVE_JSON_C */
+
+static isc_result_t
+render_xsl(const char *url, isc_httpdurl_t *urlinfo, const char *querystring,
+	   const char *headers, void *args, unsigned int *retcode,
+	   const char **retmsg, const char **mimetype, isc_buffer_t *b,
+	   isc_httpdfree_t **freecb, void **freecb_args) {
+	isc_result_t result;
+	char *_headers = NULL;
+
+	UNUSED(url);
+	UNUSED(querystring);
+	UNUSED(args);
+
+	*freecb = NULL;
+	*freecb_args = NULL;
+	*mimetype = "text/xslt+xml";
+
+	if (urlinfo->isstatic) {
+		isc_time_t when;
+		char *line, *saveptr;
+		const char *if_modified_since = "If-Modified-Since: ";
+		_headers = strdup(headers);
+
+		if (_headers == NULL) {
+			goto send;
+		}
+
+		saveptr = NULL;
+		for (line = strtok_r(_headers, "\n", &saveptr); line;
+		     line = strtok_r(NULL, "\n", &saveptr))
+		{
+			if (strncasecmp(line, if_modified_since,
+					strlen(if_modified_since)) == 0)
+			{
+				time_t t1, t2;
+				line += strlen(if_modified_since);
+				result = isc_time_parsehttptimestamp(line,
+								     &when);
+				if (result != ISC_R_SUCCESS) {
+					goto send;
+				}
+
+				result = isc_time_secondsastimet(&when, &t1);
+				if (result != ISC_R_SUCCESS) {
+					goto send;
+				}
+
+				result = isc_time_secondsastimet(
+					&urlinfo->loadtime, &t2);
+				if (result != ISC_R_SUCCESS) {
+					goto send;
+				}
+
+				if (t1 < t2) {
+					goto send;
+				}
+
+				*retcode = 304;
+				*retmsg = "Not modified";
+				goto end;
+			}
+		}
+	}
+
+send:
+	*retcode = 200;
+	*retmsg = "OK";
+	isc_buffer_reinit(b, xslmsg, strlen(xslmsg));
+	isc_buffer_add(b, strlen(xslmsg));
+end:
+	free(_headers);
+	return (ISC_R_SUCCESS);
+}
+
+static void
+shutdown_listener(named_statschannel_t *listener) {
+	char socktext[ISC_SOCKADDR_FORMATSIZE];
+	isc_sockaddr_format(&listener->address, socktext, sizeof(socktext));
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_NOTICE,
+		      "stopping statistics channel on %s", socktext);
+
+	isc_httpdmgr_shutdown(&listener->httpdmgr);
+}
+
+static bool
+client_ok(const isc_sockaddr_t *fromaddr, void *arg) {
+	named_statschannel_t *listener = arg;
+	dns_aclenv_t *env =
+		ns_interfacemgr_getaclenv(named_g_server->interfacemgr);
+	isc_netaddr_t netaddr;
+	char socktext[ISC_SOCKADDR_FORMATSIZE];
+	int match;
+
+	REQUIRE(listener != NULL);
+
+	isc_netaddr_fromsockaddr(&netaddr, fromaddr);
+
+	LOCK(&listener->lock);
+	if ((dns_acl_match(&netaddr, NULL, listener->acl, env, &match, NULL) ==
+	     ISC_R_SUCCESS) &&
+	    match > 0)
+	{
+		UNLOCK(&listener->lock);
+		return (true);
+	}
+	UNLOCK(&listener->lock);
+
+	isc_sockaddr_format(fromaddr, socktext, sizeof(socktext));
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING,
+		      "rejected statistics connection from %s", socktext);
+
+	return (false);
+}
+
+static void
+destroy_listener(void *arg) {
+	named_statschannel_t *listener = arg;
+
+	REQUIRE(listener != NULL);
+	REQUIRE(!ISC_LINK_LINKED(listener, link));
+
+	/* We don't have to acquire the lock here since it's already unlinked */
+	dns_acl_detach(&listener->acl);
+
+	isc_mutex_destroy(&listener->lock);
+	isc_mem_putanddetach(&listener->mctx, listener, sizeof(*listener));
+}
+
+static isc_result_t
+add_listener(named_server_t *server, named_statschannel_t **listenerp,
+	     const cfg_obj_t *listen_params, const cfg_obj_t *config,
+	     isc_sockaddr_t *addr, cfg_aclconfctx_t *aclconfctx,
+	     const char *socktext) {
+	isc_result_t result;
+	named_statschannel_t *listener;
+	isc_task_t *task = NULL;
+	isc_socket_t *sock = NULL;
+	const cfg_obj_t *allow;
+	dns_acl_t *new_acl = NULL;
+
+	listener = isc_mem_get(server->mctx, sizeof(*listener));
+
+	listener->httpdmgr = NULL;
+	listener->address = *addr;
+	listener->acl = NULL;
+	listener->mctx = NULL;
+	ISC_LINK_INIT(listener, link);
+
+	isc_mutex_init(&listener->lock);
+
+	isc_mem_attach(server->mctx, &listener->mctx);
+
+	allow = cfg_tuple_get(listen_params, "allow");
+	if (allow != NULL && cfg_obj_islist(allow)) {
+		result = cfg_acl_fromconfig(allow, config, named_g_lctx,
+					    aclconfctx, listener->mctx, 0,
+					    &new_acl);
+	} else {
+		result = dns_acl_any(listener->mctx, &new_acl);
+	}
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	dns_acl_attach(new_acl, &listener->acl);
+	dns_acl_detach(&new_acl);
+
+	result = isc_task_create(named_g_taskmgr, 0, &task);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	isc_task_setname(task, "statchannel", NULL);
+
+	result = isc_socket_create(named_g_socketmgr, isc_sockaddr_pf(addr),
+				   isc_sockettype_tcp, &sock);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	isc_socket_setname(sock, "statchannel", NULL);
+
+#ifndef ISC_ALLOW_MAPPED
+	isc_socket_ipv6only(sock, true);
+#endif /* ifndef ISC_ALLOW_MAPPED */
+
+	result = isc_socket_bind(sock, addr, ISC_SOCKET_REUSEADDRESS);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	result = isc_httpdmgr_create(server->mctx, sock, task, client_ok,
+				     destroy_listener, listener,
+				     named_g_timermgr, &listener->httpdmgr);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+#ifdef HAVE_LIBXML2
+	isc_httpdmgr_addurl(listener->httpdmgr, "/", render_xml_all, server);
+	isc_httpdmgr_addurl(listener->httpdmgr, "/xml", render_xml_all, server);
+	isc_httpdmgr_addurl(listener->httpdmgr, "/xml/v3", render_xml_all,
+			    server);
+	isc_httpdmgr_addurl(listener->httpdmgr, "/xml/v3/status",
+			    render_xml_status, server);
+	isc_httpdmgr_addurl(listener->httpdmgr, "/xml/v3/server",
+			    render_xml_server, server);
+	isc_httpdmgr_addurl(listener->httpdmgr, "/xml/v3/zones",
+			    render_xml_zones, server);
+	isc_httpdmgr_addurl(listener->httpdmgr, "/xml/v3/net", render_xml_net,
+			    server);
+	isc_httpdmgr_addurl(listener->httpdmgr, "/xml/v3/tasks",
+			    render_xml_tasks, server);
+	isc_httpdmgr_addurl(listener->httpdmgr, "/xml/v3/mem", render_xml_mem,
+			    server);
+	isc_httpdmgr_addurl(listener->httpdmgr, "/xml/v3/traffic",
+			    render_xml_traffic, server);
+#endif /* ifdef HAVE_LIBXML2 */
+#ifdef HAVE_JSON_C
+	isc_httpdmgr_addurl(listener->httpdmgr, "/json", render_json_all,
+			    server);
+	isc_httpdmgr_addurl(listener->httpdmgr, "/json/v1", render_json_all,
+			    server);
+	isc_httpdmgr_addurl(listener->httpdmgr, "/json/v1/status",
+			    render_json_status, server);
+	isc_httpdmgr_addurl(listener->httpdmgr, "/json/v1/server",
+			    render_json_server, server);
+	isc_httpdmgr_addurl(listener->httpdmgr, "/json/v1/zones",
+			    render_json_zones, server);
+	isc_httpdmgr_addurl(listener->httpdmgr, "/json/v1/tasks",
+			    render_json_tasks, server);
+	isc_httpdmgr_addurl(listener->httpdmgr, "/json/v1/net", render_json_net,
+			    server);
+	isc_httpdmgr_addurl(listener->httpdmgr, "/json/v1/mem", render_json_mem,
+			    server);
+	isc_httpdmgr_addurl(listener->httpdmgr, "/json/v1/traffic",
+			    render_json_traffic, server);
+#endif /* ifdef HAVE_JSON_C */
+	isc_httpdmgr_addurl2(listener->httpdmgr, "/bind9.xsl", true, render_xsl,
+			     server);
+
+	*listenerp = listener;
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_NOTICE,
+		      "statistics channel listening on %s", socktext);
+
+cleanup:
+	if (result != ISC_R_SUCCESS) {
+		if (listener->acl != NULL) {
+			dns_acl_detach(&listener->acl);
+		}
+		isc_mutex_destroy(&listener->lock);
+		isc_mem_putanddetach(&listener->mctx, listener,
+				     sizeof(*listener));
+	}
+	if (task != NULL) {
+		isc_task_detach(&task);
+	}
+	if (sock != NULL) {
+		isc_socket_detach(&sock);
+	}
+
+	return (result);
+}
+
+static void
+update_listener(named_server_t *server, named_statschannel_t **listenerp,
+		const cfg_obj_t *listen_params, const cfg_obj_t *config,
+		isc_sockaddr_t *addr, cfg_aclconfctx_t *aclconfctx,
+		const char *socktext) {
+	named_statschannel_t *listener;
+	const cfg_obj_t *allow = NULL;
+	dns_acl_t *new_acl = NULL;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	for (listener = ISC_LIST_HEAD(server->statschannels); listener != NULL;
+	     listener = ISC_LIST_NEXT(listener, link))
+	{
+		if (isc_sockaddr_equal(addr, &listener->address)) {
+			break;
+		}
+	}
+
+	if (listener == NULL) {
+		*listenerp = NULL;
+		return;
+	}
+
+	/*
+	 * Now, keep the old access list unless a new one can be made.
+	 */
+	allow = cfg_tuple_get(listen_params, "allow");
+	if (allow != NULL && cfg_obj_islist(allow)) {
+		result = cfg_acl_fromconfig(allow, config, named_g_lctx,
+					    aclconfctx, listener->mctx, 0,
+					    &new_acl);
+	} else {
+		result = dns_acl_any(listener->mctx, &new_acl);
+	}
+
+	if (result == ISC_R_SUCCESS) {
+		LOCK(&listener->lock);
+
+		dns_acl_detach(&listener->acl);
+		dns_acl_attach(new_acl, &listener->acl);
+		dns_acl_detach(&new_acl);
+
+		UNLOCK(&listener->lock);
+	} else {
+		cfg_obj_log(listen_params, named_g_lctx, ISC_LOG_WARNING,
+			    "couldn't install new acl for "
+			    "statistics channel %s: %s",
+			    socktext, isc_result_totext(result));
+	}
+
+	*listenerp = listener;
+}
+
+isc_result_t
+named_statschannels_configure(named_server_t *server, const cfg_obj_t *config,
+			      cfg_aclconfctx_t *aclconfctx) {
+	named_statschannel_t *listener, *listener_next;
+	named_statschannellist_t new_listeners;
+	const cfg_obj_t *statschannellist = NULL;
+	const cfg_listelt_t *element, *element2;
+	char socktext[ISC_SOCKADDR_FORMATSIZE];
+
+	RUNTIME_CHECK(isc_once_do(&once, init_desc) == ISC_R_SUCCESS);
+
+	ISC_LIST_INIT(new_listeners);
+
+	/*
+	 * Get the list of named.conf 'statistics-channels' statements.
+	 */
+	(void)cfg_map_get(config, "statistics-channels", &statschannellist);
+
+	/*
+	 * Run through the new address/port list, noting sockets that are
+	 * already being listened on and moving them to the new list.
+	 *
+	 * Identifying duplicate addr/port combinations is left to either
+	 * the underlying config code, or to the bind attempt getting an
+	 * address-in-use error.
+	 */
+	if (statschannellist != NULL) {
+#ifndef EXTENDED_STATS
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING,
+			      "statistics-channels specified but not effective "
+			      "due to missing XML and/or JSON library");
+#else /* EXTENDED_STATS */
+#ifndef HAVE_LIBXML2
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING,
+			      "statistics-channels: XML library missing, "
+			      "only JSON stats will be available");
+#endif /* !HAVE_LIBXML2 */
+#ifndef HAVE_JSON_C
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING,
+			      "statistics-channels: JSON library missing, "
+			      "only XML stats will be available");
+#endif /* !HAVE_JSON_C */
+#endif /* EXTENDED_STATS */
+
+		for (element = cfg_list_first(statschannellist);
+		     element != NULL; element = cfg_list_next(element))
+		{
+			const cfg_obj_t *statschannel;
+			const cfg_obj_t *listenercfg = NULL;
+
+			statschannel = cfg_listelt_value(element);
+			(void)cfg_map_get(statschannel, "inet", &listenercfg);
+			if (listenercfg == NULL) {
+				continue;
+			}
+
+			for (element2 = cfg_list_first(listenercfg);
+			     element2 != NULL;
+			     element2 = cfg_list_next(element2))
+			{
+				const cfg_obj_t *listen_params;
+				const cfg_obj_t *obj;
+				isc_sockaddr_t addr;
+
+				listen_params = cfg_listelt_value(element2);
+
+				obj = cfg_tuple_get(listen_params, "address");
+				addr = *cfg_obj_assockaddr(obj);
+				if (isc_sockaddr_getport(&addr) == 0) {
+					isc_sockaddr_setport(
+						&addr,
+						NAMED_STATSCHANNEL_HTTPPORT);
+				}
+
+				isc_sockaddr_format(&addr, socktext,
+						    sizeof(socktext));
+
+				isc_log_write(named_g_lctx,
+					      NAMED_LOGCATEGORY_GENERAL,
+					      NAMED_LOGMODULE_SERVER,
+					      ISC_LOG_DEBUG(9),
+					      "processing statistics "
+					      "channel %s",
+					      socktext);
+
+				update_listener(server, &listener,
+						listen_params, config, &addr,
+						aclconfctx, socktext);
+
+				if (listener != NULL) {
+					/*
+					 * Remove the listener from the old
+					 * list, so it won't be shut down.
+					 */
+					ISC_LIST_UNLINK(server->statschannels,
+							listener, link);
+				} else {
+					/*
+					 * This is a new listener.
+					 */
+					isc_result_t r;
+
+					r = add_listener(server, &listener,
+							 listen_params, config,
+							 &addr, aclconfctx,
+							 socktext);
+					if (r != ISC_R_SUCCESS) {
+						cfg_obj_log(
+							listen_params,
+							named_g_lctx,
+							ISC_LOG_WARNING,
+							"couldn't allocate "
+							"statistics channel"
+							" %s: %s",
+							socktext,
+							isc_result_totext(r));
+					}
+				}
+
+				if (listener != NULL) {
+					ISC_LIST_APPEND(new_listeners, listener,
+							link);
+				}
+			}
+		}
+	}
+
+	for (listener = ISC_LIST_HEAD(server->statschannels); listener != NULL;
+	     listener = listener_next)
+	{
+		listener_next = ISC_LIST_NEXT(listener, link);
+		ISC_LIST_UNLINK(server->statschannels, listener, link);
+		shutdown_listener(listener);
+	}
+
+	ISC_LIST_APPENDLIST(server->statschannels, new_listeners, link);
+	return (ISC_R_SUCCESS);
+}
+
+void
+named_statschannels_shutdown(named_server_t *server) {
+	named_statschannel_t *listener;
+
+	while ((listener = ISC_LIST_HEAD(server->statschannels)) != NULL) {
+		ISC_LIST_UNLINK(server->statschannels, listener, link);
+		shutdown_listener(listener);
+	}
+}
+
+isc_result_t
+named_stats_dump(named_server_t *server, FILE *fp) {
+	isc_stdtime_t now;
+	isc_result_t result;
+	dns_view_t *view;
+	dns_zone_t *zone, *next;
+	stats_dumparg_t dumparg;
+	uint64_t nsstat_values[ns_statscounter_max];
+	uint64_t resstat_values[dns_resstatscounter_max];
+	uint64_t adbstat_values[dns_adbstats_max];
+	uint64_t zonestat_values[dns_zonestatscounter_max];
+	uint64_t sockstat_values[isc_sockstatscounter_max];
+	uint64_t gluecachestats_values[dns_gluecachestatscounter_max];
+
+	RUNTIME_CHECK(isc_once_do(&once, init_desc) == ISC_R_SUCCESS);
+
+	/* Set common fields */
+	dumparg.type = isc_statsformat_file;
+	dumparg.arg = fp;
+
+	isc_stdtime_get(&now);
+	fprintf(fp, "+++ Statistics Dump +++ (%lu)\n", (unsigned long)now);
+
+	fprintf(fp, "++ Incoming Requests ++\n");
+	dns_opcodestats_dump(server->sctx->opcodestats, opcodestat_dump,
+			     &dumparg, 0);
+
+	fprintf(fp, "++ Incoming Queries ++\n");
+	dns_rdatatypestats_dump(server->sctx->rcvquerystats, rdtypestat_dump,
+				&dumparg, 0);
+
+	fprintf(fp, "++ Outgoing Rcodes ++\n");
+	dns_rcodestats_dump(server->sctx->rcodestats, rcodestat_dump, &dumparg,
+			    0);
+
+	fprintf(fp, "++ Outgoing Queries ++\n");
+	for (view = ISC_LIST_HEAD(server->viewlist); view != NULL;
+	     view = ISC_LIST_NEXT(view, link))
+	{
+		if (view->resquerystats == NULL) {
+			continue;
+		}
+		if (strcmp(view->name, "_default") == 0) {
+			fprintf(fp, "[View: default]\n");
+		} else {
+			fprintf(fp, "[View: %s]\n", view->name);
+		}
+		dns_rdatatypestats_dump(view->resquerystats, rdtypestat_dump,
+					&dumparg, 0);
+	}
+
+	fprintf(fp, "++ Name Server Statistics ++\n");
+	(void)dump_counters(ns_stats_get(server->sctx->nsstats),
+			    isc_statsformat_file, fp, NULL, nsstats_desc,
+			    ns_statscounter_max, nsstats_index, nsstat_values,
+			    0);
+
+	fprintf(fp, "++ Zone Maintenance Statistics ++\n");
+	(void)dump_counters(server->zonestats, isc_statsformat_file, fp, NULL,
+			    zonestats_desc, dns_zonestatscounter_max,
+			    zonestats_index, zonestat_values, 0);
+
+	fprintf(fp, "++ Resolver Statistics ++\n");
+	fprintf(fp, "[Common]\n");
+	(void)dump_counters(server->resolverstats, isc_statsformat_file, fp,
+			    NULL, resstats_desc, dns_resstatscounter_max,
+			    resstats_index, resstat_values, 0);
+	for (view = ISC_LIST_HEAD(server->viewlist); view != NULL;
+	     view = ISC_LIST_NEXT(view, link))
+	{
+		if (view->resstats == NULL) {
+			continue;
+		}
+		if (strcmp(view->name, "_default") == 0) {
+			fprintf(fp, "[View: default]\n");
+		} else {
+			fprintf(fp, "[View: %s]\n", view->name);
+		}
+		(void)dump_counters(view->resstats, isc_statsformat_file, fp,
+				    NULL, resstats_desc,
+				    dns_resstatscounter_max, resstats_index,
+				    resstat_values, 0);
+	}
+
+	fprintf(fp, "++ Cache Statistics ++\n");
+	for (view = ISC_LIST_HEAD(server->viewlist); view != NULL;
+	     view = ISC_LIST_NEXT(view, link))
+	{
+		if (strcmp(view->name, "_default") == 0) {
+			fprintf(fp, "[View: default]\n");
+		} else {
+			fprintf(fp, "[View: %s (Cache: %s)]\n", view->name,
+				dns_cache_getname(view->cache));
+		}
+		/*
+		 * Avoid dumping redundant statistics when the cache is shared.
+		 */
+		if (dns_view_iscacheshared(view)) {
+			continue;
+		}
+		dns_cache_dumpstats(view->cache, fp);
+	}
+
+	fprintf(fp, "++ Cache DB RRsets ++\n");
+	for (view = ISC_LIST_HEAD(server->viewlist); view != NULL;
+	     view = ISC_LIST_NEXT(view, link))
+	{
+		dns_stats_t *cacherrstats;
+
+		cacherrstats = dns_db_getrrsetstats(view->cachedb);
+		if (cacherrstats == NULL) {
+			continue;
+		}
+		if (strcmp(view->name, "_default") == 0) {
+			fprintf(fp, "[View: default]\n");
+		} else {
+			fprintf(fp, "[View: %s (Cache: %s)]\n", view->name,
+				dns_cache_getname(view->cache));
+		}
+		if (dns_view_iscacheshared(view)) {
+			/*
+			 * Avoid dumping redundant statistics when the cache is
+			 * shared.
+			 */
+			continue;
+		}
+		dns_rdatasetstats_dump(cacherrstats, rdatasetstats_dump,
+				       &dumparg, 0);
+	}
+
+	fprintf(fp, "++ ADB stats ++\n");
+	for (view = ISC_LIST_HEAD(server->viewlist); view != NULL;
+	     view = ISC_LIST_NEXT(view, link))
+	{
+		if (view->adbstats == NULL) {
+			continue;
+		}
+		if (strcmp(view->name, "_default") == 0) {
+			fprintf(fp, "[View: default]\n");
+		} else {
+			fprintf(fp, "[View: %s]\n", view->name);
+		}
+		(void)dump_counters(view->adbstats, isc_statsformat_file, fp,
+				    NULL, adbstats_desc, dns_adbstats_max,
+				    adbstats_index, adbstat_values, 0);
+	}
+
+	fprintf(fp, "++ Socket I/O Statistics ++\n");
+	(void)dump_counters(server->sockstats, isc_statsformat_file, fp, NULL,
+			    sockstats_desc, isc_sockstatscounter_max,
+			    sockstats_index, sockstat_values, 0);
+
+	fprintf(fp, "++ Per Zone Query Statistics ++\n");
+	zone = NULL;
+	for (result = dns_zone_first(server->zonemgr, &zone);
+	     result == ISC_R_SUCCESS;
+	     next = NULL, result = dns_zone_next(zone, &next), zone = next)
+	{
+		isc_stats_t *zonestats = dns_zone_getrequeststats(zone);
+		if (zonestats != NULL) {
+			char zonename[DNS_NAME_FORMATSIZE];
+
+			view = dns_zone_getview(zone);
+			if (view == NULL) {
+				continue;
+			}
+
+			dns_name_format(dns_zone_getorigin(zone), zonename,
+					sizeof(zonename));
+			fprintf(fp, "[%s", zonename);
+			if (strcmp(view->name, "_default") != 0) {
+				fprintf(fp, " (view: %s)", view->name);
+			}
+			fprintf(fp, "]\n");
+
+			(void)dump_counters(zonestats, isc_statsformat_file, fp,
+					    NULL, nsstats_desc,
+					    ns_statscounter_max, nsstats_index,
+					    nsstat_values, 0);
+		}
+	}
+
+	fprintf(fp, "++ Per Zone Glue Cache Statistics ++\n");
+	zone = NULL;
+	for (result = dns_zone_first(server->zonemgr, &zone);
+	     result == ISC_R_SUCCESS;
+	     next = NULL, result = dns_zone_next(zone, &next), zone = next)
+	{
+		isc_stats_t *gluecachestats = dns_zone_getgluecachestats(zone);
+		if (gluecachestats != NULL) {
+			char zonename[DNS_NAME_FORMATSIZE];
+
+			view = dns_zone_getview(zone);
+			if (view == NULL) {
+				continue;
+			}
+
+			dns_name_format(dns_zone_getorigin(zone), zonename,
+					sizeof(zonename));
+			fprintf(fp, "[%s", zonename);
+			if (strcmp(view->name, "_default") != 0) {
+				fprintf(fp, " (view: %s)", view->name);
+			}
+			fprintf(fp, "]\n");
+
+			(void)dump_counters(
+				gluecachestats, isc_statsformat_file, fp, NULL,
+				gluecachestats_desc,
+				dns_gluecachestatscounter_max,
+				gluecachestats_index, gluecachestats_values, 0);
+		}
+	}
+
+	fprintf(fp, "--- Statistics Dump --- (%lu)\n", (unsigned long)now);
+
+	return (ISC_R_SUCCESS); /* this function currently always succeeds */
+}
diff --git a/bin/named/tkeyconf.c b/bin/named/tkeyconf.c
new file mode 100644
index 0000000..03b198b
--- /dev/null
+++ b/bin/named/tkeyconf.c
@@ -0,0 +1,115 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+
+#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/string.h> /* Required for HP/UX (and others?) */
+
+#include <dns/fixedname.h>
+#include <dns/keyvalues.h>
+#include <dns/name.h>
+#include <dns/tkey.h>
+
+#include <dst/gssapi.h>
+
+#include <isccfg/cfg.h>
+
+#include <named/tkeyconf.h>
+
+#define RETERR(x)                            \
+	do {                                 \
+		result = (x);                \
+		if (result != ISC_R_SUCCESS) \
+			goto failure;        \
+	} while (0)
+
+#include <named/log.h>
+#define LOG(msg)                                               \
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, \
+		      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, "%s", msg)
+
+isc_result_t
+named_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx,
+			 dns_tkeyctx_t **tctxp) {
+	isc_result_t result;
+	dns_tkeyctx_t *tctx = NULL;
+	const char *s;
+	uint32_t n;
+	dns_fixedname_t fname;
+	dns_name_t *name;
+	isc_buffer_t b;
+	const cfg_obj_t *obj;
+	int type;
+
+	result = dns_tkeyctx_create(mctx, &tctx);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	obj = NULL;
+	result = cfg_map_get(options, "tkey-dhkey", &obj);
+	if (result == ISC_R_SUCCESS) {
+		s = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
+		n = cfg_obj_asuint32(cfg_tuple_get(obj, "keyid"));
+		isc_buffer_constinit(&b, s, strlen(s));
+		isc_buffer_add(&b, strlen(s));
+		name = dns_fixedname_initname(&fname);
+		RETERR(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
+		type = DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY;
+		RETERR(dst_key_fromfile(name, (dns_keytag_t)n, DNS_KEYALG_DH,
+					type, NULL, mctx, &tctx->dhkey));
+	}
+
+	obj = NULL;
+	result = cfg_map_get(options, "tkey-domain", &obj);
+	if (result == ISC_R_SUCCESS) {
+		s = cfg_obj_asstring(obj);
+		isc_buffer_constinit(&b, s, strlen(s));
+		isc_buffer_add(&b, strlen(s));
+		name = dns_fixedname_initname(&fname);
+		RETERR(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
+		tctx->domain = isc_mem_get(mctx, sizeof(dns_name_t));
+		dns_name_init(tctx->domain, NULL);
+		dns_name_dup(name, mctx, tctx->domain);
+	}
+
+	obj = NULL;
+	result = cfg_map_get(options, "tkey-gssapi-credential", &obj);
+	if (result == ISC_R_SUCCESS) {
+		s = cfg_obj_asstring(obj);
+
+		isc_buffer_constinit(&b, s, strlen(s));
+		isc_buffer_add(&b, strlen(s));
+		name = dns_fixedname_initname(&fname);
+		RETERR(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
+		RETERR(dst_gssapi_acquirecred(name, false, &tctx->gsscred));
+	}
+
+	obj = NULL;
+	result = cfg_map_get(options, "tkey-gssapi-keytab", &obj);
+	if (result == ISC_R_SUCCESS) {
+		s = cfg_obj_asstring(obj);
+		tctx->gssapi_keytab = isc_mem_strdup(mctx, s);
+	}
+
+	*tctxp = tctx;
+	return (ISC_R_SUCCESS);
+
+failure:
+	dns_tkeyctx_destroy(&tctx);
+	return (result);
+}
diff --git a/bin/named/tsigconf.c b/bin/named/tsigconf.c
new file mode 100644
index 0000000..085cc39
--- /dev/null
+++ b/bin/named/tsigconf.c
@@ -0,0 +1,181 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/result.h>
+#include <dns/tsig.h>
+
+#include <isccfg/cfg.h>
+
+#include <named/config.h>
+#include <named/log.h>
+#include <named/tsigconf.h>
+
+static isc_result_t
+add_initial_keys(const cfg_obj_t *list, dns_tsig_keyring_t *ring,
+		 isc_mem_t *mctx) {
+	dns_tsigkey_t *tsigkey = NULL;
+	const cfg_listelt_t *element;
+	const cfg_obj_t *key = NULL;
+	const char *keyid = NULL;
+	unsigned char *secret = NULL;
+	int secretalloc = 0;
+	int secretlen = 0;
+	isc_result_t ret;
+	isc_stdtime_t now;
+	uint16_t bits;
+
+	for (element = cfg_list_first(list); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		const cfg_obj_t *algobj = NULL;
+		const cfg_obj_t *secretobj = NULL;
+		dns_name_t keyname;
+		const dns_name_t *alg;
+		const char *algstr;
+		char keynamedata[1024];
+		isc_buffer_t keynamesrc, keynamebuf;
+		const char *secretstr;
+		isc_buffer_t secretbuf;
+
+		key = cfg_listelt_value(element);
+		keyid = cfg_obj_asstring(cfg_map_getname(key));
+
+		algobj = NULL;
+		secretobj = NULL;
+		(void)cfg_map_get(key, "algorithm", &algobj);
+		(void)cfg_map_get(key, "secret", &secretobj);
+		INSIST(algobj != NULL && secretobj != NULL);
+
+		/*
+		 * Create the key name.
+		 */
+		dns_name_init(&keyname, NULL);
+		isc_buffer_constinit(&keynamesrc, keyid, strlen(keyid));
+		isc_buffer_add(&keynamesrc, strlen(keyid));
+		isc_buffer_init(&keynamebuf, keynamedata, sizeof(keynamedata));
+		ret = dns_name_fromtext(&keyname, &keynamesrc, dns_rootname,
+					DNS_NAME_DOWNCASE, &keynamebuf);
+		if (ret != ISC_R_SUCCESS) {
+			goto failure;
+		}
+
+		/*
+		 * Create the algorithm.
+		 */
+		algstr = cfg_obj_asstring(algobj);
+		if (named_config_getkeyalgorithm(algstr, &alg, &bits) !=
+		    ISC_R_SUCCESS)
+		{
+			cfg_obj_log(algobj, named_g_lctx, ISC_LOG_ERROR,
+				    "key '%s': has a "
+				    "unsupported algorithm '%s'",
+				    keyid, algstr);
+			ret = DNS_R_BADALG;
+			goto failure;
+		}
+
+		secretstr = cfg_obj_asstring(secretobj);
+		secretalloc = secretlen = strlen(secretstr) * 3 / 4;
+		secret = isc_mem_get(mctx, secretlen);
+		isc_buffer_init(&secretbuf, secret, secretlen);
+		ret = isc_base64_decodestring(secretstr, &secretbuf);
+		if (ret != ISC_R_SUCCESS) {
+			goto failure;
+		}
+		secretlen = isc_buffer_usedlength(&secretbuf);
+
+		isc_stdtime_get(&now);
+		ret = dns_tsigkey_create(&keyname, alg, secret, secretlen,
+					 false, NULL, now, now, mctx, ring,
+					 &tsigkey);
+		isc_mem_put(mctx, secret, secretalloc);
+		secret = NULL;
+		if (ret != ISC_R_SUCCESS) {
+			goto failure;
+		}
+		/*
+		 * Set digest bits.
+		 */
+		dst_key_setbits(tsigkey->key, bits);
+		dns_tsigkey_detach(&tsigkey);
+	}
+
+	return (ISC_R_SUCCESS);
+
+failure:
+	cfg_obj_log(key, named_g_lctx, ISC_LOG_ERROR,
+		    "configuring key '%s': %s", keyid, isc_result_totext(ret));
+
+	if (secret != NULL) {
+		isc_mem_put(mctx, secret, secretalloc);
+	}
+	return (ret);
+}
+
+isc_result_t
+named_tsigkeyring_fromconfig(const cfg_obj_t *config, const cfg_obj_t *vconfig,
+			     isc_mem_t *mctx, dns_tsig_keyring_t **ringp) {
+	const cfg_obj_t *maps[3];
+	const cfg_obj_t *keylist;
+	dns_tsig_keyring_t *ring = NULL;
+	isc_result_t result;
+	int i;
+
+	REQUIRE(ringp != NULL && *ringp == NULL);
+
+	i = 0;
+	if (config != NULL) {
+		maps[i++] = config;
+	}
+	if (vconfig != NULL) {
+		maps[i++] = cfg_tuple_get(vconfig, "options");
+	}
+	maps[i] = NULL;
+
+	result = dns_tsigkeyring_create(mctx, &ring);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	for (i = 0;; i++) {
+		if (maps[i] == NULL) {
+			break;
+		}
+		keylist = NULL;
+		result = cfg_map_get(maps[i], "key", &keylist);
+		if (result != ISC_R_SUCCESS) {
+			continue;
+		}
+		result = add_initial_keys(keylist, ring, mctx);
+		if (result != ISC_R_SUCCESS) {
+			goto failure;
+		}
+	}
+
+	*ringp = ring;
+	return (ISC_R_SUCCESS);
+
+failure:
+	dns_tsigkeyring_detach(&ring);
+	return (result);
+}
diff --git a/bin/named/unix/Makefile.in b/bin/named/unix/Makefile.in
new file mode 100644
index 0000000..21d7bc3
--- /dev/null
+++ b/bin/named/unix/Makefile.in
@@ -0,0 +1,32 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	-I${srcdir}/include -I${srcdir}/../include \
+		${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} \
+		${DNS_INCLUDES} ${ISC_INCLUDES} \
+		${OPENSSL_CFLAGS}
+
+CDEFINES =
+CWARNINGS =
+
+OBJS =		os.@O@ dlz_dlopen_driver.@O@
+
+SRCS =		os.c dlz_dlopen_driver.c
+
+TARGETS =	${OBJS}
+
+@BIND9_MAKE_RULES@
diff --git a/bin/named/unix/dlz_dlopen_driver.c b/bin/named/unix/dlz_dlopen_driver.c
new file mode 100644
index 0000000..c84df10
--- /dev/null
+++ b/bin/named/unix/dlz_dlopen_driver.c
@@ -0,0 +1,596 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#if HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif /* if HAVE_DLFCN_H */
+
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/util.h>
+
+#include <dns/dlz_dlopen.h>
+#include <dns/log.h>
+#include <dns/result.h>
+
+#include <dlz/dlz_dlopen_driver.h>
+#include <named/globals.h>
+
+#ifdef ISC_DLZ_DLOPEN
+static dns_sdlzimplementation_t *dlz_dlopen = NULL;
+
+typedef struct dlopen_data {
+	isc_mem_t *mctx;
+	char *dl_path;
+	char *dlzname;
+	void *dl_handle;
+	void *dbdata;
+	unsigned int flags;
+	isc_mutex_t lock;
+	int version;
+	bool in_configure;
+
+	dlz_dlopen_version_t *dlz_version;
+	dlz_dlopen_create_t *dlz_create;
+	dlz_dlopen_findzonedb_t *dlz_findzonedb;
+	dlz_dlopen_lookup_t *dlz_lookup;
+	dlz_dlopen_authority_t *dlz_authority;
+	dlz_dlopen_allnodes_t *dlz_allnodes;
+	dlz_dlopen_allowzonexfr_t *dlz_allowzonexfr;
+	dlz_dlopen_newversion_t *dlz_newversion;
+	dlz_dlopen_closeversion_t *dlz_closeversion;
+	dlz_dlopen_configure_t *dlz_configure;
+	dlz_dlopen_ssumatch_t *dlz_ssumatch;
+	dlz_dlopen_addrdataset_t *dlz_addrdataset;
+	dlz_dlopen_subrdataset_t *dlz_subrdataset;
+	dlz_dlopen_delrdataset_t *dlz_delrdataset;
+	dlz_dlopen_destroy_t *dlz_destroy;
+} dlopen_data_t;
+
+/* Modules can choose whether they are lock-safe or not. */
+#define MAYBE_LOCK(cd)                                            \
+	do {                                                      \
+		if ((cd->flags & DNS_SDLZFLAG_THREADSAFE) == 0 && \
+		    !cd->in_configure)                            \
+			LOCK(&cd->lock);                          \
+	} while (0)
+
+#define MAYBE_UNLOCK(cd)                                          \
+	do {                                                      \
+		if ((cd->flags & DNS_SDLZFLAG_THREADSAFE) == 0 && \
+		    !cd->in_configure)                            \
+			UNLOCK(&cd->lock);                        \
+	} while (0)
+
+/*
+ * Log a message at the given level.
+ */
+static void
+dlopen_log(int level, const char *fmt, ...) {
+	va_list ap;
+	va_start(ap, fmt);
+	isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ,
+		       ISC_LOG_DEBUG(level), fmt, ap);
+	va_end(ap);
+}
+
+/*
+ * SDLZ methods
+ */
+
+static isc_result_t
+dlopen_dlz_allnodes(const char *zone, void *driverarg, void *dbdata,
+		    dns_sdlzallnodes_t *allnodes) {
+	dlopen_data_t *cd = (dlopen_data_t *)dbdata;
+	isc_result_t result;
+
+	UNUSED(driverarg);
+
+	if (cd->dlz_allnodes == NULL) {
+		return (ISC_R_NOPERM);
+	}
+
+	MAYBE_LOCK(cd);
+	result = cd->dlz_allnodes(zone, cd->dbdata, allnodes);
+	MAYBE_UNLOCK(cd);
+	return (result);
+}
+
+static isc_result_t
+dlopen_dlz_allowzonexfr(void *driverarg, void *dbdata, const char *name,
+			const char *client) {
+	dlopen_data_t *cd = (dlopen_data_t *)dbdata;
+	isc_result_t result;
+
+	UNUSED(driverarg);
+
+	if (cd->dlz_allowzonexfr == NULL) {
+		return (ISC_R_NOPERM);
+	}
+
+	MAYBE_LOCK(cd);
+	result = cd->dlz_allowzonexfr(cd->dbdata, name, client);
+	MAYBE_UNLOCK(cd);
+	return (result);
+}
+
+static isc_result_t
+dlopen_dlz_authority(const char *zone, void *driverarg, void *dbdata,
+		     dns_sdlzlookup_t *lookup) {
+	dlopen_data_t *cd = (dlopen_data_t *)dbdata;
+	isc_result_t result;
+
+	UNUSED(driverarg);
+
+	if (cd->dlz_authority == NULL) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	MAYBE_LOCK(cd);
+	result = cd->dlz_authority(zone, cd->dbdata, lookup);
+	MAYBE_UNLOCK(cd);
+	return (result);
+}
+
+static isc_result_t
+dlopen_dlz_findzonedb(void *driverarg, void *dbdata, const char *name,
+		      dns_clientinfomethods_t *methods,
+		      dns_clientinfo_t *clientinfo) {
+	dlopen_data_t *cd = (dlopen_data_t *)dbdata;
+	isc_result_t result;
+
+	UNUSED(driverarg);
+
+	MAYBE_LOCK(cd);
+	result = cd->dlz_findzonedb(cd->dbdata, name, methods, clientinfo);
+	MAYBE_UNLOCK(cd);
+	return (result);
+}
+
+static isc_result_t
+dlopen_dlz_lookup(const char *zone, const char *name, void *driverarg,
+		  void *dbdata, dns_sdlzlookup_t *lookup,
+		  dns_clientinfomethods_t *methods,
+		  dns_clientinfo_t *clientinfo) {
+	dlopen_data_t *cd = (dlopen_data_t *)dbdata;
+	isc_result_t result;
+
+	UNUSED(driverarg);
+
+	MAYBE_LOCK(cd);
+	result = cd->dlz_lookup(zone, name, cd->dbdata, lookup, methods,
+				clientinfo);
+	MAYBE_UNLOCK(cd);
+	return (result);
+}
+
+/*
+ * Load a symbol from the library
+ */
+static void *
+dl_load_symbol(dlopen_data_t *cd, const char *symbol, bool mandatory) {
+	void *ptr = dlsym(cd->dl_handle, symbol);
+	if (ptr == NULL && mandatory) {
+		dlopen_log(ISC_LOG_ERROR,
+			   "dlz_dlopen: library '%s' is missing "
+			   "required symbol '%s'",
+			   cd->dl_path, symbol);
+	}
+	return (ptr);
+}
+
+/*
+ * Called at startup for each dlopen zone in named.conf
+ */
+static isc_result_t
+dlopen_dlz_create(const char *dlzname, unsigned int argc, char *argv[],
+		  void *driverarg, void **dbdata) {
+	dlopen_data_t *cd;
+	isc_mem_t *mctx = NULL;
+	isc_result_t result = ISC_R_FAILURE;
+	int dlopen_flags = 0;
+
+	UNUSED(driverarg);
+
+	if (argc < 2) {
+		dlopen_log(ISC_LOG_ERROR,
+			   "dlz_dlopen driver for '%s' needs a path to "
+			   "the shared library",
+			   dlzname);
+		return (ISC_R_FAILURE);
+	}
+
+	isc_mem_create(&mctx);
+
+	cd = isc_mem_get(mctx, sizeof(*cd));
+	memset(cd, 0, sizeof(*cd));
+
+	cd->mctx = mctx;
+
+	cd->dl_path = isc_mem_strdup(cd->mctx, argv[1]);
+
+	cd->dlzname = isc_mem_strdup(cd->mctx, dlzname);
+
+	/* Initialize the lock */
+	isc_mutex_init(&cd->lock);
+
+	/* Open the library */
+	dlopen_flags = RTLD_NOW | RTLD_GLOBAL;
+
+#if defined(RTLD_DEEPBIND) && !__SANITIZE_ADDRESS__ && !__SANITIZE_THREAD__
+	/*
+	 * If RTLD_DEEPBIND is available then use it. This can avoid
+	 * issues with a module using a different version of a system
+	 * library than one that bind9 uses. For example, bind9 may link
+	 * to MIT kerberos, but the module may use Heimdal. If we don't
+	 * use RTLD_DEEPBIND then we could end up with Heimdal functions
+	 * calling MIT functions, which leads to bizarre results (usually
+	 * a segfault).
+	 */
+	dlopen_flags |= RTLD_DEEPBIND;
+#endif /* if defined(RTLD_DEEPBIND) && !__SANITIZE_ADDRESS__ && \
+	  !__SANITIZE_THREAD__ */
+
+	cd->dl_handle = dlopen(cd->dl_path, dlopen_flags);
+	if (cd->dl_handle == NULL) {
+		dlopen_log(ISC_LOG_ERROR,
+			   "dlz_dlopen failed to open library '%s' - %s",
+			   cd->dl_path, dlerror());
+		result = ISC_R_FAILURE;
+		goto failed;
+	}
+
+	/* Find the symbols */
+	cd->dlz_version =
+		(dlz_dlopen_version_t *)dl_load_symbol(cd, "dlz_version", true);
+	cd->dlz_create = (dlz_dlopen_create_t *)dl_load_symbol(cd, "dlz_create",
+							       true);
+	cd->dlz_lookup = (dlz_dlopen_lookup_t *)dl_load_symbol(cd, "dlz_lookup",
+							       true);
+	cd->dlz_findzonedb = (dlz_dlopen_findzonedb_t *)dl_load_symbol(
+		cd, "dlz_findzonedb", true);
+
+	if (cd->dlz_create == NULL || cd->dlz_version == NULL ||
+	    cd->dlz_lookup == NULL || cd->dlz_findzonedb == NULL)
+	{
+		/* We're missing a required symbol */
+		result = ISC_R_FAILURE;
+		goto failed;
+	}
+
+	cd->dlz_allowzonexfr = (dlz_dlopen_allowzonexfr_t *)dl_load_symbol(
+		cd, "dlz_allowzonexfr", false);
+	cd->dlz_allnodes = (dlz_dlopen_allnodes_t *)dl_load_symbol(
+		cd, "dlz_allnodes", (cd->dlz_allowzonexfr != NULL));
+	cd->dlz_authority = (dlz_dlopen_authority_t *)dl_load_symbol(
+		cd, "dlz_authority", false);
+	cd->dlz_newversion = (dlz_dlopen_newversion_t *)dl_load_symbol(
+		cd, "dlz_newversion", false);
+	cd->dlz_closeversion = (dlz_dlopen_closeversion_t *)dl_load_symbol(
+		cd, "dlz_closeversion", (cd->dlz_newversion != NULL));
+	cd->dlz_configure = (dlz_dlopen_configure_t *)dl_load_symbol(
+		cd, "dlz_configure", false);
+	cd->dlz_ssumatch = (dlz_dlopen_ssumatch_t *)dl_load_symbol(
+		cd, "dlz_ssumatch", false);
+	cd->dlz_addrdataset = (dlz_dlopen_addrdataset_t *)dl_load_symbol(
+		cd, "dlz_addrdataset", false);
+	cd->dlz_subrdataset = (dlz_dlopen_subrdataset_t *)dl_load_symbol(
+		cd, "dlz_subrdataset", false);
+	cd->dlz_delrdataset = (dlz_dlopen_delrdataset_t *)dl_load_symbol(
+		cd, "dlz_delrdataset", false);
+	cd->dlz_destroy = (dlz_dlopen_destroy_t *)dl_load_symbol(
+		cd, "dlz_destroy", false);
+
+	/* Check the version of the API is the same */
+	cd->version = cd->dlz_version(&cd->flags);
+	if (cd->version < (DLZ_DLOPEN_VERSION - DLZ_DLOPEN_AGE) ||
+	    cd->version > DLZ_DLOPEN_VERSION)
+	{
+		dlopen_log(ISC_LOG_ERROR,
+			   "dlz_dlopen: %s: incorrect driver API version %d, "
+			   "requires %d",
+			   cd->dl_path, cd->version, DLZ_DLOPEN_VERSION);
+		result = ISC_R_FAILURE;
+		goto failed;
+	}
+
+	/*
+	 * Call the library's create function. Note that this is an
+	 * extended version of dlz create, with the addition of
+	 * named function pointers for helper functions that the
+	 * driver will need. This avoids the need for the backend to
+	 * link the BIND9 libraries
+	 */
+	MAYBE_LOCK(cd);
+	result = cd->dlz_create(dlzname, argc - 1, argv + 1, &cd->dbdata, "log",
+				dlopen_log, "putrr", dns_sdlz_putrr,
+				"putnamedrr", dns_sdlz_putnamedrr,
+				"writeable_zone", dns_dlz_writeablezone, NULL);
+	MAYBE_UNLOCK(cd);
+	if (result != ISC_R_SUCCESS) {
+		goto failed;
+	}
+
+	*dbdata = cd;
+
+	return (ISC_R_SUCCESS);
+
+failed:
+	dlopen_log(ISC_LOG_ERROR, "dlz_dlopen of '%s' failed", dlzname);
+	if (cd->dl_path != NULL) {
+		isc_mem_free(mctx, cd->dl_path);
+	}
+	if (cd->dlzname != NULL) {
+		isc_mem_free(mctx, cd->dlzname);
+	}
+	if (dlopen_flags != 0) {
+		isc_mutex_destroy(&cd->lock);
+	}
+#ifdef HAVE_DLCLOSE
+	if (cd->dl_handle) {
+		dlclose(cd->dl_handle);
+	}
+#endif /* ifdef HAVE_DLCLOSE */
+	isc_mem_put(mctx, cd, sizeof(*cd));
+	isc_mem_destroy(&mctx);
+	return (result);
+}
+
+/*
+ * Called when bind is shutting down
+ */
+static void
+dlopen_dlz_destroy(void *driverarg, void *dbdata) {
+	dlopen_data_t *cd = (dlopen_data_t *)dbdata;
+	isc_mem_t *mctx;
+
+	UNUSED(driverarg);
+
+	if (cd->dlz_destroy) {
+		MAYBE_LOCK(cd);
+		cd->dlz_destroy(cd->dbdata);
+		MAYBE_UNLOCK(cd);
+	}
+
+	if (cd->dl_path) {
+		isc_mem_free(cd->mctx, cd->dl_path);
+	}
+	if (cd->dlzname) {
+		isc_mem_free(cd->mctx, cd->dlzname);
+	}
+
+#ifdef HAVE_DLCLOSE
+	if (cd->dl_handle) {
+		dlclose(cd->dl_handle);
+	}
+#endif /* ifdef HAVE_DLCLOSE */
+
+	isc_mutex_destroy(&cd->lock);
+
+	mctx = cd->mctx;
+	isc_mem_put(mctx, cd, sizeof(*cd));
+	isc_mem_destroy(&mctx);
+}
+
+/*
+ * Called to start a transaction
+ */
+static isc_result_t
+dlopen_dlz_newversion(const char *zone, void *driverarg, void *dbdata,
+		      void **versionp) {
+	dlopen_data_t *cd = (dlopen_data_t *)dbdata;
+	isc_result_t result;
+
+	UNUSED(driverarg);
+
+	if (cd->dlz_newversion == NULL) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	MAYBE_LOCK(cd);
+	result = cd->dlz_newversion(zone, cd->dbdata, versionp);
+	MAYBE_UNLOCK(cd);
+	return (result);
+}
+
+/*
+ * Called to end a transaction
+ */
+static void
+dlopen_dlz_closeversion(const char *zone, bool commit, void *driverarg,
+			void *dbdata, void **versionp) {
+	dlopen_data_t *cd = (dlopen_data_t *)dbdata;
+
+	UNUSED(driverarg);
+
+	if (cd->dlz_newversion == NULL) {
+		*versionp = NULL;
+		return;
+	}
+
+	MAYBE_LOCK(cd);
+	cd->dlz_closeversion(zone, commit, cd->dbdata, versionp);
+	MAYBE_UNLOCK(cd);
+}
+
+/*
+ * Called on startup to configure any writeable zones
+ */
+static isc_result_t
+dlopen_dlz_configure(dns_view_t *view, dns_dlzdb_t *dlzdb, void *driverarg,
+		     void *dbdata) {
+	dlopen_data_t *cd = (dlopen_data_t *)dbdata;
+	isc_result_t result;
+
+	UNUSED(driverarg);
+
+	if (cd->dlz_configure == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+
+	MAYBE_LOCK(cd);
+	cd->in_configure = true;
+	result = cd->dlz_configure(view, dlzdb, cd->dbdata);
+	cd->in_configure = false;
+	MAYBE_UNLOCK(cd);
+
+	return (result);
+}
+
+/*
+ * Check for authority to change a name.
+ */
+static bool
+dlopen_dlz_ssumatch(const char *signer, const char *name, const char *tcpaddr,
+		    const char *type, const char *key, uint32_t keydatalen,
+		    unsigned char *keydata, void *driverarg, void *dbdata) {
+	dlopen_data_t *cd = (dlopen_data_t *)dbdata;
+	bool ret;
+
+	UNUSED(driverarg);
+
+	if (cd->dlz_ssumatch == NULL) {
+		return (false);
+	}
+
+	MAYBE_LOCK(cd);
+	ret = cd->dlz_ssumatch(signer, name, tcpaddr, type, key, keydatalen,
+			       keydata, cd->dbdata);
+	MAYBE_UNLOCK(cd);
+
+	return (ret);
+}
+
+/*
+ * Add an rdataset.
+ */
+static isc_result_t
+dlopen_dlz_addrdataset(const char *name, const char *rdatastr, void *driverarg,
+		       void *dbdata, void *version) {
+	dlopen_data_t *cd = (dlopen_data_t *)dbdata;
+	isc_result_t result;
+
+	UNUSED(driverarg);
+
+	if (cd->dlz_addrdataset == NULL) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	MAYBE_LOCK(cd);
+	result = cd->dlz_addrdataset(name, rdatastr, cd->dbdata, version);
+	MAYBE_UNLOCK(cd);
+
+	return (result);
+}
+
+/*
+ * Subtract an rdataset.
+ */
+static isc_result_t
+dlopen_dlz_subrdataset(const char *name, const char *rdatastr, void *driverarg,
+		       void *dbdata, void *version) {
+	dlopen_data_t *cd = (dlopen_data_t *)dbdata;
+	isc_result_t result;
+
+	UNUSED(driverarg);
+
+	if (cd->dlz_subrdataset == NULL) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	MAYBE_LOCK(cd);
+	result = cd->dlz_subrdataset(name, rdatastr, cd->dbdata, version);
+	MAYBE_UNLOCK(cd);
+
+	return (result);
+}
+
+/*
+ * Delete a rdataset.
+ */
+static isc_result_t
+dlopen_dlz_delrdataset(const char *name, const char *type, void *driverarg,
+		       void *dbdata, void *version) {
+	dlopen_data_t *cd = (dlopen_data_t *)dbdata;
+	isc_result_t result;
+
+	UNUSED(driverarg);
+
+	if (cd->dlz_delrdataset == NULL) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	MAYBE_LOCK(cd);
+	result = cd->dlz_delrdataset(name, type, cd->dbdata, version);
+	MAYBE_UNLOCK(cd);
+
+	return (result);
+}
+
+static dns_sdlzmethods_t dlz_dlopen_methods = {
+	dlopen_dlz_create,	 dlopen_dlz_destroy,	dlopen_dlz_findzonedb,
+	dlopen_dlz_lookup,	 dlopen_dlz_authority,	dlopen_dlz_allnodes,
+	dlopen_dlz_allowzonexfr, dlopen_dlz_newversion, dlopen_dlz_closeversion,
+	dlopen_dlz_configure,	 dlopen_dlz_ssumatch,	dlopen_dlz_addrdataset,
+	dlopen_dlz_subrdataset,	 dlopen_dlz_delrdataset
+};
+#endif /* ifdef ISC_DLZ_DLOPEN */
+
+/*
+ * Register driver with BIND
+ */
+isc_result_t
+dlz_dlopen_init(isc_mem_t *mctx) {
+#ifndef ISC_DLZ_DLOPEN
+	UNUSED(mctx);
+	return (ISC_R_NOTIMPLEMENTED);
+#else  /* ifndef ISC_DLZ_DLOPEN */
+	isc_result_t result;
+
+	dlopen_log(2, "Registering DLZ_dlopen driver");
+
+	result = dns_sdlzregister("dlopen", &dlz_dlopen_methods, NULL,
+				  DNS_SDLZFLAG_RELATIVEOWNER |
+					  DNS_SDLZFLAG_RELATIVERDATA |
+					  DNS_SDLZFLAG_THREADSAFE,
+				  mctx, &dlz_dlopen);
+
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "dns_sdlzregister() failed: %s",
+				 isc_result_totext(result));
+		result = ISC_R_UNEXPECTED;
+	}
+
+	return (result);
+#endif /* ifndef ISC_DLZ_DLOPEN */
+}
+
+/*
+ * Unregister the driver
+ */
+void
+dlz_dlopen_clear(void) {
+#ifdef ISC_DLZ_DLOPEN
+	dlopen_log(2, "Unregistering DLZ_dlopen driver");
+	if (dlz_dlopen != NULL) {
+		dns_sdlzunregister(&dlz_dlopen);
+	}
+#endif /* ifdef ISC_DLZ_DLOPEN */
+}
diff --git a/bin/named/unix/include/.clang-format b/bin/named/unix/include/.clang-format
new file mode 120000
index 0000000..e919bba
--- /dev/null
+++ b/bin/named/unix/include/.clang-format
@@ -0,0 +1 @@
+../../../../.clang-format.headers
\ No newline at end of file
diff --git a/bin/named/unix/include/named/os.h b/bin/named/unix/include/named/os.h
new file mode 100644
index 0000000..7f167b1
--- /dev/null
+++ b/bin/named/unix/include/named/os.h
@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef NAMED_OS_H
+#define NAMED_OS_H 1
+
+/*! \file */
+
+#include <pwd.h>
+#include <stdbool.h>
+
+#include <isc/types.h>
+
+void
+named_os_init(const char *progname);
+
+void
+named_os_daemonize(void);
+
+void
+named_os_opendevnull(void);
+
+void
+named_os_closedevnull(void);
+
+void
+named_os_chroot(const char *root);
+
+void
+named_os_inituserinfo(const char *username);
+
+void
+named_os_changeuser(void);
+
+uid_t
+ns_os_uid(void);
+
+void
+named_os_adjustnofile(void);
+
+void
+named_os_minprivs(void);
+
+FILE *
+named_os_openfile(const char *filename, mode_t mode, bool switch_user);
+
+void
+named_os_writepidfile(const char *filename, bool first_time);
+
+bool
+named_os_issingleton(const char *filename);
+
+void
+named_os_shutdown(void);
+
+isc_result_t
+named_os_gethostname(char *buf, size_t len);
+
+void
+named_os_shutdownmsg(char *command, isc_buffer_t *text);
+
+void
+named_os_tzset(void);
+
+void
+named_os_started(void);
+
+const char *
+named_os_uname(void);
+
+#endif /* NAMED_OS_H */
diff --git a/bin/named/unix/os.c b/bin/named/unix/os.c
new file mode 100644
index 0000000..98c826c
--- /dev/null
+++ b/bin/named/unix/os.c
@@ -0,0 +1,940 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+#include <stdarg.h>
+#include <stdbool.h>
+#include <sys/stat.h>
+#include <sys/types.h> /* dev_t FreeBSD 2.1 */
+#ifdef HAVE_UNAME
+#include <sys/utsname.h>
+#endif /* ifdef HAVE_UNAME */
+
+#include <ctype.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <grp.h>
+#include <pwd.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <syslog.h>
+#ifdef HAVE_TZSET
+#include <time.h>
+#endif /* ifdef HAVE_TZSET */
+#include <unistd.h>
+
+#include <isc/buffer.h>
+#include <isc/file.h>
+#include <isc/print.h>
+#include <isc/resource.h>
+#include <isc/result.h>
+#include <isc/strerr.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <named/globals.h>
+#include <named/main.h>
+#include <named/os.h>
+#ifdef HAVE_LIBSCF
+#include <named/smf_globals.h>
+#endif /* ifdef HAVE_LIBSCF */
+
+static char *pidfile = NULL;
+static char *lockfile = NULL;
+static int devnullfd = -1;
+static int singletonfd = -1;
+
+#ifndef ISC_FACILITY
+#define ISC_FACILITY LOG_DAEMON
+#endif /* ifndef ISC_FACILITY */
+
+static struct passwd *runas_pw = NULL;
+static bool done_setuid = false;
+static int dfd[2] = { -1, -1 };
+
+#ifdef HAVE_SYS_CAPABILITY_H
+
+static bool non_root = false;
+static bool non_root_caps = false;
+
+#include <sys/capability.h>
+#include <sys/prctl.h>
+
+static void
+linux_setcaps(cap_t caps) {
+	char strbuf[ISC_STRERRORSIZE];
+
+	if ((getuid() != 0 && !non_root_caps) || non_root) {
+		return;
+	}
+	if (cap_set_proc(caps) < 0) {
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		named_main_earlyfatal("cap_set_proc() failed: %s:"
+				      " please ensure that the capset kernel"
+				      " module is loaded.  see insmod(8)",
+				      strbuf);
+	}
+}
+
+#define SET_CAP(flag)                                                         \
+	do {                                                                  \
+		cap_flag_value_t curval;                                      \
+		capval = (flag);                                              \
+		err = cap_get_flag(curcaps, capval, CAP_PERMITTED, &curval);  \
+		if (err != -1 && curval) {                                    \
+			err = cap_set_flag(caps, CAP_EFFECTIVE, 1, &capval,   \
+					   CAP_SET);                          \
+			if (err == -1) {                                      \
+				strerror_r(errno, strbuf, sizeof(strbuf));    \
+				named_main_earlyfatal("cap_set_proc failed: " \
+						      "%s",                   \
+						      strbuf);                \
+			}                                                     \
+                                                                              \
+			err = cap_set_flag(caps, CAP_PERMITTED, 1, &capval,   \
+					   CAP_SET);                          \
+			if (err == -1) {                                      \
+				strerror_r(errno, strbuf, sizeof(strbuf));    \
+				named_main_earlyfatal("cap_set_proc failed: " \
+						      "%s",                   \
+						      strbuf);                \
+			}                                                     \
+		}                                                             \
+	} while (0)
+#define INIT_CAP                                                              \
+	do {                                                                  \
+		caps = cap_init();                                            \
+		if (caps == NULL) {                                           \
+			strerror_r(errno, strbuf, sizeof(strbuf));            \
+			named_main_earlyfatal("cap_init failed: %s", strbuf); \
+		}                                                             \
+		curcaps = cap_get_proc();                                     \
+		if (curcaps == NULL) {                                        \
+			strerror_r(errno, strbuf, sizeof(strbuf));            \
+			named_main_earlyfatal("cap_get_proc failed: %s",      \
+					      strbuf);                        \
+		}                                                             \
+	} while (0)
+#define FREE_CAP                   \
+	{                          \
+		cap_free(caps);    \
+		cap_free(curcaps); \
+	}                          \
+	while (0)
+
+static void
+linux_initialprivs(void) {
+	cap_t caps;
+	cap_t curcaps;
+	cap_value_t capval;
+	char strbuf[ISC_STRERRORSIZE];
+	int err;
+
+	/*%
+	 * We don't need most privileges, so we drop them right away.
+	 * Later on linux_minprivs() will be called, which will drop our
+	 * capabilities to the minimum needed to run the server.
+	 */
+	INIT_CAP;
+
+	/*
+	 * We need to be able to bind() to privileged ports, notably port 53!
+	 */
+	SET_CAP(CAP_NET_BIND_SERVICE);
+
+	/*
+	 * We need chroot() initially too.
+	 */
+	SET_CAP(CAP_SYS_CHROOT);
+
+	/*
+	 * We need setuid() as the kernel supports keeping capabilities after
+	 * setuid().
+	 */
+	SET_CAP(CAP_SETUID);
+
+	/*
+	 * Since we call initgroups, we need this.
+	 */
+	SET_CAP(CAP_SETGID);
+
+	/*
+	 * Without this, we run into problems reading a configuration file
+	 * owned by a non-root user and non-world-readable on startup.
+	 */
+	SET_CAP(CAP_DAC_READ_SEARCH);
+
+	/*
+	 * XXX  We might want to add CAP_SYS_RESOURCE, though it's not
+	 *      clear it would work right given the way linuxthreads work.
+	 * XXXDCL But since we need to be able to set the maximum number
+	 * of files, the stack size, data size, and core dump size to
+	 * support named.conf options, this is now being added to test.
+	 */
+	SET_CAP(CAP_SYS_RESOURCE);
+
+	/*
+	 * We need to be able to set the ownership of the containing
+	 * directory of the pid file when we create it.
+	 */
+	SET_CAP(CAP_CHOWN);
+
+	linux_setcaps(caps);
+
+	FREE_CAP;
+}
+
+static void
+linux_minprivs(void) {
+	cap_t caps;
+	cap_t curcaps;
+	cap_value_t capval;
+	char strbuf[ISC_STRERRORSIZE];
+	int err;
+
+	INIT_CAP;
+	/*%
+	 * Drop all privileges except the ability to bind() to privileged
+	 * ports.
+	 *
+	 * It's important that we drop CAP_SYS_CHROOT.  If we didn't, it
+	 * chroot() could be used to escape from the chrooted area.
+	 */
+
+	SET_CAP(CAP_NET_BIND_SERVICE);
+
+	/*
+	 * XXX  We might want to add CAP_SYS_RESOURCE, though it's not
+	 *      clear it would work right given the way linuxthreads work.
+	 * XXXDCL But since we need to be able to set the maximum number
+	 * of files, the stack size, data size, and core dump size to
+	 * support named.conf options, this is now being added to test.
+	 */
+	SET_CAP(CAP_SYS_RESOURCE);
+
+	linux_setcaps(caps);
+
+	FREE_CAP;
+}
+
+static void
+linux_keepcaps(void) {
+	char strbuf[ISC_STRERRORSIZE];
+	/*%
+	 * Ask the kernel to allow us to keep our capabilities after we
+	 * setuid().
+	 */
+
+	if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) {
+		if (errno != EINVAL) {
+			strerror_r(errno, strbuf, sizeof(strbuf));
+			named_main_earlyfatal("prctl() failed: %s", strbuf);
+		}
+	} else {
+		non_root_caps = true;
+		if (getuid() != 0) {
+			non_root = true;
+		}
+	}
+}
+
+#endif /* HAVE_SYS_CAPABILITY_H */
+
+static void
+setup_syslog(const char *progname) {
+	int options;
+
+	options = LOG_PID;
+#ifdef LOG_NDELAY
+	options |= LOG_NDELAY;
+#endif /* ifdef LOG_NDELAY */
+	openlog(isc_file_basename(progname), options, ISC_FACILITY);
+}
+
+void
+named_os_init(const char *progname) {
+	setup_syslog(progname);
+#ifdef HAVE_SYS_CAPABILITY_H
+	linux_initialprivs();
+#endif /* ifdef HAVE_SYS_CAPABILITY_H */
+#ifdef SIGXFSZ
+	signal(SIGXFSZ, SIG_IGN);
+#endif /* ifdef SIGXFSZ */
+}
+
+void
+named_os_daemonize(void) {
+	pid_t pid;
+	char strbuf[ISC_STRERRORSIZE];
+
+	if (pipe(dfd) == -1) {
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		named_main_earlyfatal("pipe(): %s", strbuf);
+	}
+
+	pid = fork();
+	if (pid == -1) {
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		named_main_earlyfatal("fork(): %s", strbuf);
+	}
+	if (pid != 0) {
+		int n;
+		/*
+		 * Wait for the child to finish loading for the first time.
+		 * This would be so much simpler if fork() worked once we
+		 * were multi-threaded.
+		 */
+		(void)close(dfd[1]);
+		do {
+			char buf;
+			n = read(dfd[0], &buf, 1);
+			if (n == 1) {
+				_exit(0);
+			}
+		} while (n == -1 && errno == EINTR);
+		_exit(1);
+	}
+	(void)close(dfd[0]);
+
+	/*
+	 * We're the child.
+	 */
+
+	if (setsid() == -1) {
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		named_main_earlyfatal("setsid(): %s", strbuf);
+	}
+
+	/*
+	 * Try to set stdin, stdout, and stderr to /dev/null, but press
+	 * on even if it fails.
+	 *
+	 * XXXMLG The close() calls here are unneeded on all but NetBSD, but
+	 * are harmless to include everywhere.  dup2() is supposed to close
+	 * the FD if it is in use, but unproven-pthreads-0.16 is broken
+	 * and will end up closing the wrong FD.  This will be fixed eventually,
+	 * and these calls will be removed.
+	 */
+	if (devnullfd != -1) {
+		if (devnullfd != STDIN_FILENO) {
+			(void)close(STDIN_FILENO);
+			(void)dup2(devnullfd, STDIN_FILENO);
+		}
+		if (devnullfd != STDOUT_FILENO) {
+			(void)close(STDOUT_FILENO);
+			(void)dup2(devnullfd, STDOUT_FILENO);
+		}
+		if (devnullfd != STDERR_FILENO && !named_g_keepstderr) {
+			(void)close(STDERR_FILENO);
+			(void)dup2(devnullfd, STDERR_FILENO);
+		}
+	}
+}
+
+void
+named_os_started(void) {
+	char buf = 0;
+
+	/*
+	 * Signal to the parent that we started successfully.
+	 */
+	if (dfd[0] != -1 && dfd[1] != -1) {
+		if (write(dfd[1], &buf, 1) != 1) {
+			named_main_earlyfatal("unable to signal parent that we "
+					      "otherwise started "
+					      "successfully.");
+		}
+		close(dfd[1]);
+		dfd[0] = dfd[1] = -1;
+	}
+}
+
+void
+named_os_opendevnull(void) {
+	devnullfd = open("/dev/null", O_RDWR, 0);
+}
+
+void
+named_os_closedevnull(void) {
+	if (devnullfd != STDIN_FILENO && devnullfd != STDOUT_FILENO &&
+	    devnullfd != STDERR_FILENO)
+	{
+		close(devnullfd);
+		devnullfd = -1;
+	}
+}
+
+static bool
+all_digits(const char *s) {
+	if (*s == '\0') {
+		return (false);
+	}
+	while (*s != '\0') {
+		if (!isdigit((unsigned char)(*s))) {
+			return (false);
+		}
+		s++;
+	}
+	return (true);
+}
+
+void
+named_os_chroot(const char *root) {
+	char strbuf[ISC_STRERRORSIZE];
+#ifdef HAVE_LIBSCF
+	named_smf_chroot = 0;
+#endif /* ifdef HAVE_LIBSCF */
+	if (root != NULL) {
+#ifdef HAVE_CHROOT
+		if (chroot(root) < 0) {
+			strerror_r(errno, strbuf, sizeof(strbuf));
+			named_main_earlyfatal("chroot(): %s", strbuf);
+		}
+#else  /* ifdef HAVE_CHROOT */
+		named_main_earlyfatal("chroot(): disabled");
+#endif /* ifdef HAVE_CHROOT */
+		if (chdir("/") < 0) {
+			strerror_r(errno, strbuf, sizeof(strbuf));
+			named_main_earlyfatal("chdir(/): %s", strbuf);
+		}
+#ifdef HAVE_LIBSCF
+		/* Set named_smf_chroot flag on successful chroot. */
+		named_smf_chroot = 1;
+#endif /* ifdef HAVE_LIBSCF */
+	}
+}
+
+void
+named_os_inituserinfo(const char *username) {
+	if (username == NULL) {
+		return;
+	}
+
+	if (all_digits(username)) {
+		runas_pw = getpwuid((uid_t)atoi(username));
+	} else {
+		runas_pw = getpwnam(username);
+	}
+	endpwent();
+
+	if (runas_pw == NULL) {
+		named_main_earlyfatal("user '%s' unknown", username);
+	}
+
+	if (getuid() == 0) {
+		char strbuf[ISC_STRERRORSIZE];
+		if (initgroups(runas_pw->pw_name, runas_pw->pw_gid) < 0) {
+			strerror_r(errno, strbuf, sizeof(strbuf));
+			named_main_earlyfatal("initgroups(): %s", strbuf);
+		}
+	}
+}
+
+void
+named_os_changeuser(void) {
+	char strbuf[ISC_STRERRORSIZE];
+	if (runas_pw == NULL || done_setuid) {
+		return;
+	}
+
+	done_setuid = true;
+
+	if (setgid(runas_pw->pw_gid) < 0) {
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		named_main_earlyfatal("setgid(): %s", strbuf);
+	}
+
+	if (setuid(runas_pw->pw_uid) < 0) {
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		named_main_earlyfatal("setuid(): %s", strbuf);
+	}
+
+#if defined(HAVE_SYS_CAPABILITY_H)
+	/*
+	 * Restore the ability of named to drop core after the setuid()
+	 * call has disabled it.
+	 */
+	if (prctl(PR_SET_DUMPABLE, 1, 0, 0, 0) < 0) {
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		named_main_earlywarning("prctl(PR_SET_DUMPABLE) failed: %s",
+					strbuf);
+	}
+
+	linux_minprivs();
+#endif /* if defined(HAVE_SYS_CAPABILITY_H) */
+}
+
+uid_t
+ns_os_uid(void) {
+	if (runas_pw == NULL) {
+		return (0);
+	}
+	return (runas_pw->pw_uid);
+}
+
+void
+named_os_adjustnofile(void) {
+#if defined(__linux__) || defined(__sun)
+	isc_result_t result;
+	isc_resourcevalue_t newvalue;
+
+	/*
+	 * Linux: max number of open files specified by one thread doesn't seem
+	 * to apply to other threads on Linux.
+	 * Sun: restriction needs to be removed sooner when hundreds of CPUs
+	 * are available.
+	 */
+	newvalue = ISC_RESOURCE_UNLIMITED;
+
+	result = isc_resource_setlimit(isc_resource_openfiles, newvalue);
+	if (result != ISC_R_SUCCESS) {
+		named_main_earlywarning("couldn't adjust limit on open files");
+	}
+#endif /* if defined(__linux__) || defined(__sun) */
+}
+
+void
+named_os_minprivs(void) {
+#if defined(HAVE_SYS_CAPABILITY_H)
+	linux_keepcaps();
+	named_os_changeuser();
+	linux_minprivs();
+#endif /* if defined(HAVE_SYS_CAPABILITY_H) */
+}
+
+static int
+safe_open(const char *filename, mode_t mode, bool append) {
+	int fd;
+	struct stat sb;
+
+	if (stat(filename, &sb) == -1) {
+		if (errno != ENOENT) {
+			return (-1);
+		}
+	} else if ((sb.st_mode & S_IFREG) == 0) {
+		errno = EOPNOTSUPP;
+		return (-1);
+	}
+
+	if (append) {
+		fd = open(filename, O_WRONLY | O_CREAT | O_APPEND, mode);
+	} else {
+		if (unlink(filename) < 0 && errno != ENOENT) {
+			return (-1);
+		}
+		fd = open(filename, O_WRONLY | O_CREAT | O_EXCL, mode);
+	}
+	return (fd);
+}
+
+static void
+cleanup_pidfile(void) {
+	int n;
+	if (pidfile != NULL) {
+		n = unlink(pidfile);
+		if (n == -1 && errno != ENOENT) {
+			named_main_earlywarning("unlink '%s': failed", pidfile);
+		}
+		free(pidfile);
+	}
+	pidfile = NULL;
+}
+
+static void
+cleanup_lockfile(void) {
+	if (singletonfd != -1) {
+		close(singletonfd);
+		singletonfd = -1;
+	}
+
+	if (lockfile != NULL) {
+		int n = unlink(lockfile);
+		if (n == -1 && errno != ENOENT) {
+			named_main_earlywarning("unlink '%s': failed",
+						lockfile);
+		}
+		free(lockfile);
+		lockfile = NULL;
+	}
+}
+
+/*
+ * Ensure that a directory exists.
+ * NOTE: This function overwrites the '/' characters in 'filename' with
+ * nulls. The caller should copy the filename to a fresh buffer first.
+ */
+static int
+mkdirpath(char *filename, void (*report)(const char *, ...)) {
+	char *slash = strrchr(filename, '/');
+	char strbuf[ISC_STRERRORSIZE];
+	unsigned int mode;
+
+	if (slash != NULL && slash != filename) {
+		struct stat sb;
+		*slash = '\0';
+
+		if (stat(filename, &sb) == -1) {
+			if (errno != ENOENT) {
+				strerror_r(errno, strbuf, sizeof(strbuf));
+				(*report)("couldn't stat '%s': %s", filename,
+					  strbuf);
+				goto error;
+			}
+			if (mkdirpath(filename, report) == -1) {
+				goto error;
+			}
+			/*
+			 * Handle "//", "/./" and "/../" in path.
+			 */
+			if (!strcmp(slash + 1, "") || !strcmp(slash + 1, ".") ||
+			    !strcmp(slash + 1, ".."))
+			{
+				*slash = '/';
+				return (0);
+			}
+			mode = S_IRUSR | S_IWUSR | S_IXUSR; /* u=rwx */
+			mode |= S_IRGRP | S_IXGRP;	    /* g=rx */
+			mode |= S_IROTH | S_IXOTH;	    /* o=rx */
+			if (mkdir(filename, mode) == -1) {
+				strerror_r(errno, strbuf, sizeof(strbuf));
+				(*report)("couldn't mkdir '%s': %s", filename,
+					  strbuf);
+				goto error;
+			}
+			if (runas_pw != NULL &&
+			    chown(filename, runas_pw->pw_uid,
+				  runas_pw->pw_gid) == -1)
+			{
+				strerror_r(errno, strbuf, sizeof(strbuf));
+				(*report)("couldn't chown '%s': %s", filename,
+					  strbuf);
+			}
+		}
+		*slash = '/';
+	}
+	return (0);
+
+error:
+	*slash = '/';
+	return (-1);
+}
+
+#if !HAVE_SYS_CAPABILITY_H
+static void
+setperms(uid_t uid, gid_t gid) {
+#if defined(HAVE_SETEGID) || defined(HAVE_SETRESGID)
+	char strbuf[ISC_STRERRORSIZE];
+#endif /* if defined(HAVE_SETEGID) || defined(HAVE_SETRESGID) */
+#if !defined(HAVE_SETEGID) && defined(HAVE_SETRESGID)
+	gid_t oldgid, tmpg;
+#endif /* if !defined(HAVE_SETEGID) && defined(HAVE_SETRESGID) */
+#if !defined(HAVE_SETEUID) && defined(HAVE_SETRESUID)
+	uid_t olduid, tmpu;
+#endif /* if !defined(HAVE_SETEUID) && defined(HAVE_SETRESUID) */
+#if defined(HAVE_SETEGID)
+	if (getegid() != gid && setegid(gid) == -1) {
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		named_main_earlywarning("unable to set effective "
+					"gid to %ld: %s",
+					(long)gid, strbuf);
+	}
+#elif defined(HAVE_SETRESGID)
+	if (getresgid(&tmpg, &oldgid, &tmpg) == -1 || oldgid != gid) {
+		if (setresgid(-1, gid, -1) == -1) {
+			strerror_r(errno, strbuf, sizeof(strbuf));
+			named_main_earlywarning("unable to set effective "
+						"gid to %d: %s",
+						gid, strbuf);
+		}
+	}
+#endif /* if defined(HAVE_SETEGID) */
+
+#if defined(HAVE_SETEUID)
+	if (geteuid() != uid && seteuid(uid) == -1) {
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		named_main_earlywarning("unable to set effective "
+					"uid to %ld: %s",
+					(long)uid, strbuf);
+	}
+#elif defined(HAVE_SETRESUID)
+	if (getresuid(&tmpu, &olduid, &tmpu) == -1 || olduid != uid) {
+		if (setresuid(-1, uid, -1) == -1) {
+			strerror_r(errno, strbuf, sizeof(strbuf));
+			named_main_earlywarning("unable to set effective "
+						"uid to %d: %s",
+						uid, strbuf);
+		}
+	}
+#endif /* if defined(HAVE_SETEUID) */
+}
+#endif /* HAVE_SYS_CAPABILITY_H */
+
+FILE *
+named_os_openfile(const char *filename, mode_t mode, bool switch_user) {
+	char strbuf[ISC_STRERRORSIZE], *f;
+	FILE *fp;
+	int fd;
+
+	/*
+	 * Make the containing directory if it doesn't exist.
+	 */
+	f = strdup(filename);
+	if (f == NULL) {
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		named_main_earlywarning("couldn't strdup() '%s': %s", filename,
+					strbuf);
+		return (NULL);
+	}
+	if (mkdirpath(f, named_main_earlywarning) == -1) {
+		free(f);
+		return (NULL);
+	}
+	free(f);
+
+	if (switch_user && runas_pw != NULL) {
+		uid_t olduid = getuid();
+		gid_t oldgid = getgid();
+#if HAVE_SYS_CAPABILITY_H
+		REQUIRE(olduid == runas_pw->pw_uid);
+		REQUIRE(oldgid == runas_pw->pw_gid);
+#else /* HAVE_SYS_CAPABILITY_H */
+		/* Set UID/GID to the one we'll be running with eventually */
+		setperms(runas_pw->pw_uid, runas_pw->pw_gid);
+#endif
+		fd = safe_open(filename, mode, false);
+
+#if !HAVE_SYS_CAPABILITY_H
+		/* Restore UID/GID to previous uid/gid */
+		setperms(olduid, oldgid);
+#endif
+
+		if (fd == -1) {
+			fd = safe_open(filename, mode, false);
+			if (fd != -1) {
+				named_main_earlywarning("Required root "
+							"permissions to open "
+							"'%s'.",
+							filename);
+			} else {
+				named_main_earlywarning("Could not open "
+							"'%s'.",
+							filename);
+			}
+			named_main_earlywarning("Please check file and "
+						"directory permissions "
+						"or reconfigure the filename.");
+		}
+	} else {
+		fd = safe_open(filename, mode, false);
+	}
+
+	if (fd < 0) {
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		named_main_earlywarning("could not open file '%s': %s",
+					filename, strbuf);
+		return (NULL);
+	}
+
+	fp = fdopen(fd, "w");
+	if (fp == NULL) {
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		named_main_earlywarning("could not fdopen() file '%s': %s",
+					filename, strbuf);
+	}
+
+	return (fp);
+}
+
+void
+named_os_writepidfile(const char *filename, bool first_time) {
+	FILE *fh;
+	pid_t pid;
+	char strbuf[ISC_STRERRORSIZE];
+	void (*report)(const char *, ...);
+
+	/*
+	 * The caller must ensure any required synchronization.
+	 */
+
+	report = first_time ? named_main_earlyfatal : named_main_earlywarning;
+
+	cleanup_pidfile();
+
+	if (filename == NULL) {
+		return;
+	}
+
+	pidfile = strdup(filename);
+	if (pidfile == NULL) {
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		(*report)("couldn't strdup() '%s': %s", filename, strbuf);
+		return;
+	}
+
+	fh = named_os_openfile(filename, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH,
+			       first_time);
+	if (fh == NULL) {
+		cleanup_pidfile();
+		return;
+	}
+	pid = getpid();
+	if (fprintf(fh, "%ld\n", (long)pid) < 0) {
+		(*report)("fprintf() to pid file '%s' failed", filename);
+		(void)fclose(fh);
+		cleanup_pidfile();
+		return;
+	}
+	if (fflush(fh) == EOF) {
+		(*report)("fflush() to pid file '%s' failed", filename);
+		(void)fclose(fh);
+		cleanup_pidfile();
+		return;
+	}
+	(void)fclose(fh);
+}
+
+bool
+named_os_issingleton(const char *filename) {
+	char strbuf[ISC_STRERRORSIZE];
+	struct flock lock;
+
+	if (singletonfd != -1) {
+		return (true);
+	}
+
+	if (strcasecmp(filename, "none") == 0) {
+		return (true);
+	}
+
+	/*
+	 * Make the containing directory if it doesn't exist.
+	 */
+	lockfile = strdup(filename);
+	if (lockfile == NULL) {
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		named_main_earlyfatal("couldn't allocate memory for '%s': %s",
+				      filename, strbuf);
+	} else {
+		int ret = mkdirpath(lockfile, named_main_earlywarning);
+		if (ret == -1) {
+			named_main_earlywarning("couldn't create '%s'",
+						filename);
+			cleanup_lockfile();
+			return (false);
+		}
+	}
+
+	/*
+	 * named_os_openfile() uses safeopen() which removes any existing
+	 * files. We can't use that here.
+	 */
+	singletonfd = open(filename, O_WRONLY | O_CREAT,
+			   S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+	if (singletonfd == -1) {
+		cleanup_lockfile();
+		return (false);
+	}
+
+	memset(&lock, 0, sizeof(lock));
+	lock.l_type = F_WRLCK;
+	lock.l_whence = SEEK_SET;
+	lock.l_start = 0;
+	lock.l_len = 1;
+
+	/* Non-blocking (does not wait for lock) */
+	if (fcntl(singletonfd, F_SETLK, &lock) == -1) {
+		close(singletonfd);
+		singletonfd = -1;
+		return (false);
+	}
+
+	return (true);
+}
+
+void
+named_os_shutdown(void) {
+	closelog();
+	cleanup_pidfile();
+	cleanup_lockfile();
+}
+
+isc_result_t
+named_os_gethostname(char *buf, size_t len) {
+	int n;
+
+	n = gethostname(buf, len);
+	return ((n == 0) ? ISC_R_SUCCESS : ISC_R_FAILURE);
+}
+
+void
+named_os_shutdownmsg(char *command, isc_buffer_t *text) {
+	char *last, *ptr;
+	pid_t pid;
+
+	/* Skip the command name. */
+	if (strtok_r(command, " \t", &last) == NULL) {
+		return;
+	}
+
+	if ((ptr = strtok_r(NULL, " \t", &last)) == NULL) {
+		return;
+	}
+
+	if (strcmp(ptr, "-p") != 0) {
+		return;
+	}
+
+	pid = getpid();
+
+	(void)isc_buffer_printf(text, "pid: %ld", (long)pid);
+}
+
+void
+named_os_tzset(void) {
+#ifdef HAVE_TZSET
+	tzset();
+#endif /* ifdef HAVE_TZSET */
+}
+
+#ifdef HAVE_UNAME
+static char unamebuf[sizeof(struct utsname)];
+#else
+static const char unamebuf[] = { "unknown architecture" };
+#endif
+static const char *unamep = NULL;
+
+static void
+getuname(void) {
+#ifdef HAVE_UNAME
+	struct utsname uts;
+
+	memset(&uts, 0, sizeof(uts));
+	if (uname(&uts) < 0) {
+		snprintf(unamebuf, sizeof(unamebuf), "unknown architecture");
+		return;
+	}
+
+	snprintf(unamebuf, sizeof(unamebuf), "%s %s %s %s", uts.sysname,
+		 uts.machine, uts.release, uts.version);
+#endif /* ifdef HAVE_UNAME */
+	unamep = unamebuf;
+}
+
+const char *
+named_os_uname(void) {
+	if (unamep == NULL) {
+		getuname();
+	}
+	return (unamep);
+}
diff --git a/bin/named/win32/dlz_dlopen_driver.c b/bin/named/win32/dlz_dlopen_driver.c
new file mode 100644
index 0000000..7e41e9c
--- /dev/null
+++ b/bin/named/win32/dlz_dlopen_driver.c
@@ -0,0 +1,578 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <windows.h>
+
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/util.h>
+
+#include <dns/dlz_dlopen.h>
+#include <dns/log.h>
+#include <dns/result.h>
+
+#include <dlz/dlz_dlopen_driver.h>
+#include <named/globals.h>
+
+#ifdef ISC_DLZ_DLOPEN
+static dns_sdlzimplementation_t *dlz_dlopen = NULL;
+
+typedef struct dlopen_data {
+	isc_mem_t *mctx;
+	char *dl_path;
+	char *dlzname;
+	HMODULE dl_handle;
+	void *dbdata;
+	unsigned int flags;
+	isc_mutex_t lock;
+	int version;
+	bool in_configure;
+
+	dlz_dlopen_version_t *dlz_version;
+	dlz_dlopen_create_t *dlz_create;
+	dlz_dlopen_findzonedb_t *dlz_findzonedb;
+	dlz_dlopen_lookup_t *dlz_lookup;
+	dlz_dlopen_authority_t *dlz_authority;
+	dlz_dlopen_allnodes_t *dlz_allnodes;
+	dlz_dlopen_allowzonexfr_t *dlz_allowzonexfr;
+	dlz_dlopen_newversion_t *dlz_newversion;
+	dlz_dlopen_closeversion_t *dlz_closeversion;
+	dlz_dlopen_configure_t *dlz_configure;
+	dlz_dlopen_ssumatch_t *dlz_ssumatch;
+	dlz_dlopen_addrdataset_t *dlz_addrdataset;
+	dlz_dlopen_subrdataset_t *dlz_subrdataset;
+	dlz_dlopen_delrdataset_t *dlz_delrdataset;
+	dlz_dlopen_destroy_t *dlz_destroy;
+} dlopen_data_t;
+
+/* Modules can choose whether they are lock-safe or not. */
+#define MAYBE_LOCK(cd)                                            \
+	do {                                                      \
+		if ((cd->flags & DNS_SDLZFLAG_THREADSAFE) == 0 && \
+		    !cd->in_configure)                            \
+			LOCK(&cd->lock);                          \
+	} while (0)
+
+#define MAYBE_UNLOCK(cd)                                          \
+	do {                                                      \
+		if ((cd->flags & DNS_SDLZFLAG_THREADSAFE) == 0 && \
+		    !cd->in_configure)                            \
+			UNLOCK(&cd->lock);                        \
+	} while (0)
+
+/*
+ * Log a message at the given level.
+ */
+static void
+dlopen_log(int level, const char *fmt, ...) {
+	va_list ap;
+	va_start(ap, fmt);
+	isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ,
+		       ISC_LOG_DEBUG(level), fmt, ap);
+	va_end(ap);
+}
+
+/*
+ * SDLZ methods
+ */
+
+static isc_result_t
+dlopen_dlz_allnodes(const char *zone, void *driverarg, void *dbdata,
+		    dns_sdlzallnodes_t *allnodes) {
+	dlopen_data_t *cd = (dlopen_data_t *)dbdata;
+	isc_result_t result;
+
+	UNUSED(driverarg);
+
+	if (cd->dlz_allnodes == NULL) {
+		return (ISC_R_NOPERM);
+	}
+
+	MAYBE_LOCK(cd);
+	result = cd->dlz_allnodes(zone, cd->dbdata, allnodes);
+	MAYBE_UNLOCK(cd);
+	return (result);
+}
+
+static isc_result_t
+dlopen_dlz_allowzonexfr(void *driverarg, void *dbdata, const char *name,
+			const char *client) {
+	dlopen_data_t *cd = (dlopen_data_t *)dbdata;
+	isc_result_t result;
+
+	UNUSED(driverarg);
+
+	if (cd->dlz_allowzonexfr == NULL) {
+		return (ISC_R_NOPERM);
+	}
+
+	MAYBE_LOCK(cd);
+	result = cd->dlz_allowzonexfr(cd->dbdata, name, client);
+	MAYBE_UNLOCK(cd);
+	return (result);
+}
+
+static isc_result_t
+dlopen_dlz_authority(const char *zone, void *driverarg, void *dbdata,
+		     dns_sdlzlookup_t *lookup) {
+	dlopen_data_t *cd = (dlopen_data_t *)dbdata;
+	isc_result_t result;
+
+	UNUSED(driverarg);
+
+	if (cd->dlz_authority == NULL) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	MAYBE_LOCK(cd);
+	result = cd->dlz_authority(zone, cd->dbdata, lookup);
+	MAYBE_UNLOCK(cd);
+	return (result);
+}
+
+static isc_result_t
+dlopen_dlz_findzonedb(void *driverarg, void *dbdata, const char *name,
+		      dns_clientinfomethods_t *methods,
+		      dns_clientinfo_t *clientinfo) {
+	dlopen_data_t *cd = (dlopen_data_t *)dbdata;
+	isc_result_t result;
+
+	UNUSED(driverarg);
+
+	MAYBE_LOCK(cd);
+	result = cd->dlz_findzonedb(cd->dbdata, name, methods, clientinfo);
+	MAYBE_UNLOCK(cd);
+	return (result);
+}
+
+static isc_result_t
+dlopen_dlz_lookup(const char *zone, const char *name, void *driverarg,
+		  void *dbdata, dns_sdlzlookup_t *lookup,
+		  dns_clientinfomethods_t *methods,
+		  dns_clientinfo_t *clientinfo) {
+	dlopen_data_t *cd = (dlopen_data_t *)dbdata;
+	isc_result_t result;
+
+	UNUSED(driverarg);
+
+	MAYBE_LOCK(cd);
+	result = cd->dlz_lookup(zone, name, cd->dbdata, lookup, methods,
+				clientinfo);
+	MAYBE_UNLOCK(cd);
+	return (result);
+}
+
+/*
+ * Load a symbol from the library
+ */
+static void *
+dl_load_symbol(dlopen_data_t *cd, const char *symbol, bool mandatory) {
+	void *ptr = GetProcAddress(cd->dl_handle, symbol);
+	if (ptr == NULL && mandatory) {
+		dlopen_log(ISC_LOG_ERROR,
+			   "dlz_dlopen: library '%s' is missing "
+			   "required symbol '%s'",
+			   cd->dl_path, symbol);
+	}
+	return (ptr);
+}
+
+/*
+ * Called at startup for each dlopen zone in named.conf
+ */
+static isc_result_t
+dlopen_dlz_create(const char *dlzname, unsigned int argc, char *argv[],
+		  void *driverarg, void **dbdata) {
+	dlopen_data_t *cd;
+	isc_mem_t *mctx = NULL;
+	isc_result_t result = ISC_R_FAILURE;
+	bool triedload = false;
+
+	UNUSED(driverarg);
+
+	if (argc < 2) {
+		dlopen_log(ISC_LOG_ERROR,
+			   "dlz_dlopen driver for '%s' needs a path to "
+			   "the shared library",
+			   dlzname);
+		return (ISC_R_FAILURE);
+	}
+
+	isc_mem_create(&mctx);
+
+	cd = isc_mem_get(mctx, sizeof(*cd));
+	memset(cd, 0, sizeof(*cd));
+
+	cd->mctx = mctx;
+
+	cd->dl_path = isc_mem_strdup(cd->mctx, argv[1]);
+
+	cd->dlzname = isc_mem_strdup(cd->mctx, dlzname);
+
+	triedload = true;
+
+	/* Initialize the lock */
+	isc_mutex_init(&cd->lock);
+
+	/* Open the library */
+	cd->dl_handle = LoadLibraryA(cd->dl_path);
+	if (cd->dl_handle == NULL) {
+		unsigned int error = GetLastError();
+
+		dlopen_log(ISC_LOG_ERROR,
+			   "dlz_dlopen failed to open library '%s' - %u",
+			   cd->dl_path, error);
+		result = ISC_R_FAILURE;
+		goto cleanup_lock;
+	}
+
+	/* Find the symbols */
+	cd->dlz_version =
+		(dlz_dlopen_version_t *)dl_load_symbol(cd, "dlz_version", true);
+	cd->dlz_create = (dlz_dlopen_create_t *)dl_load_symbol(cd, "dlz_create",
+							       true);
+	cd->dlz_lookup = (dlz_dlopen_lookup_t *)dl_load_symbol(cd, "dlz_lookup",
+							       true);
+	cd->dlz_findzonedb = (dlz_dlopen_findzonedb_t *)dl_load_symbol(
+		cd, "dlz_findzonedb", true);
+
+	if (cd->dlz_create == NULL || cd->dlz_version == NULL ||
+	    cd->dlz_lookup == NULL || cd->dlz_findzonedb == NULL)
+	{
+		/* We're missing a required symbol */
+		result = ISC_R_FAILURE;
+		goto cleanup_lock;
+	}
+
+	cd->dlz_allowzonexfr = (dlz_dlopen_allowzonexfr_t *)dl_load_symbol(
+		cd, "dlz_allowzonexfr", false);
+	cd->dlz_allnodes = (dlz_dlopen_allnodes_t *)dl_load_symbol(
+		cd, "dlz_allnodes", (cd->dlz_allowzonexfr != NULL));
+	cd->dlz_authority = (dlz_dlopen_authority_t *)dl_load_symbol(
+		cd, "dlz_authority", false);
+	cd->dlz_newversion = (dlz_dlopen_newversion_t *)dl_load_symbol(
+		cd, "dlz_newversion", false);
+	cd->dlz_closeversion = (dlz_dlopen_closeversion_t *)dl_load_symbol(
+		cd, "dlz_closeversion", (cd->dlz_newversion != NULL));
+	cd->dlz_configure = (dlz_dlopen_configure_t *)dl_load_symbol(
+		cd, "dlz_configure", false);
+	cd->dlz_ssumatch = (dlz_dlopen_ssumatch_t *)dl_load_symbol(
+		cd, "dlz_ssumatch", false);
+	cd->dlz_addrdataset = (dlz_dlopen_addrdataset_t *)dl_load_symbol(
+		cd, "dlz_addrdataset", false);
+	cd->dlz_subrdataset = (dlz_dlopen_subrdataset_t *)dl_load_symbol(
+		cd, "dlz_subrdataset", false);
+	cd->dlz_delrdataset = (dlz_dlopen_delrdataset_t *)dl_load_symbol(
+		cd, "dlz_delrdataset", false);
+
+	/* Check the version of the API is the same */
+	cd->version = cd->dlz_version(&cd->flags);
+	if (cd->version < (DLZ_DLOPEN_VERSION - DLZ_DLOPEN_AGE) ||
+	    cd->version > DLZ_DLOPEN_VERSION)
+	{
+		dlopen_log(ISC_LOG_ERROR,
+			   "dlz_dlopen: %s: incorrect driver API version %d, "
+			   "requires %d",
+			   cd->dl_path, cd->version, DLZ_DLOPEN_VERSION);
+		result = ISC_R_FAILURE;
+		goto cleanup_lock;
+	}
+
+	/*
+	 * Call the library's create function. Note that this is an
+	 * extended version of dlz create, with the addition of
+	 * named function pointers for helper functions that the
+	 * driver will need. This avoids the need for the backend to
+	 * link the BIND9 libraries
+	 */
+	MAYBE_LOCK(cd);
+	result = cd->dlz_create(dlzname, argc - 1, argv + 1, &cd->dbdata, "log",
+				dlopen_log, "putrr", dns_sdlz_putrr,
+				"putnamedrr", dns_sdlz_putnamedrr,
+				"writeable_zone", dns_dlz_writeablezone, NULL);
+	MAYBE_UNLOCK(cd);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_lock;
+	}
+
+	*dbdata = cd;
+
+	return (ISC_R_SUCCESS);
+
+cleanup_lock:
+	isc_mutex_destroy(&cd->lock);
+failed:
+	dlopen_log(ISC_LOG_ERROR, "dlz_dlopen of '%s' failed", dlzname);
+	if (cd->dl_path) {
+		isc_mem_free(mctx, cd->dl_path);
+	}
+	if (cd->dlzname) {
+		isc_mem_free(mctx, cd->dlzname);
+	}
+	if (triedload) {
+		isc_mutex_destroy(&cd->lock);
+	}
+	if (cd->dl_handle) {
+		FreeLibrary(cd->dl_handle);
+	}
+	isc_mem_put(mctx, cd, sizeof(*cd));
+	isc_mem_destroy(&mctx);
+	return (result);
+}
+
+/*
+ * Called when bind is shutting down
+ */
+static void
+dlopen_dlz_destroy(void *driverarg, void *dbdata) {
+	dlopen_data_t *cd = (dlopen_data_t *)dbdata;
+	isc_mem_t *mctx;
+
+	UNUSED(driverarg);
+
+	if (cd->dlz_destroy) {
+		MAYBE_LOCK(cd);
+		cd->dlz_destroy(cd->dbdata);
+		MAYBE_UNLOCK(cd);
+	}
+
+	if (cd->dl_path) {
+		isc_mem_free(cd->mctx, cd->dl_path);
+	}
+	if (cd->dlzname) {
+		isc_mem_free(cd->mctx, cd->dlzname);
+	}
+
+	if (cd->dl_handle) {
+		FreeLibrary(cd->dl_handle);
+	}
+
+	isc_mutex_destroy(&cd->lock);
+
+	mctx = cd->mctx;
+	isc_mem_put(mctx, cd, sizeof(*cd));
+	isc_mem_destroy(&mctx);
+}
+
+/*
+ * Called to start a transaction
+ */
+static isc_result_t
+dlopen_dlz_newversion(const char *zone, void *driverarg, void *dbdata,
+		      void **versionp) {
+	dlopen_data_t *cd = (dlopen_data_t *)dbdata;
+	isc_result_t result;
+
+	UNUSED(driverarg);
+
+	if (cd->dlz_newversion == NULL) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	MAYBE_LOCK(cd);
+	result = cd->dlz_newversion(zone, cd->dbdata, versionp);
+	MAYBE_UNLOCK(cd);
+	return (result);
+}
+
+/*
+ * Called to end a transaction
+ */
+static void
+dlopen_dlz_closeversion(const char *zone, bool commit, void *driverarg,
+			void *dbdata, void **versionp) {
+	dlopen_data_t *cd = (dlopen_data_t *)dbdata;
+
+	UNUSED(driverarg);
+
+	if (cd->dlz_newversion == NULL) {
+		*versionp = NULL;
+		return;
+	}
+
+	MAYBE_LOCK(cd);
+	cd->dlz_closeversion(zone, commit, cd->dbdata, versionp);
+	MAYBE_UNLOCK(cd);
+}
+
+/*
+ * Called on startup to configure any writeable zones
+ */
+static isc_result_t
+dlopen_dlz_configure(dns_view_t *view, dns_dlzdb_t *dlzdb, void *driverarg,
+		     void *dbdata) {
+	dlopen_data_t *cd = (dlopen_data_t *)dbdata;
+	isc_result_t result;
+
+	UNUSED(driverarg);
+
+	if (cd->dlz_configure == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+
+	MAYBE_LOCK(cd);
+	cd->in_configure = true;
+	result = cd->dlz_configure(view, dlzdb, cd->dbdata);
+	cd->in_configure = false;
+	MAYBE_UNLOCK(cd);
+
+	return (result);
+}
+
+/*
+ * Check for authority to change a name
+ */
+static bool
+dlopen_dlz_ssumatch(const char *signer, const char *name, const char *tcpaddr,
+		    const char *type, const char *key, uint32_t keydatalen,
+		    unsigned char *keydata, void *driverarg, void *dbdata) {
+	dlopen_data_t *cd = (dlopen_data_t *)dbdata;
+	bool ret;
+
+	UNUSED(driverarg);
+
+	if (cd->dlz_ssumatch == NULL) {
+		return (false);
+	}
+
+	MAYBE_LOCK(cd);
+	ret = cd->dlz_ssumatch(signer, name, tcpaddr, type, key, keydatalen,
+			       keydata, cd->dbdata);
+	MAYBE_UNLOCK(cd);
+
+	return (ret);
+}
+
+/*
+ * Add an rdataset
+ */
+static isc_result_t
+dlopen_dlz_addrdataset(const char *name, const char *rdatastr, void *driverarg,
+		       void *dbdata, void *version) {
+	dlopen_data_t *cd = (dlopen_data_t *)dbdata;
+	isc_result_t result;
+
+	UNUSED(driverarg);
+
+	if (cd->dlz_addrdataset == NULL) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	MAYBE_LOCK(cd);
+	result = cd->dlz_addrdataset(name, rdatastr, cd->dbdata, version);
+	MAYBE_UNLOCK(cd);
+
+	return (result);
+}
+
+/*
+ * Subtract an rdataset
+ */
+static isc_result_t
+dlopen_dlz_subrdataset(const char *name, const char *rdatastr, void *driverarg,
+		       void *dbdata, void *version) {
+	dlopen_data_t *cd = (dlopen_data_t *)dbdata;
+	isc_result_t result;
+
+	UNUSED(driverarg);
+
+	if (cd->dlz_subrdataset == NULL) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	MAYBE_LOCK(cd);
+	result = cd->dlz_subrdataset(name, rdatastr, cd->dbdata, version);
+	MAYBE_UNLOCK(cd);
+
+	return (result);
+}
+
+/*
+ * delete a rdataset
+ */
+static isc_result_t
+dlopen_dlz_delrdataset(const char *name, const char *type, void *driverarg,
+		       void *dbdata, void *version) {
+	dlopen_data_t *cd = (dlopen_data_t *)dbdata;
+	isc_result_t result;
+
+	UNUSED(driverarg);
+
+	if (cd->dlz_delrdataset == NULL) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	MAYBE_LOCK(cd);
+	result = cd->dlz_delrdataset(name, type, cd->dbdata, version);
+	MAYBE_UNLOCK(cd);
+
+	return (result);
+}
+
+static dns_sdlzmethods_t dlz_dlopen_methods = {
+	dlopen_dlz_create,	 dlopen_dlz_destroy,	dlopen_dlz_findzonedb,
+	dlopen_dlz_lookup,	 dlopen_dlz_authority,	dlopen_dlz_allnodes,
+	dlopen_dlz_allowzonexfr, dlopen_dlz_newversion, dlopen_dlz_closeversion,
+	dlopen_dlz_configure,	 dlopen_dlz_ssumatch,	dlopen_dlz_addrdataset,
+	dlopen_dlz_subrdataset,	 dlopen_dlz_delrdataset
+};
+#endif /* ifdef ISC_DLZ_DLOPEN */
+
+/*
+ * Register driver with BIND
+ */
+isc_result_t
+dlz_dlopen_init(isc_mem_t *mctx) {
+#ifndef ISC_DLZ_DLOPEN
+	UNUSED(mctx);
+	return (ISC_R_NOTIMPLEMENTED);
+#else  /* ifndef ISC_DLZ_DLOPEN */
+	isc_result_t result;
+
+	dlopen_log(2, "Registering DLZ_dlopen driver");
+
+	result = dns_sdlzregister("dlopen", &dlz_dlopen_methods, NULL,
+				  DNS_SDLZFLAG_RELATIVEOWNER |
+					  DNS_SDLZFLAG_RELATIVERDATA |
+					  DNS_SDLZFLAG_THREADSAFE,
+				  mctx, &dlz_dlopen);
+
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "dns_sdlzregister() failed: %s",
+				 isc_result_totext(result));
+		result = ISC_R_UNEXPECTED;
+	}
+
+	return (result);
+#endif /* ifndef ISC_DLZ_DLOPEN */
+}
+
+/*
+ * Unregister the driver
+ */
+void
+dlz_dlopen_clear(void) {
+#ifdef ISC_DLZ_DLOPEN
+	dlopen_log(2, "Unregistering DLZ_dlopen driver");
+	if (dlz_dlopen != NULL) {
+		dns_sdlzunregister(&dlz_dlopen);
+	}
+#endif /* ifdef ISC_DLZ_DLOPEN */
+}
diff --git a/bin/named/win32/include/.clang-format b/bin/named/win32/include/.clang-format
new file mode 120000
index 0000000..e919bba
--- /dev/null
+++ b/bin/named/win32/include/.clang-format
@@ -0,0 +1 @@
+../../../../.clang-format.headers
\ No newline at end of file
diff --git a/bin/named/win32/include/named/ntservice.h b/bin/named/win32/include/named/ntservice.h
new file mode 100644
index 0000000..0b380e5
--- /dev/null
+++ b/bin/named/win32/include/named/ntservice.h
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef NTSERVICE_H
+#define NTSERVICE_H
+
+#include <winsvc.h>
+
+#define BIND_DISPLAY_NAME "ISC BIND"
+#define BIND_SERVICE_NAME "named"
+
+void
+     ntservice_init();
+void UpdateSCM(DWORD);
+void
+ServiceControl(DWORD dwCtrlCode);
+void
+ntservice_shutdown();
+BOOL
+ntservice_isservice();
+#endif /* ifndef NTSERVICE_H */
diff --git a/bin/named/win32/include/named/os.h b/bin/named/win32/include/named/os.h
new file mode 100644
index 0000000..696465b
--- /dev/null
+++ b/bin/named/win32/include/named/os.h
@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef NAMED_OS_H
+#define NAMED_OS_H 1
+
+#include <stdbool.h>
+
+#include <isc/types.h>
+
+void
+named_os_init(const char *progname);
+
+void
+named_os_daemonize(void);
+
+void
+named_os_opendevnull(void);
+
+void
+named_os_closedevnull(void);
+
+void
+named_os_chroot(const char *root);
+
+void
+named_os_inituserinfo(const char *username);
+
+void
+named_os_changeuser(void);
+
+unsigned int
+ns_os_uid(void);
+
+void
+named_os_adjustnofile(void);
+
+void
+named_os_minprivs(void);
+
+FILE *
+named_os_openfile(const char *filename, int mode, bool switch_user);
+
+void
+named_os_writepidfile(const char *filename, bool first_time);
+
+bool
+named_os_issingleton(const char *filename);
+
+void
+named_os_shutdown(void);
+
+isc_result_t
+named_os_gethostname(char *buf, size_t len);
+
+void
+named_os_shutdownmsg(char *command, isc_buffer_t *text);
+
+void
+named_os_tzset(void);
+
+void
+named_os_started(void);
+
+const char *
+named_os_uname(void);
+
+#endif /* NAMED_OS_H */
diff --git a/bin/named/win32/named.vcxproj.filters.in b/bin/named/win32/named.vcxproj.filters.in
new file mode 100644
index 0000000..60b2ec2
--- /dev/null
+++ b/bin/named/win32/named.vcxproj.filters.in
@@ -0,0 +1,121 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="dlz_dlopen_driver.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="ntservice.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="os.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\builtin.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\config.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\control.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\controlconf.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+@IF GEOIP
+    <ClCompile Include="..\geoip.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+@END GEOIP
+    <ClCompile Include="..\log.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\logconf.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\main.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\server.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\statschannel.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\tkeyconf.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\tsigconf.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\zoneconf.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="include\named\ntservice.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="include\named\os.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\named\builtin.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\named\config.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\named\control.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+@IF GEOIP
+    <ClInclude Include="..\include\named\geoip.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+@END GEOIP
+    <ClInclude Include="..\include\named\globals.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\named\log.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\named\logconf.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\named\main.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\named\server.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\named\statschannel.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\named\tkeyconf.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\named\tsigconf.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\named\types.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\named\zoneconf.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+</Project>
diff --git a/bin/named/win32/named.vcxproj.in b/bin/named/win32/named.vcxproj.in
new file mode 100644
index 0000000..f470085
--- /dev/null
+++ b/bin/named/win32/named.vcxproj.in
@@ -0,0 +1,156 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{723C65DA-A96C-4BA3-A34E-44F11CA346F9}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>named</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;@USE_GSSAPI@BUILDER="Visual Studio";_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>@LIBUV_INC@@OPENSSL_INC@@GSSAPI_INC@@GEOIP_INC@.\;..\..\..\;@LIBXML2_INC@..\win32\include;..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\isccfg\include;..\..\..\lib\bind9\include;..\..\..\lib\ns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccc\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);..\..\..\lib\ns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@LIBUV_LIB@@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@@LIBXML2_LIB@@GSSAPI_LIB@@GEOIP_LIB@libisc.lib;libdns.lib;libisccc.lib;libisccfg.lib;libbind9.lib;libns.lib;version.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;@USE_GSSAPI@BUILDER="Visual Studio";NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>@LIBUV_INC@@OPENSSL_INC@@GSSAPI_INC@@GEOIP_INC@.\;..\..\..\;@LIBXML2_INC@..\win32\include;..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\isccfg\include;..\..\..\lib\bind9\include;..\..\..\lib\ns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccc\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);..\..\..\lib\ns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@LIBUV_LIB@@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@@LIBXML2_LIB@@GSSAPI_LIB@@GEOIP_LIB@libisc.lib;libdns.lib;libisccc.lib;libisccfg.lib;libbind9.lib;libns.lib;version.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\builtin.c" />
+    <ClCompile Include="..\config.c" />
+    <ClCompile Include="..\control.c" />
+    <ClCompile Include="..\controlconf.c" />
+@IF GEOIP
+    <ClCompile Include="..\geoip.c" />
+@END GEOIP
+    <ClCompile Include="..\log.c" />
+    <ClCompile Include="..\logconf.c" />
+    <ClCompile Include="..\main.c" />
+    <ClCompile Include="..\server.c" />
+    <ClCompile Include="..\statschannel.c" />
+    <ClCompile Include="..\tkeyconf.c" />
+    <ClCompile Include="..\tsigconf.c" />
+    <ClCompile Include="..\zoneconf.c" />
+    <ClCompile Include="dlz_dlopen_driver.c" />
+    <ClCompile Include="ntservice.c" />
+    <ClCompile Include="os.c" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\include\named\builtin.h" />
+    <ClInclude Include="..\include\named\config.h" />
+    <ClInclude Include="..\include\named\control.h" />
+@IF GEOIP
+    <ClInclude Include="..\include\named\geoip.h" />
+@END GEOIP
+    <ClInclude Include="..\include\named\globals.h" />
+    <ClInclude Include="..\include\named\log.h" />
+    <ClInclude Include="..\include\named\logconf.h" />
+    <ClInclude Include="..\include\named\main.h" />
+    <ClInclude Include="..\include\named\server.h" />
+    <ClInclude Include="..\include\named\statschannel.h" />
+    <ClInclude Include="..\include\named\tkeyconf.h" />
+    <ClInclude Include="..\include\named\tsigconf.h" />
+    <ClInclude Include="..\include\named\types.h" />
+    <ClInclude Include="..\include\named\zoneconf.h" />
+    <ClInclude Include="include\named\ntservice.h" />
+    <ClInclude Include="include\named\os.h" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/named/win32/named.vcxproj.user b/bin/named/win32/named.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/named/win32/named.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/named/win32/ntservice.c b/bin/named/win32/ntservice.c
new file mode 100644
index 0000000..5c5c40f
--- /dev/null
+++ b/bin/named/win32/ntservice.c
@@ -0,0 +1,190 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stdio.h>
+
+#include <isc/app.h>
+#include <isc/commandline.h>
+#include <isc/log.h>
+#include <isc/print.h>
+#include <isc/string.h>
+
+#include <named/globals.h>
+#include <named/main.h>
+#include <named/ntservice.h>
+#include <named/server.h>
+
+/* Handle to SCM for updating service status */
+static SERVICE_STATUS_HANDLE hServiceStatus = 0;
+static BOOL foreground = FALSE;
+static char ConsoleTitle[128];
+
+/*
+ * Forward declarations
+ */
+static int
+bindmain_service_wrapper(int argc, char *argv[]);
+void
+ServiceControl(DWORD dwCtrlCode);
+int
+bindmain(int, char *[]); /* From main.c */
+
+/*
+ * Initialize the ISC library running as a Windows Service before calling
+ * bindmain()
+ */
+static int
+bindmain_service_wrapper(int argc, char *argv[]) {
+	return (isc_lib_ntservice(bindmain, argc, argv));
+}
+
+/*
+ * Initialize the Service by registering it.
+ */
+void
+ntservice_init(void) {
+	if (!foreground) {
+		/* Register handler with the SCM */
+		hServiceStatus = RegisterServiceCtrlHandler(
+			BIND_SERVICE_NAME, (LPHANDLER_FUNCTION)ServiceControl);
+		if (!hServiceStatus) {
+			named_main_earlyfatal("could not register service "
+					      "control handler");
+		}
+		UpdateSCM(SERVICE_RUNNING);
+	} else {
+		strlcpy(ConsoleTitle, "BIND Version ", sizeof(ConsoleTitle));
+		strlcat(ConsoleTitle, VERSION, sizeof(ConsoleTitle));
+		SetConsoleTitle(ConsoleTitle);
+	}
+}
+
+void
+ntservice_shutdown(void) {
+	UpdateSCM(SERVICE_STOPPED);
+}
+
+/*
+ * Routine to check if this is a service or a foreground program
+ */
+BOOL
+ntservice_isservice(void) {
+	return (!foreground);
+}
+
+/*
+ * ServiceControl(): Handles requests from the SCM and passes them on
+ * to named.
+ */
+void
+ServiceControl(DWORD dwCtrlCode) {
+	/* Handle the requested control code */
+	switch (dwCtrlCode) {
+	case SERVICE_CONTROL_INTERROGATE:
+		UpdateSCM(0);
+		break;
+
+	case SERVICE_CONTROL_SHUTDOWN:
+	case SERVICE_CONTROL_STOP:
+		named_server_flushonshutdown(named_g_server, true);
+		isc_app_shutdown();
+		UpdateSCM(SERVICE_STOP_PENDING);
+		break;
+	default:
+		break;
+	}
+}
+
+/*
+ * Tell the Service Control Manager the state of the service.
+ */
+void
+UpdateSCM(DWORD state) {
+	SERVICE_STATUS ss;
+	static DWORD dwState = SERVICE_STOPPED;
+
+	if (hServiceStatus) {
+		if (state) {
+			dwState = state;
+		}
+
+		memset(&ss, 0, sizeof(SERVICE_STATUS));
+		ss.dwServiceType |= SERVICE_WIN32_OWN_PROCESS;
+		ss.dwCurrentState = dwState;
+		ss.dwControlsAccepted = SERVICE_ACCEPT_STOP |
+					SERVICE_ACCEPT_SHUTDOWN;
+		ss.dwCheckPoint = 0;
+		ss.dwServiceSpecificExitCode = 0;
+		ss.dwWin32ExitCode = NO_ERROR;
+		ss.dwWaitHint = dwState == SERVICE_STOP_PENDING ? 10000 : 1000;
+
+		if (!SetServiceStatus(hServiceStatus, &ss)) {
+			ss.dwCurrentState = SERVICE_STOPPED;
+			SetServiceStatus(hServiceStatus, &ss);
+		}
+	}
+}
+
+/* unhook main */
+
+#undef main
+
+/*
+ * This is the entry point for the executable
+ * We can now call bindmain() explicitly or via StartServiceCtrlDispatcher()
+ * as we need to.
+ */
+int
+main(int argc, char *argv[]) {
+	int rc, ch;
+
+	/* Command line users should put -f in the options. */
+	isc_commandline_errprint = false;
+	while ((ch = isc_commandline_parse(argc, argv, NAMED_MAIN_ARGS)) != -1)
+	{
+		switch (ch) {
+		case 'f':
+		case 'g':
+		case 'v':
+		case 'V':
+			foreground = TRUE;
+			break;
+		default:
+			break;
+		}
+	}
+	isc_commandline_reset = true;
+
+	if (foreground) {
+		/* run in console window */
+		exit(bindmain(argc, argv));
+	} else {
+		/* Start up as service */
+		char *SERVICE_NAME = BIND_SERVICE_NAME;
+
+		SERVICE_TABLE_ENTRY dispatchTable[] = {
+			{ TEXT(SERVICE_NAME),
+			  (LPSERVICE_MAIN_FUNCTION)bindmain_service_wrapper },
+			{ NULL, NULL }
+		};
+
+		rc = StartServiceCtrlDispatcher(dispatchTable);
+		if (!rc) {
+			fprintf(stderr, "Use -f to run from the command "
+					"line.\n");
+			/* will be 1063 when launched as a console app */
+			exit(GetLastError());
+		}
+	}
+	exit(0);
+}
diff --git a/bin/named/win32/os.c b/bin/named/win32/os.c
new file mode 100644
index 0000000..5503d95
--- /dev/null
+++ b/bin/named/win32/os.c
@@ -0,0 +1,473 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <ctype.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <io.h>
+#include <process.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <syslog.h>
+
+#include <isc/ntpaths.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/util.h>
+#include <isc/win32os.h>
+
+#include <named/globals.h>
+#include <named/log.h>
+#include <named/main.h>
+#include <named/ntservice.h>
+#include <named/os.h>
+
+static char *lockfile = NULL;
+static char *pidfile = NULL;
+static int devnullfd = -1;
+static int lockfilefd = -1;
+
+static BOOL Initialized = FALSE;
+
+static char *version_error = "named requires Windows 2000 Service Pack 2 or "
+			     "later to run correctly";
+
+void
+named_paths_init(void) {
+	if (!Initialized) {
+		isc_ntpaths_init();
+	}
+
+	named_g_conffile = isc_ntpaths_get(NAMED_CONF_PATH);
+	named_g_defaultpidfile = isc_ntpaths_get(NAMED_PID_PATH);
+	named_g_defaultlockfile = isc_ntpaths_get(NAMED_LOCK_PATH);
+	named_g_keyfile = isc_ntpaths_get(RNDC_KEY_PATH);
+	named_g_defaultsessionkeyfile = isc_ntpaths_get(SESSION_KEY_PATH);
+	named_g_defaultbindkeys = isc_ntpaths_get(BIND_KEYS_PATH);
+
+	Initialized = TRUE;
+}
+
+/*
+ * Due to Knowledge base article Q263823 we need to make sure that
+ * Windows 2000 systems have Service Pack 2 or later installed and
+ * warn when it isn't.
+ */
+static void
+version_check(const char *progname) {
+	if ((isc_win32os_versioncheck(4, 0, 0, 0) >= 0) &&
+	    (isc_win32os_versioncheck(5, 0, 0, 0) < 0))
+	{
+		return; /* No problem with Version 4.0 */
+	}
+	if (isc_win32os_versioncheck(5, 0, 2, 0) < 0) {
+		if (ntservice_isservice()) {
+			NTReportError(progname, version_error);
+		} else {
+			fprintf(stderr, "%s\n", version_error);
+		}
+	}
+}
+
+static void
+setup_syslog(const char *progname) {
+	int options;
+
+	options = LOG_PID;
+#ifdef LOG_NDELAY
+	options |= LOG_NDELAY;
+#endif /* ifdef LOG_NDELAY */
+
+	openlog(progname, options, LOG_DAEMON);
+}
+
+void
+named_os_init(const char *progname) {
+	named_paths_init();
+	setup_syslog(progname);
+	/*
+	 * XXXMPA. We may need to split ntservice_init() in two and
+	 * just mark as running in named_os_started().  If we do that
+	 * this is where the first part of ntservice_init() should be
+	 * called from.
+	 *
+	 * XXX970 Remove comment if no problems by 9.7.0.
+	 *
+	 * ntservice_init();
+	 */
+	version_check(progname);
+	/*
+	 * If running in a Cygwin environment, clear the SEM_NOGPFAULTERRORBOX
+	 * bit in the process error mode to prevent Cygwin from concealing
+	 * non-abort() crashes, giving Windows Error Reporting a chance to
+	 * handle such crashes.  This is done to ensure all crashes triggered
+	 * by system tests can be detected.
+	 */
+	if (getenv("CYGWIN") != NULL) {
+		SetErrorMode(GetErrorMode() & ~SEM_NOGPFAULTERRORBOX);
+	}
+}
+
+void
+named_os_daemonize(void) {
+	/*
+	 * Try to set stdin, stdout, and stderr to /dev/null, but press
+	 * on even if it fails.
+	 */
+	if (devnullfd != -1) {
+		if (devnullfd != _fileno(stdin)) {
+			close(_fileno(stdin));
+			(void)_dup2(devnullfd, _fileno(stdin));
+		}
+		if (devnullfd != _fileno(stdout)) {
+			close(_fileno(stdout));
+			(void)_dup2(devnullfd, _fileno(stdout));
+		}
+		if (devnullfd != _fileno(stderr)) {
+			close(_fileno(stderr));
+			(void)_dup2(devnullfd, _fileno(stderr));
+		}
+	}
+}
+
+void
+named_os_opendevnull(void) {
+	devnullfd = open("NUL", O_RDWR, 0);
+}
+
+void
+named_os_closedevnull(void) {
+	if (devnullfd != _fileno(stdin) && devnullfd != _fileno(stdout) &&
+	    devnullfd != _fileno(stderr))
+	{
+		close(devnullfd);
+		devnullfd = -1;
+	}
+}
+
+void
+named_os_chroot(const char *root) {
+	if (root != NULL) {
+		named_main_earlyfatal("chroot(): isn't supported by Win32 API");
+	}
+}
+
+void
+named_os_inituserinfo(const char *username) {}
+
+void
+named_os_changeuser(void) {}
+
+unsigned int
+ns_os_uid(void) {
+	return (0);
+}
+
+void
+named_os_adjustnofile(void) {}
+
+void
+named_os_minprivs(void) {}
+
+static int
+safe_open(const char *filename, int mode, bool append) {
+	int fd;
+	struct stat sb;
+
+	if (stat(filename, &sb) == -1) {
+		if (errno != ENOENT) {
+			return (-1);
+		}
+	} else if ((sb.st_mode & S_IFREG) == 0) {
+		return (-1);
+	}
+
+	if (append) {
+		fd = open(filename, O_WRONLY | O_CREAT | O_APPEND, mode);
+	} else {
+		(void)unlink(filename);
+		fd = open(filename, O_WRONLY | O_CREAT | O_EXCL, mode);
+	}
+	return (fd);
+}
+
+static void
+cleanup_pidfile(void) {
+	if (pidfile != NULL) {
+		(void)unlink(pidfile);
+		free(pidfile);
+	}
+	pidfile = NULL;
+}
+
+static void
+cleanup_lockfile(void) {
+	if (lockfilefd != -1) {
+		close(lockfilefd);
+		lockfilefd = -1;
+	}
+
+	if (lockfile != NULL) {
+		int n = unlink(lockfile);
+		if (n == -1 && errno != ENOENT) {
+			named_main_earlywarning("unlink '%s': failed",
+						lockfile);
+		}
+		free(lockfile);
+		lockfile = NULL;
+	}
+}
+
+FILE *
+named_os_openfile(const char *filename, int mode, bool switch_user) {
+	char strbuf[ISC_STRERRORSIZE];
+	FILE *fp;
+	int fd;
+
+	UNUSED(switch_user);
+	fd = safe_open(filename, mode, false);
+	if (fd < 0) {
+		strerror_s(strbuf, sizeof(strbuf), errno);
+		named_main_earlywarning("could not open file '%s': %s",
+					filename, strbuf);
+		return (NULL);
+	}
+
+	fp = fdopen(fd, "w");
+	if (fp == NULL) {
+		strerror_s(strbuf, sizeof(strbuf), errno);
+		named_main_earlywarning("could not fdopen() file '%s': %s",
+					filename, strbuf);
+		close(fd);
+	}
+
+	return (fp);
+}
+
+void
+named_os_writepidfile(const char *filename, bool first_time) {
+	FILE *pidlockfile;
+	pid_t pid;
+	char strbuf[ISC_STRERRORSIZE];
+	void (*report)(const char *, ...);
+
+	/*
+	 * The caller must ensure any required synchronization.
+	 */
+
+	report = first_time ? named_main_earlyfatal : named_main_earlywarning;
+
+	cleanup_pidfile();
+
+	if (filename == NULL) {
+		return;
+	}
+
+	pidfile = strdup(filename);
+	if (pidfile == NULL) {
+		strerror_s(strbuf, sizeof(strbuf), errno);
+		(*report)("couldn't strdup() '%s': %s", filename, strbuf);
+		return;
+	}
+
+	pidlockfile = named_os_openfile(
+		filename, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH, false);
+	if (pidlockfile == NULL) {
+		free(pidfile);
+		pidfile = NULL;
+		return;
+	}
+
+	pid = getpid();
+
+	if (fprintf(pidlockfile, "%ld\n", (long)pid) < 0) {
+		(*report)("fprintf() to pid file '%s' failed", filename);
+		(void)fclose(pidlockfile);
+		cleanup_pidfile();
+		return;
+	}
+	if (fflush(pidlockfile) == EOF) {
+		(*report)("fflush() to pid file '%s' failed", filename);
+		(void)fclose(pidlockfile);
+		cleanup_pidfile();
+		return;
+	}
+	(void)fclose(pidlockfile);
+}
+
+bool
+named_os_issingleton(const char *filename) {
+	char strbuf[ISC_STRERRORSIZE];
+	OVERLAPPED o;
+
+	if (lockfilefd != -1) {
+		return (true);
+	}
+
+	if (strcasecmp(filename, "none") == 0) {
+		return (true);
+	}
+
+	lockfile = strdup(filename);
+	if (lockfile == NULL) {
+		strerror_s(strbuf, sizeof(strbuf), errno);
+		named_main_earlyfatal("couldn't allocate memory for '%s': %s",
+				      filename, strbuf);
+	}
+
+	/*
+	 * named_os_openfile() uses safeopen() which removes any existing
+	 * files. We can't use that here.
+	 */
+	lockfilefd = open(filename, O_WRONLY | O_CREAT,
+			  S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+	if (lockfilefd == -1) {
+		cleanup_lockfile();
+		return (false);
+	}
+
+	memset(&o, 0, sizeof(o));
+	/* Expect ERROR_LOCK_VIOLATION if already locked */
+	if (!LockFileEx((HANDLE)_get_osfhandle(lockfilefd),
+			LOCKFILE_EXCLUSIVE_LOCK | LOCKFILE_FAIL_IMMEDIATELY, 0,
+			0, 1, &o))
+	{
+		cleanup_lockfile();
+		return (false);
+	}
+
+	return (true);
+}
+
+void
+named_os_shutdown(void) {
+	closelog();
+	cleanup_pidfile();
+
+	if (lockfilefd != -1) {
+		(void)UnlockFile((HANDLE)_get_osfhandle(lockfilefd), 0, 0, 0,
+				 1);
+	}
+	cleanup_lockfile();
+
+	ntservice_shutdown(); /* This MUST be the last thing done */
+}
+
+isc_result_t
+named_os_gethostname(char *buf, size_t len) {
+	int n;
+
+	n = gethostname(buf, (int)len);
+	return ((n == 0) ? ISC_R_SUCCESS : ISC_R_FAILURE);
+}
+
+void
+named_os_shutdownmsg(char *command, isc_buffer_t *text) {
+	UNUSED(command);
+	UNUSED(text);
+}
+
+void
+named_os_tzset(void) {
+#ifdef HAVE_TZSET
+	tzset();
+#endif /* ifdef HAVE_TZSET */
+}
+
+void
+named_os_started(void) {
+	ntservice_init();
+}
+
+static char unamebuf[BUFSIZ];
+static const char *unamep = NULL;
+
+static void
+getuname(void) {
+	DWORD fvilen;
+	char *fvi;
+	VS_FIXEDFILEINFO *ffi;
+	UINT ffilen;
+	SYSTEM_INFO sysinfo;
+	char *arch;
+
+	fvi = NULL;
+	fvilen = GetFileVersionInfoSize("kernel32.dll", 0);
+	if (fvilen == 0) {
+		goto err;
+	}
+	fvi = (char *)malloc(fvilen);
+	if (fvi == NULL) {
+		goto err;
+	}
+	memset(fvi, 0, fvilen);
+	if (GetFileVersionInfo("kernel32.dll", 0, fvilen, fvi) == 0) {
+		goto err;
+	}
+	ffi = NULL;
+	ffilen = 0;
+	if ((VerQueryValue(fvi, "\\", &ffi, &ffilen) == 0) || (ffi == NULL) ||
+	    (ffilen == 0))
+	{
+		goto err;
+	}
+	memset(&sysinfo, 0, sizeof(sysinfo));
+	GetSystemInfo(&sysinfo);
+	switch (sysinfo.wProcessorArchitecture) {
+	case PROCESSOR_ARCHITECTURE_INTEL:
+		arch = "x86";
+		break;
+	case PROCESSOR_ARCHITECTURE_ARM:
+		arch = "arm";
+		break;
+	case PROCESSOR_ARCHITECTURE_IA64:
+		arch = "ia64";
+		break;
+	case PROCESSOR_ARCHITECTURE_AMD64:
+		arch = "x64";
+		break;
+	default:
+		arch = "unknown architecture";
+		break;
+	}
+
+	snprintf(unamebuf, sizeof(unamebuf),
+		 "Windows %d %d build %d %d for %s\n",
+		 (ffi->dwProductVersionMS >> 16) & 0xffff,
+		 ffi->dwProductVersionMS & 0xffff,
+		 (ffi->dwProductVersionLS >> 16) & 0xffff,
+		 ffi->dwProductVersionLS & 0xffff, arch);
+
+err:
+	if (fvi != NULL) {
+		free(fvi);
+	}
+	unamep = unamebuf;
+}
+
+/*
+ * GetVersionEx() returns 6.2 (aka Windows 8.1) since it was obsoleted
+ * so we had to switch to the recommended way to get the Windows version.
+ */
+const char *
+named_os_uname(void) {
+	if (unamep == NULL) {
+		getuname();
+	}
+	return (unamep);
+}
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
new file mode 100644
index 0000000..2e614aa
--- /dev/null
+++ b/bin/named/zoneconf.c
@@ -0,0 +1,2173 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/buffer.h>
+#include <isc/file.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/stats.h>
+#include <isc/string.h> /* Required for HP/UX (and others?) */
+#include <isc/util.h>
+
+#include <dns/acl.h>
+#include <dns/db.h>
+#include <dns/fixedname.h>
+#include <dns/ipkeylist.h>
+#include <dns/journal.h>
+#include <dns/kasp.h>
+#include <dns/log.h>
+#include <dns/masterdump.h>
+#include <dns/name.h>
+#include <dns/nsec3.h>
+#include <dns/rdata.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/sdlz.h>
+#include <dns/ssu.h>
+#include <dns/stats.h>
+#include <dns/tsig.h>
+#include <dns/view.h>
+#include <dns/zone.h>
+
+#include <ns/client.h>
+
+#include <named/config.h>
+#include <named/globals.h>
+#include <named/log.h>
+#include <named/server.h>
+#include <named/zoneconf.h>
+
+/* ACLs associated with zone */
+typedef enum {
+	allow_notify,
+	allow_query,
+	allow_query_on,
+	allow_transfer,
+	allow_update,
+	allow_update_forwarding
+} acl_type_t;
+
+#define RETERR(x)                        \
+	do {                             \
+		isc_result_t _r = (x);   \
+		if (_r != ISC_R_SUCCESS) \
+			return ((_r));   \
+	} while (0)
+
+#define CHECK(x)                             \
+	do {                                 \
+		result = (x);                \
+		if (result != ISC_R_SUCCESS) \
+			goto cleanup;        \
+	} while (0)
+
+/*%
+ * Convenience function for configuring a single zone ACL.
+ */
+static isc_result_t
+configure_zone_acl(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
+		   const cfg_obj_t *config, acl_type_t acltype,
+		   cfg_aclconfctx_t *actx, dns_zone_t *zone,
+		   void (*setzacl)(dns_zone_t *, dns_acl_t *),
+		   void (*clearzacl)(dns_zone_t *)) {
+	isc_result_t result;
+	const cfg_obj_t *maps[5] = { NULL, NULL, NULL, NULL, NULL };
+	const cfg_obj_t *aclobj = NULL;
+	int i = 0;
+	dns_acl_t **aclp = NULL, *acl = NULL;
+	const char *aclname;
+	dns_view_t *view;
+
+	view = dns_zone_getview(zone);
+
+	switch (acltype) {
+	case allow_notify:
+		if (view != NULL) {
+			aclp = &view->notifyacl;
+		}
+		aclname = "allow-notify";
+		break;
+	case allow_query:
+		if (view != NULL) {
+			aclp = &view->queryacl;
+		}
+		aclname = "allow-query";
+		break;
+	case allow_query_on:
+		if (view != NULL) {
+			aclp = &view->queryonacl;
+		}
+		aclname = "allow-query-on";
+		break;
+	case allow_transfer:
+		if (view != NULL) {
+			aclp = &view->transferacl;
+		}
+		aclname = "allow-transfer";
+		break;
+	case allow_update:
+		if (view != NULL) {
+			aclp = &view->updateacl;
+		}
+		aclname = "allow-update";
+		break;
+	case allow_update_forwarding:
+		if (view != NULL) {
+			aclp = &view->upfwdacl;
+		}
+		aclname = "allow-update-forwarding";
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	/* First check to see if ACL is defined within the zone */
+	if (zconfig != NULL) {
+		maps[0] = cfg_tuple_get(zconfig, "options");
+		(void)named_config_get(maps, aclname, &aclobj);
+		if (aclobj != NULL) {
+			aclp = NULL;
+			goto parse_acl;
+		}
+	}
+
+	/* Failing that, see if there's a default ACL already in the view */
+	if (aclp != NULL && *aclp != NULL) {
+		(*setzacl)(zone, *aclp);
+		return (ISC_R_SUCCESS);
+	}
+
+	/* Check for default ACLs that haven't been parsed yet */
+	if (vconfig != NULL) {
+		const cfg_obj_t *options = cfg_tuple_get(vconfig, "options");
+		if (options != NULL) {
+			maps[i++] = options;
+		}
+	}
+	if (config != NULL) {
+		const cfg_obj_t *options = NULL;
+		(void)cfg_map_get(config, "options", &options);
+		if (options != NULL) {
+			maps[i++] = options;
+		}
+	}
+	maps[i++] = named_g_defaults;
+	maps[i] = NULL;
+
+	(void)named_config_get(maps, aclname, &aclobj);
+	if (aclobj == NULL) {
+		(*clearzacl)(zone);
+		return (ISC_R_SUCCESS);
+	}
+
+parse_acl:
+	result = cfg_acl_fromconfig(aclobj, config, named_g_lctx, actx,
+				    named_g_mctx, 0, &acl);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	(*setzacl)(zone, acl);
+
+	/* Set the view default now */
+	if (aclp != NULL) {
+		dns_acl_attach(acl, aclp);
+	}
+
+	dns_acl_detach(&acl);
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Parse the zone update-policy statement.
+ */
+static isc_result_t
+configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
+			const char *zname) {
+	const cfg_obj_t *updatepolicy = NULL;
+	const cfg_listelt_t *element, *element2;
+	dns_ssutable_t *table = NULL;
+	isc_mem_t *mctx = dns_zone_getmctx(zone);
+	bool autoddns = false;
+	isc_result_t result;
+
+	(void)cfg_map_get(zconfig, "update-policy", &updatepolicy);
+
+	if (updatepolicy == NULL) {
+		dns_zone_setssutable(zone, NULL);
+		return (ISC_R_SUCCESS);
+	}
+
+	if (cfg_obj_isstring(updatepolicy) &&
+	    strcmp("local", cfg_obj_asstring(updatepolicy)) == 0)
+	{
+		autoddns = true;
+		updatepolicy = NULL;
+	}
+
+	result = dns_ssutable_create(mctx, &table);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	for (element = cfg_list_first(updatepolicy); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		const cfg_obj_t *stmt = cfg_listelt_value(element);
+		const cfg_obj_t *mode = cfg_tuple_get(stmt, "mode");
+		const cfg_obj_t *identity = cfg_tuple_get(stmt, "identity");
+		const cfg_obj_t *matchtype = cfg_tuple_get(stmt, "matchtype");
+		const cfg_obj_t *dname = cfg_tuple_get(stmt, "name");
+		const cfg_obj_t *typelist = cfg_tuple_get(stmt, "types");
+		const char *str;
+		bool grant = false;
+		bool usezone = false;
+		dns_ssumatchtype_t mtype = dns_ssumatchtype_name;
+		dns_fixedname_t fname, fident;
+		isc_buffer_t b;
+		dns_rdatatype_t *types;
+		unsigned int i, n;
+
+		str = cfg_obj_asstring(mode);
+		if (strcasecmp(str, "grant") == 0) {
+			grant = true;
+		} else if (strcasecmp(str, "deny") == 0) {
+			grant = false;
+		} else {
+			UNREACHABLE();
+		}
+
+		str = cfg_obj_asstring(matchtype);
+		CHECK(dns_ssu_mtypefromstring(str, &mtype));
+		if (mtype == dns_ssumatchtype_subdomain &&
+		    strcasecmp(str, "zonesub") == 0)
+		{
+			usezone = true;
+		}
+
+		dns_fixedname_init(&fident);
+		str = cfg_obj_asstring(identity);
+		isc_buffer_constinit(&b, str, strlen(str));
+		isc_buffer_add(&b, strlen(str));
+		result = dns_name_fromtext(dns_fixedname_name(&fident), &b,
+					   dns_rootname, 0, NULL);
+		if (result != ISC_R_SUCCESS) {
+			cfg_obj_log(identity, named_g_lctx, ISC_LOG_ERROR,
+				    "'%s' is not a valid name", str);
+			goto cleanup;
+		}
+
+		dns_fixedname_init(&fname);
+		if (usezone) {
+			dns_name_copynf(dns_zone_getorigin(zone),
+					dns_fixedname_name(&fname));
+		} else {
+			str = cfg_obj_asstring(dname);
+			isc_buffer_constinit(&b, str, strlen(str));
+			isc_buffer_add(&b, strlen(str));
+			result = dns_name_fromtext(dns_fixedname_name(&fname),
+						   &b, dns_rootname, 0, NULL);
+			if (result != ISC_R_SUCCESS) {
+				cfg_obj_log(identity, named_g_lctx,
+					    ISC_LOG_ERROR,
+					    "'%s' is not a valid name", str);
+				goto cleanup;
+			}
+		}
+
+		n = named_config_listcount(typelist);
+		if (n == 0) {
+			types = NULL;
+		} else {
+			types = isc_mem_get(mctx, n * sizeof(dns_rdatatype_t));
+		}
+
+		i = 0;
+		for (element2 = cfg_list_first(typelist); element2 != NULL;
+		     element2 = cfg_list_next(element2))
+		{
+			const cfg_obj_t *typeobj;
+			isc_textregion_t r;
+
+			INSIST(i < n);
+
+			typeobj = cfg_listelt_value(element2);
+			str = cfg_obj_asstring(typeobj);
+			DE_CONST(str, r.base);
+			r.length = strlen(str);
+
+			result = dns_rdatatype_fromtext(&types[i++], &r);
+			if (result != ISC_R_SUCCESS) {
+				cfg_obj_log(identity, named_g_lctx,
+					    ISC_LOG_ERROR,
+					    "'%s' is not a valid type", str);
+				isc_mem_put(mctx, types,
+					    n * sizeof(dns_rdatatype_t));
+				goto cleanup;
+			}
+		}
+		INSIST(i == n);
+
+		result = dns_ssutable_addrule(
+			table, grant, dns_fixedname_name(&fident), mtype,
+			dns_fixedname_name(&fname), n, types);
+		if (types != NULL) {
+			isc_mem_put(mctx, types, n * sizeof(dns_rdatatype_t));
+		}
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+	}
+
+	/*
+	 * If "update-policy local;" and a session key exists,
+	 * then use the default policy, which is equivalent to:
+	 * update-policy { grant <session-keyname> zonesub any; };
+	 */
+	if (autoddns) {
+		dns_rdatatype_t any = dns_rdatatype_any;
+
+		if (named_g_server->session_keyname == NULL) {
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "failed to enable auto DDNS policy "
+				      "for zone %s: session key not found",
+				      zname);
+			result = ISC_R_NOTFOUND;
+			goto cleanup;
+		}
+
+		result = dns_ssutable_addrule(
+			table, true, named_g_server->session_keyname,
+			dns_ssumatchtype_local, dns_zone_getorigin(zone), 1,
+			&any);
+
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+	}
+
+	result = ISC_R_SUCCESS;
+	dns_zone_setssutable(zone, table);
+
+cleanup:
+	dns_ssutable_detach(&table);
+	return (result);
+}
+
+/*
+ * This is the TTL used for internally generated RRsets for static-stub zones.
+ * The value doesn't matter because the mapping is static, but needs to be
+ * defined for the sake of implementation.
+ */
+#define STATICSTUB_SERVER_TTL 86400
+
+/*%
+ * Configure an apex NS with glues for a static-stub zone.
+ * For example, for the zone named "example.com", the following RRs will be
+ * added to the zone DB:
+ * example.com. NS example.com.
+ * example.com. A 192.0.2.1
+ * example.com. AAAA 2001:db8::1
+ */
+static isc_result_t
+configure_staticstub_serveraddrs(const cfg_obj_t *zconfig, dns_zone_t *zone,
+				 dns_rdatalist_t *rdatalist_ns,
+				 dns_rdatalist_t *rdatalist_a,
+				 dns_rdatalist_t *rdatalist_aaaa) {
+	const cfg_listelt_t *element;
+	isc_mem_t *mctx = dns_zone_getmctx(zone);
+	isc_region_t region, sregion;
+	dns_rdata_t *rdata;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	for (element = cfg_list_first(zconfig); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		const isc_sockaddr_t *sa;
+		isc_netaddr_t na;
+		const cfg_obj_t *address = cfg_listelt_value(element);
+		dns_rdatalist_t *rdatalist;
+
+		sa = cfg_obj_assockaddr(address);
+		if (isc_sockaddr_getport(sa) != 0) {
+			cfg_obj_log(zconfig, named_g_lctx, ISC_LOG_ERROR,
+				    "port is not configurable for "
+				    "static stub server-addresses");
+			return (ISC_R_FAILURE);
+		}
+		isc_netaddr_fromsockaddr(&na, sa);
+		if (isc_netaddr_getzone(&na) != 0) {
+			cfg_obj_log(zconfig, named_g_lctx, ISC_LOG_ERROR,
+				    "scoped address is not allowed "
+				    "for static stub "
+				    "server-addresses");
+			return (ISC_R_FAILURE);
+		}
+
+		switch (na.family) {
+		case AF_INET:
+			region.length = sizeof(na.type.in);
+			rdatalist = rdatalist_a;
+			break;
+		default:
+			INSIST(na.family == AF_INET6);
+			region.length = sizeof(na.type.in6);
+			rdatalist = rdatalist_aaaa;
+			break;
+		}
+
+		rdata = isc_mem_get(mctx, sizeof(*rdata) + region.length);
+		region.base = (unsigned char *)(rdata + 1);
+		memmove(region.base, &na.type, region.length);
+		dns_rdata_init(rdata);
+		dns_rdata_fromregion(rdata, dns_zone_getclass(zone),
+				     rdatalist->type, &region);
+		ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
+	}
+
+	/*
+	 * If no address is specified (unlikely in this context, but possible),
+	 * there's nothing to do anymore.
+	 */
+	if (ISC_LIST_EMPTY(rdatalist_a->rdata) &&
+	    ISC_LIST_EMPTY(rdatalist_aaaa->rdata))
+	{
+		return (ISC_R_SUCCESS);
+	}
+
+	/* Add to the list an apex NS with the ns name being the origin name */
+	dns_name_toregion(dns_zone_getorigin(zone), &sregion);
+	rdata = isc_mem_get(mctx, sizeof(*rdata) + sregion.length);
+	region.length = sregion.length;
+	region.base = (unsigned char *)(rdata + 1);
+	memmove(region.base, sregion.base, region.length);
+	dns_rdata_init(rdata);
+	dns_rdata_fromregion(rdata, dns_zone_getclass(zone), dns_rdatatype_ns,
+			     &region);
+	ISC_LIST_APPEND(rdatalist_ns->rdata, rdata, link);
+
+	return (result);
+}
+
+/*%
+ * Configure an apex NS with an out-of-zone NS names for a static-stub zone.
+ * For example, for the zone named "example.com", something like the following
+ * RRs will be added to the zone DB:
+ * example.com. NS ns.example.net.
+ */
+static isc_result_t
+configure_staticstub_servernames(const cfg_obj_t *zconfig, dns_zone_t *zone,
+				 dns_rdatalist_t *rdatalist,
+				 const char *zname) {
+	const cfg_listelt_t *element;
+	isc_mem_t *mctx = dns_zone_getmctx(zone);
+	dns_rdata_t *rdata;
+	isc_region_t sregion, region;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	for (element = cfg_list_first(zconfig); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		const cfg_obj_t *obj;
+		const char *str;
+		dns_fixedname_t fixed_name;
+		dns_name_t *nsname;
+		isc_buffer_t b;
+
+		obj = cfg_listelt_value(element);
+		str = cfg_obj_asstring(obj);
+
+		nsname = dns_fixedname_initname(&fixed_name);
+
+		isc_buffer_constinit(&b, str, strlen(str));
+		isc_buffer_add(&b, strlen(str));
+		result = dns_name_fromtext(nsname, &b, dns_rootname, 0, NULL);
+		if (result != ISC_R_SUCCESS) {
+			cfg_obj_log(zconfig, named_g_lctx, ISC_LOG_ERROR,
+				    "server-name '%s' is not a valid "
+				    "name",
+				    str);
+			return (result);
+		}
+		if (dns_name_issubdomain(nsname, dns_zone_getorigin(zone))) {
+			cfg_obj_log(zconfig, named_g_lctx, ISC_LOG_ERROR,
+				    "server-name '%s' must not be a "
+				    "subdomain of zone name '%s'",
+				    str, zname);
+			return (ISC_R_FAILURE);
+		}
+
+		dns_name_toregion(nsname, &sregion);
+		rdata = isc_mem_get(mctx, sizeof(*rdata) + sregion.length);
+		region.length = sregion.length;
+		region.base = (unsigned char *)(rdata + 1);
+		memmove(region.base, sregion.base, region.length);
+		dns_rdata_init(rdata);
+		dns_rdata_fromregion(rdata, dns_zone_getclass(zone),
+				     dns_rdatatype_ns, &region);
+		ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
+	}
+
+	return (result);
+}
+
+/*%
+ * Configure static-stub zone.
+ */
+static isc_result_t
+configure_staticstub(const cfg_obj_t *zconfig, dns_zone_t *zone,
+		     const char *zname, const char *dbtype) {
+	int i = 0;
+	const cfg_obj_t *obj;
+	isc_mem_t *mctx = dns_zone_getmctx(zone);
+	dns_db_t *db = NULL;
+	dns_dbversion_t *dbversion = NULL;
+	dns_dbnode_t *apexnode = NULL;
+	dns_name_t apexname;
+	isc_result_t result;
+	dns_rdataset_t rdataset;
+	dns_rdatalist_t rdatalist_ns, rdatalist_a, rdatalist_aaaa;
+	dns_rdatalist_t *rdatalists[] = { &rdatalist_ns, &rdatalist_a,
+					  &rdatalist_aaaa, NULL };
+	dns_rdata_t *rdata;
+	isc_region_t region;
+
+	/* Create the DB beforehand */
+	RETERR(dns_db_create(mctx, dbtype, dns_zone_getorigin(zone),
+			     dns_dbtype_stub, dns_zone_getclass(zone), 0, NULL,
+			     &db));
+
+	dns_rdataset_init(&rdataset);
+
+	dns_rdatalist_init(&rdatalist_ns);
+	rdatalist_ns.rdclass = dns_zone_getclass(zone);
+	rdatalist_ns.type = dns_rdatatype_ns;
+	rdatalist_ns.ttl = STATICSTUB_SERVER_TTL;
+
+	dns_rdatalist_init(&rdatalist_a);
+	rdatalist_a.rdclass = dns_zone_getclass(zone);
+	rdatalist_a.type = dns_rdatatype_a;
+	rdatalist_a.ttl = STATICSTUB_SERVER_TTL;
+
+	dns_rdatalist_init(&rdatalist_aaaa);
+	rdatalist_aaaa.rdclass = dns_zone_getclass(zone);
+	rdatalist_aaaa.type = dns_rdatatype_aaaa;
+	rdatalist_aaaa.ttl = STATICSTUB_SERVER_TTL;
+
+	/* Prepare zone RRs from the configuration */
+	obj = NULL;
+	result = cfg_map_get(zconfig, "server-addresses", &obj);
+	if (result == ISC_R_SUCCESS) {
+		INSIST(obj != NULL);
+		CHECK(configure_staticstub_serveraddrs(obj, zone, &rdatalist_ns,
+						       &rdatalist_a,
+						       &rdatalist_aaaa));
+	}
+
+	obj = NULL;
+	result = cfg_map_get(zconfig, "server-names", &obj);
+	if (result == ISC_R_SUCCESS) {
+		INSIST(obj != NULL);
+		CHECK(configure_staticstub_servernames(obj, zone, &rdatalist_ns,
+						       zname));
+	}
+
+	/*
+	 * Sanity check: there should be at least one NS RR at the zone apex
+	 * to trigger delegation.
+	 */
+	if (ISC_LIST_EMPTY(rdatalist_ns.rdata)) {
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+			      "No NS record is configured for a "
+			      "static-stub zone '%s'",
+			      zname);
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+
+	/*
+	 * Now add NS and glue A/AAAA RRsets to the zone DB.
+	 * First open a new version for the add operation and get a pointer
+	 * to the apex node (all RRs are of the apex name).
+	 */
+	CHECK(dns_db_newversion(db, &dbversion));
+
+	dns_name_init(&apexname, NULL);
+	dns_name_clone(dns_zone_getorigin(zone), &apexname);
+	CHECK(dns_db_findnode(db, &apexname, false, &apexnode));
+
+	/* Add NS RRset */
+	RUNTIME_CHECK(dns_rdatalist_tordataset(&rdatalist_ns, &rdataset) ==
+		      ISC_R_SUCCESS);
+	CHECK(dns_db_addrdataset(db, apexnode, dbversion, 0, &rdataset, 0,
+				 NULL));
+	dns_rdataset_disassociate(&rdataset);
+
+	/* Add glue A RRset, if any */
+	if (!ISC_LIST_EMPTY(rdatalist_a.rdata)) {
+		RUNTIME_CHECK(
+			dns_rdatalist_tordataset(&rdatalist_a, &rdataset) ==
+			ISC_R_SUCCESS);
+		CHECK(dns_db_addrdataset(db, apexnode, dbversion, 0, &rdataset,
+					 0, NULL));
+		dns_rdataset_disassociate(&rdataset);
+	}
+
+	/* Add glue AAAA RRset, if any */
+	if (!ISC_LIST_EMPTY(rdatalist_aaaa.rdata)) {
+		RUNTIME_CHECK(
+			dns_rdatalist_tordataset(&rdatalist_aaaa, &rdataset) ==
+			ISC_R_SUCCESS);
+		CHECK(dns_db_addrdataset(db, apexnode, dbversion, 0, &rdataset,
+					 0, NULL));
+		dns_rdataset_disassociate(&rdataset);
+	}
+
+	dns_db_closeversion(db, &dbversion, true);
+	dns_zone_setdb(zone, db);
+
+	result = ISC_R_SUCCESS;
+
+cleanup:
+	if (dns_rdataset_isassociated(&rdataset)) {
+		dns_rdataset_disassociate(&rdataset);
+	}
+	if (apexnode != NULL) {
+		dns_db_detachnode(db, &apexnode);
+	}
+	if (dbversion != NULL) {
+		dns_db_closeversion(db, &dbversion, false);
+	}
+	if (db != NULL) {
+		dns_db_detach(&db);
+	}
+	for (i = 0; rdatalists[i] != NULL; i++) {
+		while ((rdata = ISC_LIST_HEAD(rdatalists[i]->rdata)) != NULL) {
+			ISC_LIST_UNLINK(rdatalists[i]->rdata, rdata, link);
+			dns_rdata_toregion(rdata, &region);
+			isc_mem_put(mctx, rdata,
+				    sizeof(*rdata) + region.length);
+		}
+	}
+
+	INSIST(dbversion == NULL);
+
+	return (result);
+}
+
+/*%
+ * Convert a config file zone type into a server zone type.
+ */
+static dns_zonetype_t
+zonetype_fromconfig(const cfg_obj_t *map) {
+	const cfg_obj_t *obj = NULL;
+	isc_result_t result;
+
+	result = cfg_map_get(map, "type", &obj);
+	INSIST(result == ISC_R_SUCCESS && obj != NULL);
+	return (named_config_getzonetype(obj));
+}
+
+/*%
+ * Helper function for strtoargv().  Pardon the gratuitous recursion.
+ */
+static isc_result_t
+strtoargvsub(isc_mem_t *mctx, char *s, unsigned int *argcp, char ***argvp,
+	     unsigned int n) {
+	isc_result_t result;
+
+	/* Discard leading whitespace. */
+	while (*s == ' ' || *s == '\t') {
+		s++;
+	}
+
+	if (*s == '\0') {
+		/* We have reached the end of the string. */
+		*argcp = n;
+		*argvp = isc_mem_get(mctx, n * sizeof(char *));
+	} else {
+		char *p = s;
+		while (*p != ' ' && *p != '\t' && *p != '\0') {
+			p++;
+		}
+		if (*p != '\0') {
+			*p++ = '\0';
+		}
+
+		result = strtoargvsub(mctx, p, argcp, argvp, n + 1);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		(*argvp)[n] = s;
+	}
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Tokenize the string "s" into whitespace-separated words,
+ * return the number of words in '*argcp' and an array
+ * of pointers to the words in '*argvp'.  The caller
+ * must free the array using isc_mem_put().  The string
+ * is modified in-place.
+ */
+static isc_result_t
+strtoargv(isc_mem_t *mctx, char *s, unsigned int *argcp, char ***argvp) {
+	return (strtoargvsub(mctx, s, argcp, argvp, 0));
+}
+
+static const char *const primary_synonyms[] = { "primary", "master", NULL };
+
+static const char *const secondary_synonyms[] = { "secondary", "slave", NULL };
+
+static void
+checknames(dns_zonetype_t ztype, const cfg_obj_t **maps,
+	   const cfg_obj_t **objp) {
+	isc_result_t result;
+
+	switch (ztype) {
+	case dns_zone_secondary:
+	case dns_zone_mirror:
+		result = named_checknames_get(maps, secondary_synonyms, objp);
+		break;
+	case dns_zone_primary:
+		result = named_checknames_get(maps, primary_synonyms, objp);
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	INSIST(result == ISC_R_SUCCESS && objp != NULL && *objp != NULL);
+}
+
+/*
+ * Callback to see if a non-recursive query coming from 'srcaddr' to
+ * 'destaddr', with optional key 'mykey' for class 'rdclass' would be
+ * delivered to 'myview'.
+ *
+ * We run this unlocked as both the view list and the interface list
+ * are updated when the appropriate task has exclusivity.
+ */
+static bool
+isself(dns_view_t *myview, dns_tsigkey_t *mykey, const isc_sockaddr_t *srcaddr,
+       const isc_sockaddr_t *dstaddr, dns_rdataclass_t rdclass, void *arg) {
+	ns_interfacemgr_t *interfacemgr = (ns_interfacemgr_t *)arg;
+	dns_aclenv_t *env = ns_interfacemgr_getaclenv(interfacemgr);
+	dns_view_t *view;
+	dns_tsigkey_t *key = NULL;
+	isc_netaddr_t netsrc;
+	isc_netaddr_t netdst;
+
+	if (interfacemgr == NULL) {
+		return (true);
+	}
+
+	if (!ns_interfacemgr_listeningon(interfacemgr, dstaddr)) {
+		return (false);
+	}
+
+	isc_netaddr_fromsockaddr(&netsrc, srcaddr);
+	isc_netaddr_fromsockaddr(&netdst, dstaddr);
+
+	for (view = ISC_LIST_HEAD(named_g_server->viewlist); view != NULL;
+	     view = ISC_LIST_NEXT(view, link))
+	{
+		const dns_name_t *tsig = NULL;
+
+		if (view->matchrecursiveonly) {
+			continue;
+		}
+
+		if (rdclass != view->rdclass) {
+			continue;
+		}
+
+		if (mykey != NULL) {
+			bool match;
+			isc_result_t result;
+
+			result = dns_view_gettsig(view, &mykey->name, &key);
+			if (result != ISC_R_SUCCESS) {
+				continue;
+			}
+			match = dst_key_compare(mykey->key, key->key);
+			dns_tsigkey_detach(&key);
+			if (!match) {
+				continue;
+			}
+			tsig = dns_tsigkey_identity(mykey);
+		}
+
+		if (dns_acl_allowed(&netsrc, tsig, view->matchclients, env) &&
+		    dns_acl_allowed(&netdst, tsig, view->matchdestinations,
+				    env))
+		{
+			break;
+		}
+	}
+	return (view == myview);
+}
+
+/*%
+ * For mirror zones, change "notify yes;" to "notify explicit;", informing the
+ * user only if "notify" was explicitly configured rather than inherited from
+ * default configuration.
+ */
+static dns_notifytype_t
+process_notifytype(dns_notifytype_t ntype, dns_zonetype_t ztype,
+		   const char *zname, const cfg_obj_t **maps) {
+	const cfg_obj_t *obj = NULL;
+
+	/*
+	 * Return the original setting if this is not a mirror zone or if the
+	 * zone is configured with something else than "notify yes;".
+	 */
+	if (ztype != dns_zone_mirror || ntype != dns_notifytype_yes) {
+		return (ntype);
+	}
+
+	/*
+	 * Only log a message if "notify" was set in the configuration
+	 * hierarchy supplied in 'maps'.
+	 */
+	if (named_config_get(maps, "notify", &obj) == ISC_R_SUCCESS) {
+		cfg_obj_log(obj, named_g_lctx, ISC_LOG_INFO,
+			    "'notify explicit;' will be used for mirror zone "
+			    "'%s'",
+			    zname);
+	}
+
+	return (dns_notifytype_explicit);
+}
+
+isc_result_t
+named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
+		     const cfg_obj_t *zconfig, cfg_aclconfctx_t *ac,
+		     dns_kasplist_t *kasplist, dns_zone_t *zone,
+		     dns_zone_t *raw) {
+	isc_result_t result;
+	const char *zname;
+	dns_rdataclass_t zclass;
+	dns_rdataclass_t vclass;
+	const cfg_obj_t *maps[5];
+	const cfg_obj_t *nodefault[4];
+	const cfg_obj_t *zoptions = NULL;
+	const cfg_obj_t *options = NULL;
+	const cfg_obj_t *obj;
+	const char *filename = NULL;
+	const char *kaspname = NULL;
+	const char *dupcheck;
+	dns_notifytype_t notifytype = dns_notifytype_yes;
+	uint32_t count;
+	unsigned int dbargc;
+	char **dbargv;
+	static char default_dbtype[] = "rbt";
+	static char dlz_dbtype[] = "dlz";
+	char *cpval = default_dbtype;
+	isc_mem_t *mctx = dns_zone_getmctx(zone);
+	dns_dialuptype_t dialup = dns_dialuptype_no;
+	dns_zonetype_t ztype;
+	int i;
+	int32_t journal_size;
+	bool multi;
+	bool alt;
+	dns_view_t *view = NULL;
+	dns_kasp_t *kasp = NULL;
+	bool check = false, fail = false;
+	bool warn = false, ignore = false;
+	bool ixfrdiff;
+	bool use_kasp = false;
+	dns_masterformat_t masterformat;
+	const dns_master_style_t *masterstyle = &dns_master_style_default;
+	isc_stats_t *zoneqrystats;
+	dns_stats_t *rcvquerystats;
+	dns_stats_t *dnssecsignstats;
+	dns_zonestat_level_t statlevel = dns_zonestat_none;
+	int seconds;
+	dns_ttl_t maxttl = 0; /* unlimited */
+	dns_zone_t *mayberaw = (raw != NULL) ? raw : zone;
+	isc_dscp_t dscp;
+
+	i = 0;
+	if (zconfig != NULL) {
+		zoptions = cfg_tuple_get(zconfig, "options");
+		nodefault[i] = maps[i] = zoptions;
+		i++;
+	}
+	if (vconfig != NULL) {
+		nodefault[i] = maps[i] = cfg_tuple_get(vconfig, "options");
+		i++;
+	}
+	if (config != NULL) {
+		(void)cfg_map_get(config, "options", &options);
+		if (options != NULL) {
+			nodefault[i] = maps[i] = options;
+			i++;
+		}
+	}
+	nodefault[i] = NULL;
+	maps[i++] = named_g_defaults;
+	maps[i] = NULL;
+
+	if (vconfig != NULL) {
+		CHECK(named_config_getclass(cfg_tuple_get(vconfig, "class"),
+					    dns_rdataclass_in, &vclass));
+	} else {
+		vclass = dns_rdataclass_in;
+	}
+
+	/*
+	 * Configure values common to all zone types.
+	 */
+
+	zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
+
+	CHECK(named_config_getclass(cfg_tuple_get(zconfig, "class"), vclass,
+				    &zclass));
+	dns_zone_setclass(zone, zclass);
+	if (raw != NULL) {
+		dns_zone_setclass(raw, zclass);
+	}
+
+	ztype = zonetype_fromconfig(zoptions);
+	if (raw != NULL) {
+		dns_zone_settype(raw, ztype);
+		dns_zone_settype(zone, dns_zone_primary);
+	} else {
+		dns_zone_settype(zone, ztype);
+	}
+
+	obj = NULL;
+	result = cfg_map_get(zoptions, "database", &obj);
+	if (result == ISC_R_SUCCESS) {
+		cpval = isc_mem_strdup(mctx, cfg_obj_asstring(obj));
+	}
+	if (cpval == NULL) {
+		CHECK(ISC_R_NOMEMORY);
+	}
+
+	obj = NULL;
+	result = cfg_map_get(zoptions, "dlz", &obj);
+	if (result == ISC_R_SUCCESS) {
+		const char *dlzname = cfg_obj_asstring(obj);
+		size_t len;
+
+		if (cpval != default_dbtype) {
+			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "zone '%s': both 'database' and 'dlz' "
+				      "specified",
+				      zname);
+			CHECK(ISC_R_FAILURE);
+		}
+
+		len = strlen(dlzname) + 5;
+		cpval = isc_mem_allocate(mctx, len);
+		snprintf(cpval, len, "dlz %s", dlzname);
+	}
+
+	result = strtoargv(mctx, cpval, &dbargc, &dbargv);
+	if (result != ISC_R_SUCCESS && cpval != default_dbtype) {
+		isc_mem_free(mctx, cpval);
+		CHECK(result);
+	}
+
+	/*
+	 * ANSI C is strange here.  There is no logical reason why (char **)
+	 * cannot be promoted automatically to (const char * const *) by the
+	 * compiler w/o generating a warning.
+	 */
+	dns_zone_setdbtype(zone, dbargc, (const char *const *)dbargv);
+	isc_mem_put(mctx, dbargv, dbargc * sizeof(*dbargv));
+	if (cpval != default_dbtype && cpval != dlz_dbtype) {
+		isc_mem_free(mctx, cpval);
+	}
+
+	obj = NULL;
+	result = cfg_map_get(zoptions, "file", &obj);
+	if (result == ISC_R_SUCCESS) {
+		filename = cfg_obj_asstring(obj);
+	}
+
+	/*
+	 * Unless we're using some alternative database, a master zone
+	 * will be needing a master file.
+	 */
+	if (ztype == dns_zone_primary && cpval == default_dbtype &&
+	    filename == NULL)
+	{
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+			      "zone '%s': 'file' not specified", zname);
+		CHECK(ISC_R_FAILURE);
+	}
+
+	if (ztype == dns_zone_secondary || ztype == dns_zone_mirror) {
+		masterformat = dns_masterformat_raw;
+	} else {
+		masterformat = dns_masterformat_text;
+	}
+	obj = NULL;
+	result = named_config_get(maps, "masterfile-format", &obj);
+	if (result == ISC_R_SUCCESS) {
+		const char *masterformatstr = cfg_obj_asstring(obj);
+
+		if (strcasecmp(masterformatstr, "text") == 0) {
+			masterformat = dns_masterformat_text;
+		} else if (strcasecmp(masterformatstr, "raw") == 0) {
+			masterformat = dns_masterformat_raw;
+		} else if (strcasecmp(masterformatstr, "map") == 0) {
+			masterformat = dns_masterformat_map;
+			cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING,
+				    "masterfile-format: format 'map' is "
+				    "deprecated");
+		} else {
+			UNREACHABLE();
+		}
+	}
+
+	obj = NULL;
+	result = named_config_get(maps, "masterfile-style", &obj);
+	if (result == ISC_R_SUCCESS) {
+		const char *masterstylestr = cfg_obj_asstring(obj);
+
+		if (masterformat != dns_masterformat_text) {
+			cfg_obj_log(obj, named_g_lctx, ISC_LOG_ERROR,
+				    "zone '%s': 'masterfile-style' "
+				    "can only be used with "
+				    "'masterfile-format text'",
+				    zname);
+			CHECK(ISC_R_FAILURE);
+		}
+
+		if (strcasecmp(masterstylestr, "full") == 0) {
+			masterstyle = &dns_master_style_full;
+		} else if (strcasecmp(masterstylestr, "relative") == 0) {
+			masterstyle = &dns_master_style_default;
+		} else {
+			UNREACHABLE();
+		}
+	}
+
+	obj = NULL;
+	result = named_config_get(maps, "max-records", &obj);
+	INSIST(result == ISC_R_SUCCESS && obj != NULL);
+	dns_zone_setmaxrecords(mayberaw, cfg_obj_asuint32(obj));
+	if (zone != mayberaw) {
+		dns_zone_setmaxrecords(zone, 0);
+	}
+
+	if (raw != NULL && filename != NULL) {
+#define SIGNED ".signed"
+		size_t signedlen = strlen(filename) + sizeof(SIGNED);
+		char *signedname;
+
+		CHECK(dns_zone_setfile(raw, filename, masterformat,
+				       masterstyle));
+		signedname = isc_mem_get(mctx, signedlen);
+
+		(void)snprintf(signedname, signedlen, "%s" SIGNED, filename);
+		result = dns_zone_setfile(zone, signedname,
+					  dns_masterformat_raw, NULL);
+		isc_mem_put(mctx, signedname, signedlen);
+		CHECK(result);
+	} else {
+		CHECK(dns_zone_setfile(zone, filename, masterformat,
+				       masterstyle));
+	}
+
+	obj = NULL;
+	result = cfg_map_get(zoptions, "journal", &obj);
+	if (result == ISC_R_SUCCESS) {
+		CHECK(dns_zone_setjournal(mayberaw, cfg_obj_asstring(obj)));
+	}
+
+	/*
+	 * Notify messages are processed by the raw zone if it exists.
+	 */
+	if (ztype == dns_zone_secondary || ztype == dns_zone_mirror) {
+		CHECK(configure_zone_acl(zconfig, vconfig, config, allow_notify,
+					 ac, mayberaw, dns_zone_setnotifyacl,
+					 dns_zone_clearnotifyacl));
+	}
+
+	/*
+	 * XXXAG This probably does not make sense for stubs.
+	 */
+	CHECK(configure_zone_acl(zconfig, vconfig, config, allow_query, ac,
+				 zone, dns_zone_setqueryacl,
+				 dns_zone_clearqueryacl));
+
+	CHECK(configure_zone_acl(zconfig, vconfig, config, allow_query_on, ac,
+				 zone, dns_zone_setqueryonacl,
+				 dns_zone_clearqueryonacl));
+
+	obj = NULL;
+	result = named_config_get(maps, "dialup", &obj);
+	INSIST(result == ISC_R_SUCCESS && obj != NULL);
+	if (cfg_obj_isboolean(obj)) {
+		if (cfg_obj_asboolean(obj)) {
+			dialup = dns_dialuptype_yes;
+		} else {
+			dialup = dns_dialuptype_no;
+		}
+	} else {
+		const char *dialupstr = cfg_obj_asstring(obj);
+		if (strcasecmp(dialupstr, "notify") == 0) {
+			dialup = dns_dialuptype_notify;
+		} else if (strcasecmp(dialupstr, "notify-passive") == 0) {
+			dialup = dns_dialuptype_notifypassive;
+		} else if (strcasecmp(dialupstr, "refresh") == 0) {
+			dialup = dns_dialuptype_refresh;
+		} else if (strcasecmp(dialupstr, "passive") == 0) {
+			dialup = dns_dialuptype_passive;
+		} else {
+			UNREACHABLE();
+		}
+	}
+	if (raw != NULL) {
+		dns_zone_setdialup(raw, dialup);
+	}
+	dns_zone_setdialup(zone, dialup);
+
+	obj = NULL;
+	result = named_config_get(maps, "zone-statistics", &obj);
+	INSIST(result == ISC_R_SUCCESS && obj != NULL);
+	if (cfg_obj_isboolean(obj)) {
+		if (cfg_obj_asboolean(obj)) {
+			statlevel = dns_zonestat_full;
+		} else {
+			statlevel = dns_zonestat_none;
+		}
+	} else {
+		const char *levelstr = cfg_obj_asstring(obj);
+		if (strcasecmp(levelstr, "full") == 0) {
+			statlevel = dns_zonestat_full;
+		} else if (strcasecmp(levelstr, "terse") == 0) {
+			statlevel = dns_zonestat_terse;
+		} else if (strcasecmp(levelstr, "none") == 0) {
+			statlevel = dns_zonestat_none;
+		} else {
+			UNREACHABLE();
+		}
+	}
+	dns_zone_setstatlevel(zone, statlevel);
+
+	zoneqrystats = NULL;
+	rcvquerystats = NULL;
+	dnssecsignstats = NULL;
+	if (statlevel == dns_zonestat_full) {
+		CHECK(isc_stats_create(mctx, &zoneqrystats,
+				       ns_statscounter_max));
+		CHECK(dns_rdatatypestats_create(mctx, &rcvquerystats));
+		CHECK(dns_dnssecsignstats_create(mctx, &dnssecsignstats));
+	}
+	dns_zone_setrequeststats(zone, zoneqrystats);
+	dns_zone_setrcvquerystats(zone, rcvquerystats);
+	dns_zone_setdnssecsignstats(zone, dnssecsignstats);
+
+	if (zoneqrystats != NULL) {
+		isc_stats_detach(&zoneqrystats);
+	}
+
+	if (rcvquerystats != NULL) {
+		dns_stats_detach(&rcvquerystats);
+	}
+
+	if (dnssecsignstats != NULL) {
+		dns_stats_detach(&dnssecsignstats);
+	}
+
+	/*
+	 * Configure master functionality.  This applies
+	 * to primary servers (type "primary") and secondaries
+	 * acting as primaries (type "secondary"), but not to stubs.
+	 */
+	if (ztype != dns_zone_stub && ztype != dns_zone_staticstub &&
+	    ztype != dns_zone_redirect)
+	{
+		obj = NULL;
+		result = named_config_get(maps, "dnssec-policy", &obj);
+		if (result == ISC_R_SUCCESS) {
+			kaspname = cfg_obj_asstring(obj);
+			if (strcmp(kaspname, "none") != 0) {
+				result = dns_kasplist_find(kasplist, kaspname,
+							   &kasp);
+				if (result != ISC_R_SUCCESS) {
+					cfg_obj_log(
+						obj, named_g_lctx,
+						ISC_LOG_ERROR,
+						"dnssec-policy '%s' not found ",
+						kaspname);
+					CHECK(result);
+				}
+				dns_zone_setkasp(zone, kasp);
+				use_kasp = true;
+			}
+		}
+		if (!use_kasp) {
+			dns_zone_setkasp(zone, NULL);
+		}
+
+		obj = NULL;
+		result = named_config_get(maps, "notify", &obj);
+		INSIST(result == ISC_R_SUCCESS && obj != NULL);
+		if (cfg_obj_isboolean(obj)) {
+			if (cfg_obj_asboolean(obj)) {
+				notifytype = dns_notifytype_yes;
+			} else {
+				notifytype = dns_notifytype_no;
+			}
+		} else {
+			const char *str = cfg_obj_asstring(obj);
+			if (strcasecmp(str, "explicit") == 0) {
+				notifytype = dns_notifytype_explicit;
+			} else if (strcasecmp(str, "master-only") == 0 ||
+				   strcasecmp(str, "primary-only") == 0)
+			{
+				notifytype = dns_notifytype_masteronly;
+			} else {
+				UNREACHABLE();
+			}
+		}
+		notifytype = process_notifytype(notifytype, ztype, zname,
+						nodefault);
+		if (raw != NULL) {
+			dns_zone_setnotifytype(raw, dns_notifytype_no);
+		}
+		dns_zone_setnotifytype(zone, notifytype);
+
+		obj = NULL;
+		result = named_config_get(maps, "also-notify", &obj);
+		if (result == ISC_R_SUCCESS &&
+		    (notifytype == dns_notifytype_yes ||
+		     notifytype == dns_notifytype_explicit ||
+		     (notifytype == dns_notifytype_masteronly &&
+		      ztype == dns_zone_primary)))
+		{
+			dns_ipkeylist_t ipkl;
+			dns_ipkeylist_init(&ipkl);
+
+			CHECK(named_config_getipandkeylist(config, "primaries",
+							   obj, mctx, &ipkl));
+			result = dns_zone_setalsonotifydscpkeys(
+				zone, ipkl.addrs, ipkl.dscps, ipkl.keys,
+				ipkl.count);
+			dns_ipkeylist_clear(mctx, &ipkl);
+			CHECK(result);
+		} else {
+			CHECK(dns_zone_setalsonotify(zone, NULL, 0));
+		}
+
+		obj = NULL;
+		result = named_config_get(maps, "parental-source", &obj);
+		INSIST(result == ISC_R_SUCCESS && obj != NULL);
+		CHECK(dns_zone_setparentalsrc4(zone, cfg_obj_assockaddr(obj)));
+		dscp = cfg_obj_getdscp(obj);
+		if (dscp == -1) {
+			dscp = named_g_dscp;
+		}
+		CHECK(dns_zone_setparentalsrc4dscp(zone, dscp));
+		named_add_reserved_dispatch(named_g_server,
+					    cfg_obj_assockaddr(obj));
+
+		obj = NULL;
+		result = named_config_get(maps, "parental-source-v6", &obj);
+		INSIST(result == ISC_R_SUCCESS && obj != NULL);
+		CHECK(dns_zone_setparentalsrc6(zone, cfg_obj_assockaddr(obj)));
+		dscp = cfg_obj_getdscp(obj);
+		if (dscp == -1) {
+			dscp = named_g_dscp;
+		}
+		CHECK(dns_zone_setparentalsrc6dscp(zone, dscp));
+		named_add_reserved_dispatch(named_g_server,
+					    cfg_obj_assockaddr(obj));
+
+		obj = NULL;
+		result = named_config_get(maps, "notify-source", &obj);
+		INSIST(result == ISC_R_SUCCESS && obj != NULL);
+		CHECK(dns_zone_setnotifysrc4(zone, cfg_obj_assockaddr(obj)));
+		dscp = cfg_obj_getdscp(obj);
+		if (dscp == -1) {
+			dscp = named_g_dscp;
+		}
+		CHECK(dns_zone_setnotifysrc4dscp(zone, dscp));
+		named_add_reserved_dispatch(named_g_server,
+					    cfg_obj_assockaddr(obj));
+
+		obj = NULL;
+		result = named_config_get(maps, "notify-source-v6", &obj);
+		INSIST(result == ISC_R_SUCCESS && obj != NULL);
+		CHECK(dns_zone_setnotifysrc6(zone, cfg_obj_assockaddr(obj)));
+		dscp = cfg_obj_getdscp(obj);
+		if (dscp == -1) {
+			dscp = named_g_dscp;
+		}
+		CHECK(dns_zone_setnotifysrc6dscp(zone, dscp));
+		named_add_reserved_dispatch(named_g_server,
+					    cfg_obj_assockaddr(obj));
+
+		obj = NULL;
+		result = named_config_get(maps, "notify-to-soa", &obj);
+		INSIST(result == ISC_R_SUCCESS && obj != NULL);
+		dns_zone_setoption(zone, DNS_ZONEOPT_NOTIFYTOSOA,
+				   cfg_obj_asboolean(obj));
+
+		dns_zone_setisself(zone, isself, named_g_server->interfacemgr);
+
+		CHECK(configure_zone_acl(
+			zconfig, vconfig, config, allow_transfer, ac, zone,
+			dns_zone_setxfracl, dns_zone_clearxfracl));
+
+		obj = NULL;
+		result = named_config_get(maps, "max-transfer-time-out", &obj);
+		INSIST(result == ISC_R_SUCCESS && obj != NULL);
+		dns_zone_setmaxxfrout(zone, cfg_obj_asuint32(obj) * 60);
+
+		obj = NULL;
+		result = named_config_get(maps, "max-transfer-idle-out", &obj);
+		INSIST(result == ISC_R_SUCCESS && obj != NULL);
+		dns_zone_setidleout(zone, cfg_obj_asuint32(obj) * 60);
+
+		obj = NULL;
+		result = named_config_get(maps, "max-journal-size", &obj);
+		INSIST(result == ISC_R_SUCCESS && obj != NULL);
+		if (raw != NULL) {
+			dns_zone_setjournalsize(raw, -1);
+		}
+		dns_zone_setjournalsize(zone, -1);
+		if (cfg_obj_isstring(obj)) {
+			const char *str = cfg_obj_asstring(obj);
+			if (strcasecmp(str, "unlimited") == 0) {
+				journal_size = DNS_JOURNAL_SIZE_MAX;
+			} else {
+				INSIST(strcasecmp(str, "default") == 0);
+				journal_size = -1;
+			}
+		} else {
+			isc_resourcevalue_t value;
+			value = cfg_obj_asuint64(obj);
+			if (value > DNS_JOURNAL_SIZE_MAX) {
+				cfg_obj_log(obj, named_g_lctx, ISC_LOG_ERROR,
+					    "'max-journal-size "
+					    "%" PRId64 "' "
+					    "is too large",
+					    value);
+				CHECK(ISC_R_RANGE);
+			}
+			journal_size = (uint32_t)value;
+		}
+		if (raw != NULL) {
+			dns_zone_setjournalsize(raw, journal_size);
+		}
+		dns_zone_setjournalsize(zone, journal_size);
+
+		obj = NULL;
+		result = named_config_get(maps, "ixfr-from-differences", &obj);
+		INSIST(result == ISC_R_SUCCESS && obj != NULL);
+		if (cfg_obj_isboolean(obj)) {
+			ixfrdiff = cfg_obj_asboolean(obj);
+		} else if ((strcasecmp(cfg_obj_asstring(obj), "primary") == 0 ||
+			    strcasecmp(cfg_obj_asstring(obj), "master") == 0) &&
+			   ztype == dns_zone_primary)
+		{
+			ixfrdiff = true;
+		} else if ((strcasecmp(cfg_obj_asstring(obj), "secondary") ==
+				    0 ||
+			    strcasecmp(cfg_obj_asstring(obj), "slave") == 0) &&
+			   ztype == dns_zone_secondary)
+		{
+			ixfrdiff = true;
+		} else {
+			ixfrdiff = false;
+		}
+		if (raw != NULL) {
+			dns_zone_setoption(raw, DNS_ZONEOPT_IXFRFROMDIFFS,
+					   true);
+			dns_zone_setoption(zone, DNS_ZONEOPT_IXFRFROMDIFFS,
+					   false);
+		} else {
+			dns_zone_setoption(zone, DNS_ZONEOPT_IXFRFROMDIFFS,
+					   ixfrdiff);
+		}
+
+		obj = NULL;
+		result = named_config_get(maps, "max-ixfr-ratio", &obj);
+		INSIST(result == ISC_R_SUCCESS && obj != NULL);
+		if (cfg_obj_isstring(obj)) {
+			dns_zone_setixfrratio(zone, 0);
+		} else {
+			dns_zone_setixfrratio(zone, cfg_obj_aspercentage(obj));
+		}
+
+		obj = NULL;
+		result = named_config_get(maps, "request-expire", &obj);
+		INSIST(result == ISC_R_SUCCESS);
+		dns_zone_setrequestexpire(zone, cfg_obj_asboolean(obj));
+
+		obj = NULL;
+		result = named_config_get(maps, "request-ixfr", &obj);
+		INSIST(result == ISC_R_SUCCESS);
+		dns_zone_setrequestixfr(zone, cfg_obj_asboolean(obj));
+
+		obj = NULL;
+		checknames(ztype, maps, &obj);
+		INSIST(obj != NULL);
+		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
+			fail = false;
+			check = true;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
+			fail = check = true;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
+			fail = check = false;
+		} else {
+			UNREACHABLE();
+		}
+		if (raw != NULL) {
+			dns_zone_setoption(raw, DNS_ZONEOPT_CHECKNAMES, check);
+			dns_zone_setoption(raw, DNS_ZONEOPT_CHECKNAMESFAIL,
+					   fail);
+			dns_zone_setoption(zone, DNS_ZONEOPT_CHECKNAMES, false);
+			dns_zone_setoption(zone, DNS_ZONEOPT_CHECKNAMESFAIL,
+					   false);
+		} else {
+			dns_zone_setoption(zone, DNS_ZONEOPT_CHECKNAMES, check);
+			dns_zone_setoption(zone, DNS_ZONEOPT_CHECKNAMESFAIL,
+					   fail);
+		}
+
+		obj = NULL;
+		result = named_config_get(maps, "notify-delay", &obj);
+		INSIST(result == ISC_R_SUCCESS && obj != NULL);
+		dns_zone_setnotifydelay(zone, cfg_obj_asuint32(obj));
+
+		obj = NULL;
+		result = named_config_get(maps, "check-sibling", &obj);
+		INSIST(result == ISC_R_SUCCESS && obj != NULL);
+		dns_zone_setoption(zone, DNS_ZONEOPT_CHECKSIBLING,
+				   cfg_obj_asboolean(obj));
+
+		obj = NULL;
+		result = named_config_get(maps, "check-spf", &obj);
+		INSIST(result == ISC_R_SUCCESS && obj != NULL);
+		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
+			check = true;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
+			check = false;
+		} else {
+			UNREACHABLE();
+		}
+		dns_zone_setoption(zone, DNS_ZONEOPT_CHECKSPF, check);
+
+		obj = NULL;
+		result = named_config_get(maps, "zero-no-soa-ttl", &obj);
+		INSIST(result == ISC_R_SUCCESS && obj != NULL);
+		dns_zone_setzeronosoattl(zone, cfg_obj_asboolean(obj));
+
+		obj = NULL;
+		result = named_config_get(maps, "nsec3-test-zone", &obj);
+		INSIST(result == ISC_R_SUCCESS && obj != NULL);
+		dns_zone_setoption(zone, DNS_ZONEOPT_NSEC3TESTZONE,
+				   cfg_obj_asboolean(obj));
+	} else if (ztype == dns_zone_redirect) {
+		dns_zone_setnotifytype(zone, dns_notifytype_no);
+
+		obj = NULL;
+		result = named_config_get(maps, "max-journal-size", &obj);
+		INSIST(result == ISC_R_SUCCESS && obj != NULL);
+		dns_zone_setjournalsize(zone, -1);
+		if (cfg_obj_isstring(obj)) {
+			const char *str = cfg_obj_asstring(obj);
+			if (strcasecmp(str, "unlimited") == 0) {
+				journal_size = DNS_JOURNAL_SIZE_MAX;
+			} else {
+				INSIST(strcasecmp(str, "default") == 0);
+				journal_size = -1;
+			}
+		} else {
+			isc_resourcevalue_t value;
+			value = cfg_obj_asuint64(obj);
+			if (value > DNS_JOURNAL_SIZE_MAX) {
+				cfg_obj_log(obj, named_g_lctx, ISC_LOG_ERROR,
+					    "'max-journal-size "
+					    "%" PRId64 "' "
+					    "is too large",
+					    value);
+				CHECK(ISC_R_RANGE);
+			}
+			journal_size = (uint32_t)value;
+		}
+		dns_zone_setjournalsize(zone, journal_size);
+	}
+
+	if (use_kasp) {
+		maxttl = dns_kasp_zonemaxttl(dns_zone_getkasp(zone));
+	} else {
+		obj = NULL;
+		result = named_config_get(maps, "max-zone-ttl", &obj);
+		if (result == ISC_R_SUCCESS) {
+			if (cfg_obj_isduration(obj)) {
+				maxttl = cfg_obj_asduration(obj);
+			}
+		}
+	}
+	dns_zone_setmaxttl(zone, maxttl);
+	if (raw != NULL) {
+		dns_zone_setmaxttl(raw, maxttl);
+	}
+
+	/*
+	 * Configure update-related options.  These apply to
+	 * primary servers only.
+	 */
+	if (ztype == dns_zone_primary) {
+		dns_acl_t *updateacl;
+
+		CHECK(configure_zone_acl(zconfig, vconfig, config, allow_update,
+					 ac, mayberaw, dns_zone_setupdateacl,
+					 dns_zone_clearupdateacl));
+
+		updateacl = dns_zone_getupdateacl(mayberaw);
+		if (updateacl != NULL && dns_acl_isinsecure(updateacl)) {
+			isc_log_write(named_g_lctx, DNS_LOGCATEGORY_SECURITY,
+				      NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING,
+				      "zone '%s' allows unsigned updates "
+				      "from remote hosts, which is insecure",
+				      zname);
+		}
+
+		CHECK(configure_zone_ssutable(zoptions, mayberaw, zname));
+	}
+
+	/*
+	 * Configure DNSSEC signing. These apply to primary zones or zones that
+	 * use inline-signing (raw != NULL).
+	 */
+	if (ztype == dns_zone_primary || raw != NULL) {
+		const cfg_obj_t *validity, *resign;
+		bool allow = false, maint = false;
+		bool sigvalinsecs;
+
+		if (use_kasp) {
+			if (dns_kasp_nsec3(kasp)) {
+				result = dns_zone_setnsec3param(
+					zone, 1, dns_kasp_nsec3flags(kasp),
+					dns_kasp_nsec3iter(kasp),
+					dns_kasp_nsec3saltlen(kasp), NULL, true,
+					false);
+			} else {
+				result = dns_zone_setnsec3param(
+					zone, 0, 0, 0, 0, NULL, true, false);
+			}
+			INSIST(result == ISC_R_SUCCESS);
+		}
+
+		if (use_kasp) {
+			seconds = (uint32_t)dns_kasp_sigvalidity_dnskey(kasp);
+		} else {
+			obj = NULL;
+			result = named_config_get(maps, "dnskey-sig-validity",
+						  &obj);
+			INSIST(result == ISC_R_SUCCESS && obj != NULL);
+			seconds = cfg_obj_asuint32(obj) * 86400;
+		}
+		dns_zone_setkeyvalidityinterval(zone, seconds);
+
+		if (use_kasp) {
+			seconds = (uint32_t)dns_kasp_sigvalidity(kasp);
+			dns_zone_setsigvalidityinterval(zone, seconds);
+			seconds = (uint32_t)dns_kasp_sigrefresh(kasp);
+			dns_zone_setsigresigninginterval(zone, seconds);
+		} else {
+			obj = NULL;
+			result = named_config_get(maps, "sig-validity-interval",
+						  &obj);
+			INSIST(result == ISC_R_SUCCESS && obj != NULL);
+
+			sigvalinsecs = ns_server_getoption(
+				named_g_server->sctx, NS_SERVER_SIGVALINSECS);
+			validity = cfg_tuple_get(obj, "validity");
+			seconds = cfg_obj_asuint32(validity);
+			if (!sigvalinsecs) {
+				seconds *= 86400;
+			}
+			dns_zone_setsigvalidityinterval(zone, seconds);
+
+			resign = cfg_tuple_get(obj, "re-sign");
+			if (cfg_obj_isvoid(resign)) {
+				seconds /= 4;
+			} else if (!sigvalinsecs) {
+				uint32_t r = cfg_obj_asuint32(resign);
+				if (seconds > 7 * 86400) {
+					seconds = r * 86400;
+				} else {
+					seconds = r * 3600;
+				}
+			} else {
+				seconds = cfg_obj_asuint32(resign);
+			}
+			dns_zone_setsigresigninginterval(zone, seconds);
+		}
+
+		obj = NULL;
+		result = named_config_get(maps, "key-directory", &obj);
+		if (result == ISC_R_SUCCESS) {
+			filename = cfg_obj_asstring(obj);
+			CHECK(dns_zone_setkeydirectory(zone, filename));
+		}
+
+		obj = NULL;
+		result = named_config_get(maps, "sig-signing-signatures", &obj);
+		INSIST(result == ISC_R_SUCCESS && obj != NULL);
+		dns_zone_setsignatures(zone, cfg_obj_asuint32(obj));
+
+		obj = NULL;
+		result = named_config_get(maps, "sig-signing-nodes", &obj);
+		INSIST(result == ISC_R_SUCCESS && obj != NULL);
+		dns_zone_setnodes(zone, cfg_obj_asuint32(obj));
+
+		obj = NULL;
+		result = named_config_get(maps, "sig-signing-type", &obj);
+		INSIST(result == ISC_R_SUCCESS && obj != NULL);
+		dns_zone_setprivatetype(zone, cfg_obj_asuint32(obj));
+
+		obj = NULL;
+		result = named_config_get(maps, "update-check-ksk", &obj);
+		INSIST(result == ISC_R_SUCCESS && obj != NULL);
+		dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK,
+				   cfg_obj_asboolean(obj));
+		/*
+		 * This setting will be ignored if dnssec-policy is used.
+		 * named-checkconf will error if both are configured.
+		 */
+
+		obj = NULL;
+		result = named_config_get(maps, "dnssec-dnskey-kskonly", &obj);
+		INSIST(result == ISC_R_SUCCESS && obj != NULL);
+		dns_zone_setoption(zone, DNS_ZONEOPT_DNSKEYKSKONLY,
+				   cfg_obj_asboolean(obj));
+		/*
+		 * This setting will be ignored if dnssec-policy is used.
+		 * named-checkconf will error if both are configured.
+		 */
+
+		obj = NULL;
+		result = named_config_get(maps, "dnssec-loadkeys-interval",
+					  &obj);
+		INSIST(result == ISC_R_SUCCESS && obj != NULL);
+		CHECK(dns_zone_setrefreshkeyinterval(zone,
+						     cfg_obj_asuint32(obj)));
+
+		obj = NULL;
+		result = cfg_map_get(zoptions, "auto-dnssec", &obj);
+		if (kasp != NULL) {
+			bool s2i = (strcmp(dns_kasp_getname(kasp),
+					   "insecure") != 0);
+			dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, true);
+			dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, !s2i);
+			dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, true);
+		} else if (result == ISC_R_SUCCESS) {
+			const char *arg = cfg_obj_asstring(obj);
+			if (strcasecmp(arg, "allow") == 0) {
+				allow = true;
+			} else if (strcasecmp(arg, "maintain") == 0) {
+				allow = maint = true;
+			} else if (strcasecmp(arg, "off") == 0) {
+				/* Default */
+			} else {
+				UNREACHABLE();
+			}
+			dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, allow);
+			dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, false);
+			dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, maint);
+		}
+	}
+
+	if (ztype == dns_zone_secondary || ztype == dns_zone_mirror) {
+		CHECK(configure_zone_acl(zconfig, vconfig, config,
+					 allow_update_forwarding, ac, mayberaw,
+					 dns_zone_setforwardacl,
+					 dns_zone_clearforwardacl));
+	}
+
+	/*%
+	 * Configure parental agents, applies to primary and secondary zones.
+	 */
+	if (ztype == dns_zone_primary || ztype == dns_zone_secondary) {
+		obj = NULL;
+		(void)cfg_map_get(zoptions, "parental-agents", &obj);
+		if (obj != NULL) {
+			dns_ipkeylist_t ipkl;
+			dns_ipkeylist_init(&ipkl);
+			CHECK(named_config_getipandkeylist(
+				config, "parental-agents", obj, mctx, &ipkl));
+			result = dns_zone_setparentals(zone, ipkl.addrs,
+						       ipkl.keys, ipkl.count);
+			dns_ipkeylist_clear(mctx, &ipkl);
+			CHECK(result);
+		} else {
+			CHECK(dns_zone_setparentals(zone, NULL, NULL, 0));
+		}
+	}
+
+	/*%
+	 * Primary master functionality.
+	 */
+	if (ztype == dns_zone_primary) {
+		obj = NULL;
+		result = named_config_get(maps, "check-wildcard", &obj);
+		if (result == ISC_R_SUCCESS) {
+			check = cfg_obj_asboolean(obj);
+		} else {
+			check = false;
+		}
+		dns_zone_setoption(mayberaw, DNS_ZONEOPT_CHECKWILDCARD, check);
+
+		/*
+		 * With map files, the default is ignore duplicate
+		 * records.  With other master formats, the default is
+		 * taken from the global configuration.
+		 */
+		obj = NULL;
+		if (masterformat != dns_masterformat_map) {
+			result = named_config_get(maps, "check-dup-records",
+						  &obj);
+			INSIST(result == ISC_R_SUCCESS && obj != NULL);
+			dupcheck = cfg_obj_asstring(obj);
+		} else {
+			result = named_config_get(nodefault,
+						  "check-dup-records", &obj);
+			if (result == ISC_R_SUCCESS) {
+				dupcheck = cfg_obj_asstring(obj);
+			} else {
+				dupcheck = "ignore";
+			}
+		}
+		if (strcasecmp(dupcheck, "warn") == 0) {
+			fail = false;
+			check = true;
+		} else if (strcasecmp(dupcheck, "fail") == 0) {
+			fail = check = true;
+		} else if (strcasecmp(dupcheck, "ignore") == 0) {
+			fail = check = false;
+		} else {
+			UNREACHABLE();
+		}
+		dns_zone_setoption(mayberaw, DNS_ZONEOPT_CHECKDUPRR, check);
+		dns_zone_setoption(mayberaw, DNS_ZONEOPT_CHECKDUPRRFAIL, fail);
+
+		obj = NULL;
+		result = named_config_get(maps, "check-mx", &obj);
+		INSIST(result == ISC_R_SUCCESS && obj != NULL);
+		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
+			fail = false;
+			check = true;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
+			fail = check = true;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
+			fail = check = false;
+		} else {
+			UNREACHABLE();
+		}
+		dns_zone_setoption(mayberaw, DNS_ZONEOPT_CHECKMX, check);
+		dns_zone_setoption(mayberaw, DNS_ZONEOPT_CHECKMXFAIL, fail);
+
+		/*
+		 * With map files, the default is *not* to check
+		 * integrity.  With other master formats, the default is
+		 * taken from the global configuration.
+		 */
+		obj = NULL;
+		if (masterformat != dns_masterformat_map) {
+			result = named_config_get(maps, "check-integrity",
+						  &obj);
+			INSIST(result == ISC_R_SUCCESS && obj != NULL);
+			dns_zone_setoption(mayberaw, DNS_ZONEOPT_CHECKINTEGRITY,
+					   cfg_obj_asboolean(obj));
+		} else {
+			check = false;
+			result = named_config_get(nodefault, "check-integrity",
+						  &obj);
+			if (result == ISC_R_SUCCESS) {
+				check = cfg_obj_asboolean(obj);
+			}
+			dns_zone_setoption(mayberaw, DNS_ZONEOPT_CHECKINTEGRITY,
+					   check);
+		}
+
+		obj = NULL;
+		result = named_config_get(maps, "check-mx-cname", &obj);
+		INSIST(result == ISC_R_SUCCESS && obj != NULL);
+		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
+			warn = true;
+			ignore = false;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
+			warn = ignore = false;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
+			warn = ignore = true;
+		} else {
+			UNREACHABLE();
+		}
+		dns_zone_setoption(mayberaw, DNS_ZONEOPT_WARNMXCNAME, warn);
+		dns_zone_setoption(mayberaw, DNS_ZONEOPT_IGNOREMXCNAME, ignore);
+
+		obj = NULL;
+		result = named_config_get(maps, "check-srv-cname", &obj);
+		INSIST(result == ISC_R_SUCCESS && obj != NULL);
+		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
+			warn = true;
+			ignore = false;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
+			warn = ignore = false;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
+			warn = ignore = true;
+		} else {
+			UNREACHABLE();
+		}
+		dns_zone_setoption(mayberaw, DNS_ZONEOPT_WARNSRVCNAME, warn);
+		dns_zone_setoption(mayberaw, DNS_ZONEOPT_IGNORESRVCNAME,
+				   ignore);
+
+		obj = NULL;
+		result = named_config_get(maps, "dnssec-secure-to-insecure",
+					  &obj);
+		INSIST(result == ISC_R_SUCCESS && obj != NULL);
+		dns_zone_setoption(mayberaw, DNS_ZONEOPT_SECURETOINSECURE,
+				   cfg_obj_asboolean(obj));
+
+		obj = NULL;
+		result = cfg_map_get(zoptions, "dnssec-update-mode", &obj);
+		if (result == ISC_R_SUCCESS) {
+			const char *arg = cfg_obj_asstring(obj);
+			if (strcasecmp(arg, "no-resign") == 0) {
+				dns_zone_setkeyopt(zone, DNS_ZONEKEY_NORESIGN,
+						   true);
+			} else if (strcasecmp(arg, "maintain") == 0) {
+				/* Default */
+			} else {
+				UNREACHABLE();
+			}
+		}
+
+		obj = NULL;
+		result = named_config_get(maps, "serial-update-method", &obj);
+		INSIST(result == ISC_R_SUCCESS && obj != NULL);
+		if (strcasecmp(cfg_obj_asstring(obj), "unixtime") == 0) {
+			dns_zone_setserialupdatemethod(
+				zone, dns_updatemethod_unixtime);
+		} else if (strcasecmp(cfg_obj_asstring(obj), "date") == 0) {
+			dns_zone_setserialupdatemethod(zone,
+						       dns_updatemethod_date);
+		} else {
+			dns_zone_setserialupdatemethod(
+				zone, dns_updatemethod_increment);
+		}
+	}
+
+	/*
+	 * Configure slave functionality.
+	 */
+	switch (ztype) {
+	case dns_zone_mirror:
+		/*
+		 * Disable outgoing zone transfers for mirror zones unless they
+		 * are explicitly enabled by zone configuration.
+		 */
+		obj = NULL;
+		(void)cfg_map_get(zoptions, "allow-transfer", &obj);
+		if (obj == NULL) {
+			dns_acl_t *none;
+			CHECK(dns_acl_none(mctx, &none));
+			dns_zone_setxfracl(zone, none);
+			dns_acl_detach(&none);
+		}
+		FALLTHROUGH;
+	case dns_zone_secondary:
+	case dns_zone_stub:
+	case dns_zone_redirect:
+		count = 0;
+		obj = NULL;
+		(void)cfg_map_get(zoptions, "primaries", &obj);
+		if (obj == NULL) {
+			(void)cfg_map_get(zoptions, "masters", &obj);
+		}
+
+		/*
+		 * Use the built-in primary server list if one was not
+		 * explicitly specified and this is a root zone mirror.
+		 */
+		if (obj == NULL && ztype == dns_zone_mirror &&
+		    dns_name_equal(dns_zone_getorigin(zone), dns_rootname))
+		{
+			result = named_config_getremotesdef(
+				named_g_config, "primaries",
+				DEFAULT_IANA_ROOT_ZONE_PRIMARIES, &obj);
+			CHECK(result);
+		}
+		if (obj != NULL) {
+			dns_ipkeylist_t ipkl;
+			dns_ipkeylist_init(&ipkl);
+
+			CHECK(named_config_getipandkeylist(config, "primaries",
+							   obj, mctx, &ipkl));
+			result = dns_zone_setprimarieswithkeys(
+				mayberaw, ipkl.addrs, ipkl.keys, ipkl.count);
+			count = ipkl.count;
+			dns_ipkeylist_clear(mctx, &ipkl);
+			CHECK(result);
+		} else {
+			result = dns_zone_setprimaries(mayberaw, NULL, 0);
+		}
+		CHECK(result);
+
+		multi = false;
+		if (count > 1) {
+			obj = NULL;
+			result = named_config_get(maps, "multi-master", &obj);
+			INSIST(result == ISC_R_SUCCESS && obj != NULL);
+			multi = cfg_obj_asboolean(obj);
+		}
+		dns_zone_setoption(mayberaw, DNS_ZONEOPT_MULTIMASTER, multi);
+
+		obj = NULL;
+		result = named_config_get(maps, "max-transfer-time-in", &obj);
+		INSIST(result == ISC_R_SUCCESS && obj != NULL);
+		dns_zone_setmaxxfrin(mayberaw, cfg_obj_asuint32(obj) * 60);
+
+		obj = NULL;
+		result = named_config_get(maps, "max-transfer-idle-in", &obj);
+		INSIST(result == ISC_R_SUCCESS && obj != NULL);
+		dns_zone_setidlein(mayberaw, cfg_obj_asuint32(obj) * 60);
+
+		obj = NULL;
+		result = named_config_get(maps, "max-refresh-time", &obj);
+		INSIST(result == ISC_R_SUCCESS && obj != NULL);
+		dns_zone_setmaxrefreshtime(mayberaw, cfg_obj_asuint32(obj));
+
+		obj = NULL;
+		result = named_config_get(maps, "min-refresh-time", &obj);
+		INSIST(result == ISC_R_SUCCESS && obj != NULL);
+		dns_zone_setminrefreshtime(mayberaw, cfg_obj_asuint32(obj));
+
+		obj = NULL;
+		result = named_config_get(maps, "max-retry-time", &obj);
+		INSIST(result == ISC_R_SUCCESS && obj != NULL);
+		dns_zone_setmaxretrytime(mayberaw, cfg_obj_asuint32(obj));
+
+		obj = NULL;
+		result = named_config_get(maps, "min-retry-time", &obj);
+		INSIST(result == ISC_R_SUCCESS && obj != NULL);
+		dns_zone_setminretrytime(mayberaw, cfg_obj_asuint32(obj));
+
+		obj = NULL;
+		result = named_config_get(maps, "transfer-source", &obj);
+		INSIST(result == ISC_R_SUCCESS && obj != NULL);
+		CHECK(dns_zone_setxfrsource4(mayberaw,
+					     cfg_obj_assockaddr(obj)));
+		dscp = cfg_obj_getdscp(obj);
+		if (dscp == -1) {
+			dscp = named_g_dscp;
+		}
+		CHECK(dns_zone_setxfrsource4dscp(mayberaw, dscp));
+		named_add_reserved_dispatch(named_g_server,
+					    cfg_obj_assockaddr(obj));
+
+		obj = NULL;
+		result = named_config_get(maps, "transfer-source-v6", &obj);
+		INSIST(result == ISC_R_SUCCESS && obj != NULL);
+		CHECK(dns_zone_setxfrsource6(mayberaw,
+					     cfg_obj_assockaddr(obj)));
+		dscp = cfg_obj_getdscp(obj);
+		if (dscp == -1) {
+			dscp = named_g_dscp;
+		}
+		CHECK(dns_zone_setxfrsource6dscp(mayberaw, dscp));
+		named_add_reserved_dispatch(named_g_server,
+					    cfg_obj_assockaddr(obj));
+
+		obj = NULL;
+		result = named_config_get(maps, "alt-transfer-source", &obj);
+		INSIST(result == ISC_R_SUCCESS && obj != NULL);
+		CHECK(dns_zone_setaltxfrsource4(mayberaw,
+						cfg_obj_assockaddr(obj)));
+		dscp = cfg_obj_getdscp(obj);
+		if (dscp == -1) {
+			dscp = named_g_dscp;
+		}
+		CHECK(dns_zone_setaltxfrsource4dscp(mayberaw, dscp));
+
+		obj = NULL;
+		result = named_config_get(maps, "alt-transfer-source-v6", &obj);
+		INSIST(result == ISC_R_SUCCESS && obj != NULL);
+		CHECK(dns_zone_setaltxfrsource6(mayberaw,
+						cfg_obj_assockaddr(obj)));
+		dscp = cfg_obj_getdscp(obj);
+		if (dscp == -1) {
+			dscp = named_g_dscp;
+		}
+		CHECK(dns_zone_setaltxfrsource6dscp(mayberaw, dscp));
+
+		obj = NULL;
+		(void)named_config_get(maps, "use-alt-transfer-source", &obj);
+		if (obj == NULL) {
+			/*
+			 * Default off when views are in use otherwise
+			 * on for BIND 8 compatibility.
+			 */
+			view = dns_zone_getview(zone);
+			if (view != NULL && strcmp(view->name, "_default") == 0)
+			{
+				alt = true;
+			} else {
+				alt = false;
+			}
+		} else {
+			alt = cfg_obj_asboolean(obj);
+		}
+		dns_zone_setoption(mayberaw, DNS_ZONEOPT_USEALTXFRSRC, alt);
+
+		obj = NULL;
+		(void)named_config_get(maps, "try-tcp-refresh", &obj);
+		dns_zone_setoption(mayberaw, DNS_ZONEOPT_TRYTCPREFRESH,
+				   cfg_obj_asboolean(obj));
+		break;
+
+	case dns_zone_staticstub:
+		CHECK(configure_staticstub(zoptions, zone, zname,
+					   default_dbtype));
+		break;
+
+	default:
+		break;
+	}
+
+	result = ISC_R_SUCCESS;
+
+cleanup:
+	if (kasp != NULL) {
+		dns_kasp_detach(&kasp);
+	}
+	return (result);
+}
+
+/*
+ * Set up a DLZ zone as writeable
+ */
+isc_result_t
+named_zone_configure_writeable_dlz(dns_dlzdb_t *dlzdatabase, dns_zone_t *zone,
+				   dns_rdataclass_t rdclass, dns_name_t *name) {
+	dns_db_t *db = NULL;
+	isc_time_t now;
+	isc_result_t result;
+
+	TIME_NOW(&now);
+
+	dns_zone_settype(zone, dns_zone_dlz);
+	result = dns_sdlz_setdb(dlzdatabase, rdclass, name, &db);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	result = dns_zone_dlzpostload(zone, db);
+	dns_db_detach(&db);
+	return (result);
+}
+
+bool
+named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) {
+	const cfg_obj_t *zoptions = NULL;
+	const cfg_obj_t *obj = NULL;
+	const char *cfilename;
+	const char *zfilename;
+	dns_zone_t *raw = NULL;
+	bool has_raw, inline_signing;
+	dns_zonetype_t ztype;
+
+	zoptions = cfg_tuple_get(zconfig, "options");
+
+	/*
+	 * We always reconfigure a static-stub zone for simplicity, assuming
+	 * the amount of data to be loaded is small.
+	 */
+	if (zonetype_fromconfig(zoptions) == dns_zone_staticstub) {
+		dns_zone_log(zone, ISC_LOG_DEBUG(1),
+			     "not reusable: staticstub");
+		return (false);
+	}
+
+	/* If there's a raw zone, use that for filename and type comparison */
+	dns_zone_getraw(zone, &raw);
+	if (raw != NULL) {
+		zfilename = dns_zone_getfile(raw);
+		ztype = dns_zone_gettype(raw);
+		dns_zone_detach(&raw);
+		has_raw = true;
+	} else {
+		zfilename = dns_zone_getfile(zone);
+		ztype = dns_zone_gettype(zone);
+		has_raw = false;
+	}
+
+	inline_signing = named_zone_inlinesigning(zconfig);
+	if (!inline_signing && has_raw) {
+		dns_zone_log(zone, ISC_LOG_DEBUG(1),
+			     "not reusable: old zone was inline-signing");
+		return (false);
+	} else if (inline_signing && !has_raw) {
+		dns_zone_log(zone, ISC_LOG_DEBUG(1),
+			     "not reusable: old zone was not inline-signing");
+		return (false);
+	}
+
+	if (zonetype_fromconfig(zoptions) != ztype) {
+		dns_zone_log(zone, ISC_LOG_DEBUG(1),
+			     "not reusable: type mismatch");
+		return (false);
+	}
+
+	obj = NULL;
+	(void)cfg_map_get(zoptions, "file", &obj);
+	if (obj != NULL) {
+		cfilename = cfg_obj_asstring(obj);
+	} else {
+		cfilename = NULL;
+	}
+	if (!((cfilename == NULL && zfilename == NULL) ||
+	      (cfilename != NULL && zfilename != NULL &&
+	       strcmp(cfilename, zfilename) == 0)))
+	{
+		dns_zone_log(zone, ISC_LOG_DEBUG(1),
+			     "not reusable: filename mismatch");
+		return (false);
+	}
+
+	return (true);
+}
+
+bool
+named_zone_inlinesigning(const cfg_obj_t *zconfig) {
+	const cfg_obj_t *zoptions = NULL;
+	const cfg_obj_t *signing = NULL;
+	bool inline_signing = false;
+
+	zoptions = cfg_tuple_get(zconfig, "options");
+	inline_signing = (cfg_map_get(zoptions, "inline-signing", &signing) ==
+				  ISC_R_SUCCESS &&
+			  cfg_obj_asboolean(signing));
+
+	return (inline_signing);
+}
diff --git a/bin/nsupdate/Makefile.in b/bin/nsupdate/Makefile.in
new file mode 100644
index 0000000..37d5cb3
--- /dev/null
+++ b/bin/nsupdate/Makefile.in
@@ -0,0 +1,86 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+READLINE_LIB = @READLINE_LIB@
+
+DST_GSSAPI_INC = @DST_GSSAPI_INC@
+
+CINCLUDES =	${DNS_INCLUDES} ${BIND9_INCLUDES} ${ISC_INCLUDES} \
+		${ISCCFG_INCLUDES} ${IRS_INCLUDES} ${DST_GSSAPI_INC} \
+		${OPENSSL_CFLAGS}
+
+CDEFINES =	-DVERSION=\"${VERSION}\" @USE_GSSAPI@
+CWARNINGS =
+
+DNSLIBS =	../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+BIND9LIBS =	../../lib/bind9/libbind9.@A@
+ISCLIBS =	../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@
+ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
+IRSLIBS =	../../lib/irs/libirs.@A@
+
+DNSDEPLIBS =	../../lib/dns/libdns.@A@
+BIND9DEPLIBS =	../../lib/bind9/libbind9.@A@
+ISCDEPLIBS =	../../lib/isc/libisc.@A@
+ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
+IRSDEPLIBS =	../../lib/irs/libirs.@A@
+
+DEPLIBS =	${DNSDEPLIBS} ${IRSDEPLIBS} ${BIND9DEPLIBS} \
+		${ISCDEPLIBS} ${ISCCFGDEPLIBS}
+
+LIBS =		${DNSLIBS} ${IRSLIBS} ${BIND9LIBS} \
+		${ISCCFGLIBS} ${ISCLIBS} ${GSSAPI_LIBS} \
+		@LIBS@
+
+NOSYMLIBS =	${DNSLIBS} ${IRSLIBS} ${BIND9LIBS} \
+		${ISCCFGLIBS} ${ISCNOSYMLIBS} @LIBS@
+
+SUBDIRS =
+
+TARGETS =	nsupdate@EXEEXT@
+
+OBJS =		nsupdate.@O@
+
+UOBJS =
+
+SRCS =		nsupdate.c
+
+@BIND9_MAKE_RULES@
+
+nsupdate.@O@: nsupdate.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+		-DSESSION_KEYFILE=\"${localstatedir}/run/named/session.key\" \
+		-c ${srcdir}/nsupdate.c
+
+nsupdate@EXEEXT@: nsupdate.@O@ ${UOBJS} ${DEPLIBS}
+	export BASEOBJS="nsupdate.@O@ ${READLINE_LIB} ${UOBJS}"; \
+	export LIBS0="${DNSLIBS} ${IRSLIBS}"; \
+	${FINALBUILDCMD}
+
+clean distclean::
+	rm -f ${TARGETS}
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir}
+
+install:: nsupdate@EXEEXT@ installdirs
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} nsupdate@EXEEXT@ ${DESTDIR}${bindir}
+
+uninstall::
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${bindir}/nsupdate@EXEEXT@
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
new file mode 100644
index 0000000..6c93a03
--- /dev/null
+++ b/bin/nsupdate/nsupdate.c
@@ -0,0 +1,3491 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <ctype.h>
+#include <errno.h>
+#include <inttypes.h>
+#include <limits.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#include <isc/app.h>
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/event.h>
+#include <isc/file.h>
+#include <isc/hash.h>
+#include <isc/lex.h>
+#include <isc/log.h>
+#include <isc/managers.h>
+#include <isc/mem.h>
+#include <isc/nonce.h>
+#include <isc/parseint.h>
+#include <isc/platform.h>
+#include <isc/portset.h>
+#include <isc/print.h>
+#include <isc/random.h>
+#include <isc/region.h>
+#include <isc/sockaddr.h>
+#include <isc/socket.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <pk11/site.h>
+
+#include <dns/callbacks.h>
+#include <dns/dispatch.h>
+#include <dns/dnssec.h>
+#include <dns/events.h>
+#include <dns/fixedname.h>
+#include <dns/log.h>
+#include <dns/masterdump.h>
+#include <dns/message.h>
+#include <dns/name.h>
+#include <dns/nsec3.h>
+#include <dns/rcode.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/request.h>
+#include <dns/result.h>
+#include <dns/tkey.h>
+#include <dns/tsig.h>
+
+#include <dst/dst.h>
+
+#include <isccfg/namedconf.h>
+
+#include <irs/resconf.h>
+
+#ifdef GSSAPI
+#include <dst/gssapi.h>
+#ifdef WIN32
+#include <gssapi/gssapi.h>
+#include <gssapi/gssapi_krb5.h>
+#include <krb5/krb5.h>
+#else /* ifdef WIN32 */
+#include ISC_PLATFORM_GSSAPIHEADER
+#ifdef ISC_PLATFORM_GSSAPI_KRB5_HEADER
+#include ISC_PLATFORM_GSSAPI_KRB5_HEADER
+#endif /* ifdef ISC_PLATFORM_GSSAPI_KRB5_HEADER */
+#include ISC_PLATFORM_KRB5HEADER
+#endif /* ifdef WIN32 */
+#endif /* ifdef GSSAPI */
+#include <bind9/getaddresses.h>
+
+#if defined(HAVE_READLINE)
+#if defined(HAVE_EDIT_READLINE_READLINE_H)
+#include <edit/readline/readline.h>
+#if defined(HAVE_EDIT_READLINE_HISTORY_H)
+#include <edit/readline/history.h>
+#endif /* if defined(HAVE_EDIT_READLINE_HISTORY_H) */
+#elif defined(HAVE_EDITLINE_READLINE_H)
+#include <editline/readline.h>
+#else /* if defined(HAVE_EDIT_READLINE_READLINE_H) */
+/* Prevent deprecated functions being declared. */
+#define _FUNCTION_DEF 1
+/* Ensure rl_message() gets prototype. */
+#define USE_VARARGS   1
+#define PREFER_STDARG 1
+#include <readline/history.h>
+#include <readline/readline.h>
+#endif /* if defined(HAVE_EDIT_READLINE_READLINE_H) */
+#endif /* if defined(HAVE_READLINE) */
+
+#define MAXCMD	     (128 * 1024)
+#define MAXWIRE	     (64 * 1024)
+#define PACKETSIZE   ((64 * 1024) - 1)
+#define INITTEXT     (2 * 1024)
+#define MAXTEXT	     (128 * 1024)
+#define FIND_TIMEOUT 5
+#define TTL_MAX	     2147483647U /* Maximum signed 32 bit integer. */
+
+#define DNSDEFAULTPORT 53
+
+/* Number of addresses to request from bind9_getaddresses() */
+#define MAX_SERVERADDRS 4
+
+static uint16_t dnsport = DNSDEFAULTPORT;
+
+#ifndef RESOLV_CONF
+#define RESOLV_CONF "/etc/resolv.conf"
+#endif /* ifndef RESOLV_CONF */
+
+static bool debugging = false, ddebugging = false;
+static bool memdebugging = false;
+static bool have_ipv4 = false;
+static bool have_ipv6 = false;
+static bool is_dst_up = false;
+static bool usevc = false;
+static bool usegsstsig = false;
+static bool use_win2k_gsstsig = false;
+static bool tried_other_gsstsig = false;
+static bool local_only = false;
+static isc_nm_t *netmgr = NULL;
+static isc_taskmgr_t *taskmgr = NULL;
+static isc_task_t *global_task = NULL;
+static isc_event_t *global_event = NULL;
+static isc_log_t *glctx = NULL;
+static isc_mem_t *gmctx = NULL;
+static dns_dispatchmgr_t *dispatchmgr = NULL;
+static dns_requestmgr_t *requestmgr = NULL;
+static isc_socketmgr_t *socketmgr = NULL;
+static isc_timermgr_t *timermgr = NULL;
+static dns_dispatch_t *dispatchv4 = NULL;
+static dns_dispatch_t *dispatchv6 = NULL;
+static dns_message_t *updatemsg = NULL;
+static dns_fixedname_t fuserzone;
+static dns_fixedname_t fzname;
+static dns_name_t *userzone = NULL;
+static dns_name_t *zname = NULL;
+static dns_name_t tmpzonename = DNS_NAME_INITEMPTY;
+static dns_name_t restart_master = DNS_NAME_INITEMPTY;
+static dns_tsig_keyring_t *gssring = NULL;
+static dns_tsigkey_t *tsigkey = NULL;
+static dst_key_t *sig0key = NULL;
+static isc_sockaddr_t *servers = NULL;
+static isc_sockaddr_t *master_servers = NULL;
+static bool default_servers = true;
+static int ns_inuse = 0;
+static int master_inuse = 0;
+static int ns_total = 0;
+static int ns_alloc = 0;
+static int master_total = 0;
+static int master_alloc = 0;
+static isc_sockaddr_t *localaddr4 = NULL;
+static isc_sockaddr_t *localaddr6 = NULL;
+static const char *keyfile = NULL;
+static char *keystr = NULL;
+static bool shuttingdown = false;
+static FILE *input;
+static bool interactive = true;
+static bool seenerror = false;
+static const dns_master_style_t *style;
+static int requests = 0;
+static unsigned int logdebuglevel = 0;
+static unsigned int timeout = 300;
+static unsigned int udp_timeout = 3;
+static unsigned int udp_retries = 3;
+static dns_rdataclass_t defaultclass = dns_rdataclass_in;
+static dns_rdataclass_t zoneclass = dns_rdataclass_none;
+static isc_mutex_t answer_lock;
+static dns_message_t *answer = NULL;
+static uint32_t default_ttl = 0;
+static bool default_ttl_set = false;
+static bool checknames = true;
+
+typedef struct nsu_requestinfo {
+	dns_message_t *msg;
+	isc_sockaddr_t *addr;
+} nsu_requestinfo_t;
+
+static void
+sendrequest(isc_sockaddr_t *destaddr, dns_message_t *msg,
+	    dns_request_t **request);
+static void
+send_update(dns_name_t *zonename, isc_sockaddr_t *master);
+
+ISC_PLATFORM_NORETURN_PRE static void
+fatal(const char *format, ...)
+	ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
+
+static void
+debug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
+
+static void
+ddebug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
+
+#ifdef GSSAPI
+static dns_fixedname_t fkname;
+static isc_sockaddr_t *kserver = NULL;
+static char *realm = NULL;
+static char servicename[DNS_NAME_FORMATSIZE];
+static dns_name_t *keyname;
+typedef struct nsu_gssinfo {
+	dns_message_t *msg;
+	isc_sockaddr_t *addr;
+	dns_gss_ctx_id_t context;
+} nsu_gssinfo_t;
+
+static void
+failed_gssrequest();
+static void
+start_gssrequest(dns_name_t *master);
+static void
+send_gssrequest(isc_sockaddr_t *destaddr, dns_message_t *msg,
+		dns_request_t **request, dns_gss_ctx_id_t context);
+static void
+recvgss(isc_task_t *task, isc_event_t *event);
+#endif /* GSSAPI */
+
+static void
+error(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
+
+#define STATUS_MORE   (uint16_t)0
+#define STATUS_SEND   (uint16_t)1
+#define STATUS_QUIT   (uint16_t)2
+#define STATUS_SYNTAX (uint16_t)3
+
+static void
+master_from_servers(void) {
+	if (master_servers != NULL && master_servers != servers) {
+		isc_mem_put(gmctx, master_servers,
+			    master_alloc * sizeof(isc_sockaddr_t));
+	}
+	master_servers = servers;
+	master_total = ns_total;
+	master_alloc = ns_alloc;
+	master_inuse = ns_inuse;
+}
+
+static dns_rdataclass_t
+getzoneclass(void) {
+	if (zoneclass == dns_rdataclass_none) {
+		zoneclass = defaultclass;
+	}
+	return (zoneclass);
+}
+
+static bool
+setzoneclass(dns_rdataclass_t rdclass) {
+	if (zoneclass == dns_rdataclass_none || rdclass == dns_rdataclass_none)
+	{
+		zoneclass = rdclass;
+	}
+	if (zoneclass != rdclass) {
+		return (false);
+	}
+	return (true);
+}
+
+static void
+fatal(const char *format, ...) {
+	va_list args;
+
+	va_start(args, format);
+	vfprintf(stderr, format, args);
+	va_end(args);
+	fprintf(stderr, "\n");
+	exit(1);
+}
+
+static void
+error(const char *format, ...) {
+	va_list args;
+
+	va_start(args, format);
+	vfprintf(stderr, format, args);
+	va_end(args);
+	fprintf(stderr, "\n");
+}
+
+static void
+debug(const char *format, ...) {
+	va_list args;
+
+	if (debugging) {
+		va_start(args, format);
+		vfprintf(stderr, format, args);
+		va_end(args);
+		fprintf(stderr, "\n");
+	}
+}
+
+static void
+ddebug(const char *format, ...) {
+	va_list args;
+
+	if (ddebugging) {
+		va_start(args, format);
+		vfprintf(stderr, format, args);
+		va_end(args);
+		fprintf(stderr, "\n");
+	}
+}
+
+static void
+check_result(isc_result_t result, const char *msg) {
+	if (result != ISC_R_SUCCESS) {
+		fatal("%s: %s", msg, isc_result_totext(result));
+	}
+}
+
+static char *
+nsu_strsep(char **stringp, const char *delim) {
+	char *string = *stringp;
+	*stringp = NULL;
+	char *s;
+	const char *d;
+	char sc, dc;
+
+	if (string == NULL) {
+		return (NULL);
+	}
+
+	for (; *string != '\0'; string++) {
+		sc = *string;
+		for (d = delim; (dc = *d) != '\0'; d++) {
+			if (sc == dc) {
+				break;
+			}
+		}
+		if (dc == 0) {
+			break;
+		}
+	}
+
+	for (s = string; *s != '\0'; s++) {
+		sc = *s;
+		for (d = delim; (dc = *d) != '\0'; d++) {
+			if (sc == dc) {
+				*s++ = '\0';
+				*stringp = s;
+				return (string);
+			}
+		}
+	}
+	return (string);
+}
+
+static void
+reset_system(void) {
+	ddebug("reset_system()");
+	/* If the update message is still around, destroy it */
+	if (updatemsg != NULL) {
+		dns_message_reset(updatemsg, DNS_MESSAGE_INTENTRENDER);
+	} else {
+		dns_message_create(gmctx, DNS_MESSAGE_INTENTRENDER, &updatemsg);
+	}
+	updatemsg->opcode = dns_opcode_update;
+	if (usegsstsig) {
+		if (tsigkey != NULL) {
+			dns_tsigkey_detach(&tsigkey);
+		}
+		if (gssring != NULL) {
+			dns_tsigkeyring_detach(&gssring);
+		}
+		tried_other_gsstsig = false;
+	}
+}
+
+static bool
+parse_hmac(const dns_name_t **hmac, const char *hmacstr, size_t len,
+	   uint16_t *digestbitsp) {
+	uint16_t digestbits = 0;
+	isc_result_t result;
+	char buf[20];
+
+	REQUIRE(hmac != NULL && *hmac == NULL);
+	REQUIRE(hmacstr != NULL);
+
+	if (len >= sizeof(buf)) {
+		error("unknown key type '%.*s'", (int)(len), hmacstr);
+		return (false);
+	}
+
+	/* Copy len bytes and NUL terminate. */
+	strlcpy(buf, hmacstr, ISC_MIN(len + 1, sizeof(buf)));
+
+	if (strcasecmp(buf, "hmac-md5") == 0) {
+		*hmac = DNS_TSIG_HMACMD5_NAME;
+	} else if (strncasecmp(buf, "hmac-md5-", 9) == 0) {
+		*hmac = DNS_TSIG_HMACMD5_NAME;
+		result = isc_parse_uint16(&digestbits, &buf[9], 10);
+		if (result != ISC_R_SUCCESS || digestbits > 128) {
+			error("digest-bits out of range [0..128]");
+			return (false);
+		}
+		*digestbitsp = (digestbits + 7) & ~0x7U;
+	} else if (strcasecmp(buf, "hmac-sha1") == 0) {
+		*hmac = DNS_TSIG_HMACSHA1_NAME;
+	} else if (strncasecmp(buf, "hmac-sha1-", 10) == 0) {
+		*hmac = DNS_TSIG_HMACSHA1_NAME;
+		result = isc_parse_uint16(&digestbits, &buf[10], 10);
+		if (result != ISC_R_SUCCESS || digestbits > 160) {
+			error("digest-bits out of range [0..160]");
+			return (false);
+		}
+		*digestbitsp = (digestbits + 7) & ~0x7U;
+	} else if (strcasecmp(buf, "hmac-sha224") == 0) {
+		*hmac = DNS_TSIG_HMACSHA224_NAME;
+	} else if (strncasecmp(buf, "hmac-sha224-", 12) == 0) {
+		*hmac = DNS_TSIG_HMACSHA224_NAME;
+		result = isc_parse_uint16(&digestbits, &buf[12], 10);
+		if (result != ISC_R_SUCCESS || digestbits > 224) {
+			error("digest-bits out of range [0..224]");
+			return (false);
+		}
+		*digestbitsp = (digestbits + 7) & ~0x7U;
+	} else if (strcasecmp(buf, "hmac-sha256") == 0) {
+		*hmac = DNS_TSIG_HMACSHA256_NAME;
+	} else if (strncasecmp(buf, "hmac-sha256-", 12) == 0) {
+		*hmac = DNS_TSIG_HMACSHA256_NAME;
+		result = isc_parse_uint16(&digestbits, &buf[12], 10);
+		if (result != ISC_R_SUCCESS || digestbits > 256) {
+			error("digest-bits out of range [0..256]");
+			return (false);
+		}
+		*digestbitsp = (digestbits + 7) & ~0x7U;
+	} else if (strcasecmp(buf, "hmac-sha384") == 0) {
+		*hmac = DNS_TSIG_HMACSHA384_NAME;
+	} else if (strncasecmp(buf, "hmac-sha384-", 12) == 0) {
+		*hmac = DNS_TSIG_HMACSHA384_NAME;
+		result = isc_parse_uint16(&digestbits, &buf[12], 10);
+		if (result != ISC_R_SUCCESS || digestbits > 384) {
+			error("digest-bits out of range [0..384]");
+			return (false);
+		}
+		*digestbitsp = (digestbits + 7) & ~0x7U;
+	} else if (strcasecmp(buf, "hmac-sha512") == 0) {
+		*hmac = DNS_TSIG_HMACSHA512_NAME;
+	} else if (strncasecmp(buf, "hmac-sha512-", 12) == 0) {
+		*hmac = DNS_TSIG_HMACSHA512_NAME;
+		result = isc_parse_uint16(&digestbits, &buf[12], 10);
+		if (result != ISC_R_SUCCESS || digestbits > 512) {
+			error("digest-bits out of range [0..512]");
+			return (false);
+		}
+		*digestbitsp = (digestbits + 7) & ~0x7U;
+	} else {
+		error("unknown key type '%s'", buf);
+		return (false);
+	}
+	return (true);
+}
+
+static int
+basenamelen(const char *file) {
+	int len = strlen(file);
+
+	if (len > 1 && file[len - 1] == '.') {
+		len -= 1;
+	} else if (len > 8 && strcmp(file + len - 8, ".private") == 0) {
+		len -= 8;
+	} else if (len > 4 && strcmp(file + len - 4, ".key") == 0) {
+		len -= 4;
+	}
+	return (len);
+}
+
+static void
+setup_keystr(void) {
+	unsigned char *secret = NULL;
+	int secretlen;
+	isc_buffer_t secretbuf;
+	isc_result_t result;
+	isc_buffer_t keynamesrc;
+	char *secretstr;
+	char *s, *n;
+	dns_fixedname_t fkeyname;
+	dns_name_t *mykeyname;
+	char *name;
+	const dns_name_t *hmacname = NULL;
+	uint16_t digestbits = 0;
+
+	mykeyname = dns_fixedname_initname(&fkeyname);
+
+	debug("Creating key...");
+
+	s = strchr(keystr, ':');
+	if (s == NULL || s == keystr || s[1] == 0) {
+		fatal("key option must specify [hmac:]keyname:secret");
+	}
+	secretstr = s + 1;
+	n = strchr(secretstr, ':');
+	if (n != NULL) {
+		if (n == secretstr || n[1] == 0) {
+			fatal("key option must specify [hmac:]keyname:secret");
+		}
+		name = secretstr;
+		secretstr = n + 1;
+		if (!parse_hmac(&hmacname, keystr, s - keystr, &digestbits)) {
+			exit(1);
+		}
+	} else {
+		hmacname = DNS_TSIG_HMACMD5_NAME;
+		name = keystr;
+		n = s;
+	}
+
+	isc_buffer_init(&keynamesrc, name, (unsigned int)(n - name));
+	isc_buffer_add(&keynamesrc, (unsigned int)(n - name));
+
+	debug("namefromtext");
+	result = dns_name_fromtext(mykeyname, &keynamesrc, dns_rootname, 0,
+				   NULL);
+	check_result(result, "dns_name_fromtext");
+
+	secretlen = strlen(secretstr) * 3 / 4;
+	secret = isc_mem_allocate(gmctx, secretlen);
+
+	isc_buffer_init(&secretbuf, secret, secretlen);
+	result = isc_base64_decodestring(secretstr, &secretbuf);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "could not create key from %s: %s\n", keystr,
+			isc_result_totext(result));
+		goto failure;
+	}
+
+	secretlen = isc_buffer_usedlength(&secretbuf);
+
+	debug("keycreate");
+	result = dns_tsigkey_create(mykeyname, hmacname, secret, secretlen,
+				    false, NULL, 0, 0, gmctx, NULL, &tsigkey);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "could not create key from %s: %s\n", keystr,
+			dns_result_totext(result));
+	} else {
+		dst_key_setbits(tsigkey->key, digestbits);
+	}
+failure:
+	if (secret != NULL) {
+		isc_mem_free(gmctx, secret);
+	}
+}
+
+/*
+ * Get a key from a named.conf format keyfile
+ */
+static isc_result_t
+read_sessionkey(isc_mem_t *mctx, isc_log_t *lctx) {
+	cfg_parser_t *pctx = NULL;
+	cfg_obj_t *sessionkey = NULL;
+	const cfg_obj_t *key = NULL;
+	const cfg_obj_t *secretobj = NULL;
+	const cfg_obj_t *algorithmobj = NULL;
+	const char *mykeyname;
+	const char *secretstr;
+	const char *algorithm;
+	isc_result_t result;
+	int len;
+
+	if (!isc_file_exists(keyfile)) {
+		return (ISC_R_FILENOTFOUND);
+	}
+
+	result = cfg_parser_create(mctx, lctx, &pctx);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	result = cfg_parse_file(pctx, keyfile, &cfg_type_sessionkey,
+				&sessionkey);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	result = cfg_map_get(sessionkey, "key", &key);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	(void)cfg_map_get(key, "secret", &secretobj);
+	(void)cfg_map_get(key, "algorithm", &algorithmobj);
+	if (secretobj == NULL || algorithmobj == NULL) {
+		fatal("key must have algorithm and secret");
+	}
+
+	mykeyname = cfg_obj_asstring(cfg_map_getname(key));
+	secretstr = cfg_obj_asstring(secretobj);
+	algorithm = cfg_obj_asstring(algorithmobj);
+
+	len = strlen(algorithm) + strlen(mykeyname) + strlen(secretstr) + 3;
+	keystr = isc_mem_allocate(mctx, len);
+	snprintf(keystr, len, "%s:%s:%s", algorithm, mykeyname, secretstr);
+	setup_keystr();
+
+cleanup:
+	if (pctx != NULL) {
+		if (sessionkey != NULL) {
+			cfg_obj_destroy(pctx, &sessionkey);
+		}
+		cfg_parser_destroy(&pctx);
+	}
+
+	if (keystr != NULL) {
+		isc_mem_free(mctx, keystr);
+	}
+
+	return (result);
+}
+
+static void
+setup_keyfile(isc_mem_t *mctx, isc_log_t *lctx) {
+	dst_key_t *dstkey = NULL;
+	isc_result_t result;
+	const dns_name_t *hmacname = NULL;
+
+	debug("Creating key...");
+
+	if (sig0key != NULL) {
+		dst_key_free(&sig0key);
+	}
+
+	/* Try reading the key from a K* pair */
+	result = dst_key_fromnamedfile(
+		keyfile, NULL, DST_TYPE_PRIVATE | DST_TYPE_KEY, mctx, &dstkey);
+
+	/* If that didn't work, try reading it as a session.key keyfile */
+	if (result != ISC_R_SUCCESS) {
+		result = read_sessionkey(mctx, lctx);
+		if (result == ISC_R_SUCCESS) {
+			return;
+		}
+	}
+
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr,
+			"could not read key from %.*s.{private,key}: "
+			"%s\n",
+			basenamelen(keyfile), keyfile,
+			isc_result_totext(result));
+		return;
+	}
+
+	switch (dst_key_alg(dstkey)) {
+	case DST_ALG_HMACMD5:
+		hmacname = DNS_TSIG_HMACMD5_NAME;
+		break;
+	case DST_ALG_HMACSHA1:
+		hmacname = DNS_TSIG_HMACSHA1_NAME;
+		break;
+	case DST_ALG_HMACSHA224:
+		hmacname = DNS_TSIG_HMACSHA224_NAME;
+		break;
+	case DST_ALG_HMACSHA256:
+		hmacname = DNS_TSIG_HMACSHA256_NAME;
+		break;
+	case DST_ALG_HMACSHA384:
+		hmacname = DNS_TSIG_HMACSHA384_NAME;
+		break;
+	case DST_ALG_HMACSHA512:
+		hmacname = DNS_TSIG_HMACSHA512_NAME;
+		break;
+	}
+	if (hmacname != NULL) {
+		result = dns_tsigkey_createfromkey(
+			dst_key_name(dstkey), hmacname, dstkey, false, NULL, 0,
+			0, mctx, NULL, &tsigkey);
+		dst_key_free(&dstkey);
+		if (result != ISC_R_SUCCESS) {
+			fprintf(stderr, "could not create key from %s: %s\n",
+				keyfile, isc_result_totext(result));
+			return;
+		}
+	} else {
+		dst_key_attach(dstkey, &sig0key);
+		dst_key_free(&dstkey);
+	}
+}
+
+static void
+doshutdown(void) {
+	isc_task_detach(&global_task);
+
+	/*
+	 * The isc_mem_put of master_servers must be before the
+	 * isc_mem_put of servers as it sets the servers pointer
+	 * to NULL.
+	 */
+	if (master_servers != NULL && master_servers != servers) {
+		isc_mem_put(gmctx, master_servers,
+			    master_alloc * sizeof(isc_sockaddr_t));
+	}
+
+	if (servers != NULL) {
+		isc_mem_put(gmctx, servers, ns_alloc * sizeof(isc_sockaddr_t));
+	}
+
+	if (localaddr4 != NULL) {
+		isc_mem_put(gmctx, localaddr4, sizeof(isc_sockaddr_t));
+	}
+
+	if (localaddr6 != NULL) {
+		isc_mem_put(gmctx, localaddr6, sizeof(isc_sockaddr_t));
+	}
+
+	if (tsigkey != NULL) {
+		ddebug("Freeing TSIG key");
+		dns_tsigkey_detach(&tsigkey);
+	}
+
+	if (sig0key != NULL) {
+		ddebug("Freeing SIG(0) key");
+		dst_key_free(&sig0key);
+	}
+
+	if (updatemsg != NULL) {
+		dns_message_detach(&updatemsg);
+	}
+
+	if (is_dst_up) {
+		ddebug("Destroy DST lib");
+		dst_lib_destroy();
+		is_dst_up = false;
+	}
+
+	ddebug("Destroying request manager");
+	dns_requestmgr_detach(&requestmgr);
+
+	ddebug("Freeing the dispatchers");
+	if (have_ipv4) {
+		dns_dispatch_detach(&dispatchv4);
+	}
+	if (have_ipv6) {
+		dns_dispatch_detach(&dispatchv6);
+	}
+
+	ddebug("Shutting down dispatch manager");
+	dns_dispatchmgr_destroy(&dispatchmgr);
+}
+
+static void
+maybeshutdown(void) {
+	/* when called from getinput, doshutdown might be already finished */
+	if (requestmgr == NULL) {
+		return;
+	}
+
+	ddebug("Shutting down request manager");
+	dns_requestmgr_shutdown(requestmgr);
+
+	if (requests != 0) {
+		return;
+	}
+
+	doshutdown();
+}
+
+static void
+shutdown_program(isc_task_t *task, isc_event_t *event) {
+	REQUIRE(task == global_task);
+	UNUSED(task);
+
+	ddebug("shutdown_program()");
+	isc_event_free(&event);
+
+	shuttingdown = true;
+	maybeshutdown();
+}
+
+/*
+ * Try honoring the operating system's preferred ephemeral port range.
+ */
+static void
+set_source_ports(dns_dispatchmgr_t *manager) {
+	isc_portset_t *v4portset = NULL, *v6portset = NULL;
+	in_port_t udpport_low, udpport_high;
+	isc_result_t result;
+
+	result = isc_portset_create(gmctx, &v4portset);
+	check_result(result, "isc_portset_create (v4)");
+	result = isc_net_getudpportrange(AF_INET, &udpport_low, &udpport_high);
+	check_result(result, "isc_net_getudpportrange (v4)");
+	isc_portset_addrange(v4portset, udpport_low, udpport_high);
+
+	result = isc_portset_create(gmctx, &v6portset);
+	check_result(result, "isc_portset_create (v6)");
+	result = isc_net_getudpportrange(AF_INET6, &udpport_low, &udpport_high);
+	check_result(result, "isc_net_getudpportrange (v6)");
+	isc_portset_addrange(v6portset, udpport_low, udpport_high);
+
+	result = dns_dispatchmgr_setavailports(manager, v4portset, v6portset);
+	check_result(result, "dns_dispatchmgr_setavailports");
+
+	isc_portset_destroy(gmctx, &v4portset);
+	isc_portset_destroy(gmctx, &v6portset);
+}
+
+static void
+setup_system(void) {
+	isc_result_t result;
+	isc_sockaddr_t bind_any, bind_any6;
+	unsigned int attrs, attrmask;
+	isc_sockaddrlist_t *nslist;
+	isc_logconfig_t *logconfig = NULL;
+	irs_resconf_t *resconf = NULL;
+
+	ddebug("setup_system()");
+
+	dns_result_register();
+
+	isc_log_create(gmctx, &glctx, &logconfig);
+	isc_log_setcontext(glctx);
+	dns_log_init(glctx);
+	dns_log_setcontext(glctx);
+
+	result = isc_log_usechannel(logconfig, "default_debug", NULL, NULL);
+	check_result(result, "isc_log_usechannel");
+
+	isc_log_setdebuglevel(glctx, logdebuglevel);
+
+	result = irs_resconf_load(gmctx, RESOLV_CONF, &resconf);
+	if (result != ISC_R_SUCCESS && result != ISC_R_FILENOTFOUND) {
+		fatal("parse of %s failed", RESOLV_CONF);
+	}
+
+	nslist = irs_resconf_getnameservers(resconf);
+
+	if (servers != NULL) {
+		if (master_servers == servers) {
+			master_servers = NULL;
+		}
+		isc_mem_put(gmctx, servers, ns_alloc * sizeof(isc_sockaddr_t));
+	}
+
+	ns_inuse = 0;
+	if (local_only || ISC_LIST_EMPTY(*nslist)) {
+		struct in_addr in;
+		struct in6_addr in6;
+
+		if (local_only && keyfile == NULL) {
+			keyfile = SESSION_KEYFILE;
+		}
+
+		default_servers = !local_only;
+
+		ns_total = ns_alloc = (have_ipv4 ? 1 : 0) + (have_ipv6 ? 1 : 0);
+		servers = isc_mem_get(gmctx, ns_alloc * sizeof(isc_sockaddr_t));
+
+		if (have_ipv6) {
+			memset(&in6, 0, sizeof(in6));
+			in6.s6_addr[15] = 1;
+			isc_sockaddr_fromin6(&servers[0], &in6, dnsport);
+		}
+		if (have_ipv4) {
+			in.s_addr = htonl(INADDR_LOOPBACK);
+			isc_sockaddr_fromin(&servers[(have_ipv6 ? 1 : 0)], &in,
+					    dnsport);
+		}
+	} else {
+		isc_sockaddr_t *sa;
+		int i;
+
+		/*
+		 * Count the nameservers (skipping any that we can't use
+		 * because of address family restrictions) and allocate
+		 * the servers array.
+		 */
+		ns_total = 0;
+		for (sa = ISC_LIST_HEAD(*nslist); sa != NULL;
+		     sa = ISC_LIST_NEXT(sa, link))
+		{
+			switch (sa->type.sa.sa_family) {
+			case AF_INET:
+				if (have_ipv4) {
+					ns_total++;
+				}
+				break;
+			case AF_INET6:
+				if (have_ipv6) {
+					ns_total++;
+				}
+				break;
+			default:
+				fatal("bad family");
+			}
+		}
+
+		ns_alloc = ns_total;
+		servers = isc_mem_get(gmctx, ns_alloc * sizeof(isc_sockaddr_t));
+
+		i = 0;
+		for (sa = ISC_LIST_HEAD(*nslist); sa != NULL;
+		     sa = ISC_LIST_NEXT(sa, link))
+		{
+			switch (sa->type.sa.sa_family) {
+			case AF_INET:
+				if (have_ipv4) {
+					sa->type.sin.sin_port = htons(dnsport);
+				} else {
+					continue;
+				}
+				break;
+			case AF_INET6:
+				if (have_ipv6) {
+					sa->type.sin6.sin6_port =
+						htons(dnsport);
+				} else {
+					continue;
+				}
+				break;
+			default:
+				fatal("bad family");
+			}
+			INSIST(i < ns_alloc);
+			servers[i++] = *sa;
+		}
+	}
+
+	irs_resconf_destroy(&resconf);
+
+	result = dns_dispatchmgr_create(gmctx, &dispatchmgr);
+	check_result(result, "dns_dispatchmgr_create");
+
+	result = isc_socketmgr_create(gmctx, &socketmgr);
+	check_result(result, "dns_socketmgr_create");
+
+	result = isc_timermgr_create(gmctx, &timermgr);
+	check_result(result, "dns_timermgr_create");
+
+	result = isc_managers_create(gmctx, 1, 0, &netmgr, &taskmgr);
+	check_result(result, "isc_managers_create");
+
+	result = isc_task_create(taskmgr, 0, &global_task);
+	check_result(result, "isc_task_create");
+
+	result = isc_task_onshutdown(global_task, shutdown_program, NULL);
+	check_result(result, "isc_task_onshutdown");
+
+	result = dst_lib_init(gmctx, NULL);
+	check_result(result, "dst_lib_init");
+	is_dst_up = true;
+
+	set_source_ports(dispatchmgr);
+
+	attrmask = DNS_DISPATCHATTR_UDP | DNS_DISPATCHATTR_TCP;
+	attrmask |= DNS_DISPATCHATTR_IPV4 | DNS_DISPATCHATTR_IPV6;
+
+	if (have_ipv6) {
+		attrs = DNS_DISPATCHATTR_UDP;
+		attrs |= DNS_DISPATCHATTR_MAKEQUERY;
+		attrs |= DNS_DISPATCHATTR_IPV6;
+		isc_sockaddr_any6(&bind_any6);
+		result = dns_dispatch_getudp(dispatchmgr, socketmgr, taskmgr,
+					     &bind_any6, PACKETSIZE, 4, 2, 3, 5,
+					     attrs, attrmask, &dispatchv6);
+		check_result(result, "dns_dispatch_getudp (v6)");
+	}
+
+	if (have_ipv4) {
+		attrs = DNS_DISPATCHATTR_UDP;
+		attrs |= DNS_DISPATCHATTR_MAKEQUERY;
+		attrs |= DNS_DISPATCHATTR_IPV4;
+		isc_sockaddr_any(&bind_any);
+		result = dns_dispatch_getudp(dispatchmgr, socketmgr, taskmgr,
+					     &bind_any, PACKETSIZE, 4, 2, 3, 5,
+					     attrs, attrmask, &dispatchv4);
+		check_result(result, "dns_dispatch_getudp (v4)");
+	}
+
+	result = dns_requestmgr_create(gmctx, timermgr, socketmgr, taskmgr,
+				       dispatchmgr, dispatchv4, dispatchv6,
+				       &requestmgr);
+	check_result(result, "dns_requestmgr_create");
+
+	if (keystr != NULL) {
+		setup_keystr();
+	} else if (local_only) {
+		result = read_sessionkey(gmctx, glctx);
+		if (result != ISC_R_SUCCESS) {
+			fatal("can't read key from %s: %s\n", keyfile,
+			      isc_result_totext(result));
+		}
+	} else if (keyfile != NULL) {
+		setup_keyfile(gmctx, glctx);
+	}
+
+	isc_mutex_init(&answer_lock);
+}
+
+static int
+get_addresses(char *host, in_port_t port, isc_sockaddr_t *sockaddr,
+	      int naddrs) {
+	int count = 0;
+	isc_result_t result;
+
+	isc_app_block();
+	result = bind9_getaddresses(host, port, sockaddr, naddrs, &count);
+	isc_app_unblock();
+	if (result != ISC_R_SUCCESS) {
+		error("couldn't get address for '%s': %s", host,
+		      isc_result_totext(result));
+	}
+	return (count);
+}
+
+static void
+version(void) {
+	fputs("nsupdate " VERSION "\n", stderr);
+}
+
+#define PARSE_ARGS_FMT "46dDML:y:ghilovk:p:Pr:R::t:Tu:V"
+
+static void
+pre_parse_args(int argc, char **argv) {
+	dns_rdatatype_t t;
+	int ch;
+	char buf[100];
+	bool doexit = false;
+	bool ipv4only = false, ipv6only = false;
+
+	while ((ch = isc_commandline_parse(argc, argv, PARSE_ARGS_FMT)) != -1) {
+		switch (ch) {
+		case 'M': /* was -dm */
+			debugging = true;
+			ddebugging = true;
+			memdebugging = true;
+			isc_mem_debugging = ISC_MEM_DEBUGTRACE |
+					    ISC_MEM_DEBUGRECORD;
+			break;
+
+		case '4':
+			if (ipv6only) {
+				fatal("only one of -4 and -6 allowed");
+			}
+			ipv4only = true;
+			break;
+
+		case '6':
+			if (ipv4only) {
+				fatal("only one of -4 and -6 allowed");
+			}
+			ipv6only = true;
+			break;
+
+		case '?':
+		case 'h':
+			if (isc_commandline_option != '?') {
+				fprintf(stderr, "%s: invalid argument -%c\n",
+					argv[0], isc_commandline_option);
+			}
+			fprintf(stderr, "usage: nsupdate [-dDi] [-L level] [-l]"
+					"[-g | -o | -y keyname:secret | -k "
+					"keyfile] "
+					"[-v] [-V] [-P] [-T] [-4 | -6] "
+					"[filename]\n");
+			exit(1);
+
+		case 'P':
+			for (t = 0xff00; t <= 0xfffe; t++) {
+				if (dns_rdatatype_ismeta(t)) {
+					continue;
+				}
+				dns_rdatatype_format(t, buf, sizeof(buf));
+				if (strncmp(buf, "TYPE", 4) != 0) {
+					fprintf(stdout, "%s\n", buf);
+				}
+			}
+			doexit = true;
+			break;
+
+		case 'T':
+			for (t = 1; t <= 0xfeff; t++) {
+				if (dns_rdatatype_ismeta(t)) {
+					continue;
+				}
+				dns_rdatatype_format(t, buf, sizeof(buf));
+				if (strncmp(buf, "TYPE", 4) != 0) {
+					fprintf(stdout, "%s\n", buf);
+				}
+			}
+			doexit = true;
+			break;
+
+		case 'V':
+			version();
+			doexit = true;
+			break;
+
+		default:
+			break;
+		}
+	}
+	if (doexit) {
+		exit(0);
+	}
+	isc_commandline_reset = true;
+	isc_commandline_index = 1;
+}
+
+static void
+parse_args(int argc, char **argv) {
+	int ch;
+	uint32_t i;
+	isc_result_t result;
+	bool force_interactive = false;
+
+	debug("parse_args");
+	while ((ch = isc_commandline_parse(argc, argv, PARSE_ARGS_FMT)) != -1) {
+		switch (ch) {
+		case '4':
+			if (have_ipv4) {
+				isc_net_disableipv6();
+				have_ipv6 = false;
+			} else {
+				fatal("can't find IPv4 networking");
+			}
+			break;
+		case '6':
+			if (have_ipv6) {
+				isc_net_disableipv4();
+				have_ipv4 = false;
+			} else {
+				fatal("can't find IPv6 networking");
+			}
+			break;
+		case 'd':
+			debugging = true;
+			break;
+		case 'D': /* was -dd */
+			debugging = true;
+			ddebugging = true;
+			break;
+		case 'M':
+			break;
+		case 'i':
+			force_interactive = true;
+			interactive = true;
+			break;
+		case 'l':
+			local_only = true;
+			break;
+		case 'L':
+			result = isc_parse_uint32(&i, isc_commandline_argument,
+						  10);
+			if (result != ISC_R_SUCCESS) {
+				fprintf(stderr,
+					"bad library debug value "
+					"'%s'\n",
+					isc_commandline_argument);
+				exit(1);
+			}
+			logdebuglevel = i;
+			break;
+		case 'y':
+			keystr = isc_commandline_argument;
+			break;
+		case 'v':
+			usevc = true;
+			break;
+		case 'k':
+			keyfile = isc_commandline_argument;
+			break;
+		case 'g':
+			usegsstsig = true;
+			use_win2k_gsstsig = false;
+			break;
+		case 'o':
+			usegsstsig = true;
+			use_win2k_gsstsig = true;
+			break;
+		case 'p':
+			result = isc_parse_uint16(&dnsport,
+						  isc_commandline_argument, 10);
+			if (result != ISC_R_SUCCESS) {
+				fprintf(stderr,
+					"bad port number "
+					"'%s'\n",
+					isc_commandline_argument);
+				exit(1);
+			}
+			break;
+		case 't':
+			result = isc_parse_uint32(&timeout,
+						  isc_commandline_argument, 10);
+			if (result != ISC_R_SUCCESS) {
+				fprintf(stderr, "bad timeout '%s'\n",
+					isc_commandline_argument);
+				exit(1);
+			}
+			if (timeout == 0) {
+				timeout = UINT_MAX;
+			}
+			break;
+		case 'u':
+			result = isc_parse_uint32(&udp_timeout,
+						  isc_commandline_argument, 10);
+			if (result != ISC_R_SUCCESS) {
+				fprintf(stderr, "bad udp timeout '%s'\n",
+					isc_commandline_argument);
+				exit(1);
+			}
+			if (udp_timeout == 0) {
+				udp_timeout = UINT_MAX;
+			}
+			break;
+		case 'r':
+			result = isc_parse_uint32(&udp_retries,
+						  isc_commandline_argument, 10);
+			if (result != ISC_R_SUCCESS) {
+				fprintf(stderr, "bad udp retries '%s'\n",
+					isc_commandline_argument);
+				exit(1);
+			}
+			break;
+
+		case 'R':
+			fatal("The -R options has been deprecated.\n");
+			break;
+
+		default:
+			fprintf(stderr, "%s: unhandled option: %c\n", argv[0],
+				isc_commandline_option);
+			exit(1);
+		}
+	}
+	if (keyfile != NULL && keystr != NULL) {
+		fprintf(stderr, "%s: cannot specify both -k and -y\n", argv[0]);
+		exit(1);
+	}
+
+#ifdef GSSAPI
+	if (usegsstsig && (keyfile != NULL || keystr != NULL)) {
+		fprintf(stderr, "%s: cannot specify -g with -k or -y\n",
+			argv[0]);
+		exit(1);
+	}
+#else  /* ifdef GSSAPI */
+	if (usegsstsig) {
+		fprintf(stderr,
+			"%s: cannot specify -g	or -o, "
+			"program not linked with GSS API Library\n",
+			argv[0]);
+		exit(1);
+	}
+#endif /* ifdef GSSAPI */
+
+	if (argv[isc_commandline_index] != NULL) {
+		if (strcmp(argv[isc_commandline_index], "-") == 0) {
+			input = stdin;
+		} else {
+			result = isc_stdio_open(argv[isc_commandline_index],
+						"r", &input);
+			if (result != ISC_R_SUCCESS) {
+				fprintf(stderr, "could not open '%s': %s\n",
+					argv[isc_commandline_index],
+					isc_result_totext(result));
+				exit(1);
+			}
+		}
+		if (!force_interactive) {
+			interactive = false;
+		}
+	}
+}
+
+static uint16_t
+parse_name(char **cmdlinep, dns_message_t *msg, dns_name_t **namep) {
+	isc_result_t result;
+	char *word;
+	isc_buffer_t source;
+
+	word = nsu_strsep(cmdlinep, " \t\r\n");
+	if (word == NULL || *word == 0) {
+		fprintf(stderr, "could not read owner name\n");
+		return (STATUS_SYNTAX);
+	}
+
+	result = dns_message_gettempname(msg, namep);
+	check_result(result, "dns_message_gettempname");
+	isc_buffer_init(&source, word, strlen(word));
+	isc_buffer_add(&source, strlen(word));
+	result = dns_name_fromtext(*namep, &source, dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		error("invalid owner name: %s", isc_result_totext(result));
+		isc_buffer_invalidate(&source);
+		dns_message_puttempname(msg, namep);
+		return (STATUS_SYNTAX);
+	}
+	isc_buffer_invalidate(&source);
+	return (STATUS_MORE);
+}
+
+static uint16_t
+parse_rdata(char **cmdlinep, dns_rdataclass_t rdataclass,
+	    dns_rdatatype_t rdatatype, dns_message_t *msg, dns_rdata_t *rdata) {
+	char *cmdline = *cmdlinep;
+	isc_buffer_t source, *buf = NULL, *newbuf = NULL;
+	isc_region_t r;
+	isc_lex_t *lex = NULL;
+	dns_rdatacallbacks_t callbacks;
+	isc_result_t result;
+
+	if (cmdline == NULL) {
+		rdata->flags = DNS_RDATA_UPDATE;
+		return (STATUS_MORE);
+	}
+
+	while (*cmdline != 0 && isspace((unsigned char)*cmdline)) {
+		cmdline++;
+	}
+
+	if (*cmdline != 0) {
+		dns_rdatacallbacks_init(&callbacks);
+		result = isc_lex_create(gmctx, strlen(cmdline), &lex);
+		check_result(result, "isc_lex_create");
+		isc_buffer_init(&source, cmdline, strlen(cmdline));
+		isc_buffer_add(&source, strlen(cmdline));
+		result = isc_lex_openbuffer(lex, &source);
+		check_result(result, "isc_lex_openbuffer");
+		isc_buffer_allocate(gmctx, &buf, MAXWIRE);
+		result = dns_rdata_fromtext(NULL, rdataclass, rdatatype, lex,
+					    dns_rootname, 0, gmctx, buf,
+					    &callbacks);
+		isc_lex_destroy(&lex);
+		if (result == ISC_R_SUCCESS) {
+			isc_buffer_usedregion(buf, &r);
+			isc_buffer_allocate(gmctx, &newbuf, r.length);
+			isc_buffer_putmem(newbuf, r.base, r.length);
+			isc_buffer_usedregion(newbuf, &r);
+			dns_rdata_fromregion(rdata, rdataclass, rdatatype, &r);
+			isc_buffer_free(&buf);
+			dns_message_takebuffer(msg, &newbuf);
+		} else {
+			fprintf(stderr, "invalid rdata format: %s\n",
+				isc_result_totext(result));
+			isc_buffer_free(&buf);
+			return (STATUS_SYNTAX);
+		}
+	} else {
+		rdata->flags = DNS_RDATA_UPDATE;
+	}
+	*cmdlinep = cmdline;
+	return (STATUS_MORE);
+}
+
+static uint16_t
+make_prereq(char *cmdline, bool ispositive, bool isrrset) {
+	isc_result_t result;
+	char *word;
+	dns_name_t *name = NULL;
+	isc_textregion_t region;
+	dns_rdataset_t *rdataset = NULL;
+	dns_rdatalist_t *rdatalist = NULL;
+	dns_rdataclass_t rdataclass;
+	dns_rdatatype_t rdatatype;
+	dns_rdata_t *rdata = NULL;
+	uint16_t retval;
+
+	ddebug("make_prereq()");
+
+	/*
+	 * Read the owner name
+	 */
+	retval = parse_name(&cmdline, updatemsg, &name);
+	if (retval != STATUS_MORE) {
+		return (retval);
+	}
+
+	/*
+	 * If this is an rrset prereq, read the class or type.
+	 */
+	if (isrrset) {
+		word = nsu_strsep(&cmdline, " \t\r\n");
+		if (word == NULL || *word == 0) {
+			fprintf(stderr, "could not read class or type\n");
+			goto failure;
+		}
+		region.base = word;
+		region.length = strlen(word);
+		result = dns_rdataclass_fromtext(&rdataclass, &region);
+		if (result == ISC_R_SUCCESS) {
+			if (!setzoneclass(rdataclass)) {
+				fprintf(stderr, "class mismatch: %s\n", word);
+				goto failure;
+			}
+			/*
+			 * Now read the type.
+			 */
+			word = nsu_strsep(&cmdline, " \t\r\n");
+			if (word == NULL || *word == 0) {
+				fprintf(stderr, "could not read type\n");
+				goto failure;
+			}
+			region.base = word;
+			region.length = strlen(word);
+			result = dns_rdatatype_fromtext(&rdatatype, &region);
+			if (result != ISC_R_SUCCESS) {
+				fprintf(stderr, "invalid type: %s\n", word);
+				goto failure;
+			}
+		} else {
+			rdataclass = getzoneclass();
+			result = dns_rdatatype_fromtext(&rdatatype, &region);
+			if (result != ISC_R_SUCCESS) {
+				fprintf(stderr, "invalid type: %s\n", word);
+				goto failure;
+			}
+		}
+	} else {
+		rdatatype = dns_rdatatype_any;
+	}
+
+	result = dns_message_gettemprdata(updatemsg, &rdata);
+	check_result(result, "dns_message_gettemprdata");
+
+	dns_rdata_init(rdata);
+
+	if (isrrset && ispositive) {
+		retval = parse_rdata(&cmdline, rdataclass, rdatatype, updatemsg,
+				     rdata);
+		if (retval != STATUS_MORE) {
+			goto failure;
+		}
+	} else {
+		rdata->flags = DNS_RDATA_UPDATE;
+	}
+
+	result = dns_message_gettemprdatalist(updatemsg, &rdatalist);
+	check_result(result, "dns_message_gettemprdatalist");
+	result = dns_message_gettemprdataset(updatemsg, &rdataset);
+	check_result(result, "dns_message_gettemprdataset");
+	rdatalist->type = rdatatype;
+	if (ispositive) {
+		if (isrrset && rdata->data != NULL) {
+			rdatalist->rdclass = rdataclass;
+		} else {
+			rdatalist->rdclass = dns_rdataclass_any;
+		}
+	} else {
+		rdatalist->rdclass = dns_rdataclass_none;
+	}
+	rdata->rdclass = rdatalist->rdclass;
+	rdata->type = rdatatype;
+	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
+	dns_rdatalist_tordataset(rdatalist, rdataset);
+	ISC_LIST_INIT(name->list);
+	ISC_LIST_APPEND(name->list, rdataset, link);
+	dns_message_addname(updatemsg, name, DNS_SECTION_PREREQUISITE);
+	return (STATUS_MORE);
+
+failure:
+	if (name != NULL) {
+		dns_message_puttempname(updatemsg, &name);
+	}
+	return (STATUS_SYNTAX);
+}
+
+static uint16_t
+evaluate_prereq(char *cmdline) {
+	char *word;
+	bool ispositive, isrrset;
+
+	ddebug("evaluate_prereq()");
+	word = nsu_strsep(&cmdline, " \t\r\n");
+	if (word == NULL || *word == 0) {
+		fprintf(stderr, "could not read operation code\n");
+		return (STATUS_SYNTAX);
+	}
+	if (strcasecmp(word, "nxdomain") == 0) {
+		ispositive = false;
+		isrrset = false;
+	} else if (strcasecmp(word, "yxdomain") == 0) {
+		ispositive = true;
+		isrrset = false;
+	} else if (strcasecmp(word, "nxrrset") == 0) {
+		ispositive = false;
+		isrrset = true;
+	} else if (strcasecmp(word, "yxrrset") == 0) {
+		ispositive = true;
+		isrrset = true;
+	} else {
+		fprintf(stderr, "incorrect operation code: %s\n", word);
+		return (STATUS_SYNTAX);
+	}
+	return (make_prereq(cmdline, ispositive, isrrset));
+}
+
+static uint16_t
+evaluate_server(char *cmdline) {
+	char *word, *server;
+	long port;
+
+	if (local_only) {
+		fprintf(stderr, "cannot reset server in localhost-only mode\n");
+		return (STATUS_SYNTAX);
+	}
+
+	word = nsu_strsep(&cmdline, " \t\r\n");
+	if (word == NULL || *word == 0) {
+		fprintf(stderr, "could not read server name\n");
+		return (STATUS_SYNTAX);
+	}
+	server = word;
+
+	word = nsu_strsep(&cmdline, " \t\r\n");
+	if (word == NULL || *word == 0) {
+		port = dnsport;
+	} else {
+		char *endp;
+		port = strtol(word, &endp, 10);
+		if (*endp != 0) {
+			fprintf(stderr, "port '%s' is not numeric\n", word);
+			return (STATUS_SYNTAX);
+		} else if (port < 1 || port > 65535) {
+			fprintf(stderr,
+				"port '%s' is out of range "
+				"(1 to 65535)\n",
+				word);
+			return (STATUS_SYNTAX);
+		}
+	}
+
+	if (servers != NULL) {
+		if (master_servers == servers) {
+			master_servers = NULL;
+		}
+		isc_mem_put(gmctx, servers, ns_alloc * sizeof(isc_sockaddr_t));
+	}
+
+	default_servers = false;
+
+	ns_alloc = MAX_SERVERADDRS;
+	ns_inuse = 0;
+	servers = isc_mem_get(gmctx, ns_alloc * sizeof(isc_sockaddr_t));
+
+	memset(servers, 0, ns_alloc * sizeof(isc_sockaddr_t));
+	ns_total = get_addresses(server, (in_port_t)port, servers, ns_alloc);
+	if (ns_total == 0) {
+		return (STATUS_SYNTAX);
+	}
+
+	return (STATUS_MORE);
+}
+
+static uint16_t
+evaluate_local(char *cmdline) {
+	char *word, *local;
+	long port;
+	struct in_addr in4;
+	struct in6_addr in6;
+
+	word = nsu_strsep(&cmdline, " \t\r\n");
+	if (word == NULL || *word == 0) {
+		fprintf(stderr, "could not read server name\n");
+		return (STATUS_SYNTAX);
+	}
+	local = word;
+
+	word = nsu_strsep(&cmdline, " \t\r\n");
+	if (word == NULL || *word == 0) {
+		port = 0;
+	} else {
+		char *endp;
+		port = strtol(word, &endp, 10);
+		if (*endp != 0) {
+			fprintf(stderr, "port '%s' is not numeric\n", word);
+			return (STATUS_SYNTAX);
+		} else if (port < 1 || port > 65535) {
+			fprintf(stderr,
+				"port '%s' is out of range "
+				"(1 to 65535)\n",
+				word);
+			return (STATUS_SYNTAX);
+		}
+	}
+
+	if (have_ipv6 && inet_pton(AF_INET6, local, &in6) == 1) {
+		if (localaddr6 == NULL) {
+			localaddr6 = isc_mem_get(gmctx, sizeof(isc_sockaddr_t));
+		}
+		isc_sockaddr_fromin6(localaddr6, &in6, (in_port_t)port);
+	} else if (have_ipv4 && inet_pton(AF_INET, local, &in4) == 1) {
+		if (localaddr4 == NULL) {
+			localaddr4 = isc_mem_get(gmctx, sizeof(isc_sockaddr_t));
+		}
+		isc_sockaddr_fromin(localaddr4, &in4, (in_port_t)port);
+	} else {
+		fprintf(stderr, "invalid address %s", local);
+		return (STATUS_SYNTAX);
+	}
+
+	return (STATUS_MORE);
+}
+
+static uint16_t
+evaluate_key(char *cmdline) {
+	char *namestr;
+	char *secretstr;
+	isc_buffer_t b;
+	isc_result_t result;
+	dns_fixedname_t fkeyname;
+	dns_name_t *mykeyname;
+	int secretlen;
+	unsigned char *secret = NULL;
+	isc_buffer_t secretbuf;
+	const dns_name_t *hmacname = NULL;
+	uint16_t digestbits = 0;
+	char *n;
+
+	namestr = nsu_strsep(&cmdline, " \t\r\n");
+	if (namestr == NULL || *namestr == 0) {
+		fprintf(stderr, "could not read key name\n");
+		return (STATUS_SYNTAX);
+	}
+
+	mykeyname = dns_fixedname_initname(&fkeyname);
+
+	n = strchr(namestr, ':');
+	if (n != NULL) {
+		if (!parse_hmac(&hmacname, namestr, n - namestr, &digestbits)) {
+			return (STATUS_SYNTAX);
+		}
+		namestr = n + 1;
+	} else {
+		hmacname = DNS_TSIG_HMACMD5_NAME;
+	}
+
+	isc_buffer_init(&b, namestr, strlen(namestr));
+	isc_buffer_add(&b, strlen(namestr));
+	result = dns_name_fromtext(mykeyname, &b, dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "could not parse key name\n");
+		return (STATUS_SYNTAX);
+	}
+
+	secretstr = nsu_strsep(&cmdline, "\r\n");
+	if (secretstr == NULL || *secretstr == 0) {
+		fprintf(stderr, "could not read key secret\n");
+		return (STATUS_SYNTAX);
+	}
+	secretlen = strlen(secretstr) * 3 / 4;
+	secret = isc_mem_allocate(gmctx, secretlen);
+
+	isc_buffer_init(&secretbuf, secret, secretlen);
+	result = isc_base64_decodestring(secretstr, &secretbuf);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "could not create key from %s: %s\n", secretstr,
+			isc_result_totext(result));
+		isc_mem_free(gmctx, secret);
+		return (STATUS_SYNTAX);
+	}
+	secretlen = isc_buffer_usedlength(&secretbuf);
+
+	if (tsigkey != NULL) {
+		dns_tsigkey_detach(&tsigkey);
+	}
+	result = dns_tsigkey_create(mykeyname, hmacname, secret, secretlen,
+				    false, NULL, 0, 0, gmctx, NULL, &tsigkey);
+	isc_mem_free(gmctx, secret);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "could not create key from %s %s: %s\n",
+			namestr, secretstr, dns_result_totext(result));
+		return (STATUS_SYNTAX);
+	}
+	dst_key_setbits(tsigkey->key, digestbits);
+	return (STATUS_MORE);
+}
+
+static uint16_t
+evaluate_zone(char *cmdline) {
+	char *word;
+	isc_buffer_t b;
+	isc_result_t result;
+
+	word = nsu_strsep(&cmdline, " \t\r\n");
+	if (word == NULL || *word == 0) {
+		fprintf(stderr, "could not read zone name\n");
+		return (STATUS_SYNTAX);
+	}
+
+	userzone = dns_fixedname_initname(&fuserzone);
+	isc_buffer_init(&b, word, strlen(word));
+	isc_buffer_add(&b, strlen(word));
+	result = dns_name_fromtext(userzone, &b, dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		userzone = NULL; /* Lest it point to an invalid name */
+		fprintf(stderr, "could not parse zone name\n");
+		return (STATUS_SYNTAX);
+	}
+
+	return (STATUS_MORE);
+}
+
+static uint16_t
+evaluate_realm(char *cmdline) {
+#ifdef GSSAPI
+	char *word;
+	char buf[1024];
+	int n;
+
+	if (realm != NULL) {
+		isc_mem_free(gmctx, realm);
+		realm = NULL;
+	}
+
+	word = nsu_strsep(&cmdline, " \t\r\n");
+	if (word == NULL || *word == 0) {
+		return (STATUS_MORE);
+	}
+
+	n = snprintf(buf, sizeof(buf), "@%s", word);
+	if (n < 0 || (size_t)n >= sizeof(buf)) {
+		error("realm is too long");
+		return (STATUS_SYNTAX);
+	}
+	realm = isc_mem_strdup(gmctx, buf);
+	return (STATUS_MORE);
+#else  /* ifdef GSSAPI */
+	UNUSED(cmdline);
+	return (STATUS_SYNTAX);
+#endif /* ifdef GSSAPI */
+}
+
+static uint16_t
+evaluate_ttl(char *cmdline) {
+	char *word;
+	isc_result_t result;
+	uint32_t ttl;
+
+	word = nsu_strsep(&cmdline, " \t\r\n");
+	if (word == NULL || *word == 0) {
+		fprintf(stderr, "could not read ttl\n");
+		return (STATUS_SYNTAX);
+	}
+
+	if (!strcasecmp(word, "none")) {
+		default_ttl = 0;
+		default_ttl_set = false;
+		return (STATUS_MORE);
+	}
+
+	result = isc_parse_uint32(&ttl, word, 10);
+	if (result != ISC_R_SUCCESS) {
+		return (STATUS_SYNTAX);
+	}
+
+	if (ttl > TTL_MAX) {
+		fprintf(stderr, "ttl '%s' is out of range (0 to %u)\n", word,
+			TTL_MAX);
+		return (STATUS_SYNTAX);
+	}
+	default_ttl = ttl;
+	default_ttl_set = true;
+
+	return (STATUS_MORE);
+}
+
+static uint16_t
+evaluate_class(char *cmdline) {
+	char *word;
+	isc_textregion_t r;
+	isc_result_t result;
+	dns_rdataclass_t rdclass;
+
+	word = nsu_strsep(&cmdline, " \t\r\n");
+	if (word == NULL || *word == 0) {
+		fprintf(stderr, "could not read class name\n");
+		return (STATUS_SYNTAX);
+	}
+
+	r.base = word;
+	r.length = strlen(word);
+	result = dns_rdataclass_fromtext(&rdclass, &r);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "could not parse class name: %s\n", word);
+		return (STATUS_SYNTAX);
+	}
+	switch (rdclass) {
+	case dns_rdataclass_none:
+	case dns_rdataclass_any:
+	case dns_rdataclass_reserved0:
+		fprintf(stderr, "bad default class: %s\n", word);
+		return (STATUS_SYNTAX);
+	default:
+		defaultclass = rdclass;
+	}
+
+	return (STATUS_MORE);
+}
+
+static uint16_t
+update_addordelete(char *cmdline, bool isdelete) {
+	isc_result_t result;
+	dns_name_t *name = NULL;
+	uint32_t ttl;
+	char *word;
+	dns_rdataclass_t rdataclass;
+	dns_rdatatype_t rdatatype;
+	dns_rdata_t *rdata = NULL;
+	dns_rdatalist_t *rdatalist = NULL;
+	dns_rdataset_t *rdataset = NULL;
+	isc_textregion_t region;
+	uint16_t retval;
+
+	ddebug("update_addordelete()");
+
+	/*
+	 * Read the owner name.
+	 */
+	retval = parse_name(&cmdline, updatemsg, &name);
+	if (retval != STATUS_MORE) {
+		return (retval);
+	}
+
+	result = dns_message_gettemprdata(updatemsg, &rdata);
+	check_result(result, "dns_message_gettemprdata");
+
+	dns_rdata_init(rdata);
+
+	/*
+	 * If this is an add, read the TTL and verify that it's in range.
+	 * If it's a delete, ignore a TTL if present (for compatibility).
+	 */
+	word = nsu_strsep(&cmdline, " \t\r\n");
+	if (word == NULL || *word == 0) {
+		if (!isdelete) {
+			fprintf(stderr, "could not read owner ttl\n");
+			goto failure;
+		} else {
+			ttl = 0;
+			rdataclass = dns_rdataclass_any;
+			rdatatype = dns_rdatatype_any;
+			rdata->flags = DNS_RDATA_UPDATE;
+			goto doneparsing;
+		}
+	}
+	result = isc_parse_uint32(&ttl, word, 10);
+	if (result != ISC_R_SUCCESS) {
+		if (isdelete) {
+			ttl = 0;
+			goto parseclass;
+		} else if (default_ttl_set) {
+			ttl = default_ttl;
+			goto parseclass;
+		} else {
+			fprintf(stderr, "ttl '%s': %s\n", word,
+				isc_result_totext(result));
+			goto failure;
+		}
+	}
+
+	if (isdelete) {
+		ttl = 0;
+	} else if (ttl > TTL_MAX) {
+		fprintf(stderr, "ttl '%s' is out of range (0 to %u)\n", word,
+			TTL_MAX);
+		goto failure;
+	}
+
+	/*
+	 * Read the class or type.
+	 */
+	word = nsu_strsep(&cmdline, " \t\r\n");
+parseclass:
+	if (word == NULL || *word == 0) {
+		if (isdelete) {
+			rdataclass = dns_rdataclass_any;
+			rdatatype = dns_rdatatype_any;
+			rdata->flags = DNS_RDATA_UPDATE;
+			goto doneparsing;
+		} else {
+			fprintf(stderr, "could not read class or type\n");
+			goto failure;
+		}
+	}
+	region.base = word;
+	region.length = strlen(word);
+	rdataclass = dns_rdataclass_any;
+	result = dns_rdataclass_fromtext(&rdataclass, &region);
+	if (result == ISC_R_SUCCESS && rdataclass != dns_rdataclass_any) {
+		if (!setzoneclass(rdataclass)) {
+			fprintf(stderr, "class mismatch: %s\n", word);
+			goto failure;
+		}
+		/*
+		 * Now read the type.
+		 */
+		word = nsu_strsep(&cmdline, " \t\r\n");
+		if (word == NULL || *word == 0) {
+			if (isdelete) {
+				rdataclass = dns_rdataclass_any;
+				rdatatype = dns_rdatatype_any;
+				rdata->flags = DNS_RDATA_UPDATE;
+				goto doneparsing;
+			} else {
+				fprintf(stderr, "could not read type\n");
+				goto failure;
+			}
+		}
+		region.base = word;
+		region.length = strlen(word);
+		result = dns_rdatatype_fromtext(&rdatatype, &region);
+		if (result != ISC_R_SUCCESS) {
+			fprintf(stderr, "'%s' is not a valid type: %s\n", word,
+				isc_result_totext(result));
+			goto failure;
+		}
+	} else {
+		rdataclass = getzoneclass();
+		result = dns_rdatatype_fromtext(&rdatatype, &region);
+		if (result != ISC_R_SUCCESS) {
+			fprintf(stderr,
+				"'%s' is not a valid class or type: "
+				"%s\n",
+				word, isc_result_totext(result));
+			goto failure;
+		}
+	}
+
+	retval = parse_rdata(&cmdline, rdataclass, rdatatype, updatemsg, rdata);
+	if (retval != STATUS_MORE) {
+		goto failure;
+	}
+
+	if (isdelete) {
+		if ((rdata->flags & DNS_RDATA_UPDATE) != 0) {
+			rdataclass = dns_rdataclass_any;
+		} else {
+			rdataclass = dns_rdataclass_none;
+		}
+	} else {
+		if ((rdata->flags & DNS_RDATA_UPDATE) != 0) {
+			fprintf(stderr, "could not read rdata\n");
+			goto failure;
+		}
+	}
+
+	if (!isdelete && checknames) {
+		dns_fixedname_t fixed;
+		dns_name_t *bad;
+
+		if (!dns_rdata_checkowner(name, rdata->rdclass, rdata->type,
+					  true))
+		{
+			char namebuf[DNS_NAME_FORMATSIZE];
+
+			dns_name_format(name, namebuf, sizeof(namebuf));
+			fprintf(stderr, "check-names failed: bad owner '%s'\n",
+				namebuf);
+			goto failure;
+		}
+
+		bad = dns_fixedname_initname(&fixed);
+		if (!dns_rdata_checknames(rdata, name, bad)) {
+			char namebuf[DNS_NAME_FORMATSIZE];
+
+			dns_name_format(bad, namebuf, sizeof(namebuf));
+			fprintf(stderr, "check-names failed: bad name '%s'\n",
+				namebuf);
+			goto failure;
+		}
+	}
+
+	if (!isdelete && rdata->type == dns_rdatatype_nsec3param) {
+		dns_rdata_nsec3param_t nsec3param;
+
+		result = dns_rdata_tostruct(rdata, &nsec3param, NULL);
+		check_result(result, "dns_rdata_tostruct");
+		if (nsec3param.iterations > dns_nsec3_maxiterations()) {
+			fprintf(stderr,
+				"NSEC3PARAM has excessive iterations (> %u)\n",
+				dns_nsec3_maxiterations());
+			goto failure;
+		}
+	}
+
+doneparsing:
+
+	result = dns_message_gettemprdatalist(updatemsg, &rdatalist);
+	check_result(result, "dns_message_gettemprdatalist");
+	result = dns_message_gettemprdataset(updatemsg, &rdataset);
+	check_result(result, "dns_message_gettemprdataset");
+	rdatalist->type = rdatatype;
+	rdatalist->rdclass = rdataclass;
+	rdatalist->covers = rdatatype;
+	rdatalist->ttl = (dns_ttl_t)ttl;
+	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
+	dns_rdatalist_tordataset(rdatalist, rdataset);
+	ISC_LIST_INIT(name->list);
+	ISC_LIST_APPEND(name->list, rdataset, link);
+	dns_message_addname(updatemsg, name, DNS_SECTION_UPDATE);
+	return (STATUS_MORE);
+
+failure:
+	if (name != NULL) {
+		dns_message_puttempname(updatemsg, &name);
+	}
+	dns_message_puttemprdata(updatemsg, &rdata);
+	return (STATUS_SYNTAX);
+}
+
+static uint16_t
+evaluate_update(char *cmdline) {
+	char *word;
+	bool isdelete;
+
+	ddebug("evaluate_update()");
+	word = nsu_strsep(&cmdline, " \t\r\n");
+	if (word == NULL || *word == 0) {
+		fprintf(stderr, "could not read operation code\n");
+		return (STATUS_SYNTAX);
+	}
+	if (strcasecmp(word, "delete") == 0) {
+		isdelete = true;
+	} else if (strcasecmp(word, "del") == 0) {
+		isdelete = true;
+	} else if (strcasecmp(word, "add") == 0) {
+		isdelete = false;
+	} else {
+		fprintf(stderr, "incorrect operation code: %s\n", word);
+		return (STATUS_SYNTAX);
+	}
+	return (update_addordelete(cmdline, isdelete));
+}
+
+static uint16_t
+evaluate_checknames(char *cmdline) {
+	char *word;
+
+	ddebug("evaluate_checknames()");
+	word = nsu_strsep(&cmdline, " \t\r\n");
+	if (word == NULL || *word == 0) {
+		fprintf(stderr, "could not read check-names directive\n");
+		return (STATUS_SYNTAX);
+	}
+	if (strcasecmp(word, "yes") == 0 || strcasecmp(word, "true") == 0 ||
+	    strcasecmp(word, "on") == 0)
+	{
+		checknames = true;
+	} else if (strcasecmp(word, "no") == 0 ||
+		   strcasecmp(word, "false") == 0 ||
+		   strcasecmp(word, "off") == 0)
+	{
+		checknames = false;
+	} else {
+		fprintf(stderr, "incorrect check-names directive: %s\n", word);
+		return (STATUS_SYNTAX);
+	}
+	return (STATUS_MORE);
+}
+
+static void
+setzone(dns_name_t *zonename) {
+	isc_result_t result;
+	dns_name_t *name = NULL;
+	dns_rdataset_t *rdataset = NULL;
+
+	result = dns_message_firstname(updatemsg, DNS_SECTION_ZONE);
+	if (result == ISC_R_SUCCESS) {
+		dns_message_currentname(updatemsg, DNS_SECTION_ZONE, &name);
+		dns_message_removename(updatemsg, name, DNS_SECTION_ZONE);
+		for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL;
+		     rdataset = ISC_LIST_HEAD(name->list))
+		{
+			ISC_LIST_UNLINK(name->list, rdataset, link);
+			dns_rdataset_disassociate(rdataset);
+			dns_message_puttemprdataset(updatemsg, &rdataset);
+		}
+		dns_message_puttempname(updatemsg, &name);
+	}
+
+	if (zonename != NULL) {
+		result = dns_message_gettempname(updatemsg, &name);
+		check_result(result, "dns_message_gettempname");
+		dns_name_clone(zonename, name);
+		result = dns_message_gettemprdataset(updatemsg, &rdataset);
+		check_result(result, "dns_message_gettemprdataset");
+		dns_rdataset_makequestion(rdataset, getzoneclass(),
+					  dns_rdatatype_soa);
+		ISC_LIST_INIT(name->list);
+		ISC_LIST_APPEND(name->list, rdataset, link);
+		dns_message_addname(updatemsg, name, DNS_SECTION_ZONE);
+	}
+}
+
+static void
+show_message(FILE *stream, dns_message_t *msg, const char *description) {
+	isc_result_t result;
+	isc_buffer_t *buf = NULL;
+	int bufsz;
+
+	ddebug("show_message()");
+
+	setzone(userzone);
+
+	bufsz = INITTEXT;
+	do {
+		if (bufsz > MAXTEXT) {
+			fprintf(stderr, "could not allocate large enough "
+					"buffer to display message\n");
+			exit(1);
+		}
+		if (buf != NULL) {
+			isc_buffer_free(&buf);
+		}
+		isc_buffer_allocate(gmctx, &buf, bufsz);
+		result = dns_message_totext(msg, style, 0, buf);
+		bufsz *= 2;
+	} while (result == ISC_R_NOSPACE);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "could not convert message to text format.\n");
+		isc_buffer_free(&buf);
+		return;
+	}
+	fprintf(stream, "%s\n%.*s", description,
+		(int)isc_buffer_usedlength(buf), (char *)isc_buffer_base(buf));
+	fflush(stream);
+	isc_buffer_free(&buf);
+}
+
+static uint16_t
+do_next_command(char *cmdline) {
+	char *word;
+
+	ddebug("do_next_command()");
+	word = nsu_strsep(&cmdline, " \t\r\n");
+
+	if (word == NULL || *word == 0) {
+		return (STATUS_SEND);
+	}
+	if (word[0] == ';') {
+		return (STATUS_MORE);
+	}
+	if (strcasecmp(word, "quit") == 0) {
+		return (STATUS_QUIT);
+	}
+	if (strcasecmp(word, "prereq") == 0) {
+		return (evaluate_prereq(cmdline));
+	}
+	if (strcasecmp(word, "nxdomain") == 0) {
+		return (make_prereq(cmdline, false, false));
+	}
+	if (strcasecmp(word, "yxdomain") == 0) {
+		return (make_prereq(cmdline, true, false));
+	}
+	if (strcasecmp(word, "nxrrset") == 0) {
+		return (make_prereq(cmdline, false, true));
+	}
+	if (strcasecmp(word, "yxrrset") == 0) {
+		return (make_prereq(cmdline, true, true));
+	}
+	if (strcasecmp(word, "update") == 0) {
+		return (evaluate_update(cmdline));
+	}
+	if (strcasecmp(word, "delete") == 0) {
+		return (update_addordelete(cmdline, true));
+	}
+	if (strcasecmp(word, "del") == 0) {
+		return (update_addordelete(cmdline, true));
+	}
+	if (strcasecmp(word, "add") == 0) {
+		return (update_addordelete(cmdline, false));
+	}
+	if (strcasecmp(word, "server") == 0) {
+		return (evaluate_server(cmdline));
+	}
+	if (strcasecmp(word, "local") == 0) {
+		return (evaluate_local(cmdline));
+	}
+	if (strcasecmp(word, "zone") == 0) {
+		return (evaluate_zone(cmdline));
+	}
+	if (strcasecmp(word, "class") == 0) {
+		return (evaluate_class(cmdline));
+	}
+	if (strcasecmp(word, "send") == 0) {
+		return (STATUS_SEND);
+	}
+	if (strcasecmp(word, "debug") == 0) {
+		if (debugging) {
+			ddebugging = true;
+		} else {
+			debugging = true;
+		}
+		return (STATUS_MORE);
+	}
+	if (strcasecmp(word, "ttl") == 0) {
+		return (evaluate_ttl(cmdline));
+	}
+	if (strcasecmp(word, "show") == 0) {
+		show_message(stdout, updatemsg, "Outgoing update query:");
+		return (STATUS_MORE);
+	}
+	if (strcasecmp(word, "answer") == 0) {
+		LOCK(&answer_lock);
+		if (answer != NULL) {
+			show_message(stdout, answer, "Answer:");
+		}
+		UNLOCK(&answer_lock);
+		return (STATUS_MORE);
+	}
+	if (strcasecmp(word, "key") == 0) {
+		usegsstsig = false;
+		return (evaluate_key(cmdline));
+	}
+	if (strcasecmp(word, "realm") == 0) {
+		return (evaluate_realm(cmdline));
+	}
+	if (strcasecmp(word, "check-names") == 0 ||
+	    strcasecmp(word, "checknames") == 0)
+	{
+		return (evaluate_checknames(cmdline));
+	}
+	if (strcasecmp(word, "gsstsig") == 0) {
+#ifdef GSSAPI
+		usegsstsig = true;
+		use_win2k_gsstsig = false;
+#else  /* ifdef GSSAPI */
+		fprintf(stderr, "gsstsig not supported\n");
+#endif /* ifdef GSSAPI */
+		return (STATUS_MORE);
+	}
+	if (strcasecmp(word, "oldgsstsig") == 0) {
+#ifdef GSSAPI
+		usegsstsig = true;
+		use_win2k_gsstsig = true;
+#else  /* ifdef GSSAPI */
+		fprintf(stderr, "gsstsig not supported\n");
+#endif /* ifdef GSSAPI */
+		return (STATUS_MORE);
+	}
+	if (strcasecmp(word, "help") == 0) {
+		fprintf(stdout, "nsupdate " VERSION ":\n"
+				"local address [port]      (set local "
+				"resolver)\n"
+				"server address [port]     (set master server "
+				"for zone)\n"
+				"send                      (send the update "
+				"request)\n"
+				"show                      (show the update "
+				"request)\n"
+				"answer                    (show the answer to "
+				"the last request)\n"
+				"quit                      (quit, any pending "
+				"update is not sent)\n"
+				"help                      (display this "
+				"message)\n"
+				"key [hmac:]keyname secret (use TSIG to sign "
+				"the request)\n"
+				"gsstsig                   (use GSS_TSIG to "
+				"sign the request)\n"
+				"oldgsstsig                (use Microsoft's "
+				"GSS_TSIG to sign the request)\n"
+				"zone name                 (set the zone to be "
+				"updated)\n"
+				"class CLASS               (set the zone's DNS "
+				"class, e.g. IN (default), CH)\n"
+				"check-names { on | off }  (enable / disable "
+				"check-names)\n"
+				"[prereq] nxdomain name    (require that this "
+				"name does not exist)\n"
+				"[prereq] yxdomain name    (require that this "
+				"name exists)\n"
+				"[prereq] nxrrset ....     (require that this "
+				"RRset does not exist)\n"
+				"[prereq] yxrrset ....     (require that this "
+				"RRset exists)\n"
+				"[update] add ....         (add the given "
+				"record to the zone)\n"
+				"[update] del[ete] ....    (remove the given "
+				"record(s) from the zone)\n");
+		return (STATUS_MORE);
+	}
+	if (strcasecmp(word, "version") == 0) {
+		fprintf(stdout, "nsupdate " VERSION "\n");
+		return (STATUS_MORE);
+	}
+	fprintf(stderr, "incorrect section name: %s\n", word);
+	return (STATUS_SYNTAX);
+}
+
+static uint16_t
+get_next_command(void) {
+	uint16_t result = STATUS_QUIT;
+	char cmdlinebuf[MAXCMD];
+	char *cmdline;
+
+	isc_app_block();
+	if (interactive) {
+#ifdef HAVE_READLINE
+		cmdline = readline("> ");
+		if (cmdline != NULL) {
+			add_history(cmdline);
+		}
+#else  /* ifdef HAVE_READLINE */
+		fprintf(stdout, "> ");
+		fflush(stdout);
+		cmdline = fgets(cmdlinebuf, MAXCMD, input);
+#endif /* ifdef HAVE_READLINE */
+	} else {
+		cmdline = fgets(cmdlinebuf, MAXCMD, input);
+	}
+	isc_app_unblock();
+
+	if (cmdline != NULL) {
+		char *tmp = cmdline;
+
+		/*
+		 * Normalize input by removing any eol as readline()
+		 * removes eol but fgets doesn't.
+		 */
+		(void)nsu_strsep(&tmp, "\r\n");
+		result = do_next_command(cmdline);
+	}
+#ifdef HAVE_READLINE
+	if (interactive) {
+		free(cmdline);
+	}
+#endif /* ifdef HAVE_READLINE */
+	return (result);
+}
+
+static bool
+user_interaction(void) {
+	uint16_t result = STATUS_MORE;
+
+	ddebug("user_interaction()");
+	while ((result == STATUS_MORE) || (result == STATUS_SYNTAX)) {
+		result = get_next_command();
+		if (!interactive && result == STATUS_SYNTAX) {
+			fatal("syntax error");
+		}
+	}
+	if (result == STATUS_SEND) {
+		return (true);
+	}
+	return (false);
+}
+
+static void
+done_update(void) {
+	isc_event_t *event = global_event;
+	ddebug("done_update()");
+	isc_task_send(global_task, &event);
+}
+
+static void
+check_tsig_error(dns_rdataset_t *rdataset, isc_buffer_t *b) {
+	isc_result_t result;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_any_tsig_t tsig;
+
+	result = dns_rdataset_first(rdataset);
+	check_result(result, "dns_rdataset_first");
+	dns_rdataset_current(rdataset, &rdata);
+	result = dns_rdata_tostruct(&rdata, &tsig, NULL);
+	check_result(result, "dns_rdata_tostruct");
+	if (tsig.error != 0) {
+		if (isc_buffer_remaininglength(b) < 1) {
+			check_result(ISC_R_NOSPACE, "isc_buffer_"
+						    "remaininglength");
+		}
+		isc_buffer_putstr(b, "(" /*)*/);
+		result = dns_tsigrcode_totext(tsig.error, b);
+		check_result(result, "dns_tsigrcode_totext");
+		if (isc_buffer_remaininglength(b) < 1) {
+			check_result(ISC_R_NOSPACE, "isc_buffer_"
+						    "remaininglength");
+		}
+		isc_buffer_putstr(b, /*(*/ ")");
+	}
+}
+
+static bool
+next_master(const char *caller, isc_sockaddr_t *addr, isc_result_t eresult) {
+	char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+
+	isc_sockaddr_format(addr, addrbuf, sizeof(addrbuf));
+	fprintf(stderr, "; Communication with %s failed: %s\n", addrbuf,
+		isc_result_totext(eresult));
+	if (++master_inuse >= master_total) {
+		return (false);
+	}
+	ddebug("%s: trying next server", caller);
+	return (true);
+}
+
+static void
+update_completed(isc_task_t *task, isc_event_t *event) {
+	dns_requestevent_t *reqev = NULL;
+	isc_result_t result;
+	dns_request_t *request;
+
+	UNUSED(task);
+
+	ddebug("update_completed()");
+
+	requests--;
+
+	REQUIRE(event->ev_type == DNS_EVENT_REQUESTDONE);
+	reqev = (dns_requestevent_t *)event;
+	request = reqev->request;
+
+	if (shuttingdown) {
+		dns_request_destroy(&request);
+		isc_event_free(&event);
+		maybeshutdown();
+		return;
+	}
+
+	if (reqev->result != ISC_R_SUCCESS) {
+		if (!next_master("update_completed",
+				 &master_servers[master_inuse], reqev->result))
+		{
+			seenerror = true;
+			goto done;
+		}
+
+		ddebug("Destroying request [%p]", request);
+		dns_request_destroy(&request);
+		dns_message_renderreset(updatemsg);
+		dns_message_settsigkey(updatemsg, NULL);
+		send_update(zname, &master_servers[master_inuse]);
+		isc_event_free(&event);
+		return;
+	}
+
+	LOCK(&answer_lock);
+	dns_message_create(gmctx, DNS_MESSAGE_INTENTPARSE, &answer);
+	result = dns_request_getresponse(request, answer,
+					 DNS_MESSAGEPARSE_PRESERVEORDER);
+	switch (result) {
+	case ISC_R_SUCCESS:
+		if (answer->verify_attempted) {
+			ddebug("tsig verification successful");
+		}
+		break;
+	case DNS_R_CLOCKSKEW:
+	case DNS_R_EXPECTEDTSIG:
+	case DNS_R_TSIGERRORSET:
+	case DNS_R_TSIGVERIFYFAILURE:
+	case DNS_R_UNEXPECTEDTSIG:
+	case ISC_R_FAILURE:
+#if 0
+		if (usegsstsig && answer->rcode == dns_rcode_noerror) {
+			/*
+			 * For MS DNS that violates RFC 2845, section 4.2
+			 */
+			break;
+		}
+#endif /* if 0 */
+		fprintf(stderr, "; TSIG error with server: %s\n",
+			isc_result_totext(result));
+		seenerror = true;
+		break;
+	default:
+		check_result(result, "dns_request_getresponse");
+	}
+
+	if (answer->opcode != dns_opcode_update) {
+		fatal("invalid OPCODE in response to UPDATE request");
+	}
+
+	if (answer->rcode != dns_rcode_noerror) {
+		seenerror = true;
+		if (!debugging) {
+			char buf[64];
+			isc_buffer_t b;
+			dns_rdataset_t *rds;
+
+			isc_buffer_init(&b, buf, sizeof(buf) - 1);
+			result = dns_rcode_totext(answer->rcode, &b);
+			check_result(result, "dns_rcode_totext");
+			rds = dns_message_gettsig(answer, NULL);
+			if (rds != NULL) {
+				check_tsig_error(rds, &b);
+			}
+			fprintf(stderr, "update failed: %.*s\n",
+				(int)isc_buffer_usedlength(&b), buf);
+		}
+	}
+	if (debugging) {
+		show_message(stderr, answer, "\nReply from update query:");
+	}
+	UNLOCK(&answer_lock);
+
+done:
+	dns_request_destroy(&request);
+	if (usegsstsig) {
+		dns_name_free(&tmpzonename, gmctx);
+		dns_name_free(&restart_master, gmctx);
+		dns_name_init(&tmpzonename, 0);
+		dns_name_init(&restart_master, 0);
+	}
+	isc_event_free(&event);
+	done_update();
+}
+
+static void
+send_update(dns_name_t *zone, isc_sockaddr_t *master) {
+	isc_result_t result;
+	dns_request_t *request = NULL;
+	unsigned int options = DNS_REQUESTOPT_CASE;
+	isc_sockaddr_t *srcaddr;
+
+	ddebug("send_update()");
+
+	setzone(zone);
+
+	if (usevc) {
+		options |= DNS_REQUESTOPT_TCP;
+	}
+	if (tsigkey == NULL && sig0key != NULL) {
+		result = dns_message_setsig0key(updatemsg, sig0key);
+		check_result(result, "dns_message_setsig0key");
+	}
+	if (debugging) {
+		char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+
+		isc_sockaddr_format(master, addrbuf, sizeof(addrbuf));
+		fprintf(stderr, "Sending update to %s\n", addrbuf);
+	}
+
+	if (isc_sockaddr_pf(master) == AF_INET6) {
+		srcaddr = localaddr6;
+	} else {
+		srcaddr = localaddr4;
+	}
+
+	/* Windows doesn't like the tsig name to be compressed. */
+	if (updatemsg->tsigname) {
+		updatemsg->tsigname->attributes |= DNS_NAMEATTR_NOCOMPRESS;
+	}
+
+	result = dns_request_createvia(requestmgr, updatemsg, srcaddr, master,
+				       -1, options, tsigkey, timeout,
+				       udp_timeout, udp_retries, global_task,
+				       update_completed, NULL, &request);
+	check_result(result, "dns_request_createvia");
+
+	if (debugging) {
+		show_message(stdout, updatemsg, "Outgoing update query:");
+	}
+
+	requests++;
+}
+
+static void
+next_server(const char *caller, isc_sockaddr_t *addr, isc_result_t eresult) {
+	char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+
+	isc_sockaddr_format(addr, addrbuf, sizeof(addrbuf));
+	fprintf(stderr, "; Communication with %s failed: %s\n", addrbuf,
+		isc_result_totext(eresult));
+	if (++ns_inuse >= ns_total) {
+		fatal("could not reach any name server");
+	} else {
+		ddebug("%s: trying next server", caller);
+	}
+}
+
+static void
+recvsoa(isc_task_t *task, isc_event_t *event) {
+	dns_requestevent_t *reqev = NULL;
+	dns_request_t *request = NULL;
+	isc_result_t result, eresult;
+	dns_message_t *rcvmsg = NULL;
+	dns_section_t section;
+	dns_name_t *name = NULL;
+	dns_rdataset_t *soaset = NULL;
+	dns_rdata_soa_t soa;
+	dns_rdata_t soarr = DNS_RDATA_INIT;
+	int pass = 0;
+	dns_name_t master;
+	nsu_requestinfo_t *reqinfo;
+	dns_message_t *soaquery = NULL;
+	isc_sockaddr_t *addr;
+	isc_sockaddr_t *srcaddr;
+	bool seencname = false;
+	dns_name_t tname;
+	unsigned int nlabels;
+
+	UNUSED(task);
+
+	ddebug("recvsoa()");
+
+	requests--;
+
+	REQUIRE(event->ev_type == DNS_EVENT_REQUESTDONE);
+	reqev = (dns_requestevent_t *)event;
+	request = reqev->request;
+	eresult = reqev->result;
+	reqinfo = reqev->ev_arg;
+	soaquery = reqinfo->msg;
+	addr = reqinfo->addr;
+
+	if (shuttingdown) {
+		dns_request_destroy(&request);
+		dns_message_detach(&soaquery);
+		isc_mem_put(gmctx, reqinfo, sizeof(nsu_requestinfo_t));
+		isc_event_free(&event);
+		maybeshutdown();
+		return;
+	}
+
+	if (eresult != ISC_R_SUCCESS) {
+		next_server("recvsoa", addr, eresult);
+		ddebug("Destroying request [%p]", request);
+		dns_request_destroy(&request);
+		dns_message_renderreset(soaquery);
+		dns_message_settsigkey(soaquery, NULL);
+		sendrequest(&servers[ns_inuse], soaquery, &request);
+		isc_mem_put(gmctx, reqinfo, sizeof(nsu_requestinfo_t));
+		isc_event_free(&event);
+		setzoneclass(dns_rdataclass_none);
+		return;
+	}
+
+	isc_mem_put(gmctx, reqinfo, sizeof(nsu_requestinfo_t));
+	reqinfo = NULL;
+	isc_event_free(&event);
+	reqev = NULL;
+
+	ddebug("About to create rcvmsg");
+	dns_message_create(gmctx, DNS_MESSAGE_INTENTPARSE, &rcvmsg);
+	result = dns_request_getresponse(request, rcvmsg,
+					 DNS_MESSAGEPARSE_PRESERVEORDER);
+	if (result == DNS_R_TSIGERRORSET && servers != NULL) {
+		dns_message_detach(&rcvmsg);
+		ddebug("Destroying request [%p]", request);
+		dns_request_destroy(&request);
+		reqinfo = isc_mem_get(gmctx, sizeof(nsu_requestinfo_t));
+		reqinfo->msg = soaquery;
+		reqinfo->addr = addr;
+		dns_message_renderreset(soaquery);
+		ddebug("retrying soa request without TSIG");
+
+		if (isc_sockaddr_pf(addr) == AF_INET6) {
+			srcaddr = localaddr6;
+		} else {
+			srcaddr = localaddr4;
+		}
+
+		result = dns_request_createvia(
+			requestmgr, soaquery, srcaddr, addr, -1, 0, NULL,
+			FIND_TIMEOUT * 20, FIND_TIMEOUT, 3, global_task,
+			recvsoa, reqinfo, &request);
+		check_result(result, "dns_request_createvia");
+		requests++;
+		return;
+	}
+	check_result(result, "dns_request_getresponse");
+
+	if (rcvmsg->rcode == dns_rcode_refused) {
+		next_server("recvsoa", addr, DNS_R_REFUSED);
+		dns_message_detach(&rcvmsg);
+		dns_request_destroy(&request);
+		dns_message_renderreset(soaquery);
+		dns_message_settsigkey(soaquery, NULL);
+		sendrequest(&servers[ns_inuse], soaquery, &request);
+		return;
+	}
+
+	section = DNS_SECTION_ANSWER;
+	POST(section);
+	if (debugging) {
+		show_message(stderr, rcvmsg, "Reply from SOA query:");
+	}
+
+	if (rcvmsg->opcode != dns_opcode_query) {
+		fatal("invalid OPCODE in response to SOA query");
+	}
+
+	if (rcvmsg->rcode != dns_rcode_noerror &&
+	    rcvmsg->rcode != dns_rcode_nxdomain)
+	{
+		fatal("response to SOA query was unsuccessful");
+	}
+
+	if (userzone != NULL && rcvmsg->rcode == dns_rcode_nxdomain) {
+		char namebuf[DNS_NAME_FORMATSIZE];
+		dns_name_format(userzone, namebuf, sizeof(namebuf));
+		error("specified zone '%s' does not exist (NXDOMAIN)", namebuf);
+		dns_message_detach(&rcvmsg);
+		dns_request_destroy(&request);
+		dns_message_detach(&soaquery);
+		ddebug("Out of recvsoa");
+		seenerror = true;
+		done_update();
+		return;
+	}
+
+lookforsoa:
+	if (pass == 0) {
+		section = DNS_SECTION_ANSWER;
+	} else if (pass == 1) {
+		section = DNS_SECTION_AUTHORITY;
+	} else {
+		goto droplabel;
+	}
+
+	result = dns_message_firstname(rcvmsg, section);
+	if (result != ISC_R_SUCCESS) {
+		pass++;
+		goto lookforsoa;
+	}
+	while (result == ISC_R_SUCCESS) {
+		name = NULL;
+		dns_message_currentname(rcvmsg, section, &name);
+		soaset = NULL;
+		result = dns_message_findtype(name, dns_rdatatype_soa, 0,
+					      &soaset);
+		if (result == ISC_R_SUCCESS) {
+			break;
+		}
+		if (section == DNS_SECTION_ANSWER) {
+			dns_rdataset_t *tset = NULL;
+			if (dns_message_findtype(name, dns_rdatatype_cname, 0,
+						 &tset) == ISC_R_SUCCESS ||
+			    dns_message_findtype(name, dns_rdatatype_dname, 0,
+						 &tset) == ISC_R_SUCCESS)
+			{
+				seencname = true;
+				break;
+			}
+		}
+
+		result = dns_message_nextname(rcvmsg, section);
+	}
+
+	if (soaset == NULL && !seencname) {
+		pass++;
+		goto lookforsoa;
+	}
+
+	if (seencname) {
+		goto droplabel;
+	}
+
+	if (debugging) {
+		char namestr[DNS_NAME_FORMATSIZE];
+		dns_name_format(name, namestr, sizeof(namestr));
+		fprintf(stderr, "Found zone name: %s\n", namestr);
+	}
+
+	result = dns_rdataset_first(soaset);
+	check_result(result, "dns_rdataset_first");
+
+	dns_rdata_init(&soarr);
+	dns_rdataset_current(soaset, &soarr);
+	result = dns_rdata_tostruct(&soarr, &soa, NULL);
+	check_result(result, "dns_rdata_tostruct");
+
+	dns_name_init(&master, NULL);
+	dns_name_clone(&soa.origin, &master);
+
+	if (userzone != NULL) {
+		zname = userzone;
+	} else {
+		/*
+		 * Save the zone name in case we need to try a second
+		 * address.
+		 */
+		zname = dns_fixedname_initname(&fzname);
+		dns_name_copynf(name, zname);
+	}
+
+	if (debugging) {
+		char namestr[DNS_NAME_FORMATSIZE];
+		dns_name_format(&master, namestr, sizeof(namestr));
+		fprintf(stderr, "The master is: %s\n", namestr);
+	}
+
+	if (default_servers) {
+		char serverstr[DNS_NAME_MAXTEXT + 1];
+		isc_buffer_t buf;
+		size_t size;
+
+		isc_buffer_init(&buf, serverstr, sizeof(serverstr));
+		result = dns_name_totext(&master, true, &buf);
+		check_result(result, "dns_name_totext");
+		serverstr[isc_buffer_usedlength(&buf)] = 0;
+
+		if (master_servers != NULL && master_servers != servers) {
+			isc_mem_put(gmctx, master_servers,
+				    master_alloc * sizeof(isc_sockaddr_t));
+		}
+		master_alloc = MAX_SERVERADDRS;
+		size = master_alloc * sizeof(isc_sockaddr_t);
+		master_servers = isc_mem_get(gmctx, size);
+
+		memset(master_servers, 0, size);
+		master_total = get_addresses(serverstr, dnsport, master_servers,
+					     master_alloc);
+		if (master_total == 0) {
+			seenerror = true;
+			dns_rdata_freestruct(&soa);
+			dns_message_detach(&soaquery);
+			dns_request_destroy(&request);
+			dns_message_detach(&rcvmsg);
+			ddebug("Out of recvsoa");
+			done_update();
+			return;
+		}
+		master_inuse = 0;
+	} else {
+		master_from_servers();
+	}
+	dns_rdata_freestruct(&soa);
+
+#ifdef GSSAPI
+	if (usegsstsig) {
+		dns_name_init(&tmpzonename, NULL);
+		dns_name_dup(zname, gmctx, &tmpzonename);
+		dns_name_init(&restart_master, NULL);
+		dns_name_dup(&master, gmctx, &restart_master);
+		start_gssrequest(&master);
+	} else {
+		send_update(zname, &master_servers[master_inuse]);
+		setzoneclass(dns_rdataclass_none);
+	}
+#else  /* ifdef GSSAPI */
+	send_update(zname, &master_servers[master_inuse]);
+	setzoneclass(dns_rdataclass_none);
+#endif /* ifdef GSSAPI */
+
+	dns_message_detach(&soaquery);
+	dns_request_destroy(&request);
+
+out:
+	dns_message_detach(&rcvmsg);
+	ddebug("Out of recvsoa");
+	return;
+
+droplabel:
+	result = dns_message_firstname(soaquery, DNS_SECTION_QUESTION);
+	INSIST(result == ISC_R_SUCCESS);
+	name = NULL;
+	dns_message_currentname(soaquery, DNS_SECTION_QUESTION, &name);
+	nlabels = dns_name_countlabels(name);
+	if (nlabels == 1) {
+		fatal("could not find enclosing zone");
+	}
+	dns_name_init(&tname, NULL);
+	dns_name_getlabelsequence(name, 1, nlabels - 1, &tname);
+	dns_name_clone(&tname, name);
+	dns_request_destroy(&request);
+	dns_message_renderreset(soaquery);
+	dns_message_settsigkey(soaquery, NULL);
+	sendrequest(&servers[ns_inuse], soaquery, &request);
+	goto out;
+}
+
+static void
+sendrequest(isc_sockaddr_t *destaddr, dns_message_t *msg,
+	    dns_request_t **request) {
+	isc_result_t result;
+	nsu_requestinfo_t *reqinfo;
+	isc_sockaddr_t *srcaddr;
+
+	reqinfo = isc_mem_get(gmctx, sizeof(nsu_requestinfo_t));
+	reqinfo->msg = msg;
+	reqinfo->addr = destaddr;
+
+	if (isc_sockaddr_pf(destaddr) == AF_INET6) {
+		srcaddr = localaddr6;
+	} else {
+		srcaddr = localaddr4;
+	}
+
+	result = dns_request_createvia(requestmgr, msg, srcaddr, destaddr, -1,
+				       0, default_servers ? NULL : tsigkey,
+				       FIND_TIMEOUT * 20, FIND_TIMEOUT, 3,
+				       global_task, recvsoa, reqinfo, request);
+	check_result(result, "dns_request_createvia");
+	requests++;
+}
+
+#ifdef GSSAPI
+
+/*
+ * Get the realm from the users kerberos ticket if possible
+ */
+static void
+get_ticket_realm(isc_mem_t *mctx) {
+	krb5_context ctx;
+	krb5_error_code rc;
+	krb5_ccache ccache;
+	krb5_principal princ;
+	char *name;
+	const char *ticket_realm;
+
+	rc = krb5_init_context(&ctx);
+	if (rc != 0) {
+		return;
+	}
+
+	rc = krb5_cc_default(ctx, &ccache);
+	if (rc != 0) {
+		krb5_free_context(ctx);
+		return;
+	}
+
+	rc = krb5_cc_get_principal(ctx, ccache, &princ);
+	if (rc != 0) {
+		krb5_cc_close(ctx, ccache);
+		krb5_free_context(ctx);
+		return;
+	}
+
+	rc = krb5_unparse_name(ctx, princ, &name);
+	if (rc != 0) {
+		krb5_free_principal(ctx, princ);
+		krb5_cc_close(ctx, ccache);
+		krb5_free_context(ctx);
+		return;
+	}
+
+	ticket_realm = strrchr(name, '@');
+	if (ticket_realm != NULL) {
+		realm = isc_mem_strdup(mctx, ticket_realm);
+	}
+
+	free(name);
+	krb5_free_principal(ctx, princ);
+	krb5_cc_close(ctx, ccache);
+	krb5_free_context(ctx);
+	if (realm != NULL && debugging) {
+		fprintf(stderr, "Found realm from ticket: %s\n", realm + 1);
+	}
+}
+
+static void
+failed_gssrequest() {
+	seenerror = true;
+
+	dns_name_free(&tmpzonename, gmctx);
+	dns_name_free(&restart_master, gmctx);
+	dns_name_init(&tmpzonename, NULL);
+	dns_name_init(&restart_master, NULL);
+
+	done_update();
+}
+
+static void
+start_gssrequest(dns_name_t *master) {
+	dns_gss_ctx_id_t context;
+	isc_buffer_t buf;
+	isc_result_t result;
+	uint32_t val = 0;
+	dns_message_t *rmsg = NULL;
+	dns_request_t *request = NULL;
+	dns_name_t *servname;
+	dns_fixedname_t fname;
+	char namestr[DNS_NAME_FORMATSIZE];
+	char mykeystr[DNS_NAME_FORMATSIZE];
+	char *err_message = NULL;
+
+	debug("start_gssrequest");
+	usevc = true;
+
+	if (gssring != NULL) {
+		dns_tsigkeyring_detach(&gssring);
+	}
+	gssring = NULL;
+	result = dns_tsigkeyring_create(gmctx, &gssring);
+
+	if (result != ISC_R_SUCCESS) {
+		fatal("dns_tsigkeyring_create failed: %s",
+		      isc_result_totext(result));
+	}
+
+	dns_name_format(master, namestr, sizeof(namestr));
+	if (kserver == NULL) {
+		kserver = isc_mem_get(gmctx, sizeof(isc_sockaddr_t));
+	}
+
+	memmove(kserver, &master_servers[master_inuse], sizeof(isc_sockaddr_t));
+
+	servname = dns_fixedname_initname(&fname);
+
+	if (realm == NULL) {
+		get_ticket_realm(gmctx);
+	}
+
+	result = snprintf(servicename, sizeof(servicename), "DNS/%s%s", namestr,
+			  realm ? realm : "");
+	RUNTIME_CHECK(result < sizeof(servicename));
+	isc_buffer_init(&buf, servicename, strlen(servicename));
+	isc_buffer_add(&buf, strlen(servicename));
+	result = dns_name_fromtext(servname, &buf, dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		fatal("dns_name_fromtext(servname) failed: %s",
+		      isc_result_totext(result));
+	}
+
+	keyname = dns_fixedname_initname(&fkname);
+
+	isc_nonce_buf(&val, sizeof(val));
+
+	result = snprintf(mykeystr, sizeof(mykeystr), "%u.sig-%s", val,
+			  namestr);
+	RUNTIME_CHECK(result <= sizeof(mykeystr));
+
+	isc_buffer_init(&buf, mykeystr, strlen(mykeystr));
+	isc_buffer_add(&buf, strlen(mykeystr));
+
+	result = dns_name_fromtext(keyname, &buf, dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		fatal("dns_name_fromtext(keyname) failed: %s",
+		      isc_result_totext(result));
+	}
+
+	/* Windows doesn't recognize name compression in the key name. */
+	keyname->attributes |= DNS_NAMEATTR_NOCOMPRESS;
+
+	rmsg = NULL;
+	dns_message_create(gmctx, DNS_MESSAGE_INTENTRENDER, &rmsg);
+
+	/* Build first request. */
+	context = GSS_C_NO_CONTEXT;
+	result = dns_tkey_buildgssquery(rmsg, keyname, servname, NULL, 0,
+					&context, use_win2k_gsstsig, gmctx,
+					&err_message);
+	if (result == ISC_R_FAILURE) {
+		fprintf(stderr, "tkey query failed: %s\n",
+			err_message != NULL ? err_message : "unknown error");
+		goto failure;
+	}
+	if (result != ISC_R_SUCCESS) {
+		fatal("dns_tkey_buildgssquery failed: %s",
+		      isc_result_totext(result));
+	}
+
+	send_gssrequest(kserver, rmsg, &request, context);
+	return;
+
+failure:
+	if (rmsg != NULL) {
+		dns_message_detach(&rmsg);
+	}
+	if (err_message != NULL) {
+		isc_mem_free(gmctx, err_message);
+	}
+	failed_gssrequest();
+}
+
+static void
+send_gssrequest(isc_sockaddr_t *destaddr, dns_message_t *msg,
+		dns_request_t **request, dns_gss_ctx_id_t context) {
+	isc_result_t result;
+	nsu_gssinfo_t *reqinfo;
+	unsigned int options = 0;
+	isc_sockaddr_t *srcaddr;
+
+	debug("send_gssrequest");
+	REQUIRE(destaddr != NULL);
+
+	reqinfo = isc_mem_get(gmctx, sizeof(nsu_gssinfo_t));
+	reqinfo->msg = msg;
+	reqinfo->addr = destaddr;
+	reqinfo->context = context;
+
+	options |= DNS_REQUESTOPT_TCP;
+
+	if (isc_sockaddr_pf(destaddr) == AF_INET6) {
+		srcaddr = localaddr6;
+	} else {
+		srcaddr = localaddr4;
+	}
+
+	result = dns_request_createvia(requestmgr, msg, srcaddr, destaddr, -1,
+				       options, tsigkey, FIND_TIMEOUT * 20,
+				       FIND_TIMEOUT, 3, global_task, recvgss,
+				       reqinfo, request);
+	check_result(result, "dns_request_createvia");
+	if (debugging) {
+		show_message(stdout, msg, "Outgoing update query:");
+	}
+	requests++;
+}
+
+static void
+recvgss(isc_task_t *task, isc_event_t *event) {
+	dns_requestevent_t *reqev = NULL;
+	dns_request_t *request = NULL;
+	isc_result_t result, eresult;
+	dns_message_t *rcvmsg = NULL;
+	nsu_gssinfo_t *reqinfo;
+	dns_message_t *tsigquery = NULL;
+	isc_sockaddr_t *addr;
+	dns_gss_ctx_id_t context;
+	isc_buffer_t buf;
+	dns_name_t *servname;
+	dns_fixedname_t fname;
+	char *err_message = NULL;
+
+	UNUSED(task);
+
+	ddebug("recvgss()");
+
+	requests--;
+
+	REQUIRE(event->ev_type == DNS_EVENT_REQUESTDONE);
+	reqev = (dns_requestevent_t *)event;
+	request = reqev->request;
+	eresult = reqev->result;
+	reqinfo = reqev->ev_arg;
+	tsigquery = reqinfo->msg;
+	context = reqinfo->context;
+	addr = reqinfo->addr;
+
+	if (shuttingdown) {
+		dns_request_destroy(&request);
+		dns_message_detach(&tsigquery);
+		isc_mem_put(gmctx, reqinfo, sizeof(nsu_gssinfo_t));
+		isc_event_free(&event);
+		maybeshutdown();
+		return;
+	}
+
+	if (eresult != ISC_R_SUCCESS) {
+		ddebug("Destroying request [%p]", request);
+		dns_request_destroy(&request);
+		if (!next_master("recvgss", addr, eresult)) {
+			dns_message_detach(&tsigquery);
+			failed_gssrequest();
+		} else {
+			dns_message_renderreset(tsigquery);
+			memmove(kserver, &master_servers[master_inuse],
+				sizeof(isc_sockaddr_t));
+			send_gssrequest(kserver, tsigquery, &request, context);
+		}
+		isc_mem_put(gmctx, reqinfo, sizeof(nsu_gssinfo_t));
+		isc_event_free(&event);
+		return;
+	}
+	isc_mem_put(gmctx, reqinfo, sizeof(nsu_gssinfo_t));
+
+	isc_event_free(&event);
+	reqev = NULL;
+
+	ddebug("recvgss creating rcvmsg");
+	dns_message_create(gmctx, DNS_MESSAGE_INTENTPARSE, &rcvmsg);
+
+	result = dns_request_getresponse(request, rcvmsg,
+					 DNS_MESSAGEPARSE_PRESERVEORDER);
+	check_result(result, "dns_request_getresponse");
+
+	if (debugging) {
+		show_message(stderr, rcvmsg,
+			     "recvmsg reply from GSS-TSIG query");
+	}
+
+	if (rcvmsg->opcode != dns_opcode_query) {
+		fatal("invalid OPCODE in response to GSS-TSIG query");
+	}
+
+	if (rcvmsg->rcode == dns_rcode_formerr && !tried_other_gsstsig) {
+		ddebug("recvgss trying %s GSS-TSIG",
+		       use_win2k_gsstsig ? "Standard" : "Win2k");
+		if (use_win2k_gsstsig) {
+			use_win2k_gsstsig = false;
+		} else {
+			use_win2k_gsstsig = true;
+		}
+		tried_other_gsstsig = true;
+		start_gssrequest(&restart_master);
+		goto done;
+	}
+
+	if (rcvmsg->rcode != dns_rcode_noerror &&
+	    rcvmsg->rcode != dns_rcode_nxdomain)
+	{
+		fatal("response to GSS-TSIG query was unsuccessful");
+	}
+
+	servname = dns_fixedname_initname(&fname);
+	isc_buffer_init(&buf, servicename, strlen(servicename));
+	isc_buffer_add(&buf, strlen(servicename));
+	result = dns_name_fromtext(servname, &buf, dns_rootname, 0, NULL);
+	check_result(result, "dns_name_fromtext");
+
+	tsigkey = NULL;
+	result = dns_tkey_gssnegotiate(tsigquery, rcvmsg, servname, &context,
+				       &tsigkey, gssring, use_win2k_gsstsig,
+				       &err_message);
+	switch (result) {
+	case DNS_R_CONTINUE:
+		dns_message_detach(&rcvmsg);
+		dns_request_destroy(&request);
+		send_gssrequest(kserver, tsigquery, &request, context);
+		ddebug("Out of recvgss");
+		return;
+
+	case ISC_R_SUCCESS:
+		/*
+		 * XXXSRA Waaay too much fun here.  There's no good
+		 * reason why we need a TSIG here (the people who put
+		 * it into the spec admitted at the time that it was
+		 * not a security issue), and Windows clients don't
+		 * seem to work if named complies with the spec and
+		 * includes the gratuitous TSIG.  So we're in the
+		 * bizarre situation of having to choose between
+		 * complying with a useless requirement in the spec
+		 * and interoperating.  This is nuts.  If we can
+		 * confirm this behavior, we should ask the WG to
+		 * consider removing the requirement for the
+		 * gratuitous TSIG here.  For the moment, we ignore
+		 * the TSIG -- this too is a spec violation, but it's
+		 * the least insane thing to do.
+		 */
+#if 0
+		/*
+		 * Verify the signature.
+		 */
+		rcvmsg->state = DNS_SECTION_ANY;
+		dns_message_setquerytsig(rcvmsg, NULL);
+		result = dns_message_settsigkey(rcvmsg, tsigkey);
+		check_result(result, "dns_message_settsigkey");
+		result = dns_message_checksig(rcvmsg, NULL);
+		ddebug("tsig verification: %s", dns_result_totext(result));
+		check_result(result, "dns_message_checksig");
+#endif /* 0 */
+
+		send_update(&tmpzonename, &master_servers[master_inuse]);
+		setzoneclass(dns_rdataclass_none);
+		break;
+
+	default:
+		fatal("dns_tkey_gssnegotiate: %s %s", isc_result_totext(result),
+		      err_message != NULL ? err_message : "");
+	}
+
+done:
+	dns_request_destroy(&request);
+	dns_message_detach(&tsigquery);
+
+	dns_message_detach(&rcvmsg);
+	ddebug("Out of recvgss");
+}
+#endif /* ifdef GSSAPI */
+
+static void
+start_update(void) {
+	isc_result_t result;
+	dns_rdataset_t *rdataset = NULL;
+	dns_name_t *name = NULL;
+	dns_request_t *request = NULL;
+	dns_message_t *soaquery = NULL;
+	dns_name_t *firstname;
+	dns_section_t section = DNS_SECTION_UPDATE;
+
+	ddebug("start_update()");
+
+	LOCK(&answer_lock);
+	if (answer != NULL) {
+		dns_message_detach(&answer);
+	}
+	UNLOCK(&answer_lock);
+
+	/*
+	 * If we have both the zone and the servers we have enough information
+	 * to send the update straight away otherwise we need to discover
+	 * the zone and / or the master server.
+	 */
+	if (userzone != NULL && !default_servers && !usegsstsig) {
+		master_from_servers();
+		send_update(userzone, &master_servers[master_inuse]);
+		setzoneclass(dns_rdataclass_none);
+		return;
+	}
+
+	dns_message_create(gmctx, DNS_MESSAGE_INTENTRENDER, &soaquery);
+
+	if (default_servers) {
+		soaquery->flags |= DNS_MESSAGEFLAG_RD;
+	}
+
+	result = dns_message_gettempname(soaquery, &name);
+	check_result(result, "dns_message_gettempname");
+
+	result = dns_message_gettemprdataset(soaquery, &rdataset);
+	check_result(result, "dns_message_gettemprdataset");
+
+	dns_rdataset_makequestion(rdataset, getzoneclass(), dns_rdatatype_soa);
+
+	if (userzone != NULL) {
+		dns_name_clone(userzone, name);
+	} else {
+		dns_rdataset_t *tmprdataset;
+		result = dns_message_firstname(updatemsg, section);
+		if (result == ISC_R_NOMORE) {
+			section = DNS_SECTION_PREREQUISITE;
+			result = dns_message_firstname(updatemsg, section);
+		}
+		if (result != ISC_R_SUCCESS) {
+			dns_message_puttempname(soaquery, &name);
+			dns_rdataset_disassociate(rdataset);
+			dns_message_puttemprdataset(soaquery, &rdataset);
+			dns_message_detach(&soaquery);
+			done_update();
+			return;
+		}
+		firstname = NULL;
+		dns_message_currentname(updatemsg, section, &firstname);
+		dns_name_clone(firstname, name);
+		/*
+		 * Looks to see if the first name references a DS record
+		 * and if that name is not the root remove a label as DS
+		 * records live in the parent zone so we need to start our
+		 * search one label up.
+		 */
+		tmprdataset = ISC_LIST_HEAD(firstname->list);
+		if (section == DNS_SECTION_UPDATE &&
+		    !dns_name_equal(firstname, dns_rootname) &&
+		    tmprdataset->type == dns_rdatatype_ds)
+		{
+			unsigned int labels = dns_name_countlabels(name);
+			dns_name_getlabelsequence(name, 1, labels - 1, name);
+		}
+	}
+
+	ISC_LIST_INIT(name->list);
+	ISC_LIST_APPEND(name->list, rdataset, link);
+	dns_message_addname(soaquery, name, DNS_SECTION_QUESTION);
+
+	ns_inuse = 0;
+	sendrequest(&servers[ns_inuse], soaquery, &request);
+}
+
+static void
+cleanup(void) {
+	ddebug("cleanup()");
+
+	LOCK(&answer_lock);
+	if (answer != NULL) {
+		dns_message_detach(&answer);
+	}
+	UNLOCK(&answer_lock);
+
+#ifdef GSSAPI
+	if (tsigkey != NULL) {
+		ddebug("detach tsigkey x%p", tsigkey);
+		dns_tsigkey_detach(&tsigkey);
+	}
+	if (gssring != NULL) {
+		ddebug("Detaching GSS-TSIG keyring");
+		dns_tsigkeyring_detach(&gssring);
+	}
+#endif /* ifdef GSSAPI */
+
+	if (sig0key != NULL) {
+		dst_key_free(&sig0key);
+	}
+
+	ddebug("Shutting down task manager");
+	isc_managers_destroy(&netmgr, &taskmgr);
+
+	ddebug("Destroying event");
+	isc_event_free(&global_event);
+
+	ddebug("Shutting down socket manager");
+	isc_socketmgr_destroy(&socketmgr);
+
+	ddebug("Shutting down timer manager");
+	isc_timermgr_destroy(&timermgr);
+
+#ifdef GSSAPI
+	/*
+	 * Cleanup GSSAPI resources after taskmgr has been destroyed.
+	 */
+	if (kserver != NULL) {
+		isc_mem_put(gmctx, kserver, sizeof(isc_sockaddr_t));
+		kserver = NULL;
+	}
+	if (realm != NULL) {
+		isc_mem_free(gmctx, realm);
+		realm = NULL;
+	}
+	if (dns_name_dynamic(&tmpzonename)) {
+		dns_name_free(&tmpzonename, gmctx);
+	}
+	if (dns_name_dynamic(&restart_master)) {
+		dns_name_free(&restart_master, gmctx);
+	}
+#endif /* ifdef GSSAPI */
+
+	ddebug("Removing log context");
+	isc_log_destroy(&glctx);
+
+	ddebug("Destroying memory context");
+	if (memdebugging) {
+		isc_mem_stats(gmctx, stderr);
+	}
+	isc_mem_destroy(&gmctx);
+
+	isc_mutex_destroy(&answer_lock);
+}
+
+static void
+getinput(isc_task_t *task, isc_event_t *event) {
+	bool more;
+
+	UNUSED(task);
+
+	if (shuttingdown) {
+		maybeshutdown();
+		return;
+	}
+
+	if (global_event == NULL) {
+		global_event = event;
+	}
+
+	reset_system();
+	more = user_interaction();
+	if (!more) {
+		isc_app_shutdown();
+		return;
+	}
+	start_update();
+	return;
+}
+
+int
+main(int argc, char **argv) {
+	isc_result_t result;
+	style = &dns_master_style_debug;
+
+	input = stdin;
+
+	interactive = isatty(0);
+
+	isc_app_start();
+
+	if (isc_net_probeipv4() == ISC_R_SUCCESS) {
+		have_ipv4 = true;
+	}
+	if (isc_net_probeipv6() == ISC_R_SUCCESS) {
+		have_ipv6 = true;
+	}
+	if (!have_ipv4 && !have_ipv6) {
+		fatal("could not find either IPv4 or IPv6");
+	}
+
+	pre_parse_args(argc, argv);
+
+	isc_mem_create(&gmctx);
+
+	parse_args(argc, argv);
+
+	setup_system();
+
+	result = isc_app_onrun(gmctx, global_task, getinput, NULL);
+	check_result(result, "isc_app_onrun");
+
+	(void)isc_app_run();
+
+	cleanup();
+
+	isc_app_finish();
+
+	if (seenerror) {
+		return (2);
+	} else {
+		return (0);
+	}
+}
diff --git a/bin/nsupdate/nsupdate.rst b/bin/nsupdate/nsupdate.rst
new file mode 100644
index 0000000..aad9b02
--- /dev/null
+++ b/bin/nsupdate/nsupdate.rst
@@ -0,0 +1,357 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. highlight: console
+
+.. _man_nsupdate:
+
+nsupdate - dynamic DNS update utility
+-------------------------------------
+
+Synopsis
+~~~~~~~~
+
+:program:`nsupdate` [**-d**] [**-D**] [**-i**] [**-L** level] [ [**-g**] | [**-o**] | [**-l**] | [**-y** [hmac:]keyname:secret] | [**-k** keyfile] ] [**-t** timeout] [**-u** udptimeout] [**-r** udpretries] [**-v**] [**-T**] [**-P**] [**-V**] [ [**-4**] | [**-6**] ] [filename]
+
+Description
+~~~~~~~~~~~
+
+``nsupdate`` is used to submit Dynamic DNS Update requests, as defined in
+:rfc:`2136`, to a name server. This allows resource records to be added or
+removed from a zone without manually editing the zone file. A single
+update request can contain requests to add or remove more than one
+resource record.
+
+Zones that are under dynamic control via ``nsupdate`` or a DHCP server
+should not be edited by hand. Manual edits could conflict with dynamic
+updates and cause data to be lost.
+
+The resource records that are dynamically added or removed with
+``nsupdate`` must be in the same zone. Requests are sent to the
+zone's primary server, which is identified by the MNAME field of the
+zone's SOA record.
+
+Transaction signatures can be used to authenticate the Dynamic DNS
+updates. These use the TSIG resource record type described in :rfc:`2845`,
+the SIG(0) record described in :rfc:`2535` and :rfc:`2931`, or GSS-TSIG as
+described in :rfc:`3645`.
+
+TSIG relies on a shared secret that should only be known to ``nsupdate``
+and the name server. For instance, suitable ``key`` and ``server``
+statements are added to ``/etc/named.conf`` so that the name server
+can associate the appropriate secret key and algorithm with the IP
+address of the client application that is using TSIG
+authentication. ``ddns-confgen`` can generate suitable
+configuration fragments. ``nsupdate`` uses the ``-y`` or ``-k`` options
+to provide the TSIG shared secret; these options are mutually exclusive.
+
+SIG(0) uses public key cryptography. To use a SIG(0) key, the public key
+must be stored in a KEY record in a zone served by the name server.
+
+GSS-TSIG uses Kerberos credentials. Standard GSS-TSIG mode is switched
+on with the ``-g`` flag. A non-standards-compliant variant of GSS-TSIG
+used by Windows 2000 can be switched on with the ``-o`` flag.
+
+Options
+~~~~~~~
+
+``-4``
+   This option sets use of IPv4 only.
+
+``-6``
+   This option sets use of IPv6 only.
+
+``-d``
+   This option sets debug mode, which provides tracing information about the update
+   requests that are made and the replies received from the name server.
+
+``-D``
+   This option sets extra debug mode.
+
+``-i``
+   This option forces interactive mode, even when standard input is not a terminal.
+
+``-k keyfile``
+   This option indicates the file containing the TSIG authentication key. Keyfiles may be in
+   two formats: a single file containing a ``named.conf``-format ``key``
+   statement, which may be generated automatically by ``ddns-confgen``;
+   or a pair of files whose names are of the format
+   ``K{name}.+157.+{random}.key`` and
+   ``K{name}.+157.+{random}.private``, which can be generated by
+   ``dnssec-keygen``. The ``-k`` option can also be used to specify a SIG(0)
+   key used to authenticate Dynamic DNS update requests. In this case,
+   the key specified is not an HMAC-MD5 key.
+
+``-l``
+   This option sets local-host only mode, which sets the server address to localhost
+   (disabling the ``server`` so that the server address cannot be
+   overridden). Connections to the local server use a TSIG key
+   found in ``/var/run/named/session.key``, which is automatically
+   generated by ``named`` if any local ``primary`` zone has set
+   ``update-policy`` to ``local``. The location of this key file can be
+   overridden with the ``-k`` option.
+
+``-L level``
+   This option sets the logging debug level. If zero, logging is disabled.
+
+``-p port``
+   This option sets the port to use for connections to a name server. The default is
+   53.
+
+``-P``
+   This option prints the list of private BIND-specific resource record types whose
+   format is understood by ``nsupdate``. See also the ``-T`` option.
+
+``-r udpretries``
+   This option sets the number of UDP retries. The default is 3. If zero, only one update
+   request is made.
+
+``-t timeout``
+   This option sets the maximum time an update request can take before it is aborted. The
+   default is 300 seconds. If zero, the timeout is disabled.
+
+``-T``
+   This option prints the list of IANA standard resource record types whose format is
+   understood by ``nsupdate``. ``nsupdate`` exits after the lists
+   are printed. The ``-T`` option can be combined with the ``-P``
+   option.
+
+   Other types can be entered using ``TYPEXXXXX`` where ``XXXXX`` is the
+   decimal value of the type with no leading zeros. The rdata, if
+   present, is parsed using the UNKNOWN rdata format, (<backslash>
+   <hash> <space> <length> <space> <hexstring>).
+
+``-u udptimeout``
+   This option sets the UDP retry interval. The default is 3 seconds. If zero, the
+   interval is computed from the timeout interval and number of UDP
+   retries.
+
+``-v``
+   This option specifies that TCP should be used even for small update requests. By default, ``nsupdate`` uses
+   UDP to send update requests to the name server unless they are too
+   large to fit in a UDP request, in which case TCP is used. TCP may
+   be preferable when a batch of update requests is made.
+
+``-V``
+   This option prints the version number and exits.
+
+``-y [hmac:]keyname:secret``
+   This option sets the literal TSIG authentication key. ``keyname`` is the name of the key,
+   and ``secret`` is the base64 encoded shared secret. ``hmac`` is the
+   name of the key algorithm; valid choices are ``hmac-md5``,
+   ``hmac-sha1``, ``hmac-sha224``, ``hmac-sha256``, ``hmac-sha384``, or
+   ``hmac-sha512``. If ``hmac`` is not specified, the default is
+   ``hmac-md5``, or if MD5 was disabled, ``hmac-sha256``.
+
+   NOTE: Use of the ``-y`` option is discouraged because the shared
+   secret is supplied as a command-line argument in clear text. This may
+   be visible in the output from ps1 or in a history file maintained by
+   the user's shell.
+
+Input Format
+~~~~~~~~~~~~
+
+``nsupdate`` reads input from ``filename`` or standard input. Each
+command is supplied on exactly one line of input. Some commands are for
+administrative purposes; others are either update instructions or
+prerequisite checks on the contents of the zone. These checks set
+conditions that some name or set of resource records (RRset) either
+exists or is absent from the zone. These conditions must be met if the
+entire update request is to succeed. Updates are rejected if the
+tests for the prerequisite conditions fail.
+
+Every update request consists of zero or more prerequisites and zero or
+more updates. This allows a suitably authenticated update request to
+proceed if some specified resource records are either present or missing from
+the zone. A blank input line (or the ``send`` command) causes the
+accumulated commands to be sent as one Dynamic DNS update request to the
+name server.
+
+The command formats and their meanings are as follows:
+
+``server servername port``
+   This command sends all dynamic update requests to the name server ``servername``.
+   When no server statement is provided, ``nsupdate`` sends updates
+   to the primary server of the correct zone. The MNAME field of that
+   zone's SOA record identify the primary server for that zone.
+   ``port`` is the port number on ``servername`` where the dynamic
+   update requests are sent. If no port number is specified, the default
+   DNS port number of 53 is used.
+
+   .. note:: This command has no effect when GSS-TSIG is in use.
+
+``local address port``
+   This command sends all dynamic update requests using the local ``address``. When
+   no local statement is provided, ``nsupdate`` sends updates using
+   an address and port chosen by the system. ``port`` can also
+   be used to force requests to come from a specific port. If no port number
+   is specified, the system assigns one.
+
+``zone zonename``
+   This command specifies that all updates are to be made to the zone ``zonename``.
+   If no ``zone`` statement is provided, ``nsupdate`` attempts to
+   determine the correct zone to update based on the rest of the input.
+
+``class classname``
+   This command specifies the default class. If no ``class`` is specified, the default
+   class is ``IN``.
+
+``ttl seconds``
+   This command specifies the default time-to-live, in seconds, for records to be added. The value
+   ``none`` clears the default TTL.
+
+``key hmac:keyname secret``
+   This command specifies that all updates are to be TSIG-signed using the
+   ``keyname``-``secret`` pair. If ``hmac`` is specified, it sets
+   the signing algorithm in use. The default is ``hmac-md5``; if MD5
+   was disabled, the default is ``hmac-sha256``. The ``key`` command overrides any key
+   specified on the command line via ``-y`` or ``-k``.
+
+``gsstsig``
+   This command uses GSS-TSIG to sign the updates. This is equivalent to specifying
+   ``-g`` on the command line.
+
+``oldgsstsig``
+   This command uses the Windows 2000 version of GSS-TSIG to sign the updates. This is
+   equivalent to specifying ``-o`` on the command line.
+
+``realm [realm_name]``
+   When using GSS-TSIG, this command specifies the use of ``realm_name`` rather than the default realm
+   in ``krb5.conf``. If no realm is specified, the saved realm is
+   cleared.
+
+``check-names [yes_or_no]``
+   This command turns on or off check-names processing on records to be added.
+   Check-names has no effect on prerequisites or records to be deleted.
+   By default check-names processing is on. If check-names processing
+   fails, the record is not added to the UPDATE message.
+
+``prereq nxdomain domain-name``
+   This command requires that no resource record of any type exist with the name
+   ``domain-name``.
+
+``prereq yxdomain domain-name``
+   This command requires that ``domain-name`` exist (as at least one resource
+   record, of any type).
+
+``prereq nxrrset domain-name class type``
+   This command requires that no resource record exist of the specified ``type``,
+   ``class``, and ``domain-name``. If ``class`` is omitted, IN (Internet)
+   is assumed.
+
+``prereq yxrrset domain-name class type``
+   This command requires that a resource record of the specified ``type``,
+   ``class`` and ``domain-name`` exist. If ``class`` is omitted, IN
+   (internet) is assumed.
+
+``prereq yxrrset domain-name class type data``
+   With this command, the ``data`` from each set of prerequisites of this form sharing a
+   common ``type``, ``class``, and ``domain-name`` are combined to form
+   a set of RRs. This set of RRs must exactly match the set of RRs
+   existing in the zone at the given ``type``, ``class``, and
+   ``domain-name``. The ``data`` are written in the standard text
+   representation of the resource record's RDATA.
+
+``update delete domain-name ttl class type data``
+   This command deletes any resource records named ``domain-name``. If ``type`` and
+   ``data`` are provided, only matching resource records are removed.
+   The Internet class is assumed if ``class`` is not supplied. The
+   ``ttl`` is ignored, and is only allowed for compatibility.
+
+``update add domain-name ttl class type data``
+   This command adds a new resource record with the specified ``ttl``, ``class``, and
+   ``data``.
+
+``show``
+   This command displays the current message, containing all of the prerequisites and
+   updates specified since the last send.
+
+``send``
+   This command sends the current message. This is equivalent to entering a blank
+   line.
+
+``answer``
+   This command displays the answer.
+
+``debug``
+   This command turns on debugging.
+
+``version``
+   This command prints the version number.
+
+``help``
+   This command prints a list of commands.
+
+Lines beginning with a semicolon (;) are comments and are ignored.
+
+Examples
+~~~~~~~~
+
+The examples below show how ``nsupdate`` can be used to insert and
+delete resource records from the ``example.com`` zone. Notice that the
+input in each example contains a trailing blank line, so that a group of
+commands is sent as one dynamic update request to the primary name
+server for ``example.com``.
+
+::
+
+   # nsupdate
+   > update delete oldhost.example.com A
+   > update add newhost.example.com 86400 A 172.16.1.1
+   > send
+
+Any A records for ``oldhost.example.com`` are deleted, and an A record
+for ``newhost.example.com`` with IP address 172.16.1.1 is added. The
+newly added record has a TTL of 1 day (86400 seconds).
+
+::
+
+   # nsupdate
+   > prereq nxdomain nickname.example.com
+   > update add nickname.example.com 86400 CNAME somehost.example.com
+   > send
+
+The prerequisite condition tells the name server to verify that there are
+no resource records of any type for ``nickname.example.com``. If there
+are, the update request fails. If this name does not exist, a CNAME for
+it is added. This ensures that when the CNAME is added, it cannot
+conflict with the long-standing rule in :rfc:`1034` that a name must not
+exist as any other record type if it exists as a CNAME. (The rule has
+been updated for DNSSEC in :rfc:`2535` to allow CNAMEs to have RRSIG,
+DNSKEY, and NSEC records.)
+
+Files
+~~~~~
+
+``/etc/resolv.conf``
+   Used to identify the default name server
+
+``/var/run/named/session.key``
+   Sets the default TSIG key for use in local-only mode
+
+``K{name}.+157.+{random}.key``
+   Base-64 encoding of the HMAC-MD5 key created by ``dnssec-keygen``.
+
+``K{name}.+157.+{random}.private``
+   Base-64 encoding of the HMAC-MD5 key created by ``dnssec-keygen``.
+
+See Also
+~~~~~~~~
+
+:rfc:`2136`, :rfc:`3007`, :rfc:`2104`, :rfc:`2845`, :rfc:`1034`, :rfc:`2535`, :rfc:`2931`,
+:manpage:`named(8)`, :manpage:`ddns-confgen(8)`, :manpage:`dnssec-keygen(8)`.
+
+Bugs
+~~~~
+
+The TSIG key is redundantly stored in two separate files. This is a
+consequence of ``nsupdate`` using the DST library for its cryptographic
+operations, and may change in future releases.
diff --git a/bin/nsupdate/win32/nsupdate.vcxproj.filters.in b/bin/nsupdate/win32/nsupdate.vcxproj.filters.in
new file mode 100644
index 0000000..477847e
--- /dev/null
+++ b/bin/nsupdate/win32/nsupdate.vcxproj.filters.in
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\nsupdate.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/nsupdate/win32/nsupdate.vcxproj.in b/bin/nsupdate/win32/nsupdate.vcxproj.in
new file mode 100644
index 0000000..572d939
--- /dev/null
+++ b/bin/nsupdate/win32/nsupdate.vcxproj.in
@@ -0,0 +1,119 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{C41266C7-E27E-4D60-9815-82D3B32BF82F}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>nsupdate</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;@USE_GSSAPI@USE_READLINE_STATIC;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\include;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@GSSAPI_INC@@READLINE_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\irs\include;..\..\..\lib\irs\win32\include;..\..\..\lib\bind9\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\irs\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@@READLINE_LIBD@@GSSAPI_LIB@@KRB5_LIB@libisc.lib;libdns.lib;libbind9.lib;libisccfg.lib;libirs.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;@USE_GSSAPI@USE_READLINE_STATIC;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\include;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@GSSAPI_INC@@READLINE_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\irs\include;..\..\..\lib\irs\win32\include;..\..\..\lib\bind9\include;..\..\..\lib\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\irs\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@@READLINE_LIB@@GSSAPI_LIB@@KRB5_LIB@libisc.lib;libdns.lib;libbind9.lib;libisccfg.lib;libirs.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\nsupdate.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/nsupdate/win32/nsupdate.vcxproj.user b/bin/nsupdate/win32/nsupdate.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/nsupdate/win32/nsupdate.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in
new file mode 100644
index 0000000..ad0da42
--- /dev/null
+++ b/bin/pkcs11/Makefile.in
@@ -0,0 +1,82 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	${ISC_INCLUDES}
+
+CDEFINES =
+
+ISCLIBS =	../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+
+ISCDEPLIBS =	../../lib/isc/libisc.@A@
+
+DEPLIBS =	${ISCDEPLIBS}
+
+# if FORCE_STATIC_PROVIDER: LIBS += ${PROVIDER}
+LIBS =		${ISCLIBS} @LIBS@
+
+SUBDIRS =	benchmarks
+
+TARGETS =	pkcs11-list@EXEEXT@ pkcs11-destroy@EXEEXT@ \
+		pkcs11-keygen@EXEEXT@ pkcs11-tokens@EXEEXT@
+SRCS =		pkcs11-list.c pkcs11-destroy.c \
+		pkcs11-keygen.c pkcs11-tokens.c
+OBJS =		pkcs11-list.@O@ pkcs11-destroy.@O@ \
+		pkcs11-keygen.@O@ pkcs11-tokens.@O@
+
+@BIND9_MAKE_RULES@
+
+pkcs11-list@EXEEXT@: pkcs11-list.@O@ ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
+		-o $@ pkcs11-list.@O@ ${LIBS}
+
+pkcs11-destroy@EXEEXT@: pkcs11-destroy.@O@ ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
+		-o $@ pkcs11-destroy.@O@ ${LIBS}
+
+pkcs11-keygen@EXEEXT@: pkcs11-keygen.@O@ ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
+		-o $@ pkcs11-keygen.@O@ ${LIBS}
+
+pkcs11-tokens@EXEEXT@: pkcs11-tokens.@O@ ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
+		-o $@ pkcs11-tokens.@O@ ${LIBS}
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
+
+install:: ${TARGETS} installdirs
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} pkcs11-list@EXEEXT@ \
+		${DESTDIR}${sbindir}
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} pkcs11-destroy@EXEEXT@ \
+		${DESTDIR}${sbindir}
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} pkcs11-keygen@EXEEXT@ \
+		${DESTDIR}${sbindir}
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} pkcs11-tokens@EXEEXT@ \
+		${DESTDIR}${sbindir}
+
+uninstall::
+	${LIBTOOL_MODE_UNINSTALL} rm -f /
+		${DESTDIR}${sbindir}/pkcs11-tokens@EXEEXT@
+	${LIBTOOL_MODE_UNINSTALL} rm -f /
+		${DESTDIR}${sbindir}/pkcs11-keygen@EXEEXT@
+	${LIBTOOL_MODE_UNINSTALL} rm -f /
+		${DESTDIR}${sbindir}/pkcs11-destroy@EXEEXT@
+	${LIBTOOL_MODE_UNINSTALL} rm -f /
+		${DESTDIR}${sbindir}/pkcs11-list@EXEEXT@
+
+clean distclean::
+	rm -f ${OBJS} ${TARGETS}
diff --git a/bin/pkcs11/pkcs11-destroy.c b/bin/pkcs11/pkcs11-destroy.c
new file mode 100644
index 0000000..04f9682
--- /dev/null
+++ b/bin/pkcs11/pkcs11-destroy.c
@@ -0,0 +1,268 @@
+/*
+ * Copyright (C) 2009, 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * pkcs11-destroy [-m module] [-s $slot] [-i $id | -l $label]
+ *                 [-p $pin] [ -w $wait ]
+ */
+
+/*! \file */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+
+#include <isc/commandline.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+#include <pk11/pk11.h>
+#include <pk11/result.h>
+
+#ifdef WIN32
+#define sleep(x) Sleep(x)
+#endif /* ifdef WIN32 */
+
+int
+main(int argc, char *argv[]) {
+	isc_result_t result;
+	CK_RV rv;
+	CK_SLOT_ID slot = 0;
+	CK_SESSION_HANDLE hSession;
+	CK_BYTE attr_id[2];
+	CK_OBJECT_HANDLE akey[50];
+	pk11_context_t pctx;
+	char *lib_name = NULL;
+	char *label = NULL;
+	char *pin = NULL;
+	int error = 0;
+	unsigned int id = 0, i = 0, wait = 5;
+	int c, errflg = 0;
+	CK_ULONG ulObjectCount;
+	CK_ATTRIBUTE search_template[] = { { CKA_ID, &attr_id,
+					     sizeof(attr_id) } };
+	unsigned int j, len;
+
+	while ((c = isc_commandline_parse(argc, argv, ":m:s:i:l:p:w:")) != -1) {
+		switch (c) {
+		case 'm':
+			lib_name = isc_commandline_argument;
+			break;
+		case 's':
+			slot = atoi(isc_commandline_argument);
+			break;
+		case 'i':
+			id = atoi(isc_commandline_argument);
+			id &= 0xffff;
+			break;
+		case 'l':
+			label = isc_commandline_argument;
+			break;
+		case 'p':
+			pin = isc_commandline_argument;
+			break;
+		case 'w':
+			wait = atoi(isc_commandline_argument);
+			break;
+		case ':':
+			fprintf(stderr, "Option -%c requires an operand\n",
+				isc_commandline_option);
+			errflg++;
+			break;
+		case '?':
+		default:
+			fprintf(stderr, "Unrecognised option: -%c\n",
+				isc_commandline_option);
+			errflg++;
+		}
+	}
+
+	if (errflg || (id && (label != NULL))) {
+		fprintf(stderr, "Usage:\n");
+		fprintf(stderr, "\tpkcs11-destroy [-m module] [-s slot] "
+				"{-i id | -l label} [-p pin] [-w waittime]\n");
+		exit(1);
+	}
+
+	if (id) {
+		attr_id[0] = (id >> 8) & 0xff;
+		attr_id[1] = id & 0xff;
+	} else if (label) {
+		search_template[0].type = CKA_LABEL;
+		search_template[0].pValue = label;
+		search_template[0].ulValueLen = strlen(label);
+	}
+
+	pk11_result_register();
+
+	/* Initialize the CRYPTOKI library */
+	if (lib_name != NULL) {
+		pk11_set_lib_name(lib_name);
+	}
+
+	if (pin == NULL) {
+		pin = getpass("Enter Pin: ");
+	}
+
+	result = pk11_get_session(&pctx, OP_ANY, false, true, true,
+				  (const char *)pin, slot);
+	if (result == PK11_R_NORANDOMSERVICE ||
+	    result == PK11_R_NODIGESTSERVICE || result == PK11_R_NOAESSERVICE)
+	{
+		fprintf(stderr, "Warning: %s\n", isc_result_totext(result));
+		fprintf(stderr, "This HSM will not work with BIND 9 "
+				"using native PKCS#11.\n");
+	} else if (result != ISC_R_SUCCESS) {
+		fprintf(stderr,
+			"Unrecoverable error initializing "
+			"PKCS#11: %s\n",
+			isc_result_totext(result));
+		exit(1);
+	}
+
+	memset(pin, 0, strlen(pin));
+
+	hSession = pctx.session;
+
+	rv = pkcs_C_FindObjectsInit(hSession, search_template,
+				    ((id != 0) || (label != NULL)) ? 1 : 0);
+
+	if (rv != CKR_OK) {
+		fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8lX\n", rv);
+		error = 1;
+		goto exit_session;
+	}
+
+	rv = pkcs_C_FindObjects(hSession, akey, 50, &ulObjectCount);
+	if (rv != CKR_OK) {
+		fprintf(stderr, "C_FindObjects: Error = 0x%.8lX\n", rv);
+		error = 1;
+		goto exit_search;
+	}
+
+	if (ulObjectCount == 0) {
+		printf("No matching key objects found.\n");
+		goto exit_search;
+	} else {
+		printf("Key object%s found:\n", ulObjectCount > 1 ? "s" : "");
+	}
+
+	for (i = 0; i < ulObjectCount; i++) {
+		CK_OBJECT_CLASS oclass = 0;
+		CK_BYTE labelbuf[64 + 1];
+		CK_BYTE idbuf[64];
+		CK_ATTRIBUTE attr_template[] = {
+			{ CKA_CLASS, &oclass, sizeof(oclass) },
+			{ CKA_LABEL, labelbuf, sizeof(labelbuf) - 1 },
+			{ CKA_ID, idbuf, sizeof(idbuf) }
+		};
+
+		memset(labelbuf, 0, sizeof(labelbuf));
+		memset(idbuf, 0, sizeof(idbuf));
+
+		rv = pkcs_C_GetAttributeValue(hSession, akey[i], attr_template,
+					      3);
+		if (rv != CKR_OK) {
+			fprintf(stderr,
+				"C_GetAttributeValue[%u]: rv = 0x%.8lX\n", i,
+				rv);
+			error = 1;
+			goto exit_search;
+		}
+		len = attr_template[2].ulValueLen;
+		printf("  object[%u]: class %lu, label '%s', id[%lu] ", i,
+		       oclass, labelbuf, attr_template[2].ulValueLen);
+		if (len > 4) {
+			len = 4;
+		}
+		if (len > 0) {
+			printf("0x");
+		}
+		for (j = 0; j < len; j++) {
+			printf("%02x", idbuf[j]);
+		}
+		if (attr_template[2].ulValueLen > len) {
+			printf("...\n");
+		} else {
+			printf("\n");
+		}
+	}
+
+	if (wait != 0) {
+		printf("WARNING: This action is irreversible! "
+		       "Destroying key objects in %u seconds\n  ",
+		       wait);
+		for (i = 0; i < wait; i++) {
+			printf(".");
+			fflush(stdout);
+			sleep(1);
+		}
+		printf("\n");
+	}
+
+	for (i = 0; i < ulObjectCount; i++) {
+		rv = pkcs_C_DestroyObject(hSession, akey[i]);
+		if (rv != CKR_OK) {
+			fprintf(stderr,
+				"C_DestroyObject[%u] failed: rv = 0x%.8lX\n", i,
+				rv);
+			error = 1;
+		}
+	}
+
+	if (error == 0) {
+		printf("Destruction complete.\n");
+	}
+
+exit_search:
+	rv = pkcs_C_FindObjectsFinal(hSession);
+	if (rv != CKR_OK) {
+		fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8lX\n", rv);
+		error = 1;
+	}
+
+exit_session:
+	pk11_return_session(&pctx);
+	(void)pk11_finalize();
+
+	exit(error);
+}
diff --git a/bin/pkcs11/pkcs11-destroy.rst b/bin/pkcs11/pkcs11-destroy.rst
new file mode 100644
index 0000000..bad150c
--- /dev/null
+++ b/bin/pkcs11/pkcs11-destroy.rst
@@ -0,0 +1,61 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. highlight: console
+
+.. _man_pkcs11-destroy:
+
+pkcs11-destroy - destroy PKCS#11 objects
+
+Synopsis
+~~~~~~~~
+
+:program:`pkcs11-destroy` [**-m** module] [**-s** slot] [**-i** ID] [**-l** label] [**-p** PIN] [**-w** seconds]
+
+Description
+~~~~~~~~~~~
+
+``pkcs11-destroy`` destroys keys stored in a PKCS#11 device, identified
+by their ``ID`` or ``label``.
+
+Matching keys are displayed before being destroyed. By default, there is
+a five-second delay to allow the user to interrupt the process before
+the destruction takes place.
+
+Options
+~~~~~~~
+
+``-m module``
+   This option specifies the PKCS#11 provider module. This must be the full path to a
+   shared library object implementing the PKCS#11 API for the device.
+
+``-s slot``
+   This option opens the session with the given PKCS#11 slot. The default is slot 0.
+
+``-i ID``
+   This option destroys keys with the given object ID.
+
+``-l label``
+   This option destroys keys with the given label.
+
+``-p PIN``
+   This option specifies the ``PIN`` for the device. If no ``PIN`` is provided on the command
+   line, ``pkcs11-destroy`` prompts for it.
+
+``-w seconds``
+   This option specifies how long, in seconds, to pause before carrying out key destruction. The
+   default is 5 seconds. If set to ``0``, destruction is
+   immediate.
+
+See Also
+~~~~~~~~
+
+:manpage:`pkcs11-keygen(8)`, :manpage:`pkcs11-list(8)`, :manpage:`pkcs11-tokens(8)`
diff --git a/bin/pkcs11/pkcs11-keygen.c b/bin/pkcs11/pkcs11-keygen.c
new file mode 100644
index 0000000..e1859b2
--- /dev/null
+++ b/bin/pkcs11/pkcs11-keygen.c
@@ -0,0 +1,476 @@
+/*
+ * Copyright (C) 2009, 2012, 2015 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* pkcs11-keygen - PKCS#11 key generator
+ *
+ * Create a key in the keystore of an HSM
+ *
+ * The calculation of key tag is left to the script
+ * that converts the key into a DNSKEY RR and inserts
+ * it into a zone file.
+ *
+ * usage:
+ * pkcs11-keygen [-P] [-m module] [-s slot] [-e] [-b keysize]
+ *               [-i id] [-p pin] -l label
+ *
+ */
+
+/*! \file */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+
+#include <isc/commandline.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <pk11/constants.h>
+#include <pk11/pk11.h>
+#include <pk11/result.h>
+
+/* Define static key template values */
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+/* Static arrays of data used for key template initialization */
+static CK_BYTE pk11_ecc_prime256v1[] = PK11_ECC_PRIME256V1;
+static CK_BYTE pk11_ecc_secp384r1[] = PK11_ECC_SECP384R1;
+static CK_BYTE pk11_ecx_ed25519[] = PK11_ECX_ED25519;
+static CK_BYTE pk11_ecx_ed448[] = PK11_ECX_ED448;
+
+/* Key class: RSA, ECC, ECX, or unknown */
+typedef enum { key_unknown, key_rsa, key_ecc, key_ecx } key_class_t;
+
+/*
+ * Private key template
+ */
+#define PRIVATE_LABEL	    0
+#define PRIVATE_SIGN	    1
+#define PRIVATE_TOKEN	    2
+#define PRIVATE_PRIVATE	    3
+#define PRIVATE_SENSITIVE   4
+#define PRIVATE_EXTRACTABLE 5
+#define PRIVATE_ID	    6
+#define PRIVATE_ATTRS	    7
+static CK_ATTRIBUTE private_template[] = {
+	{ CKA_LABEL, NULL_PTR, 0 },
+	{ CKA_SIGN, &truevalue, sizeof(truevalue) },
+	{ CKA_TOKEN, &truevalue, sizeof(truevalue) },
+	{ CKA_PRIVATE, &truevalue, sizeof(truevalue) },
+	{ CKA_SENSITIVE, &truevalue, sizeof(truevalue) },
+	{ CKA_EXTRACTABLE, &falsevalue, sizeof(falsevalue) },
+	{ CKA_ID, NULL_PTR, 0 }
+};
+
+/*
+ * Public key template for RSA keys
+ */
+#define RSA_LABEL	    0
+#define RSA_VERIFY	    1
+#define RSA_TOKEN	    2
+#define RSA_PRIVATE	    3
+#define RSA_MODULUS_BITS    4
+#define RSA_PUBLIC_EXPONENT 5
+#define RSA_ID		    6
+#define RSA_ATTRS	    7
+static CK_ATTRIBUTE rsa_template[] = {
+	{ CKA_LABEL, NULL_PTR, 0 },
+	{ CKA_VERIFY, &truevalue, sizeof(truevalue) },
+	{ CKA_TOKEN, &truevalue, sizeof(truevalue) },
+	{ CKA_PRIVATE, &falsevalue, sizeof(falsevalue) },
+	{ CKA_MODULUS_BITS, NULL_PTR, 0 },
+	{ CKA_PUBLIC_EXPONENT, NULL_PTR, 0 },
+	{ CKA_ID, NULL_PTR, 0 }
+};
+
+/*
+ * Public key template for ECC/ECX keys
+ */
+#define ECC_LABEL   0
+#define ECC_VERIFY  1
+#define ECC_TOKEN   2
+#define ECC_PRIVATE 3
+#define ECC_PARAMS  4
+#define ECC_ID	    5
+#define ECC_ATTRS   6
+static CK_ATTRIBUTE ecc_template[] = {
+	{ CKA_LABEL, NULL_PTR, 0 },
+	{ CKA_VERIFY, &truevalue, sizeof(truevalue) },
+	{ CKA_TOKEN, &truevalue, sizeof(truevalue) },
+	{ CKA_PRIVATE, &falsevalue, sizeof(falsevalue) },
+	{ CKA_EC_PARAMS, NULL_PTR, 0 },
+	{ CKA_ID, NULL_PTR, 0 }
+};
+
+/*
+ * Convert from text to key class.  Accepts the names of DNSSEC
+ * signing algorithms, so e.g., ECDSAP256SHA256 maps to ECC and
+ * NSEC3RSASHA1 maps to RSA.
+ */
+static key_class_t
+keyclass_fromtext(const char *name) {
+	if (name == NULL) {
+		return (key_unknown);
+	}
+
+	if (strncasecmp(name, "rsa", 3) == 0 ||
+	    strncasecmp(name, "nsec3rsa", 8) == 0)
+	{
+		return (key_rsa);
+	} else if (strncasecmp(name, "ecc", 3) == 0 ||
+		   strncasecmp(name, "ecdsa", 5) == 0)
+	{
+		return (key_ecc);
+	} else if (strncasecmp(name, "ecx", 3) == 0 ||
+		   strncasecmp(name, "ed", 2) == 0)
+	{
+		return (key_ecx);
+	} else {
+		return (key_unknown);
+	}
+}
+
+static void
+usage(void) {
+	fprintf(stderr, "Usage:\n"
+			"\tpkcs11-keygen -a algorithm -b keysize -l label\n"
+			"\t              [-P] [-m module] "
+			"[-s slot] [-e] [-S] [-i id] [-p PIN]\n");
+	exit(2);
+}
+
+int
+main(int argc, char *argv[]) {
+	isc_result_t result;
+	CK_RV rv;
+	CK_SLOT_ID slot = 0;
+	CK_MECHANISM mech;
+	CK_SESSION_HANDLE hSession;
+	char *lib_name = NULL;
+	char *pin = NULL;
+	CK_ULONG bits = 0;
+	CK_CHAR *label = NULL;
+	CK_OBJECT_HANDLE privatekey, publickey;
+	CK_BYTE exponent[5];
+	CK_ULONG expsize = 0;
+	pk11_context_t pctx;
+	int error = 0;
+	int c, errflg = 0;
+	int hide = 1, quiet = 0;
+	int idlen = 0, id_offset = 0;
+	unsigned long id = 0;
+	CK_BYTE idbuf[4];
+	CK_ULONG ulObjectCount;
+	CK_ATTRIBUTE search_template[] = { { CKA_LABEL, NULL_PTR, 0 } };
+	CK_ATTRIBUTE *public_template = NULL;
+	CK_ULONG public_attrcnt = 0, private_attrcnt = PRIVATE_ATTRS;
+	key_class_t keyclass = key_rsa;
+	pk11_optype_t op_type = OP_ANY;
+
+#define OPTIONS ":a:b:ei:l:m:Pp:qSs:"
+	while ((c = isc_commandline_parse(argc, argv, OPTIONS)) != -1) {
+		switch (c) {
+		case 'a':
+			keyclass = keyclass_fromtext(isc_commandline_argument);
+			break;
+		case 'P':
+			hide = 0;
+			break;
+		case 'm':
+			lib_name = isc_commandline_argument;
+			break;
+		case 's':
+			slot = atoi(isc_commandline_argument);
+			break;
+		case 'e':
+			expsize = 5;
+			break;
+		case 'b':
+			bits = atoi(isc_commandline_argument);
+			break;
+		case 'l':
+			/* -l option is retained for backward compatibility * */
+			label = (CK_CHAR *)isc_commandline_argument;
+			break;
+		case 'i':
+			id = strtoul(isc_commandline_argument, NULL, 0);
+			idlen = 4;
+			break;
+		case 'p':
+			pin = isc_commandline_argument;
+			break;
+		case 'q':
+			quiet = 1;
+			break;
+		case ':':
+			fprintf(stderr, "Option -%c requires an operand\n",
+				isc_commandline_option);
+			errflg++;
+			break;
+		case '?':
+		default:
+			fprintf(stderr, "Unrecognised option: -%c\n",
+				isc_commandline_option);
+			errflg++;
+		}
+	}
+
+	if (label == NULL && isc_commandline_index < argc) {
+		label = (CK_CHAR *)argv[isc_commandline_index];
+	}
+
+	if (errflg || (label == NULL)) {
+		usage();
+	}
+
+	if (expsize != 0 && keyclass != key_rsa) {
+		fprintf(stderr, "The -e option is only compatible "
+				"with RSA key generation\n");
+		exit(2);
+	}
+
+	switch (keyclass) {
+	case key_rsa:
+		op_type = OP_RSA;
+		if (expsize == 0) {
+			expsize = 3;
+		}
+		if (bits == 0) {
+			usage();
+		}
+
+		mech.mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN;
+		mech.pParameter = NULL;
+		mech.ulParameterLen = 0;
+
+		public_template = rsa_template;
+		public_attrcnt = RSA_ATTRS;
+		id_offset = RSA_ID;
+
+		/* Set public exponent to F4 or F5 */
+		exponent[0] = 0x01;
+		exponent[1] = 0x00;
+		if (expsize == 3) {
+			exponent[2] = 0x01;
+		} else {
+			exponent[2] = 0x00;
+			exponent[3] = 0x00;
+			exponent[4] = 0x01;
+		}
+
+		public_template[RSA_MODULUS_BITS].pValue = &bits;
+		public_template[RSA_MODULUS_BITS].ulValueLen = sizeof(bits);
+		public_template[RSA_PUBLIC_EXPONENT].pValue = &exponent;
+		public_template[RSA_PUBLIC_EXPONENT].ulValueLen = expsize;
+		break;
+	case key_ecc:
+		op_type = OP_ECDSA;
+		if (bits == 0) {
+			bits = 256;
+		} else if (bits != 256 && bits != 384) {
+			fprintf(stderr, "ECC keys only support bit sizes of "
+					"256 and 384\n");
+			exit(2);
+		}
+
+		mech.mechanism = CKM_EC_KEY_PAIR_GEN;
+		mech.pParameter = NULL;
+		mech.ulParameterLen = 0;
+
+		public_template = ecc_template;
+		public_attrcnt = ECC_ATTRS;
+		id_offset = ECC_ID;
+
+		if (bits == 256) {
+			public_template[4].pValue = pk11_ecc_prime256v1;
+			public_template[4].ulValueLen =
+				sizeof(pk11_ecc_prime256v1);
+		} else {
+			public_template[4].pValue = pk11_ecc_secp384r1;
+			public_template[4].ulValueLen =
+				sizeof(pk11_ecc_secp384r1);
+		}
+
+		break;
+	case key_ecx:
+		op_type = OP_EDDSA;
+		if (bits == 0) {
+			bits = 256;
+		} else if (bits != 256 && bits != 456) {
+			fprintf(stderr, "ECX keys only support bit sizes of "
+					"256 and 456\n");
+			exit(2);
+		}
+
+		mech.mechanism = CKM_EC_EDWARDS_KEY_PAIR_GEN;
+		mech.pParameter = NULL;
+		mech.ulParameterLen = 0;
+
+		public_template = ecc_template;
+		public_attrcnt = ECC_ATTRS;
+		id_offset = ECC_ID;
+
+		if (bits == 256) {
+			public_template[4].pValue = pk11_ecx_ed25519;
+			public_template[4].ulValueLen =
+				sizeof(pk11_ecx_ed25519);
+		} else {
+			public_template[4].pValue = pk11_ecx_ed448;
+			public_template[4].ulValueLen = sizeof(pk11_ecx_ed448);
+		}
+
+		break;
+	case key_unknown:
+		usage();
+	}
+
+	search_template[0].pValue = label;
+	search_template[0].ulValueLen = strlen((char *)label);
+	public_template[0].pValue = label;
+	public_template[0].ulValueLen = strlen((char *)label);
+	private_template[0].pValue = label;
+	private_template[0].ulValueLen = strlen((char *)label);
+
+	if (idlen == 0) {
+		public_attrcnt--;
+		private_attrcnt--;
+	} else {
+		if (id <= 0xffff) {
+			idlen = 2;
+			idbuf[0] = (CK_BYTE)(id >> 8);
+			idbuf[1] = (CK_BYTE)id;
+		} else {
+			idbuf[0] = (CK_BYTE)(id >> 24);
+			idbuf[1] = (CK_BYTE)(id >> 16);
+			idbuf[2] = (CK_BYTE)(id >> 8);
+			idbuf[3] = (CK_BYTE)id;
+		}
+
+		public_template[id_offset].pValue = idbuf;
+		public_template[id_offset].ulValueLen = idlen;
+		private_template[PRIVATE_ID].pValue = idbuf;
+		private_template[PRIVATE_ID].ulValueLen = idlen;
+	}
+
+	pk11_result_register();
+
+	/* Initialize the CRYPTOKI library */
+	if (lib_name != NULL) {
+		pk11_set_lib_name(lib_name);
+	}
+
+	if (pin == NULL) {
+		pin = getpass("Enter Pin: ");
+	}
+
+	result = pk11_get_session(&pctx, op_type, false, true, true,
+				  (const char *)pin, slot);
+	if (result == PK11_R_NORANDOMSERVICE ||
+	    result == PK11_R_NODIGESTSERVICE || result == PK11_R_NOAESSERVICE)
+	{
+		fprintf(stderr, "Warning: %s\n", isc_result_totext(result));
+		fprintf(stderr, "This HSM will not work with BIND 9 "
+				"using native PKCS#11.\n");
+	} else if (result != ISC_R_SUCCESS) {
+		fprintf(stderr,
+			"Unrecoverable error initializing "
+			"PKCS#11: %s\n",
+			isc_result_totext(result));
+		exit(1);
+	}
+
+	memset(pin, 0, strlen(pin));
+
+	hSession = pctx.session;
+
+	/* check if a key with the same id already exists */
+	rv = pkcs_C_FindObjectsInit(hSession, search_template, 1);
+	if (rv != CKR_OK) {
+		fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8lX\n", rv);
+		error = 1;
+		goto exit_session;
+	}
+	rv = pkcs_C_FindObjects(hSession, &privatekey, 1, &ulObjectCount);
+	if (rv != CKR_OK) {
+		fprintf(stderr, "C_FindObjects: Error = 0x%.8lX\n", rv);
+		error = 1;
+		goto exit_search;
+	}
+	if (ulObjectCount != 0) {
+		fprintf(stderr, "Key already exists.\n");
+		error = 1;
+		goto exit_search;
+	}
+
+	/* Set attributes if the key is not to be hidden */
+	if (!hide) {
+		private_template[4].pValue = &falsevalue;
+		private_template[5].pValue = &truevalue;
+	}
+
+	/* Generate Key pair for signing/verifying */
+	rv = pkcs_C_GenerateKeyPair(hSession, &mech, public_template,
+				    public_attrcnt, private_template,
+				    private_attrcnt, &publickey, &privatekey);
+
+	if (rv != CKR_OK) {
+		fprintf(stderr, "C_GenerateKeyPair: Error = 0x%.8lX\n", rv);
+		error = 1;
+	} else if (!quiet) {
+		printf("Key pair generation complete.\n");
+	}
+
+exit_search:
+	rv = pkcs_C_FindObjectsFinal(hSession);
+	if (rv != CKR_OK) {
+		fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8lX\n", rv);
+		error = 1;
+	}
+
+exit_session:
+	pk11_return_session(&pctx);
+	(void)pk11_finalize();
+
+	exit(error);
+}
diff --git a/bin/pkcs11/pkcs11-keygen.rst b/bin/pkcs11/pkcs11-keygen.rst
new file mode 100644
index 0000000..9ce2fba
--- /dev/null
+++ b/bin/pkcs11/pkcs11-keygen.rst
@@ -0,0 +1,80 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. highlight: console
+
+.. _man_pkcs11-keygen:
+
+pkcs11-keygen - generate keys on a PKCS#11 device
+-------------------------------------------------
+
+Synopsis
+~~~~~~~~
+
+:program:`pkcs11-keygen` [**-a** algorithm] [**-b** keysize] [**-e**] [**-i** id] [**-m** module] [**-P**] [**-p** PIN] [**-q**] [**-S**] [**-s** slot] label
+
+Description
+~~~~~~~~~~~
+
+``pkcs11-keygen`` causes a PKCS#11 device to generate a new key pair
+with the given ``label`` (which must be unique) and with ``keysize``
+bits of prime.
+
+Options
+~~~~~~~
+
+``-a algorithm``
+   This option specifies the key algorithm class: supported classes are RSA, DSA, DH,
+   ECC, and ECX. In addition to these strings, the ``algorithm`` can be
+   specified as a DNSSEC signing algorithm to be used with this
+   key; for example, NSEC3RSASHA1 maps to RSA, ECDSAP256SHA256 maps to
+   ECC, and ED25519 to ECX. The default class is ``RSA``.
+
+``-b keysize``
+   This option creates the key pair with ``keysize`` bits of prime. For ECC keys, the
+   only valid values are 256 and 384, and the default is 256. For ECX
+   keys, the only valid values are 256 and 456, and the default is 256.
+
+``-e``
+   For RSA keys only, this option specifies use of a large exponent.
+
+``-i id``
+   This option creates key objects with ``id``. The ID is either an unsigned short 2-byte
+   or an unsigned long 4-byte number.
+
+``-m module``
+   This option specifies the PKCS#11 provider module. This must be the full path to a
+   shared library object implementing the PKCS#11 API for the device.
+
+``-P``
+   This option sets the new private key to be non-sensitive and extractable, and
+   allows the private key data to be read from the PKCS#11 device. The
+   default is for private keys to be sensitive and non-extractable.
+
+``-p PIN``
+   This option specifies the ``PIN`` for the device. If no ``PIN`` is provided on the command
+   line, ``pkcs11-keygen`` prompts for it.
+
+``-q``
+   This option sets quiet mode, which suppresses unnecessary output.
+
+``-S``
+   For Diffie-Hellman (DH) keys only, this option specifies use of a special prime of 768-, 1024-,
+   or 1536-bit size and base (AKA generator) 2. If not specified, bit
+   size defaults to 1024.
+
+``-s slot``
+   This option opens the session with the given PKCS#11 slot. The default is slot 0.
+
+See Also
+~~~~~~~~
+
+:manpage:`pkcs11-destroy(8)`, :manpage:`pkcs11-list(8)`, :manpage:`pkcs11-tokens(8)`, :manpage:`dnssec-keyfromlabel(8)`
diff --git a/bin/pkcs11/pkcs11-list.c b/bin/pkcs11/pkcs11-list.c
new file mode 100644
index 0000000..1fdd8a8
--- /dev/null
+++ b/bin/pkcs11/pkcs11-list.c
@@ -0,0 +1,277 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* pkcs11-list [-P] [-m module] [-s slot] [-i $id | -l $label] [-p $pin] */
+
+/*! \file */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+
+#include <isc/commandline.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+#include <pk11/pk11.h>
+#include <pk11/result.h>
+
+int
+main(int argc, char *argv[]) {
+	isc_result_t result;
+	CK_RV rv;
+	CK_SLOT_ID slot = 0;
+	CK_SESSION_HANDLE hSession;
+	CK_BYTE attr_id[2];
+	CK_OBJECT_HANDLE akey[50];
+	pk11_context_t pctx;
+	char *lib_name = NULL;
+	char *label = NULL;
+	char *pin = NULL;
+	bool error = false, logon = true, all = false;
+	unsigned int i = 0, id = 0;
+	int c, errflg = 0;
+	CK_ULONG ulObjectCount;
+	CK_ATTRIBUTE search_template[] = { { CKA_ID, &attr_id,
+					     sizeof(attr_id) } };
+
+	while ((c = isc_commandline_parse(argc, argv, ":m:s:i:l:p:P")) != -1) {
+		switch (c) {
+		case 'P':
+			logon = false;
+			break;
+		case 'm':
+			lib_name = isc_commandline_argument;
+			break;
+		case 's':
+			slot = atoi(isc_commandline_argument);
+			break;
+		case 'i':
+			id = atoi(isc_commandline_argument);
+			id &= 0xffff;
+			break;
+		case 'l':
+			label = isc_commandline_argument;
+			break;
+		case 'p':
+			pin = isc_commandline_argument;
+			break;
+		case ':':
+			fprintf(stderr, "Option -%c requires an operand\n",
+				isc_commandline_option);
+			errflg++;
+			break;
+		case '?':
+		default:
+			fprintf(stderr, "Unrecognised option: -%c\n",
+				isc_commandline_option);
+			errflg++;
+		}
+	}
+
+	if (errflg) {
+		fprintf(stderr, "Usage:\n");
+		fprintf(stderr, "\tpkcs11-list [-P] [-m module] [-s slot] "
+				"[-i id | -l label] [-p pin]\n");
+		exit(1);
+	}
+
+	if (!id && (label == NULL)) {
+		all = true;
+	}
+
+	if (slot) {
+		printf("slot %lu\n", slot);
+	}
+
+	if (id) {
+		printf("id %u\n", id);
+		attr_id[0] = (id >> 8) & 0xff;
+		attr_id[1] = id & 0xff;
+	} else if (label != NULL) {
+		printf("label %s\n", label);
+		search_template[0].type = CKA_LABEL;
+		search_template[0].pValue = label;
+		search_template[0].ulValueLen = strlen(label);
+	}
+
+	pk11_result_register();
+
+	/* Initialize the CRYPTOKI library */
+	if (lib_name != NULL) {
+		pk11_set_lib_name(lib_name);
+	}
+
+	if (logon && pin == NULL) {
+		pin = getpass("Enter Pin: ");
+	}
+
+	result = pk11_get_session(&pctx, OP_ANY, false, false, logon, pin,
+				  slot);
+	if (result == PK11_R_NORANDOMSERVICE ||
+	    result == PK11_R_NODIGESTSERVICE || result == PK11_R_NOAESSERVICE)
+	{
+		fprintf(stderr, "Warning: %s\n", isc_result_totext(result));
+		fprintf(stderr, "This HSM will not work with BIND 9 "
+				"using native PKCS#11.\n");
+	} else if (result != ISC_R_SUCCESS) {
+		fprintf(stderr,
+			"Unrecoverable error initializing "
+			"PKCS#11: %s\n",
+			isc_result_totext(result));
+		fprintf(stderr,
+			"Unrecoverable error initializing "
+			"PKCS#11: %s\n",
+			isc_result_totext(result));
+		exit(1);
+	}
+
+	if (pin != NULL) {
+		memset(pin, 0, strlen(pin));
+	}
+
+	hSession = pctx.session;
+
+	rv = pkcs_C_FindObjectsInit(hSession, search_template, all ? 0 : 1);
+	if (rv != CKR_OK) {
+		fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8lX\n", rv);
+		error = 1;
+		goto exit_session;
+	}
+
+	ulObjectCount = 1;
+	while (ulObjectCount) {
+		rv = pkcs_C_FindObjects(hSession, akey, 50, &ulObjectCount);
+		if (rv != CKR_OK) {
+			fprintf(stderr, "C_FindObjects: Error = 0x%.8lX\n", rv);
+			error = 1;
+			goto exit_search;
+		}
+		for (i = 0; i < ulObjectCount; i++) {
+			unsigned int j, len;
+
+			CK_OBJECT_CLASS oclass = 0;
+			CK_BYTE labelbuf[64 + 1];
+			CK_BYTE idbuf[64];
+			CK_BBOOL extract = TRUE;
+			CK_BBOOL never = FALSE;
+			CK_ATTRIBUTE template[] = {
+				{ CKA_CLASS, &oclass, sizeof(oclass) },
+				{ CKA_LABEL, labelbuf, sizeof(labelbuf) - 1 },
+				{ CKA_ID, idbuf, sizeof(idbuf) }
+			};
+			CK_ATTRIBUTE priv_template[] = {
+				{ CKA_EXTRACTABLE, &extract, sizeof(extract) },
+				{ CKA_NEVER_EXTRACTABLE, &never, sizeof(never) }
+			};
+
+			memset(labelbuf, 0, sizeof(labelbuf));
+			memset(idbuf, 0, sizeof(idbuf));
+
+			rv = pkcs_C_GetAttributeValue(hSession, akey[i],
+						      template, 3);
+			if (rv != CKR_OK) {
+				fprintf(stderr,
+					"C_GetAttributeValue[%u]: "
+					"rv = 0x%.8lX\n",
+					i, rv);
+				if (rv == CKR_BUFFER_TOO_SMALL) {
+					fprintf(stderr,
+						"%u too small: %lu %lu %lu\n",
+						i, template[0].ulValueLen,
+						template[1].ulValueLen,
+						template[2].ulValueLen);
+				}
+				error = 1;
+				continue;
+			}
+
+			len = template[2].ulValueLen;
+			printf("object[%u]: handle %lu class %lu "
+			       "label[%lu] '%s' id[%lu] ",
+			       i, akey[i], oclass, template[1].ulValueLen,
+			       labelbuf, template[2].ulValueLen);
+			if (len == 2) {
+				id = (idbuf[0] << 8) & 0xff00;
+				id |= idbuf[1] & 0xff;
+				printf("%u", id);
+			} else {
+				if (len > 8) {
+					len = 8;
+				}
+				if (len > 0) {
+					printf("0x");
+				}
+				for (j = 0; j < len; j++) {
+					printf("%02x", idbuf[j]);
+				}
+				if (template[2].ulValueLen > len) {
+					printf("...");
+				}
+			}
+			if ((oclass == CKO_PRIVATE_KEY ||
+			     oclass == CKO_SECRET_KEY) &&
+			    pkcs_C_GetAttributeValue(hSession, akey[i],
+						     priv_template,
+						     2) == CKR_OK)
+			{
+				printf(" E:%s",
+				       extract ? "true"
+					       : (never ? "never" : "false"));
+			}
+			printf("\n");
+		}
+	}
+
+exit_search:
+	rv = pkcs_C_FindObjectsFinal(hSession);
+	if (rv != CKR_OK) {
+		fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8lX\n", rv);
+		error = 1;
+	}
+
+exit_session:
+	pk11_return_session(&pctx);
+	(void)pk11_finalize();
+
+	exit(error);
+}
diff --git a/bin/pkcs11/pkcs11-list.rst b/bin/pkcs11/pkcs11-list.rst
new file mode 100644
index 0000000..5cfe2da
--- /dev/null
+++ b/bin/pkcs11/pkcs11-list.rst
@@ -0,0 +1,56 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. highlight: console
+
+.. _man_pkcs11-list:
+
+pkcs11-list - list PKCS#11 objects
+----------------------------------
+
+:program:`pkcs11-list` [**-P**] [**-m** module] [**-s** slot] [**-i** ID **] [-l** label] [**-p** PIN]
+
+Description
+~~~~~~~~~~~
+
+``pkcs11-list`` lists the PKCS#11 objects with ``ID`` or ``label`` or, by
+default, all objects. The object class, label, and ID are displayed for
+all keys. For private or secret keys, the extractability attribute is
+also displayed, as either ``true``, ``false``, or ``never``.
+
+Options
+~~~~~~~
+
+``-P``
+   This option lists only the public objects. (Note that on some PKCS#11 devices, all
+   objects are private.)
+
+``-m module``
+   This option specifies the PKCS#11 provider module. This must be the full path to a
+   shared library object implementing the PKCS#11 API for the device.
+
+``-s slot``
+   This option opens the session with the given PKCS#11 slot. The default is slot 0.
+
+``-i ID``
+   This option lists only key objects with the given object ID.
+
+``-l label``
+   This option lists only key objects with the given label.
+
+``-p PIN``
+   This option specifies the ``PIN`` for the device. If no ``PIN`` is provided on the command
+   line, ``pkcs11-list`` prompts for it.
+
+See Also
+~~~~~~~~
+
+:manpage:`pkcs11-destroy(8)`, :manpage:`pkcs11-keygen(8)`, :manpage:`pkcs11-tokens(8)`
diff --git a/bin/pkcs11/pkcs11-tokens.c b/bin/pkcs11/pkcs11-tokens.c
new file mode 100644
index 0000000..e95fa4c
--- /dev/null
+++ b/bin/pkcs11/pkcs11-tokens.c
@@ -0,0 +1,103 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* pkcs11-tokens [-m module] */
+
+/*! \file */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+
+#include <isc/commandline.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+#include <pk11/pk11.h>
+#include <pk11/result.h>
+
+int
+main(int argc, char *argv[]) {
+	isc_result_t result;
+	char *lib_name = NULL;
+	int c, errflg = 0;
+	isc_mem_t *mctx = NULL;
+	pk11_context_t pctx;
+
+	while ((c = isc_commandline_parse(argc, argv, ":m:v")) != -1) {
+		switch (c) {
+		case 'm':
+			lib_name = isc_commandline_argument;
+			break;
+		case 'v':
+			pk11_verbose_init = true;
+			break;
+		case ':':
+			fprintf(stderr, "Option -%c requires an operand\n",
+				isc_commandline_option);
+			errflg++;
+			break;
+		case '?':
+		default:
+			fprintf(stderr, "Unrecognised option: -%c\n",
+				isc_commandline_option);
+			errflg++;
+		}
+	}
+
+	if (errflg) {
+		fprintf(stderr, "Usage:\n");
+		fprintf(stderr, "\tpkcs11-tokens [-v] [-m module]\n");
+		exit(1);
+	}
+
+	isc_mem_create(&mctx);
+
+	pk11_result_register();
+
+	/* Initialize the CRYPTOKI library */
+	if (lib_name != NULL) {
+		pk11_set_lib_name(lib_name);
+	}
+
+	result = pk11_get_session(&pctx, OP_ANY, true, false, false, NULL, 0);
+	if (result == PK11_R_NORANDOMSERVICE ||
+	    result == PK11_R_NODIGESTSERVICE || result == PK11_R_NOAESSERVICE)
+	{
+		fprintf(stderr, "Warning: %s\n", isc_result_totext(result));
+		fprintf(stderr, "This HSM will not work with BIND 9 "
+				"using native PKCS#11.\n\n");
+	} else if ((result != ISC_R_SUCCESS) && (result != ISC_R_NOTFOUND)) {
+		fprintf(stderr,
+			"Unrecoverable error initializing "
+			"PKCS#11: %s\n",
+			isc_result_totext(result));
+		exit(1);
+	}
+
+	pk11_dump_tokens();
+
+	if (pctx.handle != NULL) {
+		pk11_return_session(&pctx);
+	}
+	(void)pk11_finalize();
+
+	isc_mem_destroy(&mctx);
+
+	exit(0);
+}
diff --git a/bin/pkcs11/pkcs11-tokens.rst b/bin/pkcs11/pkcs11-tokens.rst
new file mode 100644
index 0000000..3612105
--- /dev/null
+++ b/bin/pkcs11/pkcs11-tokens.rst
@@ -0,0 +1,43 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. highlight: console
+
+.. _man_pkcs11-tokens:
+
+pkcs11-tokens - list PKCS#11 available tokens
+---------------------------------------------
+
+Synopsis
+~~~~~~~~
+
+:program:`pkcs11-tokens` [**-m** module] [**-v**]
+
+Description
+~~~~~~~~~~~
+
+``pkcs11-tokens`` lists the PKCS#11 available tokens with defaults from
+the slot/token scan performed at application initialization.
+
+Options
+~~~~~~~
+
+``-m module``
+   This option specifies the PKCS#11 provider module. This must be the full path to a
+   shared library object implementing the PKCS#11 API for the device.
+
+``-v``
+   This option makes the PKCS#11 libisc initialization verbose.
+
+See Also
+~~~~~~~~
+
+:manpage:`pkcs11-destroy(8)`, :manpage:`pkcs11-keygen(8)`, :manpage:`pkcs11-list(8)`
diff --git a/bin/pkcs11/win32/pk11destroy.vcxproj.filters.in b/bin/pkcs11/win32/pk11destroy.vcxproj.filters.in
new file mode 100644
index 0000000..bdcc431
--- /dev/null
+++ b/bin/pkcs11/win32/pk11destroy.vcxproj.filters.in
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\pkcs11-destroy.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/pkcs11/win32/pk11destroy.vcxproj.in b/bin/pkcs11/win32/pk11destroy.vcxproj.in
new file mode 100644
index 0000000..4e006d5
--- /dev/null
+++ b/bin/pkcs11/win32/pk11destroy.vcxproj.in
@@ -0,0 +1,121 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{5B3137E5-7E1F-49AA-8810-A09AA417D326}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>pk11destroy</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+    <TargetName>pkcs11-destroy</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+    <TargetName>pkcs11-destroy</TargetName>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;@PK11_LIB_LOCATION@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;@PK11_LIB_LOCATION@NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\pkcs11-destroy.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/pkcs11/win32/pk11destroy.vcxproj.user b/bin/pkcs11/win32/pk11destroy.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/pkcs11/win32/pk11destroy.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/pkcs11/win32/pk11keygen.vcxproj.filters.in b/bin/pkcs11/win32/pk11keygen.vcxproj.filters.in
new file mode 100644
index 0000000..412ff86
--- /dev/null
+++ b/bin/pkcs11/win32/pk11keygen.vcxproj.filters.in
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\pkcs11-keygen.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/pkcs11/win32/pk11keygen.vcxproj.in b/bin/pkcs11/win32/pk11keygen.vcxproj.in
new file mode 100644
index 0000000..137d251
--- /dev/null
+++ b/bin/pkcs11/win32/pk11keygen.vcxproj.in
@@ -0,0 +1,121 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{5042D371-0402-4FA3-A52A-769708694422}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>pk11keygen</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+    <TargetName>pkcs11-keygen</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+    <TargetName>pkcs11-keygen</TargetName>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;@PK11_LIB_LOCATION@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;@PK11_LIB_LOCATION@NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\pkcs11-keygen.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/pkcs11/win32/pk11keygen.vcxproj.user b/bin/pkcs11/win32/pk11keygen.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/pkcs11/win32/pk11keygen.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/pkcs11/win32/pk11list.vcxproj.filters.in b/bin/pkcs11/win32/pk11list.vcxproj.filters.in
new file mode 100644
index 0000000..6944afd
--- /dev/null
+++ b/bin/pkcs11/win32/pk11list.vcxproj.filters.in
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\pkcs11-list.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/pkcs11/win32/pk11list.vcxproj.in b/bin/pkcs11/win32/pk11list.vcxproj.in
new file mode 100644
index 0000000..52c6f02
--- /dev/null
+++ b/bin/pkcs11/win32/pk11list.vcxproj.in
@@ -0,0 +1,121 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{C663B088-F7BC-4C8C-8D06-A76636EED651}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>pk11list</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+    <TargetName>pkcs11-list</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+    <TargetName>pkcs11-list</TargetName>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;@PK11_LIB_LOCATION@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;@PK11_LIB_LOCATION@NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\pkcs11-list.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/pkcs11/win32/pk11list.vcxproj.user b/bin/pkcs11/win32/pk11list.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/pkcs11/win32/pk11list.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/pkcs11/win32/pk11tokens.vcxproj.filters.in b/bin/pkcs11/win32/pk11tokens.vcxproj.filters.in
new file mode 100644
index 0000000..7c3b8ed
--- /dev/null
+++ b/bin/pkcs11/win32/pk11tokens.vcxproj.filters.in
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\pkcs11-tokens.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/pkcs11/win32/pk11tokens.vcxproj.in b/bin/pkcs11/win32/pk11tokens.vcxproj.in
new file mode 100644
index 0000000..7bb41cb
--- /dev/null
+++ b/bin/pkcs11/win32/pk11tokens.vcxproj.in
@@ -0,0 +1,121 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{403FD4B1-A4F9-4159-9013-5860E3A4417D}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>pk11tokens</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+    <TargetName>pkcs11-tokens</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+    <TargetName>pkcs11-tokens</TargetName>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;@PK11_LIB_LOCATION@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;@PK11_LIB_LOCATION@NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\pkcs11-tokens.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/pkcs11/win32/pk11tokens.vcxproj.user b/bin/pkcs11/win32/pk11tokens.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/pkcs11/win32/pk11tokens.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/plugins/Makefile.in b/bin/plugins/Makefile.in
new file mode 100644
index 0000000..4bd606a
--- /dev/null
+++ b/bin/plugins/Makefile.in
@@ -0,0 +1,67 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	-I${srcdir}/include -I${srcdir}/unix/include -I. \
+		${NS_INCLUDES} ${DNS_INCLUDES} \
+		${ISCCFG_INCLUDES} ${ISC_INCLUDES}
+
+DNSLIBS =	../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
+ISCLIBS =	../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+NSLIBS =	../../lib/ns/libns.@A@
+
+LIBS =
+
+SO_TARGETS =	lib/filter-aaaa.@SO@
+SO_INSTALL =	filter-aaaa.@SO@
+TARGETS =	@SO_TARGETS@
+
+SO_OBJS =	filter-aaaa.@O@
+SO_SRCS =	filter-aaaa.c
+
+CFLAGS =	@CFLAGS@ @SO_CFLAGS@
+SO_LDFLAGS =	@LDFLAGS@ @SO_LDFLAGS@
+
+@BIND9_MAKE_RULES@
+
+lib/filter-aaaa.@SO@: filter-aaaa.@SO@
+	$(SHELL) ${top_srcdir}/mkinstalldirs `pwd`/lib
+	${LIBTOOL_MODE_INSTALL} ${INSTALL} filter-aaaa.@SO@ `pwd`/lib
+
+filter-aaaa.@SO@: filter-aaaa.@O@
+	${LIBTOOL_MODE_LINK} @SO_LD@ ${SO_LDFLAGS} -o $@ \
+		filter-aaaa.@O@ ${LIBS}
+
+clean distclean::
+	rm -f filter-aaaa.so
+	rm -f ${TARGETS} ${OBJS}
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${plugindir}
+
+install:: @SO_TARGETS@ installdirs
+	for i in ${SO_INSTALL} ; \
+	do \
+		if test -f $$i ; \
+		then \
+			${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} $$i \
+				 ${DESTDIR}${plugindir}; \
+		fi \
+	done
+
+uninstall::
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${plugindir}/filter-aaaa.@SO@
diff --git a/bin/plugins/filter-aaaa.c b/bin/plugins/filter-aaaa.c
new file mode 100644
index 0000000..265da26
--- /dev/null
+++ b/bin/plugins/filter-aaaa.c
@@ -0,0 +1,881 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <string.h>
+
+#include <isc/buffer.h>
+#include <isc/hash.h>
+#include <isc/ht.h>
+#include <isc/lib.h>
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/netaddr.h>
+#include <isc/result.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <dns/acl.h>
+#include <dns/db.h>
+#include <dns/enumtype.h>
+#include <dns/log.h>
+#include <dns/message.h>
+#include <dns/rdataset.h>
+#include <dns/result.h>
+#include <dns/types.h>
+#include <dns/view.h>
+
+#include <isccfg/aclconf.h>
+#include <isccfg/cfg.h>
+#include <isccfg/grammar.h>
+
+#include <ns/client.h>
+#include <ns/hooks.h>
+#include <ns/log.h>
+#include <ns/query.h>
+#include <ns/types.h>
+
+#define CHECK(op)                              \
+	do {                                   \
+		result = (op);                 \
+		if (result != ISC_R_SUCCESS) { \
+			goto cleanup;          \
+		}                              \
+	} while (0)
+
+/*
+ * Possible values for the settings of filter-aaaa-on-v4 and
+ * filter-aaaa-on-v6: "no" is NONE, "yes" is FILTER, "break-dnssec"
+ * is BREAK_DNSSEC.
+ */
+typedef enum { NONE = 0, FILTER = 1, BREAK_DNSSEC = 2 } filter_aaaa_t;
+
+/*
+ * Persistent data for use by this module. This will be associated
+ * with client object address in the hash table, and will remain
+ * accessible until the client object is detached.
+ */
+typedef struct filter_data {
+	filter_aaaa_t mode;
+	uint32_t flags;
+} filter_data_t;
+
+typedef struct filter_instance {
+	ns_plugin_t *module;
+	isc_mem_t *mctx;
+
+	/*
+	 * Hash table associating a client object with its persistent data.
+	 */
+	isc_ht_t *ht;
+	isc_mutex_t hlock;
+
+	/*
+	 * Values configured when the module is loaded.
+	 */
+	filter_aaaa_t v4_aaaa;
+	filter_aaaa_t v6_aaaa;
+	dns_acl_t *aaaa_acl;
+} filter_instance_t;
+
+/*
+ * Per-client flags set by this module
+ */
+#define FILTER_AAAA_RECURSING 0x0001 /* Recursing for A */
+#define FILTER_AAAA_FILTERED  0x0002 /* AAAA was removed from answer */
+
+/*
+ * Client attribute tests.
+ */
+#define WANTDNSSEC(c)  (((c)->attributes & NS_CLIENTATTR_WANTDNSSEC) != 0)
+#define RECURSIONOK(c) (((c)->query.attributes & NS_QUERYATTR_RECURSIONOK) != 0)
+
+/*
+ * Forward declarations of functions referenced in install_hooks().
+ */
+static ns_hookresult_t
+filter_qctx_initialize(void *arg, void *cbdata, isc_result_t *resp);
+static ns_hookresult_t
+filter_respond_begin(void *arg, void *cbdata, isc_result_t *resp);
+static ns_hookresult_t
+filter_respond_any_found(void *arg, void *cbdata, isc_result_t *resp);
+static ns_hookresult_t
+filter_prep_response_begin(void *arg, void *cbdata, isc_result_t *resp);
+static ns_hookresult_t
+filter_query_done_send(void *arg, void *cbdata, isc_result_t *resp);
+static ns_hookresult_t
+filter_qctx_destroy(void *arg, void *cbdata, isc_result_t *resp);
+
+/*%
+ * Register the functions to be called at each hook point in 'hooktable', using
+ * memory context 'mctx' for allocating copies of stack-allocated structures
+ * passed to ns_hook_add().  Make sure 'inst' will be passed as the 'cbdata'
+ * argument to every callback.
+ */
+static void
+install_hooks(ns_hooktable_t *hooktable, isc_mem_t *mctx,
+	      filter_instance_t *inst) {
+	const ns_hook_t filter_init = {
+		.action = filter_qctx_initialize,
+		.action_data = inst,
+	};
+
+	const ns_hook_t filter_respbegin = {
+		.action = filter_respond_begin,
+		.action_data = inst,
+	};
+
+	const ns_hook_t filter_respanyfound = {
+		.action = filter_respond_any_found,
+		.action_data = inst,
+	};
+
+	const ns_hook_t filter_prepresp = {
+		.action = filter_prep_response_begin,
+		.action_data = inst,
+	};
+
+	const ns_hook_t filter_donesend = {
+		.action = filter_query_done_send,
+		.action_data = inst,
+	};
+
+	const ns_hook_t filter_destroy = {
+		.action = filter_qctx_destroy,
+		.action_data = inst,
+	};
+
+	ns_hook_add(hooktable, mctx, NS_QUERY_QCTX_INITIALIZED, &filter_init);
+	ns_hook_add(hooktable, mctx, NS_QUERY_RESPOND_BEGIN, &filter_respbegin);
+	ns_hook_add(hooktable, mctx, NS_QUERY_RESPOND_ANY_FOUND,
+		    &filter_respanyfound);
+	ns_hook_add(hooktable, mctx, NS_QUERY_PREP_RESPONSE_BEGIN,
+		    &filter_prepresp);
+	ns_hook_add(hooktable, mctx, NS_QUERY_DONE_SEND, &filter_donesend);
+	ns_hook_add(hooktable, mctx, NS_QUERY_QCTX_DESTROYED, &filter_destroy);
+}
+
+/**
+** Support for parsing of parameters and configuration of the module.
+**/
+
+/*
+ * Support for parsing of parameters.
+ */
+static const char *filter_aaaa_enums[] = { "break-dnssec", NULL };
+
+static isc_result_t
+parse_filter_aaaa(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	return (cfg_parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
+}
+
+static void
+doc_filter_aaaa(cfg_printer_t *pctx, const cfg_type_t *type) {
+	cfg_doc_enum_or_other(pctx, type, &cfg_type_boolean);
+}
+
+static cfg_type_t cfg_type_filter_aaaa = {
+	"filter_aaaa",	 parse_filter_aaaa, cfg_print_ustring,
+	doc_filter_aaaa, &cfg_rep_string,   filter_aaaa_enums,
+};
+
+static cfg_clausedef_t param_clauses[] = {
+	{ "filter-aaaa", &cfg_type_bracketed_aml, 0 },
+	{ "filter-aaaa-on-v4", &cfg_type_filter_aaaa, 0 },
+	{ "filter-aaaa-on-v6", &cfg_type_filter_aaaa, 0 },
+};
+
+static cfg_clausedef_t *param_clausesets[] = { param_clauses, NULL };
+
+static cfg_type_t cfg_type_parameters = {
+	"filter-aaaa-params", cfg_parse_mapbody, cfg_print_mapbody,
+	cfg_doc_mapbody,      &cfg_rep_map,	 param_clausesets
+};
+
+static isc_result_t
+parse_filter_aaaa_on(const cfg_obj_t *param_obj, const char *param_name,
+		     filter_aaaa_t *dstp) {
+	const cfg_obj_t *obj = NULL;
+	isc_result_t result;
+
+	result = cfg_map_get(param_obj, param_name, &obj);
+	if (result != ISC_R_SUCCESS) {
+		return (ISC_R_SUCCESS);
+	}
+
+	if (cfg_obj_isboolean(obj)) {
+		if (cfg_obj_asboolean(obj)) {
+			*dstp = FILTER;
+		} else {
+			*dstp = NONE;
+		}
+	} else if (strcasecmp(cfg_obj_asstring(obj), "break-dnssec") == 0) {
+		*dstp = BREAK_DNSSEC;
+	} else {
+		result = ISC_R_UNEXPECTED;
+	}
+
+	return (result);
+}
+
+static isc_result_t
+check_syntax(cfg_obj_t *fmap, const void *cfg, isc_mem_t *mctx, isc_log_t *lctx,
+	     void *actx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	const cfg_obj_t *aclobj = NULL;
+	dns_acl_t *acl = NULL;
+	filter_aaaa_t f4 = NONE, f6 = NONE;
+
+	cfg_map_get(fmap, "filter-aaaa", &aclobj);
+	if (aclobj == NULL) {
+		return (result);
+	}
+
+	CHECK(cfg_acl_fromconfig(aclobj, (const cfg_obj_t *)cfg, lctx,
+				 (cfg_aclconfctx_t *)actx, mctx, 0, &acl));
+
+	CHECK(parse_filter_aaaa_on(fmap, "filter-aaaa-on-v4", &f4));
+	CHECK(parse_filter_aaaa_on(fmap, "filter-aaaa-on-v6", &f6));
+
+	if ((f4 != NONE || f6 != NONE) && dns_acl_isnone(acl)) {
+		cfg_obj_log(aclobj, lctx, ISC_LOG_WARNING,
+			    "\"filter-aaaa\" is 'none;' but "
+			    "either filter-aaaa-on-v4 or filter-aaaa-on-v6 "
+			    "is enabled");
+		result = ISC_R_FAILURE;
+	} else if (f4 == NONE && f6 == NONE && !dns_acl_isnone(acl)) {
+		cfg_obj_log(aclobj, lctx, ISC_LOG_WARNING,
+			    "\"filter-aaaa\" is set but "
+			    "neither filter-aaaa-on-v4 or filter-aaaa-on-v6 "
+			    "is enabled");
+		result = ISC_R_FAILURE;
+	}
+
+cleanup:
+	if (acl != NULL) {
+		dns_acl_detach(&acl);
+	}
+
+	return (result);
+}
+
+static isc_result_t
+parse_parameters(filter_instance_t *inst, const char *parameters,
+		 const void *cfg, const char *cfg_file, unsigned long cfg_line,
+		 isc_mem_t *mctx, isc_log_t *lctx, void *actx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	cfg_parser_t *parser = NULL;
+	cfg_obj_t *param_obj = NULL;
+	const cfg_obj_t *obj = NULL;
+	isc_buffer_t b;
+
+	CHECK(cfg_parser_create(mctx, lctx, &parser));
+
+	isc_buffer_constinit(&b, parameters, strlen(parameters));
+	isc_buffer_add(&b, strlen(parameters));
+	CHECK(cfg_parse_buffer(parser, &b, cfg_file, cfg_line,
+			       &cfg_type_parameters, 0, &param_obj));
+
+	CHECK(check_syntax(param_obj, cfg, mctx, lctx, actx));
+
+	CHECK(parse_filter_aaaa_on(param_obj, "filter-aaaa-on-v4",
+				   &inst->v4_aaaa));
+	CHECK(parse_filter_aaaa_on(param_obj, "filter-aaaa-on-v6",
+				   &inst->v6_aaaa));
+
+	result = cfg_map_get(param_obj, "filter-aaaa", &obj);
+	if (result == ISC_R_SUCCESS) {
+		CHECK(cfg_acl_fromconfig(obj, (const cfg_obj_t *)cfg, lctx,
+					 (cfg_aclconfctx_t *)actx, mctx, 0,
+					 &inst->aaaa_acl));
+	} else {
+		CHECK(dns_acl_any(mctx, &inst->aaaa_acl));
+	}
+
+cleanup:
+	if (param_obj != NULL) {
+		cfg_obj_destroy(parser, &param_obj);
+	}
+	if (parser != NULL) {
+		cfg_parser_destroy(&parser);
+	}
+	return (result);
+}
+
+/**
+** Mandatory plugin API functions:
+**
+** - plugin_destroy
+** - plugin_register
+** - plugin_version
+** - plugin_check
+**/
+
+/*
+ * Called by ns_plugin_register() to initialize the plugin and
+ * register hook functions into the view hook table.
+ */
+isc_result_t
+plugin_register(const char *parameters, const void *cfg, const char *cfg_file,
+		unsigned long cfg_line, isc_mem_t *mctx, isc_log_t *lctx,
+		void *actx, ns_hooktable_t *hooktable, void **instp) {
+	filter_instance_t *inst = NULL;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	isc_log_write(lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_HOOKS,
+		      ISC_LOG_INFO,
+		      "registering 'filter-aaaa' "
+		      "module from %s:%lu, %s parameters",
+		      cfg_file, cfg_line, parameters != NULL ? "with" : "no");
+
+	inst = isc_mem_get(mctx, sizeof(*inst));
+	memset(inst, 0, sizeof(*inst));
+	isc_mem_attach(mctx, &inst->mctx);
+
+	if (parameters != NULL) {
+		CHECK(parse_parameters(inst, parameters, cfg, cfg_file,
+				       cfg_line, mctx, lctx, actx));
+	}
+
+	isc_ht_init(&inst->ht, mctx, 16);
+	isc_mutex_init(&inst->hlock);
+
+	/*
+	 * Set hook points in the view's hooktable.
+	 */
+	install_hooks(hooktable, mctx, inst);
+
+	*instp = inst;
+
+cleanup:
+	if (result != ISC_R_SUCCESS && inst != NULL) {
+		plugin_destroy((void **)&inst);
+	}
+
+	return (result);
+}
+
+isc_result_t
+plugin_check(const char *parameters, const void *cfg, const char *cfg_file,
+	     unsigned long cfg_line, isc_mem_t *mctx, isc_log_t *lctx,
+	     void *actx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	cfg_parser_t *parser = NULL;
+	cfg_obj_t *param_obj = NULL;
+	isc_buffer_t b;
+
+	CHECK(cfg_parser_create(mctx, lctx, &parser));
+
+	isc_buffer_constinit(&b, parameters, strlen(parameters));
+	isc_buffer_add(&b, strlen(parameters));
+	CHECK(cfg_parse_buffer(parser, &b, cfg_file, cfg_line,
+			       &cfg_type_parameters, 0, &param_obj));
+
+	CHECK(check_syntax(param_obj, cfg, mctx, lctx, actx));
+
+cleanup:
+	if (param_obj != NULL) {
+		cfg_obj_destroy(parser, &param_obj);
+	}
+	if (parser != NULL) {
+		cfg_parser_destroy(&parser);
+	}
+	return (result);
+}
+
+/*
+ * Called by ns_plugins_free(); frees memory allocated by
+ * the module when it was registered.
+ */
+void
+plugin_destroy(void **instp) {
+	filter_instance_t *inst = (filter_instance_t *)*instp;
+
+	if (inst->ht != NULL) {
+		isc_ht_destroy(&inst->ht);
+		isc_mutex_destroy(&inst->hlock);
+	}
+	if (inst->aaaa_acl != NULL) {
+		dns_acl_detach(&inst->aaaa_acl);
+	}
+
+	isc_mem_putanddetach(&inst->mctx, inst, sizeof(*inst));
+	*instp = NULL;
+
+	return;
+}
+
+/*
+ * Returns plugin API version for compatibility checks.
+ */
+int
+plugin_version(void) {
+	return (NS_PLUGIN_VERSION);
+}
+
+/**
+** "filter-aaaa" feature implementation begins here.
+**/
+
+/*%
+ * Structure describing the filtering to be applied by process_section().
+ */
+typedef struct section_filter {
+	query_ctx_t *qctx;
+	filter_aaaa_t mode;
+	dns_section_t section;
+	const dns_name_t *name;
+	dns_rdatatype_t type;
+	bool only_if_a_exists;
+} section_filter_t;
+
+/*
+ * Check whether this is an IPv4 client.
+ */
+static bool
+is_v4_client(ns_client_t *client) {
+	if (isc_sockaddr_pf(&client->peeraddr) == AF_INET) {
+		return (true);
+	}
+	if (isc_sockaddr_pf(&client->peeraddr) == AF_INET6 &&
+	    IN6_IS_ADDR_V4MAPPED(&client->peeraddr.type.sin6.sin6_addr))
+	{
+		return (true);
+	}
+	return (false);
+}
+
+/*
+ * Check whether this is an IPv6 client.
+ */
+static bool
+is_v6_client(ns_client_t *client) {
+	if (isc_sockaddr_pf(&client->peeraddr) == AF_INET6 &&
+	    !IN6_IS_ADDR_V4MAPPED(&client->peeraddr.type.sin6.sin6_addr))
+	{
+		return (true);
+	}
+	return (false);
+}
+
+static filter_data_t *
+client_state_get(const query_ctx_t *qctx, filter_instance_t *inst) {
+	filter_data_t *client_state = NULL;
+	isc_result_t result;
+
+	LOCK(&inst->hlock);
+	result = isc_ht_find(inst->ht, (const unsigned char *)&qctx->client,
+			     sizeof(qctx->client), (void **)&client_state);
+	UNLOCK(&inst->hlock);
+
+	return (result == ISC_R_SUCCESS ? client_state : NULL);
+}
+
+static void
+client_state_create(const query_ctx_t *qctx, filter_instance_t *inst) {
+	filter_data_t *client_state;
+	isc_result_t result;
+
+	client_state = isc_mem_get(inst->mctx, sizeof(*client_state));
+
+	client_state->mode = NONE;
+	client_state->flags = 0;
+
+	LOCK(&inst->hlock);
+	result = isc_ht_add(inst->ht, (const unsigned char *)&qctx->client,
+			    sizeof(qctx->client), client_state);
+	UNLOCK(&inst->hlock);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+}
+
+static void
+client_state_destroy(const query_ctx_t *qctx, filter_instance_t *inst) {
+	filter_data_t *client_state = client_state_get(qctx, inst);
+	isc_result_t result;
+
+	if (client_state == NULL) {
+		return;
+	}
+
+	LOCK(&inst->hlock);
+	result = isc_ht_delete(inst->ht, (const unsigned char *)&qctx->client,
+			       sizeof(qctx->client));
+	UNLOCK(&inst->hlock);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	isc_mem_put(inst->mctx, client_state, sizeof(*client_state));
+}
+
+/*%
+ * Mark 'rdataset' and 'sigrdataset' as rendered, gracefully handling NULL
+ * pointers and non-associated rdatasets.
+ */
+static void
+mark_as_rendered(dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) {
+	if (rdataset != NULL && dns_rdataset_isassociated(rdataset)) {
+		rdataset->attributes |= DNS_RDATASETATTR_RENDERED;
+	}
+	if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset)) {
+		sigrdataset->attributes |= DNS_RDATASETATTR_RENDERED;
+	}
+}
+
+/*%
+ * Check whether an RRset of given 'type' is present at given 'name'.  If
+ * it is found and either it is not signed or the combination of query
+ * flags and configured processing 'mode' allows it, mark the RRset and its
+ * associated signatures as already rendered to prevent them from appearing
+ * in the response message stored in 'qctx'.  If 'only_if_a_exists' is
+ * true, an RRset of type A must also exist at 'name' in order for the
+ * above processing to happen.
+ */
+static bool
+process_name(query_ctx_t *qctx, filter_aaaa_t mode, const dns_name_t *name,
+	     dns_rdatatype_t type, bool only_if_a_exists) {
+	dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
+	isc_result_t result;
+	bool modified = false;
+
+	if (only_if_a_exists) {
+		CHECK(dns_message_findtype(name, dns_rdatatype_a, 0, NULL));
+	}
+
+	(void)dns_message_findtype(name, type, 0, &rdataset);
+	(void)dns_message_findtype(name, dns_rdatatype_rrsig, type,
+				   &sigrdataset);
+
+	if (rdataset != NULL &&
+	    (sigrdataset == NULL || !WANTDNSSEC(qctx->client) ||
+	     mode == BREAK_DNSSEC))
+	{
+		/*
+		 * An RRset of given 'type' was found at 'name' and at least
+		 * one of the following is true:
+		 *
+		 *   - the RRset is not signed,
+		 *   - the client did not set the DO bit in its request,
+		 *   - configuration allows us to tamper with signed responses.
+		 *
+		 * This means it is okay to filter out this RRset and its
+		 * signatures, if any, from the response.
+		 */
+		mark_as_rendered(rdataset, sigrdataset);
+		modified = true;
+	}
+
+cleanup:
+	return (modified);
+}
+
+/*%
+ * Apply the requested section filter, i.e. prevent (when possible, as
+ * determined by process_name()) RRsets of given 'type' from being rendered
+ * in the given 'section' of the response message stored in 'qctx'.  Clear
+ * the AD bit if the answer and/or authority section was modified.  If
+ * 'name' is NULL, all names in the given 'section' are processed;
+ * otherwise, only 'name' is.  'only_if_a_exists' is passed through to
+ * process_name().
+ */
+static void
+process_section(const section_filter_t *filter) {
+	query_ctx_t *qctx = filter->qctx;
+	filter_aaaa_t mode = filter->mode;
+	dns_section_t section = filter->section;
+	const dns_name_t *name = filter->name;
+	dns_rdatatype_t type = filter->type;
+	bool only_if_a_exists = filter->only_if_a_exists;
+
+	dns_message_t *message = qctx->client->message;
+	isc_result_t result;
+
+	for (result = dns_message_firstname(message, section);
+	     result == ISC_R_SUCCESS;
+	     result = dns_message_nextname(message, section))
+	{
+		dns_name_t *cur = NULL;
+		dns_message_currentname(message, section, &cur);
+		if (name != NULL && !dns_name_equal(name, cur)) {
+			/*
+			 * We only want to process 'name' and this is not it.
+			 */
+			continue;
+		}
+
+		if (!process_name(qctx, mode, cur, type, only_if_a_exists)) {
+			/*
+			 * Response was not modified, do not touch the AD bit.
+			 */
+			continue;
+		}
+
+		if (section == DNS_SECTION_ANSWER ||
+		    section == DNS_SECTION_AUTHORITY)
+		{
+			message->flags &= ~DNS_MESSAGEFLAG_AD;
+		}
+	}
+}
+
+/*
+ * Initialize filter state, fetching it from a memory pool and storing it
+ * in a hash table keyed according to the client object; this enables us to
+ * retrieve persistent data related to a client query for as long as the
+ * object persists.
+ */
+static ns_hookresult_t
+filter_qctx_initialize(void *arg, void *cbdata, isc_result_t *resp) {
+	query_ctx_t *qctx = (query_ctx_t *)arg;
+	filter_instance_t *inst = (filter_instance_t *)cbdata;
+	filter_data_t *client_state;
+
+	*resp = ISC_R_UNSET;
+
+	client_state = client_state_get(qctx, inst);
+	if (client_state == NULL) {
+		client_state_create(qctx, inst);
+	}
+
+	return (NS_HOOK_CONTINUE);
+}
+
+/*
+ * Determine whether this client should have AAAA filtered or not, based on
+ * the client address family and the settings of filter-aaaa-on-v4 and
+ * filter-aaaa-on-v6.
+ */
+static ns_hookresult_t
+filter_prep_response_begin(void *arg, void *cbdata, isc_result_t *resp) {
+	query_ctx_t *qctx = (query_ctx_t *)arg;
+	filter_instance_t *inst = (filter_instance_t *)cbdata;
+	filter_data_t *client_state = client_state_get(qctx, inst);
+	isc_result_t result;
+
+	*resp = ISC_R_UNSET;
+
+	if (client_state == NULL) {
+		return (NS_HOOK_CONTINUE);
+	}
+
+	if (inst->v4_aaaa != NONE || inst->v6_aaaa != NONE) {
+		result = ns_client_checkaclsilent(qctx->client, NULL,
+						  inst->aaaa_acl, true);
+		if (result == ISC_R_SUCCESS && inst->v4_aaaa != NONE &&
+		    is_v4_client(qctx->client))
+		{
+			client_state->mode = inst->v4_aaaa;
+		} else if (result == ISC_R_SUCCESS && inst->v6_aaaa != NONE &&
+			   is_v6_client(qctx->client))
+		{
+			client_state->mode = inst->v6_aaaa;
+		}
+	}
+
+	return (NS_HOOK_CONTINUE);
+}
+
+/*
+ * Hide AAAA rrsets if there is a matching A. Trigger recursion if
+ * necessary to find out whether an A exists.
+ *
+ * (This version is for processing answers to explicit AAAA queries; ANY
+ * queries are handled in filter_respond_any_found().)
+ */
+static ns_hookresult_t
+filter_respond_begin(void *arg, void *cbdata, isc_result_t *resp) {
+	query_ctx_t *qctx = (query_ctx_t *)arg;
+	filter_instance_t *inst = (filter_instance_t *)cbdata;
+	filter_data_t *client_state = client_state_get(qctx, inst);
+	isc_result_t result = ISC_R_UNSET;
+
+	*resp = ISC_R_UNSET;
+
+	if (client_state == NULL) {
+		return (NS_HOOK_CONTINUE);
+	}
+
+	if (client_state->mode != BREAK_DNSSEC &&
+	    (client_state->mode != FILTER ||
+	     (WANTDNSSEC(qctx->client) && qctx->sigrdataset != NULL &&
+	      dns_rdataset_isassociated(qctx->sigrdataset))))
+	{
+		return (NS_HOOK_CONTINUE);
+	}
+
+	if (qctx->qtype == dns_rdatatype_aaaa) {
+		dns_rdataset_t *trdataset;
+		trdataset = ns_client_newrdataset(qctx->client);
+		result = dns_db_findrdataset(
+			qctx->db, qctx->node, qctx->version, dns_rdatatype_a, 0,
+			qctx->client->now, trdataset, NULL);
+		if (dns_rdataset_isassociated(trdataset)) {
+			dns_rdataset_disassociate(trdataset);
+		}
+		ns_client_putrdataset(qctx->client, &trdataset);
+
+		/*
+		 * We found an AAAA. If we also found an A, then the AAAA
+		 * must not be rendered.
+		 *
+		 * If the A is not in our cache, then any result other than
+		 * DNS_R_DELEGATION or ISC_R_NOTFOUND means there is no A,
+		 * and so AAAAs are okay.
+		 *
+		 * We assume there is no A if we can't recurse for this
+		 * client. That might be the wrong answer, but what else
+		 * can we do?  Besides, the fact that we have the AAAA and
+		 * are using this mechanism in the first place suggests
+		 * that we care more about As than AAAAs, and would have
+		 * cached an A if it existed.
+		 */
+		if (result == ISC_R_SUCCESS) {
+			mark_as_rendered(qctx->rdataset, qctx->sigrdataset);
+			qctx->client->message->flags &= ~DNS_MESSAGEFLAG_AD;
+			client_state->flags |= FILTER_AAAA_FILTERED;
+		} else if (!qctx->authoritative && RECURSIONOK(qctx->client) &&
+			   (result == DNS_R_DELEGATION ||
+			    result == ISC_R_NOTFOUND))
+		{
+			/*
+			 * This is an ugly kludge to recurse
+			 * for the A and discard the result.
+			 *
+			 * Continue to add the AAAA now.
+			 * We'll make a note to not render it
+			 * if the recursion for the A succeeds.
+			 */
+			result = ns_query_recurse(qctx->client, dns_rdatatype_a,
+						  qctx->client->query.qname,
+						  NULL, NULL, qctx->resuming);
+			if (result == ISC_R_SUCCESS) {
+				client_state->flags |= FILTER_AAAA_RECURSING;
+				qctx->client->query.attributes |=
+					NS_QUERYATTR_RECURSING;
+			}
+		}
+	} else if (qctx->qtype == dns_rdatatype_a &&
+		   (client_state->flags & FILTER_AAAA_RECURSING) != 0)
+	{
+		const section_filter_t filter_answer = {
+			.qctx = qctx,
+			.mode = client_state->mode,
+			.section = DNS_SECTION_ANSWER,
+			.name = qctx->fname,
+			.type = dns_rdatatype_aaaa,
+		};
+		process_section(&filter_answer);
+
+		client_state->flags &= ~FILTER_AAAA_RECURSING;
+
+		result = ns_query_done(qctx);
+
+		*resp = result;
+
+		return (NS_HOOK_RETURN);
+	}
+
+	*resp = result;
+	return (NS_HOOK_CONTINUE);
+}
+
+/*
+ * When answering an ANY query, remove AAAA if A is present.
+ */
+static ns_hookresult_t
+filter_respond_any_found(void *arg, void *cbdata, isc_result_t *resp) {
+	query_ctx_t *qctx = (query_ctx_t *)arg;
+	filter_instance_t *inst = (filter_instance_t *)cbdata;
+	filter_data_t *client_state = client_state_get(qctx, inst);
+
+	*resp = ISC_R_UNSET;
+
+	if (client_state != NULL && client_state->mode != NONE) {
+		/*
+		 * If we are authoritative, require an A record to be
+		 * present before filtering out AAAA records; otherwise,
+		 * just assume an A record exists even if it was not in the
+		 * cache (and therefore is not in the response message),
+		 * thus proceeding with filtering out AAAA records.
+		 */
+		const section_filter_t filter_answer = {
+			.qctx = qctx,
+			.mode = client_state->mode,
+			.section = DNS_SECTION_ANSWER,
+			.name = qctx->tname,
+			.type = dns_rdatatype_aaaa,
+			.only_if_a_exists = qctx->authoritative,
+		};
+		process_section(&filter_answer);
+	}
+
+	return (NS_HOOK_CONTINUE);
+}
+
+/*
+ * Hide AAAA rrsets in the additional section if there is a matching A, and
+ * hide NS in the authority section if AAAA was filtered in the answer
+ * section.
+ */
+static ns_hookresult_t
+filter_query_done_send(void *arg, void *cbdata, isc_result_t *resp) {
+	query_ctx_t *qctx = (query_ctx_t *)arg;
+	filter_instance_t *inst = (filter_instance_t *)cbdata;
+	filter_data_t *client_state = client_state_get(qctx, inst);
+
+	*resp = ISC_R_UNSET;
+
+	if (client_state != NULL && client_state->mode != NONE) {
+		const section_filter_t filter_additional = {
+			.qctx = qctx,
+			.mode = client_state->mode,
+			.section = DNS_SECTION_ADDITIONAL,
+			.type = dns_rdatatype_aaaa,
+			.only_if_a_exists = true,
+		};
+		process_section(&filter_additional);
+
+		if ((client_state->flags & FILTER_AAAA_FILTERED) != 0) {
+			const section_filter_t filter_authority = {
+				.qctx = qctx,
+				.mode = client_state->mode,
+				.section = DNS_SECTION_AUTHORITY,
+				.type = dns_rdatatype_ns,
+			};
+			process_section(&filter_authority);
+		}
+	}
+
+	return (NS_HOOK_CONTINUE);
+}
+
+/*
+ * If the client is being detached, then we can delete our persistent data
+ * from hash table and return it to the memory pool.
+ */
+static ns_hookresult_t
+filter_qctx_destroy(void *arg, void *cbdata, isc_result_t *resp) {
+	query_ctx_t *qctx = (query_ctx_t *)arg;
+	filter_instance_t *inst = (filter_instance_t *)cbdata;
+
+	*resp = ISC_R_UNSET;
+
+	if (!qctx->detach_client) {
+		return (NS_HOOK_CONTINUE);
+	}
+
+	client_state_destroy(qctx, inst);
+
+	return (NS_HOOK_CONTINUE);
+}
diff --git a/bin/plugins/filter-aaaa.rst b/bin/plugins/filter-aaaa.rst
new file mode 100644
index 0000000..1696101
--- /dev/null
+++ b/bin/plugins/filter-aaaa.rst
@@ -0,0 +1,89 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. highlight: console
+
+.. _man_filter-aaaa:
+
+filter-aaaa.so - filter AAAA in DNS responses when A is present
+---------------------------------------------------------------
+
+Synopsis
+~~~~~~~~
+
+:program:`plugin query` "filter-aaaa.so" [{ parameters }];
+
+Description
+~~~~~~~~~~~
+
+``filter-aaaa.so`` is a query plugin module for ``named``, enabling
+``named`` to omit some IPv6 addresses when responding to clients.
+
+Until BIND 9.12, this feature was implemented natively in ``named`` and
+enabled with the ``filter-aaaa`` ACL and the ``filter-aaaa-on-v4`` and
+``filter-aaaa-on-v6`` options. These options are now deprecated in
+``named.conf`` but can be passed as parameters to the
+``filter-aaaa.so`` plugin, for example:
+
+::
+
+   plugin query "/usr/local/lib/filter-aaaa.so" {
+           filter-aaaa-on-v4 yes;
+           filter-aaaa-on-v6 yes;
+           filter-aaaa { 192.0.2.1; 2001:db8:2::1; };
+   };
+
+This module is intended to aid transition from IPv4 to IPv6 by
+withholding IPv6 addresses from DNS clients which are not connected to
+the IPv6 Internet, when the name being looked up has an IPv4 address
+available. Use of this module is not recommended unless absolutely
+necessary.
+
+Note: This mechanism can erroneously cause other servers not to give
+AAAA records to their clients. If a recursing server with both IPv6 and
+IPv4 network connections queries an authoritative server using this
+mechanism via IPv4, it is denied AAAA records even if its client is
+using IPv6.
+
+Options
+~~~~~~~
+
+``filter-aaaa``
+   This option specifies a list of client addresses for which AAAA filtering is to
+   be applied. The default is ``any``.
+
+``filter-aaaa-on-v4``
+   If set to ``yes``, this option indicates that the DNS client is at an IPv4 address, in
+   ``filter-aaaa``. If the response does not include DNSSEC
+   signatures, then all AAAA records are deleted from the response. This
+   filtering applies to all responses, not only authoritative
+   ones.
+
+   If set to ``break-dnssec``, then AAAA records are deleted even when
+   DNSSEC is enabled. As suggested by the name, this causes the response
+   to fail to verify, because the DNSSEC protocol is designed to detect
+   deletions.
+
+   This mechanism can erroneously cause other servers not to give AAAA
+   records to their clients. If a recursing server with both IPv6 and IPv4
+   network connections queries an authoritative server using this
+   mechanism via IPv4, it is denied AAAA records even if its client is
+   using IPv6.
+
+``filter-aaaa-on-v6``
+   This option is identical to ``filter-aaaa-on-v4``, except that it filters AAAA responses
+   to queries from IPv6 clients instead of IPv4 clients. To filter all
+   responses, set both options to ``yes``.
+
+See Also
+~~~~~~~~
+
+BIND 9 Administrator Reference Manual.
diff --git a/bin/python/Makefile.in b/bin/python/Makefile.in
new file mode 100644
index 0000000..dc1af40
--- /dev/null
+++ b/bin/python/Makefile.in
@@ -0,0 +1,66 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+@BIND9_MAKE_INCLUDES@
+
+PYTHON	=	@PYTHON@
+
+SUBDIRS	=	isc
+
+TARGETS =	dnssec-checkds dnssec-coverage dnssec-keymgr
+PYSRCS =	dnssec-checkds.py dnssec-coverage.py dnssec-keymgr.py
+
+@BIND9_MAKE_RULES@
+
+dnssec-checkds: dnssec-checkds.py
+	cp -f dnssec-checkds.py dnssec-checkds
+	chmod +x dnssec-checkds
+
+dnssec-coverage: dnssec-coverage.py
+	cp -f dnssec-coverage.py dnssec-coverage
+	chmod +x dnssec-coverage
+
+dnssec-keymgr: dnssec-keymgr.py
+	cp -f dnssec-keymgr.py dnssec-keymgr
+	chmod +x dnssec-keymgr
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
+
+install:: ${TARGETS} installdirs
+	${INSTALL_SCRIPT} dnssec-checkds ${DESTDIR}${sbindir}
+	${INSTALL_SCRIPT} dnssec-coverage ${DESTDIR}${sbindir}
+	${INSTALL_SCRIPT} dnssec-keymgr ${DESTDIR}${sbindir}
+	if test -n "${PYTHON}" ; then \
+		if test -n "${DESTDIR}" ; then \
+			${PYTHON} ${srcdir}/setup.py install --root=${DESTDIR} --prefix=${prefix} @PYTHON_INSTALL_LIB@ ; \
+		else \
+			${PYTHON} ${srcdir}/setup.py install --prefix=${prefix} @PYTHON_INSTALL_LIB@ ; \
+		fi ; \
+		rm -rf build ; \
+	fi
+
+uninstall::
+	rm -f ${DESTDIR}${sbindir}/dnssec-keymgr
+	rm -f ${DESTDIR}${sbindir}/dnssec-coverage
+	rm -f ${DESTDIR}${sbindir}/dnssec-checkds
+	# only manually uninstall for the python package itself
+
+clean distclean::
+	rm -f ${TARGETS}
+	rm -rf build
+
+distclean::
+	rm -f dnssec-checkds.py dnssec-coverage.py dnssec-keymgr.py
diff --git a/bin/python/dnssec-checkds.py.in b/bin/python/dnssec-checkds.py.in
new file mode 100644
index 0000000..3ec15e2
--- /dev/null
+++ b/bin/python/dnssec-checkds.py.in
@@ -0,0 +1,32 @@
+#!@PYTHON@
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import os
+import sys
+
+sys.path.insert(0, os.path.dirname(sys.argv[0]))
+if os.name != "nt":
+    if "@PYTHON_INSTALL_DIR@":  # value of --with-python-install-dir
+        sys.path.insert(1, "@PYTHON_INSTALL_DIR@")
+    else:
+        sys.path.insert(
+            1,
+            os.path.join(
+                "@prefix@", "lib", "python" + sys.version[:3], "site-packages"
+            ),
+        )
+
+import isc.checkds
+
+if __name__ == "__main__":
+    isc.checkds.main()
diff --git a/bin/python/dnssec-checkds.rst b/bin/python/dnssec-checkds.rst
new file mode 100644
index 0000000..aa239fa
--- /dev/null
+++ b/bin/python/dnssec-checkds.rst
@@ -0,0 +1,68 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. highlight: console
+
+.. _man_dnssec-checkds:
+
+dnssec-checkds - DNSSEC delegation consistency checking tool
+------------------------------------------------------------
+
+Synopsis
+~~~~~~~~
+
+``dnssec-checkds`` [**-d**\ *dig path*] [**-D**\ *dsfromkey path*]
+[**-f**\ *file*] [**-l**\ *domain*] [**-s**\ *file*] {zone}
+
+Description
+~~~~~~~~~~~
+
+``dnssec-checkds`` verifies the correctness of Delegation Signer (DS)
+resource records for keys in a specified zone.
+
+Options
+~~~~~~~
+
+**-a** *algorithm*
+
+   Specify a digest algorithm to use when converting the zones DNSKEY
+   records to expected DS records. This option can be repeated, so that
+   multiple records are checked for each DNSKEY record.
+
+   The *algorithm* must be one of SHA-1, SHA-256, or SHA-384. These
+   values are case insensitive, and the hyphen may be omitted. If no
+   algorithm is specified, the default is SHA-256.
+
+**-f** *file*
+
+   If a ``file`` is specified, then the zone is read from that file to
+   find the DNSKEY records. If not, then the DNSKEY records for the zone
+   are looked up in the DNS.
+
+**-s** *file*
+
+   Specifies a prepared dsset file, such as would be generated by
+   ``dnssec-signzone``, to use as a source for the DS RRset instead of
+   querying the parent.
+
+**-d** *dig path*
+
+   Specifies a path to a ``dig`` binary. Used for testing.
+
+**-D** *dsfromkey path*
+
+   Specifies a path to a ``dnssec-dsfromkey`` binary. Used for testing.
+
+See Also
+~~~~~~~~
+
+``dnssec-dsfromkey``\ (8), ``dnssec-keygen``\ (8),
+``dnssec-signzone``\ (8),
diff --git a/bin/python/dnssec-coverage.py.in b/bin/python/dnssec-coverage.py.in
new file mode 100644
index 0000000..a82dfe3
--- /dev/null
+++ b/bin/python/dnssec-coverage.py.in
@@ -0,0 +1,32 @@
+#!@PYTHON@
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import os
+import sys
+
+sys.path.insert(0, os.path.dirname(sys.argv[0]))
+if os.name != "nt":
+    if "@PYTHON_INSTALL_DIR@":  # value of --with-python-install-dir
+        sys.path.insert(1, "@PYTHON_INSTALL_DIR@")
+    else:
+        sys.path.insert(
+            1,
+            os.path.join(
+                "@prefix@", "lib", "python" + sys.version[:3], "site-packages"
+            ),
+        )
+
+import isc.coverage
+
+if __name__ == "__main__":
+    isc.coverage.main()
diff --git a/bin/python/dnssec-coverage.rst b/bin/python/dnssec-coverage.rst
new file mode 100644
index 0000000..e2658cb
--- /dev/null
+++ b/bin/python/dnssec-coverage.rst
@@ -0,0 +1,152 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. highlight: console
+
+.. _man_dnssec-coverage:
+
+dnssec-coverage - checks future DNSKEY coverage for a zone
+----------------------------------------------------------
+
+Synopsis
+~~~~~~~~
+
+``dnssec-coverage`` [**-K**\ *directory*] [**-l**\ *length*]
+[**-f**\ *file*] [**-d**\ *DNSKEY TTL*] [**-m**\ *max TTL*]
+[**-r**\ *interval*] [**-c**\ *compilezone path*] [**-k**] [**-z**]
+[zone...]
+
+Description
+~~~~~~~~~~~
+
+``dnssec-coverage`` verifies that the DNSSEC keys for a given zone or a
+set of zones have timing metadata set properly to ensure no future
+lapses in DNSSEC coverage.
+
+If ``zone`` is specified, then keys found in the key repository matching
+that zone are scanned, and an ordered list is generated of the events
+scheduled for that key (i.e., publication, activation, inactivation,
+deletion). The list of events is walked in order of occurrence. Warnings
+are generated if any event is scheduled which could cause the zone to
+enter a state in which validation failures might occur: for example, if
+the number of published or active keys for a given algorithm drops to
+zero, or if a key is deleted from the zone too soon after a new key is
+rolled, and cached data signed by the prior key has not had time to
+expire from resolver caches.
+
+If ``zone`` is not specified, then all keys in the key repository will
+be scanned, and all zones for which there are keys will be analyzed.
+(Note: This method of reporting is only accurate if all the zones that
+have keys in a given repository share the same TTL parameters.)
+
+Options
+~~~~~~~
+
+**-K** *directory*
+
+   Sets the directory in which keys can be found. Defaults to the
+   current working directory.
+
+**-f** *file*
+
+   If a ``file`` is specified, then the zone is read from that file; the
+   largest TTL and the DNSKEY TTL are determined directly from the zone
+   data, and the ``-m`` and ``-d`` options do not need to be specified
+   on the command line.
+
+**-l** *duration*
+
+   The length of time to check for DNSSEC coverage. Key events scheduled
+   further into the future than ``duration`` will be ignored, and
+   assumed to be correct.
+
+   The value of ``duration`` can be set in seconds, or in larger units
+   of time by adding a suffix: mi for minutes, h for hours, d for days,
+   w for weeks, mo for months, y for years.
+
+**-m** *maximum TTL*
+
+   Sets the value to be used as the maximum TTL for the zone or zones
+   being analyzed when determining whether there is a possibility of
+   validation failure. When a zone-signing key is deactivated, there
+   must be enough time for the record in the zone with the longest TTL
+   to have expired from resolver caches before that key can be purged
+   from the DNSKEY RRset. If that condition does not apply, a warning
+   will be generated.
+
+   The length of the TTL can be set in seconds, or in larger units of
+   time by adding a suffix: mi for minutes, h for hours, d for days, w
+   for weeks, mo for months, y for years.
+
+   This option is not necessary if the ``-f`` has been used to specify a
+   zone file. If ``-f`` has been specified, this option may still be
+   used; it will override the value found in the file.
+
+   If this option is not used and the maximum TTL cannot be retrieved
+   from a zone file, a warning is generated and a default value of 1
+   week is used.
+
+**-d** *DNSKEY TTL*
+
+   Sets the value to be used as the DNSKEY TTL for the zone or zones
+   being analyzed when determining whether there is a possibility of
+   validation failure. When a key is rolled (that is, replaced with a
+   new key), there must be enough time for the old DNSKEY RRset to have
+   expired from resolver caches before the new key is activated and
+   begins generating signatures. If that condition does not apply, a
+   warning will be generated.
+
+   The length of the TTL can be set in seconds, or in larger units of
+   time by adding a suffix: mi for minutes, h for hours, d for days, w
+   for weeks, mo for months, y for years.
+
+   This option is not necessary if ``-f`` has been used to specify a
+   zone file from which the TTL of the DNSKEY RRset can be read, or if a
+   default key TTL was set using ith the ``-L`` to ``dnssec-keygen``. If
+   either of those is true, this option may still be used; it will
+   override the values found in the zone file or the key file.
+
+   If this option is not used and the key TTL cannot be retrieved from
+   the zone file or the key file, then a warning is generated and a
+   default value of 1 day is used.
+
+**-r** *resign interval*
+
+   Sets the value to be used as the resign interval for the zone or
+   zones being analyzed when determining whether there is a possibility
+   of validation failure. This value defaults to 22.5 days, which is
+   also the default in ``named``. However, if it has been changed by the
+   ``sig-validity-interval`` option in named.conf, then it should also
+   be changed here.
+
+   The length of the interval can be set in seconds, or in larger units
+   of time by adding a suffix: mi for minutes, h for hours, d for days,
+   w for weeks, mo for months, y for years.
+
+**-k**
+
+   Only check KSK coverage; ignore ZSK events. Cannot be used with
+   ``-z``.
+
+**-z**
+
+   Only check ZSK coverage; ignore KSK events. Cannot be used with
+   ``-k``.
+
+**-c** *compilezone path*
+
+   Specifies a path to a ``named-compilezone`` binary. Used for testing.
+
+See Also
+~~~~~~~~
+
+``dnssec-checkds``\ (8), ``dnssec-dsfromkey``\ (8),
+``dnssec-keygen``\ (8), ``dnssec-signzone``\ (8)
diff --git a/bin/python/dnssec-keymgr.py.in b/bin/python/dnssec-keymgr.py.in
new file mode 100644
index 0000000..f8ee013
--- /dev/null
+++ b/bin/python/dnssec-keymgr.py.in
@@ -0,0 +1,32 @@
+#!@PYTHON@
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import os
+import sys
+
+sys.path.insert(0, os.path.dirname(sys.argv[0]))
+if os.name != "nt":
+    if "@PYTHON_INSTALL_DIR@":  # value of --with-python-install-dir
+        sys.path.insert(1, "@PYTHON_INSTALL_DIR@")
+    else:
+        sys.path.insert(
+            1,
+            os.path.join(
+                "@prefix@", "lib", "python" + sys.version[:3], "site-packages"
+            ),
+        )
+
+import isc.keymgr
+
+if __name__ == "__main__":
+    isc.keymgr.main()
diff --git a/bin/python/dnssec-keymgr.rst b/bin/python/dnssec-keymgr.rst
new file mode 100644
index 0000000..4320541
--- /dev/null
+++ b/bin/python/dnssec-keymgr.rst
@@ -0,0 +1,223 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. highlight: console
+
+.. _man_dnssec-keymgr:
+
+dnssec-keymgr - Ensures correct DNSKEY coverage based on a defined policy
+-------------------------------------------------------------------------
+
+Synopsis
+~~~~~~~~
+
+:program:`dnssec-keymgr` [**-K**\ *directory*] [**-c**\ *file*] [**-f**] [**-k**] [**-q**] [**-v**] [**-z**] [**-g**\ *path*] [**-s**\ *path*] [zone...]
+
+Description
+~~~~~~~~~~~
+
+``dnssec-keymgr`` is a high level Python wrapper to facilitate the key
+rollover process for zones handled by BIND. It uses the BIND commands
+for manipulating DNSSEC key metadata: ``dnssec-keygen`` and
+``dnssec-settime``.
+
+DNSSEC policy can be read from a configuration file (default
+/etc/dnssec-policy.conf), from which the key parameters, publication and
+rollover schedule, and desired coverage duration for any given zone can
+be determined. This file may be used to define individual DNSSEC
+policies on a per-zone basis, or to set a "default" policy used for all
+zones.
+
+When ``dnssec-keymgr`` runs, it examines the DNSSEC keys for one or more
+zones, comparing their timing metadata against the policies for those
+zones. If key settings do not conform to the DNSSEC policy (for example,
+because the policy has been changed), they are automatically corrected.
+
+A zone policy can specify a duration for which we want to ensure the key
+correctness (``coverage``). It can also specify a rollover period
+(``roll-period``). If policy indicates that a key should roll over
+before the coverage period ends, then a successor key will automatically
+be created and added to the end of the key series.
+
+If zones are specified on the command line, ``dnssec-keymgr`` will
+examine only those zones. If a specified zone does not already have keys
+in place, then keys will be generated for it according to policy.
+
+If zones are *not* specified on the command line, then ``dnssec-keymgr``
+will search the key directory (either the current working directory or
+the directory set by the ``-K`` option), and check the keys for all the
+zones represented in the directory.
+
+Key times that are in the past will not be updated unless the ``-f`` is
+used (see below). Key inactivation and deletion times that are less than
+five minutes in the future will be delayed by five minutes.
+
+It is expected that this tool will be run automatically and unattended
+(for example, by ``cron``).
+
+Options
+~~~~~~~
+
+**-c** *file*
+
+   If ``-c`` is specified, then the DNSSEC policy is read from ``file``.
+   (If not specified, then the policy is read from
+   /etc/dnssec-policy.conf; if that file doesnt exist, a built-in global
+   default policy is used.)
+
+**-f**
+
+   Force: allow updating of key events even if they are already in the
+   past. This is not recommended for use with zones in which keys have
+   already been published. However, if a set of keys has been generated
+   all of which have publication and activation dates in the past, but
+   the keys have not been published in a zone as yet, then this option
+   can be used to clean them up and turn them into a proper series of
+   keys with appropriate rollover intervals.
+
+**-g** *keygen-path*
+
+   Specifies a path to a ``dnssec-keygen`` binary. Used for testing. See
+   also the ``-s`` option.
+
+**-h**
+
+   Print the ``dnssec-keymgr`` help summary and exit.
+
+**-K** *directory*
+
+   Sets the directory in which keys can be found. Defaults to the
+   current working directory.
+
+**-k**
+
+   Only apply policies to KSK keys. See also the ``-z`` option.
+
+**-q**
+
+   Quiet: suppress printing of ``dnssec-keygen`` and ``dnssec-settime``.
+
+**-s** *settime-path*
+
+   Specifies a path to a ``dnssec-settime`` binary. Used for testing.
+   See also the ``-g`` option.
+
+**-v**
+
+   Print the ``dnssec-keymgr`` version and exit.
+
+**-z**
+
+   Only apply policies to ZSK keys. See also the ``-k`` option.
+
+Policy Configuration
+~~~~~~~~~~~~~~~~~~~~
+
+The dnssec-policy.conf file can specify three kinds of policies:
+
+   · *Policy classes* (``policy``\ *name*\ ``{ ... };``) can be
+   inherited by zone policies or other policy classes; these can be used
+   to create sets of different security profiles. For example, a policy
+   class ``normal`` might specify 1024-bit key sizes, but a class
+   ``extra`` might specify 2048 bits instead; ``extra`` would be used
+   for zones that had unusually high security needs.
+
+..
+
+   · *Algorithm policies:* (``algorithm-policy``\ *algorithm*\ ``{ ...
+   };`` ) override default per-algorithm settings. For example, by
+   default, RSASHA256 keys use 2048-bit key sizes for both KSK and ZSK.
+   This can be modified using ``algorithm-policy``, and the new key
+   sizes would then be used for any key of type RSASHA256.
+
+   · *Zone policies:* (``zone``\ *name*\ ``{ ... };`` ) set policy for a
+   single zone by name. A zone policy can inherit a policy class by
+   including a ``policy`` option. Zone names beginning with digits
+   (i.e., 0-9) must be quoted. If a zone does not have its own policy
+   then the "default" policy applies.
+
+Options that can be specified in policies:
+
+``algorithm`` *name*;
+
+   The key algorithm. If no policy is defined, the default is RSASHA256.
+
+``coverage`` *duration*;
+
+   The length of time to ensure that keys will be correct; no action
+   will be taken to create new keys to be activated after this time.
+   This can be represented as a number of seconds, or as a duration
+   using human-readable units (examples: "1y" or "6 months"). A default
+   value for this option can be set in algorithm policies as well as in
+   policy classes or zone policies. If no policy is configured, the
+   default is six months.
+
+``directory`` *path*;
+
+   Specifies the directory in which keys should be stored.
+
+``key-size`` *keytype* *size*;
+
+   Specifies the number of bits to use in creating keys. The keytype is
+   either "zsk" or "ksk". A default value for this option can be set in
+   algorithm policies as well as in policy classes or zone policies. If
+   no policy is configured, the default is 2048 bits for RSA keys.
+
+``keyttl`` *duration*;
+
+   The key TTL. If no policy is defined, the default is one hour.
+
+``post-publish`` *keytype* *duration*;
+
+   How long after inactivation a key should be deleted from the zone.
+   Note: If ``roll-period`` is not set, this value is ignored. The
+   keytype is either "zsk" or "ksk". A default duration for this option
+   can be set in algorithm policies as well as in policy classes or zone
+   policies. The default is one month.
+
+``pre-publish`` *keytype* *duration*;
+
+   How long before activation a key should be published. Note: If
+   ``roll-period`` is not set, this value is ignored. The keytype is
+   either "zsk" or "ksk". A default duration for this option can be set
+   in algorithm policies as well as in policy classes or zone policies.
+   The default is one month.
+
+``roll-period`` *keytype* *duration*;
+
+   How frequently keys should be rolled over. The keytype is either
+   "zsk" or "ksk". A default duration for this option can be set in
+   algorithm policies as well as in policy classes or zone policies. If
+   no policy is configured, the default is one year for ZSKs. KSKs do
+   not roll over by default.
+
+``standby`` *keytype* *number*;
+
+   Not yet implemented.
+
+Remaining Work
+~~~~~~~~~~~~~~
+
+   · Enable scheduling of KSK rollovers using the ``-P sync`` and ``-D
+   sync`` options to ``dnssec-keygen`` and ``dnssec-settime``. Check the
+   parent zone (as in ``dnssec-checkds``) to determine when its safe for
+   the key to roll.
+
+..
+
+   · Allow configuration of standby keys and use of the REVOKE bit, for
+   keys that use RFC 5011 semantics.
+
+See Also
+~~~~~~~~
+
+``dnssec-coverage``\ (8), ``dnssec-keygen``\ (8),
+``dnssec-settime``\ (8), ``dnssec-checkds``\ (8)
diff --git a/bin/python/isc/Makefile.in b/bin/python/isc/Makefile.in
new file mode 100644
index 0000000..f175c6c
--- /dev/null
+++ b/bin/python/isc/Makefile.in
@@ -0,0 +1,45 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+@BIND9_MAKE_INCLUDES@
+
+SUBDIRS	=	tests
+
+PYTHON	=	@PYTHON@
+
+PYSRCS =	__init__.py checkds.py coverage.py dnskey.py eventlist.py \
+		keydict.py keyevent.py keymgr.py keyseries.py keyzone.py \
+		policy.py rndc.py utils.py
+
+TARGETS =	parsetab.py
+
+@BIND9_MAKE_RULES@
+
+.SUFFIXES: .py .pyc
+.py.pyc:
+	$(PYTHON) -m compileall .
+
+parsetab.py: policy.py
+	$(PYTHON) policy.py parse /dev/null > /dev/null
+	PYTHONPATH=${srcdir} $(PYTHON) -m parsetab
+
+check test: subdirs
+
+clean distclean::
+	rm -f *.pyc parser.out parsetab.py
+	rm -rf __pycache__ build
+
+distclean::
+	rm -rf ${PYSRCS}
diff --git a/bin/python/isc/__init__.py.in b/bin/python/isc/__init__.py.in
new file mode 100644
index 0000000..405c3d7
--- /dev/null
+++ b/bin/python/isc/__init__.py.in
@@ -0,0 +1,38 @@
+#!/usr/bin/python3
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+__all__ = [
+    "checkds",
+    "coverage",
+    "keymgr",
+    "dnskey",
+    "eventlist",
+    "keydict",
+    "keyevent",
+    "keyseries",
+    "keyzone",
+    "policy",
+    "parsetab",
+    "rndc",
+    "utils",
+]
+
+from isc.dnskey import *
+from isc.eventlist import *
+from isc.keydict import *
+from isc.keyevent import *
+from isc.keyseries import *
+from isc.keyzone import *
+from isc.policy import *
+from isc.rndc import *
+from isc.utils import *
diff --git a/bin/python/isc/checkds.py.in b/bin/python/isc/checkds.py.in
new file mode 100644
index 0000000..f2e6562
--- /dev/null
+++ b/bin/python/isc/checkds.py.in
@@ -0,0 +1,226 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import argparse
+import os
+import sys
+from subprocess import Popen, PIPE
+
+from isc.utils import prefix, version
+
+prog = "dnssec-checkds"
+
+
+############################################################################
+# SECRR class:
+# Class for DS resource record
+############################################################################
+class SECRR:
+    hashalgs = {1: "SHA-1", 2: "SHA-256", 3: "GOST", 4: "SHA-384"}
+    rrname = ""
+    rrclass = "IN"
+    keyid = None
+    keyalg = None
+    hashalg = None
+    digest = ""
+    ttl = 0
+
+    def __init__(self, rrtext):
+        if not rrtext:
+            raise Exception
+
+        # 'str' does not have decode method in python3
+        if type(rrtext) is not str:
+            fields = rrtext.decode("ascii").split()
+        else:
+            fields = rrtext.split()
+        if len(fields) < 7:
+            raise Exception
+
+        self.rrtype = "DS"
+        self.rrname = fields[0].lower()
+
+        fields = fields[1:]
+        if fields[0].upper() in ["IN", "CH", "HS"]:
+            self.rrclass = fields[0].upper()
+            fields = fields[1:]
+        else:
+            self.ttl = int(fields[0])
+            self.rrclass = fields[1].upper()
+            fields = fields[2:]
+
+        if fields[0].upper() != self.rrtype:
+            raise Exception("%s does not match %s" % (fields[0].upper(), self.rrtype))
+
+        self.keyid, self.keyalg, self.hashalg = map(int, fields[1:4])
+        self.digest = "".join(fields[4:]).upper()
+
+    def __repr__(self):
+        return "%s %s %s %d %d %d %s" % (
+            self.rrname,
+            self.rrclass,
+            self.rrtype,
+            self.keyid,
+            self.keyalg,
+            self.hashalg,
+            self.digest,
+        )
+
+    def __eq__(self, other):
+        return self.__repr__() == other.__repr__()
+
+
+############################################################################
+# check:
+# Fetch DS RRset for the given zone from the DNS; fetch DNSKEY
+# RRset from the masterfile if specified, or from DNS if not.
+# Generate a set of expected DS records from the DNSKEY RRset,
+# and report on congruency.
+############################################################################
+def check(zone, args):
+    rrlist = []
+    if args.dssetfile:
+        fp = open(args.dssetfile).read()
+    else:
+        cmd = [args.dig, "+noall", "+answer", "-t", "ds", "-q", zone]
+        fp, _ = Popen(cmd, stdout=PIPE).communicate()
+
+    for line in fp.splitlines():
+        if type(line) is not str:
+            line = line.decode("ascii")
+        rrlist.append(SECRR(line))
+    rrlist = sorted(rrlist, key=lambda rr: (rr.keyid, rr.keyalg, rr.hashalg))
+
+    klist = []
+
+    cmd = [args.dsfromkey]
+    for algo in args.algo:
+        cmd += ["-a", algo]
+
+    if args.masterfile:
+        cmd += ["-f", args.masterfile, zone]
+        fp, _ = Popen(cmd, stdout=PIPE).communicate()
+    else:
+        intods, _ = Popen(
+            [args.dig, "+noall", "+answer", "-t", "dnskey", "-q", zone], stdout=PIPE
+        ).communicate()
+        cmd += ["-f", "-", zone]
+        fp, _ = Popen(cmd, stdin=PIPE, stdout=PIPE).communicate(intods)
+
+    for line in fp.splitlines():
+        if type(line) is not str:
+            line = line.decode("ascii")
+        klist.append(SECRR(line))
+
+    if len(klist) < 1:
+        print("No DNSKEY records found in zone apex")
+        return False
+
+    match = True
+    for rr in rrlist:
+        if rr not in klist:
+            print(
+                "KSK for %s %s/%03d/%05d (%s) missing from child"
+                % (
+                    rr.rrtype,
+                    rr.rrname.strip("."),
+                    rr.keyalg,
+                    rr.keyid,
+                    SECRR.hashalgs[rr.hashalg],
+                )
+            )
+            match = False
+    for rr in klist:
+        if rr not in rrlist:
+            print(
+                "%s for KSK %s/%03d/%05d (%s) missing from parent"
+                % (
+                    rr.rrtype,
+                    rr.rrname.strip("."),
+                    rr.keyalg,
+                    rr.keyid,
+                    SECRR.hashalgs[rr.hashalg],
+                )
+            )
+            match = False
+    for rr in klist:
+        if rr in rrlist:
+            print(
+                "%s for KSK %s/%03d/%05d (%s) found in parent"
+                % (
+                    rr.rrtype,
+                    rr.rrname.strip("."),
+                    rr.keyalg,
+                    rr.keyid,
+                    SECRR.hashalgs[rr.hashalg],
+                )
+            )
+
+    return match
+
+
+############################################################################
+# parse_args:
+# Read command line arguments, set global 'args' structure
+############################################################################
+def parse_args():
+    parser = argparse.ArgumentParser(description=prog + ": checks DS coverage")
+
+    bindir = "bin"
+    sbindir = "bin" if os.name == "nt" else "sbin"
+
+    parser.add_argument("zone", type=str, help="zone to check")
+    parser.add_argument(
+        "-a",
+        "--algo",
+        dest="algo",
+        action="append",
+        default=[],
+        type=str,
+        help="DS digest algorithm",
+    )
+    parser.add_argument(
+        "-d",
+        "--dig",
+        dest="dig",
+        default=os.path.join(prefix(bindir), "dig"),
+        type=str,
+        help="path to 'dig'",
+    )
+    parser.add_argument(
+        "-D",
+        "--dsfromkey",
+        dest="dsfromkey",
+        default=os.path.join(prefix(sbindir), "dnssec-dsfromkey"),
+        type=str,
+        help="path to 'dnssec-dsfromkey'",
+    )
+    parser.add_argument(
+        "-f", "--file", dest="masterfile", type=str, help="zone master file"
+    )
+    parser.add_argument(
+        "-s", "--dsset", dest="dssetfile", type=str, help="prepared DSset file"
+    )
+    parser.add_argument("-v", "--version", action="version", version=version)
+    args = parser.parse_args()
+
+    args.zone = args.zone.strip(".")
+
+    return args
+
+
+############################################################################
+# Main
+############################################################################
+def main():
+    args = parse_args()
+    match = check(args.zone, args)
+    exit(0 if match else 1)
diff --git a/bin/python/isc/coverage.py.in b/bin/python/isc/coverage.py.in
new file mode 100644
index 0000000..e9be265
--- /dev/null
+++ b/bin/python/isc/coverage.py.in
@@ -0,0 +1,333 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+from __future__ import print_function
+import os
+import sys
+import argparse
+import glob
+import re
+import time
+import calendar
+import pprint
+from collections import defaultdict
+
+prog = "dnssec-coverage"
+
+from isc import dnskey, eventlist, keydict, keyevent, keyzone, utils
+
+
+############################################################################
+# print a fatal error and exit
+############################################################################
+def fatal(*args, **kwargs):
+    print(*args, **kwargs)
+    sys.exit(1)
+
+
+############################################################################
+# output:
+############################################################################
+_firstline = True
+
+
+def output(*args, **kwargs):
+    """output text, adding a vertical space this is *not* the first
+    first section being printed since a call to vreset()"""
+    global _firstline
+    if "skip" in kwargs:
+        skip = kwargs["skip"]
+        kwargs.pop("skip", None)
+    else:
+        skip = True
+    if _firstline:
+        _firstline = False
+    elif skip:
+        print("")
+    if args:
+        print(*args, **kwargs)
+
+
+def vreset():
+    """reset vertical spacing"""
+    global _firstline
+    _firstline = True
+
+
+############################################################################
+# parse_time
+############################################################################
+def parse_time(s):
+    """convert a formatted time (e.g., 1y, 6mo, 15mi, etc) into seconds
+    :param s: String with some text representing a time interval
+    :return: Integer with the number of seconds in the time interval
+    """
+    s = s.strip()
+
+    # if s is an integer, we're done already
+    try:
+        return int(s)
+    except ValueError:
+        pass
+
+    # try to parse as a number with a suffix indicating unit of time
+    r = re.compile(r"([0-9][0-9]*)\s*([A-Za-z]*)")
+    m = r.match(s)
+    if not m:
+        raise ValueError("Cannot parse %s" % s)
+    n, unit = m.groups()
+    n = int(n)
+    unit = unit.lower()
+    if unit.startswith("y"):
+        return n * 31536000
+    elif unit.startswith("mo"):
+        return n * 2592000
+    elif unit.startswith("w"):
+        return n * 604800
+    elif unit.startswith("d"):
+        return n * 86400
+    elif unit.startswith("h"):
+        return n * 3600
+    elif unit.startswith("mi"):
+        return n * 60
+    elif unit.startswith("s"):
+        return n
+    else:
+        raise ValueError("Invalid suffix %s" % unit)
+
+
+############################################################################
+# set_path:
+############################################################################
+def set_path(command, default=None):
+    """find the location of a specified command.  if a default is supplied
+    and it works, we use it; otherwise we search PATH for a match.
+    :param command: string with a command to look for in the path
+    :param default: default location to use
+    :return: detected location for the desired command
+    """
+
+    fpath = default
+    if not fpath or not os.path.isfile(fpath) or not os.access(fpath, os.X_OK):
+        path = os.environ["PATH"]
+        if not path:
+            path = os.path.defpath
+        for directory in path.split(os.pathsep):
+            fpath = os.path.join(directory, command)
+            if os.path.isfile(fpath) and os.access(fpath, os.X_OK):
+                break
+            fpath = None
+
+    return fpath
+
+
+############################################################################
+# parse_args:
+############################################################################
+def parse_args():
+    """Read command line arguments, set global 'args' structure"""
+    compilezone = set_path(
+        "named-compilezone", os.path.join(utils.prefix("sbin"), "named-compilezone")
+    )
+
+    parser = argparse.ArgumentParser(
+        description=prog + ": checks future " + "DNSKEY coverage for a zone"
+    )
+
+    parser.add_argument(
+        "zone",
+        type=str,
+        nargs="*",
+        default=None,
+        help="zone(s) to check" + "(default: all zones in the directory)",
+    )
+    parser.add_argument(
+        "-K",
+        dest="path",
+        default=".",
+        type=str,
+        help="a directory containing keys to process",
+        metavar="dir",
+    )
+    parser.add_argument(
+        "-f", dest="filename", type=str, help="zone master file", metavar="file"
+    )
+    parser.add_argument(
+        "-m",
+        dest="maxttl",
+        type=str,
+        help="the longest TTL in the zone(s)",
+        metavar="time",
+    )
+    parser.add_argument(
+        "-d", dest="keyttl", type=str, help="the DNSKEY TTL", metavar="time"
+    )
+    parser.add_argument(
+        "-r",
+        dest="resign",
+        default="1944000",
+        type=str,
+        help="the RRSIG refresh interval " "in seconds [default: 22.5 days]",
+        metavar="time",
+    )
+    parser.add_argument(
+        "-c",
+        dest="compilezone",
+        default=compilezone,
+        type=str,
+        help="path to 'named-compilezone'",
+        metavar="path",
+    )
+    parser.add_argument(
+        "-l",
+        dest="checklimit",
+        type=str,
+        default="0",
+        help="Length of time to check for " "DNSSEC coverage [default: 0 (unlimited)]",
+        metavar="time",
+    )
+    parser.add_argument(
+        "-z",
+        dest="no_ksk",
+        action="store_true",
+        default=False,
+        help="Only check zone-signing keys (ZSKs)",
+    )
+    parser.add_argument(
+        "-k",
+        dest="no_zsk",
+        action="store_true",
+        default=False,
+        help="Only check key-signing keys (KSKs)",
+    )
+    parser.add_argument(
+        "-D",
+        "--debug",
+        dest="debug_mode",
+        action="store_true",
+        default=False,
+        help="Turn on debugging output",
+    )
+    parser.add_argument("-v", "--version", action="version", version=utils.version)
+
+    args = parser.parse_args()
+
+    if args.no_zsk and args.no_ksk:
+        fatal("ERROR: -z and -k cannot be used together.")
+    elif args.no_zsk or args.no_ksk:
+        args.keytype = "KSK" if args.no_zsk else "ZSK"
+    else:
+        args.keytype = None
+
+    if args.filename and len(args.zone) > 1:
+        fatal("ERROR: -f can only be used with one zone.")
+
+    # strip trailing dots if any
+    args.zone = [x[:-1] if (len(x) > 1 and x[-1] == ".") else x for x in args.zone]
+
+    # convert from time arguments to seconds
+    try:
+        if args.maxttl:
+            m = parse_time(args.maxttl)
+            args.maxttl = m
+    except ValueError:
+        pass
+
+    try:
+        if args.keyttl:
+            k = parse_time(args.keyttl)
+            args.keyttl = k
+    except ValueError:
+        pass
+
+    try:
+        if args.resign:
+            r = parse_time(args.resign)
+            args.resign = r
+    except ValueError:
+        pass
+
+    try:
+        if args.checklimit:
+            lim = args.checklimit
+            r = parse_time(args.checklimit)
+            if r == 0:
+                args.checklimit = None
+            else:
+                args.checklimit = time.time() + r
+    except ValueError:
+        pass
+
+    # if we've got the values we need from the command line, stop now
+    if args.maxttl and args.keyttl:
+        return args
+
+    # load keyttl and maxttl data from zonefile
+    if args.zone and args.filename:
+        try:
+            zone = keyzone(args.zone[0], args.filename, args.compilezone)
+            args.maxttl = args.maxttl or zone.maxttl
+            args.keyttl = args.maxttl or zone.keyttl
+        except Exception as e:
+            print("Unable to load zone data from %s: " % args.filename, e)
+
+    if not args.maxttl:
+        output(
+            "WARNING: Maximum TTL value was not specified.  Using 1 week\n"
+            "\t (604800 seconds); re-run with the -m option to get more\n"
+            "\t accurate results."
+        )
+        args.maxttl = 604800
+
+    return args
+
+
+############################################################################
+# Main
+############################################################################
+def main():
+    args = parse_args()
+
+    print("PHASE 1--Loading keys to check for internal timing problems")
+
+    try:
+        kd = keydict(path=args.path, zones=args.zone, keyttl=args.keyttl)
+    except Exception as e:
+        fatal("ERROR: Unable to build key dictionary: " + str(e))
+
+    for key in kd:
+        key.check_prepub(output)
+        if key.sep:
+            key.check_postpub(output)
+        else:
+            key.check_postpub(output, args.maxttl + args.resign)
+
+    output("PHASE 2--Scanning future key events for coverage failures")
+    vreset()
+
+    try:
+        elist = eventlist(kd)
+    except Exception as e:
+        fatal("ERROR: Unable to build event list: " + str(e))
+
+    errors = False
+    if not args.zone:
+        if not elist.coverage(None, args.keytype, args.checklimit, output):
+            errors = True
+    else:
+        for zone in args.zone:
+            try:
+                if not elist.coverage(zone, args.keytype, args.checklimit, output):
+                    errors = True
+            except:
+                output("ERROR: Coverage check failed for zone " + zone)
+
+    sys.exit(1 if errors else 0)
diff --git a/bin/python/isc/dnskey.py.in b/bin/python/isc/dnskey.py.in
new file mode 100644
index 0000000..c4cdc57
--- /dev/null
+++ b/bin/python/isc/dnskey.py.in
@@ -0,0 +1,570 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import os
+import time
+import calendar
+from subprocess import Popen, PIPE
+
+
+########################################################################
+# Class dnskey
+########################################################################
+class TimePast(Exception):
+    def __init__(self, key, prop, value):
+        super(TimePast, self).__init__(
+            "%s time for key %s (%d) is already past" % (prop, key, value)
+        )
+
+
+class dnskey:
+    """An individual DNSSEC key.  Identified by path, name, algorithm, keyid.
+    Contains a dictionary of metadata events."""
+
+    _PROPS = (
+        "Created",
+        "Publish",
+        "Activate",
+        "Inactive",
+        "Delete",
+        "Revoke",
+        "DSPublish",
+        "SyncPublish",
+        "SyncDelete",
+    )
+    _OPTS = (None, "-P", "-A", "-I", "-D", "-R", None, "-Psync", "-Dsync")
+
+    _ALGNAMES = (
+        None,
+        "RSAMD5",
+        "DH",
+        "DSA",
+        None,
+        "RSASHA1",
+        "NSEC3DSA",
+        "NSEC3RSASHA1",
+        "RSASHA256",
+        None,
+        "RSASHA512",
+        None,
+        "ECCGOST",
+        "ECDSAP256SHA256",
+        "ECDSAP384SHA384",
+        "ED25519",
+        "ED448",
+    )
+
+    def __init__(self, key, directory=None, keyttl=None):
+        # this makes it possible to use algname as a class or instance method
+        if isinstance(key, tuple) and len(key) == 3:
+            self._dir = directory or "."
+            (name, alg, keyid) = key
+            self.fromtuple(name, alg, keyid, keyttl)
+
+        self._dir = directory or os.path.dirname(key) or "."
+        key = os.path.basename(key)
+        (name, alg, keyid) = key.split("+")
+        name = name[1:-1]
+        alg = int(alg)
+        keyid = int(keyid.split(".")[0])
+        self.fromtuple(name, alg, keyid, keyttl)
+
+    def fromtuple(self, name, alg, keyid, keyttl):
+        if name.endswith("."):
+            fullname = name
+            name = name.rstrip(".")
+        else:
+            fullname = name + "."
+
+        keystr = "K%s+%03d+%05d" % (fullname, alg, keyid)
+        key_file = self._dir + (self._dir and os.sep or "") + keystr + ".key"
+        private_file = self._dir + (self._dir and os.sep or "") + keystr + ".private"
+
+        self.keystr = keystr
+
+        self.name = name
+        self.alg = int(alg)
+        self.keyid = int(keyid)
+        self.fullname = fullname
+
+        kfp = open(key_file, "r")
+        for line in kfp:
+            if line[0] == ";":
+                continue
+            tokens = line.split()
+            if not tokens:
+                continue
+
+            if tokens[1].lower() in ("in", "ch", "hs"):
+                septoken = 3
+                self.ttl = keyttl
+            else:
+                septoken = 4
+                self.ttl = int(tokens[1]) if not keyttl else keyttl
+
+            if (int(tokens[septoken]) & 0x1) == 1:
+                self.sep = True
+            else:
+                self.sep = False
+        kfp.close()
+
+        pfp = open(private_file, "r")
+
+        self.metadata = dict()
+        self._changed = dict()
+        self._delete = dict()
+        self._times = dict()
+        self._fmttime = dict()
+        self._timestamps = dict()
+        self._original = dict()
+        self._origttl = None
+
+        for line in pfp:
+            line = line.strip()
+            if not line or line[0] in ("!#"):
+                continue
+            punctuation = [line.find(c) for c in ":= "] + [len(line)]
+            found = min([pos for pos in punctuation if pos != -1])
+            name = line[:found].rstrip()
+            value = line[found:].lstrip(":= ").rstrip()
+            self.metadata[name] = value
+
+        for prop in dnskey._PROPS:
+            self._changed[prop] = False
+            if prop in self.metadata:
+                t = self.parsetime(self.metadata[prop])
+                self._times[prop] = t
+                self._fmttime[prop] = self.formattime(t)
+                self._timestamps[prop] = self.epochfromtime(t)
+                self._original[prop] = self._timestamps[prop]
+            else:
+                self._times[prop] = None
+                self._fmttime[prop] = None
+                self._timestamps[prop] = None
+                self._original[prop] = None
+
+        pfp.close()
+
+    def commit(self, settime_bin, **kwargs):
+        quiet = kwargs.get("quiet", False)
+        cmd = []
+        first = True
+
+        if self._origttl is not None:
+            cmd += ["-L", str(self.ttl)]
+
+        for prop, opt in zip(dnskey._PROPS, dnskey._OPTS):
+            if not opt or not self._changed[prop]:
+                continue
+
+            delete = False
+            if prop in self._delete and self._delete[prop]:
+                delete = True
+
+            when = "none" if delete else self._fmttime[prop]
+            cmd += [opt, when]
+            first = False
+
+        if cmd:
+            fullcmd = (
+                [settime_bin, "-K", self._dir]
+                + cmd
+                + [
+                    self.keystr,
+                ]
+            )
+            if not quiet:
+                print("# " + " ".join(fullcmd))
+            try:
+                p = Popen(fullcmd, stdout=PIPE, stderr=PIPE)
+                stdout, stderr = p.communicate()
+                if stderr:
+                    raise Exception(str(stderr))
+            except Exception as e:
+                raise Exception("unable to run %s: %s" % (settime_bin, str(e)))
+            self._origttl = None
+            for prop in dnskey._PROPS:
+                self._original[prop] = self._timestamps[prop]
+                self._changed[prop] = False
+
+    @classmethod
+    def generate(
+        cls,
+        keygen_bin,
+        randomdev,
+        keys_dir,
+        name,
+        alg,
+        keysize,
+        sep,
+        ttl,
+        publish=None,
+        activate=None,
+        **kwargs
+    ):
+        quiet = kwargs.get("quiet", False)
+
+        keygen_cmd = [keygen_bin, "-q", "-K", keys_dir, "-L", str(ttl)]
+
+        if randomdev:
+            keygen_cmd += ["-r", randomdev]
+
+        if sep:
+            keygen_cmd.append("-fk")
+
+        if alg:
+            keygen_cmd += ["-a", alg]
+
+        if keysize:
+            keygen_cmd += ["-b", str(keysize)]
+
+        if publish:
+            t = dnskey.timefromepoch(publish)
+            keygen_cmd += ["-P", dnskey.formattime(t)]
+
+        if activate:
+            t = dnskey.timefromepoch(activate)
+            keygen_cmd += ["-A", dnskey.formattime(activate)]
+
+        keygen_cmd.append(name)
+
+        if not quiet:
+            print("# " + " ".join(keygen_cmd))
+
+        p = Popen(keygen_cmd, stdout=PIPE, stderr=PIPE)
+        stdout, stderr = p.communicate()
+        if stderr:
+            raise Exception("unable to generate key: " + str(stderr))
+
+        try:
+            keystr = stdout.splitlines()[0].decode("ascii")
+            newkey = dnskey(keystr, keys_dir, ttl)
+            return newkey
+        except Exception as e:
+            raise Exception("unable to parse generated key: %s" % str(e))
+
+    def generate_successor(self, keygen_bin, randomdev, prepublish, **kwargs):
+        quiet = kwargs.get("quiet", False)
+
+        if not self.inactive():
+            raise Exception("predecessor key %s has no inactive date" % self)
+
+        keygen_cmd = [keygen_bin, "-q", "-K", self._dir, "-S", self.keystr]
+
+        if self.ttl:
+            keygen_cmd += ["-L", str(self.ttl)]
+
+        if randomdev:
+            keygen_cmd += ["-r", randomdev]
+
+        if prepublish:
+            keygen_cmd += ["-i", str(prepublish)]
+
+        if not quiet:
+            print("# " + " ".join(keygen_cmd))
+
+        p = Popen(keygen_cmd, stdout=PIPE, stderr=PIPE)
+        stdout, stderr = p.communicate()
+        if stderr:
+            raise Exception("unable to generate key: " + stderr)
+
+        try:
+            keystr = stdout.splitlines()[0].decode("ascii")
+            newkey = dnskey(keystr, self._dir, self.ttl)
+            return newkey
+        except:
+            raise Exception("unable to generate successor for key %s" % self)
+
+    @staticmethod
+    def algstr(alg):
+        name = None
+        if alg in range(len(dnskey._ALGNAMES)):
+            name = dnskey._ALGNAMES[alg]
+        return name if name else ("%03d" % alg)
+
+    @staticmethod
+    def algnum(alg):
+        if not alg:
+            return None
+        alg = alg.upper()
+        try:
+            return dnskey._ALGNAMES.index(alg)
+        except ValueError:
+            return None
+
+    def algname(self, alg=None):
+        return self.algstr(alg or self.alg)
+
+    @staticmethod
+    def timefromepoch(secs):
+        return time.gmtime(secs)
+
+    @staticmethod
+    def parsetime(string):
+        return time.strptime(string, "%Y%m%d%H%M%S")
+
+    @staticmethod
+    def epochfromtime(t):
+        return calendar.timegm(t)
+
+    @staticmethod
+    def formattime(t):
+        return time.strftime("%Y%m%d%H%M%S", t)
+
+    def setmeta(self, prop, secs, now, **kwargs):
+        force = kwargs.get("force", False)
+
+        if self._timestamps[prop] == secs:
+            return
+
+        if (
+            self._original[prop] is not None
+            and self._original[prop] < now
+            and not force
+        ):
+            raise TimePast(self, prop, self._original[prop])
+
+        if secs is None:
+            self._changed[prop] = False if self._original[prop] is None else True
+
+            self._delete[prop] = True
+            self._timestamps[prop] = None
+            self._times[prop] = None
+            self._fmttime[prop] = None
+            return
+
+        t = self.timefromepoch(secs)
+        self._timestamps[prop] = secs
+        self._times[prop] = t
+        self._fmttime[prop] = self.formattime(t)
+        self._changed[prop] = (
+            False if self._original[prop] == self._timestamps[prop] else True
+        )
+
+    def gettime(self, prop):
+        return self._times[prop]
+
+    def getfmttime(self, prop):
+        return self._fmttime[prop]
+
+    def gettimestamp(self, prop):
+        return self._timestamps[prop]
+
+    def created(self):
+        return self._timestamps["Created"]
+
+    def syncpublish(self):
+        return self._timestamps["SyncPublish"]
+
+    def setsyncpublish(self, secs, now=time.time(), **kwargs):
+        self.setmeta("SyncPublish", secs, now, **kwargs)
+
+    def publish(self):
+        return self._timestamps["Publish"]
+
+    def setpublish(self, secs, now=time.time(), **kwargs):
+        self.setmeta("Publish", secs, now, **kwargs)
+
+    def activate(self):
+        return self._timestamps["Activate"]
+
+    def setactivate(self, secs, now=time.time(), **kwargs):
+        self.setmeta("Activate", secs, now, **kwargs)
+
+    def revoke(self):
+        return self._timestamps["Revoke"]
+
+    def setrevoke(self, secs, now=time.time(), **kwargs):
+        self.setmeta("Revoke", secs, now, **kwargs)
+
+    def inactive(self):
+        return self._timestamps["Inactive"]
+
+    def setinactive(self, secs, now=time.time(), **kwargs):
+        self.setmeta("Inactive", secs, now, **kwargs)
+
+    def delete(self):
+        return self._timestamps["Delete"]
+
+    def setdelete(self, secs, now=time.time(), **kwargs):
+        self.setmeta("Delete", secs, now, **kwargs)
+
+    def syncdelete(self):
+        return self._timestamps["SyncDelete"]
+
+    def setsyncdelete(self, secs, now=time.time(), **kwargs):
+        self.setmeta("SyncDelete", secs, now, **kwargs)
+
+    def setttl(self, ttl):
+        if ttl is None or self.ttl == ttl:
+            return
+        elif self._origttl is None:
+            self._origttl = self.ttl
+            self.ttl = ttl
+        elif self._origttl == ttl:
+            self._origttl = None
+            self.ttl = ttl
+        else:
+            self.ttl = ttl
+
+    def keytype(self):
+        return "KSK" if self.sep else "ZSK"
+
+    def __str__(self):
+        return "%s/%s/%05d" % (self.name, self.algname(), self.keyid)
+
+    def __repr__(self):
+        return "%s/%s/%05d (%s)" % (
+            self.name,
+            self.algname(),
+            self.keyid,
+            ("KSK" if self.sep else "ZSK"),
+        )
+
+    def date(self):
+        return self.activate() or self.publish() or self.created()
+
+    # keys are sorted first by zone name, then by algorithm. within
+    # the same name/algorithm, they are sorted according to their
+    # 'date' value: the activation date if set, OR the publication
+    # if set, OR the creation date.
+    def __lt__(self, other):
+        if self.name != other.name:
+            return self.name < other.name
+        if self.alg != other.alg:
+            return self.alg < other.alg
+        return self.date() < other.date()
+
+    def check_prepub(self, output=None):
+        def noop(*args, **kwargs):
+            pass
+
+        if not output:
+            output = noop
+
+        now = int(time.time())
+        a = self.activate()
+        p = self.publish()
+
+        if not a:
+            return False
+
+        if not p:
+            if a > now:
+                output(
+                    "WARNING: Key %s is scheduled for\n"
+                    "\t activation but not for publication." % repr(self)
+                )
+            return False
+
+        if p <= now and a <= now:
+            return True
+
+        if p == a:
+            output(
+                "WARNING: %s is scheduled to be\n"
+                "\t published and activated at the same time. This\n"
+                "\t could result in a coverage gap if the zone was\n"
+                "\t previously signed. Activation should be at least\n"
+                "\t %s after publication."
+                % (repr(self), dnskey.duration(self.ttl) or "one DNSKEY TTL")
+            )
+            return True
+
+        if a < p:
+            output("WARNING: Key %s is active before it is published" % repr(self))
+            return False
+
+        if self.ttl is not None and a - p < self.ttl:
+            output(
+                "WARNING: Key %s is activated too soon\n"
+                "\t after publication; this could result in coverage \n"
+                "\t gaps due to resolver caches containing old data.\n"
+                "\t Activation should be at least %s after\n"
+                "\t publication."
+                % (repr(self), dnskey.duration(self.ttl) or "one DNSKEY TTL")
+            )
+            return False
+
+        return True
+
+    def check_postpub(self, output=None, timespan=None):
+        def noop(*args, **kwargs):
+            pass
+
+        if output is None:
+            output = noop
+
+        if timespan is None:
+            timespan = self.ttl
+
+        if timespan is None:
+            output("WARNING: Key %s using default TTL." % repr(self))
+            timespan = 60 * 60 * 24
+
+        now = time.time()
+        d = self.delete()
+        i = self.inactive()
+
+        if not d:
+            return False
+
+        if not i:
+            if d > now:
+                output(
+                    "WARNING: Key %s is scheduled for\n"
+                    "\t deletion but not for inactivation." % repr(self)
+                )
+            return False
+
+        if d < now and i < now:
+            return True
+
+        if d < i:
+            output(
+                "WARNING: Key %s is scheduled for\n"
+                "\t deletion before inactivation." % repr(self)
+            )
+            return False
+
+        if d - i < timespan:
+            output(
+                "WARNING: Key %s scheduled for\n"
+                "\t deletion too soon after deactivation; this may \n"
+                "\t result in coverage gaps due to resolver caches\n"
+                "\t containing old data.  Deletion should be at least\n"
+                "\t %s after inactivation." % (repr(self), dnskey.duration(timespan))
+            )
+            return False
+
+        return True
+
+    @staticmethod
+    def duration(secs):
+        if not secs:
+            return None
+
+        units = [
+            ("year", 60 * 60 * 24 * 365),
+            ("month", 60 * 60 * 24 * 30),
+            ("day", 60 * 60 * 24),
+            ("hour", 60 * 60),
+            ("minute", 60),
+            ("second", 1),
+        ]
+
+        output = []
+        for unit in units:
+            v, secs = secs // unit[1], secs % unit[1]
+            if v > 0:
+                output.append("%d %s%s" % (v, unit[0], "s" if v > 1 else ""))
+
+        return ", ".join(output)
diff --git a/bin/python/isc/eventlist.py.in b/bin/python/isc/eventlist.py.in
new file mode 100644
index 0000000..f2f26aa
--- /dev/null
+++ b/bin/python/isc/eventlist.py.in
@@ -0,0 +1,178 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+from collections import defaultdict
+from .dnskey import *
+from .keydict import *
+from .keyevent import *
+
+
+class eventlist:
+    _K = defaultdict(lambda: defaultdict(list))
+    _Z = defaultdict(lambda: defaultdict(list))
+    _zones = set()
+    _kdict = None
+
+    def __init__(self, kdict):
+        properties = [
+            "SyncPublish",
+            "Publish",
+            "SyncDelete",
+            "Activate",
+            "Inactive",
+            "Delete",
+        ]
+        self._kdict = kdict
+        for zone in kdict.zones():
+            self._zones.add(zone)
+            for alg, keys in kdict[zone].items():
+                for k in keys.values():
+                    for prop in properties:
+                        t = k.gettime(prop)
+                        if not t:
+                            continue
+                        e = keyevent(prop, k, t)
+                        if k.sep:
+                            self._K[zone][alg].append(e)
+                        else:
+                            self._Z[zone][alg].append(e)
+
+                self._K[zone][alg] = sorted(
+                    self._K[zone][alg], key=lambda event: event.when
+                )
+                self._Z[zone][alg] = sorted(
+                    self._Z[zone][alg], key=lambda event: event.when
+                )
+
+    # scan events per zone, algorithm, and key type, in order of
+    # occurrence, noting inconsistent states when found
+    def coverage(self, zone, keytype, until, output=None):
+        def noop(*args, **kwargs):
+            pass
+
+        if not output:
+            output = noop
+
+        no_zsk = True if (keytype and keytype == "KSK") else False
+        no_ksk = True if (keytype and keytype == "ZSK") else False
+        kok = zok = True
+        found = False
+
+        if zone and not zone in self._zones:
+            output("ERROR: No key events found for %s" % zone)
+            return False
+
+        if zone:
+            found = True
+            if not no_ksk:
+                kok = self.checkzone(zone, "KSK", until, output)
+            if not no_zsk:
+                zok = self.checkzone(zone, "ZSK", until, output)
+        else:
+            for z in self._zones:
+                if not no_ksk and z in self._K.keys():
+                    found = True
+                    kok = self.checkzone(z, "KSK", until, output)
+                if not no_zsk and z in self._Z.keys():
+                    found = True
+                    zok = self.checkzone(z, "ZSK", until, output)
+
+        if not found:
+            output("ERROR: No key events found")
+            return False
+
+        return kok and zok
+
+    def checkzone(self, zone, keytype, until, output):
+        allok = True
+        if keytype == "KSK":
+            kz = self._K[zone]
+        else:
+            kz = self._Z[zone]
+
+        for alg in kz.keys():
+            output(
+                "Checking scheduled %s events for zone %s, "
+                "algorithm %s..." % (keytype, zone, dnskey.algstr(alg))
+            )
+            ok = eventlist.checkset(kz[alg], keytype, until, output)
+            if ok:
+                output("No errors found")
+            allok = allok and ok
+
+        return allok
+
+    @staticmethod
+    def showset(eventset, output):
+        if not eventset:
+            return
+        output("  " + eventset[0].showtime() + ":", skip=False)
+        for event in eventset:
+            output("    %s: %s" % (event.what, repr(event.key)), skip=False)
+
+    @staticmethod
+    def checkset(eventset, keytype, until, output):
+        groups = list()
+        group = list()
+
+        # collect up all events that have the same time
+        eventsfound = False
+        for event in eventset:
+            # we found an event
+            eventsfound = True
+
+            # add event to current group
+            if not group or group[0].when == event.when:
+                group.append(event)
+
+            # if we're at the end of the list, we're done.  if
+            # we've found an event with a later time, start a new group
+            if group[0].when != event.when:
+                groups.append(group)
+                group = list()
+                group.append(event)
+
+        if group:
+            groups.append(group)
+
+        if not eventsfound:
+            output("ERROR: No %s events found" % keytype)
+            return False
+
+        active = published = None
+        for group in groups:
+            if until and calendar.timegm(group[0].when) > until:
+                output(
+                    "Ignoring events after %s"
+                    % time.strftime("%a %b %d %H:%M:%S UTC %Y", time.gmtime(until))
+                )
+                return True
+
+            for event in group:
+                (active, published) = event.status(active, published)
+
+            eventlist.showset(group, output)
+
+            # and then check for inconsistencies:
+            if not active:
+                output("ERROR: No %s's are active after this event" % keytype)
+                return False
+            elif not published:
+                output("ERROR: No %s's are published after this event" % keytype)
+                return False
+            elif not published.intersection(active):
+                output(
+                    "ERROR: No %s's are both active and published "
+                    "after this event" % keytype
+                )
+                return False
+
+        return True
diff --git a/bin/python/isc/keydict.py.in b/bin/python/isc/keydict.py.in
new file mode 100644
index 0000000..723a32a
--- /dev/null
+++ b/bin/python/isc/keydict.py.in
@@ -0,0 +1,87 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+from collections import defaultdict
+from . import dnskey
+import os
+import glob
+
+
+########################################################################
+# Class keydict
+########################################################################
+class keydict:
+    """A dictionary of keys, indexed by name, algorithm, and key id"""
+
+    _keydict = defaultdict(lambda: defaultdict(dict))
+    _defttl = None
+    _missing = []
+
+    def __init__(self, dp=None, **kwargs):
+        self._defttl = kwargs.get("keyttl", None)
+        zones = kwargs.get("zones", None)
+
+        if not zones:
+            path = kwargs.get("path", None) or "."
+            self.readall(path)
+        else:
+            for zone in zones:
+                if "path" in kwargs and kwargs["path"] is not None:
+                    path = kwargs["path"]
+                else:
+                    path = dp and dp.policy(zone).directory or "."
+                if not self.readone(path, zone):
+                    self._missing.append(zone)
+
+    def readall(self, path):
+        files = glob.glob(os.path.join(path, "*.private"))
+
+        for infile in files:
+            key = dnskey(infile, path, self._defttl)
+            self._keydict[key.name][key.alg][key.keyid] = key
+
+    def readone(self, path, zone):
+        if not zone.endswith("."):
+            zone += "."
+        match = "K" + zone + "+*.private"
+        files = glob.glob(os.path.join(path, match))
+
+        found = False
+        for infile in files:
+            key = dnskey(infile, path, self._defttl)
+            if key.fullname != zone:  # shouldn't ever happen
+                continue
+            keyname = key.name if zone != "." else "."
+            self._keydict[keyname][key.alg][key.keyid] = key
+            found = True
+
+        return found
+
+    def __iter__(self):
+        for zone, algorithms in self._keydict.items():
+            for alg, keys in algorithms.items():
+                for key in keys.values():
+                    yield key
+
+    def __getitem__(self, name):
+        return self._keydict[name]
+
+    def zones(self):
+        return self._keydict.keys()
+
+    def algorithms(self, zone):
+        return self._keydict[zone].keys()
+
+    def keys(self, zone, alg):
+        return self._keydict[zone][alg].keys()
+
+    def missing(self):
+        return self._missing
diff --git a/bin/python/isc/keyevent.py.in b/bin/python/isc/keyevent.py.in
new file mode 100644
index 0000000..d01c97a
--- /dev/null
+++ b/bin/python/isc/keyevent.py.in
@@ -0,0 +1,80 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import time
+
+
+########################################################################
+# Class keyevent
+########################################################################
+class keyevent:
+    """A discrete key event, e.g., Publish, Activate, Inactive, Delete,
+    etc. Stores the date of the event, and identifying information
+    about the key to which the event will occur."""
+
+    def __init__(self, what, key, when=None):
+        self.what = what
+        self.when = when or key.gettime(what)
+        self.key = key
+        self.sep = key.sep
+        self.zone = key.name
+        self.alg = key.alg
+        self.keyid = key.keyid
+
+    def __repr__(self):
+        return repr((self.when, self.what, self.keyid, self.sep, self.zone, self.alg))
+
+    def showtime(self):
+        return time.strftime("%a %b %d %H:%M:%S UTC %Y", self.when)
+
+    # update sets of active and published keys, based on
+    # the contents of this keyevent
+    def status(self, active, published, output=None):
+        def noop(*args, **kwargs):
+            pass
+
+        if not output:
+            output = noop
+
+        if not active:
+            active = set()
+        if not published:
+            published = set()
+
+        if self.what == "Activate":
+            active.add(self.keyid)
+        elif self.what == "Publish":
+            published.add(self.keyid)
+        elif self.what == "Inactive":
+            if self.keyid not in active:
+                output(
+                    "\tWARNING: %s scheduled to become inactive "
+                    "before it is active" % repr(self.key)
+                )
+            else:
+                active.remove(self.keyid)
+        elif self.what == "Delete":
+            if self.keyid in published:
+                published.remove(self.keyid)
+            else:
+                output(
+                    "WARNING: key %s is scheduled for deletion "
+                    "before it is published" % repr(self.key)
+                )
+        elif self.what == "Revoke":
+            # We don't need to worry about the logic of this one;
+            # just stop counting this key as either active or published
+            if self.keyid in published:
+                published.remove(self.keyid)
+            if self.keyid in active:
+                active.remove(self.keyid)
+
+        return active, published
diff --git a/bin/python/isc/keymgr.py.in b/bin/python/isc/keymgr.py.in
new file mode 100644
index 0000000..67fe4c7
--- /dev/null
+++ b/bin/python/isc/keymgr.py.in
@@ -0,0 +1,207 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+from __future__ import print_function
+import os, sys, argparse, glob, re, time, calendar, pprint
+from collections import defaultdict
+
+prog = "dnssec-keymgr"
+
+from isc import dnskey, keydict, keyseries, policy, parsetab, utils
+
+
+############################################################################
+# print a fatal error and exit
+############################################################################
+def fatal(*args, **kwargs):
+    print(*args, **kwargs)
+    sys.exit(1)
+
+
+############################################################################
+# find the location of an external command
+############################################################################
+def set_path(command, default=None):
+    """find the location of a specified command. If a default is supplied,
+    exists and it's an executable, we use it; otherwise we search PATH
+    for an alternative.
+    :param command: command to look for
+    :param default: default value to use
+    :return: PATH with the location of a suitable binary
+    """
+    fpath = default
+    if not fpath or not os.path.isfile(fpath) or not os.access(fpath, os.X_OK):
+        path = os.environ["PATH"]
+        if not path:
+            path = os.path.defpath
+        for directory in path.split(os.pathsep):
+            fpath = directory + os.sep + command
+            if os.path.isfile(fpath) and os.access(fpath, os.X_OK):
+                break
+            fpath = None
+
+    return fpath
+
+
+############################################################################
+# parse arguments
+############################################################################
+def parse_args():
+    """Read command line arguments, returns 'args' object
+    :return: args object properly prepared
+    """
+
+    keygen = set_path(
+        "dnssec-keygen", os.path.join(utils.prefix("sbin"), "dnssec-keygen")
+    )
+    settime = set_path(
+        "dnssec-settime", os.path.join(utils.prefix("sbin"), "dnssec-settime")
+    )
+
+    parser = argparse.ArgumentParser(
+        description=prog + ": schedule "
+        "DNSSEC key rollovers according to a "
+        "pre-defined policy"
+    )
+
+    parser.add_argument(
+        "zone",
+        type=str,
+        nargs="*",
+        default=None,
+        help="Zone(s) to which the policy should be applied "
+        + "(default: all zones in the directory)",
+    )
+    parser.add_argument(
+        "-K", dest="path", type=str, help="Directory containing keys", metavar="dir"
+    )
+    parser.add_argument(
+        "-c", dest="policyfile", type=str, help="Policy definition file", metavar="file"
+    )
+    parser.add_argument(
+        "-g",
+        dest="keygen",
+        default=keygen,
+        type=str,
+        help="Path to 'dnssec-keygen'",
+        metavar="path",
+    )
+    parser.add_argument(
+        "-r",
+        dest="randomdev",
+        type=str,
+        default=None,
+        help="DEPRECATED",
+        metavar="path",
+    )
+    parser.add_argument(
+        "-s",
+        dest="settime",
+        default=settime,
+        type=str,
+        help="Path to 'dnssec-settime'",
+        metavar="path",
+    )
+    parser.add_argument(
+        "-k",
+        dest="no_zsk",
+        action="store_true",
+        default=False,
+        help="Only apply policy to key-signing keys (KSKs)",
+    )
+    parser.add_argument(
+        "-z",
+        dest="no_ksk",
+        action="store_true",
+        default=False,
+        help="Only apply policy to zone-signing keys (ZSKs)",
+    )
+    parser.add_argument(
+        "-f",
+        "--force",
+        dest="force",
+        action="store_true",
+        default=False,
+        help="Force updates to key events " + "even if they are in the past",
+    )
+    parser.add_argument(
+        "-q",
+        "--quiet",
+        dest="quiet",
+        action="store_true",
+        default=False,
+        help="Update keys silently",
+    )
+    parser.add_argument("-v", "--version", action="version", version=utils.version)
+
+    args = parser.parse_args()
+
+    if args.randomdev:
+        fatal("ERROR: -r option has been deprecated.")
+
+    if args.no_zsk and args.no_ksk:
+        fatal("ERROR: -z and -k cannot be used together.")
+
+    if args.keygen is None:
+        fatal("ERROR: dnssec-keygen not found")
+
+    if args.settime is None:
+        fatal("ERROR: dnssec-settime not found")
+
+    # if a policy file was specified, check that it exists.
+    # if not, use the default file, unless it doesn't exist
+    if args.policyfile is not None:
+        if not os.path.exists(args.policyfile):
+            fatal('ERROR: Policy file "%s" not found' % args.policyfile)
+    else:
+        args.policyfile = os.path.join(utils.sysconfdir, "dnssec-policy.conf")
+        if not os.path.exists(args.policyfile):
+            args.policyfile = None
+
+    return args
+
+
+############################################################################
+# main
+############################################################################
+def main():
+    args = parse_args()
+
+    # As we may have specific locations for the binaries, we put that info
+    # into a context object that can be passed around
+    context = {
+        "keygen_path": args.keygen,
+        "settime_path": args.settime,
+        "keys_path": args.path,
+        "randomdev": args.randomdev,
+    }
+
+    try:
+        dp = policy.dnssec_policy(args.policyfile)
+    except Exception as e:
+        fatal("Unable to load DNSSEC policy: " + str(e))
+
+    try:
+        kd = keydict(dp, path=args.path, zones=args.zone)
+    except Exception as e:
+        fatal("Unable to build key dictionary: " + str(e))
+
+    try:
+        ks = keyseries(kd, context=context)
+    except Exception as e:
+        fatal("Unable to build key series: " + str(e))
+
+    try:
+        ks.enforce_policy(
+            dp, ksk=args.no_zsk, zsk=args.no_ksk, force=args.force, quiet=args.quiet
+        )
+    except Exception as e:
+        fatal("Unable to apply policy: " + str(e))
diff --git a/bin/python/isc/keyseries.py.in b/bin/python/isc/keyseries.py.in
new file mode 100644
index 0000000..e75f82b
--- /dev/null
+++ b/bin/python/isc/keyseries.py.in
@@ -0,0 +1,232 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+from collections import defaultdict
+from .dnskey import *
+from .keydict import *
+from .keyevent import *
+from .policy import *
+import time
+
+
+class keyseries:
+    _K = defaultdict(lambda: defaultdict(list))
+    _Z = defaultdict(lambda: defaultdict(list))
+    _zones = set()
+    _kdict = None
+    _context = None
+
+    def __init__(self, kdict, now=time.time(), context=None):
+        self._kdict = kdict
+        self._context = context
+        self._zones = set(kdict.missing())
+
+        for zone in kdict.zones():
+            self._zones.add(zone)
+            for alg, keys in kdict[zone].items():
+                for k in keys.values():
+                    if k.sep:
+                        if not (k.delete() and k.delete() < now):
+                            self._K[zone][alg].append(k)
+                    else:
+                        if not (k.delete() and k.delete() < now):
+                            self._Z[zone][alg].append(k)
+
+                self._K[zone][alg].sort()
+                self._Z[zone][alg].sort()
+
+    def __iter__(self):
+        for zone in self._zones:
+            for collection in [self._K, self._Z]:
+                if zone not in collection:
+                    continue
+                for alg, keys in collection[zone].items():
+                    for key in keys:
+                        yield key
+
+    def dump(self):
+        for k in self:
+            print("%s" % repr(k))
+
+    def fixseries(self, keys, policy, now, **kwargs):
+        force = kwargs.get("force", False)
+        if not keys:
+            return
+
+        # handle the first key
+        key = keys[0]
+        if key.sep:
+            rp = policy.ksk_rollperiod
+            prepub = policy.ksk_prepublish or (30 * 86400)
+            postpub = policy.ksk_postpublish or (30 * 86400)
+        else:
+            rp = policy.zsk_rollperiod
+            prepub = policy.zsk_prepublish or (30 * 86400)
+            postpub = policy.zsk_postpublish or (30 * 86400)
+
+        # the first key should be published and active
+        p = key.publish()
+        a = key.activate()
+        if not p or p > now:
+            key.setpublish(now)
+            p = now
+        if not a or a > now:
+            key.setactivate(now)
+            a = now
+
+        i = key.inactive()
+        fudge = 300
+        if not rp:
+            key.setinactive(None, **kwargs)
+            key.setdelete(None, **kwargs)
+        elif not i or a + rp != i:
+            if not i and a + rp > now + prepub + fudge:
+                key.setinactive(a + rp, **kwargs)
+                key.setdelete(a + rp + postpub, **kwargs)
+            elif not i:
+                key.setinactive(now + prepub + fudge, **kwargs)
+                key.setdelete(now + prepub + postpub + fudge, **kwargs)
+            elif i < now:
+                pass
+            elif a + rp > i:
+                key.setinactive(a + rp, **kwargs)
+                key.setdelete(a + rp + postpub, **kwargs)
+            elif a + rp > now + prepub + fudge:
+                key.setinactive(a + rp, **kwargs)
+                key.setdelete(a + rp + postpub, **kwargs)
+            else:
+                key.setinactive(now + prepub + fudge, **kwargs)
+                key.setdelete(now + prepub + postpub + fudge, **kwargs)
+        else:
+            d = key.delete()
+            if not d or i + postpub > now + fudge:
+                key.setdelete(i + postpub, **kwargs)
+            elif not d:
+                key.setdelete(now + postpub + fudge, **kwargs)
+            elif d < now + fudge:
+                pass
+            elif d < i + postpub:
+                key.setdelete(i + postpub, **kwargs)
+
+        if policy.keyttl != key.ttl:
+            key.setttl(policy.keyttl)
+
+        # handle all the subsequent keys
+        prev = key
+        for key in keys[1:]:
+            # if no rollperiod, then all keys after the first in
+            # the series kept inactive.
+            # (XXX: we need to change this to allow standby keys)
+            if not rp:
+                key.setpublish(None, **kwargs)
+                key.setactivate(None, **kwargs)
+                key.setinactive(None, **kwargs)
+                key.setdelete(None, **kwargs)
+                if policy.keyttl != key.ttl:
+                    key.setttl(policy.keyttl)
+                continue
+
+            # otherwise, ensure all dates are set correctly based on
+            # the initial key
+            a = prev.inactive()
+            p = a - prepub
+            key.setactivate(a, **kwargs)
+            key.setpublish(p, **kwargs)
+            key.setinactive(a + rp, **kwargs)
+            key.setdelete(a + rp + postpub, **kwargs)
+            prev.setdelete(a + postpub, **kwargs)
+            if policy.keyttl != key.ttl:
+                key.setttl(policy.keyttl)
+            prev = key
+
+        # if we haven't got sufficient coverage, create successor key(s)
+        while rp and prev.inactive() and prev.inactive() < now + policy.coverage:
+            # commit changes to predecessor: a successor can only be
+            # generated if Inactive has been set in the predecessor key
+            prev.commit(self._context["settime_path"], **kwargs)
+            key = prev.generate_successor(
+                self._context["keygen_path"],
+                self._context["randomdev"],
+                prepub,
+                **kwargs
+            )
+
+            key.setinactive(key.activate() + rp, **kwargs)
+            key.setdelete(key.inactive() + postpub, **kwargs)
+            keys.append(key)
+            prev = key
+
+        # last key? we already know we have sufficient coverage now, so
+        # disable the inactivation of the final key (if it was set),
+        # ensuring that if dnssec-keymgr isn't run again, the last key
+        # in the series will at least remain usable.
+        prev.setinactive(None, **kwargs)
+        prev.setdelete(None, **kwargs)
+
+        # commit changes
+        for key in keys:
+            key.commit(self._context["settime_path"], **kwargs)
+
+    def enforce_policy(self, policies, now=time.time(), **kwargs):
+        # If zones is provided as a parameter, use that list.
+        # If not, use what we have in this object
+        zones = kwargs.get("zones", self._zones)
+        keys_dir = kwargs.get("dir", self._context.get("keys_path", None))
+        force = kwargs.get("force", False)
+
+        for zone in zones:
+            collections = []
+            policy = policies.policy(zone)
+            keys_dir = keys_dir or policy.directory or "."
+            alg = policy.algorithm
+            algnum = dnskey.algnum(alg)
+            if "ksk" not in kwargs or not kwargs["ksk"]:
+                if len(self._Z[zone][algnum]) == 0:
+                    k = dnskey.generate(
+                        self._context["keygen_path"],
+                        self._context["randomdev"],
+                        keys_dir,
+                        zone,
+                        alg,
+                        policy.zsk_keysize,
+                        False,
+                        policy.keyttl or 3600,
+                        **kwargs
+                    )
+                    self._Z[zone][algnum].append(k)
+                collections.append(self._Z[zone])
+
+            if "zsk" not in kwargs or not kwargs["zsk"]:
+                if len(self._K[zone][algnum]) == 0:
+                    k = dnskey.generate(
+                        self._context["keygen_path"],
+                        self._context["randomdev"],
+                        keys_dir,
+                        zone,
+                        alg,
+                        policy.ksk_keysize,
+                        True,
+                        policy.keyttl or 3600,
+                        **kwargs
+                    )
+                    self._K[zone][algnum].append(k)
+                collections.append(self._K[zone])
+
+            for collection in collections:
+                for algorithm, keys in collection.items():
+                    if algorithm != algnum:
+                        continue
+                    try:
+                        self.fixseries(keys, policy, now, **kwargs)
+                    except Exception as e:
+                        raise Exception(
+                            "%s/%s: %s" % (zone, dnskey.algstr(algnum), str(e))
+                        )
diff --git a/bin/python/isc/keyzone.py.in b/bin/python/isc/keyzone.py.in
new file mode 100644
index 0000000..c0c7043
--- /dev/null
+++ b/bin/python/isc/keyzone.py.in
@@ -0,0 +1,59 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import os
+import sys
+import re
+from subprocess import Popen, PIPE
+
+
+########################################################################
+# Exceptions
+########################################################################
+class KeyZoneException(Exception):
+    pass
+
+
+########################################################################
+# class keyzone
+########################################################################
+class keyzone:
+    """reads a zone file to find data relevant to keys"""
+
+    def __init__(self, name, filename, czpath):
+        self.maxttl = None
+        self.keyttl = None
+
+        if not name:
+            return
+
+        if not czpath or not os.path.isfile(czpath) or not os.access(czpath, os.X_OK):
+            raise KeyZoneException('"named-compilezone" not found')
+            return
+
+        maxttl = keyttl = None
+
+        fp, _ = Popen(
+            [czpath, "-o", "-", name, filename], stdout=PIPE, stderr=PIPE
+        ).communicate()
+        for line in fp.splitlines():
+            if type(line) is not str:
+                line = line.decode("ascii")
+            if re.search("^[:space:]*;", line):
+                continue
+            fields = line.split()
+            if not maxttl or int(fields[1]) > maxttl:
+                maxttl = int(fields[1])
+            if fields[3] == "DNSKEY":
+                keyttl = int(fields[1])
+
+        self.keyttl = keyttl
+        self.maxttl = maxttl
diff --git a/bin/python/isc/policy.py.in b/bin/python/isc/policy.py.in
new file mode 100644
index 0000000..0fa231c
--- /dev/null
+++ b/bin/python/isc/policy.py.in
@@ -0,0 +1,761 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import re
+import ply.lex as lex
+import ply.yacc as yacc
+from string import *
+from copy import copy
+
+
+############################################################################
+# PolicyLex: a lexer for the policy file syntax.
+############################################################################
+class PolicyLex:
+    reserved = (
+        "POLICY",
+        "ALGORITHM_POLICY",
+        "ZONE",
+        "ALGORITHM",
+        "DIRECTORY",
+        "KEYTTL",
+        "KEY_SIZE",
+        "ROLL_PERIOD",
+        "PRE_PUBLISH",
+        "POST_PUBLISH",
+        "COVERAGE",
+        "STANDBY",
+        "NONE",
+    )
+
+    tokens = reserved + (
+        "DATESUFFIX",
+        "KEYTYPE",
+        "ALGNAME",
+        "STR",
+        "QSTRING",
+        "NUMBER",
+        "LBRACE",
+        "RBRACE",
+        "SEMI",
+    )
+    reserved_map = {}
+
+    t_ignore = " \t"
+    t_ignore_olcomment = r"(//|\#).*"
+
+    t_LBRACE = r"\{"
+    t_RBRACE = r"\}"
+    t_SEMI = r";"
+
+    def t_newline(self, t):
+        r"\n+"
+        t.lexer.lineno += t.value.count("\n")
+
+    def t_comment(self, t):
+        r"/\*(.|\n)*?\*/"
+        t.lexer.lineno += t.value.count("\n")
+
+    def t_DATESUFFIX(self, t):
+        r"(?<=[0-9 \t])(y(?:ears|ear|ea|e)?|mo(?:nths|nth|nt|n)?|w(?:eeks|eek|ee|e)?|d(?:ays|ay|a)?|h(?:ours|our|ou|o)?|mi(?:nutes|nute|nut|nu|n)?|s(?:econds|econd|econ|eco|ec|e)?)\b"
+        t.value = (
+            re.match(r"(y|mo|w|d|h|mi|s)([a-z]*)", t.value, re.IGNORECASE)
+            .group(1)
+            .lower()
+        )
+        return t
+
+    def t_KEYTYPE(self, t):
+        r"\b(KSK|ZSK)\b"
+        t.value = t.value.upper()
+        return t
+
+    def t_ALGNAME(self, t):
+        r"\b(DH|ECC|RSASHA1|NSEC3RSASHA1|RSASHA256|RSASHA512|ECDSAP256SHA256|ECDSAP384SHA384|ED25519|ED448)\b"
+        t.value = t.value.upper()
+        return t
+
+    def t_STR(self, t):
+        r"[A-Za-z._-][\w._-]*"
+        t.type = self.reserved_map.get(t.value, "STR")
+        return t
+
+    def t_QSTRING(self, t):
+        r'"([^"\n]|(\\"))*"'
+        t.type = self.reserved_map.get(t.value, "QSTRING")
+        t.value = t.value[1:-1]
+        return t
+
+    def t_NUMBER(self, t):
+        r"\d+"
+        t.value = int(t.value)
+        return t
+
+    def t_error(self, t):
+        print("Illegal character '%s'" % t.value[0])
+        t.lexer.skip(1)
+
+    def __init__(self, **kwargs):
+        if "maketrans" in dir(str):
+            trans = str.maketrans("_", "-")
+        else:
+            trans = maketrans("_", "-")
+        for r in self.reserved:
+            self.reserved_map[r.lower().translate(trans)] = r
+        self.lexer = lex.lex(object=self, reflags=re.VERBOSE | re.IGNORECASE, **kwargs)
+
+    def test(self, text):
+        self.lexer.input(text)
+        while True:
+            t = self.lexer.token()
+            if not t:
+                break
+            print(t)
+
+
+############################################################################
+# Policy: this object holds a set of DNSSEC policy settings.
+############################################################################
+class Policy:
+    is_zone = False
+    is_alg = False
+    is_constructed = False
+    ksk_rollperiod = None
+    zsk_rollperiod = None
+    ksk_prepublish = None
+    zsk_prepublish = None
+    ksk_postpublish = None
+    zsk_postpublish = None
+    ksk_keysize = None
+    zsk_keysize = None
+    ksk_standby = None
+    zsk_standby = None
+    keyttl = None
+    coverage = None
+    directory = None
+    valid_key_sz_per_algo = {
+        "RSASHA1": [1024, 4096],
+        "NSEC3RSASHA1": [512, 4096],
+        "RSASHA256": [1024, 4096],
+        "RSASHA512": [1024, 4096],
+        "ECDSAP256SHA256": None,
+        "ECDSAP384SHA384": None,
+        "ED25519": None,
+        "ED448": None,
+    }
+
+    def __init__(self, name=None, algorithm=None, parent=None):
+        self.name = name
+        self.algorithm = algorithm
+        self.parent = parent
+        pass
+
+    def __repr__(self):
+        return (
+            "%spolicy %s:\n"
+            "\tinherits %s\n"
+            "\tdirectory %s\n"
+            "\talgorithm %s\n"
+            "\tcoverage %s\n"
+            "\tksk_keysize %s\n"
+            "\tzsk_keysize %s\n"
+            "\tksk_rollperiod %s\n"
+            "\tzsk_rollperiod %s\n"
+            "\tksk_prepublish %s\n"
+            "\tksk_postpublish %s\n"
+            "\tzsk_prepublish %s\n"
+            "\tzsk_postpublish %s\n"
+            "\tksk_standby %s\n"
+            "\tzsk_standby %s\n"
+            "\tkeyttl %s\n"
+            % (
+                (
+                    self.is_constructed
+                    and "constructed "
+                    or self.is_zone
+                    and "zone "
+                    or self.is_alg
+                    and "algorithm "
+                    or ""
+                ),
+                self.name or "UNKNOWN",
+                self.parent and self.parent.name or "None",
+                self.directory and ('"' + str(self.directory) + '"') or "None",
+                self.algorithm or "None",
+                self.coverage and str(self.coverage) or "None",
+                self.ksk_keysize and str(self.ksk_keysize) or "None",
+                self.zsk_keysize and str(self.zsk_keysize) or "None",
+                self.ksk_rollperiod and str(self.ksk_rollperiod) or "None",
+                self.zsk_rollperiod and str(self.zsk_rollperiod) or "None",
+                self.ksk_prepublish and str(self.ksk_prepublish) or "None",
+                self.ksk_postpublish and str(self.ksk_postpublish) or "None",
+                self.zsk_prepublish and str(self.zsk_prepublish) or "None",
+                self.zsk_postpublish and str(self.zsk_postpublish) or "None",
+                self.ksk_standby and str(self.ksk_standby) or "None",
+                self.zsk_standby and str(self.zsk_standby) or "None",
+                self.keyttl and str(self.keyttl) or "None",
+            )
+        )
+
+    def __verify_size(self, key_size, size_range):
+        return size_range[0] <= key_size <= size_range[1]
+
+    def get_name(self):
+        return self.name
+
+    def constructed(self):
+        return self.is_constructed
+
+    def validate(self):
+        """Check if the values in the policy make sense
+        :return: True/False if the policy passes validation
+        """
+        if (
+            self.ksk_rollperiod
+            and self.ksk_prepublish is not None
+            and self.ksk_prepublish > self.ksk_rollperiod
+        ):
+            print(self.ksk_rollperiod)
+            return (
+                False,
+                (
+                    "KSK pre-publish period (%d) exceeds rollover period %d"
+                    % (self.ksk_prepublish, self.ksk_rollperiod)
+                ),
+            )
+
+        if (
+            self.ksk_rollperiod
+            and self.ksk_postpublish is not None
+            and self.ksk_postpublish > self.ksk_rollperiod
+        ):
+            return (
+                False,
+                (
+                    "KSK post-publish period (%d) exceeds rollover period %d"
+                    % (self.ksk_postpublish, self.ksk_rollperiod)
+                ),
+            )
+
+        if (
+            self.zsk_rollperiod
+            and self.zsk_prepublish is not None
+            and self.zsk_prepublish >= self.zsk_rollperiod
+        ):
+            return (
+                False,
+                (
+                    "ZSK pre-publish period (%d) exceeds rollover period %d"
+                    % (self.zsk_prepublish, self.zsk_rollperiod)
+                ),
+            )
+
+        if (
+            self.zsk_rollperiod
+            and self.zsk_postpublish is not None
+            and self.zsk_postpublish >= self.zsk_rollperiod
+        ):
+            return (
+                False,
+                (
+                    "ZSK post-publish period (%d) exceeds rollover period %d"
+                    % (self.zsk_postpublish, self.zsk_rollperiod)
+                ),
+            )
+
+        if (
+            self.ksk_rollperiod
+            and self.ksk_prepublish
+            and self.ksk_postpublish
+            and self.ksk_prepublish + self.ksk_postpublish >= self.ksk_rollperiod
+        ):
+            return (
+                False,
+                (
+                    (
+                        "KSK pre/post-publish periods (%d/%d) "
+                        + "combined exceed rollover period %d"
+                    )
+                    % (self.ksk_prepublish, self.ksk_postpublish, self.ksk_rollperiod)
+                ),
+            )
+
+        if (
+            self.zsk_rollperiod
+            and self.zsk_prepublish
+            and self.zsk_postpublish
+            and self.zsk_prepublish + self.zsk_postpublish >= self.zsk_rollperiod
+        ):
+            return (
+                False,
+                (
+                    (
+                        "ZSK pre/post-publish periods (%d/%d) "
+                        + "combined exceed rollover period %d"
+                    )
+                    % (self.zsk_prepublish, self.zsk_postpublish, self.zsk_rollperiod)
+                ),
+            )
+
+        if self.algorithm is not None:
+            # Validate the key size
+            key_sz_range = self.valid_key_sz_per_algo.get(self.algorithm)
+            if key_sz_range is not None:
+                # Verify KSK
+                if not self.__verify_size(self.ksk_keysize, key_sz_range):
+                    return False, "KSK key size %d outside valid range %s" % (
+                        self.ksk_keysize,
+                        key_sz_range,
+                    )
+
+                # Verify ZSK
+                if not self.__verify_size(self.zsk_keysize, key_sz_range):
+                    return False, "ZSK key size %d outside valid range %s" % (
+                        self.zsk_keysize,
+                        key_sz_range,
+                    )
+
+            if self.algorithm in [
+                "ECDSAP256SHA256",
+                "ECDSAP384SHA384",
+                "ED25519",
+                "ED448",
+            ]:
+                self.ksk_keysize = None
+                self.zsk_keysize = None
+
+        return True, ""
+
+
+############################################################################
+# dnssec_policy:
+# This class reads a dnssec.policy file and creates a dictionary of
+# DNSSEC policy rules from which a policy for a specific zone can
+# be generated.
+############################################################################
+class PolicyException(Exception):
+    pass
+
+
+class dnssec_policy:
+    alg_policy = {}
+    named_policy = {}
+    zone_policy = {}
+    current = None
+    filename = None
+    initial = True
+
+    def __init__(self, filename=None, **kwargs):
+        self.plex = PolicyLex()
+        self.tokens = self.plex.tokens
+        if "debug" not in kwargs:
+            kwargs["debug"] = False
+        if "write_tables" not in kwargs:
+            kwargs["write_tables"] = False
+        self.parser = yacc.yacc(module=self, **kwargs)
+
+        # set defaults
+        self.setup(
+            """policy global { algorithm rsasha256;
+                                      key-size ksk 2048;
+                                      key-size zsk 2048;
+                                      roll-period ksk 0;
+                                      roll-period zsk 1y;
+                                      pre-publish ksk 1mo;
+                                      pre-publish zsk 1mo;
+                                      post-publish ksk 1mo;
+                                      post-publish zsk 1mo;
+                                      standby ksk 0;
+                                      standby zsk 0;
+                                      keyttl 1h;
+                                      coverage 6mo; };
+                      policy default { policy global; };"""
+        )
+
+        p = Policy()
+        p.algorithm = None
+        p.is_alg = True
+        p.ksk_keysize = 2048
+        p.zsk_keysize = 2048
+
+        # set default algorithm policies
+
+        # these can use default settings
+        self.alg_policy["RSASHA1"] = copy(p)
+        self.alg_policy["RSASHA1"].algorithm = "RSASHA1"
+        self.alg_policy["RSASHA1"].name = "RSASHA1"
+
+        self.alg_policy["NSEC3RSASHA1"] = copy(p)
+        self.alg_policy["NSEC3RSASHA1"].algorithm = "NSEC3RSASHA1"
+        self.alg_policy["NSEC3RSASHA1"].name = "NSEC3RSASHA1"
+
+        self.alg_policy["RSASHA256"] = copy(p)
+        self.alg_policy["RSASHA256"].algorithm = "RSASHA256"
+        self.alg_policy["RSASHA256"].name = "RSASHA256"
+
+        self.alg_policy["RSASHA512"] = copy(p)
+        self.alg_policy["RSASHA512"].algorithm = "RSASHA512"
+        self.alg_policy["RSASHA512"].name = "RSASHA512"
+
+        self.alg_policy["ECDSAP256SHA256"] = copy(p)
+        self.alg_policy["ECDSAP256SHA256"].algorithm = "ECDSAP256SHA256"
+        self.alg_policy["ECDSAP256SHA256"].name = "ECDSAP256SHA256"
+        self.alg_policy["ECDSAP256SHA256"].ksk_keysize = None
+        self.alg_policy["ECDSAP256SHA256"].zsk_keysize = None
+
+        self.alg_policy["ECDSAP384SHA384"] = copy(p)
+        self.alg_policy["ECDSAP384SHA384"].algorithm = "ECDSAP384SHA384"
+        self.alg_policy["ECDSAP384SHA384"].name = "ECDSAP384SHA384"
+        self.alg_policy["ECDSAP384SHA384"].ksk_keysize = None
+        self.alg_policy["ECDSAP384SHA384"].zsk_keysize = None
+
+        self.alg_policy["ED25519"] = copy(p)
+        self.alg_policy["ED25519"].algorithm = "ED25519"
+        self.alg_policy["ED25519"].name = "ED25519"
+        self.alg_policy["ED25519"].ksk_keysize = None
+        self.alg_policy["ED25519"].zsk_keysize = None
+
+        self.alg_policy["ED448"] = copy(p)
+        self.alg_policy["ED448"].algorithm = "ED448"
+        self.alg_policy["ED448"].name = "ED448"
+        self.alg_policy["ED448"].ksk_keysize = None
+        self.alg_policy["ED448"].zsk_keysize = None
+
+        if filename:
+            self.load(filename)
+
+    def load(self, filename):
+        self.filename = filename
+        self.initial = True
+        with open(filename) as f:
+            text = f.read()
+            self.plex.lexer.lineno = 0
+            self.parser.parse(text)
+
+        self.filename = None
+
+    def setup(self, text):
+        self.initial = True
+        self.plex.lexer.lineno = 0
+        self.parser.parse(text)
+
+    def policy(self, zone, **kwargs):
+        z = zone.lower()
+        p = None
+
+        if z in self.zone_policy:
+            p = self.zone_policy[z]
+
+        if p is None:
+            p = copy(self.named_policy["default"])
+            p.name = zone
+            p.is_constructed = True
+
+        if p.algorithm is None:
+            parent = p.parent or self.named_policy["default"]
+            while parent and not parent.algorithm:
+                parent = parent.parent
+            p.algorithm = parent and parent.algorithm or None
+
+        if p.algorithm in self.alg_policy:
+            ap = self.alg_policy[p.algorithm]
+        else:
+            raise PolicyException("algorithm not found")
+
+        if p.directory is None:
+            parent = p.parent or self.named_policy["default"]
+            while parent is not None and not parent.directory:
+                parent = parent.parent
+            p.directory = parent and parent.directory
+
+        if p.coverage is None:
+            parent = p.parent or self.named_policy["default"]
+            while parent and not parent.coverage:
+                parent = parent.parent
+            p.coverage = parent and parent.coverage or ap.coverage
+
+        if p.ksk_keysize is None:
+            parent = p.parent or self.named_policy["default"]
+            while parent.parent and not parent.ksk_keysize:
+                parent = parent.parent
+            p.ksk_keysize = parent and parent.ksk_keysize or ap.ksk_keysize
+
+        if p.zsk_keysize is None:
+            parent = p.parent or self.named_policy["default"]
+            while parent.parent and not parent.zsk_keysize:
+                parent = parent.parent
+            p.zsk_keysize = parent and parent.zsk_keysize or ap.zsk_keysize
+
+        if p.ksk_rollperiod is None:
+            parent = p.parent or self.named_policy["default"]
+            while parent.parent and not parent.ksk_rollperiod:
+                parent = parent.parent
+            p.ksk_rollperiod = parent and parent.ksk_rollperiod or ap.ksk_rollperiod
+
+        if p.zsk_rollperiod is None:
+            parent = p.parent or self.named_policy["default"]
+            while parent.parent and not parent.zsk_rollperiod:
+                parent = parent.parent
+            p.zsk_rollperiod = parent and parent.zsk_rollperiod or ap.zsk_rollperiod
+
+        if p.ksk_prepublish is None:
+            parent = p.parent or self.named_policy["default"]
+            while parent.parent and not parent.ksk_prepublish:
+                parent = parent.parent
+            p.ksk_prepublish = parent and parent.ksk_prepublish or ap.ksk_prepublish
+
+        if p.zsk_prepublish is None:
+            parent = p.parent or self.named_policy["default"]
+            while parent.parent and not parent.zsk_prepublish:
+                parent = parent.parent
+            p.zsk_prepublish = parent and parent.zsk_prepublish or ap.zsk_prepublish
+
+        if p.ksk_postpublish is None:
+            parent = p.parent or self.named_policy["default"]
+            while parent.parent and not parent.ksk_postpublish:
+                parent = parent.parent
+            p.ksk_postpublish = parent and parent.ksk_postpublish or ap.ksk_postpublish
+
+        if p.zsk_postpublish is None:
+            parent = p.parent or self.named_policy["default"]
+            while parent.parent and not parent.zsk_postpublish:
+                parent = parent.parent
+            p.zsk_postpublish = parent and parent.zsk_postpublish or ap.zsk_postpublish
+
+        if p.keyttl is None:
+            parent = p.parent or self.named_policy["default"]
+            while parent is not None and not parent.keyttl:
+                parent = parent.parent
+            p.keyttl = parent and parent.keyttl
+
+        if "novalidate" not in kwargs or not kwargs["novalidate"]:
+            (valid, msg) = p.validate()
+            if not valid:
+                raise PolicyException(msg)
+                return None
+
+        return p
+
+    def p_policylist(self, p):
+        """policylist : init policy
+        | policylist policy"""
+        pass
+
+    def p_init(self, p):
+        "init :"
+        self.initial = False
+
+    def p_policy(self, p):
+        """policy : alg_policy
+        | zone_policy
+        | named_policy"""
+        pass
+
+    def p_name(self, p):
+        """name : STR
+        | KEYTYPE
+        | DATESUFFIX"""
+        p[0] = p[1]
+        pass
+
+    def p_domain(self, p):
+        """domain : STR
+        | QSTRING
+        | KEYTYPE
+        | DATESUFFIX"""
+        p[0] = p[1].strip()
+        if not re.match(r"^[\w.-][\w.-]*$", p[0]):
+            raise PolicyException("invalid domain")
+        pass
+
+    def p_new_policy(self, p):
+        "new_policy :"
+        self.current = Policy()
+
+    def p_alg_policy(self, p):
+        "alg_policy : ALGORITHM_POLICY ALGNAME new_policy alg_option_group SEMI"
+        self.current.name = p[2]
+        self.current.is_alg = True
+        self.alg_policy[p[2]] = self.current
+        pass
+
+    def p_zone_policy(self, p):
+        "zone_policy : ZONE domain new_policy policy_option_group SEMI"
+        self.current.name = p[2].rstrip(".")
+        self.current.is_zone = True
+        self.zone_policy[p[2].rstrip(".").lower()] = self.current
+        pass
+
+    def p_named_policy(self, p):
+        "named_policy : POLICY name new_policy policy_option_group SEMI"
+        self.current.name = p[2]
+        self.named_policy[p[2].lower()] = self.current
+        pass
+
+    def p_duration_1(self, p):
+        "duration : NUMBER"
+        p[0] = p[1]
+        pass
+
+    def p_duration_2(self, p):
+        "duration : NONE"
+        p[0] = None
+        pass
+
+    def p_duration_3(self, p):
+        "duration : NUMBER DATESUFFIX"
+        if p[2] == "y":
+            p[0] = p[1] * 31536000  # year
+        elif p[2] == "mo":
+            p[0] = p[1] * 2592000  # month
+        elif p[2] == "w":
+            p[0] = p[1] * 604800  # week
+        elif p[2] == "d":
+            p[0] = p[1] * 86400  # day
+        elif p[2] == "h":
+            p[0] = p[1] * 3600  # hour
+        elif p[2] == "mi":
+            p[0] = p[1] * 60  # minute
+        elif p[2] == "s":
+            p[0] = p[1]  # second
+        else:
+            raise PolicyException("invalid duration")
+
+    def p_policy_option_group(self, p):
+        "policy_option_group : LBRACE policy_option_list RBRACE"
+        pass
+
+    def p_policy_option_list(self, p):
+        """policy_option_list : policy_option SEMI
+        | policy_option_list policy_option SEMI"""
+        pass
+
+    def p_policy_option(self, p):
+        """policy_option : parent_option
+        | directory_option
+        | coverage_option
+        | rollperiod_option
+        | prepublish_option
+        | postpublish_option
+        | keysize_option
+        | algorithm_option
+        | keyttl_option
+        | standby_option"""
+        pass
+
+    def p_alg_option_group(self, p):
+        "alg_option_group : LBRACE alg_option_list RBRACE"
+        pass
+
+    def p_alg_option_list(self, p):
+        """alg_option_list : alg_option SEMI
+        | alg_option_list alg_option SEMI"""
+        pass
+
+    def p_alg_option(self, p):
+        """alg_option : coverage_option
+        | rollperiod_option
+        | prepublish_option
+        | postpublish_option
+        | keyttl_option
+        | keysize_option
+        | standby_option"""
+        pass
+
+    def p_parent_option(self, p):
+        "parent_option : POLICY name"
+        self.current.parent = self.named_policy[p[2].lower()]
+
+    def p_directory_option(self, p):
+        "directory_option : DIRECTORY QSTRING"
+        self.current.directory = p[2]
+
+    def p_coverage_option(self, p):
+        "coverage_option : COVERAGE duration"
+        self.current.coverage = p[2]
+
+    def p_rollperiod_option(self, p):
+        "rollperiod_option : ROLL_PERIOD KEYTYPE duration"
+        if p[2] == "KSK":
+            self.current.ksk_rollperiod = p[3]
+        else:
+            self.current.zsk_rollperiod = p[3]
+
+    def p_prepublish_option(self, p):
+        "prepublish_option : PRE_PUBLISH KEYTYPE duration"
+        if p[2] == "KSK":
+            self.current.ksk_prepublish = p[3]
+        else:
+            self.current.zsk_prepublish = p[3]
+
+    def p_postpublish_option(self, p):
+        "postpublish_option : POST_PUBLISH KEYTYPE duration"
+        if p[2] == "KSK":
+            self.current.ksk_postpublish = p[3]
+        else:
+            self.current.zsk_postpublish = p[3]
+
+    def p_keysize_option(self, p):
+        "keysize_option : KEY_SIZE KEYTYPE NUMBER"
+        if p[2] == "KSK":
+            self.current.ksk_keysize = p[3]
+        else:
+            self.current.zsk_keysize = p[3]
+
+    def p_standby_option(self, p):
+        "standby_option : STANDBY KEYTYPE NUMBER"
+        if p[2] == "KSK":
+            self.current.ksk_standby = p[3]
+        else:
+            self.current.zsk_standby = p[3]
+
+    def p_keyttl_option(self, p):
+        "keyttl_option : KEYTTL duration"
+        self.current.keyttl = p[2]
+
+    def p_algorithm_option(self, p):
+        "algorithm_option : ALGORITHM ALGNAME"
+        self.current.algorithm = p[2]
+
+    def p_error(self, p):
+        if p:
+            print(
+                "%s%s%d:syntax error near '%s'"
+                % (self.filename or "", ":" if self.filename else "", p.lineno, p.value)
+            )
+        else:
+            if not self.initial:
+                raise PolicyException(
+                    "%s%s%d:unexpected end of input"
+                    % (
+                        self.filename or "",
+                        ":" if self.filename else "",
+                        p and p.lineno or 0,
+                    )
+                )
+
+
+if __name__ == "__main__":
+    import sys
+
+    if sys.argv[1] == "lex":
+        file = open(sys.argv[2])
+        text = file.read()
+        file.close()
+        plex = PolicyLex(debug=1)
+        plex.test(text)
+    elif sys.argv[1] == "parse":
+        try:
+            pp = dnssec_policy(sys.argv[2], write_tables=True, debug=True)
+            print(pp.named_policy["default"])
+            print(pp.policy("nonexistent.zone"))
+        except Exception as e:
+            print(e.args[0])
diff --git a/bin/python/isc/rndc.py.in b/bin/python/isc/rndc.py.in
new file mode 100644
index 0000000..a8af767
--- /dev/null
+++ b/bin/python/isc/rndc.py.in
@@ -0,0 +1,193 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+############################################################################
+# rndc.py
+# This module implements the RNDC control protocol.
+############################################################################
+
+from collections import OrderedDict
+import time
+import struct
+import hashlib
+import hmac
+import base64
+import random
+import socket
+
+
+class rndc(object):
+    """RNDC protocol client library"""
+
+    __algos = {
+        "md5": 157,
+        "sha1": 161,
+        "sha224": 162,
+        "sha256": 163,
+        "sha384": 164,
+        "sha512": 165,
+    }
+
+    def __init__(self, host, algo, secret):
+        """Creates a persistent connection to RNDC and logs in
+        host - (ip, port) tuple
+        algo - HMAC algorithm: one of md5, sha1, sha224, sha256, sha384, sha512
+               (with optional prefix 'hmac-')
+        secret - HMAC secret, base64 encoded"""
+        self.host = host
+        algo = algo.lower()
+        if algo.startswith("hmac-"):
+            algo = algo[5:]
+        self.algo = algo
+        self.hlalgo = getattr(hashlib, algo)
+        self.secret = base64.b64decode(secret)
+        self.ser = random.randint(0, 1 << 24)
+        self.nonce = None
+        self.__connect_login()
+
+    def call(self, cmd):
+        """Call a RNDC command, all parsing is done on the server side
+        cmd - a complete string with a command (eg 'reload zone example.com')
+        """
+        return dict(self.__command(type=cmd)["_data"])
+
+    def __serialize_dict(self, data, ignore_auth=False):
+        rv = bytearray()
+        for k, v in data.items():
+            if ignore_auth and k == "_auth":
+                continue
+            rv += struct.pack("B", len(k)) + k.encode("ascii")
+            if type(v) == str:
+                rv += struct.pack(">BI", 1, len(v)) + v.encode("ascii")
+            elif type(v) == bytes:
+                rv += struct.pack(">BI", 1, len(v)) + v
+            elif type(v) == bytearray:
+                rv += struct.pack(">BI", 1, len(v)) + v
+            elif type(v) == OrderedDict:
+                sd = self.__serialize_dict(v)
+                rv += struct.pack(">BI", 2, len(sd)) + sd
+            else:
+                raise NotImplementedError(
+                    "Cannot serialize element of type %s" % type(v)
+                )
+        return rv
+
+    def __prep_message(self, *args, **kwargs):
+        self.ser += 1
+        now = int(time.time())
+        data = OrderedDict(*args, **kwargs)
+
+        d = OrderedDict()
+        d["_auth"] = OrderedDict()
+        d["_ctrl"] = OrderedDict()
+        d["_ctrl"]["_ser"] = str(self.ser)
+        d["_ctrl"]["_tim"] = str(now)
+        d["_ctrl"]["_exp"] = str(now + 60)
+        if self.nonce is not None:
+            d["_ctrl"]["_nonce"] = self.nonce
+        d["_data"] = data
+
+        msg = self.__serialize_dict(d, ignore_auth=True)
+        hash = hmac.new(self.secret, msg, self.hlalgo).digest()
+        bhash = base64.b64encode(hash)
+        if self.algo == "md5":
+            d["_auth"]["hmd5"] = struct.pack("22s", bhash)
+        else:
+            d["_auth"]["hsha"] = bytearray(
+                struct.pack("B88s", self.__algos[self.algo], bhash)
+            )
+        msg = self.__serialize_dict(d)
+        msg = struct.pack(">II", len(msg) + 4, 1) + msg
+        return msg
+
+    def __verify_msg(self, msg):
+        if self.nonce is not None and msg["_ctrl"]["_nonce"] != self.nonce:
+            return False
+        if self.algo == "md5":
+            bhash = msg["_auth"]["hmd5"]
+        else:
+            bhash = msg["_auth"]["hsha"][1:]
+        if type(bhash) == bytes:
+            bhash = bhash.decode("ascii")
+        bhash += "=" * (4 - (len(bhash) % 4))
+        remote_hash = base64.b64decode(bhash)
+        my_msg = self.__serialize_dict(msg, ignore_auth=True)
+        my_hash = hmac.new(self.secret, my_msg, self.hlalgo).digest()
+        return my_hash == remote_hash
+
+    def __command(self, *args, **kwargs):
+        msg = self.__prep_message(*args, **kwargs)
+        sent = self.socket.send(msg)
+        if sent != len(msg):
+            raise IOError("Cannot send the message")
+
+        header = self.socket.recv(8)
+        if len(header) != 8:
+            # What should we throw here? Bad auth can cause this...
+            raise IOError("Can't read response header")
+
+        length, version = struct.unpack(">II", header)
+        if version != 1:
+            raise NotImplementedError("Wrong message version %d" % version)
+
+        # it includes the header
+        length -= 4
+        data = self.socket.recv(length, socket.MSG_WAITALL)
+        if len(data) != length:
+            raise IOError("Can't read response data")
+
+        if type(data) == str:
+            data = bytearray(data)
+        msg = self.__parse_message(data)
+        if not self.__verify_msg(msg):
+            raise IOError("Authentication failure")
+
+        return msg
+
+    def __connect_login(self):
+        self.socket = socket.create_connection(self.host)
+        self.nonce = None
+        msg = self.__command(type="null")
+        self.nonce = msg["_ctrl"]["_nonce"]
+
+    def __parse_element(self, input):
+        pos = 0
+        labellen = input[pos]
+        pos += 1
+        label = input[pos : pos + labellen].decode("ascii")
+        pos += labellen
+        type = input[pos]
+        pos += 1
+        datalen = struct.unpack(">I", input[pos : pos + 4])[0]
+        pos += 4
+        data = input[pos : pos + datalen]
+        pos += datalen
+        rest = input[pos:]
+
+        if type == 1:  # raw binary value
+            return label, data, rest
+        elif type == 2:  # dictionary
+            d = OrderedDict()
+            while len(data) > 0:
+                ilabel, value, data = self.__parse_element(data)
+                d[ilabel] = value
+            return label, d, rest
+        # TODO type 3 - list
+        else:
+            raise NotImplementedError("Unknown element type %d" % type)
+
+    def __parse_message(self, input):
+        rv = OrderedDict()
+        hdata = None
+        while len(input) > 0:
+            label, value, input = self.__parse_element(input)
+            rv[label] = value
+        return rv
diff --git a/bin/python/isc/tests/Makefile.in b/bin/python/isc/tests/Makefile.in
new file mode 100644
index 0000000..233f7f9
--- /dev/null
+++ b/bin/python/isc/tests/Makefile.in
@@ -0,0 +1,33 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+@BIND9_MAKE_INCLUDES@
+
+PYTHON	=	@PYTHON@
+
+PYTESTS =	dnskey_test.py policy_test.py
+
+@BIND9_MAKE_RULES@
+
+check test:
+	for test in $(PYTESTS); do \
+		PYTHONPATH=${srcdir}/../.. $(PYTHON) ${srcdir}/$$test; \
+	done
+
+clean distclean::
+	rm -rf *.pyc __pycache__
+
+distclean::
+	rm -f ${PYTESTS}
diff --git a/bin/python/isc/tests/dnskey_test.py.in b/bin/python/isc/tests/dnskey_test.py.in
new file mode 100644
index 0000000..e3ce3f7
--- /dev/null
+++ b/bin/python/isc/tests/dnskey_test.py.in
@@ -0,0 +1,54 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import sys
+import unittest
+
+sys.path.append("../..")
+from isc import *
+
+kdict = None
+
+
+def getkey():
+    global kdict
+    if not kdict:
+        kd = keydict(path="testdata")
+    for key in kd:
+        return key
+
+
+class DnskeyTest(unittest.TestCase):
+    def test_metdata(self):
+        key = getkey()
+        self.assertEqual(key.created(), 1448055647)
+        self.assertEqual(key.publish(), 1445463714)
+        self.assertEqual(key.activate(), 1448055714)
+        self.assertEqual(key.revoke(), 1479591714)
+        self.assertEqual(key.inactive(), 1511127714)
+        self.assertEqual(key.delete(), 1542663714)
+        self.assertEqual(key.syncpublish(), 1442871714)
+        self.assertEqual(key.syncdelete(), 1448919714)
+
+    def test_fmttime(self):
+        key = getkey()
+        self.assertEqual(key.getfmttime("Created"), "20151120214047")
+        self.assertEqual(key.getfmttime("Publish"), "20151021214154")
+        self.assertEqual(key.getfmttime("Activate"), "20151120214154")
+        self.assertEqual(key.getfmttime("Revoke"), "20161119214154")
+        self.assertEqual(key.getfmttime("Inactive"), "20171119214154")
+        self.assertEqual(key.getfmttime("Delete"), "20181119214154")
+        self.assertEqual(key.getfmttime("SyncPublish"), "20150921214154")
+        self.assertEqual(key.getfmttime("SyncDelete"), "20151130214154")
+
+
+if __name__ == "__main__":
+    unittest.main()
diff --git a/bin/python/isc/tests/policy_test.py.in b/bin/python/isc/tests/policy_test.py.in
new file mode 100644
index 0000000..c115a31
--- /dev/null
+++ b/bin/python/isc/tests/policy_test.py.in
@@ -0,0 +1,104 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import sys
+import unittest
+
+sys.path.append("../..")
+from isc import *
+
+
+class PolicyTest(unittest.TestCase):
+    def test_keysize(self):
+        pol = policy.dnssec_policy()
+        pol.load("test-policies/01-keysize.pol")
+
+        p = pol.policy("good_rsa.test", novalidate=True)
+        self.assertEqual(p.get_name(), "good_rsa.test")
+        self.assertEqual(p.constructed(), False)
+        self.assertEqual(p.validate(), (True, ""))
+
+    def test_prepublish(self):
+        pol = policy.dnssec_policy()
+        pol.load("test-policies/02-prepublish.pol")
+        p = pol.policy("good_prepublish.test", novalidate=True)
+        self.assertEqual(p.validate(), (True, ""))
+
+        p = pol.policy("bad_prepublish.test", novalidate=True)
+        self.assertEqual(
+            p.validate(),
+            (
+                False,
+                "KSK pre/post-publish periods "
+                "(10368000/5184000) combined exceed "
+                "rollover period 10368000",
+            ),
+        )
+
+    def test_postpublish(self):
+        pol = policy.dnssec_policy()
+        pol.load("test-policies/03-postpublish.pol")
+
+        p = pol.policy("good_postpublish.test", novalidate=True)
+        self.assertEqual(p.validate(), (True, ""))
+
+        p = pol.policy("bad_postpublish.test", novalidate=True)
+        self.assertEqual(
+            p.validate(),
+            (
+                False,
+                "KSK pre/post-publish periods "
+                "(10368000/5184000) combined exceed "
+                "rollover period 10368000",
+            ),
+        )
+
+    def test_combined_pre_post(self):
+        pol = policy.dnssec_policy()
+        pol.load("test-policies/04-combined-pre-post.pol")
+
+        p = pol.policy("good_combined_pre_post_ksk.test", novalidate=True)
+        self.assertEqual(p.validate(), (True, ""))
+
+        p = pol.policy("bad_combined_pre_post_ksk.test", novalidate=True)
+        self.assertEqual(
+            p.validate(),
+            (
+                False,
+                "KSK pre/post-publish periods "
+                "(5184000/5184000) combined exceed "
+                "rollover period 10368000",
+            ),
+        )
+
+        p = pol.policy("good_combined_pre_post_zsk.test", novalidate=True)
+        self.assertEqual(p.validate(), (True, ""))
+        p = pol.policy("bad_combined_pre_post_zsk.test", novalidate=True)
+        self.assertEqual(
+            p.validate(),
+            (
+                False,
+                "ZSK pre/post-publish periods "
+                "(5184000/5184000) combined exceed "
+                "rollover period 7776000",
+            ),
+        )
+
+    def test_numeric_zone(self):
+        pol = policy.dnssec_policy()
+        pol.load("test-policies/05-numeric-zone.pol")
+
+        p = pol.policy("99example.test", novalidate=True)
+        self.assertEqual(p.validate(), (True, ""))
+
+
+if __name__ == "__main__":
+    unittest.main()
diff --git a/bin/python/isc/tests/test-policies/01-keysize.pol b/bin/python/isc/tests/test-policies/01-keysize.pol
new file mode 100644
index 0000000..db22058
--- /dev/null
+++ b/bin/python/isc/tests/test-policies/01-keysize.pol
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+policy keysize_rsa {
+	algorithm rsasha1;
+	coverage 1y;
+	roll-period zsk 3mo;
+	pre-publish zsk 2w;
+	post-publish zsk 2w;
+	roll-period ksk 1y;
+	pre-publish ksk 1mo;
+	post-publish ksk 2mo;
+	keyttl 1h;
+	key-size ksk 2048;
+	key-size zsk 1024;
+};
+
+policy keysize_dsa {
+	algorithm dsa;
+	coverage 1y;
+	key-size ksk 2048;
+	key-size zsk 1024;
+};
+
+zone good_rsa.test {
+	policy keysize_rsa;
+};
+
+zone bad_rsa.test {
+	policy keysize_rsa;
+	key-size ksk 511;
+};
+
+zone good_dsa.test {
+	policy keysize_dsa;
+	key-size ksk 1024;
+	key-size zsk 768;
+};
+
+zone bad_dsa.test {
+	policy keysize_dsa;
+	key-size ksk 1024;
+	key-size zsk 769;
+};
diff --git a/bin/python/isc/tests/test-policies/02-prepublish.pol b/bin/python/isc/tests/test-policies/02-prepublish.pol
new file mode 100644
index 0000000..7dd1b32
--- /dev/null
+++ b/bin/python/isc/tests/test-policies/02-prepublish.pol
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+policy prepublish_rsa {
+	algorithm rsasha1;
+	coverage 1y;
+	roll-period zsk 3mo;
+	pre-publish zsk 2w;
+	post-publish zsk 2w;
+	roll-period ksk 1y;
+	pre-publish ksk 1mo;
+	post-publish ksk 2mo;
+	keyttl 1h;
+	key-size ksk 2048;
+	key-size zsk 1024;
+};
+
+// Policy that defines a pre-publish period lower than the rollover period
+zone good_prepublish.test {
+	policy prepublish_rsa;
+	coverage 6mo;
+	roll-period ksk 4mo;
+	pre-publish ksk 1mo;
+};
+
+// Policy that defines a pre-publish period equal to the rollover period
+zone bad_prepublish.test {
+	policy prepublish_rsa;
+	coverage 6mo;
+	roll-period ksk 4mo;
+	pre-publish ksk 4mo;
+};
+
+
diff --git a/bin/python/isc/tests/test-policies/03-postpublish.pol b/bin/python/isc/tests/test-policies/03-postpublish.pol
new file mode 100644
index 0000000..74bd822
--- /dev/null
+++ b/bin/python/isc/tests/test-policies/03-postpublish.pol
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+policy postpublish_rsa {
+	algorithm rsasha1;
+	coverage 1y;
+	roll-period zsk 3mo;
+	pre-publish zsk 2w;
+	post-publish zsk 2w;
+	roll-period ksk 1y;
+	pre-publish ksk 1mo;
+	post-publish ksk 2mo;
+	keyttl 1h;
+	key-size ksk 2048;
+	key-size zsk 1024;
+};
+
+// Policy that defines a post-publish period lower than the rollover period
+zone good_postpublish.test {
+	policy postpublish_rsa;
+	coverage 6mo;
+	roll-period ksk 4mo;
+	pre-publish ksk 1mo;
+};
+
+// Policy that defines a post-publish period equal to the rollover period
+zone bad_postpublish.test {
+	policy postpublish_rsa;
+	coverage 6mo;
+	roll-period ksk 4mo;
+	pre-publish ksk 4mo;
+};
+
+
diff --git a/bin/python/isc/tests/test-policies/04-combined-pre-post.pol b/bin/python/isc/tests/test-policies/04-combined-pre-post.pol
new file mode 100644
index 0000000..82c001c
--- /dev/null
+++ b/bin/python/isc/tests/test-policies/04-combined-pre-post.pol
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+policy combined_pre_post_rsa {
+	algorithm rsasha1;
+	coverage 1y;
+	roll-period zsk 3mo;
+	pre-publish zsk 2w;
+	post-publish zsk 2w;
+	roll-period ksk 1y;
+	pre-publish ksk 1mo;
+	post-publish ksk 2mo;
+	keyttl 1h;
+	key-size ksk 2048;
+	key-size zsk 1024;
+};
+
+// Policy that defines a combined pre-publish and post-publish period lower
+// than the rollover period
+zone good_combined_pre_post_ksk.test {
+	policy combined_pre_post_rsa;
+	coverage 6mo;
+	roll-period ksk 4mo;
+	pre-publish ksk 1mo;
+	post-publish ksk 1mo;
+};
+
+// Policy that defines a combined pre-publish and post-publish period higher
+// than the rollover period
+zone bad_combined_pre_post_ksk.test {
+	policy combined_pre_post_rsa;
+	coverage 6mo;
+	roll-period ksk 4mo;
+	pre-publish ksk 2mo;
+	post-publish ksk 2mo;
+};
+
+// Policy that defines a combined pre-publish and post-publish period lower
+// than the rollover period
+zone good_combined_pre_post_zsk.test {
+	policy combined_pre_post_rsa;
+	coverage 1y;
+	roll-period zsk 3mo;
+	pre-publish zsk 1mo;
+	post-publish zsk 1mo;
+};
+
+// Policy that defines a combined pre-publish and post-publish period higher
+// than the rollover period
+zone bad_combined_pre_post_zsk.test {
+	policy combined_pre_post_rsa;
+	coverage 1y;
+	roll-period zsk 3mo;
+	pre-publish zsk 2mo;
+	post-publish zsk 2mo;
+};
+
+
diff --git a/bin/python/isc/tests/test-policies/05-numeric-zone.pol b/bin/python/isc/tests/test-policies/05-numeric-zone.pol
new file mode 100644
index 0000000..26e546b
--- /dev/null
+++ b/bin/python/isc/tests/test-policies/05-numeric-zone.pol
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// Zone policy that uses a numeric name
+zone "99example.test" {
+	coverage 6mo;
+};
diff --git a/bin/python/isc/tests/testdata/Kexample.com.+007+35529.key b/bin/python/isc/tests/testdata/Kexample.com.+007+35529.key
new file mode 100644
index 0000000..c5afbe2
--- /dev/null
+++ b/bin/python/isc/tests/testdata/Kexample.com.+007+35529.key
@@ -0,0 +1,8 @@
+; This is a key-signing key, keyid 35529, for example.com.
+; Created: 20151120214047 (Fri Nov 20 13:40:47 2015)
+; Publish: 20151021214154 (Wed Oct 21 14:41:54 2015)
+; Activate: 20151120214154 (Fri Nov 20 13:41:54 2015)
+; Revoke: 20161119214154 (Sat Nov 19 13:41:54 2016)
+; Inactive: 20171119214154 (Sun Nov 19 13:41:54 2017)
+; Delete: 20181119214154 (Mon Nov 19 13:41:54 2018)
+example.com. IN DNSKEY 257 3 7 AwEAAbbJK96tY8d4sF6RLxh9SVIhho5s2ZhrcijT5j1SNLECen7QLutj VJPEiG8UgBLaJSGkxPDxOygYv4hwh4JXBSj89o9rNabAJtCa9XzIXSpt /cfiCfvqmcOZb9nepmDCXsC7gn/gbae/4Y5ym9XOiCp8lu+tlFWgRiJ+ kxDGN48rRPrGfpq+SfwM9NUtftVa7B0EFVzDkADKedRj0SSGYOqH+WYH CnWjhPFmgJoAw3/m4slTHW1l+mDwFvsCMjXopg4JV0CNnTybnOmyuIwO LWRhB3q8ze24sYBU1fpE9VAMxZ++4Kqh/2MZFeDAs7iPPKSmI3wkRCW5 pkwDLO5lJ9c=
diff --git a/bin/python/isc/tests/testdata/Kexample.com.+007+35529.private b/bin/python/isc/tests/testdata/Kexample.com.+007+35529.private
new file mode 100644
index 0000000..af22c6a
--- /dev/null
+++ b/bin/python/isc/tests/testdata/Kexample.com.+007+35529.private
@@ -0,0 +1,18 @@
+Private-key-format: v1.3
+Algorithm: 7 (NSEC3RSASHA1)
+Modulus: tskr3q1jx3iwXpEvGH1JUiGGjmzZmGtyKNPmPVI0sQJ6ftAu62NUk8SIbxSAEtolIaTE8PE7KBi/iHCHglcFKPz2j2s1psAm0Jr1fMhdKm39x+IJ++qZw5lv2d6mYMJewLuCf+Btp7/hjnKb1c6IKnyW762UVaBGIn6TEMY3jytE+sZ+mr5J/Az01S1+1VrsHQQVXMOQAMp51GPRJIZg6of5ZgcKdaOE8WaAmgDDf+biyVMdbWX6YPAW+wIyNeimDglXQI2dPJuc6bK4jA4tZGEHerzN7bixgFTV+kT1UAzFn77gqqH/YxkV4MCzuI88pKYjfCREJbmmTAMs7mUn1w==
+PublicExponent: AQAB
+PrivateExponent: jfiM6YU1Rd6Y5qrPsK7HP1Ko54DmNbvmzI1hfGmYYZAyQsNCXjQloix5aAW9QGdNhecrzJUhxJAMXFZC+lrKuD5a56R25JDE1Sw21nft3SHXhuQrqw5Z5hIMTWXhRrBR1lMOFnLj2PJxqCmenp+vJYjl1z20RBmbv/keE15SExFRJIJ3G0lI4V0KxprY5rgsT/vID0pS32f7rmXhgEzyWDyuxceTMidBooD5BSeEmSTYa4rvCVZ2vgnzIGSxjYDPJE2rGve2dpvdXQuujRFaf4+/FzjaOgg35rTtUmC9klfB4D6KJIfc1PNUwcH7V0VJ2fFlgZgMYi4W331QORl9sQ==
+Prime1: 479rW3EeoBwHhUKDy5YeyfnMKjhaosrcYhW4resevLzatFrvS/n2KxJnsHoEzmGr2A13naI61RndgVBBOwNDWI3/tQ+aKvcr+V9m4omROV3xYa8s1FsDbEW0Z6G0UheaqRFir8WK98/Lj6Zht1uBXHSPPf91OW0qj+b5gbX7TK8=
+Prime2: zXXlxgIq+Ih6kxsUw4Ith0nd/d2P3d42QYPjxYjsg4xYicPAjva9HltnbBQ2lr4JEG9Yyb8KalSnJUSuvXtn7bGfBzLu8W6omCeVWXQVH4NIu9AjpO16NpMKWGRfiHHbbSYJs1daTZKHC2FEmi18MKX/RauHGGOakFQ/3A/GMVk=
+Exponent1: 0o9UQ1uHNAIWFedUEHJ/jr7LOrGVYnLpZCmu7+S0K0zzatGz8ets44+FnAyDywdUKFDzKSMm/4SFXRwE4vl2VzYZlp2RLG4PEuRYK9OCF6a6F1UsvjxTItQjIbjIDSnTjMINGnMps0lDa1EpgKsyI3eEQ46eI3TBZ//k6D6G0vM=
+Exponent2: d+CYJgXRyJzo17fvT3s+0TbaHWsOq+chROyNEw4m4UIbzpW2XjO8eF/gYgERMLbEVyCAb4XVr+CgfXArfEbqhpciMHMZUyi7mbtOupiuUmqpH1v70Bj3O6xjVtuJmfTEkFSnSEppV+VsgclI26Q6V7Ai1yWTdzl2T0u4zs8tVlE=
+Coefficient: E4EYw76gIChdQDn6+Uh44/xH9Uwmvq3OETR8w/kEZ0xQ8AkTdKFKUp84nlR6gN+ljb2mUxERKrVLwnBsU8EbUlo9UccMbBGkkZ/8MyfGCBb9nUyOFtOxdHY2M0MQadesRptXHt/m30XjdohwmT7qfSIENwtgUOHbwFnn7WPMc/k=
+Created: 20151120214047
+Publish: 20151021214154
+Activate: 20151120214154
+Revoke: 20161119214154
+Inactive: 20171119214154
+Delete: 20181119214154
+SyncPublish: 20150921214154
+SyncDelete: 20151130214154
diff --git a/bin/python/isc/utils.py.in b/bin/python/isc/utils.py.in
new file mode 100644
index 0000000..3ce4d4c
--- /dev/null
+++ b/bin/python/isc/utils.py.in
@@ -0,0 +1,71 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import os
+
+# These routines permit platform-independent location of BIND 9 tools
+if os.name == "nt":
+    import win32con
+    import win32api
+
+
+def prefix(bindir=""):
+    if os.name != "nt":
+        return os.path.join("@prefix@", bindir)
+
+    hklm = win32con.HKEY_LOCAL_MACHINE
+    bind_subkey = "Software\\ISC\\BIND"
+    sam = win32con.KEY_READ
+    h_key = None
+    key_found = True
+    # can fail if the registry redirected for 32/64 bits
+    try:
+        h_key = win32api.RegOpenKeyEx(hklm, bind_subkey, 0, sam)
+    except:
+        key_found = False
+    # retry for 32 bit python with 64 bit bind9
+    if not key_found:
+        key_found = True
+        sam64 = sam | win32con.KEY_WOW64_64KEY
+        try:
+            h_key = win32api.RegOpenKeyEx(hklm, bind_subkey, 0, sam64)
+        except:
+            key_found = False
+    # retry 64 bit python with 32 bit bind9
+    if not key_found:
+        key_found = True
+        sam32 = sam | win32con.KEY_WOW64_32KEY
+        try:
+            h_key = win32api.RegOpenKeyEx(hklm, bind_subkey, 0, sam32)
+        except:
+            key_found = False
+    if key_found:
+        try:
+            (named_base, _) = win32api.RegQueryValueEx(h_key, "InstallDir")
+        except:
+            key_found = False
+        win32api.RegCloseKey(h_key)
+    if key_found:
+        return os.path.join(named_base, bindir)
+    return os.path.join(win32api.GetSystemDirectory(), bindir)
+
+
+def shellquote(s):
+    if os.name == "nt":
+        return '"' + s.replace('"', '"\\"') + '"'
+    return "'" + s.replace("'", "'\\''") + "'"
+
+
+version = "@BIND9_VERSION@"
+if os.name != "nt":
+    sysconfdir = "@expanded_sysconfdir@"
+else:
+    sysconfdir = prefix("etc")
diff --git a/bin/python/setup.py b/bin/python/setup.py
new file mode 100644
index 0000000..4440b74
--- /dev/null
+++ b/bin/python/setup.py
@@ -0,0 +1,28 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+try:
+    from setuptools import setup
+except ImportError:
+    # pylint: disable=deprecated-module
+    from distutils.core import setup
+
+setup(
+    name="isc",
+    version="2.0",
+    description="Python functions to support BIND utilities",
+    url="https://www.isc.org/bind",
+    author="Internet Systems Consortium, Inc",
+    author_email="info@isc.org",
+    license="MPL",
+    requires=["ply"],
+    packages=["isc"],
+)
diff --git a/bin/rndc/Makefile.in b/bin/rndc/Makefile.in
new file mode 100644
index 0000000..d2a5366
--- /dev/null
+++ b/bin/rndc/Makefile.in
@@ -0,0 +1,74 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
+	${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
+
+CDEFINES =
+CWARNINGS =
+
+ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
+ISCCCLIBS =	../../lib/isccc/libisccc.@A@
+ISCLIBS =	../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@
+DNSLIBS =	../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+BIND9LIBS =	../../lib/bind9/libbind9.@A@
+
+ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
+ISCCCDEPLIBS =	../../lib/isccc/libisccc.@A@
+ISCDEPLIBS =	../../lib/isc/libisc.@A@
+DNSDEPLIBS =	../../lib/dns/libdns.@A@
+BIND9DEPLIBS =	../../lib/bind9/libbind9.@A@
+
+LIBS =		${ISCLIBS} @LIBS@
+NOSYMLIBS =	${ISCNOSYMLIBS} @LIBS@
+
+RNDCDEPLIBS =	${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${BIND9DEPLIBS} ${DNSDEPLIBS} ${ISCDEPLIBS}
+
+CONFDEPLIBS =	${DNSDEPLIBS} ${ISCDEPLIBS}
+
+SRCS=		rndc.c
+
+TARGETS =	rndc@EXEEXT@
+
+@BIND9_MAKE_RULES@
+
+rndc.@O@: rndc.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+		-DVERSION=\"${VERSION}\" \
+		-DRNDC_CONFFILE=\"${sysconfdir}/rndc.conf\" \
+		-DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\" \
+		-c ${srcdir}/rndc.c
+
+rndc@EXEEXT@: rndc.@O@ util.@O@ ${RNDCDEPLIBS}
+	export BASEOBJS="rndc.@O@ util.@O@"; \
+	export LIBS0="${ISCCFGLIBS} ${ISCCCLIBS} ${BIND9LIBS} ${DNSLIBS} ${ISCLIBS}"; \
+	${FINALBUILDCMD}
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
+
+install:: rndc@EXEEXT@ installdirs
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc@EXEEXT@ ${DESTDIR}${sbindir}
+
+uninstall::
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/rndc@EXEEXT@
+
+clean distclean maintainer-clean::
+	rm -f ${TARGETS}
diff --git a/bin/rndc/include/.clang-format b/bin/rndc/include/.clang-format
new file mode 120000
index 0000000..0e62f72
--- /dev/null
+++ b/bin/rndc/include/.clang-format
@@ -0,0 +1 @@
+../../../.clang-format.headers
\ No newline at end of file
diff --git a/bin/rndc/include/rndc/os.h b/bin/rndc/include/rndc/os.h
new file mode 100644
index 0000000..000dbde
--- /dev/null
+++ b/bin/rndc/include/rndc/os.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#ifndef RNDC_OS_H
+#define RNDC_OS_H 1
+
+#include <stdio.h>
+
+#include <isc/lang.h>
+
+ISC_LANG_BEGINDECLS
+
+int
+set_user(FILE *fd, const char *user);
+/*%<
+ * Set the owner of the file referenced by 'fd' to 'user'.
+ * Returns:
+ *   0 		success
+ *   -1 	insufficient permissions, or 'user' does not exist.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ifndef RNDC_OS_H */
diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c
new file mode 100644
index 0000000..2fa9ca6
--- /dev/null
+++ b/bin/rndc/rndc.c
@@ -0,0 +1,1105 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/app.h>
+#include <isc/atomic.h>
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/file.h>
+#include <isc/log.h>
+#include <isc/managers.h>
+#include <isc/mem.h>
+#include <isc/net.h>
+#include <isc/print.h>
+#include <isc/random.h>
+#include <isc/refcount.h>
+#include <isc/socket.h>
+#include <isc/stdtime.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+
+#include <pk11/site.h>
+
+#include <dns/name.h>
+
+#include <isccc/alist.h>
+#include <isccc/base64.h>
+#include <isccc/cc.h>
+#include <isccc/ccmsg.h>
+#include <isccc/result.h>
+#include <isccc/sexpr.h>
+#include <isccc/types.h>
+#include <isccc/util.h>
+
+#include <isccfg/namedconf.h>
+
+#include <bind9/getaddresses.h>
+
+#include "util.h"
+
+#define SERVERADDRS 10
+
+const char *progname;
+bool verbose;
+
+static const char *admin_conffile;
+static const char *admin_keyfile;
+static const char *version = VERSION;
+static const char *servername = NULL;
+static isc_sockaddr_t serveraddrs[SERVERADDRS];
+static isc_sockaddr_t local4, local6;
+static bool local4set = false, local6set = false;
+static int nserveraddrs;
+static int currentaddr = 0;
+static unsigned int remoteport = 0;
+static isc_socketmgr_t *socketmgr = NULL;
+static isc_buffer_t *databuf;
+static isccc_ccmsg_t ccmsg;
+static uint32_t algorithm;
+static isccc_region_t secret;
+static bool failed = false;
+static bool c_flag = false;
+static isc_mem_t *rndc_mctx;
+static atomic_uint_fast32_t sends = 0;
+static atomic_uint_fast32_t recvs = 0;
+static atomic_uint_fast32_t connects = 0;
+static char *command;
+static char *args;
+static char program[256];
+static isc_socket_t *sock = NULL;
+static uint32_t serial;
+static bool quiet = false;
+static bool showresult = false;
+
+static void
+rndc_startconnect(isc_sockaddr_t *addr, isc_task_t *task);
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(int status) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(int status) {
+	fprintf(stderr, "\
+Usage: %s [-b address] [-c config] [-s server] [-p port]\n\
+	[-k key-file ] [-y key] [-r] [-V] [-4 | -6] command\n\
+\n\
+command is one of the following:\n\
+\n\
+  addzone zone [class [view]] { zone-options }\n\
+		Add zone to given view. Requires allow-new-zones option.\n\
+  delzone [-clean] zone [class [view]]\n\
+		Removes zone from given view.\n\
+  dnssec -checkds [-key id [-alg algorithm]] [-when time] (published|withdrawn) zone [class [view]]\n\
+		Mark the DS record for the KSK of the given zone as seen\n\
+		in the parent.  If the zone has multiple KSKs, select a\n\
+		specific key by providing the keytag with -key id and\n\
+		optionally the key's algorithm with -alg algorithm.\n\
+		Requires the zone to have a dnssec-policy.\n\
+  dnssec -rollover -key id [-alg algorithm] [-when time] zone [class [view]]\n\
+		Rollover key with id of the given zone. Requires the zone\n\
+		to have a dnssec-policy.\n\
+  dnssec -status zone [class [view]]\n\
+		Show the DNSSEC signing state for the specified zone.\n\
+		Requires the zone to have a dnssec-policy.\n\
+  dnstap -reopen\n\
+		Close, truncate and re-open the DNSTAP output file.\n\
+  dnstap -roll [count]\n\
+		Close, rename and re-open the DNSTAP output file(s).\n\
+  dumpdb [-all|-cache|-zones|-adb|-bad|-expired|-fail] [view ...]\n\
+		Dump cache(s) to the dump file (named_dump.db).\n\
+  flush 	Flushes all of the server's caches.\n\
+  flush [view]	Flushes the server's cache for a view.\n\
+  flushname name [view]\n\
+		Flush the given name from the server's cache(s)\n\
+  flushtree name [view]\n\
+		Flush all names under the given name from the server's cache(s)\n\
+  freeze	Suspend updates to all dynamic zones.\n\
+  freeze zone [class [view]]\n\
+		Suspend updates to a dynamic zone.\n\
+  halt		Stop the server without saving pending updates.\n\
+  halt -p	Stop the server without saving pending updates reporting\n\
+		process id.\n\
+  loadkeys zone [class [view]]\n\
+		Update keys without signing immediately.\n\
+  managed-keys refresh [class [view]]\n\
+		Check trust anchor for RFC 5011 key changes\n\
+  managed-keys status [class [view]]\n\
+		Display RFC 5011 managed keys information\n\
+  managed-keys sync [class [view]]\n\
+		Write RFC 5011 managed keys to disk\n\
+  modzone zone [class [view]] { zone-options }\n\
+		Modify a zone's configuration.\n\
+		Requires allow-new-zones option.\n\
+  notify zone [class [view]]\n\
+		Resend NOTIFY messages for the zone.\n\
+  notrace	Set debugging level to 0.\n\
+  nta -dump\n\
+		List all negative trust anchors.\n\
+  nta [-lifetime duration] [-force] domain [view]\n\
+		Set a negative trust anchor, disabling DNSSEC validation\n\
+		for the given domain.\n\
+		Using -lifetime specifies the duration of the NTA, up\n\
+		to one week.\n\
+		Using -force prevents the NTA from expiring before its\n\
+		full lifetime, even if the domain can validate sooner.\n\
+  nta -remove domain [view]\n\
+		Remove a negative trust anchor, re-enabling validation\n\
+		for the given domain.\n\
+  querylog [ on | off ]\n\
+		Enable / disable query logging.\n\
+  reconfig	Reload configuration file and new zones only.\n\
+  recursing	Dump the queries that are currently recursing (named.recursing)\n\
+  refresh zone [class [view]]\n\
+		Schedule immediate maintenance for a zone.\n\
+  reload	Reload configuration file and zones.\n\
+  reload zone [class [view]]\n\
+		Reload a single zone.\n\
+  retransfer zone [class [view]]\n\
+		Retransfer a single zone without checking serial number.\n\
+  scan		Scan available network interfaces for changes.\n\
+  secroots [view ...]\n\
+		Write security roots to the secroots file.\n\
+  serve-stale [ on | off | reset | status ] [class [view]]\n\
+		Control whether stale answers are returned\n\
+  showzone zone [class [view]]\n\
+		Print a zone's configuration.\n\
+  sign zone [class [view]]\n\
+		Update zone keys, and sign as needed.\n\
+  signing -clear all zone [class [view]]\n\
+		Remove the private records for all keys that have\n\
+		finished signing the given zone.\n\
+  signing -clear <keyid>/<algorithm> zone [class [view]]\n\
+		Remove the private record that indicating the given key\n\
+		has finished signing the given zone.\n\
+  signing -list zone [class [view]]\n\
+		List the private records showing the state of DNSSEC\n\
+		signing in the given zone.\n\
+  signing -nsec3param hash flags iterations salt zone [class [view]]\n\
+		Add NSEC3 chain to zone if already signed.\n\
+		Prime zone with NSEC3 chain if not yet signed.\n\
+  signing -nsec3param none zone [class [view]]\n\
+		Remove NSEC3 chains from zone.\n\
+  signing -serial <value> zone [class [view]]\n\
+		Set the zones's serial to <value>.\n\
+  stats		Write server statistics to the statistics file.\n\
+  status	Display status of the server.\n\
+  stop		Save pending updates to master files and stop the server.\n\
+  stop -p	Save pending updates to master files and stop the server\n\
+		reporting process id.\n\
+  sync [-clean]	Dump changes to all dynamic zones to disk, and optionally\n\
+		remove their journal files.\n\
+  sync [-clean] zone [class [view]]\n\
+		Dump a single zone's changes to disk, and optionally\n\
+		remove its journal file.\n\
+  tcp-timeouts	Display the tcp-*-timeout option values\n\
+  tcp-timeouts initial idle keepalive advertised\n\
+		Update the tcp-*-timeout option values\n\
+  thaw		Enable updates to all dynamic zones and reload them.\n\
+  thaw zone [class [view]]\n\
+		Enable updates to a frozen dynamic zone and reload it.\n\
+  trace		Increment debugging level by one.\n\
+  trace level	Change the debugging level.\n\
+  tsig-delete keyname [view]\n\
+		Delete a TKEY-negotiated TSIG key.\n\
+  tsig-list	List all currently active TSIG keys, including both statically\n\
+		configured and TKEY-negotiated keys.\n\
+  validation [ on | off | status ] [view]\n\
+		Enable / disable DNSSEC validation.\n\
+  zonestatus zone [class [view]]\n\
+		Display the current status of a zone.\n\
+\n\
+Version: %s\n",
+		progname, version);
+
+	exit(status);
+}
+
+#define CMDLINE_FLAGS "46b:c:hk:Mmp:qrs:Vy:"
+
+static void
+preparse_args(int argc, char **argv) {
+	bool ipv4only = false, ipv6only = false;
+	int ch;
+
+	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
+		switch (ch) {
+		case '4':
+			if (ipv6only) {
+				fatal("only one of -4 and -6 allowed");
+			}
+			ipv4only = true;
+			break;
+		case '6':
+			if (ipv4only) {
+				fatal("only one of -4 and -6 allowed");
+			}
+			ipv6only = true;
+			break;
+		default:
+			break;
+		}
+	}
+
+	isc_commandline_reset = true;
+	isc_commandline_index = 1;
+}
+
+static void
+get_addresses(const char *host, in_port_t port) {
+	isc_result_t result;
+	int found = 0, count;
+
+	REQUIRE(host != NULL);
+
+	if (*host == '/') {
+		result = isc_sockaddr_frompath(&serveraddrs[nserveraddrs],
+					       host);
+		if (result == ISC_R_SUCCESS) {
+			nserveraddrs++;
+		}
+	} else {
+		count = SERVERADDRS - nserveraddrs;
+		result = bind9_getaddresses(
+			host, port, &serveraddrs[nserveraddrs], count, &found);
+		nserveraddrs += found;
+	}
+	if (result != ISC_R_SUCCESS) {
+		fatal("couldn't get address for '%s': %s", host,
+		      isc_result_totext(result));
+	}
+	INSIST(nserveraddrs > 0);
+}
+
+static void
+rndc_senddone(isc_task_t *task, isc_event_t *event) {
+	isc_socketevent_t *sevent = (isc_socketevent_t *)event;
+
+	if (sevent->result != ISC_R_SUCCESS) {
+		fatal("send failed: %s", isc_result_totext(sevent->result));
+	}
+	isc_event_free(&event);
+	if (atomic_fetch_sub_release(&sends, 1) == 1 &&
+	    atomic_load_acquire(&recvs) == 0)
+	{
+		isc_socket_detach(&sock);
+		isc_task_detach(&task);
+		isc_app_shutdown();
+	}
+}
+
+static void
+rndc_recvdone(isc_task_t *task, isc_event_t *event) {
+	isccc_sexpr_t *response = NULL;
+	isccc_sexpr_t *data;
+	isccc_region_t source;
+	char *errormsg = NULL;
+	char *textmsg = NULL;
+	isc_result_t result;
+
+	atomic_fetch_sub_release(&recvs, 1);
+
+	if (ccmsg.result == ISC_R_EOF) {
+		fatal("connection to remote host closed\n"
+		      "This may indicate that\n"
+		      "* the remote server is using an older version of"
+		      " the command protocol,\n"
+		      "* this host is not authorized to connect,\n"
+		      "* the clocks are not synchronized, or\n"
+		      "* the key is invalid.");
+	}
+
+	if (ccmsg.result != ISC_R_SUCCESS) {
+		fatal("recv failed: %s", isc_result_totext(ccmsg.result));
+	}
+
+	source.rstart = isc_buffer_base(&ccmsg.buffer);
+	source.rend = isc_buffer_used(&ccmsg.buffer);
+
+	DO("parse message",
+	   isccc_cc_fromwire(&source, &response, algorithm, &secret));
+
+	data = isccc_alist_lookup(response, "_data");
+	if (!isccc_alist_alistp(data)) {
+		fatal("bad or missing data section in response");
+	}
+	result = isccc_cc_lookupstring(data, "err", &errormsg);
+	if (result == ISC_R_SUCCESS) {
+		failed = true;
+		fprintf(stderr, "%s: '%s' failed: %s\n", progname, command,
+			errormsg);
+	} else if (result != ISC_R_NOTFOUND) {
+		fprintf(stderr, "%s: parsing response failed: %s\n", progname,
+			isc_result_totext(result));
+	}
+
+	result = isccc_cc_lookupstring(data, "text", &textmsg);
+	if (result == ISC_R_SUCCESS) {
+		if ((!quiet || failed) && strlen(textmsg) != 0U) {
+			fprintf(failed ? stderr : stdout, "%s\n", textmsg);
+		}
+	} else if (result != ISC_R_NOTFOUND) {
+		fprintf(stderr, "%s: parsing response failed: %s\n", progname,
+			isc_result_totext(result));
+	}
+
+	if (showresult) {
+		isc_result_t eresult;
+
+		result = isccc_cc_lookupuint32(data, "result", &eresult);
+		if (result == ISC_R_SUCCESS) {
+			printf("%s %u\n", isc_result_toid(eresult), eresult);
+		} else {
+			printf("NONE -1\n");
+		}
+	}
+
+	isc_event_free(&event);
+	isccc_sexpr_free(&response);
+	if (atomic_load_acquire(&sends) == 0 &&
+	    atomic_load_acquire(&recvs) == 0)
+	{
+		isc_socket_detach(&sock);
+		isc_task_detach(&task);
+		isc_app_shutdown();
+	}
+}
+
+static void
+rndc_recvnonce(isc_task_t *task, isc_event_t *event) {
+	isccc_sexpr_t *response = NULL;
+	isccc_sexpr_t *_ctrl;
+	isccc_region_t source;
+	isc_result_t result;
+	uint32_t nonce;
+	isccc_sexpr_t *request = NULL;
+	isccc_time_t now;
+	isc_region_t r;
+	isccc_sexpr_t *data;
+	isc_buffer_t b;
+
+	atomic_fetch_sub_release(&recvs, 1);
+
+	if (ccmsg.result == ISC_R_EOF) {
+		fatal("connection to remote host closed\n"
+		      "This may indicate that\n"
+		      "* the remote server is using an older version of"
+		      " the command protocol,\n"
+		      "* this host is not authorized to connect,\n"
+		      "* the clocks are not synchronized,\n"
+		      "* the key signing algorithm is incorrect, or\n"
+		      "* the key is invalid.");
+	}
+
+	if (ccmsg.result != ISC_R_SUCCESS) {
+		fatal("recv failed: %s", isc_result_totext(ccmsg.result));
+	}
+
+	source.rstart = isc_buffer_base(&ccmsg.buffer);
+	source.rend = isc_buffer_used(&ccmsg.buffer);
+
+	DO("parse message",
+	   isccc_cc_fromwire(&source, &response, algorithm, &secret));
+
+	_ctrl = isccc_alist_lookup(response, "_ctrl");
+	if (!isccc_alist_alistp(_ctrl)) {
+		fatal("bad or missing ctrl section in response");
+	}
+	nonce = 0;
+	if (isccc_cc_lookupuint32(_ctrl, "_nonce", &nonce) != ISC_R_SUCCESS) {
+		nonce = 0;
+	}
+
+	isc_stdtime_get(&now);
+
+	DO("create message", isccc_cc_createmessage(1, NULL, NULL, ++serial,
+						    now, now + 60, &request));
+	data = isccc_alist_lookup(request, "_data");
+	if (data == NULL) {
+		fatal("_data section missing");
+	}
+	if (isccc_cc_definestring(data, "type", args) == NULL) {
+		fatal("out of memory");
+	}
+	if (nonce != 0) {
+		_ctrl = isccc_alist_lookup(request, "_ctrl");
+		if (_ctrl == NULL) {
+			fatal("_ctrl section missing");
+		}
+		if (isccc_cc_defineuint32(_ctrl, "_nonce", nonce) == NULL) {
+			fatal("out of memory");
+		}
+	}
+
+	isc_buffer_clear(databuf);
+	/* Skip the length field (4 bytes) */
+	isc_buffer_add(databuf, 4);
+
+	DO("render message",
+	   isccc_cc_towire(request, &databuf, algorithm, &secret));
+
+	isc_buffer_init(&b, databuf->base, 4);
+	isc_buffer_putuint32(&b, databuf->used - 4);
+
+	r.base = databuf->base;
+	r.length = databuf->used;
+
+	isccc_ccmsg_cancelread(&ccmsg);
+	DO("schedule recv",
+	   isccc_ccmsg_readmessage(&ccmsg, task, rndc_recvdone, NULL));
+	atomic_fetch_add_relaxed(&recvs, 1);
+	DO("send message",
+	   isc_socket_send(sock, &r, task, rndc_senddone, NULL));
+	atomic_fetch_add_relaxed(&sends, 1);
+
+	isc_event_free(&event);
+	isccc_sexpr_free(&response);
+	isccc_sexpr_free(&request);
+	return;
+}
+
+static void
+rndc_connected(isc_task_t *task, isc_event_t *event) {
+	char socktext[ISC_SOCKADDR_FORMATSIZE];
+	isc_socketevent_t *sevent = (isc_socketevent_t *)event;
+	isccc_sexpr_t *request = NULL;
+	isccc_sexpr_t *data;
+	isccc_time_t now;
+	isc_region_t r;
+	isc_buffer_t b;
+	isc_result_t result;
+
+	atomic_fetch_sub_release(&connects, 1);
+
+	if (sevent->result != ISC_R_SUCCESS) {
+		isc_sockaddr_format(&serveraddrs[currentaddr], socktext,
+				    sizeof(socktext));
+		if (sevent->result != ISC_R_CANCELED &&
+		    ++currentaddr < nserveraddrs)
+		{
+			notify("connection failed: %s: %s", socktext,
+			       isc_result_totext(sevent->result));
+			isc_socket_detach(&sock);
+			isc_event_free(&event);
+			rndc_startconnect(&serveraddrs[currentaddr], task);
+			return;
+		} else {
+			fatal("connect failed: %s: %s", socktext,
+			      isc_result_totext(sevent->result));
+		}
+	}
+
+	isc_stdtime_get(&now);
+	DO("create message", isccc_cc_createmessage(1, NULL, NULL, ++serial,
+						    now, now + 60, &request));
+	data = isccc_alist_lookup(request, "_data");
+	if (data == NULL) {
+		fatal("_data section missing");
+	}
+	if (isccc_cc_definestring(data, "type", "null") == NULL) {
+		fatal("out of memory");
+	}
+
+	isc_buffer_clear(databuf);
+	/* Skip the length field (4 bytes) */
+	isc_buffer_add(databuf, 4);
+
+	DO("render message",
+	   isccc_cc_towire(request, &databuf, algorithm, &secret));
+
+	isc_buffer_init(&b, databuf->base, 4);
+	isc_buffer_putuint32(&b, databuf->used - 4);
+
+	r.base = databuf->base;
+	r.length = databuf->used;
+
+	isccc_ccmsg_init(rndc_mctx, sock, &ccmsg);
+	isccc_ccmsg_setmaxsize(&ccmsg, 1024 * 1024);
+
+	DO("schedule recv",
+	   isccc_ccmsg_readmessage(&ccmsg, task, rndc_recvnonce, NULL));
+	atomic_fetch_add_relaxed(&recvs, 1);
+	DO("send message",
+	   isc_socket_send(sock, &r, task, rndc_senddone, NULL));
+	atomic_fetch_add_relaxed(&sends, 1);
+	isc_event_free(&event);
+	isccc_sexpr_free(&request);
+}
+
+static void
+rndc_startconnect(isc_sockaddr_t *addr, isc_task_t *task) {
+	isc_result_t result;
+	int pf;
+	isc_sockettype_t type;
+
+	char socktext[ISC_SOCKADDR_FORMATSIZE];
+
+	isc_sockaddr_format(addr, socktext, sizeof(socktext));
+
+	notify("using server %s (%s)", servername, socktext);
+
+	pf = isc_sockaddr_pf(addr);
+	if (pf == AF_INET || pf == AF_INET6) {
+		type = isc_sockettype_tcp;
+	} else {
+		type = isc_sockettype_unix;
+	}
+	DO("create socket", isc_socket_create(socketmgr, pf, type, &sock));
+	switch (isc_sockaddr_pf(addr)) {
+	case AF_INET:
+		DO("bind socket", isc_socket_bind(sock, &local4, 0));
+		break;
+	case AF_INET6:
+		DO("bind socket", isc_socket_bind(sock, &local6, 0));
+		break;
+	default:
+		break;
+	}
+	DO("connect",
+	   isc_socket_connect(sock, addr, task, rndc_connected, NULL));
+	atomic_fetch_add_relaxed(&connects, 1);
+}
+
+static void
+rndc_start(isc_task_t *task, isc_event_t *event) {
+	isc_event_free(&event);
+
+	currentaddr = 0;
+	rndc_startconnect(&serveraddrs[currentaddr], task);
+}
+
+static void
+parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname,
+	     cfg_parser_t **pctxp, cfg_obj_t **configp) {
+	isc_result_t result;
+	const char *conffile = admin_conffile;
+	const cfg_obj_t *addresses = NULL;
+	const cfg_obj_t *defkey = NULL;
+	const cfg_obj_t *options = NULL;
+	const cfg_obj_t *servers = NULL;
+	const cfg_obj_t *server = NULL;
+	const cfg_obj_t *keys = NULL;
+	const cfg_obj_t *key = NULL;
+	const cfg_obj_t *defport = NULL;
+	const cfg_obj_t *secretobj = NULL;
+	const cfg_obj_t *algorithmobj = NULL;
+	cfg_obj_t *config = NULL;
+	const cfg_obj_t *address = NULL;
+	const cfg_listelt_t *elt;
+	const char *secretstr;
+	const char *algorithmstr;
+	static char secretarray[1024];
+	const cfg_type_t *conftype = &cfg_type_rndcconf;
+	bool key_only = false;
+	const cfg_listelt_t *element;
+
+	if (!isc_file_exists(conffile)) {
+		conffile = admin_keyfile;
+		conftype = &cfg_type_rndckey;
+
+		if (c_flag) {
+			fatal("%s does not exist", admin_conffile);
+		}
+
+		if (!isc_file_exists(conffile)) {
+			fatal("neither %s nor %s was found", admin_conffile,
+			      admin_keyfile);
+		}
+		key_only = true;
+	} else if (!c_flag && isc_file_exists(admin_keyfile)) {
+		fprintf(stderr,
+			"WARNING: key file (%s) exists, but using "
+			"default configuration file (%s)\n",
+			admin_keyfile, admin_conffile);
+	}
+
+	DO("create parser", cfg_parser_create(mctx, log, pctxp));
+
+	/*
+	 * The parser will output its own errors, so DO() is not used.
+	 */
+	result = cfg_parse_file(*pctxp, conffile, conftype, &config);
+	if (result != ISC_R_SUCCESS) {
+		fatal("could not load rndc configuration");
+	}
+
+	if (!key_only) {
+		(void)cfg_map_get(config, "options", &options);
+	}
+
+	if (key_only && servername == NULL) {
+		servername = "127.0.0.1";
+	} else if (servername == NULL && options != NULL) {
+		const cfg_obj_t *defserverobj = NULL;
+		(void)cfg_map_get(options, "default-server", &defserverobj);
+		if (defserverobj != NULL) {
+			servername = cfg_obj_asstring(defserverobj);
+		}
+	}
+
+	if (servername == NULL) {
+		fatal("no server specified and no default");
+	}
+
+	if (!key_only) {
+		(void)cfg_map_get(config, "server", &servers);
+		if (servers != NULL) {
+			for (elt = cfg_list_first(servers); elt != NULL;
+			     elt = cfg_list_next(elt))
+			{
+				const char *name;
+				server = cfg_listelt_value(elt);
+				name = cfg_obj_asstring(
+					cfg_map_getname(server));
+				if (strcasecmp(name, servername) == 0) {
+					break;
+				}
+				server = NULL;
+			}
+		}
+	}
+
+	/*
+	 * Look for the name of the key to use.
+	 */
+	if (keyname != NULL) {
+		/* Was set on command line, do nothing. */
+	} else if (server != NULL) {
+		DO("get key for server", cfg_map_get(server, "key", &defkey));
+		keyname = cfg_obj_asstring(defkey);
+	} else if (options != NULL) {
+		DO("get default key",
+		   cfg_map_get(options, "default-key", &defkey));
+		keyname = cfg_obj_asstring(defkey);
+	} else if (!key_only) {
+		fatal("no key for server and no default");
+	}
+
+	/*
+	 * Get the key's definition.
+	 */
+	if (key_only) {
+		DO("get key", cfg_map_get(config, "key", &key));
+	} else {
+		DO("get config key list", cfg_map_get(config, "key", &keys));
+		for (elt = cfg_list_first(keys); elt != NULL;
+		     elt = cfg_list_next(elt))
+		{
+			key = cfg_listelt_value(elt);
+			if (strcasecmp(cfg_obj_asstring(cfg_map_getname(key)),
+				       keyname) == 0)
+			{
+				break;
+			}
+		}
+		if (elt == NULL) {
+			fatal("no key definition for name %s", keyname);
+		}
+	}
+	(void)cfg_map_get(key, "secret", &secretobj);
+	(void)cfg_map_get(key, "algorithm", &algorithmobj);
+	if (secretobj == NULL || algorithmobj == NULL) {
+		fatal("key must have algorithm and secret");
+	}
+
+	secretstr = cfg_obj_asstring(secretobj);
+	algorithmstr = cfg_obj_asstring(algorithmobj);
+
+	if (strcasecmp(algorithmstr, "hmac-md5") == 0) {
+		algorithm = ISCCC_ALG_HMACMD5;
+	} else if (strcasecmp(algorithmstr, "hmac-sha1") == 0) {
+		algorithm = ISCCC_ALG_HMACSHA1;
+	} else if (strcasecmp(algorithmstr, "hmac-sha224") == 0) {
+		algorithm = ISCCC_ALG_HMACSHA224;
+	} else if (strcasecmp(algorithmstr, "hmac-sha256") == 0) {
+		algorithm = ISCCC_ALG_HMACSHA256;
+	} else if (strcasecmp(algorithmstr, "hmac-sha384") == 0) {
+		algorithm = ISCCC_ALG_HMACSHA384;
+	} else if (strcasecmp(algorithmstr, "hmac-sha512") == 0) {
+		algorithm = ISCCC_ALG_HMACSHA512;
+	} else {
+		fatal("unsupported algorithm: %s", algorithmstr);
+	}
+
+	secret.rstart = (unsigned char *)secretarray;
+	secret.rend = (unsigned char *)secretarray + sizeof(secretarray);
+	DO("decode base64 secret", isccc_base64_decode(secretstr, &secret));
+	secret.rend = secret.rstart;
+	secret.rstart = (unsigned char *)secretarray;
+
+	/*
+	 * Find the port to connect to.
+	 */
+	if (remoteport != 0) {
+		/* Was set on command line, do nothing. */
+	} else {
+		if (server != NULL) {
+			(void)cfg_map_get(server, "port", &defport);
+		}
+		if (defport == NULL && options != NULL) {
+			(void)cfg_map_get(options, "default-port", &defport);
+		}
+	}
+	if (defport != NULL) {
+		remoteport = cfg_obj_asuint32(defport);
+		if (remoteport > 65535 || remoteport == 0) {
+			fatal("port %u out of range", remoteport);
+		}
+	} else if (remoteport == 0) {
+		remoteport = NS_CONTROL_PORT;
+	}
+
+	if (server != NULL) {
+		result = cfg_map_get(server, "addresses", &addresses);
+	} else {
+		result = ISC_R_NOTFOUND;
+	}
+	if (result == ISC_R_SUCCESS) {
+		for (element = cfg_list_first(addresses); element != NULL;
+		     element = cfg_list_next(element))
+		{
+			isc_sockaddr_t sa;
+
+			address = cfg_listelt_value(element);
+			if (!cfg_obj_issockaddr(address)) {
+				unsigned int myport;
+				const char *name;
+				const cfg_obj_t *obj;
+
+				obj = cfg_tuple_get(address, "name");
+				name = cfg_obj_asstring(obj);
+				obj = cfg_tuple_get(address, "port");
+				if (cfg_obj_isuint32(obj)) {
+					myport = cfg_obj_asuint32(obj);
+					if (myport > UINT16_MAX || myport == 0)
+					{
+						fatal("port %u out of range",
+						      myport);
+					}
+				} else {
+					myport = remoteport;
+				}
+				if (nserveraddrs < SERVERADDRS) {
+					get_addresses(name, (in_port_t)myport);
+				} else {
+					fprintf(stderr,
+						"too many address: "
+						"%s: dropped\n",
+						name);
+				}
+				continue;
+			}
+			sa = *cfg_obj_assockaddr(address);
+			if (isc_sockaddr_getport(&sa) == 0) {
+				isc_sockaddr_setport(&sa, remoteport);
+			}
+			if (nserveraddrs < SERVERADDRS) {
+				serveraddrs[nserveraddrs++] = sa;
+			} else {
+				char socktext[ISC_SOCKADDR_FORMATSIZE];
+
+				isc_sockaddr_format(&sa, socktext,
+						    sizeof(socktext));
+				fprintf(stderr,
+					"too many address: %s: dropped\n",
+					socktext);
+			}
+		}
+	}
+
+	if (!local4set && server != NULL) {
+		address = NULL;
+		cfg_map_get(server, "source-address", &address);
+		if (address != NULL) {
+			local4 = *cfg_obj_assockaddr(address);
+			local4set = true;
+		}
+	}
+	if (!local4set && options != NULL) {
+		address = NULL;
+		cfg_map_get(options, "default-source-address", &address);
+		if (address != NULL) {
+			local4 = *cfg_obj_assockaddr(address);
+			local4set = true;
+		}
+	}
+
+	if (!local6set && server != NULL) {
+		address = NULL;
+		cfg_map_get(server, "source-address-v6", &address);
+		if (address != NULL) {
+			local6 = *cfg_obj_assockaddr(address);
+			local6set = true;
+		}
+	}
+	if (!local6set && options != NULL) {
+		address = NULL;
+		cfg_map_get(options, "default-source-address-v6", &address);
+		if (address != NULL) {
+			local6 = *cfg_obj_assockaddr(address);
+			local6set = true;
+		}
+	}
+
+	*configp = config;
+}
+
+int
+main(int argc, char **argv) {
+	isc_result_t result = ISC_R_SUCCESS;
+	bool show_final_mem = false;
+	isc_nm_t *netmgr = NULL;
+	isc_taskmgr_t *taskmgr = NULL;
+	isc_task_t *task = NULL;
+	isc_log_t *log = NULL;
+	isc_logconfig_t *logconfig = NULL;
+	isc_logdestination_t logdest;
+	cfg_parser_t *pctx = NULL;
+	cfg_obj_t *config = NULL;
+	const char *keyname = NULL;
+	struct in_addr in;
+	struct in6_addr in6;
+	char *p;
+	size_t argslen;
+	int ch;
+	int i;
+
+	result = isc_file_progname(*argv, program, sizeof(program));
+	if (result != ISC_R_SUCCESS) {
+		memmove(program, "rndc", 5);
+	}
+	progname = program;
+
+	admin_conffile = RNDC_CONFFILE;
+	admin_keyfile = RNDC_KEYFILE;
+
+	isc_sockaddr_any(&local4);
+	isc_sockaddr_any6(&local6);
+
+	result = isc_app_start();
+	if (result != ISC_R_SUCCESS) {
+		fatal("isc_app_start() failed: %s", isc_result_totext(result));
+	}
+
+	isc_commandline_errprint = false;
+
+	preparse_args(argc, argv);
+
+	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
+		switch (ch) {
+		case '4':
+			if (isc_net_probeipv4() != ISC_R_SUCCESS) {
+				fatal("can't find IPv4 networking");
+			}
+			isc_net_disableipv6();
+			break;
+		case '6':
+			if (isc_net_probeipv6() != ISC_R_SUCCESS) {
+				fatal("can't find IPv6 networking");
+			}
+			isc_net_disableipv4();
+			break;
+		case 'b':
+			if (inet_pton(AF_INET, isc_commandline_argument, &in) ==
+			    1)
+			{
+				isc_sockaddr_fromin(&local4, &in, 0);
+				local4set = true;
+			} else if (inet_pton(AF_INET6, isc_commandline_argument,
+					     &in6) == 1)
+			{
+				isc_sockaddr_fromin6(&local6, &in6, 0);
+				local6set = true;
+			}
+			break;
+
+		case 'c':
+			admin_conffile = isc_commandline_argument;
+			c_flag = true;
+			break;
+
+		case 'k':
+			admin_keyfile = isc_commandline_argument;
+			break;
+
+		case 'M':
+			isc_mem_debugging = ISC_MEM_DEBUGTRACE;
+			break;
+
+		case 'm':
+			show_final_mem = true;
+			break;
+
+		case 'p':
+			remoteport = atoi(isc_commandline_argument);
+			if (remoteport > 65535 || remoteport == 0) {
+				fatal("port '%s' out of range",
+				      isc_commandline_argument);
+			}
+			break;
+
+		case 'q':
+			quiet = true;
+			break;
+
+		case 'r':
+			showresult = true;
+			break;
+
+		case 's':
+			servername = isc_commandline_argument;
+			break;
+
+		case 'V':
+			verbose = true;
+			break;
+
+		case 'y':
+			keyname = isc_commandline_argument;
+			break;
+
+		case '?':
+			if (isc_commandline_option != '?') {
+				fprintf(stderr, "%s: invalid argument -%c\n",
+					program, isc_commandline_option);
+				usage(1);
+			}
+			FALLTHROUGH;
+		case 'h':
+			usage(0);
+			break;
+		default:
+			fprintf(stderr, "%s: unhandled option -%c\n", program,
+				isc_commandline_option);
+			exit(1);
+		}
+	}
+
+	argc -= isc_commandline_index;
+	argv += isc_commandline_index;
+
+	if (argc < 1) {
+		usage(1);
+	}
+
+	serial = isc_random32();
+
+	isc_mem_create(&rndc_mctx);
+	DO("create socket manager",
+	   isc_socketmgr_create(rndc_mctx, &socketmgr));
+	DO("create task manager",
+	   isc_managers_create(rndc_mctx, 1, 0, &netmgr, &taskmgr));
+	DO("create task", isc_task_create(taskmgr, 0, &task));
+
+	isc_log_create(rndc_mctx, &log, &logconfig);
+	isc_log_setcontext(log);
+	isc_log_settag(logconfig, progname);
+	logdest.file.stream = stderr;
+	logdest.file.name = NULL;
+	logdest.file.versions = ISC_LOG_ROLLNEVER;
+	logdest.file.maximum_size = 0;
+	isc_log_createchannel(logconfig, "stderr", ISC_LOG_TOFILEDESC,
+			      ISC_LOG_INFO, &logdest,
+			      ISC_LOG_PRINTTAG | ISC_LOG_PRINTLEVEL);
+	DO("enabling log channel",
+	   isc_log_usechannel(logconfig, "stderr", NULL, NULL));
+
+	parse_config(rndc_mctx, log, keyname, &pctx, &config);
+
+	isccc_result_register();
+
+	command = *argv;
+
+	isc_buffer_allocate(rndc_mctx, &databuf, 2048);
+
+	/*
+	 * Convert argc/argv into a space-delimited command string
+	 * similar to what the user might enter in interactive mode
+	 * (if that were implemented).
+	 */
+	argslen = 0;
+	for (i = 0; i < argc; i++) {
+		argslen += strlen(argv[i]) + 1;
+	}
+
+	args = isc_mem_get(rndc_mctx, argslen);
+
+	p = args;
+	for (i = 0; i < argc; i++) {
+		size_t len = strlen(argv[i]);
+		memmove(p, argv[i], len);
+		p += len;
+		*p++ = ' ';
+	}
+
+	p--;
+	*p++ = '\0';
+	INSIST(p == args + argslen);
+
+	notify("%s", command);
+
+	if (strcmp(command, "restart") == 0) {
+		fatal("'%s' is not implemented", command);
+	}
+
+	if (nserveraddrs == 0 && servername != NULL) {
+		get_addresses(servername, (in_port_t)remoteport);
+	}
+
+	isc_task_attach(task, &(isc_task_t *){ NULL });
+	DO("post event", isc_app_onrun(rndc_mctx, task, rndc_start, NULL));
+
+	result = isc_app_run();
+	if (result != ISC_R_SUCCESS) {
+		fatal("isc_app_run() failed: %s", isc_result_totext(result));
+	}
+
+	if (atomic_load_acquire(&connects) > 0 ||
+	    atomic_load_acquire(&sends) > 0 || atomic_load_acquire(&recvs) > 0)
+	{
+		isc_socket_cancel(sock, task, ISC_SOCKCANCEL_ALL);
+	}
+
+	isc_task_detach(&task);
+	isc_managers_destroy(&netmgr, &taskmgr);
+	isc_socketmgr_destroy(&socketmgr);
+	isc_log_destroy(&log);
+	isc_log_setcontext(NULL);
+
+	cfg_obj_destroy(pctx, &config);
+	cfg_parser_destroy(&pctx);
+
+	isc_mem_put(rndc_mctx, args, argslen);
+	isccc_ccmsg_invalidate(&ccmsg);
+
+	isc_buffer_free(&databuf);
+
+	if (show_final_mem) {
+		isc_mem_stats(rndc_mctx, stderr);
+	}
+
+	isc_mem_destroy(&rndc_mctx);
+
+	if (failed) {
+		return (1);
+	}
+
+	return (0);
+}
diff --git a/bin/rndc/rndc.conf b/bin/rndc/rndc.conf
new file mode 100644
index 0000000..78ee858
--- /dev/null
+++ b/bin/rndc/rndc.conf
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Sample rndc configuration file.
+ */
+
+options {
+	default-server  localhost;
+	default-key     "key";
+};
+
+server localhost {
+	key     "key";
+};
+
+key "cc64b3d1db63fc88d7cb5d2f9f57d258" {
+	algorithm hmac-sha256;
+	secret "34f88008d07deabbe65bd01f1d233d47";
+};
+
+server "test1" {
+	key "cc64b3d1db63fc88d7cb5d2f9f57d258";
+	port 5353;
+	addresses { 10.53.0.1; };
+};
+
+key "key" {
+	algorithm       hmac-sha256;
+	secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
+};
diff --git a/bin/rndc/rndc.conf.rst b/bin/rndc/rndc.conf.rst
new file mode 100644
index 0000000..b02e780
--- /dev/null
+++ b/bin/rndc/rndc.conf.rst
@@ -0,0 +1,156 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. highlight: console
+
+.. _man_rndc.conf:
+
+rndc.conf - rndc configuration file
+-----------------------------------
+
+Synopsis
+~~~~~~~~
+
+:program:`rndc.conf`
+
+Description
+~~~~~~~~~~~
+
+``rndc.conf`` is the configuration file for ``rndc``, the BIND 9 name
+server control utility. This file has a similar structure and syntax to
+``named.conf``. Statements are enclosed in braces and terminated with a
+semi-colon. Clauses in the statements are also semi-colon terminated.
+The usual comment styles are supported:
+
+C style: /\* \*/
+
+C++ style: // to end of line
+
+Unix style: # to end of line
+
+``rndc.conf`` is much simpler than ``named.conf``. The file uses three
+statements: an options statement, a server statement, and a key
+statement.
+
+The ``options`` statement contains five clauses. The ``default-server``
+clause is followed by the name or address of a name server. This host
+is used when no name server is given as an argument to ``rndc``.
+The ``default-key`` clause is followed by the name of a key, which is
+identified by a ``key`` statement. If no ``keyid`` is provided on the
+rndc command line, and no ``key`` clause is found in a matching
+``server`` statement, this default key is used to authenticate the
+server's commands and responses. The ``default-port`` clause is followed
+by the port to connect to on the remote name server. If no ``port``
+option is provided on the rndc command line, and no ``port`` clause is
+found in a matching ``server`` statement, this default port is used
+to connect. The ``default-source-address`` and
+``default-source-address-v6`` clauses can be used to set the IPv4
+and IPv6 source addresses respectively.
+
+After the ``server`` keyword, the server statement includes a string
+which is the hostname or address for a name server. The statement has
+three possible clauses: ``key``, ``port``, and ``addresses``. The key
+name must match the name of a key statement in the file. The port number
+specifies the port to connect to. If an ``addresses`` clause is supplied,
+these addresses are used instead of the server name. Each address
+can take an optional port. If an ``source-address`` or
+``source-address-v6`` is supplied, it is used to specify the
+IPv4 and IPv6 source address, respectively.
+
+The ``key`` statement begins with an identifying string, the name of the
+key. The statement has two clauses. ``algorithm`` identifies the
+authentication algorithm for ``rndc`` to use; currently only HMAC-MD5
+(for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256 (default),
+HMAC-SHA384, and HMAC-SHA512 are supported. This is followed by a secret
+clause which contains the base-64 encoding of the algorithm's
+authentication key. The base-64 string is enclosed in double quotes.
+
+There are two common ways to generate the base-64 string for the secret.
+The BIND 9 program ``rndc-confgen`` can be used to generate a random
+key, or the ``mmencode`` program, also known as ``mimencode``, can be
+used to generate a base-64 string from known input. ``mmencode`` does
+not ship with BIND 9 but is available on many systems. See the Example
+section for sample command lines for each.
+
+Example
+~~~~~~~
+
+::
+
+         options {
+           default-server  localhost;
+           default-key     samplekey;
+         };
+
+::
+
+         server localhost {
+           key             samplekey;
+         };
+
+::
+
+         server testserver {
+           key     testkey;
+           addresses   { localhost port 5353; };
+         };
+
+::
+
+         key samplekey {
+           algorithm       hmac-sha256;
+           secret          "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
+         };
+
+::
+
+         key testkey {
+           algorithm   hmac-sha256;
+           secret      "R3HI8P6BKw9ZwXwN3VZKuQ==";
+         };
+
+
+In the above example, ``rndc`` by default uses the server at
+localhost (127.0.0.1) and the key called "samplekey". Commands to the
+localhost server use the "samplekey" key, which must also be defined
+in the server's configuration file with the same name and secret. The
+key statement indicates that "samplekey" uses the HMAC-SHA256 algorithm
+and its secret clause contains the base-64 encoding of the HMAC-SHA256
+secret enclosed in double quotes.
+
+If ``rndc -s testserver`` is used, then ``rndc`` connects to the server
+on localhost port 5353 using the key "testkey".
+
+To generate a random secret with ``rndc-confgen``:
+
+``rndc-confgen``
+
+A complete ``rndc.conf`` file, including the randomly generated key,
+is written to the standard output. Commented-out ``key`` and
+``controls`` statements for ``named.conf`` are also printed.
+
+To generate a base-64 secret with ``mmencode``:
+
+``echo "known plaintext for a secret" | mmencode``
+
+Name Server Configuration
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The name server must be configured to accept rndc connections and to
+recognize the key specified in the ``rndc.conf`` file, using the
+controls statement in ``named.conf``. See the sections on the
+``controls`` statement in the BIND 9 Administrator Reference Manual for
+details.
+
+See Also
+~~~~~~~~
+
+:manpage:`rndc(8)`, :manpage:`rndc-confgen(8)`, :manpage:`mmencode(1)`, BIND 9 Administrator Reference Manual.
diff --git a/bin/rndc/rndc.rst b/bin/rndc/rndc.rst
new file mode 100644
index 0000000..b2ec0e8
--- /dev/null
+++ b/bin/rndc/rndc.rst
@@ -0,0 +1,608 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. highlight: console
+
+.. _man_rndc:
+
+rndc - name server control utility
+----------------------------------
+
+Synopsis
+~~~~~~~~
+
+:program:`rndc` [**-b** source-address] [**-c** config-file] [**-k** key-file] [**-s** server] [**-p** port] [**-q**] [**-r**] [**-V**] [**-y** key_id] [[**-4**] | [**-6**]] {command}
+
+Description
+~~~~~~~~~~~
+
+``rndc`` controls the operation of a name server; it supersedes the
+``ndc`` utility. If ``rndc`` is
+invoked with no command line options or arguments, it prints a short
+summary of the supported commands and the available options and their
+arguments.
+
+``rndc`` communicates with the name server over a TCP connection,
+sending commands authenticated with digital signatures. In the current
+versions of ``rndc`` and ``named``, the only supported authentication
+algorithms are HMAC-MD5 (for compatibility), HMAC-SHA1, HMAC-SHA224,
+HMAC-SHA256 (default), HMAC-SHA384, and HMAC-SHA512. They use a shared
+secret on each end of the connection, which provides TSIG-style
+authentication for the command request and the name server's response.
+All commands sent over the channel must be signed by a key_id known to
+the server.
+
+``rndc`` reads a configuration file to determine how to contact the name
+server and decide what algorithm and key it should use.
+
+Options
+~~~~~~~
+
+``-4``
+   This option indicates use of IPv4 only.
+
+``-6``
+   This option indicates use of IPv6 only.
+
+``-b source-address``
+   This option indicates ``source-address`` as the source address for the connection to the
+   server. Multiple instances are permitted, to allow setting of both the
+   IPv4 and IPv6 source addresses.
+
+``-c config-file``
+   This option indicates ``config-file`` as the configuration file instead of the default,
+   ``/etc/rndc.conf``.
+
+``-k key-file``
+   This option indicates ``key-file`` as the key file instead of the default,
+   ``/etc/rndc.key``. The key in ``/etc/rndc.key`` is used to
+   authenticate commands sent to the server if the config-file does not
+   exist.
+
+``-s server``
+   ``server`` is the name or address of the server which matches a server
+   statement in the configuration file for ``rndc``. If no server is
+   supplied on the command line, the host named by the default-server
+   clause in the options statement of the ``rndc`` configuration file
+   is used.
+
+``-p port``
+   This option instructs BIND 9 to send commands to TCP port ``port`` instead of its default control
+   channel port, 953.
+
+``-q``
+   This option sets quiet mode, where message text returned by the server is not printed
+   unless there is an error.
+
+``-r``
+   This option instructs ``rndc`` to print the result code returned by ``named``
+   after executing the requested command (e.g., ISC_R_SUCCESS,
+   ISC_R_FAILURE, etc.).
+
+``-V``
+   This option enables verbose logging.
+
+``-y key_id``
+   This option indicates use of the key ``key_id`` from the configuration file. For control message validation to succeed, ``key_id`` must be known
+   by ``named`` with the same algorithm and secret string. If no ``key_id`` is specified,
+   ``rndc`` first looks for a key clause in the server statement of
+   the server being used, or if no server statement is present for that
+   host, then in the default-key clause of the options statement. Note that
+   the configuration file contains shared secrets which are used to send
+   authenticated control commands to name servers, and should therefore
+   not have general read or write access.
+
+Commands
+~~~~~~~~
+
+A list of commands supported by ``rndc`` can be seen by running ``rndc``
+without arguments.
+
+Currently supported commands are:
+
+``addzone`` *zone* [*class* [*view*]] *configuration*
+   This command adds a zone while the server is running. This command requires the
+   ``allow-new-zones`` option to be set to ``yes``. The configuration
+   string specified on the command line is the zone configuration text
+   that would ordinarily be placed in ``named.conf``.
+
+   The configuration is saved in a file called ``viewname.nzf`` (or, if
+   ``named`` is compiled with liblmdb, an LMDB database file called
+   ``viewname.nzd``). ``viewname`` is the name of the view, unless the view
+   name contains characters that are incompatible with use as a file
+   name, in which case a cryptographic hash of the view name is used
+   instead. When ``named`` is restarted, the file is loaded into
+   the view configuration so that zones that were added can persist
+   after a restart.
+
+   This sample ``addzone`` command adds the zone ``example.com`` to
+   the default view:
+
+   ``rndc addzone example.com '{ type master; file "example.com.db"; };'``
+
+   (Note the brackets around and semi-colon after the zone configuration
+   text.)
+
+   See also ``rndc delzone`` and ``rndc modzone``.
+
+``delzone`` [**-clean**] *zone* [*class* [*view*]]
+   This command deletes a zone while the server is running.
+
+   If the ``-clean`` argument is specified, the zone's master file (and
+   journal file, if any) are deleted along with the zone. Without
+   the ``-clean`` option, zone files must be deleted manually. (If the
+   zone is of type ``secondary`` or ``stub``, the files needing to be removed
+   are reported in the output of the ``rndc delzone`` command.)
+
+   If the zone was originally added via ``rndc addzone``, then it is
+   removed permanently. However, if it was originally configured in
+   ``named.conf``, then that original configuration remains in place;
+   when the server is restarted or reconfigured, the zone is
+   recreated. To remove it permanently, it must also be removed from
+   ``named.conf``.
+
+   See also ``rndc addzone`` and ``rndc modzone``.
+
+``dnssec`` ( **-status** | **-rollover** **-key** id [**-alg** *algorithm*] [**-when** *time*] | **-checkds** [**-key** *id* [**-alg** *algorithm*]] [**-when** *time*] ( *published* | *withdrawn* )) *zone* [*class* [*view*]]
+   This command allows you to interact with the "dnssec-policy" of a given
+   zone.
+
+   ``rndc dnssec -status`` show the DNSSEC signing state for the specified
+   zone.
+
+   ``rndc dnssec -rollover`` allows you to schedule key rollover for a
+   specific key (overriding the original key lifetime).
+
+   ``rndc dnssec -checkds`` informs :iscman:`named` that the DS for
+   a specified zone's key-signing key has been confirmed to be published
+   in, or withdrawn from, the parent zone. This is required in order to
+   complete a KSK rollover.  The ``-key id`` and ``-alg algorithm`` arguments
+   can be used to specify a particular KSK, if necessary; if there is only
+   one key acting as a KSK for the zone, these arguments can be omitted.
+   The time of publication or withdrawal for the DS is set to the current
+   time by default, but can be overridden to a specific time with the
+   argument ``-when time``, where ``time`` is expressed in YYYYMMDDHHMMSS
+   notation.
+
+``dnstap`` ( **-reopen** | **-roll** [*number*] )
+   This command closes and re-opens DNSTAP output files.
+
+   ``rndc dnstap -reopen`` allows
+   the output file to be renamed externally, so that ``named`` can
+   truncate and re-open it.
+
+   ``rndc dnstap -roll`` causes the output file
+   to be rolled automatically, similar to log files. The most recent
+   output file has ".0" appended to its name; the previous most recent
+   output file is moved to ".1", and so on. If ``number`` is specified, then
+   the number of backup log files is limited to that number.
+
+``dumpdb`` [**-all** | **-cache** | **-zones** | **-adb** | **-bad** | **-expired** | **-fail**] [*view ...*]
+   This command dumps the server's caches (default) and/or zones to the dump file for
+   the specified views. If no view is specified, all views are dumped.
+   (See the ``dump-file`` option in the BIND 9 Administrator Reference
+   Manual.)
+
+``flush``
+   This command flushes the server's cache.
+
+``flushname`` *name* [*view*]
+   This command flushes the given name from the view's DNS cache and, if applicable,
+   from the view's nameserver address database, bad server cache, and
+   SERVFAIL cache.
+
+``flushtree`` *name* [*view*]
+   This command flushes the given name, and all of its subdomains, from the view's
+   DNS cache, address database, bad server cache, and SERVFAIL cache.
+
+``freeze`` [*zone* [*class* [*view*]]]
+   This command suspends updates to a dynamic zone. If no zone is specified, then all
+   zones are suspended. This allows manual edits to be made to a zone
+   normally updated by dynamic update, and causes changes in the
+   journal file to be synced into the master file. All dynamic update
+   attempts are refused while the zone is frozen.
+
+   See also ``rndc thaw``.
+
+``halt`` [**-p**]
+   This command stops the server immediately. Recent changes made through dynamic
+   update or IXFR are not saved to the master files, but are rolled
+   forward from the journal files when the server is restarted. If
+   ``-p`` is specified, ``named``'s process ID is returned. This allows
+   an external process to determine when ``named`` has completed
+   halting.
+
+   See also ``rndc stop``.
+
+``loadkeys`` [*zone* [*class* [*view*]]]
+   This command fetches all DNSSEC keys for the given zone from the key directory. If
+   they are within their publication period, they are merged into the
+   zone's DNSKEY RRset. Unlike ``rndc sign``, however, the zone is not
+   immediately re-signed by the new keys, but is allowed to
+   incrementally re-sign over time.
+
+   This command requires that the zone be configured with a ``dnssec-policy``, or
+   that the ``auto-dnssec`` zone option be set to ``maintain``, and also requires the
+   zone to be configured to allow dynamic DNS. (See "Dynamic Update Policies" in
+   the Administrator Reference Manual for more details.)
+
+``managed-keys`` (*status* | *refresh* | *sync* | *destroy*) [*class* [*view*]]
+   This command inspects and controls the "managed-keys" database which handles
+   :rfc:`5011` DNSSEC trust anchor maintenance. If a view is specified, these
+   commands are applied to that view; otherwise, they are applied to all
+   views.
+
+   -  When run with the ``status`` keyword, this prints the current status of
+      the managed-keys database.
+
+   -  When run with the ``refresh`` keyword, this forces an immediate refresh
+      query to be sent for all the managed keys, updating the
+      managed-keys database if any new keys are found, without waiting
+      the normal refresh interval.
+
+   -  When run with the ``sync`` keyword, this forces an immediate dump of
+      the managed-keys database to disk (in the file
+      ``managed-keys.bind`` or (``viewname.mkeys``). This synchronizes
+      the database with its journal file, so that the database's current
+      contents can be inspected visually.
+
+   -  When run with the ``destroy`` keyword, the managed-keys database
+      is shut down and deleted, and all key maintenance is terminated.
+      This command should be used only with extreme caution.
+
+      Existing keys that are already trusted are not deleted from
+      memory; DNSSEC validation can continue after this command is used.
+      However, key maintenance operations cease until ``named`` is
+      restarted or reconfigured, and all existing key maintenance states
+      are deleted.
+
+      Running ``rndc reconfig`` or restarting ``named`` immediately
+      after this command causes key maintenance to be reinitialized
+      from scratch, just as if the server were being started for the
+      first time. This is primarily intended for testing, but it may
+      also be used, for example, to jumpstart the acquisition of new
+      keys in the event of a trust anchor rollover, or as a brute-force
+      repair for key maintenance problems.
+
+``modzone`` *zone* [*class* [*view*]] *configuration*
+   This command modifies the configuration of a zone while the server is running. This
+   command requires the ``allow-new-zones`` option to be set to ``yes``.
+   As with ``addzone``, the configuration string specified on the
+   command line is the zone configuration text that would ordinarily be
+   placed in ``named.conf``.
+
+   If the zone was originally added via ``rndc addzone``, the
+   configuration changes are recorded permanently and are still
+   in effect after the server is restarted or reconfigured. However, if
+   it was originally configured in ``named.conf``, then that original
+   configuration remains in place; when the server is restarted or
+   reconfigured, the zone reverts to its original configuration. To
+   make the changes permanent, it must also be modified in
+   ``named.conf``.
+
+   See also ``rndc addzone`` and ``rndc delzone``.
+
+``notify`` *zone* [*class* [*view*]]
+   This command resends NOTIFY messages for the zone.
+
+``notrace``
+   This command sets the server's debugging level to 0.
+
+   See also ``rndc trace``.
+
+``nta`` [( **-class** *class* | **-dump** | **-force** | **-remove** | **-lifetime** *duration*)] *domain* [*view*]
+   This command sets a DNSSEC negative trust anchor (NTA) for ``domain``, with a
+   lifetime of ``duration``. The default lifetime is configured in
+   ``named.conf`` via the ``nta-lifetime`` option, and defaults to one
+   hour. The lifetime cannot exceed one week.
+
+   A negative trust anchor selectively disables DNSSEC validation for
+   zones that are known to be failing because of misconfiguration rather
+   than an attack. When data to be validated is at or below an active
+   NTA (and above any other configured trust anchors), ``named``
+   aborts the DNSSEC validation process and treats the data as insecure
+   rather than bogus. This continues until the NTA's lifetime has
+   elapsed.
+
+   NTAs persist across restarts of the ``named`` server. The NTAs for a
+   view are saved in a file called ``name.nta``, where ``name`` is the name
+   of the view; if it contains characters that are incompatible with
+   use as a file name, a cryptographic hash is generated from the name of
+   the view.
+
+   An existing NTA can be removed by using the ``-remove`` option.
+
+   An NTA's lifetime can be specified with the ``-lifetime`` option.
+   TTL-style suffixes can be used to specify the lifetime in seconds,
+   minutes, or hours. If the specified NTA already exists, its lifetime
+   is updated to the new value. Setting ``lifetime`` to zero is
+   equivalent to ``-remove``.
+
+   If ``-dump`` is used, any other arguments are ignored and a list
+   of existing NTAs is printed. Note that this may include NTAs that are
+   expired but have not yet been cleaned up.
+
+   Normally, ``named`` periodically tests to see whether data below
+   an NTA can now be validated (see the ``nta-recheck`` option in the
+   Administrator Reference Manual for details). If data can be
+   validated, then the NTA is regarded as no longer necessary and is
+   allowed to expire early. The ``-force`` parameter overrides this behavior
+   and forces an NTA to persist for its entire lifetime, regardless of
+   whether data could be validated if the NTA were not present.
+
+   The view class can be specified with ``-class``. The default is class
+   ``IN``, which is the only class for which DNSSEC is currently
+   supported.
+
+   All of these options can be shortened, i.e., to ``-l``, ``-r``,
+   ``-d``, ``-f``, and ``-c``.
+
+   Unrecognized options are treated as errors. To refer to a domain or
+   view name that begins with a hyphen, use a double-hyphen (--) on the
+   command line to indicate the end of options.
+
+``querylog`` [(*on* | *off*)]
+   This command enables or disables query logging. For backward compatibility, this
+   command can also be used without an argument to toggle query logging
+   on and off.
+
+   Query logging can also be enabled by explicitly directing the
+   ``queries`` ``category`` to a ``channel`` in the ``logging`` section
+   of ``named.conf``, or by specifying ``querylog yes;`` in the
+   ``options`` section of ``named.conf``.
+
+``reconfig``
+   This command reloads the configuration file and loads new zones, but does not reload
+   existing zone files even if they have changed. This is faster than a
+   full ``reload`` when there is a large number of zones, because it
+   avoids the need to examine the modification times of the zone files.
+
+``recursing``
+   This command dumps the list of queries ``named`` is currently
+   recursing on, and the list of domains to which iterative queries
+   are currently being sent.
+
+   The first list includes all unique clients that are waiting for
+   recursion to complete, including the query that is awaiting a
+   response and the timestamp (seconds since the Unix epoch) of
+   when named started processing this client query.
+
+   The second list comprises of domains for which there are active
+   (or recently active) fetches in progress.  It reports the number
+   of active fetches for each domain and the number of queries that
+   have been passed (allowed) or dropped (spilled) as a result of
+   the ``fetches-per-zone`` limit.  (Note: these counters are not
+   cumulative over time; whenever the number of active fetches for
+   a domain drops to zero, the counter for that domain is deleted,
+   and the next time a fetch is sent to that domain, it is recreated
+   with the counters set to zero).
+
+``refresh`` *zone* [*class* [*view*]]
+   This command schedules zone maintenance for the given zone.
+
+``reload``
+   This command reloads the configuration file and zones.
+
+``reload`` *zone* [*class* [*view*]]
+   This command reloads the given zone.
+
+``retransfer`` *zone* [*class* [*view*]]
+   This command retransfers the given secondary zone from the primary server.
+
+   If the zone is configured to use ``inline-signing``, the signed
+   version of the zone is discarded; after the retransfer of the
+   unsigned version is complete, the signed version is regenerated
+   with new signatures.
+
+``scan``
+   This command scans the list of available network interfaces for changes, without
+   performing a full ``reconfig`` or waiting for the
+   ``interface-interval`` timer.
+
+``secroots`` [**-**] [*view* ...]
+   This command dumps the security roots (i.e., trust anchors configured via
+   ``trust-anchors``, or the ``managed-keys`` or ``trusted-keys`` statements
+   [both deprecated], or ``dnssec-validation auto``) and negative trust anchors
+   for the specified views. If no view is specified, all views are
+   dumped. Security roots indicate whether they are configured as trusted
+   keys, managed keys, or initializing managed keys (managed keys that have not
+   yet been updated by a successful key refresh query).
+
+   If the first argument is ``-``, then the output is returned via the
+   ``rndc`` response channel and printed to the standard output.
+   Otherwise, it is written to the secroots dump file, which defaults to
+   ``named.secroots``, but can be overridden via the ``secroots-file``
+   option in ``named.conf``.
+
+   See also ``rndc managed-keys``.
+
+``serve-stale`` (**on** | **off** | **reset** | **status**) [*class* [*view*]]
+   This command enables, disables, resets, or reports the current status of the serving
+   of stale answers as configured in ``named.conf``.
+
+   If serving of stale answers is disabled by ``rndc-serve-stale off``,
+   then it remains disabled even if ``named`` is reloaded or
+   reconfigured. ``rndc serve-stale reset`` restores the setting as
+   configured in ``named.conf``.
+
+   ``rndc serve-stale status`` reports whether serving of stale
+   answers is currently enabled, disabled by the configuration, or
+   disabled by ``rndc``. It also reports the values of
+   ``stale-answer-ttl`` and ``max-stale-ttl``.
+
+``showzone`` *zone* [*class* [*view*]]
+   This command prints the configuration of a running zone.
+
+   See also ``rndc zonestatus``.
+
+``sign`` *zone* [*class* [*view*]]
+   This command fetches all DNSSEC keys for the given zone from the key directory (see
+   the ``key-directory`` option in the BIND 9 Administrator Reference
+   Manual). If they are within their publication period, they are merged into
+   the zone's DNSKEY RRset. If the DNSKEY RRset is changed, then the
+   zone is automatically re-signed with the new key set.
+
+   This command requires that the zone be configured with a ``dnssec-policy``, or
+   that the ``auto-dnssec`` zone option be set to ``allow`` or ``maintain``,
+   and also requires the zone to be configured to allow dynamic DNS. (See
+   "Dynamic Update Policies" in the BIND 9 Administrator Reference Manual for more
+   details.)
+
+   See also ``rndc loadkeys``.
+
+``signing`` [(**-list** | **-clear** *keyid/algorithm* | **-clear** *all* | **-nsec3param** ( *parameters* | none ) | **-serial** *value* ) *zone* [*class* [*view*]]
+   This command lists, edits, or removes the DNSSEC signing-state records for the
+   specified zone. The status of ongoing DNSSEC operations, such as
+   signing or generating NSEC3 chains, is stored in the zone in the form
+   of DNS resource records of type ``sig-signing-type``.
+   ``rndc signing -list`` converts these records into a human-readable
+   form, indicating which keys are currently signing or have finished
+   signing the zone, and which NSEC3 chains are being created or
+   removed.
+
+   ``rndc signing -clear`` can remove a single key (specified in the
+   same format that ``rndc signing -list`` uses to display it), or all
+   keys. In either case, only completed keys are removed; any record
+   indicating that a key has not yet finished signing the zone is
+   retained.
+
+   ``rndc signing -nsec3param`` sets the NSEC3 parameters for a zone.
+   This is the only supported mechanism for using NSEC3 with
+   ``inline-signing`` zones. Parameters are specified in the same format
+   as an NSEC3PARAM resource record: ``hash algorithm``, ``flags``, ``iterations``,
+   and ``salt``, in that order.
+
+   Currently, the only defined value for ``hash algorithm`` is ``1``,
+   representing SHA-1. The ``flags`` may be set to ``0`` or ``1``,
+   depending on whether the opt-out bit in the NSEC3
+   chain should be set. ``iterations`` defines the number of additional times to apply
+   the algorithm when generating an NSEC3 hash. The ``salt`` is a string
+   of data expressed in hexadecimal, a hyphen (``-``) if no salt is to be
+   used, or the keyword ``auto``, which causes ``named`` to generate a
+   random 64-bit salt.
+
+   The only recommended configuration is ``rndc signing -nsec3param 1 0 0 - zone``,
+   i.e. no salt, no additional iterations, no opt-out.
+
+   .. warning::
+      Do not use extra iterations, salt, or opt-out unless all their implications
+      are fully understood. A higher number of iterations causes interoperability
+      problems and opens servers to CPU-exhausting DoS attacks.
+
+   ``rndc signing -nsec3param none`` removes an existing NSEC3 chain and
+   replaces it with NSEC.
+
+   ``rndc signing -serial value`` sets the serial number of the zone to
+   ``value``. If the value would cause the serial number to go backwards, it
+   is rejected. The primary use of this parameter is to set the serial number on inline
+   signed zones.
+
+``stats``
+   This command writes server statistics to the statistics file. (See the
+   ``statistics-file`` option in the BIND 9 Administrator Reference
+   Manual.)
+
+``status``
+   This command displays the status of the server. Note that the number of zones includes
+   the internal ``bind/CH`` zone and the default ``./IN`` hint zone, if
+   there is no explicit root zone configured.
+
+``stop`` **-p**
+   This command stops the server, making sure any recent changes made through dynamic
+   update or IXFR are first saved to the master files of the updated
+   zones. If ``-p`` is specified, ``named(8)`'s process ID is returned.
+   This allows an external process to determine when ``named`` has
+   completed stopping.
+
+   See also ``rndc halt``.
+
+``sync`` **-clean** [*zone* [*class* [*view*]]]
+   This command syncs changes in the journal file for a dynamic zone to the master
+   file. If the "-clean" option is specified, the journal file is also
+   removed. If no zone is specified, then all zones are synced.
+
+``tcp-timeouts`` [*initial* *idle* *keepalive* *advertised*]
+   When called without arguments, this command displays the current values of the
+   ``tcp-initial-timeout``, ``tcp-idle-timeout``,
+   ``tcp-keepalive-timeout``, and ``tcp-advertised-timeout`` options.
+   When called with arguments, these values are updated. This allows an
+   administrator to make rapid adjustments when under a
+   denial-of-service (DoS) attack. See the descriptions of these options in the BIND 9
+   Administrator Reference Manual for details of their use.
+
+``thaw`` [*zone* [*class* [*view*]]]
+   This command enables updates to a frozen dynamic zone. If no zone is specified,
+   then all frozen zones are enabled. This causes the server to reload
+   the zone from disk, and re-enables dynamic updates after the load has
+   completed. After a zone is thawed, dynamic updates are no longer
+   refused. If the zone has changed and the ``ixfr-from-differences``
+   option is in use, the journal file is updated to reflect
+   changes in the zone. Otherwise, if the zone has changed, any existing
+   journal file is removed.
+
+   See also ``rndc freeze``.
+
+``trace``
+   This command increments the server's debugging level by one.
+
+``trace`` *level*
+   This command sets the server's debugging level to an explicit value.
+
+   See also ``rndc notrace``.
+
+``tsig-delete`` *keyname* [*view*]
+   This command deletes a given TKEY-negotiated key from the server. This does not
+   apply to statically configured TSIG keys.
+
+``tsig-list``
+   This command lists the names of all TSIG keys currently configured for use by
+   ``named`` in each view. The list includes both statically configured keys and
+   dynamic TKEY-negotiated keys.
+
+``validation`` (**on** | **off** | **status**) [*view* ...]``
+   This command enables, disables, or checks the current status of DNSSEC validation. By
+   default, validation is enabled.
+
+   The cache is flushed when validation is turned on or off to avoid using data
+   that might differ between states.
+
+``zonestatus`` *zone* [*class* [*view*]]
+   This command displays the current status of the given zone, including the master
+   file name and any include files from which it was loaded, when it was
+   most recently loaded, the current serial number, the number of nodes,
+   whether the zone supports dynamic updates, whether the zone is DNSSEC
+   signed, whether it uses automatic DNSSEC key management or inline
+   signing, and the scheduled refresh or expiry times for the zone.
+
+   See also ``rndc showzone``.
+
+``rndc`` commands that specify zone names, such as ``reload``,
+``retransfer``, or ``zonestatus``, can be ambiguous when applied to zones
+of type ``redirect``. Redirect zones are always called ``.``, and can be
+confused with zones of type ``hint`` or with secondary copies of the root
+zone. To specify a redirect zone, use the special zone name
+``-redirect``, without a trailing period. (With a trailing period, this
+would specify a zone called "-redirect".)
+
+Limitations
+~~~~~~~~~~~
+
+There is currently no way to provide the shared secret for a ``key_id``
+without using the configuration file.
+
+Several error messages could be clearer.
+
+See Also
+~~~~~~~~
+
+:manpage:`rndc.conf(5)`, :manpage:`rndc-confgen(8)`,
+:manpage:`named(8)`, :manpage:`named.conf(5)`, :manpage:`ndc(8)`, BIND 9 Administrator
+Reference Manual.
diff --git a/bin/rndc/util.c b/bin/rndc/util.c
new file mode 100644
index 0000000..3b3587c
--- /dev/null
+++ b/bin/rndc/util.c
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include "util.h"
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <isc/print.h>
+
+extern bool verbose;
+extern const char *progname;
+
+void
+notify(const char *fmt, ...) {
+	va_list ap;
+
+	if (verbose) {
+		va_start(ap, fmt);
+		vfprintf(stderr, fmt, ap);
+		va_end(ap);
+		fputs("\n", stderr);
+	}
+}
+
+void
+fatal(const char *format, ...) {
+	va_list args;
+
+	fprintf(stderr, "%s: ", progname);
+	va_start(args, format);
+	vfprintf(stderr, format, args);
+	va_end(args);
+	fprintf(stderr, "\n");
+	exit(1);
+}
diff --git a/bin/rndc/util.h b/bin/rndc/util.h
new file mode 100644
index 0000000..2d3c664
--- /dev/null
+++ b/bin/rndc/util.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RNDC_UTIL_H
+#define RNDC_UTIL_H 1
+
+/*! \file */
+
+#include <isc/formatcheck.h>
+#include <isc/lang.h>
+#include <isc/platform.h>
+
+#define NS_CONTROL_PORT 953
+
+#undef DO
+#define DO(name, function)                                                \
+	do {                                                              \
+		result = function;                                        \
+		if (result != ISC_R_SUCCESS)                              \
+			fatal("%s: %s", name, isc_result_totext(result)); \
+		else                                                      \
+			notify("%s", name);                               \
+	} while (0)
+
+ISC_LANG_BEGINDECLS
+
+void
+notify(const char *fmt, ...) ISC_FORMAT_PRINTF(1, 2);
+
+ISC_PLATFORM_NORETURN_PRE void
+fatal(const char *format, ...)
+	ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
+
+ISC_LANG_ENDDECLS
+
+#endif /* RNDC_UTIL_H */
diff --git a/bin/rndc/win32/rndc.vcxproj.filters.in b/bin/rndc/win32/rndc.vcxproj.filters.in
new file mode 100644
index 0000000..5187c16
--- /dev/null
+++ b/bin/rndc/win32/rndc.vcxproj.filters.in
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\util.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\rndc.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/rndc/win32/rndc.vcxproj.in b/bin/rndc/win32/rndc.vcxproj.in
new file mode 100644
index 0000000..2a72f5e
--- /dev/null
+++ b/bin/rndc/win32/rndc.vcxproj.in
@@ -0,0 +1,122 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{39721F26-8B80-4AA9-9826-2AEF7322C3D5}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>rndc</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccc\include;..\..\..\lib\isccfg\include;..\..\..\lib\bind9\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\isccc\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@util.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;libbind9.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccc\include;..\..\..\lib\isccfg\include;..\..\..\lib\bind9\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\isccc\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@util.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;libbind9.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClInclude Include="..\util.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\rndc.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/rndc/win32/rndc.vcxproj.user b/bin/rndc/win32/rndc.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/rndc/win32/rndc.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/rndc/win32/rndcutil.vcxproj.filters.in b/bin/rndc/win32/rndcutil.vcxproj.filters.in
new file mode 100644
index 0000000..766ea80
--- /dev/null
+++ b/bin/rndc/win32/rndcutil.vcxproj.filters.in
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\util.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\util.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/rndc/win32/rndcutil.vcxproj.in b/bin/rndc/win32/rndcutil.vcxproj.in
new file mode 100644
index 0000000..fad1472
--- /dev/null
+++ b/bin/rndc/win32/rndcutil.vcxproj.in
@@ -0,0 +1,113 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{7C8681A1-E3A8-470E-9EEF-16054D111A19}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>rndcutil</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>.\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+    <TargetName>util</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>.\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+    <TargetName>util</TargetName>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Lib>
+      <OutputFile>$(OutDir)$(TargetName)$(TargetExt)</OutputFile>
+    </Lib>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Lib>
+      <OutputFile>$(OutDir)$(TargetName)$(TargetExt)</OutputFile>
+    </Lib>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClInclude Include="..\util.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\util.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/rndc/win32/rndcutil.vcxproj.user b/bin/rndc/win32/rndcutil.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/rndc/win32/rndcutil.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/tests/Makefile.in b/bin/tests/Makefile.in
new file mode 100644
index 0000000..a1e7ea0
--- /dev/null
+++ b/bin/tests/Makefile.in
@@ -0,0 +1,87 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
+		${OPENSSL_CFLAGS}
+
+CDEFINES =
+CWARNINGS =
+BACKTRACECFLAGS = @BACKTRACECFLAGS@
+
+DNSLIBS =	../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+ISCLIBS =	../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS
+ISCCFGLIBS = 	../../lib/isccfg/libisccfg.@A@
+
+DNSDEPLIBS =	../../lib/dns/libdns.@A@
+ISCDEPLIBS =	../../lib/isc/libisc.@A@
+ISCDEPNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
+ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
+
+LIBS =		@LIBS@
+
+SUBDIRS =	system @PKCS11_TOOLS@
+TESTDIRS =	system
+
+# Test programs that are built by default:
+# cfg_test is needed for regenerating doc/misc/options
+# makejournal is needed by system tests
+# wire_test is needed for fuzz testing
+# other opptional test programs have been moved to ./optional
+
+# Alphabetically
+XTARGETS =	all_tests
+TARGETS =	cfg_test@EXEEXT@ makejournal@EXEEXT@ \
+		wire_test@EXEEXT@ @XTARGETS@
+
+SRCS =		cfg_test.c makejournal.c wire_test.c
+
+@BIND9_MAKE_RULES@
+
+.NOTPARALLEL:
+
+.PHONY:
+all_tests:
+	echo "making depend in `pwd`/optional"; \
+	(cd optional; ${MAKE} ${MAKEDEFS} DESTDIR="${DESTDIR}" $@)
+
+wire_test@EXEEXT@: wire_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ wire_test.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+cfg_test@EXEEXT@: cfg_test.@O@ ${ISCCFGDEPLIBS} ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ cfg_test.@O@ \
+		${ISCCFGLIBS} ${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+makejournal@EXEEXT@: makejournal.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ makejournal.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+distclean::
+	rm -f headerdep_test.sh
+
+clean distclean::
+	rm -f ${TARGETS}
+	( cd optional; $(MAKE) $@)
+
+check: test
+
+test:
+	@for dir in $(TESTDIRS) ;\
+	do \
+		( cd $$dir; $(MAKE) test ) ;\
+	done
diff --git a/bin/tests/bigtest/README b/bin/tests/bigtest/README
new file mode 100644
index 0000000..2d90f94
--- /dev/null
+++ b/bin/tests/bigtest/README
@@ -0,0 +1,18 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+	bash buildzones.sh < zones	# creates setup, run, servers/* master/*
+					# named.conf
+	sudo sh setup			# configure interfaces
+	sh run				# setup
+
+	../named/named [-g] -c named.conf
+
+	sh tests.sh < zones
+
+	sudo sh teardown		# teardown interfaces
+
+The test server can controlled with
+
+	rndc -k rndc.key -s 127.127.0.0 -p 5300 
diff --git a/bin/tests/bigtest/buildzones.sh b/bin/tests/bigtest/buildzones.sh
new file mode 100644
index 0000000..47b4cda
--- /dev/null
+++ b/bin/tests/bigtest/buildzones.sh
@@ -0,0 +1,269 @@
+#!/bin/bash
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. ../conf.sh
+
+addr=127.127.0.0
+ttl=300
+named=${NAMED}
+keygen=${KEYGEN}
+dsfromkey=${DSFROMKEY}
+
+nextaddr() {
+	OLDIF="$IFS"
+	IFS="${IFS}."
+	set $1
+	IFS="$OLDIFS"
+	_a=$1 _b=$2 _c=$3 _d=$4
+	_d=$(($_d + 1))
+	case $_d in
+	256) _c=$(($_c + 1)); _d=0;;
+	esac
+	case $_c in
+	256) _b=$(($_b + 1)); _c=0;;
+	esac
+	echo $_a.$_b.$_c.$_d
+}
+
+parent() {
+	OLDIF="$IFS"
+	IFS="${IFS}."
+	set $1
+	IFS="$OLDIFS"
+	shift
+	while [ $# -ne 0 ]
+	do
+		printf %s ${1}
+		shift
+		printf %s ${1:+.}
+		
+	done
+}
+
+blackhole() {
+	echo 'options {'
+	echo '	port 5300;'
+	echo "	listen-on { $1; };"
+	echo "	query-source $1;"
+	echo "	notify-source $1;"
+	echo "	transfer-source $1;"
+	echo '	key-directory "keys";'
+	echo "	recursion ${2:-no};"
+	echo '	pid-file "pids/'"${addr}"'.pid";'
+	echo '	blackhole { 127.127.0.0; };'
+	echo '};'
+}
+
+refuse() {
+	echo 'options {'
+	echo '	port 5300;'
+	echo "	listen-on { $1; };"
+	echo "	query-source $1;"
+	echo "	notify-source $1;"
+	echo "	transfer-source $1;"
+	echo '	key-directory "keys";'
+	echo "	recursion ${2:-no};"
+	echo '	pid-file "pids/'"${addr}"'.pid";'
+	echo '	allow-query { !127.127.0.0; any; };'
+	echo '};'
+}
+
+options() {
+	echo 'options {'
+	echo '	port 5300;'
+	echo "	listen-on { $1; };"
+	echo "	query-source $1;"
+	echo "	notify-source $1;"
+	echo "	transfer-source $1;"
+	echo '	key-directory "keys";'
+	echo "	recursion ${2:-no};"
+	echo '	pid-file "pids/'"${addr}"'.pid";'
+	echo '};'
+}
+
+controls() {
+       echo 'include "rndc.key";'
+       echo "controls { inet $addr port 9953 allow { any; } keys { "rndc-key"; }; };"
+}
+
+delay() {
+	_s=$1
+	OLDIF="$IFS"
+	IFS="${IFS}/"
+	set ${2:-.}
+	IFS="$OLDIFS"
+
+	case $1 in
+	.) _d=;;
+	*) _d=$1;;
+	esac
+	case $_s in
+	1) echo -T delay=${_d:-100};;
+	2) echo -T delay=${2:-50};;
+	3) echo -T delay=${3:-150};;
+	4) echo -T delay=${4:-250};;
+	5) echo -T delay=${5:-125};;
+	6) echo -T delay=${6:-25};;
+	7) echo -T delay=${7:-75};;
+	8) echo -T delay=${8:-125};;
+	9) echo -T delay=${9:-10};;
+	10) echo -T delay=${10:-40};;
+	11) echo -T delay=${11:-80};;
+	12) echo -T delay=${12:-90};;
+	*) echo -T delay=50;;
+	esac
+}
+
+trusted-keys () {
+	awk '$3 == "DNSKEY" {
+	        b = ""; for (i=7; i <= NF; i++) { b = b $i; };
+		print "trusted-keys { \""$1"\"",$4,$5,$6,"\""b"\"; };" };'
+}
+
+signed-zone () {
+	echo "zone "'"'"${1:-.}"'"'" {"
+	echo "	type master;"
+	echo "	file "'"'"master/${2}.db"'"'";"
+	echo "	auto-dnssec maintain;"
+	echo "	allow-update { any; };"
+	echo "};"
+}
+
+unsigned-zone () {
+	echo "zone "'"'"${1:-.}"'"'" {"
+	echo "	type master;"
+	echo "	file "'"'"master/${2}.db"'"'";"
+	echo "};"
+}
+
+slave-zone () {
+	echo "zone "'"'"${zone:-.}"'"'" {"
+	echo "	type slave;"
+	echo "	masters { ${master}; };"
+	echo "};"
+}
+
+rm -rf servers master keys setup teardown run 
+mkdir -p servers
+mkdir -p master
+mkdir -p keys
+
+echo "ifconfig lo0 $addr netmask 0xffffffff alias" >> setup
+echo "ifconfig lo0 $addr -alias" >> teardown
+controls $addr > named.conf
+options $addr yes >> named.conf
+echo 'zone "." { type hint; file "master/hint.db"; };' >> named.conf
+
+while read zone servers nsfmt signed delay blackhole refuse flags
+do
+	i=1
+	case "${zone}" in
+	.) file=root zone=;;
+	*) file="$zone";;
+	esac
+	if [ "${zone}" != "" ] ; then
+		p=$(parent $zone)
+		case "${p}" in
+		"") p=root;;
+		esac
+	else
+		p=hint
+	fi
+	#echo "zone='${zone}' parent='${p}'"
+	addr=$(nextaddr $addr)
+	ns=$(printf "$nsfmt" ${i} "${zone}")
+	d=$(delay $i ${delay:-.})
+
+	echo "${zone}. ${ttl} soa ${ns}. hostmaster.${zone}${zone:+.} 1 3600 1200 604800 1200" >> master/${file}.db
+	echo "${zone}. ${ttl} ns ${ns}." >> master/${file}.db
+	echo "${ns}. ${ttl} a ${addr}" >> master/${file}.db
+	echo "${zone}. ${ttl} ns ${ns}." >> master/${p}.db
+	echo "${ns}. ${ttl} a ${addr}" >> master/${p}.db
+	if [ $signed = "S" ]; then
+		kskkey=`${keygen} -K keys -f KSK ${zone:-.}`
+		zskkey=`${keygen} -K keys ${zone:-.}`
+		if [ "${zone}" != "" ] ; then
+			${dsfromkey} -T ${ttl} keys/${kskkey}.key >> master/${p}.db
+		else
+			trusted-keys <  keys/${kskkey}.key >> named.conf
+		fi
+	fi
+	echo "ifconfig lo0 $addr netmask 0xffffffff alias" >> setup
+	echo "ifconfig lo0 $addr -alias" >> teardown
+	echo "${named} -D bigtest -c servers/${addr}.conf $d $flags" >> run
+	options ${addr} > servers/${addr}.conf
+	case ${signed} in
+	S) signed-zone ${zone:-.} ${file} >> servers/${addr}.conf;;
+	P) unsigned-zone ${zone:-.} ${file} >> servers/${addr}.conf;;
+	*) echo ${signed}; exit 1;;
+	esac
+
+	# slave servers
+	while [ $i -lt $servers ]
+	do
+		master=$addr
+		i=$(($i + 1))
+		ns=$(printf "$nsfmt" ${i} "${zone}")
+		d=$(delay $i ${delay:-.})
+		addr=$(nextaddr $addr)
+		echo "${zone}. ${ttl} ns ${ns}." >> master/${file}.db
+		echo "${ns}. ${ttl} a ${addr}" >> master/${file}.db
+		echo "${zone}. ${ttl} ns ${ns}." >> master/${p}.db
+		echo "${ns}. ${ttl} a ${addr}" >> master/${p}.db
+		echo "ifconfig lo0 $addr netmask 0xffffffff alias" >> setup
+		echo "ifconfig lo0 $addr -alias" >> teardown
+		echo "${named} -D bigtest -c servers/${addr}.conf $d $flags" >> run
+		if [ $i = ${refuse:-.} ]
+		then
+			refuse $addr > servers/${addr}.conf
+		elif [ $i = ${blackhole:-.} ]
+		then
+			blackhole $addr > servers/${addr}.conf
+		else
+			options $addr > servers/${addr}.conf
+		fi
+		slave-zone ${zone:-.} ${master} >> servers/${addr}.conf
+	done
+	if [ "${zone}" != "" ] ; then
+		echo "www.${zone}. ${ttl} a 127.0.0.1" >> master/${file}.db
+		echo "www.${zone}. ${ttl} aaaa ::1" >> master/${file}.db
+		echo "${zone}. ${ttl} mx 10 mail.${zone}." >> master/${file}.db
+		echo "mail.${zone}. ${ttl} a 127.0.0.1" >> master/${file}.db
+		echo "mail.${zone}. ${ttl} aaaa ::1" >> master/${file}.db
+		echo "*.big.${zone}. ${ttl} txt (" >> master/${file}.db
+		i=0
+		while [ $i -lt 150 ]
+		do
+			echo "1234567890" >> master/${file}.db
+			i=$(($i + 1))
+		done
+		echo ")" >> master/${file}.db
+		echo "*.medium.${zone}. ${ttl} txt (" >> master/${file}.db
+		i=0
+		while [ $i -lt 120 ]
+		do
+			echo "1234567890" >> master/${file}.db
+			i=$(($i + 1))
+		done
+		echo ")" >> master/${file}.db
+		echo "*.medium.${zone}. ${ttl} txt (" >> master/${file}.db
+		i=0
+		while [ $i -lt 120 ]
+		do
+			echo "1234567890" >> master/${file}.db
+			i=$(($i + 1))
+		done
+		echo ")" >> master/${file}.db
+	fi
+done
diff --git a/bin/tests/bigtest/rndc.key b/bin/tests/bigtest/rndc.key
new file mode 100644
index 0000000..f279e14
--- /dev/null
+++ b/bin/tests/bigtest/rndc.key
@@ -0,0 +1,5 @@
+key "rndc-key" {
+        algorithm hmac-md5;
+        secret "xxxxxxxxxxxxxxxxxxxxHg==";
+};
+
diff --git a/bin/tests/bigtest/tests.sh b/bin/tests/bigtest/tests.sh
new file mode 100644
index 0000000..19fc238
--- /dev/null
+++ b/bin/tests/bigtest/tests.sh
@@ -0,0 +1,78 @@
+#!/bin/bash
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+TOP=$( (cd ../../.. && pwd) )
+dig=${TOP}/bin/dig/dig
+
+cmd="${dig} -p 5300 @127.127.0.0 txt"
+inner() {
+	zone=$1 i=$2 to=$3
+	x=$i
+	dout=dig$x.out
+	tout=time$x.out
+	while [ $i -lt $to ]
+	do
+		case $zone in
+		.) zone=;;
+		esac
+		
+		(time -p $cmd $i.${sub}$zone > $dout ) 2> $tout
+		s=`sed -n '/real/s/[^0-9]*\([0-9]*\)\..*/\1/p' $tout`
+		case $s in
+		0);;
+		1) t1=`expr ${t1:-0} + 1`;;
+		2) t2=`expr ${t2:-0} + 1`;;
+		3) t3=`expr ${t3:-0} + 1`;;
+		*) echo $i `grep real $tout`;;
+		esac
+
+		grep "status: \(NXDOMAIN\|NOERROR\)" $dout > /dev/null || {
+			echo $cmd $i.${sub}$zone
+			cat $dout
+		}
+		i=`expr $i + 1`
+	done
+	if test ${t1:-0} -ne 0 -o ${t2:-0} -ne 0 -o ${t3:-0} -ne 0
+	then
+		echo "$x timeouts: t1=${t1:-0} t2=${t2:-0} t3=${t3:-0}"
+	fi
+}
+
+while read zone rest
+do
+	for sub in "" medium. big.
+	do
+		case $zone in
+		.) echo doing ${sub:-.};;
+		*) echo doing $sub$zone;;
+		esac
+		( inner $zone 1 100) &
+		( inner $zone 101 200) &
+		( inner $zone 201 300) &
+		( inner $zone 301 400) &
+		( inner $zone 401 500) &
+		( inner $zone 501 600) &
+		( inner $zone 601 700) &
+		( inner $zone 701 800) &
+		( inner $zone 801 900) &
+		( inner $zone 901 1000) &
+		( inner $zone 1001 1100) &
+		( inner $zone 1101 1200) &
+		( inner $zone 1201 1300) &
+		( inner $zone 1301 1400) &
+		( inner $zone 1401 1500) &
+		( inner $zone 1501 1600) &
+		( inner $zone 1601 1700) &
+		wait
+	done
+done
diff --git a/bin/tests/bigtest/zones b/bin/tests/bigtest/zones
new file mode 100644
index 0000000..0bdcdfe
--- /dev/null
+++ b/bin/tests/bigtest/zones
@@ -0,0 +1,18 @@
+noedns-1.tld	1	ns%u.%s P . x x -T noedns
+dropedns-1.tld	1	ns%u.%s P . x x -T dropedns
+maxudp512-1.tld	1	ns%u.%s S . x x -T maxudp=512
+maxudp1460-1.tld	1	ns%u.%s S . x x -T maxudp=1460
+plain-1.tld	1	ns%u.%s S . x x
+noedns-3.tld	3	ns%u.%s	P . 2 x -T noedns 
+dropedns-3.tld	3	ns%u.%s P . 2 x -T dropedns
+maxudp512-3.tld	3	ns%u.%s S . x x -T maxudp=512
+maxudp1460-3.tld	3	ns%u.%s S . x x -T maxudp=1460
+plain-3.tld	3	ns%u.%s S . x 3
+noedns-5.tld	5	ns%u.%s	P . 3 x -T noedns
+dropedns-5.tld	5	ns%u.%s P . x x -T dropedns
+maxudp512-5.tld	5	ns%u.%s S . x x -T maxudp=512
+maxudp1460-5.tld	5	ns%u.%s S . x x -T maxudp=1460
+400ms-1.tld	5	ns%u.%s S 400/400/400/400/400 2 x
+plain-5.tld	5	ns%u.%s S . x x
+tld		12	ns%u.%s S . 5 8
+.		12	ns%u.root-servers.nil%s S . x x
diff --git a/bin/tests/cfg_test.c b/bin/tests/cfg_test.c
new file mode 100644
index 0000000..a243a3e
--- /dev/null
+++ b/bin/tests/cfg_test.c
@@ -0,0 +1,195 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <errno.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/log.h>
+
+#include <isccfg/grammar.h>
+#include <isccfg/namedconf.h>
+
+static void
+check_result(isc_result_t result, const char *format, ...) {
+	va_list args;
+
+	if (result == ISC_R_SUCCESS) {
+		return;
+	}
+
+	va_start(args, format);
+	vfprintf(stderr, format, args);
+	va_end(args);
+	fprintf(stderr, ": %s\n", isc_result_totext(result));
+	exit(1);
+}
+
+static void
+output(void *closure, const char *text, int textlen) {
+	UNUSED(closure);
+	(void)fwrite(text, 1, textlen, stdout);
+}
+
+static void
+usage(void) {
+	fprintf(stderr, "usage: cfg_test --rndc|--named "
+			"[--grammar] [--zonegrammar] [--active] "
+			"[--memstats] conffile\n");
+	exit(1);
+}
+
+int
+main(int argc, char **argv) {
+	isc_result_t result;
+	isc_mem_t *mctx = NULL;
+	isc_log_t *lctx = NULL;
+	isc_logconfig_t *lcfg = NULL;
+	isc_logdestination_t destination;
+	cfg_parser_t *pctx = NULL;
+	cfg_obj_t *cfg = NULL;
+	cfg_type_t *type = NULL;
+	bool grammar = false;
+	bool memstats = false;
+	char *filename = NULL;
+	unsigned int zonetype = 0;
+	unsigned int pflags = 0;
+
+	isc_mem_create(&mctx);
+
+	isc_log_create(mctx, &lctx, &lcfg);
+	isc_log_setcontext(lctx);
+
+	/*
+	 * Create and install the default channel.
+	 */
+	destination.file.stream = stderr;
+	destination.file.name = NULL;
+	destination.file.versions = ISC_LOG_ROLLNEVER;
+	destination.file.maximum_size = 0;
+	isc_log_createchannel(lcfg, "_default", ISC_LOG_TOFILEDESC,
+			      ISC_LOG_DYNAMIC, &destination, ISC_LOG_PRINTTIME);
+
+	result = isc_log_usechannel(lcfg, "_default", NULL, NULL);
+	check_result(result, "isc_log_usechannel()");
+
+	/*
+	 * Set the initial debug level.
+	 */
+	isc_log_setdebuglevel(lctx, 2);
+
+	if (argc < 3) {
+		usage();
+	}
+
+	while (argc > 1) {
+		if (strcmp(argv[1], "--active") == 0) {
+			pflags |= CFG_PRINTER_ACTIVEONLY;
+		} else if (strcmp(argv[1], "--grammar") == 0) {
+			grammar = true;
+		} else if (strcmp(argv[1], "--zonegrammar") == 0) {
+			argv++, argc--;
+			if (argc <= 1) {
+				usage();
+			}
+			if (strcmp(argv[1], "master") == 0 ||
+			    strcmp(argv[1], "primary") == 0)
+			{
+				zonetype = CFG_ZONE_PRIMARY;
+			} else if (strcmp(argv[1], "slave") == 0 ||
+				   strcmp(argv[1], "seconary") == 0)
+			{
+				zonetype = CFG_ZONE_SECONDARY;
+			} else if (strcmp(argv[1], "mirror") == 0) {
+				zonetype = CFG_ZONE_MIRROR;
+			} else if (strcmp(argv[1], "stub") == 0) {
+				zonetype = CFG_ZONE_STUB;
+			} else if (strcmp(argv[1], "static-stub") == 0) {
+				zonetype = CFG_ZONE_STATICSTUB;
+			} else if (strcmp(argv[1], "hint") == 0) {
+				zonetype = CFG_ZONE_HINT;
+			} else if (strcmp(argv[1], "forward") == 0) {
+				zonetype = CFG_ZONE_FORWARD;
+			} else if (strcmp(argv[1], "redirect") == 0) {
+				zonetype = CFG_ZONE_REDIRECT;
+			} else if (strcmp(argv[1], "delegation-only") == 0) {
+				zonetype = CFG_ZONE_DELEGATION;
+			} else if (strcmp(argv[1], "in-view") == 0) {
+				zonetype = CFG_ZONE_INVIEW;
+			} else {
+				usage();
+			}
+		} else if (strcmp(argv[1], "--memstats") == 0) {
+			memstats = true;
+		} else if (strcmp(argv[1], "--named") == 0) {
+			type = &cfg_type_namedconf;
+		} else if (strcmp(argv[1], "--rndc") == 0) {
+			type = &cfg_type_rndcconf;
+		} else if (argv[1][0] == '-') {
+			usage();
+		} else {
+			filename = argv[1];
+		}
+		argv++, argc--;
+	}
+
+	if (grammar) {
+		if (type == NULL) {
+			usage();
+		}
+		cfg_print_grammar(type, pflags, output, NULL);
+	} else if (zonetype != 0) {
+		cfg_print_zonegrammar(zonetype, pflags, output, NULL);
+	} else {
+		if (type == NULL || filename == NULL) {
+			usage();
+		}
+		RUNTIME_CHECK(cfg_parser_create(mctx, lctx, &pctx) ==
+			      ISC_R_SUCCESS);
+
+		result = cfg_parse_file(pctx, filename, type, &cfg);
+
+		fprintf(stderr, "read config: %s\n", isc_result_totext(result));
+
+		if (result != ISC_R_SUCCESS) {
+			exit(1);
+		}
+
+		cfg_print(cfg, output, NULL);
+
+		cfg_obj_destroy(pctx, &cfg);
+
+		cfg_parser_destroy(&pctx);
+	}
+
+	isc_log_destroy(&lctx);
+	if (memstats) {
+		isc_mem_stats(mctx, stderr);
+	}
+	isc_mem_destroy(&mctx);
+
+	fflush(stdout);
+	if (ferror(stdout)) {
+		fprintf(stderr, "write error\n");
+		return (1);
+	} else {
+		return (0);
+	}
+}
diff --git a/bin/tests/headerdep_test.sh.in b/bin/tests/headerdep_test.sh.in
new file mode 100644
index 0000000..40503d2
--- /dev/null
+++ b/bin/tests/headerdep_test.sh.in
@@ -0,0 +1,51 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Check the installed bind9 headers to make sure that no header
+# depends on another header having been included first.
+#
+
+prefix=@prefix@
+tmp=/tmp/thdr$$.tmp
+
+status=0
+
+echo "Checking for header interdependencies..."
+
+# Make a list of header files.
+(cd $prefix/include; find . -name '*.h' -print | sed 's!^./!!') > $tmp
+
+# Check each header.
+while read h
+do
+    echo " - <$h>"
+
+    # Build a test program.
+    cat <<EOF >test.c
+#include <$h>
+EOF
+
+    # Compile the test program.
+    if
+       gcc @STD_CWARNINGS@ @STD_CINCLUDES@ -I$prefix/include -c test.c 2>&1
+    then
+       :
+    else
+       status=1
+    fi
+done <$tmp
+
+rm -f test.c test.o $tmp
+
+exit $status
diff --git a/bin/tests/makejournal.c b/bin/tests/makejournal.c
new file mode 100644
index 0000000..2f602da
--- /dev/null
+++ b/bin/tests/makejournal.c
@@ -0,0 +1,160 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/hash.h>
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/fixedname.h>
+#include <dns/journal.h>
+#include <dns/log.h>
+#include <dns/name.h>
+#include <dns/result.h>
+#include <dns/types.h>
+
+#define CHECK(r)                             \
+	do {                                 \
+		result = (r);                \
+		if (result != ISC_R_SUCCESS) \
+			goto cleanup;        \
+	} while (0)
+
+isc_mem_t *mctx = NULL;
+isc_log_t *lctx = NULL;
+
+static bool dst_active = false;
+
+/*
+ * Logging categories: this needs to match the list in bin/named/log.c.
+ */
+static isc_logcategory_t categories[] = { { "", 0 },
+					  { "client", 0 },
+					  { "network", 0 },
+					  { "update", 0 },
+					  { "queries", 0 },
+					  { "unmatched", 0 },
+					  { "update-security", 0 },
+					  { "query-errors", 0 },
+					  { NULL, 0 } };
+
+static isc_result_t
+loadzone(dns_db_t **db, const char *origin, const char *filename) {
+	isc_result_t result;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+
+	name = dns_fixedname_initname(&fixed);
+
+	result = dns_name_fromstring(name, origin, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone,
+			       dns_rdataclass_in, 0, NULL, db);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = dns_db_load(*db, filename, dns_masterformat_text, 0);
+	return (result);
+}
+
+int
+main(int argc, char **argv) {
+	isc_result_t result;
+	char *origin, *file1, *file2, *journal;
+	dns_db_t *olddb = NULL, *newdb = NULL;
+	isc_logdestination_t destination;
+	isc_logconfig_t *logconfig = NULL;
+
+	if (argc != 5) {
+		printf("usage: %s origin file1 file2 journal\n", argv[0]);
+		return (1);
+	}
+
+	origin = argv[1];
+	file1 = argv[2];
+	file2 = argv[3];
+	journal = argv[4];
+
+	isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
+	isc_mem_create(&mctx);
+
+	CHECK(dst_lib_init(mctx, NULL));
+	dst_active = true;
+
+	isc_log_create(mctx, &lctx, &logconfig);
+	isc_log_registercategories(lctx, categories);
+	isc_log_setcontext(lctx);
+	dns_log_init(lctx);
+	dns_log_setcontext(lctx);
+
+	destination.file.stream = stderr;
+	destination.file.name = NULL;
+	destination.file.versions = ISC_LOG_ROLLNEVER;
+	destination.file.maximum_size = 0;
+	isc_log_createchannel(logconfig, "stderr", ISC_LOG_TOFILEDESC,
+			      ISC_LOG_DYNAMIC, &destination, 0);
+
+	CHECK(isc_log_usechannel(logconfig, "stderr", NULL, NULL));
+
+	dns_result_register();
+
+	result = loadzone(&olddb, origin, file1);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "Couldn't load %s: ", file1);
+		goto cleanup;
+	}
+
+	result = loadzone(&newdb, origin, file2);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "Couldn't load %s: ", file2);
+		goto cleanup;
+	}
+
+	result = dns_db_diff(mctx, newdb, NULL, olddb, NULL, journal);
+
+cleanup:
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "%s\n", isc_result_totext(result));
+	}
+
+	if (newdb != NULL) {
+		dns_db_detach(&newdb);
+	}
+	if (olddb != NULL) {
+		dns_db_detach(&olddb);
+	}
+
+	if (lctx != NULL) {
+		isc_log_destroy(&lctx);
+	}
+	if (dst_active) {
+		dst_lib_destroy();
+		dst_active = false;
+	}
+	if (mctx != NULL) {
+		isc_mem_destroy(&mctx);
+	}
+
+	return (result != ISC_R_SUCCESS ? 1 : 0);
+}
diff --git a/bin/tests/named.conf b/bin/tests/named.conf
new file mode 100644
index 0000000..e251e71
--- /dev/null
+++ b/bin/tests/named.conf
@@ -0,0 +1,619 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * This is a worthless, nonrunnable example of a named.conf file that has
+ * every conceivable syntax element in use.  We use it to test the parser.
+ * It could also be used as a conceptual template for users of new features.
+ */
+
+/*
+ * C-style comments are OK
+ */
+
+// So are C++-style comments
+
+# So are shell-style comments
+
+// watch out for ";" -- it's important!
+
+options {
+	additional-from-auth true;
+	additional-from-cache false;
+
+	version "my version string";
+	random-device "/dev/random";
+	directory "/tmp";
+
+	port 666;
+
+	sig-validity-interval 33;
+
+# Obsolete
+	named-xfer "/usr/libexec/named-xfer";	// _PATH_XFER
+
+	dump-file "named_dump.db";  	// _PATH_DUMPFILE
+	pid-file "/var/run/named.pid";  // _PATH_PIDFILE
+	statistics-file "named.stats";  // _PATH_STATS
+	memstatistics-file "named.memstats";	// _PATH_MEMSTATS
+
+	max-cache-ttl 999;
+	min-cache-ttl 66;
+	auth-nxdomain yes;		// always set AA on NXDOMAIN.
+					// don't set this to 'no' unless
+					// you know what you're doing -- older
+					// servers won't like it.
+
+# Obsolete
+	deallocate-on-exit no;
+
+	dialup yes;
+
+# Obsolete
+	fake-iquery no;
+
+	fetch-glue yes;
+	has-old-clients yes;
+	host-statistics no;
+
+# Obsolete
+	multiple-cnames no;		// if yes, then a name my have more
+					// than one CNAME RR.  This use
+					// is non-standard and is not
+					// recommended, but it is available
+					// because previous releases supported
+					// it and it was used by large sites
+					// for load balancing.
+
+	notify yes;			// send NOTIFY messages.  You can set
+					// notify on a zone-by-zone
+					// basis in the "zone" statement
+					// see (below)
+	recursion yes;
+	rfc2308-type1	no;
+
+# Obsolete
+	use-id-pool yes;
+
+# Obsolete
+	treat-cr-as-space yes;
+
+	also-notify { 10.0.2.3; };
+
+	// The "forward" option is only meaningful if you've defined
+	// forwarders.  "first" gives the normal BIND
+	// forwarding behavior, i.e. ask the forwarders first, and if that
+	// doesn't work then do the full lookup.  You can also say
+	// "forward only;" which is what used to be specified with
+	// "slave" or "options forward-only".  "only" will never attempt
+	// a full lookup; only the forwarders will be used.
+	forward first;
+	forwarders {
+		1.2.3.4;
+		5.6.7.8;
+	};
+
+	check-names master fail;
+	check-names slave warn;
+	check-names response ignore;
+
+	allow-query { any; };
+	allow-transfer { any; };
+	allow-recursion { !any; };
+	blackhole { 45/24; };
+	keep-response-order { 46/24; };
+
+	listen-on {
+		10/24;
+		10.0.0.3;
+	};
+
+	listen-on port 53 { any; };
+
+	listen-on { 5.6.7.8; };
+
+	listen-on port 1234 {
+		!1.2.3.4;
+		1.2.3/24;
+	};
+
+	listen-on-v6 {
+		1:1:1:1:1:1:1:1;
+	};
+
+	listen-on-v6 port 777 {
+		2:2:2:2:2:2:2:2;
+	};
+
+	query-source-v6 address 8:7:6:5:4:3:2:1 port *;
+	query-source port * address 10.0.0.54  ;
+
+	lame-ttl 444;
+
+	max-transfer-time-in 300;
+	max-transfer-time-out 10;
+	max-transfer-idle-in 100;
+	max-transfer-idle-out 11;
+
+	max-retry-time 1234;
+	min-retry-time 1111;
+	max-refresh-time 888;
+	min-refresh-time 777;
+
+	max-ncache-ttl 333;
+	min-ncache-ttl 22;
+	min-roots 15;
+	serial-queries 34;
+
+	transfer-format one-answer;
+
+	transfers-in 10;
+	transfers-per-ns 2;
+	transfers-out 0;
+
+	transfer-source 10.0.0.5;
+	transfer-source-v6 4:3:2:1:5:6:7:8;
+
+	request-ixfr yes;
+	provide-ixfr yes;
+
+# Now called 'provide-ixfr'
+#    maintain-ixfr-base no;   // If yes, keep transaction log file for IXFR
+
+	max-ixfr-log-size 20m;
+	coresize 100;
+	datasize 101;
+	files 230;
+	max-cache-size 1m;
+	stacksize 231;
+	heartbeat-interval 1001;
+	interface-interval 1002;
+	statistics-interval 1003;
+
+	topology {
+		10/8;
+
+		!1.2.3/24;
+
+		{ 1.2/16; 3/8; };
+
+
+	};
+
+	sortlist { 10/8; 11/8; };
+
+	tkey-domain	"foo.com";
+	tkey-dhkey	"xyz" 666 ;
+
+	rrset-order {
+		class IN type A name "foo" order random;
+		order cyclic;
+	};
+};
+
+/*
+ * Control listeners, for "ndc".  Every nameserver needs at least one.
+ */
+controls {
+	// 'inet' lines without a 'port' defaults to 'port 953'
+	// 'keys' must be used and the list must have at least one entry
+	inet * port 52 allow { any; } keys { "key2"; };
+	unix "/var/run/ndc" perm 0600 owner 0 group 0;	// ignored by named.
+	inet 10.0.0.1 allow { any; key foo; } keys { "key4";};
+	inet 10.0.0.2 allow { none; } keys { "key-1"; "key-2"; };
+	inet 10.0.0.2 allow { none; };
+};
+
+zone "master.demo.zone" {
+	type master;			// what used to be called "primary"
+	database "somedb -option1 -option2 arg1 arg2 arg3";
+	file "master.demo.zone";
+	check-names fail;
+	allow-update { none; };
+	allow-update-forwarding { 10.0.0.5; !any; };
+	allow-transfer { any; };
+	allow-query { any; };
+	sig-validity-interval 990;
+	notify explicit;
+	also-notify {  1.0.0.1; };	// don't notify any nameservers other
+					// than those on the NS list for this
+					// zone
+	forward first;
+	forwarders { 10.0.0.3; 1:2:3:4:5:6:7:8; };
+};
+
+zone "slave.demo.zone" {
+	type slave;			// what used to be called "secondary"
+	file "slave.demo.zone";
+	ixfr-base  "slave.demo.zone.ixfr";  // File name for IXFR transaction log file
+	masters {
+		1.2.3.4 port 10 key "foo"; // where to zone transfer from
+		5.6.7.8;
+		6.7.8.9 key "zippo";
+	};
+	transfer-source 10.0.0.53;	// fixes multihoming problems
+	check-names warn;
+	allow-update { none; };
+	allow-transfer { any; };
+	allow-update-forwarding { any; };
+	allow-query { any; };
+	max-transfer-time-in 120;	// if not set, global option is used.
+	max-transfer-time-out 1;	// if not set, global option is used.
+	max-transfer-idle-in 2;	// if not set, global option is used.
+	max-transfer-idle-out 3;	// if not set, global option is used.
+	also-notify { 1.0.0.2; };
+	forward only;
+	forwarders { 10.45.45.45; 10.0.0.3; 1:2:3:4:5:6:7:8; };
+};
+
+key "non-viewkey" { secret "YWFh" ; algorithm "zzz" ; };
+
+view "test-view" in {
+	key "viewkey" { algorithm "xxx" ; secret "eXl5" ; };
+	also-notify { 10.2.2.3; };
+	managed-keys {
+		foo.com. static 4 3 2 "abdefghijklmnopqrstuvwxyz";
+	};
+	sig-validity-interval 45;
+	max-cache-size 100000;
+	allow-query { 10.0.0.30;};
+	additional-from-cache false;
+	additional-from-auth no;
+	match-clients { 10.0.0.1 ; };
+	check-names master warn;
+	check-names slave ignore;
+	check-names response fail;
+	auth-nxdomain false;
+	recursion true;
+	provide-ixfr false;
+	request-ixfr true;
+	fetch-glue true;
+	notify false;
+	rfc2308-type1 false;
+	transfer-source 10.0.0.55;
+	transfer-source-v6 4:3:8:1:5:6:7:8;
+	query-source port * address 10.0.0.54  ;
+	query-source-v6 address 6:6:6:6:6:6:6:6 port *;
+	max-transfer-time-out 45;
+	max-transfer-idle-out 55;
+	min-roots 3;
+	lame-ttl 477;
+	max-ncache-ttl 333;
+	max-cache-ttl 777;
+	transfer-format many-answers;
+	max-retry-time 7;
+	min-retry-time 4;
+	max-refresh-time 999;
+	min-refresh-time 111;
+
+	zone "view-zone.com" {
+		type master;
+		allow-update-forwarding { 10.0.0.34;};
+		file "view-zone-master";
+	};
+
+	server 5.6.7.8 {
+		keys "viewkey";
+	};
+
+	server 10.9.8.7 {
+		keys "non-viewkey";
+	};
+	dialup yes;
+};
+
+
+zone "stub.demo.zone" {
+	type stub;			// stub zones are like slave zones,
+					// except that only the NS records
+					// are transferred.
+	dialup yes;
+	file "stub.demo.zone";
+	masters {
+		1.2.3.4 ;		// where to zone transfer from
+		5.6.7.8 port 999;
+	};
+	check-names warn;
+	allow-update { none; };
+	allow-transfer { any; };
+	allow-query { any; };
+
+	max-retry-time 10;
+	min-retry-time 11;
+	max-refresh-time 12;
+	min-refresh-time 13;
+
+	max-transfer-time-in 120;	// if not set, global option is used.
+	pubkey 257 255 1 "a useless key";
+	pubkey 257 255 1 "another useless key";
+};
+
+zone "." {
+	type hint;			// used to be specified w/ "cache"
+	file "cache.db";
+//	pubkey 257 255 1 "AQP2fHpZ4VMpKo/jc9Fod821uyfY5p8j5h/Am0V/KpBTMZjdXmp9QJe6yFRoIIzkaNCgTIftASdpXGgCwFB2j2KXP/rick6gvEer5VcDEkLR5Q==";
+};
+
+managed-keys {
+	"." static 257 255 1 "AQP2fHpZ4VMpKo/jc9Fod821uyfY5p8j5h/Am0V/KpBTMZjdXmp9QJe6yFRoIIzkaNCgTIftASdpXGgCwFB2j2KXP/rick6gvEer5VcDEkLR5Q==";
+};
+
+
+acl can_query { !1.2.3/24; any; };	// network 1.2.3.0 mask 255.255.255.0
+					// is disallowed; rest are OK
+acl can_axfr { 1.2.3.4; can_query; };	// host 1.2.3.4 and any host allowed
+					// by can_query are OK
+
+zone "disabled-zone.com" {
+	type master;
+	file "bar";
+
+	max-retry-time 100;
+	min-retry-time 110;
+	max-refresh-time 120;
+	min-refresh-time 130;
+};
+
+zone "non-default-acl.demo.zone" {
+	type master;
+	file "foo";
+	allow-query { can_query; };
+	allow-transfer { can_axfr; };
+	allow-update {
+		1.2.3.4;
+		5.6.7.8;
+	};
+	pubkey 666 665 664 "key of the beast";
+	// Errors trapped by parser:
+	//	identity or name not absolute
+	//	'wildcard' match type and no wildcard character in name
+	//
+	// issues:
+	//	- certain rdatatype values (such as "key") are config file keywords and
+	// 	  must be quoted or a syntax error will occur.
+	//
+
+	update-policy {
+		grant root.domain. subdomain host.domain. A MX CNAME;
+		grant sub.root.domain. wildcard *.host.domain. A;
+		grant root.domain. name host.domain. a ns md mf cname soa mb mg
+			mr "null" wks ptr hinfo minfo mx txt rp afsdb x25
+			isdn rt nsap sig "key" px gpos aaaa loc nxt srv naptr kx
+			cert a6 dname opt unspec uri tkey tsig ;
+		grant foo.bar.com. self foo.bar.com. a;
+	};
+};
+
+key sample_key {			// for TSIG; supported by parser
+	algorithm hmac-md5;		// but not yet implemented in the
+	secret "eW91ciBzZWNyZXQgaGVyZQ=="; // rest of the server
+};
+
+key key2 {
+	algorithm hmac-md5;
+	secret "ZXJlaCB0ZXJjZXMgcm91eQ==";
+};
+
+acl key_acl { key sample_key; };	// a request signed with sample_key
+
+server 1.2.3.4 {
+	request-ixfr no;
+	provide-ixfr no;
+	bogus no;			// if yes, we won't query or listen
+					// to this server
+	transfer-format one-answer;	// set transfer format for this
+					// server (see the description of
+					// 'transfer-format' above)
+					// if not specified, the global option
+					// will be used
+	transfers 0;			// not implemented
+	keys { "sample_key" };	// for TSIG; supported by the parser
+					// but not yet implemented in the
+					// rest of the server
+# Now called 'request-ixfr'
+#	support-ixfr yes;      // for IXFR supported by server
+					// if yes, the listed server talks IXFR
+};
+
+logging {
+	/*
+	 * All log output goes to one or more "channels"; you can make as
+	 * many of them as you want.
+	 */
+
+	channel syslog_errors {		// this channel will send errors or
+		syslog user;		// or worse to syslog (user facility)
+		severity error;
+	};
+
+	channel stderr_errors {
+		stderr;
+	};
+
+	/*
+	 * Channels have a severity level.  Messages at severity levels
+	 * greater than or equal to the channel's level will be logged on
+	 * the channel.  In order of decreasing severity, the levels are:
+	 *
+	 * 	critical		a fatal error
+	 *	error
+	 *	warning
+	 *	notice			a normal, but significant event
+	 *	info			an informational message
+	 *	debug 1			the least detailed debugging info
+	 *	...
+	 *	debug 99		the most detailed debugging info
+	 */
+
+	/*
+	 * Here are the built-in channels:
+	 *
+	 * 	channel default_syslog {
+	 *		syslog daemon;
+	 *		severity info;
+	 *	};
+	 *
+	 *	channel default_debug {
+	 *		file "named.run";	// note: stderr is used instead
+	 *					// of "named.run" if the server
+	 *					// is started with the "-f"
+	 *					// option.
+	 *		severity dynamic;	// this means log debugging
+	 *					// at whatever debugging level
+	 *					// the server is at, and don't
+	 *					// log anything if not
+	 *					// debugging.
+	 *	};
+	 *
+	 *	channel null {			// this is the bit bucket;
+	 *		file "/dev/null";	// any logging to this channel
+	 *					// is discarded.
+	 *	};
+	 *
+	 *	channel default_stderr {	// writes to stderr
+	 *		file "<stderr>";	// this is illustrative only;
+	 *					// there's currently no way
+	 *					// of saying "stderr" in the
+	 *					// configuration language.
+	 *					// i.e. don't try this at home.
+	 *		severity info;
+	 *	};
+	 *
+	 *	default_stderr only works before the server daemonizes (i.e.
+	 *	during initial startup) or when it is running in foreground
+	 *	mode (-f command line option).
+	 */
+
+	/*
+	 * There are many categories, so you can send the logs
+	 * you want to see wherever you want, without seeing logs you
+	 * don't want.  Right now the categories are
+	 *
+	 *	default			the catch-all.  many things still
+	 *				aren't classified into categories, and
+	 *				they all end up here.  also, if you
+	 *				don't specify any channels for a
+	 *				category, the default category is used
+	 *				instead.
+	 *	config			high-level configuration file
+	 *				processing
+	 *	parser			low-level configuration file processing
+	 *	queries			what used to be called "query logging"
+	 *	lame-servers		messages like "Lame server on ..."
+	 *	statistics
+	 *	panic			if the server has to shut itself
+	 *				down due to an internal problem, it
+	 *				logs the problem here (as well as
+	 *				in the problem's native category)
+	 *	update			dynamic update
+	 *	ncache			negative caching
+	 *	xfer-in			zone transfers we're receiving
+	 *	xfer-out		zone transfers we're sending
+	 *	db			all database operations
+	 *	eventlib		debugging info from the event system
+	 *				(see below)
+	 *	packet			dumps of packets received and sent
+	 *				(see below)
+	 *	notify			the NOTIFY protocol
+	 *	cname			messages like "XX points to a CNAME"
+	 *	security		approved/unapproved requests
+	 *	os			operating system problems
+	 *	insist			consistency check failures
+	 *	maintenance		periodic maintenance
+	 *	load			zone loading
+	 *	response-checks		messages like
+	 *				"Malformed response ..."
+	 *				"wrong ans. name ..."
+	 *				"unrelated additional info ..."
+	 *				"invalid RR type ..."
+	 *				"bad referral ..."
+	 */
+
+	category parser {
+		syslog_errors;		// you can log to as many channels
+		default_syslog;		// as you want
+	};
+
+	category lame-servers { null; };	// don't log these at all
+
+	channel moderate_debug {
+		file "foo";			// foo
+		severity debug 3;		// level 3 debugging to file
+		print-time yes;			// timestamp log entries
+		print-category yes;		// print category name
+		print-severity yes;		// print severity level
+		/*
+		 * Note that debugging must have been turned on either
+		 * on the command line or with a signal to get debugging
+		 * output (non-debugging output will still be written to
+		 * this channel).
+		 */
+	};
+
+	channel another {
+		file "bar" versions 99 size 10M;
+		severity info;
+	};
+
+	channel third {
+		file "bar" size 100000 versions unlimited;
+		severity debug; // use default debug level
+	};
+
+	/*
+	 * If you don't want to see "zone XXXX loaded" messages but do
+	 * want to see any problems, you could do the following.
+	 */
+	channel no_info_messages {
+		syslog;
+		severity notice;
+	};
+
+	category load { no_info_messages; };
+
+	/*
+	 * You can also define category "default"; it gets used when no
+	 * "category" statement has been given for a category.
+	 */
+	category default {
+		default_syslog;
+		moderate_debug;
+	};
+
+	/*
+	 * If you don't define category default yourself, the default
+	 * default category will be used.  It is
+	 *
+	 * 	category default { default_syslog; default_debug; };
+	 */
+
+	/*
+	 * If you don't define category panic yourself, the default
+	 * panic category will be used.  It is
+	 *
+	 * 	category panic { default_syslog; default_stderr; };
+	 */
+
+	/*
+	 * Two categories, 'packet' and 'eventlib', are special.  Only one
+	 * channel may be assigned to each of them, and it must be a
+	 * file channel.  If you don't define them  yourself, they default to
+	 *
+	 *	category eventlib { default_debug; };
+	 *
+	 *	category packet { default_debug; };
+	 */
+};
+
+#include "filename";			// can't do within a statement
+
diff --git a/bin/tests/optional/Kchild.example.+005+33180.key b/bin/tests/optional/Kchild.example.+005+33180.key
new file mode 100644
index 0000000..ab92a6a
--- /dev/null
+++ b/bin/tests/optional/Kchild.example.+005+33180.key
@@ -0,0 +1,5 @@
+; This is a zone-signing key, keyid 33180, for child.example.
+; Created: 20181025104746 (Thu Oct 25 12:47:46 2018)
+; Publish: 20181025104746 (Thu Oct 25 12:47:46 2018)
+; Activate: 20181025104746 (Thu Oct 25 12:47:46 2018)
+child.example. IN DNSKEY 256 3 5 AwEAAb9eatC8ASzDnRApcZuxyBrvJRANRQjCXQ1FWK+8vEyXV5NIE9Km hKIV2wbq2tLBPfjNQz4BTJ9RmDINf1RayDlt6L+IQV1JCaDaMjd1zU3n SQK18Y7fMu0ww4AMKOnoVRbkIxa3zlA0chImXcfPE0q2AvKBYLzPfkPO cfplAuRkLcGUxdADCipNzCOakpcd5gfm9Sa2HlaXcw3gyI1WcE8=
diff --git a/bin/tests/optional/Kchild.example.+005+33180.private b/bin/tests/optional/Kchild.example.+005+33180.private
new file mode 100644
index 0000000..83a50df
--- /dev/null
+++ b/bin/tests/optional/Kchild.example.+005+33180.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 5 (RSASHA1)
+Modulus: v15q0LwBLMOdEClxm7HIGu8lEA1FCMJdDUVYr7y8TJdXk0gT0qaEohXbBura0sE9+M1DPgFMn1GYMg1/VFrIOW3ov4hBXUkJoNoyN3XNTedJArXxjt8y7TDDgAwo6ehVFuQjFrfOUDRyEiZdx88TSrYC8oFgvM9+Q85x+mUC5GQtwZTF0AMKKk3MI5qSlx3mB+b1JrYeVpdzDeDIjVZwTw==
+PublicExponent: AQAB
+PrivateExponent: WDsn9GU6BXGLENCK2MX3BLQN2oDDu24hiOTYJu5VwtpkPjuVKCIuNKzu9xmBGnqOIBBDWGsw8KOmEC247yOL/S53iRdBS8lI7yiqznc52RhlmrdPKXbNpVnPwil8wocw+oQYa7uvdPYxI2Yy3B/tRgUxlxSlc/LW/dr0BX2L7qr/aeOBeGSRUlCpc7tYU9a2RUaLpVxF6SlqicCpC91MAQ==
+Prime1: 466f+JL66Bl4qYnkj0s9+1N3pYmdcM9Ja1AN66X4VLslA9Cm1JEaC5V9HOptfcXUk0XYEVnKeKM2lIQnvcLG0yuQHIa+pGi7P8vgQfdaRUE=
+Prime2: 1yuUkTVRSbUWeUreEcHgeeBBJ61UshX7t07gnGgIr3artGdo2CVEb5//+2Mvj5bgjCQBvjBbmHNZrR0jKDRBTIGtqbBerOuhEN4AXdAEgY8=
+Exponent1: KzUXbJ/P973ltR7S/hKEV66WVRbRhvf/cdsGWULs5n+BXcD59/r1W19qF9OxJZ4mYjBt+ZT1pIEsuXB+7jcJbkelGJTFlwO9DTVOgJZFTkE=
+Exponent2: FTPsLertGbBIiKdB/sn2Dsx0Xy6LXAkihsu1AnSV9oRhIyPVhwcVGVLQ7Lq3YxThB648pbsqK3miapamcj3D+YAF1uTUT4Hgm0LlEll/OC0=
+Coefficient: Vulw9kmmjKc+wmOukLdzheoA2hNPDVtgiynfzHybyXdqvapCoK+ZVmNFzjO0M41ATcpvya3iX0bekMQqYnBhLURNZUIyqz2nGskOjV8I5Jg=
+Created: 20181025104746
+Publish: 20181025104746
+Activate: 20181025104746
diff --git a/bin/tests/optional/Makefile.in b/bin/tests/optional/Makefile.in
new file mode 100644
index 0000000..29e026f
--- /dev/null
+++ b/bin/tests/optional/Makefile.in
@@ -0,0 +1,254 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
+		${OPENSSL_CFLAGS} @DST_GSSAPI_INC@
+
+CDEFINES =	@USE_GSSAPI@
+
+CWARNINGS =
+BACKTRACECFLAGS = @BACKTRACECFLAGS@
+PTHREAD_CFLAGS = @PTHREAD_CFLAGS@
+
+DNSLIBS =	../../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+ISCLIBS =	../../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+ISCNOSYMLIBS =	../../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@
+ISCCFGLIBS = 	../../../lib/isccfg/libisccfg.@A@
+
+DNSDEPLIBS =	../../../lib/dns/libdns.@A@
+ISCDEPLIBS =	../../../lib/isc/libisc.@A@
+ISCDEPNOSYMLIBS = ../../../lib/isc/libisc-nosymtbl.@A@
+ISCCFGDEPLIBS = ../../../lib/isccfg/libisccfg.@A@
+
+LIBS =		@LIBS@
+
+SUBDIRS =
+
+# These programs are not built by default, but only when
+# configured with --enable-developer or built explicitly with
+# "make all_tests"
+
+TARGETS =	@XTARGETS@
+XTARGETS =	adb_test@EXEEXT@ \
+		byaddr_test@EXEEXT@ \
+		backtrace_test@EXEEXT@ \
+		backtrace_test_nosymtbl@EXEEXT@ \
+		byname_test@EXEEXT@ \
+		db_test@EXEEXT@ \
+		gsstest@EXEEXT@ \
+		fsaccess_test@EXEEXT@ \
+		inter_test@EXEEXT@ \
+		lex_test@EXEEXT@ \
+		lfsr_test@EXEEXT@ \
+		log_test@EXEEXT@ \
+		master_test@EXEEXT@ \
+		mempool_test@EXEEXT@ \
+		name_test@EXEEXT@ \
+		nsecify@EXEEXT@ \
+		ratelimiter_test@EXEEXT@ \
+		rbt_test@EXEEXT@ \
+		rwlock_test@EXEEXT@ \
+		serial_test@EXEEXT@ \
+		shutdown_test@EXEEXT@ \
+		sig0_test@EXEEXT@ \
+		sock_test@EXEEXT@ \
+		sym_test@EXEEXT@ \
+		task_test@EXEEXT@ \
+		timer_test@EXEEXT@ \
+		zone_test@EXEEXT@
+
+SRCS =		${XSRCS}
+XSRCS =		adb_test.c \
+		byaddr_test.c \
+		backtrace_test.c \
+		byname_test.c \
+		db_test.c \
+		fsaccess_test.c \
+		gsstest.c \
+		inter_test.c \
+		lex_test.c \
+		lfsr_test.c \
+		log_test.c \
+		master_test.c \
+		mempool_test.c \
+		name_test.c \
+		nsecify.c \
+		ratelimiter_test.c \
+		rbt_test.c \
+		rwlock_test.c \
+		serial_test.c \
+		shutdown_test.c \
+		sig0_test.c \
+		sock_test.c \
+		sym_test.c \
+		task_test.c \
+		timer_test.c \
+		zone_test.c
+
+@BIND9_MAKE_RULES@
+
+# disable optimization for backtrace test to get the expected result
+BTTEST_CFLAGS =	${BACKTRACECFLAGS} ${EXT_CFLAGS} ${ALL_CPPFLAGS} -g \
+		${ALWAYS_WARNINGS} ${STD_CWARNINGS} ${CWARNINGS} ${PTHREAD_CFLAGS}
+
+all_tests: ${XTARGETS}
+
+adb_test@EXEEXT@: adb_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ adb_test.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+backtrace_test_nosymtbl@EXEEXT@: ${srcdir}/backtrace_test.c ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${BTTEST_CFLAGS} ${LDFLAGS} -o $@ \
+	${srcdir}/backtrace_test.c ${ISCLIBS} ${LIBS}
+
+backtrace_test@EXEEXT@: ${srcdir}/backtrace_test.c backtrace_test_nosymtbl@EXEEXT@
+	#first step: create a first symbol table
+	rm -f symtbl.c
+	if test X${MKSYMTBL_PROGRAM} != X; then \
+	${MKSYMTBL_PROGRAM} ${top_srcdir}/util/mksymtbl.pl \
+	backtrace_test_nosymtbl@EXEEXT@; else \
+	cp ${top_srcdir}/lib/isc/backtrace-emptytbl.c symtbl.c; fi
+	#second step: build a binary with the first symbol table
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${BTTEST_CFLAGS} ${LDFLAGS} \
+	-o $@0 ${srcdir}/backtrace_test.c symtbl.c \
+	${ISCNOSYMLIBS} ${LIBS}
+	rm -f symtbl.c
+	#third step: create a second symbol table
+	if test X${MKSYMTBL_PROGRAM} != X; then \
+	${MKSYMTBL_PROGRAM} ${top_srcdir}/util/mksymtbl.pl $@0; else \
+	cp ${top_srcdir}/lib/isc/backtrace-emptytbl.c symtbl.c; fi
+	#fourth step: build the final binary
+	rm -f $@0
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${BTTEST_CFLAGS} ${LDFLAGS} \
+	-o $@ ${srcdir}/backtrace_test.c symtbl.c ${ISCNOSYMLIBS} ${LIBS}
+	rm -f symtbl.c
+
+nsecify@EXEEXT@: nsecify.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ nsecify.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+byaddr_test@EXEEXT@: byaddr_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ byaddr_test.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+byname_test@EXEEXT@: byname_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ byname_test.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+lex_test@EXEEXT@: lex_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ lex_test.@O@ \
+		${ISCLIBS} ${LIBS}
+
+lfsr_test@EXEEXT@: lfsr_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ lfsr_test.@O@ \
+		${ISCLIBS} ${LIBS}
+
+log_test@EXEEXT@: log_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ log_test.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+name_test@EXEEXT@: name_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ name_test.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+entropy_test@EXEEXT@: entropy_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ entropy_test.@O@ \
+		${ISCLIBS} ${LIBS}
+
+entropy2_test@EXEEXT@: entropy2_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ entropy2_test.@O@ \
+		${ISCLIBS} ${LIBS}
+
+sock_test@EXEEXT@: sock_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ sock_test.@O@ \
+		${ISCLIBS} ${LIBS}
+
+sym_test@EXEEXT@: sym_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ sym_test.@O@ \
+		${ISCLIBS} ${LIBS}
+
+task_test@EXEEXT@: task_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ task_test.@O@ \
+		${ISCLIBS} ${LIBS}
+
+shutdown_test@EXEEXT@: shutdown_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ shutdown_test.@O@ \
+		${ISCLIBS} ${LIBS}
+
+timer_test@EXEEXT@: timer_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ timer_test.@O@ \
+		${ISCLIBS} ${LIBS}
+
+ratelimiter_test@EXEEXT@: ratelimiter_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ ratelimiter_test.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+rbt_test@EXEEXT@: rbt_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ rbt_test.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+rwlock_test@EXEEXT@: rwlock_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ rwlock_test.@O@ \
+		${ISCLIBS} ${LIBS}
+
+master_test@EXEEXT@: master_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ master_test.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+db_test@EXEEXT@: db_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ db_test.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+mempool_test@EXEEXT@: mempool_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ mempool_test.@O@ \
+		${ISCLIBS} ${LIBS}
+
+serial_test@EXEEXT@: serial_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ serial_test.@O@ \
+		${ISCLIBS} ${LIBS}
+
+zone_test@EXEEXT@: zone_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zone_test.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+fsaccess_test@EXEEXT@: fsaccess_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ fsaccess_test.@O@ \
+		${ISCLIBS} ${LIBS}
+
+inter_test@EXEEXT@: inter_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ inter_test.@O@ \
+		${ISCLIBS} ${LIBS}
+
+sig0_test@EXEEXT@: sig0_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ sig0_test.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+gsstest@EXEEXT@: gsstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
+		-o $@ gsstest.@O@ ${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+clean distclean::
+	rm -f ${TARGETS} ${XTARGETS}
+	rm -f backtrace_test_symtbl.c
+
+check: test
+
+test:
+	@for dir in $(TESTDIRS) ;\
+	do \
+		( cd $$dir; $(MAKE) test ) ;\
+	done
diff --git a/bin/tests/optional/adb_test.c b/bin/tests/optional/adb_test.c
new file mode 100644
index 0000000..7e9e4ca
--- /dev/null
+++ b/bin/tests/optional/adb_test.c
@@ -0,0 +1,410 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <isc/app.h>
+#include <isc/buffer.h>
+#include <isc/hash.h>
+#include <isc/managers.h>
+#include <isc/print.h>
+#include <isc/socket.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/adb.h>
+#include <dns/cache.h>
+#include <dns/db.h>
+#include <dns/dispatch.h>
+#include <dns/log.h>
+#include <dns/result.h>
+#include <dns/rootns.h>
+
+typedef struct client client_t;
+struct client {
+	dns_name_t name;
+	const char *target;
+	ISC_LINK(client_t) link;
+	dns_adbfind_t *find;
+};
+
+static isc_mem_t *mctx = NULL;
+static isc_mempool_t *cmp = NULL;
+static isc_log_t *lctx = NULL;
+static isc_logconfig_t *lcfg = NULL;
+static isc_nm_t *netmgr = NULL;
+static isc_taskmgr_t *taskmgr = NULL;
+static isc_socketmgr_t *socketmgr = NULL;
+static isc_timermgr_t *timermgr = NULL;
+static dns_dispatchmgr_t *dispatchmgr = NULL;
+static isc_task_t *t1 = NULL, *t2 = NULL;
+static dns_view_t *view = NULL;
+static dns_db_t *rootdb = NULL;
+static ISC_LIST(client_t) clients;
+static isc_mutex_t client_lock;
+static isc_stdtime_t now;
+static dns_adb_t *adb = NULL;
+
+static void
+check_result(isc_result_t result, const char *format, ...)
+	ISC_FORMAT_PRINTF(2, 3);
+
+static void
+check_result(isc_result_t result, const char *format, ...) {
+	va_list args;
+
+	if (result == ISC_R_SUCCESS) {
+		return;
+	}
+
+	va_start(args, format);
+	vfprintf(stderr, format, args);
+	va_end(args);
+	fprintf(stderr, ": %s\n", isc_result_totext(result));
+	exit(1);
+}
+
+static client_t *
+new_client(void) {
+	client_t *client;
+
+	client = isc_mempool_get(cmp);
+	INSIST(client != NULL);
+	dns_name_init(&client->name, NULL);
+	ISC_LINK_INIT(client, link);
+	client->find = NULL;
+
+	return (client);
+}
+
+static void
+free_client(client_t **c) {
+	client_t *client;
+
+	INSIST(c != NULL);
+	client = *c;
+	*c = NULL;
+	INSIST(client != NULL);
+	dns_name_free(&client->name, mctx);
+	INSIST(!ISC_LINK_LINKED(client, link));
+	INSIST(client->find == NULL);
+
+	isc_mempool_put(cmp, client);
+}
+
+static void
+CLOCK(void) {
+	RUNTIME_CHECK(isc_mutex_lock(&client_lock) == ISC_R_SUCCESS);
+}
+
+static void
+CUNLOCK(void) {
+	RUNTIME_CHECK(isc_mutex_unlock(&client_lock) == ISC_R_SUCCESS);
+}
+
+static void
+lookup_callback(isc_task_t *task, isc_event_t *ev) {
+	client_t *client;
+
+	client = ev->ev_arg;
+	INSIST(client->find == ev->ev_sender);
+
+	printf("NAME %s:\n\tTask %p got event %p type %08x from %p, client "
+	       "%p\n\terr4: %s  err6: %s\n",
+	       client->target, task, ev, ev->ev_type, client->find, client,
+	       isc_result_totext(client->find->result_v4),
+	       isc_result_totext(client->find->result_v6));
+
+	isc_event_free(&ev);
+	ev = NULL;
+
+	CLOCK();
+
+	dns_adb_dumpfind(client->find, stderr);
+	dns_adb_destroyfind(&client->find);
+
+	ISC_LIST_UNLINK(clients, client, link);
+	free_client(&client);
+
+	CUNLOCK();
+}
+
+static void
+create_managers(void) {
+	isc_result_t result;
+
+	result = isc_managers_create(mctx, 5, 0, &netmgr, &taskmgr);
+	check_result(result, "isc_managers_create");
+
+	result = isc_timermgr_create(mctx, &timermgr);
+	check_result(result, "isc_timermgr_create");
+
+	result = isc_socketmgr_create(mctx, &socketmgr);
+	check_result(result, "isc_socketmgr_create");
+
+	result = dns_dispatchmgr_create(mctx, &dispatchmgr);
+	check_result(result, "dns_dispatchmgr_create");
+}
+
+static void
+create_view(void) {
+	dns_cache_t *cache = NULL;
+	isc_result_t result;
+
+	/*
+	 * View.
+	 */
+	result = dns_view_create(mctx, dns_rdataclass_in, "_default", &view);
+	check_result(result, "dns_view_create");
+
+	/*
+	 * Cache.
+	 */
+	result = dns_cache_create(mctx, mctx, taskmgr, timermgr,
+				  dns_rdataclass_in, "", "rbt", 0, NULL,
+				  &cache);
+	check_result(result, "dns_cache_create");
+	dns_view_setcache(view, cache, false);
+	dns_cache_detach(&cache);
+
+	{
+		unsigned int attrs;
+		isc_sockaddr_t any4, any6;
+		dns_dispatch_t *disp4 = NULL;
+		dns_dispatch_t *disp6 = NULL;
+
+		isc_sockaddr_any(&any4);
+		isc_sockaddr_any6(&any6);
+
+		attrs = DNS_DISPATCHATTR_IPV4 | DNS_DISPATCHATTR_UDP;
+		RUNTIME_CHECK(dns_dispatch_getudp(dispatchmgr, socketmgr,
+						  taskmgr, &any4, 512, 6, 1024,
+						  17, 19, attrs, attrs,
+						  &disp4) == ISC_R_SUCCESS);
+		INSIST(disp4 != NULL);
+
+		attrs = DNS_DISPATCHATTR_IPV6 | DNS_DISPATCHATTR_UDP;
+		RUNTIME_CHECK(dns_dispatch_getudp(dispatchmgr, socketmgr,
+						  taskmgr, &any6, 512, 6, 1024,
+						  17, 19, attrs, attrs,
+						  &disp6) == ISC_R_SUCCESS);
+		INSIST(disp6 != NULL);
+
+		RUNTIME_CHECK(dns_view_createresolver(view, taskmgr, 10, 1,
+						      socketmgr, timermgr, 0,
+						      dispatchmgr, disp4,
+						      disp6) == ISC_R_SUCCESS);
+	}
+
+	rootdb = NULL;
+	result = dns_rootns_create(mctx, dns_rdataclass_in, NULL, &rootdb);
+	check_result(result, "dns_rootns_create()");
+	dns_view_sethints(view, rootdb);
+	dns_db_detach(&rootdb);
+
+	dns_view_freeze(view);
+}
+
+static void
+lookup(const char *target) {
+	dns_name_t name;
+	unsigned char namedata[256];
+	client_t *client;
+	isc_buffer_t t, namebuf;
+	isc_result_t result;
+	unsigned int options;
+
+	INSIST(target != NULL);
+
+	client = new_client();
+	isc_buffer_constinit(&t, target, strlen(target));
+	isc_buffer_add(&t, strlen(target));
+	isc_buffer_init(&namebuf, namedata, sizeof(namedata));
+	dns_name_init(&name, NULL);
+	result = dns_name_fromtext(&name, &t, dns_rootname, 0, &namebuf);
+	check_result(result, "dns_name_fromtext %s", target);
+
+	dns_name_dup(&name, mctx, &client->name);
+
+	options = 0;
+	options |= DNS_ADBFIND_INET;
+	options |= DNS_ADBFIND_INET6;
+	options |= DNS_ADBFIND_WANTEVENT;
+	options |= DNS_ADBFIND_HINTOK;
+	options |= DNS_ADBFIND_GLUEOK;
+	result = dns_adb_createfind(
+		adb, t2, lookup_callback, client, &client->name, dns_rootname,
+		0, options, now, NULL, view->dstport, 0, NULL, &client->find);
+	if (result != ISC_R_SUCCESS) {
+		printf("DNS_ADB_CREATEFIND -> %s\n", dns_result_totext(result));
+	}
+	dns_adb_dumpfind(client->find, stderr);
+
+	if ((client->find->options & DNS_ADBFIND_WANTEVENT) != 0) {
+		client->target = target;
+		ISC_LIST_APPEND(clients, client, link);
+	} else {
+		printf("NAME %s:  err4 %s, err6 %s\n", target,
+		       isc_result_totext(client->find->result_v4),
+		       isc_result_totext(client->find->result_v6));
+
+		dns_adb_destroyfind(&client->find);
+		free_client(&client);
+	}
+}
+
+int
+main(int argc, char **argv) {
+	isc_result_t result;
+	isc_logdestination_t destination;
+
+	UNUSED(argc);
+	UNUSED(argv);
+
+	dns_result_register();
+	result = isc_app_start();
+	check_result(result, "isc_app_start()");
+
+	isc_stdtime_get(&now);
+
+	isc_mutex_init(&client_lock);
+
+	ISC_LIST_INIT(clients);
+
+	/*
+	 * EVERYTHING needs a memory context.
+	 */
+	isc_mem_create(&mctx);
+
+	cmp = NULL;
+	isc_mempool_create(mctx, sizeof(client_t), &cmp);
+	isc_mempool_setname(cmp, "adb test clients");
+
+	isc_log_create(mctx, &lctx, &lcfg);
+	isc_log_setcontext(lctx);
+	dns_log_init(lctx);
+	dns_log_setcontext(lctx);
+
+	/*
+	 * Create and install the default channel.
+	 */
+	destination.file.stream = stderr;
+	destination.file.name = NULL;
+	destination.file.versions = ISC_LOG_ROLLNEVER;
+	destination.file.maximum_size = 0;
+	isc_log_createchannel(lcfg, "_default", ISC_LOG_TOFILEDESC,
+			      ISC_LOG_DYNAMIC, &destination, ISC_LOG_PRINTTIME);
+
+	result = isc_log_usechannel(lcfg, "_default", NULL, NULL);
+	check_result(result, "isc_log_usechannel()");
+
+	/*
+	 * Set the initial debug level.
+	 */
+	isc_log_setdebuglevel(lctx, 2);
+
+	create_managers();
+
+	result = isc_task_create(taskmgr, 0, &t1);
+	check_result(result, "isc_task_create t1");
+	result = isc_task_create(taskmgr, 0, &t2);
+	check_result(result, "isc_task_create t2");
+
+	printf("task 1 = %p\n", t1);
+	printf("task 2 = %p\n", t2);
+
+	create_view();
+	RUNTIME_CHECK(view != NULL);
+
+	adb = view->adb;
+
+	/*
+	 * Lock the entire client list here.  This will cause all events
+	 * for found names to block as well.
+	 */
+	CLOCK();
+	lookup("f.root-servers.net.");	   /* Should be in hints */
+	lookup("www.iengines.com");	   /* should fetch */
+	lookup("www.isc.org");		   /* should fetch */
+	lookup("www.flame.org");	   /* should fetch */
+	lookup("kechara.flame.org.");	   /* should fetch */
+	lookup("moghedien.flame.org.");	   /* should fetch */
+	lookup("mailrelay.flame.org.");	   /* should fetch */
+	lookup("ipv4v6.flame.org.");	   /* should fetch */
+	lookup("nonexistent.flame.org.");  /* should fail to be found */
+	lookup("foobar.badns.flame.org."); /* should fail utterly (NS) */
+	lookup("i.root-servers.net.");	   /* Should be in hints */
+	lookup("www.firstcard.com.");
+	lookup("dns04.flame.org.");
+	CUNLOCK();
+
+	sleep(10);
+
+	dns_adb_dump(adb, stderr);
+
+	sleep(10);
+
+	CLOCK();
+	lookup("f.root-servers.net.");	   /* Should be in hints */
+	lookup("www.iengines.com");	   /* should fetch */
+	lookup("www.isc.org");		   /* should fetch */
+	lookup("www.flame.org");	   /* should fetch */
+	lookup("kechara.flame.org.");	   /* should fetch */
+	lookup("moghedien.flame.org.");	   /* should fetch */
+	lookup("mailrelay.flame.org.");	   /* should fetch */
+	lookup("ipv4v6.flame.org.");	   /* should fetch */
+	lookup("nonexistent.flame.org.");  /* should fail to be found */
+	lookup("foobar.badns.flame.org."); /* should fail utterly (NS) */
+	lookup("i.root-servers.net.");	   /* Should be in hints */
+	CUNLOCK();
+
+	sleep(20);
+
+	dns_adb_dump(adb, stderr);
+
+	isc_task_detach(&t1);
+	isc_task_detach(&t2);
+
+	isc_mem_stats(mctx, stdout);
+	dns_adb_dump(adb, stderr);
+
+	isc_app_run();
+
+	dns_adb_dump(adb, stderr);
+
+	dns_view_detach(&view);
+	adb = NULL;
+
+	fprintf(stderr, "Destroying socket manager\n");
+	isc_socketmgr_destroy(&socketmgr);
+	fprintf(stderr, "Destroying timer manager\n");
+	isc_timermgr_destroy(&timermgr);
+
+	fprintf(stderr, "Destroying task and network managers\n");
+	isc_managers_destroy(&netmgr, &taskmgr);
+
+	isc_log_destroy(&lctx);
+
+	isc_mempool_destroy(&cmp);
+	isc_mem_stats(mctx, stdout);
+	isc_mem_destroy(&mctx);
+
+	isc_app_finish();
+
+	return (0);
+}
diff --git a/bin/tests/optional/backtrace_test.c b/bin/tests/optional/backtrace_test.c
new file mode 100644
index 0000000..2aa7979
--- /dev/null
+++ b/bin/tests/optional/backtrace_test.c
@@ -0,0 +1,88 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+#include <isc/backtrace.h>
+#include <isc/print.h>
+#include <isc/result.h>
+
+const char *expected_symbols[] = { "func3", "func2", "func1", "main" };
+
+static int
+func3() {
+	void *tracebuf[16];
+	int i, nframes;
+	int error = 0;
+	const char *fname;
+	isc_result_t result;
+	unsigned long offset;
+
+	result = isc_backtrace_gettrace(tracebuf, 16, &nframes);
+	if (result != ISC_R_SUCCESS) {
+		printf("isc_backtrace_gettrace failed: %s\n",
+		       isc_result_totext(result));
+		return (1);
+	}
+
+	if (nframes < 4) {
+		error++;
+	}
+
+	for (i = 0; i < 4 && i < nframes; i++) {
+		fname = NULL;
+		result = isc_backtrace_getsymbol(tracebuf[i], &fname, &offset);
+		if (result != ISC_R_SUCCESS) {
+			error++;
+			continue;
+		}
+		if (strcmp(fname, expected_symbols[i]) != 0) {
+			error++;
+		}
+	}
+
+	if (error) {
+		printf("Unexpected result:\n");
+		printf("  # of frames: %d (expected: at least 4)\n", nframes);
+		printf("  symbols:\n");
+		for (i = 0; i < nframes; i++) {
+			fname = NULL;
+			result = isc_backtrace_getsymbol(tracebuf[i], &fname,
+							 &offset);
+			if (result == ISC_R_SUCCESS) {
+				printf("  [%d] %s\n", i, fname);
+			} else {
+				printf("  [%d] %p getsymbol failed: %s\n", i,
+				       tracebuf[i], isc_result_totext(result));
+			}
+		}
+	}
+
+	return (error);
+}
+
+static int
+func2() {
+	return (func3());
+}
+
+static int
+func1() {
+	return (func2());
+}
+
+int
+main() {
+	return (func1());
+}
diff --git a/bin/tests/optional/byaddr_test.c b/bin/tests/optional/byaddr_test.c
new file mode 100644
index 0000000..7e24cfe
--- /dev/null
+++ b/bin/tests/optional/byaddr_test.c
@@ -0,0 +1,250 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file
+ */
+
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/app.h>
+#include <isc/commandline.h>
+#include <isc/managers.h>
+#include <isc/mem.h>
+#include <isc/netaddr.h>
+#include <isc/print.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/byaddr.h>
+#include <dns/cache.h>
+#include <dns/dispatch.h>
+#include <dns/events.h>
+#include <dns/forward.h>
+#include <dns/resolver.h>
+#include <dns/result.h>
+#include <dns/view.h>
+
+static void
+done(isc_task_t *task, isc_event_t *event) {
+	dns_byaddrevent_t *bevent;
+	dns_byaddr_t *byaddr;
+	dns_name_t *name;
+
+	REQUIRE(event->ev_type == DNS_EVENT_BYADDRDONE);
+	bevent = (dns_byaddrevent_t *)event;
+
+	UNUSED(task);
+
+	printf("byaddr event result = %s\n", isc_result_totext(bevent->result));
+
+	if (bevent->result == ISC_R_SUCCESS) {
+		for (name = ISC_LIST_HEAD(bevent->names); name != NULL;
+		     name = ISC_LIST_NEXT(name, link))
+		{
+			char text[DNS_NAME_FORMATSIZE];
+			dns_name_format(name, text, sizeof(text));
+			printf("%s\n", text);
+		}
+	}
+
+	byaddr = event->ev_sender;
+	dns_byaddr_destroy(&byaddr);
+	isc_event_free(&event);
+
+	isc_app_shutdown();
+}
+
+int
+main(int argc, char *argv[]) {
+	isc_mem_t *mctx = NULL;
+	bool verbose = false;
+	unsigned int workers = 2;
+	isc_nm_t *netmgr = NULL;
+	isc_taskmgr_t *taskmgr = NULL;
+	isc_task_t *task = NULL;
+	isc_timermgr_t *timermgr = NULL;
+	dns_view_t *view = NULL;
+	int ch;
+	isc_socketmgr_t *socketmgr = NULL;
+	dns_dispatchmgr_t *dispatchmgr = NULL;
+	isc_netaddr_t na;
+	dns_byaddr_t *byaddr = NULL;
+	isc_result_t result;
+	unsigned int options = 0;
+	dns_cache_t *cache;
+
+	RUNTIME_CHECK(isc_app_start() == ISC_R_SUCCESS);
+
+	dns_result_register();
+
+	isc_mem_create(&mctx);
+
+	while ((ch = isc_commandline_parse(argc, argv, "nvw:")) != -1) {
+		switch (ch) {
+		case 'n':
+			/*
+			 * We only try nibbles, so do nothing for this option.
+			 */
+			break;
+		case 'v':
+			verbose = true;
+			break;
+		case 'w':
+			workers = (unsigned int)atoi(isc_commandline_argument);
+			break;
+		}
+	}
+
+	if (verbose) {
+		printf("%u workers\n", workers);
+		printf("IPv4: %s\n", isc_result_totext(isc_net_probeipv4()));
+		printf("IPv6: %s\n", isc_result_totext(isc_net_probeipv6()));
+	}
+
+	RUNTIME_CHECK(isc_managers_create(mctx, workers, 0, &netmgr,
+					  &taskmgr) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_task_create(taskmgr, 0, &task) == ISC_R_SUCCESS);
+	isc_task_setname(task, "byaddr", NULL);
+
+	RUNTIME_CHECK(dns_dispatchmgr_create(mctx, &dispatchmgr) ==
+		      ISC_R_SUCCESS);
+
+	RUNTIME_CHECK(isc_timermgr_create(mctx, &timermgr) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_socketmgr_create(mctx, &socketmgr) == ISC_R_SUCCESS);
+
+	RUNTIME_CHECK(dns_cache_create(mctx, mctx, taskmgr, timermgr,
+				       dns_rdataclass_in, "", "rbt", 0, NULL,
+				       &cache) == ISC_R_SUCCESS);
+
+	RUNTIME_CHECK(dns_view_create(mctx, dns_rdataclass_in, "default",
+				      &view) == ISC_R_SUCCESS);
+
+	{
+		unsigned int attrs;
+		dns_dispatch_t *disp4 = NULL;
+		dns_dispatch_t *disp6 = NULL;
+
+		if (isc_net_probeipv4() == ISC_R_SUCCESS) {
+			isc_sockaddr_t any4;
+
+			isc_sockaddr_any(&any4);
+
+			attrs = DNS_DISPATCHATTR_IPV4 | DNS_DISPATCHATTR_UDP;
+			RUNTIME_CHECK(
+				dns_dispatch_getudp(dispatchmgr, socketmgr,
+						    taskmgr, &any4, 512, 6,
+						    1024, 17, 19, attrs, attrs,
+						    &disp4) == ISC_R_SUCCESS);
+			INSIST(disp4 != NULL);
+		}
+
+		if (isc_net_probeipv6() == ISC_R_SUCCESS) {
+			isc_sockaddr_t any6;
+
+			isc_sockaddr_any6(&any6);
+
+			attrs = DNS_DISPATCHATTR_IPV6 | DNS_DISPATCHATTR_UDP;
+			RUNTIME_CHECK(
+				dns_dispatch_getudp(dispatchmgr, socketmgr,
+						    taskmgr, &any6, 512, 6,
+						    1024, 17, 19, attrs, attrs,
+						    &disp6) == ISC_R_SUCCESS);
+			INSIST(disp6 != NULL);
+		}
+
+		RUNTIME_CHECK(dns_view_createresolver(view, taskmgr, 10, 1,
+						      socketmgr, timermgr, 0,
+						      dispatchmgr, disp4,
+						      disp6) == ISC_R_SUCCESS);
+
+		if (disp4 != NULL) {
+			dns_dispatch_detach(&disp4);
+		}
+		if (disp6 != NULL) {
+			dns_dispatch_detach(&disp6);
+		}
+	}
+
+	{
+		struct in_addr ina;
+		isc_sockaddr_t sa;
+		isc_sockaddrlist_t sal;
+
+		ISC_LIST_INIT(sal);
+		ina.s_addr = inet_addr("127.0.0.1");
+		isc_sockaddr_fromin(&sa, &ina, 53);
+		ISC_LIST_APPEND(sal, &sa, link);
+
+		RUNTIME_CHECK(dns_fwdtable_add(view->fwdtable, dns_rootname,
+					       &sal, dns_fwdpolicy_only) ==
+			      ISC_R_SUCCESS);
+	}
+
+	dns_view_setcache(view, cache, false);
+	dns_view_freeze(view);
+
+	dns_cache_detach(&cache);
+
+	printf("address = %s\n", argv[isc_commandline_index]);
+	na.family = AF_INET;
+	if (inet_pton(AF_INET, argv[isc_commandline_index],
+		      (char *)&na.type.in) != 1)
+	{
+		na.family = AF_INET6;
+		if (inet_pton(AF_INET6, argv[isc_commandline_index],
+			      (char *)&na.type.in6) != 1)
+		{
+			printf("unknown address format\n");
+			exit(1);
+		}
+	}
+
+	result = dns_byaddr_create(mctx, &na, view, options, task, done, NULL,
+				   &byaddr);
+	if (result != ISC_R_SUCCESS) {
+		printf("dns_byaddr_create() returned %s\n",
+		       isc_result_totext(result));
+		RUNTIME_CHECK(0);
+	}
+
+	(void)isc_app_run();
+
+	/*
+	 * XXXRTH if we get a control-C before we get to isc_app_run(),
+	 * we're in trouble (because we might try to destroy things before
+	 * they've been created.
+	 */
+
+	dns_view_detach(&view);
+
+	isc_task_shutdown(task);
+	isc_task_detach(&task);
+
+	dns_dispatchmgr_destroy(&dispatchmgr);
+
+	isc_managers_destroy(&netmgr, &taskmgr);
+
+	isc_socketmgr_destroy(&socketmgr);
+	isc_timermgr_destroy(&timermgr);
+
+	if (verbose) {
+		isc_mem_stats(mctx, stdout);
+	}
+	isc_mem_destroy(&mctx);
+
+	isc_app_finish();
+
+	return (0);
+}
diff --git a/bin/tests/optional/byname_test.c b/bin/tests/optional/byname_test.c
new file mode 100644
index 0000000..fa76973
--- /dev/null
+++ b/bin/tests/optional/byname_test.c
@@ -0,0 +1,350 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file
+ */
+
+#include <stdbool.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/app.h>
+#include <isc/commandline.h>
+#include <isc/hash.h>
+#include <isc/managers.h>
+#include <isc/netaddr.h>
+#include <isc/print.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/adb.h>
+#include <dns/cache.h>
+#include <dns/dispatch.h>
+#include <dns/events.h>
+#include <dns/forward.h>
+#include <dns/log.h>
+#include <dns/resolver.h>
+#include <dns/result.h>
+
+static isc_mem_t *mctx = NULL;
+static isc_nm_t *netmgr = NULL;
+static isc_taskmgr_t *taskmgr = NULL;
+static dns_view_t *view = NULL;
+static dns_adbfind_t *find = NULL;
+static isc_task_t *task = NULL;
+static dns_fixedname_t fixed;
+static dns_fixedname_t target;
+static isc_log_t *lctx = NULL;
+static isc_logconfig_t *lcfg = NULL;
+static unsigned int level = 0;
+
+static void
+adb_callback(isc_task_t *task, isc_event_t *event);
+
+static void
+log_init(void) {
+	isc_logdestination_t destination;
+	unsigned int flags;
+
+	/*
+	 * Setup a logging context.
+	 */
+	isc_log_create(mctx, &lctx, &lcfg);
+	isc_log_setcontext(lctx);
+	dns_log_init(lctx);
+	dns_log_setcontext(lctx);
+
+	/*
+	 * Create and install the default channel.
+	 */
+	destination.file.stream = stderr;
+	destination.file.name = NULL;
+	destination.file.versions = ISC_LOG_ROLLNEVER;
+	destination.file.maximum_size = 0;
+	flags = ISC_LOG_PRINTTIME;
+	isc_log_createchannel(lcfg, "_default", ISC_LOG_TOFILEDESC,
+			      ISC_LOG_DYNAMIC, &destination, flags);
+
+	RUNTIME_CHECK(isc_log_usechannel(lcfg, "_default", NULL, NULL) ==
+		      ISC_R_SUCCESS);
+	isc_log_setdebuglevel(lctx, level);
+}
+
+static void
+print_addresses(dns_adbfind_t *adbfind) {
+	dns_adbaddrinfo_t *address;
+
+	for (address = ISC_LIST_HEAD(adbfind->list); address != NULL;
+	     address = ISC_LIST_NEXT(address, publink))
+	{
+		isc_netaddr_t netaddr;
+		char text[ISC_NETADDR_FORMATSIZE];
+		isc_netaddr_fromsockaddr(&netaddr, &address->sockaddr);
+		isc_netaddr_format(&netaddr, text, sizeof(text));
+		printf("%s\n", text);
+	}
+}
+
+static void
+print_name(dns_name_t *name) {
+	char text[DNS_NAME_FORMATSIZE];
+
+	dns_name_format(name, text, sizeof(text));
+	printf("%s\n", text);
+}
+
+static void
+do_find(bool want_event) {
+	isc_result_t result;
+	bool done = false;
+	unsigned int options;
+
+	options = DNS_ADBFIND_INET | DNS_ADBFIND_INET6;
+	if (want_event) {
+		options |= DNS_ADBFIND_WANTEVENT | DNS_ADBFIND_EMPTYEVENT;
+	}
+	dns_fixedname_init(&target);
+	result = dns_adb_createfind(view->adb, task, adb_callback, NULL,
+				    dns_fixedname_name(&fixed), dns_rootname, 0,
+				    options, 0, dns_fixedname_name(&target), 0,
+				    0, NULL, &find);
+	if (result == ISC_R_SUCCESS) {
+		if (!ISC_LIST_EMPTY(find->list)) {
+			/*
+			 * We have at least some of the addresses for the
+			 * name.
+			 */
+			INSIST((find->options & DNS_ADBFIND_WANTEVENT) == 0);
+			print_addresses(find);
+			done = true;
+		} else {
+			/*
+			 * We don't know any of the addresses for this
+			 * name.
+			 */
+			if ((find->options & DNS_ADBFIND_WANTEVENT) == 0) {
+				/*
+				 * And ADB isn't going to send us any events
+				 * either.  This query loses.
+				 */
+				done = true;
+			}
+			/*
+			 * If the DNS_ADBFIND_WANTEVENT flag was set, we'll
+			 * get an event when something happens.
+			 */
+		}
+	} else if (result == DNS_R_ALIAS) {
+		print_name(dns_fixedname_name(&target));
+		done = true;
+	} else {
+		printf("dns_adb_createfind() returned %s\n",
+		       isc_result_totext(result));
+		done = true;
+	}
+
+	if (done) {
+		if (find != NULL) {
+			dns_adb_destroyfind(&find);
+		}
+		isc_app_shutdown();
+	}
+}
+
+static void
+adb_callback(isc_task_t *etask, isc_event_t *event) {
+	unsigned int type = event->ev_type;
+
+	REQUIRE(etask == task);
+
+	isc_event_free(&event);
+	dns_adb_destroyfind(&find);
+
+	if (type == DNS_EVENT_ADBMOREADDRESSES) {
+		do_find(false);
+	} else if (type == DNS_EVENT_ADBNOMOREADDRESSES) {
+		printf("no more addresses\n");
+		isc_app_shutdown();
+	} else {
+		printf("unexpected ADB event type %u\n", type);
+		isc_app_shutdown();
+	}
+}
+
+static void
+run(isc_task_t *xtask, isc_event_t *event) {
+	UNUSED(xtask);
+	do_find(true);
+	isc_event_free(&event);
+}
+
+int
+main(int argc, char *argv[]) {
+	bool verbose = false;
+	unsigned int workers = 2;
+	isc_timermgr_t *timermgr = NULL;
+	int ch;
+	isc_socketmgr_t *socketmgr = NULL;
+	dns_dispatchmgr_t *dispatchmgr = NULL;
+	dns_cache_t *cache = NULL;
+	isc_buffer_t b;
+
+	RUNTIME_CHECK(isc_app_start() == ISC_R_SUCCESS);
+
+	dns_result_register();
+
+	isc_mem_create(&mctx);
+
+	while ((ch = isc_commandline_parse(argc, argv, "d:vw:")) != -1) {
+		switch (ch) {
+		case 'd':
+			level = (unsigned int)atoi(isc_commandline_argument);
+			break;
+		case 'v':
+			verbose = true;
+			break;
+		case 'w':
+			workers = (unsigned int)atoi(isc_commandline_argument);
+			break;
+		}
+	}
+
+	log_init();
+
+	if (verbose) {
+		printf("%u workers\n", workers);
+		printf("IPv4: %s\n", isc_result_totext(isc_net_probeipv4()));
+		printf("IPv6: %s\n", isc_result_totext(isc_net_probeipv6()));
+	}
+
+	RUNTIME_CHECK(isc_managers_create(mctx, workers, 0, &netmgr,
+					  &taskmgr) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_task_create(taskmgr, 0, &task) == ISC_R_SUCCESS);
+	isc_task_setname(task, "byname", NULL);
+
+	RUNTIME_CHECK(dns_dispatchmgr_create(mctx, &dispatchmgr) ==
+		      ISC_R_SUCCESS);
+
+	RUNTIME_CHECK(isc_timermgr_create(mctx, &timermgr) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_socketmgr_create(mctx, &socketmgr) == ISC_R_SUCCESS);
+
+	RUNTIME_CHECK(dns_cache_create(mctx, mctx, taskmgr, timermgr,
+				       dns_rdataclass_in, "", "rbt", 0, NULL,
+				       &cache) == ISC_R_SUCCESS);
+
+	RUNTIME_CHECK(dns_view_create(mctx, dns_rdataclass_in, "default",
+				      &view) == ISC_R_SUCCESS);
+
+	{
+		unsigned int attrs;
+		dns_dispatch_t *disp4 = NULL;
+		dns_dispatch_t *disp6 = NULL;
+
+		if (isc_net_probeipv4() == ISC_R_SUCCESS) {
+			isc_sockaddr_t any4;
+			isc_sockaddr_any(&any4);
+
+			attrs = DNS_DISPATCHATTR_IPV4 | DNS_DISPATCHATTR_UDP;
+			RUNTIME_CHECK(
+				dns_dispatch_getudp(dispatchmgr, socketmgr,
+						    taskmgr, &any4, 512, 6,
+						    1024, 17, 19, attrs, attrs,
+						    &disp4) == ISC_R_SUCCESS);
+			INSIST(disp4 != NULL);
+		}
+
+		if (isc_net_probeipv6() == ISC_R_SUCCESS) {
+			isc_sockaddr_t any6;
+
+			isc_sockaddr_any6(&any6);
+
+			attrs = DNS_DISPATCHATTR_IPV6 | DNS_DISPATCHATTR_UDP;
+			RUNTIME_CHECK(
+				dns_dispatch_getudp(dispatchmgr, socketmgr,
+						    taskmgr, &any6, 512, 6,
+						    1024, 17, 19, attrs, attrs,
+						    &disp6) == ISC_R_SUCCESS);
+			INSIST(disp6 != NULL);
+		}
+
+		RUNTIME_CHECK(dns_view_createresolver(view, taskmgr, 10, 1,
+						      socketmgr, timermgr, 0,
+						      dispatchmgr, disp4,
+						      disp6) == ISC_R_SUCCESS);
+
+		if (disp4 != NULL) {
+			dns_dispatch_detach(&disp4);
+		}
+		if (disp6 != NULL) {
+			dns_dispatch_detach(&disp6);
+		}
+	}
+
+	{
+		struct in_addr ina;
+		isc_sockaddr_t sa;
+		isc_sockaddrlist_t sal;
+
+		ISC_LIST_INIT(sal);
+		ina.s_addr = inet_addr("127.0.0.1");
+		isc_sockaddr_fromin(&sa, &ina, 53);
+		ISC_LIST_APPEND(sal, &sa, link);
+
+		REQUIRE(DNS_VIEW_VALID(view));
+		RUNTIME_CHECK(dns_fwdtable_add(view->fwdtable, dns_rootname,
+					       &sal, dns_fwdpolicy_only) ==
+			      ISC_R_SUCCESS);
+	}
+
+	dns_view_setcache(view, cache, false);
+	dns_view_freeze(view);
+
+	dns_cache_detach(&cache);
+
+	printf("name = %s\n", argv[isc_commandline_index]);
+	isc_buffer_init(&b, argv[isc_commandline_index],
+			strlen(argv[isc_commandline_index]));
+	isc_buffer_add(&b, strlen(argv[isc_commandline_index]));
+	dns_fixedname_init(&fixed);
+	dns_fixedname_init(&target);
+	RUNTIME_CHECK(dns_name_fromtext(dns_fixedname_name(&fixed), &b,
+					dns_rootname, 0,
+					NULL) == ISC_R_SUCCESS);
+
+	RUNTIME_CHECK(isc_app_onrun(mctx, task, run, NULL) == ISC_R_SUCCESS);
+
+	(void)isc_app_run();
+
+	dns_view_detach(&view);
+	isc_task_shutdown(task);
+	isc_task_detach(&task);
+
+	dns_dispatchmgr_destroy(&dispatchmgr);
+
+	isc_managers_destroy(&netmgr, &taskmgr);
+
+	isc_socketmgr_destroy(&socketmgr);
+	isc_timermgr_destroy(&timermgr);
+
+	isc_log_destroy(&lctx);
+
+	if (verbose) {
+		isc_mem_stats(mctx, stdout);
+	}
+	isc_mem_destroy(&mctx);
+
+	isc_app_finish();
+
+	return (0);
+}
diff --git a/bin/tests/optional/db_test.c b/bin/tests/optional/db_test.c
new file mode 100644
index 0000000..05bd748
--- /dev/null
+++ b/bin/tests/optional/db_test.c
@@ -0,0 +1,983 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file
+ */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/commandline.h>
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/dbtable.h>
+#include <dns/fixedname.h>
+#include <dns/log.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/result.h>
+
+#define MAXHOLD	    100
+#define MAXVERSIONS 100
+
+typedef struct dbinfo {
+	dns_db_t *db;
+	dns_dbversion_t *version;
+	dns_dbversion_t *wversion;
+	dns_dbversion_t *rversions[MAXVERSIONS];
+	int rcount;
+	dns_dbnode_t *hold_nodes[MAXHOLD];
+	int hold_count;
+	dns_dbiterator_t *dbiterator;
+	dns_dbversion_t *iversion;
+	int pause_every;
+	bool ascending;
+	ISC_LINK(struct dbinfo) link;
+} dbinfo;
+
+static isc_mem_t *mctx = NULL;
+static char dbtype[128];
+static dns_dbtable_t *dbtable;
+static ISC_LIST(dbinfo) dbs;
+static dbinfo *cache_dbi = NULL;
+static int pause_every = 0;
+static bool ascending = true;
+
+static void
+print_result(const char *message, isc_result_t result) {
+	if (message == NULL) {
+		message = "";
+	}
+	printf("%s%sresult %08x: %s\n", message, (*message == '\0') ? "" : " ",
+	       result, isc_result_totext(result));
+}
+
+static void
+print_rdataset(dns_name_t *name, dns_rdataset_t *rdataset) {
+	isc_buffer_t text;
+	char t[1000];
+	isc_result_t result;
+	isc_region_t r;
+
+	isc_buffer_init(&text, t, sizeof(t));
+	result = dns_rdataset_totext(rdataset, name, false, false, &text);
+	isc_buffer_usedregion(&text, &r);
+	if (result == ISC_R_SUCCESS) {
+		printf("%.*s", (int)r.length, (char *)r.base);
+	} else {
+		print_result("", result);
+	}
+}
+
+static void
+print_rdatasets(dns_name_t *name, dns_rdatasetiter_t *rdsiter) {
+	isc_result_t result;
+	dns_rdataset_t rdataset;
+
+	dns_rdataset_init(&rdataset);
+	result = dns_rdatasetiter_first(rdsiter);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdatasetiter_current(rdsiter, &rdataset);
+		print_rdataset(name, &rdataset);
+		dns_rdataset_disassociate(&rdataset);
+		result = dns_rdatasetiter_next(rdsiter);
+	}
+	if (result != ISC_R_NOMORE) {
+		print_result("", result);
+	}
+}
+
+static dbinfo *
+select_db(char *origintext) {
+	dns_fixedname_t forigin;
+	dns_name_t *origin;
+	isc_buffer_t source;
+	size_t len;
+	dbinfo *dbi;
+	isc_result_t result;
+
+	if (strcasecmp(origintext, "cache") == 0) {
+		if (cache_dbi == NULL) {
+			printf("the cache does not exist\n");
+		}
+		return (cache_dbi);
+	}
+	len = strlen(origintext);
+	isc_buffer_init(&source, origintext, len);
+	isc_buffer_add(&source, len);
+	origin = dns_fixedname_initname(&forigin);
+	result = dns_name_fromtext(origin, &source, dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		print_result("bad name", result);
+		return (NULL);
+	}
+
+	for (dbi = ISC_LIST_HEAD(dbs); dbi != NULL;
+	     dbi = ISC_LIST_NEXT(dbi, link))
+	{
+		if (dns_name_compare(dns_db_origin(dbi->db), origin) == 0) {
+			break;
+		}
+	}
+
+	return (dbi);
+}
+
+static void
+list(dbinfo *dbi, char *seektext) {
+	dns_fixedname_t fname;
+	dns_name_t *name;
+	dns_dbnode_t *node;
+	dns_rdatasetiter_t *rdsiter;
+	isc_result_t result;
+	int i;
+	size_t len;
+	dns_fixedname_t fseekname;
+	dns_name_t *seekname;
+	isc_buffer_t source;
+
+	name = dns_fixedname_initname(&fname);
+
+	if (dbi->dbiterator == NULL) {
+		INSIST(dbi->iversion == NULL);
+		if (dns_db_iszone(dbi->db)) {
+			if (dbi->version != NULL) {
+				dns_db_attachversion(dbi->db, dbi->version,
+						     &dbi->iversion);
+			} else {
+				dns_db_currentversion(dbi->db, &dbi->iversion);
+			}
+		}
+
+		result = dns_db_createiterator(dbi->db, 0, &dbi->dbiterator);
+		if (result == ISC_R_SUCCESS) {
+			if (seektext != NULL) {
+				len = strlen(seektext);
+				isc_buffer_init(&source, seektext, len);
+				isc_buffer_add(&source, len);
+				seekname = dns_fixedname_initname(&fseekname);
+				result = dns_name_fromtext(
+					seekname, &source,
+					dns_db_origin(dbi->db), 0, NULL);
+				if (result == ISC_R_SUCCESS) {
+					result = dns_dbiterator_seek(
+						dbi->dbiterator, seekname);
+				}
+			} else if (dbi->ascending) {
+				result = dns_dbiterator_first(dbi->dbiterator);
+			} else {
+				result = dns_dbiterator_last(dbi->dbiterator);
+			}
+		}
+	} else {
+		result = ISC_R_SUCCESS;
+	}
+
+	node = NULL;
+	rdsiter = NULL;
+	i = 0;
+	while (result == ISC_R_SUCCESS) {
+		result = dns_dbiterator_current(dbi->dbiterator, &node, name);
+		if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+			break;
+		}
+		result = dns_db_allrdatasets(dbi->db, node, dbi->iversion, 0, 0,
+					     &rdsiter);
+		if (result != ISC_R_SUCCESS) {
+			dns_db_detachnode(dbi->db, &node);
+			break;
+		}
+		print_rdatasets(name, rdsiter);
+		dns_rdatasetiter_destroy(&rdsiter);
+		dns_db_detachnode(dbi->db, &node);
+		if (dbi->ascending) {
+			result = dns_dbiterator_next(dbi->dbiterator);
+		} else {
+			result = dns_dbiterator_prev(dbi->dbiterator);
+		}
+		i++;
+		if (result == ISC_R_SUCCESS && i == dbi->pause_every) {
+			printf("[more...]\n");
+			result = dns_dbiterator_pause(dbi->dbiterator);
+			if (result == ISC_R_SUCCESS) {
+				return;
+			}
+		}
+	}
+	if (result != ISC_R_NOMORE) {
+		print_result("", result);
+	}
+
+	dns_dbiterator_destroy(&dbi->dbiterator);
+	if (dbi->iversion != NULL) {
+		dns_db_closeversion(dbi->db, &dbi->iversion, false);
+	}
+}
+
+static isc_result_t
+load(const char *filename, const char *origintext, bool cache) {
+	dns_fixedname_t forigin;
+	dns_name_t *origin;
+	isc_result_t result;
+	isc_buffer_t source;
+	size_t len;
+	dbinfo *dbi;
+	unsigned int i;
+
+	dbi = isc_mem_get(mctx, sizeof(*dbi));
+
+	dbi->db = NULL;
+	dbi->version = NULL;
+	dbi->wversion = NULL;
+	for (i = 0; i < MAXVERSIONS; i++) {
+		dbi->rversions[i] = NULL;
+	}
+	dbi->hold_count = 0;
+	for (i = 0; i < MAXHOLD; i++) {
+		dbi->hold_nodes[i] = NULL;
+	}
+	dbi->dbiterator = NULL;
+	dbi->iversion = NULL;
+	dbi->pause_every = pause_every;
+	dbi->ascending = ascending;
+	ISC_LINK_INIT(dbi, link);
+
+	len = strlen(origintext);
+	isc_buffer_constinit(&source, origintext, len);
+	isc_buffer_add(&source, len);
+	origin = dns_fixedname_initname(&forigin);
+	result = dns_name_fromtext(origin, &source, dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(mctx, dbi, sizeof(*dbi));
+		return (result);
+	}
+
+	result = dns_db_create(mctx, dbtype, origin,
+			       cache ? dns_dbtype_cache : dns_dbtype_zone,
+			       dns_rdataclass_in, 0, NULL, &dbi->db);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(mctx, dbi, sizeof(*dbi));
+		return (result);
+	}
+
+	printf("loading %s (%s)\n", filename, origintext);
+	result = dns_db_load(dbi->db, filename, dns_masterformat_text, 0);
+	if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE) {
+		dns_db_detach(&dbi->db);
+		isc_mem_put(mctx, dbi, sizeof(*dbi));
+		return (result);
+	}
+	printf("loaded\n");
+
+	if (cache) {
+		INSIST(cache_dbi == NULL);
+		dns_dbtable_adddefault(dbtable, dbi->db);
+		cache_dbi = dbi;
+	} else {
+		result = dns_dbtable_add(dbtable, dbi->db);
+		if (result != ISC_R_SUCCESS) {
+			dns_db_detach(&dbi->db);
+			isc_mem_put(mctx, dbi, sizeof(*dbi));
+			return (result);
+		}
+	}
+	ISC_LIST_APPEND(dbs, dbi, link);
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+unload_all(void) {
+	dbinfo *dbi, *dbi_next;
+
+	for (dbi = ISC_LIST_HEAD(dbs); dbi != NULL; dbi = dbi_next) {
+		dbi_next = ISC_LIST_NEXT(dbi, link);
+		if (dns_db_iszone(dbi->db)) {
+			dns_dbtable_remove(dbtable, dbi->db);
+		} else {
+			INSIST(dbi == cache_dbi);
+			dns_dbtable_removedefault(dbtable);
+			cache_dbi = NULL;
+		}
+		dns_db_detach(&dbi->db);
+		ISC_LIST_UNLINK(dbs, dbi, link);
+		isc_mem_put(mctx, dbi, sizeof(*dbi));
+	}
+}
+
+#define DBI_CHECK(dbi)                                                 \
+	if ((dbi) == NULL) {                                           \
+		printf("You must first select a database with !DB\n"); \
+		continue;                                              \
+	}
+
+int
+main(int argc, char *argv[]) {
+	dns_db_t *db;
+	dns_dbnode_t *node;
+	isc_result_t result;
+	dns_name_t name;
+	dns_offsets_t offsets;
+	size_t len;
+	isc_buffer_t source, target;
+	char s[1000];
+	char b[255];
+	dns_rdataset_t rdataset, sigrdataset;
+	int ch;
+	dns_rdatatype_t type = 1;
+	bool printnode = false;
+	bool addmode = false;
+	bool delmode = false;
+	bool holdmode = false;
+	bool verbose = false;
+	bool done = false;
+	bool quiet = false;
+	bool time_lookups = false;
+	bool found_as;
+	bool find_zonecut = false;
+	bool noexact_zonecut = false;
+	int i, v;
+	dns_rdatasetiter_t *rdsiter;
+	char t1[256];
+	char t2[256];
+	isc_buffer_t tb1, tb2;
+	isc_region_t r1, r2;
+	dns_fixedname_t foundname;
+	dns_name_t *fname;
+	unsigned int options = 0, zcoptions;
+	isc_time_t start, finish;
+	const char *origintext;
+	dbinfo *dbi;
+	dns_dbversion_t *version;
+	const dns_name_t *origin;
+	dns_trust_t trust = 0;
+	unsigned int addopts;
+	isc_log_t *lctx = NULL;
+	size_t n;
+
+	dns_result_register();
+
+	isc_mem_create(&mctx);
+	RUNTIME_CHECK(dns_dbtable_create(mctx, dns_rdataclass_in, &dbtable) ==
+		      ISC_R_SUCCESS);
+
+	snprintf(dbtype, sizeof(dbtype), "rbt");
+	while ((ch = isc_commandline_parse(argc, argv, "c:d:t:z:P:Q:glpqvT")) !=
+	       -1)
+	{
+		switch (ch) {
+		case 'c':
+			result = load(isc_commandline_argument, ".", true);
+			if (result != ISC_R_SUCCESS) {
+				printf("cache load(%s) %08x: %s\n",
+				       isc_commandline_argument, result,
+				       isc_result_totext(result));
+			}
+			break;
+		case 'd':
+			n = strlcpy(dbtype, isc_commandline_argument,
+				    sizeof(dbtype));
+			if (n >= sizeof(dbtype)) {
+				fprintf(stderr, "bad db type '%s'\n",
+					isc_commandline_argument);
+				exit(1);
+			}
+			break;
+		case 'g':
+			options |= (DNS_DBFIND_GLUEOK |
+				    DNS_DBFIND_VALIDATEGLUE);
+			break;
+		case 'l':
+			isc_log_create(mctx, &lctx, NULL);
+			isc_log_setcontext(lctx);
+			dns_log_init(lctx);
+			dns_log_setcontext(lctx);
+			break;
+		case 'q':
+			quiet = true;
+			verbose = false;
+			break;
+		case 'p':
+			printnode = true;
+			break;
+		case 'P':
+			pause_every = atoi(isc_commandline_argument);
+			break;
+		case 't':
+			type = atoi(isc_commandline_argument);
+			break;
+		case 'T':
+			time_lookups = true;
+			break;
+		case 'v':
+			verbose = true;
+			break;
+		case 'z':
+			origintext = strrchr(isc_commandline_argument, '/');
+			if (origintext == NULL) {
+				origintext = isc_commandline_argument;
+			} else {
+				origintext++; /* Skip '/'. */
+			}
+			result = load(isc_commandline_argument, origintext,
+				      false);
+			if (result != ISC_R_SUCCESS) {
+				printf("zone load(%s) %08x: %s\n",
+				       isc_commandline_argument, result,
+				       isc_result_totext(result));
+			}
+			break;
+		}
+	}
+
+	argc -= isc_commandline_index;
+	argv += isc_commandline_index;
+	POST(argv);
+
+	if (argc != 0) {
+		printf("ignoring trailing arguments\n");
+	}
+
+	/*
+	 * Some final initialization...
+	 */
+	fname = dns_fixedname_initname(&foundname);
+	dbi = NULL;
+	origin = dns_rootname;
+	version = NULL;
+
+	if (time_lookups) {
+		TIME_NOW(&start);
+	}
+
+	while (!done) {
+		if (!quiet) {
+			printf("\n");
+		}
+		if (fgets(s, sizeof(s), stdin) == NULL) {
+			done = true;
+			continue;
+		}
+		len = strlen(s);
+		if (len > 0U && s[len - 1] == '\n') {
+			s[len - 1] = '\0';
+			len--;
+		}
+		if (verbose && dbi != NULL) {
+			if (dbi->wversion != NULL) {
+				printf("future version (%p)\n", dbi->wversion);
+			}
+			for (i = 0; i < dbi->rcount; i++) {
+				if (dbi->rversions[i] != NULL) {
+					printf("open version %d (%p)\n", i,
+					       dbi->rversions[i]);
+				}
+			}
+		}
+		dns_name_init(&name, offsets);
+		if (strcmp(s, "!R") == 0) {
+			DBI_CHECK(dbi);
+			if (dbi->rcount == MAXVERSIONS) {
+				printf("too many open versions\n");
+				continue;
+			}
+			dns_db_currentversion(dbi->db,
+					      &dbi->rversions[dbi->rcount]);
+			printf("opened version %d\n", dbi->rcount);
+			dbi->version = dbi->rversions[dbi->rcount];
+			version = dbi->version;
+			dbi->rcount++;
+			continue;
+		} else if (strcmp(s, "!W") == 0) {
+			DBI_CHECK(dbi);
+			if (dbi->wversion != NULL) {
+				printf("using existing future version\n");
+				dbi->version = dbi->wversion;
+				version = dbi->version;
+				continue;
+			}
+			result = dns_db_newversion(dbi->db, &dbi->wversion);
+			if (result != ISC_R_SUCCESS) {
+				print_result("", result);
+			} else {
+				printf("newversion\n");
+			}
+			dbi->version = dbi->wversion;
+			version = dbi->version;
+			continue;
+		} else if (strcmp(s, "!C") == 0) {
+			DBI_CHECK(dbi);
+			addmode = false;
+			delmode = false;
+			if (dbi->version == NULL) {
+				continue;
+			}
+			if (dbi->version == dbi->wversion) {
+				printf("closing future version\n");
+				dbi->wversion = NULL;
+			} else {
+				for (i = 0; i < dbi->rcount; i++) {
+					if (dbi->version == dbi->rversions[i]) {
+						dbi->rversions[i] = NULL;
+						printf("closing open version "
+						       "%d\n",
+						       i);
+						break;
+					}
+				}
+			}
+			dns_db_closeversion(dbi->db, &dbi->version, true);
+			version = NULL;
+			continue;
+		} else if (strcmp(s, "!X") == 0) {
+			DBI_CHECK(dbi);
+			addmode = false;
+			delmode = false;
+			if (dbi->version == NULL) {
+				continue;
+			}
+			if (dbi->version == dbi->wversion) {
+				printf("aborting future version\n");
+				dbi->wversion = NULL;
+			} else {
+				for (i = 0; i < dbi->rcount; i++) {
+					if (dbi->version == dbi->rversions[i]) {
+						dbi->rversions[i] = NULL;
+						printf("closing open version "
+						       "%d\n",
+						       i);
+						break;
+					}
+				}
+			}
+			dns_db_closeversion(dbi->db, &dbi->version, false);
+			version = NULL;
+			continue;
+		} else if (strcmp(s, "!A") == 0) {
+			DBI_CHECK(dbi);
+			delmode = false;
+			if (addmode) {
+				addmode = false;
+			} else {
+				addmode = true;
+			}
+			printf("addmode = %s\n", addmode ? "TRUE" : "FALSE");
+			continue;
+		} else if (strcmp(s, "!D") == 0) {
+			DBI_CHECK(dbi);
+			addmode = false;
+			if (delmode) {
+				delmode = false;
+			} else {
+				delmode = true;
+			}
+			printf("delmode = %s\n", delmode ? "TRUE" : "FALSE");
+			continue;
+		} else if (strcmp(s, "!H") == 0) {
+			DBI_CHECK(dbi);
+			if (holdmode) {
+				holdmode = false;
+			} else {
+				holdmode = true;
+			}
+			printf("holdmode = %s\n", holdmode ? "TRUE" : "FALSE");
+			continue;
+		} else if (strcmp(s, "!HR") == 0) {
+			DBI_CHECK(dbi);
+			for (i = 0; i < dbi->hold_count; i++) {
+				dns_db_detachnode(dbi->db, &dbi->hold_nodes[i]);
+			}
+			dbi->hold_count = 0;
+			holdmode = false;
+			printf("held nodes have been detached\n");
+			continue;
+		} else if (strcmp(s, "!VC") == 0) {
+			DBI_CHECK(dbi);
+			printf("switching to current version\n");
+			dbi->version = NULL;
+			version = NULL;
+			continue;
+		} else if (strstr(s, "!V") == s) {
+			DBI_CHECK(dbi);
+			v = atoi(&s[2]);
+			if (v >= dbi->rcount || v < 0) {
+				printf("unknown open version %d\n", v);
+				continue;
+			}
+			if (dbi->rversions[v] == NULL) {
+				printf("version %d is not open\n", v);
+				continue;
+			}
+			printf("switching to open version %d\n", v);
+			dbi->version = dbi->rversions[v];
+			version = dbi->version;
+			continue;
+		} else if (strstr(s, "!TR") == s) {
+			trust = (unsigned int)atoi(&s[3]);
+			printf("trust level is now %u\n", (unsigned int)trust);
+			continue;
+		} else if (strstr(s, "!T") == s) {
+			type = (unsigned int)atoi(&s[2]);
+			printf("now searching for type %u\n", type);
+			continue;
+		} else if (strcmp(s, "!G") == 0) {
+			if ((options & DNS_DBFIND_GLUEOK) != 0) {
+				options &= ~DNS_DBFIND_GLUEOK;
+			} else {
+				options |= DNS_DBFIND_GLUEOK;
+			}
+			printf("glue ok = %s\n",
+			       ((options & DNS_DBFIND_GLUEOK) != 0) ? "TRUE"
+								    : "FALSE");
+			continue;
+		} else if (strcmp(s, "!GV") == 0) {
+			if ((options & DNS_DBFIND_VALIDATEGLUE) != 0) {
+				options &= ~DNS_DBFIND_VALIDATEGLUE;
+			} else {
+				options |= DNS_DBFIND_VALIDATEGLUE;
+			}
+			printf("validate glue = %s\n",
+			       ((options & DNS_DBFIND_VALIDATEGLUE) != 0)
+				       ? "TRUE"
+				       : "FALSE");
+			continue;
+		} else if (strcmp(s, "!WC") == 0) {
+			if ((options & DNS_DBFIND_NOWILD) != 0) {
+				options &= ~DNS_DBFIND_NOWILD;
+			} else {
+				options |= DNS_DBFIND_NOWILD;
+			}
+			printf("wildcard matching = %s\n",
+			       ((options & DNS_DBFIND_NOWILD) == 0) ? "TRUE"
+								    : "FALSE");
+			continue;
+		} else if (strstr(s, "!LS ") == s) {
+			DBI_CHECK(dbi);
+			list(dbi, &s[4]);
+			continue;
+		} else if (strcmp(s, "!LS") == 0) {
+			DBI_CHECK(dbi);
+			list(dbi, NULL);
+			continue;
+		} else if (strstr(s, "!DU ") == s) {
+			DBI_CHECK(dbi);
+			result = dns_db_dump(dbi->db, dbi->version, s + 4);
+			if (result != ISC_R_SUCCESS) {
+				printf("\n");
+				print_result("", result);
+			}
+			continue;
+		} else if (strcmp(s, "!PN") == 0) {
+			if (printnode) {
+				printnode = false;
+			} else {
+				printnode = true;
+			}
+			printf("printnode = %s\n",
+			       printnode ? "TRUE" : "FALSE");
+			continue;
+		} else if (strstr(s, "!P") == s) {
+			DBI_CHECK(dbi);
+			v = atoi(&s[2]);
+			dbi->pause_every = v;
+			continue;
+		} else if (strcmp(s, "!+") == 0) {
+			DBI_CHECK(dbi);
+			dbi->ascending = true;
+			continue;
+		} else if (strcmp(s, "!-") == 0) {
+			DBI_CHECK(dbi);
+			dbi->ascending = false;
+			continue;
+		} else if (strcmp(s, "!DB") == 0) {
+			dbi = NULL;
+			origin = dns_rootname;
+			version = NULL;
+			printf("now searching all databases\n");
+			continue;
+		} else if (strncmp(s, "!DB ", 4) == 0) {
+			dbi = select_db(s + 4);
+			if (dbi != NULL) {
+				db = dbi->db;
+				origin = dns_db_origin(dbi->db);
+				version = dbi->version;
+				addmode = false;
+				delmode = false;
+				holdmode = false;
+			} else {
+				db = NULL;
+				version = NULL;
+				origin = dns_rootname;
+				printf("database not found; "
+				       "now searching all databases\n");
+			}
+			continue;
+		} else if (strcmp(s, "!ZC") == 0) {
+			if (find_zonecut) {
+				find_zonecut = false;
+			} else {
+				find_zonecut = true;
+			}
+			printf("find_zonecut = %s\n",
+			       find_zonecut ? "TRUE" : "FALSE");
+			continue;
+		} else if (strcmp(s, "!NZ") == 0) {
+			if (noexact_zonecut) {
+				noexact_zonecut = false;
+			} else {
+				noexact_zonecut = true;
+			}
+			printf("noexact_zonecut = %s\n",
+			       noexact_zonecut ? "TRUE" : "FALSE");
+			continue;
+		}
+
+		isc_buffer_init(&source, s, len);
+		isc_buffer_add(&source, len);
+		isc_buffer_init(&target, b, sizeof(b));
+		result = dns_name_fromtext(&name, &source, origin, 0, &target);
+		if (result != ISC_R_SUCCESS) {
+			print_result("bad name: ", result);
+			continue;
+		}
+
+		if (dbi == NULL) {
+			zcoptions = 0;
+			if (noexact_zonecut) {
+				zcoptions |= DNS_DBTABLEFIND_NOEXACT;
+			}
+			db = NULL;
+			result = dns_dbtable_find(dbtable, &name, zcoptions,
+						  &db);
+			if (result != ISC_R_SUCCESS &&
+			    result != DNS_R_PARTIALMATCH)
+			{
+				if (!quiet) {
+					printf("\n");
+					print_result("", result);
+				}
+				continue;
+			}
+			isc_buffer_init(&tb1, t1, sizeof(t1));
+			result = dns_name_totext(dns_db_origin(db), false,
+						 &tb1);
+			if (result != ISC_R_SUCCESS) {
+				printf("\n");
+				print_result("", result);
+				dns_db_detach(&db);
+				continue;
+			}
+			isc_buffer_usedregion(&tb1, &r1);
+			printf("\ndatabase = %.*s (%s)\n", (int)r1.length,
+			       r1.base, (dns_db_iszone(db)) ? "zone" : "cache");
+		}
+		node = NULL;
+		dns_rdataset_init(&rdataset);
+		dns_rdataset_init(&sigrdataset);
+
+		if (find_zonecut && dns_db_iscache(db)) {
+			zcoptions = options;
+			if (noexact_zonecut) {
+				zcoptions |= DNS_DBFIND_NOEXACT;
+			}
+			result = dns_db_findzonecut(db, &name, zcoptions, 0,
+						    &node, fname, NULL,
+						    &rdataset, &sigrdataset);
+		} else {
+			result = dns_db_find(db, &name, version, type, options,
+					     0, &node, fname, &rdataset,
+					     &sigrdataset);
+		}
+
+		if (!quiet) {
+			if (dbi != NULL) {
+				printf("\n");
+			}
+			print_result("", result);
+		}
+
+		found_as = false;
+		switch (result) {
+		case ISC_R_SUCCESS:
+		case DNS_R_GLUE:
+		case DNS_R_CNAME:
+		case DNS_R_ZONECUT:
+			break;
+		case DNS_R_DNAME:
+		case DNS_R_DELEGATION:
+			found_as = true;
+			break;
+		case DNS_R_NXRRSET:
+			if (dns_rdataset_isassociated(&rdataset)) {
+				break;
+			}
+			if (dbi != NULL) {
+				if (holdmode) {
+					RUNTIME_CHECK(dbi->hold_count <
+						      MAXHOLD);
+					dbi->hold_nodes[dbi->hold_count++] =
+						node;
+					node = NULL;
+				} else {
+					dns_db_detachnode(db, &node);
+				}
+			} else {
+				dns_db_detachnode(db, &node);
+				dns_db_detach(&db);
+			}
+			continue;
+		case DNS_R_NXDOMAIN:
+			if (dns_rdataset_isassociated(&rdataset)) {
+				break;
+			}
+			FALLTHROUGH;
+		default:
+			if (dbi == NULL) {
+				dns_db_detach(&db);
+			}
+			if (quiet) {
+				print_result("", result);
+			}
+			continue;
+		}
+		if (found_as && !quiet) {
+			isc_buffer_init(&tb1, t1, sizeof(t1));
+			isc_buffer_init(&tb2, t2, sizeof(t2));
+			result = dns_name_totext(&name, false, &tb1);
+			if (result != ISC_R_SUCCESS) {
+				print_result("", result);
+				dns_db_detachnode(db, &node);
+				if (dbi == NULL) {
+					dns_db_detach(&db);
+				}
+				continue;
+			}
+			result = dns_name_totext(fname, false, &tb2);
+			if (result != ISC_R_SUCCESS) {
+				print_result("", result);
+				dns_db_detachnode(db, &node);
+				if (dbi == NULL) {
+					dns_db_detach(&db);
+				}
+				continue;
+			}
+			isc_buffer_usedregion(&tb1, &r1);
+			isc_buffer_usedregion(&tb2, &r2);
+			printf("found %.*s as %.*s\n", (int)r1.length, r1.base,
+			       (int)r2.length, r2.base);
+		}
+
+		if (printnode) {
+			dns_db_printnode(db, node, stdout);
+		}
+
+		if (!found_as && type == dns_rdatatype_any) {
+			rdsiter = NULL;
+			result = dns_db_allrdatasets(db, node, version, 0, 0,
+						     &rdsiter);
+			if (result == ISC_R_SUCCESS) {
+				if (!quiet) {
+					print_rdatasets(fname, rdsiter);
+				}
+				dns_rdatasetiter_destroy(&rdsiter);
+			} else {
+				print_result("", result);
+			}
+		} else {
+			if (!quiet) {
+				print_rdataset(fname, &rdataset);
+			}
+			if (dns_rdataset_isassociated(&sigrdataset)) {
+				if (!quiet) {
+					print_rdataset(fname, &sigrdataset);
+				}
+				dns_rdataset_disassociate(&sigrdataset);
+			}
+			if (dbi != NULL && addmode && !found_as) {
+				rdataset.ttl++;
+				rdataset.trust = trust;
+				if (dns_db_iszone(db)) {
+					addopts = DNS_DBADD_MERGE;
+				} else {
+					addopts = 0;
+				}
+				result = dns_db_addrdataset(db, node, version,
+							    0, &rdataset,
+							    addopts, NULL);
+				if (result != ISC_R_SUCCESS) {
+					print_result("", result);
+				}
+				if (printnode) {
+					dns_db_printnode(db, node, stdout);
+				}
+			} else if (dbi != NULL && delmode && !found_as) {
+				result = dns_db_deleterdataset(
+					db, node, version, type, 0);
+				if (result != ISC_R_SUCCESS) {
+					print_result("", result);
+				}
+				if (printnode) {
+					dns_db_printnode(db, node, stdout);
+				}
+			}
+			dns_rdataset_disassociate(&rdataset);
+		}
+
+		if (dbi != NULL) {
+			if (holdmode) {
+				RUNTIME_CHECK(dbi->hold_count < MAXHOLD);
+				dbi->hold_nodes[dbi->hold_count++] = node;
+				node = NULL;
+			} else {
+				dns_db_detachnode(db, &node);
+			}
+		} else {
+			dns_db_detachnode(db, &node);
+			dns_db_detach(&db);
+		}
+	}
+
+	if (time_lookups) {
+		uint64_t usec;
+
+		TIME_NOW(&finish);
+
+		usec = isc_time_microdiff(&finish, &start);
+
+		printf("elapsed time: %lu.%06lu seconds\n",
+		       (unsigned long)(usec / 1000000),
+		       (unsigned long)(usec % 1000000));
+	}
+
+	unload_all();
+
+	dns_dbtable_detach(&dbtable);
+
+	if (lctx != NULL) {
+		isc_log_destroy(&lctx);
+	}
+
+	if (!quiet) {
+		isc_mem_stats(mctx, stdout);
+	}
+
+	return (0);
+}
diff --git a/bin/tests/optional/fsaccess_test.c b/bin/tests/optional/fsaccess_test.c
new file mode 100644
index 0000000..db5d21e
--- /dev/null
+++ b/bin/tests/optional/fsaccess_test.c
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/stat.h>  /* Non-portable. */
+#include <sys/types.h> /* Non-portable. */
+
+#include <isc/fsaccess.h>
+#include <isc/print.h>
+#include <isc/result.h>
+
+#define PATH "/tmp/fsaccess"
+
+int
+main(void) {
+	isc_fsaccess_t access;
+	isc_result_t result;
+	FILE *fp;
+	int n;
+
+	n = remove(PATH);
+	if (n != 0 && errno != ENOENT) {
+		fprintf(stderr, "unable to remove(%s)\n", PATH);
+		exit(1);
+	}
+	fp = fopen(PATH, "w");
+	if (fp == NULL) {
+		fprintf(stderr, "unable to fopen(%s)\n", PATH);
+		exit(1);
+	}
+	n = chmod(PATH, 0);
+	if (n != 0) {
+		fprintf(stderr, "unable chmod(%s, 0)\n", PATH);
+		exit(1);
+	}
+
+	access = 0;
+
+	isc_fsaccess_add(ISC_FSACCESS_OWNER | ISC_FSACCESS_GROUP,
+			 ISC_FSACCESS_READ | ISC_FSACCESS_WRITE, &access);
+
+	printf("fsaccess=%u\n", access);
+
+	isc_fsaccess_add(ISC_FSACCESS_OTHER, ISC_FSACCESS_READ, &access);
+
+	printf("fsaccess=%u\n", access);
+
+	result = isc_fsaccess_set(PATH, access);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "result = %s\n", isc_result_totext(result));
+	}
+	(void)fclose(fp);
+
+	return (0);
+}
diff --git a/bin/tests/optional/gsstest.c b/bin/tests/optional/gsstest.c
new file mode 100644
index 0000000..1cc18eb
--- /dev/null
+++ b/bin/tests/optional/gsstest.c
@@ -0,0 +1,550 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+
+#include <isc/app.h>
+#include <isc/base64.h>
+#include <isc/log.h>
+#include <isc/managers.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/sockaddr.h>
+#include <isc/socket.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/dispatch.h>
+#include <dns/dnssec.h>
+#include <dns/events.h>
+#include <dns/fixedname.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/masterdump.h>
+#include <dns/message.h>
+#include <dns/name.h>
+#include <dns/rdataset.h>
+#include <dns/request.h>
+#include <dns/resolver.h>
+#include <dns/result.h>
+#include <dns/tkey.h>
+#include <dns/tsig.h>
+#include <dns/types.h>
+#include <dns/view.h>
+
+#include <dst/result.h>
+
+#ifdef GSSAPI
+#include ISC_PLATFORM_GSSAPIHEADER
+
+#define CHECK(str, x)                                                     \
+	{                                                                 \
+		if ((x) != ISC_R_SUCCESS) {                               \
+			fprintf(stderr, "I:%d:%s: %s\n", __LINE__, (str), \
+				isc_result_totext(x));                    \
+			goto end;                                         \
+		}                                                         \
+	}
+
+static dns_fixedname_t servername, gssname;
+
+static isc_mem_t *mctx = NULL;
+static dns_requestmgr_t *requestmgr = NULL;
+static isc_sockaddr_t address;
+
+static dns_tsig_keyring_t *ring = NULL;
+static dns_tsigkey_t *tsigkey = NULL;
+static dns_gss_ctx_id_t gssctx;
+static dns_gss_ctx_id_t *gssctxp = &gssctx;
+
+#define RUNCHECK(x) RUNTIME_CHECK((x) == ISC_R_SUCCESS)
+
+#define PORT	53
+#define TIMEOUT 30
+
+static void
+initctx1(isc_task_t *task, isc_event_t *event);
+static void
+sendquery(isc_task_t *task, isc_event_t *event);
+static void
+setup();
+
+static void
+console(isc_task_t *task, isc_event_t *event) {
+	char buf[32];
+	int c;
+
+	isc_event_t *ev = NULL;
+
+	isc_event_free(&event);
+
+	for (;;) {
+		printf("\nCommand => ");
+		c = scanf("%31s", buf);
+
+		if (c == EOF || strcmp(buf, "quit") == 0) {
+			isc_app_shutdown();
+			return;
+		}
+
+		if (strcmp(buf, "initctx") == 0) {
+			ev = isc_event_allocate(mctx, (void *)1, 1, initctx1,
+						NULL, sizeof(*event));
+			isc_task_send(task, &ev);
+			return;
+		}
+
+		if (strcmp(buf, "query") == 0) {
+			ev = isc_event_allocate(mctx, (void *)1, 1, sendquery,
+						NULL, sizeof(*event));
+			isc_task_send(task, &ev);
+			return;
+		}
+
+		printf("Unknown command\n");
+	}
+}
+
+static void
+recvresponse(isc_task_t *task, isc_event_t *event) {
+	dns_requestevent_t *reqev = (dns_requestevent_t *)event;
+	isc_result_t result, result2;
+	dns_message_t *query = NULL, *response = NULL;
+	isc_buffer_t outtoken;
+	isc_buffer_t outbuf;
+	char output[10 * 1024];
+
+	unsigned char array[DNS_NAME_MAXTEXT + 1];
+	isc_buffer_init(&outtoken, array, sizeof(array));
+
+	UNUSED(task);
+
+	REQUIRE(reqev != NULL);
+
+	query = reqev->ev_arg;
+
+	if (reqev->result != ISC_R_SUCCESS) {
+		fprintf(stderr, "I:request event result: %s\n",
+			isc_result_totext(reqev->result));
+		goto end;
+	}
+
+	response = NULL;
+	dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &response);
+
+	printf("\nReceived Response:\n");
+
+	result2 = dns_request_getresponse(reqev->request, response,
+					  DNS_MESSAGEPARSE_PRESERVEORDER);
+	isc_buffer_init(&outbuf, output, sizeof(output));
+	result = dns_message_totext(response, &dns_master_style_debug, 0,
+				    &outbuf);
+	CHECK("dns_message_totext", result);
+	printf("%.*s\n", (int)isc_buffer_usedlength(&outbuf),
+	       (char *)isc_buffer_base(&outbuf));
+
+	CHECK("dns_request_getresponse", result2);
+
+	if (response != NULL) {
+		dns_message_detach(&response);
+	}
+
+end:
+	if (query != NULL) {
+		dns_message_detach(&query);
+	}
+
+	if (reqev->request != NULL) {
+		dns_request_destroy(&reqev->request);
+	}
+
+	isc_event_free(&event);
+
+	event = isc_event_allocate(mctx, (void *)1, 1, console, NULL,
+				   sizeof(*event));
+	isc_task_send(task, &event);
+	return;
+}
+
+static void
+sendquery(isc_task_t *task, isc_event_t *event) {
+	dns_request_t *request = NULL;
+	dns_message_t *message = NULL;
+	dns_name_t *qname = NULL;
+	dns_rdataset_t *qrdataset = NULL;
+	isc_result_t result;
+	dns_fixedname_t queryname;
+	isc_buffer_t buf;
+	isc_buffer_t outbuf;
+	char output[10 * 1024];
+	static char host[256];
+	int c;
+
+	isc_event_free(&event);
+
+	printf("Query => ");
+	c = scanf("%255s", host);
+	if (c == EOF) {
+		return;
+	}
+
+	dns_fixedname_init(&queryname);
+	isc_buffer_init(&buf, host, strlen(host));
+	isc_buffer_add(&buf, strlen(host));
+	result = dns_name_fromtext(dns_fixedname_name(&queryname), &buf,
+				   dns_rootname, 0, NULL);
+	CHECK("dns_name_fromtext", result);
+
+	dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &message);
+
+	message->opcode = dns_opcode_query;
+	message->rdclass = dns_rdataclass_in;
+	message->id = (unsigned short)(random() & 0xFFFF);
+
+	result = dns_message_gettempname(message, &qname);
+	if (result != ISC_R_SUCCESS) {
+		goto end;
+	}
+
+	result = dns_message_gettemprdataset(message, &qrdataset);
+	if (result != ISC_R_SUCCESS) {
+		goto end;
+	}
+
+	dns_name_init(qname, NULL);
+	dns_name_clone(dns_fixedname_name(&queryname), qname);
+	dns_rdataset_makequestion(qrdataset, dns_rdataclass_in,
+				  dns_rdatatype_a);
+	ISC_LIST_APPEND(qname->list, qrdataset, link);
+	dns_message_addname(message, qname, DNS_SECTION_QUESTION);
+
+	result = dns_request_create(requestmgr, message, &address, 0, tsigkey,
+				    TIMEOUT, task, recvresponse, message,
+				    &request);
+	CHECK("dns_request_create", result);
+
+	printf("Submitting query:\n");
+	isc_buffer_init(&outbuf, output, sizeof(output));
+	result = dns_message_totext(message, &dns_master_style_debug, 0,
+				    &outbuf);
+	CHECK("dns_message_totext", result);
+	printf("%.*s\n", (int)isc_buffer_usedlength(&outbuf),
+	       (char *)isc_buffer_base(&outbuf));
+
+	return;
+
+end:
+	if (qname != NULL) {
+		dns_message_puttempname(message, &qname);
+	}
+	if (qrdataset != NULL) {
+		dns_message_puttemprdataset(message, &qrdataset);
+	}
+	if (message != NULL) {
+		dns_message_detach(&message);
+	}
+}
+
+static void
+initctx2(isc_task_t *task, isc_event_t *event) {
+	dns_requestevent_t *reqev = (dns_requestevent_t *)event;
+	isc_result_t result;
+	dns_message_t *query = NULL, *response = NULL;
+	isc_buffer_t outtoken;
+	unsigned char array[DNS_NAME_MAXTEXT + 1];
+	dns_rdataset_t *rdataset;
+	dns_rdatatype_t qtype;
+	dns_name_t *question_name;
+
+	UNUSED(task);
+
+	REQUIRE(reqev != NULL);
+
+	query = reqev->ev_arg;
+
+	if (reqev->result != ISC_R_SUCCESS) {
+		fprintf(stderr, "I:request event result: %s\n",
+			isc_result_totext(reqev->result));
+		goto end;
+	}
+
+	response = NULL;
+	dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &response);
+
+	result = dns_request_getresponse(reqev->request, response,
+					 DNS_MESSAGEPARSE_PRESERVEORDER);
+	CHECK("dns_request_getresponse", result);
+
+	if (response->rcode != dns_rcode_noerror) {
+		result = ISC_RESULTCLASS_DNSRCODE + response->rcode;
+		fprintf(stderr, "I:response rcode: %s\n",
+			isc_result_totext(result));
+		goto end;
+	}
+
+	printf("Received token from server, calling gss_init_sec_context()\n");
+	isc_buffer_init(&outtoken, array, DNS_NAME_MAXTEXT + 1);
+	result = dns_tkey_processgssresponse(
+		query, response, dns_fixedname_name(&gssname), &gssctx,
+		&outtoken, &tsigkey, ring, NULL);
+	gssctx = *gssctxp;
+	CHECK("dns_tkey_processgssresponse", result);
+	printf("Context accepted\n");
+
+	question_name = NULL;
+	dns_message_currentname(response, DNS_SECTION_ANSWER, &question_name);
+	rdataset = ISC_LIST_HEAD(question_name->list);
+	INSIST(rdataset != NULL);
+	qtype = rdataset->type;
+	if (qtype == dns_rdatatype_tkey) {
+		printf("Received TKEY response from server\n");
+		printf("Context completed\n");
+	} else {
+		printf("Did not receive TKEY response from server\n");
+		printf("Context not completed\n");
+		dns_tsigkey_detach(&tsigkey);
+		tsigkey = NULL;
+	}
+
+	dns_message_detach(&response);
+
+end:
+	if (query != NULL) {
+		dns_message_detach(&query);
+	}
+
+	if (reqev->request != NULL) {
+		dns_request_destroy(&reqev->request);
+	}
+
+	isc_event_free(&event);
+
+	event = isc_event_allocate(mctx, (void *)1, 1, console, NULL,
+				   sizeof(*event));
+	isc_task_send(task, &event);
+	return;
+}
+
+static void
+initctx1(isc_task_t *task, isc_event_t *event) {
+	char gssid[512];
+	char contextname[512];
+	isc_result_t result;
+	isc_buffer_t buf;
+	dns_message_t *query;
+	dns_request_t *request;
+	int c;
+
+	isc_event_free(&event);
+
+	printf("Initctx - GSS name => ");
+	c = scanf("%511s", gssid);
+	if (c == EOF) {
+		return;
+	}
+
+	snprintf(contextname, sizeof(contextname), "gsstest.context.%d.",
+		 (int)time(NULL));
+
+	printf("Initctx - context name we're using: %s\n", contextname);
+
+	printf("Negotiating GSSAPI context: ");
+	printf("%s", gssid);
+	printf("\n");
+
+	/*
+	 * Setup a GSSAPI context with the server
+	 */
+	dns_fixedname_init(&servername);
+	isc_buffer_init(&buf, contextname, strlen(contextname));
+	isc_buffer_add(&buf, strlen(contextname));
+	result = dns_name_fromtext(dns_fixedname_name(&servername), &buf,
+				   dns_rootname, 0, NULL);
+	CHECK("dns_name_fromtext", result);
+
+	/* Make name happen */
+	dns_fixedname_init(&gssname);
+	isc_buffer_init(&buf, gssid, strlen(gssid));
+	isc_buffer_add(&buf, strlen(gssid));
+	result = dns_name_fromtext(dns_fixedname_name(&gssname), &buf,
+				   dns_rootname, 0, NULL);
+	CHECK("dns_name_fromtext", result);
+
+	query = NULL;
+	dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &query);
+
+	printf("Calling gss_init_sec_context()\n");
+	gssctx = GSS_C_NO_CONTEXT;
+	result = dns_tkey_buildgssquery(query, dns_fixedname_name(&servername),
+					dns_fixedname_name(&gssname), NULL,
+					36000, &gssctx, true, mctx, NULL);
+	CHECK("dns_tkey_buildgssquery", result);
+
+	printf("Sending context token to server\n");
+	request = NULL;
+	result = dns_request_create(requestmgr, query, &address, 0, NULL,
+				    TIMEOUT, task, initctx2, query, &request);
+	CHECK("dns_request_create", result);
+
+	return;
+end:
+	event = isc_event_allocate(mctx, (void *)1, 1, console, NULL,
+				   sizeof(*event));
+	isc_task_send(task, &event);
+	return;
+}
+
+static void
+setup(void) {
+	for (;;) {
+		char serveraddress[512];
+		struct in_addr inaddr;
+		int c;
+
+		printf("Server IP => ");
+		c = scanf("%511s", serveraddress);
+
+		if (c == EOF || strcmp(serveraddress, "quit") == 0) {
+			isc_app_shutdown();
+			return;
+		}
+
+		if (inet_pton(AF_INET, serveraddress, &inaddr) == 1) {
+			isc_sockaddr_fromin(&address, &inaddr, PORT);
+			return;
+		}
+	}
+}
+
+int
+main(int argc, char *argv[]) {
+	isc_nm_t *netmgr = NULL;
+	isc_taskmgr_t *taskmgr = NULL;
+	isc_timermgr_t *timermgr = NULL;
+	isc_socketmgr_t *socketmgr = NULL;
+	isc_socket_t *sock = NULL;
+	unsigned int attrs, attrmask;
+	isc_sockaddr_t bind_any;
+	dns_dispatchmgr_t *dispatchmgr = NULL;
+	dns_dispatch_t *dispatchv4 = NULL;
+	dns_view_t *view = NULL;
+	isc_task_t *task = NULL;
+	isc_log_t *lctx = NULL;
+	isc_logconfig_t *lcfg = NULL;
+	isc_logdestination_t destination;
+
+	UNUSED(argv);
+	UNUSED(argc);
+
+	RUNCHECK(isc_app_start());
+
+	dns_result_register();
+
+	mctx = NULL;
+	isc_mem_create(&mctx);
+
+	isc_log_create(mctx, &lctx, &lcfg);
+	isc_log_setcontext(lctx);
+	dns_log_init(lctx);
+	dns_log_setcontext(lctx);
+
+	/*
+	 * Create and install the default channel.
+	 */
+	destination.file.stream = stderr;
+	destination.file.name = NULL;
+	destination.file.versions = ISC_LOG_ROLLNEVER;
+	destination.file.maximum_size = 0;
+	isc_log_createchannel(lcfg, "_default", ISC_LOG_TOFILEDESC,
+			      ISC_LOG_DYNAMIC, &destination, ISC_LOG_PRINTTIME);
+
+	RUNCHECK(isc_log_usechannel(lcfg, "_default", NULL, NULL));
+
+	isc_log_setdebuglevel(lctx, 9);
+
+	RUNCHECK(dst_lib_init(mctx, NULL));
+
+	RUNCHECK(isc_managers_create(mctx, 1, 0, &netmgr, &taskmgr));
+	RUNCHECK(isc_task_create(taskmgr, 0, &task));
+	RUNCHECK(isc_timermgr_create(mctx, &timermgr));
+	RUNCHECK(isc_socketmgr_create(mctx, &socketmgr));
+	RUNCHECK(dns_dispatchmgr_create(mctx, &dispatchmgr));
+	isc_sockaddr_any(&bind_any);
+	attrs = DNS_DISPATCHATTR_UDP | DNS_DISPATCHATTR_MAKEQUERY |
+		DNS_DISPATCHATTR_IPV4;
+	attrmask = DNS_DISPATCHATTR_UDP | DNS_DISPATCHATTR_TCP |
+		   DNS_DISPATCHATTR_IPV4 | DNS_DISPATCHATTR_IPV6;
+	RUNCHECK(dns_dispatch_getudp(dispatchmgr, socketmgr, taskmgr, &bind_any,
+				     4096, 4, 2, 3, 5, attrs, attrmask,
+				     &dispatchv4));
+	RUNCHECK(dns_requestmgr_create(mctx, timermgr, socketmgr, taskmgr,
+				       dispatchmgr, dispatchv4, NULL,
+				       &requestmgr));
+
+	RUNCHECK(dns_tsigkeyring_create(mctx, &ring));
+
+	RUNCHECK(dns_view_create(mctx, 0, "_test", &view));
+	dns_view_setkeyring(view, ring);
+
+	RUNCHECK(isc_socket_create(socketmgr, PF_INET, isc_sockettype_udp,
+				   &sock));
+
+	setup();
+
+	RUNCHECK(isc_app_onrun(mctx, task, console, NULL));
+
+	(void)isc_app_run();
+
+	if (tsigkey) {
+		dns_tsigkey_detach(&tsigkey);
+	}
+
+	dns_requestmgr_shutdown(requestmgr);
+	dns_requestmgr_detach(&requestmgr);
+
+	dns_dispatch_detach(&dispatchv4);
+	dns_dispatchmgr_destroy(&dispatchmgr);
+
+	isc_timermgr_destroy(&timermgr);
+
+	isc_task_detach(&task);
+	isc_managers_destroy(&netmgr, &taskmgr);
+
+	isc_socket_detach(&sock);
+	isc_socketmgr_destroy(&socketmgr);
+
+	isc_mem_stats(mctx, stdout);
+
+	dns_view_detach(&view);
+
+	dst_lib_destroy();
+
+	isc_mem_stats(mctx, stdout);
+	isc_mem_destroy(&mctx);
+
+	isc_app_finish();
+
+	return (0);
+}
+#else  /* ifdef GSSAPI */
+int
+main(int argc, char *argv[]) {
+	UNUSED(argc);
+	UNUSED(argv);
+	fprintf(stderr, "R:GSSAPIONLY\n");
+	return (0);
+}
+#endif /* ifdef GSSAPI */
diff --git a/bin/tests/optional/inter_test.c b/bin/tests/optional/inter_test.c
new file mode 100644
index 0000000..32fbb2e
--- /dev/null
+++ b/bin/tests/optional/inter_test.c
@@ -0,0 +1,133 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <stdlib.h>
+
+#include <isc/interfaceiter.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/util.h>
+
+int
+main(int argc, char **argv) {
+	isc_mem_t *mctx = NULL;
+	isc_interfaceiter_t *iter = NULL;
+	isc_interface_t ifdata;
+	isc_result_t result;
+	const char *res;
+	char buf[128];
+
+	UNUSED(argc);
+	UNUSED(argv);
+
+	isc_mem_create(&mctx);
+	result = isc_interfaceiter_create(mctx, &iter);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	result = isc_interfaceiter_first(iter);
+	while (result == ISC_R_SUCCESS) {
+		result = isc_interfaceiter_current(iter, &ifdata);
+		if (result != ISC_R_SUCCESS) {
+			fprintf(stdout, "isc_interfaceiter_current: %s",
+				isc_result_totext(result));
+			continue;
+		}
+		fprintf(stdout, "%s %u %x\n", ifdata.name, ifdata.af,
+			ifdata.flags);
+		INSIST(ifdata.af == AF_INET || ifdata.af == AF_INET6);
+		res = inet_ntop(ifdata.af, &ifdata.address.type, buf,
+				sizeof(buf));
+		if (ifdata.address.zone != 0) {
+			fprintf(stdout, "address = %s (zone %u)\n",
+				res == NULL ? "BAD" : res, ifdata.address.zone);
+		} else {
+			fprintf(stdout, "address = %s\n",
+				res == NULL ? "BAD" : res);
+		}
+		INSIST(ifdata.address.family == ifdata.af);
+		res = inet_ntop(ifdata.af, &ifdata.netmask.type, buf,
+				sizeof(buf));
+		fprintf(stdout, "netmask = %s\n", res == NULL ? "BAD" : res);
+		INSIST(ifdata.netmask.family == ifdata.af);
+		if ((ifdata.flags & INTERFACE_F_POINTTOPOINT) != 0) {
+			res = inet_ntop(ifdata.af, &ifdata.dstaddress.type, buf,
+					sizeof(buf));
+			fprintf(stdout, "dstaddress = %s\n",
+				res == NULL ? "BAD" : res);
+
+			INSIST(ifdata.dstaddress.family == ifdata.af);
+		}
+		result = isc_interfaceiter_next(iter);
+		if (result != ISC_R_SUCCESS && result != ISC_R_NOMORE) {
+			fprintf(stdout, "isc_interfaceiter_next: %s",
+				isc_result_totext(result));
+			continue;
+		}
+	}
+	isc_interfaceiter_destroy(&iter);
+
+	fprintf(stdout, "\nPass 2\n\n");
+
+	result = isc_interfaceiter_create(mctx, &iter);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	result = isc_interfaceiter_first(iter);
+	while (result == ISC_R_SUCCESS) {
+		result = isc_interfaceiter_current(iter, &ifdata);
+		if (result != ISC_R_SUCCESS) {
+			fprintf(stdout, "isc_interfaceiter_current: %s",
+				isc_result_totext(result));
+			continue;
+		}
+		fprintf(stdout, "%s %u %x\n", ifdata.name, ifdata.af,
+			ifdata.flags);
+		INSIST(ifdata.af == AF_INET || ifdata.af == AF_INET6);
+		res = inet_ntop(ifdata.af, &ifdata.address.type, buf,
+				sizeof(buf));
+		if (ifdata.address.zone != 0) {
+			fprintf(stdout, "address = %s (zone %u)\n",
+				res == NULL ? "BAD" : res, ifdata.address.zone);
+		} else {
+			fprintf(stdout, "address = %s\n",
+				res == NULL ? "BAD" : res);
+		}
+		INSIST(ifdata.address.family == ifdata.af);
+		res = inet_ntop(ifdata.af, &ifdata.netmask.type, buf,
+				sizeof(buf));
+		fprintf(stdout, "netmask = %s\n", res == NULL ? "BAD" : res);
+		INSIST(ifdata.netmask.family == ifdata.af);
+		if ((ifdata.flags & INTERFACE_F_POINTTOPOINT) != 0) {
+			res = inet_ntop(ifdata.af, &ifdata.dstaddress.type, buf,
+					sizeof(buf));
+			fprintf(stdout, "dstaddress = %s\n",
+				res == NULL ? "BAD" : res);
+
+			INSIST(ifdata.dstaddress.family == ifdata.af);
+		}
+		result = isc_interfaceiter_next(iter);
+		if (result != ISC_R_SUCCESS && result != ISC_R_NOMORE) {
+			fprintf(stdout, "isc_interfaceiter_next: %s",
+				isc_result_totext(result));
+			continue;
+		}
+	}
+	isc_interfaceiter_destroy(&iter);
+cleanup:
+	isc_mem_destroy(&mctx);
+
+	return (0);
+}
diff --git a/bin/tests/optional/lex_test.c b/bin/tests/optional/lex_test.c
new file mode 100644
index 0000000..e0e88f7
--- /dev/null
+++ b/bin/tests/optional/lex_test.c
@@ -0,0 +1,159 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <isc/commandline.h>
+#include <isc/lex.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/util.h>
+
+isc_mem_t *mctx;
+isc_lex_t *lex;
+
+isc_lexspecials_t specials;
+
+static void
+print_token(isc_token_t *tokenp, FILE *stream) {
+	switch (tokenp->type) {
+	case isc_tokentype_unknown:
+		fprintf(stream, "UNKNOWN");
+		break;
+	case isc_tokentype_string:
+		fprintf(stream, "STRING %.*s",
+			(int)tokenp->value.as_region.length,
+			tokenp->value.as_region.base);
+		break;
+	case isc_tokentype_number:
+		fprintf(stream, "NUMBER %lu", tokenp->value.as_ulong);
+		break;
+	case isc_tokentype_qstring:
+		fprintf(stream, "QSTRING \"%.*s\"",
+			(int)tokenp->value.as_region.length,
+			tokenp->value.as_region.base);
+		break;
+	case isc_tokentype_eol:
+		fprintf(stream, "EOL");
+		break;
+	case isc_tokentype_eof:
+		fprintf(stream, "EOF");
+		break;
+	case isc_tokentype_initialws:
+		fprintf(stream, "INITIALWS");
+		break;
+	case isc_tokentype_special:
+		fprintf(stream, "SPECIAL %c", tokenp->value.as_char);
+		break;
+	case isc_tokentype_nomore:
+		fprintf(stream, "NOMORE");
+		break;
+	default:
+		FATAL_ERROR(__FILE__, __LINE__, "Unexpected type %d",
+			    tokenp->type);
+	}
+}
+
+int
+main(int argc, char *argv[]) {
+	isc_token_t token;
+	isc_result_t result;
+	int quiet = 0;
+	int c;
+	int masterfile = 1;
+	int stats = 0;
+	unsigned int options = 0;
+	int done = 0;
+
+	while ((c = isc_commandline_parse(argc, argv, "qmcs")) != -1) {
+		switch (c) {
+		case 'q':
+			quiet = 1;
+			break;
+		case 'm':
+			masterfile = 1;
+			break;
+		case 'c':
+			masterfile = 0;
+			break;
+		case 's':
+			stats = 1;
+			break;
+		}
+	}
+
+	isc_mem_create(&mctx);
+	RUNTIME_CHECK(isc_lex_create(mctx, 256, &lex) == ISC_R_SUCCESS);
+
+	if (masterfile) {
+		/* Set up to lex DNS master file. */
+
+		specials['('] = 1;
+		specials[')'] = 1;
+		specials['"'] = 1;
+		isc_lex_setspecials(lex, specials);
+		options = ISC_LEXOPT_DNSMULTILINE | ISC_LEXOPT_ESCAPE |
+			  ISC_LEXOPT_EOF | ISC_LEXOPT_QSTRING |
+			  ISC_LEXOPT_NOMORE;
+		isc_lex_setcomments(lex, ISC_LEXCOMMENT_DNSMASTERFILE);
+	} else {
+		/* Set up to lex DNS config file. */
+
+		specials['{'] = 1;
+		specials['}'] = 1;
+		specials[';'] = 1;
+		specials['/'] = 1;
+		specials['"'] = 1;
+		specials['!'] = 1;
+		specials['*'] = 1;
+		isc_lex_setspecials(lex, specials);
+		options = ISC_LEXOPT_EOF | ISC_LEXOPT_QSTRING |
+			  ISC_LEXOPT_NUMBER | ISC_LEXOPT_NOMORE;
+		isc_lex_setcomments(lex, (ISC_LEXCOMMENT_C |
+					  ISC_LEXCOMMENT_CPLUSPLUS |
+					  ISC_LEXCOMMENT_SHELL));
+	}
+
+	RUNTIME_CHECK(isc_lex_openstream(lex, stdin) == ISC_R_SUCCESS);
+
+	while ((result = isc_lex_gettoken(lex, options, &token)) ==
+		       ISC_R_SUCCESS &&
+	       !done)
+	{
+		if (!quiet) {
+			char *name = isc_lex_getsourcename(lex);
+			print_token(&token, stdout);
+			printf(" line = %lu file = %s\n",
+			       isc_lex_getsourceline(lex),
+			       (name == NULL) ? "<none>" : name);
+		}
+		if (token.type == isc_tokentype_eof) {
+			isc_lex_close(lex);
+		}
+		if (token.type == isc_tokentype_nomore) {
+			done = 1;
+		}
+	}
+	if (result != ISC_R_SUCCESS) {
+		printf("Result: %s\n", isc_result_totext(result));
+	}
+
+	isc_lex_close(lex);
+	isc_lex_destroy(&lex);
+	if (!quiet && stats) {
+		isc_mem_stats(mctx, stdout);
+	}
+	isc_mem_destroy(&mctx);
+
+	return (0);
+}
diff --git a/bin/tests/optional/lfsr_test.c b/bin/tests/optional/lfsr_test.c
new file mode 100644
index 0000000..c1c99f0
--- /dev/null
+++ b/bin/tests/optional/lfsr_test.c
@@ -0,0 +1,93 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdio.h>
+
+#include <isc/lfsr.h>
+#include <isc/print.h>
+#include <isc/util.h>
+
+uint32_t state[1024 * 64];
+
+int
+main(int argc, char **argv) {
+	isc_lfsr_t lfsr1, lfsr2;
+	int i;
+	uint32_t temp;
+
+	UNUSED(argc);
+	UNUSED(argv);
+
+	/*
+	 * Verify that returned values are reproducible.
+	 */
+	isc_lfsr_init(&lfsr1, 0, 32, 0x80000057U, 0, NULL, NULL);
+	for (i = 0; i < 32; i++) {
+		isc_lfsr_generate(&lfsr1, &state[i], 4);
+		printf("lfsr1:  state[%2d] = %08x\n", i, state[i]);
+	}
+	isc_lfsr_init(&lfsr1, 0, 32, 0x80000057U, 0, NULL, NULL);
+	for (i = 0; i < 32; i++) {
+		isc_lfsr_generate(&lfsr1, &temp, 4);
+		if (state[i] != temp) {
+			printf("lfsr1:  state[%2d] = %08x, "
+			       "but new state is %08x\n",
+			       i, state[i], temp);
+		}
+	}
+
+	/*
+	 * Now do the same with skipping.
+	 */
+	isc_lfsr_init(&lfsr1, 0, 32, 0x80000057U, 0, NULL, NULL);
+	for (i = 0; i < 32; i++) {
+		isc_lfsr_generate(&lfsr1, &state[i], 4);
+		isc_lfsr_skip(&lfsr1, 32);
+		printf("lfsr1:  state[%2d] = %08x\n", i, state[i]);
+	}
+	isc_lfsr_init(&lfsr1, 0, 32, 0x80000057U, 0, NULL, NULL);
+	for (i = 0; i < 32; i++) {
+		isc_lfsr_generate(&lfsr1, &temp, 4);
+		isc_lfsr_skip(&lfsr1, 32);
+		if (state[i] != temp) {
+			printf("lfsr1:  state[%2d] = %08x, "
+			       "but new state is %08x\n",
+			       i, state[i], temp);
+		}
+	}
+
+	/*
+	 * Try to find the period of the LFSR.
+	 *
+	 *	x^16 + x^5 + x^3 + x^2 + 1
+	 */
+	isc_lfsr_init(&lfsr2, 0, 16, 0x00008016U, 0, NULL, NULL);
+	for (i = 0; i < 32; i++) {
+		isc_lfsr_generate(&lfsr2, &state[i], 4);
+		printf("lfsr2:  state[%2d] = %08x\n", i, state[i]);
+	}
+	isc_lfsr_init(&lfsr2, 0, 16, 0x00008016U, 0, NULL, NULL);
+	for (i = 0; i < 32; i++) {
+		isc_lfsr_generate(&lfsr2, &temp, 4);
+		if (state[i] != temp) {
+			printf("lfsr2:  state[%2d] = %08x, "
+			       "but new state is %08x\n",
+			       i, state[i], temp);
+		}
+	}
+
+	return (0);
+}
diff --git a/bin/tests/optional/log_test.c b/bin/tests/optional/log_test.c
new file mode 100644
index 0000000..006b1e2
--- /dev/null
+++ b/bin/tests/optional/log_test.c
@@ -0,0 +1,344 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stdbool.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#include <isc/commandline.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/log.h>
+
+#define TEST_FILE     "/tmp/test_log"
+#define SYSLOG_FILE   "/var/log/daemon.log"
+#define FILE_VERSIONS 10
+
+char usage[] = "Usage: %s [-m] [-s syslog_logfile] [-r file_versions]\n";
+
+#define CHECK(expr)                                                     \
+	result = expr;                                                  \
+	if (result != ISC_R_SUCCESS) {                                  \
+		fprintf(stderr, "%s: " #expr "%s: exiting\n", progname, \
+			isc_result_totext(result));                     \
+	}
+
+int
+main(int argc, char **argv) {
+	const char *progname, *syslog_file, *message;
+	int ch, i, file_versions, stderr_line;
+	bool show_final_mem = false;
+	isc_log_t *lctx;
+	isc_logconfig_t *lcfg;
+	isc_mem_t *mctx;
+	isc_result_t result;
+	isc_logdestination_t destination;
+	const isc_logcategory_t *category;
+	const isc_logmodule_t *module;
+
+	progname = strrchr(*argv, '/');
+	if (progname != NULL) {
+		progname++;
+	} else {
+		progname = *argv;
+	}
+
+	syslog_file = SYSLOG_FILE;
+	file_versions = FILE_VERSIONS;
+
+	while ((ch = isc_commandline_parse(argc, argv, "ms:r:")) != -1) {
+		switch (ch) {
+		case 'm':
+			show_final_mem = true;
+			break;
+		case 's':
+			syslog_file = isc_commandline_argument;
+			break;
+		case 'r':
+			file_versions = atoi(isc_commandline_argument);
+			if (file_versions < 0 &&
+			    file_versions != ISC_LOG_ROLLNEVER &&
+			    file_versions != ISC_LOG_ROLLINFINITE)
+			{
+				fprintf(stderr,
+					"%s: file rotations must be "
+					"%d (ISC_LOG_ROLLNEVER),\n\t"
+					"%d (ISC_LOG_ROLLINFINITE) "
+					"or > 0\n",
+					progname, ISC_LOG_ROLLNEVER,
+					ISC_LOG_ROLLINFINITE);
+				exit(1);
+			}
+			break;
+		case '?':
+			fprintf(stderr, usage, progname);
+			exit(1);
+		}
+	}
+
+	argc -= isc_commandline_index;
+	argv += isc_commandline_index;
+	POST(argv);
+
+	if (argc > 0) {
+		fprintf(stderr, usage, progname);
+		exit(1);
+	}
+
+	fprintf(stderr, "EXPECT:\n%s%d%s%s%s",
+		"8 lines to stderr (first 4 numbered, #3 repeated)\n",
+		file_versions == 0 || file_versions == ISC_LOG_ROLLNEVER ? 1
+		: file_versions > 0 ? file_versions + 1
+				    : FILE_VERSIONS + 1,
+		" " TEST_FILE " files, and\n", "2 lines to syslog\n",
+		"lines ending with exclamation marks are errors\n\n");
+
+	isc_log_opensyslog(progname, LOG_PID, LOG_DAEMON);
+
+	mctx = NULL;
+	lctx = NULL;
+	lcfg = NULL;
+
+	isc_mem_create(&mctx);
+	isc_log_create(mctx, &lctx, &lcfg);
+
+	isc_log_settag(lcfg, progname);
+
+	isc_log_setcontext(lctx);
+	dns_log_init(lctx);
+	dns_log_setcontext(lctx);
+
+	/*
+	 * Test isc_log_categorybyname and isc_log_modulebyname.
+	 */
+	category = isc_log_categorybyname(lctx, "notify");
+	if (category != NULL) {
+		fprintf(stderr, "%s category found. (expected)\n",
+			category->name);
+	} else {
+		fprintf(stderr, "notify category not found!\n");
+	}
+
+	module = isc_log_modulebyname(lctx, "xyzzy");
+	if (module != NULL) {
+		fprintf(stderr, "%s module found!\n", module->name);
+	} else {
+		fprintf(stderr, "xyzzy module not found. (expected)\n");
+	}
+
+	/*
+	 * Create a file channel to test file opening, size limiting and
+	 * version rolling.
+	 */
+
+	destination.file.name = TEST_FILE;
+	destination.file.maximum_size = 1;
+	destination.file.versions = file_versions;
+
+	isc_log_createchannel(
+		lcfg, "file_test", ISC_LOG_TOFILE, ISC_LOG_INFO, &destination,
+		ISC_LOG_PRINTTIME | ISC_LOG_PRINTTAG | ISC_LOG_PRINTLEVEL |
+			ISC_LOG_PRINTCATEGORY | ISC_LOG_PRINTMODULE);
+
+	/*
+	 * Create a dynamic debugging channel to a file descriptor.
+	 */
+	destination.file.stream = stderr;
+
+	isc_log_createchannel(lcfg, "debug_test", ISC_LOG_TOFILEDESC,
+			      ISC_LOG_DYNAMIC, &destination,
+			      ISC_LOG_PRINTTIME | ISC_LOG_PRINTLEVEL |
+				      ISC_LOG_DEBUGONLY);
+
+	/*
+	 * Test the usability of the four predefined logging channels.
+	 */
+	CHECK(isc_log_usechannel(lcfg, "default_syslog",
+				 DNS_LOGCATEGORY_DATABASE,
+				 DNS_LOGMODULE_CACHE));
+	CHECK(isc_log_usechannel(lcfg, "default_stderr",
+				 DNS_LOGCATEGORY_DATABASE,
+				 DNS_LOGMODULE_CACHE));
+	CHECK(isc_log_usechannel(lcfg, "default_debug",
+				 DNS_LOGCATEGORY_DATABASE,
+				 DNS_LOGMODULE_CACHE));
+	CHECK(isc_log_usechannel(lcfg, "null", DNS_LOGCATEGORY_DATABASE, NULL));
+
+	/*
+	 * Use the custom channels.
+	 */
+	CHECK(isc_log_usechannel(lcfg, "file_test", DNS_LOGCATEGORY_GENERAL,
+				 DNS_LOGMODULE_DB));
+
+	CHECK(isc_log_usechannel(lcfg, "debug_test", DNS_LOGCATEGORY_GENERAL,
+				 DNS_LOGMODULE_RBTDB));
+
+	fprintf(stderr, "\n==> stderr begin\n");
+
+	/*
+	 * Write to the internal default by testing both a category for which
+	 * no channel has been specified and a category which was specified
+	 * but not with the named module.
+	 */
+	stderr_line = 1;
+
+	isc_log_write(lctx, DNS_LOGCATEGORY_SECURITY, DNS_LOGMODULE_RBT,
+		      ISC_LOG_CRITICAL, "%s (%d)",
+		      "Unspecified category and unspecified module to stderr",
+		      stderr_line++);
+	isc_log_write(lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_RBT,
+		      ISC_LOG_CRITICAL, "%s (%d)",
+		      "Specified category and unspecified module to stderr",
+		      stderr_line++);
+
+	/*
+	 * Write to default_syslog, default_stderr and default_debug.
+	 */
+	isc_log_write(lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE,
+		      ISC_LOG_WARNING, "%s (%d twice)",
+		      "Using the predefined channels to syslog+stderr",
+		      stderr_line++);
+
+	/*
+	 * Write to predefined null channel.
+	 */
+	isc_log_write(lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_RBTDB,
+		      ISC_LOG_INFO, "This is to null and should not appear!");
+
+	/*
+	 * Reset the internal default to use syslog instead of stderr,
+	 * and test it.
+	 */
+	CHECK(isc_log_usechannel(lcfg, "default_syslog",
+				 ISC_LOGCATEGORY_DEFAULT, NULL));
+	isc_log_write(lctx, DNS_LOGCATEGORY_SECURITY, DNS_LOGMODULE_RBT,
+		      ISC_LOG_ERROR, "%s%s",
+		      "This message to the redefined default category should ",
+		      "be second in syslog");
+	/*
+	 * Write to the file channel.
+	 */
+	if (file_versions >= 0 || file_versions == ISC_LOG_ROLLINFINITE) {
+		/*
+		 * If file_versions is 0 or ISC_LOG_ROLLINFINITE, write
+		 * the "should not appear" and "should be in file" messages
+		 * to ensure they get rolled.
+		 */
+		if (file_versions <= 0) {
+			file_versions = FILE_VERSIONS;
+		} else {
+			isc_log_write(lctx, DNS_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_DB, ISC_LOG_NOTICE,
+				      "This should be rolled over "
+				      "and not appear!");
+		}
+
+		for (i = file_versions - 1; i >= 0; i--) {
+			isc_log_write(lctx, DNS_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_DB, ISC_LOG_NOTICE,
+				      "should be in file %d/%d", i,
+				      file_versions - 1);
+		}
+
+		isc_log_write(lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_DB,
+			      ISC_LOG_NOTICE, "should be in base file");
+	} else {
+		file_versions = FILE_VERSIONS;
+		for (i = 1; i <= file_versions; i++) {
+			isc_log_write(lctx, DNS_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_DB, ISC_LOG_NOTICE,
+				      "This is message %d in the log file", i);
+		}
+	}
+
+	/*
+	 * Write a debugging message to a category that has no
+	 * debugging channels for the named module.
+	 */
+	isc_log_write(lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_DB,
+		      ISC_LOG_DEBUG(1),
+		      "This debug message should not appear!");
+
+	/*
+	 * Write debugging messages to a dynamic debugging channel.
+	 */
+	isc_log_write(lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_RBTDB,
+		      ISC_LOG_CRITICAL,
+		      "This critical message should "
+		      "not appear because the debug level is 0!");
+
+	isc_log_setdebuglevel(lctx, 3);
+
+	isc_log_write(lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_RBTDB,
+		      ISC_LOG_DEBUG(1), "%s (%d)",
+		      "Dynamic debugging to stderr", stderr_line++);
+	isc_log_write(lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_RBTDB,
+		      ISC_LOG_DEBUG(5),
+		      "This debug level is too high and should not appear!");
+
+	/*
+	 * Test out the duplicate filtering using the debug_test channel.
+	 */
+	isc_log_setduplicateinterval(lcfg, 10);
+	message = "This message should appear only once on stderr";
+
+	isc_log_write1(lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_RBTDB,
+		       ISC_LOG_CRITICAL, "%s", message);
+	isc_log_write1(lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_RBTDB,
+		       ISC_LOG_CRITICAL, "%s", message);
+
+	isc_log_setduplicateinterval(lcfg, 1);
+	message = "This message should appear twice on stderr";
+
+	isc_log_write1(lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_RBTDB,
+		       ISC_LOG_CRITICAL, "%s", message);
+	sleep(2);
+	isc_log_write1(lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_RBTDB,
+		       ISC_LOG_CRITICAL, "%s", message);
+
+	/*
+	 * Review where everything went.
+	 * XXXDCL NT
+	 */
+	fputc('\n', stderr);
+	if (system("head " TEST_FILE "*; rm -f " TEST_FILE "*") != 0) {
+		fprintf(stderr, "system(\"head " TEST_FILE "*; rm -f " TEST_FILE
+				"*\") failed\n");
+		goto cleanup;
+	}
+
+	/* This is highly system specific. */
+	if (freopen(syslog_file, "r", stdin) == NULL) {
+		fprintf(stderr, "freopen(%s, \"r\", stdin) failed\n",
+			syslog_file);
+		goto cleanup;
+	}
+	fprintf(stderr, "\n==> %s <==\n", syslog_file);
+	if (system("tail -2") != 0) {
+		fprintf(stderr, "system(\"tail -2\") failed\n");
+		goto cleanup;
+	}
+	fputc('\n', stderr);
+
+cleanup:
+	isc_log_destroy(&lctx);
+
+	if (show_final_mem) {
+		isc_mem_stats(mctx, stderr);
+	}
+
+	return (0);
+}
diff --git a/bin/tests/optional/master_test.c b/bin/tests/optional/master_test.c
new file mode 100644
index 0000000..1cd6ec7
--- /dev/null
+++ b/bin/tests/optional/master_test.c
@@ -0,0 +1,88 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/util.h>
+
+#include <dns/callbacks.h>
+#include <dns/master.h>
+#include <dns/name.h>
+#include <dns/rdataset.h>
+#include <dns/result.h>
+
+isc_mem_t *mctx;
+
+static isc_result_t
+print_dataset(void *arg, const dns_name_t *owner, dns_rdataset_t *dataset) {
+	char buf[64 * 1024];
+	isc_buffer_t target;
+	isc_result_t result;
+
+	UNUSED(arg);
+
+	isc_buffer_init(&target, buf, 64 * 1024);
+	result = dns_rdataset_totext(dataset, owner, false, false, &target);
+	if (result == ISC_R_SUCCESS) {
+		fprintf(stdout, "%.*s\n", (int)target.used,
+			(char *)target.base);
+	} else {
+		fprintf(stdout, "dns_rdataset_totext: %s\n",
+			dns_result_totext(result));
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+int
+main(int argc, char *argv[]) {
+	isc_result_t result;
+	dns_name_t origin;
+	isc_buffer_t source;
+	isc_buffer_t target;
+	unsigned char name_buf[255];
+	dns_rdatacallbacks_t callbacks;
+
+	UNUSED(argc);
+
+	isc_mem_create(&mctx);
+
+	if (argv[1]) {
+		isc_buffer_init(&source, argv[1], strlen(argv[1]));
+		isc_buffer_add(&source, strlen(argv[1]));
+		isc_buffer_setactive(&source, strlen(argv[1]));
+		isc_buffer_init(&target, name_buf, 255);
+		dns_name_init(&origin, NULL);
+		result = dns_name_fromtext(&origin, &source, dns_rootname, 0,
+					   &target);
+		if (result != ISC_R_SUCCESS) {
+			fprintf(stdout, "dns_name_fromtext: %s\n",
+				dns_result_totext(result));
+			exit(1);
+		}
+
+		dns_rdatacallbacks_init_stdio(&callbacks);
+		callbacks.add = print_dataset;
+
+		result = dns_master_loadfile(
+			argv[1], &origin, &origin, dns_rdataclass_in, 0, 0,
+			&callbacks, NULL, NULL, mctx, dns_masterformat_text, 0);
+		fprintf(stdout, "dns_master_loadfile: %s\n",
+			dns_result_totext(result));
+	}
+	return (0);
+}
diff --git a/bin/tests/optional/mempool_test.c b/bin/tests/optional/mempool_test.c
new file mode 100644
index 0000000..b3d04ee
--- /dev/null
+++ b/bin/tests/optional/mempool_test.c
@@ -0,0 +1,112 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <isc/mem.h>
+#include <isc/util.h>
+
+isc_mem_t *mctx;
+
+int
+main(int argc, char *argv[]) {
+	void *items1[50];
+	void *items2[50];
+	void *tmp;
+	isc_mempool_t *mp1, *mp2;
+	unsigned int i, j;
+
+	UNUSED(argc);
+	UNUSED(argv);
+
+	isc_mem_debugging = ISC_MEM_DEBUGRECORD;
+
+	mctx = NULL;
+	isc_mem_create(&mctx);
+
+	mp1 = NULL;
+	isc_mempool_create(mctx, 24, &mp1);
+
+	mp2 = NULL;
+	isc_mempool_create(mctx, 31, &mp2);
+
+	isc_mem_stats(mctx, stderr);
+
+	isc_mempool_setfreemax(mp1, 10);
+	isc_mempool_setfillcount(mp1, 10);
+	isc_mempool_setmaxalloc(mp1, 30);
+
+	/*
+	 * Allocate 30 items from the pool.  This is our max.
+	 */
+	for (i = 0; i < 30; i++) {
+		items1[i] = isc_mempool_get(mp1);
+		RUNTIME_CHECK(items1[i] != NULL);
+	}
+
+	/*
+	 * Try to allocate one more.  This should fail.
+	 */
+	tmp = isc_mempool_get(mp1);
+	RUNTIME_CHECK(tmp == NULL);
+
+	/*
+	 * Free the first 11 items.  Verify that there are 10 free items on
+	 * the free list (which is our max).
+	 */
+
+	for (i = 0; i < 11; i++) {
+		isc_mempool_put(mp1, items1[i]);
+		items1[i] = NULL;
+	}
+
+	RUNTIME_CHECK(isc_mempool_getfreecount(mp1) == 10);
+	RUNTIME_CHECK(isc_mempool_getallocated(mp1) == 19);
+
+	isc_mem_stats(mctx, stderr);
+
+	/*
+	 * Now, beat up on mp2 for a while.  Allocate 50 items, then free
+	 * them, then allocate 50 more, etc.
+	 */
+	isc_mempool_setfreemax(mp2, 25);
+	isc_mempool_setfillcount(mp2, 25);
+	for (j = 0; j < 5000; j++) {
+		for (i = 0; i < 50; i++) {
+			items2[i] = isc_mempool_get(mp2);
+			RUNTIME_CHECK(items2[i] != NULL);
+		}
+		for (i = 0; i < 50; i++) {
+			isc_mempool_put(mp2, items2[i]);
+			items2[i] = NULL;
+		}
+	}
+
+	/*
+	 * Free all the other items and blow away this pool.
+	 */
+	for (i = 11; i < 30; i++) {
+		isc_mempool_put(mp1, items1[i]);
+		items1[i] = NULL;
+	}
+
+	isc_mempool_destroy(&mp1);
+
+	isc_mem_stats(mctx, stderr);
+
+	isc_mempool_destroy(&mp2);
+
+	isc_mem_stats(mctx, stderr);
+
+	isc_mem_destroy(&mctx);
+
+	return (0);
+}
diff --git a/bin/tests/optional/name_test.c b/bin/tests/optional/name_test.c
new file mode 100644
index 0000000..4c37441
--- /dev/null
+++ b/bin/tests/optional/name_test.c
@@ -0,0 +1,365 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/commandline.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/fixedname.h>
+#include <dns/result.h>
+
+static void
+print_wirename(isc_region_t *name) {
+	unsigned char *ccurr, *cend;
+
+	if (name->length == 0) {
+		printf("<empty wire name>\n");
+		return;
+	}
+	ccurr = name->base;
+	cend = ccurr + name->length;
+	while (ccurr != cend) {
+		printf("%02x ", *ccurr++);
+	}
+	printf("\n");
+}
+
+static void
+print_name(dns_name_t *name) {
+	isc_result_t result;
+	isc_buffer_t source;
+	isc_region_t r;
+	char s[1000];
+
+	isc_buffer_init(&source, s, sizeof(s));
+	if (dns_name_countlabels(name) > 0) {
+		result = dns_name_totext(name, false, &source);
+	} else {
+		result = ISC_R_SUCCESS;
+	}
+	if (result == ISC_R_SUCCESS) {
+		isc_buffer_usedregion(&source, &r);
+		if (r.length > 0) {
+			printf("%.*s\n", (int)r.length, r.base);
+		} else {
+			printf("<empty text name>\n");
+		}
+	} else {
+		printf("error: %s\n", dns_result_totext(result));
+	}
+}
+
+int
+main(int argc, char *argv[]) {
+	char s[1000];
+	isc_result_t result;
+	dns_fixedname_t wname, wname2, oname, compname, downname;
+	isc_buffer_t source;
+	isc_region_t r;
+	dns_name_t *name, *comp, *down;
+	const dns_name_t *origin;
+	unsigned int downcase = 0;
+	size_t len;
+	bool quiet = false;
+	bool concatenate = false;
+	bool got_name = false;
+	bool check_absolute = false;
+	bool check_wildcard = false;
+	bool test_downcase = false;
+	bool inplace = false;
+	bool want_split = false;
+	unsigned int labels, split_label = 0;
+	dns_fixedname_t fprefix, fsuffix;
+	dns_name_t *prefix, *suffix;
+	int ch;
+
+	while ((ch = isc_commandline_parse(argc, argv, "acdiqs:w")) != -1) {
+		switch (ch) {
+		case 'a':
+			check_absolute = true;
+			break;
+		case 'c':
+			concatenate = true;
+			break;
+		case 'd':
+			test_downcase = true;
+			break;
+		case 'i':
+			inplace = true;
+			break;
+		case 'q':
+			quiet = true;
+			break;
+		case 's':
+			want_split = true;
+			split_label = atoi(isc_commandline_argument);
+			break;
+		case 'w':
+			check_wildcard = true;
+			break;
+		}
+	}
+
+	argc -= isc_commandline_index;
+	argv += isc_commandline_index;
+
+	if (argc > 0) {
+		if (strcasecmp("none", argv[0]) == 0) {
+			origin = NULL;
+		} else {
+			len = strlen(argv[0]);
+			isc_buffer_init(&source, argv[0], len);
+			isc_buffer_add(&source, len);
+			dns_fixedname_init(&oname);
+			result = dns_name_fromtext(dns_fixedname_name(&oname),
+						   &source, dns_rootname, 0,
+						   NULL);
+			if (result != 0) {
+				fprintf(stderr,
+					"dns_name_fromtext() failed: %s\n",
+					dns_result_totext(result));
+				exit(1);
+			}
+			origin = dns_fixedname_name(&oname);
+		}
+	} else if (concatenate) {
+		origin = NULL;
+	} else {
+		origin = dns_rootname;
+	}
+
+	if (argc >= 1) {
+		if (strcasecmp("none", argv[1]) == 0) {
+			comp = NULL;
+		} else {
+			len = strlen(argv[1]);
+			isc_buffer_init(&source, argv[1], len);
+			isc_buffer_add(&source, len);
+			comp = dns_fixedname_initname(&compname);
+			result = dns_name_fromtext(comp, &source, origin, 0,
+						   NULL);
+			if (result != 0) {
+				fprintf(stderr,
+					"dns_name_fromtext() failed: %s\n",
+					dns_result_totext(result));
+				exit(1);
+			}
+		}
+	} else {
+		comp = NULL;
+	}
+
+	name = dns_fixedname_initname(&wname);
+	dns_fixedname_init(&wname2);
+	while (fgets(s, sizeof(s), stdin) != NULL) {
+		len = strlen(s);
+		if (len > 0U && s[len - 1] == '\n') {
+			s[len - 1] = '\0';
+			len--;
+		}
+		isc_buffer_init(&source, s, len);
+		isc_buffer_add(&source, len);
+
+		if (len > 0U) {
+			result = dns_name_fromtext(name, &source, origin,
+						   downcase, NULL);
+		} else {
+			if (name == dns_fixedname_name(&wname)) {
+				dns_fixedname_init(&wname);
+			} else {
+				dns_fixedname_init(&wname2);
+			}
+			result = ISC_R_SUCCESS;
+		}
+
+		if (result != ISC_R_SUCCESS) {
+			printf("%s\n", dns_result_totext(result));
+			if (name == dns_fixedname_name(&wname)) {
+				dns_fixedname_init(&wname);
+			} else {
+				dns_fixedname_init(&wname2);
+			}
+			continue;
+		}
+
+		if (check_absolute && dns_name_countlabels(name) > 0) {
+			if (dns_name_isabsolute(name)) {
+				printf("absolute\n");
+			} else {
+				printf("relative\n");
+			}
+		}
+		if (check_wildcard && dns_name_countlabels(name) > 0) {
+			if (dns_name_iswildcard(name)) {
+				printf("wildcard\n");
+			} else {
+				printf("not wildcard\n");
+			}
+		}
+		dns_name_toregion(name, &r);
+		if (!quiet) {
+			print_wirename(&r);
+			printf("%u labels, %u bytes.\n",
+			       dns_name_countlabels(name), r.length);
+		}
+
+		if (concatenate) {
+			if (got_name) {
+				printf("Concatenating.\n");
+				result = dns_name_concatenate(
+					dns_fixedname_name(&wname),
+					dns_fixedname_name(&wname2),
+					dns_fixedname_name(&wname2), NULL);
+				name = dns_fixedname_name(&wname2);
+				if (result == ISC_R_SUCCESS) {
+					if (check_absolute &&
+					    dns_name_countlabels(name) > 0)
+					{
+						if (dns_name_isabsolute(name)) {
+							printf("absolute\n");
+						} else {
+							printf("relative\n");
+						}
+					}
+					if (check_wildcard &&
+					    dns_name_countlabels(name) > 0)
+					{
+						if (dns_name_iswildcard(name)) {
+							printf("wildcard\n");
+						} else {
+							printf("not "
+							       "wildcard\n");
+						}
+					}
+					dns_name_toregion(name, &r);
+					if (!quiet) {
+						print_wirename(&r);
+						printf("%u labels, "
+						       "%u bytes.\n",
+						       dns_name_countlabels(
+							       name),
+						       r.length);
+					}
+				} else {
+					printf("%s\n",
+					       dns_result_totext(result));
+				}
+				got_name = false;
+			} else {
+				got_name = true;
+			}
+		}
+		isc_buffer_init(&source, s, sizeof(s));
+		if (dns_name_countlabels(name) > 0) {
+			result = dns_name_totext(name, false, &source);
+		} else {
+			result = ISC_R_SUCCESS;
+		}
+		if (result == ISC_R_SUCCESS) {
+			isc_buffer_usedregion(&source, &r);
+			if (r.length > 0) {
+				printf("%.*s\n", (int)r.length, r.base);
+			} else {
+				printf("<empty text name>\n");
+			}
+			if (!quiet) {
+				printf("%u bytes.\n", source.used);
+			}
+		} else {
+			printf("%s\n", dns_result_totext(result));
+		}
+
+		if (test_downcase) {
+			if (inplace) {
+				down = name;
+			} else {
+				down = dns_fixedname_initname(&downname);
+			}
+			result = dns_name_downcase(name, down, NULL);
+			INSIST(result == ISC_R_SUCCESS);
+			if (!quiet) {
+				dns_name_toregion(down, &r);
+				print_wirename(&r);
+				printf("%u labels, %u bytes.\n",
+				       dns_name_countlabels(down), r.length);
+			}
+			isc_buffer_init(&source, s, sizeof(s));
+			print_name(down);
+		}
+
+		if (comp != NULL && dns_name_countlabels(name) > 0) {
+			int order;
+			unsigned int nlabels;
+			dns_namereln_t namereln;
+
+			namereln = dns_name_fullcompare(name, comp, &order,
+							&nlabels);
+			if (!quiet) {
+				if (order < 0) {
+					printf("<");
+				} else if (order > 0) {
+					printf(">");
+				} else {
+					printf("=");
+				}
+				switch (namereln) {
+				case dns_namereln_contains:
+					printf(", contains");
+					break;
+				case dns_namereln_subdomain:
+					printf(", subdomain");
+					break;
+				case dns_namereln_commonancestor:
+					printf(", common ancestor");
+					break;
+				default:
+					break;
+				}
+				if (namereln != dns_namereln_none &&
+				    namereln != dns_namereln_equal)
+				{
+					printf(", nlabels = %u", nlabels);
+				}
+				printf("\n");
+			}
+			printf("dns_name_equal() returns %s\n",
+			       dns_name_equal(name, comp) ? "TRUE" : "FALSE");
+		}
+
+		labels = dns_name_countlabels(name);
+		if (want_split && split_label < labels) {
+			prefix = dns_fixedname_initname(&fprefix);
+			suffix = dns_fixedname_initname(&fsuffix);
+			printf("splitting at label %u: ", split_label);
+			dns_name_split(name, split_label, prefix, suffix);
+			printf("\n    prefix = ");
+			print_name(prefix);
+			printf("    suffix = ");
+			print_name(suffix);
+		}
+
+		if (concatenate) {
+			if (got_name) {
+				name = dns_fixedname_name(&wname2);
+			} else {
+				name = dns_fixedname_name(&wname);
+			}
+		}
+	}
+
+	return (0);
+}
diff --git a/bin/tests/optional/nsecify.c b/bin/tests/optional/nsecify.c
new file mode 100644
index 0000000..357b47f
--- /dev/null
+++ b/bin/tests/optional/nsecify.c
@@ -0,0 +1,217 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h>
+
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/fixedname.h>
+#include <dns/nsec.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/result.h>
+
+static isc_mem_t *mctx = NULL;
+
+ISC_PLATFORM_NORETURN_PRE static void
+fatal(const char *message) ISC_PLATFORM_NORETURN_POST;
+
+static void
+fatal(const char *message) {
+	fprintf(stderr, "%s\n", message);
+	exit(1);
+}
+
+static void
+check_result(isc_result_t result, const char *message) {
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "%s: %s\n", message, isc_result_totext(result));
+		exit(1);
+	}
+}
+
+static bool
+active_node(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) {
+	dns_rdatasetiter_t *rdsiter;
+	bool active = false;
+	isc_result_t result;
+	dns_rdataset_t rdataset;
+
+	dns_rdataset_init(&rdataset);
+	rdsiter = NULL;
+	result = dns_db_allrdatasets(db, node, version, 0, 0, &rdsiter);
+	check_result(result, "dns_db_allrdatasets()");
+	result = dns_rdatasetiter_first(rdsiter);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdatasetiter_current(rdsiter, &rdataset);
+		if (rdataset.type != dns_rdatatype_nsec) {
+			active = true;
+		}
+		dns_rdataset_disassociate(&rdataset);
+		if (!active) {
+			result = dns_rdatasetiter_next(rdsiter);
+		} else {
+			result = ISC_R_NOMORE;
+		}
+	}
+	if (result != ISC_R_NOMORE) {
+		fatal("rdataset iteration failed");
+	}
+	dns_rdatasetiter_destroy(&rdsiter);
+
+	if (!active) {
+		/*
+		 * Make sure there is no NSEC record for this node.
+		 */
+		result = dns_db_deleterdataset(db, node, version,
+					       dns_rdatatype_nsec, 0);
+		if (result == DNS_R_UNCHANGED) {
+			result = ISC_R_SUCCESS;
+		}
+		check_result(result, "dns_db_deleterdataset");
+	}
+
+	return (active);
+}
+
+static isc_result_t
+next_active(dns_db_t *db, dns_dbversion_t *version, dns_dbiterator_t *dbiter,
+	    dns_name_t *name, dns_dbnode_t **nodep) {
+	isc_result_t result;
+	bool active;
+
+	do {
+		active = false;
+		result = dns_dbiterator_current(dbiter, nodep, name);
+		if (result == ISC_R_SUCCESS) {
+			active = active_node(db, version, *nodep);
+			if (!active) {
+				dns_db_detachnode(db, nodep);
+				result = dns_dbiterator_next(dbiter);
+			}
+		}
+	} while (result == ISC_R_SUCCESS && !active);
+
+	return (result);
+}
+
+static void
+nsecify(char *filename) {
+	isc_result_t result;
+	dns_db_t *db;
+	dns_dbversion_t *wversion;
+	dns_dbnode_t *node, *nextnode;
+	const char *origintext;
+	dns_fixedname_t fname, fnextname;
+	dns_name_t *name, *nextname, *target;
+	isc_buffer_t b;
+	size_t len;
+	dns_dbiterator_t *dbiter;
+	char newfilename[1024];
+
+	name = dns_fixedname_initname(&fname);
+	nextname = dns_fixedname_initname(&fnextname);
+
+	origintext = strrchr(filename, '/');
+	if (origintext == NULL) {
+		origintext = filename;
+	} else {
+		origintext++; /* Skip '/'. */
+	}
+	len = strlen(origintext);
+	isc_buffer_constinit(&b, origintext, len);
+	isc_buffer_add(&b, len);
+	result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
+	check_result(result, "dns_name_fromtext()");
+
+	db = NULL;
+	result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone,
+			       dns_rdataclass_in, 0, NULL, &db);
+	check_result(result, "dns_db_create()");
+	result = dns_db_load(db, filename, dns_masterformat_text, 0);
+	if (result == DNS_R_SEENINCLUDE) {
+		result = ISC_R_SUCCESS;
+	}
+	check_result(result, "dns_db_load()");
+	wversion = NULL;
+	result = dns_db_newversion(db, &wversion);
+	check_result(result, "dns_db_newversion()");
+	dbiter = NULL;
+	result = dns_db_createiterator(db, 0, &dbiter);
+	check_result(result, "dns_db_createiterator()");
+	result = dns_dbiterator_first(dbiter);
+	check_result(result, "dns_dbiterator_first()");
+	node = NULL;
+	result = next_active(db, wversion, dbiter, name, &node);
+	while (result == ISC_R_SUCCESS) {
+		nextnode = NULL;
+		result = dns_dbiterator_next(dbiter);
+		if (result == ISC_R_SUCCESS) {
+			result = next_active(db, wversion, dbiter, nextname,
+					     &nextnode);
+		}
+		if (result == ISC_R_SUCCESS) {
+			target = nextname;
+		} else if (result == ISC_R_NOMORE) {
+			target = dns_db_origin(db);
+		} else {
+			target = NULL; /* Make compiler happy. */
+			fatal("db iteration failed");
+		}
+		dns_nsec_build(db, wversion, node, target, 3600); /* XXX BEW */
+		dns_db_detachnode(db, &node);
+		node = nextnode;
+	}
+	if (result != ISC_R_NOMORE) {
+		fatal("db iteration failed");
+	}
+	dns_dbiterator_destroy(&dbiter);
+	/*
+	 * XXXRTH  For now, we don't increment the SOA serial.
+	 */
+	dns_db_closeversion(db, &wversion, true);
+	len = strlen(filename);
+	if (len + 4 + 1 > sizeof(newfilename)) {
+		fatal("filename too long");
+	}
+	snprintf(newfilename, sizeof(newfilename), "%s.new", filename);
+	result = dns_db_dump(db, NULL, newfilename);
+	check_result(result, "dns_db_dump");
+	dns_db_detach(&db);
+}
+
+int
+main(int argc, char *argv[]) {
+	int i;
+
+	dns_result_register();
+
+	isc_mem_create(&mctx);
+
+	argc--;
+	argv++;
+
+	for (i = 0; i < argc; i++) {
+		nsecify(argv[i]);
+	}
+
+	/* isc_mem_stats(mctx, stdout); */
+	isc_mem_destroy(&mctx);
+
+	return (0);
+}
diff --git a/bin/tests/optional/ratelimiter_test.c b/bin/tests/optional/ratelimiter_test.c
new file mode 100644
index 0000000..c8972f8
--- /dev/null
+++ b/bin/tests/optional/ratelimiter_test.c
@@ -0,0 +1,142 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <isc/app.h>
+#include <isc/managers.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/ratelimiter.h>
+#include <isc/task.h>
+#include <isc/time.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+isc_ratelimiter_t *rlim = NULL;
+isc_nm_t *netmgr = NULL;
+isc_taskmgr_t *taskmgr = NULL;
+isc_timermgr_t *timermgr = NULL;
+isc_task_t *g_task = NULL;
+isc_mem_t *mctx = NULL;
+
+static void
+utick(isc_task_t *task, isc_event_t *event);
+static void
+shutdown_rl(isc_task_t *task, isc_event_t *event);
+static void
+shutdown_all(isc_task_t *task, isc_event_t *event);
+
+typedef struct {
+	int milliseconds;
+	void (*fun)(isc_task_t *, isc_event_t *);
+} schedule_t;
+
+schedule_t schedule[] = { { 100, utick },	 { 200, utick },
+			  { 300, utick },	 { 3000, utick },
+			  { 3100, utick },	 { 3200, utick },
+			  { 3300, shutdown_rl }, { 5000, utick },
+			  { 6000, shutdown_all } };
+
+#define NEVENTS (int)(sizeof(schedule) / sizeof(schedule[0]))
+
+isc_timer_t *timers[NEVENTS];
+
+static void
+ltick(isc_task_t *task, isc_event_t *event) {
+	UNUSED(task);
+	printf("** ltick%s **\n",
+	       (event->ev_attributes & ISC_EVENTATTR_CANCELED) != 0 ? " ("
+								      "canceled"
+								      ")"
+								    : "");
+	isc_event_free(&event);
+}
+
+static void
+utick(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result;
+	UNUSED(task);
+	event->ev_action = ltick;
+	event->ev_sender = NULL;
+	result = isc_ratelimiter_enqueue(rlim, g_task, &event);
+	printf("enqueue: %s\n", result == ISC_R_SUCCESS ? "ok" : "failed");
+}
+
+static void
+shutdown_rl(isc_task_t *task, isc_event_t *event) {
+	UNUSED(task);
+	UNUSED(event);
+	printf("shutdown ratelimiter\n");
+	isc_ratelimiter_shutdown(rlim);
+}
+
+static void
+shutdown_all(isc_task_t *task, isc_event_t *event) {
+	int i;
+	UNUSED(task);
+	UNUSED(event);
+	printf("shutdown all\n");
+	for (i = 0; i < NEVENTS; i++) {
+		isc_timer_destroy(&timers[i]);
+	}
+
+	isc_app_shutdown();
+}
+
+int
+main(int argc, char *argv[]) {
+	isc_interval_t linterval;
+	int i;
+
+	UNUSED(argc);
+	UNUSED(argv);
+
+	isc_app_start();
+	isc_interval_set(&linterval, 1, 0);
+
+	isc_mem_create(&mctx);
+	RUNTIME_CHECK(isc_managers_create(mctx, 3, 0, &netmgr, &taskmgr) ==
+		      ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_timermgr_create(mctx, &timermgr) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_task_create(taskmgr, 0, &g_task) == ISC_R_SUCCESS);
+
+	RUNTIME_CHECK(isc_ratelimiter_create(mctx, timermgr, g_task, &rlim) ==
+		      ISC_R_SUCCESS);
+
+	RUNTIME_CHECK(isc_ratelimiter_setinterval(rlim, &linterval) ==
+		      ISC_R_SUCCESS);
+
+	for (i = 0; i < NEVENTS; i++) {
+		isc_interval_t uinterval;
+		int ms = schedule[i].milliseconds;
+		isc_interval_set(&uinterval, ms / 1000, (ms % 1000) * 1000000);
+		timers[i] = NULL;
+		RUNTIME_CHECK(isc_timer_create(timermgr, isc_timertype_once,
+					       NULL, &uinterval, g_task,
+					       schedule[i].fun, NULL,
+					       &timers[i]) == ISC_R_SUCCESS);
+	}
+
+	isc_app_run();
+
+	isc_task_destroy(&g_task);
+
+	isc_ratelimiter_detach(&rlim);
+
+	isc_timermgr_destroy(&timermgr);
+	isc_managers_destroy(&netmgr, &taskmgr);
+
+	isc_mem_stats(mctx, stdout);
+
+	isc_app_finish();
+	return (0);
+}
diff --git a/bin/tests/optional/rbt_test.c b/bin/tests/optional/rbt_test.c
new file mode 100644
index 0000000..735c229
--- /dev/null
+++ b/bin/tests/optional/rbt_test.c
@@ -0,0 +1,432 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/commandline.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/fixedname.h>
+#include <dns/rbt.h>
+#include <dns/result.h>
+
+const char *progname;
+isc_mem_t *mctx;
+
+#define DNSNAMELEN 255
+
+static dns_name_t *
+create_name(char *s) {
+	int length;
+	isc_result_t result;
+	isc_buffer_t source, target;
+	static dns_name_t *name;
+
+	if (s == NULL || *s == '\0') {
+		printf("missing name argument\n");
+		return (NULL);
+	}
+
+	length = strlen(s);
+
+	isc_buffer_init(&source, s, length);
+	isc_buffer_add(&source, length);
+
+	/*
+	 * It isn't really necessary in this program to create individual
+	 * memory spaces for each name structure and its associated character
+	 * string.  It is done here to provide a relatively easy way to test
+	 * the callback from dns_rbt_deletename that is supposed to free the
+	 * data associated with a node.
+	 *
+	 * The buffer for the actual name will immediately follow the
+	 * name structure.
+	 */
+	name = isc_mem_get(mctx, sizeof(*name) + DNSNAMELEN);
+
+	dns_name_init(name, NULL);
+	isc_buffer_init(&target, name + 1, DNSNAMELEN);
+
+	result = dns_name_fromtext(name, &source, dns_rootname, 0, &target);
+
+	if (result != ISC_R_SUCCESS) {
+		printf("dns_name_fromtext(%s) failed: %s\n", s,
+		       dns_result_totext(result));
+		return (NULL);
+	}
+
+	return (name);
+}
+
+static void
+delete_name(void *data, void *arg) {
+	dns_name_t *name;
+
+	UNUSED(arg);
+	name = data;
+	isc_mem_put(mctx, name, sizeof(*name) + DNSNAMELEN);
+}
+
+static void
+print_name(dns_name_t *name) {
+	isc_buffer_t target;
+	char buffer[1024];
+
+	isc_buffer_init(&target, buffer, sizeof(buffer));
+
+	/*
+	 * false means absolute names have the final dot added.
+	 */
+	dns_name_totext(name, false, &target);
+
+	printf("%.*s", (int)target.used, (char *)target.base);
+}
+
+static void
+detail(dns_rbt_t *rbt, dns_name_t *name) {
+	dns_name_t *foundname, *origin, *fullname;
+	dns_fixedname_t fixedfoundname, fixedorigin, fixedfullname;
+	dns_rbtnode_t *node1, *node2;
+	dns_rbtnodechain_t chain;
+	isc_result_t result;
+	bool nodes_should_match = false;
+
+	dns_rbtnodechain_init(&chain);
+
+	origin = dns_fixedname_initname(&fixedorigin);
+	fullname = dns_fixedname_initname(&fixedfullname);
+	foundname = dns_fixedname_initname(&fixedfoundname);
+
+	node1 = node2 = NULL;
+
+	printf("checking chain information for ");
+	print_name(name);
+	printf("\n");
+
+	result = dns_rbt_findnode(rbt, name, foundname, &node1, &chain,
+				  DNS_RBTFIND_EMPTYDATA, NULL, NULL);
+
+	switch (result) {
+	case ISC_R_SUCCESS:
+		printf("  found exact.");
+		nodes_should_match = true;
+		break;
+	case DNS_R_PARTIALMATCH:
+		printf("  found parent.");
+		break;
+	case ISC_R_NOTFOUND:
+		printf("  name not found.");
+		break;
+	default:
+		printf("  unexpected result: %s\n", dns_result_totext(result));
+		return;
+	}
+
+	if (node1 != NULL && node1->data != NULL) {
+		printf("  data at node: ");
+		print_name(node1->data);
+	} else {
+		printf("  no data at node.");
+	}
+
+	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
+		printf("\n  name from dns_rbt_findnode: ");
+		print_name(foundname);
+	}
+
+	result = dns_rbtnodechain_current(&chain, foundname, origin, &node2);
+
+	if (result == ISC_R_SUCCESS) {
+		printf("\n  name from dns_rbtnodechain_current: ");
+
+		result = dns_name_concatenate(foundname, origin, fullname,
+					      NULL);
+		if (result == ISC_R_SUCCESS) {
+			print_name(fullname);
+		} else {
+			printf("%s\n", dns_result_totext(result));
+		}
+		printf("\n      (foundname = ");
+		print_name(foundname);
+		printf(", origin = ");
+		print_name(origin);
+		printf(")\n");
+		if (nodes_should_match && node1 != node2) {
+			printf("  nodes returned from each function "
+			       "DO NOT match!\n");
+		}
+	} else {
+		printf("\n  result from dns_rbtnodechain_current: %s\n",
+		       dns_result_totext(result));
+	}
+
+	printf("  level_matches = %u, level_count = %u\n", chain.level_matches,
+	       chain.level_count);
+}
+
+static void
+iterate(dns_rbt_t *rbt, bool forward) {
+	dns_name_t foundname, *origin;
+	dns_rbtnodechain_t chain;
+	dns_fixedname_t fixedorigin;
+	isc_result_t result;
+	isc_result_t (*move)(dns_rbtnodechain_t *chain, dns_name_t *name,
+			     dns_name_t *origin);
+
+	dns_rbtnodechain_init(&chain);
+
+	dns_name_init(&foundname, NULL);
+	origin = dns_fixedname_initname(&fixedorigin);
+
+	if (forward) {
+		printf("iterating forward\n");
+		move = dns_rbtnodechain_next;
+
+		result = dns_rbtnodechain_first(&chain, rbt, &foundname,
+						origin);
+	} else {
+		printf("iterating backward\n");
+		move = dns_rbtnodechain_prev;
+
+		result = dns_rbtnodechain_last(&chain, rbt, &foundname, origin);
+	}
+
+	if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+		printf("start not found!\n");
+	} else {
+		for (;;) {
+			if (result == DNS_R_NEWORIGIN) {
+				printf("  new origin: ");
+				print_name(origin);
+				printf("\n");
+			}
+
+			if (result == ISC_R_SUCCESS ||
+			    result == DNS_R_NEWORIGIN)
+			{
+				print_name(&foundname);
+				printf("\n");
+			} else {
+				if (result != ISC_R_NOMORE) {
+					printf("UNEXPECTED ITERATION ERROR: %s",
+					       dns_result_totext(result));
+				}
+				break;
+			}
+
+			result = move(&chain, &foundname, origin);
+		}
+	}
+}
+
+#define CMDCHECK(s) (strncasecmp(command, (s), length) == 0)
+#define PRINTERR(r)             \
+	if (r != ISC_R_SUCCESS) \
+		printf("... %s\n", dns_result_totext(r));
+
+int
+main(int argc, char **argv) {
+	char *command, *arg, buffer[1024];
+	const char *whitespace;
+	dns_name_t *name, *foundname;
+	dns_fixedname_t fixedname;
+	dns_rbt_t *rbt = NULL;
+	int length, ch;
+	bool show_final_mem = false;
+	isc_result_t result;
+	void *data;
+
+	progname = strrchr(*argv, '/');
+	if (progname != NULL) {
+		progname++;
+	} else {
+		progname = *argv;
+	}
+
+	while ((ch = isc_commandline_parse(argc, argv, "m")) != -1) {
+		switch (ch) {
+		case 'm':
+			show_final_mem = true;
+			break;
+		}
+	}
+
+	argc -= isc_commandline_index;
+	argv += isc_commandline_index;
+	POST(argv);
+
+	if (argc > 1) {
+		printf("Usage: %s [-m]\n", progname);
+		exit(1);
+	}
+
+	setbuf(stdout, NULL);
+
+	/*
+	 * So isc_mem_stats() can report any allocation leaks.
+	 */
+	isc_mem_debugging = ISC_MEM_DEBUGRECORD;
+
+	isc_mem_create(&mctx);
+
+	result = dns_rbt_create(mctx, delete_name, NULL, &rbt);
+	if (result != ISC_R_SUCCESS) {
+		printf("dns_rbt_create: %s: exiting\n",
+		       dns_result_totext(result));
+		exit(1);
+	}
+
+	whitespace = " \t";
+
+	while (fgets(buffer, sizeof(buffer), stdin) != NULL) {
+		length = strlen(buffer);
+
+		if (buffer[length - 1] != '\n') {
+			printf("line to long (%lu max), ignored\n",
+			       (unsigned long)sizeof(buffer) - 2);
+			continue;
+		}
+
+		buffer[length - 1] = '\0';
+
+		command = buffer + strspn(buffer, whitespace);
+
+		if (*command == '#') {
+			continue;
+		}
+
+		arg = strpbrk(command, whitespace);
+		if (arg != NULL) {
+			*arg++ = '\0';
+			arg += strspn(arg, whitespace);
+		}
+
+		length = strlen(command);
+		if (*command != '\0') {
+			if (CMDCHECK("add")) {
+				name = create_name(arg);
+				if (name != NULL) {
+					printf("adding name %s\n", arg);
+					result = dns_rbt_addname(rbt, name,
+								 name);
+					PRINTERR(result);
+				}
+			} else if (CMDCHECK("delete")) {
+				name = create_name(arg);
+				if (name != NULL) {
+					printf("deleting name %s\n", arg);
+					result = dns_rbt_deletename(rbt, name,
+								    false);
+					PRINTERR(result);
+					delete_name(name, NULL);
+				}
+			} else if (CMDCHECK("nuke")) {
+				name = create_name(arg);
+				if (name != NULL) {
+					printf("nuking name %s "
+					       "and its descendants\n",
+					       arg);
+					result = dns_rbt_deletename(rbt, name,
+								    true);
+					PRINTERR(result);
+					delete_name(name, NULL);
+				}
+			} else if (CMDCHECK("search")) {
+				name = create_name(arg);
+				if (name != NULL) {
+					printf("searching for name %s ... ",
+					       arg);
+
+					foundname = dns_fixedname_initname(
+						&fixedname);
+					data = NULL;
+
+					result = dns_rbt_findname(
+						rbt, name, 0, foundname, &data);
+					switch (result) {
+					case ISC_R_SUCCESS:
+						printf("found exact: ");
+						print_name(data);
+						putchar('\n');
+						break;
+					case DNS_R_PARTIALMATCH:
+						printf("found parent: ");
+						print_name(data);
+						printf("\n\t(foundname: ");
+						print_name(foundname);
+						printf(")\n");
+						break;
+					case ISC_R_NOTFOUND:
+						printf("NOT FOUND!\n");
+						break;
+					case ISC_R_NOMEMORY:
+						printf("OUT OF MEMORY!\n");
+						break;
+					default:
+						printf("UNEXPECTED RESULT\n");
+					}
+
+					delete_name(name, NULL);
+				}
+			} else if (CMDCHECK("check")) {
+				/*
+				 * Or "chain".  I know, I know.  Lame name.
+				 * I was having a hard time thinking of a
+				 * name (especially one that did not have
+				 * a conflicting first letter with another
+				 * command) that would differentiate this
+				 * from the search command.
+				 *
+				 * But it is just a test program, eh?
+				 */
+				name = create_name(arg);
+				if (name != NULL) {
+					detail(rbt, name);
+
+					delete_name(name, NULL);
+				}
+			} else if (CMDCHECK("forward")) {
+				iterate(rbt, true);
+			} else if (CMDCHECK("backward")) {
+				iterate(rbt, false);
+			} else if (CMDCHECK("print")) {
+				if (arg == NULL || *arg == '\0') {
+					dns_rbt_printtext(rbt, NULL, stdout);
+				} else {
+					printf("usage: print\n");
+				}
+			} else if (CMDCHECK("quit")) {
+				if (arg == NULL || *arg == '\0') {
+					break;
+				} else {
+					printf("usage: quit\n");
+				}
+			} else {
+				printf("a(dd) NAME, d(elete) NAME, "
+				       "s(earch) NAME, p(rint), or q(uit)\n");
+			}
+		}
+	}
+
+	dns_rbt_destroy(&rbt);
+
+	if (show_final_mem) {
+		isc_mem_stats(mctx, stderr);
+	}
+
+	return (0);
+}
diff --git a/bin/tests/optional/rbt_test.out b/bin/tests/optional/rbt_test.out
new file mode 100644
index 0000000..95bf4f9
--- /dev/null
+++ b/bin/tests/optional/rbt_test.out
@@ -0,0 +1,395 @@
+adding name a.vix.com
+adding name b.vix.com
+adding name c.vix.com
+vix.com. (black)
+	++ BEG down from vix.com.
+	b (black)
+		a (RED from b)
+			NULL
+			NULL
+		c (RED from b)
+			NULL
+			NULL
+	-- END down from vix.com.
+	NULL
+	NULL
+adding name a.b.c.d.e.f.vix.com
+adding name b.b.c.d.e.f.vix.com
+adding name c.b.c.d.e.f.vix.com
+vix.com. (black)
+	++ BEG down from vix.com.
+	b (black)
+		a (black from b)
+			NULL
+			NULL
+		c (black from b)
+			NULL
+			b.c.d.e.f (RED from c)
+				++ BEG down from b.c.d.e.f
+				b (black)
+					a (RED from b)
+						NULL
+						NULL
+					c (RED from b)
+						NULL
+						NULL
+				-- END down from b.c.d.e.f
+				NULL
+				NULL
+	-- END down from vix.com.
+	NULL
+	NULL
+adding name a.d.e.f.vix.com
+adding name q.d.e.f.vix.com
+adding name d.e.f.vix.com
+vix.com. (black)
+	++ BEG down from vix.com.
+	b (black)
+		a (black from b)
+			NULL
+			NULL
+		c (black from b)
+			NULL
+			d.e.f (RED from c)
+				++ BEG down from d.e.f
+				b.c (black)
+					++ BEG down from b.c
+					b (black)
+						a (RED from b)
+							NULL
+							NULL
+						c (RED from b)
+							NULL
+							NULL
+					-- END down from b.c
+					a (RED from b.c)
+						NULL
+						NULL
+					q (RED from b.c)
+						NULL
+						NULL
+				-- END down from d.e.f
+				NULL
+				NULL
+	-- END down from vix.com.
+	NULL
+	NULL
+adding name g.h.vix.com
+vix.com. (black)
+	++ BEG down from vix.com.
+	b (black)
+		a (black from b)
+			NULL
+			NULL
+		d.e.f (black from b)
+			++ BEG down from d.e.f
+			b.c (black)
+				++ BEG down from b.c
+				b (black)
+					a (RED from b)
+						NULL
+						NULL
+					c (RED from b)
+						NULL
+						NULL
+				-- END down from b.c
+				a (RED from b.c)
+					NULL
+					NULL
+				q (RED from b.c)
+					NULL
+					NULL
+			-- END down from d.e.f
+			c (RED from d.e.f)
+				NULL
+				NULL
+			g.h (RED from d.e.f)
+				NULL
+				NULL
+	-- END down from vix.com.
+	NULL
+	NULL
+searching for name q.d.e.f.vix.com ... found exact: q.d.e.f.vix.com.
+searching for name just-parent.a.vix.com ... found parent: a.vix.com.
+	(foundname: a.vix.com.)
+searching for name no-real-parent.vix.com ... NOT FOUND!
+searching for name does.not.exist.at.all ... NOT FOUND!
+iterating forward
+  new origin: .
+vix.com
+  new origin: vix.com.
+a
+b
+c
+d.e.f
+  new origin: d.e.f.vix.com.
+a
+b.c
+  new origin: b.c.d.e.f.vix.com.
+a
+b
+c
+  new origin: d.e.f.vix.com.
+q
+  new origin: vix.com.
+g.h
+iterating backward
+  new origin: vix.com.
+g.h
+  new origin: d.e.f.vix.com.
+q
+  new origin: b.c.d.e.f.vix.com.
+c
+b
+a
+  new origin: d.e.f.vix.com.
+b.c
+a
+  new origin: vix.com.
+d.e.f
+c
+b
+a
+  new origin: .
+vix.com
+checking chain information for vix.com.
+  found exact.  no data at node.
+  name from dns_rbt_findnode: vix.com.
+  name from dns_rbtnodechain_current: vix.com.
+      (foundname = vix.com, origin = .)
+  level_matches = 0, level_count = 0
+checking chain information for zzz.com.
+  name not found.  no data at node.
+  name from dns_rbtnodechain_current: g.h.vix.com.
+      (foundname = g.h, origin = vix.com.)
+  level_matches = 0, level_count = 1
+checking chain information for 0.vix.com.
+  found parent.  no data at node.
+  name from dns_rbt_findnode: vix.com.
+  name from dns_rbtnodechain_current: vix.com.
+      (foundname = vix.com, origin = .)
+  level_matches = 0, level_count = 0
+checking chain information for d.vix.com.
+  found parent.  no data at node.
+  name from dns_rbt_findnode: vix.com.
+  name from dns_rbtnodechain_current: c.vix.com.
+      (foundname = c, origin = vix.com.)
+  level_matches = 0, level_count = 1
+checking chain information for f.vix.com.
+  found parent.  no data at node.
+  name from dns_rbt_findnode: vix.com.
+  name from dns_rbtnodechain_current: c.vix.com.
+      (foundname = c, origin = vix.com.)
+  level_matches = 0, level_count = 1
+checking chain information for a.e.f.vix.com.
+  found parent.  no data at node.
+  name from dns_rbt_findnode: vix.com.
+  name from dns_rbtnodechain_current: c.vix.com.
+      (foundname = c, origin = vix.com.)
+  level_matches = 0, level_count = 1
+checking chain information for z.e.f.vix.com.
+  found parent.  no data at node.
+  name from dns_rbt_findnode: vix.com.
+  name from dns_rbtnodechain_current: q.d.e.f.vix.com.
+      (foundname = q, origin = d.e.f.vix.com.)
+  level_matches = 0, level_count = 2
+checking chain information for g.vix.com.
+  found parent.  no data at node.
+  name from dns_rbt_findnode: vix.com.
+  name from dns_rbtnodechain_current: q.d.e.f.vix.com.
+      (foundname = q, origin = d.e.f.vix.com.)
+  level_matches = 0, level_count = 2
+checking chain information for i.vix.com.
+  found parent.  no data at node.
+  name from dns_rbt_findnode: vix.com.
+  name from dns_rbtnodechain_current: g.h.vix.com.
+      (foundname = g.h, origin = vix.com.)
+  level_matches = 0, level_count = 1
+checking chain information for b.c.vix.com.
+  found parent.  data at node: c.vix.com.
+  name from dns_rbt_findnode: c.vix.com.
+  name from dns_rbtnodechain_current: c.vix.com.
+      (foundname = c, origin = vix.com.)
+  level_matches = 1, level_count = 1
+nuking name d.e.f.vix.com and its descendants
+vix.com. (black)
+	++ BEG down from vix.com.
+	b (black)
+		a (black from b)
+			NULL
+			NULL
+		g.h (black from b)
+			c (RED from g.h)
+				NULL
+				NULL
+			NULL
+	-- END down from vix.com.
+	NULL
+	NULL
+adding name x.a.vix.com
+adding name y.x.a.vix.com
+vix.com. (black)
+	++ BEG down from vix.com.
+	b (black)
+		a (black from b)
+			++ BEG down from a
+			x (black)
+				++ BEG down from x
+				y (black)
+					NULL
+					NULL
+				-- END down from x
+				NULL
+				NULL
+			-- END down from a
+			NULL
+			NULL
+		g.h (black from b)
+			c (RED from g.h)
+				NULL
+				NULL
+			NULL
+	-- END down from vix.com.
+	NULL
+	NULL
+deleting name a.vix.com
+deleting name x.a.vix.com
+vix.com. (black)
+	++ BEG down from vix.com.
+	b (black)
+		a (black from b)
+			++ BEG down from a
+			x (black)
+				++ BEG down from x
+				y (black)
+					NULL
+					NULL
+				-- END down from x
+				NULL
+				NULL
+			-- END down from a
+			NULL
+			NULL
+		g.h (black from b)
+			c (RED from g.h)
+				NULL
+				NULL
+			NULL
+	-- END down from vix.com.
+	NULL
+	NULL
+deleting name b.vix.com
+deleting name c.vix.com
+vix.com. (black)
+	++ BEG down from vix.com.
+	g.h (black)
+		a (RED from g.h)
+			++ BEG down from a
+			x (black)
+				++ BEG down from x
+				y (black)
+					NULL
+					NULL
+				-- END down from x
+				NULL
+				NULL
+			-- END down from a
+			NULL
+			NULL
+		NULL
+	-- END down from vix.com.
+	NULL
+	NULL
+deleting name y.x.a.vix.com
+vix.com. (black)
+	++ BEG down from vix.com.
+	g.h (black)
+		a (RED from g.h)
+			++ BEG down from a
+			x (black)
+				NULL
+				NULL
+			-- END down from a
+			NULL
+			NULL
+		NULL
+	-- END down from vix.com.
+	NULL
+	NULL
+deleting name g.h.vix.com.
+adding name \[b100000].vix.com.
+adding name \[b010000].vix.com.
+adding name \[b001000].vix.com.
+adding name \[b000100].vix.com.
+adding name \[b000010].vix.com.
+adding name \[b000001].vix.com.
+vix.com. (black)
+	++ BEG down from vix.com.
+	\[x80/6] (black)
+		\[x0/1] (RED from \[x80/6])
+			++ BEG down from \[x0/1]
+			\[x80/5] (black)
+				\[x0/1] (RED from \[x80/5])
+					++ BEG down from \[x0/1]
+					\[x8/4] (black)
+						\[x0/1] (RED from \[x8/4])
+							++ BEG down from \[x0/1]
+							\[x8/3] (black)
+								\[x0/1] (RED from \[x8/3])
+									++ BEG down from \[x0/1]
+									\[x8/2] (black)
+										\[x4/2] (RED from \[x8/2])
+											NULL
+											NULL
+										NULL
+									-- END down from \[x0/1]
+									NULL
+									NULL
+								NULL
+							-- END down from \[x0/1]
+							NULL
+							NULL
+						NULL
+					-- END down from \[x0/1]
+					NULL
+					NULL
+				NULL
+			-- END down from \[x0/1]
+			NULL
+			NULL
+		a (RED from \[x80/6])
+			++ BEG down from a
+			x (black)
+				NULL
+				NULL
+			-- END down from a
+			NULL
+			NULL
+	-- END down from vix.com.
+	NULL
+	NULL
+searching for name \[b000100].vix.com. ... found exact: \[x10/6].vix.com.
+adding name vix.com.
+nuking name vix.com. and its descendants
+adding name a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.
+adding name b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.
+b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w. (black)
+	++ BEG down from b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.
+	a (black)
+		NULL
+		NULL
+	-- END down from b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.
+	NULL
+	NULL
+adding name .
+nuking name . and its descendants
+adding name \[xFFFF/16].\[xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF/256].com
+adding name \[xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF/128].com
+\[xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF/128].com. (black)
+	++ BEG down from \[xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF/128].com.
+	\[xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF/144] (black)
+		NULL
+		NULL
+	-- END down from \[xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF/128].com.
+	NULL
+	NULL
diff --git a/bin/tests/optional/rbt_test.txt b/bin/tests/optional/rbt_test.txt
new file mode 100644
index 0000000..e44d72e
--- /dev/null
+++ b/bin/tests/optional/rbt_test.txt
@@ -0,0 +1,87 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+add a.vix.com
+add b.vix.com
+add c.vix.com
+print
+add a.b.c.d.e.f.vix.com
+add b.b.c.d.e.f.vix.com
+add c.b.c.d.e.f.vix.com
+print
+add a.d.e.f.vix.com
+add q.d.e.f.vix.com
+add d.e.f.vix.com
+print
+add g.h.vix.com
+print
+search q.d.e.f.vix.com
+search just-parent.a.vix.com
+search no-real-parent.vix.com
+search does.not.exist.at.all
+forward
+backward
+# existing name
+check vix.com.
+# greater than stop node, which has down pointer
+check zzz.com.
+# less than lowest in level (would be left link from stop node)
+check 0.vix.com
+# greater than stop node, no down pointer
+check d.vix.com
+# superdomain stored in existing node
+check f.vix.com
+# common ancestor stored in existing node; existing is successor
+check a.e.f.vix.com
+# common ancestor stored in existing node; existing is less but not predecessor
+check z.e.f.vix.com
+#
+check g.vix.com
+#
+check i.vix.com
+#
+check b.c.vix.com
+nuke d.e.f.vix.com
+print
+add x.a.vix.com
+add y.x.a.vix.com
+print
+delete a.vix.com
+delete x.a.vix.com
+print
+delete b.vix.com
+delete c.vix.com
+print
+delete y.x.a.vix.com
+print
+delete g.h.vix.com.
+add \[b100000].vix.com.
+add \[b010000].vix.com.
+add \[b001000].vix.com.
+add \[b000100].vix.com.
+add \[b000010].vix.com.
+add \[b000001].vix.com.
+p
+search \[b000100].vix.com.
+# zap the entire tree
+add vix.com.
+nuke vix.com.
+add a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.
+add b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.
+print
+add .
+# zap it again
+nuke .
+# test splitting of maximal bitstring
+add \[xFFFF/16].\[xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF/256].com
+add \[xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF/128].com
+print
+quit
diff --git a/bin/tests/optional/rwlock_test.c b/bin/tests/optional/rwlock_test.c
new file mode 100644
index 0000000..fc94eaf
--- /dev/null
+++ b/bin/tests/optional/rwlock_test.c
@@ -0,0 +1,130 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#include <isc/print.h>
+#include <isc/rwlock.h>
+#include <isc/string.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+
+#ifdef WIN32
+#define sleep(x) Sleep(1000 * x)
+#endif /* ifdef WIN32 */
+
+isc_rwlock_t lock;
+
+static isc_threadresult_t
+#ifdef WIN32
+	WINAPI
+#endif /* ifdef WIN32 */
+	run1(void *arg) {
+	char *message = arg;
+
+	RUNTIME_CHECK(isc_rwlock_lock(&lock, isc_rwlocktype_read) ==
+		      ISC_R_SUCCESS);
+	printf("%s got READ lock\n", message);
+	sleep(1);
+	printf("%s giving up READ lock\n", message);
+	RUNTIME_CHECK(isc_rwlock_unlock(&lock, isc_rwlocktype_read) ==
+		      ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_rwlock_lock(&lock, isc_rwlocktype_read) ==
+		      ISC_R_SUCCESS);
+	printf("%s got READ lock\n", message);
+	sleep(1);
+	printf("%s giving up READ lock\n", message);
+	RUNTIME_CHECK(isc_rwlock_unlock(&lock, isc_rwlocktype_read) ==
+		      ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_rwlock_lock(&lock, isc_rwlocktype_write) ==
+		      ISC_R_SUCCESS);
+	printf("%s got WRITE lock\n", message);
+	sleep(1);
+	printf("%s giving up WRITE lock\n", message);
+	RUNTIME_CHECK(isc_rwlock_unlock(&lock, isc_rwlocktype_write) ==
+		      ISC_R_SUCCESS);
+	return ((isc_threadresult_t)0);
+}
+
+static isc_threadresult_t
+#ifdef WIN32
+	WINAPI
+#endif /* ifdef WIN32 */
+	run2(void *arg) {
+	char *message = arg;
+
+	RUNTIME_CHECK(isc_rwlock_lock(&lock, isc_rwlocktype_write) ==
+		      ISC_R_SUCCESS);
+	printf("%s got WRITE lock\n", message);
+	sleep(1);
+	printf("%s giving up WRITE lock\n", message);
+	RUNTIME_CHECK(isc_rwlock_unlock(&lock, isc_rwlocktype_write) ==
+		      ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_rwlock_lock(&lock, isc_rwlocktype_write) ==
+		      ISC_R_SUCCESS);
+	printf("%s got WRITE lock\n", message);
+	sleep(1);
+	printf("%s giving up WRITE lock\n", message);
+	RUNTIME_CHECK(isc_rwlock_unlock(&lock, isc_rwlocktype_write) ==
+		      ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_rwlock_lock(&lock, isc_rwlocktype_read) ==
+		      ISC_R_SUCCESS);
+	printf("%s got READ lock\n", message);
+	sleep(1);
+	printf("%s giving up READ lock\n", message);
+	RUNTIME_CHECK(isc_rwlock_unlock(&lock, isc_rwlocktype_read) ==
+		      ISC_R_SUCCESS);
+	return ((isc_threadresult_t)0);
+}
+
+int
+main(int argc, char *argv[]) {
+	unsigned int nworkers;
+	unsigned int i;
+	isc_thread_t workers[100];
+	char name[100];
+	void *dupname;
+
+	if (argc > 1) {
+		nworkers = atoi(argv[1]);
+	} else {
+		nworkers = 2;
+	}
+	if (nworkers > 100) {
+		nworkers = 100;
+	}
+	printf("%u workers\n", nworkers);
+
+	isc_rwlock_init(&lock, 5, 10);
+
+	for (i = 0; i < nworkers; i++) {
+		snprintf(name, sizeof(name), "%02u", i);
+		dupname = strdup(name);
+		RUNTIME_CHECK(dupname != NULL);
+		if (i != 0 && i % 3 == 0) {
+			isc_thread_create(run1, dupname, &workers[i]);
+		} else {
+			isc_thread_create(run2, dupname, &workers[i]);
+		}
+	}
+
+	for (i = 0; i < nworkers; i++) {
+		isc_thread_join(workers[i], NULL);
+	}
+
+	isc_rwlock_destroy(&lock);
+
+	return (0);
+}
diff --git a/bin/tests/optional/serial_test.c b/bin/tests/optional/serial_test.c
new file mode 100644
index 0000000..c16acc0
--- /dev/null
+++ b/bin/tests/optional/serial_test.c
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <isc/print.h>
+#include <isc/serial.h>
+
+int
+main() {
+	uint32_t a, b;
+	char buf[1024];
+	char *s, *e;
+
+	while (fgets(buf, sizeof(buf), stdin) != NULL) {
+		buf[sizeof(buf) - 1] = '\0';
+		s = buf;
+		a = strtoul(s, &e, 0);
+		if (s == e) {
+			continue;
+		}
+		s = e;
+		b = strtoul(s, &e, 0);
+		if (s == e) {
+			continue;
+		}
+		fprintf(stdout, "%u %u gt:%d lt:%d ge:%d le:%d eq:%d ne:%d\n",
+			a, b, isc_serial_gt(a, b), isc_serial_lt(a, b),
+			isc_serial_ge(a, b), isc_serial_le(a, b),
+			isc_serial_eq(a, b), isc_serial_ne(a, b));
+	}
+	return (0);
+}
diff --git a/bin/tests/optional/shutdown_test.c b/bin/tests/optional/shutdown_test.c
new file mode 100644
index 0000000..c8cf03c
--- /dev/null
+++ b/bin/tests/optional/shutdown_test.c
@@ -0,0 +1,226 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stdbool.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/app.h>
+#include <isc/managers.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/time.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+typedef struct {
+	isc_mem_t *mctx;
+	isc_task_t *task;
+	isc_timer_t *timer;
+	unsigned int ticks;
+	char name[16];
+	bool exiting;
+	isc_task_t *peer;
+} t_info;
+
+#define MAX_TASKS	3
+#define T2_SHUTDOWNOK	(ISC_EVENTCLASS(1024) + 0)
+#define T2_SHUTDOWNDONE (ISC_EVENTCLASS(1024) + 1)
+#define FOO_EVENT	(ISC_EVENTCLASS(1024) + 2)
+
+static t_info tasks[MAX_TASKS];
+static unsigned int task_count;
+static isc_nm_t *netmgr = NULL;
+static isc_taskmgr_t *taskmgr = NULL;
+static isc_timermgr_t *timer_manager;
+
+static void
+t1_shutdown(isc_task_t *task, isc_event_t *event) {
+	t_info *info = event->ev_arg;
+
+	printf("task %s (%p) t1_shutdown\n", info->name, task);
+	isc_task_detach(&info->task);
+	isc_event_free(&event);
+}
+
+static void
+t2_shutdown(isc_task_t *task, isc_event_t *event) {
+	t_info *info = event->ev_arg;
+
+	printf("task %s (%p) t2_shutdown\n", info->name, task);
+	info->exiting = true;
+	isc_event_free(&event);
+}
+
+static void
+shutdown_action(isc_task_t *task, isc_event_t *event) {
+	t_info *info = event->ev_arg;
+	isc_event_t *nevent;
+
+	INSIST(event->ev_type == ISC_TASKEVENT_SHUTDOWN);
+
+	printf("task %s (%p) shutdown\n", info->name, task);
+	if (strcmp(info->name, "0") == 0) {
+		isc_timer_destroy(&info->timer);
+		nevent = isc_event_allocate(info->mctx, info, T2_SHUTDOWNOK,
+					    t2_shutdown, &tasks[1],
+					    sizeof(*event));
+		RUNTIME_CHECK(nevent != NULL);
+		info->exiting = true;
+		isc_task_sendanddetach(&info->peer, &nevent);
+	}
+	isc_event_free(&event);
+}
+
+static void
+foo_event(isc_task_t *task, isc_event_t *event) {
+	printf("task(%p) foo\n", task);
+	isc_event_free(&event);
+}
+
+static void
+tick(isc_task_t *task, isc_event_t *event) {
+	t_info *info = event->ev_arg;
+	isc_event_t *nevent;
+
+	INSIST(event->ev_type == ISC_TIMEREVENT_TICK);
+
+	printf("task %s (%p) tick\n", info->name, task);
+
+	info->ticks++;
+	if (strcmp(info->name, "1") == 0) {
+		if (info->ticks == 10) {
+			isc_app_shutdown();
+		} else if (info->ticks >= 15 && info->exiting) {
+			isc_timer_destroy(&info->timer);
+			isc_task_detach(&info->task);
+			nevent = isc_event_allocate(
+				info->mctx, info, T2_SHUTDOWNDONE, t1_shutdown,
+				&tasks[0], sizeof(*event));
+			RUNTIME_CHECK(nevent != NULL);
+			isc_task_send(info->peer, &nevent);
+			isc_task_detach(&info->peer);
+		}
+	} else if (strcmp(info->name, "foo") == 0) {
+		isc_timer_destroy(&info->timer);
+		nevent = isc_event_allocate(info->mctx, info, FOO_EVENT,
+					    foo_event, task, sizeof(*event));
+		RUNTIME_CHECK(nevent != NULL);
+		isc_task_sendanddetach(&task, &nevent);
+	}
+
+	isc_event_free(&event);
+}
+
+static t_info *
+new_task(isc_mem_t *mctx, const char *name) {
+	t_info *ti;
+	isc_time_t expires;
+	isc_interval_t interval;
+
+	RUNTIME_CHECK(task_count < MAX_TASKS);
+	ti = &tasks[task_count];
+	ti->mctx = mctx;
+	ti->task = NULL;
+	ti->timer = NULL;
+	ti->ticks = 0;
+	if (name != NULL) {
+		INSIST(strlen(name) < sizeof(ti->name));
+		strlcpy(ti->name, name, sizeof(ti->name));
+	} else {
+		snprintf(ti->name, sizeof(ti->name), "%u", task_count);
+	}
+	RUNTIME_CHECK(isc_task_create(taskmgr, 0, &ti->task) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_task_onshutdown(ti->task, shutdown_action, ti) ==
+		      ISC_R_SUCCESS);
+
+	isc_time_settoepoch(&expires);
+	isc_interval_set(&interval, 1, 0);
+	RUNTIME_CHECK(isc_timer_create(timer_manager, isc_timertype_ticker,
+				       &expires, &interval, ti->task, tick, ti,
+				       &ti->timer) == ISC_R_SUCCESS);
+
+	task_count++;
+
+	return (ti);
+}
+
+int
+main(int argc, char *argv[]) {
+	unsigned int workers;
+	t_info *t1, *t2 = NULL;
+	isc_task_t *task = NULL;
+	isc_mem_t *mctx = NULL, *mctx2 = NULL;
+
+	RUNTIME_CHECK(isc_app_start() == ISC_R_SUCCESS);
+
+	if (argc > 1) {
+		workers = atoi(argv[1]);
+		if (workers < 1) {
+			workers = 1;
+		}
+		if (workers > 8192) {
+			workers = 8192;
+		}
+	} else {
+		workers = 2;
+	}
+	printf("%u workers\n", workers);
+
+	isc_mem_create(&mctx);
+	isc_mem_create(&mctx2);
+	RUNTIME_CHECK(isc_managers_create(mctx, workers, 0, &netmgr,
+					  &taskmgr) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_timermgr_create(mctx, &timer_manager) ==
+		      ISC_R_SUCCESS);
+
+	t1 = new_task(mctx, NULL);
+	t2 = new_task(mctx2, NULL);
+	isc_task_attach(t2->task, &t1->peer);
+	isc_task_attach(t1->task, &t2->peer);
+
+	/*
+	 * Test run-triggered shutdown.
+	 */
+	(void)new_task(mctx2, "foo");
+
+	/*
+	 * Test implicit shutdown.
+	 */
+	RUNTIME_CHECK(isc_task_create(taskmgr, 0, &task) == ISC_R_SUCCESS);
+	isc_task_detach(&task);
+
+	/*
+	 * Test anti-zombie code.
+	 */
+	RUNTIME_CHECK(isc_task_create(taskmgr, 0, &task) == ISC_R_SUCCESS);
+	isc_task_detach(&task);
+
+	RUNTIME_CHECK(isc_app_run() == ISC_R_SUCCESS);
+
+	isc_managers_destroy(&netmgr, &taskmgr);
+	isc_timermgr_destroy(&timer_manager);
+
+	printf("Statistics for mctx:\n");
+	isc_mem_stats(mctx, stdout);
+	isc_mem_destroy(&mctx);
+	printf("Statistics for mctx2:\n");
+	isc_mem_stats(mctx2, stdout);
+	isc_mem_destroy(&mctx2);
+
+	isc_app_finish();
+
+	return (0);
+}
diff --git a/bin/tests/optional/sig0_test.c b/bin/tests/optional/sig0_test.c
new file mode 100644
index 0000000..e419700
--- /dev/null
+++ b/bin/tests/optional/sig0_test.c
@@ -0,0 +1,282 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/app.h>
+#include <isc/assertions.h>
+#include <isc/commandline.h>
+#include <isc/error.h>
+#include <isc/log.h>
+#include <isc/managers.h>
+#include <isc/mem.h>
+#include <isc/mutex.h>
+#include <isc/net.h>
+#include <isc/print.h>
+#include <isc/socket.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/dnssec.h>
+#include <dns/events.h>
+#include <dns/fixedname.h>
+#include <dns/keyvalues.h>
+#include <dns/masterdump.h>
+#include <dns/message.h>
+#include <dns/name.h>
+#include <dns/rdataset.h>
+#include <dns/resolver.h>
+#include <dns/result.h>
+#include <dns/types.h>
+
+#include <dst/dst.h>
+#include <dst/result.h>
+
+#define CHECK(str, x)                                                    \
+	{                                                                \
+		if ((x) != ISC_R_SUCCESS) {                              \
+			printf("%s: %s\n", (str), isc_result_totext(x)); \
+			exit(-1);                                        \
+		}                                                        \
+	}
+
+isc_mutex_t lock;
+dst_key_t *key = NULL;
+isc_mem_t *mctx = NULL;
+unsigned char qdata[1024], rdata[1024];
+isc_buffer_t qbuffer, rbuffer;
+isc_nm_t *netmgr = NULL;
+isc_taskmgr_t *taskmgr = NULL;
+isc_task_t *task1 = NULL;
+isc_log_t *lctx = NULL;
+isc_logconfig_t *logconfig = NULL;
+isc_socket_t *s = NULL;
+isc_sockaddr_t address;
+char output[10 * 1024];
+isc_buffer_t outbuf;
+static const dns_master_style_t *style = &dns_master_style_debug;
+
+static void
+senddone(isc_task_t *task, isc_event_t *event) {
+	isc_socketevent_t *sevent = (isc_socketevent_t *)event;
+
+	REQUIRE(sevent != NULL);
+	REQUIRE(sevent->ev_type == ISC_SOCKEVENT_SENDDONE);
+	REQUIRE(task == task1);
+
+	printf("senddone\n");
+
+	isc_event_free(&event);
+}
+
+static void
+recvdone(isc_task_t *task, isc_event_t *event) {
+	isc_socketevent_t *sevent = (isc_socketevent_t *)event;
+	isc_buffer_t source;
+	isc_result_t result;
+	dns_message_t *response = NULL;
+
+	REQUIRE(sevent != NULL);
+	REQUIRE(sevent->ev_type == ISC_SOCKEVENT_RECVDONE);
+	REQUIRE(task == task1);
+
+	printf("recvdone\n");
+	if (sevent->result != ISC_R_SUCCESS) {
+		printf("failed\n");
+		exit(-1);
+	}
+
+	isc_buffer_init(&source, sevent->region.base, sevent->region.length);
+	isc_buffer_add(&source, sevent->n);
+
+	dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &response);
+	result = dns_message_parse(response, &source, 0);
+	CHECK("dns_message_parse", result);
+
+	isc_buffer_init(&outbuf, output, sizeof(output));
+	result = dns_message_totext(response, style, 0, &outbuf);
+	CHECK("dns_message_totext", result);
+	printf("%.*s\n", (int)isc_buffer_usedlength(&outbuf),
+	       (char *)isc_buffer_base(&outbuf));
+
+	dns_message_detach(&response);
+	isc_event_free(&event);
+
+	isc_app_shutdown();
+}
+
+static void
+buildquery(void) {
+	isc_result_t result;
+	dns_rdataset_t *question = NULL;
+	dns_name_t *qname = NULL;
+	isc_region_t r, inr;
+	dns_message_t *query = NULL;
+	char nametext[] = "host.example";
+	isc_buffer_t namesrc, namedst;
+	unsigned char namedata[256];
+	isc_sockaddr_t sa;
+	dns_compress_t cctx;
+
+	dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &query);
+	result = dns_message_setsig0key(query, key);
+	CHECK("dns_message_setsig0key", result);
+
+	result = dns_message_gettemprdataset(query, &question);
+	CHECK("dns_message_gettemprdataset", result);
+	dns_rdataset_makequestion(question, dns_rdataclass_in, dns_rdatatype_a);
+	result = dns_message_gettempname(query, &qname);
+	CHECK("dns_message_gettempname", result);
+	isc_buffer_init(&namesrc, nametext, strlen(nametext));
+	isc_buffer_add(&namesrc, strlen(nametext));
+	isc_buffer_init(&namedst, namedata, sizeof(namedata));
+	dns_name_init(qname, NULL);
+	result = dns_name_fromtext(qname, &namesrc, dns_rootname, 0, &namedst);
+	CHECK("dns_name_fromtext", result);
+	ISC_LIST_APPEND(qname->list, question, link);
+	dns_message_addname(query, qname, DNS_SECTION_QUESTION);
+
+	isc_buffer_init(&qbuffer, qdata, sizeof(qdata));
+
+	result = dns_compress_init(&cctx, -1, mctx);
+	CHECK("dns_compress_init", result);
+	result = dns_message_renderbegin(query, &cctx, &qbuffer);
+	CHECK("dns_message_renderbegin", result);
+	result = dns_message_rendersection(query, DNS_SECTION_QUESTION, 0);
+	CHECK("dns_message_rendersection(question)", result);
+	result = dns_message_rendersection(query, DNS_SECTION_ANSWER, 0);
+	CHECK("dns_message_rendersection(answer)", result);
+	result = dns_message_rendersection(query, DNS_SECTION_AUTHORITY, 0);
+	CHECK("dns_message_rendersection(auth)", result);
+	result = dns_message_rendersection(query, DNS_SECTION_ADDITIONAL, 0);
+	CHECK("dns_message_rendersection(add)", result);
+	result = dns_message_renderend(query);
+	CHECK("dns_message_renderend", result);
+	dns_compress_invalidate(&cctx);
+
+	isc_buffer_init(&outbuf, output, sizeof(output));
+	result = dns_message_totext(query, style, 0, &outbuf);
+	CHECK("dns_message_totext", result);
+	printf("%.*s\n", (int)isc_buffer_usedlength(&outbuf),
+	       (char *)isc_buffer_base(&outbuf));
+
+	isc_buffer_usedregion(&qbuffer, &r);
+	isc_sockaddr_any(&sa);
+	result = isc_socket_bind(s, &sa, 0);
+	CHECK("isc_socket_bind", result);
+	result = isc_socket_sendto(s, &r, task1, senddone, NULL, &address,
+				   NULL);
+	CHECK("isc_socket_sendto", result);
+
+	inr.base = rdata;
+	inr.length = sizeof(rdata);
+	result = isc_socket_recv(s, &inr, 1, task1, recvdone, NULL);
+	CHECK("isc_socket_recv", result);
+	dns_message_detach(&query);
+}
+
+int
+main(int argc, char *argv[]) {
+	bool verbose = false;
+	isc_socketmgr_t *socketmgr = NULL;
+	isc_timermgr_t *timermgr = NULL;
+	struct in_addr inaddr;
+	dns_fixedname_t fname;
+	dns_name_t *name = NULL;
+	isc_buffer_t b;
+	int ch;
+	isc_result_t result;
+	in_port_t port = 53;
+
+	RUNTIME_CHECK(isc_app_start() == ISC_R_SUCCESS);
+
+	isc_mutex_init(&lock);
+
+	mctx = NULL;
+	isc_mem_create(&mctx);
+
+	while ((ch = isc_commandline_parse(argc, argv, "vp:")) != -1) {
+		switch (ch) {
+		case 'v':
+			verbose = true;
+			break;
+		case 'p':
+			port = (unsigned int)atoi(isc_commandline_argument);
+			break;
+		}
+	}
+
+	RUNTIME_CHECK(dst_lib_init(mctx, NULL) == ISC_R_SUCCESS);
+
+	dns_result_register();
+	dst_result_register();
+
+	RUNTIME_CHECK(isc_managers_create(mctx, 2, 0, &netmgr, &taskmgr) ==
+		      ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_task_create(taskmgr, 0, &task1) == ISC_R_SUCCESS);
+
+	RUNTIME_CHECK(isc_timermgr_create(mctx, &timermgr) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_socketmgr_create(mctx, &socketmgr) == ISC_R_SUCCESS);
+
+	isc_log_create(mctx, &lctx, &logconfig);
+
+	RUNTIME_CHECK(isc_socket_create(socketmgr, PF_INET, isc_sockettype_udp,
+					&s) == ISC_R_SUCCESS);
+
+	inaddr.s_addr = htonl(INADDR_LOOPBACK);
+	isc_sockaddr_fromin(&address, &inaddr, port);
+
+	name = dns_fixedname_initname(&fname);
+	isc_buffer_constinit(&b, "child.example.", strlen("child.example."));
+	isc_buffer_add(&b, strlen("child.example."));
+	result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
+	CHECK("dns_name_fromtext", result);
+
+	result = dst_key_fromfile(name, 33180, DNS_KEYALG_RSASHA1,
+				  DST_TYPE_PUBLIC | DST_TYPE_PRIVATE, NULL,
+				  mctx, &key);
+	CHECK("dst_key_fromfile", result);
+
+	buildquery();
+
+	(void)isc_app_run();
+
+	isc_task_shutdown(task1);
+	isc_task_detach(&task1);
+	isc_managers_destroy(&netmgr, &taskmgr);
+
+	isc_socket_detach(&s);
+	isc_socketmgr_destroy(&socketmgr);
+	isc_timermgr_destroy(&timermgr);
+
+	dst_key_free(&key);
+
+	dst_lib_destroy();
+
+	isc_log_destroy(&lctx);
+
+	if (verbose) {
+		isc_mem_stats(mctx, stdout);
+	}
+	isc_mem_destroy(&mctx);
+
+	isc_mutex_destroy(&lock);
+
+	isc_app_finish();
+
+	return (0);
+}
diff --git a/bin/tests/optional/sock_test.c b/bin/tests/optional/sock_test.c
new file mode 100644
index 0000000..f88f76d
--- /dev/null
+++ b/bin/tests/optional/sock_test.c
@@ -0,0 +1,394 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <isc/managers.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/socket.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+isc_mem_t *mctx = NULL;
+isc_nm_t *netmgr = NULL;
+isc_taskmgr_t *taskmgr = NULL;
+
+static void
+my_shutdown(isc_task_t *task, isc_event_t *event) {
+	char *name = event->ev_arg;
+
+	printf("shutdown %s (%p)\n", name, task);
+	fflush(stdout);
+	isc_event_free(&event);
+}
+
+static void
+my_send(isc_task_t *task, isc_event_t *event) {
+	isc_socket_t *sock;
+	isc_socketevent_t *dev;
+
+	sock = event->ev_sender;
+	dev = (isc_socketevent_t *)event;
+
+	printf("my_send: %s task %p\n\t(sock %p, base %p, length %u, n %u, "
+	       "result %u)\n",
+	       (char *)(event->ev_arg), task, sock, dev->region.base,
+	       dev->region.length, dev->n, dev->result);
+
+	if (dev->result != ISC_R_SUCCESS) {
+		isc_socket_detach(&sock);
+		isc_task_shutdown(task);
+	}
+
+	if (dev->region.base != NULL) {
+		isc_mem_put(mctx, dev->region.base, dev->region.length);
+	}
+
+	isc_event_free(&event);
+}
+
+static void
+my_recv(isc_task_t *task, isc_event_t *event) {
+	isc_socket_t *sock;
+	isc_socketevent_t *dev;
+	isc_region_t region;
+	char buf[1024];
+	char host[256];
+
+	sock = event->ev_sender;
+	dev = (isc_socketevent_t *)event;
+
+	printf("Socket %s (sock %p, base %p, length %u, n %u, result %u)\n",
+	       (char *)(event->ev_arg), sock, dev->region.base,
+	       dev->region.length, dev->n, dev->result);
+	if (dev->address.type.sa.sa_family == AF_INET6) {
+		inet_ntop(AF_INET6, &dev->address.type.sin6.sin6_addr, host,
+			  sizeof(host));
+		printf("\tFrom: %s port %d\n", host,
+		       ntohs(dev->address.type.sin6.sin6_port));
+	} else {
+		inet_ntop(AF_INET, &dev->address.type.sin.sin_addr, host,
+			  sizeof(host));
+		printf("\tFrom: %s port %d\n", host,
+		       ntohs(dev->address.type.sin.sin_port));
+	}
+
+	if (dev->result != ISC_R_SUCCESS) {
+		isc_socket_detach(&sock);
+
+		if (dev->region.base != NULL) {
+			isc_mem_put(mctx, dev->region.base, dev->region.length);
+		}
+		isc_event_free(&event);
+
+		isc_task_shutdown(task);
+		return;
+	}
+
+	/*
+	 * Echo the data back.
+	 */
+	if (strcmp(event->ev_arg, "so2") != 0) {
+		region = dev->region;
+		snprintf(buf, sizeof(buf), "\r\nReceived: %.*s\r\n\r\n",
+			 (int)dev->n, (char *)region.base);
+		region.base = isc_mem_get(mctx, strlen(buf) + 1);
+		{
+			region.length = strlen(buf) + 1;
+			strlcpy((char *)region.base, buf, region.length);
+		}
+		isc_socket_send(sock, &region, task, my_send, event->ev_arg);
+	} else {
+		region = dev->region;
+		printf("\r\nReceived: %.*s\r\n\r\n", (int)dev->n,
+		       (char *)region.base);
+	}
+
+	isc_socket_recv(sock, &dev->region, 1, task, my_recv, event->ev_arg);
+
+	isc_event_free(&event);
+}
+
+static void
+my_http_get(isc_task_t *task, isc_event_t *event) {
+	isc_socket_t *sock;
+	isc_socketevent_t *dev;
+
+	sock = event->ev_sender;
+	dev = (isc_socketevent_t *)event;
+
+	printf("my_http_get: %s task %p\n\t(sock %p, base %p, length %u, "
+	       "n %u, result %u)\n",
+	       (char *)(event->ev_arg), task, sock, dev->region.base,
+	       dev->region.length, dev->n, dev->result);
+
+	if (dev->result != ISC_R_SUCCESS) {
+		isc_socket_detach(&sock);
+		isc_task_shutdown(task);
+		if (dev->region.base != NULL) {
+			isc_mem_put(mctx, dev->region.base, dev->region.length);
+		}
+		isc_event_free(&event);
+		return;
+	}
+
+	isc_socket_recv(sock, &dev->region, 1, task, my_recv, event->ev_arg);
+
+	isc_event_free(&event);
+}
+
+static void
+my_connect(isc_task_t *task, isc_event_t *event) {
+	isc_socket_t *sock;
+	isc_socket_connev_t *dev;
+	isc_region_t region;
+	char buf[1024];
+
+	sock = event->ev_sender;
+	dev = (isc_socket_connev_t *)event;
+
+	printf("%s: Connection result:  %u\n", (char *)(event->ev_arg),
+	       dev->result);
+
+	if (dev->result != ISC_R_SUCCESS) {
+		isc_socket_detach(&sock);
+		isc_event_free(&event);
+		isc_task_shutdown(task);
+		return;
+	}
+
+	/*
+	 * Send a GET string, and set up to receive (and just display)
+	 * the result.
+	 */
+	snprintf(buf, sizeof(buf),
+		 "GET / HTTP/1.1\r\nHost: www.flame.org\r\n"
+		 "Connection: Close\r\n\r\n");
+	region.base = isc_mem_get(mctx, strlen(buf) + 1);
+	{
+		region.length = strlen(buf) + 1;
+		strlcpy((char *)region.base, buf, region.length);
+	}
+
+	isc_socket_send(sock, &region, task, my_http_get, event->ev_arg);
+
+	isc_event_free(&event);
+}
+
+static void
+my_listen(isc_task_t *task, isc_event_t *event) {
+	char *name = event->ev_arg;
+	isc_socket_newconnev_t *dev = NULL;
+	isc_region_t region;
+	isc_socket_t *oldsock = NULL;
+	isc_task_t *newtask = NULL;
+
+	dev = (isc_socket_newconnev_t *)event;
+
+	printf("newcon %s (task %p, oldsock %p, newsock %p, result %u)\n", name,
+	       task, event->ev_sender, dev->newsocket, dev->result);
+	fflush(stdout);
+
+	if (dev->result == ISC_R_SUCCESS) {
+		/*
+		 * Queue another listen on this socket.
+		 */
+		RUNTIME_CHECK(isc_socket_accept(event->ev_sender, task,
+						my_listen, event->ev_arg) ==
+			      ISC_R_SUCCESS);
+
+		region.base = isc_mem_get(mctx, 20);
+		region.length = 20;
+
+		/*
+		 * Create a new task for this socket, and queue up a
+		 * recv on it.
+		 */
+		RUNTIME_CHECK(isc_task_create(taskmgr, 0, &newtask) ==
+			      ISC_R_SUCCESS);
+		isc_socket_recv(dev->newsocket, &region, 1, newtask, my_recv,
+				event->ev_arg);
+		isc_task_detach(&newtask);
+	} else {
+		printf("detaching from socket %p\n", event->ev_sender);
+		oldsock = event->ev_sender;
+
+		isc_socket_detach(&oldsock);
+
+		isc_event_free(&event);
+		isc_task_shutdown(task);
+		return;
+	}
+
+	isc_event_free(&event);
+}
+
+static void
+timeout(isc_task_t *task, isc_event_t *event) {
+	isc_socket_t *sock = event->ev_arg;
+
+	printf("Timeout, canceling IO on socket %p (task %p)\n", sock, task);
+
+	isc_socket_cancel(sock, NULL, ISC_SOCKCANCEL_ALL);
+	isc_timer_destroy((isc_timer_t **)&event->ev_sender);
+	isc_event_free(&event);
+}
+
+static char one[] = "1";
+static char two[] = "2";
+static char xso1[] = "so1";
+static char xso2[] = "so2";
+
+int
+main(int argc, char *argv[]) {
+	isc_task_t *t1 = NULL, *t2 = NULL;
+	isc_timermgr_t *timgr = NULL;
+	isc_time_t expires;
+	isc_interval_t interval;
+	isc_timer_t *ti1 = NULL;
+	unsigned int workers;
+	isc_socketmgr_t *socketmgr = NULL;
+	isc_socket_t *so1 = NULL, *so2 = NULL;
+	isc_sockaddr_t sockaddr;
+	struct in_addr ina;
+	struct in6_addr in6a;
+	isc_result_t result;
+	int pf;
+
+	if (argc > 1) {
+		workers = atoi(argv[1]);
+		if (workers < 1) {
+			workers = 1;
+		}
+		if (workers > 8192) {
+			workers = 8192;
+		}
+	} else {
+		workers = 2;
+	}
+	printf("%u workers\n", workers);
+
+	if (isc_net_probeipv6() == ISC_R_SUCCESS) {
+		pf = PF_INET6;
+	} else {
+		pf = PF_INET;
+	}
+
+	/*
+	 * EVERYTHING needs a memory context.
+	 */
+	isc_mem_create(&mctx);
+
+	/*
+	 * The task manager is independent (other than memory context)
+	 */
+	RUNTIME_CHECK(isc_managers_create(mctx, workers, 0, &netmgr,
+					  &taskmgr) == ISC_R_SUCCESS);
+
+	/*
+	 * Timer manager depends only on the memory context as well.
+	 */
+	RUNTIME_CHECK(isc_timermgr_create(mctx, &timgr) == ISC_R_SUCCESS);
+
+	RUNTIME_CHECK(isc_task_create(taskmgr, 0, &t1) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_task_create(taskmgr, 0, &t2) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_task_onshutdown(t1, my_shutdown, one) ==
+		      ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_task_onshutdown(t2, my_shutdown, two) ==
+		      ISC_R_SUCCESS);
+
+	printf("task 1 = %p\n", t1);
+	printf("task 2 = %p\n", t2);
+
+	RUNTIME_CHECK(isc_socketmgr_create(mctx, &socketmgr) == ISC_R_SUCCESS);
+
+	/*
+	 * Open up a listener socket.
+	 */
+
+	if (pf == PF_INET6) {
+		in6a = in6addr_any;
+		isc_sockaddr_fromin6(&sockaddr, &in6a, 5544);
+	} else {
+		ina.s_addr = INADDR_ANY;
+		isc_sockaddr_fromin(&sockaddr, &ina, 5544);
+	}
+	RUNTIME_CHECK(isc_socket_create(socketmgr, pf, isc_sockettype_tcp,
+					&so1) == ISC_R_SUCCESS);
+	result = isc_socket_bind(so1, &sockaddr, ISC_SOCKET_REUSEADDRESS);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_socket_listen(so1, 0) == ISC_R_SUCCESS);
+
+	/*
+	 * Queue up the first accept event.
+	 */
+	RUNTIME_CHECK(isc_socket_accept(so1, t1, my_listen, xso1) ==
+		      ISC_R_SUCCESS);
+	isc_time_settoepoch(&expires);
+	isc_interval_set(&interval, 10, 0);
+	RUNTIME_CHECK(isc_timer_create(timgr, isc_timertype_once, &expires,
+				       &interval, t1, timeout, so1,
+				       &ti1) == ISC_R_SUCCESS);
+
+	/*
+	 * Open up a socket that will connect to www.flame.org, port 80.
+	 * Why not.  :)
+	 */
+	ina.s_addr = inet_addr("204.152.184.97");
+	if (0 && pf == PF_INET6) {
+		isc_sockaddr_v6fromin(&sockaddr, &ina, 80);
+	} else {
+		isc_sockaddr_fromin(&sockaddr, &ina, 80);
+	}
+	RUNTIME_CHECK(isc_socket_create(socketmgr, isc_sockaddr_pf(&sockaddr),
+					isc_sockettype_tcp,
+					&so2) == ISC_R_SUCCESS);
+
+	RUNTIME_CHECK(isc_socket_connect(so2, &sockaddr, t2, my_connect,
+					 xso2) == ISC_R_SUCCESS);
+
+	/*
+	 * Detaching these is safe, since the socket will attach to the
+	 * task for any outstanding requests.
+	 */
+	isc_task_detach(&t1);
+	isc_task_detach(&t2);
+
+	/*
+	 * Wait a short while.
+	 */
+#ifndef WIN32
+	sleep(10);
+#else  /* ifndef WIN32 */
+	Sleep(10000);
+#endif /* ifndef WIN32 */
+
+	fprintf(stderr, "Destroying socket manager\n");
+	isc_socketmgr_destroy(&socketmgr);
+
+	fprintf(stderr, "Destroying timer manager\n");
+	isc_timermgr_destroy(&timgr);
+
+	fprintf(stderr, "Destroying task manager\n");
+	isc_managers_destroy(&netmgr, &taskmgr);
+
+	isc_mem_stats(mctx, stdout);
+	isc_mem_destroy(&mctx);
+
+	return (0);
+}
diff --git a/bin/tests/optional/sym_test.c b/bin/tests/optional/sym_test.c
new file mode 100644
index 0000000..81e2916
--- /dev/null
+++ b/bin/tests/optional/sym_test.c
@@ -0,0 +1,122 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stdbool.h>
+#include <string.h>
+
+#include <isc/commandline.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/symtab.h>
+#include <isc/util.h>
+
+isc_mem_t *mctx;
+isc_symtab_t *st;
+
+static void
+undefine_action(char *key, unsigned int type, isc_symvalue_t value, void *arg) {
+	UNUSED(arg);
+
+	INSIST(type == 1);
+	isc_mem_free(mctx, key);
+	isc_mem_free(mctx, value.as_pointer);
+}
+
+int
+main(int argc, char *argv[]) {
+	char s[1000], *cp, *key;
+	size_t len;
+	isc_result_t result;
+	isc_symvalue_t value;
+	int trace = 0;
+	int c;
+	isc_symexists_t exists_policy = isc_symexists_reject;
+	bool case_sensitive = false;
+
+	while ((c = isc_commandline_parse(argc, argv, "tarc")) != -1) {
+		switch (c) {
+		case 't':
+			trace = 1;
+			break;
+		case 'a':
+			exists_policy = isc_symexists_add;
+			break;
+		case 'r':
+			exists_policy = isc_symexists_replace;
+			break;
+		case 'c':
+			case_sensitive = true;
+			break;
+		}
+	}
+
+	isc_mem_create(&mctx);
+	RUNTIME_CHECK(isc_symtab_create(mctx, 691, undefine_action, NULL,
+					case_sensitive, &st) == ISC_R_SUCCESS);
+
+	while (fgets(s, sizeof(s), stdin) != NULL) {
+		len = strlen(s);
+		if (len > 0U && s[len - 1] == '\n') {
+			s[len - 1] = '\0';
+			len--;
+		}
+
+		cp = s;
+
+		if (cp[0] == '!') {
+			cp++;
+			result = isc_symtab_undefine(st, cp, 1);
+			if (trace || result != ISC_R_SUCCESS) {
+				printf("undefine('%s'): %s\n", cp,
+				       isc_result_totext(result));
+			}
+		} else {
+			key = cp;
+			while (*cp != '\0' && *cp != ' ' && *cp != '\t') {
+				cp++;
+			}
+			if (*cp == '\0') {
+				result = isc_symtab_lookup(st, key, 0, &value);
+				if (trace || result != ISC_R_SUCCESS) {
+					printf("lookup('%s'): %s", key,
+					       isc_result_totext(result));
+					if (result == ISC_R_SUCCESS) {
+						cp = value.as_pointer;
+						printf(", value == '%s'", cp);
+					}
+					printf("\n");
+				}
+			} else {
+				*cp++ = '\0';
+				key = isc_mem_strdup(mctx, key);
+				value.as_pointer = isc_mem_strdup(mctx, cp);
+				result = isc_symtab_define(st, key, 1, value,
+							   exists_policy);
+				if (trace || result != ISC_R_SUCCESS) {
+					printf("define('%s', '%s'): %s\n", key,
+					       cp, isc_result_totext(result));
+					if (result != ISC_R_SUCCESS) {
+						undefine_action(key, 1, value,
+								NULL);
+					}
+				}
+			}
+		}
+	}
+
+	isc_symtab_destroy(&st);
+	isc_mem_stats(mctx, stdout);
+	isc_mem_destroy(&mctx);
+
+	return (0);
+}
diff --git a/bin/tests/optional/task_test.c b/bin/tests/optional/task_test.c
new file mode 100644
index 0000000..48e6bfd
--- /dev/null
+++ b/bin/tests/optional/task_test.c
@@ -0,0 +1,207 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stdlib.h>
+#include <unistd.h>
+
+#include <isc/managers.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/task.h>
+#include <isc/time.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+isc_mem_t *mctx = NULL;
+
+static void
+my_callback(isc_task_t *task, isc_event_t *event) {
+	int i, j;
+	char *name = event->ev_arg;
+
+	j = 0;
+	for (i = 0; i < 1000000; i++) {
+		j += 100;
+	}
+	printf("task %s (%p): %d\n", name, task, j);
+	isc_event_free(&event);
+}
+
+static void
+my_shutdown(isc_task_t *task, isc_event_t *event) {
+	char *name = event->ev_arg;
+
+	printf("shutdown %s (%p)\n", name, task);
+	isc_event_free(&event);
+}
+
+static void
+my_tick(isc_task_t *task, isc_event_t *event) {
+	char *name = event->ev_arg;
+
+	printf("task %p tick %s\n", task, name);
+	isc_event_free(&event);
+}
+
+static char one[] = "1";
+static char two[] = "2";
+static char three[] = "3";
+static char four[] = "4";
+static char foo[] = "foo";
+static char bar[] = "bar";
+
+int
+main(int argc, char *argv[]) {
+	isc_nm_t *netmgr = NULL;
+	isc_taskmgr_t *taskmgr = NULL;
+	isc_task_t *t1 = NULL, *t2 = NULL;
+	isc_task_t *t3 = NULL, *t4 = NULL;
+	isc_event_t *event;
+	unsigned int workers;
+	isc_timermgr_t *timgr;
+	isc_timer_t *ti1, *ti2;
+	struct isc_interval interval;
+
+	if (argc > 1) {
+		workers = atoi(argv[1]);
+		if (workers < 1) {
+			workers = 1;
+		}
+		if (workers > 8192) {
+			workers = 8192;
+		}
+	} else {
+		workers = 2;
+	}
+	printf("%u workers\n", workers);
+
+	isc_mem_create(&mctx);
+
+	RUNTIME_CHECK(isc_managers_create(mctx, workers, 0, &netmgr,
+					  &taskmgr) == ISC_R_SUCCESS);
+
+	RUNTIME_CHECK(isc_task_create(taskmgr, 0, &t1) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_task_create(taskmgr, 0, &t2) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_task_create(taskmgr, 0, &t3) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_task_create(taskmgr, 0, &t4) == ISC_R_SUCCESS);
+
+	RUNTIME_CHECK(isc_task_onshutdown(t1, my_shutdown, one) ==
+		      ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_task_onshutdown(t2, my_shutdown, two) ==
+		      ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_task_onshutdown(t3, my_shutdown, three) ==
+		      ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_task_onshutdown(t4, my_shutdown, four) ==
+		      ISC_R_SUCCESS);
+
+	timgr = NULL;
+	RUNTIME_CHECK(isc_timermgr_create(mctx, &timgr) == ISC_R_SUCCESS);
+	ti1 = NULL;
+
+	isc_interval_set(&interval, 1, 0);
+	RUNTIME_CHECK(isc_timer_create(timgr, isc_timertype_ticker, NULL,
+				       &interval, t1, my_tick, foo,
+				       &ti1) == ISC_R_SUCCESS);
+
+	ti2 = NULL;
+	isc_interval_set(&interval, 1, 0);
+	RUNTIME_CHECK(isc_timer_create(timgr, isc_timertype_ticker, NULL,
+				       &interval, t2, my_tick, bar,
+				       &ti2) == ISC_R_SUCCESS);
+
+	printf("task 1 = %p\n", t1);
+	printf("task 2 = %p\n", t2);
+#ifndef WIN32
+	sleep(2);
+#else  /* ifndef WIN32 */
+	Sleep(2000);
+#endif /* ifndef WIN32 */
+
+	/*
+	 * Note:  (void *)1 is used as a sender here, since some compilers
+	 * don't like casting a function pointer to a (void *).
+	 *
+	 * In a real use, it is more likely the sender would be a
+	 * structure (socket, timer, task, etc) but this is just a test
+	 * program.
+	 */
+	event = isc_event_allocate(mctx, (void *)1, 1, my_callback, one,
+				   sizeof(*event));
+	isc_task_send(t1, &event);
+	event = isc_event_allocate(mctx, (void *)1, 1, my_callback, one,
+				   sizeof(*event));
+	isc_task_send(t1, &event);
+	event = isc_event_allocate(mctx, (void *)1, 1, my_callback, one,
+				   sizeof(*event));
+	isc_task_send(t1, &event);
+	event = isc_event_allocate(mctx, (void *)1, 1, my_callback, one,
+				   sizeof(*event));
+	isc_task_send(t1, &event);
+	event = isc_event_allocate(mctx, (void *)1, 1, my_callback, one,
+				   sizeof(*event));
+	isc_task_send(t1, &event);
+	event = isc_event_allocate(mctx, (void *)1, 1, my_callback, one,
+				   sizeof(*event));
+	isc_task_send(t1, &event);
+	event = isc_event_allocate(mctx, (void *)1, 1, my_callback, one,
+				   sizeof(*event));
+	isc_task_send(t1, &event);
+	event = isc_event_allocate(mctx, (void *)1, 1, my_callback, one,
+				   sizeof(*event));
+	isc_task_send(t1, &event);
+	event = isc_event_allocate(mctx, (void *)1, 1, my_callback, one,
+				   sizeof(*event));
+	isc_task_send(t1, &event);
+	event = isc_event_allocate(mctx, (void *)1, 1, my_callback, two,
+				   sizeof(*event));
+	isc_task_send(t2, &event);
+	event = isc_event_allocate(mctx, (void *)1, 1, my_callback, three,
+				   sizeof(*event));
+	isc_task_send(t3, &event);
+	event = isc_event_allocate(mctx, (void *)1, 1, my_callback, four,
+				   sizeof(*event));
+	isc_task_send(t4, &event);
+	event = isc_event_allocate(mctx, (void *)1, 1, my_callback, two,
+				   sizeof(*event));
+	isc_task_send(t2, &event);
+	event = isc_event_allocate(mctx, (void *)1, 1, my_callback, three,
+				   sizeof(*event));
+	isc_task_send(t3, &event);
+	event = isc_event_allocate(mctx, (void *)1, 1, my_callback, four,
+				   sizeof(*event));
+	isc_task_send(t4, &event);
+	isc_task_purgerange(t3, NULL, ISC_EVENTTYPE_FIRSTEVENT,
+			    ISC_EVENTTYPE_LASTEVENT, NULL);
+
+	isc_task_detach(&t1);
+	isc_task_detach(&t2);
+	isc_task_detach(&t3);
+	isc_task_detach(&t4);
+
+#ifndef WIN32
+	sleep(10);
+#else  /* ifndef WIN32 */
+	Sleep(10000);
+#endif /* ifndef WIN32 */
+	printf("destroy\n");
+	isc_timer_destroy(&ti1);
+	isc_timer_destroy(&ti2);
+	isc_timermgr_destroy(&timgr);
+	isc_managers_destroy(&netmgr, &taskmgr);
+	printf("destroyed\n");
+
+	isc_mem_stats(mctx, stdout);
+	isc_mem_destroy(&mctx);
+
+	return (0);
+}
diff --git a/bin/tests/optional/timer_test.c b/bin/tests/optional/timer_test.c
new file mode 100644
index 0000000..0eb6e9f
--- /dev/null
+++ b/bin/tests/optional/timer_test.c
@@ -0,0 +1,184 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <isc/managers.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/task.h>
+#include <isc/time.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+isc_mem_t *mctx1, *mctx2, *mctx3;
+isc_task_t *t1, *t2, *t3;
+isc_timer_t *ti1, *ti2, *ti3;
+int tick_count = 0;
+
+static void
+shutdown_task(isc_task_t *task, isc_event_t *event) {
+	char *name = event->ev_arg;
+
+	printf("task %p shutdown %s\n", task, name);
+	isc_event_free(&event);
+}
+
+static void
+tick(isc_task_t *task, isc_event_t *event) {
+	char *name = event->ev_arg;
+
+	INSIST(event->ev_type == ISC_TIMEREVENT_TICK);
+
+	printf("task %s (%p) tick\n", name, task);
+
+	tick_count++;
+	if (ti3 != NULL && tick_count % 3 == 0) {
+		isc_timer_touch(ti3);
+	}
+
+	if (ti3 != NULL && tick_count == 7) {
+		isc_time_t expires;
+		isc_interval_t interval;
+
+		isc_interval_set(&interval, 5, 0);
+		(void)isc_time_nowplusinterval(&expires, &interval);
+		isc_interval_set(&interval, 4, 0);
+		printf("*** resetting ti3 ***\n");
+		RUNTIME_CHECK(isc_timer_reset(ti3, isc_timertype_once, &expires,
+					      &interval,
+					      true) == ISC_R_SUCCESS);
+	}
+
+	isc_event_free(&event);
+}
+
+static void
+timeout(isc_task_t *task, isc_event_t *event) {
+	char *name = event->ev_arg;
+	const char *type;
+
+	INSIST(event->ev_type == ISC_TIMEREVENT_IDLE ||
+	       event->ev_type == ISC_TIMEREVENT_LIFE);
+
+	if (event->ev_type == ISC_TIMEREVENT_IDLE) {
+		type = "idle";
+	} else {
+		type = "life";
+	}
+	printf("task %s (%p) %s timeout\n", name, task, type);
+
+	if (strcmp(name, "3") == 0) {
+		printf("*** saving task 3 ***\n");
+		isc_event_free(&event);
+		return;
+	}
+
+	isc_event_free(&event);
+	isc_task_shutdown(task);
+}
+
+static char one[] = "1";
+static char two[] = "2";
+static char three[] = "3";
+
+int
+main(int argc, char *argv[]) {
+	isc_nm_t *netmgr = NULL;
+	isc_taskmgr_t *taskmgr = NULL;
+	isc_timermgr_t *timgr = NULL;
+	unsigned int workers;
+	isc_time_t expires, now;
+	isc_interval_t interval;
+
+	if (argc > 1) {
+		workers = atoi(argv[1]);
+		if (workers < 1) {
+			workers = 1;
+		}
+		if (workers > 8192) {
+			workers = 8192;
+		}
+	} else {
+		workers = 2;
+	}
+	printf("%u workers\n", workers);
+
+	isc_mem_create(&mctx1);
+	RUNTIME_CHECK(isc_managers_create(mctx1, workers, 0, &netmgr,
+					  &taskmgr) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_timermgr_create(mctx1, &timgr) == ISC_R_SUCCESS);
+
+	RUNTIME_CHECK(isc_task_create(taskmgr, 0, &t1) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_task_create(taskmgr, 0, &t2) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_task_create(taskmgr, 0, &t3) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_task_onshutdown(t1, shutdown_task, one) ==
+		      ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_task_onshutdown(t2, shutdown_task, two) ==
+		      ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_task_onshutdown(t3, shutdown_task, three) ==
+		      ISC_R_SUCCESS);
+
+	printf("task 1: %p\n", t1);
+	printf("task 2: %p\n", t2);
+	printf("task 3: %p\n", t3);
+
+	TIME_NOW(&now);
+
+	isc_interval_set(&interval, 2, 0);
+	RUNTIME_CHECK(isc_timer_create(timgr, isc_timertype_once, NULL,
+				       &interval, t2, timeout, two,
+				       &ti2) == ISC_R_SUCCESS);
+
+	isc_interval_set(&interval, 1, 0);
+	RUNTIME_CHECK(isc_timer_create(timgr, isc_timertype_ticker, NULL,
+				       &interval, t1, tick, one,
+				       &ti1) == ISC_R_SUCCESS);
+
+	isc_interval_set(&interval, 10, 0);
+	RUNTIME_CHECK(isc_time_add(&now, &interval, &expires) == ISC_R_SUCCESS);
+	isc_interval_set(&interval, 2, 0);
+	RUNTIME_CHECK(isc_timer_create(timgr, isc_timertype_once, &expires,
+				       &interval, t3, timeout, three,
+				       &ti3) == ISC_R_SUCCESS);
+
+	isc_task_detach(&t1);
+	isc_task_detach(&t2);
+	isc_task_detach(&t3);
+
+#ifndef WIN32
+	sleep(15);
+#else  /* ifndef WIN32 */
+	Sleep(15000);
+#endif /* ifndef WIN32 */
+	printf("destroy\n");
+	isc_timer_destroy(&ti1);
+	isc_timer_destroy(&ti2);
+	isc_timer_destroy(&ti3);
+#ifndef WIN32
+	sleep(2);
+#else  /* ifndef WIN32 */
+	Sleep(2000);
+#endif /* ifndef WIN32 */
+	isc_timermgr_destroy(&timgr);
+	isc_managers_destroy(&netmgr, &taskmgr);
+	printf("destroyed\n");
+
+	printf("Statistics for mctx1:\n");
+	isc_mem_stats(mctx1, stdout);
+	isc_mem_destroy(&mctx1);
+
+	return (0);
+}
diff --git a/bin/tests/optional/zone_test.c b/bin/tests/optional/zone_test.c
new file mode 100644
index 0000000..05193f8
--- /dev/null
+++ b/bin/tests/optional/zone_test.c
@@ -0,0 +1,318 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stdlib.h>
+#include <sys/param.h>
+#include <sys/select.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#include <isc/app.h>
+#include <isc/commandline.h>
+#include <isc/managers.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/socket.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/fixedname.h>
+#include <dns/rdataclass.h>
+#include <dns/rdataset.h>
+#include <dns/result.h>
+#include <dns/zone.h>
+
+static int debug = 0;
+static int quiet = 0;
+static int stats = 0;
+static isc_mem_t *mctx = NULL;
+dns_zone_t *zone = NULL;
+isc_nm_t *netmgr = NULL;
+isc_taskmgr_t *taskmgr = NULL;
+isc_timermgr_t *timermgr = NULL;
+isc_socketmgr_t *socketmgr = NULL;
+dns_zonemgr_t *zonemgr = NULL;
+dns_zonetype_t zonetype = dns_zone_primary;
+isc_sockaddr_t addr;
+
+#define ERRRET(result, function)                                        \
+	do {                                                            \
+		if (result != ISC_R_SUCCESS) {                          \
+			fprintf(stderr, "%s() returned %s\n", function, \
+				dns_result_totext(result));             \
+			return;                                         \
+		}                                                       \
+	} while (0)
+
+#define ERRCONT(result, function)                               \
+	if (result != ISC_R_SUCCESS) {                          \
+		fprintf(stderr, "%s() returned %s\n", function, \
+			dns_result_totext(result));             \
+		continue;                                       \
+	} else                                                  \
+		(void)NULL
+
+static void
+usage(void) {
+	fprintf(stderr, "usage: zone_test [-dqsSM] [-c class] [-f file] "
+			"zone\n");
+	exit(1);
+}
+
+static void
+setup(const char *zonename, const char *filename, const char *classname) {
+	isc_result_t result;
+	dns_rdataclass_t rdclass;
+	isc_consttextregion_t region;
+	isc_buffer_t buffer;
+	dns_fixedname_t fixorigin;
+	dns_name_t *origin;
+	const char *rbt = "rbt";
+
+	if (debug) {
+		fprintf(stderr, "loading \"%s\" from \"%s\" class \"%s\"\n",
+			zonename, filename, classname);
+	}
+	result = dns_zone_create(&zone, mctx);
+	ERRRET(result, "dns_zone_new");
+
+	dns_zone_settype(zone, zonetype);
+
+	isc_buffer_constinit(&buffer, zonename, strlen(zonename));
+	isc_buffer_add(&buffer, strlen(zonename));
+	dns_fixedname_init(&fixorigin);
+	result = dns_name_fromtext(dns_fixedname_name(&fixorigin), &buffer,
+				   dns_rootname, 0, NULL);
+	ERRRET(result, "dns_name_fromtext");
+	origin = dns_fixedname_name(&fixorigin);
+
+	result = dns_zone_setorigin(zone, origin);
+	ERRRET(result, "dns_zone_setorigin");
+
+	dns_zone_setdbtype(zone, 1, &rbt);
+
+	result = dns_zone_setfile(zone, filename, dns_masterformat_text,
+				  &dns_master_style_default);
+	ERRRET(result, "dns_zone_setfile");
+
+	region.base = classname;
+	region.length = strlen(classname);
+	result = dns_rdataclass_fromtext(&rdclass,
+					 (isc_textregion_t *)(void *)&region);
+	ERRRET(result, "dns_rdataclass_fromtext");
+
+	dns_zone_setclass(zone, rdclass);
+
+	if (zonetype == dns_zone_secondary) {
+		dns_zone_setprimaries(zone, &addr, 1);
+	}
+
+	result = dns_zone_load(zone, false);
+	ERRRET(result, "dns_zone_load");
+
+	result = dns_zonemgr_managezone(zonemgr, zone);
+	ERRRET(result, "dns_zonemgr_managezone");
+}
+
+static void
+print_rdataset(dns_name_t *name, dns_rdataset_t *rdataset) {
+	isc_buffer_t text;
+	char t[1000];
+	isc_result_t result;
+	isc_region_t r;
+
+	isc_buffer_init(&text, t, sizeof(t));
+	result = dns_rdataset_totext(rdataset, name, false, false, &text);
+	isc_buffer_usedregion(&text, &r);
+	if (result == ISC_R_SUCCESS) {
+		printf("%.*s", (int)r.length, (char *)r.base);
+	} else {
+		printf("%s\n", dns_result_totext(result));
+	}
+}
+
+static void
+query(void) {
+	char buf[1024];
+	dns_fixedname_t name;
+	dns_fixedname_t found;
+	dns_db_t *db;
+	isc_buffer_t buffer;
+	isc_result_t result;
+	dns_rdataset_t rdataset;
+	dns_rdataset_t sigset;
+	fd_set rfdset = { { 0 } };
+
+	db = NULL;
+	result = dns_zone_getdb(zone, &db);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "%s() returned %s\n", "dns_zone_getdb",
+			dns_result_totext(result));
+		return;
+	}
+
+	dns_fixedname_init(&found);
+	dns_rdataset_init(&rdataset);
+	dns_rdataset_init(&sigset);
+
+	do {
+		char *s;
+		fprintf(stdout, "zone_test ");
+		fflush(stdout);
+		FD_ZERO(&rfdset);
+		FD_SET(0, &rfdset);
+		select(1, &rfdset, NULL, NULL, NULL);
+		if (fgets(buf, sizeof(buf), stdin) == NULL) {
+			fprintf(stdout, "\n");
+			break;
+		}
+		buf[sizeof(buf) - 1] = '\0';
+
+		s = strchr(buf, '\n');
+		if (s != NULL) {
+			*s = '\0';
+		}
+		s = strchr(buf, '\r');
+		if (s != NULL) {
+			*s = '\0';
+		}
+		if (strcmp(buf, "dump") == 0) {
+			dns_zone_dumptostream(zone, stdout,
+					      dns_masterformat_text,
+					      &dns_master_style_default, 0);
+			continue;
+		}
+		if (strlen(buf) == 0U) {
+			continue;
+		}
+		dns_fixedname_init(&name);
+		isc_buffer_init(&buffer, buf, strlen(buf));
+		isc_buffer_add(&buffer, strlen(buf));
+		result = dns_name_fromtext(dns_fixedname_name(&name), &buffer,
+					   dns_rootname, 0, NULL);
+		ERRCONT(result, "dns_name_fromtext");
+
+		result = dns_db_find(db, dns_fixedname_name(&name),
+				     NULL /*version*/, dns_rdatatype_a,
+				     0 /*options*/, 0 /*time*/, NULL /*nodep*/,
+				     dns_fixedname_name(&found), &rdataset,
+				     &sigset);
+		fprintf(stderr, "%s() returned %s\n", "dns_db_find",
+			dns_result_totext(result));
+		switch (result) {
+		case DNS_R_DELEGATION:
+			print_rdataset(dns_fixedname_name(&found), &rdataset);
+			break;
+		case ISC_R_SUCCESS:
+			print_rdataset(dns_fixedname_name(&name), &rdataset);
+			break;
+		default:
+			break;
+		}
+
+		if (dns_rdataset_isassociated(&rdataset)) {
+			dns_rdataset_disassociate(&rdataset);
+		}
+		if (dns_rdataset_isassociated(&sigset)) {
+			dns_rdataset_disassociate(&sigset);
+		}
+	} while (1);
+	dns_rdataset_invalidate(&rdataset);
+	dns_db_detach(&db);
+}
+
+int
+main(int argc, char **argv) {
+	int c;
+	char *filename = NULL;
+	const char *classname = "IN";
+
+	while ((c = isc_commandline_parse(argc, argv, "cdf:m:qsMS")) != EOF) {
+		switch (c) {
+		case 'c':
+			classname = isc_commandline_argument;
+			break;
+		case 'd':
+			debug++;
+			break;
+		case 'f':
+			if (filename != NULL) {
+				usage();
+			}
+			filename = isc_commandline_argument;
+			break;
+		case 'm':
+			memset(&addr, 0, sizeof(addr));
+			addr.type.sin.sin_family = AF_INET;
+			if (inet_pton(AF_INET, isc_commandline_argument,
+				      &addr.type.sin.sin_addr) != 1)
+			{
+				fprintf(stderr, "bad master address '%s'\n",
+					isc_commandline_argument);
+				exit(1);
+			}
+			addr.type.sin.sin_port = htons(53);
+			break;
+		case 'q':
+			quiet++;
+			break;
+		case 's':
+			stats++;
+			break;
+		case 'S':
+			zonetype = dns_zone_secondary;
+			break;
+		case 'M':
+			zonetype = dns_zone_primary;
+			break;
+		default:
+			usage();
+		}
+	}
+
+	if (argv[isc_commandline_index] == NULL) {
+		usage();
+	}
+
+	RUNTIME_CHECK(isc_app_start() == ISC_R_SUCCESS);
+	isc_mem_create(&mctx);
+	RUNTIME_CHECK(isc_managers_create(mctx, 2, 0, NULL, &taskmgr) ==
+		      ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_timermgr_create(mctx, &timermgr) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_socketmgr_create(mctx, &socketmgr) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(dns_zonemgr_create(mctx, taskmgr, timermgr, socketmgr,
+					 &zonemgr) == ISC_R_SUCCESS);
+	if (filename == NULL) {
+		filename = argv[isc_commandline_index];
+	}
+	setup(argv[isc_commandline_index], filename, classname);
+	query();
+	if (zone != NULL) {
+		dns_zone_detach(&zone);
+	}
+	dns_zonemgr_shutdown(zonemgr);
+	dns_zonemgr_detach(&zonemgr);
+	isc_socketmgr_destroy(&socketmgr);
+	isc_managers_destroy(&netmgr, &taskmgr);
+	isc_timermgr_destroy(&timermgr);
+	if (!quiet && stats) {
+		isc_mem_stats(mctx, stdout);
+	}
+	isc_mem_destroy(&mctx);
+
+	return (0);
+}
diff --git a/bin/tests/pkcs11/Makefile.in b/bin/tests/pkcs11/Makefile.in
new file mode 100644
index 0000000..56024c4
--- /dev/null
+++ b/bin/tests/pkcs11/Makefile.in
@@ -0,0 +1,32 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	${ISC_INCLUDES}
+CDEFINES =
+
+ISCLIBS =	../../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+
+LIBS =		${ISCLIBS} @LIBS@
+
+SUBDIRS =	benchmarks
+
+@BIND9_MAKE_RULES@
+
+test:
+
+clean distclean::
+	rm -f ${TARGETS}
diff --git a/bin/tests/pkcs11/README b/bin/tests/pkcs11/README
new file mode 100644
index 0000000..2b594d9
--- /dev/null
+++ b/bin/tests/pkcs11/README
@@ -0,0 +1,15 @@
+"pkcs11-hmacmd5" is here to check for the presence of a known bug in
+the Thales nCipher PKCS#11 provider library.  To test for the bug, use
+pkcs11-hmacmd5 to hash a test vector from RFC 2104, and determine
+whether the resulting digest is is correct.  For instance:
+
+    echo -n "Hi There" | \
+        ./pkcs11-hmacmd5 -p <PIN> -k '0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b'
+
+...must return "9294727a3638bb1c13f48ef8158bfc9d".
+
+If any other value is returned, then the provider library is buggy,
+and theflag PK11_MD5_HMAC_REPLACE must be defined in
+lib/isc/include/pk11/site.h
+However, if the correct value is returned, then it is safe to turn
+off PK11_MD5_HMAC_REPLACE. (It is on by default.)
diff --git a/bin/tests/pkcs11/benchmarks/Makefile.in b/bin/tests/pkcs11/benchmarks/Makefile.in
new file mode 100644
index 0000000..8101efc
--- /dev/null
+++ b/bin/tests/pkcs11/benchmarks/Makefile.in
@@ -0,0 +1,74 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	${ISC_INCLUDES}
+CDEFINES =
+
+ISCLIBS =	../../../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+
+LIBS =		${ISCLIBS} @LIBS@
+
+SUBDIRS =
+
+TARGETS =	session@EXEEXT@ login@EXEEXT@ \
+		create@EXEEXT@ find@EXEEXT@ \
+		pubrsa@EXEEXT@ privrsa@EXEEXT@ genrsa@EXEEXT@ \
+		sign@EXEEXT@ verify@EXEEXT@
+
+SRCS =		session.c login.c create.c find.c \
+		pubrsa.c privrsa.c genrsa.c sign.c verify.c
+
+@BIND9_MAKE_RULES@
+
+session@EXEEXT@: @srcdir@/session.c
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
+		-o $@ @srcdir@/session.c ${LIBS}
+
+login@EXEEXT@: @srcdir@/login.c
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
+		-o $@ @srcdir@/login.c ${LIBS}
+
+create@EXEEXT@: @srcdir@/create.c
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
+		-o $@ @srcdir@/create.c ${LIBS}
+
+find@EXEEXT@: @srcdir@/find.c
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
+		-o $@ @srcdir@/find.c ${LIBS}
+
+pubrsa@EXEEXT@: @srcdir@/pubrsa.c
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
+		-o $@ @srcdir@/pubrsa.c ${LIBS}
+
+privrsa@EXEEXT@: @srcdir@/privrsa.c
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
+		-o $@ @srcdir@/privrsa.c ${LIBS}
+
+genrsa@EXEEXT@: @srcdir@/genrsa.c
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
+		-o $@ @srcdir@/genrsa.c ${LIBS}
+
+sign@EXEEXT@: @srcdir@/sign.c
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
+		-o $@ @srcdir@/sign.c ${LIBS}
+
+verify@EXEEXT@: @srcdir@/verify.c
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
+		-o $@ @srcdir@/verify.c ${LIBS}
+
+clean distclean::
+	rm -f ${TARGETS}
diff --git a/bin/tests/pkcs11/benchmarks/create.c b/bin/tests/pkcs11/benchmarks/create.c
new file mode 100644
index 0000000..2f1c365
--- /dev/null
+++ b/bin/tests/pkcs11/benchmarks/create.c
@@ -0,0 +1,264 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* create [-m module] [-s $slot] [-p pin] [-t] [-n count] */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <isc/commandline.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <pk11/pk11.h>
+#include <pk11/result.h>
+
+#ifndef HAVE_CLOCK_GETTIME
+
+#include <sys/time.h>
+
+#ifndef CLOCK_REALTIME
+#define CLOCK_REALTIME 0
+#endif /* ifndef CLOCK_REALTIME */
+
+static int
+clock_gettime(int32_t id, struct timespec *tp);
+
+static int
+clock_gettime(int32_t id, struct timespec *tp) {
+	struct timeval tv;
+	int result;
+
+	UNUSED(id);
+
+	result = gettimeofday(&tv, NULL);
+	if (result == 0) {
+		tp->tv_sec = tv.tv_sec;
+		tp->tv_nsec = (long)tv.tv_usec * 1000;
+	}
+	return (result);
+}
+#endif /* ifndef HAVE_CLOCK_GETTIME */
+
+CK_BYTE buf[1024];
+char label[16];
+
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+int
+main(int argc, char *argv[]) {
+	isc_result_t result;
+	CK_RV rv;
+	CK_SLOT_ID slot = 0;
+	CK_SESSION_HANDLE hSession = CK_INVALID_HANDLE;
+	CK_OBJECT_HANDLE *hKey;
+	CK_OBJECT_CLASS kClass = CKO_DATA;
+	CK_ULONG len = sizeof(buf);
+	CK_ATTRIBUTE kTemplate[] = {
+		{ CKA_CLASS, &kClass, (CK_ULONG)sizeof(kClass) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
+		{ CKA_LABEL, (CK_BYTE_PTR)label, (CK_ULONG)sizeof(label) },
+		{ CKA_VALUE, buf, (CK_ULONG)sizeof(buf) }
+	};
+	pk11_context_t pctx;
+	char *lib_name = NULL;
+	char *pin = NULL;
+	int error = 0;
+	int c, errflg = 0;
+	int ontoken = 0;
+	unsigned int count = 1000;
+	unsigned int i;
+	struct timespec starttime;
+	struct timespec endtime;
+
+	while ((c = isc_commandline_parse(argc, argv, ":m:s:p:tn:")) != -1) {
+		switch (c) {
+		case 'm':
+			lib_name = isc_commandline_argument;
+			break;
+		case 's':
+			slot = atoi(isc_commandline_argument);
+			break;
+		case 't':
+			ontoken = 1;
+			break;
+		case 'p':
+			pin = isc_commandline_argument;
+			break;
+		case 'n':
+			count = atoi(isc_commandline_argument);
+			break;
+		case ':':
+			fprintf(stderr, "Option -%c requires an operand\n",
+				isc_commandline_option);
+			errflg++;
+			break;
+		case '?':
+		default:
+			fprintf(stderr, "Unrecognised option: -%c\n",
+				isc_commandline_option);
+			errflg++;
+		}
+	}
+
+	if (errflg) {
+		fprintf(stderr, "Usage:\n");
+		fprintf(stderr, "\tcreate [-m module] [-s slot] [-t] [-n "
+				"count]\n");
+		exit(1);
+	}
+
+	pk11_result_register();
+
+	/* Allocate handles */
+	hKey = (CK_SESSION_HANDLE *)malloc(count * sizeof(CK_SESSION_HANDLE));
+	if (hKey == NULL) {
+		perror("malloc");
+		exit(1);
+	}
+	for (i = 0; i < count; i++) {
+		hKey[i] = CK_INVALID_HANDLE;
+	}
+
+	/* Initialize the CRYPTOKI library */
+	if (lib_name != NULL) {
+		pk11_set_lib_name(lib_name);
+	}
+
+	if (pin == NULL) {
+		pin = getpass("Enter Pin: ");
+	}
+
+	result = pk11_get_session(&pctx, OP_ANY, true, true, true,
+				  (const char *)pin, slot);
+	if ((result != ISC_R_SUCCESS) && (result != PK11_R_NORANDOMSERVICE) &&
+	    (result != PK11_R_NODIGESTSERVICE) &&
+	    (result != PK11_R_NOAESSERVICE))
+	{
+		fprintf(stderr, "Error initializing PKCS#11: %s\n",
+			isc_result_totext(result));
+		exit(1);
+	}
+
+	if (pin != NULL) {
+		memset(pin, 0, strlen((char *)pin));
+	}
+
+	hSession = pctx.session;
+
+	/* Randomize the buffer */
+	rv = pkcs_C_GenerateRandom(hSession, buf, len);
+	if (rv != CKR_OK) {
+		fprintf(stderr, "C_GenerateRandom: Error = 0x%.8lX\n", rv);
+		goto exit_objects;
+	}
+
+	if (ontoken) {
+		kTemplate[1].pValue = &truevalue;
+	}
+
+	if (clock_gettime(CLOCK_REALTIME, &starttime) < 0) {
+		perror("clock_gettime(start)");
+		goto exit_objects;
+	}
+
+	for (i = 0; i < count; i++) {
+		(void)snprintf(label, sizeof(label), "obj%u", i);
+		kTemplate[3].ulValueLen = strlen(label);
+		rv = pkcs_C_CreateObject(hSession, kTemplate, 5, &hKey[i]);
+		if (rv != CKR_OK) {
+			fprintf(stderr, "C_CreateObject[%u]: Error = 0x%.8lX\n",
+				i, rv);
+			error = 1;
+			if (i == 0) {
+				goto exit_objects;
+			}
+			break;
+		}
+	}
+
+	if (clock_gettime(CLOCK_REALTIME, &endtime) < 0) {
+		perror("clock_gettime(end)");
+		goto exit_objects;
+	}
+
+	endtime.tv_sec -= starttime.tv_sec;
+	endtime.tv_nsec -= starttime.tv_nsec;
+	while (endtime.tv_nsec < 0) {
+		endtime.tv_sec -= 1;
+		endtime.tv_nsec += 1000000000;
+	}
+	printf("%u created objects in %ld.%09lds\n", i, endtime.tv_sec,
+	       endtime.tv_nsec);
+	if (i > 0) {
+		printf("%g created objects/s\n",
+		       1024 * i /
+			       ((double)endtime.tv_sec +
+				(double)endtime.tv_nsec / 1000000000.));
+	}
+
+exit_objects:
+	for (i = 0; i < count; i++) {
+		/* Destroy objects */
+		if (hKey[i] == CK_INVALID_HANDLE) {
+			continue;
+		}
+		rv = pkcs_C_DestroyObject(hSession, hKey[i]);
+		if ((rv != CKR_OK) && !errflg) {
+			fprintf(stderr,
+				"C_DestroyObject[%u]: Error = 0x%.8lX\n", i,
+				rv);
+			errflg = 1;
+		}
+	}
+
+	free(hKey);
+	pk11_return_session(&pctx);
+	(void)pk11_finalize();
+
+	exit(error);
+}
diff --git a/bin/tests/pkcs11/benchmarks/find.c b/bin/tests/pkcs11/benchmarks/find.c
new file mode 100644
index 0000000..e43fb68
--- /dev/null
+++ b/bin/tests/pkcs11/benchmarks/find.c
@@ -0,0 +1,230 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* find [-m module] [-s $slot] [-p pin] [-n count] */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <isc/commandline.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <pk11/pk11.h>
+#include <pk11/result.h>
+
+#ifndef HAVE_CLOCK_GETTIME
+
+#include <sys/time.h>
+
+#ifndef CLOCK_REALTIME
+#define CLOCK_REALTIME 0
+#endif /* ifndef CLOCK_REALTIME */
+
+static int
+clock_gettime(int32_t id, struct timespec *tp);
+
+static int
+clock_gettime(int32_t id, struct timespec *tp) {
+	struct timeval tv;
+	int result;
+
+	UNUSED(id);
+
+	result = gettimeofday(&tv, NULL);
+	if (result == 0) {
+		tp->tv_sec = tv.tv_sec;
+		tp->tv_nsec = (long)tv.tv_usec * 1000;
+	}
+	return (result);
+}
+#endif /* ifndef HAVE_CLOCK_GETTIME */
+
+CK_BYTE label[] = "foo??bar!!";
+
+int
+main(int argc, char *argv[]) {
+	isc_result_t result;
+	CK_RV rv;
+	CK_SLOT_ID slot = 0;
+	CK_SESSION_HANDLE hSession = CK_INVALID_HANDLE;
+	CK_ATTRIBUTE sTemplate[] = {
+		{ CKA_LABEL, label, (CK_ULONG)sizeof(label) },
+	};
+	CK_OBJECT_HANDLE sKey = CK_INVALID_HANDLE;
+	CK_ULONG found = 0;
+	pk11_context_t pctx;
+	pk11_optype_t op_type = OP_RSA;
+	char *lib_name = NULL;
+	char *pin = NULL;
+	int error = 0;
+	int c, errflg = 0;
+	unsigned int count = 1000;
+	unsigned int i;
+	struct timespec starttime;
+	struct timespec endtime;
+
+	while ((c = isc_commandline_parse(argc, argv, ":m:s:p:n:")) != -1) {
+		switch (c) {
+		case 'm':
+			lib_name = isc_commandline_argument;
+			break;
+		case 's':
+			slot = atoi(isc_commandline_argument);
+			op_type = OP_ANY;
+			break;
+		case 'p':
+			pin = isc_commandline_argument;
+			break;
+		case 'n':
+			count = atoi(isc_commandline_argument);
+			break;
+		case ':':
+			fprintf(stderr, "Option -%c requires an operand\n",
+				isc_commandline_option);
+			errflg++;
+			break;
+		case '?':
+		default:
+			fprintf(stderr, "Unrecognised option: -%c\n",
+				isc_commandline_option);
+			errflg++;
+		}
+	}
+
+	if (errflg) {
+		fprintf(stderr, "Usage:\n");
+		fprintf(stderr, "\tfind [-m module] [-s slot] [-p pin] [-n "
+				"count]\n");
+		exit(1);
+	}
+
+	pk11_result_register();
+
+	/* Initialize the CRYPTOKI library */
+	if (lib_name != NULL) {
+		pk11_set_lib_name(lib_name);
+	}
+
+	if (pin == NULL) {
+		pin = getpass("Enter Pin: ");
+	}
+
+	result = pk11_get_session(&pctx, op_type, false, false, true,
+				  (const char *)pin, slot);
+	if ((result != ISC_R_SUCCESS) && (result != PK11_R_NORANDOMSERVICE) &&
+	    (result != PK11_R_NODIGESTSERVICE) &&
+	    (result != PK11_R_NOAESSERVICE))
+	{
+		fprintf(stderr, "Error initializing PKCS#11: %s\n",
+			isc_result_totext(result));
+		exit(1);
+	}
+
+	if (pin != NULL) {
+		memset(pin, 0, strlen((char *)pin));
+	}
+
+	hSession = pctx.session;
+
+	if (clock_gettime(CLOCK_REALTIME, &starttime) < 0) {
+		perror("clock_gettime(start)");
+		goto exit_objects;
+	}
+
+	for (i = 0; !error && (i < count); i++) {
+		rv = pkcs_C_FindObjectsInit(hSession, sTemplate, 1);
+		if (rv != CKR_OK) {
+			fprintf(stderr,
+				"C_FindObjectsInit[%u]: Error = 0x%.8lX\n", i,
+				rv);
+			error = 1;
+			break;
+		}
+
+		rv = pkcs_C_FindObjects(hSession, &sKey, 1, &found);
+		if (rv != CKR_OK) {
+			fprintf(stderr, "C_FindObjects[%u]: Error = 0x%.8lX\n",
+				i, rv);
+			error = 1;
+			/* no break here! */
+		}
+
+		rv = pkcs_C_FindObjectsFinal(hSession);
+		if (rv != CKR_OK) {
+			fprintf(stderr,
+				"C_FindObjectsFinal[%u]: Error = 0x%.8lX\n", i,
+				rv);
+			error = 1;
+			break;
+		}
+	}
+
+	if (clock_gettime(CLOCK_REALTIME, &endtime) < 0) {
+		perror("clock_gettime(end)");
+		goto exit_objects;
+	}
+
+	endtime.tv_sec -= starttime.tv_sec;
+	endtime.tv_nsec -= starttime.tv_nsec;
+	while (endtime.tv_nsec < 0) {
+		endtime.tv_sec -= 1;
+		endtime.tv_nsec += 1000000000;
+	}
+	printf("%u object searches in %ld.%09lds\n", i, endtime.tv_sec,
+	       endtime.tv_nsec);
+	if (i > 0) {
+		printf("%g object searches/s\n",
+		       1024 * i /
+			       ((double)endtime.tv_sec +
+				(double)endtime.tv_nsec / 1000000000.));
+	}
+
+exit_objects:
+	pk11_return_session(&pctx);
+	(void)pk11_finalize();
+
+	exit(error);
+}
diff --git a/bin/tests/pkcs11/benchmarks/genrsa.c b/bin/tests/pkcs11/benchmarks/genrsa.c
new file mode 100644
index 0000000..062fa69
--- /dev/null
+++ b/bin/tests/pkcs11/benchmarks/genrsa.c
@@ -0,0 +1,296 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* genrsa [-m module] [-s $slot] [-p pin] [-t] [-b bits] [-n count] */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <isc/commandline.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <pk11/pk11.h>
+#include <pk11/result.h>
+
+#ifndef HAVE_CLOCK_GETTIME
+
+#include <sys/time.h>
+
+#ifndef CLOCK_REALTIME
+#define CLOCK_REALTIME 0
+#endif /* ifndef CLOCK_REALTIME */
+
+static int
+clock_gettime(int32_t id, struct timespec *tp);
+
+static int
+clock_gettime(int32_t id, struct timespec *tp) {
+	struct timeval tv;
+	int result;
+
+	UNUSED(id);
+
+	result = gettimeofday(&tv, NULL);
+	if (result == 0) {
+		tp->tv_sec = tv.tv_sec;
+		tp->tv_nsec = (long)tv.tv_usec * 1000;
+	}
+	return (result);
+}
+#endif /* ifndef HAVE_CLOCK_GETTIME */
+
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+int
+main(int argc, char *argv[]) {
+	isc_result_t result;
+	CK_RV rv;
+	CK_SLOT_ID slot = 0;
+	CK_SESSION_HANDLE hSession = CK_INVALID_HANDLE;
+	CK_MECHANISM mech = { CKM_RSA_PKCS_KEY_PAIR_GEN, NULL, 0 };
+	CK_OBJECT_HANDLE *pubKey;
+	CK_OBJECT_HANDLE *privKey;
+	CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY;
+	CK_OBJECT_CLASS privClass = CKO_PRIVATE_KEY;
+	CK_KEY_TYPE kType = CKK_RSA;
+	CK_ULONG bits = 1024;
+	CK_BYTE exponent[] = { 0x01, 0x00, 0x01 };
+	CK_ATTRIBUTE pubTemplate[] = {
+		{ CKA_CLASS, &pubClass, (CK_ULONG)sizeof(pubClass) },
+		{ CKA_KEY_TYPE, &kType, (CK_ULONG)sizeof(kType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
+		{ CKA_VERIFY, &truevalue, (CK_ULONG)sizeof(truevalue) },
+		{ CKA_MODULUS_BITS, &bits, (CK_ULONG)sizeof(bits) },
+		{ CKA_PUBLIC_EXPONENT, exponent, (CK_ULONG)sizeof(exponent) }
+	};
+	CK_ATTRIBUTE privTemplate[] = {
+		{ CKA_CLASS, &privClass, (CK_ULONG)sizeof(privClass) },
+		{ CKA_KEY_TYPE, &kType, (CK_ULONG)sizeof(kType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
+		{ CKA_PRIVATE, &truevalue, (CK_ULONG)sizeof(truevalue) },
+		{ CKA_SIGN, &truevalue, (CK_ULONG)sizeof(truevalue) },
+	};
+	pk11_context_t pctx;
+	pk11_optype_t op_type = OP_RSA;
+	char *lib_name = NULL;
+	char *pin = NULL;
+	int error = 0;
+	int c, errflg = 0;
+	int ontoken = 0;
+	unsigned int count = 1000;
+	unsigned int i;
+	struct timespec starttime;
+	struct timespec endtime;
+
+	while ((c = isc_commandline_parse(argc, argv, ":m:s:p:tb:n:")) != -1) {
+		switch (c) {
+		case 'm':
+			lib_name = isc_commandline_argument;
+			break;
+		case 's':
+			slot = atoi(isc_commandline_argument);
+			op_type = OP_ANY;
+			break;
+		case 'p':
+			pin = isc_commandline_argument;
+			break;
+		case 't':
+			ontoken = 1;
+			break;
+		case 'b':
+			bits = (CK_ULONG)atoi(isc_commandline_argument);
+			break;
+		case 'n':
+			count = atoi(isc_commandline_argument);
+			break;
+		case ':':
+			fprintf(stderr, "Option -%c requires an operand\n",
+				isc_commandline_option);
+			errflg++;
+			break;
+		case '?':
+		default:
+			fprintf(stderr, "Unrecognised option: -%c\n",
+				isc_commandline_option);
+			errflg++;
+		}
+	}
+
+	if (errflg) {
+		fprintf(stderr, "Usage:\n");
+		fprintf(stderr, "\tgenrsa [-m module] [-s slot] [-p pin] "
+				"[-t] [-b bits] [-n count]\n");
+		exit(1);
+	}
+
+	pk11_result_register();
+
+	/* Allocate handles */
+	pubKey = (CK_SESSION_HANDLE *)malloc(count * sizeof(CK_SESSION_HANDLE));
+	if (pubKey == NULL) {
+		perror("malloc");
+		exit(1);
+	}
+	privKey =
+		(CK_SESSION_HANDLE *)malloc(count * sizeof(CK_SESSION_HANDLE));
+	if (privKey == NULL) {
+		free(pubKey);
+		perror("malloc");
+		exit(1);
+	}
+	for (i = 0; i < count; i++) {
+		pubKey[i] = CK_INVALID_HANDLE;
+		privKey[i] = CK_INVALID_HANDLE;
+	}
+
+	/* Initialize the CRYPTOKI library */
+	if (lib_name != NULL) {
+		pk11_set_lib_name(lib_name);
+	}
+
+	if (pin == NULL) {
+		pin = getpass("Enter Pin: ");
+	}
+
+	result = pk11_get_session(&pctx, op_type, false, true, true,
+				  (const char *)pin, slot);
+	if ((result != ISC_R_SUCCESS) && (result != PK11_R_NORANDOMSERVICE) &&
+	    (result != PK11_R_NODIGESTSERVICE) &&
+	    (result != PK11_R_NOAESSERVICE))
+	{
+		fprintf(stderr, "Error initializing PKCS#11: %s\n",
+			isc_result_totext(result));
+		exit(1);
+	}
+
+	if (pin != NULL) {
+		memset(pin, 0, strlen((char *)pin));
+	}
+
+	hSession = pctx.session;
+
+	if (ontoken) {
+		pubTemplate[2].pValue = &truevalue;
+		privTemplate[2].pValue = &truevalue;
+	}
+
+	if (clock_gettime(CLOCK_REALTIME, &starttime) < 0) {
+		perror("clock_gettime(start)");
+		goto exit_keys;
+	}
+
+	for (i = 0; i < count; i++) {
+		rv = pkcs_C_GenerateKeyPair(hSession, &mech, pubTemplate, 7,
+					    privTemplate, 5, &pubKey[i],
+					    &privKey[i]);
+		if (rv != CKR_OK) {
+			fprintf(stderr,
+				"C_GenerateKeyPair[%u]: Error = 0x%.8lX\n", i,
+				rv);
+			error = 1;
+			if (i == 0) {
+				goto exit_keys;
+			}
+			break;
+		}
+	}
+
+	if (clock_gettime(CLOCK_REALTIME, &endtime) < 0) {
+		perror("clock_gettime(end)");
+		goto exit_keys;
+	}
+
+	endtime.tv_sec -= starttime.tv_sec;
+	endtime.tv_nsec -= starttime.tv_nsec;
+	while (endtime.tv_nsec < 0) {
+		endtime.tv_sec -= 1;
+		endtime.tv_nsec += 1000000000;
+	}
+	printf("%u generated RSA in %ld.%09lds\n", i, endtime.tv_sec,
+	       endtime.tv_nsec);
+	if (i > 0) {
+		printf("%g generated RSA/s\n",
+		       1024 * i /
+			       ((double)endtime.tv_sec +
+				(double)endtime.tv_nsec / 1000000000.));
+	}
+
+exit_keys:
+	for (i = 0; i < count; i++) {
+		/* Destroy keys */
+		if (pubKey[i] == CK_INVALID_HANDLE) {
+			goto destroy_priv;
+		}
+		rv = pkcs_C_DestroyObject(hSession, pubKey[i]);
+		if ((rv != CKR_OK) && !errflg) {
+			fprintf(stderr,
+				"C_DestroyObject[pub%u]: Error = 0x%.8lX\n", i,
+				rv);
+			errflg = 1;
+		}
+	destroy_priv:
+		if (privKey[i] == CK_INVALID_HANDLE) {
+			continue;
+		}
+		rv = pkcs_C_DestroyObject(hSession, privKey[i]);
+		if ((rv != CKR_OK) && !errflg) {
+			fprintf(stderr,
+				"C_DestroyObject[priv%u]: Error = 0x%.8lX\n", i,
+				rv);
+			errflg = 1;
+		}
+	}
+
+	free(pubKey);
+	free(privKey);
+
+	pk11_return_session(&pctx);
+	(void)pk11_finalize();
+
+	exit(error);
+}
diff --git a/bin/tests/pkcs11/benchmarks/login.c b/bin/tests/pkcs11/benchmarks/login.c
new file mode 100644
index 0000000..70dd0a1
--- /dev/null
+++ b/bin/tests/pkcs11/benchmarks/login.c
@@ -0,0 +1,251 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* login [-m module] [-s $slot] [-p pin] [-n count] */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <isc/commandline.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <pk11/internal.h>
+#include <pk11/pk11.h>
+
+#ifndef HAVE_CLOCK_GETTIME
+
+#include <sys/time.h>
+
+#ifndef CLOCK_REALTIME
+#define CLOCK_REALTIME 0
+#endif /* ifndef CLOCK_REALTIME */
+
+static int
+clock_gettime(int32_t id, struct timespec *tp);
+
+static int
+clock_gettime(int32_t id, struct timespec *tp) {
+	struct timeval tv;
+	int result;
+
+	UNUSED(id);
+
+	result = gettimeofday(&tv, NULL);
+	if (result == 0) {
+		tp->tv_sec = tv.tv_sec;
+		tp->tv_nsec = (long)tv.tv_usec * 1000;
+	}
+	return (result);
+}
+#endif /* ifndef HAVE_CLOCK_GETTIME */
+
+int
+main(int argc, char *argv[]) {
+	CK_RV rv;
+	CK_SLOT_ID slot = 0;
+	CK_SESSION_HANDLE *hSession;
+	CK_UTF8CHAR *pin = NULL;
+	char *lib_name = NULL;
+	int error = 0;
+	int c, errflg = 0;
+	unsigned int count = 1000;
+	unsigned int i, j;
+	struct timespec starttime;
+	struct timespec endtime;
+
+	while ((c = isc_commandline_parse(argc, argv, ":m:s:p:n:")) != -1) {
+		switch (c) {
+		case 'm':
+			lib_name = isc_commandline_argument;
+			break;
+		case 's':
+			slot = atoi(isc_commandline_argument);
+			break;
+		case 'p':
+			pin = (CK_UTF8CHAR *)isc_commandline_argument;
+			break;
+		case 'n':
+			count = atoi(isc_commandline_argument);
+			break;
+		case ':':
+			fprintf(stderr, "Option -%c requires an operand\n",
+				isc_commandline_option);
+			errflg++;
+			break;
+		case '?':
+		default:
+			fprintf(stderr, "Unrecognised option: -%c\n",
+				isc_commandline_option);
+			errflg++;
+		}
+	}
+
+	if (errflg) {
+		fprintf(stderr, "Usage:\n");
+		fprintf(stderr, "\tlogin [-m module] [-s slot] [-p pin] [-n "
+				"count]\n");
+		exit(1);
+	}
+
+	/* allocate sessions */
+	hSession =
+		(CK_SESSION_HANDLE *)malloc(count * sizeof(CK_SESSION_HANDLE));
+	if (hSession == NULL) {
+		perror("malloc");
+		exit(1);
+	}
+	for (i = 0; i < count; i++) {
+		hSession[i] = CK_INVALID_HANDLE;
+	}
+
+	/* Initialize the CRYPTOKI library */
+	if (lib_name != NULL) {
+		pk11_set_lib_name(lib_name);
+	}
+
+	if (pin == NULL) {
+		pin = (CK_UTF8CHAR *)getpass("Enter Pin: ");
+	}
+
+	rv = pkcs_C_Initialize(NULL_PTR);
+	if (rv != CKR_OK) {
+		if (rv == 0xfe) {
+			fprintf(stderr, "Can't load or link module \"%s\"\n",
+				pk11_get_lib_name());
+		} else {
+			fprintf(stderr, "C_Initialize: Error = 0x%.8lX\n", rv);
+		}
+		free(hSession);
+		exit(1);
+	}
+
+	if (clock_gettime(CLOCK_REALTIME, &starttime) < 0) {
+		perror("clock_gettime(start)");
+		goto exit_program;
+	}
+
+	/* loop */
+	for (i = 0; i < count; i++) {
+		/* Open sessions */
+		rv = pkcs_C_OpenSession(slot, CKF_SERIAL_SESSION, NULL_PTR,
+					NULL_PTR, &hSession[i]);
+		if (rv != CKR_OK) {
+			fprintf(stderr, "C_OpenSession[%u]: Error = 0x%.8lX\n",
+				i, rv);
+			error = 1;
+			if (i == 0) {
+				goto exit_program;
+			}
+			break;
+		}
+
+		/* Logon */
+		rv = pkcs_C_Login(hSession[i], CKU_USER, pin,
+				  strlen((char *)pin));
+		if (rv != CKR_OK) {
+			fprintf(stderr, "C_Login[%u]: Error = 0x%.8lX\n", i,
+				rv);
+			error = 1;
+			if (i == 0) {
+				goto exit_program;
+			}
+			break;
+		}
+
+		/* Logoff */
+		rv = pkcs_C_Logout(hSession[i]);
+		if (rv != CKR_OK) {
+			fprintf(stderr, "C_Logout[%u]: Error = 0x%.8lX\n", i,
+				rv);
+			error = 1;
+			if (i == 0) {
+				goto exit_program;
+			}
+			break;
+		}
+	}
+
+	if (clock_gettime(CLOCK_REALTIME, &endtime) < 0) {
+		perror("clock_gettime(end)");
+		goto exit_program;
+	}
+
+	endtime.tv_sec -= starttime.tv_sec;
+	endtime.tv_nsec -= starttime.tv_nsec;
+	while (endtime.tv_nsec < 0) {
+		endtime.tv_sec -= 1;
+		endtime.tv_nsec += 1000000000;
+	}
+	printf("%u logins in %ld.%09lds\n", i, endtime.tv_sec, endtime.tv_nsec);
+	if (i > 0) {
+		printf("%g logins/s\n",
+		       i / ((double)endtime.tv_sec +
+			    (double)endtime.tv_nsec / 1000000000.));
+	}
+
+	for (j = 0; j < i; j++) {
+		if (hSession[j] == CK_INVALID_HANDLE) {
+			continue;
+		}
+		/* Close sessions */
+		rv = pkcs_C_CloseSession(hSession[j]);
+		if ((rv != CKR_OK) && !errflg) {
+			fprintf(stderr, "C_CloseSession[%u]: Error = 0x%.8lX\n",
+				j, rv);
+			errflg = 1;
+		}
+	}
+
+exit_program:
+	free(hSession);
+
+	rv = pkcs_C_Finalize(NULL_PTR);
+	if (rv != CKR_OK) {
+		fprintf(stderr, "C_Finalize: Error = 0x%.8lX\n", rv);
+	}
+
+	exit(error);
+}
diff --git a/bin/tests/pkcs11/benchmarks/privrsa.c b/bin/tests/pkcs11/benchmarks/privrsa.c
new file mode 100644
index 0000000..bd6911e
--- /dev/null
+++ b/bin/tests/pkcs11/benchmarks/privrsa.c
@@ -0,0 +1,332 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* privrsa [-m module] [-s $slot] [-p pin] [-t] [-n count] */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <isc/commandline.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <pk11/pk11.h>
+#include <pk11/result.h>
+
+#ifndef HAVE_CLOCK_GETTIME
+
+#include <sys/time.h>
+
+#ifndef CLOCK_REALTIME
+#define CLOCK_REALTIME 0
+#endif /* ifndef CLOCK_REALTIME */
+
+static int
+clock_gettime(int32_t id, struct timespec *tp);
+
+static int
+clock_gettime(int32_t id, struct timespec *tp) {
+	struct timeval tv;
+	int result;
+
+	UNUSED(id);
+
+	result = gettimeofday(&tv, NULL);
+	if (result == 0) {
+		tp->tv_sec = tv.tv_sec;
+		tp->tv_nsec = (long)tv.tv_usec * 1000;
+	}
+	return (result);
+}
+#endif /* ifndef HAVE_CLOCK_GETTIME */
+
+CK_BYTE modulus[] = {
+	0x00, 0xb7, 0x9c, 0x1f, 0x05, 0xa3, 0xc2, 0x99, 0x44, 0x82, 0x20, 0x78,
+	0x43, 0x7f, 0x5f, 0x3b, 0x10, 0xd7, 0x9e, 0x61, 0x42, 0xd2, 0x7a, 0x90,
+	0x50, 0x8a, 0x99, 0x33, 0xe7, 0xca, 0xc8, 0x5f, 0x16, 0x1c, 0x56, 0xf8,
+	0xc1, 0x06, 0x2f, 0x96, 0xe7, 0x54, 0xf2, 0x85, 0x89, 0x41, 0x36, 0xf5,
+	0x4c, 0xa4, 0x0d, 0x62, 0xd3, 0x42, 0x51, 0x6b, 0x9f, 0xdc, 0x36, 0xcb,
+	0xad, 0x56, 0xf4, 0xbd, 0x2a, 0x60, 0x33, 0xb1, 0x7a, 0x99, 0xad, 0x08,
+	0x9f, 0x95, 0xe8, 0xe5, 0x14, 0xd9, 0x68, 0x79, 0xca, 0x4e, 0x72, 0xeb,
+	0xfb, 0x2c, 0xf1, 0x45, 0xd3, 0x33, 0x65, 0xe7, 0xc5, 0x11, 0xdd, 0xe7,
+	0x09, 0x83, 0x13, 0xd5, 0x17, 0x1b, 0xf4, 0xbd, 0x49, 0xdd, 0x8a, 0x3c,
+	0x3c, 0xf7, 0xa1, 0x5d, 0x7b, 0xb4, 0xd3, 0x80, 0x25, 0xf4, 0x05, 0x8f,
+	0xbc, 0x2c, 0x2a, 0x47, 0xff, 0xd1, 0xc8, 0x34, 0xbf
+};
+CK_BYTE pubexp[] = { 0x01, 0x00, 0x01 };
+CK_BYTE privexp[] = {
+	0x00, 0xae, 0x02, 0xf1, 0x47, 0xa8, 0x07, 0x02, 0xb8, 0xf1, 0xd6, 0x92,
+	0x03, 0xee, 0x50, 0x33, 0xab, 0x67, 0x9e, 0x3b, 0xb1, 0x57, 0xc7, 0x3e,
+	0xc4, 0x86, 0x46, 0x61, 0xf1, 0xf8, 0xb6, 0x63, 0x9f, 0x91, 0xe6, 0x3f,
+	0x44, 0xb8, 0x77, 0x1b, 0xbe, 0x4c, 0x3c, 0xb8, 0x9f, 0xf7, 0x45, 0x7d,
+	0xbf, 0x4f, 0xef, 0x3b, 0xcc, 0xda, 0x1a, 0x4e, 0x34, 0xa8, 0x40, 0xea,
+	0x51, 0x72, 0x8a, 0xea, 0x47, 0x06, 0x04, 0xd0, 0x62, 0x31, 0xa0, 0x6c,
+	0x09, 0x60, 0xf9, 0xc7, 0x95, 0x88, 0x4a, 0xd7, 0x19, 0xce, 0x89, 0x08,
+	0x87, 0x14, 0xef, 0xcc, 0x0a, 0xef, 0x72, 0xb9, 0x21, 0xf5, 0xf0, 0xcd,
+	0x6d, 0xe5, 0xfa, 0x15, 0x7f, 0xae, 0x33, 0x9f, 0x26, 0xac, 0x2e, 0x52,
+	0x02, 0x07, 0xfb, 0x1d, 0x4b, 0xec, 0x9a, 0x6b, 0x3b, 0x26, 0x1f, 0x52,
+	0xfc, 0x47, 0xf8, 0x66, 0x33, 0xfa, 0x50, 0x6c, 0x41
+};
+CK_BYTE prime1[] = { 0x00, 0xe8, 0x98, 0xeb, 0xa1, 0xf0, 0xce, 0xde, 0xc2, 0x74,
+		     0x01, 0x18, 0x2b, 0xd3, 0x8f, 0x58, 0xcd, 0xe9, 0x8e, 0x97,
+		     0xbe, 0xfe, 0xe8, 0x6f, 0xd6, 0x0c, 0x0a, 0x47, 0xf8, 0x56,
+		     0x84, 0x36, 0x15, 0xe6, 0x75, 0x1c, 0x69, 0x48, 0x8b, 0xf5,
+		     0x0f, 0x84, 0xd2, 0x60, 0x8b, 0xa2, 0x2a, 0xa1, 0xeb, 0xed,
+		     0xbe, 0x2d, 0xe9, 0x41, 0x0b, 0xed, 0x17, 0x7c, 0xd3, 0xa6,
+		     0x35, 0x6e, 0xa6, 0xd8, 0x21 };
+CK_BYTE prime2[] = { 0x00, 0xca, 0x15, 0x6a, 0x43, 0x5e, 0x83, 0xc9, 0x09, 0xeb,
+		     0x14, 0x1e, 0x46, 0x46, 0x97, 0xfa, 0xfa, 0x3c, 0x61, 0x7e,
+		     0xc1, 0xf8, 0x8c, 0x5e, 0xcb, 0xbf, 0xe4, 0xb9, 0x78, 0x7f,
+		     0x4f, 0xab, 0x82, 0x15, 0x53, 0xaa, 0x04, 0xee, 0x11, 0x21,
+		     0x2e, 0x23, 0x08, 0xa0, 0x14, 0x6d, 0x3a, 0x88, 0xe6, 0xf8,
+		     0xbe, 0x61, 0x38, 0x99, 0xca, 0x36, 0x0d, 0x3e, 0x42, 0x0f,
+		     0x63, 0x4d, 0x73, 0xf0, 0xdf };
+CK_BYTE exp_1[] = { 0x66, 0x2d, 0xb7, 0x65, 0xbe, 0x99, 0xc2, 0x35, 0xfe, 0x2b,
+		    0xf4, 0xe8, 0x5b, 0xd9, 0xdf, 0x13, 0x26, 0x04, 0xe4, 0x18,
+		    0x9d, 0x76, 0x92, 0x9a, 0x9f, 0x53, 0x6c, 0xe6, 0x65, 0x6b,
+		    0x53, 0x2f, 0x2f, 0xbc, 0x46, 0xac, 0xe1, 0x97, 0xca, 0x21,
+		    0xf5, 0x21, 0x4e, 0x14, 0x49, 0x3b, 0x1d, 0x42, 0xbd, 0x80,
+		    0x0c, 0x3f, 0x29, 0xba, 0x09, 0x7f, 0x85, 0xf0, 0x9c, 0x55,
+		    0x60, 0xb4, 0x9e, 0xc1 };
+CK_BYTE exp_2[] = { 0x00, 0x87, 0x22, 0x74, 0xf1, 0xe2, 0x15, 0x3c, 0x6d, 0xde,
+		    0x7e, 0x90, 0x94, 0x2c, 0x06, 0xdb, 0xb5, 0x54, 0x85, 0x59,
+		    0xcf, 0x7a, 0x56, 0xdb, 0xd9, 0x62, 0x54, 0x20, 0x56, 0xdc,
+		    0xc3, 0xb9, 0x0b, 0xff, 0x18, 0xf8, 0x7b, 0xdd, 0x7b, 0x24,
+		    0xf6, 0x06, 0x45, 0x71, 0x4e, 0xd7, 0x90, 0x2a, 0x16, 0x52,
+		    0x46, 0x75, 0x1a, 0xf5, 0x74, 0x8c, 0x5a, 0xa4, 0xc4, 0x66,
+		    0x27, 0xe0, 0x96, 0x64, 0x7f };
+CK_BYTE coeff[] = { 0x00, 0xd0, 0x1f, 0xb3, 0x47, 0x40, 0x93, 0x8b, 0x99, 0xd7,
+		    0xb5, 0xc6, 0x09, 0x82, 0x65, 0x94, 0x9d, 0x56, 0x0a, 0x05,
+		    0x55, 0x7d, 0x93, 0x04, 0xa4, 0x26, 0xee, 0x42, 0x86, 0xa3,
+		    0xf1, 0xd5, 0x7a, 0x42, 0x84, 0x3c, 0x21, 0x96, 0x9a, 0xd9,
+		    0x36, 0xd4, 0x62, 0x01, 0xb0, 0x8b, 0x77, 0xe5, 0xcc, 0x1b,
+		    0xd2, 0x12, 0xd2, 0x9c, 0x89, 0x67, 0x0c, 0x00, 0x09, 0x56,
+		    0x8c, 0x33, 0x57, 0xf9, 0x8c };
+
+char label[16];
+
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+int
+main(int argc, char *argv[]) {
+	isc_result_t result;
+	CK_RV rv;
+	CK_SLOT_ID slot = 0;
+	CK_SESSION_HANDLE hSession = CK_INVALID_HANDLE;
+	CK_OBJECT_HANDLE *hKey;
+	CK_OBJECT_CLASS kClass = CKO_PRIVATE_KEY;
+	CK_KEY_TYPE kType = CKK_RSA;
+	CK_ATTRIBUTE kTemplate[] = {
+		{ CKA_CLASS, &kClass, (CK_ULONG)sizeof(kClass) },
+		{ CKA_KEY_TYPE, &kType, (CK_ULONG)sizeof(kType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
+		{ CKA_PRIVATE, &truevalue, (CK_ULONG)sizeof(truevalue) },
+		{ CKA_LABEL, (CK_BYTE_PTR)label, (CK_ULONG)sizeof(label) },
+		{ CKA_SIGN, &truevalue, (CK_ULONG)sizeof(truevalue) },
+		{ CKA_MODULUS, modulus, (CK_ULONG)sizeof(modulus) },
+		{ CKA_PUBLIC_EXPONENT, pubexp, (CK_ULONG)sizeof(pubexp) },
+		{ CKA_PRIVATE_EXPONENT, privexp, (CK_ULONG)sizeof(privexp) },
+		{ CKA_PRIME_1, prime1, (CK_ULONG)sizeof(prime1) },
+		{ CKA_PRIME_2, prime2, (CK_ULONG)sizeof(prime2) },
+		{ CKA_EXPONENT_1, exp_1, (CK_ULONG)sizeof(exp_1) },
+		{ CKA_EXPONENT_2, exp_2, (CK_ULONG)sizeof(exp_2) },
+		{ CKA_COEFFICIENT, coeff, (CK_ULONG)sizeof(coeff) }
+	};
+	pk11_context_t pctx;
+	pk11_optype_t op_type = OP_RSA;
+	char *lib_name = NULL;
+	char *pin = NULL;
+	int error = 0;
+	int c, errflg = 0;
+	int ontoken = 0;
+	unsigned int count = 1000;
+	unsigned int i;
+	struct timespec starttime;
+	struct timespec endtime;
+
+	while ((c = isc_commandline_parse(argc, argv, ":m:s:p:tn:")) != -1) {
+		switch (c) {
+		case 'm':
+			lib_name = isc_commandline_argument;
+			break;
+		case 's':
+			slot = atoi(isc_commandline_argument);
+			op_type = OP_ANY;
+			break;
+		case 'p':
+			pin = isc_commandline_argument;
+			break;
+		case 't':
+			ontoken = 1;
+			break;
+		case 'n':
+			count = atoi(isc_commandline_argument);
+			break;
+		case ':':
+			fprintf(stderr, "Option -%c requires an operand\n",
+				isc_commandline_option);
+			errflg++;
+			break;
+		case '?':
+		default:
+			fprintf(stderr, "Unrecognised option: -%c\n",
+				isc_commandline_option);
+			errflg++;
+		}
+	}
+
+	if (errflg) {
+		fprintf(stderr, "Usage:\n");
+		fprintf(stderr, "\tprivrsa [-m module] [-s slot] [-p pin] "
+				"[-t] [-n count]\n");
+		exit(1);
+	}
+
+	pk11_result_register();
+
+	/* Allocate handles */
+	hKey = (CK_SESSION_HANDLE *)malloc(count * sizeof(CK_SESSION_HANDLE));
+	if (hKey == NULL) {
+		perror("malloc");
+		exit(1);
+	}
+	for (i = 0; i < count; i++) {
+		hKey[i] = CK_INVALID_HANDLE;
+	}
+
+	/* Initialize the CRYPTOKI library */
+	if (lib_name != NULL) {
+		pk11_set_lib_name(lib_name);
+	}
+
+	if (pin == NULL) {
+		pin = getpass("Enter Pin: ");
+	}
+
+	result = pk11_get_session(&pctx, op_type, false, true, true,
+				  (const char *)pin, slot);
+	if ((result != ISC_R_SUCCESS) && (result != PK11_R_NORANDOMSERVICE) &&
+	    (result != PK11_R_NODIGESTSERVICE) &&
+	    (result != PK11_R_NOAESSERVICE))
+	{
+		fprintf(stderr, "Error initializing PKCS#11: %s\n",
+			isc_result_totext(result));
+		free(hKey);
+		exit(1);
+	}
+
+	if (pin != NULL) {
+		memset(pin, 0, strlen((char *)pin));
+	}
+
+	hSession = pctx.session;
+
+	if (ontoken) {
+		kTemplate[2].pValue = &truevalue;
+	}
+
+	if (clock_gettime(CLOCK_REALTIME, &starttime) < 0) {
+		perror("clock_gettime(start)");
+		goto exit_objects;
+	}
+
+	for (i = 0; i < count; i++) {
+		(void)snprintf(label, sizeof(label), "obj%u", i);
+		kTemplate[4].ulValueLen = strlen(label);
+		rv = pkcs_C_CreateObject(hSession, kTemplate, 14, &hKey[i]);
+		if (rv != CKR_OK) {
+			fprintf(stderr, "C_CreateObject[%u]: Error = 0x%.8lX\n",
+				i, rv);
+			error = 1;
+			if (i == 0) {
+				goto exit_objects;
+			}
+			break;
+		}
+	}
+
+	if (clock_gettime(CLOCK_REALTIME, &endtime) < 0) {
+		perror("clock_gettime(end)");
+		goto exit_objects;
+	}
+
+	endtime.tv_sec -= starttime.tv_sec;
+	endtime.tv_nsec -= starttime.tv_nsec;
+	while (endtime.tv_nsec < 0) {
+		endtime.tv_sec -= 1;
+		endtime.tv_nsec += 1000000000;
+	}
+	printf("%u private RSA keys in %ld.%09lds\n", i, endtime.tv_sec,
+	       endtime.tv_nsec);
+	if (i > 0) {
+		printf("%g private RSA keys/s\n",
+		       1024 * i /
+			       ((double)endtime.tv_sec +
+				(double)endtime.tv_nsec / 1000000000.));
+	}
+
+exit_objects:
+	for (i = 0; i < count; i++) {
+		/* Destroy objects */
+		if (hKey[i] == CK_INVALID_HANDLE) {
+			continue;
+		}
+		rv = pkcs_C_DestroyObject(hSession, hKey[i]);
+		if ((rv != CKR_OK) && !errflg) {
+			fprintf(stderr,
+				"C_DestroyObject[%u]: Error = 0x%.8lX\n", i,
+				rv);
+			errflg = 1;
+		}
+	}
+
+	free(hKey);
+
+	pk11_return_session(&pctx);
+	(void)pk11_finalize();
+
+	exit(error);
+}
diff --git a/bin/tests/pkcs11/benchmarks/pubrsa.c b/bin/tests/pkcs11/benchmarks/pubrsa.c
new file mode 100644
index 0000000..1036df7
--- /dev/null
+++ b/bin/tests/pkcs11/benchmarks/pubrsa.c
@@ -0,0 +1,278 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* pubrsa [-m module] [-s $slot] [-p pin] [-t] [-n count] */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <isc/commandline.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <pk11/pk11.h>
+#include <pk11/result.h>
+
+#ifndef HAVE_CLOCK_GETTIME
+
+#include <sys/time.h>
+
+#ifndef CLOCK_REALTIME
+#define CLOCK_REALTIME 0
+#endif /* ifndef CLOCK_REALTIME */
+
+static int
+clock_gettime(int32_t id, struct timespec *tp);
+
+static int
+clock_gettime(int32_t id, struct timespec *tp) {
+	struct timeval tv;
+	int result;
+
+	UNUSED(id);
+
+	result = gettimeofday(&tv, NULL);
+	if (result == 0) {
+		tp->tv_sec = tv.tv_sec;
+		tp->tv_nsec = (long)tv.tv_usec * 1000;
+	}
+	return (result);
+}
+#endif /* ifndef HAVE_CLOCK_GETTIME */
+
+CK_BYTE modulus[] = {
+	0x00, 0xb7, 0x9c, 0x1f, 0x05, 0xa3, 0xc2, 0x99, 0x44, 0x82, 0x20, 0x78,
+	0x43, 0x7f, 0x5f, 0x3b, 0x10, 0xd7, 0x9e, 0x61, 0x42, 0xd2, 0x7a, 0x90,
+	0x50, 0x8a, 0x99, 0x33, 0xe7, 0xca, 0xc8, 0x5f, 0x16, 0x1c, 0x56, 0xf8,
+	0xc1, 0x06, 0x2f, 0x96, 0xe7, 0x54, 0xf2, 0x85, 0x89, 0x41, 0x36, 0xf5,
+	0x4c, 0xa4, 0x0d, 0x62, 0xd3, 0x42, 0x51, 0x6b, 0x9f, 0xdc, 0x36, 0xcb,
+	0xad, 0x56, 0xf4, 0xbd, 0x2a, 0x60, 0x33, 0xb1, 0x7a, 0x99, 0xad, 0x08,
+	0x9f, 0x95, 0xe8, 0xe5, 0x14, 0xd9, 0x68, 0x79, 0xca, 0x4e, 0x72, 0xeb,
+	0xfb, 0x2c, 0xf1, 0x45, 0xd3, 0x33, 0x65, 0xe7, 0xc5, 0x11, 0xdd, 0xe7,
+	0x09, 0x83, 0x13, 0xd5, 0x17, 0x1b, 0xf4, 0xbd, 0x49, 0xdd, 0x8a, 0x3c,
+	0x3c, 0xf7, 0xa1, 0x5d, 0x7b, 0xb4, 0xd3, 0x80, 0x25, 0xf4, 0x05, 0x8f,
+	0xbc, 0x2c, 0x2a, 0x47, 0xff, 0xd1, 0xc8, 0x34, 0xbf
+};
+CK_BYTE exponent[] = { 0x01, 0x00, 0x01 };
+
+char label[16];
+
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+int
+main(int argc, char *argv[]) {
+	isc_result_t result;
+	CK_RV rv;
+	CK_SLOT_ID slot = 0;
+	CK_SESSION_HANDLE hSession = CK_INVALID_HANDLE;
+	CK_OBJECT_HANDLE *hKey;
+	CK_OBJECT_CLASS kClass = CKO_PUBLIC_KEY;
+	CK_KEY_TYPE kType = CKK_RSA;
+	CK_ATTRIBUTE kTemplate[] = {
+		{ CKA_CLASS, &kClass, (CK_ULONG)sizeof(kClass) },
+		{ CKA_KEY_TYPE, &kType, (CK_ULONG)sizeof(kType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
+		{ CKA_LABEL, (CK_BYTE_PTR)label, (CK_ULONG)sizeof(label) },
+		{ CKA_VERIFY, &truevalue, (CK_ULONG)sizeof(truevalue) },
+		{ CKA_MODULUS, modulus, (CK_ULONG)sizeof(modulus) },
+		{ CKA_PUBLIC_EXPONENT, exponent, (CK_ULONG)sizeof(exponent) }
+	};
+	pk11_context_t pctx;
+	pk11_optype_t op_type = OP_RSA;
+	char *lib_name = NULL;
+	char *pin = NULL;
+	int error = 0;
+	int c, errflg = 0;
+	int ontoken = 0;
+	unsigned int count = 1000;
+	unsigned int i;
+	struct timespec starttime;
+	struct timespec endtime;
+
+	while ((c = isc_commandline_parse(argc, argv, ":m:s:p:tn:")) != -1) {
+		switch (c) {
+		case 'm':
+			lib_name = isc_commandline_argument;
+			break;
+		case 's':
+			slot = atoi(isc_commandline_argument);
+			op_type = OP_ANY;
+			break;
+		case 'p':
+			pin = isc_commandline_argument;
+			break;
+		case 't':
+			ontoken = 1;
+			break;
+		case 'n':
+			count = atoi(isc_commandline_argument);
+			break;
+		case ':':
+			fprintf(stderr, "Option -%c requires an operand\n",
+				isc_commandline_option);
+			errflg++;
+			break;
+		case '?':
+		default:
+			fprintf(stderr, "Unrecognised option: -%c\n",
+				isc_commandline_option);
+			errflg++;
+		}
+	}
+
+	if (errflg) {
+		fprintf(stderr, "Usage:\n");
+		fprintf(stderr, "\tpubrsa [-m module] [-s slot] [-p pin] "
+				"[-t] [-n count]\n");
+		exit(1);
+	}
+
+	pk11_result_register();
+
+	/* Allocate handles */
+	hKey = (CK_SESSION_HANDLE *)malloc(count * sizeof(CK_SESSION_HANDLE));
+	if (hKey == NULL) {
+		perror("malloc");
+		exit(1);
+	}
+	for (i = 0; i < count; i++) {
+		hKey[i] = CK_INVALID_HANDLE;
+	}
+
+	/* Initialize the CRYPTOKI library */
+	if (lib_name != NULL) {
+		pk11_set_lib_name(lib_name);
+	}
+
+	if (pin == NULL) {
+		pin = getpass("Enter Pin: ");
+	}
+
+	result = pk11_get_session(&pctx, op_type, false, true, true,
+				  (const char *)pin, slot);
+	if ((result != ISC_R_SUCCESS) && (result != PK11_R_NORANDOMSERVICE) &&
+	    (result != PK11_R_NODIGESTSERVICE) &&
+	    (result != PK11_R_NOAESSERVICE))
+	{
+		fprintf(stderr, "Error initializing PKCS#11: %s\n",
+			isc_result_totext(result));
+		free(hKey);
+		exit(1);
+	}
+
+	if (pin != NULL) {
+		memset(pin, 0, strlen((char *)pin));
+	}
+
+	hSession = pctx.session;
+
+	if (ontoken) {
+		kTemplate[2].pValue = &truevalue;
+	}
+
+	if (clock_gettime(CLOCK_REALTIME, &starttime) < 0) {
+		perror("clock_gettime(start)");
+		goto exit_objects;
+	}
+
+	for (i = 0; i < count; i++) {
+		(void)snprintf(label, sizeof(label), "obj%u", i);
+		kTemplate[4].ulValueLen = strlen(label);
+		rv = pkcs_C_CreateObject(hSession, kTemplate, 8, &hKey[i]);
+		if (rv != CKR_OK) {
+			fprintf(stderr, "C_CreateObject[%u]: Error = 0x%.8lX\n",
+				i, rv);
+			error = 1;
+			if (i == 0) {
+				goto exit_objects;
+			}
+			break;
+		}
+	}
+
+	if (clock_gettime(CLOCK_REALTIME, &endtime) < 0) {
+		perror("clock_gettime(end)");
+		goto exit_objects;
+	}
+
+	endtime.tv_sec -= starttime.tv_sec;
+	endtime.tv_nsec -= starttime.tv_nsec;
+	while (endtime.tv_nsec < 0) {
+		endtime.tv_sec -= 1;
+		endtime.tv_nsec += 1000000000;
+	}
+	printf("%u public RSA keys in %ld.%09lds\n", i, endtime.tv_sec,
+	       endtime.tv_nsec);
+	if (i > 0) {
+		printf("%g public RSA keys/s\n",
+		       1024 * i /
+			       ((double)endtime.tv_sec +
+				(double)endtime.tv_nsec / 1000000000.));
+	}
+
+exit_objects:
+	for (i = 0; i < count; i++) {
+		/* Destroy objects */
+		if (hKey[i] == CK_INVALID_HANDLE) {
+			continue;
+		}
+		rv = pkcs_C_DestroyObject(hSession, hKey[i]);
+		if ((rv != CKR_OK) && !errflg) {
+			fprintf(stderr,
+				"C_DestroyObject[%u]: Error = 0x%.8lX\n", i,
+				rv);
+			errflg = 1;
+		}
+	}
+
+	free(hKey);
+
+	pk11_return_session(&pctx);
+	(void)pk11_finalize();
+
+	exit(error);
+}
diff --git a/bin/tests/pkcs11/benchmarks/session.c b/bin/tests/pkcs11/benchmarks/session.c
new file mode 100644
index 0000000..69f823f
--- /dev/null
+++ b/bin/tests/pkcs11/benchmarks/session.c
@@ -0,0 +1,218 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* session [-m module] [-s $slot] [-n count] */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <isc/commandline.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <pk11/internal.h>
+#include <pk11/pk11.h>
+
+#ifndef HAVE_CLOCK_GETTIME
+
+#include <sys/time.h>
+
+#ifndef CLOCK_REALTIME
+#define CLOCK_REALTIME 0
+#endif /* ifndef CLOCK_REALTIME */
+
+static int
+clock_gettime(int32_t id, struct timespec *tp);
+
+static int
+clock_gettime(int32_t id, struct timespec *tp) {
+	struct timeval tv;
+	int result;
+
+	UNUSED(id);
+
+	result = gettimeofday(&tv, NULL);
+	if (result == 0) {
+		tp->tv_sec = tv.tv_sec;
+		tp->tv_nsec = (long)tv.tv_usec * 1000;
+	}
+	return (result);
+}
+#endif /* ifndef HAVE_CLOCK_GETTIME */
+
+int
+main(int argc, char *argv[]) {
+	CK_RV rv;
+	CK_SLOT_ID slot = 0;
+	CK_SESSION_HANDLE *hSession;
+	char *lib_name = NULL;
+	int error = 0;
+	int c, errflg = 0;
+	unsigned int count = 1000;
+	unsigned int i;
+	struct timespec starttime;
+	struct timespec endtime;
+
+	while ((c = isc_commandline_parse(argc, argv, ":m:s:n:")) != -1) {
+		switch (c) {
+		case 'm':
+			lib_name = isc_commandline_argument;
+			break;
+		case 's':
+			slot = atoi(isc_commandline_argument);
+			break;
+		case 'n':
+			count = atoi(isc_commandline_argument);
+			break;
+		case ':':
+			fprintf(stderr, "Option -%c requires an operand\n",
+				isc_commandline_option);
+			errflg++;
+			break;
+		case '?':
+		default:
+			fprintf(stderr, "Unrecognised option: -%c\n",
+				isc_commandline_option);
+			errflg++;
+		}
+	}
+
+	if (errflg) {
+		fprintf(stderr, "Usage:\n");
+		fprintf(stderr, "\tsession [-m module] [-s slot] [-n count]\n");
+		exit(1);
+	}
+
+	/* Allocate sessions */
+	hSession =
+		(CK_SESSION_HANDLE *)malloc(count * sizeof(CK_SESSION_HANDLE));
+	if (hSession == NULL) {
+		perror("malloc");
+		exit(1);
+	}
+	for (i = 0; i < count; i++) {
+		hSession[i] = CK_INVALID_HANDLE;
+	}
+
+	/* Initialize the CRYPTOKI library */
+	if (lib_name != NULL) {
+		pk11_set_lib_name(lib_name);
+	}
+
+	rv = pkcs_C_Initialize(NULL_PTR);
+	if (rv != CKR_OK) {
+		if (rv == 0xfe) {
+			fprintf(stderr, "Can't load or link module \"%s\"\n",
+				pk11_get_lib_name());
+		} else {
+			fprintf(stderr, "C_Initialize: Error = 0x%.8lX\n", rv);
+		}
+		free(hSession);
+		exit(1);
+	}
+
+	if (clock_gettime(CLOCK_REALTIME, &starttime) < 0) {
+		perror("clock_gettime(start)");
+		goto exit_program;
+	}
+
+	/* loop */
+	for (i = 0; i < count; i++) {
+		/* Open sessions */
+		rv = pkcs_C_OpenSession(slot, CKF_SERIAL_SESSION, NULL_PTR,
+					NULL_PTR, &hSession[i]);
+		if (rv != CKR_OK) {
+			fprintf(stderr, "C_OpenSession[%u]: Error = 0x%.8lX\n",
+				i, rv);
+			error = 1;
+			if (i == 0) {
+				goto exit_program;
+			}
+			break;
+		}
+	}
+
+	if (clock_gettime(CLOCK_REALTIME, &endtime) < 0) {
+		perror("clock_gettime(end)");
+		goto exit_program;
+	}
+
+	endtime.tv_sec -= starttime.tv_sec;
+	endtime.tv_nsec -= starttime.tv_nsec;
+	while (endtime.tv_nsec < 0) {
+		endtime.tv_sec -= 1;
+		endtime.tv_nsec += 1000000000;
+	}
+	printf("%u sessions in %ld.%09lds\n", i, endtime.tv_sec,
+	       endtime.tv_nsec);
+	if (i > 0) {
+		printf("%g sessions/s\n",
+		       i / ((double)endtime.tv_sec +
+			    (double)endtime.tv_nsec / 1000000000.));
+	}
+
+	for (i = 0; i < count; i++) {
+		/* Close sessions */
+		if (hSession[i] == CK_INVALID_HANDLE) {
+			continue;
+		}
+		rv = pkcs_C_CloseSession(hSession[i]);
+		if ((rv != CKR_OK) && !errflg) {
+			fprintf(stderr, "C_CloseSession[%u]: Error = 0x%.8lX\n",
+				i, rv);
+			errflg = 1;
+		}
+	}
+
+exit_program:
+	free(hSession);
+
+	rv = pkcs_C_Finalize(NULL_PTR);
+	if (rv != CKR_OK) {
+		fprintf(stderr, "C_Finalize: Error = 0x%.8lX\n", rv);
+	}
+
+	exit(error);
+}
diff --git a/bin/tests/pkcs11/benchmarks/sha1.c b/bin/tests/pkcs11/benchmarks/sha1.c
new file mode 100644
index 0000000..17a5662
--- /dev/null
+++ b/bin/tests/pkcs11/benchmarks/sha1.c
@@ -0,0 +1,217 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* sha1 [-m module] [-s $slot] [-n count] */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <isc/commandline.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <pk11/pk11.h>
+#include <pk11/result.h>
+
+#ifndef HAVE_CLOCK_GETTIME
+
+#include <sys/time.h>
+
+#ifndef CLOCK_REALTIME
+#define CLOCK_REALTIME 0
+#endif /* ifndef CLOCK_REALTIME */
+
+static int
+clock_gettime(int32_t id, struct timespec *tp);
+
+static int
+clock_gettime(int32_t id, struct timespec *tp) {
+	struct timeval tv;
+	int result;
+
+	UNUSED(id);
+
+	result = gettimeofday(&tv, NULL);
+	if (result == 0) {
+		tp->tv_sec = tv.tv_sec;
+		tp->tv_nsec = (long)tv.tv_usec * 1000;
+	}
+	return (result);
+}
+#endif /* ifndef HAVE_CLOCK_GETTIME */
+
+CK_BYTE buf[1024];
+
+int
+main(int argc, char *argv[]) {
+	isc_result_t result;
+	CK_RV rv;
+	CK_SLOT_ID slot = 0;
+	CK_SESSION_HANDLE hSession = CK_INVALID_HANDLE;
+	CK_MECHANISM mech = { CKM_SHA_1, NULL, 0 };
+	CK_ULONG len = sizeof(buf);
+	pk11_context_t pctx;
+	pk11_optype_t op_type = OP_DIGEST;
+	char *lib_name = NULL;
+	int error = 0;
+	int c, errflg = 0;
+	unsigned int count = 1000;
+	unsigned int i;
+	struct timespec starttime;
+	struct timespec endtime;
+
+	while ((c = isc_commandline_parse(argc, argv, ":m:s:n:")) != -1) {
+		switch (c) {
+		case 'm':
+			lib_name = isc_commandline_argument;
+			break;
+		case 's':
+			slot = atoi(isc_commandline_argument);
+			op_type = OP_ANY;
+			break;
+		case 'n':
+			count = atoi(isc_commandline_argument);
+			break;
+		case ':':
+			fprintf(stderr, "Option -%c requires an operand\n",
+				isc_commandline_option);
+			errflg++;
+			break;
+		case '?':
+		default:
+			fprintf(stderr, "Unrecognised option: -%c\n",
+				isc_commandline_option);
+			errflg++;
+		}
+	}
+
+	if (errflg) {
+		fprintf(stderr, "Usage:\n");
+		fprintf(stderr, "\tssha1 [-m module] [-s slot] [-n count]\n");
+		exit(1);
+	}
+
+	pk11_result_register();
+
+	/* Initialize the CRYPTOKI library */
+	if (lib_name != NULL) {
+		pk11_set_lib_name(lib_name);
+	}
+
+	result = pk11_get_session(&pctx, op_type, false, false, false, NULL,
+				  slot);
+	if ((result != ISC_R_SUCCESS) && (result != PK11_R_NORANDOMSERVICE) &&
+	    (result != PK11_R_NOAESSERVICE))
+	{
+		fprintf(stderr, "Error initializing PKCS#11: %s\n",
+			isc_result_totext(result));
+		exit(1);
+	}
+
+	hSession = pctx.session;
+
+	/* Randomize the buffer */
+	rv = pkcs_C_GenerateRandom(hSession, buf, len);
+	if (rv != CKR_OK) {
+		fprintf(stderr, "C_GenerateRandom: Error = 0x%.8lX\n", rv);
+		goto exit_session;
+	}
+
+	if (clock_gettime(CLOCK_REALTIME, &starttime) < 0) {
+		perror("clock_gettime(start)");
+		goto exit_session;
+	}
+
+	/* Initialize Digest */
+	rv = pkcs_C_DigestInit(hSession, &mech);
+	if (rv != CKR_OK) {
+		fprintf(stderr, "C_DigestInit: Error = 0x%.8lX\n", rv);
+		goto exit_session;
+	}
+
+	for (i = 0; i < count; i++) {
+		/* Digest buffer */
+		rv = pkcs_C_DigestUpdate(hSession, buf, len);
+		if (rv != CKR_OK) {
+			fprintf(stderr, "C_DigestUpdate[%u]: Error = 0x%.8lX\n",
+				i, rv);
+			error = 1;
+			break;
+		}
+	}
+
+	/* Finalize Digest (unconditionally) */
+	len = 20U;
+	rv = pkcs_C_DigestFinal(hSession, buf, &len);
+	if ((rv != CKR_OK) && !error) {
+		fprintf(stderr, "C_DigestFinal: Error = 0x%.8lX\n", rv);
+	}
+
+	if (clock_gettime(CLOCK_REALTIME, &endtime) < 0) {
+		perror("clock_gettime(end)");
+		goto exit_session;
+	}
+
+	endtime.tv_sec -= starttime.tv_sec;
+	endtime.tv_nsec -= starttime.tv_nsec;
+	while (endtime.tv_nsec < 0) {
+		endtime.tv_sec -= 1;
+		endtime.tv_nsec += 1000000000;
+	}
+	printf("%uK digested bytes in %ld.%09lds\n", i, endtime.tv_sec,
+	       endtime.tv_nsec);
+	if (i > 0) {
+		printf("%g digested bytes/s\n",
+		       1024 * i /
+			       ((double)endtime.tv_sec +
+				(double)endtime.tv_nsec / 1000000000.));
+	}
+
+exit_session:
+	pk11_return_session(&pctx);
+	(void)pk11_finalize();
+
+	exit(error);
+}
diff --git a/bin/tests/pkcs11/benchmarks/sign.c b/bin/tests/pkcs11/benchmarks/sign.c
new file mode 100644
index 0000000..0a2bed7
--- /dev/null
+++ b/bin/tests/pkcs11/benchmarks/sign.c
@@ -0,0 +1,336 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* signrsa [-m module] [-s $slot] [-p pin] [-t] [-n count] */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <isc/commandline.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <pk11/pk11.h>
+#include <pk11/result.h>
+
+#ifndef HAVE_CLOCK_GETTIME
+
+#include <sys/time.h>
+
+#ifndef CLOCK_REALTIME
+#define CLOCK_REALTIME 0
+#endif /* ifndef CLOCK_REALTIME */
+
+static int
+clock_gettime(int32_t id, struct timespec *tp);
+
+static int
+clock_gettime(int32_t id, struct timespec *tp) {
+	struct timeval tv;
+	int result;
+
+	UNUSED(id);
+
+	result = gettimeofday(&tv, NULL);
+	if (result == 0) {
+		tp->tv_sec = tv.tv_sec;
+		tp->tv_nsec = (long)tv.tv_usec * 1000;
+	}
+	return (result);
+}
+#endif /* ifndef HAVE_CLOCK_GETTIME */
+
+CK_BYTE modulus[] = {
+	0x00, 0xb7, 0x9c, 0x1f, 0x05, 0xa3, 0xc2, 0x99, 0x44, 0x82, 0x20, 0x78,
+	0x43, 0x7f, 0x5f, 0x3b, 0x10, 0xd7, 0x9e, 0x61, 0x42, 0xd2, 0x7a, 0x90,
+	0x50, 0x8a, 0x99, 0x33, 0xe7, 0xca, 0xc8, 0x5f, 0x16, 0x1c, 0x56, 0xf8,
+	0xc1, 0x06, 0x2f, 0x96, 0xe7, 0x54, 0xf2, 0x85, 0x89, 0x41, 0x36, 0xf5,
+	0x4c, 0xa4, 0x0d, 0x62, 0xd3, 0x42, 0x51, 0x6b, 0x9f, 0xdc, 0x36, 0xcb,
+	0xad, 0x56, 0xf4, 0xbd, 0x2a, 0x60, 0x33, 0xb1, 0x7a, 0x99, 0xad, 0x08,
+	0x9f, 0x95, 0xe8, 0xe5, 0x14, 0xd9, 0x68, 0x79, 0xca, 0x4e, 0x72, 0xeb,
+	0xfb, 0x2c, 0xf1, 0x45, 0xd3, 0x33, 0x65, 0xe7, 0xc5, 0x11, 0xdd, 0xe7,
+	0x09, 0x83, 0x13, 0xd5, 0x17, 0x1b, 0xf4, 0xbd, 0x49, 0xdd, 0x8a, 0x3c,
+	0x3c, 0xf7, 0xa1, 0x5d, 0x7b, 0xb4, 0xd3, 0x80, 0x25, 0xf4, 0x05, 0x8f,
+	0xbc, 0x2c, 0x2a, 0x47, 0xff, 0xd1, 0xc8, 0x34, 0xbf
+};
+CK_BYTE pubexp[] = { 0x01, 0x00, 0x01 };
+CK_BYTE privexp[] = {
+	0x00, 0xae, 0x02, 0xf1, 0x47, 0xa8, 0x07, 0x02, 0xb8, 0xf1, 0xd6, 0x92,
+	0x03, 0xee, 0x50, 0x33, 0xab, 0x67, 0x9e, 0x3b, 0xb1, 0x57, 0xc7, 0x3e,
+	0xc4, 0x86, 0x46, 0x61, 0xf1, 0xf8, 0xb6, 0x63, 0x9f, 0x91, 0xe6, 0x3f,
+	0x44, 0xb8, 0x77, 0x1b, 0xbe, 0x4c, 0x3c, 0xb8, 0x9f, 0xf7, 0x45, 0x7d,
+	0xbf, 0x4f, 0xef, 0x3b, 0xcc, 0xda, 0x1a, 0x4e, 0x34, 0xa8, 0x40, 0xea,
+	0x51, 0x72, 0x8a, 0xea, 0x47, 0x06, 0x04, 0xd0, 0x62, 0x31, 0xa0, 0x6c,
+	0x09, 0x60, 0xf9, 0xc7, 0x95, 0x88, 0x4a, 0xd7, 0x19, 0xce, 0x89, 0x08,
+	0x87, 0x14, 0xef, 0xcc, 0x0a, 0xef, 0x72, 0xb9, 0x21, 0xf5, 0xf0, 0xcd,
+	0x6d, 0xe5, 0xfa, 0x15, 0x7f, 0xae, 0x33, 0x9f, 0x26, 0xac, 0x2e, 0x52,
+	0x02, 0x07, 0xfb, 0x1d, 0x4b, 0xec, 0x9a, 0x6b, 0x3b, 0x26, 0x1f, 0x52,
+	0xfc, 0x47, 0xf8, 0x66, 0x33, 0xfa, 0x50, 0x6c, 0x41
+};
+CK_BYTE prime1[] = { 0x00, 0xe8, 0x98, 0xeb, 0xa1, 0xf0, 0xce, 0xde, 0xc2, 0x74,
+		     0x01, 0x18, 0x2b, 0xd3, 0x8f, 0x58, 0xcd, 0xe9, 0x8e, 0x97,
+		     0xbe, 0xfe, 0xe8, 0x6f, 0xd6, 0x0c, 0x0a, 0x47, 0xf8, 0x56,
+		     0x84, 0x36, 0x15, 0xe6, 0x75, 0x1c, 0x69, 0x48, 0x8b, 0xf5,
+		     0x0f, 0x84, 0xd2, 0x60, 0x8b, 0xa2, 0x2a, 0xa1, 0xeb, 0xed,
+		     0xbe, 0x2d, 0xe9, 0x41, 0x0b, 0xed, 0x17, 0x7c, 0xd3, 0xa6,
+		     0x35, 0x6e, 0xa6, 0xd8, 0x21 };
+CK_BYTE prime2[] = { 0x00, 0xca, 0x15, 0x6a, 0x43, 0x5e, 0x83, 0xc9, 0x09, 0xeb,
+		     0x14, 0x1e, 0x46, 0x46, 0x97, 0xfa, 0xfa, 0x3c, 0x61, 0x7e,
+		     0xc1, 0xf8, 0x8c, 0x5e, 0xcb, 0xbf, 0xe4, 0xb9, 0x78, 0x7f,
+		     0x4f, 0xab, 0x82, 0x15, 0x53, 0xaa, 0x04, 0xee, 0x11, 0x21,
+		     0x2e, 0x23, 0x08, 0xa0, 0x14, 0x6d, 0x3a, 0x88, 0xe6, 0xf8,
+		     0xbe, 0x61, 0x38, 0x99, 0xca, 0x36, 0x0d, 0x3e, 0x42, 0x0f,
+		     0x63, 0x4d, 0x73, 0xf0, 0xdf };
+CK_BYTE exp_1[] = { 0x66, 0x2d, 0xb7, 0x65, 0xbe, 0x99, 0xc2, 0x35, 0xfe, 0x2b,
+		    0xf4, 0xe8, 0x5b, 0xd9, 0xdf, 0x13, 0x26, 0x04, 0xe4, 0x18,
+		    0x9d, 0x76, 0x92, 0x9a, 0x9f, 0x53, 0x6c, 0xe6, 0x65, 0x6b,
+		    0x53, 0x2f, 0x2f, 0xbc, 0x46, 0xac, 0xe1, 0x97, 0xca, 0x21,
+		    0xf5, 0x21, 0x4e, 0x14, 0x49, 0x3b, 0x1d, 0x42, 0xbd, 0x80,
+		    0x0c, 0x3f, 0x29, 0xba, 0x09, 0x7f, 0x85, 0xf0, 0x9c, 0x55,
+		    0x60, 0xb4, 0x9e, 0xc1 };
+CK_BYTE exp_2[] = { 0x00, 0x87, 0x22, 0x74, 0xf1, 0xe2, 0x15, 0x3c, 0x6d, 0xde,
+		    0x7e, 0x90, 0x94, 0x2c, 0x06, 0xdb, 0xb5, 0x54, 0x85, 0x59,
+		    0xcf, 0x7a, 0x56, 0xdb, 0xd9, 0x62, 0x54, 0x20, 0x56, 0xdc,
+		    0xc3, 0xb9, 0x0b, 0xff, 0x18, 0xf8, 0x7b, 0xdd, 0x7b, 0x24,
+		    0xf6, 0x06, 0x45, 0x71, 0x4e, 0xd7, 0x90, 0x2a, 0x16, 0x52,
+		    0x46, 0x75, 0x1a, 0xf5, 0x74, 0x8c, 0x5a, 0xa4, 0xc4, 0x66,
+		    0x27, 0xe0, 0x96, 0x64, 0x7f };
+CK_BYTE coeff[] = { 0x00, 0xd0, 0x1f, 0xb3, 0x47, 0x40, 0x93, 0x8b, 0x99, 0xd7,
+		    0xb5, 0xc6, 0x09, 0x82, 0x65, 0x94, 0x9d, 0x56, 0x0a, 0x05,
+		    0x55, 0x7d, 0x93, 0x04, 0xa4, 0x26, 0xee, 0x42, 0x86, 0xa3,
+		    0xf1, 0xd5, 0x7a, 0x42, 0x84, 0x3c, 0x21, 0x96, 0x9a, 0xd9,
+		    0x36, 0xd4, 0x62, 0x01, 0xb0, 0x8b, 0x77, 0xe5, 0xcc, 0x1b,
+		    0xd2, 0x12, 0xd2, 0x9c, 0x89, 0x67, 0x0c, 0x00, 0x09, 0x56,
+		    0x8c, 0x33, 0x57, 0xf9, 0x8c };
+
+CK_BYTE buf[1024];
+CK_BYTE sig[128];
+
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+int
+main(int argc, char *argv[]) {
+	isc_result_t result;
+	CK_RV rv;
+	CK_SLOT_ID slot = 0;
+	CK_SESSION_HANDLE hSession = CK_INVALID_HANDLE;
+	CK_ULONG len;
+	CK_ULONG slen;
+	CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
+	CK_OBJECT_CLASS kClass = CKO_PRIVATE_KEY;
+	CK_KEY_TYPE kType = CKK_RSA;
+	CK_ATTRIBUTE kTemplate[] = {
+		{ CKA_CLASS, &kClass, (CK_ULONG)sizeof(kClass) },
+		{ CKA_KEY_TYPE, &kType, (CK_ULONG)sizeof(kType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
+		{ CKA_PRIVATE, &truevalue, (CK_ULONG)sizeof(truevalue) },
+		{ CKA_SIGN, &truevalue, (CK_ULONG)sizeof(truevalue) },
+		{ CKA_MODULUS, modulus, (CK_ULONG)sizeof(modulus) },
+		{ CKA_PUBLIC_EXPONENT, pubexp, (CK_ULONG)sizeof(pubexp) },
+		{ CKA_PRIVATE_EXPONENT, privexp, (CK_ULONG)sizeof(privexp) },
+		{ CKA_PRIME_1, prime1, (CK_ULONG)sizeof(prime1) },
+		{ CKA_PRIME_2, prime2, (CK_ULONG)sizeof(prime2) },
+		{ CKA_EXPONENT_1, exp_1, (CK_ULONG)sizeof(exp_1) },
+		{ CKA_EXPONENT_2, exp_2, (CK_ULONG)sizeof(exp_2) },
+		{ CKA_COEFFICIENT, coeff, (CK_ULONG)sizeof(coeff) }
+	};
+	CK_MECHANISM mech = { CKM_SHA1_RSA_PKCS, NULL, 0 };
+	pk11_context_t pctx;
+	pk11_optype_t op_type = OP_RSA;
+	char *lib_name = NULL;
+	char *pin = NULL;
+	int error = 0;
+	int c, errflg = 0;
+	int ontoken = 0;
+	unsigned int count = 1000;
+	unsigned int i;
+	struct timespec starttime;
+	struct timespec endtime;
+
+	while ((c = isc_commandline_parse(argc, argv, ":m:s:p:tn:")) != -1) {
+		switch (c) {
+		case 'm':
+			lib_name = isc_commandline_argument;
+			break;
+		case 's':
+			slot = atoi(isc_commandline_argument);
+			op_type = OP_ANY;
+			break;
+		case 'p':
+			pin = isc_commandline_argument;
+			break;
+		case 't':
+			ontoken = 1;
+			break;
+		case 'n':
+			count = atoi(isc_commandline_argument);
+			break;
+		case ':':
+			fprintf(stderr, "Option -%c requires an operand\n",
+				isc_commandline_option);
+			errflg++;
+			break;
+		case '?':
+		default:
+			fprintf(stderr, "Unrecognised option: -%c\n",
+				isc_commandline_option);
+			errflg++;
+		}
+	}
+
+	if (errflg) {
+		fprintf(stderr, "Usage:\n");
+		fprintf(stderr, "\tsign [-m module] [-s slot] [-p pin] "
+				"[-t] [-n count]\n");
+		exit(1);
+	}
+
+	pk11_result_register();
+
+	/* Initialize the CRYPTOKI library */
+	if (lib_name != NULL) {
+		pk11_set_lib_name(lib_name);
+	}
+
+	if (pin == NULL) {
+		pin = getpass("Enter Pin: ");
+	}
+
+	result = pk11_get_session(&pctx, op_type, false, true, true,
+				  (const char *)pin, slot);
+	if ((result != ISC_R_SUCCESS) && (result != PK11_R_NORANDOMSERVICE) &&
+	    (result != PK11_R_NODIGESTSERVICE) &&
+	    (result != PK11_R_NOAESSERVICE))
+	{
+		fprintf(stderr, "Error initializing PKCS#11: %s\n",
+			isc_result_totext(result));
+		exit(1);
+	}
+
+	if (pin != NULL) {
+		memset(pin, 0, strlen((char *)pin));
+	}
+
+	hSession = pctx.session;
+
+	/* Create the private RSA key */
+	if (ontoken) {
+		kTemplate[2].pValue = &truevalue;
+	}
+
+	rv = pkcs_C_CreateObject(hSession, kTemplate, 13, &hKey);
+	if (rv != CKR_OK) {
+		fprintf(stderr, "C_CreateObject: Error = 0x%.8lX\n", rv);
+		goto exit_key;
+	}
+
+	/* Randomize the buffer */
+	len = (CK_ULONG)sizeof(buf);
+	rv = pkcs_C_GenerateRandom(hSession, buf, len);
+	if (rv != CKR_OK) {
+		fprintf(stderr, "C_GenerateRandom: Error = 0x%.8lX\n", rv);
+		goto exit_key;
+	}
+
+	if (clock_gettime(CLOCK_REALTIME, &starttime) < 0) {
+		perror("clock_gettime(start)");
+		goto exit_key;
+	}
+
+	for (i = 0; i < count; i++) {
+		/* Initialize Sign */
+		rv = pkcs_C_SignInit(hSession, &mech, hKey);
+		if (rv != CKR_OK) {
+			fprintf(stderr, "C_SignInit[%u]: Error = 0x%.8lX\n", i,
+				rv);
+			error = 1;
+			break;
+		}
+
+		/* Perform Sign */
+		slen = (CK_ULONG)sizeof(sig);
+		rv = pkcs_C_Sign(hSession, buf, len, sig, &slen);
+		if (rv != CKR_OK) {
+			fprintf(stderr, "C_Sign[%u]: Error = 0x%.8lX\n", i, rv);
+			error = 1;
+			break;
+		}
+	}
+
+	if (clock_gettime(CLOCK_REALTIME, &endtime) < 0) {
+		perror("clock_gettime(end)");
+		goto exit_key;
+	}
+
+	endtime.tv_sec -= starttime.tv_sec;
+	endtime.tv_nsec -= starttime.tv_nsec;
+	while (endtime.tv_nsec < 0) {
+		endtime.tv_sec -= 1;
+		endtime.tv_nsec += 1000000000;
+	}
+	printf("%u RSA signs in %ld.%09lds\n", i, endtime.tv_sec,
+	       endtime.tv_nsec);
+	if (i > 0) {
+		printf("%g RSA signs/s\n",
+		       1024 * i /
+			       ((double)endtime.tv_sec +
+				(double)endtime.tv_nsec / 1000000000.));
+	}
+
+exit_key:
+	if (hKey != CK_INVALID_HANDLE) {
+		rv = pkcs_C_DestroyObject(hSession, hKey);
+		if (rv != CKR_OK) {
+			fprintf(stderr, "C_DestroyObject: Error = 0x%.8lX\n",
+				rv);
+		}
+	}
+
+	pk11_return_session(&pctx);
+	(void)pk11_finalize();
+
+	exit(error);
+}
diff --git a/bin/tests/pkcs11/benchmarks/verify.c b/bin/tests/pkcs11/benchmarks/verify.c
new file mode 100644
index 0000000..a2f1c29
--- /dev/null
+++ b/bin/tests/pkcs11/benchmarks/verify.c
@@ -0,0 +1,285 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* verify [-m module] [-s $slot] [-p pin] [-t] [-n count] */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <isc/commandline.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <pk11/pk11.h>
+#include <pk11/result.h>
+
+#ifndef HAVE_CLOCK_GETTIME
+
+#include <sys/time.h>
+
+#ifndef CLOCK_REALTIME
+#define CLOCK_REALTIME 0
+#endif /* ifndef CLOCK_REALTIME */
+
+static int
+clock_gettime(int32_t id, struct timespec *tp);
+
+static int
+clock_gettime(int32_t id, struct timespec *tp) {
+	struct timeval tv;
+	int result;
+
+	UNUSED(id);
+
+	result = gettimeofday(&tv, NULL);
+	if (result == 0) {
+		tp->tv_sec = tv.tv_sec;
+		tp->tv_nsec = (long)tv.tv_usec * 1000;
+	}
+	return (result);
+}
+#endif /* ifndef HAVE_CLOCK_GETTIME */
+
+CK_BYTE modulus[] = {
+	0x00, 0xb7, 0x9c, 0x1f, 0x05, 0xa3, 0xc2, 0x99, 0x44, 0x82, 0x20, 0x78,
+	0x43, 0x7f, 0x5f, 0x3b, 0x10, 0xd7, 0x9e, 0x61, 0x42, 0xd2, 0x7a, 0x90,
+	0x50, 0x8a, 0x99, 0x33, 0xe7, 0xca, 0xc8, 0x5f, 0x16, 0x1c, 0x56, 0xf8,
+	0xc1, 0x06, 0x2f, 0x96, 0xe7, 0x54, 0xf2, 0x85, 0x89, 0x41, 0x36, 0xf5,
+	0x4c, 0xa4, 0x0d, 0x62, 0xd3, 0x42, 0x51, 0x6b, 0x9f, 0xdc, 0x36, 0xcb,
+	0xad, 0x56, 0xf4, 0xbd, 0x2a, 0x60, 0x33, 0xb1, 0x7a, 0x99, 0xad, 0x08,
+	0x9f, 0x95, 0xe8, 0xe5, 0x14, 0xd9, 0x68, 0x79, 0xca, 0x4e, 0x72, 0xeb,
+	0xfb, 0x2c, 0xf1, 0x45, 0xd3, 0x33, 0x65, 0xe7, 0xc5, 0x11, 0xdd, 0xe7,
+	0x09, 0x83, 0x13, 0xd5, 0x17, 0x1b, 0xf4, 0xbd, 0x49, 0xdd, 0x8a, 0x3c,
+	0x3c, 0xf7, 0xa1, 0x5d, 0x7b, 0xb4, 0xd3, 0x80, 0x25, 0xf4, 0x05, 0x8f,
+	0xbc, 0x2c, 0x2a, 0x47, 0xff, 0xd1, 0xc8, 0x34, 0xbf
+};
+CK_BYTE exponent[] = { 0x01, 0x00, 0x01 };
+
+CK_BYTE buf[1024];
+CK_BYTE sig[128];
+
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+int
+main(int argc, char *argv[]) {
+	isc_result_t result;
+	CK_RV rv;
+	CK_SLOT_ID slot = 0;
+	CK_SESSION_HANDLE hSession = CK_INVALID_HANDLE;
+	CK_ULONG len;
+	CK_ULONG slen;
+	CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
+	CK_OBJECT_CLASS kClass = CKO_PUBLIC_KEY;
+	CK_KEY_TYPE kType = CKK_RSA;
+	CK_ATTRIBUTE kTemplate[] = {
+		{ CKA_CLASS, &kClass, (CK_ULONG)sizeof(kClass) },
+		{ CKA_KEY_TYPE, &kType, (CK_ULONG)sizeof(kType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
+		{ CKA_VERIFY, &truevalue, (CK_ULONG)sizeof(truevalue) },
+		{ CKA_MODULUS, modulus, (CK_ULONG)sizeof(modulus) },
+		{ CKA_PUBLIC_EXPONENT, exponent, (CK_ULONG)sizeof(exponent) }
+	};
+	CK_MECHANISM mech = { CKM_SHA1_RSA_PKCS, NULL, 0 };
+	pk11_context_t pctx;
+	pk11_optype_t op_type = OP_RSA;
+	char *lib_name = NULL;
+	char *pin = NULL;
+	int error = 0;
+	int c, errflg = 0;
+	int ontoken = 0;
+	unsigned int count = 1000;
+	unsigned int i;
+	struct timespec starttime;
+	struct timespec endtime;
+
+	while ((c = isc_commandline_parse(argc, argv, ":m:s:p:tn:")) != -1) {
+		switch (c) {
+		case 'm':
+			lib_name = isc_commandline_argument;
+			break;
+		case 's':
+			slot = atoi(isc_commandline_argument);
+			op_type = OP_ANY;
+			break;
+		case 'p':
+			pin = isc_commandline_argument;
+			break;
+		case 't':
+			ontoken = 1;
+			break;
+		case 'n':
+			count = atoi(isc_commandline_argument);
+			break;
+		case ':':
+			fprintf(stderr, "Option -%c requires an operand\n",
+				isc_commandline_option);
+			errflg++;
+			break;
+		case '?':
+		default:
+			fprintf(stderr, "Unrecognised option: -%c\n",
+				isc_commandline_option);
+			errflg++;
+		}
+	}
+
+	if (errflg) {
+		fprintf(stderr, "Usage:\n");
+		fprintf(stderr, "\tverify [-m module] [-s slot] [-p pin] "
+				"[-t] [-n count]\n");
+		exit(1);
+	}
+
+	pk11_result_register();
+
+	/* Initialize the CRYPTOKI library */
+	if (lib_name != NULL) {
+		pk11_set_lib_name(lib_name);
+	}
+
+	if (pin == NULL) {
+		pin = getpass("Enter Pin: ");
+	}
+
+	result = pk11_get_session(&pctx, op_type, false, true, true,
+				  (const char *)pin, slot);
+	if ((result != ISC_R_SUCCESS) && (result != PK11_R_NORANDOMSERVICE) &&
+	    (result != PK11_R_NODIGESTSERVICE) &&
+	    (result != PK11_R_NOAESSERVICE))
+	{
+		fprintf(stderr, "Error initializing PKCS#11: %s\n",
+			isc_result_totext(result));
+		exit(1);
+	}
+
+	if (pin != NULL) {
+		memset(pin, 0, strlen((char *)pin));
+	}
+
+	hSession = pctx.session;
+
+	/* Create the private RSA key */
+	if (ontoken) {
+		kTemplate[2].pValue = &truevalue;
+	}
+
+	rv = pkcs_C_CreateObject(hSession, kTemplate, 7, &hKey);
+	if (rv != CKR_OK) {
+		fprintf(stderr, "C_CreateObject: Error = 0x%.8lX\n", rv);
+		error = 1;
+		goto exit_key;
+	}
+
+	/* Randomize the buffer */
+	len = (CK_ULONG)sizeof(buf);
+	rv = pkcs_C_GenerateRandom(hSession, buf, len);
+	if (rv != CKR_OK) {
+		fprintf(stderr, "C_GenerateRandom: Error = 0x%.8lX\n", rv);
+		goto exit_key;
+	}
+
+	if (clock_gettime(CLOCK_REALTIME, &starttime) < 0) {
+		perror("clock_gettime(start)");
+		goto exit_key;
+	}
+
+	for (i = 0; i < count; i++) {
+		/* Initialize Verify */
+		rv = pkcs_C_VerifyInit(hSession, &mech, hKey);
+		if (rv != CKR_OK) {
+			fprintf(stderr, "C_VerifyInit[%u]: Error = 0x%.8lX\n",
+				i, rv);
+			error = 1;
+			break;
+		}
+
+		/* Perform Verify */
+		slen = (CK_ULONG)sizeof(sig);
+		rv = pkcs_C_Verify(hSession, buf, len, sig, slen);
+		if ((rv != CKR_OK) && (rv != CKR_SIGNATURE_INVALID)) {
+			fprintf(stderr, "C_Verify[%u]: Error = 0x%.8lX\n", i,
+				rv);
+			error = 1;
+			break;
+		}
+	}
+
+	if (clock_gettime(CLOCK_REALTIME, &endtime) < 0) {
+		perror("clock_gettime(end)");
+		goto exit_key;
+	}
+
+	endtime.tv_sec -= starttime.tv_sec;
+	endtime.tv_nsec -= starttime.tv_nsec;
+	while (endtime.tv_nsec < 0) {
+		endtime.tv_sec -= 1;
+		endtime.tv_nsec += 1000000000;
+	}
+	printf("%u RSA verify in %ld.%09lds\n", i, endtime.tv_sec,
+	       endtime.tv_nsec);
+	if (i > 0) {
+		printf("%g RSA verify/s\n",
+		       1024 * i /
+			       ((double)endtime.tv_sec +
+				(double)endtime.tv_nsec / 1000000000.));
+	}
+
+exit_key:
+	if (hKey != CK_INVALID_HANDLE) {
+		rv = pkcs_C_DestroyObject(hSession, hKey);
+		if (rv != CKR_OK) {
+			fprintf(stderr, "C_DestroyObject: Error = 0x%.8lX\n",
+				rv);
+			error = 1;
+		}
+	}
+
+	pk11_return_session(&pctx);
+	(void)pk11_finalize();
+
+	exit(error);
+}
diff --git a/bin/tests/prepare-softhsm2.sh b/bin/tests/prepare-softhsm2.sh
new file mode 100755
index 0000000..f1fa194
--- /dev/null
+++ b/bin/tests/prepare-softhsm2.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+if [ -n "${SOFTHSM2_CONF}" ] && command -v softhsm2-util >/dev/null; then
+    SOFTHSM2_DIR=$(dirname "$SOFTHSM2_CONF")
+    mkdir -p "${SOFTHSM2_DIR}/tokens"
+    echo "directories.tokendir = ${SOFTHSM2_DIR}/tokens" > "${SOFTHSM2_CONF}"
+    echo "objectstore.backend = file" >> "${SOFTHSM2_CONF}"
+    echo "log.level = DEBUG" >> "${SOFTHSM2_CONF}"
+    softhsm2-util --init-token --free --pin 1234 --so-pin 1234 --label "softhsm2" | awk '/^The token has been initialized and is reassigned to slot/ { print $NF }'
+fi
+exit 0
diff --git a/bin/tests/startperf/README b/bin/tests/startperf/README
new file mode 100644
index 0000000..2f0afa7
--- /dev/null
+++ b/bin/tests/startperf/README
@@ -0,0 +1,30 @@
+<!--
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0.  If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+-->
+
+These scripts generate a named.conf file with an arbitrary number of
+small zones, for testing startup performance.
+
+To generate a test server with 1000 zones each of which contains 5 A
+records, run:
+
+   $ sh setup.sh 1000 5 > named.conf
+
+Zones are generated with random names, and the zone files are created
+in the subdirectory "zones".
+
+Or, to generate a test server with 100 zones which all load from the same
+generic file (smallzone.db):
+
+   $ sh setup.sh -s 100 > named.conf
+
+The "number of records" argument is ignored if -s is used.
diff --git a/bin/tests/startperf/clean.sh b/bin/tests/startperf/clean.sh
new file mode 100644
index 0000000..5f7e51a
--- /dev/null
+++ b/bin/tests/startperf/clean.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -rf zones
+rm -f named.conf
diff --git a/bin/tests/startperf/makenames.pl b/bin/tests/startperf/makenames.pl
new file mode 100644
index 0000000..cb4a734
--- /dev/null
+++ b/bin/tests/startperf/makenames.pl
@@ -0,0 +1,30 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+use strict;
+
+die "Usage: makenames.pl <num> [<len>]" if (@ARGV == 0 || @ARGV > 2);
+my $len = 10;
+$len = @ARGV[1] if (@ARGV == 2);
+
+my @chars = split("", "abcdefghijklmnopqrstuvwxyz123456789");
+
+srand; 
+for (my $i = 0; $i < @ARGV[0]; $i++) {
+        my $name = "";
+        for (my $j = 0; $j < $len; $j++) {
+                my $r = rand 35;
+                $name .= $chars[$r];
+        }
+        print "$name" . ".example\n";
+}
diff --git a/bin/tests/startperf/mkzonefile.pl b/bin/tests/startperf/mkzonefile.pl
new file mode 100644
index 0000000..3fdc802
--- /dev/null
+++ b/bin/tests/startperf/mkzonefile.pl
@@ -0,0 +1,47 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+use strict;
+
+die "Usage: makenames.pl zonename num_records" if (@ARGV != 2);
+my $zname = @ARGV[0];
+my $nrecords = @ARGV[1];
+
+my @chars = split("", "abcdefghijklmnopqrstuvwxyz");
+
+print"\$TTL 300	; 5 minutes
+\$ORIGIN $zname.
+@			IN SOA	mname1. . (
+				2011080201 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				600        ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3\n";
+
+srand; 
+for (my $i = 0; $i < $nrecords; $i++) {
+        my $name = "";
+        for (my $j = 0; $j < 8; $j++) {
+                my $r = rand 25;
+                $name .= $chars[$r];
+        }
+        print "$name" . "\tIN\tA\t";
+        my $x = int rand 254;
+        my $y = int rand 254;
+        my $z = int rand 254;
+        print "10.$x.$y.$z\n";
+}
+
diff --git a/bin/tests/startperf/setup.sh b/bin/tests/startperf/setup.sh
new file mode 100644
index 0000000..e664bbc
--- /dev/null
+++ b/bin/tests/startperf/setup.sh
@@ -0,0 +1,82 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+usage () {
+    echo "Usage: $0 [-s] <number of zones> [<records per zone>]"
+    echo "       -s: use the same zone file all zones"
+    exit 1
+}
+
+if [ "$#" -lt 1 -o "$#" -gt 3 ]; then
+    usage
+fi
+
+single_file=""
+if [ $1 = "-s" ]; then
+    single_file=yes
+    shift
+fi
+
+nzones=$1
+shift
+
+nrecords=5
+[ "$#" -eq 1 ] && nrecords=$1
+
+. ../system/conf.sh
+
+cat << EOF
+options {
+        directory "`pwd`";
+        listen-on { localhost; };
+        listen-on-v6 { localhost; };
+	port 5300;
+        allow-query { any; };
+        allow-transfer { localhost; };
+        allow-recursion { none; };
+        recursion no;
+};
+
+key rndc_key {
+        secret "1234abcd8765";
+        algorithm hmac-md5;
+};
+
+controls {
+        inet 127.0.0.1 port 9953 allow { any; } keys { rndc_key; };
+};
+
+logging {
+        channel basic {
+                file "`pwd`/named.log" versions 3 size 100m;
+                severity info;
+                print-time yes;
+                print-severity no;
+                print-category no;
+        };
+        category default {
+                basic;
+        };
+};
+
+EOF
+
+$PERL makenames.pl $nzones | while read zonename; do
+    if [ $single_file ]; then
+        echo "zone $zonename { type master; file \"smallzone.db\"; };"
+    else
+        [ -d zones ] || mkdir zones
+        $PERL mkzonefile.pl $zonename $nrecords > zones/$zonename.db
+        echo "zone $zonename { type master; file \"zones/$zonename.db\"; };"
+    fi
+done
diff --git a/bin/tests/startperf/smallzone.db b/bin/tests/startperf/smallzone.db
new file mode 100644
index 0000000..3a26acd
--- /dev/null
+++ b/bin/tests/startperf/smallzone.db
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a			A	10.0.0.3
+*.e			A	10.0.0.6
diff --git a/bin/tests/system/Makefile.in b/bin/tests/system/Makefile.in
new file mode 100644
index 0000000..7b8b42c
--- /dev/null
+++ b/bin/tests/system/Makefile.in
@@ -0,0 +1,108 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+SUBDIRS =	dlzexternal dyndb pipelined rndc rpz rsabigexponent tkey
+
+CINCLUDES =	${ISC_INCLUDES} \
+		${DNS_INCLUDES}	\
+		${ISCCFG_INCLUDES} \
+		${IRS_INCLUDES}
+
+CDEFINES =	@USE_GSSAPI@ @CONTRIB_DLZ@
+CWARNINGS =
+
+ISCLIBS =	../../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+DNSLIBS =	../../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+ISCCFGLIBS =	../../../lib/isccfg/libisccfg.@A@
+IRSLIBS =	../../../lib/irs/libirs.@A@
+
+ISCDEPLIBS =	../../../lib/isc/libisc.@A@
+DNSDEPLIBS =	../../../lib/dns/libdns.@A@
+ISCCFGDEPLIBS =	../../../lib/isccfg/libisccfg.@A@
+IRSDEPLIBS =	../../../lib/irs/libirs.@A@
+
+DEPLIBS =	${IRSDEPLIBS} ${ISCCFGDEPLIBS} ${DNSDEPLIBS} ${ISCDEPLIBS}
+
+LIBS =		${IRSLIBS} ${ISCCFGLIBS} ${DNSLIBS} ${ISCLIBS} @LIBS@
+
+OBJS =		feature-test.@O@ resolve.@O@
+SRCS =		feature-test.c resolve.c
+
+TARGETS =	feature-test@EXEEXT@ resolve@EXEEXT@
+
+@BIND9_MAKE_RULES@
+
+subdirs: ${TARGETS}
+
+feature-test@EXEEXT@: feature-test.@O@
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ feature-test.@O@ ${ISCLIBS} ${LIBS}
+
+resolve@EXEEXT@: resolve.@O@ ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+	resolve.@O@ ${LIBS}
+
+# Running the scripts below is bypassed when a separate build directory is
+# used.
+
+# Produce intermediate makefile that assigns unique port numbers to each
+# parallel test.  The start port number of 5,000 is arbitrary - it must just
+# be greater than the highest privileged port, 1024.
+#
+# Test names need to be sanitized because Solaris make does not like
+# underscores in target names and requires explicit differentiation
+# between a target name and a directory name (.PHONY is not supported).
+
+.PHONY: parallel.mk
+
+parallel.mk:
+	$(SHELL) parallel.sh > parallel.mk
+
+# Targets to run the tests.
+
+test: parallel.mk subdirs
+	@$(MAKE) -f parallel.mk check
+	@$(SHELL) ./runsequential.sh
+	@$(SHELL) ./testsummary.sh
+
+check: test
+
+# Other targets:
+#
+# testclean - delete files generated by running tests.
+# clean     - testclean + also delete files built for the tests by "make".
+# distclean - clean + also delete test-related files generated by "configure".
+
+testclean clean distclean::
+	if test -f ./cleanall.sh; then $(SHELL) ./cleanall.sh; fi
+	rm -f systests.output
+	rm -f random.data
+	rm -f parallel.mk
+
+clean distclean::
+	rm -f ${TARGETS}
+	rm -f ${OBJS}
+
+distclean::
+	rm -f conf.sh
+
+installdirs:
+
+install::
+
+uninstall::
diff --git a/bin/tests/system/README b/bin/tests/system/README
new file mode 100644
index 0000000..fc9294d
--- /dev/null
+++ b/bin/tests/system/README
@@ -0,0 +1,724 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0.  If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+
+Introduction
+===
+This directory holds a simple test environment for running bind9 system tests
+involving multiple name servers.
+
+With the exception of "common" (which holds configuration information common to
+multiple tests) and "win32" (which holds files needed to run the tests in a
+Windows environment), each directory holds a set of scripts and configuration
+files to test different parts of BIND.  The directories are named for the
+aspect of BIND they test, for example:
+
+  dnssec/       DNSSEC tests
+  forward/      Forwarding tests
+  glue/         Glue handling tests
+
+etc.
+
+Typically each set of tests sets up 2-5 name servers and then performs one or
+more tests against them.  Within the test subdirectory, each name server has a
+separate subdirectory containing its configuration data.  These subdirectories
+are named "nsN" or "ansN" (where N is a number between 1 and 8, e.g. ns1, ans2
+etc.)
+
+The tests are completely self-contained and do not require access to the real
+DNS.  Generally, one of the test servers (usually ns1) is set up as a root
+nameserver and is listed in the hints file of the others.
+
+
+Preparing to Run the Tests
+===
+To enable all servers to run on the same machine, they bind to separate virtual
+IP addresses on the loopback interface.  ns1 runs on 10.53.0.1, ns2 on
+10.53.0.2, etc.  Before running any tests, you must set up these addresses by
+running the command
+
+    sh ifconfig.sh up
+
+as root.  The interfaces can be removed by executing the command:
+
+    sh ifconfig.sh down
+
+... also as root.
+
+The servers use unprivileged ports (above 1024) instead of the usual port 53,
+so they can be run without root privileges once the interfaces have been set
+up.
+
+
+Note for MacOS Users
+---
+If you wish to make the interfaces survive across reboots, copy
+org.isc.bind.system and org.isc.bind.system.plist to /Library/LaunchDaemons
+then run
+
+    launchctl load /Library/LaunchDaemons/org.isc.bind.system.plist
+
+... as root.
+
+
+Running the System Tests
+===
+
+Running an Individual Test
+---
+The tests can be run individually using the following command:
+
+    sh run.sh [flags] <test-name> [<test-arguments>]
+
+e.g.
+
+    sh run.sh [flags] notify
+
+Optional flags are:
+
+    -k              Keep servers running after the test completes.  Each test
+                    usually starts a number of nameservers, either instances
+                    of the "named" being tested, or custom servers (written in
+                    Python or Perl) that feature test-specific behavior.  The
+                    servers are automatically started before the test is run
+                    and stopped after it ends.  This flag leaves them running
+                    at the end of the test, so that additional queries can be
+                    sent by hand.  To stop the servers afterwards, use the
+                    command "sh stop.sh <test-name>".
+
+    -n              Noclean - do not remove the output files if the test
+                    completes successfully.  By default, files created by the
+                    test are deleted if it passes;  they are not deleted if the
+                    test fails.
+
+    -p <number>     Sets the range of ports used by the test.  A block of 100
+                    ports is available for each test, the number given to the
+                    "-p" switch being the number of the start of that block
+                    (e.g. "-p 7900" will mean that the test is able to use
+                    ports 7900 through 7999).  If not specified, the test will
+                    have ports 5000 to 5099 available to it.
+
+Arguments are:
+
+    test-name       Mandatory.  The name of the test, which is the name of the
+                    subdirectory in bin/tests/system holding the test files.
+
+    test-arguments  Optional arguments that are passed to each of the test's
+                    scripts.
+
+
+Running All The System Tests
+---
+To run all the system tests, enter the command:
+
+    sh runall.sh [-c] [-n] [numproc]
+
+The optional flag "-c" forces colored output (by default system test output is
+not printed in color due to run.sh being piped through "tee").
+
+The optional flag "-n" has the same effect as it does for "run.sh" - it causes
+the retention of all output files from all tests.
+
+The optional "numproc" argument specifies the maximum number of tests that can
+run in parallel.  The default is 1, which means that all of the tests run
+sequentially.  If greater than 1, up to "numproc" tests will run simultaneously,
+new tests being started as tests finish.  Each test will get a unique set of
+ports, so there is no danger of tests interfering with one another.  Parallel
+running will reduce the total time taken to run the BIND system tests, but will
+mean that the output from all the tests sent to the screen will be mixed up
+with one another.  However, the systests.output file produced at the end of the
+run (in the bin/tests/system directory) will contain the output from each test
+in sequential order.
+
+Note that it is not possible to pass arguments to tests though the "runall.sh"
+script.
+
+A run of all the system tests can also be initiated via make:
+
+    make [-j numproc] test
+
+In this case, retention of the output files after a test completes successfully
+is specified by setting the environment variable SYSTEMTEST_NO_CLEAN to 1 prior
+to running make, e.g.
+
+    SYSTEMTEST_NO_CLEAN=1 make [-j numproc] test
+
+while setting environment variable SYSTEMTEST_FORCE_COLOR to 1 forces system
+test output to be printed in color.
+
+
+Running Multiple System Test Suites Simultaneously
+---
+In some cases it may be desirable to have multiple instances of the system test
+suite running simultaneously (e.g. from different terminal windows).  To do
+this:
+
+1. Each installation must have its own directory tree.  The system tests create
+files in the test directories, so separate directory trees are required to
+avoid interference between the same test running in the different
+installations.
+
+2. For one of the test suites, the starting port number must be specified by
+setting the environment variable STARTPORT before starting the test suite.
+Each test suite comprises about 100 tests, each being allocated a set of 100
+ports.  The port ranges for each test are allocated sequentially, so each test
+suite requires about 10,000 ports to itself.  By default, the port allocation
+starts at 5,000.  So the following set of commands:
+
+    Terminal Window 1:
+        cd <installation-1>/bin/tests/system
+        sh runall.sh 4
+
+    Terminal Window 2:
+        cd <installation-2>/bin/tests/system
+        STARTPORT=20000 sh runall.sh 4
+
+... will start the test suite for installation-1 using the default base port
+of 5,000, so the test suite will use ports 5,000 through 15,000 (or there
+abouts).  The use of "STARTPORT=20000" to prefix the run of the test suite for
+installation-2 will mean the test suite uses ports 20,000 through 30,000 or so.
+
+
+Format of Test Output
+---
+All output from the system tests is in the form of lines with the following
+structure:
+
+    <letter>:<test-name>:<message> [(<number>)]
+
+e.g.
+
+    I:catz:checking that dom1.example is not served by master (1)
+
+The meanings of the fields are as follows:
+
+<letter>
+This indicates the type of message.  This is one of:
+
+    S   Start of the test
+    A   Start of test (retained for backwards compatibility)
+    T   Start of test (retained for backwards compatibility)
+    E   End of the test
+    I   Information.  A test will typically output many of these messages
+        during its run, indicating test progress.  Note that such a message may
+        be of the form "I:testname:failed", indicating that a sub-test has
+        failed.
+    R   Result.  Each test will result in one such message, which is of the
+        form:
+
+                R:<test-name>:<result>
+
+        where <result> is one of:
+
+            PASS        The test passed
+            FAIL        The test failed
+            SKIPPED     The test was not run, usually because some
+                        prerequisites required to run the test are missing.
+
+<test-name>
+This is the name of the test from which the message emanated, which is also the
+name of the subdirectory holding the test files.
+
+<message>
+This is text output by the test during its execution.
+
+(<number>)
+If present, this will correlate with a file created by the test.  The tests
+execute commands and route the output of each command to a file.  The name of
+this file depends on the command and the test, but will usually be of the form:
+
+    <command>.out.<suffix><number>
+
+e.g. nsupdate.out.test28, dig.out.q3.  This aids diagnosis of problems by
+allowing the output that caused the problem message to be identified.
+
+
+Re-Running the Tests
+---
+If there is a requirement to re-run a test (or the entire test suite), the
+files produced by the tests should be deleted first.  Normally, these files are
+deleted if the test succeeds but are retained on error.  The run.sh script
+automatically calls a given test's clean.sh script before invoking its setup.sh
+script.
+
+Deletion of the files produced by the set of tests (e.g. after the execution
+of "runall.sh") can be carried out using the command:
+
+    sh cleanall.sh
+
+or
+
+    make testclean
+
+(Note that the Makefile has two other targets for cleaning up files: "clean"
+will delete all the files produced by the tests, as well as the object and
+executable files used by the tests.  "distclean" does all the work of "clean"
+as well as deleting configuration files produced by "configure".)
+
+
+Developer Notes
+===
+This section is intended for developers writing new tests.
+
+
+Overview
+---
+As noted above, each test is in a separate directory.  To interact with the
+test framework, the directories contain the following standard files:
+
+prereq.sh   Run at the beginning to determine whether the test can be run at
+            all; if not, we see a R:SKIPPED result.  This file is optional:
+            if not present, the test is assumed to have all its prerequisites
+            met.
+
+setup.sh    Run after prereq.sh, this sets up the preconditions for the tests.
+            Although optional, virtually all tests will require such a file to
+            set up the ports they should use for the test.
+
+tests.sh    Runs the actual tests.  This file is mandatory.
+
+clean.sh    Run at the end to clean up temporary files, but only if the test
+            was completed successfully and its running was not inhibited by the
+	    "-n" switch being passed to "run.sh".  Otherwise the temporary
+	    files are left in place for inspection.
+
+ns<N>       These subdirectories contain test name servers that can be queried
+	    or can interact with each other.  The value of N indicates the
+	    address the server listens on: for example, ns2 listens on
+	    10.53.0.2, and ns4 on 10.53.0.4.  All test servers use an
+	    unprivileged port, so they don't need to run as root.  These
+	    servers log at the highest debug level and the log is captured in
+	    the file "named.run".
+
+ans<N>      Like ns[X], but these are simple mock name servers implemented in
+            Perl or Python.  They are generally programmed to misbehave in ways
+            named would not so as to exercise named's ability to interoperate
+            with badly behaved name servers.
+
+
+Port Usage
+---
+In order for the tests to run in parallel, each test requires a unique set of
+ports.  These are specified by the "-p" option passed to "run.sh", which sets
+environment variables that the scripts listed above can reference.
+
+The convention used in the system tests is that the number passed is the start
+of a range of 100 ports.  The test is free to use the ports as required,
+although the first ten ports in the block are named and generally tests use the
+named ports for their intended purpose.  The names of the environment variables
+are:
+
+    PORT                     Number to be used for the query port.
+    CONTROLPORT              Number to be used as the RNDC control port.
+    EXTRAPORT1 - EXTRAPORT8  Eight port numbers that can be used as needed.
+
+Two other environment variables are defined:
+
+    LOWPORT                  The lowest port number in the range.
+    HIGHPORT                 The highest port number in the range.
+
+Since port ranges usually start on a boundary of 10, the variables are set such
+that the last digit of the port number corresponds to the number of the
+EXTRAPORTn variable.  For example, if the port range were to start at 5200, the
+port assignments would be:
+
+    PORT = 5200
+    EXTRAPORT1 = 5201
+        :
+    EXTRAPORT8 = 5208
+    CONTROLPORT = 5209
+    LOWPORT = 5200
+    HIGHPORT = 5299
+
+When running tests in parallel (i.e. giving a value of "numproc" greater than 1
+in the "make" or "runall.sh" commands listed above), it is guaranteed that each
+test will get a set of unique port numbers.
+
+
+Writing a Test
+---
+The test framework requires up to four shell scripts (listed above) as well as
+a number of nameserver instances to run.  Certain expectations are put on each
+script:
+
+
+General
+---
+1. Each of the four scripts will be invoked with the command
+
+    (cd <test-directory> ; sh <script> [<arguments>] )
+
+... so that working directory when the script starts executing is the test
+directory.
+
+2. Arguments can be only passed to the script if the test is being run as a
+one-off with "run.sh".  In this case, everything on the command line after the
+name of the test is passed to each script.  For example, the command:
+
+    sh run.sh -p 12300 mytest -D xyz
+
+... will run "mytest" with a port range of 12300 to 12399.  Each of the
+framework scripts provided by the test will be invoked using the remaining
+arguments, e.g.:
+
+   (cd mytest ; sh prereq.sh -D xyz)
+   (cd mytest ; sh setup.sh -D xyz)
+   (cd mytest ; sh tests.sh -D xyz)
+   (cd mytest ; sh clean.sh -D xyz)
+
+No arguments will be passed to the test scripts if the test is run as part of
+a run of the full test suite (e.g. the tests are started with "runall.sh").
+
+3.  Each script should start with the following lines:
+
+    SYSTEMTESTTOP=..
+    . $SYSTEMTESTTOP/conf.sh
+
+"conf.sh" defines a series of environment variables together with functions
+useful for the test scripts. (conf.sh.win32 is the Windows equivalent of this
+file.)
+
+
+prereq.sh
+---
+As noted above, this is optional.  If present, it should check whether specific
+software needed to run the test is available and/or whether BIND has been
+configured with the appropriate options required.
+
+    * If the software required to run the test is present and the BIND
+      configure options are correct, prereq.sh should return with a status code
+      of 0.
+
+    * If the software required to run the test is not available and/or BIND
+      has not been configured with the appropriate options, prereq.sh should
+      return with a status code of 1.
+
+    * If there is some other problem (e.g. prerequisite software is available
+      but is not properly configured), a status code of 255 should be returned.
+
+
+setup.sh
+---
+This is responsible for setting up the configuration files used in the test.
+
+To cope with the varying port number, ports are not hard-coded into
+configuration files (or, for that matter, scripts that emulate nameservers).
+Instead, setup.sh is responsible for editing the configuration files to set the
+port numbers.
+
+To do this, configuration files should be supplied in the form of templates
+containing tokens identifying ports.  The tokens have the same name as the
+environment variables listed above, but are prefixed and suffixed by the "@"
+symbol.  For example, a fragment of a configuration file template might look
+like:
+
+    controls {
+        inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+    };
+
+    options {
+        query-source address 10.53.0.1;
+        notify-source 10.53.0.1;
+        transfer-source 10.53.0.1;
+        port @PORT@;
+        allow-new-zones yes;
+    };
+
+setup.sh should copy the template to the desired filename using the
+"copy_setports" shell function defined in "conf.sh", i.e.
+
+    copy_setports ns1/named.conf.in ns1/named.conf
+
+This replaces the tokens @PORT@, @CONTROLPORT@, @EXTRAPORT1@ through
+@EXTRAPORT8@ with the contents of the environment variables listed above.
+setup.sh should do this for all configuration files required when the test
+starts.
+
+("setup.sh" should also use this method for replacing the tokens in any Perl or
+Python name servers used in the test.)
+
+
+tests.sh
+---
+This is the main test file and the contents depend on the test.  The contents
+are completely up to the developer, although most test scripts have a form
+similar to the following for each sub-test:
+
+    1. n=`expr $n + 1`
+    2. echo_i "prime cache nodata.example ($n)"
+    3. ret=0
+    4. $DIG -p ${PORT} @10.53.0.1 nodata.example TXT > dig.out.test$n
+    5. grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+    6. grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+    7. if [ $ret != 0 ]; then echo_i "failed"; fi
+    8. status=`expr $status + $ret`
+
+1.  Increment the test number "n" (initialized to zero at the start of the
+    script).
+
+2.  Indicate that the sub-test is about to begin.  Note that "echo_i" instead
+    of "echo" is used.  echo_i is a function defined in "conf.sh" which will
+    prefix the message with "I:<testname>:", so allowing the output from each
+    test to be identified within the output.  The test number is included in
+    the message in order to tie the sub-test with its output.
+
+3. Initialize return status.
+
+4 - 6. Carry out the sub-test.  In this case, a nameserver is queried (note
+    that the port used is given by the PORT environment variable, which was set
+    by the inclusion of the file "conf.sh" at the start of the script).  The
+    output is routed to a file whose suffix includes the test number.  The
+    response from the server is examined and, in this case, if the required
+    string is not found, an error is indicated by setting "ret" to 1.
+
+7.  If the sub-test failed, a message is printed. "echo_i" is used to print
+    the message to add the prefix "I:<test-name>:" before it is output.
+
+8.  "status", used to track how many of the sub-tests have failed, is
+    incremented accordingly.  The value of "status" determines the status
+    returned by "tests.sh", which in turn determines whether the framework
+    prints the PASS or FAIL message.
+
+Regardless of this, rules that should be followed are:
+
+a.  Use the environment variables set by conf.sh to determine the ports to use
+    for sending and receiving queries.
+
+b.  Use a counter to tag messages and to associate the messages with the output
+    files.
+
+c.  Store all output produced by queries/commands into files.  These files
+    should be named according to the command that produced them, e.g. "dig"
+    output should be stored in a file "dig.out.<suffix>", the suffix being
+    related to the value of the counter.
+
+d.  Use "echo_i" to output informational messages.
+
+e.  Retain a count of test failures and return this as the exit status from
+    the script.
+
+
+clean.sh
+---
+The inverse of "setup.sh", this is invoked by the framework to clean up the
+test directory.  It should delete all files that have been created by the test
+during its run.
+
+
+Starting Nameservers
+---
+As noted earlier, a system test will involve a number of nameservers.  These
+will be either instances of named, or special servers written in a language
+such as Perl or Python.
+
+For the former, the version of "named" being run is that in the "bin/named"
+directory in the tree holding the tests (i.e. if "make test" is being run
+immediately after "make", the version of "named" used is that just built).  The
+configuration files, zone files etc. for these servers are located in
+subdirectories of the test directory named "nsN", where N is a small integer.
+The latter are special nameservers, mostly used for generating deliberately bad
+responses, located in subdirectories named "ansN" (again, N is an integer).
+In addition to configuration files, these directories should hold the
+appropriate script files as well.
+
+Note that the "N" for a particular test forms a single number space, e.g. if
+there is an "ns2" directory, there cannot be an "ans2" directory as well.
+Ideally, the directory numbers should start at 1 and work upwards.
+
+When running a test, the servers are started using "start.sh" (which is nothing
+more than a wrapper for start.pl).  The options for "start.pl" are documented
+in the header for that file, so will not be repeated here.  In summary, when
+invoked by "run.sh", start.pl looks for directories named "nsN" or "ansN" in
+the test directory and starts the servers it finds there.
+
+
+"named" Command-Line Options
+---
+By default, start.pl starts a "named" server with the following options:
+
+    -c named.conf   Specifies the configuration file to use (so by implication,
+                    each "nsN" nameserver's configuration file must be called
+                    named.conf).
+
+    -d 99           Sets the maximum debugging level.
+
+    -D <name>       The "-D" option sets a string used to identify the
+                    nameserver in a process listing.  In this case, the string
+                    is the name of the subdirectory.
+
+    -g              Runs the server in the foreground and logs everything to
+                    stderr.
+
+    -m record,size,mctx
+                    Turns on these memory usage debugging flags.
+
+    -U 4            Uses four listeners.
+
+    -X named.lock   Acquires a lock on this file in the "nsN" directory, so
+                    preventing multiple instances of this named running in this
+                    directory (which could possibly interfere with the test).
+
+All output is sent to a file called "named.run" in the nameserver directory.
+
+The options used to start named can be altered.  There are three ways of doing
+this.  "start.pl" checks the methods in a specific order: if a check succeeds,
+the options are set and any other specification is ignored.  In order, these
+are:
+
+1. Specifying options to "start.sh"/"start.pl" after the name of the test
+directory, e.g.
+
+    sh start.sh reclimit ns1 -- "-c n.conf -d 43"
+
+(This is only really useful when running tests interactively.)
+
+2. Including a file called "named.args" in the "nsN" directory.  If present,
+the contents of the first non-commented, non-blank line of the file are used as
+the named command-line arguments.  The rest of the file is ignored.
+
+3. Tweaking the default command line arguments with "-T" options.  This flag is
+used to alter the behavior of BIND for testing and is not documented in the
+ARM.  The presence of certain files in the "nsN" directory adds flags to
+the default command line (the content of the files is irrelevant - it
+is only the presence that counts):
+
+    named.noaa       Appends "-T noaa" to the command line, which causes
+                     "named" to never set the AA bit in an answer.
+
+    named.dropedns   Adds "-T dropedns" to the command line, which causes
+                     "named" to recognise EDNS options in messages, but drop
+                     messages containing them.
+
+    named.maxudp1460 Adds "-T maxudp1460" to the command line, setting the
+                     maximum UDP size handled by named to 1460.
+
+    named.maxudp512  Adds "-T maxudp512" to the command line, setting the
+                     maximum UDP size handled by named to 512.
+
+    named.noedns     Appends "-T noedns" to the command line, which disables
+                     recognition of EDNS options in messages.
+
+    named.notcp      Adds "-T notcp", which disables TCP in "named".
+
+    named.soa        Appends "-T nosoa" to the command line, which disables
+                     the addition of SOA records to negative responses (or to
+                     the additional section if the response is triggered by RPZ
+                     rewriting).
+
+Starting Other Nameservers
+---
+In contrast to "named", nameservers written in Perl or Python (whose script
+file should have the name "ans.pl" or "ans.py" respectively) are started with a
+fixed command line.  In essence, the server is given the address and nothing
+else.
+
+(This is not strictly true: Python servers are provided with the number of the
+query port to use.  Altering the port used by Perl servers currently requires
+creating a template file containing the "@PORT@" token, and having "setup.sh"
+substitute the actual port being used before the test starts.)
+
+
+Stopping Nameservers
+---
+As might be expected, the test system stops nameservers with the script
+"stop.sh", which is little more than a wrapper for "stop.pl".  Like "start.pl",
+the options available are listed in the file's header and will not be repeated
+here.
+
+In summary though, the nameservers for a given test, if left running by
+specifying the "-k" flag to "run.sh" when the test is started, can be stopped
+by the command:
+
+    sh stop.sh <test-name> [server]
+
+... where if the server (e.g. "ns1", "ans3") is not specified, all servers
+associated with the test are stopped.
+
+
+Adding a Test to the System Test Suite
+---
+Once a test has been created, the following files should be edited:
+
+* conf.sh.in  The name of the test should be added to the PARALLELDIRS or
+SEQUENTIALDIRS variables as appropriate.  The former is used for tests that
+can run in parallel with other tests, the latter for tests that are unable to
+do so.
+
+* conf.sh.win32 This is the Windows equivalent of conf.sh.in.  The name of the
+test should be added to the PARALLELDIRS or SEQUENTIALDIRS variables as
+appropriate.
+
+* Makefile.in The name of the test should be added to one of the the PARALLEL
+or SEQUENTIAL variables.
+
+(It is likely that a future iteration of the system test suite will remove the
+need to edit multiple files to add a test.)
+
+
+Valgrind
+---
+When running system tests, named can be run under Valgrind.  The output from
+Valgrind are sent to per-process files that can be reviewed after the test has
+completed.  To enable this, set the USE_VALGRIND environment variable to
+"helgrind" to run the Helgrind tool, or any other value to run the Memcheck
+tool.  To use "helgrind" effectively, build BIND with --disable-atomic.
+
+
+Maintenance Notes
+===
+This section is aimed at developers maintaining BIND's system test framework.
+
+Notes on Parallel Execution
+---
+Although execution of an individual test is controlled by "run.sh", which
+executes the above shell scripts (and starts the relevant servers) for each
+test, the running of all tests in the test suite is controlled by the Makefile.
+("runall.sh" does little more than invoke "make" on the Makefile.)
+
+All system tests are capable of being run in parallel.  For this to work, each
+test needs to use a unique set of ports.  To avoid the need to define which
+tests use which ports (and so risk port clashes as further tests are added),
+the ports are assigned when the tests are run.  This is achieved by having the
+"test" target in the Makefile depend on "parallel.mk".  That file is created
+when "make check" is run, and contains a target for each test of the form:
+
+    <test-name>:
+        @$(SHELL) run.sh -p <baseport> <test-name>
+
+The <baseport> is unique and the values of <baseport> for each test are
+separated by at least 100 ports.
+
+
+Cleaning Up From Tests
+---
+When a test is run, up to three different types of files are created:
+
+1. Files generated by the test itself, e.g. output from "dig" and "rndc", are
+stored in the test directory.
+
+2. Files produced by named which may not be cleaned up if named exits
+abnormally, e.g. core files, PID files etc., are stored in the test directory.
+
+3. A file "test.output.<test-name>" containing the text written to stdout by the
+test is written to bin/tests/system/.  This file is only produced when the test
+is run as part of the entire test suite (e.g. via "runall.sh").
+
+If the test fails, all these files are retained.  But if the test succeeds,
+they are cleaned up at different times:
+
+1. Files generated by the test itself are cleaned up by the test's own
+"clean.sh", which is called from "run.sh".
+
+2. Files that may not be cleaned up if named exits abnormally can be removed
+using the "cleanall.sh" script.
+
+3. "test.output.*" files are deleted when the test suite ends.  At this point,
+the file "testsummary.sh" is called which concatenates all the "test.output.*"
+files into a single "systests.output" file before deleting them.
diff --git a/bin/tests/system/acl/clean.sh b/bin/tests/system/acl/clean.sh
new file mode 100644
index 0000000..c8d26cc
--- /dev/null
+++ b/bin/tests/system/acl/clean.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Clean up after zone transfer tests.
+#
+
+rm -f dig.out.*
+rm -f ns2/example.db ns2/tsigzone.db ns2/example.db.jnl
+rm -f */named.conf
+rm -f */named.memstats
+rm -f */named.run
+rm -f ns*/named.lock
+rm -f ns*/_default.nzf
+rm -f ns*/_default.nzd*
+rm -f ns*/managed-keys.bind* ns*/*.mkeys*
diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in
new file mode 100644
index 0000000..745048a
--- /dev/null
+++ b/bin/tests/system/acl/ns2/named1.conf.in
@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	ixfr-from-differences yes;
+	check-integrity no;
+};
+
+key one {
+	algorithm hmac-md5;
+	secret "1234abcd8765";
+};
+
+key two {
+	algorithm hmac-md5;
+	secret "1234abcd8765";
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+};
+
+zone "tsigzone" {
+	type primary;
+	file "tsigzone.db";
+	allow-transfer { !key one; any; };
+};
diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in
new file mode 100644
index 0000000..21aa991
--- /dev/null
+++ b/bin/tests/system/acl/ns2/named2.conf.in
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	ixfr-from-differences yes;
+	check-integrity no;
+};
+
+key one {
+	algorithm hmac-md5;
+	secret "1234abcd8765";
+};
+
+key two {
+	algorithm hmac-md5;
+	secret "1234abcd8765";
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+};
+
+zone "tsigzone" {
+	type primary;
+	file "tsigzone.db";
+	/*
+	 * 0a00::/8 and 10/8 are the same bits, but different address
+	 * families.  This should *not* match IPv4 queries from 10.*.
+	 */
+	allow-transfer { 0a00::/8; !10/8; key one; };
+};
diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in
new file mode 100644
index 0000000..3208c92
--- /dev/null
+++ b/bin/tests/system/acl/ns2/named3.conf.in
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	ixfr-from-differences yes;
+	check-integrity no;
+};
+
+key one {
+	algorithm hmac-md5;
+	secret "1234abcd8765";
+};
+
+key two {
+	algorithm hmac-md5;
+	secret "1234abcd8765";
+};
+
+key three {
+	algorithm hmac-md5;
+	secret "1234abcd8765";
+};
+
+acl reject {
+	!key one; !key two; any;
+};
+
+acl accept {
+	10.53.0.1; 10.53.0.2;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+};
+
+zone "tsigzone" {
+	type primary;
+	file "tsigzone.db";
+	allow-transfer { !reject; accept; };
+};
diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in
new file mode 100644
index 0000000..14e82ed
--- /dev/null
+++ b/bin/tests/system/acl/ns2/named4.conf.in
@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	ixfr-from-differences yes;
+	check-integrity no;
+};
+
+key one {
+	algorithm hmac-md5;
+	secret "1234abcd8765";
+};
+
+key two {
+	algorithm hmac-md5;
+	secret "1234abcd8765";
+};
+
+acl rejectkeys {
+	!key one; !key two; any;
+};
+
+acl rejectaddrs {
+	!10.53.0.1; !10.53.0.2; any;
+};
+
+acl check1 { !key one; 10.53.0.1; };
+
+acl check2 { !key two; 10.53.0.2; };
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+};
+
+zone "tsigzone" {
+	type primary;
+	file "tsigzone.db";
+	allow-transfer { !rejectkeys; !rejectaddrs; !check1; !check2; any; };
+};
diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in
new file mode 100644
index 0000000..f43f33c
--- /dev/null
+++ b/bin/tests/system/acl/ns2/named5.conf.in
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	ixfr-from-differences yes;
+	check-integrity no;
+	allow-query-on { 10.53.0.2; };
+	blackhole { 10.53.0.8; };
+};
+
+key one {
+	algorithm hmac-md5;
+	secret "1234abcd8765";
+};
+
+key two {
+	algorithm hmac-md5;
+	secret "1234abcd8765";
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+};
+
+zone "tsigzone" {
+	type primary;
+	file "tsigzone.db";
+	allow-transfer { !key one; any; };
+};
diff --git a/bin/tests/system/acl/ns3/example.db b/bin/tests/system/acl/ns3/example.db
new file mode 100644
index 0000000..34fe9e5
--- /dev/null
+++ b/bin/tests/system/acl/ns3/example.db
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	ns root (
+				2000082401 ; serial
+				1800       ; refresh (30 minutes)
+				1800       ; retry (30 minutes)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
diff --git a/bin/tests/system/acl/ns3/named.conf.in b/bin/tests/system/acl/ns3/named.conf.in
new file mode 100644
index 0000000..fceed38
--- /dev/null
+++ b/bin/tests/system/acl/ns3/named.conf.in
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify no;
+	allow-new-zones yes;
+	allow-transfer { none; };
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
diff --git a/bin/tests/system/acl/ns4/example.db b/bin/tests/system/acl/ns4/example.db
new file mode 100644
index 0000000..91c8702
--- /dev/null
+++ b/bin/tests/system/acl/ns4/example.db
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	ns root (
+				2000082401 ; serial
+				1800       ; refresh (30 minutes)
+				1800       ; retry (30 minutes)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.4
diff --git a/bin/tests/system/acl/ns4/existing.db b/bin/tests/system/acl/ns4/existing.db
new file mode 100644
index 0000000..91c8702
--- /dev/null
+++ b/bin/tests/system/acl/ns4/existing.db
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	ns root (
+				2000082401 ; serial
+				1800       ; refresh (30 minutes)
+				1800       ; retry (30 minutes)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.4
diff --git a/bin/tests/system/acl/ns4/named.conf.in b/bin/tests/system/acl/ns4/named.conf.in
new file mode 100644
index 0000000..6389c33
--- /dev/null
+++ b/bin/tests/system/acl/ns4/named.conf.in
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify no;
+	allow-new-zones yes;
+	allow-transfer { none; };
+};
+
+controls {
+	inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+zone "existing" {
+	type primary;
+	file "existing.db";
+};
diff --git a/bin/tests/system/acl/setup.sh b/bin/tests/system/acl/setup.sh
new file mode 100644
index 0000000..2f2db71
--- /dev/null
+++ b/bin/tests/system/acl/setup.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+$SHELL ../genzone.sh 2 3 >ns2/example.db
+$SHELL ../genzone.sh 2 3 >ns2/tsigzone.db
+copy_setports ns2/named1.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh
new file mode 100644
index 0000000..19e5c8f
--- /dev/null
+++ b/bin/tests/system/acl/tests.sh
@@ -0,0 +1,228 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}"
+RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
+
+status=0
+t=0
+
+echo_i "testing basic ACL processing"
+# key "one" should fail
+t=`expr $t + 1`
+$DIG $DIGOPTS tsigzone. \
+	@10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
+grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+
+
+# any other key should be fine
+t=`expr $t + 1`
+$DIG $DIGOPTS tsigzone. \
+	@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
+grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+
+copy_setports ns2/named2.conf.in ns2/named.conf
+rndc_reload ns2 10.53.0.2
+sleep 5
+
+# prefix 10/8 should fail
+t=`expr $t + 1`
+$DIG $DIGOPTS tsigzone. \
+	@10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
+grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+
+# any other address should work, as long as it sends key "one"
+t=`expr $t + 1`
+$DIG $DIGOPTS tsigzone. \
+	@10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
+grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+
+t=`expr $t + 1`
+$DIG $DIGOPTS tsigzone. \
+	@10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
+grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+
+echo_i "testing nested ACL processing"
+# all combinations of 10.53.0.{1|2} with key {one|two}, should succeed
+copy_setports ns2/named3.conf.in ns2/named.conf
+rndc_reload ns2 10.53.0.2
+sleep 5
+
+# should succeed
+t=`expr $t + 1`
+$DIG $DIGOPTS tsigzone. \
+	@10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t}
+grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+
+# should succeed
+t=`expr $t + 1`
+$DIG $DIGOPTS tsigzone. \
+	@10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t}
+grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+
+# should succeed
+t=`expr $t + 1`
+$DIG $DIGOPTS tsigzone. \
+	@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
+grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+
+# should succeed
+t=`expr $t + 1`
+$DIG $DIGOPTS tsigzone. \
+	@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
+grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+
+# but only one or the other should fail
+t=`expr $t + 1`
+$DIG $DIGOPTS tsigzone. \
+	@10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
+grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+
+t=`expr $t + 1`
+$DIG $DIGOPTS tsigzone. \
+	@10.53.0.2 -b 10.53.0.2 axfr > dig.out.${t}
+grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1; }
+
+# and other values? right out
+t=`expr $t + 1`
+$DIG $DIGOPTS tsigzone. \
+	@10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:three:1234abcd8765" > dig.out.${t}
+grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+
+# now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two
+copy_setports ns2/named4.conf.in ns2/named.conf
+rndc_reload ns2 10.53.0.2
+sleep 5
+
+# should succeed
+t=`expr $t + 1`
+$DIG $DIGOPTS tsigzone. \
+	@10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t}
+grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+
+# should succeed
+t=`expr $t + 1`
+$DIG $DIGOPTS tsigzone. \
+	@10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
+grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+
+# should fail
+t=`expr $t + 1`
+$DIG $DIGOPTS tsigzone. \
+	@10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t}
+grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+
+# should fail
+t=`expr $t + 1`
+$DIG $DIGOPTS tsigzone. \
+	@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
+grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+
+# should fail
+t=`expr $t + 1`
+$DIG $DIGOPTS tsigzone. \
+	@10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 > dig.out.${t}
+grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+
+echo_i "testing allow-query-on ACL processing"
+copy_setports ns2/named5.conf.in ns2/named.conf
+rndc_reload ns2 10.53.0.2
+sleep 5
+t=`expr $t + 1`
+$DIG -p ${PORT} +tcp soa example. \
+	@10.53.0.2 -b 10.53.0.3 > dig.out.${t}
+grep "status: NOERROR" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+
+echo_i "testing blackhole ACL processing"
+t=`expr $t + 1`
+ret=0
+$DIG -p ${PORT} +tcp soa example. \
+	@10.53.0.2 -b 10.53.0.3 > dig.out.1.${t}
+grep "status: NOERROR" dig.out.1.${t} > /dev/null 2>&1 || ret=1
+$DIG -p ${PORT} +tcp soa example. \
+	@10.53.0.2 -b 10.53.0.8 > dig.out.2.${t}
+grep "status: NOERROR" dig.out.2.${t} > /dev/null 2>&1 && ret=1
+grep "communications error" dig.out.2.${t} > /dev/null 2>&1 || ret=1
+$DIG -p ${PORT} soa example. \
+	@10.53.0.2 -b 10.53.0.3 > dig.out.3.${t}
+grep "status: NOERROR" dig.out.3.${t} > /dev/null 2>&1 || ret=1
+$DIG -p ${PORT} soa example. \
+	@10.53.0.2 -b 10.53.0.8 > dig.out.4.${t}
+grep "status: NOERROR" dig.out.4.${t} > /dev/null 2>&1 && ret=1
+grep "connection timed out" dig.out.4.${t} > /dev/null 2>&1 || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+# AXFR tests against ns3
+
+echo_i "testing allow-transfer ACLs against ns3 (no existing zones)"
+
+echo_i "calling addzone example.com on ns3"
+$RNDCCMD 10.53.0.3 addzone 'example.com {type primary; file "example.db"; }; '
+sleep 1
+
+t=`expr $t + 1`
+ret=0
+echo_i "checking AXFR of example.com from ns3 with ACL allow-transfer { none; }; (${t})"
+$DIG -p ${PORT} @10.53.0.3 example.com axfr > dig.out.${t} 2>&1
+grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+echo_i "calling rndc reconfig"
+rndc_reconfig ns3 10.53.0.3
+
+sleep 1
+
+t=`expr $t + 1`
+ret=0
+echo_i "re-checking AXFR of example.com from ns3 with ACL allow-transfer { none; }; (${t})"
+$DIG -p ${PORT} @10.53.0.3 example.com axfr > dig.out.${t} 2>&1
+grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+# AXFR tests against ns4
+
+echo_i "testing allow-transfer ACLs against ns4 (1 pre-existing zone)"
+
+echo_i "calling addzone example.com on ns4"
+$RNDCCMD 10.53.0.4 addzone 'example.com {type primary; file "example.db"; }; '
+sleep 1
+
+t=`expr $t + 1`
+ret=0
+echo_i "checking AXFR of example.com from ns4 with ACL allow-transfer { none; }; (${t})"
+$DIG -p ${PORT} @10.53.0.4 example.com axfr > dig.out.${t} 2>&1
+grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+echo_i "calling rndc reconfig"
+rndc_reconfig ns4 10.53.0.4
+
+sleep 1
+
+t=`expr $t + 1`
+ret=0
+echo_i "re-checking AXFR of example.com from ns4 with ACL allow-transfer { none; }; (${t})"
+$DIG -p ${PORT} @10.53.0.4 example.com axfr > dig.out.${t} 2>&1
+grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/additional/clean.sh b/bin/tests/system/additional/clean.sh
new file mode 100644
index 0000000..c43c36e
--- /dev/null
+++ b/bin/tests/system/additional/clean.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Clean up after tests.
+#
+
+rm -f dig.out.*
+rm -f */named.memstats
+rm -f */named.conf
+rm -f */named.run
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/additional/ns1/mx.db b/bin/tests/system/additional/ns1/mx.db
new file mode 100644
index 0000000..6305e8b
--- /dev/null
+++ b/bin/tests/system/additional/ns1/mx.db
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 86400
+@	IN	SOA	ns1 hostmaster ( 2 8H 2H 4W 1D );
+		NS	ns1
+		MX	0 mail
+ns1		A	10.53.0.1
+mail		A	1.2.3.4
+_25._tcp.mail	TLSA	3 0 1 5B30F9602297D558EB719162C225088184FAA32CA45E1ED15DE58A21 D9FCE383
diff --git a/bin/tests/system/additional/ns1/named.args b/bin/tests/system/additional/ns1/named.args
new file mode 100644
index 0000000..15aa849
--- /dev/null
+++ b/bin/tests/system/additional/ns1/named.args
@@ -0,0 +1,2 @@
+# this server runs named with only one worker thread
+-m record,size,mctx -c named.conf -d 99 -D additional-ns1 -X named.lock -g -n 1 -T maxcachesize=2097152
diff --git a/bin/tests/system/additional/ns1/named1.conf.in b/bin/tests/system/additional/ns1/named1.conf.in
new file mode 100644
index 0000000..d058d1e
--- /dev/null
+++ b/bin/tests/system/additional/ns1/named1.conf.in
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	recursion no;
+	dnssec-validation no;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	notify no;
+	minimal-responses yes;
+};
+
+include "../../common/rndc.key";
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+        type primary;
+        file "root.db";
+};
+
+zone "rt.example" {
+	type primary;
+	file "rt.db";
+};
+
+zone "naptr.example" {
+	type primary;
+	file "naptr.db";
+};
+
+zone "rt2.example" {
+	type primary;
+	file "rt2.db";
+};
+
+zone "naptr2.example" {
+	type primary;
+	file "naptr2.db";
+};
+
+zone "nid.example" {
+	type primary;
+	file "nid.db";
+};
diff --git a/bin/tests/system/additional/ns1/named2.conf.in b/bin/tests/system/additional/ns1/named2.conf.in
new file mode 100644
index 0000000..56c6d4b
--- /dev/null
+++ b/bin/tests/system/additional/ns1/named2.conf.in
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	recursion no;
+	dnssec-validation no;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	notify no;
+	minimal-responses no;
+};
+
+include "../../common/rndc.key";
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+        type primary;
+        file "root.db";
+};
+
+zone "rt.example" {
+	type primary;
+	file "rt.db";
+};
+
+zone "naptr.example" {
+	type primary;
+	file "naptr.db";
+};
+
+zone "rt2.example" {
+	type primary;
+	file "rt2.db";
+};
+
+zone "naptr2.example" {
+	type primary;
+	file "naptr2.db";
+};
+
+zone "nid.example" {
+	type primary;
+	file "nid.db";
+};
diff --git a/bin/tests/system/additional/ns1/named3.conf.in b/bin/tests/system/additional/ns1/named3.conf.in
new file mode 100644
index 0000000..ad453a3
--- /dev/null
+++ b/bin/tests/system/additional/ns1/named3.conf.in
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	recursion no;
+	dnssec-validation no;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	notify no;
+	minimal-any yes;
+	minimal-responses no-auth;
+};
+
+include "../../common/rndc.key";
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+        type primary;
+        file "root.db";
+};
+
+zone "rt.example" {
+	type primary;
+	file "rt.db";
+};
+
+zone "naptr.example" {
+	type primary;
+	file "naptr.db";
+};
+
+zone "rt2.example" {
+	type primary;
+	file "rt2.db";
+};
+
+zone "naptr2.example" {
+	type primary;
+	file "naptr2.db";
+};
+
+zone "nid.example" {
+	type primary;
+	file "nid.db";
+};
diff --git a/bin/tests/system/additional/ns1/named4.conf.in b/bin/tests/system/additional/ns1/named4.conf.in
new file mode 100644
index 0000000..69479b9
--- /dev/null
+++ b/bin/tests/system/additional/ns1/named4.conf.in
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	recursion no;
+	dnssec-validation no;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	notify no;
+	minimal-responses no-auth-recursive;
+};
+
+include "../../common/rndc.key";
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+        type primary;
+        file "root.db";
+};
+
+zone "mx.example" {
+	type primary;
+	file "mx.db";
+};
+
+zone "srv.example" {
+	type primary;
+	file "srv.db";
+};
+
+zone "rt.example" {
+	type primary;
+	file "rt.db";
+};
+
+zone "naptr.example" {
+	type primary;
+	file "naptr.db";
+};
+
+zone "rt2.example" {
+	type primary;
+	file "rt2.db";
+};
+
+zone "naptr2.example" {
+	type primary;
+	file "naptr2.db";
+};
+
+zone "nid.example" {
+	type primary;
+	file "nid.db";
+};
diff --git a/bin/tests/system/additional/ns1/naptr.db b/bin/tests/system/additional/ns1/naptr.db
new file mode 100644
index 0000000..51d3c85
--- /dev/null
+++ b/bin/tests/system/additional/ns1/naptr.db
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 86400
+@ IN SOA ns1 hostmaster ( 2 8H 2H 4W 1D );
+    NS ns1
+ns1 A 10.53.0.1
+
+nap IN NAPTR 50 50 "S" "SIPS+D2T" "" server
+server SRV 0 0 5061 server
+server A 192.168.2.9
+server AAAA 192::9
diff --git a/bin/tests/system/additional/ns1/naptr2.db b/bin/tests/system/additional/ns1/naptr2.db
new file mode 100644
index 0000000..78ca4ad
--- /dev/null
+++ b/bin/tests/system/additional/ns1/naptr2.db
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 86400
+@ IN SOA ns1 hostmaster ( 2 8H 2H 4W 1D );
+    NS ns1
+ns1 A 10.53.0.1
+
+nap IN NAPTR 50 50 "S" "SIPS+D2T" "" server.hang3a.zone.
+www AAAA 192::99
+www A 192.168.2.99
+www X25 100099
diff --git a/bin/tests/system/additional/ns1/nid.db b/bin/tests/system/additional/ns1/nid.db
new file mode 100644
index 0000000..f76b52e
--- /dev/null
+++ b/bin/tests/system/additional/ns1/nid.db
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 86400
+@ IN SOA ns1 hostmaster ( 2 8H 2H 4W 1D );
+    NS ns1
+ns1 A 10.53.0.1
+
+ns1 NID 2 0:0:0:0
+ns1 L64 2 0:0:0:0
+ns1 L32 2 0.0.0.0
+nid2 NID 2 0:0:0:1
+nid2 LP 2 ns1
diff --git a/bin/tests/system/additional/ns1/root.db b/bin/tests/system/additional/ns1/root.db
new file mode 100644
index 0000000..94cfdda
--- /dev/null
+++ b/bin/tests/system/additional/ns1/root.db
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. IN SOA ns2. hostmaster ( 2 8H 2H 4W 1D);
+. NS ns1.rt.example.
+. NS ns2.rt.example.
+ns1.rt.example. A 10.53.0.1
+ns2.rt.example. A 10.53.0.2
+rt.example. NS ns1.
+naptr.example. NS ns1.
+rt2.example. NS ns1.
+naptr2.example. NS ns1.
+nid.example. NS ns1.
diff --git a/bin/tests/system/additional/ns1/rt.db b/bin/tests/system/additional/ns1/rt.db
new file mode 100644
index 0000000..c858f0d
--- /dev/null
+++ b/bin/tests/system/additional/ns1/rt.db
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 86400
+@ IN SOA ns1 hostmaster ( 2 8H 2H 4W 1D );
+    NS ns1
+    NS ns1.rt2.example.
+ns1 A 10.53.0.1
+
+rt RT 2 www
+www AAAA 192::99
+www A 192.168.2.99
+www X25 100099
diff --git a/bin/tests/system/additional/ns1/rt2.db b/bin/tests/system/additional/ns1/rt2.db
new file mode 100644
index 0000000..b61a198
--- /dev/null
+++ b/bin/tests/system/additional/ns1/rt2.db
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 86400
+@ IN SOA ns1 hostmaster ( 2 8H 2H 4W 1D );
+    NS ns1
+ns1 A 10.53.0.1
+
+rt RT 2 www.hang3b.zone.
+server SRV 0 0 5061 server
+server A 192.168.2.9
+server AAAA 192::9
diff --git a/bin/tests/system/additional/ns1/srv.db b/bin/tests/system/additional/ns1/srv.db
new file mode 100644
index 0000000..0aee21a
--- /dev/null
+++ b/bin/tests/system/additional/ns1/srv.db
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 86400
+@	IN	SOA	ns1 hostmaster ( 2 8H 2H 4W 1D );
+		NS	ns1
+ns1		A	10.53.0.1
+_xmpp-client._tcp SRV     1 0 5222 server
+server		A	1.2.3.4
+_5222._tcp.server	TLSA	3 0 1 5B30F9602297D558EB719162C225088184FAA32CA45E1ED15DE58A21 D9FCE383
diff --git a/bin/tests/system/additional/ns2/named.conf.in b/bin/tests/system/additional/ns2/named.conf.in
new file mode 100644
index 0000000..dae255d
--- /dev/null
+++ b/bin/tests/system/additional/ns2/named.conf.in
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	recursion no;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	notify no;
+	minimal-responses yes;
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
diff --git a/bin/tests/system/additional/ns2/root.db b/bin/tests/system/additional/ns2/root.db
new file mode 100644
index 0000000..728bdde
--- /dev/null
+++ b/bin/tests/system/additional/ns2/root.db
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. IN SOA ns2. hostmaster ( 2 8H 2H 4W 1D);
+. NS ns2.
+ns1. A 10.53.0.1
+ns2. A 10.53.0.2
+rt.example. NS ns1.
+naptr.example. NS ns1.
+rt2.example. NS ns1.
+naptr2.example. NS ns1.
+nid.example. NS ns1.
+
diff --git a/bin/tests/system/additional/ns3/ex.db b/bin/tests/system/additional/ns3/ex.db
new file mode 100644
index 0000000..c893a84
--- /dev/null
+++ b/bin/tests/system/additional/ns3/ex.db
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 86400
+@ IN SOA ns1 hostmaster ( 2 8H 2H 4W 1D );
+    NS ns1
+    NS ns1.ex2.
+ns1 A 10.53.0.1
diff --git a/bin/tests/system/additional/ns3/ex2.db b/bin/tests/system/additional/ns3/ex2.db
new file mode 100644
index 0000000..f9039cf
--- /dev/null
+++ b/bin/tests/system/additional/ns3/ex2.db
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 86400
+@ IN SOA ns1 hostmaster ( 2 8H 2H 4W 1D );
+    NS ns1
+ns1 A 10.53.0.1
diff --git a/bin/tests/system/additional/ns3/named.conf.in b/bin/tests/system/additional/ns3/named.conf.in
new file mode 100644
index 0000000..2bd01c9
--- /dev/null
+++ b/bin/tests/system/additional/ns3/named.conf.in
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	minimal-responses no;
+};
+
+zone "." {
+	type hint;
+	file "root.hint";
+};
+
+zone "ex" {
+	type primary;
+	file "ex.db";
+};
+
+zone "ex2" {
+	type primary;
+	file "ex2.db";
+};
diff --git a/bin/tests/system/additional/ns3/root.hint b/bin/tests/system/additional/ns3/root.hint
new file mode 100644
index 0000000..ef6ee6f
--- /dev/null
+++ b/bin/tests/system/additional/ns3/root.hint
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. NS ns2.
+ns2. A 10.53.0.2
diff --git a/bin/tests/system/additional/setup.sh b/bin/tests/system/additional/setup.sh
new file mode 100644
index 0000000..62fe66a
--- /dev/null
+++ b/bin/tests/system/additional/setup.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+copy_setports ns1/named1.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
diff --git a/bin/tests/system/additional/tests.sh b/bin/tests/system/additional/tests.sh
new file mode 100644
index 0000000..fbb9ce0
--- /dev/null
+++ b/bin/tests/system/additional/tests.sh
@@ -0,0 +1,378 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="-p ${PORT}"
+RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
+
+status=0
+n=0
+
+dotests() {
+    n=`expr $n + 1`
+    echo_i "test with RT, single zone (+rec) ($n)"
+    ret=0
+    $DIG $DIGOPTS +rec -t RT rt.rt.example @10.53.0.1 > dig.out.$n || ret=1
+    if [ $ret -eq 1 ] ; then
+            echo_i "failed"; status=$((status+1))
+    fi
+
+    n=`expr $n + 1`
+    echo_i "test with RT, two zones (+rec) ($n)"
+    ret=0
+    $DIG $DIGOPTS +rec -t RT rt.rt2.example @10.53.0.1 > dig.out.$n || ret=1
+    if [ $ret -eq 1 ] ; then
+            echo_i "failed"; status=$((status+1))
+    fi
+
+    n=`expr $n + 1`
+    echo_i "test with NAPTR, single zone (+rec) ($n)"
+    ret=0
+    $DIG $DIGOPTS +rec -t NAPTR nap.naptr.example @10.53.0.1 > dig.out.$n || ret=1
+    if [ $ret -eq 1 ] ; then
+            echo_i "failed"; status=$((status+1))
+    fi
+
+    n=`expr $n + 1`
+    echo_i "test with NAPTR, two zones (+rec) ($n)"
+    ret=0
+    $DIG $DIGOPTS +rec -t NAPTR nap.hang3b.example @10.53.0.1 > dig.out.$n || ret=1
+    if [ $ret -eq 1 ] ; then
+            echo_i "failed"; status=$((status+1))
+    fi
+
+    n=`expr $n + 1`
+    echo_i "test with LP (+rec) ($n)"
+    ret=0
+    $DIG $DIGOPTS +rec -t LP nid2.nid.example @10.53.0.1 > dig.out.$n || ret=1
+    case $minimal in
+    no)
+      grep -w "NS" dig.out.$n > /dev/null || ret=1
+      grep -w "L64" dig.out.$n > /dev/null || ret=1
+      grep -w "L32" dig.out.$n > /dev/null || ret=1
+      ;;
+    yes)
+      grep -w "NS" dig.out.$n > /dev/null && ret=1
+      grep -w "L64" dig.out.$n > /dev/null && ret=1
+      grep -w "L32" dig.out.$n > /dev/null && ret=1
+      ;;
+    no-auth)
+      grep -w "NS" dig.out.$n > /dev/null && ret=1
+      grep -w "L64" dig.out.$n > /dev/null || ret=1
+      grep -w "L32" dig.out.$n > /dev/null || ret=1
+      ;;
+    no-auth-recursive)
+      grep -w "NS" dig.out.$n > /dev/null && ret=1
+      grep -w "L64" dig.out.$n > /dev/null || ret=1
+      grep -w "L32" dig.out.$n > /dev/null || ret=1
+      ;;
+    esac
+    if [ $ret -eq 1 ] ; then
+            echo_i "failed"; status=$((status+1))
+    fi
+
+    n=`expr $n + 1`
+    echo_i "test with NID (+rec) ($n)"
+    ret=0
+    $DIG $DIGOPTS +rec -t NID ns1.nid.example @10.53.0.1 > dig.out.$n || ret=1
+    if [ $minimal = no ] ; then
+      # change && to || when we support NID additional processing
+      grep -w "L64" dig.out.$n > /dev/null && ret=1
+      grep -w "L32" dig.out.$n > /dev/null && ret=1
+    else
+      grep -w "L64" dig.out.$n > /dev/null && ret=1
+      grep -w "L32" dig.out.$n > /dev/null && ret=1
+    fi
+    if [ $ret -eq 1 ] ; then
+            echo_i "failed"; status=$((status+1))
+    fi
+
+    n=`expr $n + 1`
+    echo_i "test with NID + LP (+rec) ($n)"
+    ret=0
+    $DIG $DIGOPTS +rec -t NID nid2.nid.example @10.53.0.1 > dig.out.$n || ret=1
+    if [ $minimal = no ] ; then
+      # change && to || when we support NID additional processing
+      grep -w "LP" dig.out.$n > /dev/null && ret=1
+      grep -w "L64" dig.out.$n > /dev/null && ret=1
+      grep -w "L32" dig.out.$n > /dev/null && ret=1
+    else
+      grep -w "LP" dig.out.$n > /dev/null && ret=1
+      grep -w "L64" dig.out.$n > /dev/null && ret=1
+      grep -w "L32" dig.out.$n > /dev/null && ret=1
+    fi
+    if [ $ret -eq 1 ] ; then
+            echo_i "failed"; status=$((status+1))
+    fi
+
+    n=`expr $n + 1`
+    echo_i "test with RT, single zone (+norec) ($n)"
+    ret=0
+    $DIG $DIGOPTS +norec -t RT rt.rt.example @10.53.0.1 > dig.out.$n || ret=1
+    if [ $ret -eq 1 ] ; then
+            echo_i "failed"; status=$((status+1))
+    fi
+
+    n=`expr $n + 1`
+    echo_i "test with RT, two zones (+norec) ($n)"
+    ret=0
+    $DIG $DIGOPTS +norec -t RT rt.rt2.example @10.53.0.1 > dig.out.$n || ret=1
+    if [ $ret -eq 1 ] ; then
+            echo_i "failed"; status=$((status+1))
+    fi
+
+    n=`expr $n + 1`
+    echo_i "test with NAPTR, single zone (+norec) ($n)"
+    ret=0
+    $DIG $DIGOPTS +norec -t NAPTR nap.naptr.example @10.53.0.1 > dig.out.$n || ret=1
+    if [ $ret -eq 1 ] ; then
+            echo_i "failed"; status=$((status+1))
+    fi
+
+    n=`expr $n + 1`
+    echo_i "test with NAPTR, two zones (+norec) ($n)"
+    ret=0
+    $DIG $DIGOPTS +norec -t NAPTR nap.hang3b.example @10.53.0.1 > dig.out.$n || ret=1
+    if [ $ret -eq 1 ] ; then
+            echo_i "failed"; status=$((status+1))
+    fi
+
+    n=`expr $n + 1`
+    echo_i "test with LP (+norec) ($n)"
+    ret=0
+    $DIG $DIGOPTS +norec -t LP nid2.nid.example @10.53.0.1 > dig.out.$n || ret=1
+    case $minimal in
+    no)
+      grep -w "NS" dig.out.$n > /dev/null || ret=1
+      grep -w "L64" dig.out.$n > /dev/null || ret=1
+      grep -w "L32" dig.out.$n > /dev/null || ret=1
+      ;;
+    yes)
+      grep -w "NS" dig.out.$n > /dev/null && ret=1
+      grep -w "L64" dig.out.$n > /dev/null && ret=1
+      grep -w "L32" dig.out.$n > /dev/null && ret=1
+      ;;
+    no-auth)
+      grep -w "NS" dig.out.$n > /dev/null && ret=1
+      grep -w "L64" dig.out.$n > /dev/null || ret=1
+      grep -w "L32" dig.out.$n > /dev/null || ret=1
+      ;;
+    no-auth-recursive)
+      grep -w "NS" dig.out.$n > /dev/null || ret=1
+      grep -w "L64" dig.out.$n > /dev/null || ret=1
+      grep -w "L32" dig.out.$n > /dev/null || ret=1
+      ;;
+    esac
+    if [ $ret -eq 1 ] ; then
+            echo_i "failed"; status=$((status+1))
+    fi
+
+    n=`expr $n + 1`
+    echo_i "test with NID (+norec) ($n)"
+    ret=0
+    $DIG $DIGOPTS +norec -t NID ns1.nid.example @10.53.0.1 > dig.out.$n || ret=1
+    if [ $minimal = no ] ; then
+      # change && to || when we support NID additional processing
+      grep -w "L64" dig.out.$n > /dev/null && ret=1
+      grep -w "L32" dig.out.$n > /dev/null && ret=1
+    else
+      grep -w "L64" dig.out.$n > /dev/null && ret=1
+      grep -w "L32" dig.out.$n > /dev/null && ret=1
+    fi
+    if [ $ret -eq 1 ] ; then
+            echo_i "failed"; status=$((status+1))
+    fi
+
+    n=`expr $n + 1`
+    echo_i "test with NID + LP (+norec) ($n)"
+    ret=0
+    $DIG $DIGOPTS +norec -t NID nid2.nid.example @10.53.0.1 > dig.out.$n || ret=1
+    if [ $minimal = no ] ; then
+      # change && to || when we support NID additional processing
+      grep -w "LP" dig.out.$n > /dev/null && ret=1
+      grep -w "L64" dig.out.$n > /dev/null && ret=1
+      grep -w "L32" dig.out.$n > /dev/null && ret=1
+    else
+      grep -w "LP" dig.out.$n > /dev/null && ret=1
+      grep -w "L64" dig.out.$n > /dev/null && ret=1
+      grep -w "L32" dig.out.$n > /dev/null && ret=1
+    fi
+    if [ $ret -eq 1 ] ; then
+            echo_i "failed"; status=$((status+1))
+    fi
+
+    n=`expr $n + 1`
+    echo_i "test with NS, root zone ($n)"
+    ret=0
+    $DIG $DIGOPTS -t NS . @10.53.0.1 > dig.out.$n || ret=1
+    # Always expect glue for root priming queries, regardless $minimal
+    grep 'ADDITIONAL: 3' dig.out.$n > /dev/null || ret=1
+    if [ $ret -eq 1 ] ; then
+            echo_i "failed"; status=$((status+1))
+    fi
+
+    n=`expr $n + 1`
+    echo_i "test with NS, non-root zone ($n)"
+    ret=0
+    $DIG $DIGOPTS -t NS rt.example @10.53.0.1 > dig.out.$n || ret=1
+    case $minimal in
+    yes)
+      grep 'ADDITIONAL: 2' dig.out.$n > /dev/null || ret=1
+      ;;
+    no)
+      grep 'ADDITIONAL: 2' dig.out.$n > /dev/null || ret=1
+      ;;
+    no-auth)
+      grep 'ADDITIONAL: 2' dig.out.$n > /dev/null || ret=1
+      ;;
+    no-auth-recursive)
+      grep 'ADDITIONAL: 2' dig.out.$n > /dev/null || ret=1
+      ;;
+    esac
+    if [ $ret -eq 1 ] ; then
+            echo_i "failed"; status=$((status+1))
+    fi
+}
+
+echo_i "testing with 'minimal-responses yes;'"
+minimal=yes
+dotests
+
+echo_i "reconfiguring server: minimal-responses no"
+copy_setports ns1/named2.conf.in ns1/named.conf
+rndc_reconfig ns1 10.53.0.1
+
+echo_i "testing with 'minimal-responses no;'"
+minimal=no
+dotests
+
+n=`expr $n + 1`
+echo_i "testing with 'minimal-any no;' ($n)"
+ret=0
+$DIG $DIGOPTS -t ANY www.rt.example @10.53.0.1 > dig.out.$n || ret=1
+grep "ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2" dig.out.$n > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+    echo_i "failed"; status=$((status+1))
+fi
+
+echo_i "reconfiguring server: minimal-any yes"
+copy_setports ns1/named3.conf.in ns1/named.conf
+rndc_reconfig ns1 10.53.0.1
+
+n=`expr $n + 1`
+echo_i "testing with 'minimal-any yes;' over UDP ($n)"
+ret=0
+$DIG $DIGOPTS -t ANY +notcp www.rt.example @10.53.0.1 > dig.out.$n || ret=1
+grep "ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+    echo_i "failed"; status=$((status+1))
+fi
+n=`expr $n + 1`
+
+echo_i "testing with 'minimal-any yes;' over TCP ($n)"
+ret=0
+$DIG $DIGOPTS -t ANY +tcp www.rt.example @10.53.0.1 > dig.out.$n || ret=1
+grep "ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+    echo_i "failed"; status=$((status+1))
+fi
+
+n=`expr $n + 1`
+echo_i "testing with 'minimal-any yes;' over UDP ($n)"
+ret=0
+$DIG $DIGOPTS -t ANY +notcp www.rt.example @10.53.0.1 > dig.out.$n || ret=1
+grep "ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+    echo_i "failed"; status=$((status+1))
+fi
+
+echo_i "testing with 'minimal-responses no-auth;'"
+minimal=no-auth
+dotests
+
+echo_i "reconfiguring server: minimal-responses no-auth-recursive"
+copy_setports ns1/named4.conf.in ns1/named.conf
+rndc_reconfig ns1 10.53.0.1
+
+echo_i "testing with 'minimal-responses no-auth-recursive;'"
+minimal=no-auth-recursive
+dotests
+
+n=`expr $n + 1`
+echo_i "testing returning TLSA records with MX query ($n)"
+ret=0
+$DIG $DIGOPTS -t mx mx.example @10.53.0.1 > dig.out.$n || ret=1
+grep "mx\.example\..*MX.0 mail\.mx\.example" dig.out.$n > /dev/null || ret=1
+grep "mail\.mx\.example\..*A.1\.2\.3\.4" dig.out.$n > /dev/null || ret=1
+grep "_25\._tcp\.mail\.mx\.example\..*TLSA.3 0 1 5B30F9602297D558EB719162C225088184FAA32CA45E1ED15DE58A21 D9FCE383" dig.out.$n > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+    echo_i "failed"; status=$((status+1))
+fi
+
+n=`expr $n + 1`
+echo_i "testing returning TLSA records with SRV query ($n)"
+ret=0
+$DIG $DIGOPTS -t srv _xmpp-client._tcp.srv.example @10.53.0.1 > dig.out.$n || ret=1
+grep "_xmpp-client\._tcp\.srv\.example\..*SRV.1 0 5222 server\.srv\.example" dig.out.$n > /dev/null || ret=1
+grep "server\.srv\.example\..*A.1\.2\.3\.4" dig.out.$n > /dev/null || ret=1
+grep "_5222\._tcp\.server\.srv\.example\..*TLSA.3 0 1 5B30F9602297D558EB719162C225088184FAA32CA45E1ED15DE58A21 D9FCE383" dig.out.$n > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+    echo_i "failed"; status=$((status+1))
+fi
+
+echo_i "reconfiguring server: minimal-responses no"
+copy_setports ns1/named2.conf.in ns1/named.conf
+rndc_reconfig ns1 10.53.0.1
+
+n=`expr $n + 1`
+echo_i "testing NS handling in ANY responses (authoritative) ($n)"
+ret=0
+$DIG $DIGOPTS -t ANY rt.example @10.53.0.1 > dig.out.$n || ret=1
+grep "AUTHORITY: 0" dig.out.$n  > /dev/null || ret=1
+grep "NS[ 	]*ns" dig.out.$n  > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+    echo_i "failed"; status=$((status+1))
+fi
+
+n=`expr $n + 1`
+echo_i "testing NS handling in ANY responses (recursive) ($n)"
+ret=0
+$DIG $DIGOPTS -t ANY rt.example @10.53.0.3 > dig.out.$n || ret=1
+grep "AUTHORITY: 0" dig.out.$n  > /dev/null || ret=1
+grep "NS[ 	]*ns" dig.out.$n  > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+    echo_i "failed"; status=$((status+1))
+fi
+
+n=`expr $n + 1`
+echo_i "testing out-of-zone additional data from auth zones (authoritative) ($n)"
+ret=0
+$DIG $DIGOPTS -t NS rt.example @10.53.0.1 > dig.out.$n || ret=1
+grep "ADDITIONAL: 2" dig.out.$n  > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+    echo_i "failed"; status=$((status+1))
+fi
+
+n=`expr $n + 1`
+echo_i "testing out-of-zone additional data from auth zones (recursive) ($n)"
+ret=0
+$DIG $DIGOPTS -t NS ex @10.53.0.3 > dig.out.$n || ret=1
+grep "ADDITIONAL: 3" dig.out.$n  > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+    echo_i "failed"; status=$((status+1))
+fi
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/addzone/clean.sh b/bin/tests/system/addzone/clean.sh
new file mode 100644
index 0000000..5e94b5c
--- /dev/null
+++ b/bin/tests/system/addzone/clean.sh
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f ./dig.out.*
+rm -f ./rndc.out*
+rm -f ./showzone.out*
+rm -f ./zonestatus.out*
+rm -f ./*/named.conf
+rm -f ./*/named.memstats
+rm -f ./ns1/*.nzf ./ns1/*.nzf~
+rm -f ./ns1/*.nzd ./ns1/*.nzd-lock
+rm -f ./ns2/*.nzf ./ns2/*.nzf~
+rm -f ./ns2/*.nzd ./ns2/*.nzd-lock
+rm -f ./ns3/*.nzf ./ns3/*.nzf~
+rm -f ./ns3/*.nzd ./ns3/*.nzd-lock
+rm -f ./ns2/core*
+rm -f ./ns2/inline.db.jbk
+rm -f ./ns2/inline.db.signed
+rm -f ./ns2/inlinesec.bk*
+rm -rf ./ns2/new-zones
+rm -f ./ns*/named.lock
+rm -f ./ns*/named.run ./ns*/named.run.prev
+rm -f ./ns2/nzf-*
+rm -f ./ns3/named.conf
+rm -f ./ns3/*.nzf ./ns3/*.nzf~
+rm -f ./ns3/*.nzd ns3/*.nzd-lock
+rm -f ./ns3/inlinesec.db
+rm -f ./ns1/redirect.db
+rm -f ./ns2/redirect.db
+rm -f ./ns2/redirect.bk
+rm -f ./ns3/redirect.db
+rm -f ./ns*/managed-keys.bind* ns*/*.mkeys*
+rm -f ./nzd2nzf.out.*
+rm -f ./wait_for_message.*
diff --git a/bin/tests/system/addzone/ns1/inlinesec.db b/bin/tests/system/addzone/ns1/inlinesec.db
new file mode 100644
index 0000000..eb9d042
--- /dev/null
+++ b/bin/tests/system/addzone/ns1/inlinesec.db
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN inlinesec.example.
+$TTL 300	; 5 minutes
+@                       IN SOA	mname1. . (
+				1          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+ns2			A	10.53.0.2
+			MX	10 mail
+
+a			A	10.0.0.1
+mail			A	10.0.0.2
diff --git a/bin/tests/system/addzone/ns1/named.conf.in b/bin/tests/system/addzone/ns1/named.conf.in
new file mode 100644
index 0000000..afd7c31
--- /dev/null
+++ b/bin/tests/system/addzone/ns1/named.conf.in
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	allow-query { any; };
+	allow-new-zones yes;
+	recursion no;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "inlinesec.example" {
+	type primary;
+	file "inlinesec.db";
+};
+
+zone "." {
+	type redirect;
+	file "redirect.db";
+};
diff --git a/bin/tests/system/addzone/ns1/redirect.db.1 b/bin/tests/system/addzone/ns1/redirect.db.1
new file mode 100644
index 0000000..5dcdd1b
--- /dev/null
+++ b/bin/tests/system/addzone/ns1/redirect.db.1
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@	0	SOA	. . 0 0 0 0 0
+@	0	NS	.
diff --git a/bin/tests/system/addzone/ns1/redirect.db.2 b/bin/tests/system/addzone/ns1/redirect.db.2
new file mode 100644
index 0000000..4dcbdbc
--- /dev/null
+++ b/bin/tests/system/addzone/ns1/redirect.db.2
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@	0	SOA	. . 1 0 0 0 0
+@	0	NS	.
diff --git a/bin/tests/system/addzone/ns2/added.db b/bin/tests/system/addzone/ns2/added.db
new file mode 100644
index 0000000..286e717
--- /dev/null
+++ b/bin/tests/system/addzone/ns2/added.db
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+;$ORIGIN added.example.
+$TTL 300	; 5 minutes
+@                       IN SOA	mname1. . (
+				1          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+ns2			A	10.53.0.2
+			MX	10 mail
+
+a			A	10.0.0.1
+mail			A	10.0.0.2
diff --git a/bin/tests/system/addzone/ns2/default.nzf.in b/bin/tests/system/addzone/ns2/default.nzf.in
new file mode 100644
index 0000000..d9740f5
--- /dev/null
+++ b/bin/tests/system/addzone/ns2/default.nzf.in
@@ -0,0 +1,14 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone previous.example { type primary; file "previous.db"; };
diff --git a/bin/tests/system/addzone/ns2/hints.db b/bin/tests/system/addzone/ns2/hints.db
new file mode 100644
index 0000000..e0f186c
--- /dev/null
+++ b/bin/tests/system/addzone/ns2/hints.db
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 999999
+.			 IN NS	a.root-servers.nil.
+a.root-servers.nil.	 IN A	10.53.0.1
diff --git a/bin/tests/system/addzone/ns2/inline.db b/bin/tests/system/addzone/ns2/inline.db
new file mode 100644
index 0000000..c968104
--- /dev/null
+++ b/bin/tests/system/addzone/ns2/inline.db
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN inline.example.
+$TTL 300	; 5 minutes
+@                       IN SOA	mname1. . (
+				1          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+ns2			A	10.53.0.2
+			MX	10 mail
+
+a			A	10.0.0.1
+mail			A	10.0.0.2
diff --git a/bin/tests/system/addzone/ns2/named1.conf.in b/bin/tests/system/addzone/ns2/named1.conf.in
new file mode 100644
index 0000000..eb8519a
--- /dev/null
+++ b/bin/tests/system/addzone/ns2/named1.conf.in
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	allow-query { any; };
+	recursion no;
+	allow-new-zones yes;
+};
+
+include "../../common/rndc.key";
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "normal.example" {
+	type primary;
+	file "normal.db";
+};
+
+zone "finaldot.example." {
+	type primary;
+	file "normal.db";
+};
diff --git a/bin/tests/system/addzone/ns2/named2.conf.in b/bin/tests/system/addzone/ns2/named2.conf.in
new file mode 100644
index 0000000..33e45b9
--- /dev/null
+++ b/bin/tests/system/addzone/ns2/named2.conf.in
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; 10.53.0.4; };
+	listen-on-v6 { none; };
+	recursion no;
+};
+
+view internal {
+	match-clients { 10.53.0.2; };
+	allow-new-zones no;
+	recursion yes;
+
+	response-policy { zone "policy"; };
+
+	zone "." {
+		type hint;
+		file "../../common/root.hint";
+	};
+
+	zone "policy" {
+		type primary;
+		file "normal.db";
+	};
+};
+
+view external {
+	match-clients { any; };
+	allow-new-zones yes;
+
+	zone "." {
+		type hint;
+		file "../../common/root.hint";
+	};
+};
+
+# This view is only here to test that configuration context is cleaned
+# up correctly when using multiple named ACLs (regression test for RT #22739)
+acl match { none; };
+acl nobody { none; };
+view extra {
+	match-clients { match; };
+	allow-new-zones yes;
+	allow-transfer { nobody; };
+	allow-query { nobody; };
+	allow-recursion { nobody; };
+};
diff --git a/bin/tests/system/addzone/ns2/named3.conf.in b/bin/tests/system/addzone/ns2/named3.conf.in
new file mode 100644
index 0000000..697d279
--- /dev/null
+++ b/bin/tests/system/addzone/ns2/named3.conf.in
@@ -0,0 +1,77 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; 10.53.0.4; 10.53.0.5; };
+	listen-on-v6 { none; };
+	recursion no;
+	new-zones-directory "new-zones";
+};
+
+view internal {
+	match-clients { 10.53.0.2; };
+	allow-new-zones no;
+	recursion yes;
+
+	response-policy { zone "policy"; };
+
+	zone "." {
+		type hint;
+		file "../../common/root.hint";
+	};
+
+	zone "policy" {
+		type primary;
+		file "normal.db";
+	};
+};
+
+view directory {
+	match-clients { 10.53.0.5; };
+	allow-new-zones yes;
+
+	zone "." {
+		type hint;
+		file "../../common/root.hint";
+	};
+};
+
+view external {
+	match-clients { any; };
+	allow-new-zones yes;
+
+	zone "." {
+		type hint;
+		file "../../common/root.hint";
+	};
+};
+
+# This view is only here to test that configuration context is cleaned
+# up correctly when using multiple named ACLs (regression test for RT #22739)
+acl match { none; };
+acl nobody { none; };
+view extra {
+	match-clients { match; };
+	allow-new-zones yes;
+	allow-transfer { nobody; };
+	allow-query { nobody; };
+	allow-recursion { nobody; };
+};
diff --git a/bin/tests/system/addzone/ns2/normal.db b/bin/tests/system/addzone/ns2/normal.db
new file mode 100644
index 0000000..fa05638
--- /dev/null
+++ b/bin/tests/system/addzone/ns2/normal.db
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN normal.example.
+$TTL 300	; 5 minutes
+@                       IN SOA	mname1. . (
+				1          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+ns2			A	10.53.0.2
+			MX	10 mail
+
+a			A	10.0.0.1
+mail			A	10.0.0.2
diff --git a/bin/tests/system/addzone/ns2/previous.db b/bin/tests/system/addzone/ns2/previous.db
new file mode 100644
index 0000000..6d2e495
--- /dev/null
+++ b/bin/tests/system/addzone/ns2/previous.db
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN previous.example.
+$TTL 300	; 5 minutes
+@                       IN SOA	mname1. . (
+				1          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+ns2			A	10.53.0.2
+			MX	10 mail
+
+a			A	10.0.0.1
+mail			A	10.0.0.2
diff --git a/bin/tests/system/addzone/ns2/redirect.db.1 b/bin/tests/system/addzone/ns2/redirect.db.1
new file mode 100644
index 0000000..5dcdd1b
--- /dev/null
+++ b/bin/tests/system/addzone/ns2/redirect.db.1
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@	0	SOA	. . 0 0 0 0 0
+@	0	NS	.
diff --git a/bin/tests/system/addzone/ns2/redirect.db.2 b/bin/tests/system/addzone/ns2/redirect.db.2
new file mode 100644
index 0000000..4dcbdbc
--- /dev/null
+++ b/bin/tests/system/addzone/ns2/redirect.db.2
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@	0	SOA	. . 1 0 0 0 0
+@	0	NS	.
diff --git a/bin/tests/system/addzone/ns3/e.db b/bin/tests/system/addzone/ns3/e.db
new file mode 100644
index 0000000..7f74f0a
--- /dev/null
+++ b/bin/tests/system/addzone/ns3/e.db
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@	SOA	ns3 hostmaster 0 0 0 0 0
+@	NS	ns3
+ns3	A	10.53.0.3
diff --git a/bin/tests/system/addzone/ns3/example.db b/bin/tests/system/addzone/ns3/example.db
new file mode 100644
index 0000000..2bf4f8d
--- /dev/null
+++ b/bin/tests/system/addzone/ns3/example.db
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ IN SOA localhost. localhost.localhost. 1 10800 3600 605800 86400
+@ IN NS localhost.
diff --git a/bin/tests/system/addzone/ns3/named1.conf.in b/bin/tests/system/addzone/ns3/named1.conf.in
new file mode 100644
index 0000000..f1488f4
--- /dev/null
+++ b/bin/tests/system/addzone/ns3/named1.conf.in
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	allow-query { any; };
+	recursion no;
+	allow-new-zones yes;
+};
+
+zone "." {
+	type primary;
+	file "redirect.db";
+};
+
+primaries "test" {
+	192.5.5.241;
+};
diff --git a/bin/tests/system/addzone/ns3/named2.conf.in b/bin/tests/system/addzone/ns3/named2.conf.in
new file mode 100644
index 0000000..3b56d64
--- /dev/null
+++ b/bin/tests/system/addzone/ns3/named2.conf.in
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	allow-query { any; };
+	recursion no;
+	allow-new-zones yes;
+};
diff --git a/bin/tests/system/addzone/ns3/redirect.db.1 b/bin/tests/system/addzone/ns3/redirect.db.1
new file mode 100644
index 0000000..60a2622
--- /dev/null
+++ b/bin/tests/system/addzone/ns3/redirect.db.1
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@	0	SOA	. . 0 0 0 0 0
+@	0	NS	.
+@	0	A	127.0.0.1
diff --git a/bin/tests/system/addzone/ns3/redirect.db.2 b/bin/tests/system/addzone/ns3/redirect.db.2
new file mode 100644
index 0000000..3804fef
--- /dev/null
+++ b/bin/tests/system/addzone/ns3/redirect.db.2
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@	0	SOA	. . 1 0 0 0 0
+@	0	NS	.
+@	0	A	127.0.0.1
diff --git a/bin/tests/system/addzone/setup.sh b/bin/tests/system/addzone/setup.sh
new file mode 100644
index 0000000..0730553
--- /dev/null
+++ b/bin/tests/system/addzone/setup.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+cp -f ns1/redirect.db.1 ns1/redirect.db
+cp -f ns2/redirect.db.1 ns2/redirect.db
+cp -f ns3/redirect.db.1 ns3/redirect.db
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named1.conf.in ns2/named.conf
+copy_setports ns3/named1.conf.in ns3/named.conf
+
+cp -f ns2/default.nzf.in ns2/3bf305731dd26307.nzf
+mkdir ns2/new-zones
diff --git a/bin/tests/system/addzone/tests.sh b/bin/tests/system/addzone/tests.sh
new file mode 100755
index 0000000..b3e21c6
--- /dev/null
+++ b/bin/tests/system/addzone/tests.sh
@@ -0,0 +1,755 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="+tcp +nosea +nostat +nocmd +norec +noques +noauth +noadd +nostats +dnssec -p ${PORT}"
+RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
+
+check_zonestatus() (
+    $RNDCCMD "10.53.0.$1" zonestatus -redirect > "zonestatus.out.ns$1.$n" &&
+    grep "type: redirect" "zonestatus.out.ns$1.$n" > /dev/null &&
+    grep "serial: 1" "zonestatus.out.ns$1.$n" > /dev/null
+)
+
+status=0
+n=0
+
+echo_i "checking normally loaded zone ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# When LMDB support is compiled in, this tests that migration from
+# NZF to NZD occurs during named startup
+echo_i "checking previously added zone ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 a.previous.example a > dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.previous.example' dig.out.ns2.$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+if $FEATURETEST --with-lmdb; then
+    echo_i "checking that existing NZF file was renamed after migration ($n)"
+    [ -e ns2/3bf305731dd26307.nzf~ ] || ret=1
+    n=`expr $n + 1`
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=`expr $status + $ret`
+fi
+
+echo_i "adding new zone ($n)"
+ret=0
+$RNDCCMD 10.53.0.2 addzone 'added.example { type primary; file "added.db"; };' 2>&1 | sed 's/^/I:ns2 /'
+_check_adding_new_zone () (
+	$DIG $DIGOPTS @10.53.0.2 a.added.example a > dig.out.ns2.$n &&
+	grep 'status: NOERROR' dig.out.ns2.$n > /dev/null &&
+	grep '^a.added.example' dig.out.ns2.$n > /dev/null
+)
+retry_quiet 10 _check_adding_new_zone || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+nextpart ns2/named.run >/dev/null
+echo_i "checking addzone errors are logged correctly"
+ret=0
+$RNDCCMD 10.53.0.2 addzone bad.example '{ type mister; };' 2>&1 | grep 'unexpected token' > /dev/null 2>&1 || ret=1
+wait_for_log_peek 20 "addzone: 'mister' unexpected" ns2/named.run || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+nextpart ns2/named.run >/dev/null
+echo_i "checking modzone errors are logged correctly"
+ret=0
+$RNDCCMD 10.53.0.2 modzone added.example '{ type mister; };' 2>&1 | grep 'unexpected token' > /dev/null 2>&1 || ret=1
+wait_for_log_peek 20 "modzone: 'mister' unexpected" ns2/named.run || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "adding a zone that requires quotes ($n)"
+ret=0
+$RNDCCMD 10.53.0.2 addzone '"32/1.0.0.127-in-addr.added.example" {
+check-names ignore; type primary; file "added.db"; };' 2>&1 | sed 's/^/I:ns2 /'
+_check_zone_that_requires_quotes() (
+	$DIG $DIGOPTS @10.53.0.2 "a.32/1.0.0.127-in-addr.added.example" a > dig.out.ns2.$n &&
+	grep 'status: NOERROR' dig.out.ns2.$n > /dev/null &&
+	grep '^a.32/1.0.0.127-in-addr.added.example' dig.out.ns2.$n > /dev/null
+)
+retry_quiet 10 _check_zone_that_requires_quotes || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "adding a zone with a quote in the name ($n)"
+ret=0
+$RNDCCMD 10.53.0.2 addzone '"foo\"bar.example" { check-names ignore; type primary; file "added.db"; };' 2>&1 | sed 's/^/I:ns2 /'
+_check_zone_with_a_quote() (
+	$DIG $DIGOPTS @10.53.0.2 "a.foo\"bar.example" a > dig.out.ns2.$n &&
+	grep 'status: NOERROR' dig.out.ns2.$n > /dev/null &&
+	grep '^a.foo\\"bar.example' dig.out.ns2.$n > /dev/null
+)
+retry_quiet 10 _check_zone_with_a_quote || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "adding new zone with missing file ($n)"
+ret=0
+$DIG $DIGOPTS +all @10.53.0.2 a.missing.example a > dig.out.ns2.pre.$n || ret=1
+grep "status: REFUSED" dig.out.ns2.pre.$n > /dev/null || ret=1
+$RNDCCMD 10.53.0.2 addzone 'missing.example { type primary; file "missing.db"; };' 2> rndc.out.ns2.$n
+grep "file not found" rndc.out.ns2.$n > /dev/null || ret=1
+$DIG $DIGOPTS +all @10.53.0.2 a.missing.example a > dig.out.ns2.post.$n || ret=1
+grep "status: REFUSED" dig.out.ns2.post.$n > /dev/null || ret=1
+digcomp dig.out.ns2.pre.$n dig.out.ns2.post.$n || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+if ! $FEATURETEST --with-lmdb; then
+    echo_i "verifying no comments in NZF file ($n)"
+    ret=0
+    hcount=`grep "^# New zone file for view: _default" ns2/3bf305731dd26307.nzf | wc -l`
+    [ $hcount -eq 0 ] || ret=1
+    n=`expr $n + 1`
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=`expr $status + $ret`
+fi
+
+echo_i "checking rndc showzone with previously added zone ($n)"
+ret=0
+$RNDCCMD 10.53.0.2 showzone previous.example > rndc.out.ns2.$n
+expected='zone "previous.example" { type primary; file "previous.db"; };'
+[ "`cat rndc.out.ns2.$n`" = "$expected" ] || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+if $FEATURETEST --with-lmdb; then
+    echo_i "checking zone is present in NZD ($n)"
+    ret=0
+    $NZD2NZF ns2/_default.nzd | grep previous.example > /dev/null || ret=1
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=`expr $status + $ret`
+fi
+
+echo_i "deleting previously added zone ($n)"
+ret=0
+$RNDCCMD 10.53.0.2 delzone previous.example 2>&1 | sed 's/^/I:ns2 /'
+_check_deleting_previously_added_zone() (
+	$DIG $DIGOPTS @10.53.0.2 a.previous.example a > dig.out.ns2.$n &&
+	grep 'status: REFUSED' dig.out.ns2.$n > /dev/null &&
+	! grep '^a.previous.example' dig.out.ns2.$n > /dev/null
+)
+retry_quiet 10 _check_deleting_previously_added_zone || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+check_nzd2nzf() (
+	$NZD2NZF ns2/_default.nzd > nzd2nzf.out.$n &&
+	! grep previous.example nzd2nzf.out.$n > /dev/null
+)
+
+if $FEATURETEST --with-lmdb; then
+    echo_i "checking zone was deleted from NZD ($n)"
+    retry_quiet 10 check_nzd2nzf || ret=1
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=`expr $status + $ret`
+fi
+
+if ! $FEATURETEST --with-lmdb; then
+    echo_i "checking NZF file now has comment ($n)"
+    ret=0
+    hcount=`grep "^# New zone file for view: _default" ns2/3bf305731dd26307.nzf | wc -l`
+    [ $hcount -eq 1 ] || ret=1
+    n=`expr $n + 1`
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=`expr $status + $ret`
+fi
+
+echo_i "deleting newly added zone added.example ($n)"
+ret=0
+$RNDCCMD 10.53.0.2 delzone added.example 2>&1 | sed 's/^/I:ns2 /'
+_check_deleting_newly_added_zone() (
+	$DIG $DIGOPTS @10.53.0.2 a.added.example a > dig.out.ns2.$n &&
+	grep 'status: REFUSED' dig.out.ns2.$n > /dev/null &&
+	! grep '^a.added.example' dig.out.ns2.$n > /dev/null
+)
+retry_quiet 10 _check_deleting_newly_added_zone || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "deleting newly added zone with escaped quote ($n)"
+ret=0
+$RNDCCMD 10.53.0.2 delzone "foo\\\"bar.example" 2>&1 | sed 's/^/I:ns2 /'
+_check_deleting_newly_added_zone_quote() (
+	$DIG $DIGOPTS @10.53.0.2 "a.foo\"bar.example" a > dig.out.ns2.$n &&
+	grep 'status: REFUSED' dig.out.ns2.$n > /dev/null &&
+	! grep "^a.foo\"bar.example" dig.out.ns2.$n > /dev/null
+)
+retry_quiet 10 _check_deleting_newly_added_zone_quote || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking rndc showzone with a normally-loaded zone ($n)"
+ret=0
+$RNDCCMD 10.53.0.2 showzone normal.example > rndc.out.ns2.$n
+expected='zone "normal.example" { type primary; file "normal.db"; };'
+[ "`cat rndc.out.ns2.$n`" = "$expected" ] || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking rndc showzone with a normally-loaded zone with trailing dot ($n)"
+ret=0
+$RNDCCMD 10.53.0.2 showzone finaldot.example > rndc.out.ns2.$n
+expected='zone "finaldot.example." { type primary; file "normal.db"; };'
+[ "`cat rndc.out.ns2.$n`" = "$expected" ] || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking rndc showzone with a normally-loaded redirect zone ($n)"
+ret=0
+$RNDCCMD 10.53.0.1 showzone -redirect > rndc.out.ns1.$n
+expected='zone "." { type redirect; file "redirect.db"; };'
+[ "`cat rndc.out.ns1.$n`" = "$expected" ] || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking rndc zonestatus with a normally-loaded redirect zone ($n)"
+ret=0
+$RNDCCMD 10.53.0.1 zonestatus -redirect > rndc.out.ns1.$n
+grep "type: redirect" rndc.out.ns1.$n > /dev/null || ret=1
+grep "serial: 0" rndc.out.ns1.$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking rndc reload with a normally-loaded redirect zone ($n)"
+ret=0
+sleep 1
+cp -f ns1/redirect.db.2 ns1/redirect.db
+$RNDCCMD 10.53.0.1 reload -redirect > rndc.out.ns1.$n
+retry_quiet 5 check_zonestatus 1 || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "delete a normally-loaded zone ($n)"
+ret=0
+$RNDCCMD 10.53.0.2 delzone normal.example > rndc.out.ns2.$n 2>&1
+grep "is no longer active and will be deleted" rndc.out.ns2.$n > /dev/null || ret=11
+grep "To keep it from returning when the server is restarted" rndc.out.ns2.$n > /dev/null || ret=1
+grep "must also be removed from named.conf." rndc.out.ns2.$n > /dev/null || ret=1
+_check_delete_normally_loaded_zone() (
+	$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n &&
+	grep 'status: REFUSED' dig.out.ns2.$n > /dev/null
+)
+retry_quiet 5 _check_delete_normally_loaded_zone || ret=1
+
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "attempting to add primary zone with inline signing ($n)"
+$RNDCCMD 10.53.0.2 addzone 'inline.example { type primary; file "inline.db"; inline-signing yes; };' 2>&1 | sed 's/^/I:ns2 /'
+_check_add_primary_zone_with_inline() (
+	$DIG $DIGOPTS @10.53.0.2 a.inline.example a > dig.out.ns2.$n &&
+	grep 'status: NOERROR' dig.out.ns2.$n > /dev/null &&
+	grep '^a.inline.example' dig.out.ns2.$n > /dev/null
+)
+retry_quiet 5 _check_add_primary_zone_with_inline || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "attempting to add primary zone with inline signing and missing file ($n)"
+ret=0
+$RNDCCMD 10.53.0.2 addzone 'inlinemissing.example { type primary; file "missing.db"; inline-signing yes; };' 2> rndc.out.ns2.$n
+grep "file not found" rndc.out.ns2.$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "attempting to add secondary zone with inline signing ($n)"
+$RNDCCMD 10.53.0.2 addzone 'inlinesec.example { type secondary; primaries { 10.53.0.1; }; file "inlinesec.bk"; inline-signing yes; };' 2>&1 | sed 's/^/I:ns2 /'
+_check_add_secondary_with_inline() (
+	$DIG $DIGOPTS @10.53.0.2 a.inlinesec.example a > dig.out.ns2.$n &&
+	grep 'status: NOERROR' dig.out.ns2.$n > /dev/null &&
+	grep '^a.inlinesec.example' dig.out.ns2.$n > /dev/null
+)
+retry_quiet 5 _check_add_secondary_with_inline || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "attempting to delete secondary zone with inline signing ($n)"
+ret=0
+retry_quiet 10 test -f ns2/inlinesec.bk.signed -a -f ns2/inlinesec.bk || ret=1
+$RNDCCMD 10.53.0.2 delzone inlinesec.example > rndc.out2.test$n 2>&1 || ret=1
+test -f inlinesec.bk ||
+grep '^inlinesec.bk$' rndc.out2.test$n > /dev/null || {
+	echo_i "failed to report inlinesec.bk"; ret=1;
+}
+test ! -f inlinesec.bk.signed ||
+grep '^inlinesec.bk.signed$' rndc.out2.test$n > /dev/null || {
+	echo_i "failed to report inlinesec.bk.signed"; ret=1;
+}
+n=`expr $n + 1`
+status=`expr $status + $ret`
+
+echo_i "restoring secondary zone with inline signing ($n)"
+$RNDCCMD 10.53.0.2 addzone 'inlinesec.example { type secondary; primaries { 10.53.0.1; }; file "inlinesec.bk"; inline-signing yes; };' 2>&1 | sed 's/^/I:ns2 /'
+_check_restoring_secondary_with_inline() (
+	$DIG $DIGOPTS @10.53.0.2 a.inlinesec.example a > dig.out.ns2.$n &&
+	grep 'status: NOERROR' dig.out.ns2.$n > /dev/null &&
+	grep '^a.inlinesec.example' dig.out.ns2.$n > /dev/null
+)
+retry_quiet 5 _check_restoring_secondary_with_inline || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "deleting secondary zone with automatic zone file removal ($n)"
+ret=0
+retry_quiet 10 test -f ns2/inlinesec.bk.signed -a -f ns2/inlinesec.bk || ret=1
+$RNDCCMD 10.53.0.2 delzone -clean inlinesec.example > /dev/null 2>&1
+retry_quiet 10 test ! -f ns2/inlinesec.bk.signed -a ! -f ns2/inlinesec.bk
+n=`expr $n + 1`
+status=`expr $status + $ret`
+
+echo_i "modifying zone configuration ($n)"
+ret=0
+$RNDCCMD 10.53.0.2 addzone 'mod.example { type primary; file "added.db"; };' 2>&1 | sed 's/^/ns2 /' | cat_i
+$DIG +norec $DIGOPTS @10.53.0.2 mod.example ns > dig.out.ns2.1.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.1.$n > /dev/null || ret=1
+$RNDCCMD 10.53.0.2 modzone 'mod.example { type primary; file "added.db"; allow-query { none; }; };' 2>&1 | sed 's/^/ns2 /' | cat_i
+$DIG +norec $DIGOPTS @10.53.0.2 mod.example ns > dig.out.ns2.2.$n || ret=1
+$RNDCCMD 10.53.0.2 showzone mod.example | grep 'allow-query { "none"; };' > /dev/null 2>&1 || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "check that adding a 'stub' zone works ($n)"
+ret=0
+$RNDCCMD 10.53.0.2 addzone 'stub.example { type stub; primaries { 1.2.3.4; }; file "stub.example.bk"; };' > rndc.out.ns2.$n 2>&1 || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "check that adding a 'static-stub' zone works ($n)"
+ret=0
+$RNDCCMD 10.53.0.2 addzone 'static-stub.example { type static-stub; server-addresses { 1.2.3.4; }; };' > rndc.out.ns2.$n 2>&1 || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "check that adding a 'primary redirect' zone works ($n)"
+ret=0
+$RNDCCMD 10.53.0.2 addzone '"." { type redirect; file "redirect.db"; };' > rndc.out.ns2.$n 2>&1 || ret=1
+_check_add_primary_redirect() (
+	$RNDCCMD 10.53.0.2 showzone -redirect > showzone.out.ns2.$n 2>&1 &&
+	grep "type redirect;" showzone.out.ns2.$n > /dev/null &&
+	$RNDCCMD 10.53.0.2 zonestatus -redirect > zonestatus.out.ns2.$n 2>&1 &&
+	grep "type: redirect" zonestatus.out.ns2.$n > /dev/null &&
+	grep "serial: 0" zonestatus.out.ns2.$n > /dev/null
+)
+retry_quiet 10 _check_add_primary_redirect || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "check that reloading a added 'primary redirect' zone works ($n)"
+ret=0
+sleep 1
+cp -f ns2/redirect.db.2 ns2/redirect.db
+$RNDCCMD 10.53.0.2 reload -redirect > rndc.out.ns2.$n
+retry_quiet 10 check_zonestatus 2 || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "check that retransfer of a added 'primary redirect' zone fails ($n)"
+ret=0
+$RNDCCMD 10.53.0.2 retransfer -redirect > rndc.out.ns2.$n 2>&1 && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "check that deleting a 'primary redirect' zone works ($n)"
+ret=0
+$RNDCCMD 10.53.0.2 delzone -redirect > rndc.out.ns2.$n 2>&1 || ret=1
+_check_deleting_primary_redirect() (
+	$RNDCCMD 10.53.0.2 showzone -redirect > showzone.out.ns2.$n 2>&1 || true
+	grep 'not found' showzone.out.ns2.$n > /dev/null
+)
+retry_quiet 10 _check_deleting_primary_redirect || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "check that adding a 'secondary redirect' zone works ($n)"
+ret=0
+$RNDCCMD 10.53.0.2 addzone '"." { type redirect; primaries { 10.53.0.3;}; file "redirect.bk"; };' > rndc.out.ns2.$n 2>&1 || ret=1
+_check_adding_secondary_redirect() (
+	$RNDCCMD 10.53.0.2 showzone -redirect > showzone.out.ns2.$n 2>&1 &&
+	grep "type redirect;" showzone.out.ns2.$n > /dev/null &&
+	$RNDCCMD 10.53.0.2 zonestatus -redirect > zonestatus.out.ns2.$n 2>&1 &&
+	grep "type: redirect" zonestatus.out.ns2.$n > /dev/null &&
+	grep "serial: 0" zonestatus.out.ns2.$n > /dev/null
+)
+retry_quiet 10 _check_adding_secondary_redirect || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "check that retransfering a added 'secondary redirect' zone works ($n)"
+ret=0
+cp -f ns3/redirect.db.2 ns3/redirect.db
+$RNDCCMD 10.53.0.3 reload . > showzone.out.ns3.$n 2>&1 || ret=1
+_check_retransfering_secondary_redirect() (
+	$RNDCCMD 10.53.0.2 retransfer -redirect > rndc.out.ns2.$n 2>&1 &&
+	$RNDCCMD 10.53.0.2 zonestatus -redirect > zonestatus.out.ns2.$n 2>&1 &&
+	grep "type: redirect" zonestatus.out.ns2.$n > /dev/null &&
+	grep "serial: 1" zonestatus.out.ns2.$n > /dev/null
+)
+retry_quiet 10 _check_retransfering_secondary_redirect || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "check that deleting a 'secondary redirect' zone works ($n)"
+ret=0
+$RNDCCMD 10.53.0.2 delzone -redirect > rndc.out.ns2.$n 2>&1 || ret=1
+_check_deleting_secondary_redirect() (
+	$RNDCCMD 10.53.0.2 showzone -redirect > showzone.out.ns2.$n 2>&1 || true
+	grep 'not found' showzone.out.ns2.$n > /dev/null
+)
+retry_quiet 10 _check_deleting_secondary_redirect || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "check that zone type 'hint' is properly rejected ($n)"
+ret=0
+$RNDCCMD 10.53.0.2 addzone '"." { type hint; file "hints.db"; };' > rndc.out.ns2.$n 2>&1 && ret=1
+grep "zones not supported by addzone" rndc.out.ns2.$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "check that zone type 'forward' is properly rejected ($n)"
+ret=0
+$RNDCCMD 10.53.0.2 addzone 'forward.example { type forward; forwarders { 1.2.3.4; }; forward only; };' > rndc.out.ns2.$n 2>&1 && ret=1
+grep "zones not supported by addzone" rndc.out.ns2.$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "check that zone type 'delegation-only' is properly rejected ($n)"
+ret=0
+$RNDCCMD 10.53.0.2 addzone 'delegation-only.example { type delegation-only; };' > rndc.out.ns2.$n 2>&1 && ret=1
+grep "zones not supported by addzone" rndc.out.ns2.$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "check that 'in-view' zones are properly rejected ($n)"
+ret=0
+$RNDCCMD 10.53.0.2 addzone 'in-view.example { in-view "_default"; };' > rndc.out.ns2.$n 2>&1 && ret=1
+grep "zones not supported by addzone" rndc.out.ns2.$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "reconfiguring server with multiple views"
+rm -f ns2/named.conf
+copy_setports ns2/named2.conf.in ns2/named.conf
+rndc_reconfig ns2 10.53.0.2
+
+echo_i "adding new zone to external view ($n)"
+# NOTE: The internal view has "recursion yes" set, and so queries for
+# nonexistent zones should return NOERROR.  The external view is
+# "recursion no", so queries for nonexistent zones should return
+# REFUSED.  This behavior should be the same regardless of whether
+# the zone does not exist because a) it has not yet been loaded, b)
+# it failed to load, or c) it has been deleted.
+ret=0
+$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.intpre.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.intpre.$n > /dev/null || ret=1
+$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.extpre.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.extpre.$n > /dev/null || ret=1
+$RNDCCMD 10.53.0.2 addzone 'added.example in external { type primary; file "added.db"; };' 2>&1 | sed 's/^/I:ns2 /'
+$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.int.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.int.$n > /dev/null || ret=1
+$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.ext.$n > /dev/null || ret=1
+grep '^a.added.example' dig.out.ns2.ext.$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+if ! $FEATURETEST --with-lmdb; then
+    echo_i "checking new NZF file has comment ($n)"
+    ret=0
+    hcount=`grep "^# New zone file for view: external" ns2/external.nzf | wc -l`
+    [ $hcount -eq 1 ] || ret=1
+    n=`expr $n + 1`
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=`expr $status + $ret`
+fi
+
+if $FEATURETEST --with-lmdb; then
+    echo_i "verifying added.example in external view created an external.nzd DB ($n)"
+    ret=0
+    [ -e ns2/external.nzd ] || ret=1
+    n=`expr $n + 1`
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=`expr $status + $ret`
+fi
+
+echo_i "checking rndc reload causes named to reload the external view's new zone config ($n)"
+ret=0
+$RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/ns2 /' | cat_i
+_check_rndc_reload_external_view_config() (
+	$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.int.$n &&
+	grep 'status: NOERROR' dig.out.ns2.int.$n > /dev/null &&
+	$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n &&
+	grep 'status: NOERROR' dig.out.ns2.ext.$n > /dev/null &&
+	grep '^a.added.example' dig.out.ns2.ext.$n > /dev/null
+)
+retry_quiet 10 _check_rndc_reload_external_view_config || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking rndc showzone with newly added zone ($n)"
+_check_rndc_showzone_newly_added() (
+	if ! $FEATURETEST --with-lmdb; then
+		expected='zone "added.example" in external { type primary; file "added.db"; };'
+	else
+		expected='zone "added.example" { type primary; file "added.db"; };'
+	fi
+	$RNDCCMD 10.53.0.2 showzone added.example in external > rndc.out.ns2.$n 2>/dev/null &&
+	[ "`cat rndc.out.ns2.$n`" = "$expected" ]
+)
+retry_quiet 10  _check_rndc_showzone_newly_added || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "deleting newly added zone ($n)"
+ret=0
+$RNDCCMD 10.53.0.2 delzone 'added.example in external' 2>&1 | sed 's/^/I:ns2 /'
+_check_deleting_newly_added_zone() (
+	$DIG $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.$n &&
+	grep 'status: REFUSED' dig.out.ns2.$n > /dev/null &&
+	! grep '^a.added.example' dig.out.ns2.$n > /dev/null
+)
+retry_quiet 10 _check_deleting_newly_added_zone || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "attempting to add zone to internal view ($n)"
+ret=0
+$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.pre.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.pre.$n > /dev/null || ret=1
+$RNDCCMD 10.53.0.2 addzone 'added.example in internal { type primary; file "added.db"; };' 2> rndc.out.ns2.$n
+grep "permission denied" rndc.out.ns2.$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.int.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.int.$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.ext.$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "attempting to delete a policy zone ($n)"
+ret=0
+$RNDCCMD 10.53.0.2 delzone 'policy in internal' 2> rndc.out.ns2.$n >&1
+grep 'cannot be deleted' rndc.out.ns2.$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "adding new zone again to external view ($n)"
+ret=0
+$RNDCCMD 10.53.0.2 addzone 'added.example in external { type primary; file "added.db"; };' 2>&1 | sed 's/^/I:ns2 /'
+_check_adding_new_zone_again_external() (
+	$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.int.$n &&
+	grep 'status: NOERROR' dig.out.ns2.int.$n > /dev/null &&
+	$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n &&
+	grep 'status: NOERROR' dig.out.ns2.ext.$n > /dev/null &&
+	grep '^a.added.example' dig.out.ns2.ext.$n > /dev/null
+)
+retry_quiet 10 _check_adding_new_zone_again_external || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "reconfiguring server with multiple views and new-zones-directory"
+rm -f ns2/named.conf
+copy_setports ns2/named3.conf.in ns2/named.conf
+rndc_reconfig ns2 10.53.0.2
+
+echo_i "checking new zone is still loaded after dir change ($n)"
+ret=0
+$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.ext.$n > /dev/null || ret=1
+grep '^a.added.example' dig.out.ns2.ext.$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "deleting newly added zone from external ($n)"
+ret=0
+$RNDCCMD 10.53.0.2 delzone 'added.example in external' 2>&1 | sed 's/^/I:ns2 /'
+$DIG $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.added.example' dig.out.ns2.$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "adding new zone to directory view ($n)"
+ret=0
+$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.intpre.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.intpre.$n > /dev/null || ret=1
+$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.extpre.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.extpre.$n > /dev/null || ret=1
+$DIG +norec $DIGOPTS @10.53.0.5 -b 10.53.0.5 a.added.example a > dig.out.ns2.dirpre.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.dirpre.$n > /dev/null || ret=1
+$RNDCCMD 10.53.0.2 addzone 'added.example in directory { type primary; file "added.db"; };' 2>&1 | sed 's/^/I:ns2 /'
+$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.int.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.int.$n > /dev/null || ret=1
+$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.ext.$n > /dev/null || ret=1
+$DIG +norec $DIGOPTS @10.53.0.5 -b 10.53.0.5 a.added.example a > dig.out.ns2.dir.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.dir.$n > /dev/null || ret=1
+grep '^a.added.example' dig.out.ns2.dir.$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+if $FEATURETEST --with-lmdb; then
+    echo_i "checking NZD file was created in new-zones-directory ($n)"
+    expect=ns2/new-zones/directory.nzd
+else
+    echo_i "checking NZF file was created in new-zones-directory ($n)"
+    expect=ns2/new-zones/directory.nzf
+fi
+$RNDCCMD 10.53.0.2 sync 'added.example IN directory' 2>&1 | sed 's/^/I:ns2 /'
+sleep 2
+[ -e "$expect" ] || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "deleting newly added zone from directory ($n)"
+ret=0
+$RNDCCMD 10.53.0.2 delzone 'added.example in directory' 2>&1 | sed 's/^/I:ns2 /'
+$DIG $DIGOPTS @10.53.0.5 -b 10.53.0.5 a.added.example a > dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.added.example' dig.out.ns2.$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "ensure the configuration context is cleaned up correctly ($n)"
+ret=0
+rndc_reconfig ns2 10.53.0.2
+$RNDCCMD 10.53.0.2 status > /dev/null 2>&1 || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "check delzone after reconfig failure ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 addzone 'inlinesec.example. IN { type secondary; file "inlinesec.db"; masterfile-format text; primaries { test; }; };' > /dev/null 2>&1 || ret=1
+copy_setports ns3/named2.conf.in ns3/named.conf
+rndc_reconfig ns3 10.53.0.3
+$RNDCCMD 10.53.0.3 delzone inlinesec.example > /dev/null 2>&1 || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+if ! $FEATURETEST --with-lmdb
+then
+    echo_i "check that addzone is fully reversed on failure (--with-lmdb=no) ($n)"
+    ret=0
+    $RNDCCMD 10.53.0.3 addzone "test1.baz" '{ type primary; file "e.db"; };' > /dev/null 2>&1 || ret=1
+    $RNDCCMD 10.53.0.3 addzone "test2.baz" '{ type primary; file "dne.db"; };' > /dev/null 2>&1 && ret=1
+    $RNDCCMD 10.53.0.3 addzone "test3.baz" '{ type primary; file "e.db"; };' > /dev/null 2>&1 || ret=1
+    $RNDCCMD 10.53.0.3 delzone "test3.baz" > /dev/null 2>&1 || ret=1
+    grep test2.baz ns3/_default.nzf > /dev/null && ret=1
+    n=`expr $n + 1`
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=`expr $status + $ret`
+fi
+
+_check_version_bind() (
+	$DIG $DIGOPTS @10.53.0.3 version.bind txt ch > dig.out.test$n &&
+	grep "status: NOERROR" dig.out.test$n > /dev/null
+)
+
+echo_i "check that named restarts with multiple added zones ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 addzone "test4.baz" '{ type primary; file "e.db"; };' > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 addzone "test5.baz" '{ type primary; file "e.db"; };' > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 addzone '"test/.baz"' '{ type primary; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 addzone '"test\".baz"' '{ type primary; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 addzone '"test\\.baz"' '{ type primary; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 addzone '"test\032.baz"' '{ type primary; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 addzone '"test\010.baz"' '{ type primary; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1
+stop_server ns3
+start_server --noclean --restart --port ${PORT} ns3 || ret=1
+retry_quiet 10 _check_version_bind || ret=1
+$DIG $DIGOPTS @10.53.0.3 SOA  "test4.baz" > dig.out.1.test$n || ret=1
+grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 SOA  "test5.baz" > dig.out.2.test$n || ret=1
+grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 SOA  'test/.baz' > dig.out.3.test$n || ret=1
+grep "status: NOERROR" dig.out.3.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.3.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 SOA  'test\\.baz' > dig.out.4.test$n || ret=1
+grep "status: NOERROR" dig.out.4.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.4.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 SOA  'test\032.baz' > dig.out.5.test$n || ret=1
+grep "status: NOERROR" dig.out.5.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.5.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 SOA  'test\010.baz' > dig.out.6.test$n || ret=1
+grep "status: NOERROR" dig.out.6.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.6.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/addzone/tests_rndc_deadlock.py b/bin/tests/system/addzone/tests_rndc_deadlock.py
new file mode 100755
index 0000000..7f4bf63
--- /dev/null
+++ b/bin/tests/system/addzone/tests_rndc_deadlock.py
@@ -0,0 +1,92 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import concurrent.futures
+import os
+import subprocess
+import time
+
+
+def run_rndc(server, rndc_command):
+    """
+    Send the specified 'rndc_command' to 'server' with a timeout of 10 seconds
+    """
+    rndc = os.getenv("RNDC")
+    port = os.getenv("CONTROLPORT")
+
+    cmdline = [rndc, "-c", "../common/rndc.conf", "-p", port, "-s", server]
+    cmdline.extend(rndc_command)
+
+    subprocess.check_output(cmdline, stderr=subprocess.STDOUT, timeout=10)
+
+
+def rndc_loop(test_state, domain):
+    """
+    Run "rndc addzone", "rndc modzone", and "rndc delzone" in a tight loop
+    until the test is considered finished, ignoring errors
+    """
+    rndc_commands = [
+        ["addzone", domain, '{ type master; file "example.db"; };'],
+        [
+            "modzone",
+            domain,
+            '{ type master; file "example.db"; allow-transfer { any; }; };',
+        ],
+        ["delzone", domain],
+    ]
+
+    while not test_state["finished"]:
+        for command in rndc_commands:
+            try:
+                run_rndc("10.53.0.3", command)
+            except subprocess.SubprocessError:
+                pass
+
+
+def check_if_server_is_responsive():
+    """
+    Check if server status can be successfully retrieved using "rndc status"
+    """
+    try:
+        run_rndc("10.53.0.3", ["status"])
+        return True
+    except subprocess.SubprocessError:
+        return False
+
+
+def test_rndc_deadlock():
+    """
+    Test whether running "rndc addzone", "rndc modzone", and "rndc delzone"
+    commands concurrently does not trigger a deadlock
+    """
+    test_state = {"finished": False}
+
+    # Create 4 worker threads running "rndc" commands in a loop.
+    with concurrent.futures.ThreadPoolExecutor() as executor:
+        for i in range(1, 5):
+            domain = "example%d" % i
+            executor.submit(rndc_loop, test_state, domain)
+
+        # Run "rndc status" 10 times, with 1-second pauses between attempts.
+        # Each "rndc status" invocation has a timeout of 10 seconds.  If any of
+        # them fails, the loop will be interrupted.
+        server_is_responsive = True
+        attempts = 10
+        while server_is_responsive and attempts > 0:
+            server_is_responsive = check_if_server_is_responsive()
+            attempts -= 1
+            time.sleep(1)
+
+        # Signal worker threads that the test is finished.
+        test_state["finished"] = True
+
+    # Check whether all "rndc status" commands succeeded.
+    assert server_is_responsive
diff --git a/bin/tests/system/allow-query/clean.sh b/bin/tests/system/allow-query/clean.sh
new file mode 100644
index 0000000..9914de7
--- /dev/null
+++ b/bin/tests/system/allow-query/clean.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Clean up after allow query tests.
+#
+
+rm -f dig.out.*
+rm -f ns*/named.conf
+rm -f ns2/controls.conf
+rm -f */named.memstats
+rm -f ns*/named.lock
+rm -f ns*/named.run ns*/named.run.prev
+rm -f ns*/managed-keys.bind* ns*/*.mkeys*
diff --git a/bin/tests/system/allow-query/ns1/named.conf.in b/bin/tests/system/allow-query/ns1/named.conf.in
new file mode 100644
index 0000000..a72cc87
--- /dev/null
+++ b/bin/tests/system/allow-query/ns1/named.conf.in
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
diff --git a/bin/tests/system/allow-query/ns1/root.db b/bin/tests/system/allow-query/ns1/root.db
new file mode 100644
index 0000000..456198e
--- /dev/null
+++ b/bin/tests/system/allow-query/ns1/root.db
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@			SOA	a.root-servers.nil. hostmaster.localhost. 1 3600 1200 604800 3600
+			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+
+normal.example.		NS	ns2.normal.example.
+ns2.normal.example.	A	10.53.0.2
diff --git a/bin/tests/system/allow-query/ns2/generic.db b/bin/tests/system/allow-query/ns2/generic.db
new file mode 100644
index 0000000..83e66f9
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/generic.db
@@ -0,0 +1,33 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN @
+$TTL 300	; 5 minutes
+@                       IN SOA	mname1. . (
+				1          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+ns2			A	10.53.0.2
+			MX	10 mail
+
+a			A	10.0.7.1
+mail			A	10.0.7.2
+b			A	10.0.7.3
+c			A	10.0.7.4
+d			A	10.0.7.5
+e			A	10.0.7.6
+f			A	10.0.7.7
+g			A	10.0.7.8
+h			A	10.0.7.9
diff --git a/bin/tests/system/allow-query/ns2/named01.conf.in b/bin/tests/system/allow-query/ns2/named01.conf.in
new file mode 100644
index 0000000..1f7ab40
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named01.conf.in
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+};
+
+include "controls.conf";
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "normal.example" {
+	type primary;
+	file "generic.db";
+};
diff --git a/bin/tests/system/allow-query/ns2/named02.conf.in b/bin/tests/system/allow-query/ns2/named02.conf.in
new file mode 100644
index 0000000..3e24bdc
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named02.conf.in
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	allow-query { any; };
+};
+
+include "controls.conf";
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "normal.example" {
+	type primary;
+	file "generic.db";
+};
diff --git a/bin/tests/system/allow-query/ns2/named03.conf.in b/bin/tests/system/allow-query/ns2/named03.conf.in
new file mode 100644
index 0000000..dd5985b
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named03.conf.in
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	allow-query { none; };
+};
+
+include "controls.conf";
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "normal.example" {
+	type primary;
+	file "generic.db";
+};
diff --git a/bin/tests/system/allow-query/ns2/named04.conf.in b/bin/tests/system/allow-query/ns2/named04.conf.in
new file mode 100644
index 0000000..f61447e
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named04.conf.in
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	allow-query { 10.53.0.2; };
+};
+
+include "controls.conf";
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "normal.example" {
+	type primary;
+	file "generic.db";
+};
diff --git a/bin/tests/system/allow-query/ns2/named05.conf.in b/bin/tests/system/allow-query/ns2/named05.conf.in
new file mode 100644
index 0000000..53c31a3
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named05.conf.in
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	allow-query { 10.53.0.1; };
+};
+
+include "controls.conf";
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "normal.example" {
+	type primary;
+	file "generic.db";
+};
diff --git a/bin/tests/system/allow-query/ns2/named06.conf.in b/bin/tests/system/allow-query/ns2/named06.conf.in
new file mode 100644
index 0000000..49d9e42
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named06.conf.in
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	allow-query {! 10.53.0.2; };
+};
+
+include "controls.conf";
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "normal.example" {
+	type primary;
+	file "generic.db";
+};
diff --git a/bin/tests/system/allow-query/ns2/named07.conf.in b/bin/tests/system/allow-query/ns2/named07.conf.in
new file mode 100644
index 0000000..a40cade
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named07.conf.in
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl accept { 10.53.0.2; };
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	allow-query { accept; };
+};
+
+include "controls.conf";
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "normal.example" {
+	type primary;
+	file "generic.db";
+};
diff --git a/bin/tests/system/allow-query/ns2/named08.conf.in b/bin/tests/system/allow-query/ns2/named08.conf.in
new file mode 100644
index 0000000..413878b
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named08.conf.in
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl accept { 10.53.0.1; };
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	allow-query { accept; };
+};
+
+include "controls.conf";
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "normal.example" {
+	type primary;
+	file "generic.db";
+};
diff --git a/bin/tests/system/allow-query/ns2/named09.conf.in b/bin/tests/system/allow-query/ns2/named09.conf.in
new file mode 100644
index 0000000..b2d900e
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named09.conf.in
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl accept { 10.53.0.2; };
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	allow-query {! accept; };
+};
+
+include "controls.conf";
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "normal.example" {
+	type primary;
+	file "generic.db";
+};
diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in
new file mode 100644
index 0000000..b91d19a
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named10.conf.in
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key one {
+	algorithm hmac-md5;
+	secret "1234abcd8765";
+};
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	allow-query { key one; };
+};
+
+include "controls.conf";
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "normal.example" {
+	type primary;
+	file "generic.db";
+};
diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in
new file mode 100644
index 0000000..308c4ca
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named11.conf.in
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key one {
+	algorithm hmac-md5;
+	secret "1234abcd8765";
+};
+
+key two {
+	algorithm hmac-md5;
+	secret "1234efgh8765";
+};
+
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	allow-query { key one; };
+};
+
+include "controls.conf";
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "normal.example" {
+	type primary;
+	file "generic.db";
+};
diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in
new file mode 100644
index 0000000..6b0fe55
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named12.conf.in
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key one {
+	algorithm hmac-md5;
+	secret "1234abcd8765";
+};
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	allow-query {! key one; };
+};
+
+include "controls.conf";
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "normal.example" {
+	type primary;
+	file "generic.db";
+};
diff --git a/bin/tests/system/allow-query/ns2/named21.conf.in b/bin/tests/system/allow-query/ns2/named21.conf.in
new file mode 100644
index 0000000..311eaf7
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named21.conf.in
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+};
+
+include "controls.conf";
+
+view "internal" {
+
+	zone "." {
+		type hint;
+		file "../../common/root.hint";
+	};
+
+	zone "normal.example" {
+		type primary;
+		file "generic.db";
+	};
+};
diff --git a/bin/tests/system/allow-query/ns2/named22.conf.in b/bin/tests/system/allow-query/ns2/named22.conf.in
new file mode 100644
index 0000000..1c191da
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named22.conf.in
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+};
+
+include "controls.conf";
+
+view "internal" {
+
+	allow-query { any; };
+
+	zone "." {
+		type hint;
+		file "../../common/root.hint";
+	};
+
+	zone "normal.example" {
+		type primary;
+		file "generic.db";
+	};
+
+};
diff --git a/bin/tests/system/allow-query/ns2/named23.conf.in b/bin/tests/system/allow-query/ns2/named23.conf.in
new file mode 100644
index 0000000..e0cd069
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named23.conf.in
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+};
+
+include "controls.conf";
+
+view "internal" {
+
+	allow-query { none; };
+
+	zone "." {
+		type hint;
+		file "../../common/root.hint";
+	};
+
+	zone "normal.example" {
+		type primary;
+		file "generic.db";
+	};
+};
diff --git a/bin/tests/system/allow-query/ns2/named24.conf.in b/bin/tests/system/allow-query/ns2/named24.conf.in
new file mode 100644
index 0000000..33f03b0
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named24.conf.in
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+};
+
+include "controls.conf";
+
+view "internal" {
+
+	allow-query { 10.53.0.2; };
+
+	zone "." {
+		type hint;
+		file "../../common/root.hint";
+	};
+
+	zone "normal.example" {
+		type primary;
+		file "generic.db";
+	};
+};
diff --git a/bin/tests/system/allow-query/ns2/named25.conf.in b/bin/tests/system/allow-query/ns2/named25.conf.in
new file mode 100644
index 0000000..28cadd0
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named25.conf.in
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+};
+
+include "controls.conf";
+
+view "internal" {
+
+	allow-query { 10.53.0.1; };
+
+	zone "." {
+		type hint;
+		file "../../common/root.hint";
+	};
+
+	zone "normal.example" {
+		type primary;
+		file "generic.db";
+	};
+};
diff --git a/bin/tests/system/allow-query/ns2/named26.conf.in b/bin/tests/system/allow-query/ns2/named26.conf.in
new file mode 100644
index 0000000..52b915d
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named26.conf.in
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+};
+
+include "controls.conf";
+
+view "internal" {
+
+	allow-query {! 10.53.0.2; };
+
+	zone "." {
+		type hint;
+		file "../../common/root.hint";
+	};
+
+	zone "normal.example" {
+		type primary;
+		file "generic.db";
+	};
+};
diff --git a/bin/tests/system/allow-query/ns2/named27.conf.in b/bin/tests/system/allow-query/ns2/named27.conf.in
new file mode 100644
index 0000000..c95838c
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named27.conf.in
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl accept { 10.53.0.2; };
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+};
+
+include "controls.conf";
+
+view "internal" {
+
+	allow-query { accept; };
+
+	zone "." {
+		type hint;
+		file "../../common/root.hint";
+	};
+
+	zone "normal.example" {
+		type primary;
+		file "generic.db";
+	};
+
+};
diff --git a/bin/tests/system/allow-query/ns2/named28.conf.in b/bin/tests/system/allow-query/ns2/named28.conf.in
new file mode 100644
index 0000000..06d9b91
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named28.conf.in
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl accept { 10.53.0.1; };
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+};
+
+include "controls.conf";
+
+view "internal" {
+
+	allow-query { accept; };
+
+	zone "." {
+		type hint;
+		file "../../common/root.hint";
+	};
+
+	zone "normal.example" {
+		type primary;
+		file "generic.db";
+	};
+};
diff --git a/bin/tests/system/allow-query/ns2/named29.conf.in b/bin/tests/system/allow-query/ns2/named29.conf.in
new file mode 100644
index 0000000..acd1b41
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named29.conf.in
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl accept { 10.53.0.2; };
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+};
+
+include "controls.conf";
+
+view "internal" {
+
+	allow-query {! accept; };
+
+	zone "." {
+		type hint;
+		file "../../common/root.hint";
+	};
+
+	zone "normal.example" {
+		type primary;
+		file "generic.db";
+	};
+};
diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in
new file mode 100644
index 0000000..aefc474
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named30.conf.in
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key one {
+	algorithm hmac-md5;
+	secret "1234abcd8765";
+};
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+};
+
+include "controls.conf";
+
+view "internal" {
+
+	allow-query { key one; };
+
+	zone "." {
+		type hint;
+		file "../../common/root.hint";
+	};
+
+	zone "normal.example" {
+		type primary;
+		file "generic.db";
+	};
+};
diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in
new file mode 100644
index 0000000..27eccc2
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named31.conf.in
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key one {
+	algorithm hmac-md5;
+	secret "1234abcd8765";
+};
+
+key two {
+	algorithm hmac-md5;
+	secret "1234efgh8765";
+};
+
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	allow-query { key one; };
+};
+
+include "controls.conf";
+
+view "internal" {
+
+	allow-query { key one; };
+
+	zone "." {
+		type hint;
+		file "../../common/root.hint";
+	};
+
+	zone "normal.example" {
+		type primary;
+		file "generic.db";
+	};
+};
diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in
new file mode 100644
index 0000000..adbb203
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named32.conf.in
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key one {
+	algorithm hmac-md5;
+	secret "1234abcd8765";
+};
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+};
+
+include "controls.conf";
+
+view "internal" {
+
+	allow-query {! key one; };
+
+	zone "." {
+		type hint;
+		file "../../common/root.hint";
+	};
+
+	zone "normal.example" {
+		type primary;
+		file "generic.db";
+	};
+};
diff --git a/bin/tests/system/allow-query/ns2/named33.conf.in b/bin/tests/system/allow-query/ns2/named33.conf.in
new file mode 100644
index 0000000..be1e160
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named33.conf.in
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	allow-query { none; };
+};
+
+include "controls.conf";
+
+view "internal" {
+
+	allow-query { any; };
+
+	zone "." {
+		type hint;
+		file "../../common/root.hint";
+	};
+
+	zone "normal.example" {
+		type primary;
+		file "generic.db";
+	};
+
+};
diff --git a/bin/tests/system/allow-query/ns2/named34.conf.in b/bin/tests/system/allow-query/ns2/named34.conf.in
new file mode 100644
index 0000000..d35ac3e
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named34.conf.in
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	allow-query { any; };
+};
+
+include "controls.conf";
+
+view "internal" {
+
+	allow-query { none; };
+
+	zone "." {
+		type hint;
+		file "../../common/root.hint";
+	};
+
+	zone "normal.example" {
+		type primary;
+		file "generic.db";
+	};
+};
diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in
new file mode 100644
index 0000000..364f94b
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named40.conf.in
@@ -0,0 +1,107 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl accept { 10.53.0.2; };
+
+acl badaccept { 10.53.0.1; };
+
+key one {
+	algorithm hmac-md5;
+	secret "1234abcd8765";
+};
+
+key two {
+	algorithm hmac-md5;
+	secret "1234efgh8765";
+};
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+};
+
+include "controls.conf";
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "normal.example" {
+	type primary;
+	file "generic.db";
+};
+
+zone "any.example" {
+	type primary;
+	file "generic.db";
+	allow-query { any; };
+};
+
+zone "none.example" {
+	type primary;
+	file "generic.db";
+	allow-query { none; };
+};
+
+zone "addrallow.example" {
+	type primary;
+	file "generic.db";
+	allow-query { 10.53.0.2; };
+};
+
+zone "addrnotallow.example" {
+	type primary;
+	file "generic.db";
+	allow-query { 10.53.0.1; };
+};
+
+zone "addrdisallow.example" {
+	type primary;
+	file "generic.db";
+	allow-query { ! 10.53.0.2; };
+};
+
+zone "aclallow.example" {
+	type primary;
+	file "generic.db";
+	allow-query { accept; };
+};
+
+zone "aclnotallow.example" {
+	type primary;
+	file "generic.db";
+	allow-query { badaccept; };
+};
+
+zone "acldisallow.example" {
+	type primary;
+	file "generic.db";
+	allow-query { ! accept; };
+};
+
+/* Also usable for testing key not allowed */
+zone "keyallow.example" {
+	type primary;
+	file "generic.db";
+	allow-query { key one; };
+};
+
+zone "keydisallow.example" {
+	type primary;
+	file "generic.db";
+	allow-query { ! key one; };
+};
diff --git a/bin/tests/system/allow-query/ns2/named53.conf.in b/bin/tests/system/allow-query/ns2/named53.conf.in
new file mode 100644
index 0000000..41ac6d3
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named53.conf.in
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	allow-query { none; };
+};
+
+include "controls.conf";
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "normal.example" {
+	type primary;
+	file "generic.db";
+	allow-query { any; };
+};
diff --git a/bin/tests/system/allow-query/ns2/named54.conf.in b/bin/tests/system/allow-query/ns2/named54.conf.in
new file mode 100644
index 0000000..64a3f69
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named54.conf.in
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	allow-query { any; };
+};
+
+include "controls.conf";
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "normal.example" {
+	type primary;
+	file "generic.db";
+	allow-query { none; };
+};
diff --git a/bin/tests/system/allow-query/ns2/named55.conf.in b/bin/tests/system/allow-query/ns2/named55.conf.in
new file mode 100644
index 0000000..642e4c9
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named55.conf.in
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+};
+
+include "controls.conf";
+
+view "internal" {
+
+	allow-query { none; };
+
+	zone "." {
+		type hint;
+		file "../../common/root.hint";
+	};
+
+	zone "normal.example" {
+		type primary;
+		file "generic.db";
+		allow-query { any; };
+	};
+
+};
diff --git a/bin/tests/system/allow-query/ns2/named56.conf.in b/bin/tests/system/allow-query/ns2/named56.conf.in
new file mode 100644
index 0000000..187d697
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named56.conf.in
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+};
+
+include "controls.conf";
+
+view "internal" {
+
+	allow-query { any; };
+
+	zone "." {
+		type hint;
+		file "../../common/root.hint";
+	};
+
+	zone "normal.example" {
+		type primary;
+		file "generic.db";
+		allow-query { none; };
+	};
+};
diff --git a/bin/tests/system/allow-query/ns2/named57.conf.in b/bin/tests/system/allow-query/ns2/named57.conf.in
new file mode 100644
index 0000000..1502b12
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named57.conf.in
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+};
+
+include "controls.conf";
+
+view "internal" {
+	allow-query-on { any; };
+
+	zone "." {
+		type hint;
+		file "../../common/root.hint";
+	};
+
+	zone "normal.example" {
+		type primary;
+		file "generic.db";
+	};
+
+	zone "aclnotallow.example" {
+		type primary;
+		file "generic.db";
+		allow-query-on { none; };
+	};
+};
diff --git a/bin/tests/system/allow-query/ns3/named.args b/bin/tests/system/allow-query/ns3/named.args
new file mode 100644
index 0000000..35e99d8
--- /dev/null
+++ b/bin/tests/system/allow-query/ns3/named.args
@@ -0,0 +1,2 @@
+# this server only has 127.0.0.1 in its localhost/localnets ACLs
+-m record,size,mctx -c named.conf -d 99 -D allow-query-ns3 -X named.lock -g -T maxcachesize=2097152 -T fixedlocal
diff --git a/bin/tests/system/allow-query/ns3/named1.conf.in b/bin/tests/system/allow-query/ns3/named1.conf.in
new file mode 100644
index 0000000..68af61f
--- /dev/null
+++ b/bin/tests/system/allow-query/ns3/named1.conf.in
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
diff --git a/bin/tests/system/allow-query/ns3/named2.conf.in b/bin/tests/system/allow-query/ns3/named2.conf.in
new file mode 100644
index 0000000..d3f2205
--- /dev/null
+++ b/bin/tests/system/allow-query/ns3/named2.conf.in
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion yes;
+	allow-recursion { any; };
+	allow-recursion-on { none; };
+	allow-query-cache-on { 10.53.0.3; };
+	dnssec-validation no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
diff --git a/bin/tests/system/allow-query/ns3/named3.conf.in b/bin/tests/system/allow-query/ns3/named3.conf.in
new file mode 100644
index 0000000..32e1e0d
--- /dev/null
+++ b/bin/tests/system/allow-query/ns3/named3.conf.in
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; 10.53.1.2; };
+	listen-on-v6 { none; };
+	recursion yes;
+	allow-recursion { any; };
+	allow-query-cache { any; };
+	allow-query-cache-on { 10.53.0.3; }; # allow-recursion-on inherits
+	dnssec-validation no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
diff --git a/bin/tests/system/allow-query/ns3/named4.conf.in b/bin/tests/system/allow-query/ns3/named4.conf.in
new file mode 100644
index 0000000..e8ab737
--- /dev/null
+++ b/bin/tests/system/allow-query/ns3/named4.conf.in
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; 10.53.1.2; };
+	listen-on-v6 { none; };
+	recursion yes;
+	allow-recursion { any; };
+	allow-query-cache { any; };
+	allow-recursion-on { 10.53.0.3; }; # allow-query-cache-on inherits
+	dnssec-validation no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
diff --git a/bin/tests/system/allow-query/setup.sh b/bin/tests/system/allow-query/setup.sh
new file mode 100644
index 0000000..3a693b5
--- /dev/null
+++ b/bin/tests/system/allow-query/setup.sh
@@ -0,0 +1,20 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ../common/controls.conf.in ns2/controls.conf
+copy_setports  ns1/named.conf.in ns1/named.conf
+copy_setports  ns2/named01.conf.in ns2/named.conf
+copy_setports  ns3/named1.conf.in ns3/named.conf
diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh
new file mode 100644
index 0000000..41c7bb7
--- /dev/null
+++ b/bin/tests/system/allow-query/tests.sh
@@ -0,0 +1,688 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# Test of allow-query statement.
+# allow-query takes an address match list and can be included in either the
+# options statement or in the zone statement.  This test assumes that the
+# acl tests cover the details of the address match list and uses a limited
+# number of address match test cases to ensure that allow-query finds the
+# expected match.
+# Test list:
+# In options:
+# default (any), any, none, [localhost, localnets],
+# allowed address, not allowed address, denied address,
+# allowed key, not allowed key, denied key
+# allowed acl, not allowed acl, denied acl (acls pointing to addresses)
+#
+# Each of these tests requires changing to a new configuration
+# file and using rndc to update the server
+#
+# In view, with nothing in options (default to any)
+# default (any), any, none, [localhost, localnets],
+# allowed address, not allowed address, denied address,
+# allowed key, not allowed key, denied key
+# allowed acl, not allowed acl, denied acl (acls pointing to addresses)
+#
+# In view, with options set to none, view set to any
+# In view, with options set to any, view set to none
+#
+# In zone, with nothing in options (default to any)
+# any, none, [localhost, localnets],
+# allowed address, denied address,
+# allowed key, not allowed key, denied key
+# allowed acl, not allowed acl, denied acl (acls pointing to addresses),
+#
+# In zone, with options set to none, zone set to any
+# In zone, with options set to any, zone set to none
+# In zone, with view set to none, zone set to any
+# In zone, with view set to any, zone set to none
+#
+# zone types of primary, secondary and stub can be tested in parallel by
+# using multiple instances (ns2 as primary, ns3 as secondary, ns4 as stub)
+# and querying as necessary.
+#
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="+tcp +nosea +nostat +nocmd +norec +noques +noauth +noadd +nostats +dnssec -p ${PORT}"
+
+status=0
+n=0
+
+nextpart ns2/named.run > /dev/null
+
+# Test 1 - default, query allowed
+n=`expr $n + 1`
+echo_i "test $n: default - query allowed"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test 2 - explicit any, query allowed
+n=`expr $n + 1`
+copy_setports ns2/named02.conf.in ns2/named.conf
+rndc_reload ns2 10.53.0.2
+
+echo_i "test $n: explicit any - query allowed"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test 3 - none, query refused
+n=`expr $n + 1`
+copy_setports ns2/named03.conf.in ns2/named.conf
+rndc_reload ns2 10.53.0.2
+
+echo_i "test $n: none - query refused"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test 4 - address allowed, query allowed
+n=`expr $n + 1`
+copy_setports ns2/named04.conf.in ns2/named.conf
+rndc_reload ns2 10.53.0.2
+
+echo_i "test $n: address allowed - query allowed"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test 5 - address not allowed, query refused
+n=`expr $n + 1`
+copy_setports ns2/named05.conf.in ns2/named.conf
+rndc_reload ns2 10.53.0.2
+
+echo_i "test $n: address not allowed - query refused"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test 6 - address disallowed, query refused
+n=`expr $n + 1`
+copy_setports ns2/named06.conf.in ns2/named.conf
+rndc_reload ns2 10.53.0.2
+
+echo_i "test $n: address disallowed - query refused"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test 7 - acl allowed, query allowed
+n=`expr $n + 1`
+copy_setports ns2/named07.conf.in ns2/named.conf
+rndc_reload ns2 10.53.0.2
+
+echo_i "test $n: acl allowed - query allowed"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test 8 - acl not allowed, query refused
+n=`expr $n + 1`
+copy_setports ns2/named08.conf.in ns2/named.conf
+rndc_reload ns2 10.53.0.2
+
+echo_i "test $n: acl not allowed - query refused"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+
+# Test 9 - acl disallowed, query refused
+n=`expr $n + 1`
+copy_setports ns2/named09.conf.in ns2/named.conf
+rndc_reload ns2 10.53.0.2
+
+echo_i "test $n: acl disallowed - query refused"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test 10 - key allowed, query allowed
+n=`expr $n + 1`
+copy_setports ns2/named10.conf.in ns2/named.conf
+rndc_reload ns2 10.53.0.2
+
+echo_i "test $n: key allowed - query allowed"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test 11 - key not allowed, query refused
+n=`expr $n + 1`
+copy_setports ns2/named11.conf.in ns2/named.conf
+rndc_reload ns2 10.53.0.2
+
+echo_i "test $n: key not allowed - query refused"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test 12 - key disallowed, query refused
+n=`expr $n + 1`
+copy_setports ns2/named12.conf.in ns2/named.conf
+rndc_reload ns2 10.53.0.2
+
+echo_i "test $n: key disallowed - query refused"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# The next set of tests check if allow-query works in a view
+
+n=20
+# Test 21 - views default, query allowed
+n=`expr $n + 1`
+copy_setports ns2/named21.conf.in ns2/named.conf
+rndc_reload ns2 10.53.0.2
+
+echo_i "test $n: views default - query allowed"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test 22 - views explicit any, query allowed
+n=`expr $n + 1`
+copy_setports ns2/named22.conf.in ns2/named.conf
+rndc_reload ns2 10.53.0.2
+
+echo_i "test $n: views explicit any - query allowed"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test 23 - views none, query refused
+n=`expr $n + 1`
+copy_setports ns2/named23.conf.in ns2/named.conf
+rndc_reload ns2 10.53.0.2
+
+echo_i "test $n: views none - query refused"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test 24 - views address allowed, query allowed
+n=`expr $n + 1`
+copy_setports ns2/named24.conf.in ns2/named.conf
+rndc_reload ns2 10.53.0.2
+
+echo_i "test $n: views address allowed - query allowed"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test 25 - views address not allowed, query refused
+n=`expr $n + 1`
+copy_setports ns2/named25.conf.in ns2/named.conf
+rndc_reload ns2 10.53.0.2
+
+echo_i "test $n: views address not allowed - query refused"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test 26 - views address disallowed, query refused
+n=`expr $n + 1`
+copy_setports ns2/named26.conf.in ns2/named.conf
+rndc_reload ns2 10.53.0.2
+
+echo_i "test $n: views address disallowed - query refused"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test 27 - views acl allowed, query allowed
+n=`expr $n + 1`
+copy_setports ns2/named27.conf.in ns2/named.conf
+rndc_reload ns2 10.53.0.2
+
+echo_i "test $n: views acl allowed - query allowed"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test 28 - views acl not allowed, query refused
+n=`expr $n + 1`
+copy_setports ns2/named28.conf.in ns2/named.conf
+rndc_reload ns2 10.53.0.2
+
+echo_i "test $n: views acl not allowed - query refused"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test 29 - views acl disallowed, query refused
+n=`expr $n + 1`
+copy_setports ns2/named29.conf.in ns2/named.conf
+rndc_reload ns2 10.53.0.2
+
+echo_i "test $n: views acl disallowed - query refused"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test 30 - views key allowed, query allowed
+n=`expr $n + 1`
+copy_setports ns2/named30.conf.in ns2/named.conf
+rndc_reload ns2 10.53.0.2
+
+echo_i "test $n: views key allowed - query allowed"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test 31 - views key not allowed, query refused
+n=`expr $n + 1`
+copy_setports ns2/named31.conf.in ns2/named.conf
+rndc_reload ns2 10.53.0.2
+
+echo_i "test $n: views key not allowed - query refused"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test 32 - views key disallowed, query refused
+n=`expr $n + 1`
+copy_setports ns2/named32.conf.in ns2/named.conf
+rndc_reload ns2 10.53.0.2
+
+echo_i "test $n: views key disallowed - query refused"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test 33 - views over options, views allow, query allowed
+n=`expr $n + 1`
+copy_setports ns2/named33.conf.in ns2/named.conf
+rndc_reload ns2 10.53.0.2
+
+echo_i "test $n: views over options, views allow - query allowed"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test 34 - views over options, views disallow, query refused
+n=`expr $n + 1`
+copy_setports ns2/named34.conf.in ns2/named.conf
+rndc_reload ns2 10.53.0.2
+
+echo_i "test $n: views over options, views disallow - query refused"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Tests for allow-query in the zone statements
+
+n=40
+
+# Test 41 - zone default, query allowed
+n=`expr $n + 1`
+copy_setports ns2/named40.conf.in ns2/named.conf
+rndc_reload ns2 10.53.0.2
+
+echo_i "test $n: zone default - query allowed"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test 42 - zone explicit any, query allowed
+n=`expr $n + 1`
+echo_i "test $n: zone explicit any - query allowed"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.any.example a > dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.any.example' dig.out.ns2.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test 43 - zone none, query refused
+n=`expr $n + 1`
+echo_i "test $n: zone none - query refused"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.none.example a > dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.none.example' dig.out.ns2.$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test 44 - zone address allowed, query allowed
+n=`expr $n + 1`
+echo_i "test $n: zone address allowed - query allowed"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrallow.example a > dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.addrallow.example' dig.out.ns2.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test 45 - zone address not allowed, query refused
+n=`expr $n + 1`
+echo_i "test $n: zone address not allowed - query refused"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrnotallow.example a > dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.addrnotallow.example' dig.out.ns2.$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test 46 - zone address disallowed, query refused
+n=`expr $n + 1`
+echo_i "test $n: zone address disallowed - query refused"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrdisallow.example a > dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.addrdisallow.example' dig.out.ns2.$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test 47 - zone acl allowed, query allowed
+n=`expr $n + 1`
+echo_i "test $n: zone acl allowed - query allowed"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclallow.example a > dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.aclallow.example' dig.out.ns2.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test 48 - zone acl not allowed, query refused
+n=`expr $n + 1`
+echo_i "test $n: zone acl not allowed - query refused"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclnotallow.example a > dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.aclnotallow.example' dig.out.ns2.$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test 49 - zone acl disallowed, query refused
+n=`expr $n + 1`
+echo_i "test $n: zone acl disallowed - query refused"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.acldisallow.example a > dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.acldisallow.example' dig.out.ns2.$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test 50 - zone key allowed, query allowed
+n=`expr $n + 1`
+echo_i "test $n: zone key allowed - query allowed"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test 51 - zone key not allowed, query refused
+n=`expr $n + 1`
+echo_i "test $n: zone key not allowed - query refused"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test 52 - zone key disallowed, query refused
+n=`expr $n + 1`
+echo_i "test $n: zone key disallowed - query refused"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test 53 - zones over options, zones allow, query allowed
+n=`expr $n + 1`
+copy_setports ns2/named53.conf.in ns2/named.conf
+rndc_reload ns2 10.53.0.2
+
+echo_i "test $n: views over options, views allow - query allowed"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test 54 - zones over options, zones disallow, query refused
+n=`expr $n + 1`
+copy_setports ns2/named54.conf.in ns2/named.conf
+rndc_reload ns2 10.53.0.2
+
+echo_i "test $n: views over options, views disallow - query refused"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test 55 - zones over views, zones allow, query allowed
+n=`expr $n + 1`
+copy_setports ns2/named55.conf.in ns2/named.conf
+rndc_reload ns2 10.53.0.2
+
+echo_i "test $n: zones over views, views allow - query allowed"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test 56 - zones over views, zones disallow, query refused
+n=`expr $n + 1`
+copy_setports ns2/named56.conf.in ns2/named.conf
+rndc_reload ns2 10.53.0.2
+
+echo_i "test $n: zones over views, views disallow - query refused"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test 57 - zones over views, zones disallow, query refused (allow-query-on)
+n=`expr $n + 1`
+copy_setports ns2/named57.conf.in ns2/named.conf
+rndc_reload ns2 10.53.0.2
+
+echo_i "test $n: zones over views, allow-query-on"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.1.$n || ret=1
+grep 'status: NOERROR' dig.out.ns2.1.$n > /dev/null || ret=1
+grep '^a.normal.example' dig.out.ns2.1.$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclnotallow.example a > dig.out.ns2.2.$n || ret=1
+grep 'status: REFUSED' dig.out.ns2.2.$n > /dev/null || ret=1
+grep '^a.aclnotallow.example' dig.out.ns2.2.$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test 58 - allow-recursion default
+n=`expr $n + 1`
+echo_i "test $n: default allow-recursion configuration"
+ret=0
+$DIG -p ${PORT} @10.53.0.3 -b 127.0.0.1 a.normal.example a > dig.out.ns3.1.$n
+grep 'status: NOERROR' dig.out.ns3.1.$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.3 -b 10.53.0.1 a.normal.example a > dig.out.ns3.2.$n
+grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test 59 - allow-query-cache default
+n=`expr $n + 1`
+echo_i "test $n: default allow-query-cache configuration"
+ret=0
+$DIG -p ${PORT} @10.53.0.3 -b 127.0.0.1 ns . > dig.out.ns3.1.$n
+grep 'status: NOERROR' dig.out.ns3.1.$n > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.3 -b 10.53.0.1 ns . > dig.out.ns3.2.$n
+grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test 60 - block recursion-on, allow query-cache-on
+n=`expr $n + 1`
+copy_setports ns3/named2.conf.in ns3/named.conf
+rndc_reload ns3 10.53.0.3
+
+echo_i "test $n: block recursion-on, allow query-cache-on"
+ret=0
+# this should query the cache, and an answer should already be there
+$DIG -p ${PORT} @10.53.0.3 a.normal.example a > dig.out.ns3.1.$n
+grep 'recursion requested but not available' dig.out.ns3.1.$n > /dev/null || ret=1
+grep 'ANSWER: 1' dig.out.ns3.1.$n > /dev/null || ret=1
+# this should require recursion and therefore can't get an answer
+$DIG -p ${PORT} @10.53.0.3 b.normal.example a > dig.out.ns3.2.$n
+grep 'recursion requested but not available' dig.out.ns3.2.$n > /dev/null || ret=1
+grep 'ANSWER: 0' dig.out.ns3.2.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test 61 - inheritance of allow-query-cache-on from allow-recursion-on
+n=`expr $n + 1`
+copy_setports ns3/named3.conf.in ns3/named.conf
+rndc_reload ns3 10.53.0.3
+
+echo_i "test $n: inheritance of allow-query-cache-on"
+ret=0
+# this should query the cache, an answer should already be there
+$DIG -p ${PORT} @10.53.0.3 a.normal.example a > dig.out.ns3.1.$n
+grep 'ANSWER: 1' dig.out.ns3.1.$n > /dev/null || ret=1
+# this should be refused due to allow-recursion-on/allow-query-cache-on
+$DIG -p ${PORT} @10.53.1.2 a.normal.example a > dig.out.ns3.2.$n
+grep 'recursion requested but not available' dig.out.ns3.2.$n > /dev/null || ret=1
+grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1
+# this should require recursion and should be allowed
+$DIG -p ${PORT} @10.53.0.3 c.normal.example a > dig.out.ns3.3.$n
+grep 'ANSWER: 1' dig.out.ns3.3.$n > /dev/null || ret=1
+# this should require recursion and be refused
+$DIG -p ${PORT} @10.53.1.2 d.normal.example a > dig.out.ns3.4.$n
+grep 'recursion requested but not available' dig.out.ns3.4.$n > /dev/null || ret=1
+grep 'status: REFUSED' dig.out.ns3.4.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Test 62 - inheritance of allow-recursion-on from allow-query-cache-on
+n=`expr $n + 1`
+copy_setports ns3/named4.conf.in ns3/named.conf
+rndc_reload ns3 10.53.0.3
+
+echo_i "test $n: inheritance of allow-recursion-on"
+ret=0
+# this should query the cache, an answer should already be there
+$DIG -p ${PORT} @10.53.0.3 a.normal.example a > dig.out.ns3.1.$n
+grep 'ANSWER: 1' dig.out.ns3.1.$n > /dev/null || ret=1
+# this should be refused due to allow-recursion-on/allow-query-cache-on
+$DIG -p ${PORT} @10.53.1.2 a.normal.example a > dig.out.ns3.2.$n
+grep 'recursion requested but not available' dig.out.ns3.2.$n > /dev/null || ret=1
+grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1
+# this should require recursion and should be allowed
+$DIG -p ${PORT} @10.53.0.3 e.normal.example a > dig.out.ns3.3.$n
+grep 'ANSWER: 1' dig.out.ns3.3.$n > /dev/null || ret=1
+# this should require recursion and be refused
+$DIG -p ${PORT} @10.53.1.2 f.normal.example a > dig.out.ns3.4.$n
+grep 'recursion requested but not available' dig.out.ns3.4.$n > /dev/null || ret=1
+grep 'status: REFUSED' dig.out.ns3.4.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/ans.pl b/bin/tests/system/ans.pl
new file mode 100644
index 0000000..446316f
--- /dev/null
+++ b/bin/tests/system/ans.pl
@@ -0,0 +1,531 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# This is the name server from hell.  It provides canned
+# responses based on pattern matching the queries, and
+# can be reprogrammed on-the-fly over a TCP connection.
+#
+# The server listens for queries on port 5300 (or PORT).
+#
+# The server listens for control connections on port 5301 (or EXTRAPORT1).
+#
+# A control connection is a TCP stream of lines like
+#
+#  /pattern/
+#  name ttl type rdata
+#  name ttl type rdata
+#  ...
+#  /pattern/
+#  name ttl type rdata
+#  name ttl type rdata
+#  ...
+#
+# There can be any number of patterns, each associated
+# with any number of response RRs.  Each pattern is a
+# Perl regular expression.  If an empty pattern ("//") is
+# received, the server will ignore all incoming queries (TCP
+# connections will still be accepted, but both UDP queries
+# and TCP queries will not be responded to).  If a non-empty
+# pattern is then received over the same control connection,
+# default behavior is restored.
+#
+# Each incoming query is converted into a string of the form
+# "qname qtype" (the printable query domain name, space,
+# printable query type) and matched against each pattern.
+#
+# The first pattern matching the query is selected, and
+# the RR following the pattern line are sent in the
+# answer section of the response.
+#
+# Each new control connection causes the current set of
+# patterns and responses to be cleared before adding new
+# ones.
+#
+# The server handles UDP and TCP queries.  Zone transfer
+# responses work, but must fit in a single 64 k message.
+#
+# Now you can add TSIG, just specify key/key data with:
+#
+#  /pattern <key> <key_data>/
+#  name ttl type rdata
+#  name ttl type rdata
+#
+#  Note that this data will still be sent with any request for
+#  pattern, only this data will be signed. Currently, this is only
+#  done for TCP.
+#
+# /pattern bad-id <key> <key_data>/
+# /pattern bad-id/
+#
+# will add 50 to the message id of the response.
+
+
+use IO::File;
+use IO::Socket;
+use Data::Dumper;
+use Net::DNS;
+use Net::DNS::Packet;
+use strict;
+
+# Ignore SIGPIPE so we won't fail if peer closes a TCP socket early
+local $SIG{PIPE} = 'IGNORE';
+
+# Flush logged output after every line
+local $| = 1;
+
+# We default to listening on 10.53.0.2 for historical reasons
+# XXX: we should also be able to specify IPv6
+my $server_addr = "10.53.0.2";
+if (@ARGV > 0) {
+	$server_addr = @ARGV[0];
+}
+
+my $mainport = int($ENV{'PORT'});
+if (!$mainport) { $mainport = 5300; }
+my $ctrlport = int($ENV{'EXTRAPORT1'});
+if (!$ctrlport) { $ctrlport = 5301; }
+
+# XXX: we should also be able to set the port numbers to listen on.
+my $ctlsock = IO::Socket::INET->new(LocalAddr => "$server_addr",
+   LocalPort => $ctrlport, Proto => "tcp", Listen => 5, Reuse => 1) or die "$!";
+
+my $udpsock = IO::Socket::INET->new(LocalAddr => "$server_addr",
+   LocalPort => $mainport, Proto => "udp", Reuse => 1) or die "$!";
+
+my $tcpsock = IO::Socket::INET->new(LocalAddr => "$server_addr",
+   LocalPort => $mainport, Proto => "tcp", Listen => 5, Reuse => 1) or die "$!";
+
+print "listening on $server_addr:$mainport,$ctrlport.\n";
+print "Using Net::DNS $Net::DNS::VERSION\n";
+
+my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
+print $pidf "$$\n" or die "cannot write pid file: $!";
+$pidf->close or die "cannot close pid file: $!";;
+sub rmpid { unlink "ans.pid"; exit 1; };
+
+$SIG{INT} = \&rmpid;
+$SIG{TERM} = \&rmpid;
+
+#my @answers = ();
+my @rules;
+my $udphandler;
+my $tcphandler;
+
+sub handleUDP {
+	my ($buf) = @_;
+	my $request;
+
+	if ($Net::DNS::VERSION > 0.68) {
+		$request = new Net::DNS::Packet(\$buf, 0);
+		$@ and die $@;
+	} else {
+		my $err;
+		($request, $err) = new Net::DNS::Packet(\$buf, 0);
+		$err and die $err;
+	}
+
+	my @questions = $request->question;
+	my $qname = $questions[0]->qname;
+	my $qtype = $questions[0]->qtype;
+	my $qclass = $questions[0]->qclass;
+	my $id = $request->header->id;
+
+	my $packet = new Net::DNS::Packet($qname, $qtype, $qclass);
+	$packet->header->qr(1);
+	$packet->header->aa(1);
+	$packet->header->id($id);
+
+	# get the existing signature if any, and clear the additional section
+	my $prev_tsig;
+	while (my $rr = $request->pop("additional")) {
+		$prev_tsig = $rr if ($rr->type eq "TSIG");
+	}
+
+	my $r;
+	foreach $r (@rules) {
+		my $pattern = $r->{pattern};
+		my($dbtype, $key_name, $key_data) = split(/ /,$pattern);
+		print "[handleUDP] $dbtype, $key_name, $key_data \n";
+		if ("$qname $qtype" =~ /$dbtype/) {
+			my $a;
+			foreach $a (@{$r->{answer}}) {
+				$packet->push("answer", $a);
+			}
+			if(defined($key_name) && defined($key_data)) {
+				my $tsig;
+				# Sign the packet
+				print "  Signing the response with " .
+				      "$key_name/$key_data\n";
+
+				if ($Net::DNS::VERSION < 0.69) {
+					$tsig = Net::DNS::RR->new(
+						   "$key_name TSIG $key_data");
+				} else {
+					$tsig = Net::DNS::RR->new(
+							name => $key_name,
+							type => 'TSIG',
+							key  => $key_data);
+				}
+
+				# These kluges are necessary because Net::DNS
+				# doesn't know how to sign responses.  We
+				# clear compnames so that the TSIG key and
+				# algorithm name won't be compressed, and
+				# add one to arcount because the signing
+				# function will attempt to decrement it,
+				# which is incorrect in a response. Finally
+				# we set request_mac to the previous digest.
+				$packet->{"compnames"} = {}
+					if ($Net::DNS::VERSION < 0.70);
+				$packet->{"header"}{"arcount"} += 1
+					if ($Net::DNS::VERSION < 0.70);
+				if (defined($prev_tsig)) {
+					if ($Net::DNS::VERSION < 0.73) {
+						my $rmac = pack('n H*',
+							length($prev_tsig->mac)/2,
+							$prev_tsig->mac);
+						$tsig->{"request_mac"} =
+							unpack("H*", $rmac);
+					} else {
+						$tsig->request_mac(
+							 $prev_tsig->mac);
+					}
+				}
+				
+				$packet->sign_tsig($tsig);
+			}
+			last;
+		}
+	}
+	#$packet->print;
+
+	return $packet->data;
+}
+
+# namelen:
+# given a stream of data, reads a DNS-formatted name and returns its
+# total length, thus making it possible to skip past it.
+sub namelen {
+	my ($data) = @_;
+	my $len = 0;
+	my $label_len = 0;
+	do {
+		$label_len = unpack("c", $data);
+		$data = substr($data, $label_len + 1);
+		$len += $label_len + 1;
+	} while ($label_len != 0);
+	return ($len);
+}
+
+# packetlen:
+# given a stream of data, reads a DNS wire-format packet and returns
+# its total length, making it possible to skip past it.
+sub packetlen {
+	my ($data) = @_;
+	my $q;
+	my $rr;
+	my $header;
+	my $offset;
+
+	#
+	# decode/encode were introduced in Net::DNS 0.68
+	# parse is no longer a method and calling it here makes perl croak.
+	#
+	my $decode = 0;
+	$decode = 1 if ($Net::DNS::VERSION >= 0.68);
+
+	if ($decode) {
+		($header, $offset) = Net::DNS::Header->decode(\$data);
+	} else {
+		($header, $offset) = Net::DNS::Header->parse(\$data);
+	}
+		
+	for (1 .. $header->qdcount) {
+		if ($decode) {
+			($q, $offset) =
+				 Net::DNS::Question->decode(\$data, $offset);
+		} else {
+			($q, $offset) =
+				 Net::DNS::Question->parse(\$data, $offset);
+		}
+	}
+	for (1 .. $header->ancount) {
+		if ($decode) {
+			($q, $offset) = Net::DNS::RR->decode(\$data, $offset);
+		} else {
+			($q, $offset) = Net::DNS::RR->parse(\$data, $offset);
+		}
+	}
+	for (1 .. $header->nscount) {
+		if ($decode) {
+			($q, $offset) = Net::DNS::RR->decode(\$data, $offset);
+		} else {
+			($q, $offset) = Net::DNS::RR->parse(\$data, $offset);
+		}
+	}
+	for (1 .. $header->arcount) {
+		if ($decode) {
+			($q, $offset) = Net::DNS::RR->decode(\$data, $offset);
+		} else {
+			($q, $offset) = Net::DNS::RR->parse(\$data, $offset);
+		}
+	}
+	return $offset;
+}
+
+# sign_tcp_continuation:
+# This is a hack to correct the problem that Net::DNS has no idea how
+# to sign multiple-message TCP responses.  Several data that are included
+# in the digest when signing a query or the first message of a response are
+# omitted when signing subsequent messages in a TCP stream.
+#
+# Net::DNS::Packet->sign_tsig() has the ability to use a custom signing
+# function (specified by calling Packet->sign_func()).  We use this
+# function as the signing function for TCP continuations, and it removes
+# the unwanted data from the digest before calling the default sign_hmac
+# function.
+sub sign_tcp_continuation {
+	my ($key, $data) = @_;
+
+	# copy out first two bytes: size of the previous MAC
+	my $rmacsize = unpack("n", $data);
+	$data = substr($data, 2);
+
+	# copy out previous MAC
+	my $rmac = substr($data, 0, $rmacsize);
+	$data = substr($data, $rmacsize);
+
+	# try parsing out the packet information
+	my $plen = packetlen($data);
+	my $pdata = substr($data, 0, $plen);
+	$data = substr($data, $plen);
+
+	# remove the keyname, ttl, class, and algorithm name
+	$data = substr($data, namelen($data));
+	$data = substr($data, 6);
+	$data = substr($data, namelen($data));
+
+	# preserve the TSIG data
+	my $tdata = substr($data, 0, 8);
+
+	# prepare a new digest and sign with it
+	$data = pack("n", $rmacsize) . $rmac . $pdata . $tdata;
+	return Net::DNS::RR::TSIG::sign_hmac($key, $data);
+}
+
+sub handleTCP {
+	my ($buf) = @_;
+	my $request;
+
+	if ($Net::DNS::VERSION > 0.68) {
+		$request = new Net::DNS::Packet(\$buf, 0);
+		$@ and die $@;
+	} else {
+		my $err;
+		($request, $err) = new Net::DNS::Packet(\$buf, 0);
+		$err and die $err;
+	}
+	
+	my @questions = $request->question;
+	my $qname = $questions[0]->qname;
+	my $qtype = $questions[0]->qtype;
+	my $qclass = $questions[0]->qclass;
+	my $id = $request->header->id;
+
+	my $opaque;
+
+	my $packet = new Net::DNS::Packet($qname, $qtype, $qclass);
+	$packet->header->qr(1);
+	$packet->header->aa(1);
+	$packet->header->id($id);
+
+	# get the existing signature if any, and clear the additional section
+	my $prev_tsig;
+	my $signer;
+	my $continuation = 0;
+	if ($Net::DNS::VERSION < 0.81) {
+		while (my $rr = $request->pop("additional")) {
+			if ($rr->type eq "TSIG") {
+				$prev_tsig = $rr;
+			}
+		}
+	}
+
+	my @results = ();
+	my $count_these = 0;
+
+	my $r;
+	foreach $r (@rules) {
+		my $pattern = $r->{pattern};
+		my($dbtype, $key_name, $key_data, $extra) = split(/ /,$pattern);
+		print "[handleTCP] $dbtype, $key_name, $key_data \n";
+		if ("$qname $qtype" =~ /$dbtype/) {
+			$count_these++;
+			my $a;
+			foreach $a (@{$r->{answer}}) {
+				$packet->push("answer", $a);
+			}
+			if(defined($key_name) && $key_name eq "bad-id") {
+				$packet->header->id(($id+50)%0xffff);
+				$key_name = $key_data;
+				$key_data = $extra;
+			}
+			if (defined($key_name) && defined($key_data)) {
+				my $tsig;
+				# sign the packet
+				print "  Signing the data with " . 
+				      "$key_name/$key_data\n";
+
+				if ($Net::DNS::VERSION < 0.69) {
+					$tsig = Net::DNS::RR->new(
+						   "$key_name TSIG $key_data");
+				} elsif ($Net::DNS::VERSION >= 0.81 &&
+					 $continuation) {
+				} elsif ($Net::DNS::VERSION >= 0.75 &&
+					 $continuation) {
+					$tsig = $prev_tsig;
+				} else {
+					$tsig = Net::DNS::RR->new(
+							name => $key_name,
+							type => 'TSIG',
+							key  => $key_data);
+				}
+
+				# These kluges are necessary because Net::DNS
+				# doesn't know how to sign responses.  We
+				# clear compnames so that the TSIG key and
+				# algorithm name won't be compressed, and
+				# add one to arcount because the signing
+				# function will attempt to decrement it,
+				# which is incorrect in a response. Finally
+				# we set request_mac to the previous digest.
+				$packet->{"compnames"} = {}
+					if ($Net::DNS::VERSION < 0.70);
+				$packet->{"header"}{"arcount"} += 1
+					if ($Net::DNS::VERSION < 0.70);
+				if (defined($prev_tsig)) {
+					if ($Net::DNS::VERSION < 0.73) {
+						my $rmac = pack('n H*',
+							length($prev_tsig->mac)/2,
+							$prev_tsig->mac);
+						$tsig->{"request_mac"} =
+							unpack("H*", $rmac);
+					} elsif ($Net::DNS::VERSION < 0.81) {
+						$tsig->request_mac(
+							 $prev_tsig->mac);
+					}
+				}
+				
+				$tsig->sign_func($signer) if defined($signer);
+				$tsig->continuation($continuation) if
+					 ($Net::DNS::VERSION >= 0.71 &&
+					  $Net::DNS::VERSION <= 0.74 );
+				if ($Net::DNS::VERSION < 0.81) {
+					$packet->sign_tsig($tsig);
+				} elsif ($continuation) {
+					$opaque = $packet->sign_tsig($opaque);
+				} else {
+					$opaque = $packet->sign_tsig($request);
+				}
+				$signer = \&sign_tcp_continuation
+					if ($Net::DNS::VERSION < 0.70);
+				$continuation = 1;
+
+				my $copy =
+					Net::DNS::Packet->new(\($packet->data));
+				$prev_tsig = $copy->pop("additional");
+			}
+			#$packet->print;
+			push(@results,$packet->data);
+			$packet = new Net::DNS::Packet($qname, $qtype, $qclass);
+			$packet->header->qr(1);
+			$packet->header->aa(1);
+			$packet->header->id($id);
+		}
+	}
+	print " A total of $count_these patterns matched\n";
+	return \@results;
+}
+
+# Main
+my $rin;
+my $rout;
+for (;;) {
+	$rin = '';
+	vec($rin, fileno($ctlsock), 1) = 1;
+	vec($rin, fileno($tcpsock), 1) = 1;
+	vec($rin, fileno($udpsock), 1) = 1;
+
+	select($rout = $rin, undef, undef, undef);
+
+	if (vec($rout, fileno($ctlsock), 1)) {
+		warn "ctl conn";
+		my $conn = $ctlsock->accept;
+		my $rule = ();
+		@rules = ();
+		while (my $line = $conn->getline) {
+			chomp $line;
+			if ($line =~ m!^/(.*)/$!) {
+				if (length($1) == 0) {
+					$udphandler = sub { return; };
+					$tcphandler = sub { return; };
+				} else {
+					$udphandler = \&handleUDP;
+					$tcphandler = \&handleTCP;
+					$rule = { pattern => $1, answer => [] };
+					push(@rules, $rule);
+				}
+			} else {
+				push(@{$rule->{answer}},
+				     new Net::DNS::RR($line));
+			}
+		}
+		$conn->close;
+		#print Dumper(@rules);
+		#print "+=+=+ $rules[0]->{'pattern'}\n";
+		#print "+=+=+ $rules[0]->{'answer'}->[0]->{'rname'}\n";
+		#print "+=+=+ $rules[0]->{'answer'}->[0]\n";
+	} elsif (vec($rout, fileno($udpsock), 1)) {
+		printf "UDP request\n";
+		my $buf;
+		$udpsock->recv($buf, 512);
+		my $result = &$udphandler($buf);
+		if (defined($result)) {
+			my $num_chars = $udpsock->send($result);
+			print "  Sent $num_chars bytes via UDP\n";
+		}
+	} elsif (vec($rout, fileno($tcpsock), 1)) {
+		my $conn = $tcpsock->accept;
+		my $buf;
+		for (;;) {
+			my $lenbuf;
+			my $n = $conn->sysread($lenbuf, 2);
+			last unless $n == 2;
+			my $len = unpack("n", $lenbuf);
+			$n = $conn->sysread($buf, $len);
+			last unless $n == $len;
+			print "TCP request\n";
+			my $result = &$tcphandler($buf);
+			if (defined($result)) {
+				foreach my $response (@$result) {
+					$len = length($response);
+					$n = $conn->syswrite(pack("n", $len), 2);
+					$n = $conn->syswrite($response, $len);
+					print "    Sent: $n chars via TCP\n";
+				}
+			}
+		}
+		$conn->close;
+	}
+}
diff --git a/bin/tests/system/auth/clean.sh b/bin/tests/system/auth/clean.sh
new file mode 100644
index 0000000..5fb37ac
--- /dev/null
+++ b/bin/tests/system/auth/clean.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f */named.memstats
+rm -f */named.run
+rm -f */named.conf
+rm -f dig.out.test*
+rm -f ns2/example.com.bk
+rm -f ns2/example.net.bk
+rm -f ns*/managed-keys.bind* ns*/*mkeys*
diff --git a/bin/tests/system/auth/ns1/chaos.db b/bin/tests/system/auth/ns1/chaos.db
new file mode 100644
index 0000000..bbd489a
--- /dev/null
+++ b/bin/tests/system/auth/ns1/chaos.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			CH SOA  ns root (
+				2018010100 ; serial
+				1800       ; refresh (30 minutes)
+				1800       ; retry (30 minutes)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	ch-addr.example. 1001
+test 			A	ch-addr.example. 1002
+			A	ch-addr.example. 1003
diff --git a/bin/tests/system/auth/ns1/example.com.db b/bin/tests/system/auth/ns1/example.com.db
new file mode 100644
index 0000000..6768895
--- /dev/null
+++ b/bin/tests/system/auth/ns1/example.com.db
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300        ; 5 minutes
+@                       IN SOA  ns root (
+				2018010100 ; serial
+				1800       ; refresh (30 minutes)
+				1800       ; retry (30 minutes)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS      ns
+ns                      A       10.53.0.1
+www			CNAME	server.example.net.
+inzone			CNAME	a.example.com.
+a			A	10.53.0.1
+dname			DNAME	@
diff --git a/bin/tests/system/auth/ns1/example.net.db b/bin/tests/system/auth/ns1/example.net.db
new file mode 100644
index 0000000..29885ca
--- /dev/null
+++ b/bin/tests/system/auth/ns1/example.net.db
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300        ; 5 minutes
+@                       IN SOA  ns root (
+				2018010100 ; serial
+				1800       ; refresh (30 minutes)
+				1800       ; retry (30 minutes)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS      ns
+ns                      A       10.53.0.1
+server			A	10.53.0.100
diff --git a/bin/tests/system/auth/ns1/named.conf.in b/bin/tests/system/auth/ns1/named.conf.in
new file mode 100644
index 0000000..db7570e
--- /dev/null
+++ b/bin/tests/system/auth/ns1/named.conf.in
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+};
+
+view main in {
+	zone example.net {
+		type primary;
+		file "example.net.db";
+	};
+
+	zone example.com {
+		type primary;
+		file "example.com.db";
+	};
+};
+
+view alt chaos {
+	zone example.chaos chaos {
+		type primary;
+		file "chaos.db";
+	};
+};
diff --git a/bin/tests/system/auth/ns2/named.conf.in b/bin/tests/system/auth/ns2/named.conf.in
new file mode 100644
index 0000000..126d576
--- /dev/null
+++ b/bin/tests/system/auth/ns2/named.conf.in
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify no;
+};
+
+zone example.net {
+	type secondary;
+	primaries { 10.53.0.1; };
+	file "example.net.bk";
+};
+
+zone example.com {
+	type secondary;
+	primaries { 10.53.0.1; };
+	file "example.com.bk";
+};
diff --git a/bin/tests/system/auth/setup.sh b/bin/tests/system/auth/setup.sh
new file mode 100644
index 0000000..36969b7
--- /dev/null
+++ b/bin/tests/system/auth/setup.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
diff --git a/bin/tests/system/auth/tests.sh b/bin/tests/system/auth/tests.sh
new file mode 100644
index 0000000..d7e923e
--- /dev/null
+++ b/bin/tests/system/auth/tests.sh
@@ -0,0 +1,191 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="+tcp -p ${PORT}"
+
+status=0
+n=0
+
+n=`expr $n + 1`
+echo_i "wait for zones to finish transferring to ns2 ($n)"
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+  ret=0
+  for zone in example.com example.net
+  do
+    $DIG $DIGOPTS @10.53.0.2 soa $zone > dig.out.test$n || ret=1
+    grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+  done
+  [ $ret -eq 0 ] && break
+  sleep 1
+done
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+#
+# If recursion is unrequested or unavailable, then cross-zone CNAME records
+# should not be followed. If both requested and available, they should be.
+#
+n=`expr $n + 1`
+echo_i "check that cross-zone CNAME record does not return target data (rd=0/ra=0) ($n)"
+ret=0
+$DIG $DIGOPTS +norec @10.53.0.1 www.example.com > dig.out.test$n || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "flags: qr aa;" dig.out.test$n > /dev/null || ret=1
+grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1
+grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null && ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that cross-zone CNAME record does not return target data (rd=1/ra=0) ($n)"
+ret=0
+$DIG $DIGOPTS +rec @10.53.0.1 www.example.com > dig.out.test$n || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "flags: qr aa rd;" dig.out.test$n > /dev/null || ret=1
+grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1
+grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null && ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that cross-zone CNAME record does not return target data (rd=0/ra=1) ($n)"
+ret=0
+$DIG $DIGOPTS +norec @10.53.0.2 www.example.com > dig.out.test$n || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "flags: qr aa ra;" dig.out.test$n > /dev/null || ret=1
+grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1
+grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null && ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that cross-zone CNAME records return target data (rd=1/ra=1) ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 www.example.com > dig.out.test$n || ret=1
+grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
+grep "flags: qr aa rd ra;" dig.out.test$n > /dev/null || ret=1
+grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1
+grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+#
+# In-zone CNAME records should always be followed regardless of RD and RA.
+#
+n=`expr $n + 1`
+echo_i "check that in-zone CNAME records return target data (rd=0/ra=0) ($n)"
+ret=0
+$DIG $DIGOPTS +norec @10.53.0.1 inzone.example.com > dig.out.test$n || ret=1
+grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
+grep "flags: qr aa;" dig.out.test$n > /dev/null || ret=1
+grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1
+grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that in-zone CNAME records returns target data (rd=1/ra=0) ($n)"
+ret=0
+$DIG $DIGOPTS +rec @10.53.0.1 inzone.example.com > dig.out.test$n || ret=1
+grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
+grep "flags: qr aa rd;" dig.out.test$n > /dev/null || ret=1
+grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1
+grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that in-zone CNAME records return target data (rd=0/ra=1) ($n)"
+ret=0
+$DIG $DIGOPTS +norec @10.53.0.2 inzone.example.com > dig.out.test$n || ret=1
+grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
+grep "flags: qr aa ra;" dig.out.test$n > /dev/null || ret=1
+grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1
+grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that in-zone CNAME records return target data (rd=1/ra=1) ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 inzone.example.com > dig.out.test$n || ret=1
+grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
+grep "flags: qr aa rd ra;" dig.out.test$n > /dev/null || ret=1
+grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1
+grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that in-zone CNAME records does not return target data when QTYPE is CNAME (rd=1/ra=1) ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -t cname inzone.example.com > dig.out.test$n || ret=1
+grep 'ANSWER: 1,' dig.out.test$n > /dev/null || ret=1
+grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1
+grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null || ret=1
+grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that in-zone CNAME records does not return target data when QTYPE is ANY (rd=1/ra=1) ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -t any inzone.example.com > dig.out.test$n || ret=1
+grep 'ANSWER: 1,' dig.out.test$n > /dev/null || ret=1
+grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1
+grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null || ret=1
+grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that in-zone DNAME records does not return target data when QTYPE is CNAME (rd=1/ra=1) ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -t cname inzone.dname.example.com > dig.out.test$n || ret=1
+grep 'ANSWER: 2,' dig.out.test$n > /dev/null || ret=1
+grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1
+grep 'dname\.example\.com\..*DNAME.example\.com\.' dig.out.test$n > /dev/null || ret=1
+grep 'inzone\.dname\.example\.com\..*CNAME.inzone\.example\.com\.' dig.out.test$n > /dev/null || ret=1
+grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null && ret=1
+grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that in-zone DNAME records does not return target data when QTYPE is ANY (rd=1/ra=1) ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -t any inzone.dname.example.com > dig.out.test$n || ret=1
+grep 'ANSWER: 2,' dig.out.test$n > /dev/null || ret=1
+grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1
+grep 'dname\.example\.com\..*DNAME.example\.com\.' dig.out.test$n > /dev/null || ret=1
+grep 'inzone\.dname\.example\.com\..*CNAME.inzone\.example\.com\.' dig.out.test$n > /dev/null || ret=1
+grep 'inzone\.example\.com.*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null && ret=1
+grep 'a\.example\.com.*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that CHAOS addresses are compared correctly ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 +noall +answer ch test.example.chaos > dig.out.test$n
+lines=`wc -l < dig.out.test$n`
+[ ${lines:-0} -eq 2 ] || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/autosign/clean.sh b/bin/tests/system/autosign/clean.sh
new file mode 100644
index 0000000..ef67677
--- /dev/null
+++ b/bin/tests/system/autosign/clean.sh
@@ -0,0 +1,75 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f */K* */dsset-* */*.signed */tmp* */*.jnl */*.bk
+rm -f */core
+rm -f */example.bk
+rm -f */named.conf
+rm -f */named.memstats
+rm -f */named.run*
+rm -f */trusted.conf */private.conf
+rm -f activate-now-publish-1day.key
+rm -f active.key inact.key del.key delzsk.key unpub.key standby.key rev.key
+rm -f delayksk.key delayzsk.key autoksk.key autozsk.key
+rm -f dig.out.*
+rm -f digcomp.out.test*
+rm -f noksk-ksk.key nozsk-ksk.key nozsk-zsk.key inaczsk-zsk.key inaczsk-ksk.key
+rm -f nopriv.key vanishing.key del1.key del2.key
+rm -f ns*/managed-keys.bind*
+rm -f ns*/named.lock
+rm -f ns1/root.db
+rm -f ns2/example.db
+rm -f ns2/optout-with-ent.db
+rm -f ns2/private.secure.example.db ns2/bar.db
+rm -f ns3/*.nzd ns3/*.nzd-lock ns3/*.nzf
+rm -f ns3/*.nzf
+rm -f ns3/autonsec3.example.db
+rm -f ns3/cdnskey-delete.example.db
+rm -f ns3/cds-delete.example.db
+rm -f ns3/delzsk.example.db
+rm -f ns3/dname-at-apex-nsec3.example.db
+rm -f ns3/inacksk2.example.db
+rm -f ns3/inacksk3.example.db
+rm -f ns3/inaczsk2.example.db
+rm -f ns3/inaczsk3.example.db
+rm -f ns3/jitter.nsec3.example.db
+rm -f ns3/kg.out ns3/s.out ns3/st.out
+rm -f ns3/kskonly.example.db
+rm -f ns3/named.ns3.prev
+rm -f ns3/noksk.example.db
+rm -f ns3/nozsk.example.db ns3/inaczsk.example.db
+rm -f ns3/nsec-only.example.db
+rm -f ns3/nsec3-to-nsec.example.db
+rm -f ns3/nsec3.example.db
+rm -f ns3/nsec3.nsec3.example.db
+rm -f ns3/nsec3.optout.example.db
+rm -f ns3/oldsigs.example.db
+rm -f ns3/optout.example.db
+rm -f ns3/optout.nsec3.example.db
+rm -f ns3/optout.optout.example.db
+rm -f ns3/prepub.example.db
+rm -f ns3/prepub.example.db.in
+rm -f ns3/reconf.example.db
+rm -f ns3/rsasha256.example.db ns3/rsasha512.example.db
+rm -f ns3/secure-to-insecure.example.db
+rm -f ns3/secure-to-insecure2.example.db
+rm -f ns3/secure.example.db
+rm -f ns3/secure.nsec3.example.db
+rm -f ns3/secure.optout.example.db
+rm -f ns3/settime.out.*
+rm -f ns3/sync.example.db
+rm -f ns3/ttl*.db
+rm -f nsupdate.out
+rm -f settime.out.*
+rm -f signing.out.*
+rm -f sync.key
diff --git a/bin/tests/system/autosign/ns1/keygen.sh b/bin/tests/system/autosign/ns1/keygen.sh
new file mode 100644
index 0000000..44401cb
--- /dev/null
+++ b/bin/tests/system/autosign/ns1/keygen.sh
@@ -0,0 +1,54 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=.
+zonefile=root.db
+infile=root.db.in
+
+(cd ../ns2 && $SHELL keygen.sh )
+
+cat $infile ../ns2/dsset-example$TP ../ns2/dsset-bar$TP > $zonefile
+
+zskact=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q $zone)
+zskvanish=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q $zone)
+zskdel=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -D now $zone)
+zskinact=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -I now $zone)
+zskunpub=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -G $zone)
+zsksby=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -A none $zone)
+zskactnowpub1d=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -A now -P +1d $zone)
+zsknopriv=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q $zone)
+rm $zsknopriv.private
+
+ksksby=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -P now -A now+15s -fk $zone)
+kskrev=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -R now+15s -fk $zone)
+
+keyfile_to_static_ds $ksksby > trusted.conf
+cp trusted.conf ../ns2/trusted.conf
+cp trusted.conf ../ns3/trusted.conf
+cp trusted.conf ../ns4/trusted.conf
+
+keyfile_to_static_ds $kskrev > trusted.conf
+cp trusted.conf ../ns5/trusted.conf
+
+echo $zskact > ../active.key
+echo $zskvanish > ../vanishing.key
+echo $zskdel > ../del.key
+echo $zskinact > ../inact.key
+echo $zskunpub > ../unpub.key
+echo $zsknopriv > ../nopriv.key
+echo $zsksby > ../standby.key
+echo $zskactnowpub1d > ../activate-now-publish-1day.key
+$REVOKE -R $kskrev > ../rev.key
diff --git a/bin/tests/system/autosign/ns1/named.conf.in b/bin/tests/system/autosign/ns1/named.conf.in
new file mode 100644
index 0000000..d0cfa03
--- /dev/null
+++ b/bin/tests/system/autosign/ns1/named.conf.in
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	dnssec-validation yes;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+	allow-transfer { any; };
+	allow-query { any; };
+	allow-update { any; };
+	auto-dnssec maintain;
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/autosign/ns1/root.db.in b/bin/tests/system/autosign/ns1/root.db.in
new file mode 100644
index 0000000..6715a02
--- /dev/null
+++ b/bin/tests/system/autosign/ns1/root.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 30
+. 			IN SOA	a.root.servers.nil. each.isc.org. (
+				2000042100   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+.			NS	a.root-servers.nil.
+.                       TXT     "root zone"
+a.root-servers.nil.	A	10.53.0.1
+
+example.		NS	ns2.example.
+bar.			NS	ns2.example.
+ns2.example.		A	10.53.0.2
diff --git a/bin/tests/system/autosign/ns2/Xbar.+013+59973.key b/bin/tests/system/autosign/ns2/Xbar.+013+59973.key
new file mode 100644
index 0000000..1f4d1f4
--- /dev/null
+++ b/bin/tests/system/autosign/ns2/Xbar.+013+59973.key
@@ -0,0 +1,5 @@
+; This is a key-signing key, keyid 59973, for bar.
+; Created: 20220623022335 (Thu Jun 23 12:23:35 2022)
+; Publish: 20220623022335 (Thu Jun 23 12:23:35 2022)
+; Activate: 20220623022335 (Thu Jun 23 12:23:35 2022)
+bar. IN DNSKEY 257 3 13 QT6CpMaV4BT072+NaKLY5H01Mj2r1MOgsxgoiTAq1Fbf6rrkEWpnbktu Dh9Ol9kuzcUrefxDuxNwsXJu3iDPxw==
diff --git a/bin/tests/system/autosign/ns2/Xbar.+013+59973.private b/bin/tests/system/autosign/ns2/Xbar.+013+59973.private
new file mode 100644
index 0000000..708d242
--- /dev/null
+++ b/bin/tests/system/autosign/ns2/Xbar.+013+59973.private
@@ -0,0 +1,6 @@
+Private-key-format: v1.3
+Algorithm: 13 (ECDSAP256SHA256)
+PrivateKey: joFZ8vCdyqkgMb6rZ0zanrdrzOSCg1GyEJV6tp5F+Bw=
+Created: 20220623022335
+Publish: 20220623022335
+Activate: 20220623022335
diff --git a/bin/tests/system/autosign/ns2/Xbar.+013+60101.key b/bin/tests/system/autosign/ns2/Xbar.+013+60101.key
new file mode 100644
index 0000000..0c47840
--- /dev/null
+++ b/bin/tests/system/autosign/ns2/Xbar.+013+60101.key
@@ -0,0 +1,5 @@
+; This is a key-signing key, keyid 60101, for bar.
+; Created: 20220623022331 (Thu Jun 23 12:23:31 2022)
+; Publish: 20220623022331 (Thu Jun 23 12:23:31 2022)
+; Activate: 20220623022331 (Thu Jun 23 12:23:31 2022)
+bar. IN DNSKEY 257 3 13 dLGGOAE5uJd53Gci9MdymaRTMwsXVn13j05IfGJoVt9ucpeXpoIKVViX JNVE/uO4eJvkHycdEAvdVUWcslEmMQ==
diff --git a/bin/tests/system/autosign/ns2/Xbar.+013+60101.private b/bin/tests/system/autosign/ns2/Xbar.+013+60101.private
new file mode 100644
index 0000000..6ca8370
--- /dev/null
+++ b/bin/tests/system/autosign/ns2/Xbar.+013+60101.private
@@ -0,0 +1,6 @@
+Private-key-format: v1.3
+Algorithm: 13 (ECDSAP256SHA256)
+PrivateKey: pTTXxZUTzeVBXHMUJxTMxjh9yU4oxDtEhEvpkj+olf0=
+Created: 20220623022331
+Publish: 20220623022331
+Activate: 20220623022331
diff --git a/bin/tests/system/autosign/ns2/bar.db.in b/bin/tests/system/autosign/ns2/bar.db.in
new file mode 100644
index 0000000..8a9fa98
--- /dev/null
+++ b/bin/tests/system/autosign/ns2/bar.db.in
@@ -0,0 +1,80 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+			NS	ns3
+ns2			A	10.53.0.2
+ns3			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+
+; Used for testing ANY queries
+foo			TXT	"testing"
+foo			A	10.0.1.0
+
+; Used for testing CNAME queries
+cname1			CNAME	cname1-target
+cname1-target		TXT	"testing cname"
+
+cname2			CNAME	cname2-target
+cname2-target		TXT	"testing cname"
+
+; Used for testing DNAME queries
+dname1			DNAME	dname1-target
+foo.dname1-target	TXT	"testing dname"
+
+dname2			DNAME	dname2-target
+foo.dname2-target	TXT	"testing dname"
+
+; A secure subdomain
+secure			NS	ns.secure
+ns.secure		A	10.53.0.3
+
+; An insecure subdomain
+insecure		NS	ns.insecure
+ns.insecure		A	10.53.0.3
+
+; A insecure subdomain
+mustbesecure		NS	ns.mustbesecure
+ns.mustbesecure		A	10.53.0.3
+
+z			A	10.0.0.26
+
+nsec3			NS	ns.nsec3
+ns.nsec3		A	10.53.0.3
+
+optout			NS	ns.optout
+ns.optout		A	10.53.0.3
+
+nsec3-unknown		NS	ns.nsec3-unknown
+ns.nsec3-unknown	A	10.53.0.3
+
+optout-unknown		NS	ns.optout-unknown
+ns.optout-unknown	A	10.53.0.3
+
+multiple		NS	ns.multiple
+ns.multiple		A	10.53.0.3
+
+rsasha256		NS	ns.rsasha256
+ns.rsasha256		A	10.53.0.3
+
+rsasha512		NS	ns.rsasha512
+ns.rsasha512		A	10.53.0.3
diff --git a/bin/tests/system/autosign/ns2/child.nsec3.example.db b/bin/tests/system/autosign/ns2/child.nsec3.example.db
new file mode 100644
index 0000000..8fc3bc8
--- /dev/null
+++ b/bin/tests/system/autosign/ns2/child.nsec3.example.db
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2006081400 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+@			IN NS	ns2.example.
diff --git a/bin/tests/system/autosign/ns2/child.optout.example.db b/bin/tests/system/autosign/ns2/child.optout.example.db
new file mode 100644
index 0000000..8fc3bc8
--- /dev/null
+++ b/bin/tests/system/autosign/ns2/child.optout.example.db
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2006081400 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+@			IN NS	ns2.example.
diff --git a/bin/tests/system/autosign/ns2/dst.example.db.in b/bin/tests/system/autosign/ns2/dst.example.db.in
new file mode 100644
index 0000000..0039484
--- /dev/null
+++ b/bin/tests/system/autosign/ns2/dst.example.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2.example.
+a			A	10.0.0.1
diff --git a/bin/tests/system/autosign/ns2/example.db.in b/bin/tests/system/autosign/ns2/example.db.in
new file mode 100644
index 0000000..a970074
--- /dev/null
+++ b/bin/tests/system/autosign/ns2/example.db.in
@@ -0,0 +1,88 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+			NS	ns3
+ns2			A	10.53.0.2
+ns3			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+
+; Used for testing ANY queries
+foo			TXT	"testing"
+foo			A	10.0.1.0
+
+; Used for testing CNAME queries
+cname1			CNAME	cname1-target
+cname1-target		TXT	"testing cname"
+
+cname2			CNAME	cname2-target
+cname2-target		TXT	"testing cname"
+
+; Used for testing DNAME queries
+dname1			DNAME	dname1-target
+foo.dname1-target	TXT	"testing dname"
+
+dname2			DNAME	dname2-target
+foo.dname2-target	TXT	"testing dname"
+
+; A secure subdomain
+secure			NS	ns.secure
+ns.secure		A	10.53.0.3
+
+; An insecure subdomain
+insecure		NS	ns.insecure
+ns.insecure		A	10.53.0.3
+
+; A insecure subdomain
+mustbesecure		NS	ns.mustbesecure
+ns.mustbesecure		A	10.53.0.3
+
+z			A	10.0.0.26
+
+nsec3			NS	ns.nsec3
+ns.nsec3		A	10.53.0.3
+
+optout			NS	ns.optout
+ns.optout		A	10.53.0.3
+
+nsec3-unknown		NS	ns.nsec3-unknown
+ns.nsec3-unknown	A	10.53.0.3
+
+optout-unknown		NS	ns.optout-unknown
+ns.optout-unknown	A	10.53.0.3
+
+multiple		NS	ns.multiple
+ns.multiple		A	10.53.0.3
+
+rsasha256		NS	ns.rsasha256
+ns.rsasha256		A	10.53.0.3
+
+rsasha512		NS	ns.rsasha512
+ns.rsasha512		A	10.53.0.3
+
+nsec3-to-nsec		NS	ns.nsec3-to-nsec
+ns.nsec3-to-nsec	A	10.53.0.3
+
+oldsigs			NS	ns.oldsigs
+ns.oldsigs		A	10.53.0.3
+
+dname-at-apex-nsec3	NS	ns3
diff --git a/bin/tests/system/autosign/ns2/insecure.secure.example.db b/bin/tests/system/autosign/ns2/insecure.secure.example.db
new file mode 100644
index 0000000..14971bd
--- /dev/null
+++ b/bin/tests/system/autosign/ns2/insecure.secure.example.db
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
diff --git a/bin/tests/system/autosign/ns2/keygen.sh b/bin/tests/system/autosign/ns2/keygen.sh
new file mode 100644
index 0000000..087d397
--- /dev/null
+++ b/bin/tests/system/autosign/ns2/keygen.sh
@@ -0,0 +1,66 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+# Have the child generate subdomain keys and pass DS sets to us.
+( cd ../ns3 && $SHELL keygen.sh )
+
+for subdomain in secure nsec3 autonsec3 optout rsasha256 rsasha512 \
+		 nsec3-to-nsec oldsigs sync dname-at-apex-nsec3 cds-delete \
+		 cdnskey-delete
+do
+	cp ../ns3/dsset-$subdomain.example$TP .
+done
+
+# Create keys and pass the DS to the parent.
+zone=example
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+cat $infile dsset-*.example$TP > $zonefile
+
+kskname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone)
+$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone > /dev/null
+$DSFROMKEY $kskname.key > dsset-${zone}$TP
+
+# Create keys for a private secure zone.
+zone=private.secure.example
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone)
+$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone > /dev/null
+keyfile_to_static_ds $ksk > private.conf
+cp private.conf ../ns4/private.conf
+$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > /dev/null
+
+# Extract saved keys for the revoke-to-duplicate-key test
+zone=bar
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+cat $infile > $zonefile
+for i in Xbar.+013+59973.key Xbar.+013+59973.private \
+	 Xbar.+013+60101.key Xbar.+013+60101.private
+do
+    cp $i $(echo $i | sed s/X/K/)
+done
+$KEYGEN -a ECDSAP256SHA256 -q $zone > /dev/null
+$DSFROMKEY Kbar.+013+60101.key > dsset-bar$TP
+
+# a zone with empty non-terminals.
+zone=optout-with-ent
+zonefile=optout-with-ent.db
+infile=optout-with-ent.db.in
+cat $infile > $zonefile
+kskname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone)
+$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone > /dev/null
diff --git a/bin/tests/system/autosign/ns2/named.conf.in b/bin/tests/system/autosign/ns2/named.conf.in
new file mode 100644
index 0000000..d70306a
--- /dev/null
+++ b/bin/tests/system/autosign/ns2/named.conf.in
@@ -0,0 +1,108 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	dnssec-validation yes;
+	dnssec-loadkeys-interval 30;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+	allow-query { any; };
+	allow-transfer { any; };
+	allow-update { any; };
+	auto-dnssec maintain;
+};
+
+zone "bar" {
+	type primary;
+	file "bar.db";
+	allow-query { any; };
+	allow-transfer { any; };
+	allow-update { any; };
+	auto-dnssec maintain;
+	dnssec-dnskey-kskonly yes;
+};
+
+zone "private.secure.example" {
+	type primary;
+	file "private.secure.example.db";
+	allow-query { any; };
+	allow-transfer { any; };
+	allow-update { any; };
+	auto-dnssec maintain;
+};
+
+zone "insecure.secure.example" {
+	type primary;
+	file "insecure.secure.example.db";
+	allow-query { any; };
+	allow-transfer { any; };
+	allow-update { any; };
+	auto-dnssec maintain;
+};
+
+zone "child.nsec3.example" {
+	type primary;
+	file "child.nsec3.example.db";
+	allow-query { any; };
+	allow-transfer { any; };
+	allow-update { any; };
+	auto-dnssec maintain;
+};
+
+zone "child.optout.example" {
+	type primary;
+	file "child.optout.example.db";
+	allow-query { any; };
+	allow-transfer { any; };
+	allow-update { any; };
+	auto-dnssec maintain;
+};
+
+zone "optout-with-ent" {
+	type primary;
+	file "optout-with-ent.db";
+	allow-query { any; };
+	allow-transfer { any; };
+	allow-update { any; };
+	auto-dnssec maintain;
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/autosign/ns2/optout-with-ent.db.in b/bin/tests/system/autosign/ns2/optout-with-ent.db.in
new file mode 100644
index 0000000..5a3e207
--- /dev/null
+++ b/bin/tests/system/autosign/ns2/optout-with-ent.db.in
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA  ns2.example. . (
+			2010042407	; serial
+			20		; refresh (20 seconds)
+			20		; retry (20 seconds)
+			1814400		; expire (3 weeks)
+			3600		; minimum (1 hour)
+			)
+			NS	ns2.example.
+sub1.ent		NS	.
+sub2.ent		NS	.
diff --git a/bin/tests/system/autosign/ns2/private.secure.example.db.in b/bin/tests/system/autosign/ns2/private.secure.example.db.in
new file mode 100644
index 0000000..29fcddf
--- /dev/null
+++ b/bin/tests/system/autosign/ns2/private.secure.example.db.in
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.2
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+private2secure-nxdomain	CNAME	r.example.
diff --git a/bin/tests/system/autosign/ns3/autonsec3.example.db.in b/bin/tests/system/autosign/ns3/autonsec3.example.db.in
new file mode 100644
index 0000000..17964e8
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/autonsec3.example.db.in
@@ -0,0 +1,37 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a			A	10.0.0.3
+child			NS	ns2.example.
+insecure		NS	ns.insecure
+ns.insecure 		A	10.53.0.3
+secure			NS	ns.secure
+ns.secure 		A	10.53.0.3
+nsec3			NS	ns.nsec3
+ns.nsec3 		A	10.53.0.3
+optout			NS	ns.optout
+ns.optout 		A	10.53.0.3
+02HC3EM7BDD011A0GMS3HKKJT2IF5VP8 A 10.0.0.17
diff --git a/bin/tests/system/autosign/ns3/cdnskey-delete.example.db.in b/bin/tests/system/autosign/ns3/cdnskey-delete.example.db.in
new file mode 100644
index 0000000..3083a79
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/cdnskey-delete.example.db.in
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2009102722 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e	A	10.0.0.27
+x			CNAME	a
diff --git a/bin/tests/system/autosign/ns3/cds-delete.example.db.in b/bin/tests/system/autosign/ns3/cds-delete.example.db.in
new file mode 100644
index 0000000..3083a79
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/cds-delete.example.db.in
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2009102722 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e	A	10.0.0.27
+x			CNAME	a
diff --git a/bin/tests/system/autosign/ns3/delay.example.db b/bin/tests/system/autosign/ns3/delay.example.db
new file mode 100644
index 0000000..0b11a00
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/delay.example.db
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2009102722 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+x			CNAME	a
diff --git a/bin/tests/system/autosign/ns3/delzsk.example.db.in b/bin/tests/system/autosign/ns3/delzsk.example.db.in
new file mode 100644
index 0000000..14fef54
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/delzsk.example.db.in
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000010101 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+sub			NS	ns.sub
+			DS	12345 8 1 0000000000000000000000000000000000000000
+ns.sub			A	10.53.0.3
diff --git a/bin/tests/system/autosign/ns3/dname-at-apex-nsec3.example.db.in b/bin/tests/system/autosign/ns3/dname-at-apex-nsec3.example.db.in
new file mode 100644
index 0000000..080d111
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/dname-at-apex-nsec3.example.db.in
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL	600
+@	SOA	ns3.example. . 1 1200 1200 1814400 3600
+@	NS	ns3.example.
+@	DNAME	example.
+@	NSEC3PARAM 1 0 0 -
diff --git a/bin/tests/system/autosign/ns3/inacksk2.example.db.in b/bin/tests/system/autosign/ns3/inacksk2.example.db.in
new file mode 100644
index 0000000..1376922
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/inacksk2.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				1          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+x			CNAME	a
diff --git a/bin/tests/system/autosign/ns3/inacksk3.example.db.in b/bin/tests/system/autosign/ns3/inacksk3.example.db.in
new file mode 100644
index 0000000..1376922
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/inacksk3.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				1          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+x			CNAME	a
diff --git a/bin/tests/system/autosign/ns3/inaczsk.example.db.in b/bin/tests/system/autosign/ns3/inaczsk.example.db.in
new file mode 100644
index 0000000..1376922
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/inaczsk.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				1          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+x			CNAME	a
diff --git a/bin/tests/system/autosign/ns3/inaczsk2.example.db.in b/bin/tests/system/autosign/ns3/inaczsk2.example.db.in
new file mode 100644
index 0000000..1376922
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/inaczsk2.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				1          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+x			CNAME	a
diff --git a/bin/tests/system/autosign/ns3/inaczsk3.example.db.in b/bin/tests/system/autosign/ns3/inaczsk3.example.db.in
new file mode 100644
index 0000000..1376922
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/inaczsk3.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				1          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+x			CNAME	a
diff --git a/bin/tests/system/autosign/ns3/insecure.example.db b/bin/tests/system/autosign/ns3/insecure.example.db
new file mode 100644
index 0000000..14971bd
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/insecure.example.db
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
diff --git a/bin/tests/system/autosign/ns3/jitter.nsec3.example.db.in b/bin/tests/system/autosign/ns3/jitter.nsec3.example.db.in
new file mode 100644
index 0000000..8a96023
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/jitter.nsec3.example.db.in
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
diff --git a/bin/tests/system/autosign/ns3/keygen.sh b/bin/tests/system/autosign/ns3/keygen.sh
new file mode 100644
index 0000000..53547d3
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/keygen.sh
@@ -0,0 +1,399 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+SYSTESTDIR=autosign
+
+dumpit () {
+	echo_d "${debug}: dumping ${1}"
+	cat "${1}" | cat_d
+}
+
+setup () {
+	echo_i "setting up zone: $1"
+	debug="$1"
+	zone="$1"
+	zonefile="${zone}.db"
+	infile="${zonefile}.in"
+	n=$((${n:-0} + 1))
+}
+
+setup secure.example
+cp $infile $zonefile
+ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
+
+#
+#  NSEC3/NSEC test zone
+#
+setup secure.nsec3.example
+cp $infile $zonefile
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
+
+#
+#  NSEC3/NSEC3 test zone
+#
+setup nsec3.nsec3.example
+cp $infile $zonefile
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
+
+#
+#  Jitter/NSEC3 test zone
+#
+setup jitter.nsec3.example
+cp $infile $zonefile
+count=1
+while [ $count -le 1000 ]
+do
+    echo "label${count} IN TXT label${count}" >> $zonefile
+    count=$((count + 1))
+done
+# Don't create keys just yet, because the scenario we want to test
+# is an unsigned zone that has a NSEC3PARAM record added with
+# dynamic update before the keys are generated.
+
+#
+#  OPTOUT/NSEC3 test zone
+#
+setup optout.nsec3.example
+cp $infile $zonefile
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
+
+#
+# A nsec3 zone (non-optout).
+#
+setup nsec3.example
+cat $infile dsset-*.${zone}$TP > $zonefile
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
+
+#
+# An NSEC3 zone, with NSEC3 parameters set prior to signing
+#
+setup autonsec3.example
+cat $infile > $zonefile
+ksk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
+echo $ksk > ../autoksk.key
+zsk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out
+echo $zsk > ../autozsk.key
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
+
+#
+#  OPTOUT/NSEC test zone
+#
+setup secure.optout.example
+cp $infile $zonefile
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
+
+#
+#  OPTOUT/NSEC3 test zone
+#
+setup nsec3.optout.example
+cp $infile $zonefile
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
+
+#
+#  OPTOUT/OPTOUT test zone
+#
+setup optout.optout.example
+cp $infile $zonefile
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
+
+#
+# A optout nsec3 zone.
+#
+setup optout.example
+cat $infile dsset-*.${zone}$TP > $zonefile
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
+
+#
+# A RSASHA256 zone.
+#
+setup rsasha256.example
+cp $infile $zonefile
+ksk=$($KEYGEN -q -a RSASHA256 -b 2048 -fk $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -q -a RSASHA256 -b 2048 $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
+
+#
+# A RSASHA512 zone.
+#
+setup rsasha512.example
+cp $infile $zonefile
+ksk=$($KEYGEN -q -a RSASHA512 -b 2048 -fk $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -q -a RSASHA512 -b 2048 $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
+
+#
+# NSEC-only zone. A zone using NSEC-only DNSSEC algorithms.
+# None of these algorithms are supported for signing in FIPS mode
+# as they are MD5 and SHA1 based.
+#
+if (cd ..; SYSTEMTESTTOP=.. $SHELL ../testcrypto.sh -q RSASHA1)
+then
+    setup nsec-only.example
+    cp $infile $zonefile
+    ksk=$($KEYGEN -q -a RSASHA1 -fk $zone 2> kg.out) || dumpit kg.out
+    $KEYGEN -q -a RSASHA1 $zone > kg.out 2>&1 || dumpit kg.out
+    $DSFROMKEY $ksk.key > dsset-${zone}$TP
+else
+    echo_i "skip: nsec-only.example - signing with RSASHA1 not supported"
+fi
+
+#
+# Signature refresh test zone.  Signatures are set to expire long
+# in the past; they should be updated by autosign.
+#
+setup oldsigs.example
+cp $infile $zonefile
+count=1
+while [ $count -le 1000 ]
+do
+    echo "label${count} IN TXT label${count}" >> $zonefile
+    count=$((count + 1))
+done
+$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM $zone > kg.out 2>&1 || dumpit kg.out
+$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile.signed $zonefile > s.out || dumpit s.out
+mv $zonefile.signed $zonefile
+
+#
+# NSEC3->NSEC transition test zone.
+#
+setup nsec3-to-nsec.example
+$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM $zone > kg.out 2>&1 || dumpit kg.out
+$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > s.out || dumpit s.out
+
+#
+# secure-to-insecure transition test zone; used to test removal of
+# keys via nsupdate
+#
+setup secure-to-insecure.example
+$KEYGEN -a $DEFAULT_ALGORITHM -q -fk $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -q $zone > kg.out 2>&1 || dumpit kg.out
+$SIGNER -S -o $zone -f $zonefile $infile > s.out || dumpit s.out
+
+#
+# another secure-to-insecure transition test zone; used to test
+# removal of keys on schedule.
+#
+setup secure-to-insecure2.example
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
+echo $ksk > ../del1.key
+zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out
+echo $zsk > ../del2.key
+$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out
+
+#
+# Introducing a pre-published key test.
+#
+setup prepub.example
+infile="secure-to-insecure2.example.db.in"
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
+$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out
+
+#
+# Key TTL tests.
+#
+
+# no default key TTL; DNSKEY should get SOA TTL
+setup ttl1.example
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
+cp $infile $zonefile
+
+# default key TTL should be used
+setup ttl2.example
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 60 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone > kg.out 2>&1 || dumpit kg.out
+cp $infile $zonefile
+
+# mismatched key TTLs, should use shortest
+setup ttl3.example
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 30 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone > kg.out 2>&1 || dumpit kg.out
+cp $infile $zonefile
+
+# existing DNSKEY RRset, should retain TTL
+setup ttl4.example
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 30 -fk $zone > kg.out 2>&1 || dumpit kg.out
+cat ${infile} K${zone}.+*.key > $zonefile
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 180 $zone > kg.out 2>&1 || dumpit kg.out
+
+#
+# A zone with a DNSKEY RRset that is published before it's activated
+#
+setup delay.example
+ksk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
+echo $ksk > ../delayksk.key
+zsk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out
+echo $zsk > ../delayzsk.key
+
+#
+# A zone with signatures that are already expired, and the private KSK
+# is missing.
+#
+setup noksk.example
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
+zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out
+$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out
+echo $ksk > ../noksk-ksk.key
+rm -f ${ksk}.private
+
+#
+# A zone with signatures that are already expired, and the private ZSK
+# is missing.
+#
+setup nozsk.example
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
+zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out
+$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out
+echo $ksk > ../nozsk-ksk.key
+echo $zsk > ../nozsk-zsk.key
+rm -f ${zsk}.private
+
+#
+# A zone with signatures that are already expired, and the private ZSK
+# is inactive.
+#
+setup inaczsk.example
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
+zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out
+$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out
+echo $ksk > ../inaczsk-ksk.key
+echo $zsk > ../inaczsk-zsk.key
+$SETTIME -I now $zsk > st.out 2>&1 || dumpit st.out
+
+#
+# A zone that is set to 'auto-dnssec maintain' during a reconfig
+#
+setup reconf.example
+cp secure.example.db.in $zonefile
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
+
+#
+# A zone which generates CDS and CDNSEY RRsets automatically
+#
+setup sync.example
+cp $infile $zonefile
+ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
+echo ns3/$ksk > ../sync.key
+
+#
+# A zone that generates CDS and CDNSKEY and uses dnssec-dnskey-kskonly
+#
+setup kskonly.example
+cp $infile $zonefile
+ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
+
+#
+# A zone that has a published inactive key that is autosigned.
+#
+setup inacksk2.example
+cp $infile $zonefile
+ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -Pnow -A now+3600 -fk $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
+
+#
+# A zone that has a published inactive key that is autosigned.
+#
+setup inaczsk2.example
+cp $infile $zonefile
+ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
+
+#
+# A zone that starts with a active KSK + ZSK and a inactive ZSK.
+#
+setup inacksk3.example
+cp $infile $zonefile
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 -fk $zone > kg.out 2>&1 || dumpit kg.out
+ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
+
+#
+# A zone that starts with a active KSK + ZSK and a inactive ZSK.
+#
+setup inaczsk3.example
+cp $infile $zonefile
+ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
+
+#
+# A zone that starts with an active KSK + ZSK and an inactive ZSK, with the
+# latter getting deleted during the test.
+#
+setup delzsk.example
+cp $infile $zonefile
+ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
+zsk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -I now-1w $zone 2>kg.out) || dumpit kg.out
+echo $zsk > ../delzsk.key
+
+#
+# Check that NSEC3 are correctly signed and returned from below a DNAME
+#
+setup dname-at-apex-nsec3.example
+cp $infile $zonefile
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
+
+#
+# Check that dynamically added CDS (DELETE) is kept in the zone after signing.
+#
+setup cds-delete.example
+cp $infile $zonefile
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
+
+#
+# Check that dynamically added CDNSKEY (DELETE) is kept in the zone after
+# signing.
+#
+setup cdnskey-delete.example
+cp $infile $zonefile
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
diff --git a/bin/tests/system/autosign/ns3/kskonly.example.db.in b/bin/tests/system/autosign/ns3/kskonly.example.db.in
new file mode 100644
index 0000000..c6c7f88
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/kskonly.example.db.in
@@ -0,0 +1,34 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e	A	10.0.0.27
+x			CNAME	a
+
+private			NS	ns.private
+ns.private		A	10.53.0.2
+
+insecure		NS	ns.insecure
+ns.insecure		A	10.53.0.2
diff --git a/bin/tests/system/autosign/ns3/named.conf.in b/bin/tests/system/autosign/ns3/named.conf.in
new file mode 100644
index 0000000..a1f1f0d
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/named.conf.in
@@ -0,0 +1,334 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	session-keyfile "session.key";
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	dnssec-validation yes;
+	dnssec-loadkeys-interval 10;
+	allow-new-zones yes;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "example" {
+	type secondary;
+	primaries { 10.53.0.2; };
+	file "example.bk";
+};
+
+zone "bar" {
+	type secondary;
+	primaries { 10.53.0.2; };
+	file "bar.bk";
+};
+
+zone "secure.example" {
+	type primary;
+	file "secure.example.db";
+	allow-update { any; };
+	auto-dnssec maintain;
+};
+
+zone "insecure.example" {
+	type primary;
+	file "insecure.example.db";
+};
+
+zone "nsec3.example" {
+	type primary;
+	file "nsec3.example.db";
+	allow-update { any; };
+	auto-dnssec maintain;
+};
+
+zone "autonsec3.example" {
+	type primary;
+	file "autonsec3.example.db";
+	allow-update { any; };
+	auto-dnssec maintain;
+};
+
+zone "optout.nsec3.example" {
+	type primary;
+	file "optout.nsec3.example.db";
+	allow-update { any; };
+	auto-dnssec maintain;
+};
+
+zone "nsec3.nsec3.example" {
+	type primary;
+	file "nsec3.nsec3.example.db";
+	allow-update { any; };
+	auto-dnssec maintain;
+};
+
+zone "jitter.nsec3.example" {
+	type primary;
+	file "jitter.nsec3.example.db";
+	allow-update { any; };
+	auto-dnssec maintain;
+	sig-validity-interval 10 2;
+	sig-signing-nodes 1000;
+	sig-signing-signatures 100;
+};
+
+zone "secure.nsec3.example" {
+	type primary;
+	file "secure.nsec3.example.db";
+	allow-update { any; };
+	auto-dnssec maintain;
+};
+
+zone "optout.example" {
+	type primary;
+	file "optout.example.db";
+	allow-update { any; };
+	auto-dnssec maintain;
+};
+
+zone "secure.optout.example" {
+	type primary;
+	file "secure.optout.example.db";
+	allow-update { any; };
+	auto-dnssec maintain;
+};
+
+zone "nsec3.optout.example" {
+	type primary;
+	file "nsec3.optout.example.db";
+	allow-update { any; };
+	auto-dnssec maintain;
+};
+
+zone "optout.optout.example" {
+	type primary;
+	file "optout.optout.example.db";
+	allow-update { any; };
+	auto-dnssec maintain;
+};
+
+zone "rsasha256.example" {
+	type primary;
+	file "rsasha256.example.db";
+	allow-update { any; };
+	auto-dnssec maintain;
+};
+
+zone "rsasha512.example" {
+	type primary;
+	file "rsasha512.example.db";
+	allow-update { any; };
+	auto-dnssec maintain;
+};
+
+zone "nsec-only.example" {
+	type primary;
+	file "nsec-only.example.db";
+	allow-update { any; };
+	auto-dnssec maintain;
+};
+
+zone "nsec3-to-nsec.example" {
+	type primary;
+	file "nsec3-to-nsec.example.db";
+	allow-update { any; };
+	auto-dnssec maintain;
+};
+
+zone "secure-to-insecure.example" {
+	type primary;
+	file "secure-to-insecure.example.db";
+	allow-update { any; };
+	dnssec-secure-to-insecure yes;
+};
+
+zone "secure-to-insecure2.example" {
+	type primary;
+	file "secure-to-insecure2.example.db";
+	allow-update { any; };
+	auto-dnssec maintain;
+	dnssec-secure-to-insecure yes;
+};
+
+zone "oldsigs.example" {
+	type primary;
+	file "oldsigs.example.db";
+	allow-update { any; };
+	auto-dnssec maintain;
+	sig-validity-interval 10 2;
+	sig-signing-nodes 1000;
+	sig-signing-signatures 100;
+};
+
+zone "prepub.example" {
+	type primary;
+	file "prepub.example.db";
+	allow-update { any; };
+	auto-dnssec maintain;
+};
+
+zone "ttl1.example" {
+	type primary;
+	file "ttl1.example.db";
+	allow-update { any; };
+	auto-dnssec maintain;
+};
+
+zone "ttl2.example" {
+	type primary;
+	file "ttl2.example.db";
+	allow-update { any; };
+	auto-dnssec maintain;
+};
+
+zone "ttl3.example" {
+	type primary;
+	file "ttl3.example.db";
+	allow-update { any; };
+	auto-dnssec maintain;
+};
+
+zone "ttl4.example" {
+	type primary;
+	file "ttl4.example.db";
+	allow-update { any; };
+	auto-dnssec maintain;
+};
+
+zone "delay.example" {
+	type primary;
+	file "delay.example.db";
+	allow-update { any; };
+	auto-dnssec maintain;
+};
+
+zone "nozsk.example" {
+	type primary;
+	file "nozsk.example.db";
+	allow-update { any; };
+	auto-dnssec maintain;
+};
+
+zone "inaczsk.example" {
+	type primary;
+	file "inaczsk.example.db";
+	allow-update { any; };
+	auto-dnssec maintain;
+};
+
+zone "noksk.example" {
+	type primary;
+	file "noksk.example.db";
+	allow-update { any; };
+	auto-dnssec maintain;
+};
+
+zone "sync.example" {
+	type primary;
+	file "sync.example.db";
+	allow-update { any; };
+	auto-dnssec maintain;
+};
+
+zone "kskonly.example" {
+	type primary;
+	file "kskonly.example.db";
+	allow-update { any; };
+	dnssec-dnskey-kskonly yes;
+	auto-dnssec maintain;
+};
+
+zone "inacksk2.example" {
+	type primary;
+	file "inacksk2.example.db";
+	allow-update { any; };
+	dnssec-dnskey-kskonly yes;
+	auto-dnssec maintain;
+};
+
+zone "inacksk3.example" {
+	type primary;
+	file "inacksk3.example.db";
+	allow-update { any; };
+	dnssec-dnskey-kskonly yes;
+	auto-dnssec maintain;
+};
+
+zone "inaczsk2.example" {
+	type primary;
+	file "inaczsk2.example.db";
+	allow-update { any; };
+	auto-dnssec maintain;
+};
+
+zone "inaczsk3.example" {
+	type primary;
+	file "inaczsk3.example.db";
+	allow-update { any; };
+	auto-dnssec maintain;
+};
+
+zone "delzsk.example." {
+	type primary;
+	file "delzsk.example.db";
+	allow-update { any; };
+	auto-dnssec maintain;
+};
+
+zone "dname-at-apex-nsec3.example" {
+	type primary;
+	file "dname-at-apex-nsec3.example.db";
+	allow-update { any; };
+	auto-dnssec maintain;
+};
+
+zone "cds-delete.example" {
+	type primary;
+	file "cds-delete.example.db";
+	allow-update { any; };
+	auto-dnssec maintain;
+};
+
+zone "cdnskey-delete.example" {
+	type primary;
+	file "cdnskey-delete.example.db";
+	allow-update { any; };
+	auto-dnssec maintain;
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/autosign/ns3/noksk.example.db.in b/bin/tests/system/autosign/ns3/noksk.example.db.in
new file mode 100644
index 0000000..1376922
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/noksk.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				1          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+x			CNAME	a
diff --git a/bin/tests/system/autosign/ns3/nozsk.example.db.in b/bin/tests/system/autosign/ns3/nozsk.example.db.in
new file mode 100644
index 0000000..1376922
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/nozsk.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				1          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+x			CNAME	a
diff --git a/bin/tests/system/autosign/ns3/nsec-only.example.db.in b/bin/tests/system/autosign/ns3/nsec-only.example.db.in
new file mode 100644
index 0000000..0b11a00
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/nsec-only.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2009102722 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+x			CNAME	a
diff --git a/bin/tests/system/autosign/ns3/nsec3-to-nsec.example.db.in b/bin/tests/system/autosign/ns3/nsec3-to-nsec.example.db.in
new file mode 100644
index 0000000..0b11a00
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/nsec3-to-nsec.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2009102722 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+x			CNAME	a
diff --git a/bin/tests/system/autosign/ns3/nsec3.example.db.in b/bin/tests/system/autosign/ns3/nsec3.example.db.in
new file mode 100644
index 0000000..17964e8
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/nsec3.example.db.in
@@ -0,0 +1,37 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a			A	10.0.0.3
+child			NS	ns2.example.
+insecure		NS	ns.insecure
+ns.insecure 		A	10.53.0.3
+secure			NS	ns.secure
+ns.secure 		A	10.53.0.3
+nsec3			NS	ns.nsec3
+ns.nsec3 		A	10.53.0.3
+optout			NS	ns.optout
+ns.optout 		A	10.53.0.3
+02HC3EM7BDD011A0GMS3HKKJT2IF5VP8 A 10.0.0.17
diff --git a/bin/tests/system/autosign/ns3/nsec3.nsec3.example.db.in b/bin/tests/system/autosign/ns3/nsec3.nsec3.example.db.in
new file mode 100644
index 0000000..15fe621
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/nsec3.nsec3.example.db.in
@@ -0,0 +1,35 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e	A	10.0.0.27
+x			CNAME	a
+
+private			NS	ns.private
+ns.private		A	10.53.0.2
+
+insecure		NS	ns.insecure
+ns.insecure		A	10.53.0.2
+
diff --git a/bin/tests/system/autosign/ns3/nsec3.optout.example.db.in b/bin/tests/system/autosign/ns3/nsec3.optout.example.db.in
new file mode 100644
index 0000000..15fe621
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/nsec3.optout.example.db.in
@@ -0,0 +1,35 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e	A	10.0.0.27
+x			CNAME	a
+
+private			NS	ns.private
+ns.private		A	10.53.0.2
+
+insecure		NS	ns.insecure
+ns.insecure		A	10.53.0.2
+
diff --git a/bin/tests/system/autosign/ns3/oldsigs.example.db.in b/bin/tests/system/autosign/ns3/oldsigs.example.db.in
new file mode 100644
index 0000000..0b11a00
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/oldsigs.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2009102722 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+x			CNAME	a
diff --git a/bin/tests/system/autosign/ns3/optout.example.db.in b/bin/tests/system/autosign/ns3/optout.example.db.in
new file mode 100644
index 0000000..fbb05af
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/optout.example.db.in
@@ -0,0 +1,38 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20	 ; refresh (20 seconds)
+				20	 ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a			A	10.0.0.3
+insecure		NS	ns.insecure
+ns.insecure		A	10.53.0.3
+secure			NS	ns.secure
+ns.secure		A	10.53.0.3
+nsec3			NS	ns.nsec3
+ns.nsec3		A	10.53.0.3
+optout			NS	ns.optout
+ns.optout		A	10.53.0.3
+child			NS	ns2.example.
+insecure.empty		NS	ns.insecure.empty
+ns.insecure.empty	A	10.53.0.3
diff --git a/bin/tests/system/autosign/ns3/optout.nsec3.example.db.in b/bin/tests/system/autosign/ns3/optout.nsec3.example.db.in
new file mode 100644
index 0000000..15fe621
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/optout.nsec3.example.db.in
@@ -0,0 +1,35 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e	A	10.0.0.27
+x			CNAME	a
+
+private			NS	ns.private
+ns.private		A	10.53.0.2
+
+insecure		NS	ns.insecure
+ns.insecure		A	10.53.0.2
+
diff --git a/bin/tests/system/autosign/ns3/optout.optout.example.db.in b/bin/tests/system/autosign/ns3/optout.optout.example.db.in
new file mode 100644
index 0000000..15fe621
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/optout.optout.example.db.in
@@ -0,0 +1,35 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e	A	10.0.0.27
+x			CNAME	a
+
+private			NS	ns.private
+ns.private		A	10.53.0.2
+
+insecure		NS	ns.insecure
+ns.insecure		A	10.53.0.2
+
diff --git a/bin/tests/system/autosign/ns3/rsasha256.example.db.in b/bin/tests/system/autosign/ns3/rsasha256.example.db.in
new file mode 100644
index 0000000..f6c4fab
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/rsasha256.example.db.in
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2009102722 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e	A	10.0.0.27
+x			CNAME	a
diff --git a/bin/tests/system/autosign/ns3/rsasha512.example.db.in b/bin/tests/system/autosign/ns3/rsasha512.example.db.in
new file mode 100644
index 0000000..f6c4fab
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/rsasha512.example.db.in
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2009102722 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e	A	10.0.0.27
+x			CNAME	a
diff --git a/bin/tests/system/autosign/ns3/secure-to-insecure.example.db.in b/bin/tests/system/autosign/ns3/secure-to-insecure.example.db.in
new file mode 100644
index 0000000..14971bd
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/secure-to-insecure.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
diff --git a/bin/tests/system/autosign/ns3/secure-to-insecure2.example.db.in b/bin/tests/system/autosign/ns3/secure-to-insecure2.example.db.in
new file mode 100644
index 0000000..14971bd
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/secure-to-insecure2.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
diff --git a/bin/tests/system/autosign/ns3/secure.example.db.in b/bin/tests/system/autosign/ns3/secure.example.db.in
new file mode 100644
index 0000000..9855ec0
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/secure.example.db.in
@@ -0,0 +1,37 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e	A	10.0.0.27
+x			CNAME	a
+
+private			NS	ns.private
+ns.private		A	10.53.0.2
+
+insecure		NS	ns.insecure
+ns.insecure		A	10.53.0.2
+
+dname-and-txt		DNAME	@
+			TXT	"DNAME and TXT"
diff --git a/bin/tests/system/autosign/ns3/secure.nsec3.example.db.in b/bin/tests/system/autosign/ns3/secure.nsec3.example.db.in
new file mode 100644
index 0000000..15fe621
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/secure.nsec3.example.db.in
@@ -0,0 +1,35 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e	A	10.0.0.27
+x			CNAME	a
+
+private			NS	ns.private
+ns.private		A	10.53.0.2
+
+insecure		NS	ns.insecure
+ns.insecure		A	10.53.0.2
+
diff --git a/bin/tests/system/autosign/ns3/secure.optout.example.db.in b/bin/tests/system/autosign/ns3/secure.optout.example.db.in
new file mode 100644
index 0000000..15fe621
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/secure.optout.example.db.in
@@ -0,0 +1,35 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e	A	10.0.0.27
+x			CNAME	a
+
+private			NS	ns.private
+ns.private		A	10.53.0.2
+
+insecure		NS	ns.insecure
+ns.insecure		A	10.53.0.2
+
diff --git a/bin/tests/system/autosign/ns3/sync.example.db.in b/bin/tests/system/autosign/ns3/sync.example.db.in
new file mode 100644
index 0000000..c6c7f88
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/sync.example.db.in
@@ -0,0 +1,34 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e	A	10.0.0.27
+x			CNAME	a
+
+private			NS	ns.private
+ns.private		A	10.53.0.2
+
+insecure		NS	ns.insecure
+ns.insecure		A	10.53.0.2
diff --git a/bin/tests/system/autosign/ns3/ttl1.example.db.in b/bin/tests/system/autosign/ns3/ttl1.example.db.in
new file mode 100644
index 0000000..0b11a00
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/ttl1.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2009102722 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+x			CNAME	a
diff --git a/bin/tests/system/autosign/ns3/ttl2.example.db.in b/bin/tests/system/autosign/ns3/ttl2.example.db.in
new file mode 100644
index 0000000..0b11a00
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/ttl2.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2009102722 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+x			CNAME	a
diff --git a/bin/tests/system/autosign/ns3/ttl3.example.db.in b/bin/tests/system/autosign/ns3/ttl3.example.db.in
new file mode 100644
index 0000000..0b11a00
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/ttl3.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2009102722 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+x			CNAME	a
diff --git a/bin/tests/system/autosign/ns3/ttl4.example.db.in b/bin/tests/system/autosign/ns3/ttl4.example.db.in
new file mode 100644
index 0000000..0b11a00
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/ttl4.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2009102722 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+x			CNAME	a
diff --git a/bin/tests/system/autosign/ns4/named.conf.in b/bin/tests/system/autosign/ns4/named.conf.in
new file mode 100644
index 0000000..b46ce91
--- /dev/null
+++ b/bin/tests/system/autosign/ns4/named.conf.in
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS4
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	dnssec-must-be-secure mustbesecure.example yes;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+include "trusted.conf";
+include "private.conf";
diff --git a/bin/tests/system/autosign/ns5/named.conf.in b/bin/tests/system/autosign/ns5/named.conf.in
new file mode 100644
index 0000000..710dfa8
--- /dev/null
+++ b/bin/tests/system/autosign/ns5/named.conf.in
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS5
+
+options {
+	query-source address 10.53.0.5;
+	notify-source 10.53.0.5;
+	transfer-source 10.53.0.5;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.5; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/autosign/setup.sh b/bin/tests/system/autosign/setup.sh
new file mode 100644
index 0000000..82faf02
--- /dev/null
+++ b/bin/tests/system/autosign/setup.sh
@@ -0,0 +1,24 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+
+echo_i "generating keys and preparing zones"
+cd ns1 && $SHELL keygen.sh
diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh
new file mode 100755
index 0000000..ac96507
--- /dev/null
+++ b/bin/tests/system/autosign/tests.sh
@@ -0,0 +1,1788 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=0
+
+DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}"
+RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
+
+# convert private-type records to readable form
+showprivate () {
+    echo "-- $@ --"
+    $DIG $DIGOPTS +nodnssec +short @$2 -t type65534 $1 | cut -f3 -d' ' |
+        while read record; do
+            $PERL -e 'my $rdata = pack("H*", @ARGV[0]);
+                die "invalid record" unless length($rdata) == 5;
+                my ($alg, $key, $remove, $complete) = unpack("CnCC", $rdata);
+                my $action = "signing";
+                $action = "removing" if $remove;
+                my $state = " (incomplete)";
+                $state = " (complete)" if $complete;
+                print ("$action: alg: $alg, key: $key$state\n");' $record
+        done
+}
+
+# check that signing records are marked as complete
+checkprivate () {
+    _ret=0
+    expected="${3:-0}"
+    x=$(showprivate "$@")
+    echo $x | grep incomplete > /dev/null && _ret=1
+
+    if [ $_ret = $expected ]; then
+        return 0
+    fi
+
+    echo "$x"
+    echo_i "failed"
+    return 1
+}
+
+# wait until notifies for zone $1 are sent by server $2. This is an indication
+# that the zone is signed with the active keys, and the changes have been
+# committed.
+wait_for_notifies () {
+	wait_for_log 10 "zone ${1}/IN: sending notifies" "${2}/named.run" || return 1
+}
+
+freq() {
+	_file=$1
+	# remove first and last line that has incomplete set and skews the distribution
+	awk '$4 == "RRSIG" {print substr($9,1,8)}' < "$_file" | sort | uniq -c | sed '1d;$d'
+}
+# Check the signatures expiration times.  First check how many signatures
+# there are in total ($rrsigs).  Then see what the distribution of signature
+# expiration times is ($expiretimes).  Ignore the time part for a better
+# modelled distribution.
+checkjitter () {
+	_file=$1
+	_ret=0
+
+	if ! command -v bc >/dev/null 2>&1; then
+		echo_i "skip: bc not available"
+		return 0
+	fi
+
+	freq "$_file" | cat_i
+	_expiretimes=$(freq "$_file" | awk '{print $1}')
+
+	_count=0
+	# Check if we have at least 4 days
+	# This number has been tuned for `sig-validity-interval 10 2`, as
+	# 1 signature expiration dates should be spread out across at most 8 (10-2) days
+	# 2. we remove first and last day to remove frequency outlier, we are left with 6 (8-2) days
+	# 3. we subtract two more days to allow test pass on day boundaries, etc. leaving us with 4 (6-2)
+	for _num in $_expiretimes
+	do
+		_count=$((_count+1))
+	done
+	if [ "$_count" -lt 4 ]; then
+		echo_i "error: not enough categories"
+		return 1
+	fi
+
+	# Calculate mean
+	_total=0
+	for _num in $_expiretimes
+	do
+		_total=$((_total+_num))
+	done
+	_mean=$(($_total / $_count))
+
+	# Calculate stddev
+	_stddev=0
+	for _num in $_expiretimes
+	do
+		_stddev=$(echo "$_stddev + (($_num - $_mean) * ($_num - $_mean))" | bc)
+	done
+	_stddev=$(echo "sqrt($_stddev/$_count)" | bc)
+
+	# We expect the number of signatures not to exceed the mean +- 3 * stddev.
+	_limit=$((_stddev*3))
+	_low=$((_mean-_limit))
+	_high=$((_mean+_limit))
+	# Find outliers.
+	echo_i "checking whether all frequencies fall into <$_low;$_high> range"
+	for _num in $_expiretimes
+	do
+		if [ $_num -gt $_high ]; then
+			echo_i "error: too many RRSIG records ($_num) in expiration bucket"
+			_ret=1
+		fi
+		if [ $_num -lt $_low ]; then
+			echo_i "error: too few RRSIG records ($_num) in expiration bucket"
+			_ret=1
+		fi
+	done
+
+	return $_ret
+}
+
+#
+#  The NSEC record at the apex of the zone and its RRSIG records are
+#  added as part of the last step in signing a zone.  We wait for the
+#  NSEC records to appear before proceeding with a counter to prevent
+#  infinite loops if there is a error.
+#
+echo_i "waiting for autosign changes to take effect"
+i=0
+while [ $i -lt 30 ]
+do
+	ret=0
+	#
+	# Wait for the root DNSKEY RRset to be fully signed.
+	#
+	$DIG $DIGOPTS . @10.53.0.1 dnskey > dig.out.ns1.test$n || ret=1
+	grep "ANSWER: 10," dig.out.ns1.test$n > /dev/null || ret=1
+	for z in .
+	do
+		$DIG $DIGOPTS $z @10.53.0.1 nsec > dig.out.ns1.test$n || ret=1
+		grep "NS SOA" dig.out.ns1.test$n > /dev/null || ret=1
+	done
+	for z in bar. example. private.secure.example. optout-with-ent.
+	do
+		$DIG $DIGOPTS $z @10.53.0.2 nsec > dig.out.ns2.test$n || ret=1
+		grep "NS SOA" dig.out.ns2.test$n > /dev/null || ret=1
+	done
+	for z in bar. example. inacksk2.example. inacksk3.example \
+		 inaczsk2.example. inaczsk3.example noksk.example nozsk.example
+	do
+		$DIG $DIGOPTS $z @10.53.0.3 nsec > dig.out.ns3.test$n || ret=1
+		grep "NS SOA" dig.out.ns3.test$n > /dev/null || ret=1
+	done
+	i=$((i + 1))
+	if [ $ret = 0 ]; then break; fi
+	echo_i "waiting ... ($i)"
+	sleep 2
+done
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "done"; fi
+status=$((status + ret))
+
+echo_i "Convert optout-with-ent from nsec to nsec3"
+($RNDCCMD 10.53.0.2 signing -nsec3param 1 1 1 - optout-with-ent 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1
+
+echo_i "Initial counts of RRSIG expiry fields values for auto signed zones"
+for z in .
+do
+	echo_i zone $z
+	$DIG $DIGOPTS $z @10.53.0.1 axfr | awk '$4 == "RRSIG" {print $9}' | sort | uniq -c | cat_i
+done
+for z in bar. example. private.secure.example.
+do
+	echo_i zone $z
+	$DIG $DIGOPTS $z @10.53.0.2 axfr | awk '$4 == "RRSIG" {print $9}' | sort | uniq -c | cat_i
+done
+for z in inacksk2.example. inacksk3.example inaczsk2.example. inaczsk3.example
+do
+	echo_i zone $z
+	$DIG $DIGOPTS $z @10.53.0.3 axfr | awk '$4 == "RRSIG" {print $9}' | sort | uniq -c | cat_i
+done
+
+# Set logfile offset for wait_for_log usage.
+nextpartreset ns3/named.run
+
+#
+# Check that DNSKEY is initially signed with a KSK and not a ZSK.
+#
+echo_i "check that zone with active and inactive KSK and active ZSK is properly"
+echo_ic "resigned after the active KSK is deleted - stage 1: Verify that DNSKEY"
+echo_ic "is initially signed with a KSK and not a ZSK. ($n)"
+ret=0
+
+$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example > dig.out.ns3.test$n
+
+zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n |
+       $DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}')
+grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 " dig.out.ns3.test$n > /dev/null || ret=1
+
+pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${zskid} "
+grep "${pattern}" dig.out.ns3.test$n > /dev/null && ret=1
+
+count=$(awk 'BEGIN { count = 0 }
+	    $4 == "RRSIG" && $5 == "DNSKEY" { count++ }
+	    END {print count}' dig.out.ns3.test$n)
+test $count -eq 1 || ret=1
+
+count=$(awk 'BEGIN { count = 0 }
+       $4 == "DNSKEY" { count++ }
+       END {print count}' dig.out.ns3.test$n)
+test $count -eq 3 || ret=1
+
+awk='$4 == "RRSIG" && $5 == "DNSKEY" { printf "%05u\n", $11 }'
+id=$(awk "${awk}" dig.out.ns3.test$n)
+
+keyfile=$(printf "ns3/Kinacksk3.example.+%03u+%s" "${DEFAULT_ALGORITHM_NUMBER}" "${id}")
+$SETTIME -D now+5 "${keyfile}" > settime.out.test$n || ret=1
+($RNDCCMD 10.53.0.3 loadkeys inacksk3.example 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
+
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+#
+# Check that zone is initially signed with a ZSK and not a KSK.
+#
+echo_i "check that zone with active and inactive ZSK and active KSK is properly"
+echo_ic "resigned after the active ZSK is deleted - stage 1: Verify that zone"
+echo_ic "is initially signed with a ZSK and not a KSK. ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example > dig.out.ns3.test$n
+kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n |
+       $DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}' )
+grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 " dig.out.ns3.test$n > /dev/null || ret=1
+grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null && ret=1
+count=$(awk 'BEGIN { count = 0 }
+	    $4 == "RRSIG" && $5 == "CNAME" { count++ }
+	    END {print count}' dig.out.ns3.test$n)
+test $count -eq 1 || ret=1
+count=$(awk 'BEGIN { count = 0 }
+       $4 == "DNSKEY" { count++ }
+       END {print count}' dig.out.ns3.test$n)
+test $count -eq 3 || ret=1
+id=$(awk '$4 == "RRSIG" && $5 == "CNAME" { printf "%05u\n", $11 }' dig.out.ns3.test$n)
+
+keyfile=$(printf "ns3/Kinaczsk3.example.+%03u+%s" "${DEFAULT_ALGORITHM_NUMBER}" "${id}")
+$SETTIME -D now+5 "${keyfile}" > settime.out.test$n || ret=1
+($RNDCCMD 10.53.0.3 loadkeys inaczsk3.example 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking NSEC->NSEC3 conversion prerequisites ($n)"
+ret=0
+# these commands should result in an empty file:
+$DIG $DIGOPTS +noall +answer nsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.1.test$n || ret=1
+grep "NSEC3PARAM" dig.out.ns3.1.test$n > /dev/null && ret=1
+$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.2.test$n || ret=1
+grep "NSEC3PARAM" dig.out.ns3.2.test$n > /dev/null && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking NSEC3->NSEC conversion prerequisites ($n)"
+ret=0
+$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "converting zones from nsec to nsec3"
+$NSUPDATE > /dev/null 2>&1 <<END	|| status=1
+server 10.53.0.3 ${PORT}
+zone nsec3.nsec3.example.
+update add nsec3.nsec3.example. 3600 NSEC3PARAM 1 0 10 BEEF
+send
+zone optout.nsec3.example.
+update add optout.nsec3.example. 3600 NSEC3PARAM 1 1 10 BEEF
+send
+zone nsec3.example.
+update add nsec3.example. 3600 NSEC3PARAM 1 0 10 BEEF
+send
+zone autonsec3.example.
+update add autonsec3.example. 3600 NSEC3PARAM 1 0 20 DEAF
+send
+zone nsec3.optout.example.
+update add nsec3.optout.example. 3600 NSEC3PARAM 1 0 10 BEEF
+send
+zone optout.optout.example.
+update add optout.optout.example. 3600 NSEC3PARAM 1 1 10 BEEF
+send
+zone optout.example.
+update add optout.example. 3600 NSEC3PARAM 1 1 10 BEEF
+send
+END
+
+if $SHELL ../testcrypto.sh -q RSASHA1
+then
+    # try to convert nsec-only.example; this should fail due to
+    # non-NSEC3 compatible keys
+    echo_i "preset nsec3param in unsigned zone via nsupdate ($n)"
+    $NSUPDATE > nsupdate.out 2>&1 <<END
+server 10.53.0.3 ${PORT}
+zone nsec-only.example.
+update add nsec-only.example. 3600 NSEC3PARAM 1 0 10 BEEF
+send
+END
+fi
+
+echo_i "checking for nsec3param in unsigned zone ($n)"
+ret=0
+$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking for nsec3param signing record ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 signing -list autonsec3.example. > signing.out.test$n 2>&1
+grep "Pending NSEC3 chain 1 0 20 DEAF" signing.out.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "resetting nsec3param via rndc signing ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 signing -clear all autonsec3.example. > /dev/null 2>&1
+$RNDCCMD 10.53.0.3 signing -nsec3param 1 1 10 beef autonsec3.example. > /dev/null 2>&1
+for i in 0 1 2 3 4 5 6 7 8 9; do
+	ret=0
+	$RNDCCMD 10.53.0.3 signing -list autonsec3.example. > signing.out.test$n 2>&1
+	grep "Pending NSEC3 chain 1 1 10 BEEF" signing.out.test$n > /dev/null || ret=1
+	num=$(grep "Pending " signing.out.test$n | wc -l)
+	[ $num -eq 1 ] || ret=1
+	[ $ret -eq 0 ] && break
+	echo_i "waiting ... ($i)"
+	sleep 2
+done
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "signing preset nsec3 zone"
+zsk=$(cat autozsk.key)
+ksk=$(cat autoksk.key)
+$SETTIME -K ns3 -P now -A now $zsk > settime.out.test$n.zsk || ret=1
+$SETTIME -K ns3 -P now -A now $ksk > settime.out.test$n.ksk || ret=1
+($RNDCCMD 10.53.0.3 loadkeys autonsec3.example. 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
+
+echo_i "waiting for changes to take effect"
+sleep 3
+
+echo_i "converting zone from nsec3 to nsec"
+$NSUPDATE > /dev/null 2>&1 << END	|| status=1
+server 10.53.0.3 ${PORT}
+zone nsec3-to-nsec.example.
+update delete nsec3-to-nsec.example. NSEC3PARAM
+send
+END
+
+echo_i "waiting for change to take effect"
+sleep 3
+
+missing=$(keyfile_to_key_id "$(cat noksk-ksk.key)")
+echo_i "checking that expired RRSIGs from missing KSK $missing are not deleted ($n)"
+ret=0
+$JOURNALPRINT ns3/noksk.example.db.jnl | \
+   awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {error=1}} END {exit error}' id=$missing || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+missing=$(keyfile_to_key_id "$(cat nozsk-zsk.key)")
+ksk=$(keyfile_to_key_id "$(cat nozsk-ksk.key)")
+echo_i "checking that expired RRSIGs from missing ZSK $missing are replaced ($n)"
+ret=0
+$JOURNALPRINT ns3/nozsk.example.db.jnl | \
+   awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$missing || ret=1
+$JOURNALPRINT ns3/nozsk.example.db.jnl | \
+   awk '{if ($1 == "add" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$ksk || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+inactive=$(keyfile_to_key_id "$(cat inaczsk-zsk.key)")
+ksk=$(keyfile_to_key_id "$(cat inaczsk-ksk.key)")
+echo_i "checking that expired RRSIGs from inactive ZSK $inactive are replaced ($n)"
+ret=0
+$JOURNALPRINT ns3/inaczsk.example.db.jnl | \
+   awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$inactive || ret=1
+$JOURNALPRINT ns3/inaczsk.example.db.jnl | \
+   awk '{if ($1 == "add" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$ksk || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking that replaced RRSIGs are not logged (missing ZSK private key) ($n)"
+ret=0
+loglines=$(grep "Key nozsk.example/$DEFAULT_ALGORITHM/$missing .* retaining signatures" ns3/named.run | wc -l)
+[ "$loglines" -eq 0 ] || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking that replaced RRSIGs are not logged (inactive ZSK private key) ($n)"
+ret=0
+loglines=$(grep "Key inaczsk.example/$DEFAULT_ALGORITHM/$inactive .* retaining signatures" ns3/named.run | wc -l)
+[ "$loglines" -eq 0 ] || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+# Send rndc sync command to ns1, ns2 and ns3, to force the dynamically
+# signed zones to be dumped to their zone files
+echo_i "dumping zone files"
+($RNDCCMD 10.53.0.1 sync 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1
+($RNDCCMD 10.53.0.2 sync 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1
+($RNDCCMD 10.53.0.3 sync 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
+
+now="$(TZ=UTC date +%Y%m%d%H%M%S)"
+check_expiry() (
+	$DIG $DIGOPTS AXFR oldsigs.example @10.53.0.3 > dig.out.test$n
+	nearest_expiration="$(awk '$4 == "RRSIG" { print $9 }' < dig.out.test$n | sort -n | head -1)"
+	if [ "$nearest_expiration" -le "$now" ]; then
+		echo_i "failed: $nearest_expiration <= $now"
+		return 1
+	fi
+)
+
+echo_i "checking expired signatures were updated ($n)"
+retry 10 check_expiry || ret=1
+$DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+# Check jitter distribution.
+echo_i "checking expired signatures were jittered correctly ($n)"
+ret=0
+$DIG $DIGOPTS axfr oldsigs.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
+checkjitter dig.out.ns3.test$n || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking NSEC->NSEC3 conversion succeeded ($n)"
+ret=0
+$DIG $DIGOPTS nsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.ok.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.ok.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking direct NSEC3 autosigning succeeded ($n)"
+ret=0
+$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.ok.test$n || ret=1
+[ -s  dig.out.ns3.ok.test$n ] || ret=1
+grep "NSEC3PARAM" dig.out.ns3.ok.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking NSEC->NSEC3 conversion failed with NSEC-only key ($n)"
+ret=0
+if $SHELL ../testcrypto.sh -q RSASHA1
+then
+    grep "failed: REFUSED" nsupdate.out > /dev/null || ret=1
+else
+    echo_i "skip: RSASHA1 not supported"
+fi
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking NSEC3->NSEC conversion succeeded ($n)"
+ret=0
+# this command should result in an empty file:
+$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 > dig.out.ns3.nx.test$n || ret=1
+grep "NSEC3PARAM" dig.out.ns3.nx.test$n > /dev/null && ret=1
+$DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking NSEC3->NSEC conversion with 'rndc signing -nsec3param none' ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 signing -nsec3param none autonsec3.example. > /dev/null 2>&1
+# this command should result in an empty file:
+no_nsec3param() (
+ $DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.nx.test$n || return 1
+ grep "NSEC3PARAM" dig.out.ns3.nx.test$n > /dev/null && return 1
+ return 0
+)
+retry_quiet 10 no_nsec3param || ret=1
+$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking TTLs of imported DNSKEYs (no default) ($n)"
+ret=0
+$DIG $DIGOPTS +tcp +noall +answer dnskey ttl1.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
+[ -s dig.out.ns3.test$n ] || ret=1
+(awk 'BEGIN {r=0} $2 != 300 {r=1; print "found TTL " $2} END {exit r}' dig.out.ns3.test$n | cat_i) || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking TTLs of imported DNSKEYs (with default) ($n)"
+ret=0
+$DIG $DIGOPTS +tcp +noall +answer dnskey ttl2.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
+[ -s dig.out.ns3.test$n ] || ret=1
+(awk 'BEGIN {r=0} $2 != 60 {r=1; print "found TTL " $2} END {exit r}' dig.out.ns3.test$n | cat_i) || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking TTLs of imported DNSKEYs (mismatched) ($n)"
+ret=0
+$DIG $DIGOPTS +tcp +noall +answer dnskey ttl3.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
+[ -s dig.out.ns3.test$n ] || ret=1
+(awk 'BEGIN {r=0} $2 != 30 {r=1; print "found TTL " $2} END {exit r}' dig.out.ns3.test$n | cat_i) || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking TTLs of imported DNSKEYs (existing RRset) ($n)"
+ret=0
+$DIG $DIGOPTS +tcp +noall +answer dnskey ttl4.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
+[ -s dig.out.ns3.test$n ] || ret=1
+(awk 'BEGIN {r=0} $2 != 30 {r=1; print "found TTL " $2} END {exit r}' dig.out.ns3.test$n | cat_i) || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking positive validation NSEC ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS +noauth a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking positive validation NSEC3 ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.nsec3.example. \
+	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.nsec3.example. \
+	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking positive validation OPTOUT ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.optout.example. \
+	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.optout.example. \
+	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking negative validation NXDOMAIN NSEC ($n)"
+ret=0
+$DIG $DIGOPTS +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking negative validation NXDOMAIN NSEC3 ($n)"
+ret=0
+$DIG $DIGOPTS +noauth q.nsec3.example. \
+	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth q.nsec3.example. \
+	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking negative validation NXDOMAIN OPTOUT ($n)"
+ret=0
+$DIG $DIGOPTS +noauth q.optout.example. \
+	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth q.optout.example. \
+	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking negative validation NODATA NSEC ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS +noauth a.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking negative validation NODATA NSEC3 ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.nsec3.example. \
+	@10.53.0.3 txt > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.nsec3.example. \
+	@10.53.0.4 txt > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking negative validation NODATA OPTOUT ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.optout.example. \
+	@10.53.0.3 txt > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.optout.example. \
+	@10.53.0.4 txt > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+# Check the insecure.example domain
+
+echo_i "checking 1-server insecurity proof NSEC ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking 1-server negative insecurity proof NSEC ($n)"
+ret=0
+$DIG $DIGOPTS q.insecure.example. a @10.53.0.3 \
+	> dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS q.insecure.example. a @10.53.0.4 \
+	> dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+# Check the secure.example domain
+
+echo_i "checking multi-stage positive validation NSEC/NSEC ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.secure.example. \
+	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.secure.example. \
+	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking multi-stage positive validation NSEC/NSEC3 ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.nsec3.example. \
+	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.nsec3.example. \
+	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking multi-stage positive validation NSEC/OPTOUT ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.optout.example. \
+	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.optout.example. \
+	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking multi-stage positive validation NSEC3/NSEC ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.secure.nsec3.example. \
+	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.secure.nsec3.example. \
+	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking multi-stage positive validation NSEC3/NSEC3 ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.nsec3.nsec3.example. \
+	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.nsec3.nsec3.example. \
+	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking multi-stage positive validation NSEC3/OPTOUT ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.optout.nsec3.example. \
+	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.optout.nsec3.example. \
+	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking multi-stage positive validation OPTOUT/NSEC ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.secure.optout.example. \
+	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.secure.optout.example. \
+	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking multi-stage positive validation OPTOUT/NSEC3 ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.nsec3.optout.example. \
+	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.nsec3.optout.example. \
+	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking multi-stage positive validation OPTOUT/OPTOUT ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.optout.optout.example. \
+	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.optout.optout.example. \
+	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking empty NODATA OPTOUT ($n)"
+ret=0
+$DIG $DIGOPTS +noauth empty.optout.example. \
+	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth empty.optout.example. \
+	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+#grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+# Check the insecure.secure.example domain (insecurity proof)
+
+echo_i "checking 2-server insecurity proof ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.2 a \
+	> dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.4 a \
+	> dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+# Check a negative response in insecure.secure.example
+
+echo_i "checking 2-server insecurity proof with a negative answer ($n)"
+ret=0
+$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.2 a > dig.out.ns2.test$n \
+	|| ret=1
+$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.4 a > dig.out.ns4.test$n \
+	|| ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking security root query ($n)"
+ret=0
+$DIG $DIGOPTS . @10.53.0.4 key > dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking positive validation RSASHA256 NSEC ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking positive validation RSASHA512 NSEC ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking that positive validation in a privately secure zone works ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.2 \
+	> dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.4 \
+	> dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking that negative validation in a privately secure zone works ($n)"
+ret=0
+$DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.2 \
+	> dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.4 \
+	> dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking privately secure to nxdomain works ($n)"
+ret=0
+$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+# Try validating with a revoked trusted key.
+# This should fail.
+
+echo_i "checking that validation returns insecure due to revoked trusted key ($n)"
+ret=0
+$DIG $DIGOPTS example. soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "flags:.*; QUERY" dig.out.ns5.test$n > /dev/null || ret=1
+grep "flags:.* ad.*; QUERY" dig.out.ns5.test$n > /dev/null && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking that revoked key is present ($n)"
+ret=0
+id=$(cat rev.key)
+$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking that revoked key self-signs ($n)"
+ret=0
+id=$(cat rev.key)
+$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking for unpublished key ($n)"
+ret=0
+id=$(keyfile_to_key_id "$(cat unpub.key)")
+$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking for activated but unpublished key ($n)"
+ret=0
+id=$(keyfile_to_key_id "$(cat activate-now-publish-1day.key)")
+$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking that standby key does not sign records ($n)"
+ret=0
+id=$(keyfile_to_key_id "$(cat standby.key)")
+$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking that deactivated key does not sign records  ($n)"
+ret=0
+id=$(keyfile_to_key_id "$(cat inact.key)")
+$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking insertion of public-only key ($n)"
+ret=0
+id=$(keyfile_to_key_id "$(cat nopriv.key)")
+file="ns1/$(cat nopriv.key).key"
+keydata=$(grep DNSKEY $file)
+$NSUPDATE > /dev/null 2>&1 <<END	|| status=1
+server 10.53.0.1 ${PORT}
+zone .
+ttl 3600
+update add $keydata
+send
+END
+sleep 1
+$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking key deletion ($n)"
+ret=0
+id=$(keyfile_to_key_id "$(cat del.key)")
+$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking secure-to-insecure transition, nsupdate ($n)"
+ret=0
+$NSUPDATE > /dev/null 2>&1 <<END	|| status=1
+server 10.53.0.3 ${PORT}
+zone secure-to-insecure.example
+update delete secure-to-insecure.example dnskey
+send
+END
+for i in 0 1 2 3 4 5 6 7 8 9; do
+	ret=0
+	$DIG $DIGOPTS axfr secure-to-insecure.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
+	grep -E '(RRSIG|DNSKEY|NSEC)' dig.out.ns3.test$n > /dev/null && ret=1
+	[ $ret -eq 0 ] && break
+	echo_i "waiting ... ($i)"
+	sleep 2
+done
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking secure-to-insecure transition, scheduled ($n)"
+ret=0
+file="ns3/$(cat del1.key).key"
+$SETTIME -I now -D now $file > settime.out.test$n.1 || ret=1
+file="ns3/$(cat del2.key).key"
+$SETTIME -I now -D now $file > settime.out.test$n.2 || ret=1
+($RNDCCMD 10.53.0.3 sign secure-to-insecure2.example. 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
+for i in 0 1 2 3 4 5 6 7 8 9; do
+	ret=0
+	$DIG $DIGOPTS axfr secure-to-insecure2.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
+	grep -E '(RRSIG|DNSKEY|NSEC3)' dig.out.ns3.test$n > /dev/null && ret=1
+	[ $ret -eq 0 ] && break
+	echo_i "waiting ... ($i)"
+	sleep 2
+done
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking jitter in a newly signed NSEC3 zone ($n)"
+ret=0
+# Use DNS UPDATE to add an NSEC3PARAM record into the zone.
+$NSUPDATE > nsupdate.out.test$n 2>&1 <<END || ret=1
+server 10.53.0.3 ${PORT}
+zone jitter.nsec3.example.
+update add jitter.nsec3.example. 3600 NSEC3PARAM 1 0 10 BEEF
+send
+END
+[ $ret != 0 ] && echo_i "error: dynamic update add NSEC3PARAM failed"
+# Create DNSSEC keys in the zone directory.
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -K ns3 jitter.nsec3.example > /dev/null
+# Trigger zone signing.
+($RNDCCMD 10.53.0.3 sign jitter.nsec3.example. 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
+# Wait until zone has been signed.
+check_if_nsec3param_exists() {
+	$DIG $DIGOPTS NSEC3PARAM jitter.nsec3.example @10.53.0.3 > dig.out.ns3.1.test$n || return 1
+	grep -q "^jitter\.nsec3\.example\..*NSEC3PARAM" dig.out.ns3.1.test$n || return 1
+}
+retry_quiet 40 check_if_nsec3param_exists || {
+	echo_i "error: NSEC3PARAM not present yet"
+	ret=1
+}
+$DIG $DIGOPTS AXFR jitter.nsec3.example @10.53.0.3 > dig.out.ns3.2.test$n || ret=1
+# Check jitter distribution.
+checkjitter dig.out.ns3.2.test$n || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking that serial number and RRSIGs are both updated (rt21045) ($n)"
+ret=0
+oldserial=$($DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '$0 !~ /SOA/ {print $3}')
+oldinception=$($DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '/SOA/ {print $6}' | sort -u)
+
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -K ns3 -P 0 -A +6d -I +38d -D +45d prepub.example > /dev/null
+
+($RNDCCMD 10.53.0.3 sign prepub.example 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1
+newserial=$oldserial
+try=0
+while [ $oldserial -eq $newserial -a $try -lt 42 ]
+do
+	newserial=$($DIG $DIGOPTS +short soa prepub.example @10.53.0.3 |
+		 awk '$0 !~ /SOA/ {print $3}')
+	sleep 1
+	try=$((try + 1))
+done
+newinception=$($DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '/SOA/ {print $6}' | sort -u)
+#echo "$oldserial : $newserial"
+#echo "$oldinception : $newinception"
+
+[ "$oldserial" = "$newserial" ] && ret=1
+[ "$oldinception" = "$newinception" ] && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "preparing to test key change corner cases"
+echo_i "removing a private key file"
+file="ns1/$(cat vanishing.key).private"
+rm -f $file
+
+echo_i "preparing ZSK roll"
+starttime=$($PERL -e 'print time(), "\n";')
+oldfile=$(cat active.key)
+oldid=$(keyfile_to_key_id "$(cat active.key)")
+newfile=$(cat standby.key)
+newid=$(keyfile_to_key_id "$(cat standby.key)")
+$SETTIME -K ns1 -I now+2s -D now+25 $oldfile > settime.out.test$n.1 || ret=1
+$SETTIME -K ns1 -i 0 -S $oldfile $newfile > settime.out.test$n.2 || ret=1
+
+# note previous zone serial number
+oldserial=$($DIG $DIGOPTS +short soa . @10.53.0.1 | awk '{print $3}')
+
+($RNDCCMD 10.53.0.1 loadkeys . 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1
+sleep 4
+
+echo_i "revoking key to duplicated key ID"
+$SETTIME -R now -K ns2 Kbar.+013+59973.key > settime.out.test$n.3 || ret=1
+
+($RNDCCMD 10.53.0.2 loadkeys bar. 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1
+
+echo_i "waiting for changes to take effect"
+sleep 5
+
+echo_i "checking former standby key $newid is now active ($n)"
+ret=0
+$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking former standby key has only signed incrementally ($n)"
+ret=0
+$DIG $DIGOPTS txt . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
+grep 'RRSIG.*'" $oldid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking that signing records have been marked as complete ($n)"
+ret=0
+checkprivate . 10.53.0.1 || ret=1
+checkprivate bar 10.53.0.2 || ret=1
+checkprivate example 10.53.0.2 || ret=1
+checkprivate private.secure.example 10.53.0.3 || ret=1
+checkprivate nsec3.example 10.53.0.3 || ret=1
+checkprivate nsec3.nsec3.example 10.53.0.3 || ret=1
+checkprivate nsec3.optout.example 10.53.0.3 || ret=1
+checkprivate nsec3-to-nsec.example 10.53.0.3 || ret=1
+if $SHELL ../testcrypto.sh -q RSASHA1
+then
+    checkprivate nsec-only.example 10.53.0.3 || ret=1
+fi
+checkprivate oldsigs.example 10.53.0.3 || ret=1
+checkprivate optout.example 10.53.0.3 || ret=1
+checkprivate optout.nsec3.example 10.53.0.3 || ret=1
+checkprivate optout.optout.example 10.53.0.3 || ret=1
+checkprivate prepub.example 10.53.0.3 1 || ret=1
+checkprivate rsasha256.example 10.53.0.3 || ret=1
+checkprivate rsasha512.example 10.53.0.3 || ret=1
+checkprivate secure.example 10.53.0.3 || ret=1
+checkprivate secure.nsec3.example 10.53.0.3 || ret=1
+checkprivate secure.optout.example 10.53.0.3 || ret=1
+checkprivate secure-to-insecure2.example 10.53.0.3 || ret=1
+checkprivate secure-to-insecure.example 10.53.0.3 || ret=1
+checkprivate ttl1.example 10.53.0.3 || ret=1
+checkprivate ttl2.example 10.53.0.3 || ret=1
+checkprivate ttl3.example 10.53.0.3 || ret=1
+checkprivate ttl4.example 10.53.0.3 || ret=1
+n=$((n + 1))
+status=$((status + ret))
+
+echo_i "forcing full sign"
+($RNDCCMD 10.53.0.1 sign . 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1
+
+echo_i "waiting for change to take effect"
+sleep 5
+
+echo_i "checking former standby key has now signed fully ($n)"
+ret=0
+$DIG $DIGOPTS txt . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking SOA serial number has been incremented ($n)"
+ret=0
+newserial=$($DIG $DIGOPTS +short soa . @10.53.0.1 | awk '{print $3}')
+[ "$newserial" != "$oldserial" ] || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking delayed key publication/activation ($n)"
+ret=0
+zsk=$(cat delayzsk.key)
+ksk=$(cat delayksk.key)
+# publication and activation times should be unset
+$SETTIME -K ns3 -pA -pP $zsk > settime.out.test$n.zsk || ret=1
+grep -v UNSET settime.out.test$n.zsk >/dev/null && ret=1
+$SETTIME -K ns3 -pA -pP $ksk > settime.out.test$n.ksk || ret=1
+grep -v UNSET settime.out.test$n.ksk >/dev/null && ret=1
+$DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
+# DNSKEY not expected:
+awk 'BEGIN {r=1} $4=="DNSKEY" {r=0} END {exit r}' dig.out.ns3.test$n && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking scheduled key publication, not activation ($n)"
+ret=0
+# Ensure initial zone is loaded.
+wait_for_notifies "delay.example" "ns3" || ret=1
+$SETTIME -K ns3 -P now+3s -A none $zsk > settime.out.test$n.zsk || ret=1
+$SETTIME -K ns3 -P now+3s -A none $ksk > settime.out.test$n.ksk || ret=1
+($RNDCCMD 10.53.0.3 loadkeys delay.example. 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1
+echo_i "waiting for changes to take effect"
+sleep 3
+wait_for_notifies "delay.example" "ns3" || ret=1
+
+$DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
+# DNSKEY expected:
+awk 'BEGIN {r=1} $4=="DNSKEY" {r=0} END {exit r}' dig.out.ns3.test$n || ret=1
+# RRSIG not expected:
+awk 'BEGIN {r=1} $4=="RRSIG" {r=0} END {exit r}' dig.out.ns3.test$n && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking scheduled key activation ($n)"
+ret=0
+$SETTIME -K ns3 -A now+3s $zsk > settime.out.test$n.zsk || ret=1
+$SETTIME -K ns3 -A now+3s $ksk > settime.out.test$n.ksk || ret=1
+($RNDCCMD 10.53.0.3 loadkeys delay.example. 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1
+echo_i "waiting for changes to take effect"
+sleep 3
+wait_for_log 10 "add delay\.example\..*NSEC.a\.delay\.example\. NS SOA RRSIG NSEC DNSKEY" ns3/named.run
+check_is_signed() {
+  $DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.1.test$n || return 1
+  # DNSKEY expected:
+  awk 'BEGIN {r=1} $4=="DNSKEY" {r=0} END {exit r}' dig.out.ns3.1.test$n || return 1
+  # RRSIG expected:
+  awk 'BEGIN {r=1} $4=="RRSIG" {r=0} END {exit r}' dig.out.ns3.1.test$n || return 1
+  $DIG $DIGOPTS +noall +answer a a.delay.example. @10.53.0.3 > dig.out.ns3.2.test$n || return 1
+  # A expected:
+  awk 'BEGIN {r=1} $4=="A" {r=0} END {exit r}' dig.out.ns3.2.test$n || return 1
+  # RRSIG expected:
+  awk 'BEGIN {r=1} $4=="RRSIG" {r=0} END {exit r}' dig.out.ns3.2.test$n || return 1
+  return 0
+}
+retry_quiet 5 check_is_signed || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking former active key was removed ($n)"
+#
+# Work out how long we need to sleep. Allow 4 seconds for the records
+# to be removed.
+#
+now=$($PERL -e 'print time(), "\n";')
+sleep=$((starttime + 29 - now))
+case $sleep in
+-*|0);;
+*) echo_i "waiting for timer to have activated"; sleep $sleep;;
+esac
+ret=0
+$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep '; key id = '"$oldid"'$' dig.out.ns1.test$n > /dev/null && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking private key file removal caused no immediate harm ($n)"
+ret=0
+id=$(keyfile_to_key_id "$(cat vanishing.key)")
+$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking revoked key with duplicate key ID ($n)"
+ret=0
+id=59973
+rid=60101
+$DIG $DIGOPTS +multi dnskey bar @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep '; key id = '"$id"'$' dig.out.ns2.test$n > /dev/null && ret=1
+keys=$(grep '; key id = '"$rid"'$' dig.out.ns2.test$n | wc -l)
+test $keys -eq 2 || ret=1
+$DIG $DIGOPTS dnskey bar @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking key event timers are always set ($n)"
+ret=0
+# this is a regression test for a bug in which the next key event could
+# be scheduled for the present moment, and then never fire.  check for
+# visible evidence of this error in the logs:
+awk '/next key event/ {if ($1 == $8 && $2 == $9) exit 1}' */named.run || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+# this confirms that key events are never scheduled more than
+# 'dnssec-loadkeys-interval' minutes in the future, and that the
+# event scheduled is within 10 seconds of expected interval.
+check_interval () {
+        awk '/next key event/ {print $2 ":" $9}' $1/named.run |
+	sed -e 's/\.//g' -e 's/:0\{1,4\}/:/g' |
+            awk -F: '
+                     {
+                       x = ($6+ $5*60000 + $4*3600000) - ($3+ $2*60000 + $1*3600000);
+		       # abs(x) < 1000 ms treat as 'now'
+		       if (x < 1000 && x > -1000)
+                         x = 0;
+		       # convert to seconds
+		       x = x/1000;
+		       # handle end of day roll over
+		       if (x < 0)
+			 x = x + 24*3600;
+		       # handle log timestamp being a few milliseconds later
+                       if (x != int(x))
+                         x = int(x + 1);
+                       if (int(x) > int(interval))
+                         exit (1);
+                     }
+                     END { if (int(x) > int(interval) || int(x) < int(interval-10)) exit(1) }' interval=$2
+        return $?
+}
+
+echo_i "checking automatic key reloading interval ($n)"
+ret=0
+check_interval ns1 3600 || ret=1
+check_interval ns2 1800 || ret=1
+check_interval ns3 600 || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking for key reloading loops ($n)"
+ret=0
+# every key event should schedule a successor, so these should be equal
+rekey_calls=$(grep "reconfiguring zone keys" ns*/named.run | wc -l)
+rekey_events=$(grep "next key event" ns*/named.run | wc -l)
+[ "$rekey_calls" = "$rekey_events" ] || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "forcing full sign with unreadable keys ($n)"
+ret=0
+chmod 0 ns1/K.+*+*.key ns1/K.+*+*.private || ret=1
+($RNDCCMD 10.53.0.1 sign . 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1
+$DIG $DIGOPTS . @10.53.0.1 dnskey > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "test turning on auto-dnssec during reconfig ($n)"
+ret=0
+# first create a zone that doesn't have auto-dnssec
+($RNDCCMD 10.53.0.3 addzone reconf.example '{ type primary; file "reconf.example.db"; };' 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
+rekey_calls=$(grep "zone reconf.example.*next key event" ns3/named.run | wc -l)
+[ "$rekey_calls" -eq 0 ] || ret=1
+# ...then we add auto-dnssec and reconfigure
+($RNDCCMD 10.53.0.3 modzone reconf.example '{ type primary; file "reconf.example.db"; allow-update { any; }; auto-dnssec maintain; };' 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
+rndc_reconfig ns3 10.53.0.3
+for i in 0 1 2 3 4 5 6 7 8 9; do
+    lret=0
+    rekey_calls=$(grep "zone reconf.example.*next key event" ns3/named.run | wc -l)
+    [ "$rekey_calls" -gt 0 ] || lret=1
+    if [ "$lret" -eq 0 ]; then break; fi
+    echo_i "waiting ... ($i)"
+    sleep 1
+done
+n=$((n + 1))
+if [ "$lret" != 0 ]; then ret=$lret; fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "test CDS and CDNSKEY auto generation ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 sync.example cds > dig.out.ns3.cdstest$n
+$DIG $DIGOPTS @10.53.0.3 sync.example cdnskey > dig.out.ns3.cdnskeytest$n
+grep -i "sync.example.*in.cds.*[1-9][0-9]* " dig.out.ns3.cdstest$n > /dev/null || ret=1
+grep -i "sync.example.*in.cdnskey.*257 " dig.out.ns3.cdnskeytest$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "test 'dnssec-dnskey-kskonly no' affects DNSKEY/CDS/CDNSKEY ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 sync.example dnskey > dig.out.ns3.dnskeytest$n
+$DIG $DIGOPTS @10.53.0.3 sync.example cdnskey > dig.out.ns3.cdnskeytest$n
+$DIG $DIGOPTS @10.53.0.3 sync.example cds > dig.out.ns3.cdstest$n
+lines=$(awk '$4 == "RRSIG" && $5 == "DNSKEY" {print}' dig.out.ns3.dnskeytest$n | wc -l)
+test ${lines:-0} -eq 2 || ret=1
+lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.ns3.cdnskeytest$n | wc -l)
+test ${lines:-0} -eq 2 || ret=1
+lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.ns3.cdstest$n | wc -l)
+test ${lines:-0} -eq 2 || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "test 'dnssec-dnskey-kskonly yes' affects DNSKEY/CDS/CDNSKEY ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 kskonly.example dnskey > dig.out.ns3.dnskeytest$n
+$DIG $DIGOPTS @10.53.0.3 kskonly.example cdnskey > dig.out.ns3.cdnskeytest$n
+$DIG $DIGOPTS @10.53.0.3 kskonly.example cds > dig.out.ns3.cdstest$n
+lines=$(awk '$4 == "RRSIG" && $5 == "DNSKEY" {print}' dig.out.ns3.dnskeytest$n | wc -l)
+test ${lines:-0} -eq 1 || ret=1
+lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.ns3.cdnskeytest$n | wc -l)
+test ${lines:-0} -eq 1 || ret=1
+lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.ns3.cdstest$n | wc -l)
+test ${lines:-0} -eq 1 || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "setting CDS and CDNSKEY deletion times and calling 'rndc loadkeys'"
+$SETTIME -D sync now $(cat sync.key) > settime.out.test$n || ret=1
+($RNDCCMD 10.53.0.3 loadkeys sync.example | sed 's/^/ns3 /' | cat_i) || ret=1
+
+echo_i "checking that the CDS and CDNSKEY are deleted ($n)"
+ret=0
+ensure_cds_and_cdnskey_are_deleted() {
+	$DIG $DIGOPTS @10.53.0.3 sync.example. CDS > dig.out.ns3.cdstest$n || return 1
+	awk '$1 == "sync.example." && $4 == "CDS" { exit 1; }' dig.out.ns3.cdstest$n || return 1
+	$DIG $DIGOPTS @10.53.0.3 sync.example. CDNSKEY > dig.out.ns3.cdnskeytest$n || return 1
+	awk '$1 == "sync.example." && $4 == "CDNSKEY" { exit 1; }' dig.out.ns3.cdnskeytest$n || return 1
+}
+retry 10 ensure_cds_and_cdnskey_are_deleted || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "check that dnssec-settime -p Dsync works ($n)"
+ret=0
+$SETTIME -p Dsync $(cat sync.key) > settime.out.test$n || ret=1
+grep "SYNC Delete:" settime.out.test$n >/dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "check that dnssec-settime -p Psync works ($n)"
+ret=0
+$SETTIME -p Psync $(cat sync.key) > settime.out.test$n || ret=1
+grep "SYNC Publish:" settime.out.test$n >/dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "check that zone with inactive KSK and active ZSK is properly autosigned ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 axfr inacksk2.example > dig.out.ns3.test$n
+
+zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n |
+       $DSFROMKEY -A -2 -f - inacksk2.example | awk '{ print $4}' )
+pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${zskid} "
+grep "${pattern}" dig.out.ns3.test$n > /dev/null || ret=1
+
+kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n |
+       $DSFROMKEY -2 -f - inacksk2.example | awk '{ print $4}' )
+pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${kskid} "
+grep "${pattern}" dig.out.ns3.test$n > /dev/null && ret=1
+
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "check that zone with inactive ZSK and active KSK is properly autosigned ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 axfr inaczsk2.example > dig.out.ns3.test$n
+grep "SOA ${DEFAULT_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+#
+# Check that DNSKEY is now signed with the ZSK.
+#
+echo_i "check that zone with active and inactive KSK and active ZSK is properly"
+echo_ic "resigned after the active KSK is deleted - stage 2: Verify that DNSKEY"
+echo_ic "is now signed with the ZSK. ($n)"
+ret=0
+
+$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example > dig.out.ns3.test$n
+
+zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n |
+       $DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}' )
+pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${zskid} "
+grep "${pattern}" dig.out.ns3.test$n > /dev/null || ret=1
+
+count=$(awk 'BEGIN { count = 0 }
+       $4 == "RRSIG" && $5 == "DNSKEY" { count++ }
+       END {print count}' dig.out.ns3.test$n)
+test $count -eq 1 || ret=1
+
+count=$(awk 'BEGIN { count = 0 }
+       $4 == "DNSKEY" { count++ }
+       END {print count}' dig.out.ns3.test$n)
+test $count -eq 2 || ret=1
+
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+#
+# Check that zone is now signed with the KSK.
+#
+echo_i "check that zone with active and inactive ZSK and active KSK is properly"
+echo_ic "resigned after the active ZSK is deleted - stage 2: Verify that zone"
+echo_ic "is now signed with the KSK. ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example > dig.out.ns3.test$n
+kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n |
+       $DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}' )
+grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null || ret=1
+count=$(awk 'BEGIN { count = 0 }
+       $4 == "RRSIG" && $5 == "CNAME" { count++ }
+       END {print count}' dig.out.ns3.test$n)
+test $count -eq 1 || ret=1
+count=$(awk 'BEGIN { count = 0 }
+       $4 == "DNSKEY" { count++ }
+       END {print count}' dig.out.ns3.test$n)
+test $count -eq 2 || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking for out-of-zone NSEC3 records after ZSK removal ($n)"
+ret=0
+# Switch the zone over to NSEC3 and wait until the transition is complete.
+$RNDCCMD 10.53.0.3 signing -nsec3param 1 1 10 12345678 delzsk.example. > signing.out.1.test$n 2>&1 || ret=1
+for i in 0 1 2 3 4 5 6 7 8 9; do
+	_ret=1
+	$DIG $DIGOPTS delzsk.example NSEC3PARAM @10.53.0.3 > dig.out.ns3.1.test$n 2>&1 || ret=1
+	grep "NSEC3PARAM.*12345678" dig.out.ns3.1.test$n > /dev/null 2>&1
+	if [ $? -eq 0 ]; then
+		$RNDCCMD 10.53.0.3 signing -list delzsk.example > signing.out.2.test$n 2>&1
+		grep "Creating NSEC3 chain " signing.out.2.test$n > /dev/null 2>&1
+		if [ $? -ne 0 ]; then
+			_ret=0
+			break
+		fi
+	fi
+	sleep 1
+done
+if [ $_ret -ne 0 ]; then
+	echo_i "timed out waiting for NSEC3 chain creation"
+	ret=1
+fi
+# Mark the inactive ZSK as pending removal.
+file="ns3/$(cat delzsk.key).key"
+$SETTIME -D now-1h $file > settime.out.test$n || ret=1
+# Trigger removal of the inactive ZSK and wait until its completion.
+($RNDCCMD 10.53.0.3 loadkeys delzsk.example 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
+for i in 0 1 2 3 4 5 6 7 8 9; do
+	_ret=1
+	$RNDCCMD 10.53.0.3 signing -list delzsk.example > signing.out.3.test$n 2>&1
+	grep "Signing " signing.out.3.test$n > /dev/null 2>&1
+	if [ $? -ne 0 ]; then
+		if [ $(grep "Done signing " signing.out.3.test$n | wc -l) -eq 2 ]; then
+			_ret=0
+			break
+		fi
+	fi
+	sleep 1
+done
+if [ $_ret -ne 0 ]; then
+	echo_i "timed out waiting for key removal"
+	ret=1
+fi
+# Check whether key removal caused NSEC3 records to be erroneously created for
+# glue records due to a secure delegation already being signed by the active key
+# (i.e. a key other than the one being removed but using the same algorithm).
+#
+# For reference:
+#
+#     $ nsec3hash 12345678 1 10 ns.sub.delzsk.example.
+#     589R358VSPJUFVAJU949JPVF74D9PTGH (salt=12345678, hash=1, iterations=10)
+#
+$DIG $DIGOPTS delzsk.example AXFR @10.53.0.3 > dig.out.ns3.3.test$n || ret=1
+grep "589R358VSPJUFVAJU949JPVF74D9PTGH" dig.out.ns3.3.test$n > /dev/null 2>&1 && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "check that DNAME at apex with NSEC3 is correctly signed (auto-dnssec maintain) ($n)"
+ret=0
+$DIG $DIGOPTS txt dname-at-apex-nsec3.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "RRSIG NSEC3 ${DEFAULT_ALGORITHM_NUMBER} 3 600" dig.out.ns3.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking that DNAME is not treated as a delegation when signing ($n)"
+ret=0
+$DIG $DIGOPTS dname-and-txt.secure.example. DNAME @10.53.0.3 > dig.out.ns3.1.test$n || ret=1
+grep "dname-and-txt.secure.example.*RRSIG.*DNAME" dig.out.ns3.1.test$n > /dev/null 2>&1 || ret=1
+$DIG $DIGOPTS dname-and-txt.secure.example. TXT @10.53.0.3 > dig.out.ns3.2.test$n || ret=1
+grep "dname-and-txt.secure.example.*RRSIG.*TXT" dig.out.ns3.2.test$n > /dev/null 2>&1 || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking key maintenance events were logged correctly ($n)"
+ret=0
+pub=$(grep "DNSKEY .* is now published" ns1/named.run | wc -l)
+[ "$pub" -eq 6 ] || ret=1
+act=$(grep "DNSKEY .* is now active" ns1/named.run | wc -l)
+[ "$act" -eq 5 ] || ret=1
+rev=$(grep "DNSKEY .* is now revoked" ns1/named.run | wc -l)
+[ "$rev" -eq 1 ] || ret=1
+inac=$(grep "DNSKEY .* is now inactive" ns1/named.run | wc -l)
+[ "$inac" -eq 1 ] || ret=1
+del=$(grep "DNSKEY .* is now deleted" ns1/named.run | wc -l)
+[ "$del" -eq 1 ] || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking that CDS (DELETE) persists after zone sign ($n)"
+echo_i "update add cds-delete.example. CDS 0 0 00"
+ret=0
+$NSUPDATE > nsupdate.out 2>&1 <<END
+server 10.53.0.3 ${PORT}
+zone cds-delete.example.
+update add cds-delete.example. 3600 CDS 0 0 0 00
+send
+END
+
+_cds_delete() (
+	$DIG $DIGOPTS +noall +answer $1 cds @10.53.0.3 > dig.out.ns3.test$n || return 1
+	grep "CDS.*0.*0.*0.*00" dig.out.ns3.test$n > /dev/null 2>&1 || return 1
+	return 0
+)
+_cdnskey_delete_nx() {
+	$DIG $DIGOPTS +noall +answer $1 cdnskey @10.53.0.3 > dig.out.ns3.test$n || return 1
+	grep "CDNSKEY.*0.*3.*0.*AA==" dig.out.ns3.test$n > /dev/null 2>&1 && return 1
+	return 0
+}
+
+echo_i "query cds-delete.example. CDS"
+retry_quiet 10 _cds_delete cds-delete.example. || ret=1
+echo_i "query cds-delete.example. CDNSKEY"
+retry_quiet 1 _cdnskey_delete_nx cds-delete.example. || ret=1
+
+echo_i "sign cds-delete.example."
+nextpart ns3/named.run >/dev/null
+$RNDCCMD 10.53.0.3 sign cds-delete.example > /dev/null 2>&1 || ret=1
+wait_for_log 10 "zone cds-delete.example/IN: next key event" ns3/named.run
+# The CDS (DELETE) record should still be here.
+echo_i "query cds-delete.example. CDS"
+retry_quiet 1 _cds_delete cds-delete.example. || ret=1
+# The CDNSKEY (DELETE) record should still not be added.
+echo_i "query cds-delete.example. CDNSKEY"
+retry_quiet 1 _cdnskey_delete_nx cds-delete.example. || ret=1
+
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking that CDNSKEY (DELETE) persists after zone sign ($n)"
+echo_i "update add cdnskey-delete.example. CDNSKEY 0 3 0 AA=="
+ret=0
+$NSUPDATE > nsupdate.out 2>&1 <<END
+server 10.53.0.3 ${PORT}
+zone cdnskey-delete.example.
+update add cdnskey-delete.example. 3600 CDNSKEY 0 3 0 AA==
+send
+END
+
+_cds_delete_nx() (
+	$DIG $DIGOPTS +noall +answer $1 cds @10.53.0.3 > dig.out.ns3.test$n || return 1
+	grep "CDS.*0.*0.*0.*00" dig.out.ns3.test$n > /dev/null 2>&1 && return 1
+	return 0
+)
+_cdnskey_delete() {
+	$DIG $DIGOPTS +noall +answer $1 cdnskey @10.53.0.3 > dig.out.ns3.test$n || return 1
+	grep "CDNSKEY.*0.*3.*0.*AA==" dig.out.ns3.test$n > /dev/null 2>&1 || return 1
+	return 0
+}
+
+echo_i "query cdnskey-delete.example. CDNSKEY"
+retry_quiet 10 _cdnskey_delete cdnskey-delete.example. || ret=1
+echo_i "query cdnskey-delete.example. CDS"
+retry_quiet 1 _cds_delete_nx cdnskey-delete.example. || ret=1
+
+echo_i "sign cdsnskey-delete.example."
+nextpart ns3/named.run >/dev/null
+$RNDCCMD 10.53.0.3 sign cdnskey-delete.example > /dev/null 2>&1 || ret=1
+wait_for_log 10 "zone cdnskey-delete.example/IN: next key event" ns3/named.run
+# The CDNSKEY (DELETE) record should still be here.
+echo_i "query cdnskey-delete.example. CDNSKEY"
+retry_quiet 1 _cdnskey_delete cdnskey-delete.example. || ret=1
+# The CDS (DELETE) record should still not be added.
+echo_i "query cdnskey-delete.example. CDS"
+retry_quiet 1 _cds_delete_nx cdnskey-delete.example. || ret=1
+
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "check removal of ENT NSEC3 records when opt out delegations are removed ($n)"
+ret=0
+zone=optout-with-ent
+hash=JTR8R6AVFULU0DQH9I6HNN2KUK5956EL
+# check that NSEC3 for ENT is present
+$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.pre.ns2.test$n
+grep "status: NOERROR" dig.out.pre.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 0, AUTHORITY: 4, " dig.out.pre.ns2.test$n > /dev/null || ret=1
+grep "^${hash}.${zone}." dig.out.pre.ns2.test$n > /dev/null || ret=1
+# remove first delegation of two delegations, NSEC3 for ENT should remain.
+(
+echo zone $zone
+echo server 10.53.0.2 "$PORT"
+echo update del sub1.ent.$zone NS
+echo send
+) | $NSUPDATE
+# check that NSEC3 for ENT is still present
+$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.pre.ns2.test$n
+$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.mid.ns2.test$n
+grep "status: NOERROR" dig.out.mid.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 0, AUTHORITY: 4, " dig.out.mid.ns2.test$n > /dev/null || ret=1
+grep "^${hash}.${zone}." dig.out.mid.ns2.test$n > /dev/null || ret=1
+# remove second delegation of two delegations, NSEC3 for ENT should be deleted.
+(
+echo zone $zone
+echo server 10.53.0.2 "$PORT"
+echo update del sub2.ent.$zone NS
+echo send
+) | $NSUPDATE
+# check that NSEC3 for ENT is gone present
+$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.post.ns2.test$n
+grep "status: NXDOMAIN" dig.out.post.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 0, AUTHORITY: 4, " dig.out.post.ns2.test$n > /dev/null || ret=1
+grep "^${hash}.${zone}." dig.out.post.ns2.test$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 axfr "${zone}" > dig.out.axfr.ns2.test$n
+grep "^${hash}.${zone}." dig.out.axfr.ns2.test$n > /dev/null && ret=1
+n=$((n+1))
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/builtin/clean.sh b/bin/tests/system/builtin/clean.sh
new file mode 100644
index 0000000..1ad33dc
--- /dev/null
+++ b/bin/tests/system/builtin/clean.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f ns?/named.run
+rm -f ns?/named.memstats
+rm -f ns?/named.conf
+rm -f rndc.status.ns*
+rm -f dig.out.ns*
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/builtin/ns1/named.conf.in b/bin/tests/system/builtin/ns1/named.conf.in
new file mode 100644
index 0000000..fd6569d
--- /dev/null
+++ b/bin/tests/system/builtin/ns1/named.conf.in
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify no;
+};
diff --git a/bin/tests/system/builtin/ns2/named.conf.in b/bin/tests/system/builtin/ns2/named.conf.in
new file mode 100644
index 0000000..3275b06
--- /dev/null
+++ b/bin/tests/system/builtin/ns2/named.conf.in
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify no;
+	server-id hostname;
+};
diff --git a/bin/tests/system/builtin/ns3/named.conf.in b/bin/tests/system/builtin/ns3/named.conf.in
new file mode 100644
index 0000000..acde3a5
--- /dev/null
+++ b/bin/tests/system/builtin/ns3/named.conf.in
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify no;
+	hostname "this.is.a.test.of.hostname";
+	server-id "this.is.a.test.of.server-id";
+	version "this is a test of version";
+};
diff --git a/bin/tests/system/builtin/setup.sh b/bin/tests/system/builtin/setup.sh
new file mode 100644
index 0000000..57e0575
--- /dev/null
+++ b/bin/tests/system/builtin/setup.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
diff --git a/bin/tests/system/builtin/tests.sh b/bin/tests/system/builtin/tests.sh
new file mode 100644
index 0000000..416b792
--- /dev/null
+++ b/bin/tests/system/builtin/tests.sh
@@ -0,0 +1,247 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="-p ${PORT}"
+RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
+
+status=0
+n=0
+
+emptyzones="
+10.IN-ADDR.ARPA
+16.172.IN-ADDR.ARPA
+17.172.IN-ADDR.ARPA
+18.172.IN-ADDR.ARPA
+19.172.IN-ADDR.ARPA
+20.172.IN-ADDR.ARPA
+21.172.IN-ADDR.ARPA
+22.172.IN-ADDR.ARPA
+23.172.IN-ADDR.ARPA
+24.172.IN-ADDR.ARPA
+25.172.IN-ADDR.ARPA
+26.172.IN-ADDR.ARPA
+27.172.IN-ADDR.ARPA
+28.172.IN-ADDR.ARPA
+29.172.IN-ADDR.ARPA
+30.172.IN-ADDR.ARPA
+31.172.IN-ADDR.ARPA
+168.192.IN-ADDR.ARPA
+64.100.IN-ADDR.ARPA
+65.100.IN-ADDR.ARPA
+66.100.IN-ADDR.ARPA
+67.100.IN-ADDR.ARPA
+68.100.IN-ADDR.ARPA
+69.100.IN-ADDR.ARPA
+70.100.IN-ADDR.ARPA
+71.100.IN-ADDR.ARPA
+72.100.IN-ADDR.ARPA
+73.100.IN-ADDR.ARPA
+74.100.IN-ADDR.ARPA
+75.100.IN-ADDR.ARPA
+76.100.IN-ADDR.ARPA
+77.100.IN-ADDR.ARPA
+78.100.IN-ADDR.ARPA
+79.100.IN-ADDR.ARPA
+80.100.IN-ADDR.ARPA
+81.100.IN-ADDR.ARPA
+82.100.IN-ADDR.ARPA
+83.100.IN-ADDR.ARPA
+84.100.IN-ADDR.ARPA
+85.100.IN-ADDR.ARPA
+86.100.IN-ADDR.ARPA
+87.100.IN-ADDR.ARPA
+88.100.IN-ADDR.ARPA
+89.100.IN-ADDR.ARPA
+90.100.IN-ADDR.ARPA
+91.100.IN-ADDR.ARPA
+92.100.IN-ADDR.ARPA
+93.100.IN-ADDR.ARPA
+94.100.IN-ADDR.ARPA
+95.100.IN-ADDR.ARPA
+96.100.IN-ADDR.ARPA
+97.100.IN-ADDR.ARPA
+98.100.IN-ADDR.ARPA
+99.100.IN-ADDR.ARPA
+100.100.IN-ADDR.ARPA
+101.100.IN-ADDR.ARPA
+102.100.IN-ADDR.ARPA
+103.100.IN-ADDR.ARPA
+104.100.IN-ADDR.ARPA
+105.100.IN-ADDR.ARPA
+106.100.IN-ADDR.ARPA
+107.100.IN-ADDR.ARPA
+108.100.IN-ADDR.ARPA
+109.100.IN-ADDR.ARPA
+110.100.IN-ADDR.ARPA
+111.100.IN-ADDR.ARPA
+112.100.IN-ADDR.ARPA
+113.100.IN-ADDR.ARPA
+114.100.IN-ADDR.ARPA
+115.100.IN-ADDR.ARPA
+116.100.IN-ADDR.ARPA
+117.100.IN-ADDR.ARPA
+118.100.IN-ADDR.ARPA
+119.100.IN-ADDR.ARPA
+120.100.IN-ADDR.ARPA
+121.100.IN-ADDR.ARPA
+122.100.IN-ADDR.ARPA
+123.100.IN-ADDR.ARPA
+124.100.IN-ADDR.ARPA
+125.100.IN-ADDR.ARPA
+126.100.IN-ADDR.ARPA
+127.100.IN-ADDR.ARPA
+0.IN-ADDR.ARPA
+127.IN-ADDR.ARPA
+254.169.IN-ADDR.ARPA
+2.0.192.IN-ADDR.ARPA
+100.51.198.IN-ADDR.ARPA
+113.0.203.IN-ADDR.ARPA
+255.255.255.255.IN-ADDR.ARPA
+0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
+1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
+D.F.IP6.ARPA
+8.E.F.IP6.ARPA
+9.E.F.IP6.ARPA
+A.E.F.IP6.ARPA
+B.E.F.IP6.ARPA
+8.B.D.0.1.0.0.2.IP6.ARPA
+EMPTY.AS112.ARPA
+HOME.ARPA"
+
+n=`expr $n + 1`
+ret=0
+count=0
+echo_i "Checking expected empty zones were configured ($n)"
+for zone in ${emptyzones}
+do
+	grep "automatic empty zone: $zone" ns1/named.run > /dev/null || {
+		echo_i "failed (empty zone $zone missing)"
+		ret=1
+	}
+	count=`expr $count + 1`
+done
+lines=`grep "automatic empty zone: " ns1/named.run | wc -l`
+test $count -eq $lines -a $count -eq 99 || {
+	ret=1; echo_i "failed (count mismatch)";
+}
+if [ $ret != 0 ] ; then status=`expr $status + $ret`; fi
+
+n=`expr $n + 1`
+echo_i "Checking that reconfiguring empty zones is silent ($n)"
+$RNDCCMD 10.53.0.1 reconfig
+ret=0
+grep "automatic empty zone" ns1/named.run > /dev/null || ret=1
+grep "received control channel command 'reconfig'" ns1/named.run > /dev/null || ret=1
+grep "reloading configuration succeeded" ns1/named.run > /dev/null || ret=1
+sleep 1
+grep "zone serial (0) unchanged." ns1/named.run > /dev/null && ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+
+n=`expr $n + 1`
+echo_i "Checking that reloading empty zones is silent ($n)"
+rndc_reload ns1 10.53.0.1
+ret=0
+grep "automatic empty zone" ns1/named.run > /dev/null || ret=1
+grep "received control channel command 'reload'" ns1/named.run > /dev/null || ret=1
+grep "reloading configuration succeeded" ns1/named.run > /dev/null || ret=1
+sleep 1
+grep "zone serial (0) unchanged." ns1/named.run > /dev/null && ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+
+HOST_NAME=`$FEATURETEST --gethostname`
+BIND_VERSION_STRING=$($NAMED -V | head -1)
+BIND_VERSION=$($NAMED -V | sed -ne 's/^BIND \([^ ]*\).*/\1/p')
+
+n=`expr $n + 1`
+ret=0
+echo_i "Checking that default version works for rndc ($n)"
+$RNDCCMD 10.53.0.1 status > rndc.status.ns1.$n 2>&1
+grep -F "version: $BIND_VERSION_STRING" rndc.status.ns1.$n > /dev/null || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+
+n=`expr $n + 1`
+ret=0
+echo_i "Checking that custom version works for rndc ($n)"
+$RNDCCMD 10.53.0.3 status > rndc.status.ns3.$n 2>&1
+grep -F "version: $BIND_VERSION_STRING (this is a test of version)" rndc.status.ns3.$n > /dev/null || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+
+n=`expr $n + 1`
+ret=0
+echo_i "Checking that default version works for query ($n)"
+$DIG $DIGOPTS +short version.bind txt ch @10.53.0.1 > dig.out.ns1.$n
+grep "^\"$BIND_VERSION\"$" dig.out.ns1.$n > /dev/null || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+
+n=`expr $n + 1`
+ret=0
+echo_i "Checking that custom version works for query ($n)"
+$DIG $DIGOPTS +short version.bind txt ch @10.53.0.3 > dig.out.ns3.$n
+grep "^\"this is a test of version\"$" dig.out.ns3.$n > /dev/null || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+
+n=`expr $n + 1`
+ret=0
+echo_i "Checking that default hostname works for query ($n)"
+$DIG $DIGOPTS +short hostname.bind txt ch @10.53.0.1 > dig.out.ns1.$n
+grep "^\"$HOST_NAME\"$" dig.out.ns1.$n > /dev/null || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+
+n=`expr $n + 1`
+ret=0
+echo_i "Checking that custom hostname works for query ($n)"
+$DIG $DIGOPTS +short hostname.bind txt ch @10.53.0.3 > dig.out.ns3.$n
+grep "^\"this.is.a.test.of.hostname\"$" dig.out.ns3.$n > /dev/null || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+
+n=`expr $n + 1`
+ret=0
+echo_i "Checking that default server-id is none for query ($n)"
+$DIG $DIGOPTS id.server txt ch @10.53.0.1 > dig.out.ns1.$n
+grep "status: NOERROR" dig.out.ns1.$n > /dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns1.$n > /dev/null || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+
+n=`expr $n + 1`
+ret=0
+echo_i "Checking that server-id hostname works for query ($n)"
+$DIG $DIGOPTS +short id.server txt ch @10.53.0.2 > dig.out.ns2.$n
+grep "^\"$HOST_NAME\"$" dig.out.ns2.$n > /dev/null || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+
+n=`expr $n + 1`
+ret=0
+echo_i "Checking that server-id hostname works for EDNS name server ID request ($n)"
+$DIG $DIGOPTS +norec +nsid foo @10.53.0.2 > dig.out.ns2.$n
+grep "^; NSID: .* (\"$HOST_NAME\")$" dig.out.ns2.$n > /dev/null || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+
+n=`expr $n + 1`
+ret=0
+echo_i "Checking that custom server-id works for query ($n)"
+$DIG $DIGOPTS +short id.server txt ch @10.53.0.3 > dig.out.ns3.$n
+grep "^\"this.is.a.test.of.server-id\"$" dig.out.ns3.$n > /dev/null || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+
+n=`expr $n + 1`
+ret=0
+echo_i "Checking that custom server-id works for EDNS name server ID request ($n)"
+$DIG $DIGOPTS +norec +nsid foo @10.53.0.3 > dig.out.ns3.$n
+grep "^; NSID: .* (\"this.is.a.test.of.server-id\")$" dig.out.ns3.$n > /dev/null || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/cacheclean/clean.sh b/bin/tests/system/cacheclean/clean.sh
new file mode 100644
index 0000000..b346e65
--- /dev/null
+++ b/bin/tests/system/cacheclean/clean.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Clean up after cache cleaner tests.
+#
+
+rm -f dig.out.ns2
+rm -f dig.out.expire
+rm -f rndc.out.*
+rm -f sed.out.*
+rm -f */named.memstats
+rm -f */named.run
+rm -f */named.conf
+rm -f ns2/named_dump.db.*
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/cacheclean/dig.batch b/bin/tests/system/cacheclean/dig.batch
new file mode 100644
index 0000000..d185204
--- /dev/null
+++ b/bin/tests/system/cacheclean/dig.batch
@@ -0,0 +1,924 @@
+YA.AKAMAI.com. IN A
+UPR1.UPR.CLU.EDU. IN A
+integra.s-integra.co.JP. IN A
+avalon.iks-jena.de. IN A
+NS1.GLOBALDNS.com. IN A
+NS.RDU.BELLSOUTH.net. IN A
+ns.space.net. IN A
+SUN.MHS-RELAY.AC.UK. IN A
+AYAX.UNIANDES.EDU.CO. IN A
+DNS.NIC.CD. IN A
+NS.DNS.PT. IN A
+NS1.INTERNETSHARE.com. IN A
+MASTER.DNS.BE. IN A
+CATAMOUNT.middlebury.EDU. IN A
+FM03.FM. IN A
+NAAMAK.NCST.ERNET.IN. IN A
+gateway2.BFG.com. IN A
+NS3.NS.ESAT.net. IN A
+DNS1.INTUIT.com. IN A
+DEN-NS2.FWIDCSERVICES.net. IN A
+SOL.UNDPBI.TELEPAC.net. IN A
+NS2.tridog.com. IN A
+DNS2.KW. IN A
+NS2.MAIL.com. IN A
+NS.FIRSTCOM.CL. IN A
+DNS4.QUICKEN.com. IN A
+bofh.cid.net. IN A
+NS1.KRNIC.net. IN A
+NS2.SR.net. IN A
+NS1.TELSTRA.net. IN A
+ns.cafax.SE. IN A
+NS1.DNS.NET.NZ. IN A
+NS.CONCOURSE.com. IN A
+35.32/27.110.16.12.IN-ADDR.ARPA. IN PTR
+CCC.champcable.com. IN A
+NS.RIPE.net. IN A
+NS.NIC.NU. IN A
+KIM.CAMNET.CM. IN A
+DOGON.SOTELMA.net. IN A
+DNS02.FLAME.org. IN A
+NS.MIA.BELLSOUTH.net. IN A
+mail.ok.RU. IN A
+NS.NIC.MX. IN A
+NS2.BERKELEY.EDU. IN A
+SHIKHAR.MOS.COM.NP. IN A
+noc.rrz.Uni-Koeln.de. IN A
+NS.KORNET.net. IN A
+keith.gazpacho.org. IN A
+NS2.appliedtheory.com. IN A
+NS.CERNET.net. IN A
+smtp.ELISTX.com. IN A
+NS-AIT.THNIC.net. IN A
+from.PL. IN A
+mailhub.icann.org. IN A
+SEC1.DNS.UK.PSI.net. IN A
+isrv3-i.isc.org. IN A
+PHLOEM.UOREGON.EDU. IN A
+CTINA.AR. IN A
+DNS2.IAM.NET.MA. IN A
+10.126.39.137.IN-ADDR.ARPA. IN PTR
+DNS.PRINCETON.EDU. IN A
+NS.BELLSOUTH.net. IN A
+NS1.SNS-FELB.DEBIS.com. IN A
+localhost. IN A
+hm6.vt.highmeadow.com. IN A
+SYRUP.hill.com. IN A
+NS99.WAIKATO.AC.NZ. IN A
+NS4.CW.net. IN A
+NS2.SLOWMOE.com. IN A
+ns2.hypa.net. IN A
+ns.sxtyptt.NET.CN. IN A
+NS2.MERCHANTWARE.com. IN A
+uunymdgds1.DOUBLECLICK.net. IN A
+e34.co.us.IBM.com. IN A
+kista.dns.swip.net. IN A
+ZEBRA.UEM.MZ. IN A
+NET2.GENDYN.com. IN A
+NS0.UTK.EDU. IN A
+NS.RELCOM.EU.net. IN A
+DNS0.AXION.BT.CO.UK. IN A
+mail.vhv.com. IN A
+DNS4.UK.MSFT.net. IN A
+NS2.ADNS.net. IN A
+NS1.SEATTLE.US.NETDNS.com. IN A
+NS2.UNIVIE.AC.at. IN A
+NS15B.BOCA15-VERIO.com. IN A
+www.BAYAREA.com. IN CNAME
+ns4.onemain.com. IN A
+NS2.EDIGITALS.com. IN A
+MICHAEL.VATICAN.VA. IN A
+AUSTIN.GH.com. IN A
+sld-ns2.CNNIC.NET.CN. IN A
+NS2.CDC.GOV. IN A
+NS.WATSON.IBM.com. IN A
+NS.NIC.SH. IN A
+NS2.BAHNHOF.net. IN A
+NS-AUTH2.cmates.com. IN A
+ISDMNL.WR.USGS.GOV. IN A
+NS2.COBEX.net. IN A
+MERLE.CIRA.CA. IN A
+NS.UVG.EDU.GT. IN A
+NS1.CWVA.DOUBLECLICK.net. IN A
+eliot.diebold.com. IN A
+NS.ALMADEN.IBM.com. IN A
+NS2.INTERNETSQUARE.com. IN A
+mail.QUEST-NET.com. IN A
+Z1.NS.LHR1.GLOBIX.net. IN A
+DNS1.AVANTEL.NET.MX. IN A
+vh80040.vh8.INFI.net. IN A
+NS.LEB.net. IN A
+NS.DCC.UCHILE.CL. IN A
+CLOUSO.RISQ.QC.CA. IN A
+muenster.westfalen.de. IN A
+us.a1.YIMG.com. IN CNAME
+NS.DEMOS.SU. IN A
+south.NAVPOINT.com. IN A
+netconsult.netconx.de. IN A
+DNS2.btinternet.com. IN A
+NS2.CINE.net. IN A
+castor.cmc.ec.gc.CA. IN A
+EX2-DNS0.AVENUEA.com. IN A
+firewall3.glaxowellcome.com. IN A
+MACU.MA.MT.NP.ELS-GMS.att.net. IN A
+NS.PA. IN A
+TGSERV.TELE.GL. IN A
+KYNSE02.MESSAGESECURE.com. IN A
+GORGON.XTRA.CO.NZ. IN A
+DNS.NIC.IT. IN A
+pop.VERMONTEL.net. IN CNAME
+NS2.REGISTRY.HM. IN A
+NAMESERVER1.CONCENTRIC.net. IN A
+47.131.127.204.IN-ADDR.ARPA. IN PTR
+mailhost.tfm.com. IN A
+NS1.MRC.GM. IN A
+NS.WIDE.AD.JP. IN A
+NS.BTA.NET.CN. IN A
+NS2.ISPC.org. IN A
+BOW.RAIN.FR. IN A
+srs.srs.state.vt.us. IN A
+NS4.WEB2010.com. IN A
+NS.TELECOM.NET.ET. IN A
+NS1.DNS.NET.KH. IN A
+GATEN.JARING.MY. IN A
+shell.nominum.com. IN A
+CHEOPS.ANU.EDU.AU. IN A
+VANGOGH.CS.BERKELEY.EDU. IN A
+NS2.NOC.NULLUS.net. IN A
+NIC.LTH.SE. IN A
+ns.farm.net. IN A
+NS.USEC.SUN.com. IN A
+NS2.YOUR-DOMAIN.com. IN A
+DNS-EAST.PREP.net. IN A
+ns.hcr.net. IN A
+NS-RCH.nortelnetworks.com. IN A
+crl.DEC.com. IN A
+NS.PIXAR.ES. IN A
+MEX1-M-213.UNINET.NET.MX. IN A
+NS.ITU.CH. IN A
+matrix.uwm.EDU.PL. IN A
+gateway1.gmcr.com. IN A
+NS2.DNS.BR. IN A
+foxharp.boston.MA.us. IN MX
+Quest-7.symquest.com. IN A
+NS2.VERIO.net. IN A
+NAME.IAD.GBLX.net. IN A
+NS2.EMIRATES.NET.AE. IN A
+supai.oit.UMASS.EDU. IN A
+QUERN.EPILOGUE.com. IN A
+NS3.TOPICA.com. IN A
+NS1.JERKY.net. IN A
+JTB.BRUNET.BN. IN A
+AUTH100.NS.UU.net. IN A
+BOW.INTNET.DJ. IN A
+OSI2.GUA.net. IN A
+AZMODAN.ULA.VE. IN A
+THUMPER.RPSLMC.EDU. IN A
+ICHU.RCP.NET.PE. IN A
+NS.NIC.AC. IN A
+DNS.NETFLIGHT.com. IN A
+ns2.UTORONTO.CA. IN A
+mail.giffordmed.org. IN A
+RATA.VUW.AC.NZ. IN A
+NS-2.ADMONITOR.net. IN A
+NCC.MOC.KW. IN A
+NS.EUNET.ES. IN A
+NS3.best.com. IN A
+zip.MAIL-LIST.com. IN MX
+JATZ.AARNET.EDU.AU. IN A
+DNS2.MAN.LODZ.PL. IN A
+NS.VERITAS.com. IN A
+218.241.103.199.IN-ADDR.ARPA. IN PTR
+BOW.SNPT.KM. IN A
+Z1.NS.SJC1.GLOBIX.net. IN A
+DNS.NIC.TT. IN A
+MAKISIG.IPHIL.net. IN A
+NS.DK.net. IN A
+NS.NI. IN A
+CIUP1.NCC.UP.PT. IN A
+ns2.verisign-grs.com. IN A
+NS1.UMASS.EDU. IN A
+NS.NEWACCOUNT.net. IN A
+UDNS2.ULTRADNS.net. IN A
+NS2.LATNET.LV. IN A
+info-server.surrey.AC.UK. IN A
+NS2.SQUONK.net. IN A
+NS2.DSO.net. IN A
+www.energyenhancement.org. IN A
+DNS1.BD. IN A
+nl.COMPUWARE.com. IN MX
+NS.DHIRAAGU.MV. IN A
+TRANTOR.UMD.EDU. IN A
+NS.ALCANET.NO. IN A
+Z6.MSFT.AKADNS.com. IN A
+NS4.ync.net. IN A
+CMTU.MT.NS.ELS-GMS.att.net. IN A
+vh40099.vh4.INFI.net. IN A
+ns2.secondary.nl. IN A
+abyssinian.sleepycat.com. IN A
+APHEX.MENTOR.BE. IN A
+webmail.fiberia.com. IN A
+localhost.moonmothers.com. IN A
+NS2.DNS.LU. IN A
+NS.VISUALCOM.ES. IN A
+TONIC.TO. IN A
+NS1.CRSNIC.net. IN A
+trurl.ispid.com.PL. IN A
+datingagentur.de. IN A
+NS2.NSIREGISTRY.net. IN A
+ICE.VIA-NET-WORKS.IE. IN A
+sgi1.map.com. IN A
+NS0.HS0.U-NET.net. IN A
+candle.pha.pa.us. IN A
+NS1.PACIFIC.NET.SG. IN A
+NS.CENIAI.NET.CU. IN A
+NS2.UUCP.NE.JP. IN A
+za.akamaitech.net. IN A
+NS.UCR.AC.CR. IN A
+DNS-02.NS.cs.com. IN A
+dns2.primary.net. IN A
+PAPPSRV.PAPP.UNDP.org. IN A
+NS1.REGME.com. IN A
+DNS.CS.KULEUVEN.AC.BE. IN A
+NS1.VERMONTLAW.net. IN A
+mail.garmontusa.com. IN A
+NS2.SAIPAN.com. IN A
+NS.ARICATRA.com. IN A
+ns2.reedmedia.net. IN A
+NS.NETLAB.SK. IN A
+RELAY.GW.tislabs.com. IN A
+b.ns.tmcs.net. IN A
+NS1.IBL.BM. IN A
+ok.RU. IN A
+NS.RICC.ALMA-ATA.SU. IN A
+KITKA.MARNET.MK. IN A
+dasher.dartmouth.EDU. IN A
+NS0.PLANET-THREE.com. IN A
+KNOCK.SER.BBNPLANET.net. IN A
+tornado.webtech.elk.PL. IN A
+AUTH2.NS.IDT.net. IN A
+host3.VTLEGALAID.org. IN A
+NS.EUNET.SK. IN A
+TULKU.NIC.AR. IN A
+RELAY.CDNNET.CA. IN A
+DNS2.TPSA.PL. IN A
+enterprise.wirbel.com. IN A
+ECNET.EC. IN A
+ENGINE1.UNA.net. IN A
+WYCU.WY.BR.NP.ELS-GMS.att.net. IN A
+ARWENA.NASK.WAW.PL. IN A
+PAC2.NIPR.MIL. IN A
+DAISY.EE.UND.AC.ZA. IN A
+odin.ietf.org. IN A
+dns.kaben-net.de. IN A
+NS2.ALTAVISTA.com. IN A
+CASTOR.TELEGLOBE.net. IN A
+CIR.RED.SV. IN A
+PIJIN.COM.SB. IN A
+NS4.CTCCOM.net. IN A
+NS1.SOL.NO. IN A
+DNS2.TK.MSFT.net. IN A
+NS.BSDI.com. IN A
+NS.SVIANED.nl. IN A
+NS.NOVELL.com. IN A
+NS.LUCKY.net. IN A
+SJC-NS2.SJC.LYCOS.com. IN A
+NS1.OP.net. IN A
+worldnet.att.net. IN A
+APIES.FRD.AC.ZA. IN A
+mail.skiinsurance.com. IN A
+NS.BELNET.BE. IN A
+KOMO.INET.GA. IN A
+EARTH.THEPLANET.net. IN A
+VASCO.USMA.AC.PA. IN A
+GODFEVER.DCCSERVER.com. IN A
+BOS-NS2.BOS.LYCOS.com. IN A
+NS2.GOTO.com. IN A
+NS1.overstock.com. IN A
+NS1-PUBLIC.ZMA.COMPAQ.com. IN A
+ns.ilovedomain.com. IN A
+ns1.anycast.net. IN A
+PASCAL.UPRR.PR. IN A
+NS3-AUTH.SPRINTLINK.net. IN A
+NS1-Y.DNS.PIPEX.net. IN A
+prue.eim.surrey.AC.UK. IN A
+TROLL-GW.GATECH.EDU. IN A
+NS.SIERRATEL.SL. IN A
+ns2.PSHIFT.com. IN A
+NS.ERS.IBM.com. IN A
+ASLAN.OPEN-RSC.org. IN A
+NS2.DOMAIN-REGISTRY.nl. IN A
+uranus.lan-ks.de. IN A
+mail.unlisys.net. IN A
+NS.AUSTRIA.EU.net. IN A
+AUTH01.CONNECT.IE. IN A
+SUN.SCSI.GOV.BY. IN A
+NS1.SIGMAHOSTING.com. IN A
+NS.CAST.EDU.JM. IN A
+DS.NIC.NET.SG. IN A
+PRADES.CESCA.ES. IN A
+ns.sta.NET.CN. IN A
+NSE00.excite.com. IN A
+NS3.ABOVE.net. IN A
+CASBAH.ELDJAZAIR.NET.DZ. IN A
+ASKIA.SOTELMA.ML. IN A
+NS.IDT.net. IN A
+FXCLPR02.IS.CHRYSLER.com. IN A
+SVC00.APNIC.net. IN A
+NS5.DCX.YAHOO.com. IN A
+ns1.ray.net. IN A
+NS.NIC.MC. IN A
+ns.runway.CN.net. IN A
+benoni.uit.NO. IN A
+SCRATCHY.MINDSPRING.net. IN A
+ns1.pcode.com. IN A
+ns1.aha.RU. IN A
+ns2.uwaterloo.CA. IN A
+ns2.NIC.AD.JP. IN A
+a.ns.foxharp.boston.MA.us. IN A
+NS.NIC.IO. IN A
+A-GTLD-SERVERS.dot-god.com. IN A
+SMTP.slac.stanford.EDU. IN A
+52.87.198.209.IN-ADDR.ARPA. IN PTR
+BARNEY.ADVSYS.CO.UK. IN A
+NS1.TELEPAC.PT. IN A
+NICOSIA.CCS.UCY.AC.CY. IN A
+NS.PUNCHDOWN.org. IN A
+SYNAESTHESIA.COGNOSCENTI.org. IN A
+NS2.PLANET-THREE.net. IN A
+DNS.CIT.CORNELL.EDU. IN A
+MODOR.VERISIGN.net. IN A
+SUNSTROKE.IS.RPSLMC.EDU. IN A
+NS2.SEG.net. IN A
+NEMUNAS.SC-UNI.KTU.LT. IN A
+MULGA.CS.MU.OZ.AU. IN A
+NS1.NPLUS.GF. IN A
+ns2.centralinfo.net. IN A
+K.GTLD-SERVERS.net. IN A
+ns1.codelocal.com. IN A
+NS2.IPNS.com. IN A
+NS0.DE.NIC.NU. IN A
+NS.USSR.EU.net. IN A
+NS.INTERNET.SK. IN A
+CORREOS.SEKER.ES. IN A
+mx1.buf.ADELPHIA.net. IN A
+aun.UNINETT.NO. IN A
+NS0.NETANET.com. IN A
+www.MANY-PATHS-ENERGY-ENHANCEMENT.com. IN A
+NS2.STARFIRE.DOUGLAS.MA.us. IN A
+NS3.IKP.PL. IN A
+pns.dtag.de. IN A
+NZ.NS.NIC.NU. IN A
+DAVER.bungi.com. IN A
+gutenberg.bucksnet.com. IN A
+DNS2.IT.net. IN A
+NS2.SNS-UT.DEBIS.com. IN A
+ISI.EDU. IN A
+amethyst.xaos.org. IN A
+PAPPILLOMA.WWEBSVS.com. IN A
+NS2.bock.com. IN A
+NS2.OAR.net. IN A
+MINION.NETPOLICY.com. IN A
+Mail.catic1.com. IN A
+NS4.DNS.space.net. IN A
+b.gtld-servers.ORSC. IN A
+bend.madriver.com. IN A
+NS4.IS-FUN.net. IN A
+NS2.JPS.net. IN A
+NS1.IP-PLUS.net. IN A
+rush.cc1.RPSLMC.EDU. IN A
+NS2.GBMTECH.net. IN A
+DNS.MSEN.com. IN A
+DNSSEC2.SINGNET.COM.SG. IN A
+NS2.HOME.net. IN A
+ACCESS.MBNET.MB.CA. IN A
+DNS0.SPIN.AD.JP. IN A
+Filer.PHOTOTRUST.com. IN A
+jpl.NASA.GOV. IN A
+NS2.TECHNOLOGIA.net. IN A
+bparker.CONNACTIVITY.com. IN A
+NS1.uvm.EDU. IN A
+NS.SENET.net. IN A
+DNS2.UTCC.UTORONTO.CA. IN A
+localhost.costorf.com. IN A
+DNS2.AD. IN A
+HYDRA.HELSINKI.FI. IN A
+NAME.PHX.GBLX.net. IN A
+NS2.FOOL.com. IN A
+NS01-SERVER.CURINFO.AN. IN A
+NS.CR. IN A
+mail.pshift.net. IN A
+NS.IRD.FR. IN A
+NS.UZ. IN A
+DNS.INTELCOM.SM. IN A
+DNS2.UNIV-NKC.MR. IN A
+HNS3.hns.com. IN A
+bay.cs.UTORONTO.CA. IN A
+NS0.BT.net. IN A
+BAYONET.SJMERCURY.com. IN A
+PAN.BIJT.net. IN A
+NAVI.SUBTEND.net. IN A
+NS.CIX.CX. IN A
+waldorf.Informatik.Uni-Dortmund.de. IN A
+NS2.ivillage.com. IN A
+DNS.NIC.XLINK.net. IN A
+NS1.MERCHANTWARE.CON. IN A
+NS.TO.GD-ES.com. IN A
+NS-A.RNC.RO. IN A
+REGGAE.NCREN.net. IN A
+SSS-NL.DENIC.de. IN A
+NS1.TDC.TO. IN A
+NS.NIC.HU. IN A
+JOANNA.WILLIAM.org. IN A
+NS0.IIJ.AD.JP. IN A
+maus.spack.org. IN A
+B.NS.VERIO.net. IN A
+SECDNS.EUNET.BE. IN A
+NS3.EUROPE.YAHOO.com. IN A
+A.ROOT-SERVERS.net. IN A
+sherickpm.com. IN MX
+NS2.MEDIASERVICES.net. IN A
+YARDBIRD.CNS.vt.EDU. IN A
+SUNIC.SUNET.SE. IN A
+NS.MT. IN A
+CNDVG001.usa.net. IN A
+NS1.CX.ESCROW.IOCOMM.NET.CX. IN A
+DNS-02.NS.AOL.com. IN A
+ns2.tesserae.com. IN A
+SV10.BATELCO.COM.BH. IN A
+dec.anr.state.vt.us. IN MX
+3.133.188.192.IN-ADDR.ARPA. IN PTR
+NS1.LONDON.UK.NETDNS.com. IN A
+NS.NIC.MG. IN A
+DNS1.VN. IN A
+DENS20.DEN.nps.GOV. IN A
+z.ip6.INT. IN A
+NS3.TRIVALLEY.com. IN A
+isis.imag.FR. IN A
+NS.SOVAM.com. IN A
+NS-SOA.DARENET.DK. IN A
+NS4.NIC.TV. IN A
+DNSSRV1X.mitre.org. IN A
+GATEKEEPER.NYTIMES.com. IN A
+D.I-DNS.net. IN A
+NS.KOLO.net. IN A
+NS4.FIRSTWORLD.net. IN A
+DECST.CERIST.DZ. IN A
+NS4.DNS.WS. IN A
+NS0.GDGSC.com. IN A
+UCTHPX.UCT.AC.ZA. IN A
+NS2.HOTWIRED.com. IN A
+ns02.ca.us.ibm.net. IN A
+NS2.SPEAKEASY.net. IN A
+TELCOM.ZPTC.CO.ZW. IN A
+NS.DK-HOSTMASTER.DK. IN A
+NS.NIC.LK. IN A
+NS2.zama.net. IN A
+CZ.EUNET.CZ. IN A
+NS.AC.ID. IN A
+NS1.CUBE.de. IN A
+NS1.QUASAR.net. IN A
+NS1.OFFSHORE.AI. IN A
+NS5.NRSITE.com. IN A
+NS.AIC.net. IN A
+OWL.NCC.nps.GOV. IN A
+MAXIM.gbch.net. IN A
+BOW.INTNET.TD. IN A
+ns1.cacheware.com. IN A
+NS2.SPEEDHOST.com. IN A
+NS1.COMMIT.GM. IN A
+NAME.ROC.GBLX.net. IN A
+90.198.245.204.IN-ADDR.ARPA. IN PTR
+BOLOGNA.NETTUNO.IT. IN A
+NIC.IBD.com. IN A
+NS.WESTOL.com. IN A
+time.SOVER.net. IN CNAME
+UNIX1.CS.UMASS.EDU. IN A
+AARDVARK.WR.UMIST.AC.UK. IN A
+NS1.NIC.YU. IN A
+mail.velco.com. IN A
+DNSAUTH2.SYS.GTEI.net. IN A
+NS.TELE.FI. IN A
+state.vt.us. IN MX
+NS.NYC.juno.com. IN A
+NS1.g-world.com. IN A
+AUTH2.AMERICA.net. IN A
+KIRA.ECS.UMASS.EDU. IN A
+CONACYT.GOB.SV. IN A
+DNS.SRCE.HR. IN A
+NS00.ns0.com. IN A
+NS2.CL.BELLSOUTH.net. IN A
+jenner.med.HARVARD.EDU. IN A
+p2.cavebear.com. IN A
+NS1.NIC.JE. IN A
+ORCU.OR.BR.NP.ELS-GMS.att.net. IN A
+NS.XBILL.org. IN A
+WRAITH.CS.UOW.EDU.AU. IN A
+12.159.145.204.IN-ADDR.ARPA. IN PTR
+ns1.pr.SUN.com. IN A
+NS.SPIN.OMNES.net. IN A
+smtp.188.net. IN A
+TERMINAL.2GLOBE.net. IN A
+NS2.HARVARD.EDU. IN A
+NAMESERVER.CNR.IT. IN A
+EARTH.SY. IN A
+DNS2.REACCIUN.VE. IN A
+NS.TMX.COM.NI. IN A
+freefour.acs.rpi.EDU. IN A
+242.84.198.209.IN-ADDR.ARPA. IN PTR
+CORREU.STA.AD. IN A
+NS.DRUKNET.NET.BT. IN A
+NS4.US.PRSERV.net. IN A
+KAASASSUK.GH.GL. IN A
+ECUA.NET.EC. IN A
+NS.CONCYT.GOB.GT. IN A
+NS2.NAP.net. IN A
+DNS2.CN.net. IN A
+MX.NSI.NASA.GOV. IN A
+NS.TDS.net. IN A
+tdns-me1.NETSCAPE.com. IN A
+NS2.METU.EDU.TR. IN A
+NS2.SETARNET.AW. IN A
+87.184.152.204.IN-ADDR.ARPA. IN PTR
+DNS.OMNIWAY.SM. IN A
+NS0.U-NET.net. IN A
+elektro.CMHNET.org. IN A
+ns2.HIGGS.net. IN A
+NS2.SKYNETWEB.com. IN A
+MAGIC.MN. IN A
+NS1.YAHOO.com. IN A
+mx1.cdp.ADELPHIA.net. IN A
+SANTO.VANUATU.COM.VU. IN A
+www.mmuuf.org. IN MX
+ns1.timeheart.net. IN A
+NS2.TOGETHER.net. IN A
+NS.AMNIC.net. IN A
+NS.EENET.EE. IN A
+www.ONLINEPHOTOCONTEST.com. IN A
+VIC20.BLIPP.com. IN A
+DNS.FROGHOUSE.org. IN A
+NS2.ELI.net. IN A
+NS.CAIS.com. IN A
+BAABEN.AFRIQ.net. IN A
+NS2.NJ.EXODUS.net. IN A
+DOMREG.NIC.CH. IN A
+NS.EU.net. IN A
+NS1.DIEBOLD.net. IN A
+NS3.CP.net. IN A
+DNS.FUW.EDU.PL. IN A
+www.retro.com. IN A
+NS2.UNI2.net. IN A
+ns1.alcatrazmedia.com. IN A
+dns6.CP.MSFT.net. IN A
+NS1.SEYCHELLES.net. IN A
+NS2.INTERNIC.net. IN A
+front.macrosoft.WAW.PL. IN A
+NISC.JVNC.net. IN A
+AUTH03.NS.DE.UU.net. IN A
+BURDELL.CC.GATECH.EDU. IN A
+NS4.AH.net. IN A
+ns1.sgh-net.de. IN A
+Leland2.stanford.EDU. IN A
+CBRU.BR.NS.ELS-GMS.att.net. IN A
+DENEB.DOMAINNT.net. IN A
+ns1.ivm.net. IN A
+NS0.CWCI.net. IN A
+35.110.16.12.IN-ADDR.ARPA. IN CNAME
+f.trns. IN A
+ODISEJ.TELEKOM.YU. IN A
+FRCU.EUN.EG. IN A
+NS.HHS.net. IN A
+FOO.GRNET.GR. IN A
+mail.WonderWorks.com. IN A
+NS1.IAFRICA.com. IN A
+NS.KACST.EDU.SA. IN A
+srs.state.vt.us. IN A
+OM4.OMANTEL.NET.OM. IN A
+Yeshua.Christ.com. IN A
+NS1.SIMORGH.com. IN A
+OLKETA.SOLOMON.COM.SB. IN A
+BANBA.DOMAINREGISTRY.IE. IN A
+NOC.IOS.com. IN A
+ns.schnism.net. IN A
+e4.ny.us.IBM.com. IN A
+DNS2.SEANET.com. IN A
+doubt.dd.org. IN A
+AMBER.ELEKTRON.PL. IN A
+gw.rge.com. IN A
+NS2.ZTNET.com. IN A
+NS3.INFI.net. IN A
+ZA.AKADNS.net. IN A
+ESTIA.CSI.FORTH.GR. IN A
+vtagr04.agr.state.vt.us. IN A
+NS1-PUBLIC.ZTX.COMPAQ.com. IN A
+ADMII.ARL.MIL. IN A
+NS.NIXU.FI. IN A
+DNS2.PIONEERNET.net. IN A
+NS.NIC.CL. IN A
+NS2.UTZ. IN A
+NS4.LUXNOC.com. IN A
+NS2.PBI.net. IN A
+annwfn.erfurt.thur.de. IN A
+NS1.MW.mediaone.net. IN A
+NS1.ISU.NET.SA. IN A
+pop.SHOREHAM.net. IN CNAME
+DNS2.GUERNSEY.net. IN A
+NS1.BEACHSHORE.net. IN A
+HKUXB.HKU.HK. IN A
+NS.DOLEH.com. IN A
+NS.hactrn.net. IN A
+MALAKULA.BONDY.IRD.FR. IN A
+NS1.mediaone.net. IN A
+NS2.GPG.com. IN A
+noc.BelWue.de. IN A
+NS2.GIP.net. IN A
+RS.ISLES.net. IN A
+BOW.INTNET.GQ. IN A
+A.OPEN.BY. IN A
+us.i1.YIMG.com. IN CNAME
+athome.wetlogic.net. IN CNAME
+NS1.NIST.GOV. IN A
+mail.jerusalem-mail.com. IN A
+ISDSUN.cr.USGS.GOV. IN A
+NS.BOSTON.juno.com. IN A
+NS2.CADABRA.com. IN A
+nps.GOV. IN MX
+RELAY.HUJI.AC.IL. IN A
+styx.tahina.priv.at. IN A
+ISGATE.IS. IN A
+ns0.lux.dot-eu.org. IN A
+BILBO.NASK.ORG.PL. IN A
+MAIL.TARSUS.com. IN A
+SUN.REDIRIS.ES. IN A
+NS2.NEASE.net. IN A
+OHCU.OH.MT.NP.ELS-GMS.att.net. IN A
+NS2.NF. IN A
+MIRAF-SERVER3.HONDUTEL.HN. IN A
+ns3.worldnet.att.net. IN A
+NS2.NETNAMES.net. IN A
+ITGBOX.IAT.CNR.IT. IN A
+NS2.ADELPHIA.net. IN A
+NS2.RIPN.net. IN A
+NS1.cinenet.net. IN A
+jengate.thur.de. IN A
+NOC.ULCC.JA.net. IN A
+NS.NOC.UZ. IN A
+NS0.JA.net. IN A
+NS2.INR.net. IN A
+netsage.org. IN A
+TERI.USP.AC.FJ. IN A
+NS2.NETSOL.com. IN A
+NS2.ABAC.com. IN A
+NS2.NIC.FR. IN A
+KANIN.ARNES.SI. IN A
+NS.EDU.GU. IN A
+DNS.INRIA.FR. IN A
+HEDNS1.GOOGLE.com. IN A
+asylum.sf.ca.us. IN A
+ACT2.ACT2000.net. IN A
+ICM1.ICP.net. IN A
+202.192.103.198.209.IN-ADDR.ARPA. IN PTR
+ECSEL.jhuapl.EDU. IN A
+NS2.DCNY.DOUBLECLICK.net. IN A
+keith.netsage.org. IN A
+MANTA.OUTREMER.com. IN A
+NS2.globalnetisp.net. IN A
+NS2.CCSRS.net. IN A
+NS1.NL.CONCENTRIC.com. IN A
+NS2.VI.net. IN A
+NS2.NEO.net. IN A
+cgi.MERCURYCENTER.com. IN CNAME
+ORSTOM.RIO.net. IN A
+NS2.CONRADPROMOTIONS.com. IN A
+YARRINA.CONNECT.COM.AU. IN A
+dns03.OPS.usa.net. IN A
+APPSRV.HAITIWORLD.com. IN A
+NS.RELCOM.KZ. IN A
+NS1.MAGIC-MOMENTS.com. IN A
+NS.ALCATEL.com. IN A
+ns2.terra.net. IN A
+NS3.hotmail.com. IN A
+vtc.VSC.EDU. IN MX
+www.vmba.org. IN MX
+NAHOURI.ONATEL.BF. IN A
+SERVER2.INFN.IT. IN A
+NS2.AI-R.com. IN A
+NS1.FREE.net. IN A
+vcmr-54.server.rpi.EDU. IN A
+haig.CS.UCL.AC.UK. IN A
+mail.nova-data.com. IN A
+MOEVAX.EDU.TW. IN A
+NS2.LTWCC.org. IN A
+NS.BA. IN A
+noc.HRZ.uni-bielefeld.de. IN A
+VANILLA.WRO.nps.GOV. IN A
+NS2.SZTAKI.HU. IN A
+SECIU.EDU.UY. IN A
+COL2.CARIBSURF.com. IN A
+NS2.QATAR.NET.QA. IN A
+NS2.E-SYNC.net. IN A
+ns1.eu.SUN.com. IN A
+NS1.UUSJ.DOUBLECLICK.net. IN A
+NS2.CUHK.EDU.HK. IN A
+NS1.MEITCA.com. IN A
+NS2.DSL.net. IN A
+techfac.techfak.uni-bielefeld.de. IN A
+listserv.performancediver.com. IN A
+foolusmf.D4P.net. IN CNAME
+pedic-med.vrx.net. IN A
+GRUMPY.NET.NA. IN A
+BK.tifosi.com. IN A
+ns3.PAIR.com. IN A
+ns2.ar.com. IN A
+MASSIRA.ONPT.NET.MA. IN A
+NS.KBFI.EE. IN A
+ns3.Algebra.com. IN A
+faerber.muc.de. IN MX
+9.206.203.192.IN-ADDR.ARPA. IN PTR
+PUKU.UNZA.ZM. IN A
+ATLNET.ATLONLINE.com. IN A
+Z1.NS.NYC1.GLOBIX.net. IN A
+www.hometownbands.com. IN A
+SIMON.CS.CORNELL.EDU. IN A
+EKEKO.RCPIP.net. IN A
+emerald.itnet.com.PL. IN A
+DNS1.ICS.FORTH.GR. IN A
+NS.ATL.BELLSOUTH.net. IN A
+ntp.ctr.COLUMBIA.EDU. IN CNAME
+NS2.GLOBECOMM.net. IN A
+UUNS1DNS1.FLONETWORK.com. IN A
+GRIN.GNOSH.net. IN A
+NS.DIGSYS.BG. IN A
+uunet.UU.net. IN MX
+ns1.vermontel.com. IN A
+NS2.GREENMOUNTAINACCESS.net. IN A
+38.241.5.198.IN-ADDR.ARPA. IN PTR
+NS1.NIC.UK. IN A
+DNS.FCCN.PT. IN A
+NS2.NIC.TJ. IN A
+NS4.NEWACCOUNT.com. IN A
+NS2.IHUG.NET.NZ. IN A
+NS.SIGNALZ.com. IN A
+DNS.NIC.AD. IN A
+3.2.39.137.IN-ADDR.ARPA. IN PTR
+UUCP-GW-2.PA.DEC.com. IN A
+NS.LANDLORDS.com. IN A
+NS2.EXODUS.net. IN A
+NS2.SCRUZ.net. IN A
+NS.PIPEX-SZ.net. IN A
+saturn.SUN.com. IN A
+e24.nc.us.IBM.com. IN A
+NMS.CYFRONET.KRAKOW.PL. IN A
+NS.TWNIC.net. IN A
+ns2.alcatel.NO. IN A
+INPAKSODNS.AKSO.nps.GOV. IN A
+mail.reptiles.org. IN A
+59.187.152.204.IN-ADDR.ARPA. IN PTR
+ns1.mobydark.com. IN A
+NS.KG. IN A
+NS.SPB.SU. IN A
+PENDRAGON.CS.PURDUE.EDU. IN A
+NS1.IGC.APC.org. IN A
+USDNS.NIC.us. IN A
+NS2.WEBTRENDS.com. IN A
+URANUS.DAIMI.AAU.DK. IN A
+ANTANA.IRD.MG. IN A
+NS.JERSEY.juno.com. IN A
+NS2.INTERNET-TOOLS.com. IN A
+ns-tk012.ocn.AD.JP. IN A
+bvt-ext.gdarm.com. IN A
+NS1.ID. IN A
+NS2.MAHNET.net. IN A
+NS.ALCANET.COM.AU. IN A
+UTAMA.BOLNET.BO. IN A
+NS.CNC.AC.CN. IN A
+NS.KREN.NE.KR. IN A
+NS1.REDHAT.com. IN A
+db.rc.VIX.com. IN A
+198.103.198.209.IN-ADDR.ARPA. IN CNAME
+alf.pbks.PL. IN A
+FLAG.EP.net. IN A
+DNS2.IUNET.IT. IN A
+NS2.QUANTIFIED.net. IN A
+INTERNET-SERVER.ZURICH.IBM.com. IN A
+seaipsvcs.idx.com. IN A
+lebanon.valley.net. IN A
+SERVER.NORDU.net. IN A
+NS.NIC.DO. IN A
+isc-01.iscvt.org. IN A
+NAC.NO. IN A
+SAVA.UTIC.NET.BA. IN A
+NS1.TOKYO.JP.NETDNS.com. IN A
+NETSERV2.ITS.rpi.EDU. IN A
+IFI.UIO.NO. IN A
+www.TOAPLAN.com. IN A
+ns2.the-frontier.org. IN A
+NS.UNAM.MX. IN A
+ARISTO.TAU.AC.IL. IN A
+DNS.CS.WISC.EDU. IN A
+NS1.NIC.IR. IN A
+NS1.RETINA.AR. IN A
+mailer.connriver.net. IN A
+NS.ATI.TN. IN A
+NS2.CLEAR.NET.NZ. IN A
+NS4.EARTHLINK.net. IN A
+mejac.palo-alto.ca.us. IN A
+New-York4.NY.ALTER.net. IN A
+falcon.tallship.net. IN A
+ZEUS.CC.UCY.AC.CY. IN A
+NS2.SECURE.net. IN A
+NS0.FLIRBLE.org. IN A
+dns.zenon.net. IN A
+SERVIDOR.MICROASTUR.ES. IN A
+DOWNSTAGE.MCS.VUW.AC.NZ. IN A
+ns2.GNAC.com. IN A
+PRIFI.EUNET.FI. IN A
+ns2.k12.vt.us. IN A
+ns2.nic.mnet. IN A
+NS0.PIPEX.net. IN A
+NS1.SANFRANCISCO.US.NETDNS.com. IN A
+AMRA.NIC.GOV.JO. IN A
+kw.com.CN. IN MX
+SHNS.163.net. IN A
+NS.ER.USGS.GOV. IN A
+FAITH.MYNET.net. IN A
+mail.smuggs.com. IN A
+MIMOS.MY. IN A
+NS.GU. IN A
+mx00.schlund.de. IN A
+CADDSYS.IPTEK.net. IN A
+NS0.TELIA.NIC.NU. IN A
+NS2.GRANITECANYON.com. IN A
+GATEKEEPER.corning.com. IN A
+NS2.2DAY.com. IN A
+1.0.0.127.IN-ADDR.ARPA. IN PTR
+RAIN.PSG.com. IN A
+STRAWB.MIT.EDU. IN A
+NS2.DIGISERVE.com. IN A
+UMACSN2.UMAC.MO. IN A
+NS.JM. IN A
+12.153.66.206.IN-ADDR.ARPA. IN PTR
+EAST.ISI.EDU. IN A
+NS2.UUNET.CA. IN A
+SUNNY.STAT-USA.GOV. IN A
+BOW.INTNET.CF. IN A
+NS4.TELE.DK. IN A
+NS2.sodak.net. IN A
+NS1.NEWYORK.US.NETDNS.com. IN A
+NS2.PSI.net. IN A
+NS.KREONET.RE.KR. IN A
+GIANT.MINDLINK.net. IN A
+NS0.SECTOR001.org. IN A
+DNS.SEABONE.net. IN A
+NS2.MANA.PF. IN A
+NRWEB.CENPAC.NET.NR. IN A
+www.TRAVELPHOTOCONTESTS.com. IN A
+NS1.REGEX.com. IN A
+BIGBIRD.ITD.nps.GOV. IN A
+CUNIXD.CC.COLUMBIA.EDU. IN A
+NS1.CLASSIFIEDMONSTER.com. IN A
+SERVER1.SANS.org. IN A
+BRONZE.COIL.com. IN A
+SCSNMS.SWITCH.CH. IN A
+SCE.CNC.UNA.PY. IN A
+RELAY.LA.TIS.com. IN A
+NS.AUSTIN.IBM.com. IN A
+SERVICE.robert-morris.EDU. IN A
+MERCURY.ML.org. IN A
+proxy.pccf.net. IN A
+DUB-NAME-SVC-1.compuserve.com. IN A
+NS.CNRI.reston.va.us. IN A
+NS.UCAD.SN. IN A
+ns01.ny.us.ibm.net. IN A
+NS4-AUTH.ALASKA.net. IN A
+BOW.INTNET.NE. IN A
+NS-JP.SINET.AD.JP. IN A
+ns.musin.de. IN A
+ip1.romkey.SEG.net. IN A
+DNS2.ITD.UMICH.EDU. IN A
+mail.rpi.EDU. IN A
+INECO.NIC.ES. IN A
+DNS2.FIREHOUSE.net. IN A
+BOW.INTNET.BJ. IN A
+sundown.vtc.VSC.EDU. IN A
+NIC.AIX.GR. IN A
+NIC.AD.JP. IN A
+NS.DC.IGC.org. IN A
+LHR.NS.GDNS.net. IN A
+NS2.WEBMAGIC.net. IN A
+MUNNARI.OZ.AU. IN A
+HIPPO.RU.AC.ZA. IN A
+PEBBLES.IOM.com. IN A
+penpal.dmz.RPSLMC.EDU. IN A
+netnews.HINET.net. IN A
+INS2.TOSA.TWTELECOM.net. IN A
+proxy6.cisco.com. IN A
+NS2.HOST4U.net. IN A
+POIPARAU.OYSTER.NET.CK. IN A
+NS-EXT.VIX.com. IN A
+NS2.NURSAT.net. IN A
+mail2.kw.com.CN. IN A
+NS-02B.ANS.net. IN A
+DNS.RCCN.net. IN A
+B.ROOT-SERVERS.ORSC. IN A
+FIREHOUSE.net. IN A
diff --git a/bin/tests/system/cacheclean/knowngood.dig.out b/bin/tests/system/cacheclean/knowngood.dig.out
new file mode 100644
index 0000000..a0f087e
--- /dev/null
+++ b/bin/tests/system/cacheclean/knowngood.dig.out
@@ -0,0 +1,953 @@
+YA.AKAMAI.com.		604800	IN	A	204.178.118.68
+UPR1.UPR.CLU.EDU.	604800	IN	A	136.145.1.4
+integra.s-integra.co.JP. 604800	IN	A	210.162.202.34
+avalon.iks-jena.de.	604800	IN	A	194.221.90.34
+NS1.GLOBALDNS.com.	604800	IN	A	206.253.214.11
+NS.RDU.BELLSOUTH.net.	604800	IN	A	205.152.32.20
+ns.space.net.		604800	IN	A	195.30.0.1
+SUN.MHS-RELAY.AC.UK.	604800	IN	A	128.86.8.25
+AYAX.UNIANDES.EDU.CO.	604800	IN	A	157.253.50.30
+DNS.NIC.CD.		604800	IN	A	194.38.74.11
+NS.DNS.PT.		604800	IN	A	193.136.0.1
+NS1.INTERNETSHARE.com.	604800	IN	A	63.207.108.53
+MASTER.DNS.BE.		604800	IN	A	194.7.171.243
+CATAMOUNT.middlebury.EDU. 604800 IN	A	140.233.2.204
+FM03.FM.		604800	IN	A	206.49.89.4
+NAAMAK.NCST.ERNET.IN.	604800	IN	A	202.41.110.66
+gateway2.BFG.com.	604800	IN	A	166.102.214.66
+NS3.NS.ESAT.net.	604800	IN	A	192.111.39.100
+DNS1.INTUIT.com.	604800	IN	A	208.157.255.4
+DEN-NS2.FWIDCSERVICES.net. 604800 IN	A	216.7.160.32
+SOL.UNDPBI.TELEPAC.net.	604800	IN	A	194.65.87.2
+NS2.tridog.com.		604800	IN	A	206.168.112.51
+DNS2.KW.		604800	IN	A	161.252.48.150
+NS2.MAIL.com.		604800	IN	A	165.251.1.3
+NS.FIRSTCOM.CL.		604800	IN	A	200.27.2.2
+DNS4.QUICKEN.com.	604800	IN	A	198.3.99.252
+bofh.cid.net.		604800	IN	A	212.172.21.254
+NS1.KRNIC.net.		604800	IN	A	202.30.50.51
+NS2.SR.net.		604800	IN	A	200.1.156.11
+NS1.TELSTRA.net.	604800	IN	A	139.130.4.5
+ns.cafax.SE.		604800	IN	A	192.71.228.17
+NS1.DNS.NET.NZ.		604800	IN	A	202.46.161.3
+NS.CONCOURSE.com.	604800	IN	A	199.218.113.2
+35.32/27.110.16.12.IN-ADDR.ARPA. 604800	IN PTR	mail.nova-data.com.
+CCC.champcable.com.	604800	IN	A	207.41.53.11
+NS.RIPE.net.		604800	IN	A	193.0.0.193
+NS.NIC.NU.		604800	IN	A	128.11.47.50
+KIM.CAMNET.CM.		604800	IN	A	195.24.192.35
+DOGON.SOTELMA.net.	604800	IN	A	208.144.230.1
+DNS02.FLAME.org.	604800	IN	A	204.152.184.97
+NS.MIA.BELLSOUTH.net.	604800	IN	A	205.152.16.20
+mail.ok.RU.		604800	IN	A	195.2.83.162
+NS.NIC.MX.		604800	IN	A	200.23.1.1
+NS2.BERKELEY.EDU.	604800	IN	A	128.32.136.12
+NS2.BERKELEY.EDU.	604800	IN	A	128.32.206.12
+SHIKHAR.MOS.COM.NP.	604800	IN	A	202.52.255.5
+noc.rrz.Uni-Koeln.de.	604800	IN	A	134.95.100.209
+NS.KORNET.net.		604800	IN	A	168.126.63.1
+keith.gazpacho.org.	604800	IN	A	209.67.235.37
+NS2.appliedtheory.com.	604800	IN	A	168.75.17.11
+NS.CERNET.net.		604800	IN	A	202.112.0.44
+smtp.ELISTX.com.	604800	IN	A	209.116.252.130
+NS-AIT.THNIC.net.	604800	IN	A	192.41.170.219
+from.PL.		604800	IN	A	212.160.132.114
+mailhub.icann.org.	604800	IN	A	192.0.34.33
+SEC1.DNS.UK.PSI.net.	604800	IN	A	154.32.105.34
+isrv3-i.isc.org.	604800	IN	A	204.152.184.87
+PHLOEM.UOREGON.EDU.	604800	IN	A	128.223.32.35
+CTINA.AR.		604800	IN	A	200.16.97.17
+DNS2.IAM.NET.MA.	604800	IN	A	212.217.0.12
+10.126.39.137.IN-ADDR.ARPA. 604800 IN	PTR	Fddi0-0.New-York4.NY.ALTER.NET.
+DNS.PRINCETON.EDU.	604800	IN	A	128.112.129.15
+NS.BELLSOUTH.net.	604800	IN	A	205.152.0.5
+NS1.SNS-FELB.DEBIS.com.	604800	IN	A	53.122.1.10
+localhost.		604800	IN	A	127.0.0.1
+hm6.vt.highmeadow.com.	604800	IN	A	207.136.209.6
+SYRUP.hill.com.		604800	IN	A	208.162.106.3
+NS99.WAIKATO.AC.NZ.	604800	IN	A	130.217.76.27
+NS4.CW.net.		604800	IN	A	204.70.49.234
+NS2.SLOWMOE.com.	604800	IN	A	137.118.8.50
+ns2.hypa.net.		604800	IN	A	63.160.181.11
+ns.sxtyptt.NET.CN.	604800	IN	A	202.99.192.68
+NS2.MERCHANTWARE.com.	604800	IN	A	209.170.142.35
+uunymdgds1.DOUBLECLICK.net. 604800 IN	A	206.65.183.21
+e34.co.us.IBM.com.	604800	IN	A	32.97.110.132
+kista.dns.swip.net.	604800	IN	A	192.71.220.9
+ZEBRA.UEM.MZ.		604800	IN	A	196.3.96.67
+NET2.GENDYN.com.	604800	IN	A	204.60.171.9
+NS0.UTK.EDU.		604800	IN	A	160.36.0.66
+NS.RELCOM.EU.net.	604800	IN	A	193.124.23.3
+DNS0.AXION.BT.CO.UK.	604800	IN	A	132.146.5.1
+mail.vhv.com.		604800	IN	A	208.5.161.11
+DNS4.UK.MSFT.net.	604800	IN	A	213.199.144.152
+NS2.ADNS.net.		604800	IN	A	199.5.157.3
+NS1.SEATTLE.US.NETDNS.com. 604800 IN	A	206.253.214.13
+NS2.UNIVIE.AC.at.	604800	IN	A	193.171.255.66
+NS15B.BOCA15-VERIO.com.	604800	IN	A	208.55.91.51
+www.BAYAREA.com.	604800	IN	CNAME	vh80040.vh8.infi.net.
+ns4.onemain.com.	604800	IN	A	63.208.210.11
+NS2.EDIGITALS.com.	604800	IN	A	211.39.139.36
+MICHAEL.VATICAN.VA.	604800	IN	A	212.77.0.2
+AUSTIN.GH.com.		604800	IN	A	196.3.64.1
+sld-ns2.CNNIC.NET.CN.	604800	IN	A	202.97.16.197
+NS2.CDC.GOV.		604800	IN	A	198.246.96.92
+NS.WATSON.IBM.com.	604800	IN	A	198.81.209.2
+NS.NIC.SH.		604800	IN	A	194.205.62.60
+NS2.BAHNHOF.net.	604800	IN	A	212.85.64.4
+NS-AUTH2.cmates.com.	604800	IN	A	208.23.213.3
+ISDMNL.WR.USGS.GOV.	604800	IN	A	130.118.4.2
+NS2.COBEX.net.		604800	IN	A	207.102.129.72
+MERLE.CIRA.CA.		604800	IN	A	64.26.149.98
+NS.UVG.EDU.GT.		604800	IN	A	168.234.68.2
+NS1.CWVA.DOUBLECLICK.net. 604800 IN	A	205.138.3.20
+eliot.diebold.com.	604800	IN	A	204.151.249.21
+NS.ALMADEN.IBM.com.	604800	IN	A	198.4.83.35
+NS2.INTERNETSQUARE.com.	604800	IN	A	205.227.232.9
+mail.QUEST-NET.com.	604800	IN	A	207.140.30.11
+Z1.NS.LHR1.GLOBIX.net.	604800	IN	A	212.111.32.38
+DNS1.AVANTEL.NET.MX.	604800	IN	A	200.33.213.66
+vh80040.vh8.INFI.net.	604800	IN	A	209.97.59.245
+NS.LEB.net.		604800	IN	A	206.127.55.2
+NS.DCC.UCHILE.CL.	604800	IN	A	146.83.5.204
+CLOUSO.RISQ.QC.CA.	604800	IN	A	192.26.210.1
+muenster.westfalen.de.	604800	IN	A	193.174.5.2
+us.a1.YIMG.com.		604800	IN	CNAME	a32.g.a.YIMG.com.
+NS.DEMOS.SU.		604800	IN	A	194.87.0.8
+NS.DEMOS.SU.		604800	IN	A	194.87.0.9
+south.NAVPOINT.com.	604800	IN	A	207.106.42.12
+netconsult.netconx.de.	604800	IN	A	193.141.75.1
+DNS2.btinternet.com.	604800	IN	A	194.73.73.94
+NS2.CINE.net.		604800	IN	A	207.168.250.12
+castor.cmc.ec.gc.CA.	604800	IN	A	142.135.4.14
+EX2-DNS0.AVENUEA.com.	604800	IN	A	216.34.88.20
+firewall3.glaxowellcome.com. 604800 IN	A	192.58.204.207
+MACU.MA.MT.NP.ELS-GMS.att.net. 604800 IN A	199.191.145.136
+NS.PA.			604800	IN	A	168.77.8.2
+TGSERV.TELE.GL.		604800	IN	A	194.177.224.7
+KYNSE02.MESSAGESECURE.com. 604800 IN	A	216.142.252.201
+GORGON.XTRA.CO.NZ.	604800	IN	A	202.27.158.34
+DNS.NIC.IT.		604800	IN	A	193.205.245.5
+pop.VERMONTEL.net.	604800	IN	CNAME	loomis.VERMONTEL.net.
+NS2.REGISTRY.HM.	604800	IN	A	209.54.168.55
+NAMESERVER1.CONCENTRIC.net. 604800 IN	A	207.155.183.73
+47.131.127.204.IN-ADDR.ARPA. 604800 IN	PTR	mtiwmhc22.worldnet.att.net.
+mailhost.tfm.com.	604800	IN	A	192.231.224.11
+NS1.MRC.GM.		604800	IN	A	212.60.69.1
+NS.WIDE.AD.JP.		604800	IN	A	203.178.136.63
+NS.BTA.NET.CN.		604800	IN	A	202.96.0.133
+NS2.ISPC.org.		604800	IN	A	209.124.64.11
+BOW.RAIN.FR.		604800	IN	A	194.51.3.49
+srs.srs.state.vt.us.	604800	IN	A	159.105.101.150
+NS4.WEB2010.com.	604800	IN	A	216.157.55.6
+NS.TELECOM.NET.ET.	604800	IN	A	196.27.22.43
+NS1.DNS.NET.KH.		604800	IN	A	203.127.100.21
+GATEN.JARING.MY.	604800	IN	A	161.142.227.17
+shell.nominum.com.	604800	IN	A	204.152.187.59
+CHEOPS.ANU.EDU.AU.	604800	IN	A	150.203.224.24
+VANGOGH.CS.BERKELEY.EDU. 604800	IN	A	128.32.33.5
+NS2.NOC.NULLUS.net.	604800	IN	A	63.119.253.254
+NIC.LTH.SE.		604800	IN	A	130.235.20.3
+ns.farm.net.		604800	IN	A	216.112.179.160
+NS.USEC.SUN.com.	604800	IN	A	192.9.48.3
+NS2.YOUR-DOMAIN.com.	604800	IN	A	216.167.31.177
+DNS-EAST.PREP.net.	604800	IN	A	129.250.252.10
+ns.hcr.net.		604800	IN	A	208.240.246.4
+NS-RCH.nortelnetworks.com. 604800 IN	A	192.135.215.2
+crl.DEC.com.		604800	IN	A	192.58.206.2
+NS.PIXAR.ES.		604800	IN	A	194.143.196.3
+MEX1-M-213.UNINET.NET.MX. 604800 IN	A	200.33.146.213
+NS.ITU.CH.		604800	IN	A	156.106.192.121
+matrix.uwm.EDU.PL.	604800	IN	A	213.184.3.136
+gateway1.gmcr.com.	604800	IN	A	12.34.108.130
+NS2.DNS.BR.		604800	IN	A	200.19.119.99
+foxharp.boston.MA.us.	604800	IN	MX	10 bparker.connactivity.com.
+Quest-7.symquest.com.	604800	IN	A	64.69.102.131
+NS2.VERIO.net.		604800	IN	A	129.250.31.190
+NAME.IAD.GBLX.net.	604800	IN	A	204.152.166.155
+NS2.EMIRATES.NET.AE.	604800	IN	A	194.170.1.7
+supai.oit.UMASS.EDU.	604800	IN	A	128.119.175.6
+QUERN.EPILOGUE.com.	604800	IN	A	128.224.1.136
+NS3.TOPICA.com.		604800	IN	A	206.111.131.72
+NS1.JERKY.net.		604800	IN	A	204.57.55.100
+JTB.BRUNET.BN.		604800	IN	A	202.160.8.2
+AUTH100.NS.UU.net.	604800	IN	A	198.6.1.202
+BOW.INTNET.DJ.		604800	IN	A	193.251.143.253
+OSI2.GUA.net.		604800	IN	A	205.161.188.3
+AZMODAN.ULA.VE.		604800	IN	A	150.185.130.16
+THUMPER.RPSLMC.EDU.	604800	IN	A	144.74.22.8
+ICHU.RCP.NET.PE.	604800	IN	A	161.132.5.14
+NS.NIC.AC.		604800	IN	A	194.205.62.120
+DNS.NETFLIGHT.com.	604800	IN	A	207.88.32.2
+ns2.UTORONTO.CA.	604800	IN	A	128.100.102.202
+mail.giffordmed.org.	604800	IN	A	130.189.100.51
+RATA.VUW.AC.NZ.		604800	IN	A	130.195.2.11
+NS-2.ADMONITOR.net.	604800	IN	A	216.35.185.40
+NCC.MOC.KW.		604800	IN	A	196.1.69.98
+NS.EUNET.ES.		604800	IN	A	193.127.1.11
+NS3.best.com.		604800	IN	A	209.24.149.42
+zip.MAIL-LIST.com.	604800	IN	MX	5 zip.MAIL-LIST.com.
+zip.MAIL-LIST.com.	604800	IN	MX	20 sluice.MAIL-LIST.com.
+zip.MAIL-LIST.com.	604800	IN	MX	20 pipeline.MAIL-LIST.com.
+zip.MAIL-LIST.com.	604800	IN	MX	20 transport.MAIL-LIST.com.
+zip.MAIL-LIST.com.	604800	IN	MX	50 brisk.MAIL-LIST.com.
+zip.MAIL-LIST.com.	604800	IN	MX	50 swifty.MAIL-LIST.com.
+zip.MAIL-LIST.com.	604800	IN	MX	50 velocity.MAIL-LIST.com.
+JATZ.AARNET.EDU.AU.	604800	IN	A	139.130.204.4
+DNS2.MAN.LODZ.PL.	604800	IN	A	212.51.192.5
+NS.VERITAS.com.		604800	IN	A	204.177.156.38
+218.241.103.199.IN-ADDR.ARPA. 604800 IN	PTR	abyssinian.sleepycat.com.
+BOW.SNPT.KM.		604800	IN	A	195.101.19.253
+Z1.NS.SJC1.GLOBIX.net.	604800	IN	A	209.10.34.55
+DNS.NIC.TT.		604800	IN	A	24.3.198.194
+MAKISIG.IPHIL.net.	604800	IN	A	203.176.28.135
+NS.DK.net.		604800	IN	A	193.88.44.42
+NS.NI.			604800	IN	A	200.30.36.8
+NS.NI.			604800	IN	A	165.98.1.2
+CIUP1.NCC.UP.PT.	604800	IN	A	193.136.51.52
+ns2.verisign-grs.com.	604800	IN	A	198.41.3.108
+NS1.UMASS.EDU.		604800	IN	A	128.119.166.14
+NS.NEWACCOUNT.net.	604800	IN	A	216.121.96.26
+UDNS2.ULTRADNS.net.	604800	IN	A	204.74.101.1
+NS2.LATNET.LV.		604800	IN	A	159.148.108.1
+info-server.surrey.AC.UK. 604800 IN	A	131.227.102.6
+NS2.SQUONK.net.		604800	IN	A	63.84.12.135
+NS2.DSO.net.		604800	IN	A	206.16.77.11
+www.energyenhancement.org. 604800 IN	A	216.121.175.228
+DNS1.BD.		604800	IN	A	209.58.24.5
+nl.COMPUWARE.com.	604800	IN	MX	150 uucp.nl.net.
+nl.COMPUWARE.com.	604800	IN	MX	50 bitbucket.extern.uniface.nl.
+nl.COMPUWARE.com.	604800	IN	MX	100 smtp.nl.net.
+NS.DHIRAAGU.MV.		604800	IN	A	202.1.192.196
+TRANTOR.UMD.EDU.	604800	IN	A	128.8.10.14
+NS.ALCANET.NO.		604800	IN	A	193.213.238.10
+Z6.MSFT.AKADNS.com.	604800	IN	A	207.229.152.20
+NS4.ync.net.		604800	IN	A	206.185.20.9
+CMTU.MT.NS.ELS-GMS.att.net. 604800 IN	A	12.127.16.69
+vh40099.vh4.INFI.net.	604800	IN	A	209.97.59.121
+ns2.secondary.nl.	604800	IN	A	194.229.138.6
+abyssinian.sleepycat.com. 604800 IN	A	199.103.241.218
+APHEX.MENTOR.BE.	604800	IN	A	193.121.64.5
+webmail.fiberia.com.	604800	IN	A	216.55.147.2
+localhost.moonmothers.com. 604800 IN	A	127.0.0.1
+NS2.DNS.LU.		604800	IN	A	158.64.229.3
+NS.VISUALCOM.ES.	604800	IN	A	194.143.202.202
+TONIC.TO.		604800	IN	A	206.184.59.10
+NS1.CRSNIC.net.		604800	IN	A	198.41.3.39
+trurl.ispid.com.PL.	604800	IN	A	195.150.99.3
+datingagentur.de.	604800	IN	A	212.227.216.57
+NS2.NSIREGISTRY.net.	604800	IN	A	198.41.3.108
+ICE.VIA-NET-WORKS.IE.	604800	IN	A	212.17.32.2
+sgi1.map.com.		604800	IN	A	204.71.19.20
+NS0.HS0.U-NET.net.	604800	IN	A	194.119.128.70
+candle.pha.pa.us.	604800	IN	A	162.33.245.46
+NS1.PACIFIC.NET.SG.	604800	IN	A	192.169.33.3
+NS.CENIAI.NET.CU.	604800	IN	A	169.158.128.136
+NS2.UUCP.NE.JP.		604800	IN	A	210.141.111.69
+za.akamaitech.net.	604800	IN	A	204.178.107.226
+NS.UCR.AC.CR.		604800	IN	A	163.178.88.2
+DNS-02.NS.cs.com.	604800	IN	A	205.188.157.235
+dns2.primary.net.	604800	IN	A	205.242.187.235
+PAPPSRV.PAPP.UNDP.org.	604800	IN	A	192.115.229.1
+NS1.REGME.com.		604800	IN	A	207.153.57.14
+DNS.CS.KULEUVEN.AC.BE.	604800	IN	A	134.58.40.4
+NS1.VERMONTLAW.net.	604800	IN	A	63.89.26.15
+mail.garmontusa.com.	604800	IN	A	64.30.8.178
+NS2.SAIPAN.com.		604800	IN	A	202.128.28.2
+NS.ARICATRA.com.	604800	IN	A	206.64.112.114
+ns2.reedmedia.net.	604800	IN	A	209.241.86.6
+NS.NETLAB.SK.		604800	IN	A	195.168.1.4
+RELAY.GW.tislabs.com.	604800	IN	A	192.94.214.100
+b.ns.tmcs.net.		604800	IN	A	209.104.33.252
+NS1.IBL.BM.		604800	IN	A	199.172.192.1
+ok.RU.			604800	IN	A	195.2.83.162
+NS.RICC.ALMA-ATA.SU.	604800	IN	A	194.87.112.4
+KITKA.MARNET.MK.	604800	IN	A	194.149.131.2
+dasher.dartmouth.EDU.	604800	IN	A	129.170.208.6
+NS0.PLANET-THREE.com.	604800	IN	A	212.49.219.164
+KNOCK.SER.BBNPLANET.net. 604800	IN	A	192.239.16.129
+tornado.webtech.elk.PL.	604800	IN	A	212.244.162.100
+AUTH2.NS.IDT.net.	604800	IN	A	169.132.133.1
+host3.VTLEGALAID.org.	604800	IN	A	207.136.208.115
+NS.EUNET.SK.		604800	IN	A	192.108.130.33
+TULKU.NIC.AR.		604800	IN	A	200.16.97.77
+RELAY.CDNNET.CA.	604800	IN	A	192.73.5.1
+DNS2.TPSA.PL.		604800	IN	A	194.204.152.34
+enterprise.wirbel.com.	604800	IN	A	194.231.54.2
+ECNET.EC.		604800	IN	A	157.100.45.2
+ENGINE1.UNA.net.	604800	IN	A	208.136.52.74
+WYCU.WY.BR.NP.ELS-GMS.att.net. 604800 IN A	199.191.128.43
+ARWENA.NASK.WAW.PL.	604800	IN	A	193.59.201.28
+PAC2.NIPR.MIL.		604800	IN	A	199.252.155.234
+DAISY.EE.UND.AC.ZA.	604800	IN	A	146.230.192.18
+odin.ietf.org.		604800	IN	A	132.151.1.176
+dns.kaben-net.de.	604800	IN	A	195.179.28.17
+NS2.ALTAVISTA.com.	604800	IN	A	209.73.164.7
+CASTOR.TELEGLOBE.net.	604800	IN	A	199.202.55.2
+CIR.RED.SV.		604800	IN	A	168.243.254.1
+PIJIN.COM.SB.		604800	IN	A	202.139.42.10
+NS4.CTCCOM.net.		604800	IN	A	64.69.100.35
+NS1.SOL.NO.		604800	IN	A	195.225.2.10
+DNS2.TK.MSFT.net.	604800	IN	A	207.46.232.38
+NS.BSDI.com.		604800	IN	A	207.174.116.8
+NS.SVIANED.nl.		604800	IN	A	143.177.1.3
+NS.NOVELL.com.		604800	IN	A	137.65.1.1
+NS.LUCKY.net.		604800	IN	A	193.193.193.100
+SJC-NS2.SJC.LYCOS.com.	604800	IN	A	206.79.171.40
+NS1.OP.net.		604800	IN	A	209.152.193.4
+worldnet.att.net.	604800	IN	A	199.70.151.234
+APIES.FRD.AC.ZA.	604800	IN	A	137.214.80.1
+mail.skiinsurance.com.	604800	IN	A	207.136.205.152
+NS.BELNET.BE.		604800	IN	A	193.190.198.2
+NS.BELNET.BE.		604800	IN	A	193.190.198.10
+KOMO.INET.GA.		604800	IN	A	208.148.44.1
+EARTH.THEPLANET.net.	604800	IN	A	195.92.195.222
+VASCO.USMA.AC.PA.	604800	IN	A	208.141.92.2
+GODFEVER.DCCSERVER.com.	604800	IN	A	208.137.22.6
+BOS-NS2.BOS.LYCOS.com.	604800	IN	A	209.67.228.40
+NS2.GOTO.com.		604800	IN	A	204.71.128.137
+NS1.overstock.com.	604800	IN	A	207.225.194.13
+NS1-PUBLIC.ZMA.COMPAQ.com. 604800 IN	A	161.114.64.24
+ns.ilovedomain.com.	604800	IN	A	211.175.164.170
+ns1.anycast.net.	604800	IN	A	216.196.51.4
+PASCAL.UPRR.PR.		604800	IN	A	134.202.1.120
+NS3-AUTH.SPRINTLINK.net. 604800	IN	A	144.228.255.10
+NS1-Y.DNS.PIPEX.net.	604800	IN	A	158.43.193.89
+prue.eim.surrey.AC.UK.	604800	IN	A	131.227.76.5
+TROLL-GW.GATECH.EDU.	604800	IN	A	130.207.244.251
+NS.SIERRATEL.SL.	604800	IN	A	194.133.124.5
+ns2.PSHIFT.com.		604800	IN	A	208.153.85.21
+NS.ERS.IBM.com.		604800	IN	A	204.146.173.35
+ASLAN.OPEN-RSC.org.	604800	IN	A	199.5.157.128
+NS2.DOMAIN-REGISTRY.nl.	604800	IN	A	193.176.144.130
+uranus.lan-ks.de.	604800	IN	A	194.45.71.1
+mail.unlisys.net.	604800	IN	A	195.21.255.252
+NS.AUSTRIA.EU.net.	604800	IN	A	192.92.138.35
+AUTH01.CONNECT.IE.	604800	IN	A	194.106.128.50
+SUN.SCSI.GOV.BY.	604800	IN	A	195.50.5.103
+NS1.SIGMAHOSTING.com.	604800	IN	A	209.241.86.6
+NS.CAST.EDU.JM.		604800	IN	A	200.9.115.2
+DS.NIC.NET.SG.		604800	IN	A	202.42.194.205
+PRADES.CESCA.ES.	604800	IN	A	192.94.163.152
+ns.sta.NET.CN.		604800	IN	A	202.96.199.133
+NSE00.excite.com.	604800	IN	A	198.3.102.250
+NS3.ABOVE.net.		604800	IN	A	207.126.105.146
+CASBAH.ELDJAZAIR.NET.DZ. 604800	IN	A	193.194.81.45
+ASKIA.SOTELMA.ML.	604800	IN	A	208.144.230.3
+NS.IDT.net.		604800	IN	A	198.4.75.100
+FXCLPR02.IS.CHRYSLER.com. 604800 IN	A	204.189.94.37
+SVC00.APNIC.net.	604800	IN	A	202.12.28.131
+NS5.DCX.YAHOO.com.	604800	IN	A	216.32.74.10
+ns1.ray.net.		604800	IN	A	195.238.228.131
+NS.NIC.MC.		604800	IN	A	195.78.6.131
+ns.runway.CN.net.	604800	IN	A	211.101.132.8
+benoni.uit.NO.		604800	IN	A	129.242.4.254
+SCRATCHY.MINDSPRING.net. 604800	IN	A	207.69.200.211
+ns1.pcode.com.		604800	IN	A	216.15.192.135
+ns1.aha.RU.		604800	IN	A	195.2.80.142
+ns2.uwaterloo.CA.	604800	IN	A	129.97.128.100
+ns2.NIC.AD.JP.		604800	IN	A	202.12.30.133
+a.ns.foxharp.boston.MA.us. 604800 IN	A	24.147.209.205
+NS.NIC.IO.		604800	IN	A	194.205.62.100
+A-GTLD-SERVERS.dot-god.com. 604800 IN	A	205.189.73.123
+SMTP.slac.stanford.EDU.	604800	IN	A	134.79.18.80
+52.87.198.209.IN-ADDR.ARPA. 604800 IN	PTR	mqueue0.sover.net.
+BARNEY.ADVSYS.CO.UK.	604800	IN	A	194.72.124.2
+NS1.TELEPAC.PT.		604800	IN	A	194.65.3.20
+NICOSIA.CCS.UCY.AC.CY.	604800	IN	A	194.42.6.97
+NS.PUNCHDOWN.org.	604800	IN	A	140.174.131.100
+SYNAESTHESIA.COGNOSCENTI.org. 604800 IN	A	207.208.112.4
+NS2.PLANET-THREE.net.	604800	IN	A	212.49.219.190
+DNS.CIT.CORNELL.EDU.	604800	IN	A	192.35.82.50
+MODOR.VERISIGN.net.	604800	IN	A	205.139.94.55
+SUNSTROKE.IS.RPSLMC.EDU. 604800	IN	A	144.74.21.8
+NS2.SEG.net.		604800	IN	A	206.34.181.16
+NEMUNAS.SC-UNI.KTU.LT.	604800	IN	A	193.219.32.13
+MULGA.CS.MU.OZ.AU.	604800	IN	A	128.250.1.22
+MULGA.CS.MU.OZ.AU.	604800	IN	A	128.250.37.150
+NS1.NPLUS.GF.		604800	IN	A	195.6.144.3
+ns2.centralinfo.net.	604800	IN	A	63.102.204.130
+K.GTLD-SERVERS.net.	604800	IN	A	213.177.194.5
+ns1.codelocal.com.	604800	IN	A	216.15.192.130
+NS2.IPNS.com.		604800	IN	A	63.230.183.1
+NS0.DE.NIC.NU.		604800	IN	A	216.200.116.40
+NS.USSR.EU.net.		604800	IN	A	193.124.22.65
+NS.INTERNET.SK.		604800	IN	A	192.108.130.91
+CORREOS.SEKER.ES.	604800	IN	A	194.179.87.1
+mx1.buf.ADELPHIA.net.	604800	IN	A	24.48.36.10
+aun.UNINETT.NO.		604800	IN	A	129.241.1.99
+NS0.NETANET.com.	604800	IN	A	195.172.127.72
+NS0.NETANET.com.	604800	IN	A	194.6.96.218
+www.MANY-PATHS-ENERGY-ENHANCEMENT.com. 604800 IN A 66.33.4.50
+NS2.STARFIRE.DOUGLAS.MA.us. 604800 IN	A	216.129.136.9
+NS3.IKP.PL.		604800	IN	A	157.25.5.30
+pns.dtag.de.		604800	IN	A	194.25.0.125
+NZ.NS.NIC.NU.		604800	IN	A	203.97.132.66
+DAVER.bungi.com.	604800	IN	A	207.126.97.2
+DAVER.bungi.com.	604800	IN	A	206.14.228.2
+gutenberg.bucksnet.com.	604800	IN	A	207.113.15.5
+DNS2.IT.net.		604800	IN	A	151.1.2.1
+NS2.SNS-UT.DEBIS.com.	604800	IN	A	53.122.2.10
+ISI.EDU.		604800	IN	A	128.9.176.32
+amethyst.xaos.org.	604800	IN	A	204.145.159.12
+PAPPILLOMA.WWEBSVS.com.	604800	IN	A	209.233.37.10
+NS2.bock.com.		604800	IN	A	64.30.29.4
+NS2.OAR.net.		604800	IN	A	192.88.195.10
+MINION.NETPOLICY.com.	604800	IN	A	207.87.121.66
+Mail.catic1.com.	604800	IN	A	207.190.204.103
+NS4.DNS.space.net.	604800	IN	A	195.222.210.93
+b.gtld-servers.ORSC.	604800	IN	A	216.13.126.116
+bend.madriver.com.	604800	IN	A	207.136.232.15
+NS4.IS-FUN.net.		604800	IN	A	212.162.54.34
+NS2.JPS.net.		604800	IN	A	216.224.156.252
+NS1.IP-PLUS.net.	604800	IN	A	164.128.36.34
+rush.cc1.RPSLMC.EDU.	604800	IN	A	144.74.150.23
+NS2.GBMTECH.net.	604800	IN	A	208.243.164.3
+DNS.MSEN.com.		604800	IN	A	148.59.19.11
+DNSSEC2.SINGNET.COM.SG.	604800	IN	A	195.13.10.226
+NS2.HOME.net.		604800	IN	A	24.2.0.27
+ACCESS.MBNET.MB.CA.	604800	IN	A	130.179.16.143
+DNS0.SPIN.AD.JP.	604800	IN	A	165.76.0.98
+Filer.PHOTOTRUST.com.	604800	IN	A	64.85.86.172
+jpl.NASA.GOV.		604800	IN	A	137.78.160.180
+NS2.TECHNOLOGIA.net.	604800	IN	A	207.253.59.4
+bparker.CONNACTIVITY.com. 604800 IN	A	206.34.200.200
+NS1.uvm.EDU.		604800	IN	A	132.198.201.10
+NS.SENET.net.		604800	IN	A	206.155.163.195
+DNS2.UTCC.UTORONTO.CA.	604800	IN	A	128.100.102.201
+localhost.costorf.com.	604800	IN	A	127.0.0.1
+DNS2.AD.		604800	IN	A	194.158.64.8
+HYDRA.HELSINKI.FI.	604800	IN	A	128.214.4.29
+NAME.PHX.GBLX.net.	604800	IN	A	206.165.6.10
+NS2.FOOL.com.		604800	IN	A	208.51.76.222
+NS01-SERVER.CURINFO.AN.	604800	IN	A	200.44.117.129
+NS.CR.			604800	IN	A	163.178.8.2
+mail.pshift.net.	604800	IN	A	208.153.85.30
+NS.IRD.FR.		604800	IN	A	195.83.14.1
+NS.UZ.			604800	IN	A	213.68.88.11
+DNS.INTELCOM.SM.	604800	IN	A	194.183.64.11
+DNS2.UNIV-NKC.MR.	604800	IN	A	193.251.145.154
+HNS3.hns.com.		604800	IN	A	208.236.67.3
+bay.cs.UTORONTO.CA.	604800	IN	A	128.100.1.1
+NS0.BT.net.		604800	IN	A	194.72.6.51
+BAYONET.SJMERCURY.com.	604800	IN	A	207.1.134.34
+PAN.BIJT.net.		604800	IN	A	213.196.2.97
+NAVI.SUBTEND.net.	604800	IN	A	208.186.117.224
+NS.CIX.CX.		604800	IN	A	195.222.235.216
+waldorf.Informatik.Uni-Dortmund.de. 604800 IN A	129.217.4.42
+NS2.ivillage.com.	604800	IN	A	209.185.162.16
+DNS.NIC.XLINK.net.	604800	IN	A	193.141.40.42
+NS1.MERCHANTWARE.CON.	604800	IN	A	209.170.142.34
+NS.TO.GD-ES.com.	604800	IN	A	199.107.240.66
+NS-A.RNC.RO.		604800	IN	A	192.162.16.31
+REGGAE.NCREN.net.	604800	IN	A	128.109.131.3
+SSS-NL.DENIC.de.	604800	IN	A	193.0.0.237
+NS1.TDC.TO.		604800	IN	A	206.86.247.250
+NS.NIC.HU.		604800	IN	A	193.6.27.62
+JOANNA.WILLIAM.org.	604800	IN	A	195.153.6.2
+NS0.IIJ.AD.JP.		604800	IN	A	202.232.2.34
+maus.spack.org.		604800	IN	A	204.245.198.90
+B.NS.VERIO.net.		604800	IN	A	129.250.35.32
+SECDNS.EUNET.BE.	604800	IN	A	193.74.208.139
+NS3.EUROPE.YAHOO.com.	604800	IN	A	217.12.4.71
+A.ROOT-SERVERS.net.	604800	IN	A	198.41.0.4
+sherickpm.com.		604800	IN	MX	10 inbound.sherickpm.com.criticalpath.net.
+NS2.MEDIASERVICES.net.	604800	IN	A	64.65.16.237
+YARDBIRD.CNS.vt.EDU.	604800	IN	A	198.82.247.34
+SUNIC.SUNET.SE.		604800	IN	A	192.36.125.2
+NS.MT.			604800	IN	A	193.188.47.252
+CNDVG001.usa.net.	604800	IN	A	165.212.12.1
+NS1.CX.ESCROW.IOCOMM.NET.CX. 604800 IN	A	203.132.96.2
+DNS-02.NS.AOL.com.	604800	IN	A	205.188.157.232
+ns2.tesserae.com.	604800	IN	A	209.157.194.3
+SV10.BATELCO.COM.BH.	604800	IN	A	193.188.124.227
+dec.anr.state.vt.us.	604800	IN	MX	0 dec.anr.state.vt.us.
+dec.anr.state.vt.us.	604800	IN	MX	10 mx1.state.vt.us.
+dec.anr.state.vt.us.	604800	IN	MX	10 mx2.state.vt.us.
+3.133.188.192.IN-ADDR.ARPA. 604800 IN	PTR	elektro.com.
+NS1.LONDON.UK.NETDNS.com. 604800 IN	A	212.62.6.38
+NS.NIC.MG.		604800	IN	A	194.214.107.253
+DNS1.VN.		604800	IN	A	203.162.3.235
+DENS20.DEN.nps.GOV.	604800	IN	A	165.83.24.20
+z.ip6.INT.		604800	IN	A	198.32.2.66
+NS3.TRIVALLEY.com.	604800	IN	A	206.25.132.30
+isis.imag.FR.		604800	IN	A	129.88.32.24
+NS.SOVAM.com.		604800	IN	A	194.67.2.97
+NS-SOA.DARENET.DK.	604800	IN	A	130.226.1.4
+NS4.NIC.TV.		604800	IN	A	207.151.24.23
+DNSSRV1X.mitre.org.	604800	IN	A	199.94.97.51
+GATEKEEPER.NYTIMES.com.	604800	IN	A	199.181.175.201
+D.I-DNS.net.		604800	IN	A	211.169.245.170
+NS.KOLO.net.		604800	IN	A	209.66.103.20
+NS4.FIRSTWORLD.net.	604800	IN	A	216.7.160.162
+DECST.CERIST.DZ.	604800	IN	A	193.194.64.11
+NS4.DNS.WS.		604800	IN	A	216.52.234.102
+NS0.GDGSC.com.		604800	IN	A	192.160.62.66
+UCTHPX.UCT.AC.ZA.	604800	IN	A	137.158.128.1
+NS2.HOTWIRED.com.	604800	IN	A	209.185.151.6
+ns02.ca.us.ibm.net.	604800	IN	A	165.87.201.243
+NS2.SPEAKEASY.net.	604800	IN	A	216.231.41.22
+TELCOM.ZPTC.CO.ZW.	604800	IN	A	194.133.122.47
+NS.DK-HOSTMASTER.DK.	604800	IN	A	193.163.102.2
+NS.NIC.LK.		604800	IN	A	192.248.1.65
+NS2.zama.net.		604800	IN	A	203.142.130.5
+CZ.EUNET.CZ.		604800	IN	A	193.85.3.130
+NS.AC.ID.		604800	IN	A	202.159.124.34
+NS1.CUBE.de.		604800	IN	A	212.162.54.243
+NS1.QUASAR.net.		604800	IN	A	199.166.31.3
+NS1.OFFSHORE.AI.	604800	IN	A	209.88.68.34
+NS5.NRSITE.com.		604800	IN	A	208.178.169.4
+NS.AIC.net.		604800	IN	A	195.250.64.65
+OWL.NCC.nps.GOV.	604800	IN	A	165.83.34.60
+MAXIM.gbch.net.		604800	IN	A	203.9.155.249
+BOW.INTNET.TD.		604800	IN	A	193.251.147.253
+ns1.cacheware.com.	604800	IN	A	64.221.210.242
+NS2.SPEEDHOST.com.	604800	IN	A	216.42.31.169
+NS1.COMMIT.GM.		604800	IN	A	63.77.152.177
+NAME.ROC.GBLX.net.	604800	IN	A	209.130.187.10
+90.198.245.204.IN-ADDR.ARPA. 604800 IN	PTR	maus.spack.org.
+BOLOGNA.NETTUNO.IT.	604800	IN	A	193.43.2.5
+NIC.IBD.com.		604800	IN	A	209.249.61.18
+NS.WESTOL.com.		604800	IN	A	63.93.137.4
+time.SOVER.net.		604800	IN	CNAME	garnet.SOVER.net.
+UNIX1.CS.UMASS.EDU.	604800	IN	A	128.119.40.12
+AARDVARK.WR.UMIST.AC.UK. 604800	IN	A	130.88.146.3
+AARDVARK.WR.UMIST.AC.UK. 604800	IN	A	128.16.5.31
+NS1.NIC.YU.		604800	IN	A	147.91.8.6
+mail.velco.com.		604800	IN	A	198.136.217.106
+DNSAUTH2.SYS.GTEI.net.	604800	IN	A	4.2.49.3
+NS.TELE.FI.		604800	IN	A	193.210.19.19
+state.vt.us.		604800	IN	MX	10 mx1.state.vt.us.
+state.vt.us.		604800	IN	MX	10 mx2.state.vt.us.
+NS.NYC.juno.com.	604800	IN	A	205.231.108.1
+NS1.g-world.com.	604800	IN	A	216.26.39.10
+AUTH2.AMERICA.net.	604800	IN	A	209.17.197.18
+KIRA.ECS.UMASS.EDU.	604800	IN	A	128.119.91.10
+CONACYT.GOB.SV.		604800	IN	A	168.243.64.2
+DNS.SRCE.HR.		604800	IN	A	161.53.3.7
+NS00.ns0.com.		604800	IN	A	216.92.60.60
+NS2.CL.BELLSOUTH.net.	604800	IN	A	205.152.16.8
+jenner.med.HARVARD.EDU.	604800	IN	A	134.174.141.2
+p2.cavebear.com.	604800	IN	A	199.184.128.35
+NS1.NIC.JE.		604800	IN	A	216.110.45.224
+ORCU.OR.BR.NP.ELS-GMS.att.net. 604800 IN A	199.191.129.139
+NS.XBILL.org.		604800	IN	A	204.152.186.163
+WRAITH.CS.UOW.EDU.AU.	604800	IN	A	130.130.64.1
+12.159.145.204.IN-ADDR.ARPA. 604800 IN	PTR	amethyst.xaos.org.
+ns1.pr.SUN.com.		604800	IN	A	192.18.16.2
+NS.SPIN.OMNES.net.	604800	IN	A	192.23.90.196
+smtp.188.net.		604800	IN	A	202.96.125.104
+TERMINAL.2GLOBE.net.	604800	IN	A	195.178.183.230
+NS2.HARVARD.EDU.	604800	IN	A	128.103.1.1
+NAMESERVER.CNR.IT.	604800	IN	A	194.119.192.34
+EARTH.SY.		604800	IN	A	195.22.198.6
+DNS2.REACCIUN.VE.	604800	IN	A	150.188.4.212
+NS.TMX.COM.NI.		604800	IN	A	205.218.253.2
+freefour.acs.rpi.EDU.	604800	IN	A	128.113.24.91
+242.84.198.209.IN-ADDR.ARPA. 604800 IN	PTR	dlawren-gw.burl.sover.net.
+CORREU.STA.AD.		604800	IN	A	194.158.67.1
+NS.DRUKNET.NET.BT.	604800	IN	A	202.144.128.200
+NS4.US.PRSERV.net.	604800	IN	A	165.87.201.244
+KAASASSUK.GH.GL.	604800	IN	A	194.177.232.3
+ECUA.NET.EC.		604800	IN	A	157.100.1.2
+NS.CONCYT.GOB.GT.	604800	IN	A	168.234.106.2
+NS2.NAP.net.		604800	IN	A	206.54.224.1
+DNS2.CN.net.		604800	IN	A	202.97.18.61
+MX.NSI.NASA.GOV.	604800	IN	A	128.102.18.31
+NS.TDS.net.		604800	IN	A	204.246.1.20
+tdns-me1.NETSCAPE.com.	604800	IN	A	205.188.247.67
+NS2.METU.EDU.TR.	604800	IN	A	144.122.199.93
+NS2.SETARNET.AW.	604800	IN	A	206.48.100.11
+87.184.152.204.IN-ADDR.ARPA. 604800 IN	PTR	isrv3-i.isc.org.
+DNS.OMNIWAY.SM.		604800	IN	A	194.183.64.10
+NS0.U-NET.net.		604800	IN	A	194.119.128.65
+elektro.CMHNET.org.	604800	IN	A	192.188.133.3
+ns2.HIGGS.net.		604800	IN	A	204.80.125.145
+NS2.SKYNETWEB.com.	604800	IN	A	208.231.1.35
+MAGIC.MN.		604800	IN	A	202.131.0.10
+NS1.YAHOO.com.		604800	IN	A	204.71.200.33
+mx1.cdp.ADELPHIA.net.	604800	IN	A	24.48.58.221
+SANTO.VANUATU.COM.VU.	604800	IN	A	202.139.40.7
+www.mmuuf.org.		604800	IN	MX	10 gro.dd.org.
+ns1.timeheart.net.	604800	IN	A	63.197.231.203
+NS2.TOGETHER.net.	604800	IN	A	204.97.120.31
+NS.AMNIC.net.		604800	IN	A	195.250.64.90
+NS.EENET.EE.		604800	IN	A	193.40.56.245
+www.ONLINEPHOTOCONTEST.com. 604800 IN	A	64.85.86.152
+VIC20.BLIPP.com.	604800	IN	A	195.163.165.35
+DNS.FROGHOUSE.org.	604800	IN	A	207.121.69.243
+NS2.ELI.net.		604800	IN	A	207.173.86.2
+NS.CAIS.com.		604800	IN	A	205.177.10.10
+BAABEN.AFRIQ.net.	604800	IN	A	165.231.1.3
+NS2.NJ.EXODUS.net.	604800	IN	A	209.1.10.234
+DOMREG.NIC.CH.		604800	IN	A	130.59.1.80
+NS.EU.net.		604800	IN	A	192.16.202.11
+NS1.DIEBOLD.net.	604800	IN	A	65.196.80.10
+NS3.CP.net.		604800	IN	A	209.228.14.4
+DNS.FUW.EDU.PL.		604800	IN	A	193.0.80.11
+www.retro.com.		604800	IN	A	205.179.181.195
+NS2.UNI2.net.		604800	IN	A	195.82.195.99
+ns1.alcatrazmedia.com.	604800	IN	A	167.160.132.2
+dns6.CP.MSFT.net.	604800	IN	A	207.46.138.20
+NS1.SEYCHELLES.net.	604800	IN	A	202.84.235.33
+NS2.INTERNIC.net.	604800	IN	A	198.41.0.11
+front.macrosoft.WAW.PL.	604800	IN	A	194.196.86.66
+NISC.JVNC.net.		604800	IN	A	128.121.50.7
+AUTH03.NS.DE.UU.net.	604800	IN	A	192.76.144.16
+BURDELL.CC.GATECH.EDU.	604800	IN	A	130.207.3.207
+NS4.AH.net.		604800	IN	A	203.21.205.20
+ns1.sgh-net.de.		604800	IN	A	212.86.129.142
+Leland2.stanford.EDU.	604800	IN	A	171.64.14.58
+CBRU.BR.NS.ELS-GMS.att.net. 604800 IN	A	199.191.128.105
+DENEB.DOMAINNT.net.	604800	IN	A	207.211.220.90
+ns1.ivm.net.		604800	IN	A	62.204.1.1
+NS0.CWCI.net.		604800	IN	A	194.6.79.162
+35.110.16.12.IN-ADDR.ARPA. 604800 IN	CNAME	35.32/27.110.16.12.IN-ADDR.ARPA.
+f.trns.			604800	IN	A	209.133.38.16
+ODISEJ.TELEKOM.YU.	604800	IN	A	195.178.32.2
+FRCU.EUN.EG.		604800	IN	A	193.227.1.1
+NS.HHS.net.		604800	IN	A	63.93.136.29
+FOO.GRNET.GR.		604800	IN	A	194.177.210.211
+mail.WonderWorks.com.	604800	IN	A	192.203.206.67
+NS1.IAFRICA.com.	604800	IN	A	196.7.0.139
+NS.KACST.EDU.SA.	604800	IN	A	212.26.44.3
+srs.state.vt.us.	604800	IN	A	159.105.101.150
+OM4.OMANTEL.NET.OM.	604800	IN	A	206.49.101.5
+Yeshua.Christ.com.	604800	IN	A	207.54.4.5
+NS1.SIMORGH.com.	604800	IN	A	209.1.163.10
+OLKETA.SOLOMON.COM.SB.	604800	IN	A	202.139.42.4
+BANBA.DOMAINREGISTRY.IE. 604800	IN	A	193.1.142.2
+NOC.IOS.com.		604800	IN	A	198.4.75.69
+ns.schnism.net.		604800	IN	A	195.88.150.3
+e4.ny.us.IBM.com.	604800	IN	A	32.97.182.104
+DNS2.SEANET.com.	604800	IN	A	199.181.164.2
+doubt.dd.org.		604800	IN	A	209.198.103.193
+AMBER.ELEKTRON.PL.	604800	IN	A	195.117.6.10
+gw.rge.com.		604800	IN	A	157.225.178.11
+NS2.ZTNET.com.		604800	IN	A	63.211.17.252
+NS3.INFI.net.		604800	IN	A	205.219.239.5
+ZA.AKADNS.net.		604800	IN	A	209.185.188.39
+ESTIA.CSI.FORTH.GR.	604800	IN	A	139.91.191.3
+vtagr04.agr.state.vt.us. 604800	IN	A	159.105.50.4
+NS1-PUBLIC.ZTX.COMPAQ.com. 604800 IN	A	161.114.1.204
+ADMII.ARL.MIL.		604800	IN	A	128.63.31.4
+ADMII.ARL.MIL.		604800	IN	A	128.63.5.4
+NS.NIXU.FI.		604800	IN	A	193.209.237.29
+DNS2.PIONEERNET.net.	604800	IN	A	208.240.196.10
+NS.NIC.CL.		604800	IN	A	146.83.4.11
+NS2.UTZ.		604800	IN	A	160.124.112.10
+NS4.LUXNOC.com.		604800	IN	A	195.206.104.201
+NS2.PBI.net.		604800	IN	A	206.13.29.11
+annwfn.erfurt.thur.de.	604800	IN	A	194.122.210.3
+NS1.MW.mediaone.net.	604800	IN	A	24.131.1.8
+NS1.ISU.NET.SA.		604800	IN	A	212.26.18.3
+pop.SHOREHAM.net.	604800	IN	CNAME	SHOREHAM.net.
+DNS2.GUERNSEY.net.	604800	IN	A	195.226.128.3
+NS1.BEACHSHORE.net.	604800	IN	A	199.166.31.250
+HKUXB.HKU.HK.		604800	IN	A	147.8.16.15
+NS.DOLEH.com.		604800	IN	A	204.255.25.63
+NS.hactrn.net.		604800	IN	A	216.254.68.12
+MALAKULA.BONDY.IRD.FR.	604800	IN	A	193.50.53.1
+NS1.mediaone.net.	604800	IN	A	24.128.1.80
+NS2.GPG.com.		604800	IN	A	209.1.163.50
+noc.BelWue.de.		604800	IN	A	129.143.2.1
+NS2.GIP.net.		604800	IN	A	204.59.1.222
+RS.ISLES.net.		604800	IN	A	212.100.224.90
+BOW.INTNET.GQ.		604800	IN	A	195.101.152.253
+A.OPEN.BY.		604800	IN	A	194.226.121.36
+us.i1.YIMG.com.		604800	IN	CNAME	a1.g.a.YIMG.com.
+athome.wetlogic.net.	604800	IN	CNAME	c1059495-a.snvl1.sfba.home.com.
+NS1.NIST.GOV.		604800	IN	A	129.6.13.2
+mail.jerusalem-mail.com. 604800	IN	A	216.251.232.93
+ISDSUN.cr.USGS.GOV.	604800	IN	A	136.177.16.3
+NS.BOSTON.juno.com.	604800	IN	A	64.136.25.53
+NS2.CADABRA.com.	604800	IN	A	209.157.194.109
+nps.GOV.		604800	IN	MX	10 ccmail2.itd.nps.GOV.
+nps.GOV.		604800	IN	MX	5 ccmail.itd.nps.GOV.
+RELAY.HUJI.AC.IL.	604800	IN	A	128.139.6.1
+styx.tahina.priv.at.	604800	IN	A	194.152.163.253
+ISGATE.IS.		604800	IN	A	193.4.58.51
+ns0.lux.dot-eu.org.	604800	IN	A	195.206.105.102
+BILBO.NASK.ORG.PL.	604800	IN	A	195.187.245.51
+BILBO.NASK.ORG.PL.	604800	IN	A	148.81.16.51
+MAIL.TARSUS.com.	604800	IN	A	208.130.9.252
+SUN.REDIRIS.ES.		604800	IN	A	130.206.1.2
+NS2.NEASE.net.		604800	IN	A	202.103.134.4
+OHCU.OH.MT.NP.ELS-GMS.att.net. 604800 IN A	199.191.144.75
+NS2.NF.			604800	IN	A	203.12.249.101
+MIRAF-SERVER3.HONDUTEL.HN. 604800 IN	A	206.48.104.142
+ns3.worldnet.att.net.	604800	IN	A	204.127.160.1
+NS2.NETNAMES.net.	604800	IN	A	212.53.77.28
+ITGBOX.IAT.CNR.IT.	604800	IN	A	146.48.65.46
+NS2.ADELPHIA.net.	604800	IN	A	24.48.62.35
+NS2.RIPN.net.		604800	IN	A	195.209.0.6
+NS1.cinenet.net.	604800	IN	A	198.147.76.65
+jengate.thur.de.	604800	IN	A	193.174.15.34
+NOC.ULCC.JA.net.	604800	IN	A	193.63.94.25
+NS.NOC.UZ.		604800	IN	A	194.67.52.42
+NS0.JA.net.		604800	IN	A	128.86.1.20
+NS0.JA.net.		604800	IN	A	193.63.94.20
+NS2.INR.net.		604800	IN	A	198.77.208.3
+netsage.org.		604800	IN	A	209.67.235.38
+TERI.USP.AC.FJ.		604800	IN	A	144.120.8.1
+NS2.NETSOL.com.		604800	IN	A	198.17.208.71
+NS2.ABAC.com.		604800	IN	A	216.55.144.4
+NS2.NIC.FR.		604800	IN	A	192.93.0.4
+KANIN.ARNES.SI.		604800	IN	A	193.2.1.66
+NS.EDU.GU.		604800	IN	A	168.123.2.50
+DNS.INRIA.FR.		604800	IN	A	193.51.208.13
+HEDNS1.GOOGLE.com.	604800	IN	A	64.209.200.10
+asylum.sf.ca.us.	604800	IN	A	192.48.232.17
+ACT2.ACT2000.net.	604800	IN	A	207.42.132.227
+ICM1.ICP.net.		604800	IN	A	192.94.207.66
+202.192.103.198.209.IN-ADDR.ARPA. 604800 IN PTR	fraud.dd.org.
+ECSEL.jhuapl.EDU.	604800	IN	A	128.244.65.29
+NS2.DCNY.DOUBLECLICK.net. 604800 IN	A	204.253.104.10
+keith.netsage.org.	604800	IN	A	209.67.235.37
+MANTA.OUTREMER.com.	604800	IN	A	213.16.1.106
+NS2.globalnetisp.net.	604800	IN	A	207.136.213.2
+NS2.CCSRS.net.		604800	IN	A	206.253.214.73
+NS1.NL.CONCENTRIC.com.	604800	IN	A	195.18.114.5
+NS2.VI.net.		604800	IN	A	212.78.64.10
+NS2.NEO.net.		604800	IN	A	206.109.7.65
+cgi.MERCURYCENTER.com.	604800	IN	CNAME	vh80167.vh8.infi.net.
+ORSTOM.RIO.net.		604800	IN	A	192.33.151.1
+NS2.CONRADPROMOTIONS.com. 604800 IN	A	208.24.118.203
+YARRINA.CONNECT.COM.AU.	604800	IN	A	192.189.54.17
+dns03.OPS.usa.net.	604800	IN	A	204.68.24.136
+APPSRV.HAITIWORLD.com.	604800	IN	A	206.152.15.34
+NS.RELCOM.KZ.		604800	IN	A	212.110.240.65
+NS1.MAGIC-MOMENTS.com.	604800	IN	A	195.224.53.80
+NS.ALCATEL.com.		604800	IN	A	192.160.6.91
+ns2.terra.net.		604800	IN	A	199.103.128.2
+NS3.hotmail.com.	604800	IN	A	209.185.130.68
+vtc.VSC.EDU.		604800	IN	MX	0 eve.vtc.VSC.EDU.
+www.vmba.org.		604800	IN	MX	10 gro.dd.org.
+NAHOURI.ONATEL.BF.	604800	IN	A	206.82.130.195
+SERVER2.INFN.IT.	604800	IN	A	131.154.1.3
+NS2.AI-R.com.		604800	IN	A	66.33.4.51
+NS1.FREE.net.		604800	IN	A	147.45.15.34
+vcmr-54.server.rpi.EDU.	604800	IN	A	128.113.113.44
+haig.CS.UCL.AC.UK.	604800	IN	A	128.16.6.8
+mail.nova-data.com.	604800	IN	A	12.16.110.35
+MOEVAX.EDU.TW.		604800	IN	A	140.111.1.2
+NS2.LTWCC.org.		604800	IN	A	12.33.66.62
+NS.BA.			604800	IN	A	195.130.35.5
+noc.HRZ.uni-bielefeld.de. 604800 IN	A	129.70.5.16
+VANILLA.WRO.nps.GOV.	604800	IN	A	165.83.71.3
+NS2.SZTAKI.HU.		604800	IN	A	193.225.86.1
+SECIU.EDU.UY.		604800	IN	A	164.73.128.5
+COL2.CARIBSURF.com.	604800	IN	A	205.214.192.202
+NS2.QATAR.NET.QA.	604800	IN	A	212.77.192.13
+NS2.E-SYNC.net.		604800	IN	A	192.206.57.128
+ns1.eu.SUN.com.		604800	IN	A	192.18.240.8
+NS1.UUSJ.DOUBLECLICK.net. 604800 IN	A	204.176.177.10
+NS2.CUHK.EDU.HK.	604800	IN	A	137.189.6.21
+NS1.MEITCA.com.		604800	IN	A	137.203.5.1
+NS2.DSL.net.		604800	IN	A	209.87.79.232
+techfac.techfak.uni-bielefeld.de. 604800 IN A	129.70.132.100
+listserv.performancediver.com. 604800 IN A	216.34.185.155
+foolusmf.D4P.net.	604800	IN	CNAME	a100.g.akamai.net.
+pedic-med.vrx.net.	604800	IN	A	199.166.24.2
+GRUMPY.NET.NA.		604800	IN	A	196.20.23.1
+BK.tifosi.com.		604800	IN	A	208.58.189.13
+ns3.PAIR.com.		604800	IN	A	209.68.1.15
+ns2.ar.com.		604800	IN	A	64.124.80.42
+MASSIRA.ONPT.NET.MA.	604800	IN	A	206.103.26.1
+NS.KBFI.EE.		604800	IN	A	192.121.251.13
+ns3.Algebra.com.	604800	IN	A	216.254.54.22
+faerber.muc.de.		604800	IN	MX	10 slarti.muc.de.
+9.206.203.192.IN-ADDR.ARPA. 604800 IN	PTR	ice.WonderWorks.COM.
+PUKU.UNZA.ZM.		604800	IN	A	196.7.240.1
+ATLNET.ATLONLINE.com.	604800	IN	A	207.153.72.193
+Z1.NS.NYC1.GLOBIX.net.	604800	IN	A	209.10.66.55
+www.hometownbands.com.	604800	IN	A	209.67.235.38
+SIMON.CS.CORNELL.EDU.	604800	IN	A	128.84.154.10
+EKEKO.RCPIP.net.	604800	IN	A	209.45.127.2
+emerald.itnet.com.PL.	604800	IN	A	195.116.64.3
+DNS1.ICS.FORTH.GR.	604800	IN	A	139.91.151.70
+NS.ATL.BELLSOUTH.net.	604800	IN	A	205.152.0.20
+ntp.ctr.COLUMBIA.EDU.	604800	IN	CNAME	sirius.ctr.COLUMBIA.EDU.
+NS2.GLOBECOMM.net.	604800	IN	A	165.251.1.3
+UUNS1DNS1.FLONETWORK.com. 604800 IN	A	209.167.79.5
+GRIN.GNOSH.net.		604800	IN	A	216.15.87.207
+NS.DIGSYS.BG.		604800	IN	A	192.92.129.1
+uunet.UU.net.		604800	IN	MX	10 Mail.UU.net.
+ns1.vermontel.com.	604800	IN	A	204.164.106.2
+NS2.GREENMOUNTAINACCESS.net. 604800 IN	A	208.144.252.31
+38.241.5.198.IN-ADDR.ARPA. 604800 IN	PTR	cmr0.ash.ops.us.uu.net.
+NS1.NIC.UK.		604800	IN	A	195.66.240.130
+DNS.FCCN.PT.		604800	IN	A	193.136.192.10
+NS2.NIC.TJ.		604800	IN	A	209.77.224.1
+NS4.NEWACCOUNT.com.	604800	IN	A	209.78.16.6
+NS2.IHUG.NET.NZ.	604800	IN	A	203.29.160.2
+NS.SIGNALZ.com.		604800	IN	A	209.67.230.71
+DNS.NIC.AD.		604800	IN	A	194.158.67.251
+3.2.39.137.IN-ADDR.ARPA. 604800	IN	PTR	New-York4.NY.ALTER.NET.
+UUCP-GW-2.PA.DEC.com.	604800	IN	A	16.1.0.19
+NS.LANDLORDS.com.	604800	IN	A	63.64.164.68
+NS2.EXODUS.net.		604800	IN	A	207.82.198.150
+NS2.SCRUZ.net.		604800	IN	A	165.227.2.10
+NS.PIPEX-SZ.net.	604800	IN	A	196.15.232.19
+saturn.SUN.com.		604800	IN	A	192.9.25.2
+e24.nc.us.IBM.com.	604800	IN	A	32.97.136.230
+NMS.CYFRONET.KRAKOW.PL.	604800	IN	A	149.156.1.3
+NS.TWNIC.net.		604800	IN	A	192.83.166.11
+ns2.alcatel.NO.		604800	IN	A	193.213.238.2
+INPAKSODNS.AKSO.nps.GOV. 604800	IN	A	165.83.49.9
+mail.reptiles.org.	604800	IN	A	198.96.117.157
+59.187.152.204.IN-ADDR.ARPA. 604800 IN	PTR	shell.nominum.com.
+ns1.mobydark.com.	604800	IN	A	216.13.76.21
+NS.KG.			604800	IN	A	195.38.160.36
+NS.SPB.SU.		604800	IN	A	193.124.83.69
+PENDRAGON.CS.PURDUE.EDU. 604800	IN	A	128.10.2.5
+NS1.IGC.APC.org.	604800	IN	A	192.82.108.38
+USDNS.NIC.us.		604800	IN	A	198.41.3.87
+NS2.WEBTRENDS.com.	604800	IN	A	63.88.212.11
+URANUS.DAIMI.AAU.DK.	604800	IN	A	130.225.16.40
+ANTANA.IRD.MG.		604800	IN	A	194.214.107.1
+NS.JERSEY.juno.com.	604800	IN	A	64.136.17.178
+NS2.INTERNET-TOOLS.com.	604800	IN	A	206.109.113.140
+ns-tk012.ocn.AD.JP.	604800	IN	A	203.139.160.74
+bvt-ext.gdarm.com.	604800	IN	A	166.19.32.42
+NS1.ID.			604800	IN	A	202.155.30.227
+NS2.MAHNET.net.		604800	IN	A	207.219.173.132
+NS.ALCANET.COM.AU.	604800	IN	A	203.62.196.10
+UTAMA.BOLNET.BO.	604800	IN	A	166.114.1.40
+NS.CNC.AC.CN.		604800	IN	A	159.226.1.1
+NS.KREN.NE.KR.		604800	IN	A	147.47.1.1
+NS1.REDHAT.com.		604800	IN	A	216.148.218.250
+db.rc.VIX.com.		604800	IN	A	204.152.187.21
+198.103.198.209.IN-ADDR.ARPA. 604800 IN	CNAME	198.192.103.198.209.IN-ADDR.ARPA.
+alf.pbks.PL.		604800	IN	A	195.205.33.200
+FLAG.EP.net.		604800	IN	A	198.32.4.13
+DNS2.IUNET.IT.		604800	IN	A	192.106.1.31
+NS2.QUANTIFIED.net.	604800	IN	A	63.212.171.3
+INTERNET-SERVER.ZURICH.IBM.com.	604800 IN A	195.212.119.252
+seaipsvcs.idx.com.	604800	IN	A	172.22.64.42
+lebanon.valley.net.	604800	IN	A	198.115.160.16
+SERVER.NORDU.net.	604800	IN	A	193.10.252.19
+NS.NIC.DO.		604800	IN	A	207.176.16.50
+isc-01.iscvt.org.	604800	IN	A	207.136.209.131
+NAC.NO.			604800	IN	A	129.240.2.40
+SAVA.UTIC.NET.BA.	604800	IN	A	195.130.35.3
+NS1.TOKYO.JP.NETDNS.com. 604800	IN	A	64.56.164.118
+NETSERV2.ITS.rpi.EDU.	604800	IN	A	128.113.1.3
+IFI.UIO.NO.		604800	IN	A	129.240.64.2
+www.TOAPLAN.com.	604800	IN	A	216.42.31.169
+ns2.the-frontier.org.	604800	IN	A	216.86.199.115
+NS.UNAM.MX.		604800	IN	A	132.248.253.1
+ARISTO.TAU.AC.IL.	604800	IN	A	132.66.32.10
+DNS.CS.WISC.EDU.	604800	IN	A	128.105.2.10
+NS1.NIC.IR.		604800	IN	A	194.225.70.83
+NS1.RETINA.AR.		604800	IN	A	200.10.202.3
+mailer.connriver.net.	604800	IN	A	63.93.137.13
+NS.ATI.TN.		604800	IN	A	193.95.66.10
+NS2.CLEAR.NET.NZ.	604800	IN	A	203.97.37.14
+NS4.EARTHLINK.net.	604800	IN	A	209.179.179.19
+mejac.palo-alto.ca.us.	604800	IN	A	192.147.236.1
+New-York4.NY.ALTER.net.	604800	IN	A	137.39.2.3
+New-York4.NY.ALTER.net.	604800	IN	A	137.39.126.10
+falcon.tallship.net.	604800	IN	A	208.179.112.2
+ZEUS.CC.UCY.AC.CY.	604800	IN	A	194.42.1.1
+NS2.SECURE.net.		604800	IN	A	161.58.9.10
+NS0.FLIRBLE.org.	604800	IN	A	195.40.6.20
+dns.zenon.net.		604800	IN	A	195.2.83.107
+SERVIDOR.MICROASTUR.ES.	604800	IN	A	195.76.178.5
+DOWNSTAGE.MCS.VUW.AC.NZ. 604800	IN	A	130.195.6.10
+ns2.GNAC.com.		604800	IN	A	209.182.195.77
+PRIFI.EUNET.FI.		604800	IN	A	193.66.1.146
+ns2.k12.vt.us.		604800	IN	A	170.222.64.130
+ns2.nic.mnet.		604800	IN	A	208.109.83.110
+NS0.PIPEX.net.		604800	IN	A	158.43.128.8
+NS1.SANFRANCISCO.US.NETDNS.com.	604800 IN A	207.82.50.166
+AMRA.NIC.GOV.JO.	604800	IN	A	193.188.66.103
+kw.com.CN.		604800	IN	MX	15 mail2.kw.com.CN.
+SHNS.163.net.		604800	IN	A	61.129.65.108
+NS.ER.USGS.GOV.		604800	IN	A	130.11.48.2
+FAITH.MYNET.net.	604800	IN	A	207.13.11.2
+mail.smuggs.com.	604800	IN	A	209.67.230.71
+MIMOS.MY.		604800	IN	A	192.228.128.18
+NS.GU.			604800	IN	A	168.123.4.10
+mx00.schlund.de.	604800	IN	A	195.20.224.67
+mx00.schlund.de.	604800	IN	A	195.20.224.68
+mx00.schlund.de.	604800	IN	A	195.20.224.130
+mx00.schlund.de.	604800	IN	A	195.20.224.152
+mx00.schlund.de.	604800	IN	A	195.20.224.198
+CADDSYS.IPTEK.net.	604800	IN	A	202.46.1.2
+NS0.TELIA.NIC.NU.	604800	IN	A	212.181.91.4
+NS2.GRANITECANYON.com.	604800	IN	A	204.1.217.148
+GATEKEEPER.corning.com.	604800	IN	A	149.42.1.2
+NS2.2DAY.com.		604800	IN	A	202.89.128.74
+1.0.0.127.IN-ADDR.ARPA.	604800	IN	PTR	localhost.
+RAIN.PSG.com.		604800	IN	A	147.28.0.34
+STRAWB.MIT.EDU.		604800	IN	A	18.71.0.151
+NS2.DIGISERVE.com.	604800	IN	A	204.91.84.216
+UMACSN2.UMAC.MO.	604800	IN	A	161.64.3.2
+NS.JM.			604800	IN	A	196.2.1.6
+12.153.66.206.IN-ADDR.ARPA. 604800 IN	PTR	d.dd.org.
+EAST.ISI.EDU.		604800	IN	A	38.245.76.2
+NS2.UUNET.CA.		604800	IN	A	142.77.1.5
+SUNNY.STAT-USA.GOV.	604800	IN	A	192.239.70.8
+BOW.INTNET.CF.		604800	IN	A	194.206.73.253
+NS4.TELE.DK.		604800	IN	A	194.239.134.84
+NS2.sodak.net.		604800	IN	A	63.65.239.225
+NS1.NEWYORK.US.NETDNS.com. 604800 IN	A	216.32.212.86
+NS2.PSI.net.		604800	IN	A	38.8.50.2
+NS.KREONET.RE.KR.	604800	IN	A	134.75.30.1
+GIANT.MINDLINK.net.	604800	IN	A	204.174.18.2
+NS0.SECTOR001.org.	604800	IN	A	24.4.49.117
+DNS.SEABONE.net.	604800	IN	A	195.22.205.163
+NS2.MANA.PF.		604800	IN	A	202.3.225.20
+NRWEB.CENPAC.NET.NR.	604800	IN	A	203.98.224.66
+www.TRAVELPHOTOCONTESTS.com. 604800 IN	A	64.85.86.156
+NS1.REGEX.com.		604800	IN	A	202.152.12.227
+BIGBIRD.ITD.nps.GOV.	604800	IN	A	165.83.208.5
+CUNIXD.CC.COLUMBIA.EDU.	604800	IN	A	128.59.35.142
+NS1.CLASSIFIEDMONSTER.com. 604800 IN	A	216.254.54.22
+SERVER1.SANS.org.	604800	IN	A	167.216.133.33
+BRONZE.COIL.com.	604800	IN	A	198.4.94.1
+SCSNMS.SWITCH.CH.	604800	IN	A	130.59.1.30
+SCSNMS.SWITCH.CH.	604800	IN	A	130.59.10.30
+SCE.CNC.UNA.PY.		604800	IN	A	200.10.228.133
+RELAY.LA.TIS.com.	604800	IN	A	198.51.22.11
+NS.AUSTIN.IBM.com.	604800	IN	A	192.35.232.34
+SERVICE.robert-morris.EDU. 604800 IN	A	205.146.48.22
+MERCURY.ML.org.		604800	IN	A	209.68.0.85
+proxy.pccf.net.		604800	IN	A	205.189.73.123
+DUB-NAME-SVC-1.compuserve.com. 604800 IN A	149.174.213.5
+NS.CNRI.reston.va.us.	604800	IN	A	132.151.1.1
+NS.UCAD.SN.		604800	IN	A	196.1.95.1
+ns01.ny.us.ibm.net.	604800	IN	A	165.87.194.244
+NS4-AUTH.ALASKA.net.	604800	IN	A	209.112.130.4
+BOW.INTNET.NE.		604800	IN	A	194.51.164.253
+NS-JP.SINET.AD.JP.	604800	IN	A	150.100.2.3
+ns.musin.de.		604800	IN	A	194.113.40.45
+ip1.romkey.SEG.net.	604800	IN	A	207.121.69.234
+DNS2.ITD.UMICH.EDU.	604800	IN	A	141.211.125.15
+mail.rpi.EDU.		604800	IN	A	128.113.100.7
+INECO.NIC.ES.		604800	IN	A	194.69.254.2
+DNS2.FIREHOUSE.net.	604800	IN	A	63.160.175.18
+BOW.INTNET.BJ.		604800	IN	A	194.51.163.253
+sundown.vtc.VSC.EDU.	604800	IN	A	155.42.12.12
+NIC.AIX.GR.		604800	IN	A	195.130.89.210
+NIC.AD.JP.		604800	IN	A	202.12.30.33
+NS.DC.IGC.org.		604800	IN	A	199.75.208.10
+LHR.NS.GDNS.net.	604800	IN	A	212.250.25.101
+NS2.WEBMAGIC.net.	604800	IN	A	64.168.49.66
+MUNNARI.OZ.AU.		604800	IN	A	128.250.1.21
+HIPPO.RU.AC.ZA.		604800	IN	A	146.231.128.1
+PEBBLES.IOM.com.	604800	IN	A	194.72.124.1
+penpal.dmz.RPSLMC.EDU.	604800	IN	A	144.74.60.151
+netnews.HINET.net.	604800	IN	A	168.95.195.16
+INS2.TOSA.TWTELECOM.net. 604800	IN	A	204.95.160.4
+proxy6.cisco.com.	604800	IN	A	203.41.198.245
+NS2.HOST4U.net.		604800	IN	A	209.150.129.3
+POIPARAU.OYSTER.NET.CK.	604800	IN	A	202.65.32.127
+NS-EXT.VIX.com.		604800	IN	A	204.152.184.64
+NS2.NURSAT.net.		604800	IN	A	212.13.167.1
+mail2.kw.com.CN.	604800	IN	A	159.226.25.8
+NS-02B.ANS.net.		604800	IN	A	207.24.245.178
+DNS.RCCN.net.		604800	IN	A	193.136.7.17
+B.ROOT-SERVERS.ORSC.	604800	IN	A	216.13.126.116
+FIREHOUSE.net.		604800	IN	A	63.160.175.19
diff --git a/bin/tests/system/cacheclean/ns1/example.db b/bin/tests/system/cacheclean/ns1/example.db
new file mode 100644
index 0000000..7262109
--- /dev/null
+++ b/bin/tests/system/cacheclean/ns1/example.db
@@ -0,0 +1,2942 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 999999
+$ORIGIN .
+.                       IN SOA  hostmaster.nominum.com. a.root-servers.nil. (
+                                2000042100
+                                600
+                                600
+                                1200
+                                600
+                                )
+.                       NS      a.root-servers.nil.
+a.root-servers.nil	IN	A	10.53.0.1
+localhost		IN	A	127.0.0.1
+$ORIGIN NIC.AC.
+NS			IN	A	194.205.62.120
+$ORIGIN AD.
+DNS2			IN	A	194.158.64.8
+DINIS			IN	A	194.158.64.7
+$ORIGIN NIC.AD.
+DNS			IN	A	194.158.67.251
+$ORIGIN STA.AD.
+CORREU			IN	A	194.158.67.1
+$ORIGIN EMIRATES.NET.AE.
+NS2			IN	A	194.170.1.7
+NS1			IN	A	194.170.1.6
+$ORIGIN BA.
+NS			IN	A	195.130.35.5
+$ORIGIN UTIC.NET.BA.
+SAVA			IN	A	195.130.35.3
+$ORIGIN OFFSHORE.AI.
+NS1			IN	A	209.88.68.34
+$ORIGIN BD.
+DNS1			IN	A	209.58.24.5
+DNS			IN	A	209.58.24.3
+$ORIGIN MENTOR.BE.
+APHEX			IN	A	193.121.64.5
+$ORIGIN EUNET.BE.
+SECDNS			IN	A	193.74.208.139
+$ORIGIN BELNET.BE.
+NS			IN	A	193.190.198.10
+			IN	A	193.190.198.2
+$ORIGIN DNS.BE.
+MASTER			IN	A	194.7.171.243
+$ORIGIN CS.KULEUVEN.AC.BE.
+DNS			IN	A	134.58.40.4
+$ORIGIN CURINFO.AN.
+NS01-SERVER		IN	A	200.44.117.129
+KADUSHI			IN	A	200.44.117.130
+$ORIGIN ONATEL.BF.
+NAHOURI			IN	A	206.82.130.195
+$ORIGIN DIGSYS.BG.
+NS			IN	A	192.92.129.1
+$ORIGIN BATELCO.COM.BH.
+SV10			IN	A	193.188.124.227
+NS2			IN	A	193.188.97.212
+NS			IN	A	193.188.97.197
+$ORIGIN UTORONTO.CA.
+ns2			IN	A	128.100.102.202
+ns1			IN	A	128.100.100.129
+chime			IN	A	128.100.102.201
+$ORIGIN cs.UTORONTO.CA.
+bay			IN	A	128.100.1.1
+$ORIGIN UTCC.UTORONTO.CA.
+DNS2			IN	A	128.100.102.201
+$ORIGIN UUNET.CA.
+NS2			IN	A	142.77.1.5
+NS			IN	A	142.77.1.1
+$ORIGIN CIRA.CA.
+MERLE			IN	A	64.26.149.98
+$ORIGIN cmc.ec.gc.CA.
+castor			IN	A	142.135.4.14
+$ORIGIN RISQ.QC.CA.
+CLOUSO			IN	A	192.26.210.1
+$ORIGIN MBNET.MB.CA.
+ACCESS			IN	A	130.179.16.143
+$ORIGIN CDNNET.CA.
+RELAY			IN	A	192.73.5.1
+$ORIGIN uwaterloo.CA.
+ns2			IN	A	129.97.128.100
+math			IN	A	129.97.140.144
+			IN	A	129.97.216.42
+			IN	MX	0 math.uwaterloo.ca.
+ns1			IN	A	129.97.128.10
+$ORIGIN AR.
+CTINA			IN	A	200.16.97.17
+ATHEA			IN	A	200.16.98.2
+$ORIGIN NIC.AR.
+TULKU			IN	A	200.16.97.77
+$ORIGIN RETINA.AR.
+NS1			IN	A	200.10.202.3
+$ORIGIN INTNET.BJ.
+BOW			IN	A	194.51.163.253
+$ORIGIN NIC.CD.
+DNS			IN	A	194.38.74.11
+$ORIGIN tahina.priv.at.
+styx			IN	A	194.152.163.253
+$ORIGIN UNIVIE.AC.at.
+NS2			IN	A	193.171.255.66
+NS7			IN	A	194.246.96.192
+NS1			IN	A	193.171.255.2
+$ORIGIN OZ.AU.
+MUNNARI			IN	A	128.250.1.21
+$ORIGIN CS.MU.OZ.AU.
+MULGA			IN	A	128.250.1.22
+			IN	A	128.250.37.150
+$ORIGIN AARNET.EDU.AU.
+JATZ			IN	A	139.130.204.4
+$ORIGIN ANU.EDU.AU.
+CHEOPS			IN	A	150.203.224.24
+$ORIGIN CS.UOW.EDU.AU.
+WRAITH			IN	A	130.130.64.1
+$ORIGIN ALCANET.COM.AU.
+NS			IN	A	203.62.196.10
+$ORIGIN CONNECT.COM.AU.
+YARRINA			IN	A	192.189.54.17
+$ORIGIN IBL.BM.
+NS1			IN	A	199.172.192.1
+$ORIGIN BRUNET.BN.
+JTB			IN	A	202.160.8.2
+$ORIGIN INTNET.CF.
+BOW			IN	A	194.206.73.253
+$ORIGIN SETARNET.AW.
+NS2			IN	A	206.48.100.11
+NS1			IN	A	206.48.100.5
+$ORIGIN BOLNET.BO.
+UTAMA			IN	A	166.114.1.40
+$ORIGIN SWITCH.CH.
+SCSNMS			IN	A	130.59.1.30
+			IN	A	130.59.10.30
+MERAPI			IN	A	130.59.211.10
+$ORIGIN ITU.CH.
+NS			IN	A	156.106.192.121
+$ORIGIN NIC.CH.
+DOMREG			IN	A	130.59.1.80
+$ORIGIN ip6.INT.
+z			IN	A	198.32.2.66
+			IN	AAAA	3ffe:0:1::c60:242
+$ORIGIN DNS.BR.
+NS2			IN	A	200.19.119.99
+NS1			IN	A	200.255.253.234
+NS			IN	A	143.108.23.2
+$ORIGIN OYSTER.NET.CK.
+POIPARAU		IN	A	202.65.32.127
+PARAU			IN	A	202.65.32.128
+$ORIGIN DRUKNET.NET.BT.
+NS			IN	A	202.144.128.200
+$ORIGIN DCC.UCHILE.CL.
+NS			IN	A	146.83.5.204
+$ORIGIN NIC.CL.
+NS			IN	A	146.83.4.11
+$ORIGIN FIRSTCOM.CL.
+NS			IN	A	200.27.2.2
+$ORIGIN EDU.
+ISI			IN	A	128.9.176.32
+UMASS			IN	MX	20 vcmr-54.server.rpi.edu.
+			IN	MX	1 mail.rpi.edu.
+dartmouth		IN	A	129.170.16.6
+			IN	MX	10 donner.dartmouth.edu.
+			IN	MX	10 prancer.dartmouth.edu.
+			IN	MX	10 vixen.dartmouth.edu.
+			IN	MX	10 blitzen.dartmouth.edu.
+			IN	MX	0 mailhub.dartmouth.edu.
+			IN	MX	10 dasher.dartmouth.edu.
+rush			IN	MX	30 penpal.dmz.rpslmc.edu.
+			IN	MX	10 detox.cc1.rpslmc.edu.
+			IN	MX	20 rush.cc1.rpslmc.edu.
+NYU			IN	A	128.122.253.92
+GATECH			IN	A	130.207.244.244
+ARIZONA			IN	A	128.196.128.233
+stanford		IN	A	171.64.14.120
+			IN	MX	20 Leland.stanford.edu.
+			IN	MX	20 Leland2.stanford.edu.
+			IN	MX	20 Leland3.stanford.edu.
+$ORIGIN jhuapl.EDU.
+ECSEL			IN	A	128.244.65.29
+APLDNS2			IN	A	128.244.194.100
+ABACUS			IN	A	128.244.197.32
+$ORIGIN MIT.EDU.
+STRAWB			IN	A	18.71.0.151
+W20NS			IN	A	18.70.0.160
+BITSY			IN	A	18.72.0.3
+$ORIGIN ITD.UMICH.EDU.
+DNS2			IN	A	141.211.125.15
+$ORIGIN ISI.EDU.
+EAST			IN	A	38.245.76.2
+VENERA			IN	A	128.9.176.32
+NS			IN	A	128.9.128.127
+$ORIGIN CS.PURDUE.EDU.
+PENDRAGON		IN	A	128.10.2.5
+$ORIGIN CS.WISC.EDU.
+DNS			IN	A	128.105.2.10
+$ORIGIN UMD.EDU.
+TRANTOR			IN	A	128.8.10.14
+$ORIGIN RPSLMC.EDU.
+THUMPER			IN	A	144.74.22.8
+$ORIGIN dmz.RPSLMC.EDU.
+penpal			IN	A	144.74.60.151
+$ORIGIN cc1.RPSLMC.EDU.
+rush			IN	A	144.74.150.23
+detox			IN	A	144.74.150.44
+$ORIGIN IS.RPSLMC.EDU.
+SUNSTROKE		IN	A	144.74.21.8
+$ORIGIN VSC.EDU.
+vtc			IN	MX	0 eve.vtc.vsc.edu.
+MAZE			IN	A	155.42.1.89
+ENIGMA			IN	A	155.42.1.7
+$ORIGIN vtc.VSC.EDU.
+sundown			IN	A	155.42.12.12
+eve			IN	A	155.42.12.102
+$ORIGIN UMASS.EDU.
+NS1			IN	A	128.119.166.14
+NIC			IN	A	128.119.175.14
+$ORIGIN oit.UMASS.EDU.
+supai			IN	A	128.119.175.6
+ponzi			IN	A	128.119.166.18
+$ORIGIN ECS.UMASS.EDU.
+KIRA			IN	A	128.119.91.10
+$ORIGIN CS.UMASS.EDU.
+UNIX1			IN	A	128.119.40.12
+$ORIGIN UPR.CLU.EDU.
+UPR1			IN	A	136.145.1.4
+$ORIGIN PRINCETON.EDU.
+DNS			IN	A	128.112.129.15
+$ORIGIN rpi.EDU.
+mail			IN	A	128.113.100.7
+$ORIGIN server.rpi.EDU.
+vcmr-54			IN	A	128.113.113.44
+$ORIGIN acs.rpi.EDU.
+freefour		IN	A	128.113.24.91
+$ORIGIN ITS.rpi.EDU.
+NETSERV2		IN	A	128.113.1.3
+NETSERV1		IN	A	128.113.1.5
+$ORIGIN uvm.EDU.
+NS1			IN	A	132.198.201.10
+NS2			IN	A	132.198.202.10
+$ORIGIN dartmouth.EDU.
+dasher			IN	A	129.170.208.6
+mailhub			IN	A	129.170.16.6
+donner			IN	A	129.170.208.3
+prancer			IN	A	129.170.208.2
+vixen			IN	A	129.170.208.15
+NS1			IN	A	129.170.17.4
+blitzen			IN	A	129.170.208.4
+NS2			IN	A	129.170.16.4
+$ORIGIN middlebury.EDU.
+CATAMOUNT		IN	A	140.233.2.204
+LION			IN	A	140.233.1.4
+$ORIGIN CIT.CORNELL.EDU.
+DNS			IN	A	192.35.82.50
+$ORIGIN CS.CORNELL.EDU.
+SIMON			IN	A	128.84.154.10
+$ORIGIN BERKELEY.EDU.
+NS2			IN	A	128.32.136.12
+			IN	A	128.32.206.12
+NS1			IN	A	128.32.136.9
+			IN	A	128.32.206.9
+$ORIGIN CS.BERKELEY.EDU.
+VANGOGH			IN	A	128.32.33.5
+$ORIGIN ctr.COLUMBIA.EDU.
+ntp			IN	CNAME	sirius.ctr.columbia.edu.
+sirius			IN	A	128.59.64.60
+$ORIGIN CC.COLUMBIA.EDU.
+CUNIXD			IN	A	128.59.35.142
+$ORIGIN UOREGON.EDU.
+PHLOEM			IN	A	128.223.32.35
+$ORIGIN GATECH.EDU.
+TROLL-GW		IN	A	130.207.244.251
+$ORIGIN CC.GATECH.EDU.
+BURDELL			IN	A	130.207.3.207
+$ORIGIN UTK.EDU.
+NS0			IN	A	160.36.0.66
+NS1			IN	A	160.36.128.66
+$ORIGIN robert-morris.EDU.
+SERVICE			IN	A	205.146.48.22
+COLONIAL-SERVER		IN	A	205.146.48.25
+$ORIGIN CNS.vt.EDU.
+YARDBIRD		IN	A	198.82.247.34
+MILO			IN	A	198.82.247.98
+$ORIGIN stanford.EDU.
+Leland2			IN	A	171.64.14.58
+AVALLONE		IN	A	171.64.2.210
+ATALANTE		IN	A	171.64.2.220
+ARGUS			IN	A	171.64.2.230
+$ORIGIN slac.stanford.EDU.
+SMTP			IN	A	134.79.18.80
+NS2			IN	A	134.79.16.10
+NS1			IN	A	134.79.16.9
+$ORIGIN HARVARD.EDU.
+NS2			IN	A	128.103.1.1
+ns			IN	A	128.103.201.100
+NS1			IN	A	128.103.200.101
+$ORIGIN med.HARVARD.EDU.
+jenner			IN	A	134.174.141.2
+knight			IN	A	134.174.141.46
+eno			IN	A	134.174.141.50
+heckle			IN	A	134.174.146.152
+$ORIGIN de.
+datingagentur		IN	A	212.227.216.57
+			IN	MX	10 mx01.schlund.de.
+			IN	MX	10 mx00.schlund.de.
+$ORIGIN schlund.de.
+mx00			IN	A	195.20.224.130
+			IN	A	195.20.224.198
+			IN	A	195.20.224.67
+			IN	A	195.20.224.68
+			IN	A	195.20.224.152
+ns4			IN	A	195.20.225.36
+mx01			IN	A	195.20.224.131
+			IN	A	195.20.224.236
+			IN	A	195.20.224.237
+			IN	A	195.20.224.238
+ns3			IN	A	195.20.224.95
+$ORIGIN Informatik.Uni-Dortmund.de.
+waldorf			IN	A	129.217.4.42
+$ORIGIN muc.de.
+faerber			IN	MX	10 slarti.muc.de.
+			IN	A	193.149.49.70
+ns2			IN	A	193.149.48.2
+slarti			IN	A	193.149.48.10
+ns1			IN	A	193.149.48.11
+$ORIGIN westfalen.de.
+muenster		IN	A	193.174.5.2
+$ORIGIN lan-ks.de.
+uranus			IN	A	194.45.71.1
+$ORIGIN kaben-net.de.
+dns			IN	A	195.179.28.17
+$ORIGIN thur.de.
+jengate			IN	A	193.174.15.34
+$ORIGIN erfurt.thur.de.
+annwfn			IN	A	194.122.210.3
+$ORIGIN sgh-net.de.
+ns1			IN	A	212.86.129.142
+$ORIGIN DENIC.de.
+SSS-NL			IN	A	193.0.0.237
+SSS-AT			IN	A	193.171.255.34
+DNS			IN	A	194.246.96.79
+$ORIGIN iks-jena.de.
+avalon			IN	A	194.221.90.34
+$ORIGIN musin.de.
+ns			IN	A	194.113.40.45
+$ORIGIN rrz.Uni-Koeln.de.
+noc			IN	A	134.95.100.209
+$ORIGIN BelWue.de.
+noc			IN	A	129.143.2.1
+$ORIGIN HRZ.uni-bielefeld.de.
+noc			IN	A	129.70.5.16
+$ORIGIN techfak.uni-bielefeld.de.
+techfac			IN	A	129.70.132.100
+$ORIGIN CUBE.de.
+NS1			IN	A	212.162.54.243
+$ORIGIN dtag.de.
+pns			IN	A	194.25.0.125
+$ORIGIN netconx.de.
+netconsult		IN	A	193.141.75.1
+$ORIGIN CAMNET.CM.
+KIM			IN	A	195.24.192.35
+LOM			IN	A	195.24.192.34
+SANAGA			IN	A	195.24.192.17
+$ORIGIN sxtyptt.NET.CN.
+ns			IN	A	202.99.192.68
+$ORIGIN sta.NET.CN.
+ns			IN	A	202.96.199.133
+$ORIGIN BTA.NET.CN.
+NS			IN	A	202.96.0.133
+$ORIGIN CNNIC.NET.CN.
+sld-ns2			IN	A	202.97.16.197
+DNS2			IN	A	202.97.16.196
+sld-ns1			IN	A	159.226.1.3
+$ORIGIN com.CN.
+kw			IN	MX	15 mail2.kw.com.cn.
+$ORIGIN kw.com.CN.
+mail2			IN	A	159.226.25.8
+ns			IN	A	159.226.25.8
+$ORIGIN CNC.AC.CN.
+NS			IN	A	159.226.1.1
+$ORIGIN UNIANDES.EDU.CO.
+AYAX			IN	A	157.253.50.30
+CDCNET			IN	A	157.253.1.13
+$ORIGIN SCSI.GOV.BY.
+SUN			IN	A	195.50.5.103
+NS2			IN	A	194.67.193.130
+$ORIGIN OPEN.BY.
+A			IN	A	194.226.121.36
+$ORIGIN CR.
+NS			IN	A	163.178.8.2
+$ORIGIN UCR.AC.CR.
+NS			IN	A	163.178.88.2
+$ORIGIN INTNET.DJ.
+BOW			IN	A	193.251.143.253
+$ORIGIN DARENET.DK.
+NS-SOA			IN	A	130.226.1.4
+$ORIGIN TELE.DK.
+NS4			IN	A	194.239.134.84
+$ORIGIN DAIMI.AAU.DK.
+URANUS			IN	A	130.225.16.40
+$ORIGIN DK-HOSTMASTER.DK.
+NS			IN	A	193.163.102.2
+$ORIGIN EC.
+ECNET			IN	A	157.100.45.2
+$ORIGIN NET.EC.
+ECUA			IN	A	157.100.1.2
+$ORIGIN CENIAI.NET.CU.
+NS			IN	A	169.158.128.136
+$ORIGIN EENET.EE.
+NS			IN	A	193.40.56.245
+$ORIGIN KBFI.EE.
+NS			IN	A	192.121.251.13
+$ORIGIN NIC.DO.
+NS			IN	A	207.176.16.50
+$ORIGIN EUN.EG.
+FRCU			IN	A	193.227.1.1
+$ORIGIN CIX.CX.
+NS			IN	A	195.222.235.216
+$ORIGIN CX.ESCROW.IOCOMM.NET.CX.
+NS1			IN	A	203.132.96.2
+$ORIGIN CCS.UCY.AC.CY.
+NICOSIA			IN	A	194.42.6.97
+$ORIGIN CC.UCY.AC.CY.
+ZEUS			IN	A	194.42.1.1
+$ORIGIN EUNET.CZ.
+CZ			IN	A	193.85.3.130
+$ORIGIN EUNET.FI.
+PRIFI			IN	A	193.66.1.146
+$ORIGIN NIXU.FI.
+NS			IN	A	193.209.237.29
+$ORIGIN TELE.FI.
+NS			IN	A	193.210.19.19
+$ORIGIN HELSINKI.FI.
+HYDRA			IN	A	128.214.4.29
+$ORIGIN INET.GA.
+KOMO			IN	A	208.148.44.1
+$ORIGIN CERIST.DZ.
+DECST			IN	A	193.194.64.11
+$ORIGIN ELDJAZAIR.NET.DZ.
+CASBAH			IN	A	193.194.81.45
+$ORIGIN USP.AC.FJ.
+TERI			IN	A	144.120.8.1
+$ORIGIN EUNET.ES.
+NS			IN	A	193.127.1.11
+$ORIGIN NIC.ES.
+INECO			IN	A	194.69.254.2
+NS1			IN	A	194.69.254.1
+$ORIGIN VISUALCOM.ES.
+NS			IN	A	194.143.202.202
+$ORIGIN MICROASTUR.ES.
+SERVIDOR		IN	A	195.76.178.5
+$ORIGIN CESCA.ES.
+PRADES			IN	A	192.94.163.152
+$ORIGIN PIXAR.ES.
+NS			IN	A	194.143.196.3
+$ORIGIN REDIRIS.ES.
+SUN			IN	A	130.206.1.2
+$ORIGIN SEKER.ES.
+CORREOS			IN	A	194.179.87.1
+$ORIGIN TELECOM.NET.ET.
+NS			IN	A	196.27.22.43
+$ORIGIN FM.
+FM03			IN	A	206.49.89.4
+FM01			IN	A	206.49.89.2
+$ORIGIN NPLUS.GF.
+NS1			IN	A	195.6.144.3
+$ORIGIN trns.
+f			IN	A	209.133.38.16
+d			IN	A	207.112.147.14
+e			IN	A	145.89.234.7
+c			IN	A	212.172.21.254
+a			IN	A	64.6.65.10
+$ORIGIN IRD.FR.
+NS			IN	A	195.83.14.1
+$ORIGIN BONDY.IRD.FR.
+MALAKULA		IN	A	193.50.53.1
+$ORIGIN RAIN.FR.
+BOW			IN	A	194.51.3.49
+$ORIGIN imag.FR.
+isis			IN	A	129.88.32.24
+imag			IN	A	129.88.30.1
+$ORIGIN INRIA.FR.
+DNS			IN	A	193.51.208.13
+$ORIGIN NIC.FR.
+NS2			IN	A	192.93.0.4
+NS1			IN	A	192.93.0.1
+NS3			IN	A	192.134.0.49
+$ORIGIN GH.GL.
+KAASASSUK		IN	A	194.177.232.3
+$ORIGIN TELE.GL.
+TGSERV			IN	A	194.177.224.7
+$ORIGIN COMMIT.GM.
+NS1			IN	A	63.77.152.177
+$ORIGIN MRC.GM.
+NS1			IN	A	212.60.69.1
+$ORIGIN INTNET.GQ.
+BOW			IN	A	195.101.152.253
+$ORIGIN AIX.GR.
+NIC			IN	A	195.130.89.210
+$ORIGIN GRNET.GR.
+FOO			IN	A	194.177.210.211
+NIC			IN	A	194.177.210.210
+$ORIGIN CSI.FORTH.GR.
+ESTIA			IN	A	139.91.191.3
+$ORIGIN ICS.FORTH.GR.
+DNS1			IN	A	139.91.151.70
+GRDNS			IN	A	139.91.1.1
+$ORIGIN HKU.HK.
+HKUXB			IN	A	147.8.16.15
+$ORIGIN CUHK.EDU.HK.
+NS2			IN	A	137.189.6.21
+NS1			IN	A	137.189.6.1
+$ORIGIN CONCYT.GOB.GT.
+NS			IN	A	168.234.106.2
+$ORIGIN UVG.EDU.GT.
+NS			IN	A	168.234.68.2
+$ORIGIN ID.
+NS1			IN	A	202.155.30.227
+$ORIGIN AC.ID.
+NS			IN	A	202.159.124.34
+$ORIGIN GU.
+NS			IN	A	168.123.4.10
+$ORIGIN EDU.GU.
+NS			IN	A	168.123.2.50
+$ORIGIN REGISTRY.HM.
+NS2			IN	A	209.54.168.55
+NS3			IN	A	202.169.102.24
+NS1			IN	A	204.144.183.78
+$ORIGIN CONNECT.IE.
+AUTH01			IN	A	194.106.128.50
+$ORIGIN DOMAINREGISTRY.IE.
+BANBA			IN	A	193.1.142.2
+$ORIGIN VIA-NET-WORKS.IE.
+ICE			IN	A	212.17.32.2
+$ORIGIN HONDUTEL.HN.
+MIRAF-SERVER3		IN	A	206.48.104.142
+$ORIGIN SRCE.HR.
+DNS			IN	A	161.53.3.7
+$ORIGIN HUJI.AC.IL.
+RELAY			IN	A	128.139.6.1
+$ORIGIN TAU.AC.IL.
+ARISTO			IN	A	132.66.32.10
+$ORIGIN NIC.JE.
+NS1			IN	A	216.110.45.224
+$ORIGIN SZTAKI.HU.
+NS2			IN	A	193.225.86.1
+$ORIGIN NIC.HU.
+NS			IN	A	193.6.27.62
+$ORIGIN NCST.ERNET.IN.
+NAAMAK			IN	A	202.41.110.66
+SS585			IN	A	202.141.150.18
+$ORIGIN NIC.IO.
+NS			IN	A	194.205.62.100
+$ORIGIN NIC.IR.
+NS1			IN	A	194.225.70.83
+$ORIGIN IS.
+ISGATE			IN	A	193.4.58.51
+$ORIGIN IUNET.IT.
+DNS2			IN	A	192.106.1.31
+NS			IN	A	192.106.1.1
+$ORIGIN INFN.IT.
+SERVER2			IN	A	131.154.1.3
+$ORIGIN CNR.IT.
+NAMESERVER	IN	A	194.119.192.34
+$ORIGIN IAT.CNR.IT.
+ITGBOX			IN	A	146.48.65.46
+$ORIGIN NETTUNO.IT.
+BOLOGNA			IN	A	193.43.2.5
+$ORIGIN NIC.IT.
+DNS			IN	A	193.205.245.5
+$ORIGIN JM.
+NS			IN	A	196.2.1.6
+$ORIGIN CAST.EDU.JM.
+NS			IN	A	200.9.115.2
+$ORIGIN NIC.GOV.JO.
+AMRA			IN	A	193.188.66.103
+PETRA			IN	A	193.188.66.2
+$ORIGIN KG.
+NS			IN	A	195.38.160.36
+$ORIGIN AD.JP.
+NIC			IN	A	202.12.30.33
+$ORIGIN ocn.AD.JP.
+ns-tk012		IN	A	203.139.160.74
+$ORIGIN IIJ.AD.JP.
+NS0			IN	A	202.232.2.34
+$ORIGIN SINET.AD.JP.
+NS-JP			IN	A	150.100.2.3
+$ORIGIN SPIN.AD.JP.
+DNS0			IN	A	165.76.0.98
+$ORIGIN NIC.AD.JP.
+ns2			IN	A	202.12.30.133
+TRF			IN	A	192.41.192.2
+NS-JP			IN	A	61.120.151.100
+NS0			IN	A	202.12.30.131
+ns1			IN	A	202.12.30.33
+$ORIGIN WIDE.AD.JP.
+NS			IN	A	203.178.136.63
+			IN	MX	10 integra.s-integra.co.jp.
+$ORIGIN s-integra.co.JP.
+integra			IN	A	210.162.202.34
+$ORIGIN UUCP.NE.JP.
+NS2			IN	A	210.141.111.69
+$ORIGIN DNS.NET.KH.
+NS1			IN	A	203.127.100.21
+$ORIGIN org.
+netsage			IN	A	209.67.235.38
+ietf			IN	A	132.151.1.19
+			IN	MX	10 odin.ietf.org.
+vmba			IN	MX	10 gro.dd.org.
+bnfinfo			IN	MX	10 mail.sover.net.
+			IN	MX	20 mqueue.sover.net.
+dd			IN	MX	10 gro.dd.org.
+			IN	MX	50 mqueue.sover.net.
+			IN	MX	100 mail.uu.net.
+vtvast			IN	A	207.217.96.38
+			IN	A	207.217.96.39
+			IN	A	207.217.96.40
+			IN	A	207.217.96.41
+			IN	A	207.217.96.42
+			IN	A	207.217.96.43
+			IN	A	207.217.96.44
+			IN	A	207.217.96.45
+			IN	A	207.217.96.28
+			IN	A	207.217.96.29
+			IN	A	207.217.96.30
+			IN	A	207.217.96.31
+			IN	A	207.217.96.32
+			IN	A	207.217.96.33
+			IN	A	207.217.96.34
+			IN	A	207.217.96.35
+			IN	A	207.217.96.36
+			IN	A	207.217.96.37
+			IN	MX	10 vipmailgate.earthlink.net.
+gazpacho		IN	A	209.67.235.38
+bikeclub		IN	MX	20 pop.shoreham.net.
+			IN	MX	50 smtp.america.net.
+giffordmed		IN	A	130.189.100.57
+			IN	MX	20 quest-net.com.
+			IN	MX	10 mail.giffordmed.org.
+isc			IN	A	204.152.184.101
+icann			IN	MX	100 mail.icann.org.
+			IN	MX	95 mailhub.icann.org.
+xaos			IN	A	24.93.15.22
+			IN	TXT	"XAOS Associates Online Services"
+			IN	MX	0 mail.xaos.org.
+			IN	MX	5 gw.xaos.org.
+			IN	LOC	43 02 20.000 N 77 43 12.000 W 170.00m 1.00m 30.00m 10.00m
+mmuuf			IN	MX	10 gro.dd.org.
+reptiles		IN	A	198.96.117.142
+			IN	MX	10 mail2.reptiles.org.
+			IN	MX	20 mail.vex.net.
+			IN	MX	5 mail.reptiles.org.
+iscvt			IN	A	207.136.209.132
+			IN	MX	10 isc-01.iscvt.org.
+			IN	MX	20 mqueue.sover.net.
+mailinglists		IN	A	63.160.175.18
+lawlinevt		IN	MX	20 mqueue.sover.net.
+			IN	MX	10 host3.vtlegalaid.org.
+mail-abuse		IN	A	204.152.184.74
+$ORIGIN SECTOR001.org.
+NS0			IN	A	24.4.49.117
+NS1			IN	A	24.4.49.246
+$ORIGIN ML.org.
+MERCURY			IN	A	209.68.0.85
+$ORIGIN XBILL.org.
+NS			IN	A	204.152.186.163
+$ORIGIN spack.org.
+maus			IN	A	204.245.198.90
+$ORIGIN netsage.org.
+keith			IN	A	209.67.235.37
+www			IN	CNAME	netsage.org.
+sure			IN	A	209.67.235.38
+$ORIGIN ietf.org.
+odin			IN	A	132.151.1.176
+www2			IN	A	4.17.168.6
+www			IN	CNAME	www2.ietf.org.
+$ORIGIN lux.dot-eu.org.
+ns0			IN	A	195.206.105.102
+$ORIGIN the-frontier.org.
+ns2			IN	A	216.86.199.115
+ns1			IN	A	216.86.199.114
+$ORIGIN vmba.org.
+www			IN	MX	10 gro.dd.org.
+			IN	A	209.198.103.206
+$ORIGIN WILLIAM.org.
+JOANNA			IN	A	195.153.6.2
+$ORIGIN FROGHOUSE.org.
+DNS			IN	A	207.121.69.243
+$ORIGIN VTLEGALAID.org.
+host3			IN	A	207.136.208.115
+$ORIGIN dd.org.
+doubt			IN	A	209.198.103.193
+news			IN	CNAME	gro.dd.org.
+gro			IN	A	209.198.103.200
+d			IN	A	209.198.103.199
+workgroup		IN	A	209.198.103.201
+dhcp1			IN	A	209.198.103.194
+go			IN	A	209.198.103.198
+mail			IN	CNAME	gro.dd.org.
+localhost		IN	A	127.0.0.1
+dhcp2			IN	A	209.198.103.195
+www			IN	CNAME	gro.dd.org.
+dhcp3			IN	A	209.198.103.196
+dhcp4			IN	A	209.198.103.197
+moderators		IN	CNAME	moderators.isc.org.
+ns			IN	CNAME	gro.dd.org.
+$ORIGIN gazpacho.org.
+keith			IN	A	209.67.235.37
+sure			IN	A	209.67.235.38
+$ORIGIN FLAME.org.
+DNS02			IN	A	204.152.184.97
+www			IN	A	204.152.184.97
+DNS01			IN	A	204.152.184.80
+$ORIGIN giffordmed.org.
+mail			IN	A	130.189.100.51
+$ORIGIN isc.org.
+isrv3-i			IN	A	204.152.184.87
+$ORIGIN energyenhancement.org.
+www			IN	A	216.121.175.228
+$ORIGIN icann.org.
+mailhub			IN	A	192.0.34.33
+mail			IN	A	198.32.1.99
+$ORIGIN PAPP.UNDP.org.
+PAPPSRV			IN	A	192.115.229.1
+$ORIGIN xaos.org.
+amethyst		IN	A	204.145.159.12
+			IN	MX	0 mail.xaos.org.
+			IN	MX	5 gw.xaos.org.
+sure			IN	A	209.67.235.38
+taiyoo			IN	A	204.145.159.13
+			IN	MX	0 mail.xaos.org.
+			IN	MX	5 gw.xaos.org.
+gw			IN	A	24.93.15.22
+reimei			IN	A	204.145.159.17
+			IN	MX	0 mail.xaos.org.
+			IN	MX	5 gw.xaos.org.
+gwi			IN	A	204.145.159.2
+			IN	HINFO	"Firewall" "Gateway"
+			IN	MX	0 mail.xaos.org.
+			IN	MX	5 gw.xaos.org.
+keith			IN	A	209.67.235.37
+axis			IN	A	204.145.159.20
+mail			IN	CNAME	furii.xaos.org.
+all			IN	A	24.95.203.33
+			IN	MX	0 mail.xaos.org.
+			IN	MX	5 gw.xaos.org.
+www			IN	CNAME	gw.xaos.org.
+kadou			IN	A	204.145.159.14
+			IN	MX	0 mail.xaos.org.
+			IN	MX	5 gw.xaos.org.
+furii			IN	A	204.145.159.11
+			IN	MX	0 mail.xaos.org.
+			IN	MX	5 gw.xaos.org.
+ftp			IN	CNAME	gw.xaos.org.
+gwe			IN	CNAME	gw.xaos.org.
+$ORIGIN PUNCHDOWN.org.
+NS			IN	A	140.174.131.100
+$ORIGIN mmuuf.org.
+www			IN	MX	10 gro.dd.org.
+			IN	A	209.198.103.205
+$ORIGIN OPEN-RSC.org.
+ASLAN			IN	A	199.5.157.128
+UNICORN			IN	A	207.126.103.16
+$ORIGIN COGNOSCENTI.org.
+SYNAESTHESIA		IN	A	207.208.112.4
+ANAESTHESIA		IN	A	207.208.112.3
+$ORIGIN DC.IGC.org.
+NS			IN	A	199.75.208.10
+$ORIGIN mitre.org.
+DNSSRV1X		IN	A	199.94.97.51
+mbunix			IN	A	199.94.97.52
+DNSSRV3X		IN	A	198.76.173.100
+smtpproxy1		IN	A	129.83.20.90
+linus			IN	A	129.83.10.1
+			IN	MX	1 linus.mitre.org.
+			IN	MX	5 smtpproxy1.mitre.org.
+			IN	MX	10 smtpproxy2.mitre.org.
+smtpproxy2		IN	A	128.29.154.90
+mwunix			IN	A	198.76.173.52
+$ORIGIN reptiles.org.
+mail			IN	A	198.96.117.157
+NS2			IN	A	192.75.253.138
+NS			IN	A	198.96.117.136
+$ORIGIN ISPC.org.
+NS2			IN	A	209.124.64.11
+NS3			IN	A	207.230.32.23
+NS1			IN	A	207.106.7.7
+$ORIGIN IGC.APC.org.
+NS1			IN	A	192.82.108.38
+$ORIGIN iscvt.org.
+isc-01			IN	A	207.136.209.131
+$ORIGIN FLIRBLE.org.
+NS0			IN	A	195.40.6.20
+$ORIGIN SANS.org.
+SERVER1			IN	A	167.216.133.33
+$ORIGIN LTWCC.org.
+NS2			IN	A	12.33.66.62
+NS1			IN	A	12.33.66.61
+$ORIGIN CMHNET.org.
+elektro			IN	A	192.188.133.3
+$ORIGIN SNPT.KM.
+BOW			IN	A	195.101.19.253
+$ORIGIN ONPT.NET.MA.
+MASSIRA			IN	A	206.103.26.1
+$ORIGIN IAM.NET.MA.
+DNS2			IN	A	212.217.0.12
+DNS3			IN	A	212.217.1.1
+DNS1			IN	A	212.217.0.1
+$ORIGIN KREONET.RE.KR.
+NS			IN	A	134.75.30.1
+$ORIGIN KREN.NE.KR.
+NS			IN	A	147.47.1.1
+$ORIGIN NIC.LK.
+NS			IN	A	192.248.1.65
+$ORIGIN NIC.MC.
+NS			IN	A	195.78.6.131
+$ORIGIN 110.16.12.IN-ADDR.ARPA.
+35			IN	CNAME	35.32/27.110.16.12.in-addr.arpa.
+$ORIGIN 32/27.110.16.12.IN-ADDR.ARPA.
+35			IN	PTR	mail.nova-data.com.
+$ORIGIN 0.0.127.IN-ADDR.ARPA.
+1			IN	PTR	localhost.
+$ORIGIN 184.152.204.IN-ADDR.ARPA.
+87			IN	PTR	isrv3-i.isc.org.
+$ORIGIN 187.152.204.IN-ADDR.ARPA.
+59			IN	PTR	shell.nominum.com.
+$ORIGIN 131.127.204.IN-ADDR.ARPA.
+47			IN	PTR	mtiwmhc22.worldnet.att.net.
+$ORIGIN 198.245.204.IN-ADDR.ARPA.
+90			IN	PTR	maus.spack.org.
+$ORIGIN 159.145.204.IN-ADDR.ARPA.
+12			IN	PTR	amethyst.xaos.org.
+13			IN	PTR	taiyoo.xaos.org.
+14			IN	PTR	kadou.xaos.org.
+17			IN	PTR	reimei.xaos.org.
+20			IN	PTR	axis.xaos.org.
+2			IN	PTR	gwi.xaos.org.
+11			IN	PTR	furii.xaos.org.
+$ORIGIN 241.5.198.IN-ADDR.ARPA.
+38			IN	PTR	cmr0.ash.ops.us.uu.net.
+39			IN	PTR	cmr1.ash.ops.us.uu.net.
+$ORIGIN 241.103.199.IN-ADDR.ARPA.
+218			IN	PTR	abyssinian.sleepycat.com.
+$ORIGIN 153.66.206.IN-ADDR.ARPA.
+12			IN	PTR	d.dd.org.
+102			IN	PTR	gro.dd.org.
+128			IN	PTR	www.vmba.org.
+1			IN	PTR	workgroup.dd.org.
+2			IN	PTR	doubt.dd.org.
+136			IN	PTR	www.mmuuf.org.
+4			IN	PTR	nila.dd.org.
+10			IN	PTR	go.dd.org.
+$ORIGIN 84.198.209.IN-ADDR.ARPA.
+242			IN	PTR	dlawren-gw.burl.sover.net.
+$ORIGIN 87.198.209.IN-ADDR.ARPA.
+52			IN	PTR	mqueue0.sover.net.
+$ORIGIN 103.198.209.IN-ADDR.ARPA.
+198			IN	CNAME	198.192.103.198.209.in-addr.arpa.
+205			IN	CNAME	205.192.103.198.209.in-addr.arpa.
+199			IN	CNAME	199.192.103.198.209.in-addr.arpa.
+206			IN	CNAME	206.192.103.198.209.in-addr.arpa.
+193			IN	CNAME	193.192.103.198.209.in-addr.arpa.
+200			IN	CNAME	200.192.103.198.209.in-addr.arpa.
+201			IN	CNAME	201.192.103.198.209.in-addr.arpa.
+$ORIGIN 192.103.198.209.IN-ADDR.ARPA.
+202			IN	PTR	fraud.dd.org.
+195			IN	PTR	dhcp2.dd.org.
+203			IN	PTR	fraud.dd.org.
+196			IN	PTR	dhcp3.dd.org.
+204			IN	PTR	ppp.dd.org.
+197			IN	PTR	dhcp4.dd.org.
+205			IN	PTR	www.mmuuf.org.
+198			IN	PTR	go.dd.org.
+206			IN	PTR	www.vmba.org.
+199			IN	PTR	d.dd.org.
+207			IN	PTR	broadcast.dd.org.
+200			IN	PTR	gro.dd.org.
+193			IN	PTR	doubt.dd.org.
+201			IN	PTR	workgroup.dd.org.
+194			IN	PTR	dhcp1.dd.org.
+$ORIGIN 133.188.192.IN-ADDR.ARPA.
+3			IN	PTR	elektro.com.
+$ORIGIN 206.203.192.IN-ADDR.ARPA.
+9			IN	PTR	ice.WonderWorks.COM.
+$ORIGIN 2.39.137.IN-ADDR.ARPA.
+3			IN	PTR	New-York4.NY.ALTER.NET.
+$ORIGIN 126.39.137.IN-ADDR.ARPA.
+10			IN	PTR	Fddi0-0.New-York4.NY.ALTER.NET.
+$ORIGIN IRD.MG.
+ANTANA			IN	A	194.214.107.1
+$ORIGIN NIC.MG.
+NS			IN	A	194.214.107.253
+$ORIGIN KW.
+DNS2			IN	A	161.252.48.150
+DNS1			IN	A	161.252.48.140
+$ORIGIN MOC.KW.
+NCC			IN	A	196.1.69.98
+$ORIGIN NET.NA.
+GRUMPY			IN	A	196.20.23.1
+$ORIGIN RELCOM.KZ.
+NS			IN	A	212.110.240.65
+$ORIGIN MARNET.MK.
+KITKA			IN	A	194.149.131.2
+$ORIGIN SC-UNI.KTU.LT.
+NEMUNAS			IN	A	193.219.32.13
+$ORIGIN SOTELMA.ML.
+ASKIA			IN	A	208.144.230.3
+$ORIGIN DNS.LU.
+NS2			IN	A	158.64.229.3
+NS5			IN	A	194.246.96.193
+NS1			IN	A	158.64.229.2
+$ORIGIN INTNET.NE.
+BOW			IN	A	194.51.164.253
+$ORIGIN MN.
+MAGIC			IN	A	202.131.0.10
+$ORIGIN NF.
+NS2			IN	A	203.12.249.101
+NS1			IN	A	203.12.249.100
+$ORIGIN LATNET.LV.
+NS2			IN	A	159.148.108.1
+NS			IN	A	159.148.60.2
+$ORIGIN UMAC.MO.
+UMACSN2			IN	A	161.64.3.2
+NS2			IN	A	161.64.7.2
+UMACSN1			IN	A	161.64.3.1
+NS1			IN	A	161.64.7.1
+$ORIGIN NI.
+NS			IN	A	165.98.1.2
+			IN	A	200.30.36.8
+$ORIGIN TMX.COM.NI.
+NS			IN	A	205.218.253.2
+$ORIGIN UNIV-NKC.MR.
+DNS2			IN	A	193.251.145.154
+DNS1			IN	A	193.251.145.155
+$ORIGIN SVIANED.nl.
+NS			IN	A	143.177.1.3
+$ORIGIN secondary.nl.
+ns2			IN	A	194.229.138.6
+$ORIGIN DOMAIN-REGISTRY.nl.
+NS2			IN	A	193.176.144.130
+NS			IN	A	193.176.144.2
+$ORIGIN MT.
+NS			IN	A	193.188.47.252
+$ORIGIN DHIRAAGU.MV.
+NS			IN	A	202.1.192.196
+$ORIGIN NO.
+NAC			IN	A	129.240.2.40
+ALCANET			IN	MX	15 tyholt.uninett.no.
+			IN	MX	20 nac.no.
+			IN	A	158.39.5.5
+$ORIGIN UIO.NO.
+IFI			IN	A	129.240.64.2
+$ORIGIN SOL.NO.
+NS1			IN	A	195.225.2.10
+$ORIGIN uit.NO.
+benoni			IN	A	129.242.4.254
+$ORIGIN ALCANET.NO.
+NS			IN	A	193.213.238.10
+$ORIGIN UNINETT.NO.
+aun			IN	A	129.241.1.99
+tyholt			IN	A	158.38.60.10
+NN			IN	A	158.38.0.181
+$ORIGIN alcatel.NO.
+ns2			IN	A	193.213.238.2
+$ORIGIN UNINET.NET.MX.
+MEX1-M-213		IN	A	200.33.146.213
+$ORIGIN AVANTEL.NET.MX.
+DNS1			IN	A	200.33.213.66
+$ORIGIN UNAM.MX.
+NS			IN	A	132.248.253.1
+$ORIGIN NIC.MX.
+NS			IN	A	200.23.1.1
+$ORIGIN MOS.COM.NP.
+SHIKHAR			IN	A	202.52.255.5
+$ORIGIN MY.
+MIMOS			IN	A	192.228.128.18
+JARING			IN	A	192.228.128.20
+$ORIGIN JARING.MY.
+GATEN			IN	A	161.142.227.17
+GATE1			IN	A	161.142.2.17
+$ORIGIN PA.
+NS			IN	A	168.77.8.2
+$ORIGIN USMA.AC.PA.
+VASCO			IN	A	208.141.92.2
+$ORIGIN UEM.MZ.
+ZEBRA			IN	A	196.3.96.67
+OCEANO			IN	A	196.3.96.69
+DZOWO			IN	A	196.3.96.66
+$ORIGIN CENPAC.NET.NR.
+NRWEB			IN	A	203.98.224.66
+$ORIGIN NIC.NU.
+NS			IN	A	128.11.47.50
+$ORIGIN DE.NIC.NU.
+NS0			IN	A	216.200.116.40
+$ORIGIN TELIA.NIC.NU.
+NS0			IN	A	212.181.91.4
+$ORIGIN NS.NIC.NU.
+NZ			IN	A	203.97.132.66
+$ORIGIN OMANTEL.NET.OM.
+OM4			IN	A	206.49.101.5
+OM10			IN	A	206.49.101.6
+$ORIGIN RCP.NET.PE.
+ICHU			IN	A	161.132.5.14
+$ORIGIN MANA.PF.
+NS2			IN	A	202.3.225.20
+NS1			IN	A	202.3.225.10
+$ORIGIN QATAR.NET.QA.
+NS2			IN	A	212.77.192.13
+NS3			IN	A	212.77.192.15
+NS1			IN	A	212.77.192.10
+$ORIGIN CLEAR.NET.NZ.
+NS2			IN	A	203.97.37.14
+NS1			IN	A	203.97.33.14
+$ORIGIN DNS.NET.NZ.
+NS1			IN	A	202.46.161.3
+$ORIGIN IHUG.NET.NZ.
+NS2			IN	A	203.29.160.2
+$ORIGIN XTRA.CO.NZ.
+GORGON			IN	A	202.27.158.34
+$ORIGIN WAIKATO.AC.NZ.
+NS99			IN	A	130.217.76.27
+$ORIGIN VUW.AC.NZ.
+RATA			IN	A	130.195.2.11
+$ORIGIN MCS.VUW.AC.NZ.
+DOWNSTAGE		IN	A	130.195.6.10
+CIRCA			IN	A	130.195.5.12
+$ORIGIN PL.
+from			IN	A	212.160.132.114
+$ORIGIN NASK.ORG.PL.
+BILBO			IN	A	148.81.16.51
+			IN	A	195.187.245.51
+$ORIGIN pbks.PL.
+alf			IN	A	195.205.33.200
+$ORIGIN CYFRONET.KRAKOW.PL.
+NMS			IN	A	149.156.1.3
+$ORIGIN MAN.LODZ.PL.
+DNS2			IN	A	212.51.192.5
+$ORIGIN ispid.com.PL.
+trurl			IN	A	195.150.99.3
+$ORIGIN itnet.com.PL.
+emerald			IN	A	195.116.64.3
+$ORIGIN ELEKTRON.PL.
+AMBER			IN	A	195.117.6.10
+$ORIGIN macrosoft.WAW.PL.
+front			IN	A	194.196.86.66
+$ORIGIN NASK.WAW.PL.
+ARWENA			IN	A	193.59.201.28
+$ORIGIN webtech.elk.PL.
+tornado			IN	A	212.244.162.100
+$ORIGIN IKP.PL.
+NS3			IN	A	157.25.5.30
+$ORIGIN TPSA.PL.
+DNS2			IN	A	194.204.152.34
+$ORIGIN uwm.EDU.PL.
+matrix			IN	A	213.184.3.136
+$ORIGIN FUW.EDU.PL.
+DNS			IN	A	193.0.80.11
+$ORIGIN UPRR.PR.
+PASCAL			IN	A	134.202.1.120
+DESCARTES		IN	A	134.202.1.125
+$ORIGIN NCC.UP.PT.
+CIUP1			IN	A	193.136.51.52
+$ORIGIN FCCN.PT.
+DNS			IN	A	193.136.192.10
+$ORIGIN DNS.PT.
+NS			IN	A	193.136.0.1
+$ORIGIN TELEPAC.PT.
+NS1			IN	A	194.65.3.20
+VIVALDI			IN	A	194.65.3.21
+$ORIGIN CNC.UNA.PY.
+SCE			IN	A	200.10.228.133
+NS			IN	A	200.10.228.132
+$ORIGIN ISU.NET.SA.
+NS1			IN	A	212.26.18.3
+$ORIGIN KACST.EDU.SA.
+NS			IN	A	212.26.44.3
+$ORIGIN COM.SB.
+PIJIN			IN	A	202.139.42.10
+$ORIGIN SOLOMON.COM.SB.
+OLKETA			IN	A	202.139.42.4
+$ORIGIN cafax.SE.
+ns			IN	A	192.71.228.17
+$ORIGIN LTH.SE.
+NIC			IN	A	130.235.20.3
+$ORIGIN SUNET.SE.
+SUNIC			IN	A	192.36.125.2
+$ORIGIN PACIFIC.NET.SG.
+NS1			IN	A	192.169.33.3
+$ORIGIN NIC.NET.SG.
+DS			IN	A	202.42.194.205
+$ORIGIN SINGNET.COM.SG.
+DNSSEC2			IN	A	195.13.10.226
+DNSSEC3			IN	A	165.21.100.11
+DNSSEC1			IN	A	165.21.83.11
+$ORIGIN RNC.RO.
+NS-A			IN	A	192.162.16.31
+NS			IN	A	192.162.16.21
+$ORIGIN NIC.SH.
+NS			IN	A	194.205.62.60
+$ORIGIN ARNES.SI.
+KANIN			IN	A	193.2.1.66
+SREBRNJAK		IN	A	193.2.1.91
+$ORIGIN INTERNET.SK.
+NS			IN	A	192.108.130.91
+$ORIGIN EUNET.SK.
+NS			IN	A	192.108.130.33
+$ORIGIN NETLAB.SK.
+NS			IN	A	195.168.1.4
+$ORIGIN SIERRATEL.SL.
+NS			IN	A	194.133.124.5
+$ORIGIN INTNET.TD.
+BOW			IN	A	193.251.147.253
+$ORIGIN RU.
+ok			IN	A	195.2.83.162
+			IN	MX	50 mail.ok.ru.
+			IN	MX	100 relay1.aha.ru.
+			IN	MX	300 relay3.aha.ru.
+$ORIGIN aha.RU.
+ns1			IN	A	195.2.80.142
+$ORIGIN ok.RU.
+mail			IN	A	195.2.83.162
+ns			IN	A	195.2.64.36
+$ORIGIN INTELCOM.SM.
+DNS			IN	A	194.183.64.11
+$ORIGIN OMNIWAY.SM.
+DNS			IN	A	194.183.64.10
+$ORIGIN UCAD.SN.
+NS			IN	A	196.1.95.1
+$ORIGIN NIC.TJ.
+NS2			IN	A	209.77.224.1
+NS1			IN	A	209.77.250.1
+$ORIGIN SPB.SU.
+NS			IN	A	193.124.83.69
+$ORIGIN RICC.ALMA-ATA.SU.
+NS			IN	A	194.87.112.4
+$ORIGIN DEMOS.SU.
+NS			IN	A	194.87.0.8
+			IN	A	194.87.0.9
+$ORIGIN RED.SV.
+CIR			IN	A	168.243.254.1
+$ORIGIN GOB.SV.
+CONACYT			IN	A	168.243.64.2
+ANTEL			IN	A	168.243.65.1
+$ORIGIN ATI.TN.
+NS			IN	A	193.95.66.10
+$ORIGIN TO.
+TONIC			IN	A	206.184.59.10
+COLO			IN	A	206.86.247.253
+$ORIGIN TDC.TO.
+NS1			IN	A	206.86.247.250
+$ORIGIN SY.
+EARTH			IN	A	195.22.198.6
+$ORIGIN VATICAN.VA.
+MICHAEL			IN	A	212.77.0.2
+$ORIGIN METU.EDU.TR.
+NS2			IN	A	144.122.199.93
+NS1			IN	A	144.122.199.90
+$ORIGIN NIC.UK.
+NS1			IN	A	195.66.240.130
+$ORIGIN AXION.BT.CO.UK.
+DNS0			IN	A	132.146.5.1
+$ORIGIN ADVSYS.CO.UK.
+BARNEY			IN	A	194.72.124.2
+$ORIGIN WR.UMIST.AC.UK.
+AARDVARK		IN	A	130.88.146.3
+			IN	A	128.16.5.31
+			IN	MX	10 bells.cs.ucl.ac.uk.
+			IN	MX	11 haig.cs.ucl.ac.uk.
+$ORIGIN CS.UCL.AC.UK.
+haig			IN	A	128.16.6.8
+bells			IN	A	128.16.5.31
+NS1			IN	A	128.16.5.32
+$ORIGIN surrey.AC.UK.
+info-server		IN	A	131.227.102.6
+eim			IN	MX	6 phoebe.eim.surrey.ac.uk.
+			IN	MX	6 prue.eim.surrey.ac.uk.
+$ORIGIN eim.surrey.AC.UK.
+prue			IN	A	131.227.76.5
+phoebe			IN	A	131.227.74.4
+$ORIGIN MHS-RELAY.AC.UK.
+SUN			IN	A	128.86.8.25
+$ORIGIN NIC.TT.
+DNS			IN	A	24.3.198.194
+$ORIGIN REACCIUN.VE.
+DNS2			IN	A	150.188.4.212
+DNS			IN	A	150.188.4.210
+$ORIGIN ULA.VE.
+AZMODAN			IN	A	150.185.130.16
+$ORIGIN UTZ.
+NS2			IN	A	160.124.112.10
+NS3			IN	A	160.124.147.1
+NS1			IN	A	160.124.48.4
+$ORIGIN NIC.TV.
+NS4			IN	A	207.151.24.23
+NS2			IN	A	208.184.1.167
+NS6			IN	A	64.56.165.153
+NS7			IN	A	64.69.172.153
+NS1			IN	A	209.143.242.138
+$ORIGIN EDU.TW.
+MOEVAX			IN	A	140.111.1.2
+$ORIGIN vt.us.
+state			IN	MX	10 mx1.state.vt.us.
+			IN	MX	10 mx2.state.vt.us.
+$ORIGIN k12.vt.us.
+ns2			IN	A	170.222.64.130
+morristown		IN	MX	0 mail.k12.vt.us.
+ns1			IN	A	170.222.64.130
+jericho			IN	MX	0 mail.k12.vt.us.
+founders		IN	MX	0 mail.k12.vt.us.
+$ORIGIN state.vt.us.
+srs			IN	A	159.105.101.150
+			IN	MX	0 srs.srs.state.vt.us.
+			IN	MX	10 mx1.state.vt.us.
+			IN	MX	10 mx2.state.vt.us.
+defgen			IN	MX	0 mail.state.vt.us.
+			IN	MX	10 mx1.state.vt.us.
+			IN	MX	10 mx2.state.vt.us.
+			IN	MX	5 vtagr02.agr.state.vt.us.
+			IN	MX	15 mx1.state.vt.us.
+			IN	MX	20 mx2.state.vt.us.
+mail			IN	A	170.222.64.134
+ns1			IN	A	159.105.23.130
+ns2			IN	A	170.222.64.130
+$ORIGIN srs.state.vt.us.
+srs			IN	A	159.105.101.150
+$ORIGIN agr.state.vt.us.
+vtagr04			IN	A	159.105.50.4
+vtagr02			IN	A	159.105.50.2
+$ORIGIN anr.state.vt.us.
+dec			IN	MX	10 mx1.state.vt.us.
+			IN	MX	10 mx2.state.vt.us.
+			IN	MX	0 dec.anr.state.vt.us.
+			IN	A	159.105.46.4
+$ORIGIN pha.pa.us.
+candle			IN	A	162.33.245.46
+$ORIGIN CNRI.reston.va.us.
+NS			IN	A	132.151.1.1
+$ORIGIN boston.MA.us.
+foxharp			IN	MX	10 bparker.connactivity.com.
+$ORIGIN ns.foxharp.boston.MA.us.
+a			IN	A	24.147.209.205
+$ORIGIN STARFIRE.DOUGLAS.MA.us.
+NS2			IN	A	216.129.136.9
+DNS			IN	A	206.225.44.40
+NS1			IN	A	216.129.136.9
+$ORIGIN NIC.us.
+USDNS			IN	A	198.41.3.87
+$ORIGIN sf.ca.us.
+asylum			IN	A	192.48.232.17
+$ORIGIN palo-alto.ca.us.
+mejac			IN	A	192.147.236.1
+$ORIGIN VN.
+DNS1			IN	A	203.162.3.235
+$ORIGIN EDU.UY.
+SECIU			IN	A	164.73.128.5
+$ORIGIN UZ.
+NS			IN	A	213.68.88.11
+$ORIGIN NOC.UZ.
+NS			IN	A	194.67.52.42
+$ORIGIN VANUATU.COM.VU.
+SANTO			IN	A	202.139.40.7
+FUTUNA			IN	A	202.139.40.3
+EFATE			IN	A	202.139.40.5
+$ORIGIN nic.mnet.
+ns2			IN	A	208.109.83.110
+ns1			IN	A	216.61.39.172
+$ORIGIN DNS.WS.
+NS4			IN	A	216.52.234.102
+NS2			IN	A	216.35.187.250
+NS1			IN	A	202.4.48.217
+NS5			IN	A	216.35.188.8
+NS3			IN	A	216.52.234.99
+$ORIGIN UCT.AC.ZA.
+UCTHPX			IN	A	137.158.128.1
+$ORIGIN FRD.AC.ZA.
+APIES			IN	A	137.214.80.1
+$ORIGIN EE.UND.AC.ZA.
+DAISY			IN	A	146.230.192.18
+$ORIGIN RU.AC.ZA.
+HIPPO			IN	A	146.231.128.1
+$ORIGIN UNZA.ZM.
+PUKU			IN	A	196.7.240.1
+$ORIGIN NIC.YU.
+NS1			IN	A	147.91.8.6
+$ORIGIN TELEKOM.YU.
+ODISEJ			IN	A	195.178.32.2
+$ORIGIN gtld-servers.ORSC.
+b			IN	A	216.13.126.116
+$ORIGIN ROOT-SERVERS.ORSC.
+B			IN	A	216.13.126.116
+C			IN	A	65.196.80.102
+A			IN	A	199.166.24.1
+$ORIGIN ZPTC.CO.ZW.
+TELCOM			IN	A	194.133.122.47
+$ORIGIN NIPR.MIL.
+PAC2			IN	A	199.252.155.234
+EUR2			IN	A	199.252.143.234
+CON2			IN	A	199.252.173.234
+PAC1			IN	A	199.252.180.234
+EUR1			IN	A	199.252.154.234
+CON1			IN	A	199.252.175.234
+$ORIGIN ARL.MIL.
+ADMII			IN	A	128.63.31.4
+			IN	A	128.63.5.4
+$ORIGIN GOV.
+nps			IN	MX	5 ccmail.itd.nps.gov.
+			IN	MX	10 ccmail2.itd.nps.gov.
+$ORIGIN STAT-USA.GOV.
+SUNNY			IN	A	192.239.70.8
+$ORIGIN NASA.GOV.
+jpl			IN	A	137.78.160.180
+NASANS4			IN	A	198.116.144.33
+NASANS3			IN	A	198.116.144.49
+NASANS1			IN	A	192.77.84.32
+$ORIGIN NSI.NASA.GOV.
+MX			IN	A	128.102.18.31
+$ORIGIN CDC.GOV.
+NS2			IN	A	198.246.96.92
+NS1			IN	A	198.246.96.61
+$ORIGIN NIST.GOV.
+NS1			IN	A	129.6.13.2
+$ORIGIN cr.USGS.GOV.
+ISDSUN			IN	A	136.177.16.3
+ns			IN	A	136.177.16.3
+rgfsparc		IN	A	136.177.164.192
+$ORIGIN ER.USGS.GOV.
+NS			IN	A	130.11.48.2
+$ORIGIN WR.USGS.GOV.
+ISDMNL			IN	A	130.118.4.2
+$ORIGIN DEN.nps.GOV.
+DENS20			IN	A	165.83.24.20
+$ORIGIN ITD.nps.GOV.
+BIGBIRD			IN	A	165.83.208.5
+$ORIGIN AKSO.nps.GOV.
+INPAKSODNS		IN	A	165.83.49.9
+$ORIGIN WRO.nps.GOV.
+VANILLA			IN	A	165.83.71.3
+$ORIGIN NCC.nps.GOV.
+OWL			IN	A	165.83.34.60
+$ORIGIN net.
+FIREHOUSE		IN	A	63.160.175.19
+gbch			IN	MX	0 maxim.gbch.net.
+VERMONTEL		IN	A	63.167.45.2
+			IN	MX	0 pop.vermontel.net.
+reedmedia		IN	A	63.145.197.178
+goldstats		IN	A	66.33.12.17
+zama			IN	A	203.142.132.46
+helicon			IN	A	63.93.137.2
+wetlogic		IN	MX	10 athome.wetlogic.net.
+188			IN	A	202.96.125.100
+			IN	A	202.96.125.101
+			IN	MX	10 mx2.188.net.
+			IN	MX	20 smtp.188.net.
+			IN	MX	10 mx1.188.net.
+valley			IN	MX	0 lebanon.valley.net.
+primary			IN	A	216.87.34.253
+SOVER			IN	A	209.198.87.53
+			IN	A	209.198.87.34
+			IN	MX	10 mail.sover.net.
+			IN	MX	20 mqueue.sover.net.
+UU			IN	MX	10 external-mail-router.UU.NET.
+connriver		IN	A	63.93.137.13
+			IN	MX	10 ns.hcr.net.
+			IN	MX	1 mailer.connriver.net.
+SHOREHAM		IN	A	199.170.121.2
+$ORIGIN cinenet.net.
+NS1			IN	A	198.147.76.65
+$ORIGIN TOGETHER.net.
+NS2			IN	A	204.97.120.31
+NS1			IN	A	204.97.120.30
+$ORIGIN IPHIL.net.
+MAKISIG			IN	A	203.176.28.135
+$ORIGIN PLANET-THREE.net.
+NS2			IN	A	212.49.219.190
+$ORIGIN FIREHOUSE.net.
+DNS2			IN	A	63.160.175.18
+DNS1			IN	A	63.160.175.19
+$ORIGIN space.net.
+ns			IN	A	195.30.0.1
+$ORIGIN DNS.space.net.
+NS4			IN	A	195.222.210.93
+NS3			IN	A	193.149.44.49
+$ORIGIN ALASKA.net.
+NS4-AUTH		IN	A	209.112.130.4
+NS1-AUTH		IN	A	209.112.160.4
+$ORIGIN FWIDCSERVICES.net.
+DEN-NS2			IN	A	216.7.160.32
+IRV-NS1			IN	A	216.23.160.51
+DEN-NS1			IN	A	216.7.160.31
+NS1			IN	A	64.78.224.58
+$ORIGIN BIJT.net.
+PAN			IN	A	213.196.2.97
+$ORIGIN SEABONE.net.
+DNS			IN	A	195.22.205.163
+$ORIGIN SPIN.OMNES.net.
+NS			IN	A	192.23.90.196
+$ORIGIN VERIO.net.
+NS2			IN	A	129.250.31.190
+NS0			IN	A	129.250.15.61
+NS1			IN	A	204.91.99.140
+$ORIGIN NS.VERIO.net.
+B			IN	A	129.250.35.32
+T			IN	A	192.67.14.16
+$ORIGIN GNOSH.net.
+GRIN			IN	A	216.15.87.207
+$ORIGIN NEASE.net.
+NS2			IN	A	202.103.134.4
+$ORIGIN CRSNIC.net.
+NS1			IN	A	198.41.3.39
+$ORIGIN VERISIGN.net.
+MODOR			IN	A	205.139.94.55
+CITADEL			IN	A	205.139.94.15
+PAGOSA			IN	A	205.139.94.16
+KAOS			IN	A	208.202.137.126
+$ORIGIN terra.net.
+ns2			IN	A	199.103.128.2
+ns1			IN	A	199.103.128.1
+$ORIGIN ADMONITOR.net.
+NS-2			IN	A	216.35.185.40
+ads			IN	A	216.35.185.145
+SC-NS1			IN	A	64.70.20.85
+$ORIGIN NORDU.net.
+SERVER			IN	A	193.10.252.19
+$ORIGIN TELEGLOBE.net.
+CASTOR			IN	A	199.202.55.2
+$ORIGIN sodak.net.
+NS2			IN	A	63.65.239.225
+RINGNECK		IN	A	63.65.238.65
+$ORIGIN gbch.net.
+MAXIM			IN	A	203.9.155.249
+$ORIGIN VERMONTEL.net.
+pop			IN	CNAME	loomis.vermontel.net.
+NS2			IN	A	204.164.106.8
+loomis			IN	A	204.164.106.19
+NS1			IN	A	204.164.106.2
+$ORIGIN farm.net.
+ns			IN	A	216.112.179.160
+$ORIGIN NAP.net.
+NS2			IN	A	206.54.224.1
+$ORIGIN AH.net.
+NS4			IN	A	203.21.205.20
+NS2			IN	A	203.21.205.1
+$ORIGIN NS.GDNS.net.
+LHR			IN	A	212.250.25.101
+DCA			IN	A	209.207.221.1
+$ORIGIN CONCENTRIC.net.
+NAMESERVER1		IN	A	207.155.183.73
+NAMESERVER3		IN	A	206.173.119.72
+NAMESERVER		IN	A	207.155.183.72
+NIC2			IN	A	207.88.60.5
+NAMESERVER2		IN	A	207.155.184.72
+$ORIGIN att.net.
+worldnet		IN	A	199.70.151.234
+$ORIGIN worldnet.att.net.
+ns3			IN	A	204.127.160.1
+ns4			IN	A	204.127.160.2
+mtiwmhc22		IN	A	204.127.131.47
+ns1			IN	A	204.127.129.1
+ns			IN	A	204.127.160.2
+			IN	A	12.102.240.1
+			IN	A	12.102.240.2
+			IN	A	12.102.244.1
+			IN	A	12.102.244.2
+			IN	A	204.127.129.1
+			IN	A	204.127.129.2
+			IN	A	204.127.160.1
+ns2			IN	A	204.127.129.2
+$ORIGIN OR.BR.NP.ELS-GMS.att.net.
+ORCU			IN	A	199.191.129.139
+$ORIGIN WY.BR.NP.ELS-GMS.att.net.
+WYCU			IN	A	199.191.128.43
+$ORIGIN OH.MT.NP.ELS-GMS.att.net.
+OHCU			IN	A	199.191.144.75
+$ORIGIN MA.MT.NP.ELS-GMS.att.net.
+MACU			IN	A	199.191.145.136
+$ORIGIN MT.NS.ELS-GMS.att.net.
+CMTU			IN	A	12.127.16.69
+DMTU			IN	A	12.127.16.70
+$ORIGIN BR.NS.ELS-GMS.att.net.
+CBRU			IN	A	199.191.128.105
+DBRU			IN	A	199.191.128.106
+$ORIGIN LEB.net.
+NS			IN	A	206.127.55.2
+$ORIGIN SEG.net.
+NS2			IN	A	206.34.181.16
+NS1			IN	A	206.34.181.15
+$ORIGIN romkey.SEG.net.
+ip1			IN	A	207.121.69.234
+$ORIGIN ync.net.
+NS4			IN	A	206.185.20.9
+NS2			IN	A	216.34.185.21
+NS5			IN	A	206.185.20.10
+NS3			IN	A	206.185.20.8
+ns1			IN	A	216.34.185.20
+$ORIGIN GLOBECOMM.net.
+NS2			IN	A	165.251.1.3
+NS1			IN	A	165.251.1.2
+$ORIGIN PREP.net.
+DNS-EAST		IN	A	129.250.252.10
+$ORIGIN EARTHLINK.net.
+NS4			IN	A	209.179.179.19
+DNS2			IN	A	207.217.77.12
+DNS3			IN	A	207.217.120.13
+DNS4			IN	A	209.179.179.18
+NS1			IN	A	207.217.126.41
+NS2			IN	A	207.217.77.42
+$ORIGIN SPRINTLINK.net.
+NS3-AUTH		IN	A	144.228.255.10
+NS2-AUTH		IN	A	144.228.254.10
+NS1-AUTH		IN	A	206.228.179.10
+$ORIGIN OP.net.
+NS1			IN	A	209.152.193.4
+$ORIGIN CERNET.net.
+NS			IN	A	202.112.0.44
+$ORIGIN zenon.net.
+dns			IN	A	195.2.83.107
+$ORIGIN INFI.net.
+NS3			IN	A	205.219.239.5
+NS4			IN	A	216.33.106.19
+NS001			IN	A	208.131.160.201
+NS1			IN	A	198.22.1.107
+NS2			IN	A	198.22.1.108
+$ORIGIN vh8.INFI.net.
+vh80040			IN	A	209.97.59.245
+vh80167			IN	A	209.97.57.116
+$ORIGIN vh4.INFI.net.
+vh40099			IN	A	209.97.59.121
+$ORIGIN SCRUZ.net.
+NS2			IN	A	165.227.2.10
+NS			IN	A	165.227.1.1
+$ORIGIN HINET.net.
+netnews			IN	A	168.95.195.16
+			IN	MX	0 netnews.hinet.net.
+HNTP1			IN	A	168.95.192.1
+HNTP3			IN	A	168.95.192.2
+DNS			IN	A	168.95.1.1
+$ORIGIN reedmedia.net.
+ns2			IN	A	209.241.86.6
+NS1			IN	A	63.145.197.178
+$ORIGIN schnism.net.
+ns			IN	A	195.88.150.3
+$ORIGIN unlisys.net.
+mail			IN	A	195.21.255.252
+$ORIGIN AIC.net.
+NS			IN	A	195.250.64.65
+$ORIGIN PIPEX-SZ.net.
+NS			IN	A	196.15.232.19
+$ORIGIN DOMAINNT.net.
+DENEB			IN	A	207.211.220.90
+RIGEL			IN	A	212.0.205.5
+VEGA			IN	A	209.26.120.5
+POLARIS			IN	A	209.26.120.2
+ANTARES			IN	A	209.26.120.3
+$ORIGIN GUERNSEY.net.
+DNS2			IN	A	195.226.128.3
+$ORIGIN usa.net.
+CNDVG001		IN	A	165.212.12.1
+$ORIGIN OPS.usa.net.
+dns03			IN	A	204.68.24.136
+DNS01			IN	A	204.68.24.137
+$ORIGIN INR.net.
+NS2			IN	A	198.77.208.3
+NS1			IN	A	198.77.208.2
+$ORIGIN CP.MSFT.net.
+dns6			IN	A	207.46.138.20
+DNS4			IN	A	207.46.138.11
+dns7			IN	A	207.46.138.21
+dns			IN	A	207.46.138.10
+DNS5			IN	A	207.46.138.12
+$ORIGIN UK.MSFT.net.
+DNS4			IN	A	213.199.144.152
+DNS3			IN	A	213.199.144.151
+$ORIGIN TK.MSFT.net.
+DNS2			IN	A	207.46.232.38
+DNS1			IN	A	207.46.232.37
+$ORIGIN HHS.net.
+NS			IN	A	63.93.136.29
+$ORIGIN NEWACCOUNT.net.
+NS			IN	A	216.121.96.26
+$ORIGIN PBI.net.
+NS2			IN	A	206.13.29.11
+NS1			IN	A	206.13.28.11
+$ORIGIN timeheart.net.
+ns1			IN	A	63.197.231.203
+$ORIGIN TOSA.TWTELECOM.net.
+INS2			IN	A	204.95.160.4
+INS1			IN	A	204.95.160.2
+$ORIGIN zama.net.
+NS2			IN	A	203.142.130.5
+NS1			IN	A	203.142.130.4
+$ORIGIN MINDLINK.net.
+GIANT			IN	A	204.174.18.2
+DEEP			IN	A	204.174.16.4
+$ORIGIN SER.BBNPLANET.net.
+KNOCK			IN	A	192.239.16.129
+$ORIGIN MEDIASERVICES.net.
+NS2			IN	A	64.65.16.237
+NS			IN	A	64.65.15.147
+$ORIGIN KOLO.net.
+NS			IN	A	209.66.103.20
+$ORIGIN SEYCHELLES.net.
+NS1			IN	A	202.84.235.33
+$ORIGIN BT.net.
+NS0			IN	A	194.72.6.51
+$ORIGIN JERKY.net.
+NS1			IN	A	204.57.55.100
+$ORIGIN CN.net.
+DNS2			IN	A	202.97.18.61
+NS1			IN	A	202.97.7.17
+NS			IN	A	202.97.16.195
+$ORIGIN runway.CN.net.
+ns			IN	A	211.101.132.8
+$ORIGIN APNIC.net.
+SVC00			IN	A	202.12.28.131
+TECKLA			IN	A	202.12.28.129
+NS			IN	A	203.37.255.97
+$ORIGIN BELLSOUTH.net.
+NS			IN	A	205.152.0.5
+$ORIGIN ATL.BELLSOUTH.net.
+NS			IN	A	205.152.0.20
+$ORIGIN CL.BELLSOUTH.net.
+NS2			IN	A	205.152.16.8
+NS3			IN	A	205.152.32.8
+$ORIGIN MIA.BELLSOUTH.net.
+NS			IN	A	205.152.16.20
+$ORIGIN RDU.BELLSOUTH.net.
+NS			IN	A	205.152.32.20
+$ORIGIN 163.net.
+SHNS			IN	A	61.129.65.108
+BJNS			IN	A	202.108.255.202
+NS			IN	A	202.108.255.201
+$ORIGIN ca.us.ibm.net.
+ns02			IN	A	165.87.201.243
+ns01			IN	A	165.87.201.244
+$ORIGIN ny.us.ibm.net.
+ns01			IN	A	165.87.194.244
+$ORIGIN CP.net.
+NS3			IN	A	209.228.14.4
+NS1			IN	A	209.228.15.4
+$ORIGIN tallship.net.
+falcon			IN	A	208.179.112.2
+condor			IN	A	12.28.140.20
+nomad			IN	A	204.107.129.2
+satan			IN	A	204.107.129.3
+rectum			IN	A	204.107.129.10
+$ORIGIN ns.tmcs.net.
+b			IN	A	209.104.33.252
+c			IN	A	209.104.39.252
+a			IN	A	209.104.63.252
+$ORIGIN pshift.net.
+mail			IN	A	208.153.85.30
+$ORIGIN CTCCOM.net.
+NS4			IN	A	64.69.100.35
+NS3			IN	A	64.69.100.67
+$ORIGIN cid.net.
+bofh			IN	A	212.172.21.254
+$ORIGIN PIPEX.net.
+NS0			IN	A	158.43.128.8
+NS1			IN	A	158.43.192.7
+$ORIGIN DNS.PIPEX.net.
+NS1-Y			IN	A	158.43.193.89
+NS0-Y			IN	A	158.43.129.89
+$ORIGIN SOTELMA.net.
+DOGON			IN	A	208.144.230.1
+CIWARA			IN	A	208.144.230.2
+$ORIGIN DK.net.
+NS			IN	A	193.88.44.42
+$ORIGIN HIGGS.net.
+ns2			IN	A	204.80.125.145
+ns3			IN	A	204.80.101.94
+ns			IN	A	204.80.101.90
+ns1			IN	A	204.80.125.130
+PINE			IN	A	204.80.125.130
+$ORIGIN E-SYNC.net.
+NS2			IN	A	192.206.57.128
+NS1			IN	A	192.206.57.127
+$ORIGIN ABOVE.net.
+NS3			IN	A	207.126.105.146
+NS			IN	A	207.126.96.162
+$ORIGIN COBEX.net.
+NS2			IN	A	207.102.129.72
+NS1			IN	A	207.102.129.71
+$ORIGIN NEO.net.
+NS2			IN	A	206.109.7.65
+NS			IN	A	206.109.1.1
+$ORIGIN AFRIQ.net.
+BAABEN			IN	A	165.231.1.3
+NEENE			IN	A	165.231.1.2
+$ORIGIN CW.net.
+NS4			IN	A	204.70.49.234
+NS2			IN	A	204.70.57.242
+NS3			IN	A	204.70.25.234
+NS			IN	A	204.70.128.1
+$ORIGIN hactrn.net.
+NS			IN	A	216.254.68.12
+$ORIGIN QUASAR.net.
+NS1			IN	A	199.166.31.3
+$ORIGIN VERMONTLAW.net.
+NS1			IN	A	63.89.26.15
+NS			IN	A	63.89.26.16
+$ORIGIN ICP.net.
+ICM1			IN	A	192.94.207.66
+$ORIGIN wetlogic.net.
+athome			IN	CNAME	c1059495-a.snvl1.sfba.home.com.
+$ORIGIN NY.ALTER.net.
+New-York4		IN	A	137.39.126.10
+			IN	A	137.39.2.3
+$ORIGIN pccf.net.
+proxy			IN	A	205.189.73.123
+$ORIGIN IS-FUN.net.
+NS4			IN	A	212.162.54.34
+$ORIGIN GUA.net.
+OSI2			IN	A	205.161.188.3
+$ORIGIN 2GLOBE.net.
+TERMINAL		IN	A	195.178.183.230
+NS			IN	A	195.178.183.200
+$ORIGIN SYS.GTEI.net.
+DNSAUTH2		IN	A	4.2.49.3
+DNSAUTH3		IN	A	4.2.49.4
+DNSAUTH1		IN	A	4.2.49.2
+$ORIGIN SPEAKEASY.net.
+NS2			IN	A	216.231.41.22
+NS1			IN	A	216.254.0.9
+$ORIGIN PSI.net.
+NS2			IN	A	38.8.50.2
+$ORIGIN DNS.UK.PSI.net.
+SEC1			IN	A	154.32.105.34
+$ORIGIN ray.net.
+ns1			IN	A	195.238.228.131
+$ORIGIN anycast.net.
+ns1			IN	A	216.196.51.4
+$ORIGIN EP.net.
+FLAG			IN	A	198.32.4.13
+$ORIGIN SR.net.
+NS2			IN	A	200.1.156.11
+NS1			IN	A	200.1.157.10
+$ORIGIN IPTEK.net.
+CADDSYS			IN	A	202.46.1.2
+$ORIGIN NIC.XLINK.net.
+DNS			IN	A	193.141.40.42
+$ORIGIN NURSAT.net.
+NS2			IN	A	212.13.167.1
+NS			IN	A	194.226.128.1
+$ORIGIN 188.net.
+smtp			IN	A	202.96.125.104
+mx2			IN	A	202.96.125.101
+ns2			IN	A	202.103.134.4
+mx1			IN	A	202.96.125.100
+NS			IN	A	202.96.125.106
+$ORIGIN KORNET.net.
+NS			IN	A	168.126.63.1
+$ORIGIN CCSRS.net.
+NS2			IN	A	206.253.214.73
+NS1			IN	A	209.237.73.73
+$ORIGIN EU.net.
+NS			IN	A	192.16.202.11
+$ORIGIN USSR.EU.net.
+NS			IN	A	193.124.22.65
+$ORIGIN RELCOM.EU.net.
+NS			IN	A	193.124.23.3
+$ORIGIN AUSTRIA.EU.net.
+NS			IN	A	192.92.138.35
+NS3			IN	A	193.154.160.110
+$ORIGIN hypa.net.
+ns2			IN	A	63.160.181.11
+ns1			IN	A	63.160.181.10
+			IN	A	209.166.167.208
+$ORIGIN IDT.net.
+NS			IN	A	198.4.75.100
+$ORIGIN NS.IDT.net.
+AUTH2			IN	A	169.132.133.1
+$ORIGIN ROOT-SERVERS.net.
+A			IN	A	198.41.0.4
+B			IN	A	128.9.0.107
+C			IN	A	192.33.4.12
+D			IN	A	128.8.10.90
+E			IN	A	192.203.230.10
+F			IN	A	192.5.5.241
+G			IN	A	192.112.36.4
+H			IN	A	128.63.2.53
+I			IN	A	192.36.148.17
+$ORIGIN I-DNS.net.
+D			IN	A	211.169.245.170
+B			IN	A	208.184.25.199
+F			IN	A	216.200.119.128
+E			IN	A	202.160.253.152
+C			IN	A	210.189.254.50
+A			IN	A	208.184.174.7
+$ORIGIN US.PRSERV.net.
+NS4			IN	A	165.87.201.244
+NS1			IN	A	165.87.194.244
+NS3			IN	A	165.87.201.243
+$ORIGIN U-NET.net.
+NS0			IN	A	194.119.128.65
+NS1			IN	A	194.119.128.66
+$ORIGIN HS0.U-NET.net.
+NS0			IN	A	194.119.128.70
+NS1			IN	A	194.119.128.71
+$ORIGIN ULTRADNS.net.
+UDNS2			IN	A	204.74.101.1
+UDNS1			IN	A	204.69.234.1
+$ORIGIN WEBMAGIC.net.
+NS2			IN	A	64.168.49.66
+NS1			IN	A	209.119.182.2
+$ORIGIN HOST4U.net.
+NS2			IN	A	209.150.129.3
+NS			IN	A	209.150.128.30
+$ORIGIN RCCN.net.
+DNS			IN	A	193.136.7.17
+$ORIGIN valley.net.
+lebanon			IN	A	198.115.160.16
+NS2			IN	A	198.115.160.16
+DNS			IN	A	198.115.160.10
+$ORIGIN primary.net.
+dns2			IN	A	205.242.187.235
+NS2			IN	A	205.242.176.103
+dns1			IN	A	205.242.187.234
+NS1			IN	A	205.242.92.2
+$ORIGIN SQUONK.net.
+NS2			IN	A	63.84.12.135
+NS1			IN	A	63.84.12.133
+$ORIGIN IP-PLUS.net.
+NS1			IN	A	164.128.36.34
+$ORIGIN TECHNOLOGIA.net.
+NS2			IN	A	207.253.59.4
+NS1			IN	A	207.253.214.199
+NS3			IN	A	195.115.180.67
+$ORIGIN VI.net.
+NS2			IN	A	212.78.64.10
+NS1			IN	A	194.88.77.1
+$ORIGIN ISLES.net.
+RS			IN	A	212.100.224.90
+$ORIGIN SOVER.net.
+time			IN	CNAME	garnet.sover.net.
+mqueue			IN	A	209.198.87.52
+etrn			IN	A	209.198.87.58
+garnet			IN	A	209.198.87.53
+MAPLE			IN	A	209.198.87.41
+CLOVER			IN	A	209.198.87.40
+mail			IN	A	209.198.87.53
+			IN	A	209.198.87.34
+mqueue0			IN	A	209.198.87.52
+$ORIGIN ACT2000.net.
+ACT2			IN	A	207.42.132.227
+ACT1			IN	A	207.42.132.226
+$ORIGIN AKADNS.net.
+ZA			IN	A	209.185.188.39
+ZB			IN	A	216.32.65.105
+ZC			IN	A	204.178.107.227
+ZD			IN	A	204.178.110.67
+ZE			IN	A	216.200.14.118
+ZF			IN	A	208.5.85.132
+ZG			IN	A	206.132.160.36
+ZH			IN	A	63.208.48.42
+$ORIGIN NS.ESAT.net.
+NS3			IN	A	192.111.39.100
+$ORIGIN THEPLANET.net.
+EARTH			IN	A	195.92.195.222
+PLUTO			IN	A	194.207.6.30
+VENUS			IN	A	194.152.65.222
+$ORIGIN UU.net.
+uunet			IN	MX	10 Mail.uu.net.
+external-mail-router		IN	A	198.5.241.39
+			IN	A	198.5.241.38
+			IN	A	198.5.241.40
+NS			IN	A	137.39.1.3
+$ORIGIN NS.DE.UU.net.
+AUTH03			IN	A	192.76.144.16
+$ORIGIN NS.UU.net.
+AUTH100			IN	A	198.6.1.202
+AUTH00			IN	A	198.6.1.65
+AUTH02			IN	A	198.6.1.82
+AUTH03			IN	A	198.6.1.83
+AUTH60			IN	A	198.6.1.181
+AUTH61			IN	A	198.6.1.182
+AUTH110			IN	A	198.6.1.114
+AUTH50			IN	A	198.6.1.161
+AUTH51			IN	A	198.6.1.162
+$ORIGIN PIONEERNET.net.
+DNS2			IN	A	208.240.196.10
+DNS1			IN	A	208.240.196.9
+$ORIGIN HOME.net.
+NS2			IN	A	24.2.0.27
+NS1			IN	A	24.0.0.27
+$ORIGIN QUANTIFIED.net.
+NS2			IN	A	63.212.171.3
+NS1			IN	A	63.212.171.2
+$ORIGIN SECURE.net.
+NS2			IN	A	161.58.9.10
+NS1			IN	A	192.41.1.10
+$ORIGIN DSL.net.
+NS2			IN	A	209.87.79.232
+NS1			IN	A	209.87.64.70
+$ORIGIN JA.net.
+NS0			IN	A	128.86.1.20
+			IN	A	193.63.94.20
+$ORIGIN ULCC.JA.net.
+NOC			IN	A	193.63.94.25
+$ORIGIN CINE.net.
+NS2			IN	A	207.168.250.12
+$ORIGIN ANS.net.
+NS-02B			IN	A	207.24.245.178
+NS-01B			IN	A	199.221.47.8
+NS-02A			IN	A	207.24.245.179
+NS-01A			IN	A	199.221.47.7
+$ORIGIN OAR.net.
+NS2			IN	A	192.88.195.10
+NS1			IN	A	192.88.193.144
+$ORIGIN MAHNET.net.
+NS2			IN	A	207.219.173.132
+NS1			IN	A	24.69.168.121
+$ORIGIN NCREN.net.
+REGGAE			IN	A	128.109.131.3
+NCNOC			IN	A	192.101.21.1
+$ORIGIN AMERICA.net.
+AUTH2			IN	A	209.17.197.18
+AUTH1			IN	A	209.17.197.2
+$ORIGIN EXODUS.net.
+NS2			IN	A	207.82.198.150
+NS			IN	A	206.79.230.10
+NS3			IN	A	206.79.240.13
+$ORIGIN NJ.EXODUS.net.
+NS2			IN	A	209.1.10.234
+NS			IN	A	206.79.7.50
+$ORIGIN DOUBLECLICK.net.
+uunymdgds1		IN	A	206.65.183.21
+dcnymdgds1		IN	A	204.253.104.202
+exnjmdgds1		IN	A	209.67.38.22
+dcnyadgds1		IN	A	204.253.104.11
+bbvamdgds1		IN	A	128.11.60.75
+exnjadgds1		IN	A	209.67.38.48
+annyadgds1		IN	A	208.184.29.250
+annyadgds2		IN	A	208.184.29.252
+cwvamdgds1		IN	A	205.138.3.240
+uucamdgds1		IN	A	204.178.112.124
+cwvaadgds1		IN	A	205.138.3.242
+spnjadgds1		IN	A	208.32.211.70
+cwvaadgds2		IN	A	205.138.3.243
+ctukadgds1		IN	A	213.86.246.20
+tlseadgds1		IN	A	194.237.107.6
+uusjmdgds1		IN	A	204.176.177.20
+uuvamdgds1		IN	A	204.178.112.168
+$ORIGIN DCNY.DOUBLECLICK.net.
+NS2			IN	A	204.253.104.10
+NS1			IN	A	208.211.225.10
+$ORIGIN UUSJ.DOUBLECLICK.net.
+NS1			IN	A	204.176.177.10
+$ORIGIN CWVA.DOUBLECLICK.net.
+NS1			IN	A	205.138.3.20
+$ORIGIN DSO.net.
+NS2			IN	A	206.16.77.11
+NS1			IN	A	206.16.77.10
+$ORIGIN GIP.net.
+NS2			IN	A	204.59.1.222
+NS1			IN	A	204.59.144.222
+NS3			IN	A	204.59.64.222
+$ORIGIN AMNIC.net.
+NS			IN	A	195.250.64.90
+$ORIGIN TELSTRA.net.
+NS1			IN	A	139.130.4.5
+$ORIGIN ELI.net.
+NS2			IN	A	207.173.86.2
+NS			IN	A	209.63.0.2
+$ORIGIN TWNIC.net.
+NS			IN	A	192.83.166.11
+$ORIGIN BAHNHOF.net.
+NS2			IN	A	212.85.64.4
+NS1			IN	A	195.178.160.2
+$ORIGIN ivm.net.
+ns1			IN	A	62.204.1.1
+$ORIGIN BEACHSHORE.net.
+NS1			IN	A	199.166.31.250
+$ORIGIN TDS.net.
+NS			IN	A	204.246.1.20
+$ORIGIN FIRSTWORLD.net.
+NS4			IN	A	216.7.160.162
+NS2			IN	A	216.127.92.78
+NS1			IN	A	216.7.160.75
+NS3			IN	A	216.7.160.161
+$ORIGIN centralinfo.net.
+ns2			IN	A	63.102.204.130
+ns1			IN	A	63.102.200.2
+$ORIGIN NOC.NULLUS.net.
+NS2			IN	A	63.119.253.254
+NS3			IN	A	63.168.101.254
+NS1			IN	A	209.136.161.254
+$ORIGIN FREE.net.
+NS1			IN	A	147.45.15.34
+$ORIGIN mediaone.net.
+NS1			IN	A	24.128.1.80
+NS2			IN	A	24.128.1.81
+$ORIGIN MW.mediaone.net.
+NS1			IN	A	24.131.1.8
+$ORIGIN JVNC.net.
+NISC			IN	A	128.121.50.7
+$ORIGIN NS.NYC1.GLOBIX.net.
+Z1			IN	A	209.10.66.55
+$ORIGIN NS.LHR1.GLOBIX.net.
+Z1			IN	A	212.111.32.38
+$ORIGIN NS.SJC1.GLOBIX.net.
+Z1			IN	A	209.10.34.55
+$ORIGIN akamaitech.net.
+za			IN	A	204.178.107.226
+n6g			IN	A	216.52.121.175
+ZB			IN	A	128.11.47.240
+n2g			IN	A	216.52.56.47
+ZC			IN	A	216.32.65.14
+ZD			IN	A	38.144.120.147
+n5g			IN	A	216.52.56.33
+ZE			IN	A	216.200.14.134
+n1g			IN	A	216.52.56.36
+ZF			IN	A	204.178.110.73
+n8g			IN	A	216.52.56.33
+ZG			IN	A	209.185.188.14
+n4g			IN	A	216.52.56.33
+ZH			IN	A	213.161.66.165
+n0g			IN	A	216.52.56.33
+n7g			IN	A	216.52.196.5
+n3g			IN	A	216.52.56.48
+$ORIGIN THNIC.net.
+NS-AIT			IN	A	192.41.170.219
+NS			IN	A	202.28.0.1
+$ORIGIN connriver.net.
+mailer			IN	A	63.93.137.13
+ns2			IN	A	208.240.246.5
+netserver		IN	A	204.249.74.100
+$ORIGIN IT.net.
+DNS2			IN	A	151.1.2.1
+DNS			IN	A	151.1.1.1
+$ORIGIN D4P.net.
+foolusmf		IN	CNAME	a100.g.akamai.net.
+$ORIGIN LUCKY.net.
+NS			IN	A	193.193.193.100
+$ORIGIN SENET.net.
+NS			IN	A	206.155.163.195
+$ORIGIN RIPE.net.
+NS			IN	A	193.0.0.193
+$ORIGIN ADELPHIA.net.
+NS2			IN	A	24.48.62.35
+NS3			IN	A	208.239.78.134
+NS1			IN	A	24.48.43.3
+$ORIGIN cdp.ADELPHIA.net.
+mx1			IN	A	24.48.58.221
+$ORIGIN buf.ADELPHIA.net.
+mx1			IN	A	24.48.36.10
+$ORIGIN INTERNIC.net.
+NS2			IN	A	198.41.0.11
+$ORIGIN UNDPBI.TELEPAC.net.
+SOL			IN	A	194.65.87.2
+$ORIGIN KRNIC.net.
+NS1			IN	A	202.30.50.51
+NS			IN	A	202.30.50.50
+$ORIGIN UNI2.net.
+NS2			IN	A	195.82.195.99
+NS			IN	A	129.142.7.99
+$ORIGIN GTLD-SERVERS.net.
+K			IN	A	213.177.194.5
+A			IN	A	198.41.3.38
+B			IN	A	203.181.106.5
+M			IN	A	202.153.114.101
+C			IN	A	205.188.185.18
+D			IN	A	208.206.240.5
+E			IN	A	207.200.81.69
+F			IN	A	198.17.208.67
+G			IN	A	198.41.3.101
+I			IN	A	192.36.144.133
+J			IN	A	210.132.100.101
+$ORIGIN dns.swip.net.
+kista			IN	A	192.71.220.9
+$ORIGIN RCPIP.net.
+EKEKO			IN	A	209.45.127.2
+$ORIGIN UNA.net.
+ENGINE1			IN	A	208.136.52.74
+$ORIGIN hcr.net.
+ns			IN	A	208.240.246.4
+$ORIGIN NSIREGISTRY.net.
+NS2			IN	A	198.41.3.108
+$ORIGIN SUBTEND.net.
+NAVI			IN	A	208.186.117.224
+NS1			IN	A	208.186.117.71
+$ORIGIN IAD.GBLX.net.
+NAME			IN	A	204.152.166.155
+$ORIGIN PHX.GBLX.net.
+NAME			IN	A	206.165.6.10
+$ORIGIN ROC.GBLX.net.
+NAME			IN	A	209.130.187.10
+$ORIGIN SHOREHAM.net.
+pop			IN	CNAME	shoreham.net.
+$ORIGIN GREENMOUNTAINACCESS.net.
+NS2			IN	A	208.144.252.31
+NS1			IN	A	208.144.252.30
+$ORIGIN MINDSPRING.net.
+SCRATCHY		IN	A	207.69.200.211
+ITCHY			IN	A	207.69.200.210
+$ORIGIN RIPN.net.
+NS2			IN	A	195.209.0.6
+NS			IN	A	194.85.119.1
+$ORIGIN CWCI.net.
+NS0			IN	A	194.6.79.162
+$ORIGIN GBMTECH.net.
+NS2			IN	A	208.243.164.3
+NS1			IN	A	208.243.164.2
+$ORIGIN vrx.net.
+pedic-med		IN	A	199.166.24.2
+ns2			IN	A	65.196.80.102
+ns3			IN	A	199.166.24.3
+ns1			IN	A	199.166.24.1
+			IN	A	216.13.76.2
+$ORIGIN globalnetisp.net.
+NS2			IN	A	207.136.213.2
+NS1			IN	A	207.136.213.1
+$ORIGIN MYNET.net.
+FAITH			IN	A	207.13.11.2
+$ORIGIN ADNS.net.
+NS2			IN	A	199.5.157.3
+KOVU			IN	A	199.5.157.52
+NS1			IN	A	199.5.157.2
+$ORIGIN DIEBOLD.net.
+NS1			IN	A	65.196.80.10
+$ORIGIN JPS.net.
+NS2			IN	A	216.224.156.252
+NS1			IN	A	216.119.0.192
+$ORIGIN NETNAMES.net.
+NS2			IN	A	212.53.77.28
+NS1			IN	A	212.53.64.60
+$ORIGIN RIO.net.
+ORSTOM			IN	A	192.33.151.1
+$ORIGIN com.
+sherickpm		IN	MX	10 inbound.sherickpm.com.criticalpath.net.
+ultradevices		IN	A	209.249.61.20
+verisign		IN	A	205.139.94.60
+vermontel		IN	A	204.164.106.2
+			IN	MX	0 pop.vermontel.net.
+TOPICA			IN	A	206.132.75.196
+unknown			IN	A	168.143.148.168
+vietmercury		IN	A	207.1.134.34
+moonmothers		IN	A	24.218.253.157
+			IN	MX	10 costorf.ne.mediaone.net.
+vhv			IN	MX	0 mail.vhv.com.
+BURSTNET		IN	MX	15 mail.ar.com.
+			IN	MX	5 ibd.ar.com.
+velco			IN	A	207.217.96.41
+			IN	A	207.217.96.42
+			IN	A	207.217.96.43
+			IN	A	207.217.96.44
+			IN	A	207.217.96.45
+			IN	A	207.217.96.28
+			IN	A	207.217.96.29
+			IN	A	207.217.96.30
+			IN	A	207.217.96.31
+			IN	A	207.217.96.32
+			IN	A	207.217.96.33
+			IN	A	207.217.96.34
+			IN	A	207.217.96.35
+			IN	A	207.217.96.36
+			IN	A	207.217.96.37
+			IN	A	207.217.96.38
+			IN	A	207.217.96.39
+			IN	A	207.217.96.40
+			IN	MX	10 mail.velco.com.
+ffic			IN	A	64.84.58.128
+			IN	MX	5 mail.mailconnect.com.
+overstock		IN	A	64.78.130.251
+madriver		IN	MX	10 bend.madriver.com.
+catic1			IN	MX	10 Mail.catic1.com.
+			IN	MX	20 smtp-Relay.CTCCom.net.
+goldstats		IN	A	66.33.12.17
+nominum			IN	A	204.152.184.170
+hill			IN	A	208.162.106.6
+			IN	MX	20 mail.hill.com.
+garmontusa		IN	MX	20 mail.garmontusa.com.
+bt			IN	A	62.7.244.127
+xraylitho		IN	MX	10 mail.sover.net.
+			IN	MX	20 mqueue.sover.net.
+glaxowellcome		IN	MX	10 firewall1.glaxowellcome.com.
+			IN	MX	10 firewall3.glaxowellcome.com.
+nova-data		IN	A	64.70.144.14
+			IN	MX	10 mail.nova-data.com.
+AVENUEA			IN	MX	100 mail2.louisdreyfus.co.uk.
+			IN	MX	10 ldfwsvr2.l-dreyfus.com.
+			IN	MX	50 ldfwsvr02-hme1.l-dreyfus.com.
+			IN	MX	75 mail.louisdreyfus.co.uk.
+best			IN	MX	10 mail1.best.com.
+			IN	MX	10 mail2.best.com.
+			IN	MX	20 mail3.best.com.
+			IN	MX	20 mail4.best.com.
+biketrack		IN	MX	20 mqueue.sover.net.
+			IN	MX	10 mail.sover.net.
+ilovedomain		IN	A	211.175.164.170
+symquest		IN	A	64.69.102.131
+			IN	MX	10 Quest-7.symquest.com.
+QUEST-NET		IN	A	207.140.30.11
+			IN	MX	5 mail.quest-net.com.
+cacheware		IN	A	209.128.82.20
+Algebra			IN	A	208.233.99.160
+gmcr			IN	A	12.34.108.130
+			IN	MX	10 gateway1.gmcr.com.
+YAHOO			IN	A	216.115.108.243
+			IN	A	216.115.108.245
+ogud			IN	MX	90 smtp.elistx.com.
+			IN	MX	10 mail.dc.ogud.com.
+costorf			IN	A	24.218.253.157
+			IN	MX	10 costorf.ne.mediaone.net.
+highmeadow		IN	A	207.136.209.6
+			IN	MX	10 hm6.vt.highmeadow.com.
+			IN	MX	20 mqueue.sover.net.
+broadsoft		IN	A	208.39.36.48
+cmates			IN	MX	10 popmail.u-net.com.
+mt-mansfield		IN	A	208.153.85.16
+			IN	MX	10 mail.pshift.net.
+			IN	MX	30 pomail.pshift.com.
+skiinsurance		IN	MX	10 mail.skiinsurance.com.
+			IN	MX	20 etrn.sover.net.
+map			IN	A	206.98.40.150
+idx			IN	MX	30 isdev.idx.com.
+			IN	MX	50 drawbridge.idx.com.
+			IN	MX	10 idx.idx.com.
+			IN	MX	20 bvtsweeper.idx.com.
+msgbox			IN	A	216.71.82.42
+sleepycat		IN	A	192.41.61.122
+cisco			IN	A	198.133.219.25
+			IN	MX	10 proxy2.cisco.com.
+			IN	MX	10 proxy3.cisco.com.
+			IN	MX	20 proxy6.cisco.com.
+			IN	MX	20 proxy9.cisco.com.
+			IN	MX	10 proxy1.cisco.com.
+TOAPLAN			IN	A	216.42.31.169
+hometownbands		IN	A	209.67.235.38
+smuggs			IN	MX	10 mail.smuggs.com.
+clothncanvas		IN	A	208.153.85.16
+			IN	MX	10 mail.pshift.net.
+			IN	MX	30 mail.pshift.com.
+quantified		IN	A	63.212.171.4
+arabia			IN	A	216.251.232.40
+bostic			IN	A	199.103.241.218
+verisign-grs		IN	A	198.41.3.55
+gdarm			IN	MX	10 bvt-ext.gdarm.com.
+retro			IN	A	205.179.181.194
+			IN	MX	10 gw.retro.com.
+			IN	MX	20 www.retro.com.
+			IN	MX	50 mail.scruznet.com.
+vssg			IN	A	216.157.26.252
+jerusalem-mail		IN	A	216.251.232.93
+			IN	MX	10 mail.jerusalem-mail.com.
+tfm			IN	MX	50 mtbaker.tfm.com.
+			IN	MX	20 mailhost.tfm.com.
+fratfunz		IN	A	216.226.16.150
+elektro			IN	A	192.188.133.3
+WonderWorks		IN	A	192.203.206.65
+			IN	MX	50 mail.wonderworks.com.
+fiberia			IN	MX	10 webmail.fiberia.com.
+tifosi			IN	MX	10 gutenberg.bucksnet.com.
+ivillage		IN	A	209.185.162.150
+pwshift			IN	A	208.153.85.36
+goputney		IN	MX	10 mail.sover.net.
+			IN	MX	20 mqueue.sover.net.
+$ORIGIN IPNS.com.
+NS2			IN	A	63.230.183.1
+NS			IN	A	208.187.190.2
+$ORIGIN appliedtheory.com.
+NS2			IN	A	168.75.17.11
+NS1			IN	A	204.168.28.9
+ns3			IN	A	207.127.101.8
+$ORIGIN COMPUWARE.com.
+nl			IN	MX	150 uucp.nl.net.
+			IN	MX	50 bitbucket.extern.uniface.nl.
+			IN	MX	100 smtp.nl.net.
+$ORIGIN YOUR-DOMAIN.com.
+NS2			IN	A	216.167.31.177
+NS1			IN	A	216.167.31.176
+$ORIGIN nortelnetworks.com.
+NS-RCH			IN	A	192.135.215.2
+NS-OTT			IN	A	192.58.194.71
+ns-har			IN	A	192.100.101.3
+$ORIGIN SJMERCURY.com.
+BAYONET			IN	A	207.1.134.34
+$ORIGIN excite.com.
+NSE00			IN	A	198.3.102.250
+NS00			IN	A	198.3.98.250
+NSE01			IN	A	198.3.102.251
+NS01			IN	A	198.3.98.251
+$ORIGIN PLANET-THREE.com.
+NS0			IN	A	212.49.219.164
+$ORIGIN TOKYO.JP.NETDNS.com.
+NS1			IN	A	64.56.164.118
+$ORIGIN LONDON.UK.NETDNS.com.
+NS1			IN	A	212.62.6.38
+$ORIGIN SANFRANCISCO.US.NETDNS.com.
+NS1			IN	A	207.82.50.166
+$ORIGIN NEWYORK.US.NETDNS.com.
+NS1			IN	A	216.32.212.86
+$ORIGIN SEATTLE.US.NETDNS.com.
+NS1			IN	A	206.253.214.13
+$ORIGIN ARICATRA.com.
+NS			IN	A	206.64.112.114
+$ORIGIN REGME.com.
+NS1			IN	A	207.153.57.14
+$ORIGIN ELISTX.com.
+smtp			IN	A	209.116.252.130
+NS			IN	A	209.116.252.130
+$ORIGIN SIGMAHOSTING.com.
+NS1			IN	A	209.241.86.6
+$ORIGIN champcable.com.
+CCC			IN	A	207.41.53.11
+$ORIGIN IAFRICA.com.
+NS1			IN	A	196.7.0.139
+NS3			IN	A	196.7.0.137
+$ORIGIN dot-god.com.
+A-GTLD-SERVERS		IN	A	205.189.73.123
+B-GTLD-SERVERS		IN	A	205.189.71.10
+$ORIGIN CONRADPROMOTIONS.com.
+NS2			IN	A	208.24.118.203
+NS1			IN	A	208.158.96.118
+$ORIGIN onemain.com.
+ns4			IN	A	63.208.210.11
+NS2			IN	A	166.90.148.68
+NS1			IN	A	166.90.148.67
+ns3			IN	A	63.208.210.10
+$ORIGIN SIMORGH.com.
+NS1			IN	A	209.1.163.10
+$ORIGIN Christ.com.
+Yeshua			IN	A	207.54.4.5
+Abba			IN	A	63.229.15.59
+$ORIGIN TRAVELPHOTOCONTESTS.com.
+www			IN	A	64.85.86.156
+$ORIGIN WEB2010.com.
+NS4			IN	A	216.157.55.6
+NS2			IN	A	216.157.79.246
+NS3			IN	A	216.157.47.6
+NS			IN	A	209.235.31.149
+$ORIGIN 2DAY.com.
+NS2			IN	A	202.89.128.74
+NS1			IN	A	202.37.240.13
+NS3			IN	A	209.240.128.25
+$ORIGIN NETSCAPE.com.
+tdns-me1		IN	A	205.188.247.67
+tdns-me2		IN	A	205.188.247.68
+tdns2			IN	A	207.200.77.53
+tdns3			IN	A	207.200.73.72
+NS			IN	A	198.95.251.10
+NS2			IN	A	207.200.73.80
+$ORIGIN WWEBSVS.com.
+PAPPILLOMA		IN	A	209.233.37.10
+$ORIGIN vermontel.com.
+ns1			IN	A	204.164.106.2
+$ORIGIN LA.TIS.com.
+RELAY			IN	A	198.51.22.11
+$ORIGIN MSEN.com.
+DNS			IN	A	148.59.19.11
+$ORIGIN bungi.com.
+DAVER			IN	A	206.14.228.2
+			IN	A	207.126.97.2
+max			IN	A	206.14.228.7
+			IN	A	207.126.97.7
+$ORIGIN SPEEDHOST.com.
+NS2			IN	A	216.42.31.169
+NS3			IN	A	216.42.31.130
+$ORIGIN GPG.com.
+NS2			IN	A	209.1.163.50
+NS1			IN	A	209.1.163.30
+$ORIGIN NL.CONCENTRIC.com.
+NS1			IN	A	195.18.114.5
+$ORIGIN SJC.LYCOS.com.
+SJC-NS2			IN	A	206.79.171.40
+SJC-NS1			IN	A	206.79.171.39
+$ORIGIN BOS.LYCOS.com.
+BOS-NS2			IN	A	209.67.228.40
+BOS-NS1			IN	A	209.67.228.39
+$ORIGIN TOPICA.com.
+NS3			IN	A	206.111.131.72
+ns-ext			IN	A	206.132.75.195
+inmta011		IN	A	206.132.75.197
+inmta009		IN	A	206.132.75.226
+dns			IN	A	206.111.131.72
+outmta004		IN	A	206.132.75.201
+inmta001		IN	A	206.132.75.197
+			IN	A	206.111.131.79
+inmta003		IN	A	206.132.75.213
+outmta010		IN	A	206.132.75.222
+inmta005		IN	A	206.132.75.217
+NS1			IN	A	206.132.75.195
+NS2			IN	A	208.184.76.200
+$ORIGIN DOLEH.com.
+NS			IN	A	204.255.25.63
+$ORIGIN BSDI.com.
+NS			IN	A	207.174.116.8
+$ORIGIN NYTIMES.com.
+GATEKEEPER		IN	A	199.181.175.201
+$ORIGIN GDGSC.com.
+NS0			IN	A	192.160.62.66
+NS2			IN	A	204.162.124.66
+$ORIGIN EDIGITALS.com.
+NS2			IN	A	211.39.139.36
+NS3			IN	A	211.175.164.170
+NS1			IN	A	211.39.139.35
+$ORIGIN INTERNETSQUARE.com.
+NS2			IN	A	205.227.232.9
+NS1			IN	A	216.226.16.146
+$ORIGIN MAIL.com.
+NS2			IN	A	165.251.1.3
+GTLD			IN	A	165.251.1.239
+NS1			IN	A	165.251.1.2
+$ORIGIN moonmothers.com.
+localhost		IN	A	127.0.0.1
+www			IN	CNAME	moonmothers.com.
+$ORIGIN vhv.com.
+mail			IN	A	208.5.161.11
+$ORIGIN BOCA15-VERIO.com.
+NS15B			IN	A	208.55.91.51
+NS15A			IN	A	208.55.91.50
+$ORIGIN ar.com.
+ns2			IN	A	64.124.80.42
+ibd			IN	A	63.194.205.75
+mail			IN	A	63.194.205.74
+NS1			IN	A	63.194.205.74
+$ORIGIN BLIPP.com.
+VIC20			IN	A	195.163.165.35
+$ORIGIN CONCOURSE.com.
+NS			IN	A	199.218.113.2
+$ORIGIN velco.com.
+mail			IN	A	198.136.217.106
+$ORIGIN FLONETWORK.com.
+UUNS1DNS1		IN	A	209.167.79.5
+UUNS1DNS2		IN	A	209.167.79.6
+$ORIGIN overstock.com.
+NS1			IN	A	207.225.194.13
+$ORIGIN NEWACCOUNT.com.
+NS4			IN	A	209.78.16.6
+NS2			IN	A	209.78.16.5
+NS3			IN	A	216.121.32.205
+NS			IN	A	216.121.32.10
+$ORIGIN tridog.com.
+NS2			IN	A	206.168.112.51
+TRIDOG1			IN	A	206.168.112.71
+$ORIGIN madriver.com.
+bend			IN	A	207.136.232.15
+FUSION			IN	A	207.136.232.11
+PRIMUS			IN	A	207.136.232.12
+$ORIGIN catic1.com.
+Mail			IN	A	207.190.204.103
+$ORIGIN IBD.com.
+NIC			IN	A	209.249.61.18
+$ORIGIN IOM.com.
+PEBBLES			IN	A	194.72.124.1
+$ORIGIN nominum.com.
+shell			IN	A	204.152.187.59
+GNS2			IN	A	198.133.199.2
+gns1			IN	A	198.133.199.1
+$ORIGIN ATLONLINE.com.
+ATLNET			IN	A	207.153.72.193
+ATLWEB1			IN	A	207.153.72.194
+$ORIGIN hill.com.
+SYRUP			IN	A	208.162.106.3
+$ORIGIN garmontusa.com.
+mail			IN	A	64.30.8.178
+$ORIGIN VIX.com.
+NS-EXT			IN	A	204.152.184.64
+ns-int			IN	A	204.152.184.65
+$ORIGIN rc.VIX.com.
+db			IN	A	204.152.187.21
+$ORIGIN SOVAM.com.
+NS			IN	A	194.67.2.97
+$ORIGIN IOS.com.
+NOC			IN	A	198.4.75.69
+$ORIGIN BOSTON.juno.com.
+NS			IN	A	64.136.25.53
+$ORIGIN JERSEY.juno.com.
+NS			IN	A	64.136.17.178
+$ORIGIN NYC.juno.com.
+NS			IN	A	205.231.108.1
+$ORIGIN MEITCA.com.
+NS1			IN	A	137.203.5.1
+$ORIGIN glaxowellcome.com.
+firewall3		IN	A	192.58.204.207
+firewall1		IN	A	192.58.204.204
+NS			IN	A	192.58.204.113
+$ORIGIN EPILOGUE.com.
+QUERN			IN	A	128.224.1.136
+$ORIGIN CLASSIFIEDMONSTER.com.
+NS1			IN	A	216.254.54.22
+$ORIGIN nova-data.com.
+mail			IN	A	12.16.110.35
+$ORIGIN corning.com.
+GATEKEEPER		IN	A	149.42.1.2
+$ORIGIN a1.YIMG.com.
+us			IN	CNAME	a32.g.a.yimg.com.
+$ORIGIN i1.YIMG.com.
+us			IN	CNAME	a1.g.a.yimg.com.
+$ORIGIN nc.us.IBM.com.
+e24			IN	A	32.97.136.230
+e22			IN	A	32.97.136.228
+e23			IN	A	32.97.136.229
+e21			IN	A	32.97.136.227
+$ORIGIN co.us.IBM.com.
+e34			IN	A	32.97.110.132
+e32			IN	A	32.97.110.130
+e33			IN	A	32.97.110.131
+e31			IN	A	32.97.110.129
+$ORIGIN ny.us.IBM.com.
+e4			IN	A	32.97.182.104
+e2			IN	A	32.97.182.102
+e3			IN	A	32.97.182.103
+e1			IN	A	32.97.182.101
+$ORIGIN AUSTIN.IBM.com.
+NS			IN	A	192.35.232.34
+$ORIGIN ZURICH.IBM.com.
+INTERNET-SERVER		IN	A	195.212.119.252
+$ORIGIN ALMADEN.IBM.com.
+NS			IN	A	198.4.83.35
+$ORIGIN ERS.IBM.com.
+NS			IN	A	204.146.173.35
+$ORIGIN WATSON.IBM.com.
+NS			IN	A	198.81.209.2
+$ORIGIN DCCSERVER.com.
+GODFEVER		IN	A	208.137.22.6
+$ORIGIN SUN.com.
+saturn			IN	A	192.9.25.2
+venus			IN	A	192.9.25.5
+east			IN	MX	40 mars.sun.com.
+			IN	MX	40 mondzo.sun.com.
+			IN	MX	5 venus.sun.com.
+			IN	MX	5 lukla.sun.com.
+			IN	MX	5 saturn.sun.com.
+			IN	MX	5 patan.sun.com.
+			IN	MX	15 mercury.sun.com.
+mondzo			IN	A	192.18.100.1
+lukla			IN	A	192.18.98.31
+NS-BRM			IN	A	192.18.99.5
+ns-os			IN	A	192.9.9.6
+patan			IN	A	192.18.98.43
+mars			IN	A	192.9.22.1
+mercury			IN	A	192.9.25.1
+NS			IN	A	192.9.9.3
+$ORIGIN pr.SUN.com.
+ns1			IN	A	192.18.16.2
+$ORIGIN eu.SUN.com.
+ns1			IN	A	192.18.240.8
+$ORIGIN USEC.SUN.com.
+NS			IN	A	192.9.48.3
+$ORIGIN PSHIFT.com.
+ns2			IN	A	208.153.85.21
+NS1			IN	A	208.153.85.20
+$ORIGIN mobydark.com.
+ns1			IN	A	216.13.76.21
+$ORIGIN compuserve.com.
+DUB-NAME-SVC-1		IN	A	149.174.213.5
+ARL-NAME-SVC-1		IN	A	149.174.211.5
+$ORIGIN NS.cs.com.
+DNS-02			IN	A	205.188.157.235
+DNS-01			IN	A	152.163.159.235
+$ORIGIN pcode.com.
+ns1			IN	A	216.15.192.135
+$ORIGIN AVENUEA.com.
+EX2-DNS0		IN	A	216.34.88.20
+SEA2DNS			IN	A	63.251.8.150
+$ORIGIN PHOTOTRUST.com.
+Filer			IN	A	64.85.86.172
+NS02			IN	A	64.85.86.142
+www			IN	A	64.85.86.151
+NS01			IN	A	64.85.86.141
+$ORIGIN GOOGLE.com.
+HEDNS1			IN	A	64.209.200.10
+helbdns			IN	A	64.209.200.252
+valbdns			IN	A	216.239.37.252
+exlbdns			IN	A	64.208.34.252
+sulbdns			IN	A	64.208.32.252
+NS			IN	A	209.185.108.134
+sjlbdns			IN	A	216.239.35.252
+NS2			IN	A	209.185.108.135
+$ORIGIN ns0.com.
+NS00			IN	A	216.92.60.60
+ns0			IN	A	209.197.64.1
+$ORIGIN best.com.
+NS3			IN	A	209.24.149.42
+mail2			IN	A	206.184.139.12
+			IN	A	206.184.139.13
+			IN	A	206.184.139.16
+			IN	A	206.184.139.18
+mail3			IN	A	206.184.139.12
+			IN	A	206.184.139.13
+			IN	A	206.184.139.16
+			IN	A	206.184.139.18
+mail4			IN	A	206.184.139.12
+			IN	A	206.184.139.13
+			IN	A	206.184.139.16
+			IN	A	206.184.139.18
+NS1			IN	A	209.24.149.41
+mail1			IN	A	206.184.139.12
+			IN	A	206.184.139.13
+			IN	A	206.184.139.16
+			IN	A	206.184.139.18
+NS2			IN	A	209.157.102.11
+$ORIGIN WESTOL.com.
+NS			IN	A	63.93.137.4
+$ORIGIN ilovedomain.com.
+ns			IN	A	211.175.164.170
+$ORIGIN symquest.com.
+Quest-7			IN	A	64.69.102.131
+$ORIGIN QUEST-NET.com.
+mail			IN	A	207.140.30.11
+NS2			IN	A	207.140.30.13
+NS1			IN	A	207.140.30.11
+$ORIGIN cavebear.com.
+p2			IN	A	199.184.128.35
+npax			IN	A	192.203.17.71
+$ORIGIN cacheware.com.
+ns1			IN	A	64.221.210.242
+$ORIGIN Algebra.com.
+ns3			IN	A	216.254.54.22
+ns1			IN	A	160.79.196.177
+NS5			IN	A	208.233.99.161
+$ORIGIN gmcr.com.
+gateway1		IN	A	12.34.108.130
+$ORIGIN YAHOO.com.
+NS1			IN	A	204.71.200.33
+$ORIGIN EUROPE.YAHOO.com.
+NS3			IN	A	217.12.4.71
+$ORIGIN DCX.YAHOO.com.
+NS5			IN	A	216.32.74.10
+$ORIGIN GRANITECANYON.com.
+NS2			IN	A	204.1.217.148
+NS1			IN	A	205.166.226.38
+$ORIGIN costorf.com.
+localhost		IN	A	127.0.0.1
+www			IN	CNAME	costorf.com.
+$ORIGIN PSG.com.
+RAIN			IN	A	147.28.0.34
+RIP			IN	A	147.28.0.39
+$ORIGIN vt.highmeadow.com.
+hm6			IN	A	207.136.209.6
+$ORIGIN btinternet.com.
+DNS2			IN	A	194.73.73.94
+DNS1			IN	A	194.73.73.95
+$ORIGIN INTERNET-TOOLS.com.
+NS2			IN	A	206.109.113.140
+NS			IN	A	208.239.1.2
+NS3			IN	A	38.153.179.2
+$ORIGIN CADABRA.com.
+NS2			IN	A	209.157.194.109
+NS			IN	A	209.143.240.148
+$ORIGIN SLOWMOE.com.
+NS2			IN	A	137.118.8.50
+NS1			IN	A	137.118.8.49
+$ORIGIN ZTNET.com.
+NS2			IN	A	63.211.17.252
+NS1			IN	A	63.211.17.251
+$ORIGIN HOTWIRED.com.
+NS2			IN	A	209.185.151.6
+NS4			IN	A	209.185.151.4
+NS1			IN	A	216.32.228.8
+NS3			IN	A	216.32.228.9
+$ORIGIN g-world.com.
+NS1			IN	A	216.26.39.10
+$ORIGIN alcatrazmedia.com.
+ns1			IN	A	167.160.132.2
+$ORIGIN MESSAGESECURE.com.
+KYNSE02			IN	A	216.142.252.201
+KYNSE01			IN	A	216.142.252.199
+$ORIGIN HAITIWORLD.com.
+APPSRV			IN	A	206.152.15.34
+NS			IN	A	206.152.15.33
+$ORIGIN NETSOL.com.
+NS2			IN	A	198.17.208.71
+RS0			IN	A	216.168.224.206
+NS3			IN	A	216.168.224.201
+NS1			IN	A	216.168.224.200
+$ORIGIN cmates.com.
+NS-AUTH2		IN	A	208.23.213.3
+ns-auth1		IN	A	208.23.213.2
+$ORIGIN skiinsurance.com.
+mail			IN	A	207.136.205.152
+$ORIGIN GH.com.
+AUSTIN			IN	A	196.3.64.1
+$ORIGIN DIGISERVE.com.
+NS2			IN	A	204.91.84.216
+NS1			IN	A	151.196.69.5
+$ORIGIN map.com.
+sgi1			IN	A	204.71.19.20
+WORMHOLE		IN	A	204.71.19.10
+$ORIGIN SNS-UT.DEBIS.com.
+NS2			IN	A	53.122.2.10
+$ORIGIN SNS-FELB.DEBIS.com.
+NS1			IN	A	53.122.1.10
+$ORIGIN idx.com.
+seaipsvcs		IN	A	172.22.64.42
+BOSDOC			IN	A	198.114.171.109
+drawbridge		IN	A	204.165.241.2
+IDXNMS			IN	A	204.165.242.7
+idx			IN	A	198.114.171.160
+isdev			IN	A	198.181.234.9
+bvtipsvcs		IN	A	198.114.172.50
+bosdns			IN	A	198.114.171.109
+bvtsweeper		IN	A	198.181.234.69
+$ORIGIN VERITAS.com.
+NS			IN	A	204.177.156.38
+$ORIGIN BFG.com.
+gateway2		IN	A	166.102.214.66
+aisvt			IN	MX	0 gateway2.bfg.com.
+GATEWAY			IN	A	131.187.253.2
+$ORIGIN sleepycat.com.
+abyssinian		IN	A	199.103.241.218
+$ORIGIN cisco.com.
+proxy6			IN	A	203.41.198.245
+proxy9			IN	A	192.135.250.71
+proxy1			IN	A	192.31.7.88
+proxy2			IN	A	192.31.7.89
+proxy3			IN	A	192.31.7.90
+ns1			IN	A	128.107.241.185
+NS2			IN	A	192.135.250.69
+$ORIGIN TOAPLAN.com.
+www			IN	A	216.42.31.169
+$ORIGIN INTUIT.com.
+DNS1			IN	A	208.157.255.4
+$ORIGIN REGEX.com.
+NS1			IN	A	202.152.12.227
+$ORIGIN DEC.com.
+crl			IN	A	192.58.206.2
+ns			IN	A	204.123.2.42
+$ORIGIN PA.DEC.com.
+UUCP-GW-2		IN	A	16.1.0.19
+UUCP-GW-1		IN	A	16.1.0.18
+			IN	A	204.123.2.18
+$ORIGIN LANDLORDS.com.
+NS			IN	A	63.64.164.68
+$ORIGIN hometownbands.com.
+www			IN	A	209.67.235.38
+$ORIGIN MSFT.AKADNS.com.
+Z6			IN	A	207.229.152.20
+Z2			IN	A	32.96.80.17
+Z4			IN	A	208.148.96.220
+Z7			IN	A	213.161.66.158
+Z3			IN	A	63.215.198.67
+Z1			IN	A	216.32.118.104
+$ORIGIN smuggs.com.
+mail			IN	A	209.67.230.71
+$ORIGIN OUTREMER.com.
+MANTA			IN	A	213.16.1.106
+$ORIGIN hns.com.
+HNS3			IN	A	208.236.67.3
+$ORIGIN TRIVALLEY.com.
+NS3			IN	A	206.25.132.30
+$ORIGIN AI-R.com.
+NS2			IN	A	66.33.4.51
+NS1			IN	A	66.33.0.143
+$ORIGIN ALCATEL.com.
+NS			IN	A	192.160.6.91
+PRIMARY			IN	A	192.160.6.90
+$ORIGIN GENDYN.com.
+NET2			IN	A	204.60.171.9
+NET1			IN	A	204.60.171.8
+$ORIGIN ONLINEPHOTOCONTEST.com.
+www			IN	A	64.85.86.152
+$ORIGIN performancediver.com.
+listserv		IN	A	216.34.185.155
+$ORIGIN rge.com.
+gw			IN	A	157.225.178.11
+$ORIGIN NS.AOL.com.
+DNS-02			IN	A	205.188.157.232
+DNS-01			IN	A	152.163.159.232
+$ORIGIN MANY-PATHS-ENERGY-ENHANCEMENT.com.
+www			IN	A	66.33.4.50
+$ORIGIN IS.CHRYSLER.com.
+FXCLPR02		IN	A	204.189.94.37
+FXIOD01			IN	A	204.189.94.70
+$ORIGIN TO.GD-ES.com.
+NS			IN	A	199.107.240.66
+$ORIGIN GNAC.com.
+ns2			IN	A	209.182.195.77
+NS1			IN	A	209.182.195.77
+$ORIGIN AKAMAI.com.
+YA			IN	A	204.178.118.68
+ACCESS			IN	A	4.17.143.9
+YB			IN	A	204.212.232.16
+YC			IN	A	209.246.46.48
+YD			IN	A	209.189.112.39
+YE			IN	A	192.215.168.18
+YF			IN	A	216.32.118.14
+YG			IN	A	204.178.110.35
+YH			IN	A	128.11.61.225
+$ORIGIN QUICKEN.com.
+DNS4			IN	A	198.3.99.252
+DNS2			IN	A	206.154.105.67
+news			IN	MX	10 mail1.emailpub.com.
+			IN	MX	10 mail2.emailpub.com.
+			IN	MX	10 mail3.emailpub.com.
+			IN	MX	10 mail4.emailpub.com.
+			IN	MX	10 mail5.emailpub.com.
+			IN	MX	10 mail6.emailpub.com.
+			IN	A	207.211.106.100
+DNS3			IN	A	198.3.96.252
+DNS1			IN	A	206.154.105.66
+$ORIGIN LUXNOC.com.
+NS4			IN	A	195.206.104.201
+NS2			IN	A	195.206.105.102
+NS0			IN	A	195.206.105.1
+NS5			IN	A	195.206.104.211
+NS3			IN	A	195.206.104.1
+NS1			IN	A	195.206.105.101
+$ORIGIN MAGIC-MOMENTS.com.
+NS1			IN	A	195.224.53.80
+$ORIGIN ABAC.com.
+NS2			IN	A	216.55.144.4
+NS1			IN	A	216.55.128.4
+$ORIGIN GOTO.com.
+NS2			IN	A	204.71.128.137
+NS1			IN	A	206.132.152.241
+$ORIGIN WEBTRENDS.com.
+NS2			IN	A	63.88.212.11
+NS1			IN	A	63.88.212.10
+$ORIGIN hotmail.com.
+NS3			IN	A	209.185.130.68
+NS1			IN	A	216.200.206.140
+$ORIGIN MERCHANTWARE.com.
+NS2			IN	A	209.170.142.35
+$ORIGIN MERCURYCENTER.com.
+cgi			IN	CNAME	vh80167.vh8.infi.net.
+$ORIGIN CARIBSURF.com.
+COL2			IN	A	205.214.192.202
+COL1			IN	A	205.214.192.201
+$ORIGIN MAIL-LIST.com.
+zip			IN	MX	20 sluice.mail-list.com.
+			IN	MX	20 pipeline.mail-list.com.
+			IN	MX	20 transport.mail-list.com.
+			IN	MX	50 swifty.mail-list.com.
+			IN	MX	50 velocity.mail-list.com.
+			IN	MX	50 brisk.mail-list.com.
+			IN	MX	5 zip.mail-list.com.
+$ORIGIN NAVPOINT.com.
+south			IN	A	207.106.42.12
+north			IN	A	207.106.42.10
+NS2			IN	A	207.106.42.12
+NS			IN	A	207.106.42.10
+$ORIGIN verisign-grs.com.
+ns2			IN	A	198.41.3.108
+ns1			IN	A	198.41.3.39
+$ORIGIN gdarm.com.
+bvt-ext			IN	A	166.19.32.42
+$ORIGIN REDHAT.com.
+NS1			IN	A	216.148.218.250
+$ORIGIN SKYNETWEB.com.
+NS2			IN	A	208.231.1.35
+NS1			IN	A	208.231.1.34
+$ORIGIN COIL.com.
+BRONZE			IN	A	198.4.94.1
+$ORIGIN ZTX.COMPAQ.com.
+NS1-PUBLIC		IN	A	161.114.1.204
+$ORIGIN ZMA.COMPAQ.com.
+NS1-PUBLIC		IN	A	161.114.64.24
+$ORIGIN FOOL.com.
+NS2			IN	A	208.51.76.222
+NS1			IN	A	208.241.66.222
+$ORIGIN retro.com.
+www			IN	A	205.179.181.195
+gw			IN	A	205.179.181.194
+$ORIGIN NRSITE.com.
+NS5			IN	A	208.178.169.4
+NS7			IN	A	206.41.20.3
+NS3			IN	A	199.172.144.20
+$ORIGIN jerusalem-mail.com.
+mail			IN	A	216.251.232.93
+$ORIGIN PAIR.com.
+ns3			IN	A	209.68.1.15
+NS1			IN	A	209.68.1.11
+$ORIGIN GLOBALDNS.com.
+NS1			IN	A	206.253.214.11
+$ORIGIN tfm.com.
+mailhost		IN	A	192.231.224.11
+mtbaker			IN	A	192.231.224.2
+NS2			IN	A	208.236.160.42
+NS1			IN	A	209.83.142.82
+NS			IN	A	192.231.224.1
+$ORIGIN bock.com.
+NS2			IN	A	64.30.29.4
+NS1			IN	A	64.30.29.3
+$ORIGIN TARSUS.com.
+MAIL			IN	A	208.130.9.252
+BEAR			IN	A	208.130.9.248
+$ORIGIN NETANET.com.
+NS0			IN	A	194.6.96.218
+			IN	A	195.172.127.72
+NS1			IN	A	194.6.96.218
+$ORIGIN SEANET.com.
+DNS2			IN	A	199.181.164.2
+DNS3			IN	A	199.181.164.3
+DNS1			IN	A	199.181.164.1
+$ORIGIN INTERNETSHARE.com.
+NS1			IN	A	63.207.108.53
+$ORIGIN ALTAVISTA.com.
+NS2			IN	A	209.73.164.7
+NS3			IN	A	209.73.176.204
+NS1			IN	A	209.73.164.76
+$ORIGIN NOVELL.com.
+NS			IN	A	137.65.1.1
+$ORIGIN SAIPAN.com.
+NS2			IN	A	202.128.28.2
+NS			IN	A	202.128.27.2
+$ORIGIN diebold.com.
+eliot			IN	A	204.151.249.21
+ness			IN	A	208.228.181.21
+$ORIGIN WonderWorks.com.
+mail			IN	A	192.203.206.67
+ice			IN	A	192.203.206.9
+$ORIGIN SIGNALZ.com.
+NS			IN	A	209.67.230.71
+$ORIGIN GW.tislabs.com.
+RELAY			IN	A	192.94.214.100
+$ORIGIN CAIS.com.
+NS			IN	A	205.177.10.10
+$ORIGIN tesserae.com.
+ns2			IN	A	209.157.194.3
+NS			IN	A	209.157.194.2
+$ORIGIN NETPOLICY.com.
+MINION			IN	A	207.87.121.66
+$ORIGIN wirbel.com.
+enterprise		IN	A	194.231.54.2
+$ORIGIN fiberia.com.
+webmail			IN	A	216.55.147.2
+$ORIGIN BAYAREA.com.
+www			IN	CNAME	vh80040.vh8.infi.net.
+$ORIGIN CONNACTIVITY.com.
+bparker			IN	A	206.34.200.200
+NS2			IN	A	206.34.200.3
+CONNACTIVITY		IN	A	206.34.200.2
+$ORIGIN tifosi.com.
+BK			IN	A	208.58.189.13
+daytona			IN	A	192.104.156.3
+$ORIGIN bucksnet.com.
+gutenberg		IN	A	207.113.15.5
+$ORIGIN ivillage.com.
+NS2			IN	A	209.185.162.16
+NS1			IN	A	209.185.162.15
+$ORIGIN codelocal.com.
+ns1			IN	A	216.15.192.130
+$ORIGIN NETFLIGHT.com.
+DNS			IN	A	207.88.32.2
+$ORIGIN MERCHANTWARE.CON.
+NS1			IN	A	209.170.142.34
diff --git a/bin/tests/system/cacheclean/ns1/expire-test.db b/bin/tests/system/cacheclean/ns1/expire-test.db
new file mode 100644
index 0000000..8085543
--- /dev/null
+++ b/bin/tests/system/cacheclean/ns1/expire-test.db
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@			IN SOA	hostmaster.ns ns (
+				2011072900
+				600
+				600
+				1200
+				3600
+				)
+			NS	ns
+ns			IN	A	10.53.0.1
diff --git a/bin/tests/system/cacheclean/ns1/flushtest.db b/bin/tests/system/cacheclean/ns1/flushtest.db
new file mode 100644
index 0000000..ac6b408
--- /dev/null
+++ b/bin/tests/system/cacheclean/ns1/flushtest.db
@@ -0,0 +1,44 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+$ORIGIN flushtest.example.
+@			IN SOA	flushtest.example. ns.flushtest.example. (
+				2011072900
+				600
+				600
+				1200
+				3600
+				)
+			NS	ns
+ns			IN	A	10.53.0.1
+
+top1			IN	TXT	"text"
+second1.top1		IN	TXT	"text"
+third1.second1.top1	IN	TXT	"text"
+third2.second1.top1	IN	TXT	"text"
+second2.top1		IN	TXT	"text"
+second3.top1		IN	TXT	"text"
+
+; top2 node is omitted for testing with an empty nonterminal
+second1.top2		IN	TXT	"text"
+second2.top2		IN	TXT	"text"
+second3.top2		IN	TXT	"text"
+
+top3			IN	TXT	"text"
+second1.top3		IN	TXT	"text"
+third1.second1.top3	IN	TXT	"text"
+third2.second1.top3	IN	TXT	"text"
+; second2.top3 is omitted for testing with an empty nontermianl
+third1.second2.top3	IN	TXT	"text"
+third2.second2.top3	IN	TXT	"text"
+second3.top3		IN	TXT	"text"
+
diff --git a/bin/tests/system/cacheclean/ns1/named.args b/bin/tests/system/cacheclean/ns1/named.args
new file mode 100644
index 0000000..2ba9a14
--- /dev/null
+++ b/bin/tests/system/cacheclean/ns1/named.args
@@ -0,0 +1 @@
+-m record,size,mctx -c named.conf -d 1 -D cacheclean-ns1 -X named.lock -g -T maxcachesize=2097152
diff --git a/bin/tests/system/cacheclean/ns1/named.conf.in b/bin/tests/system/cacheclean/ns1/named.conf.in
new file mode 100644
index 0000000..98d2b28
--- /dev/null
+++ b/bin/tests/system/cacheclean/ns1/named.conf.in
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+	notify yes;
+	check-integrity no;
+	minimal-responses no;
+};
+
+zone "." {
+	type primary;
+	file "example.db";
+};
+
+zone "flushtest.example" {
+	type primary;
+	file "flushtest.db";
+};
+
+zone "expire-test" {
+	type primary;
+	file "expire-test.db";
+};
diff --git a/bin/tests/system/cacheclean/ns2/named.args b/bin/tests/system/cacheclean/ns2/named.args
new file mode 100644
index 0000000..1bcc5ea
--- /dev/null
+++ b/bin/tests/system/cacheclean/ns2/named.args
@@ -0,0 +1 @@
+-m record,size,mctx -c named.conf -d 3 -D cacheclean-ns2 -X named.lock -g -T maxcachesize=2097152
diff --git a/bin/tests/system/cacheclean/ns2/named.conf.in b/bin/tests/system/cacheclean/ns2/named.conf.in
new file mode 100644
index 0000000..554730e
--- /dev/null
+++ b/bin/tests/system/cacheclean/ns2/named.conf.in
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	notify yes;
+	disable-empty-zone 127.IN-ADDR.ARPA;
+	recursion yes;
+	dnssec-validation yes;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "flushtest.example" {
+	type forward;
+	forwarders { 10.53.0.1; };
+};
+
+zone "expire-test" {
+	type secondary;
+	primaries { 10.53.0.1; };
+};
diff --git a/bin/tests/system/cacheclean/setup.sh b/bin/tests/system/cacheclean/setup.sh
new file mode 100644
index 0000000..36969b7
--- /dev/null
+++ b/bin/tests/system/cacheclean/setup.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
diff --git a/bin/tests/system/cacheclean/tests.sh b/bin/tests/system/cacheclean/tests.sh
new file mode 100755
index 0000000..033caf0
--- /dev/null
+++ b/bin/tests/system/cacheclean/tests.sh
@@ -0,0 +1,268 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=0
+
+RNDCOPTS="-c ../common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT}"
+DIGOPTS="+nosea +nocomm +nocmd +noquest +noadd +noauth +nocomm \
+         +nostat @10.53.0.2 -p ${PORT}"
+
+# fill the cache with nodes from flushtest.example zone
+load_cache () {
+        # empty all existing cache data
+        $RNDC $RNDCOPTS flush
+
+	# load the positive cache entries
+	$DIG $DIGOPTS -f - << EOF > /dev/null 2>&1
+txt top1.flushtest.example
+txt second1.top1.flushtest.example
+txt third1.second1.top1.flushtest.example
+txt third2.second1.top1.flushtest.example
+txt second2.top1.flushtest.example
+txt second3.top1.flushtest.example
+txt second1.top2.flushtest.example
+txt second2.top2.flushtest.example
+txt second3.top2.flushtest.example
+txt top3.flushtest.example
+txt second1.top3.flushtest.example
+txt third1.second1.top3.flushtest.example
+txt third2.second1.top3.flushtest.example
+txt third1.second2.top3.flushtest.example
+txt third2.second2.top3.flushtest.example
+txt second3.top3.flushtest.example
+EOF
+
+	# load the negative cache entries
+        # nxrrset:
+	$DIG $DIGOPTS a third1.second1.top1.flushtest.example > /dev/null
+        # nxdomain:
+	$DIG $DIGOPTS txt top4.flushtest.example > /dev/null
+        # empty nonterminal:
+	$DIG $DIGOPTS txt second2.top3.flushtest.example > /dev/null
+
+	# sleep 2 seconds ensure the TTLs will be lower on cached data
+	sleep 2
+}
+
+dump_cache () {
+        rndc_dumpdb ns2 -cache _default
+}
+
+clear_cache () {
+        $RNDC $RNDCOPTS flush
+}
+
+in_cache () {
+        ttl=`$DIG $DIGOPTS "$@" | awk '{print $2}'`
+        [ -z "$ttl" ] && {
+                ttl=`$DIG $DIGOPTS +noanswer +auth "$@" | awk '{print $2}'`
+                [ "$ttl" -ge 3599 ] && return 1
+                return 0
+        }
+        [ "$ttl" -ge 3599 ] && return 1
+        return 0
+}
+
+# Extract records at and below name "$1" from the cache dump in file "$2".
+filter_tree () {
+	tree="$1"
+	file="$2"
+	perl -n -e '
+		next if /^;/;
+		if (/'"$tree"'/ || (/^\t/ && $print)) {
+			$print = 1;
+		} else {
+			$print = 0;
+		}
+		print if $print;
+	' "$file"
+}
+
+n=`expr $n + 1`
+echo_i "check correctness of routine cache cleaning ($n)"
+$DIG $DIGOPTS +tcp +keepopen -b 10.53.0.7 -f dig.batch > dig.out.ns2 || status=1
+
+digcomp --lc dig.out.ns2 knowngood.dig.out || status=1
+
+n=`expr $n + 1`
+echo_i "only one tcp socket was used ($n)"
+tcpclients=`awk '$3 == "client" && $5 ~ /10.53.0.7#[0-9]*:/ {print $5}' ns2/named.run | sort | uniq -c | wc -l`
+
+test $tcpclients -eq 1 || { status=1; echo_i "failed"; }
+
+n=`expr $n + 1`
+echo_i "reset and check that records are correctly cached initially ($n)"
+ret=0
+load_cache
+dump_cache
+nrecords=`filter_tree flushtest.example ns2/named_dump.db.test$n | grep -E '(TXT|ANY)' | wc -l`
+[ $nrecords -eq 18 ] || { ret=1; echo_i "found $nrecords records expected 18"; }
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check flushing of the full cache ($n)"
+ret=0
+clear_cache
+dump_cache
+nrecords=`filter_tree flushtest.example ns2/named_dump.db.test$n | wc -l`
+[ $nrecords -eq 0 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check flushing of individual nodes (interior node) ($n)"
+ret=0
+clear_cache
+load_cache
+# interior node
+in_cache txt top1.flushtest.example || ret=1
+$RNDC $RNDCOPTS flushname top1.flushtest.example
+in_cache txt top1.flushtest.example && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check flushing of individual nodes (leaf node, under the interior node) ($n)"
+ret=0
+# leaf node, under the interior node (should still exist)
+in_cache txt third2.second1.top1.flushtest.example || ret=1
+$RNDC $RNDCOPTS flushname third2.second1.top1.flushtest.example
+in_cache txt third2.second1.top1.flushtest.example && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check flushing of individual nodes (another leaf node, with both positive and negative cache entries) ($n)"
+ret=0
+# another leaf node, with both positive and negative cache entries
+in_cache a third1.second1.top1.flushtest.example || ret=1
+in_cache txt third1.second1.top1.flushtest.example || ret=1
+$RNDC $RNDCOPTS flushname third1.second1.top1.flushtest.example
+in_cache a third1.second1.top1.flushtest.example && ret=1
+in_cache txt third1.second1.top1.flushtest.example && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check flushing a nonexistent name ($n)"
+ret=0
+$RNDC $RNDCOPTS flushname fake.flushtest.example || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check flushing of namespaces ($n)"
+ret=0
+clear_cache
+load_cache
+# flushing leaf node should leave the interior node:
+in_cache txt third1.second1.top1.flushtest.example || ret=1
+in_cache txt top1.flushtest.example || ret=1
+$RNDC $RNDCOPTS flushtree third1.second1.top1.flushtest.example
+in_cache txt third1.second1.top1.flushtest.example && ret=1
+in_cache txt top1.flushtest.example || ret=1
+in_cache txt second1.top1.flushtest.example || ret=1
+in_cache txt third2.second1.top1.flushtest.example || ret=1
+$RNDC $RNDCOPTS flushtree second1.top1.flushtest.example
+in_cache txt top1.flushtest.example || ret=1
+in_cache txt second1.top1.flushtest.example && ret=1
+in_cache txt third2.second1.top1.flushtest.example && ret=1
+
+# flushing from an empty node should still remove all its children
+in_cache txt second1.top2.flushtest.example || ret=1
+$RNDC $RNDCOPTS flushtree top2.flushtest.example
+in_cache txt second1.top2.flushtest.example && ret=1
+in_cache txt second2.top2.flushtest.example && ret=1
+in_cache txt second3.top2.flushtest.example && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check flushing a nonexistent namespace ($n)"
+ret=0
+$RNDC $RNDCOPTS flushtree fake.flushtest.example || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check the number of cached records remaining ($n)"
+ret=0
+dump_cache
+nrecords=`filter_tree flushtest.example ns2/named_dump.db.test$n | grep -v '^;' | grep -E '(TXT|ANY)' | wc -l`
+[ $nrecords -eq 17 ] || { ret=1; echo_i "found $nrecords records expected 17"; }
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check the check that flushname of a partial match works ($n)"
+ret=0
+in_cache txt second2.top1.flushtest.example || ret=1
+$RNDC $RNDCOPTS flushtree example
+in_cache txt second2.top1.flushtest.example && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check the number of cached records remaining ($n)"
+ret=0
+dump_cache
+nrecords=`filter_tree flushtest.example ns2/named_dump.db.test$n | grep -E '(TXT|ANY)' | wc -l`
+[ $nrecords -eq 1 ] || { ret=1; echo_i "found $nrecords records expected 1"; }
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check flushtree clears adb correctly ($n)"
+ret=0
+load_cache
+dump_cache
+mv ns2/named_dump.db.test$n ns2/named_dump.db.test$n.a
+sed -n '/plain success\/timeout/,/Unassociated entries/p' \
+	ns2/named_dump.db.test$n.a > sed.out.$n.a
+grep 'plain success/timeout' sed.out.$n.a > /dev/null 2>&1 || ret=1
+grep 'Unassociated entries' sed.out.$n.a > /dev/null 2>&1 || ret=1
+grep 'ns.flushtest.example' sed.out.$n.a > /dev/null 2>&1 || ret=1
+$RNDC $RNDCOPTS flushtree flushtest.example || ret=1
+dump_cache
+mv ns2/named_dump.db.test$n ns2/named_dump.db.test$n.b
+sed -n '/plain success\/timeout/,/Unassociated entries/p' \
+	ns2/named_dump.db.test$n.b > sed.out.$n.b
+grep 'plain success/timeout' sed.out.$n.b > /dev/null 2>&1 || ret=1
+grep 'Unassociated entries' sed.out.$n.b > /dev/null 2>&1 || ret=1
+grep 'ns.flushtest.example' sed.out.$n.b > /dev/null 2>&1 && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check expire option returned from primary zone ($n)"
+ret=0
+$DIG @10.53.0.1 -p ${PORT} +expire soa expire-test > dig.out.expire
+grep EXPIRE: dig.out.expire > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check expire option returned from secondary zone ($n)"
+ret=0
+$DIG @10.53.0.2 -p ${PORT} +expire soa expire-test > dig.out.expire
+grep EXPIRE: dig.out.expire > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/case/clean.sh b/bin/tests/system/case/clean.sh
new file mode 100644
index 0000000..2c7bf97
--- /dev/null
+++ b/bin/tests/system/case/clean.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f dig.ns*.test*
+rm -f ns*/named.conf
+rm -f ns*/named.lock
+rm -f ns*/named.memstats
+rm -f ns*/named.run
+rm -f ns1/dynamic.db
+rm -f ns1/dynamic.db.jnl
+rm -f ns2/dynamic.bk
+rm -f ns2/dynamic.bk.jnl
+rm -f ns2/example.bk
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/case/dynamic.good b/bin/tests/system/case/dynamic.good
new file mode 100644
index 0000000..66f8afd
--- /dev/null
+++ b/bin/tests/system/case/dynamic.good
@@ -0,0 +1,6 @@
+DyNaMiC.		300	IN	SOA	mname1. . 2000042407 20 20 1814400 3600
+DyNaMiC.		300	IN	NS	ns1.DYNAMIC.
+DynamiC.		300	IN	MX	0 mail.eXaMpLe.
+mAiL.DynamiC.		300	IN	A	10.53.0.1
+ns1.DYNAMIC.		300	IN	A	10.53.0.1
+DyNaMiC.		300	IN	SOA	mname1. . 2000042407 20 20 1814400 3600
diff --git a/bin/tests/system/case/ns1/dynamic.db.in b/bin/tests/system/case/ns1/dynamic.db.in
new file mode 100644
index 0000000..b39b519
--- /dev/null
+++ b/bin/tests/system/case/ns1/dynamic.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+$ORIGIN DyNaMiC.
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+$ORIGIN DYNAMIC.
+			NS	ns1
+ns1			A	10.53.0.1
+$ORIGIN DynamiC.
+@			MX	0 mail.eXaMpLe.
+mAiL			A	10.53.0.1
diff --git a/bin/tests/system/case/ns1/example.db b/bin/tests/system/case/ns1/example.db
new file mode 100644
index 0000000..b58414c
--- /dev/null
+++ b/bin/tests/system/case/ns1/example.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns1
+ns1			A	10.53.0.1
+@			MX	0 mail.eXaMpLe.
+mAiL			A	10.53.0.1
diff --git a/bin/tests/system/case/ns1/named.conf.in b/bin/tests/system/case/ns1/named.conf.in
new file mode 100644
index 0000000..076b9d0
--- /dev/null
+++ b/bin/tests/system/case/ns1/named.conf.in
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	ixfr-from-differences yes;
+	check-integrity no;
+	minimal-responses no;
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+	also-notify { 10.53.0.2; };
+};
+
+zone "dynamic" {
+	type primary;
+	file "dynamic.db";
+	allow-update { any; };
+	also-notify { 10.53.0.2; };
+};
diff --git a/bin/tests/system/case/ns2/named.conf.in b/bin/tests/system/case/ns2/named.conf.in
new file mode 100644
index 0000000..0a5c76f
--- /dev/null
+++ b/bin/tests/system/case/ns2/named.conf.in
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	ixfr-from-differences yes;
+	check-integrity no;
+	no-case-compress { 10.53.0.2; };
+	minimal-responses no;
+};
+
+zone "example" {
+	type secondary;
+	file "example.bk";
+	primaries { 10.53.0.1; };
+};
+
+zone "dynamic" {
+	type secondary;
+	file "dynamic.bk";
+	primaries { 10.53.0.1; };
+};
diff --git a/bin/tests/system/case/postns1.good b/bin/tests/system/case/postns1.good
new file mode 100644
index 0000000..fcb3f9c
--- /dev/null
+++ b/bin/tests/system/case/postns1.good
@@ -0,0 +1,6 @@
+dYNAMIc.		300	IN	SOA	mname1. . 2000042409 20 20 1814400 3600
+DyNaMiC.		300	IN	NS	ns1.DYNAMIC.
+DynamiC.		300	IN	MX	0 mail.eXaMpLe.
+mAiL.DynamiC.		300	IN	A	10.53.0.1
+Ns1.DyNaMIC.		300	IN	A	10.53.0.1
+dYNAMIc.		300	IN	SOA	mname1. . 2000042409 20 20 1814400 3600
diff --git a/bin/tests/system/case/postupdate.good b/bin/tests/system/case/postupdate.good
new file mode 100644
index 0000000..7755928
--- /dev/null
+++ b/bin/tests/system/case/postupdate.good
@@ -0,0 +1,6 @@
+dYNAMIc.		300	IN	SOA	mname1. . 2000042408 20 20 1814400 3600
+DyNaMiC.		300	IN	NS	ns1.DYNAMIC.
+DynamiC.		300	IN	MX	0 mail.eXaMpLe.
+mAiL.DynamiC.		300	IN	A	10.53.0.1
+ns1.DYNAMIC.		300	IN	A	10.53.0.1
+dYNAMIc.		300	IN	SOA	mname1. . 2000042408 20 20 1814400 3600
diff --git a/bin/tests/system/case/setup.sh b/bin/tests/system/case/setup.sh
new file mode 100644
index 0000000..f691185
--- /dev/null
+++ b/bin/tests/system/case/setup.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+cp -f ns1/dynamic.db.in ns1/dynamic.db
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
diff --git a/bin/tests/system/case/tests.sh b/bin/tests/system/case/tests.sh
new file mode 100644
index 0000000..96e8924
--- /dev/null
+++ b/bin/tests/system/case/tests.sh
@@ -0,0 +1,150 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="+tcp +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}"
+
+wait_for_serial() (
+    $DIG $DIGOPTS "@$1" "$2" SOA > "$4"
+    serial=$(awk '$4 == "SOA" { print $7 }' "$4")
+    [ "$3" -eq "${serial:--1}" ]
+)
+
+status=0
+n=0
+
+n=`expr $n + 1`
+echo_i "waiting for zone transfer to complete ($n)"
+ret=0
+for i in 1 2 3 4 5 6 7 8 9
+do
+	$DIG $DIGOPTS soa example. @10.53.0.2 > dig.ns2.test$n
+	grep SOA dig.ns2.test$n > /dev/null && break
+	sleep 1
+done
+for i in 1 2 3 4 5 6 7 8 9
+do
+	$DIG $DIGOPTS soa dynamic. @10.53.0.2 > dig.ns2.test$n
+	grep SOA dig.ns2.test$n > /dev/null && break
+	sleep 1
+done
+
+n=`expr $n + 1`
+echo_i "testing case preserving responses - no acl ($n)"
+ret=0
+$DIG $DIGOPTS mx example. @10.53.0.1 > dig.ns1.test$n
+grep "0.mail.eXaMpLe" dig.ns1.test$n > /dev/null || ret=1
+grep "mAiL.example" dig.ns1.test$n > /dev/null || ret=1
+test $ret -eq 0 || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "testing no-case-compress acl '{ 10.53.0.2; }' ($n)"
+ret=0
+
+# check that we preserve zone case for non-matching query (10.53.0.1)
+$DIG $DIGOPTS mx example. -b 10.53.0.1 @10.53.0.1 > dig.ns1.test$n
+grep "0.mail.eXaMpLe" dig.ns1.test$n > /dev/null || ret=1
+grep "mAiL.example" dig.ns1.test$n > /dev/null || ret=1
+
+# check that we don't preserve zone case for match (10.53.0.2)
+$DIG $DIGOPTS mx example. -b 10.53.0.2 @10.53.0.2 > dig.ns2.test$n
+grep "0.mail.example" dig.ns2.test$n > /dev/null || ret=1
+grep "mail.example" dig.ns2.test$n > /dev/null || ret=1
+
+test $ret -eq 0 || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "testing load of dynamic zone with various \$ORIGIN values ($n)"
+ret=0
+$DIG $DIGOPTS axfr dynamic @10.53.0.1 > dig.ns1.test$n
+digcomp dig.ns1.test$n dynamic.good || ret=1
+
+test $ret -eq 0 || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "transfer of dynamic zone with various \$ORIGIN values ($n)"
+ret=0
+$DIG $DIGOPTS axfr dynamic @10.53.0.2 > dig.ns2.test$n
+digcomp dig.ns2.test$n dynamic.good || ret=1
+
+test $ret -eq 0 || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "change SOA owner case via update ($n)"
+$NSUPDATE << EOF
+server 10.53.0.1 ${PORT}
+zone dynamic
+update add dYNAMIc 0 SOA mname1. . 2000042408 20 20 1814400 3600
+send
+EOF
+$DIG $DIGOPTS axfr dynamic @10.53.0.1 > dig.ns1.test$n
+digcomp dig.ns1.test$n postupdate.good || ret=1
+
+test $ret -eq 0 || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+ret=0
+echo_i "wait for zone to transfer ($n)"
+retry_quiet 20 wait_for_serial 10.53.0.2 dynamic 2000042408 dig.ns2.test$n || ret=1
+
+test $ret -eq 0 || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check SOA owner case is transferred to secondary ($n)"
+ret=0
+$DIG $DIGOPTS axfr dynamic @10.53.0.2 > dig.ns2.test$n
+digcomp dig.ns2.test$n postupdate.good || ret=1
+
+test $ret -eq 0 || echo_i "failed"
+status=`expr $status + $ret`
+
+#update delete Ns1.DyNaMIC. 300 IN A 10.53.0.1
+n=`expr $n + 1`
+echo_i "change A record owner case via update ($n)"
+$NSUPDATE << EOF
+server 10.53.0.1 ${PORT}
+zone dynamic
+update add Ns1.DyNaMIC. 300 IN A 10.53.0.1
+send
+EOF
+$DIG $DIGOPTS axfr dynamic @10.53.0.1 > dig.ns1.test$n
+digcomp dig.ns1.test$n postns1.good || ret=1
+
+test $ret -eq 0 || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+ret=0
+echo_i "wait for zone to transfer ($n)"
+retry_quiet 20 wait_for_serial 10.53.0.2 dynamic 2000042409 dig.ns2.test$n || ret=1
+
+test $ret -eq 0 || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check A owner case is transferred to secondary ($n)"
+ret=0
+$DIG $DIGOPTS axfr dynamic @10.53.0.2 > dig.ns2.test$n
+digcomp dig.ns2.test$n postns1.good || ret=1
+status=`expr $status + $ret`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/catz/clean.sh b/bin/tests/system/catz/clean.sh
new file mode 100644
index 0000000..b021f3b
--- /dev/null
+++ b/bin/tests/system/catz/clean.sh
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f dig.out.*
+rm -f ns*/*.jnl
+rm -f ns*/*.nzf
+rm -f ns*/named.lock
+rm -f ns*/named.memstats
+rm -f ns*/named.conf
+rm -f ns*/named.run
+rm -f ns*/named.run.prev
+rm -f ns1/*dom*example.db
+rm -f ns2/__catz__*db
+rm -f ns2/named.conf.tmp
+rm -f ns3/dom13.example.db ns3/dom14.example.db
+rm -f ns4/catalog-self.example.db
+rm -f nsupdate.out.*
+rm -f ns[123]/catalog[1234].example.db
+rm -rf ns2/zonedir
+rm -f ns*/*.nzd ns*/*.nzd-lock
+rm -f ns*/managed-keys.bind*
+rm -f wait_for_message.*
diff --git a/bin/tests/system/catz/ns1/catalog.example.db.in b/bin/tests/system/catz/ns1/catalog.example.db.in
new file mode 100644
index 0000000..a0bab0d
--- /dev/null
+++ b/bin/tests/system/catz/ns1/catalog.example.db.in
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 3600 SOA . . 1 86400 3600 86400 3600
+@ 3600 IN NS invalid.
+version IN TXT "1"
diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in
new file mode 100644
index 0000000..b64b4d5
--- /dev/null
+++ b/bin/tests/system/catz/ns1/named.conf.in
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	allow-new-zones yes;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on port @EXTRAPORT1@ { 10.53.0.1; };
+	listen-on-v6 { none; };
+	notify no;
+	recursion no;
+	allow-transfer { any; };
+};
+
+zone "catalog1.example" {
+	type primary;
+	file "catalog1.example.db";
+	allow-transfer { any; };
+	allow-update { any; };
+	also-notify { 10.53.0.2; };
+	notify explicit;
+};
+
+zone "catalog3.example" {
+	type primary;
+	file "catalog3.example.db";
+	allow-transfer { any; };
+	allow-update { any; };
+	also-notify { 10.53.0.2; };
+	notify explicit;
+};
+
+zone "catalog4.example" {
+	type primary;
+	file "catalog4.example.db";
+	allow-transfer { any; };
+	allow-update { any; };
+	also-notify { 10.53.0.2; };
+	notify explicit;
+};
+
+/* catalog5 is missing on purpose */
+
+key tsig_key. {
+	secret "LSAnCU+Z";
+	algorithm @DEFAULT_HMAC@;
+};
+
+key next_key. {
+	secret "LaAnCU+Z";
+	algorithm @DEFAULT_HMAC@;
+};
diff --git a/bin/tests/system/catz/ns2/named1.conf.in b/bin/tests/system/catz/ns2/named1.conf.in
new file mode 100644
index 0000000..38381eb
--- /dev/null
+++ b/bin/tests/system/catz/ns2/named1.conf.in
@@ -0,0 +1,98 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { fd92:7065:b8e:ffff::2; };
+	notify no;
+	recursion no;
+	serial-query-rate 100;
+	catalog-zones {
+		zone "catalog1.example"
+			default-masters { 10.53.0.1; }
+			in-memory no
+			zone-directory "zonedir";
+		zone "catalog2.example"
+			default-masters { 10.53.0.1 port @EXTRAPORT1@; }
+			in-memory yes;
+		zone "catalog3.example"
+			default-masters { 10.53.0.1; }
+			zone-directory "nonexistent";
+#T1		zone "catalog4.example"
+#T1			default-masters { 10.53.0.1; };
+#T2		zone "catalog5.example"
+#T2			default-masters { 10.53.0.1; };
+	};
+};
+
+# A faulty dlz configuration to check if named and catz survive a certain class
+# of failed configuration attempts (see GL #3060).
+# We use "dlz" because the dlz processing code is located in an ideal place in
+# the view configuration function for the test to cover the view reverting code.
+#T3dlz "bad-dlz" {
+#T3	database "dlopen bad-dlz.so example.org";
+#T3};
+
+zone "catalog1.example" {
+	type secondary;
+	file "catalog1.example.db";
+	primaries { 10.53.0.1; };
+};
+
+zone "catalog2.example" {
+	type secondary;
+	file "catalog2.example.db";
+	primaries { 10.53.0.3; };
+};
+
+zone "catalog3.example" {
+	type secondary;
+	file "catalog3.example.db";
+	primaries { 10.53.0.1; };
+};
+
+zone "catalog4.example" {
+	type secondary;
+	file "catalog4.example.db";
+	primaries { 10.53.0.1; };
+};
+
+# When the following zone configuration is enabled, "dom3.example" should
+# already exist as a member of "catalog1.example", and named should be able
+# to deal with that situation (see GL #3911). Make sure that this duplicate
+# zone comes after the the "catalog1.example" zone in the configuration file.
+#T4zone "dom3.example" {
+#T4    type secondary;
+#T4    file "dom2.example.db";
+#T4};
+
+key tsig_key. {
+	secret "LSAnCU+Z";
+	algorithm @DEFAULT_HMAC@;
+};
+
+key next_key. {
+	secret "LaAnCU+Z";
+	algorithm @DEFAULT_HMAC@;
+};
diff --git a/bin/tests/system/catz/ns2/named2.conf.in b/bin/tests/system/catz/ns2/named2.conf.in
new file mode 100644
index 0000000..c167310
--- /dev/null
+++ b/bin/tests/system/catz/ns2/named2.conf.in
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { fd92:7065:b8e:ffff::2; };
+	notify no;
+	recursion no;
+	serial-query-rate 100;
+	# removed catalog-zone option, otherwise this is
+	# identical to named1.conf.in
+};
+
+zone "catalog1.example" {
+	type secondary;
+	file "catalog1.example.db";
+	primaries { 10.53.0.1; };
+};
+
+zone "catalog2.example" {
+	type secondary;
+	file "catalog2.example.db";
+	primaries { 10.53.0.3; };
+};
+
+zone "catalog3.example" {
+	type secondary;
+	file "catalog3.example.db";
+	primaries { 10.53.0.1; };
+};
+
+zone "catalog4.example" {
+	type secondary;
+	file "catalog4.example.db";
+	primaries { 10.53.0.1; };
+};
+
+key tsig_key. {
+	secret "LSAnCU+Z";
+	algorithm @DEFAULT_HMAC@;
+};
diff --git a/bin/tests/system/catz/ns3/catalog.example.db.in b/bin/tests/system/catz/ns3/catalog.example.db.in
new file mode 100644
index 0000000..eccb4f1
--- /dev/null
+++ b/bin/tests/system/catz/ns3/catalog.example.db.in
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 3600 SOA . . 2670950424 86400 3600 86400 3600
+@ 3600 IN NS invalid.
+version IN TXT "1"
diff --git a/bin/tests/system/catz/ns3/dom5.example.db b/bin/tests/system/catz/ns3/dom5.example.db
new file mode 100644
index 0000000..5779aaf
--- /dev/null
+++ b/bin/tests/system/catz/ns3/dom5.example.db
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 3600 IN SOA . . 1 3600 3600 3600 3600
+@ IN NS invalid.
diff --git a/bin/tests/system/catz/ns3/dom6.example.db b/bin/tests/system/catz/ns3/dom6.example.db
new file mode 100644
index 0000000..5779aaf
--- /dev/null
+++ b/bin/tests/system/catz/ns3/dom6.example.db
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 3600 IN SOA . . 1 3600 3600 3600 3600
+@ IN NS invalid.
diff --git a/bin/tests/system/catz/ns3/named.conf.in b/bin/tests/system/catz/ns3/named.conf.in
new file mode 100644
index 0000000..7e6a8ae
--- /dev/null
+++ b/bin/tests/system/catz/ns3/named.conf.in
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	allow-new-zones yes;
+	pid-file "named.pid";
+	provide-ixfr no;
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { fd92:7065:b8e:ffff::3; };
+	notify no;
+	recursion no;
+};
+
+zone "catalog2.example" {
+	type primary;
+	file "catalog2.example.db";
+	allow-transfer { any; };
+	allow-update { any; };
+	also-notify { 10.53.0.2; };
+	notify explicit;
+};
+
+zone "dom5.example" {
+	type primary;
+	file "dom5.example.db";
+	allow-transfer { any; };
+	allow-update { any; };
+	notify explicit;
+};
+
+zone "dom6.example" {
+	type primary;
+	file "dom6.example.db";
+	allow-transfer { any; };
+	allow-update { any; };
+	notify explicit;
+};
diff --git a/bin/tests/system/catz/ns4/catalog.example.db.in b/bin/tests/system/catz/ns4/catalog.example.db.in
new file mode 100644
index 0000000..a0bab0d
--- /dev/null
+++ b/bin/tests/system/catz/ns4/catalog.example.db.in
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 3600 SOA . . 1 86400 3600 86400 3600
+@ 3600 IN NS invalid.
+version IN TXT "1"
diff --git a/bin/tests/system/catz/ns4/named.conf.in b/bin/tests/system/catz/ns4/named.conf.in
new file mode 100644
index 0000000..5f99308
--- /dev/null
+++ b/bin/tests/system/catz/ns4/named.conf.in
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+	inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { fd92:7065:b8e:ffff::4; };
+	notify no;
+	notify-delay 0;
+	recursion no;
+	serial-query-rate 100;
+	ixfr-from-differences yes; // GL #3777
+
+	catalog-zones {
+		zone "catalog-self.example"
+			min-update-interval 1s
+			default-masters { 10.53.0.4; };
+	};
+};
+
+zone "catalog-self.example" {
+	type primary;
+	file "catalog-self.example.db";
+	notify explicit;
+};
+
+key tsig_key. {
+	secret "LSAnCU+Z";
+	algorithm @DEFAULT_HMAC@;
+};
+
+key next_key. {
+	secret "LaAnCU+Z";
+	algorithm @DEFAULT_HMAC@;
+};
diff --git a/bin/tests/system/catz/setup.sh b/bin/tests/system/catz/setup.sh
new file mode 100644
index 0000000..d8ea177
--- /dev/null
+++ b/bin/tests/system/catz/setup.sh
@@ -0,0 +1,30 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named1.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+
+cp -f ns1/catalog.example.db.in ns1/catalog1.example.db
+cp -f ns3/catalog.example.db.in ns3/catalog2.example.db
+cp -f ns1/catalog.example.db.in ns1/catalog3.example.db
+cp -f ns1/catalog.example.db.in ns1/catalog4.example.db
+cp -f ns4/catalog.example.db.in ns4/catalog-self.example.db
+
+mkdir -p ns2/zonedir
diff --git a/bin/tests/system/catz/tests.sh b/bin/tests/system/catz/tests.sh
new file mode 100644
index 0000000..69b3a57
--- /dev/null
+++ b/bin/tests/system/catz/tests.sh
@@ -0,0 +1,1915 @@
+#!/bin/sh -x
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+# shellcheck source=conf.sh
+SYSTEMTESTTOP=..
+. "$SYSTEMTESTTOP/conf.sh"
+
+dig_with_opts() {
+	"$DIG" -p "${PORT}" "$@"
+}
+
+rndccmd() (
+	"$RNDC" -c "$SYSTEMTESTTOP/common/rndc.conf" -p "${CONTROLPORT}" -s "$@"
+)
+
+_wait_for_message() (
+	nextpartpeek "$1" > wait_for_message.$n
+	grep -F "$2" wait_for_message.$n >/dev/null
+)
+
+wait_for_message() (
+	retry_quiet 20 _wait_for_message "$@"
+)
+
+_wait_for_rcode() (
+	rcode="$1"
+	qtype="$2"
+	ns="$3"
+	qname="$4"
+	file="$5"
+	shift 5
+	dig_with_opts "$ns" "$qtype" "$qname" "$@" >"$file" || return 1
+	grep "status: $rcode" "$file" >/dev/null
+)
+
+wait_for_rcode() (
+	retry_quiet 10 _wait_for_rcode "$@"
+)
+
+wait_for_soa() (
+	wait_for_rcode NOERROR SOA "$@"
+)
+
+wait_for_a() (
+	wait_for_rcode NOERROR A "$@"
+)
+
+wait_for_no_soa() {
+	wait_for_rcode REFUSED SOA "$@"
+}
+
+_wait_for_zonefile() (
+	# shellcheck disable=SC2234
+	[ -f "$1" ]
+)
+
+wait_for_zonefile() (
+	retry_quiet 10 _wait_for_zonefile "$@"
+)
+
+_wait_for_no_zonefile() (
+	# shellcheck disable=SC2234
+	[ ! -f "$1" ]
+)
+
+wait_for_no_zonefile() (
+	retry_quiet 10 _wait_for_no_zonefile "$@"
+)
+
+status=0
+n=0
+##########################################################################
+echo_i "Testing adding/removing of domain in catalog zone"
+n=$((n+1))
+echo_i "checking that dom1.example. is not served by primary ($n)"
+ret=0
+wait_for_no_soa @10.53.0.1 dom1.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "Adding a domain dom1.example. to primary via RNDC ($n)"
+ret=0
+# enough initial content for IXFR response when TXT record is added below
+echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom1.example.db
+echo "@ 3600 IN NS invalid." >> ns1/dom1.example.db
+echo "foo 3600 IN TXT some content here" >> ns1/dom1.example.db
+echo "bar 3600 IN TXT some content here" >> ns1/dom1.example.db
+echo "xxx 3600 IN TXT some content here" >> ns1/dom1.example.db
+echo "yyy 3600 IN TXT some content here" >> ns1/dom1.example.db
+rndccmd 10.53.0.1 addzone dom1.example. '{ type primary; file "dom1.example.db"; allow-update { any; }; notify explicit; also-notify { 10.53.0.2; }; };' || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom1.example. is now served by primary ($n)"
+ret=0
+wait_for_soa @10.53.0.1 dom1.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+nextpart ns2/named.run >/dev/null
+
+n=$((n+1))
+echo_i "Adding domain dom1.example. to catalog1 zone ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+    server 10.53.0.1 ${PORT}
+    update add e721433b6160b450260d4f54b3ec8bab30cb3b83.zones.catalog1.example. 3600 IN PTR dom1.example.
+    send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run "catz: adding zone 'dom1.example' from catalog 'catalog1.example'" &&
+wait_for_message ns2/named.run "transfer of 'dom1.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom1.example. is served by secondary ($n)"
+ret=0
+wait_for_soa @10.53.0.2 dom1.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that zone-directory is populated ($n)"
+ret=0
+wait_for_zonefile "ns2/zonedir/__catz___default_catalog1.example_dom1.example.db" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "update dom1.example. ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+   server 10.53.0.1 ${PORT}
+   update add dom1.example 0 IN TXT added record
+   send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "wait for secondary to be updated ($n)"
+ret=0
+wait_for_txt() {
+	dig_with_opts @10.53.0.2 TXT dom1.example. > dig.out.test$n || return 1
+	grep "ANSWER: 1," dig.out.test$n > /dev/null || return 1
+	grep "status: NOERROR" dig.out.test$n > /dev/null || return 1
+	grep "IN.TXT." dig.out.test$n > /dev/null || return 1
+}
+retry_quiet 10 wait_for_txt || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check that journal was created for cleanup test ($n)"
+ret=0
+test -f ns2/zonedir/__catz___default_catalog1.example_dom1.example.db.jnl || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "update catalog zone serial ($n)"
+ret=0
+# default minimum update rate is once / 5 seconds
+sleep 5
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+    server 10.53.0.1 ${PORT}
+    update add catalog1.example 3600 SOA . . 20 86400 3600 86400 3600
+    send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "wait for catalog zone to transfer ($n)"
+ret=0
+wait_for_soa_equal_20() {
+	dig_with_opts @10.53.0.2 SOA catalog1.example. > dig.out.test$n || return 1
+	grep "ANSWER: 1," dig.out.test$n > /dev/null || return 1
+	grep "status: NOERROR" dig.out.test$n > /dev/null || return 1
+	grep 'IN.SOA.\. \. 20 ' dig.out.test$n > /dev/null || return 1
+}
+retry_quiet 10 wait_for_soa_equal_20 || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "update dom1.example. again ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+   server 10.53.0.1 ${PORT}
+   update add foo.dom1.example 0 IN TXT added record
+   send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "wait for secondary to be updated again ($n)"
+ret=0
+wait_for_txt() {
+	dig_with_opts @10.53.0.2 TXT foo.dom1.example. > dig.out.test$n || return 1
+	grep "ANSWER: 2," dig.out.test$n > /dev/null || return 1
+	grep "status: NOERROR" dig.out.test$n > /dev/null || return 1
+	grep "IN.TXT." dig.out.test$n > /dev/null || return 1
+}
+retry_quiet 10 wait_for_txt || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "removing domain dom1.example. from catalog1 zone ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+   server 10.53.0.1 ${PORT}
+   update delete e721433b6160b450260d4f54b3ec8bab30cb3b83.zones.catalog1.example
+   send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run "zone_shutdown: zone dom1.example/IN: shutting down" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom1.example. is not served by secondary ($n)"
+ret=0
+wait_for_no_soa @10.53.0.2 dom1.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that zone-directory is emptied ($n)"
+ret=0
+wait_for_no_zonefile "ns2/zonedir/__catz___default_catalog1.example_dom1.example.db" || ret=1
+wait_for_no_zonefile "ns2/zonedir/__catz___default_catalog1.example_dom1.example.db.jnl" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+##########################################################################
+echo_i "Testing various simple operations on domains, including using multiple catalog zones and garbage in zone"
+n=$((n+1))
+echo_i "adding domain dom2.example. to primary via RNDC ($n)"
+ret=0
+echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom2.example.db
+echo "@ IN NS invalid." >> ns1/dom2.example.db
+rndccmd 10.53.0.1 addzone dom2.example. '{type primary; file "dom2.example.db";};' || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "adding domain dom4.example. to primary via RNDC ($n)"
+ret=0
+echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom4.example.db
+echo "@ IN NS invalid." >> ns1/dom4.example.db
+rndccmd 10.53.0.1 addzone dom4.example. '{type primary; file "dom4.example.db";};' || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "adding domains dom2.example, dom3.example. and some garbage to catalog1 zone ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+    server 10.53.0.1 ${PORT}
+    update add 636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN PTR dom2.example.
+    update add b901f492f3ebf6c1e5b597e51766f02f0479eb03.zones.catalog1.example. 3600 IN PTR dom3.example.
+    update add e721433b6160b450260d4f54b3ec8bab30cb3b83.zones.catalog1.example. 3600 IN NS foo.bar.
+    update add trash.catalog1.example. 3600 IN A 1.2.3.4
+    update add trash2.foo.catalog1.example. 3600 IN A 1.2.3.4
+    update add trash3.zones.catalog1.example. 3600 IN NS a.dom2.example.
+    update add foobarbaz.b901f492f3ebf6c1e5b597e51766f02f0479eb03.zones.catalog1.example. 3600 IN PTR dom3.example.
+    update add blahblah.636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN PTR dom2.example.
+    update add foobarbaz.b901f492f3ebf6c1e5b597e51766f02f0479eb03.zones.catalog1.example. 3600 IN APL 1:1.2.3.4/30
+    update add blahblah.636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN TXT "blah blah"
+    update add version.catalog1.example. 3600 IN A 1.2.3.4
+    send
+
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "adding domain dom4.example. to catalog2 zone ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+    server 10.53.0.3 ${PORT}
+    update add de26b88d855397a03f77ff1162fd055d8b419584.zones.catalog2.example. 3600 IN PTR dom4.example.
+    send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run "catz: updating catalog zone 'catalog2.example' with serial 2670950425" &&
+wait_for_message ns2/named.run "catz: adding zone 'dom2.example' from catalog 'catalog1.example'" &&
+wait_for_message ns2/named.run "catz: adding zone 'dom3.example' from catalog 'catalog1.example'" &&
+wait_for_message ns2/named.run "catz: adding zone 'dom4.example' from catalog 'catalog2.example'" &&
+wait_for_message ns2/named.run "transfer of 'dom4.example/IN' from 10.53.0.1#${EXTRAPORT1}: Transfer status: success" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom4.example. is served by secondary ($n)"
+ret=0
+wait_for_soa @10.53.0.2 dom4.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+
+n=$((n+1))
+echo_i "checking that dom3.example. is not served by primary ($n)"
+ret=0
+wait_for_no_soa @10.53.0.1 dom3.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "adding a domain dom3.example. to primary via RNDC ($n)"
+ret=0
+echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom3.example.db
+echo "@ IN NS invalid." >> ns1/dom3.example.db
+rndccmd 10.53.0.1 addzone dom3.example. '{type primary; file "dom3.example.db"; also-notify { 10.53.0.2; }; notify explicit; };' || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom3.example. is served by primary ($n)"
+ret=0
+wait_for_soa  @10.53.0.1 dom3.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run "catz: adding zone 'dom2.example' from catalog 'catalog1.example'" &&
+wait_for_message ns2/named.run "catz: adding zone 'dom3.example' from catalog 'catalog1.example'" &&
+wait_for_message ns2/named.run  "transfer of 'dom2.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" &&
+wait_for_message ns2/named.run  "transfer of 'dom3.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom3.example. is served by secondary ($n)"
+ret=0
+wait_for_soa @10.53.0.2 dom3.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+nextpart ns2/named.run >/dev/null
+
+# GL #3060
+n=$((n+1))
+echo_i "reconfiguring secondary - checking if catz survives a certain class of failed reconfiguration attempts ($n)"
+ret=0
+sed -e "s/^#T3//" < ns2/named1.conf.in > ns2/named.conf.tmp
+copy_setports ns2/named.conf.tmp ns2/named.conf
+$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p "${CONTROLPORT}" reconfig > /dev/null 2>&1 && ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking again that dom3.example. is served by secondary ($n)"
+ret=0
+wait_for_soa @10.53.0.2 dom3.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "reconfiguring secondary - reverting the bad configuration ($n)"
+ret=0
+copy_setports ns2/named1.conf.in ns2/named.conf
+rndccmd 10.53.0.2 reconfig || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+nextpart ns2/named.run >/dev/null
+
+# GL #3911
+n=$((n+1))
+echo_i "reconfiguring secondary - checking if catz survives another type of failed reconfiguration attempts ($n)"
+ret=0
+sed -e "s/^#T4//" < ns2/named1.conf.in > ns2/named.conf.tmp
+copy_setports ns2/named.conf.tmp ns2/named.conf
+$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p "${CONTROLPORT}" reconfig > /dev/null 2>&1 && ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# catalog zone update can be deferred
+sleep 2
+
+n=$((n+1))
+echo_i "checking again that dom3.example. is served by secondary ($n)"
+ret=0
+wait_for_soa @10.53.0.2 dom3.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "reconfiguring secondary - reverting the bad configuration ($n)"
+ret=0
+copy_setports ns2/named1.conf.in ns2/named.conf
+rndccmd 10.53.0.2 reconfig || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+nextpart ns2/named.run >/dev/null
+
+n=$((n+1))
+echo_i "removing all records from catalog1 zone ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+    server 10.53.0.1 ${PORT}
+    update delete 636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN PTR dom2.example.
+    update delete b901f492f3ebf6c1e5b597e51766f02f0479eb03.zones.catalog1.example. 3600 IN PTR dom3.example.
+    update delete e721433b6160b450260d4f54b3ec8bab30cb3b83.zones.catalog1.example. 3600 IN NS foo.bar.
+    update delete trash.catalog1.example. 3600 IN A 1.2.3.4
+    update delete trash2.foo.catalog1.example. 3600 IN A 1.2.3.4
+    update delete trash3.zones.catalog1.example. 3600 IN NS a.dom2.example.
+    update delete foobarbaz.b901f492f3ebf6c1e5b597e51766f02f0479eb03.zones.catalog1.example. 3600 IN PTR dom3.example.
+    update delete blahblah.636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN PTR dom2.example.
+    update delete foobarbaz.b901f492f3ebf6c1e5b597e51766f02f0479eb03.zones.catalog1.example. 3600 IN APL 1:1.2.3.4/30
+    update delete blahblah.636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN TXT "blah blah"
+    update delete version.catalog1.example. 3600 IN A 1.2.3.4
+    send
+
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "removing all records from catalog2 zone ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+    server 10.53.0.3 ${PORT}
+    update delete de26b88d855397a03f77ff1162fd055d8b419584.zones.catalog2.example. 3600 IN PTR dom4.example.
+    send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+##########################################################################
+echo_i "Testing masters suboption and random labels"
+n=$((n+1))
+echo_i "adding dom5.example. with a valid masters suboption (IP without TSIG) and a random label ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+    server 10.53.0.1 ${PORT}
+    update add somerandomlabel.zones.catalog1.example. 3600 IN PTR dom5.example.
+    update add masters.somerandomlabel.zones.catalog1.example. 3600 IN A 10.53.0.3
+    send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run  "catz: adding zone 'dom5.example' from catalog 'catalog1.example'" &&
+wait_for_message ns2/named.run  "transfer of 'dom5.example/IN' from 10.53.0.3#${PORT}: Transfer status: success" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom5.example. is served by secondary ($n)"
+ret=0
+wait_for_soa @10.53.0.2 dom5.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "removing dom5.example. ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+    server 10.53.0.1 ${PORT}
+    update delete somerandomlabel.zones.catalog1.example. 3600 IN PTR dom5.example.
+    update delete masters.somerandomlabel.zones.catalog1.example. 3600 IN A 10.53.0.3
+    send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run  "zone_shutdown: zone dom5.example/IN: shutting down" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom5.example. is no longer served by secondary ($n)"
+ret=0
+wait_for_no_soa @10.53.0.2 dom5.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+
+##########################################################################
+echo_i "Testing masters global option"
+n=$((n+1))
+echo_i "adding dom6.example. and a valid global masters option (IP without TSIG) ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+    server 10.53.0.1 ${PORT}
+    update add masters.catalog1.example. 3600 IN A 10.53.0.3
+    update add masters.catalog1.example. 3600 IN AAAA fd92:7065:b8e:ffff::3
+    update add 4346f565b4d63ddb99e5d2497ff22d04e878e8f8.zones.catalog1.example. 3600 IN PTR dom6.example.
+    send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run  "catz: adding zone 'dom6.example' from catalog 'catalog1.example'" &&
+wait_for_message ns2/named.run  "transfer of 'dom6.example/IN' from " > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom6.example. is served by secondary ($n)"
+ret=0
+wait_for_soa @10.53.0.2 dom6.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "removing dom6.example. ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+    server 10.53.0.1 ${PORT}
+    update delete masters.catalog1.example. 3600 IN A 10.53.0.3
+    update delete masters.catalog1.example. 3600 IN AAAA  fd92:7065:b8e:ffff::3
+    update delete 4346f565b4d63ddb99e5d2497ff22d04e878e8f8.zones.catalog1.example. 3600 IN PTR dom6.example.
+    send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run  "zone_shutdown: zone dom6.example/IN: shutting down" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom6.example. is no longer served by secondary ($n)"
+ret=0
+wait_for_no_soa @10.53.0.2 dom6.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+nextpart ns2/named.run >/dev/null
+
+n=$((n+1))
+echo_i "adding dom6.example. and an invalid global masters option (TSIG without IP) ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+    server 10.53.0.1 ${PORT}
+    update add label1.masters.catalog1.example. 3600 IN TXT "tsig_key"
+    update add 4346f565b4d63ddb99e5d2497ff22d04e878e8f8.zones.catalog1.example. 3600 IN PTR dom6.example.
+    send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run  "catz: adding zone 'dom6.example' from catalog 'catalog1.example'" &&
+wait_for_message ns2/named.run  "error \"failure\" while trying to generate config for zone \"dom6.example\"" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "removing dom6.example. ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+    server 10.53.0.1 ${PORT}
+    update delete label1.masters.catalog1.example. 3600 IN TXT "tsig_key"
+    update delete 4346f565b4d63ddb99e5d2497ff22d04e878e8f8.zones.catalog1.example. 3600 IN PTR dom6.example.
+    send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run  "catz: deleting zone 'dom6.example' from catalog 'catalog1.example' - success" > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+##########################################################################
+n=$((n+1))
+echo_i "Checking that a missing zone directory forces in-memory ($n)"
+ret=0
+grep "'nonexistent' not found; zone files will not be saved" ns2/named.run > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+##########################################################################
+echo_i "Testing allow-query and allow-transfer ACLs"
+n=$((n+1))
+echo_i "adding domains dom7.example. and dom8.example. to primary via RNDC ($n)"
+ret=0
+echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom7.example.db
+echo "@ IN NS invalid." >> ns1/dom7.example.db
+rndccmd 10.53.0.1 addzone dom7.example. '{type primary; file "dom7.example.db";};' || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom8.example.db
+echo "@ IN NS invalid." >> ns1/dom8.example.db
+rndccmd 10.53.0.1 addzone dom8.example. '{type primary; file "dom8.example.db";};' || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom7.example. is now served by primary ($n)"
+ret=0
+wait_for_soa @10.53.0.1 dom7.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+nextpart ns2/named.run >/dev/null
+
+n=$((n+1))
+echo_i "adding domain dom7.example. to catalog1 zone with an allow-query statement ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+    server 10.53.0.1 ${PORT}
+    update add 78833ec3c0059fd4540fee81c7eaddce088e7cd7.zones.catalog1.example. 3600 IN PTR dom7.example.
+    update add allow-query.78833ec3c0059fd4540fee81c7eaddce088e7cd7.zones.catalog1.example. 3600 IN APL 1:10.53.0.1/32 !1:10.53.0.0/30 1:0.0.0.0/0
+    send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run  "catz: adding zone 'dom7.example' from catalog 'catalog1.example'" > /dev/null &&
+wait_for_message ns2/named.run  "transfer of 'dom7.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom7.example. is accessible from 10.53.0.1 ($n)"
+ret=0
+wait_for_soa @10.53.0.2 dom7.example. dig.out.test$n -b 10.53.0.1 || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom7.example. is not accessible from 10.53.0.2 ($n)"
+ret=0
+wait_for_no_soa @10.53.0.2 dom7.example. dig.out.test$n -b 10.53.0.2 || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom7.example. is accessible from 10.53.0.5 ($n)"
+ret=0
+wait_for_soa @10.53.0.2 dom7.example. dig.out.test$n -b 10.53.0.5 || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+nextpart ns2/named.run >/dev/null
+n=$((n+1))
+echo_i "adding dom8.example. domain and global allow-query and allow-transfer ACLs ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+    server 10.53.0.1 ${PORT}
+    update add cba95222e308baba42417be6021026fdf20827b6.zones.catalog1.example. 3600 IN PTR dom8.example
+    update add allow-query.catalog1.example. 3600 IN APL 1:10.53.0.1/32
+    update add allow-transfer.catalog1.example. 3600 IN APL 1:10.53.0.2/32
+    send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run  "catz: update_from_db: new zone merged" &&
+wait_for_message ns2/named.run  "transfer of 'dom8.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom8.example. is accessible from 10.53.0.1 ($n)"
+ret=0
+wait_for_soa @10.53.0.2 dom8.example. dig.out.test$n -b 10.53.0.1 || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom8.example. is not accessible from 10.53.0.2 ($n)"
+ret=0
+wait_for_no_soa @10.53.0.2 dom8.example. dig.out.test$n -b 10.53.0.2 || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom8.example. is not AXFR accessible from 10.53.0.1 ($n)"
+ret=0
+dig_with_opts @10.53.0.2 axfr dom8.example. -b 10.53.0.1 > dig.out.test$n
+grep "Transfer failed." dig.out.test$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom8.example. is AXFR accessible from 10.53.0.2 ($n)"
+ret=0
+dig_with_opts @10.53.0.2 axfr dom8.example. -b 10.53.0.2 > dig.out.test$n
+grep -v "Transfer failed." dig.out.test$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+nextpart ns2/named.run >/dev/null
+n=$((n+1))
+echo_i "deleting global allow-query and allow-domain ACLs ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+    server 10.53.0.1 ${PORT}
+    update delete allow-query.catalog1.example. 3600 IN APL 1:10.53.0.1/32
+    update delete allow-transfer.catalog1.example. 3600 IN APL 1:10.53.0.2/32
+    send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+ret=0
+wait_for_message ns2/named.run  "catz: update_from_db: new zone merged" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom8.example. is accessible from 10.53.0.1 ($n)"
+ret=0
+wait_for_soa @10.53.0.2 dom8.example. dig.out.test$n -b 10.53.0.1 || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom8.example. is accessible from 10.53.0.2 ($n)"
+ret=0
+wait_for_soa @10.53.0.2 dom8.example. dig.out.test$n -b 10.53.0.2 || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom8.example. is AXFR accessible from 10.53.0.1 ($n)"
+ret=0
+dig_with_opts @10.53.0.2 axfr dom8.example. -b 10.53.0.1 > dig.out.test$n
+grep -v "Transfer failed." dig.out.test$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom8.example. is AXFR accessible from 10.53.0.2 ($n)"
+ret=0
+dig_with_opts @10.53.0.2 axfr dom8.example. -b 10.53.0.2 > dig.out.test$n
+grep -v "Transfer failed." dig.out.test$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+
+##########################################################################
+echo_i "Testing TSIG keys for masters set per-domain"
+n=$((n+1))
+echo_i "adding a domain dom9.example. to primary via RNDC, with transfers allowed only with TSIG key ($n)"
+ret=0
+echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom9.example.db
+echo "@ IN NS invalid." >> ns1/dom9.example.db
+rndccmd 10.53.0.1 addzone dom9.example. '{type primary; file "dom9.example.db"; allow-transfer { key tsig_key; }; };' || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom9.example. is now served by primary ($n)"
+ret=0
+wait_for_soa @10.53.0.1 dom9.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+nextpart ns2/named.run >/dev/null
+
+n=$((n+1))
+echo_i "adding domain dom9.example. to catalog1 zone with a valid masters suboption (IP with TSIG) ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+    server 10.53.0.1 ${PORT}
+    update add f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN PTR dom9.example.
+    update add label1.masters.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN A 10.53.0.1
+    update add label1.masters.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN TXT "tsig_key"
+    send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run  "catz: adding zone 'dom9.example' from catalog 'catalog1.example'" &&
+wait_for_message ns2/named.run  "transfer of 'dom9.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom9.example. is accessible on secondary ($n)"
+ret=0
+wait_for_soa @10.53.0.2 dom9.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "change TSIG key name on primary ($n)"
+ret=0
+rndccmd 10.53.0.1 modzone dom9.example. '{type primary; notify yes; file "dom9.example.db"; allow-transfer { key next_key; }; };' || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "update TSIG key name in catalog zone ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+    server 10.53.0.1 ${PORT}
+    update del label1.masters.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN TXT "tsig_key"
+    update add label1.masters.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN TXT "next_key"
+    send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run  "catz: modifying zone 'dom9.example' from catalog 'catalog1.example'" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "update zone contents and reload ($n)"
+ret=0
+echo "@ 3600 IN SOA . . 2 3600 3600 3600 3600" > ns1/dom9.example.db
+echo "@ IN NS ns2" >> ns1/dom9.example.db
+echo "ns2 IN A 10.53.0.2" >> ns1/dom9.example.db
+rndccmd 10.53.0.1 reload dom9.example. || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "wait for primary to update zone ($n)"
+ret=0
+wait_for_a @10.53.0.1 ns2.dom9.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "wait for secondary to update zone ($n)"
+ret=0
+wait_for_a @10.53.0.2 ns2.dom9.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "deleting domain dom9.example. from catalog1 zone ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+    server 10.53.0.1 ${PORT}
+    update delete f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN PTR dom9.example.
+    update delete label1.masters.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN A 10.53.0.1
+    update delete label1.masters.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN TXT "next_key"
+    send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run  "catz: deleting zone 'dom9.example' from catalog 'catalog1.example' - success" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom9.example. is no longer accessible on secondary ($n)"
+ret=0
+wait_for_no_soa @10.53.0.2 dom9.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+nextpart ns2/named.run >/dev/null
+
+n=$((n+1))
+echo_i "adding domain dom9.example. to catalog1 zone with an invalid masters suboption (TSIG without IP) ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+    server 10.53.0.1 ${PORT}
+    update add f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN PTR dom9.example.
+    update add label1.masters.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN TXT "tsig_key"
+    send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run  "catz: adding zone 'dom9.example' from catalog 'catalog1.example'" &&
+wait_for_message ns2/named.run  "error \"failure\" while trying to generate config for zone \"dom9.example\"" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "deleting domain dom9.example. from catalog1 zone ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+    server 10.53.0.1 ${PORT}
+    update delete f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN PTR dom9.example.
+    update delete label1.masters.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN TXT "tsig_key"
+    send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run  "catz: deleting zone 'dom9.example' from catalog 'catalog1.example'" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+##########################################################################
+echo_i "Testing catalog entries that can't be represented as filenames"
+# note: we need 4 backslashes in the shell to get 2 backslashes in DNS
+# presentation format, which is 1 backslash on the wire.
+for special in \
+       this.is.a.very.very.long.long.long.domain.that.will.cause.catalog.zones.to.generate.hash.instead.of.using.regular.filename.dom10.example \
+       this.zone/domain.has.a.slash.dom10.example \
+       this.zone\\\\domain.has.backslash.dom10.example \
+       this.zone:domain.has.a.colon.dom.10.example
+do
+    # hashes below are generated by:
+    # python ${TOP}/contrib/scripts/catzhash.py "${special}"
+
+    case "$special" in
+    this.is.a.very.very.long.long.long.domain.that.will.cause.catalog.zones.to.generate.hash.instead.of.using.regular.filename.dom10.example)
+        hash=825f48b1ce1b4cf5a041d20255a0c8e98d114858
+        db=__catz__4d70696f2335687069467f11f5d5378c480383f97782e553fb2d04a7bb2a23ed.db
+        ;;
+    this.zone/domain.has.a.slash.dom10.example)
+        hash=e64cc64c99bf52d0a77fb16dd7ed57cf925a36aa
+        db=__catz__46ba3e1b28d5955e5313d5fee61bedc78c71d08035aa7ea2f7bf0b8228ab3acc.db
+        ;;
+    this.zone\\\\domain.has.backslash.dom10.example)
+        hash=91e27e02153d38cf656a9b376d7747fbcd19f985
+        db=__catz__b667f7ff802c0895e0506699951cff9a1cab68c5ef8546aa0d07425f244ed870.db
+        ;;
+    this.zone:domain.has.a.colon.dom.10.example)
+        hash=8b7238bf4c34045834c573ba4116557ebb24d33c
+        db=__catz__5c721f7872913a4e7fa8ad42589cce5dd6e551a4c9e6ab3f86e77c0bbc7c2ca6.db
+        ;;
+    esac
+
+    n=$((n+1))
+    echo_i "checking that ${special}. is not served by primary ($n)"
+    ret=0
+    wait_for_no_soa @10.53.0.1 "${special}" dig.out.test$n || ret=1
+    if [ $ret -ne 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+
+    n=$((n+1))
+    echo_i "Adding a domain ${special}. to primary via RNDC ($n)"
+    ret=0
+    echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom10.example.db
+    echo "@ IN NS invalid." >> ns1/dom10.example.db
+    rndccmd 10.53.0.1 addzone '"'"${special}"'"' '{type primary; file "dom10.example.db";};' || ret=1
+    if [ $ret -ne 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+
+    n=$((n+1))
+    echo_i "checking that ${special}. is now served by primary ($n)"
+    ret=0
+    wait_for_soa @10.53.0.1 "${special}." dig.out.test$n || ret=1
+    if [ $ret -ne 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+
+    nextpart ns2/named.run >/dev/null
+
+    n=$((n+1))
+    echo_i "Adding domain ${special}. to catalog1 zone ($n)"
+    ret=0
+    $NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+      server 10.53.0.1 ${PORT}
+      update add ${hash}.zones.catalog1.example 3600 IN PTR ${special}.
+      send
+END
+    if [ $ret -ne 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+
+    n=$((n+1))
+    echo_i "waiting for secondary to sync up ($n)"
+    ret=0
+    wait_for_message ns2/named.run  "catz: adding zone '$special' from catalog 'catalog1.example'" &&
+    wait_for_message ns2/named.run  "transfer of '$special/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1
+    if [ $ret -ne 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+
+    n=$((n+1))
+    echo_i "checking that ${special}. is served by secondary ($n)"
+    ret=0
+    wait_for_soa @10.53.0.2 "${special}." dig.out.test$n || ret=1
+    if [ $ret -ne 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+
+    n=$((n+1))
+    echo_i "checking that zone-directory is populated with a hashed filename ($n)"
+    ret=0
+    wait_for_zonefile "ns2/zonedir/$db" || ret=1
+    if [ $ret -ne 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+
+    n=$((n+1))
+    echo_i "removing domain ${special}. from catalog1 zone ($n)"
+    ret=0
+    $NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+      server 10.53.0.1 ${PORT}
+      update delete ${hash}.zones.catalog1.example
+      send
+END
+    if [ $ret -ne 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+
+    n=$((n+1))
+    echo_i "waiting for secondary to sync up ($n)"
+    ret=0
+    wait_for_message ns2/named.run  "zone_shutdown: zone ${special}/IN: shutting down" || ret=1
+    if [ $ret -ne 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+
+    n=$((n+1))
+    echo_i "checking that ${special}. is not served by secondary ($n)"
+    ret=0
+    wait_for_no_soa @10.53.0.2 "${special}." dig.out.test$n || ret=1
+    if [ $ret -ne 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+
+    n=$((n+1))
+    echo_i "checking that zone-directory is emptied ($n)"
+    ret=0
+    wait_for_no_zonefile "ns2/zonedir/$db" || ret=1
+    wait_for_no_zonefile "ns2/zonedir/$db.jnl" || ret=1
+    if [ $ret -ne 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+done
+
+##########################################################################
+echo_i "Testing adding a domain and a subdomain of it"
+n=$((n+1))
+echo_i "checking that dom11.example. is not served by primary ($n)"
+ret=0
+wait_for_no_soa @10.53.0.1 dom11.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "Adding a domain dom11.example. to primary via RNDC ($n)"
+ret=0
+echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom11.example.db
+echo "@ IN NS invalid." >> ns1/dom11.example.db
+rndccmd 10.53.0.1 addzone dom11.example. '{type primary; file "dom11.example.db";};' || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom11.example. is now served by primary ($n)"
+ret=0
+wait_for_soa @10.53.0.1 dom11.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+nextpart ns2/named.run >/dev/null
+
+n=$((n+1))
+echo_i "Adding domain dom11.example. to catalog1 zone ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+    server 10.53.0.1 ${PORT}
+    update add 0580d70e769c86c8b951a488d8b776627f427d7a.zones.catalog1.example. 3600 IN PTR dom11.example.
+    send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run  "catz: adding zone 'dom11.example' from catalog 'catalog1.example'" &&
+wait_for_message ns2/named.run  "transfer of 'dom11.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom11.example. is served by secondary ($n)"
+ret=0
+wait_for_soa @10.53.0.2 dom11.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that subdomain.of.dom11.example. is not served by primary ($n)"
+ret=0
+wait_for_rcode NXDOMAIN SOA @10.53.0.1 subdomain.of.dom11.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "Adding a domain subdomain.of.dom11.example. to primary via RNDC ($n)"
+ret=0
+echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/subdomain.of.dom11.example.db
+echo "@ IN NS invalid." >> ns1/subdomain.of.dom11.example.db
+rndccmd 10.53.0.1 addzone subdomain.of.dom11.example. '{type primary; file "subdomain.of.dom11.example.db";};' || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that subdomain.of.dom11.example. is now served by primary ($n)"
+ret=0
+wait_for_soa @10.53.0.1 subdomain.of.dom11.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+nextpart ns2/named.run >/dev/null
+
+n=$((n+1))
+echo_i "Adding domain subdomain.of.dom11.example. to catalog1 zone ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+    server 10.53.0.1 ${PORT}
+    update add 25557e0bdd10cb3710199bb421b776df160f241e.zones.catalog1.example. 3600 IN PTR subdomain.of.dom11.example.
+    send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run  "catz: adding zone 'subdomain.of.dom11.example' from catalog 'catalog1.example'" &&
+wait_for_message ns2/named.run  "transfer of 'subdomain.of.dom11.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that subdomain.of.dom11.example. is served by secondary ($n)"
+ret=0
+wait_for_soa @10.53.0.2 subdomain.of.dom11.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "removing domain dom11.example. from catalog1 zone ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+   server 10.53.0.1 ${PORT}
+   update delete 0580d70e769c86c8b951a488d8b776627f427d7a.zones.catalog1.example
+   send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run  "zone_shutdown: zone dom11.example/IN: shutting down" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom11.example. is not served by secondary ($n)"
+ret=0
+wait_for_no_soa @10.53.0.2 dom11.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that subdomain.of.dom11.example. is still served by secondary ($n)"
+ret=0
+wait_for_soa @10.53.0.2 subdomain.of.dom11.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "removing domain subdomain.of.dom11.example. from catalog1 zone ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+   server 10.53.0.1 ${PORT}
+   update delete 25557e0bdd10cb3710199bb421b776df160f241e.zones.catalog1.example
+   send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run  "zone_shutdown: zone subdomain.of.dom11.example/IN: shutting down" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that subdomain.of.dom11.example. is not served by secondary ($n)"
+ret=0
+wait_for_no_soa @10.53.0.2 subdomain.of.d11.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+##########################################################################
+echo_i "Testing adding a catalog zone at runtime with rndc reconfig"
+n=$((n+1))
+echo_i "checking that dom12.example. is not served by primary ($n)"
+ret=0
+wait_for_no_soa @10.53.0.1 dom12.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "Adding a domain dom12.example. to primary via RNDC ($n)"
+ret=0
+echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom12.example.db
+echo "@ IN NS invalid." >> ns1/dom12.example.db
+rndccmd 10.53.0.1 addzone dom12.example. '{type primary; file "dom12.example.db";};' || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom12.example. is now served by primary ($n)"
+ret=0
+wait_for_soa @10.53.0.1 dom12.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+nextpart ns2/named.run >/dev/null
+
+n=$((n+1))
+echo_i "Adding domain dom12.example. to catalog4 zone ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+    server 10.53.0.1 ${PORT}
+    update add 871d51e5433543c0f6fb263c40f359fbc152c8ae.zones.catalog4.example. 3600 IN PTR dom12.example.
+    send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom12.example. is not served by secondary ($n)"
+ret=0
+wait_for_no_soa @10.53.0.2 dom12.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+
+n=$((n+1))
+echo_i "reconfiguring secondary - adding catalog4 catalog zone ($n)"
+ret=0
+sed -e "s/^#T1//g" <  ns2/named1.conf.in > ns2/named.conf.tmp
+copy_setports ns2/named.conf.tmp ns2/named.conf
+rndccmd 10.53.0.2 reconfig || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run  "catz: adding zone 'dom12.example' from catalog 'catalog4.example'" &&
+wait_for_message ns2/named.run  "transfer of 'dom12.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom7.example. is still served by secondary after reconfiguration ($n)"
+ret=0
+wait_for_soa @10.53.0.2 dom7.example. dig.out.test$n -b 10.53.0.1 || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+n=$((n+1))
+
+echo_i "checking that dom12.example. is served by secondary ($n)"
+ret=0
+wait_for_soa @10.53.0.2 dom12.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "reconfiguring secondary - removing catalog4 catalog zone, adding non-existent catalog5 catalog zone ($n)"
+ret=0
+sed -e "s/^#T2//" < ns2/named1.conf.in > ns2/named.conf.tmp
+copy_setports ns2/named.conf.tmp ns2/named.conf
+$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p "${CONTROLPORT}" reconfig > /dev/null 2>&1 && ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "reconfiguring secondary - removing non-existent catalog5 catalog zone ($n)"
+ret=0
+copy_setports ns2/named1.conf.in ns2/named.conf
+rndccmd 10.53.0.2 reconfig || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom12.example. is not served by secondary ($n)"
+ret=0
+wait_for_no_soa @10.53.0.2 dom12.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "removing domain dom12.example. from catalog4 zone ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+    server 10.53.0.1 ${PORT}
+    update delete 871d51e5433543c0f6fb263c40f359fbc152c8ae.zones.catalog4.example. 3600 IN PTR dom12.example.
+    send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+##########################################################################
+echo_i "Testing having a zone in two different catalogs"
+n=$((n+1))
+echo_i "checking that dom13.example. is not served by primary ($n)"
+ret=0
+wait_for_no_soa @10.53.0.1 dom13.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "Adding a domain dom13.example. to primary ns1 via RNDC ($n)"
+ret=0
+echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom13.example.db
+echo "@ IN NS invalid." >> ns1/dom13.example.db
+echo "@ IN A 192.0.2.1" >> ns1/dom13.example.db
+rndccmd 10.53.0.1 addzone dom13.example. '{type primary; file "dom13.example.db";};' || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom13.example. is now served by primary ns1 ($n)"
+ret=0
+wait_for_soa @10.53.0.1 dom13.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "Adding a domain dom13.example. to primary ns3 via RNDC ($n)"
+ret=0
+echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns3/dom13.example.db
+echo "@ IN NS invalid." >> ns3/dom13.example.db
+echo "@ IN A 192.0.2.2" >> ns3/dom13.example.db
+rndccmd 10.53.0.3 addzone dom13.example. '{type primary; file "dom13.example.db";};' || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom13.example. is now served by primary ns3 ($n)"
+ret=0
+wait_for_soa @10.53.0.3 dom13.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+
+nextpart ns2/named.run >/dev/null
+
+n=$((n+1))
+echo_i "Adding domain dom13.example. to catalog1 zone with ns1 as primary ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+    server 10.53.0.1 ${PORT}
+    update add 8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog1.example. 3600 IN PTR dom13.example.
+    update add masters.8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog1.example. 3600 IN A 10.53.0.1
+    send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run  "catz: adding zone 'dom13.example' from catalog 'catalog1.example'" &&
+wait_for_message ns2/named.run  "transfer of 'dom13.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+nextpart ns2/named.run >/dev/null
+
+n=$((n+1))
+echo_i "checking that dom13.example. is served by secondary and that it's the one from ns1 ($n)"
+ret=0
+wait_for_a @10.53.0.2 dom13.example. dig.out.test$n || ret=1
+grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "Adding domain dom13.example. to catalog2 zone with ns3 as primary ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+    server 10.53.0.3 ${PORT}
+    update add 8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog2.example. 3600 IN PTR dom13.example.
+    update add masters.8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog2.example. 3600 IN A 10.53.0.3
+    send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run  "catz: update_from_db: new zone merged" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom13.example. is served by secondary and that it's still the one from ns1 ($n)"
+ret=0
+wait_for_a @10.53.0.2 dom13.example. dig.out.test$n || ret=1
+grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+nextpart ns2/named.run >/dev/null
+
+n=$((n+1))
+echo_i "Deleting domain dom13.example. from catalog2 ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+    server 10.53.0.3 ${PORT}
+    update delete 8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog2.example. 3600 IN PTR dom13.example.
+    update delete masters.8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog2.example. 3600 IN A 10.53.0.3
+    send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run  "catz: update_from_db: new zone merged" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom13.example. is served by secondary and that it's still the one from ns1 ($n)"
+ret=0
+wait_for_a @10.53.0.2 dom13.example. dig.out.test$n || ret=1
+grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "Deleting domain dom13.example. from catalog1 ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+    server 10.53.0.1 ${PORT}
+    update delete 8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog1.example. 3600 IN PTR dom13.example.
+    update delete masters.8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog1.example. 3600 IN A 10.53.0.2
+    send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run  "catz: update_from_db: new zone merged" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom13.example. is no longer served by secondary ($n)"
+ret=0
+wait_for_no_soa @10.53.0.2 dom13.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+##########################################################################
+echo_i "Testing having a regular zone and a zone in catalog zone of the same name"
+n=$((n+1))
+echo_i "checking that dom14.example. is not served by primary ($n)"
+ret=0
+wait_for_no_soa @10.53.0.1 dom14.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "Adding a domain dom14.example. to primary ns1 via RNDC ($n)"
+ret=0
+echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom14.example.db
+echo "@ IN NS invalid." >> ns1/dom14.example.db
+echo "@ IN A 192.0.2.1" >> ns1/dom14.example.db
+rndccmd 10.53.0.1 addzone dom14.example. '{type primary; file "dom14.example.db";};' || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom14.example. is now served by primary ns1 ($n)"
+ret=0
+wait_for_soa @10.53.0.1 dom14.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "Adding a domain dom14.example. to primary ns3 via RNDC ($n)"
+ret=0
+echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns3/dom14.example.db
+echo "@ IN NS invalid." >> ns3/dom14.example.db
+echo "@ IN A 192.0.2.2" >> ns3/dom14.example.db
+rndccmd 10.53.0.3 addzone dom14.example. '{type primary; file "dom14.example.db";};' || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom14.example. is now served by primary ns3 ($n)"
+ret=0
+wait_for_soa @10.53.0.3 dom14.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+nextpart ns2/named.run >/dev/null
+
+n=$((n+1))
+echo_i "Adding domain dom14.example. with rndc with ns1 as primary ($n)"
+ret=0
+rndccmd 10.53.0.2 addzone dom14.example. '{type secondary; primaries {10.53.0.1;};};' || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run  "transfer of 'dom14.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+nextpart ns2/named.run >/dev/null
+
+n=$((n+1))
+echo_i "checking that dom14.example. is served by secondary and that it's the one from ns1 ($n)"
+ret=0
+wait_for_a @10.53.0.2 dom14.example. dig.out.test$n || ret=1
+grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "Adding domain dom14.example. to catalog2 zone with ns3 as primary ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+    server 10.53.0.3 ${PORT}
+    update add 45e3d45ea5f7bd01c395ccbde6ae2e750a3ee8ab.zones.catalog2.example. 3600 IN PTR dom14.example.
+    update add masters.45e3d45ea5f7bd01c395ccbde6ae2e750a3ee8ab.zones.catalog2.example. 3600 IN A 10.53.0.3
+    send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run  "catz: update_from_db: new zone merged" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom14.example. is served by secondary and that it's still the one from ns1 ($n)"
+ret=0
+wait_for_a @10.53.0.2 dom14.example. dig.out.test$n || ret=1
+grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+nextpart ns2/named.run >/dev/null
+
+n=$((n+1))
+echo_i "Deleting domain dom14.example. from catalog2 ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+    server 10.53.0.3 ${PORT}
+    update delete 45e3d45ea5f7bd01c395ccbde6ae2e750a3ee8ab.zones.catalog2.example. 3600 IN PTR dom14.example.
+    update delete masters.45e3d45ea5f7bd01c395ccbde6ae2e750a3ee8ab.zones.catalog2.example. 3600 IN A 10.53.0.3
+    send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run  "catz: update_from_db: new zone merged" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom14.example. is served by secondary and that it's still the one from ns1 ($n)"
+ret=0
+wait_for_a @10.53.0.2 dom14.example. dig.out.test$n || ret=1
+grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+##########################################################################
+echo_i "Testing changing label for a member zone"
+n=$((n+1))
+echo_i "checking that dom15.example. is not served by primary ($n)"
+ret=0
+wait_for_no_soa @10.53.0.1 dom15.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "Adding a domain dom15.example. to primary ns1 via RNDC ($n)"
+ret=0
+echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom15.example.db
+echo "@ IN NS invalid." >> ns1/dom15.example.db
+rndccmd 10.53.0.1 addzone dom15.example. '{type primary; file "dom15.example.db";};' || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom15.example. is now served by primary ns1 ($n)"
+ret=0
+wait_for_soa @10.53.0.1 dom15.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+nextpart ns2/named.run >/dev/null
+
+echo_i "Adding domain dom15.example. to catalog1 zone with 'dom15label1' label ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+    server 10.53.0.1 ${PORT}
+    update add dom15label1.zones.catalog1.example. 3600 IN PTR dom15.example.
+    send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run  "catz: update_from_db: new zone merged" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+sleep 3
+
+n=$((n+1))
+echo_i "checking that dom15.example. is served by secondary ($n)"
+ret=0
+wait_for_soa @10.53.0.2 dom15.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+nextpart ns2/named.run >/dev/null
+
+n=$((n+1))
+echo_i "Changing label of domain dom15.example. from 'dom15label1' to 'dom15label2' ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+    server 10.53.0.1 ${PORT}
+    update delete dom15label1.zones.catalog1.example. 3600 IN PTR dom15.example.
+    update add dom15label2.zones.catalog1.example. 3600 IN PTR dom15.example.
+    send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run  "catz: update_from_db: new zone merged" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom15.example. is served by secondary ($n)"
+ret=0
+wait_for_soa @10.53.0.2 dom15.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+##########################################################################
+echo_i "Testing recreation of a manually deleted zone after a reload"
+n=$((n+1))
+echo_i "checking that dom16.example. is not served by primary ($n)"
+ret=0
+wait_for_no_soa @10.53.0.1 dom16.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "Adding a domain dom16.example. to primary ns1 via RNDC ($n)"
+ret=0
+echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom16.example.db
+echo "@ IN NS invalid." >> ns1/dom16.example.db
+echo "@ IN A 192.0.2.1" >> ns1/dom16.example.db
+rndccmd 10.53.0.1 addzone dom16.example. '{type primary; file "dom16.example.db";};' || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom16.example. is now served by primary ns1 ($n)"
+ret=0
+wait_for_soa @10.53.0.1 dom16.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+nextpart ns2/named.run >/dev/null
+
+n=$((n+1))
+echo_i "Adding domain dom16.example. to catalog1 zone with ns1 as primary ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+    server 10.53.0.1 ${PORT}
+    update add efe725d0cf430ffb113b9bcf59266f066a21216b.zones.catalog1.example. 3600 IN PTR dom16.example.
+    update add masters.efe725d0cf430ffb113b9bcf59266f066a21216b.zones.catalog1.example. 3600 IN A 10.53.0.1
+    send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run  "catz: adding zone 'dom16.example' from catalog 'catalog1.example'" &&
+wait_for_message ns2/named.run  "transfer of 'dom16.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+nextpart ns2/named.run >/dev/null
+
+n=$((n+1))
+echo_i "checking that dom16.example. is served by secondary and that it's the one from ns1 ($n)"
+ret=0
+wait_for_a @10.53.0.2 dom16.example. dig.out.test$n || ret=1
+grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+nextpart ns2/named.run >/dev/null
+
+echo_i "Deleting dom16.example. from secondary ns2 via RNDC ($n)"
+ret=0
+rndccmd 10.53.0.2 delzone dom16.example. >/dev/null 2>&1 || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom16.example. is no longer served by secondary ($n)"
+ret=0
+wait_for_no_soa @10.53.0.2 dom16.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+nextpart ns2/named.run >/dev/null
+
+echo_i "Reloading secondary ns2 via RNDC ($n)"
+ret=0
+rndccmd 10.53.0.2 reload >/dev/null 2>&1 || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run  "catz: update_from_db: new zone merged" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom16.example. is served by secondary and that it's the one from ns1 ($n)"
+ret=0
+wait_for_a @10.53.0.2 dom16.example. dig.out.test$n || ret=1
+grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+nextpart ns2/named.run >/dev/null
+
+n=$((n+1))
+echo_i "Deleting domain dom16.example. from catalog1 ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+    server 10.53.0.1 ${PORT}
+    update delete efe725d0cf430ffb113b9bcf59266f066a21216b.zones.catalog1.example. 3600 IN PTR dom16.example.
+    update delete masters.efe725d0cf430ffb113b9bcf59266f066a21216b.zones.catalog1.example. 3600 IN A 10.53.0.1
+    send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run  "catz: update_from_db: new zone merged" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom16.example. is no longer served by secondary ($n)"
+ret=0
+wait_for_no_soa @10.53.0.2 dom16.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that reconfig can delete and restore catalog zone configuration ($n)"
+ret=0
+copy_setports ns2/named2.conf.in ns2/named.conf
+rndccmd 10.53.0.2 reconfig || ret=1
+copy_setports ns2/named1.conf.in ns2/named.conf
+rndccmd 10.53.0.2 reconfig || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+#########################################################################
+
+nextpart ns2/named.run >/dev/null
+
+n=$((n+1))
+echo_i "Adding a dom19.example. to primary via RNDC ($n)"
+ret=0
+# enough initial content for IXFR response when TXT record is added below
+echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom19.example.db
+echo "@ 3600 IN NS invalid." >> ns1/dom19.example.db
+echo "foo 3600 IN TXT some content here" >> ns1/dom19.example.db
+echo "bar 3600 IN TXT some content here" >> ns1/dom19.example.db
+echo "xxx 3600 IN TXT some content here" >> ns1/dom19.example.db
+echo "yyy 3600 IN TXT some content here" >> ns1/dom19.example.db
+rndccmd 10.53.0.1 addzone dom19.example. '{ type primary; file "dom19.example.db"; allow-transfer { key tsig_key; }; allow-update { any; }; notify explicit; also-notify { 10.53.0.2; }; };' || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "add an entry to the restored catalog zone ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+    server 10.53.0.1 ${PORT}
+    update add 09da0a318e5333a9a7f6c14c385d69f6933e8b72.zones.catalog1.example. 3600 IN PTR dom19.example.
+    update add label1.masters.09da0a318e5333a9a7f6c14c385d69f6933e8b72.zones.catalog1.example. 3600 IN A 10.53.0.1
+    update add label1.masters.09da0a318e5333a9a7f6c14c385d69f6933e8b72.zones.catalog1.example. 3600 IN TXT "tsig_key"
+    send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run "catz: adding zone 'dom19.example' from catalog 'catalog1.example'" &&
+wait_for_message ns2/named.run "transfer of 'dom19.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+##########################################################################
+# GL #3777
+nextpart ns4/named.run >/dev/null
+
+n=$((n+1))
+echo_i "Adding domain self.example. to catalog-self zone without updating the serial ($n)"
+ret=0
+echo "self.zones.catalog-self.example. 3600 IN PTR self.example." >> ns4/catalog-self.example.db
+rndccmd 10.53.0.4 reload || ret=1
+
+n=$((n+1))
+echo_i "Issuing another rndc reload command after 1 second ($n)"
+sleep 1
+rndccmd 10.53.0.4 reload || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+##########################################################################
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/cds/checkmtime.pl b/bin/tests/system/cds/checkmtime.pl
new file mode 100644
index 0000000..be53584
--- /dev/null
+++ b/bin/tests/system/cds/checkmtime.pl
@@ -0,0 +1,18 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+my $target = shift;
+my $file = shift;
+my $mtime = time - (stat $file)[9];
+die "bad mtime $mtime"
+	unless ($mtime - $target >= 0 && $mtime - $target < 60);
diff --git a/bin/tests/system/cds/checktime.pl b/bin/tests/system/cds/checktime.pl
new file mode 100644
index 0000000..d85fd91
--- /dev/null
+++ b/bin/tests/system/cds/checktime.pl
@@ -0,0 +1,27 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+use strict;
+use warnings;
+
+my $target = shift;
+my $notbefore;
+my $inception;
+while (<>) {
+	$notbefore = $1 if m{^.* must not be signed before \d+ [(](\d+)[)]};
+	$inception = $1 if m{^.* inception time \d+ [(](\d+)[)]};
+}
+die "missing notbefore time" unless $notbefore;
+die "missing inception time" unless $inception;
+my $delta = $inception - $notbefore;
+die "bad inception time $delta" unless abs($delta - $target) <= 10;
diff --git a/bin/tests/system/cds/clean.sh b/bin/tests/system/cds/clean.sh
new file mode 100644
index 0000000..b9743a5
--- /dev/null
+++ b/bin/tests/system/cds/clean.sh
@@ -0,0 +1,23 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f CDNSKEY* CDS* DS*
+rm -f K*
+rm -f UP*
+rm -f brk.*
+rm -f db.*
+rm -f dsset-*
+rm -f empty
+rm -f sig.*
+rm -f vars.sh
+rm -f err* out* xerr xout
diff --git a/bin/tests/system/cds/mangle.pl b/bin/tests/system/cds/mangle.pl
new file mode 100644
index 0000000..9268cc0
--- /dev/null
+++ b/bin/tests/system/cds/mangle.pl
@@ -0,0 +1,19 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+my $re = $ARGV[0];
+shift;
+while (<>) {
+	s{($re)........}{${1}00000000};
+	print;
+}
diff --git a/bin/tests/system/cds/setup.sh b/bin/tests/system/cds/setup.sh
new file mode 100644
index 0000000..6e3197d
--- /dev/null
+++ b/bin/tests/system/cds/setup.sh
@@ -0,0 +1,133 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+set -u
+
+touch empty
+
+Z=cds.test
+
+keyz=$($KEYGEN -q -a $DEFAULT_ALGORITHM $Z)
+key1=$($KEYGEN -q -a $DEFAULT_ALGORITHM -f KSK $Z)
+key2=$($KEYGEN -q -a $DEFAULT_ALGORITHM -f KSK $Z)
+
+idz=$(keyfile_to_key_id $keyz)
+id1=$(keyfile_to_key_id $key1)
+id2=$(keyfile_to_key_id $key2)
+
+cat <<EOF >vars.sh
+Z=$Z
+key1=$key1
+key2=$key2
+idz=$idz
+id1=$id1
+id2=$id2
+EOF
+
+tac() {
+	$PERL -e 'print reverse <>'
+}
+
+convert() {
+	key=$1
+	n=$2
+	$DSFROMKEY -12 $key >DS.$n
+	grep " ${DEFAULT_ALGORITHM_NUMBER} 1 " DS.$n >DS.$n-1
+	grep " ${DEFAULT_ALGORITHM_NUMBER} 2 " DS.$n >DS.$n-2
+	sed 's/ IN DS / IN CDS /' <DS.$n >>CDS.$n
+	sed 's/ IN DNSKEY / IN CDNSKEY /' <$key.key >CDNSKEY.$n
+	sed 's/ IN DS / 3600 IN DS /' <DS.$n >DS.ttl$n
+	sed 's/ IN DS / 7200 IN DS /' <DS.$n >DS.ttlong$n
+	tac <DS.$n >DS.rev$n
+}
+convert $key1 1
+convert $key2 2
+
+# consistent order wrt IDs
+sort DS.1 DS.2 >DS.both
+
+cp DS.1 DS.inplace
+$PERL -we 'utime time, time - 7200, "DS.inplace" or die'
+
+mangle="$PERL mangle.pl"
+
+$mangle " IN DS $id1 ${DEFAULT_ALGORITHM_NUMBER} 1 " <DS.1 >DS.broke1
+$mangle " IN DS $id1 ${DEFAULT_ALGORITHM_NUMBER} 2 " <DS.1 >DS.broke2
+$mangle " IN DS $id1 ${DEFAULT_ALGORITHM_NUMBER} [12] " <DS.1 >DS.broke12
+
+sed 's/^/update add /
+$a\
+send
+' <DS.2 >UP.add2
+
+sed 's/^/update del /
+$a\
+send
+' <DS.1 >UP.del1
+
+cat UP.add2 UP.del1 | sed 3d >UP.swap
+
+sed 's/ add \(.*\) IN DS / add \1 3600 IN DS /' <UP.swap >UP.swapttl
+
+sign() {
+	cat >db.$1
+	$SIGNER >/dev/null \
+		 -S -O full -o $Z -f sig.$1 db.$1
+}
+
+sign null <<EOF
+\$TTL 1h
+@	SOA	localhost.	root.localhost. (
+		1	; serial
+		1h	; refresh
+		1h	; retry
+		1w	; expiry
+		1h	; minimum
+		)
+;
+	NS	localhost.
+;
+EOF
+
+cat sig.null CDS.1 >brk.unsigned-cds
+
+cat db.null CDS.1 | sign cds.1
+cat db.null CDS.2 | sign cds.2
+cat db.null CDS.1 CDS.2 | sign cds.both
+
+tac <sig.cds.1 >sig.cds.rev1
+
+cat db.null CDNSKEY.2 | sign cdnskey.2
+cat db.null CDS.2 CDNSKEY.2 | sign cds.cdnskey.2
+
+$mangle '\s+IN\s+RRSIG\s+CDS .* '$idz' '$Z'\. ' \
+	<sig.cds.1 >brk.rrsig.cds.zsk
+$mangle '\s+IN\s+RRSIG\s+CDS .* '$id1' '$Z'\. ' \
+	<sig.cds.1 >brk.rrsig.cds.ksk
+
+$mangle " IN CDS $id1 ${DEFAULT_ALGORITHM_NUMBER} 1 " <db.cds.1 |
+sign cds-mangled
+
+bad=$($PERL -le "print ($id1 ^ 255);")
+sed "s/IN CDS $id1 ${DEFAULT_ALGORITHM_NUMBER} 1 /IN CDS $bad ${DEFAULT_ALGORITHM_NUMBER} 1 /" <db.cds.1 |
+sign bad-digests
+
+sed "/IN CDS $id1 ${DEFAULT_ALGORITHM_NUMBER} /p;s//IN CDS $bad $ALTERNATIVE_ALGORITHM_NUMBER /" <db.cds.1 |
+sign bad-algos
+
+rm -f dsset-*
diff --git a/bin/tests/system/cds/tests.sh b/bin/tests/system/cds/tests.sh
new file mode 100644
index 0000000..700ae63
--- /dev/null
+++ b/bin/tests/system/cds/tests.sh
@@ -0,0 +1,243 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=0
+fail() {
+	echo_i "failed"
+	status=$((status + 1))
+}
+
+runcmd() {
+        "$@" 1> out.$n 2> err.$n
+	echo $?
+}
+
+testcase() {
+	n=$((n + 1))
+	echo_i "$name ($n)"
+	expect=$1
+	shift
+	result=$(runcmd "$@")
+	check_stdout
+	check_stderr
+	if [ "$expect" -ne "$result" ]; then
+                echo_d "exit status does not match $expect"
+		fail
+	fi
+        unset name err out
+}
+
+check_stderr() {
+	if [ -n "${err:=}" ]; then
+		grep -E "$err" err.$n >/dev/null && return 0
+		echo_d "stderr did not match '$err'"
+	else
+		[ -s err.$n ] || return 0
+	fi
+	cat err.$n | cat_d
+	fail
+}
+
+check_stdout() {
+	$DIFF out.$n "${out:-empty}" >/dev/null && return
+	echo_d "stdout did not match '$out'"
+	(	echo "wanted"
+		cat "$out"
+		echo "got"
+		cat out.$n
+	) | cat_d
+	fail
+}
+
+Z=cds.test
+
+name='usage'
+err='Usage'
+testcase 1 $CDS
+
+name='need a DS file'
+err='DS pathname'
+testcase 1 $CDS $Z
+
+name='name of dsset in directory'
+err="./dsset-$Z.: file not found"
+testcase 1 $CDS -d . $Z
+
+name='load a file'
+err='could not find DS records'
+testcase 1 $CDS -d empty $Z
+
+name='load DS records'
+err='path to file containing child data must be specified'
+testcase 1 $CDS -d DS.1 $Z
+
+name='missing DNSKEY'
+err='could not find signed DNSKEY RRset'
+testcase 1 $CDS -f db.null -d DS.1 $Z
+
+name='sigs too old'
+err='could not validate child DNSKEY RRset'
+testcase 1 $CDS -f sig.null -d DS.1 $Z
+
+name='sigs too old, verbosely'
+err='skip RRSIG by key [0-9]+: too old'
+testcase 1 $CDS -v1 -f sig.null -d DS.1 $Z
+
+name='old sigs are allowed'
+err='found RRSIG by key'
+out=DS.1
+testcase 0 $CDS -v1 -s -7200 -f sig.null -d DS.1 $Z
+
+name='no CDS/CDNSKEY records'
+out=DS.1
+testcase 0 $CDS -s -7200 -f sig.null -d DS.1 $Z
+
+name='no child records, verbosely'
+err='has neither CDS nor CDNSKEY records'
+out=DS.1
+testcase 0 $CDS -v1 -s -7200 -f sig.null -d DS.1 $Z
+
+name='unsigned CDS'
+err='missing RRSIG CDS records'
+testcase 1 $CDS -f brk.unsigned-cds -d DS.1 $Z
+
+name='correct signature inception time'
+$CDS -v3 -s -7200 -f sig.cds.1 -d DS.1 $Z 1>xout 2>xerr
+testcase 0 $PERL checktime.pl 3600 xerr
+
+name='in-place reads modification time'
+testcase 0 $CDS -f sig.cds.1 -i.bak -d DS.inplace $Z
+
+name='in-place output correct modification time'
+testcase 0 $PERL checkmtime.pl 3600 DS.inplace
+
+name='in-place backup correct modification time'
+testcase 0 $PERL checkmtime.pl 7200 DS.inplace.bak
+
+name='in-place correct output'
+testcase 0 $DIFF DS.1 DS.inplace
+
+name='in-place backup unmodified'
+testcase 0 $DIFF DS.1 DS.inplace.bak
+
+name='one mangled DS'
+err='found RRSIG by key'
+out=DS.1
+testcase 0 $CDS -v1 -s -7200 -f sig.cds.1 -d DS.broke1 $Z
+
+name='other mangled DS'
+err='found RRSIG by key'
+out=DS.1
+testcase 0 $CDS -v1 -s -7200 -f sig.cds.1 -d DS.broke2 $Z
+
+name='both mangled DS'
+err='could not validate child DNSKEY RRset'
+testcase 1 $CDS -v1 -s -7200 -f sig.cds.1 -d DS.broke12 $Z
+
+name='mangle RRSIG CDS by ZSK'
+err='found RRSIG by key'
+out=DS.1
+testcase 0 $CDS -v1 -s -7200 -f brk.rrsig.cds.zsk -d DS.1 $Z
+
+name='mangle RRSIG CDS by KSK'
+err='could not validate child CDS RRset'
+testcase 1 $CDS -v1 -s -7200 -f brk.rrsig.cds.ksk -d DS.1 $Z
+
+name='mangle CDS 1'
+err='could not validate child DNSKEY RRset with new DS records'
+testcase 1 $CDS -s -7200 -f sig.cds-mangled -d DS.1 $Z
+
+name='inconsistent digests'
+err='do not cover each key with the same set of digest types'
+testcase 1 $CDS -s -7200 -f sig.bad-digests -d DS.1 $Z
+
+name='inconsistent algorithms'
+err='missing signature for algorithm'
+testcase 1 $CDS -s -7200 -f sig.bad-algos -d DS.1 $Z
+
+name='add DS records'
+out=DS.both
+$CDS -s -7200 -f sig.cds.both -d DS.1 $Z >DS.out
+# sort to allow for numerical vs lexical order of key tags
+testcase 0 sort DS.out
+
+name='update add'
+out=UP.add2
+testcase 0 $CDS -u -s -7200 -f sig.cds.both -d DS.1 $Z
+
+name='remove DS records'
+out=DS.2
+testcase 0 $CDS -s -7200 -f sig.cds.2 -d DS.both $Z
+
+name='update del'
+out=UP.del1
+testcase 0 $CDS -u -s -7200 -f sig.cds.2 -d DS.both $Z
+
+name='swap DS records'
+out=DS.2
+testcase 0 $CDS -s -7200 -f sig.cds.2 -d DS.1 $Z
+
+name='update swap'
+out=UP.swap
+testcase 0 $CDS -u -s -7200 -f sig.cds.2 -d DS.1 $Z
+
+name='TTL from -T'
+out=DS.ttl2
+testcase 0 $CDS -T 3600 -s -7200 -f sig.cds.2 -d DS.1 $Z
+
+name='update TTL from -T'
+out=UP.swapttl
+testcase 0 $CDS -u -T 3600 -s -7200 -f sig.cds.2 -d DS.1 $Z
+
+name='update TTL from dsset'
+out=UP.swapttl
+testcase 0 $CDS -u -s -7200 -f sig.cds.2 -d DS.ttl1 $Z
+
+name='TTL from -T overrides dsset'
+out=DS.ttlong2
+testcase 0 $CDS -T 7200 -s -7200 -f sig.cds.2 -d DS.ttl1 $Z
+
+name='stable DS record order (changes)'
+out=DS.1
+testcase 0 $CDS -s -7200 -f sig.cds.rev1 -d DS.2 $Z
+
+name='CDNSKEY default algorithm'
+out=DS.2-2
+testcase 0 $CDS -s -7200 -f sig.cdnskey.2 -d DS.1 $Z
+
+name='CDNSKEY SHA1'
+out=DS.2-1
+testcase 0 $CDS -a SHA1 -s -7200 -f sig.cdnskey.2 -d DS.1 $Z
+
+name='CDNSKEY two algorithms'
+out=DS.2
+testcase 0 $CDS -a SHA1 -a SHA256 -s -7200 -f sig.cdnskey.2 -d DS.1 $Z
+
+name='CDNSKEY two algorithms, reversed'
+out=DS.2
+testcase 0 $CDS -a SHA256 -a SHA1 -s -7200 -f sig.cdnskey.2 -d DS.1 $Z
+
+name='CDNSKEY and CDS'
+out=DS.2
+testcase 0 $CDS -s -7200 -f sig.cds.cdnskey.2 -d DS.1 $Z
+
+name='prefer CDNSKEY'
+out=DS.2-2
+testcase 0 $CDS -D -s -7200 -f sig.cds.cdnskey.2 -d DS.1 $Z
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/chain/README b/bin/tests/system/chain/README
new file mode 100644
index 0000000..649142e
--- /dev/null
+++ b/bin/tests/system/chain/README
@@ -0,0 +1,22 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0.  If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+
+ns1 is the root server.
+
+ns2 and ns5 are both authoritative servers.
+
+ans3 is a mock authoritative server that can return various broken
+responses.
+
+ans4 is a mock authoritative server that can return CNAME or DNAME
+responses of arbitrary size in arbitrary order.
+
+ns7 is the resolver under test.
diff --git a/bin/tests/system/chain/ans3/ans.pl b/bin/tests/system/chain/ans3/ans.pl
new file mode 100644
index 0000000..271b2a4
--- /dev/null
+++ b/bin/tests/system/chain/ans3/ans.pl
@@ -0,0 +1,131 @@
+#!/usr/bin/env perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+use strict;
+use warnings;
+
+use IO::File;
+use Getopt::Long;
+use Net::DNS::Nameserver;
+
+my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
+print $pidf "$$\n" or die "cannot write pid file: $!";
+$pidf->close or die "cannot close pid file: $!";
+sub rmpid { unlink "ans.pid"; exit 1; };
+
+$SIG{INT} = \&rmpid;
+$SIG{TERM} = \&rmpid;
+
+my $localaddr = "10.53.0.3";
+
+my $localport = int($ENV{'PORT'});
+if (!$localport) { $localport = 5300; }
+
+my $verbose = 0;
+my $ttl = 60;
+my $zone = "example.broken";
+my $nsname = "ns3.$zone";
+my $synth = "synth-then-dname.$zone";
+my $synth2 = "synth2-then-dname.$zone";
+
+sub reply_handler {
+    my ($qname, $qclass, $qtype, $peerhost, $query, $conn) = @_;
+    my ($rcode, @ans, @auth, @add);
+
+    print ("request: $qname/$qtype\n");
+    STDOUT->flush();
+
+    if ($qname eq "example.broken") {
+        if ($qtype eq "SOA") {
+	    my $rr = new Net::DNS::RR("$qname $ttl $qclass SOA . . 0 0 0 0 0");
+	    push @ans, $rr;
+        } elsif ($qtype eq "NS") {
+	    my $rr = new Net::DNS::RR("$qname $ttl $qclass NS $nsname");
+	    push @ans, $rr;
+	    $rr = new Net::DNS::RR("$nsname $ttl $qclass A $localaddr");
+	    push @add, $rr;
+        }
+        $rcode = "NOERROR";
+    } elsif ($qname eq "cname-to-$synth2") {
+        my $rr = new Net::DNS::RR("$qname $ttl $qclass CNAME name.$synth2");
+	push @ans, $rr;
+        $rr = new Net::DNS::RR("name.$synth2 $ttl $qclass CNAME name");
+	push @ans, $rr;
+        $rr = new Net::DNS::RR("$synth2 $ttl $qclass DNAME .");
+	push @ans, $rr;
+	$rcode = "NOERROR";
+    } elsif ($qname eq "$synth" || $qname eq "$synth2") {
+	if ($qtype eq "DNAME") {
+	    my $rr = new Net::DNS::RR("$qname $ttl $qclass DNAME .");
+	    push @ans, $rr;
+	}
+	$rcode = "NOERROR";
+    } elsif ($qname eq "name.$synth") {
+	my $rr = new Net::DNS::RR("$qname $ttl $qclass CNAME name.");
+	push @ans, $rr;
+	$rr = new Net::DNS::RR("$synth $ttl $qclass DNAME .");
+	push @ans, $rr;
+	$rcode = "NOERROR";
+    } elsif ($qname eq "name.$synth2") {
+	my $rr = new Net::DNS::RR("$qname $ttl $qclass CNAME name.");
+	push @ans, $rr;
+	$rr = new Net::DNS::RR("$synth2 $ttl $qclass DNAME .");
+	push @ans, $rr;
+	$rcode = "NOERROR";
+    # The following three code branches referring to the "example.dname"
+    # zone are necessary for the resolver variant of the CVE-2021-25215
+    # regression test to work.  A named instance cannot be used for
+    # serving the DNAME records below as a version of BIND vulnerable to
+    # CVE-2021-25215 would crash while answering the queries asked by
+    # the tested resolver.
+    } elsif ($qname eq "ns3.example.dname") {
+	if ($qtype eq "A") {
+		my $rr = new Net::DNS::RR("$qname $ttl $qclass A 10.53.0.3");
+		push @ans, $rr;
+	}
+	if ($qtype eq "AAAA") {
+		my $rr = new Net::DNS::RR("example.dname. $ttl $qclass SOA . . 0 0 0 0 $ttl");
+		push @auth, $rr;
+	}
+	$rcode = "NOERROR";
+    } elsif ($qname eq "self.example.self.example.dname") {
+	my $rr = new Net::DNS::RR("self.example.dname. $ttl $qclass DNAME dname.");
+	push @ans, $rr;
+	$rr = new Net::DNS::RR("$qname $ttl $qclass CNAME self.example.dname.");
+	push @ans, $rr;
+	$rcode = "NOERROR";
+    } elsif ($qname eq "self.example.dname") {
+	if ($qtype eq "DNAME") {
+		my $rr = new Net::DNS::RR("$qname $ttl $qclass DNAME dname.");
+		push @ans, $rr;
+	}
+	$rcode = "NOERROR";
+    } else {
+	$rcode = "REFUSED";
+    }
+    return ($rcode, \@ans, \@auth, \@add, { aa => 1 });
+}
+
+GetOptions(
+    'port=i' => \$localport,
+    'verbose!' => \$verbose,
+);
+
+my $ns = Net::DNS::Nameserver->new(
+    LocalAddr => $localaddr,
+    LocalPort => $localport,
+    ReplyHandler => \&reply_handler,
+    Verbose => $verbose,
+);
+
+$ns->main_loop;
diff --git a/bin/tests/system/chain/ans4/README.anspy b/bin/tests/system/chain/ans4/README.anspy
new file mode 100644
index 0000000..7cb0bf0
--- /dev/null
+++ b/bin/tests/system/chain/ans4/README.anspy
@@ -0,0 +1,24 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0.  If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+
+REQUIREMENTS
+ans.py requires at least dnspython 1.12.0.
+
+"ans.py" is a fairly simple Python script that will respond as an
+authoritative server to DNS queries. It opens a UDP socket on 10.53.0.4
+and fd92:7065:b8e:ffff::8, port 5300 (or PORT) (these are for DNS queries)
+and a TCP socket addresses on 10.53.0.4 at port 5301 (or EXTRAPORT1)
+(this is the control channel).
+
+Please note that all functionality and formatting are subject to change as
+we determine what features the tool will need.
+
+"ans.py" will respond to queries as follows: TBD
diff --git a/bin/tests/system/chain/ans4/ans.py b/bin/tests/system/chain/ans4/ans.py
new file mode 100755
index 0000000..839067f
--- /dev/null
+++ b/bin/tests/system/chain/ans4/ans.py
@@ -0,0 +1,386 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+############################################################################
+# ans.py: See README.anspy for details.
+############################################################################
+
+from __future__ import print_function
+import os
+import sys
+import signal
+import socket
+import select
+from datetime import datetime, timedelta
+import functools
+
+import dns, dns.message, dns.query
+from dns.rdatatype import *
+from dns.rdataclass import *
+from dns.rcode import *
+from dns.name import *
+
+############################################################################
+# set up the RRs to be returned in the next answer
+#
+# the message contains up to two pipe-separated ('|') fields.
+#
+# the first field of the message is a comma-separated list
+# of actions indicating what to put into the answer set
+# (e.g., a dname, a cname, another cname, etc)
+#
+# supported actions:
+# - cname (cname from the current name to a new one in the same domain)
+# - dname (dname to a new domain, plus a synthesized cname)
+# - xname ("external" cname, to a new name in a new domain)
+#
+# example: xname, dname, cname represents a CNAME to an external
+# domain which is then answered by a DNAME and synthesized
+# CNAME pointing to yet another domain, which is then answered
+# by a CNAME within the same domain, and finally an answer
+# to the query. each RR in the answer set has a corresponding
+# RRSIG. these signatures are not valid, but will exercise the
+# response parser.
+#
+# the second field is a comma-separated list of which RRs in the
+# answer set to include in the answer, in which order. if prepended
+# with 's', the number indicates which signature to include.
+#
+# examples: for the answer set "cname, cname, cname", an rr set
+# '1, s1, 2, s2, 3, s3, 4, s4' indicates that all four RRs should
+# be included in the answer, with siagntures, in the original
+# order, while 4, s4, 3, s3, 2, s2, 1, s1' indicates the order
+# should be reversed, 's3, s3, s3, s3' indicates that the third
+# RRSIG should be repeated four times and everything else should
+# be omitted, and so on.
+#
+# if there is no second field (i.e., no pipe symbol appears in
+# the line) , the default is to send all answers and signatures.
+# if a pipe symbol exists but the second field is empty, then
+# nothing is sent at all.
+############################################################################
+actions = []
+rrs = []
+
+
+def ctl_channel(msg):
+    global actions, rrs
+
+    msg = msg.splitlines().pop(0)
+    print("received control message: %s" % msg)
+
+    msg = msg.split(b"|")
+    if len(msg) == 0:
+        return
+
+    actions = [x.strip() for x in msg[0].split(b",")]
+    n = functools.reduce(
+        lambda n, act: (n + (2 if act == b"dname" else 1)), [0] + actions
+    )
+
+    if len(msg) == 1:
+        rrs = []
+        for i in range(n):
+            for b in [False, True]:
+                rrs.append((i, b))
+        return
+
+    rlist = [x.strip() for x in msg[1].split(b",")]
+    rrs = []
+    for item in rlist:
+        if item[0] == b"s"[0]:
+            i = int(item[1:].strip()) - 1
+            if i > n:
+                print("invalid index %d" + (i + 1))
+                continue
+            rrs.append((int(item[1:]) - 1, True))
+        else:
+            i = int(item) - 1
+            if i > n:
+                print("invalid index %d" % (i + 1))
+                continue
+            rrs.append((i, False))
+
+
+############################################################################
+# Respond to a DNS query.
+############################################################################
+def create_response(msg):
+    m = dns.message.from_wire(msg)
+    qname = m.question[0].name.to_text()
+    labels = qname.lower().split(".")
+    wantsigs = True if m.ednsflags & dns.flags.DO else False
+
+    # get qtype
+    rrtype = m.question[0].rdtype
+    typename = dns.rdatatype.to_text(rrtype)
+
+    # for 'www.example.com.'...
+    # - name is 'www'
+    # - domain is 'example.com.'
+    # - sld is 'example'
+    # - tld is 'com.'
+    name = labels.pop(0)
+    domain = ".".join(labels)
+    sld = labels.pop(0)
+    tld = ".".join(labels)
+
+    print("query: " + qname + "/" + typename)
+    print("domain: " + domain)
+
+    # default answers, depending on QTYPE.
+    # currently only A, AAAA, TXT and NS are supported.
+    ttl = 86400
+    additionalA = "10.53.0.4"
+    additionalAAAA = "fd92:7065:b8e:ffff::4"
+    if typename == "A":
+        final = "10.53.0.4"
+    elif typename == "AAAA":
+        final = "fd92:7065:b8e:ffff::4"
+    elif typename == "TXT":
+        final = "Some\ text\ here"
+    elif typename == "NS":
+        domain = qname
+        final = "ns1.%s" % domain
+    else:
+        final = None
+
+    # RRSIG rdata - won't validate but will exercise response parsing
+    t = datetime.now()
+    delta = timedelta(30)
+    t1 = t - delta
+    t2 = t + delta
+    inception = t1.strftime("%Y%m%d000000")
+    expiry = t2.strftime("%Y%m%d000000")
+    sigdata = "OCXH2De0yE4NMTl9UykvOsJ4IBGs/ZIpff2rpaVJrVG7jQfmj50otBAp A0Zo7dpBU4ofv0N/F2Ar6LznCncIojkWptEJIAKA5tHegf/jY39arEpO cevbGp6DKxFhlkLXNcw7k9o7DSw14OaRmgAjXdTFbrl4AiAa0zAttFko Tso="
+
+    # construct answer set.
+    answers = []
+    sigs = []
+    curdom = domain
+    curname = name
+    i = 0
+
+    for action in actions:
+        if name != "test":
+            continue
+        if action == b"xname":
+            owner = curname + "." + curdom
+            newname = "cname%d" % i
+            i += 1
+            newdom = "domain%d.%s" % (i, tld)
+            i += 1
+            target = newname + "." + newdom
+            print("add external CNAME %s to %s" % (owner, target))
+            answers.append(dns.rrset.from_text(owner, ttl, IN, CNAME, target))
+            rrsig = "CNAME 5 3 %d %s %s 12345 %s %s" % (
+                ttl,
+                expiry,
+                inception,
+                domain,
+                sigdata,
+            )
+            print("add external RRISG(CNAME) %s to %s" % (owner, target))
+            sigs.append(dns.rrset.from_text(owner, ttl, IN, RRSIG, rrsig))
+            curname = newname
+            curdom = newdom
+            continue
+
+        if action == b"cname":
+            owner = curname + "." + curdom
+            newname = "cname%d" % i
+            target = newname + "." + curdom
+            i += 1
+            print("add CNAME %s to %s" % (owner, target))
+            answers.append(dns.rrset.from_text(owner, ttl, IN, CNAME, target))
+            rrsig = "CNAME 5 3 %d %s %s 12345 %s %s" % (
+                ttl,
+                expiry,
+                inception,
+                domain,
+                sigdata,
+            )
+            print("add RRSIG(CNAME) %s to %s" % (owner, target))
+            sigs.append(dns.rrset.from_text(owner, ttl, IN, RRSIG, rrsig))
+            curname = newname
+            continue
+
+        if action == b"dname":
+            owner = curdom
+            newdom = "domain%d.%s" % (i, tld)
+            i += 1
+            print("add DNAME %s to %s" % (owner, newdom))
+            answers.append(dns.rrset.from_text(owner, ttl, IN, DNAME, newdom))
+            rrsig = "DNAME 5 3 %d %s %s 12345 %s %s" % (
+                ttl,
+                expiry,
+                inception,
+                domain,
+                sigdata,
+            )
+            print("add RRSIG(DNAME) %s to %s" % (owner, newdom))
+            sigs.append(dns.rrset.from_text(owner, ttl, IN, RRSIG, rrsig))
+            owner = curname + "." + curdom
+            target = curname + "." + newdom
+            print("add synthesized CNAME %s to %s" % (owner, target))
+            answers.append(dns.rrset.from_text(owner, ttl, IN, CNAME, target))
+            rrsig = "CNAME 5 3 %d %s %s 12345 %s %s" % (
+                ttl,
+                expiry,
+                inception,
+                domain,
+                sigdata,
+            )
+            print("add synthesized RRSIG(CNAME) %s to %s" % (owner, target))
+            sigs.append(dns.rrset.from_text(owner, ttl, IN, RRSIG, rrsig))
+            curdom = newdom
+            continue
+
+    # now add the final answer
+    owner = curname + "." + curdom
+    answers.append(dns.rrset.from_text(owner, ttl, IN, rrtype, final))
+    rrsig = "%s 5 3 %d %s %s 12345 %s %s" % (
+        typename,
+        ttl,
+        expiry,
+        inception,
+        domain,
+        sigdata,
+    )
+    sigs.append(dns.rrset.from_text(owner, ttl, IN, RRSIG, rrsig))
+
+    # prepare the response and convert to wire format
+    r = dns.message.make_response(m)
+
+    if name != "test":
+        r.answer.append(answers[-1])
+        if wantsigs:
+            r.answer.append(sigs[-1])
+    else:
+        for i, sig in rrs:
+            if sig and not wantsigs:
+                continue
+            elif sig:
+                r.answer.append(sigs[i])
+            else:
+                r.answer.append(answers[i])
+
+    if typename != "NS":
+        r.authority.append(
+            dns.rrset.from_text(domain, ttl, IN, "NS", ("ns1.%s" % domain))
+        )
+    r.additional.append(
+        dns.rrset.from_text(("ns1.%s" % domain), 86400, IN, A, additionalA)
+    )
+    r.additional.append(
+        dns.rrset.from_text(("ns1.%s" % domain), 86400, IN, AAAA, additionalAAAA)
+    )
+
+    r.flags |= dns.flags.AA
+    r.use_edns()
+    return r.to_wire()
+
+
+def sigterm(signum, frame):
+    print("Shutting down now...")
+    os.remove("ans.pid")
+    running = False
+    sys.exit(0)
+
+
+############################################################################
+# Main
+#
+# Set up responder and control channel, open the pid file, and start
+# the main loop, listening for queries on the query channel or commands
+# on the control channel and acting on them.
+############################################################################
+ip4 = "10.53.0.4"
+ip6 = "fd92:7065:b8e:ffff::4"
+
+try:
+    port = int(os.environ["PORT"])
+except:
+    port = 5300
+
+try:
+    ctrlport = int(os.environ["EXTRAPORT1"])
+except:
+    ctrlport = 5300
+
+query4_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+query4_socket.bind((ip4, port))
+
+havev6 = True
+try:
+    query6_socket = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
+    try:
+        query6_socket.bind((ip6, port))
+    except:
+        query6_socket.close()
+        havev6 = False
+except:
+    havev6 = False
+
+ctrl_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ctrl_socket.bind((ip4, ctrlport))
+ctrl_socket.listen(5)
+
+signal.signal(signal.SIGTERM, sigterm)
+
+f = open("ans.pid", "w")
+pid = os.getpid()
+print(pid, file=f)
+f.close()
+
+running = True
+
+print("Listening on %s port %d" % (ip4, port))
+if havev6:
+    print("Listening on %s port %d" % (ip6, port))
+print("Control channel on %s port %d" % (ip4, ctrlport))
+print("Ctrl-c to quit")
+
+if havev6:
+    input = [query4_socket, query6_socket, ctrl_socket]
+else:
+    input = [query4_socket, ctrl_socket]
+
+while running:
+    try:
+        inputready, outputready, exceptready = select.select(input, [], [])
+    except select.error as e:
+        break
+    except socket.error as e:
+        break
+    except KeyboardInterrupt:
+        break
+
+    for s in inputready:
+        if s == ctrl_socket:
+            # Handle control channel input
+            conn, addr = s.accept()
+            print("Control channel connected")
+            while True:
+                msg = conn.recv(65535)
+                if not msg:
+                    break
+                ctl_channel(msg)
+            conn.close()
+        if s == query4_socket or s == query6_socket:
+            print("Query received on %s" % (ip4 if s == query4_socket else ip6))
+            # Handle incoming queries
+            msg = s.recvfrom(65535)
+            rsp = create_response(msg[0])
+            if rsp:
+                s.sendto(rsp, msg[1])
+    if not running:
+        break
diff --git a/bin/tests/system/chain/clean.sh b/bin/tests/system/chain/clean.sh
new file mode 100755
index 0000000..57b05a7
--- /dev/null
+++ b/bin/tests/system/chain/clean.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f dig.out.* named*.pid
+rm -f ns*/named.conf
+rm -f */named.memstats */named.recursing */named.lock */named.run */ans.run
+rm -f ns2/K* ns2/dsset-* ns2/*.db.signed
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/chain/ns1/named.conf.in b/bin/tests/system/chain/ns1/named.conf.in
new file mode 100644
index 0000000..5504261
--- /dev/null
+++ b/bin/tests/system/chain/ns1/named.conf.in
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation yes;
+	notify yes;
+};
+
+zone "." { type primary; file "root.db"; };
diff --git a/bin/tests/system/chain/ns1/root.db b/bin/tests/system/chain/ns1/root.db
new file mode 100644
index 0000000..3469fb5
--- /dev/null
+++ b/bin/tests/system/chain/ns1/root.db
@@ -0,0 +1,51 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. 			IN SOA	root.domain.nil a.root.servers.nil. (
+				2016012800   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+
+example.		NS	ns2.example.
+ns2.example.		A	10.53.0.2
+
+example.broken.		NS	ns3.example.broken.
+ns3.example.broken.	A	10.53.0.3
+
+; for the resolver variant of the CVE-2021-25215 regression test
+example.dname.		NS	ns3.example.dname.
+ns3.example.dname.	A	10.53.0.3
+
+domain0.nil.		NS	ns2.domain0.nil
+domain1.nil.		NS	ns2.domain0.nil
+domain2.nil.		NS	ns2.domain0.nil
+domain3.nil.		NS	ns2.domain0.nil
+domain4.nil.		NS	ns2.domain0.nil
+domain5.nil.		NS	ns2.domain0.nil
+domain6.nil.		NS	ns2.domain0.nil
+domain7.nil.		NS	ns2.domain0.nil
+domain8.nil.		NS	ns2.domain0.nil
+domain9.nil.		NS	ns2.domain0.nil
+ns2.domain0.nil.		A	10.53.0.2
+ns2.domain0.nil.		AAAA	fd92:7065:b8e:ffff::2
+
+domain.nil.		NS	ns4.domain.nil
+ns4.domain.nil.		A	10.53.0.4
+ns4.domain.nil.		AAAA	fd92:7065:b8e:ffff::4
+
+domain.		NS	ns4.domain.
+ns4.domain.		A	10.53.0.4
diff --git a/bin/tests/system/chain/ns2/example.db b/bin/tests/system/chain/ns2/example.db
new file mode 100644
index 0000000..c13f2d2
--- /dev/null
+++ b/bin/tests/system/chain/ns2/example.db
@@ -0,0 +1,69 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+ns2			A	10.53.0.2
+
+a.short			A	10.0.0.1
+short-dname		DNAME	short
+a.longlonglonglonglonglonglonglonglonglonglonglonglong	A 10.0.0.2
+long-dname		DNAME	longlonglonglonglonglonglonglonglonglonglonglonglong
+toolong-dname		DNAME	longlonglonglonglonglonglonglonglonglonglonglonglong
+cname			CNAME	a.cnamedname
+cnamedname		DNAME	target
+a.target		A	10.0.0.3
+
+; CNAME to delegation
+; (unsigned delegations, external and internal)
+sub5			NS	ns5.sub5
+ns5.sub5		A	10.53.0.5
+a			CNAME	a.sub5
+sub2			NS	ns2.sub2
+ns2.sub2		A	10.53.0.2
+b			CNAME	b.sub2
+
+; (signed delegation, external and internal)
+; note: these DS records are fake and will not validate; we're only
+; testing that the resolver handles their presence in a reply correctly
+signed-sub5		NS	ns5.sub5
+signed-sub5		DS	44137 8 2 1CB4F54E0B4F4F85109143113A3C679716A2377D86EB0907846A03FB 0C0A3927
+c			CNAME	c.signed-sub5
+signed-sub2		NS	ns2.sub2
+signed-sub2		DS	44137 8 2 1CB4F54E0B4F4F85109143113A3C679716A2377D86EB0907846A03FB 0C0A3927
+d			CNAME	d.signed-sub2
+
+; long CNAME loop
+loop			CNAME	goop
+goop			CNAME	boop
+boop			CNAME	soup
+soup			CNAME	gump
+gump			CNAME	bump
+bump			CNAME	lump
+lump			CNAME	rump
+rump			CNAME	romp
+romp			CNAME	bomp
+bomp			CNAME	stomp
+stomp			CNAME	clomp
+clomp			CNAME	clump
+clump			CNAME	hunk
+hunk			CNAME	hank
+hank			CNAME	bank
+bank			CNAME	wank
+wank			CNAME	woop
+woop			CNAME	loop
diff --git a/bin/tests/system/chain/ns2/generic.db b/bin/tests/system/chain/ns2/generic.db
new file mode 100644
index 0000000..9d59378
--- /dev/null
+++ b/bin/tests/system/chain/ns2/generic.db
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@	86400	SOA	ns2.domain0.nil. hostmaster.ns2.nil. 0 1 1 1 1
+@	86400	NS 	ns2.domain0.nil.
+ns2	86400	A 	10.53.0.2
+ns2	86400	AAAA    fd92:7065:b8e:ffff::2
+
+@       86400	A 	1.2.3.4
+@       86400	AAAA 	1:2:3::4
+*       86400	A 	1.2.3.4
+*       86400	AAAA 	1:2:3::4
+; CVE-2021-25215 regression test data
+self	86400	DNAME	nil.
diff --git a/bin/tests/system/chain/ns2/named.conf.in b/bin/tests/system/chain/ns2/named.conf.in
new file mode 100644
index 0000000..922d2fa
--- /dev/null
+++ b/bin/tests/system/chain/ns2/named.conf.in
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+	notify yes;
+};
+
+zone "example" {
+	type primary;
+	file "example.db.signed";
+	allow-update { any; };
+};
+
+zone "sub2.example" {
+	type primary;
+	file "sub.db";
+};
+
+zone "signed-sub2.example" {
+	type primary;
+	file "sub.db";
+};
+
+zone "wildcard-secure.example" {
+	type primary;
+	file "wildcard-secure.example.db.signed";
+};
+
+zone "wildcard-nsec.example" {
+	type primary;
+	file "wildcard-nsec.example.db.signed";
+};
+
+zone "wildcard-nsec3.example" {
+	type primary;
+	file "wildcard-nsec3.example.db.signed";
+};
+
+zone "wildcard-nsec3-optout.example" {
+	type primary;
+	file "wildcard-nsec3-optout.example.db.signed";
+};
+
+zone "domain0.nil" { type primary; file "generic.db"; };
+zone "domain1.nil" { type primary; file "generic.db"; };
+zone "domain2.nil" { type primary; file "generic.db"; };
+zone "domain3.nil" { type primary; file "generic.db"; };
+zone "domain4.nil" { type primary; file "generic.db"; };
+zone "domain5.nil" { type primary; file "generic.db"; };
+zone "domain6.nil" { type primary; file "generic.db"; };
+zone "domain7.nil" { type primary; file "generic.db"; };
+zone "domain8.nil" { type primary; file "generic.db"; };
+zone "domain9.nil" { type primary; file "generic.db"; };
diff --git a/bin/tests/system/chain/ns2/sign.sh b/bin/tests/system/chain/ns2/sign.sh
new file mode 100644
index 0000000..c067807
--- /dev/null
+++ b/bin/tests/system/chain/ns2/sign.sh
@@ -0,0 +1,55 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=example.
+zonefile=example.db
+signedfile=example.db.signed
+
+ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone)
+zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone)
+$SIGNER -S -o $zone -f $signedfile $zonefile > /dev/null
+
+zone=wildcard-secure.example.
+zonefile=wildcard-secure.db
+signedfile=wildcard-secure.example.db.signed
+
+ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone)
+zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone)
+$SIGNER -S -o $zone -f $signedfile $zonefile > /dev/null
+
+zone=wildcard-nsec.example.
+zonefile=wildcard.db
+signedfile=wildcard-nsec.example.db.signed
+
+ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone)
+zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone)
+$SIGNER -S -o $zone -f $signedfile $zonefile > /dev/null
+
+zone=wildcard-nsec3.example.
+zonefile=wildcard.db
+signedfile=wildcard-nsec3.example.db.signed
+
+ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone)
+zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone)
+$SIGNER -S -3 - -H 0 -o $zone -f $signedfile $zonefile > /dev/null
+
+zone=wildcard-nsec3-optout.example.
+zonefile=wildcard.db
+signedfile=wildcard-nsec3-optout.example.db.signed
+
+ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone)
+zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone)
+$SIGNER -S -3 - -H 0 -A -o $zone -f $signedfile $zonefile > /dev/null
diff --git a/bin/tests/system/chain/ns2/sub.db b/bin/tests/system/chain/ns2/sub.db
new file mode 100644
index 0000000..ad03165
--- /dev/null
+++ b/bin/tests/system/chain/ns2/sub.db
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2017031001 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+ns2			A	10.53.0.2
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+c			A	10.0.0.3
+d			A	10.0.0.4
diff --git a/bin/tests/system/chain/ns2/wildcard-secure.db b/bin/tests/system/chain/ns2/wildcard-secure.db
new file mode 100644
index 0000000..e39237a
--- /dev/null
+++ b/bin/tests/system/chain/ns2/wildcard-secure.db
@@ -0,0 +1,29 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2021051901 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	localhost.
+
+delegation		NS	localhost.
+			DS	12345 13 2 0000000000000000000000000000000000000000000000000000000000000000
+
+; CNAME pointing into a child zone
+cname			CNAME	delegation
+
+; wildcard CNAME pointing at a CNAME pointing into a child zone
+*			CNAME	cname
diff --git a/bin/tests/system/chain/ns2/wildcard.db b/bin/tests/system/chain/ns2/wildcard.db
new file mode 100644
index 0000000..cc39e9c
--- /dev/null
+++ b/bin/tests/system/chain/ns2/wildcard.db
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2021051901 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	localhost.
+
+delegation		NS	localhost.
+
+; CNAME pointing into a child zone
+cname			CNAME	delegation
+
+; wildcard CNAME pointing at a CNAME pointing into a child zone
+*			CNAME	cname
diff --git a/bin/tests/system/chain/ns5/named.conf.in b/bin/tests/system/chain/ns5/named.conf.in
new file mode 100644
index 0000000..86bbf26
--- /dev/null
+++ b/bin/tests/system/chain/ns5/named.conf.in
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+	query-source address 10.53.0.5;
+	notify-source 10.53.0.5;
+	transfer-source 10.53.0.5;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.5; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+	notify yes;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "sub5.example" {
+	type primary;
+	file "sub.db";
+};
+
+zone "signed-sub5.example" {
+	type primary;
+	file "sub.db";
+};
diff --git a/bin/tests/system/chain/ns5/sub.db b/bin/tests/system/chain/ns5/sub.db
new file mode 100644
index 0000000..df571fb
--- /dev/null
+++ b/bin/tests/system/chain/ns5/sub.db
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2017031001 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns5
+ns5			A	10.53.0.5
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+c			A	10.0.0.3
+d			A	10.0.0.4
diff --git a/bin/tests/system/chain/ns7/named.conf.in b/bin/tests/system/chain/ns7/named.conf.in
new file mode 100644
index 0000000..31ca3ef
--- /dev/null
+++ b/bin/tests/system/chain/ns7/named.conf.in
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	directory ".";
+	query-source address 10.53.0.7;
+	notify-source 10.53.0.7;
+	transfer-source 10.53.0.7;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.7; };
+	listen-on-v6 { fd92:7065:b8e:ffff::7; };
+	recursion yes;
+	allow-recursion { any; };
+	dnssec-validation yes;
+	deny-answer-aliases {
+		"example";
+	} except-from {
+		"example";
+	};
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "root.hint";
+};
diff --git a/bin/tests/system/chain/ns7/root.hint b/bin/tests/system/chain/ns7/root.hint
new file mode 100644
index 0000000..4f3f48b
--- /dev/null
+++ b/bin/tests/system/chain/ns7/root.hint
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 999999
+.                        IN NS  a.root-servers.nil.
+a.root-servers.nil.      IN A   10.53.0.1
diff --git a/bin/tests/system/chain/prereq.sh b/bin/tests/system/chain/prereq.sh
new file mode 100644
index 0000000..b074318
--- /dev/null
+++ b/bin/tests/system/chain/prereq.sh
@@ -0,0 +1,50 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if test -n "$PYTHON"
+then
+    if $PYTHON -c "import dns" 2> /dev/null
+    then
+        :
+    else
+        echo_i "This test requires the dnspython module." >&2
+        exit 1
+    fi
+else
+    echo_i "This test requires Python and the dnspython module." >&2
+    exit 1
+fi
+
+if $PERL -e 'use Net::DNS;' 2>/dev/null
+then
+    if $PERL -e 'use Net::DNS; die if ($Net::DNS::VERSION >= 0.69 && $Net::DNS::VERSION <= 0.74);' 2>/dev/null
+    then
+        :
+    else
+        echo_i "Net::DNS versions 0.69 to 0.74 have bugs that cause this test to fail: please update." >&2
+        exit 1
+    fi
+else
+    echo_i "This test requires the perl Net::DNS library." >&2
+    exit 1
+fi
+if $PERL -e 'use Net::DNS::Nameserver;' 2>/dev/null
+then
+	:
+else
+    echo_i "This test requires the Net::DNS::Nameserver library." >&2
+    exit 1
+fi
diff --git a/bin/tests/system/chain/setup.sh b/bin/tests/system/chain/setup.sh
new file mode 100644
index 0000000..a2c47ae
--- /dev/null
+++ b/bin/tests/system/chain/setup.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+copy_setports ns7/named.conf.in ns7/named.conf
+
+cd ns2
+$SHELL sign.sh
diff --git a/bin/tests/system/chain/tests.sh b/bin/tests/system/chain/tests.sh
new file mode 100644
index 0000000..19cdb68
--- /dev/null
+++ b/bin/tests/system/chain/tests.sh
@@ -0,0 +1,625 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="-p ${PORT}"
+RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
+SEND="$PERL $SYSTEMTESTTOP/send.pl 10.53.0.4 ${EXTRAPORT1}"
+status=0
+n=0
+
+n=`expr $n + 1`
+echo_i "checking short DNAME from authoritative ($n)"
+ret=0
+$DIG $DIGOPTS a.short-dname.example @10.53.0.2 a > dig.out.ns2.short || ret=1
+grep "status: NOERROR" dig.out.ns2.short > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking short DNAME from recursive ($n)"
+ret=0
+$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$DIG $DIGOPTS a.short-dname.example @10.53.0.7 a > dig.out.ns4.short || ret=1
+grep "status: NOERROR" dig.out.ns4.short > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking long DNAME from authoritative ($n)"
+ret=0
+$DIG $DIGOPTS a.long-dname.example @10.53.0.2 a > dig.out.ns2.long || ret=1
+grep "status: NOERROR" dig.out.ns2.long > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking long DNAME from recursive ($n)"
+ret=0
+$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$DIG $DIGOPTS a.long-dname.example @10.53.0.7 a > dig.out.ns4.long || ret=1
+grep "status: NOERROR" dig.out.ns4.long > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking (too) long DNAME from authoritative ($n)"
+ret=0
+$DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example @10.53.0.2 a > dig.out.ns2.toolong || ret=1
+grep "status: YXDOMAIN" dig.out.ns2.toolong > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking (too) long DNAME from recursive with cached DNAME ($n)"
+ret=0
+$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example @10.53.0.7 a > dig.out.ns4.cachedtoolong || ret=1
+grep "status: YXDOMAIN" dig.out.ns4.cachedtoolong > /dev/null || ret=1
+grep '^long-dname\.example\..*DNAME.*long' dig.out.ns4.cachedtoolong > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking (too) long DNAME from recursive without cached DNAME ($n)"
+ret=0
+$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglong.toolong-dname.example @10.53.0.7 a > dig.out.ns4.uncachedtoolong || ret=1
+grep "status: YXDOMAIN" dig.out.ns4.uncachedtoolong > /dev/null || ret=1
+grep '^toolong-dname\.example\..*DNAME.*long' dig.out.ns4.uncachedtoolong > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+find_records() {
+	owner_name="$1"
+	rr_type="$2"
+	file="$3"
+	awk '$1 == "'"$owner_name"'" && $4 == "'"$rr_type"'" { print }' < "$file"
+}
+
+count_records() {
+	owner_name="$1"
+	rr_type="$2"
+	file="$3"
+	find_records "$owner_name" "$rr_type" "$file" | wc -l
+}
+
+exactly_one_record_exists_for() {
+	owner_name="$1"
+	rr_type="$2"
+	file="$3"
+	test "$(count_records "$owner_name" "$rr_type" "$file")" -eq 1
+}
+
+no_records_exist_for() {
+	owner_name="$1"
+	rr_type="$2"
+	file="$3"
+	test "$(count_records "$owner_name" "$rr_type" "$file")" -eq 0
+}
+
+ensure_no_ds_in_bitmap() {
+	owner_name="$1"
+	rr_type="$2"
+	file="$3"
+	case "$rr_type" in
+		NSEC) start_index=6 ;;
+		NSEC3) start_index=10 ;;
+		*) exit 1 ;;
+	esac
+	find_records "$owner_name" "$rr_type" "$file" | awk '{ for (i='"$start_index"'; i<=NF; i++) if ($i == "DS") exit 1 }'
+}
+
+n=`expr $n + 1`
+echo_i "checking secure delegation prepared using CNAME chaining ($n)"
+ret=0
+# QNAME exists, so the AUTHORITY section should only contain an NS RRset and a
+# DS RRset.
+$DIG $DIGOPTS @10.53.0.2 cname.wildcard-secure.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
+# Ensure that the AUTHORITY section contains the expected NS and DS RRsets.
+exactly_one_record_exists_for "delegation.wildcard-secure.example." NS dig.out.2.$n || ret=1
+exactly_one_record_exists_for "delegation.wildcard-secure.example." DS dig.out.2.$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking secure delegation prepared using wildcard expansion + CNAME chaining ($n)"
+ret=0
+# QNAME does not exist, so the AUTHORITY section should contain an NS RRset, an
+# NSEC record proving nonexistence of QNAME, and a DS RRset at the zone cut.
+$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-secure.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
+# Ensure that the AUTHORITY section contains the expected NS and DS RRsets.
+exactly_one_record_exists_for "delegation.wildcard-secure.example." NS dig.out.2.$n || ret=1
+exactly_one_record_exists_for "delegation.wildcard-secure.example." DS dig.out.2.$n || ret=1
+# Check NSEC records in the AUTHORITY section.
+no_records_exist_for "wildcard-secure.example." NSEC dig.out.2.$n || ret=1
+exactly_one_record_exists_for "*.wildcard-secure.example." NSEC dig.out.2.$n || ret=1
+no_records_exist_for "cname.wildcard-secure.example." NSEC dig.out.2.$n || ret=1
+no_records_exist_for "delegation.wildcard-secure.example." NSEC dig.out.2.$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking insecure delegation prepared using CNAME chaining, NSEC ($n)"
+ret=0
+# QNAME exists, so the AUTHORITY section should only contain an NS RRset and a
+# single NSEC record proving nonexistence of a DS RRset at the zone cut.
+$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
+# Ensure that the AUTHORITY section contains an NS RRset without an associated
+# DS RRset.
+exactly_one_record_exists_for "delegation.wildcard-nsec.example." NS dig.out.2.$n || ret=1
+no_records_exist_for "delegation.wildcard-nsec.example." DS dig.out.2.$n || ret=1
+# Check NSEC records in the AUTHORITY section.
+no_records_exist_for "wildcard-nsec.example." NSEC dig.out.2.$n || ret=1
+no_records_exist_for "*.wildcard-nsec.example." NSEC dig.out.2.$n || ret=1
+no_records_exist_for "cname.wildcard-nsec.example." NSEC dig.out.2.$n || ret=1
+exactly_one_record_exists_for "delegation.wildcard-nsec.example." NSEC dig.out.2.$n || ret=1
+# Ensure the NSEC record for the zone cut does not have the DS bit set in the
+# type bit map.
+ensure_no_ds_in_bitmap "delegation.wildcard-nsec.example." NSEC dig.out.2.$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking insecure delegation prepared using wildcard expansion + CNAME chaining, NSEC, QNAME #1 ($n)"
+ret=0
+# QNAME does not exist, so the AUTHORITY section should contain an NS RRset and
+# NSEC records proving nonexistence of both QNAME and a DS RRset at the zone
+# cut.  In this test case, these two NSEC records are different.
+$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-nsec.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
+# Ensure that the AUTHORITY section contains an NS RRset without an associated
+# DS RRset.
+exactly_one_record_exists_for "delegation.wildcard-nsec.example." NS dig.out.2.$n || ret=1
+no_records_exist_for "delegation.wildcard-nsec.example." DS dig.out.2.$n || ret=1
+# Check NSEC records in the AUTHORITY section.
+no_records_exist_for "wildcard-nsec.example." NSEC dig.out.2.$n || ret=1
+exactly_one_record_exists_for "*.wildcard-nsec.example." NSEC dig.out.2.$n || ret=1
+no_records_exist_for "cname.wildcard-nsec.example." NSEC dig.out.2.$n || ret=1
+exactly_one_record_exists_for "delegation.wildcard-nsec.example." NSEC dig.out.2.$n || ret=1
+# Ensure the NSEC record for the zone cut does not have the DS bit set in the
+# type bit map.
+ensure_no_ds_in_bitmap "delegation.wildcard-nsec.example." NSEC dig.out.2.$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking insecure delegation prepared using wildcard expansion + CNAME chaining, NSEC, QNAME #2 ($n)"
+ret=0
+# QNAME does not exist, so the AUTHORITY section should contain an NS RRset and
+# NSEC records proving nonexistence of both QNAME and a DS RRset at the zone
+# cut.  In this test case, the same NSEC record proves nonexistence of both the
+# QNAME and the DS RRset at the zone cut.
+$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
+# Ensure that the AUTHORITY section contains an NS RRset without an associated
+# DS RRset.
+exactly_one_record_exists_for "delegation.wildcard-nsec.example." NS dig.out.2.$n || ret=1
+no_records_exist_for "delegation.wildcard-nsec.example." DS dig.out.2.$n || ret=1
+# Check NSEC records in the AUTHORITY section.
+no_records_exist_for "wildcard-nsec.example." NSEC dig.out.2.$n || ret=1
+no_records_exist_for "*.wildcard-nsec.example." NSEC dig.out.2.$n || ret=1
+no_records_exist_for "cname.wildcard-nsec.example." NSEC dig.out.2.$n || ret=1
+exactly_one_record_exists_for "delegation.wildcard-nsec.example." NSEC dig.out.2.$n || ret=1
+# Ensure the NSEC record for the zone cut does not have the DS bit set in the
+# type bit map.
+ensure_no_ds_in_bitmap "delegation.wildcard-nsec.example." NSEC dig.out.2.$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Relevant NSEC3 hashes:
+#
+# - existing names:
+#
+#       $ nsec3hash - 1 0 wildcard-nsec3.example.
+#       38IVP9CN0LBISO6H3V5REQCKMTHLI5AN (salt=-, hash=1, iterations=0)
+#       $ nsec3hash - 1 0 cname.wildcard-nsec3.example.
+#       3DV6GNNVR0O8LA4DC4CHL2JTVNHT8Q1D (salt=-, hash=1, iterations=0)
+#       $ nsec3hash - 1 0 delegation.wildcard-nsec3.example.
+#       AVKOGGGVJHFSLQA68TILKFKJ94AV4MNC (salt=-, hash=1, iterations=0)
+#       $ nsec3hash - 1 0 *.wildcard-nsec3.example.
+#       Q64D8L8HLSB3L98S59PM8OSSMI7SMQA2 (salt=-, hash=1, iterations=0)
+#
+# - nonexistent names:
+#
+#       $ nsec3hash - 1 0 a-nonexistent-name.wildcard-nsec3.example.
+#       PST9IH6M0DG3M139CO3G12NUP4ER88SH (salt=-, hash=1, iterations=0)
+#       $ nsec3hash - 1 0 z-nonexistent-name.wildcard-nsec3.example.
+#       SG2DEHEAOGCKP7FTNQAUVC3I3TIPJH0J (salt=-, hash=1, iterations=0)
+
+n=`expr $n + 1`
+echo_i "checking insecure delegation prepared using CNAME chaining, NSEC3 ($n)"
+ret=0
+# QNAME exists, so the AUTHORITY section should only contain an NS RRset and a
+# single NSEC3 record proving nonexistence of a DS RRset at the zone cut.
+$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec3.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
+# Ensure that the AUTHORITY section contains an NS RRset without an associated
+# DS RRset.
+exactly_one_record_exists_for "delegation.wildcard-nsec3.example." NS dig.out.2.$n || ret=1
+no_records_exist_for "delegation.wildcard-nsec3.example." DS dig.out.2.$n || ret=1
+# Check NSEC3 records in the AUTHORITY section.
+no_records_exist_for "38IVP9CN0LBISO6H3V5REQCKMTHLI5AN.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1
+no_records_exist_for "3DV6GNNVR0O8LA4DC4CHL2JTVNHT8Q1D.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1
+exactly_one_record_exists_for "AVKOGGGVJHFSLQA68TILKFKJ94AV4MNC.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1
+no_records_exist_for "Q64D8L8HLSB3L98S59PM8OSSMI7SMQA2.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1
+# Ensure the NSEC3 record matching the zone cut does not have the DS bit set in
+# the type bit map.
+ensure_no_ds_in_bitmap "AVKOGGGVJHFSLQA68TILKFKJ94AV4MNC.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking insecure delegation prepared using wildcard expansion + CNAME chaining, NSEC3, QNAME #1 ($n)"
+ret=0
+# QNAME does not exist, so the AUTHORITY section should contain an NS RRset and
+# NSEC3 records proving nonexistence of both QNAME and a DS RRset at the zone
+# cut.  In this test case, these two NSEC3 records are different.
+$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec3.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
+# Ensure that the AUTHORITY section contains an NS RRset without an associated
+# DS RRset.
+exactly_one_record_exists_for "delegation.wildcard-nsec3.example." NS dig.out.2.$n || ret=1
+no_records_exist_for "delegation.wildcard-nsec3.example." DS dig.out.2.$n || ret=1
+# Check NSEC3 records in the AUTHORITY section.
+no_records_exist_for "38IVP9CN0LBISO6H3V5REQCKMTHLI5AN.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1
+no_records_exist_for "3DV6GNNVR0O8LA4DC4CHL2JTVNHT8Q1D.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1
+exactly_one_record_exists_for "AVKOGGGVJHFSLQA68TILKFKJ94AV4MNC.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1
+exactly_one_record_exists_for "Q64D8L8HLSB3L98S59PM8OSSMI7SMQA2.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1
+# Ensure the NSEC3 record matching the zone cut does not have the DS bit set in
+# the type bit map.
+ensure_no_ds_in_bitmap "AVKOGGGVJHFSLQA68TILKFKJ94AV4MNC.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking insecure delegation prepared using wildcard expansion + CNAME chaining, NSEC3, QNAME #2 ($n)"
+ret=0
+# QNAME does not exist, so the AUTHORITY section should contain an NS RRset and
+# NSEC3 records proving nonexistence of both QNAME and a DS RRset at the zone
+# cut.  In this test case, the same NSEC3 record proves nonexistence of both the
+# QNAME and the DS RRset at the zone cut.
+$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-nsec3.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
+# Ensure that the AUTHORITY section contains an NS RRset without an associated
+# DS RRset.
+exactly_one_record_exists_for "delegation.wildcard-nsec3.example." NS dig.out.2.$n || ret=1
+no_records_exist_for "delegation.wildcard-nsec3.example." DS dig.out.2.$n || ret=1
+# Check NSEC3 records in the AUTHORITY section.
+no_records_exist_for "38IVP9CN0LBISO6H3V5REQCKMTHLI5AN.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1
+no_records_exist_for "3DV6GNNVR0O8LA4DC4CHL2JTVNHT8Q1D.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1
+exactly_one_record_exists_for "AVKOGGGVJHFSLQA68TILKFKJ94AV4MNC.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1
+no_records_exist_for "Q64D8L8HLSB3L98S59PM8OSSMI7SMQA2.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1
+# Ensure the NSEC3 record matching the zone cut does not have the DS bit set in
+# the type bit map.
+ensure_no_ds_in_bitmap "AVKOGGGVJHFSLQA68TILKFKJ94AV4MNC.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Relevant NSEC3 hashes:
+#
+# - existing names with corresponding NSEC3 records:
+#
+#       $ nsec3hash - 1 0 *.wildcard-nsec3-optout.example.
+#       2JGSPT59VJ7R9SQB5B9P6HPM5JBATOOO (salt=-, hash=1, iterations=0)
+#       $ nsec3hash - 1 0 cname.wildcard-nsec3-optout.example.
+#       OKRFKC9SS1O60E8U2980UD62MUSMKGUG (salt=-, hash=1, iterations=0)
+#       $ nsec3hash - 1 0 wildcard-nsec3-optout.example.
+#       SS5M1RUBSGMANEQ1VLRDDEC6SOAT7HNI (salt=-, hash=1, iterations=0)
+#
+# - existing name with no corresponding NSEC3 record due to opt-out:
+#
+#       $ nsec3hash - 1 0 delegation.wildcard-nsec3-optout.example.
+#       UFP8PVECFTD57HU5PUD2HE0ES37QEOAP (salt=-, hash=1, iterations=0)
+#
+# - nonexistent names:
+#
+#       $ nsec3hash - 1 0 b-nonexistent-name.wildcard-nsec3-optout.example.
+#       3J38JE2OU0O7B4CE2ADMBBKJ5HT994S5 (salt=-, hash=1, iterations=0)
+#       $ nsec3hash - 1 0 z-nonexistent-name.wildcard-nsec3-optout.example.
+#       V7OTS4791T9SU0HKVL93EVNAJ9JH2CH3 (salt=-, hash=1, iterations=0)
+
+n=`expr $n + 1`
+echo_i "checking insecure delegation prepared using CNAME chaining, NSEC3 with opt-out ($n)"
+ret=0
+# QNAME exists, so the AUTHORITY section should only contain an NS RRset and a
+# single NSEC3 record proving nonexistence of a DS RRset at the zone cut.
+$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec3-optout.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
+# Ensure that the AUTHORITY section contains an NS RRset without an associated
+# DS RRset.
+exactly_one_record_exists_for "delegation.wildcard-nsec3-optout.example." NS dig.out.2.$n || ret=1
+no_records_exist_for "delegation.wildcard-nsec3-optout.example." DS dig.out.2.$n || ret=1
+# Check NSEC3 records in the AUTHORITY section.
+no_records_exist_for "2JGSPT59VJ7R9SQB5B9P6HPM5JBATOOO.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1
+no_records_exist_for "OKRFKC9SS1O60E8U2980UD62MUSMKGUG.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1
+exactly_one_record_exists_for "SS5M1RUBSGMANEQ1VLRDDEC6SOAT7HNI.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1
+# Ensure the NSEC3 record covering the zone cut does not have the DS bit set in
+# the type bit map.
+ensure_no_ds_in_bitmap "SS5M1RUBSGMANEQ1VLRDDEC6SOAT7HNI.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking insecure delegation prepared using wildcard expansion + CNAME chaining, NSEC3 with opt-out, QNAME #1 ($n)"
+ret=0
+# QNAME does not exist, so the AUTHORITY section should contain an NS RRset and
+# NSEC3 records proving nonexistence of both QNAME and a DS RRset at the zone
+# cut.  In this test case, these two NSEC3 records are different.
+$DIG $DIGOPTS @10.53.0.2 b-nonexistent-name.wildcard-nsec3-optout.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
+# Ensure that the AUTHORITY section contains an NS RRset without an associated
+# DS RRset.
+exactly_one_record_exists_for "delegation.wildcard-nsec3-optout.example." NS dig.out.2.$n || ret=1
+no_records_exist_for "delegation.wildcard-nsec3-optout.example." DS dig.out.2.$n || ret=1
+# Check NSEC3 records in the AUTHORITY section.
+exactly_one_record_exists_for "2JGSPT59VJ7R9SQB5B9P6HPM5JBATOOO.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1
+no_records_exist_for "OKRFKC9SS1O60E8U2980UD62MUSMKGUG.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1
+exactly_one_record_exists_for "SS5M1RUBSGMANEQ1VLRDDEC6SOAT7HNI.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1
+# Ensure the NSEC3 record covering the zone cut does not have the DS bit set in
+# the type bit map.
+ensure_no_ds_in_bitmap "SS5M1RUBSGMANEQ1VLRDDEC6SOAT7HNI.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking insecure delegation prepared using wildcard expansion + CNAME chaining, NSEC3 with opt-out, QNAME #2 ($n)"
+ret=0
+# QNAME does not exist, so the AUTHORITY section should contain an NS RRset and
+# NSEC3 records proving nonexistence of both QNAME and a DS RRset at the zone
+# cut.  In this test case, the same NSEC3 record proves nonexistence of both the
+# QNAME and the DS RRset at the zone cut.
+$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec3-optout.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
+# Ensure that the AUTHORITY section contains an NS RRset without an associated
+# DS RRset.
+exactly_one_record_exists_for "delegation.wildcard-nsec3-optout.example." NS dig.out.2.$n || ret=1
+no_records_exist_for "delegation.wildcard-nsec3-optout.example." DS dig.out.2.$n || ret=1
+# Check NSEC3 records in the AUTHORITY section.
+no_records_exist_for "2JGSPT59VJ7R9SQB5B9P6HPM5JBATOOO.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1
+no_records_exist_for "OKRFKC9SS1O60E8U2980UD62MUSMKGUG.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1
+exactly_one_record_exists_for "SS5M1RUBSGMANEQ1VLRDDEC6SOAT7HNI.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1
+# Ensure the NSEC3 record covering the zone cut does not have the DS bit set in
+# the type bit map.
+ensure_no_ds_in_bitmap "SS5M1RUBSGMANEQ1VLRDDEC6SOAT7HNI.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking CNAME to DNAME from authoritative ($n)"
+ret=0
+$DIG $DIGOPTS cname.example @10.53.0.2 a > dig.out.ns2.cname
+grep "status: NOERROR" dig.out.ns2.cname > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking CNAME to DNAME from recursive"
+ret=0
+$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$DIG $DIGOPTS cname.example @10.53.0.7 a > dig.out.ns4.cname
+grep "status: NOERROR" dig.out.ns4.cname > /dev/null || ret=1
+grep '^cname.example.' dig.out.ns4.cname > /dev/null || ret=1
+grep '^cnamedname.example.' dig.out.ns4.cname > /dev/null || ret=1
+grep '^a.cnamedname.example.' dig.out.ns4.cname > /dev/null || ret=1
+grep '^a.target.example.' dig.out.ns4.cname > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking DNAME is returned with synthesized CNAME before DNAME ($n)"
+ret=0
+$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$DIG $DIGOPTS @10.53.0.7 name.synth-then-dname.example.broken A > dig.out.test$n
+grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1
+grep '^name.synth-then-dname\.example\.broken\..*CNAME.*name.$' dig.out.test$n > /dev/null || ret=1
+grep '^synth-then-dname\.example\.broken\..*DNAME.*\.$' dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking DNAME is returned with CNAME to synthesized CNAME before DNAME ($n)"
+ret=0
+$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$DIG $DIGOPTS @10.53.0.7 cname-to-synth2-then-dname.example.broken A > dig.out.test$n
+grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1
+grep '^cname-to-synth2-then-dname\.example\.broken\..*CNAME.*name\.synth2-then-dname\.example\.broken.$' dig.out.test$n > /dev/null || ret=1
+grep '^name\.synth2-then-dname\.example\.broken\..*CNAME.*name.$' dig.out.test$n > /dev/null || ret=1
+grep '^synth2-then-dname\.example\.broken\..*DNAME.*\.$' dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking CNAME loops are detected ($n)"
+ret=0
+$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$DIG $DIGOPTS @10.53.0.7 loop.example > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 17" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking CNAME to external delegated zones is handled ($n)"
+ret=0
+$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$DIG $DIGOPTS @10.53.0.7 a.example > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 2" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking CNAME to internal delegated zones is handled ($n)"
+ret=0
+$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$DIG $DIGOPTS @10.53.0.7 b.example > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 2" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking CNAME to signed external delegation is handled ($n)"
+ret=0
+$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$DIG $DIGOPTS @10.53.0.7 c.example > dig.out.$n
+grep "status: NOERROR" dig.out.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking CNAME to signed internal delegation is handled ($n)"
+ret=0
+$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$DIG $DIGOPTS @10.53.0.7 d.example > dig.out.$n
+grep "status: NOERROR" dig.out.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking CNAME chains in various orders ($n)"
+ret=0
+$RNDCCMD 10.53.0.7 null --- start test$n - step 1 --- 2>&1 | sed 's/^/ns7 /' | cat_i
+echo "cname,cname,cname|1,2,3,4,s1,s2,s3,s4" | $SEND
+$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.1.$n 2>&1
+grep 'status: NOERROR' dig.out.1.$n > /dev/null 2>&1 || ret=1
+grep 'ANSWER: 2' dig.out.1.$n > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.7 null --- start test$n - step 2 --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
+echo "cname,cname,cname|1,1,2,2,3,4,s4,s3,s1" | $SEND
+$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.2.$n 2>&1
+grep 'status: NOERROR' dig.out.2.$n > /dev/null 2>&1 || ret=1
+grep 'ANSWER: 2' dig.out.2.$n > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.7 null --- start test$n - step 3 --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
+echo "cname,cname,cname|2,1,3,4,s3,s1,s2,s4" | $SEND
+$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.3.$n 2>&1
+grep 'status: NOERROR' dig.out.3.$n > /dev/null 2>&1 || ret=1
+grep 'ANSWER: 2' dig.out.3.$n > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.7 null --- start test$n - step 4 --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
+echo "cname,cname,cname|4,3,2,1,s4,s3,s2,s1" | $SEND
+$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.4.$n 2>&1
+grep 'status: NOERROR' dig.out.4.$n > /dev/null 2>&1 || ret=1
+grep 'ANSWER: 2' dig.out.4.$n > /dev/null 2>&1 || ret=1
+echo "cname,cname,cname|4,3,2,1,s4,s3,s2,s1" | $SEND
+$RNDCCMD 10.53.0.7 null --- start test$n - step 5 --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
+$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.5.$n 2>&1
+grep 'status: NOERROR' dig.out.5.$n > /dev/null 2>&1 || ret=1
+grep 'ANSWER: 2' dig.out.5.$n > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.7 null --- start test$n - step 6 --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
+echo "cname,cname,cname|4,3,3,3,s1,s1,1,3,4" | $SEND
+$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.6.$n 2>&1
+grep 'status: NOERROR' dig.out.6.$n > /dev/null 2>&1 || ret=1
+grep 'ANSWER: 2' dig.out.6.$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that only the initial CNAME is cached ($n)"
+ret=0
+$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
+echo "cname,cname,cname|1,2,3,4,s1,s2,s3,s4" | $SEND
+$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.1.$n 2>&1
+sleep 1
+$DIG $DIGOPTS +noall +answer @10.53.0.7 cname1.domain.nil > dig.out.2.$n 2>&1
+ttl=`awk '{print $2}' dig.out.2.$n`
+[ "$ttl" -eq 86400 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking DNAME chains in various orders ($n)"
+ret=0
+$RNDCCMD 10.53.0.7 null --- start test$n - step 1 --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
+echo "dname,dname|5,4,3,2,1,s5,s4,s3,s2,s1" | $SEND
+$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.1.$n 2>&1
+grep 'status: NOERROR' dig.out.1.$n > /dev/null 2>&1 || ret=1
+grep 'ANSWER: 3' dig.out.1.$n > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.7 null --- start test$n - step 2 --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
+echo "dname,dname|5,4,3,2,1,s5,s4,s3,s2,s1" | $SEND
+$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.2.$n 2>&1
+grep 'status: NOERROR' dig.out.2.$n > /dev/null 2>&1 || ret=1
+grep 'ANSWER: 3' dig.out.2.$n > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.7 null --- start test$n - step 3 --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
+echo "dname,dname|2,3,s1,s2,s3,s4,1" | $SEND
+$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.3.$n 2>&1
+grep 'status: NOERROR' dig.out.3.$n > /dev/null 2>&1 || ret=1
+grep 'ANSWER: 3' dig.out.3.$n > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking external CNAME/DNAME chains in various orders ($n)"
+ret=0
+$RNDCCMD 10.53.0.7 null --- start test$n - step 1 --- 2>&1 | sed 's/^/ns7 /' | cat_i
+echo "xname,dname|1,2,3,4,s1,s2,s3,s4" | $SEND
+$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.1.$n 2>&1
+grep 'status: NOERROR' dig.out.1.$n > /dev/null 2>&1 || ret=1
+grep 'ANSWER: 2' dig.out.1.$n > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.7 null --- start test$n - step 2 --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
+echo "xname,dname|s2,2,s1,1,4,s4,3" | $SEND
+$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.2.$n 2>&1
+grep 'status: NOERROR' dig.out.2.$n > /dev/null 2>&1 || ret=1
+grep 'ANSWER: 2' dig.out.2.$n > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.7 null --- start test$n - step 3 --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
+echo "xname,dname|s2,2,2,2" | $SEND
+$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.3.$n 2>&1
+grep 'status: SERVFAIL' dig.out.3.$n > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking explicit DNAME query ($n)"
+ret=0
+$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$DIG $DIGOPTS @10.53.0.7 dname short-dname.example > dig.out.7.$n 2>&1
+grep 'status: NOERROR' dig.out.7.$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking DNAME via ANY query ($n)"
+ret=0
+$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
+$DIG $DIGOPTS @10.53.0.7 any short-dname.example > dig.out.7.$n 2>&1
+grep 'status: NOERROR' dig.out.7.$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Regression test for CVE-2021-25215 (authoritative server).
+n=`expr $n + 1`
+echo_i "checking DNAME resolution via itself (authoritative) ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 DNAME self.domain0.self.domain0.nil. > dig.out.2.$n 2>&1
+grep 'status: NOERROR' dig.out.2.$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Regression test for CVE-2021-25215 (recursive resolver).
+n=`expr $n + 1`
+echo_i "checking DNAME resolution via itself (recursive) ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.7 DNAME self.example.self.example.dname. > dig.out.7.$n 2>&1
+grep 'status: NOERROR' dig.out.7.$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/checkconf/altdb.conf b/bin/tests/system/checkconf/altdb.conf
new file mode 100644
index 0000000..e40118c
--- /dev/null
+++ b/bin/tests/system/checkconf/altdb.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view override_bind chaos {
+	zone "version.bind" chaos {
+		type master;
+		database "_builtin version";
+	};
+};
diff --git a/bin/tests/system/checkconf/altdlz.conf b/bin/tests/system/checkconf/altdlz.conf
new file mode 100644
index 0000000..18539da
--- /dev/null
+++ b/bin/tests/system/checkconf/altdlz.conf
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dlz external {
+	database "dlopen driver.so";
+	search no;
+};
+
+zone "example.com" {
+	type master;
+	dlz external;
+};
+
+zone "." {
+	type redirect;
+	dlz external;
+};
diff --git a/bin/tests/system/checkconf/ancient.conf b/bin/tests/system/checkconf/ancient.conf
new file mode 100644
index 0000000..98189cc
--- /dev/null
+++ b/bin/tests/system/checkconf/ancient.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Ancient options are fatal.
+ */
+options {
+	fake-iquery yes;
+};
diff --git a/bin/tests/system/checkconf/bad-acl.conf b/bin/tests/system/checkconf/bad-acl.conf
new file mode 100644
index 0000000..5095059
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-acl.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl a {
+	{ "none"; };
+	{ !19.0.0.0/7; };
+};
+
+options {
+	allow-query { a; };
+};
diff --git a/bin/tests/system/checkconf/bad-also-notify.conf b/bin/tests/system/checkconf/bad-also-notify.conf
new file mode 100644
index 0000000..d93ff2d
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-also-notify.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Missing master in also-notify clause.
+ */
+
+zone dummy {
+	type master;
+	file "xxxx";
+	also-notify { xxxx; };
+};
diff --git a/bin/tests/system/checkconf/bad-catz-zone.conf b/bin/tests/system/checkconf/bad-catz-zone.conf
new file mode 100644
index 0000000..6f0677a
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-catz-zone.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	catalog-zones {
+		zone "nonexistent";
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-checknames-primary-dup-2.conf b/bin/tests/system/checkconf/bad-checknames-primary-dup-2.conf
new file mode 100644
index 0000000..24e6ef9
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-checknames-primary-dup-2.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	check-names primary warn;
+	check-names primary fail;
+};
diff --git a/bin/tests/system/checkconf/bad-checknames-primary-dup.conf b/bin/tests/system/checkconf/bad-checknames-primary-dup.conf
new file mode 100644
index 0000000..e746e84
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-checknames-primary-dup.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	check-names master warn;
+	check-names primary fail;
+};
diff --git a/bin/tests/system/checkconf/bad-checknames-secondary-dup.conf b/bin/tests/system/checkconf/bad-checknames-secondary-dup.conf
new file mode 100644
index 0000000..ea83d7e
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-checknames-secondary-dup.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	check-names slave ignore;
+	check-names secondary warn;
+};
diff --git a/bin/tests/system/checkconf/bad-dnskey-validity.conf b/bin/tests/system/checkconf/bad-dnskey-validity.conf
new file mode 100644
index 0000000..8c28ac5
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-dnskey-validity.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dnskey-sig-validity 5000;	/* maximum value 10 years, this is 14 */
+};
diff --git a/bin/tests/system/checkconf/bad-dnssec.conf b/bin/tests/system/checkconf/bad-dnssec.conf
new file mode 100644
index 0000000..7f1d524
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-dnssec.conf
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone not-inline {
+	type slave;
+	masters { 127.0.0.1; };
+	inline-signing no;
+	dnssec-dnskey-kskonly yes;
+	update-check-ksk yes;
+	dnssec-loadkeys-interval 10;
+
+};
+
+zone inline {
+	type slave;
+	masters { 127.0.0.1; };
+	inline-signing yes;
+	dnssec-dnskey-kskonly yes;
+	update-check-ksk yes;
+	dnssec-loadkeys-interval 10;
+};
diff --git a/bin/tests/system/checkconf/bad-duplicate-key.conf b/bin/tests/system/checkconf/bad-duplicate-key.conf
new file mode 100644
index 0000000..17f2237
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-duplicate-key.conf
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dnssec-validation yes;
+};
+
+trust-anchors {
+	example. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
+		25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
+		tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
+		kYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJ
+		fpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaS
+		WG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjI
+		NQyrszHhWUU=";
+};
+
+trust-anchors {
+	example. static-key 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
+		y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
+		YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
+		2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuw
+		E60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/
+		Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn
+		6zqCkwuMmrU=";
+};
diff --git a/bin/tests/system/checkconf/bad-duplicate-primaries-1.conf b/bin/tests/system/checkconf/bad-duplicate-primaries-1.conf
new file mode 100644
index 0000000..3bbabde
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-duplicate-primaries-1.conf
@@ -0,0 +1,15 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+primaries duplicate { 1.2.3.4; };
+primaries duplicate { 4.3.2.1; };
diff --git a/bin/tests/system/checkconf/bad-duplicate-primaries-2.conf b/bin/tests/system/checkconf/bad-duplicate-primaries-2.conf
new file mode 100644
index 0000000..1d1c6f0
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-duplicate-primaries-2.conf
@@ -0,0 +1,15 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+masters duplicate { 1.2.3.4; };
+primaries duplicate { 4.3.2.1; };
diff --git a/bin/tests/system/checkconf/bad-duplicate-root-key.conf b/bin/tests/system/checkconf/bad-duplicate-root-key.conf
new file mode 100644
index 0000000..1cbc7d4
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-duplicate-root-key.conf
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dnssec-validation yes;
+};
+
+trust-anchors {
+	. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
+		25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
+		tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
+		kYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJ
+		fpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaS
+		WG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjI
+		NQyrszHhWUU=";
+};
+
+trusted-keys {
+	. 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
+		y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
+		YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
+		2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuw
+		E60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/
+		Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn
+		6zqCkwuMmrU=";
+};
diff --git a/bin/tests/system/checkconf/bad-geoip-use-ecs.conf b/bin/tests/system/checkconf/bad-geoip-use-ecs.conf
new file mode 100644
index 0000000..b22d008
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-geoip-use-ecs.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	geoip-use-ecs yes;
+};
diff --git a/bin/tests/system/checkconf/bad-glue-cache-bogus.conf b/bin/tests/system/checkconf/bad-glue-cache-bogus.conf
new file mode 100644
index 0000000..c264b26
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-glue-cache-bogus.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	glue-cache bogusvalue;
+};
diff --git a/bin/tests/system/checkconf/bad-hint.conf b/bin/tests/system/checkconf/bad-hint.conf
new file mode 100644
index 0000000..7214a00
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-hint.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "." {
+	type hint;
+	masterfile-format raw;
+	file "hint";
+};
diff --git a/bin/tests/system/checkconf/bad-in-view-dup.conf b/bin/tests/system/checkconf/bad-in-view-dup.conf
new file mode 100644
index 0000000..5c6329c
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-in-view-dup.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view a {
+	zone x { type master; file "x"; };
+};
+
+view b {
+	zone x { type master; file "x"; };
+	zone x { in-view a; };
+};
diff --git a/bin/tests/system/checkconf/bad-inline-options.conf b/bin/tests/system/checkconf/bad-inline-options.conf
new file mode 100644
index 0000000..f7c62dd
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-inline-options.conf
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * inline-signing not allowed at options level.
+ */
+options {
+	inline-signing yes;
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
diff --git a/bin/tests/system/checkconf/bad-inline-slave.conf b/bin/tests/system/checkconf/bad-inline-slave.conf
new file mode 100644
index 0000000..10e9649
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-inline-slave.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+ /*
+  * An inline-signing slave should be forced to have a file option
+  */
+
+  zone "." {
+	  type slave;
+	  inline-signing yes;
+	  masters { 10.53.0.1; };
+  };
\ No newline at end of file
diff --git a/bin/tests/system/checkconf/bad-inline-view.conf b/bin/tests/system/checkconf/bad-inline-view.conf
new file mode 100644
index 0000000..e46bd0b
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-inline-view.conf
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * inline-signing not allowed at view level.
+ */
+view "a" {
+	inline-signing yes;
+
+	zone "." {
+		type primary;
+		file "root.db.signed";
+	};
+};
+
+view "b" {
+	zone "." {
+		type primary;
+		file "root.db";
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-interface-interval.conf b/bin/tests/system/checkconf/bad-interface-interval.conf
new file mode 100644
index 0000000..ba8341a
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-interface-interval.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	interface-interval 1x;
+};
diff --git a/bin/tests/system/checkconf/bad-ipv4-prefix-dotted1.conf b/bin/tests/system/checkconf/bad-ipv4-prefix-dotted1.conf
new file mode 100644
index 0000000..d7604eb
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-ipv4-prefix-dotted1.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl myacl {
+	127.1; /* Incomplete dotted IPv4 address / prefix */
+};
diff --git a/bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf b/bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf
new file mode 100644
index 0000000..cb53741
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl myacl {
+	127.1/8; /* No-zero bits */
+};
diff --git a/bin/tests/system/checkconf/bad-ipv4-prefix2.conf b/bin/tests/system/checkconf/bad-ipv4-prefix2.conf
new file mode 100644
index 0000000..98e724a
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-ipv4-prefix2.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl myacl {
+	127; /* Non-dotted quad IPv4 address (0.0.0.127) / prefix without length. */
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-define-default.conf b/bin/tests/system/checkconf/bad-kasp-define-default.conf
new file mode 100644
index 0000000..569b1a8
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-define-default.conf
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// 'default' is a built-in policy, redefinition not allowed.
+dnssec-policy "default" {
+	signatures-refresh P5D;
+};
+
+zone "example.net" {
+	type master;
+	file "example.db";
+	dnssec-policy "default";
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-define-insecure.conf b/bin/tests/system/checkconf/bad-kasp-define-insecure.conf
new file mode 100644
index 0000000..060dde7
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-define-insecure.conf
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// 'insecure' is a built-in policy, redefinition not allowed.
+dnssec-policy "insecure" {
+	signatures-refresh P5D;
+};
+
+zone "example.net" {
+	type master;
+	file "example.db";
+	dnssec-policy "insecure";
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-define-none.conf b/bin/tests/system/checkconf/bad-kasp-define-none.conf
new file mode 100644
index 0000000..2bdff02
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-define-none.conf
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// 'none' is a built-in policy, redefinition not allowed.
+dnssec-policy "none" {
+	signatures-refresh P5D;
+};
+
+zone "example.net" {
+	type master;
+	file "example.db";
+	dnssec-policy "none";
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-duplicate.conf b/bin/tests/system/checkconf/bad-kasp-duplicate.conf
new file mode 100644
index 0000000..7f3ade6
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-duplicate.conf
@@ -0,0 +1,15 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy a { };
+dnssec-policy a { };
diff --git a/bin/tests/system/checkconf/bad-kasp-key1.conf b/bin/tests/system/checkconf/bad-kasp-key1.conf
new file mode 100644
index 0000000..b6bda15
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-key1.conf
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "badalg" {
+	keys {
+		csk lifetime unlimited algorithm ceasarscipher;
+	};
+};
+
+zone "example.net" {
+	type master;
+	file "example.db";
+	dnssec-policy "badalg";
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-key2.conf b/bin/tests/system/checkconf/bad-kasp-key2.conf
new file mode 100644
index 0000000..7e6a60e
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-key2.conf
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "badalg" {
+	keys {
+		csk lifetime unlimited algorithm 8 4097;
+	};
+};
+
+zone "example.net" {
+	type master;
+	file "example.db";
+	dnssec-policy "badalg";
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-key3.conf b/bin/tests/system/checkconf/bad-kasp-key3.conf
new file mode 100644
index 0000000..92806ff
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-key3.conf
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "badalg" {
+	keys {
+		csk lifetime unlimited algorithm rsasha512 1023;
+	};
+};
+
+zone "example.net" {
+	type master;
+	file "example.db";
+	dnssec-policy "badalg";
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-key4.conf b/bin/tests/system/checkconf/bad-kasp-key4.conf
new file mode 100644
index 0000000..c8e9ae6
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-key4.conf
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "badalg" {
+	keys {
+		csk lifetime unlimited algorithm 5 511;
+	};
+};
+
+zone "example.net" {
+	type master;
+	file "example.db";
+	dnssec-policy "badalg";
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-keydir1.conf.in b/bin/tests/system/checkconf/bad-kasp-keydir1.conf.in
new file mode 100644
index 0000000..b0deaea
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-keydir1.conf.in
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * The same zone in different views is using different DNSSEC policies, so it
+ * may not have the same key-directory.
+ */
+
+
+key "keyforview1" {
+	algorithm @DEFAULT_HMAC@;
+	secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
+};
+
+key "keyforview2" {
+	algorithm @DEFAULT_HMAC@;
+	secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
+};
+
+view "example1" {
+	match-clients { key "keyforview1"; };
+
+	zone "example.net" {
+		type primary;
+		dnssec-policy "default";
+		key-directory ".";
+		file "example1.db";
+	};
+};
+
+view "example2" {
+	match-clients { key "keyforview2"; };
+
+	zone "example.net" {
+		type primary;
+		dnssec-policy "insecure";
+		key-directory ".";
+		file "example2.db";
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-keydir2.conf.in b/bin/tests/system/checkconf/bad-kasp-keydir2.conf.in
new file mode 100644
index 0000000..699c193
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-keydir2.conf.in
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * No key-directory is set, so the default is used.
+ * Should fail because the same zone in different views is using different
+ * DNSSEC policies.
+ */
+
+key "keyforview1" {
+	algorithm @DEFAULT_HMAC@;
+	secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
+};
+
+key "keyforview2" {
+	algorithm @DEFAULT_HMAC@;
+	secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
+};
+
+view "example1" {
+	match-clients { key "keyforview1"; };
+
+	zone "example.net" {
+		type primary;
+		dnssec-policy "default";
+		file "example1.db";
+	};
+};
+
+view "example2" {
+	match-clients { key "keyforview2"; };
+
+	zone "example.net" {
+		type primary;
+		dnssec-policy "insecure";
+		file "example2.db";
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-keydir3.conf.in b/bin/tests/system/checkconf/bad-kasp-keydir3.conf.in
new file mode 100644
index 0000000..0dbd7e2
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-keydir3.conf.in
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * The zone in view "example1" inherits the key directory value from "options",
+ * but in view "example2" sets the key directory to the same value. This should
+ * be detected as an error because the zone is using different DNSSEC policies
+ * and should thus use different key directories.
+ */
+
+key "keyforview1" {
+	algorithm @DEFAULT_HMAC@;
+	secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
+};
+
+key "keyforview2" {
+	algorithm @DEFAULT_HMAC@;
+	secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
+};
+
+options {
+	key-directory "keys";
+};
+
+view "example1" {
+	match-clients { key "keyforview1"; };
+
+	zone "example.net" {
+		type primary;
+		/* key-directory inherited from options. */
+		dnssec-policy "default";
+		file "example1.db";
+	};
+};
+
+view "example2" {
+	match-clients { key "keyforview2"; };
+
+	zone "example.net" {
+		type primary;
+		dnssec-policy "insecure";
+		key-directory "keys";
+		file "example2.db";
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-keydir4.conf.in b/bin/tests/system/checkconf/bad-kasp-keydir4.conf.in
new file mode 100644
index 0000000..af4a8f9
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-keydir4.conf.in
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * The zone inherits the key-directory from the "view" level. Both views use the
+ * same key-directory, but the zone uses a different DNSSEC policy per view.
+ * This is a configuration error.
+ */
+
+key "keyforview1" {
+	algorithm @DEFAULT_HMAC@;
+	secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
+};
+
+key "keyforview2" {
+	algorithm @DEFAULT_HMAC@;
+	secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
+};
+
+view "example1" {
+	match-clients { key "keyforview1"; };
+
+	key-directory "keys";
+
+	zone "example.net" {
+		type primary;
+		dnssec-policy "default";
+		file "example1.db";
+	};
+};
+
+view "example2" {
+	match-clients { key "keyforview2"; };
+
+	key-directory "keys";
+
+	zone "example.net" {
+		type primary;
+		dnssec-policy "insecure";
+		file "example2.db";
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-keydir5.conf.in b/bin/tests/system/checkconf/bad-kasp-keydir5.conf.in
new file mode 100644
index 0000000..1cca608
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-keydir5.conf.in
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * In one view, the zone inherits the key-directory from the "view" level, while
+ * in the other it is set explicitly at the "zone" level. In both cases, the
+ * same key-directory is used, but the zone uses a different DNSSEC policy per
+ * view. This is a configuration error.
+ */
+
+key "keyforview1" {
+	algorithm @DEFAULT_HMAC@;
+	secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
+};
+
+key "keyforview2" {
+	algorithm @DEFAULT_HMAC@;
+	secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
+};
+
+view "example1" {
+	match-clients { key "keyforview1"; };
+
+	key-directory "keys";
+
+	zone "example.net" {
+		type primary;
+		dnssec-policy "default";
+		file "example1.db";
+	};
+};
+
+view "example2" {
+	match-clients { key "keyforview2"; };
+
+	zone "example.net" {
+		type primary;
+		dnssec-policy "insecure";
+		key-directory "keys";
+		file "example2.db";
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-policy-undefined-inherited-view.conf b/bin/tests/system/checkconf/bad-kasp-policy-undefined-inherited-view.conf
new file mode 100644
index 0000000..12a26d3
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-policy-undefined-inherited-view.conf
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * The dnssec-policy is not defined. Should also be caught if it is inherited.
+ */
+
+view "test" {
+	dnssec-policy "notdefined";
+
+	zone "example.net" {
+		type primary;
+		file "example.db";
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-policy-undefined-inherited.conf b/bin/tests/system/checkconf/bad-kasp-policy-undefined-inherited.conf
new file mode 100644
index 0000000..48514ac
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-policy-undefined-inherited.conf
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * The dnssec-policy is not defined. Should also be caught if it is inherited.
+ */
+
+options {
+	dnssec-policy "notdefined";
+};
+
+zone "example.net" {
+	type primary;
+	file "example.db";
+};
diff --git a/bin/tests/system/checkconf/bad-kasp10.conf b/bin/tests/system/checkconf/bad-kasp10.conf
new file mode 100644
index 0000000..3088fc9
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp10.conf
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// One zone with dnssec-policy 'none', one zone with dnssec-policy 'insecure',
+// both using the same zone file.
+
+zone "example1.net" {
+	type master;
+	file "example.db";
+	dnssec-policy "none";
+};
+
+zone "example2.net" {
+	type master;
+	file "example.db";
+	dnssec-policy "insecure";
+};
+
diff --git a/bin/tests/system/checkconf/bad-kasp11.conf b/bin/tests/system/checkconf/bad-kasp11.conf
new file mode 100644
index 0000000..7c0b0e9
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp11.conf
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// One zone with a dnssec-policy, the other with allow-update,
+// with the same zone file.
+
+zone "example1.net" {
+	type master;
+	file "example.db";
+	dnssec-policy "default";
+};
+
+zone "example2.net" {
+	type master;
+	file "example.db";
+	allow-update { any; };
+};
+
diff --git a/bin/tests/system/checkconf/bad-kasp12.conf b/bin/tests/system/checkconf/bad-kasp12.conf
new file mode 100644
index 0000000..67b8c85
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp12.conf
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// One zone with a dnssec-policy, the other with update-policy,
+// with the same zone file.
+
+zone "example1.net" {
+	type master;
+	file "example.db";
+	dnssec-policy "default";
+};
+
+zone "example2.net" {
+	type master;
+	file "example.db";
+	update-policy {
+		grant * self * TXT;
+	};
+};
+
diff --git a/bin/tests/system/checkconf/bad-kasp13.conf b/bin/tests/system/checkconf/bad-kasp13.conf
new file mode 100644
index 0000000..e9078dd
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp13.conf
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// One zone transitioning to insecure, the other with allow-update,
+// with the same zone file.
+
+zone "example1.net" {
+	type master;
+	file "example.db";
+	dnssec-policy "insecure";
+};
+
+zone "example2.net" {
+	type master;
+	file "example.db";
+	allow-update { any; };
+};
+
diff --git a/bin/tests/system/checkconf/bad-kasp2.conf b/bin/tests/system/checkconf/bad-kasp2.conf
new file mode 100644
index 0000000..7f27906
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp2.conf
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "good-kasp.conf";
+
+// Bad zone configuration because this has dnssec-policy and other DNSSEC sign
+// configuration options (auto-dnssec).
+zone "example.net" {
+	type master;
+	file "example.db";
+	dnssec-policy "test";
+	auto-dnssec maintain;
+	allow-update { any; };
+};
diff --git a/bin/tests/system/checkconf/bad-kasp3.conf b/bin/tests/system/checkconf/bad-kasp3.conf
new file mode 100644
index 0000000..9e0c4b9
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp3.conf
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "good-kasp.conf";
+
+// Bad zone configuration because this has dnssec-policy with no matching
+// dnssec-policy configuration (good-kasp.conf has "test", zone refers to
+// "nosuchpolicy".
+zone "example.net" {
+	type master;
+	file "example.db";
+	dnssec-policy "nosuchpolicy";
+};
+
diff --git a/bin/tests/system/checkconf/bad-kasp4.conf b/bin/tests/system/checkconf/bad-kasp4.conf
new file mode 100644
index 0000000..b5aa470
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp4.conf
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// Bad kasp configuration because this has an invalid duration for
+// signatures-refresh.
+dnssec-policy "badduration" {
+	signatures-refresh PT20Sabcd;
+};
+
+zone "example.net" {
+	type master;
+	file "example.db";
+	dnssec-policy "badduration";
+};
+
diff --git a/bin/tests/system/checkconf/bad-kasp6.conf b/bin/tests/system/checkconf/bad-kasp6.conf
new file mode 100644
index 0000000..b05130c
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp6.conf
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// Two zones with dnssec-policy with the same zone file.
+
+zone "example1.net" {
+	type master;
+	file "example.db";
+	dnssec-policy "default";
+};
+
+zone "example2.net" {
+	type master;
+	file "example.db";
+	dnssec-policy "default";
+};
+
diff --git a/bin/tests/system/checkconf/bad-kasp7.conf b/bin/tests/system/checkconf/bad-kasp7.conf
new file mode 100644
index 0000000..05734a5
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp7.conf
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// Two zones with dnssec-policy 'insecure' (transitioning to insecure)
+// with the same zone file.
+
+zone "example1.net" {
+	type master;
+	file "example.db";
+	dnssec-policy "insecure";
+};
+
+zone "example2.net" {
+	type master;
+	file "example.db";
+	dnssec-policy "insecure";
+};
+
diff --git a/bin/tests/system/checkconf/bad-kasp8.conf b/bin/tests/system/checkconf/bad-kasp8.conf
new file mode 100644
index 0000000..fa27a40
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp8.conf
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// One zone with dnssec-policy, the other zone has 'dnssec-policy none',
+// both with the same zone file.
+
+zone "example1.net" {
+	type master;
+	file "example.db";
+	dnssec-policy "default";
+};
+
+zone "example2.net" {
+	type master;
+	file "example.db";
+	dnssec-policy "none";
+};
+
diff --git a/bin/tests/system/checkconf/bad-kasp9.conf b/bin/tests/system/checkconf/bad-kasp9.conf
new file mode 100644
index 0000000..a76436b
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp9.conf
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// One zone with dnssec-policy, the other zone has 'dnssec-policy insecure'
+// (transitioning to inseure), both with the same zone file.
+
+zone "example1.net" {
+	type master;
+	file "example.db";
+	dnssec-policy "default";
+};
+
+zone "example2.net" {
+	type master;
+	file "example.db";
+	dnssec-policy "insecure";
+};
+
diff --git a/bin/tests/system/checkconf/bad-keep-response-order.conf b/bin/tests/system/checkconf/bad-keep-response-order.conf
new file mode 100644
index 0000000..a3685d7
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-keep-response-order.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	keep-response-order {
+		does_not_exist;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-ksk-without-zsk.conf b/bin/tests/system/checkconf/bad-ksk-without-zsk.conf
new file mode 100644
index 0000000..66e1b7f
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-ksk-without-zsk.conf
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy ksk-without-zsk {
+	keys {
+		ksk lifetime 30d algorithm 13;
+	};
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+	dnssec-policy ksk-without-zsk;
+};
diff --git a/bin/tests/system/checkconf/bad-lifetime.conf b/bin/tests/system/checkconf/bad-lifetime.conf
new file mode 100644
index 0000000..f268076
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-lifetime.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	nta-lifetime 8d;
+};
diff --git a/bin/tests/system/checkconf/bad-lmdb-mapsize-bogus.conf b/bin/tests/system/checkconf/bad-lmdb-mapsize-bogus.conf
new file mode 100644
index 0000000..5655a16
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-lmdb-mapsize-bogus.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	lmdb-mapsize bogusvalue;
+};
diff --git a/bin/tests/system/checkconf/bad-lmdb-mapsize-toolarge.conf b/bin/tests/system/checkconf/bad-lmdb-mapsize-toolarge.conf
new file mode 100644
index 0000000..006ca7d
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-lmdb-mapsize-toolarge.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	lmdb-mapsize 2048G;
+};
diff --git a/bin/tests/system/checkconf/bad-lmdb-mapsize-toosmall.conf b/bin/tests/system/checkconf/bad-lmdb-mapsize-toosmall.conf
new file mode 100644
index 0000000..5dd1720
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-lmdb-mapsize-toosmall.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	lmdb-mapsize 1;
+};
diff --git a/bin/tests/system/checkconf/bad-lmdb-mapsize-unlimited.conf b/bin/tests/system/checkconf/bad-lmdb-mapsize-unlimited.conf
new file mode 100644
index 0000000..f1e7b88
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-lmdb-mapsize-unlimited.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	lmdb-mapsize unlimited;
+};
diff --git a/bin/tests/system/checkconf/bad-master-request-ixfr.conf b/bin/tests/system/checkconf/bad-master-request-ixfr.conf
new file mode 100644
index 0000000..19384b3
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-master-request-ixfr.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * request-ixfr clause is not allowed in zone of type master.
+ */
+
+zone dummy {
+	type master;
+	request-ixfr no;
+	file "xxxx";
+};
diff --git a/bin/tests/system/checkconf/bad-masters-dup.conf b/bin/tests/system/checkconf/bad-masters-dup.conf
new file mode 100644
index 0000000..ed761c9
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-masters-dup.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.net" {
+	type secondary;
+	primaries { 192.168.1.1; };
+	masters { 192.168.1.2; };
+};
diff --git a/bin/tests/system/checkconf/bad-maxcachettl.conf b/bin/tests/system/checkconf/bad-maxcachettl.conf
new file mode 100644
index 0000000..47f0643
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-maxcachettl.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view one {
+	max-cache-ttl 1x;
+};
diff --git a/bin/tests/system/checkconf/bad-maxncachettl-1.conf b/bin/tests/system/checkconf/bad-maxncachettl-1.conf
new file mode 100644
index 0000000..ad852c3
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-maxncachettl-1.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view one {
+	max-ncache-ttl 1x;
+};
diff --git a/bin/tests/system/checkconf/bad-maxncachettl-2.conf b/bin/tests/system/checkconf/bad-maxncachettl-2.conf
new file mode 100644
index 0000000..ada5c83
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-maxncachettl-2.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view two {
+	max-ncache-ttl 604801;
+};
diff --git a/bin/tests/system/checkconf/bad-maxncachettl-3.conf b/bin/tests/system/checkconf/bad-maxncachettl-3.conf
new file mode 100644
index 0000000..771a0f3
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-maxncachettl-3.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view three {
+	max-ncache-ttl 4000000000;
+};
+view four {
+	max-ncache-ttl -1;
+};
diff --git a/bin/tests/system/checkconf/bad-maxncachettl-4.conf b/bin/tests/system/checkconf/bad-maxncachettl-4.conf
new file mode 100644
index 0000000..d9cd939
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-maxncachettl-4.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view four {
+	max-ncache-ttl -1;
+};
diff --git a/bin/tests/system/checkconf/bad-maxratio1.conf b/bin/tests/system/checkconf/bad-maxratio1.conf
new file mode 100644
index 0000000..b6f6420
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-maxratio1.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone example {
+	type master;
+	masterfile-format map;
+	file "example.db";
+	max-ixfr-ratio 0.9;
+};
diff --git a/bin/tests/system/checkconf/bad-maxratio2.conf b/bin/tests/system/checkconf/bad-maxratio2.conf
new file mode 100644
index 0000000..54fec84
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-maxratio2.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone example {
+	type master;
+	masterfile-format map;
+	file "example.db";
+	max-ixfr-ratio 0%;
+};
diff --git a/bin/tests/system/checkconf/bad-maxttlmap.conf b/bin/tests/system/checkconf/bad-maxttlmap.conf
new file mode 100644
index 0000000..b2d8043
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-maxttlmap.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone example {
+	type master;
+	masterfile-format map;
+	file "example.db";
+	max-zone-ttl 3600;
+};
diff --git a/bin/tests/system/checkconf/bad-mincachettl.conf b/bin/tests/system/checkconf/bad-mincachettl.conf
new file mode 100644
index 0000000..cd02c66
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-mincachettl.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view one {
+	min-cache-ttl 1x;
+};
diff --git a/bin/tests/system/checkconf/bad-minncachettl.conf b/bin/tests/system/checkconf/bad-minncachettl.conf
new file mode 100644
index 0000000..1148bcc
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-minncachettl.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view one {
+	min-ncache-ttl 1x;
+};
diff --git a/bin/tests/system/checkconf/bad-mirror-allow-recursion-none.conf b/bin/tests/system/checkconf/bad-mirror-allow-recursion-none.conf
new file mode 100644
index 0000000..351b3dd
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-mirror-allow-recursion-none.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	recursion yes;
+	allow-recursion { none; };
+};
+
+zone "." {
+	type mirror;
+	masters { 127.0.0.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-mirror-explicit-notify-yes.conf b/bin/tests/system/checkconf/bad-mirror-explicit-notify-yes.conf
new file mode 100644
index 0000000..27ad850
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-mirror-explicit-notify-yes.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "." {
+	type mirror;
+	notify yes;
+};
diff --git a/bin/tests/system/checkconf/bad-mirror-non-root-zone-without-masters.conf b/bin/tests/system/checkconf/bad-mirror-non-root-zone-without-masters.conf
new file mode 100644
index 0000000..c9c8b03
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-mirror-non-root-zone-without-masters.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "foo." {
+	type mirror;
+};
diff --git a/bin/tests/system/checkconf/bad-mirror-recursion-no.conf b/bin/tests/system/checkconf/bad-mirror-recursion-no.conf
new file mode 100644
index 0000000..f5536ac
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-mirror-recursion-no.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	recursion no;
+};
+
+zone "." {
+	type mirror;
+};
diff --git a/bin/tests/system/checkconf/bad-mirror-zonename.conf b/bin/tests/system/checkconf/bad-mirror-zonename.conf
new file mode 100644
index 0000000..6fc11c1
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-mirror-zonename.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "\0example" {
+        type mirror;
+        file "example.db";
+};
diff --git a/bin/tests/system/checkconf/bad-noddns.conf b/bin/tests/system/checkconf/bad-noddns.conf
new file mode 100644
index 0000000..0e45c5c
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-noddns.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone example {
+	type master;
+	file "example.db";
+	auto-dnssec maintain;
+	allow-update { none; };
+};
diff --git a/bin/tests/system/checkconf/bad-notify-source-v6.conf b/bin/tests/system/checkconf/bad-notify-source-v6.conf
new file mode 100644
index 0000000..ef53c96
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-notify-source-v6.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	notify-source-v6 fd92:7065:b8e:ffff::1 port 5300;
+};
diff --git a/bin/tests/system/checkconf/bad-notify-source.conf b/bin/tests/system/checkconf/bad-notify-source.conf
new file mode 100644
index 0000000..b950784
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-notify-source.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	notify-source 10.53.0.1 port 5300;
+};
diff --git a/bin/tests/system/checkconf/bad-options-also-notify.conf b/bin/tests/system/checkconf/bad-options-also-notify.conf
new file mode 100644
index 0000000..74714f7
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-options-also-notify.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	also-notify { missing; };
+};
+
+zone "example.net" {
+	type slave;
+	masters { 192.168.1.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-def-options.conf b/bin/tests/system/checkconf/bad-parental-agents-def-options.conf
new file mode 100644
index 0000000..2091155
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-def-options.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	parental-agents { 192.168.1.2; };
+};
+
+zone "example.net" {
+	type primary;
+	file "example.net.db";
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-def-view.conf b/bin/tests/system/checkconf/bad-parental-agents-def-view.conf
new file mode 100644
index 0000000..47c062a
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-def-view.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view "test" {
+	parental-agents { 192.168.1.2; };
+	zone "example.net" {
+		type primary;
+		file "example.net.db";
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-def-view2.conf b/bin/tests/system/checkconf/bad-parental-agents-def-view2.conf
new file mode 100644
index 0000000..aa65a4d
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-def-view2.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view "test" {
+	parental-agents "net" {
+		192.168.1.2;
+	 };
+	zone "example.net" {
+		type primary;
+		file "example.net.db";
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-def-zone.conf b/bin/tests/system/checkconf/bad-parental-agents-def-zone.conf
new file mode 100644
index 0000000..e2a8389
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-def-zone.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.net" {
+	type primary;
+	file "example.net.db";
+	parental-agents "net" { 192.168.1.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-dup.conf b/bin/tests/system/checkconf/bad-parental-agents-dup.conf
new file mode 100644
index 0000000..cb5ac44
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-dup.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.net" {
+	type primary;
+	file "example.net.db";
+	parental-agents { 192.168.1.1; };
+	parental-agents { 192.168.1.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-dupdef.conf b/bin/tests/system/checkconf/bad-parental-agents-dupdef.conf
new file mode 100644
index 0000000..7ca88f7
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-dupdef.conf
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+parental-agents "net" {
+	192.168.1.1;
+};
+
+parental-agents "net" {
+	192.168.1.2;
+};
+
+zone "example.net" {
+	type primary;
+	file "example.net.db";
+	parental-agents { "net"; };
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-empty.conf b/bin/tests/system/checkconf/bad-parental-agents-empty.conf
new file mode 100644
index 0000000..f61de06
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-empty.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+parental-agents "net" { };
+
+zone "example.net" {
+	type primary;
+	file "example.net.db";
+	parental-agents { "net"; };
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-empty2.conf b/bin/tests/system/checkconf/bad-parental-agents-empty2.conf
new file mode 100644
index 0000000..93b8f7b
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-empty2.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.net" {
+	type primary;
+	file "example.net.db";
+	parental-agents { };
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-mirror.conf b/bin/tests/system/checkconf/bad-parental-agents-mirror.conf
new file mode 100644
index 0000000..62926e2
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-mirror.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "." {
+	type mirror;
+	file "root.mirror";
+	parental-agents { 192.168.1.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-notfound.conf b/bin/tests/system/checkconf/bad-parental-agents-notfound.conf
new file mode 100644
index 0000000..98075c4
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-notfound.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+parental-agents "com" {
+	192.168.1.2;
+};
+
+zone "example.net" {
+	type primary;
+	file "example.net.db";
+	parental-agents { "net"; };
+};
diff --git a/bin/tests/system/checkconf/bad-parental-source-v6.conf b/bin/tests/system/checkconf/bad-parental-source-v6.conf
new file mode 100644
index 0000000..1b053d0
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-source-v6.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	parental-source-v6 fd92:7065:b8e:ffff::1 port 5300;
+};
diff --git a/bin/tests/system/checkconf/bad-parental-source.conf b/bin/tests/system/checkconf/bad-parental-source.conf
new file mode 100644
index 0000000..9587b3e
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-source.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	parental-source 10.53.0.1 port 5300;
+};
diff --git a/bin/tests/system/checkconf/bad-port.conf b/bin/tests/system/checkconf/bad-port.conf
new file mode 100644
index 0000000..9650c8f
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-port.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 99999;
+};
diff --git a/bin/tests/system/checkconf/bad-primaries-key.conf b/bin/tests/system/checkconf/bad-primaries-key.conf
new file mode 100644
index 0000000..f592293
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-primaries-key.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone example {
+        type secondary;
+        primaries { 1.2.3.4 key a..b; };
+};
diff --git a/bin/tests/system/checkconf/bad-primaries-notfound.conf b/bin/tests/system/checkconf/bad-primaries-notfound.conf
new file mode 100644
index 0000000..4640098
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-primaries-notfound.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+primaries "net" {
+	 192.168.1.2;
+};
+
+zone "example.net" {
+	type secondary;
+	primaries { "foo"; };
+};
diff --git a/bin/tests/system/checkconf/bad-printtime.conf b/bin/tests/system/checkconf/bad-printtime.conf
new file mode 100644
index 0000000..80a53cb
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-printtime.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+logging {
+	channel one {
+		file "one.out";
+		print-time bogus;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-rate-limit-acl.conf b/bin/tests/system/checkconf/bad-rate-limit-acl.conf
new file mode 100644
index 0000000..06543fb
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rate-limit-acl.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	rate-limit {
+		responses-per-second 10;
+		exempt-clients { localhost; localnets; unknownacl; };
+		log-only yes;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-rate-limit-all-per-second.conf b/bin/tests/system/checkconf/bad-rate-limit-all-per-second.conf
new file mode 100644
index 0000000..aae353e
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rate-limit-all-per-second.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	rate-limit {
+		all-per-second 1001; // greater than DNS_RRL_MAX_RATE
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-rate-limit-errors-per-second.conf b/bin/tests/system/checkconf/bad-rate-limit-errors-per-second.conf
new file mode 100644
index 0000000..b2c6097
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rate-limit-errors-per-second.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	rate-limit {
+		errors-per-second 1001; // greater than DNS_RRL_MAX_RATE
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-rate-limit-ipv4-prefix-length.conf b/bin/tests/system/checkconf/bad-rate-limit-ipv4-prefix-length.conf
new file mode 100644
index 0000000..b728575
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rate-limit-ipv4-prefix-length.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	rate-limit {
+		ipv4-prefix-length 33;	// greater than bits in address
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-rate-limit-ipv6-prefix-length.conf b/bin/tests/system/checkconf/bad-rate-limit-ipv6-prefix-length.conf
new file mode 100644
index 0000000..6b5fda5
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rate-limit-ipv6-prefix-length.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	rate-limit {
+		ipv6-prefix-length 65; // max 64
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-rate-limit-max-table-size.conf b/bin/tests/system/checkconf/bad-rate-limit-max-table-size.conf
new file mode 100644
index 0000000..95309db
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rate-limit-max-table-size.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	rate-limit {
+		max-table-size 30;	// less than min-table-size default of 500
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-rate-limit-nodata-per-second.conf b/bin/tests/system/checkconf/bad-rate-limit-nodata-per-second.conf
new file mode 100644
index 0000000..ecfb5f8
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rate-limit-nodata-per-second.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	rate-limit {
+		nodata-per-second 1001; // greater than DNS_RRL_MAX_RATE
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-rate-limit-nxdomains-per-second.conf b/bin/tests/system/checkconf/bad-rate-limit-nxdomains-per-second.conf
new file mode 100644
index 0000000..77c5749
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rate-limit-nxdomains-per-second.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	rate-limit {
+		nxdomains-per-second 1001; // greater than DNS_RRL_MAX_RATE
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-rate-limit-qps-scale.conf b/bin/tests/system/checkconf/bad-rate-limit-qps-scale.conf
new file mode 100644
index 0000000..0dc4532
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rate-limit-qps-scale.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	rate-limit {
+		qps-scale 0; // must be greater than zero
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-rate-limit-referrals-per-second.conf b/bin/tests/system/checkconf/bad-rate-limit-referrals-per-second.conf
new file mode 100644
index 0000000..0ea4836
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rate-limit-referrals-per-second.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	rate-limit {
+		referrals-per-second 1001; // greater than DNS_RRL_MAX_RATE
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-rate-limit-responses-per-second.conf b/bin/tests/system/checkconf/bad-rate-limit-responses-per-second.conf
new file mode 100644
index 0000000..8187244
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rate-limit-responses-per-second.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	rate-limit {
+		responses-per-second 1001; // greater than DNS_RRL_MAX_RATE
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-rate-limit-slip.conf b/bin/tests/system/checkconf/bad-rate-limit-slip.conf
new file mode 100644
index 0000000..15d270c
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rate-limit-slip.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	rate-limit {
+		slip 11; // greater than default of 10
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-rate-limit-window.conf b/bin/tests/system/checkconf/bad-rate-limit-window.conf
new file mode 100644
index 0000000..7ded786
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rate-limit-window.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	rate-limit {
+		window 3601; // greater than default of 3600
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-root-mixed-key.conf b/bin/tests/system/checkconf/bad-root-mixed-key.conf
new file mode 100644
index 0000000..7035066
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-root-mixed-key.conf
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+	# This key (19036) is to be phased out starting in 2017. It will
+	# remain in the root zone for some time after its successor key
+	# has been added. It will remain this file until it is removed from
+	# the root zone.
+	. static-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
+		FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
+		bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
+		X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
+		W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
+		Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
+		QxA+Uk1ihz0=";
+
+	# This key (20326) was published in the root zone in 2017.
+	# Servers which were already using the old key (19036) should
+	# roll seamlessly to this new one via RFC 5011 rollover. Servers
+	# being set up for the first time can use the contents of this
+	# file as initializing keys; thereafter, the keys in the
+	# managed key database will be trusted and maintained
+	# automatically.
+	. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+		+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+		ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+		0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+		oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+		RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+		R1AkUTV74bU=";
+};
diff --git a/bin/tests/system/checkconf/bad-rpz-too-many-zones.conf b/bin/tests/system/checkconf/bad-rpz-too-many-zones.conf
new file mode 100644
index 0000000..9861529
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rpz-too-many-zones.conf
@@ -0,0 +1,148 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	response-policy {
+		zone "max1";
+		zone "max2";
+		zone "max3";
+		zone "max4";
+		zone "max5";
+		zone "max6";
+		zone "max7";
+		zone "max8";
+		zone "max9";
+		zone "max10";
+		zone "max11";
+		zone "max12";
+		zone "max13";
+		zone "max14";
+		zone "max15";
+		zone "max16";
+		zone "max17";
+		zone "max18";
+		zone "max19";
+		zone "max20";
+		zone "max21";
+		zone "max22";
+		zone "max23";
+		zone "max24";
+		zone "max25";
+		zone "max26";
+		zone "max27";
+		zone "max28";
+		zone "max29";
+		zone "max30";
+		zone "max31";
+		zone "max32";
+		zone "max33";
+		zone "max34";
+		zone "max35";
+		zone "max36";
+		zone "max37";
+		zone "max38";
+		zone "max39";
+		zone "max40";
+		zone "max41";
+		zone "max42";
+		zone "max43";
+		zone "max44";
+		zone "max45";
+		zone "max46";
+		zone "max47";
+		zone "max48";
+		zone "max49";
+		zone "max50";
+		zone "max51";
+		zone "max52";
+		zone "max53";
+		zone "max54";
+		zone "max55";
+		zone "max56";
+		zone "max57";
+		zone "max58";
+		zone "max59";
+		zone "max60";
+		zone "max61";
+		zone "max62";
+		zone "max63";
+		zone "max64";
+		zone "max65";
+	};
+};
+
+zone "max1" { type master; file "rpz.db"; };
+zone "max2" { type master; file "rpz.db"; };
+zone "max3" { type master; file "rpz.db"; };
+zone "max4" { type master; file "rpz.db"; };
+zone "max5" { type master; file "rpz.db"; };
+zone "max6" { type master; file "rpz.db"; };
+zone "max7" { type master; file "rpz.db"; };
+zone "max8" { type master; file "rpz.db"; };
+zone "max9" { type master; file "rpz.db"; };
+zone "max10" { type master; file "rpz.db"; };
+zone "max11" { type master; file "rpz.db"; };
+zone "max12" { type master; file "rpz.db"; };
+zone "max13" { type master; file "rpz.db"; };
+zone "max14" { type master; file "rpz.db"; };
+zone "max15" { type master; file "rpz.db"; };
+zone "max16" { type master; file "rpz.db"; };
+zone "max17" { type master; file "rpz.db"; };
+zone "max18" { type master; file "rpz.db"; };
+zone "max19" { type master; file "rpz.db"; };
+zone "max20" { type master; file "rpz.db"; };
+zone "max21" { type master; file "rpz.db"; };
+zone "max22" { type master; file "rpz.db"; };
+zone "max23" { type master; file "rpz.db"; };
+zone "max24" { type master; file "rpz.db"; };
+zone "max25" { type master; file "rpz.db"; };
+zone "max26" { type master; file "rpz.db"; };
+zone "max27" { type master; file "rpz.db"; };
+zone "max28" { type master; file "rpz.db"; };
+zone "max29" { type master; file "rpz.db"; };
+zone "max30" { type master; file "rpz.db"; };
+zone "max31" { type master; file "rpz.db"; };
+zone "max32" { type master; file "rpz.db"; };
+zone "max33" { type master; file "rpz.db"; };
+zone "max34" { type master; file "rpz.db"; };
+zone "max35" { type master; file "rpz.db"; };
+zone "max36" { type master; file "rpz.db"; };
+zone "max37" { type master; file "rpz.db"; };
+zone "max38" { type master; file "rpz.db"; };
+zone "max39" { type master; file "rpz.db"; };
+zone "max40" { type master; file "rpz.db"; };
+zone "max41" { type master; file "rpz.db"; };
+zone "max42" { type master; file "rpz.db"; };
+zone "max43" { type master; file "rpz.db"; };
+zone "max44" { type master; file "rpz.db"; };
+zone "max45" { type master; file "rpz.db"; };
+zone "max46" { type master; file "rpz.db"; };
+zone "max47" { type master; file "rpz.db"; };
+zone "max48" { type master; file "rpz.db"; };
+zone "max49" { type master; file "rpz.db"; };
+zone "max50" { type master; file "rpz.db"; };
+zone "max51" { type master; file "rpz.db"; };
+zone "max52" { type master; file "rpz.db"; };
+zone "max53" { type master; file "rpz.db"; };
+zone "max54" { type master; file "rpz.db"; };
+zone "max55" { type master; file "rpz.db"; };
+zone "max56" { type master; file "rpz.db"; };
+zone "max57" { type master; file "rpz.db"; };
+zone "max58" { type master; file "rpz.db"; };
+zone "max59" { type master; file "rpz.db"; };
+zone "max60" { type master; file "rpz.db"; };
+zone "max61" { type master; file "rpz.db"; };
+zone "max62" { type master; file "rpz.db"; };
+zone "max63" { type master; file "rpz.db"; };
+zone "max64" { type master; file "rpz.db"; };
+zone "max65" { type master; file "rpz.db"; };
diff --git a/bin/tests/system/checkconf/bad-rpz-ttl.conf b/bin/tests/system/checkconf/bad-rpz-ttl.conf
new file mode 100644
index 0000000..d54bba9
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rpz-ttl.conf
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com." {
+	type master;
+	file "example.com.zone";
+};
+
+options {
+	response-policy {
+		zone "example.com." policy given;
+	}
+		max-policy-ttl 1x;
+};
diff --git a/bin/tests/system/checkconf/bad-rpz-update.conf b/bin/tests/system/checkconf/bad-rpz-update.conf
new file mode 100644
index 0000000..304b46c
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rpz-update.conf
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com." {
+	type master;
+	file "example.com.zone";
+};
+
+options {
+	response-policy {
+		zone "example.com."
+			policy given
+			min-update-interval 5x;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-rpz-zone.conf b/bin/tests/system/checkconf/bad-rpz-zone.conf
new file mode 100644
index 0000000..4aadc61
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rpz-zone.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	response-policy {
+		zone "nonexistent";
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-sharedwritable1.conf b/bin/tests/system/checkconf/bad-sharedwritable1.conf
new file mode 100644
index 0000000..e646b91
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-sharedwritable1.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone a {
+	type master;
+	file "shared.db";
+};
+zone b {
+	type slave;
+	file "shared.db";
+	masters { 1.2.3.4; };
+};
diff --git a/bin/tests/system/checkconf/bad-sharedwritable2.conf b/bin/tests/system/checkconf/bad-sharedwritable2.conf
new file mode 100644
index 0000000..2224053
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-sharedwritable2.conf
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone a {
+	type slave;
+	file "shared.db";
+	masters { 1.2.3.4; };
+};
+zone b {
+	type slave;
+	file "shared.db";
+	masters { 1.2.3.4; };
+};
diff --git a/bin/tests/system/checkconf/bad-sharedzone1.conf b/bin/tests/system/checkconf/bad-sharedzone1.conf
new file mode 100644
index 0000000..a8255ad
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-sharedzone1.conf
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view "first" {
+	match-clients {
+		"none";
+	};
+	zone "clone" {
+		type master;
+		file "xxx";
+	};
+};
+view "second" {
+	match-clients {
+		"any";
+	};
+	zone "clone" {
+		in-view "first";
+		type slave;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-sharedzone2.conf b/bin/tests/system/checkconf/bad-sharedzone2.conf
new file mode 100644
index 0000000..fbe601a
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-sharedzone2.conf
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view "first" {
+	match-clients {
+		"none";
+	};
+	zone "clone" {
+		type master;
+		file "xxx";
+	};
+};
+view "second" {
+	match-clients {
+		"any";
+	};
+	zone "clone" {
+		in-view "first";
+		forward only;
+		forwarders { 10.0.0.100; };
+		type slave;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-sharedzone3.conf b/bin/tests/system/checkconf/bad-sharedzone3.conf
new file mode 100644
index 0000000..2adc554
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-sharedzone3.conf
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view first {
+	zone shared.example {
+		in-view second;
+	};
+};
+
+view second {
+	zone shared.example {
+		type master;
+		file "shared.example.db";
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-sig-validity.conf b/bin/tests/system/checkconf/bad-sig-validity.conf
new file mode 100644
index 0000000..1744eba
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-sig-validity.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+    sig-validity-interval 5000;
+};
diff --git a/bin/tests/system/checkconf/bad-static-initial-1.conf b/bin/tests/system/checkconf/bad-static-initial-1.conf
new file mode 100644
index 0000000..91a5c10
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-static-initial-1.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+	example. initial-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
+	example. static-ds 60724 5 2 "29E79B9064EE1A11DF3BFF19581DDFED7952C22CC204ACE17B6007EB1437E9E6";
+};
diff --git a/bin/tests/system/checkconf/bad-static-initial-2.conf b/bin/tests/system/checkconf/bad-static-initial-2.conf
new file mode 100644
index 0000000..3b4754d
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-static-initial-2.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+	example. initial-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
+        example. static-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
+};
diff --git a/bin/tests/system/checkconf/bad-static-initial-3.conf b/bin/tests/system/checkconf/bad-static-initial-3.conf
new file mode 100644
index 0000000..c396d9c
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-static-initial-3.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+	example. static-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
+        example. initial-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
+};
diff --git a/bin/tests/system/checkconf/bad-static-initial-4.conf b/bin/tests/system/checkconf/bad-static-initial-4.conf
new file mode 100644
index 0000000..2170d52
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-static-initial-4.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+        example. initial-key 257 3 5 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafGtURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJYkYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJfpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaSWG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjINQyrszHhWUU=";
+        example. static-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
+};
diff --git a/bin/tests/system/checkconf/bad-stub-masters-dialup.conf b/bin/tests/system/checkconf/bad-stub-masters-dialup.conf
new file mode 100644
index 0000000..9944e82
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-stub-masters-dialup.conf
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+controls { /* empty */ };
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port 5300;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	heartbeat-interval 2;
+	recursion no;
+};
+zone "." {
+	type hint;
+	file "hint";
+};
+zone "example." {
+	type stub;
+	dialup notify;
+	notify no;
+	file "example.bk";
+	// masters { 10.53.0.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-transfer-source-v6.conf b/bin/tests/system/checkconf/bad-transfer-source-v6.conf
new file mode 100644
index 0000000..da182ff
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-transfer-source-v6.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	transfer-source-v6 fd92:7065:b8e:ffff::1 port 5300;
+};
diff --git a/bin/tests/system/checkconf/bad-transfer-source.conf b/bin/tests/system/checkconf/bad-transfer-source.conf
new file mode 100644
index 0000000..315c410
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-transfer-source.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	transfer-source 10.53.0.1 port 5300;
+};
diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf
new file mode 100644
index 0000000..4af25b0
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-tsig.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* Bad secret */
+key "badtsig" {
+	algorithm hmac-md5;
+	secret "jEdD+BPKg==";
+};
+
diff --git a/bin/tests/system/checkconf/bad-unpaired-keys.conf b/bin/tests/system/checkconf/bad-unpaired-keys.conf
new file mode 100644
index 0000000..63b6dc2
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-unpaired-keys.conf
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy unpaired-keys {
+	keys {
+		/* zsk without ksk */
+		zsk lifetime 30d algorithm 13;
+		/* ksk without zsk */
+		ksk lifetime 30d algorithm 7;
+	};
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+	dnssec-policy unpaired-keys;
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy1.conf b/bin/tests/system/checkconf/bad-update-policy1.conf
new file mode 100644
index 0000000..6eedd9d
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy1.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type master;
+	file "example.com.db";
+	update-policy {
+		grant * self TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy10.conf b/bin/tests/system/checkconf/bad-update-policy10.conf
new file mode 100644
index 0000000..29ed061
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy10.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type master;
+	file "example.com.db";
+	update-policy {
+		grant * krb5-selfsub TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy11.conf b/bin/tests/system/checkconf/bad-update-policy11.conf
new file mode 100644
index 0000000..8f9e873
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy11.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type master;
+	file "example.com.db";
+	update-policy {
+		grant * ms-selfsub TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy12.conf b/bin/tests/system/checkconf/bad-update-policy12.conf
new file mode 100644
index 0000000..1d42cdc
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy12.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type master;
+	file "example.com.db";
+	update-policy {
+		grant * external TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy13.conf b/bin/tests/system/checkconf/bad-update-policy13.conf
new file mode 100644
index 0000000..38973f6
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy13.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type master;
+	file "example.com.db";
+	update-policy {
+		grant a-key-name name TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy14.conf b/bin/tests/system/checkconf/bad-update-policy14.conf
new file mode 100644
index 0000000..2cd0ef5
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy14.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type master;
+	file "example.com.db";
+	update-policy {
+		grant a-key-name subdomain TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy15.conf b/bin/tests/system/checkconf/bad-update-policy15.conf
new file mode 100644
index 0000000..a2a354a
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy15.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type master;
+	file "example.com.db";
+	update-policy {
+		grant a-key-name wildcard TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy2.conf b/bin/tests/system/checkconf/bad-update-policy2.conf
new file mode 100644
index 0000000..c83303f
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy2.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type master;
+	file "example.com.db";
+	update-policy {
+		grant * selfsub TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy3.conf b/bin/tests/system/checkconf/bad-update-policy3.conf
new file mode 100644
index 0000000..4856adb
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy3.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type master;
+	file "example.com.db";
+	update-policy {
+		grant * selfwild TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy4.conf b/bin/tests/system/checkconf/bad-update-policy4.conf
new file mode 100644
index 0000000..4bf1f5c
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy4.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type master;
+	file "example.com.db";
+	update-policy {
+		grant * ms-self TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy5.conf b/bin/tests/system/checkconf/bad-update-policy5.conf
new file mode 100644
index 0000000..a1853f8
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy5.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type master;
+	file "example.com.db";
+	update-policy {
+		grant * krb5-self TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy6.conf b/bin/tests/system/checkconf/bad-update-policy6.conf
new file mode 100644
index 0000000..b1ef09c
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy6.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type master;
+	file "example.com.db";
+	update-policy {
+		grant * ms-subdomain TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy7.conf b/bin/tests/system/checkconf/bad-update-policy7.conf
new file mode 100644
index 0000000..1469b94
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy7.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type master;
+	file "example.com.db";
+	update-policy {
+		grant * krb5-subdomain TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy8.conf b/bin/tests/system/checkconf/bad-update-policy8.conf
new file mode 100644
index 0000000..9e263ee
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy8.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type master;
+	file "example.com.db";
+	update-policy {
+		grant * tcp-self TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy9.conf b/bin/tests/system/checkconf/bad-update-policy9.conf
new file mode 100644
index 0000000..23fcb66
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy9.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type master;
+	file "example.com.db";
+	update-policy {
+		grant * 6to4-self TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-validation-auto-key.conf b/bin/tests/system/checkconf/bad-validation-auto-key.conf
new file mode 100644
index 0000000..bd6f547
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-validation-auto-key.conf
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dnssec-validation auto;
+};
+
+trust-anchors {
+	. static-key 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
+		y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
+		YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
+		2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuw
+		E60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/
+		Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn
+		6zqCkwuMmrU=";
+};
diff --git a/bin/tests/system/checkconf/bad-view-also-notify.conf b/bin/tests/system/checkconf/bad-view-also-notify.conf
new file mode 100644
index 0000000..6dd9a4c
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-view-also-notify.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view example {
+	also-notify { missing; };
+	zone "example.net" {
+		type slave;
+		masters { 192.168.1.1; };
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-zsk-without-ksk.conf b/bin/tests/system/checkconf/bad-zsk-without-ksk.conf
new file mode 100644
index 0000000..31b031c
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-zsk-without-ksk.conf
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy zsk-without-ksk {
+	keys {
+		zsk lifetime 30d algorithm 13;
+	};
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+	dnssec-policy zsk-without-ksk;
+};
diff --git a/bin/tests/system/checkconf/check-dup-records-fail.conf b/bin/tests/system/checkconf/check-dup-records-fail.conf
new file mode 100644
index 0000000..a655681
--- /dev/null
+++ b/bin/tests/system/checkconf/check-dup-records-fail.conf
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+  check-integrity yes; // default is yes
+};
+
+zone "check-dup-records" {
+  type master;
+  file "check-dup-records.db";
+  check-dup-records fail;
+};
+
diff --git a/bin/tests/system/checkconf/check-dup-records.db b/bin/tests/system/checkconf/check-dup-records.db
new file mode 100644
index 0000000..558686c
--- /dev/null
+++ b/bin/tests/system/checkconf/check-dup-records.db
@@ -0,0 +1,33 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600	; 10 minutes
+@		IN SOA	mname1. . (
+				1          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+			MX	10 mail
+
+mail			A	10.0.0.1
+ns2			A	10.53.0.2
+
+; following records are not de-duplicated
+; and will be matched by check-dup-records
+duplicate		HIP     ( 2 200100107B1A74DF365639CC39F1D578
+                                AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D
+                                rvs.example.com. )
+duplicate		HIP     ( 2 200100107B1A74DF365639CC39F1D578
+                                AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D
+                                RVS.example.com. )
diff --git a/bin/tests/system/checkconf/check-missing-zone.conf b/bin/tests/system/checkconf/check-missing-zone.conf
new file mode 100644
index 0000000..e33ad54
--- /dev/null
+++ b/bin/tests/system/checkconf/check-missing-zone.conf
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view missing {
+	zone missing.example {
+		type master;
+		file "missing.example.db";
+	};
+};
+
+view good {
+	zone shared.example {
+		type master;
+		file "shared.example.db";
+	};
+};
diff --git a/bin/tests/system/checkconf/check-mixed-keys.conf b/bin/tests/system/checkconf/check-mixed-keys.conf
new file mode 100644
index 0000000..1dd018d
--- /dev/null
+++ b/bin/tests/system/checkconf/check-mixed-keys.conf
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+	# This key (19036) is to be phased out starting in 2017. It will
+	# remain in the root zone for some time after its successor key
+	# has been added. It will remain this file until it is removed from
+	# the root zone.
+	. static-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
+		FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
+		bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
+		X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
+		W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
+		Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
+		QxA+Uk1ihz0=";
+};
+
+managed-keys {
+	# This key (20326) was published in the root zone in 2017.
+	# Servers which were already using the old key (19036) should
+	# roll seamlessly to this new one via RFC 5011 rollover. Servers
+	# being set up for the first time can use the contents of this
+	# file as initializing keys; thereafter, the keys in the
+	# managed key database will be trusted and maintained
+	# automatically.
+	. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+		+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+		ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+		0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+		oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+		RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+		R1AkUTV74bU=";
+};
diff --git a/bin/tests/system/checkconf/check-mx-cname-fail.conf b/bin/tests/system/checkconf/check-mx-cname-fail.conf
new file mode 100644
index 0000000..611fb2c
--- /dev/null
+++ b/bin/tests/system/checkconf/check-mx-cname-fail.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+  check-integrity yes; // default is yes
+};
+
+zone "check-mx-cname" {
+  type master;
+  file "check-mx-cname.db";
+  check-mx-cname fail;
+};
diff --git a/bin/tests/system/checkconf/check-mx-cname.db b/bin/tests/system/checkconf/check-mx-cname.db
new file mode 100644
index 0000000..dc30f08
--- /dev/null
+++ b/bin/tests/system/checkconf/check-mx-cname.db
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600	; 10 minutes
+@		IN SOA	mname1. . (
+				1          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+			MX	10 mail
+
+; MX points to a CNAME which is detected by check-mx-cname
+mail			CNAME	ns2
+
+ns2			A	10.53.0.2
diff --git a/bin/tests/system/checkconf/check-mx-fail.conf b/bin/tests/system/checkconf/check-mx-fail.conf
new file mode 100644
index 0000000..408b1b4
--- /dev/null
+++ b/bin/tests/system/checkconf/check-mx-fail.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+  check-integrity yes; // default is yes
+};
+
+zone "check-mx" {
+  type master;
+  file "check-mx.db";
+  check-mx fail;
+};
diff --git a/bin/tests/system/checkconf/check-mx.db b/bin/tests/system/checkconf/check-mx.db
new file mode 100644
index 0000000..dced644
--- /dev/null
+++ b/bin/tests/system/checkconf/check-mx.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600	; 10 minutes
+@		IN SOA	mname1. . (
+				1          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+; MX appears to be an address and will be detected by check-mx
+			MX	10 10.0.0.1
+
+ns2			A	10.53.0.2
diff --git a/bin/tests/system/checkconf/check-names-fail.conf b/bin/tests/system/checkconf/check-names-fail.conf
new file mode 100644
index 0000000..8137747
--- /dev/null
+++ b/bin/tests/system/checkconf/check-names-fail.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+  check-integrity yes; // default is yes
+};
+
+zone "check-names" {
+  type master;
+  file "check-names.db";
+  check-names fail;
+};
diff --git a/bin/tests/system/checkconf/check-names.db b/bin/tests/system/checkconf/check-names.db
new file mode 100644
index 0000000..0274ec9
--- /dev/null
+++ b/bin/tests/system/checkconf/check-names.db
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600	; 10 minutes
+@		IN SOA	mname1. . (
+				1          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+			MX	10 mail
+
+mail			A	10.0.0.1
+ns2			A	10.53.0.2
+
+; the RDATA of this record contains a name that may be considered
+; invalid and will be detected by check-names configuration.
+check-names		SRV	1 2 3 _underscore
diff --git a/bin/tests/system/checkconf/check-root-ksk-2010.conf b/bin/tests/system/checkconf/check-root-ksk-2010.conf
new file mode 100644
index 0000000..d422635
--- /dev/null
+++ b/bin/tests/system/checkconf/check-root-ksk-2010.conf
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+	# This key (19036) is to be phased out starting in 2017. It will
+	# remain in the root zone for some time after its successor key
+	# has been added. It will remain this file until it is removed from
+	# the root zone.
+	. initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
+		FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
+		bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
+		X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
+		W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
+		Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
+		QxA+Uk1ihz0=";
+};
diff --git a/bin/tests/system/checkconf/check-root-ksk-2017.conf b/bin/tests/system/checkconf/check-root-ksk-2017.conf
new file mode 100644
index 0000000..72f6fb4
--- /dev/null
+++ b/bin/tests/system/checkconf/check-root-ksk-2017.conf
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+	# This key (20326) was published in the root zone in 2017.
+	# Servers which were already using the old key (19036) should
+	# roll seamlessly to this new one via RFC 5011 rollover. Servers
+	# being set up for the first time can use the contents of this
+	# file as initializing keys; thereafter, the keys in the
+	# managed key database will be trusted and maintained
+	# automatically.
+	. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+		+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+		ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+		0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+		oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+		RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+		R1AkUTV74bU=";
+};
diff --git a/bin/tests/system/checkconf/check-root-ksk-both.conf b/bin/tests/system/checkconf/check-root-ksk-both.conf
new file mode 100644
index 0000000..88c308f
--- /dev/null
+++ b/bin/tests/system/checkconf/check-root-ksk-both.conf
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+	# This key (19036) is to be phased out starting in 2017. It will
+	# remain in the root zone for some time after its successor key
+	# has been added. It will remain this file until it is removed from
+	# the root zone.
+	. initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
+		FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
+		bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
+		X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
+		W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
+		Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
+		QxA+Uk1ihz0=";
+
+	# This key (20326) was published in the root zone in 2017.
+	# Servers which were already using the old key (19036) should
+	# roll seamlessly to this new one via RFC 5011 rollover. Servers
+	# being set up for the first time can use the contents of this
+	# file as initializing keys; thereafter, the keys in the
+	# managed key database will be trusted and maintained
+	# automatically.
+	. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+		+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+		ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+		0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+		oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+		RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+		R1AkUTV74bU=";
+};
diff --git a/bin/tests/system/checkconf/check-root-static-ds.conf b/bin/tests/system/checkconf/check-root-static-ds.conf
new file mode 100644
index 0000000..eb37b85
--- /dev/null
+++ b/bin/tests/system/checkconf/check-root-static-ds.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+        . static-ds 20326 8 2 "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D";
+};
diff --git a/bin/tests/system/checkconf/check-root-static-key.conf b/bin/tests/system/checkconf/check-root-static-key.conf
new file mode 100644
index 0000000..7be5304
--- /dev/null
+++ b/bin/tests/system/checkconf/check-root-static-key.conf
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+	# This key (20326) was published in the root zone in 2017.
+	# Servers which were already using the old key (19036) should
+	# roll seamlessly to this new one via RFC 5011 rollover. Servers
+	# being set up for the first time can use the contents of this
+	# file as initializing keys; thereafter, the keys in the
+	# managed key database will be trusted and maintained
+	# automatically.
+	. static-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+		+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+		ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+		0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+		oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+		RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+		R1AkUTV74bU=";
+};
diff --git a/bin/tests/system/checkconf/check-root-trusted-key.conf b/bin/tests/system/checkconf/check-root-trusted-key.conf
new file mode 100644
index 0000000..65261a8
--- /dev/null
+++ b/bin/tests/system/checkconf/check-root-trusted-key.conf
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trusted-keys {
+	# This key (20326) was published in the root zone in 2017.
+	# Servers which were already using the old key (19036) should
+	# roll seamlessly to this new one via RFC 5011 rollover. Servers
+	# being set up for the first time can use the contents of this
+	# file as initializing keys; thereafter, the keys in the
+	# managed key database will be trusted and maintained
+	# automatically.
+	. 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+		+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+		ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+		0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+		oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+		RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+		R1AkUTV74bU=";
+};
diff --git a/bin/tests/system/checkconf/check-srv-cname-fail.conf b/bin/tests/system/checkconf/check-srv-cname-fail.conf
new file mode 100644
index 0000000..e5f9349
--- /dev/null
+++ b/bin/tests/system/checkconf/check-srv-cname-fail.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+  check-integrity yes; // default is yes
+};
+
+zone "check-srv-cname" {
+  type master;
+  file "check-srv-cname.db";
+  check-srv-cname fail;
+};
diff --git a/bin/tests/system/checkconf/check-srv-cname.db b/bin/tests/system/checkconf/check-srv-cname.db
new file mode 100644
index 0000000..0671ab1
--- /dev/null
+++ b/bin/tests/system/checkconf/check-srv-cname.db
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600	; 10 minutes
+@		IN SOA	mname1. . (
+				1          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+			MX	10 mail
+
+mail			A	10.0.0.1
+ns2			A	10.53.0.2
+
+check-srv-cname		SRV	1 2 3 	target
+; SRV points to a CNAME which is detected by check-srv-cname configuration
+target			CNAME	mail
diff --git a/bin/tests/system/checkconf/check-wildcard-no.conf b/bin/tests/system/checkconf/check-wildcard-no.conf
new file mode 100644
index 0000000..beb641a
--- /dev/null
+++ b/bin/tests/system/checkconf/check-wildcard-no.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "check-wildcard" {
+  type primary;
+  file "check-wildcard.db";
+  check-wildcard no;
+};
diff --git a/bin/tests/system/checkconf/check-wildcard.conf b/bin/tests/system/checkconf/check-wildcard.conf
new file mode 100644
index 0000000..263f8b4
--- /dev/null
+++ b/bin/tests/system/checkconf/check-wildcard.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "check-wildcard" {
+  type primary;
+  file "check-wildcard.db";
+  check-wildcard yes;
+};
diff --git a/bin/tests/system/checkconf/check-wildcard.db b/bin/tests/system/checkconf/check-wildcard.db
new file mode 100644
index 0000000..1db5af0
--- /dev/null
+++ b/bin/tests/system/checkconf/check-wildcard.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600	; 10 minutes
+@		IN SOA	mname1. . (
+				1          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+ns2			A	10.53.0.2
+; an interior wildcard name
+foo.*			TXT	The owner name contains an interior wildcard
diff --git a/bin/tests/system/checkconf/clean.sh b/bin/tests/system/checkconf/clean.sh
new file mode 100644
index 0000000..0d6001d
--- /dev/null
+++ b/bin/tests/system/checkconf/clean.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f bad-kasp-keydir1.conf
+rm -f bad-kasp-keydir2.conf
+rm -f bad-kasp-keydir3.conf
+rm -f bad-kasp-keydir4.conf
+rm -f bad-kasp-keydir5.conf
+rm -f checkconf.out*
+rm -f diff.out*
+rm -f good-kasp.conf.in
+rm -f good-server-christmas-tree.conf
+rm -f good.conf.in good.conf.out badzero.conf *.out
+rm -f ns*/named.lock
+rm -rf test.keydir
diff --git a/bin/tests/system/checkconf/deprecated-masterfile-format-map.conf b/bin/tests/system/checkconf/deprecated-masterfile-format-map.conf
new file mode 100644
index 0000000..634ca14
--- /dev/null
+++ b/bin/tests/system/checkconf/deprecated-masterfile-format-map.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { ::1; };
+	masterfile-format map;
+};
diff --git a/bin/tests/system/checkconf/deprecated.conf b/bin/tests/system/checkconf/deprecated.conf
new file mode 100644
index 0000000..82a555d
--- /dev/null
+++ b/bin/tests/system/checkconf/deprecated.conf
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+server 1.2.3.4 {
+	query-source 10.10.10.10 dscp 10;
+};
+
+options {
+	dnssec-validation yes;
+	dscp 10;
+};
+
+trusted-keys {
+	fake.trusted. 257 3 8
+		"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
+		FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
+		bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
+		X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
+		W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
+		Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
+		QxA+Uk1ihz0=";
+};
+
+managed-keys {
+	fake.managed. initial-key 257 3 8
+		"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+		+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+		ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+		0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+		oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+		RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+		R1AkUTV74bU=";
+};
diff --git a/bin/tests/system/checkconf/dlz-bad.conf b/bin/tests/system/checkconf/dlz-bad.conf
new file mode 100644
index 0000000..b279ccf
--- /dev/null
+++ b/bin/tests/system/checkconf/dlz-bad.conf
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dlz one {
+	database "one";
+};
+
+dlz two {
+	database "two";
+	search no;
+};
+
+zone master {
+	type master;
+	database "none";
+	dlz two;
+};
diff --git a/bin/tests/system/checkconf/dnssec.1 b/bin/tests/system/checkconf/dnssec.1
new file mode 100644
index 0000000..ac79651
--- /dev/null
+++ b/bin/tests/system/checkconf/dnssec.1
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dnssec-enable no;
+};
diff --git a/bin/tests/system/checkconf/dnssec.2 b/bin/tests/system/checkconf/dnssec.2
new file mode 100644
index 0000000..6eaa372
--- /dev/null
+++ b/bin/tests/system/checkconf/dnssec.2
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ * 
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view view1 {
+	match-clients { any; };
+	dnssec-validation yes;
+};
+
+view view2 {
+	match-clients { none; };
+	dnssec-validation auto;
+};
+
+view view3 {
+	match-clients { none; };
+	auto-dnssec maintain;
+};
diff --git a/bin/tests/system/checkconf/dnssec.3 b/bin/tests/system/checkconf/dnssec.3
new file mode 100644
index 0000000..93b6ac2
--- /dev/null
+++ b/bin/tests/system/checkconf/dnssec.3
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view view1 {
+	match-clients { any; };
+};
+
+view view2 {
+	match-clients { none; };
+};
+
+view view3 {
+	match-clients { none; };
+	dnssec-validation auto;
+};
+
+view view4 {
+	match-clients { none; };
+};
+
+view view5 {
+	match-clients { none; };
+	auto-dnssec off;
+};
diff --git a/bin/tests/system/checkconf/dnssec.4 b/bin/tests/system/checkconf/dnssec.4
new file mode 100644
index 0000000..53e5d91
--- /dev/null
+++ b/bin/tests/system/checkconf/dnssec.4
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "test" {
+	type primary;
+	file "test.db";
+	auto-dnssec maintain;
+};
diff --git a/bin/tests/system/checkconf/good-acl.conf b/bin/tests/system/checkconf/good-acl.conf
new file mode 100644
index 0000000..be32923
--- /dev/null
+++ b/bin/tests/system/checkconf/good-acl.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl a {
+	{ "none"; };
+	{ !19.0.0.0/8; };
+};
+
+options {
+	allow-query { a; };
+};
diff --git a/bin/tests/system/checkconf/good-allow-update-forwarding-view.conf b/bin/tests/system/checkconf/good-allow-update-forwarding-view.conf
new file mode 100644
index 0000000..5bc9232
--- /dev/null
+++ b/bin/tests/system/checkconf/good-allow-update-forwarding-view.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view one {
+	allow-update-forwarding { any; };
+};
diff --git a/bin/tests/system/checkconf/good-allow-update-forwarding.conf b/bin/tests/system/checkconf/good-allow-update-forwarding.conf
new file mode 100644
index 0000000..d7e89be
--- /dev/null
+++ b/bin/tests/system/checkconf/good-allow-update-forwarding.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	allow-update-forwarding { any; };
+};
diff --git a/bin/tests/system/checkconf/good-allow-update-view.conf b/bin/tests/system/checkconf/good-allow-update-view.conf
new file mode 100644
index 0000000..da799a2
--- /dev/null
+++ b/bin/tests/system/checkconf/good-allow-update-view.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view one {
+	allow-update { any; };
+};
diff --git a/bin/tests/system/checkconf/good-allow-update.conf b/bin/tests/system/checkconf/good-allow-update.conf
new file mode 100644
index 0000000..6b7a67e
--- /dev/null
+++ b/bin/tests/system/checkconf/good-allow-update.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	allow-update { any; };
+};
diff --git a/bin/tests/system/checkconf/good-class.conf b/bin/tests/system/checkconf/good-class.conf
new file mode 100644
index 0000000..2f8c321
--- /dev/null
+++ b/bin/tests/system/checkconf/good-class.conf
@@ -0,0 +1,14 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view "example" class00 { };
diff --git a/bin/tests/system/checkconf/good-dnskey-validity-3660.conf b/bin/tests/system/checkconf/good-dnskey-validity-3660.conf
new file mode 100644
index 0000000..4e0a7ee
--- /dev/null
+++ b/bin/tests/system/checkconf/good-dnskey-validity-3660.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dnskey-sig-validity 3660;	/* maximum value 10 years */
+};
diff --git a/bin/tests/system/checkconf/good-dnskey-validity-zero.conf b/bin/tests/system/checkconf/good-dnskey-validity-zero.conf
new file mode 100644
index 0000000..5da41b8
--- /dev/null
+++ b/bin/tests/system/checkconf/good-dnskey-validity-zero.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dnskey-sig-validity 0;	/* 0 is disabled */
+};
diff --git a/bin/tests/system/checkconf/good-ds-key-1.conf b/bin/tests/system/checkconf/good-ds-key-1.conf
new file mode 100644
index 0000000..de7de84
--- /dev/null
+++ b/bin/tests/system/checkconf/good-ds-key-1.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+	example. initial-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
+        example. initial-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
+};
diff --git a/bin/tests/system/checkconf/good-ds-key-2.conf b/bin/tests/system/checkconf/good-ds-key-2.conf
new file mode 100644
index 0000000..060fb2f
--- /dev/null
+++ b/bin/tests/system/checkconf/good-ds-key-2.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+	example. static-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
+        example. static-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
+};
diff --git a/bin/tests/system/checkconf/good-dup-managed-key.conf b/bin/tests/system/checkconf/good-dup-managed-key.conf
new file mode 100644
index 0000000..2f91247
--- /dev/null
+++ b/bin/tests/system/checkconf/good-dup-managed-key.conf
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dnssec-validation yes;
+};
+
+trust-anchors {
+	example. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
+		25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
+		tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
+		kYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJ
+		fpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaS
+		WG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjI
+		NQyrszHhWUU=";
+	example. initial-key 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
+		y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
+		YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
+		2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuw
+		E60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/
+		Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn
+		6zqCkwuMmrU=";
+};
diff --git a/bin/tests/system/checkconf/good-dup-trusted-key.conf b/bin/tests/system/checkconf/good-dup-trusted-key.conf
new file mode 100644
index 0000000..46089c4
--- /dev/null
+++ b/bin/tests/system/checkconf/good-dup-trusted-key.conf
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dnssec-validation yes;
+};
+
+trusted-keys {
+	example. 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
+		25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
+		tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
+		kYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJ
+		fpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaS
+		WG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjI
+		NQyrszHhWUU=";
+	example. 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
+		y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
+		YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
+		2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuw
+		E60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/
+		Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn
+		6zqCkwuMmrU=";
+};
diff --git a/bin/tests/system/checkconf/good-glue-cache.conf b/bin/tests/system/checkconf/good-glue-cache.conf
new file mode 100644
index 0000000..fd5524b
--- /dev/null
+++ b/bin/tests/system/checkconf/good-glue-cache.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	glue-cache yes;
+};
diff --git a/bin/tests/system/checkconf/good-initial-ds.conf b/bin/tests/system/checkconf/good-initial-ds.conf
new file mode 100644
index 0000000..b54a2b3
--- /dev/null
+++ b/bin/tests/system/checkconf/good-initial-ds.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+	example. initial-ds 60724 5 2 "29E79B9064EE1A11DF3BFF19581DDFED7952C22CC204ACE17B6007EB1437E9E6";
+};
diff --git a/bin/tests/system/checkconf/good-interface-interval.conf b/bin/tests/system/checkconf/good-interface-interval.conf
new file mode 100644
index 0000000..60c50b3
--- /dev/null
+++ b/bin/tests/system/checkconf/good-interface-interval.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	interface-interval 1h;
+};
diff --git a/bin/tests/system/checkconf/good-kasp.conf b/bin/tests/system/checkconf/good-kasp.conf
new file mode 100644
index 0000000..1a12d9f
--- /dev/null
+++ b/bin/tests/system/checkconf/good-kasp.conf
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * This is just a random selection of DNSSEC configuration options.
+ */
+
+/* cut here */
+dnssec-policy "test" {
+	dnskey-ttl 3600;
+	keys {
+		ksk key-directory lifetime P1Y algorithm ecdsa256;
+		zsk lifetime P30D algorithm 13;
+		csk key-directory lifetime unlimited algorithm rsasha256 2048;
+	};
+	max-zone-ttl 86400;
+	nsec3param iterations 5 optout no salt-length 8;
+	parent-ds-ttl 7200;
+	parent-propagation-delay PT1H;
+	publish-safety PT3600S;
+	retire-safety PT3600S;
+	signatures-refresh P3D;
+	signatures-validity P2W;
+	signatures-validity-dnskey P14D;
+	zone-propagation-delay PT5M;
+};
+options {
+	dnssec-policy "default";
+};
+zone "example1" {
+	type master;
+	file "example1.db";
+	inline-signing yes;
+};
+zone "example2" {
+	type master;
+	file "example2.db";
+	allow-update {
+		"any";
+	};
+	dnssec-policy "test";
+};
+zone "example3" {
+	type master;
+	file "example3.db";
+	inline-signing yes;
+	dnssec-policy "default";
+};
+zone "dnssec-policy-none-shared-zonefile1" {
+	type master;
+	file "shared.db";
+	dnssec-policy "none";
+};
+zone "dnssec-policy-none-shared-zonefile2" {
+	type master;
+	file "shared.db";
+	dnssec-policy "none";
+};
diff --git a/bin/tests/system/checkconf/good-key-directory.conf b/bin/tests/system/checkconf/good-key-directory.conf
new file mode 100644
index 0000000..45befff
--- /dev/null
+++ b/bin/tests/system/checkconf/good-key-directory.conf
@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "internet" {
+  keys {
+    ksk   key-directory   lifetime unlimited   algorithm ecdsa256;
+    zsk   key-directory   lifetime P90D        algorithm ecdsa256;
+  };
+
+  nsec3param iterations 15 optout no salt-length 8;
+};
+
+dnssec-policy "intranet" {
+  keys {
+    ksk   key-directory   lifetime unlimited   algorithm ecdsa256;
+    zsk   key-directory   lifetime P30D        algorithm ecdsa256;
+  };
+  nsec3param iterations 15 optout no salt-length 8;
+};
+
+dnssec-policy "localhost" {
+  keys {
+    ksk   key-directory   lifetime unlimited   algorithm ecdsa256;
+    zsk   key-directory   lifetime P30D        algorithm ecdsa256;
+  };
+  nsec3param iterations 15 optout no salt-length 8;
+};
+
+options {
+    key-directory "global/keys";
+};
+
+view "localhost" {
+    match-clients { 127.0.0.1; ::1; };
+    zone "example.com" IN {
+        type primary;
+        file "localhost/example.com.zone";
+        dnssec-policy "localhost";
+        inline-signing yes;
+    };
+};
+
+view "external" {
+    match-clients { 0/0; };
+    key-directory "external/keys";
+    zone "example.com" IN {
+        type primary;
+        file "external/example.com.zone";
+        dnssec-policy "internet";
+        inline-signing yes;
+    };
+};
+
+view "internal" {
+    match-clients { ::/0; };
+    key-directory "internal/keys";
+    zone "example.com" IN {
+        type primary;
+        file "internal/example.com.zone";
+        dnssec-policy "intranet";
+        inline-signing yes;
+    };
+};
diff --git a/bin/tests/system/checkconf/good-lmdb-mapsize-largest.conf b/bin/tests/system/checkconf/good-lmdb-mapsize-largest.conf
new file mode 100644
index 0000000..a55b835
--- /dev/null
+++ b/bin/tests/system/checkconf/good-lmdb-mapsize-largest.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	lmdb-mapsize 1024G;
+};
diff --git a/bin/tests/system/checkconf/good-lmdb-mapsize-smallest.conf b/bin/tests/system/checkconf/good-lmdb-mapsize-smallest.conf
new file mode 100644
index 0000000..4478706
--- /dev/null
+++ b/bin/tests/system/checkconf/good-lmdb-mapsize-smallest.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	lmdb-mapsize 1M;
+};
diff --git a/bin/tests/system/checkconf/good-masterfile-format-raw.conf b/bin/tests/system/checkconf/good-masterfile-format-raw.conf
new file mode 100644
index 0000000..b6f3cbf
--- /dev/null
+++ b/bin/tests/system/checkconf/good-masterfile-format-raw.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { ::1; };
+	masterfile-format raw;
+};
diff --git a/bin/tests/system/checkconf/good-masterfile-format-text.conf b/bin/tests/system/checkconf/good-masterfile-format-text.conf
new file mode 100644
index 0000000..8138058
--- /dev/null
+++ b/bin/tests/system/checkconf/good-masterfile-format-text.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { ::1; };
+	masterfile-format text;
+};
diff --git a/bin/tests/system/checkconf/good-masters-and-primaries.conf b/bin/tests/system/checkconf/good-masters-and-primaries.conf
new file mode 100644
index 0000000..d84657f
--- /dev/null
+++ b/bin/tests/system/checkconf/good-masters-and-primaries.conf
@@ -0,0 +1,15 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+masters a { 1.2.3.4; };
+primaries b { 1.2.3.4; };
diff --git a/bin/tests/system/checkconf/good-maxcachettl.conf b/bin/tests/system/checkconf/good-maxcachettl.conf
new file mode 100644
index 0000000..58f6901
--- /dev/null
+++ b/bin/tests/system/checkconf/good-maxcachettl.conf
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view one {
+	max-cache-ttl 0;
+};
+view two {
+	max-cache-ttl 86400;
+};
+view three {
+	max-cache-ttl 4000000000;
+};
+view four {
+	max-cache-ttl 3600s;
+};
+view five {
+	max-cache-ttl 1h;
+};
+view six {
+	max-cache-ttl 1d;
+};
+view seven {
+	max-cache-ttl 1w;
+};
diff --git a/bin/tests/system/checkconf/good-maxncachettl.conf b/bin/tests/system/checkconf/good-maxncachettl.conf
new file mode 100644
index 0000000..80dc753
--- /dev/null
+++ b/bin/tests/system/checkconf/good-maxncachettl.conf
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view one {
+	max-ncache-ttl 0;
+};
+view two {
+	max-ncache-ttl 86400;
+};
+view three {
+	max-ncache-ttl 604800;
+};
+view four {
+	max-ncache-ttl 3600s;
+};
+view five {
+	max-ncache-ttl 1h;
+};
+view six {
+	max-ncache-ttl 1d;
+};
+view seven {
+	max-ncache-ttl 1w;
+};
diff --git a/bin/tests/system/checkconf/good-maxratio1.conf b/bin/tests/system/checkconf/good-maxratio1.conf
new file mode 100644
index 0000000..add6b1a
--- /dev/null
+++ b/bin/tests/system/checkconf/good-maxratio1.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone example {
+	type master;
+	masterfile-format map;
+	file "example.db";
+	max-ixfr-ratio 50%;
+};
diff --git a/bin/tests/system/checkconf/good-maxratio2.conf b/bin/tests/system/checkconf/good-maxratio2.conf
new file mode 100644
index 0000000..be61ae2
--- /dev/null
+++ b/bin/tests/system/checkconf/good-maxratio2.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone example {
+	type master;
+	masterfile-format map;
+	file "example.db";
+	max-ixfr-ratio unlimited;
+};
diff --git a/bin/tests/system/checkconf/good-mincachettl.conf b/bin/tests/system/checkconf/good-mincachettl.conf
new file mode 100644
index 0000000..b619a73
--- /dev/null
+++ b/bin/tests/system/checkconf/good-mincachettl.conf
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view one {
+	min-cache-ttl 0;
+};
+view two {
+	min-cache-ttl 30;
+};
+view three {
+	min-cache-ttl 60;
+};
+view four {
+	min-cache-ttl 90s;
+};
+view five {
+	min-cache-ttl 1m;
+};
diff --git a/bin/tests/system/checkconf/good-minncachettl.conf b/bin/tests/system/checkconf/good-minncachettl.conf
new file mode 100644
index 0000000..3e4101b
--- /dev/null
+++ b/bin/tests/system/checkconf/good-minncachettl.conf
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view one {
+	min-ncache-ttl 0;
+};
+view two {
+	min-ncache-ttl 30;
+};
+view three {
+	min-ncache-ttl 60;
+};
+view four {
+	min-ncache-ttl 90s;
+};
+view five {
+	min-ncache-ttl 1m;
+};
diff --git a/bin/tests/system/checkconf/good-mirror-inherited-notify-yes.conf b/bin/tests/system/checkconf/good-mirror-inherited-notify-yes.conf
new file mode 100644
index 0000000..09bbf94
--- /dev/null
+++ b/bin/tests/system/checkconf/good-mirror-inherited-notify-yes.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	notify yes;
+};
+
+zone "." {
+	type mirror;
+};
diff --git a/bin/tests/system/checkconf/good-mirror-root-zone-without-masters.conf b/bin/tests/system/checkconf/good-mirror-root-zone-without-masters.conf
new file mode 100644
index 0000000..9723b7a
--- /dev/null
+++ b/bin/tests/system/checkconf/good-mirror-root-zone-without-masters.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "." {
+	type mirror;
+};
diff --git a/bin/tests/system/checkconf/good-nested.conf b/bin/tests/system/checkconf/good-nested.conf
new file mode 100644
index 0000000..12a027c
--- /dev/null
+++ b/bin/tests/system/checkconf/good-nested.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl a { 127.0.0.1; ::1; };
+acl b { a; };
+acl c { !b; };
+
+options {
+	allow-query { c; };
+};
diff --git a/bin/tests/system/checkconf/good-notify-source-v6.conf b/bin/tests/system/checkconf/good-notify-source-v6.conf
new file mode 100644
index 0000000..797f966
--- /dev/null
+++ b/bin/tests/system/checkconf/good-notify-source-v6.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	notify-source-v6 fd92:7065:b8e:ffff::1;
+};
diff --git a/bin/tests/system/checkconf/good-notify-source.conf b/bin/tests/system/checkconf/good-notify-source.conf
new file mode 100644
index 0000000..6b97314
--- /dev/null
+++ b/bin/tests/system/checkconf/good-notify-source.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	notify-source 10.53.0.1;
+};
diff --git a/bin/tests/system/checkconf/good-options-also-notify.conf b/bin/tests/system/checkconf/good-options-also-notify.conf
new file mode 100644
index 0000000..75066ef
--- /dev/null
+++ b/bin/tests/system/checkconf/good-options-also-notify.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	also-notify { missing; };
+};
+
+zone "example.net" {
+	type slave;
+	notify no;
+	masters { 192.168.1.1; };
+};
diff --git a/bin/tests/system/checkconf/good-parental-source-v6.conf b/bin/tests/system/checkconf/good-parental-source-v6.conf
new file mode 100644
index 0000000..fe998f1
--- /dev/null
+++ b/bin/tests/system/checkconf/good-parental-source-v6.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	parental-source-v6 fd92:7065:b8e:ffff::1;
+};
diff --git a/bin/tests/system/checkconf/good-parental-source.conf b/bin/tests/system/checkconf/good-parental-source.conf
new file mode 100644
index 0000000..e45856a
--- /dev/null
+++ b/bin/tests/system/checkconf/good-parental-source.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	parental-source 10.53.0.1;
+};
diff --git a/bin/tests/system/checkconf/good-printtime.conf b/bin/tests/system/checkconf/good-printtime.conf
new file mode 100644
index 0000000..06bb7be
--- /dev/null
+++ b/bin/tests/system/checkconf/good-printtime.conf
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+logging {
+	channel one {
+		file "one.out";
+		print-time no;
+	};
+	channel two {
+		file "two.out";
+		print-time yes;
+	};
+	channel three {
+		file "three.out";
+		print-time local;
+	};
+	channel four {
+		file "four.out";
+		print-time iso8601;
+	};
+	channel five {
+		file "five.out";
+		print-time iso8601-utc;
+	};
+};
diff --git a/bin/tests/system/checkconf/good-response-dot.conf b/bin/tests/system/checkconf/good-response-dot.conf
new file mode 100644
index 0000000..68bd96e
--- /dev/null
+++ b/bin/tests/system/checkconf/good-response-dot.conf
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com." {
+	type master;
+	file "example.com.zone";
+};
+
+options {
+	response-policy {
+		zone "example.com." policy given;
+	};
+};
diff --git a/bin/tests/system/checkconf/good-rpz-ttl.conf b/bin/tests/system/checkconf/good-rpz-ttl.conf
new file mode 100644
index 0000000..b40a3d5
--- /dev/null
+++ b/bin/tests/system/checkconf/good-rpz-ttl.conf
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com." {
+	type master;
+	file "example.com.zone";
+};
+
+options {
+	response-policy {
+		zone "example.com." policy given;
+	}
+		max-policy-ttl 1h;
+};
diff --git a/bin/tests/system/checkconf/good-rpz-update.conf b/bin/tests/system/checkconf/good-rpz-update.conf
new file mode 100644
index 0000000..2ad6bc1
--- /dev/null
+++ b/bin/tests/system/checkconf/good-rpz-update.conf
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com." {
+	type master;
+	file "example.com.zone";
+};
+
+options {
+	response-policy {
+		zone "example.com."
+			policy given
+			min-update-interval 5m;
+	};
+};
diff --git a/bin/tests/system/checkconf/good-rrset-order-none.conf b/bin/tests/system/checkconf/good-rrset-order-none.conf
new file mode 100644
index 0000000..f0818ca
--- /dev/null
+++ b/bin/tests/system/checkconf/good-rrset-order-none.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	rrset-order {
+		order none;
+	};
+};
diff --git a/bin/tests/system/checkconf/good-static-ds.conf b/bin/tests/system/checkconf/good-static-ds.conf
new file mode 100644
index 0000000..be7412a
--- /dev/null
+++ b/bin/tests/system/checkconf/good-static-ds.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+	example. static-ds 60724 5 2 "29E79B9064EE1A11DF3BFF19581DDFED7952C22CC204ACE17B6007EB1437E9E6";
+};
diff --git a/bin/tests/system/checkconf/good-transfer-source-v6.conf b/bin/tests/system/checkconf/good-transfer-source-v6.conf
new file mode 100644
index 0000000..0527b85
--- /dev/null
+++ b/bin/tests/system/checkconf/good-transfer-source-v6.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	transfer-source-v6 fd92:7065:b8e:ffff::1;
+};
diff --git a/bin/tests/system/checkconf/good-transfer-source.conf b/bin/tests/system/checkconf/good-transfer-source.conf
new file mode 100644
index 0000000..df23d1c
--- /dev/null
+++ b/bin/tests/system/checkconf/good-transfer-source.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	transfer-source 10.53.0.1;
+};
diff --git a/bin/tests/system/checkconf/good-update-policy1.conf b/bin/tests/system/checkconf/good-update-policy1.conf
new file mode 100644
index 0000000..b696d8d
--- /dev/null
+++ b/bin/tests/system/checkconf/good-update-policy1.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type master;
+	file "example.com.db";
+	update-policy {
+		grant * self * TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/good-update-policy10.conf b/bin/tests/system/checkconf/good-update-policy10.conf
new file mode 100644
index 0000000..7035741
--- /dev/null
+++ b/bin/tests/system/checkconf/good-update-policy10.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type master;
+	file "example.com.db";
+	update-policy {
+		grant * krb5-subdomain . TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/good-update-policy11.conf b/bin/tests/system/checkconf/good-update-policy11.conf
new file mode 100644
index 0000000..8d1027f
--- /dev/null
+++ b/bin/tests/system/checkconf/good-update-policy11.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type master;
+	file "example.com.db";
+	update-policy {
+		grant * tcp-self . TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/good-update-policy12.conf b/bin/tests/system/checkconf/good-update-policy12.conf
new file mode 100644
index 0000000..10f1f3f
--- /dev/null
+++ b/bin/tests/system/checkconf/good-update-policy12.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type master;
+	file "example.com.db";
+	update-policy {
+		grant * 6to4-self . TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/good-update-policy2.conf b/bin/tests/system/checkconf/good-update-policy2.conf
new file mode 100644
index 0000000..06a35ab
--- /dev/null
+++ b/bin/tests/system/checkconf/good-update-policy2.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type master;
+	file "example.com.db";
+	update-policy {
+		grant * self . TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/good-update-policy3.conf b/bin/tests/system/checkconf/good-update-policy3.conf
new file mode 100644
index 0000000..1468a71
--- /dev/null
+++ b/bin/tests/system/checkconf/good-update-policy3.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type master;
+	file "example.com.db";
+	update-policy {
+		grant * selfsub . TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/good-update-policy4.conf b/bin/tests/system/checkconf/good-update-policy4.conf
new file mode 100644
index 0000000..6296bb2
--- /dev/null
+++ b/bin/tests/system/checkconf/good-update-policy4.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type master;
+	file "example.com.db";
+	update-policy {
+		grant * selfsub * TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/good-update-policy5.conf b/bin/tests/system/checkconf/good-update-policy5.conf
new file mode 100644
index 0000000..2c900bb
--- /dev/null
+++ b/bin/tests/system/checkconf/good-update-policy5.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type master;
+	file "example.com.db";
+	update-policy {
+		grant * selfwild * TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/good-update-policy6.conf b/bin/tests/system/checkconf/good-update-policy6.conf
new file mode 100644
index 0000000..e615812
--- /dev/null
+++ b/bin/tests/system/checkconf/good-update-policy6.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type master;
+	file "example.com.db";
+	update-policy {
+		grant * selfwild . TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/good-update-policy7.conf b/bin/tests/system/checkconf/good-update-policy7.conf
new file mode 100644
index 0000000..5beb004
--- /dev/null
+++ b/bin/tests/system/checkconf/good-update-policy7.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type master;
+	file "example.com.db";
+	update-policy {
+		grant * krb5-self . TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/good-update-policy8.conf b/bin/tests/system/checkconf/good-update-policy8.conf
new file mode 100644
index 0000000..496bc90
--- /dev/null
+++ b/bin/tests/system/checkconf/good-update-policy8.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type master;
+	file "example.com.db";
+	update-policy {
+		grant * ms-self . TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/good-update-policy9.conf b/bin/tests/system/checkconf/good-update-policy9.conf
new file mode 100644
index 0000000..691287a
--- /dev/null
+++ b/bin/tests/system/checkconf/good-update-policy9.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type master;
+	file "example.com.db";
+	update-policy {
+		grant * ms-subdomain . TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/good-view-also-notify.conf b/bin/tests/system/checkconf/good-view-also-notify.conf
new file mode 100644
index 0000000..2efb9b0
--- /dev/null
+++ b/bin/tests/system/checkconf/good-view-also-notify.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view example {
+	also-notify { missing; };
+	zone "example.net" {
+		type slave;
+		notify no;
+		masters { 192.168.1.1; };
+	};
+};
diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
new file mode 100644
index 0000000..0ecdb68
--- /dev/null
+++ b/bin/tests/system/checkconf/good.conf
@@ -0,0 +1,289 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * This is just a random selection of configuration options.
+ */
+
+/* cut here */
+dnssec-policy "test" {
+	dnskey-ttl 3600;
+	keys {
+		ksk key-directory lifetime P1Y algorithm 13 256;
+		zsk key-directory lifetime P30D algorithm 13;
+		csk key-directory lifetime P30D algorithm 8 2048;
+	};
+	max-zone-ttl 86400;
+	nsec3param ;
+	parent-ds-ttl 7200;
+	parent-propagation-delay PT1H;
+	publish-safety PT3600S;
+	purge-keys P90D;
+	retire-safety PT3600S;
+	signatures-refresh P3D;
+	signatures-validity P2W;
+	signatures-validity-dnskey P14D;
+	zone-propagation-delay PT5M;
+};
+options {
+	avoid-v4-udp-ports {
+		100;
+	};
+	avoid-v6-udp-ports {
+		100;
+	};
+	blackhole {
+		10.0.0.0/8;
+	};
+	coresize 1073741824;
+	datasize 104857600;
+	directory ".";
+	dscp 41;
+	dump-file "named_dumpdb";
+	files 1000;
+	heartbeat-interval 30;
+	hostname none;
+	interface-interval 30;
+	keep-response-order {
+		10.0.10.0/24;
+	};
+	listen-on port 90 {
+		"any";
+	};
+	listen-on port 100 dscp 33 {
+		127.0.0.1/32;
+	};
+	listen-on-v6 port 53 dscp 57 {
+		"none";
+	};
+	match-mapped-addresses yes;
+	memstatistics-file "named.memstats";
+	pid-file none;
+	port 5300;
+	querylog yes;
+	recursing-file "named.recursing";
+	recursive-clients 3000;
+	serial-query-rate 100;
+	server-id none;
+	update-quota 200;
+	check-names primary warn;
+	check-names secondary ignore;
+	max-cache-size 20000000000000;
+	nta-lifetime 604800;
+	nta-recheck 604800;
+	validate-except {
+		"corp";
+	};
+	dnssec-policy "test";
+	max-ixfr-ratio 90%;
+	transfer-source 0.0.0.0 dscp 63;
+	zone-statistics none;
+};
+parental-agents "parents" {
+	10.10.10.11;
+	10.10.10.12;
+};
+view "first" {
+	match-clients {
+		"none";
+	};
+	zone "example1" {
+		type master;
+		file "xxx";
+		update-policy local;
+		max-ixfr-ratio 20%;
+		notify-source 10.10.10.10 port 53 dscp 55;
+	};
+	zone "clone" {
+		type master;
+		file "yyy";
+		inline-signing yes;
+		max-ixfr-ratio unlimited;
+	};
+	dnssec-validation auto;
+	zone-statistics terse;
+};
+view "second" {
+	match-clients {
+		"any";
+	};
+	zone "example1" {
+		type master;
+		file "zzz";
+		update-policy local;
+		zone-statistics yes;
+	};
+	zone "example2" {
+		type static-stub;
+		forward only;
+		forwarders {
+			10.53.0.4;
+		};
+		zone-statistics no;
+	};
+	zone "example3" {
+		type static-stub;
+		server-addresses {
+			1.2.3.4;
+		};
+	};
+	zone "clone" {
+		in-view "first";
+	};
+	zone "." {
+		type redirect;
+		masters {
+			1.2.3.4;
+		};
+	};
+	dnssec-validation auto;
+	zone-statistics full;
+};
+view "third" {
+	match-clients {
+		"none";
+	};
+	zone "clone" {
+		in-view "first";
+		forward only;
+		forwarders {
+			10.0.0.100;
+		};
+	};
+	zone "dnssec" {
+		type master;
+		file "file";
+		allow-update {
+			"any";
+		};
+		dnssec-policy "default";
+	};
+	zone "p" {
+		type primary;
+		file "pfile";
+		inline-signing yes;
+	};
+	zone "s" {
+		type secondary;
+		file "sfile";
+		inline-signing yes;
+		masters {
+			1.2.3.4;
+		};
+		notify primary-only;
+	};
+};
+view "fourth" {
+	zone "dnssec-test" {
+		type master;
+		file "dnssec-test.db";
+		inline-signing yes;
+		parental-agents {
+			1.2.3.4;
+			1.2.3.5;
+		};
+		dnssec-policy "test";
+		parental-source 10.10.10.10 port 53 dscp 55;
+	};
+	zone "dnssec-default" {
+		type master;
+		file "dnssec-default.db";
+		inline-signing yes;
+		parental-agents {
+			"parents";
+		};
+		dnssec-policy "default";
+	};
+	zone "dnssec-inherit" {
+		type master;
+		file "dnssec-inherit.db";
+		inline-signing yes;
+	};
+	zone "dnssec-none" {
+		type master;
+		file "dnssec-none.db";
+		dnssec-policy "none";
+	};
+	zone "dnssec-view1" {
+		type master;
+		file "dnssec-view41.db";
+		inline-signing yes;
+		dnssec-policy "test";
+	};
+	zone "dnssec-view2" {
+		type master;
+		file "dnssec-view42.db";
+		inline-signing yes;
+	};
+	zone "dnssec-view3" {
+		type master;
+		file "dnssec-view43.db";
+		dnssec-policy "none";
+		key-directory "keys";
+	};
+	zone "dnssec-view4" {
+		type master;
+		file "dnssec-view44.db";
+		dnssec-policy "none";
+	};
+	dnssec-policy "default";
+	key-directory ".";
+};
+view "fifth" {
+	zone "dnssec-view1" {
+		type master;
+		file "dnssec-view51.db";
+		inline-signing yes;
+		dnssec-policy "test";
+	};
+	zone "dnssec-view2" {
+		type master;
+		file "dnssec-view52.db";
+		inline-signing yes;
+		dnssec-policy "test";
+		key-directory "keys";
+	};
+	zone "dnssec-view3" {
+		type master;
+		file "dnssec-view53.db";
+		inline-signing yes;
+		dnssec-policy "default";
+		key-directory "keys";
+	};
+	zone "dnssec-view4" {
+		type master;
+		file "dnssec-view54.db";
+		dnssec-policy "none";
+	};
+	key-directory ".";
+};
+view "chaos" chaos {
+	zone "hostname.bind" chaos {
+		type master;
+		database "_builtin hostname";
+		inline-signing yes;
+	};
+};
+dyndb "name" "library.so" {
+	this;
+	\};
+	is a {
+		"test" { \{ of; the; };
+	} bracketed;
+	"text \"";
+	system;
+};
+key "mykey" {
+	algorithm "hmac-md5";
+	secret "qwertyuiopasdfgh";
+};
diff --git a/bin/tests/system/checkconf/good.zonelist b/bin/tests/system/checkconf/good.zonelist
new file mode 100644
index 0000000..08a5665
--- /dev/null
+++ b/bin/tests/system/checkconf/good.zonelist
@@ -0,0 +1,24 @@
+example1 IN first master
+clone IN first master
+example1 IN second master
+example2 IN second static-stub
+example3 IN second static-stub
+clone IN second in-view first
+. IN second redirect
+clone IN third in-view first
+dnssec IN third master
+p IN third primary
+s IN third secondary
+dnssec-test IN fourth master
+dnssec-default IN fourth master
+dnssec-inherit IN fourth master
+dnssec-none IN fourth master
+dnssec-view1 IN fourth master
+dnssec-view2 IN fourth master
+dnssec-view3 IN fourth master
+dnssec-view4 IN fourth master
+dnssec-view1 IN fifth master
+dnssec-view2 IN fifth master
+dnssec-view3 IN fifth master
+dnssec-view4 IN fifth master
+hostname.bind chaos chaos master
diff --git a/bin/tests/system/checkconf/hint-nofile.conf b/bin/tests/system/checkconf/hint-nofile.conf
new file mode 100644
index 0000000..1d1dee2
--- /dev/null
+++ b/bin/tests/system/checkconf/hint-nofile.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "." {
+	type hint;
+	file "nonexistent.db";
+};
diff --git a/bin/tests/system/checkconf/in-view-good.conf b/bin/tests/system/checkconf/in-view-good.conf
new file mode 100644
index 0000000..afda587
--- /dev/null
+++ b/bin/tests/system/checkconf/in-view-good.conf
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view internal {
+	zone shared.example {
+		type master;
+		file "shared.example.db";
+	};
+};
+
+view external {
+	zone shared.example {
+		in-view internal;
+	};
+};
diff --git a/bin/tests/system/checkconf/inline-bad.conf b/bin/tests/system/checkconf/inline-bad.conf
new file mode 100644
index 0000000..2eb23a5
--- /dev/null
+++ b/bin/tests/system/checkconf/inline-bad.conf
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl "transferees" {};
+masters "stealthMasters" {127.0.0.1;};
+masters "publicSlaves" {127.0.0.1;};
+zone "example.net" {
+	type slave;
+	key-directory "/var/lib/bind/example.net";
+	auto-dnssec maintain;
+	inline-signing yes;
+	masters { stealthMasters; };
+	notify explicit;
+	also-notify { publicSlaves; };
+	allow-transfer { localhost; transferees; };
+};
+
diff --git a/bin/tests/system/checkconf/inline-good.conf b/bin/tests/system/checkconf/inline-good.conf
new file mode 100644
index 0000000..60c3b1e
--- /dev/null
+++ b/bin/tests/system/checkconf/inline-good.conf
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl "transferees" {};
+masters "stealthMasters" {127.0.0.1;};
+masters "publicSlaves" {127.0.0.1;};
+zone "example.net" {
+	type slave;
+	file "/var/cache/bind/example.net.db";
+	key-directory "/var/lib/bind/example.net";
+	auto-dnssec maintain;
+	inline-signing yes;
+	masters { stealthMasters; };
+	notify explicit;
+	also-notify { publicSlaves; };
+	allow-transfer { localhost; transferees; };
+};
+
diff --git a/bin/tests/system/checkconf/inline-no.conf b/bin/tests/system/checkconf/inline-no.conf
new file mode 100644
index 0000000..64657f9
--- /dev/null
+++ b/bin/tests/system/checkconf/inline-no.conf
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl "transferees" {};
+masters "stealthMasters" {127.0.0.1;};
+masters "publicSlaves" {127.0.0.1;};
+zone "example.net" {
+	type slave;
+	key-directory "/var/lib/bind/example.net";
+	auto-dnssec maintain;
+	inline-signing no;
+	masters { stealthMasters; };
+	notify explicit;
+	also-notify { publicSlaves; };
+	allow-transfer { localhost; transferees; };
+};
+
diff --git a/bin/tests/system/checkconf/kasp-and-other-dnssec-options.conf b/bin/tests/system/checkconf/kasp-and-other-dnssec-options.conf
new file mode 100644
index 0000000..6e86d90
--- /dev/null
+++ b/bin/tests/system/checkconf/kasp-and-other-dnssec-options.conf
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "good-kasp.conf";
+
+zone "nsec3.net" {
+	type master;
+	file "nsec3.db";
+	dnssec-policy "test";
+	auto-dnssec maintain;
+	dnskey-sig-validity 3600;
+	dnssec-dnskey-kskonly yes;
+	dnssec-secure-to-insecure yes;
+	dnssec-update-mode maintain;
+	inline-signing no;
+	sig-validity-interval 3600;
+	update-check-ksk yes;
+};
diff --git a/bin/tests/system/checkconf/kasp-bad-keylen.conf b/bin/tests/system/checkconf/kasp-bad-keylen.conf
new file mode 100644
index 0000000..7e3465f
--- /dev/null
+++ b/bin/tests/system/checkconf/kasp-bad-keylen.conf
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "bad-keylen" {
+	keys {
+		csk lifetime P10Y algorithm rsasha1 511;
+	};
+};
+
+zone "example.net" {
+	type master;
+	file "example.db";
+	dnssec-policy "bad-keylen";
+};
diff --git a/bin/tests/system/checkconf/kasp-bad-nsec3-alg.conf b/bin/tests/system/checkconf/kasp-bad-nsec3-alg.conf
new file mode 100644
index 0000000..474c1d8
--- /dev/null
+++ b/bin/tests/system/checkconf/kasp-bad-nsec3-alg.conf
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "bad-salt" {
+	keys {
+		csk lifetime unlimited algorithm rsasha1;
+	};
+	nsec3param ;
+};
+
+zone "example.net" {
+	type master;
+	file "example.db";
+	dnssec-policy "bad-salt";
+};
+
diff --git a/bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf b/bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf
new file mode 100644
index 0000000..2333ca7
--- /dev/null
+++ b/bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf
@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "rsasha1" {
+	keys {
+		csk lifetime P10Y algorithm nsec3rsasha1 1024;
+	};
+	nsec3param iterations 150;
+};
+
+dnssec-policy "rsasha1-bad" {
+	keys {
+		csk lifetime P10Y algorithm nsec3rsasha1 1024;
+	};
+	nsec3param iterations 151;
+};
+
+dnssec-policy "rsasha256" {
+	keys {
+		csk lifetime P10Y algorithm rsasha256 2048;
+	};
+	nsec3param iterations 150;
+};
+
+dnssec-policy "rsasha256-bad" {
+	keys {
+		csk lifetime P10Y algorithm rsasha256 2048;
+	};
+	nsec3param iterations 151;
+};
+
+dnssec-policy "rsasha512" {
+	keys {
+		csk lifetime P10Y algorithm rsasha512 4096;
+	};
+	nsec3param iterations 150;
+};
+
+dnssec-policy "rsasha512-bad" {
+	keys {
+		csk lifetime P10Y algorithm rsasha512 4096;
+	};
+	nsec3param iterations 151;
+};
+
+zone "example.net" {
+	type master;
+	file "example.db";
+	dnssec-policy "default";
+	inline-signing yes;
+};
diff --git a/bin/tests/system/checkconf/kasp-bad-nsec3-salt.conf b/bin/tests/system/checkconf/kasp-bad-nsec3-salt.conf
new file mode 100644
index 0000000..3465c39
--- /dev/null
+++ b/bin/tests/system/checkconf/kasp-bad-nsec3-salt.conf
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "bad-salt" {
+	nsec3param salt "pepper";
+};
+
+zone "example.net" {
+	type master;
+	file "example.db";
+	dnssec-policy "bad-salt";
+};
+
diff --git a/bin/tests/system/checkconf/kasp-ignore-keylen.conf b/bin/tests/system/checkconf/kasp-ignore-keylen.conf
new file mode 100644
index 0000000..b1f1af0
--- /dev/null
+++ b/bin/tests/system/checkconf/kasp-ignore-keylen.conf
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "warn-length" {
+	keys {
+		// Algorithm 13 has predefined length, warn about length param.
+		csk lifetime unlimited algorithm ecdsa256 2048;
+	};
+};
+
+zone "example.net" {
+	type master;
+	file "example.db";
+	dnssec-policy "warn-length";
+	inline-signing yes;
+};
+
diff --git a/bin/tests/system/checkconf/max-cache-size-good.conf b/bin/tests/system/checkconf/max-cache-size-good.conf
new file mode 100644
index 0000000..bb12775
--- /dev/null
+++ b/bin/tests/system/checkconf/max-cache-size-good.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	max-cache-size 60%;
+};
diff --git a/bin/tests/system/checkconf/max-ttl.conf b/bin/tests/system/checkconf/max-ttl.conf
new file mode 100644
index 0000000..ec97de5
--- /dev/null
+++ b/bin/tests/system/checkconf/max-ttl.conf
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	directory ".";
+	max-zone-ttl 600;
+};
+
+zone "maxttl1.example" {
+	type master;
+	file "maxttl-bad.db";
+};
+
+zone "maxttl2.example" {
+	type master;
+	file "maxttl-bad.db";
+	max-zone-ttl 300;
+};
+
+zone "maxttl3.example" {
+	type master;
+	file "maxttl-bad.db";
+	max-zone-ttl 120;
+};
diff --git a/bin/tests/system/checkconf/maxttl-bad.conf b/bin/tests/system/checkconf/maxttl-bad.conf
new file mode 100644
index 0000000..aa764be
--- /dev/null
+++ b/bin/tests/system/checkconf/maxttl-bad.conf
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	directory ".";
+	max-zone-ttl 8000w;
+};
+
+zone "maxttl.example" {
+	type master;
+	file "maxttl-bad.db";
+};
+
+
diff --git a/bin/tests/system/checkconf/maxttl-bad.db b/bin/tests/system/checkconf/maxttl-bad.db
new file mode 100644
index 0000000..978f0ec
--- /dev/null
+++ b/bin/tests/system/checkconf/maxttl-bad.db
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@                       IN SOA	mname1. . (
+				1          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+ns2			A	10.53.0.2
+			MX	10 mail
+
+a       600		A	10.0.0.1
+mail	900		A	10.0.0.2
diff --git a/bin/tests/system/checkconf/maxttl.db b/bin/tests/system/checkconf/maxttl.db
new file mode 100644
index 0000000..3ad695e
--- /dev/null
+++ b/bin/tests/system/checkconf/maxttl.db
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600	; 10 minutes
+@                       IN SOA	mname1. . (
+				1          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+ns2			A	10.53.0.2
+			MX	10 mail
+
+a			A	10.0.0.1
+mail			A	10.0.0.2
diff --git a/bin/tests/system/checkconf/notify.conf b/bin/tests/system/checkconf/notify.conf
new file mode 100644
index 0000000..d6e324a
--- /dev/null
+++ b/bin/tests/system/checkconf/notify.conf
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view one {
+	notify master-only;
+
+	# also-notify inconsistent with master-only notify option
+	zone "slave" {
+		type slave;
+		masters { 1.2.3.4; };
+		also-notify { 5.6.7.8; };
+	};
+
+	# OK
+	zone "master" {
+		type master;
+		file "filename";
+		also-notify { 5.6.7.8; };
+	};
+};
+
+view two {
+	notify no;
+
+	# also-notify inconsistent with notify option at the view level
+	zone "slave" {
+		type slave;
+		masters { 1.2.3.4; };
+		also-notify { 5.6.7.8; };
+	};
+
+	# OK
+	zone "master" {
+		type master;
+		file "filename";
+		notify yes;
+		also-notify { 5.6.7.8; };
+	};
+};
+
+view three {
+	# also-notify inconsistent with notify option at the zone level
+	zone "slave" {
+		type slave;
+		masters { 1.2.3.4; };
+		notify no;
+		also-notify { 5.6.7.8; };
+	};
+
+	# OK
+	zone "master" {
+		type master;
+		file "filename";
+		also-notify { 5.6.7.8; };
+	};
+};
+
+view four {
+	also-notify { 5.6.7.8; };
+
+	# OK
+	zone "slave" {
+		type slave;
+		masters { 1.2.3.4; };
+		notify master-only;
+	};
+
+	# OK
+	zone "master" {
+		type master;
+		file "filename";
+		notify no;
+	};
+};
diff --git a/bin/tests/system/checkconf/portrange-good.conf b/bin/tests/system/checkconf/portrange-good.conf
new file mode 100644
index 0000000..c4eb582
--- /dev/null
+++ b/bin/tests/system/checkconf/portrange-good.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	avoid-v4-udp-ports {
+		1935;
+		2605;
+		4321;
+		6514;
+		range 8610 8614;
+	};
+};
diff --git a/bin/tests/system/checkconf/range.conf b/bin/tests/system/checkconf/range.conf
new file mode 100644
index 0000000..b389ecb
--- /dev/null
+++ b/bin/tests/system/checkconf/range.conf
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 999999;
+	dscp 222;
+	listen-on port 100 dscp 444 {
+		127.0.0.1/32;
+	};
+};
+
+zone "example" {
+	type master;
+	file "example.db";
+};
diff --git a/bin/tests/system/checkconf/servestale.stale-refresh-time.0.conf b/bin/tests/system/checkconf/servestale.stale-refresh-time.0.conf
new file mode 100644
index 0000000..3ff6b0d
--- /dev/null
+++ b/bin/tests/system/checkconf/servestale.stale-refresh-time.0.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	stale-refresh-time 0;
+};
diff --git a/bin/tests/system/checkconf/servestale.stale-refresh-time.29.conf b/bin/tests/system/checkconf/servestale.stale-refresh-time.29.conf
new file mode 100644
index 0000000..9e0669c
--- /dev/null
+++ b/bin/tests/system/checkconf/servestale.stale-refresh-time.29.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	stale-refresh-time 29;
+};
diff --git a/bin/tests/system/checkconf/shared.example.db b/bin/tests/system/checkconf/shared.example.db
new file mode 100644
index 0000000..5dcdd1b
--- /dev/null
+++ b/bin/tests/system/checkconf/shared.example.db
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@	0	SOA	. . 0 0 0 0 0
+@	0	NS	.
diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
new file mode 100644
index 0000000..c978efe
--- /dev/null
+++ b/bin/tests/system/checkconf/tests.sh
@@ -0,0 +1,643 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=0
+
+mkdir keys
+
+n=`expr $n + 1`
+echo_i "checking that named-checkconf handles a known good config ($n)"
+ret=0
+$CHECKCONF good.conf > checkconf.out$n 2>&1 || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that named-checkconf prints a known good config ($n)"
+ret=0
+awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good.conf > good.conf.in
+[ -s good.conf.in ] || ret=1
+$CHECKCONF -p good.conf.in  > checkconf.out$n || ret=1
+grep -v '^good.conf.in:' < checkconf.out$n > good.conf.out 2>&1 || ret=1
+cmp good.conf.in good.conf.out || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that named-checkconf -x removes secrets ($n)"
+ret=0
+# ensure there is a secret and that it is not the check string.
+grep 'secret "' good.conf.in > /dev/null || ret=1
+grep 'secret "????????????????"' good.conf.in > /dev/null 2>&1 && ret=1
+$CHECKCONF -p -x good.conf.in > checkconf.out$n || ret=1
+grep -v '^good.conf.in:' < checkconf.out$n > good.conf.out 2>&1 || ret=1
+grep 'secret "????????????????"' good.conf.out > /dev/null 2>&1 || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+for bad in bad-*.conf
+do
+    n=`expr $n + 1`
+    echo_i "checking that named-checkconf detects error in $bad ($n)"
+    ret=0
+    $CHECKCONF $bad > checkconf.out$n 2>&1
+    if [ $? -ne 1 ]; then ret=1; fi
+    grep "^$bad:[0-9]*: " < checkconf.out$n > /dev/null || ret=1
+    case $bad in
+    bad-update-policy[123].conf)
+	pat="identity and name fields are not the same"
+	grep "$pat" < checkconf.out$n > /dev/null || ret=1
+	;;
+    bad-update-policy[4589].conf|bad-update-policy1[01].conf)
+	pat="name field not set to placeholder value"
+	grep "$pat" < checkconf.out$n > /dev/null || ret=1
+	;;
+    bad-update-policy[67].conf|bad-update-policy1[2345].conf)
+	pat="missing name field type '.*' found"
+	grep "$pat" < checkconf.out$n > /dev/null || ret=1
+	;;
+    esac
+    if [ $ret -ne 0 ]; then echo_i "failed"; fi
+    status=`expr $status + $ret`
+done
+
+for good in good-*.conf
+do
+	n=`expr $n + 1`
+	echo_i "checking that named-checkconf detects no error in $good ($n)"
+	ret=0
+	$CHECKCONF $good > checkconf.out$n 2>&1
+	if [ $? -ne 0 ]; then echo_i "failed"; ret=1; fi
+	status=`expr $status + $ret`
+done
+
+n=`expr $n + 1`
+echo_i "checking that ancient options report a fatal error ($n)"
+ret=0
+$CHECKCONF ancient.conf > ancient.out 2>&1 && ret=1
+grep "no longer exists" ancient.out > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that named-checkconf -z catches missing hint file ($n)"
+ret=0
+$CHECKCONF -z hint-nofile.conf > hint-nofile.out 2>&1 && ret=1
+grep "could not configure root hints from 'nonexistent.db': file not found" hint-nofile.out > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that named-checkconf catches range errors ($n)"
+ret=0
+$CHECKCONF range.conf > checkconf.out$n 2>&1 && ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that named-checkconf warns of notify inconsistencies ($n)"
+ret=0
+$CHECKCONF notify.conf > checkconf.out$n 2>&1
+warnings=`grep "'notify' is disabled" < checkconf.out$n | wc -l`
+[ $warnings -eq 3 ] || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking named-checkconf dnssec warnings ($n)"
+ret=0
+# dnssec.1: dnssec-enable is obsolete
+$CHECKCONF dnssec.1 > checkconf.out$n.1 2>&1
+grep "'dnssec-enable' is obsolete and should be removed" < checkconf.out$n.1 > /dev/null || ret=1
+# dnssec.2: auto-dnssec warning
+$CHECKCONF dnssec.2 > checkconf.out$n.2 2>&1
+grep 'auto-dnssec may only be ' < checkconf.out$n.2 > /dev/null || ret=1
+# dnssec.3: should have no warnings (other than deprecation warning)
+$CHECKCONF dnssec.3 > checkconf.out$n.3 2>&1
+grep "option 'auto-dnssec' is deprecated" < checkconf.out$n.3 > /dev/null || ret=1
+lines=$(wc -l < "checkconf.out$n.3")
+if [ $lines != 1 ]; then ret=1; fi
+# dnssec.4: should have specific deprecation warning
+$CHECKCONF dnssec.4 > checkconf.out$n.4 2>&1
+grep "'auto-dnssec' option is deprecated and will be removed in BIND 9\.19" < checkconf.out$n.4 > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking named-checkconf deprecate warnings ($n)"
+ret=0
+$CHECKCONF deprecated.conf > checkconf.out$n.1 2>&1
+grep "option 'managed-keys' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
+grep "option 'trusted-keys' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
+grep "option 'dscp' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
+grep "token 'dscp' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+# set -i to ignore deprecate warnings
+$CHECKCONF -i deprecated.conf > checkconf.out$n.2 2>&1
+grep '.*' < checkconf.out$n.2 > /dev/null && ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking named-checkconf servestale warnings ($n)"
+ret=0
+$CHECKCONF servestale.stale-refresh-time.0.conf > checkconf.out$n.1 2>&1
+grep "'stale-refresh-time' should either be 0 or otherwise 30 seconds or higher" < checkconf.out$n.1 > /dev/null && ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+ret=0
+$CHECKCONF servestale.stale-refresh-time.29.conf > checkconf.out$n.1 2>&1
+grep "'stale-refresh-time' should either be 0 or otherwise 30 seconds or higher" < checkconf.out$n.1 > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "range checking fields that do not allow zero ($n)"
+ret=0
+for field in max-retry-time min-retry-time max-refresh-time min-refresh-time; do
+    cat > badzero.conf << EOF
+options {
+    $field 0;
+};
+EOF
+    $CHECKCONF badzero.conf > checkconf.out$n.1 2>&1
+    [ $? -eq 1 ] || { echo_i "options $field failed" ; ret=1; }
+    cat > badzero.conf << EOF
+view dummy {
+    $field 0;
+};
+EOF
+    $CHECKCONF badzero.conf > checkconf.out$n.2 2>&1
+    [ $? -eq 1 ] || { echo_i "view $field failed" ; ret=1; }
+    cat > badzero.conf << EOF
+options {
+    $field 0;
+};
+view dummy {
+};
+EOF
+    $CHECKCONF badzero.conf > checkconf.out$n.3 2>&1
+    [ $? -eq 1 ] || { echo_i "options + view $field failed" ; ret=1; }
+    cat > badzero.conf << EOF
+zone dummy {
+    type secondary;
+    primaries { 0.0.0.0; };
+    $field 0;
+};
+EOF
+    $CHECKCONF badzero.conf > checkconf.out$n.4 2>&1
+    [ $? -eq 1 ] || { echo_i "zone $field failed" ; ret=1; }
+done
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking options allowed in inline-signing secondaries ($n)"
+ret=0
+$CHECKCONF bad-dnssec.conf > checkconf.out$n.1 2>&1
+l=`grep "dnssec-dnskey-kskonly.*requires inline" < checkconf.out$n.1 | wc -l`
+[ $l -eq 1 ] || ret=1
+$CHECKCONF bad-dnssec.conf > checkconf.out$n.2 2>&1
+l=`grep "dnssec-loadkeys-interval.*requires inline" < checkconf.out$n.2 | wc -l`
+[ $l -eq 1 ] || ret=1
+$CHECKCONF bad-dnssec.conf > checkconf.out$n.3 2>&1
+l=`grep "update-check-ksk.*requires inline" < checkconf.out$n.3 | wc -l`
+[ $l -eq 1 ] || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check file + inline-signing for secondary zones ($n)"
+$CHECKCONF inline-no.conf > checkconf.out$n.1 2>&1
+l=`grep "missing 'file' entry" < checkconf.out$n.1 | wc -l`
+[ $l -eq 0 ] || ret=1
+$CHECKCONF inline-good.conf > checkconf.out$n.2 2>&1
+l=`grep "missing 'file' entry" < checkconf.out$n.2 | wc -l`
+[ $l -eq 0 ] || ret=1
+$CHECKCONF inline-bad.conf > checkconf.out$n.3 2>&1
+l=`grep "missing 'file' entry" < checkconf.out$n.3 | wc -l`
+[ $l -eq 1 ] || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking named-checkconf DLZ warnings ($n)"
+ret=0
+$CHECKCONF dlz-bad.conf > checkconf.out$n 2>&1
+grep "'dlz' and 'database'" < checkconf.out$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking for missing key directory warning ($n)"
+ret=0
+rm -rf test.keydir
+$CHECKCONF warn-keydir.conf > checkconf.out$n.1 2>&1
+l=`grep "'test.keydir' does not exist" < checkconf.out$n.1 | wc -l`
+[ $l -eq 1 ] || ret=1
+touch test.keydir
+$CHECKCONF warn-keydir.conf > checkconf.out$n.2 2>&1
+l=`grep "'test.keydir' is not a directory" < checkconf.out$n.2 | wc -l`
+[ $l -eq 1 ] || ret=1
+rm -f test.keydir
+mkdir test.keydir
+$CHECKCONF warn-keydir.conf > checkconf.out$n.3 2>&1
+l=`grep "key-directory" < checkconf.out$n.3 | wc -l`
+[ $l -eq 0 ] || ret=1
+rm -rf test.keydir
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+
+n=`expr $n + 1`
+echo_i "checking that named-checkconf -z catches conflicting ttl with max-ttl ($n)"
+ret=0
+$CHECKCONF -z max-ttl.conf > check.out 2>&1
+grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out > /dev/null 2>&1 || ret=1
+grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out > /dev/null 2>&1 || ret=1
+grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out > /dev/null 2>&1 || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that named-checkconf -z catches invalid max-ttl ($n)"
+ret=0
+$CHECKCONF -z max-ttl-bad.conf > checkconf.out$n 2>&1 && ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that named-checkconf -z skips zone check with alternate databases ($n)"
+ret=0
+$CHECKCONF -z altdb.conf > checkconf.out$n 2>&1 || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that named-checkconf -z skips zone check with DLZ ($n)"
+ret=0
+$CHECKCONF -z altdlz.conf > checkconf.out$n 2>&1 || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that named-checkconf -z fails on view with ANY class ($n)"
+ret=0
+$CHECKCONF -z view-class-any1.conf > checkconf.out$n 2>&1 && ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that named-checkconf -z fails on view with CLASS255 class ($n)"
+ret=0
+$CHECKCONF -z view-class-any2.conf > checkconf.out$n 2>&1 && ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that named-checkconf -z passes on view with IN class ($n)"
+ret=0
+$CHECKCONF -z view-class-in1.conf > checkconf.out$n 2>&1 || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that named-checkconf -z passes on view with CLASS1 class ($n)"
+ret=0
+$CHECKCONF -z view-class-in2.conf > checkconf.out$n 2>&1 || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that check-names fails as configured ($n)"
+ret=0
+$CHECKCONF -z check-names-fail.conf > checkconf.out$n 2>&1 && ret=1
+grep "near '_underscore': bad name (check-names)" < checkconf.out$n > /dev/null || ret=1
+grep "zone check-names/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that check-mx fails as configured ($n)"
+ret=0
+$CHECKCONF -z check-mx-fail.conf > checkconf.out$n 2>&1 && ret=1
+grep "near '10.0.0.1': MX is an address" < checkconf.out$n > /dev/null || ret=1
+grep "zone check-mx/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that check-dup-records fails as configured ($n)"
+ret=0
+$CHECKCONF -z check-dup-records-fail.conf > checkconf.out$n 2>&1 && ret=1
+grep "has semantically identical records" < checkconf.out$n > /dev/null || ret=1
+grep "zone check-dup-records/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that check-mx fails as configured ($n)"
+ret=0
+$CHECKCONF -z check-mx-fail.conf > checkconf.out$n 2>&1 && ret=1
+grep "failed: MX is an address" < checkconf.out$n > /dev/null || ret=1
+grep "zone check-mx/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that check-mx-cname fails as configured ($n)"
+ret=0
+$CHECKCONF -z check-mx-cname-fail.conf > checkconf.out$n 2>&1 && ret=1
+grep "MX.* is a CNAME (illegal)" < checkconf.out$n > /dev/null || ret=1
+grep "zone check-mx-cname/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that check-srv-cname fails as configured ($n)"
+ret=0
+$CHECKCONF -z check-srv-cname-fail.conf > checkconf.out$n 2>&1 && ret=1
+grep "SRV.* is a CNAME (illegal)" < checkconf.out$n > /dev/null || ret=1
+grep "zone check-mx-cname/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that named-checkconf -p properly print a port range ($n)"
+ret=0
+$CHECKCONF -p portrange-good.conf > checkconf.out$n 2>&1 || ret=1
+grep "range 8610 8614;" < checkconf.out$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that named-checkconf -z handles in-view ($n)"
+ret=0
+$CHECKCONF -z in-view-good.conf > checkconf.out$n 2>&1 || ret=1
+grep "zone shared.example/IN: loaded serial" < checkconf.out$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that named-checkconf -z returns error when a later view is okay ($n)"
+ret=0
+$CHECKCONF -z check-missing-zone.conf > checkconf.out$n 2>&1 && ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that named-checkconf prints max-cache-size <percentage> correctly ($n)"
+ret=0
+$CHECKCONF -p max-cache-size-good.conf > checkconf.out$n 2>&1 || ret=1
+grep "max-cache-size 60%;" < checkconf.out$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that named-checkconf -l prints out the zone list ($n)"
+ret=0
+$CHECKCONF -l good.conf |
+grep -v "is deprecated" |
+grep -v "is not implemented" |
+grep -v "is not recommended" |
+grep -v "no longer exists" |
+grep -v "is obsolete" > checkconf.out$n || ret=1
+diff good.zonelist checkconf.out$n > diff.out$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that 'dnssec-lookaside auto;' generates a warning ($n)"
+ret=0
+$CHECKCONF warn-dlv-auto.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "option 'dnssec-lookaside' is obsolete and should be removed" < checkconf.out$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that 'dnssec-lookaside . trust-anchor dlv.isc.org;' generates a warning ($n)"
+ret=0
+$CHECKCONF warn-dlv-dlv.isc.org.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "option 'dnssec-lookaside' is obsolete and should be removed" < checkconf.out$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that 'dnssec-lookaside . trust-anchor dlv.example.com;' generates a warning ($n)"
+ret=0
+$CHECKCONF warn-dlv-dlv.example.com.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "option 'dnssec-lookaside' is obsolete and should be removed" < checkconf.out$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that the 2010 ICANN ROOT KSK without the 2017 ICANN ROOT KSK generates a warning ($n)"
+ret=0
+$CHECKCONF check-root-ksk-2010.conf > checkconf.out$n 2>/dev/null || ret=1
+[ -s checkconf.out$n ] || ret=1
+grep "key without the updated" < checkconf.out$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that the 2010 ICANN ROOT KSK with the 2017 ICANN ROOT KSK does not generate a warning ($n)"
+ret=0
+$CHECKCONF check-root-ksk-both.conf > checkconf.out$n 2>/dev/null || ret=1
+[ -s checkconf.out$n ] && ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that the 2017 ICANN ROOT KSK alone does not generate a warning ($n)"
+ret=0
+$CHECKCONF check-root-ksk-2017.conf > checkconf.out$n 2>/dev/null || ret=1
+[ -s checkconf.out$n ] && ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that a static root key generates a warning ($n)"
+ret=0
+$CHECKCONF check-root-static-key.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "static entry for the root zone WILL FAIL" checkconf.out$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that a static root DS trust anchor generates a warning ($n)"
+ret=0
+$CHECKCONF check-root-static-ds.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "static entry for the root zone WILL FAIL" checkconf.out$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that a trusted-keys entry for root generates a warning ($n)"
+ret=0
+$CHECKCONF check-root-trusted-key.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "trusted-keys entry for the root zone WILL FAIL" checkconf.out$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that using trust-anchors and managed-keys generates an error ($n)"
+ret=0
+$CHECKCONF check-mixed-keys.conf > checkconf.out$n 2>/dev/null && ret=1
+grep "use of managed-keys is not allowed" checkconf.out$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that 'geoip-use-ecs no' generates a warning ($n)"
+ret=0
+$CHECKCONF warn-geoip-use-ecs.conf > checkconf.out$n 2>/dev/null || ret=1
+[ -s checkconf.out$n ] || ret=1
+grep "'geoip-use-ecs' is obsolete" < checkconf.out$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking named-checkconf kasp errors ($n)"
+ret=0
+$CHECKCONF kasp-and-other-dnssec-options.conf > checkconf.out$n 2>&1 && ret=1
+grep "'inline-signing yes;' must also be configured explicitly for zones using dnssec-policy without a configured 'allow-update' or 'update-policy'" < checkconf.out$n > /dev/null || ret=1
+grep "'auto-dnssec maintain;' cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
+grep "dnskey-sig-validity: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
+grep "dnssec-dnskey-kskonly: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
+grep "dnssec-secure-to-insecure: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
+grep "dnssec-update-mode: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
+grep "sig-validity-interval: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
+grep "update-check-ksk: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking named-checkconf kasp nsec3 iterations errors ($n)"
+ret=0
+$CHECKCONF kasp-bad-nsec3-iter.conf > checkconf.out$n 2>&1 && ret=1
+grep "dnssec-policy: nsec3 iterations value 151 out of range" < checkconf.out$n > /dev/null || ret=1
+lines=$(wc -l < "checkconf.out$n")
+if [ $lines -ne 3 ]; then ret=1; fi
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking named-checkconf kasp nsec3 algorithm errors ($n)"
+ret=0
+$CHECKCONF kasp-bad-nsec3-alg.conf > checkconf.out$n 2>&1 && ret=1
+grep "dnssec-policy: cannot use nsec3 with algorithm 'RSASHA1'" < checkconf.out$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking named-checkconf kasp key errors ($n)"
+ret=0
+$CHECKCONF kasp-bad-keylen.conf > checkconf.out$n 2>&1 && ret=1
+grep "dnssec-policy: key with algorithm rsasha1 has invalid key length 511" < checkconf.out$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking named-checkconf kasp predefined key length ($n)"
+ret=0
+$CHECKCONF kasp-ignore-keylen.conf > checkconf.out$n 2>&1 || ret=1
+grep "dnssec-policy: key algorithm ecdsa256 has predefined length; ignoring length value 2048" < checkconf.out$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that a good 'kasp' configuration is accepted ($n)"
+ret=0
+$CHECKCONF good-kasp.conf > checkconf.out$n 2>/dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that named-checkconf prints a known good kasp config ($n)"
+ret=0
+awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good-kasp.conf > good-kasp.conf.in
+[ -s good-kasp.conf.in ] || ret=1
+$CHECKCONF -p good-kasp.conf.in | grep -v '^good-kasp.conf.in:' > good-kasp.conf.out 2>&1 || ret=1
+cmp good-kasp.conf.in good-kasp.conf.out || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that max-ixfr-ratio 100% generates a warning ($n)"
+ret=0
+$CHECKCONF warn-maxratio1.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "exceeds 100%" < checkconf.out$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that *-source options with specified port generate warnings ($n)"
+ret=0
+$CHECKCONF warn-transfer-source.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "not recommended" < checkconf.out$n > /dev/null || ret=1
+$CHECKCONF warn-notify-source.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "not recommended" < checkconf.out$n > /dev/null || ret=1
+$CHECKCONF warn-parental-source.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "not recommended" < checkconf.out$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that using both max-zone-ttl and dnssec-policy generates a warning ($n)"
+ret=0
+$CHECKCONF warn-kasp-max-zone-ttl.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "option 'max-zone-ttl' is ignored when used together with 'dnssec-policy'" < checkconf.out$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=$((n+1))
+echo_i "check that masterfile-format map generates deprecation warning ($n)"
+ret=0
+$CHECKCONF deprecated-masterfile-format-map.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "is deprecated" < checkconf.out$n >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check that masterfile-format text and raw don't generate deprecation warning ($n)"
+ret=0
+$CHECKCONF good-masterfile-format-text.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "is deprecated" < checkconf.out$n >/dev/null && ret=1
+$CHECKCONF good-masterfile-format-raw.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "is deprecated" < checkconf.out$n >/dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check that 'check-wildcard no;' succeeds as configured ($n)"
+ret=0
+$CHECKCONF -z check-wildcard-no.conf > checkconf.out$n 2>&1 || ret=1
+grep -F "warning: ownername 'foo.*.check-wildcard' contains an non-terminal wildcard" checkconf.out$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that 'check-wildcard yes;' warns as configured ($n)"
+ret=0
+$CHECKCONF -z check-wildcard.conf > checkconf.out$n 2>&1 || ret=1
+grep -F "warning: ownername 'foo.*.check-wildcard' contains an non-terminal wildcard" checkconf.out$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+rmdir keys
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/checkconf/view-class-any1.conf b/bin/tests/system/checkconf/view-class-any1.conf
new file mode 100644
index 0000000..8b39456
--- /dev/null
+++ b/bin/tests/system/checkconf/view-class-any1.conf
@@ -0,0 +1,14 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view "example" any { };
diff --git a/bin/tests/system/checkconf/view-class-any2.conf b/bin/tests/system/checkconf/view-class-any2.conf
new file mode 100644
index 0000000..049ccf6
--- /dev/null
+++ b/bin/tests/system/checkconf/view-class-any2.conf
@@ -0,0 +1,14 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view "example" class255 { };
diff --git a/bin/tests/system/checkconf/view-class-in1.conf b/bin/tests/system/checkconf/view-class-in1.conf
new file mode 100644
index 0000000..1d203e6
--- /dev/null
+++ b/bin/tests/system/checkconf/view-class-in1.conf
@@ -0,0 +1,14 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view "example" in { };
diff --git a/bin/tests/system/checkconf/view-class-in2.conf b/bin/tests/system/checkconf/view-class-in2.conf
new file mode 100644
index 0000000..38b356e
--- /dev/null
+++ b/bin/tests/system/checkconf/view-class-in2.conf
@@ -0,0 +1,14 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view "example" class1 { };
diff --git a/bin/tests/system/checkconf/warn-dlv-auto.conf b/bin/tests/system/checkconf/warn-dlv-auto.conf
new file mode 100644
index 0000000..598edd2
--- /dev/null
+++ b/bin/tests/system/checkconf/warn-dlv-auto.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dnssec-lookaside auto;
+};
diff --git a/bin/tests/system/checkconf/warn-dlv-dlv.example.com.conf b/bin/tests/system/checkconf/warn-dlv-dlv.example.com.conf
new file mode 100644
index 0000000..d274731
--- /dev/null
+++ b/bin/tests/system/checkconf/warn-dlv-dlv.example.com.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dnssec-lookaside . trust-anchor dlv.example.com;
+};
diff --git a/bin/tests/system/checkconf/warn-dlv-dlv.isc.org.conf b/bin/tests/system/checkconf/warn-dlv-dlv.isc.org.conf
new file mode 100644
index 0000000..47bea02
--- /dev/null
+++ b/bin/tests/system/checkconf/warn-dlv-dlv.isc.org.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dnssec-lookaside . trust-anchor dlv.isc.org;
+};
diff --git a/bin/tests/system/checkconf/warn-geoip-use-ecs.conf b/bin/tests/system/checkconf/warn-geoip-use-ecs.conf
new file mode 100644
index 0000000..9b95003
--- /dev/null
+++ b/bin/tests/system/checkconf/warn-geoip-use-ecs.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	geoip-use-ecs no;
+};
diff --git a/bin/tests/system/checkconf/warn-kasp-max-zone-ttl.conf b/bin/tests/system/checkconf/warn-kasp-max-zone-ttl.conf
new file mode 100644
index 0000000..0d3139d
--- /dev/null
+++ b/bin/tests/system/checkconf/warn-kasp-max-zone-ttl.conf
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * The dnssec-policy is not defined. Should also be caught if it is inherited.
+ */
+
+options {
+	dnssec-policy default;
+};
+
+zone "example.net" {
+	type primary;
+	file "example.db";
+	inline-signing yes;
+        max-zone-ttl 600;
+};
diff --git a/bin/tests/system/checkconf/warn-keydir.conf b/bin/tests/system/checkconf/warn-keydir.conf
new file mode 100644
index 0000000..7aa4536
--- /dev/null
+++ b/bin/tests/system/checkconf/warn-keydir.conf
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * key-directory defined but doesn't exist.
+ */
+options {
+	directory ".";
+};
+
+zone dummy {
+	type master;
+	file "xxxx";
+	key-directory "test.keydir";
+};
diff --git a/bin/tests/system/checkconf/warn-maxratio1.conf b/bin/tests/system/checkconf/warn-maxratio1.conf
new file mode 100644
index 0000000..31af34b
--- /dev/null
+++ b/bin/tests/system/checkconf/warn-maxratio1.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone example {
+	type master;
+	masterfile-format map;
+	file "example.db";
+	max-ixfr-ratio 101%;
+};
diff --git a/bin/tests/system/checkconf/warn-notify-source.conf b/bin/tests/system/checkconf/warn-notify-source.conf
new file mode 100644
index 0000000..4d840cc
--- /dev/null
+++ b/bin/tests/system/checkconf/warn-notify-source.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	notify-source 10.53.0.1 port 100;
+};
diff --git a/bin/tests/system/checkconf/warn-parental-source.conf b/bin/tests/system/checkconf/warn-parental-source.conf
new file mode 100644
index 0000000..2bbb34b
--- /dev/null
+++ b/bin/tests/system/checkconf/warn-parental-source.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	parental-source 10.53.0.1 port 100;
+};
diff --git a/bin/tests/system/checkconf/warn-transfer-source.conf b/bin/tests/system/checkconf/warn-transfer-source.conf
new file mode 100644
index 0000000..eb31041
--- /dev/null
+++ b/bin/tests/system/checkconf/warn-transfer-source.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	transfer-source 10.53.0.1 port 100;
+};
diff --git a/bin/tests/system/checkds/README b/bin/tests/system/checkds/README
new file mode 100644
index 0000000..759c4bd
--- /dev/null
+++ b/bin/tests/system/checkds/README
@@ -0,0 +1,26 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0.  If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+
+The test setup for the checkds tests.
+
+These servers are parent servers:
+- ns2 is a primary authoritative server that serves the parent zone for zones
+  configured in ns9.
+- ns4 is the secondary server for ns2.
+- ns5 is a primary authoritative server that serves the parent zone for zones
+  configured in ns9, but this one does not publish DS records (to test cases
+  where the DS is missing).
+- ns6 is an authoritative server for a different zone, to test badly configured
+  parental agents.
+- ns7 is the secondary server for ns5.
+
+Finally, ns9 is the authoritative server for the various DNSSEC enabled test
+domains.
diff --git a/bin/tests/system/checkds/clean.sh b/bin/tests/system/checkds/clean.sh
new file mode 100644
index 0000000..74bf421
--- /dev/null
+++ b/bin/tests/system/checkds/clean.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+rm -f dig.out*
+rm -f ns*/named.conf ns*/named.memstats ns*/named.run*
+rm -f ns*/*.jnl ns*/*.jbk
+rm -f ns*/K*.private ns*/K*.key ns*/K*.state
+rm -f ns*/dsset-*
+rm -f ns*/*.db ns*/*.jnl ns*/*.jbk ns*/*.db.signed ns*/*.db.infile
+rm -f ns*/keygen.out.* ns*/settime.out.* ns*/signer.out.*
+rm -f ns*/managed-keys.bind*
+rm -f ns*/*.mkeys
+rm -f ns*/zones
+rm -f *.checkds.out
diff --git a/bin/tests/system/checkds/ns2/named.conf.in b/bin/tests/system/checkds/ns2/named.conf.in
new file mode 100644
index 0000000..44a5776
--- /dev/null
+++ b/bin/tests/system/checkds/ns2/named.conf.in
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	allow-transfer { any; };
+	recursion no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "checkds" {
+	type primary;
+	file "checkds.db";
+};
diff --git a/bin/tests/system/checkds/ns2/setup.sh b/bin/tests/system/checkds/ns2/setup.sh
new file mode 100644
index 0000000..57c7f0a
--- /dev/null
+++ b/bin/tests/system/checkds/ns2/setup.sh
@@ -0,0 +1,34 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+echo_i "ns2/setup.sh"
+
+for subdomain in dspublished reference missing-dspublished bad-dspublished \
+		 multiple-dspublished incomplete-dspublished bad2-dspublished \
+		 dswithdrawn missing-dswithdrawn bad-dswithdrawn \
+		 multiple-dswithdrawn incomplete-dswithdrawn bad2-dswithdrawn
+do
+	cp "../ns9/dsset-$subdomain.checkds$TP" .
+done
+
+zone="checkds"
+infile="checkds.db.infile"
+zonefile="checkds.db"
+
+CSK=$($KEYGEN -k default $zone 2> keygen.out.$zone)
+cat template.db.in "${CSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+$SIGNER -S -g -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone 2>&1
diff --git a/bin/tests/system/checkds/ns2/template.db.in b/bin/tests/system/checkds/ns2/template.db.in
new file mode 100644
index 0000000..ede62ef
--- /dev/null
+++ b/bin/tests/system/checkds/ns2/template.db.in
@@ -0,0 +1,38 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@			IN	SOA  secondary.example. hostmaster.example. (
+				1       ; serial
+				20      ; refresh (20 seconds)
+				20      ; retry (20 seconds)
+				1814400 ; expire (3 weeks)
+				3600    ; minimum (1 hour)
+				)
+
+				NS	ns2
+ns2				A	10.53.0.2
+
+dspublished			NS	ns9.dspublished
+reference			NS	ns9.reference
+missing-dspublished		NS	ns9.missing-dspublished
+bad-dspublished			NS	ns9.bad-dspublished
+multiple-dspublished		NS	ns9.multiple-dspublished
+incomplete-dspublished		NS	ns9.incomplete-dspublished
+bad2-dspublished		NS	ns9.bad2-dspublished
+
+dswithdrawn			NS	ns9.dswithdrawn
+missing-dswithdrawn		NS	ns9.missing-dswithdrawn
+bad-dswithdrawn			NS	ns9.bad-dswithdrawn
+multiple-dswithdrawn		NS	ns9.multiple-dswithdrawn
+incomplete-dswithdrawn		NS	ns9.incomplete-dswithdrawn
+bad2-dswithdrawn		NS	ns9.bad2-dswithdrawn
+
diff --git a/bin/tests/system/checkds/ns4/named.conf.in b/bin/tests/system/checkds/ns4/named.conf.in
new file mode 100644
index 0000000..b5421eb
--- /dev/null
+++ b/bin/tests/system/checkds/ns4/named.conf.in
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS4
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	allow-transfer { any; };
+	recursion no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "checkds" {
+	type secondary;
+	file "checkds.db";
+        primaries { 10.53.0.2 port @PORT@; };
+};
diff --git a/bin/tests/system/checkds/ns5/named.conf.in b/bin/tests/system/checkds/ns5/named.conf.in
new file mode 100644
index 0000000..baab6be
--- /dev/null
+++ b/bin/tests/system/checkds/ns5/named.conf.in
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS5
+
+options {
+	query-source address 10.53.0.5;
+	notify-source 10.53.0.5;
+	transfer-source 10.53.0.5;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.5; };
+	listen-on-v6 { none; };
+	allow-transfer { any; };
+	recursion no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "checkds" {
+	type primary;
+	file "checkds.db";
+};
diff --git a/bin/tests/system/checkds/ns5/setup.sh b/bin/tests/system/checkds/ns5/setup.sh
new file mode 100644
index 0000000..79d7b71
--- /dev/null
+++ b/bin/tests/system/checkds/ns5/setup.sh
@@ -0,0 +1,26 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+echo_i "ns5/setup.sh"
+
+zone="checkds"
+infile="checkds.db.infile"
+zonefile="checkds.db"
+
+CSK=$($KEYGEN -k default $zone 2> keygen.out.$zone)
+cat template.db.in "${CSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+$SIGNER -S -g -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone 2>&1
diff --git a/bin/tests/system/checkds/ns5/template.db.in b/bin/tests/system/checkds/ns5/template.db.in
new file mode 100644
index 0000000..ac3eb8e
--- /dev/null
+++ b/bin/tests/system/checkds/ns5/template.db.in
@@ -0,0 +1,38 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@			IN	SOA  secondary.example. hostmaster.example. (
+				1       ; serial
+				20      ; refresh (20 seconds)
+				20      ; retry (20 seconds)
+				1814400 ; expire (3 weeks)
+				3600    ; minimum (1 hour)
+				)
+
+				NS	ns5
+ns5				A	10.53.0.5
+
+dspublished			NS	ns9.dspublished
+reference			NS	ns9.reference
+missing-dspublished		NS	ns9.missing-dspublished
+bad-dspublished			NS	ns9.bad-dspublished
+multiple-dspublished		NS	ns9.multiple-dspublished
+incomplete-dspublished		NS	ns9.incomplete-dspublished
+bad2-dspublished		NS	ns9.bad2-dspublished
+
+dswithdrawn			NS	ns9.dswithdrawn
+missing-dswithdrawn		NS	ns9.missing-dswithdrawn
+bad-dswithdrawn			NS	ns9.bad-dswithdrawn
+multiple-dswithdrawn		NS	ns9.multiple-dswithdrawn
+incomplete-dswithdrawn		NS	ns9.incomplete-dswithdrawn
+bad2-dswithdrawn		NS	ns9.bad2-dswithdrawn
+
diff --git a/bin/tests/system/checkds/ns6/named.conf.in b/bin/tests/system/checkds/ns6/named.conf.in
new file mode 100644
index 0000000..53d3a16
--- /dev/null
+++ b/bin/tests/system/checkds/ns6/named.conf.in
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+	query-source address 10.53.0.6;
+	notify-source 10.53.0.6;
+	transfer-source 10.53.0.6;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.6; };
+	listen-on-v6 { none; };
+	allow-transfer { any; };
+	recursion no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "foo" {
+	type primary;
+	file "foo.db";
+};
diff --git a/bin/tests/system/checkds/ns7/named.conf.in b/bin/tests/system/checkds/ns7/named.conf.in
new file mode 100644
index 0000000..a3e3e15
--- /dev/null
+++ b/bin/tests/system/checkds/ns7/named.conf.in
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS7
+
+options {
+	query-source address 10.53.0.7;
+	notify-source 10.53.0.7;
+	transfer-source 10.53.0.7;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.7; };
+	listen-on-v6 { none; };
+	allow-transfer { any; };
+	recursion no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+        type hint;
+        file "../../common/root.hint";
+};
+
+zone "checkds" {
+	type secondary;
+	file "checkds.db";
+        primaries { 10.53.0.5 port @PORT@; };
+};
diff --git a/bin/tests/system/checkds/ns9/named.conf.in b/bin/tests/system/checkds/ns9/named.conf.in
new file mode 100644
index 0000000..0899f8a
--- /dev/null
+++ b/bin/tests/system/checkds/ns9/named.conf.in
@@ -0,0 +1,218 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS9
+
+options {
+	query-source address 10.53.0.9;
+	notify-source 10.53.0.9;
+	transfer-source 10.53.0.9;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.9; };
+	listen-on-v6 { none; };
+	allow-transfer { any; };
+	recursion no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+parental-agents "ns2" port @PORT@ {
+	10.53.0.2;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+/*
+ * Zone with parental agent configured, due for DS checking.
+ */
+zone "dspublished.checkds" {
+	type primary;
+	file "dspublished.checkds.db";
+	inline-signing yes;
+	dnssec-policy "default";
+	parental-agents { 10.53.0.2 port @PORT@; };
+};
+
+/*
+ * Zone with parental agent configured, due for DS checking.
+ * Same as above, but now with a reference to parental-agents.
+ */
+zone "reference.checkds" {
+	type primary;
+	file "reference.checkds.db";
+	inline-signing yes;
+	dnssec-policy "default";
+	parental-agents { "ns2"; };
+};
+
+/*
+ * Zone with parental agent configured, due for DS checking.
+ * The parental agent does not have the DS yet.
+ */
+zone "missing-dspublished.checkds" {
+	type primary;
+	file "missing-dspublished.checkds.db";
+	inline-signing yes;
+	dnssec-policy "default";
+	parental-agents {
+		10.53.0.5 port @PORT@; // missing
+	};
+};
+
+
+/*
+ * Zone with parental agent configured, due for DS checking.
+ * This case, the server is badly configured.
+ */
+zone "bad-dspublished.checkds" {
+	type primary;
+	file "bad-dspublished.checkds.db";
+	inline-signing yes;
+	dnssec-policy "default";
+	parental-agents {
+		10.53.0.6 port @PORT@; // bad
+	};
+};
+
+/*
+ * Zone with multiple parental agents configured, due for DS checking.
+ * All need to have the DS before the rollover may continue.
+ */
+zone "multiple-dspublished.checkds" {
+	type primary;
+	file "multiple-dspublished.checkds.db";
+	inline-signing yes;
+	dnssec-policy "default";
+	parental-agents {
+		10.53.0.2 port @PORT@;
+		10.53.0.4 port @PORT@;
+	};
+};
+
+/*
+ * Zone with multiple parental agents configured, due for DS checking.
+ * All need to have the DS before the rollover may continue.
+ * This case, one server is still missing the DS.
+ */
+zone "incomplete-dspublished.checkds" {
+	type primary;
+	file "incomplete-dspublished.checkds.db";
+	inline-signing yes;
+	dnssec-policy "default";
+	parental-agents {
+		10.53.0.2 port @PORT@;
+		10.53.0.4 port @PORT@;
+		10.53.0.5 port @PORT@; // missing
+	};
+};
+
+
+/*
+ * Zone with multiple parental agents configured, due for DS checking.
+ * All need to have the DS before the rollover may continue.
+ * This case, one server is badly configured.
+ */
+zone "bad2-dspublished.checkds" {
+	type primary;
+	file "bad2-dspublished.checkds.db";
+	inline-signing yes;
+	dnssec-policy "default";
+	parental-agents {
+		10.53.0.2 port @PORT@;
+		10.53.0.4 port @PORT@;
+		10.53.0.6 port @PORT@; // bad
+	};
+};
+
+// TODO: Other test cases:
+// - Test with bogus response
+// - check with TSIG
+// - check with TLS
+
+
+/*
+ * Zones that are going insecure (test DS withdrawn polling).
+ */
+zone "dswithdrawn.checkds" {
+	type primary;
+	file "dswithdrawn.checkds.db";
+	inline-signing yes;
+	dnssec-policy "insecure";
+	parental-agents { 10.53.0.5 port @PORT@; };
+};
+
+zone "missing-dswithdrawn.checkds" {
+	type primary;
+	file "missing-dswithdrawn.checkds.db";
+	inline-signing yes;
+	dnssec-policy "insecure";
+	parental-agents {
+		10.53.0.2 port @PORT@; // still published
+	};
+};
+
+zone "bad-dswithdrawn.checkds" {
+	type primary;
+	file "bad-dswithdrawn.checkds.db";
+	inline-signing yes;
+	dnssec-policy "insecure";
+	parental-agents {
+		10.53.0.6 port @PORT@; // bad
+	};
+};
+
+zone "multiple-dswithdrawn.checkds" {
+	type primary;
+	file "multiple-dswithdrawn.checkds.db";
+	inline-signing yes;
+	dnssec-policy "insecure";
+	parental-agents {
+		10.53.0.5 port @PORT@;
+		10.53.0.7 port @PORT@;
+	};
+};
+
+zone "incomplete-dswithdrawn.checkds" {
+	type primary;
+	file "incomplete-dswithdrawn.checkds.db";
+	inline-signing yes;
+	dnssec-policy "insecure";
+	parental-agents {
+		10.53.0.2 port @PORT@; // still published
+		10.53.0.5 port @PORT@;
+		10.53.0.7 port @PORT@;
+	};
+};
+
+zone "bad2-dswithdrawn.checkds" {
+	type primary;
+	file "bad2-dswithdrawn.checkds.db";
+	inline-signing yes;
+	dnssec-policy "insecure";
+	parental-agents {
+		10.53.0.5 port @PORT@;
+		10.53.0.7 port @PORT@;
+		10.53.0.6 port @PORT@; // bad
+	};
+};
diff --git a/bin/tests/system/checkds/ns9/setup.sh b/bin/tests/system/checkds/ns9/setup.sh
new file mode 100644
index 0000000..0990fa3
--- /dev/null
+++ b/bin/tests/system/checkds/ns9/setup.sh
@@ -0,0 +1,63 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+echo_i "ns9/setup.sh"
+
+setup() {
+	zone="$1"
+	echo_i "setting up zone: $zone"
+	zonefile="${zone}.db"
+	infile="${zone}.db.infile"
+	echo "$zone" >> zones
+}
+
+# Short environment variable names for key states and times.
+H="HIDDEN"
+R="RUMOURED"
+O="OMNIPRESENT"
+U="UNRETENTIVE"
+T="now-30d"
+Y="now-1y"
+
+# DS Publication.
+for zn in dspublished reference missing-dspublished bad-dspublished \
+	  multiple-dspublished incomplete-dspublished bad2-dspublished
+do
+	setup "${zn}.checkds"
+	cp template.db.in "$zonefile"
+	keytimes="-P $T -P sync $T -A $T"
+	CSK=$($KEYGEN -k default $keytimes $zone 2> keygen.out.$zone)
+	$SETTIME -s -g $O -k $O $T -r $O $T -z $O $T -d $R $T "$CSK" > settime.out.$zone 2>&1
+	cat template.db.in "${CSK}.key" > "$infile"
+	private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+	cp $infile $zonefile
+	$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+done
+
+# DS Withdrawal.
+for zn in dswithdrawn missing-dswithdrawn bad-dswithdrawn multiple-dswithdrawn \
+	  incomplete-dswithdrawn bad2-dswithdrawn
+do
+	setup "${zn}.checkds"
+	cp template.db.in "$zonefile"
+	keytimes="-P $Y -P sync $Y -A $Y"
+	CSK=$($KEYGEN -k default $keytimes $zone 2> keygen.out.$zone)
+	$SETTIME -s -g $H -k $O $T -r $O $T -z $O $T -d $U $T "$CSK" > settime.out.$zone 2>&1
+	cat template.db.in "${CSK}.key" > "$infile"
+	private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+	cp $infile $zonefile
+	$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+done
diff --git a/bin/tests/system/checkds/ns9/template.db.in b/bin/tests/system/checkds/ns9/template.db.in
new file mode 100644
index 0000000..cf06015
--- /dev/null
+++ b/bin/tests/system/checkds/ns9/template.db.in
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@		IN	SOA  mname1. . (
+			1       ; serial
+			20      ; refresh (20 seconds)
+			20      ; retry (20 seconds)
+			1814400 ; expire (3 weeks)
+			3600    ; minimum (1 hour)
+			)
+
+			NS	ns9
+ns9			A	10.53.0.9
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+c			A	10.0.0.3
+
diff --git a/bin/tests/system/checkds/prereq.sh b/bin/tests/system/checkds/prereq.sh
new file mode 100644
index 0000000..2204695
--- /dev/null
+++ b/bin/tests/system/checkds/prereq.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if test -n "$PYTHON"
+then
+    if [ "$($PYTHON -c "import dns.version; print(dns.version.MAJOR)" 2> /dev/null)" -ge 2 ]
+    then
+        :
+    else
+        echo_i "This test requires the dnspython >= 2.0.0 module." >&2
+        exit 1
+    fi
+else
+    echo_i "This test requires Python and the dnspython module." >&2
+    exit 1
+fi
+
+exit 0
diff --git a/bin/tests/system/checkds/setup.sh b/bin/tests/system/checkds/setup.sh
new file mode 100644
index 0000000..93c73b6
--- /dev/null
+++ b/bin/tests/system/checkds/setup.sh
@@ -0,0 +1,40 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+set -e
+
+$SHELL clean.sh
+
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+copy_setports ns6/named.conf.in ns6/named.conf
+copy_setports ns7/named.conf.in ns7/named.conf
+copy_setports ns9/named.conf.in ns9/named.conf
+
+# Setup zones
+(
+	cd ns9
+	$SHELL setup.sh
+)
+(
+	cd ns5
+	$SHELL setup.sh
+)
+(
+	cd ns2
+	$SHELL setup.sh
+)
diff --git a/bin/tests/system/checkds/tests_checkds.py b/bin/tests/system/checkds/tests_checkds.py
new file mode 100755
index 0000000..a52833e
--- /dev/null
+++ b/bin/tests/system/checkds/tests_checkds.py
@@ -0,0 +1,450 @@
+#!/usr/bin/python3
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import mmap
+import os
+import subprocess
+import sys
+import time
+
+import pytest
+
+pytest.importorskip("dns", minversion="2.0.0")
+import dns.exception
+import dns.message
+import dns.name
+import dns.query
+import dns.rcode
+import dns.rdataclass
+import dns.rdatatype
+import dns.resolver
+
+
+pytestmark = pytest.mark.skipif(
+    sys.version_info < (3, 7), reason="Python >= 3.7 required [GL #3001]"
+)
+
+
+def has_signed_apex_nsec(zone, response):
+    has_nsec = False
+    has_rrsig = False
+
+    ttl = 300
+    nextname = "a."
+    types = "NS SOA RRSIG NSEC DNSKEY CDS CDNSKEY"
+    match = "{0} {1} IN NSEC {2}{0} {3}".format(zone, ttl, nextname, types)
+    sig = "{0} {1} IN RRSIG NSEC 13 2 300".format(zone, ttl)
+
+    for rr in response.answer:
+        if match in rr.to_text():
+            has_nsec = True
+        if sig in rr.to_text():
+            has_rrsig = True
+
+    if not has_nsec:
+        print("error: missing apex NSEC record in response")
+    if not has_rrsig:
+        print("error: missing NSEC signature in response")
+
+    return has_nsec and has_rrsig
+
+
+def do_query(server, qname, qtype, tcp=False):
+    query = dns.message.make_query(qname, qtype, use_edns=True, want_dnssec=True)
+    try:
+        if tcp:
+            response = dns.query.tcp(
+                query, server.nameservers[0], timeout=3, port=server.port
+            )
+        else:
+            response = dns.query.udp(
+                query, server.nameservers[0], timeout=3, port=server.port
+            )
+    except dns.exception.Timeout:
+        print(
+            "error: query timeout for query {} {} to {}".format(
+                qname, qtype, server.nameservers[0]
+            )
+        )
+        return None
+
+    return response
+
+
+def verify_zone(zone, transfer):
+    verify = os.getenv("VERIFY")
+    assert verify is not None
+
+    filename = "{}out".format(zone)
+    with open(filename, "w", encoding="utf-8") as file:
+        for rr in transfer.answer:
+            file.write(rr.to_text())
+            file.write("\n")
+
+    # dnssec-verify command with default arguments.
+    verify_cmd = [verify, "-z", "-o", zone, filename]
+
+    verifier = subprocess.run(verify_cmd, capture_output=True, check=True)
+
+    if verifier.returncode != 0:
+        print("error: dnssec-verify {} failed".format(zone))
+        sys.stderr.buffer.write(verifier.stderr)
+
+    return verifier.returncode == 0
+
+
+def read_statefile(server, zone):
+    addr = server.nameservers[0]
+    count = 0
+    keyid = 0
+    state = {}
+
+    response = do_query(server, zone, "DS", tcp=True)
+    if not isinstance(response, dns.message.Message):
+        print("error: no response for {} DS from {}".format(zone, addr))
+        return {}
+
+    if response.rcode() == dns.rcode.NOERROR:
+        # fetch key id from response.
+        for rr in response.answer:
+            if rr.match(
+                dns.name.from_text(zone),
+                dns.rdataclass.IN,
+                dns.rdatatype.DS,
+                dns.rdatatype.NONE,
+            ):
+                if count == 0:
+                    keyid = list(dict(rr.items).items())[0][0].key_tag
+                count += 1
+
+        if count != 1:
+            print(
+                "error: expected a single DS in response for {} from {},"
+                "got {}".format(zone, addr, count)
+            )
+            return {}
+    else:
+        print(
+            "error: {} response for {} DNSKEY from {}".format(
+                dns.rcode.to_text(response.rcode()), zone, addr
+            )
+        )
+        return {}
+
+    filename = "ns9/K{}+013+{:05d}.state".format(zone, keyid)
+    print("read state file {}".format(filename))
+
+    try:
+        with open(filename, "r", encoding="utf-8") as file:
+            for line in file:
+                if line.startswith(";"):
+                    continue
+                key, val = line.strip().split(":", 1)
+                state[key.strip()] = val.strip()
+
+    except FileNotFoundError:
+        # file may not be written just yet.
+        return {}
+
+    return state
+
+
+def zone_check(server, zone):
+    addr = server.nameservers[0]
+
+    # wait until zone is fully signed.
+    signed = False
+    for _ in range(10):
+        response = do_query(server, zone, "NSEC")
+        if not isinstance(response, dns.message.Message):
+            print("error: no response for {} NSEC from {}".format(zone, addr))
+        elif response.rcode() == dns.rcode.NOERROR:
+            signed = has_signed_apex_nsec(zone, response)
+        else:
+            print(
+                "error: {} response for {} NSEC from {}".format(
+                    dns.rcode.to_text(response.rcode()), zone, addr
+                )
+            )
+
+        if signed:
+            break
+
+        time.sleep(1)
+
+    assert signed
+
+    # check if zone if DNSSEC valid.
+    verified = False
+    transfer = do_query(server, zone, "AXFR", tcp=True)
+    if not isinstance(transfer, dns.message.Message):
+        print("error: no response for {} AXFR from {}".format(zone, addr))
+    elif transfer.rcode() == dns.rcode.NOERROR:
+        verified = verify_zone(zone, transfer)
+    else:
+        print(
+            "error: {} response for {} AXFR from {}".format(
+                dns.rcode.to_text(transfer.rcode()), zone, addr
+            )
+        )
+
+    assert verified
+
+
+def keystate_check(server, zone, key):
+    val = 0
+    deny = False
+
+    search = key
+    if key.startswith("!"):
+        deny = True
+        search = key[1:]
+
+    for _ in range(10):
+        state = read_statefile(server, zone)
+        try:
+            val = state[search]
+        except KeyError:
+            pass
+
+        if not deny and val != 0:
+            break
+        if deny and val == 0:
+            break
+
+        time.sleep(1)
+
+    if deny:
+        assert val == 0
+    else:
+        assert val != 0
+
+
+def wait_for_log(filename, log):
+    found = False
+
+    for _ in range(10):
+        print("read log file {}".format(filename))
+
+        try:
+            with open(filename, "r", encoding="utf-8") as file:
+                s = mmap.mmap(file.fileno(), 0, access=mmap.ACCESS_READ)
+                if s.find(bytes(log, "ascii")) != -1:
+                    found = True
+        except FileNotFoundError:
+            print("file not found {}".format(filename))
+
+        if found:
+            break
+
+        print("sleep")
+        time.sleep(1)
+
+    assert found
+
+
+def test_checkds_dspublished(named_port):
+    # We create resolver instances that will be used to send queries.
+    server = dns.resolver.Resolver()
+    server.nameservers = ["10.53.0.9"]
+    server.port = named_port
+
+    parent = dns.resolver.Resolver()
+    parent.nameservers = ["10.53.0.2"]
+    parent.port = named_port
+
+    # DS correctly published in parent.
+    zone_check(server, "dspublished.checkds.")
+    wait_for_log(
+        "ns9/named.run",
+        "zone dspublished.checkds/IN (signed): checkds: DS response from 10.53.0.2",
+    )
+    keystate_check(parent, "dspublished.checkds.", "DSPublish")
+
+    # DS correctly published in parent (reference to parental-agent).
+    zone_check(server, "reference.checkds.")
+    wait_for_log(
+        "ns9/named.run",
+        "zone reference.checkds/IN (signed): checkds: DS response from 10.53.0.2",
+    )
+    keystate_check(parent, "reference.checkds.", "DSPublish")
+
+    # DS not published in parent.
+    zone_check(server, "missing-dspublished.checkds.")
+    wait_for_log(
+        "ns9/named.run",
+        "zone missing-dspublished.checkds/IN (signed): checkds: "
+        "empty DS response from 10.53.0.5",
+    )
+    keystate_check(parent, "missing-dspublished.checkds.", "!DSPublish")
+
+    # Badly configured parent.
+    zone_check(server, "bad-dspublished.checkds.")
+    wait_for_log(
+        "ns9/named.run",
+        "zone bad-dspublished.checkds/IN (signed): checkds: "
+        "bad DS response from 10.53.0.6",
+    )
+    keystate_check(parent, "bad-dspublished.checkds.", "!DSPublish")
+
+    # TBD: DS published in parent, but bogus signature.
+
+    # DS correctly published in all parents.
+    zone_check(server, "multiple-dspublished.checkds.")
+    wait_for_log(
+        "ns9/named.run",
+        "zone multiple-dspublished.checkds/IN (signed): checkds: "
+        "DS response from 10.53.0.2",
+    )
+    wait_for_log(
+        "ns9/named.run",
+        "zone multiple-dspublished.checkds/IN (signed): checkds: "
+        "DS response from 10.53.0.4",
+    )
+    keystate_check(parent, "multiple-dspublished.checkds.", "DSPublish")
+
+    # DS published in only one of multiple parents.
+    zone_check(server, "incomplete-dspublished.checkds.")
+    wait_for_log(
+        "ns9/named.run",
+        "zone incomplete-dspublished.checkds/IN (signed): checkds: "
+        "DS response from 10.53.0.2",
+    )
+    wait_for_log(
+        "ns9/named.run",
+        "zone incomplete-dspublished.checkds/IN (signed): checkds: "
+        "DS response from 10.53.0.4",
+    )
+    wait_for_log(
+        "ns9/named.run",
+        "zone incomplete-dspublished.checkds/IN (signed): checkds: "
+        "empty DS response from 10.53.0.5",
+    )
+    keystate_check(parent, "incomplete-dspublished.checkds.", "!DSPublish")
+
+    # One of the parents is badly configured.
+    zone_check(server, "bad2-dswithdrawn.checkds.")
+    wait_for_log(
+        "ns9/named.run",
+        "zone bad2-dspublished.checkds/IN (signed): checkds: "
+        "DS response from 10.53.0.2",
+    )
+    wait_for_log(
+        "ns9/named.run",
+        "zone bad2-dspublished.checkds/IN (signed): checkds: "
+        "DS response from 10.53.0.4",
+    )
+    wait_for_log(
+        "ns9/named.run",
+        "zone bad2-dspublished.checkds/IN (signed): checkds: "
+        "bad DS response from 10.53.0.6",
+    )
+    keystate_check(parent, "bad2-dspublished.checkds.", "!DSPublish")
+
+    # TBD: DS published in all parents, but one has bogus signature.
+
+    # TBD: Check with TSIG
+
+
+def test_checkds_dswithdrawn(named_port):
+    # We create resolver instances that will be used to send queries.
+    server = dns.resolver.Resolver()
+    server.nameservers = ["10.53.0.9"]
+    server.port = named_port
+
+    parent = dns.resolver.Resolver()
+    parent.nameservers = ["10.53.0.2"]
+    parent.port = named_port
+
+    # DS correctly published in single parent.
+    zone_check(server, "dswithdrawn.checkds.")
+    wait_for_log(
+        "ns9/named.run",
+        "zone dswithdrawn.checkds/IN (signed): checkds: "
+        "empty DS response from 10.53.0.5",
+    )
+    keystate_check(parent, "dswithdrawn.checkds.", "DSRemoved")
+
+    # DS not withdrawn from parent.
+    zone_check(server, "missing-dswithdrawn.checkds.")
+    wait_for_log(
+        "ns9/named.run",
+        "zone missing-dswithdrawn.checkds/IN (signed): checkds: "
+        "DS response from 10.53.0.2",
+    )
+    keystate_check(parent, "missing-dswithdrawn.checkds.", "!DSRemoved")
+
+    # Badly configured parent.
+    zone_check(server, "bad-dswithdrawn.checkds.")
+    wait_for_log(
+        "ns9/named.run",
+        "zone bad-dswithdrawn.checkds/IN (signed): checkds: "
+        "bad DS response from 10.53.0.6",
+    )
+    keystate_check(parent, "bad-dswithdrawn.checkds.", "!DSRemoved")
+
+    # TBD: DS published in parent, but bogus signature.
+
+    # DS correctly withdrawn from all parents.
+    zone_check(server, "multiple-dswithdrawn.checkds.")
+    wait_for_log(
+        "ns9/named.run",
+        "zone multiple-dswithdrawn.checkds/IN (signed): checkds: "
+        "empty DS response from 10.53.0.5",
+    )
+    wait_for_log(
+        "ns9/named.run",
+        "zone multiple-dswithdrawn.checkds/IN (signed): checkds: "
+        "empty DS response from 10.53.0.7",
+    )
+    keystate_check(parent, "multiple-dswithdrawn.checkds.", "DSRemoved")
+
+    # DS withdrawn from only one of multiple parents.
+    zone_check(server, "incomplete-dswithdrawn.checkds.")
+    wait_for_log(
+        "ns9/named.run",
+        "zone incomplete-dswithdrawn.checkds/IN (signed): checkds: "
+        "DS response from 10.53.0.2",
+    )
+    wait_for_log(
+        "ns9/named.run",
+        "zone incomplete-dswithdrawn.checkds/IN (signed): checkds: "
+        "empty DS response from 10.53.0.5",
+    )
+    wait_for_log(
+        "ns9/named.run",
+        "zone incomplete-dswithdrawn.checkds/IN (signed): checkds: "
+        "empty DS response from 10.53.0.7",
+    )
+    keystate_check(parent, "incomplete-dswithdrawn.checkds.", "!DSRemoved")
+
+    # One of the parents is badly configured.
+    zone_check(server, "bad2-dswithdrawn.checkds.")
+    wait_for_log(
+        "ns9/named.run",
+        "zone bad2-dswithdrawn.checkds/IN (signed): checkds: "
+        "empty DS response from 10.53.0.5",
+    )
+    wait_for_log(
+        "ns9/named.run",
+        "zone bad2-dswithdrawn.checkds/IN (signed): checkds: "
+        "empty DS response from 10.53.0.7",
+    )
+    wait_for_log(
+        "ns9/named.run",
+        "zone bad2-dswithdrawn.checkds/IN (signed): checkds: "
+        "bad DS response from 10.53.0.6",
+    )
+    keystate_check(parent, "bad2-dswithdrawn.checkds.", "!DSRemoved")
+
+    # TBD: DS withdrawn from all parents, but one has bogus signature.
diff --git a/bin/tests/system/checkdstool/clean.sh b/bin/tests/system/checkdstool/clean.sh
new file mode 100644
index 0000000..fb853c5
--- /dev/null
+++ b/bin/tests/system/checkdstool/clean.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f checkds.*
+rm -f ns*/named.lock
diff --git a/bin/tests/system/checkdstool/dig.bat b/bin/tests/system/checkdstool/dig.bat
new file mode 100755
index 0000000..9465a46
--- /dev/null
+++ b/bin/tests/system/checkdstool/dig.bat
@@ -0,0 +1,32 @@
+@echo off
+set ext=
+set file=
+
+:loop
+@set arg=%1
+if "%arg%" == "" goto end
+if "%arg:~0,1%" == "+" goto next
+if "%arg%" == "-t" goto next
+if "%arg%" == "ds" goto ds
+if "%arg%" == "DS" goto ds
+if "%arg%" == "dnskey" goto dnskey
+if "%arg%" == "DNSKEY" goto dnskey
+set file=%arg%
+goto next
+
+:ds
+set ext=ds
+goto next
+
+:dnskey
+set ext=dnskey
+goto next
+
+:next
+shift
+goto loop
+
+:end
+
+set name=%file%.%ext%.db
+type %name%
diff --git a/bin/tests/system/checkdstool/dig.pl b/bin/tests/system/checkdstool/dig.pl
new file mode 100644
index 0000000..3713b2c
--- /dev/null
+++ b/bin/tests/system/checkdstool/dig.pl
@@ -0,0 +1,41 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+my $arg;
+my $ext;
+my $file;
+
+foreach $arg (@ARGV) {
+    if ($arg =~ /^\+/) {
+        next;
+    }
+    if ($arg =~ /^-t/) {
+        next;
+    }
+    if ($arg =~ /^ds$/i) {
+        $ext = "ds";
+        next;
+    }
+    if ($arg =~ /^dnskey$/i) {
+        $ext = "dnskey";
+        next;
+    }
+    $file = $arg;
+    next;
+}
+
+open F, $file . "." . $ext . ".db" || die $!;
+while (<F>) {
+    print;
+}
+close F;
diff --git a/bin/tests/system/checkdstool/dig.sh b/bin/tests/system/checkdstool/dig.sh
new file mode 100755
index 0000000..7b3a1b2
--- /dev/null
+++ b/bin/tests/system/checkdstool/dig.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+while [ "$#" != 0 ]; do
+    case $1 in
+    +*) shift ;;
+    -t) shift ;;
+    DS|ds) ext=ds ; shift ;;
+    DNSKEY|dnskey) ext=dnskey ; shift ;;
+    *) file=$1 ; shift ;;
+    esac
+done
+
+cat ${file}.${ext}.db
diff --git a/bin/tests/system/checkdstool/missing.example.dnskey.db b/bin/tests/system/checkdstool/missing.example.dnskey.db
new file mode 100644
index 0000000..e372130
--- /dev/null
+++ b/bin/tests/system/checkdstool/missing.example.dnskey.db
@@ -0,0 +1,3 @@
+missing.example.	3600	IN	DNSKEY 257 3 5 AwEAAc6Cz10GXEh5lxA9ujTY/QarTajcUOBwwBYIeldjRsgoouK/UioY FYgxEFL0O5JK6YCRUoGzl3EgLr5GvNyhIp1PZpOpHf7o/4MVOZTGJzm/ sHWP5B+KcYjQOxJiDb433iCmRM4DpHPUUoxw0QbZglzAzl5MfKBoyZud lH59DdT/50bkBg8iVu35EzuW0SYt31k70hxHBSb2wAGWeqxEPKJ1nQiI UcrWNDeem7byrqjPN9wyZhq0XkQ9qbcYxAkRNd8Y7P0FyR1YKJMc6SWZ Ru7muvxqTHgCtJVgxVz4qndCFKdYidiDeKe2/X/z5gf7pyYl3549O8JR tWdNKqutppk=
+missing.example.	3600	IN	DNSKEY	257 3 5 BEAAAAOhHQDBrhQbtphgq2wQUpEQ5t4DtUHxoMVFu2hWLDMvoOMRXjG rhhCeFvAZih7yJHf8ZGfW6hd38hXG/xylYCO6Krpbdojwx8YMXLA5/kA +u50WIL8ZR1R6KTbsYVMf/Qx5RiNbPClw+vT+U8eXEJmO20jIS1ULgqy 347cBB1zMnnz/4LJpA0da9CbKj3A254T515sNIMcwsB8/2+2E63/zZrQ zBkj0BrN/9Bexjpiks3jRhZatEsXn3dTy47R09Uix5WcJt+xzqZ7+ysy LKOOedS39Z7SDmsn2eA0FKtQpwA6LXeG2w+jxmw3oA8lVUgEf/rzeC/b ByBNsO70aEFTd
+missing.example.	3600	IN	DNSKEY	256 3 5 BQEAAAAB2F1v2HWzCCE9vNsKfk0K8vd4EBwizNT9KO6WYXj0oxEL4eOJ aXbax/BzPFx+3qO8B8pu8E/JjkWH0oaYz4guUyTVmT5Eelg44Vb1kssy q8W27oQ+9qNiP8Jv6zdOj0uCB/N0fxfVL3371xbednFqoECfSFDZa6Hw jU1qzveSsW0=
diff --git a/bin/tests/system/checkdstool/missing.example.ds.db b/bin/tests/system/checkdstool/missing.example.ds.db
new file mode 100644
index 0000000..540ec0b
--- /dev/null
+++ b/bin/tests/system/checkdstool/missing.example.ds.db
@@ -0,0 +1,2 @@
+missing.example.	3600	IN	DS	12892 5 2 EF59E5C70BC4153B7DB4C11F9C36B729577DA71474E0A5C9B8875173 6E583200
+missing.example.	3600	IN	DS	12892 5 1 9D4CD60491D372207FA584D2EE460CC51D7FF8A7
diff --git a/bin/tests/system/checkdstool/none.example.dnskey.db b/bin/tests/system/checkdstool/none.example.dnskey.db
new file mode 100644
index 0000000..76ae905
--- /dev/null
+++ b/bin/tests/system/checkdstool/none.example.dnskey.db
@@ -0,0 +1,3 @@
+none.example.	3600	IN	DNSKEY 257 3 5 AwEAAc6Cz10GXEh5lxA9ujTY/QarTajcUOBwwBYIeldjRsgoouK/UioY FYgxEFL0O5JK6YCRUoGzl3EgLr5GvNyhIp1PZpOpHf7o/4MVOZTGJzm/ sHWP5B+KcYjQOxJiDb433iCmRM4DpHPUUoxw0QbZglzAzl5MfKBoyZud lH59DdT/50bkBg8iVu35EzuW0SYt31k70hxHBSb2wAGWeqxEPKJ1nQiI UcrWNDeem7byrqjPN9wyZhq0XkQ9qbcYxAkRNd8Y7P0FyR1YKJMc6SWZ Ru7muvxqTHgCtJVgxVz4qndCFKdYidiDeKe2/X/z5gf7pyYl3549O8JR tWdNKqutppk=
+none.example.	3600	IN	DNSKEY	257 3 5 BEAAAAOhHQDBrhQbtphgq2wQUpEQ5t4DtUHxoMVFu2hWLDMvoOMRXjG rhhCeFvAZih7yJHf8ZGfW6hd38hXG/xylYCO6Krpbdojwx8YMXLA5/kA +u50WIL8ZR1R6KTbsYVMf/Qx5RiNbPClw+vT+U8eXEJmO20jIS1ULgqy 347cBB1zMnnz/4LJpA0da9CbKj3A254T515sNIMcwsB8/2+2E63/zZrQ zBkj0BrN/9Bexjpiks3jRhZatEsXn3dTy47R09Uix5WcJt+xzqZ7+ysy LKOOedS39Z7SDmsn2eA0FKtQpwA6LXeG2w+jxmw3oA8lVUgEf/rzeC/b ByBNsO70aEFTd
+none.example.	3600	IN	DNSKEY	256 3 5 BQEAAAAB2F1v2HWzCCE9vNsKfk0K8vd4EBwizNT9KO6WYXj0oxEL4eOJ aXbax/BzPFx+3qO8B8pu8E/JjkWH0oaYz4guUyTVmT5Eelg44Vb1kssy q8W27oQ+9qNiP8Jv6zdOj0uCB/N0fxfVL3371xbednFqoECfSFDZa6Hw jU1qzveSsW0=
diff --git a/bin/tests/system/checkdstool/none.example.ds.db b/bin/tests/system/checkdstool/none.example.ds.db
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/bin/tests/system/checkdstool/none.example.ds.db
diff --git a/bin/tests/system/checkdstool/ok.example.dnskey.db b/bin/tests/system/checkdstool/ok.example.dnskey.db
new file mode 100644
index 0000000..c767c8f
--- /dev/null
+++ b/bin/tests/system/checkdstool/ok.example.dnskey.db
@@ -0,0 +1,2 @@
+ok.example.	625	IN	DNSKEY	257 3 5 BEAAAAOhHQDBrhQbtphgq2wQUpEQ5t4DtUHxoMVFu2hWLDMvoOMRXjGr hhCeFvAZih7yJHf8ZGfW6hd38hXG/xylYCO6Krpbdojwx8YMXLA5/kA+ u50WIL8ZR1R6KTbsYVMf/Qx5RiNbPClw+vT+U8eXEJmO20jIS1ULgqy3 47cBB1zMnnz/4LJpA0da9CbKj3A254T515sNIMcwsB8/2+2E63/zZrQz Bkj0BrN/9Bexjpiks3jRhZatEsXn3dTy47R09Uix5WcJt+xzqZ7+ysyL KOOedS39Z7SDmsn2eA0FKtQpwA6LXeG2w+jxmw3oA8lVUgEf/rzeC/bB yBNsO70aEFTd
+ok.example.	625	IN	DNSKEY	256 3 5 BQEAAAAB2F1v2HWzCCE9vNsKfk0K8vd4EBwizNT9KO6WYXj0oxEL4eOJ aXbax/BzPFx+3qO8B8pu8E/JjkWH0oaYz4guUyTVmT5Eelg44Vb1kssy q8W27oQ+9qNiP8Jv6zdOj0uCB/N0fxfVL3371xbednFqoECfSFDZa6Hw jU1qzveSsW0=
diff --git a/bin/tests/system/checkdstool/ok.example.ds.db b/bin/tests/system/checkdstool/ok.example.ds.db
new file mode 100644
index 0000000..96b159b
--- /dev/null
+++ b/bin/tests/system/checkdstool/ok.example.ds.db
@@ -0,0 +1,2 @@
+ok.example.	3600	IN	DS	12892 5 2 26584835CA80C81C91999F31CFAF2A0E89D4FF1C8FAFD0DDB31A85C7 19277C13
+ok.example.	3600	IN	DS	12892 5 1 7AA4A3F416C2F2391FB7AB0D434F762CD62D1390
diff --git a/bin/tests/system/checkdstool/prep.example.db b/bin/tests/system/checkdstool/prep.example.db
new file mode 100644
index 0000000..5ba5987
--- /dev/null
+++ b/bin/tests/system/checkdstool/prep.example.db
@@ -0,0 +1,121 @@
+; File written on Thu Oct  5 23:44:34 2017
+; dnssec_signzone version 9.12.0a1
+prep.example.		300	IN SOA	ns1.prep.example. hostmaster.prep.example. (
+					1          ; serial
+					2000       ; refresh (33 minutes 20 seconds)
+					2000       ; retry (33 minutes 20 seconds)
+					1814400    ; expire (3 weeks)
+					3600       ; minimum (1 hour)
+					)
+			300	RRSIG	SOA 8 2 300 (
+					20171105054434 20171006054434 19260 prep.example.
+					1fX0z7Swu4gMPews/ZE8bzNg+JXNedFBDGIH
+					PTSfVQtVLIvRWpME+PylX7MdVMZE/PST+x4/
+					mWyveyjetEOo7/7aQL236FfI0y6TxQFy7HwC
+					FMieqoQCUluuKOvToxg4vUp4GOdlUGbqC63h
+					DbX5Z37VptJXLkt4niF4Kl2iD+U9/bk7HAEU
+					4zDiKroYnusGKfVB9xAWddzoHdLxhVuPi7ut
+					328suPdgX0bfs7uB+y4cikhGzAmPpNMlGHju
+					qYG74NcFGQNutLB7ayx/m87t7mTty7jbNKm3
+					QWJSPf5IR8/kmzAi8HMnapY5vUmm+hX8JOfU
+					UtH7i0iEsUqRbEwu5A== )
+			300	NS	ns1.prep.example.
+			300	RRSIG	NS 8 2 300 (
+					20171105054434 20171006054434 19260 prep.example.
+					u5sU2cfqNqIyCLw18ZNnFw28/GyRt0EOiPYS
+					dygmpfMDrvDaxjiiai8zWYjnl/E3qzVH9Zku
+					07lEDORZdVb0uCDe1NynjAyw4AHps85cAwVc
+					8HTSbzdVZsQTELpunYFJffh24PDr9unw7KOY
+					jzTP6qNedJ1uM54TOr177zfmBh7N2fkAoGyV
+					NjvTKrlgDYGNIn8/YMgHb4sNgyfe54MYY00f
+					kehVxfKnRCgDsbJ0Pk6jhBMCQWvOh8jG8WyV
+					ElAa/eMqlxUC1idF8ydWefjsI/7lPcjSalw9
+					qZw4CDCLHHZy0TOSmCYRRZuIeVXzBfDPJyi4
+					2A3iLntKFJ4AOLFMJg== )
+			3600	NSEC	ns1.prep.example. NS SOA RRSIG NSEC DNSKEY
+			3600	RRSIG	NSEC 8 2 3600 (
+					20171105054434 20171006054434 19260 prep.example.
+					Aed99/jdG82YAkKVWjoKOsAGtB3JnyKkCaAq
+					zgMrYkXU41y3KDCAmGzooGPQY7NN+WxX7FJ2
+					1nXkgljma/azgpsbi9ssneFtv7PPFClVmN+u
+					j+mM4MK/ZR7eJOsMqETg4PAO5VAh6c/GVmyA
+					RD/m6EhJVZEjPfLWbDoC4hVAgem7DP/NMjyI
+					GfztpDjMmyLQyv6tL+UEXSJHGp3ZEa5Z5i7X
+					Nl/bRTUlZs7L4rTgoqHv6LEmsXKAf9rZYq4b
+					eP6GF9I1Ry41MfHLc7lPUmtR38ErEsM5uGzw
+					trCQYEFhuRWUBxZ8OSL2EZK9rUBXZX+cwK/8
+					ZP7mIfDfljkXPQcmow== )
+			3600	DNSKEY	256 3 8 (
+					AwEAAfMzj6aZIgZDVcpH1pKOtq998E85+nEY
+					YJa0lLS8+QTCC1Efke8GLwsXT0IPTuwnOuXM
+					RjySirab0NuEr69T8KP/43YxcRdmCg89mjjN
+					szoVPPstC9xBKVOc0pRMDF7sfsTrSye3RY7+
+					Z6uZEH5FOAkz2hNbJJHOn4HpNUhLPJGRauhf
+					0evamwUmQ/mlhkVW5q4WmqPCDMNY3K6XtkEm
+					cvm8n9ZCXC9Z5AX6KpynujzLdKyxpdGqUk6r
+					lavp9ILPpRKoTZDX+2q1pDgP5cDndwtgNSvU
+					DBQZoD0psS2cyB3PHo+dPwwpEyM//ZSKsH9m
+					e85Ti0413TOWFyFd/jUOUA8=
+					) ; ZSK; alg = RSASHA256 ; key id = 19260
+			3600	DNSKEY	257 3 8 (
+					AwEAAbV8X06Qvk350aZ6eZ1d7WbT1H/Y0Sv7
+					qAdbk5fbYIKpMvZ8D9xqoTHgD0z0uCgWWIcm
+					/xyKBfmax76oLwMBpR/kdtuJz0irgFITnJCH
+					pEfR9AJ/Mfm7NyMglq+/39I03E1/LXvpXQLG
+					tg+Mo/2CUE5sbG31jmPNK/2J8RMESkIi87fW
+					azZU/oyUEtECE5PGbdyw+4PacAsXNjnwl30T
+					aatL277wX4pt+IUPdE6EIph3t+dxXJ7OpHgW
+					8g+YSHLlCImLVapdg3oD/cs6ncaBq9z7la5Y
+					dHNw2QAIAvQ11EsonrkonPqO6zNVZAVdT2VB
+					X5YzGAoCFUvbCvlnl2a7SxM=
+					) ; KSK; alg = RSASHA256 ; key id = 65482
+			3600	RRSIG	DNSKEY 8 2 3600 (
+					20171105054434 20171006054434 19260 prep.example.
+					pPw81pJ3PeF+tqEswTul9N8Qsl9JKgK4v8SV
+					lPfP0pnlMBMbtMFFkx5ZmhQg3Z3U8SdE64Bt
+					C5St3qItyyKdTQ0Rbm9mfV6twxDB8lVry8F7
+					Pv7gJmmcWzBcbLGcrXIrVNSZhigkemQXTElj
+					P8y1j7kaNFWBWbDMn7KesiZ9BiC6sqvuKa3R
+					wSofjwXTESspWZP0NtXr5ymaBIMR9UtNj5Wh
+					jm1+tg6BxNBKxhCHlSC0ltPS/qq9J1ZUmtJz
+					sj/EAFfPVJVuEveebMvi1oDWPTgajO9+EHl4
+					ELrgnQHCgaybMzbpd/A5+Tr1hQkv48I8Mb0/
+					8LJ2/6xrvJm64yRteg== )
+			3600	RRSIG	DNSKEY 8 2 3600 (
+					20171105054434 20171006054434 65482 prep.example.
+					WeIWiC9SnBe2+UocVjpap62O8Rz+iljwJiu9
+					VlGUwct3Vydq4/4FVAKdPklXV5cYbBLhO2MB
+					3R4toX8RNU/0Ny8DnugQzLKvVfg0xoyU/UAJ
+					k4aWa/vPivSLGouLQPiNp71bdXN4LB/2xmzu
+					cPYXzS9ePpwCOp/9JLoNjBSMQkfjfWAcaNtj
+					1DKDmHHL1sPMizninxSJLQOAKb+JwUAjAkOM
+					O1JqwkB12/IZuzxN5hly+uNsbFFxPzQkcnJ4
+					5bhzxuh5D/JRXW0nF5aO4aR+9X+lSUpDJQZ1
+					5fOt1cybZCn/ag68RA92zrnisdbrggJGS003
+					wn/VKbLVfFj3eQrfNA== )
+ns1.prep.example.	300	IN A	1.1.1.1
+			300	RRSIG	A 8 3 300 (
+					20171105054434 20171006054434 19260 prep.example.
+					QUyDyJVk3JGEq+VTZtY3firzsRqOA0LUm3Tf
+					/fnemQBeOlMda2ErA7DqYVriIGfM8jph416E
+					YX8SKAZXGEAlsEbC9cWBVyc5TYH6tZ43sV51
+					55kGTiUY92NnrH10Q+m2SLAEEaKCA/cgBwOR
+					tN2Wb1meHgiLbGYN2LbANfDQzoEk4AYAgT6r
+					wDKVVg/V9Ed7JnCnBQc9MN9+LQ3h4NBGUiEY
+					mr7HX2w+yzqcGFNLI1aFPe2IwFt120QPLyyl
+					cZgc6FUBX4YCnWoCb0aFyyOT76AQkKF5YBRn
+					gAv6S8q1pZ/0B5w4gjaLEGlts3LG0bxZ1GJd
+					gCQMEhgYgyXUchTtZA== )
+			3600	NSEC	prep.example. A RRSIG NSEC
+			3600	RRSIG	NSEC 8 3 3600 (
+					20171105054434 20171006054434 19260 prep.example.
+					rDWN40u1a3DSzWOrS+4YR2XOxaem0BAQ/glN
+					QkXNDew1WsZo3fe0IHIhDKlJ/5MJAfAHq8Xs
+					A5UGUw2efoNAN/0LuWsI/9IPm4dwQOXiTCly
+					uxugXf5islPYyvn1Z14ay/7/2P3W6HZknXzo
+					lZFpwqfFZQCxz7c/1aH+2ntAMeqx8LHuewSr
+					Rz/sLsSiCcZQ6NMWnZdoC5SGy4CTcIIPPS8z
+					9dQ6QYTC5iq4MKRfyJUyvODyU9be4e6jbo5b
+					mjRcov4ttbImhD5jrLAZIfjO6DSazGNVFf/x
+					6rjxjrc8SISPkt2xYwcOlYch9OZuoH86wcZu
+					3Don6yAnLDYDrZylAA== )
diff --git a/bin/tests/system/checkdstool/prep.example.ds.db b/bin/tests/system/checkdstool/prep.example.ds.db
new file mode 100644
index 0000000..dddcad6
--- /dev/null
+++ b/bin/tests/system/checkdstool/prep.example.ds.db
@@ -0,0 +1,2 @@
+prep.example.		IN DS 65482 8 1 F3673708FBADDEC3EB55933E2E393ACE85EAC2BB
+prep.example.		IN DS 65482 8 2 51A7C97AAC42803DA515D1CAFEE28031A5018F6345F12F4B6C1B6D20 02B59820
diff --git a/bin/tests/system/checkdstool/tests.sh b/bin/tests/system/checkdstool/tests.sh
new file mode 100644
index 0000000..4248b11
--- /dev/null
+++ b/bin/tests/system/checkdstool/tests.sh
@@ -0,0 +1,117 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if [ "$CYGWIN" ]; then
+    DIG=".\dig.bat"
+    WINDSFROMKEY=`cygpath -w $DSFROMKEY`
+    CHECKDS="$CHECKDS -a sha1 -a sha256 -d $DIG -D $WINDSFROMKEY"
+else
+    DIG="./dig.sh"
+    CHECKDS="$CHECKDS -a sha1 -a sha256 -d $DIG -D $DSFROMKEY"
+fi
+chmod +x $DIG
+
+status=0
+n=1
+
+echo_i "checking for correct DS, looking up key via 'dig' ($n)"
+ret=0
+$CHECKDS ok.example > checkds.out.$n 2>&1 || ret=1
+grep 'SHA-1' checkds.out.$n > /dev/null 2>&1 || ret=1
+grep 'SHA-256' checkds.out.$n > /dev/null 2>&1 || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking for correct DS, obtaining key from file ($n)"
+ret=0
+$CHECKDS -f ok.example.dnskey.db ok.example > checkds.out.$n 2>&1 || ret=1
+grep 'SHA-1' checkds.out.$n > /dev/null 2>&1 || ret=1
+grep 'SHA-256' checkds.out.$n > /dev/null 2>&1 || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking for incorrect DS, looking up key via 'dig' ($n)"
+ret=0
+$CHECKDS wrong.example > checkds.out.$n 2>&1 || ret=1
+grep 'SHA-1' checkds.out.$n > /dev/null 2>&1 || ret=1
+grep 'SHA-256' checkds.out.$n > /dev/null 2>&1 || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking for incorrect DS, obtaining key from file ($n)"
+ret=0
+$CHECKDS -f wrong.example.dnskey.db wrong.example > checkds.out.$n 2>&1 || ret=1
+grep 'SHA-1' checkds.out.$n > /dev/null 2>&1 || ret=1
+grep 'SHA-256' checkds.out.$n > /dev/null 2>&1 || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking for partially missing DS, looking up key via 'dig' ($n)"
+ret=0
+$CHECKDS missing.example > checkds.out.$n 2>&1 && ret=1
+grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 || ret=1
+grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 || ret=1
+grep 'SHA-1.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1
+grep 'SHA-256.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking for partially missing DS, obtaining key from file ($n)"
+ret=0
+$CHECKDS -f missing.example.dnskey.db missing.example > checkds.out.$n 2>&1 && ret=1
+grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 || ret=1
+grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 || ret=1
+grep 'SHA-1.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1
+grep 'SHA-256.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking for entirely missing DS, looking up key via 'dig' ($n)"
+ret=0
+$CHECKDS none.example > checkds.out.$n 2>&1 && ret=1
+grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 && ret=1
+grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking for entirely missing DS, obtaining key from file ($n)"
+ret=0
+$CHECKDS -f none.example.dnskey.db none.example > checkds.out.$n 2>&1 && ret=1
+grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 && ret=1
+grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking with prepared dsset file ($n)"
+ret=0
+$CHECKDS -f prep.example.db -s prep.example.ds.db prep.example > checkds.out.$n 2>&1 || ret=1
+grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 || ret=1
+grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+if [ $status = 0 ]; then $SHELL clean.sh; fi
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/checkdstool/wrong.example.dnskey.db b/bin/tests/system/checkdstool/wrong.example.dnskey.db
new file mode 100644
index 0000000..cc5bfd6
--- /dev/null
+++ b/bin/tests/system/checkdstool/wrong.example.dnskey.db
@@ -0,0 +1,2 @@
+wrong.example.                3600    IN      DNSKEY 257 3 5 AwEAAc6Cz10GXEh5lxA9ujTY/QarTajcUOBwwBYIeldjRsgoouK/UioY FYgxEFL0O5JK6YCRUoGzl3EgLr5GvNyhIp1PZpOpHf7o/4MVOZTGJzm/ sHWP5B+KcYjQOxJiDb433iCmRM4DpHPUUoxw0QbZglzAzl5MfKBoyZud lH59DdT/50bkBg8iVu35EzuW0SYt31k70hxHBSb2wAGWeqxEPKJ1nQiI UcrWNDeem7byrqjPN9wyZhq0XkQ9qbcYxAkRNd8Y7P0FyR1YKJMc6SWZ Ru7muvxqTHgCtJVgxVz4qndCFKdYidiDeKe2/X/z5gf7pyYl3549O8JR tWdNKqutppk=
+wrong.example.		        3600	IN	DNSKEY	256 3 5 BQEAAAAB2F1v2HWzCCE9vNsKfk0K8vd4EBwizNT9KO6WYXj0oxEL4eOJ aXbax/BzPFx+3qO8B8pu8E/JjkWH0oaYz4guUyTVmT5Eelg44Vb1kssy q8W27oQ+9qNiP8Jv6zdOj0uCB/N0fxfVL3371xbednFqoECfSFDZa6Hw jU1qzveSsW0=
diff --git a/bin/tests/system/checkdstool/wrong.example.ds.db b/bin/tests/system/checkdstool/wrong.example.ds.db
new file mode 100644
index 0000000..d7df610
--- /dev/null
+++ b/bin/tests/system/checkdstool/wrong.example.ds.db
@@ -0,0 +1,2 @@
+wrong.example.	3600	IN	DS 1192 5 1 684BB5119673C9272A0A7582AF8576561B5D80EC
+wrong.example.	3600	IN	DS 1192 5 2 14E4A873360E512CD2E8C2C331C4472F5EDAB0736669901F4D42E976 3D7B1F5C
diff --git a/bin/tests/system/checknames/clean.sh b/bin/tests/system/checknames/clean.sh
new file mode 100644
index 0000000..fcbd504
--- /dev/null
+++ b/bin/tests/system/checknames/clean.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f ns*/named.conf
+rm -f dig.out.ns?.test*
+rm -f nsupdate.out.test*
+rm -f ns1/*.example.db
+rm -f ns1/*.update.db
+rm -f ns1/*.update.db.jnl
+rm -f ns4/*.update.db
+rm -f ns4/*.update.db.jnl
+rm -f ns5/*.update.db
+rm -f ns5/*.update.db.jnl
+rm -f */named.memstats
+rm -f */named.run
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/checknames/ns1/fail.example.db.in b/bin/tests/system/checknames/ns1/fail.example.db.in
new file mode 100644
index 0000000..c4c06c3
--- /dev/null
+++ b/bin/tests/system/checknames/ns1/fail.example.db.in
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@	SOA ns1.fail.example. hostmaster.fail.example. (
+	    1 3600 1200 604800 3600 )
+	NS  ns1.fail.example.
+ns1.fail.example. A 10.53.0.1
+xx_xx.fail.example. A 127.0.0.1
diff --git a/bin/tests/system/checknames/ns1/fail.update.db.in b/bin/tests/system/checknames/ns1/fail.update.db.in
new file mode 100644
index 0000000..a360cfd
--- /dev/null
+++ b/bin/tests/system/checknames/ns1/fail.update.db.in
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@	SOA ns1.fail.update. hostmaster.fail.update. (
+	    1 3600 1200 604800 3600 )
+	NS  ns1.fail.update.
+ns1.fail.update. A 10.53.0.1
diff --git a/bin/tests/system/checknames/ns1/ignore.example.db.in b/bin/tests/system/checknames/ns1/ignore.example.db.in
new file mode 100644
index 0000000..148fa6a
--- /dev/null
+++ b/bin/tests/system/checknames/ns1/ignore.example.db.in
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@	SOA ns1.ignore.example. hostmaster.ignore.example. (
+	    1 3600 1200 604800 3600 )
+	NS  ns1.ignore.example.
+ns1.ignore.example. A 10.53.0.1
+yy_yy.ignore.example. A 10.53.0.1
+mx.ignore.example. MX 10 zz_zz.ignore.example.
diff --git a/bin/tests/system/checknames/ns1/ignore.update.db.in b/bin/tests/system/checknames/ns1/ignore.update.db.in
new file mode 100644
index 0000000..0925cef
--- /dev/null
+++ b/bin/tests/system/checknames/ns1/ignore.update.db.in
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@	SOA ns1.ignore.update. hostmaster.ignore.update. (
+	    1 3600 1200 604800 3600 )
+	NS  ns1.ignore.update.
+ns1.ignore.update. A 10.53.0.1
diff --git a/bin/tests/system/checknames/ns1/named.conf.in b/bin/tests/system/checknames/ns1/named.conf.in
new file mode 100644
index 0000000..a6a3a66
--- /dev/null
+++ b/bin/tests/system/checknames/ns1/named.conf.in
@@ -0,0 +1,70 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+	notify yes;
+	check-integrity no;
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
+
+zone "ignore.example" {
+	type primary;
+	file "ignore.example.db";
+	check-names ignore;
+};
+
+zone "warn.example" {
+	type primary;
+	file "warn.example.db";
+	check-names warn;
+};
+
+zone "fail.example" {
+	type primary;
+	file "fail.example.db";
+	check-names fail;
+};
+
+zone "ignore.update" {
+	type primary;
+	file "ignore.update.db";
+	allow-update { any; };
+	check-names ignore;
+};
+
+zone "warn.update" {
+	type primary;
+	file "warn.update.db";
+	allow-update { any; };
+	check-names warn;
+};
+
+zone "fail.update" {
+	type primary;
+	file "fail.update.db";
+	allow-update { any; };
+	check-names fail;
+};
diff --git a/bin/tests/system/checknames/ns1/root.db b/bin/tests/system/checknames/ns1/root.db
new file mode 100644
index 0000000..bc026a5
--- /dev/null
+++ b/bin/tests/system/checknames/ns1/root.db
@@ -0,0 +1,30 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@	SOA ns1. hostmaster.warn.example. (
+	    1 3600 1200 604800 3600 )
+	NS  ns1.
+ns1. A 10.53.0.1
+;
+ignore.example. NS ns1.ignore.example.
+ns1.ignore.example. A 10.53.0.1
+warn.example. NS ns1.warn.example.
+ns1.warn.example. A 10.53.0.1
+fail.example. NS ns1.fail.example.
+ns1.fail.example. A 10.53.0.1
+;
+ignore.update. NS ns1.ignore.update.
+ns1.ignore.update. A 10.53.0.1
+warn.update. NS ns1.warn.update.
+ns1.warn.update. A 10.53.0.1
+fail.update. NS ns1.fail.update.
+ns1.fail.update. A 10.53.0.1
diff --git a/bin/tests/system/checknames/ns1/warn.example.db.in b/bin/tests/system/checknames/ns1/warn.example.db.in
new file mode 100644
index 0000000..7b636fd
--- /dev/null
+++ b/bin/tests/system/checknames/ns1/warn.example.db.in
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@	SOA ns1.warn.example. hostmaster.warn.example. (
+	    1 3600 1200 604800 3600 )
+	NS  ns1.warn.example.
+ns1.warn.example. A 10.53.0.1
+xx_xx.warn.example. A 10.53.0.1
diff --git a/bin/tests/system/checknames/ns1/warn.update.db.in b/bin/tests/system/checknames/ns1/warn.update.db.in
new file mode 100644
index 0000000..9a9af97
--- /dev/null
+++ b/bin/tests/system/checknames/ns1/warn.update.db.in
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@	SOA ns1.warn.update. hostmaster.warn.update. (
+	    1 3600 1200 604800 3600 )
+	NS  ns1.warn.update.
+ns1.warn.update. A 10.53.0.1
diff --git a/bin/tests/system/checknames/ns2/named.conf.in b/bin/tests/system/checknames/ns2/named.conf.in
new file mode 100644
index 0000000..3ba62e1
--- /dev/null
+++ b/bin/tests/system/checknames/ns2/named.conf.in
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	check-names response warn;
+	notify yes;
+};
+
+zone "." {
+	type hint;
+	file "root.hints";
+};
diff --git a/bin/tests/system/checknames/ns2/root.hints b/bin/tests/system/checknames/ns2/root.hints
new file mode 100644
index 0000000..5e89d74
--- /dev/null
+++ b/bin/tests/system/checknames/ns2/root.hints
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. NS  ns1.
+ns1. A 10.53.0.1
diff --git a/bin/tests/system/checknames/ns3/named.conf.in b/bin/tests/system/checknames/ns3/named.conf.in
new file mode 100644
index 0000000..7c0cacb
--- /dev/null
+++ b/bin/tests/system/checknames/ns3/named.conf.in
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	check-names response fail;
+	notify yes;
+};
+
+zone "." {
+	type hint;
+	file "root.hints";
+};
diff --git a/bin/tests/system/checknames/ns3/root.hints b/bin/tests/system/checknames/ns3/root.hints
new file mode 100644
index 0000000..5e89d74
--- /dev/null
+++ b/bin/tests/system/checknames/ns3/root.hints
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. NS  ns1.
+ns1. A 10.53.0.1
diff --git a/bin/tests/system/checknames/ns4/named.conf.in b/bin/tests/system/checknames/ns4/named.conf.in
new file mode 100644
index 0000000..f0cb870
--- /dev/null
+++ b/bin/tests/system/checknames/ns4/named.conf.in
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	check-names primary ignore;
+	check-names secondary ignore;
+	notify yes;
+};
+
+zone "." {
+	type hint;
+	file "root.hints";
+};
+
+zone "primary-ignore.update" {
+	type primary;
+	file "primary-ignore.update.db";
+	allow-update { any; };
+};
+
+zone "master-ignore.update" {
+	type secondary;
+	primaries { 10.53.0.5; };
+	file "secondary-ignore.update.db";
+};
diff --git a/bin/tests/system/checknames/ns4/primary-ignore.update.db.in b/bin/tests/system/checknames/ns4/primary-ignore.update.db.in
new file mode 100644
index 0000000..b343cb1
--- /dev/null
+++ b/bin/tests/system/checknames/ns4/primary-ignore.update.db.in
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@	SOA ns4 hostmaster.ignore.update. (
+	    1 3600 1200 604800 3600 )
+	NS  ns4
+	NS  ns5
+ns4	A   10.53.0.4
+ns5	A   10.53.0.5
diff --git a/bin/tests/system/checknames/ns4/root.hints b/bin/tests/system/checknames/ns4/root.hints
new file mode 100644
index 0000000..5e89d74
--- /dev/null
+++ b/bin/tests/system/checknames/ns4/root.hints
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. NS  ns1.
+ns1. A 10.53.0.1
diff --git a/bin/tests/system/checknames/ns5/master-ignore.update.db.in b/bin/tests/system/checknames/ns5/master-ignore.update.db.in
new file mode 100644
index 0000000..1057248
--- /dev/null
+++ b/bin/tests/system/checknames/ns5/master-ignore.update.db.in
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@	SOA ns5. hostmaster.ignore.update. (
+	    1 3600 1200 604800 3600 )
+	NS  ns4
+	NS  ns5
+ns4	A   10.53.0.4
+ns5	A   10.53.0.5
diff --git a/bin/tests/system/checknames/ns5/named.conf.in b/bin/tests/system/checknames/ns5/named.conf.in
new file mode 100644
index 0000000..1797aa1
--- /dev/null
+++ b/bin/tests/system/checknames/ns5/named.conf.in
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.5;
+	notify-source 10.53.0.5;
+	transfer-source 10.53.0.5;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.5; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	check-names master ignore;
+	check-names slave ignore;
+	notify yes;
+};
+
+zone "." {
+	type hint;
+	file "root.hints";
+};
+
+zone "master-ignore.update" {
+	type primary;
+	file "master-ignore.update.db";
+	allow-update { any; };
+};
+
+zone "primary-ignore.update" {
+	type secondary;
+	primaries { 10.53.0.4; };
+	file "primary-ignore.update.db";
+};
diff --git a/bin/tests/system/checknames/ns5/root.hints b/bin/tests/system/checknames/ns5/root.hints
new file mode 100644
index 0000000..5e89d74
--- /dev/null
+++ b/bin/tests/system/checknames/ns5/root.hints
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. NS  ns1.
+ns1. A 10.53.0.1
diff --git a/bin/tests/system/checknames/setup.sh b/bin/tests/system/checknames/setup.sh
new file mode 100644
index 0000000..9b3fb1d
--- /dev/null
+++ b/bin/tests/system/checknames/setup.sh
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+
+cp ns1/ignore.example.db.in ns1/ignore.example.db
+cp ns1/warn.example.db.in ns1/warn.example.db
+cp ns1/fail.example.db.in ns1/fail.example.db
+
+cp ns1/ignore.update.db.in ns1/ignore.update.db
+cp ns1/warn.update.db.in ns1/warn.update.db
+cp ns1/fail.update.db.in ns1/fail.update.db
+
+cp ns4/primary-ignore.update.db.in ns4/primary-ignore.update.db
+
+cp ns5/master-ignore.update.db.in ns5/master-ignore.update.db
diff --git a/bin/tests/system/checknames/tests.sh b/bin/tests/system/checknames/tests.sh
new file mode 100644
index 0000000..0c36227
--- /dev/null
+++ b/bin/tests/system/checknames/tests.sh
@@ -0,0 +1,191 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=1
+
+DIGOPTS="+tcp +noadd +nosea +nostat +nocmd -p ${PORT}"
+
+wait_for_record () {
+	$DIG $DIGOPTS "$1" "$2" "$3" > "$4" || return 1
+	grep NOERROR "$4" > /dev/null || return 1
+	return 0
+}
+
+# Entry should exist.
+echo_i "check for failure from on zone load for 'check-names fail;' ($n)"
+ret=0
+$DIG $DIGOPTS fail.example. @10.53.0.1 a > dig.out.ns1.test$n || ret=1
+grep SERVFAIL dig.out.ns1.test$n > /dev/null || ret=1
+grep 'xx_xx.fail.example: bad owner name (check-names)' ns1/named.run > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+# Entry should exist.
+echo_i "check for warnings from on zone load for 'check-names warn;' ($n)"
+ret=0
+grep 'xx_xx.warn.example: bad owner name (check-names)' ns1/named.run > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+# Entry should not exist.
+echo_i "check for warnings from on zone load for 'check-names ignore;' ($n)"
+ret=1
+grep 'yy_yy.ignore.example: bad owner name (check-names)' ns1/named.run || ret=0
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+# Entry should exist
+echo_i "check that 'check-names response warn;' works ($n)"
+ret=0
+$DIG $DIGOPTS +noauth yy_yy.ignore.example. @10.53.0.1 a > dig.out.ns1.test$n || ret=1
+$DIG $DIGOPTS +noauth yy_yy.ignore.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
+digcomp dig.out.ns1.test$n dig.out.ns2.test$n || ret=1
+grep "check-names warning yy_yy.ignore.example/A/IN" ns2/named.run > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+# Entry should exist
+echo_i "check that 'check-names response (owner) fails;' works ($n)"
+ret=0
+$DIG $DIGOPTS yy_yy.ignore.example. @10.53.0.1 a > dig.out.ns1.test$n || ret=1
+$DIG $DIGOPTS yy_yy.ignore.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+grep NOERROR dig.out.ns1.test$n > /dev/null || ret=1
+grep REFUSED dig.out.ns3.test$n > /dev/null || ret=1
+grep "check-names failure yy_yy.ignore.example/A/IN" ns3/named.run > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+# Entry should exist
+echo_i "check that 'check-names response (rdata) fails;' works ($n)"
+ret=0
+$DIG $DIGOPTS mx.ignore.example. @10.53.0.1 MX > dig.out.ns1.test$n || ret=1
+$DIG $DIGOPTS mx.ignore.example. @10.53.0.3 MX > dig.out.ns3.test$n || ret=1
+grep NOERROR dig.out.ns1.test$n > /dev/null || ret=1
+grep SERVFAIL dig.out.ns3.test$n > /dev/null || ret=1
+grep "check-names failure mx.ignore.example/MX/IN" ns3/named.run > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+echo_i "check that updates to 'check-names fail;' are rejected ($n)"
+ret=0
+not=1
+$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 || not=0
+check-names off
+server 10.53.0.1 ${PORT}
+update add xxx_xxx.fail.update. 600 A 10.10.10.1
+send
+END
+if [ $not != 0 ]; then ret=1; fi
+$DIG $DIGOPTS xxx_xxx.fail.update @10.53.0.1 A > dig.out.ns1.test$n || ret=1
+grep "xxx_xxx.fail.update/A: bad owner name (check-names)" ns1/named.run > /dev/null || ret=1
+grep NXDOMAIN dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+echo_i "check that updates to 'check-names warn;' succeed and are logged ($n)"
+ret=0
+$NSUPDATE -d <<END > nsupdate.out.test$n  2>&1|| ret=1
+check-names off
+server 10.53.0.1 ${PORT}
+update add xxx_xxx.warn.update. 600 A 10.10.10.1
+send
+END
+$DIG $DIGOPTS xxx_xxx.warn.update @10.53.0.1 A > dig.out.ns1.test$n || ret=1
+grep "xxx_xxx.warn.update/A: bad owner name (check-names)" ns1/named.run > /dev/null || ret=1
+grep NOERROR dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+echo_i "check that updates to 'check-names ignore;' succeed and are not logged ($n)"
+ret=0
+not=1
+$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 || ret=1
+check-names off
+server 10.53.0.1 ${PORT}
+update add xxx_xxx.ignore.update. 600 A 10.10.10.1
+send
+END
+grep "xxx_xxx.ignore.update/A.*(check-names)" ns1/named.run > /dev/null || not=0
+if [ $not != 0 ]; then ret=1; fi
+$DIG $DIGOPTS xxx_xxx.ignore.update @10.53.0.1 A > dig.out.ns1.test$n || ret=1
+grep NOERROR dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+echo_i "check that updates to 'check-names primary ignore;' succeed and are not logged ($n)"
+ret=0
+not=1
+$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 || ret=1
+check-names off
+server 10.53.0.4 ${PORT}
+update add xxx_xxx.primary-ignore.update. 600 A 10.10.10.1
+send
+END
+grep "xxx_xxx.primary-ignore.update/A.*(check-names)" ns4/named.run > /dev/null || not=0
+if [ $not != 0 ]; then ret=1; fi
+$DIG $DIGOPTS xxx_xxx.primary-ignore.update @10.53.0.4 A > dig.out.ns4.test$n || ret=1
+grep NOERROR dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+echo_i "check that updates to 'check-names master ignore;' succeed and are not logged ($n)"
+ret=0
+not=1
+$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 || ret=1
+check-names off
+server 10.53.0.5 ${PORT}
+update add xxx_xxx.master-ignore.update. 600 A 10.10.10.1
+send
+END
+grep "xxx_xxx.master-ignore.update/A.*(check-names)" ns5/named.run > /dev/null || not=0
+if [ $not != 0 ]; then ret=1; fi
+$DIG $DIGOPTS xxx_xxx.master-ignore.update @10.53.0.5 A > dig.out.ns5.test$n || ret=1
+grep NOERROR dig.out.ns5.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+n=$((n+1))
+
+echo_i "check that updates to 'check-names secondary ignore;' succeed and are not logged ($n)"
+ret=0
+# takes a while for the transfer to succeed as ns5 (primary) is started after ns4 (secondary)
+# and the zone is still loading when we get to this point.
+retry_quiet 35 wait_for_record xxx_xxx.master-ignore.update @10.53.0.4 A dig.out.ns4.test$n || ret=1
+grep "xxx_xxx.master-ignore.update/A.*(check-names)" ns4/named.run > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+echo_i "check that updates to 'check-names master ignore;' succeed and are not logged ($n)"
+ret=0
+retry_quiet 35 wait_for_record xxx_xxx.primary-ignore.update @10.53.0.5 A dig.out.ns5.test$n || ret=1
+grep "xxx_xxx.primary-ignore.update/A.*(check-names)" ns5/named.run > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+n=$((n+1))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/checkzone/clean.sh b/bin/tests/system/checkzone/clean.sh
new file mode 100644
index 0000000..a02fc64
--- /dev/null
+++ b/bin/tests/system/checkzone/clean.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f test.* good1.db.map good1.db.raw named-compilezone
+rm -f ns*/named.lock
+rm -f zones/bad-tsig.db
diff --git a/bin/tests/system/checkzone/setup.sh b/bin/tests/system/checkzone/setup.sh
new file mode 100644
index 0000000..f8b464a
--- /dev/null
+++ b/bin/tests/system/checkzone/setup.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+ln -s $CHECKZONE named-compilezone
+
+./named-compilezone -D -F raw -o good1.db.raw example \
+        zones/good1.db > /dev/null 2>&1
+./named-compilezone -D -F map -o good1.db.map example \
+        zones/good1.db > /dev/null 2>&1
+
+copy_setports zones/bad-tsig.db.in zones/bad-tsig.db
diff --git a/bin/tests/system/checkzone/tests.sh b/bin/tests/system/checkzone/tests.sh
new file mode 100644
index 0000000..0b0e822
--- /dev/null
+++ b/bin/tests/system/checkzone/tests.sh
@@ -0,0 +1,200 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=1
+
+for db in zones/good*.db
+do
+	echo_i "checking $db ($n)"
+	ret=0
+	case $db in
+	zones/good-gc-msdcs.db|zones/good-spf-exception.db)
+		$CHECKZONE -k fail -i local example $db > test.out.$n 2>&1 || ret=1
+		;;
+	zones/good-dns-sd-reverse.db)
+		$CHECKZONE -k fail -i local 0.0.0.0.in-addr.arpa $db > test.out.$n 2>&1 || ret=1
+		;;
+	*)
+		$CHECKZONE -i local example $db > test.out.$n 2>&1 || ret=1
+		;;
+	esac
+	n=$((n+1))
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=$((status+ret))
+done
+
+for db in zones/bad*.db
+do
+	echo_i "checking $db ($n)"
+	ret=0 v=0
+	case $db in
+	zones/bad-dns-sd-reverse.db|zones/bad-svcb-servername.db)
+		$CHECKZONE -k fail -i local 0.0.0.0.in-addr.arpa $db > test.out.$n 2>&1 || v=$?
+		;;
+	*)
+                $CHECKZONE -i local example $db > test.out.$n 2>&1 || v=$?
+		;;
+	esac
+	test $v = 1 || ret=1
+	n=$((n+1))
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=$((status+ret))
+done
+
+echo_i "checking with journal file ($n)"
+ret=0
+$CHECKZONE -D -o test.orig.db test zones/test1.db > /dev/null 2>&1 || ret=1
+$CHECKZONE -D -o test.changed.db test zones/test2.db > /dev/null 2>&1 || ret=1
+$MAKEJOURNAL test test.orig.db test.changed.db test.orig.db.jnl 2>&1 || ret=1
+jlines=$($JOURNALPRINT test.orig.db.jnl | wc -l)
+[ $jlines = 3 ] || ret=1
+$CHECKZONE -D -j -o test.out1.db test test.orig.db > /dev/null 2>&1 || ret=1
+cmp -s test.changed.db test.out1.db || ret=1
+mv -f test.orig.db.jnl test.journal
+$CHECKZONE -D -J test.journal -o test.out2.db test test.orig.db > /dev/null 2>&1 || ret=1
+cmp -s test.changed.db test.out2.db || ret=1
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "checking with spf warnings ($n)"
+ret=0
+$CHECKZONE example zones/spf.db > test.out1.$n 2>&1 || ret=1
+$CHECKZONE -T ignore example zones/spf.db > test.out2.$n 2>&1 || ret=1
+grep "'x.example' found type SPF" test.out1.$n > /dev/null && ret=1
+grep "'y.example' found type SPF" test.out1.$n > /dev/null || ret=1
+grep "'example' found type SPF" test.out1.$n > /dev/null && ret=1
+grep "'x.example' found type SPF" test.out2.$n > /dev/null && ret=1
+grep "'y.example' found type SPF" test.out2.$n > /dev/null && ret=1
+grep "'example' found type SPF" test.out2.$n > /dev/null && ret=1
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "checking with max ttl (text) ($n)"
+ret=0
+$CHECKZONE -l 300 example zones/good1.db > test.out1.$n 2>&1 && ret=1
+$CHECKZONE -l 600 example zones/good1.db > test.out2.$n 2>&1 || ret=1
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "checking with max ttl (raw) ($n)"
+ret=0
+$CHECKZONE -f raw -l 300 example good1.db.raw > test.out1.$n 2>&1 && ret=1
+$CHECKZONE -f raw -l 600 example good1.db.raw > test.out2.$n 2>&1 || ret=1
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "checking with max ttl (map) ($n)"
+ret=0
+$CHECKZONE -f map -l 300 example good1.db.map > test.out1.$n 2>&1 && ret=1
+$CHECKZONE -f map -l 600 example good1.db.map > test.out2.$n 2>&1 || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking for no 'inherited owner' warning on '\$INCLUDE file' with no new \$ORIGIN ($n)"
+ret=0
+$CHECKZONE example zones/nowarn.inherited.owner.db > test.out1.$n 2>&1 || ret=1
+grep "inherited.owner" test.out1.$n > /dev/null && ret=1
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "checking for 'inherited owner' warning on '\$ORIGIN + \$INCLUDE file' ($n)"
+ret=0
+$CHECKZONE example zones/warn.inherit.origin.db > test.out1.$n 2>&1 || ret=1
+grep "inherited.owner" test.out1.$n > /dev/null || ret=1
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "checking for 'inherited owner' warning on '\$INCLUDE file origin' ($n)"
+ret=0
+$CHECKZONE example zones/warn.inherited.owner.db > test.out1.$n 2>&1 || ret=1
+grep "inherited.owner" test.out1.$n > /dev/null || ret=1
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "checking that raw zone with bad class is handled ($n)"
+ret=0
+$CHECKZONE -f raw example zones/bad-badclass.raw > test.out.$n 2>&1 && ret=1
+grep "failed: bad class" test.out.$n >/dev/null || ret=1
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "checking that expirations that loop using serial arithmetic are handled ($n)"
+ret=0
+q=-q
+test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
+test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
+test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
+test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
+test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
+test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
+test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
+test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
+test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
+test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
+test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
+test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
+test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
+test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
+test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
+test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
+test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
+test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
+test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
+test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
+test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
+test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "checking that nameserver below DNAME is reported even with occulted address record present ($n)"
+ret=0
+$CHECKZONE example.com zones/ns-address-below-dname.db > test.out.$n 2>&1 && ret=1
+grep "is below a DNAME" test.out.$n >/dev/null || ret=1
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "checking that delegating nameserver below DNAME is reported even with occulted address record present ($n)"
+ret=0
+$CHECKZONE example.com zones/delegating-ns-address-below-dname.db > test.out.$n 2>&1 || ret=1
+grep "is below a DNAME" test.out.$n >/dev/null || ret=1
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+ret=0
+echo_i "checking integer overflow is prevented in \$GENERATE ($n)"
+$CHECKZONE -D example.com zones/generate-overflow.db > test.out.$n 2>&1 || ret=1
+lines=$(grep -c CNAME test.out.$n)
+echo $lines
+[ "$lines" -eq 1 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/checkzone/zones/.gitattributes b/bin/tests/system/checkzone/zones/.gitattributes
new file mode 100644
index 0000000..a1b3cec
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/.gitattributes
@@ -0,0 +1 @@
+*.raw -text
diff --git a/bin/tests/system/checkzone/zones/bad-badclass.raw b/bin/tests/system/checkzone/zones/bad-badclass.raw
new file mode 100644
index 0000000..d8f1bf7
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-badclass.raw
diff --git a/bin/tests/system/checkzone/zones/bad-caa-rr.db b/bin/tests/system/checkzone/zones/bad-caa-rr.db
new file mode 100644
index 0000000..fb7b861
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-caa-rr.db
diff --git a/bin/tests/system/checkzone/zones/bad-cdnskey.db b/bin/tests/system/checkzone/zones/bad-cdnskey.db
new file mode 100644
index 0000000..d109423
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-cdnskey.db
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+example.	0	SOA	. . 0 0 0 0 0
+example.	0 	NS	.
+example. 	0	DNSKEY	257 3 10 AwEAAbqjg7xdvnU2Q/gtLw5LOfr5cDeTRjYuEbkzGrUiVSOSoxcTxuao WS/AFPQHuD8OSLiE/CeZ087JowREXl058rRfae8KMrveY17V0wmKs9N1 F1wf/hRDpXiThlRHWlskp8eSEEIqYrrHgWTesy/xDGIEOFM1gwRo0w8j KdRRJeL2hseTMa+m3rTzrYudUsI0BHLW8PiDUCbG5xgdee8/5YR4847i AAqHIiPJ1Z/IT53OIjMmtv5BUykZ8RYjlJxxX+C+dpRKiK73SQaR3hCB XAYOL9WsDp2/fpmEZpewavkMkdC+j2CX+z27MCS3ASO0AeKK0lcNXwND kgreE+Kr7gc=
+example. 	0	CDNSKEY	257 3 14 AwEAAbqjg7xdvnU2Q/gtLw5LOfr5cDeTRjYuEbkzGrUiVSOSoxcTXXXX WS/AFPQHuD8OSLiE/CeZ087JowREXl058rRfae8KMrveY17V0wmKs9N1 F1wf/hRDpXiThlRHWlskp8eSEEIqYrrHgWTesy/xDGIEOFM1gwRo0w8j KdRRJeL2hseTMa+m3rTzrYudUsI0BHLW8PiDUCbG5xgdee8/5YR4847i AAqHIiPJ1Z/IT53OIjMmtv5BUykZ8RYjlJxxX+C+dpRKiK73SQaR3hCB XAYOL9WsDp2/fpmEZpewavkMkdC+j2CX+z27MCS3ASO0AeKK0lcNXwND kgreE+Kr7gc=
diff --git a/bin/tests/system/checkzone/zones/bad-cds.db b/bin/tests/system/checkzone/zones/bad-cds.db
new file mode 100644
index 0000000..2ce4a0d
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-cds.db
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+example.	0	SOA	. . 0 0 0 0 0
+example.	0 	NS	.
+example. 	0	DNSKEY	257 3 10 AwEAAbqjg7xdvnU2Q/gtLw5LOfr5cDeTRjYuEbkzGrUiVSOSoxcTxuao WS/AFPQHuD8OSLiE/CeZ087JowREXl058rRfae8KMrveY17V0wmKs9N1 F1wf/hRDpXiThlRHWlskp8eSEEIqYrrHgWTesy/xDGIEOFM1gwRo0w8j KdRRJeL2hseTMa+m3rTzrYudUsI0BHLW8PiDUCbG5xgdee8/5YR4847i AAqHIiPJ1Z/IT53OIjMmtv5BUykZ8RYjlJxxX+C+dpRKiK73SQaR3hCB XAYOL9WsDp2/fpmEZpewavkMkdC+j2CX+z27MCS3ASO0AeKK0lcNXwND kgreE+Kr7gc=
+example.	0	CDS 	14364 14 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0B
diff --git a/bin/tests/system/checkzone/zones/bad-dhcid.db b/bin/tests/system/checkzone/zones/bad-dhcid.db
new file mode 100644
index 0000000..df36eb7
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-dhcid.db
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@	3600	DHCID
+@	3600	DHCID
diff --git a/bin/tests/system/checkzone/zones/bad-dns-sd-reverse.db b/bin/tests/system/checkzone/zones/bad-dns-sd-reverse.db
new file mode 100644
index 0000000..c766c8f
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-dns-sd-reverse.db
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 	60
+@	IN	SOA	. . 0 0 0 0 0
+@	IN	NS	.
+;
+; The following are *not* Service Discovery Prefixes from RFC 6763 and the
+; PTR check-names rules for IN-ADDR.ARPA and IP6.ARPA do still apply.
+;
+b._fail._udp	IN	PTR	!@#3.
+db._wrong._udp	IN	PTR	!@#3.
+lb._dns-sd._tcp	IN      PTR     !@#3.
diff --git a/bin/tests/system/checkzone/zones/bad-ds.db b/bin/tests/system/checkzone/zones/bad-ds.db
new file mode 100644
index 0000000..9363cb0
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-ds.db
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+example.	0	SOA	. . 0 0 0 0 0
+example.	0 	NS	.
+example. 	0	DNSKEY	257 3 10 AwEAAbqjg7xdvnU2Q/gtLw5LOfr5cDeTRjYuEbkzGrUiVSOSoxcTxuao WS/AFPQHuD8OSLiE/CeZ087JowREXl058rRfae8KMrveY17V0wmKs9N1 F1wf/hRDpXiThlRHWlskp8eSEEIqYrrHgWTesy/xDGIEOFM1gwRo0w8j KdRRJeL2hseTMa+m3rTzrYudUsI0BHLW8PiDUCbG5xgdee8/5YR4847i AAqHIiPJ1Z/IT53OIjMmtv5BUykZ8RYjlJxxX+C+dpRKiK73SQaR3hCB XAYOL9WsDp2/fpmEZpewavkMkdC+j2CX+z27MCS3ASO0AeKK0lcNXwND kgreE+Kr7gc=
+example.	0	DS 	14364 10 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C
diff --git a/bin/tests/system/checkzone/zones/bad-eid.db b/bin/tests/system/checkzone/zones/bad-eid.db
new file mode 100644
index 0000000..ba568ef
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-eid.db
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@	EID
+@	EID
diff --git a/bin/tests/system/checkzone/zones/bad-generate-garbage.db b/bin/tests/system/checkzone/zones/bad-generate-garbage.db
new file mode 100644
index 0000000..0d66e75
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-generate-garbage.db
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@		SOA	ns hostmaster 2011012708 3600 1200 604800 1200
+		NS	ns
+ns		A	192.0.2.1
+
+$GENERATE 0-7   host$	A 1.2.3.${1,0,dgarbagegarbage}
diff --git a/bin/tests/system/checkzone/zones/bad-generate-missing-brace.db b/bin/tests/system/checkzone/zones/bad-generate-missing-brace.db
new file mode 100644
index 0000000..314583e
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-generate-missing-brace.db
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@		SOA	ns hostmaster 2011012708 3600 1200 604800 1200
+		NS	ns
+ns		A	192.0.2.1
+
+$GENERATE 0-7   host$	A 1.2.3.${1000
diff --git a/bin/tests/system/checkzone/zones/bad-generate-range.db b/bin/tests/system/checkzone/zones/bad-generate-range.db
new file mode 100644
index 0000000..62a9e15
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-generate-range.db
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@		SOA	ns hostmaster 2011012708 3600 1200 604800 1200
+		NS	ns
+ns		A	192.0.2.1
+
+; 2147483647 + 1 overflows what can be represented in an 'int'
+$GENERATE 1-1   host$	TXT foo${2147483647}
diff --git a/bin/tests/system/checkzone/zones/bad-generate-tkey.db b/bin/tests/system/checkzone/zones/bad-generate-tkey.db
new file mode 100644
index 0000000..8c05e51
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-generate-tkey.db
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@		SOA	ns hostmaster 2011012708 3600 1200 604800 1200
+		NS	ns
+ns		A	192.0.2.1
+
+$GENERATE 0-7   tkey$	TKEY "invalid.algorithm. 1516055980 1516140801 1 0 16 gRof8D2BFKvl/vrr9Lmnjw== 16 gRof8D2BFKvl/vrr9Lmnjw=="
diff --git a/bin/tests/system/checkzone/zones/bad-nimloc.db b/bin/tests/system/checkzone/zones/bad-nimloc.db
new file mode 100644
index 0000000..56d04c6
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-nimloc.db
@@ -0,0 +1,10 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
\ No newline at end of file
diff --git a/bin/tests/system/checkzone/zones/bad-nsap-empty.db b/bin/tests/system/checkzone/zones/bad-nsap-empty.db
new file mode 100644
index 0000000..fb8fdd0
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-nsap-empty.db
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@		SOA	ns hostmaster 2011012708 3600 1200 604800 1200
+		NS	ns
+ns		A	192.0.2.1
+
+; NSAP with an odd number of hex digits
+example NSAP 0x47000580005a0000000001e133ffffff000161000
diff --git a/bin/tests/system/checkzone/zones/bad-nsap-odd-nibble.db b/bin/tests/system/checkzone/zones/bad-nsap-odd-nibble.db
new file mode 100644
index 0000000..d287648
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-nsap-odd-nibble.db
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@		SOA	ns hostmaster 2011012708 3600 1200 604800 1200
+		NS	ns
+ns		A	192.0.2.1
+
+; empty NSAP address
+example NSAP 0x
diff --git a/bin/tests/system/checkzone/zones/bad-nsec3-padded.db b/bin/tests/system/checkzone/zones/bad-nsec3-padded.db
new file mode 100644
index 0000000..8212bc4
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-nsec3-padded.db
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@		SOA	ns hostmaster 2011012708 3600 1200 604800 1200
+		NS	ns
+ns		A	192.0.2.1
+
+; The following NSEC3 RR is invalid as the Next Hashed Owner Name field
+; is padded. See RFC 5155.
+0p9mhaveqvm6t7vbl5lop2u3t2rp3tom NSEC3 1 1 12 aabbccdd (
+			CPNMU=== MX DNSKEY NS
+			SOA NSEC3PARAM RRSIG )
diff --git a/bin/tests/system/checkzone/zones/bad-nsec3owner-padded.db b/bin/tests/system/checkzone/zones/bad-nsec3owner-padded.db
new file mode 100644
index 0000000..bf3c5ab
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-nsec3owner-padded.db
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@		SOA	ns hostmaster 2011012708 3600 1200 604800 1200
+		NS	ns
+ns		A	192.0.2.1
+
+; The following NSEC3 RR owner is invalid as the owner name is padded.
+CPNMU===	NSEC3 2 1 12 aabbccdd ( CPNMU MX DNSKEY NS
+			SOA NSEC3PARAM RRSIG )
diff --git a/bin/tests/system/checkzone/zones/bad-svcb-mandatory.db b/bin/tests/system/checkzone/zones/bad-svcb-mandatory.db
new file mode 100644
index 0000000..368f0ca
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-svcb-mandatory.db
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@		SOA	ns hostmaster 2011012708 3600 1200 604800 1200
+		NS	ns
+ns		A	192.0.2.1
+
+svcb		SVCB	0 . mandatory=alpn
diff --git a/bin/tests/system/checkzone/zones/bad-svcb-servername.db b/bin/tests/system/checkzone/zones/bad-svcb-servername.db
new file mode 100644
index 0000000..61751a0
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-svcb-servername.db
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@		SOA	ns hostmaster 2011012708 3600 1200 604800 1200
+		NS	ns
+ns		A	192.0.2.1
+
+svcb		SVCB	1 _underscore.example. port=60 alpn=h3 ech="ZWFzdGVyIGVnZyE="
diff --git a/bin/tests/system/checkzone/zones/bad-svcb.db b/bin/tests/system/checkzone/zones/bad-svcb.db
new file mode 100644
index 0000000..ad710bf
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-svcb.db
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@		SOA	ns hostmaster 2011012708 3600 1200 604800 1200
+		NS	ns
+ns		A	192.0.2.1
+
+svcb		SVCB	0 . unknown=wha
diff --git a/bin/tests/system/checkzone/zones/bad-tkey.db b/bin/tests/system/checkzone/zones/bad-tkey.db
new file mode 100644
index 0000000..a030074
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-tkey.db
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@		SOA	ns hostmaster 2011012708 3600 1200 604800 1200
+		NS	ns
+ns		A	192.0.2.1
+
+tkey		TKEY invalid.algorithm. 1516055980 1516140801 1 0 16 gRof8D2BFKvl/vrr9Lmnjw== 16 gRof8D2BFKvl/vrr9Lmnjw==
diff --git a/bin/tests/system/checkzone/zones/bad-tsig.db.in b/bin/tests/system/checkzone/zones/bad-tsig.db.in
new file mode 100644
index 0000000..daef06c
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-tsig.db.in
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@		SOA	ns hostmaster 2011012708 3600 1200 604800 1200
+		NS	ns
+ns		A	192.0.2.1
+
+tsig		TSIG    @DEFAULT_HMAC@ 1516135665 300 20 thBt8DheAD7qpqSFTiGK999sxGg= 54994 NOERROR 0
diff --git a/bin/tests/system/checkzone/zones/bad-unspec.db b/bin/tests/system/checkzone/zones/bad-unspec.db
new file mode 100644
index 0000000..e5abefe
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-unspec.db
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@		SOA	ns hostmaster 2011012708 3600 1200 604800 1200
+		NS	ns
+ns		A	192.0.2.1
+example IN TYPE103 ^# 1 00
diff --git a/bin/tests/system/checkzone/zones/bad1.db b/bin/tests/system/checkzone/zones/bad1.db
new file mode 100644
index 0000000..05ab829
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad1.db
diff --git a/bin/tests/system/checkzone/zones/bad2.db b/bin/tests/system/checkzone/zones/bad2.db
new file mode 100644
index 0000000..38e82e6
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad2.db
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@		SOA	ns hostmaster 2011012708 3600 1200 604800 1200
+		NS	ns
+ns		A	192.0.2.1
+
+; The following GENERATE directive contains two dashes in the range
+; which is a syntax error.
+$GENERATE 9--10 host$ 3600 A 192.0.2.$
diff --git a/bin/tests/system/checkzone/zones/bad3.db b/bin/tests/system/checkzone/zones/bad3.db
new file mode 100644
index 0000000..1391afe
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad3.db
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@		SOA	ns hostmaster 2011012708 3600 1200 604800 1200
+		NS	ns
+ns		A	192.0.2.1
+;
+; A trailing '/' is not permitted.
+;
+$GENERATE 1-3/	$ A	1.2.3.$
diff --git a/bin/tests/system/checkzone/zones/bad4.db b/bin/tests/system/checkzone/zones/bad4.db
new file mode 100644
index 0000000..99def7a
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad4.db
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@		SOA	ns hostmaster 2011012708 3600 1200 604800 1200
+		NS	ns
+ns		A	192.0.2.1
+;
+; A step of zero is not permitted.
+;
+$GENERATE 1-3/0	$ A	1.2.3.$
diff --git a/bin/tests/system/checkzone/zones/badttl.db b/bin/tests/system/checkzone/zones/badttl.db
new file mode 100644
index 0000000..95cd422
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/badttl.db
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL
+@		SOA     ns hostmaster 2011012708 3600 1200 604800 1200
+                NS      ns
+ns		A       192.0.2.1
+
+ns-and-dname	NS      ns.ns-and-dname
+		DNAME	example.com.
+ns.ns-and-dname	A       203.178.141.207
diff --git a/bin/tests/system/checkzone/zones/crashzone.db b/bin/tests/system/checkzone/zones/crashzone.db
new file mode 100644
index 0000000..2a62e2a
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/crashzone.db
@@ -0,0 +1,62 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+dyn.example.net.	7200	IN SOA	ns1.example.net. hostmaster.example.net. (
+					6  ; serial
+					43200      ; refresh (12 hours)
+					1800       ; retry (30 minutes)
+					1209600    ; expire (2 weeks)
+					7200       ; minimum (2 hours)
+					)
+			7200	RRSIG	SOA 7 3 7200 2010	20100225214229 30323 dyn.example.net. MuyI
+			7200	NS	ns1.example.net.
+			7200	NS	ns2.example.net.
+			3600	RRSIG	DNSKEY 7 3 3600 20100227180048 (
+					20100221180048 52935 dyn.example.net.
+					MuyIUCa3XlttWuSnaQegQnRgTrTsx0Mj4EGI
+					fwtZs2H3L079Y/brqMvtlIGxtlr9meLg43oo
+					jX1w48ilerzf1PwYhtVpFefZTgmClK0h2ej4
+					Ho9Qh4/6snesVj06kWsQDkhuVs58zHmhRtEy
+					P4YlqP/R1CAk166RhwSmGuSx1O8= )
+			0	NSEC3PARAM 1 0 10 76931F
+ns1.dyn.example.net.	7200	IN A	1.0.0.5
+			7200	AAAA	2001:db8::53
+			7200	RRSIG	AAAA 7 4 7200 20100227180048 (
+					20100221180048 30323 dyn.example.net.
+					dk1DfG0y9qjCi3VD4e9B1NGKWEig7q8hFdaR
+					3hElCIzGlflvgHRiE7iTJxDMB+kTA0by4BMZ
+					yssUuXP2FMlB2g== )
+ns2.dyn.example.net.	7200	IN A	1.2.0.6
+y.dyn.example.net.	7200	IN A	1.2.3.5
+z.dyn.example.net.	7200	IN A	1.2.3.6
+A54T6DKFVU4QCKFFNJ0KEU0FH0I4OJSN.dyn.example.net. 7200 IN NSEC3	1 0 10 76931F AJHVGTICN6K0VDA53GCHFMT219SRRQLM A RRSIG
+ò		7200	RRSIG	NSEC3 7 4 7200 00100227180048 (
+					20100221180048 30323 dyn.example.net.
+					9BhZcQdLwRPU/Dz38uMis/nCcddyhKEm0Zb+
+					Mhh3V3OsGI202cebTaxbwVEbQQOeowpUmf8l
+					AmK/cNX7+IS2rw== )
+AJHVGTICN6K0VDA53GCHFMT219SRRQLM.dyn.example.net. 7200 IN NSEC3	1 0 10 76931F FQ7RBG86KRMACA1NAAKP2KQRQALBA0C7 A RRSIG
+FQ7RBG86KRMACA1NAAKP2KQRQALBA0C7.dyn.example.net.  7200	RRSIG	NSEC3 7 4 7200 20100227180048 (
+					20100221180048 30323 dyn.example.net.
+					577WZnTQemStx+diON9rEGXAGnU7C0KLjrFL
+					VyhocnBnNtxJS8eRMSWvb9XuYCMNhYKOurtt
+					Ar4qh4VW1+unmA== )
+I7A7A184GGMI35K1E3IR650LKO7NOB5R.dyn.example.net. 7200 IN NSEC3	1 0 10 76931F IMQ912BREQP1POLAH3RMONG;UED541AS A RRSIG
+IMQ912BREQP1POLAH3RMONG3UED541AS.dyn.example.net. 7200 IN NSEC3	1 0 10 76931F S3USV4M1HLVJ8F88EDSG8N9PVQRQ20N7 A RRSIG
+			7200	RRSIG	NSEC3 7 4 7200 20100227180048 (
+					20100221180048 30323 dyn.example.net.
+					smsg35snQ9PpeG2r8ZGxBl44pwSReh/1rIil
+					u/n8aa5nKbBpkqtbcc7q1OpUgb1Q7+Tl/wes
+					kB6bJA== )
+S3USV4M1HLVJ8F88EDSG8N9PVQRQ20N7.dyn.example.net.  7200	RRSIG	NSEC3 7 4 7200 20100227180048 (
+					20100221180048 30323 dyn.example.net.
+					XalRIESpdeVK1aNbwu9ym2SpK981Y127rKua
+					xsoals0Zn2tTjF9wpOYVGVOto3FcWBbyKD1g
+					69BTRlv634UIOw== )
+T320G5LC07QE1BLR074KORIJTG9DPTI9.dyn.example.net. 7200 IN NSEC3	1 0 10 76931F A54T6DKFVU4QCAFFNJ0KEU0FH0I4OJSN NS SOA RRSIG DNSKEY NSEC3PARAM
diff --git a/bin/tests/system/checkzone/zones/delegating-ns-address-below-dname.db b/bin/tests/system/checkzone/zones/delegating-ns-address-below-dname.db
new file mode 100644
index 0000000..78c1029
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/delegating-ns-address-below-dname.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+example.com.		SOA	marka.isc.org. a.root.servers.nil. (
+				2026    ; serial
+				600     ; refresh
+				600     ; retry
+				1200    ; expire
+				600     ; minimum
+				)
+example.com.            NS	ns.example.com.
+ns.example.com.		A       192.168.0.2
+sub.example.com.        NS      ns.sub2.example.com.
+sub2.example.com.       DNAME   example.net.
+ns.sub2.example.com.	A       192.168.0.2
diff --git a/bin/tests/system/checkzone/zones/generate-overflow.db b/bin/tests/system/checkzone/zones/generate-overflow.db
new file mode 100644
index 0000000..c16b517
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/generate-overflow.db
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@		SOA	ns hostmaster 2011012708 3600 1200 604800 1200
+		NS	ns
+ns		A	192.0.2.1
+
+$GENERATE 19-28/2147483645	$ CNAME x
diff --git a/bin/tests/system/checkzone/zones/good-cdnskey.db b/bin/tests/system/checkzone/zones/good-cdnskey.db
new file mode 100644
index 0000000..7892f13
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/good-cdnskey.db
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+example.	0	SOA	. . 0 0 0 0 0
+example.	0 	NS	.
+example. 	0	DNSKEY	257 3 10 AwEAAbqjg7xdvnU2Q/gtLw5LOfr5cDeTRjYuEbkzGrUiVSOSoxcTxuao WS/AFPQHuD8OSLiE/CeZ087JowREXl058rRfae8KMrveY17V0wmKs9N1 F1wf/hRDpXiThlRHWlskp8eSEEIqYrrHgWTesy/xDGIEOFM1gwRo0w8j KdRRJeL2hseTMa+m3rTzrYudUsI0BHLW8PiDUCbG5xgdee8/5YR4847i AAqHIiPJ1Z/IT53OIjMmtv5BUykZ8RYjlJxxX+C+dpRKiK73SQaR3hCB XAYOL9WsDp2/fpmEZpewavkMkdC+j2CX+z27MCS3ASO0AeKK0lcNXwND kgreE+Kr7gc=
+example. 	0	CDNSKEY	257 3 10 AwEAAbqjg7xdvnU2Q/gtLw5LOfr5cDeTRjYuEbkzGrUiVSOSoxcTxuao WS/AFPQHuD8OSLiE/CeZ087JowREXl058rRfae8KMrveY17V0wmKs9N1 F1wf/hRDpXiThlRHWlskp8eSEEIqYrrHgWTesy/xDGIEOFM1gwRo0w8j KdRRJeL2hseTMa+m3rTzrYudUsI0BHLW8PiDUCbG5xgdee8/5YR4847i AAqHIiPJ1Z/IT53OIjMmtv5BUykZ8RYjlJxxX+C+dpRKiK73SQaR3hCB XAYOL9WsDp2/fpmEZpewavkMkdC+j2CX+z27MCS3ASO0AeKK0lcNXwND kgreE+Kr7gc=
diff --git a/bin/tests/system/checkzone/zones/good-cds-unsigned.db b/bin/tests/system/checkzone/zones/good-cds-unsigned.db
new file mode 100644
index 0000000..9b1737d
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/good-cds-unsigned.db
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+example.	0	SOA	. . 0 0 0 0 0
+example.	0	NS	.
+example.	0	CDS	0 0 0 00
+example.	0	CDNSKEY	0 3 0 AA==
+
diff --git a/bin/tests/system/checkzone/zones/good-cds.db b/bin/tests/system/checkzone/zones/good-cds.db
new file mode 100644
index 0000000..9200657
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/good-cds.db
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+example.	0	SOA	. . 0 0 0 0 0
+example.	0 	NS	.
+example. 	0	DNSKEY	257 3 10 AwEAAbqjg7xdvnU2Q/gtLw5LOfr5cDeTRjYuEbkzGrUiVSOSoxcTxuao WS/AFPQHuD8OSLiE/CeZ087JowREXl058rRfae8KMrveY17V0wmKs9N1 F1wf/hRDpXiThlRHWlskp8eSEEIqYrrHgWTesy/xDGIEOFM1gwRo0w8j KdRRJeL2hseTMa+m3rTzrYudUsI0BHLW8PiDUCbG5xgdee8/5YR4847i AAqHIiPJ1Z/IT53OIjMmtv5BUykZ8RYjlJxxX+C+dpRKiK73SQaR3hCB XAYOL9WsDp2/fpmEZpewavkMkdC+j2CX+z27MCS3ASO0AeKK0lcNXwND kgreE+Kr7gc=
+example.	0	CDS 	14364 10 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C
diff --git a/bin/tests/system/checkzone/zones/good-dns-sd-reverse.db b/bin/tests/system/checkzone/zones/good-dns-sd-reverse.db
new file mode 100644
index 0000000..fffd27b
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/good-dns-sd-reverse.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 	60
+@	IN	SOA	. . 0 0 0 0 0
+@	IN	NS	.
+;
+; The following are Service Discovery Prefixes from RFC 6763 and the
+; PTR check-names rules for IN-ADDR.ARPA and IP6.ARPA do not apply.
+;
+b._dns-sd._udp	IN	PTR	!@#3.
+db._dns-sd._udp	IN	PTR	!@#3.
+r._dns-sd._udp	IN	PTR	!@#3.
+dr._dns-sd._udp	IN      PTR     !@#3.
+lb._dns-sd._udp	IN      PTR     !@#3.
diff --git a/bin/tests/system/checkzone/zones/good-gc-msdcs.db b/bin/tests/system/checkzone/zones/good-gc-msdcs.db
new file mode 100644
index 0000000..defd550
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/good-gc-msdcs.db
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@		SOA	ns hostmaster 2011012708 3600 1200 604800 1200
+		NS	ns
+ns		A	192.0.2.1
+gc._msdcs	A	192.0.2.2
diff --git a/bin/tests/system/checkzone/zones/good-generate-modifier.db b/bin/tests/system/checkzone/zones/good-generate-modifier.db
new file mode 100644
index 0000000..3c811d6
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/good-generate-modifier.db
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@		SOA	ns hostmaster 2011012708 3600 1200 604800 1200
+		NS	ns
+ns		A	192.0.2.1
+
+$GENERATE 0-7   host$	A 1.2.3.${1,0,d}
+$GENERATE 8-9   host$	A 1.2.3.${1,0}
+$GENERATE 10-11 host$	A 1.2.3.${1}
+$GENERATE 1024-1026 ${0,3,n}	AAAA 2001:db8::${0,4,x}
diff --git a/bin/tests/system/checkzone/zones/good-nsap.db b/bin/tests/system/checkzone/zones/good-nsap.db
new file mode 100644
index 0000000..8ad9ee0
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/good-nsap.db
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@		SOA	ns hostmaster 2011012708 3600 1200 604800 1200
+		NS	ns
+ns		A	192.0.2.1
+
+; empty NSAP address
+example NSAP 0x47.0005.80.005a00.0000....0001.e133.ffffff000162.00
diff --git a/bin/tests/system/checkzone/zones/good-nsec3-nopadhash.db b/bin/tests/system/checkzone/zones/good-nsec3-nopadhash.db
new file mode 100644
index 0000000..5bd378c
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/good-nsec3-nopadhash.db
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@		SOA	ns hostmaster 2011012708 3600 1200 604800 1200
+		NS	ns
+ns		A	192.0.2.1
+
+; a hash that isn't a multiple of 8 characters
+CPNMU		NSEC3 2 1 12 aabbccdd ( CPNMU MX DNSKEY NS
+			SOA NSEC3PARAM RRSIG )
diff --git a/bin/tests/system/checkzone/zones/good-occulted-ns-by-dname.db b/bin/tests/system/checkzone/zones/good-occulted-ns-by-dname.db
new file mode 100644
index 0000000..80fc4a6
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/good-occulted-ns-by-dname.db
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+example.	SOA	marka.isc.org. a.root.servers.nil. (
+			2026	; serial
+			600	; refresh
+			600	; retry
+			1200	; expire
+			600	; minimum
+			)
+example.	DNAME	example.net.		; only the apex record exist
+example.	NS	ns.example.net.         ; out of zone
+foo.example.	NS	exavider.example.       ; no "address" records
diff --git a/bin/tests/system/checkzone/zones/good-occulted-ns-by-ns.db b/bin/tests/system/checkzone/zones/good-occulted-ns-by-ns.db
new file mode 100644
index 0000000..38913b9
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/good-occulted-ns-by-ns.db
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+example.		SOA	marka.isc.org. a.root.servers.nil. (
+				2026	; serial
+				600	; refresh
+				600	; retry
+				1200	; expire
+				600	; minimum
+				)
+example.		NS	ns.example.net.		; out of zone
+foo.example.		NS	ns.example.net.		; out of zone
+bar.foo.example.	NS	x.foo.example.		; no address records
diff --git a/bin/tests/system/checkzone/zones/good-spf-exception.db b/bin/tests/system/checkzone/zones/good-spf-exception.db
new file mode 100644
index 0000000..212bfbc
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/good-spf-exception.db
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@		SOA	ns hostmaster 2011012708 3600 1200 604800 1200
+		NS	ns
+ns		A	192.0.2.1
+a._spf		A	192.0.2.2
+a._spf_rate	A	192.0.2.2
+a._spf_verify	A	192.0.2.2
diff --git a/bin/tests/system/checkzone/zones/good-svcb.db b/bin/tests/system/checkzone/zones/good-svcb.db
new file mode 100644
index 0000000..df868f3
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/good-svcb.db
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@		SOA	ns hostmaster 2011012708 3600 1200 604800 1200
+		NS	ns
+ns		A	192.0.2.1
+
+svcb0		SVCB	0 example.net.
+svcb1		SVCB	1 . port=60 alpn=h3 ech="ZWFzdGVyIGVnZyE="
+svcb2		SVCB	2 . no-default-alpn alpn=alpn
+svcb3		SVCB	3 . ipv4hint="10.10.10.10"
+svcb4		SVCB	4 . ipv6hint="feed:a::bee"
+svcb5		SVCB	5 . key9999="something"
+svcb6		SVCB	6 . mandatory=port,alpn port=60 alpn=h3
+svcb7		SVCB	7 . mandatory=port,alpn port=60 alpn=h1,h3
+svcb8		SVCB	8 . mandatory=port,alpn port=60 alpn="h1\\,h2,h3"
+svcb9		SVCB	0 44._svbc.example.net.
+svcb10		SVCB	7 . alpn="h2,h3" dohpath=/{?dns}
diff --git a/bin/tests/system/checkzone/zones/good1.db b/bin/tests/system/checkzone/zones/good1.db
new file mode 100644
index 0000000..59eaa54
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/good1.db
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@		SOA     ns hostmaster 2011012708 3600 1200 604800 1200
+                NS      ns
+ns		A       192.0.2.1
+
+ns-and-dname	NS      ns.ns-and-dname
+		DNAME	example.com.
+ns.ns-and-dname	A       203.178.141.207
diff --git a/bin/tests/system/checkzone/zones/inherit.db b/bin/tests/system/checkzone/zones/inherit.db
new file mode 100644
index 0000000..e075d41
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/inherit.db
@@ -0,0 +1,12 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+	NS .
diff --git a/bin/tests/system/checkzone/zones/nowarn.inherited.owner.db b/bin/tests/system/checkzone/zones/nowarn.inherited.owner.db
new file mode 100644
index 0000000..db26217
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/nowarn.inherited.owner.db
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 0 IN SOA . . 0 0 0 0 0
+$INCLUDE "zones/inherit.db"
diff --git a/bin/tests/system/checkzone/zones/ns-address-below-dname.db b/bin/tests/system/checkzone/zones/ns-address-below-dname.db
new file mode 100644
index 0000000..e15ad5c
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/ns-address-below-dname.db
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+example.com.		SOA	marka.isc.org. a.root.servers.nil. (
+				2026    ; serial
+				600     ; refresh
+				600     ; retry
+				1200    ; expire
+				600     ; minimum
+				)
+example.com.		DNAME	example.net.
+example.com.		NS	ns.example.com
+ns.example.com.		A	192.168.0.2
diff --git a/bin/tests/system/checkzone/zones/spf.db b/bin/tests/system/checkzone/zones/spf.db
new file mode 100644
index 0000000..9527b1b
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/spf.db
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 0 IN SOA . . 0 0 0 0 0
+@ 0 IN NS .
+@ 0 IN TXT "v=spf1 -all"
+@ 0 IN SPF "v=spf1 -all"
+x 0 IN TXT "v=spf1"
+y 0 IN SPF "v=spf1"
+y 0 IN TXT "a non spf record"
diff --git a/bin/tests/system/checkzone/zones/test1.db b/bin/tests/system/checkzone/zones/test1.db
new file mode 100644
index 0000000..55669d7
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/test1.db
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@		SOA     ns hostmaster 2012010901 3600 1200 604800 1200
+                NS      ns
+ns		A       192.0.2.1
+
+addr1	A      10.53.0.1
diff --git a/bin/tests/system/checkzone/zones/test2.db b/bin/tests/system/checkzone/zones/test2.db
new file mode 100644
index 0000000..0cb1184
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/test2.db
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@		SOA     ns hostmaster 2012010902 3600 1200 604800 1200
+                NS      ns
+ns		A       192.0.2.1
+
+addr1	A      10.53.0.1
+addr2	A      10.53.0.2
diff --git a/bin/tests/system/checkzone/zones/warn.inherit.origin.db b/bin/tests/system/checkzone/zones/warn.inherit.origin.db
new file mode 100644
index 0000000..a348a8f
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/warn.inherit.origin.db
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 0 IN SOA . . 0 0 0 0 0
+$ORIGIN @
+$INCLUDE "zones/inherit.db"
diff --git a/bin/tests/system/checkzone/zones/warn.inherited.owner.db b/bin/tests/system/checkzone/zones/warn.inherited.owner.db
new file mode 100644
index 0000000..dbbd9d1
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/warn.inherited.owner.db
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 0 IN SOA . . 0 0 0 0 0
+$INCLUDE "zones/inherit.db" @
diff --git a/bin/tests/system/ckdnsrps.sh b/bin/tests/system/ckdnsrps.sh
new file mode 100644
index 0000000..99ccb6c
--- /dev/null
+++ b/bin/tests/system/ckdnsrps.sh
@@ -0,0 +1,168 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+# Say on stdout whether to test DNSRPS
+#	and create dnsrps.conf and dnsrps-slave.conf
+# Note that dnsrps.conf and dnsrps-slave.conf are included in named.conf
+#	and differ from dnsrpz.conf which is used by dnsrpzd.
+
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DNSRPS_CMD=../rpz/dnsrps
+
+AS_NS=
+TEST_DNSRPS=
+MCONF=dnsrps.conf
+SCONF=dnsrps-slave.conf
+USAGE="$0: [-xAD] [-M dnsrps.conf] [-S dnsrps-slave.conf]"
+while getopts "xADM:S:" c; do
+    case $c in
+	x) set -x; DEBUG=-x;;
+	A) AS_NS=yes;;
+	D) TEST_DNSRPS=yes;;
+	M) MCONF="$OPTARG";;
+	S) SCONF="$OPTARG";;
+	*) echo "$USAGE" 1>&2; exit 1;;
+    esac
+done
+shift `expr $OPTIND - 1 || true`
+if [ "$#" -ne 0 ]; then
+    echo "$USAGE" 1>&2
+    exit 1
+fi
+
+# erase any existing conf files
+cat /dev/null > $MCONF
+cat /dev/null > $SCONF
+
+add_conf () {
+    echo "$*" >>$MCONF
+    echo "$*" >>$SCONF
+}
+
+if ! $FEATURETEST --enable-dnsrps; then
+    if [ -n "$TEST_DNSRPS" ]; then
+        add_conf "## DNSRPS disabled at compile time"
+    fi
+    add_conf "#skip"
+    exit 0
+fi
+
+if [ -z "$TEST_DNSRPS" ]; then
+    add_conf "## testing with native RPZ"
+    add_conf '#skip'
+    exit 0
+else
+    add_conf "## testing with DNSRPS"
+fi
+
+if [ ! -x "$DNSRPS_CMD" ]; then
+    add_conf "## make $DNSRPS_CMD to test DNSRPS"
+    add_conf '#skip'
+    exit 0
+fi
+
+if $DNSRPS_CMD -a >/dev/null; then :
+else
+    add_conf "## DNSRPS provider library is not available"
+    add_conf '#skip'
+    exit 0
+fi
+
+CMN="	dnsrps-options { dnsrpzd-conf ../dnsrpzd.conf
+			 dnsrpzd-sock ../dnsrpzd.sock
+			 dnsrpzd-rpzf ../dnsrpzd.rpzf
+			 dnsrpzd-args '-dddd -L stdout'
+			 log-level 3"
+
+MASTER="$CMN"
+if [ -n "$AS_NS" ]; then
+    MASTER="$MASTER
+			qname-as-ns yes
+			ip-as-ns yes"
+fi
+
+# write dnsrps settings for master resolver
+cat <<EOF >>$MCONF
+$MASTER };
+EOF
+
+# write dnsrps settings for resolvers that should not start dnsrpzd
+cat <<EOF >>$SCONF
+$CMN
+			dnsrpzd '' };	# do not start dnsrpzd
+EOF
+
+
+# DNSRPS is available.
+# The test should fail if the license is bad.
+add_conf "dnsrps-enable yes;"
+
+# Use alt-dnsrpzd-license.conf if it exists
+CUR_L=dnsrpzd-license-cur.conf
+ALT_L=alt-dnsrpzd-license.conf
+# try ../rpz/alt-dnsrpzd-license.conf if alt-dnsrpzd-license.conf does not exist
+[ -s $ALT_L ] || ALT_L=../rpz/alt-dnsrpzd-license.conf
+if [ -s $ALT_L ]; then
+    SRC_L=$ALT_L
+    USE_ALT=
+else
+    SRC_L=../rpz/dnsrpzd-license.conf
+    USE_ALT="## consider installing alt-dnsrpzd-license.conf"
+fi
+cp $SRC_L $CUR_L
+
+# parse $CUR_L for the license zone name, master IP addresses, and optional
+#   transfer-source IP addresses
+eval `sed -n -e 'y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/'\
+    -e 's/.*zone *\([-a-z0-9]*.license.fastrpz.com\).*/NAME=\1/p'	\
+    -e 's/.*farsight_fastrpz_license *\([0-9.]*\);.*/IPV4=\1/p'		\
+    -e 's/.*farsight_fastrpz_license *\([0-9a-f:]*\);.*/IPV6=\1/p'	\
+    -e 's/.*transfer-source *\([0-9.]*\);.*/TS4=-b\1/p'			\
+    -e 's/.*transfer-source *\([0-9a-f:]*\);.*/TS6=-b\1/p'		\
+    -e 's/.*transfer-source-v6 *\([0-9a-f:]*\);.*/TS6=-b\1/p'		\
+	$CUR_L`
+if [ -z "$NAME" ]; then
+    add_conf "## no DNSRPS tests; no license domain name in $SRC_L"
+    add_conf '#fail'
+    exit 0
+fi
+if [ -z "$IPV4" ]; then
+    IPV4=license1.fastrpz.com
+    TS4=
+fi
+if [ -z "$IPV6" ]; then
+    IPV6=license1.fastrpz.com
+    TS6=
+fi
+
+# This TSIG key is common and NOT a secret
+KEY='hmac-sha256:farsight_fastrpz_license:f405d02b4c8af54855fcebc1'
+
+# Try IPv4 and then IPv6 to deal with IPv6 tunnel and connectivity problems
+if `$DIG -4 -t axfr -y$KEY $TS4 $NAME @$IPV4				\
+	    | grep -i "^$NAME.*TXT" >/dev/null`; then
+    exit 0
+fi
+if `$DIG -6 -t axfr -y$KEY $TS6 $NAME @$IPV6				\
+	    | grep -i "^$NAME.*TXT" >/dev/null`; then
+    exit 0
+fi
+
+add_conf "## DNSRPS lacks a valid license via $SRC_L"
+[ -z "$USE_ALT" ] || add_conf "$USE_ALT"
+add_conf '#fail'
diff --git a/bin/tests/system/cleanall.sh b/bin/tests/system/cleanall.sh
new file mode 100644
index 0000000..e5cc477
--- /dev/null
+++ b/bin/tests/system/cleanall.sh
@@ -0,0 +1,37 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Clean up after system tests.
+#
+
+SYSTEMTESTTOP=.
+. $SYSTEMTESTTOP/conf.sh
+
+
+find . -type f \( \
+    -name '*~' -o -name 'core' -o -name '*.core' \
+    -o -name '*.log' -o -name '*.pid' -o -name '*.keyset' \
+    -o -name named.run -o -name ans.run \
+    -o -name '*-valgrind-*.log' \) -print | xargs rm -f
+
+status=0
+
+rm -f $SYSTEMTESTTOP/random.data
+
+for d in $SUBDIRS
+do
+   test ! -f $d/clean.sh || ( cd $d && $SHELL clean.sh )
+   rm -f test.output.$d
+   test -d $d && find $d -type d -exec rmdir '{}' \; 2> /dev/null
+done
diff --git a/bin/tests/system/cleanpkcs11.sh b/bin/tests/system/cleanpkcs11.sh
new file mode 100644
index 0000000..ff8acd0
--- /dev/null
+++ b/bin/tests/system/cleanpkcs11.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. "$SYSTEMTESTTOP/conf.sh"
+
+PK11DELBIN=$(echo "$PK11DEL" | awk '{ print $1 }')
+
+[ -x "$PK11DELBIN" ] && $PK11DEL -w0 > /dev/null 2>&1
diff --git a/bin/tests/system/common/controls.conf.in b/bin/tests/system/common/controls.conf.in
new file mode 100644
index 0000000..3712885
--- /dev/null
+++ b/bin/tests/system/common/controls.conf.in
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
diff --git a/bin/tests/system/common/rndc.conf b/bin/tests/system/common/rndc.conf
new file mode 100644
index 0000000..b887ec3
--- /dev/null
+++ b/bin/tests/system/common/rndc.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	default-key     "rndc_key";
+};
+
+key rndc_key {
+	algorithm       hmac-sha256;
+	secret          "1234abcd8765";
+};
diff --git a/bin/tests/system/common/rndc.key b/bin/tests/system/common/rndc.key
new file mode 100644
index 0000000..3ef41c3
--- /dev/null
+++ b/bin/tests/system/common/rndc.key
@@ -0,0 +1,15 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
diff --git a/bin/tests/system/common/root.hint b/bin/tests/system/common/root.hint
new file mode 100644
index 0000000..e0f186c
--- /dev/null
+++ b/bin/tests/system/common/root.hint
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 999999
+.			 IN NS	a.root-servers.nil.
+a.root-servers.nil.	 IN A	10.53.0.1
diff --git a/bin/tests/system/conf.sh.common b/bin/tests/system/conf.sh.common
new file mode 100644
index 0000000..e87acca
--- /dev/null
+++ b/bin/tests/system/conf.sh.common
@@ -0,0 +1,744 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+testsock6() {
+	if test -n "$PERL" && $PERL -e "use IO::Socket::INET6;" 2> /dev/null
+	then
+		$PERL "$TOP/bin/tests/system/testsock6.pl" "$@"
+	else
+		false
+	fi
+}
+
+export LANG=C
+
+. ${TOP}/version
+
+#
+# Common lists of system tests to run.
+#
+# The following tests are hard-coded to use ports 5300 and 9953. For
+# this reason, these must be run sequentially.
+#
+# Sequential tests that only run on unix/linux should be added to
+# SEQUENTIAL_UNIX in conf.sh.in; those that only run on windows should
+# be added to SEQUENTIAL_WINDOWS in conf.sh.win32.
+#
+SEQUENTIAL_COMMON="ecdsa eddsa tkey"
+
+#
+# These tests can use ports assigned by the caller (other than 5300
+# and 9953). Because separate blocks of ports can be used for teach
+# test, these tests can be run in parallel.
+#
+# Parallel tests that only run on unix/linux should be added to
+# PARALLEL_UNIX in conf.sh.in; those that only run on windows should
+# be added to PARALLEL_WINDOWS in conf.sh.win32.
+#
+# Note: some of the longer-running tests such as serve-stale and
+# rpzrecurse are scheduled first, in order to get more benefit from
+# parallelism.
+#
+PARALLEL_COMMON="dnssec rpzrecurse serve-stale dupsigs \
+acl \
+additional \
+addzone \
+allow-query \
+auth \
+autosign \
+builtin \
+cacheclean \
+case \
+catz \
+cds \
+chain \
+checkconf \
+checkds \
+checknames \
+checkzone \
+database \
+digdelv \
+dlz \
+dlzexternal \
+dns64 \
+dscp \
+dsdigest \
+dyndb \
+ednscompliance \
+emptyzones \
+fetchlimit \
+filter-aaaa \
+formerr \
+forward \
+geoip2 \
+glue \
+idna \
+inline \
+integrity \
+ixfr \
+journal \
+kasp \
+keepalive \
+keymgr2kasp \
+legacy \
+limits \
+masterfile \
+masterformat \
+metadata \
+mirror \
+mkeys \
+names \
+notify \
+nsec3 \
+nslookup \
+nsupdate \
+nzd2nzf \
+padding \
+pending \
+pipelined \
+qmin \
+reclimit \
+redirect \
+resolver \
+rndc \
+rootkeysentinel \
+rpz \
+rrchecker \
+rrl \
+rrsetorder \
+rsabigexponent \
+runtime \
+sfcache \
+shutdown \
+smartsign \
+sortlist \
+spf \
+staticstub \
+statistics \
+statschannel \
+stress \
+stub \
+synthfromdnssec \
+timeouts \
+tcp \
+tools \
+tsig \
+tsiggss \
+ttl \
+unknown \
+upforwd \
+verify \
+views \
+wildcard \
+xfer \
+xferquota \
+zero \
+zonechecks"
+
+#
+# Set up color-coded test output
+#
+if [ ${SYSTEMTEST_FORCE_COLOR:-0} -eq 1 ] || test -t 1 && type tput > /dev/null 2>&1 && tput setaf 7 > /dev/null 2>&1 ; then
+    export COLOR_END=`tput setaf 4`    # blue
+    export COLOR_FAIL=`tput setaf 1`   # red
+    export COLOR_INFO=`tput bold`      # bold
+    export COLOR_NONE=`tput sgr0`
+    export COLOR_PASS=`tput setaf 2`   # green
+    export COLOR_START=`tput setaf 4`  # blue
+    export COLOR_WARN=`tput setaf 3`   # yellow
+else
+    # set to empty strings so printf succeeds
+    export COLOR_END=''
+    export COLOR_FAIL=''
+    export COLOR_INFO=''
+    export COLOR_NONE=''
+    export COLOR_PASS=''
+    export COLOR_START=''
+    export COLOR_WARN=''
+fi
+
+export SYSTESTDIR="`basename $PWD`"
+
+if type printf > /dev/null 2>&1
+then
+	echofail () {
+		printf "${COLOR_FAIL}%s${COLOR_NONE}\n" "$*"
+	}
+	echowarn () {
+		printf "${COLOR_WARN}%s${COLOR_NONE}\n" "$*"
+	}
+	echopass () {
+		printf "${COLOR_PASS}%s${COLOR_NONE}\n" "$*"
+	}
+	echoinfo () {
+		printf "${COLOR_INFO}%s${COLOR_NONE}\n" "$*"
+	}
+	echostart () {
+		printf "${COLOR_START}%s${COLOR_NONE}\n" "$*"
+	}
+	echoend () {
+		printf "${COLOR_END}%s${COLOR_NONE}\n" "$*"
+	}
+	echo_i() {
+	    printf '%s\n' "$*" | while IFS= read -r __LINE ; do
+	       echoinfo "I:$SYSTESTDIR:$__LINE"
+	    done
+	}
+
+	echo_ic() {
+	    printf '%s\n' "$*" | while IFS= read -r __LINE ; do
+	       echoinfo "I:$SYSTESTDIR:  $__LINE"
+	    done
+	}
+
+	echo_d() {
+	    printf '%s\n' "$*" | while IFS= read -r __LINE ; do
+	       echoinfo "D:$SYSTESTDIR:$__LINE"
+	    done
+	}
+else
+	echofail () {
+		echo "$*"
+	}
+	echowarn () {
+		echo "$*"
+	}
+	echopass () {
+		echo "$*"
+	}
+	echoinfo () {
+		echo "$*"
+	}
+	echostart () {
+		echo "$*"
+	}
+	echoend () {
+		echo "$*"
+	}
+
+	echo_i() {
+	    echo "$@" | while IFS= read -r __LINE ; do
+	       echoinfo "I:$SYSTESTDIR:$__LINE"
+	    done
+	}
+
+	echo_ic() {
+	    echo "$@" | while IFS= read -r __LINE ; do
+	       echoinfo "I:$SYSTESTDIR:  $__LINE"
+	    done
+	}
+
+	echo_d() {
+	    echo "$@" | while IFS= read -r __LINE ; do
+	       echoinfo "D:$SYSTESTDIR:$__LINE"
+	    done
+	}
+fi
+
+cat_i() {
+    while IFS= read -r __LINE ; do
+       echoinfo "I:$SYSTESTDIR:$__LINE"
+    done
+}
+
+cat_d() {
+    while IFS= read -r __LINE ; do
+       echoinfo "D:$SYSTESTDIR:$__LINE"
+    done
+}
+
+digcomp() {
+    output=`$PERL $SYSTEMTESTTOP/digcomp.pl "$@"`
+    result=$?
+    [ -n "$output" ] &&  { echo "digcomp failed:"; echo "$output"; } | cat_i
+    return $result
+}
+
+start_server() {
+    $PERL "$TOP_SRCDIR/bin/tests/system/start.pl" "$SYSTESTDIR" "$@"
+}
+
+stop_server() {
+    $PERL "$TOP_SRCDIR/bin/tests/system/stop.pl" "$SYSTESTDIR" "$@"
+}
+
+send() {
+    $PERL "$TOP_SRCDIR/bin/tests/system/send.pl" "$@"
+}
+
+#
+# Useful variables in test scripts
+#
+
+# The following script sets the following algorithm-related variables. These
+# are selected randomly at runtime from a list of supported algorithms. The
+# randomization is deterministic and remains stable for a period of time for a
+# given platform.
+#
+# Default algorithm for testing.
+# DEFAULT_ALGORITHM
+# DEFAULT_ALGORITHM_NUMBER
+# DEFAULT_BITS
+#
+# This is an alternative algorithm for test cases that require more than one
+# algorithm (for example algorithm rollover). Must be different from
+# DEFAULT_ALGORITHM.
+# ALTERNATIVE_ALGORITHM
+# ALTERNATIVE_ALGORITHM_NUMBER
+# ALTERNATIVE_BITS
+#
+# This is an algorithm that is used for tests against the "disable-algorithms"
+# configuration option. Must be different from above algorithms.
+# DISABLED_ALGORITHM
+# DISABLED_ALGORITHM_NUMBER
+# DISABLED_BITS
+#
+# There are multiple algoritms sets to choose from (see get_algorithms.py). To
+# override the default choice, set the ALGORITHM_SET env var (see mkeys system
+# test for example).
+if test -x "$PYTHON" && test -x "$KEYGEN"; then
+    eval "$($PYTHON "$TOP_SRCDIR/bin/tests/system/get_algorithms.py")"
+else
+    # 9.16 workarounds
+    #   - for ./configure which calls bin/tests/system/cleanall.sh, which
+    #     includes this file before $KEYGEN is compiled
+    #   - for our Windows CI which lacks Python
+    DEFAULT_ALGORITHM=ECDSAP256SHA256
+    DEFAULT_ALGORITHM_NUMBER=13
+    DEFAULT_BITS=256
+    ALTERNATIVE_ALGORITHM=RSASHA256
+    ALTERNATIVE_ALGORITHM_NUMBER=8
+    ALTERNATIVE_BITS=1280
+    DISABLED_ALGORITHM=ECDSAP384SHA384
+    DISABLED_ALGORITHM_NUMBER=14
+    DISABLED_BITS=384
+fi
+
+# Default HMAC algorithm.
+export DEFAULT_HMAC=hmac-sha256
+
+#
+# Useful functions in test scripts
+#
+
+# assert_int_equal: compare two integer variables, $1 and $2
+#
+# If $1 and $2 are equal, return 0; if $1 and $2 are not equal, report
+# the error using the description of the tested variable provided in $3
+# and return 1.
+assert_int_equal() {
+	found="$1"
+	expected="$2"
+	description="$3"
+
+	if [ "${expected}" -ne "${found}" ]; then
+		echo_i "incorrect ${description}: got ${found}, expected ${expected}"
+		return 1
+	fi
+
+	return 0
+}
+
+# keyfile_to_keys_section: helper function for keyfile_to_*_keys() which
+# converts keyfile data into a key-style trust anchor configuration
+# section using the supplied parameters
+keyfile_to_keys() {
+    section_name=$1
+    key_prefix=$2
+    shift
+    shift
+    echo "$section_name {"
+    for keyname in $*; do
+	awk '!/^; /{
+	    printf "\t\""$1"\" "
+	    printf "'"$key_prefix "'"
+	    printf $4 " " $5 " " $6 " \""
+	    for (i=7; i<=NF; i++) printf $i
+	    printf "\";\n"
+	}' $keyname.key
+    done
+    echo "};"
+}
+
+# keyfile_to_dskeys_section: helper function for keyfile_to_*_dskeys()
+# converts keyfile data into a DS-style trust anchor configuration
+# section using the supplied parameters
+keyfile_to_dskeys() {
+    section_name=$1
+    key_prefix=$2
+    shift
+    shift
+    echo "$section_name {"
+    for keyname in $*; do
+        $DSFROMKEY $keyname.key | \
+	awk '!/^; /{
+	    printf "\t\""$1"\" "
+	    printf "'"$key_prefix "'"
+	    printf $4 " " $5 " " $6 " \""
+	    for (i=7; i<=NF; i++) printf $i
+	    printf "\";\n"
+	}'
+    done
+    echo "};"
+}
+
+# keyfile_to_trusted_keys: convert key data contained in the keyfile(s)
+# provided to a "trust-keys" section suitable for including in a
+# resolver's configuration file
+keyfile_to_trusted_keys() {
+    keyfile_to_keys "trusted-keys" "" $*
+}
+
+# keyfile_to_static_keys: convert key data contained in the keyfile(s)
+# provided to a *static-key* "trust-anchors" section suitable for including in
+# a resolver's configuration file
+keyfile_to_static_keys() {
+    keyfile_to_keys "trust-anchors" "static-key" $*
+}
+
+# keyfile_to_initial_keys: convert key data contained in the keyfile(s)
+# provided to an *initial-key* "trust-anchors" section suitable for including
+# in a resolver's configuration file
+keyfile_to_initial_keys() {
+    keyfile_to_keys "trust-anchors" "initial-key" $*
+}
+
+# keyfile_to_static_ds_keys: convert key data contained in the keyfile(s)
+# provided to a *static-ds* "trust-anchors" section suitable for including in a
+# resolver's configuration file
+keyfile_to_static_ds() {
+    keyfile_to_dskeys "trust-anchors" "static-ds" $*
+}
+
+# keyfile_to_initial_ds_keys: convert key data contained in the keyfile(s)
+# provided to an *initial-ds* "trust-anchors" section suitable for including
+# in a resolver's configuration file
+keyfile_to_initial_ds() {
+    keyfile_to_dskeys "trust-anchors" "initial-ds" $*
+}
+
+# keyfile_to_key_id: convert a key file name to a key ID
+#
+# For a given key file name (e.g. "Kexample.+013+06160") provided as $1,
+# print the key ID with leading zeros stripped ("6160" for the
+# aforementioned example).
+keyfile_to_key_id() {
+	echo "$1" | sed "s/.*+0\{0,4\}//"
+}
+
+# private_type_record: write a private type record recording the state of the
+# signing process
+#
+# For a given zone ($1), algorithm number ($2) and key file ($3), print the
+# private type record with default type value of 65534, indicating that the
+# signing process for this key is completed.
+private_type_record() {
+        _zone=$1
+        _algorithm=$2
+        _keyfile=$3
+
+        _id=$(keyfile_to_key_id "$_keyfile")
+
+        printf "%s. 0 IN TYPE65534 %s 5 %02x%04x0000\n" "$_zone" "\\#" "$_algorithm" "$_id"
+}
+
+# nextpart*() - functions for reading files incrementally
+#
+# These functions aim to facilitate looking for (or waiting for)
+# messages which may be logged more than once throughout the lifetime of
+# a given named instance by outputting just the part of the file which
+# has been appended since the last time we read it.
+#
+# Calling some of these functions causes temporary *.prev files to be
+# created that need to be cleaned up manually (usually by a given system
+# test's clean.sh script).
+#
+# Note that unlike other nextpart*() functions, nextpartread() is not
+# meant to be directly used in system tests; its sole purpose is to
+# reduce code duplication below.
+#
+# A quick usage example:
+#
+#     $ echo line1 > named.log
+#     $ echo line2 >> named.log
+#     $ nextpart named.log
+#     line1
+#     line2
+#     $ echo line3 >> named.log
+#     $ nextpart named.log
+#     line3
+#     $ nextpart named.log
+#     $ echo line4 >> named.log
+#     $ nextpartpeek named.log
+#     line4
+#     $ nextpartpeek named.log
+#     line4
+#     $ nextpartreset named.log
+#     $ nextpartpeek named.log
+#     line1
+#     line2
+#     line3
+#     line4
+#     $ nextpart named.log
+#     line1
+#     line2
+#     line3
+#     line4
+#     $ nextpart named.log
+#     $
+
+# nextpartreset: reset the marker used by nextpart() and nextpartpeek()
+# so that it points to the start of the given file
+nextpartreset() {
+    echo "0" > $1.prev
+}
+
+# nextpartread: read everything that's been appended to a file since the
+# last time nextpart() was called and print it to stdout, print the
+# total number of lines read from that file so far to file descriptor 3
+nextpartread() {
+    [ -f $1.prev ] || nextpartreset $1
+    prev=`cat $1.prev`
+    awk "NR > $prev "'{ print }
+	 END          { print NR > "/dev/stderr" }' $1 2>&3
+}
+
+# nextpart: read everything that's been appended to a file since the
+# last time nextpart() was called
+nextpart() {
+	nextpartread $1 3> $1.prev.tmp
+	mv $1.prev.tmp $1.prev
+}
+
+# nextpartpeek: read everything that's been appended to a file since the
+# last time nextpart() was called
+nextpartpeek() {
+	nextpartread $1 3> /dev/null
+}
+
+# _search_log: look for message $1 in file $2 with nextpart().
+_search_log() (
+	msg="$1"
+	file="$2"
+	nextpart "$file" | grep -F -e "$msg" > /dev/null
+)
+
+# _search_log_peek: look for message $1 in file $2 with nextpartpeek().
+_search_log_peek() (
+	msg="$1"
+	file="$2"
+	nextpartpeek "$file" | grep -F -e "$msg" > /dev/null
+)
+
+# wait_for_log: wait until message $2 in file $3 appears.  Bail out after
+# $1 seconds.  This needs to be used in conjunction with a prior call to
+# nextpart() or nextpartreset() on the same file to guarantee the offset is
+# set correctly.  Tests using wait_for_log() are responsible for cleaning up
+# the created <file>.prev files.
+wait_for_log() (
+	timeout="$1"
+	msg="$2"
+	file="$3"
+	retry_quiet "$timeout" _search_log "$msg" "$file" && return 0
+	echo_i "exceeded time limit waiting for '$msg' in $file"
+        return 1
+)
+
+# wait_for_log_peek: similar to wait_for_log() but peeking, so the file offset
+# does not change.
+wait_for_log_peek() (
+	timeout="$1"
+	msg="$2"
+	file="$3"
+	retry_quiet "$timeout" _search_log_peek "$msg" "$file" && return 0
+	echo_i "exceeded time limit waiting for '$msg' in $file"
+        return 1
+)
+
+# _retry: keep running a command until it succeeds, up to $1 times, with
+# one-second intervals, optionally printing a message upon every attempt
+_retry() {
+	__retries="${1}"
+	shift
+
+	while :; do
+		if "$@"; then
+			return 0
+		fi
+		__retries=$((__retries-1))
+		if [ "${__retries}" -gt 0 ]; then
+			if [ "${__retry_quiet}" -ne 1 ]; then
+				echo_i "retrying"
+			fi
+			sleep 1
+		else
+			return 1
+		fi
+	done
+}
+
+# retry: call _retry() in verbose mode
+retry() {
+	__retry_quiet=0
+	_retry "$@"
+}
+
+# retry_quiet: call _retry() in silent mode
+retry_quiet() {
+	__retry_quiet=1
+	_retry "$@"
+}
+
+# _repeat: keep running command up to $1 times, unless it fails
+_repeat() (
+    __retries="${1}"
+    shift
+    while :; do
+	if ! "$@"; then
+	    return 1
+	fi
+	__retries=$((__retries-1))
+	if [ "${__retries}" -le 0 ]; then
+	    break
+	fi
+    done
+    return 0
+)
+
+rndc_reload() {
+    $RNDC -c ../common/rndc.conf -s $2 -p ${CONTROLPORT} reload $3 2>&1 | sed 's/^/'"I:$SYSTESTDIR:$1"' /'
+    # reloading single zone is synchronous, if we're reloading whole server
+    # we need to wait for reload to finish
+    if [ -z "$3" ]; then
+	for __try in 0 1 2 3 4 5 6 7 8 9; do
+	    $RNDC -c ../common/rndc.conf -s $2 -p ${CONTROLPORT} status | grep "reload/reconfig in progress" > /dev/null || break
+	    sleep 1
+	done
+    fi
+}
+
+rndc_reconfig() {
+    $RNDC -c ../common/rndc.conf -s $2 -p ${CONTROLPORT} reconfig 2>&1 | sed 's/^/'"I:$SYSTESTDIR:$1"' /'
+    for __try in 0 1 2 3 4 5 6 7 8 9; do
+	$RNDC -c ../common/rndc.conf -s $2 -p ${CONTROLPORT} status | grep "reload/reconfig in progress" > /dev/null || break
+	sleep 1
+    done
+}
+
+# rndc_dumpdb: call "rndc dumpdb [...]" and wait until it completes
+#
+# The first argument is the name server instance to send the command to, in the
+# form of "nsX" (where "X" is the instance number), e.g. "ns5".  The remaining
+# arguments, if any, are appended to the rndc command line after "dumpdb".
+#
+# Control channel configuration for the name server instance to send the
+# command to must match the contents of bin/tests/system/common/rndc.conf.
+#
+# rndc output is stored in a file called rndc.out.test${n}; the "n" variable is
+# required to be set by the calling tests.sh script.
+#
+# Return 0 if the dump completes successfully; return 1 if rndc returns an exit
+# code other than 0 or if the "; Dump complete" string does not appear in the
+# dump within 10 seconds.
+rndc_dumpdb() {
+	__ret=0
+	__dump_complete=0
+	__server="${1}"
+	__ip="10.53.0.$(echo "${__server}" | tr -c -d "0-9")"
+
+	shift
+	${RNDC} -c ../common/rndc.conf -p "${CONTROLPORT}" -s "${__ip}" dumpdb "$@" > "rndc.out.test${n}" 2>&1 || __ret=1
+
+	for _ in 0 1 2 3 4 5 6 7 8 9
+	do
+		if grep '^; Dump complete$' "${__server}/named_dump.db" > /dev/null; then
+			mv "${__server}/named_dump.db" "${__server}/named_dump.db.test${n}"
+			__dump_complete=1
+			break
+		fi
+		sleep 1
+	done
+
+	if [ ${__dump_complete} -eq 0 ]; then
+		echo_i "timed out waiting for 'rndc dumpdb' to finish"
+		__ret=1
+	fi
+
+	return ${__ret}
+}
+
+# get_dig_xfer_stats: extract transfer statistics from dig output stored
+# in $1, converting them to a format used by some system tests.
+get_dig_xfer_stats() {
+	LOGFILE="$1"
+	sed -n "s/^;; XFR size: .*messages \([0-9][0-9]*\).*/messages=\1/p" "${LOGFILE}"
+	sed -n "s/^;; XFR size: \([0-9][0-9]*\) records.*/records=\1/p" "${LOGFILE}"
+	sed -n "s/^;; XFR size: .*bytes \([0-9][0-9]*\).*/bytes=\1/p" "${LOGFILE}"
+}
+
+# get_named_xfer_stats: from named log file $1, extract transfer
+# statistics for the last transfer for peer $2 and zone $3 (from a log
+# message which has to contain the string provided in $4), converting
+# them to a format used by some system tests.
+get_named_xfer_stats() {
+	LOGFILE="$1"
+	PEER="`echo $2 | sed 's/\./\\\\./g'`"
+	ZONE="`echo $3 | sed 's/\./\\\\./g'`"
+	MESSAGE="$4"
+	grep " ${PEER}#.*${MESSAGE}:" "${LOGFILE}" | \
+		sed -n "s/.* '${ZONE}\/.* \([0-9][0-9]*\) messages.*/messages=\1/p" | tail -1
+	grep " ${PEER}#.*${MESSAGE}:" "${LOGFILE}" | \
+		sed -n "s/.* '${ZONE}\/.* \([0-9][0-9]*\) records.*/records=\1/p" | tail -1
+	grep " ${PEER}#.*${MESSAGE}:" "${LOGFILE}" | \
+		sed -n "s/.* '${ZONE}\/.* \([0-9][0-9]*\) bytes.*/bytes=\1/p" | tail -1
+}
+
+# copy_setports - Copy Configuration File and Replace Ports
+#
+# Convenience function to copy a configuration file, replacing the tokens
+# QUERYPORT, CONTROLPORT and EXTRAPORT[1-8] with the values of the equivalent
+# environment variables. (These values are set by "run.sh", which calls the
+# scripts invoking this function.)
+#
+# Usage:
+#   copy_setports infile outfile
+#
+copy_setports() {
+    # The indirect method of handling the substitution of the PORT variables
+    # (defining "atsign" then substituting for it in the "sed" statement) is
+    # required to prevent the "Configure" script (in the win32utils/ directory)
+    # from replacing the <at>PORT<at> substitution tokens when it processes
+    # this file and produces conf.sh.
+    atsign="@"
+    sed -e "s/${atsign}PORT${atsign}/${PORT}/g" \
+        -e "s/${atsign}EXTRAPORT1${atsign}/${EXTRAPORT1}/g" \
+        -e "s/${atsign}EXTRAPORT2${atsign}/${EXTRAPORT2}/g" \
+        -e "s/${atsign}EXTRAPORT3${atsign}/${EXTRAPORT3}/g" \
+        -e "s/${atsign}EXTRAPORT4${atsign}/${EXTRAPORT4}/g" \
+        -e "s/${atsign}EXTRAPORT5${atsign}/${EXTRAPORT5}/g" \
+        -e "s/${atsign}EXTRAPORT6${atsign}/${EXTRAPORT6}/g" \
+        -e "s/${atsign}EXTRAPORT7${atsign}/${EXTRAPORT7}/g" \
+        -e "s/${atsign}EXTRAPORT8${atsign}/${EXTRAPORT8}/g" \
+        -e "s/${atsign}CONTROLPORT${atsign}/${CONTROLPORT}/g" \
+        -e "s/${atsign}DEFAULT_ALGORITHM${atsign}/${DEFAULT_ALGORITHM}/g" \
+        -e "s/${atsign}DEFAULT_ALGORITHM_NUMBER${atsign}/${DEFAULT_ALGORITHM_NUMBER}/g" \
+        -e "s/${atsign}DEFAULT_BITS${atsign}/${DEFAULT_BITS}/g" \
+        -e "s/${atsign}ALTERNATIVE_ALGORITHM${atsign}/${ALTERNATIVE_ALGORITHM}/g" \
+        -e "s/${atsign}ALTERNATIVE_ALGORITHM_NUMBER${atsign}/${ALTERNATIVE_ALGORITHM_NUMBER}/g" \
+        -e "s/${atsign}ALTERNATIVE_BITS${atsign}/${ALTERNATIVE_BITS}/g" \
+        -e "s/${atsign}DEFAULT_HMAC${atsign}/${DEFAULT_HMAC}/g" \
+        -e "s/${atsign}DISABLED_ALGORITHM${atsign}/${DISABLED_ALGORITHM}/g" \
+        -e "s/${atsign}DISABLED_ALGORITHM_NUMBER${atsign}/${DISABLED_ALGORITHM_NUMBER}/g" \
+        -e "s/${atsign}DISABLED_BITS${atsign}/${DISABLED_BITS}/g" \
+        $1 > $2
+}
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
new file mode 100644
index 0000000..d5b5996
--- /dev/null
+++ b/bin/tests/system/conf.sh.in
@@ -0,0 +1,131 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Common configuration data for system tests, to be sourced into
+# other shell scripts.
+#
+
+# Find the top of the BIND9 tree.
+export TOP=@abs_top_builddir@
+export TOP_SRCDIR=@abs_top_srcdir@
+
+# Provide TMPDIR variable for tests that need it.
+export TMPDIR=${TMPDIR:-/tmp}
+
+# This is not the windows build.
+export CYGWIN=""
+
+export ARPANAME=$TOP/bin/tools/arpaname
+export CDS=$TOP/bin/dnssec/dnssec-cds
+export CHECKCONF=$TOP/bin/check/named-checkconf
+export CHECKDS=$TOP/bin/python/dnssec-checkds
+export CHECKZONE=$TOP/bin/check/named-checkzone
+export COVERAGE=$TOP/bin/python/dnssec-coverage
+export DDNSCONFGEN=$TOP/bin/confgen/ddns-confgen
+if [ -z "$TSAN_OPTIONS" ]; then  # workaround for GL#4119
+    export DELV=$TOP/bin/delv/delv
+    export RESOLVE=$TOP/bin/tests/system/resolve
+else
+    export DELV=:
+    export RESOLVE=:
+fi
+export DIG=$TOP/bin/dig/dig
+export DNSTAPREAD=$TOP/bin/tools/dnstap-read
+export DSFROMKEY=$TOP/bin/dnssec/dnssec-dsfromkey
+export FEATURETEST=$TOP/bin/tests/system/feature-test
+export FSTRM_CAPTURE=@FSTRM_CAPTURE@
+export HOST=$TOP/bin/dig/host
+export IMPORTKEY=$TOP/bin/dnssec/dnssec-importkey
+export JOURNALPRINT=$TOP/bin/tools/named-journalprint
+export KEYFRLAB=$TOP/bin/dnssec/dnssec-keyfromlabel
+export KEYGEN=$TOP/bin/dnssec/dnssec-keygen
+export KEYMGR=$TOP/bin/python/dnssec-keymgr
+export MDIG=$TOP/bin/tools/mdig
+export NAMED=$TOP/bin/named/named
+export NSEC3HASH=$TOP/bin/tools/nsec3hash
+export NSLOOKUP=$TOP/bin/dig/nslookup
+export NSUPDATE=$TOP/bin/nsupdate/nsupdate
+export NZD2NZF=$TOP/bin/tools/named-nzd2nzf
+export PK11DEL="$TOP/bin/pkcs11/pkcs11-destroy -s ${SLOT:-0} -p ${HSMPIN:-1234} -w 0"
+export PK11GEN="$TOP/bin/pkcs11/pkcs11-keygen -q -s ${SLOT:-0} -p ${HSMPIN:-1234}"
+export PK11LIST="$TOP/bin/pkcs11/pkcs11-list -s ${SLOT:-0} -p ${HSMPIN:-1234}"
+export REVOKE=$TOP/bin/dnssec/dnssec-revoke
+export RNDC=$TOP/bin/rndc/rndc
+export RNDCCONFGEN=$TOP/bin/confgen/rndc-confgen
+export RRCHECKER=$TOP/bin/tools/named-rrchecker
+export SETTIME=$TOP/bin/dnssec/dnssec-settime
+export SIGNER=$TOP/bin/dnssec/dnssec-signzone
+export TSIGKEYGEN=$TOP/bin/confgen/tsig-keygen
+export VERIFY=$TOP/bin/dnssec/dnssec-verify
+export WIRETEST=$TOP/bin/tests/wire_test
+
+export BIGKEY=$TOP/bin/tests/system/rsabigexponent/bigkey
+export GENCHECK=$TOP/bin/tests/system/rndc/gencheck
+export KEYCREATE=$TOP/bin/tests/system/tkey/keycreate
+export KEYDELETE=$TOP/bin/tests/system/tkey/keydelete
+export MAKEJOURNAL=$TOP/bin/tests/makejournal
+export PIPEQUERIES=$TOP/bin/tests/system/pipelined/pipequeries
+
+# we don't want a KRB5_CONFIG setting breaking the tests
+export KRB5_CONFIG=/dev/null
+# use local keytab instead of default /etc/krb5.keytab
+export KRB5_KTNAME=dns.keytab
+
+# Things that are different on Windows
+export KILL=kill
+export DIFF=diff
+export DOS2UNIX=true
+# There's no trailing period on Windows
+export TP=.
+
+# Programs detected by configure
+# Variables will be empty if no program was found by configure
+export SHELL=@SHELL@
+export CURL=@CURL@
+export XMLLINT=@XMLLINT@
+export XSLTPROC=@XSLTPROC@
+export PYTEST=@PYTEST@
+
+# Windows process management leave empty
+export PSSUSPEND=
+
+#
+# Interpreters for system tests detected by configure
+#
+export PERL=@PERL@
+if ! test -x "$PERL"; then
+    echo "Perl interpreter is required for system tests."
+    exit 77
+fi
+export PYTHON=@PYTHON@
+
+#
+# Determine if we support various optional features.
+#
+export CRYPTO=@CRYPTO@
+
+
+# Load common values shared between windows and unix/linux.
+. $TOP/bin/tests/system/conf.sh.common
+
+#
+# Construct the lists of tests to run
+#
+SEQUENTIAL_UNIX="@PKCS11_TEST@"
+SEQUENTIALDIRS="$SEQUENTIAL_COMMON $SEQUENTIAL_UNIX"
+
+PARALLEL_UNIX="@CHECKDS@ @COVERAGE@ @DNSTAP@ @KEYMGR@ cookie logfileconfig"
+PARALLELDIRS="$PARALLEL_COMMON $PARALLEL_UNIX"
+
+SUBDIRS="$SEQUENTIALDIRS $PARALLELDIRS"
diff --git a/bin/tests/system/conf.sh.win32 b/bin/tests/system/conf.sh.win32
new file mode 100644
index 0000000..95f9c16
--- /dev/null
+++ b/bin/tests/system/conf.sh.win32
@@ -0,0 +1,129 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Common configuration data for system tests, to be sourced into
+# other shell scripts.
+#
+
+# Find the top of the BIND9 tree.
+TOP=${SYSTEMTESTTOP:=.}/../../..
+
+# Make it absolute so that it continues to work after we cd.
+export TOP=`cd $TOP && pwd`
+export TOP_SRCDIR="$TOP"
+
+# This is the windows build. This disables certain tests cases
+# and changes some specific behaviors where necessary.
+export CYGWIN=1
+
+# Visual Studio build configurations are Release and Debug
+export VSCONF=${VSCONF:-Debug}
+
+# Interpreters for system tests
+export PERL=/usr/bin/perl
+if ! test -x "$PERL"; then
+    echo "Perl interpreter is required for system tests."
+    exit 77
+fi
+export PYTHON=@PYTHON@
+
+
+export ARPANAME=$TOP/Build/$VSCONF/arpaname@EXEEXT@
+export CDS=$TOP/Build/$VSCONF/dnssec-cds@EXEEXT@
+export CHECKCONF=$TOP/Build/$VSCONF/named-checkconf@EXEEXT@
+export CHECKDS="$PYTHON `cygpath -w $TOP/bin/python/dnssec-checkds.py`"
+export CHECKZONE=$TOP/Build/$VSCONF/named-checkzone@EXEEXT@
+export COVERAGE="$PYTHON `cygpath -w $TOP/bin/python/dnssec-coverage.py`"
+export DDNSCONFGEN=$TOP/Build/$VSCONF/ddns-confgen@EXEEXT@
+export DELV=$TOP/Build/$VSCONF/delv@EXEEXT@
+export DIG=$TOP/Build/$VSCONF/dig@EXEEXT@
+export DNSTAPREAD=$TOP/Build/$VSCONF/dnstap-read@EXEEXT@
+export DSFROMKEY=$TOP/Build/$VSCONF/dnssec-dsfromkey@EXEEXT@
+export FEATURETEST=$TOP/Build/$VSCONF/feature-test@EXEEXT@
+export FSTRM_CAPTURE=@FSTRM_CAPTURE@
+export IMPORTKEY=$TOP/Build/$VSCONF/dnssec-importkey@EXEEXT@
+export JOURNALPRINT=$TOP/Build/$VSCONF/named-journalprint@EXEEXT@
+export KEYFRLAB=$TOP/Build/$VSCONF/dnssec-keyfromlabel@EXEEXT@
+export KEYGEN=$TOP/Build/$VSCONF/dnssec-keygen@EXEEXT@
+export KEYMGR="$PYTHON `cygpath -w $TOP/bin/python/dnssec-keymgr.py`"
+export MDIG=$TOP/Build/$VSCONF/mdig@EXEEXT@
+export NAMED=$TOP/Build/$VSCONF/named@EXEEXT@
+export NSEC3HASH=$TOP/Build/$VSCONF/nsec3hash@EXEEXT@
+export NSLOOKUP=$TOP/Build/$VSCONF/nslookup@EXEEXT@
+export NSUPDATE=$TOP/Build/$VSCONF/nsupdate@EXEEXT@
+export NZD2NZF=$TOP/Build/$VSCONF/named-nzd2nzf@EXEEXT@
+export PK11DEL="$TOP/Build/$VSCONF/pkcs11-destroy@EXEEXT@ -s ${SLOT:-0} -p ${HSMPIN:-1234} -w 0"
+export PK11GEN="$TOP/Build/$VSCONF/pkcs11-keygen@EXEEXT@ -q -s ${SLOT:-0} -p ${HSMPIN:-1234}"
+export PK11LIST="$TOP/Build/$VSCONF/pkcs11-list@EXEEXT@ -s ${SLOT:-0} -p ${HSMPIN:-1234}"
+export REVOKE=$TOP/Build/$VSCONF/dnssec-revoke@EXEEXT@
+export RNDC=$TOP/Build/$VSCONF/rndc@EXEEXT@
+export RNDCCONFGEN=$TOP/Build/$VSCONF/rndc-confgen@EXEEXT@
+export RRCHECKER=$TOP/Build/$VSCONF/named-rrchecker@EXEEXT@
+export SETTIME=$TOP/Build/$VSCONF/dnssec-settime@EXEEXT@
+export SIGNER=$TOP/Build/$VSCONF/dnssec-signzone@EXEEXT@
+export TSIGKEYGEN=$TOP/Build/$VSCONF/tsig-keygen@EXEEXT@
+export VERIFY=$TOP/Build/$VSCONF/dnssec-verify@EXEEXT@
+
+# to port WIRETEST=$TOP/Build/$VSCONF/wire_test@EXEEXT@
+export WIRETEST=
+
+export BIGKEY=$TOP/Build/$VSCONF/bigkey@EXEEXT@
+export GENCHECK=$TOP/Build/$VSCONF/gencheck@EXEEXT@
+export KEYCREATE=$TOP/Build/$VSCONF/keycreate@EXEEXT@
+export KEYDELETE=$TOP/Build/$VSCONF/keydelete@EXEEXT@
+export MAKEJOURNAL=$TOP/Build/$VSCONF/makejournal@EXEEXT@
+export PIPEQUERIES=$TOP/Build/$VSCONF/pipequeries@EXEEXT@
+export RESOLVE=$TOP/Build/$VSCONF/resolve@EXEEXT@
+
+# we don't want a KRB5_CONFIG setting breaking the tests
+export KRB5_CONFIG=NUL
+
+# Things that are different on Windows
+export KILL="/bin/kill -f"
+export DIFF="diff --strip-trailing-cr"
+export DOS2UNIX=dos2unix
+# No trailing period
+export TP=
+
+# Configure is launched from native environment, but tests are run in Cygwin -
+# so any detection is unreliable.
+export SHELL="/bin/bash -o igncr"
+export CURL=/usr/bin/curl
+export XMLLINT=/usr/bin/xmllint
+
+#
+# PsSuspend is part of PSTools and can be downloaded from
+# https://download.sysinternals.com/files/PSTools.zip
+#
+export PSSUSPEND=@PSSUSPEND@
+
+#
+# Determine if we support various optional features.
+#
+export CRYPTO=@CRYPTO@
+
+
+# The rest is shared between Windows and Unices
+. $TOP/bin/tests/system/conf.sh.common
+
+#
+# Construct the lists of tests to run
+#
+SEQUENTIAL_WINDOWS=""
+SEQUENTIALDIRS="$SEQUENTIAL_COMMON $SEQUENTIAL_WINDOWS"
+
+PARALLEL_WINDOWS="@CHECKDS@ @COVERAGE@ @DNSTAP@ @KEYMGR@"
+PARALLELDIRS="$PARALLEL_COMMON $PARALLEL_WINDOWS"
+
+SUBDIRS="$SEQUENTIALDIRS $PARALLELDIRS"
diff --git a/bin/tests/system/conftest.py b/bin/tests/system/conftest.py
new file mode 100644
index 0000000..8abf963
--- /dev/null
+++ b/bin/tests/system/conftest.py
@@ -0,0 +1,31 @@
+#!/usr/bin/python3
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import os
+
+import pytest
+
+
+@pytest.fixture(scope="session")
+def named_port():
+    return int(os.environ.get("PORT", default=5300))
+
+
+@pytest.fixture(scope="session")
+def named_tlsport():
+    return int(os.environ.get("TLSPORT", default=8853))
+
+
+@pytest.fixture(scope="session")
+def control_port():
+    return int(os.environ.get("CONTROLPORT", default=9953))
diff --git a/bin/tests/system/cookie/ans9/ans.py b/bin/tests/system/cookie/ans9/ans.py
new file mode 100644
index 0000000..1266b7e
--- /dev/null
+++ b/bin/tests/system/cookie/ans9/ans.py
@@ -0,0 +1,300 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+from __future__ import print_function
+import os
+import sys
+import signal
+import socket
+import select
+from datetime import datetime, timedelta
+import time
+import functools
+
+import dns
+import dns.edns
+import dns.flags
+import dns.message
+import dns.query
+import dns.tsig
+import dns.tsigkeyring
+import dns.version
+
+from dns.edns import *
+from dns.name import *
+from dns.rcode import *
+from dns.rdataclass import *
+from dns.rdatatype import *
+from dns.tsig import *
+
+
+# Log query to file
+def logquery(type, qname):
+    with open("qlog", "a") as f:
+        f.write("%s %s\n", type, qname)
+
+
+# DNS 2.0 keyring specifies the algorithm
+try:
+    keyring = dns.tsigkeyring.from_text(
+        {
+            "foo": {"hmac-sha256", "aaaaaaaaaaaa"},
+            "fake": {"hmac-sha256", "aaaaaaaaaaaa"},
+        }
+    )
+except:
+    keyring = dns.tsigkeyring.from_text({"foo": "aaaaaaaaaaaa", "fake": "aaaaaaaaaaaa"})
+
+dopass2 = False
+
+
+############################################################################
+#
+# This server will serve valid and spoofed answers. A spoofed answer will
+# have the address 10.53.0.10 included.
+#
+# When receiving a query over UDP:
+#
+# A query to "nocookie"/A will result in a spoofed answer with no cookie set.
+# A query to "tcponly"/A will result in a spoofed answer with no cookie set.
+# A query to "withtsig"/A will result in two responses, the first is a spoofed
+# answer that is TSIG signed, the second is a valid answer with a cookie set.
+# A query to anything else will result in a valid answer with a cookie set.
+#
+# When receiving a query over TCP:
+#
+# A query to "nocookie"/A will result in a valid answer with no cookie set.
+# A query to anything else will result in a valid answer with a cookie set.
+#
+############################################################################
+def create_response(msg, tcp, first, ns10):
+    global dopass2
+    m = dns.message.from_wire(msg, keyring=keyring)
+    qname = m.question[0].name.to_text()
+    lqname = qname.lower()
+    labels = lqname.split(".")
+    rrtype = m.question[0].rdtype
+    typename = dns.rdatatype.to_text(rrtype)
+
+    with open("query.log", "a") as f:
+        f.write("%s %s\n" % (typename, qname))
+        print("%s %s" % (typename, qname), end=" ")
+
+    r = dns.message.make_response(m)
+    r.set_rcode(NOERROR)
+    if rrtype == A:
+        # exempt potential nameserver A records.
+        if labels[0] == "ns" and ns10:
+            r.answer.append(dns.rrset.from_text(qname, 1, IN, A, "10.53.0.10"))
+        else:
+            r.answer.append(dns.rrset.from_text(qname, 1, IN, A, "10.53.0.9"))
+        if not tcp and labels[0] == "nocookie":
+            r.answer.append(dns.rrset.from_text(qname, 1, IN, A, "10.53.0.10"))
+        if not tcp and labels[0] == "tcponly":
+            r.answer.append(dns.rrset.from_text(qname, 1, IN, A, "10.53.0.10"))
+        if first and not tcp and labels[0] == "withtsig":
+            r.answer.append(dns.rrset.from_text(qname, 1, IN, A, "10.53.0.10"))
+            dopass2 = True
+    elif rrtype == NS:
+        r.answer.append(dns.rrset.from_text(qname, 1, IN, NS, "."))
+    elif rrtype == SOA:
+        r.answer.append(dns.rrset.from_text(qname, 1, IN, SOA, ". . 0 0 0 0 0"))
+    else:
+        r.authority.append(dns.rrset.from_text(qname, 1, IN, SOA, ". . 0 0 0 0 0"))
+    # Add a server cookie to the response
+    if labels[0] != "nocookie":
+        for o in m.options:
+            if o.otype == 10:  # Use 10 instead of COOKIE
+                if first and labels[0] == "withtsig" and not tcp:
+                    r.use_tsig(
+                        keyring=keyring,
+                        keyname=dns.name.from_text("fake"),
+                        algorithm=HMAC_SHA256,
+                    )
+                elif labels[0] != "tcponly" or tcp:
+                    cookie = o
+                    if len(o.data) == 8:
+                        cookie.data = o.data + o.data
+                    else:
+                        cookie.data = o.data
+                    r.use_edns(options=[cookie])
+    r.flags |= dns.flags.AA
+    return r
+
+
+def sigterm(signum, frame):
+    print("Shutting down now...")
+    os.remove("ans.pid")
+    running = False
+    sys.exit(0)
+
+
+############################################################################
+# Main
+#
+# Set up responder and control channel, open the pid file, and start
+# the main loop, listening for queries on the query channel or commands
+# on the control channel and acting on them.
+############################################################################
+ip4_addr1 = "10.53.0.9"
+ip4_addr2 = "10.53.0.10"
+ip6_addr1 = "fd92:7065:b8e:ffff::9"
+ip6_addr2 = "fd92:7065:b8e:ffff::10"
+
+try:
+    port = int(os.environ["PORT"])
+except:
+    port = 5300
+
+query4_udp1 = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+query4_udp1.bind((ip4_addr1, port))
+query4_tcp1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+query4_tcp1.bind((ip4_addr1, port))
+query4_tcp1.listen(1)
+query4_tcp1.settimeout(1)
+
+query4_udp2 = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+query4_udp2.bind((ip4_addr2, port))
+query4_tcp2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+query4_tcp2.bind((ip4_addr2, port))
+query4_tcp2.listen(1)
+query4_tcp2.settimeout(1)
+
+havev6 = True
+query6_udp1 = None
+query6_udp2 = None
+query6_tcp1 = None
+query6_tcp2 = None
+try:
+    query6_udp1 = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
+    query6_udp1.bind((ip6_addr1, port))
+    query6_tcp1 = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
+    query6_tcp1.bind((ip6_addr1, port))
+    query6_tcp1.listen(1)
+    query6_tcp1.settimeout(1)
+
+    query6_udp2 = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
+    query6_udp2.bind((ip6_addr2, port))
+    query6_tcp2 = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
+    query6_tcp2.bind((ip6_addr2, port))
+    query6_tcp2.listen(1)
+    query6_tcp2.settimeout(1)
+except:
+    if query6_udp1 != None:
+        query6_udp1.close()
+    if query6_tcp1 != None:
+        query6_tcp1.close()
+    if query6_udp2 != None:
+        query6_udp2.close()
+    if query6_tcp2 != None:
+        query6_tcp2.close()
+    havev6 = False
+
+signal.signal(signal.SIGTERM, sigterm)
+
+f = open("ans.pid", "w")
+pid = os.getpid()
+print(pid, file=f)
+f.close()
+
+running = True
+
+print("Using DNS version %s" % dns.version.version)
+print("Listening on %s port %d" % (ip4_addr1, port))
+print("Listening on %s port %d" % (ip4_addr2, port))
+if havev6:
+    print("Listening on %s port %d" % (ip6_addr1, port))
+    print("Listening on %s port %d" % (ip6_addr2, port))
+print("Ctrl-c to quit")
+
+if havev6:
+    input = [
+        query4_udp1,
+        query6_udp1,
+        query4_tcp1,
+        query6_tcp1,
+        query4_udp2,
+        query6_udp2,
+        query4_tcp2,
+        query6_tcp2,
+    ]
+else:
+    input = [query4_udp1, query4_tcp1, query4_udp2, query4_tcp2]
+
+while running:
+    try:
+        inputready, outputready, exceptready = select.select(input, [], [])
+    except select.error as e:
+        break
+    except socket.error as e:
+        break
+    except KeyboardInterrupt:
+        break
+
+    for s in inputready:
+        ns10 = False
+        if s == query4_udp1 or s == query6_udp1 or s == query4_udp2 or s == query6_udp2:
+            if s == query4_udp1 or s == query6_udp1:
+                print(
+                    "UDP Query received on %s"
+                    % (ip4_addr1 if s == query4_udp1 else ip6_addr1),
+                    end=" ",
+                )
+            if s == query4_udp2 or s == query6_udp2:
+                print(
+                    "UDP Query received on %s"
+                    % (ip4_addr2 if s == query4_udp2 else ip6_addr2),
+                    end=" ",
+                )
+                ns10 = True
+            # Handle incoming queries
+            msg = s.recvfrom(65535)
+            dopass2 = False
+            rsp = create_response(msg[0], False, True, ns10)
+            print(dns.rcode.to_text(rsp.rcode()))
+            s.sendto(rsp.to_wire(), msg[1])
+            if dopass2:
+                print("Sending second UDP response without TSIG", end=" ")
+                rsp = create_response(msg[0], False, False, ns10)
+                s.sendto(rsp.to_wire(), msg[1])
+                print(dns.rcode.to_text(rsp.rcode()))
+
+        if s == query4_tcp1 or s == query6_tcp1 or s == query4_tcp2 or s == query6_tcp2:
+            try:
+                (cs, _) = s.accept()
+                if s == query4_tcp1 or s == query6_tcp1:
+                    print(
+                        "TCP Query received on %s"
+                        % (ip4_addr1 if s == query4_tcp1 else ip6_addr1),
+                        end=" ",
+                    )
+                if s == query4_tcp2 or s == query6_tcp2:
+                    print(
+                        "TCP Query received on %s"
+                        % (ip4_addr2 if s == query4_tcp2 else ip6_addr2),
+                        end=" ",
+                    )
+                    ns10 = True
+                # get TCP message length
+                buf = cs.recv(2)
+                length = struct.unpack(">H", buf[:2])[0]
+                # grep DNS message
+                msg = cs.recv(length)
+                rsp = create_response(msg, True, True, ns10)
+                print(dns.rcode.to_text(rsp.rcode()))
+                wire = rsp.to_wire()
+                cs.send(struct.pack(">H", len(wire)))
+                cs.send(wire)
+                cs.close()
+            except s.timeout:
+                pass
+    if not running:
+        break
diff --git a/bin/tests/system/cookie/bad-cookie-badaes.conf b/bin/tests/system/cookie/bad-cookie-badaes.conf
new file mode 100644
index 0000000..7d8cfe3
--- /dev/null
+++ b/bin/tests/system/cookie/bad-cookie-badaes.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	cookie-algorithm aes;
+	cookie-secret "ebc7701beabb4a40c57d140eeb6733faaa";  // 136 bits
+};
diff --git a/bin/tests/system/cookie/bad-cookie-badhex.conf b/bin/tests/system/cookie/bad-cookie-badhex.conf
new file mode 100644
index 0000000..43c11ad
--- /dev/null
+++ b/bin/tests/system/cookie/bad-cookie-badhex.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	cookie-secret "012345678901234567890123456789012345678901234567890123456789012";
+};
diff --git a/bin/tests/system/cookie/bad-cookie-badsiphash24.conf b/bin/tests/system/cookie/bad-cookie-badsiphash24.conf
new file mode 100644
index 0000000..25ff78f
--- /dev/null
+++ b/bin/tests/system/cookie/bad-cookie-badsiphash24.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	cookie-algorithm siphash24;
+	cookie-secret "ebc7701beabb4a40c57d140eeb6733faaabbccdd";  // 160 bits
+};
diff --git a/bin/tests/system/cookie/bad-cookie-toolong.conf b/bin/tests/system/cookie/bad-cookie-toolong.conf
new file mode 100644
index 0000000..5ea67b9
--- /dev/null
+++ b/bin/tests/system/cookie/bad-cookie-toolong.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	cookie-secret "01234567890123456789012345678901234567890123456789012345678901234567890";
+};
diff --git a/bin/tests/system/cookie/clean.sh b/bin/tests/system/cookie/clean.sh
new file mode 100644
index 0000000..2c10757
--- /dev/null
+++ b/bin/tests/system/cookie/clean.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f ns*/named.conf
+rm -f dig.out.*
+rm -f named.run.*
+rm -f rndc.out.*
+rm -f ns1/named_dump.db*
+rm -f ns*/named.memstats
+rm -f ns*/named.run
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind*
+rm -f ns*/named.run.prev
+rm -f ans*/ans.run ans*/ans.log ans*/query.log
diff --git a/bin/tests/system/cookie/good-cookie-aes.conf b/bin/tests/system/cookie/good-cookie-aes.conf
new file mode 100644
index 0000000..97a6f67
--- /dev/null
+++ b/bin/tests/system/cookie/good-cookie-aes.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	cookie-algorithm aes;
+	cookie-secret "ebc7701beabb4a40c57d140eeb6733fa";  // 128 bits
+};
diff --git a/bin/tests/system/cookie/good-cookie-siphash24.conf b/bin/tests/system/cookie/good-cookie-siphash24.conf
new file mode 100644
index 0000000..c937d71
--- /dev/null
+++ b/bin/tests/system/cookie/good-cookie-siphash24.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	cookie-algorithm siphash24;
+	cookie-secret "ebc7701beabb4a40c57d140eeb6733fa";  // 128 bits
+};
diff --git a/bin/tests/system/cookie/ns1/example.db b/bin/tests/system/cookie/ns1/example.db
new file mode 100644
index 0000000..75a6d3c
--- /dev/null
+++ b/bin/tests/system/cookie/ns1/example.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@	SOA	ns1 hostmaster.isc.org. 1 600 600 1200 600
+@ 	NS	ns1
+ns1 	A	10.53.0.1
+large	TXT	( large large large large large large large large
+		  large large large large large large large large
+		  large large large large large large large large
+		  large large large large large large large large
+		  large large large large large large large large
+		  large large large large large large large large
+		  large large large large large large large large
+		  large large large large large large large large
+		  large large large large large large large large
+		  large large large large large large large large )
diff --git a/bin/tests/system/cookie/ns1/named.conf.in b/bin/tests/system/cookie/ns1/named.conf.in
new file mode 100644
index 0000000..129a9b1
--- /dev/null
+++ b/bin/tests/system/cookie/ns1/named.conf.in
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+key foo {
+	secret "aaaaaaaaaaaa";
+	algorithm hmac-sha256;
+};
+
+server 10.53.0.10 {
+	keys foo;
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.1 dscp 1;
+	notify-source 10.53.0.1 dscp 2;
+	transfer-source 10.53.0.1 dscp 3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	deny-answer-addresses { 192.0.2.0/24; 2001:db8:beef::/48; }
+		 except-from { "example.org"; };
+	deny-answer-aliases { "example.org"; }
+		except-from { "goodcname.example.net";
+			      "gooddname.example.net"; };
+	allow-query {!10.53.0.8; any; };
+	send-cookie yes;
+	nocookie-udp-size 512;
+};
+
+zone "." {
+	type hint;
+	file "root.hint";
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+};
diff --git a/bin/tests/system/cookie/ns1/root.hint b/bin/tests/system/cookie/ns1/root.hint
new file mode 100644
index 0000000..993227d
--- /dev/null
+++ b/bin/tests/system/cookie/ns1/root.hint
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 999999
+.			 IN NS	a.root-servers.nil.
+a.root-servers.nil.	 IN A	10.53.0.2
diff --git a/bin/tests/system/cookie/ns2/named.conf.in b/bin/tests/system/cookie/ns2/named.conf.in
new file mode 100644
index 0000000..ef08125
--- /dev/null
+++ b/bin/tests/system/cookie/ns2/named.conf.in
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.2 dscp 1;
+	notify-source 10.53.0.2 dscp 2;
+	transfer-source 10.53.0.2 dscp 3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+	send-cookie yes;
+	nocookie-udp-size 512;
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
diff --git a/bin/tests/system/cookie/ns2/root.db b/bin/tests/system/cookie/ns2/root.db
new file mode 100644
index 0000000..533ab88
--- /dev/null
+++ b/bin/tests/system/cookie/ns2/root.db
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@	SOA	a.root-servers.nil. hostmaster.isc.org. 1 600 600 1200 600
+@ 	NS	a.root-servers.nil.
+a.root-servers.nil. A	10.53.0.2
+large.xxx TXT	( large large large large large large large large
+		  large large large large large large large large
+		  large large large large large large large large
+		  large large large large large large large large
+		  large large large large large large large large
+		  large large large large large large large large
+		  large large large large large large large large
+		  large large large large large large large large
+		  large large large large large large large large
+		  large large large large large large large large )
+tld.	NS	ns.tld.
+ns.tld	A	10.53.0.9
+tsig.	NS	ns.tsig.
+ns.tsig	A	10.53.0.10
diff --git a/bin/tests/system/cookie/ns3/named.conf.in b/bin/tests/system/cookie/ns3/named.conf.in
new file mode 100644
index 0000000..8b2ad79
--- /dev/null
+++ b/bin/tests/system/cookie/ns3/named.conf.in
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.3 dscp 1;
+	notify-source 10.53.0.3 dscp 2;
+	transfer-source 10.53.0.3 dscp 3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	deny-answer-addresses { 192.0.2.0/24; 2001:db8:beef::/48; }
+		 except-from { "example.org"; };
+	deny-answer-aliases { "example.org"; }
+		except-from { "goodcname.example.net";
+			      "gooddname.example.net"; };
+	allow-query {!10.53.0.8; any; };
+	send-cookie yes;
+	nocookie-udp-size 512;
+	require-server-cookie yes;
+};
+
+zone "." {
+	type hint;
+	file "root.hint";
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+};
diff --git a/bin/tests/system/cookie/ns3/root.hint b/bin/tests/system/cookie/ns3/root.hint
new file mode 100644
index 0000000..993227d
--- /dev/null
+++ b/bin/tests/system/cookie/ns3/root.hint
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 999999
+.			 IN NS	a.root-servers.nil.
+a.root-servers.nil.	 IN A	10.53.0.2
diff --git a/bin/tests/system/cookie/ns4/named.conf.in b/bin/tests/system/cookie/ns4/named.conf.in
new file mode 100644
index 0000000..0b14272
--- /dev/null
+++ b/bin/tests/system/cookie/ns4/named.conf.in
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	cookie-algorithm siphash24;
+	cookie-secret "569d36a6cc27d6bf55502183302ba352";
+	require-server-cookie yes;
+};
+
+zone "." {
+	type hint;
+	file "root.hint";
+};
diff --git a/bin/tests/system/cookie/ns4/root.hint b/bin/tests/system/cookie/ns4/root.hint
new file mode 100644
index 0000000..993227d
--- /dev/null
+++ b/bin/tests/system/cookie/ns4/root.hint
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 999999
+.			 IN NS	a.root-servers.nil.
+a.root-servers.nil.	 IN A	10.53.0.2
diff --git a/bin/tests/system/cookie/ns5/named.conf.in b/bin/tests/system/cookie/ns5/named.conf.in
new file mode 100644
index 0000000..2aabc5a
--- /dev/null
+++ b/bin/tests/system/cookie/ns5/named.conf.in
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.5;
+	notify-source 10.53.0.5;
+	transfer-source 10.53.0.5;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.5; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	cookie-algorithm siphash24;
+	cookie-secret "569d36a6cc27d6bf55502183302ba352";
+	cookie-secret "6b300e27a0db46d4b046e4189790fa7d";
+	require-server-cookie yes;
+};
+
+zone "." {
+	type hint;
+	file "root.hint";
+};
diff --git a/bin/tests/system/cookie/ns5/root.hint b/bin/tests/system/cookie/ns5/root.hint
new file mode 100644
index 0000000..993227d
--- /dev/null
+++ b/bin/tests/system/cookie/ns5/root.hint
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 999999
+.			 IN NS	a.root-servers.nil.
+a.root-servers.nil.	 IN A	10.53.0.2
diff --git a/bin/tests/system/cookie/ns6/named.conf.in b/bin/tests/system/cookie/ns6/named.conf.in
new file mode 100644
index 0000000..2bf3793
--- /dev/null
+++ b/bin/tests/system/cookie/ns6/named.conf.in
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.6;
+	notify-source 10.53.0.6;
+	transfer-source 10.53.0.6;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.6; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	cookie-algorithm siphash24;
+	cookie-secret "6b300e27a0db46d4b046e4189790fa7d";
+	require-server-cookie yes;
+};
+
+zone "." {
+	type hint;
+	file "root.hint";
+};
diff --git a/bin/tests/system/cookie/ns6/root.hint b/bin/tests/system/cookie/ns6/root.hint
new file mode 100644
index 0000000..993227d
--- /dev/null
+++ b/bin/tests/system/cookie/ns6/root.hint
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 999999
+.			 IN NS	a.root-servers.nil.
+a.root-servers.nil.	 IN A	10.53.0.2
diff --git a/bin/tests/system/cookie/ns7/named.conf.in b/bin/tests/system/cookie/ns7/named.conf.in
new file mode 100644
index 0000000..c9518ae
--- /dev/null
+++ b/bin/tests/system/cookie/ns7/named.conf.in
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.7 dscp 1;
+	notify-source 10.53.0.7 dscp 2;
+	transfer-source 10.53.0.7 dscp 3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.7; };
+	listen-on-v6 { none; };
+	recursion no;
+	answer-cookie no;
+	send-cookie yes;
+	nocookie-udp-size 512;
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
diff --git a/bin/tests/system/cookie/ns7/root.db b/bin/tests/system/cookie/ns7/root.db
new file mode 100644
index 0000000..39a63da
--- /dev/null
+++ b/bin/tests/system/cookie/ns7/root.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@	SOA	a.root-servers.nil. hostmaster.isc.org. 1 600 600 1200 600
+@ 	NS	a.root-servers.nil.
+a.root-servers.nil. A	10.53.0.2
+large.xxx TXT	( large large large large large large large large
+		  large large large large large large large large
+		  large large large large large large large large
+		  large large large large large large large large
+		  large large large large large large large large
+		  large large large large large large large large
+		  large large large large large large large large
+		  large large large large large large large large
+		  large large large large large large large large
+		  large large large large large large large large )
diff --git a/bin/tests/system/cookie/ns8/example.db b/bin/tests/system/cookie/ns8/example.db
new file mode 100644
index 0000000..7fa64d6
--- /dev/null
+++ b/bin/tests/system/cookie/ns8/example.db
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@	3600	SOA	. . 0 0 0 0 0
+@	3600	NS	.
diff --git a/bin/tests/system/cookie/ns8/named.conf.in b/bin/tests/system/cookie/ns8/named.conf.in
new file mode 100644
index 0000000..1a9697b
--- /dev/null
+++ b/bin/tests/system/cookie/ns8/named.conf.in
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.8 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.8;
+	notify-source 10.53.0.8;
+	transfer-source 10.53.0.8;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.8; };
+	listen-on-v6 { none; };
+	dnssec-validation yes;
+	rate-limit {};
+	require-server-cookie yes;
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+};
diff --git a/bin/tests/system/cookie/prereq.sh b/bin/tests/system/cookie/prereq.sh
new file mode 100644
index 0000000..ad8bbe3
--- /dev/null
+++ b/bin/tests/system/cookie/prereq.sh
@@ -0,0 +1,33 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+if test -n "$PYTHON"
+then
+    if $PYTHON -c "import dns" 2> /dev/null
+    then
+        :
+    else
+        echo_i "This test requires the dnspython module." >&2
+        exit 1
+    fi
+else
+    echo_i "This test requires Python and the dnspython module." >&2
+    exit 1
+fi
+
+exit 0
diff --git a/bin/tests/system/cookie/setup.sh b/bin/tests/system/cookie/setup.sh
new file mode 100644
index 0000000..c679d03
--- /dev/null
+++ b/bin/tests/system/cookie/setup.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+copy_setports ns6/named.conf.in ns6/named.conf
+copy_setports ns7/named.conf.in ns7/named.conf
+copy_setports ns8/named.conf.in ns8/named.conf
diff --git a/bin/tests/system/cookie/tests.sh b/bin/tests/system/cookie/tests.sh
new file mode 100755
index 0000000..29ace6f
--- /dev/null
+++ b/bin/tests/system/cookie/tests.sh
@@ -0,0 +1,515 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="-p ${PORT}"
+RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
+
+status=0
+n=0
+
+getcookie() {
+	awk '$2 == "COOKIE:" {
+		print $3;
+	}' < $1 | tr -d '\r'
+}
+
+fullcookie() {
+	awk 'BEGIN { n = 0 }
+	     // { v[n++] = length(); }
+	     END { print (v[1] == v[2]); }'
+}
+
+havetc() {
+	grep 'flags:.* tc[^;]*;' $1 > /dev/null
+}
+
+for bad in bad*.conf
+do
+	n=`expr $n + 1`
+	echo_i "checking that named-checkconf detects error in $bad ($n)"
+	ret=0
+	$CHECKCONF $bad > /dev/null 2>&1 && ret=1
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=`expr $status + $ret`
+done
+
+for good in good*.conf
+do
+	n=`expr $n + 1`
+	echo_i "checking that named-checkconf detects accepts $good ($n)"
+	ret=0
+	$CHECKCONF $good > /dev/null 2>&1 || ret=1
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=`expr $status + $ret`
+done
+
+n=`expr $n + 1`
+echo_i "checking RCODE=FORMERR to query without question section and without COOKIE option ($n)"
+ret=0
+$DIG $DIGOPTS +qr +header-only +nocookie version.bind txt ch @10.53.0.1 > dig.out.test$n
+grep COOKIE: dig.out.test$n > /dev/null && ret=1
+grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking RCODE=NOERROR to query without question section and with COOKIE option ($n)"
+ret=0
+$DIG $DIGOPTS +qr +header-only +cookie version.bind txt ch @10.53.0.1 > dig.out.test$n
+grep COOKIE: dig.out.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking COOKIE token is returned to empty COOKIE option ($n)"
+ret=0
+$DIG $DIGOPTS +cookie version.bind txt ch @10.53.0.1 > dig.out.test$n
+grep COOKIE: dig.out.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking COOKIE is not returned when answer-cookie is false ($n)"
+ret=0
+$DIG $DIGOPTS +cookie version.bind txt ch @10.53.0.7 > dig.out.test$n
+grep COOKIE: dig.out.test$n > /dev/null && ret=1
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking response size without COOKIE ($n)"
+ret=0
+$DIG $DIGOPTS large.example txt @10.53.0.1 +ignore > dig.out.test$n
+havetc dig.out.test$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking response size without valid COOKIE ($n)"
+ret=0
+$DIG $DIGOPTS +cookie large.example txt @10.53.0.1 +ignore > dig.out.test$n
+havetc dig.out.test$n || ret=1
+grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking response size with COOKIE ($n)"
+ret=0
+$DIG $DIGOPTS +cookie large.example txt @10.53.0.1 > dig.out.test$n.l
+cookie=`getcookie dig.out.test$n.l`
+$DIG $DIGOPTS +qr +cookie=$cookie large.example txt @10.53.0.1 +ignore > dig.out.test$n
+havetc dig.out.test$n && ret=1
+grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking response size with COOKIE recursive ($n)"
+ret=0
+$DIG $DIGOPTS +qr +cookie=$cookie large.xxx txt @10.53.0.1 +ignore > dig.out.test$n
+havetc dig.out.test$n && ret=1
+grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking COOKIE is learnt for TCP retry ($n)"
+ret=0
+$DIG $DIGOPTS +qr +cookie large.example txt @10.53.0.1 > dig.out.test$n
+linecount=`getcookie dig.out.test$n | wc -l`
+if [ $linecount != 3 ]; then ret=1; fi
+checkfull=`getcookie dig.out.test$n | fullcookie`
+if [ $checkfull != 1 ]; then ret=1; fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking for COOKIE value in adb ($n)"
+ret=0
+rndc_dumpdb ns1
+grep "10.53.0.2.*\[cookie=" ns1/named_dump.db.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking require-server-cookie default (no) ($n)"
+ret=0
+$DIG $DIGOPTS +qr +cookie +nobadcookie soa @10.53.0.1 > dig.out.test$n
+grep BADCOOKIE dig.out.test$n > /dev/null && ret=1
+linecount=`getcookie dig.out.test$n | wc -l`
+if [ $linecount != 2 ]; then ret=1; fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking require-server-cookie yes ($n)"
+ret=0
+$DIG $DIGOPTS +qr +cookie +nobadcookie soa @10.53.0.3 > dig.out.test$n
+grep "flags: qr[^;]* aa[ ;]" dig.out.test$n > /dev/null && ret=1
+grep "flags: qr[^;]* ad[ ;]" dig.out.test$n > /dev/null && ret=1
+grep BADCOOKIE dig.out.test$n > /dev/null || ret=1
+linecount=`getcookie dig.out.test$n | wc -l`
+if [ $linecount != 2 ]; then ret=1; fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking require-server-cookie yes with rate-limit ($n)"
+ret=0
+$DIG $DIGOPTS +qr +cookie +nobadcookie soa example @10.53.0.8 > dig.out.test$n
+grep "flags: qr[^;]* ad[ ;]" dig.out.test$n > /dev/null && ret=1
+grep BADCOOKIE dig.out.test$n > /dev/null || ret=1
+linecount=`getcookie dig.out.test$n | wc -l`
+if [ $linecount != 2 ]; then ret=1; fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "send undersized cookie ($n)"
+ret=0
+$DIG $DIGOPTS +qr +cookie=000000 soa @10.53.0.1 > dig.out.test$n || ret=1
+grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "send oversized for named cookie ($n)"
+ret=0
+$DIG $DIGOPTS +qr +cookie=${cookie}00 soa @10.53.0.1 > dig.out.test$n || ret=1
+grep "COOKIE: [a-f0-9]* (good)" dig.out.test$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "send oversized for named cookie with server requiring a good cookie ($n)"
+ret=0
+$DIG $DIGOPTS +qr +cookie=${cookie}00 soa @10.53.0.3 > dig.out.test$n || ret=1
+grep "COOKIE: [a-f0-9]* (good)" dig.out.test$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+#
+# Test shared cookie-secret support.
+#
+# NS4 has cookie-secret "569d36a6cc27d6bf55502183302ba352";
+#
+# NS5 has cookie-secret "569d36a6cc27d6bf55502183302ba352";
+# NS5 has cookie-secret "6b300e27a0db46d4b046e4189790fa7d"; (alternate)
+#
+# NS6 has cookie-secret "6b300e27a0db46d4b046e4189790fa7d";
+#
+# Server cookies from NS4 are accepted by NS5 and not NS6
+# Server cookies from NS5 are accepted by NS4 and not NS6
+# Server cookies from NS6 are accepted by NS5 and not NS4
+#
+# Force local address so that the client's address is the same to all servers.
+#
+
+n=`expr $n + 1`
+echo_i "get NS4 cookie for cross server checking ($n)"
+ret=0
+$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.4 > dig.out.test$n
+grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
+ns4cookie=`getcookie dig.out.test$n`
+test -n "$ns4cookie" || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "get NS5 cookie for cross server checking ($n)"
+ret=0
+$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.5 > dig.out.test$n
+grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
+ns5cookie=`getcookie dig.out.test$n`
+test -n "$ns5cookie" || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "get NS6 cookie for cross server checking ($n)"
+ret=0
+$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.6 > dig.out.test$n
+grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
+ns6cookie=`getcookie dig.out.test$n`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "test NS4 cookie on NS5 (expect success) ($n)"
+ret=0
+$DIG $DIGOPTS +cookie=$ns4cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.5 > dig.out.test$n
+grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
+grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "test NS4 cookie on NS6 (expect badcookie) ($n)"
+ret=0
+$DIG $DIGOPTS +cookie=$ns4cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.6 > dig.out.test$n
+grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
+grep "status: BADCOOKIE," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "test NS5 cookie on NS4 (expect success) ($n)"
+ret=0
+$DIG $DIGOPTS +cookie=$ns5cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.4 > dig.out.test$n
+grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
+grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "test NS5 cookie on NS6 (expect badcookie) ($n)"
+ret=0
+$DIG $DIGOPTS +cookie=$ns5cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.6 > dig.out.test$n
+grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
+grep "status: BADCOOKIE," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "test NS6 cookie on NS4 (expect badcookie) ($n)"
+ret=0
+$DIG $DIGOPTS +cookie=$ns6cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.4 > dig.out.test$n
+grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
+grep "status: BADCOOKIE," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "test NS6 cookie on NS5 (expect success) ($n)"
+ret=0
+$DIG $DIGOPTS +cookie=$ns6cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.5 > dig.out.test$n
+grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1
+grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that test server is correctly configured ($n)"
+ret=0
+pat="; COOKIE: ................................ (good)"
+#UDP
+$DIG $DIGOPTS @10.53.0.9 +notcp tld > dig.out.test$n.1
+grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1
+grep "$pat" dig.out.test$n.1 > /dev/null || ret=1
+grep 'A.10\.53\.0\.9' dig.out.test$n.1 > /dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.test$n.1 > /dev/null && ret=1
+grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1
+
+$DIG $DIGOPTS @10.53.0.9 +notcp tcponly.tld > dig.out.test$n.2
+grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1
+grep "; COOKIE:" dig.out.test$n.2 > /dev/null && ret=1
+grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null  || ret=1
+grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1
+
+$DIG $DIGOPTS @10.53.0.9 +notcp nocookie.tld > dig.out.test$n.3
+grep "status: NOERROR" dig.out.test$n.3 > /dev/null || ret=1
+grep "; COOKIE:" dig.out.test$n.3 > /dev/null && ret=1
+grep 'A.10\.53\.0\.9' dig.out.test$n.3 > /dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.test$n.3 > /dev/null  || ret=1
+grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1
+
+$DIG $DIGOPTS @10.53.0.9 +notcp withtsig.tld > dig.out.test$n.4
+grep "status: NOERROR" dig.out.test$n.4 > /dev/null || ret=1
+grep "; COOKIE:" dig.out.test$n.4 > /dev/null && ret=1
+grep 'A.10\.53\.0\.9' dig.out.test$n.4 > /dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.test$n.4 > /dev/null || ret=1
+grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.4 > /dev/null || ret=1
+
+#TCP
+$DIG $DIGOPTS @10.53.0.9 +tcp tld > dig.out.test$n.5
+grep "status: NOERROR" dig.out.test$n.5 > /dev/null || ret=1
+grep "$pat" dig.out.test$n.5 > /dev/null || ret=1
+grep 'A.10\.53\.0\.9' dig.out.test$n.5 > /dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.test$n.5 > /dev/null && ret=1
+grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1
+
+$DIG $DIGOPTS @10.53.0.9 +tcp tcponly.tld > dig.out.test$n.6
+grep "status: NOERROR" dig.out.test$n.6 > /dev/null || ret=1
+grep "$pat" dig.out.test$n.6 > /dev/null || ret=1
+grep 'A.10\.53\.0\.9' dig.out.test$n.6 > /dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.test$n.6 > /dev/null && ret=1
+grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1
+
+$DIG $DIGOPTS @10.53.0.9 +tcp nocookie.tld > dig.out.test$n.7
+grep "status: NOERROR" dig.out.test$n.7 > /dev/null || ret=1
+grep "; COOKIE:" dig.out.test$n.7 > /dev/null && ret=1
+grep 'A.10\.53\.0\.9' dig.out.test$n.7 > /dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.test$n.7 > /dev/null && ret=1
+grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1
+
+$DIG $DIGOPTS @10.53.0.9 +tcp withtsig.tld > dig.out.test$n.8
+grep "status: NOERROR" dig.out.test$n.8 > /dev/null || ret=1
+grep "$pat" dig.out.test$n.8 > /dev/null || ret=1
+grep 'A.10\.53\.0\.9' dig.out.test$n.8 > /dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.test$n.8 > /dev/null && ret=1
+grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.8 > /dev/null && ret=1
+
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that spoofed response is dropped when we have a server cookie ($n)"
+ret=0
+msg="missing expected cookie from"
+pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl'
+# prime EDNS COOKIE state
+$DIG $DIGOPTS @10.53.0.1 tld > dig.out.test$n.1
+grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1
+rndc_dumpdb ns1
+grep "$pat" ns1/named_dump.db.test$n > /dev/null || ret=1
+# spoofed response contains 10.53.0.10
+nextpart ns1/named.run >/dev/null
+$DIG $DIGOPTS @10.53.0.1 tcponly.tld > dig.out.test$n.2
+wait_for_log 5 "$msg" ns1/named.run || ret=1
+grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1
+grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that gracefully handle server disabling DNS COOKIE we have a server cookie ($n)"
+ret=0
+msg="missing expected cookie from"
+pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl'
+# prime EDNS COOKIE state
+$DIG $DIGOPTS @10.53.0.1 tld > dig.out.test$n.1
+grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1
+rndc_dumpdb ns1
+grep "$pat" ns1/named_dump.db.test$n > /dev/null || ret=1
+# check the disabled server response
+nextpart ns1/named.run >/dev/null
+$DIG $DIGOPTS @10.53.0.1 nocookie.tld > dig.out.test$n.2
+wait_for_log 5 "$msg" ns1/named.run || ret=1
+grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1
+grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that spoofed response with a TSIG is dropped when we have a server cookie ($n)"
+ret=0
+pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl'
+# prime EDNS COOKIE state
+$DIG $DIGOPTS @10.53.0.1 tld > dig.out.test$n.1
+grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1
+rndc_dumpdb ns1
+grep "$pat" ns1/named_dump.db.test$n > /dev/null || ret=1
+# spoofed response contains 10.53.0.10
+nextpart ns1/named.run >/dev/null
+$DIG $DIGOPTS @10.53.0.1 withtsig.tld > dig.out.test$n.2
+grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1
+grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null && ret=1
+nextpart ns1/named.run > named.run.test$n
+count=$(grep -c ') [0-9][0-9]* NOERROR 0' named.run.test$n)
+test $count -eq 1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+if $PYTHON -c '
+import dns.version, sys;
+if dns.version.MAJOR > 1: sys.exit(0);
+if dns.version.MAJOR == 1 and dns.version.MINOR >= 16: sys.exit(0);
+sys.exit(1)'
+then
+  n=`expr $n + 1`
+  echo_i "check that TSIG test server is correctly configured ($n)"
+  ret=0
+  pat="; COOKIE: ................................ (good)"
+  key=hmac-sha256:foo:aaaaaaaaaaaa
+  #UDP
+  $DIG $DIGOPTS @10.53.0.10 -y $key +notcp tsig. > dig.out.test$n.1
+  grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1
+  grep "$pat" dig.out.test$n.1 > /dev/null || ret=1
+  grep 'A.10\.53\.0\.9' dig.out.test$n.1 > /dev/null || ret=1
+  grep 'A.10\.53\.0\.10' dig.out.test$n.1 > /dev/null && ret=1
+  grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1
+
+  $DIG $DIGOPTS @10.53.0.10 -y $key +notcp tcponly.tsig > dig.out.test$n.2
+  grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1
+  grep "; COOKIE:" dig.out.test$n.2 > /dev/null && ret=1
+  grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1
+  grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null  || ret=1
+  grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1
+
+  $DIG $DIGOPTS @10.53.0.10 -y $key +notcp nocookie.tsig > dig.out.test$n.3
+  grep "status: NOERROR" dig.out.test$n.3 > /dev/null || ret=1
+  grep "; COOKIE:" dig.out.test$n.3 > /dev/null && ret=1
+  grep 'A.10\.53\.0\.9' dig.out.test$n.3 > /dev/null || ret=1
+  grep 'A.10\.53\.0\.10' dig.out.test$n.3 > /dev/null  || ret=1
+  grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1
+
+  #TCP
+  $DIG $DIGOPTS @10.53.0.10 -y $key +tcp tsig. > dig.out.test$n.5
+  grep "status: NOERROR" dig.out.test$n.5 > /dev/null || ret=1
+  grep "$pat" dig.out.test$n.5 > /dev/null || ret=1
+  grep 'A.10\.53\.0\.9' dig.out.test$n.5 > /dev/null || ret=1
+  grep 'A.10\.53\.0\.10' dig.out.test$n.5 > /dev/null && ret=1
+  grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1
+
+  $DIG $DIGOPTS @10.53.0.10 -y $key +tcp tcponly.tsig > dig.out.test$n.6
+  grep "status: NOERROR" dig.out.test$n.6 > /dev/null || ret=1
+  grep "$pat" dig.out.test$n.6 > /dev/null || ret=1
+  grep 'A.10\.53\.0\.9' dig.out.test$n.6 > /dev/null || ret=1
+  grep 'A.10\.53\.0\.10' dig.out.test$n.6 > /dev/null && ret=1
+  grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1
+
+  $DIG $DIGOPTS @10.53.0.10 -y $key +tcp nocookie.tsig > dig.out.test$n.7
+  grep "status: NOERROR" dig.out.test$n.7 > /dev/null || ret=1
+  grep "; COOKIE:" dig.out.test$n.7 > /dev/null && ret=1
+  grep 'A.10\.53\.0\.9' dig.out.test$n.7 > /dev/null || ret=1
+  grep 'A.10\.53\.0\.10' dig.out.test$n.7 > /dev/null && ret=1
+  grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1
+
+  if [ $ret != 0 ]; then echo_i "failed"; fi
+  status=`expr $status + $ret`
+
+  n=`expr $n + 1`
+  echo_i "check that missing COOKIE with a valid TSIG signed response does not trigger TCP fallback ($n)"
+  ret=0
+  pat='10\.53\.0\.10 .*\[cookie=................................\] \[ttl'
+  # prime EDNS COOKIE state
+  $DIG $DIGOPTS @10.53.0.1 tsig. > dig.out.test$n.1
+  grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1
+  rndc_dumpdb ns1
+  grep "$pat" ns1/named_dump.db.test$n > /dev/null || ret=1
+  # check the disabled server response
+  nextpart ns1/named.run >/dev/null
+  $DIG $DIGOPTS @10.53.0.1 nocookie.tsig > dig.out.test$n.2
+  grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1
+  grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1
+  grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null || ret=1
+  nextpart ns1/named.run > named.run.test$n
+  count=$(grep -c ') [0-9][0-9]* NOERROR 0' named.run.test$n)
+  test $count -eq 2 || ret=1
+  if [ $ret != 0 ]; then echo_i "failed"; fi
+  status=`expr $status + $ret`
+fi
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/coverage/01-ksk-inactive/README b/bin/tests/system/coverage/01-ksk-inactive/README
new file mode 100644
index 0000000..8102593
--- /dev/null
+++ b/bin/tests/system/coverage/01-ksk-inactive/README
@@ -0,0 +1,10 @@
+This set includes one KSK rollover.  The KSK is deactivated prior to
+its replacement being activated.  Tool output should resemble:
+
+Checking KSK events for zone example.com, algorithm 7:
+ERROR: After 2012-31-Jul (20:59:14):
+    Inactive: example.com/007/45435 (KSK)
+No KSK's are active
+
+Checking ZSK events for zone example.com, algorithm 7:
+OK
diff --git a/bin/tests/system/coverage/01-ksk-inactive/expect b/bin/tests/system/coverage/01-ksk-inactive/expect
new file mode 100644
index 0000000..3d342b1
--- /dev/null
+++ b/bin/tests/system/coverage/01-ksk-inactive/expect
@@ -0,0 +1,6 @@
+args="-d 1h -m 2h"
+warn=0
+error=1
+ok=1
+retcode=1
+match="No KSK's are active"
diff --git a/bin/tests/system/coverage/02-zsk-inactive/README b/bin/tests/system/coverage/02-zsk-inactive/README
new file mode 100644
index 0000000..5d3fed1
--- /dev/null
+++ b/bin/tests/system/coverage/02-zsk-inactive/README
@@ -0,0 +1,10 @@
+This set includes one ZSK rollover.  The first ZSK is deactivated
+prior to its replacement being activated.  Tool output should resemble:
+
+Checking KSK events for zone example.com, algorithm 7:
+OK
+
+Checking ZSK events for zone example.com, algorithm 7:
+ERROR: After 2012-05-Dec (20:39:32):
+    Inactive: example.com/005/08376 (ZSK)
+No ZSK's are active
diff --git a/bin/tests/system/coverage/02-zsk-inactive/expect b/bin/tests/system/coverage/02-zsk-inactive/expect
new file mode 100644
index 0000000..a905b58
--- /dev/null
+++ b/bin/tests/system/coverage/02-zsk-inactive/expect
@@ -0,0 +1,6 @@
+args="-d 1h -m 2h"
+warn=0
+error=1
+ok=1
+retcode=1
+match="No ZSK's are active"
diff --git a/bin/tests/system/coverage/03-ksk-unpublished/README b/bin/tests/system/coverage/03-ksk-unpublished/README
new file mode 100644
index 0000000..7d8a301
--- /dev/null
+++ b/bin/tests/system/coverage/03-ksk-unpublished/README
@@ -0,0 +1,10 @@
+This set contains one KSK rollover.  The KSK is unpublished before its
+successor is published.  Tool output should resemble:
+
+Checking KSK events for zone example.com, algorithm 7:
+ERROR: After 2012-06-Oct (21:07:57):
+    Delete: example.com/007/23040 (KSK)
+No KSK's are published
+
+Checking ZSK events for zone example.com, algorithm 7:
+OK
diff --git a/bin/tests/system/coverage/03-ksk-unpublished/expect b/bin/tests/system/coverage/03-ksk-unpublished/expect
new file mode 100644
index 0000000..07bbff1
--- /dev/null
+++ b/bin/tests/system/coverage/03-ksk-unpublished/expect
@@ -0,0 +1,8 @@
+args="-d 1h -m 2h"
+warn=1
+error=1
+ok=1
+retcode=1
+match="WARNING: Key .* (KSK) is scheduled for
+deletion before inactivation
+No KSK's are published"
diff --git a/bin/tests/system/coverage/04-zsk-unpublished/README b/bin/tests/system/coverage/04-zsk-unpublished/README
new file mode 100644
index 0000000..5077abf
--- /dev/null
+++ b/bin/tests/system/coverage/04-zsk-unpublished/README
@@ -0,0 +1,10 @@
+This set contains one ZSK rollover.  The ZSK is unpublished before its
+successor is published.  Tool output should resemble:
+
+Checking KSK events for zone example.com, algorithm 7:
+OK
+
+Checking ZSK events for zone example.com, algorithm 7:
+ERROR: After 2012-06-Oct (21:13:45):
+    Delete: example.com/007/25967 (ZSK)
+No ZSK's are published
diff --git a/bin/tests/system/coverage/04-zsk-unpublished/expect b/bin/tests/system/coverage/04-zsk-unpublished/expect
new file mode 100644
index 0000000..450ec24
--- /dev/null
+++ b/bin/tests/system/coverage/04-zsk-unpublished/expect
@@ -0,0 +1,8 @@
+args="-d 1h -m 2h"
+warn=1
+error=1
+ok=1
+retcode=1
+match="WARNING: Key .* (ZSK) is scheduled for
+deletion before inactivation
+No ZSK's are published"
diff --git a/bin/tests/system/coverage/05-ksk-unpub-active/README b/bin/tests/system/coverage/05-ksk-unpub-active/README
new file mode 100644
index 0000000..119c1b2
--- /dev/null
+++ b/bin/tests/system/coverage/05-ksk-unpub-active/README
@@ -0,0 +1,12 @@
+This set includes one KSK rollover.  The first KSK is deleted
+and its successor published prior to the first KSK being deactivated
+and its successor activated.  Tool output should resemble:
+
+Checking KSK events for zone example.com, algorithm 7:
+ERROR: After 2012-05-Dec (21:22:19):
+    Delete: example.com/007/06219 (KSK)
+    Publish: example.com/007/20559 (KSK)
+No KSK's are both active and published
+
+Checking ZSK events for zone example.com, algorithm 7:
+OK
diff --git a/bin/tests/system/coverage/05-ksk-unpub-active/expect b/bin/tests/system/coverage/05-ksk-unpub-active/expect
new file mode 100644
index 0000000..2edfa0e
--- /dev/null
+++ b/bin/tests/system/coverage/05-ksk-unpub-active/expect
@@ -0,0 +1,8 @@
+args="-d 1h -m 2h"
+warn=1
+error=1
+ok=1
+retcode=1
+match="WARNING: Key .* (KSK) is scheduled for
+deletion before inactivation
+No KSK's are both active and published"
diff --git a/bin/tests/system/coverage/06-zsk-unpub-active/README b/bin/tests/system/coverage/06-zsk-unpub-active/README
new file mode 100644
index 0000000..84833f8
--- /dev/null
+++ b/bin/tests/system/coverage/06-zsk-unpub-active/README
@@ -0,0 +1,12 @@
+This set includes one KSK rollover.  The first KSK is deleted
+and its successor published prior to the first KSK being deactivated
+and its successor activated.  Tool output should resemble:
+
+Checking KSK events for zone example.com, algorithm 7:
+OK
+
+Checking ZSK events for zone example.com, algorithm 7:
+ERROR: After 2012-05-Dec (20:44:18):
+    Delete: example.com/007/26369 (ZSK)
+    Publish: example.com/007/21029 (ZSK)
+No ZSK's are both active and published
diff --git a/bin/tests/system/coverage/06-zsk-unpub-active/expect b/bin/tests/system/coverage/06-zsk-unpub-active/expect
new file mode 100644
index 0000000..0ef5b15
--- /dev/null
+++ b/bin/tests/system/coverage/06-zsk-unpub-active/expect
@@ -0,0 +1,8 @@
+args="-d 1h -m 2h"
+warn=1
+error=1
+ok=1
+retcode=1
+match="WARNING: Key .* (ZSK) is scheduled for
+deletion before inactivation
+No ZSK's are both active and published"
diff --git a/bin/tests/system/coverage/07-ksk-ttl/README b/bin/tests/system/coverage/07-ksk-ttl/README
new file mode 100644
index 0000000..2659099
--- /dev/null
+++ b/bin/tests/system/coverage/07-ksk-ttl/README
@@ -0,0 +1,4 @@
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
+
+Expected tool output TBD.
diff --git a/bin/tests/system/coverage/07-ksk-ttl/expect b/bin/tests/system/coverage/07-ksk-ttl/expect
new file mode 100644
index 0000000..eade21a
--- /dev/null
+++ b/bin/tests/system/coverage/07-ksk-ttl/expect
@@ -0,0 +1,9 @@
+args="-d 1w -m 2w"
+warn=1
+error=0
+ok=2
+retcode=0
+match="WARNING: Key .* (KSK) is activated too soon
+after publication
+Activation should be at least 7 days after
+publication."
diff --git a/bin/tests/system/coverage/08-zsk-ttl/README b/bin/tests/system/coverage/08-zsk-ttl/README
new file mode 100644
index 0000000..2659099
--- /dev/null
+++ b/bin/tests/system/coverage/08-zsk-ttl/README
@@ -0,0 +1,4 @@
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
+
+Expected tool output TBD.
diff --git a/bin/tests/system/coverage/08-zsk-ttl/expect b/bin/tests/system/coverage/08-zsk-ttl/expect
new file mode 100644
index 0000000..150c9cd
--- /dev/null
+++ b/bin/tests/system/coverage/08-zsk-ttl/expect
@@ -0,0 +1,9 @@
+args="-d 1w -m 2w"
+warn=1
+error=0
+ok=2
+retcode=0
+match="WARNING: Key .* (ZSK) is activated too soon
+after publication
+Activation should be at least 7 days after
+publication."
diff --git a/bin/tests/system/coverage/09-check-zsk/README b/bin/tests/system/coverage/09-check-zsk/README
new file mode 100644
index 0000000..bc5edc8
--- /dev/null
+++ b/bin/tests/system/coverage/09-check-zsk/README
@@ -0,0 +1,6 @@
+This set includes one KSK rollover.  The KSK is deactivated prior to
+its replacement being activated; however, as we are only checking ZSK's,
+we should not detect the error.  Tool output should resemble:
+
+Checking ZSK events for zone example.com, algorithm 7:
+OK
diff --git a/bin/tests/system/coverage/09-check-zsk/expect b/bin/tests/system/coverage/09-check-zsk/expect
new file mode 100644
index 0000000..d56c4bf
--- /dev/null
+++ b/bin/tests/system/coverage/09-check-zsk/expect
@@ -0,0 +1,6 @@
+args="-z -d 1h -m 2h"
+warn=0
+error=0
+ok=1
+retcode=0
+match=""
diff --git a/bin/tests/system/coverage/10-check-ksk/README b/bin/tests/system/coverage/10-check-ksk/README
new file mode 100644
index 0000000..948364d
--- /dev/null
+++ b/bin/tests/system/coverage/10-check-ksk/README
@@ -0,0 +1,7 @@
+This set includes one ZSK rollover.  The first ZSK is deactivated
+prior to its replacement being activated; however, as we are only
+checking KSKs, we should not detect the error.  Tool output should
+resemble:
+
+Checking KSK events for zone example.com, algorithm 7:
+OK
diff --git a/bin/tests/system/coverage/10-check-ksk/expect b/bin/tests/system/coverage/10-check-ksk/expect
new file mode 100644
index 0000000..a03d2aa
--- /dev/null
+++ b/bin/tests/system/coverage/10-check-ksk/expect
@@ -0,0 +1,6 @@
+args="-k -d 1h -m 2h"
+warn=0
+error=0
+ok=1
+retcode=0
+match=""
diff --git a/bin/tests/system/coverage/11-cutoff/README b/bin/tests/system/coverage/11-cutoff/README
new file mode 100644
index 0000000..8102593
--- /dev/null
+++ b/bin/tests/system/coverage/11-cutoff/README
@@ -0,0 +1,10 @@
+This set includes one KSK rollover.  The KSK is deactivated prior to
+its replacement being activated.  Tool output should resemble:
+
+Checking KSK events for zone example.com, algorithm 7:
+ERROR: After 2012-31-Jul (20:59:14):
+    Inactive: example.com/007/45435 (KSK)
+No KSK's are active
+
+Checking ZSK events for zone example.com, algorithm 7:
+OK
diff --git a/bin/tests/system/coverage/11-cutoff/expect b/bin/tests/system/coverage/11-cutoff/expect
new file mode 100644
index 0000000..bdf29d0
--- /dev/null
+++ b/bin/tests/system/coverage/11-cutoff/expect
@@ -0,0 +1,6 @@
+args="-l 1y -d 1h -m 2h"
+warn=0
+error=0
+ok=2
+retcode=0
+match=""
diff --git a/bin/tests/system/coverage/12-ksk-deletion/expect b/bin/tests/system/coverage/12-ksk-deletion/expect
new file mode 100644
index 0000000..898c0bf
--- /dev/null
+++ b/bin/tests/system/coverage/12-ksk-deletion/expect
@@ -0,0 +1,6 @@
+args=
+warn=4
+error=1
+ok=1
+retcode=1
+match=0
diff --git a/bin/tests/system/coverage/13-dotted-dotless/expect b/bin/tests/system/coverage/13-dotted-dotless/expect
new file mode 100644
index 0000000..5760d29
--- /dev/null
+++ b/bin/tests/system/coverage/13-dotted-dotless/expect
@@ -0,0 +1,7 @@
+args="-z -m2h"
+warn=0
+error=0
+ok=2
+retcode=0
+match=
+zones="one.example. two.example"
diff --git a/bin/tests/system/coverage/clean.sh b/bin/tests/system/coverage/clean.sh
new file mode 100644
index 0000000..5527946
--- /dev/null
+++ b/bin/tests/system/coverage/clean.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f named-compilezone
+rm -f */K*.key
+rm -f */K*.private
+rm -rf coverage.*
+rm -rf dotted-dotless
+rm -f ns*/named.lock
diff --git a/bin/tests/system/coverage/setup.sh b/bin/tests/system/coverage/setup.sh
new file mode 100644
index 0000000..7de73b8
--- /dev/null
+++ b/bin/tests/system/coverage/setup.sh
@@ -0,0 +1,119 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+
+ln -s $CHECKZONE named-compilezone
+
+# Test 1: KSK goes inactive before successor is active
+dir=01-ksk-inactive
+ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com)
+$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
+ksk2=$($KEYGEN -q -K $dir -S $ksk1)
+$SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1
+zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
+
+# Test 2: ZSK goes inactive before successor is active
+dir=02-zsk-inactive
+zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
+$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
+zsk2=$($KEYGEN -q -K $dir -S $zsk1)
+$SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1
+ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com)
+
+# Test 3: KSK is unpublished before its successor is published
+dir=03-ksk-unpublished
+ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com)
+$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
+ksk2=$($KEYGEN -q -K $dir -S $ksk1)
+$SETTIME -K $dir -D +6mo $ksk1 > /dev/null 2>&1
+zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
+
+# Test 4: ZSK is unpublished before its successor is published
+dir=04-zsk-unpublished
+zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
+$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
+zsk2=$($KEYGEN -q -K $dir -S $zsk1)
+$SETTIME -K $dir -D +6mo $zsk1 > /dev/null 2>&1
+ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com)
+
+# Test 5: KSK deleted and successor published before KSK is deactivated
+# and successor activated.
+dir=05-ksk-unpub-active
+ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com)
+$SETTIME -K $dir -I +9mo -D +8mo $ksk1 > /dev/null 2>&1
+ksk2=$($KEYGEN -q -K $dir -S $ksk1)
+zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
+
+# Test 6: ZSK deleted and successor published before ZSK is deactivated
+# and successor activated.
+dir=06-zsk-unpub-active
+zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
+$SETTIME -K $dir -I +9mo -D +8mo $zsk1 > /dev/null 2>&1
+zsk2=$($KEYGEN -q -K $dir -S $zsk1)
+ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com)
+
+# Test 7: KSK rolled with insufficient delay after prepublication.
+dir=07-ksk-ttl
+ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com)
+$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
+ksk2=$($KEYGEN -q -K $dir -S $ksk1)
+# allow only 1 day between publication and activation
+$SETTIME -K $dir -P +269d $ksk2 > /dev/null 2>&1
+zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
+
+# Test 8: ZSK rolled with insufficient delay after prepublication.
+dir=08-zsk-ttl
+zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
+$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
+zsk2=$($KEYGEN -q -K $dir -S $zsk1)
+# allow only 1 day between publication and activation
+$SETTIME -K $dir -P +269d $zsk2 > /dev/null 2>&1
+ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com)
+
+# Test 9: KSK goes inactive before successor is active, but checking ZSKs
+dir=09-check-zsk
+ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com)
+$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
+ksk2=$($KEYGEN -q -K $dir -S $ksk1)
+$SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1
+zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
+
+# Test 10: ZSK goes inactive before successor is active, but checking KSKs
+dir=10-check-ksk
+zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
+$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
+zsk2=$($KEYGEN -q -K $dir -S $zsk1)
+$SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1
+ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com)
+
+# Test 11: ZSK goes inactive before successor is active, but after cutoff
+dir=11-cutoff
+zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
+$SETTIME -K $dir -I +18mo -D +2y $zsk1 > /dev/null 2>&1
+zsk2=$($KEYGEN -q -K $dir -S $zsk1)
+$SETTIME -K $dir -I +16mo $zsk1 > /dev/null 2>&1
+ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com)
+
+# Test 12: Too early KSK deletion
+dir=12-ksk-deletion
+ksk1=$($KEYGEN -q -K $dir -f KSK -a 8 -b 2048 -I +40d -D +40d example.com)
+ksk2=$($KEYGEN -q -K $dir -S $ksk1.key example.com)
+
+# Test 13: check names with/without dots at the end
+dir=13-dotted-dotless
+zsk1=$($KEYGEN -q -K $dir -a rsasha256 one.example)
+zsk2=$($KEYGEN -q -K $dir -a rsasha256 two.example)
diff --git a/bin/tests/system/coverage/tests.sh b/bin/tests/system/coverage/tests.sh
new file mode 100644
index 0000000..e0da919
--- /dev/null
+++ b/bin/tests/system/coverage/tests.sh
@@ -0,0 +1,87 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+COVERAGE="$COVERAGE -c ./named-compilezone"
+
+status=0
+n=1
+
+matchall () {
+    file=$1
+    echo "$2" | while read matchline; do
+        grep "$matchline" $file > /dev/null 2>&1 || {
+            echo "FAIL"
+            return
+        }
+    done
+}
+
+echo_i "checking for DNSSEC key coverage issues"
+ret=0
+for dir in [0-9][0-9]-*; do
+        ret=0
+        echo_i "$dir"
+        args= warn= error= ok= retcode= match= zones=
+        . $dir/expect
+        $COVERAGE $args -K $dir ${zones:-example.com} > coverage.$n 2>&1
+
+        # check that return code matches expectations
+        found=$?
+        if [ $found -ne $retcode ]; then
+            echo "retcode was $found expected $retcode"
+            ret=1
+        fi
+
+        # check for correct number of errors
+        found=`grep ERROR coverage.$n | wc -l`
+        if [ $found -ne $error ]; then
+            echo "error count was $found expected $error"
+            ret=1
+        fi
+
+        # check for correct number of warnings
+        found=`grep WARNING coverage.$n | wc -l`
+        if [ $found -ne $warn ]; then
+            echo "warning count was $found expected $warn"
+            ret=1
+        fi
+
+        # check for correct number of OKs
+        found=`grep "No errors found" coverage.$n | wc -l`
+        if [ $found -ne $ok ]; then
+            echo "good count was $found expected $ok"
+            ret=1
+        fi
+
+        found=`matchall coverage.$n "$match"`
+        if [ "$found" = "FAIL" ]; then
+            echo "no match on '$match'"
+            ret=1
+        fi
+
+        found=`grep Traceback coverage.$n | wc -l`
+        if [ $found -ne 0 ]; then
+            echo "python exception detected"
+            ret=1
+        fi
+
+        n=`expr $n + 1`
+        if [ $ret != 0 ]; then echo_i "failed"; fi
+        status=`expr $status + $ret`
+done
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/database/clean.sh b/bin/tests/system/database/clean.sh
new file mode 100644
index 0000000..f86404c
--- /dev/null
+++ b/bin/tests/system/database/clean.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f ns1/named.conf ns1/named.run ns1/named.memstats
+rm -f dig.out.*
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/database/ns1/named1.conf.in b/bin/tests/system/database/ns1/named1.conf.in
new file mode 100644
index 0000000..56c6a07
--- /dev/null
+++ b/bin/tests/system/database/ns1/named1.conf.in
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	dnssec-validation yes;
+};
+
+zone "database" {
+	type primary;
+	database "_builtin empty localhost. hostmaster.isc.org.";
+};
diff --git a/bin/tests/system/database/ns1/named2.conf.in b/bin/tests/system/database/ns1/named2.conf.in
new file mode 100644
index 0000000..7eb4930
--- /dev/null
+++ b/bin/tests/system/database/ns1/named2.conf.in
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	dnssec-validation yes;
+};
+
+zone "database" {
+	type primary;
+	database "_builtin empty localhost. marka.isc.org.";
+};
diff --git a/bin/tests/system/database/setup.sh b/bin/tests/system/database/setup.sh
new file mode 100644
index 0000000..b40e103
--- /dev/null
+++ b/bin/tests/system/database/setup.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named1.conf.in ns1/named.conf
diff --git a/bin/tests/system/database/tests.sh b/bin/tests/system/database/tests.sh
new file mode 100644
index 0000000..b919c2f
--- /dev/null
+++ b/bin/tests/system/database/tests.sh
@@ -0,0 +1,55 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=0
+
+rm -f dig.out.*
+
+DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}"
+RNDCCMD="$RNDC -s 10.53.0.1 -p ${CONTROLPORT} -c ../common/rndc.conf"
+
+# Check the example. domain
+
+echo_i "checking pre reload zone ($n)"
+ret=0
+$DIG $DIGOPTS soa database. @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "hostmaster\.isc\.org" dig.out.ns1.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+copy_setports ns1/named2.conf.in ns1/named.conf
+$RNDCCMD reload 2>&1 >/dev/null
+
+echo_i "checking post reload zone ($n)"
+ret=1
+try=0
+while test $try -lt 6
+do
+	sleep 1
+	ret=0
+	$DIG $DIGOPTS soa database. @10.53.0.1 > dig.out.ns1.test$n || ret=1
+	grep "marka\.isc\.org" dig.out.ns1.test$n > /dev/null || ret=1
+	try=`expr $try + 1`
+	test $ret -eq 0 && break
+done
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/dialup/clean.sh b/bin/tests/system/dialup/clean.sh
new file mode 100644
index 0000000..9318255
--- /dev/null
+++ b/bin/tests/system/dialup/clean.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f ns2/example.bk
+rm -f ns3/example.bk
+rm -f */named.memstats */named.run
+rm -f ns*/named.conf
+rm -f ns*/named.lock
diff --git a/bin/tests/system/dialup/ns1/example.db b/bin/tests/system/dialup/ns1/example.db
new file mode 100644
index 0000000..3ce33f9
--- /dev/null
+++ b/bin/tests/system/dialup/ns1/example.db
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@	3600	SOA	hostmaster.ns1 ns1 (
+			1 3600 1200 3600000 1200 )
+		NS	ns1.example.
+		NS	ns2.example.
+		NS	ns3.example.
+ns1		A	10.53.0.1
+ns2		A	10.53.0.2
+ns3		A	10.53.0.3
diff --git a/bin/tests/system/dialup/ns1/named.conf.in b/bin/tests/system/dialup/ns1/named.conf.in
new file mode 100644
index 0000000..8ed56a8
--- /dev/null
+++ b/bin/tests/system/dialup/ns1/named.conf.in
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	heartbeat-interval 2;
+	recursion no;
+	dnssec-validation no;
+};
+
+zone "." {
+	type master;
+	file "root.db";
+};
+
+zone "example." {
+	type master;
+	notify explicit;
+	also-notify { 10.53.0.2; };
+	dialup yes;
+	file "example.db";
+};
diff --git a/bin/tests/system/dialup/ns1/root.db b/bin/tests/system/dialup/ns1/root.db
new file mode 100644
index 0000000..882da96
--- /dev/null
+++ b/bin/tests/system/dialup/ns1/root.db
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@	3600	SOA	hostmaster.ns1.example ns1.example (
+			1 3600 1200 3600000 1200 )
+		NS	ns1.example
+example		NS	ns1.example
+		NS	ns2.example
+		NS	ns3.example
+ns1.example	A	10.53.0.1
+ns2.example	A	10.53.0.2
+ns3.example	A	10.53.0.3
diff --git a/bin/tests/system/dialup/ns2/hint.db b/bin/tests/system/dialup/ns2/hint.db
new file mode 100644
index 0000000..0198f25
--- /dev/null
+++ b/bin/tests/system/dialup/ns2/hint.db
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+.	1200	NS	ns1.example
+ns1.example	A	10.53.0.1
diff --git a/bin/tests/system/dialup/ns2/named.conf.in b/bin/tests/system/dialup/ns2/named.conf.in
new file mode 100644
index 0000000..a30bb0d
--- /dev/null
+++ b/bin/tests/system/dialup/ns2/named.conf.in
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	heartbeat-interval 2;
+	recursion no;
+	dnssec-validation no;
+};
+
+zone "." {
+	type hint;
+	file "hint.db";
+};
+
+zone "example." {
+	type slave;
+	dialup passive;
+	notify no;
+	file "example.bk";
+	masters { 10.53.0.1; };
+};
diff --git a/bin/tests/system/dialup/ns3/hint.db b/bin/tests/system/dialup/ns3/hint.db
new file mode 100644
index 0000000..0198f25
--- /dev/null
+++ b/bin/tests/system/dialup/ns3/hint.db
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+.	1200	NS	ns1.example
+ns1.example	A	10.53.0.1
diff --git a/bin/tests/system/dialup/ns3/named.conf.in b/bin/tests/system/dialup/ns3/named.conf.in
new file mode 100644
index 0000000..df6514d
--- /dev/null
+++ b/bin/tests/system/dialup/ns3/named.conf.in
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	heartbeat-interval 2;
+	recursion no;
+	dnssec-validation no;
+};
+
+zone "." {
+	type hint;
+	file "hint.db";
+};
+
+zone "example." {
+	type slave;
+	dialup refresh;
+	notify no;
+	file "example.bk";
+	masters { 10.53.0.2; };
+};
diff --git a/bin/tests/system/dialup/setup.sh b/bin/tests/system/dialup/setup.sh
new file mode 100644
index 0000000..dad3589
--- /dev/null
+++ b/bin/tests/system/dialup/setup.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
diff --git a/bin/tests/system/dialup/tests.sh b/bin/tests/system/dialup/tests.sh
new file mode 100644
index 0000000..1353569
--- /dev/null
+++ b/bin/tests/system/dialup/tests.sh
@@ -0,0 +1,65 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+
+rm -f dig.out.*
+
+DIGOPTS="+norec +tcp +noadd +nosea +nostat +noquest +nocmd -p ${PORT}"
+
+# Check the example. domain
+
+$DIG $DIGOPTS example. @10.53.0.1 soa > dig.out.ns1.test || ret=1
+echo_i "checking that first zone transfer worked"
+ret=0
+try=0
+while test $try -lt 120
+do
+	$DIG $DIGOPTS example. @10.53.0.2 soa > dig.out.ns2.test || ret=1
+	if grep SERVFAIL dig.out.ns2.test > /dev/null
+	then
+		try=`expr $try + 1`
+		sleep 1
+	else
+                digcomp dig.out.ns1.test dig.out.ns2.test || ret=1
+		break;
+	fi
+done
+echo_i "try $try"
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking that second zone transfer worked"
+ret=0
+try=0
+while test $try -lt 120
+do
+	$DIG $DIGOPTS example. @10.53.0.3 soa > dig.out.ns3.test || ret=1
+	if grep SERVFAIL dig.out.ns3.test > /dev/null
+	then
+		try=`expr $try + 1`
+		sleep 1
+	else
+                digcomp dig.out.ns1.test dig.out.ns3.test || ret=1
+		break;
+	fi
+done
+echo_i "try $try"
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/digcomp.pl b/bin/tests/system/digcomp.pl
new file mode 100644
index 0000000..8024dea
--- /dev/null
+++ b/bin/tests/system/digcomp.pl
@@ -0,0 +1,164 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# Compare two files, each with the output from dig, for differences.
+# Ignore "unimportant" differences, like ordering of NS lines, TTL's,
+# etc...
+
+$lc = 0;
+if ($ARGV[0] eq "--lc") {
+	$lc = 1;
+	shift;
+}
+$file1 = $ARGV[0];
+$file2 = $ARGV[1];
+
+$count = 0;
+$firstname = "";
+$status = 0;
+$rcode1 = "none";
+$rcode2 = "none";
+
+open(FILE1, $file1) || die("open: $file1: $!\n");
+while (<FILE1>) {
+	~ s/\r\n//g;
+	~ s/\n//g;
+	if (/^;.+status:\s+(\S+).+$/) {
+		$rcode1 = $1;
+	}
+	next if (/^;/);
+	if (/^(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+(.+)$/) {
+		$name = $1;
+		$class = $2;
+		$type = $3;
+		$value = $4;
+		if ($lc) {
+			$name = lc($name);
+			$value = lc($value);
+		}
+		if ($type eq "SOA") {
+			$firstname = $name if ($firstname eq "");
+			if ($name eq $firstname) {
+				$name = "$name$count";
+				$count++;
+			}
+		}
+		if ($entry{"$name ; $class.$type ; $value"} ne "") {
+			$line = $entry{"$name ; $class.$type ; $value"};
+			print("Duplicate entry in $file1:\n> $_\n< $line\n");
+		} else {
+			$entry{"$name ; $class.$type ; $value"} = $_;
+		}
+	} elsif (/^(\S+)\s+\S+\s+(\S+)\s+(\S+)\s*$/) {
+		$name = $1;
+		$class = $2;
+		$type = $3;
+		$value = "";
+		if ($lc) {
+			$name = lc($name);
+			$value = lc($value);
+		}
+		if ($type eq "SOA") {
+			$firstname = $name if ($firstname eq "");
+			if ($name eq $firstname) {
+				$name = "$name$count";
+				$count++;
+			}
+		}
+		if ($entry{"$name ; $class.$type ; $value"} ne "") {
+			$line = $entry{"$name ; $class.$type ; $value"};
+			print("Duplicate entry in $file1:\n> $_\n< $line\n");
+		} else {
+			$entry{"$name ; $class.$type ; $value"} = $_;
+		}
+	}
+}
+close(FILE1);
+
+$printed = 0;
+
+open(FILE2, $file2) || die("open: $file2: $!\n");
+while (<FILE2>) {
+	~ s/\r\n//g;
+	~ s/\n//g;
+	if (/^;.+status:\s+(\S+).+$/) {
+		$rcode2 = $1;
+	}
+	next if (/^;/);
+	if (/^(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+(.+)$/) {
+		$name = $1;
+		$class = $2;
+		$type = $3;
+		$value = $4;
+		if ($lc) {
+			$name = lc($name);
+			$value = lc($value);
+		}
+		if (($name eq $firstname) && ($type eq "SOA")) {
+			$count--;
+			$name = "$name$count";
+		}
+		if ($entry{"$name ; $class.$type ; $value"} ne "") {
+			$entry{"$name ; $class.$type ; $value"} = "";
+		} else {
+			print("Only in $file2 (missing from $file1):\n")
+			    if ($printed == 0);
+			print("> $_\n");
+			$printed++;
+			$status = 1;
+		}
+	} elsif (/^(\S+)\s+\S+\s+(\S+)\s+(\S+)\s*$/) {
+		$name = $1;
+		$class = $2;
+		$type = $3;
+		$value = "";
+		if ($lc) {
+			$name = lc($name);
+			$value = lc($value);
+		}
+		if (($name eq $firstname) && ($type eq "SOA")) {
+			$count--;
+			$name = "$name$count";
+		}
+		if ($entry{"$name ; $class.$type ; $value"} ne "") {
+			$entry{"$name ; $class.$type ; $value"} = "";
+		} else {
+			print("Only in $file2 (missing from $file1):\n")
+			    if ($printed == 0);
+			print("> $_\n");
+			$printed++;
+			$status = 1;
+		}
+	}
+}
+close(FILE2);
+
+$printed = 0;
+
+foreach $key (keys(%entry)) {
+	if ($entry{$key} ne "") {
+		print("Only in $file1 (missing from $file2):\n")
+		    if ($printed == 0);
+		print("< $entry{$key}\n");
+		$status = 1;
+		$printed++;
+	}
+}
+
+if ($rcode1 ne $rcode2) {
+	print("< status: $rcode1\n");
+	print("> status: $rcode2\n");
+	$status = 1;
+}
+
+exit($status);
diff --git a/bin/tests/system/digdelv/ans4/startme b/bin/tests/system/digdelv/ans4/startme
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/bin/tests/system/digdelv/ans4/startme
@@ -0,0 +1 @@
+
diff --git a/bin/tests/system/digdelv/ans5/ans.pl b/bin/tests/system/digdelv/ans5/ans.pl
new file mode 100644
index 0000000..6396406
--- /dev/null
+++ b/bin/tests/system/digdelv/ans5/ans.pl
@@ -0,0 +1,176 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# This is a TCP-only DNS server whose aim is to facilitate testing how dig
+# copes with prematurely closed TCP connections.
+#
+# This server can be configured (through a separate control socket) with a
+# series of responses to send for subsequent incoming TCP DNS queries.  Only
+# one query is handled before closing each connection.  In order to keep things
+# simple, the server is not equipped with any mechanism for handling malformed
+# queries.
+#
+# Available response types are defined in the %response_types hash in the
+# getAnswerSection() function below.  Each RR returned is generated dynamically
+# based on the QNAME found in the incoming query.
+
+use IO::File;
+use Net::DNS;
+use Net::DNS::Packet;
+
+use strict;
+
+# Ignore SIGPIPE so we won't fail if peer closes a TCP socket early
+local $SIG{PIPE} = 'IGNORE';
+
+# Flush logged output after every line
+local $| = 1;
+
+my $server_addr = "10.53.0.5";
+if (@ARGV > 0) {
+	$server_addr = @ARGV[0];
+}
+
+my $mainport = int($ENV{'PORT'});
+if (!$mainport) { $mainport = 5300; }
+my $ctrlport = int($ENV{'EXTRAPORT1'});
+if (!$ctrlport) { $ctrlport = 5301; }
+
+my $ctlsock = IO::Socket::INET->new(LocalAddr => "$server_addr",
+   LocalPort => $ctrlport, Proto => "tcp", Listen => 5, Reuse => 1) or die "$!";
+
+my $tcpsock = IO::Socket::INET->new(LocalAddr => "$server_addr",
+   LocalPort => $mainport, Proto => "tcp", Listen => 5, Reuse => 1) or die "$!";
+
+my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
+print $pidf "$$\n" or die "cannot write pid file: $!";
+$pidf->close or die "cannot close pid file: $!";;
+sub rmpid { unlink "ans.pid"; exit 1; };
+
+$SIG{INT} = \&rmpid;
+$SIG{TERM} = \&rmpid;
+
+my @response_sequence = ("complete_axfr");
+my $connection_counter = 0;
+
+# Return the next answer type to send, incrementing the connection counter and
+# making sure the latter does not exceed the size of the array holding the
+# configured response sequence.
+sub getNextResponseType {
+	my $response_type = $response_sequence[$connection_counter];
+
+	$connection_counter++;
+	$connection_counter %= scalar(@response_sequence);
+
+	return $response_type;
+}
+
+# Return an array of resource records comprising the answer section of a given
+# response type.
+sub getAnswerSection {
+	my ($response_type, $qname) = @_;
+
+	my %response_types = (
+		no_response => [],
+
+		partial_axfr => [
+			Net::DNS::RR->new("$qname 300 IN SOA . . 0 0 0 0 300"),
+			Net::DNS::RR->new("$qname NS ."),
+		],
+
+		complete_axfr => [
+			Net::DNS::RR->new("$qname 300 IN SOA . . 0 0 0 0 300"),
+			Net::DNS::RR->new("$qname NS ."),
+			Net::DNS::RR->new("$qname 300 IN SOA . . 0 0 0 0 300"),
+		],
+	);
+
+	return $response_types{$response_type};
+}
+
+
+# Generate a Net::DNS::Packet containing the response to send on the current
+# TCP connection.  If the answer section of the response is determined to be
+# empty, no data will be sent on the connection at all (immediate EOF).
+sub generateResponse {
+	my ($buf) = @_;
+	my $request;
+
+	if ($Net::DNS::VERSION > 0.68) {
+		$request = new Net::DNS::Packet(\$buf, 0);
+		$@ and die $@;
+	} else {
+		my $err;
+		($request, $err) = new Net::DNS::Packet(\$buf, 0);
+		$err and die $err;
+	}
+
+	my @questions = $request->question;
+	my $qname = $questions[0]->qname;
+	my $qtype = $questions[0]->qtype;
+	my $qclass = $questions[0]->qclass;
+	my $id = $request->header->id;
+
+	my $packet = new Net::DNS::Packet($qname, $qtype, $qclass);
+	$packet->header->qr(1);
+	$packet->header->aa(1);
+	$packet->header->id($id);
+
+	my $response_type = getNextResponseType();
+	my $answers = getAnswerSection($response_type, $qname);
+	for my $rr (@$answers) {
+		$packet->push("answer", $rr);
+	}
+
+	print "    Sending \"$response_type\" response\n";
+
+	return $packet->data if @$answers;
+}
+
+my $rin;
+my $rout;
+for (;;) {
+	$rin = '';
+	vec($rin, fileno($ctlsock), 1) = 1;
+	vec($rin, fileno($tcpsock), 1) = 1;
+
+	select($rout = $rin, undef, undef, undef);
+
+	if (vec($rout, fileno($ctlsock), 1)) {
+		my $conn = $ctlsock->accept;
+		@response_sequence = split(' ', $conn->getline);
+		$connection_counter = 0;
+		print "Response sequence set to: @response_sequence\n";
+		$conn->close;
+	} elsif (vec($rout, fileno($tcpsock), 1)) {
+		my $buf;
+		my $lenbuf;
+		my $conn = $tcpsock->accept;
+		my $n = $conn->sysread($lenbuf, 2);
+		die unless $n == 2;
+		my $len = unpack("n", $lenbuf);
+		$n = $conn->sysread($buf, $len);
+		die unless $n == $len;
+		print "TCP request\n";
+		my $response = generateResponse($buf);
+		if ($response) {
+			$len = length($response);
+			$n = $conn->syswrite(pack("n", $len), 2);
+			$n = $conn->syswrite($response, $len);
+			print "    Sent: $n chars via TCP\n";
+		} else {
+			print "    No response sent\n";
+		}
+		$conn->close;
+	}
+}
diff --git a/bin/tests/system/digdelv/ans6/ans.pl b/bin/tests/system/digdelv/ans6/ans.pl
new file mode 100755
index 0000000..39d02b2
--- /dev/null
+++ b/bin/tests/system/digdelv/ans6/ans.pl
@@ -0,0 +1,84 @@
+#!/usr/bin/perl -w
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+use IO::File;
+use IO::Socket;
+use Net::DNS;
+use Net::DNS::Packet;
+
+my $localport = int($ENV{'PORT'});
+if (!$localport) { $localport = 5300; }
+
+my $sock = IO::Socket::INET->new(LocalAddr => "10.53.0.6",
+   LocalPort => $localport, Proto => "udp") or die "$!";
+
+my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
+print $pidf "$$\n" or die "cannot write pid file: $!";
+$pidf->close or die "cannot close pid file: $!";
+sub rmpid { unlink "ans.pid"; exit 1; };
+
+$SIG{INT} = \&rmpid;
+$SIG{TERM} = \&rmpid;
+
+for (;;) {
+	$sock->recv($buf, 512);
+
+	print "**** request from " , $sock->peerhost, " port ", $sock->peerport, "\n";
+
+	my $packet;
+
+	if ($Net::DNS::VERSION > 0.68) {
+		$packet = new Net::DNS::Packet(\$buf, 0);
+		$@ and die $@;
+	} else {
+		my $err;
+		($packet, $err) = new Net::DNS::Packet(\$buf, 0);
+		$err and die $err;
+	}
+
+	print "REQUEST:\n";
+	$packet->print;
+
+	$packet->header->qr(1);
+
+	my @questions = $packet->question;
+	my $qname = $questions[0]->qname;
+	my $qtype = $questions[0]->qtype;
+
+	my $donotrespond = 0;
+
+	$packet->header->aa(1);
+	if ($qtype eq "A") {
+		$packet->push("answer",
+			      new Net::DNS::RR($qname .  " 300 A 10.53.0.5"));
+	} else {
+		$donotrespond = 1;
+	}
+
+	if ($donotrespond == 0) {
+                my $sendsock =
+                        IO::Socket::INET->new(LocalAddr => "10.53.1.2",
+                                              PeerAddr => $sock->peerhost,
+                                              PeerPort => $sock->peerport,
+                                              Proto => "udp") or die "$!";
+                print "**** response from ", $sendsock->sockhost, " to " ,
+                      $sendsock->peerhost, " port ", $sendsock->peerport, "\n";
+		$sendsock->send($packet->data);
+                $sendsock->close;
+		print "RESPONSE:\n";
+		$packet->print;
+		print "\n";
+	} else {
+		print "DROP:\n";
+	}
+}
diff --git a/bin/tests/system/digdelv/ans7/ans.pl b/bin/tests/system/digdelv/ans7/ans.pl
new file mode 100755
index 0000000..a7aa60e
--- /dev/null
+++ b/bin/tests/system/digdelv/ans7/ans.pl
@@ -0,0 +1,68 @@
+#!/usr/bin/perl -w
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+use IO::File;
+use IO::Socket;
+use Net::DNS;
+use Net::DNS::Packet;
+
+my $localport = int($ENV{'PORT'});
+if (!$localport) { $localport = 5300; }
+
+my $sock = IO::Socket::INET->new(LocalAddr => "10.53.0.7",
+   LocalPort => $localport, Proto => "udp") or die "$!";
+
+my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
+print $pidf "$$\n" or die "cannot write pid file: $!";
+$pidf->close or die "cannot close pid file: $!";
+sub rmpid { unlink "ans.pid"; exit 1; };
+
+$SIG{INT} = \&rmpid;
+$SIG{TERM} = \&rmpid;
+
+STDOUT->autoflush(1);
+
+print "Net::DNS::VERSION => $Net::DNS::VERSION\n";
+
+for (;;) {
+	$sock->recv($buf, 512);
+
+	print "**** request from " , $sock->peerhost, " port ", $sock->peerport, "\n";
+
+	my $packet;
+
+	if ($Net::DNS::VERSION > 0.68) {
+		$packet = new Net::DNS::Packet(\$buf, 0);
+		$@ and die $@;
+	} else {
+		my $err;
+		($packet, $err) = new Net::DNS::Packet(\$buf, 0);
+		$err and die $err;
+	}
+
+	print "REQUEST:\n";
+	$packet->print;
+
+	$packet->header->qr(1);
+	$packet->header->opcode(5);
+
+	my @questions = $packet->question;
+	my $qname = $questions[0]->qname;
+	my $qtype = $questions[0]->qtype;
+	$packet->push("update", rr_del("$qname SOA"));
+
+	print "RESPONSE:\n";
+	$packet->print;
+
+	$sock->send($packet->data);
+}
diff --git a/bin/tests/system/digdelv/clean.sh b/bin/tests/system/digdelv/clean.sh
new file mode 100644
index 0000000..ac84c3f
--- /dev/null
+++ b/bin/tests/system/digdelv/clean.sh
@@ -0,0 +1,33 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+rm -f ./*/anchor.*
+rm -f ./*/named.conf
+rm -f ./*/named.memstats
+rm -f ./*/named.run
+rm -f ./delv.out.test*
+rm -f ./dig.out.*test*
+rm -f ./dig.out.mm.*
+rm -f ./dig.out.mn.*
+rm -f ./dig.out.nm.*
+rm -f ./dig.out.nn.*
+rm -f ./host.out.test*
+rm -f ./ns*/managed-keys.bind*
+rm -f ./ns*/named.lock
+rm -f ./ns2/dsset-example.
+rm -f ./ns2/example.db ./ns2/K* ./ns2/keyid ./ns2/keydata
+rm -f ./nslookup.out.test*
+rm -f ./yamlget.out.*
+rm -f ./nsupdate.out.test*
diff --git a/bin/tests/system/digdelv/ns1/named.conf.in b/bin/tests/system/digdelv/ns1/named.conf.in
new file mode 100644
index 0000000..df552bd
--- /dev/null
+++ b/bin/tests/system/digdelv/ns1/named.conf.in
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+options {
+	query-source address 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { fd92:7065:b8e:ffff::1; };
+	recursion no;
+	notify yes;
+	dnssec-validation no;
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
diff --git a/bin/tests/system/digdelv/ns1/root.db b/bin/tests/system/digdelv/ns1/root.db
new file mode 100644
index 0000000..b43cc40
--- /dev/null
+++ b/bin/tests/system/digdelv/ns1/root.db
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. 			IN SOA	gson.nominum.com. a.root.servers.nil. (
+				2000042100   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+a.root-servers.nil.	AAAA	fd92:7065:b8e:ffff::1
+
+example.		NS	ns2.example.
+ns2.example.		A	10.53.0.2
+ns2.example.		AAAA	fd92:7065:b8e:ffff::2
diff --git a/bin/tests/system/digdelv/ns2/example.db.in b/bin/tests/system/digdelv/ns2/example.db.in
new file mode 100644
index 0000000..c711049
--- /dev/null
+++ b/bin/tests/system/digdelv/ns2/example.db.in
@@ -0,0 +1,51 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+			NS	ns3
+ns2			A	10.53.0.2
+ns2			AAAA	fd92:7065:b8e:ffff::2
+ns3			A	10.53.0.3
+ns3			AAAA	fd92:7065:b8e:ffff::3
+
+a			A	10.0.0.1
+a			AAAA	fd92:7065:b8e:ffff::1
+b			A	10.0.0.2
+b			AAAA	fd92:7065:b8e:ffff::2
+c			A	10.0.0.3
+c			AAAA	fd92:7065:b8e:ffff::3
+d			A	10.0.0.0
+d			AAAA	fd92:7065:b8e:ffff::
+
+xn--caf-dma		A	10.1.2.3
+
+foo			TXT	"testing"
+foo			A	10.0.1.0
+foo			SSHFP	2 1 123456789abcdef67890123456789abcdef67890
+
+; TTL of 3 weeks
+weeks		1814400	A	10.53.0.2
+; TTL of 3 days
+days		259200	A	10.53.0.2
+; TTL of 3 hours
+hours		10800	A	10.53.0.2
+;TTL of 45 minutes
+minutes		2700	A	10.53.0.2
+;TTL of 45 seconds
+seconds		45	A	10.53.0.2
diff --git a/bin/tests/system/digdelv/ns2/named.conf.in b/bin/tests/system/digdelv/ns2/named.conf.in
new file mode 100644
index 0000000..1391b73
--- /dev/null
+++ b/bin/tests/system/digdelv/ns2/named.conf.in
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+	query-source address 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { fd92:7065:b8e:ffff::2; };
+	recursion no;
+	dnssec-validation no;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+};
diff --git a/bin/tests/system/digdelv/ns2/sign.sh b/bin/tests/system/digdelv/ns2/sign.sh
new file mode 100644
index 0000000..41dacd6
--- /dev/null
+++ b/bin/tests/system/digdelv/ns2/sign.sh
@@ -0,0 +1,29 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone example.)
+
+cp example.db.in example.db
+
+"$SIGNER" -Sz -f example.db -o example example.db.in > /dev/null 2>&1
+
+keyfile_to_key_id "$ksk" > keyid
+grep -Ev '^;' < "$ksk.key" | cut -f 7- -d ' ' > keydata
+
+keyfile_to_initial_keys "$ksk" > ../ns3/anchor.dnskey
+keyfile_to_initial_ds "$ksk" > ../ns3/anchor.ds
diff --git a/bin/tests/system/digdelv/ns3/named.conf.in b/bin/tests/system/digdelv/ns3/named.conf.in
new file mode 100644
index 0000000..a13747b
--- /dev/null
+++ b/bin/tests/system/digdelv/ns3/named.conf.in
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.3 dscp 1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { fd92:7065:b8e:ffff::3; };
+	recursion yes;
+	dnssec-validation no;
+	server-id "ns3";
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
diff --git a/bin/tests/system/digdelv/prereq.sh b/bin/tests/system/digdelv/prereq.sh
new file mode 100644
index 0000000..8f5a385
--- /dev/null
+++ b/bin/tests/system/digdelv/prereq.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+if $PERL -e 'use Net::DNS;' 2>/dev/null
+then
+    :
+else
+    echo_i "This test requires the Net::DNS library." >&2
+    exit 1
+fi
diff --git a/bin/tests/system/digdelv/setup.sh b/bin/tests/system/digdelv/setup.sh
new file mode 100644
index 0000000..b259e1b
--- /dev/null
+++ b/bin/tests/system/digdelv/setup.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+
+cd ns2 && $SHELL sign.sh
diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh
new file mode 100644
index 0000000..470f230
--- /dev/null
+++ b/bin/tests/system/digdelv/tests.sh
@@ -0,0 +1,1347 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+SYSTEMTESTTOP=..
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+status=0
+n=0
+
+sendcmd() {
+    "$PERL" "$SYSTEMTESTTOP/send.pl" "${1}" "$EXTRAPORT1"
+}
+
+dig_with_opts() {
+    "$DIG" -p "$PORT" "$@"
+}
+
+mdig_with_opts() {
+    "$MDIG" -p "$PORT" "$@"
+}
+
+# Check if response in file $1 has the correct TTL range.
+# The response record must have RRtype $2 and class IN (CLASS1).
+# Maximum TTL is given by $3.  This works in most cases where TTL is
+# the second word on the line.  TTL position can be adjusted with
+# setting the position $4, but that requires updating this function.
+check_ttl_range() {
+    file=$1
+    pos=$4
+
+    case "$pos" in
+    "3")
+    awk -v rrtype="$2" -v ttl="$3" '($4 == "IN" || $4 == "CLASS1" ) && $5 == rrtype { if ($3 <= ttl) { ok=1 } } END { exit(ok?0:1) }' < $file
+    ;;
+    *)
+    awk -v rrtype="$2" -v ttl="$3" '($3 == "IN" || $3 == "CLASS1" ) && $4 == rrtype { if ($2 <= ttl) { ok=1 } } END { exit(ok?0:1) }' < $file
+    ;;
+    esac
+
+   result=$?
+   [ $result -eq 0 ] || echo_i "ttl check failed"
+   return $result
+}
+
+# using delv insecure mode as not testing dnssec here
+delv_with_opts() {
+    "$DELV" +noroot -p "$PORT" "$@"
+}
+
+KEYID="$(cat ns2/keyid)"
+KEYDATA="$(< ns2/keydata sed -e 's/+/[+]/g')"
+NOSPLIT="$(< ns2/keydata sed -e 's/+/[+]/g' -e 's/ //g')"
+
+HAS_PYYAML=0
+if [ -n "$PYTHON" ] ; then
+	$PYTHON -c "import yaml" 2> /dev/null && HAS_PYYAML=1
+fi
+
+#
+# test whether ans7/ans.pl will be able to send a UPDATE response.
+# if it can't, we will log that below.
+#
+if "$PERL" -e 'use Net::DNS; use Net::DNS::Packet; my $p = new Net::DNS::Packet; $p->header->opcode(5);' > /dev/null 2>&1
+then
+	checkupdate=1
+else
+	checkupdate=0
+fi
+
+if [ -x "$NSLOOKUP" -a $checkupdate -eq 1 ] ; then
+
+  n=$((n+1))
+  echo_i "check nslookup handles UPDATE response ($n)"
+  ret=0
+  "$NSLOOKUP" -q=CNAME "-port=$PORT" foo.bar 10.53.0.7 > nslookup.out.test$n 2>&1 && ret=1
+  grep "Opcode mismatch" nslookup.out.test$n > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+fi
+
+if [ -x "$HOST" -a $checkupdate -eq 1 ] ; then
+
+  n=$((n+1))
+  echo_i "check host handles UPDATE response ($n)"
+  ret=0
+  "$HOST" -t CNAME -p $PORT foo.bar 10.53.0.7 > host.out.test$n 2>&1 && ret=1
+  grep "Opcode mismatch" host.out.test$n > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+fi
+
+if [ -x "$NSUPDATE" -a $checkupdate -eq 1 ] ; then
+
+  n=$((n+1))
+  echo_i "check nsupdate handles UPDATE response to QUERY ($n)"
+  ret=0
+  res=0
+  $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || res=$?
+server 10.53.0.7 ${PORT}
+add x.example.com 300 in a 1.2.3.4
+send
+EOF
+  test $res -eq 1 || ret=1
+  grep "invalid OPCODE in response to SOA query" nsupdate.out.test$n > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+fi
+
+if [ -x "$DIG" ] ; then
+
+  if [ $checkupdate -eq 1 ] ; then
+
+    n=$((n+1))
+    echo_i "check dig handles UPDATE response ($n)"
+    ret=0
+    dig_with_opts @10.53.0.7 cname foo.bar > dig.out.test$n 2>&1 && ret=1
+    grep "Opcode mismatch" dig.out.test$n > /dev/null || ret=1
+    if [ $ret -ne 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+  else
+    echo_i "Skipped UPDATE handling test"
+  fi
+
+  n=$((n+1))
+  echo_i "checking dig short form works ($n)"
+  ret=0
+  dig_with_opts @10.53.0.3 +short a a.example > dig.out.test$n || ret=1
+  test "$(wc -l < dig.out.test$n)" -eq 1 || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking dig split width works ($n)"
+  ret=0
+  dig_with_opts @10.53.0.3 +split=4 -t sshfp foo.example > dig.out.test$n || ret=1
+  grep " 9ABC DEF6 7890 " < dig.out.test$n > /dev/null || ret=1
+  check_ttl_range dig.out.test$n "SSHFP" 300 || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking dig +unknownformat works ($n)"
+  ret=0
+  dig_with_opts @10.53.0.3 +unknownformat a a.example > dig.out.test$n || ret=1
+  grep "CLASS1[ 	][ 	]*TYPE1[ 	][ 	]*\\\\# 4 0A000001" < dig.out.test$n > /dev/null || ret=1
+  check_ttl_range dig.out.test$n "TYPE1" 300 || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking dig with reverse lookup works ($n)"
+  ret=0
+  dig_with_opts @10.53.0.3 -x 127.0.0.1 > dig.out.test$n 2>&1 || ret=1
+  # doesn't matter if has answer
+  grep -i "127\\.in-addr\\.arpa\\." < dig.out.test$n > /dev/null || ret=1
+  check_ttl_range dig.out.test$n "SOA" 86400 || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking dig over TCP works ($n)"
+  ret=0
+  dig_with_opts +tcp @10.53.0.3 a a.example > dig.out.test$n || ret=1
+  grep "10\\.0\\.0\\.1$" < dig.out.test$n > /dev/null || ret=1
+  check_ttl_range dig.out.test$n "A" 300 || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking dig +multi +norrcomments works for DNSKEY (when default is rrcomments)($n)"
+  ret=0
+  dig_with_opts +tcp @10.53.0.3 +multi +norrcomments -t DNSKEY example > dig.out.test$n || ret=1
+  grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" dig.out.test$n > /dev/null && ret=1
+  check_ttl_range dig.out.test$n "DNSKEY" 300 || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking dig +multi +norrcomments works for SOA (when default is rrcomments)($n)"
+  ret=0
+  dig_with_opts +tcp @10.53.0.3 +multi +norrcomments -t SOA example > dig.out.test$n || ret=1
+  grep "; serial" dig.out.test$n > /dev/null && ret=1
+  check_ttl_range dig.out.test$n "SOA" 300 || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking dig +rrcomments works for DNSKEY($n)"
+  ret=0
+  dig_with_opts +tcp @10.53.0.3 +rrcomments DNSKEY example > dig.out.test$n || ret=1
+  grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < dig.out.test$n > /dev/null || ret=1
+  check_ttl_range dig.out.test$n "DNSKEY" 300 || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking dig +short +rrcomments works for DNSKEY ($n)"
+  ret=0
+  dig_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example > dig.out.test$n || ret=1
+  grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < dig.out.test$n > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking dig +short +nosplit works($n)"
+  ret=0
+  dig_with_opts +tcp @10.53.0.3 +short +nosplit DNSKEY example > dig.out.test$n || ret=1
+  grep "$NOSPLIT" < dig.out.test$n > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking dig +short +rrcomments works($n)"
+  ret=0
+  dig_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example > dig.out.test$n || ret=1
+  grep -q "$KEYDATA  ; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID\$" < dig.out.test$n || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking dig multi flag is local($n)"
+  ret=0
+  dig_with_opts +tcp @10.53.0.3 -t DNSKEY example +nomulti example +nomulti > dig.out.nn.$n || ret=1
+  dig_with_opts +tcp @10.53.0.3 -t DNSKEY example +multi example +nomulti > dig.out.mn.$n || ret=1
+  dig_with_opts +tcp @10.53.0.3 -t DNSKEY example +nomulti example +multi > dig.out.nm.$n || ret=1
+  dig_with_opts +tcp @10.53.0.3 -t DNSKEY example +multi example +multi > dig.out.mm.$n || ret=1
+  lcnn=$(wc -l < dig.out.nn.$n)
+  lcmn=$(wc -l < dig.out.mn.$n)
+  lcnm=$(wc -l < dig.out.nm.$n)
+  lcmm=$(wc -l < dig.out.mm.$n)
+  test "$lcmm" -ge "$lcnm" || ret=1
+  test "$lcmm" -ge "$lcmn" || ret=1
+  test "$lcnm" -ge "$lcnn" || ret=1
+  test "$lcmn" -ge "$lcnn" || ret=1
+  check_ttl_range dig.out.nn.$n "DNSKEY" 300 || ret=1
+  check_ttl_range dig.out.mn.$n "DNSKEY" 300 || ret=1
+  check_ttl_range dig.out.nm.$n "DNSKEY" 300 || ret=1
+  check_ttl_range dig.out.mm.$n "DNSKEY" 300 || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking dig +noheader-only works ($n)"
+  ret=0
+  dig_with_opts +tcp @10.53.0.3 +noheader-only A example > dig.out.test$n || ret=1
+  grep "Got answer:" < dig.out.test$n > /dev/null || ret=1
+  check_ttl_range dig.out.test$n "SOA" 300 || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking dig +short +rrcomments works($n)"
+  ret=0
+  dig_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example > dig.out.test$n || ret=1
+  grep -q "$KEYDATA  ; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID\$" < dig.out.test$n || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking dig +header-only works ($n)"
+  ret=0
+  dig_with_opts +tcp @10.53.0.3 +header-only example > dig.out.test$n || ret=1
+  grep "^;; flags: qr rd; QUERY: 0, ANSWER: 0," < dig.out.test$n > /dev/null || ret=1
+  grep "^;; QUESTION SECTION:" < dig.out.test$n > /dev/null && ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking dig +raflag works ($n)"
+  ret=0
+  dig_with_opts +tcp @10.53.0.3 +raflag +qr example > dig.out.test$n || ret=1
+  grep "^;; flags: rd ra ad; QUERY: 1, ANSWER: 0," < dig.out.test$n > /dev/null || ret=1
+  grep "^;; flags: qr rd ra; QUERY: 1, ANSWER: 0," < dig.out.test$n > /dev/null || ret=1
+  check_ttl_range dig.out.test$n "SOA" 300 || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking dig +tcflag works ($n)"
+  ret=0
+  dig_with_opts +tcp @10.53.0.3 +tcflag +qr example > dig.out.test$n || ret=1
+  grep "^;; flags: tc rd ad; QUERY: 1, ANSWER: 0" < dig.out.test$n > /dev/null || ret=1
+  grep "^;; flags: qr rd ra; QUERY: 1, ANSWER: 0," < dig.out.test$n > /dev/null || ret=1
+  check_ttl_range dig.out.test$n "SOA" 300 || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking dig +header-only works (with class and type set) ($n)"
+  ret=0
+  dig_with_opts +tcp @10.53.0.3 +header-only -c IN -t A example > dig.out.test$n || ret=1
+  grep "^;; flags: qr rd; QUERY: 0, ANSWER: 0," < dig.out.test$n > /dev/null || ret=1
+  grep "^;; QUESTION SECTION:" < dig.out.test$n > /dev/null && ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking dig +zflag works, and that BIND properly ignores it ($n)"
+  ret=0
+  dig_with_opts +tcp @10.53.0.3 +zflag +qr A example > dig.out.test$n || ret=1
+  sed -n '/Sending:/,/Got answer:/p' dig.out.test$n | grep "^;; flags: rd ad; MBZ: 0x4;" > /dev/null || ret=1
+  sed -n '/Got answer:/,/AUTHORITY SECTION:/p' dig.out.test$n | grep "^;; flags: qr rd ra; QUERY: 1" > /dev/null || ret=1
+  check_ttl_range dig.out.test$n "SOA" 300 || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking dig +qr +ednsopt=08 does not cause an INSIST failure ($n)"
+  ret=0
+  dig_with_opts @10.53.0.3 +ednsopt=08 +qr a a.example > dig.out.test$n || ret=1
+  grep "INSIST" < dig.out.test$n > /dev/null && ret=1
+  grep "FORMERR" < dig.out.test$n > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking dig +ttlunits works ($n)"
+  ret=0
+  dig_with_opts +tcp @10.53.0.2 +ttlunits A weeks.example > dig.out.test$n || ret=1
+  grep "^weeks.example.		3w" < dig.out.test$n > /dev/null || ret=1
+  dig_with_opts +tcp @10.53.0.2 +ttlunits A days.example > dig.out.test$n || ret=1
+  grep "^days.example.		3d" < dig.out.test$n > /dev/null || ret=1
+  dig_with_opts +tcp @10.53.0.2 +ttlunits A hours.example > dig.out.test$n || ret=1
+  grep "^hours.example.		3h" < dig.out.test$n > /dev/null || ret=1
+  dig_with_opts +tcp @10.53.0.2 +ttlunits A minutes.example > dig.out.test$n || ret=1
+  grep "^minutes.example.	45m" < dig.out.test$n > /dev/null || ret=1
+  dig_with_opts +tcp @10.53.0.2 +ttlunits A seconds.example > dig.out.test$n || ret=1
+  grep "^seconds.example.	45s" < dig.out.test$n > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking dig respects precedence of options with +ttlunits ($n)"
+  ret=0
+  dig_with_opts +tcp @10.53.0.2 +ttlunits +nottlid A weeks.example > dig.out.test$n || ret=1
+  grep "^weeks.example.		IN" < dig.out.test$n > /dev/null || ret=1
+  dig_with_opts +tcp @10.53.0.2 +nottlid +ttlunits A weeks.example > dig.out.test$n || ret=1
+  grep "^weeks.example.		3w" < dig.out.test$n > /dev/null || ret=1
+  dig_with_opts +tcp @10.53.0.2 +nottlid +nottlunits A weeks.example > dig.out.test$n || ret=1
+  grep "^weeks.example.		1814400" < dig.out.test$n > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking dig preserves origin on TCP retries ($n)"
+  ret=0
+  # Ask ans4 to still accept TCP connections, but not respond to queries
+  echo "//" | sendcmd 10.53.0.4
+  dig_with_opts -d +tcp @10.53.0.4 +retry=1 +time=1 +domain=bar foo > dig.out.test$n 2>&1 && ret=1
+  test "$(grep -c "trying origin bar" dig.out.test$n)" -eq 2 || ret=1
+  grep "using root origin" < dig.out.test$n > /dev/null && ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking dig -6 -4 ($n)"
+  ret=0
+  dig_with_opts +tcp @10.53.0.2 -4 -6 A a.example > dig.out.test$n 2>&1 && ret=1
+  grep "only one of -4 and -6 allowed" < dig.out.test$n > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking dig @IPv6addr -4 A a.example ($n)"
+  if testsock6 fd92:7065:b8e:ffff::2 2>/dev/null
+  then
+    ret=0
+    dig_with_opts +tcp @fd92:7065:b8e:ffff::2 -4 A a.example > dig.out.test$n 2>&1 && ret=1
+    grep "address family not supported" < dig.out.test$n > /dev/null || ret=1
+    if [ $ret -ne 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+  else
+    echo_i "IPv6 unavailable; skipping"
+  fi
+
+  n=$((n+1))
+  echo_i "checking dig @IPv4addr -6 +mapped A a.example ($n)"
+  if testsock6 fd92:7065:b8e:ffff::2 2>/dev/null && [ "$(uname -s)" != "OpenBSD" ]
+  then
+    ret=0
+    dig_with_opts +tcp @10.53.0.2 -6 +mapped A a.example > dig.out.test$n 2>&1 || ret=1
+    grep "SERVER: ::ffff:10.53.0.2#$PORT" < dig.out.test$n > /dev/null || ret=1
+    if [ $ret -ne 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+  else
+    echo_i "IPv6 or IPv4-to-IPv6 mapping unavailable; skipping"
+  fi
+
+  n=$((n+1))
+  echo_i "checking dig +tcp @IPv4addr -6 +nomapped A a.example ($n)"
+  if testsock6 fd92:7065:b8e:ffff::2 2>/dev/null
+  then
+    ret=0
+    dig_with_opts +tcp @10.53.0.2 -6 +nomapped A a.example > dig.out.test$n 2>&1 || ret=1
+    grep "SERVER: ::ffff:10.53.0.2#$PORT" < dig.out.test$n > /dev/null && ret=1
+    if [ $ret -ne 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+  else
+    echo_i "IPv6 unavailable; skipping"
+  fi
+  n=$((n+1))
+
+  echo_i "checking dig +notcp @IPv4addr -6 +nomapped A a.example ($n)"
+  if testsock6 fd92:7065:b8e:ffff::2 2>/dev/null
+  then
+    ret=0
+    dig_with_opts +notcp @10.53.0.2 -6 +nomapped A a.example > dig.out.test$n 2>&1 || ret=1
+    grep "SERVER: ::ffff:10.53.0.2#$PORT" < dig.out.test$n > /dev/null && ret=1
+    if [ $ret -ne 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+  else
+    echo_i "IPv6 unavailable; skipping"
+  fi
+
+  n=$((n+1))
+  echo_i "checking dig +subnet ($n)"
+  ret=0
+  dig_with_opts +tcp @10.53.0.2 +subnet=127.0.0.1 A a.example > dig.out.test$n 2>&1 || ret=1
+  grep "CLIENT-SUBNET: 127.0.0.1/32/0" < dig.out.test$n > /dev/null || ret=1
+  check_ttl_range dig.out.test$n "A" 300 || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking dig +subnet +subnet ($n)"
+  ret=0
+  dig_with_opts +tcp @10.53.0.2 +subnet=127.0.0.0 +subnet=127.0.0.1 A a.example > dig.out.test$n 2>&1 || ret=1
+  grep "CLIENT-SUBNET: 127.0.0.1/32/0" < dig.out.test$n > /dev/null || ret=1
+  check_ttl_range dig.out.test$n "A" 300 || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking dig +subnet with various prefix lengths ($n)"
+  ret=0
+  for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24; do
+      dig_with_opts +tcp @10.53.0.2 +subnet=255.255.255.255/$i A a.example > dig.out.$i.test$n 2>&1 || ret=1
+      case $i in
+      1|9|17) octet=128 ;;
+      2|10|18) octet=192 ;;
+      3|11|19) octet=224 ;;
+      4|12|20) octet=240 ;;
+      5|13|21) octet=248 ;;
+      6|14|22) octet=252 ;;
+      7|15|23) octet=254 ;;
+      8|16|24) octet=255 ;;
+      esac
+      case $i in
+      1|2|3|4|5|6|7|8) addr="${octet}.0.0.0";;
+      9|10|11|12|13|14|15|16) addr="255.${octet}.0.0";;
+      17|18|19|20|21|22|23|24) addr="255.255.${octet}.0" ;;
+      esac
+      grep "FORMERR" < dig.out.$i.test$n > /dev/null && ret=1
+      grep "CLIENT-SUBNET: $addr/$i/0" < dig.out.$i.test$n > /dev/null || ret=1
+      check_ttl_range dig.out.$i.test$n "A" 300 || ret=1
+  done
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking dig +subnet=0/0 ($n)"
+  ret=0
+  dig_with_opts +tcp @10.53.0.2 +subnet=0/0 A a.example > dig.out.test$n 2>&1 || ret=1
+  grep "status: NOERROR" < dig.out.test$n > /dev/null || ret=1
+  grep "CLIENT-SUBNET: 0.0.0.0/0/0" < dig.out.test$n > /dev/null || ret=1
+  grep "10.0.0.1" < dig.out.test$n > /dev/null || ret=1
+  check_ttl_range dig.out.test$n "A" 300 || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking dig +subnet=0 ($n)"
+  ret=0
+  dig_with_opts +tcp @10.53.0.2 +subnet=0 A a.example > dig.out.test$n 2>&1 || ret=1
+  grep "status: NOERROR" < dig.out.test$n > /dev/null || ret=1
+  grep "CLIENT-SUBNET: 0.0.0.0/0/0" < dig.out.test$n > /dev/null || ret=1
+  grep "10.0.0.1" < dig.out.test$n > /dev/null || ret=1
+  check_ttl_range dig.out.test$n "A" 300 || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking dig +subnet=::/0 ($n)"
+  ret=0
+  dig_with_opts +tcp @10.53.0.2 +subnet=::/0 A a.example > dig.out.test$n 2>&1 || ret=1
+  grep "status: NOERROR" < dig.out.test$n > /dev/null || ret=1
+  grep "CLIENT-SUBNET: ::/0/0" < dig.out.test$n > /dev/null || ret=1
+  grep "10.0.0.1" < dig.out.test$n > /dev/null || ret=1
+  check_ttl_range dig.out.test$n "A" 300 || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking dig +ednsopt=8:00000000 (family=0, source=0, scope=0) ($n)"
+  ret=0
+  dig_with_opts +tcp @10.53.0.2 +ednsopt=8:00000000 A a.example > dig.out.test$n 2>&1 || ret=1
+  grep "status: NOERROR" < dig.out.test$n > /dev/null || ret=1
+  grep "CLIENT-SUBNET: 0/0/0" < dig.out.test$n > /dev/null || ret=1
+  grep "10.0.0.1" < dig.out.test$n > /dev/null || ret=1
+  check_ttl_range dig.out.test$n "A" 300 || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking dig +ednsopt=8:00030000 (family=3, source=0, scope=0) ($n)"
+  ret=0
+  dig_with_opts +qr +tcp @10.53.0.2 +ednsopt=8:00030000 A a.example > dig.out.test$n 2>&1 || ret=1
+  grep "status: FORMERR" < dig.out.test$n > /dev/null || ret=1
+  grep "CLIENT-SUBNET: 00 03 00 00" < dig.out.test$n > /dev/null || ret=1
+  test "$(grep -c "CLIENT-SUBNET: 00 03 00 00" dig.out.test$n)" -eq 1 || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking dig +subnet with prefix lengths between byte boundaries ($n)"
+  ret=0
+  for p in 9 10 11 12 13 14 15; do
+    dig_with_opts +tcp @10.53.0.2 +subnet=10.53/$p A a.example > dig.out.test.$p.$n 2>&1 || ret=1
+    grep "FORMERR" < dig.out.test.$p.$n > /dev/null && ret=1
+    grep "CLIENT-SUBNET.*/$p/0" < dig.out.test.$p.$n > /dev/null || ret=1
+    check_ttl_range dig.out.test.$p.$n "A" 300 || ret=1
+  done
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking dig +sp works as an abbreviated form of split ($n)"
+  ret=0
+  dig_with_opts @10.53.0.3 +sp=4 -t sshfp foo.example > dig.out.test$n || ret=1
+  grep " 9ABC DEF6 7890 " < dig.out.test$n > /dev/null || ret=1
+  check_ttl_range dig.out.test$n "SSHFP" 300 || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking dig -c works ($n)"
+  ret=0
+  dig_with_opts @10.53.0.3 -c CHAOS -t txt version.bind > dig.out.test$n || ret=1
+  grep "version.bind.		0	CH	TXT" < dig.out.test$n > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking dig +dscp ($n)"
+  ret=0
+  dig_with_opts @10.53.0.3 +dscp=32 a a.example > /dev/null 2>&1 || ret=1
+  dig_with_opts @10.53.0.3 +dscp=-1 a a.example > /dev/null 2>&1 && ret=1
+  dig_with_opts @10.53.0.3 +dscp=64 a a.example > /dev/null 2>&1 && ret=1
+  #TODO add a check to make sure dig is actually setting the dscp on the query
+  #we might have to add better logging to named for this
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking dig +ednsopt with option number ($n)"
+  ret=0
+  dig_with_opts @10.53.0.3 +ednsopt=3 a.example > dig.out.test$n 2>&1 || ret=1
+  grep 'NSID: .* ("ns3")' dig.out.test$n > /dev/null || ret=1
+  check_ttl_range dig.out.test$n "A" 300 || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking dig +ednsopt with option name ($n)"
+  ret=0
+  dig_with_opts @10.53.0.3 +ednsopt=nsid a.example > dig.out.test$n 2>&1 || ret=1
+  grep 'NSID: .* ("ns3")' dig.out.test$n > /dev/null || ret=1
+  check_ttl_range dig.out.test$n "A" 300 || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking ednsopt LLQ prints as expected ($n)"
+  ret=0
+  dig_with_opts @10.53.0.3 +ednsopt=llq:0001000200001234567812345678fefefefe +qr a.example > dig.out.test$n 2>&1 || ret=1
+  pat='LLQ: Version: 1, Opcode: 2, Error: 0, Identifier: 1311768465173141112, Lifetime: 4278124286$'
+  tr -d '\r' < dig.out.test$n | grep "$pat" > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking that dig warns about .local queries ($n)"
+  ret=0
+  dig_with_opts @10.53.0.3 local soa > dig.out.test$n 2>&1 || ret=1
+  grep ";; WARNING: .local is reserved for Multicast DNS" dig.out.test$n > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "check that dig processes +ednsopt=key-tag and FORMERR is returned ($n)"
+  ret=0
+  dig_with_opts @10.53.0.3 +ednsopt=key-tag a.example +qr > dig.out.test$n 2>&1 || ret=1
+  grep "; KEY-TAG: *$" dig.out.test$n > /dev/null || ret=1
+  grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "check that dig processes +ednsopt=key-tag:<value-list> ($n)"
+  ret=0
+  dig_with_opts @10.53.0.3 +ednsopt=key-tag:00010002 a.example +qr > dig.out.test$n 2>&1 || ret=1
+  grep "; KEY-TAG: 1, 2$" dig.out.test$n > /dev/null || ret=1
+  grep "status: FORMERR" dig.out.test$n > /dev/null && ret=1
+  check_ttl_range dig.out.test$n "A" 300 || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "check that dig processes +ednsopt=key-tag:<malformed-value-list> and FORMERR is returned ($n)"
+  ret=0
+  dig_with_opts @10.53.0.3 +ednsopt=key-tag:0001000201 a.example +qr > dig.out.test$n 2>&1 || ret=1
+  grep "; KEY-TAG: 00 01 00 02 01" dig.out.test$n > /dev/null || ret=1
+  grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "check that dig processes +ednsopt=client-tag:value ($n)"
+  ret=0
+  dig_with_opts @10.53.0.3 +ednsopt=client-tag:0001 a.example +qr > dig.out.test$n 2>&1 || ret=1
+  grep "; CLIENT-TAG: 1$" dig.out.test$n > /dev/null || ret=1
+  grep "status: FORMERR" dig.out.test$n > /dev/null && ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "check that FORMERR is returned for a too short client-tag ($n)"
+  ret=0
+  dig_with_opts @10.53.0.3 +ednsopt=client-tag:01 a.example +qr > dig.out.test$n 2>&1 || ret=1
+  grep "; CLIENT-TAG" dig.out.test$n > /dev/null || ret=1
+  grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "check that FORMERR is returned for a too long client-tag ($n)"
+  ret=0
+  dig_with_opts @10.53.0.3 +ednsopt=client-tag:000001 a.example +qr > dig.out.test$n 2>&1 || ret=1
+  grep "; CLIENT-TAG" dig.out.test$n > /dev/null || ret=1
+  grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "check that dig processes +ednsopt=server-tag:value ($n)"
+  ret=0
+  dig_with_opts @10.53.0.3 +ednsopt=server-tag:0001 a.example +qr > dig.out.test$n 2>&1 || ret=1
+  grep "; SERVER-TAG: 1$" dig.out.test$n > /dev/null || ret=1
+  grep "status: FORMERR" dig.out.test$n > /dev/null && ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "check that FORMERR is returned for a too short server-tag ($n)"
+  ret=0
+  dig_with_opts @10.53.0.3 +ednsopt=server-tag:01 a.example +qr > dig.out.test$n 2>&1 || ret=1
+  grep "; SERVER-TAG" dig.out.test$n > /dev/null || ret=1
+  grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "check that FORMERR is returned for a too long server-tag ($n)"
+  ret=0
+  dig_with_opts @10.53.0.3 +ednsopt=server-tag:000001 a.example +qr > dig.out.test$n 2>&1 || ret=1
+  grep "; SERVER-TAG" dig.out.test$n > /dev/null || ret=1
+  grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "check that Extended DNS Error 0 is printed correctly ($n)"
+  # First defined EDE code, additional text "foo".
+  dig_with_opts @10.53.0.3 +ednsopt=ede:0000666f6f a.example +qr > dig.out.test$n 2>&1 || ret=1
+  pat='^; EDE: 0 (Other): (foo)$'
+  tr -d '\r' < dig.out.test$n | grep "$pat" > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "check that Extended DNS Error 24 is printed correctly ($n)"
+  # Last defined EDE code, no additional text.
+  dig_with_opts @10.53.0.3 +ednsopt=ede:0018 a.example +qr > dig.out.test$n 2>&1 || ret=1
+  pat='^; EDE: 24 (Invalid Data)$'
+  tr -d '\r' < dig.out.test$n | grep "$pat" > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "check that Extended DNS Error 25 is printed correctly ($n)"
+  # First undefined EDE code, additional text "foo".
+  dig_with_opts @10.53.0.3 +ednsopt=ede:0019666f6f a.example +qr > dig.out.test$n 2>&1 || ret=1
+  pat='^; EDE: 25: (foo)$'
+  tr -d '\r' < dig.out.test$n | grep "$pat" > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "check that invalid Extended DNS Error (length 0) is printed ($n)"
+  # EDE payload is too short
+  dig_with_opts @10.53.0.3 +ednsopt=ede a.example +qr > dig.out.test$n 2>&1 || ret=1
+  pat='^; EDE:$'
+  tr -d '\r' < dig.out.test$n | grep "$pat" > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "check that invalid Extended DNS Error (length 1) is printed ($n)"
+  # EDE payload is too short
+  dig_with_opts @10.53.0.3 +ednsopt=ede:00 a.example +qr > dig.out.test$n 2>&1 || ret=1
+  pat='^; EDE: 00 (".")$'
+  tr -d '\r' < dig.out.test$n | grep "$pat" > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  if [ $HAS_PYYAML -ne 0 ] ; then
+    n=$((n+1))
+    echo_i "check that +yaml Extended DNS Error 0 is printed correctly ($n)"
+    # First defined EDE code, additional text "foo".
+    dig_with_opts @10.53.0.3 +yaml +ednsopt=ede:0000666f6f a.example +qr > dig.out.test$n 2>&1 || ret=1
+    $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE INFO-CODE > yamlget.out.test$n 2>&1 || ret=1
+    read -r value < yamlget.out.test$n
+    [ "$value" = "0 (Other)" ] || ret=1
+    $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE EXTRA-TEXT > yamlget.out.test$n 2>&1 || ret=1
+    read -r value < yamlget.out.test$n
+    [ "$value" = "foo" ] || ret=1
+    if [ $ret -ne 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+
+    n=$((n+1))
+    echo_i "check that +yaml Extended DNS Error 24 is printed correctly ($n)"
+    # Last defined EDE code, no additional text.
+    dig_with_opts @10.53.0.3 +yaml +ednsopt=ede:0018 a.example +qr > dig.out.test$n 2>&1 || ret=1
+    $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE INFO-CODE > yamlget.out.test$n 2>&1 || ret=1
+    read -r value < yamlget.out.test$n
+    [ "$value" = "24 (Invalid Data)" ] || ret=1
+    $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE EXTRA-TEXT > yamlget.out.test$n 2>&1 && ret=1
+    if [ $ret -ne 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+
+    n=$((n+1))
+    echo_i "check that +yaml Extended DNS Error 25 is printed correctly ($n)"
+    # First undefined EDE code, additional text "foo".
+    dig_with_opts @10.53.0.3 +yaml +ednsopt=ede:0019666f6f a.example +qr > dig.out.test$n 2>&1 || ret=1
+    $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE INFO-CODE > yamlget.out.test$n 2>&1 || ret=1
+    read -r value < yamlget.out.test$n
+    [ "$value" = "25" ] || ret=1
+    $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE EXTRA-TEXT > yamlget.out.test$n 2>&1 || ret=1
+    read -r value < yamlget.out.test$n
+    [ "$value" = "foo" ] || ret=1
+    if [ $ret -ne 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+
+    n=$((n+1))
+    echo_i "check that invalid Extended DNS Error (length 0) is printed ($n)"
+    # EDE payload is too short
+    dig_with_opts @10.53.0.3 +yaml +ednsopt=ede a.example +qr > dig.out.test$n 2>&1 || ret=1
+    $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE > yamlget.out.test$n 2>&1 || ret=1
+    read -r value < yamlget.out.test$n
+    [ "$value" = "None" ] || ret=1
+    if [ $ret -ne 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+
+    n=$((n+1))
+    echo_i "check that invalid +yaml Extended DNS Error (length 1) is printed ($n)"
+    # EDE payload is too short
+    dig_with_opts @10.53.0.3 +yaml +ednsopt=ede:00 a.example +qr > dig.out.test$n 2>&1 || ret=1
+    $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE > yamlget.out.test$n 2>&1 || ret=1
+    read -r value < yamlget.out.test$n
+    [ "$value" = '00 (".")' ] || ret=1
+    if [ $ret -ne 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+  fi
+
+  n=$((n+1))
+  echo_i "check that dig handles malformed option '+ednsopt=:' gracefully ($n)"
+  ret=0
+  dig_with_opts @10.53.0.3 +ednsopt=: a.example > dig.out.test$n 2>&1 && ret=1
+  grep "ednsopt no code point specified" dig.out.test$n > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "check that dig gracefully handles bad escape in domain name ($n)"
+  ret=0
+  digstatus=0
+  dig_with_opts @10.53.0.3 '\0.' > dig.out.test$n 2>&1 || digstatus=$?
+  echo digstatus=$digstatus >> dig.out.test$n
+  test $digstatus -eq 10 || ret=1
+  grep REQUIRE dig.out.test$n > /dev/null && ret=1
+  grep "is not a legal name (bad escape)" dig.out.test$n > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "check that dig -q -m works ($n)"
+  ret=0
+  dig_with_opts @10.53.0.3 -q -m > dig.out.test$n 2>&1
+  pat='^;-m\..*IN.*A$'
+  tr -d '\r' < dig.out.test$n | grep "$pat" > /dev/null || ret=1
+  grep "Dump of all outstanding memory allocations" dig.out.test$n > /dev/null && ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking exit code for a retry upon TCP EOF (immediate -> immediate) ($n)"
+  ret=0
+  echo "no_response no_response" | sendcmd 10.53.0.5
+  dig_with_opts @10.53.0.5 example AXFR +tries=2 > dig.out.test$n 2>&1 && ret=1
+  # Sanity check: ensure ans5 behaves as expected.
+  [ `grep "communications error.*end of file" dig.out.test$n | wc -l` -eq 2 ] || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking exit code for a retry upon TCP EOF (partial AXFR -> partial AXFR) ($n)"
+  ret=0
+  echo "partial_axfr partial_axfr" | sendcmd 10.53.0.5
+  dig_with_opts @10.53.0.5 example AXFR +tries=2 > dig.out.test$n 2>&1 && ret=1
+  # Sanity check: ensure ans5 behaves as expected.
+  [ `grep "communications error.*end of file" dig.out.test$n | wc -l` -eq 2 ] || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking exit code for a retry upon TCP EOF (immediate -> partial AXFR) ($n)"
+  ret=0
+  echo "no_response partial_axfr" | sendcmd 10.53.0.5
+  dig_with_opts @10.53.0.5 example AXFR +tries=2 > dig.out.test$n 2>&1 && ret=1
+  # Sanity check: ensure ans5 behaves as expected.
+  [ `grep "communications error.*end of file" dig.out.test$n | wc -l` -eq 2 ] || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking exit code for a retry upon TCP EOF (partial AXFR -> immediate) ($n)"
+  ret=0
+  echo "partial_axfr no_response" | sendcmd 10.53.0.5
+  dig_with_opts @10.53.0.5 example AXFR +tries=2 > dig.out.test$n 2>&1 && ret=1
+  # Sanity check: ensure ans5 behaves as expected.
+  [ `grep "communications error.*end of file" dig.out.test$n | wc -l` -eq 2 ] || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking exit code for a retry upon TCP EOF (immediate -> complete AXFR) ($n)"
+  ret=0
+  echo "no_response complete_axfr" | sendcmd 10.53.0.5
+  dig_with_opts @10.53.0.5 example AXFR +tries=2 > dig.out.test$n 2>&1 || ret=1
+  # Sanity check: ensure ans5 behaves as expected.
+  [ `grep "communications error.*end of file" dig.out.test$n | wc -l` -eq 1 ] || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking exit code for a retry upon TCP EOF (partial AXFR -> complete AXFR) ($n)"
+  ret=0
+  echo "partial_axfr complete_axfr" | sendcmd 10.53.0.5
+  dig_with_opts @10.53.0.5 example AXFR +tries=2 > dig.out.test$n 2>&1 || ret=1
+  # Sanity check: ensure ans5 behaves as expected.
+  [ `grep "communications error.*end of file" dig.out.test$n | wc -l` -eq 1 ] || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking +tries=1 won't retry twice upon TCP EOF ($n)"
+  ret=0
+  echo "no_response no_response" | sendcmd 10.53.0.5
+  dig_with_opts @10.53.0.5 example AXFR +tries=1 > dig.out.test$n 2>&1 && ret=1
+  # Sanity check: ensure ans5 behaves as expected.
+  [ `grep "communications error.*end of file" dig.out.test$n | wc -l` -eq 1 ] || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking +retry=0 won't retry twice upon TCP EOF ($n)"
+  ret=0
+  dig_with_opts @10.53.0.5 example AXFR +retry=0 > dig.out.test$n 2>&1 && ret=1
+  # Sanity check: ensure ans5 behaves as expected.
+  [ `grep "communications error.*end of file" dig.out.test$n | wc -l` -eq 1 ] || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "check that dig +expandaaaa works ($n)"
+  ret=0
+  dig_with_opts @10.53.0.3 +expandaaaa AAAA ns2.example > dig.out.test$n 2>&1 || ret=1
+  grep "ns2.example.*fd92:7065:0b8e:ffff:0000:0000:0000:0002" dig.out.test$n > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "check that dig +noexpandaaaa works ($n)"
+  ret=0
+  dig_with_opts @10.53.0.3 +noexpandaaaa AAAA ns2.example > dig.out.test$n 2>&1 || ret=1
+  grep "ns2.example.*fd92:7065:b8e:ffff::2" dig.out.test$n > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "check that dig default for +[no]expandaaa (+noexpandaaaa) works ($n)"
+  ret=0
+  dig_with_opts @10.53.0.3 AAAA ns2.example > dig.out.test$n 2>&1 || ret=1
+  grep "ns2.example.*fd92:7065:b8e:ffff::2" dig.out.test$n > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+
+  echo_i "check that dig +short +expandaaaa works ($n)"
+  ret=0
+  dig_with_opts @10.53.0.3 +short +expandaaaa AAAA ns2.example > dig.out.test$n 2>&1 || ret=1
+  pat='^fd92:7065:0b8e:ffff:0000:0000:0000:0002$'
+  tr -d '\r' < dig.out.test$n | grep "$pat" > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  if [ $HAS_PYYAML -ne 0 ] ; then
+    n=$((n+1))
+    echo_i "check dig +yaml output ($n)"
+    ret=0
+    dig_with_opts +qr +yaml @10.53.0.3 any ns2.example > dig.out.test$n 2>&1 || ret=1
+    value=$($PYTHON yamlget.py dig.out.test$n 0 message query_message_data status || ret=1)
+    [ "$value" = "NOERROR" ] || ret=1
+    value=$($PYTHON yamlget.py dig.out.test$n 1 message response_message_data status || ret=1)
+    [ "$value" = "NOERROR" ] || ret=1
+    value=$($PYTHON yamlget.py dig.out.test$n 1 message response_message_data QUESTION_SECTION 0 || ret=1)
+    [ "$value" = "ns2.example. IN ANY" ] || ret=1
+    if [ $ret -ne 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+
+    n=$((n+1))
+    echo_i "check dig +yaml output of an IPv6 address ending in zeroes ($n)"
+    ret=0
+    dig_with_opts +qr +yaml @10.53.0.3 aaaa d.example > dig.out.test$n 2>&1 || ret=1
+    $PYTHON yamlget.py dig.out.test$n 1 message response_message_data ANSWER_SECTION 0 > yamlget.out.test$n 2>&1 || ret=1
+    read -r value < yamlget.out.test$n
+    [ "$value" = "d.example. 300 IN AAAA fd92:7065:b8e:ffff::0" ] || ret=1
+    if [ $ret -ne 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+  fi
+
+  n=$((n+1))
+  echo_i "check that dig +unexpected works ($n)"
+  ret=0
+  dig_with_opts @10.53.0.6 +unexpected a a.example > dig.out.test$n || ret=1
+  grep 'reply from unexpected source' dig.out.test$n > /dev/null || ret=1
+  grep 'status: NOERROR' dig.out.test$n > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "check that dig +nounexpected works ($n)"
+  ret=0
+  dig_with_opts @10.53.0.6 +nounexpected +tries=1 +time=2 a a.example > dig.out.test$n && ret=1
+  grep 'reply from unexpected source' dig.out.test$n > /dev/null || ret=1
+  grep "status: NOERROR" < dig.out.test$n > /dev/null && ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "check that dig default for +[no]unexpected (+nounexpected) works ($n)"
+  ret=0
+  dig_with_opts @10.53.0.6 +tries=1 +time=2 a a.example > dig.out.test$n && ret=1
+  grep 'reply from unexpected source' dig.out.test$n > /dev/null || ret=1
+  grep "status: NOERROR" < dig.out.test$n > /dev/null && ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "check that dig +bufsize=0 disables EDNS ($n)"
+  ret=0
+  dig_with_opts @10.53.0.3 a.example +bufsize=0 +qr > dig.out.test$n 2>&1 || ret=1
+  grep "EDNS:" dig.out.test$n > /dev/null && ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "check that dig +bufsize=0 +edns sends EDNS with bufsize of 0 ($n)"
+  ret=0
+  dig_with_opts @10.53.0.3 a.example +bufsize=0 +edns +qr > dig.out.test$n 2>&1 || ret=1
+  pat='EDNS:.* udp: 0$'
+  tr -d '\r' < dig.out.test$n | grep -E "$pat" > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "check that dig +bufsize restores default bufsize ($n)"
+  ret=0
+  dig_with_opts @10.53.0.3 a.example +bufsize=0 +bufsize +qr > dig.out.test$n 2>&1 || ret=1
+  lines1232=`grep "EDNS:.* udp: 1232" dig.out.test$n | wc -l`
+  lines4096=`grep "EDNS:.* udp: 4096" dig.out.test$n | wc -l`
+  test $lines1232 -eq 1 || ret=1
+  test $lines4096 -eq 1 || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "check that dig without -u displays 'Query time' in millseconds ($n)"
+  ret=0
+  dig_with_opts @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1
+  grep ';; Query time: [0-9][0-9]* msec' dig.out.test$n >/dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "check that dig -u displays 'Query time' in microseconds ($n)"
+  ret=0
+  dig_with_opts -u @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1
+  grep ';; Query time: [0-9][0-9]* usec' dig.out.test$n >/dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "check that dig +yaml without -u displays timestamps in milliseconds ($n)"
+  ret=0
+  dig_with_opts +yaml @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1
+  grep 'query_time: !!timestamp ....-..-..T..:..:..\....Z' dig.out.test$n >/dev/null || ret=1
+  grep 'response_time: !!timestamp ....-..-..T..:..:..\....Z' dig.out.test$n >/dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "check that dig -u +yaml displays timestamps in microseconds ($n)"
+  ret=0
+  dig_with_opts -u +yaml @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1
+  grep 'query_time: !!timestamp ....-..-..T..:..:..\.......Z' dig.out.test$n >/dev/null || ret=1
+  grep 'response_time: !!timestamp ....-..-..T..:..:..\.......Z' dig.out.test$n >/dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+else
+  echo_i "$DIG is needed, so skipping these dig tests"
+fi
+
+if [ -x "$MDIG" ] ; then
+  n=$((n+1))
+  echo_i "check that mdig handles malformed option '+ednsopt=:' gracefully ($n)"
+  ret=0
+  mdig_with_opts @10.53.0.3 +ednsopt=: a.example > dig.out.test$n 2>&1 && ret=1
+  grep "ednsopt no code point specified" dig.out.test$n > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking mdig +multi +norrcomments works for DNSKEY (when default is rrcomments)($n)"
+  ret=0
+  mdig_with_opts +tcp @10.53.0.3 +multi +norrcomments -t DNSKEY example > dig.out.test$n || ret=1
+  grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" dig.out.test$n && ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking mdig +multi +norrcomments works for SOA (when default is rrcomments)($n)"
+  ret=0
+  mdig_with_opts +tcp @10.53.0.3 +multi +norrcomments -t SOA example > dig.out.test$n || ret=1
+  grep "; serial" < dig.out.test$n > /dev/null && ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  if [ $HAS_PYYAML -ne 0 ] ; then
+    n=$((n+1))
+    echo_i "check mdig +yaml output ($n)"
+    ret=0
+    mdig_with_opts +yaml @10.53.0.3 -t any ns2.example > dig.out.test$n || ret=1
+    value=$($PYTHON yamlget.py dig.out.test$n 0 message response_message_data status || ret=1)
+    [ "$value" = "NOERROR" ] || ret=1
+    value=$($PYTHON yamlget.py dig.out.test$n 0 message response_message_data QUESTION_SECTION 0 || ret=1)
+    [ "$value" = "ns2.example. IN ANY" ] || ret=1
+    if [ $ret -ne 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+  fi
+else
+  echo_i "$MDIG is needed, so skipping these mdig tests"
+fi
+
+if [ -x "$DELV" ] ; then
+  n=$((n+1))
+  echo_i "checking delv short form works ($n)"
+  ret=0
+  delv_with_opts @10.53.0.3 +short a a.example > delv.out.test$n || ret=1
+  test "$(wc -l < delv.out.test$n)" -eq 1 || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking delv split width works ($n)"
+  ret=0
+  delv_with_opts @10.53.0.3 +split=4 -t sshfp foo.example > delv.out.test$n || ret=1
+  grep " 9ABC DEF6 7890 " < delv.out.test$n > /dev/null || ret=1
+  check_ttl_range delv.out.test$n "SSHFP" 300 || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking delv +unknownformat works ($n)"
+  ret=0
+  delv_with_opts @10.53.0.3 +unknownformat a a.example > delv.out.test$n || ret=1
+  grep "CLASS1[ 	][ 	]*TYPE1[ 	][ 	]*\\\\# 4 0A000001" < delv.out.test$n > /dev/null || ret=1
+  check_ttl_range delv.out.test$n "TYPE1" 300 || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking delv -4 -6 ($n)"
+  ret=0
+  delv_with_opts @10.53.0.3 -4 -6 A a.example > delv.out.test$n 2>&1 && ret=1
+  grep "only one of -4 and -6 allowed" < delv.out.test$n > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking delv with IPv6 on IPv4 does not work ($n)"
+  if testsock6 fd92:7065:b8e:ffff::3 2>/dev/null
+  then
+    ret=0
+    # following should fail because @IPv4 overrides earlier @IPv6 above
+    # and -6 forces IPv6 so this should fail, with a message
+    # "Use of IPv4 disabled by -6"
+    delv_with_opts @fd92:7065:b8e:ffff::3 @10.53.0.3 -6 -t txt foo.example > delv.out.test$n 2>&1 && ret=1
+    # it should have no results but error output
+    grep "testing" < delv.out.test$n > /dev/null && ret=1
+    grep "Use of IPv4 disabled by -6" delv.out.test$n > /dev/null || ret=1
+    if [ $ret -ne 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+  else
+    echo_i "IPv6 unavailable; skipping"
+  fi
+
+  n=$((n+1))
+  echo_i "checking delv with IPv4 on IPv6 does not work ($n)"
+  if testsock6 fd92:7065:b8e:ffff::3 2>/dev/null
+  then
+    ret=0
+    # following should fail because @IPv6 overrides earlier @IPv4 above
+    # and -4 forces IPv4 so this should fail, with a message
+    # "Use of IPv6 disabled by -4"
+    delv_with_opts @10.53.0.3 @fd92:7065:b8e:ffff::3 -4 -t txt foo.example > delv.out.test$n 2>&1 && ret=1
+    # it should have no results but error output
+    grep "testing" delv.out.test$n > /dev/null && ret=1
+    grep "Use of IPv6 disabled by -4" delv.out.test$n > /dev/null || ret=1
+    if [ $ret -ne 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+  else
+    echo_i "IPv6 unavailable; skipping"
+  fi
+
+  n=$((n+1))
+  echo_i "checking delv with reverse lookup works ($n)"
+  ret=0
+  delv_with_opts @10.53.0.3 -x 127.0.0.1 > delv.out.test$n 2>&1 || ret=1
+  # doesn't matter if has answer
+  grep -i "127\\.in-addr\\.arpa\\." < delv.out.test$n > /dev/null || ret=1
+  check_ttl_range delv.out.test$n '\\-ANY' 10800 3 || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking delv over TCP works ($n)"
+  ret=0
+  delv_with_opts +tcp @10.53.0.3 a a.example > delv.out.test$n || ret=1
+  grep "10\\.0\\.0\\.1$" < delv.out.test$n > /dev/null || ret=1
+  check_ttl_range delv.out.test$n "A" 300 || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking delv +multi +norrcomments works for DNSKEY (when default is rrcomments)($n)"
+  ret=0
+  delv_with_opts +tcp @10.53.0.3 +multi +norrcomments DNSKEY example > delv.out.test$n || ret=1
+  grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < delv.out.test$n > /dev/null && ret=1
+  check_ttl_range delv.out.test$n "DNSKEY" 300 || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking delv +multi +norrcomments works for SOA (when default is rrcomments)($n)"
+  ret=0
+  delv_with_opts +tcp @10.53.0.3 +multi +norrcomments SOA example > delv.out.test$n || ret=1
+  grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < delv.out.test$n > /dev/null && ret=1
+  check_ttl_range delv.out.test$n "SOA" 300 || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking delv +rrcomments works for DNSKEY($n)"
+  ret=0
+  delv_with_opts +tcp @10.53.0.3 +rrcomments DNSKEY example > delv.out.test$n || ret=1
+  grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < delv.out.test$n > /dev/null || ret=1
+  check_ttl_range delv.out.test$n "DNSKEY" 300 || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking delv +short +rrcomments works for DNSKEY ($n)"
+  ret=0
+  delv_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example > delv.out.test$n || ret=1
+  grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < delv.out.test$n > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking delv +short +rrcomments works ($n)"
+  ret=0
+  delv_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example > delv.out.test$n || ret=1
+  grep -q "$KEYDATA  ; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < delv.out.test$n || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking delv +short +nosplit works ($n)"
+  ret=0
+  delv_with_opts +tcp @10.53.0.3 +short +nosplit DNSKEY example > delv.out.test$n || ret=1
+  grep -q "$NOSPLIT" < delv.out.test$n || ret=1
+  test "$(wc -l < delv.out.test$n)" -eq 1 || ret=1
+  test "$(awk '{print NF}' < delv.out.test$n)" -eq 14 || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking delv +short +nosplit +norrcomments works ($n)"
+  ret=0
+  delv_with_opts +tcp @10.53.0.3 +short +nosplit +norrcomments DNSKEY example > delv.out.test$n || ret=1
+  grep -q "$NOSPLIT\$" < delv.out.test$n || ret=1
+  test "$(wc -l < delv.out.test$n)" -eq 1 || ret=1
+  test "$(awk '{print NF}' < delv.out.test$n)" -eq 4 || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking delv +sp works as an abbriviated form of split ($n)"
+  ret=0
+  delv_with_opts @10.53.0.3 +sp=4 -t sshfp foo.example > delv.out.test$n || ret=1
+  grep " 9ABC DEF6 7890 " < delv.out.test$n > /dev/null || ret=1
+  check_ttl_range delv.out.test$n "SSHFP" 300 || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking delv +sh works as an abbriviated form of short ($n)"
+  ret=0
+  delv_with_opts @10.53.0.3 +sh a a.example > delv.out.test$n || ret=1
+  test "$(wc -l < delv.out.test$n)" -eq 1 || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking delv -c IN works ($n)"
+  ret=0
+  delv_with_opts @10.53.0.3 -c IN -t a a.example > delv.out.test$n || ret=1
+  grep "a.example." < delv.out.test$n > /dev/null || ret=1
+  check_ttl_range delv.out.test$n "A" 300 || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking delv -c CH is ignored, and treated like IN ($n)"
+  ret=0
+  delv_with_opts @10.53.0.3 -c CH -t a a.example > delv.out.test$n || ret=1
+  grep "a.example." < delv.out.test$n > /dev/null || ret=1
+  check_ttl_range delv.out.test$n "A" 300 || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "checking delv H is ignored, and treated like IN ($n)"
+  ret=0
+  delv_with_opts @10.53.0.3 -c CH -t a a.example > delv.out.test$n || ret=1
+  grep "a.example." < delv.out.test$n > /dev/null || ret=1
+  check_ttl_range delv.out.test$n "A" 300 || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "check that delv -q -m works ($n)"
+  ret=0
+  delv_with_opts @10.53.0.3 -q -m > delv.out.test$n 2>&1 || ret=1
+  grep '^; -m\..*[0-9]*.*IN.*ANY.*;' delv.out.test$n > /dev/null || ret=1
+  grep "^add " delv.out.test$n > /dev/null && ret=1
+  grep "^del " delv.out.test$n > /dev/null && ret=1
+  check_ttl_range delv.out.test$n '\\-ANY' 300 3 || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "check that delv -t ANY works ($n)"
+  ret=0
+  delv_with_opts @10.53.0.3 -t ANY example > delv.out.test$n 2>&1 || ret=1
+  grep "^example." < delv.out.test$n > /dev/null || ret=1
+  check_ttl_range delv.out.test$n NS 300 || ret=1
+  check_ttl_range delv.out.test$n SOA 300 || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "check that delv loads key-style trust anchors ($n)"
+  ret=0
+  delv_with_opts -a ns3/anchor.dnskey +root=example @10.53.0.3 -t DNSKEY example > delv.out.test$n 2>&1 || ret=1
+  grep "fully validated" delv.out.test$n > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  n=$((n+1))
+  echo_i "check that delv loads DS-style trust anchors ($n)"
+  ret=0
+  delv_with_opts -a ns3/anchor.ds +root=example @10.53.0.3 -t DNSKEY example > delv.out.test$n 2>&1 || ret=1
+  grep "fully validated" delv.out.test$n > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
+  if [ $HAS_PYYAML -ne 0 ] ; then
+    n=$((n+1))
+    echo_i "check delv +yaml output ($n)"
+    ret=0
+    delv_with_opts +yaml @10.53.0.3 any ns2.example > delv.out.test$n || ret=1
+    value=$($PYTHON yamlget.py delv.out.test$n status || ret=1)
+    [ "$value" = "success" ] || ret=1
+    value=$($PYTHON yamlget.py delv.out.test$n query_name || ret=1)
+    [ "$value" = "ns2.example" ] || ret=1
+    value=$($PYTHON yamlget.py delv.out.test$n records 0 answer_not_validated 0 || ret=1)
+    count=$(echo $value | wc -w )
+    [ ${count:-0} -eq 5 ] || ret=1
+    if [ $ret -ne 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+  fi
+else
+  echo_i "$DELV is needed, so skipping these delv tests"
+fi
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/digdelv/yamlget.py b/bin/tests/system/digdelv/yamlget.py
new file mode 100644
index 0000000..afa582d
--- /dev/null
+++ b/bin/tests/system/digdelv/yamlget.py
@@ -0,0 +1,35 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import sys
+
+try:
+    import yaml
+# pylint: disable=bare-except
+except:
+    print("No python yaml module, skipping")
+    sys.exit(1)
+
+with open(sys.argv[1], "r", encoding="utf-8") as f:
+    for item in yaml.safe_load_all(f):
+        for key in sys.argv[2:]:
+            try:
+                key = int(key)
+            except ValueError:
+                pass
+
+            try:
+                item = item[key]
+            except KeyError:
+                print('Key "' + key + '" not found.')
+                sys.exit(1)
+
+        print(item)
diff --git a/bin/tests/system/ditch.pl b/bin/tests/system/ditch.pl
new file mode 100644
index 0000000..e208250
--- /dev/null
+++ b/bin/tests/system/ditch.pl
@@ -0,0 +1,87 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# This is a tool for sending queries via UDP to specified address and
+# port, then exiting without waiting for a response.
+#
+# Usage: ditch.pl [-s <address>] [-p <port>] [filename]
+#
+# Input (in filename, if specified, otherwise stdin) is a series of one
+# or more DNS names and types to send as queries, e.g.:
+#
+# www.example.com A
+# www.example.org MX
+#
+# If not specified, address defaults to 127.0.0.1, port to 53.
+
+require 5.006.001;
+
+use strict;
+use Getopt::Std;
+use Net::DNS;
+use Net::DNS::Packet;
+use IO::File;
+use IO::Socket;
+
+sub usage {
+    print ("Usage: ditch.pl [-s address] [-p port] [file]\n");
+    exit 1;
+}
+
+my %options={};
+getopts("s:p:t:", \%options);
+
+my $addr = "127.0.0.1";
+$addr = $options{s} if defined $options{s};
+
+my $port = 53;
+$port = $options{p} if defined $options{p};
+
+my $file = "STDIN";
+if (@ARGV >= 1) {
+    my $filename = shift @ARGV;
+    open FH, "<$filename" or die "$filename: $!";
+    $file = "FH";
+}
+
+my $input = "";
+while (defined(my $line = <$file>) ) {
+    chomp $line;
+    next if ($line =~ m/^ *#/);
+    my @tokens = split (' ', $line);
+
+    my $packet;
+    if ($Net::DNS::VERSION > 0.68) {
+            $packet = new Net::DNS::Packet();
+            $@ and die $@;
+    } else {
+            my $err;
+            ($packet, $err) = new Net::DNS::Packet();
+            $err and die $err;
+    }
+
+    my $q = new Net::DNS::Question($tokens[0], $tokens[1], "IN");
+    $packet->header->rd(1);
+    $packet->push(question => $q);
+
+    my $sock = IO::Socket::INET->new(PeerAddr => $addr, PeerPort => $port,
+                                     Proto => "udp",) or die "$!";
+
+    my $bytes = $sock->send($packet->data);
+    #print ("sent $bytes bytes to $addr:$port:\n");
+    #print ("  ", unpack("H* ", $packet->data), "\n");
+
+    $sock->close;
+}
+
+close $file;
diff --git a/bin/tests/system/dlz/clean.sh b/bin/tests/system/dlz/clean.sh
new file mode 100644
index 0000000..65c836a
--- /dev/null
+++ b/bin/tests/system/dlz/clean.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f ns*/named.conf
+rm -f dig.out.*
+rm -f */named.memstats
+rm -f */named.run
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/DNAME=10=example.net.= b/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/DNAME=10=example.net.=
new file mode 100644
index 0000000..50d2ad0
--- /dev/null
+++ b/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/DNAME=10=example.net.=
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+The contents of this file is not read by the filesystem driver.
+This is the file for "DNAME 10 example.net.".
diff --git a/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/NS=10=example.com.= b/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/NS=10=example.com.=
new file mode 100644
index 0000000..5faa45c
--- /dev/null
+++ b/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/NS=10=example.com.=
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+The contents of this file is not read by the filesystem driver.
+This is the file for "NS 10 example.com.".
diff --git a/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/SOA=10=ns.example.com.=root.example.com.=None=None=None=None=None= b/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/SOA=10=ns.example.com.=root.example.com.=None=None=None=None=None=
new file mode 100644
index 0000000..ee74e03
--- /dev/null
+++ b/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/SOA=10=ns.example.com.=root.example.com.=None=None=None=None=None=
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+The contents of this file is not read by the filesystem driver.
+This is the file for "SOA 10 ns.example.com. root.example.com. 2010062900 None None None None" which is a malformed SOA record.
diff --git a/bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/DNAME=10=example.net.= b/bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/DNAME=10=example.net.=
new file mode 100644
index 0000000..50d2ad0
--- /dev/null
+++ b/bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/DNAME=10=example.net.=
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+The contents of this file is not read by the filesystem driver.
+This is the file for "DNAME 10 example.net.".
diff --git a/bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/NS=10=example.com.= b/bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/NS=10=example.com.=
new file mode 100644
index 0000000..5faa45c
--- /dev/null
+++ b/bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/NS=10=example.com.=
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+The contents of this file is not read by the filesystem driver.
+This is the file for "NS 10 example.com.".
diff --git a/bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/SOA=10=ns.example.com.=root.example.com.=2010062900=0=0=0=10= b/bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/SOA=10=ns.example.com.=root.example.com.=2010062900=0=0=0=10=
new file mode 100644
index 0000000..2f63999
--- /dev/null
+++ b/bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/SOA=10=ns.example.com.=root.example.com.=2010062900=0=0=0=10=
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+The contents of this file is not read by the filesystem driver.
+This is the file for "SOA 10 ns.example.com. root.example.com. 2010062900 0 0 0 10".
diff --git a/bin/tests/system/dlz/ns1/dns-root/com/example/xfr.d/10.53.0.1 b/bin/tests/system/dlz/ns1/dns-root/com/example/xfr.d/10.53.0.1
new file mode 100644
index 0000000..8a07d4f
--- /dev/null
+++ b/bin/tests/system/dlz/ns1/dns-root/com/example/xfr.d/10.53.0.1
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+The contents of this file are not read by the filesystem driver.
+The presence of this file allows 10.53.0.1 to transfer this zone.
diff --git a/bin/tests/system/dlz/ns1/named.conf.in b/bin/tests/system/dlz/ns1/named.conf.in
new file mode 100644
index 0000000..478672d
--- /dev/null
+++ b/bin/tests/system/dlz/ns1/named.conf.in
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+};
+
+dlz fszone {
+	database "filesystem dns-root/ dns.d xfr.d 0 =";
+};
diff --git a/bin/tests/system/dlz/prereq.sh b/bin/tests/system/dlz/prereq.sh
new file mode 100644
index 0000000..4cf83f5
--- /dev/null
+++ b/bin/tests/system/dlz/prereq.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if ! $FEATURETEST --with-dlz-filesystem; then
+        echo_i "DLZ filesystem driver not supported"
+        exit 255
+fi
+exit 0
diff --git a/bin/tests/system/dlz/setup.sh b/bin/tests/system/dlz/setup.sh
new file mode 100644
index 0000000..1dc06c2
--- /dev/null
+++ b/bin/tests/system/dlz/setup.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+copy_setports ns1/named.conf.in ns1/named.conf
diff --git a/bin/tests/system/dlz/tests.sh b/bin/tests/system/dlz/tests.sh
new file mode 100644
index 0000000..87b3aa6
--- /dev/null
+++ b/bin/tests/system/dlz/tests.sh
@@ -0,0 +1,77 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=0
+
+rm -f dig.out.*
+
+DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}"
+
+# Check the example.com. domain
+
+echo_i "checking DNAME at apex works ($n)"
+ret=0
+$DIG $DIGOPTS +norec foo.example.com. \
+	@10.53.0.1 a > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "example.com..*DNAME.*example.net." dig.out.ns1.test$n > /dev/null || ret=1
+grep "foo.example.com..*CNAME.*foo.example.net." dig.out.ns1.test$n > /dev/null || ret=1
+grep "flags:[^;]* aa[ ;]" dig.out.ns1.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking DLZ IXFR=2010062899 (less than serial) ($n)"
+ret=0
+$DIG $DIGOPTS ixfr=2010062899 example.com @10.53.0.1 +all > dig.out.ns1.test$n 
+grep "example.com..*IN.IXFR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "example.com..*10.IN.DNAME.example.net." dig.out.ns1.test$n > /dev/null || ret=1
+grep "example.com..*10.IN.NS.example.com." dig.out.ns1.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking DLZ IXFR=2010062900 (equal serial) ($n)"
+ret=0
+$DIG $DIGOPTS ixfr=2010062900 example.com @10.53.0.1 +all > dig.out.ns1.test$n
+grep "example.com..*IN.IXFR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "example.com..*10.IN.DNAME.example.net." dig.out.ns1.test$n > /dev/null && ret=1
+grep "example.com..*10.IN.NS.example.com." dig.out.ns1.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking DLZ IXFR=2010062901 (greater than serial) ($n)"
+ret=0
+$DIG $DIGOPTS ixfr=2010062901 example.com @10.53.0.1 +all > dig.out.ns1.test$n
+grep "example.com..*IN.IXFR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "example.com..*10.IN.DNAME.example.net." dig.out.ns1.test$n > /dev/null && ret=1
+grep "example.com..*10.IN.NS.example.com." dig.out.ns1.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking DLZ with a malformed SOA record"
+ret=0
+$DIG $DIGOPTS broken.com type600 @10.53.0.1 > dig.out.ns1.test$n
+grep status: dig.out.ns1.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/dlzexternal/Makefile.in b/bin/tests/system/dlzexternal/Makefile.in
new file mode 100644
index 0000000..cfdda3e
--- /dev/null
+++ b/bin/tests/system/dlzexternal/Makefile.in
@@ -0,0 +1,49 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES} \
+		${OPENSSL_CFLAGS}
+CDEFINES =
+CWARNINGS =
+
+LIBS =		@LIBS@
+
+SO_TARGETS =    driver.@SO@
+TARGETS =	@SO_TARGETS@
+
+SRCS =		driver.c
+
+SO_OBJS         = driver.@O@
+SO_SRCS         = driver.c
+
+OBJS =
+
+@BIND9_MAKE_RULES@
+
+CFLAGS =	@CFLAGS@ @SO_CFLAGS@
+SO_LDFLAGS =	@LDFLAGS@ @SO_LDFLAGS@
+
+driver.@SO@: ${SO_OBJS}
+	${LIBTOOL_MODE_LINK} @SO_LD@ ${SO_LDFLAGS} -o $@ driver.@O@
+
+clean distclean::
+	rm -f ${TARGETS}
+
+distclean::
+	rm -f ns1/named.conf
diff --git a/bin/tests/system/dlzexternal/clean.sh b/bin/tests/system/dlzexternal/clean.sh
new file mode 100644
index 0000000..2bbf75b
--- /dev/null
+++ b/bin/tests/system/dlzexternal/clean.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Clean up after dlzexternal tests.
+#
+
+rm -f ns1/update.txt
+rm -f */named.memstats
+rm -f */named.conf
+rm -f */named.run
+rm -f ns1/ddns.key
+rm -f dig.out*
+rm -f ns*/named.lock
+rm -f ns1/session.key
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/dlzexternal/driver.c b/bin/tests/system/dlzexternal/driver.c
new file mode 100644
index 0000000..14f02bc
--- /dev/null
+++ b/bin/tests/system/dlzexternal/driver.c
@@ -0,0 +1,845 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * This provides a very simple example of an external loadable DLZ
+ * driver, with update support.
+ */
+
+#include "driver.h"
+#include <inttypes.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <isc/log.h>
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <dns/dlz_dlopen.h>
+#include <dns/types.h>
+
+#define CHECK(x)                             \
+	do {                                 \
+		result = (x);                \
+		if (result != ISC_R_SUCCESS) \
+			goto failure;        \
+	} while (0)
+
+#define loginfo(...)                                           \
+	({                                                     \
+		if ((state != NULL) && (state->log != NULL))   \
+			state->log(ISC_LOG_INFO, __VA_ARGS__); \
+	})
+#define logerr(...)                                             \
+	({                                                      \
+		if ((state != NULL) && (state->log != NULL))    \
+			state->log(ISC_LOG_ERROR, __VA_ARGS__); \
+	})
+
+/* For this simple example, use fixed sized strings */
+struct record {
+	char name[100];
+	char type[10];
+	char data[200];
+	dns_ttl_t ttl;
+};
+
+#define MAX_RECORDS 100
+
+typedef void
+log_t(int level, const char *fmt, ...);
+
+struct dlz_example_data {
+	char *zone_name;
+
+	/* An example driver doesn't need good memory management :-) */
+	struct record current[MAX_RECORDS];
+	struct record adds[MAX_RECORDS];
+	struct record deletes[MAX_RECORDS];
+
+	bool transaction_started;
+
+	/* Helper functions from the dlz_dlopen driver */
+	log_t *log;
+	dns_sdlz_putrr_t *putrr;
+	dns_sdlz_putnamedrr_t *putnamedrr;
+	dns_dlz_writeablezone_t *writeable_zone;
+};
+
+static bool
+single_valued(const char *type) {
+	const char *single[] = { "soa", "cname", NULL };
+	int i;
+
+	for (i = 0; single[i]; i++) {
+		if (strcasecmp(single[i], type) == 0) {
+			return (true);
+		}
+	}
+	return (false);
+}
+
+/*
+ * Add a record to a list
+ */
+static isc_result_t
+add_name(struct dlz_example_data *state, struct record *list, const char *name,
+	 const char *type, dns_ttl_t ttl, const char *data) {
+	int i;
+	bool single = single_valued(type);
+	int first_empty = -1;
+
+	for (i = 0; i < MAX_RECORDS; i++) {
+		INSIST(list[i].name != NULL);
+		if (first_empty == -1 && strlen(list[i].name) == 0U) {
+			first_empty = i;
+		}
+		if (strcasecmp(list[i].name, name) != 0) {
+			continue;
+		}
+		if (strcasecmp(list[i].type, type) != 0) {
+			continue;
+		}
+		if (!single && strcasecmp(list[i].data, data) != 0) {
+			continue;
+		}
+		break;
+	}
+	if (i == MAX_RECORDS && first_empty != -1) {
+		i = first_empty;
+	}
+	if (i == MAX_RECORDS) {
+		logerr("dlz_example: out of record space");
+		return (ISC_R_FAILURE);
+	}
+
+	if (strlen(name) >= sizeof(list[i].name) ||
+	    strlen(type) >= sizeof(list[i].type) ||
+	    strlen(data) >= sizeof(list[i].data))
+	{
+		return (ISC_R_NOSPACE);
+	}
+
+	strncpy(list[i].name, name, sizeof(list[i].name) - 1);
+	list[i].name[sizeof(list[i].name) - 1] = '\0';
+
+	strncpy(list[i].type, type, sizeof(list[i].type) - 1);
+	list[i].type[sizeof(list[i].type) - 1] = '\0';
+
+	strncpy(list[i].data, data, sizeof(list[i].data) - 1);
+	list[i].data[sizeof(list[i].data) - 1] = '\0';
+
+	list[i].ttl = ttl;
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Delete a record from a list
+ */
+static isc_result_t
+del_name(struct dlz_example_data *state, struct record *list, const char *name,
+	 const char *type, dns_ttl_t ttl, const char *data) {
+	int i;
+
+	UNUSED(state);
+
+	for (i = 0; i < MAX_RECORDS; i++) {
+		if (strcasecmp(name, list[i].name) == 0 &&
+		    strcasecmp(type, list[i].type) == 0 &&
+		    strcasecmp(data, list[i].data) == 0 && ttl == list[i].ttl)
+		{
+			break;
+		}
+	}
+	if (i == MAX_RECORDS) {
+		return (ISC_R_NOTFOUND);
+	}
+	memset(&list[i], 0, sizeof(struct record));
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+fmt_address(isc_sockaddr_t *addr, char *buffer, size_t size) {
+	char addr_buf[INET6_ADDRSTRLEN];
+	const char *ret;
+	uint16_t port = 0;
+
+	switch (addr->type.sa.sa_family) {
+	case AF_INET:
+		port = ntohs(addr->type.sin.sin_port);
+		ret = inet_ntop(AF_INET, &addr->type.sin.sin_addr, addr_buf,
+				sizeof(addr_buf));
+		break;
+	case AF_INET6:
+		port = ntohs(addr->type.sin6.sin6_port);
+		ret = inet_ntop(AF_INET6, &addr->type.sin6.sin6_addr, addr_buf,
+				sizeof(addr_buf));
+		break;
+	default:
+		return (ISC_R_FAILURE);
+	}
+
+	if (ret == NULL) {
+		return (ISC_R_FAILURE);
+	}
+
+	snprintf(buffer, size, "%s#%u", addr_buf, port);
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Return the version of the API
+ */
+int
+dlz_version(unsigned int *flags) {
+	UNUSED(flags);
+	return (DLZ_DLOPEN_VERSION);
+}
+
+/*
+ * Remember a helper function from the bind9 dlz_dlopen driver
+ */
+static void
+b9_add_helper(struct dlz_example_data *state, const char *helper_name,
+	      void *ptr) {
+	if (strcmp(helper_name, "log") == 0) {
+		state->log = (log_t *)ptr;
+	}
+	if (strcmp(helper_name, "putrr") == 0) {
+		state->putrr = (dns_sdlz_putrr_t *)ptr;
+	}
+	if (strcmp(helper_name, "putnamedrr") == 0) {
+		state->putnamedrr = (dns_sdlz_putnamedrr_t *)ptr;
+	}
+	if (strcmp(helper_name, "writeable_zone") == 0) {
+		state->writeable_zone = (dns_dlz_writeablezone_t *)ptr;
+	}
+}
+
+/*
+ * Called to initialize the driver
+ */
+isc_result_t
+dlz_create(const char *dlzname, unsigned int argc, char *argv[], void **dbdata,
+	   ...) {
+	struct dlz_example_data *state;
+	const char *helper_name;
+	va_list ap;
+	char soa_data[sizeof("@ hostmaster.root 123 900 600 86400 3600")];
+	isc_result_t result;
+	size_t n;
+
+	UNUSED(dlzname);
+
+	state = calloc(1, sizeof(struct dlz_example_data));
+	if (state == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	/* Fill in the helper functions */
+	va_start(ap, dbdata);
+	while ((helper_name = va_arg(ap, const char *)) != NULL) {
+		b9_add_helper(state, helper_name, va_arg(ap, void *));
+	}
+	va_end(ap);
+
+	if (argc < 2 || argv[1][0] == '\0') {
+		logerr("dlz_example: please specify a zone name");
+		dlz_destroy(state);
+		return (ISC_R_FAILURE);
+	}
+
+	/* Ensure zone name is absolute */
+	state->zone_name = malloc(strlen(argv[1]) + 2);
+	if (state->zone_name == NULL) {
+		free(state);
+		return (ISC_R_NOMEMORY);
+	}
+	if (argv[1][strlen(argv[1]) - 1] == '.') {
+		strcpy(state->zone_name, argv[1]);
+	} else {
+		sprintf(state->zone_name, "%s.", argv[1]);
+	}
+
+	/*
+	 * Use relative names to trigger ISC_R_NOSPACE in dns_sdlz_putrr.
+	 */
+	if (strcmp(state->zone_name, ".") == 0) {
+		n = strlcpy(soa_data,
+			    "@ hostmaster.root 123 900 600 86400 3600",
+			    sizeof(soa_data));
+	} else {
+		n = strlcpy(soa_data, "@ hostmaster 123 900 600 86400 3600",
+			    sizeof(soa_data));
+	}
+
+	if (n >= sizeof(soa_data)) {
+		CHECK(ISC_R_NOSPACE);
+	}
+
+	add_name(state, &state->current[0], state->zone_name, "soa", 3600,
+		 soa_data);
+	add_name(state, &state->current[0], state->zone_name, "ns", 3600,
+		 state->zone_name);
+	add_name(state, &state->current[0], state->zone_name, "a", 1800,
+		 "10.53.0.1");
+
+	loginfo("dlz_example: started for zone %s", state->zone_name);
+
+	*dbdata = state;
+	return (ISC_R_SUCCESS);
+
+failure:
+	free(state);
+	return (result);
+}
+
+/*
+ * Shut down the backend
+ */
+void
+dlz_destroy(void *dbdata) {
+	struct dlz_example_data *state = (struct dlz_example_data *)dbdata;
+
+	loginfo("dlz_example: shutting down zone %s", state->zone_name);
+	free(state->zone_name);
+	free(state);
+}
+
+/*
+ * See if we handle a given zone
+ */
+isc_result_t
+dlz_findzonedb(void *dbdata, const char *name, dns_clientinfomethods_t *methods,
+	       dns_clientinfo_t *clientinfo) {
+	struct dlz_example_data *state = (struct dlz_example_data *)dbdata;
+	isc_sockaddr_t *src;
+	char addrbuf[100];
+	char absolute[1024];
+
+	strcpy(addrbuf, "unknown");
+	if (methods != NULL && methods->sourceip != NULL &&
+	    methods->version - methods->age <= DNS_CLIENTINFOMETHODS_VERSION &&
+	    DNS_CLIENTINFOMETHODS_VERSION <= methods->version)
+	{
+		methods->sourceip(clientinfo, &src);
+		fmt_address(src, addrbuf, sizeof(addrbuf));
+	}
+
+	loginfo("dlz_example: dlz_findzonedb called with name '%s' "
+		"in zone DB '%s' from %s",
+		name, state->zone_name, addrbuf);
+
+	/*
+	 * Returning ISC_R_NOTFOUND will cause the query logic to
+	 * check the database for parent names, looking for zone cuts.
+	 *
+	 * Returning ISC_R_NOMORE prevents the query logic from doing
+	 * this; it will move onto the next database after a single query.
+	 */
+	if (strcasecmp(name, "test.example.com") == 0) {
+		return (ISC_R_NOMORE);
+	}
+
+	/*
+	 * For example.net, only return ISC_R_NOMORE when queried
+	 * from 10.53.0.1.
+	 */
+	if (strcasecmp(name, "test.example.net") == 0 &&
+	    strncmp(addrbuf, "10.53.0.1", 9) == 0)
+	{
+		return (ISC_R_NOMORE);
+	}
+
+	/*
+	 * For bigcname.domain, return success so it appears to be
+	 * the zone origin; this regression tests a bug in which
+	 * zone origin nodes could fail to return SERVFAIL to the client.
+	 */
+	if (strcasecmp(name, "bigcname.domain") == 0) {
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * Return success if we have an exact match between the
+	 * zone name and the qname
+	 */
+	if (strcasecmp(state->zone_name, name) == 0) {
+		return (ISC_R_SUCCESS);
+	}
+
+	snprintf(absolute, sizeof(absolute), "%s.", name);
+	if (strcasecmp(state->zone_name, absolute) == 0) {
+		return (ISC_R_SUCCESS);
+	}
+
+	return (ISC_R_NOTFOUND);
+}
+
+/*
+ * Look up one record in the sample database.
+ *
+ * If the queryname is "source-addr", send back a TXT record containing
+ * the address of the client, to test the use of 'methods' and 'clientinfo'
+ *
+ * If the queryname is "too-long", send back a TXT record that's too long
+ * to process; this should result in a SERVFAIL when queried.
+ */
+isc_result_t
+dlz_lookup(const char *zone, const char *name, void *dbdata,
+	   dns_sdlzlookup_t *lookup, dns_clientinfomethods_t *methods,
+	   dns_clientinfo_t *clientinfo) {
+	isc_result_t result;
+	struct dlz_example_data *state = (struct dlz_example_data *)dbdata;
+	bool found = false;
+	void *dbversion = NULL;
+	isc_sockaddr_t *src;
+	char full_name[256];
+	char buf[512];
+	static char last[256];
+	static int count = 0;
+	int i, size;
+
+	UNUSED(zone);
+
+	if (state->putrr == NULL) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	if (strcmp(name, "@") == 0) {
+		size = snprintf(full_name, sizeof(full_name), "%s",
+				state->zone_name);
+	} else if (strcmp(state->zone_name, ".") == 0) {
+		size = snprintf(full_name, sizeof(full_name), "%s.", name);
+	} else {
+		size = snprintf(full_name, sizeof(full_name), "%s.%s", name,
+				state->zone_name);
+	}
+
+	if (size < 0 || (size_t)size >= sizeof(full_name) ||
+	    (size_t)size >= sizeof(last))
+	{
+		return (ISC_R_NOSPACE);
+	}
+
+	/*
+	 * For test purposes, log all calls to dlz_lookup()
+	 */
+	if (strcasecmp(full_name, last) == 0) {
+		count++;
+	} else {
+		count = 1;
+		memcpy(last, full_name, size + 1);
+	}
+	loginfo("lookup #%d for %s", count, full_name);
+
+	/*
+	 * If we need to know the database version (as set in
+	 * the 'newversion' dlz function) we can pick it up from the
+	 * clientinfo.
+	 *
+	 * This allows a lookup to query the correct version of the DNS
+	 * data, if the DLZ can differentiate between versions.
+	 *
+	 * For example, if a new database transaction is created by
+	 * 'newversion', the lookup should query within the same
+	 * transaction scope if it can.
+	 *
+	 * If the DLZ only operates on 'live' data, then version
+	 * wouldn't necessarily be needed.
+	 */
+	if (clientinfo != NULL && clientinfo->version >= 2) {
+		dbversion = clientinfo->dbversion;
+		if (dbversion != NULL && *(bool *)dbversion) {
+			loginfo("dlz_example: lookup against live transaction");
+		}
+	}
+
+	if (strcmp(name, "source-addr") == 0) {
+		char ecsbuf[DNS_ECS_FORMATSIZE] = "not supported";
+		strncpy(buf, "unknown", sizeof(buf));
+		if (methods != NULL && methods->sourceip != NULL &&
+		    (methods->version - methods->age <=
+		     DNS_CLIENTINFOMETHODS_VERSION) &&
+		    DNS_CLIENTINFOMETHODS_VERSION <= methods->version)
+		{
+			methods->sourceip(clientinfo, &src);
+			fmt_address(src, buf, sizeof(buf));
+		}
+		if (clientinfo != NULL && clientinfo->version >= 3) {
+			if (clientinfo->ecs.addr.family != AF_UNSPEC) {
+				dns_ecs_format(&clientinfo->ecs, ecsbuf,
+					       sizeof(ecsbuf));
+			} else {
+				snprintf(ecsbuf, sizeof(ecsbuf), "%s",
+					 "not present");
+			}
+		}
+		i = strlen(buf);
+		snprintf(buf + i, sizeof(buf) - i - 1, " ECS %s", ecsbuf);
+
+		loginfo("dlz_example: lookup connection from %s", buf);
+
+		found = true;
+		result = state->putrr(lookup, "TXT", 0, buf);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+
+	if (strcmp(name, "too-long") == 0 ||
+	    strcmp(zone, "bigcname.domain") == 0)
+	{
+		for (i = 0; i < 511; i++) {
+			buf[i] = 'x';
+		}
+		buf[i] = '\0';
+		found = true;
+		result = state->putrr(lookup, "TXT", 0, buf);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+
+	/* Tests for DLZ redirection zones */
+	if (strcmp(name, "*") == 0 && strcmp(zone, ".") == 0) {
+		result = state->putrr(lookup, "A", 0, "100.100.100.2");
+		found = true;
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+
+	if (strcmp(name, "long.name.is.not.there") == 0 &&
+	    strcmp(zone, ".") == 0)
+	{
+		result = state->putrr(lookup, "A", 0, "100.100.100.3");
+		found = true;
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+
+	/* Answer from current records */
+	for (i = 0; i < MAX_RECORDS; i++) {
+		if (strcasecmp(state->current[i].name, full_name) == 0) {
+			found = true;
+			result = state->putrr(lookup, state->current[i].type,
+					      state->current[i].ttl,
+					      state->current[i].data);
+			if (result != ISC_R_SUCCESS) {
+				return (result);
+			}
+		}
+	}
+
+	if (!found) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * See if a zone transfer is allowed
+ */
+isc_result_t
+dlz_allowzonexfr(void *dbdata, const char *name, const char *client) {
+	struct dlz_example_data *state = (struct dlz_example_data *)dbdata;
+	isc_result_t result;
+
+	loginfo("dlz_example: dlz_allowzonexfr called for %s", name);
+
+	result = dlz_findzonedb(dbdata, name, NULL, NULL);
+	if (result != ISC_R_SUCCESS) {
+		loginfo("dlz_example: findzonedb returned %s",
+			isc_result_totext(result));
+		return (result);
+	}
+
+	/*
+	 * Exception for "example.org" so we can test the use of
+	 * the view ACL.
+	 */
+	if (strcmp(name, "example.org") == 0) {
+		loginfo("dlz_example: use view ACL for example.org");
+		return (ISC_R_DEFAULT);
+	}
+
+	/*
+	 * Exception for 10.53.0.5 so we can test that allow-transfer
+	 * is effective.
+	 */
+	if (strcmp(client, "10.53.0.5") == 0) {
+		loginfo("dlz_example: disallow transfer to 10.53.0.5");
+		return (ISC_R_NOPERM);
+	}
+
+	loginfo("dlz_example: transfer allowed for %s", name);
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Perform a zone transfer
+ */
+isc_result_t
+dlz_allnodes(const char *zone, void *dbdata, dns_sdlzallnodes_t *allnodes) {
+	struct dlz_example_data *state = (struct dlz_example_data *)dbdata;
+	int i;
+
+	UNUSED(zone);
+
+	if (state->putnamedrr == NULL) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	for (i = 0; i < MAX_RECORDS; i++) {
+		isc_result_t result;
+		if (strlen(state->current[i].name) == 0U) {
+			continue;
+		}
+		result = state->putnamedrr(allnodes, state->current[i].name,
+					   state->current[i].type,
+					   state->current[i].ttl,
+					   state->current[i].data);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Start a transaction
+ */
+isc_result_t
+dlz_newversion(const char *zone, void *dbdata, void **versionp) {
+	struct dlz_example_data *state = (struct dlz_example_data *)dbdata;
+
+	if (state->transaction_started) {
+		loginfo("dlz_example: transaction already started for zone %s",
+			zone);
+		return (ISC_R_FAILURE);
+	}
+
+	state->transaction_started = true;
+	*versionp = (void *)&state->transaction_started;
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * End a transaction
+ */
+void
+dlz_closeversion(const char *zone, bool commit, void *dbdata, void **versionp) {
+	struct dlz_example_data *state = (struct dlz_example_data *)dbdata;
+
+	if (!state->transaction_started) {
+		loginfo("dlz_example: transaction not started for zone %s",
+			zone);
+		*versionp = NULL;
+		return;
+	}
+
+	state->transaction_started = false;
+
+	*versionp = NULL;
+
+	if (commit) {
+		int i;
+		loginfo("dlz_example: committing transaction on zone %s", zone);
+		for (i = 0; i < MAX_RECORDS; i++) {
+			if (strlen(state->deletes[i].name) > 0U) {
+				(void)del_name(state, &state->current[0],
+					       state->deletes[i].name,
+					       state->deletes[i].type,
+					       state->deletes[i].ttl,
+					       state->deletes[i].data);
+			}
+		}
+		for (i = 0; i < MAX_RECORDS; i++) {
+			if (strlen(state->adds[i].name) > 0U) {
+				(void)add_name(state, &state->current[0],
+					       state->adds[i].name,
+					       state->adds[i].type,
+					       state->adds[i].ttl,
+					       state->adds[i].data);
+			}
+		}
+	} else {
+		loginfo("dlz_example: cancelling transaction on zone %s", zone);
+	}
+	memset(state->adds, 0, sizeof(state->adds));
+	memset(state->deletes, 0, sizeof(state->deletes));
+}
+
+/*
+ * Configure a writeable zone
+ */
+isc_result_t
+dlz_configure(dns_view_t *view, dns_dlzdb_t *dlzdb, void *dbdata) {
+	struct dlz_example_data *state = (struct dlz_example_data *)dbdata;
+	isc_result_t result;
+
+	loginfo("dlz_example: starting configure");
+
+	if (state->writeable_zone == NULL) {
+		loginfo("dlz_example: no writeable_zone method available");
+		return (ISC_R_FAILURE);
+	}
+
+	result = state->writeable_zone(view, dlzdb, state->zone_name);
+	if (result != ISC_R_SUCCESS) {
+		loginfo("dlz_example: failed to configure zone %s",
+			state->zone_name);
+		return (result);
+	}
+
+	loginfo("dlz_example: configured writeable zone %s", state->zone_name);
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Authorize a zone update
+ */
+bool
+dlz_ssumatch(const char *signer, const char *name, const char *tcpaddr,
+	     const char *type, const char *key, uint32_t keydatalen,
+	     unsigned char *keydata, void *dbdata) {
+	struct dlz_example_data *state = (struct dlz_example_data *)dbdata;
+
+	UNUSED(tcpaddr);
+	UNUSED(type);
+	UNUSED(key);
+	UNUSED(keydatalen);
+	UNUSED(keydata);
+
+	if (strncmp(name, "deny.", 5) == 0) {
+		loginfo("dlz_example: denying update of name=%s by %s", name,
+			signer);
+		return (false);
+	}
+	loginfo("dlz_example: allowing update of name=%s by %s", name, signer);
+	return (true);
+}
+
+static isc_result_t
+modrdataset(struct dlz_example_data *state, const char *name,
+	    const char *rdatastr, struct record *list) {
+	char *full_name, *dclass, *type, *data, *ttlstr, *buf;
+	char absolute[1024];
+	isc_result_t result;
+	char *saveptr = NULL;
+
+	buf = strdup(rdatastr);
+	if (buf == NULL) {
+		return (ISC_R_FAILURE);
+	}
+
+	/*
+	 * The format is:
+	 * FULLNAME\tTTL\tDCLASS\tTYPE\tDATA
+	 *
+	 * The DATA field is space separated, and is in the data format
+	 * for the type used by dig
+	 */
+
+	full_name = strtok_r(buf, "\t", &saveptr);
+	if (full_name == NULL) {
+		goto error;
+	}
+
+	ttlstr = strtok_r(NULL, "\t", &saveptr);
+	if (ttlstr == NULL) {
+		goto error;
+	}
+
+	dclass = strtok_r(NULL, "\t", &saveptr);
+	if (dclass == NULL) {
+		goto error;
+	}
+
+	type = strtok_r(NULL, "\t", &saveptr);
+	if (type == NULL) {
+		goto error;
+	}
+
+	data = strtok_r(NULL, "\t", &saveptr);
+	if (data == NULL) {
+		goto error;
+	}
+
+	if (name[strlen(name) - 1] != '.') {
+		snprintf(absolute, sizeof(absolute), "%s.", name);
+		name = absolute;
+	}
+
+	result = add_name(state, list, name, type, strtoul(ttlstr, NULL, 10),
+			  data);
+	free(buf);
+	return (result);
+
+error:
+	free(buf);
+	return (ISC_R_FAILURE);
+}
+
+isc_result_t
+dlz_addrdataset(const char *name, const char *rdatastr, void *dbdata,
+		void *version) {
+	struct dlz_example_data *state = (struct dlz_example_data *)dbdata;
+
+	if (version != (void *)&state->transaction_started) {
+		return (ISC_R_FAILURE);
+	}
+
+	loginfo("dlz_example: adding rdataset %s '%s'", name, rdatastr);
+
+	return (modrdataset(state, name, rdatastr, &state->adds[0]));
+}
+
+isc_result_t
+dlz_subrdataset(const char *name, const char *rdatastr, void *dbdata,
+		void *version) {
+	struct dlz_example_data *state = (struct dlz_example_data *)dbdata;
+
+	if (version != (void *)&state->transaction_started) {
+		return (ISC_R_FAILURE);
+	}
+
+	loginfo("dlz_example: subtracting rdataset %s '%s'", name, rdatastr);
+
+	return (modrdataset(state, name, rdatastr, &state->deletes[0]));
+}
+
+isc_result_t
+dlz_delrdataset(const char *name, const char *type, void *dbdata,
+		void *version) {
+	struct dlz_example_data *state = (struct dlz_example_data *)dbdata;
+
+	if (version != (void *)&state->transaction_started) {
+		return (ISC_R_FAILURE);
+	}
+
+	loginfo("dlz_example: deleting rdataset %s of type %s", name, type);
+
+	return (ISC_R_SUCCESS);
+}
diff --git a/bin/tests/system/dlzexternal/driver.h b/bin/tests/system/dlzexternal/driver.h
new file mode 100644
index 0000000..2c1a594
--- /dev/null
+++ b/bin/tests/system/dlzexternal/driver.h
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#pragma once
+
+#include <dns/dlz_dlopen.h>
+
+/*
+ * This header includes the declarations of entry points.
+ */
+
+dlz_dlopen_version_t dlz_version;
+dlz_dlopen_create_t dlz_create;
+dlz_dlopen_destroy_t dlz_destroy;
+dlz_dlopen_findzonedb_t dlz_findzonedb;
+dlz_dlopen_lookup_t dlz_lookup;
+dlz_dlopen_allowzonexfr_t dlz_allowzonexfr;
+dlz_dlopen_allnodes_t dlz_allnodes;
+dlz_dlopen_newversion_t dlz_newversion;
+dlz_dlopen_closeversion_t dlz_closeversion;
+dlz_dlopen_configure_t dlz_configure;
+dlz_dlopen_ssumatch_t dlz_ssumatch;
+dlz_dlopen_addrdataset_t dlz_addrdataset;
+dlz_dlopen_subrdataset_t dlz_subrdataset;
+dlz_dlopen_delrdataset_t dlz_delrdataset;
diff --git a/bin/tests/system/dlzexternal/ns1/dlzs.conf.in b/bin/tests/system/dlzexternal/ns1/dlzs.conf.in
new file mode 100644
index 0000000..9166cd6
--- /dev/null
+++ b/bin/tests/system/dlzexternal/ns1/dlzs.conf.in
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dlz "example one" {
+	database "dlopen ../driver.@SO@ example.nil";
+};
+
+dlz "example two" {
+	database "dlopen ../driver.@SO@ alternate.nil";
+};
+
+dlz "example three" {
+	database "dlopen ../driver.@SO@ example.org";
+};
+
+dlz "example four" {
+        // Long zone name to trigger ISC_R_NOSPACE in dns_sdlz_putrr.
+        database "dlopen ../driver.@SO@ 123456789.123456789.123456789.123456789.123456789.example.foo";
+};
+
+dlz "unsearched1" {
+	database "dlopen ../driver.@SO@ other.nil";
+	search no;
+};
+
+dlz "unsearched2" {
+	database "dlopen ../driver.@SO@ zone.nil";
+	search no;
+};
+
+dlz redzone {
+	database "dlopen ../driver.@SO@ .";
+	search no;
+};
diff --git a/bin/tests/system/dlzexternal/ns1/named.conf.in b/bin/tests/system/dlzexternal/ns1/named.conf.in
new file mode 100644
index 0000000..b30ae8e
--- /dev/null
+++ b/bin/tests/system/dlzexternal/ns1/named.conf.in
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	session-keyfile "session.key";
+	listen-on { 10.53.0.1; 127.0.0.1; };
+	listen-on-v6 { none; };
+	allow-transfer { !10.53.0.1; any; };
+	recursion no;
+	notify yes;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+include "ddns.key";
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+include "dlzs.conf";
+
+zone zone.nil {
+	type primary;
+	dlz unsearched2;
+};
+
+zone "." {
+	type redirect;
+	dlz redzone;
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
diff --git a/bin/tests/system/dlzexternal/ns1/root.db b/bin/tests/system/dlzexternal/ns1/root.db
new file mode 100644
index 0000000..6cbe579
--- /dev/null
+++ b/bin/tests/system/dlzexternal/ns1/root.db
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. 			IN SOA	gson.nominum.com. a.root.servers.nil. (
+				2000042100   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+
+example.		NS	ns1.example.
+ns1.example.		A	10.53.0.1
+
+exists.                 A       10.10.10.10
diff --git a/bin/tests/system/dlzexternal/prereq.sh b/bin/tests/system/dlzexternal/prereq.sh
new file mode 100644
index 0000000..9c161c2
--- /dev/null
+++ b/bin/tests/system/dlzexternal/prereq.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$FEATURETEST --have-dlopen ||  {
+        echo_i "dlopen() not supported - skipping dlzexternal test"
+        exit 255
+}
+
+$FEATURETEST --tsan && {
+	echo_i "TSAN - skipping dlzexternal test"
+        exit 255
+}
+
+exit 0
diff --git a/bin/tests/system/dlzexternal/setup.sh b/bin/tests/system/dlzexternal/setup.sh
new file mode 100644
index 0000000..6d6b4d4
--- /dev/null
+++ b/bin/tests/system/dlzexternal/setup.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$DDNSCONFGEN -q -z example.nil > ns1/ddns.key
+
+copy_setports ns1/named.conf.in ns1/named.conf
diff --git a/bin/tests/system/dlzexternal/tests.sh b/bin/tests/system/dlzexternal/tests.sh
new file mode 100644
index 0000000..ab35051
--- /dev/null
+++ b/bin/tests/system/dlzexternal/tests.sh
@@ -0,0 +1,230 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=0
+
+DIGOPTS="@10.53.0.1 -p ${PORT} +nocookie"
+RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
+
+newtest() {
+	n=`expr $n + 1`
+	echo_i "${1} (${n})"
+	ret=0
+}
+
+test_update() {
+    host="$1"
+    type="$2"
+    cmd="$3"
+    digout="$4"
+    should_fail="$5"
+
+    cat <<EOF > ns1/update.txt
+server 10.53.0.1 ${PORT}
+update add $host $cmd
+send
+EOF
+
+    newtest "testing update for $host $type $cmd${comment:+ }$comment"
+    $NSUPDATE -k ns1/ddns.key ns1/update.txt > /dev/null 2>&1 || {
+	[ "$should_fail" ] || \
+             echo_i "update failed for $host $type $cmd"
+	return 1
+    }
+
+    out=`$DIG $DIGOPTS -t $type -q $host | grep -E "^$host"`
+    lines=`echo "$out" | grep "$digout" | wc -l`
+    [ $lines -eq 1 ] || {
+	[ "$should_fail" ] || \
+            echo_i "dig output incorrect for $host $type $cmd: $out"
+	return 1
+    }
+    return 0
+}
+
+test_update testdc1.example.nil. A "86400 A 10.53.0.10" "10.53.0.10" || ret=1
+status=`expr $status + $ret`
+
+test_update testdc2.example.nil. A "86400 A 10.53.0.11" "10.53.0.11" || ret=1
+status=`expr $status + $ret`
+
+test_update testdc3.example.nil. A "86400 A 10.53.0.10" "10.53.0.10" || ret=1
+status=`expr $status + $ret`
+
+test_update deny.example.nil. TXT "86400 TXT helloworld" "helloworld" should_fail && ret=1
+status=`expr $status + $ret`
+
+newtest "testing nxrrset"
+$DIG $DIGOPTS testdc1.example.nil AAAA > dig.out.$n
+grep "status: NOERROR" dig.out.$n > /dev/null || ret=1
+grep "ANSWER: 0" dig.out.$n > /dev/null || ret=1
+status=`expr $status + $ret`
+
+newtest "testing prerequisites are checked correctly"
+cat > ns1/update.txt << EOF
+server 10.53.0.1 ${PORT}
+prereq nxdomain testdc3.example.nil
+update add testdc3.example.nil 86500 in a 10.53.0.12
+send
+EOF
+$NSUPDATE -k ns1/ddns.key ns1/update.txt > /dev/null 2>&1 && ret=1
+out=`$DIG $DIGOPTS +short a testdc3.example.nil`
+[ "$out" = "10.53.0.12" ] && ret=1
+[ "$ret" -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+newtest "testing passing client info into DLZ driver"
+out=`$DIG $DIGOPTS +short -t txt -q source-addr.example.nil | grep -v '^;'`
+addr=`eval echo "$out" | cut -f1 -d'#'`
+[ "$addr" = "10.53.0.1" ] || ret=1
+[ "$ret" -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+newtest "testing DLZ driver is cleaned up on reload"
+rndc_reload ns1 10.53.0.1
+for i in 0 1 2 3 4 5 6 7 8 9; do
+    ret=0
+    grep 'dlz_example: shutting down zone example.nil' ns1/named.run > /dev/null 2>&1 || ret=1
+    [ "$ret" -eq 0 ] && break
+    sleep 1
+done
+[ "$ret" -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+newtest "testing multiple DLZ drivers"
+test_update testdc1.alternate.nil. A "86400 A 10.53.0.10" "10.53.0.10" || ret=1
+status=`expr $status + $ret`
+
+newtest "testing AXFR from DLZ drivers"
+$DIG $DIGOPTS +noall +answer axfr example.nil > dig.out.example.ns1.test$n
+lines=`cat dig.out.example.ns1.test$n | wc -l`
+[ ${lines:-0} -eq 4 ] || ret=1
+$DIG $DIGOPTS +noall +answer axfr alternate.nil > dig.out.alternate.ns1.test$n
+lines=`cat dig.out.alternate.ns1.test$n | wc -l`
+[ ${lines:-0} -eq 5 ] || ret=1
+[ "$ret" -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+newtest "testing AXFR denied from DLZ drivers"
+$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr example.nil > dig.out.example.ns1.test$n
+grep "; Transfer failed" dig.out.example.ns1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr alternate.nil > dig.out.alternate.ns1.test$n
+grep "; Transfer failed" dig.out.alternate.ns1.test$n > /dev/null || ret=1
+[ "$ret" -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+newtest "testing AXFR denied based on view ACL"
+# 10.53.0.1 should be disallowed
+$DIG $DIGOPTS -b 10.53.0.1 +noall +answer axfr example.org > dig.out.example.ns1.test$n.1
+grep "; Transfer failed" dig.out.example.ns1.test$n.1 > /dev/null || ret=1
+# 10.53.0.2 should be allowed
+$DIG $DIGOPTS -b 10.53.0.2 +noall +answer axfr example.org > dig.out.example.ns1.test$n.2
+grep "; Transfer failed" dig.out.example.ns1.test$n.2 > /dev/null && ret=1
+[ "$ret" -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+newtest "testing unsearched/unregistered DLZ zone is not found"
+$DIG $DIGOPTS +noall +answer ns other.nil > dig.out.ns1.test$n
+grep "3600.IN.NS.other.nil." dig.out.ns1.test$n > /dev/null && ret=1
+[ "$ret" -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+newtest "testing unsearched/registered DLZ zone is found"
+$DIG $DIGOPTS +noall +answer ns zone.nil > dig.out.ns1.test$n
+grep "3600.IN.NS.zone.nil." dig.out.ns1.test$n > /dev/null || ret=1
+[ "$ret" -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+newtest "testing unsearched/registered DLZ zone is found"
+$DIG $DIGOPTS +noall +answer ns zone.nil > dig.out.ns1.test$n
+grep "3600.IN.NS.zone.nil." dig.out.ns1.test$n > /dev/null || ret=1
+[ "$ret" -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+newtest "testing correct behavior with findzone returning ISC_R_NOMORE"
+$DIG $DIGOPTS +noall a test.example.com > /dev/null 2>&1 || ret=1
+# we should only find one logged lookup per searched DLZ database
+lines=`grep "dlz_findzonedb.*test\.example\.com.*example.nil" ns1/named.run | wc -l`
+[ $lines -eq 1 ] || ret=1
+lines=`grep "dlz_findzonedb.*test\.example\.com.*alternate.nil" ns1/named.run | wc -l`
+[ $lines -eq 1 ] || ret=1
+[ "$ret" -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+newtest "testing findzone can return different results per client"
+$DIG $DIGOPTS -b 10.53.0.1 +noall a test.example.net > /dev/null 2>&1 || ret=1
+# we should only find one logged lookup per searched DLZ database
+lines=`grep "dlz_findzonedb.*example\.net.*example.nil" ns1/named.run | wc -l`
+[ $lines -eq 1 ] || ret=1
+lines=`grep "dlz_findzonedb.*example\.net.*alternate.nil" ns1/named.run | wc -l`
+[ $lines -eq 1 ] || ret=1
+$DIG $DIGOPTS -b 10.53.0.2 +noall a test.example.net > /dev/null 2>&1 || ret=1
+# we should find several logged lookups this time
+lines=`grep "dlz_findzonedb.*example\.net.*example.nil" ns1/named.run | wc -l`
+[ $lines -gt 2 ] || ret=1
+lines=`grep "dlz_findzonedb.*example\.net.*alternate.nil" ns1/named.run | wc -l`
+[ $lines -gt 2 ] || ret=1
+[ "$ret" -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+newtest "testing zone returning oversized data"
+$DIG $DIGOPTS txt too-long.example.nil > dig.out.ns1.test$n 2>&1 || ret=1
+grep "status: SERVFAIL" dig.out.ns1.test$n > /dev/null || ret=1
+[ "$ret" -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+newtest "testing zone returning oversized data at zone origin"
+$DIG $DIGOPTS txt bigcname.domain > dig.out.ns1.test$n 2>&1 || ret=1
+grep "status: SERVFAIL" dig.out.ns1.test$n > /dev/null || ret=1
+[ "$ret" -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+newtest "checking redirected lookup for nonexistent name"
+$DIG $DIGOPTS @10.53.0.1 unexists a > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "^unexists.*A.*100.100.100.2" dig.out.ns1.test$n > /dev/null || ret=1
+grep "flags:[^;]* aa[ ;]" dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+newtest "checking no redirected lookup for nonexistent type"
+$DIG $DIGOPTS @10.53.0.1 exists aaaa > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+newtest "checking redirected lookup for a long nonexistent name"
+$DIG $DIGOPTS @10.53.0.1 long.name.is.not.there a > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "^long.name.*A.*100.100.100.3" dig.out.ns1.test$n > /dev/null || ret=1
+grep "flags:[^;]* aa[ ;]" dig.out.ns1.test$n > /dev/null || ret=1
+lookups=`grep "lookup #.*\.not\.there" ns1/named.run | wc -l`
+[ "$lookups" -eq 1 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+newtest "checking ECS data is passed to driver in clientinfo"
+$DIG $DIGOPTS +short +subnet=192.0/16 source-addr.example.nil txt > dig.out.ns1.test$n.1 || ret=1
+grep "192.0.0.0/16/0" dig.out.ns1.test$n.1 > /dev/null || ret=1
+$DIG $DIGOPTS +short source-addr.example.nil txt > dig.out.ns1.test$n.2 || ret=1
+grep "not.*present" dig.out.ns1.test$n.2 > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/dns64/clean.sh b/bin/tests/system/dns64/clean.sh
new file mode 100644
index 0000000..b773e2d
--- /dev/null
+++ b/bin/tests/system/dns64/clean.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f ns*/named.conf
+rm -f ns1/K*
+rm -f ns1/signed.db*
+rm -f ns1/dsset-signed.
+rm -f */named.memstats
+rm -f */named.run
+rm -f dig.out.*
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/dns64/conf/bad1.conf b/bin/tests/system/dns64/conf/bad1.conf
new file mode 100644
index 0000000..a4b7e7f
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad1.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dns64 ::/0 { };
+};
diff --git a/bin/tests/system/dns64/conf/bad10.conf b/bin/tests/system/dns64/conf/bad10.conf
new file mode 100644
index 0000000..21855f6
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad10.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dns64 0000:0000:0000:0000:0100:000f::/96 { };  /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/bad11.conf b/bin/tests/system/dns64/conf/bad11.conf
new file mode 100644
index 0000000..c3bdd92
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad11.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dns64 0000:0000:0000:0000:0200:000f::/96 { }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/bad12.conf b/bin/tests/system/dns64/conf/bad12.conf
new file mode 100644
index 0000000..6ffe720
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad12.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dns64 0000:0000:0000:0000:0400:000f::/96 { }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/bad13.conf b/bin/tests/system/dns64/conf/bad13.conf
new file mode 100644
index 0000000..dc6c064
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad13.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dns64 0000:0000:0000:0000:0800:000f::/96 { }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/bad14.conf b/bin/tests/system/dns64/conf/bad14.conf
new file mode 100644
index 0000000..985101a
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad14.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dns64 0000:0000:0000:0000:1000:000f::/96 { }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/bad15.conf b/bin/tests/system/dns64/conf/bad15.conf
new file mode 100644
index 0000000..0931a55
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad15.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dns64 0000:0000:0000:0000:2000:000f::/96 { }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/bad16.conf b/bin/tests/system/dns64/conf/bad16.conf
new file mode 100644
index 0000000..3a8b962
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad16.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dns64 0000:0000:0000:0000:4000:000f::/96 { }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/bad17.conf b/bin/tests/system/dns64/conf/bad17.conf
new file mode 100644
index 0000000..6c9079b
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad17.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dns64 0000:0000:0000:0000:8000:000f::/96 { }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/bad18.conf b/bin/tests/system/dns64/conf/bad18.conf
new file mode 100644
index 0000000..566e177
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad18.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dns64 ::/32 { suffix ::8000:0000:0000:0000; }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/bad19.conf b/bin/tests/system/dns64/conf/bad19.conf
new file mode 100644
index 0000000..8a9fb76
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad19.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dns64 ::/32 { suffix ::0100:0000:0000:0000; }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/bad2.conf b/bin/tests/system/dns64/conf/bad2.conf
new file mode 100644
index 0000000..d275998
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad2.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dns64 ::/96 { suffix ::1; };
+};
diff --git a/bin/tests/system/dns64/conf/bad3.conf b/bin/tests/system/dns64/conf/bad3.conf
new file mode 100644
index 0000000..24971b3
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad3.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dns64 ::/96 { suffix 127.0.0.1; };
+};
diff --git a/bin/tests/system/dns64/conf/bad4.conf b/bin/tests/system/dns64/conf/bad4.conf
new file mode 100644
index 0000000..bc73ca5
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad4.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dns64 ::/129 { };
+};
diff --git a/bin/tests/system/dns64/conf/bad5.conf b/bin/tests/system/dns64/conf/bad5.conf
new file mode 100644
index 0000000..bc73ca5
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad5.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dns64 ::/129 { };
+};
diff --git a/bin/tests/system/dns64/conf/bad6.conf b/bin/tests/system/dns64/conf/bad6.conf
new file mode 100644
index 0000000..1d85ab9
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad6.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dns64 :: { };
+};
diff --git a/bin/tests/system/dns64/conf/bad7.conf b/bin/tests/system/dns64/conf/bad7.conf
new file mode 100644
index 0000000..afbf437
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad7.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dns64 FC36:EAFE:F993::/64 {
+		exclude { bogusacl; };
+	};
+};
diff --git a/bin/tests/system/dns64/conf/bad8.conf b/bin/tests/system/dns64/conf/bad8.conf
new file mode 100644
index 0000000..9aa423f
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad8.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dns64 FC36:EAFE:F993::/64 {
+		clients { bogusacl; };
+	};
+};
diff --git a/bin/tests/system/dns64/conf/bad9.conf b/bin/tests/system/dns64/conf/bad9.conf
new file mode 100644
index 0000000..b74204c
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad9.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dns64 FC36:EAFE:F993::/64 {
+		mapped { bogusacl; };
+	};
+};
diff --git a/bin/tests/system/dns64/conf/good1.conf b/bin/tests/system/dns64/conf/good1.conf
new file mode 100644
index 0000000..d84733e
--- /dev/null
+++ b/bin/tests/system/dns64/conf/good1.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
+options {
+	/* Well Known Prefix */
+	dns64 64:FF9B::/96 {
+		clients { any; };
+		mapped { !rfc1918; any; };
+		exclude { ::ffff:0:0/96; };
+	};
+};
diff --git a/bin/tests/system/dns64/conf/good2.conf b/bin/tests/system/dns64/conf/good2.conf
new file mode 100644
index 0000000..41b5730
--- /dev/null
+++ b/bin/tests/system/dns64/conf/good2.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
+options {
+	/* Well Known Prefix */
+	dns64 64:FF9B::/96 {
+		mapped { !rfc1918; any; };
+		exclude { ::ffff:0:0/96; };
+	};
+};
diff --git a/bin/tests/system/dns64/conf/good3.conf b/bin/tests/system/dns64/conf/good3.conf
new file mode 100644
index 0000000..450b2e0
--- /dev/null
+++ b/bin/tests/system/dns64/conf/good3.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
+options {
+	/* Well Known Prefix */
+	dns64 64:FF9B::/96 {
+		clients { any; };
+		exclude { ::ffff:0:0/96; };
+	};
+};
diff --git a/bin/tests/system/dns64/conf/good4.conf b/bin/tests/system/dns64/conf/good4.conf
new file mode 100644
index 0000000..2c57f23
--- /dev/null
+++ b/bin/tests/system/dns64/conf/good4.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
+options {
+	/* Well Known Prefix */
+	dns64 64:FF9B::/96 {
+		clients { any; };
+		mapped { !rfc1918; any; };
+	};
+};
diff --git a/bin/tests/system/dns64/conf/good5.conf b/bin/tests/system/dns64/conf/good5.conf
new file mode 100644
index 0000000..f6027a4
--- /dev/null
+++ b/bin/tests/system/dns64/conf/good5.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
+options {
+	/* Well Known Prefix */
+	dns64 64:FF9B::/96 { };
+};
diff --git a/bin/tests/system/dns64/ns1/example.db b/bin/tests/system/dns64/ns1/example.db
new file mode 100644
index 0000000..8253f1d
--- /dev/null
+++ b/bin/tests/system/dns64/ns1/example.db
@@ -0,0 +1,56 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL	3600
+@	SOA ns1 marka.isc.org. 0 0 0 0 1200
+@	NS ns1
+ns1	A	10.53.0.1
+excluded-good-a	AAAA	2001:eeee::1
+		A	1.2.3.4
+excluded-bad-a	AAAA	2001:eeee::2
+		A	10.0.0.1
+excluded-only	AAAA	2001:eeee::3
+partially-excluded-good-a	AAAA	2001:eeee::1
+		AAAA	2001::1
+		A	1.2.3.4
+partially-excluded-bad-a	AAAA	2001:eeee::2
+		AAAA	2001::2
+		A	10.0.0.1
+partially-excluded-only	AAAA	2001:eeee::3
+		AAAA	2001::3
+a-only		A	1.2.3.5
+a-and-aaaa	AAAA	2001::1
+		A	1.2.3.6
+aaaa-only	AAAA	2001::2
+a-not-mapped	A	10.0.0.2
+a-and-mapped	AAAA	::ffff:1.2.3.4
+		A	1.2.3.5
+a-and-aaaa-and-mapped AAAA 2001:eeee::4
+a-and-aaaa-and-mapped AAAA ::ffff:1.2.3.4
+a-and-aaaa-and-mapped A	1.2.3.5
+mx-only		MX	10 ns.example.
+cname-excluded-good-a CNAME excluded-good-a
+cname-excluded-bad-a CNAME excluded-bad-a
+cname-excluded-only CNAME excluded-only
+cname-partial-excluded-good-a CNAME partial-excluded-good-a
+cname-partial-excluded-bad-a CNAME partial-excluded-bad-a
+cname-partial-excluded-only CNAME partial-excluded-only
+cname-a-only CNAME a-only
+cname-a-and-aaaa CNAME a-and-aaaa
+cname-aaaa-only CNAME aaaa-only
+cname-a-not-mapped CNAME a-not-mapped
+cname-mx-only CNAME mx-only
+cname-non-existent CNAME non-existent
+ttl-less-than-600 500 A 5.6.7.8
+ttl-more-than-600 700 A 5.6.7.8
+ttl-less-than-minimum 1100 A 5.6.7.8
+ttl-more-than-minimum 1300 A 5.6.7.8
+rpz 1500 A 99.99.99.99
diff --git a/bin/tests/system/dns64/ns1/named.conf.in b/bin/tests/system/dns64/ns1/named.conf.in
new file mode 100644
index 0000000..a118525
--- /dev/null
+++ b/bin/tests/system/dns64/ns1/named.conf.in
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	allow-recursion { 10.53.0.1; };
+	notify yes;
+	dnssec-validation yes;
+
+	dns64 2001:bbbb::/96 {
+		clients { any; };
+		mapped { !rfc1918; any; };
+		exclude { 2001:eeee::/32; 64:FF9B::/96; ::ffff:0000:0000/96; };
+		suffix ::;
+		recursive-only yes;
+	};
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+};
+
+zone "signed" {
+	type primary;
+	file "signed.db.signed";
+};
+
+// include "trusted.conf";
diff --git a/bin/tests/system/dns64/ns1/root.db b/bin/tests/system/dns64/ns1/root.db
new file mode 100644
index 0000000..0e3bbee
--- /dev/null
+++ b/bin/tests/system/dns64/ns1/root.db
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@		SOA	a.root-servers.nil. marka.isc.org. 0 0 0 0 0
+@		NS	a.root-servers.nil.
+a.root-servers.nil.      A   10.53.0.1
+example 	NS	ns1.example.
+ns1.example.	A	10.53.0.1
+signed		NS	ns1.example.
+ns1.signed.	A	10.53.0.1
diff --git a/bin/tests/system/dns64/ns1/sign.sh b/bin/tests/system/dns64/ns1/sign.sh
new file mode 100644
index 0000000..9eff6e3
--- /dev/null
+++ b/bin/tests/system/dns64/ns1/sign.sh
@@ -0,0 +1,26 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=signed
+infile=example.db
+zonefile=signed.db
+
+key1=$($KEYGEN -q -a $DEFAULT_ALGORITHM $zone)
+key2=$($KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone)
+
+cat $infile $key1.key $key2.key > $zonefile
+
+$SIGNER -P -g -o $zone $zonefile > /dev/null
diff --git a/bin/tests/system/dns64/ns2/named.conf.in b/bin/tests/system/dns64/ns2/named.conf.in
new file mode 100644
index 0000000..be92d1a
--- /dev/null
+++ b/bin/tests/system/dns64/ns2/named.conf.in
@@ -0,0 +1,71 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+	dnssec-validation yes;
+
+	dns64 2001:aaaa::/96 {
+		clients { 10.53.0.2; };
+		mapped { !rfc1918; any; };
+		exclude { 2001:eeee::/32; 64:FF9B::/96; ::ffff:0000:0000/96; };
+		suffix ::;
+	};
+
+	dns64 64:FF9B::/96 {
+		clients { 10.53.0.1; };
+		mapped { !192.228.79.201; !rfc1918; any; };
+		exclude { 64:FF9B::/96; ::ffff:0000:0000/96; };
+		suffix ::;
+	};
+
+	dns64 2001:bbbb::/96 {
+		clients { 10.53.0.4; };
+		mapped { !rfc1918; any; };
+		suffix ::;
+	};
+
+	dns64-server "dns64.example.net.";
+	dns64-contact "hostmaster.example.net.";
+	dns64 2001:32::/32 { clients { 10.53.0.6; }; };
+	dns64 2001:40::/40 { clients { 10.53.0.6; }; };
+	dns64 2001:48::/48 { clients { 10.53.0.6; }; };
+	dns64 2001:56::/56 { clients { 10.53.0.6; }; };
+	dns64 2001:64::/64 { clients { 10.53.0.6; }; };
+
+	dns64 2001:96::/96 { clients { 10.53.0.7; }; };
+
+	response-policy { zone "rpz"; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "rpz" {
+	type primary;
+	file "rpz.db";
+};
diff --git a/bin/tests/system/dns64/ns2/rpz.db b/bin/tests/system/dns64/ns2/rpz.db
new file mode 100644
index 0000000..014cbf0
--- /dev/null
+++ b/bin/tests/system/dns64/ns2/rpz.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 86400      ; 1 day
+@               IN SOA  rpz. noc.rpz. (
+                                1         ; serial
+                                86400      ; refresh (1 day)
+                                3600       ; retry (1 hour)
+                                2592000    ; expire (4 weeks 2 days)
+                                25200      ; minimum (7 hours)
+                                )
+                        NS      @
+                        IN A    10.53.0.2
+
+rpz.example IN A    10.10.10.10
diff --git a/bin/tests/system/dns64/setup.sh b/bin/tests/system/dns64/setup.sh
new file mode 100644
index 0000000..24bd47c
--- /dev/null
+++ b/bin/tests/system/dns64/setup.sh
@@ -0,0 +1,20 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+
+cd ns1 && $SHELL sign.sh
diff --git a/bin/tests/system/dns64/tests.sh b/bin/tests/system/dns64/tests.sh
new file mode 100644
index 0000000..230246a
--- /dev/null
+++ b/bin/tests/system/dns64/tests.sh
@@ -0,0 +1,1406 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=0
+
+rm -f dig.out.*
+
+DIGOPTS="+tcp +noadd +nosea +nostat +nocmd -p ${PORT}"
+
+for conf in conf/good*.conf
+do
+        echo_i "checking that $conf is accepted ($n)"
+        ret=0
+        $CHECKCONF "$conf" || ret=1
+        n=`expr $n + 1`
+        if [ $ret != 0 ]; then echo_i "failed"; fi
+        status=`expr $status + $ret`
+done
+
+for conf in conf/bad*.conf
+do
+        echo_i "checking that $conf is rejected ($n)"
+        ret=0
+        $CHECKCONF "$conf" >/dev/null && ret=1
+	n=`expr $n + 1`
+        if [ $ret != 0 ]; then echo_i "failed"; fi
+        status=`expr $status + $ret`
+done
+
+# Check the example. domain
+
+echo_i "checking non-excluded AAAA lookup works ($n)"
+ret=0
+$DIG $DIGOPTS aaaa-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded only AAAA lookup works ($n)"
+ret=0
+$DIG $DIGOPTS excluded-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded AAAA and non-mapped A lookup works ($n)"
+ret=0
+$DIG $DIGOPTS excluded-bad-a.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded only AAAA and mapped A lookup works ($n)"
+ret=0
+$DIG $DIGOPTS excluded-good-a.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:aaaa::1.2.3.4" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking default exclude acl ignores mapped A records (all mapped) ($n)"
+ret=0
+$DIG $DIGOPTS a-and-mapped.example. @10.53.0.2 -b 10.53.0.4 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:bbbb::1.2.3.5" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking default exclude acl ignores mapped A records (some mapped) ($n)"
+ret=0
+$DIG $DIGOPTS a-and-aaaa-and-mapped.example. @10.53.0.2 -b 10.53.0.4 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:eeee::4" dig.out.ns2.test$n > /dev/null || ret=1
+grep "::ffff:1.2.3.4" dig.out.ns2.test$n > /dev/null && ret=1
+grep "::ffff:1.2.3.5" dig.out.ns2.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking default exclude acl works with AAAA only ($n)"
+ret=0
+$DIG $DIGOPTS aaaa-only.example. @10.53.0.2 -b 10.53.0.4 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking default exclude acl A only lookup works ($n)"
+ret=0
+$DIG $DIGOPTS a-only.example. @10.53.0.2 -b 10.53.0.4 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:bbbb::102:305" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking partially excluded only AAAA lookup works ($n)"
+ret=0
+$DIG $DIGOPTS partially-excluded-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::3" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking partially-excluded AAAA and non-mapped A lookup works ($n)"
+ret=0
+$DIG $DIGOPTS partially-excluded-bad-a.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking partially-excluded only AAAA and mapped A lookup works ($n)"
+ret=0
+$DIG $DIGOPTS partially-excluded-good-a.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking AAAA only lookup works ($n)"
+ret=0
+$DIG $DIGOPTS aaaa-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A only lookup works ($n)"
+ret=0
+$DIG $DIGOPTS a-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:aaaa::102:305" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A and AAAA lookup works ($n)"
+ret=0
+$DIG $DIGOPTS a-and-aaaa.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-mapped A lookup works ($n)"
+ret=0
+$DIG $DIGOPTS a-not-mapped.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking NODATA AAAA lookup works ($n)"
+ret=0
+$DIG $DIGOPTS mx-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-existent AAAA lookup works ($n)"
+ret=0
+$DIG $DIGOPTS non-existent.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-excluded AAAA via CNAME lookup works ($n)"
+ret=0
+$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded only AAAA via CNAME lookup works ($n)"
+ret=0
+$DIG $DIGOPTS cname-excluded-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded AAAA and non-mapped A via CNAME lookup works ($n)"
+ret=0
+$DIG $DIGOPTS cname-excluded-bad-a.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded only AAAA and mapped A via CNAME lookup works ($n)"
+ret=0
+$DIG $DIGOPTS cname-excluded-good-a.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:aaaa::1.2.3.4" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking AAAA only via CNAME lookup works ($n)"
+ret=0
+$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A only via CNAME lookup works ($n)"
+ret=0
+$DIG $DIGOPTS cname-a-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:aaaa::102:305" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A and AAAA via CNAME lookup works ($n)"
+ret=0
+$DIG $DIGOPTS cname-a-and-aaaa.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-mapped A via CNAME lookup works ($n)"
+ret=0
+$DIG $DIGOPTS cname-a-not-mapped.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+grep "CNAME	a-not-mapped.example." dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking NODATA AAAA via CNAME lookup works ($n)"
+ret=0
+$DIG $DIGOPTS cname-mx-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+grep "CNAME	mx-only.example." dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-existent AAAA via CNAME lookup works ($n)"
+ret=0
+$DIG $DIGOPTS cname-non-existent.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Check the example. domain recursive only
+
+echo_i "checking non-excluded AAAA lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded only AAAA lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded AAAA and non-mapped A lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded only AAAA and mapped A lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:bbbb::1.2.3.4" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking partially excluded only AAAA lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS partially-excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::3" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking partially-excluded AAAA and non-mapped A lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS partially-excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking partially-excluded only AAAA and mapped A lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS partially-excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking AAAA only lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A only lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS a-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:bbbb::102:305" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A and AAAA lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS a-and-aaaa.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-mapped A lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS a-not-mapped.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking NODATA AAAA lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS mx-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-existent AAAA lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS non-existent.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-excluded AAAA via CNAME lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded only AAAA via CNAME lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS cname-excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded AAAA and non-mapped A via CNAME lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS cname-excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded only AAAA and mapped A via CNAME lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS cname-excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:bbbb::102:304" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking AAAA only via CNAME lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A only via CNAME lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS cname-a-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:bbbb::102:305" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A and AAAA via CNAME lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS cname-a-and-aaaa.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-mapped A via CNAME lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS cname-a-not-mapped.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+grep "CNAME	a-not-mapped.example." dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking NODATA AAAA via CNAME lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS cname-mx-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+grep "CNAME	mx-only.example." dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-existent AAAA via CNAME lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS cname-non-existent.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Check the example. domain recursive only w/o recursion
+
+echo_i "checking non-excluded AAAA lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded only AAAA lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:eeee::3" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded AAAA and non-mapped A lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:eeee::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded only AAAA and mapped A lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:eeee::1" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking partially excluded only AAAA lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec partially-excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:eeee:" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::3" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking partially-excluded AAAA and non-mapped A lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec partially-excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:eeee:" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking partially-excluded only AAAA and mapped A lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec partially-excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:eeee:" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking AAAA only lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A only lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec a-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A and AAAA lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec a-and-aaaa.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-mapped A lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec a-not-mapped.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking NODATA AAAA lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec mx-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-existent AAAA lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec non-existent.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-excluded AAAA via CNAME lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec cname-aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded only AAAA via CNAME lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec cname-excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:eeee::3" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded AAAA and non-mapped A via CNAME lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec cname-excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:eeee::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded only AAAA and mapped A via CNAME lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec cname-excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:eeee::1" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking AAAA only via CNAME lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec cname-aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A only via CNAME lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec cname-a-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+grep "CNAME	a-only.example." dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A and AAAA via CNAME lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec cname-a-and-aaaa.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-mapped A via CNAME lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec cname-a-not-mapped.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+grep "CNAME	a-not-mapped.example." dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking NODATA AAAA via CNAME lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec cname-mx-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+grep "CNAME	mx-only.example." dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-existent AAAA via CNAME lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec cname-non-existent.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Check the example. domain from non client
+
+echo_i "checking non-excluded AAAA from non-client lookup works ($n)"
+ret=0
+$DIG $DIGOPTS aaaa-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded only AAAA from non-client lookup works ($n)"
+ret=0
+$DIG $DIGOPTS excluded-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:eeee::3" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded AAAA and non-mapped A from non-client lookup works ($n)"
+ret=0
+$DIG $DIGOPTS excluded-bad-a.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:eeee::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded only AAAA and mapped A from non-client lookup works ($n)"
+ret=0
+$DIG $DIGOPTS excluded-good-a.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:eeee::1" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking AAAA only from non-client lookup works ($n)"
+ret=0
+$DIG $DIGOPTS aaaa-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A only from non-client lookup works ($n)"
+ret=0
+$DIG $DIGOPTS a-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A and AAAA from non-client lookup works ($n)"
+ret=0
+$DIG $DIGOPTS a-and-aaaa.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-mapped A from non-client lookup works ($n)"
+ret=0
+$DIG $DIGOPTS a-not-mapped.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking NODATA AAAA from non-client lookup works ($n)"
+ret=0
+$DIG $DIGOPTS mx-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-existent AAAA from non-client lookup works ($n)"
+ret=0
+$DIG $DIGOPTS non-existent.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-excluded AAAA via CNAME from non-client lookup works ($n)"
+ret=0
+$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded only AAAA via CNAME from non-client lookup works ($n)"
+ret=0
+$DIG $DIGOPTS cname-excluded-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:eeee::3" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded AAAA and non-mapped A via CNAME from non-client lookup works ($n)"
+ret=0
+$DIG $DIGOPTS cname-excluded-bad-a.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:eeee::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded only AAAA and mapped A via CNAME from non-client lookup works ($n)"
+ret=0
+$DIG $DIGOPTS cname-excluded-good-a.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:eeee::1" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking AAAA only via CNAME from non-client lookup works ($n)"
+ret=0
+$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A only via CNAME from non-client lookup works ($n)"
+ret=0
+$DIG $DIGOPTS cname-a-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A and AAAA via CNAME from non-client lookup works ($n)"
+ret=0
+$DIG $DIGOPTS cname-a-and-aaaa.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-mapped A via CNAME from non-client lookup works ($n)"
+ret=0
+$DIG $DIGOPTS cname-a-not-mapped.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+grep "CNAME	a-not-mapped.example." dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking NODATA AAAA via CNAME from non-client lookup works ($n)"
+ret=0
+$DIG $DIGOPTS cname-mx-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+grep "CNAME	mx-only.example." dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-existent AAAA via CNAME from non-client lookup works ($n)"
+ret=0
+$DIG $DIGOPTS cname-non-existent.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Check the signed. domain
+
+echo_i "checking non-excluded AAAA lookup is signed zone works ($n)"
+ret=0
+$DIG $DIGOPTS aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded only AAAA lookup is signed zone works ($n)"
+ret=0
+$DIG $DIGOPTS excluded-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded AAAA and non-mapped A lookup is signed zone works ($n)"
+ret=0
+$DIG $DIGOPTS excluded-bad-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded only AAAA and mapped A lookup is signed zone works ($n)"
+ret=0
+$DIG $DIGOPTS excluded-good-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:aaaa::102:304" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking AAAA only lookup is signed zone works ($n)"
+ret=0
+$DIG $DIGOPTS aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A only lookup is signed zone works ($n)"
+ret=0
+$DIG $DIGOPTS a-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:aaaa::102:305" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A and AAAA lookup is signed zone works ($n)"
+ret=0
+$DIG $DIGOPTS a-and-aaaa.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-mapped A lookup is signed zone works ($n)"
+ret=0
+$DIG $DIGOPTS a-not-mapped.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking NODATA AAAA lookup is signed zone works ($n)"
+ret=0
+$DIG $DIGOPTS mx-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-existent AAAA lookup is signed zone works ($n)"
+ret=0
+$DIG $DIGOPTS non-existent.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-excluded AAAA via CNAME lookup is signed zone works ($n)"
+ret=0
+$DIG $DIGOPTS cname-aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded only AAAA via CNAME lookup is signed zone works ($n)"
+ret=0
+$DIG $DIGOPTS cname-excluded-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded AAAA and non-mapped A via CNAME lookup is signed zone works ($n)"
+ret=0
+$DIG $DIGOPTS cname-excluded-bad-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded only AAAA and mapped A via CNAME lookup is signed zone works ($n)"
+ret=0
+$DIG $DIGOPTS cname-excluded-good-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:aaaa::102:304" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking AAAA only via CNAME lookup is signed zone works ($n)"
+ret=0
+$DIG $DIGOPTS cname-aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A only via CNAME lookup is signed zone works ($n)"
+ret=0
+$DIG $DIGOPTS cname-a-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:aaaa::102:305" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A and AAAA via CNAME lookup is signed zone works ($n)"
+ret=0
+$DIG $DIGOPTS cname-a-and-aaaa.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-mapped A via CNAME lookup is signed zone works ($n)"
+ret=0
+$DIG $DIGOPTS cname-a-not-mapped.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+grep "CNAME	a-not-mapped.signed." dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking NODATA AAAA via CNAME lookup is signed zone works ($n)"
+ret=0
+$DIG $DIGOPTS cname-mx-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+grep "CNAME	mx-only.signed." dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-existent AAAA via CNAME lookup is signed zone works ($n)"
+ret=0
+$DIG $DIGOPTS cname-non-existent.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Check the signed. domain
+echo_i "checking non-excluded AAAA lookup is signed zone works with +dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +dnssec aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded only AAAA lookup is signed zone works with +dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +dnssec excluded-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:eeee::3" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded AAAA and non-mapped A lookup is signed zone works with +dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +dnssec excluded-bad-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:eeee::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded only AAAA and mapped A lookup is signed zone works with +dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +dnssec excluded-good-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:eeee::1" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking AAAA only lookup is signed zone works with +dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +dnssec aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A only lookup is signed zone works with +dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +dnssec a-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A and AAAA lookup is signed zone works with +dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +dnssec a-and-aaaa.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-mapped A lookup is signed zone works with +dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +dnssec a-not-mapped.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking NODATA AAAA lookup is signed zone works with +dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +dnssec mx-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-existent AAAA lookup is signed zone works with +dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +dnssec non-existent.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-excluded AAAA via CNAME lookup is signed zone works with +dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +dnssec cname-aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded only AAAA via CNAME lookup is signed zone works with +dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +dnssec cname-excluded-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:eeee::3" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded AAAA and non-mapped A via CNAME lookup is signed zone works with +dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +dnssec cname-excluded-bad-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:eeee::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded only AAAA and mapped A via CNAME lookup is signed zone works with +dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +dnssec cname-excluded-good-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:eeee::1" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking AAAA only via CNAME lookup is signed zone works with +dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +dnssec cname-aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A only via CNAME lookup is signed zone works with +dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +dnssec cname-a-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:aaaa::102:305" dig.out.ns2.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A and AAAA via CNAME lookup is signed zone works with +dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +dnssec cname-a-and-aaaa.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-mapped A via CNAME lookup is signed zone works with +dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +dnssec cname-a-not-mapped.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 2" dig.out.ns2.test$n > /dev/null || ret=1
+grep "CNAME	a-not-mapped.signed." dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking NODATA AAAA via CNAME lookup is signed zone works with +dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +dnssec cname-mx-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1
+grep "CNAME	mx-only.signed." dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-existent AAAA via CNAME lookup is signed zone works with +dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +dnssec cname-non-existent.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking reverse mapping ($n)"
+ret=0
+$DIG $DIGOPTS -x 2001:aaaa::10.0.0.1 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep -i "CNAME.1.0.0.10.IN-ADDR.ARPA.$" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+list=`$DIG $DIGOPTS -b 10.53.0.6 @10.53.0.2 +short aaaa a-only.example | sort`
+for a in $list
+do
+	ret=0
+	echo_i "checking reverse mapping of $a ($n)"
+	$DIG $DIGOPTS -x $a @10.53.0.2 > dig.out.ns2.test$n || ret=1
+	grep -i "CNAME.5.3.2.1.IN-ADDR.ARPA." dig.out.ns2.test$n > /dev/null || ret=1
+	n=`expr $n + 1`
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=`expr $status + $ret`
+done
+
+rev=`$ARPANAME 2001:aaaa::10.0.0.1`
+regex='..\(.*.IP6.ARPA\)'
+rev=`expr "${rev}" : "${regex}"`
+fin=`expr "${rev}" : "............${regex}"`
+while test "${rev}" != "${fin}"
+do
+	ret=0
+	echo_i "checking $rev ($n)"
+	$DIG $DIGOPTS $rev ptr @10.53.0.2 > dig.out.ns2.test$n || ret=1
+	grep -i "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+	grep -i "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1
+	n=`expr $n + 1`
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=`expr $status + $ret`
+	rev=`expr "${rev}" : "${regex}"`
+done
+
+echo_i "checking dns64-server and dns64-contact ($n)"
+ret=0
+$DIG $DIGOPTS soa 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.a.a.a.1.0.0.2.ip6.arpa @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep "SOA.dns64.example.net..hostmaster.example.net." dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking TTL less than 600 from zone ($n)"
+ret=0
+#expect 500
+$DIG $DIGOPTS aaaa ttl-less-than-600.example +rec @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep -i "ttl-less-than-600.example..500.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking TTL more than 600 from zone ($n)"
+ret=0
+#expect 700
+$DIG $DIGOPTS aaaa ttl-more-than-600.example +rec @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep -i "ttl-more-than-600.example..700.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking TTL less than minimum from zone ($n)"
+ret=0
+#expect 1100
+$DIG $DIGOPTS aaaa ttl-less-than-minimum.example +rec @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep -i "ttl-less-than-minimum.example..1100.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking TTL limited to minimum from zone ($n)"
+ret=0
+#expect 1200
+$DIG $DIGOPTS aaaa ttl-more-than-minimum.example +rec @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep -i "ttl-more-than-minimum.example..1200.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking TTL less than 600 via cache ($n)"
+ret=0
+#expect 500
+$DIG $DIGOPTS aaaa ttl-less-than-600.example +rec -b 10.53.0.2 @10.53.0.2 > dig.out.ns1.test$n || ret=1
+grep -i "ttl-less-than-600.example..500.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking TTL more than 600 via cache ($n)"
+ret=0
+#expect 700
+$DIG $DIGOPTS aaaa ttl-more-than-600.example +rec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep -i "ttl-more-than-600.example..700.IN.AAAA" dig.out.ns2.test$n >/dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking TTL less than minimum via cache ($n)"
+ret=0
+#expect 1100
+$DIG $DIGOPTS aaaa ttl-less-than-minimum.example +rec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep -i "ttl-less-than-minimum.example..1100.IN.AAAA" dig.out.ns2.test$n >/dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking TTL limited to minimum via cache ($n)"
+ret=0
+#expect 1200
+$DIG $DIGOPTS aaaa ttl-more-than-minimum.example +rec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep -i "ttl-more-than-minimum.example..1200.IN.AAAA" dig.out.ns2.test$n >/dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking synthesis of AAAA from RPZ-remapped A ($n)"
+ret=0
+$DIG $DIGOPTS aaaa rpz.example +rec -b 10.53.0.7 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep -i 'rpz.example.*IN.AAAA.2001:96::a0a:a0a' dig.out.ns2.test$n >/dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/dnssec/README b/bin/tests/system/dnssec/README
new file mode 100644
index 0000000..fcaa3b6
--- /dev/null
+++ b/bin/tests/system/dnssec/README
@@ -0,0 +1,32 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0.  If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+
+The test setup for the DNSSEC tests has a secure root.
+
+ns1 is the root server.
+
+ns2 and ns3 are authoritative servers for the various test domains.
+
+ns4 is a caching-only server, configured with the correct trusted key
+for the root.
+
+ns5 is a caching-only server, configured with the an incorrect trusted
+key for the root.  It is used for testing failure cases.
+
+ns6 is an caching and authoritative server used for testing unusual
+server behaviors such as disabled DNSSEC algorithms.
+
+ns7 is used for checking non-cacheable answers.
+
+ns8 is a caching-only server, configured with unsupported and disabled
+algorithms.  It is used for testing failure cases.
+
+ns9 is a forwarding-only server.
diff --git a/bin/tests/system/dnssec/ans10/ans.py b/bin/tests/system/dnssec/ans10/ans.py
new file mode 100644
index 0000000..dbe49e5
--- /dev/null
+++ b/bin/tests/system/dnssec/ans10/ans.py
@@ -0,0 +1,158 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+from __future__ import print_function
+import os
+import sys
+import signal
+import socket
+import select
+from datetime import datetime, timedelta
+import time
+import functools
+
+import dns, dns.message, dns.query, dns.flags
+from dns.rdatatype import *
+from dns.rdataclass import *
+from dns.rcode import *
+from dns.name import *
+
+
+# Log query to file
+def logquery(type, qname):
+    with open("qlog", "a") as f:
+        f.write("%s %s\n", type, qname)
+
+
+############################################################################
+# Respond to a DNS query.
+# SOA gets a unsigned response.
+# NS gets a unsigned response.
+# DNSKEY get a unsigned NODATA response.
+# A gets a signed response.
+# All other types get a unsigned NODATA response.
+############################################################################
+def create_response(msg):
+    m = dns.message.from_wire(msg)
+    qname = m.question[0].name.to_text()
+    rrtype = m.question[0].rdtype
+    typename = dns.rdatatype.to_text(rrtype)
+
+    with open("query.log", "a") as f:
+        f.write("%s %s\n" % (typename, qname))
+        print("%s %s" % (typename, qname), end=" ")
+
+    r = dns.message.make_response(m)
+    r.set_rcode(NOERROR)
+    if rrtype == A:
+        now = datetime.today()
+        expire = now + timedelta(days=30)
+        inception = now - timedelta(days=1)
+        rrsig = (
+            "A 13 2 60 "
+            + expire.strftime("%Y%m%d%H%M%S")
+            + " "
+            + inception.strftime("%Y%m%d%H%M%S")
+            + " 12345 "
+            + qname
+            + " gB+eISXAhSPZU2i/II0W9ZUhC2SCIrb94mlNvP5092WAeXxqN/vG43/1nmDl"
+            + "y2Qs7y5VCjSMOGn85bnaMoAc7w=="
+        )
+        r.answer.append(dns.rrset.from_text(qname, 1, IN, A, "10.53.0.10"))
+        r.answer.append(dns.rrset.from_text(qname, 1, IN, RRSIG, rrsig))
+    elif rrtype == NS:
+        r.answer.append(dns.rrset.from_text(qname, 1, IN, NS, "."))
+    elif rrtype == SOA:
+        r.answer.append(dns.rrset.from_text(qname, 1, IN, SOA, ". . 0 0 0 0 0"))
+    else:
+        r.authority.append(dns.rrset.from_text(qname, 1, IN, SOA, ". . 0 0 0 0 0"))
+    r.flags |= dns.flags.AA
+    return r
+
+
+def sigterm(signum, frame):
+    print("Shutting down now...")
+    os.remove("ans.pid")
+    running = False
+    sys.exit(0)
+
+
+############################################################################
+# Main
+#
+# Set up responder and control channel, open the pid file, and start
+# the main loop, listening for queries on the query channel or commands
+# on the control channel and acting on them.
+############################################################################
+ip4 = "10.53.0.10"
+ip6 = "fd92:7065:b8e:ffff::10"
+
+try:
+    port = int(os.environ["PORT"])
+except:
+    port = 5300
+
+query4_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+query4_socket.bind((ip4, port))
+havev6 = True
+try:
+    query6_socket = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
+    try:
+        query6_socket.bind((ip6, port))
+    except:
+        query6_socket.close()
+        havev6 = False
+except:
+    havev6 = False
+signal.signal(signal.SIGTERM, sigterm)
+
+f = open("ans.pid", "w")
+pid = os.getpid()
+print(pid, file=f)
+f.close()
+
+running = True
+
+print("Listening on %s port %d" % (ip4, port))
+if havev6:
+    print("Listening on %s port %d" % (ip6, port))
+print("Ctrl-c to quit")
+
+if havev6:
+    input = [query4_socket, query6_socket]
+else:
+    input = [query4_socket]
+
+while running:
+    try:
+        inputready, outputready, exceptready = select.select(input, [], [])
+    except select.error as e:
+        break
+    except socket.error as e:
+        break
+    except KeyboardInterrupt:
+        break
+
+    for s in inputready:
+        if s == query4_socket or s == query6_socket:
+            print(
+                "Query received on %s" % (ip4 if s == query4_socket else ip6), end=" "
+            )
+            # Handle incoming queries
+            msg = s.recvfrom(65535)
+            rsp = create_response(msg[0])
+            if rsp:
+                print(dns.rcode.to_text(rsp.rcode()))
+                s.sendto(rsp.to_wire(), msg[1])
+            else:
+                print("NO RESPONSE")
+    if not running:
+        break
diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh
new file mode 100644
index 0000000..28e72ba
--- /dev/null
+++ b/bin/tests/system/dnssec/clean.sh
@@ -0,0 +1,116 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+rm -f ./*/K* ./*/keyset-* ./*/dsset-* ./*/signedkey-* ./*/*.signed
+rm -f ./*/example.bk
+rm -f ./*/named.conf
+rm -f ./*/named.memstats
+rm -f ./*/named.run ./*/named.run.prev
+rm -f ./*/named.secroots
+rm -f ./*/tmp* ./*/*.jnl ./*/*.bk ./*/*.jbk
+rm -f ./*/trusted.conf ./*/managed.conf ./*/revoked.conf
+rm -f ./Kexample.* ./Kkeygen* ./keygen*.err
+rm -f ./ans10/query.log ./ans10/ans.run
+rm -f ./canonical?.*
+rm -f ./delv.out*
+rm -f ./delve.out*
+rm -f ./dig.out.*
+rm -f ./ns2/too-many-iterations.db
+rm -f ./dnssectools.out*
+rm -f ./dsfromkey.out.*
+rm -f ./keygen.err
+rm -f ./named.secroots.test*
+rm -f ./nosign.before
+rm -f ./ns*/*.nta
+rm -f ./ns*/managed-keys.bind ./ns*/managed-keys.bind.jnl ./ns*/*.mkeys*
+rm -f ./ns*/named.lock
+rm -f ./ns1/managed.key.id
+rm -f ./ns1/root.db ./ns2/example.db ./ns2/managed.db ./ns2/trusted.db
+rm -f ./ns1/trusted.keys
+rm -f ./ns2/algroll.db
+rm -f ./ns2/badparam.db ./ns2/badparam.db.bad
+rm -f ./ns2/cdnskey-kskonly.secure.db
+rm -f ./ns2/cdnskey-kskonly.secure.id
+rm -f ./ns2/cdnskey-update.secure.db
+rm -f ./ns2/cdnskey-x.secure.db
+rm -f ./ns2/cdnskey.secure.db
+rm -f ./ns2/cds-auto.secure.db ./ns2/cds-auto.secure.db.jnl
+rm -f ./ns2/cds-kskonly.secure.db
+rm -f ./ns2/cds-kskonly.secure.id
+rm -f ./ns2/cds-update.secure.db ./ns2/cds-update.secure.db.jnl
+rm -f ./ns2/cds.secure.db ./ns2/cds-x.secure.db
+rm -f ./ns2/in-addr.arpa.db
+rm -f ./ns2/nsec3chain-test.db
+rm -f ./ns2/single-nsec3.db
+rm -f ./ns2/updatecheck-kskonly.secure.*
+rm -f ./ns3/auto-nsec.example.db ./ns3/auto-nsec3.example.db
+rm -f ./ns3/badds.example.db
+rm -f ./ns3/dname-at-apex-nsec3.example.db
+rm -f ./ns3/dnskey-nsec3-unknown.example.db
+rm -f ./ns3/dnskey-nsec3-unknown.example.db.tmp
+rm -f ./ns3/dnskey-unknown.example.db
+rm -f ./ns3/dnskey-unknown.example.db.tmp
+rm -f ./ns3/dnskey-unsupported-2.example.db
+rm -f ./ns3/dnskey-unsupported-2.example.db.tmp
+rm -f ./ns3/dnskey-unsupported.example.db
+rm -f ./ns3/dnskey-unsupported.example.db.tmp
+rm -f ./ns3/dynamic.example.db ./ns3/dynamic.example.db.signed.jnl
+rm -f ./ns3/expired.example.db ./ns3/update-nsec3.example.db
+rm -f ./ns3/expiring.example.db ./ns3/nosign.example.db
+rm -f ./ns3/future.example.db ./ns3/trusted-future.key
+rm -f ./ns3/inline.example.db.signed
+rm -f ./ns3/kskonly.example.db
+rm -f ./ns3/lower.example.db ./ns3/upper.example.db ./ns3/upper.example.db.lower
+rm -f ./ns3/managed-future.example.db
+rm -f ./ns3/multiple.example.db ./ns3/nsec3-unknown.example.db ./ns3/nsec3.example.db
+rm -f ./ns3/nsec3.nsec3.example.db
+rm -f ./ns3/nsec3.optout.example.db
+rm -f ./ns3/occluded.example.db
+rm -f ./ns3/optout-unknown.example.db ./ns3/optout.example.db
+rm -f ./ns3/optout.nsec3.example.db
+rm -f ./ns3/optout.optout.example.db
+rm -f ./ns3/publish-inactive.example.db
+rm -f ./ns3/revkey.example.db
+rm -f ./ns3/rsasha256.example.db ./ns3/rsasha512.example.db
+rm -f ./ns3/secure.below-cname.example.db
+rm -f ./ns3/secure.example.db ./ns3/*.managed.db ./ns3/*.trusted.db
+rm -f ./ns3/secure.nsec3.example.db
+rm -f ./ns3/secure.optout.example.db
+rm -f ./ns3/siginterval.conf
+rm -f ./ns3/siginterval.example.db
+rm -f ./ns3/split-dnssec.example.db
+rm -f ./ns3/split-smart.example.db
+rm -f ./ns3/ttlpatch.example.db ./ns3/ttlpatch.example.db.signed
+rm -f ./ns3/ttlpatch.example.db.patched
+rm -f ./ns3/unsecure.example.db ./ns3/bogus.example.db ./ns3/keyless.example.db
+rm -f ./ns3/unsupported.managed.db.tmp ./ns3/unsupported.trusted.db.tmp
+rm -f ./ns4/named_dump.db*
+rm -f ./ns6/optout-tld.db
+rm -f ./ns7/multiple.example.bk ./ns7/nsec3.example.bk ./ns7/optout.example.bk
+rm -f ./ns7/split-rrsig.db ./ns7/split-rrsig.db.unsplit
+rm -f ./nsupdate.out*
+rm -f ./python.out.*
+rm -f ./rndc.out.*
+rm -f ./signer/*.db
+rm -f ./signer/*.signed.post*
+rm -f ./signer/*.signed.pre*
+rm -f ./signer/example.db.after ./signer/example.db.before
+rm -f ./signer/example.db.changed
+rm -f ./signer/general/dsset*
+rm -f ./signer/general/signed.zone
+rm -f ./signer/general/signer.out.*
+rm -f ./signer/nsec3param.out
+rm -f ./signer/signer.out.*
+rm -f ./signing.out*
diff --git a/bin/tests/system/dnssec/dnssec_update_test.pl b/bin/tests/system/dnssec/dnssec_update_test.pl
new file mode 100644
index 0000000..a06c563
--- /dev/null
+++ b/bin/tests/system/dnssec/dnssec_update_test.pl
@@ -0,0 +1,99 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# DNSSEC Dynamic update test suite.
+#
+# Usage:
+#
+#   perl update_test.pl [-s server] [-p port] zone
+#
+# The server defaults to 127.0.0.1.
+# The port defaults to 53.
+#
+# Installation notes:
+#
+# This program uses the Net::DNS::Resolver module.
+# You can install it by saying
+#
+#    perl -MCPAN -e "install Net::DNS"
+#
+
+use Getopt::Std;
+use Net::DNS;
+use Net::DNS::Update;
+use Net::DNS::Resolver;
+
+$opt_s = "127.0.0.1";
+$opt_p = 53;
+
+getopt('s:p:');
+
+$res = new Net::DNS::Resolver;
+$res->nameservers($opt_s);
+$res->port($opt_p);
+$res->defnames(0); # Do not append default domain.
+
+@ARGV == 1 or die
+    "usage: perl update_test.pl [-s server] [-p port] zone\n";
+
+$zone = shift @ARGV;
+
+my $failures = 0;
+
+sub assert {
+    my ($cond, $explanation) = @_;
+    if (!$cond) {
+	print "Test Failed: $explanation ***\n";
+	$failures++
+    }
+}
+
+sub test {
+    my ($expected, @records) = @_;
+
+    my $update = new Net::DNS::Update("$zone");
+
+    foreach $rec (@records) {
+	$update->push(@$rec);
+    }
+
+    $reply = $res->send($update);
+
+    # Did it work?
+    if (defined $reply) {
+	my $rcode = $reply->header->rcode;
+        assert($rcode eq $expected, "expected $expected, got $rcode");
+    } else {
+	print "Update failed: ", $res->errorstring, "\n";
+    }
+}
+
+sub section {
+    my ($msg) = @_;
+    print "$msg\n";
+}
+
+section("Add a name");
+test("NOERROR", ["update", rr_add("a.$zone 300 A 73.80.65.49")]);
+
+section("Delete the name");
+test("NOERROR", ["update", rr_del("a.$zone")]);
+
+if ($failures) {
+    print "$failures update tests failed.\n";
+} else {
+    print "All update tests successful.\n";
+}
+
+exit $failures;
diff --git a/bin/tests/system/dnssec/ns1/named.conf.in b/bin/tests/system/dnssec/ns1/named.conf.in
new file mode 100644
index 0000000..bd1ccc4
--- /dev/null
+++ b/bin/tests/system/dnssec/ns1/named.conf.in
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	dnssec-validation yes;
+	/* test that we can turn off trust-anchor-telemetry */
+	trust-anchor-telemetry no;
+};
+
+zone "." {
+	type primary;
+	file "root.db.signed";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/dnssec/ns1/root.db.in b/bin/tests/system/dnssec/ns1/root.db.in
new file mode 100644
index 0000000..526e36c
--- /dev/null
+++ b/bin/tests/system/dnssec/ns1/root.db.in
@@ -0,0 +1,37 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+.			IN SOA	gson.nominum.com. a.root.servers.nil. (
+				2000042100	; serial
+				600		; refresh
+				600		; retry
+				1200		; expire
+				600		; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+
+example.		NS	ns2.example.
+ns2.example.		A	10.53.0.2
+algroll.		NS	ns2.algroll.
+ns2.algroll.		A	10.53.0.2
+managed.		NS	ns2.managed.
+ns2.managed.		A	10.53.0.2
+trusted.		NS	ns2.trusted.
+ns2.trusted.		A	10.53.0.2
+optout-tld		NS	ns6.optout-tld.
+ns6.optout-tld.		A	10.53.0.6
+in-addr.arpa.		NS	ns2.example.
+inprogress.		NS	ns10.inprogress.
+ns10.inprogress.	A	10.53.0.10
+too-many-iterations.	NS	ns2.too-many-iterations.
+ns2.too-many-iterations.	A	10.53.0.2
diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh
new file mode 100644
index 0000000..563dc96
--- /dev/null
+++ b/bin/tests/system/dnssec/ns1/sign.sh
@@ -0,0 +1,62 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+zone=.
+infile=root.db.in
+zonefile=root.db
+
+(cd ../ns2 && $SHELL sign.sh )
+(cd ../ns6 && $SHELL sign.sh )
+(cd ../ns7 && $SHELL sign.sh )
+
+echo_i "ns1/sign.sh"
+
+cp "../ns2/dsset-example$TP" .
+cp "../ns2/dsset-in-addr.arpa$TP" .
+cp "../ns2/dsset-too-many-iterations$TP" .
+
+grep "$DEFAULT_ALGORITHM_NUMBER [12] " "../ns2/dsset-algroll$TP" > "dsset-algroll$TP"
+cp "../ns6/dsset-optout-tld$TP" .
+
+ksk=$("$KEYGEN" -q -fk -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile"
+
+"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
+
+# Configure the resolving server with a staitc key.
+keyfile_to_static_ds "$ksk" > trusted.conf
+cp trusted.conf ../ns2/trusted.conf
+cp trusted.conf ../ns3/trusted.conf
+cp trusted.conf ../ns4/trusted.conf
+cp trusted.conf ../ns6/trusted.conf
+cp trusted.conf ../ns7/trusted.conf
+cp trusted.conf ../ns9/trusted.conf
+
+keyfile_to_trusted_keys "$ksk" > trusted.keys
+
+# ...or with an initializing key.
+keyfile_to_initial_ds "$ksk" > managed.conf
+cp managed.conf ../ns4/managed.conf
+
+#
+#  Save keyid for managed key id test.
+#
+
+keyfile_to_key_id "$ksk" > managed.key.id
diff --git a/bin/tests/system/dnssec/ns2/algroll.db.in b/bin/tests/system/dnssec/ns2/algroll.db.in
new file mode 100644
index 0000000..6f66fc9
--- /dev/null
+++ b/bin/tests/system/dnssec/ns2/algroll.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 30	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				30       ; minimum (1 hour)
+				)
+			NS	ns2
+ns2			A	10.53.0.2
+ns3			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
diff --git a/bin/tests/system/dnssec/ns2/badparam.db.in b/bin/tests/system/dnssec/ns2/badparam.db.in
new file mode 100644
index 0000000..b18d186
--- /dev/null
+++ b/bin/tests/system/dnssec/ns2/badparam.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2010081000 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+ns2			A	10.53.0.2
diff --git a/bin/tests/system/dnssec/ns2/cdnskey-auto.secure.db.in b/bin/tests/system/dnssec/ns2/cdnskey-auto.secure.db.in
new file mode 100644
index 0000000..aa3aaab
--- /dev/null
+++ b/bin/tests/system/dnssec/ns2/cdnskey-auto.secure.db.in
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@	SOA	ns2.example. . 1 3600 1200 86400 1200
+@	NS	ns2.example.
diff --git a/bin/tests/system/dnssec/ns2/cdnskey-kskonly.secure.db.in b/bin/tests/system/dnssec/ns2/cdnskey-kskonly.secure.db.in
new file mode 100644
index 0000000..aa3aaab
--- /dev/null
+++ b/bin/tests/system/dnssec/ns2/cdnskey-kskonly.secure.db.in
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@	SOA	ns2.example. . 1 3600 1200 86400 1200
+@	NS	ns2.example.
diff --git a/bin/tests/system/dnssec/ns2/cdnskey-update.secure.db.in b/bin/tests/system/dnssec/ns2/cdnskey-update.secure.db.in
new file mode 100644
index 0000000..aa3aaab
--- /dev/null
+++ b/bin/tests/system/dnssec/ns2/cdnskey-update.secure.db.in
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@	SOA	ns2.example. . 1 3600 1200 86400 1200
+@	NS	ns2.example.
diff --git a/bin/tests/system/dnssec/ns2/cdnskey.secure.db.in b/bin/tests/system/dnssec/ns2/cdnskey.secure.db.in
new file mode 100644
index 0000000..aa3aaab
--- /dev/null
+++ b/bin/tests/system/dnssec/ns2/cdnskey.secure.db.in
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@	SOA	ns2.example. . 1 3600 1200 86400 1200
+@	NS	ns2.example.
diff --git a/bin/tests/system/dnssec/ns2/cds-auto.secure.db.in b/bin/tests/system/dnssec/ns2/cds-auto.secure.db.in
new file mode 100644
index 0000000..aa3aaab
--- /dev/null
+++ b/bin/tests/system/dnssec/ns2/cds-auto.secure.db.in
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@	SOA	ns2.example. . 1 3600 1200 86400 1200
+@	NS	ns2.example.
diff --git a/bin/tests/system/dnssec/ns2/cds-kskonly.secure.db.in b/bin/tests/system/dnssec/ns2/cds-kskonly.secure.db.in
new file mode 100644
index 0000000..aa3aaab
--- /dev/null
+++ b/bin/tests/system/dnssec/ns2/cds-kskonly.secure.db.in
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@	SOA	ns2.example. . 1 3600 1200 86400 1200
+@	NS	ns2.example.
diff --git a/bin/tests/system/dnssec/ns2/cds-update.secure.db.in b/bin/tests/system/dnssec/ns2/cds-update.secure.db.in
new file mode 100644
index 0000000..aa3aaab
--- /dev/null
+++ b/bin/tests/system/dnssec/ns2/cds-update.secure.db.in
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@	SOA	ns2.example. . 1 3600 1200 86400 1200
+@	NS	ns2.example.
diff --git a/bin/tests/system/dnssec/ns2/cds.secure.db.in b/bin/tests/system/dnssec/ns2/cds.secure.db.in
new file mode 100644
index 0000000..aa3aaab
--- /dev/null
+++ b/bin/tests/system/dnssec/ns2/cds.secure.db.in
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@	SOA	ns2.example. . 1 3600 1200 86400 1200
+@	NS	ns2.example.
diff --git a/bin/tests/system/dnssec/ns2/child.nsec3.example.db b/bin/tests/system/dnssec/ns2/child.nsec3.example.db
new file mode 100644
index 0000000..8fc3bc8
--- /dev/null
+++ b/bin/tests/system/dnssec/ns2/child.nsec3.example.db
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2006081400 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+@			IN NS	ns2.example.
diff --git a/bin/tests/system/dnssec/ns2/child.optout.example.db b/bin/tests/system/dnssec/ns2/child.optout.example.db
new file mode 100644
index 0000000..8fc3bc8
--- /dev/null
+++ b/bin/tests/system/dnssec/ns2/child.optout.example.db
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2006081400 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+@			IN NS	ns2.example.
diff --git a/bin/tests/system/dnssec/ns2/corp.db b/bin/tests/system/dnssec/ns2/corp.db
new file mode 100644
index 0000000..b2912bc
--- /dev/null
+++ b/bin/tests/system/dnssec/ns2/corp.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 30	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				30       ; minimum (1 hour)
+				)
+			NS	ns2
+ns2			A	10.53.0.2
+
+www			A	10.0.0.1
diff --git a/bin/tests/system/dnssec/ns2/dst.example.db.in b/bin/tests/system/dnssec/ns2/dst.example.db.in
new file mode 100644
index 0000000..0039484
--- /dev/null
+++ b/bin/tests/system/dnssec/ns2/dst.example.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2.example.
+a			A	10.0.0.1
diff --git a/bin/tests/system/dnssec/ns2/example.db.in b/bin/tests/system/dnssec/ns2/example.db.in
new file mode 100644
index 0000000..f711f58
--- /dev/null
+++ b/bin/tests/system/dnssec/ns2/example.db.in
@@ -0,0 +1,171 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+			NS	ns3
+ns2			A	10.53.0.2
+ns3			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+
+; Used for testing ANY queries
+foo			TXT	"testing"
+foo			A	10.0.1.0
+
+bad-cname		CNAME   a
+bad-dname		DNAME   @
+
+; Used for testing CNAME queries
+cname1			CNAME	cname1-target
+cname1-target		TXT	"testing cname"
+
+cname2			CNAME	cname2-target
+cname2-target		TXT	"testing cname"
+
+; Used for testing DNAME queries
+dname1			DNAME	dname1-target
+foo.dname1-target	TXT	"testing dname"
+
+dname2			DNAME	dname2-target
+foo.dname2-target	TXT	"testing dname"
+
+; A secure subdomain
+secure			NS	ns3.secure
+ns3.secure		A	10.53.0.3
+
+; An insecure subdomain
+insecure		NS	ns.insecure
+ns.insecure		A	10.53.0.3
+
+; A second insecure subdomain
+insecure2		NS	ns.insecure2
+ns.insecure2		A	10.53.0.3
+
+; A secure subdomain we're going to inject bogus data into
+bogus			NS	ns.bogus
+ns.bogus		A	10.53.0.3
+
+; A subdomain with a corrupt DS
+badds			NS	ns.badds
+ns.badds		A	10.53.0.3
+
+; A dynamic secure subdomain
+dynamic			NS	dynamic
+dynamic			A	10.53.0.3
+
+; A insecure subdomain
+mustbesecure		NS	ns.mustbesecure
+ns.mustbesecure		A	10.53.0.3
+
+; A subdomain with expired signatures
+expired			NS	ns.expired
+ns.expired		A	10.53.0.3
+
+; A rfc2535 signed zone w/ CNAME
+rfc2535			NS	ns.rfc2535
+ns.rfc2535		A	10.53.0.3
+
+z			A	10.0.0.26
+
+keyless			NS	ns.keyless
+ns.keyless		A	10.53.0.3
+
+nsec3			NS	ns.nsec3
+ns.nsec3		A	10.53.0.3
+
+optout			NS	ns.optout
+ns.optout		A	10.53.0.3
+
+nsec3-unknown		NS	ns.nsec3-unknown
+ns.nsec3-unknown	A	10.53.0.3
+
+optout-unknown		NS	ns.optout-unknown
+ns.optout-unknown	A	10.53.0.3
+
+dnskey-unknown		NS	ns.dnskey-unknown
+ns.dnskey-unknown	A	10.53.0.3
+
+dnskey-unsupported	NS	ns.dnskey-unsupported
+ns.dnskey-unsupported	A	10.53.0.3
+
+dnskey-nsec3-unknown	NS	ns.dnskey-nsec3-unknown
+ns.dnskey-nsec3-unknown	A	10.53.0.3
+
+multiple		NS	ns.multiple
+ns.multiple		A	10.53.0.3
+
+*.wild			A	10.0.0.27
+
+rsasha256		NS	ns.rsasha256
+ns.rsasha256		A	10.53.0.3
+
+rsasha512		NS	ns.rsasha512
+ns.rsasha512		A	10.53.0.3
+
+kskonly			NS	ns.kskonly
+ns.kskonly		A	10.53.0.3
+
+update-nsec3		NS	ns.update-nsec3
+ns.update-nsec3		A	10.53.0.3
+
+auto-nsec		NS	ns.auto-nsec
+ns.auto-nsec		A	10.53.0.3
+
+auto-nsec3		NS	ns.auto-nsec3
+ns.auto-nsec3		A	10.53.0.3
+
+
+below-cname		CNAME	some.where.else.
+
+insecure.below-cname	NS	ns.insecure.below-cname
+ns.insecure.below-cname	A	10.53.0.3
+
+secure.below-cname	NS	ns.secure.below-cname
+ns.secure.below-cname	A	10.53.0.3
+
+ttlpatch		NS	ns.ttlpatch
+ns.ttlpatch		A	10.53.0.3
+
+split-dnssec		NS	ns.split-dnssec
+ns.split-dnssec		A	10.53.0.3
+
+split-smart		NS	ns.split-smart
+ns.split-smart		A	10.53.0.3
+
+upper			NS	ns.upper
+ns.upper		A	10.53.0.3
+
+LOWER			NS	NS.LOWER
+NS.LOWER		A	10.53.0.3
+
+expiring                 NS      ns.expiring
+ns.expiring              A       10.53.0.3
+
+future			NS	ns.future
+ns.future		A	10.53.0.3
+
+managed-future		NS	ns.managed-future
+ns.managed-future	A	10.53.0.3
+
+revkey			NS	ns.revkey
+ns.revkey		A	10.53.0.3
+
+dname-at-apex-nsec3	NS	ns3
diff --git a/bin/tests/system/dnssec/ns2/hours-vs-days.db.in b/bin/tests/system/dnssec/ns2/hours-vs-days.db.in
new file mode 100644
index 0000000..5ec8801
--- /dev/null
+++ b/bin/tests/system/dnssec/ns2/hours-vs-days.db.in
@@ -0,0 +1,167 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+			NS	ns3
+ns2			A	10.53.0.2
+ns3			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+
+; Used for testing ANY queries
+foo			TXT	"testing"
+foo			A	10.0.1.0
+
+bad-cname		CNAME   a
+bad-dname		DNAME   @
+
+; Used for testing CNAME queries
+cname1			CNAME	cname1-target
+cname1-target		TXT	"testing cname"
+
+cname2			CNAME	cname2-target
+cname2-target		TXT	"testing cname"
+
+; Used for testing DNAME queries
+dname1			DNAME	dname1-target
+foo.dname1-target	TXT	"testing dname"
+
+dname2			DNAME	dname2-target
+foo.dname2-target	TXT	"testing dname"
+
+; A secure subdomain
+secure			NS	ns3.secure
+ns3.secure		A	10.53.0.3
+
+; An insecure subdomain
+insecure		NS	ns.insecure
+ns.insecure		A	10.53.0.3
+
+; A secure subdomain we're going to inject bogus data into
+bogus			NS	ns.bogus
+ns.bogus		A	10.53.0.3
+
+; A subdomain with a corrupt DS
+badds			NS	ns.badds
+ns.badds		A	10.53.0.3
+
+; A dynamic secure subdomain
+dynamic			NS	dynamic
+dynamic			A	10.53.0.3
+
+; A insecure subdomain
+mustbesecure		NS	ns.mustbesecure
+ns.mustbesecure		A	10.53.0.3
+
+; A subdomain with expired signatures
+expired			NS	ns.expired
+ns.expired		A	10.53.0.3
+
+; A rfc2535 signed zone w/ CNAME
+rfc2535			NS	ns.rfc2535
+ns.rfc2535		A	10.53.0.3
+
+z			A	10.0.0.26
+
+keyless			NS	ns.keyless
+ns.keyless		A	10.53.0.3
+
+nsec3			NS	ns.nsec3
+ns.nsec3		A	10.53.0.3
+
+optout			NS	ns.optout
+ns.optout		A	10.53.0.3
+
+nsec3-unknown		NS	ns.nsec3-unknown
+ns.nsec3-unknown	A	10.53.0.3
+
+optout-unknown		NS	ns.optout-unknown
+ns.optout-unknown	A	10.53.0.3
+
+dnskey-unknown		NS	ns.dnskey-unknown
+ns.dnskey-unknown	A	10.53.0.3
+
+dnskey-unsupported	NS	ns.dnskey-unsupported
+ns.dnskey-unsupported	A	10.53.0.3
+
+dnskey-nsec3-unknown	NS	ns.dnskey-nsec3-unknown
+ns.dnskey-nsec3-unknown	A	10.53.0.3
+
+multiple		NS	ns.multiple
+ns.multiple		A	10.53.0.3
+
+*.wild			A	10.0.0.27
+
+rsasha256		NS	ns.rsasha256
+ns.rsasha256		A	10.53.0.3
+
+rsasha512		NS	ns.rsasha512
+ns.rsasha512		A	10.53.0.3
+
+kskonly			NS	ns.kskonly
+ns.kskonly		A	10.53.0.3
+
+update-nsec3		NS	ns.update-nsec3
+ns.update-nsec3		A	10.53.0.3
+
+auto-nsec		NS	ns.auto-nsec
+ns.auto-nsec		A	10.53.0.3
+
+auto-nsec3		NS	ns.auto-nsec3
+ns.auto-nsec3		A	10.53.0.3
+
+
+below-cname		CNAME	some.where.else.
+
+insecure.below-cname	NS	ns.insecure.below-cname
+ns.insecure.below-cname	A	10.53.0.3
+
+secure.below-cname	NS	ns.secure.below-cname
+ns.secure.below-cname	A	10.53.0.3
+
+ttlpatch		NS	ns.ttlpatch
+ns.ttlpatch		A	10.53.0.3
+
+split-dnssec		NS	ns.split-dnssec
+ns.split-dnssec		A	10.53.0.3
+
+split-smart		NS	ns.split-smart
+ns.split-smart		A	10.53.0.3
+
+upper			NS	ns.upper
+ns.upper		A	10.53.0.3
+
+LOWER			NS	NS.LOWER
+NS.LOWER		A	10.53.0.3
+
+expiring                 NS      ns.expiring
+ns.expiring              A       10.53.0.3
+
+future			NS	ns.future
+ns.future		A	10.53.0.3
+
+managed-future		NS	ns.managed-future
+ns.managed-future	A	10.53.0.3
+
+revkey			NS	ns.revkey
+ns.revkey		A	10.53.0.3
+
+dname-at-apex-nsec3	NS	ns3
diff --git a/bin/tests/system/dnssec/ns2/in-addr.arpa.db.in b/bin/tests/system/dnssec/ns2/in-addr.arpa.db.in
new file mode 100644
index 0000000..874b915
--- /dev/null
+++ b/bin/tests/system/dnssec/ns2/in-addr.arpa.db.in
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@	SOA	ns2.example. . 1 3600 1200 86400 1200
+@	NS	ns2.example.
+;
+;	As we are testing empty zone behaviour ns3 doesn't need to be
+;	configured to serve 10.in-addr.arpa.
+;
+10	NS	ns3.example.
diff --git a/bin/tests/system/dnssec/ns2/insecure.secure.example.db b/bin/tests/system/dnssec/ns2/insecure.secure.example.db
new file mode 100644
index 0000000..62862f5
--- /dev/null
+++ b/bin/tests/system/dnssec/ns2/insecure.secure.example.db
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+ns2			A	10.53.0.2
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
diff --git a/bin/tests/system/dnssec/ns2/key.db.in b/bin/tests/system/dnssec/ns2/key.db.in
new file mode 100644
index 0000000..2ff5df4
--- /dev/null
+++ b/bin/tests/system/dnssec/ns2/key.db.in
@@ -0,0 +1,45 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+ns2			A	10.53.0.2
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+
+; A secure subdomain
+secure			NS	ns3.secure
+ns3.secure		A	10.53.0.3
+
+; A subdomain that is signed with an unsupported algorithm
+unsupported		NS	ns3.unsupported
+ns3.unsupported		A	10.53.0.3
+
+; A secure subdomain with a disabled algorithm
+disabled		NS	ns3.disabled
+ns3.disabled		A	10.53.0.3
+
+; A secure subdomain with a disabled algorithm, but not in bailiwick
+enabled			NS	ns3.enabled
+ns3.enabled		A	10.53.0.3
+
+; A secure subdomain with a revoked trust anchor
+revoked			NS	ns3.revoked
+ns3.revoked		A	10.53.0.3
diff --git a/bin/tests/system/dnssec/ns2/named.conf.in b/bin/tests/system/dnssec/ns2/named.conf.in
new file mode 100644
index 0000000..fbfd070
--- /dev/null
+++ b/bin/tests/system/dnssec/ns2/named.conf.in
@@ -0,0 +1,201 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	dnssec-validation yes;
+	notify-delay 1;
+	minimal-responses no;
+};
+
+key rndc_key {
+        secret "1234abcd8765";
+        algorithm hmac-sha256;
+};
+
+controls {
+        inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "trusted" {
+	type primary;
+	file "trusted.db.signed";
+};
+
+zone "managed" {
+	type primary;
+	file "managed.db.signed";
+};
+
+zone "example" {
+	type primary;
+	file "example.db.signed";
+	allow-update { any; };
+};
+
+zone "insecure.secure.example" {
+	type primary;
+	file "insecure.secure.example.db";
+	allow-update { any; };
+};
+
+zone "rfc2335.example" {
+	type primary;
+	file "rfc2335.example.db";
+};
+
+zone "child.nsec3.example" {
+	type primary;
+	file "child.nsec3.example.db";
+	allow-update { none; };
+};
+
+zone "child.optout.example" {
+	type primary;
+	file "child.optout.example.db";
+	allow-update { none; };
+};
+
+zone "badparam" {
+	type primary;
+	file "badparam.db.bad";
+};
+
+zone "single-nsec3" {
+	type primary;
+	file "single-nsec3.db.signed";
+};
+
+zone "algroll" {
+	type primary;
+	file "algroll.db.signed";
+};
+
+zone "nsec3chain-test" {
+	type primary;
+	file "nsec3chain-test.db.signed";
+	allow-update {any;};
+};
+
+zone "in-addr.arpa" {
+	type primary;
+	file "in-addr.arpa.db.signed";
+};
+
+zone "cds.secure" {
+	type primary;
+	file "cds.secure.db.signed";
+};
+
+zone "cds-x.secure" {
+	type primary;
+	file "cds-x.secure.db.signed";
+};
+
+zone "cds-update.secure" {
+	type primary;
+	file "cds-update.secure.db.signed";
+	allow-update { any; };
+};
+
+zone "cds-kskonly.secure" {
+	type primary;
+	dnssec-dnskey-kskonly yes;
+	file "cds-kskonly.secure.db.signed";
+	allow-update { any; };
+};
+
+zone "cds-auto.secure" {
+	type primary;
+	file "cds-auto.secure.db.signed";
+	auto-dnssec maintain;
+	allow-update { any; };
+};
+
+zone "cdnskey.secure" {
+	type primary;
+	file "cdnskey.secure.db.signed";
+};
+
+zone "cdnskey-x.secure" {
+	type primary;
+	file "cdnskey-x.secure.db.signed";
+};
+
+zone "cdnskey-update.secure" {
+	type primary;
+	file "cdnskey-update.secure.db.signed";
+	allow-update { any; };
+};
+
+zone "cdnskey-kskonly.secure" {
+	type primary;
+	dnssec-dnskey-kskonly yes;
+	file "cdnskey-kskonly.secure.db.signed";
+	allow-update { any; };
+};
+
+zone "cdnskey-auto.secure" {
+	type primary;
+	file "cdnskey-auto.secure.db.signed";
+	auto-dnssec maintain;
+	allow-update { any; };
+};
+
+zone "updatecheck-kskonly.secure" {
+	type primary;
+	auto-dnssec maintain;
+	key-directory ".";
+	dnssec-dnskey-kskonly yes;
+	update-check-ksk yes;
+	sig-validity-interval 10;
+	dnskey-sig-validity 40;
+	file "updatecheck-kskonly.secure.db.signed";
+	allow-update { any; };
+};
+
+zone "corp" {
+	type primary;
+	file "corp.db";
+};
+
+zone "hours-vs-days" {
+	type master;
+	file "hours-vs-days.db.signed";
+	auto-dnssec maintain;
+	/* validity 500 days, resign in 499 days */
+	sig-validity-interval 500 499;
+	allow-update { any; };
+};
+
+zone "too-many-iterations" {
+	type master;
+	file "too-many-iterations.db.signed";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/dnssec/ns2/private.secure.example.db.in b/bin/tests/system/dnssec/ns2/private.secure.example.db.in
new file mode 100644
index 0000000..94042ae
--- /dev/null
+++ b/bin/tests/system/dnssec/ns2/private.secure.example.db.in
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.2
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+private2secure-nxdomain	CNAME	r.example.
+*.wild			CNAME   s.example.
diff --git a/bin/tests/system/dnssec/ns2/rfc2335.example.db b/bin/tests/system/dnssec/ns2/rfc2335.example.db
new file mode 100644
index 0000000..78e9326
--- /dev/null
+++ b/bin/tests/system/dnssec/ns2/rfc2335.example.db
@@ -0,0 +1,114 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; File written on Fri Apr 30 12:19:15 2004
+; dnssec_signzone version 9.2.4rc3
+rfc2335.example.	300	IN SOA	mname1. . (
+					2000042407 ; serial
+					20         ; refresh (20 seconds)
+					20         ; retry (20 seconds)
+					1814400    ; expire (3 weeks)
+					3600       ; minimum (1 hour)
+					)
+			300	SIG	SOA 1 2 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					nGPJKIzF7X/hMJbZURRz59UeEi/6HRxCn9Er
+					GqSnpw0Ea9Yx5Axu6sLKnF7jXlkZ6NHMCIpJ
+					+Lv+FDHXTs/dQg== )
+			300	NS	ns.rfc2335.example.
+			300	SIG	NS 1 2 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					Q234AL9dJYMvxdWG33lpww6AJ3GplKp+ace7
+					MUaj0oqDdkx4DtJF2XaP2xcqq7kTOObdQ8ES
+					vVxNThqOx7LFzg== )
+			300	KEY	256 3 1 (
+					AQPZhzXIabI8y5ihWUw7F0WxN2MabnYWkOcV
+					Fn11NgaGSdjBSYPRMMwMCasD5N2KYPRUP83W
+					y8mj+ofcoW1FurcZ
+					) ; key id = 47799
+			300	NXT	a.rfc2335.example. NS SOA SIG KEY NXT
+			300	SIG	NXT 1 2 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					Y587mqNy6pBEfbsU6+weM2XRSqLwLwRT9Sl7
+					oNuOK9kV3TR4R2M54m2S0MgJCXbRAwU+fF8Q
+					UbZkSTVe2N8Nyg== )
+a.rfc2335.example.	300	IN A	10.0.0.1
+			300	SIG	A 1 3 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					FnfWrcw5ire8ut25504zti5l///BdDMUAkJZ
+					UCLFiTW4lBGMcq1pqz64zltDZXCgJ3xUeQ2i
+					nRt19/ZxO6Z1KA== )
+			300	NXT	b.rfc2335.example. A SIG NXT
+			300	SIG	NXT 1 3 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					R6SpC3ndMVg4u/eZaaUsXSuMHV/hZXeaM/Op
+					bJLAe3KxMiOHfb6XgLy7wflAiC1xt6A9bWpy
+					kTc5T5gfic33kA== )
+b.rfc2335.example.	300	IN A	10.0.0.2
+			300	SIG	A 1 3 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					zjRsYXMGyhDI6ipDtu8YXC9XPN+3hGamzzxL
+					8uPE/LPo+x19MNdbzEgWzlajAf1/mkSGr2jN
+					BDMVBA5NMKpwAA== )
+			300	NXT	d.rfc2335.example. A SIG NXT
+			300	SIG	NXT 1 3 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					aV87iZCYsC5Tqop827Zzb18TNqopGt0QynkR
+					gIF/lIHqZasNFRfaS1/nTnXdDKD8JS5IqxKb
+					oTJr5zswDAtCEw== )
+d.rfc2335.example.	300	IN A	10.0.0.4
+			300	SIG	A 1 3 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					NsKyvhUYZxTbOTBX4YwxTxevI5iGBpULKwmt
+					+D4l00ME4XRygOVmiqVDTT9dF1EgjDxOdfMT
+					hSjtCh5M1b2f6g== )
+			300	NXT	ns.rfc2335.example. A SIG NXT
+			300	SIG	NXT 1 3 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					OGqlvSDZIZdHYigh4UAFzXfPze7vcQfgj7sN
+					+cAeoh4BL1gpa00DqANCxowNCYluDk3ZCDwt
+					UHZEJa8ZjNvv4g== )
+ns.rfc2335.example.	300	IN A	10.53.0.3
+			300	SIG	A 1 3 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					T6ZGeUWflLTku8jO23x/TeAPeUl8t0I18FCh
+					qHUZaHomLQasQ2jlZQn6cLpFd2uFJkBNxZ0G
+					I39aG7G1bObXdA== )
+			300	NXT	x.rfc2335.example. A SIG NXT
+			300	SIG	NXT 1 3 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					l46mrf3/Ii5iRm3AiDjYeMg4ZXBgitHxXA2y
+					e/NhKpkxRRpCs7UQ94wT/RiSCjjK49E5FBe6
+					5bRxtWq0GI7zlg== )
+x.rfc2335.example.	300	IN CNAME a.rfc2335.example.
+			300	SIG	CNAME 1 3 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					L3IOluq+kboBd2gR2Mu54uJKCUzfmyHRiWKl
+					kfx+vuFr0I8mEHQRmJtouxNDrBzmzGp5vybK
+					SdabLWw0n6uQEA== )
+			300	NXT	z.rfc2335.example. CNAME SIG NXT
+			300	SIG	NXT 1 3 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					CBKoJSkZzdpwiON7JS4yPFY5VVeBjfT19x/O
+					vx+5UK1JZUNKhTXWWgW1er+JlLzNf4Ot40+l
+					z9HUTyaeS0eWyw== )
+z.rfc2335.example.	300	IN A	10.0.0.26
+			300	SIG	A 1 3 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					ccqjVHnehvVwlNNd4+7n/GzGlRjj+ul0gCT3
+					X3950LTccxHsOFyjNNm8v/Ho/aurSYdqXEjY
+					jwmjC6elwkzB7A== )
+			300	NXT	rfc2335.example. A SIG NXT
+			300	SIG	NXT 1 3 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					W42WoFyd9erysv8HjKo+CpHIH1x6+pAKwCDO
+					/hHnkEpQI3brewxl7cWOPYeA92Ns80Ody/ui
+					m2E28A5gnmWqPw== )
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
new file mode 100644
index 0000000..bb6c254
--- /dev/null
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -0,0 +1,333 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+# Sign child zones (served by ns3).
+( cd ../ns3 && $SHELL sign.sh )
+
+echo_i "ns2/sign.sh"
+
+# Get the DS records for the "trusted." and "managed." zones.
+for subdomain in secure unsupported disabled enabled
+do
+	cp "../ns3/dsset-$subdomain.managed$TP" .
+	cp "../ns3/dsset-$subdomain.trusted$TP" .
+done
+
+# Sign the "trusted." and "managed." zones.
+zone=managed.
+infile=key.db.in
+zonefile=managed.db
+
+keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone")
+keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone")
+
+cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
+
+"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
+
+zone=trusted.
+infile=key.db.in
+zonefile=trusted.db
+
+keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone")
+keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone")
+
+cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
+
+"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
+
+# The "example." zone.
+zone=example.
+infile=example.db.in
+zonefile=example.db
+
+# Get the DS records for the "example." zone.
+for subdomain in secure badds bogus dynamic keyless nsec3 optout \
+	nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \
+	kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \
+	ttlpatch split-dnssec split-smart expired expiring upper lower \
+	dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \
+	dnskey-nsec3-unknown managed-future revkey \
+	dname-at-apex-nsec3 occluded
+do
+	cp "../ns3/dsset-$subdomain.example$TP" .
+done
+
+# Sign the "example." zone.
+keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone")
+keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone")
+
+cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
+
+"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
+
+#
+# lower/uppercase the signature bits with the exception of the last characters
+# changing the last 4 characters will lead to a bad base64 encoding.
+#
+
+zonefiletmp=$(mktemp "$zonefile.XXXXXX") || exit 1
+"$CHECKZONE" -D -q -i local "$zone" "$zonefile.signed" |
+tr -d '\r' |
+awk '
+tolower($1) == "bad-cname.example." && $4 == "RRSIG" && $5 == "CNAME" {
+	for (i = 1; i <= NF; i++ ) {
+		if (i <= 12) {
+			printf("%s ", $i);
+			continue;
+		}
+		prefix = substr($i, 1, length($i) - 4);
+		suffix = substr($i, length($i) - 4, 4);
+		if (i > 12 && tolower(prefix) != prefix)
+			printf("%s%s", tolower(prefix), suffix);
+		else if (i > 12 && toupper(prefix) != prefix)
+			printf("%s%s", toupper(prefix), suffix);
+		else
+			printf("%s%s ", prefix, suffix);
+	}
+	printf("\n");
+	next;
+}
+
+tolower($1) == "bad-dname.example." && $4 == "RRSIG" && $5 == "DNAME" {
+	for (i = 1; i <= NF; i++ ) {
+		if (i <= 12) {
+			printf("%s ", $i);
+			continue;
+		}
+		prefix = substr($i, 1, length($i) - 4);
+		suffix = substr($i, length($i) - 4, 4);
+		if (i > 12 && tolower(prefix) != prefix)
+			printf("%s%s", tolower(prefix), suffix);
+		else if (i > 12 && toupper(prefix) != prefix)
+			printf("%s%s", toupper(prefix), suffix);
+		else
+			printf("%s%s ", prefix, suffix);
+	}
+	printf("\n");
+	next;
+}
+
+{ print; }' > "$zonefiletmp" && mv "$zonefiletmp" "$zonefile.signed"
+
+#
+# signed in-addr.arpa w/ a delegation for 10.in-addr.arpa which is unsigned.
+#
+zone=in-addr.arpa.
+infile=in-addr.arpa.db.in
+zonefile=in-addr.arpa.db
+
+keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
+"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
+
+# Sign the badparam secure file
+
+zone=badparam.
+infile=badparam.db.in
+zonefile=badparam.db
+
+keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
+
+"$SIGNER" -P -3 - -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
+
+sed -e 's/IN NSEC3 1 0 1 /IN NSEC3 1 0 10 /' "$zonefile.signed" > "$zonefile.bad"
+
+# Sign the single-nsec3 secure zone with optout
+
+zone=single-nsec3.
+infile=single-nsec3.db.in
+zonefile=single-nsec3.db
+
+keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
+
+"$SIGNER" -P -3 - -A -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
+
+#
+# algroll has just has the old DNSKEY records removed and is waiting
+# for them to be flushed from caches.  We still need to generate
+# RRSIGs for the old DNSKEY.
+#
+zone=algroll.
+infile=algroll.db.in
+zonefile=algroll.db
+
+keyold1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone")
+keyold2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone")
+keynew1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+keynew2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$keynew1.key" "$keynew2.key" > "$zonefile"
+
+"$SIGNER" -P -o "$zone" -k "$keyold1" -k "$keynew1" "$zonefile" "$keyold1" "$keyold2" "$keynew1" "$keynew2" > /dev/null 2>&1
+
+#
+# Make a zone big enough that it takes several seconds to generate a new
+# nsec3 chain.
+#
+zone=nsec3chain-test
+zonefile=nsec3chain-test.db
+cat > "$zonefile" << EOF
+\$TTL 10
+@	10	SOA	ns2 hostmaster 0 3600 1200 864000 1200
+@	10	NS	ns2
+@	10	NS	ns3
+ns2	10	A	10.53.0.2
+ns3	10	A	10.53.0.3
+EOF
+i=1
+while [ $i -le 300 ]; do
+    echo "host$i 10 IN NS ns.elsewhere"
+    i=$((i+1))
+done >> "$zonefile"
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+cat "$key1.key" "$key2.key" >> "$zonefile"
+"$SIGNER" -P -3 - -A -H 1 -g -o "$zone" -k "$key1" "$zonefile" "$key2" > /dev/null 2>&1
+
+zone=cds.secure
+infile=cds.secure.db.in
+zonefile=cds.secure.db
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+"$DSFROMKEY" -C "$key1.key" > "$key1.cds"
+cat "$infile" "$key1.key" "$key2.key" "$key1.cds" >$zonefile
+"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
+
+zone=cds-x.secure
+infile=cds.secure.db.in
+zonefile=cds-x.secure.db
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+"$DSFROMKEY" -C "$key2.key" > "$key2.cds"
+cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key2.cds" > "$zonefile"
+"$SIGNER" -P -g -x -o "$zone" "$zonefile" > /dev/null 2>&1
+
+zone=cds-update.secure
+infile=cds-update.secure.db.in
+zonefile=cds-update.secure.db
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
+"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
+
+zone=cds-kskonly.secure
+infile=cds-kskonly.secure.db.in
+zonefile=cds-kskonly.secure.db
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
+"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
+keyfile_to_key_id "$key1" > cds-kskonly.secure.id
+
+zone=cds-auto.secure
+infile=cds-auto.secure.db.in
+zonefile=cds-auto.secure.db
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+$SETTIME -P sync now "$key1" > /dev/null
+cat "$infile" > "$zonefile.signed"
+
+zone=cdnskey.secure
+infile=cdnskey.secure.db.in
+zonefile=cdnskey.secure.db
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds"
+cat "$infile" "$key1.key" "$key2.key" "$key1.cds" > "$zonefile"
+"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
+
+zone=cdnskey-x.secure
+infile=cdnskey.secure.db.in
+zonefile=cdnskey-x.secure.db
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds"
+cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key1.cds" > "$zonefile"
+"$SIGNER" -P -g -x -o "$zone" "$zonefile" > /dev/null 2>&1
+
+zone=cdnskey-update.secure
+infile=cdnskey-update.secure.db.in
+zonefile=cdnskey-update.secure.db
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
+"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
+
+zone=cdnskey-kskonly.secure
+infile=cdnskey-kskonly.secure.db.in
+zonefile=cdnskey-kskonly.secure.db
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
+"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
+keyfile_to_key_id "$key1" > cdnskey-kskonly.secure.id
+
+zone=cdnskey-auto.secure
+infile=cdnskey-auto.secure.db.in
+zonefile=cdnskey-auto.secure.db
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+$SETTIME -P sync now "$key1" > /dev/null
+cat "$infile" > "$zonefile.signed"
+
+zone=updatecheck-kskonly.secure
+infile=template.secure.db.in
+zonefile=${zone}.db
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+# Save key id's for checking active key usage
+keyfile_to_key_id "$key1" > $zone.ksk.id
+keyfile_to_key_id "$key2" > $zone.zsk.id
+echo "${key1}" > $zone.ksk.key
+echo "${key2}" > $zone.zsk.key
+# Add CDS and CDNSKEY records
+sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cdnskey"
+"$DSFROMKEY" -C "$key1.key" > "$key1.cds"
+cat "$infile" "$key1.key" "$key2.key" "$key1.cdnskey" "$key1.cds" > "$zonefile"
+# Don't sign, let auto-dnssec maintain do it.
+mv $zonefile "$zonefile.signed"
+
+zone=hours-vs-days
+infile=hours-vs-days.db.in
+zonefile=hours-vs-days.db
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+$SETTIME -P sync now "$key1" > /dev/null
+cat "$infile" > "$zonefile.signed"
+
+#
+# Negative result from this zone should come back as insecure.
+#
+zone=too-many-iterations
+infile=too-many-iterations.db.in
+zonefile=too-many-iterations.db
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
+"$SIGNER" -P -3 - -H too-many -g -o "$zone" "$zonefile" > /dev/null 2>&1
diff --git a/bin/tests/system/dnssec/ns2/single-nsec3.db.in b/bin/tests/system/dnssec/ns2/single-nsec3.db.in
new file mode 100644
index 0000000..b2e3c13
--- /dev/null
+++ b/bin/tests/system/dnssec/ns2/single-nsec3.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	ns2.example. . (
+				2010042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2.example.
+delegation		NS	ns3.example.
diff --git a/bin/tests/system/dnssec/ns2/template.secure.db.in b/bin/tests/system/dnssec/ns2/template.secure.db.in
new file mode 100644
index 0000000..aa3aaab
--- /dev/null
+++ b/bin/tests/system/dnssec/ns2/template.secure.db.in
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@	SOA	ns2.example. . 1 3600 1200 86400 1200
+@	NS	ns2.example.
diff --git a/bin/tests/system/dnssec/ns2/too-many-iterations.db.in b/bin/tests/system/dnssec/ns2/too-many-iterations.db.in
new file mode 100644
index 0000000..1527e07
--- /dev/null
+++ b/bin/tests/system/dnssec/ns2/too-many-iterations.db.in
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 30	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				30       ; minimum (1 hour)
+				)
+			NS	ns2
+ns2			A	10.53.0.2
+ns3			A	10.53.0.3
+
+a			A	10.0.0.1
+*.a			A	10.0.0.3
+b			A	10.0.0.2
+d			A	10.0.0.4
diff --git a/bin/tests/system/dnssec/ns3/auto-nsec.example.db.in b/bin/tests/system/dnssec/ns3/auto-nsec.example.db.in
new file mode 100644
index 0000000..a7792fd
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/auto-nsec.example.db.in
@@ -0,0 +1,40 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e	A	10.0.0.27
+x			CNAME	a
+
+private			NS	ns.private
+ns.private		A	10.53.0.2
+
+insecure		NS	ns.insecure
+ns.insecure		A	10.53.0.2
+
+nosoa 			NS	ns.nosoa
+ns.nosoa		A	10.53.0.7
+
+normalthenrrsig		A	10.0.0.28
+rrsigonly		A	10.0.0.29
diff --git a/bin/tests/system/dnssec/ns3/auto-nsec3.example.db.in b/bin/tests/system/dnssec/ns3/auto-nsec3.example.db.in
new file mode 100644
index 0000000..a7792fd
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/auto-nsec3.example.db.in
@@ -0,0 +1,40 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e	A	10.0.0.27
+x			CNAME	a
+
+private			NS	ns.private
+ns.private		A	10.53.0.2
+
+insecure		NS	ns.insecure
+ns.insecure		A	10.53.0.2
+
+nosoa 			NS	ns.nosoa
+ns.nosoa		A	10.53.0.7
+
+normalthenrrsig		A	10.0.0.28
+rrsigonly		A	10.0.0.29
diff --git a/bin/tests/system/dnssec/ns3/bogus.example.db.in b/bin/tests/system/dnssec/ns3/bogus.example.db.in
new file mode 100644
index 0000000..0feb441
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/bogus.example.db.in
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+c			A	10.0.0.3
+d			A	10.0.0.4
+z			A	10.0.0.26
diff --git a/bin/tests/system/dnssec/ns3/dname-at-apex-nsec3.example.db.in b/bin/tests/system/dnssec/ns3/dname-at-apex-nsec3.example.db.in
new file mode 100644
index 0000000..e758cdd
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/dname-at-apex-nsec3.example.db.in
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL	600
+@	SOA	ns3.example. . 1 1200 1200 1814400 3600
+@	NS	ns3.example.
+@	DNAME	example.
diff --git a/bin/tests/system/dnssec/ns3/dnskey-nsec3-unknown.example.db.in b/bin/tests/system/dnssec/ns3/dnskey-nsec3-unknown.example.db.in
new file mode 100644
index 0000000..f37dd75
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/dnskey-nsec3-unknown.example.db.in
@@ -0,0 +1,29 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a			A	10.0.0.3
+*.e			A	10.0.0.6
+child			NS	ns2.example.
diff --git a/bin/tests/system/dnssec/ns3/dnskey-unknown.example.db.in b/bin/tests/system/dnssec/ns3/dnskey-unknown.example.db.in
new file mode 100644
index 0000000..f37dd75
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/dnskey-unknown.example.db.in
@@ -0,0 +1,29 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a			A	10.0.0.3
+*.e			A	10.0.0.6
+child			NS	ns2.example.
diff --git a/bin/tests/system/dnssec/ns3/dnskey-unsupported-2.example.db.in b/bin/tests/system/dnssec/ns3/dnskey-unsupported-2.example.db.in
new file mode 100644
index 0000000..f37dd75
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/dnskey-unsupported-2.example.db.in
@@ -0,0 +1,29 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a			A	10.0.0.3
+*.e			A	10.0.0.6
+child			NS	ns2.example.
diff --git a/bin/tests/system/dnssec/ns3/dnskey-unsupported.example.db.in b/bin/tests/system/dnssec/ns3/dnskey-unsupported.example.db.in
new file mode 100644
index 0000000..f37dd75
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/dnskey-unsupported.example.db.in
@@ -0,0 +1,29 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a			A	10.0.0.3
+*.e			A	10.0.0.6
+child			NS	ns2.example.
diff --git a/bin/tests/system/dnssec/ns3/dynamic.example.db.in b/bin/tests/system/dnssec/ns3/dynamic.example.db.in
new file mode 100644
index 0000000..babf54c
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/dynamic.example.db.in
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This has the NS and glue at the apex because testing RT #2399
+; requires we have only one name in the zone at a certain point
+; during the test.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+@			NS	@
+@			A	10.53.0.3
diff --git a/bin/tests/system/dnssec/ns3/expired.example.db.in b/bin/tests/system/dnssec/ns3/expired.example.db.in
new file mode 100644
index 0000000..b7706d3
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/expired.example.db.in
@@ -0,0 +1,44 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+			MX	10 mx
+ns			A	10.53.0.3
+mx 		 	A 	10.0.0.30
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e	A	10.0.0.27
+x			CNAME	a
+
+private			NS	ns.private
+ns.private		A	10.53.0.2
+
+insecure		NS	ns.insecure
+ns.insecure		A	10.53.0.2
+
+nosoa 			NS	ns.nosoa
+ns.nosoa		A	10.53.0.7
+
+normalthenrrsig		A	10.0.0.28
+rrsigonly		A	10.0.0.29
+
+
diff --git a/bin/tests/system/dnssec/ns3/expiring.example.db.in b/bin/tests/system/dnssec/ns3/expiring.example.db.in
new file mode 100644
index 0000000..8acf7b1
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/expiring.example.db.in
@@ -0,0 +1,40 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+			MX	10 mx
+ns			A	10.53.0.3
+mx 		 	A 	10.0.0.30
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a			A	10.0.0.3
+*.wild			A	10.0.0.6
+child			NS	ns2.example.
+insecure		NS	ns.insecure
+ns.insecure 		A	10.53.0.3
+secure			NS	ns.secure
+ns.secure 		A	10.53.0.3
+nsec3			NS	ns.nsec3
+ns.nsec3 		A	10.53.0.3
+optout			NS	ns.optout
+ns.optout 		A	10.53.0.3
+02HC3EM7BDD011A0GMS3HKKJT2IF5VP8 A 10.0.0.17
diff --git a/bin/tests/system/dnssec/ns3/future.example.db.in b/bin/tests/system/dnssec/ns3/future.example.db.in
new file mode 100644
index 0000000..20c19c5
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/future.example.db.in
@@ -0,0 +1,40 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20	 ; refresh (20 seconds)
+				20	 ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a			A	10.0.0.3
+*.wild			A	10.0.0.6
+insecure		NS	ns.insecure
+ns.insecure		A	10.53.0.3
+secure			NS	ns.secure
+ns.secure		A	10.53.0.3
+nsec3			NS	ns.nsec3
+ns.nsec3		A	10.53.0.3
+optout			NS	ns.optout
+ns.optout		A	10.53.0.3
+child			NS	ns2.example.
+insecure.empty		NS	ns.insecure.empty
+ns.insecure.empty	A	10.53.0.3
+foo.*.empty-wild	NS	ns
diff --git a/bin/tests/system/dnssec/ns3/generic.example.db.in b/bin/tests/system/dnssec/ns3/generic.example.db.in
new file mode 100644
index 0000000..5cc3ecc
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/generic.example.db.in
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a.b			A	10.0.0.1
diff --git a/bin/tests/system/dnssec/ns3/inline.example.db b/bin/tests/system/dnssec/ns3/inline.example.db
new file mode 100644
index 0000000..14971bd
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/inline.example.db
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
diff --git a/bin/tests/system/dnssec/ns3/insecure.below-cname.example.db b/bin/tests/system/dnssec/ns3/insecure.below-cname.example.db
new file mode 100644
index 0000000..14971bd
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/insecure.below-cname.example.db
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
diff --git a/bin/tests/system/dnssec/ns3/insecure.example.db b/bin/tests/system/dnssec/ns3/insecure.example.db
new file mode 100644
index 0000000..76e3f47
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/insecure.example.db
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+x			DNSKEY	258 3 5 Cg==
+z			A	10.0.0.26
diff --git a/bin/tests/system/dnssec/ns3/insecure.nsec3.example.db b/bin/tests/system/dnssec/ns3/insecure.nsec3.example.db
new file mode 100644
index 0000000..14971bd
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/insecure.nsec3.example.db
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
diff --git a/bin/tests/system/dnssec/ns3/insecure.optout.example.db b/bin/tests/system/dnssec/ns3/insecure.optout.example.db
new file mode 100644
index 0000000..14971bd
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/insecure.optout.example.db
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
diff --git a/bin/tests/system/dnssec/ns3/insecure2.example.db b/bin/tests/system/dnssec/ns3/insecure2.example.db
new file mode 100644
index 0000000..76e3f47
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/insecure2.example.db
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+x			DNSKEY	258 3 5 Cg==
+z			A	10.0.0.26
diff --git a/bin/tests/system/dnssec/ns3/key.db.in b/bin/tests/system/dnssec/ns3/key.db.in
new file mode 100644
index 0000000..0165e3f
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/key.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns3
+ns3			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+c			A	10.0.0.3
+
diff --git a/bin/tests/system/dnssec/ns3/kskonly.example.db.in b/bin/tests/system/dnssec/ns3/kskonly.example.db.in
new file mode 100644
index 0000000..0b11a00
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/kskonly.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2009102722 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+x			CNAME	a
diff --git a/bin/tests/system/dnssec/ns3/lower.example.db.in b/bin/tests/system/dnssec/ns3/lower.example.db.in
new file mode 100644
index 0000000..a04793e
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/lower.example.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	MNAME1. . (
+				2012042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+@			NS	NS
+NS			A	10.53.0.3
diff --git a/bin/tests/system/dnssec/ns3/managed-future.example.db.in b/bin/tests/system/dnssec/ns3/managed-future.example.db.in
new file mode 100644
index 0000000..20c19c5
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/managed-future.example.db.in
@@ -0,0 +1,40 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20	 ; refresh (20 seconds)
+				20	 ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a			A	10.0.0.3
+*.wild			A	10.0.0.6
+insecure		NS	ns.insecure
+ns.insecure		A	10.53.0.3
+secure			NS	ns.secure
+ns.secure		A	10.53.0.3
+nsec3			NS	ns.nsec3
+ns.nsec3		A	10.53.0.3
+optout			NS	ns.optout
+ns.optout		A	10.53.0.3
+child			NS	ns2.example.
+insecure.empty		NS	ns.insecure.empty
+ns.insecure.empty	A	10.53.0.3
+foo.*.empty-wild	NS	ns
diff --git a/bin/tests/system/dnssec/ns3/multiple.example.db.in b/bin/tests/system/dnssec/ns3/multiple.example.db.in
new file mode 100644
index 0000000..f37dd75
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/multiple.example.db.in
@@ -0,0 +1,29 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a			A	10.0.0.3
+*.e			A	10.0.0.6
+child			NS	ns2.example.
diff --git a/bin/tests/system/dnssec/ns3/named.conf.in b/bin/tests/system/dnssec/ns3/named.conf.in
new file mode 100644
index 0000000..bd0771d
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/named.conf.in
@@ -0,0 +1,382 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	dnssec-validation yes;
+	session-keyfile "session.key";
+	minimal-responses no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "example" {
+	type secondary;
+	primaries { 10.53.0.2; };
+	file "example.bk";
+};
+
+zone "secure.example" {
+	type primary;
+	file "secure.example.db.signed";
+	allow-update { any; };
+};
+
+zone "bogus.example" {
+	type primary;
+	file "bogus.example.db.signed";
+	allow-update { any; };
+};
+
+zone "badds.example" {
+	type primary;
+	file "badds.example.db.signed";
+	allow-update { any; };
+};
+
+zone "dynamic.example" {
+	type primary;
+	file "dynamic.example.db.signed";
+	allow-update { any; };
+};
+
+zone "insecure.example" {
+	type primary;
+	file "insecure.example.db";
+	allow-update { any; };
+};
+
+zone "insecure2.example" {
+	type primary;
+	file "insecure2.example.db";
+	allow-update { any; };
+};
+
+zone "insecure.nsec3.example" {
+	type primary;
+	file "insecure.nsec3.example.db";
+	allow-update { any; };
+};
+
+zone "insecure.optout.example" {
+	type primary;
+	file "insecure.optout.example.db";
+	allow-update { any; };
+};
+
+zone "keyless.example" {
+	type primary;
+	file "keyless.example.db.signed";
+};
+
+zone "nsec3.example" {
+	type primary;
+	file "nsec3.example.db.signed";
+};
+
+zone "optout.nsec3.example" {
+	type primary;
+	file "optout.nsec3.example.db.signed";
+};
+
+zone "nsec3.nsec3.example" {
+	type primary;
+	file "nsec3.nsec3.example.db.signed";
+};
+
+zone "secure.nsec3.example" {
+	type primary;
+	file "secure.nsec3.example.db.signed";
+};
+
+zone "optout.example" {
+	type primary;
+	file "optout.example.db.signed";
+};
+
+zone "secure.optout.example" {
+	type primary;
+	file "secure.optout.example.db.signed";
+};
+
+zone "nsec3.optout.example" {
+	type primary;
+	file "nsec3.optout.example.db.signed";
+};
+
+zone "optout.optout.example" {
+	type primary;
+	file "optout.optout.example.db.signed";
+};
+
+zone "nsec3-unknown.example" {
+	type primary;
+	nsec3-test-zone yes;
+	file "nsec3-unknown.example.db.signed";
+};
+
+zone "optout-unknown.example" {
+	type primary;
+	nsec3-test-zone yes;
+	file "optout-unknown.example.db.signed";
+};
+
+zone "dnskey-unknown.example" {
+	type primary;
+	file "dnskey-unknown.example.db.signed";
+};
+
+zone "dnskey-unsupported.example" {
+	type primary;
+	file "dnskey-unsupported.example.db.signed";
+};
+
+zone "dnskey-unsupported-2.example" {
+	type primary;
+	file "dnskey-unsupported-2.example.db.signed";
+};
+
+zone "dnskey-nsec3-unknown.example" {
+	type primary;
+	nsec3-test-zone yes;
+	file "dnskey-nsec3-unknown.example.db.signed";
+};
+
+zone "multiple.example" {
+	type primary;
+	file "multiple.example.db.signed";
+	allow-update { any; };
+};
+
+zone "rfc2335.example" {
+	type secondary;
+	primaries { 10.53.0.2; };
+	file "rfc2335.example.bk";
+};
+
+zone "rsasha256.example" {
+	type primary;
+	file "rsasha256.example.db.signed";
+};
+
+zone "rsasha512.example" {
+	type primary;
+	file "rsasha512.example.db.signed";
+};
+
+zone "kskonly.example" {
+	type primary;
+	file "kskonly.example.db.signed";
+};
+
+zone "expired.example" {
+	type primary;
+	allow-update { none; };
+	file "expired.example.db.signed";
+};
+
+zone "update-nsec3.example" {
+	type primary;
+	allow-update { any; };
+	file "update-nsec3.example.db.signed";
+};
+
+zone "auto-nsec.example" {
+	type primary;
+	auto-dnssec maintain;
+	allow-update { !0.0.0.0; };
+	file "auto-nsec.example.db.signed";
+};
+
+zone "auto-nsec3.example" {
+	type primary;
+	auto-dnssec maintain;
+	allow-update { !0.0.0.0; };
+	file "auto-nsec3.example.db.signed";
+};
+
+zone "insecure.below-cname.example" {
+	type primary;
+	file "insecure.below-cname.example.db";
+};
+
+zone "secure.below-cname.example" {
+	type primary;
+	file "secure.below-cname.example.db.signed";
+};
+
+zone "ttlpatch.example" {
+	type primary;
+	file "ttlpatch.example.db.patched";
+};
+
+zone "split-dnssec.example" {
+	type primary;
+	file "split-dnssec.example.db";
+};
+
+zone "split-smart.example" {
+	type primary;
+	file "split-smart.example.db";
+};
+
+zone "nsec3chain-test" {
+	type secondary;
+	file "nsec3chain-test.bk";
+	primaries { 10.53.0.2; };
+};
+
+zone "expiring.example" {
+	type primary;
+	allow-update { any; };
+	file "expiring.example.db.signed";
+};
+
+zone "nosign.example" {
+	type primary;
+	allow-update { any; };
+	dnssec-update-mode no-resign;
+	file "nosign.example.db.signed";
+};
+
+zone "upper.example" {
+	type primary;
+	file "upper.example.db.signed";
+};
+
+zone "LOWER.EXAMPLE" {
+	type primary;
+	file "lower.example.db.signed";
+};
+
+zone "inline.example" {
+	type primary;
+	file "inline.example.db";
+	inline-signing yes;
+	auto-dnssec maintain;
+};
+
+zone "publish-inactive.example" {
+	type primary;
+	file "publish-inactive.example.db";
+	auto-dnssec maintain;
+	update-policy local;
+};
+
+zone "future.example" {
+	type primary;
+	file "future.example.db.signed";
+};
+
+zone "managed-future.example" {
+	type primary;
+	file "managed-future.example.db.signed";
+	allow-update { any; };
+};
+
+zone "revkey.example" {
+	type primary;
+	file "revkey.example.db.signed";
+};
+
+zone "dname-at-apex-nsec3.example" {
+	type primary;
+	file "dname-at-apex-nsec3.example.db.signed";
+};
+
+zone "occluded.example" {
+	type primary;
+	file "occluded.example.db.signed";
+};
+
+zone "secure.managed" {
+	type primary;
+	file "secure.managed.db.signed";
+};
+
+zone "disabled.managed" {
+	type primary;
+	file "disabled.managed.db.signed";
+};
+
+zone "enabled.managed" {
+	type primary;
+	file "enabled.managed.db.signed";
+};
+
+zone "unsupported.managed" {
+	type primary;
+	file "unsupported.managed.db.signed";
+};
+
+zone "revoked.managed" {
+	type primary;
+	file "revoked.managed.db.signed";
+};
+
+zone "secure.trusted" {
+	type primary;
+	file "secure.trusted.db.signed";
+};
+
+zone "disabled.trusted" {
+	type primary;
+	file "disabled.trusted.db.signed";
+};
+
+zone "enabled.trusted" {
+	type primary;
+	file "enabled.trusted.db.signed";
+};
+
+zone "unsupported.trusted" {
+	type primary;
+	file "unsupported.trusted.db.signed";
+};
+
+zone "revoked.trusted" {
+	type primary;
+	file "revoked.trusted.db.signed";
+};
+
+zone "too-many-iterations" {
+	type secondary;
+	primaries { 10.53.0.2; };
+	file "too-many-iterations.bk";
+};
+
+include "siginterval.conf";
+
+include "trusted.conf";
diff --git a/bin/tests/system/dnssec/ns3/nosign.example.db.in b/bin/tests/system/dnssec/ns3/nosign.example.db.in
new file mode 100644
index 0000000..2be8a28
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/nosign.example.db.in
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
diff --git a/bin/tests/system/dnssec/ns3/nsec3-unknown.example.db.in b/bin/tests/system/dnssec/ns3/nsec3-unknown.example.db.in
new file mode 100644
index 0000000..f37dd75
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/nsec3-unknown.example.db.in
@@ -0,0 +1,29 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a			A	10.0.0.3
+*.e			A	10.0.0.6
+child			NS	ns2.example.
diff --git a/bin/tests/system/dnssec/ns3/nsec3.example.db.in b/bin/tests/system/dnssec/ns3/nsec3.example.db.in
new file mode 100644
index 0000000..55b3877
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/nsec3.example.db.in
@@ -0,0 +1,38 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a			A	10.0.0.3
+*.wild			A	10.0.0.6
+child			NS	ns2.example.
+insecure		NS	ns.insecure
+ns.insecure 		A	10.53.0.3
+secure			NS	ns.secure
+ns.secure 		A	10.53.0.3
+nsec3			NS	ns.nsec3
+ns.nsec3 		A	10.53.0.3
+optout			NS	ns.optout
+ns.optout 		A	10.53.0.3
+02HC3EM7BDD011A0GMS3HKKJT2IF5VP8 A 10.0.0.17
diff --git a/bin/tests/system/dnssec/ns3/nsec3.nsec3.example.db.in b/bin/tests/system/dnssec/ns3/nsec3.nsec3.example.db.in
new file mode 100644
index 0000000..15fe621
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/nsec3.nsec3.example.db.in
@@ -0,0 +1,35 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e	A	10.0.0.27
+x			CNAME	a
+
+private			NS	ns.private
+ns.private		A	10.53.0.2
+
+insecure		NS	ns.insecure
+ns.insecure		A	10.53.0.2
+
diff --git a/bin/tests/system/dnssec/ns3/nsec3.optout.example.db.in b/bin/tests/system/dnssec/ns3/nsec3.optout.example.db.in
new file mode 100644
index 0000000..15fe621
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/nsec3.optout.example.db.in
@@ -0,0 +1,35 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e	A	10.0.0.27
+x			CNAME	a
+
+private			NS	ns.private
+ns.private		A	10.53.0.2
+
+insecure		NS	ns.insecure
+ns.insecure		A	10.53.0.2
+
diff --git a/bin/tests/system/dnssec/ns3/occluded.example.db.in b/bin/tests/system/dnssec/ns3/occluded.example.db.in
new file mode 100644
index 0000000..ee9c900
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/occluded.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a.b			A	10.0.0.1
+delegation		NS	ns
+			A	10.53.0.3
+			AAAA	2002::
diff --git a/bin/tests/system/dnssec/ns3/optout-unknown.example.db.in b/bin/tests/system/dnssec/ns3/optout-unknown.example.db.in
new file mode 100644
index 0000000..f37dd75
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/optout-unknown.example.db.in
@@ -0,0 +1,29 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a			A	10.0.0.3
+*.e			A	10.0.0.6
+child			NS	ns2.example.
diff --git a/bin/tests/system/dnssec/ns3/optout.example.db.in b/bin/tests/system/dnssec/ns3/optout.example.db.in
new file mode 100644
index 0000000..20c19c5
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/optout.example.db.in
@@ -0,0 +1,40 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20	 ; refresh (20 seconds)
+				20	 ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a			A	10.0.0.3
+*.wild			A	10.0.0.6
+insecure		NS	ns.insecure
+ns.insecure		A	10.53.0.3
+secure			NS	ns.secure
+ns.secure		A	10.53.0.3
+nsec3			NS	ns.nsec3
+ns.nsec3		A	10.53.0.3
+optout			NS	ns.optout
+ns.optout		A	10.53.0.3
+child			NS	ns2.example.
+insecure.empty		NS	ns.insecure.empty
+ns.insecure.empty	A	10.53.0.3
+foo.*.empty-wild	NS	ns
diff --git a/bin/tests/system/dnssec/ns3/optout.nsec3.example.db.in b/bin/tests/system/dnssec/ns3/optout.nsec3.example.db.in
new file mode 100644
index 0000000..15fe621
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/optout.nsec3.example.db.in
@@ -0,0 +1,35 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e	A	10.0.0.27
+x			CNAME	a
+
+private			NS	ns.private
+ns.private		A	10.53.0.2
+
+insecure		NS	ns.insecure
+ns.insecure		A	10.53.0.2
+
diff --git a/bin/tests/system/dnssec/ns3/optout.optout.example.db.in b/bin/tests/system/dnssec/ns3/optout.optout.example.db.in
new file mode 100644
index 0000000..15fe621
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/optout.optout.example.db.in
@@ -0,0 +1,35 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e	A	10.0.0.27
+x			CNAME	a
+
+private			NS	ns.private
+ns.private		A	10.53.0.2
+
+insecure		NS	ns.insecure
+ns.insecure		A	10.53.0.2
+
diff --git a/bin/tests/system/dnssec/ns3/publish-inactive.example.db.in b/bin/tests/system/dnssec/ns3/publish-inactive.example.db.in
new file mode 100644
index 0000000..14971bd
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/publish-inactive.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
diff --git a/bin/tests/system/dnssec/ns3/rsasha256.example.db.in b/bin/tests/system/dnssec/ns3/rsasha256.example.db.in
new file mode 100644
index 0000000..f6c4fab
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/rsasha256.example.db.in
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2009102722 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e	A	10.0.0.27
+x			CNAME	a
diff --git a/bin/tests/system/dnssec/ns3/rsasha512.example.db.in b/bin/tests/system/dnssec/ns3/rsasha512.example.db.in
new file mode 100644
index 0000000..f6c4fab
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/rsasha512.example.db.in
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2009102722 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e	A	10.0.0.27
+x			CNAME	a
diff --git a/bin/tests/system/dnssec/ns3/secure.below-cname.example.db.in b/bin/tests/system/dnssec/ns3/secure.below-cname.example.db.in
new file mode 100644
index 0000000..14971bd
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/secure.below-cname.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
diff --git a/bin/tests/system/dnssec/ns3/secure.example.db.in b/bin/tests/system/dnssec/ns3/secure.example.db.in
new file mode 100644
index 0000000..ec39308
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/secure.example.db.in
@@ -0,0 +1,49 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns3
+ns3			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+c			A	10.0.0.3
+d			A	10.0.0.4
+e			A	10.0.0.5
+f			A	10.0.0.6
+g			A	10.0.0.7
+z			A	10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e	A	10.0.0.27
+x			CNAME	a
+zz			DNSKEY	258 3 5 Cg==
+
+private			NS	ns.private
+ns.private		A	10.53.0.2
+
+insecure		NS	ns2.insecure
+ns2.insecure		A	10.53.0.2
+
+nosoa 			NS	ns.nosoa
+ns.nosoa		A	10.53.0.7
+
+normalthenrrsig		A	10.0.0.28
+rrsigonly		A	10.0.0.29
+
+cnameandkey		CNAME	@
+cnamenokey		CNAME	@
+dnameandkey		DNAME	@
diff --git a/bin/tests/system/dnssec/ns3/secure.nsec3.example.db.in b/bin/tests/system/dnssec/ns3/secure.nsec3.example.db.in
new file mode 100644
index 0000000..15fe621
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/secure.nsec3.example.db.in
@@ -0,0 +1,35 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e	A	10.0.0.27
+x			CNAME	a
+
+private			NS	ns.private
+ns.private		A	10.53.0.2
+
+insecure		NS	ns.insecure
+ns.insecure		A	10.53.0.2
+
diff --git a/bin/tests/system/dnssec/ns3/secure.optout.example.db.in b/bin/tests/system/dnssec/ns3/secure.optout.example.db.in
new file mode 100644
index 0000000..15fe621
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/secure.optout.example.db.in
@@ -0,0 +1,35 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e	A	10.0.0.27
+x			CNAME	a
+
+private			NS	ns.private
+ns.private		A	10.53.0.2
+
+insecure		NS	ns.insecure
+ns.insecure		A	10.53.0.2
+
diff --git a/bin/tests/system/dnssec/ns3/siginterval.example.db.in b/bin/tests/system/dnssec/ns3/siginterval.example.db.in
new file mode 100644
index 0000000..ec6603a
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/siginterval.example.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2012042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+@			NS	ns
+ns			A	10.53.0.3
diff --git a/bin/tests/system/dnssec/ns3/siginterval1.conf b/bin/tests/system/dnssec/ns3/siginterval1.conf
new file mode 100644
index 0000000..4674cf3
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/siginterval1.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "siginterval.example" {
+	type primary;
+	allow-update { any; };
+	sig-validity-interval 1 23;
+	dnskey-sig-validity 90;
+	auto-dnssec maintain;
+	file "siginterval.example.db";
+};
diff --git a/bin/tests/system/dnssec/ns3/siginterval2.conf b/bin/tests/system/dnssec/ns3/siginterval2.conf
new file mode 100644
index 0000000..46a2007
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/siginterval2.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "siginterval.example" {
+	type primary;
+	allow-update { any; };
+	sig-validity-interval 35 28;
+	dnskey-sig-validity 90;
+	auto-dnssec maintain;
+	file "siginterval.example.db";
+};
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
new file mode 100644
index 0000000..aba74be
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -0,0 +1,673 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+echo_i "ns3/sign.sh"
+
+infile=key.db.in
+for tld in managed trusted
+do
+	# A secure zone to test.
+	zone=secure.${tld}
+	zonefile=${zone}.db
+
+	keyname1=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+	cat "$infile" "$keyname1.key" > "$zonefile"
+	"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null
+
+	# Zone to test trust anchor that matches disabled algorithm.
+	zone=disabled.${tld}
+	zonefile=${zone}.db
+
+	keyname2=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone")
+	cat "$infile" "$keyname2.key" > "$zonefile"
+	"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null
+
+	# Zone to test trust anchor that has disabled algorithm for other domain.
+	zone=enabled.${tld}
+	zonefile=${zone}.db
+
+	keyname3=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone")
+	cat "$infile" "$keyname3.key" > "$zonefile"
+	"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null
+
+	# Zone to test trust anchor with unsupported algorithm.
+	zone=unsupported.${tld}
+	zonefile=${zone}.db
+
+	keyname4=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+	cat "$infile" "$keyname4.key" > "$zonefile"
+	"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null
+	awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp > ${zonefile}.signed
+
+	# Make trusted-keys and managed keys conf sections for ns8.
+	mv ${keyname4}.key ${keyname4}.tmp
+	awk '$1 == "unsupported.'"${tld}"'." { $6 = 255 } { print }' ${keyname4}.tmp > ${keyname4}.key
+
+	# Zone to test trust anchor that is revoked.
+	zone=revoked.${tld}
+	zonefile=${zone}.db
+
+	keyname5=$("$KEYGEN" -f KSK -f REVOKE -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+	cat "$infile" "$keyname5.key" > "$zonefile"
+	"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null
+
+	case $tld in
+	"managed")
+		keyfile_to_initial_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 > ../ns8/managed.conf
+		;;
+	"trusted")
+		keyfile_to_static_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 > ../ns8/trusted.conf
+		;;
+	esac
+done
+
+echo_i "ns3/sign.sh: example zones"
+
+zone=secure.example.
+infile=secure.example.db.in
+zonefile=secure.example.db
+
+cnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n host "cnameandkey.$zone")
+dnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n host "dnameandkey.$zone")
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" > "$zonefile"
+
+"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
+
+zone=bogus.example.
+infile=bogus.example.db.in
+zonefile=bogus.example.db
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$keyname.key" > "$zonefile"
+
+"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
+
+zone=dynamic.example.
+infile=dynamic.example.db.in
+zonefile=dynamic.example.db
+
+keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+
+cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
+
+"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
+
+zone=keyless.example.
+infile=generic.example.db.in
+zonefile=keyless.example.db
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$keyname.key" > "$zonefile"
+
+"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
+
+# Change the signer field of the a.b.keyless.example RRSIG A
+# to point to a provably nonexistent DNSKEY record.
+zonefiletmp=$(mktemp "$zonefile.XXXXXX") || exit 1
+mv "$zonefile.signed" "$zonefiletmp"
+<"$zonefiletmp" "$PERL" -p -e 's/ keyless.example/ b.keyless.example/
+    if /^a.b.keyless.example/../A RRSIG NSEC/;' > "$zonefile.signed"
+rm -f "$zonefiletmp"
+
+#
+#  NSEC3/NSEC test zone
+#
+zone=secure.nsec3.example.
+infile=secure.nsec3.example.db.in
+zonefile=secure.nsec3.example.db
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$keyname.key" > "$zonefile"
+
+"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
+
+#
+#  NSEC3/NSEC3 test zone
+#
+zone=nsec3.nsec3.example.
+infile=nsec3.nsec3.example.db.in
+zonefile=nsec3.nsec3.example.db
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$keyname.key" > "$zonefile"
+
+"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
+
+#
+#  OPTOUT/NSEC3 test zone
+#
+zone=optout.nsec3.example.
+infile=optout.nsec3.example.db.in
+zonefile=optout.nsec3.example.db
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$keyname.key" > "$zonefile"
+
+"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" > /dev/null
+
+#
+# A nsec3 zone (non-optout).
+#
+zone=nsec3.example.
+infile=nsec3.example.db.in
+zonefile=nsec3.example.db
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$keyname.key" > "$zonefile"
+
+"$SIGNER" -P -g -3 - -o "$zone" "$zonefile" > /dev/null
+
+#
+#  OPTOUT/NSEC test zone
+#
+zone=secure.optout.example.
+infile=secure.optout.example.db.in
+zonefile=secure.optout.example.db
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$keyname.key" > "$zonefile"
+
+"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
+
+#
+#  OPTOUT/NSEC3 test zone
+#
+zone=nsec3.optout.example.
+infile=nsec3.optout.example.db.in
+zonefile=nsec3.optout.example.db
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$keyname.key" > "$zonefile"
+
+"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
+
+#
+#  OPTOUT/OPTOUT test zone
+#
+zone=optout.optout.example.
+infile=optout.optout.example.db.in
+zonefile=optout.optout.example.db
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$keyname.key" > "$zonefile"
+
+"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" > /dev/null
+
+#
+# A optout nsec3 zone.
+#
+zone=optout.example.
+infile=optout.example.db.in
+zonefile=optout.example.db
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$keyname.key" > "$zonefile"
+
+"$SIGNER" -P -g -3 - -A -o "$zone" "$zonefile" > /dev/null
+
+#
+# A nsec3 zone (non-optout) with unknown nsec3 hash algorithm (-U).
+#
+zone=nsec3-unknown.example.
+infile=nsec3-unknown.example.db.in
+zonefile=nsec3-unknown.example.db
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$keyname.key" > "$zonefile"
+
+"$SIGNER" -P -3 - -U -o "$zone" "$zonefile" > /dev/null
+
+#
+# A optout nsec3 zone with a unknown nsec3 hash algorithm (-U).
+#
+zone=optout-unknown.example.
+infile=optout-unknown.example.db.in
+zonefile=optout-unknown.example.db
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$keyname.key" > "$zonefile"
+
+"$SIGNER" -P -3 - -U -A -o "$zone" "$zonefile" > /dev/null
+
+#
+# A zone that is signed with an unknown DNSKEY algorithm.
+# Algorithm 7 is replaced by 100 in the zone and dsset.
+#
+zone=dnskey-unknown.example
+infile=dnskey-unknown.example.db.in
+zonefile=dnskey-unknown.example.db
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$keyname.key" > "$zonefile"
+
+"$SIGNER" -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null
+
+awk '$4 == "DNSKEY" { $7 = 100 } $4 == "RRSIG" { $6 = 100 } { print }' ${zonefile}.tmp > ${zonefile}.signed
+
+DSFILE="dsset-${zone}${TP}"
+$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE"
+
+#
+# A zone that is signed with an unsupported DNSKEY algorithm (3).
+# Algorithm 7 is replaced by 255 in the zone and dsset.
+#
+zone=dnskey-unsupported.example
+infile=dnskey-unsupported.example.db.in
+zonefile=dnskey-unsupported.example.db
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$keyname.key" > "$zonefile"
+
+"$SIGNER" -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null
+
+awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp > ${zonefile}.signed
+
+DSFILE="dsset-${zone}${TP}"
+$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE"
+
+#
+# A zone with a published unsupported DNSKEY algorithm (Reserved).
+# Different from above because this key is not intended for signing.
+#
+zone=dnskey-unsupported-2.example
+infile=dnskey-unsupported-2.example.db.in
+zonefile=dnskey-unsupported-2.example.db
+
+ksk=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key > "$zonefile"
+
+"$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null
+
+#
+# A zone with a unknown DNSKEY algorithm + unknown NSEC3 hash algorithm (-U).
+# Algorithm 7 is replaced by 100 in the zone and dsset.
+#
+zone=dnskey-nsec3-unknown.example
+infile=dnskey-nsec3-unknown.example.db.in
+zonefile=dnskey-nsec3-unknown.example.db
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$keyname.key" > "$zonefile"
+
+"$SIGNER" -P -3 - -o "$zone" -U -O full -f ${zonefile}.tmp "$zonefile" > /dev/null
+
+awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp > ${zonefile}.signed
+
+DSFILE="dsset-${zone}${TP}"
+$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE"
+
+#
+# A multiple parameter nsec3 zone.
+#
+zone=multiple.example.
+infile=multiple.example.db.in
+zonefile=multiple.example.db
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$keyname.key" > "$zonefile"
+
+"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
+mv "$zonefile".signed "$zonefile"
+"$SIGNER" -P -u3 - -o "$zone" "$zonefile" > /dev/null
+mv "$zonefile".signed "$zonefile"
+"$SIGNER" -P -u3 AAAA -o "$zone" "$zonefile" > /dev/null
+mv "$zonefile".signed "$zonefile"
+"$SIGNER" -P -u3 BBBB -o "$zone" "$zonefile" > /dev/null
+mv "$zonefile".signed "$zonefile"
+"$SIGNER" -P -u3 CCCC -o "$zone" "$zonefile" > /dev/null
+mv "$zonefile".signed "$zonefile"
+"$SIGNER" -P -u3 DDDD -o "$zone" "$zonefile" > /dev/null
+
+#
+# A RSASHA256 zone.
+#
+zone=rsasha256.example.
+infile=rsasha256.example.db.in
+zonefile=rsasha256.example.db
+
+keyname=$("$KEYGEN" -q -a RSASHA256 -n zone "$zone")
+
+cat "$infile" "$keyname.key" > "$zonefile"
+
+"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
+
+#
+# A RSASHA512 zone.
+#
+zone=rsasha512.example.
+infile=rsasha512.example.db.in
+zonefile=rsasha512.example.db
+
+keyname=$("$KEYGEN" -q -a RSASHA512 -n zone "$zone")
+
+cat "$infile" "$keyname.key" > "$zonefile"
+
+"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
+
+#
+# A zone with the DNSKEY set only signed by the KSK
+#
+zone=kskonly.example.
+infile=kskonly.example.db.in
+zonefile=kskonly.example.db
+
+kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
+"$SIGNER" -x -o "$zone" "$zonefile" > /dev/null
+
+#
+# A zone with the expired signatures
+#
+zone=expired.example.
+infile=expired.example.db.in
+zonefile=expired.example.db
+
+kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
+zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
+"$SIGNER" -P -o "$zone" -s -1d -e +1h "$zonefile" > /dev/null
+rm -f "$kskname.*" "$zskname.*"
+
+#
+# A NSEC3 signed zone that will have a DNSKEY added to it via UPDATE.
+#
+zone=update-nsec3.example.
+infile=update-nsec3.example.db.in
+zonefile=update-nsec3.example.db
+
+kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
+zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
+"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
+
+#
+# A NSEC signed zone that will have auto-dnssec enabled and
+# extra keys not in the initial signed zone.
+#
+zone=auto-nsec.example.
+infile=auto-nsec.example.db.in
+zonefile=auto-nsec.example.db
+
+kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
+zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
+zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
+"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
+
+#
+# A NSEC3 signed zone that will have auto-dnssec enabled and
+# extra keys not in the initial signed zone.
+#
+zone=auto-nsec3.example.
+infile=auto-nsec3.example.db.in
+zonefile=auto-nsec3.example.db
+
+kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
+zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
+zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
+"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
+
+#
+# Secure below cname test zone.
+#
+zone=secure.below-cname.example.
+infile=secure.below-cname.example.db.in
+zonefile=secure.below-cname.example.db
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+cat "$infile" "$keyname.key" > "$zonefile"
+"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
+
+#
+# Patched TTL test zone.
+#
+zone=ttlpatch.example.
+infile=ttlpatch.example.db.in
+zonefile=ttlpatch.example.db
+signedfile=ttlpatch.example.db.signed
+patchedfile=ttlpatch.example.db.patched
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+cat "$infile" "$keyname.key" > "$zonefile"
+
+"$SIGNER" -P -f $signedfile -o "$zone" "$zonefile" > /dev/null
+$CHECKZONE -D -s full "$zone" $signedfile 2> /dev/null | \
+    awk '{$2 = "3600"; print}' > $patchedfile
+
+#
+# Separate DNSSEC records.
+#
+zone=split-dnssec.example.
+infile=split-dnssec.example.db.in
+zonefile=split-dnssec.example.db
+signedfile=split-dnssec.example.db.signed
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+cat "$infile" "$keyname.key" > "$zonefile"
+echo "\$INCLUDE \"$signedfile\"" >> "$zonefile"
+: > "$signedfile"
+"$SIGNER" -P -D -o "$zone" "$zonefile" > /dev/null
+
+#
+# Separate DNSSEC records smart signing.
+#
+zone=split-smart.example.
+infile=split-smart.example.db.in
+zonefile=split-smart.example.db
+signedfile=split-smart.example.db.signed
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+cp "$infile" "$zonefile"
+# shellcheck disable=SC2016
+echo "\$INCLUDE \"$signedfile\"" >> "$zonefile"
+: > "$signedfile"
+"$SIGNER" -P -S -D -o "$zone" "$zonefile" > /dev/null
+
+#
+# Zone with signatures about to expire, but no private key to replace them
+#
+zone="expiring.example."
+infile="expiring.example.db.in"
+zonefile="expiring.example.db"
+signedfile="expiring.example.db.signed"
+kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+cp "$infile" "$zonefile"
+"$SIGNER" -S -e now+1mi -o "$zone" "$zonefile" > /dev/null
+mv -f "${zskname}.private" "${zskname}.private.moved"
+mv -f "${kskname}.private" "${kskname}.private.moved"
+
+#
+# A zone where the signer's name has been forced to uppercase.
+#
+zone="upper.example."
+infile="upper.example.db.in"
+zonefile="upper.example.db"
+lower="upper.example.db.lower"
+signedfile="upper.example.db.signed"
+kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+cp "$infile" "$zonefile"
+"$SIGNER" -P -S -o "$zone" -f $lower "$zonefile" > /dev/null
+$CHECKZONE -D upper.example $lower 2>/dev/null | \
+	sed '/RRSIG/s/ upper.example. / UPPER.EXAMPLE. /' > $signedfile
+
+#
+# Check that the signer's name is in lower case when zone name is in
+# upper case.
+#
+zone="LOWER.EXAMPLE."
+infile="lower.example.db.in"
+zonefile="lower.example.db"
+signedfile="lower.example.db.signed"
+kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+cp "$infile" "$zonefile"
+"$SIGNER" -P -S -o "$zone" "$zonefile" > /dev/null
+
+#
+# Zone with signatures about to expire, and dynamic, but configured
+# not to resign with 'auto-resign no;'
+#
+zone="nosign.example."
+infile="nosign.example.db.in"
+zonefile="nosign.example.db"
+signedfile="nosign.example.db.signed"
+kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+cp "$infile" "$zonefile"
+"$SIGNER" -S -e "now+1mi" -o "$zone" "$zonefile" > /dev/null
+# preserve a normalized copy of the NS RRSIG for comparison later
+$CHECKZONE -D nosign.example nosign.example.db.signed 2>/dev/null | \
+        awk '$4 == "RRSIG" && $5 == "NS" {$2 = ""; print}' | \
+        sed 's/[ 	][ 	]*/ /g'> ../nosign.before
+
+#
+# An inline signing zone
+#
+zone=inline.example.
+kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
+zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+
+#
+# publish a new key while deactivating another key at the same time.
+#
+zone=publish-inactive.example
+infile=publish-inactive.example.db.in
+zonefile=publish-inactive.example.db
+now=$(date -u +%Y%m%d%H%M%S)
+kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+kskname=$("$KEYGEN" -P "$now+90s" -A "$now+3600s" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+kskname=$("$KEYGEN" -I "$now+90s" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+cp "$infile" "$zonefile"
+"$SIGNER" -S -o "$zone" "$zonefile" > /dev/null
+
+#
+# A zone which will change its sig-validity-interval
+#
+zone=siginterval.example
+infile=siginterval.example.db.in
+zonefile=siginterval.example.db
+kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
+zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+cp "$infile" "$zonefile"
+
+#
+# A zone with a bad DS in the parent
+# (sourced from bogus.example.db.in)
+#
+zone=badds.example.
+infile=bogus.example.db.in
+zonefile=badds.example.db
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$keyname.key" > "$zonefile"
+
+"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
+sed -e 's/bogus/badds/g' < dsset-bogus.example$TP > dsset-badds.example$TP
+
+#
+# A zone with future signatures.
+#
+zone=future.example
+infile=future.example.db.in
+zonefile=future.example.db
+kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
+"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" > /dev/null
+cp -f "$kskname.key" trusted-future.key
+
+#
+# A zone with future signatures.
+#
+zone=managed-future.example
+infile=managed-future.example.db.in
+zonefile=managed-future.example.db
+kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
+"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" > /dev/null
+
+#
+# A zone with a revoked key
+#
+zone=revkey.example.
+infile=generic.example.db.in
+zonefile=revkey.example.db
+
+ksk1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -3fk "$zone")
+ksk1=$("$REVOKE" "$ksk1")
+ksk2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -3fk "$zone")
+zsk1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -3 "$zone")
+
+cat "$infile" "${ksk1}.key" "${ksk2}.key" "${zsk1}.key" > "$zonefile"
+"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
+
+#
+# Check that NSEC3 are correctly signed and returned from below a DNAME
+#
+zone=dname-at-apex-nsec3.example
+infile=dname-at-apex-nsec3.example.db.in
+zonefile=dname-at-apex-nsec3.example.db
+
+kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -3fk "$zone")
+zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -3 "$zone")
+cat "$infile" "${kskname}.key" "${zskname}.key" >"$zonefile"
+"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
+
+#
+# A NSEC zone with occuded data at the delegation
+#
+zone=occluded.example
+infile=occluded.example.db.in
+zonefile=occluded.example.db
+kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -fk "$zone")
+zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" "$zone")
+dnskeyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -fk "delegation.$zone")
+keyname=$("$KEYGEN" -q -a DH -b 1024 -n HOST -T KEY "delegation.$zone")
+$DSFROMKEY "$dnskeyname.key" > "dsset-delegation.${zone}$TP"
+cat "$infile" "${kskname}.key" "${zskname}.key" "${keyname}.key" \
+    "${dnskeyname}.key" "dsset-delegation.${zone}$TP" >"$zonefile"
+"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
diff --git a/bin/tests/system/dnssec/ns3/split-dnssec.example.db.in b/bin/tests/system/dnssec/ns3/split-dnssec.example.db.in
new file mode 100644
index 0000000..55b3877
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/split-dnssec.example.db.in
@@ -0,0 +1,38 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a			A	10.0.0.3
+*.wild			A	10.0.0.6
+child			NS	ns2.example.
+insecure		NS	ns.insecure
+ns.insecure 		A	10.53.0.3
+secure			NS	ns.secure
+ns.secure 		A	10.53.0.3
+nsec3			NS	ns.nsec3
+ns.nsec3 		A	10.53.0.3
+optout			NS	ns.optout
+ns.optout 		A	10.53.0.3
+02HC3EM7BDD011A0GMS3HKKJT2IF5VP8 A 10.0.0.17
diff --git a/bin/tests/system/dnssec/ns3/split-smart.example.db.in b/bin/tests/system/dnssec/ns3/split-smart.example.db.in
new file mode 100644
index 0000000..55b3877
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/split-smart.example.db.in
@@ -0,0 +1,38 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a			A	10.0.0.3
+*.wild			A	10.0.0.6
+child			NS	ns2.example.
+insecure		NS	ns.insecure
+ns.insecure 		A	10.53.0.3
+secure			NS	ns.secure
+ns.secure 		A	10.53.0.3
+nsec3			NS	ns.nsec3
+ns.nsec3 		A	10.53.0.3
+optout			NS	ns.optout
+ns.optout 		A	10.53.0.3
+02HC3EM7BDD011A0GMS3HKKJT2IF5VP8 A 10.0.0.17
diff --git a/bin/tests/system/dnssec/ns3/ttlpatch.example.db.in b/bin/tests/system/dnssec/ns3/ttlpatch.example.db.in
new file mode 100644
index 0000000..14971bd
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/ttlpatch.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
diff --git a/bin/tests/system/dnssec/ns3/unsupported-algorithm.key b/bin/tests/system/dnssec/ns3/unsupported-algorithm.key
new file mode 100644
index 0000000..cc8bb9a
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/unsupported-algorithm.key
@@ -0,0 +1 @@
+dnskey-unsupported-2.example.	IN	DNSKEY	257 3 255 BJ0eV4dQC0pihdFXiVdlXjPDkzbv4fC+opEvK0RaDU7LLwFXPAi6DOc6tm7vcSr5Tgdnpoal3S4WqHuVw6I1pzy5mPPIZ3OpLSY/QeOyGc2QRAZtOXxiGxERHRjyAk7emlgGscM0Vty2oJVYRgTPX0lTwKX/V2H+mjEgp7u3tyG3cj5XBUQ8J0KUoqkrn1ZKrizH27aWiDaBUvqxJUcotaDhnydkNtcHoQIedm2b4qbyTQsdRkddJiSWxpveEcj3AMdt2PjU6Q4rgSWOc5ylPnW/O+GqqCEAkalGSF7ud0Nl3FVVR9iGwV/73FHzpBLawfkcHaODFmKRjzGqok8giKCih2vdNsxlx7gdJWJIPYYx/ZqNGc2ewzuAnnleJpZdXFo8uL3HYk6Pl51sSkfVUmcn/SM+ ;{id = 38688 (ksk), size = 768b}
diff --git a/bin/tests/system/dnssec/ns3/update-nsec3.example.db.in b/bin/tests/system/dnssec/ns3/update-nsec3.example.db.in
new file mode 100644
index 0000000..a7792fd
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/update-nsec3.example.db.in
@@ -0,0 +1,40 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e	A	10.0.0.27
+x			CNAME	a
+
+private			NS	ns.private
+ns.private		A	10.53.0.2
+
+insecure		NS	ns.insecure
+ns.insecure		A	10.53.0.2
+
+nosoa 			NS	ns.nosoa
+ns.nosoa		A	10.53.0.7
+
+normalthenrrsig		A	10.0.0.28
+rrsigonly		A	10.0.0.29
diff --git a/bin/tests/system/dnssec/ns3/upper.example.db.in b/bin/tests/system/dnssec/ns3/upper.example.db.in
new file mode 100644
index 0000000..ec6603a
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/upper.example.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2012042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+@			NS	ns
+ns			A	10.53.0.3
diff --git a/bin/tests/system/dnssec/ns4/managed-keys.bind.in b/bin/tests/system/dnssec/ns4/managed-keys.bind.in
new file mode 100644
index 0000000..570669d
--- /dev/null
+++ b/bin/tests/system/dnssec/ns4/managed-keys.bind.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 0	; 0 seconds
+@			IN SOA	. . (
+				2          ; serial
+				0          ; refresh (0 seconds)
+				0          ; retry (0 seconds)
+				0          ; expire (0 seconds)
+				0          ; minimum (0 seconds)
+				)
+			KEYDATA	20221028094934 19700101000000 19700101000000 0 0 0 ; placeholder
diff --git a/bin/tests/system/dnssec/ns4/named1.conf.in b/bin/tests/system/dnssec/ns4/named1.conf.in
new file mode 100644
index 0000000..212ef85
--- /dev/null
+++ b/bin/tests/system/dnssec/ns4/named1.conf.in
@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS4
+
+options {
+	query-source address 10.53.0.4 dscp 1;
+	notify-source 10.53.0.4 dscp 2;
+	transfer-source 10.53.0.4 dscp 3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	dnssec-must-be-secure mustbesecure.example yes;
+	minimal-responses no;
+
+	nta-lifetime 12s;
+	nta-recheck 9s;
+
+	validate-except { corp; };
+
+	# Note: We only reference the bind.keys file here to confirm that it
+	# is *not* being used.  It contains the real root key, and we're
+	# using a local toy root zone for the tests, so it wouldn't work.
+	# But since dnssec-validation is set to "yes" not "auto", that
+	# won't matter.
+	bindkeys-file "../../../../../bind.keys";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "corp" {
+	type static-stub;
+	server-addresses { 10.53.0.2; };
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/dnssec/ns4/named2.conf.in b/bin/tests/system/dnssec/ns4/named2.conf.in
new file mode 100644
index 0000000..3369b6b
--- /dev/null
+++ b/bin/tests/system/dnssec/ns4/named2.conf.in
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS4
+
+options {
+	query-source address 10.53.0.4 dscp 4;
+	notify-source 10.53.0.4 dscp 5;
+	transfer-source 10.53.0.4 dscp 6;
+	dscp 16;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation auto;
+	bindkeys-file "managed.conf";
+	minimal-responses no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
diff --git a/bin/tests/system/dnssec/ns4/named3.conf.in b/bin/tests/system/dnssec/ns4/named3.conf.in
new file mode 100644
index 0000000..d6eaa01
--- /dev/null
+++ b/bin/tests/system/dnssec/ns4/named3.conf.in
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS4
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation auto;
+	bindkeys-file "managed.conf";
+	dnssec-accept-expired yes;
+	minimal-responses no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
diff --git a/bin/tests/system/dnssec/ns4/named4.conf.in b/bin/tests/system/dnssec/ns4/named4.conf.in
new file mode 100644
index 0000000..db42f23
--- /dev/null
+++ b/bin/tests/system/dnssec/ns4/named4.conf.in
@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS4
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+key auth {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+include "trusted.conf";
+
+view rec {
+	match-recursive-only yes;
+	recursion yes;
+	dnssec-validation yes;
+	dnssec-accept-expired yes;
+	minimal-responses no;
+
+	zone "." {
+		type hint;
+		file "../../common/root.hint";
+	};
+
+	zone secure.example {
+		type static-stub;
+		server-addresses { 10.53.0.4; };
+	};
+
+	zone insecure.secure.example {
+		type static-stub;
+		server-addresses { 10.53.0.4; };
+	};
+};
+
+view auth {
+	recursion no;
+	allow-recursion { none; };
+
+	zone secure.example {
+		type secondary;
+		primaries { 10.53.0.3; };
+	};
+
+	zone insecure.secure.example {
+		type secondary;
+		primaries { 10.53.0.2; };
+	};
+};
diff --git a/bin/tests/system/dnssec/ns4/named5.conf.in b/bin/tests/system/dnssec/ns4/named5.conf.in
new file mode 100644
index 0000000..2be2f02
--- /dev/null
+++ b/bin/tests/system/dnssec/ns4/named5.conf.in
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS4
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	bindkeys-file "managed.conf";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+key auth {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
diff --git a/bin/tests/system/dnssec/ns5/named1.conf.in b/bin/tests/system/dnssec/ns5/named1.conf.in
new file mode 100644
index 0000000..deec9c2
--- /dev/null
+++ b/bin/tests/system/dnssec/ns5/named1.conf.in
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS5
+
+options {
+	query-source address 10.53.0.5;
+	notify-source 10.53.0.5;
+	transfer-source 10.53.0.5;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.5; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/dnssec/ns5/named2.conf.in b/bin/tests/system/dnssec/ns5/named2.conf.in
new file mode 100644
index 0000000..f334e16
--- /dev/null
+++ b/bin/tests/system/dnssec/ns5/named2.conf.in
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS5
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.5;
+	notify-source 10.53.0.5;
+	transfer-source 10.53.0.5;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.5; 127.0.0.1; };
+	listen-on-v6 { none; };
+	recursion yes;
+};
+
+view root {
+	match-destinations { 127.0.0.1; };
+
+	zone "." {
+		type primary;
+		file "root.db.signed";
+	};
+};
+
+view other {
+include "revoked.conf";
+
+	zone "." {
+		type static-stub;
+		server-addresses { 127.0.0.1; };
+	};
+};
diff --git a/bin/tests/system/dnssec/ns5/sign.sh b/bin/tests/system/dnssec/ns5/sign.sh
new file mode 100644
index 0000000..6a6df03
--- /dev/null
+++ b/bin/tests/system/dnssec/ns5/sign.sh
@@ -0,0 +1,39 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+echo_i "ns5/sign.sh"
+
+zone=.
+infile=../ns1/root.db.in
+zonefile=root.db.signed
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+
+# copy the KSK out first, then revoke it
+keyfile_to_initial_ds "$keyname" > revoked.conf
+
+"$SETTIME" -R now "${keyname}.key" > /dev/null
+
+# create a current set of keys, and sign the root zone
+"$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" $zone > /dev/null
+"$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK $zone > /dev/null
+"$SIGNER" -S -o "$zone" -f "$zonefile" "$infile" > /dev/null 2>&1
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone ".")
+
+keyfile_to_static_ds "$keyname" > trusted.conf
diff --git a/bin/tests/system/dnssec/ns6/named.args b/bin/tests/system/dnssec/ns6/named.args
new file mode 100644
index 0000000..65b7dbc
--- /dev/null
+++ b/bin/tests/system/dnssec/ns6/named.args
@@ -0,0 +1 @@
+-m record,size,mctx -c named.conf -d 99 -D dnssec-ns6 -X named.lock -g -T maxcachesize=2097152 -T nonearest -T tat=1
diff --git a/bin/tests/system/dnssec/ns6/named.conf.in b/bin/tests/system/dnssec/ns6/named.conf.in
new file mode 100644
index 0000000..4bdc79c
--- /dev/null
+++ b/bin/tests/system/dnssec/ns6/named.conf.in
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS6
+
+options {
+	query-source address 10.53.0.6;
+	notify-source 10.53.0.6;
+	transfer-source 10.53.0.6;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.6; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+	disable-algorithms . { @ALTERNATIVE_ALGORITHM@; };
+	dnssec-validation yes;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "optout-tld" {
+	type primary;
+	file "optout-tld.db.signed";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/dnssec/ns6/optout-tld.db.in b/bin/tests/system/dnssec/ns6/optout-tld.db.in
new file mode 100644
index 0000000..b2aa393
--- /dev/null
+++ b/bin/tests/system/dnssec/ns6/optout-tld.db.in
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 60
+optout-tld. 60 IN SOA example. . 0 0 0 0 0
+optout-tld. 60 IN NS ns6.optout-tld.
+ns6.optout-tld. 60 IN A 10.53.0.6
+a 60 PTR example.
+b 60 PTR example.
+a.b.c.d 60 NS example.
+e 60 PTR example.
+f 60 PTR example.
+g 60 PTR example.
+h 60 PTR example.
diff --git a/bin/tests/system/dnssec/ns6/sign.sh b/bin/tests/system/dnssec/ns6/sign.sh
new file mode 100644
index 0000000..abfb112
--- /dev/null
+++ b/bin/tests/system/dnssec/ns6/sign.sh
@@ -0,0 +1,29 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+echo_i "ns6/sign.sh"
+
+zone=optout-tld
+infile=optout-tld.db.in
+zonefile=optout-tld.db
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$keyname.key" > "$zonefile"
+
+"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" > /dev/null 2>&1
diff --git a/bin/tests/system/dnssec/ns7/named.conf.in b/bin/tests/system/dnssec/ns7/named.conf.in
new file mode 100644
index 0000000..55cbec9
--- /dev/null
+++ b/bin/tests/system/dnssec/ns7/named.conf.in
@@ -0,0 +1,76 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+options {
+	query-source address 10.53.0.7;
+	notify-source 10.53.0.7;
+	transfer-source 10.53.0.7;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.7; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	dnssec-validation yes;
+	minimal-responses yes;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "nsec3.example" {
+	type secondary;
+	primaries { 10.53.0.3; };
+	file "nsec3.example.bk";
+};
+
+zone "optout.example" {
+	type secondary;
+	primaries { 10.53.0.3; };
+	file "optout.example.bk";
+};
+
+zone "nsec3-unknown.example" {
+	type secondary;
+	primaries { 10.53.0.3; };
+	file "nsec3-unknown.example.bk";
+};
+
+zone "optout-unknown.example" {
+	type secondary;
+	primaries { 10.53.0.3; };
+	file "optout-unknown.example.bk";
+};
+
+zone "multiple.example" {
+	type secondary;
+	primaries { 10.53.0.3; };
+	file "multiple.example.bk";
+};
+
+zone "nosoa.secure.example" {
+	type primary;
+	file "nosoa.secure.example.db";
+};
+
+zone "split-rrsig" {
+	type primary;
+	file "split-rrsig.db.signed";
+	allow-update { any; };
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/dnssec/ns7/named.nosoa b/bin/tests/system/dnssec/ns7/named.nosoa
new file mode 100644
index 0000000..caefbbb
--- /dev/null
+++ b/bin/tests/system/dnssec/ns7/named.nosoa
@@ -0,0 +1,12 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0.  If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+
+Add -T nosoa.
diff --git a/bin/tests/system/dnssec/ns7/nosoa.secure.example.db b/bin/tests/system/dnssec/ns7/nosoa.secure.example.db
new file mode 100644
index 0000000..d3c9878
--- /dev/null
+++ b/bin/tests/system/dnssec/ns7/nosoa.secure.example.db
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300        ; 5 minutes
+@                       IN SOA  mname1. . (
+                                2010062400 ; serial
+                                20         ; refresh (20 seconds)
+                                20         ; retry (20 seconds)
+                                1814400    ; expire (3 weeks)
+                                3600       ; minimum (1 hour)
+                                )
+@                       IN NS   ns
+ns			IN A	10.53.0.7
+a			IN A	1.2.3.4
diff --git a/bin/tests/system/dnssec/ns7/sign.sh b/bin/tests/system/dnssec/ns7/sign.sh
new file mode 100644
index 0000000..55c1988
--- /dev/null
+++ b/bin/tests/system/dnssec/ns7/sign.sh
@@ -0,0 +1,44 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+echo_i "ns7/sign.sh"
+
+zone=split-rrsig
+infile=split-rrsig.db.in
+zonefile=split-rrsig.db
+
+k1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+k2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$k1.key" "$k2.key" > "$zonefile"
+
+# The awk script below achieves two goals:
+#
+# - it puts one of the two RRSIG(SOA) records at the end of the zone file, so
+#   that these two records (forming a single RRset) are not placed immediately
+#   next to each other; the test then checks if RRSIG RRsets split this way are
+#   correctly added to resigning heaps,
+#
+# - it places a copy of one of the RRSIG(SOA) records somewhere else than at the
+#   zone apex; the test then checks whether such signatures are automatically
+#   removed from the zone after it is loaded.
+"$SIGNER" -P -3 - -A -o "$zone" -O full -f "$zonefile.unsplit" -e now-3600 -s now-7200 "$zonefile" > /dev/null 2>&1
+awk 'BEGIN { r = ""; }
+     $4 == "RRSIG" && $5 == "SOA" && r == "" { r = $0; next; }
+     { print }
+     END { print r; print "not-at-zone-apex." r; }' "$zonefile.unsplit" > "$zonefile.signed"
diff --git a/bin/tests/system/dnssec/ns7/split-rrsig.db.in b/bin/tests/system/dnssec/ns7/split-rrsig.db.in
new file mode 100644
index 0000000..48c2f87
--- /dev/null
+++ b/bin/tests/system/dnssec/ns7/split-rrsig.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+split-rrsig.		3660	IN SOA	. . (
+					1          ; serial
+					3600       ; refresh (1 hour)
+					3600       ; retry (1 hour)
+					3600       ; expire (1 hour)
+					3600       ; minimum (1 hour)
+					)
+			3660	NS	ns.example.
+a.split-rrsig.		3660	IN A	192.0.2.2
+b.split-rrsig.		3660	IN A	192.0.2.2
diff --git a/bin/tests/system/dnssec/ns8/named.conf.in b/bin/tests/system/dnssec/ns8/named.conf.in
new file mode 100644
index 0000000..ef3c913
--- /dev/null
+++ b/bin/tests/system/dnssec/ns8/named.conf.in
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS8
+
+options {
+	query-source address 10.53.0.8;
+	notify-source 10.53.0.8;
+	transfer-source 10.53.0.8;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.8; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	minimal-responses no;
+	disable-algorithms "disabled.managed." { @DISABLED_ALGORITHM@; };
+	disable-algorithms "disabled.trusted." { @DISABLED_ALGORITHM@; };
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.8 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+include "managed.conf";
+include "trusted.conf";
+
diff --git a/bin/tests/system/dnssec/ns9/named.conf.in b/bin/tests/system/dnssec/ns9/named.conf.in
new file mode 100644
index 0000000..d206d56
--- /dev/null
+++ b/bin/tests/system/dnssec/ns9/named.conf.in
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS9
+
+options {
+	query-source address 10.53.0.9;
+	notify-source 10.53.0.9;
+	transfer-source 10.53.0.9;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.9; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	forward only;
+	forwarders { 10.53.0.4; };
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/dnssec/ntadiff.pl b/bin/tests/system/dnssec/ntadiff.pl
new file mode 100755
index 0000000..ca80eac
--- /dev/null
+++ b/bin/tests/system/dnssec/ntadiff.pl
@@ -0,0 +1,24 @@
+#!/usr/bin/perl -w
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+use strict;
+use Time::Piece;
+use Time::Seconds;
+
+exit 1 if (scalar(@ARGV) != 2);
+
+my $actual = Time::Piece->strptime($ARGV[0], '%d-%b-%Y %H:%M:%S.000 %z');
+my $expected = Time::Piece->strptime($ARGV[1], '%s') + ONE_WEEK;
+my $diff = abs($actual - $expected);
+
+print($diff . "\n");
diff --git a/bin/tests/system/dnssec/prereq.sh b/bin/tests/system/dnssec/prereq.sh
new file mode 100644
index 0000000..90f5a55
--- /dev/null
+++ b/bin/tests/system/dnssec/prereq.sh
@@ -0,0 +1,45 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+if test -n "$PYTHON"
+then
+    if $PYTHON -c "import dns" 2> /dev/null
+    then
+        :
+    else
+        echo_i "This test requires the dnspython module." >&2
+        exit 1
+    fi
+else
+    echo_i "This test requires Python and the dnspython module." >&2
+    exit 1
+fi
+
+if "$PERL" -e 'use Net::DNS;' 2>/dev/null
+then
+    # shellcheck disable=SC2016
+    if "$PERL" -e 'use Net::DNS; die if ($Net::DNS::VERSION >= 0.69 && $Net::DNS::VERSION <= 0.70);' 2>/dev/null
+    then
+        :
+    else
+        echo_i "Net::DNS versions 0.69 to 0.70 have bugs that cause this test to fail: please update." >&2
+        exit 1
+    fi
+fi
+
+exit 0
diff --git a/bin/tests/system/dnssec/setup.sh b/bin/tests/system/dnssec/setup.sh
new file mode 100644
index 0000000..568c62b
--- /dev/null
+++ b/bin/tests/system/dnssec/setup.sh
@@ -0,0 +1,52 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+$SHELL clean.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+
+copy_setports ns4/named1.conf.in ns4/named.conf
+copy_setports ns5/named1.conf.in ns5/named.conf
+
+copy_setports ns6/named.conf.in ns6/named.conf
+copy_setports ns7/named.conf.in ns7/named.conf
+copy_setports ns8/named.conf.in ns8/named.conf
+
+copy_setports ns9/named.conf.in ns9/named.conf
+
+(
+    cd ns1
+    $SHELL sign.sh
+    {
+	echo "a.bogus.example.	A	10.0.0.22"
+	echo "b.bogus.example.	A	10.0.0.23"
+	echo "c.bogus.example.	A	10.0.0.23"
+    } >>../ns3/bogus.example.db.signed
+)
+
+(
+    cd ns3
+    cp -f siginterval1.conf siginterval.conf
+)
+
+(
+    cd ns5
+    $SHELL sign.sh
+)
diff --git a/bin/tests/system/dnssec/signer/example.db.in b/bin/tests/system/dnssec/signer/example.db.in
new file mode 100644
index 0000000..3ab6aa2
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/example.db.in
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 60
+example. 60 IN SOA example. . 0 0 0 0 0
+example. 60 IN NS example.
+example. 60 IN A 1.2.3.4
+; out of zone record
+out-of-zone. 60 IN A 1.2.3.4
diff --git a/bin/tests/system/dnssec/signer/general/Kexample.com.+008+15002.key b/bin/tests/system/dnssec/signer/general/Kexample.com.+008+15002.key
new file mode 100644
index 0000000..d4b8efb
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/general/Kexample.com.+008+15002.key
@@ -0,0 +1,5 @@
+; This is a key-signing key, keyid 15002, for example.com.
+; Created: 20210423012926 (Fri Apr 23 11:29:26 2021)
+; Publish: 20210423012926 (Fri Apr 23 11:29:26 2021)
+; Activate: 20210423012926 (Fri Apr 23 11:29:26 2021)
+example.com. IN DNSKEY 257 3 8 AwEAAdp+oCXl7vpKA3Mmyndx6/iA+wLrtxeMUiWL7uWJ9ZF24EdS8Dye 63p0lGlyvjvM9T5dTiyEpTAdutEBr79H0MlDqIBqpadrCdJRI2S4kC+0 nq5+Aj2CEyiAamPGujwWeXwtfLAvVPfBqs42PBr6wPQIJOByFYDaZBU3 enUEWgHYy/7OnJDrt0QlswKphR6SvYtyuixiUR8J/WouWXglUY5qlC7Z vVDxs9E4q7B1mfKCyoqcFMKPh9lzEBH+IfUZ543xXEYf2BEztKB1SZ2R QnpYedjATGDcgPis46uA2gHMfvDYJTQ5UqTBtveGb3Wsqc0oRXVPMEoY 3WnWhaKDzkk=
diff --git a/bin/tests/system/dnssec/signer/general/Kexample.com.+008+15002.private b/bin/tests/system/dnssec/signer/general/Kexample.com.+008+15002.private
new file mode 100644
index 0000000..72b8e2e
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/general/Kexample.com.+008+15002.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: 2n6gJeXu+koDcybKd3Hr+ID7Auu3F4xSJYvu5Yn1kXbgR1LwPJ7renSUaXK+O8z1Pl1OLISlMB260QGvv0fQyUOogGqlp2sJ0lEjZLiQL7Sern4CPYITKIBqY8a6PBZ5fC18sC9U98GqzjY8GvrA9Agk4HIVgNpkFTd6dQRaAdjL/s6ckOu3RCWzAqmFHpK9i3K6LGJRHwn9ai5ZeCVRjmqULtm9UPGz0TirsHWZ8oLKipwUwo+H2XMQEf4h9RnnjfFcRh/YETO0oHVJnZFCelh52MBMYNyA+Kzjq4DaAcx+8NglNDlSpMG294ZvdaypzShFdU8wShjdadaFooPOSQ==
+PublicExponent: AQAB
+PrivateExponent: SD4X64/0DTONonRP+2Biej8DP7r6RcHyo1F6QtDzrg4VJ+AHaLPO/iUvsRHsTk99QwqMv3F4QMmDrHmXR3KSWQmS3Crm7M0aaTzErBfOLMfWs7EcQoQQm5KiGq1phFaWAnXzxTlRKb4SIK6T/wOr6sQKlV+DNqB++Pjn92rh67vLM8kZBUzWI14Vl9N0ib+xOOFH1oYFo7ynDgMfJhpnQSkuRfyQls3aD1eKQsNazRtZ7lFi2S0HR/V0AKYH2AQi7SdL5wH6hYba5cHfpKSw7PebI0lYkUJ4PAg3Xw7DPMkg8O0hkpLICpU8x7MPqQQ74eKDaEY+fjbL0KLL0Dy9UQ==
+Prime1: /IDRb7WzMY6wp14LqDORULoUnmiQOqkRjOQnCoEXT2KVpYwPmGMG+GR40hrMFgqqAZFVmi56VBoasWpYbSBEqM4aJv1JVimMPREk23v5i+TY93kxICO/ee9/v0hXgLmrKUkS1Kwu4a1PxLX5U/LAzXPR6zF+EHP9OKFjDRWHqN0=
+Prime2: 3YU9QdtsXofjNmlDETRwemKv45pa0oVNPmNvS1vtzIpQ3m/QSuhJxzyTgSP9x1XMiIsg63er3LOCtkRifXVE1IBrfIUgchp8YD5LsyesRl2ielE8Hw8PwSA1YjUVu90yRHcVfbZJ8lm2KyRKHgDWXz94t2Xnm/9M5XjUGuNW7l0=
+Exponent1: 7KIkpJYZyvW4ZAFk10sMgiUBMbs4f2D2i509YUC9ga4YJD7wVpVncN1nxS9L19RCopl7KbUo+yxDm8TX/dzhu3j7VVLFqbPiM1Cfw/mZUhszoii3ezFFPpbOl4rKRl66I0TSGvEKNoDfYrBPavby7Rf/wHRveifZRXspgpeMvRk=
+Exponent2: yvvtjuxW2CRiopg/+YL40lyd2cy2DpRRnKqW8BHzzGquAbWpwwopmOS8MSjewgqv2irK5pmJJTpku0nciiOsB6EJXVfLzGLSt4o96ZOf+/aPDNBla/xsLkaqRCxqlvPwvOX2DnS8O9PS5qNhOy7/QNYzcrJxUfPV7awTh/Pr040=
+Coefficient: PHxU1tqPKTpI/8nABvso0SRerc1m+RPWGRk7s/SVcADSBvEW7fUDcwiZeRfK9MdlwPvLiVozbYnRbgRQl8GuKSqAD1+Cnvn2yOQk81AgNKbuKPwF7UvKIdq/c/xnhj2bvZUVSavJ91ux/RlZNP50378Ks8bj5HJl1xzAMVHXB5o=
+Created: 20210423012926
+Publish: 20210423012926
+Activate: 20210423012926
diff --git a/bin/tests/system/dnssec/signer/general/Kexample.com.+008+63613.key b/bin/tests/system/dnssec/signer/general/Kexample.com.+008+63613.key
new file mode 100644
index 0000000..990b837
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/general/Kexample.com.+008+63613.key
@@ -0,0 +1,5 @@
+; This is a zone-signing key, keyid 63613, for example.com.
+; Created: 20210423012810 (Fri Apr 23 11:28:10 2021)
+; Publish: 20210423012810 (Fri Apr 23 11:28:10 2021)
+; Activate: 20210423012810 (Fri Apr 23 11:28:10 2021)
+example.com. IN DNSKEY 256 3 8 AwEAAZzun7bYfjmGDwUEn4pyJG34vsiawRMW6pEdoNMH87ozxriOzgG6 /4zTjEv8JyYjGQz2k2vcoWWcD+86xD5IUqfa1pdXXUU8bdhG9DBtW/K1 mc4P6g8heU+0f++mq/L4TPlWVZUG8lVH4H8mD6r8PsVK7v/QR7wMeg9b JpCYyxon2A9rZ4zS0J9kX9bfciQVh6ODGVENctwEK5FNp5u0VonPEIx3 5Kj+IVn/mHpfbz4LaC02s7C6Kgvn3ToFFSJczwbOaexl/d+/ai8FLJi7 8UgiAq5/178bcVLItMeY6aD5eQGkRtr2c3JZ/JR4Nf+TQAWFBnl9NSDa RH4Qa55ZNqs=
diff --git a/bin/tests/system/dnssec/signer/general/Kexample.com.+008+63613.private b/bin/tests/system/dnssec/signer/general/Kexample.com.+008+63613.private
new file mode 100644
index 0000000..1765d3f
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/general/Kexample.com.+008+63613.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: nO6ftth+OYYPBQSfinIkbfi+yJrBExbqkR2g0wfzujPGuI7OAbr/jNOMS/wnJiMZDPaTa9yhZZwP7zrEPkhSp9rWl1ddRTxt2Eb0MG1b8rWZzg/qDyF5T7R/76ar8vhM+VZVlQbyVUfgfyYPqvw+xUru/9BHvAx6D1smkJjLGifYD2tnjNLQn2Rf1t9yJBWHo4MZUQ1y3AQrkU2nm7RWic8QjHfkqP4hWf+Yel9vPgtoLTazsLoqC+fdOgUVIlzPBs5p7GX9379qLwUsmLvxSCICrn/XvxtxUsi0x5jpoPl5AaRG2vZzcln8lHg1/5NABYUGeX01INpEfhBrnlk2qw==
+PublicExponent: AQAB
+PrivateExponent: N4egcDzO/V/YdLgcFAsrpNY9/BH2e+DCA7NuMv4/WgX0LV4quyYGQzigDksdNzt4I8Qkiig53BCK+uXahwdkaAzhng/F6zfkzoDc6z3nKUzlLasn8U6w9Gk0VAKwGXuPETNheShKG68hWxyGssQrGfjX9SEoIPxxPHnOfZ/zTj95KAnVV5qPz90xVAb0+FUrLXAt72KuRwepOTlsETsMFDKe17uUCqCCdX98Ko0u14wrO6zGRQtNhUsfvNB/pY8fvbHD1GcCTbFSx4FxsUsZMrNtMsvMe3HN9ggC0Y9htbH9HV0hS0w9SKCUyoeOVwf/JZL4hlfoe8+jglsyJpAgoQ==
+Prime1: zeXvO3PT4iXv9GlGeebl39pF1sXs8tXY4B9VHUJGGSYlyOlyCEy4URQJIPfuL6VjFKCErSxUJSrGz0HyQuKr8l9qP/0MGxGRH7wxvUR7YTmai84yyQ4fFENRmn8bzxGwj0MVHIW7cKC59j7nWT24gseT21/NP5m8EnPsjz/K40M=
+Prime2: wx5vVFSydUfr8HtOHNS1kRrTjhnQOfjmj8SxGi72Hk+mgi9fBCTC5fRLifd80wGbgyFk1vZOXeStOC8L3IlnBGLX0O9MNip+vVX3hRzIRhLwHhL1ygN3xEd04qwVH0XJ8+4A0XCzh/FJgW59F62geN6gwedo7GmZAOSZUBAyRHk=
+Exponent1: IlkqeLuQ7Fgx2I87b5iiXp62Keco6TXdkT4I3/GvagCgKw0utc2+rd/uye4ycQZhKg7BM3aCrxScx/STaq8PykY6nmQjgdyDXkzx60YiYwzOCGakuD+/1YyJb4Gm7PthffTN780rgNV/UGIcDBoszrxmoSExR1vpMRbfruIQgas=
+Exponent2: or0Os/KUibc79W6Snv9WlLkgPAQRpViQzNaLtD/47R0Xzrs975HNsMgJ/P+bb86Ga1994MC8ahmh1BuBNCax8nmScWQ1V3QoEzjRYoe4DqIa/aposF4mFWJX/fry/wtRPo+CxSzPwJGh8j86PHaHQmjFAhVFcPE+OP1xVdK8alk=
+Coefficient: r5wPmPXUF5pVC0Y7La3jVkL4w/3wvq9LBz91tH9gA8OUNLpDDBuFZISiJdhOZ4JVw+qSSoHcEa+3Phd+BqxmXzwZDU1Fqta9mLDDGCqCWjVQOopeeJgrvkv9P0TIzEuoGmW50cQhyqHYCtuUxjOnHfiQSc53p7rfD4Vom1VQ3Ok=
+Created: 20210423012810
+Publish: 20210423012810
+Activate: 20210423012810
diff --git a/bin/tests/system/dnssec/signer/general/Kexample.com.+010+18240.key b/bin/tests/system/dnssec/signer/general/Kexample.com.+010+18240.key
new file mode 100644
index 0000000..47003a4
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/general/Kexample.com.+010+18240.key
@@ -0,0 +1,5 @@
+; This is a zone-signing key, keyid 18240, for example.com.
+; Created: 20211221062121 (Tue Dec 21 17:21:21 2021)
+; Publish: 20211221062121 (Tue Dec 21 17:21:21 2021)
+; Activate: 20211221062121 (Tue Dec 21 17:21:21 2021)
+example.com. IN DNSKEY 256 3 10 AwEAAe5GunnuJFyzmKiGUknSQY3aPtR5UR8vNLLyMCJswffRzoYwY14/ 60ZTsqzh7N+lJV3KAOraocFSsTnmWIM7D7DPpqtaJMQw90ypBG0cnUP1 wKX9L/gdOH/ITlluBiZpCv9Aux3FRECHBO4Gx8Rse8ST2Vag3UuOPW+q HkLsWQt22K/hYuDhEtUWWx2dTIaXUVXNSNbk2zPL+lhC9PaRV+//1Fjo UX4qXCUuUN4TiqlkK2v4UkcIyld1n2R7qTQAkoN9amGFtPu8z5Zw7CxC San03yUSNuKub3fGys11gQRFuEHRX7FxKxvJjmcngG9qCh8AyfHZ8zYb VstTy1unFoM=
diff --git a/bin/tests/system/dnssec/signer/general/Kexample.com.+010+18240.private b/bin/tests/system/dnssec/signer/general/Kexample.com.+010+18240.private
new file mode 100644
index 0000000..f16b627
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/general/Kexample.com.+010+18240.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 10 (RSASHA512)
+Modulus: 7ka6ee4kXLOYqIZSSdJBjdo+1HlRHy80svIwImzB99HOhjBjXj/rRlOyrOHs36UlXcoA6tqhwVKxOeZYgzsPsM+mq1okxDD3TKkEbRydQ/XApf0v+B04f8hOWW4GJmkK/0C7HcVEQIcE7gbHxGx7xJPZVqDdS449b6oeQuxZC3bYr+Fi4OES1RZbHZ1MhpdRVc1I1uTbM8v6WEL09pFX7//UWOhRfipcJS5Q3hOKqWQra/hSRwjKV3WfZHupNACSg31qYYW0+7zPlnDsLEJJqfTfJRI24q5vd8bKzXWBBEW4QdFfsXErG8mOZyeAb2oKHwDJ8dnzNhtWy1PLW6cWgw==
+PublicExponent: AQAB
+PrivateExponent: U/ipDv9V4TWJvxpXNZzbbVpUehym8g54y/d97yPU17kgxzmWS0jLaWVluneEOuzAVmUyHZIfHzo9KuJ6nwTZar5DRm/mNR3siR+nZ6yF38VjtxubJB1oI+A7fFjB4hdywLHXP46dlv/+RMQu8pIorAZOubDHTDE8hXW2ZG9WkisJ5P7KoaL4KFHHHXi5vsXAMph4Zphd/zPxVL2tHD3l5c3QXRpQWfTNZNQcZ1f/4yVCuMRibg5LCvpia0ZwRrlygfZdAHUUd0VJDfRO45J5nlIJSAHQtjYtVTL+xNISWOHXovVlInkVyluACqfX94I7qPXTu41yg3SxrrtHE6RTwQ==
+Prime1: +/YsRxmUxgvHKUh4SxdjzqNDDEi8b2BtM5IpctjVG3oYsL6J9xJB3U5/lbrGEPgl/1ndBUSXMQ6zQ5WcDE1qBAdW8t0eyniyuiexcgQ9f04Ds7p7oUiSHGLRn8YqQOzmiASXoZmkzfJZ+42pGhT3RZ+aYKtWQGMHqXabwV3zZl0=
+Prime2: 8hhnKzPzExy6wv/MV0aYKo1g4azrRjug6743/ctTC7zjnMmDW7RMFTXmq5Tu3pFaIL4N4C4m1b7P3abfTrjm+DwHnrlRIvLWS3zJnvUEM22i4BwqqTLRiJpoT5Bfp4pVsdOPT7Iyx1q5UsJZ7Q4qMpg2TFpGiQyieRB5Xwpu4l8=
+Exponent1: ZFPx7Z3SD8pA0793pu75Xx7DY/DSl8bdtNtOhdyxfu9vRXGZnjg24diQFR76H2ewOa2exKo7Sd2ApDi+mmd4/4Gsrag+yoClKlsD3VKy6i42ayqmb+Jly8fNkMFnsdKjOSYa+s4jQZ5vFiuiWjBfBeo3nqabAahtNJ12B9lRQkE=
+Exponent2: tNz4TnVsFo4zFLVHsrghvECM7WxjBMBNc3FToT6CV1WRcjO1+A/Ve08eenc0kYBjpex2r1GrX6pC3uPpFoXav/8Q7kqiTArBf/nFIwUHU2iH8wf38xntIjHA1hgU7jTR2p0kBrUpbHfh1esuhYQ8kDnY7ufOpFqVEv70vcUsm98=
+Coefficient: 3acDCJ9jCnHAP1km7jRO388mOpiI8U6SMv0PBD8l2UoB4CYwujrFxy6PhgUa486bbm5xZEaOwhYZcbw/g1qyC6Qt5kYOb2fVWOob/lEQmyqbDvHMQWTJoIbqaDTKQN/szI4xVdb/xZ6QR4Bq7JgbJpUACgweS540Y7Lf8Dry8C0=
+Created: 20211221062121
+Publish: 20211221062121
+Activate: 20211221062121
diff --git a/bin/tests/system/dnssec/signer/general/Kexample.com.+010+28633.key b/bin/tests/system/dnssec/signer/general/Kexample.com.+010+28633.key
new file mode 100644
index 0000000..37bd259
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/general/Kexample.com.+010+28633.key
@@ -0,0 +1,5 @@
+; This is a key-signing key, keyid 28633, for example.com.
+; Created: 20211221062130 (Tue Dec 21 17:21:30 2021)
+; Publish: 20211221062130 (Tue Dec 21 17:21:30 2021)
+; Activate: 20211221062130 (Tue Dec 21 17:21:30 2021)
+example.com. IN DNSKEY 257 3 10 AwEAAc4lt8fDsdCzMCLHxXm8Ok/dw6XDiqx06Rf47LTeLmo6b64xm1Fs 0zloNMrcZDgwS5IxjQ3Breqc5aEc+jehueqCXa/fJXMdIt1VpUG0H7GP 4B+1IVmEiziHfmOozktdkuAyLqcsNhsf+J1+bCoHJSffgz6KbjBks/jR 12uyUnZCDrKGE/KfiR0gpT3watqGqqChO0KXq2N2PsnYfyRDea5FMUjM oPgOOyAT8LIMsM8x4f+EbU6m9Zc3Esafek9iLCS9R1333Pm1EEh5ghQT BsZ7omc5aSvrKUaIneojU3RdofceZouCliIDXmqscfY0y6bivGcmCQI/ LM4XUh7GWlM=
diff --git a/bin/tests/system/dnssec/signer/general/Kexample.com.+010+28633.private b/bin/tests/system/dnssec/signer/general/Kexample.com.+010+28633.private
new file mode 100644
index 0000000..6d7f72e
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/general/Kexample.com.+010+28633.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 10 (RSASHA512)
+Modulus: ziW3x8Ox0LMwIsfFebw6T93DpcOKrHTpF/jstN4uajpvrjGbUWzTOWg0ytxkODBLkjGNDcGt6pzloRz6N6G56oJdr98lcx0i3VWlQbQfsY/gH7UhWYSLOId+Y6jOS12S4DIupyw2Gx/4nX5sKgclJ9+DPopuMGSz+NHXa7JSdkIOsoYT8p+JHSClPfBq2oaqoKE7QperY3Y+ydh/JEN5rkUxSMyg+A47IBPwsgywzzHh/4RtTqb1lzcSxp96T2IsJL1HXffc+bUQSHmCFBMGxnuiZzlpK+spRoid6iNTdF2h9x5mi4KWIgNeaqxx9jTLpuK8ZyYJAj8szhdSHsZaUw==
+PublicExponent: AQAB
+PrivateExponent: Wr3fl99cdjFqDuVA18UzJdTIOj9I24Da2eKIz1S9uaTfZB4R8FWm5K4qDuHUe6dGnKOTI2sN0ygdLD5FJhfabo/UDYZ8RZ+dqS/5/mH7UX2zekGQ3Iargcaiq9uycxpNfMKaJpwfdPEtzqXHlvhuMo8AhpcIyeSKFAzKdm2YPtUqIrum4RARHyfRLfLyWlkIotPdyiaKCVGQxiRbFsTcmIB2Bizmt7zRjlB+Hxf8MooXmaKUFRQtMCLnFGK0ecFI1CWAxmLSanvYVKQ0HxcFkFKzRiZAz1au7ZfMgYDZj0jF72WAGU3Edcmdc0QIQRTWjb/3wcBfwlr9s6lKoF3ngQ==
+Prime1: 1EIziKhz7dF41rb/hckdr2qeY8eM7tLrT5jIMPLISHCCuKm5IK2u7PY6m6NjMdhx1ilm7K2RGTt+TTFZaqDIEd8qpzRCxAGcfTVOmB9iHwmi9i9RoPSlY6o+iShft68ZnvPiGJWUF2huRYVK2F0cIWErwSqaBGsFd79mXmlkn98=
+Prime2: +KEdNtZj9JyCCR2xbLAw3tnAYxHvJ3skVMjxV3cyUupMWi12NWxGhHH1nnetXxDR2LBBuqIl4pE/4MeXe3sClMHTL3Z9XG+pzQAsHS7yvsfZERdyuWZYYy0ya/7XY2auvRVO6LxN7d47VWjYxAGfoCsbCEivgDxmt1dTZhAtRA0=
+Exponent1: d5TcZ69PsLoEtCLhDkRh/wO4PEqeMaaOf4d5sWn2QCly3Apyi+CN3l5SYoDIT7q7V4Z3v/uA9ZA49dBJqfLvBHKQGycsPjUSLtAreTSlGQtazguWl3F9BAtTs/4U/u0dKBoKVQNgLVfeWDhiFEdQo9WUyvzvTHHm4LHqQGJsGE0=
+Exponent2: EU2dK+DVygNOZXYEkAzfCdNbuUlZPIUsbR4i9bRc8zpNIAWD8YncioEn1+R6U2BnSk5R9LwuKMt1B568YyKXdmTa3rW/WbyHs7WsXEeVK0PbTn40RMTjp9tQZAWzVb6isJQYDsh0H/bUaEhItbNrOYlmczgjxqftehsAudysWc0=
+Coefficient: sl2u/8vttxpiTbspGV4SsaDmKUNdzQH7BgJ5rl3mXPp/aUpLw0Sr7FuARy8W8tq3yVNi9qCOnvGwVl6aQzZP7b8N04KiH8gewlAVdSfxG24yFKJIQNbWGKFZYZFYyjtLVlpK6NYF0f0I1KpAjn58XR0qIBvRFZYWBAkggU9C7ro=
+Created: 20211221062130
+Publish: 20211221062130
+Activate: 20211221062130
diff --git a/bin/tests/system/dnssec/signer/general/bogus-ksk.key b/bin/tests/system/dnssec/signer/general/bogus-ksk.key
new file mode 100644
index 0000000..e468574
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/general/bogus-ksk.key
@@ -0,0 +1,6 @@
+;
+; This is a bogus key.  It will not have a .private file.
+;
+; This will be key id 23221
+;
+example.com. IN DNSKEY 257 3 10 AwEAAbcyptpM++pVjhpYQW2fVtyOw04IBSw4X0SYi/Ke4wVkmDNW2vBm AFkgiVVKmmNbb0IHDYQiIY7seXk0fjEwjzeY2bmeOAZxDdv2KT9VQpoY Matk2y4NTi6F/V04x0lL/CBvyifTeNbZKvY+S1eKFuWHeS5Ss8tiagz9 zdYWUe/msvmin+Hbs2tlLwXVl4hOmABCL9uK9H8R6GPL5VdEXYyFOh/v 71CNhRU5ufrARti69YYkfzH6NpWhlJWyJvDjqAdt2L3H8V71C2vcXbBu S5NscEYl+8JQfwUvOTN553I5IQrG+NQEusW36UM/Rkad8mMnUVM9Vzqk GH86GHKtLMc=
diff --git a/bin/tests/system/dnssec/signer/general/bogus-zsk.key b/bin/tests/system/dnssec/signer/general/bogus-zsk.key
new file mode 100644
index 0000000..aa45938
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/general/bogus-zsk.key
@@ -0,0 +1,6 @@
+;
+; This is a bogus key.  It will not have a .private file.
+;
+; This will be key id 48930
+;
+example.com. IN DNSKEY 256 3 10 AwEAAa/0IcnbGutPVkrz04tw5ZIYx6rU+FprB2rlKS8cTK/wiBOqbOC6 QIDdegDpZG1fOdj04ZQGa3pIizqC2CnlIWfxpfR6W+qSLRBuQ8gmwTmS c/Jy/0vAGB3fv3oVIqKslLNqIXZb3CKNiA2kGcut3aUgfeOW970Jga6z PAGKqPpPZTelW1Qy9N5BO4cRTuYo4uvbZveJv1W/2n5RN+UaeqU0f+AE DP0+wqSWNUfZsi6HygLwk08x3eO8PzTBlqBlAMfvNAygrmXqccMREyyH KEc5dVJ1qOXfj8BAdJUPmunyJhIwC9PxzOW7mn1lW7mZO2D5U/Jaxw2k eX2KblmVk8s=
diff --git a/bin/tests/system/dnssec/signer/general/test1.zone b/bin/tests/system/dnssec/signer/general/test1.zone
new file mode 100644
index 0000000..98c9f02
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/general/test1.zone
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+;	This is a zone which has two DNSKEY records, both of which have
+; existing private key files available.  They should be loaded automatically
+; and the zone correctly signed.
+;
+$TTL 3600
+example.com.	IN	SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+010+18240.key
+$include Kexample.com.+010+28633.key
diff --git a/bin/tests/system/dnssec/signer/general/test2.zone b/bin/tests/system/dnssec/signer/general/test2.zone
new file mode 100644
index 0000000..97c0d3d
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/general/test2.zone
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+;	This is a zone which has one non-KSK DNSKEY record for which the
+; private key file exists.  It should be loaded automatically and the zone
+; correctly signed.
+;
+$TTL 3600
+example.com.	IN	SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+010+18240.key
diff --git a/bin/tests/system/dnssec/signer/general/test3.zone b/bin/tests/system/dnssec/signer/general/test3.zone
new file mode 100644
index 0000000..bf9bc66
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/general/test3.zone
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+;       This is a zone which has one KSK DNSKEY record for which the
+; private key file exists.  It should be loaded automatically.  As there
+; is no non-KSK DNSKEY the resulting zone should be rejected.
+;
+$TTL 3600
+example.com.	IN	SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+010+28633.key
diff --git a/bin/tests/system/dnssec/signer/general/test4.zone b/bin/tests/system/dnssec/signer/general/test4.zone
new file mode 100644
index 0000000..9f05de5
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/general/test4.zone
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+;	This is a zone which has three DNSKEY records, two (KSK + ZSK) of
+; which have existing private key files available.  The third is a
+; pre-published ZSK.
+;
+$TTL 3600
+example.com.	IN	SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+010+18240.key
+$include Kexample.com.+010+28633.key
+$include bogus-zsk.key
diff --git a/bin/tests/system/dnssec/signer/general/test5.zone b/bin/tests/system/dnssec/signer/general/test5.zone
new file mode 100644
index 0000000..d61504f
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/general/test5.zone
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+;	This is a zone which has three DNSKEY records, two (KSK +ZSK) of which
+; have existing private key files available.  The third is a KSK.
+;
+$TTL 3600
+example.com.	IN	SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+010+18240.key
+$include Kexample.com.+010+28633.key
+$include bogus-ksk.key
diff --git a/bin/tests/system/dnssec/signer/general/test6.zone b/bin/tests/system/dnssec/signer/general/test6.zone
new file mode 100644
index 0000000..fcfb1ec
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/general/test6.zone
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+;	This is a zone which has four DNSKEY records, two (KK + ZSK) of which
+; have existing private key files available.  There are also a KSK and ZSK
+; for which there will be no signatures.
+;
+$TTL 3600
+example.com.	IN	SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+010+18240.key
+$include Kexample.com.+010+28633.key
+$include bogus-ksk.key
+$include bogus-zsk.key
diff --git a/bin/tests/system/dnssec/signer/general/test7.zone b/bin/tests/system/dnssec/signer/general/test7.zone
new file mode 100644
index 0000000..e52c535
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/general/test7.zone
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+;	This is a zone which has two DNSKEY records, none of which have
+; existing private key files available.  The resulting zone should fail
+; the consistency tests.
+;
+$TTL 3600
+example.com.	IN	SOA ns hostmaster 00090000 1200 3600 604800 300
+$include bogus-ksk.key
+$include bogus-zsk.key
diff --git a/bin/tests/system/dnssec/signer/general/test8.zone b/bin/tests/system/dnssec/signer/general/test8.zone
new file mode 100644
index 0000000..893d32d
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/general/test8.zone
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+;	This is a zone which has two DNSKEY records, one of which,
+; the KSK, has a private key.  The resulting zone should be rejected as
+; it has no ZSK signatures.
+;
+$TTL 3600
+example.com.	IN	SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+010+28633.key
+$include bogus-zsk.key
diff --git a/bin/tests/system/dnssec/signer/general/test9.zone b/bin/tests/system/dnssec/signer/general/test9.zone
new file mode 100644
index 0000000..14c47d0
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/general/test9.zone
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+;	This is a zone which has two DNSKEY records, both of which have
+; existing private key files available.  They should be loaded automatically
+; and the zone correctly signed.
+;
+$TTL 3600
+example.com.	IN	SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+008+63613.key
+$include Kexample.com.+008+15002.key
diff --git a/bin/tests/system/dnssec/signer/prepub.db.in b/bin/tests/system/dnssec/signer/prepub.db.in
new file mode 100644
index 0000000..946aac1
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/prepub.db.in
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 60
+prepub. 60 IN SOA prepub. . 0 0 0 0 0
+prepub. 60 IN NS prepub.
+prepub. 60 IN A 1.2.3.4
+; out of zone record
+out-of-zone. 60 IN A 1.2.3.4
diff --git a/bin/tests/system/dnssec/signer/remove.db.in b/bin/tests/system/dnssec/signer/remove.db.in
new file mode 100644
index 0000000..5629a42
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/remove.db.in
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 60
+remove. 60 IN SOA remove. . 0 0 0 0 0
+remove. 60 IN NS remove.
+remove. 60 IN A 1.2.3.4
+remove. 60 IN AAAA ::ffff:1.2.3.4
+remove. 60 IN MX 0 remove.
+$INCLUDE remove.db.signed
diff --git a/bin/tests/system/dnssec/signer/remove2.db.in b/bin/tests/system/dnssec/signer/remove2.db.in
new file mode 100644
index 0000000..b2962b9
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/remove2.db.in
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 60
+remove. 60 IN SOA remove. . 0 0 0 0 0
+remove. 60 IN NS remove.
+remove. 60 IN A 1.2.3.4
+$INCLUDE remove.db.signed
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
new file mode 100644
index 0000000..64927f3
--- /dev/null
+++ b/bin/tests/system/dnssec/tests.sh
@@ -0,0 +1,4441 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+SYSTEMTESTTOP=..
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+status=0
+n=1
+
+rm -f dig.out.*
+
+dig_with_opts() {
+    "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
+}
+
+dig_with_additionalopts() {
+    "$DIG" +noall +additional +dnssec -p "$PORT" "$@"
+}
+
+dig_with_answeropts() {
+    "$DIG" +noall +answer +dnssec -p "$PORT" "$@"
+}
+
+delv_with_opts() {
+    "$DELV" -a ns1/trusted.conf -p "$PORT" "$@"
+}
+
+rndccmd() {
+    "$RNDC" -c "$SYSTEMTESTTOP/common/rndc.conf" -p "$CONTROLPORT" -s "$@"
+}
+
+# TODO: Move loadkeys_on to conf.sh.common
+dnssec_loadkeys_on() {
+	nsidx=$1
+	zone=$2
+	nextpart ns${nsidx}/named.run > /dev/null
+	rndccmd 10.53.0.${nsidx} loadkeys ${zone} | sed "s/^/ns${nsidx} /" | cat_i
+	wait_for_log 20 "next key event" ns${nsidx}/named.run || return 1
+}
+
+# convert private-type records to readable form
+showprivate () {
+    echo "-- $* --"
+    dig_with_opts +nodnssec +short "@$2" -t type65534 "$1" | cut -f3 -d' ' |
+        while read -r record; do
+	    # shellcheck disable=SC2016
+            $PERL -e 'my $rdata = pack("H*", @ARGV[0]);
+                die "invalid record" unless length($rdata) == 5;
+                my ($alg, $key, $remove, $complete) = unpack("CnCC", $rdata);
+                my $action = "signing";
+                $action = "removing" if $remove;
+                my $state = " (incomplete)";
+                $state = " (complete)" if $complete;
+                print ("$action: alg: $alg, key: $key$state\n");' "$record"
+        done
+}
+
+# check that signing records are marked as complete
+checkprivate () {
+    for i in 1 2 3 4 5 6 7 8 9 10; do
+        showprivate "$@" | grep -q incomplete || return 0
+	sleep 1
+    done
+    echo_d "$1 signing incomplete"
+    return 1
+}
+
+# check that a zone file is raw format, version 0
+israw0 () {
+    # shellcheck disable=SC2016
+    < "$1" $PERL -e 'binmode STDIN;
+	             read(STDIN, $input, 8);
+	             ($style, $version) = unpack("NN", $input);
+	             exit 1 if ($style != 2 || $version != 0);'
+    return $?
+}
+
+# check that a zone file is raw format, version 1
+israw1 () {
+    # shellcheck disable=SC2016
+    < "$1" $PERL -e 'binmode STDIN;
+		     read(STDIN, $input, 8);
+                     ($style, $version) = unpack("NN", $input);
+                     exit 1 if ($style != 2 || $version != 1);'
+    return $?
+}
+
+# strip NS and RRSIG NS from input
+stripns () {
+    awk '($4 == "NS") || ($4 == "RRSIG" && $5 == "NS") { next} { print }' "$1"
+}
+
+#
+# Ensure there is not multiple consecutive blank lines.
+# Ensure there is a blank line before "Start view" and
+# "Negative trust anchors:".
+# Ensure there is not a blank line before "Secure roots:".
+#
+check_secroots_layout () {
+	tr -d '\r' < "$1" | \
+	awk '$0 == "" { if (empty) exit(1); empty=1; next }
+	     /Start view/ { if (!empty) exit(1) }
+	     /Secure roots:/ { if (empty) exit(1) }
+	     /Negative trust anchors:/ { if (!empty) exit(1) }
+	     { empty=0 }'
+	return $?
+}
+
+# Check that for a query against a validating resolver where the
+# authoritative zone is unsigned (insecure delegation), glue is returned
+# in the additional section
+echo_i "checking that additional glue is returned for unsigned delegation ($n)"
+ret=0
+$DIG +tcp +dnssec -p "$PORT" a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+grep "ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2" dig.out.ns4.test$n > /dev/null || ret=1
+grep "ns\\.insecure\\.example\\..*A.10\\.53\\.0\\.3" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Check the example. domain
+
+echo_i "checking that zone transfer worked ($n)"
+for i in 1 2 3 4 5 6 7 8 9
+do
+	ret=0
+	dig_with_opts a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
+	dig_with_opts a.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+	$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n > /dev/null || ret=1
+	[ "$ret" -eq 0 ] && break
+	sleep 1
+done
+digcomp dig.out.ns2.test$n dig.out.ns3.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# test AD bit:
+#  - dig +adflag asks for authentication (ad in response)
+echo_i "checking AD bit asking for validation ($n)"
+ret=0
+dig_with_opts +noauth +noadd +nodnssec +adflag a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
+dig_with_opts +noauth +noadd +nodnssec +adflag a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# test AD bit:
+#  - dig +noadflag
+echo_i "checking that AD is not set without +adflag or +dnssec ($n)"
+ret=0
+dig_with_opts +noauth +noadd +nodnssec +noadflag a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
+dig_with_opts +noauth +noadd +nodnssec +noadflag a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking for AD in authoritative answer ($n)"
+ret=0
+dig_with_opts a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking positive validation NSEC ($n)"
+ret=0
+dig_with_opts +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
+dig_with_opts +noauth a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that 'example/DS' from the referral was used in previous validation ($n)"
+ret=0
+grep "query 'example/DS/IN' approved" ns1/named.run > /dev/null && ret=1
+grep "fetch: example/DS" ns4/named.run > /dev/null && ret=1
+grep "validating example/DS: starting" ns4/named.run > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+if [ -x "${DELV}" ] ; then
+   ret=0
+   echo_i "checking positive validation NSEC using dns_client ($n)"
+   delv_with_opts @10.53.0.4 a a.example > delv.out$n || ret=1
+   grep "a.example..*10.0.0.1" delv.out$n > /dev/null || ret=1
+   grep "a.example..*.RRSIG.A [0-9][0-9]* 2 300 .*" delv.out$n > /dev/null || ret=1
+   n=$((n+1))
+   test "$ret" -eq 0 || echo_i "failed"
+   status=$((status+ret))
+
+   ret=0
+   echo_i "checking positive validation NSEC using dns_client (trusted-keys) ($n)"
+   "$DELV" -a ns1/trusted.keys -p "$PORT" @10.53.0.4 a a.example > delv.out$n || ret=1
+   grep "a.example..*10.0.0.1" delv.out$n > /dev/null || ret=1
+   grep "a.example..*.RRSIG.A [0-9][0-9]* 2 300 .*" delv.out$n > /dev/null || ret=1
+   n=$((n+1))
+   test "$ret" -eq 0 || echo_i "failed"
+   status=$((status+ret))
+fi
+
+echo_i "checking positive validation NSEC3 ($n)"
+ret=0
+dig_with_opts +noauth a.nsec3.example. \
+	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.nsec3.example. \
+	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+if [ -x "${DELV}" ] ; then
+   ret=0
+   echo_i "checking positive validation NSEC3 using dns_client ($n)"
+   delv_with_opts @10.53.0.4 a a.nsec3.example > delv.out$n || ret=1
+   grep "a.nsec3.example..*10.0.0.1" delv.out$n > /dev/null || ret=1
+   grep "a.nsec3.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n > /dev/null || ret=1
+   n=$((n+1))
+   test "$ret" -eq 0 || echo_i "failed"
+   status=$((status+ret))
+fi
+
+echo_i "checking positive validation OPTOUT ($n)"
+ret=0
+dig_with_opts +noauth a.optout.example. \
+	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.optout.example. \
+	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+SP="[[:space:]]+"
+
+if [ -x "${DELV}" ] ; then
+   ret=0
+   echo_i "checking positive validation OPTOUT using dns_client ($n)"
+   delv_with_opts @10.53.0.4 a a.optout.example > delv.out$n || ret=1
+   grep -Eq "^a\\.optout\\.example\\.""$SP""[0-9]+""$SP""IN""$SP""A""$SP""10.0.0.1" delv.out$n || ret=1
+   grep -Eq "^a\\.optout\\.example\\.""$SP""[0-9]+""$SP""IN""$SP""RRSIG""$SP""A""$SP""$DEFAULT_ALGORITHM_NUMBER""$SP""3""$SP""300" delv.out$n || ret=1
+   n=$((n+1))
+   test "$ret" -eq 0 || echo_i "failed"
+   status=$((status+ret))
+fi
+
+echo_i "checking positive wildcard validation NSEC ($n)"
+ret=0
+dig_with_opts a.wild.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+dig_with_opts a.wild.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+stripns dig.out.ns3.test$n > dig.out.ns3.stripped.test$n
+stripns dig.out.ns4.test$n > dig.out.ns4.stripped.test$n
+digcomp dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1
+grep "\\*\\.wild\\.example\\..*RRSIG	NSEC" dig.out.ns4.test$n > /dev/null || ret=1
+grep "\\*\\.wild\\.example\\..*NSEC	z\\.example" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+if [ -x "${DELV}" ] ; then
+   ret=0
+   echo_i "checking positive wildcard validation NSEC using dns_client ($n)"
+   delv_with_opts @10.53.0.4 a a.wild.example > delv.out$n || ret=1
+   grep "a.wild.example..*10.0.0.27" delv.out$n > /dev/null || ret=1
+   grep -E "a.wild.example..*RRSIG.A [0-9]+ 2 300.*" delv.out$n > /dev/null || ret=1
+   n=$((n+1))
+   test "$ret" -eq 0 || echo_i "failed"
+   status=$((status+ret))
+fi
+
+echo_i "checking positive wildcard answer NSEC3 ($n)"
+ret=0
+dig_with_opts a.wild.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+grep "AUTHORITY: 4," dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking positive wildcard answer NSEC3 ($n)"
+ret=0
+dig_with_opts a.wild.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+grep "AUTHORITY: 4," dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking positive wildcard validation NSEC3 ($n)"
+ret=0
+dig_with_opts a.wild.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+dig_with_opts a.wild.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+stripns dig.out.ns3.test$n > dig.out.ns3.stripped.test$n
+stripns dig.out.ns4.test$n > dig.out.ns4.stripped.test$n
+digcomp dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+if [ -x "${DELV}" ] ; then
+   ret=0
+   echo_i "checking positive wildcard validation NSEC3 using dns_client ($n)"
+   delv_with_opts @10.53.0.4 a a.wild.nsec3.example > delv.out$n || ret=1
+   grep -E "a.wild.nsec3.example..*10.0.0.6" delv.out$n > /dev/null || ret=1
+   grep -E "a.wild.nsec3.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n > /dev/null || ret=1
+   n=$((n+1))
+   test "$ret" -eq 0 || echo_i "failed"
+   status=$((status+ret))
+fi
+
+echo_i "checking positive wildcard validation OPTOUT ($n)"
+ret=0
+dig_with_opts a.wild.optout.example. \
+	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+dig_with_opts a.wild.optout.example. \
+	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+stripns dig.out.ns3.test$n > dig.out.ns3.stripped.test$n
+stripns dig.out.ns4.test$n > dig.out.ns4.stripped.test$n
+digcomp dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+if [ -x "${DELV}" ] ; then
+   ret=0
+   echo_i "checking positive wildcard validation OPTOUT using dns_client ($n)"
+   delv_with_opts @10.53.0.4 a a.wild.optout.example > delv.out$n || ret=1
+   grep "a.wild.optout.example..*10.0.0.6" delv.out$n > /dev/null || ret=1
+   grep "a.wild.optout.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n > /dev/null || ret=1
+   n=$((n+1))
+   test "$ret" -eq 0 || echo_i "failed"
+   status=$((status+ret))
+fi
+
+echo_i "checking negative validation NXDOMAIN NSEC ($n)"
+ret=0
+dig_with_opts +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
+dig_with_opts +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+if [ -x "${DELV}" ] ; then
+   ret=0
+   echo_i "checking negative validation NXDOMAIN NSEC using dns_client ($n)"
+   delv_with_opts @10.53.0.4 a q.example > delv.out$n 2>&1 || ret=1
+   grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1
+   n=$((n+1))
+   test "$ret" -eq 0 || echo_i "failed"
+   status=$((status+ret))
+fi
+
+echo_i "checking negative validation NXDOMAIN NSEC3 ($n)"
+ret=0
+dig_with_opts +noauth q.nsec3.example. \
+	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth q.nsec3.example. \
+	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+if [ -x "${DELV}" ] ; then
+   ret=0
+   echo_i "checking negative validation NXDOMAIN NSEC3 using dns_client ($n)"
+   delv_with_opts @10.53.0.4 a q.nsec3.example > delv.out$n 2>&1 || ret=1
+   grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1
+   n=$((n+1))
+   test "$ret" -eq 0 || echo_i "failed"
+   status=$((status+ret))
+fi
+
+echo_i "checking negative validation NXDOMAIN OPTOUT ($n)"
+ret=0
+dig_with_opts +noauth q.optout.example. \
+	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth q.optout.example. \
+	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+if [ -x "${DELV}" ] ; then
+   ret=0
+   echo_i "checking negative validation NXDOMAIN OPTOUT using dns_client ($n)"
+   delv_with_opts @10.53.0.4 a q.optout.example > delv.out$n 2>&1 || ret=1
+   grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1
+   n=$((n+1))
+   test "$ret" -eq 0 || echo_i "failed"
+   status=$((status+ret))
+fi
+
+echo_i "checking negative validation NODATA NSEC ($n)"
+ret=0
+dig_with_opts +noauth a.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
+dig_with_opts +noauth a.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+if [ -x "${DELV}" ] ; then
+   ret=0
+   echo_i "checking negative validation NODATA OPTOUT using dns_client ($n)"
+   delv_with_opts @10.53.0.4 txt a.example > delv.out$n 2>&1 || ret=1
+   grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1
+   n=$((n+1))
+   test "$ret" -eq 0 || echo_i "failed"
+   status=$((status+ret))
+fi
+
+echo_i "checking negative validation NODATA NSEC3 ($n)"
+ret=0
+dig_with_opts +noauth a.nsec3.example. \
+	@10.53.0.3 txt > dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.nsec3.example. \
+	@10.53.0.4 txt > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+if [ -x "${DELV}" ] ; then
+   ret=0
+   echo_i "checking negative validation NODATA NSEC3 using dns_client ($n)"
+   delv_with_opts @10.53.0.4 txt a.nsec3.example > delv.out$n 2>&1 || ret=1
+   grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1
+   n=$((n+1))
+   test "$ret" -eq 0 || echo_i "failed"
+   status=$((status+ret))
+fi
+
+echo_i "checking negative validation NODATA OPTOUT ($n)"
+ret=0
+dig_with_opts +noauth a.optout.example. \
+	@10.53.0.3 txt > dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.optout.example. \
+	@10.53.0.4 txt > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+if [ -x "${DELV}" ] ; then
+   ret=0
+   echo_i "checking negative validation NODATA OPTOUT using dns_client ($n)"
+   delv_with_opts @10.53.0.4 txt a.optout.example > delv.out$n 2>&1 || ret=1
+   grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1
+   n=$((n+1))
+   test "$ret" -eq 0 || echo_i "failed"
+   status=$((status+ret))
+fi
+
+echo_i "checking negative wildcard validation NSEC ($n)"
+ret=0
+dig_with_opts b.wild.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
+dig_with_opts b.wild.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+if [ -x "${DELV}" ] ; then
+   ret=0
+   echo_i "checking negative wildcard validation NSEC using dns_client ($n)"
+   delv_with_opts @10.53.0.4 txt b.wild.example > delv.out$n 2>&1 || ret=1
+   grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1
+   n=$((n+1))
+   test "$ret" -eq 0 || echo_i "failed"
+   status=$((status+ret))
+fi
+
+echo_i "checking negative wildcard validation NSEC3 ($n)"
+ret=0
+dig_with_opts b.wild.nsec3.example. @10.53.0.3 txt > dig.out.ns3.test$n || ret=1
+dig_with_opts b.wild.nsec3.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+if [ -x "${DELV}" ] ; then
+   ret=0
+   echo_i "checking negative wildcard validation NSEC3 using dns_client ($n)"
+   delv_with_opts @10.53.0.4 txt b.wild.nsec3.example > delv.out$n 2>&1 || ret=1
+   grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1
+   n=$((n+1))
+   test "$ret" -eq 0 || echo_i "failed"
+   status=$((status+ret))
+fi
+
+echo_i "checking negative wildcard validation OPTOUT ($n)"
+ret=0
+dig_with_opts b.wild.optout.example. \
+	@10.53.0.3 txt > dig.out.ns3.test$n || ret=1
+dig_with_opts b.wild.optout.example. \
+	@10.53.0.4 txt > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+if [ -x "${DELV}" ] ; then
+   ret=0
+   echo_i "checking negative wildcard validation OPTOUT using dns_client ($n)"
+   delv_with_opts @10.53.0.4 txt b.optout.nsec3.example > delv.out$n 2>&1 || ret=1
+   grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1
+   n=$((n+1))
+   test "$ret" -eq 0 || echo_i "failed"
+   status=$((status+ret))
+fi
+
+# Check the insecure.example domain
+
+echo_i "checking 1-server insecurity proof NSEC ($n)"
+ret=0
+dig_with_opts +noauth a.insecure.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+if [ -x "${DELV}" ] ; then
+   ret=0
+   echo_i "checking 1-server insecurity proof NSEC using dns_client ($n)"
+   delv_with_opts @10.53.0.4 a a.insecure.example > delv.out$n || ret=1
+   grep "a.insecure.example..*10.0.0.1" delv.out$n > /dev/null || ret=1
+   n=$((n+1))
+   test "$ret" -eq 0 || echo_i "failed"
+   status=$((status+ret))
+fi
+
+echo_i "checking 1-server insecurity proof NSEC3 ($n)"
+ret=0
+dig_with_opts +noauth a.insecure.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.insecure.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+if [ -x "${DELV}" ] ; then
+   ret=0
+   echo_i "checking 1-server insecurity proof NSEC3 using dns_client ($n)"
+   delv_with_opts @10.53.0.4 a a.insecure.nsec3.example > delv.out$n || ret=1
+   grep "a.insecure.nsec3.example..*10.0.0.1" delv.out$n > /dev/null || ret=1
+   n=$((n+1))
+   test "$ret" -eq 0 || echo_i "failed"
+   status=$((status+ret))
+fi
+
+echo_i "checking 1-server insecurity proof OPTOUT ($n)"
+ret=0
+dig_with_opts +noauth a.insecure.optout.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.insecure.optout.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+if [ -x "${DELV}" ] ; then
+   ret=0
+   echo_i "checking 1-server insecurity proof OPTOUT using dns_client ($n)"
+   delv_with_opts @10.53.0.4 a a.insecure.optout.example > delv.out$n || ret=1
+   grep "a.insecure.optout.example..*10.0.0.1" delv.out$n > /dev/null || ret=1
+   n=$((n+1))
+   test "$ret" -eq 0 || echo_i "failed"
+   status=$((status+ret))
+fi
+
+echo_i "checking 1-server negative insecurity proof NSEC ($n)"
+ret=0
+dig_with_opts q.insecure.example. a @10.53.0.3 \
+	> dig.out.ns3.test$n || ret=1
+dig_with_opts q.insecure.example. a @10.53.0.4 \
+	> dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+if [ -x "${DELV}" ] ; then
+   ret=0
+   echo_i "checking 1-server negative insecurity proof NSEC using dns_client ($n)"
+   delv_with_opts @10.53.0.4 a q.insecure.example > delv.out$n 2>&1 || ret=1
+   grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1
+   n=$((n+1))
+   test "$ret" -eq 0 || echo_i "failed"
+   status=$((status+ret))
+fi
+
+echo_i "checking 1-server negative insecurity proof NSEC3 ($n)"
+ret=0
+dig_with_opts q.insecure.nsec3.example. a @10.53.0.3 \
+	> dig.out.ns3.test$n || ret=1
+dig_with_opts q.insecure.nsec3.example. a @10.53.0.4 \
+	> dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+if [ -x "${DELV}" ] ; then
+   ret=0
+   echo_i "checking 1-server negative insecurity proof NSEC3 using dns_client ($n)"
+   delv_with_opts @10.53.0.4 a q.insecure.nsec3.example > delv.out$n 2>&1 || ret=1
+   grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1
+   n=$((n+1))
+   test "$ret" -eq 0 || echo_i "failed"
+   status=$((status+ret))
+fi
+
+echo_i "checking 1-server negative insecurity proof OPTOUT ($n)"
+ret=0
+dig_with_opts q.insecure.optout.example. a @10.53.0.3 \
+	> dig.out.ns3.test$n || ret=1
+dig_with_opts q.insecure.optout.example. a @10.53.0.4 \
+	> dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+if [ -x "${DELV}" ] ; then
+   ret=0
+   echo_i "checking 1-server negative insecurity proof OPTOUT using dns_client ($n)"
+   delv_with_opts @10.53.0.4 a q.insecure.optout.example > delv.out$n 2>&1 || ret=1
+   grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1
+   n=$((n+1))
+   test "$ret" -eq 0 || echo_i "failed"
+   status=$((status+ret))
+fi
+
+echo_i "checking 1-server negative insecurity proof with SOA hack NSEC ($n)"
+ret=0
+dig_with_opts r.insecure.example. soa @10.53.0.3 \
+	> dig.out.ns3.test$n || ret=1
+dig_with_opts r.insecure.example. soa @10.53.0.4 \
+	> dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+grep "0	IN	SOA" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking 1-server negative insecurity proof with SOA hack NSEC3 ($n)"
+ret=0
+dig_with_opts r.insecure.nsec3.example. soa @10.53.0.3 \
+	> dig.out.ns3.test$n || ret=1
+dig_with_opts r.insecure.nsec3.example. soa @10.53.0.4 \
+	> dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+grep "0	IN	SOA" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking 1-server negative insecurity proof with SOA hack OPTOUT ($n)"
+ret=0
+dig_with_opts r.insecure.optout.example. soa @10.53.0.3 \
+	> dig.out.ns3.test$n || ret=1
+dig_with_opts r.insecure.optout.example. soa @10.53.0.4 \
+	> dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+grep "0	IN	SOA" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Check the secure.example domain
+
+echo_i "checking multi-stage positive validation NSEC/NSEC ($n)"
+ret=0
+dig_with_opts +noauth a.secure.example. \
+	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.secure.example. \
+	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking multi-stage positive validation NSEC/NSEC3 ($n)"
+ret=0
+dig_with_opts +noauth a.nsec3.example. \
+	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.nsec3.example. \
+	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking multi-stage positive validation NSEC/OPTOUT ($n)"
+ret=0
+dig_with_opts +noauth a.optout.example. \
+	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.optout.example. \
+	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking multi-stage positive validation NSEC3/NSEC ($n)"
+ret=0
+dig_with_opts +noauth a.secure.nsec3.example. \
+	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.secure.nsec3.example. \
+	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking multi-stage positive validation NSEC3/NSEC3 ($n)"
+ret=0
+dig_with_opts +noauth a.nsec3.nsec3.example. \
+	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.nsec3.nsec3.example. \
+	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking multi-stage positive validation NSEC3/OPTOUT ($n)"
+ret=0
+dig_with_opts +noauth a.optout.nsec3.example. \
+	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.optout.nsec3.example. \
+	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking multi-stage positive validation OPTOUT/NSEC ($n)"
+ret=0
+dig_with_opts +noauth a.secure.optout.example. \
+	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.secure.optout.example. \
+	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking multi-stage positive validation OPTOUT/NSEC3 ($n)"
+ret=0
+dig_with_opts +noauth a.nsec3.optout.example. \
+	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.nsec3.optout.example. \
+	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking multi-stage positive validation OPTOUT/OPTOUT ($n)"
+ret=0
+dig_with_opts +noauth a.optout.optout.example. \
+	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.optout.optout.example. \
+	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking empty NODATA OPTOUT ($n)"
+ret=0
+dig_with_opts +noauth empty.optout.example. \
+	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth empty.optout.example. \
+	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+#grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Check the bogus domain
+
+echo_i "checking failed validation ($n)"
+ret=0
+dig_with_opts a.bogus.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+if [ -x "${DELV}" ] ; then
+   ret=0
+   echo_i "checking failed validation using dns_client ($n)"
+   delv_with_opts +cd @10.53.0.4 a a.bogus.example > delv.out$n 2>&1 || ret=1
+   grep "resolution failed: RRSIG failed to verify" delv.out$n > /dev/null || ret=1
+   n=$((n+1))
+   test "$ret" -eq 0 || echo_i "failed"
+   status=$((status+ret))
+fi
+
+# Try validating with a bad trusted key.
+# This should fail.
+
+echo_i "checking that validation fails with a misconfigured trusted key ($n)"
+ret=0
+dig_with_opts example. soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that negative validation fails with a misconfigured trusted key ($n)"
+ret=0
+dig_with_opts example. ptr @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that insecurity proofs fail with a misconfigured trusted key ($n)"
+ret=0
+dig_with_opts a.insecure.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that validation fails when key record is missing ($n)"
+ret=0
+dig_with_opts a.b.keyless.example. a @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+if [ -x "${DELV}" ] ; then
+   ret=0
+   echo_i "checking that validation fails when key record is missing using dns_client ($n)"
+   delv_with_opts +cd @10.53.0.4 a a.b.keyless.example > delv.out$n 2>&1 || ret=1
+   grep "resolution failed: insecurity proof failed" delv.out$n > /dev/null || ret=1
+   n=$((n+1))
+   test "$ret" -eq 0 || echo_i "failed"
+   status=$((status+ret))
+fi
+
+echo_i "checking that validation succeeds when a revoked key is encountered ($n)"
+ret=0
+dig_with_opts revkey.example soa @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags: .* ad" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+if [ -x "${DELV}" ] ; then
+   ret=0
+   echo_i "checking that validation succeeds when a revoked key is encountered using dns_client ($n)"
+   delv_with_opts +cd @10.53.0.4 soa revkey.example > delv.out$n 2>&1 || ret=1
+   grep "fully validated" delv.out$n > /dev/null || ret=1
+   n=$((n+1))
+   test "$ret" -eq 0 || echo_i "failed"
+   status=$((status+ret))
+fi
+
+echo_i "Checking that a bad CNAME signature is caught after a +CD query ($n)"
+ret=0
+#prime
+dig_with_opts +cd bad-cname.example. @10.53.0.4 > dig.out.ns4.prime$n || ret=1
+#check: requery with +CD.  pending data should be returned even if it's bogus
+expect="a.example.
+10.0.0.1"
+ans=$(dig_with_opts +cd +nodnssec +short bad-cname.example. @10.53.0.4) || ret=1
+test "$ans" = "$expect" || ret=1
+test "$ret" -eq 0 || echo_i "failed, got '$ans', expected '$expect'"
+#check: requery without +CD.  bogus cached data should be rejected.
+dig_with_opts +nodnssec bad-cname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "Checking that a bad DNAME signature is caught after a +CD query ($n)"
+ret=0
+#prime
+dig_with_opts +cd a.bad-dname.example. @10.53.0.4 > dig.out.ns4.prime$n || ret=1
+#check: requery with +CD.  pending data should be returned even if it's bogus
+expect="example.
+a.example.
+10.0.0.1"
+ans=$(dig_with_opts +cd +nodnssec +short a.bad-dname.example. @10.53.0.4) || ret=1
+test "$ans" = "$expect" || ret=1
+test "$ret" -eq 0 || echo_i "failed, got '$ans', expected '$expect'"
+#check: requery without +CD.  bogus cached data should be rejected.
+dig_with_opts +nodnssec a.bad-dname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Check the insecure.secure.example domain (insecurity proof)
+
+echo_i "checking 2-server insecurity proof ($n)"
+ret=0
+dig_with_opts +noauth a.insecure.secure.example. @10.53.0.2 a \
+	> dig.out.ns2.test$n || ret=1
+dig_with_opts +noauth a.insecure.secure.example. @10.53.0.4 a \
+	> dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Check a negative response in insecure.secure.example
+
+echo_i "checking 2-server insecurity proof with a negative answer ($n)"
+ret=0
+dig_with_opts q.insecure.secure.example. @10.53.0.2 a > dig.out.ns2.test$n \
+	|| ret=1
+dig_with_opts q.insecure.secure.example. @10.53.0.4 a > dig.out.ns4.test$n \
+	|| ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking 2-server insecurity proof with a negative answer and SOA hack ($n)"
+ret=0
+dig_with_opts r.insecure.secure.example. @10.53.0.2 soa > dig.out.ns2.test$n \
+	|| ret=1
+dig_with_opts r.insecure.secure.example. @10.53.0.4 soa > dig.out.ns4.test$n \
+	|| ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Check that the query for a security root is successful and has ad set
+
+echo_i "checking security root query ($n)"
+ret=0
+dig_with_opts . @10.53.0.4 key > dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Check that the setting the cd bit works
+
+echo_i "checking cd bit on a positive answer ($n)"
+ret=0
+dig_with_opts +noauth example. soa @10.53.0.4 \
+	> dig.out.ns4.test$n || ret=1
+dig_with_opts +noauth +cdflag example. soa @10.53.0.5 \
+	> dig.out.ns5.test$n || ret=1
+digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking cd bit on a negative answer ($n)"
+ret=0
+dig_with_opts q.example. soa @10.53.0.4 > dig.out.ns4.test$n || ret=1
+dig_with_opts +cdflag q.example. soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
+digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking insecurity proof works using negative cache ($n)"
+ret=0
+rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i
+dig_with_opts +cd @10.53.0.4 insecure.example. ds > dig.out.ns4.test$n.1 || ret=1
+for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
+do
+        dig_with_opts @10.53.0.4 nonexistent.insecure.example. > dig.out.ns4.test$n.2 || ret=1
+	if grep "status: NXDOMAIN" dig.out.ns4.test$n.2 >/dev/null; then
+		break
+	fi
+	sleep 1
+done
+grep "status: NXDOMAIN" dig.out.ns4.test$n.2 >/dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking positive validation RSASHA256 NSEC ($n)"
+ret=0
+dig_with_opts +noauth a.rsasha256.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.rsasha256.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking positive validation RSASHA512 NSEC ($n)"
+ret=0
+dig_with_opts +noauth a.rsasha512.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.rsasha512.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking positive validation with KSK-only DNSKEY signature ($n)"
+ret=0
+dig_with_opts +noauth a.kskonly.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.kskonly.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking cd bit on a query that should fail ($n)"
+ret=0
+dig_with_opts a.bogus.example. soa @10.53.0.4 \
+	> dig.out.ns4.test$n || ret=1
+dig_with_opts +cdflag a.bogus.example. soa @10.53.0.5 \
+	> dig.out.ns5.test$n || ret=1
+digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking cd bit on an insecurity proof ($n)"
+ret=0
+dig_with_opts +noauth a.insecure.example. soa @10.53.0.4 \
+	> dig.out.ns4.test$n || ret=1
+dig_with_opts +noauth +cdflag a.insecure.example. soa @10.53.0.5 \
+	> dig.out.ns5.test$n || ret=1
+digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - these are looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking cd bit on a negative insecurity proof ($n)"
+ret=0
+dig_with_opts q.insecure.example. a @10.53.0.4 \
+	> dig.out.ns4.test$n || ret=1
+dig_with_opts +cdflag q.insecure.example. a @10.53.0.5 \
+	> dig.out.ns5.test$n || ret=1
+digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - these are looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that validation of an ANY query works ($n)"
+ret=0
+dig_with_opts +noauth foo.example. any @10.53.0.2 > dig.out.ns2.test$n || ret=1
+dig_with_opts +noauth foo.example. any @10.53.0.4 > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+# 2 records in the zone, 1 NXT, 3 SIGs
+grep "ANSWER: 6" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that validation of a query returning a CNAME works ($n)"
+ret=0
+dig_with_opts +noauth cname1.example. txt @10.53.0.2 \
+	> dig.out.ns2.test$n || ret=1
+dig_with_opts +noauth cname1.example. txt @10.53.0.4 \
+	> dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+# the CNAME & its sig, the TXT and its SIG
+grep "ANSWER: 4" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that validation of a query returning a DNAME works ($n)"
+ret=0
+dig_with_opts +noauth foo.dname1.example. txt @10.53.0.2 \
+	> dig.out.ns2.test$n || ret=1
+dig_with_opts +noauth foo.dname1.example. txt @10.53.0.4 \
+	> dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+# The DNAME & its sig, the TXT and its SIG, and the synthesized CNAME.
+# It would be nice to test that the CNAME is being synthesized by the
+# recursive server and not cached, but I don't know how.
+grep "ANSWER: 5" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that validation of an ANY query returning a CNAME works ($n)"
+ret=0
+dig_with_opts +noauth cname2.example. any @10.53.0.2 \
+	> dig.out.ns2.test$n || ret=1
+dig_with_opts +noauth cname2.example. any @10.53.0.4 \
+	> dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+# The CNAME, NXT, and their SIGs
+grep "ANSWER: 4" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that validation of an ANY query returning a DNAME works ($n)"
+ret=0
+dig_with_opts +noauth foo.dname2.example. any @10.53.0.2 \
+	> dig.out.ns2.test$n || ret=1
+dig_with_opts +noauth foo.dname2.example. any @10.53.0.4 \
+	> dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that lookups succeed after disabling an algorithm ($n)"
+ret=0
+dig_with_opts +noauth example. SOA @10.53.0.2 \
+	> dig.out.ns2.test$n || ret=1
+dig_with_opts +noauth example. SOA @10.53.0.6 \
+	> dig.out.ns6.test$n || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns6.test$n || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns6.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking a non-cachable NODATA works ($n)"
+ret=0
+dig_with_opts +noauth a.nosoa.secure.example. txt @10.53.0.7 \
+	> dig.out.ns7.test$n || ret=1
+grep "AUTHORITY: 0" dig.out.ns7.test$n > /dev/null || ret=1
+dig_with_opts +noauth a.nosoa.secure.example. txt @10.53.0.4 \
+	> dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking a non-cachable NXDOMAIN works ($n)"
+ret=0
+dig_with_opts +noauth b.nosoa.secure.example. txt @10.53.0.7 \
+	> dig.out.ns7.test$n || ret=1
+grep "AUTHORITY: 0" dig.out.ns7.test$n > /dev/null || ret=1
+dig_with_opts +noauth b.nosoa.secure.example. txt @10.53.0.4 \
+	> dig.out.ns4.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that we can load a rfc2535 signed zone ($n)"
+ret=0
+dig_with_opts rfc2535.example. SOA @10.53.0.2 \
+	> dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that we can transfer a rfc2535 signed zone ($n)"
+ret=0
+dig_with_opts rfc2535.example. SOA @10.53.0.3 \
+	> dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "basic dnssec-signzone checks:"
+echo_ic "two DNSKEYs ($n)"
+ret=0
+(
+cd signer/general || exit 1
+rm -f signed.zone
+$SIGNER -f signed.zone -o example.com. test1.zone > signer.out.$n
+test -f signed.zone
+) || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_ic "one non-KSK DNSKEY ($n)"
+ret=0
+(
+cd signer/general || exit 0
+rm -f signed.zone
+$SIGNER -f signed.zone -o example.com. test2.zone > signer.out.$n
+test -f signed.zone
+) && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_ic "one KSK DNSKEY ($n)"
+ret=0
+(
+cd signer/general || exit 0
+rm -f signed.zone
+$SIGNER -f signed.zone -o example.com. test3.zone > signer.out.$n
+test -f signed.zone
+) && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_ic "three DNSKEY ($n)"
+ret=0
+(
+cd signer/general || exit 1
+rm -f signed.zone
+$SIGNER -f signed.zone -o example.com. test4.zone > signer.out.$n
+test -f signed.zone
+) || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_ic "three DNSKEY, one private key missing ($n)"
+ret=0
+(
+cd signer/general || exit 1
+rm -f signed.zone
+$SIGNER -f signed.zone -o example.com. test5.zone > signer.out.$n
+test -f signed.zone
+) || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_ic "four DNSKEY ($n)"
+ret=0
+(
+cd signer/general || exit 1
+rm -f signed.zone
+$SIGNER -f signed.zone -o example.com. test6.zone > signer.out.$n
+test -f signed.zone
+) || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_ic "two DNSKEY, both private keys missing ($n)"
+ret=0
+(
+cd signer/general || exit 0
+rm -f signed.zone
+$SIGNER -f signed.zone -o example.com. test7.zone > signer.out.$n
+test -f signed.zone
+) && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_ic "two DNSKEY, one private key missing ($n)"
+ret=0
+(
+cd signer/general || exit 0
+rm -f signed.zone
+$SIGNER -f signed.zone -o example.com. test8.zone > signer.out.$n
+test -f signed.zone
+) && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_ic "check that dnssec-signzone rejects excessive NSEC3 iterations ($n)"
+ret=0
+(
+cd signer/general || exit 0
+rm -f signed.zone
+$SIGNER -f signed.zone -3 - -H 151 -o example.com. test9.zone > signer.out.$n
+test -f signed.zone
+) && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_ic "check that dnssec-signzone accepts maximum NSEC3 iterations ($n)"
+ret=0
+(
+cd signer/general || exit 1
+rm -f signed.zone
+$SIGNER -f signed.zone -3 - -H 150 -o example.com. test9.zone > signer.out.$n
+test -f signed.zone
+) || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+get_default_algorithm_key_ids_from_sigs() {
+	zone=$1
+
+	tr -d '\r' < signer/$zone.db.signed | \
+	awk -v alg=$DEFAULT_ALGORITHM_NUMBER '
+		NF < 8 { next }
+		$(NF-5) != "RRSIG" { next }
+		$(NF-3) != alg { next }
+		$NF != "(" { next }
+		{
+			getline;
+			print $3;
+		}
+	' | \
+	sort -u
+}
+
+# Test dnssec-signzone ZSK prepublish smooth rollover.
+echo_i "check dnssec-signzone doesn't sign with prepublished zsk ($n)"
+ret=0
+zone=prepub
+# Generate keys.
+ksk=$("$KEYGEN" -K signer -f KSK -q -a $DEFAULT_ALGORITHM -n zone "$zone")
+zsk1=$("$KEYGEN" -K signer -q -a $DEFAULT_ALGORITHM -n zone "$zone")
+zsk2=$("$KEYGEN" -K signer -q -a $DEFAULT_ALGORITHM -n zone "$zone")
+zskid1=$(keyfile_to_key_id "$zsk1")
+zskid2=$(keyfile_to_key_id "$zsk2")
+(
+cd signer || exit 1
+# Set times such that the current set of keys are introduced 60 days ago and
+# start signing now. The successor key is prepublished now and will be active
+# next day.
+$SETTIME -P now-60d -A now $ksk > /dev/null
+$SETTIME -P now-60d -A now -I now+1d -D now+60d $zsk1 > /dev/null
+$SETTIME -S $zsk1 -i 1h $zsk2.key > /dev/null
+$SETTIME -P now -A now+1d $zsk2.key > /dev/null
+# Sign the zone with initial keys and prepublish successor. The zone signatures
+# are valid for 30 days and the DNSKEY signature is valid for 60 days.
+cp -f $zone.db.in $zone.db
+$SIGNER -SDx -e +2592000 -X +5184000 -o $zone $zone.db > /dev/null
+echo "\$INCLUDE \"$zone.db.signed\"" >> $zone.db
+)
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" > /dev/null || ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed: missing signatures from key $zskid1"
+status=$((status+ret))
+
+echo_i "check dnssec-signzone retains signatures of predecessor zsk ($n)"
+ret=0
+zone=prepub
+(
+cd signer || exit 1
+# Roll the ZSK. The predecessor is inactive from now on and the successor is
+# activated. The zone signatures are valid for 30 days and the DNSKEY
+# signature is valid for 60 days. Because of the predecessor/successor
+# relationship, the signatures of the predecessor are retained and no new
+# signatures with the successor should be generated.
+$SETTIME -A now-30d -I now -D now+30d $zsk1 > /dev/null
+$SETTIME -A now $zsk2 > /dev/null
+$SIGNER -SDx -e +2592000 -X +5184000 -o $zone $zone.db > /dev/null
+)
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" > /dev/null || ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check dnssec-signzone swaps zone signatures after interval ($n)"
+ret=0
+zone=prepub
+(
+cd signer || exit 1
+# After some time the signatures should be replaced. When signing, set the
+# interval to 30 days plus one second, meaning all predecessor signatures
+# are within the refresh interval and should be replaced with successor
+# signatures.
+$SETTIME -A now-50d -I now-20d -D now+10d $zsk1 > /dev/null
+$SETTIME -A now-20d $zsk2 > /dev/null
+$SIGNER -SDx -e +2592000 -X +5184000 -i 2592001 -o $zone $zone.db > /dev/null
+)
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" > /dev/null && ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that a key using an unsupported algorithm cannot be generated ($n)"
+ret=0
+zone=example
+# If dnssec-keygen fails, the test script will exit immediately.  Prevent that
+# from happening, and also trigger a test failure if dnssec-keygen unexpectedly
+# succeeds, by using "&& ret=1".
+$KEYGEN -a 255 $zone > dnssectools.out.test$n 2>&1 && ret=1
+grep -q "unsupported algorithm: 255" dnssectools.out.test$n || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that a DS record cannot be generated for a key using an unsupported algorithm ($n)"
+ret=0
+zone=example
+# Fake an unsupported algorithm key
+unsupportedkey=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${unsupportedkey}.key > ${unsupportedkey}.tmp
+mv ${unsupportedkey}.tmp ${unsupportedkey}.key
+# If dnssec-dsfromkey fails, the test script will exit immediately.  Prevent
+# that from happening, and also trigger a test failure if dnssec-dsfromkey
+# unexpectedly succeeds, by using "&& ret=1".
+$DSFROMKEY ${unsupportedkey} > dnssectools.out.test$n 2>&1 && ret=1
+grep -q "algorithm is unsupported" dnssectools.out.test$n || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that a zone cannot be signed with a key using an unsupported algorithm ($n)"
+ret=0
+ret=0
+cat signer/example.db.in "${unsupportedkey}.key" > signer/example.db
+# If dnssec-signzone fails, the test script will exit immediately.  Prevent that
+# from happening, and also trigger a test failure if dnssec-signzone
+# unexpectedly succeeds, by using "&& ret=1".
+$SIGNER -o example signer/example.db ${unsupportedkey} > dnssectools.out.test$n 2>&1 && ret=1
+grep -q "algorithm is unsupported" dnssectools.out.test$n || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that we can sign a zone with out-of-zone records ($n)"
+ret=0
+zone=example
+key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone)
+key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM -n zone $zone)
+(
+cd signer || exit 1
+cat example.db.in "$key1.key" "$key2.key" > example.db
+$SIGNER -o example -f example.db example.db > /dev/null
+) || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that we can sign a zone (NSEC3) with out-of-zone records ($n)"
+ret=0
+zone=example
+key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone)
+key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM -n zone $zone)
+(
+cd signer || exit 1
+cat example.db.in "$key1.key" "$key2.key" > example.db
+$SIGNER -3 - -H 10 -o example -f example.db example.db > /dev/null
+awk '/^IQF9LQTLK/ {
+		printf("%s", $0);
+		while (!index($0, ")")) {
+			if (getline <= 0)
+				break;
+			printf (" %s", $0);
+		}
+		printf("\n");
+	}' example.db | sed 's/[ 	][ 	]*/ /g' > nsec3param.out
+
+grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out > /dev/null
+) || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking NSEC3 signing with empty nonterminals above a delegation ($n)"
+ret=0
+zone=example
+key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone)
+key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM -n zone $zone)
+(
+cd signer || exit 1
+cat example.db.in "$key1.key" "$key2.key" > example3.db
+echo "some.empty.nonterminal.nodes.example 60 IN NS ns.example.tld" >> example3.db
+$SIGNER -3 - -A -H 10 -o example -f example3.db example3.db > /dev/null
+awk '/^IQF9LQTLK/ {
+		printf("%s", $0);
+		while (!index($0, ")")) {
+			if (getline <= 0)
+				break;
+			printf (" %s", $0);
+		}
+		printf("\n");
+	}' example.db | sed 's/[ 	][ 	]*/ /g' > nsec3param.out
+
+grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out > /dev/null
+) || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that dnssec-signzone updates originalttl on ttl changes ($n)"
+ret=0
+zone=example
+key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone)
+key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM -n zone $zone)
+(
+cd signer || exit 1
+cat example.db.in "$key1.key" "$key2.key" > example.db
+$SIGNER -o example -f example.db.before example.db > /dev/null
+sed 's/60.IN.SOA./50 IN SOA /' example.db.before > example.db.changed
+$SIGNER -o example -f example.db.after example.db.changed > /dev/null
+)
+grep "SOA $DEFAULT_ALGORITHM_NUMBER 1 50" signer/example.db.after > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking dnssec-signzone keeps valid signatures from removed keys ($n)"
+ret=0
+zone=example
+key1=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM -n zone $zone)
+key2=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone)
+keyid2=$(keyfile_to_key_id "$key2")
+key3=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone)
+keyid3=$(keyfile_to_key_id "$key3")
+(
+cd signer || exit 1
+cat example.db.in "$key1.key" "$key2.key" > example.db
+$SIGNER -D -o example example.db > /dev/null
+
+# now switch out key2 for key3 and resign the zone
+cat example.db.in "$key1.key" "$key3.key" > example.db
+echo "\$INCLUDE \"example.db.signed\"" >> example.db
+$SIGNER -D -o example example.db > /dev/null
+) || ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" > /dev/null || ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking dnssec-signzone -R purges signatures from removed keys ($n)"
+ret=0
+(
+cd signer || exit 1
+$SIGNER -RD -o example example.db > /dev/null
+) || ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" > /dev/null && ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking dnssec-signzone keeps valid signatures from inactive keys ($n)"
+ret=0
+zone=example
+(
+cd signer || exit 1
+cp -f example.db.in example.db
+$SIGNER -SD -o example example.db > /dev/null
+echo "\$INCLUDE \"example.db.signed\"" >> example.db
+# now retire key2 and resign the zone
+$SETTIME -I now "$key2" > /dev/null 2>&1
+$SIGNER -SD -o example example.db > /dev/null
+) || ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" > /dev/null || ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking dnssec-signzone -Q purges signatures from inactive keys ($n)"
+ret=0
+(
+cd signer || exit 1
+$SIGNER -SDQ -o example example.db > /dev/null
+) || ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" > /dev/null && ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking dnssec-signzone retains unexpired signatures ($n)"
+ret=0
+(
+cd signer || exit 1
+$SIGNER -Sxt -o example example.db > signer.out.1
+$SIGNER -Sxt -o example -f example.db.signed example.db.signed > signer.out.2
+) || ret=1
+gen1=$(awk '/generated/ {print $3}' signer/signer.out.1)
+retain1=$(awk '/retained/ {print $3}' signer/signer.out.1)
+gen2=$(awk '/generated/ {print $3}' signer/signer.out.2)
+retain2=$(awk '/retained/ {print $3}' signer/signer.out.2)
+drop2=$(awk '/dropped/ {print $3}' signer/signer.out.2)
+[ "$retain2" -eq $((gen1+retain1)) ] || ret=1
+[ "$gen2" -eq 0 ] || ret=1
+[ "$drop2" -eq 0 ] || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking dnssec-signzone purges RRSIGs from formerly-owned glue (nsec) ($n)"
+ret=0
+(
+cd signer || exit 1
+# remove NSEC-only keys
+rm -f Kexample.+005*
+cp -f example.db.in example2.db
+cat << EOF >> example2.db
+sub1.example. IN A 10.53.0.1
+ns.sub2.example. IN A 10.53.0.2
+EOF
+echo "\$INCLUDE \"example2.db.signed\"" >> example2.db
+touch example2.db.signed
+$SIGNER -DS -O full -f example2.db.signed -o example example2.db > /dev/null
+) || ret=1
+grep "^sub1\\.example\\..*RRSIG[ 	]A[ 	]" signer/example2.db.signed > /dev/null 2>&1 || ret=1
+grep "^ns\\.sub2\\.example\\..*RRSIG[ 	]A[ 	]" signer/example2.db.signed > /dev/null 2>&1 || ret=1
+(
+cd signer || exit 1
+cp -f example.db.in example2.db
+cat << EOF >> example2.db
+sub1.example. IN NS sub1.example.
+sub1.example. IN A 10.53.0.1
+sub2.example. IN NS ns.sub2.example.
+ns.sub2.example. IN A 10.53.0.2
+EOF
+echo "\$INCLUDE \"example2.db.signed\"" >> example2.db
+$SIGNER -DS -O full -f example2.db.signed -o example example2.db > /dev/null
+) || ret=1
+grep "^sub1\\.example\\..*RRSIG[ 	]A[ 	]" signer/example2.db.signed > /dev/null 2>&1 && ret=1
+grep "^ns\\.sub2\\.example\\..*RRSIG[ 	]A[ 	]" signer/example2.db.signed > /dev/null 2>&1 && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking dnssec-signzone purges RRSIGs from formerly-owned glue (nsec3) ($n)"
+ret=0
+(
+cd signer || exit 1
+rm -f example2.db.signed
+cp -f example.db.in example2.db
+cat << EOF >> example2.db
+sub1.example. IN A 10.53.0.1
+ns.sub2.example. IN A 10.53.0.2
+EOF
+echo "\$INCLUDE \"example2.db.signed\"" >> example2.db
+touch example2.db.signed
+$SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db > /dev/null
+) || ret=1
+grep "^sub1\\.example\\..*RRSIG[ 	]A[ 	]" signer/example2.db.signed > /dev/null 2>&1 || ret=1
+grep "^ns\\.sub2\\.example\\..*RRSIG[ 	]A[ 	]" signer/example2.db.signed > /dev/null 2>&1 || ret=1
+(
+cd signer || exit 1
+cp -f example.db.in example2.db
+cat << EOF >> example2.db
+sub1.example. IN NS sub1.example.
+sub1.example. IN A 10.53.0.1
+sub2.example. IN NS ns.sub2.example.
+ns.sub2.example. IN A 10.53.0.2
+EOF
+echo "\$INCLUDE \"example2.db.signed\"" >> example2.db
+$SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db > /dev/null
+) || ret=1
+grep "^sub1\\.example\\..*RRSIG[ 	]A[ 	]" signer/example2.db.signed > /dev/null 2>&1 && ret=1
+grep "^ns\\.sub2\\.example\\..*RRSIG[ 	]A[ 	]" signer/example2.db.signed > /dev/null 2>&1 && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking dnssec-signzone output format ($n)"
+ret=0
+(
+cd signer || exit 1
+$SIGNER -O full -f - -Sxt -o example example.db > signer.out.3 2> /dev/null
+$SIGNER -O text -f - -Sxt -o example example.db > signer.out.4 2> /dev/null
+$SIGNER -O raw -f signer.out.5 -Sxt -o example example.db > /dev/null
+$SIGNER -O raw=0 -f signer.out.6 -Sxt -o example example.db > /dev/null
+$SIGNER -O raw -f - -Sxt -o example example.db > signer.out.7 2> /dev/null
+) || ret=1
+awk 'BEGIN { found = 0; }
+     $1 == "example." && $3 == "IN" && $4 == "SOA" { found = 1; if (NF != 11) exit(1); }
+     END { if (!found) exit(1); }' signer/signer.out.3 || ret=1
+awk 'BEGIN { found = 0; }
+     $1 == "example." && $3 == "IN" && $4 == "SOA" { found = 1; if (NF != 7) exit(1); }
+     END { if (!found) exit(1); }' signer/signer.out.4 || ret=1
+israw1 signer/signer.out.5 || ret=1
+israw0 signer/signer.out.6 || ret=1
+israw1 signer/signer.out.7 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking TTLs are capped by dnssec-signzone -M ($n)"
+ret=0
+(
+cd signer || exit 1
+$SIGNER -O full -f signer.out.8 -S -M 30 -o example example.db > /dev/null
+) || ret=1
+awk '/^;/ { next; } $2 > 30 { exit 1; }' signer/signer.out.8 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking dnssec-signzone -N date ($n)"
+ret=0
+(
+cd signer || exit 1
+TZ=UTC $SIGNER -O full -f signer.out.9 -S -N date -o example example2.db > /dev/null
+) || ret=1
+# shellcheck disable=SC2016
+now=$(TZ=UTC $PERL -e '@lt=localtime(); printf "%.4d%0.2d%0.2d00\n",$lt[5]+1900,$lt[4]+1,$lt[3];')
+serial=$(awk '/^;/ { next; } $4 == "SOA" { print $7 }' signer/signer.out.9)
+[ "$now" -eq "$serial" ] || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking validated data are not cached longer than originalttl ($n)"
+ret=0
+dig_with_opts +ttl +noauth a.ttlpatch.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+dig_with_opts +ttl +noauth a.ttlpatch.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+grep "3600.IN" dig.out.ns3.test$n > /dev/null || ret=1
+grep "300.IN" dig.out.ns3.test$n > /dev/null && ret=1
+grep "300.IN" dig.out.ns4.test$n > /dev/null || ret=1
+grep "3600.IN" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Test that "rndc secroots" is able to dump trusted keys
+echo_i "checking rndc secroots ($n)"
+ret=0
+keyid=$(cat ns1/managed.key.id)
+rndccmd 10.53.0.4 secroots 2>&1 | sed 's/^/ns4 /' | cat_i
+cp ns4/named.secroots named.secroots.test$n
+check_secroots_layout named.secroots.test$n || ret=1
+linecount=$(grep -c "./$DEFAULT_ALGORITHM/$keyid ; static" named.secroots.test$n || true)
+[ "$linecount" -eq 1 ] || ret=1
+linecount=$(< named.secroots.test$n wc -l)
+[ "$linecount" -eq 9 ] || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Check direct query for RRSIG.  If we first ask for normal (non RRSIG)
+# record, the corresponding RRSIG should be cached and subsequent query
+# for RRSIG will be returned with the cached record.
+echo_i "checking RRSIG query from cache ($n)"
+ret=0
+dig_with_opts normalthenrrsig.secure.example. @10.53.0.4 a > /dev/null || ret=1
+ans=$(dig_with_opts +short normalthenrrsig.secure.example. @10.53.0.4 rrsig) || ret=1
+expect=$(dig_with_opts +short normalthenrrsig.secure.example. @10.53.0.3 rrsig | grep '^A' ) || ret=1
+test "$ans" = "$expect" || ret=1
+# also check that RA is set
+dig_with_opts normalthenrrsig.secure.example. @10.53.0.4 rrsig > dig.out.ns4.test$n || ret=1
+grep "flags:.*ra.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Check direct query for RRSIG: If it's not cached with other records,
+# it should result in an empty response.
+echo_i "checking RRSIG query not in cache ($n)"
+ret=0
+ans=$(dig_with_opts +short rrsigonly.secure.example. @10.53.0.4 rrsig) || ret=1
+test -z "$ans" || ret=1
+# also check that RA is cleared
+dig_with_opts rrsigonly.secure.example. @10.53.0.4 rrsig > dig.out.ns4.test$n || ret=1
+grep "flags:.*ra.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+#
+# RT21868 regression test.
+#
+echo_i "checking NSEC3 zone with mismatched NSEC3PARAM / NSEC parameters ($n)"
+ret=0
+dig_with_opts non-exist.badparam. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+#
+# RT22007 regression test.
+#
+echo_i "checking optout NSEC3 referral with only insecure delegations ($n)"
+ret=0
+dig_with_opts +norec delegation.single-nsec3. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking optout NSEC3 NXDOMAIN with only insecure delegations ($n)"
+ret=0
+dig_with_opts +norec nonexist.single-nsec3. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
+grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+
+status=$((status+ret))
+echo_i "checking optout NSEC3 nodata with only insecure delegations ($n)"
+ret=0
+dig_with_opts +norec single-nsec3. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that a zone finishing the transition from $ALTERNATIVE_ALGORITHM to $DEFAULT_ALGORITHM validates secure ($n)"
+ret=0
+dig_with_opts ns algroll. @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking validate-except in an insecure local domain ($n)"
+ret=0
+dig_with_opts ns www.corp @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking positive and negative validation with negative trust anchors ($n)"
+ret=0
+
+#
+# check correct initial behavior
+#
+dig_with_opts a.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.1 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.1 > /dev/null || ret=1
+dig_with_opts badds.example. soa @10.53.0.4 > dig.out.ns4.test$n.2 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null || ret=1
+dig_with_opts a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.3 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.3 > /dev/null && ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 > /dev/null || ret=1
+
+if [ "$ret" -ne 0 ]; then echo_i "failed - checking initial state"; fi
+status=$((status+ret))
+ret=0
+
+#
+# add negative trust anchors
+#
+rndccmd 10.53.0.4 nta -f -l 20s bogus.example 2>&1 | sed 's/^/ns4 /' | cat_i
+rndccmd 10.53.0.4 nta badds.example 2>&1 | sed 's/^/ns4 /' | cat_i
+# reconfig should maintain NTAs
+rndccmd 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i
+rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1
+lines=$(wc -l < rndc.out.ns4.test$n.1)
+[ "$lines" -eq 2 ] || ret=1
+rndccmd 10.53.0.4 nta secure.example 2>&1 | sed 's/^/ns4 /' | cat_i
+rndccmd 10.53.0.4 nta fakenode.secure.example 2>&1 | sed 's/^/ns4 /' | cat_i
+# reload should maintain NTAs
+rndc_reload ns4 10.53.0.4
+rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.2
+lines=$(wc -l < rndc.out.ns4.test$n.2)
+[ "$lines" -eq 4 ] || ret=1
+# shellcheck disable=SC2016
+start=$($PERL -e 'print time()."\n";')
+
+if [ "$ret" -ne 0 ]; then echo_i "failed - adding NTA's failed"; fi
+status=$((status+ret))
+ret=0
+
+#
+# check behavior with NTA's in place
+#
+dig_with_opts a.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.4 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.4 > /dev/null && ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.4 > /dev/null && ret=1
+dig_with_opts badds.example. soa @10.53.0.4 > dig.out.ns4.test$n.5 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.5 > /dev/null && ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.5 > /dev/null && ret=1
+dig_with_opts a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.6 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.6 > /dev/null && ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.6 > /dev/null && ret=1
+dig_with_opts a.fakenode.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.7 || ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.7 > /dev/null && ret=1
+echo_i "dumping secroots"
+rndccmd 10.53.0.4 secroots | sed 's/^/ns4 /' | cat_i
+cp ns4/named.secroots named.secroots.test$n
+check_secroots_layout named.secroots.test$n || ret=1
+grep "bogus.example: expiry" named.secroots.test$n > /dev/null || ret=1
+grep "badds.example: expiry" named.secroots.test$n > /dev/null || ret=1
+grep "secure.example: expiry" named.secroots.test$n > /dev/null || ret=1
+grep "fakenode.secure.example: expiry" named.secroots.test$n > /dev/null || ret=1
+
+if [ "$ret" -ne 0 ]; then echo_i "failed - with NTA's in place failed"; fi
+status=$((status+ret))
+ret=0
+
+echo_i "waiting for NTA rechecks/expirations"
+
+#
+# secure.example and badds.example used default nta-duration
+# (configured as 12s in ns4/named1.conf), but nta recheck interval
+# is configured to 9s, so at t=10 the NTAs for secure.example and
+# fakenode.secure.example should both be lifted, but badds.example
+# should still be going.
+#
+# shellcheck disable=SC2016
+$PERL -e 'my $delay =  '"$start"' + 10 - time(); select(undef, undef, undef, $delay) if ($delay > 0);'
+dig_with_opts b.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.8 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.8 > /dev/null && ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.8 > /dev/null || ret=1
+dig_with_opts b.fakenode.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.9 || ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.9 > /dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n.9 > /dev/null || ret=1
+dig_with_opts badds.example. soa @10.53.0.4 > dig.out.ns4.test$n.10 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.10 > /dev/null && ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.10 > /dev/null && ret=1
+
+if [ "$ret" -ne 0 ]; then echo_i "failed - checking that default nta's were lifted due to recheck"; fi
+status=$((status+ret))
+ret=0
+
+#
+# bogus.example was set to expire in 20s, so at t=13
+# it should still be NTA'd, but badds.example used the default
+# lifetime of 12s, so it should revert to SERVFAIL now.
+#
+# shellcheck disable=SC2016
+$PERL -e 'my $delay = '"$start"' + 13 - time(); select(undef, undef, undef, $delay) if ($delay > 0);'
+# check nta table
+rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n._11
+lines=$(grep -c " expiry " rndc.out.ns4.test$n._11 || true)
+[ "$lines" -le 2 ] || ret=1
+grep "bogus.example/_default: expiry" rndc.out.ns4.test$n._11 > /dev/null || ret=1
+grep "badds.example/_default: expiry" rndc.out.ns4.test$n._11 > /dev/null && ret=1
+dig_with_opts b.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.11 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.11 > /dev/null && ret=1
+dig_with_opts a.badds.example. a @10.53.0.4 > dig.out.ns4.test$n.12 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.12 > /dev/null || ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.12 > /dev/null && ret=1
+dig_with_opts c.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.13 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.13 > /dev/null && ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.13 > /dev/null || ret=1
+
+if [ "$ret" -ne 0 ]; then echo_i "failed - checking that default nta's were lifted due to lifetime"; fi
+status=$((status+ret))
+ret=0
+
+#
+# at t=21, all the NTAs should have expired.
+#
+# shellcheck disable=SC2016
+$PERL -e 'my $delay = '"$start"' + 21 - time(); select(undef, undef, undef, $delay) if ($delay > 0);'
+# check correct behavior after bogus.example expiry
+dig_with_opts d.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.14 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.14 > /dev/null && ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.14 > /dev/null || ret=1
+dig_with_opts c.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.15 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.15 > /dev/null || ret=1
+# check nta table has been cleaned up now
+rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.3
+lines=$(grep -c " expiry " rndc.out.ns4.test$n.3 || true)
+[ "$lines" -eq 0 ] || ret=1
+n=$((n+1))
+if [ "$ret" -ne 0 ]; then echo_i "failed - checking that all nta's have been lifted"; fi
+status=$((status+ret))
+ret=0
+
+echo_i "testing NTA removals ($n)"
+rndccmd 10.53.0.4 nta badds.example 2>&1 | sed 's/^/ns4 /' | cat_i
+rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1
+grep "badds.example/_default: expiry" rndc.out.ns4.test$n.1 > /dev/null || ret=1
+dig_with_opts a.badds.example. a @10.53.0.4 > dig.out.ns4.test$n.1 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.1 > /dev/null && ret=1
+grep "^a.badds.example." dig.out.ns4.test$n.1 > /dev/null || ret=1
+rndccmd 10.53.0.4 nta -remove badds.example > rndc.out.ns4.test$n.2
+grep "Negative trust anchor removed: badds.example/_default" rndc.out.ns4.test$n.2 > /dev/null || ret=1
+rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.3
+grep "badds.example/_default: expiry" rndc.out.ns4.test$n.3 > /dev/null && ret=1
+dig_with_opts a.badds.example. a @10.53.0.4 > dig.out.ns4.test$n.2 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+ret=0
+
+echo_i "remove non-existent NTA three times"
+rndccmd 10.53.0.4 nta -r foo > rndc.out.ns4.test$n.4 2>&1
+rndccmd 10.53.0.4 nta -remove foo > rndc.out.ns4.test$n.5 2>&1
+rndccmd 10.53.0.4 nta -r foo > rndc.out.ns4.test$n.6 2>&1
+grep "not found" rndc.out.ns4.test$n.6 > /dev/null || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+ret=0
+
+n=$((n+1))
+echo_i "testing NTA with bogus lifetimes ($n)"
+echo_i "check with no nta lifetime specified"
+rndccmd 10.53.0.4 nta -l "" foo > rndc.out.ns4.test$n.1 2>&1 || true
+grep "'nta' failed: bad ttl" rndc.out.ns4.test$n.1 > /dev/null || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+ret=0
+
+echo_i "check with bad nta lifetime"
+rndccmd 10.53.0.4 nta -l garbage foo > rndc.out.ns4.test$n.2 2>&1 || true
+grep "'nta' failed: bad ttl" rndc.out.ns4.test$n.2 > /dev/null || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+ret=0
+
+echo_i "check with too long nta lifetime"
+rndccmd 10.53.0.4 nta -l 7d1h foo > rndc.out.ns4.test$n.3 2>&1 || true
+grep "'nta' failed: out of range" rndc.out.ns4.test$n.3 > /dev/null || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+ret=0
+
+#
+# check NTA persistence across restarts
+#
+n=$((n+1))
+echo_i "testing NTA persistence across restarts ($n)"
+rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1
+lines=$(grep -c " expiry " rndc.out.ns4.test$n.1 || true)
+[ "$lines" -eq 0 ] || ret=1
+rndccmd 10.53.0.4 nta -f -l 30s bogus.example 2>&1 | sed 's/^/ns4 /' | cat_i
+rndccmd 10.53.0.4 nta -f -l 10s badds.example 2>&1 | sed 's/^/ns4 /' | cat_i
+rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.2
+lines=$(grep -c " expiry " rndc.out.ns4.test$n.2 || true)
+[ "$lines" -eq 2 ] || ret=1
+# shellcheck disable=SC2016
+start=$($PERL -e 'print time()."\n";')
+
+if [ "$ret" -ne 0 ]; then echo_i "failed - NTA persistence: adding NTA's failed"; fi
+status=$((status+ret))
+ret=0
+
+echo_i "killing ns4 with SIGTERM"
+$KILL -TERM "$(cat ns4/named.pid)"
+rm -f ns4/named.pid
+
+#
+# ns4 has now shutdown. wait until t=14 when badds.example's NTA
+# (lifetime=10s) would have expired, and then restart ns4.
+#
+echo_i "waiting till 14s have passed since NTAs were added before restarting ns4"
+# shellcheck disable=SC2016
+$PERL -e 'my $delay = '"$start"' + 14 - time(); select(undef, undef, undef, $delay) if ($delay > 0);'
+
+if
+    start_server --noclean --restart --port "$PORT" ns4
+then
+    echo_i "restarted server ns4"
+else
+    echo_i "could not restart server ns4"
+    exit 1
+fi
+
+echo_i "sleeping for an additional 4 seconds for ns4 to fully startup"
+sleep 4
+
+#
+# ns4 should be back up now. The NTA for bogus.example should still be
+# valid, whereas badds.example should not have been added during named
+# startup (as it had already expired), the fact that it's ignored should
+# be logged.
+#
+rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.3
+lines=$(wc -l < rndc.out.ns4.test$n.3)
+[ "$lines" -eq 1 ] || ret=1
+grep "bogus.example/_default: expiry" rndc.out.ns4.test$n.3 > /dev/null || ret=1
+dig_with_opts b.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.4 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.4 > /dev/null && ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.4 > /dev/null && ret=1
+dig_with_opts a.badds.example. a @10.53.0.4 > dig.out.ns4.test$n.5 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.5 > /dev/null || ret=1
+grep "ignoring expired NTA at badds.example" ns4/named.run > /dev/null || ret=1
+
+# cleanup
+rndccmd 10.53.0.4 nta -remove bogus.example > rndc.out.ns4.test$n.6
+
+if [ "$ret" -ne 0 ]; then echo_i "failed - NTA persistence: restoring NTA failed"; fi
+status=$((status+ret))
+ret=0
+
+#
+# check "regular" attribute in NTA file works as expected at named
+# startup.
+#
+n=$((n+1))
+echo_i "testing loading regular attribute from NTA file ($n)"
+rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 2>/dev/null
+lines=$(wc -l < rndc.out.ns4.test$n.1)
+[ "$lines" -eq 0 ] || ret=1
+# initially, secure.example. validates with AD=1
+dig_with_opts a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.2 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null && ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.2 > /dev/null || ret=1
+
+echo_i "killing ns4 with SIGTERM"
+$KILL -TERM "$(cat ns4/named.pid)"
+rm -f ns4/named.pid
+
+echo_i "sleeping for an additional 4 seconds for ns4 to fully shutdown"
+sleep 4
+
+#
+# ns4 has now shutdown. add NTA for secure.example. directly into the
+# _default.nta file with the regular attribute and some future timestamp.
+#
+future="$(($(date +%Y)+20))0101010000"
+echo "secure.example. regular $future" > ns4/_default.nta
+# shellcheck disable=SC2016
+start=$($PERL -e 'print time()."\n";')
+
+if
+    start_server --noclean --restart --port "$PORT" ns4
+then
+    echo_i "restarted server ns4"
+else
+    echo_i "could not restart server ns4"
+    exit 1
+fi
+
+# nta-recheck is configured as 9s, so at t=12 the NTAs for
+# secure.example. should be lifted as it is not a forced NTA.
+echo_i "waiting till 12s have passed after ns4 was restarted"
+# shellcheck disable=SC2016
+$PERL -e 'my $delay = '"$start"' + 12 - time(); select(undef, undef, undef, $delay) if ($delay > 0);'
+
+# secure.example. should now return an AD=1 answer (still validates) as
+# the NTA has been lifted.
+dig_with_opts a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.3 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.3 > /dev/null && ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 > /dev/null || ret=1
+
+# cleanup
+rndccmd 10.53.0.4 nta -remove secure.example > rndc.out.ns4.test$n.4 2>/dev/null
+
+if [ "$ret" -ne 0 ]; then echo_i "failed - NTA persistence: loading regular NTAs failed"; fi
+status=$((status+ret))
+ret=0
+
+#
+# check "forced" attribute in NTA file works as expected at named
+# startup.
+#
+n=$((n+1))
+echo_i "testing loading forced attribute from NTA file ($n)"
+rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 2>/dev/null
+lines=$(wc -l < rndc.out.ns4.test$n.1)
+[ "$lines" -eq 0 ] || ret=1
+# initially, secure.example. validates with AD=1
+dig_with_opts a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.2 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null && ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.2 > /dev/null || ret=1
+
+echo_i "killing ns4 with SIGTERM"
+$KILL -TERM "$(cat ns4/named.pid)"
+rm -f named.pid
+
+echo_i "sleeping for an additional 4 seconds for ns4 to fully shutdown"
+sleep 4
+
+#
+# ns4 has now shutdown. add NTA for secure.example. directly into the
+# _default.nta file with the forced attribute and some future timestamp.
+#
+echo "secure.example. forced $future" > ns4/_default.nta
+start=$($PERL -e 'print time()."\n";')
+
+if
+    start_server --noclean --restart --port "$PORT" ns4
+then
+    echo_i "restarted server ns4"
+else
+    echo_i "could not restart server ns4"
+    exit 1
+fi
+
+# nta-recheck is configured as 9s, but even at t=12 the NTAs for
+# secure.example. should not be lifted as it is a forced NTA.
+echo_i "waiting till 12s have passed after ns4 was restarted"
+# shellcheck disable=SC2016
+$PERL -e 'my $delay = '"$start"' + 12 - time(); select(undef, undef, undef, $delay) if ($delay > 0);'
+
+# secure.example. should now return an AD=0 answer (non-authenticated)
+# as the NTA is still there.
+dig_with_opts a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.3 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.3 > /dev/null && ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 > /dev/null && ret=1
+
+# cleanup
+rndccmd 10.53.0.4 nta -remove secure.example > rndc.out.ns4.test$n.4 2>/dev/null
+
+if [ "$ret" -ne 0 ]; then echo_i "failed - NTA persistence: loading forced NTAs failed"; fi
+status=$((status+ret))
+ret=0
+
+#
+# check that NTA lifetime read from file is clamped to 1 week.
+#
+n=$((n+1))
+echo_i "testing loading out of bounds lifetime from NTA file ($n)"
+
+echo_i "killing ns4 with SIGTERM"
+$KILL -TERM "$(cat ns4/named.pid)"
+rm -f ns4/named.pid
+
+echo_i "sleeping for an additional 4 seconds for ns4 to fully shutdown"
+sleep 4
+
+#
+# ns4 has now shutdown. add NTA for secure.example. directly into the
+# _default.nta file with a lifetime well into the future.
+#
+echo "secure.example. forced $future" > ns4/_default.nta
+added=$($PERL -e 'print time()."\n";')
+
+if
+    start_server --noclean --restart --port "$PORT" ns4
+then
+    echo_i "restarted server ns4"
+else
+    echo_i "could not restart server ns4"
+    exit 1
+fi
+
+echo_i "sleeping for an additional 4 seconds for ns4 to fully startup"
+sleep 4
+
+# dump the NTA to a file (omit validate-except entries)
+echo_i "testing 'rndc nta'"
+rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 2>/dev/null
+# "corp" is configured as a validate-except domain and thus should be
+# omitted. only "secure.example" should be in the dump at this point.
+lines=$(wc -l < rndc.out.ns4.test$n.1)
+[ "$lines" -eq 1 ] || ret=1
+grep 'secure.example' rndc.out.ns4.test$n.1 > /dev/null || ret=1
+ts=$(awk '{print $3" "$4}' < rndc.out.ns4.test$n.1)
+# rndc nta outputs localtime, so append the timezone
+ts_with_zone="$ts $(date +%z)"
+echo "ts=$ts" > rndc.out.ns4.test$n.2
+echo "ts_with_zone=$ts_with_zone" >> rndc.out.ns4.test$n.2
+echo "added=$added" >> rndc.out.ns4.test$n.2
+if $PERL -e 'use Time::Piece; use Time::Seconds;' 2>/dev/null
+then
+    # ntadiff.pl computes $ts_with_zone - ($added + 1week)
+    d=$($PERL ./ntadiff.pl "$ts_with_zone" "$added")
+    echo "d=$d" >> rndc.out.ns4.test$n.2
+    # diff from $added(now) + 1week to the clamped NTA lifetime should be
+    # less than a few seconds (handle daylight saving changes by adding 3600).
+    [ "$d" -lt 3610 ] || ret=1
+else
+    echo_i "skipped ntadiff test; install PERL module Time::Piece"
+fi
+
+# cleanup
+rndccmd 10.53.0.4 nta -remove secure.example > rndc.out.ns4.test$n.3 2>/dev/null
+
+n=$((n+1))
+if [ "$ret" -ne 0 ]; then echo_i "failed - NTA lifetime clamping failed"; fi
+status=$((status+ret))
+
+echo_i "checking that NTAs work with 'forward only;' to a validating resolver ($n)"
+ret=0
+# Sanity check behavior without an NTA in place.
+dig_with_opts @10.53.0.9 badds.example. SOA > dig.out.ns9.test$n.1 || ret=1
+grep "SERVFAIL" dig.out.ns9.test$n.1 > /dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns9.test$n.1 > /dev/null || ret=1
+grep "flags:[^;]* ad[ ;].*QUERY" dig.out.ns9.test$n.1 > /dev/null && ret=1
+# Add an NTA, expecting that to cause resolution to succeed.
+rndccmd 10.53.0.9 nta badds.example > rndc.out.ns9.test$n.1 2>&1 || ret=1
+dig_with_opts @10.53.0.9 badds.example. SOA > dig.out.ns9.test$n.2 || ret=1
+grep "NOERROR" dig.out.ns9.test$n.2 > /dev/null || ret=1
+grep "ANSWER: 2" dig.out.ns9.test$n.2 > /dev/null || ret=1
+grep "flags:[^;]* ad[ ;].*QUERY" dig.out.ns9.test$n.2 > /dev/null && ret=1
+# Remove the NTA, expecting that to cause resolution to fail again.
+rndccmd 10.53.0.9 nta -remove badds.example > rndc.out.ns9.test$n.2 2>&1 || ret=1
+dig_with_opts @10.53.0.9 badds.example. SOA > dig.out.ns9.test$n.3 || ret=1
+grep "SERVFAIL" dig.out.ns9.test$n.3 > /dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns9.test$n.3 > /dev/null || ret=1
+grep "flags:[^;]* ad[ ;].*QUERY" dig.out.ns9.test$n.3 > /dev/null && ret=1
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "completed NTA tests"
+
+# Run a minimal update test if possible.  This is really just
+# a regression test for RT #2399; more tests should be added.
+
+if $PERL -e 'use Net::DNS;' 2>/dev/null
+then
+    echo_i "running DNSSEC update test"
+    ret=0
+    output=$($PERL dnssec_update_test.pl -s 10.53.0.3 -p "$PORT" dynamic.example.)
+    test "$?" -eq 0 || ret=1
+    echo "$output" | cat_i
+    [ $ret -eq 1 ] && status=1
+else
+    echo_i "The DNSSEC update test requires the Net::DNS library." >&2
+fi
+
+n=$((n+1))
+echo_i "checking managed key maintenance has not started yet ($n)"
+ret=0
+[ -f "ns4/managed-keys.bind.jnl" ] && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Reconfigure caching server to use "dnssec-validation auto", and repeat
+# some of the DNSSEC validation tests to ensure that it works correctly.
+# Also setup a placeholder managed-keys zone to check if named can process it
+# correctly.
+echo_i "switching to automatic root key configuration"
+cp ns4/managed-keys.bind.in ns4/managed-keys.bind
+copy_setports ns4/named2.conf.in ns4/named.conf
+rndccmd 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i
+sleep 5
+
+echo_i "checking managed key maintenance timer has now started ($n)"
+ret=0
+[ -f "ns4/managed-keys.bind.jnl" ] || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking positive validation NSEC ($n)"
+ret=0
+dig_with_opts +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
+dig_with_opts +noauth a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking positive validation NSEC3 ($n)"
+ret=0
+dig_with_opts +noauth a.nsec3.example. \
+	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.nsec3.example. \
+	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking positive validation OPTOUT ($n)"
+ret=0
+dig_with_opts +noauth a.optout.example. \
+	@10.53.0.3 a > dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.optout.example. \
+	@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking negative validation ($n)"
+ret=0
+dig_with_opts +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
+dig_with_opts +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that root DS queries validate ($n)"
+ret=0
+dig_with_opts +noauth . @10.53.0.1 ds > dig.out.ns1.test$n || ret=1
+dig_with_opts +noauth . @10.53.0.4 ds > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns1.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that DS at a RFC 1918 empty zone lookup succeeds ($n)"
+ret=0
+dig_with_opts +noauth 10.in-addr.arpa ds @10.53.0.2 >dig.out.ns2.test$n || ret=1
+dig_with_opts +noauth 10.in-addr.arpa ds @10.53.0.4 >dig.out.ns6.test$n || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns6.test$n || ret=1
+grep "status: NOERROR" dig.out.ns6.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking expired signatures remain with "'"allow-update { none; };"'" and no keys available ($n)"
+ret=0
+dig_with_opts +noauth expired.example. +dnssec @10.53.0.3 soa > dig.out.ns3.test$n || ret=1
+grep "RRSIG.SOA" dig.out.ns3.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+
+status=$((status+ret))
+echo_i "checking expired signatures do not validate ($n)"
+ret=0
+dig_with_opts +noauth expired.example. +dnssec @10.53.0.4 soa > dig.out.ns4.test$n || ret=1
+grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+grep "expired.example/.*: RRSIG has expired" ns4/named.run > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that the NSEC3 record for the apex is properly signed when a DNSKEY is added via UPDATE ($n)"
+ret=0
+(
+cd ns3 || exit 1
+kskname=$($KEYGEN -q -3 -a $DEFAULT_ALGORITHM -fk update-nsec3.example)
+(
+echo zone update-nsec3.example
+echo server 10.53.0.3 "$PORT"
+grep DNSKEY "${kskname}.key" | sed -e 's/^/update add /' -e 's/IN/300 IN/'
+echo send
+) | $NSUPDATE
+)
+dig_with_opts +dnssec a update-nsec3.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
+grep "NSEC3 .* TYPE65534" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that the NSEC record is properly generated when DNSKEY are added via auto-dnssec ($n)"
+ret=0
+dig_with_opts +dnssec a auto-nsec.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
+grep "IN.NSEC[^3].* DNSKEY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that the NSEC3 record is properly generated when DNSKEY are added via auto-dnssec ($n)"
+ret=0
+dig_with_opts +dnssec a auto-nsec3.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
+grep "IN.NSEC3 .* DNSKEY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that signing records have been marked as complete ($n)"
+ret=0
+checkprivate dynamic.example 10.53.0.3 || ret=1
+checkprivate update-nsec3.example 10.53.0.3 || ret=1
+checkprivate auto-nsec3.example 10.53.0.3 || ret=1
+checkprivate expiring.example 10.53.0.3 || ret=1
+checkprivate auto-nsec.example 10.53.0.3 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that 'rndc signing' without arguments is handled ($n)"
+ret=0
+rndccmd 10.53.0.3 signing > /dev/null 2>&1 && ret=1
+rndccmd 10.53.0.3 status > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that 'rndc signing -list' without zone is handled ($n)"
+ret=0
+rndccmd 10.53.0.3 signing -list > /dev/null 2>&1 && ret=1
+rndccmd 10.53.0.3 status > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that 'rndc signing -clear' without additional arguments is handled ($n)"
+ret=0
+rndccmd 10.53.0.3 signing -clear > /dev/null 2>&1 && ret=1
+rndccmd 10.53.0.3 status > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that 'rndc signing -clear all' without zone is handled ($n)"
+ret=0
+rndccmd 10.53.0.3 signing -clear all > /dev/null 2>&1 && ret=1
+rndccmd 10.53.0.3 status > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that 'rndc signing -nsec3param' without additional arguments is handled ($n)"
+ret=0
+rndccmd 10.53.0.3 signing -nsec3param > /dev/null 2>&1 && ret=1
+rndccmd 10.53.0.3 status > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that 'rndc signing -nsec3param none' without zone is handled ($n)"
+ret=0
+rndccmd 10.53.0.3 signing -nsec3param none > /dev/null 2>&1 && ret=1
+rndccmd 10.53.0.3 status > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that 'rndc signing -nsec3param 1' without additional arguments is handled ($n)"
+ret=0
+rndccmd 10.53.0.3 signing -nsec3param 1 > /dev/null 2>&1 && ret=1
+rndccmd 10.53.0.3 status > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that 'rndc signing -nsec3param 1 0' without additional arguments is handled ($n)"
+ret=0
+rndccmd 10.53.0.3 signing -nsec3param 1 0 > /dev/null 2>&1 && ret=1
+rndccmd 10.53.0.3 status > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that 'rndc signing -nsec3param 1 0 0' without additional arguments is handled ($n)"
+ret=0
+rndccmd 10.53.0.3 signing -nsec3param 1 0 0 > /dev/null 2>&1 && ret=1
+rndccmd 10.53.0.3 status > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that 'rndc signing -nsec3param 1 0 0 -' without zone is handled ($n)"
+ret=0
+rndccmd 10.53.0.3 signing -nsec3param 1 0 0 - > /dev/null 2>&1 && ret=1
+rndccmd 10.53.0.3 status > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that 'rndc signing -nsec3param' works with salt ($n)"
+ret=0
+rndccmd 10.53.0.3 signing -nsec3param 1 0 0 ffff inline.example > /dev/null 2>&1 || ret=1
+rndccmd 10.53.0.3 status > /dev/null || ret=1
+for i in 1 2 3 4 5 6 7 8 9 10 ; do
+        salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}')
+	if [ "$salt" = "FFFF" ]; then
+		break;
+	fi
+	echo_i "sleeping ...."
+	sleep 1
+done;
+[ "$salt" = "FFFF" ] || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that 'rndc signing -nsec3param' works without salt ($n)"
+ret=0
+rndccmd 10.53.0.3 signing -nsec3param 1 0 0 - inline.example > /dev/null 2>&1 || ret=1
+rndccmd 10.53.0.3 status > /dev/null || ret=1
+for i in 1 2 3 4 5 6 7 8 9 10 ; do
+	salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}')
+	if [ "$salt" = "-" ]; then
+		break;
+	fi
+	echo_i "sleeping ...."
+	sleep 1
+done;
+[ "$salt" = "-" ] || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that 'rndc signing -nsec3param' works with 'auto' as salt ($n)"
+ret=0
+rndccmd 10.53.0.3 signing -nsec3param 1 0 0 auto inline.example > /dev/null 2>&1 || ret=1
+rndccmd 10.53.0.3 status > /dev/null || ret=1
+for i in 1 2 3 4 5 6 7 8 9 10 ; do
+	salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}')
+	[ -n "$salt" ] && [ "$salt" != "-" ] && break
+	echo_i "sleeping ...."
+	sleep 1
+done;
+[ "$salt" != "-" ] || ret=1
+[ "${#salt}" -eq 16 ] || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that 'rndc signing -nsec3param' with 'auto' as salt again generates a different salt ($n)"
+ret=0
+oldsalt=$salt
+rndccmd 10.53.0.3 signing -nsec3param 1 0 0 auto inline.example > /dev/null 2>&1 || ret=1
+rndccmd 10.53.0.3 status > /dev/null || ret=1
+for i in 1 2 3 4 5 6 7 8 9 10 ; do
+	salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}')
+	[ -n "$salt" ] && [ "$salt" != "$oldsalt" ] && break
+	echo_i "sleeping ...."
+	sleep 1
+done;
+[ "$salt" != "$oldsalt" ] || ret=1
+[ "${#salt}" -eq 16 ] || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check rndc signing -list output ($n)"
+ret=0
+{ rndccmd 10.53.0.3 signing -list dynamic.example > signing.out; } 2>&1
+grep -q "No signing records found" signing.out || {
+        ret=1
+        sed 's/^/ns3 /' signing.out | cat_i
+}
+{ rndccmd 10.53.0.3 signing -list update-nsec3.example > signing.out; } 2>&1
+grep -q "Done signing with key .*/$DEFAULT_ALGORITHM" signing.out || {
+        ret=1
+        sed 's/^/ns3 /' signing.out | cat_i
+}
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "clear signing records ($n)"
+{ rndccmd 10.53.0.3 signing -clear all update-nsec3.example > /dev/null; } 2>&1 || ret=1
+check_no_signing_record_found() {
+  { rndccmd 10.53.0.3 signing -list update-nsec3.example > signing.out; } 2>&1
+  grep -q "No signing records found" signing.out || {
+    sed 's/^/ns3 /' signing.out | cat_i
+    return 1
+  }
+  return 0
+}
+retry_quiet 5 check_no_signing_record_found || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that a insecure zone beneath a cname resolves ($n)"
+ret=0
+dig_with_opts soa insecure.below-cname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that a secure zone beneath a cname resolves ($n)"
+ret=0
+dig_with_opts soa secure.below-cname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+my_dig() {
+    "$DIG" +noadd +nosea +nostat +noquest +nocomm +nocmd -p "$PORT" @10.53.0.4 "$@"
+}
+
+echo_i "checking DNSKEY query with no data still gets put in cache ($n)"
+ret=0
+firstVal=$(my_dig insecure.example. dnskey| awk '$1 != ";;" { print $2 }')
+sleep 1
+secondVal=$(my_dig insecure.example. dnskey| awk '$1 != ";;" { print $2 }')
+if [ "${firstVal:-0}" -eq "${secondVal:-0}" ]
+then
+	sleep 1
+	thirdVal=$(my_dig insecure.example. dnskey|awk '$1 != ";;" { print $2 }')
+	if [ "${firstVal:-0}" -eq "${thirdVal:-0}" ]
+	then
+		echo_i "cannot confirm query answer still in cache"
+		ret=1
+	fi
+fi
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that a split dnssec dnssec-signzone work ($n)"
+ret=0
+dig_with_opts soa split-dnssec.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that a smart split dnssec dnssec-signzone work ($n)"
+ret=0
+dig_with_opts soa split-smart.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that NOTIFY is sent at the end of NSEC3 chain generation ($n)"
+ret=0
+(
+echo zone nsec3chain-test
+echo server 10.53.0.2 "$PORT"
+echo update add nsec3chain-test. 0 nsec3param 1 0 1 123456
+echo send
+) | $NSUPDATE
+for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
+do
+	dig_with_opts nsec3param nsec3chain-test @10.53.0.2 > dig.out.ns2.test$n || ret=1
+	if grep "ANSWER: 3," dig.out.ns2.test$n >/dev/null
+	then
+		break;
+	fi
+	echo_i "sleeping ...."
+	sleep 3
+done
+grep "ANSWER: 3," dig.out.ns2.test$n > /dev/null || ret=1
+if [ "$ret" -ne 0 ]; then echo_i "nsec3 chain generation not complete"; fi
+dig_with_opts +noauth +nodnssec soa nsec3chain-test @10.53.0.2 > dig.out.ns2.test$n || ret=1
+s2=$(awk '$4 == "SOA" { print $7}' dig.out.ns2.test$n)
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+	dig_with_opts +noauth +nodnssec soa nsec3chain-test @10.53.0.3 > dig.out.ns3.test$n || ret=1
+	s3=$(awk '$4 == "SOA" { print $7}' dig.out.ns3.test$n)
+	test "$s2" = "$s3" && break
+	sleep 1
+done
+digcomp dig.out.ns2.test$n dig.out.ns3.test$n || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check dnssec-dsfromkey from stdin ($n)"
+ret=0
+dig_with_opts dnskey algroll. @10.53.0.2 | \
+        $DSFROMKEY -f - algroll. > dig.out.ns2.test$n || ret=1
+NF=$(awk '{print NF}' dig.out.ns2.test$n | sort -u)
+[ "${NF}" = 7 ] || ret=1
+# make canonical
+awk '{
+	for (i=1;i<7;i++) printf("%s ", $i);
+	for (i=7;i<=NF;i++) printf("%s", $i);
+	printf("\n");
+}' < dig.out.ns2.test$n > canonical1.$n || ret=1
+awk '{
+	for (i=1;i<7;i++) printf("%s ", $i);
+	for (i=7;i<=NF;i++) printf("%s", $i);
+	printf("\n");
+}' < ns1/dsset-algroll$TP > canonical2.$n || ret=1
+$DIFF -b canonical1.$n canonical2.$n > /dev/null 2>&1 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Intentionally strip ".key" from keyfile name to ensure the error message
+# includes it anyway to avoid confusion (RT #21731)
+echo_i "check dnssec-dsfromkey error message when keyfile is not found ($n)"
+ret=0
+key=$($KEYGEN -a $DEFAULT_ALGORITHM -q example.) || ret=1
+mv "$key.key" "$key"
+$DSFROMKEY "$key" > dsfromkey.out.$n 2>&1 && ret=1
+grep "$key.key: file not found" dsfromkey.out.$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check dnssec-dsfromkey with revoked key ($n)"
+ret=0
+dig_with_opts revkey.example dnskey @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "DNSKEY.256 3 13" dig.out.ns4.test$n > /dev/null || ret=1	# ZSK
+grep "DNSKEY.385 3 13" dig.out.ns4.test$n > /dev/null || ret=1	# revoked KSK
+grep "DNSKEY.257 3 13" dig.out.ns4.test$n > /dev/null || ret=1	# KSK
+test $(awk '$4 == "DNSKEY" { print }' dig.out.ns4.test$n | wc -l) -eq 3 || ret=1
+$DSFROMKEY -f dig.out.ns4.test$n revkey.example. > dsfromkey.out.test$n || ret=1
+test $(wc -l < dsfromkey.out.test$n) -eq 1 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+
+echo_i "testing soon-to-expire RRSIGs without a replacement private key ($n)"
+ret=0
+dig_with_answeropts +nottlid expiring.example ns @10.53.0.3 | grep RRSIG > dig.out.ns3.test$n 2>&1
+# there must be a signature here
+[ -s dig.out.ns3.test$n ] || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "testing new records are signed with 'no-resign' ($n)"
+ret=0
+(
+echo zone nosign.example
+echo server 10.53.0.3 "$PORT"
+echo update add new.nosign.example 300 in txt "hi there"
+echo send
+) | $NSUPDATE
+sleep 1
+dig_with_answeropts +nottlid txt new.nosign.example @10.53.0.3 \
+        > dig.out.ns3.test$n 2>&1
+grep RRSIG dig.out.ns3.test$n > /dev/null 2>&1 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "testing expiring records aren't resigned with 'no-resign' ($n)"
+ret=0
+dig_with_answeropts +nottlid nosign.example ns @10.53.0.3 | \
+        grep RRSIG | sed 's/[ 	][ 	]*/ /g' > dig.out.ns3.test$n 2>&1
+# the NS RRSIG should not be changed
+$DIFF nosign.before dig.out.ns3.test$n > /dev/null|| ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "testing updates fail with no private key ($n)"
+ret=0
+rm -f ns3/Knosign.example.*.private
+(
+echo zone nosign.example
+echo server 10.53.0.3 "$PORT"
+echo update add fail.nosign.example 300 in txt "reject me"
+echo send
+) | $NSUPDATE > /dev/null 2>&1 && ret=1
+dig_with_answeropts +nottlid fail.nosign.example txt @10.53.0.3 \
+        > dig.out.ns3.test$n 2>&1
+[ -s dig.out.ns3.test$n ] && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "testing legacy upper case signer name validation ($n)"
+ret=0
+$DIG +tcp +noadd +noauth +dnssec -p "$PORT" soa upper.example @10.53.0.4 \
+        > dig.out.ns4.test$n 2>&1
+grep "flags:.* ad;" dig.out.ns4.test$n > /dev/null || ret=1
+grep "RRSIG.*SOA.* UPPER\\.EXAMPLE\\. " dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "testing that we lower case signer name ($n)"
+ret=0
+$DIG +tcp +noadd +noauth +dnssec -p "$PORT" soa LOWER.EXAMPLE @10.53.0.4 \
+        > dig.out.ns4.test$n 2>&1
+grep "flags:.* ad;" dig.out.ns4.test$n > /dev/null || ret=1
+grep "RRSIG.*SOA.* lower\\.example\\. " dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "testing TTL is capped at RRSIG expiry time ($n)"
+ret=0
+rndccmd 10.53.0.3 freeze expiring.example 2>&1 | sed 's/^/ns3 /' | cat_i
+(
+cd ns3 || exit 1
+for file in K*.moved; do
+  mv "$file" "$(basename "$file" .moved)"
+done
+$SIGNER -S -N increment -e now+1mi -o expiring.example expiring.example.db > /dev/null
+) || ret=1
+rndc_reload ns3 10.53.0.3 expiring.example
+
+rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i
+dig_with_answeropts +cd expiring.example soa @10.53.0.4 > dig.out.ns4.1.$n
+dig_with_answeropts expiring.example soa @10.53.0.4 > dig.out.ns4.2.$n
+ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n)
+ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n)
+for ttl in ${ttls:-0}; do
+    [ "${ttl}" -eq 300 ] || ret=1
+done
+for ttl in ${ttls2:-0}; do
+    [ "${ttl}" -le 60 ] || ret=1
+done
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section (NS) ($n)"
+ret=0
+rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i
+sleep 1
+dig_with_additionalopts +cd expiring.example ns @10.53.0.4 > dig.out.ns4.1.$n
+dig_with_additionalopts expiring.example ns @10.53.0.4 > dig.out.ns4.2.$n
+ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n)
+ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n)
+for ttl in ${ttls:-300}; do
+    [ "$ttl" -le 300 ] && [ "$ttl" -gt 240 ] || ret=1
+done
+for ttl in ${ttls2:-0}; do
+    [ "$ttl" -le 60 ] || ret=1
+done
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section (MX) ($n)"
+ret=0
+rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i
+sleep 1
+dig_with_additionalopts +cd expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n
+dig_with_additionalopts expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n
+ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n)
+ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n)
+for ttl in ${ttls:-300}; do
+    [ "$ttl" -le 300 ] && [ "$ttl" -gt 240 ] || ret=1
+done
+for ttl in ${ttls2:-0}; do
+    [ "$ttl" -le 60 ] || ret=1
+done
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+copy_setports ns4/named3.conf.in ns4/named.conf
+rndccmd 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i
+sleep 3
+
+echo_i "testing TTL of about to expire RRsets with dnssec-accept-expired yes; ($n)"
+ret=0
+rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i
+dig_with_answeropts +cd expiring.example soa @10.53.0.4 > dig.out.ns4.1.$n
+dig_with_answeropts expiring.example soa @10.53.0.4 > dig.out.ns4.2.$n
+ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n)
+ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n)
+for ttl in ${ttls:-0}; do
+    [ "$ttl" -eq 300 ] || ret=1
+done
+for ttl in ${ttls2:-0}; do
+    [ "$ttl" -eq 120 ] || ret=1
+done
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "testing TTL of expired RRsets with dnssec-accept-expired yes; ($n)"
+ret=0
+dig_with_answeropts +cd expired.example soa @10.53.0.4 > dig.out.ns4.1.$n
+dig_with_answeropts expired.example soa @10.53.0.4 > dig.out.ns4.2.$n
+ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n)
+ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n)
+for ttl in ${ttls:-0}; do
+    [ "$ttl" -eq 300 ] || ret=1
+done
+for ttl in ${ttls2:-0}; do
+    [ "$ttl" -eq 120 ] || ret=1
+done
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section with dnssec-accept-expired yes; ($n)"
+ret=0
+rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i
+dig_with_additionalopts +cd expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n
+dig_with_additionalopts expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n
+ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n)
+ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n)
+for ttl in ${ttls:-300}; do
+    [ "$ttl" -le 300 ] && [ "$ttl" -gt 240 ] || ret=1
+done
+for ttl in ${ttls2:-0}; do
+    [ "$ttl" -le 120 ] && [ "$ttl" -gt 60 ] || ret=1
+done
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "testing DNSKEY lookup via CNAME ($n)"
+ret=0
+dig_with_opts +noauth cnameandkey.secure.example. \
+	@10.53.0.3 dnskey > dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth cnameandkey.secure.example. \
+	@10.53.0.4 dnskey > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "CNAME" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "testing KEY lookup at CNAME (present) ($n)"
+ret=0
+dig_with_opts +noauth cnameandkey.secure.example. \
+	@10.53.0.3 key > dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth cnameandkey.secure.example. \
+	@10.53.0.4 key > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "CNAME" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "testing KEY lookup at CNAME (not present) ($n)"
+ret=0
+dig_with_opts +noauth cnamenokey.secure.example. \
+	@10.53.0.3 key > dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth cnamenokey.secure.example. \
+	@10.53.0.4 key > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "CNAME" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "testing DNSKEY lookup via DNAME ($n)"
+ret=0
+dig_with_opts a.dnameandkey.secure.example. \
+	@10.53.0.3 dnskey > dig.out.ns3.test$n || ret=1
+dig_with_opts a.dnameandkey.secure.example. \
+	@10.53.0.4 dnskey > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "CNAME" dig.out.ns4.test$n > /dev/null || ret=1
+grep "DNAME" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "testing KEY lookup via DNAME ($n)"
+ret=0
+dig_with_opts b.dnameandkey.secure.example. \
+	@10.53.0.3 key > dig.out.ns3.test$n || ret=1
+dig_with_opts b.dnameandkey.secure.example. \
+	@10.53.0.4 key > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "DNAME" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that named doesn't loop when all private keys are not available ($n)"
+ret=0
+lines=$(grep -c "reading private key file expiring.example" ns3/named.run || true)
+test "${lines:-1000}" -lt 15 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check against against missing nearest provable proof ($n)"
+dig_with_opts +norec b.c.d.optout-tld. \
+	@10.53.0.6 ds > dig.out.ds.ns6.test$n || ret=1
+nsec3=$(grep -c "IN.NSEC3" dig.out.ds.ns6.test$n || true)
+[ "$nsec3" -eq 2 ] || ret=1
+dig_with_opts +norec b.c.d.optout-tld. \
+	@10.53.0.6 A > dig.out.ns6.test$n || ret=1
+nsec3=$(grep -c "IN.NSEC3" dig.out.ns6.test$n || true)
+[ "$nsec3" -eq 1 ] || ret=1
+dig_with_opts optout-tld. \
+	@10.53.0.4 SOA > dig.out.soa.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.soa.ns4.test$n > /dev/null || ret=1
+dig_with_opts b.c.d.optout-tld. \
+	@10.53.0.4 A > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that key id are logged when dumping the cache ($n)"
+ret=0
+rndc_dumpdb ns4
+grep "; key id = " ns4/named_dump.db.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check KEYDATA records are printed in human readable form in key zone ($n)"
+# force the managed-keys zone to be written out
+rndccmd 10.53.0.4 managed-keys sync 2>&1 | sed 's/^/ns4 /' | cat_i
+for i in 1 2 3 4 5 6 7 8 9
+do
+    ret=0
+    if test -f ns4/managed-keys.bind
+    then
+	grep KEYDATA ns4/managed-keys.bind > /dev/null &&
+	grep "next refresh:" ns4/managed-keys.bind > /dev/null &&
+	break
+    fi
+    ret=1
+    sleep 1
+done
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check dig's +nocrypto flag ($n)"
+ret=0
+dig_with_opts +norec +nocrypto DNSKEY . \
+	@10.53.0.1 > dig.out.dnskey.ns1.test$n || ret=1
+grep -E "256 [0-9]+ $DEFAULT_ALGORITHM_NUMBER \\[key id = [1-9][0-9]*]" dig.out.dnskey.ns1.test$n > /dev/null || ret=1
+grep -E "RRSIG.* \\[omitted]" dig.out.dnskey.ns1.test$n > /dev/null || ret=1
+dig_with_opts +norec +nocrypto DS example \
+	@10.53.0.1 > dig.out.ds.ns1.test$n || ret=1
+grep -E "DS.* [0-9]+ [12] \[omitted]" dig.out.ds.ns1.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check simultaneous inactivation and publishing of dnskeys removes inactive signature ($n)"
+ret=0
+cnt=0
+while :
+do
+dig_with_opts publish-inactive.example @10.53.0.3 dnskey > dig.out.ns3.test$n
+keys=$(awk '$5 == 257 { print; }' dig.out.ns3.test$n | wc -l)
+test "$keys" -gt 2 && break
+cnt=$((cnt+1))
+test "$cnt" -gt 120 && break
+sleep 1
+done
+test "$keys" -gt 2 || ret=1
+sigs=$(grep -c RRSIG dig.out.ns3.test$n || true)
+n=$((n+1))
+test "$sigs" -eq 2 || ret=1
+if test "$ret" -ne 0 ; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "check that increasing the sig-validity-interval resigning triggers re-signing ($n)"
+ret=0
+before=$($DIG axfr siginterval.example -p "$PORT" @10.53.0.3 | grep RRSIG.SOA)
+cp ns3/siginterval2.conf ns3/siginterval.conf
+rndccmd 10.53.0.3 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
+i=10
+while [ "$i" -ge 0 ]; do
+after=$($DIG axfr siginterval.example -p "$PORT" @10.53.0.3 | grep RRSIG.SOA)
+test "$before" != "$after" && break
+sleep 1
+i=$((i-1))
+done
+n=$((n+1))
+if test "$before" = "$after" ; then echo_i "failed"; ret=1; fi
+status=$((status+ret))
+
+if [ -x "$PYTHON" ]; then
+    echo_i "check dnskey-sig-validity sets longer expiry for DNSKEY ($n)"
+    ret=0
+    rndccmd 10.53.0.3 sign siginterval.example 2>&1 | sed 's/^/ns3 /' | cat_i
+    # convert expiry date to a comma-separated list of integers python can
+    # use as input to date(). strip leading 0s in months and days so
+    # python3 will recognize them as integers.
+    $DIG +dnssec +short -p "$PORT" @10.53.0.3 soa siginterval.example > dig.out.soa.test$n
+    soaexpire=$(awk '$1 ~ /SOA/ { print $5 }' dig.out.soa.test$n |
+	       sed 's/\(....\)\(..\)\(..\).*/\1, \2, \3/' |
+	       sed 's/ 0/ /g')
+    $DIG +dnssec +short -p "$PORT" @10.53.0.3 dnskey siginterval.example > dig.out.dnskey.test$n
+    dnskeyexpire=$(awk '$1 ~ /DNSKEY/ { print $5; exit 0 }' dig.out.dnskey.test$n |
+		  sed 's/\(....\)\(..\)\(..\).*/\1, \2, \3/' |
+		  sed 's/ 0/ /g')
+    $PYTHON > python.out.$n <<EOF
+from datetime import date;
+ke=date($dnskeyexpire)
+se=date($soaexpire)
+print((ke-se).days);
+EOF
+    diff=$(cat python.out.$n)
+    [ "$diff" -ge 55 ] || ret=1
+    n=$((n+1))
+    test "$ret" -eq 0 || echo_i "failed"
+    status=$((status+ret))
+fi
+
+copy_setports ns4/named4.conf.in ns4/named.conf
+rndccmd 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i
+sleep 3
+
+echo_i "check insecure delegation between static-stub zones ($n)"
+ret=0
+dig_with_opts ns insecure.secure.example \
+	@10.53.0.4 > dig.out.ns4.1.test$n || ret=1
+grep "SERVFAIL" dig.out.ns4.1.test$n > /dev/null && ret=1
+dig_with_opts ns secure.example \
+	@10.53.0.4 > dig.out.ns4.2.test$n || ret=1
+grep "SERVFAIL" dig.out.ns4.2.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check the acceptance of seconds as inception and expiration times ($n)"
+ret=0
+in="NSEC 8 0 86400 1390003200 1389394800 33655 . NYWjZYBV1b+h4j0yu/SmPOOylR8P4IXKDzHX3NwEmU1SUp27aJ91dP+i+UBcnPmBib0hck4DrFVvpflCEpCnVQd2DexcN0GX+3PM7XobxhtDlmnU X1L47zJlbdHNwTqHuPaMM6Xy9HGMXps7O5JVyfggVhTz2C+G5OVxBdb2rOo="
+
+exp="NSEC 8 0 86400 20140118000000 20140110230000 33655 . NYWjZYBV1b+h4j0yu/SmPOOylR8P4IXKDzHX3NwEmU1SUp27aJ91dP+i +UBcnPmBib0hck4DrFVvpflCEpCnVQd2DexcN0GX+3PM7XobxhtDlmnU X1L47zJlbdHNwTqHuPaMM6Xy9HGMXps7O5JVyfggVhTz2C+G5OVxBdb2 rOo="
+
+out=$(echo "IN RRSIG $in" | $RRCHECKER -p | sed 's/^IN.RRSIG.//')
+[ "$out" = "$exp" ] || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check the correct resigning time is reported in zonestatus ($n)"
+ret=0
+rndccmd 10.53.0.3 \
+		zonestatus secure.example > rndc.out.ns3.test$n
+# next resign node: secure.example/DNSKEY
+qname=$(awk '/next resign node:/ { print $4 }' rndc.out.ns3.test$n | sed 's,/.*,,')
+qtype=$(awk '/next resign node:/ { print $4 }' rndc.out.ns3.test$n | sed 's,.*/,,')
+# next resign time: Thu, 24 Apr 2014 10:38:16 GMT
+time=$(awk 'BEGIN { m["Jan"] = "01"; m["Feb"] = "02"; m["Mar"] = "03";
+		   m["Apr"] = "04"; m["May"] = "05"; m["Jun"] = "06";
+		   m["Jul"] = "07"; m["Aug"] = "08"; m["Sep"] = "09";
+		   m["Oct"] = "10"; m["Nov"] = "11"; m["Dec"] = "12";}
+	 /next resign time:/ { printf "%d%s%02d%s\n", $7, m[$6], $5, $8 }' rndc.out.ns3.test$n | sed 's/://g')
+dig_with_opts +noall +answer "$qname" "$qtype" @10.53.0.3 > dig.out.test$n
+expire=$(awk '$4 == "RRSIG" { print $9 }' dig.out.test$n)
+inception=$(awk '$4 == "RRSIG" { print $10 }' dig.out.test$n)
+$PERL -e 'exit(0) if ("'"$time"'" lt "'"$expire"'" && "'"$time"'" gt "'"$inception"'"); exit(1);' || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that split rrsigs are handled ($n)"
+ret=0
+dig_with_opts split-rrsig soa @10.53.0.7 > dig.out.test$n || ret=1
+awk 'BEGIN { ok=0; } $4 == "SOA" { if ($7 > 1) ok=1; } END { if (!ok) exit(1); }' dig.out.test$n || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that not-at-zone-apex RRSIG(SOA) RRsets are removed from the zone after load ($n)"
+ret=0
+dig_with_opts split-rrsig AXFR @10.53.0.7 > dig.out.test$n || ret=1
+grep -q "not-at-zone-apex.*RRSIG.*SOA" dig.out.test$n && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that 'dnssec-keygen -S' works for all supported algorithms ($n)"
+ret=0
+alg=1
+until test $alg -eq 256
+do
+    zone="keygen-$alg."
+    case $alg in
+	2) # Diffie Helman
+	    alg=$((alg+1))
+	    continue;;
+	157|160|161|162|163|164|165) # private - non standard
+	    alg=$((alg+1))
+	    continue;;
+	1|5|7|8|10) # RSA algorithms
+	    key1=$($KEYGEN -a "$alg" -b "1024" -n zone "$zone" 2> "keygen-$alg.err" || true)
+	    ;;
+	15|16)
+	    key1=$($KEYGEN -a "$alg" -n zone "$zone" 2> "keygen-$alg.err" || true)
+	    # Soft-fail	in case HSM doesn't support Edwards curves
+	    if grep "not found" "keygen-$alg.err" > /dev/null && [ "$CRYPTO" = "pkcs11" ]; then
+		echo_i "Algorithm $alg not supported by HSM: skipping"
+		alg=$((alg+1))
+		continue
+	    fi
+	    ;;
+	*)
+	    key1=$($KEYGEN -a "$alg" -n zone "$zone" 2> "keygen-$alg.err" || true)
+    esac
+    if grep "unsupported algorithm" "keygen-$alg.err" > /dev/null
+    then
+	alg=$((alg+1))
+	continue
+    fi
+    if test -z "$key1"
+    then
+	echo_i "'$KEYGEN -a $alg': failed"
+	cat "keygen-$alg.err"
+	ret=1
+	alg=$((alg+1))
+	continue
+    fi
+    $SETTIME -I now+4d "$key1.private" > /dev/null
+    key2=$($KEYGEN -v 10 -i 3d -S "$key1.private" 2> /dev/null)
+    test -f "$key2.key" -a -f "$key2.private" || {
+	ret=1
+	echo_i "'dnssec-keygen -S' failed for algorithm: $alg"
+    }
+    alg=$((alg+1))
+done
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that CDS records are signed using KSK by dnssec-signzone ($n)"
+ret=0
+dig_with_opts +noall +answer @10.53.0.2 cds cds.secure > dig.out.test$n
+lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 2 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that CDS records are not signed using ZSK by dnssec-signzone -x ($n)"
+ret=0
+dig_with_opts +noall +answer @10.53.0.2 cds cds-x.secure > dig.out.test$n
+lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 2 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that positive unknown NSEC3 hash algorithm does validate ($n)"
+ret=0
+dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 nsec3-unknown.example SOA > dig.out.ns3.test$n
+dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 nsec3-unknown.example SOA > dig.out.ns4.test$n
+grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that CDS records are signed using KSK by with dnssec-auto ($n)"
+ret=0
+dig_with_opts +noall +answer @10.53.0.2 cds cds-auto.secure > dig.out.test$n
+lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 2 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that a CDS deletion record is accepted ($n)"
+ret=0
+(
+echo zone cds-update.secure
+echo server 10.53.0.2 "$PORT"
+echo update delete cds-update.secure CDS
+echo update add cds-update.secure 0 CDS 0 0 0 00
+echo send
+) | $NSUPDATE > nsupdate.out.test$n 2>&1
+dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n
+lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l)
+test "${lines:-10}" -eq 1 || ret=1
+lines=$(tr -d '\r' < dig.out.test$n | awk '$4 == "CDS" && $5 == "0" && $6 == "0" && $7 == "0" && $8 == "00" {print}' | wc -l)
+test "$lines" -eq 1 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that CDS records are signed using KSK when added by nsupdate ($n)"
+ret=0
+(
+echo zone cds-update.secure
+echo server 10.53.0.2 "$PORT"
+echo update delete cds-update.secure CDS
+echo send
+dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure |
+grep "DNSKEY.257" |
+$DSFROMKEY -12 -C -f - -T 1 cds-update.secure |
+sed "s/^/update add /"
+echo send
+) | $NSUPDATE
+dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n
+lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 2 || ret=1
+lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 2 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that CDS records are signed only using KSK when added by"
+echo_ic "nsupdate when dnssec-dnskey-kskonly is yes ($n)"
+ret=0
+keyid=$(cat ns2/cds-kskonly.secure.id)
+(
+echo zone cds-kskonly.secure
+echo server 10.53.0.2 "$PORT"
+echo update delete cds-kskonly.secure CDS
+echo send
+dig_with_opts +noall +answer @10.53.0.2 dnskey cds-kskonly.secure |
+grep "DNSKEY.257" |
+$DSFROMKEY -12 -C -f - -T 1 cds-kskonly.secure |
+sed "s/^/update add /"
+echo send
+) | $NSUPDATE
+dig_with_opts +noall +answer @10.53.0.2 cds cds-kskonly.secure > dig.out.test$n
+lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 1 || ret=1
+lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDS" && $11 == id {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 1 || ret=1
+lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 2 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that CDS deletion records are signed only using KSK when added by"
+echo_ic "nsupdate when dnssec-dnskey-kskonly is yes ($n)"
+ret=0
+keyid=$(cat ns2/cds-kskonly.secure.id)
+(
+echo zone cds-kskonly.secure
+echo server 10.53.0.2 "$PORT"
+echo update delete cds-kskonly.secure CDS
+echo update add cds-kskonly.secure 0 CDS 0 0 0 00
+echo send
+) | $NSUPDATE
+dig_with_opts +noall +answer @10.53.0.2 cds cds-kskonly.secure > dig.out.test$n
+lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 1 || ret=1
+lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDS" && $11 == id {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 1 || ret=1
+lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 1 || ret=1
+lines=$(tr -d '\r' < dig.out.test$n | awk '$4 == "CDS" && $5 == "0" && $6 == "0" && $7 == "0" && $8 == "00" {print}' | wc -l)
+test "$lines" -eq 1 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that positive unknown NSEC3 hash algorithm with OPTOUT does validate ($n)"
+ret=0
+dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 optout-unknown.example SOA > dig.out.ns3.test$n
+dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 optout-unknown.example SOA > dig.out.ns4.test$n
+grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that a non matching CDS record is accepted with a matching CDS record ($n)"
+ret=0
+(
+echo zone cds-update.secure
+echo server 10.53.0.2 "$PORT"
+echo update delete cds-update.secure CDS
+echo send
+dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure |
+grep "DNSKEY.257" |
+$DSFROMKEY -12 -C -f - -T 1 cds-update.secure |
+sed "s/^/update add /"
+dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure |
+grep "DNSKEY.257" | sed 's/DNSKEY.257/DNSKEY 258/' |
+$DSFROMKEY -12 -C -A -f - -T 1 cds-update.secure |
+sed "s/^/update add /"
+echo send
+) | $NSUPDATE
+dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n
+lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 2 || ret=1
+lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 4 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that negative unknown NSEC3 hash algorithm does not validate ($n)"
+ret=0
+dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 nsec3-unknown.example A > dig.out.ns3.test$n
+dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 nsec3-unknown.example A > dig.out.ns4.test$n
+grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: SERVFAIL," dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that CDNSKEY records are signed using KSK by dnssec-signzone ($n)"
+ret=0
+dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey.secure > dig.out.test$n
+lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 2 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that CDNSKEY records are not signed using ZSK by dnssec-signzone -x ($n)"
+ret=0
+dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-x.secure > dig.out.test$n
+lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 2 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that negative unknown NSEC3 hash algorithm with OPTOUT does not validate ($n)"
+ret=0
+dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 optout-unknown.example A > dig.out.ns3.test$n
+dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 optout-unknown.example A > dig.out.ns4.test$n
+grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: SERVFAIL," dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that CDNSKEY records are signed using KSK by with dnssec-auto ($n)"
+ret=0
+dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-auto.secure > dig.out.test$n
+lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 2 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that unknown DNSKEY algorithm validates as insecure ($n)"
+ret=0
+dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unknown.example A > dig.out.ns3.test$n
+dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-unknown.example A > dig.out.ns4.test$n
+grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that unsupported DNSKEY algorithm validates as insecure ($n)"
+ret=0
+dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unsupported.example A > dig.out.ns3.test$n
+dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-unsupported.example A > dig.out.ns4.test$n
+grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that unsupported DNSKEY algorithm is in DNSKEY RRset ($n)"
+ret=0
+dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unsupported-2.example DNSKEY > dig.out.test$n
+grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
+grep "dnskey-unsupported-2\.example\..*IN.*DNSKEY.*257 3 255" dig.out.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# TODO: test case for GL #1689.
+# If we allow the dnssec tools to use deprecated algorithms (such as RSAMD5)
+# we could write a test that signs a zone with supported and unsupported
+# algorithm, apply a fixed rrset order such that the unsupported algorithm
+# precedes the supported one in the DNSKEY RRset, and verify the result still
+# validates succesfully.
+
+echo_i "check that a CDNSKEY deletion record is accepted ($n)"
+ret=0
+(
+echo zone cdnskey-update.secure
+echo server 10.53.0.2 "$PORT"
+echo update delete cdnskey-update.secure CDNSKEY
+echo update add cdnskey-update.secure 0 CDNSKEY 0 3 0 AA==
+echo send
+) | $NSUPDATE > nsupdate.out.test$n 2>&1
+dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n
+lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
+test "${lines:-10}" -eq 1 || ret=1
+lines=$(tr -d '\r' < dig.out.test$n | awk '$4 == "CDNSKEY" && $5 == "0" && $6 == "3" && $7 == "0" && $8 == "AA==" {print}' | wc -l)
+test "${lines:-10}" -eq 1 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that unknown DNSKEY algorithm + unknown NSEC3 has algorithm validates as insecure ($n)"
+ret=0
+dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-nsec3-unknown.example A > dig.out.ns3.test$n
+dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-nsec3-unknown.example A > dig.out.ns4.test$n
+grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that CDNSKEY records are signed using KSK when added by nsupdate ($n)"
+ret=0
+(
+echo zone cdnskey-update.secure
+echo server 10.53.0.2 "$PORT"
+echo update delete cdnskey-update.secure CDNSKEY
+dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure |
+sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p'
+echo send
+) | $NSUPDATE
+dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n
+lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 2 || ret=1
+lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 1 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that CDNSKEY records are signed only using KSK when added by"
+echo_ic "nsupdate when dnssec-dnskey-kskonly is yes ($n)"
+ret=0
+keyid=$(cat ns2/cdnskey-kskonly.secure.id)
+(
+echo zone cdnskey-kskonly.secure
+echo server 10.53.0.2 "$PORT"
+echo update delete cdnskey-kskonly.secure CDNSKEY
+dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-kskonly.secure |
+sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p'
+echo send
+) | $NSUPDATE
+dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-kskonly.secure > dig.out.test$n
+lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 1 || ret=1
+lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDNSKEY" && $11 == id {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 1 || ret=1
+lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 1 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that CDNSKEY deletion records are signed only using KSK when added by"
+echo_ic "nsupdate when dnssec-dnskey-kskonly is yes ($n)"
+ret=0
+keyid=$(cat ns2/cdnskey-kskonly.secure.id)
+(
+echo zone cdnskey-kskonly.secure
+echo server 10.53.0.2 "$PORT"
+echo update delete cdnskey-kskonly.secure CDNSKEY
+echo update add cdnskey-kskonly.secure 0 CDNSKEY 0 3 0 AA==
+echo send
+) | $NSUPDATE
+dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-kskonly.secure > dig.out.test$n
+lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 1 || ret=1
+lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDNSKEY" && $11 == id {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 1 || ret=1
+lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 1 || ret=1
+lines=$(tr -d '\r' < dig.out.test$n | awk '$4 == "CDNSKEY" && $5 == "0" && $6 == "3" && $7 == "0" && $8 == "AA==" {print}' | wc -l)
+test "${lines:-10}" -eq 1 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking initialization with a revoked managed key ($n)"
+ret=0
+copy_setports ns5/named2.conf.in ns5/named.conf
+rndccmd 10.53.0.5 reconfig 2>&1 | sed 's/^/ns5 /' | cat_i
+sleep 3
+dig_with_opts +dnssec @10.53.0.5 SOA . > dig.out.ns5.test$n
+grep "status: SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that a non matching CDNSKEY record is accepted with a matching CDNSKEY record ($n)"
+ret=0
+(
+echo zone cdnskey-update.secure
+echo server 10.53.0.2 "$PORT"
+echo update delete cdnskey-update.secure CDNSKEY
+dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure |
+sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p'
+dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure |
+sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 258/p'
+echo send
+) | $NSUPDATE
+dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n
+lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 2 || ret=1
+lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 2 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that RRSIGs are correctly removed from apex when RRset is removed  NSEC ($n)"
+ret=0
+# generate signed zone with MX and AAAA records at apex.
+(
+cd signer || exit 1
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fK remove > /dev/null
+$KEYGEN -q -a $DEFAULT_ALGORITHM -33 remove > /dev/null
+echo > remove.db.signed
+$SIGNER -S -o remove -D -f remove.db.signed remove.db.in > signer.out.1.$n
+)
+grep "RRSIG MX" signer/remove.db.signed > /dev/null || {
+	ret=1 ; cp signer/remove.db.signed signer/remove.db.signed.pre$n;
+}
+# re-generate signed zone without MX and AAAA records at apex.
+(
+cd signer || exit 1
+$SIGNER -S -o remove -D -f remove.db.signed remove2.db.in > signer.out.2.$n
+)
+grep "RRSIG MX" signer/remove.db.signed > /dev/null &&  {
+	ret=1 ; cp signer/remove.db.signed signer/remove.db.signed.post$n;
+}
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that RRSIGs are correctly removed from apex when RRset is removed  NSEC3 ($n)"
+ret=0
+# generate signed zone with MX and AAAA records at apex.
+(
+cd signer || exit 1
+echo > remove.db.signed
+$SIGNER -3 - -S -o remove -D -f remove.db.signed remove.db.in > signer.out.1.$n
+)
+grep "RRSIG MX" signer/remove.db.signed > /dev/null || {
+	ret=1 ; cp signer/remove.db.signed signer/remove.db.signed.pre$n;
+}
+# re-generate signed zone without MX and AAAA records at apex.
+(
+cd signer || exit 1
+$SIGNER -3 - -S -o remove -D -f remove.db.signed remove2.db.in > signer.out.2.$n
+)
+grep "RRSIG MX" signer/remove.db.signed > /dev/null &&  {
+	ret=1 ; cp signer/remove.db.signed signer/remove.db.signed.post$n;
+}
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that a named managed zone that was signed 'in-the-future' is re-signed when loaded ($n)"
+ret=0
+dig_with_opts managed-future.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that trust-anchor-telemetry queries are logged ($n)"
+ret=0
+grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/NULL" ns6/named.run > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that _ta-XXXX trust-anchor-telemetry queries are logged ($n)"
+ret=0
+grep "trust-anchor-telemetry '_ta-[0-9a-f]*/IN' from" ns1/named.run > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that _ta-AAAA trust-anchor-telemetry are not sent when disabled ($n)"
+ret=0
+grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/IN" ns1/named.run > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that KEY-TAG trust-anchor-telemetry queries are logged ($n)"
+ret=0
+dig_with_opts . dnskey +ednsopt=KEY-TAG:ffff @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "trust-anchor-telemetry './IN' from .* 65535" ns1/named.run > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that multiple KEY-TAG trust-anchor-telemetry options don't leak memory ($n)"
+ret=0
+dig_with_opts . dnskey +ednsopt=KEY-TAG:fffe +ednsopt=KEY-TAG:fffd @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "trust-anchor-telemetry './IN' from .* 65534" ns1/named.run > /dev/null || ret=1
+grep "trust-anchor-telemetry './IN' from .* 65533" ns1/named.run > /dev/null && ret=1
+stop_server ns1 || ret=1
+nextpart ns1/named.run > /dev/null
+start_server --noclean --restart --port ${PORT} ns1 || ret=1
+n=$(($n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "waiting for root server to finish reloading ($n)"
+ret=0
+wait_for_log 20 "all zones loaded" ns1/named.run || ret=1
+n=$(($n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that the view is logged in messages from the validator when using views ($n)"
+ret=0
+grep "view rec: *validat" ns4/named.run > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that DNAME at apex with NSEC3 is correctly signed (dnssec-signzone) ($n)"
+ret=0
+dig_with_opts txt dname-at-apex-nsec3.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "RRSIG.NSEC3 $DEFAULT_ALGORITHM_NUMBER 3 600" dig.out.ns3.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that DNSKEY and other occluded data are excluded from the delegating bitmap ($n)"
+ret=0
+dig_with_opts axfr occluded.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "^delegation.occluded.example..*NSEC.*NS KEY DS RRSIG NSEC$" dig.out.ns3.test$n > /dev/null || ret=1
+grep "^delegation.occluded.example..*DNSKEY.*" dig.out.ns3.test$n > /dev/null || ret=1
+grep "^delegation.occluded.example..*AAAA.*" dig.out.ns3.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking DNSSEC records are occluded from ANY in an insecure zone ($n)"
+ret=0
+dig_with_opts any x.insecure.example. @10.53.0.3 > dig.out.ns3.1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.1.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns3.1.test$n > /dev/null || ret=1
+dig_with_opts any zz.secure.example. @10.53.0.3 > dig.out.ns3.2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.2.test$n > /dev/null || ret=1
+# DNSKEY+RRSIG, NSEC+RRSIG
+grep "ANSWER: 4," dig.out.ns3.2.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+#
+# DNSSEC tests related to unsupported, disabled and revoked trust anchors.
+#
+
+# This nameserver (ns8) is loaded with a bunch of trust anchors.  Some of
+# them are good (enabled.managed, enabled.trusted, secure.managed,
+# secure.trusted), and some of them are bad (disabled.managed,
+# revoked.managed, unsupported.managed, disabled.trusted, revoked.trusted,
+# unsupported.trusted).  Make sure that the bad trust anchors are ignored.
+# This is tested by looking for the corresponding lines in the logfile.
+echo_i "checking that keys with unsupported algorithms and disabled algorithms are ignored ($n)"
+ret=0
+grep -q "ignoring static-key for 'disabled\.trusted\.': algorithm is disabled" ns8/named.run || ret=1
+grep -q "ignoring static-key for 'unsupported\.trusted\.': algorithm is unsupported" ns8/named.run || ret=1
+grep -q "ignoring static-key for 'revoked\.trusted\.': bad key type" ns8/named.run || ret=1
+grep -q "ignoring initial-key for 'disabled\.managed\.': algorithm is disabled" ns8/named.run || ret=1
+grep -q "ignoring initial-key for 'unsupported\.managed\.': algorithm is unsupported" ns8/named.run || ret=1
+grep -q "ignoring initial-key for 'revoked\.managed\.': bad key type" ns8/named.run || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# The next two tests are fairly normal DNSSEC queries to signed zones with a
+# default algorithm.  First, a query is made against the server that is
+# authoritative for the given zone (ns3).  Second, a query is made against a
+# resolver with trust anchors for the given zone (ns8).  Both are expected to
+# return an authentic data positive response.
+echo_i "checking that a trusted key using a supported algorithm validates as secure ($n)"
+ret=0
+dig_with_opts @10.53.0.3 a.secure.trusted A > dig.out.ns3.test$n
+dig_with_opts @10.53.0.8 a.secure.trusted A > dig.out.ns8.test$n
+grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that a managed key using a supported algorithm validates as secure ($n)"
+ret=0
+dig_with_opts @10.53.0.3 a.secure.managed A > dig.out.ns3.test$n
+dig_with_opts @10.53.0.8 a.secure.managed A > dig.out.ns8.test$n
+grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# The next two queries ensure that a zone signed with a DNSKEY with an unsupported
+# algorithm will yield insecure positive responses.  These trust anchors in ns8 are
+# ignored and so this domain is treated as insecure.  The AD bit should not be set
+# in the response.
+echo_i "checking that a trusted key using an unsupported algorithm validates as insecure ($n)"
+ret=0
+dig_with_opts @10.53.0.3 a.unsupported.trusted A > dig.out.ns3.test$n
+dig_with_opts @10.53.0.8 a.unsupported.trusted A > dig.out.ns8.test$n
+grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that a managed key using an unsupported algorithm validates as insecure ($n)"
+ret=0
+dig_with_opts @10.53.0.3 a.unsupported.managed A > dig.out.ns3.test$n
+dig_with_opts @10.53.0.8 a.unsupported.managed A > dig.out.ns8.test$n
+grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# The next two queries ensure that a zone signed with a DNSKEY that the nameserver
+# has a disabled algorithm match for will yield insecure positive responses.
+# These trust anchors in ns8 are ignored and so this domain is treated as insecure.
+# The AD bit should not be set in the response.
+echo_i "checking that a trusted key using a disabled algorithm validates as insecure ($n)"
+ret=0
+dig_with_opts @10.53.0.3 a.disabled.trusted A > dig.out.ns3.test$n
+dig_with_opts @10.53.0.8 a.disabled.trusted A > dig.out.ns8.test$n
+grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that a managed key using a disabled algorithm validates as insecure ($n)"
+ret=0
+dig_with_opts @10.53.0.3 a.disabled.managed A > dig.out.ns3.test$n
+dig_with_opts @10.53.0.8 a.disabled.managed A > dig.out.ns8.test$n
+grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# The next two queries ensure that a zone signed with a DNSKEY that the
+# nameserver has a disabled algorithm for, but for a different domain, will
+# yield secure positive responses.  Since "enabled.trusted." and
+# "enabled.managed." do not match the "disable-algorithms" option, no
+# special rules apply and these zones should validate as secure, with the AD
+# bit set.
+echo_i "checking that a trusted key using an algorithm disabled for another domain validates as secure ($n)"
+ret=0
+dig_with_opts @10.53.0.3 a.enabled.trusted A > dig.out.ns3.test$n
+dig_with_opts @10.53.0.8 a.enabled.trusted A > dig.out.ns8.test$n
+grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that a managed key using an algorithm disabled for another domain validates as secure ($n)"
+ret=0
+dig_with_opts @10.53.0.3 a.enabled.managed A > dig.out.ns3.test$n
+dig_with_opts @10.53.0.8 a.enabled.managed A > dig.out.ns8.test$n
+grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# A configured revoked trust anchor is ignored and thus the two queries below
+# should result in insecure responses, since no trust points for the
+# "revoked.trusted." and "revoked.managed." zones are created.
+echo_i "checking that a trusted key that is revoked validates as insecure ($n)"
+ret=0
+dig_with_opts @10.53.0.3 a.revoked.trusted A > dig.out.ns3.test$n
+dig_with_opts @10.53.0.8 a.revoked.trusted A > dig.out.ns8.test$n
+grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that a managed key that is revoked validates as insecure ($n)"
+ret=0
+dig_with_opts @10.53.0.3 a.revoked.managed A > dig.out.ns3.test$n
+dig_with_opts @10.53.0.8 a.revoked.managed A > dig.out.ns8.test$n
+grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+###
+### Additional checks for when the KSK is offline.
+###
+
+# Save some useful information
+zone="updatecheck-kskonly.secure"
+KSK=$(cat ns2/${zone}.ksk.key)
+ZSK=$(cat ns2/${zone}.zsk.key)
+KSK_ID=$(cat ns2/${zone}.ksk.id)
+ZSK_ID=$(cat ns2/${zone}.zsk.id)
+SECTIONS="+answer +noauthority +noadditional"
+echo_i "testing zone $zone KSK=$KSK_ID ZSK=$ZSK_ID"
+
+# Print IDs of keys used for generating RRSIG records for RRsets of type $1
+# found in dig output file $2.
+get_keys_which_signed() {
+	qtype=$1
+	output=$2
+	# The key ID is the 11th column of the RRSIG record line.
+	awk -v qt="$qtype" '$4 == "RRSIG" && $5 == qt {print $11}' < "$output"
+}
+
+# Basic checks to make sure everything is fine before the KSK is made offline.
+for qtype in "DNSKEY" "CDNSKEY" "CDS"
+do
+  echo_i "checking $qtype RRset is signed with KSK only (update-check-ksk, dnssec-ksk-only) ($n)"
+  ret=0
+  dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n
+  lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l)
+  test "$lines" -eq 1 || ret=1
+  get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null || ret=1
+  get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1
+  n=$((n+1))
+  test "$ret" -eq 0 || echo_i "failed"
+  status=$((status+ret))
+done
+
+echo_i "checking SOA RRset is signed with ZSK only (update-check-ksk and dnssec-ksk-only) ($n)"
+ret=0
+dig_with_opts $SECTIONS @10.53.0.2 soa $zone > dig.out.test$n
+lines=$(get_keys_which_signed "SOA" dig.out.test$n | wc -l)
+test "$lines" -eq 1 || ret=1
+get_keys_which_signed "SOA" dig.out.test$n | grep "^$KSK_ID$" > /dev/null && ret=1
+get_keys_which_signed "SOA" dig.out.test$n | grep "^$ZSK_ID$" > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Roll the ZSK.
+zsk2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -K ns2 -n zone "$zone")
+keyfile_to_key_id "$zsk2" > ns2/$zone.zsk.id2
+ZSK_ID2=$(cat ns2/$zone.zsk.id2)
+
+echo_i "load new ZSK $ZSK_ID2 for $zone ($n)"
+ret=0
+dnssec_loadkeys_on 2 $zone || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Make new ZSK active.
+echo_i "make ZSK $ZSK_ID inactive and make new ZSK $ZSK_ID2 active for zone $zone ($n)"
+ret=0
+$SETTIME -I now -K ns2 $ZSK > /dev/null
+$SETTIME -A now -K ns2 $zsk2 > /dev/null
+dnssec_loadkeys_on 2 $zone || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Remove the KSK from disk.
+echo_i "remove the KSK $KSK_ID for zone $zone from disk"
+mv ns2/$KSK.key ns2/$KSK.key.bak
+mv ns2/$KSK.private ns2/$KSK.private.bak
+
+# Update the zone that requires a resign of the SOA RRset.
+echo_i "update the zone with $zone IN TXT nsupdate added me"
+(
+echo zone $zone
+echo server 10.53.0.2 "$PORT"
+echo update add $zone. 300 in txt "nsupdate added me"
+echo send
+) | $NSUPDATE
+
+# Redo the tests now that the zone is updated and the KSK is offline.
+for qtype in "DNSKEY" "CDNSKEY" "CDS"
+do
+  echo_i "checking $qtype RRset is signed with KSK only, KSK offline (update-check-ksk, dnssec-ksk-only) ($n)"
+  ret=0
+  dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n
+  lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l)
+  test "$lines" -eq 1 || ret=1
+  get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null || ret=1
+  get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1
+  get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null && ret=1
+  n=$((n+1))
+  test "$ret" -eq 0 || echo_i "failed"
+  status=$((status+ret))
+done
+
+for qtype in "SOA" "TXT"
+do
+  echo_i "checking $qtype RRset is signed with ZSK only, KSK offline (update-check-ksk and dnssec-ksk-only) ($n)"
+  ret=0
+  dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n
+  lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l)
+  test "$lines" -eq 1 || ret=1
+  get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null && ret=1
+  get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1
+  get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null || ret=1
+  n=$((n+1))
+  test "$ret" -eq 0 || echo_i "failed"
+  status=$((status+ret))
+done
+
+# Put back the KSK.
+echo_i "put back the KSK $KSK_ID for zone $zone from disk"
+mv ns2/$KSK.key.bak ns2/$KSK.key
+mv ns2/$KSK.private.bak ns2/$KSK.private
+
+# Roll the ZSK again.
+zsk3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -K ns2 -n zone "$zone")
+keyfile_to_key_id "$zsk3" > ns2/$zone.zsk.id3
+ZSK_ID3=$(cat ns2/$zone.zsk.id3)
+
+# Schedule the new ZSK (ZSK3) to become active.
+echo_i "delete old ZSK $ZSK_ID schedule ZSK $ZSK_ID2 inactive and new ZSK $ZSK_ID3 active for zone $zone ($n)"
+$SETTIME -D now -K ns2 $ZSK > /dev/null
+$SETTIME -I +3600 -K ns2 $zsk2 > /dev/null
+$SETTIME -A +3600 -K ns2 $zsk3 > /dev/null
+dnssec_loadkeys_on 2 $zone || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Remove the KSK from disk.
+echo_i "remove the KSK $KSK_ID for zone $zone from disk"
+mv ns2/$KSK.key ns2/$KSK.key.bak
+mv ns2/$KSK.private ns2/$KSK.private.bak
+
+# Update the zone that requires a resign of the SOA RRset.
+echo_i "update the zone with $zone IN TXT nsupdate added me again"
+(
+echo zone $zone
+echo server 10.53.0.2 "$PORT"
+echo update add $zone. 300 in txt "nsupdate added me again"
+echo send
+) | $NSUPDATE
+
+# Redo the tests now that the ZSK roll has deleted the old key.
+for qtype in "DNSKEY" "CDNSKEY" "CDS"
+do
+  echo_i "checking $qtype RRset is signed with KSK only, old ZSK deleted (update-check-ksk, dnssec-ksk-only) ($n)"
+  ret=0
+  dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n
+  lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l)
+  test "$lines" -eq 1 || ret=1
+  get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null || ret=1
+  get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1
+  get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null && ret=1
+  get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" > /dev/null && ret=1
+  n=$((n+1))
+  test "$ret" -eq 0 || echo_i "failed"
+  status=$((status+ret))
+done
+
+for qtype in "SOA" "TXT"
+do
+  echo_i "checking $qtype RRset is signed with ZSK only, old ZSK deleted (update-check-ksk and dnssec-ksk-only) ($n)"
+  ret=0
+  dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n
+  lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l)
+  test "$lines" -eq 1 || ret=1
+  get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null && ret=1
+  get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1
+  get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null || ret=1
+  get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" > /dev/null && ret=1
+  n=$((n+1))
+  test "$ret" -eq 0 || echo_i "failed"
+  status=$((status+ret))
+done
+
+# Make the new ZSK (ZSK3) active.
+echo_i "make new ZSK $ZSK_ID3 active for zone $zone ($n)"
+$SETTIME -I +1 -K ns2 $zsk2 > /dev/null
+$SETTIME -A +1 -K ns2 $zsk3 > /dev/null
+dnssec_loadkeys_on 2 $zone || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Wait for newest ZSK to become active.
+echo_i "wait until new ZSK $ZSK_ID3 active and ZSK $ZSK_ID2 inactive"
+for i in 1 2 3 4 5 6 7 8 9 10; do
+    ret=0
+    grep "DNSKEY $zone/$DEFAULT_ALGORITHM/$ZSK_ID3 (ZSK) is now active" ns2/named.run > /dev/null || ret=1
+    grep "DNSKEY $zone/$DEFAULT_ALGORITHM/$ZSK_ID2 (ZSK) is now inactive" ns2/named.run > /dev/null || ret=1
+    [ "$ret" -eq 0 ] && break
+    sleep 1
+done
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Update the zone that requires a resign of the SOA RRset.
+echo_i "update the zone with $zone IN TXT nsupdate added me one more time"
+(
+echo zone $zone
+echo server 10.53.0.2 "$PORT"
+echo update add $zone. 300 in txt "nsupdate added me one more time"
+echo send
+) | $NSUPDATE
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Redo the tests one more time.
+for qtype in "DNSKEY" "CDNSKEY" "CDS"
+do
+  echo_i "checking $qtype RRset is signed with KSK only, new ZSK active (update-check-ksk, dnssec-ksk-only) ($n)"
+  ret=0
+  dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n
+  lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l)
+  test "$lines" -eq 1 || ret=1
+  get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null || ret=1
+  get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1
+  get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null && ret=1
+  get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" > /dev/null && ret=1
+  n=$((n+1))
+  test "$ret" -eq 0 || echo_i "failed"
+  status=$((status+ret))
+done
+
+for qtype in "SOA" "TXT"
+do
+  echo_i "checking $qtype RRset is signed with ZSK only, new ZSK active (update-check-ksk and dnssec-ksk-only) ($n)"
+  ret=0
+  dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n
+  lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l)
+  test "$lines" -eq 1 || ret=1
+  get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null && ret=1
+  get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1
+  get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null && ret=1
+  get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" > /dev/null || ret=1
+  n=$((n+1))
+  test "$ret" -eq 0 || echo_i "failed"
+  status=$((status+ret))
+done
+
+echo_i "checking secroots output with multiple views ($n)"
+ret=0
+rndccmd 10.53.0.4 secroots 2>&1 | sed 's/^/ns4 /' | cat_i
+cp ns4/named.secroots named.secroots.test$n
+check_secroots_layout named.secroots.test$n || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking sig-validity-interval second field hours vs days ($n)"
+ret=0
+# zone configured with 'sig-validity-interval 500 499;'
+# 499 days in the future w/ a 20 minute runtime to now allowance
+min=$(TZ=UTC $PERL -e '@lt=localtime(time() + 499*3600*24 - 20*60); printf "%.4d%0.2d%0.2d%0.2d%0.2d%0.2d\n",$lt[5]+1900,$lt[4]+1,$lt[3],$lt[2],$lt[1],$lt[0];')
+dig_with_opts @10.53.0.2 hours-vs-days AXFR > dig.out.ns2.test$n
+awk -v min=$min '$4 == "RRSIG" { if ($9 < min) { exit(1); } }' dig.out.ns2.test$n || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking validation succeeds during transition to signed ($n)"
+ret=0
+dig_with_opts @10.53.0.4 inprogress A > dig.out.ns4.test$n || ret=1
+grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep 'A.10\.53\.0\.10' dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking excessive NSEC3 iteration warnings in named.run ($n)"
+ret=0
+grep "zone too-many-iterations/IN: excessive NSEC3PARAM iterations [0-9]* > 150" ns2/named.run >/dev/null 2>&1 || ret=1
+grep "zone too-many-iterations/IN: excessive NSEC3PARAM iterations [0-9]* > 150" ns3/named.run >/dev/null 2>&1 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Check that the validating resolver will fallback to insecure if the answer
+# contains NSEC3 records with high iteration count.
+echo_i "checking fallback to insecure when NSEC3 iterations is too high (nxdomain) ($n)"
+ret=0
+dig_with_opts @10.53.0.2 does-not-exist.too-many-iterations > dig.out.ns2.test$n || ret=1
+dig_with_opts @10.53.0.4 does-not-exist.too-many-iterations > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
+grep "ANSWER: 0, AUTHORITY: 6" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking fallback to insecure when NSEC3 iterations is too high (nodata) ($n)"
+ret=0
+dig_with_opts @10.53.0.2 a.too-many-iterations txt > dig.out.ns2.test$n || ret=1
+dig_with_opts @10.53.0.4 a.too-many-iterations txt > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "ANSWER: 0, AUTHORITY: 4" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking fallback to insecure when NSEC3 iterations is too high (wildcard) ($n)"
+ret=0
+dig_with_opts @10.53.0.2 wild.a.too-many-iterations > dig.out.ns2.test$n || ret=1
+dig_with_opts @10.53.0.4 wild.a.too-many-iterations > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep 'wild\.a\.too-many-iterations\..*A.10\.0\.0\.3' dig.out.ns4.test$n >/dev/null || ret=1
+grep "ANSWER: 2, AUTHORITY: 4" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking fallback to insecure when NSEC3 iterations is too high (wildcard nodata) ($n)"
+ret=0
+dig_with_opts @10.53.0.2 type100 wild.a.too-many-iterations > dig.out.ns2.test$n || ret=1
+dig_with_opts @10.53.0.4 type100 wild.a.too-many-iterations > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "ANSWER: 0, AUTHORITY: 8" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Check that a query against a validating resolver succeeds when there is
+# a negative cache entry with trust level "pending" for the DS.  Prime
+# with a +cd DS query to produce the negative cache entry, then send a
+# query that uses that entry as part of the validation process. [GL #3279]
+echo_i "check that pending negative DS cache entry validates ($n)"
+ret=0
+dig_with_opts @10.53.0.4 +cd insecure2.example. ds > dig.out.prime.ns4.test$n || ret=1
+grep "flags: qr rd ra cd;" dig.out.prime.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.prime.ns4.test$n >/dev/null || ret=1
+grep "ANSWER: 0, AUTHORITY: 4, " dig.out.prime.ns4.test$n > /dev/null || ret=1
+dig_with_opts @10.53.0.4 a.insecure2.example. a > dig.out.ns4.test$n || ret=1
+grep "ANSWER: 1, AUTHORITY: 1, " dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n+1))
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/dnstap/README b/bin/tests/system/dnstap/README
new file mode 100644
index 0000000..856fe48
--- /dev/null
+++ b/bin/tests/system/dnstap/README
@@ -0,0 +1,27 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0.  If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+
+The "large-answer.fstrm" file was generated by configuring a named instance
+compiled with --enable-dnstap and --enable-fixed-rrset with the following
+directives:
+
+    minimal-responses yes;
+    rrset-order { order fixed; };
+    dnstap { auth response; };
+    dnstap-identity none;
+    dnstap-output file "large-answer.fstrm";
+
+The captured RRset from the "example." zone was created using:
+
+    $GENERATE 1-48 @ IN A 127.0.0.$
+
+A server instance set up this way was then queried non-recursively (RD=0) for
+"example/A".
diff --git a/bin/tests/system/dnstap/bad-fstrm-reopen-interval.conf b/bin/tests/system/dnstap/bad-fstrm-reopen-interval.conf
new file mode 100644
index 0000000..fd673d6
--- /dev/null
+++ b/bin/tests/system/dnstap/bad-fstrm-reopen-interval.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	fstrm-set-reopen-interval 1x;
+};
diff --git a/bin/tests/system/dnstap/bad-fstrm-set-buffer-hint-max.conf b/bin/tests/system/dnstap/bad-fstrm-set-buffer-hint-max.conf
new file mode 100644
index 0000000..cdab66b
--- /dev/null
+++ b/bin/tests/system/dnstap/bad-fstrm-set-buffer-hint-max.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	fstrm-set-buffer-hint 65537;
+};
diff --git a/bin/tests/system/dnstap/bad-fstrm-set-buffer-hint-min.conf b/bin/tests/system/dnstap/bad-fstrm-set-buffer-hint-min.conf
new file mode 100644
index 0000000..c5444e9
--- /dev/null
+++ b/bin/tests/system/dnstap/bad-fstrm-set-buffer-hint-min.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	fstrm-set-buffer-hint 1023;
+};
diff --git a/bin/tests/system/dnstap/bad-fstrm-set-flush-timeout-max.conf b/bin/tests/system/dnstap/bad-fstrm-set-flush-timeout-max.conf
new file mode 100644
index 0000000..05ab1d9
--- /dev/null
+++ b/bin/tests/system/dnstap/bad-fstrm-set-flush-timeout-max.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	fstrm-set-flush-timeout 0;
+};
diff --git a/bin/tests/system/dnstap/bad-fstrm-set-flush-timeout-min.conf b/bin/tests/system/dnstap/bad-fstrm-set-flush-timeout-min.conf
new file mode 100644
index 0000000..398b1ab
--- /dev/null
+++ b/bin/tests/system/dnstap/bad-fstrm-set-flush-timeout-min.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	fstrm-set-flush-timeout 601;
+};
diff --git a/bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-max.conf b/bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-max.conf
new file mode 100644
index 0000000..d6c4120
--- /dev/null
+++ b/bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-max.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	fstrm-set-input-queue-size 1;
+};
diff --git a/bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-min.conf b/bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-min.conf
new file mode 100644
index 0000000..787f656
--- /dev/null
+++ b/bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-min.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	fstrm-set-input-queue-size 16385;
+};
diff --git a/bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-po2.conf b/bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-po2.conf
new file mode 100644
index 0000000..ae713d3
--- /dev/null
+++ b/bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-po2.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	fstrm-set-input-queue-size 513;
+};
diff --git a/bin/tests/system/dnstap/bad-fstrm-set-output-notify-threshold.conf b/bin/tests/system/dnstap/bad-fstrm-set-output-notify-threshold.conf
new file mode 100644
index 0000000..643e2b8
--- /dev/null
+++ b/bin/tests/system/dnstap/bad-fstrm-set-output-notify-threshold.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	fstrm-set-output-notify-threshold 0;
+};
diff --git a/bin/tests/system/dnstap/bad-fstrm-set-output-queue-size-max.conf b/bin/tests/system/dnstap/bad-fstrm-set-output-queue-size-max.conf
new file mode 100644
index 0000000..853713f
--- /dev/null
+++ b/bin/tests/system/dnstap/bad-fstrm-set-output-queue-size-max.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	/*
+	 * This value is system dependent and matches IOV_MAX.
+	 */
+	fstrm-set-output-queue-size 10000000;
+};
diff --git a/bin/tests/system/dnstap/bad-fstrm-set-output-queue-size-min.conf b/bin/tests/system/dnstap/bad-fstrm-set-output-queue-size-min.conf
new file mode 100644
index 0000000..7940c89
--- /dev/null
+++ b/bin/tests/system/dnstap/bad-fstrm-set-output-queue-size-min.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	fstrm-set-output-queue-size 1;
+};
diff --git a/bin/tests/system/dnstap/bad-fstrm-set-reopen-interval-max.conf b/bin/tests/system/dnstap/bad-fstrm-set-reopen-interval-max.conf
new file mode 100644
index 0000000..9cfa9e3
--- /dev/null
+++ b/bin/tests/system/dnstap/bad-fstrm-set-reopen-interval-max.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	fstrm-set-reopen-interval 601;
+};
diff --git a/bin/tests/system/dnstap/bad-fstrm-set-reopen-interval-min.conf b/bin/tests/system/dnstap/bad-fstrm-set-reopen-interval-min.conf
new file mode 100644
index 0000000..be6a640
--- /dev/null
+++ b/bin/tests/system/dnstap/bad-fstrm-set-reopen-interval-min.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	fstrm-set-reopen-interval 0;
+};
diff --git a/bin/tests/system/dnstap/bad-missing-dnstap-output-view.conf b/bin/tests/system/dnstap/bad-missing-dnstap-output-view.conf
new file mode 100644
index 0000000..853da36
--- /dev/null
+++ b/bin/tests/system/dnstap/bad-missing-dnstap-output-view.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view "view" {
+	dnstap { client; auth; };
+};
diff --git a/bin/tests/system/dnstap/bad-missing-dnstap-output.conf b/bin/tests/system/dnstap/bad-missing-dnstap-output.conf
new file mode 100644
index 0000000..b5565e2
--- /dev/null
+++ b/bin/tests/system/dnstap/bad-missing-dnstap-output.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dnstap { client; auth; };
+	recursion yes;
+};
diff --git a/bin/tests/system/dnstap/bad-size-version.conf b/bin/tests/system/dnstap/bad-size-version.conf
new file mode 100644
index 0000000..8e31528
--- /dev/null
+++ b/bin/tests/system/dnstap/bad-size-version.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dnstap-output unix "/tmp/dnstap.sock" size 10k versions 3;
+};
diff --git a/bin/tests/system/dnstap/clean.sh b/bin/tests/system/dnstap/clean.sh
new file mode 100644
index 0000000..36f1ea3
--- /dev/null
+++ b/bin/tests/system/dnstap/clean.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f */named.conf
+rm -f */named.memstats
+rm -f */named.run
+rm -f */named.run.prev
+rm -f */named.stats
+rm -f dig.out*
+rm -f dnstap.out dnstap.hex
+rm -f dnstap.out.save
+rm -f fstrm_capture.out.*
+rm -f ns*/dnstap.out
+rm -f ns*/dnstap.out.save
+rm -f ns*/dnstap.out.save.?
+rm -f ns*/managed-keys.bind*
+rm -f ns*/named.lock
+rm -f ns2/dnstap.out.*
+rm -f ns2/example.db ns2/example.db.jnl
+rm -f ns3/dnstap.out.*
+rm -f ydump.out
diff --git a/bin/tests/system/dnstap/good-dnstap-in-options.conf b/bin/tests/system/dnstap/good-dnstap-in-options.conf
new file mode 100644
index 0000000..17feb5e
--- /dev/null
+++ b/bin/tests/system/dnstap/good-dnstap-in-options.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dnstap-output		unix "/var/run/named/dnstap.sock";
+	dnstap-identity		hostname;
+	dnstap			{ client response; };
+};
diff --git a/bin/tests/system/dnstap/good-dnstap-in-view.conf b/bin/tests/system/dnstap/good-dnstap-in-view.conf
new file mode 100644
index 0000000..2c17f6c
--- /dev/null
+++ b/bin/tests/system/dnstap/good-dnstap-in-view.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dnstap-output		unix "/var/run/named/dnstap.sock";
+	dnstap-identity		hostname;
+};
+
+view "view" {
+	dnstap			{ client response; };
+};
diff --git a/bin/tests/system/dnstap/good-fstrm-reopen-interval.conf b/bin/tests/system/dnstap/good-fstrm-reopen-interval.conf
new file mode 100644
index 0000000..d525262
--- /dev/null
+++ b/bin/tests/system/dnstap/good-fstrm-reopen-interval.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	fstrm-set-reopen-interval 5m;
+};
diff --git a/bin/tests/system/dnstap/good-fstrm-set-buffer-hint.conf b/bin/tests/system/dnstap/good-fstrm-set-buffer-hint.conf
new file mode 100644
index 0000000..c550647
--- /dev/null
+++ b/bin/tests/system/dnstap/good-fstrm-set-buffer-hint.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	fstrm-set-buffer-hint 8192;
+};
diff --git a/bin/tests/system/dnstap/good-fstrm-set-flush-timeout.conf b/bin/tests/system/dnstap/good-fstrm-set-flush-timeout.conf
new file mode 100644
index 0000000..dd9abf0
--- /dev/null
+++ b/bin/tests/system/dnstap/good-fstrm-set-flush-timeout.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	fstrm-set-flush-timeout 1;
+};
diff --git a/bin/tests/system/dnstap/good-fstrm-set-input-queue-size.conf b/bin/tests/system/dnstap/good-fstrm-set-input-queue-size.conf
new file mode 100644
index 0000000..d01b8f8
--- /dev/null
+++ b/bin/tests/system/dnstap/good-fstrm-set-input-queue-size.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	fstrm-set-input-queue-size 512;
+};
diff --git a/bin/tests/system/dnstap/good-fstrm-set-output-notify-threshold.conf b/bin/tests/system/dnstap/good-fstrm-set-output-notify-threshold.conf
new file mode 100644
index 0000000..2619dc0
--- /dev/null
+++ b/bin/tests/system/dnstap/good-fstrm-set-output-notify-threshold.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	fstrm-set-output-notify-threshold 32;
+};
diff --git a/bin/tests/system/dnstap/good-fstrm-set-output-queue-model-mpsc.conf b/bin/tests/system/dnstap/good-fstrm-set-output-queue-model-mpsc.conf
new file mode 100644
index 0000000..a81ff7c
--- /dev/null
+++ b/bin/tests/system/dnstap/good-fstrm-set-output-queue-model-mpsc.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	fstrm-set-output-queue-model mpsc;
+};
diff --git a/bin/tests/system/dnstap/good-fstrm-set-output-queue-model-spsc.conf b/bin/tests/system/dnstap/good-fstrm-set-output-queue-model-spsc.conf
new file mode 100644
index 0000000..7b394eb
--- /dev/null
+++ b/bin/tests/system/dnstap/good-fstrm-set-output-queue-model-spsc.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	fstrm-set-output-queue-model spsc;
+};
diff --git a/bin/tests/system/dnstap/good-fstrm-set-output-queue-size.conf b/bin/tests/system/dnstap/good-fstrm-set-output-queue-size.conf
new file mode 100644
index 0000000..87bf028
--- /dev/null
+++ b/bin/tests/system/dnstap/good-fstrm-set-output-queue-size.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	fstrm-set-output-queue-size 64;
+};
diff --git a/bin/tests/system/dnstap/good-fstrm-set-reopen-interval.conf b/bin/tests/system/dnstap/good-fstrm-set-reopen-interval.conf
new file mode 100644
index 0000000..116d3ae
--- /dev/null
+++ b/bin/tests/system/dnstap/good-fstrm-set-reopen-interval.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	fstrm-set-reopen-interval 5;
+};
diff --git a/bin/tests/system/dnstap/good-size-unlimited.conf b/bin/tests/system/dnstap/good-size-unlimited.conf
new file mode 100644
index 0000000..8cb9712
--- /dev/null
+++ b/bin/tests/system/dnstap/good-size-unlimited.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dnstap-output file "/tmp/dnstap.log"
+		size unlimited versions unlimited suffix increment;
+};
diff --git a/bin/tests/system/dnstap/good-size-version.conf b/bin/tests/system/dnstap/good-size-version.conf
new file mode 100644
index 0000000..ca1fba3
--- /dev/null
+++ b/bin/tests/system/dnstap/good-size-version.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dnstap-output file "/tmp/dnstap.log"
+		size 10k versions 3 suffix timestamp;
+};
diff --git a/bin/tests/system/dnstap/large-answer.fstrm b/bin/tests/system/dnstap/large-answer.fstrm
new file mode 100644
index 0000000..873b315
--- /dev/null
+++ b/bin/tests/system/dnstap/large-answer.fstrm
diff --git a/bin/tests/system/dnstap/ns1/named.conf.in b/bin/tests/system/dnstap/ns1/named.conf.in
new file mode 100644
index 0000000..c2c0087
--- /dev/null
+++ b/bin/tests/system/dnstap/ns1/named.conf.in
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	statistics-file "named.stats";
+	dnstap-identity "ns1";
+	dnstap-version "xxx";
+	dnstap-output file "dnstap.out" size 30k versions 10;
+	dnstap { all; };
+	send-cookie no;
+	require-server-cookie no;
+	dnssec-validation yes;
+	qname-minimization disabled;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
diff --git a/bin/tests/system/dnstap/ns1/root.db b/bin/tests/system/dnstap/ns1/root.db
new file mode 100644
index 0000000..17780d1
--- /dev/null
+++ b/bin/tests/system/dnstap/ns1/root.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. 			IN SOA	gson.nominum.com. a.root.servers.nil. (
+				2000042100   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+
+example.		NS	ns2.example.
+ns2.example.		A	10.53.0.2
diff --git a/bin/tests/system/dnstap/ns2/example.db.in b/bin/tests/system/dnstap/ns2/example.db.in
new file mode 100644
index 0000000..7f88dec
--- /dev/null
+++ b/bin/tests/system/dnstap/ns2/example.db.in
@@ -0,0 +1,30 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300	; 5 minutes
+example			IN SOA	mname1. . (
+				1          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+example.		NS	ns2.example.
+ns2.example.		A	10.53.0.2
+
+$ORIGIN example.
+a			A	10.0.0.1
+a			A	10.0.0.3
+a			A	10.0.0.5
+			MX	10 mail.example.
+
+mail			A	10.0.0.2
diff --git a/bin/tests/system/dnstap/ns2/named.conf.in b/bin/tests/system/dnstap/ns2/named.conf.in
new file mode 100644
index 0000000..1c1713a
--- /dev/null
+++ b/bin/tests/system/dnstap/ns2/named.conf.in
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+	statistics-file "named.stats";
+	dnstap-identity "ns2";
+	dnstap-version "xxx";
+	dnstap-output file "dnstap.out" size unlimited versions unlimited;
+	dnstap { all; };
+	send-cookie no;
+	require-server-cookie no;
+	dnssec-validation yes;
+	qname-minimization disabled;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+	allow-update { any; };
+};
diff --git a/bin/tests/system/dnstap/ns3/named.args b/bin/tests/system/dnstap/ns3/named.args
new file mode 100644
index 0000000..fb42af2
--- /dev/null
+++ b/bin/tests/system/dnstap/ns3/named.args
@@ -0,0 +1,2 @@
+# Using "-n 1" allows GL #1795 to be reliably reproduced
+-D dnstap-ns3 -X named.lock -m record,size,mctx -c named.conf -d 99 -g -U 4 -n 1 -T maxcachesize=2097152
diff --git a/bin/tests/system/dnstap/ns3/named.conf.in b/bin/tests/system/dnstap/ns3/named.conf.in
new file mode 100644
index 0000000..24320ed
--- /dev/null
+++ b/bin/tests/system/dnstap/ns3/named.conf.in
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	directory ".";
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+	dnstap-identity "ns3";
+	dnstap-version "xxx";
+	dnstap-output file "dnstap.out";
+	dnstap { all; };
+	send-cookie no;
+	require-server-cookie no;
+	minimal-responses no;
+	dnssec-validation yes;
+	qname-minimization disabled;
+};
+
+server 10.53.0.1 { tcp-only yes; };
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
diff --git a/bin/tests/system/dnstap/ns4/named.conf.in b/bin/tests/system/dnstap/ns4/named.conf.in
new file mode 100644
index 0000000..e821f5e
--- /dev/null
+++ b/bin/tests/system/dnstap/ns4/named.conf.in
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port @PORT@;
+	directory ".";
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+	dnstap-identity "ns4";
+	dnstap-version "xxx";
+	dnstap-output unix "dnstap.out";
+	dnstap { all; };
+	send-cookie no;
+	require-server-cookie no;
+	dnssec-validation yes;
+	qname-minimization disabled;
+};
+
+server 10.53.0.1 { tcp-only yes; };
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
diff --git a/bin/tests/system/dnstap/prereq.sh b/bin/tests/system/dnstap/prereq.sh
new file mode 100644
index 0000000..f0748f3
--- /dev/null
+++ b/bin/tests/system/dnstap/prereq.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../conf.sh
+
+$FEATURETEST --enable-dnstap || {
+	echo_i "This test requires dnstap support." >&2
+	exit 255
+}
+exit 0
diff --git a/bin/tests/system/dnstap/setup.sh b/bin/tests/system/dnstap/setup.sh
new file mode 100644
index 0000000..252d09e
--- /dev/null
+++ b/bin/tests/system/dnstap/setup.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+
+cp ns2/example.db.in ns2/example.db
diff --git a/bin/tests/system/dnstap/tests.sh b/bin/tests/system/dnstap/tests.sh
new file mode 100644
index 0000000..5ed8e73
--- /dev/null
+++ b/bin/tests/system/dnstap/tests.sh
@@ -0,0 +1,834 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="+short -p ${PORT}"
+RNDCCMD="$RNDC -p ${CONTROLPORT} -c ../common/rndc.conf"
+
+status=0
+
+# dnstap_data_ready <fstrm_capture_PID> <capture_file> <min_file_size>
+# Flushes capture_file and checks wheter its size is >= min_file_size.
+dnstap_data_ready() {
+	# Process id of running fstrm_capture.
+	fstrm_capture_pid=$1
+	# Output file provided to fstrm_capture via -w switch.
+	capture_file=$2
+	# Minimum expected file size.
+	min_size_expected=$3
+
+	kill -HUP $fstrm_capture_pid
+	file_size=`wc -c < "$capture_file" | tr -d ' '`
+	if [ $file_size -lt $min_size_expected ]; then
+		return 1
+	fi
+}
+
+
+for bad in bad-*.conf
+do
+	ret=0
+	echo_i "checking that named-checkconf detects error in $bad"
+	$CHECKCONF $bad > /dev/null 2>&1
+	if [ $? != 1 ]; then echo_i "failed"; ret=1; fi
+	status=`expr $status + $ret`
+done
+
+for good in good-*.conf
+do
+	ret=0
+	echo_i "checking that named-checkconf detects no error in $good"
+	$CHECKCONF $good > /dev/null 2>&1
+	if [ $? != 0 ]; then echo_i "failed"; ret=1; fi
+	status=`expr $status + $ret`
+done
+
+echo_i "wait for servers to finish loading"
+ret=0
+wait_for_log 20 "all zones loaded" ns1/named.run || ret=1
+wait_for_log 20 "all zones loaded" ns2/named.run || ret=1
+wait_for_log 20 "all zones loaded" ns3/named.run || ret=1
+wait_for_log 20 "all zones loaded" ns4/named.run || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# both the 'a.example/A' lookup and the './NS' lookup to ns1
+# need tocomplete before reopening/rolling for the counts to
+# be correct.
+
+$DIG $DIGOPTS @10.53.0.3 a.example > dig.out
+wait_for_log 20 "(./NS): query_reset" ns1/named.run || true
+
+# check three different dnstap reopen/roll methods:
+# ns1: dnstap-reopen; ns2: dnstap -reopen; ns3: dnstap -roll
+mv ns1/dnstap.out ns1/dnstap.out.save
+mv ns2/dnstap.out ns2/dnstap.out.save
+
+if [ -n "$FSTRM_CAPTURE" ] ; then
+	ret=0
+	echo_i "starting fstrm_capture"
+	$FSTRM_CAPTURE -t protobuf:dnstap.Dnstap -u ns4/dnstap.out \
+		-w dnstap.out > fstrm_capture.out.1 2>&1 &
+	fstrm_capture_pid=$!
+	wait_for_log 10 "socket path ns4/dnstap.out" fstrm_capture.out.1 || ret=1
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=`expr $status + $ret`
+fi
+
+$RNDCCMD -s 10.53.0.1 dnstap-reopen | sed 's/^/ns1 /' | cat_i
+$RNDCCMD -s 10.53.0.2 dnstap -reopen | sed 's/^/ns2 /' | cat_i
+$RNDCCMD -s 10.53.0.3 dnstap -roll | sed 's/^/ns3 /' | cat_i
+$RNDCCMD -s 10.53.0.4 dnstap -reopen | sed 's/^/ns4 /' | cat_i
+
+$DIG $DIGOPTS @10.53.0.3 a.example > dig.out
+
+# send an UPDATE to ns2
+$NSUPDATE <<- EOF
+server 10.53.0.2 ${PORT}
+zone example
+update add b.example 3600 in a 10.10.10.10
+send
+EOF
+
+# XXX: file output should be flushed once a second according
+# to the libfstrm source, but it doesn't seem to happen until
+# enough data has accumulated. to get all the output, we stop
+# the name servers, forcing a flush on shutdown. it would be
+# nice to find a better way to do this.
+$RNDCCMD -s 10.53.0.1 stop | sed 's/^/ns1 /' | cat_i
+$RNDCCMD -s 10.53.0.2 stop | sed 's/^/ns2 /' | cat_i
+$RNDCCMD -s 10.53.0.3 stop | sed 's/^/ns3 /' | cat_i
+
+sleep 1
+
+echo_i "checking initial message counts"
+
+udp1=`$DNSTAPREAD ns1/dnstap.out.save | grep "UDP " | wc -l`
+tcp1=`$DNSTAPREAD ns1/dnstap.out.save | grep "TCP " | wc -l`
+aq1=`$DNSTAPREAD ns1/dnstap.out.save | grep "AQ " | wc -l`
+ar1=`$DNSTAPREAD ns1/dnstap.out.save | grep "AR " | wc -l`
+cq1=`$DNSTAPREAD ns1/dnstap.out.save | grep "CQ " | wc -l`
+cr1=`$DNSTAPREAD ns1/dnstap.out.save | grep "CR " | wc -l`
+rq1=`$DNSTAPREAD ns1/dnstap.out.save | grep "RQ " | wc -l`
+rr1=`$DNSTAPREAD ns1/dnstap.out.save | grep "RR " | wc -l`
+uq1=`$DNSTAPREAD ns1/dnstap.out.save | grep "UQ " | wc -l`
+ur1=`$DNSTAPREAD ns1/dnstap.out.save | grep "UR " | wc -l`
+
+udp2=`$DNSTAPREAD ns2/dnstap.out.save | grep "UDP " | wc -l`
+tcp2=`$DNSTAPREAD ns2/dnstap.out.save | grep "TCP " | wc -l`
+aq2=`$DNSTAPREAD ns2/dnstap.out.save | grep "AQ " | wc -l`
+ar2=`$DNSTAPREAD ns2/dnstap.out.save | grep "AR " | wc -l`
+cq2=`$DNSTAPREAD ns2/dnstap.out.save | grep "CQ " | wc -l`
+cr2=`$DNSTAPREAD ns2/dnstap.out.save | grep "CR " | wc -l`
+rq2=`$DNSTAPREAD ns2/dnstap.out.save | grep "RQ " | wc -l`
+rr2=`$DNSTAPREAD ns2/dnstap.out.save | grep "RR " | wc -l`
+uq2=`$DNSTAPREAD ns2/dnstap.out.save | grep "UQ " | wc -l`
+ur2=`$DNSTAPREAD ns2/dnstap.out.save | grep "UR " | wc -l`
+
+mv ns3/dnstap.out.0 ns3/dnstap.out.save
+udp3=`$DNSTAPREAD ns3/dnstap.out.save | grep "UDP " | wc -l`
+tcp3=`$DNSTAPREAD ns3/dnstap.out.save | grep "TCP " | wc -l`
+aq3=`$DNSTAPREAD ns3/dnstap.out.save | grep "AQ " | wc -l`
+ar3=`$DNSTAPREAD ns3/dnstap.out.save | grep "AR " | wc -l`
+cq3=`$DNSTAPREAD ns3/dnstap.out.save | grep "CQ " | wc -l`
+cr3=`$DNSTAPREAD ns3/dnstap.out.save | grep "CR " | wc -l`
+rq3=`$DNSTAPREAD ns3/dnstap.out.save | grep "RQ " | wc -l`
+rr3=`$DNSTAPREAD ns3/dnstap.out.save | grep "RR " | wc -l`
+uq3=`$DNSTAPREAD ns3/dnstap.out.save | grep "UQ " | wc -l`
+ur3=`$DNSTAPREAD ns3/dnstap.out.save | grep "UR " | wc -l`
+
+echo_i "checking UDP message counts"
+ret=0
+[ $udp1 -eq 0 ] || {
+	echo_i "ns1 $udp1 expected 0"
+	ret=1
+}
+[ $udp2 -eq 2 ] || {
+	echo_i "ns2 $udp2 expected 2"
+	ret=1
+}
+[ $udp3 -eq 4 ] || {
+	echo_i "ns3 $udp3 expected 4"
+	ret=1
+}
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking TCP message counts"
+ret=0
+[ $tcp1 -eq 6 ] || {
+	echo_i "ns1 $tcp1 expected 6"
+	ret=1
+}
+[ $tcp2 -eq 2 ] || {
+	echo_i "ns2 $tcp2 expected 2"
+	ret=1
+}
+[ $tcp3 -eq 6 ] || {
+	echo_i "ns3 $tcp3 expected 6"
+	ret=1
+}
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking AUTH_QUERY message counts"
+ret=0
+[ $aq1 -eq 3 ] || {
+	echo_i "ns1 $aq1 exepcted 3"
+	ret=1
+}
+[ $aq2 -eq 2 ] || {
+	echo_i "ns2 $aq2 expected 2"
+	ret=1
+}
+[ $aq3 -eq 1 ] || {
+	echo_i "ns3 $aq3 expected 1"
+	ret=1
+}
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking AUTH_RESPONSE message counts"
+ret=0
+[ $ar1 -eq 2 ] || {
+	echo_i "ns1 $ar1 expected 2"
+	ret=1
+}
+[ $ar2 -eq 1 ] || {
+	echo_i "ns2 $ar2 expected 1"
+	ret=1
+}
+[ $ar3 -eq 0 ] || {
+	echo_i "ns3 $ar3 expected 0"
+	ret=1
+}
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking CLIENT_QUERY message counts"
+ret=0
+[ $cq1 -eq 0 ] || {
+	echo_i "ns1 $cq1 expected 0"
+	ret=1
+}
+[ $cq2 -eq 0 ] || {
+	echo_i "ns2 $cq2 expected 0"
+	ret=1
+}
+[ $cq3 -eq 1 ] || {
+	echo_i "ns3 $cq3 expected 1"
+	ret=1
+}
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking CLIENT_RESPONSE message counts"
+ret=0
+[ $cr1 -eq 1 ] || {
+	echo_i "ns1 $cr1 expected 1"
+	ret=1
+}
+[ $cr2 -eq 1 ] || {
+	echo_i "ns2 $cr2 expected 1"
+	ret=1
+}
+[ $cr3 -eq 2 ] || {
+	echo_i "ns3 $cr3 expected 2"
+	ret=1
+}
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking RESOLVER_QUERY message counts"
+ret=0
+[ $rq1 -eq 0 ] || {
+	echo_i "ns1 $rq1 expected 0"
+	ret=1
+}
+[ $rq2 -eq 0 ] || {
+	echo_i "ns2 $rq2 expected 0"
+	ret=1
+}
+[ $rq3 -eq 3 ] || {
+	echo_i "ns3 $rq3 expected 3"
+	ret=1
+}
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking RESOLVER_RESPONSE message counts"
+ret=0
+[ $rr1 -eq 0 ] || {
+	echo_i "ns1 $rr1 expected 0"
+	ret=1
+}
+[ $rr2 -eq 0 ] || {
+	echo_i "ns2 $rr2 expected 0"
+	ret=1
+}
+[ $rr3 -eq 3 ] || {
+	echo_i "ns3 $rr3 expected 3"
+	ret=1
+}
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking UPDATE_QUERY message counts"
+ret=0
+[ $uq1 -eq 0 ] || {
+	echo_i "ns1 $uq1 expected 0"
+	ret=1
+}
+[ $uq2 -eq 0 ] || {
+	echo_i "ns2 $uq2 expected 0"
+	ret=1
+}
+[ $uq3 -eq 0 ] || {
+	echo_i "ns3 $uq3 expected 0"
+	ret=1
+}
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking UPDATE_RESPONSE message counts"
+ret=0
+[ $ur1 -eq 0 ] || {
+	echo_i "ns1 $ur1 expected 0"
+	ret=1
+}
+[ $ur2 -eq 0 ] || {
+	echo_i "ns2 $ur2 expected 0"
+	ret=1
+}
+[ $ur3 -eq 0 ] || {
+	echo_i "ns3 $ur3 expected 0"
+	ret=1
+}
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking reopened message counts"
+
+udp1=`$DNSTAPREAD ns1/dnstap.out | grep "UDP " | wc -l`
+tcp1=`$DNSTAPREAD ns1/dnstap.out | grep "TCP " | wc -l`
+aq1=`$DNSTAPREAD ns1/dnstap.out | grep "AQ " | wc -l`
+ar1=`$DNSTAPREAD ns1/dnstap.out | grep "AR " | wc -l`
+cq1=`$DNSTAPREAD ns1/dnstap.out | grep "CQ " | wc -l`
+cr1=`$DNSTAPREAD ns1/dnstap.out | grep "CR " | wc -l`
+rq1=`$DNSTAPREAD ns1/dnstap.out | grep "RQ " | wc -l`
+rr1=`$DNSTAPREAD ns1/dnstap.out | grep "RR " | wc -l`
+uq1=`$DNSTAPREAD ns1/dnstap.out | grep "UQ " | wc -l`
+ur1=`$DNSTAPREAD ns1/dnstap.out | grep "UR " | wc -l`
+
+udp2=`$DNSTAPREAD ns2/dnstap.out | grep "UDP " | wc -l`
+tcp2=`$DNSTAPREAD ns2/dnstap.out | grep "TCP " | wc -l`
+aq2=`$DNSTAPREAD ns2/dnstap.out | grep "AQ " | wc -l`
+ar2=`$DNSTAPREAD ns2/dnstap.out | grep "AR " | wc -l`
+cq2=`$DNSTAPREAD ns2/dnstap.out | grep "CQ " | wc -l`
+cr2=`$DNSTAPREAD ns2/dnstap.out | grep "CR " | wc -l`
+rq2=`$DNSTAPREAD ns2/dnstap.out | grep "RQ " | wc -l`
+rr2=`$DNSTAPREAD ns2/dnstap.out | grep "RR " | wc -l`
+uq2=`$DNSTAPREAD ns2/dnstap.out | grep "UQ " | wc -l`
+ur2=`$DNSTAPREAD ns2/dnstap.out | grep "UR " | wc -l`
+
+udp3=`$DNSTAPREAD ns3/dnstap.out | grep "UDP " | wc -l`
+tcp3=`$DNSTAPREAD ns3/dnstap.out | grep "TCP " | wc -l`
+aq3=`$DNSTAPREAD ns3/dnstap.out | grep "AQ " | wc -l`
+ar3=`$DNSTAPREAD ns3/dnstap.out | grep "AR " | wc -l`
+cq3=`$DNSTAPREAD ns3/dnstap.out | grep "CQ " | wc -l`
+cr3=`$DNSTAPREAD ns3/dnstap.out | grep "CR " | wc -l`
+rq3=`$DNSTAPREAD ns3/dnstap.out | grep "RQ " | wc -l`
+rr3=`$DNSTAPREAD ns3/dnstap.out | grep "RR " | wc -l`
+uq3=`$DNSTAPREAD ns3/dnstap.out | grep "UQ " | wc -l`
+ur3=`$DNSTAPREAD ns3/dnstap.out | grep "UR " | wc -l`
+
+echo_i "checking UDP message counts"
+ret=0
+[ $udp1 -eq 0 ] || {
+	echo_i "ns1 $udp1 expected 0"
+	ret=1
+}
+[ $udp2 -eq 2 ] || {
+	echo_i "ns2 $udp2 expected 2"
+	ret=1
+}
+[ $udp3 -eq 2 ] || {
+	echo_i "ns3 $udp3 expected 2"
+	ret=1
+}
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking TCP message counts"
+ret=0
+[ $tcp1 -eq 0 ] || {
+	echo_i "ns1 $tcp1 expected 0"
+	ret=1
+}
+[ $tcp2 -eq 0 ] || {
+	echo_i "ns2 $tcp2 expected 0"
+	ret=1
+}
+[ $tcp3 -eq 0 ] || {
+	echo_i "ns3 $tcp3 expected 0"
+	ret=1
+}
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking AUTH_QUERY message counts"
+ret=0
+[ $aq1 -eq 0 ] || {
+	echo_i "ns1 $aq1 exepcted 0"
+	ret=1
+}
+[ $aq2 -eq 0 ] || {
+	echo_i "ns2 $aq2 expected 0"
+	ret=1
+}
+[ $aq3 -eq 0 ] || {
+	echo_i "ns3 $aq3 expected 0"
+	ret=1
+}
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking AUTH_RESPONSE message counts"
+ret=0
+[ $ar1 -eq 0 ] || {
+	echo_i "ns1 $ar1 expected 0"
+	ret=1
+}
+[ $ar2 -eq 0 ] || {
+	echo_i "ns2 $ar2 expected 0"
+	ret=1
+}
+[ $ar3 -eq 0 ] || {
+	echo_i "ns3 $ar3 expected 0"
+	ret=1
+}
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking CLIENT_QUERY message counts"
+ret=0
+[ $cq1 -eq 0 ] || {
+	echo_i "ns1 $cq1 expected 0"
+	ret=1
+}
+[ $cq2 -eq 0 ] || {
+	echo_i "ns2 $cq2 expected 0"
+	ret=1
+}
+[ $cq3 -eq 1 ] || {
+	echo_i "ns3 $cq3 expected 1"
+	ret=1
+}
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking CLIENT_RESPONSE message counts"
+ret=0
+[ $cr1 -eq 0 ] || {
+	echo_i "ns1 $cr1 expected 0"
+	ret=1
+}
+[ $cr2 -eq 0 ] || {
+	echo_i "ns2 $cr2 expected 0"
+	ret=1
+}
+[ $cr3 -eq 1 ] || {
+	echo_i "ns3 $cr3 expected 1"
+	ret=1
+}
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking RESOLVER_QUERY message counts"
+ret=0
+[ $rq1 -eq 0 ] || {
+	echo_i "ns1 $rq1 expected 0"
+	ret=1
+}
+[ $rq2 -eq 0 ] || {
+	echo_i "ns2 $rq2 expected 0"
+	ret=1
+}
+[ $rq3 -eq 0 ] || {
+	echo_i "ns3 $rq3 expected 0"
+	ret=1
+}
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking RESOLVER_RESPONSE message counts"
+ret=0
+[ $rr1 -eq 0 ] || {
+	echo_i "ns1 $rr1 expected 0"
+	ret=1
+}
+[ $rr2 -eq 0 ] || {
+	echo_i "ns2 $rr2 expected 0"
+	ret=1
+}
+[ $rr3 -eq 0 ] || {
+	echo_i "ns3 $rr3 expected 0"
+	ret=1
+}
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking UPDATE_QUERY message counts"
+ret=0
+[ $uq1 -eq 0 ] || {
+	echo_i "ns1 $uq1 expected 0"
+	ret=1
+}
+[ $uq2 -eq 1 ] || {
+	echo_i "ns2 $uq2 expected 1"
+	ret=1
+}
+[ $uq3 -eq 0 ] || {
+	echo_i "ns3 $uq3 expected 0"
+	ret=1
+}
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking UPDATE_RESPONSE message counts"
+ret=0
+[ $ur1 -eq 0 ] || {
+	echo_i "ns1 $ur1 expected 0"
+	ret=1
+}
+[ $ur2 -eq 1 ] || {
+	echo_i "ns2 $ur2 expected 1"
+	ret=1
+}
+[ $ur3 -eq 0 ] || {
+	echo_i "ns3 $ur3 expected 0"
+	ret=1
+}
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking whether destination UDP port is logged for client queries"
+ret=0
+$DNSTAPREAD ns3/dnstap.out.save | grep -Eq "CQ [0-9:.]+ -> 10.53.0.3:${PORT} UDP" || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+HAS_PYYAML=0
+if [ -n "$PYTHON" ] ; then
+	$PYTHON -c "import yaml" 2> /dev/null && HAS_PYYAML=1
+fi
+
+if [ $HAS_PYYAML -ne 0 ] ; then
+	echo_i "checking dnstap-read YAML output"
+	ret=0
+        {
+	  $PYTHON ydump.py "$DNSTAPREAD" "ns3/dnstap.out.save" > ydump.out || ret=1
+        } | cat_i
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=`expr $status + $ret`
+fi
+
+echo_i "checking dnstap-read hex output"
+ret=0
+hex=`$DNSTAPREAD -x ns3/dnstap.out | tail -1`
+echo $hex | $WIRETEST > dnstap.hex
+grep 'status: NOERROR' dnstap.hex > /dev/null 2>&1 || ret=1
+grep 'ANSWER: 3, AUTHORITY: 1' dnstap.hex > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+if [ -n "$FSTRM_CAPTURE" ] ; then
+	$DIG $DIGOPTS @10.53.0.4 a.example > dig.out
+
+	# send an UPDATE to ns4
+	$NSUPDATE <<- EOF > nsupdate.out 2>&1
+	server 10.53.0.4 ${PORT}
+	zone example
+	update add b.example 3600 in a 10.10.10.10
+	send
+EOF
+	grep "update failed: NOTAUTH" nsupdate.out > /dev/null || ret=1
+
+	echo_i "checking unix socket message counts"
+	sleep 2
+	retry_quiet 5 dnstap_data_ready $fstrm_capture_pid dnstap.out 450 || {
+		echo_i "dnstap output file smaller than expected"
+		ret=1
+	}
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=`expr $status + $ret`
+	kill $fstrm_capture_pid
+	wait
+	udp4=`$DNSTAPREAD dnstap.out | grep "UDP " | wc -l`
+	tcp4=`$DNSTAPREAD dnstap.out | grep "TCP " | wc -l`
+	aq4=`$DNSTAPREAD dnstap.out | grep "AQ " | wc -l`
+	ar4=`$DNSTAPREAD dnstap.out | grep "AR " | wc -l`
+	cq4=`$DNSTAPREAD dnstap.out | grep "CQ " | wc -l`
+	cr4=`$DNSTAPREAD dnstap.out | grep "CR " | wc -l`
+	rq4=`$DNSTAPREAD dnstap.out | grep "RQ " | wc -l`
+	rr4=`$DNSTAPREAD dnstap.out | grep "RR " | wc -l`
+	uq4=`$DNSTAPREAD dnstap.out | grep "UQ " | wc -l`
+	ur4=`$DNSTAPREAD dnstap.out | grep "UR " | wc -l`
+
+	echo_i "checking UDP message counts"
+	ret=0
+	[ $udp4 -eq 4 ] || {
+		echo_i "ns4 $udp4 expected 4"
+		ret=1
+	}
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=`expr $status + $ret`
+
+	echo_i "checking TCP message counts"
+	ret=0
+	[ $tcp4 -eq 0 ] || {
+		echo_i "ns4 $tcp4 expected 0"
+		ret=1
+	}
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=`expr $status + $ret`
+
+	echo_i "checking AUTH_QUERY message counts"
+	ret=0
+	[ $aq4 -eq 0 ] || {
+		echo_i "ns4 $aq4 expected 0"
+		ret=1
+	}
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=`expr $status + $ret`
+
+	echo_i "checking AUTH_RESPONSE message counts"
+	ret=0
+	[ $ar4 -eq 0 ] || {
+		echo_i "ns4 $ar4 expected 0"
+		ret=1
+	}
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=`expr $status + $ret`
+
+	echo_i "checking CLIENT_QUERY message counts"
+	ret=0
+	[ $cq4 -eq 1 ] || {
+		echo_i "ns4 $cq4 expected 1"
+		ret=1
+	}
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=`expr $status + $ret`
+
+	echo_i "checking CLIENT_RESPONSE message counts"
+	ret=0
+	[ $cr4 -eq 1 ] || {
+		echo_i "ns4 $cr4 expected 1"
+		ret=1
+	}
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=`expr $status + $ret`
+
+	echo_i "checking RESOLVER_QUERY message counts"
+	ret=0
+	[ $rq4 -eq 0 ] || {
+		echo_i "ns4 $rq4 expected 0"
+		ret=1
+	}
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=`expr $status + $ret`
+
+	echo_i "checking RESOLVER_RESPONSE message counts"
+	ret=0
+	[ $rr4 -eq 0 ] || {
+		echo_i "ns4 $rr4 expected 0"
+		ret=1
+	}
+
+	echo_i "checking UPDATE_QUERY message counts"
+	ret=0
+	[ $uq4 -eq 1 ] || {
+		echo_i "ns4 $uq4 expected 1"
+		ret=1
+	}
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=`expr $status + $ret`
+
+	echo_i "checking UPDATE_RESPONSE message counts"
+	ret=0
+	[ $ur4 -eq 1 ] || {
+		echo_i "ns4 $ur4 expected 1"
+		ret=1
+	}
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=`expr $status + $ret`
+
+	mv dnstap.out dnstap.out.save
+
+	echo_i "restarting fstrm_capture"
+	$FSTRM_CAPTURE -t protobuf:dnstap.Dnstap -u ns4/dnstap.out \
+		-w dnstap.out > fstrm_capture.out.2 2>&1 &
+	fstrm_capture_pid=$!
+	wait_for_log 10 "socket path ns4/dnstap.out" fstrm_capture.out.2 || {
+		echo_i "failed"
+		ret=1
+	}
+	$RNDCCMD -s 10.53.0.4 dnstap -reopen | sed 's/^/ns4 /' | cat_i
+	$DIG $DIGOPTS @10.53.0.4 a.example > dig.out
+
+	echo_i "checking reopened unix socket message counts"
+	sleep 2
+	retry_quiet 5 dnstap_data_ready $fstrm_capture_pid dnstap.out 270 || {
+		echo_i "dnstap output file smaller than expected"
+		ret=1
+	}
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=$((status + ret))
+	kill $fstrm_capture_pid
+	wait
+	udp4=`$DNSTAPREAD dnstap.out | grep "UDP " | wc -l`
+	tcp4=`$DNSTAPREAD dnstap.out | grep "TCP " | wc -l`
+	aq4=`$DNSTAPREAD dnstap.out | grep "AQ " | wc -l`
+	ar4=`$DNSTAPREAD dnstap.out | grep "AR " | wc -l`
+	cq4=`$DNSTAPREAD dnstap.out | grep "CQ " | wc -l`
+	cr4=`$DNSTAPREAD dnstap.out | grep "CR " | wc -l`
+	rq4=`$DNSTAPREAD dnstap.out | grep "RQ " | wc -l`
+	rr4=`$DNSTAPREAD dnstap.out | grep "RR " | wc -l`
+	uq4=`$DNSTAPREAD dnstap.out | grep "UQ " | wc -l`
+	ur4=`$DNSTAPREAD dnstap.out | grep "UR " | wc -l`
+
+	echo_i "checking UDP message counts"
+	ret=0
+	[ $udp4 -eq 2 ] || {
+		echo_i "ns4 $udp4 expected 2"
+		ret=1
+	}
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=`expr $status + $ret`
+
+	echo_i "checking TCP message counts"
+	ret=0
+	[ $tcp4 -eq 0 ] || {
+		echo_i "ns4 $tcp4 expected 0"
+		ret=1
+	}
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=`expr $status + $ret`
+
+	echo_i "checking AUTH_QUERY message counts"
+	ret=0
+	[ $aq4 -eq 0 ] || {
+		echo_i "ns4 $aq4 expected 0"
+		ret=1
+	}
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=`expr $status + $ret`
+
+	echo_i "checking AUTH_RESPONSE message counts"
+	ret=0
+	[ $ar4 -eq 0 ] || {
+		echo_i "ns4 $ar4 expected 0"
+		ret=1
+	}
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=`expr $status + $ret`
+
+	echo_i "checking CLIENT_QUERY message counts"
+	ret=0
+	[ $cq4 -eq 1 ] || {
+		echo_i "ns4 $cq4 expected 1"
+		ret=1
+	}
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=`expr $status + $ret`
+
+	echo_i "checking CLIENT_RESPONSE message counts"
+	ret=0
+	[ $cr4 -eq 1 ] || {
+		echo_i "ns4 $cr4 expected 1"
+		ret=1
+	}
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=`expr $status + $ret`
+
+	echo_i "checking RESOLVER_QUERY message counts"
+	ret=0
+	[ $rq4 -eq 0 ] || {
+		echo_i "ns4 $rq4 expected 0"
+		ret=1
+	}
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=`expr $status + $ret`
+
+	echo_i "checking RESOLVER_RESPONSE message counts"
+	ret=0
+	[ $rr4 -eq 0 ] || {
+		echo_i "ns4 $rr4 expected 0"
+		ret=1
+	}
+
+	echo_i "checking UPDATE_QUERY message counts"
+	ret=0
+	[ $uq4 -eq 0 ] || {
+		echo_i "ns4 $uq4 expected 0"
+		ret=1
+	}
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=`expr $status + $ret`
+
+	echo_i "checking UPDATE_RESPONSE message counts"
+	ret=0
+	[ $ur4 -eq 0 ] || {
+		echo_i "ns4 $ur4 expected 0"
+		ret=1
+	}
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=`expr $status + $ret`
+fi
+
+echo_i "checking large packet printing"
+ret=0
+# Expect one occurrence of "opcode: QUERY" below "reponse_message_data" and
+# another one below "response_message".
+lines=`$DNSTAPREAD -y large-answer.fstrm | grep -c "opcode: QUERY"`
+[ $lines -eq 2 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+test_dnstap_roll() (
+    ip="$1"
+    ns="$2"
+    n="$3"
+    $RNDCCMD -s "${ip}" dnstap -roll "${n}" | sed "s/^/${ns} /" | cat_i &&
+    files=$(find "$ns" -name "dnstap.out.[0-9]" | wc -l) &&
+    test "$files" -le "${n}" && test "$files" -ge "1"
+)
+
+echo_i "checking 'rndc -roll <value>' (no versions)"
+ret=0
+start_server --noclean --restart --port "${PORT}" ns3
+_repeat 5 test_dnstap_roll 10.53.0.3 ns3 3 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "checking 'rndc -roll <value>' (versions)"
+ret=0
+start_server --noclean --restart --port "${PORT}" ns2
+_repeat 5 test_dnstap_roll 10.53.0.2 ns2 3 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "exit status: $status"
+[ "$status" -eq 0 ] || exit 1
diff --git a/bin/tests/system/dnstap/ydump.py b/bin/tests/system/dnstap/ydump.py
new file mode 100644
index 0000000..ab7e3c9
--- /dev/null
+++ b/bin/tests/system/dnstap/ydump.py
@@ -0,0 +1,29 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import sys
+
+try:
+    import yaml
+except (ModuleNotFoundError, ImportError):
+    print("No python yaml module, skipping")
+    sys.exit(1)
+
+import subprocess
+import pprint
+
+DNSTAP_READ = sys.argv[1]
+DATAFILE = sys.argv[2]
+ARGS = [DNSTAP_READ, "-y", DATAFILE]
+
+with subprocess.Popen(ARGS, stdout=subprocess.PIPE) as f:
+    for y in yaml.load_all(f.stdout, Loader=yaml.SafeLoader):
+        pprint.pprint(y)
diff --git a/bin/tests/system/dscp/clean.sh b/bin/tests/system/dscp/clean.sh
new file mode 100644
index 0000000..e52f7b6
--- /dev/null
+++ b/bin/tests/system/dscp/clean.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f */root.bk
+rm -f dig.out.10.53.0.?
+rm -f */named.memstats
+rm -f */named.run
+rm -f */named.conf
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/dscp/ns1/named.args b/bin/tests/system/dscp/ns1/named.args
new file mode 100644
index 0000000..0c955c7
--- /dev/null
+++ b/bin/tests/system/dscp/ns1/named.args
@@ -0,0 +1 @@
+-m record,size,mctx -c named.conf -d 99 -D dscp-ns1 -X named.lock -g -U 4 -T maxcachesize=2097152 -T dscp=46
diff --git a/bin/tests/system/dscp/ns1/named.conf.in b/bin/tests/system/dscp/ns1/named.conf.in
new file mode 100644
index 0000000..e5c7971
--- /dev/null
+++ b/bin/tests/system/dscp/ns1/named.conf.in
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dscp 46;
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+	notify yes;
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
diff --git a/bin/tests/system/dscp/ns1/root.db b/bin/tests/system/dscp/ns1/root.db
new file mode 100644
index 0000000..9d473e2
--- /dev/null
+++ b/bin/tests/system/dscp/ns1/root.db
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+.	SOA	ns1.nil-servers. marka.isc.org. 1 3600 1200 3600000 1200
+.	NS	ns1.nil-servers.
+.	NS	ns2.nil-servers.
+ns1.nil-servers. A 10.53.0.1
+ns2.nil-servers. A 10.53.0.2
+xxx.example.	A	10.53.0.1
+xxx.tld.	A	10.53.0.1
diff --git a/bin/tests/system/dscp/ns2/named.args b/bin/tests/system/dscp/ns2/named.args
new file mode 100644
index 0000000..ff501a8
--- /dev/null
+++ b/bin/tests/system/dscp/ns2/named.args
@@ -0,0 +1 @@
+-m record,size,mctx -c named.conf -d 99 -D dscp-ns2 -X named.lock -g -U 4 -T maxcachesize=2097152 -T dscp=46
diff --git a/bin/tests/system/dscp/ns2/named.conf.in b/bin/tests/system/dscp/ns2/named.conf.in
new file mode 100644
index 0000000..ca835c8
--- /dev/null
+++ b/bin/tests/system/dscp/ns2/named.conf.in
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dscp 46;
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+	notify yes;
+};
+
+zone "." {
+	type secondary;
+	file "root.bk";
+	primaries { 10.53.0.1; };
+};
diff --git a/bin/tests/system/dscp/ns3/hint.db b/bin/tests/system/dscp/ns3/hint.db
new file mode 100644
index 0000000..875a407
--- /dev/null
+++ b/bin/tests/system/dscp/ns3/hint.db
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+. NS ns1.nil-servers.
+. NS ns2.nil-servers.
+ns1.nil-servers. A 10.53.0.1
+ns2.nil-servers. A 10.53.0.2
diff --git a/bin/tests/system/dscp/ns3/named.args b/bin/tests/system/dscp/ns3/named.args
new file mode 100644
index 0000000..3d1981f
--- /dev/null
+++ b/bin/tests/system/dscp/ns3/named.args
@@ -0,0 +1 @@
+-m record,size,mctx -c named.conf -d 99 -D dscp-ns3 -X named.lock -g -U 4 -T maxcachesize=2097152 -T dscp=46
diff --git a/bin/tests/system/dscp/ns3/named.conf.in b/bin/tests/system/dscp/ns3/named.conf.in
new file mode 100644
index 0000000..38d4985
--- /dev/null
+++ b/bin/tests/system/dscp/ns3/named.conf.in
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dscp 46;
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	notify yes;
+	recursion yes;
+	dnssec-validation yes;
+};
+
+zone "." {
+	type hint;
+	file "hint.db";
+};
diff --git a/bin/tests/system/dscp/ns4/named.args b/bin/tests/system/dscp/ns4/named.args
new file mode 100644
index 0000000..277a47b
--- /dev/null
+++ b/bin/tests/system/dscp/ns4/named.args
@@ -0,0 +1 @@
+-m record,size,mctx -c named.conf -d 99 -D dscp-ns4 -X named.lock -g -U 4 -T maxcachesize=2097152 -T dscp=46
diff --git a/bin/tests/system/dscp/ns4/named.conf.in b/bin/tests/system/dscp/ns4/named.conf.in
new file mode 100644
index 0000000..8c8ca4f
--- /dev/null
+++ b/bin/tests/system/dscp/ns4/named.conf.in
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dscp 47;
+	query-source dscp 46 address 10.53.0.4;
+	notify-source 10.53.0.4 dscp 46;
+	transfer-source 10.53.0.4 dscp 46;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on dscp 46 { 10.53.0.4; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+	notify yes;
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
diff --git a/bin/tests/system/dscp/ns4/root.db b/bin/tests/system/dscp/ns4/root.db
new file mode 100644
index 0000000..cb3b395
--- /dev/null
+++ b/bin/tests/system/dscp/ns4/root.db
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+.	SOA	ns4.nil-servers. marka.isc.org. 1 3600 1200 3600000 1200
+.	NS	ns4.nil-servers.
+.	NS	ns5.nil-servers.
+ns4.nil-servers. A 10.53.0.4
+ns5.nil-servers. A 10.53.0.5
+xxx.example.	A	10.53.0.1
+xxx.tld.	A	10.53.0.1
diff --git a/bin/tests/system/dscp/ns5/named.args b/bin/tests/system/dscp/ns5/named.args
new file mode 100644
index 0000000..c678163
--- /dev/null
+++ b/bin/tests/system/dscp/ns5/named.args
@@ -0,0 +1 @@
+-m record,size,mctx -c named.conf -d 99 -D dscp-ns5 -X named.lock -g -U 4 -T maxcachesize=2097152 -T dscp=46
diff --git a/bin/tests/system/dscp/ns5/named.conf.in b/bin/tests/system/dscp/ns5/named.conf.in
new file mode 100644
index 0000000..2d1db3c
--- /dev/null
+++ b/bin/tests/system/dscp/ns5/named.conf.in
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dscp 47;
+	query-source dscp 46 address 10.53.0.5;
+	notify-source 10.53.0.5 dscp 46;
+	transfer-source 10.53.0.5 dscp 46;
+	alt-transfer-source 10.53.0.5 dscp 46;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on dscp 46 { 10.53.0.5; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+	notify yes;
+};
+
+zone "." {
+	type secondary;
+	file "root.bk";
+	primaries { 10.53.0.4; };
+};
diff --git a/bin/tests/system/dscp/ns6/hint.db b/bin/tests/system/dscp/ns6/hint.db
new file mode 100644
index 0000000..c2c51f2
--- /dev/null
+++ b/bin/tests/system/dscp/ns6/hint.db
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+. NS ns4.nil-servers.
+. NS ns5.nil-servers.
+ns4.nil-servers. A 10.53.0.4
+ns5.nil-servers. A 10.53.0.5
diff --git a/bin/tests/system/dscp/ns6/named.args b/bin/tests/system/dscp/ns6/named.args
new file mode 100644
index 0000000..283cf22
--- /dev/null
+++ b/bin/tests/system/dscp/ns6/named.args
@@ -0,0 +1 @@
+-m record,size,mctx -c named.conf -d 99 -D dscp-ns6 -X named.lock -g -U 4 -T maxcachesize=2097152 -T dscp=46
diff --git a/bin/tests/system/dscp/ns6/named.conf.in b/bin/tests/system/dscp/ns6/named.conf.in
new file mode 100644
index 0000000..94c1b59
--- /dev/null
+++ b/bin/tests/system/dscp/ns6/named.conf.in
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dscp 47;
+	query-source dscp 46 address 10.53.0.6;
+	notify-source 10.53.0.6 dscp 46;
+	transfer-source 10.53.0.6 dscp 46;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on dscp 46 { 10.53.0.6; };
+	listen-on-v6 { none; };
+	notify yes;
+	recursion yes;
+	dnssec-validation yes;
+};
+
+zone "." {
+	type hint;
+	file "hint.db";
+};
diff --git a/bin/tests/system/dscp/ns7/named.args b/bin/tests/system/dscp/ns7/named.args
new file mode 100644
index 0000000..4ccf38e
--- /dev/null
+++ b/bin/tests/system/dscp/ns7/named.args
@@ -0,0 +1 @@
+-m record,size,mctx -c named.conf -d 99 -D dscp-ns7 -X named.lock -g -U 4 -T maxcachesize=2097152 -T dscp=46
diff --git a/bin/tests/system/dscp/ns7/named.conf.in b/bin/tests/system/dscp/ns7/named.conf.in
new file mode 100644
index 0000000..cbf7096
--- /dev/null
+++ b/bin/tests/system/dscp/ns7/named.conf.in
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dscp 47;
+	query-source dscp 46 address 10.53.0.7;
+	notify-source 10.53.0.7 dscp 47;
+	transfer-source 10.53.0.7 dscp 47;
+	alt-transfer-source 10.53.0.7 dscp 47;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on dscp 46 { 10.53.0.7; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+	notify yes;
+};
+
+zone "." {
+	type secondary;
+	file "root.bk";
+	transfer-source 10.53.0.7 dscp 46;
+	notify-source 10.53.0.7 dscp 46;
+	alt-transfer-source 10.53.0.7 dscp 46;
+	primaries { 10.53.0.4; };
+};
diff --git a/bin/tests/system/dscp/setup.sh b/bin/tests/system/dscp/setup.sh
new file mode 100644
index 0000000..5cc2958
--- /dev/null
+++ b/bin/tests/system/dscp/setup.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+copy_setports ns6/named.conf.in ns6/named.conf
+copy_setports ns7/named.conf.in ns7/named.conf
diff --git a/bin/tests/system/dscp/tests.sh b/bin/tests/system/dscp/tests.sh
new file mode 100644
index 0000000..d6b0824
--- /dev/null
+++ b/bin/tests/system/dscp/tests.sh
@@ -0,0 +1,42 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="+tcp +noadd +nosea +nostat +noquest -p ${PORT}"
+
+status=0
+
+#
+# 10.53.0.1 10.53.0.2 10.53.0.3 have a global dscp setting;
+# 10.53.0.4 10.53.0.5 10.53.0.6 have dscp set in option *-source clauses;
+# 10.53.0.7 has dscp set in zone *-source clauses;
+#
+for server in 10.53.0.1 10.53.0.2 10.53.0.3 10.53.0.4 10.53.0.5 \
+	      10.53.0.6 10.53.0.7
+do
+	echo_i "testing root SOA lookup at $server"
+	for i in 0 1 2 3 4 5 6 7 8 9
+	do
+		ret=0
+		$DIG $DIGOPTS @$server soa . > dig.out.$server
+		grep "status: NOERROR" dig.out.$server > /dev/null || ret=1
+		test $ret = 0 && break
+		sleep 1
+	done
+	test $ret = 0 || { echo_i "failed"; status=`expr $status + $ret`; }
+done
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/dsdigest/clean.sh b/bin/tests/system/dsdigest/clean.sh
new file mode 100644
index 0000000..172cf1e
--- /dev/null
+++ b/bin/tests/system/dsdigest/clean.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f supported
+rm -f */K* */dsset-* */*.signed */trusted.conf
+rm -f ns1/root.db
+rm -f ns1/signer.err
+rm -f ns2/good.db ns2/bad.db
+rm -f dig.out*
+rm -f */named.conf
+rm -f */named.run
+rm -f */named.memstats
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/dsdigest/ns1/named.conf.in b/bin/tests/system/dsdigest/ns1/named.conf.in
new file mode 100644
index 0000000..da27c58
--- /dev/null
+++ b/bin/tests/system/dsdigest/ns1/named.conf.in
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	dnssec-validation yes;
+};
+
+zone "." {
+	type primary;
+	file "root.db.signed";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/dsdigest/ns1/root.db.in b/bin/tests/system/dsdigest/ns1/root.db.in
new file mode 100644
index 0000000..30c61e9
--- /dev/null
+++ b/bin/tests/system/dsdigest/ns1/root.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. 			IN SOA	marka.isc.org. a.root.servers.nil. (
+				2012062000   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+
+good.			NS	ns2.good.
+ns2.good.		A	10.53.0.2
+bad.			NS	ns2.bad.
+ns2.bad.		A	10.53.0.2
diff --git a/bin/tests/system/dsdigest/ns1/sign.sh b/bin/tests/system/dsdigest/ns1/sign.sh
new file mode 100644
index 0000000..567d92f
--- /dev/null
+++ b/bin/tests/system/dsdigest/ns1/sign.sh
@@ -0,0 +1,37 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=.
+infile=root.db.in
+zonefile=root.db
+
+(cd ../ns2 && $SHELL sign.sh)
+
+cp ../ns2/dsset-good$TP .
+cp ../ns2/dsset-bad$TP .
+
+key1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+key2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+
+cat $infile $key1.key $key2.key > $zonefile
+
+$SIGNER -P -g -o $zone $zonefile > /dev/null
+
+# Configure the resolving server with a static key.
+keyfile_to_static_ds $key2 > trusted.conf
+cp trusted.conf ../ns2/trusted.conf
+cp trusted.conf ../ns3/trusted.conf
+cp trusted.conf ../ns4/trusted.conf
diff --git a/bin/tests/system/dsdigest/ns2/bad.db.in b/bin/tests/system/dsdigest/ns2/bad.db.in
new file mode 100644
index 0000000..c5e8c83
--- /dev/null
+++ b/bin/tests/system/dsdigest/ns2/bad.db.in
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+ns2			A	10.53.0.2
+
+a			A	10.0.0.1
diff --git a/bin/tests/system/dsdigest/ns2/good.db.in b/bin/tests/system/dsdigest/ns2/good.db.in
new file mode 100644
index 0000000..c5e8c83
--- /dev/null
+++ b/bin/tests/system/dsdigest/ns2/good.db.in
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+ns2			A	10.53.0.2
+
+a			A	10.0.0.1
diff --git a/bin/tests/system/dsdigest/ns2/named.conf.in b/bin/tests/system/dsdigest/ns2/named.conf.in
new file mode 100644
index 0000000..d3fd750
--- /dev/null
+++ b/bin/tests/system/dsdigest/ns2/named.conf.in
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	dnssec-validation yes;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "good" {
+	type primary;
+	file "good.db.signed";
+};
+
+zone "bad" {
+	type primary;
+	file "bad.db.signed";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/dsdigest/ns2/sign.sh b/bin/tests/system/dsdigest/ns2/sign.sh
new file mode 100644
index 0000000..d86c717
--- /dev/null
+++ b/bin/tests/system/dsdigest/ns2/sign.sh
@@ -0,0 +1,44 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone1=good
+infile1=good.db.in
+zonefile1=good.db
+zone2=bad
+infile2=bad.db.in
+zonefile2=bad.db
+
+keyname11=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone1)
+keyname12=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone1)
+keyname21=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone2)
+keyname22=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone2)
+
+cat $infile1 $keyname11.key $keyname12.key >$zonefile1
+cat $infile2 $keyname21.key $keyname22.key >$zonefile2
+
+$SIGNER -P -g -o $zone1 $zonefile1 > /dev/null
+$SIGNER -P -g -o $zone2 $zonefile2 > /dev/null
+
+DSFILENAME1=dsset-${zone1}${TP}
+DSFILENAME2=dsset-${zone2}${TP}
+$DSFROMKEY -a SHA-256 $keyname12 > $DSFILENAME1
+$DSFROMKEY -a SHA-256 $keyname22 > $DSFILENAME2
+
+algo=SHA-384
+
+$DSFROMKEY -a $algo $keyname12 >> $DSFILENAME1
+$DSFROMKEY -a $algo $keyname22 > $DSFILENAME2
+
diff --git a/bin/tests/system/dsdigest/ns3/named.conf.in b/bin/tests/system/dsdigest/ns3/named.conf.in
new file mode 100644
index 0000000..a2b105c
--- /dev/null
+++ b/bin/tests/system/dsdigest/ns3/named.conf.in
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	dnssec-must-be-secure . yes;
+	/* only SHA-256 is enabled */
+	disable-ds-digests . { SHA-1; SHA-384; 5; 6; 7; 8; 9; };
+
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/dsdigest/ns4/named.conf.in b/bin/tests/system/dsdigest/ns4/named.conf.in
new file mode 100644
index 0000000..e43763b
--- /dev/null
+++ b/bin/tests/system/dsdigest/ns4/named.conf.in
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	/* only SHA-256 is enabled */
+	disable-ds-digests . { SHA-1; SHA-384; 5; 6; 7; 8; 9; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/dsdigest/setup.sh b/bin/tests/system/dsdigest/setup.sh
new file mode 100644
index 0000000..eddbf6b
--- /dev/null
+++ b/bin/tests/system/dsdigest/setup.sh
@@ -0,0 +1,22 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+
+cd ns1 && $SHELL sign.sh
diff --git a/bin/tests/system/dsdigest/tests.sh b/bin/tests/system/dsdigest/tests.sh
new file mode 100644
index 0000000..c1b5661
--- /dev/null
+++ b/bin/tests/system/dsdigest/tests.sh
@@ -0,0 +1,54 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+
+rm -f dig.out.*
+
+DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}"
+
+# Check the good. domain
+
+echo_i "checking that validation with enabled digest types works"
+ret=0
+$DIG $DIGOPTS a.good. @10.53.0.3 a > dig.out.good || ret=1
+grep "status: NOERROR" dig.out.good > /dev/null || ret=1
+grep "flags:[^;]* ad[ ;]" dig.out.good > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Check the bad. domain
+
+echo_i "checking that validation with no supported digest types and must-be-secure results in SERVFAIL"
+ret=0
+$DIG $DIGOPTS a.bad. @10.53.0.3 a > dig.out.bad || ret=1
+grep "SERVFAIL" dig.out.bad > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking that validation with no supported digest algorithms results in insecure"
+ret=0
+$DIG $DIGOPTS bad. @10.53.0.4 ds > dig.out.ds || ret=1
+grep "NOERROR" dig.out.ds > /dev/null || ret=1
+grep "flags:[^;]* ad[ ;]" dig.out.ds > /dev/null || ret=1
+$DIG $DIGOPTS a.bad. @10.53.0.4 a > dig.out.insecure || ret=1
+grep "NOERROR" dig.out.insecure > /dev/null || ret=1
+grep "flags:[^;]* ad[ ;]" dig.out.insecure > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+echo_i "exit status: $status"
+
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/dupsigs/check_journal.pl b/bin/tests/system/dupsigs/check_journal.pl
new file mode 100644
index 0000000..99bf690
--- /dev/null
+++ b/bin/tests/system/dupsigs/check_journal.pl
@@ -0,0 +1,211 @@
+#!/usr/bin/env perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+use strict;
+use warnings;
+
+sub process_changeset;
+
+my @changeset;
+
+while( my $line = <> ) {
+    chomp $line;
+
+    if( $line =~ /^(?<op>add|del) (?<label>\S+)\s+(?<ttl>\d+)\s+IN\s+(?<rrtype>\S+)\s+(?<rdata>.*)/ ) {
+        my $change = {
+            op     => $+{op},
+            label  => $+{label},
+            ttl    => $+{ttl},
+            rrtype => $+{rrtype},
+            rdata  => $+{rdata},
+        };
+
+        if( $change->{op} eq 'del' and $change->{rrtype} eq 'SOA' ) {
+            if( @changeset ) {
+                process_changeset( @changeset );
+                @changeset = ();
+            }
+        }
+
+        push @changeset, $change;
+    }
+    else {
+        die "error parsing journal data";
+    }
+}
+
+if( @changeset ) {
+    process_changeset( @changeset );
+}
+
+{
+    my %rrsig_db;
+    my %keys;
+    my $apex;
+
+    sub process_changeset {
+        my @changeset = @_;
+
+        if( not $apex ) {
+            # the first record of the first changeset is guaranteed to be the apex
+            $apex = $changeset[0]{label};
+        }
+
+        my $newserial;
+        my %touched_rrsigs;
+        my %touched_keys;
+
+        foreach my $change( @changeset ) {
+            if( $change->{rrtype} eq 'SOA' ) {
+                if( $change->{op} eq 'add' ) {
+                    if( $change->{rdata} !~ /^\S+ \S+ (?<serial>\d+)/ ) {
+                        die "unable to parse SOA";
+                    }
+
+                    $newserial = $+{serial};
+                }
+            }
+            elsif( $change->{rrtype} eq 'NSEC' ) {
+                ; # do nothing
+            }
+            elsif( $change->{rrtype} eq 'DNSKEY' ) {
+                ; # ignore for now
+            }
+            elsif( $change->{rrtype} eq 'TYPE65534' and $change->{label} eq $apex ) {
+                # key status
+                if( $change->{rdata} !~ /^\\# (?<datasize>\d+) (?<data>[0-9A-F]+)$/ ) {
+                    die "unable to parse key status record";
+                }
+
+                my $datasize = $+{datasize};
+                my $data = $+{data};
+
+                if( $datasize == 5 ) {
+                    my( $alg, $id, $flag_del, $flag_done ) = unpack 'CnCC', pack( 'H10', $data );
+
+                    if( $change->{op} eq 'add' ) {
+                        if( not exists $keys{$id} ) {
+                            $touched_keys{$id} //= 1;
+
+                            $keys{$id} = {
+                                $data        => 1,
+                                rrs          => 1,
+                                done_signing => $flag_done,
+                                deleting     => $flag_del,
+                            };
+                        }
+                        else {
+                            if( not exists $keys{$id}{$data} ) {
+                                my $keydata = $keys{$id};
+                                $touched_keys{$id} = { %$keydata };
+
+                                $keydata->{rrs}++;
+                                $keydata->{$data} = 1;
+                                $keydata->{done_signing} += $flag_done;
+                                $keydata->{deleting} += $flag_del;
+                            }
+                        }
+                    }
+                    else {
+                        # this logic relies upon the convention that there won't
+                        # ever be multiple records with the same flag set
+                        if( exists $keys{$id} ) {
+                            my $keydata = $keys{$id};
+
+                            if( exists $keydata->{$data} ) {
+                                $touched_keys{$id} = { %$keydata };
+
+                                $keydata->{rrs}--;
+                                delete $keydata->{$data};
+                                $keydata->{done_signing} -= $flag_done;
+                                $keydata->{deleting} -= $flag_del;
+
+                                if( $keydata->{rrs} == 0 ) {
+                                    delete $keys{$id};
+                                }
+                            }
+                        }
+                    }
+                }
+                else {
+                    die "unexpected key status record content";
+                }
+            }
+            elsif( $change->{rrtype} eq 'RRSIG' ) {
+                if( $change->{rdata} !~ /^(?<covers>\S+) \d+ \d+ \d+ (?<validity_end>\d+) (?<validity_start>\d+) (?<signing_key>\d+)/ ) {
+                    die "unable to parse RRSIG rdata";
+                }
+
+                $change->{covers} = $+{covers};
+                $change->{validity_end} = $+{validity_end};
+                $change->{validity_start} = $+{validity_start};
+                $change->{signing_key} = $+{signing_key};
+
+                my $db_key = $change->{label} . ':' . $change->{covers};
+
+                $rrsig_db{$db_key} //= {};
+                $touched_rrsigs{$db_key} = 1;
+
+                if( $change->{op} eq 'add' ) {
+                    $rrsig_db{$db_key}{ $change->{signing_key} } = 1;
+                }
+                else {
+                    # del
+                    delete $rrsig_db{$db_key}{ $change->{signing_key} };
+                }
+            }
+        }
+
+        foreach my $key_id( sort keys %touched_keys ) {
+            my $old_data;
+            my $new_data;
+
+            if( ref $touched_keys{$key_id} ) {
+                $old_data = $touched_keys{$key_id};
+            }
+
+            if( exists $keys{$key_id} ) {
+                $new_data = $keys{$key_id};
+            }
+
+            if( $old_data ) {
+                if( $new_data ) {
+                    print "at serial $newserial key $key_id status changed from ($old_data->{deleting},$old_data->{done_signing}) to ($new_data->{deleting},$new_data->{done_signing})\n";
+                }
+                else {
+                    print "at serial $newserial key $key_id status removed from zone\n";
+                }
+            }
+            else {
+                print "at serial $newserial key $key_id status added with flags ($new_data->{deleting},$new_data->{done_signing})\n";
+            }
+        }
+
+        foreach my $rrsig_id( sort keys %touched_rrsigs ) {
+            my $n_signing_keys = keys %{ $rrsig_db{$rrsig_id} };
+
+            if( $n_signing_keys == 0 ) {
+                print "at serial $newserial $rrsig_id went unsigned\n";
+            }
+            elsif( $rrsig_id =~ /:DNSKEY$/ ) {
+                if( $n_signing_keys != 2 ) {
+                    print "at serial $newserial $rrsig_id was signed $n_signing_keys time(s) when it should have been signed twice\n";
+                }
+            }
+            elsif( $n_signing_keys > 1 ) {
+                my @signing_keys = sort { $a <=> $b } keys %{ $rrsig_db{$rrsig_id} };
+                print "at serial $newserial $rrsig_id was signed too many times, keys (@signing_keys)\n";
+            }
+        }
+    }
+}
diff --git a/bin/tests/system/dupsigs/clean.sh b/bin/tests/system/dupsigs/clean.sh
new file mode 100644
index 0000000..2af75a0
--- /dev/null
+++ b/bin/tests/system/dupsigs/clean.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f dig.out*
+rm -f ns1/named.conf
+rm -f ns1/named.lock
+rm -f ns1/named.memstats
+rm -f ns1/named.run
+rm -f ns1/signing.test.db
+rm -f ns1/signing.test.db.jbk
+rm -f ns1/signing.test.db.signed
+rm -f ns1/signing.test.db.signed.jnl
+rm -f ns1/keys/signing.test/K*
+rm -f ns1/managed-keys.bind*
diff --git a/bin/tests/system/dupsigs/ns1/named.args b/bin/tests/system/dupsigs/ns1/named.args
new file mode 100644
index 0000000..231eed4
--- /dev/null
+++ b/bin/tests/system/dupsigs/ns1/named.args
@@ -0,0 +1 @@
+-D dupsigs-ns1 -X named.lock -m record,size,mctx -c named.conf -d 99 -g -U 4 -T maxcachesize=2097152 -T sigvalinsecs
diff --git a/bin/tests/system/dupsigs/ns1/named.conf.in b/bin/tests/system/dupsigs/ns1/named.conf.in
new file mode 100644
index 0000000..494ecfb
--- /dev/null
+++ b/bin/tests/system/dupsigs/ns1/named.conf.in
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	recursion no;
+	max-journal-size unlimited;
+	port @PORT@;
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	pid-file "named.pid";
+};
+
+zone "signing.test" {
+	type primary;
+	masterfile-format text;
+	allow-update { any; };
+	file "signing.test.db";
+	update-check-ksk yes;
+	key-directory "keys/signing.test";
+	inline-signing yes;
+	auto-dnssec maintain;
+	sig-validity-interval 20 5;
+};
diff --git a/bin/tests/system/dupsigs/ns1/reset_keys.sh b/bin/tests/system/dupsigs/ns1/reset_keys.sh
new file mode 100644
index 0000000..4faa0bb
--- /dev/null
+++ b/bin/tests/system/dupsigs/ns1/reset_keys.sh
@@ -0,0 +1,100 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=signing.test
+rm -rf keys/signing.test
+mkdir -p keys/signing.test
+
+timetodnssec() {
+    $PERL -e 'my ($S,$M,$H,$d,$m,$y,$x) = gmtime(@ARGV[0]);
+	      printf("%04u%02u%02u%02u%02u%02u\n", $y+1900,$m+1,$d,$H,$M,$S);' ${1}
+}
+
+KEYDIR=keys/signing.test
+KSK=`$KEYGEN -a RSASHA256 -K $KEYDIR -q -f KSK $zone`
+
+ZSK0=`$KEYGEN -a RSASHA256 -K $KEYDIR -q $zone`
+ZSK1=`$KEYGEN -a RSASHA256 -K $KEYDIR -q $zone`
+ZSK2=`$KEYGEN -a RSASHA256 -K $KEYDIR -q $zone`
+ZSK3=`$KEYGEN -a RSASHA256 -K $KEYDIR -q $zone`
+ZSK4=`$KEYGEN -a RSASHA256 -K $KEYDIR -q $zone`
+ZSK5=`$KEYGEN -a RSASHA256 -K $KEYDIR -q $zone`
+ZSK6=`$KEYGEN -a RSASHA256 -K $KEYDIR -q $zone`
+ZSK7=`$KEYGEN -a RSASHA256 -K $KEYDIR -q $zone`
+ZSK8=`$KEYGEN -a RSASHA256 -K $KEYDIR -q $zone`
+ZSK9=`$KEYGEN -a RSASHA256 -K $KEYDIR -q $zone`
+
+# clear all times on all keys
+for FILEN in keys/signing.test/*.key
+do
+    $SETTIME -P none -A none -R none -I none -D none $FILEN
+done
+
+BASE=`date +%s`
+BASET=`timetodnssec $BASE`
+
+# reset the publish and activation time on the KSK
+$SETTIME -P $BASET -A $BASET $KEYDIR/$KSK
+
+# reset the publish and activation time on the first ZSK
+$SETTIME -P $BASET -A $BASET $KEYDIR/$ZSK0
+
+# schedule the first roll
+R1=`expr $BASE + 50`
+R1T=`timetodnssec $R1`
+
+$SETTIME -I $R1T $KEYDIR/$ZSK0
+$SETTIME -P $BASET -A $R1T $KEYDIR/$ZSK1
+
+# schedule the second roll (which includes the delete of the first key)
+R2=`expr $R1 + 50`
+R2T=`timetodnssec $R2`
+DT=$R2
+DTT=`timetodnssec $DT`
+
+$SETTIME -D $DTT $KEYDIR/$ZSK0
+$SETTIME -I $R2T $KEYDIR/$ZSK1
+$SETTIME -P $R1T -A $R2T $KEYDIR/$ZSK2
+
+# schedule the third roll
+R3=`expr $R2 + 25`
+R3T=`timetodnssec $R3`
+
+$SETTIME -D $R3T $KEYDIR/$ZSK1
+$SETTIME -I $R3T $KEYDIR/$ZSK2
+$SETTIME -P $R2T -A $R3T $KEYDIR/$ZSK3
+
+$SETTIME -P $R3T $KEYDIR/$ZSK4
+
+echo KSK=$KSK
+echo ZSK0=$ZSK0
+echo ZSK1=$ZSK1
+echo ZSK2=$ZSK2
+echo ZSK3=$ZSK3
+echo ZSK4=$ZSK4
+
+exit
+
+# schedule the fourth roll
+# this isn't long enough for the signing to complete and would result in
+# duplicate signatures, see
+# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/231#note_9597
+R4=`expr $R3 + 10`
+R4T=`timetodnssec $R4`
+
+$SETTIME -D $R4T $KEYDIR/$ZSK2
+$SETTIME -I $R4T $KEYDIR/$ZSK3
+$SETTIME -P $R3T -A $R4T $KEYDIR/$ZSK4
diff --git a/bin/tests/system/dupsigs/ns1/signing.test.db.in b/bin/tests/system/dupsigs/ns1/signing.test.db.in
new file mode 100644
index 0000000..b522b6f
--- /dev/null
+++ b/bin/tests/system/dupsigs/ns1/signing.test.db.in
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@ IN SOA  ns root.ns 1996072700 3600 1800 86400 60
+@    NS   ns
+ns   A    127.0.0.1
+ns   AAAA ::1
+
+$GENERATE 0-499 a${0,4,d} AAAA ::$
diff --git a/bin/tests/system/dupsigs/setup.sh b/bin/tests/system/dupsigs/setup.sh
new file mode 100644
index 0000000..f687543
--- /dev/null
+++ b/bin/tests/system/dupsigs/setup.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
+
+copy_setports ns1/named.conf.in ns1/named.conf
+
+cp -f ns1/signing.test.db.in ns1/signing.test.db
+(cd ns1; $SHELL ./reset_keys.sh)
diff --git a/bin/tests/system/dupsigs/tests.sh b/bin/tests/system/dupsigs/tests.sh
new file mode 100644
index 0000000..dfc88ce
--- /dev/null
+++ b/bin/tests/system/dupsigs/tests.sh
@@ -0,0 +1,70 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+
+# Wait for the zone to be fully signed before beginning test
+#
+# We expect the zone to have the following:
+#
+# - 6 signatures for signing.test.
+# - 3 signatures for ns.signing.test.
+# - 2 x 500 signatures for a{0000-0499}.signing.test.
+#
+# for a total of 1009.
+fully_signed () {
+        $DIG axfr signing.test -p ${PORT} @10.53.0.1 > "dig.out.ns1.axfr"
+        awk 'BEGIN { lines = 0 }
+             $4 == "RRSIG" {lines++}
+             END { if (lines != 1009) exit(1) }' < "dig.out.ns1.axfr"
+}
+
+# Wait for the last NSEC record in the zone to be signed. This is a lightweight
+# alternative to avoid many AXFR requests while waiting for the zone to be
+# fully signed.
+_wait_for_last_nsec_signed() {
+        $DIG +dnssec a0499.signing.test -p ${PORT} @10.53.0.1 nsec > "dig.out.ns1.wait" || return 1
+        grep "signing.test\..*IN.*RRSIG.*signing.test" "dig.out.ns1.wait" > /dev/null || return 1
+        return 0
+}
+
+echo_i "wait for the zone to be fully signed"
+retry_quiet 60 _wait_for_last_nsec_signed
+retry_quiet 10 fully_signed || status=1
+if [ $status != 0 ]; then echo_i "failed"; fi
+
+start=`date +%s`
+now=$start
+end=$((start + 140))
+
+while [ $now -lt $end ] && [ $status -eq 0 ]; do
+        et=$((now - start))
+	echo_i "............... $et ............"
+	$JOURNALPRINT ns1/signing.test.db.signed.jnl | $PERL check_journal.pl | cat_i
+	$DIG axfr signing.test -p ${PORT} @10.53.0.1 > dig.out.at$et
+	awk '$4 == "RRSIG" { print $11 }' dig.out.at$et | sort | uniq -c | cat_i
+	lines=`awk '$4 == "RRSIG" { print}' dig.out.at$et | wc -l`
+	if [ ${et} -ne 0 -a ${lines} -ne 1009 ]
+	then
+		echo_i "failed"
+                status=$((status + 1))
+	fi
+	sleep 5
+	now=`date +%s`
+done
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/dyndb/Makefile.in b/bin/tests/system/dyndb/Makefile.in
new file mode 100644
index 0000000..9a862db
--- /dev/null
+++ b/bin/tests/system/dyndb/Makefile.in
@@ -0,0 +1,23 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+SUBDIRS =	driver
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/bin/tests/system/dyndb/clean.sh b/bin/tests/system/dyndb/clean.sh
new file mode 100644
index 0000000..cb8ae94
--- /dev/null
+++ b/bin/tests/system/dyndb/clean.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Clean up after dyndb tests.
+#
+rm -f */named.conf
+rm -f */named.run
+rm -f ns1/named.memstats
+rm -f ns1/update.txt
+rm -f added.a.out.*
+rm -f added.ptr.out.*
+rm -f deleted.a.out.*
+rm -f deleted.ptr.out.*
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/dyndb/driver/AUTHORS b/bin/tests/system/dyndb/driver/AUTHORS
new file mode 100644
index 0000000..5b37853
--- /dev/null
+++ b/bin/tests/system/dyndb/driver/AUTHORS
@@ -0,0 +1,33 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0 AND ISC
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+
+Copyright (C) 2009-2015 Red Hat
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND AUTHORS DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+PERFORMANCE OF THIS SOFTWARE.
+
+This sample driver is based on bind-dyndb-ldap project and small portions
+of code from ISC BIND 9.10.
+
+Authors listed in alphabetical order:
+Adam Tkac   <atkac@redhat.com>
+Jiri Kuncar <jkuncar@redhat.com>
+Martin Nagy <mnagy@redhat.com>
+Petr Spacek <pspacek@redhat.com>
diff --git a/bin/tests/system/dyndb/driver/Makefile.in b/bin/tests/system/dyndb/driver/Makefile.in
new file mode 100644
index 0000000..a3d6726
--- /dev/null
+++ b/bin/tests/system/dyndb/driver/Makefile.in
@@ -0,0 +1,60 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES} \
+		${OPENSSL_CFLAGS}
+
+CDEFINES =
+CWARNINGS =
+
+DNSLIBS =	../../../../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+ISCLIBS =	../../../../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+
+DNSDEPLIBS =	../../../../../lib/dns/libdns.@A@
+ISCDEPLIBS =	../../../../../lib/isc/libisc.@A@
+
+DEPLIBS =	${DNSDEPLIBS} ${ISCDEPLIBS}
+
+LIBS =		${DNSLIBS} ${ISCLIBS} @LIBS@
+
+
+SRCS =		db.c driver.c instance.c \
+		lock.c log.c syncptr.c zone.c
+
+OBJS =		db.@O@ driver.@O@ instance.@O@ \
+		lock.@O@ log.@O@ syncptr.@O@ zone.@O@
+
+SO_TARGETS =	lib/sample.@SO@
+TARGETS =	@SO_TARGETS@
+SO_STRIP =	@SO_STRIP@
+
+@BIND9_MAKE_RULES@
+
+CFLAGS =	@CFLAGS@ @SO_CFLAGS@
+SO_LDFLAGS =	@LDFLAGS@ @SO_LDFLAGS@
+
+lib/sample.@SO@: sample.@SO@
+	$(SHELL) ${top_srcdir}/mkinstalldirs `pwd`/lib
+	${LIBTOOL_MODE_INSTALL} ${INSTALL} sample.@SO@ `pwd`/lib
+
+sample.@SO@: ${OBJS} ${DNSDEPLIBS} ${ISCDEPLIBS}
+	CLEANED=`echo "${DNSLIBS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}" | ${SO_STRIP}`; \
+	${LIBTOOL_MODE_LINK} @SO_LD@ ${SO_LDFLAGS} -o $@ ${OBJS} \
+		$${CLEANED}
+
+clean distclean::
+	rm -f ${OBJS} sample.so lib/sample.so
diff --git a/bin/tests/system/dyndb/driver/README b/bin/tests/system/dyndb/driver/README
new file mode 100644
index 0000000..db73396
--- /dev/null
+++ b/bin/tests/system/dyndb/driver/README
@@ -0,0 +1,92 @@
+<!--
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0 and ISC
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0.  If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+
+Copyright (C) Red Hat
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND AUTHORS DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+PERFORMANCE OF THIS SOFTWARE.
+-->
+
+To use the Dynamic DB sample driver, run named and check the log.
+
+    $ cd testing
+    $ named -gc named.conf
+
+You should be able to see something like:
+
+zone test/IN: loaded serial 0
+zone arpa/IN: loaded serial 0
+
+This means that the sample driver created empty zones "test." and
+"arpa." as defined by "arg" parameters in named.conf.
+
+$ dig @localhost test.
+
+should work as usual and you should be able to see the dummy zone with
+NS record pointing to the zone apex and A record with 127.0.0.1:
+
+;; ANSWER SECTION:
+test.			86400	IN	A	127.0.0.1
+test.			86400	IN	NS	test.
+test.			86400	IN	SOA	test. test. 0 28800 7200 604800 86400
+
+This driver creates two empty zones and allows query/transfer/update to
+all IP addresses for demonstration purposes.
+
+The driver wraps the RBT database implementation used natively by BIND,
+and modifies the addrdataset() and substractrdataset() functions to do
+additional work during dynamic updates.
+
+A dynamic update modifies the target zone as usual. After that, the
+driver detects whether the modified RR was of type A or AAAA, and if so,
+attempts to appropriately generate or delete a matching PTR record in
+one of the two zones managed by the driver.
+
+E.g.:
+
+$ nsupdate
+> update add a.test. 300 IN A 192.0.2.1
+> send
+
+will add the A record
+a.test.			300	IN	A	192.0.2.1
+
+and also automatically generate the PTR record
+1.2.0.192.in-addr.arpa.	300	IN	PTR	a.test.
+
+AXFR and RR deletion via dynamic updates should work as usual. Deletion
+of a type A or AAAA record should delete the corresponding PTR record
+too.
+
+The zone is stored only in memory, and all changes will be lost on
+reload/reconfig.
+
+Hints for code readers:
+- Driver initialization starts in driver.c: dyndb_init() function.
+- New database implementation is registered by calling dns_db_register()
+  and passing a function pointer to it. This sample uses the function
+  create_db() to initialize the database.
+- Zones are created later in instance.c: load_sample_instance_zones().
+- Database entry points are in structure db.c: dns_dbmethods_t
+  sampledb_methods
+- sampledb_methods points to an implementation of the database interface.
+  See the db.c: addrdataset() implementation and look at how the RBT
+  database instance is wrapped into an additional layer of logic.
diff --git a/bin/tests/system/dyndb/driver/db.c b/bin/tests/system/dyndb/driver/db.c
new file mode 100644
index 0000000..bed7d3e
--- /dev/null
+++ b/bin/tests/system/dyndb/driver/db.c
@@ -0,0 +1,814 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) 2009-2015 Red Hat
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND AUTHORS DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Database API implementation. The interface is defined in lib/dns/db.h.
+ *
+ * dns_db_*() calls on database instances backed by this driver use
+ * struct sampledb_methods to find appropriate function implementation.
+ *
+ * This example re-uses RBT DB implementation from original BIND and blindly
+ * proxies most of dns_db_*() calls to this underlying RBT DB.
+ * See struct sampledb below.
+ */
+
+#include "db.h"
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/diff.h>
+#include <dns/enumclass.h>
+#include <dns/rbt.h>
+#include <dns/rdatalist.h>
+#include <dns/rdatastruct.h>
+#include <dns/soa.h>
+#include <dns/types.h>
+
+#include "instance.h"
+#include "syncptr.h"
+#include "util.h"
+
+#define SAMPLEDB_MAGIC ISC_MAGIC('S', 'M', 'D', 'B')
+#define VALID_SAMPLEDB(sampledb) \
+	((sampledb) != NULL && (sampledb)->common.impmagic == SAMPLEDB_MAGIC)
+
+struct sampledb {
+	dns_db_t common;
+	isc_refcount_t refs;
+	sample_instance_t *inst;
+
+	/*
+	 * Internal RBT database implementation provided by BIND.
+	 * Most dns_db_* calls (find(), createiterator(), etc.)
+	 * are blindly forwarded to this RBT DB.
+	 */
+	dns_db_t *rbtdb;
+};
+
+typedef struct sampledb sampledb_t;
+
+/*
+ * Get full DNS name from the node.
+ *
+ * @warning
+ * The code silently expects that "node" came from RBTDB and thus
+ * assumption dns_dbnode_t (from RBTDB) == dns_rbtnode_t is correct.
+ *
+ * This should work as long as we use only RBTDB and nothing else.
+ */
+static isc_result_t
+sample_name_fromnode(dns_dbnode_t *node, dns_name_t *name) {
+	dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node;
+	return (dns_rbt_fullnamefromnode(rbtnode, name));
+}
+
+static void
+attach(dns_db_t *source, dns_db_t **targetp) {
+	sampledb_t *sampledb = (sampledb_t *)source;
+
+	REQUIRE(VALID_SAMPLEDB(sampledb));
+
+	isc_refcount_increment(&sampledb->refs);
+	*targetp = source;
+}
+
+static void
+free_sampledb(sampledb_t *sampledb) {
+	REQUIRE(VALID_SAMPLEDB(sampledb));
+
+	dns_db_detach(&sampledb->rbtdb);
+	dns_name_free(&sampledb->common.origin, sampledb->common.mctx);
+	isc_mem_putanddetach(&sampledb->common.mctx, sampledb,
+			     sizeof(*sampledb));
+}
+
+static void
+detach(dns_db_t **dbp) {
+	REQUIRE(dbp != NULL && VALID_SAMPLEDB((sampledb_t *)(*dbp)));
+	sampledb_t *sampledb = (sampledb_t *)(*dbp);
+	*dbp = NULL;
+
+	if (isc_refcount_decrement(&sampledb->refs) == 1) {
+		free_sampledb(sampledb);
+	}
+}
+
+/*
+ * This method should never be called, because DB is "persistent".
+ * See ispersistent() function. It means that database do not need to be
+ * loaded in the usual sense.
+ */
+static isc_result_t
+beginload(dns_db_t *db, dns_rdatacallbacks_t *callbacks) {
+	UNUSED(db);
+	UNUSED(callbacks);
+
+	fatal_error("current implementation should never call beginload()");
+
+	/* Not reached */
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * This method should never be called, because DB is "persistent".
+ * See ispersistent() function. It means that database do not need to be
+ * loaded in the usual sense.
+ */
+static isc_result_t
+endload(dns_db_t *db, dns_rdatacallbacks_t *callbacks) {
+	UNUSED(db);
+	UNUSED(callbacks);
+
+	fatal_error("current implementation should never call endload()");
+
+	/* Not reached */
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+serialize(dns_db_t *db, dns_dbversion_t *version, FILE *file) {
+	sampledb_t *sampledb = (sampledb_t *)db;
+
+	REQUIRE(VALID_SAMPLEDB(sampledb));
+
+	return (dns_db_serialize(sampledb->rbtdb, version, file));
+}
+
+static isc_result_t
+dump(dns_db_t *db, dns_dbversion_t *version, const char *filename,
+     dns_masterformat_t masterformat) {
+	UNUSED(db);
+	UNUSED(version);
+	UNUSED(filename);
+	UNUSED(masterformat);
+
+	fatal_error("current implementation should never call dump()");
+
+	/* Not reached */
+	return (ISC_R_SUCCESS);
+}
+
+static void
+currentversion(dns_db_t *db, dns_dbversion_t **versionp) {
+	sampledb_t *sampledb = (sampledb_t *)db;
+
+	REQUIRE(VALID_SAMPLEDB(sampledb));
+
+	dns_db_currentversion(sampledb->rbtdb, versionp);
+}
+
+static isc_result_t
+newversion(dns_db_t *db, dns_dbversion_t **versionp) {
+	sampledb_t *sampledb = (sampledb_t *)db;
+
+	REQUIRE(VALID_SAMPLEDB(sampledb));
+
+	return (dns_db_newversion(sampledb->rbtdb, versionp));
+}
+
+static void
+attachversion(dns_db_t *db, dns_dbversion_t *source,
+	      dns_dbversion_t **targetp) {
+	sampledb_t *sampledb = (sampledb_t *)db;
+
+	REQUIRE(VALID_SAMPLEDB(sampledb));
+
+	dns_db_attachversion(sampledb->rbtdb, source, targetp);
+}
+
+static void
+closeversion(dns_db_t *db, dns_dbversion_t **versionp, bool commit) {
+	sampledb_t *sampledb = (sampledb_t *)db;
+
+	REQUIRE(VALID_SAMPLEDB(sampledb));
+
+	dns_db_closeversion(sampledb->rbtdb, versionp, commit);
+}
+
+static isc_result_t
+findnode(dns_db_t *db, const dns_name_t *name, bool create,
+	 dns_dbnode_t **nodep) {
+	sampledb_t *sampledb = (sampledb_t *)db;
+
+	REQUIRE(VALID_SAMPLEDB(sampledb));
+
+	return (dns_db_findnode(sampledb->rbtdb, name, create, nodep));
+}
+
+static isc_result_t
+find(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version,
+     dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
+     dns_dbnode_t **nodep, dns_name_t *foundname, dns_rdataset_t *rdataset,
+     dns_rdataset_t *sigrdataset) {
+	sampledb_t *sampledb = (sampledb_t *)db;
+
+	REQUIRE(VALID_SAMPLEDB(sampledb));
+
+	return (dns_db_find(sampledb->rbtdb, name, version, type, options, now,
+			    nodep, foundname, rdataset, sigrdataset));
+}
+
+static isc_result_t
+findzonecut(dns_db_t *db, const dns_name_t *name, unsigned int options,
+	    isc_stdtime_t now, dns_dbnode_t **nodep, dns_name_t *foundname,
+	    dns_name_t *dcname, dns_rdataset_t *rdataset,
+	    dns_rdataset_t *sigrdataset) {
+	sampledb_t *sampledb = (sampledb_t *)db;
+
+	REQUIRE(VALID_SAMPLEDB(sampledb));
+
+	return (dns_db_findzonecut(sampledb->rbtdb, name, options, now, nodep,
+				   foundname, dcname, rdataset, sigrdataset));
+}
+
+static void
+attachnode(dns_db_t *db, dns_dbnode_t *source, dns_dbnode_t **targetp) {
+	sampledb_t *sampledb = (sampledb_t *)db;
+
+	REQUIRE(VALID_SAMPLEDB(sampledb));
+
+	dns_db_attachnode(sampledb->rbtdb, source, targetp);
+}
+
+static void
+detachnode(dns_db_t *db, dns_dbnode_t **targetp) {
+	sampledb_t *sampledb = (sampledb_t *)db;
+
+	REQUIRE(VALID_SAMPLEDB(sampledb));
+
+	dns_db_detachnode(sampledb->rbtdb, targetp);
+}
+
+static isc_result_t
+expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
+	sampledb_t *sampledb = (sampledb_t *)db;
+
+	REQUIRE(VALID_SAMPLEDB(sampledb));
+
+	return (dns_db_expirenode(sampledb->rbtdb, node, now));
+}
+
+static void
+printnode(dns_db_t *db, dns_dbnode_t *node, FILE *out) {
+	sampledb_t *sampledb = (sampledb_t *)db;
+
+	REQUIRE(VALID_SAMPLEDB(sampledb));
+
+	dns_db_printnode(sampledb->rbtdb, node, out);
+}
+
+static isc_result_t
+createiterator(dns_db_t *db, unsigned int options,
+	       dns_dbiterator_t **iteratorp) {
+	sampledb_t *sampledb = (sampledb_t *)db;
+
+	REQUIRE(VALID_SAMPLEDB(sampledb));
+
+	return (dns_db_createiterator(sampledb->rbtdb, options, iteratorp));
+}
+
+static isc_result_t
+findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+	     dns_rdatatype_t type, dns_rdatatype_t covers, isc_stdtime_t now,
+	     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) {
+	sampledb_t *sampledb = (sampledb_t *)db;
+
+	REQUIRE(VALID_SAMPLEDB(sampledb));
+
+	return (dns_db_findrdataset(sampledb->rbtdb, node, version, type,
+				    covers, now, rdataset, sigrdataset));
+}
+
+static isc_result_t
+allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+	     unsigned int options, isc_stdtime_t now,
+	     dns_rdatasetiter_t **iteratorp) {
+	sampledb_t *sampledb = (sampledb_t *)db;
+
+	REQUIRE(VALID_SAMPLEDB(sampledb));
+
+	return (dns_db_allrdatasets(sampledb->rbtdb, node, version, options,
+				    now, iteratorp));
+}
+
+static isc_result_t
+addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+	    isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options,
+	    dns_rdataset_t *addedrdataset) {
+	sampledb_t *sampledb = (sampledb_t *)db;
+	isc_result_t result;
+	dns_fixedname_t name;
+
+	REQUIRE(VALID_SAMPLEDB(sampledb));
+
+	dns_fixedname_init(&name);
+	CHECK(dns_db_addrdataset(sampledb->rbtdb, node, version, now, rdataset,
+				 options, addedrdataset));
+	if (rdataset->type == dns_rdatatype_a ||
+	    rdataset->type == dns_rdatatype_aaaa)
+	{
+		CHECK(sample_name_fromnode(node, dns_fixedname_name(&name)));
+		CHECK(syncptrs(sampledb->inst, dns_fixedname_name(&name),
+			       rdataset, DNS_DIFFOP_ADD));
+	}
+
+cleanup:
+	return (result);
+}
+
+static isc_result_t
+subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+		 dns_rdataset_t *rdataset, unsigned int options,
+		 dns_rdataset_t *newrdataset) {
+	sampledb_t *sampledb = (sampledb_t *)db;
+	isc_result_t result;
+	dns_fixedname_t name;
+
+	REQUIRE(VALID_SAMPLEDB(sampledb));
+
+	dns_fixedname_init(&name);
+	result = dns_db_subtractrdataset(sampledb->rbtdb, node, version,
+					 rdataset, options, newrdataset);
+	if (result != ISC_R_SUCCESS && result != DNS_R_NXRRSET) {
+		goto cleanup;
+	}
+
+	if (rdataset->type == dns_rdatatype_a ||
+	    rdataset->type == dns_rdatatype_aaaa)
+	{
+		CHECK(sample_name_fromnode(node, dns_fixedname_name(&name)));
+		CHECK(syncptrs(sampledb->inst, dns_fixedname_name(&name),
+			       rdataset, DNS_DIFFOP_DEL));
+	}
+
+cleanup:
+	return (result);
+}
+
+/*
+ * deleterdataset() function is not used during DNS update processing so syncptr
+ * implementation is left as an exercise to the reader.
+ */
+static isc_result_t
+deleterdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+	       dns_rdatatype_t type, dns_rdatatype_t covers) {
+	sampledb_t *sampledb = (sampledb_t *)db;
+
+	REQUIRE(VALID_SAMPLEDB(sampledb));
+
+	return (dns_db_deleterdataset(sampledb->rbtdb, node, version, type,
+				      covers));
+}
+
+static bool
+issecure(dns_db_t *db) {
+	sampledb_t *sampledb = (sampledb_t *)db;
+
+	REQUIRE(VALID_SAMPLEDB(sampledb));
+
+	return (dns_db_issecure(sampledb->rbtdb));
+}
+
+static unsigned int
+nodecount(dns_db_t *db) {
+	sampledb_t *sampledb = (sampledb_t *)db;
+
+	REQUIRE(VALID_SAMPLEDB(sampledb));
+
+	return (dns_db_nodecount(sampledb->rbtdb));
+}
+
+/*
+ * The database does not need to be loaded from disk or written to disk.
+ * Always return true.
+ */
+static bool
+ispersistent(dns_db_t *db) {
+	UNUSED(db);
+
+	return (true);
+}
+
+static void
+overmem(dns_db_t *db, bool over) {
+	sampledb_t *sampledb = (sampledb_t *)db;
+
+	REQUIRE(VALID_SAMPLEDB(sampledb));
+
+	dns_db_overmem(sampledb->rbtdb, over);
+}
+
+static void
+settask(dns_db_t *db, isc_task_t *task) {
+	sampledb_t *sampledb = (sampledb_t *)db;
+
+	REQUIRE(VALID_SAMPLEDB(sampledb));
+
+	dns_db_settask(sampledb->rbtdb, task);
+}
+
+static isc_result_t
+getoriginnode(dns_db_t *db, dns_dbnode_t **nodep) {
+	sampledb_t *sampledb = (sampledb_t *)db;
+
+	REQUIRE(VALID_SAMPLEDB(sampledb));
+
+	return (dns_db_getoriginnode(sampledb->rbtdb, nodep));
+}
+
+static void
+transfernode(dns_db_t *db, dns_dbnode_t **sourcep, dns_dbnode_t **targetp) {
+	sampledb_t *sampledb = (sampledb_t *)db;
+
+	REQUIRE(VALID_SAMPLEDB(sampledb));
+
+	dns_db_transfernode(sampledb->rbtdb, sourcep, targetp);
+}
+
+static isc_result_t
+getnsec3parameters(dns_db_t *db, dns_dbversion_t *version, dns_hash_t *hash,
+		   uint8_t *flags, uint16_t *iterations, unsigned char *salt,
+		   size_t *salt_length) {
+	sampledb_t *sampledb = (sampledb_t *)db;
+
+	REQUIRE(VALID_SAMPLEDB(sampledb));
+
+	return (dns_db_getnsec3parameters(sampledb->rbtdb, version, hash, flags,
+					  iterations, salt, salt_length));
+}
+
+static isc_result_t
+findnsec3node(dns_db_t *db, const dns_name_t *name, bool create,
+	      dns_dbnode_t **nodep) {
+	sampledb_t *sampledb = (sampledb_t *)db;
+
+	REQUIRE(VALID_SAMPLEDB(sampledb));
+
+	return (dns_db_findnsec3node(sampledb->rbtdb, name, create, nodep));
+}
+
+static isc_result_t
+setsigningtime(dns_db_t *db, dns_rdataset_t *rdataset, isc_stdtime_t resign) {
+	sampledb_t *sampledb = (sampledb_t *)db;
+
+	REQUIRE(VALID_SAMPLEDB(sampledb));
+
+	return (dns_db_setsigningtime(sampledb->rbtdb, rdataset, resign));
+}
+
+static isc_result_t
+getsigningtime(dns_db_t *db, dns_rdataset_t *rdataset, dns_name_t *name) {
+	sampledb_t *sampledb = (sampledb_t *)db;
+
+	REQUIRE(VALID_SAMPLEDB(sampledb));
+
+	return (dns_db_getsigningtime(sampledb->rbtdb, rdataset, name));
+}
+
+static void
+resigned(dns_db_t *db, dns_rdataset_t *rdataset, dns_dbversion_t *version) {
+	sampledb_t *sampledb = (sampledb_t *)db;
+
+	REQUIRE(VALID_SAMPLEDB(sampledb));
+
+	dns_db_resigned(sampledb->rbtdb, rdataset, version);
+}
+
+static bool
+isdnssec(dns_db_t *db) {
+	sampledb_t *sampledb = (sampledb_t *)db;
+
+	REQUIRE(VALID_SAMPLEDB(sampledb));
+
+	return (dns_db_isdnssec(sampledb->rbtdb));
+}
+
+static dns_stats_t *
+getrrsetstats(dns_db_t *db) {
+	sampledb_t *sampledb = (sampledb_t *)db;
+
+	REQUIRE(VALID_SAMPLEDB(sampledb));
+
+	return (dns_db_getrrsetstats(sampledb->rbtdb));
+}
+
+static isc_result_t
+findnodeext(dns_db_t *db, const dns_name_t *name, bool create,
+	    dns_clientinfomethods_t *methods, dns_clientinfo_t *clientinfo,
+	    dns_dbnode_t **nodep) {
+	sampledb_t *sampledb = (sampledb_t *)db;
+
+	REQUIRE(VALID_SAMPLEDB(sampledb));
+
+	return (dns_db_findnodeext(sampledb->rbtdb, name, create, methods,
+				   clientinfo, nodep));
+}
+
+static isc_result_t
+findext(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version,
+	dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
+	dns_dbnode_t **nodep, dns_name_t *foundname,
+	dns_clientinfomethods_t *methods, dns_clientinfo_t *clientinfo,
+	dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) {
+	sampledb_t *sampledb = (sampledb_t *)db;
+
+	REQUIRE(VALID_SAMPLEDB(sampledb));
+
+	return (dns_db_findext(sampledb->rbtdb, name, version, type, options,
+			       now, nodep, foundname, methods, clientinfo,
+			       rdataset, sigrdataset));
+}
+
+static isc_result_t
+setcachestats(dns_db_t *db, isc_stats_t *stats) {
+	sampledb_t *sampledb = (sampledb_t *)db;
+
+	REQUIRE(VALID_SAMPLEDB(sampledb));
+
+	return (dns_db_setcachestats(sampledb->rbtdb, stats));
+}
+
+static size_t
+hashsize(dns_db_t *db) {
+	sampledb_t *sampledb = (sampledb_t *)db;
+
+	REQUIRE(VALID_SAMPLEDB(sampledb));
+
+	return (dns_db_hashsize(sampledb->rbtdb));
+}
+
+/*
+ * DB interface definition. Database driver uses this structure to
+ * determine which implementation of dns_db_*() function to call.
+ */
+static dns_dbmethods_t sampledb_methods = {
+	attach,
+	detach,
+	beginload,
+	endload,
+	serialize,
+	dump,
+	currentversion,
+	newversion,
+	attachversion,
+	closeversion,
+	findnode,
+	find,
+	findzonecut,
+	attachnode,
+	detachnode,
+	expirenode,
+	printnode,
+	createiterator,
+	findrdataset,
+	allrdatasets,
+	addrdataset,
+	subtractrdataset,
+	deleterdataset,
+	issecure,
+	nodecount,
+	ispersistent,
+	overmem,
+	settask,
+	getoriginnode,
+	transfernode,
+	getnsec3parameters,
+	findnsec3node,
+	setsigningtime,
+	getsigningtime,
+	resigned,
+	isdnssec,
+	getrrsetstats,
+	NULL, /* rpz_attach */
+	NULL, /* rpz_ready */
+	findnodeext,
+	findext,
+	setcachestats,
+	hashsize,
+	NULL, /* nodefullname */
+	NULL, /* getsize */
+	NULL, /* setservestalettl */
+	NULL, /* getservestalettl */
+	NULL, /* setservestalerefresh */
+	NULL, /* getservestalerefresh */
+	NULL, /* setgluecachestats */
+	NULL  /* adjusthashsize */
+};
+
+/* Auxiliary driver functions. */
+
+/*
+ * Auxiliary functions add_*() create minimal database which can be loaded.
+ * This is necessary because this driver create empty 'fake' zone which
+ * is not loaded from disk so there is no way for user to supply SOA, NS and A
+ * records.
+ *
+ * Following functions were copied from BIND 9.10.2rc1 named/server.c,
+ * credit goes to ISC.
+ */
+static isc_result_t
+add_soa(dns_db_t *db, dns_dbversion_t *version, const dns_name_t *name,
+	const dns_name_t *origin, const dns_name_t *contact) {
+	dns_dbnode_t *node = NULL;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdatalist_t rdatalist;
+	dns_rdataset_t rdataset;
+	isc_result_t result;
+	unsigned char buf[DNS_SOA_BUFFERSIZE];
+
+	dns_rdataset_init(&rdataset);
+	dns_rdatalist_init(&rdatalist);
+	CHECK(dns_soa_buildrdata(origin, contact, dns_db_class(db), 0, 28800,
+				 7200, 604800, 86400, buf, &rdata));
+	rdatalist.type = rdata.type;
+	rdatalist.covers = 0;
+	rdatalist.rdclass = rdata.rdclass;
+	rdatalist.ttl = 86400;
+	ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
+	CHECK(dns_rdatalist_tordataset(&rdatalist, &rdataset));
+	CHECK(dns_db_findnode(db, name, true, &node));
+	CHECK(dns_db_addrdataset(db, node, version, 0, &rdataset, 0, NULL));
+cleanup:
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+	return (result);
+}
+
+static isc_result_t
+add_ns(dns_db_t *db, dns_dbversion_t *version, const dns_name_t *name,
+       const dns_name_t *nsname) {
+	dns_dbnode_t *node = NULL;
+	dns_rdata_ns_t ns;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdatalist_t rdatalist;
+	dns_rdataset_t rdataset;
+	isc_result_t result;
+	isc_buffer_t b;
+	unsigned char buf[DNS_NAME_MAXWIRE];
+
+	isc_buffer_init(&b, buf, sizeof(buf));
+
+	dns_rdataset_init(&rdataset);
+	dns_rdatalist_init(&rdatalist);
+	ns.common.rdtype = dns_rdatatype_ns;
+	ns.common.rdclass = dns_db_class(db);
+	ns.mctx = NULL;
+	dns_name_init(&ns.name, NULL);
+	dns_name_clone(nsname, &ns.name);
+	CHECK(dns_rdata_fromstruct(&rdata, dns_db_class(db), dns_rdatatype_ns,
+				   &ns, &b));
+	rdatalist.type = rdata.type;
+	rdatalist.covers = 0;
+	rdatalist.rdclass = rdata.rdclass;
+	rdatalist.ttl = 86400;
+	ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
+	CHECK(dns_rdatalist_tordataset(&rdatalist, &rdataset));
+	CHECK(dns_db_findnode(db, name, true, &node));
+	CHECK(dns_db_addrdataset(db, node, version, 0, &rdataset, 0, NULL));
+cleanup:
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+	return (result);
+}
+
+static isc_result_t
+add_a(dns_db_t *db, dns_dbversion_t *version, const dns_name_t *name,
+      struct in_addr addr) {
+	dns_dbnode_t *node = NULL;
+	dns_rdata_in_a_t a;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdatalist_t rdatalist;
+	dns_rdataset_t rdataset;
+	isc_result_t result;
+	isc_buffer_t b;
+	unsigned char buf[DNS_NAME_MAXWIRE];
+
+	isc_buffer_init(&b, buf, sizeof(buf));
+
+	dns_rdataset_init(&rdataset);
+	dns_rdatalist_init(&rdatalist);
+	a.common.rdtype = dns_rdatatype_a;
+	a.common.rdclass = dns_db_class(db);
+	a.in_addr = addr;
+	CHECK(dns_rdata_fromstruct(&rdata, dns_db_class(db), dns_rdatatype_a,
+				   &a, &b));
+	rdatalist.type = rdata.type;
+	rdatalist.covers = 0;
+	rdatalist.rdclass = rdata.rdclass;
+	rdatalist.ttl = 86400;
+	ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
+	CHECK(dns_rdatalist_tordataset(&rdatalist, &rdataset));
+	CHECK(dns_db_findnode(db, name, true, &node));
+	CHECK(dns_db_addrdataset(db, node, version, 0, &rdataset, 0, NULL));
+cleanup:
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+	return (result);
+}
+
+/*
+ * Driver-specific implementation of dns_db_create().
+ *
+ * @param[in] argv      Database-specific parameters from dns_db_create().
+ * @param[in] driverarg Driver-specific parameter from dns_db_register().
+ */
+isc_result_t
+create_db(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type,
+	  dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
+	  void *driverarg, dns_db_t **dbp) {
+	sampledb_t *sampledb = NULL;
+	isc_result_t result;
+	dns_dbversion_t *version = NULL;
+	struct in_addr a_addr;
+
+	REQUIRE(type == dns_dbtype_zone);
+	REQUIRE(rdclass == dns_rdataclass_in);
+	REQUIRE(argc == 0);
+	REQUIRE(argv != NULL);
+	REQUIRE(driverarg != NULL); /* pointer to driver instance */
+	REQUIRE(dbp != NULL && *dbp == NULL);
+
+	UNUSED(driverarg); /* no driver-specific configuration */
+
+	a_addr.s_addr = 0x0100007fU;
+
+	CHECKED_MEM_GET_PTR(mctx, sampledb);
+	ZERO_PTR(sampledb);
+
+	isc_mem_attach(mctx, &sampledb->common.mctx);
+	dns_name_init(&sampledb->common.origin, NULL);
+
+	sampledb->common.magic = DNS_DB_MAGIC;
+	sampledb->common.impmagic = SAMPLEDB_MAGIC;
+
+	sampledb->common.methods = &sampledb_methods;
+	sampledb->common.attributes = 0;
+	sampledb->common.rdclass = rdclass;
+
+	CHECK(dns_name_dupwithoffsets(origin, mctx, &sampledb->common.origin));
+
+	isc_refcount_init(&sampledb->refs, 1);
+
+	/* Translate instance name to instance pointer. */
+	sampledb->inst = driverarg;
+
+	/* Create internal instance of RBT DB implementation from BIND. */
+	CHECK(dns_db_create(mctx, "rbt", origin, dns_dbtype_zone,
+			    dns_rdataclass_in, 0, NULL, &sampledb->rbtdb));
+
+	/* Create fake SOA, NS, and A records to make database loadable. */
+	CHECK(dns_db_newversion(sampledb->rbtdb, &version));
+	CHECK(add_soa(sampledb->rbtdb, version, origin, origin, origin));
+	CHECK(add_ns(sampledb->rbtdb, version, origin, origin));
+	CHECK(add_a(sampledb->rbtdb, version, origin, a_addr));
+	dns_db_closeversion(sampledb->rbtdb, &version, true);
+
+	*dbp = (dns_db_t *)sampledb;
+
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	if (sampledb != NULL) {
+		if (dns_name_dynamic(&sampledb->common.origin)) {
+			dns_name_free(&sampledb->common.origin, mctx);
+		}
+
+		isc_mem_putanddetach(&sampledb->common.mctx, sampledb,
+				     sizeof(*sampledb));
+	}
+
+	return (result);
+}
diff --git a/bin/tests/system/dyndb/driver/db.h b/bin/tests/system/dyndb/driver/db.h
new file mode 100644
index 0000000..c520c8b
--- /dev/null
+++ b/bin/tests/system/dyndb/driver/db.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) 2009-2015 Red Hat
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND AUTHORS DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/**
+ * Database API implementation.
+ */
+
+#pragma once
+
+#include <isc/mem.h>
+#include <isc/result.h>
+
+#include <dns/db.h>
+#include <dns/name.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatatype.h>
+
+isc_result_t
+create_db(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type,
+	  dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
+	  void *driverarg, dns_db_t **dbp);
diff --git a/bin/tests/system/dyndb/driver/driver.c b/bin/tests/system/dyndb/driver/driver.c
new file mode 100644
index 0000000..51bcbd2
--- /dev/null
+++ b/bin/tests/system/dyndb/driver/driver.c
@@ -0,0 +1,179 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) Red Hat
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND AUTHORS DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Driver API implementation and main entry point for BIND.
+ *
+ * BIND calls dyndb_version() before loading, dyndb_init() during startup
+ * and dyndb_destroy() during shutdown.
+ *
+ * It is completely up to implementation what to do.
+ *
+ * dyndb <name> <driver> {} sections in named.conf are independent so
+ * driver init() and destroy() functions are called independently for
+ * each section even if they reference the same driver/library. It is
+ * up to driver implementation to detect and catch this situation if
+ * it is undesirable.
+ */
+
+#include <isc/commandline.h>
+#include <isc/hash.h>
+#include <isc/lib.h>
+#include <isc/mem.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/dyndb.h>
+#include <dns/lib.h>
+#include <dns/types.h>
+
+#include "db.h"
+#include "instance.h"
+#include "log.h"
+#include "util.h"
+
+dns_dyndb_destroy_t dyndb_destroy;
+dns_dyndb_register_t dyndb_init;
+dns_dyndb_version_t dyndb_version;
+
+/*
+ * Driver init is called for each dyndb section in named.conf
+ * once during startup and then again on every reload.
+ *
+ * @code
+ * dyndb example-name "sample.so" { param1 param2 };
+ * @endcode
+ *
+ * @param[in] name        User-defined string from dyndb "name" {}; definition
+ *                        in named.conf.
+ *                        The example above will have name = "example-name".
+ * @param[in] parameters  User-defined parameters from dyndb section as one
+ *                        string. The example above will have
+ *                        params = "param1 param2";
+ * @param[in] file	  The name of the file from which the parameters
+ *                        were read.
+ * @param[in] line	  The line number from which the parameters were read.
+ * @param[out] instp      Pointer to instance-specific data
+ *                        (for one dyndb section).
+ */
+isc_result_t
+dyndb_init(isc_mem_t *mctx, const char *name, const char *parameters,
+	   const char *file, unsigned long line, const dns_dyndbctx_t *dctx,
+	   void **instp) {
+	isc_result_t result;
+	unsigned int argc;
+	char **argv = NULL;
+	char *s = NULL;
+	sample_instance_t *sample_inst = NULL;
+
+	REQUIRE(name != NULL);
+	REQUIRE(dctx != NULL);
+
+	/*
+	 * Depending on how dlopen() was called, we may not have
+	 * access to named's global namespace, in which case we need
+	 * to initialize libisc/libdns. We check this by comparing
+	 * the value of isc_mem_debugging to the value passed via
+	 * the context object.
+	 */
+	if (dctx->memdebug != &isc_mem_debugging) {
+		isc_lib_register();
+		isc_log_setcontext(dctx->lctx);
+		dns_log_setcontext(dctx->lctx);
+		isc_hash_set_initializer(dctx->hashinit);
+		isc_mem_debugging = *(unsigned int *)dctx->memdebug;
+	}
+
+	s = isc_mem_strdup(mctx, parameters);
+
+	result = isc_commandline_strtoargv(mctx, s, &argc, &argv, 0);
+	if (result != ISC_R_SUCCESS) {
+		log_write(ISC_LOG_ERROR,
+			  "dyndb_init: isc_commandline_strtoargv -> %s\n",
+			  isc_result_totext(result));
+		goto cleanup;
+	}
+
+	log_write(ISC_LOG_DEBUG(9), "loading params for dyndb '%s' from %s:%lu",
+		  name, file, line);
+
+	/* Finally, create the instance. */
+	result = new_sample_instance(mctx, name, argc, argv, dctx,
+				     &sample_inst);
+	if (result != ISC_R_SUCCESS) {
+		log_write(ISC_LOG_ERROR,
+			  "dyndb_init: new_sample_instance -> %s\n",
+			  isc_result_totext(result));
+		goto cleanup;
+	}
+
+	/*
+	 * This is an example so we create and load zones
+	 * right now.  This step can be arbitrarily postponed.
+	 */
+	result = load_sample_instance_zones(sample_inst);
+	if (result != ISC_R_SUCCESS) {
+		log_write(ISC_LOG_ERROR,
+			  "dyndb_init: load_sample_instance_zones -> %s\n",
+			  isc_result_totext(result));
+		goto cleanup;
+	}
+
+	*instp = sample_inst;
+
+cleanup:
+	isc_mem_free(mctx, s);
+	if (argv != NULL) {
+		isc_mem_put(mctx, argv, argc * sizeof(*argv));
+	}
+
+	return (result);
+}
+
+/*
+ * Driver destroy is called for every instance on every reload and then once
+ * during shutdown.
+ *
+ * @param[out] instp Pointer to instance-specific data (for one dyndb section).
+ */
+void
+dyndb_destroy(void **instp) {
+	destroy_sample_instance((sample_instance_t **)instp);
+}
+
+/*
+ * Driver version is called when loading the driver to ensure there
+ * is no API mismatch between the driver and the caller.
+ */
+int
+dyndb_version(unsigned int *flags) {
+	UNUSED(flags);
+
+	return (DNS_DYNDB_VERSION);
+}
diff --git a/bin/tests/system/dyndb/driver/instance.c b/bin/tests/system/dyndb/driver/instance.c
new file mode 100644
index 0000000..9e90a2c
--- /dev/null
+++ b/bin/tests/system/dyndb/driver/instance.c
@@ -0,0 +1,231 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) 2009-2015 Red Hat
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND AUTHORS DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Driver instance object.
+ *
+ * One instance is equivalent to dynamic-db section in named.conf.
+ * This module parses arguments and provide high-level operations
+ * instance init/zone load/instance destroy.
+ */
+
+#include "instance.h"
+
+#include <isc/task.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/dyndb.h>
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/view.h>
+#include <dns/zone.h>
+
+#include "db.h"
+#include "log.h"
+#include "util.h"
+#include "zone.h"
+
+/*
+ * Parse parameters and convert them to zone names. Caller has to deallocate
+ * resulting DNS names.
+ *
+ * @param[in]  argv NULL-terminated string array of length 2 (excluding NULL)
+ * 		    Each string has to be a valid DNS name.
+ * @param[out] z1   Zone name from argv[0]
+ * @param[out] z2   Zone name from argv[1]
+ */
+static isc_result_t
+parse_params(isc_mem_t *mctx, int argc, char **argv, dns_name_t *z1,
+	     dns_name_t *z2) {
+	isc_result_t result;
+	int i;
+
+	REQUIRE(argv != NULL);
+	REQUIRE(z1 != NULL);
+	REQUIRE(z2 != NULL);
+
+	for (i = 0; i < argc; i++) {
+		log_info("param: '%s'", argv[i]);
+	}
+	log_info("number of params: %d", i);
+
+	if (argc != 2) {
+		log_error("exactly two parameters "
+			  "(absolute zone names) are required");
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+	result = dns_name_fromstring2(z1, argv[0], dns_rootname, 0, mctx);
+	if (result != ISC_R_SUCCESS) {
+		log_write(ISC_LOG_ERROR,
+			  "parse_params: dns_name_fromstring2 -> %s",
+			  isc_result_totext(result));
+		goto cleanup;
+	}
+	result = dns_name_fromstring2(z2, argv[1], dns_rootname, 0, mctx);
+	if (result != ISC_R_SUCCESS) {
+		log_write(ISC_LOG_ERROR,
+			  "parse_params: dns_name_fromstring2 -> %s",
+			  isc_result_totext(result));
+		goto cleanup;
+	}
+
+	result = ISC_R_SUCCESS;
+
+cleanup:
+	return (result);
+}
+
+/*
+ * Initialize new driver instance. It will not create zones until
+ * load_sample_instance_zones() is called.
+ */
+isc_result_t
+new_sample_instance(isc_mem_t *mctx, const char *db_name, int argc, char **argv,
+		    const dns_dyndbctx_t *dctx,
+		    sample_instance_t **sample_instp) {
+	isc_result_t result;
+	sample_instance_t *inst = NULL;
+
+	REQUIRE(sample_instp != NULL && *sample_instp == NULL);
+
+	CHECKED_MEM_GET_PTR(mctx, inst);
+	ZERO_PTR(inst);
+	isc_mem_attach(mctx, &inst->mctx);
+
+	inst->db_name = isc_mem_strdup(mctx, db_name);
+
+	inst->zone1_name = dns_fixedname_initname(&inst->zone1_fn);
+	inst->zone2_name = dns_fixedname_initname(&inst->zone2_fn);
+
+	result = parse_params(mctx, argc, argv, inst->zone1_name,
+			      inst->zone2_name);
+	if (result != ISC_R_SUCCESS) {
+		log_write(ISC_LOG_ERROR,
+			  "new_sample_instance: parse_params -> %s",
+			  isc_result_totext(result));
+		goto cleanup;
+	}
+
+	dns_view_attach(dctx->view, &inst->view);
+	dns_zonemgr_attach(dctx->zmgr, &inst->zmgr);
+	isc_task_attach(dctx->task, &inst->task);
+
+	/* Register new DNS DB implementation. */
+	result = dns_db_register(db_name, create_db, inst, mctx, &inst->db_imp);
+	if (result != ISC_R_SUCCESS) {
+		log_write(ISC_LOG_ERROR,
+			  "new_sample_instance: dns_db_register -> %s",
+			  isc_result_totext(result));
+		goto cleanup;
+	}
+
+	*sample_instp = inst;
+	result = ISC_R_SUCCESS;
+
+cleanup:
+	if (result != ISC_R_SUCCESS) {
+		destroy_sample_instance(&inst);
+	}
+	return (result);
+}
+
+/*
+ * Create empty zones, add fake SOA, NS, and A records, load fake zones
+ * and add them to inst->view.
+ */
+isc_result_t
+load_sample_instance_zones(sample_instance_t *inst) {
+	isc_result_t result;
+
+	result = create_zone(inst, inst->zone1_name, &inst->zone1);
+	if (result != ISC_R_SUCCESS) {
+		log_write(ISC_LOG_ERROR,
+			  "load_sample_instance_zones: create_zone -> %s",
+			  isc_result_totext(result));
+		goto cleanup;
+	}
+	result = activate_zone(inst, inst->zone1);
+	if (result != ISC_R_SUCCESS) {
+		log_write(ISC_LOG_ERROR,
+			  "load_sample_instance_zones: activate_zone -> %s",
+			  isc_result_totext(result));
+		goto cleanup;
+	}
+
+	result = create_zone(inst, inst->zone2_name, &inst->zone2);
+	if (result != ISC_R_SUCCESS) {
+		log_write(ISC_LOG_ERROR,
+			  "load_sample_instance_zones: create_zone -> %s",
+			  isc_result_totext(result));
+		goto cleanup;
+	}
+	result = activate_zone(inst, inst->zone2);
+	if (result != ISC_R_SUCCESS) {
+		log_write(ISC_LOG_ERROR,
+			  "load_sample_instance_zones: activate_zone -> %s",
+			  isc_result_totext(result));
+		goto cleanup;
+	}
+
+cleanup:
+	return (result);
+}
+
+void
+destroy_sample_instance(sample_instance_t **instp) {
+	sample_instance_t *inst;
+	REQUIRE(instp != NULL);
+
+	inst = *instp;
+	*instp = NULL;
+	if (inst == NULL) {
+		return;
+	}
+
+	if (inst->db_name != NULL) {
+		isc_mem_free(inst->mctx, inst->db_name);
+	}
+	if (inst->zone1 != NULL) {
+		dns_zone_detach(&inst->zone1);
+	}
+	if (inst->zone2 != NULL) {
+		dns_zone_detach(&inst->zone2);
+	}
+	if (inst->db_imp != NULL) {
+		dns_db_unregister(&inst->db_imp);
+	}
+
+	dns_view_detach(&inst->view);
+	dns_zonemgr_detach(&inst->zmgr);
+	isc_task_detach(&inst->task);
+
+	MEM_PUT_AND_DETACH(inst);
+}
diff --git a/bin/tests/system/dyndb/driver/instance.h b/bin/tests/system/dyndb/driver/instance.h
new file mode 100644
index 0000000..ad34573
--- /dev/null
+++ b/bin/tests/system/dyndb/driver/instance.h
@@ -0,0 +1,76 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) 2009-2015 Red Hat
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND AUTHORS DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/**
+ * Driver instance object.
+ */
+
+#ifndef _LD_INSTANCE_H_
+#define _LD_INSTANCE_H_
+
+#include <stdbool.h>
+
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/types.h>
+
+struct sample_instance {
+	isc_mem_t *mctx;
+	char *db_name;
+	dns_dbimplementation_t *db_imp;
+
+	/* These are needed for zone creation. */
+	dns_view_t *view;
+	dns_zonemgr_t *zmgr;
+	isc_task_t *task;
+	bool exiting;
+
+	dns_zone_t *zone1;
+	dns_fixedname_t zone1_fn;
+	dns_name_t *zone1_name;
+
+	dns_zone_t *zone2;
+	dns_fixedname_t zone2_fn;
+	dns_name_t *zone2_name;
+};
+
+typedef struct sample_instance sample_instance_t;
+
+isc_result_t
+new_sample_instance(isc_mem_t *mctx, const char *db_name, int argc, char **argv,
+		    const dns_dyndbctx_t *dctx,
+		    sample_instance_t **sample_instp);
+
+isc_result_t
+load_sample_instance_zones(sample_instance_t *inst);
+
+void
+destroy_sample_instance(sample_instance_t **sample_instp);
+
+#endif /* !_LD_INSTANCE_H_ */
diff --git a/bin/tests/system/dyndb/driver/lock.c b/bin/tests/system/dyndb/driver/lock.c
new file mode 100644
index 0000000..5d73871
--- /dev/null
+++ b/bin/tests/system/dyndb/driver/lock.c
@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) Red Hat
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND AUTHORS DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "lock.h"
+
+#include <isc/task.h>
+#include <isc/util.h>
+
+/*
+ * Lock BIND dispatcher and allow only single task to run.
+ *
+ * @warning
+ * All calls to isc_task_beginexclusive() have to operate on the same task
+ * otherwise it would not be possible to distinguish recursive locking
+ * from real conflict on the dispatcher lock.
+ * For this reason this wrapper function always works with inst->task.
+ * As a result, this function have to be be called only from inst->task.
+ *
+ * Recursive locking is allowed. Auxiliary variable pointed to by "statep"
+ * stores information if last run_exclusive_enter() operation really locked
+ * something or if the lock was called recursively and was no-op.
+ *
+ * The pair (inst, state) used for run_exclusive_enter() has to be
+ * used for run_exclusive_exit().
+ *
+ * @param[in]  	  inst   The instance with the only task which is allowed to
+ * run.
+ * @param[in,out] statep Lock state: ISC_R_SUCCESS or ISC_R_LOCKBUSY
+ */
+void
+run_exclusive_enter(sample_instance_t *inst, isc_result_t *statep) {
+	REQUIRE(statep != NULL);
+	REQUIRE(*statep == ISC_R_IGNORE);
+
+	*statep = isc_task_beginexclusive(inst->task);
+	RUNTIME_CHECK(*statep == ISC_R_SUCCESS || *statep == ISC_R_LOCKBUSY);
+}
+
+/*
+ * Exit task-exclusive mode.
+ *
+ * @param[in] inst  The instance used for previous run_exclusive_enter() call.
+ * @param[in] state Lock state as returned by run_exclusive_enter().
+ */
+void
+run_exclusive_exit(sample_instance_t *inst, isc_result_t state) {
+	if (state == ISC_R_SUCCESS) {
+		isc_task_endexclusive(inst->task);
+	} else {
+		/* Unlocking recursive lock or the lock was never locked. */
+		INSIST(state == ISC_R_LOCKBUSY || state == ISC_R_IGNORE);
+	}
+
+	return;
+}
diff --git a/bin/tests/system/dyndb/driver/lock.h b/bin/tests/system/dyndb/driver/lock.h
new file mode 100644
index 0000000..8cf5907
--- /dev/null
+++ b/bin/tests/system/dyndb/driver/lock.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) Red Hat
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND AUTHORS DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef LOCK_H_
+#define LOCK_H_
+
+#include "instance.h"
+#include "util.h"
+
+void
+run_exclusive_enter(sample_instance_t *inst, isc_result_t *statep);
+
+void
+run_exclusive_exit(sample_instance_t *inst, isc_result_t state);
+
+#endif /* LOCK_H_ */
diff --git a/bin/tests/system/dyndb/driver/log.c b/bin/tests/system/dyndb/driver/log.c
new file mode 100644
index 0000000..ef8b1ee
--- /dev/null
+++ b/bin/tests/system/dyndb/driver/log.c
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) Red Hat
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND AUTHORS DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "log.h"
+
+#include <isc/util.h>
+
+#include <dns/log.h>
+
+void
+log_write(int level, const char *format, ...) {
+	va_list args;
+
+	va_start(args, format);
+	isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DYNDB,
+		       level, format, args);
+	va_end(args);
+}
diff --git a/bin/tests/system/dyndb/driver/log.h b/bin/tests/system/dyndb/driver/log.h
new file mode 100644
index 0000000..f612a8b
--- /dev/null
+++ b/bin/tests/system/dyndb/driver/log.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) Red Hat
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND AUTHORS DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef _LD_LOG_H_
+#define _LD_LOG_H_
+
+#include <isc/error.h>
+
+#include <dns/log.h>
+#include <dns/result.h>
+
+#define fatal_error(...) isc_error_fatal(__FILE__, __LINE__, __VA_ARGS__)
+
+#define log_error_r(fmt, ...) \
+	log_error(fmt ": %s", ##__VA_ARGS__, dns_result_totext(result))
+
+#define log_error(format, ...) log_write(ISC_LOG_ERROR, format, ##__VA_ARGS__)
+
+#define log_info(format, ...) log_write(ISC_LOG_INFO, format, ##__VA_ARGS__)
+
+void
+log_write(int level, const char *format, ...) ISC_FORMAT_PRINTF(2, 3);
+
+#endif /* !_LD_LOG_H_ */
diff --git a/bin/tests/system/dyndb/driver/syncptr.c b/bin/tests/system/dyndb/driver/syncptr.c
new file mode 100644
index 0000000..cfed153
--- /dev/null
+++ b/bin/tests/system/dyndb/driver/syncptr.c
@@ -0,0 +1,337 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) Red Hat
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND AUTHORS DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Automatic A/AAAA/PTR record synchronization.
+ */
+
+#include "syncptr.h"
+
+#include <isc/event.h>
+#include <isc/eventclass.h>
+#include <isc/netaddr.h>
+#include <isc/task.h>
+#include <isc/util.h>
+
+#include <dns/byaddr.h>
+#include <dns/db.h>
+#include <dns/name.h>
+#include <dns/view.h>
+#include <dns/zone.h>
+
+#include "instance.h"
+#include "util.h"
+
+/* Almost random value. See eventclass.h */
+#define SYNCPTR_WRITE_EVENT (ISC_EVENTCLASS(1025) + 1)
+
+/*
+ * Event used for making changes to reverse zones.
+ */
+typedef struct syncptrevent syncptrevent_t;
+struct syncptrevent {
+	ISC_EVENT_COMMON(syncptrevent_t);
+	isc_mem_t *mctx;
+	dns_zone_t *zone;
+	dns_diff_t diff;
+	dns_fixedname_t ptr_target_name; /* referenced by owner name in
+					  * tuple */
+	isc_buffer_t b; /* referenced by target name in tuple */
+	unsigned char buf[DNS_NAME_MAXWIRE];
+};
+
+/*
+ * Write diff generated in syncptr() to reverse zone.
+ *
+ * This function will be called asynchronously and syncptr() will not get
+ * any result from it.
+ *
+ */
+static void
+syncptr_write(isc_task_t *task, isc_event_t *event) {
+	syncptrevent_t *pevent = (syncptrevent_t *)event;
+	dns_dbversion_t *version = NULL;
+	dns_db_t *db = NULL;
+	isc_result_t result;
+
+	REQUIRE(event->ev_type == SYNCPTR_WRITE_EVENT);
+
+	UNUSED(task);
+
+	log_write(ISC_LOG_INFO, "ENTER: syncptr_write");
+
+	result = dns_zone_getdb(pevent->zone, &db);
+	if (result != ISC_R_SUCCESS) {
+		log_write(ISC_LOG_ERROR,
+			  "syncptr_write: dns_zone_getdb -> %s\n",
+			  isc_result_totext(result));
+		goto cleanup;
+	}
+
+	result = dns_db_newversion(db, &version);
+	if (result != ISC_R_SUCCESS) {
+		log_write(ISC_LOG_ERROR,
+			  "syncptr_write: dns_db_newversion -> %s\n",
+			  isc_result_totext(result));
+		goto cleanup;
+	}
+	result = dns_diff_apply(&pevent->diff, db, version);
+	if (result != ISC_R_SUCCESS) {
+		log_write(ISC_LOG_ERROR,
+			  "syncptr_write: dns_diff_apply -> %s\n",
+			  isc_result_totext(result));
+		goto cleanup;
+	}
+
+cleanup:
+	if (db != NULL) {
+		if (version != NULL) {
+			dns_db_closeversion(db, &version, true);
+		}
+		dns_db_detach(&db);
+	}
+	dns_zone_detach(&pevent->zone);
+	dns_diff_clear(&pevent->diff);
+	isc_event_free(&event);
+}
+
+/*
+ * Find a reverse zone for given IP address.
+ *
+ * @param[in]  rdata      IP address as A/AAAA record
+ * @param[out] name       Owner name for the PTR record
+ * @param[out] zone       DNS zone for reverse record matching the IP address
+ *
+ * @retval ISC_R_SUCCESS  DNS name derived from given IP address belongs to an
+ * 			  reverse zone managed by this driver instance.
+ * 			  PTR record synchronization can continue.
+ * @retval ISC_R_NOTFOUND Suitable reverse zone was not found because it
+ * 			  does not exist or is not managed by this driver.
+ */
+static isc_result_t
+syncptr_find_zone(sample_instance_t *inst, dns_rdata_t *rdata, dns_name_t *name,
+		  dns_zone_t **zone) {
+	isc_result_t result;
+	isc_netaddr_t isc_ip; /* internal net address representation */
+	dns_rdata_in_a_t ipv4;
+	dns_rdata_in_aaaa_t ipv6;
+
+	REQUIRE(inst != NULL);
+	REQUIRE(zone != NULL && *zone == NULL);
+
+	switch (rdata->type) {
+	case dns_rdatatype_a:
+		CHECK(dns_rdata_tostruct(rdata, &ipv4, inst->mctx));
+		isc_netaddr_fromin(&isc_ip, &ipv4.in_addr);
+		break;
+
+	case dns_rdatatype_aaaa:
+		CHECK(dns_rdata_tostruct(rdata, &ipv6, inst->mctx));
+		isc_netaddr_fromin6(&isc_ip, &ipv6.in6_addr);
+		break;
+
+	default:
+		fatal_error("unsupported address type 0x%x", rdata->type);
+		break;
+	}
+
+	/*
+	 * Convert IP address to PTR owner name.
+	 *
+	 * @example
+	 * 192.168.0.1 -> 1.0.168.192.in-addr.arpa
+	 */
+	result = dns_byaddr_createptrname(&isc_ip, 0, name);
+	if (result != ISC_R_SUCCESS) {
+		log_write(ISC_LOG_ERROR,
+			  "syncptr_find_zone: dns_byaddr_createptrname -> %s\n",
+			  isc_result_totext(result));
+		goto cleanup;
+	}
+
+	/* Find a zone containing owner name of the PTR record. */
+	result = dns_zt_find(inst->view->zonetable, name, 0, NULL, zone);
+	if (result == DNS_R_PARTIALMATCH) {
+		result = ISC_R_SUCCESS;
+	} else if (result != ISC_R_SUCCESS) {
+		log_write(ISC_LOG_ERROR,
+			  "syncptr_find_zone: dns_zt_find -> %s\n",
+			  isc_result_totext(result));
+		goto cleanup;
+	}
+
+	/* Make sure that the zone is managed by this driver. */
+	if (*zone != inst->zone1 && *zone != inst->zone2) {
+		dns_zone_detach(zone);
+		log_write(ISC_LOG_INFO, "syncptr_find_zone: zone not managed");
+		result = ISC_R_NOTFOUND;
+	}
+
+cleanup:
+	if (rdata->type == dns_rdatatype_a) {
+		dns_rdata_freestruct(&ipv4);
+	} else {
+		dns_rdata_freestruct(&ipv6);
+	}
+
+	return (result);
+}
+
+/*
+ * Generate update event for PTR record to reflect change in A/AAAA record.
+ *
+ * @pre Reverse zone is managed by this driver.
+ *
+ * @param[in]  a_name  DNS domain of modified A/AAAA record
+ * @param[in]  af      Address family
+ * @param[in]  ip_str  IP address as a string (IPv4 or IPv6)
+ * @param[in]  mod_op  LDAP_MOD_DELETE if A/AAAA record is being deleted
+ *                     or LDAP_MOD_ADD if A/AAAA record is being added.
+ *
+ * @retval ISC_R_SUCCESS Event for PTR record update was generated and send.
+ *                       Change to reverse zone will be done asynchronously.
+ * @retval other	 Synchronization failed - reverse doesn't exist,
+ * 			 is not managed by this driver instance,
+ * 			 memory allocation error, etc.
+ */
+static isc_result_t
+syncptr(sample_instance_t *inst, dns_name_t *name, dns_rdata_t *addr_rdata,
+	dns_ttl_t ttl, dns_diffop_t op) {
+	isc_result_t result;
+	isc_mem_t *mctx = inst->mctx;
+	dns_fixedname_t ptr_name;
+	dns_zone_t *ptr_zone = NULL;
+	dns_rdata_ptr_t ptr_struct;
+	dns_rdata_t ptr_rdata = DNS_RDATA_INIT;
+	dns_difftuple_t *tp = NULL;
+	isc_task_t *task = NULL;
+	syncptrevent_t *pevent = NULL;
+
+	dns_fixedname_init(&ptr_name);
+	DNS_RDATACOMMON_INIT(&ptr_struct, dns_rdatatype_ptr, dns_rdataclass_in);
+	dns_name_init(&ptr_struct.ptr, NULL);
+
+	pevent = (syncptrevent_t *)isc_event_allocate(
+		inst->mctx, inst, SYNCPTR_WRITE_EVENT, syncptr_write, NULL,
+		sizeof(syncptrevent_t));
+	isc_buffer_init(&pevent->b, pevent->buf, sizeof(pevent->buf));
+	dns_fixedname_init(&pevent->ptr_target_name);
+
+	/* Check if reverse zone is managed by this driver */
+	result = syncptr_find_zone(inst, addr_rdata,
+				   dns_fixedname_name(&ptr_name), &ptr_zone);
+	if (result != ISC_R_SUCCESS) {
+		log_error_r("PTR record synchronization skipped: reverse zone "
+			    "is not managed by driver instance '%s'",
+			    inst->db_name);
+		goto cleanup;
+	}
+
+	/* Reverse zone is managed by this driver, prepare PTR record */
+	pevent->zone = NULL;
+	dns_zone_attach(ptr_zone, &pevent->zone);
+	dns_name_copynf(name, dns_fixedname_name(&pevent->ptr_target_name));
+	dns_name_clone(dns_fixedname_name(&pevent->ptr_target_name),
+		       &ptr_struct.ptr);
+	dns_diff_init(inst->mctx, &pevent->diff);
+	result = dns_rdata_fromstruct(&ptr_rdata, dns_rdataclass_in,
+				      dns_rdatatype_ptr, &ptr_struct,
+				      &pevent->b);
+	if (result != ISC_R_SUCCESS) {
+		log_write(ISC_LOG_ERROR,
+			  "syncptr: dns_rdata_fromstruct -> %s\n",
+			  isc_result_totext(result));
+		goto cleanup;
+	}
+
+	/* Create diff */
+	result = dns_difftuple_create(mctx, op, dns_fixedname_name(&ptr_name),
+				      ttl, &ptr_rdata, &tp);
+	if (result != ISC_R_SUCCESS) {
+		log_write(ISC_LOG_ERROR,
+			  "syncptr: dns_difftuple_create -> %s\n",
+			  isc_result_totext(result));
+		goto cleanup;
+	}
+	dns_diff_append(&pevent->diff, &tp);
+
+	/*
+	 * Send update event to the reverse zone.
+	 * It will be processed asynchronously.
+	 */
+	dns_zone_gettask(ptr_zone, &task);
+	isc_task_send(task, (isc_event_t **)&pevent);
+
+cleanup:
+	if (ptr_zone != NULL) {
+		dns_zone_detach(&ptr_zone);
+	}
+	if (tp != NULL) {
+		dns_difftuple_free(&tp);
+	}
+	if (task != NULL) {
+		isc_task_detach(&task);
+	}
+	if (pevent != NULL) {
+		isc_event_free((isc_event_t **)&pevent);
+	}
+
+	return (result);
+}
+
+/*
+ * Generate update event for every rdata in rdataset.
+ *
+ * @param[in]  name      Owner name for A/AAAA records in rdataset.
+ * @param[in]  rdataset  A/AAAA records.
+ * @param[in]  op	 DNS_DIFFOP_ADD / DNS_DIFFOP_DEL for adding / deleting
+ * 			 the rdata
+ */
+isc_result_t
+syncptrs(sample_instance_t *inst, dns_name_t *name, dns_rdataset_t *rdataset,
+	 dns_diffop_t op) {
+	isc_result_t result;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+
+	for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(rdataset))
+	{
+		dns_rdataset_current(rdataset, &rdata);
+		result = syncptr(inst, name, &rdata, rdataset->ttl, op);
+		if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
+			goto cleanup;
+		}
+	}
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+	}
+
+cleanup:
+	return (result);
+}
diff --git a/bin/tests/system/dyndb/driver/syncptr.h b/bin/tests/system/dyndb/driver/syncptr.h
new file mode 100644
index 0000000..91edee1
--- /dev/null
+++ b/bin/tests/system/dyndb/driver/syncptr.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) Red Hat
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND AUTHORS DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Sync PTR records
+ */
+
+#pragma once
+
+#include <isc/result.h>
+
+#include <dns/diff.h>
+#include <dns/name.h>
+#include <dns/rdataset.h>
+
+#include "instance.h"
+
+isc_result_t
+syncptrs(sample_instance_t *inst, dns_name_t *name, dns_rdataset_t *rdataset,
+	 dns_diffop_t op);
diff --git a/bin/tests/system/dyndb/driver/util.h b/bin/tests/system/dyndb/driver/util.h
new file mode 100644
index 0000000..1e43e05
--- /dev/null
+++ b/bin/tests/system/dyndb/driver/util.h
@@ -0,0 +1,85 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) Red Hat
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND AUTHORS DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Memory allocation and error handling utilities.
+ */
+
+#ifndef _LD_UTIL_H_
+#define _LD_UTIL_H_
+
+#include <isc/mem.h>
+
+#include <dns/types.h>
+
+#include "log.h"
+
+#define CLEANUP_WITH(result_code)       \
+	do {                            \
+		result = (result_code); \
+		goto cleanup;           \
+	} while (0)
+
+#define CHECK(op)                            \
+	do {                                 \
+		result = (op);               \
+		if (result != ISC_R_SUCCESS) \
+			goto cleanup;        \
+	} while (0)
+
+#define CHECKED_MEM_GET(m, target_ptr, s)                      \
+	do {                                                   \
+		(target_ptr) = isc_mem_get((m), (s));          \
+		if ((target_ptr) == NULL) {                    \
+			result = ISC_R_NOMEMORY;               \
+			log_error("Memory allocation failed"); \
+			goto cleanup;                          \
+		}                                              \
+	} while (0)
+
+#define CHECKED_MEM_GET_PTR(m, target_ptr) \
+	CHECKED_MEM_GET(m, target_ptr, sizeof(*(target_ptr)))
+
+#define CHECKED_MEM_STRDUP(m, source, target)                  \
+	do {                                                   \
+		(target) = isc_mem_strdup((m), (source));      \
+		if ((target) == NULL) {                        \
+			result = ISC_R_NOMEMORY;               \
+			log_error("Memory allocation failed"); \
+			goto cleanup;                          \
+		}                                              \
+	} while (0)
+
+#define ZERO_PTR(ptr) memset((ptr), 0, sizeof(*(ptr)))
+
+#define MEM_PUT_AND_DETACH(target_ptr)                        \
+	isc_mem_putanddetach(&(target_ptr)->mctx, target_ptr, \
+			     sizeof(*(target_ptr)))
+
+#endif /* !_LD_UTIL_H_ */
diff --git a/bin/tests/system/dyndb/driver/zone.c b/bin/tests/system/dyndb/driver/zone.c
new file mode 100644
index 0000000..7f6e1db
--- /dev/null
+++ b/bin/tests/system/dyndb/driver/zone.c
@@ -0,0 +1,265 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) Red Hat
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND AUTHORS DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Zone management.
+ */
+
+#include "zone.h"
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/util.h>
+
+#include <dns/dyndb.h>
+#include <dns/view.h>
+#include <dns/zone.h>
+
+#include "instance.h"
+#include "lock.h"
+#include "log.h"
+#include "util.h"
+
+extern const char *impname;
+
+/*
+ * Create a new zone with origin 'name'. The zone stay invisible to clients
+ * until it is explicitly added to a view.
+ */
+isc_result_t
+create_zone(sample_instance_t *const inst, dns_name_t *const name,
+	    dns_zone_t **const rawp) {
+	isc_result_t result;
+	dns_zone_t *raw = NULL;
+	const char *zone_argv[1];
+	char zone_name[DNS_NAME_FORMATSIZE];
+	dns_acl_t *acl_any = NULL;
+
+	REQUIRE(inst != NULL);
+	REQUIRE(name != NULL);
+	REQUIRE(rawp != NULL && *rawp == NULL);
+
+	zone_argv[0] = inst->db_name;
+
+	result = dns_zone_create(&raw, inst->mctx);
+	if (result != ISC_R_SUCCESS) {
+		log_write(ISC_LOG_ERROR, "create_zone: dns_zone_create -> %s\n",
+			  isc_result_totext(result));
+		goto cleanup;
+	}
+	result = dns_zone_setorigin(raw, name);
+	if (result != ISC_R_SUCCESS) {
+		log_write(ISC_LOG_ERROR,
+			  "create_zone: dns_zone_setorigin -> %s\n",
+			  isc_result_totext(result));
+		goto cleanup;
+	}
+	dns_zone_setclass(raw, dns_rdataclass_in);
+	dns_zone_settype(raw, dns_zone_primary);
+	dns_zone_setdbtype(raw, 1, zone_argv);
+
+	result = dns_zonemgr_managezone(inst->zmgr, raw);
+	if (result != ISC_R_SUCCESS) {
+		log_write(ISC_LOG_ERROR,
+			  "create_zone: dns_zonemgr_managezone -> %s\n",
+			  isc_result_totext(result));
+		goto cleanup;
+	}
+
+	/* This is completely insecure - use some sensible values instead! */
+	result = dns_acl_any(inst->mctx, &acl_any);
+	if (result != ISC_R_SUCCESS) {
+		log_write(ISC_LOG_ERROR, "create_zone: dns_acl_any -> %s\n",
+			  isc_result_totext(result));
+		goto cleanup;
+	}
+	dns_zone_setupdateacl(raw, acl_any);
+	dns_zone_setqueryacl(raw, acl_any);
+	dns_zone_setxfracl(raw, acl_any);
+	dns_acl_detach(&acl_any);
+
+	*rawp = raw;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	dns_name_format(name, zone_name, DNS_NAME_FORMATSIZE);
+	log_error_r("failed to create new zone '%s'", zone_name);
+
+	if (raw != NULL) {
+		if (dns_zone_getmgr(raw) != NULL) {
+			dns_zonemgr_releasezone(inst->zmgr, raw);
+		}
+		dns_zone_detach(&raw);
+	}
+	if (acl_any != NULL) {
+		dns_acl_detach(&acl_any);
+	}
+
+	return (result);
+}
+
+/*
+ * Add zone to the view defined in inst->view. This will make the zone visible
+ * to clients.
+ */
+static isc_result_t
+publish_zone(sample_instance_t *inst, dns_zone_t *zone) {
+	isc_result_t result;
+	bool freeze = false;
+	dns_zone_t *zone_in_view = NULL;
+	dns_view_t *view_in_zone = NULL;
+	isc_result_t lock_state = ISC_R_IGNORE;
+
+	REQUIRE(inst != NULL);
+	REQUIRE(zone != NULL);
+
+	/* Return success if the zone is already in the view as expected. */
+	result = dns_view_findzone(inst->view, dns_zone_getorigin(zone),
+				   &zone_in_view);
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
+		goto cleanup;
+	}
+
+	view_in_zone = dns_zone_getview(zone);
+	if (view_in_zone != NULL) {
+		/* Zone has a view set -> view should contain the same zone. */
+		if (zone_in_view == zone) {
+			/* Zone is already published in the right view. */
+			CLEANUP_WITH(ISC_R_SUCCESS);
+		} else if (view_in_zone != inst->view) {
+			/*
+			 * Un-published inactive zone will have
+			 * inst->view in zone but will not be present
+			 * in the view itself.
+			 */
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "zone->view doesn't "
+				     "match data in the view");
+			CLEANUP_WITH(ISC_R_UNEXPECTED);
+		}
+	}
+
+	if (zone_in_view != NULL) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "cannot publish zone: view already "
+			     "contains another zone with this name");
+		CLEANUP_WITH(ISC_R_UNEXPECTED);
+	}
+
+	run_exclusive_enter(inst, &lock_state);
+	if (inst->view->frozen) {
+		freeze = true;
+		dns_view_thaw(inst->view);
+	}
+
+	dns_zone_setview(zone, inst->view);
+	result = dns_view_addzone(inst->view, zone);
+	if (result != ISC_R_SUCCESS) {
+		log_write(ISC_LOG_ERROR,
+			  "publish_zone: dns_view_addzone -> %s\n",
+			  isc_result_totext(result));
+		goto cleanup;
+	}
+
+cleanup:
+	if (zone_in_view != NULL) {
+		dns_zone_detach(&zone_in_view);
+	}
+	if (freeze) {
+		dns_view_freeze(inst->view);
+	}
+	run_exclusive_exit(inst, lock_state);
+
+	return (result);
+}
+
+/*
+ * @warning Never call this on raw part of in-line secure zone, call it only
+ * on the secure zone!
+ */
+static isc_result_t
+load_zone(dns_zone_t *zone) {
+	isc_result_t result;
+	bool zone_dynamic;
+	uint32_t serial;
+
+	result = dns_zone_load(zone, false);
+	if (result != ISC_R_SUCCESS && result != DNS_R_UPTODATE &&
+	    result != DNS_R_DYNAMIC && result != DNS_R_CONTINUE)
+	{
+		goto cleanup;
+	}
+	zone_dynamic = (result == DNS_R_DYNAMIC);
+
+	result = dns_zone_getserial(zone, &serial);
+	if (result != ISC_R_SUCCESS) {
+		log_write(ISC_LOG_ERROR,
+			  "load_zone: dns_zone_getserial -> %s\n",
+			  isc_result_totext(result));
+		goto cleanup;
+	}
+	dns_zone_log(zone, ISC_LOG_INFO, "loaded serial %u", serial);
+
+	if (zone_dynamic) {
+		dns_zone_notify(zone);
+	}
+
+cleanup:
+	return (result);
+}
+
+/*
+ * Add zone to view and call dns_zone_load().
+ */
+isc_result_t
+activate_zone(sample_instance_t *inst, dns_zone_t *raw) {
+	isc_result_t result;
+
+	/*
+	 * Zone has to be published *before* zone load
+	 * otherwise it will race with zone->view != NULL check
+	 * in zone_maintenance() in zone.c.
+	 */
+	result = publish_zone(inst, raw);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(raw, ISC_LOG_ERROR, "cannot add zone to view: %s",
+			     dns_result_totext(result));
+		goto cleanup;
+	}
+
+	result = load_zone(raw);
+	if (result != ISC_R_SUCCESS) {
+		log_write(ISC_LOG_ERROR, "activate_zone: load_zone -> %s\n",
+			  isc_result_totext(result));
+		goto cleanup;
+	}
+
+cleanup:
+	return (result);
+}
diff --git a/bin/tests/system/dyndb/driver/zone.h b/bin/tests/system/dyndb/driver/zone.h
new file mode 100644
index 0000000..85575a0
--- /dev/null
+++ b/bin/tests/system/dyndb/driver/zone.h
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) Red Hat
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the
+ * above copyright notice and this permission notice appear in all
+ * copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND STICHTING NLNET
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ * STICHTING NLNET BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+ * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+ * OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
+ * USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#pragma once
+
+#include <isc/result.h>
+
+#include <dns/name.h>
+
+#include "instance.h"
+
+isc_result_t
+create_zone(sample_instance_t *const inst, dns_name_t *const name,
+	    dns_zone_t **const rawp);
+
+isc_result_t
+activate_zone(sample_instance_t *inst, dns_zone_t *raw);
diff --git a/bin/tests/system/dyndb/ns1/named.conf.in b/bin/tests/system/dyndb/ns1/named.conf.in
new file mode 100644
index 0000000..279d0ed
--- /dev/null
+++ b/bin/tests/system/dyndb/ns1/named.conf.in
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+controls { };
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	session-keyfile "session.key";
+	listen-on { 10.53.0.1; 127.0.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+dyndb sample "../driver/lib/sample.so" { ipv4.example.nil. in-addr.arpa. };
+dyndb sample2 "../driver/lib/sample.so" { ipv6.example.nil. 8.b.d.0.1.0.0.2.ip6.arpa. };
diff --git a/bin/tests/system/dyndb/prereq.sh b/bin/tests/system/dyndb/prereq.sh
new file mode 100644
index 0000000..3140d14
--- /dev/null
+++ b/bin/tests/system/dyndb/prereq.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$FEATURETEST --have-dlopen ||  {
+        echo_i "dlopen() not supported - skipping dyndb test"
+        exit 255
+}
+
+$FEATURETEST --tsan &&  {
+        echo_i "TSAN - skipping dyndb test"
+        exit 255
+}
+
+exit 0
diff --git a/bin/tests/system/dyndb/setup.sh b/bin/tests/system/dyndb/setup.sh
new file mode 100644
index 0000000..e46affa
--- /dev/null
+++ b/bin/tests/system/dyndb/setup.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
diff --git a/bin/tests/system/dyndb/tests.sh b/bin/tests/system/dyndb/tests.sh
new file mode 100644
index 0000000..2bc54a7
--- /dev/null
+++ b/bin/tests/system/dyndb/tests.sh
@@ -0,0 +1,165 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=0
+
+DIGOPTS="@10.53.0.1 -p ${PORT}"
+RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
+
+newtest() {
+	n=`expr $n + 1`
+	echo_i "${1} (${n})"
+	ret=0
+}
+
+test_add() {
+    host="$1"
+    type="$2"
+    ip="$3"
+
+    cat <<EOF > ns1/update.txt
+server 10.53.0.1 ${PORT}
+ttl 86400
+update add $host $type $ip
+send
+EOF
+
+    newtest "adding $host $type $ip"
+    $NSUPDATE ns1/update.txt > /dev/null 2>&1 || {
+	[ "$should_fail" ] || \
+	     echo_i "update failed for $host $type $ip"
+	return 1
+    }
+
+    out=`$DIG $DIGOPTS +noall +answer -t $type -q $host`
+    echo $out > added.a.out.$n
+    lines=`echo "$out" | grep "$ip" | wc -l`
+    [ $lines -eq 1 ] || {
+	[ "$should_fail" ] || \
+	    echo_i "dig output incorrect for $host $type $cmd: $out"
+	return 1
+    }
+
+    for i in 1 2 3 4 5 6 7 8 9 10
+    do
+	out=`$DIG $DIGOPTS +noall +answer -x $ip`
+	echo $out > added.ptr.out.$n
+	lines=`echo "$out" | grep "$host" | wc -l`
+	[ $lines -eq 1 ] && break;
+	$PERL -e 'select(undef, undef, undef, 0.1);'
+    done
+    [ $lines -eq 1 ] || {
+	[ "$should_fail" ] || \
+	    echo_i "dig reverse output incorrect for $host $type $cmd: $out"
+	return 1
+    }
+
+    return 0
+}
+
+test_del() {
+    host="$1"
+    type="$2"
+
+    ip=`$DIG $DIGOPTS +short $host $type`
+
+    cat <<EOF > ns1/update.txt
+server 10.53.0.1 ${PORT}
+update del $host $type
+send
+EOF
+
+    newtest "deleting $host $type (was $ip)"
+    $NSUPDATE ns1/update.txt > /dev/null 2>&1 || {
+	[ "$should_fail" ] || \
+	     echo_i "update failed deleting $host $type"
+	return 1
+    }
+
+    out=`$DIG $DIGOPTS +noall +answer -t $type -q $host`
+    echo $out > deleted.a.out.$n
+    lines=`echo "$out" | grep "$ip" | wc -l`
+    [ $lines -eq 0 ] || {
+	[ "$should_fail" ] || \
+	    echo_i "dig output incorrect for $host $type $cmd: $out"
+	return 1
+    }
+
+    for i in 1 2 3 4 5 6 7 8 9 10
+    do
+	out=`$DIG $DIGOPTS +noall +answer -x $ip`
+	echo $out > deleted.ptr.out.$n
+	lines=`echo "$out" | grep "$host" | wc -l`
+	[ $lines -eq 0 ] && break
+	$PERL -e 'select(undef, undef, undef, 0.1);'
+    done
+    [ $lines -eq 0 ] || {
+	[ "$should_fail" ] || \
+	    echo_i "dig reverse output incorrect for $host $type $cmd: $out"
+	return 1
+    }
+
+    return 0
+}
+
+test_add test1.ipv4.example.nil. A "10.53.0.10" || ret=1
+status=`expr $status + $ret`
+
+test_add test2.ipv4.example.nil. A "10.53.0.11" || ret=1
+status=`expr $status + $ret`
+
+test_add test3.ipv4.example.nil. A "10.53.0.12" || ret=1
+status=`expr $status + $ret`
+
+test_add test4.ipv6.example.nil. AAAA "2001:db8::1" || ret=1
+status=`expr $status + $ret`
+
+test_del test1.ipv4.example.nil. A || ret=1
+status=`expr $status + $ret`
+
+test_del test2.ipv4.example.nil. A || ret=1
+status=`expr $status + $ret`
+
+test_del test3.ipv4.example.nil. A || ret=1
+status=`expr $status + $ret`
+
+test_del test4.ipv6.example.nil. AAAA || ret=1
+status=`expr $status + $ret`
+
+newtest "checking parameter logging"
+grep "loading params for dyndb 'sample' from .*named.conf:" ns1/named.run > /dev/null || ret=1
+grep "loading params for dyndb 'sample2' from .*named.conf:" ns1/named.run > /dev/null || ret=1
+[ $ret -eq 1 ] && echo_i "failed"
+status=`expr $status + $ret`
+
+echo_i "checking dyndb still works after reload"
+rndc_reload ns1 10.53.0.1
+
+test_add test5.ipv4.example.nil. A "10.53.0.10" || ret=1
+status=`expr $status + $ret`
+
+test_add test6.ipv6.example.nil. AAAA "2001:db8::1" || ret=1
+status=`expr $status + $ret`
+
+test_del test5.ipv4.example.nil. A || ret=1
+status=`expr $status + $ret`
+
+test_del test6.ipv6.example.nil. AAAA || ret=1
+status=`expr $status + $ret`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/ecdsa/clean.sh b/bin/tests/system/ecdsa/clean.sh
new file mode 100644
index 0000000..a5fa815
--- /dev/null
+++ b/bin/tests/system/ecdsa/clean.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f */K* */dsset-* */*.signed
+rm -f dig.out*
+rm -f ns*/named.run
+rm -f ns*/named.memstats
+rm -f ns*/named.lock
+rm -f ns*/named.conf
+rm -f ns*/managed-keys.bind*
+rm -f ns*/root.db
+rm -f ns*/signer.err
+rm -f ns*/trusted.conf
+rm -f *-supported.file
diff --git a/bin/tests/system/ecdsa/ns1/named.conf.in b/bin/tests/system/ecdsa/ns1/named.conf.in
new file mode 100644
index 0000000..da27c58
--- /dev/null
+++ b/bin/tests/system/ecdsa/ns1/named.conf.in
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	dnssec-validation yes;
+};
+
+zone "." {
+	type primary;
+	file "root.db.signed";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/ecdsa/ns1/root.db.in b/bin/tests/system/ecdsa/ns1/root.db.in
new file mode 100644
index 0000000..3bff1d1
--- /dev/null
+++ b/bin/tests/system/ecdsa/ns1/root.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. 			IN SOA	fdupont.isc.org. a.root.servers.nil. (
+				2012040600   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
diff --git a/bin/tests/system/ecdsa/ns1/sign.sh b/bin/tests/system/ecdsa/ns1/sign.sh
new file mode 100644
index 0000000..8c829bb
--- /dev/null
+++ b/bin/tests/system/ecdsa/ns1/sign.sh
@@ -0,0 +1,56 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=.
+infile=root.db.in
+zonefile=root.db
+
+echo_i "ns1/sign.sh"
+
+cp $infile $zonefile
+
+if [ -f ../ecdsa256-supported.file ]; then
+	zsk256=$($KEYGEN -q -a ECDSA256 -n zone "$zone")
+	ksk256=$($KEYGEN -q -a ECDSA256 -n zone -f KSK "$zone")
+	cat "$ksk256.key" "$zsk256.key" >> "$zonefile"
+	$DSFROMKEY -a sha-256 "$ksk256.key" >> dsset-256
+fi
+
+if [ -f ../ecdsa384-supported.file ]; then
+	zsk384=$($KEYGEN -q -a ECDSA384 -n zone "$zone")
+	ksk384=$($KEYGEN -q -a ECDSA384 -n zone -f KSK "$zone")
+	cat "$ksk384.key" "$zsk384.key" >> "$zonefile"
+	$DSFROMKEY -a sha-256 "$ksk384.key" >> dsset-256
+fi
+
+# Configure the resolving server with a static key.
+if [ -f ../ecdsa256-supported.file ]; then
+	keyfile_to_static_ds $ksk256 > trusted.conf
+	cp trusted.conf ../ns2/trusted.conf
+else
+	keyfile_to_static_ds $ksk384 > trusted.conf
+	cp trusted.conf ../ns2/trusted.conf
+fi
+
+if [ -f ../ecdsa384-supported.file ]; then
+	keyfile_to_static_ds $ksk384 > trusted.conf
+	cp trusted.conf ../ns3/trusted.conf
+else
+	keyfile_to_static_ds $ksk256 > trusted.conf
+	cp trusted.conf ../ns3/trusted.conf
+fi
+
+$SIGNER -P -g -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err
diff --git a/bin/tests/system/ecdsa/ns2/named.conf.in b/bin/tests/system/ecdsa/ns2/named.conf.in
new file mode 100644
index 0000000..fd125d3
--- /dev/null
+++ b/bin/tests/system/ecdsa/ns2/named.conf.in
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+	dnssec-validation yes;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/ecdsa/ns3/named.conf.in b/bin/tests/system/ecdsa/ns3/named.conf.in
new file mode 100644
index 0000000..f1a80b6
--- /dev/null
+++ b/bin/tests/system/ecdsa/ns3/named.conf.in
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+	dnssec-validation yes;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/ecdsa/setup.sh b/bin/tests/system/ecdsa/setup.sh
new file mode 100644
index 0000000..a0eba63
--- /dev/null
+++ b/bin/tests/system/ecdsa/setup.sh
@@ -0,0 +1,33 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+set -e
+
+if $SHELL ../testcrypto.sh ecdsap256sha256; then
+	echo "yes" > ecdsa256-supported.file
+fi
+
+if $SHELL ../testcrypto.sh ecdsap384sha384; then
+	echo "yes" > ecdsa384-supported.file
+fi
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+(
+	cd ns1
+	$SHELL sign.sh
+)
diff --git a/bin/tests/system/ecdsa/tests.sh b/bin/tests/system/ecdsa/tests.sh
new file mode 100644
index 0000000..7f3bfcf
--- /dev/null
+++ b/bin/tests/system/ecdsa/tests.sh
@@ -0,0 +1,53 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=0
+
+dig_with_opts() {
+    "$DIG" +tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
+}
+
+if [ -f ecdsa256-supported.file ]; then
+	n=$((n+1))
+	echo_i "checking that ECDSA256 positive validation works ($n)"
+	ret=0
+	dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1
+	dig_with_opts . @10.53.0.2 soa > dig.out.ns2.test$n || ret=1
+	$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1
+	grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=$((status+ret))
+else
+	echo_i "algorithm ECDSA256 not supported, skipping test"
+fi
+
+if [ -f ecdsa384-supported.file ]; then
+	n=$((n+1))
+	echo_i "checking that ECDSA384 positive validation works ($n)"
+	ret=0
+	dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1
+	dig_with_opts . @10.53.0.3 soa > dig.out.ns3.test$n || ret=1
+	$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns3.test$n || ret=1
+	grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=$((status+ret))
+else
+	echo_i "algorithm ECDSA384 not supported, skipping test"
+fi
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/eddsa/clean.sh b/bin/tests/system/eddsa/clean.sh
new file mode 100644
index 0000000..48c4d81
--- /dev/null
+++ b/bin/tests/system/eddsa/clean.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f */K* */dsset-* */*.signed
+rm -f dig.out*
+rm -f ns*/root.db
+rm -f ns*/signer.err
+rm -f ns*/named.run
+rm -f ns*/named.memstats
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind*
+rm -f ns*/trusted.conf
+rm -f ns*/example.com.db
+rm -f ns*/named.conf
+rm -f *-supported.file
diff --git a/bin/tests/system/eddsa/ns1/named.conf.in b/bin/tests/system/eddsa/ns1/named.conf.in
new file mode 100644
index 0000000..da27c58
--- /dev/null
+++ b/bin/tests/system/eddsa/ns1/named.conf.in
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	dnssec-validation yes;
+};
+
+zone "." {
+	type primary;
+	file "root.db.signed";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/eddsa/ns1/root.db.in b/bin/tests/system/eddsa/ns1/root.db.in
new file mode 100644
index 0000000..3bff1d1
--- /dev/null
+++ b/bin/tests/system/eddsa/ns1/root.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. 			IN SOA	fdupont.isc.org. a.root.servers.nil. (
+				2012040600   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
diff --git a/bin/tests/system/eddsa/ns1/sign.sh b/bin/tests/system/eddsa/ns1/sign.sh
new file mode 100644
index 0000000..148e475
--- /dev/null
+++ b/bin/tests/system/eddsa/ns1/sign.sh
@@ -0,0 +1,56 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=.
+infile=root.db.in
+zonefile=root.db
+
+echo_i "ns1/sign.sh"
+
+cp $infile $zonefile
+
+if [ -f ../ed25519-supported.file ]; then
+	zsk25519=$($KEYGEN -q -a ED25519 -n zone "$zone")
+	ksk25519=$($KEYGEN -q -a ED25519 -n zone -f KSK "$zone")
+	cat "$ksk25519.key" "$zsk25519.key" >> "$zonefile"
+	$DSFROMKEY -a sha-256 "$ksk25519.key" >> dsset-256
+fi
+
+if [ -f ../ed448-supported.file ]; then
+	zsk448=$($KEYGEN -q -a ED448 -n zone "$zone")
+	ksk448=$($KEYGEN -q -a ED448 -n zone -f KSK "$zone")
+	cat "$ksk448.key" "$zsk448.key" >> "$zonefile"
+	$DSFROMKEY -a sha-256 "$ksk448.key" >> dsset-256
+fi
+
+# Configure the resolving server with a static key.
+if [ -f ../ed25519-supported.file ]; then
+	keyfile_to_static_ds $ksk25519 > trusted.conf
+	cp trusted.conf ../ns2/trusted.conf
+else
+	keyfile_to_static_ds $ksk448 > trusted.conf
+	cp trusted.conf ../ns2/trusted.conf
+fi
+
+if [ -f ../ed448-supported.file ]; then
+	keyfile_to_static_ds $ksk448 > trusted.conf
+	cp trusted.conf ../ns3/trusted.conf
+else
+	keyfile_to_static_ds $ksk25519 > trusted.conf
+	cp trusted.conf ../ns3/trusted.conf
+fi
+
+$SIGNER -P -g -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err
diff --git a/bin/tests/system/eddsa/ns2/Xexample.com.+015+03613.key b/bin/tests/system/eddsa/ns2/Xexample.com.+015+03613.key
new file mode 100644
index 0000000..ff6d5bf
--- /dev/null
+++ b/bin/tests/system/eddsa/ns2/Xexample.com.+015+03613.key
@@ -0,0 +1 @@
+example.com. IN DNSKEY 257 3 15 l02Woi0iS8Aa25FQkUd9RMzZHJpBoRQwAQEX1SxZJA4=
diff --git a/bin/tests/system/eddsa/ns2/Xexample.com.+015+03613.private b/bin/tests/system/eddsa/ns2/Xexample.com.+015+03613.private
new file mode 100644
index 0000000..788b2d7
--- /dev/null
+++ b/bin/tests/system/eddsa/ns2/Xexample.com.+015+03613.private
@@ -0,0 +1,4 @@
+Private-key-format: v1.2
+Algorithm: 15 (ED25519)
+PrivateKey: ODIyNjAzODQ2MjgwODAxMjI2NDUxOTAyMDQxNDIyNjI=
+
diff --git a/bin/tests/system/eddsa/ns2/Xexample.com.+015+35217.key b/bin/tests/system/eddsa/ns2/Xexample.com.+015+35217.key
new file mode 100644
index 0000000..71e4620
--- /dev/null
+++ b/bin/tests/system/eddsa/ns2/Xexample.com.+015+35217.key
@@ -0,0 +1 @@
+example.com. IN DNSKEY 257 3 15 zPnZ/QwEe7S8C5SPz2OfS5RR40ATk2/rYnE9xHIEijs=
diff --git a/bin/tests/system/eddsa/ns2/Xexample.com.+015+35217.private b/bin/tests/system/eddsa/ns2/Xexample.com.+015+35217.private
new file mode 100644
index 0000000..78ec36d
--- /dev/null
+++ b/bin/tests/system/eddsa/ns2/Xexample.com.+015+35217.private
@@ -0,0 +1,3 @@
+Private-key-format: v1.2
+Algorithm: 15 (ED25519)
+PrivateKey: DSSF3o0s0f+ElWzj9E/Osxw8hLpk55chkmx0LYN5WiY=
diff --git a/bin/tests/system/eddsa/ns2/example.com.db.in b/bin/tests/system/eddsa/ns2/example.com.db.in
new file mode 100644
index 0000000..0ecda67
--- /dev/null
+++ b/bin/tests/system/eddsa/ns2/example.com.db.in
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@			IN SOA	fdupont.isc.org. ns.example.com. (
+				2012040600	; serial
+				600		; refresh
+				600		; retry
+				1200		; expire
+				3600		; minimum
+				)
+			MX	10 mail.example.com.
+			NS	ns.example.com.
+ns.example.com.		A	10.53.0.2
diff --git a/bin/tests/system/eddsa/ns2/named.conf.in b/bin/tests/system/eddsa/ns2/named.conf.in
new file mode 100644
index 0000000..fd125d3
--- /dev/null
+++ b/bin/tests/system/eddsa/ns2/named.conf.in
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+	dnssec-validation yes;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/eddsa/ns2/sign.sh b/bin/tests/system/eddsa/ns2/sign.sh
new file mode 100644
index 0000000..09bfb93
--- /dev/null
+++ b/bin/tests/system/eddsa/ns2/sign.sh
@@ -0,0 +1,37 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=example.com.
+infile=example.com.db.in
+zonefile=example.com.db
+starttime=20150729220000
+endtime=20150819220000
+
+echo_i "ns2/sign.sh"
+
+cp $infile $zonefile
+
+if [ -f ../ed25519-supported.file ]; then
+
+	for i in Xexample.com.+015+03613 Xexample.com.+015+35217
+	do
+		cp "$i.key" "$(echo $i.key | sed s/X/K/)"
+		cp "$i.private" "$(echo $i.private | sed s/X/K/)"
+		cat "$(echo $i.key | sed s/X/K/)" >> "$zonefile"
+	done
+fi
+
+$SIGNER -P -z -s $starttime -e $endtime -o $zone $zonefile > /dev/null 2> signer.err || cat signer.err
diff --git a/bin/tests/system/eddsa/ns3/Xexample.com.+016+09713.key b/bin/tests/system/eddsa/ns3/Xexample.com.+016+09713.key
new file mode 100644
index 0000000..5c4628f
--- /dev/null
+++ b/bin/tests/system/eddsa/ns3/Xexample.com.+016+09713.key
@@ -0,0 +1 @@
+example.com. IN DNSKEY 257 3 16 3kgROaDjrh0H2iuixWBrc8g2EpBBLCdGzHmn+G2MpTPhpj/OiBVHHSfPodx1FYYUcJKm1MDpJtIA
diff --git a/bin/tests/system/eddsa/ns3/Xexample.com.+016+09713.private b/bin/tests/system/eddsa/ns3/Xexample.com.+016+09713.private
new file mode 100644
index 0000000..eb065f9
--- /dev/null
+++ b/bin/tests/system/eddsa/ns3/Xexample.com.+016+09713.private
@@ -0,0 +1,3 @@
+Private-key-format: v1.2
+Algorithm: 16 (ED448)
+PrivateKey: xZ+5Cgm463xugtkY5B0Jx6erFTXp13rYegst0qRtNsOYnaVpMx0Z/c5EiA9x8wWbDDct/U3FhYWA
diff --git a/bin/tests/system/eddsa/ns3/Xexample.com.+016+38353.key b/bin/tests/system/eddsa/ns3/Xexample.com.+016+38353.key
new file mode 100644
index 0000000..705856d
--- /dev/null
+++ b/bin/tests/system/eddsa/ns3/Xexample.com.+016+38353.key
@@ -0,0 +1 @@
+example.com. IN DNSKEY 257 3 16 kkreGWoccSDmUBGAe7+zsbG6ZAFQp+syPmYUurBRQc3tDjeMCJcVMRDmgcNLp5HlHAMy12VoISsA
diff --git a/bin/tests/system/eddsa/ns3/Xexample.com.+016+38353.private b/bin/tests/system/eddsa/ns3/Xexample.com.+016+38353.private
new file mode 100644
index 0000000..b512d80
--- /dev/null
+++ b/bin/tests/system/eddsa/ns3/Xexample.com.+016+38353.private
@@ -0,0 +1,3 @@
+Private-key-format: v1.2
+Algorithm: 16 (ED448)
+PrivateKey: WEykD3ht3MHkU8iH4uVOLz8JLwtRBSqiBoM6fF72+Mrp/u5gjxuB1DV6NnPO2BlZdz4hdSTkOdOA
diff --git a/bin/tests/system/eddsa/ns3/example.com.db.in b/bin/tests/system/eddsa/ns3/example.com.db.in
new file mode 100644
index 0000000..9a1aab6
--- /dev/null
+++ b/bin/tests/system/eddsa/ns3/example.com.db.in
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@			IN SOA	fdupont.isc.org. ns.example.com. (
+				2012040600	; serial
+				600		; refresh
+				600		; retry
+				1200		; expire
+				3600		; minimum
+				)
+			MX	10 mail.example.com.
+			NS	ns.example.com.
+ns.example.com.		A	10.53.0.3
diff --git a/bin/tests/system/eddsa/ns3/named.conf.in b/bin/tests/system/eddsa/ns3/named.conf.in
new file mode 100644
index 0000000..f1a80b6
--- /dev/null
+++ b/bin/tests/system/eddsa/ns3/named.conf.in
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+	dnssec-validation yes;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/eddsa/ns3/sign.sh b/bin/tests/system/eddsa/ns3/sign.sh
new file mode 100644
index 0000000..3cb8b45
--- /dev/null
+++ b/bin/tests/system/eddsa/ns3/sign.sh
@@ -0,0 +1,36 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=example.com.
+infile=example.com.db.in
+zonefile=example.com.db
+starttime=20150729220000
+endtime=20150819220000
+
+echo_i "ns3/sign.sh"
+
+cp $infile $zonefile
+
+if [ -f ../ed448-supported.file ]; then
+	for i in Xexample.com.+016+09713 Xexample.com.+016+38353
+	do
+		cp "$i.key" "$(echo $i.key | sed s/X/K/)"
+		cp "$i.private" "$(echo $i.private | sed s/X/K/)"
+		cat "$(echo $i.key | sed s/X/K/)" >> "$zonefile"
+	done
+fi
+
+$SIGNER -P -z -s "$starttime" -e "$endtime" -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err
diff --git a/bin/tests/system/eddsa/prereq.sh b/bin/tests/system/eddsa/prereq.sh
new file mode 100644
index 0000000..a1a16ae
--- /dev/null
+++ b/bin/tests/system/eddsa/prereq.sh
@@ -0,0 +1,25 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+supported=0
+if $SHELL ../testcrypto.sh ed25519; then
+	supported=1
+fi
+if $SHELL ../testcrypto.sh ed448; then
+	supported=1
+fi
+
+[ "$supported" -eq 1 ] || exit 1
diff --git a/bin/tests/system/eddsa/setup.sh b/bin/tests/system/eddsa/setup.sh
new file mode 100644
index 0000000..4bac09a
--- /dev/null
+++ b/bin/tests/system/eddsa/setup.sh
@@ -0,0 +1,40 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if $SHELL ../testcrypto.sh ed25519; then
+	echo "yes" > ed25519-supported.file
+fi
+
+if $SHELL ../testcrypto.sh ed448; then
+	echo "yes" > ed448-supported.file
+fi
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+
+(
+	cd ns1
+	$SHELL sign.sh
+)
+(
+	cd ns2
+	$SHELL sign.sh
+)
+(
+	cd ns3
+	$SHELL sign.sh
+)
diff --git a/bin/tests/system/eddsa/tests.sh b/bin/tests/system/eddsa/tests.sh
new file mode 100644
index 0000000..705f5de
--- /dev/null
+++ b/bin/tests/system/eddsa/tests.sh
@@ -0,0 +1,84 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=0
+
+dig_with_opts() {
+    "$DIG" +tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
+}
+
+if [ -f ed25519-supported.file ]; then
+	# Check the example. domain
+	n=$((n+1))
+	echo_i "checking that Ed25519 positive validation works ($n)"
+	ret=0
+	dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1
+	dig_with_opts . @10.53.0.2 soa > dig.out.ns2.test$n || ret=1
+	$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1
+	grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=$((status+ret))
+
+	# Check test vectors (RFC 8080 + errata)
+	n=$((n+1))
+	echo_i "checking that Ed25519 test vectors match ($n)"
+	ret=0
+	grep 'oL9krJun7xfBOIWcGHi7mag5/hdZrKWw15jP' ns2/example.com.db.signed > /dev/null || ret=1
+	grep 'VrbpMngwcrqNAg==' ns2/example.com.db.signed > /dev/null || ret=1
+	grep 'zXQ0bkYgQTEFyfLyi9QoiY6D8ZdYo4wyUhVi' ns2/example.com.db.signed > /dev/null || ret=1
+	grep 'R0O7KuI5k2pcBg==' ns2/example.com.db.signed > /dev/null || ret=1
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=$((status+ret))
+else
+	echo_i "algorithm Ed25519 not supported, skipping vectors match test"
+fi
+
+if [ -f ed448-supported.file ]; then
+	# Check the example. domain
+	n=$((n+1))
+	echo_i "checking that Ed448 positive validation works ($n)"
+	ret=0
+	dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1
+	dig_with_opts . @10.53.0.3 soa > dig.out.ns3.test$n || ret=1
+	$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns3.test$n || ret=1
+	grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=$((status+ret))
+
+	# Check test vectors (RFC 8080 + errata)
+	n=$((n+1))
+	echo_i "checking that Ed448 test vectors match ($n)"
+	ret=0
+	grep '3cPAHkmlnxcDHMyg7vFC34l0blBhuG1qpwLm' ns3/example.com.db.signed > /dev/null || ret=1
+	grep 'jInI8w1CMB29FkEAIJUA0amxWndkmnBZ6SKi' ns3/example.com.db.signed > /dev/null || ret=1
+	grep 'wZSAxGILn/NBtOXft0+Gj7FSvOKxE/07+4RQ' ns3/example.com.db.signed > /dev/null || ret=1
+	grep 'vE581N3Aj/JtIyaiYVdnYtyMWbSNyGEY2213' ns3/example.com.db.signed > /dev/null || ret=1
+	grep 'WKsJlwEA' ns3/example.com.db.signed > /dev/null || ret=1
+
+	grep 'E1/oLjSGIbmLny/4fcgM1z4oL6aqo+izT3ur' ns3/example.com.db.signed > /dev/null || ret=1
+	grep 'CyHyvEp4Sp8Syg1eI+lJ57CSnZqjJP41O/9l' ns3/example.com.db.signed > /dev/null || ret=1
+	grep '4m0AsQ4f7qI1gVnML8vWWiyW2KXhT9kuAICU' ns3/example.com.db.signed > /dev/null || ret=1
+	grep 'Sxv5OWbf81Rq7Yu60npabODB0QFPb/rkW3kU' ns3/example.com.db.signed > /dev/null || ret=1
+	grep 'ZmQ0YQUA' ns3/example.com.db.signed > /dev/null || ret=1
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=$((status+ret))
+else
+	echo_i "algorithm Ed448 not supported, skipping vectors match test"
+fi
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/ednscompliance/clean.sh b/bin/tests/system/ednscompliance/clean.sh
new file mode 100644
index 0000000..ad6176a
--- /dev/null
+++ b/bin/tests/system/ednscompliance/clean.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f dig.out*
+rm -f ns*/named.lock
+rm -f ns*/named.conf
+rm -f ns*/named.run
+rm -f ns*/named.memstats
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/ednscompliance/ns1/named.conf.in b/bin/tests/system/ednscompliance/ns1/named.conf.in
new file mode 100644
index 0000000..07aaf21
--- /dev/null
+++ b/bin/tests/system/ednscompliance/ns1/named.conf.in
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
diff --git a/bin/tests/system/ednscompliance/ns1/root.db b/bin/tests/system/ednscompliance/ns1/root.db
new file mode 100644
index 0000000..f9bfbe9
--- /dev/null
+++ b/bin/tests/system/ednscompliance/ns1/root.db
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. 			IN SOA	marka.isc.org. a.root.servers.nil. (
+				2010   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.6
diff --git a/bin/tests/system/ednscompliance/setup.sh b/bin/tests/system/ednscompliance/setup.sh
new file mode 100644
index 0000000..e46affa
--- /dev/null
+++ b/bin/tests/system/ednscompliance/setup.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
diff --git a/bin/tests/system/ednscompliance/tests.sh b/bin/tests/system/ednscompliance/tests.sh
new file mode 100644
index 0000000..27e46df
--- /dev/null
+++ b/bin/tests/system/ednscompliance/tests.sh
@@ -0,0 +1,113 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="+norec -p ${PORT}"
+
+status=0
+n=0
+zone=.
+
+n=`expr $n + 1`
+echo_i "check +edns=100 sets version 100 ($n)"
+ret=0 reason=
+$DIG $DIGOPTS  @10.53.0.1 +qr +edns=100 soa $zone > dig.out$n
+grep "EDNS: version: 100," dig.out$n > /dev/null || { ret=1; reason="version"; }
+if [ $ret != 0 ]; then echo_i "failed $reason"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+ret=0 reason=
+echo_i "check +ednsopt=100 adds option 100 ($n)"
+$DIG $DIGOPTS  @10.53.0.1 +qr +ednsopt=100 soa $zone > dig.out$n
+grep "; OPT=100" dig.out$n > /dev/null || { ret=1; reason="option"; }
+if [ $ret != 0 ]; then echo_i "failed $reason"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check +ednsflags=0x80 sets flags to 0x0080 ($n)"
+ret=0 reason=
+$DIG $DIGOPTS  @10.53.0.1 +qr +ednsflags=0x80 soa $zone > dig.out$n
+grep "MBZ: 0x0080," dig.out$n > /dev/null || { ret=1; reason="flags"; }
+if [ $ret != 0 ]; then echo_i "failed $reason"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "Unknown EDNS version ($n)"
+ret=0 reason=
+$DIG $DIGOPTS  @10.53.0.1 +edns=100 +noednsnegotiation soa $zone > dig.out$n
+grep "status: BADVERS," dig.out$n > /dev/null || { ret=1; reason="status"; }
+grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; }
+grep "IN.SOA." dig.out$n > /dev/null && { ret=1; reason="soa"; }
+if [ $ret != 0 ]; then echo_i "failed $reason"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "Unknown EDNS option ($n)"
+ret=0 reason=
+$DIG $DIGOPTS  @10.53.0.1 +ednsopt=100 soa $zone > dig.out$n
+grep "status: NOERROR," dig.out$n > /dev/null || { ret=1; reason="status"; }
+grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; }
+grep "; OPT=100" dig.out$n > /dev/null && { ret=1; reason="option"; }
+grep "IN.SOA." dig.out$n > /dev/null || { ret=1; reason="nosoa"; }
+if [ $ret != 0 ]; then echo_i "failed $reason"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "Unknown EDNS version + option ($n)"
+ret=0 reason=
+$DIG $DIGOPTS  @10.53.0.1 +edns=100 +noednsneg +ednsopt=100 soa $zone > dig.out$n
+grep "status: BADVERS," dig.out$n > /dev/null || { ret=1; reason="status"; }
+grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; }
+grep "; OPT=100" dig.out$n > /dev/null && { ret=1; reason="option"; }
+grep "IN.SOA." dig.out$n > /dev/null &&  { ret=1; reason="soa"; }
+if [ $ret != 0 ]; then echo_i "failed: $reason"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+echo_i "Unknown EDNS flag ($n)"
+ret=0 reason=
+$DIG $DIGOPTS  @10.53.0.1 +ednsflags=0x80 soa $zone > dig.out$n
+grep "status: NOERROR," dig.out$n > /dev/null || { ret=1; reason="status"; }
+grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; }
+grep "EDNS:.*MBZ" dig.out$n > /dev/null > /dev/null && { ret=1; reason="mbz"; }
+grep ".IN.SOA." dig.out$n > /dev/null || { ret=1; reason="nosoa"; }
+if [ $ret != 0 ]; then echo_i "failed $reason"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "Unknown EDNS version + flag ($n)"
+ret=0 reason=
+$DIG $DIGOPTS  @10.53.0.1 +edns=100 +noednsneg +ednsflags=0x80 soa $zone > dig.out$n
+grep "status: BADVERS," dig.out$n > /dev/null || { ret=1; reason="status"; }
+grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; }
+grep "EDNS:.*MBZ" dig.out$n > /dev/null > /dev/null && { ret=1; reason="mbz"; }
+grep "IN.SOA." dig.out$n > /dev/null && { ret=1; reason="soa"; }
+if [ $ret != 0 ]; then echo_i "failed $reason"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+echo_i "DiG's EDNS negotiation ($n)"
+ret=0 reason=
+$DIG $DIGOPTS  @10.53.0.1 +edns=100 soa $zone > dig.out$n
+grep "status: NOERROR," dig.out$n > /dev/null || { ret=1; reason="status"; }
+grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; }
+grep "IN.SOA." dig.out$n > /dev/null || { ret=1; reason="soa"; }
+if [ $ret != 0 ]; then echo_i "failed $reason"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/emptyzones/clean.sh b/bin/tests/system/emptyzones/clean.sh
new file mode 100644
index 0000000..c7ff161
--- /dev/null
+++ b/bin/tests/system/emptyzones/clean.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f ns1/named.conf
+rm -f ns*/named.lock
+rm -f ns*/named.run
+rm -f ns*/named.memstats
+rm -f dig.out.test*
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/emptyzones/ns1/empty.db b/bin/tests/system/emptyzones/ns1/empty.db
new file mode 100644
index 0000000..70dbcaf
--- /dev/null
+++ b/bin/tests/system/emptyzones/ns1/empty.db
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 0 SOA . . 0 0 0 0 0
+@ 0 NS .
diff --git a/bin/tests/system/emptyzones/ns1/named1.conf.in b/bin/tests/system/emptyzones/ns1/named1.conf.in
new file mode 100644
index 0000000..2cf1286
--- /dev/null
+++ b/bin/tests/system/emptyzones/ns1/named1.conf.in
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+	algorithm       hmac-sha256;
+	secret          "1234abcd8765";
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.1 dscp 1;
+	notify-source 10.53.0.1 dscp 2;
+	transfer-source 10.53.0.1 dscp 3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion yes;
+	deny-answer-addresses { 192.0.2.0/24; 2001:db8:beef::/48; }
+		 except-from { "example.org"; };
+	deny-answer-aliases { "example.org"; }
+		except-from { "goodcname.example.net";
+			      "gooddname.example.net"; };
+	allow-query {!10.53.0.8; any; };
+};
+
+zone "." {
+	type hint;
+	file "root.hint";
+};
+
+include "rfc1918.zones";
diff --git a/bin/tests/system/emptyzones/ns1/named2.conf.in b/bin/tests/system/emptyzones/ns1/named2.conf.in
new file mode 100644
index 0000000..f62cfc9
--- /dev/null
+++ b/bin/tests/system/emptyzones/ns1/named2.conf.in
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+	algorithm       hmac-sha256;
+	secret          "1234abcd8765";
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.1 dscp 1;
+	notify-source 10.53.0.1 dscp 2;
+	transfer-source 10.53.0.1 dscp 3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion yes;
+	deny-answer-addresses { 192.0.2.0/24; 2001:db8:beef::/48; }
+		 except-from { "example.org"; };
+	deny-answer-aliases { "example.org"; }
+		except-from { "goodcname.example.net";
+			      "gooddname.example.net"; };
+	allow-query {!10.53.0.8; any; };
+	allow-transfer { none; };
+};
+
+zone "." {
+	type hint;
+	file "root.hint";
+};
+
+zone "1.10.in-addr.arpa" {
+	type primary; file "empty.db";
+};
diff --git a/bin/tests/system/emptyzones/ns1/rfc1918.zones b/bin/tests/system/emptyzones/ns1/rfc1918.zones
new file mode 100644
index 0000000..07858f9
--- /dev/null
+++ b/bin/tests/system/emptyzones/ns1/rfc1918.zones
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "10.IN-ADDR.ARPA" { type primary; file "empty.db"; };
+zone "16.172.IN-ADDR.ARPA" { type primary; file "empty.db"; };
+zone "17.172.IN-ADDR.ARPA" { type primary; file "empty.db"; };
+zone "18.172.IN-ADDR.ARPA" { type primary; file "empty.db"; };
+zone "19.172.IN-ADDR.ARPA" { type primary; file "empty.db"; };
+zone "20.172.IN-ADDR.ARPA" { type primary; file "empty.db"; };
+zone "21.172.IN-ADDR.ARPA" { type primary; file "empty.db"; };
+zone "22.172.IN-ADDR.ARPA" { type primary; file "empty.db"; };
+zone "23.172.IN-ADDR.ARPA" { type primary; file "empty.db"; };
+zone "24.172.IN-ADDR.ARPA" { type primary; file "empty.db"; };
+zone "25.172.IN-ADDR.ARPA" { type primary; file "empty.db"; };
+zone "26.172.IN-ADDR.ARPA" { type primary; file "empty.db"; };
+zone "27.172.IN-ADDR.ARPA" { type primary; file "empty.db"; };
+zone "28.172.IN-ADDR.ARPA" { type primary; file "empty.db"; };
+zone "29.172.IN-ADDR.ARPA" { type primary; file "empty.db"; };
+zone "30.172.IN-ADDR.ARPA" { type primary; file "empty.db"; };
+zone "31.172.IN-ADDR.ARPA" { type primary; file "empty.db"; };
+zone "168.192.IN-ADDR.ARPA" { type primary; file "empty.db"; };
+
diff --git a/bin/tests/system/emptyzones/ns1/root.hint b/bin/tests/system/emptyzones/ns1/root.hint
new file mode 100644
index 0000000..993227d
--- /dev/null
+++ b/bin/tests/system/emptyzones/ns1/root.hint
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 999999
+.			 IN NS	a.root-servers.nil.
+a.root-servers.nil.	 IN A	10.53.0.2
diff --git a/bin/tests/system/emptyzones/setup.sh b/bin/tests/system/emptyzones/setup.sh
new file mode 100644
index 0000000..df9d8f3
--- /dev/null
+++ b/bin/tests/system/emptyzones/setup.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+copy_setports ns1/named1.conf.in ns1/named.conf
diff --git a/bin/tests/system/emptyzones/tests.sh b/bin/tests/system/emptyzones/tests.sh
new file mode 100644
index 0000000..e2ee0fd
--- /dev/null
+++ b/bin/tests/system/emptyzones/tests.sh
@@ -0,0 +1,45 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="-p ${PORT}"
+RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
+
+status=0
+n=0
+
+n=`expr $n + 1`
+echo_i "check that switching to automatic empty zones works ($n)"
+ret=0
+rndc_reload ns1 10.53.0.1
+
+copy_setports ns1/named2.conf.in ns1/named.conf
+$RNDCCMD 10.53.0.1 reload > /dev/null || ret=1
+sleep 5
+
+$DIG $DIGOPTS +vc version.bind txt ch @10.53.0.1 > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that allow-transfer { none; } works ($n)"
+ret=0
+$DIG $DIGOPTS axfr 10.in-addr.arpa @10.53.0.1 +all > dig.out.test$n || ret=1
+grep "status: REFUSED" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
new file mode 100644
index 0000000..e502ee9
--- /dev/null
+++ b/bin/tests/system/feature-test.c
@@ -0,0 +1,241 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <isc/md.h>
+#include <isc/net.h>
+#include <isc/print.h>
+#include <isc/util.h>
+
+#include <dns/edns.h>
+
+#ifdef WIN32
+#include <Winsock2.h>
+#endif /* ifdef WIN32 */
+
+#ifndef _POSIX_HOST_NAME_MAX
+#define _POSIX_HOST_NAME_MAX 255
+#endif
+
+static void
+usage() {
+	fprintf(stderr, "usage: feature-test <arg>\n");
+	fprintf(stderr, "args:\n");
+	fprintf(stderr, "\t--edns-version\n");
+	fprintf(stderr, "\t--enable-dnsrps\n");
+	fprintf(stderr, "\t--enable-dnstap\n");
+	fprintf(stderr, "\t--gethostname\n");
+	fprintf(stderr, "\t--gssapi\n");
+	fprintf(stderr, "\t--have-dlopen\n");
+	fprintf(stderr, "\t--have-geoip2\n");
+	fprintf(stderr, "\t--have-json-c\n");
+	fprintf(stderr, "\t--have-libxml2\n");
+	fprintf(stderr, "\t--ipv6only=no\n");
+	fprintf(stderr, "\t--md5\n");
+	fprintf(stderr, "\t--tsan\n");
+	fprintf(stderr, "\t--with-dlz-filesystem\n");
+	fprintf(stderr, "\t--with-idn\n");
+	fprintf(stderr, "\t--with-lmdb\n");
+	fprintf(stderr, "\t--with-zlib\n");
+}
+
+int
+main(int argc, char **argv) {
+	if (argc != 2) {
+		usage();
+		return (1);
+	}
+
+	if (strcmp(argv[1], "--edns-version") == 0) {
+#ifdef DNS_EDNS_VERSION
+		printf("%d\n", DNS_EDNS_VERSION);
+#else  /* ifdef DNS_EDNS_VERSION */
+		printf("0\n");
+#endif /* ifdef DNS_EDNS_VERSION */
+		return (0);
+	}
+
+	if (strcmp(argv[1], "--enable-dnsrps") == 0) {
+#ifdef USE_DNSRPS
+		return (0);
+#else  /* ifdef USE_DNSRPS */
+		return (1);
+#endif /* ifdef USE_DNSRPS */
+	}
+
+	if (strcmp(argv[1], "--enable-dnstap") == 0) {
+#ifdef HAVE_DNSTAP
+		return (0);
+#else  /* ifdef HAVE_DNSTAP */
+		return (1);
+#endif /* ifdef HAVE_DNSTAP */
+	}
+
+	if (strcmp(argv[1], "--gethostname") == 0) {
+		char hostname[_POSIX_HOST_NAME_MAX + 1];
+		int n;
+#ifdef WIN32
+		/* From InitSocket() */
+		WORD wVersionRequested;
+		WSADATA wsaData;
+		int err;
+
+		wVersionRequested = MAKEWORD(2, 0);
+		err = WSAStartup(wVersionRequested, &wsaData);
+		if (err != 0) {
+			fprintf(stderr, "WSAStartup() failed: %d\n", err);
+			exit(1);
+		}
+#endif /* ifdef WIN32 */
+
+		n = gethostname(hostname, sizeof(hostname));
+		if (n == -1) {
+			perror("gethostname");
+			return (1);
+		}
+		fprintf(stdout, "%s\n", hostname);
+#ifdef WIN32
+		WSACleanup();
+#endif /* ifdef WIN32 */
+		return (0);
+	}
+
+	if (strcmp(argv[1], "--gssapi") == 0) {
+#if defined(GSSAPI)
+		return (0);
+#else  /* if defined(GSSAPI) */
+		return (1);
+#endif /* if defined(GSSAPI) */
+	}
+
+	if (strcmp(argv[1], "--have-dlopen") == 0) {
+#if defined(HAVE_DLOPEN) && defined(ISC_DLZ_DLOPEN)
+		return (0);
+#else  /* if defined(HAVE_DLOPEN) && defined(ISC_DLZ_DLOPEN) */
+		return (1);
+#endif /* if defined(HAVE_DLOPEN) && defined(ISC_DLZ_DLOPEN) */
+	}
+
+	if (strcmp(argv[1], "--have-geoip2") == 0) {
+#ifdef HAVE_GEOIP2
+		return (0);
+#else  /* ifdef HAVE_GEOIP2 */
+		return (1);
+#endif /* ifdef HAVE_GEOIP2 */
+	}
+
+	if (strcmp(argv[1], "--have-json-c") == 0) {
+#ifdef HAVE_JSON_C
+		return (0);
+#else  /* ifdef HAVE_JSON_C */
+		return (1);
+#endif /* ifdef HAVE_JSON_C */
+	}
+
+	if (strcmp(argv[1], "--have-libxml2") == 0) {
+#ifdef HAVE_LIBXML2
+		return (0);
+#else  /* ifdef HAVE_LIBXML2 */
+		return (1);
+#endif /* ifdef HAVE_LIBXML2 */
+	}
+
+	if (strcmp(argv[1], "--ipv6only=no") == 0) {
+#ifdef WIN32
+		return (0);
+#elif defined(IPPROTO_IPV6) && defined(IPV6_V6ONLY)
+		int s;
+		int n = -1;
+		int v6only = -1;
+		socklen_t len = sizeof(v6only);
+
+		s = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);
+		if (s >= 0) {
+			n = getsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY,
+				       (void *)&v6only, &len);
+			close(s);
+		}
+		return ((n == 0 && v6only == 0) ? 0 : 1);
+#else  /* ifdef WIN32 */
+		return (1);
+#endif /* ifdef WIN32 */
+	}
+
+	if (strcmp(argv[1], "--md5") == 0) {
+		unsigned char digest[ISC_MAX_MD_SIZE];
+		const unsigned char test[] = "test";
+		unsigned int size = sizeof(digest);
+
+		if (isc_md(ISC_MD_MD5, test, sizeof(test), digest, &size) ==
+		    ISC_R_SUCCESS)
+		{
+			return (0);
+		} else {
+			return (1);
+		}
+	}
+
+	if (strcmp(argv[1], "--tsan") == 0) {
+#if defined(__has_feature)
+#if __has_feature(thread_sanitizer)
+		return (0);
+#endif
+#endif
+#if __SANITIZE_THREAD__
+		return (0);
+#else
+		return (1);
+#endif
+	}
+
+	if (strcmp(argv[1], "--with-dlz-filesystem") == 0) {
+#ifdef DLZ_FILESYSTEM
+		return (0);
+#else  /* ifdef DLZ_FILESYSTEM */
+		return (1);
+#endif /* ifdef DLZ_FILESYSTEM */
+	}
+
+	if (strcmp(argv[1], "--with-idn") == 0) {
+#ifdef HAVE_LIBIDN2
+		return (0);
+#else  /* ifdef HAVE_LIBIDN2 */
+		return (1);
+#endif /* ifdef HAVE_LIBIDN2 */
+	}
+
+	if (strcmp(argv[1], "--with-lmdb") == 0) {
+#ifdef HAVE_LMDB
+		return (0);
+#else  /* ifdef HAVE_LMDB */
+		return (1);
+#endif /* ifdef HAVE_LMDB */
+	}
+
+	if (strcmp(argv[1], "--with-zlib") == 0) {
+#ifdef HAVE_ZLIB
+		return (0);
+#else  /* ifdef HAVE_ZLIB */
+		return (1);
+#endif /* ifdef HAVE_ZLIB */
+	}
+
+	fprintf(stderr, "unknown arg: %s\n", argv[1]);
+	usage();
+	return (1);
+}
diff --git a/bin/tests/system/fetchlimit/ans4/ans.pl b/bin/tests/system/fetchlimit/ans4/ans.pl
new file mode 100644
index 0000000..5a265c4
--- /dev/null
+++ b/bin/tests/system/fetchlimit/ans4/ans.pl
@@ -0,0 +1,86 @@
+#!/usr/bin/perl -w
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Don't respond if the "norespond" file exists; otherwise respond to
+# any A or AAAA query.
+#
+
+use IO::File;
+use IO::Socket;
+use Net::DNS;
+use Net::DNS::Packet;
+
+my $localport = int($ENV{'PORT'});
+if (!$localport) { $localport = 5300; }
+
+my $sock = IO::Socket::INET->new(LocalAddr => "10.53.0.4",
+   LocalPort => $localport, Proto => "udp") or die "$!";
+
+my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
+print $pidf "$$\n" or die "cannot write pid file: $!";
+$pidf->close or die "cannot close pid file: $!";
+sub rmpid { unlink "ans.pid"; exit 1; };
+
+$SIG{INT} = \&rmpid;
+$SIG{TERM} = \&rmpid;
+
+for (;;) {
+	$sock->recv($buf, 512);
+
+	print "**** request from " , $sock->peerhost, " port ", $sock->peerport, "\n";
+
+	my $packet;
+
+	if ($Net::DNS::VERSION > 0.68) {
+		$packet = new Net::DNS::Packet(\$buf, 0);
+		$@ and die $@;
+	} else {
+		my $err;
+		($packet, $err) = new Net::DNS::Packet(\$buf, 0);
+		$err and die $err;
+	}
+
+	print "REQUEST:\n";
+	$packet->print;
+
+	$packet->header->qr(1);
+
+	my @questions = $packet->question;
+	my $qname = $questions[0]->qname;
+	my $qtype = $questions[0]->qtype;
+
+	my $donotrespond = 0;
+
+	if (-e 'norespond') {
+		$donotrespond = 1;
+	} else {
+		$packet->header->aa(1);
+		if ($qtype eq "A") {
+			$packet->push("answer",
+				      new Net::DNS::RR($qname .
+						       " 300 A 192.0.2.1"));
+		} elsif ($qtype eq "AAAA") {
+			$packet->push("answer",
+				      new Net::DNS::RR($qname .
+						" 300 AAAA 2001:db8:beef::1"));
+		}
+	}
+
+	if ($donotrespond == 0) {
+		$sock->send($packet->data);
+		print "RESPONSE:\n";
+		$packet->print;
+		print "\n";
+	}
+}
diff --git a/bin/tests/system/fetchlimit/clean.sh b/bin/tests/system/fetchlimit/clean.sh
new file mode 100644
index 0000000..f0158b1
--- /dev/null
+++ b/bin/tests/system/fetchlimit/clean.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f */named.conf */named.memstats */ans.run */named.recursing */named.run
+rm -f dig.out*
+rm -f ans4/norespond
+rm -f ns3/named.stats ns3/named_dump.db
+rm -f burst.input.*
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/fetchlimit/ns1/named.conf.in b/bin/tests/system/fetchlimit/ns1/named.conf.in
new file mode 100644
index 0000000..9725d01
--- /dev/null
+++ b/bin/tests/system/fetchlimit/ns1/named.conf.in
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+	notify yes;
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
+
+zone "example.info." {
+	type primary;
+	file "example-info.db";
+};
diff --git a/bin/tests/system/fetchlimit/ns1/root.db b/bin/tests/system/fetchlimit/ns1/root.db
new file mode 100644
index 0000000..17780d1
--- /dev/null
+++ b/bin/tests/system/fetchlimit/ns1/root.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. 			IN SOA	gson.nominum.com. a.root.servers.nil. (
+				2000042100   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+
+example.		NS	ns2.example.
+ns2.example.		A	10.53.0.2
diff --git a/bin/tests/system/fetchlimit/ns2/example.db b/bin/tests/system/fetchlimit/ns2/example.db
new file mode 100644
index 0000000..5bf9999
--- /dev/null
+++ b/bin/tests/system/fetchlimit/ns2/example.db
@@ -0,0 +1,37 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300	; 5 minutes
+example			IN SOA	mname1. . (
+				1	   ; serial
+				20	   ; refresh (20 seconds)
+				20	   ; retry (20 seconds)
+				1814400	   ; expire (3 weeks)
+				3600	   ; minimum (1 hour)
+				)
+example		        NS	ns2.example.
+ns2.example.		A	10.53.0.2
+
+a.example.		A	10.0.0.1
+			MX	10 mail.example.
+
+mail.example.		A	10.0.0.2
+
+lamesub.example.        NS	ns4.example.
+ns4.example.	        A	10.53.0.4
+
+0.example.              A       10.53.1.0
+1.example.              A       10.53.1.1
+2.example.              A       10.53.1.2
+3.example.              A       10.53.1.3
+4.example.              A       10.53.1.4
+5.example.              A       10.53.1.5
diff --git a/bin/tests/system/fetchlimit/ns2/named.conf.in b/bin/tests/system/fetchlimit/ns2/named.conf.in
new file mode 100644
index 0000000..108877e
--- /dev/null
+++ b/bin/tests/system/fetchlimit/ns2/named.conf.in
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+	notify yes;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+
+zone "example" {
+	type primary;
+	file "example.db";
+	allow-update { any; };
+};
diff --git a/bin/tests/system/fetchlimit/ns3/named.args b/bin/tests/system/fetchlimit/ns3/named.args
new file mode 100644
index 0000000..6bd3e6c
--- /dev/null
+++ b/bin/tests/system/fetchlimit/ns3/named.args
@@ -0,0 +1 @@
+-m record,size,mctx -c named.conf -d 1 -D fetchlimit-ns3 -X named.lock -g -T maxcachesize=2097152
diff --git a/bin/tests/system/fetchlimit/ns3/named1.conf.in b/bin/tests/system/fetchlimit/ns3/named1.conf.in
new file mode 100644
index 0000000..3adfe47
--- /dev/null
+++ b/bin/tests/system/fetchlimit/ns3/named1.conf.in
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	directory ".";
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	notify yes;
+	fetches-per-server 400;
+};
+
+server 10.53.0.4 {
+	edns no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "root.hint";
+};
diff --git a/bin/tests/system/fetchlimit/ns3/named2.conf.in b/bin/tests/system/fetchlimit/ns3/named2.conf.in
new file mode 100644
index 0000000..74374b1
--- /dev/null
+++ b/bin/tests/system/fetchlimit/ns3/named2.conf.in
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	directory ".";
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	notify yes;
+	fetches-per-zone 40;
+};
+
+server 10.53.0.4 {
+	edns no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "root.hint";
+};
diff --git a/bin/tests/system/fetchlimit/ns3/named3.conf.in b/bin/tests/system/fetchlimit/ns3/named3.conf.in
new file mode 100644
index 0000000..3df353b
--- /dev/null
+++ b/bin/tests/system/fetchlimit/ns3/named3.conf.in
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	directory ".";
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	notify yes;
+	recursive-clients 400;
+};
+
+server 10.53.0.4 {
+	edns no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "root.hint";
+};
diff --git a/bin/tests/system/fetchlimit/ns3/root.hint b/bin/tests/system/fetchlimit/ns3/root.hint
new file mode 100644
index 0000000..e0f186c
--- /dev/null
+++ b/bin/tests/system/fetchlimit/ns3/root.hint
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 999999
+.			 IN NS	a.root-servers.nil.
+a.root-servers.nil.	 IN A	10.53.0.1
diff --git a/bin/tests/system/fetchlimit/prereq.sh b/bin/tests/system/fetchlimit/prereq.sh
new file mode 100644
index 0000000..ec369f8
--- /dev/null
+++ b/bin/tests/system/fetchlimit/prereq.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if $PERL -e 'use Net::DNS;' 2>/dev/null
+then
+    :
+else
+    echo_i "This test requires the Net::DNS library." >&2
+    exit 1
+fi
diff --git a/bin/tests/system/fetchlimit/setup.sh b/bin/tests/system/fetchlimit/setup.sh
new file mode 100644
index 0000000..7f5cbe7
--- /dev/null
+++ b/bin/tests/system/fetchlimit/setup.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named1.conf.in ns3/named.conf
diff --git a/bin/tests/system/fetchlimit/tests.sh b/bin/tests/system/fetchlimit/tests.sh
new file mode 100644
index 0000000..55f4bf6
--- /dev/null
+++ b/bin/tests/system/fetchlimit/tests.sh
@@ -0,0 +1,200 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGCMD="$DIG @10.53.0.3 -p ${PORT} +tcp +tries=1 +time=1"
+RNDCCMD="$RNDC -p ${CONTROLPORT} -s 10.53.0.3 -c ../common/rndc.conf"
+
+burst() {
+    num=${3:-20}
+    rm -f burst.input.$$
+    while [ $num -gt 0 ]; do
+        num=$((num-1))
+        echo "${num}${1}${2}.lamesub.example A" >> burst.input.$$
+    done
+    $PERL ../ditch.pl -p ${PORT} -s 10.53.0.3 burst.input.$$
+    rm -f burst.input.$$
+}
+
+stat() {
+    clients=`$RNDCCMD status | grep "recursive clients" | 
+            sed 's;.*: \([^/][^/]*\)/.*;\1;'`
+    echo_i "clients: $clients"
+    [ "$clients" = "" ] && return 1
+    [ "$clients" -ge $1 ] || return 1
+    [ "$clients" -le $2 ] || return 1
+    return 0
+}
+
+status=0
+
+echo_i "checking recursing clients are dropped at the per-server limit"
+ret=0
+# make the server lame and restart
+$RNDCCMD flush
+touch ans4/norespond
+for try in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do
+    burst a $try
+    # fetches-per-server is at 400, but at 20qps against a lame server,
+    # we'll reach 200 at the tenth second, and the quota should have been
+    # tuned to less than that by then.
+    [ $try -le 5 ] && low=$((try*10))
+    stat 20 200 || ret=1
+    [ $ret -eq 1 ] && break
+    sleep 1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "dumping ADB data"
+$RNDCCMD dumpdb -adb
+info=`grep '10.53.0.4' ns3/named_dump.db | sed 's/.*\(atr [.0-9]*\).*\(quota [0-9]*\).*/\1 \2/'`
+echo_i $info
+set -- $info
+quota=$5
+[ ${5:-200} -lt 200 ] || ret=1
+
+echo_i "checking servfail statistics"
+ret=0
+rm -f ns3/named.stats
+$RNDCCMD stats
+for try in 1 2 3 4 5; do
+    [ -f ns3/named.stats ] && break
+    sleep 1
+done
+sspill=`grep 'spilled due to server' ns3/named.stats | sed 's/\([0-9][0-9]*\) spilled.*/\1/'`
+[ -z "$sspill" ] && sspill=0
+fails=`grep 'queries resulted in SERVFAIL' ns3/named.stats | sed 's/\([0-9][0-9]*\) queries.*/\1/'`
+[ -z "$fails" ] && fails=0
+[ "$fails" -ge "$sspill" ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "checking lame server recovery"
+ret=0
+rm -f ans4/norespond
+for try in 1 2 3 4 5; do
+    burst b $try
+    stat 0 200 || ret=1
+    [ $ret -eq 1 ] && break
+    sleep 1
+done
+
+echo_i "dumping ADB data"
+$RNDCCMD dumpdb -adb
+info=`grep '10.53.0.4' ns3/named_dump.db | sed 's/.*\(atr [.0-9]*\).*\(quota [0-9]*\).*/\1 \2/'`
+echo_i $info
+set -- $info
+[ ${5:-${quota}} -lt $quota ] || ret=1
+quota=$5
+
+for try in 1 2 3 4 5 6 7 8 9 10; do
+    burst c $try
+    stat 0 20 || ret=1
+    [ $ret -eq 1 ] && break
+    sleep 1
+done
+
+echo_i "dumping ADB data"
+$RNDCCMD dumpdb -adb
+info=`grep '10.53.0.4' ns3/named_dump.db | sed 's/.*\(atr [.0-9]*\).*\(quota [0-9]*\).*/\1 \2/'`
+echo_i $info
+set -- $info
+[ ${5:-${quota}} -gt $quota ] || ret=1
+quota=$5
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+copy_setports ns3/named2.conf.in ns3/named.conf
+rndc_reconfig ns3 10.53.0.3
+
+echo_i "checking lame server clients are dropped at the per-domain limit"
+ret=0
+fail=0
+success=0
+touch ans4/norespond
+for try in 1 2 3 4 5; do
+    burst b $try 300
+    $DIGCMD a ${try}.example > dig.out.ns3.$try
+    grep "status: NOERROR" dig.out.ns3.$try > /dev/null 2>&1 && \
+            success=$((success+1))
+    grep "status: SERVFAIL" dig.out.ns3.$try > /dev/null 2>&1 && \
+            fail=$(($fail+1))
+    stat 30 50 || ret=1
+    [ $ret -eq 1 ] && break
+    $RNDCCMD recursing 2>&1 | sed 's/^/ns3 /' | cat_i
+    sleep 1
+done
+echo_i "$success successful valid queries, $fail SERVFAIL"
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "checking drop statistics"
+rm -f ns3/named.stats
+$RNDCCMD stats
+for try in 1 2 3 4 5; do
+    [ -f ns3/named.stats ] && break
+    sleep 1
+done
+zspill=`grep 'spilled due to zone' ns3/named.stats | sed 's/\([0-9][0-9]*\) spilled.*/\1/'`
+[ -z "$zspill" ] && zspill=0
+drops=`grep 'queries dropped' ns3/named.stats | sed 's/\([0-9][0-9]*\) queries.*/\1/'`
+[ -z "$drops" ] && drops=0
+[ "$drops" -ge "$zspill" ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+copy_setports ns3/named3.conf.in ns3/named.conf
+rndc_reconfig ns3 10.53.0.3
+
+echo_i "checking lame server clients are dropped below the hard limit"
+ret=0
+fail=0
+exceeded=0
+success=0
+touch ans4/norespond
+for try in 1 2 3 4 5; do
+    burst b $try 400
+    $DIGCMD +time=2 a ${try}.example > dig.out.ns3.$try
+    stat 100 400 || exceeded=$((exceeded + 1))
+    grep "status: NOERROR" dig.out.ns3.$try > /dev/null 2>&1 && \
+            success=$((success+1))
+    grep "status: SERVFAIL" dig.out.ns3.$try > /dev/null 2>&1 && \
+            fail=$(($fail+1))
+    sleep 1
+done
+echo_i "$success successful valid queries (expected 5)"
+[ "$success" -eq 5 ] || { echo_i "failed"; ret=1; }
+echo_i "$fail SERVFAIL responses (expected 0)"
+[ "$fail" -eq 0 ] || { echo_i "failed"; ret=1; }
+echo_i "clients count exceeded 400 on $exceeded trials (expected 0)"
+[ "$exceeded" -eq 0 ] || { echo_i "failed"; ret=1; }
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "checking drop statistics"
+rm -f ns3/named.stats
+$RNDCCMD stats
+for try in 1 2 3 4 5; do
+    [ -f ns3/named.stats ] && break
+    sleep 1
+done
+drops=`grep 'queries dropped due to recursive client limit' ns3/named.stats | sed 's/\([0-9][0-9]*\) queries.*/\1/'`
+[ "${drops:-0}" -ne 0 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/filter-aaaa/clean.sh b/bin/tests/system/filter-aaaa/clean.sh
new file mode 100644
index 0000000..b7a2372
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/clean.sh
@@ -0,0 +1,33 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f ns1/K*
+rm -f ns1/*.signed
+rm -f ns1/signer.err
+rm -f ns1/dsset-*
+
+rm -f */named.run
+rm -f */named.conf
+rm -f */named.memstats
+
+rm -f ns4/K*
+rm -f ns4/*.signed
+rm -f ns4/signer.err
+rm -f ns4/dsset-*
+
+rm -f dig.out.*
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind*
+
+rm -f ns*/trusted.conf
+rm -f ns*/keygen.out
diff --git a/bin/tests/system/filter-aaaa/conf/bad1.conf b/bin/tests/system/filter-aaaa/conf/bad1.conf
new file mode 100644
index 0000000..01613fd
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/conf/bad1.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+plugin query "../../../plugins/lib/filter-aaaa.so" {
+	filter-aaaa-on-v4 yes;
+	filter-aaaa { none; };
+};
diff --git a/bin/tests/system/filter-aaaa/conf/bad2.conf b/bin/tests/system/filter-aaaa/conf/bad2.conf
new file mode 100644
index 0000000..e7a2d28
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/conf/bad2.conf
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+plugin query "../../../plugins/lib/filter-aaaa.so" {
+	/*
+	 * While this matches the defaults, it is not a good configuration
+	 * to have in named.conf as the two options contradict each other
+	 * indicating a error on behalf of the operator.
+	 *
+	 * The default is to have filter-aaaa-on-v4 off, but if it is turned
+	 * on then it applies to all IPv4 queries.  This results in
+	 * contradictory defaults.
+	 */
+	filter-aaaa-on-v4 no;
+	filter-aaaa { any; };
+};
diff --git a/bin/tests/system/filter-aaaa/conf/bad3.conf b/bin/tests/system/filter-aaaa/conf/bad3.conf
new file mode 100644
index 0000000..88b4c7c
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/conf/bad3.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view myview {
+	plugin query "../../../plugins/lib/filter-aaaa.so" {
+		filter-aaaa-on-v4 no;
+		filter-aaaa { any; };
+	};
+};
diff --git a/bin/tests/system/filter-aaaa/conf/bad4.conf b/bin/tests/system/filter-aaaa/conf/bad4.conf
new file mode 100644
index 0000000..a65b367
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/conf/bad4.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view myview {
+	plugin query "../../../plugins/lib/filter-aaaa.so" {
+		filter-aaaa-on-v4 yes;
+		filter-aaaa { none; };
+	};
+};
diff --git a/bin/tests/system/filter-aaaa/conf/bad5.conf b/bin/tests/system/filter-aaaa/conf/bad5.conf
new file mode 100644
index 0000000..e26564b
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/conf/bad5.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+plugin query "../../../plugins/lib/filter-aaaa.so" {
+	filter-aaaa-on-v4 yes;
+	filter-aaaa { 1.0.0.0/8; };
+};
+
+view myview {
+	match-clients { any; };
+};
diff --git a/bin/tests/system/filter-aaaa/conf/good1.conf b/bin/tests/system/filter-aaaa/conf/good1.conf
new file mode 100644
index 0000000..9203a13
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/conf/good1.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+plugin query "../../../plugins/lib/filter-aaaa.so" {
+	filter-aaaa-on-v4 yes;
+};
diff --git a/bin/tests/system/filter-aaaa/conf/good2.conf b/bin/tests/system/filter-aaaa/conf/good2.conf
new file mode 100644
index 0000000..b6159b1
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/conf/good2.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+plugin query "../../../plugins/lib/filter-aaaa.so" {
+	filter-aaaa-on-v4 break-dnssec;
+};
diff --git a/bin/tests/system/filter-aaaa/conf/good3.conf b/bin/tests/system/filter-aaaa/conf/good3.conf
new file mode 100644
index 0000000..7aad386
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/conf/good3.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+plugin query "../../../plugins/lib/filter-aaaa.so" {
+	filter-aaaa-on-v4 break-dnssec;
+	filter-aaaa { 1.0.0.0/8; };
+};
diff --git a/bin/tests/system/filter-aaaa/conf/good4.conf b/bin/tests/system/filter-aaaa/conf/good4.conf
new file mode 100644
index 0000000..0161282
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/conf/good4.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+plugin query "../../../plugins/lib/filter-aaaa.so" {
+	filter-aaaa-on-v4 yes;
+	filter-aaaa { 1.0.0.0/8; };
+};
diff --git a/bin/tests/system/filter-aaaa/conf/good5.conf b/bin/tests/system/filter-aaaa/conf/good5.conf
new file mode 100644
index 0000000..a88b003
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/conf/good5.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view myview {
+	plugin query "../../../plugins/lib/filter-aaaa.so" {
+		filter-aaaa-on-v4 yes;
+		filter-aaaa { 1.0.0.0/8; };
+	};
+};
diff --git a/bin/tests/system/filter-aaaa/ns1/named1.conf.in b/bin/tests/system/filter-aaaa/ns1/named1.conf.in
new file mode 100644
index 0000000..381241a
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/ns1/named1.conf.in
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { fd92:7065:b8e:ffff::1; };
+	recursion no;
+	dnssec-validation yes;
+	notify yes;
+	minimal-responses no;
+};
+
+acl filterees { 10.53.0.1; };
+
+plugin query "../../../../plugins/lib/filter-aaaa.so" {
+	filter-aaaa-on-v4 yes;
+	filter-aaaa { filterees; };
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+
+zone "." { type primary; file "root.db"; };
+zone "signed" { type primary; file "signed.db.signed"; };
+zone "unsigned" { type primary; file "unsigned.db"; };
diff --git a/bin/tests/system/filter-aaaa/ns1/named2.conf.in b/bin/tests/system/filter-aaaa/ns1/named2.conf.in
new file mode 100644
index 0000000..bebb8d0
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/ns1/named2.conf.in
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { fd92:7065:b8e:ffff::1; };
+	recursion no;
+	dnssec-validation yes;
+	notify yes;
+	minimal-responses no;
+};
+
+plugin query "../../../../plugins/lib/filter-aaaa.so" {
+	filter-aaaa-on-v6 yes;
+	filter-aaaa { fd92:7065:b8e:ffff::1; };
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." { type primary; file "root.db"; };
+zone "signed" { type primary; file "signed.db.signed"; };
+zone "unsigned" { type primary; file "unsigned.db"; };
diff --git a/bin/tests/system/filter-aaaa/ns1/root.db b/bin/tests/system/filter-aaaa/ns1/root.db
new file mode 100644
index 0000000..150aa72
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/ns1/root.db
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL	120
+@		SOA	ns.utld hostmaster.ns.utld ( 1 3600 1200 604800 60 )
+@		NS	ns.utld
+ns.utld		A	10.53.0.1
+ns.utld		AAAA	fd92:7065:b8e:ffff::1
+;
+
+signed		NS	ns.signed
+ns.signed	A	10.53.0.1
+ns.signed	AAAA	fd92:7065:b8e:ffff::1
+
+unsigned	NS	ns.unsigned
+ns.unsigned	A	10.53.0.1
+ns.unsigned	AAAA	fd92:7065:b8e:ffff::1
diff --git a/bin/tests/system/filter-aaaa/ns1/sign.sh b/bin/tests/system/filter-aaaa/ns1/sign.sh
new file mode 100755
index 0000000..71e5ecc
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/ns1/sign.sh
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+SYSTESTDIR=filter-aaaa
+
+zone=signed.
+infile=signed.db.in
+zonefile=signed.db.signed
+outfile=signed.db.signed
+
+$KEYGEN -a $DEFAULT_ALGORITHM $zone 2>&1 > /dev/null | cat_i
+$KEYGEN -f KSK -a $DEFAULT_ALGORITHM $zone 2>&1 > keygen.out | cat_i
+keyname=`cat keygen.out`
+rm -f keygen.out
+
+keyfile_to_static_ds $keyname > trusted.conf
+cp trusted.conf ../ns2/trusted.conf
+cp trusted.conf ../ns3/trusted.conf
+cp trusted.conf ../ns5/trusted.conf
+
+$SIGNER -S -o $zone -f $outfile $infile > /dev/null 2> signer.err || cat signer.err
+echo_i "signed zone '$zone'"
diff --git a/bin/tests/system/filter-aaaa/ns1/signed.db.in b/bin/tests/system/filter-aaaa/ns1/signed.db.in
new file mode 100644
index 0000000..36a0373
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/ns1/signed.db.in
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL	120
+@		SOA	ns.signed.  hostmaster.ns.signed. ( 1 3600 1200 604800 60 )
+@		NS	ns
+@               MX      10 mx
+
+ns		A	10.53.0.1
+		AAAA	fd92:7065:b8e:ffff::1
+
+a-only		NS	1.0.0.1
+aaaa-only	AAAA	2001:db8::2
+dual		A	1.0.0.3
+dual 		AAAA	2001:db8::3
+mx		A	1.0.0.3
+mx 		AAAA	2001:db8::3
diff --git a/bin/tests/system/filter-aaaa/ns1/unsigned.db b/bin/tests/system/filter-aaaa/ns1/unsigned.db
new file mode 100644
index 0000000..abc3947
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/ns1/unsigned.db
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL	120
+@		SOA	ns.unsigned.  hostmaster.ns.unsigned. ( 1 3600 1200 604800 60 )
+@		NS	ns
+@               MX      10 mx
+
+ns		A	10.53.0.1
+		AAAA	fd92:7065:b8e:ffff::1
+
+a-only		NS	1.0.0.4
+aaaa-only	AAAA	2001:db8::5
+dual		A	1.0.0.6
+dual 		AAAA	2001:db8::6
+mx		A	1.0.0.3
+mx 		AAAA	2001:db8::3
diff --git a/bin/tests/system/filter-aaaa/ns2/hints b/bin/tests/system/filter-aaaa/ns2/hints
new file mode 100644
index 0000000..fa0d3e4
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/ns2/hints
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 120
+
+.		NS	ns.utld.
+ns.utld.	A	10.53.0.1
+ns.utld.	AAAA	fd92:7065:b8e:ffff::1
diff --git a/bin/tests/system/filter-aaaa/ns2/named1.conf.in b/bin/tests/system/filter-aaaa/ns2/named1.conf.in
new file mode 100644
index 0000000..6cac8e5
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/ns2/named1.conf.in
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { fd92:7065:b8e:ffff::2; };
+	recursion yes;
+	dnssec-validation yes;
+	notify yes;
+	minimal-responses no;
+};
+
+plugin query "../../../../plugins/lib/filter-aaaa.so" {
+	filter-aaaa-on-v4 yes;
+	filter-aaaa { 10.53.0.2; };
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." { type hint; file "hints"; };
+
+include "trusted.conf";
diff --git a/bin/tests/system/filter-aaaa/ns2/named2.conf.in b/bin/tests/system/filter-aaaa/ns2/named2.conf.in
new file mode 100644
index 0000000..2107b7a
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/ns2/named2.conf.in
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { fd92:7065:b8e:ffff::2; };
+	recursion yes;
+	dnssec-validation yes;
+	notify yes;
+	minimal-responses no;
+};
+
+plugin query "../../../../plugins/lib/filter-aaaa.so" {
+	filter-aaaa-on-v6 yes;
+	filter-aaaa { fd92:7065:b8e:ffff::2; };
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." { type hint; file "hints"; };
+
+include "trusted.conf";
diff --git a/bin/tests/system/filter-aaaa/ns3/hints b/bin/tests/system/filter-aaaa/ns3/hints
new file mode 100644
index 0000000..fa0d3e4
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/ns3/hints
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 120
+
+.		NS	ns.utld.
+ns.utld.	A	10.53.0.1
+ns.utld.	AAAA	fd92:7065:b8e:ffff::1
diff --git a/bin/tests/system/filter-aaaa/ns3/named1.conf.in b/bin/tests/system/filter-aaaa/ns3/named1.conf.in
new file mode 100644
index 0000000..cd156f4
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/ns3/named1.conf.in
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { fd92:7065:b8e:ffff::3; };
+	recursion yes;
+	dnssec-validation yes;
+	notify yes;
+	minimal-responses no;
+};
+
+plugin query "../../../../plugins/lib/filter-aaaa.so" {
+	filter-aaaa-on-v4 break-dnssec;
+	filter-aaaa { 10.53.0.3; };
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." { type hint; file "hints"; };
+
+include "trusted.conf";
diff --git a/bin/tests/system/filter-aaaa/ns3/named2.conf.in b/bin/tests/system/filter-aaaa/ns3/named2.conf.in
new file mode 100644
index 0000000..6117849
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/ns3/named2.conf.in
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { fd92:7065:b8e:ffff::3; };
+	recursion yes;
+	dnssec-validation yes;
+	notify yes;
+	minimal-responses no;
+};
+
+plugin query "../../../../plugins/lib/filter-aaaa.so" {
+	filter-aaaa-on-v6 break-dnssec;
+	filter-aaaa { fd92:7065:b8e:ffff::3; };
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." { type hint; file "hints"; };
+
+include "trusted.conf";
diff --git a/bin/tests/system/filter-aaaa/ns4/named1.conf.in b/bin/tests/system/filter-aaaa/ns4/named1.conf.in
new file mode 100644
index 0000000..d47a71d
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/ns4/named1.conf.in
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { fd92:7065:b8e:ffff::4; };
+	recursion no;
+	dnssec-validation no;
+	notify yes;
+	minimal-responses no;
+};
+
+plugin query "../../../../plugins/lib/filter-aaaa.so" {
+	filter-aaaa-on-v4 break-dnssec;
+	filter-aaaa { 10.53.0.4; };
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." { type primary; file "root.db"; };
+zone "signed" { type primary; file "signed.db.signed"; };
+zone "unsigned" { type primary; file "unsigned.db"; };
diff --git a/bin/tests/system/filter-aaaa/ns4/named2.conf.in b/bin/tests/system/filter-aaaa/ns4/named2.conf.in
new file mode 100644
index 0000000..5a06ec3
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/ns4/named2.conf.in
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { fd92:7065:b8e:ffff::4; };
+	recursion no;
+	dnssec-validation no;
+	notify yes;
+	minimal-responses no;
+};
+
+plugin query "../../../../plugins/lib/filter-aaaa.so" {
+	filter-aaaa-on-v6 break-dnssec;
+	filter-aaaa { fd92:7065:b8e:ffff::4; };
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." { type primary; file "root.db"; };
+zone "signed" { type primary; file "signed.db.signed"; };
+zone "unsigned" { type primary; file "unsigned.db"; };
diff --git a/bin/tests/system/filter-aaaa/ns4/root.db b/bin/tests/system/filter-aaaa/ns4/root.db
new file mode 100644
index 0000000..7984c37
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/ns4/root.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@		SOA	ns.utld hostmaster.ns.utld ( 1 3600 1200 604800 60 )
+@		NS	ns.utld
+ns.utld		A	10.53.0.4
+ns.utld		AAAA	fd92:7065:b8e:ffff::4
+;
+
+signed		NS	ns.signed
+ns.signed	A	10.53.0.4
+ns.signed	AAAA	fd92:7065:b8e:ffff::4
+
+unsigned	NS	ns.unsigned
+ns.unsigned	A	10.53.0.4
+ns.unsigned	AAAA	fd92:7065:b8e:ffff::4
diff --git a/bin/tests/system/filter-aaaa/ns4/sign.sh b/bin/tests/system/filter-aaaa/ns4/sign.sh
new file mode 100755
index 0000000..f07d85b
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/ns4/sign.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+SYSTESTDIR=filter-aaaa
+
+zone=signed.
+infile=signed.db.in
+zonefile=signed.db.signed
+outfile=signed.db.signed
+
+$KEYGEN -a $DEFAULT_ALGORITHM $zone 2>&1 > /dev/null | cat_i
+$KEYGEN -f KSK -a $DEFAULT_ALGORITHM $zone 2>&1 > /dev/null | cat_i
+
+$SIGNER -S -o $zone -f $outfile $infile > /dev/null 2> signer.err || cat signer.err
+echo_i "signed zone '$zone'"
diff --git a/bin/tests/system/filter-aaaa/ns4/signed.db.in b/bin/tests/system/filter-aaaa/ns4/signed.db.in
new file mode 100644
index 0000000..fa52106
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/ns4/signed.db.in
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL	120
+@		SOA	ns.signed.  hostmaster.ns.signed. ( 1 3600 1200 604800 60 )
+@		NS	ns
+@               MX      10 mx
+
+ns		A	10.53.0.4
+		AAAA	fd92:7065:b8e:ffff::4
+
+a-only		NS	1.0.0.1
+aaaa-only	AAAA	2001:db8::2
+dual		A	1.0.0.3
+dual 		AAAA	2001:db8::3
+mx		A	1.0.0.3
+mx 		AAAA	2001:db8::3
diff --git a/bin/tests/system/filter-aaaa/ns4/unsigned.db b/bin/tests/system/filter-aaaa/ns4/unsigned.db
new file mode 100644
index 0000000..4baa462
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/ns4/unsigned.db
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL	120
+@		SOA	ns.unsigned.  hostmaster.ns.unsigned. ( 1 3600 1200 604800 60 )
+@		NS	ns
+@               MX      10 mx
+
+ns		A	10.53.0.4
+		AAAA	fd92:7065:b8e:ffff::4
+
+a-only		NS	1.0.0.4
+aaaa-only	AAAA	2001:db8::5
+dual		A	1.0.0.6
+dual 		AAAA	2001:db8::6
+mx		A	1.0.0.3
+mx 		AAAA	2001:db8::3
diff --git a/bin/tests/system/filter-aaaa/ns5/hints b/bin/tests/system/filter-aaaa/ns5/hints
new file mode 100644
index 0000000..fa0d3e4
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/ns5/hints
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 120
+
+.		NS	ns.utld.
+ns.utld.	A	10.53.0.1
+ns.utld.	AAAA	fd92:7065:b8e:ffff::1
diff --git a/bin/tests/system/filter-aaaa/ns5/named.conf.in b/bin/tests/system/filter-aaaa/ns5/named.conf.in
new file mode 100644
index 0000000..0584bcf
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/ns5/named.conf.in
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.5;
+	notify-source 10.53.0.5;
+	transfer-source 10.53.0.5;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.5; };
+	listen-on-v6 { fd92:7065:b8e:ffff::5; };
+	recursion yes;
+	dnssec-validation no;
+	notify yes;
+	dns64 64:ff9b::/96 {
+			    clients { any; };
+			    exclude { any; };
+			    mapped { any; };
+	};
+	minimal-responses no;
+};
+
+plugin query "../../../../plugins/lib/filter-aaaa.so" {
+	filter-aaaa-on-v4 break-dnssec;
+	filter-aaaa { any; };
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." { type hint; file "hints"; };
+
+include "trusted.conf";
diff --git a/bin/tests/system/filter-aaaa/prereq.sh b/bin/tests/system/filter-aaaa/prereq.sh
new file mode 100644
index 0000000..4b7058b
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/prereq.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$FEATURETEST --have-dlopen ||  {
+        echo_i "dlopen() not supported - skipping filter-aaaa test"
+        exit 255
+}
+
+$FEATURETEST --tsan && {
+        echo_i "TSAN - skipping dlzexternal test"
+        exit 255
+}
+
+exit 0
diff --git a/bin/tests/system/filter-aaaa/setup.sh b/bin/tests/system/filter-aaaa/setup.sh
new file mode 100644
index 0000000..55ef60b
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/setup.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named1.conf.in ns1/named.conf
+copy_setports ns2/named1.conf.in ns2/named.conf
+copy_setports ns3/named1.conf.in ns3/named.conf
+copy_setports ns4/named1.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+
+(cd ns1 && $SHELL -e sign.sh)
+(cd ns4 && $SHELL -e sign.sh)
diff --git a/bin/tests/system/filter-aaaa/tests.sh b/bin/tests/system/filter-aaaa/tests.sh
new file mode 100644
index 0000000..a173f6a
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/tests.sh
@@ -0,0 +1,1419 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=0
+
+rm -f dig.out.*
+
+DIGOPTS="+tcp +noadd +nosea +nostat +nocmd -p ${PORT}"
+RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
+
+for conf in conf/good*.conf
+do
+	n=`expr $n + 1`
+	echo_i "checking that $conf is accepted ($n)"
+	ret=0
+	$CHECKCONF "$conf" || ret=1
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=`expr $status + $ret`
+done
+
+for conf in conf/bad*.conf
+do
+	n=`expr $n + 1`
+	echo_i "checking that $conf is rejected ($n)"
+	ret=0
+	$CHECKCONF "$conf" >/dev/null && ret=1
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=`expr $status + $ret`
+done
+
+#
+# Authoritative tests against:
+#	filter-aaaa-on-v4 yes;
+#	filter-aaaa { 10.53.0.1; };
+#
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when only AAAA record exists, signed ($n)"
+ret=0
+$DIG $DIGOPTS aaaa aaaa-only.signed -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "AUTHORITY: 1," dig.out.ns1.test$n > /dev/null || ret=1
+grep ::2 dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when only AAAA record exists, unsigned ($n)"
+ret=0
+$DIG $DIGOPTS aaaa aaaa-only.unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "AUTHORITY: 1," dig.out.ns1.test$n > /dev/null || ret=1
+grep ::5 dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.signed -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1
+grep "AUTHORITY: 0" dig.out.ns1.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1
+grep "AUTHORITY: 0" dig.out.ns1.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when both AAAA and A records exist, signed and DO set ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.signed +dnssec -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "AUTHORITY: 2," dig.out.ns1.test$n > /dev/null || ret=1
+grep ::3 dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1
+grep "AUTHORITY: 0," dig.out.ns1.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when both AAAA and A records exist and query source does not match acl ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.2 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "AUTHORITY: 1," dig.out.ns1.test$n > /dev/null || ret=1
+grep ::6 dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY ($n)"
+ret=0
+$DIG $DIGOPTS any dual.signed -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "1.0.0.3" dig.out.ns1.test$n > /dev/null || ret=1
+grep "::3" dig.out.ns1.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "1.0.0.6" dig.out.ns1.test$n > /dev/null || ret=1
+grep "::6" dig.out.ns1.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, signed, qtype=ANY and DO is set ($n)"
+ret=0
+$DIG $DIGOPTS any dual.signed +dnssec -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "AUTHORITY: 2," dig.out.ns1.test$n > /dev/null || ret=1
+grep ::3 dig.out.ns1.test$n > /dev/null || ret=1
+grep "1.0.0.3" dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned +dnssec -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "1.0.0.6" dig.out.ns1.test$n > /dev/null || ret=1
+grep "::6" dig.out.ns1.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned -b 10.53.0.2 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "AUTHORITY: 1," dig.out.ns1.test$n > /dev/null || ret=1
+grep 1.0.0.6 dig.out.ns1.test$n > /dev/null || ret=1
+grep ::6 dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv6 ($n)"
+if testsock6 fd92:7065:b8e:ffff::1
+then
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
+grep 2001:db8::6 dig.out.ns1.test$n > /dev/null || ret=1
+grep "AUTHORITY: 1," dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+else
+echo_i "skipped."
+fi
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is omitted from additional section, qtype=NS ($n)"
+ret=0
+$DIG $DIGOPTS +add ns unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep AAAA dig.out.ns1.test$n > /dev/null 2>&1 && ret=1
+grep "ANSWER: 1," dig.out.ns1.test$n > /dev/null || ret=1
+grep "ADDITIONAL: 2" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is omitted from additional section, qtype=MX, unsigned ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "^mx.unsigned.*AAAA" dig.out.ns1.test$n > /dev/null 2>&1 && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is included in additional section, qtype=MX, signed ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "^mx.signed.*AAAA" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1
+grep "AUTHORITY: 2," dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is included in additional section, qtype=MX, unsigned, over IPv6 ($n)"
+if testsock6 fd92:7065:b8e:ffff::1
+then
+ret=0
+$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
+grep "^mx.unsigned.*AAAA" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1
+grep "AUTHORITY: 1," dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+else
+echo_i "skipped."
+fi
+
+#
+# Authoritative tests against:
+#	filter-aaaa-on-v4 break-dnssec;
+#	filter-aaaa { 10.53.0.4; };
+#
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when only AAAA record exists, signed with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa aaaa-only.signed -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "AUTHORITY: 1," dig.out.ns4.test$n > /dev/null || ret=1
+grep ::2 dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when only AAAA record exists, unsigned with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa aaaa-only.unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "AUTHORITY: 1," dig.out.ns4.test$n > /dev/null || ret=1
+grep ::5 dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.signed -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
+grep "AUTHORITY: 0," dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed and DO set with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.signed +dnssec -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when both AAAA and A records exist and query source does not match acl with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.2 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep ::6 dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.signed -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "1.0.0.3" dig.out.ns4.test$n > /dev/null || ret=1
+grep "::3" dig.out.ns4.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "1.0.0.6" dig.out.ns4.test$n > /dev/null || ret=1
+grep "::6" dig.out.ns4.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed, qtype=ANY and DO is set with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.signed +dnssec -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "1.0.0.3" dig.out.ns4.test$n > /dev/null || ret=1
+grep ::3 dig.out.ns4.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned +dnssec -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "1.0.0.6" dig.out.ns4.test$n > /dev/null || ret=1
+grep "::6" dig.out.ns4.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned -b 10.53.0.2 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep 1.0.0.6 dig.out.ns4.test$n > /dev/null || ret=1
+grep ::6 dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv6 with break-dnssec ($n)"
+if testsock6 fd92:7065:b8e:ffff::4
+then
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
+grep 2001:db8::6 dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+else
+echo_i "skipped."
+fi
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is omitted from additional section, qtype=NS, with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +add ns unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep AAAA dig.out.ns4.test$n > /dev/null 2>&1 && ret=1
+grep "ADDITIONAL: 2" dig.out.ns4.test$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is omitted from additional section, qtype=MX, unsigned, with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "^mx.unsigned.*AAAA" dig.out.ns4.test$n > /dev/null 2>&1 && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is omitted from additional section, qtype=MX, signed, with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "^mx.signed.*AAAA" dig.out.ns4.test$n > /dev/null 2>&1 && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is included in additional section, qtype=MX, unsigned, over IPv6, with break-dnssec ($n)"
+if testsock6 fd92:7065:b8e:ffff::4
+then
+ret=0
+$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
+grep "^mx.unsigned.*AAAA" dig.out.ns4.test$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+else
+echo_i "skipped."
+fi
+
+
+#
+# Recursive tests against:
+#	filter-aaaa-on-v4 yes;
+#	filter-aaaa { 10.53.0.2; };
+#
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when only AAAA record exists, signed, recursive ($n)"
+ret=0
+$DIG $DIGOPTS aaaa aaaa-only.signed -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
+grep ::2 dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when only AAAA record exists, unsigned, recursive ($n)"
+ret=0
+$DIG $DIGOPTS aaaa aaaa-only.unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep ::5 dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed, recursive ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.signed -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned, recursive ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when both AAAA and A records exist, signed and DO set, recursive ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.signed +dnssec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
+grep ::3 dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set, recursive ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned +dnssec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when both AAAA and A records exist and query source does not match acl, recursive ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep ::6 dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY recursive ($n)"
+ret=0
+$DIG $DIGOPTS any dual.signed -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "1.0.0.3" dig.out.ns2.test$n > /dev/null || ret=1
+grep "::3" dig.out.ns2.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY recursive ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "1.0.0.6" dig.out.ns2.test$n > /dev/null || ret=1
+grep "::6" dig.out.ns2.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, signed, qtype=ANY and DO is set, recursive ($n)"
+ret=0
+$DIG $DIGOPTS any dual.signed +dnssec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
+grep ::3 dig.out.ns2.test$n > /dev/null || ret=1
+grep "1.0.0.3" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set, recursive ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned +dnssec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "1.0.0.6" dig.out.ns2.test$n > /dev/null || ret=1
+grep "::6" dig.out.ns2.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl, recursive ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned -b 10.53.0.1 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep 1.0.0.6 dig.out.ns2.test$n > /dev/null || ret=1
+grep ::6 dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv6, recursive ($n)"
+if testsock6 fd92:7065:b8e:ffff::2
+then
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
+grep 2001:db8::6 dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+else
+echo_i "skipped."
+fi
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is omitted from additional section, qtype=NS ($n)"
+ret=0
+$DIG $DIGOPTS +add ns unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep AAAA dig.out.ns2.test$n > /dev/null 2>&1 && ret=1
+grep "ADDITIONAL: 2" dig.out.ns2.test$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is omitted from additional section, qtype=MX, unsigned, recursive ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep "^mx.unsigned.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is included in additional section, qtype=MX, signed, recursive ($n)"
+ret=0
+# we need to prime the cache with addresses for the MX, since additional
+# section data won't be included unless it's validated, and that doesn't
+# necessarily happen otherwise.
+$DIG $DIGOPTS +dnssec mx.signed @10.53.0.2 > /dev/null
+$DIG $DIGOPTS +dnssec mx.signed aaaa @10.53.0.2 > /dev/null
+$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep "^mx.signed.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is included in additional section, qtype=MX, unsigned, recursive, over IPv6 ($n)"
+if testsock6 fd92:7065:b8e:ffff::2
+then
+ret=0
+$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
+grep "^mx.unsigned.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+else
+echo_i "skipped."
+fi
+
+#
+# Recursive tests against:
+#	filter-aaaa-on-v4 break-dnssec;
+#	filter-aaaa { 10.53.0.3; };
+#
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when only AAAA record exists, signed, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa aaaa-only.signed -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1
+grep ::2 dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when only AAAA record exists, unsigned, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa aaaa-only.unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep ::5 dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.signed -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed and DO set, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.signed +dnssec -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned +dnssec -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when both AAAA and A records exist and query source does not match acl, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep ::6 dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.signed -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep "1.0.0.3" dig.out.ns3.test$n > /dev/null || ret=1
+grep "::3" dig.out.ns3.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep "1.0.0.6" dig.out.ns3.test$n > /dev/null || ret=1
+grep "::6" dig.out.ns3.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed, qtype=ANY and DO is set with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.signed +dnssec -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep "1.0.0.3" dig.out.ns3.test$n > /dev/null || ret=1
+grep ::3 dig.out.ns3.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned +dnssec -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep "1.0.0.6" dig.out.ns3.test$n > /dev/null || ret=1
+grep "::6" dig.out.ns3.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned -b 10.53.0.1 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep 1.0.0.6 dig.out.ns3.test$n > /dev/null || ret=1
+grep ::6 dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv6, recursive with break-dnssec ($n)"
+if testsock6 fd92:7065:b8e:ffff::3
+then
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
+grep 2001:db8::6 dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+else
+echo_i "skipped."
+fi
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is omitted from additional section, qtype=NS, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +add ns unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep AAAA dig.out.ns3.test$n > /dev/null 2>&1 && ret=1
+grep "ADDITIONAL: 2" dig.out.ns3.test$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is omitted from additional section, qtype=MX, unsigned, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "^mx.unsigned.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is omitted from additional section, qtype=MX, signed, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "^mx.signed.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 && ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is included in additional section, qtype=MX, unsigned, over IPv6, recursive with break-dnssec ($n)"
+if testsock6 fd92:7065:b8e:ffff::3
+then
+ret=0
+$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
+grep "^mx.unsigned.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+else
+echo_i "skipped."
+fi
+
+if ! testsock6 fd92:7065:b8e:ffff::1
+then
+	echo_i "IPv6 address not configured; skipping IPv6 query tests"
+	echo_i "exit status: $status"
+	exit $status
+fi
+
+# Reconfiguring for IPv6 tests
+echo_i "reconfiguring servers"
+copy_setports ns1/named2.conf.in ns1/named.conf
+rndc_reconfig ns1 10.53.0.1
+copy_setports ns2/named2.conf.in ns2/named.conf
+rndc_reconfig ns2 10.53.0.2
+copy_setports ns3/named2.conf.in ns3/named.conf
+rndc_reconfig ns3 10.53.0.3
+copy_setports ns4/named2.conf.in ns4/named.conf
+rndc_reconfig ns4 10.53.0.4
+
+# BEGIN IPv6 TESTS
+
+#
+# Authoritative tests against:
+#	filter-aaaa-on-v6 yes;
+#	filter-aaaa { fd92:7065:b8e:ffff::1; };
+#
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when only AAAA record exists, signed ($n)"
+ret=0
+$DIG $DIGOPTS aaaa aaaa-only.signed -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
+grep ::2 dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when only AAAA record exists, unsigned ($n)"
+ret=0
+$DIG $DIGOPTS aaaa aaaa-only.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
+grep ::5 dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.signed -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when both AAAA and A records exist, signed and DO set ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.signed +dnssec -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
+grep ::3 dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when both AAAA and A records exist and query source does not match acl ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep ::6 dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY ($n)"
+ret=0
+$DIG $DIGOPTS any dual.signed -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "1.0.0.3" dig.out.ns1.test$n > /dev/null || ret=1
+grep "::3" dig.out.ns1.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "1.0.0.6" dig.out.ns1.test$n > /dev/null || ret=1
+grep "::6" dig.out.ns1.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, signed, qtype=ANY and DO is set ($n)"
+ret=0
+$DIG $DIGOPTS any dual.signed +dnssec -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep ::3 dig.out.ns1.test$n > /dev/null || ret=1
+grep "1.0.0.3" dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned +dnssec -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "1.0.0.6" dig.out.ns1.test$n > /dev/null || ret=1
+grep "::6" dig.out.ns1.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep 1.0.0.6 dig.out.ns1.test$n > /dev/null || ret=1
+grep ::6 dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv4 ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep 2001:db8::6 dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is omitted from additional section, qtype=NS ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec ns unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
+grep AAAA dig.out.ns1.test$n > /dev/null 2>&1 && ret=1
+grep "ADDITIONAL: 2" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is omitted from additional section, qtype=MX, unsigned ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
+grep "^mx.unsigned.*AAAA" dig.out.ns1.test$n > /dev/null 2>&1 && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is included in additional section, qtype=MX, signed ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec mx signed -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
+grep "^mx.signed.*AAAA" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is included in additional section, qtype=MX, unsigned, over IPv4 ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "^mx.unsigned.*AAAA" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+
+#
+# Authoritative tests against:
+#	filter-aaaa-on-v6 break-dnssec;
+#	filter-aaaa { fd92:7065:b8e:ffff::4; };
+#
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when only AAAA record exists, signed with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa aaaa-only.signed -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
+grep ::2 dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when only AAAA record exists, unsigned with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa aaaa-only.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
+grep ::5 dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.signed -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed and DO set with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.signed +dnssec -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when both AAAA and A records exist and query source does not match acl with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep ::6 dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.signed -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "1.0.0.3" dig.out.ns4.test$n > /dev/null || ret=1
+grep "::3" dig.out.ns4.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "1.0.0.6" dig.out.ns4.test$n > /dev/null || ret=1
+grep "::6" dig.out.ns4.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed, qtype=ANY and DO is set with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.signed +dnssec -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "1.0.0.3" dig.out.ns4.test$n > /dev/null || ret=1
+grep ::3 dig.out.ns4.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned +dnssec -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "1.0.0.6" dig.out.ns4.test$n > /dev/null || ret=1
+grep "::6" dig.out.ns4.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep 1.0.0.6 dig.out.ns4.test$n > /dev/null || ret=1
+grep ::6 dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv4 with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep 2001:db8::6 dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is omitted from additional section, qtype=NS, with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec ns unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
+grep AAAA dig.out.ns4.test$n > /dev/null 2>&1 && ret=1
+grep "ADDITIONAL: 2" dig.out.ns4.test$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is omitted from additional section, qtype=MX, unsigned, with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
+grep "^mx.unsigned.*AAAA" dig.out.ns4.test$n > /dev/null 2>&1 && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is omitted from additional section, qtype=MX, signed, with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec mx signed -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
+grep "^mx.signed.*AAAA" dig.out.ns4.test$n > /dev/null 2>&1 && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is included in additional section, qtype=MX, unsigned, over IPv4, with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "^mx.unsigned.*AAAA" dig.out.ns4.test$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+
+#
+# Recursive tests against:
+#	filter-aaaa-on-v6 yes;
+#	filter-aaaa { fd92:7065:b8e:ffff::2; };
+#
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when only AAAA record exists, signed, recursive ($n)"
+ret=0
+$DIG $DIGOPTS aaaa aaaa-only.signed -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
+grep ::2 dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when only AAAA record exists, unsigned, recursive ($n)"
+ret=0
+$DIG $DIGOPTS aaaa aaaa-only.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
+grep ::5 dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed, recursive ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.signed -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned, recursive ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when both AAAA and A records exist, signed and DO set, recursive ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.signed +dnssec -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
+grep ::3 dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set, recursive ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned +dnssec -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when both AAAA and A records exist and query source does not match acl, recursive ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep ::6 dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY recursive ($n)"
+ret=0
+$DIG $DIGOPTS any dual.signed -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "1.0.0.3" dig.out.ns2.test$n > /dev/null || ret=1
+grep "::3" dig.out.ns2.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY recursive ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "1.0.0.6" dig.out.ns2.test$n > /dev/null || ret=1
+grep "::6" dig.out.ns2.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, signed, qtype=ANY and DO is set, recursive ($n)"
+ret=0
+$DIG $DIGOPTS any dual.signed +dnssec -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
+grep ::3 dig.out.ns2.test$n > /dev/null || ret=1
+grep "1.0.0.3" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set, recursive ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned +dnssec -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "1.0.0.6" dig.out.ns2.test$n > /dev/null || ret=1
+grep "::6" dig.out.ns2.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl, recursive ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep 1.0.0.6 dig.out.ns2.test$n > /dev/null || ret=1
+grep ::6 dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv4, recursive ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep 2001:db8::6 dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is omitted from additional section, qtype=NS ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec ns unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
+grep AAAA dig.out.ns2.test$n > /dev/null 2>&1 && ret=1
+grep "ADDITIONAL: 2" dig.out.ns2.test$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is omitted from additional section, qtype=MX, unsigned ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
+grep "^mx.unsigned.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is included in additional section, qtype=MX, signed ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec mx signed -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
+grep "^mx.signed.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is included in additional section, qtype=MX, unsigned, over IPv4 ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep "^mx.unsigned.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+
+#
+# Recursive tests against:
+#	filter-aaaa-on-v6 yes;
+#	filter-aaaa { fd92:7065:b8e:ffff::3; };
+#
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when only AAAA record exists, signed, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa aaaa-only.signed -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1
+grep ::2 dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when only AAAA record exists, unsigned, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa aaaa-only.unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
+grep ::5 dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.signed -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed and DO set, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.signed +dnssec -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned +dnssec -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when both AAAA and A records exist and query source does not match acl, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep ::6 dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.signed -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep "1.0.0.3" dig.out.ns3.test$n > /dev/null || ret=1
+grep "::3" dig.out.ns3.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep "1.0.0.6" dig.out.ns3.test$n > /dev/null || ret=1
+grep "::6" dig.out.ns3.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed, qtype=ANY and DO is set with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.signed +dnssec -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep "1.0.0.3" dig.out.ns3.test$n > /dev/null || ret=1
+grep ::3 dig.out.ns3.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned +dnssec -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep "1.0.0.6" dig.out.ns3.test$n > /dev/null || ret=1
+grep "::6" dig.out.ns3.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep 1.0.0.6 dig.out.ns3.test$n > /dev/null || ret=1
+grep ::6 dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv4, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep 2001:db8::6 dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is omitted from additional section, qtype=NS, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec ns unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
+grep AAAA dig.out.ns3.test$n > /dev/null 2>&1 && ret=1
+grep "ADDITIONAL: 2" dig.out.ns3.test$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is omitted from additional section, qtype=MX, unsigned, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
+grep "^mx.unsigned.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is omitted from additional section, qtype=MX, signed, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec mx signed -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1
+grep "^mx.signed.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is included in additional section, qtype=MX, unsigned, over IPv4, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "^mx.unsigned.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# We don't check for the AAAA record here as configuration in ns5 does
+# not make sense.  The AAAA record is wanted by filter-aaaa but discarded
+# by the dns64 configuration. We just want to ensure the server stays
+# running.
+n=`expr $n + 1`
+echo_i "checking filter-aaaa with dns64 ($n)"
+ret=0
+$DIG $DIGOPTS aaaa aaaa-only.unsigned @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/formerr/clean.sh b/bin/tests/system/formerr/clean.sh
new file mode 100644
index 0000000..e525530
--- /dev/null
+++ b/bin/tests/system/formerr/clean.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f nametoolong.out 
+rm -f twoquestions.out 
+rm -f noquestions.out 
+rm -f ns*/named.conf
+rm -f ns*/named.lock
+rm -f ns*/named.run
+rm -f ns*/named.memstats
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/formerr/formerr.pl b/bin/tests/system/formerr/formerr.pl
new file mode 100644
index 0000000..0c68274
--- /dev/null
+++ b/bin/tests/system/formerr/formerr.pl
@@ -0,0 +1,97 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# This is a tool for sending an arbitrary packet via UDP or TCP to an
+# arbitrary address and port.  The packet is specified in a file or on
+# the standard input, in the form of a series of bytes in hexadecimal.
+# Whitespace is ignored, as is anything following a '#' symbol.
+#
+# For example, the following input would generate normal query for 
+# isc.org/NS/IN":
+#
+#     # QID:
+#     0c d8
+#     # header:
+#     01 00 00 01 00 00 00 00 00 00
+#     # qname isc.org:
+#     03 69 73 63 03 6f 72 67 00
+#     # qtype NS:
+#     00 02
+#     # qclass IN:
+#     00 01
+#
+# Note that we do not wait for a response for the server.  This is simply
+# a way of injecting arbitrary packets to test server resposnes.
+#
+# Usage: packet.pl [-a <address>] [-p <port>] [-t (udp|tcp)] [filename]
+#
+# If not specified, address defaults to 127.0.0.1, port to 53, protocol
+# to udp, and file to stdin.
+#
+# XXX: Doesn't support IPv6 yet
+
+require 5.006_001;
+
+use strict;
+use Getopt::Std;
+use IO::File;
+use IO::Socket;
+
+sub usage {
+    print ("Usage: packet.pl [-a address] [-p port] [file]\n");
+    exit 1;
+}
+
+my %options={};
+getopts("a:p:", \%options);
+
+my $addr = "127.0.0.1";
+$addr = $options{a} if defined $options{a};
+
+my $port = 53;
+$port = $options{p} if defined $options{p};
+
+my $file = "STDIN";
+if (@ARGV >= 1) {
+    my $filename = shift @ARGV;
+    open FH, "<$filename" or die "$filename: $!";
+    $file = "FH";
+}
+
+my $input = "";
+while (defined(my $line = <$file>) ) {
+    chomp $line;
+    $line =~ s/#.*$//;
+    $input .= $line;
+}
+
+$input =~ s/\s+//g;
+my $data = pack("H*", $input);
+my $len = length $data;
+
+my $output = unpack("H*", $data);
+print ("sending: $output\n");
+
+my $sock = IO::Socket::INET->new(PeerAddr => $addr, PeerPort => $port,
+				 Proto => "tcp") or die "$!";
+
+my $bytes;
+$bytes = $sock->syswrite(pack("n", $len), 2);
+$bytes = $sock->syswrite($data, $len);
+$bytes = $sock->sysread($data, 2);
+$len = unpack("n", $data);
+$bytes = $sock->sysread($data, $len);
+print "got: ", unpack("H*", $data). "\n";
+
+$sock->close;
+close $file;
diff --git a/bin/tests/system/formerr/nametoolong b/bin/tests/system/formerr/nametoolong
new file mode 100644
index 0000000..b81545f
--- /dev/null
+++ b/bin/tests/system/formerr/nametoolong
@@ -0,0 +1,19 @@
+00 00 00 00 00 01 00 00 00 00 00 00
+0f 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
+0f 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
+0f 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
+0f 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
+0f 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
+0f 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
+0f 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
+0f 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
+0f 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
+0f 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
+0f 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
+0f 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
+0f 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
+0f 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
+0f 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
+0e 41 41 41 41 41 41 41 41 41 41 41 41 41 41 00
+00 01
+00 01
diff --git a/bin/tests/system/formerr/noquestions b/bin/tests/system/formerr/noquestions
new file mode 100644
index 0000000..f087bcd
--- /dev/null
+++ b/bin/tests/system/formerr/noquestions
@@ -0,0 +1 @@
+00 00 00 00 00 00 00 00 00 00 00 00
diff --git a/bin/tests/system/formerr/ns1/named.conf.in b/bin/tests/system/formerr/ns1/named.conf.in
new file mode 100644
index 0000000..07aaf21
--- /dev/null
+++ b/bin/tests/system/formerr/ns1/named.conf.in
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
diff --git a/bin/tests/system/formerr/ns1/root.db b/bin/tests/system/formerr/ns1/root.db
new file mode 100644
index 0000000..f4d4c69
--- /dev/null
+++ b/bin/tests/system/formerr/ns1/root.db
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. 			IN SOA	marka.isc.org. a.root.servers.nil. (
+				2010   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.4
diff --git a/bin/tests/system/formerr/setup.sh b/bin/tests/system/formerr/setup.sh
new file mode 100644
index 0000000..e46affa
--- /dev/null
+++ b/bin/tests/system/formerr/setup.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
diff --git a/bin/tests/system/formerr/tests.sh b/bin/tests/system/formerr/tests.sh
new file mode 100644
index 0000000..0e2bca4
--- /dev/null
+++ b/bin/tests/system/formerr/tests.sh
@@ -0,0 +1,47 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+
+echo_i "test name too long"
+$PERL formerr.pl -a 10.53.0.1 -p ${PORT} nametoolong > nametoolong.out
+ans=`grep got: nametoolong.out`
+if [ "${ans}" != "got: 000080010000000000000000" ];
+then
+	echo_i "failed"; status=`expr $status + 1`;
+fi
+
+echo_i "two questions"
+$PERL formerr.pl -a 10.53.0.1 -p ${PORT} twoquestions > twoquestions.out
+ans=`grep got: twoquestions.out`
+if [ "${ans}" != "got: 000080010000000000000000" ];
+then
+	echo_i "failed"; status=`expr $status + 1`;
+fi
+
+# this would be NOERROR if it included a COOKIE option,
+# but is a FORMERR without one.
+echo_i "empty question section (and no COOKIE option)"
+$PERL formerr.pl -a 10.53.0.1 -p ${PORT} noquestions > noquestions.out
+ans=`grep got: noquestions.out`
+if [ "${ans}" != "got: 000080010000000000000000" ];
+then
+	echo_i "failed"; status=`expr $status + 1`;
+fi
+
+echo_i "exit status: $status"
+
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/formerr/twoquestions b/bin/tests/system/formerr/twoquestions
new file mode 100644
index 0000000..2192e3d
--- /dev/null
+++ b/bin/tests/system/formerr/twoquestions
@@ -0,0 +1,7 @@
+00 00 00 00 00 02 00 00 00 00 00 00
+0e 41 41 41 41 41 41 41 41 41 41 41 41 41 41 00
+00 01
+00 02
+0e 41 41 41 41 41 41 41 41 41 41 41 41 41 41 00
+00 01
+00 01
diff --git a/bin/tests/system/forward/ans11/ans.py b/bin/tests/system/forward/ans11/ans.py
new file mode 100644
index 0000000..e8f1195
--- /dev/null
+++ b/bin/tests/system/forward/ans11/ans.py
@@ -0,0 +1,143 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+from __future__ import print_function
+import os
+import sys
+import signal
+import socket
+import select
+from datetime import datetime, timedelta
+import time
+import functools
+
+import dns, dns.message, dns.query, dns.flags
+from dns.rdatatype import *
+from dns.rdataclass import *
+from dns.rcode import *
+from dns.name import *
+
+
+# Log query to file
+def logquery(type, qname):
+    with open("qlog", "a") as f:
+        f.write("%s %s\n", type, qname)
+
+
+############################################################################
+# Respond to a DNS query.
+############################################################################
+def create_response(msg):
+    m = dns.message.from_wire(msg)
+    qname = m.question[0].name.to_text()
+    rrtype = m.question[0].rdtype
+    typename = dns.rdatatype.to_text(rrtype)
+
+    with open("query.log", "a") as f:
+        f.write("%s %s\n" % (typename, qname))
+        print("%s %s" % (typename, qname), end=" ")
+
+    r = dns.message.make_response(m)
+    r.set_rcode(NOERROR)
+    if rrtype == A:
+        tld = qname.split(".")[-2] + "."
+        ns = "local." + tld
+        r.answer.append(dns.rrset.from_text(qname, 300, IN, A, "10.53.0.11"))
+        r.answer.append(dns.rrset.from_text(tld, 300, IN, NS, "local." + tld))
+        r.additional.append(dns.rrset.from_text(ns, 300, IN, A, "10.53.0.11"))
+    elif rrtype == NS:
+        r.answer.append(dns.rrset.from_text(qname, 300, IN, NS, "."))
+    elif rrtype == SOA:
+        r.answer.append(dns.rrset.from_text(qname, 300, IN, SOA, ". . 0 0 0 0 0"))
+    else:
+        r.authority.append(dns.rrset.from_text(qname, 300, IN, SOA, ". . 0 0 0 0 0"))
+    r.flags |= dns.flags.AA
+    return r
+
+
+def sigterm(signum, frame):
+    print("Shutting down now...")
+    os.remove("ans.pid")
+    running = False
+    sys.exit(0)
+
+
+############################################################################
+# Main
+#
+# Set up responder and control channel, open the pid file, and start
+# the main loop, listening for queries on the query channel or commands
+# on the control channel and acting on them.
+############################################################################
+ip4 = "10.53.0.11"
+ip6 = "fd92:7065:b8e:ffff::11"
+
+try:
+    port = int(os.environ["PORT"])
+except:
+    port = 5300
+
+query4_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+query4_socket.bind((ip4, port))
+havev6 = True
+try:
+    query6_socket = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
+    try:
+        query6_socket.bind((ip6, port))
+    except:
+        query6_socket.close()
+        havev6 = False
+except:
+    havev6 = False
+signal.signal(signal.SIGTERM, sigterm)
+
+f = open("ans.pid", "w")
+pid = os.getpid()
+print(pid, file=f)
+f.close()
+
+running = True
+
+print("Listening on %s port %d" % (ip4, port))
+if havev6:
+    print("Listening on %s port %d" % (ip6, port))
+print("Ctrl-c to quit")
+
+if havev6:
+    input = [query4_socket, query6_socket]
+else:
+    input = [query4_socket]
+
+while running:
+    try:
+        inputready, outputready, exceptready = select.select(input, [], [])
+    except select.error as e:
+        break
+    except socket.error as e:
+        break
+    except KeyboardInterrupt:
+        break
+
+    for s in inputready:
+        if s == query4_socket or s == query6_socket:
+            print(
+                "Query received on %s" % (ip4 if s == query4_socket else ip6), end=" "
+            )
+            # Handle incoming queries
+            msg = s.recvfrom(65535)
+            rsp = create_response(msg[0])
+            if rsp:
+                print(dns.rcode.to_text(rsp.rcode()))
+                s.sendto(rsp.to_wire(), msg[1])
+            else:
+                print("NO RESPONSE")
+    if not running:
+        break
diff --git a/bin/tests/system/forward/ans6/ans.pl b/bin/tests/system/forward/ans6/ans.pl
new file mode 100644
index 0000000..6102e4a
--- /dev/null
+++ b/bin/tests/system/forward/ans6/ans.pl
@@ -0,0 +1,562 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# This is the name server from hell.  It provides canned
+# responses based on pattern matching the queries, and
+# can be reprogrammed on-the-fly over a TCP connection.
+#
+# The server listens for queries on port 5300 (or PORT).
+#
+# The server listens for control connections on port 5301 (or EXTRAPORT1).
+#
+# A control connection is a TCP stream of lines like
+#
+#  /pattern/
+#  name ttl type rdata
+#  name ttl type rdata
+#  ...
+#  /pattern/
+#  name ttl type rdata
+#  name ttl type rdata
+#  ...
+#
+# There can be any number of patterns, each associated
+# with any number of response RRs.  Each pattern is a
+# Perl regular expression.  If an empty pattern ("//") is
+# received, the server will ignore all incoming queries (TCP
+# connections will still be accepted, but both UDP queries
+# and TCP queries will not be responded to).  If a non-empty
+# pattern is then received over the same control connection,
+# default behavior is restored.
+#
+# Each incoming query is converted into a string of the form
+# "qname qtype" (the printable query domain name, space,
+# printable query type) and matched against each pattern.
+#
+# The first pattern matching the query is selected, and
+# the RR following the pattern line are sent in the
+# answer section of the response.
+#
+# Each new control connection causes the current set of
+# patterns and responses to be cleared before adding new
+# ones.
+#
+# The server handles UDP and TCP queries.  Zone transfer
+# responses work, but must fit in a single 64 k message.
+#
+# Now you can add TSIG, just specify key/key data with:
+#
+#  /pattern <key> <key_data>/
+#  name ttl type rdata
+#  name ttl type rdata
+#
+#  Note that this data will still be sent with any request for
+#  pattern, only this data will be signed. Currently, this is only
+#  done for TCP.
+#
+# /pattern bad-id <key> <key_data>/
+# /pattern bad-id/
+#
+# will add 50 to the message id of the response.
+
+
+use IO::File;
+use IO::Socket;
+use Data::Dumper;
+use Net::DNS;
+use Net::DNS::Packet;
+use strict;
+
+# Ignore SIGPIPE so we won't fail if peer closes a TCP socket early
+local $SIG{PIPE} = 'IGNORE';
+
+# Flush logged output after every line
+local $| = 1;
+
+# We default to listening on 10.53.0.2 for historical reasons
+# XXX: we should also be able to specify IPv6
+my $server_addr = "10.53.0.6";
+if (@ARGV > 0) {
+	$server_addr = @ARGV[0];
+}
+
+my $mainport = int($ENV{'PORT'});
+if (!$mainport) { $mainport = 5300; }
+my $ctrlport = int($ENV{'EXTRAPORT1'});
+if (!$ctrlport) { $ctrlport = 5301; }
+
+print "listening on $server_addr:$mainport,$ctrlport.\n";
+print "Using Net::DNS $Net::DNS::VERSION\n";
+
+# XXX: we should also be able to set the port numbers to listen on.
+my $ctlsock = IO::Socket::INET->new(LocalAddr => "$server_addr",
+   LocalPort => $ctrlport, Proto => "tcp", Listen => 5, Reuse => 1) or die "$!";
+
+my $udpsock = IO::Socket::INET->new(LocalAddr => "$server_addr",
+   LocalPort => $mainport, Proto => "udp", Reuse => 1) or die "$!";
+
+my $tcpsock = IO::Socket::INET->new(LocalAddr => "$server_addr",
+   LocalPort => $mainport, Proto => "tcp", Listen => 5, Reuse => 1) or die "$!";
+
+my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
+print $pidf "$$\n" or die "cannot write pid file: $!";
+$pidf->close or die "cannot close pid file: $!";;
+sub rmpid { unlink "ans.pid"; exit 1; };
+
+$SIG{INT} = \&rmpid;
+$SIG{TERM} = \&rmpid;
+
+#my @answers = ();
+my @rules;
+my $udphandler;
+my $tcphandler;
+
+sub handleUDP {
+	my ($buf) = @_;
+	my $request;
+
+	if ($Net::DNS::VERSION > 0.68) {
+		$request = new Net::DNS::Packet(\$buf, 0);
+		$@ and die $@;
+	} else {
+		my $err;
+		($request, $err) = new Net::DNS::Packet(\$buf, 0);
+		$err and die $err;
+	}
+
+	my @questions = $request->question;
+	my $qname = $questions[0]->qname;
+	my $qtype = $questions[0]->qtype;
+	my $qclass = $questions[0]->qclass;
+	my $id = $request->header->id;
+
+	my $packet = new Net::DNS::Packet($qname, $qtype, $qclass);
+	$packet->header->qr(1);
+	$packet->header->aa(1);
+	$packet->header->id($id);
+
+	# get the existing signature if any, and clear the additional section
+	my $prev_tsig;
+	while (my $rr = $request->pop("additional")) {
+		$prev_tsig = $rr if ($rr->type eq "TSIG");
+	}
+
+	my $r;
+        my $answers = 0;
+        my $match;
+        my $key_name;
+        my $key_data;
+	foreach $r (@rules) {
+		my $pattern = $r->{pattern};
+		($match, $key_name, $key_data) = split(/ /,$pattern);
+		print "[handleUDP] $match, $key_name, $key_data\n";
+                $match =~ tr/\// /;
+		if ("$qname $qtype" =~ /$match/) {
+			my $a;
+			foreach $a (@{$r->{answer}}) {
+                                my $resp;
+                                $resp = new Net::DNS::RR("$qname $a");
+				$packet->push("answer", $resp);
+                                ++$answers;
+			}
+                        last;
+                }
+        }
+        if ($answers eq 0) {
+                my $soa;
+                $soa = new Net::DNS::RR("$qname 300 IN SOA . . 0 0 0 0 0");
+                $packet->push("authority", $soa)
+        }
+        if (defined($key_name) && defined($key_data)) {
+                my $tsig;
+                # Sign the packet
+                print "  Signing the response with " .
+                      "$key_name/$key_data\n";
+
+                if ($Net::DNS::VERSION < 0.69) {
+                        $tsig = Net::DNS::RR->new(
+                                   "$key_name TSIG $key_data");
+                } else {
+                        $tsig = Net::DNS::RR->new(
+                                        name => $key_name,
+                                        type => 'TSIG',
+                                        key  => $key_data);
+                }
+
+                # These kluges are necessary because Net::DNS
+                # doesn't know how to sign responses.  We
+                # clear compnames so that the TSIG key and
+                # algorithm name won't be compressed, and
+                # add one to arcount because the signing
+                # function will attempt to decrement it,
+                # which is incorrect in a response. Finally
+                # we set request_mac to the previous digest.
+                $packet->{"compnames"} = {}
+                        if ($Net::DNS::VERSION < 0.70);
+                $packet->{"header"}{"arcount"} += 1
+                        if ($Net::DNS::VERSION < 0.70);
+                if (defined($prev_tsig)) {
+                        if ($Net::DNS::VERSION < 0.73) {
+                                my $rmac = pack('n H*',
+                                        length($prev_tsig->mac)/2,
+                                        $prev_tsig->mac);
+                                $tsig->{"request_mac"} =
+                                        unpack("H*", $rmac);
+                        } else {
+                                $tsig->request_mac(
+                                         $prev_tsig->mac);
+                        }
+                }
+
+                $packet->sign_tsig($tsig);
+	}
+	#$packet->print;
+
+	return $packet->data;
+}
+
+# namelen:
+# given a stream of data, reads a DNS-formatted name and returns its
+# total length, thus making it possible to skip past it.
+sub namelen {
+	my ($data) = @_;
+	my $len = 0;
+	my $label_len = 0;
+	do {
+		$label_len = unpack("c", $data);
+		$data = substr($data, $label_len + 1);
+		$len += $label_len + 1;
+	} while ($label_len != 0);
+	return ($len);
+}
+
+# packetlen:
+# given a stream of data, reads a DNS wire-format packet and returns
+# its total length, making it possible to skip past it.
+sub packetlen {
+	my ($data) = @_;
+	my $q;
+	my $rr;
+	my $header;
+	my $offset;
+
+	#
+	# decode/encode were introduced in Net::DNS 0.68
+	# parse is no longer a method and calling it here makes perl croak.
+	#
+	my $decode = 0;
+	$decode = 1 if ($Net::DNS::VERSION >= 0.68);
+
+	if ($decode) {
+		($header, $offset) = Net::DNS::Header->decode(\$data);
+	} else {
+		($header, $offset) = Net::DNS::Header->parse(\$data);
+	}
+
+	for (1 .. $header->qdcount) {
+		if ($decode) {
+			($q, $offset) =
+				 Net::DNS::Question->decode(\$data, $offset);
+		} else {
+			($q, $offset) =
+				 Net::DNS::Question->parse(\$data, $offset);
+		}
+	}
+	for (1 .. $header->ancount) {
+		if ($decode) {
+			($q, $offset) = Net::DNS::RR->decode(\$data, $offset);
+		} else {
+			($q, $offset) = Net::DNS::RR->parse(\$data, $offset);
+		}
+	}
+	for (1 .. $header->nscount) {
+		if ($decode) {
+			($q, $offset) = Net::DNS::RR->decode(\$data, $offset);
+		} else {
+			($q, $offset) = Net::DNS::RR->parse(\$data, $offset);
+		}
+	}
+	for (1 .. $header->arcount) {
+		if ($decode) {
+			($q, $offset) = Net::DNS::RR->decode(\$data, $offset);
+		} else {
+			($q, $offset) = Net::DNS::RR->parse(\$data, $offset);
+		}
+	}
+	return $offset;
+}
+
+# sign_tcp_continuation:
+# This is a hack to correct the problem that Net::DNS has no idea how
+# to sign multiple-message TCP responses.  Several data that are included
+# in the digest when signing a query or the first message of a response are
+# omitted when signing subsequent messages in a TCP stream.
+#
+# Net::DNS::Packet->sign_tsig() has the ability to use a custom signing
+# function (specified by calling Packet->sign_func()).  We use this
+# function as the signing function for TCP continuations, and it removes
+# the unwanted data from the digest before calling the default sign_hmac
+# function.
+sub sign_tcp_continuation {
+	my ($key, $data) = @_;
+
+	# copy out first two bytes: size of the previous MAC
+	my $rmacsize = unpack("n", $data);
+	$data = substr($data, 2);
+
+	# copy out previous MAC
+	my $rmac = substr($data, 0, $rmacsize);
+	$data = substr($data, $rmacsize);
+
+	# try parsing out the packet information
+	my $plen = packetlen($data);
+	my $pdata = substr($data, 0, $plen);
+	$data = substr($data, $plen);
+
+	# remove the keyname, ttl, class, and algorithm name
+	$data = substr($data, namelen($data));
+	$data = substr($data, 6);
+	$data = substr($data, namelen($data));
+
+	# preserve the TSIG data
+	my $tdata = substr($data, 0, 8);
+
+	# prepare a new digest and sign with it
+	$data = pack("n", $rmacsize) . $rmac . $pdata . $tdata;
+	return Net::DNS::RR::TSIG::sign_hmac($key, $data);
+}
+
+sub handleTCP {
+	my ($buf) = @_;
+	my $request;
+
+	if ($Net::DNS::VERSION > 0.68) {
+		$request = new Net::DNS::Packet(\$buf, 0);
+		$@ and die $@;
+	} else {
+		my $err;
+		($request, $err) = new Net::DNS::Packet(\$buf, 0);
+		$err and die $err;
+	}
+
+	my @questions = $request->question;
+	my $qname = $questions[0]->qname;
+	my $qtype = $questions[0]->qtype;
+	my $qclass = $questions[0]->qclass;
+	my $id = $request->header->id;
+
+	my $opaque;
+
+	my $packet = new Net::DNS::Packet($qname, $qtype, $qclass);
+	$packet->header->qr(1);
+	$packet->header->aa(1);
+	$packet->header->id($id);
+
+	# get the existing signature if any, and clear the additional section
+	my $prev_tsig;
+	my $signer;
+	my $continuation = 0;
+	if ($Net::DNS::VERSION < 0.81) {
+		while (my $rr = $request->pop("additional")) {
+			if ($rr->type eq "TSIG") {
+				$prev_tsig = $rr;
+			}
+		}
+	}
+
+	my @results = ();
+	my $count_these = 0;
+
+	my $r;
+        my $answers = 0;
+        my $match;
+        my $key_name;
+        my $key_data;
+        my $tname;
+	foreach $r (@rules) {
+		my $pattern = $r->{pattern};
+		my($match, $key_name, $key_data, $tname) = split(/ /,$pattern);
+		print "[handleTCP] $match, $key_name, $key_data, $tname \n";
+                $match =~ tr/\// /;
+		if ("$qname $qtype" =~ /$match/) {
+			$count_these++;
+			my $a;
+			foreach $a (@{$r->{answer}}) {
+                                my $resp;
+                                $resp = new Net::DNS::RR("$qname $a");
+				$packet->push("answer", $resp);
+                                ++$answers;
+			}
+                        last;
+                }
+        }
+        if ($answers eq 0) {
+                my $soa;
+                $soa = new Net::DNS::RR("$qname 300 SOA . . 0 0 0 0 0");
+                $packet->push("authority", $soa)
+        }
+        if (defined($key_name) && $key_name eq "bad-id") {
+                $packet->header->id(($id+50)%0xffff);
+                $key_name = $key_data;
+                ($key_data, $tname) = split(/ /,$tname)
+        }
+        if (defined($key_name) && defined($key_data)) {
+                my $tsig;
+                # sign the packet
+                print "  Signing the data with " .
+                      "$key_name/$key_data\n";
+
+                if ($Net::DNS::VERSION < 0.69) {
+                        $tsig = Net::DNS::RR->new(
+                                   "$key_name TSIG $key_data");
+                } elsif ($Net::DNS::VERSION >= 0.81 &&
+                         $continuation) {
+                } elsif ($Net::DNS::VERSION >= 0.75 &&
+                         $continuation) {
+                        $tsig = $prev_tsig;
+                } else {
+                        $tsig = Net::DNS::RR->new(
+                                        name => $key_name,
+                                        type => 'TSIG',
+                                        key  => $key_data);
+                }
+
+                # These kluges are necessary because Net::DNS
+                # doesn't know how to sign responses.  We
+                # clear compnames so that the TSIG key and
+                # algorithm name won't be compressed, and
+                # add one to arcount because the signing
+                # function will attempt to decrement it,
+                # which is incorrect in a response. Finally
+                # we set request_mac to the previous digest.
+                $packet->{"compnames"} = {}
+                        if ($Net::DNS::VERSION < 0.70);
+                $packet->{"header"}{"arcount"} += 1
+                        if ($Net::DNS::VERSION < 0.70);
+                if (defined($prev_tsig)) {
+                        if ($Net::DNS::VERSION < 0.73) {
+                                my $rmac = pack('n H*',
+                                        length($prev_tsig->mac)/2,
+                                        $prev_tsig->mac);
+                                $tsig->{"request_mac"} =
+                                        unpack("H*", $rmac);
+                        } elsif ($Net::DNS::VERSION < 0.81) {
+                                $tsig->request_mac(
+                                         $prev_tsig->mac);
+                        }
+                }
+
+                $tsig->sign_func($signer) if defined($signer);
+                $tsig->continuation($continuation) if
+                         ($Net::DNS::VERSION >= 0.71 &&
+                          $Net::DNS::VERSION <= 0.74 );
+                if ($Net::DNS::VERSION < 0.81) {
+                        $packet->sign_tsig($tsig);
+                } elsif ($continuation) {
+                        $opaque = $packet->sign_tsig($opaque);
+                } else {
+                        $opaque = $packet->sign_tsig($request);
+                }
+                $signer = \&sign_tcp_continuation
+                        if ($Net::DNS::VERSION < 0.70);
+                $continuation = 1;
+
+                my $copy =
+                        Net::DNS::Packet->new(\($packet->data));
+                $prev_tsig = $copy->pop("additional");
+        }
+
+        #$packet->print;
+        push(@results,$packet->data);
+        if ($tname eq "") {
+                $tname = $qname;
+        }
+        $packet = new Net::DNS::Packet($tname, $qtype, $qclass);
+        $packet->header->qr(1);
+        $packet->header->aa(1);
+        $packet->header->id($id);
+	print " A total of $count_these patterns matched\n";
+	return \@results;
+}
+
+# Main
+my $rin;
+my $rout;
+for (;;) {
+	$rin = '';
+	vec($rin, fileno($ctlsock), 1) = 1;
+	vec($rin, fileno($tcpsock), 1) = 1;
+	vec($rin, fileno($udpsock), 1) = 1;
+
+	select($rout = $rin, undef, undef, undef);
+
+	if (vec($rout, fileno($ctlsock), 1)) {
+		warn "ctl conn";
+		my $conn = $ctlsock->accept;
+		my $rule = ();
+		@rules = ();
+		while (my $line = $conn->getline) {
+			chomp $line;
+			if ($line =~ m!^/(.*)/$!) {
+				if (length($1) == 0) {
+					$udphandler = sub { return; };
+					$tcphandler = sub { return; };
+				} else {
+					$udphandler = \&handleUDP;
+					$tcphandler = \&handleTCP;
+					$rule = { pattern => $1, answer => [] };
+					push(@rules, $rule);
+				}
+			} else {
+                                push(@{$rule->{answer}}, $line);
+			}
+		}
+		$conn->close;
+		#print Dumper(@rules);
+		#print "+=+=+ $rules[0]->{'pattern'}\n";
+		#print "+=+=+ $rules[0]->{'answer'}->[0]->{'rname'}\n";
+		#print "+=+=+ $rules[0]->{'answer'}->[0]\n";
+	} elsif (vec($rout, fileno($udpsock), 1)) {
+		printf "UDP request\n";
+		my $buf;
+		$udpsock->recv($buf, 512);
+		my $result = &$udphandler($buf);
+		if (defined($result)) {
+			my $num_chars = $udpsock->send($result);
+			print "  Sent $num_chars bytes via UDP\n";
+		}
+	} elsif (vec($rout, fileno($tcpsock), 1)) {
+		my $conn = $tcpsock->accept;
+		my $buf;
+		for (;;) {
+			my $lenbuf;
+			my $n = $conn->sysread($lenbuf, 2);
+			last unless $n == 2;
+			my $len = unpack("n", $lenbuf);
+			$n = $conn->sysread($buf, $len);
+			last unless $n == $len;
+			print "TCP request\n";
+			my $result = &$tcphandler($buf);
+			if (defined($result)) {
+				foreach my $response (@$result) {
+					$len = length($response);
+					$n = $conn->syswrite(pack("n", $len), 2);
+					$n = $conn->syswrite($response, $len);
+					print "    Sent: $n chars via TCP\n";
+				}
+			}
+		}
+		$conn->close;
+	}
+}
diff --git a/bin/tests/system/forward/clean.sh b/bin/tests/system/forward/clean.sh
new file mode 100644
index 0000000..fad8ec5
--- /dev/null
+++ b/bin/tests/system/forward/clean.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Clean up after forward tests.
+#
+rm -f ./ans11/query.log
+rm -f ./dig.out.*
+rm -f ./*/named.conf
+rm -f ./*/named.memstats
+rm -f ./*/named.run ./*/named.run.prev
+rm -f ./*/named_dump.db
+rm -f ./ns*/named.lock
+rm -f ./ns*/managed-keys.bind*
+rm -f ./ns1/root.db ./ns1/root.db.signed
+rm -f ./ns*/trusted.conf
+rm -f ./ns1/K* ./ns1/dsset-*
diff --git a/bin/tests/system/forward/ns1/diditwork.net.db b/bin/tests/system/forward/ns1/diditwork.net.db
new file mode 100644
index 0000000..fd9a46e
--- /dev/null
+++ b/bin/tests/system/forward/ns1/diditwork.net.db
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	ns root (
+				2000082401 ; serial
+				1800       ; refresh (30 minutes)
+				1800       ; retry (30 minutes)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+			TXT	"recursed"
+ns			A	10.53.0.1
diff --git a/bin/tests/system/forward/ns1/example.db b/bin/tests/system/forward/ns1/example.db
new file mode 100644
index 0000000..aac1bef
--- /dev/null
+++ b/bin/tests/system/forward/ns1/example.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	ns root (
+				2000082401 ; serial
+				1800       ; refresh (30 minutes)
+				1800       ; retry (30 minutes)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.1
+
+txt			TXT	"recursed"
diff --git a/bin/tests/system/forward/ns1/named.conf.in b/bin/tests/system/forward/ns1/named.conf.in
new file mode 100644
index 0000000..f871fd6
--- /dev/null
+++ b/bin/tests/system/forward/ns1/named.conf.in
@@ -0,0 +1,87 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	query-source-v6 address fd92:7065:b8e:ffff::1;
+	notify-source 10.53.0.1;
+	notify-source-v6 fd92:7065:b8e:ffff::1;
+	transfer-source 10.53.0.1;
+	transfer-source-v6 fd92:7065:b8e:ffff::1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { fd92:7065:b8e:ffff::1; };
+	recursion no;
+	dnssec-validation no;
+};
+
+zone "." {
+	type primary;
+	file "root.db.signed";
+};
+
+zone "example1." {
+	type primary;
+	file "example.db";
+};
+
+zone "example2." {
+	type primary;
+	file "example.db";
+};
+
+zone "example3." {
+	type primary;
+	file "example.db";
+};
+
+zone "example4." {
+	type primary;
+	file "example.db";
+};
+
+zone "example5." {
+	type primary;
+	file "example.db";
+};
+
+zone "sld.tld" {
+	type primary;
+	file "sld.tld.db";
+};
+
+/* A forward zone without forwarders. */
+zone "example6" {
+	type forward;
+};
+
+zone "diditwork.net" {
+	type primary;
+	file "diditwork.net.db";
+};
+
+zone "spoofed.net" {
+	type primary;
+	file "spoofed.net.db";
+};
+
+zone "sub.local.net" {
+	type primary;
+	file "sub.local.net.db";
+};
+
+zone "net.example.lll" {
+	type master;
+	file "net.example.lll";
+};
diff --git a/bin/tests/system/forward/ns1/net.example.lll b/bin/tests/system/forward/ns1/net.example.lll
new file mode 100644
index 0000000..ba0804f
--- /dev/null
+++ b/bin/tests/system/forward/ns1/net.example.lll
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 86400
+net.example.lll.		SOA	. . 0 0 0 0 0
+net.example.lll.		NS	attackSecureDomain.net.
+didItWork.net.example.lll.	TXT	"if you can see this record the attack worked"
diff --git a/bin/tests/system/forward/ns1/root.db.in b/bin/tests/system/forward/ns1/root.db.in
new file mode 100644
index 0000000..95ffac3
--- /dev/null
+++ b/bin/tests/system/forward/ns1/root.db.in
@@ -0,0 +1,36 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. 			IN SOA	gson.nominum.com. a.root.servers.nil. (
+				2000042100   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+
+example1		NS	ns.example1
+ns.example1		A	10.53.0.1
+
+example2		NS	ns.example2
+ns.example2		A	10.53.0.1
+
+example3		NS	ns.example3
+ns.example3		A	10.53.0.1
+
+example7		NS	ns.example7
+ns.example7		A	10.53.0.2
+
+tld			NS	ns.tld
+ns.tld			A	10.53.0.2
diff --git a/bin/tests/system/forward/ns1/sign.sh b/bin/tests/system/forward/ns1/sign.sh
new file mode 100644
index 0000000..cba1918
--- /dev/null
+++ b/bin/tests/system/forward/ns1/sign.sh
@@ -0,0 +1,34 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+zone=.
+infile=root.db.in
+zonefile=root.db
+
+echo_i "ns1/sign.sh"
+
+ksk=$("$KEYGEN" -q -fk -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile"
+
+"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
+
+# Configure the resolving server with a static key.
+keyfile_to_static_ds "$ksk" > trusted.conf
+cp trusted.conf ../ns3/trusted.conf
diff --git a/bin/tests/system/forward/ns1/sld.tld.db b/bin/tests/system/forward/ns1/sld.tld.db
new file mode 100644
index 0000000..f0d4b05
--- /dev/null
+++ b/bin/tests/system/forward/ns1/sld.tld.db
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	ns root (
+				2000082401 ; serial
+				1800       ; refresh (30 minutes)
+				1800       ; retry (30 minutes)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.1
+xxx			TXT	"foo"
diff --git a/bin/tests/system/forward/ns1/spoofed.net.db b/bin/tests/system/forward/ns1/spoofed.net.db
new file mode 100644
index 0000000..eedc46f
--- /dev/null
+++ b/bin/tests/system/forward/ns1/spoofed.net.db
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	ns root (
+				2000082401 ; serial
+				1800       ; refresh (30 minutes)
+				1800       ; retry (30 minutes)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.1
+sub			TXT	"recursed"
diff --git a/bin/tests/system/forward/ns1/sub.local.net.db b/bin/tests/system/forward/ns1/sub.local.net.db
new file mode 100644
index 0000000..fd9a46e
--- /dev/null
+++ b/bin/tests/system/forward/ns1/sub.local.net.db
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	ns root (
+				2000082401 ; serial
+				1800       ; refresh (30 minutes)
+				1800       ; retry (30 minutes)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+			TXT	"recursed"
+ns			A	10.53.0.1
diff --git a/bin/tests/system/forward/ns10/fakenet.zone b/bin/tests/system/forward/ns10/fakenet.zone
new file mode 100644
index 0000000..b655a32
--- /dev/null
+++ b/bin/tests/system/forward/ns10/fakenet.zone
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 86400
+net.			SOA	. . 0 0 0 0 0
+net.			NS	attackSecureDomain.net.
+attackSecureDomain.net.	A	10.53.0.10
+didItWork.net.		TXT	"if you can see this record the attack worked"
+ns.spoofed.net.		A	10.53.0.10
diff --git a/bin/tests/system/forward/ns10/fakenet2.zone b/bin/tests/system/forward/ns10/fakenet2.zone
new file mode 100644
index 0000000..cd1e6e9
--- /dev/null
+++ b/bin/tests/system/forward/ns10/fakenet2.zone
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 86400
+net2.			SOA	. . 0 0 0 0 0
+net2.			NS	attackSecureDomain.net.
+net2.			DNAME	net.example.lll.
diff --git a/bin/tests/system/forward/ns10/fakesublocalnet.zone b/bin/tests/system/forward/ns10/fakesublocalnet.zone
new file mode 100644
index 0000000..160b533
--- /dev/null
+++ b/bin/tests/system/forward/ns10/fakesublocalnet.zone
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 86400
+sub.local.net.		SOA	. . 0 0 0 0 0
+sub.local.net.		NS	ns.spoofed.net.
+sub.local.net.		TXT	"if you see this attacker overrode local delegation"
diff --git a/bin/tests/system/forward/ns10/fakesublocaltld.zone b/bin/tests/system/forward/ns10/fakesublocaltld.zone
new file mode 100644
index 0000000..f78cbc7
--- /dev/null
+++ b/bin/tests/system/forward/ns10/fakesublocaltld.zone
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+sub.local.tld.		3600	IN	SOA	. . 0 0 0 0 0
+sub.local.tld.		3600	IN	NS	ns.sub.local.tld.
+sub.local.tld.		3600	IN	TXT	bad
+ns.sub.local.tld.	3600	IN	A	10.53.0.8
diff --git a/bin/tests/system/forward/ns10/named.conf.in b/bin/tests/system/forward/ns10/named.conf.in
new file mode 100644
index 0000000..1f318dd
--- /dev/null
+++ b/bin/tests/system/forward/ns10/named.conf.in
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.10;
+	notify-source 10.53.0.10;
+	transfer-source 10.53.0.10;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.10; };
+	listen-on-v6 { none; };
+	minimal-responses no;
+};
+
+zone "net." {
+	type master;
+	file "fakenet.zone";
+};
+
+zone "spoofed.net." {
+	type master;
+	file "spoofednet.zone";
+};
+
+zone "sub.local.net." {
+	type master;
+	file "fakesublocalnet.zone";
+};
+
+zone "net2" {
+	type master;
+	file "fakenet2.zone";
+};
+
+zone "net.example.lll" {
+	type master;
+	file "net.example.lll";
+};
+
+zone "sub.local.tld." {
+	type master;
+	file "fakesublocaltld.zone";
+};
diff --git a/bin/tests/system/forward/ns10/net.example.lll b/bin/tests/system/forward/ns10/net.example.lll
new file mode 100644
index 0000000..ba0804f
--- /dev/null
+++ b/bin/tests/system/forward/ns10/net.example.lll
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 86400
+net.example.lll.		SOA	. . 0 0 0 0 0
+net.example.lll.		NS	attackSecureDomain.net.
+didItWork.net.example.lll.	TXT	"if you can see this record the attack worked"
diff --git a/bin/tests/system/forward/ns10/spoofednet.zone b/bin/tests/system/forward/ns10/spoofednet.zone
new file mode 100644
index 0000000..fb70a43
--- /dev/null
+++ b/bin/tests/system/forward/ns10/spoofednet.zone
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 86400
+spoofed.net.		SOA	. . 0 0 0 0 0
+spoofed.net.		NS	ns.spoofed.net.
+ns.spoofed.net.		A	10.53.0.10
+spoofed.net.		TXT	"this record is clearly spoofed"
diff --git a/bin/tests/system/forward/ns2/example.db b/bin/tests/system/forward/ns2/example.db
new file mode 100644
index 0000000..df3e52c
--- /dev/null
+++ b/bin/tests/system/forward/ns2/example.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	ns root (
+				2000082401 ; serial
+				1800       ; refresh (30 minutes)
+				1800       ; retry (30 minutes)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.1
+
+txt			TXT	"forwarded"
diff --git a/bin/tests/system/forward/ns2/named.conf.in b/bin/tests/system/forward/ns2/named.conf.in
new file mode 100644
index 0000000..f9a081a
--- /dev/null
+++ b/bin/tests/system/forward/ns2/named.conf.in
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.2;
+	query-source-v6 address fd92:7065:b8e:ffff::2;
+	notify-source 10.53.0.2;
+	notify-source-v6 fd92:7065:b8e:ffff::2;
+	transfer-source 10.53.0.2;
+	transfer-source-v6 fd92:7065:b8e:ffff::2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { fd92:7065:b8e:ffff::2; };
+	recursion no;
+	dnssec-validation no;
+};
+
+zone "." {
+	type hint;
+	file "root.db";
+};
+
+zone "example1." {
+	type primary;
+	file "example.db";
+};
+
+zone "example2." {
+	type primary;
+	file "example.db";
+};
+
+zone "example3." {
+	type primary;
+	file "example.db";
+};
+
+zone "example4." {
+	type primary;
+	file "example.db";
+};
+
+zone "example7." {
+	type primary;
+	file "example.db";
+};
+
+zone "grafted." {
+	type primary;
+	file "example.db";
+};
+
+zone "1.0.10.in-addr.arpa." {
+	type primary;
+	file "example.db";
+};
+
+zone "tld" {
+	type primary;
+	file "tld.db";
+};
diff --git a/bin/tests/system/forward/ns2/root.db b/bin/tests/system/forward/ns2/root.db
new file mode 100644
index 0000000..7108723
--- /dev/null
+++ b/bin/tests/system/forward/ns2/root.db
@@ -0,0 +1,30 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. 			IN SOA	gson.nominum.com. a.root.servers.nil. (
+				2000042100   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+
+example1		NS	ns.example1
+ns.example1		A	10.53.0.1
+
+example2		NS	ns.example2
+ns.example2		A	10.53.0.1
+
+example3		NS	ns.example3
+ns.example3		A	10.53.0.1
diff --git a/bin/tests/system/forward/ns2/tld.db b/bin/tests/system/forward/ns2/tld.db
new file mode 100644
index 0000000..965f2a4
--- /dev/null
+++ b/bin/tests/system/forward/ns2/tld.db
@@ -0,0 +1,29 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	ns root (
+				2000082401 ; serial
+				1800       ; refresh (30 minutes)
+				1800       ; retry (30 minutes)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.2
+sld			NS	ns.sld
+ns.sld			A	10.53.0.1
+local			NS	ns.local
+ns.local		A	10.53.0.9
+sibling			NS	ns.sibling
+ns.sibling		A	10.53.0.4
+sibling			NS	ns.sub.local
+ns.sub.local		A	10.53.0.10
diff --git a/bin/tests/system/forward/ns3/named1.conf.in b/bin/tests/system/forward/ns3/named1.conf.in
new file mode 100644
index 0000000..88f1eee
--- /dev/null
+++ b/bin/tests/system/forward/ns3/named1.conf.in
@@ -0,0 +1,66 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.3;
+	query-source-v6 address fd92:7065:b8e:ffff::3;
+	notify-source 10.53.0.3;
+	notify-source-v6 fd92:7065:b8e:ffff::3;
+	transfer-source 10.53.0.3;
+	transfer-source-v6 fd92:7065:b8e:ffff::3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { fd92:7065:b8e:ffff::3; };
+	forwarders { fd92:7065:b8e:ffff::2; };
+	forward first;
+	dnssec-validation yes;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "root.db";
+};
+
+zone "example1." {
+	type forward;
+	forward first;
+	forwarders { 10.53.0.2; };
+};
+
+zone "example2." {
+	type forward;
+	forward first;
+	forwarders { };
+};
+
+zone "example3." {
+	type forward;
+	forward only;
+	forwarders { };
+};
+
+zone "example7." {
+	type forward;
+	forward first;
+	forwarders { 10.53.0.6; };
+};
diff --git a/bin/tests/system/forward/ns3/named2.conf.in b/bin/tests/system/forward/ns3/named2.conf.in
new file mode 100644
index 0000000..b498e87
--- /dev/null
+++ b/bin/tests/system/forward/ns3/named2.conf.in
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.3;
+	query-source-v6 address fd92:7065:b8e:ffff::3;
+	notify-source 10.53.0.3;
+	notify-source-v6 fd92:7065:b8e:ffff::3;
+	transfer-source 10.53.0.3;
+	transfer-source-v6 fd92:7065:b8e:ffff::3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { fd92:7065:b8e:ffff::3; };
+	forwarders { 10.53.0.6; };
+	dnssec-validation yes;
+};
+
+include "trusted.conf";
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "root.db";
+};
diff --git a/bin/tests/system/forward/ns3/root.db b/bin/tests/system/forward/ns3/root.db
new file mode 100644
index 0000000..7108723
--- /dev/null
+++ b/bin/tests/system/forward/ns3/root.db
@@ -0,0 +1,30 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. 			IN SOA	gson.nominum.com. a.root.servers.nil. (
+				2000042100   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+
+example1		NS	ns.example1
+ns.example1		A	10.53.0.1
+
+example2		NS	ns.example2
+ns.example2		A	10.53.0.1
+
+example3		NS	ns.example3
+ns.example3		A	10.53.0.1
diff --git a/bin/tests/system/forward/ns4/malicious.db b/bin/tests/system/forward/ns4/malicious.db
new file mode 100644
index 0000000..e4859c1
--- /dev/null
+++ b/bin/tests/system/forward/ns4/malicious.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL    86400
+@       IN      SOA     malicious. admin.malicious. (
+                              1         ; Serial
+                         604800         ; Refresh
+                          86400         ; Retry
+                        2419200         ; Expire
+                          86400 )       ; Negative Cache TTL
+
+@           IN    NS      ns
+
+ns          IN    A       10.53.0.4
+
+target      IN    CNAME   subdomain.rebind.
diff --git a/bin/tests/system/forward/ns4/named.conf.in b/bin/tests/system/forward/ns4/named.conf.in
new file mode 100644
index 0000000..c97823d
--- /dev/null
+++ b/bin/tests/system/forward/ns4/named.conf.in
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	minimal-responses yes;
+};
+
+zone "." {
+	type hint;
+	file "root.db";
+};
+
+zone "example1." {
+	type forward;
+	forward first;
+	forwarders { 10.53.0.2; };
+};
+
+zone "example3." {
+	type forward;
+	forwarders { 10.53.0.2; };
+};
+
+zone "example5." {
+	type forward;
+	forward only;
+	forwarders { 10.53.0.2; };
+};
+
+zone "1.0.10.in-addr.arpa" {
+	type forward;
+	forward only;
+	forwarders { 10.53.0.2; };
+};
+
+zone "grafted" {
+	type forward;
+	forward only;
+	forwarders { 10.53.0.2; };
+};
+
+zone "malicious." {
+	type primary;
+	file "malicious.db";
+};
+
+zone "sibling.tld" {
+	type primary;
+	file "sibling.tld.db";
+};
diff --git a/bin/tests/system/forward/ns4/root.db b/bin/tests/system/forward/ns4/root.db
new file mode 100644
index 0000000..7108723
--- /dev/null
+++ b/bin/tests/system/forward/ns4/root.db
@@ -0,0 +1,30 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. 			IN SOA	gson.nominum.com. a.root.servers.nil. (
+				2000042100   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+
+example1		NS	ns.example1
+ns.example1		A	10.53.0.1
+
+example2		NS	ns.example2
+ns.example2		A	10.53.0.1
+
+example3		NS	ns.example3
+ns.example3		A	10.53.0.1
diff --git a/bin/tests/system/forward/ns4/sibling.tld.db b/bin/tests/system/forward/ns4/sibling.tld.db
new file mode 100644
index 0000000..fe080ae
--- /dev/null
+++ b/bin/tests/system/forward/ns4/sibling.tld.db
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL    86400
+@       IN      SOA     malicious. admin.malicious. (
+                              1         ; Serial
+                         604800         ; Refresh
+                          86400         ; Retry
+                        2419200         ; Expire
+                          86400 )       ; Negative Cache TTL
+
+@           IN    NS      ns
+
+ns          IN    A       10.53.0.4
diff --git a/bin/tests/system/forward/ns5/named.conf.in b/bin/tests/system/forward/ns5/named.conf.in
new file mode 100644
index 0000000..024f49b
--- /dev/null
+++ b/bin/tests/system/forward/ns5/named.conf.in
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.5;
+	notify-source 10.53.0.5;
+	transfer-source 10.53.0.5;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.5; };
+	listen-on-v6 { none; };
+	forward only;
+	forwarders { 10.53.0.4; };
+	deny-answer-aliases { "rebind"; };
+	dnssec-validation yes;
+};
+
+zone "." {
+	type hint;
+	file "root.db";
+};
+
+zone "rebind" {
+	type primary;
+	file "rebind.db";
+};
diff --git a/bin/tests/system/forward/ns5/rebind.db b/bin/tests/system/forward/ns5/rebind.db
new file mode 100644
index 0000000..aed6c2e
--- /dev/null
+++ b/bin/tests/system/forward/ns5/rebind.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL    86400
+@       IN      SOA     rebind. admin.rebind. (
+                              1         ; Serial
+                         604800         ; Refresh
+                          86400         ; Retry
+                        2419200         ; Expire
+                          86400 )       ; Negative Cache TTL
+
+@           IN    NS    ns
+
+ns          IN    A     10.53.0.5
+
+subdomain   IN    A     10.53.0.1
diff --git a/bin/tests/system/forward/ns5/root.db b/bin/tests/system/forward/ns5/root.db
new file mode 100644
index 0000000..7108723
--- /dev/null
+++ b/bin/tests/system/forward/ns5/root.db
@@ -0,0 +1,30 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. 			IN SOA	gson.nominum.com. a.root.servers.nil. (
+				2000042100   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+
+example1		NS	ns.example1
+ns.example1		A	10.53.0.1
+
+example2		NS	ns.example2
+ns.example2		A	10.53.0.1
+
+example3		NS	ns.example3
+ns.example3		A	10.53.0.1
diff --git a/bin/tests/system/forward/ns7/named.conf.in b/bin/tests/system/forward/ns7/named.conf.in
new file mode 100644
index 0000000..302bb55
--- /dev/null
+++ b/bin/tests/system/forward/ns7/named.conf.in
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.7;
+	notify-source 10.53.0.7;
+	transfer-source 10.53.0.7;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.7; };
+	listen-on-v6 { none; };
+	forwarders { 10.53.0.4; };
+	forward first;
+	dnssec-validation yes;
+};
+
+zone "." {
+	type hint;
+	file "root.db";
+};
diff --git a/bin/tests/system/forward/ns7/root.db b/bin/tests/system/forward/ns7/root.db
new file mode 100644
index 0000000..7108723
--- /dev/null
+++ b/bin/tests/system/forward/ns7/root.db
@@ -0,0 +1,30 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. 			IN SOA	gson.nominum.com. a.root.servers.nil. (
+				2000042100   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+
+example1		NS	ns.example1
+ns.example1		A	10.53.0.1
+
+example2		NS	ns.example2
+ns.example2		A	10.53.0.1
+
+example3		NS	ns.example3
+ns.example3		A	10.53.0.1
diff --git a/bin/tests/system/forward/ns8/named.conf.in b/bin/tests/system/forward/ns8/named.conf.in
new file mode 100644
index 0000000..2de656f
--- /dev/null
+++ b/bin/tests/system/forward/ns8/named.conf.in
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.8;
+	notify-source 10.53.0.8;
+	transfer-source 10.53.0.8;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.8; };
+	listen-on-v6 { none; };
+	forwarders { 10.53.0.2; };	// returns referrals
+	forward first;
+	dnssec-validation yes;
+};
+
+zone "." {
+	type hint;
+	file "root.db";
+};
+
+zone "sub.local.tld" {
+	type primary;
+	file "sub.local.tld.db";
+};
diff --git a/bin/tests/system/forward/ns8/root.db b/bin/tests/system/forward/ns8/root.db
new file mode 100644
index 0000000..2cbdff5
--- /dev/null
+++ b/bin/tests/system/forward/ns8/root.db
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
diff --git a/bin/tests/system/forward/ns8/sub.local.tld.db b/bin/tests/system/forward/ns8/sub.local.tld.db
new file mode 100644
index 0000000..f2234c7
--- /dev/null
+++ b/bin/tests/system/forward/ns8/sub.local.tld.db
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+sub.local.tld.		3600	IN	SOA	. . 0 0 0 0 0
+sub.local.tld.		3600	IN	NS	ns.sub.local.tld.
+sub.local.tld.		3600	IN	TXT	good
+ns.sub.local.tld.	3600	IN	A	10.53.0.8
diff --git a/bin/tests/system/forward/ns9/local.net.db b/bin/tests/system/forward/ns9/local.net.db
new file mode 100644
index 0000000..af0d2a5
--- /dev/null
+++ b/bin/tests/system/forward/ns9/local.net.db
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+local.net.		3600	IN	SOA	. . 0 0 0 0 0
+local.net.		3600	IN	NS	localhost.
+ns.local.net.		3600	IN	A	10.53.0.9
+txt.local.net.		3600	IN	TXT	"something in the local auth zone"
+sub.local.net.		3600	IN	NS	ns.spoofed.net.  ; attacker will try to override this
diff --git a/bin/tests/system/forward/ns9/local.tld.db b/bin/tests/system/forward/ns9/local.tld.db
new file mode 100644
index 0000000..876a913
--- /dev/null
+++ b/bin/tests/system/forward/ns9/local.tld.db
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+local.tld.		3600	IN	SOA	. . 0 0 0 0 0
+local.tld.		3600	IN	NS	localhost.
+sub.local.tld.		3600	IN	NS	ns.sub.local.tld.
+ns.sub.local.tld.	3600	IN	A	10.53.0.8
diff --git a/bin/tests/system/forward/ns9/named1.conf.in b/bin/tests/system/forward/ns9/named1.conf.in
new file mode 100644
index 0000000..be9a438
--- /dev/null
+++ b/bin/tests/system/forward/ns9/named1.conf.in
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.9;
+	notify-source 10.53.0.9;
+	transfer-source 10.53.0.9;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.9; };
+	listen-on-v6 { none; };
+	dnssec-validation no;
+	edns-udp-size 1232;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+server 10.53.0.10 {
+	edns no;
+};
+
+server 10.53.0.11 {
+	edns no;
+};
+
+zone "." {
+	type hint;
+	file "root.db";
+};
+
+zone "attacksecuredomain.net." {
+	type forward;
+	forwarders { 10.53.0.10; };
+};
+
+zone "attacksecuredomain.net2." {
+	type forward;
+	forwarders { 10.53.0.10; };
+};
+
+zone "attacksecuredomain.net3." {
+	type forward;
+	forwarders { 10.53.0.11; };
+};
+
+zone "local.net." {
+	type primary;
+	file "local.net.db";
+	forwarders {};
+};
diff --git a/bin/tests/system/forward/ns9/named2.conf.in b/bin/tests/system/forward/ns9/named2.conf.in
new file mode 100644
index 0000000..2c40b42
--- /dev/null
+++ b/bin/tests/system/forward/ns9/named2.conf.in
@@ -0,0 +1,70 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.9;
+	notify-source 10.53.0.9;
+	transfer-source 10.53.0.9;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.9; };
+	listen-on-v6 { none; };
+	dnssec-validation no;
+	edns-udp-size 1232;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+server 10.53.0.10 {
+	edns no;
+};
+
+server 10.53.0.11 {
+	edns no;
+};
+
+zone "." {
+	type hint;
+	file "root.db";
+};
+
+zone "attacksecuredomain.net." {
+	type forward;
+	forward only;
+	forwarders { 10.53.0.10; };
+};
+
+zone "attacksecuredomain.net2." {
+	type forward;
+	forward only;
+	forwarders { 10.53.0.10; };
+};
+
+zone "attacksecuredomain.net3." {
+	type forward;
+	forward only;
+	forwarders { 10.53.0.11; };
+};
+
+zone "local.net." {
+	type primary;
+	file "local.net.db";
+	forwarders {};
+};
diff --git a/bin/tests/system/forward/ns9/named3.conf.in b/bin/tests/system/forward/ns9/named3.conf.in
new file mode 100644
index 0000000..576f57c
--- /dev/null
+++ b/bin/tests/system/forward/ns9/named3.conf.in
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.9;
+	notify-source 10.53.0.9;
+	transfer-source 10.53.0.9;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.9; };
+	listen-on-v6 { none; };
+	dnssec-validation no;
+	edns-udp-size 1232;
+	forward only;
+	forwarders { 10.53.0.10; };
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+server 10.53.0.10 {
+	edns no;
+};
+
+zone "." {
+	type hint;
+	file "root.db";
+};
+
+zone "local.net." {
+	type primary;
+	file "local.net.db";
+	forwarders {};
+};
diff --git a/bin/tests/system/forward/ns9/named4.conf.in b/bin/tests/system/forward/ns9/named4.conf.in
new file mode 100644
index 0000000..5cd7d84
--- /dev/null
+++ b/bin/tests/system/forward/ns9/named4.conf.in
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.9;
+	notify-source 10.53.0.9;
+	transfer-source 10.53.0.9;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.9; };
+	listen-on-v6 { none; };
+	dnssec-validation no;
+	edns-udp-size 1232;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+server 10.53.0.10 {
+	edns no;
+};
+
+zone "." {
+	type hint;
+	file "root.db";
+};
+
+zone "local.tld." {
+	type primary;
+	file "local.tld.db";
+};
diff --git a/bin/tests/system/forward/ns9/root.db b/bin/tests/system/forward/ns9/root.db
new file mode 100644
index 0000000..2cbdff5
--- /dev/null
+++ b/bin/tests/system/forward/ns9/root.db
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
diff --git a/bin/tests/system/forward/prereq.sh b/bin/tests/system/forward/prereq.sh
new file mode 100644
index 0000000..2f5a187
--- /dev/null
+++ b/bin/tests/system/forward/prereq.sh
@@ -0,0 +1,37 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if $PERL -e 'use Net::DNS;' 2>/dev/null
+then
+    :
+else
+    echo_i "This test requires the Net::DNS library." >&2
+    exit 1
+fi
+
+if test -n "$PYTHON"
+then
+    if $PYTHON -c "import dns" 2> /dev/null
+    then
+        :
+    else
+        echo_i "This test requires the dnspython module." >&2
+        exit 1
+    fi
+else
+    echo_i "This test requires Python and the dnspython module." >&2
+    exit 1
+fi
diff --git a/bin/tests/system/forward/rfc1918-inherited.conf b/bin/tests/system/forward/rfc1918-inherited.conf
new file mode 100644
index 0000000..66569dc
--- /dev/null
+++ b/bin/tests/system/forward/rfc1918-inherited.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone 10.in-addr.arpa {
+	type forward;
+	forwarders { 1.2.3.4; };
+};
diff --git a/bin/tests/system/forward/rfc1918-notinherited.conf b/bin/tests/system/forward/rfc1918-notinherited.conf
new file mode 100644
index 0000000..d6d5c2d
--- /dev/null
+++ b/bin/tests/system/forward/rfc1918-notinherited.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone 10.in-addr.arpa {
+	type forward;
+	forward first;
+	forwarders { 1.2.3.4; };
+};
diff --git a/bin/tests/system/forward/setup.sh b/bin/tests/system/forward/setup.sh
new file mode 100644
index 0000000..589f983
--- /dev/null
+++ b/bin/tests/system/forward/setup.sh
@@ -0,0 +1,30 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. "$SYSTEMTESTTOP/conf.sh"
+
+$SHELL clean.sh
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named1.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+copy_setports ns7/named.conf.in ns7/named.conf
+copy_setports ns8/named.conf.in ns8/named.conf
+copy_setports ns9/named1.conf.in ns9/named.conf
+copy_setports ns10/named.conf.in ns10/named.conf
+
+(
+    cd ns1
+    $SHELL sign.sh
+)
diff --git a/bin/tests/system/forward/tests.sh b/bin/tests/system/forward/tests.sh
new file mode 100644
index 0000000..4b3a1ab
--- /dev/null
+++ b/bin/tests/system/forward/tests.sh
@@ -0,0 +1,383 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#shellcheck source=conf.sh
+SYSTEMTESTTOP=..
+. "$SYSTEMTESTTOP/conf.sh"
+
+dig_with_opts() (
+	"$DIG" -p "$PORT" "$@"
+)
+
+sendcmd() (
+	"$PERL" ../send.pl 10.53.0.6 "$EXTRAPORT1"
+)
+
+rndccmd() {
+    "$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@"
+}
+
+root=10.53.0.1
+hidden=10.53.0.2
+f1=10.53.0.3
+f2=10.53.0.4
+
+status=0
+n=0
+
+n=$((n+1))
+echo_i "checking that a forward zone overrides global forwarders ($n)"
+ret=0
+dig_with_opts +noadd +noauth txt.example1. txt @$hidden > dig.out.$n.hidden || ret=1
+dig_with_opts +noadd +noauth txt.example1. txt @$f1 > dig.out.$n.f1 || ret=1
+digcomp dig.out.$n.hidden dig.out.$n.f1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that a forward first zone no forwarders recurses ($n)"
+ret=0
+dig_with_opts +noadd +noauth txt.example2. txt @$root > dig.out.$n.root || ret=1
+dig_with_opts +noadd +noauth txt.example2. txt @$f1 > dig.out.$n.f1 || ret=1
+digcomp dig.out.$n.root dig.out.$n.f1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that a forward only zone no forwarders fails ($n)"
+ret=0
+dig_with_opts +noadd +noauth txt.example2. txt @$root > dig.out.$n.root || ret=1
+dig_with_opts +noadd +noauth txt.example2. txt @$f1 > dig.out.$n.f1 || ret=1
+digcomp dig.out.$n.root dig.out.$n.f1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that global forwarders work ($n)"
+ret=0
+dig_with_opts +noadd +noauth txt.example4. txt @$hidden > dig.out.$n.hidden || ret=1
+dig_with_opts +noadd +noauth txt.example4. txt @$f1 > dig.out.$n.f1 || ret=1
+digcomp dig.out.$n.hidden dig.out.$n.f1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that a forward zone works ($n)"
+ret=0
+dig_with_opts +noadd +noauth txt.example1. txt @$hidden > dig.out.$n.hidden || ret=1
+dig_with_opts +noadd +noauth txt.example1. txt @$f2 > dig.out.$n.f2 || ret=1
+digcomp dig.out.$n.hidden dig.out.$n.f2 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that forwarding doesn't spontaneously happen ($n)"
+ret=0
+dig_with_opts +noadd +noauth txt.example2. txt @$root > dig.out.$n.root || ret=1
+dig_with_opts +noadd +noauth txt.example2. txt @$f2 > dig.out.$n.f2 || ret=1
+digcomp dig.out.$n.root dig.out.$n.f2 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that a forward zone with no specified policy works ($n)"
+ret=0
+dig_with_opts +noadd +noauth txt.example3. txt @$hidden > dig.out.$n.hidden || ret=1
+dig_with_opts +noadd +noauth txt.example3. txt @$f2 > dig.out.$n.f2 || ret=1
+digcomp dig.out.$n.hidden dig.out.$n.f2 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that a forward only doesn't recurse ($n)"
+ret=0
+dig_with_opts txt.example5. txt @$f2 > dig.out.$n.f2 || ret=1
+grep "SERVFAIL" dig.out.$n.f2 > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking for negative caching of forwarder response ($n)"
+# prime the cache, shutdown the forwarder then check that we can
+# get the answer from the cache.  restart forwarder.
+ret=0
+dig_with_opts nonexist. txt @10.53.0.5 > dig.out.$n.f2 || ret=1
+grep "status: NXDOMAIN" dig.out.$n.f2 > /dev/null || ret=1
+stop_server ns4 || ret=1
+dig_with_opts nonexist. txt @10.53.0.5 > dig.out.$n.f2 || ret=1
+grep "status: NXDOMAIN" dig.out.$n.f2 > /dev/null || ret=1
+start_server --restart --noclean --port "${PORT}" ns4 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+check_override() (
+    dig_with_opts 1.0.10.in-addr.arpa TXT @10.53.0.4 > dig.out.$n.f2 &&
+    grep "status: NOERROR" dig.out.$n.f2 > /dev/null &&
+    dig_with_opts 2.0.10.in-addr.arpa TXT @10.53.0.4 > dig.out.$n.f2 &&
+    grep "status: NXDOMAIN" dig.out.$n.f2 > /dev/null
+)
+
+n=$((n+1))
+echo_i "checking that forward only zone overrides empty zone ($n)"
+ret=0
+# retry loop in case the server restart above causes transient failure
+retry_quiet 10 check_override || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that DS lookups for grafting forward zones are isolated ($n)"
+ret=0
+dig_with_opts grafted A @10.53.0.4 > dig.out.$n.q1 || ret=1
+dig_with_opts grafted DS @10.53.0.4 > dig.out.$n.q2 || ret=1
+dig_with_opts grafted A @10.53.0.4 > dig.out.$n.q3 || ret=1
+dig_with_opts grafted AAAA @10.53.0.4 > dig.out.$n.q4 || ret=1
+grep "status: NOERROR" dig.out.$n.q1 > /dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.$n.q2 > /dev/null || ret=1
+grep "status: NOERROR" dig.out.$n.q3 > /dev/null || ret=1
+grep "status: NOERROR" dig.out.$n.q4 > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that rfc1918 inherited 'forward first;' zones are warned about ($n)"
+ret=0
+$CHECKCONF rfc1918-inherited.conf | grep "forward first;" >/dev/null || ret=1
+$CHECKCONF rfc1918-notinherited.conf | grep "forward first;" >/dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that ULA inherited 'forward first;' zones are warned about ($n)"
+ret=0
+$CHECKCONF ula-inherited.conf | grep "forward first;" >/dev/null || ret=1
+$CHECKCONF ula-notinherited.conf | grep "forward first;" >/dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+count_sent() (
+	logfile="$1"
+	start_pattern="$2"
+	pattern="$3"
+	nextpartpeek "$logfile" | tr -d '\r' | sed -n "/$start_pattern/,/^\$/p" | grep -c "$pattern"
+)
+
+check_sent() (
+	expected="$1"
+	shift
+	count=$(count_sent "$@")
+	[ "$expected" = "$count" ]
+)
+
+wait_for_log() (
+	nextpartpeek "$1" | grep "$2" >/dev/null
+
+)
+
+n=$((n+1))
+echo_i "checking that a forwarder timeout prevents it from being reused in the same fetch context ($n)"
+ret=0
+# Make ans6 receive queries without responding to them.
+echo "//" | sendcmd
+# Query for a record in a zone which is forwarded to a non-responding forwarder
+# and is delegated from the root to check whether the forwarder will be retried
+# when a delegation is encountered after falling back to full recursive
+# resolution.
+nextpart ns3/named.run >/dev/null
+dig_with_opts txt.example7. txt @$f1 > dig.out.$n.f1 || ret=1
+# The forwarder for the "example7" zone should only be queried once.
+start_pattern="sending packet to 10\.53\.0\.6"
+retry_quiet 5 wait_for_log ns3/named.run "$start_pattern"
+check_sent 1 ns3/named.run "$start_pattern" ";txt\.example7\.[[:space:]]*IN[[:space:]]*TXT$" || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that priming queries are not forwarded ($n)"
+ret=0
+nextpart ns7/named.run >/dev/null
+dig_with_opts +noadd +noauth txt.example1. txt @10.53.0.7 > dig.out.$n.f7 || ret=1
+received_pattern="received packet from 10\.53\.0\.1"
+start_pattern="sending packet to 10\.53\.0\.1"
+retry_quiet 5 wait_for_log ns7/named.run "$received_pattern" || ret=1
+check_sent 1 ns7/named.run "$start_pattern" ";\.[[:space:]]*IN[[:space:]]*NS$" || ret=1
+sent=$(grep -c "10.53.0.7#.* (.): query '\./NS/IN' approved" ns4/named.run)
+[ "$sent" -eq 0 ] || ret=1
+sent=$(grep -c "10.53.0.7#.* (.): query '\./NS/IN' approved" ns1/named.run)
+[ "$sent" -eq 1 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking recovery from forwarding to a non-recursive server ($n)"
+ret=0
+dig_with_opts xxx.sld.tld txt @10.53.0.8  > dig.out.$n.f8 || ret=1
+grep "status: NOERROR" dig.out.$n.f8 > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that rebinding protection works in forward only mode ($n)"
+ret=0
+# 10.53.0.5 will forward target.malicious. query to 10.53.0.4
+# which in turn will return a CNAME for subdomain.rebind.
+# to honor the option deny-answer-aliases { "rebind"; };
+# ns5 should return a SERVFAIL to avoid potential rebinding attacks
+dig_with_opts +noadd +noauth @10.53.0.5 target.malicious. > dig.out.$n || ret=1
+grep "status: SERVFAIL" dig.out.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking switch from forwarding to normal resolution while chasing DS ($n)"
+ret=0
+copy_setports ns3/named2.conf.in ns3/named.conf
+rndccmd 10.53.0.3 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
+sleep 1
+sendcmd << EOF
+/ns1.sld.tld/A/
+300 A 10.53.0.2
+/sld.tld/NS/
+300 NS ns1.sld.tld.
+/sld.tld/
+EOF
+nextpart ns3/named.run >/dev/null
+dig_with_opts @$f1 xxx.yyy.sld.tld ds > dig.out.$n.f1 || ret=1
+grep "status: SERVFAIL" dig.out.$n.f1 > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+#
+# Check various spoofed response scenarios. The same tests will be
+# run twice, with "forward first" and "forward only" configurations.
+#
+run_spooftests () {
+    n=$((n+1))
+    echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)"
+    ret=0
+    # prime
+    dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1
+    # check 'net' is not poisoned.
+    dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1
+    grep '^diditwork\.net\..*TXT.*"recursed"' dig.out.$n.net > /dev/null || ret=1
+    # check 'sub.local.net' is not poisoned.
+    dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1
+    grep '^sub\.local\.net\..*TXT.*"recursed"' dig.out.$n.sub > /dev/null || ret=1
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+
+    n=$((n+1))
+    echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)"
+    ret=0
+    # prime
+    dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1
+    # check that net2/DNAME is not cached
+    dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1
+    grep "ANSWER: 0," dig.out.$n.net2 > /dev/null || ret=1
+    grep "status: NXDOMAIN" dig.out.$n.net2 > /dev/null || ret=1
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+
+    n=$((n+1))
+    echo_i "checking spoofed response scenario 3 - extra answer ($n)"
+    ret=0
+    # prime
+    dig_with_opts @10.53.0.9 attackSecureDomain.net3 > dig.out.$n.prime || ret=1
+    # check extra net3 records are not cached
+    rndccmd 10.53.0.9 dumpdb -cache 2>&1 | sed 's/^/ns9 /' | cat_i
+    for try in 1 2 3 4 5; do
+        lines=$(grep "net3" ns9/named_dump.db | wc -l)
+        if [ ${lines} -eq 0 ]; then
+                sleep 1
+                continue
+        fi
+        [ ${lines} -eq 1 ] || ret=1
+        grep -q '^attackSecureDomain.net3' ns9/named_dump.db || ret=1
+        grep -q '^local.net3' ns9/named_dump.db && ret=1
+    done
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+}
+
+echo_i "checking spoofed response scenarios with forward first zones"
+run_spooftests
+
+copy_setports ns9/named2.conf.in ns9/named.conf
+rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
+rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i
+sleep 1
+
+echo_i "rechecking spoofed response scenarios with forward only zones"
+run_spooftests
+
+#
+# This scenario expects the spoofed response to succeed. The tests are
+# similar to the ones above, but not identical.
+#
+echo_i "rechecking spoofed response scenarios with 'forward only' set globally"
+copy_setports ns9/named3.conf.in ns9/named.conf
+rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
+rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i
+sleep 1
+
+n=$((n+1))
+echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)"
+ret=0
+# prime
+dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1
+# check 'net' is poisoned.
+dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1
+grep '^didItWork\.net\..*TXT.*"if you can see this record the attack worked"' dig.out.$n.net > /dev/null || ret=1
+# check 'sub.local.net' is poisoned.
+dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1
+grep '^sub\.local\.net\..*TXT.*"if you see this attacker overrode local delegation"' dig.out.$n.sub > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)"
+ret=0
+# prime
+dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1
+# check that net2/DNAME is cached
+dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1
+grep "ANSWER: 1," dig.out.$n.net2 > /dev/null || ret=1
+grep "net2\..*IN.DNAME.net\.example\.lll\." dig.out.$n.net2 > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+#
+# This test doesn't use any forwarder clauses but is here because it
+# is similar to forwarders, as the set of servers that can populate
+# the namespace is defined by the zone content.
+#
+echo_i "rechecking spoofed response scenarios glue below local zone"
+copy_setports ns9/named4.conf.in ns9/named.conf
+rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
+rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i
+sleep 1
+
+n=$((n+1))
+echo_i "checking sibling glue below zone ($n)"
+ret=0
+# prime
+dig_with_opts @10.53.0.9 sibling.tld > dig.out.$n.prime || ret=1
+# check for glue A record for sub.local.tld is not used
+dig_with_opts @10.53.0.9 sub.local.tld TXT > dig.out.$n.sub || ret=1
+grep "ANSWER: 1," dig.out.$n.sub > /dev/null || ret=1
+grep 'sub\.local\.tld\..*IN.TXT."good"$' dig.out.$n.sub > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/forward/ula-inherited.conf b/bin/tests/system/forward/ula-inherited.conf
new file mode 100644
index 0000000..1fb94b1
--- /dev/null
+++ b/bin/tests/system/forward/ula-inherited.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone d.f.ip6.arpa {
+	type forward;
+	forwarders { 1.2.3.4; };
+};
diff --git a/bin/tests/system/forward/ula-notinherited.conf b/bin/tests/system/forward/ula-notinherited.conf
new file mode 100644
index 0000000..300001a
--- /dev/null
+++ b/bin/tests/system/forward/ula-notinherited.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone d.f.ip6.arpa {
+	type forward;
+	forward first;
+	forwarders { 1.2.3.4; };
+};
diff --git a/bin/tests/system/fromhex.pl b/bin/tests/system/fromhex.pl
new file mode 100644
index 0000000..2a229e0
--- /dev/null
+++ b/bin/tests/system/fromhex.pl
@@ -0,0 +1,47 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# Converts hex ascii into raw data.
+# (This can be used, for example, to construct input for "wire_data -d".)
+
+require 5.006.001;
+
+use strict;
+use IO::File;
+
+sub usage {
+    print ("Usage: packet.pl [file]\n");
+    exit 1;
+}
+
+my $file = "STDIN";
+if (@ARGV >= 1) {
+    my $filename = shift @ARGV;
+    open FH, "<$filename" or die "$filename: $!";
+    $file = "FH";
+}
+
+my $input = "";
+while (defined(my $line = <$file>) ) {
+    chomp $line;
+    $line =~ s/#.*$//;
+    $input .= $line;
+}
+
+$input =~ s/\s+//g;
+my $data = pack("H*", $input);
+my $len = length $data;
+
+binmode(STDOUT);
+print($data);
+exit(0);
diff --git a/bin/tests/system/genzone.sh b/bin/tests/system/genzone.sh
new file mode 100644
index 0000000..02e3b96
--- /dev/null
+++ b/bin/tests/system/genzone.sh
@@ -0,0 +1,511 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Set up a test zone
+#
+# Usage: genzone.sh master-server-number secondary-server-number...
+#
+# e.g., "genzone.sh 2 3 4" means ns2 is the master and ns3, ns4
+# are secondaries.
+#
+
+master="$1"
+
+cat <<EOF
+\$TTL 3600
+
+@		86400	IN SOA	ns${master} hostmaster (
+					1397051952 ; "SER0"
+					5
+					5
+					1814400
+					3600 )
+EOF
+
+for n
+do
+	cat <<EOF
+@			NS	ns${n}
+ns${n}			A	10.53.0.${n}
+EOF
+done
+
+cat <<\EOF
+
+; type 1
+a01			A	0.0.0.0
+a02			A	255.255.255.255
+
+; type 2
+; see NS records at top of file
+
+; type 3
+; md01			MD	madname
+; 			MD	.
+
+; type 4
+; mf01			MF	madname
+; mf01			MF	.
+
+; type 5
+cname01			CNAME	cname-target.
+cname02			CNAME	cname-target
+cname03			CNAME	.
+
+; type 6
+; see SOA record at top of file
+
+; type 7
+mb01			MG	madname
+mb02			MG	.
+
+; type 8
+mg01			MG	mgmname
+mg02			MG	.
+
+; type 9
+mr01			MR	mrname
+mr02			MR	.
+
+; type 10
+; NULL RRs are not allowed in master files per RFC1035.
+;null01			NULL
+
+; type 11
+wks01			WKS	10.0.0.1 tcp telnet ftp 0 1 2
+wks02			WKS	10.0.0.1 udp domain 0 1 2
+wks03			WKS	10.0.0.2 tcp 65535
+
+; type 12
+ptr01			PTR	@
+
+; type 13
+hinfo01			HINFO	"Generic PC clone" "NetBSD-1.4"
+hinfo02			HINFO	PC NetBSD
+
+; type 14
+minfo01			MINFO	rmailbx emailbx
+minfo02			MINFO	. . 
+
+; type 15
+mx01			MX	10 mail
+mx02			MX	10 .
+
+; type 16
+txt01			TXT	"foo"
+txt02			TXT	"foo" "bar"
+txt03			TXT	foo
+txt04			TXT	foo bar
+txt05			TXT	"foo bar"
+txt06			TXT	"foo\032bar"
+txt07			TXT	foo\032bar
+txt08			TXT	"foo\010bar"
+txt09			TXT	foo\010bar
+txt10			TXT	foo\ bar
+txt11			TXT	"\"foo\""
+txt12			TXT	\"foo\"
+txt13			TXT	"foo;"
+txt14			TXT	"foo\;"
+txt15			TXT	"bar\\;"
+
+; type 17
+rp01			RP	mbox-dname txt-dname
+rp02			RP	. . 
+
+; type 18
+afsdb01			AFSDB	0 hostname
+afsdb02			AFSDB	65535 .
+
+; type 19
+x2501			X25	123456789
+;x2502			X25	"123456789"
+
+; type 20
+isdn01			ISDN	"isdn-address"
+isdn02			ISDN	"isdn-address" "subaddress"
+isdn03			ISDN	isdn-address
+isdn04			ISDN	isdn-address subaddress
+
+; type 21
+rt01			RT	0 intermediate-host
+rt02			RT	65535 .
+
+; type 22
+nsap01			NSAP	(
+	0x47.0005.80.005a00.0000.0001.e133.ffffff000161.00 )
+nsap02			NSAP	(
+	0x47.0005.80.005a00.0000.0001.e133.ffffff000161.00. )
+;nsap03			NSAP	0x
+
+; type 23
+nsap-ptr01		NSAP-PTR foo.
+nsap-ptr01		NSAP-PTR .
+
+; type 24
+;sig01			SIG	NXT 1 3 ( 3600 20000102030405
+;				19961211100908 2143 foo.nil. 
+;				MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45I
+;				kskceFGgiWCn/GxHhai6VAuHAoNUz4YoU1t
+;				VfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY= )
+
+; type 25
+;key01			KEY	512 ( 255 1 AQMFD5raczCJHViKtLYhWGz8hMY
+;				9UGRuniJDBzC7w0aRyzWZriO6i2odGWWQVucZqKV
+;				sENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esg
+;				a60zyGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= )
+
+; type 26
+px01			PX	65535 foo. bar.
+px02			PX	65535 . .
+
+; type 27
+gpos01			GPOS    -22.6882 116.8652 250.0
+gpos02			GPOS    "" "" ""
+
+; type 28
+aaaa01			AAAA    ::1
+aaaa02			AAAA    fd92:7065:b8e:ffff::5
+
+; type 29
+loc01			LOC	60 9 N 24 39 E 10 20 2000 20
+loc02			LOC 	60 09 00.000 N 24 39 00.000 E 10.00m 20.00m (
+				  2000.00m 20.00m )
+
+; type 30
+;nxt01			NXT	a.secure.nil. ( NS SOA MX RRSIG KEY LOC NXT )
+;nxt02			NXT	. NXT NSAP-PTR
+;nxt03			NXT	. 1
+;nxt04			NXT	. 127
+
+; type 31
+eid01			EID	12 89 AB
+
+; type 32
+nimloc01		NIMLOC	12 89 AB
+
+; type 33
+srv01			SRV	0 0 0 .
+srv02			SRV	65535 65535 65535  old-slow-box
+
+; type 34
+atma01			ATMA	+61200000000
+atma02			ATMA	+61.2.0000.0000
+atma03			ATMA	1234567890abcdef
+atma04			ATMA	f.e.d.c.b.a.0.9.8.7.6.5.4.3.2.1
+
+; type 35
+naptr01			NAPTR   0 0 "" "" "" . 
+naptr02			NAPTR   65535 65535 blurgh blorf blllbb foo.
+naptr02			NAPTR   65535 65535 "blurgh" "blorf" "blllbb" foo.
+
+; type 36
+kx01			KX	10 kdc
+kx02			KX	10 .
+
+; type 37
+cert01			CERT	65534 65535 254 ( 
+				MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45I
+				kskceFGgiWCn/GxHhai6VAuHAoNUz4YoU1t
+				VfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY= )
+; type 38
+a601			A6	0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+a601			A6	64 ::ffff:ffff:ffff:ffff foo.
+a601			A6	127 ::1 foo.
+a601			A6	128 .
+
+; type 39
+dname01			DNAME	dname-target.
+dname02			DNAME	dname-target
+dname03			DNAME	.
+
+; type 40
+sink01			SINK	1 0 0
+sink02			SINK	8 0 2 l4ik
+
+; type 41
+; OPT is a meta-type and should never occur in master files.
+
+; type 42
+apl01			APL	!1:10.0.0.1/32 1:10.0.0.0/24
+apl02			APL
+
+; type 43
+ds01			DS	12892 5 2 26584835CA80C81C91999F31CFAF2A0E89D4FF1C8FAFD0DDB31A85C7 19277C13
+ds01			NS	ns42
+ds02			DS	12892 5 1 7AA4A3F416C2F2391FB7AB0D434F762CD62D1390
+ds02			NS	ns43
+
+; type 44
+sshfp01			SSHFP	4 2 C76D8329954DA2835751E371544E963EFDA099080D6C58DD2BFD9A31 6E162C83
+sshfp02			SSHFP	1 2 BF29468C83AC58CCF8C85AB7B3BEB054ECF1E38512B8353AB36471FA 88961DCC
+
+; type 45
+ipseckey01		IPSECKEY	10 1 2 192.0.2.38 AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
+ipseckey02		IPSECKEY	10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
+ipseckey03		IPSECKEY	( 10 1 2
+					  192.0.2.3
+					  AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
+ipseckey04		IPSECKEY	( 10 3 2
+					  mygateway.example.com.
+					  AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
+
+ipseckey05		IPSECKEY	( 10 2 2
+					  2001:0DB8:0:8002::2000:1
+					  AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
+
+; type 46
+rrsig01			RRSIG	NSEC 1 3 ( 3600 20000102030405
+				19961211100908 2143 foo.nil. 
+				MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45I
+				kskceFGgiWCn/GxHhai6VAuHAoNUz4YoU1t
+				VfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY= )
+
+; type 47
+nsec01			NSEC	a.secure.nil. ( NS SOA MX RRSIG DNSKEY LOC NSEC )
+nsec02			NSEC	. NSEC NSAP-PTR
+nsec03			NSEC	. TYPE1
+nsec04			NSEC	. TYPE127
+
+; type 48
+dnskey01		DNSKEY	512 ( 255 1 AQMFD5raczCJHViKtLYhWGz8hMY
+				9UGRuniJDBzC7w0aRyzWZriO6i2odGWWQVucZqKV
+				sENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esg
+				a60zyGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= )
+
+; type 49
+dhcid01			DHCID	( AAIBY2/AuCccgoJbsaxcQc9TUapptP69l
+				  OjxfNuVAA2kjEA= )
+dhcid02			DHCID	( AAEBOSD+XR3Os/0LozeXVqcNc7FwCfQdW
+				  L3b/NaiUDlW2No= )
+dhcid03			DHCID	( AAABxLmlskllE0MVjd57zHcWmEH3pCQ6V
+				  ytcKD//7es/deY= )
+
+; type 50
+8f1tmio9avcom2k0frp92lgcumak0cad	NSEC3 1 0 10 D2CF0294C020CE6C 8FPNS2UCT7FBS643THP2B77PEQ77K6IU  A NS SOA MX AAAA RRSIG DNSKEY NSEC3PARAM
+kcd3juae64f9c5csl1kif1htaui7un0g	NSEC3 1 0 10 D2CF0294C020CE6C KD5MN2M20340DGO0BL7NTSB8JP4BSC7E
+mr5ukvsk1l37btu4q7b1dfevft4hkqdk	NSEC3 1 0 10 D2CF0294C020CE6C MT38J6VG7S0SN5G17MCUF6IQIKFUAJ05  A AAAA RRSIG
+
+; type 51
+; @			NSEC3PARAM 1 0 1 868BCF7ED4108929
+
+; type 52
+tlsa			TLSA	( 1 1 2 92003ba34942dc74152e2f2c408d29ec
+				a5a520e7f2e06bb944f4dca346baf63c
+				1b177615d466f6c4b71c216a50292bd5
+				8c9ebdd2f74e38fe51ffd48c43326cbc )
+
+; type 53
+smimea			SMIMEA	( 1 1 2 92003ba34942dc74152e2f2c408d29ec
+				a5a520e7f2e06bb944f4dca346baf63c
+				1b177615d466f6c4b71c216a50292bd5
+				8c9ebdd2f74e38fe51ffd48c43326cbc )
+
+; type 54 (unassigned)
+
+; type 55
+hip1			HIP	( 2 200100107B1A74DF365639CC39F1D578
+				AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D )
+
+hip2			HIP	( 2 200100107B1A74DF365639CC39F1D578
+                                AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D
+				rvs.example.com. )
+
+; type 56
+ninfo01			NINFO	"foo"
+ninfo02			NINFO	"foo" "bar"
+ninfo03			NINFO	foo
+ninfo04			NINFO	foo bar
+ninfo05			NINFO	"foo bar"
+ninfo06			NINFO	"foo\032bar"
+ninfo07			NINFO	foo\032bar
+ninfo08			NINFO	"foo\010bar"
+ninfo09			NINFO	foo\010bar
+ninfo10			NINFO	foo\ bar
+ninfo11			NINFO	"\"foo\""
+ninfo12			NINFO	\"foo\"
+ninfo13			NINFO	"foo;"
+ninfo14			NINFO	"foo\;"
+ninfo15			NINFO	"bar\\;"
+
+; type 57
+rkey01			RKEY	0 ( 255 1 AQMFD5raczCJHViKtLYhWGz8hMY
+				9UGRuniJDBzC7w0aRyzWZriO6i2odGWWQVucZqKV
+				sENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esg
+				a60zyGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= )
+
+; type 58
+talink0			TALINK	. talink1
+talink1			TALINK	talink0 talink2
+talink2			TALINK	talink2 .
+
+; type 59
+cds01			CDS	30795 1 1 (
+					310D27F4D82C1FC2400704EA9939FE6E1CEA
+					A3B9 )
+
+; type 60
+cdnskey01		CDNSKEY	512 ( 255 1 AQMFD5raczCJHViKtLYhWGz8hMY
+				9UGRuniJDBzC7w0aRyzWZriO6i2odGWWQVucZqKV
+				sENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esg
+				a60zyGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= )
+
+; type 61
+openpgpkey		OPENPGPKEY	( AQMFD5raczCJHViKtLYhWGz8hMY
+				9UGRuniJDBzC7w0aRyzWZriO6i2odGWWQVucZqKV
+				sENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esg
+				a60zyGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= )
+
+;type	62
+csync01			CSYNC	0 0 A NS AAAA
+csync02			CSYNC	0 0
+
+;type	63
+zonemd01		ZONEMD	2019020700 1 1 (
+                                C220B8A6ED5728A971902F7E3D4FD93A
+                                DEEA88B0453C2E8E8C863D465AB06CF3
+                                4EB95B266398C98B59124FA239CB7EEB
+				)
+zonemd02		ZONEMD	2019020700 1 2 (
+				08CFA1115C7B948C4163A901270395EA
+			        226A930CD2CBCF2FA9A5E6EB85F37C8A
+                                4E114D884E66F176EAB121CB02DB7D65
+                                2E0CC4827E7A3204F166B47E5613FD27
+				)
+
+; type 64 -- 98 (unassigned)
+
+; type 99
+spf01			SPF	"v=spf1 -all"
+spf02			SPF	"v=spf1" " -all"
+
+; type 100 (UINFO - not implemented by BIND - unknown record format only)
+uinfo01			UINFO	\# 1 01
+
+; type 101 (UID - not implemented by BIND - unknown record format only)
+uid01			UID	\# 1 02
+
+; type 102 (GID - not implemented by BIND - unknown record format only)
+gid01			GID	\# 1 03
+
+; type 103 (UNSPEC - not implemented by BIND - unknown record format only)
+unspec01		UNSPEC	\# 1 04
+
+; type 104
+nid			NID	10 0014:4fff:ff20:ee64
+
+; type 105
+l32			L32	10 1.2.3.4
+
+; type 106
+l64			L64	10 0014:4fff:ff20:ee64
+
+; type 107
+lp			LP	10 example.net.
+
+; type 108
+eui48			EUI48	01-23-45-67-89-ab
+
+; type 109
+eui64			EUI64	01-23-45-67-89-ab-cd-ef
+
+; type 110 -- 248 (unassigned)
+
+; type 249
+; TKEY is a meta-type and should never occur in master files.
+; The text representation is not specified in the draft.
+; This example was written based on the bind9 RR parsing code.
+;tkey01			TKEY	928321914 928321915 (
+;				algorithm-name.	; algorithm
+;				65535 		; mode
+;				0		; error
+;				3 		; key size
+;				aaaa		; key data
+;				3 		; other size
+;				bbbb		; other data
+;				)
+;; A TKEY with empty "other data"
+;tkey02			TKEY	928321914 928321915 (
+;				algorithm-name.	; algorithm
+;				65535 		; mode
+;				0		; error
+;				3 		; key size
+;				aaaa		; key data
+;				0 		; other size
+;						; other data
+;				)
+
+; type 255
+; * is a meta-type and should never occur in master files.
+
+; type 256
+uri01			URI	10 20 "https://www.isc.org/"
+uri02			URI	30 40 "https://www.isc.org/HolyCowThisSureIsAVeryLongURIRecordIDontEvenKnowWhatSomeoneWouldEverWantWithSuchAThingButTheSpecificationRequiresThatWesupportItSoHereWeGoTestingItLaLaLaLaLaLaLaSeriouslyThoughWhyWouldYouEvenConsiderUsingAURIThisLongItSeemsLikeASillyIdeaButEnhWhatAreYouGonnaDo/"
+uri03			URI	30 40 ""
+
+; type 257
+caa01			CAA	0 issue "ca.example.net; policy=ev"
+caa02			CAA	128 tbs "Unknown"
+caa03			CAA	128 tbs ""
+
+; type 258
+avc			AVC	foo:bar
+
+; type 259
+doa01			DOA	( 1234567890 1234567890 1 "image/gif"
+				  R0lGODlhKAAZAOMCAGZmZgBmmf///zOZzMz//5nM/zNmmWbM/5nMzMzMzACZ////
+				  /////////////////yH5BAEKAA8ALAAAAAAoABkAAATH8IFJK5U2a4337F5ogRkp
+				  noCJrly7PrCKyh8c3HgAhzT35MDbbtO7/IJIHbGiOiaTxVTpSVWWLqNq1UVyapNS
+				  1wd3OAxug0LhnCubcVhsxysQnOt4ATpvvzHlFzl1AwODhWeFAgRpen5/UhheAYMF
+				  dUB4SFcpGEGGdQeCAqBBLTuSk30EeXd9pEsAbKGxjHqDSE0Sp6ixN4N1BJmbc7lI
+				  hmsBich1awPAjkY1SZR8bJWrz382SGqIBQQFQd4IsUTaX+ceuudPEQA7 )
+doa02			DOA	0 1 2 "" aHR0cHM6Ly93d3cuaXNjLm9yZy8=
+
+; type 260
+amtrelay01		AMTRELAY 0 0 0
+amtrelay02		AMTRELAY 0 1 0
+amtrelay03		AMTRELAY 0 0 1 0.0.0.0
+amtrelay04		AMTRELAY 0 0 2 ::
+amtrelay05		AMTRELAY 0 0 3 example.net.
+amtrelay06		AMTRELAY \# 2 0004
+
+; type 261 -- 32767 (unassigned)
+
+; type 32768
+ta			TA	30795 1 1 (
+					310D27F4D82C1FC2400704EA9939FE6E1CEA
+					A3B9 )
+
+; type 32769
+dlv			DLV	30795 1 1 (
+					310D27F4D82C1FC2400704EA9939FE6E1CEA
+					A3B9 )
+
+; type 32770 -- 65279 (unassigned)
+
+; type 65280-65534 (private use)
+
+https0			HTTPS	0 example.net.
+https1			HTTPS	1 . port=60
+
+svcb0			SVCB	0 example.net.
+svcb1			SVCB	1 . port=60
+
+; keydata (internal type used for managed keys)
+keydata			TYPE65533	\# 0
+keydata			TYPE65533	\# 6 010203040506 
+keydata			TYPE65533	\# 18 010203040506010203040506010203040506
+
+; type 65535 (reserved)
+
+EOF
diff --git a/bin/tests/system/geoip2/clean.sh b/bin/tests/system/geoip2/clean.sh
new file mode 100644
index 0000000..46de65b
--- /dev/null
+++ b/bin/tests/system/geoip2/clean.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f ns2/named.conf
+rm -f ns2/example*.db
+rm -f dig.out.* rndc.out.*
+rm -f ns?/named.run
+rm -f ns?/named.memstats
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind* ns*/*.mkeys*
diff --git a/bin/tests/system/geoip2/conf/bad-areacode.conf b/bin/tests/system/geoip2/conf/bad-areacode.conf
new file mode 100644
index 0000000..2ca9dd4
--- /dev/null
+++ b/bin/tests/system/geoip2/conf/bad-areacode.conf
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port 5300;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	geoip-directory "data";
+	allow-query {
+		geoip area 831;
+		geoip areacode 831;
+		geoip metro 828;
+		geoip metrocode 828;
+		geoip tz "America/Los_Angeles";
+		geoip timezone "America/Los_Angeles";
+		geoip postal 95060;
+		geoip postalcode 95060;
+	};
+};
diff --git a/bin/tests/system/geoip2/conf/bad-dbname.conf b/bin/tests/system/geoip2/conf/bad-dbname.conf
new file mode 100644
index 0000000..9fc5238
--- /dev/null
+++ b/bin/tests/system/geoip2/conf/bad-dbname.conf
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+};
+
+view one {
+	match-clients { geoip db unknown asnum "WX"; };
+	zone "example" {
+		type primary;
+		file "example1.db";
+	};
+};
diff --git a/bin/tests/system/geoip2/conf/bad-netspeed.conf b/bin/tests/system/geoip2/conf/bad-netspeed.conf
new file mode 100644
index 0000000..133fd42
--- /dev/null
+++ b/bin/tests/system/geoip2/conf/bad-netspeed.conf
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port 5300;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	geoip-directory "data";
+	allow-query {
+		geoip netspeed 100;
+		geoip metro 828;
+		geoip metrocode 828;
+		geoip tz "America/Los_Angeles";
+		geoip timezone "America/Los_Angeles";
+		geoip postal 95060;
+		geoip postalcode 95060;
+	};
+};
diff --git a/bin/tests/system/geoip2/conf/bad-regiondb.conf b/bin/tests/system/geoip2/conf/bad-regiondb.conf
new file mode 100644
index 0000000..aebdbed
--- /dev/null
+++ b/bin/tests/system/geoip2/conf/bad-regiondb.conf
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+	geoip-directory "../data";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+view one {
+	match-clients { geoip db region region "California"; };
+	zone "example" {
+		type primary;
+		file "example1.db";
+	};
+};
diff --git a/bin/tests/system/geoip2/conf/bad-threeletter.conf b/bin/tests/system/geoip2/conf/bad-threeletter.conf
new file mode 100644
index 0000000..ec0a9df
--- /dev/null
+++ b/bin/tests/system/geoip2/conf/bad-threeletter.conf
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+	geoip-directory "../data";
+};
+
+view one {
+	match-clients { geoip db country country AUS; };
+	zone "example" {
+		type primary;
+		file "example1.db";
+	};
+};
diff --git a/bin/tests/system/geoip2/conf/good-options.conf b/bin/tests/system/geoip2/conf/good-options.conf
new file mode 100644
index 0000000..02c5e5d
--- /dev/null
+++ b/bin/tests/system/geoip2/conf/good-options.conf
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port 5300;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	geoip-directory "data";
+	allow-query {
+		geoip metro 828;
+		geoip metrocode 828;
+		geoip tz "America/Los_Angeles";
+		geoip timezone "America/Los_Angeles";
+		geoip postal 95060;
+		geoip postalcode 95060;
+	};
+};
diff --git a/bin/tests/system/geoip2/data/GeoIP2-City.json b/bin/tests/system/geoip2/data/GeoIP2-City.json
new file mode 100644
index 0000000..5490d42
--- /dev/null
+++ b/bin/tests/system/geoip2/data/GeoIP2-City.json
@@ -0,0 +1,506 @@
+[
+   {
+      "::10.53.0.1/128" : {
+         "continent" : {
+            "code" : "NA",
+            "names" : {
+               "en" : "North America"
+            }
+         },
+         "country" : {
+            "iso_code" : "US",
+            "names" : {
+               "en" : "United States"
+            }
+         },
+         "city" : {
+            "names" : {
+               "en" : "Redwood City"
+            }
+         },
+         "location" : {
+            "metro_code" : "807",
+            "time_zone" : "America/Los_Angeles"
+         },
+         "postal" : {
+            "code" : "94063"
+         },
+         "subdivisions" : [
+            {
+               "iso_code" : "CA",
+               "names" : {
+                  "en" : "California"
+               }
+            }
+         ]
+      }
+   },
+   {
+      "::10.53.0.2/128" : {
+         "continent" : {
+            "code" : "NA",
+            "names" : {
+               "en" : "North America"
+            }
+         },
+         "country" : {
+            "iso_code" : "US",
+            "names" : {
+               "en" : "United States"
+            }
+         },
+         "city" : {
+            "names" : {
+               "en" : "Santa Cruz"
+            }
+         },
+         "location" : {
+            "metro_code" : "828",
+            "time_zone" : "America/Los_Angeles"
+         },
+         "postal" : {
+            "code" : "95060"
+         },
+         "subdivisions" : [
+            {
+               "iso_code" : "CA",
+               "names" : {
+                  "en" : "California"
+               }
+            }
+         ]
+      }
+   },
+   {
+      "::10.53.0.3/128" : {
+         "continent" : {
+            "code" : "NA",
+            "names" : {
+               "en" : "North America"
+            }
+         },
+         "country" : {
+            "iso_code" : "US",
+            "names" : {
+               "en" : "United States"
+            }
+         },
+         "city" : {
+            "names" : {
+               "en" : "Oklahoma City"
+            }
+         },
+         "location" : {
+            "metro_code" : "650",
+            "time_zone" : "America/Chicago"
+         },
+         "postal" : {
+            "code" : "73120"
+         },
+         "subdivisions" : [
+            {
+               "iso_code" : "OK",
+               "names" : {
+                  "en" : "Oklahoma"
+               }
+            }
+         ]
+      }
+   },
+   {
+      "::10.53.0.4/128" : {
+         "continent" : {
+            "code" : "NA",
+            "names" : {
+               "en" : "North America"
+            }
+         },
+         "country" : {
+            "iso_code" : "US",
+            "names" : {
+               "en" : "United States"
+            }
+         },
+         "city" : {
+            "names" : {
+               "en" : "Ashland"
+            }
+         },
+         "location" : {
+            "metro_code" : "556",
+            "time_zone" : "America/New_York"
+         },
+         "postal" : {
+            "code" : "23005"
+         },
+         "subdivisions" : [
+            {
+               "iso_code" : "VA",
+               "names" : {
+                  "en" : "Virginia"
+               }
+            }
+         ]
+      }
+   },
+   {
+      "::10.53.0.5/128" : {
+         "continent" : {
+            "code" : "NA",
+            "names" : {
+               "en" : "North America"
+            }
+         },
+         "country" : {
+            "iso_code" : "US",
+            "names" : {
+               "en" : "United States"
+            }
+         },
+         "city" : {
+            "names" : {
+               "en" : "Atlanta"
+            }
+         },
+         "location" : {
+            "metro_code" : "524",
+            "time_zone" : "America/New_York"
+         },
+         "postal" : {
+            "code" : "30345"
+         },
+         "subdivisions" : [
+            {
+               "iso_code" : "GA",
+               "names" : {
+                  "en" : "Georgia"
+               }
+            }
+         ]
+      }
+   },
+   {
+      "::10.53.0.6/128" : {
+         "continent" : {
+            "code" : "NA",
+            "names" : {
+               "en" : "North America"
+            }
+         },
+         "country" : {
+            "iso_code" : "US",
+            "names" : {
+               "en" : "United States"
+            }
+         },
+         "city" : {
+            "names" : {
+               "en" : "Morrison"
+            }
+         },
+         "location" : {
+            "metro_code" : "751",
+            "time_zone" : "America/Denver"
+         },
+         "postal" : {
+            "code" : "80465"
+         },
+         "subdivisions" : [
+            {
+               "iso_code" : "CO",
+               "names" : {
+                  "en" : "Colorado"
+               }
+            }
+         ]
+      }
+   },
+   {
+      "::10.53.0.7/128" : {
+         "continent" : {
+            "code" : "NA",
+            "names" : {
+               "en" : "North America"
+            }
+         },
+         "country" : {
+            "iso_code" : "US",
+            "names" : {
+               "en" : "United States"
+            }
+         },
+         "city" : {
+            "names" : {
+               "en" : "Ketchikan"
+            }
+         },
+         "location" : {
+            "metro_code" : "747",
+            "time_zone" : "America/Anchorage"
+         },
+         "postal" : {
+            "code" : "99901"
+         },
+         "subdivisions" : [
+            {
+               "iso_code" : "AK",
+               "names" : {
+                  "en" : "Alaska"
+               }
+            }
+         ]
+      }
+   },
+   {
+      "fd92:7065:b8e:ffff::1/128" : {
+         "continent" : {
+            "code" : "NA",
+            "names" : {
+               "en" : "North America"
+            }
+         },
+         "country" : {
+            "iso_code" : "US",
+            "names" : {
+               "en" : "United States"
+            }
+         },
+         "city" : {
+            "names" : {
+               "en" : "Redwood City"
+            }
+         },
+         "location" : {
+            "metro_code" : "807",
+            "time_zone" : "America/Los_Angeles"
+         },
+         "postal" : {
+            "code" : "94063"
+         },
+         "subdivisions" : [
+            {
+               "iso_code" : "CA",
+               "names" : {
+                  "en" : "California"
+               }
+            }
+         ]
+      }
+   },
+   {
+      "fd92:7065:b8e:ffff::2/128" : {
+         "continent" : {
+            "code" : "NA",
+            "names" : {
+               "en" : "North America"
+            }
+         },
+         "country" : {
+            "iso_code" : "US",
+            "names" : {
+               "en" : "United States"
+            }
+         },
+         "city" : {
+            "names" : {
+               "en" : "Santa Cruz"
+            }
+         },
+         "location" : {
+            "metro_code" : "828",
+            "time_zone" : "America/Los_Angeles"
+         },
+         "postal" : {
+            "code" : "95060"
+         },
+         "subdivisions" : [
+            {
+               "iso_code" : "CA",
+               "names" : {
+                  "en" : "California"
+               }
+            }
+         ]
+      }
+   },
+   {
+      "fd92:7065:b8e:ffff::3/128" : {
+         "continent" : {
+            "code" : "NA",
+            "names" : {
+               "en" : "North America"
+            }
+         },
+         "country" : {
+            "iso_code" : "US",
+            "names" : {
+               "en" : "United States"
+            }
+         },
+         "city" : {
+            "names" : {
+               "en" : "Oklahoma City"
+            }
+         },
+         "location" : {
+            "metro_code" : "650",
+            "time_zone" : "America/Chicago"
+         },
+         "postal" : {
+            "code" : "73120"
+         },
+         "subdivisions" : [
+            {
+               "iso_code" : "OK",
+               "names" : {
+                  "en" : "Oklahoma"
+               }
+            }
+         ]
+      }
+   },
+   {
+      "fd92:7065:b8e:ffff::4/128" : {
+         "continent" : {
+            "code" : "NA",
+            "names" : {
+               "en" : "North America"
+            }
+         },
+         "country" : {
+            "iso_code" : "US",
+            "names" : {
+               "en" : "United States"
+            }
+         },
+         "city" : {
+            "names" : {
+               "en" : "Ashland"
+            }
+         },
+         "location" : {
+            "metro_code" : "556",
+            "time_zone" : "America/New_York"
+         },
+         "postal" : {
+            "code" : "23005"
+         },
+         "subdivisions" : [
+            {
+               "iso_code" : "VA",
+               "names" : {
+                  "en" : "Virginia"
+               }
+            }
+         ]
+      }
+   },
+   {
+      "fd92:7065:b8e:ffff::5/128" : {
+         "continent" : {
+            "code" : "NA",
+            "names" : {
+               "en" : "North America"
+            }
+         },
+         "country" : {
+            "iso_code" : "US",
+            "names" : {
+               "en" : "United States"
+            }
+         },
+         "city" : {
+            "names" : {
+               "en" : "Atlanta"
+            }
+         },
+         "location" : {
+            "metro_code" : "524",
+            "time_zone" : "America/New_York"
+         },
+         "postal" : {
+            "code" : "30345"
+         },
+         "subdivisions" : [
+            {
+               "iso_code" : "GA",
+               "names" : {
+                  "en" : "Georgia"
+               }
+            }
+         ]
+      }
+   },
+   {
+      "fd92:7065:b8e:ffff::6/128" : {
+         "continent" : {
+            "code" : "NA",
+            "names" : {
+               "en" : "North America"
+            }
+         },
+         "country" : {
+            "iso_code" : "US",
+            "names" : {
+               "en" : "United States"
+            }
+         },
+         "city" : {
+            "names" : {
+               "en" : "Morrison"
+            }
+         },
+         "location" : {
+            "metro_code" : "751",
+            "time_zone" : "America/Denver"
+         },
+         "postal" : {
+            "code" : "80465"
+         },
+         "subdivisions" : [
+            {
+               "iso_code" : "CO",
+               "names" : {
+                  "en" : "Colorado"
+               }
+            }
+         ]
+      }
+   },
+   {
+      "fd92:7065:b8e:ffff::7/128" : {
+         "continent" : {
+            "code" : "NA",
+            "names" : {
+               "en" : "North America"
+            }
+         },
+         "country" : {
+            "iso_code" : "US",
+            "names" : {
+               "en" : "United States"
+            }
+         },
+         "city" : {
+            "names" : {
+               "en" : "Ketchikan"
+            }
+         },
+         "location" : {
+            "metro_code" : "747",
+            "time_zone" : "America/Anchorage"
+         },
+         "postal" : {
+            "code" : "99901"
+         },
+         "subdivisions" : [
+            {
+               "iso_code" : "AK",
+               "names" : {
+                  "en" : "Alaska"
+               }
+            }
+         ]
+      }
+   }
+]
diff --git a/bin/tests/system/geoip2/data/GeoIP2-City.mmdb b/bin/tests/system/geoip2/data/GeoIP2-City.mmdb
new file mode 100644
index 0000000..79c5314
--- /dev/null
+++ b/bin/tests/system/geoip2/data/GeoIP2-City.mmdb
diff --git a/bin/tests/system/geoip2/data/GeoIP2-Country.json b/bin/tests/system/geoip2/data/GeoIP2-Country.json
new file mode 100644
index 0000000..83a8ca8
--- /dev/null
+++ b/bin/tests/system/geoip2/data/GeoIP2-Country.json
@@ -0,0 +1,242 @@
+[
+   {
+      "::10.53.0.1/128" : {
+         "continent" : {
+            "code" : "OC",
+            "names" : {
+               "en" : "Oceania"
+            }
+         },
+         "country" : {
+            "iso_code" : "AU",
+            "names" : {
+               "en" : "Australia"
+            }
+         }
+      }
+   },
+   {
+      "::10.53.0.2/128" : {
+         "continent" : {
+            "code" : "NA",
+            "names" : {
+               "en" : "North America"
+            }
+         },
+         "country" : {
+            "iso_code" : "US",
+            "names" : {
+               "en" : "United States"
+            }
+         }
+      }
+   },
+   {
+      "::10.53.0.3/128" : {
+         "continent" : {
+            "code" : "EU",
+            "names" : {
+               "en" : "Europe"
+            }
+         },
+         "country" : {
+            "iso_code" : "GB",
+            "names" : {
+               "en" : "United Kingdom"
+            }
+         }
+      }
+   },
+   {
+      "::10.53.0.4/128" : {
+         "continent" : {
+            "code" : "NA",
+            "names" : {
+               "en" : "North America"
+            }
+         },
+         "country" : {
+            "iso_code" : "CA",
+            "names" : {
+               "en" : "Canada"
+            }
+         }
+      }
+   },
+   {
+      "::10.53.0.5/128" : {
+         "continent" : {
+            "code" : "SA",
+            "names" : {
+               "en" : "South America"
+            }
+         },
+         "country" : {
+            "iso_code" : "CL",
+            "names" : {
+               "en" : "Chile"
+            }
+         }
+      }
+   },
+   {
+      "::10.53.0.6/128" : {
+         "continent" : {
+            "code" : "EU",
+            "names" : {
+               "en" : "Europe"
+            }
+         },
+         "country" : {
+            "iso_code" : "DE",
+            "names" : {
+               "en" : "Germany"
+            }
+         }
+      }
+   },
+   {
+      "::10.53.0.7/128" : {
+         "continent" : {
+            "code" : "AF",
+            "names" : {
+               "en" : "Africa"
+            }
+         },
+         "country" : {
+            "iso_code" : "EH",
+            "names" : {
+               "en" : "Western Sahara"
+            }
+         }
+      }
+   },
+   {
+      "::192.0.2.0/120" : {
+         "continent" : {
+            "code" : "O1",
+            "names" : {
+               "en" : "Other"
+            }
+         },
+         "country" : {
+            "iso_code" : "O1",
+            "names" : {
+               "en" : "Other"
+            }
+         }
+      }
+   },
+   {
+      "fd92:7065:b8e:ffff::1/128" : {
+         "continent" : {
+            "code" : "OC",
+            "names" : {
+               "en" : "Oceania"
+            }
+         },
+         "country" : {
+            "iso_code" : "AU",
+            "names" : {
+               "en" : "Australia"
+            }
+         }
+      }
+   },
+   {
+      "fd92:7065:b8e:ffff::2/128" : {
+         "continent" : {
+            "code" : "NA",
+            "names" : {
+               "en" : "North America"
+            }
+         },
+         "country" : {
+            "iso_code" : "US",
+            "names" : {
+               "en" : "United States"
+            }
+         }
+      }
+   },
+   {
+      "fd92:7065:b8e:ffff::3/128" : {
+         "continent" : {
+            "code" : "EU",
+            "names" : {
+               "en" : "Europe"
+            }
+         },
+         "country" : {
+            "iso_code" : "GB",
+            "names" : {
+               "en" : "United Kingdom"
+            }
+         }
+      }
+   },
+   {
+      "fd92:7065:b8e:ffff::4/128" : {
+         "continent" : {
+            "code" : "NA",
+            "names" : {
+               "en" : "North America"
+            }
+         },
+         "country" : {
+            "iso_code" : "CA",
+            "names" : {
+               "en" : "Canada"
+            }
+         }
+      }
+   },
+   {
+      "fd92:7065:b8e:ffff::5/128" : {
+         "continent" : {
+            "code" : "SA",
+            "names" : {
+               "en" : "South America"
+            }
+         },
+         "country" : {
+            "iso_code" : "CL",
+            "names" : {
+               "en" : "Chile"
+            }
+         }
+      }
+   },
+   {
+      "fd92:7065:b8e:ffff::6/128" : {
+         "continent" : {
+            "code" : "EU",
+            "names" : {
+               "en" : "Europe"
+            }
+         },
+         "country" : {
+            "iso_code" : "DE",
+            "names" : {
+               "en" : "Germany"
+            }
+         }
+      }
+   },
+   {
+      "fd92:7065:b8e:ffff::7/128" : {
+         "continent" : {
+            "code" : "AF",
+            "names" : {
+               "en" : "Africa"
+            }
+         },
+         "country" : {
+            "iso_code" : "EH",
+            "names" : {
+               "en" : "Western Sahara"
+            }
+         }
+      }
+   }
+]
diff --git a/bin/tests/system/geoip2/data/GeoIP2-Country.mmdb b/bin/tests/system/geoip2/data/GeoIP2-Country.mmdb
new file mode 100644
index 0000000..7771dc7
--- /dev/null
+++ b/bin/tests/system/geoip2/data/GeoIP2-Country.mmdb
diff --git a/bin/tests/system/geoip2/data/GeoIP2-Domain.json b/bin/tests/system/geoip2/data/GeoIP2-Domain.json
new file mode 100644
index 0000000..fb8e914
--- /dev/null
+++ b/bin/tests/system/geoip2/data/GeoIP2-Domain.json
@@ -0,0 +1,72 @@
+[
+   {
+      "::10.53.0.1/128" : {
+         "domain" : "one.de"
+      }
+   },
+   {
+      "::10.53.0.2/128" : {
+         "domain" : "two.com"
+      }
+   },
+   {
+      "::10.53.0.3/128" : {
+         "domain" : "three.com"
+      }
+   },
+   {
+      "::10.53.0.4/128" : {
+         "domain" : "four.edu"
+      }
+   },
+   {
+      "::10.53.0.5/128" : {
+         "domain" : "five.es"
+      }
+   },
+   {
+      "::10.53.0.6/128" : {
+         "domain" : "six.it"
+      }
+   },
+   {
+      "::10.53.0.7/128" : {
+         "domain" : "seven.org"
+      }
+   },
+   {
+      "fd92:7065:b8e:ffff::1/128" : {
+         "domain" : "one.de"
+      }
+   },
+   {
+      "fd92:7065:b8e:ffff::2/128" : {
+         "domain" : "two.com"
+      }
+   },
+   {
+      "fd92:7065:b8e:ffff::3/128" : {
+         "domain" : "three.com"
+      }
+   },
+   {
+      "fd92:7065:b8e:ffff::4/128" : {
+         "domain" : "four.edu"
+      }
+   },
+   {
+      "fd92:7065:b8e:ffff::5/128" : {
+         "domain" : "five.es"
+      }
+   },
+   {
+      "fd92:7065:b8e:ffff::6/128" : {
+         "domain" : "six.it"
+      }
+   },
+   {
+      "fd92:7065:b8e:ffff::7/128" : {
+         "domain" : "seven.org"
+      }
+   }
+]
diff --git a/bin/tests/system/geoip2/data/GeoIP2-Domain.mmdb b/bin/tests/system/geoip2/data/GeoIP2-Domain.mmdb
new file mode 100644
index 0000000..fe93dec
--- /dev/null
+++ b/bin/tests/system/geoip2/data/GeoIP2-Domain.mmdb
diff --git a/bin/tests/system/geoip2/data/GeoIP2-ISP.json b/bin/tests/system/geoip2/data/GeoIP2-ISP.json
new file mode 100644
index 0000000..c6b0a5d
--- /dev/null
+++ b/bin/tests/system/geoip2/data/GeoIP2-ISP.json
@@ -0,0 +1,86 @@
+[
+   {
+      "::10.53.0.1/128" : {
+         "isp" : "One Systems, Inc.",
+         "organization" : "One Systems, Inc."
+      }
+   },
+   {
+      "::10.53.0.2/128" : {
+         "isp" : "Two Technology Ltd.",
+         "organization" : "Two Technology Ltd."
+      }
+   },
+   {
+      "::10.53.0.3/128" : {
+         "isp" : "Three Network Labs",
+         "organization" : "Three Network Labs"
+      }
+   },
+   {
+      "::10.53.0.4/128" : {
+         "isp" : "Four University",
+         "organization" : "Four University"
+      }
+   },
+   {
+      "::10.53.0.5/128" : {
+         "isp" : "Five Telecom",
+         "organization" : "Five Telecom"
+      }
+   },
+   {
+      "::10.53.0.6/128" : {
+         "isp" : "Six Company",
+         "organization" : "Six Company"
+      }
+   },
+   {
+      "::10.53.0.7/128" : {
+         "isp" : "Seven Communications",
+         "organization" : "Seven Communications"
+      }
+   },
+   {
+      "fd92:7065:b8e:ffff::1/128" : {
+         "isp" : "One Systems, Inc.",
+         "organization" : "One Systems, Inc."
+      }
+   },
+   {
+      "fd92:7065:b8e:ffff::2/128" : {
+         "isp" : "Two Technology Ltd.",
+         "organization" : "Two Technology Ltd."
+      }
+   },
+   {
+      "fd92:7065:b8e:ffff::3/128" : {
+         "isp" : "Three Network Labs",
+         "organization" : "Three Network Labs"
+      }
+   },
+   {
+      "fd92:7065:b8e:ffff::4/128" : {
+         "isp" : "Four University",
+         "organization" : "Four University"
+      }
+   },
+   {
+      "fd92:7065:b8e:ffff::5/128" : {
+         "isp" : "Five Telecom",
+         "organization" : "Five Telecom"
+      }
+   },
+   {
+      "fd92:7065:b8e:ffff::6/128" : {
+         "isp" : "Six Company",
+         "organization" : "Six Company"
+      }
+   },
+   {
+      "fd92:7065:b8e:ffff::7/128" : {
+         "isp" : "Seven Communications",
+         "organization" : "Seven Communications"
+      }
+   }
+]
diff --git a/bin/tests/system/geoip2/data/GeoIP2-ISP.mmdb b/bin/tests/system/geoip2/data/GeoIP2-ISP.mmdb
new file mode 100644
index 0000000..73f0718
--- /dev/null
+++ b/bin/tests/system/geoip2/data/GeoIP2-ISP.mmdb
diff --git a/bin/tests/system/geoip2/data/GeoLite2-ASN.json b/bin/tests/system/geoip2/data/GeoLite2-ASN.json
new file mode 100644
index 0000000..8fad0ce
--- /dev/null
+++ b/bin/tests/system/geoip2/data/GeoLite2-ASN.json
@@ -0,0 +1,86 @@
+[
+   {
+      "::10.53.0.1/128" : {
+         "autonomous_system_number" : 100001,
+         "autonomous_system_organization" : "One Systems, Inc."
+      }
+   },
+   {
+      "::10.53.0.2/128" : {
+         "autonomous_system_number" : 100002,
+         "autonomous_system_organization" : "Two Technology Ltd."
+      }
+   },
+   {
+      "::10.53.0.3/128" : {
+         "autonomous_system_number" : 100003,
+         "autonomous_system_organization" : "Three Network Labs"
+      }
+   },
+   {
+      "::10.53.0.4/128" : {
+         "autonomous_system_number" : 100004,
+         "autonomous_system_organization" : "Four University"
+      }
+   },
+   {
+      "::10.53.0.5/128" : {
+         "autonomous_system_number" : 100005,
+         "autonomous_system_organization" : "Five Telecom"
+      }
+   },
+   {
+      "::10.53.0.6/128" : {
+         "autonomous_system_number" : 100006,
+         "autonomous_system_organization" : "Six Company"
+      }
+   },
+   {
+      "::10.53.0.7/128" : {
+         "autonomous_system_number" : 100007,
+         "autonomous_system_organization" : "Seven Communications"
+      }
+   },
+   {
+      "fd92:7065:b8e:ffff::1/128" : {
+         "autonomous_system_number" : 100001,
+         "autonomous_system_organization" : "One Systems, Inc."
+      }
+   },
+   {
+      "fd92:7065:b8e:ffff::2/128" : {
+         "autonomous_system_number" : 100002,
+         "autonomous_system_organization" : "Two Technology Ltd."
+      }
+   },
+   {
+      "fd92:7065:b8e:ffff::3/128" : {
+         "autonomous_system_number" : 100003,
+         "autonomous_system_organization" : "Three Network Labs"
+      }
+   },
+   {
+      "fd92:7065:b8e:ffff::4/128" : {
+         "autonomous_system_number" : 100004,
+         "autonomous_system_organization" : "Four University"
+      }
+   },
+   {
+      "fd92:7065:b8e:ffff::5/128" : {
+         "autonomous_system_number" : 100005,
+         "autonomous_system_organization" : "Five Telecom"
+      }
+   },
+   {
+      "fd92:7065:b8e:ffff::6/128" : {
+         "autonomous_system_number" : 100006,
+         "autonomous_system_organization" : "Six Company"
+      }
+   },
+   {
+      "fd92:7065:b8e:ffff::7/128" : {
+         "autonomous_system_number" : 100007,
+         "autonomous_system_organization" : "Seven Communications"
+      }
+   }
+]
diff --git a/bin/tests/system/geoip2/data/GeoLite2-ASN.mmdb b/bin/tests/system/geoip2/data/GeoLite2-ASN.mmdb
new file mode 100644
index 0000000..05260c0
--- /dev/null
+++ b/bin/tests/system/geoip2/data/GeoLite2-ASN.mmdb
diff --git a/bin/tests/system/geoip2/data/README.md b/bin/tests/system/geoip2/data/README.md
new file mode 100644
index 0000000..e326843
--- /dev/null
+++ b/bin/tests/system/geoip2/data/README.md
@@ -0,0 +1,23 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0.  If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+
+##### Test MMDB databases
+
+This directory contains test versions of the GeoIP2/GeoLite2 CIty,
+Country, Domain, ISP, and ASN databases. The `.mmdb` files are built
+from the corresponding `.json` source files; to regenerate them, modify
+the source files and run `perl write-test-data.pl`.
+
+This script is adapted from one in
+[https://github.com/maxmind/MaxMind-DB](https://github.com/maxmind/MaxMind-DB).
+It depends on the MaxMind:DB:Writer module, which can be found in
+CPAN or at
+[https://github.com/maxmind/MaxMind-DB-Writer-perl](https://github.com/maxmind/MaxMind-DB-Writer-perl) .
diff --git a/bin/tests/system/geoip2/data/write-test-data.pl b/bin/tests/system/geoip2/data/write-test-data.pl
new file mode 100755
index 0000000..d12a014
--- /dev/null
+++ b/bin/tests/system/geoip2/data/write-test-data.pl
@@ -0,0 +1,194 @@
+#!/usr/bin/env perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+use strict;
+use warnings;
+use autodie;
+use utf8;
+
+use Carp qw( croak );
+use Cwd qw( abs_path );
+use File::Basename qw( dirname );
+use File::Slurper qw( read_binary write_binary );
+use Cpanel::JSON::XS qw( decode_json );
+use Math::Int128 qw( MAX_UINT128 string_to_uint128 uint128 );
+use MaxMind::DB::Writer::Serializer 0.100004;
+use MaxMind::DB::Writer::Tree 0.100004;
+use MaxMind::DB::Writer::Util qw( key_for_data );
+use Net::Works::Network;
+use Test::MaxMind::DB::Common::Util qw( standard_test_metadata );
+
+my $Dir = dirname( abs_path($0) );
+
+sub main {
+    write_geoip2_dbs();
+}
+
+sub write_geoip2_dbs {
+    _write_geoip2_db( @{$_}[ 0, 1 ], 'Test' )
+        for (
+        ['GeoIP2-City'],
+        ['GeoIP2-Country'],
+        ['GeoIP2-Domain'],
+        ['GeoIP2-ISP'],
+        ['GeoLite2-ASN'],
+        );
+}
+
+sub _universal_map_key_type_callback {
+    my $map = {
+
+        # languages
+        de      => 'utf8_string',
+        en      => 'utf8_string',
+        es      => 'utf8_string',
+        fr      => 'utf8_string',
+        ja      => 'utf8_string',
+        'pt-BR' => 'utf8_string',
+        ru      => 'utf8_string',
+        'zh-CN' => 'utf8_string',
+
+        # production
+        accuracy_radius                => 'uint16',
+        autonomous_system_number       => 'uint32',
+        autonomous_system_organization => 'utf8_string',
+        average_income                 => 'uint32',
+        city                           => 'map',
+        code                           => 'utf8_string',
+        confidence                     => 'uint16',
+        connection_type                => 'utf8_string',
+        continent                      => 'map',
+        country                        => 'map',
+        domain                         => 'utf8_string',
+        geoname_id                     => 'uint32',
+        ipv4_24                        => 'uint32',
+        ipv4_32                        => 'uint32',
+        ipv6_32                        => 'uint32',
+        ipv6_48                        => 'uint32',
+        ipv6_64                        => 'uint32',
+        is_anonymous                   => 'boolean',
+        is_anonymous_proxy             => 'boolean',
+        is_anonymous_vpn               => 'boolean',
+        is_hosting_provider            => 'boolean',
+        is_in_european_union           => 'boolean',
+        is_legitimate_proxy            => 'boolean',
+        is_public_proxy                => 'boolean',
+        is_satellite_provider          => 'boolean',
+        is_tor_exit_node               => 'boolean',
+        iso_code                       => 'utf8_string',
+        isp                            => 'utf8_string',
+        latitude                       => 'double',
+        location                       => 'map',
+        longitude                      => 'double',
+        metro_code                     => 'uint16',
+        names                          => 'map',
+        organization                   => 'utf8_string',
+        population_density             => 'uint32',
+        postal                         => 'map',
+        registered_country             => 'map',
+        represented_country            => 'map',
+        subdivisions                   => [ 'array', 'map' ],
+        time_zone                      => 'utf8_string',
+        traits                         => 'map',
+        traits                         => 'map',
+        type                           => 'utf8_string',
+        user_type                      => 'utf8_string',
+
+        # for testing only
+        foo       => 'utf8_string',
+        bar       => 'utf8_string',
+        buzz      => 'utf8_string',
+        our_value => 'utf8_string',
+    };
+
+    my $callback = sub {
+        my $key = shift;
+
+        return $map->{$key} || die <<"ERROR";
+Unknown tree key '$key'.
+
+The universal_map_key_type_callback doesn't know what type to use for the passed
+key.  If you are adding a new key that will be used in a frozen tree / mmdb then
+you should update the mapping in both our internal code and here.
+ERROR
+    };
+
+    return $callback;
+}
+
+sub _write_geoip2_db {
+    my $type                            = shift;
+    my $populate_all_networks_with_data = shift;
+    my $description                     = shift;
+
+    my $writer = MaxMind::DB::Writer::Tree->new(
+        ip_version    => 6,
+        record_size   => 28,
+        ip_version    => 6,
+        database_type => $type,
+        languages     => [ 'en', $type eq 'GeoIP2-City' ? ('zh') : () ],
+        description   => {
+            en => ( $type =~ s/-/ /gr )
+                . " $description Database (fake GeoIP2 data, for example purposes only)",
+            $type eq 'GeoIP2-City' ? ( zh => '�型数�库' ) : (),
+        },
+        alias_ipv6_to_ipv4    => 1,
+        map_key_type_callback => _universal_map_key_type_callback(),
+        remove_reserved_networks => 0,
+    );
+
+    _populate_all_networks( $writer, $populate_all_networks_with_data )
+        if $populate_all_networks_with_data;
+
+    my $value = shift;
+    my $nodes
+        = decode_json( read_binary("$Dir/$type.json") );
+
+    for my $node (@$nodes) {
+        for my $network ( keys %$node ) {
+            $writer->insert_network(
+                Net::Works::Network->new_from_string( string => $network ),
+                $node->{$network}
+            );
+        }
+    }
+
+    open my $output_fh, '>', "$Dir/$type.mmdb";
+    $writer->write_tree($output_fh);
+    close $output_fh;
+
+    return;
+}
+
+sub _populate_all_networks {
+    my $writer = shift;
+    my $data   = shift;
+
+    my $max_uint128 = uint128(0) - 1;
+    my @networks    = Net::Works::Network->range_as_subnets(
+        Net::Works::Address->new_from_integer(
+            integer => 0,
+            version => 6,
+        ),
+        Net::Works::Address->new_from_integer(
+            integer => $max_uint128,
+            version => 6,
+        ),
+    );
+
+    for my $network (@networks) {
+        $writer->insert_network( $network => $data );
+    }
+}
+
+main();
diff --git a/bin/tests/system/geoip2/ns2/example.db.in b/bin/tests/system/geoip2/ns2/example.db.in
new file mode 100644
index 0000000..fa3874c
--- /dev/null
+++ b/bin/tests/system/geoip2/ns2/example.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+ns2			A	10.53.0.2
diff --git a/bin/tests/system/geoip2/ns2/named1.conf.in b/bin/tests/system/geoip2/ns2/named1.conf.in
new file mode 100644
index 0000000..8c5784a
--- /dev/null
+++ b/bin/tests/system/geoip2/ns2/named1.conf.in
@@ -0,0 +1,108 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { fd92:7065:b8e:ffff::2; };
+	recursion no;
+	dnssec-validation no;
+	geoip-directory "../data";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+view one {
+	match-clients { geoip db country country AU; };
+	zone "example" {
+		type primary;
+		file "example1.db";
+	};
+};
+
+view two {
+	match-clients { geoip db country country US; };
+	zone "example" {
+		type primary;
+		file "example2.db";
+	};
+};
+
+view three {
+	match-clients { geoip db country country GB; };
+	zone "example" {
+		type primary;
+		file "example3.db";
+	};
+};
+
+view four {
+	match-clients { geoip db country country CA; };
+	zone "example" {
+		type primary;
+		file "example4.db";
+	};
+};
+
+view five {
+	match-clients { geoip db country country CL; };
+	zone "example" {
+		type primary;
+		file "example5.db";
+	};
+};
+
+view six {
+	match-clients { geoip db country country DE; };
+	zone "example" {
+		type primary;
+		file "example6.db";
+	};
+};
+
+view seven {
+	match-clients { geoip db country country EH; };
+	zone "example" {
+		type primary;
+		file "example7.db";
+	};
+};
+
+view other {
+	match-clients { geoip db country country O1; };
+	zone "example" {
+		type primary;
+		file "exampleother.db";
+	};
+};
+
+view none {
+	match-clients { any; };
+	zone "example" {
+		type primary;
+		file "example.db.in";
+	};
+};
diff --git a/bin/tests/system/geoip2/ns2/named10.conf.in b/bin/tests/system/geoip2/ns2/named10.conf.in
new file mode 100644
index 0000000..da3f9cd
--- /dev/null
+++ b/bin/tests/system/geoip2/ns2/named10.conf.in
@@ -0,0 +1,100 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { fd92:7065:b8e:ffff::2; };
+	recursion no;
+	dnssec-validation no;
+	geoip-directory "../data";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+view one {
+	match-clients { geoip asnum 100001; };
+	zone "example" {
+		type primary;
+		file "example1.db";
+	};
+};
+
+view two {
+	match-clients { geoip asnum 100002; };
+	zone "example" {
+		type primary;
+		file "example2.db";
+	};
+};
+
+view three {
+	match-clients { geoip asnum 100003; };
+	zone "example" {
+		type primary;
+		file "example3.db";
+	};
+};
+
+view four {
+	match-clients { geoip asnum 100004; };
+	zone "example" {
+		type primary;
+		file "example4.db";
+	};
+};
+
+view five {
+	match-clients { geoip asnum 100005; };
+	zone "example" {
+		type primary;
+		file "example5.db";
+	};
+};
+
+view six {
+	match-clients { geoip asnum 100006; };
+	zone "example" {
+		type primary;
+		file "example6.db";
+	};
+};
+
+view seven {
+	match-clients { geoip asnum 100007; };
+	zone "example" {
+		type primary;
+		file "example7.db";
+	};
+};
+
+view none {
+	match-clients { any; };
+	zone "example" {
+		type primary;
+		file "example.db.in";
+	};
+};
diff --git a/bin/tests/system/geoip2/ns2/named11.conf.in b/bin/tests/system/geoip2/ns2/named11.conf.in
new file mode 100644
index 0000000..578a484
--- /dev/null
+++ b/bin/tests/system/geoip2/ns2/named11.conf.in
@@ -0,0 +1,100 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { fd92:7065:b8e:ffff::2; };
+	recursion no;
+	dnssec-validation no;
+	geoip-directory "../data";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+view one {
+	match-clients { geoip domain one.de; };
+	zone "example" {
+		type primary;
+		file "example1.db";
+	};
+};
+
+view two {
+	match-clients { geoip domain two.com; };
+	zone "example" {
+		type primary;
+		file "example2.db";
+	};
+};
+
+view three {
+	match-clients { geoip domain three.com; };
+	zone "example" {
+		type primary;
+		file "example3.db";
+	};
+};
+
+view four {
+	match-clients { geoip domain four.edu; };
+	zone "example" {
+		type primary;
+		file "example4.db";
+	};
+};
+
+view five {
+	match-clients { geoip domain five.es; };
+	zone "example" {
+		type primary;
+		file "example5.db";
+	};
+};
+
+view six {
+	match-clients { geoip domain six.it; };
+	zone "example" {
+		type primary;
+		file "example6.db";
+	};
+};
+
+view seven {
+	match-clients { geoip domain seven.org; };
+	zone "example" {
+		type primary;
+		file "example7.db";
+	};
+};
+
+view none {
+	match-clients { any; };
+	zone "example" {
+		type primary;
+		file "example.db.in";
+	};
+};
diff --git a/bin/tests/system/geoip2/ns2/named12.conf.in b/bin/tests/system/geoip2/ns2/named12.conf.in
new file mode 100644
index 0000000..9c90c79
--- /dev/null
+++ b/bin/tests/system/geoip2/ns2/named12.conf.in
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+acl blocking {
+	geoip db country country AU;
+};
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { fd92:7065:b8e:ffff::2; };
+	recursion no;
+	dnssec-validation no;
+	geoip-directory "../data";
+	blackhole { blocking; };
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
diff --git a/bin/tests/system/geoip2/ns2/named2.conf.in b/bin/tests/system/geoip2/ns2/named2.conf.in
new file mode 100644
index 0000000..5ca5fcf
--- /dev/null
+++ b/bin/tests/system/geoip2/ns2/named2.conf.in
@@ -0,0 +1,108 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 127.0.0.1; 10.53.0.2; };
+	listen-on-v6 { ::1; fd92:7065:b8e:ffff::2; };
+	recursion no;
+	dnssec-validation no;
+	geoip-directory "../data";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+acl gAU { geoip db country country AU; };
+acl gUS { geoip db country country US; };
+acl gGB { geoip db country country GB; };
+acl gCA { geoip db country country CA; };
+acl gCL { geoip db country country CL; };
+acl gDE { geoip db country country DE; };
+acl gEH { geoip db country country EH; };
+
+view one {
+	match-clients { gAU; };
+	zone "example" {
+		type primary;
+		file "example1.db";
+	};
+};
+
+view two {
+	match-clients { gUS; };
+	zone "example" {
+		type primary;
+		file "example2.db";
+	};
+};
+
+view three {
+	match-clients { gGB; };
+	zone "example" {
+		type primary;
+		file "example3.db";
+	};
+};
+
+view four {
+	match-clients { gCA; };
+	zone "example" {
+		type primary;
+		file "example4.db";
+	};
+};
+
+view five {
+	match-clients { gCL; };
+	zone "example" {
+		type primary;
+		file "example5.db";
+	};
+};
+
+view six {
+	match-clients { gDE; };
+	zone "example" {
+		type primary;
+		file "example6.db";
+	};
+};
+
+view seven {
+	match-clients { gEH; };
+	zone "example" {
+		type primary;
+		file "example7.db";
+	};
+};
+
+view none {
+	match-clients { any; };
+	zone "example" {
+		type primary;
+		file "examplebogus.db";
+	};
+};
diff --git a/bin/tests/system/geoip2/ns2/named3.conf.in b/bin/tests/system/geoip2/ns2/named3.conf.in
new file mode 100644
index 0000000..295122a
--- /dev/null
+++ b/bin/tests/system/geoip2/ns2/named3.conf.in
@@ -0,0 +1,100 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { fd92:7065:b8e:ffff::2; };
+	recursion no;
+	dnssec-validation no;
+	geoip-directory "../data";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+view one {
+	match-clients { geoip db country country Australia; };
+	zone "example" {
+		type primary;
+		file "example1.db";
+	};
+};
+
+view two {
+	match-clients { geoip db country country "United States"; };
+	zone "example" {
+		type primary;
+		file "example2.db";
+	};
+};
+
+view three {
+	match-clients { geoip db country country "United Kingdom"; };
+	zone "example" {
+		type primary;
+		file "example3.db";
+	};
+};
+
+view four {
+	match-clients { geoip db country country Canada; };
+	zone "example" {
+		type primary;
+		file "example4.db";
+	};
+};
+
+view five {
+	match-clients { geoip db country country Chile; };
+	zone "example" {
+		type primary;
+		file "example5.db";
+	};
+};
+
+view six {
+	match-clients { geoip db country country Germany; };
+	zone "example" {
+		type primary;
+		file "example6.db";
+	};
+};
+
+view seven {
+	match-clients { geoip db country country "Western Sahara"; };
+	zone "example" {
+		type primary;
+		file "example7.db";
+	};
+};
+
+view none {
+	match-clients { any; };
+	zone "example" {
+		type primary;
+		file "example.db.in";
+	};
+};
diff --git a/bin/tests/system/geoip2/ns2/named4.conf.in b/bin/tests/system/geoip2/ns2/named4.conf.in
new file mode 100644
index 0000000..efdcaeb
--- /dev/null
+++ b/bin/tests/system/geoip2/ns2/named4.conf.in
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { fd92:7065:b8e:ffff::2; };
+	recursion no;
+	dnssec-validation no;
+	geoip-directory "../data";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+view one {
+	match-clients { geoip db country continent OC; };
+	zone "example" {
+		type primary;
+		file "example1.db";
+	};
+};
+
+view two {
+	match-clients { geoip db country continent NA; };
+	zone "example" {
+		type primary;
+		file "example2.db";
+	};
+};
+
+view three {
+	match-clients { geoip db country continent EU; };
+	zone "example" {
+		type primary;
+		file "example3.db";
+	};
+};
+
+view five {
+	match-clients { geoip db country continent SA; };
+	zone "example" {
+		type primary;
+		file "example5.db";
+	};
+};
+
+view seven {
+	match-clients { geoip db country continent AF; };
+	zone "example" {
+		type primary;
+		file "example7.db";
+	};
+};
+
+view none {
+	match-clients { any; };
+	zone "example" {
+		type primary;
+		file "example.db.in";
+	};
+};
diff --git a/bin/tests/system/geoip2/ns2/named5.conf.in b/bin/tests/system/geoip2/ns2/named5.conf.in
new file mode 100644
index 0000000..675dc18
--- /dev/null
+++ b/bin/tests/system/geoip2/ns2/named5.conf.in
@@ -0,0 +1,92 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { fd92:7065:b8e:ffff::2; };
+	recursion no;
+	dnssec-validation no;
+	geoip-directory "../data";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+view one {
+	match-clients { geoip region CA; };
+	zone "example" {
+		type primary;
+		file "example1.db";
+	};
+};
+
+view three {
+	match-clients { geoip region OK; };
+	zone "example" {
+		type primary;
+		file "example3.db";
+	};
+};
+
+view four {
+	match-clients { geoip region VA; };
+	zone "example" {
+		type primary;
+		file "example4.db";
+	};
+};
+
+view five {
+	match-clients { geoip region GA; };
+	zone "example" {
+		type primary;
+		file "example5.db";
+	};
+};
+
+view six {
+	match-clients { geoip region CO; };
+	zone "example" {
+		type primary;
+		file "example6.db";
+	};
+};
+
+view seven {
+	match-clients { geoip region AK; };
+	zone "example" {
+		type primary;
+		file "example7.db";
+	};
+};
+
+view none {
+	match-clients { any; };
+	zone "example" {
+		type primary;
+		file "example.db.in";
+	};
+};
diff --git a/bin/tests/system/geoip2/ns2/named6.conf.in b/bin/tests/system/geoip2/ns2/named6.conf.in
new file mode 100644
index 0000000..456462f
--- /dev/null
+++ b/bin/tests/system/geoip2/ns2/named6.conf.in
@@ -0,0 +1,100 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { fd92:7065:b8e:ffff::2; };
+	recursion no;
+	dnssec-validation no;
+	geoip-directory "../data";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+view one {
+	match-clients { geoip city "Redwood City"; };
+	zone "example" {
+		type primary;
+		file "example1.db";
+	};
+};
+
+view two {
+	match-clients { geoip city "Santa Cruz"; };
+	zone "example" {
+		type primary;
+		file "example2.db";
+	};
+};
+
+view three {
+	match-clients { geoip city "Oklahoma City"; };
+	zone "example" {
+		type primary;
+		file "example3.db";
+	};
+};
+
+view four {
+	match-clients { geoip city "Ashland"; };
+	zone "example" {
+		type primary;
+		file "example4.db";
+	};
+};
+
+view five {
+	match-clients { geoip city "Atlanta"; };
+	zone "example" {
+		type primary;
+		file "example5.db";
+	};
+};
+
+view six {
+	match-clients { geoip city "Morrison"; };
+	zone "example" {
+		type primary;
+		file "example6.db";
+	};
+};
+
+view seven {
+	match-clients { geoip city "Ketchikan"; };
+	zone "example" {
+		type primary;
+		file "example7.db";
+	};
+};
+
+view none {
+	match-clients { any; };
+	zone "example" {
+		type primary;
+		file "example.db.in";
+	};
+};
diff --git a/bin/tests/system/geoip2/ns2/named7.conf.in b/bin/tests/system/geoip2/ns2/named7.conf.in
new file mode 100644
index 0000000..b248e02
--- /dev/null
+++ b/bin/tests/system/geoip2/ns2/named7.conf.in
@@ -0,0 +1,100 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { fd92:7065:b8e:ffff::2; };
+	recursion no;
+	dnssec-validation no;
+	geoip-directory "../data";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+view one {
+	match-clients { geoip isp "One Systems, Inc."; };
+	zone "example" {
+		type primary;
+		file "example1.db";
+	};
+};
+
+view two {
+	match-clients { geoip isp "Two Technology Ltd."; };
+	zone "example" {
+		type primary;
+		file "example2.db";
+	};
+};
+
+view three {
+	match-clients { geoip isp "Three Network Labs"; };
+	zone "example" {
+		type primary;
+		file "example3.db";
+	};
+};
+
+view four {
+	match-clients { geoip isp "Four University"; };
+	zone "example" {
+		type primary;
+		file "example4.db";
+	};
+};
+
+view five {
+	match-clients { geoip isp "Five Telecom"; };
+	zone "example" {
+		type primary;
+		file "example5.db";
+	};
+};
+
+view six {
+	match-clients { geoip isp "Six Company"; };
+	zone "example" {
+		type primary;
+		file "example6.db";
+	};
+};
+
+view seven {
+	match-clients { geoip isp "Seven Communications"; };
+	zone "example" {
+		type primary;
+		file "example7.db";
+	};
+};
+
+view none {
+	match-clients { any; };
+	zone "example" {
+		type primary;
+		file "example.db.in";
+	};
+};
diff --git a/bin/tests/system/geoip2/ns2/named8.conf.in b/bin/tests/system/geoip2/ns2/named8.conf.in
new file mode 100644
index 0000000..26660b5
--- /dev/null
+++ b/bin/tests/system/geoip2/ns2/named8.conf.in
@@ -0,0 +1,100 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { fd92:7065:b8e:ffff::2; };
+	recursion no;
+	dnssec-validation no;
+	geoip-directory "../data";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+view one {
+	match-clients { geoip org "One Systems, Inc."; };
+	zone "example" {
+		type primary;
+		file "example1.db";
+	};
+};
+
+view two {
+	match-clients { geoip org "Two Technology Ltd."; };
+	zone "example" {
+		type primary;
+		file "example2.db";
+	};
+};
+
+view three {
+	match-clients { geoip org "Three Network Labs"; };
+	zone "example" {
+		type primary;
+		file "example3.db";
+	};
+};
+
+view four {
+	match-clients { geoip org "Four University"; };
+	zone "example" {
+		type primary;
+		file "example4.db";
+	};
+};
+
+view five {
+	match-clients { geoip org "Five Telecom"; };
+	zone "example" {
+		type primary;
+		file "example5.db";
+	};
+};
+
+view six {
+	match-clients { geoip org "Six Company"; };
+	zone "example" {
+		type primary;
+		file "example6.db";
+	};
+};
+
+view seven {
+	match-clients { geoip org "Seven Communications"; };
+	zone "example" {
+		type primary;
+		file "example7.db";
+	};
+};
+
+view none {
+	match-clients { any; };
+	zone "example" {
+		type primary;
+		file "example.db.in";
+	};
+};
diff --git a/bin/tests/system/geoip2/ns2/named9.conf.in b/bin/tests/system/geoip2/ns2/named9.conf.in
new file mode 100644
index 0000000..392879b
--- /dev/null
+++ b/bin/tests/system/geoip2/ns2/named9.conf.in
@@ -0,0 +1,100 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { fd92:7065:b8e:ffff::2; };
+	recursion no;
+	dnssec-validation no;
+	geoip-directory "../data";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+view one {
+	match-clients { geoip asnum "AS100001"; };
+	zone "example" {
+		type primary;
+		file "example1.db";
+	};
+};
+
+view two {
+	match-clients { geoip asnum "AS100002"; };
+	zone "example" {
+		type primary;
+		file "example2.db";
+	};
+};
+
+view three {
+	match-clients { geoip asnum "AS100003"; };
+	zone "example" {
+		type primary;
+		file "example3.db";
+	};
+};
+
+view four {
+	match-clients { geoip asnum "AS100004"; };
+	zone "example" {
+		type primary;
+		file "example4.db";
+	};
+};
+
+view five {
+	match-clients { geoip asnum "AS100005"; };
+	zone "example" {
+		type primary;
+		file "example5.db";
+	};
+};
+
+view six {
+	match-clients { geoip asnum "AS100006"; };
+	zone "example" {
+		type primary;
+		file "example6.db";
+	};
+};
+
+view seven {
+	match-clients { geoip asnum "AS100007"; };
+	zone "example" {
+		type primary;
+		file "example7.db";
+	};
+};
+
+view none {
+	match-clients { any; };
+	zone "example" {
+		type primary;
+		file "example.db.in";
+	};
+};
diff --git a/bin/tests/system/geoip2/prereq.sh b/bin/tests/system/geoip2/prereq.sh
new file mode 100644
index 0000000..8d8528f
--- /dev/null
+++ b/bin/tests/system/geoip2/prereq.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$FEATURETEST --have-geoip2 || {
+	echo_i "This test requires GeoIP support." >&2
+	exit 255
+}
+exit 0
diff --git a/bin/tests/system/geoip2/setup.sh b/bin/tests/system/geoip2/setup.sh
new file mode 100644
index 0000000..22d3c46
--- /dev/null
+++ b/bin/tests/system/geoip2/setup.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+
+copy_setports ns2/named1.conf.in ns2/named.conf
+
+for i in 1 2 3 4 5 6 7 other bogus; do
+        cp ns2/example.db.in ns2/example${i}.db
+        echo "@ IN TXT \"$i\"" >> ns2/example$i.db
+done
diff --git a/bin/tests/system/geoip2/tests.sh b/bin/tests/system/geoip2/tests.sh
new file mode 100644
index 0000000..77b6f93
--- /dev/null
+++ b/bin/tests/system/geoip2/tests.sh
@@ -0,0 +1,489 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=0
+
+rm -f dig.out.*
+
+DIGOPTS="+tcp +short -p ${PORT} @10.53.0.2"
+DIGOPTS6="+tcp +short -p ${PORT} @fd92:7065:b8e:ffff::2 -6"
+RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
+
+for conf in conf/good*.conf
+do
+	n=`expr $n + 1`
+	echo_i "checking that $conf is accepted ($n)"
+	ret=0
+	$CHECKCONF "$conf" || ret=1
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=`expr $status + $ret`
+done
+
+for conf in conf/bad*.conf
+do
+	n=`expr $n + 1`
+	echo_i "checking that $conf is rejected ($n)"
+	ret=0
+	$CHECKCONF "$conf" >/dev/null && ret=1
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=`expr $status + $ret`
+done
+
+n=`expr $n + 1`
+echo_i "checking Country database by code using IPv4 ($n)"
+ret=0
+lret=0
+for i in 1 2 3 4 5 6 7; do
+    $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
+    j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
+    [ "$i" = "$j" ] || lret=1
+    [ $lret -eq 1 ] && break
+done
+[ $lret -eq 1 ] && ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+if testsock6 fd92:7065:b8e:ffff::3
+then
+  n=`expr $n + 1`
+  echo_i "checking Country database by code using IPv6 ($n)"
+  ret=0
+  lret=0
+  for i in 1 2 3 4 5 6 7; do
+    $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
+    j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
+    [ "$i" = "$j" ] || lret=1
+    [ $lret -eq 1 ] && break
+  done
+  [ $lret -eq 1 ] && ret=1
+  [ $ret -eq 0 ] || echo_i "failed"
+  status=`expr $status + $ret`
+else
+  echo_i "IPv6 unavailable; skipping IPv6 country code test"
+fi
+
+echo_i "reloading server"
+copy_setports ns2/named2.conf.in ns2/named.conf
+$CHECKCONF ns2/named.conf | cat_i
+rndc_reload ns2 10.53.0.2
+sleep 3
+
+n=`expr $n + 1`
+echo_i "checking Country database with nested ACLs using IPv4 ($n)"
+ret=0
+lret=0
+for i in 1 2 3 4 5 6 7; do
+    $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
+    j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
+    [ "$i" = "$j" ] || lret=1
+    [ $lret -eq 1 ] && break
+done
+[ $lret -eq 1 ] && ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+if testsock6 fd92:7065:b8e:ffff::3
+then
+  n=`expr $n + 1`
+  echo_i "checking Country database with nested ACLs using IPv6 ($n)"
+  ret=0
+  lret=0
+  for i in 1 2 3 4 5 6 7; do
+    $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
+      j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
+      [ "$i" = "$j" ] || lret=1
+      [ $lret -eq 1 ] && break
+  done
+  [ $lret -eq 1 ] && ret=1
+  [ $ret -eq 0 ] || echo_i "failed"
+  status=`expr $status + $ret`
+else
+  echo_i "IPv6 unavailable; skipping IPv6 country nested ACL test"
+fi
+
+echo_i "reloading server"
+copy_setports ns2/named3.conf.in ns2/named.conf
+$CHECKCONF ns2/named.conf | cat_i
+rndc_reload ns2 10.53.0.2
+sleep 3
+
+n=`expr $n + 1`
+echo_i "checking Country database by name using IPv4 ($n)"
+ret=0
+lret=0
+for i in 1 2 3 4 5 6 7; do
+    $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
+    j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
+    [ "$i" = "$j" ] || lret=1
+    [ $lret -eq 1 ] && break
+done
+[ $lret -eq 1 ] && ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+if testsock6 fd92:7065:b8e:ffff::3
+then
+  n=`expr $n + 1`
+  echo_i "checking Country database by name using IPv6 ($n)"
+  ret=0
+  lret=0
+  for i in 1 2 3 4 5 6 7; do
+    $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
+    j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
+    [ "$i" = "$j" ] || lret=1
+    [ $lret -eq 1 ] && break
+  done
+  [ $lret -eq 1 ] && ret=1
+  [ $ret -eq 0 ] || echo_i "failed"
+  status=`expr $status + $ret`
+else
+  echo_i "IPv6 unavailable; skipping IPv6 country name test"
+fi
+
+echo_i "reloading server"
+copy_setports ns2/named4.conf.in ns2/named.conf
+$CHECKCONF ns2/named.conf | cat_i
+rndc_reload ns2 10.53.0.2
+sleep 3
+
+n=`expr $n + 1`
+echo_i "checking Country database by continent code using IPv4 ($n)"
+ret=0
+lret=0
+# deliberately skipping 4 and 6 as they have duplicate continents
+for i in 1 2 3 5 7; do
+    $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
+    j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
+    [ "$i" = "$j" ] || lret=1
+    [ $lret -eq 1 ] && break
+done
+[ $lret -eq 1 ] && ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+if testsock6 fd92:7065:b8e:ffff::3
+then
+  n=`expr $n + 1`
+  echo_i "checking Country database by continent code using IPv6 ($n)"
+  ret=0
+  lret=0
+  # deliberately skipping 4 and 6 as they have duplicate continents
+  for i in 1 2 3 5 7; do
+    $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
+    j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
+    [ "$i" = "$j" ] || lret=1
+    [ $lret -eq 1 ] && break
+  done
+  [ $lret -eq 1 ] && ret=1
+  [ $ret -eq 0 ] || echo_i "failed"
+  status=`expr $status + $ret`
+else
+  echo_i "IPv6 unavailable; skipping IPv6 continent code test"
+fi
+
+echo_i "reloading server"
+copy_setports ns2/named5.conf.in ns2/named.conf
+$CHECKCONF ns2/named.conf | cat_i
+rndc_reload ns2 10.53.0.2
+sleep 3
+
+n=`expr $n + 1`
+echo_i "checking City database by region code using IPv4 ($n)"
+ret=0
+lret=0
+# skipping 2 on purpose here; it has the same region code as 1
+for i in 1 3 4 5 6 7; do
+    $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
+    j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
+    [ "$i" = "$j" ] || lret=1
+    [ $lret -eq 1 ] && break
+done
+[ $lret -eq 1 ] && ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+if testsock6 fd92:7065:b8e:ffff::3
+then
+  n=`expr $n + 1`
+  echo_i "checking City database by region code using IPv6 ($n)"
+  ret=0
+  lret=0
+# skipping 2 on purpose here; it has the same region code as 1
+  for i in 1 3 4 5 6 7; do
+    $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
+    j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
+    [ "$i" = "$j" ] || lret=1
+    [ $lret -eq 1 ] && break
+  done
+  [ $lret -eq 1 ] && ret=1
+  [ $ret -eq 0 ] || echo_i "failed"
+  status=`expr $status + $ret`
+else
+  echo_i "IPv6 unavailable; skipping IPv6 region code test"
+fi
+
+n=`expr $n + 1`
+echo_i "reloading server"
+copy_setports ns2/named6.conf.in ns2/named.conf
+$CHECKCONF ns2/named.conf | cat_i
+rndc_reload ns2 10.53.0.2
+sleep 3
+
+n=`expr $n + 1`
+echo_i "checking City database by city name using IPv4 ($n)"
+ret=0
+lret=0
+for i in 1 2 3 4 5 6 7; do
+    $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
+    j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
+    [ "$i" = "$j" ] || lret=1
+    [ $lret -eq 1 ] && break
+done
+[ $lret -eq 1 ] && ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+if testsock6 fd92:7065:b8e:ffff::3
+then
+  n=`expr $n + 1`
+  echo_i "checking City database by city name using IPv6 ($n)"
+  ret=0
+  lret=0
+  for i in 1 2 3 4 5 6 7; do
+    $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
+    j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
+    [ "$i" = "$j" ] || lret=1
+    [ $lret -eq 1 ] && break
+  done
+  [ $lret -eq 1 ] && ret=1
+  [ $ret -eq 0 ] || echo_i "failed"
+  status=`expr $status + $ret`
+else
+  echo_i "IPv6 unavailable; skipping IPv6 city test"
+fi
+
+echo_i "reloading server"
+copy_setports ns2/named7.conf.in ns2/named.conf
+$CHECKCONF ns2/named.conf | cat_i
+rndc_reload ns2 10.53.0.2
+sleep 3
+
+n=`expr $n + 1`
+echo_i "checking ISP database using IPv4 ($n)"
+ret=0
+lret=0
+for i in 1 2 3 4 5 6 7; do
+    $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
+    j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
+    [ "$i" = "$j" ] || lret=1
+    [ $lret -eq 1 ] && break
+done
+[ $lret -eq 1 ] && ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+if testsock6 fd92:7065:b8e:ffff::3
+then
+  n=`expr $n + 1`
+  echo_i "checking ISP database using IPv6 ($n)"
+  ret=0
+  lret=0
+  for i in 1 2 3 4 5 6 7; do
+    $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
+      j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
+      [ "$i" = "$j" ] || lret=1
+      [ $lret -eq 1 ] && break
+  done
+  [ $lret -eq 1 ] && ret=1
+  [ $ret -eq 0 ] || echo_i "failed"
+  status=`expr $status + $ret`
+else
+  echo_i "IPv6 unavailable; skipping IPv6 ISP test"
+fi
+
+echo_i "reloading server"
+copy_setports ns2/named8.conf.in ns2/named.conf
+$CHECKCONF ns2/named.conf | cat_i
+rndc_reload ns2 10.53.0.2
+sleep 3
+
+n=`expr $n + 1`
+echo_i "checking ASN database by org name using IPv4 ($n)"
+ret=0
+lret=0
+for i in 1 2 3 4 5 6 7; do
+    $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
+    j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
+    [ "$i" = "$j" ] || lret=1
+    [ $lret -eq 1 ] && break
+done
+[ $lret -eq 1 ] && ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+if testsock6 fd92:7065:b8e:ffff::3
+then
+  n=`expr $n + 1`
+  echo_i "checking ASN database by org name using IPv6 ($n)"
+  ret=0
+  lret=0
+  for i in 1 2 3 4 5 6 7; do
+    $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
+      j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
+      [ "$i" = "$j" ] || lret=1
+      [ $lret -eq 1 ] && break
+  done
+  [ $lret -eq 1 ] && ret=1
+  [ $ret -eq 0 ] || echo_i "failed"
+  status=`expr $status + $ret`
+else
+  echo_i "IPv6 unavailable; skipping IPv6 ASN test"
+fi
+
+echo_i "reloading server"
+copy_setports ns2/named9.conf.in ns2/named.conf
+$CHECKCONF ns2/named.conf | cat_i
+rndc_reload ns2 10.53.0.2
+sleep 3
+
+n=`expr $n + 1`
+echo_i "checking GeoIP6 ASN database, ASNNNN only, using IPv4 ($n)"
+ret=0
+lret=0
+for i in 1 2 3 4 5 6 7; do
+    $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
+    j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
+    [ "$i" = "$j" ] || lret=1
+    [ $lret -eq 1 ] && break
+done
+[ $lret -eq 1 ] && ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+if testsock6 fd92:7065:b8e:ffff::3
+then
+  n=`expr $n + 1`
+  echo_i "checking ASN database, ASNNNN only, using IPv6 ($n)"
+  ret=0
+  lret=0
+  for i in 1 2 3 4 5 6 7; do
+    $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
+      j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
+      [ "$i" = "$j" ] || lret=1
+      [ $lret -eq 1 ] && break
+  done
+  [ $lret -eq 1 ] && ret=1
+  [ $ret -eq 0 ] || echo_i "failed"
+  status=`expr $status + $ret`
+else
+  echo_i "IPv6 unavailable; skipping IPv6 ASN test"
+fi
+
+echo_i "reloading server"
+copy_setports ns2/named10.conf.in ns2/named.conf
+$CHECKCONF ns2/named.conf | cat_i
+rndc_reload ns2 10.53.0.2
+sleep 3
+
+n=`expr $n + 1`
+echo_i "checking GeoIP6 ASN database, NNNN only, using IPv4 ($n)"
+ret=0
+lret=0
+for i in 1 2 3 4 5 6 7; do
+    $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
+    j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
+    [ "$i" = "$j" ] || lret=1
+    [ $lret -eq 1 ] && break
+done
+[ $lret -eq 1 ] && ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+if testsock6 fd92:7065:b8e:ffff::3
+then
+  n=`expr $n + 1`
+  echo_i "checking ASN database, NNNN only, using IPv6 ($n)"
+  ret=0
+  lret=0
+  for i in 1 2 3 4 5 6 7; do
+    $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
+      j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
+      [ "$i" = "$j" ] || lret=1
+      [ $lret -eq 1 ] && break
+  done
+  [ $lret -eq 1 ] && ret=1
+  [ $ret -eq 0 ] || echo_i "failed"
+  status=`expr $status + $ret`
+else
+  echo_i "IPv6 unavailable; skipping IPv6 ASN test"
+fi
+
+echo_i "reloading server"
+copy_setports ns2/named11.conf.in ns2/named.conf
+$CHECKCONF ns2/named.conf | cat_i
+rndc_reload ns2 10.53.0.2
+sleep 3
+
+n=`expr $n + 1`
+echo_i "checking Domain database using IPv4 ($n)"
+ret=0
+lret=0
+for i in 1 2 3 4 5 6 7; do
+    $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
+    j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
+    [ "$i" = "$j" ] || lret=1
+    [ $lret -eq 1 ] && break
+done
+[ $lret -eq 1 ] && ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+if testsock6 fd92:7065:b8e:ffff::3
+then
+  n=`expr $n + 1`
+  echo_i "checking Domain database using IPv6 ($n)"
+  ret=0
+  lret=0
+  for i in 1 2 3 4 5 6 7; do
+    $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1
+      j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
+      [ "$i" = "$j" ] || lret=1
+      [ $lret -eq 1 ] && break
+  done
+  [ $lret -eq 1 ] && ret=1
+  [ $ret -eq 0 ] || echo_i "failed"
+  status=`expr $status + $ret`
+else
+  echo_i "IPv6 unavailable; skipping IPv6 Domain test"
+fi
+
+echo_i "reloading server"
+copy_setports ns2/named12.conf.in ns2/named.conf
+$CHECKCONF ns2/named.conf | cat_i
+rndc_reload ns2 10.53.0.2
+sleep 3
+
+n=`expr $n + 1`
+echo_i "checking geoip blackhole ACL ($n)"
+ret=0
+$DIG $DIGOPTS txt example -b 10.53.0.7 > dig.out.ns2.test$n || ret=1
+$RNDCCMD 10.53.0.2 status 2>&1 > rndc.out.ns2.test$n || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/get_algorithms.py b/bin/tests/system/get_algorithms.py
new file mode 100755
index 0000000..529487a
--- /dev/null
+++ b/bin/tests/system/get_algorithms.py
@@ -0,0 +1,243 @@
+#!/usr/bin/python3
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# This script is a 'port' broker.  It keeps track of ports given to the
+# individual system subtests, so every test is given a unique port range.
+
+import logging
+import os
+from pathlib import Path
+import platform
+import random
+import subprocess
+import time
+from typing import Dict, List, NamedTuple, Union
+
+# Uncomment to enable DEBUG logging
+# logging.basicConfig(
+#     format="get_algorithms.py %(levelname)s %(message)s", level=logging.DEBUG
+# )
+
+STABLE_PERIOD = 3600 * 3
+"""number of secs during which algorithm selection remains stable"""
+
+
+class Algorithm(NamedTuple):
+    name: str
+    number: int
+    bits: int
+
+
+class AlgorithmSet(NamedTuple):
+    """Collection of DEFAULT, ALTERNATIVE and DISABLED algorithms"""
+
+    default: Union[Algorithm, List[Algorithm]]
+    """DEFAULT is the algorithm for testing."""
+
+    alternative: Union[Algorithm, List[Algorithm]]
+    """ALTERNATIVE is an alternative algorithm for test cases that require more
+    than one algorithm (for example algorithm rollover)."""
+
+    disabled: Union[Algorithm, List[Algorithm]]
+    """DISABLED is an algorithm that is used for tests against the
+    "disable-algorithms" configuration option."""
+
+
+RSASHA1 = Algorithm("RSASHA1", 5, 1280)
+RSASHA256 = Algorithm("RSASHA256", 8, 1280)
+RSASHA512 = Algorithm("RSASHA512", 10, 1280)
+ECDSAP256SHA256 = Algorithm("ECDSAP256SHA256", 13, 256)
+ECDSAP384SHA384 = Algorithm("ECDSAP384SHA384", 14, 384)
+ED25519 = Algorithm("ED25519", 15, 256)
+ED448 = Algorithm("ED448", 16, 456)
+
+ALL_ALGORITHMS = [
+    RSASHA1,
+    RSASHA256,
+    RSASHA512,
+    ECDSAP256SHA256,
+    ECDSAP384SHA384,
+    ED25519,
+    ED448,
+]
+
+ALGORITHM_SETS = {
+    "stable": AlgorithmSet(
+        default=ECDSAP256SHA256, alternative=RSASHA256, disabled=ECDSAP384SHA384
+    ),
+    "ecc_default": AlgorithmSet(
+        default=[
+            ECDSAP256SHA256,
+            ECDSAP384SHA384,
+            ED25519,
+            ED448,
+        ],
+        alternative=RSASHA256,
+        disabled=RSASHA512,
+    ),
+    # FUTURE The system tests needs more work before they're ready for this.
+    # "random": AlgorithmSet(
+    #     default=ALL_ALGORITHMS,
+    #     alternative=ALL_ALGORITHMS,
+    #     disabled=ALL_ALGORITHMS,
+    # ),
+}
+
+TESTCRYPTO = Path(__file__).resolve().parent / "testcrypto.sh"
+
+KEYGEN = os.getenv("KEYGEN", "")
+if not KEYGEN:
+    raise RuntimeError("KEYGEN environment variable has to be set")
+
+ALGORITHM_SET = os.getenv("ALGORITHM_SET", "stable")
+assert ALGORITHM_SET in ALGORITHM_SETS, f'ALGORITHM_SET "{ALGORITHM_SET}" unknown'
+logging.debug('choosing from ALGORITHM_SET "%s"', ALGORITHM_SET)
+
+
+def is_supported(alg: Algorithm) -> bool:
+    """Test whether a given algorithm is supported on the current platform."""
+    try:
+        subprocess.run(
+            f"{TESTCRYPTO} -q {alg.name}",
+            shell=True,
+            check=True,
+            env={
+                "KEYGEN": KEYGEN,
+                "TMPDIR": os.getenv("TMPDIR", "/tmp"),
+            },
+            stdout=subprocess.DEVNULL,
+        )
+    except subprocess.CalledProcessError as exc:
+        logging.debug(exc)
+        logging.info("algorithm %s not supported", alg.name)
+        return False
+    return True
+
+
+def filter_supported(algs: AlgorithmSet) -> AlgorithmSet:
+    """Select supported algorithms from the set."""
+    filtered = {}
+    for alg_type in algs._fields:
+        candidates = getattr(algs, alg_type)
+        if isinstance(candidates, Algorithm):
+            candidates = [candidates]
+        supported = list(filter(is_supported, candidates))
+        if len(supported) == 1:
+            supported = supported.pop()
+        elif not supported:
+            raise RuntimeError(
+                f'no {alg_type.upper()} algorithm from "{ALGORITHM_SET}" set '
+                "supported on this platform"
+            )
+        filtered[alg_type] = supported
+    return AlgorithmSet(**filtered)
+
+
+def select_random(algs: AlgorithmSet, stable_period=STABLE_PERIOD) -> AlgorithmSet:
+    """Select random DEFAULT, ALTERNATIVE and DISABLED algorithms from the set.
+
+    The algorithm selection is deterministic for a given time period and
+    platform. This should make potential issues more reproducible.
+
+    To increase the likelyhood of detecting an issue with a given algorithm in
+    CI, the current platform is used as a randomness source. When testing on
+    multiple platforms at the same time, this ensures more algorithm variance
+    while keeping reproducibility for a single platform.
+
+    The function also ensures that DEFAULT, ALTERNATIVE and DISABLED algorithms
+    are all different.
+    """
+    # FUTURE Random selection of ALTERNATIVE and DISABLED algorithms needs to
+    # be implemented.
+    alternative = algs.alternative
+    disabled = algs.disabled
+    assert isinstance(
+        alternative, Algorithm
+    ), "ALTERNATIVE algorithm randomization not supported yet"
+    assert isinstance(
+        disabled, Algorithm
+    ), "DISABLED algorithm randomization not supported yet"
+
+    # initialize randomness
+    now = time.time()
+    time_seed = int(now - now % stable_period)
+    seed = f"{platform.platform()}_{time_seed}"
+    random.seed(seed)
+
+    # DEFAULT selection
+    if isinstance(algs.default, Algorithm):
+        default = algs.default
+    else:
+        candidates = algs.default
+        for taken in [alternative, disabled]:
+            try:
+                candidates.remove(taken)
+            except ValueError:
+                pass
+        assert len(candidates), "no possible choice for DEFAULT algorithm"
+        random.shuffle(candidates)
+        default = candidates[0]
+
+    # Ensure only single algorithm is present for each option
+    assert isinstance(default, Algorithm)
+    assert isinstance(alternative, Algorithm)
+    assert isinstance(disabled, Algorithm)
+
+    assert default != alternative, "DEFAULT and ALTERNATIVE algorithms are the same"
+    assert default != disabled, "DEFAULT and DISABLED algorithms are the same"
+    assert alternative != disabled, "ALTERNATIVE and DISABLED algorithms are the same"
+
+    return AlgorithmSet(default, alternative, disabled)
+
+
+def algorithms_env(algs: AlgorithmSet) -> Dict[str, str]:
+    """Return environment variables with selected algorithms as a dict."""
+    algs_env: Dict[str, str] = {}
+
+    def set_alg_env(alg: Algorithm, prefix):
+        algs_env[f"{prefix}_ALGORITHM"] = alg.name
+        algs_env[f"{prefix}_ALGORITHM_NUMBER"] = str(alg.number)
+        algs_env[f"{prefix}_BITS"] = str(alg.bits)
+
+    assert isinstance(algs.default, Algorithm)
+    assert isinstance(algs.alternative, Algorithm)
+    assert isinstance(algs.disabled, Algorithm)
+
+    set_alg_env(algs.default, "DEFAULT")
+    set_alg_env(algs.alternative, "ALTERNATIVE")
+    set_alg_env(algs.disabled, "DISABLED")
+
+    logging.info("selected algorithms: %s", algs_env)
+    return algs_env
+
+
+def main():
+    disable_checking = int(os.getenv("DISABLE_ALGORITHM_SUPPORT_CHECKING", "0"))
+    try:
+        algs = ALGORITHM_SETS[ALGORITHM_SET]
+        if not disable_checking:
+            algs = filter_supported(algs)
+        algs = select_random(algs)
+        algs_env = algorithms_env(algs)
+    except Exception:
+        # if anything goes wrong, the conf.sh ignores error codes, so make sure
+        # we set an environment variable to an error value that can be checked
+        # later by run.sh
+        print("export ALGORITHM_SET=error")
+        raise
+    for name, value in algs_env.items():
+        print(f"export {name}={value}")
+
+
+if __name__ == "__main__":
+    main()
diff --git a/bin/tests/system/glue/clean.sh b/bin/tests/system/glue/clean.sh
new file mode 100644
index 0000000..4d84f06
--- /dev/null
+++ b/bin/tests/system/glue/clean.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Clean up after glue tests.
+#
+
+rm -f dig.out
+rm -f */named.conf
+rm -f */named.memstats
+rm -f */named.run
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/glue/fi.good b/bin/tests/system/glue/fi.good
new file mode 100644
index 0000000..a08bc7a
--- /dev/null
+++ b/bin/tests/system/glue/fi.good
@@ -0,0 +1,27 @@
+
+; <<>> DiG 9.0 <<>> +norec @10.53.0.1 -p 5300 foo.bar.fi. A
+;; global options:  printcmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58772
+;; flags: qr ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 7
+
+;; QUESTION SECTION:
+;foo.bar.fi.			IN	A
+
+;; AUTHORITY SECTION:
+fi.			172800	IN	NS	NS.EU.NET.
+fi.			172800	IN	NS	NS.TELE.fi.
+fi.			172800	IN	NS	PRIFI.EUNET.fi.
+fi.			172800	IN	NS	NS.UU.NET.
+fi.			172800	IN	NS	T.NS.VERIO.NET.
+fi.			172800	IN	NS	HYDRA.HELSINKI.fi.
+
+;; ADDITIONAL SECTION:
+NS.TELE.fi.		172800	IN	A	193.210.19.19
+NS.TELE.fi.		172800	IN	A	193.210.18.18
+PRIFI.EUNET.fi.		172800	IN	A	193.66.1.146
+NS.UU.NET.		172800	IN	A	137.39.1.3
+T.NS.VERIO.NET.		172800	IN	A	192.67.14.16
+HYDRA.HELSINKI.fi.	172800	IN	A	128.214.4.29
+NS.EU.NET.		172800	IN	A	192.16.202.11
+
diff --git a/bin/tests/system/glue/noglue.good b/bin/tests/system/glue/noglue.good
new file mode 100644
index 0000000..22eca7b
--- /dev/null
+++ b/bin/tests/system/glue/noglue.good
@@ -0,0 +1,14 @@
+
+; <<>> DiG 9.0 <<>> @10.53.0.1 -p 5300 example.net a
+;; global options:  printcmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29409
+;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
+
+;; QUESTION SECTION:
+;example.net.			IN	A
+
+;; AUTHORITY SECTION:
+example.net.		300	IN	NS	ns2.example.
+example.net.		300	IN	NS	ns1.example.
+
diff --git a/bin/tests/system/glue/ns1/named.conf.in b/bin/tests/system/glue/ns1/named.conf.in
new file mode 100644
index 0000000..4d1ef75
--- /dev/null
+++ b/bin/tests/system/glue/ns1/named.conf.in
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify no;
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
+
+zone "root-servers.nil" {
+	type primary;
+	file "root-servers.nil.db";
+};
+zone "net" {
+	type primary;
+	file "net.db";
+};
diff --git a/bin/tests/system/glue/ns1/net.db b/bin/tests/system/glue/ns1/net.db
new file mode 100644
index 0000000..db784cc
--- /dev/null
+++ b/bin/tests/system/glue/ns1/net.db
@@ -0,0 +1,34 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN net.
+$TTL 300
+@ 			IN SOA	gson.nominum.com. a.root.servers.nil. (
+				2000042100   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+@			NS	a.root-servers.nil.
+
+; FI. authoritative servers, for the FI. glue test.
+uu.net.			NS	ns.uu.net.
+NS.UU.NET.		172800	IN	A	137.39.1.3
+eu.net.			NS	ns.eu.net.
+NS.EU.NET.		172800	IN	A	192.16.202.11
+
+; Referral outside of server authority, but with glue records present.
+; Don't hand out the glue.
+example.net.			NS	ns1.example.
+example.net.			NS	ns2.example.
+ns1.example.		172800	IN	A	1.1.1.1
+ns2.example.		172800	IN	A	2.2.2.2
diff --git a/bin/tests/system/glue/ns1/root-servers.nil.db b/bin/tests/system/glue/ns1/root-servers.nil.db
new file mode 100644
index 0000000..1475aed
--- /dev/null
+++ b/bin/tests/system/glue/ns1/root-servers.nil.db
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@			IN SOA	ns hostmaster (
+				1
+				3600
+				1800
+				1814400
+				3600
+				)
+			NS	a
+a			A	10.53.0.1
+b			A	10.53.0.2
+
+
+
diff --git a/bin/tests/system/glue/ns1/root.db b/bin/tests/system/glue/ns1/root.db
new file mode 100644
index 0000000..debdf01
--- /dev/null
+++ b/bin/tests/system/glue/ns1/root.db
@@ -0,0 +1,44 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. 			IN SOA	gson.nominum.com. a.root.servers.nil. (
+				2000042100   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+.			NS	a.root-servers.nil.
+
+root-servers.nil.	NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+
+; Delegate some domains that contain name servers for the sample
+; ccTLDs below.
+net.			172800	IN	NS	a.root-servers.nil.
+
+;
+; A sample ccTLD
+;
+fi.			172800	IN	NS	NS.TELE.fi.
+fi.			172800	IN	NS	PRIFI.EUNET.fi.
+fi.			172800	IN	NS	NS.UU.NET.
+fi.			172800	IN	NS	T.NS.VERIO.NET.
+fi.			172800	IN	NS	HYDRA.HELSINKI.fi.
+fi.			172800	IN	NS	NS.EU.NET.
+NS.TELE.fi.		172800	IN	A	193.210.18.18
+NS.TELE.fi.		172800	IN	A	193.210.19.19
+PRIFI.EUNET.fi.		172800	IN	A	193.66.1.146
+NS.UU.NET.		172800	IN	A	137.39.1.3
+T.NS.VERIO.NET.		172800	IN	A	192.67.14.16
+HYDRA.HELSINKI.fi.	172800	IN	A	128.214.4.29
+NS.EU.NET.		172800	IN	A	192.16.202.11
diff --git a/bin/tests/system/glue/setup.sh b/bin/tests/system/glue/setup.sh
new file mode 100644
index 0000000..e46affa
--- /dev/null
+++ b/bin/tests/system/glue/setup.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
diff --git a/bin/tests/system/glue/tests.sh b/bin/tests/system/glue/tests.sh
new file mode 100644
index 0000000..c122c5e
--- /dev/null
+++ b/bin/tests/system/glue/tests.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+#
+# Do glue tests.
+#
+
+DIGOPTS="+norec -p ${PORT}"
+
+status=0
+
+echo_i "testing that a ccTLD referral gets a full glue set from the root zone"
+$DIG $DIGOPTS @10.53.0.1 foo.bar.fi. A >dig.out || status=1
+digcomp --lc fi.good dig.out || status=1
+
+echo_i "testing that we don't find out-of-zone glue"
+$DIG $DIGOPTS @10.53.0.1 example.net. a > dig.out || status=1
+digcomp noglue.good dig.out || status=1
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/idna/clean.sh b/bin/tests/system/idna/clean.sh
new file mode 100644
index 0000000..f99ecb5
--- /dev/null
+++ b/bin/tests/system/idna/clean.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f */named.memstats
+rm -f */named.run
+rm -f */named.conf
+rm -f dig.out.*
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/idna/ns1/named.conf.in b/bin/tests/system/idna/ns1/named.conf.in
new file mode 100644
index 0000000..df552bd
--- /dev/null
+++ b/bin/tests/system/idna/ns1/named.conf.in
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+options {
+	query-source address 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { fd92:7065:b8e:ffff::1; };
+	recursion no;
+	notify yes;
+	dnssec-validation no;
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
diff --git a/bin/tests/system/idna/ns1/root.db b/bin/tests/system/idna/ns1/root.db
new file mode 100644
index 0000000..b43cc40
--- /dev/null
+++ b/bin/tests/system/idna/ns1/root.db
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. 			IN SOA	gson.nominum.com. a.root.servers.nil. (
+				2000042100   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+a.root-servers.nil.	AAAA	fd92:7065:b8e:ffff::1
+
+example.		NS	ns2.example.
+ns2.example.		A	10.53.0.2
+ns2.example.		AAAA	fd92:7065:b8e:ffff::2
diff --git a/bin/tests/system/idna/setup.sh b/bin/tests/system/idna/setup.sh
new file mode 100644
index 0000000..1dc06c2
--- /dev/null
+++ b/bin/tests/system/idna/setup.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+copy_setports ns1/named.conf.in ns1/named.conf
diff --git a/bin/tests/system/idna/tests.sh b/bin/tests/system/idna/tests.sh
new file mode 100644
index 0000000..e38736e
--- /dev/null
+++ b/bin/tests/system/idna/tests.sh
@@ -0,0 +1,378 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+# Set known locale for the tests
+
+if locale -a | grep -qE "^C\\.(UTF-8|utf8)"; then
+    LC_ALL="C.UTF-8"
+elif locale -a | grep -qE "^en_US\\.(UTF-8|utf8)"; then
+    LC_ALL="en_US.UTF-8"
+fi
+export LC_ALL
+
+# This set of tests check the behavior of the IDNA options in "dig".
+#
+# "dig" supports two IDNA-related options:
+#
+# +[no]idnin -  Translates a domain name into punycode format before sending
+#               the query to the server.
+#
+#               Should the input name be a punycode name, "dig +idnin" will also
+#               validate the punycode, rejecting it if it is invalid.
+#
+# +[no]idnout - Translates the received punycode domain names into appropriate
+#               unicode characters before displaying.
+#
+# The tests run "dig" against an authoritative server configured with a minimal
+# root zone and nothing else.  As a result, all queries will result in an
+# NXDOMAIN.  The server will return the qname sent, which "dig" will display
+# according to the options selected.  This returned string is compared with
+# the qname originally sent.
+#
+# In the comments below, the following nomenclature (taken from RFC 5890) is
+# used:
+#
+# A-label: Label comprising ASCII characters that starts xn-- and whose
+#          characters after the xn-- are a valid output of the Punycode
+#          algorithm.
+#
+# Fake A-label: An A-label whose characters after the xn-- are not valid
+#          Punycode output.
+#
+# U-label: Unicode (native character) form of a label.
+#
+# For the purpose of this test script, U-labels do not include labels that
+# comprise purely ASCII characters, which are referred to as "ASCII-labels"
+# here. Valid ASCII-labels comprise letters, digits and hyphens and do not
+# start with a hyphen.
+#
+# References:
+# 1. http://www.unicode.org/reports/tr46/#Deviations
+# 2. http://www.unicode.org/reports/tr46/#IDNAComparison
+
+# Using dig insecure mode as we are not testing DNSSEC here
+DIGCMD="$DIG -i -p ${PORT} @10.53.0.1"
+
+# Initialize test count and status return
+n=0
+status=0
+
+
+# Function for extracting the qname from the response
+#
+# This is the first field in the line after the line starting
+# ";; QUESTION SECTION:".
+#
+# The string returned includes the trailing period.
+
+qname() {
+    awk 'BEGIN { qs = 0; } \
+        /;; QUESTION SECTION:/ { qs = 1; next; } \
+        qs == 1 {sub(";", "", $1) ; print $1; exit 0; }' \
+        $1
+}
+
+# Function for performing a test where "dig" is expected to succeed.
+#
+#   $1 - Description of the test
+#   $2 - Dig command additional options
+#   $3 - Name being queried
+#   $4 - The name that is expected to be displayed by "dig".  Note that names
+#        displayed by "dig" will always have a trailing period, so this
+#        parameter should have that period as well.
+
+idna_test() {
+    n=`expr $n + 1`
+    description=$1
+    if [ "$2" != "" ]; then
+        description="${description}: $2"
+    fi
+    echo_i "$description ($n)"
+
+    ret=0
+    $DIGCMD $2 $3 > dig.out.$n 2>&1
+    if [ $? -ne 0 ]; then
+        echo_i "failed: dig command returned non-zero status"
+        ret=1
+    else
+        actual=`qname dig.out.$n`
+        if [ "$4" != "$actual" ]; then
+            echo_i "failed: expected answer $4, actual result $actual"
+            ret=1
+        fi
+    fi
+    status=`expr $status + $ret`
+}
+
+# Function for performing a test where "dig" is expected to fail
+#
+#   $1 - Description of the test
+#   $2 - Dig command additional options
+#   $3 - Name being queried
+
+idna_fail() {
+    n=`expr $n + 1`
+    description=$1
+    if [ "$2" != "" ]; then
+        description="${description}: $2"
+    fi
+    echo_i "$description ($n)"
+
+    ret=0
+    $DIGCMD $2 $3 > dig.out.$n 2>&1
+    if [ $? -eq 0 ]; then
+        echo_i "failed: dig command unexpectedly succeeded"
+        ret=1
+    fi
+    status=`expr $status + $ret`
+}
+
+# Function to check that case is preserved for an all-ASCII label.
+#
+# Without IDNA support, case-preservation is the expected behavior.
+#
+# With IDNA support... not really.  IDNA maps uppercase ASCII characters to
+# their lower-case equivalent.  When IDNA support in "dig" was updated to
+# non-transitional IDNA 2008, the switch "+idnin" was added and made the default
+# behaviour. This meant that the command "dig LocalhosT" (no command switches)
+# sends the qname "localhost", a change in behavior from earlier versions.
+#
+# This was felt to be confusing to the significant number of users who are
+# not interested in IDNA. For this reason, after "dig" passes the input qname
+# through the IDNA conversion, is does a case-insensitive comparison with the
+# result.  If the two are the same, "dig" can conclude that the qname is
+# entirely ASCII and is uses the entered string instead of the converted string
+# as the qname.
+
+ascii_case_preservation_test() {
+    text="Checking valid ASCII label"
+    idna_test "$text" ""                   LocalhosT LocalhosT.
+    idna_test "$text" "+noidnin +noidnout" LocalhosT LocalhosT.
+    idna_test "$text" "+noidnin +idnout"   LocalhosT LocalhosT.
+    idna_test "$text" "+idnin   +noidnout" LocalhosT LocalhosT.
+    idna_test "$text" "+idnin   +idnout"   LocalhosT LocalhosT.
+}
+
+# Function to perform the tests if IDNA is enabled.
+
+idna_enabled_test() {
+    echo_i "IDNA is enabled, all IDNA tests will be performed"
+    # Check that case is preserved on an ASCII label.
+
+    ascii_case_preservation_test
+
+
+    # Test of a valid U-label
+    #
+    # +noidnin +noidnout: The label is sent as a unicode octet stream and dig
+    #                     will display the string in the \nnn format.
+    # +noidnin +idnout:   As for the previous case.
+    # +idnin   +noidnout: The label is converted to the xn-- format.  "dig"
+    #                     displays the returned xn-- text.
+    # +idnin   +idnout:   The label is converted to the xn-- format.  "dig"
+    #                     converts the returned xn-- string back to the original
+    #                     unicode text.
+    #
+    # Note that ASCII characters are converted to lower-case.
+
+    text="Checking valid non-ASCII label"
+    idna_test "$text" ""                   "München" "M\195\188nchen."
+    idna_test "$text" "+noidnin +noidnout" "München" "M\195\188nchen."
+    idna_test "$text" "+noidnin +idnout"   "München" "M\195\188nchen."
+    idna_test "$text" "+idnin   +noidnout" "München" "xn--mnchen-3ya."
+    idna_test "$text" "+idnin   +idnout"   "München" "münchen."
+
+
+    # Tests of transitional processing of a valid U-label
+    #
+    # IDNA2003 introduced national character sets but, unfortunately, didn't
+    # support several characters properly.  One of those was the German
+    # character "ß" (the "Eszett" or "sharp s"), which was interpreted as "ss".
+    # So the domain “faß.de� domain (for example) was processed as “fass.de�.
+    #
+    # This was corrected in IDNA2008, although some vendors that adopted this
+    # standard chose to keep the existing IDNA2003 translation for this
+    # character to prevent problems (e.g. people visiting www.faß.example would,
+    # under IDNA2003, go to www.fass.example but under IDNA2008 would end up at
+    # www.fa\195\159.example - a different web site).
+    #
+    # BIND has adopted a hard transition, so this test checks that these
+    # transitional mapping is not used.  The tests are essentially the same as
+    # for the valid U-label.
+
+    text="Checking that non-transitional IDNA processing is used"
+    idna_test "$text" ""                   "faß.de" "fa\195\159.de."
+    idna_test "$text" "+noidnin +noidnout" "faß.de" "fa\195\159.de."
+    idna_test "$text" "+noidnin +idnout"   "faß.de" "fa\195\159.de."
+    idna_test "$text" "+idnin   +noidnout" "faß.de" "xn--fa-hia.de."
+    idna_test "$text" "+idnin   +idnout"   "faß.de" "faß.de."
+
+    # Another problem character.  The final character in the first label mapped
+    # onto the Greek sigma character ("σ") in IDNA2003.
+
+    text="Second check that non-transitional IDNA processing is used"
+    idna_test "$text" ""                   "βόλος.com" "\206\178\207\140\206\187\206\191\207\130.com."
+    idna_test "$text" "+noidnin +noidnout" "βόλος.com" "\206\178\207\140\206\187\206\191\207\130.com."
+    idna_test "$text" "+noidnin +idnout"   "βόλος.com" "\206\178\207\140\206\187\206\191\207\130.com."
+    idna_test "$text" "+idnin   +noidnout" "βόλος.com" "xn--nxasmm1c.com."
+    idna_test "$text" "+idnin   +idnout"   "βόλος.com" "βόλος.com."
+
+
+
+    # Tests of a valid A-label (i.e. starting xn--)
+    #
+    # +noidnout: The string is sent as-is to the server and the returned qname
+    #            is displayed in the same form.
+    # +idnout:   The string is sent as-is to the server and the returned qname
+    #            is displayed as the corresponding U-label.
+    #
+    # The "+[no]idnin" flag has no effect in these cases.
+
+    text="Checking valid A-label"
+    idna_test "$text" ""                   "xn--nxasmq6b.com" "xn--nxasmq6b.com."
+    idna_test "$text" "+noidnin +noidnout" "xn--nxasmq6b.com" "xn--nxasmq6b.com."
+    idna_test "$text" "+noidnin +idnout"   "xn--nxasmq6b.com" "βόλοσ.com."
+    idna_test "$text" "+idnin +noidnout"   "xn--nxasmq6b.com" "xn--nxasmq6b.com."
+    idna_test "$text" "+idnin +idnout"     "xn--nxasmq6b.com" "βόλοσ.com."
+
+    # Test of valid A-label in locale that cannot display it
+    #
+    # +noidnout: The string is sent as-is to the server and the returned qname
+    #            is displayed in the same form.
+    # +idnout:   The string is sent as-is to the server and the returned qname
+    #            is displayed as the corresponding A-label.
+    #
+    # The "+[no]idnout" flag has no effect in these cases.
+    saved_LC_ALL="${LC_ALL}"
+    LC_ALL="C"
+    text="Checking valid A-label in C locale"
+    label="xn--nxasmq6b.com"
+    if command -v idn2 >/dev/null && ! idn2 -d "$label" >/dev/null 2>/dev/null; then
+	idna_test "$text" ""                   "$label" "$label."
+	idna_test "$text" "+noidnin +noidnout" "$label" "$label."
+	idna_test "$text" "+noidnin +idnout"   "$label" "$label."
+	idna_test "$text" "+idnin +noidnout"   "$label" "$label."
+	idna_test "$text" "+idnin +idnout"     "$label" "$label."
+	idna_test "$text" "+noidnin +idnout"   "$label" "$label."
+    fi
+    LC_ALL="${saved_LC_ALL}"
+
+
+
+    # Tests of invalid A-labels
+    #
+    # +noidnin: The label is sent as-is to the server and dig will display the
+    #           returned fake A-label in the same form.
+    # +idnin:   "dig" should report that the label is not correct.
+    #
+    # +[no]idnout: If the label makes it to the server (via +noidnin), "dig"
+    #           should report an error if +idnout is specified.
+
+    # The minimum length of a punycode A-label is 7 characters.  Check that
+    # a shorter label is detected and rejected.
+
+    text="Checking punycode label shorter than minimum valid length"
+    idna_test "$text" ""                   "xn--xx" "xn--xx."
+    idna_test "$text" "+noidnin +noidnout" "xn--xx" "xn--xx."
+    idna_fail "$text" "+noidnin   +idnout" "xn--xx"
+    idna_fail "$text" "+idnin   +noidnout" "xn--xx"
+    idna_fail "$text" "+idnin     +idnout" "xn--xx"
+
+    # Fake A-label - the string does not translate to anything.
+
+    text="Checking fake A-label"
+    idna_test "$text" ""                   "xn--ahahah" "xn--ahahah."
+    idna_test "$text" "+noidnin +noidnout" "xn--ahahah" "xn--ahahah."
+    idna_fail "$text" "+noidnin   +idnout" "xn--ahahah"
+    idna_fail "$text" "+idnin   +noidnout" "xn--ahahah"
+    idna_fail "$text" "+idnin     +idnout" "xn--ahahah"
+
+    # Too long a label. The punycode string is too long (at 64 characters).
+    # BIND rejects such labels: with +idnin
+
+    label="xn--xflod18hstflod18hstflod18hstflod18hstflod18hstflod18-1iejjjj"
+    text="Checking punycode label longer than maximum valid length"
+    idna_fail "$text" ""                   "$label"
+    idna_fail "$text" "+noidnin +noidnout" "$label"
+    idna_fail "$text" "+noidnin   +idnout" "$label"
+    idna_fail "$text" "+idnin   +noidnout" "$label"
+    idna_fail "$text" "+idnin     +idnout" "$label"
+
+
+
+
+    # Tests of a valid unicode string but an invalid U-label (input)
+    #
+    # Symbols are not valid IDNA2008 names.  Check whether dig rejects them
+    # when they are supplied on the command line to ensure no IDNA2003
+    # fallbacks are in place.
+    #
+    # +noidnin: "dig" should send unicode octets to the server and display the
+    #           returned qname in the same form.
+    # +idnin:   "dig" should generate an error.
+    #
+    # The +[no]idnout options should not have any effect on the test.
+
+    text="Checking invalid input U-label"
+    idna_test "$text" ""                   "√.com" "\226\136\154.com."
+    idna_test "$text" "+noidnin +noidnout" "√.com" "\226\136\154.com."
+    idna_test "$text" "+noidnin +idnout"   "√.com" "\226\136\154.com."
+    idna_test "$text" "+idnin   +noidnout" "√.com" "xn--19g.com."
+    idna_test "$text" "+idnin   +idnout"   "√.com" "√.com."
+
+    # Tests of a valid unicode string but an invalid U-label (output)
+    #
+    # Symbols are not valid IDNA2008 names.  Check whether dig rejects them
+    # when they are received in DNS responses to ensure no IDNA2003 fallbacks
+    # are in place.
+    #
+    # Note that "+idnin +noidnout" is not tested because libidn2 2.2.0+ parses
+    # Punycode more strictly than older versions and thus dig fails with that
+    # combination of options with libidn2 2.2.0+ but succeeds with older
+    # versions.
+    #
+    # +noidnout: "dig" should send the ACE string to the server and display the
+    #            returned qname.
+    # +idnout:   "dig" should generate an error.
+    #
+    # The +[no]idnin options should not have any effect on the test.
+
+    text="Checking invalid output U-label"
+    idna_test "$text" ""                   "xn--19g" "xn--19g."
+    idna_test "$text" "+noidnin +noidnout" "xn--19g" "xn--19g."
+    idna_test "$text" "+noidnin +idnout"   "xn--19g" "√."
+    idna_test "$text" "+idnin   +idnout"   "xn--19g" "√."
+}
+
+
+# Function to perform tests if IDNA is not enabled.
+
+idna_disabled_test() {
+    echo_i "IDNA is disabled, only case mapping tests will be performed"
+    ascii_case_preservation_test
+}
+
+
+# Main test begins here
+
+$FEATURETEST --with-idn
+if [ $? -eq 0 ]; then
+    idna_enabled_test
+else
+    idna_disabled_test
+fi
+
+exit $status
diff --git a/bin/tests/system/ifconfig.bat b/bin/tests/system/ifconfig.bat
new file mode 100644
index 0000000..9520abc
--- /dev/null
+++ b/bin/tests/system/ifconfig.bat
@@ -0,0 +1,49 @@
+echo off
+rem
+rem Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+rem 
+rem SPDX-License-Identifier: MPL-2.0
+rem 
+rem This Source Code Form is subject to the terms of the Mozilla Public
+rem License, v. 2.0. If a copy of the MPL was not distributed with this
+rem file, you can obtain one at https://mozilla.org/MPL/2.0/.
+rem 
+rem See the COPYRIGHT file distributed with this work for additional
+rem information regarding copyright ownership.
+
+rem ifconfig.bat
+rem Set up interface aliases for bind9 system tests.
+rem
+rem IPv4: 10.53.0.{1..10}			RFC 1918
+rem       10.53.1.{1..2}
+rem       10.53.2.{1..2}
+rem IPv6: fd92:7065:b8e:ffff::{1..10}		ULA
+rem       fd92:7065:b8e:99ff::{1..2}
+rem       fd92:7065:b8e:ff::{1..2}
+rem
+echo Please adapt this script to your system
+rem remove the following line when the script is ready
+exit /b 1
+
+rem for IPv4 adding these static addresses to a physical interface
+rem will switch it from DHCP to static flushing DHCP setup.
+rem So it is highly recommended to install the loopback pseudo-interface
+rem and add IPv4 addresses to it.
+
+rem for IPv6 your interface can have a different name, e.g.,
+rem "Local Area Connection". Please update this script and remove the
+rem exit line
+
+echo on
+
+FOR %%I IN (1,2,3,4,5,6,7,8,9,10) DO (
+	netsh interface ipv4 add address name=Loopback 10.53.0.%%I 255.255.255.0
+	netsh interface ipv6 add address interface=Loopback fd92:7065:b8e:ffff::%%I/64
+)
+FOR %%I IN (1,2) DO (
+	netsh interface ipv4 add address name=Loopback 10.53.1.%%I 255.255.255.0
+	netsh interface ipv4 add address name=Loopback 10.53.2.%%I 255.255.255.0
+
+	netsh interface ipv6 add address interface=Loopback fd92:7065:b8e:99ff::%%I/64
+	netsh interface ipv6 add address interface=Loopback fd92:7065:b8e:ff::%%I/64
+)
diff --git a/bin/tests/system/ifconfig.sh b/bin/tests/system/ifconfig.sh
new file mode 100755
index 0000000..8824c25
--- /dev/null
+++ b/bin/tests/system/ifconfig.sh
@@ -0,0 +1,271 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Set up interface aliases for bind9 system tests.
+#
+# IPv4: 10.53.0.{1..11}				RFC 1918
+#       10.53.1.{1..2}
+#       10.53.2.{1..2}
+# IPv6: fd92:7065:b8e:ffff::{1..11}		ULA
+#       fd92:7065:b8e:99ff::{1..2}
+#       fd92:7065:b8e:ff::{1..2}
+#
+# We also set the MTU on the 1500 bytes to match the default MTU on physical
+# interfaces, so we can properly test the cases with packets bigger than
+# interface MTU.
+
+SYSTEMTESTTOP="$(cd -P -- "$(dirname -- "$0")" && pwd -P)"
+. "$SYSTEMTESTTOP/conf.sh"
+
+export SYSTEMTESTTOP
+
+sys=$($SHELL "$TOP/config.guess")
+
+use_ip=
+case "$sys" in
+        *-*-linux*)
+                if type ip > /dev/null; then
+                        use_ip=yes
+                elif type ifconfig > /dev/null; then
+                        :
+                else
+                        echo "$0: can't find ip or ifconfig" >&2
+                        exit 1
+                fi
+                ;;
+esac
+
+up() {
+	case "$sys" in
+	    *-pc-solaris2.5.1)
+		[ "$a" ] && ifconfig lo0:$int $a netmask 0xffffffff up
+		;;
+	    *-sun-solaris2.[6-7])
+		[ "$a" ] && ifconfig lo0:$int $a netmask 0xffffffff up
+		;;
+	    *-*-solaris2.[8-9]|*-*-solaris2.10)
+		[ "$a" ] && {
+			/sbin/ifconfig lo0:$int plumb
+			/sbin/ifconfig lo0:$int $a up
+			/sbin/ifconfig lo0:$int mtu 1500
+		}
+		[ "$aaaa" ] && {
+			/sbin/ifconfig lo0:$int inet6 plumb
+			/sbin/ifconfig lo0:$int inet6 $aaaa up
+		}
+		;;
+	    *-*-solaris2.1[1-9])
+		[ "$a" ] && {
+			/sbin/ipadm create-addr -t -T static \
+				    -a $a lo0/bind9v4$int ||
+			echo failed lo0/bind9v4$int
+		}
+		[ "$aaaa" ] && {
+			/sbin/ipadm create-addr -t -T static \
+				    -a $aaaa lo0/bind9v6$int ||
+			echo failed lo0/bind9v6$int
+		}
+	       ;;
+	    *-*-linux*)
+		if [ "$use_ip" ]; then
+			ip address add $a/24 dev lo:$int
+			ip link set dev lo:$int mtu 1500
+			[ "$aaaa" ] && ip address add $aaaa/64 dev lo
+		else
+			ifconfig lo:$int $a up netmask 255.255.255.0 mtu 1500
+			[ "$aaaa" ] && ifconfig lo inet6 add $aaaa/64
+		fi
+		;;
+	    *-unknown-freebsd*)
+		[ "$a" ] && ifconfig lo0 $a alias netmask 0xffffffff mtu 1500
+		[ "$aaaa" ] && ifconfig lo0 inet6 $aaaa alias
+		;;
+	    *-unknown-dragonfly*|*-unknown-netbsd*|*-unknown-openbsd*)
+		[ "$a" ] && ifconfig lo0 $a alias netmask 255.255.255.0 mtu 1500
+		[ "$aaaa" ] && ifconfig lo0 inet6 $aaaa alias
+		;;
+	    *-*-bsdi[3-5].*)
+		[ "$a" ] && ifconfig lo0 add $a netmask 255.255.255.0
+		;;
+	    *-dec-osf[4-5].*)
+		[ "$a" ] && ifconfig lo0 alias $a
+		;;
+	    *-sgi-irix6.*)
+		[ "$a" ] && ifconfig lo0 alias $a
+		;;
+	    *-*-sysv5uw7*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*)
+		[ "$a" ] && ifconfig lo0 $a alias netmask 0xffffffff
+		;;
+	    *-ibm-aix4.*|*-ibm-aix5.*)
+		[ "$a" ] && ifconfig lo0 alias $a
+		[ "$aaaa" ] && ifconfig lo0 inet6 alias -dad $aaaa/64
+		;;
+	    hpux)
+		[ "$a" ] && ifconfig lo0:$int $a netmask 255.255.255.0 up
+		[ "$aaaa" ] && ifconfig lo0:$int inet6 $aaaa up
+		;;
+	    *-sco3.2v*)
+		[ "$a" ] && ifconfig lo0 alias $a
+		;;
+	    *-darwin*)
+		[ "$a" ] && ifconfig lo0 alias $a
+		[ "$aaaa" ] && ifconfig lo0 inet6 $aaaa alias
+		;;
+	    *-cygwin*)
+		echo "Please run ifconfig.bat as Administrator."
+		exit 1
+		;;
+	    *)
+		echo "Don't know how to set up interface.  Giving up."
+		exit 1
+		;;
+	esac
+}
+
+down() {
+	case "$sys" in
+	    *-pc-solaris2.5.1)
+		[ "$a" ] && ifconfig lo0:$int 0.0.0.0 down
+		;;
+	    *-sun-solaris2.[6-7])
+		[ "$a" ] && ifconfig lo0:$int $a down
+		;;
+	    *-*-solaris2.[8-9]|*-*-solaris2.10)
+		[ "$a" ] && {
+			ifconfig lo0:$int $a down
+			ifconfig lo0:$int $a unplumb
+		}
+		[ "$aaaa" ] && {
+			ifconfig lo0:$int inet6 down
+			ifconfig lo0:$int inet6 unplumb
+		}
+		;;
+	    *-*-solaris2.1[1-9])
+		[ "$a" ] && {
+			ipadm delete-addr lo0/bind9v4$int ||
+			echo failed lo0/bind9v4$int
+		}
+		[ "$aaaa" ] && {
+			ipadm delete-addr lo0/bind9v6$int ||
+			echo failed lo0/bind9v6$int
+		}
+		;;
+
+	    *-*-linux*)
+		if [ "$use_ip" ]; then
+			[ "$a" ] && ip address del $a/24 dev lo:$int
+			[ "$aaaa" ] && ip address del $aaaa/64 dev lo
+		else
+			[ "$a" ] && ifconfig lo:$int $a down
+			[ "$aaaa" ] && ifconfig lo inet6 del $aaaa/64
+		fi
+		;;
+	    *-unknown-freebsd*)
+		[ "$a" ] && ifconfig lo0 $a delete
+		[ "$aaaa" ] && ifconfig lo0 inet6 $aaaa delete
+		;;
+	    *-unknown-netbsd*)
+		[ "$a" ] && ifconfig lo0 $a delete
+		[ "$aaaa" ] && ifconfig lo0 inet6 $aaaa delete
+		;;
+	    *-unknown-openbsd*)
+		[ "$a" ] && ifconfig lo0 $a delete
+		[ "$aaaa" ] && ifconfig lo0 inet6 $aaaa delete
+		;;
+	    *-*-bsdi[3-5].*)
+		[ "$a" ] && ifconfig lo0 remove $a
+		;;
+	    *-dec-osf[4-5].*)
+		[ "$a" ] && ifconfig lo0 -alias $a
+		;;
+	    *-sgi-irix6.*)
+		[ "$a" ] && ifconfig lo0 -alias $a
+		;;
+	    *-*-sysv5uw7*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*)
+		[ "$a" ] && ifconfig lo0 -alias $a
+		;;
+	    *-ibm-aix4.*|*-ibm-aix5.*)
+		[ "$a" ] && ifconfig lo0 delete $a
+		[ "$aaaa" ] && ifconfig lo0 delete inet6 $aaaa/64
+		;;
+	    hpux)
+		[ "$a" ] && ifconfig lo0:$int 0.0.0.0
+		[ "$aaaa" ] && ifconfig lo0:$int inet6 ::
+		;;
+	    *-sco3.2v*)
+		[ "$a" ] && ifconfig lo0 -alias $a
+		;;
+	    *darwin*)
+		[ "$a" ] && ifconfig lo0 -alias $a
+		[ "$aaaa" ] && ifconfig lo0 inet6 $aaaa delete
+		;;
+	    *-cygwin*)
+		echo "Please run ifconfig.bat as Administrator."
+		exit 1
+		;;
+	    *)
+		echo "Don't know how to destroy interface.  Giving up."
+		exit 1
+		;;
+	esac
+}
+
+sequence() (
+	awk -v s=$1 -v e=$2 '
+		BEGIN {
+			for (i = s ; i <= e; i++) { print i; }
+			exit;
+		}'
+)
+
+#
+# 'max', 'i' and 'ns' are used to compute the interface identifier for
+# systems that need it and must be unique for each interface (e.g. lo:$int).
+#
+#	int=$((i * max + ns))
+#
+# 'max' is the number of nameservers configured in the inner loop.
+# 'i' is the outer loop counter.
+# 'ns' in the namserver being configured.
+# 'int' interface identifier.
+#
+max=11
+case $1 in
+    start|up|stop|down)
+	for i in $(sequence 0 2)
+	do
+		case $i in
+		  0) ipv6="ff" ;;
+		  1) ipv6="99" ;;
+		  2) ipv6="00" ;;
+		  *) ipv6="" ;;
+		esac
+		for ns in $(sequence 1 $max)
+		do
+			[ $i -gt 0 -a $ns -gt 2 ] && break
+			int=$((i * max + ns))
+			a=10.53.$i.$ns
+			aaaa=fd92:7065:b8e:${ipv6}ff::$ns
+			case "$1" in
+			    start|up) up;;
+			    stop|down) down;;
+			esac
+		done
+	done
+	;;
+    *)
+	echo "Usage: $0 { up | down }"
+	exit 1
+	;;
+esac
diff --git a/bin/tests/system/inline/clean.sh b/bin/tests/system/inline/clean.sh
new file mode 100644
index 0000000..79f3774
--- /dev/null
+++ b/bin/tests/system/inline/clean.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -rf ./*/*.jbk \
+   ./*/*.nzd ./*/*.nzd-lock ./*/*.nzf \
+   ./*/named.conf ./*/named.memstats ./*/named.run* ./*/named.lock \
+   ./*/trusted.conf \
+   ./K* ./*/K* \
+   ./checkecdsa \
+   ./freeze.test* thaw.test* \
+   ./import.key \
+   ././ns*/managed-keys.bind* ./ns*/*.mkeys* \
+   ./*/dsset-* ./*/nzf-* \
+   ./*/*.db ./*/*.db.signed ./*/*.db.jnl ./*/*.db.signed.jnl \
+   ./*.out ./*.out* ./*/*.out ./*/*.out* \
+   ./*/*.bk ./*/*.bk.jnl ./*/*.bk.signed ./*/*.bk.signed.jnl \
+   ns3/a-file ns3/removedkeys
diff --git a/bin/tests/system/inline/ns1/named.conf.in b/bin/tests/system/inline/ns1/named.conf.in
new file mode 100644
index 0000000..da27c58
--- /dev/null
+++ b/bin/tests/system/inline/ns1/named.conf.in
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	dnssec-validation yes;
+};
+
+zone "." {
+	type primary;
+	file "root.db.signed";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/inline/ns1/root.db.in b/bin/tests/system/inline/ns1/root.db.in
new file mode 100644
index 0000000..915d95b
--- /dev/null
+++ b/bin/tests/system/inline/ns1/root.db.in
@@ -0,0 +1,59 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. 			IN SOA	gson.nominum.com. a.root.servers.nil. (
+				2000042100   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+
+bits.			NS	ns3.bits.
+bits.			NS	ns4.bits.
+ns3.bits.		A	10.53.0.3
+ns4.bits.		A	10.53.0.4
+
+noixfr.			NS	ns3.noixfr.
+ns3.noixfr.		A	10.53.0.3
+
+master.			NS	ns3.master.
+ns3.master.		A	10.53.0.3
+
+dynamic.			NS	ns3.dynamic.
+ns3.dynamic.		A	10.53.0.3
+
+updated.			NS	ns3.updated.
+ns3.updated.		A	10.53.0.3
+
+expired.			NS	ns3.expired.
+ns3.expired.		A	10.53.0.3
+
+retransfer.			NS	ns3.retransfer.
+ns3.retransfer.		A	10.53.0.3
+
+nsec3.			NS	ns3.nsec3.
+ns3.nsec3.		A	10.53.0.3
+
+externalkey.		NS	ns3.externalkey.
+ns3.externalkey.	A	10.53.0.3
+
+retransfer3.		NS	ns3.retransfer.
+ns3.retransfer3.	A	10.53.0.3
+
+inactiveksk.		NS	ns3.inactiveksk.
+ns3.inactiveksk.	A	10.53.0.3
+
+inactivezsk.		NS	ns3.inactivezsk.
+ns3.inactivezsk.	A	10.53.0.3
diff --git a/bin/tests/system/inline/ns1/sign.sh b/bin/tests/system/inline/ns1/sign.sh
new file mode 100644
index 0000000..5e024c2
--- /dev/null
+++ b/bin/tests/system/inline/ns1/sign.sh
@@ -0,0 +1,26 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=.
+rm -f K.+*+*.key
+rm -f K.+*+*.private
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+$SIGNER -S -x -T 1200 -o ${zone} root.db > signer.out
+[ $? = 0 ] || cat signer.out
+
+keyfile_to_static_ds $keyname > trusted.conf
+cp trusted.conf ../ns6/trusted.conf
diff --git a/bin/tests/system/inline/ns2/bits.db.in b/bin/tests/system/inline/ns2/bits.db.in
new file mode 100644
index 0000000..2652047
--- /dev/null
+++ b/bin/tests/system/inline/ns2/bits.db.in
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	ns2 . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns3
+ns2			A	10.53.0.2
+ns3			A	10.53.0.3
diff --git a/bin/tests/system/inline/ns2/named.conf.in b/bin/tests/system/inline/ns2/named.conf.in
new file mode 100644
index 0000000..3ad6d96
--- /dev/null
+++ b/bin/tests/system/inline/ns2/named.conf.in
@@ -0,0 +1,85 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+include "../../common/rndc.key";
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	notify-delay 0;
+	allow-new-zones yes;
+};
+
+zone "bits" {
+	type primary;
+	file "bits.db";
+	allow-update { any; };
+};
+
+zone "retransfer" {
+	type primary;
+	file "retransfer.db";
+	allow-update { any; };
+	notify no;
+};
+
+zone "retransfer3" {
+	type primary;
+	file "retransfer3.db";
+	allow-update { any; };
+	allow-transfer { none; };	// changed dynamically by tests.sh
+	notify no;
+};
+
+zone "nsec3-loop" {
+	type primary;
+	file "nsec3-loop.db";
+	notify no;
+};
+
+zone "inactiveksk" {
+	type primary;
+	file "inactiveksk.db";
+	allow-update { any; };
+};
+
+zone "inactivezsk" {
+	type primary;
+	file "inactivezsk.db";
+	allow-update { any; };
+};
+
+zone "nokeys" {
+	type primary;
+	file "nokeys.db";
+	allow-update { any; };
+};
+
+zone "removedkeys-secondary" {
+	type primary;
+	file "removedkeys-secondary.db";
+	allow-update { any; };
+};
diff --git a/bin/tests/system/inline/ns2/nsec3-loop.db.in b/bin/tests/system/inline/ns2/nsec3-loop.db.in
new file mode 100644
index 0000000..d12af8d
--- /dev/null
+++ b/bin/tests/system/inline/ns2/nsec3-loop.db.in
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; NOTE: This zone's data has been crafted in order to reproduce a very specific
+; scenario (see ns7/named.conf for more details).  Please do not modify this
+; file.
+
+$TTL 300	; 5 minutes
+@			IN SOA	ns2 . (
+				1 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+ns2			A	10.53.0.2
diff --git a/bin/tests/system/inline/ns3/include.db.in b/bin/tests/system/inline/ns3/include.db.in
new file mode 100644
index 0000000..c46a6a8
--- /dev/null
+++ b/bin/tests/system/inline/ns3/include.db.in
@@ -0,0 +1,12 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+f		A	10.0.0.7
diff --git a/bin/tests/system/inline/ns3/master.db.in b/bin/tests/system/inline/ns3/master.db.in
new file mode 100644
index 0000000..4d30cf6
--- /dev/null
+++ b/bin/tests/system/inline/ns3/master.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	ns3 . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns3
+ns3			A	10.53.0.3
diff --git a/bin/tests/system/inline/ns3/master2.db.in b/bin/tests/system/inline/ns3/master2.db.in
new file mode 100644
index 0000000..24a0666
--- /dev/null
+++ b/bin/tests/system/inline/ns3/master2.db.in
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	ns3 . (
+				2000042408 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns3
+ns3			A	10.53.0.3
+
+e			A	10.0.0.5
diff --git a/bin/tests/system/inline/ns3/master3.db.in b/bin/tests/system/inline/ns3/master3.db.in
new file mode 100644
index 0000000..f3062c3
--- /dev/null
+++ b/bin/tests/system/inline/ns3/master3.db.in
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	ns3 . (
+				2000042409 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns3
+ns3			A	10.53.0.3
+
+c			A	10.0.0.3
+e			A	10.0.0.5
diff --git a/bin/tests/system/inline/ns3/master4.db.in b/bin/tests/system/inline/ns3/master4.db.in
new file mode 100644
index 0000000..737e2e2
--- /dev/null
+++ b/bin/tests/system/inline/ns3/master4.db.in
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	ns3 hostmaster. (
+				2000042410 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns3
+ns3			A	10.53.0.3
+
+c			A	10.0.0.3
+e			A	10.0.0.5
diff --git a/bin/tests/system/inline/ns3/master5.db.in b/bin/tests/system/inline/ns3/master5.db.in
new file mode 100644
index 0000000..a1e1300
--- /dev/null
+++ b/bin/tests/system/inline/ns3/master5.db.in
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	ns3 . (
+				2000042411 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns3
+ns3			A	10.53.0.3
+
+c			A	10.0.0.3
+e			A	10.0.0.5
diff --git a/bin/tests/system/inline/ns3/master6.db.in b/bin/tests/system/inline/ns3/master6.db.in
new file mode 100644
index 0000000..de3e651
--- /dev/null
+++ b/bin/tests/system/inline/ns3/master6.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	ns3 . (
+				2000042412 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns3
+ns3			A	10.53.0.3
+
+c			A	10.0.0.3
+e			A	10.0.0.5
+
+$INCLUDE missingfile.db
diff --git a/bin/tests/system/inline/ns3/master7.db.in b/bin/tests/system/inline/ns3/master7.db.in
new file mode 100644
index 0000000..a3e33e7
--- /dev/null
+++ b/bin/tests/system/inline/ns3/master7.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	ns3 . (
+				2000042412 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns3
+ns3			A	10.53.0.3
+
+c			A	10.0.0.3
+e			A	10.0.0.5
+
+$INCLUDE include.db
diff --git a/bin/tests/system/inline/ns3/named.conf.in b/bin/tests/system/inline/ns3/named.conf.in
new file mode 100644
index 0000000..dc14fe9
--- /dev/null
+++ b/bin/tests/system/inline/ns3/named.conf.in
@@ -0,0 +1,179 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+include "../../common/rndc.key";
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	try-tcp-refresh no;
+	notify-delay 0;
+	allow-new-zones yes;
+};
+
+zone "bits" {
+	type secondary;
+	primaries { 10.53.0.2; };
+	inline-signing yes;
+	auto-dnssec maintain;
+	allow-update-forwarding { any; };
+	file "bits.bk";
+	sig-signing-signatures 1;	// force incremental processing
+};
+
+server 10.53.0.4 { request-ixfr no; };
+
+zone "noixfr" {
+	type secondary;
+	primaries { 10.53.0.4; };
+	inline-signing yes;
+	auto-dnssec maintain;
+	allow-update-forwarding { any; };
+	file "noixfr.bk";
+};
+
+zone "master" {
+	type primary;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "master.db";
+	notify explicit;
+	also-notify {
+		10.53.0.3;
+	};
+};
+
+zone "dynamic" {
+	type primary;
+	inline-signing yes;
+	auto-dnssec maintain;
+	allow-update { any; };
+	file "dynamic.db";
+};
+
+zone "updated" {
+	type primary;
+	inline-signing yes;
+	auto-dnssec maintain;
+	allow-update { none; };
+	file "updated.db";
+};
+
+zone "expired" {
+	type primary;
+	inline-signing yes;
+	auto-dnssec maintain;
+	allow-update { any; };
+	file "expired.db";
+};
+
+zone "retransfer" {
+	type secondary;
+	primaries { 10.53.0.2; };
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "retransfer.bk";
+};
+
+zone "nsec3" {
+	type primary;
+	inline-signing yes;
+	auto-dnssec maintain;
+	allow-update { any; };
+	file "nsec3.db";
+};
+
+zone "externalkey" {
+	type primary;
+	inline-signing yes;
+	auto-dnssec maintain;
+	allow-update { any; };
+	file "externalkey.db";
+};
+
+zone "retransfer3" {
+	type secondary;
+	primaries { 10.53.0.2; };
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "retransfer3.bk";
+};
+
+zone "inactiveksk" {
+	type secondary;
+	primaries { 10.53.0.2; };
+	inline-signing yes;
+	auto-dnssec maintain;
+	dnssec-dnskey-kskonly yes;
+	file "inactiveksk.bk";
+};
+
+zone "inactivezsk" {
+	type secondary;
+	primaries { 10.53.0.2; };
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "inactivezsk.bk";
+};
+
+zone "nokeys" {
+	type secondary;
+	primaries { 10.53.0.2; };
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "nokeys.bk";
+};
+
+zone "delayedkeys" {
+	type primary;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "delayedkeys.db";
+};
+
+zone "removedkeys-primary" {
+	type primary;
+	inline-signing yes;
+	auto-dnssec maintain;
+	allow-update { any; };
+	also-notify { 10.53.0.2; };
+	file "removedkeys-primary.db";
+};
+
+zone "removedkeys-secondary" {
+	type secondary;
+	primaries { 10.53.0.2; };
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "removedkeys-secondary.bk";
+};
+
+zone "unsupported" {
+	type primary;
+	file "unsupported.db";
+	inline-signing yes;
+	auto-dnssec maintain;
+};
diff --git a/bin/tests/system/inline/ns3/sign.sh b/bin/tests/system/inline/ns3/sign.sh
new file mode 100755
index 0000000..7e33046
--- /dev/null
+++ b/bin/tests/system/inline/ns3/sign.sh
@@ -0,0 +1,160 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+# Fake an unsupported key
+unsupportedkey=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone unsupported)
+awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${unsupportedkey}.key > ${unsupportedkey}.tmp
+mv ${unsupportedkey}.tmp ${unsupportedkey}.key
+
+zone=bits
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
+
+zone=noixfr
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
+
+zone=master
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
+
+zone=dynamic
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
+
+zone=updated
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
+$SIGNER -S -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null
+cp master2.db.in updated.db
+
+# signatures are expired and should be regenerated on startup
+zone=expired
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
+$SIGNER -PS -s 20100101000000 -e 20110101000000 -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null
+
+zone=retransfer
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
+
+zone=nsec3
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
+
+zone=retransfer3
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
+
+zone=inactiveksk
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -P now -A now+3600 -f KSK $zone)
+keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone -f KSK $zone)
+$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
+
+zone=inactivezsk
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -P now -A now+3600 $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone -f KSK $zone)
+$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
+
+zone=delayedkeys
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+# Keys for the "delayedkeys" zone should not be initially accessible.
+mv K${zone}.+*+*.* ../
+
+zone=removedkeys-primary
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+
+zone=removedkeys-secondary
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+
+for s in a c d h k l m q z
+do
+	zone=test-$s
+	keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+done
+
+for s in b f i o p t v
+do
+	zone=test-$s
+	keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+	keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+done
+
+zone=externalkey
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+
+for alg in ${DEFAULT_ALGORITHM} ${ALTERNATIVE_ALGORITHM}
+do
+    k1=$($KEYGEN -q -a $alg -n zone -f KSK $zone)
+    k2=$($KEYGEN -q -a $alg -n zone $zone)
+    k3=$($KEYGEN -q -a $alg -n zone $zone)
+    k4=$($KEYGEN -q -a $alg -n zone -f KSK $zone)
+    $DSFROMKEY -T 1200 $k4 >> ../ns1/root.db
+
+    # Convert k1 and k2 in to External Keys.
+    rm -f $k1.private 
+    mv $k1.key a-file
+    $IMPORTKEY -P now -D now+3600 -f a-file $zone > /dev/null 2>&1 ||
+        ( echo_i "importkey failed: $alg" )
+    rm -f $k2.private 
+    mv $k2.key a-file
+    $IMPORTKEY -f a-file $zone > /dev/null 2>&1 ||
+        ( echo_i "importkey failed: $alg" )
+done
diff --git a/bin/tests/system/inline/ns4/named.conf.in b/bin/tests/system/inline/ns4/named.conf.in
new file mode 100644
index 0000000..fed200a
--- /dev/null
+++ b/bin/tests/system/inline/ns4/named.conf.in
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS4
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	notify-delay 0;
+};
+
+zone "noixfr" {
+	type primary;
+	file "noixfr.db";
+	allow-update { any; };
+};
diff --git a/bin/tests/system/inline/ns4/noixfr.db.in b/bin/tests/system/inline/ns4/noixfr.db.in
new file mode 100644
index 0000000..c40f011
--- /dev/null
+++ b/bin/tests/system/inline/ns4/noixfr.db.in
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	ns4 . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns3
+ns4			A	10.53.0.4
+ns3			A	10.53.0.3
diff --git a/bin/tests/system/inline/ns5/named.conf.post b/bin/tests/system/inline/ns5/named.conf.post
new file mode 100644
index 0000000..f454b35
--- /dev/null
+++ b/bin/tests/system/inline/ns5/named.conf.post
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS5
+
+include "../../common/rndc.key";
+
+controls {
+	inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.5;
+	notify-source 10.53.0.5;
+	transfer-source 10.53.0.5;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.5; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	notify-delay 0;
+	servfail-ttl 0;
+};
+
+zone "bits" {
+	type secondary;
+	primaries { 10.53.0.2; };
+	file "bits.bk";
+	auto-dnssec maintain;
+	inline-signing yes;
+};
diff --git a/bin/tests/system/inline/ns5/named.conf.pre b/bin/tests/system/inline/ns5/named.conf.pre
new file mode 100644
index 0000000..91844ac
--- /dev/null
+++ b/bin/tests/system/inline/ns5/named.conf.pre
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS5
+
+include "../../common/rndc.key";
+
+controls {
+	inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.5;
+	notify-source 10.53.0.5;
+	transfer-source 10.53.0.5;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.5; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	notify-delay 0;
+};
+
+zone "bits" {
+	type secondary;
+	primaries { 10.53.0.2; };
+	file "bits.bk";
+};
diff --git a/bin/tests/system/inline/ns6/named.conf.in b/bin/tests/system/inline/ns6/named.conf.in
new file mode 100644
index 0000000..215fd58
--- /dev/null
+++ b/bin/tests/system/inline/ns6/named.conf.in
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS6
+
+include "../../common/rndc.key";
+
+controls {
+	inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.6;
+	notify-source 10.53.0.6;
+	transfer-source 10.53.0.6;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.6; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+	notify-delay 0;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/inline/ns7/named.conf.in b/bin/tests/system/inline/ns7/named.conf.in
new file mode 100644
index 0000000..3a0cf86
--- /dev/null
+++ b/bin/tests/system/inline/ns7/named.conf.in
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * NS7
+ *
+ * NOTE: This named instance is used to reproduce a scenario which involves a
+ * number of functions getting called in a very specific order which results in
+ * an infinite loop while iterating over NSEC3 red-black tree.  Ensuring this
+ * happens requires carefully setting the number of signing keys, NSEC3
+ * parameters (number of iterations and salt value), zone data and named
+ * configuration.  Changing any of these and/or influencing this instance's
+ * behavior (e.g. by sending extra queries to it) might render this test moot
+ * as it will no longer be able to reproduce the exact scenario it attempts to.
+ *
+ * Given the above, please do not use this instance for any other test than the
+ * one it was meant for.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+	inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.7;
+	notify-source 10.53.0.7;
+	transfer-source 10.53.0.7;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.7; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify no;
+	try-tcp-refresh no;
+	allow-new-zones yes;
+	sig-signing-nodes 100;
+	sig-signing-signatures 10;
+};
diff --git a/bin/tests/system/inline/ns7/sign.sh b/bin/tests/system/inline/ns7/sign.sh
new file mode 100755
index 0000000..462d6ad
--- /dev/null
+++ b/bin/tests/system/inline/ns7/sign.sh
@@ -0,0 +1,25 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+# NOTE: The number of signing keys generated below is not coincidental.  More
+# details can be found in the comment inside ns7/named.conf.
+
+zone=nsec3-loop
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
diff --git a/bin/tests/system/inline/ns8/example.com.db.in b/bin/tests/system/inline/ns8/example.com.db.in
new file mode 100644
index 0000000..dfc7630
--- /dev/null
+++ b/bin/tests/system/inline/ns8/example.com.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	ns8 . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns8
+ns8			A	10.53.0.8
diff --git a/bin/tests/system/inline/ns8/example.db.in b/bin/tests/system/inline/ns8/example.db.in
new file mode 100644
index 0000000..3ebf398
--- /dev/null
+++ b/bin/tests/system/inline/ns8/example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@		IN	SOA  mname1. . (
+			1       ; serial
+			20      ; refresh (20 seconds)
+			20      ; retry (20 seconds)
+			1814400 ; expire (3 weeks)
+			3600    ; minimum (1 hour)
+			)
+
+			NS	ns8
+ns8			A	10.53.0.8
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+c			A	10.0.0.3
diff --git a/bin/tests/system/inline/ns8/example2.db.in b/bin/tests/system/inline/ns8/example2.db.in
new file mode 100644
index 0000000..1f42c3a
--- /dev/null
+++ b/bin/tests/system/inline/ns8/example2.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@		IN	SOA  mname1. . (
+			2       ; serial
+			20      ; refresh (20 seconds)
+			20      ; retry (20 seconds)
+			1814400 ; expire (3 weeks)
+			3600    ; minimum (1 hour)
+			)
+
+			NS	ns8
+ns8			A	10.53.0.8
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+c			A	10.0.0.3
diff --git a/bin/tests/system/inline/ns8/example3.db.in b/bin/tests/system/inline/ns8/example3.db.in
new file mode 100644
index 0000000..a9e3daa
--- /dev/null
+++ b/bin/tests/system/inline/ns8/example3.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 400
+@		IN	SOA  mname1. . (
+			3       ; serial
+			20      ; refresh (20 seconds)
+			20      ; retry (20 seconds)
+			1814400 ; expire (3 weeks)
+			3600    ; minimum (1 hour)
+			)
+
+			NS	ns8
+ns8			A	10.53.0.8
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+c			A	10.0.0.3
diff --git a/bin/tests/system/inline/ns8/named.conf.in b/bin/tests/system/inline/ns8/named.conf.in
new file mode 100644
index 0000000..27590da
--- /dev/null
+++ b/bin/tests/system/inline/ns8/named.conf.in
@@ -0,0 +1,162 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS8
+
+include "../../common/rndc.key";
+
+controls {
+	inet 10.53.0.8 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.8;
+	notify-source 10.53.0.8;
+	transfer-source 10.53.0.8;
+	port @PORT@;
+	pid-file "named.pid";
+	session-keyfile "session.key";
+	listen-on { 10.53.0.8; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	try-tcp-refresh no;
+	notify-delay 0;
+	allow-new-zones yes;
+};
+
+zone "example01.com" {
+	type primary;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example01.com.db";
+};
+
+zone "example02.com" {
+	type primary;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example02.com.db";
+};
+
+zone "example03.com" {
+	type primary;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example03.com.db";
+};
+
+zone "example04.com" {
+	type primary;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example04.com.db";
+};
+
+zone "example05.com" {
+	type primary;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example05.com.db";
+};
+
+zone "example06.com" {
+	type primary;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example06.com.db";
+};
+
+zone "example07.com" {
+	type primary;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example07.com.db";
+};
+
+zone "example08.com" {
+	type primary;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example08.com.db";
+};
+
+zone "example09.com" {
+	type primary;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example09.com.db";
+};
+
+zone "example10.com" {
+	type primary;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example10.com.db";
+};
+
+zone "example11.com" {
+	type primary;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example11.com.db";
+};
+
+zone "example12.com" {
+	type primary;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example12.com.db";
+};
+
+zone "example13.com" {
+	type primary;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example13.com.db";
+};
+
+zone "example14.com" {
+	type primary;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example14.com.db";
+};
+
+zone "example15.com" {
+	type primary;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example15.com.db";
+};
+
+zone "example16.com" {
+	type primary;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example16.com.db";
+};
+
+zone example {
+	type primary;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example.db";
+};
+
+zone "unsigned-serial-test" {
+	type primary;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "unsigned-serial-test.db";
+};
diff --git a/bin/tests/system/inline/ns8/sign.sh b/bin/tests/system/inline/ns8/sign.sh
new file mode 100755
index 0000000..cedad7c
--- /dev/null
+++ b/bin/tests/system/inline/ns8/sign.sh
@@ -0,0 +1,36 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+for zone in example01.com example02.com example03.com example04.com \
+	    example05.com example06.com example07.com example08.com \
+	    example09.com example10.com example11.com example12.com \
+	    example13.com example14.com example15.com example16.com
+do
+  rm -f K${zone}.+*+*.key
+  rm -f K${zone}.+*+*.private
+  keyname=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone)
+  keyname=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone -f KSK $zone)
+  cp example.com.db.in ${zone}.db
+  $SIGNER -S -T 3600 -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null 2>&1
+done
+
+for zone in example unsigned-serial-test; do
+  rm -f K${zone}.+*+*.key
+  rm -f K${zone}.+*+*.private
+  keyname=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone)
+  keyname=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone -f KSK $zone)
+  cp example.db.in ${zone}.db
+done
diff --git a/bin/tests/system/inline/setup.sh b/bin/tests/system/inline/setup.sh
new file mode 100644
index 0000000..b31606c
--- /dev/null
+++ b/bin/tests/system/inline/setup.sh
@@ -0,0 +1,57 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+cp ns1/root.db.in ns1/root.db
+
+touch ns2/trusted.conf
+cp ns2/nsec3-loop.db.in ns2/nsec3-loop.db
+cp ns2/bits.db.in ns2/bits.db
+cp ns2/bits.db.in ns2/inactiveksk.db
+cp ns2/bits.db.in ns2/inactivezsk.db
+cp ns2/bits.db.in ns2/nokeys.db
+cp ns2/bits.db.in ns2/removedkeys-secondary.db
+cp ns2/bits.db.in ns2/retransfer.db
+cp ns2/bits.db.in ns2/retransfer3.db
+
+cp ns3/master.db.in ns3/master.db
+cp ns3/master.db.in ns3/dynamic.db
+cp ns3/master.db.in ns3/updated.db
+cp ns3/master.db.in ns3/unsupported.db
+cp ns3/master.db.in ns3/expired.db
+cp ns3/master.db.in ns3/nsec3.db
+cp ns3/master.db.in ns3/externalkey.db
+cp ns3/master.db.in ns3/delayedkeys.db
+cp ns3/master.db.in ns3/removedkeys-primary.db
+cp ns3/include.db.in ns3/include.db
+
+mkdir ns3/removedkeys
+
+touch ns4/trusted.conf
+cp ns4/noixfr.db.in ns4/noixfr.db
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.pre ns5/named.conf
+copy_setports ns6/named.conf.in ns6/named.conf
+copy_setports ns7/named.conf.in ns7/named.conf
+copy_setports ns8/named.conf.in ns8/named.conf
+
+(cd ns3; $SHELL -e sign.sh)
+(cd ns1; $SHELL -e sign.sh)
+(cd ns7; $SHELL -e sign.sh)
+(cd ns8; $SHELL -e sign.sh)
diff --git a/bin/tests/system/inline/tests.sh b/bin/tests/system/inline/tests.sh
new file mode 100755
index 0000000..2242d79
--- /dev/null
+++ b/bin/tests/system/inline/tests.sh
@@ -0,0 +1,1488 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="+tcp +dnssec -p ${PORT}"
+RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
+
+dig_with_opts() {
+	$DIG $DIGOPTS "$@"
+}
+
+rndccmd() {
+	$RNDCCMD "$@"
+}
+
+wait_for_serial() (
+    $DIG $DIGOPTS "@$1" "$2" SOA > "$4"
+    serial=$(awk '$4 == "SOA" { print $7 }' "$4")
+    [ "$3" -eq "${serial:--1}" ]
+)
+
+status=0
+n=0
+
+$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - nsec3 > /dev/null 2>&1
+
+for i in 1 2 3 4 5 6 7 8 9 0
+do
+	nsec3param=$($DIG $DIGOPTS +nodnssec +short @10.53.0.3 nsec3param nsec3.)
+	test "$nsec3param" = "1 0 0 -" && break
+	sleep 1
+done
+
+n=$((n + 1))
+echo_i "checking that an unsupported algorithm is not used for signing ($n)"
+ret=0
+grep -q "algorithm is unsupported" ns3/named.run || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that rrsigs are replaced with ksk only ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 axfr nsec3. |
+	awk '/RRSIG NSEC3/ {a[$1]++} END { for (i in a) {if (a[i] != 1) exit (1)}}' || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that the zone is signed on initial transfer ($n)"
+ret=0
+for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
+do
+	ret=0
+	$RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1
+	keys=$(grep '^Done signing' signing.out.test$n | wc -l)
+	[ $keys = 2 ] || ret=1
+	if [ $ret = 0 ]; then break; fi
+	sleep 1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking expired signatures are updated on load ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 +noall +answer +dnssec expired SOA > dig.out.ns3.test$n
+expiry=$(awk '$4 == "RRSIG" { print $9 }' dig.out.ns3.test$n)
+[ "$expiry" = "20110101000000" ] && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking removal of private type record via 'rndc signing -clear' ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1
+keys=$(sed -n -e 's/Done signing with key \(.*\)$/\1/p' signing.out.test$n)
+for key in $keys; do
+	$RNDCCMD 10.53.0.3 signing -clear ${key} bits > /dev/null || ret=1
+	break;	# We only want to remove 1 record for now.
+done 2>&1 |sed 's/^/ns3 /' | cat_i
+
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+	ans=0
+	$RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1
+        num=$(grep "Done signing with" signing.out.test$n | wc -l)
+	[ $num = 1 ] && break
+	sleep 1
+done
+[ $ans = 0 ] || ret=1
+
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking private type was properly signed ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.6 bits TYPE65534 > dig.out.ns6.test$n
+grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ret=1
+grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1
+
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking removal of remaining private type record via 'rndc signing -clear all' ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 signing -clear all bits > /dev/null || ret=1
+
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+	ans=0
+	$RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1
+	grep "No signing records found" signing.out.test$n > /dev/null || ans=1
+	[ $ans = 1 ] || break
+	sleep 1
+done
+[ $ans = 0 ] || ret=1
+
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking negative private type response was properly signed ($n)"
+ret=0
+sleep 1
+$DIG $DIGOPTS @10.53.0.6 bits TYPE65534 > dig.out.ns6.test$n
+grep "status: NOERROR" dig.out.ns6.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns6.test$n > /dev/null || ret=1
+grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1
+
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+$NSUPDATE << EOF
+zone bits
+server 10.53.0.2 ${PORT}
+update add added.bits 0 A 1.2.3.4
+send
+EOF
+
+n=$((n + 1))
+echo_i "checking that the record is added on the hidden primary ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 added.bits A > dig.out.ns2.test$n
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that update has been transferred and has been signed ($n)"
+ret=0
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+	ret=0
+	$DIG $DIGOPTS @10.53.0.3 added.bits A > dig.out.ns3.test$n
+	grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+	grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
+	if [ $ret = 0 ]; then break; fi
+	sleep 1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+$NSUPDATE << EOF
+zone bits
+server 10.53.0.2 ${PORT}
+update add bits 0 SOA ns2.bits. . 2011072400 20 20 1814400 3600
+send
+EOF
+
+n=$((n + 1))
+echo_i "checking YYYYMMDDVV (2011072400) serial on hidden primary ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 bits SOA > dig.out.ns2.test$n
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+grep "2011072400" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking YYYYMMDDVV (2011072400) serial in signed zone ($n)"
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+	ret=0
+	$DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n
+	grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+	grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
+	grep "2011072400" dig.out.ns3.test$n > /dev/null || ret=1
+	if [ $ret = 0 ]; then break; fi
+	sleep 1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that the zone is signed on initial transfer, noixfr ($n)"
+ret=0
+for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
+do
+	ret=0
+	$RNDCCMD 10.53.0.3 signing -list noixfr > signing.out.test$n 2>&1
+	keys=$(grep '^Done signing' signing.out.test$n | wc -l)
+	[ $keys = 2 ] || ret=1
+	if [ $ret = 0 ]; then break; fi
+	sleep 1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+$NSUPDATE << EOF
+zone noixfr
+server 10.53.0.4 ${PORT}
+update add added.noixfr 0 A 1.2.3.4
+send
+EOF
+
+n=$((n + 1))
+echo_i "checking that the record is added on the hidden primary, noixfr ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.4 added.noixfr A > dig.out.ns4.test$n
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that update has been transferred and has been signed, noixfr ($n)"
+ret=0
+for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
+do
+	ret=0
+	$DIG $DIGOPTS @10.53.0.3 added.noixfr A > dig.out.ns3.test$n
+	grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+	grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
+	if [ $ret = 0 ]; then break; fi
+	sleep 1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+$NSUPDATE << EOF
+zone noixfr
+server 10.53.0.4 ${PORT}
+update add noixfr 0 SOA ns4.noixfr. . 2011072400 20 20 1814400 3600
+send
+EOF
+
+n=$((n + 1))
+echo_i "checking YYYYMMDDVV (2011072400) serial on hidden primary, noixfr ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.4 noixfr SOA > dig.out.ns4.test$n
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
+grep "2011072400" dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking YYYYMMDDVV (2011072400) serial in signed zone, noixfr ($n)"
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+	ret=0
+	$DIG $DIGOPTS @10.53.0.3 noixfr SOA > dig.out.ns3.test$n
+	grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+	grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
+	grep "2011072400" dig.out.ns3.test$n > /dev/null || ret=1
+	if [ $ret = 0 ]; then break; fi
+	sleep 1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that the primary zone signed on initial load ($n)"
+ret=0
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+	ret=0
+	$RNDCCMD 10.53.0.3 signing -list master  > signing.out.test$n 2>&1
+	keys=$(grep '^Done signing' signing.out.test$n | wc -l)
+	[ $keys = 2 ] || ret=1
+	if [ $ret = 0 ]; then break; fi
+	sleep 1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking removal of private type record via 'rndc signing -clear' (primary) ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 signing -list master > signing.out.test$n 2>&1
+keys=$(sed -n -e 's/Done signing with key \(.*\)$/\1/p' signing.out.test$n)
+for key in $keys; do
+	$RNDCCMD 10.53.0.3 signing -clear ${key} master > /dev/null || ret=1
+	break;	# We only want to remove 1 record for now.
+done 2>&1 |sed 's/^/ns3 /' | cat_i
+
+for i in 1 2 3 4 5 6 7 8 9
+do
+	ans=0
+	$RNDCCMD 10.53.0.3 signing -list master > signing.out.test$n 2>&1
+        num=$(grep "Done signing with" signing.out.test$n | wc -l)
+	[ $num = 1 ] && break
+	sleep 1
+done
+[ $ans = 0 ] || ret=1
+
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking private type was properly signed (primary) ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.6 master TYPE65534 > dig.out.ns6.test$n
+grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ret=1
+grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1
+
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking removal of remaining private type record via 'rndc signing -clear' (primary) ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 signing -clear all master > /dev/null || ret=1
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+	ans=0
+	$RNDCCMD 10.53.0.3 signing -list master > signing.out.test$n 2>&1
+	grep "No signing records found" signing.out.test$n > /dev/null || ans=1
+	[ $ans = 1 ] || break
+	sleep 1
+done
+[ $ans = 0 ] || ret=1
+
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check adding of record to unsigned primary ($n)"
+ret=0
+cp ns3/master2.db.in ns3/master.db
+rndc_reload ns3 10.53.0.3 master
+for i in 1 2 3 4 5 6 7 8 9
+do
+	ans=0
+	$DIG $DIGOPTS @10.53.0.3 e.master A > dig.out.ns3.test$n
+	grep "10.0.0.5" dig.out.ns3.test$n > /dev/null || ans=1
+	grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
+	[ $ans = 1 ] || break
+	sleep 1
+done
+[ $ans = 0 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check adding record fails when SOA serial not changed ($n)"
+ret=0
+echo "c A 10.0.0.3" >> ns3/master.db
+rndc_reload ns3 10.53.0.3
+sleep 1
+$DIG $DIGOPTS @10.53.0.3 c.master A > dig.out.ns3.test$n
+grep "NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check adding record works after updating SOA serial ($n)"
+ret=0
+cp ns3/master3.db.in ns3/master.db
+$RNDCCMD 10.53.0.3 reload master 2>&1 | sed 's/^/ns3 /' | cat_i
+for i in 1 2 3 4 5 6 7 8 9
+do
+	ans=0
+	$DIG $DIGOPTS @10.53.0.3 c.master A > dig.out.ns3.test$n
+	grep "10.0.0.3" dig.out.ns3.test$n > /dev/null || ans=1
+	grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
+	[ $ans = 1 ] || break
+	sleep 1
+done
+[ $ans = 0 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check the added record was properly signed ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 e.master A > dig.out.ns6.test$n
+grep "10.0.0.5" dig.out.ns6.test$n > /dev/null || ans=1
+grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ans=1
+grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ans=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that the dynamic primary zone signed on initial load ($n)"
+ret=0
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+	ret=0
+	$RNDCCMD 10.53.0.3 signing -list dynamic > signing.out.test$n 2>&1
+	keys=$(grep '^Done signing' signing.out.test$n | wc -l)
+	[ $keys = 2 ] || ret=1
+	if [ $ret = 0 ]; then break; fi
+	sleep 1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking primary zone that was updated while offline is correct ($n)"
+ret=0
+$DIG $DIGOPTS +nodnssec +short @10.53.0.3 updated SOA >dig.out.ns2.soa.test$n
+serial=$(awk '{print $3}' dig.out.ns2.soa.test$n)
+# serial should have changed
+[ "$serial" = "2000042407" ] && ret=1
+# e.updated should exist and should be signed
+$DIG $DIGOPTS @10.53.0.3 e.updated A > dig.out.ns3.test$n
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
+# updated.db.signed.jnl should exist, should have the source serial
+# of master2.db, and should show a minimal diff: no more than 8 added
+# records (SOA/RRSIG, 2 x NSEC/RRSIG, A/RRSIG), and 4 removed records
+# (SOA/RRSIG, NSEC/RRSIG).
+$JOURNALPRINT ns3/updated.db.signed.jnl >journalprint.out.test$n
+serial=$(awk '/Source serial =/ {print $4}' journalprint.out.test$n)
+[ "$serial" = "2000042408" ] || ret=1
+diffsize=$(wc -l < journalprint.out.test$n)
+[ "$diffsize" -le 13 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking adding of record to unsigned primary using UPDATE ($n)"
+ret=0
+
+[ -f ns3/dynamic.db.jnl ] && { ret=1 ; echo_i "journal exists (pretest)" ; }
+
+$NSUPDATE << EOF
+zone dynamic
+server 10.53.0.3 ${PORT}
+update add e.dynamic 0 A 1.2.3.4
+send
+EOF
+
+[ -f ns3/dynamic.db.jnl ] || { ret=1 ; echo_i "journal does not exist (posttest)" ; }
+
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+	ans=0
+	$DIG $DIGOPTS @10.53.0.3 e.dynamic > dig.out.ns3.test$n
+	grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ans=1
+	grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
+	grep "1.2.3.4" dig.out.ns3.test$n > /dev/null || ans=1
+	[ $ans = 0 ] && break
+	sleep 1
+done
+[ $ans = 0 ] || { ret=1; echo_i "signed record not found"; cat dig.out.ns3.test$n ; }
+
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "stop bump in the wire signer server ($n)"
+ret=0
+stop_server ns3 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "restart bump in the wire signer server ($n)"
+ret=0
+start_server --noclean --restart --port ${PORT} ns3 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+$NSUPDATE << EOF
+zone bits
+server 10.53.0.2 ${PORT}
+update add bits 0 SOA ns2.bits. . 2011072450 20 20 1814400 3600
+send
+EOF
+
+n=$((n + 1))
+echo_i "checking YYYYMMDDVV (2011072450) serial on hidden primary ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 bits SOA > dig.out.ns2.test$n
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+grep "2011072450" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking YYYYMMDDVV (2011072450) serial in signed zone ($n)"
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+	ret=0
+	$DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n
+	grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+	grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
+	grep "2011072450" dig.out.ns3.test$n > /dev/null || ret=1
+	if [ $ret = 0 ]; then break; fi
+	sleep 1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+$NSUPDATE << EOF
+zone noixfr
+server 10.53.0.4 ${PORT}
+update add noixfr 0 SOA ns4.noixfr. . 2011072450 20 20 1814400 3600
+send
+EOF
+
+n=$((n + 1))
+echo_i "checking YYYYMMDDVV (2011072450) serial on hidden primary, noixfr ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.4 noixfr SOA > dig.out.ns4.test$n
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
+grep "2011072450" dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking YYYYMMDDVV (2011072450) serial in signed zone, noixfr ($n)"
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+	ret=0
+	$DIG $DIGOPTS @10.53.0.3 noixfr SOA > dig.out.ns3.test$n
+	grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+	grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
+	grep "2011072450" dig.out.ns3.test$n > /dev/null || ret=1
+	if [ $ret = 0 ]; then break; fi
+	sleep 1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+$NSUPDATE << EOF
+zone bits
+server 10.53.0.3 ${PORT}
+update add bits 0 SOA ns2.bits. . 2011072460 20 20 1814400 3600
+send
+EOF
+
+n=$((n + 1))
+echo_i "checking forwarded update on hidden primary ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 bits SOA > dig.out.ns2.test$n
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+grep "2011072460" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking forwarded update on signed zone ($n)"
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+	ret=0
+	$DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n
+	grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+	grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
+	grep "2011072460" dig.out.ns3.test$n > /dev/null || ret=1
+	if [ $ret = 0 ]; then break; fi
+	sleep 1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+$NSUPDATE << EOF
+zone noixfr
+server 10.53.0.3 ${PORT}
+update add noixfr 0 SOA ns4.noixfr. . 2011072460 20 20 1814400 3600
+send
+EOF
+
+n=$((n + 1))
+echo_i "checking forwarded update on hidden primary, noixfr ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.4 noixfr SOA > dig.out.ns4.test$n
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
+grep "2011072460" dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking forwarded update on signed zone, noixfr ($n)"
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+	ret=0
+	$DIG $DIGOPTS @10.53.0.3 noixfr SOA > dig.out.ns3.test$n
+	grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+	grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
+	grep "2011072460" dig.out.ns3.test$n > /dev/null || ret=1
+	if [ $ret = 0 ]; then break; fi
+	sleep 1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+ret=0
+n=$((n + 1))
+echo_i "checking turning on of inline signing in a secondary zone via reload ($n)"
+$DIG $DIGOPTS @10.53.0.5 +dnssec bits SOA > dig.out.ns5.test$n
+grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns5.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "setup broken"; fi
+status=$((status + ret))
+copy_setports ns5/named.conf.post ns5/named.conf
+(cd ns5; $KEYGEN -q -a ${DEFAULT_ALGORITHM} bits) > /dev/null 2>&1
+(cd ns5; $KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK bits) > /dev/null 2>&1
+rndc_reload ns5 10.53.0.5
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+	ret=0
+	$DIG $DIGOPTS @10.53.0.5 bits SOA > dig.out.ns5.test$n
+	grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
+	grep "ANSWER: 2," dig.out.ns5.test$n > /dev/null || ret=1
+	if [ $ret = 0 ]; then break; fi
+	sleep 1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking rndc freeze/thaw of dynamic inline zone no change ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 freeze dynamic > freeze.test$n 2>&1 || { echo_i "/' < freeze.test$n"; ret=1;  }
+sleep 1
+$RNDCCMD 10.53.0.3 thaw dynamic > thaw.test$n 2>&1 || { echo_i "rndc thaw dynamic failed" ; ret=1; }
+sleep 1
+grep "zone dynamic/IN (unsigned): ixfr-from-differences: unchanged" ns3/named.run > /dev/null ||  ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+
+n=$((n + 1))
+echo_i "checking rndc freeze/thaw of dynamic inline zone ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 freeze dynamic > freeze.test$n 2>&1 || ret=1
+sleep 1
+awk '$2 == ";" && $3 ~ /serial/ { printf("%d %s %s\n", $1 + 1, $2, $3); next; }
+     { print; }
+     END { print "freeze1.dynamic. 0 TXT freeze1"; } ' ns3/dynamic.db > ns3/dynamic.db.new
+mv ns3/dynamic.db.new ns3/dynamic.db
+$RNDCCMD 10.53.0.3 thaw dynamic > thaw.test$n 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check added record freeze1.dynamic ($n)"
+for i in 1 2 3 4 5 6 7 8 9
+do
+    ret=0
+    $DIG $DIGOPTS @10.53.0.3 freeze1.dynamic TXT > dig.out.ns3.test$n
+    grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+    grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
+    test $ret = 0 && break
+    sleep 1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+# allow 1 second so that file time stamps change
+sleep 1
+
+n=$((n + 1))
+echo_i "checking rndc freeze/thaw of server ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 freeze > freeze.test$n 2>&1 || ret=1
+sleep 1
+awk '$2 == ";" && $3 ~ /serial/ { printf("%d %s %s\n", $1 + 1, $2, $3); next; }
+     { print; }
+     END { print "freeze2.dynamic. 0 TXT freeze2"; } ' ns3/dynamic.db > ns3/dynamic.db.new
+mv ns3/dynamic.db.new ns3/dynamic.db
+$RNDCCMD 10.53.0.3 thaw > thaw.test$n 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check added record freeze2.dynamic ($n)"
+for i in 1 2 3 4 5 6 7 8 9
+do
+    ret=0
+    $DIG $DIGOPTS @10.53.0.3 freeze2.dynamic TXT > dig.out.ns3.test$n
+    grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+    grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
+    test $ret = 0 && break
+    sleep 1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check rndc reload allows reuse of inline-signing zones ($n)"
+ret=0
+{ $RNDCCMD 10.53.0.3 reload 2>&1 || ret=1 ; } | sed 's/^/ns3 /' | cat_i
+grep "not reusable" ns3/named.run > /dev/null 2>&1 && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check rndc sync removes both signed and unsigned journals ($n)"
+ret=0
+[ -f ns3/dynamic.db.jnl ] || ret=1
+[ -f ns3/dynamic.db.signed.jnl ] || ret=1
+$RNDCCMD 10.53.0.3 sync -clean dynamic 2>&1 || ret=1
+[ -f ns3/dynamic.db.jnl ] && ret=1
+[ -f ns3/dynamic.db.signed.jnl ] && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+$NSUPDATE << EOF
+zone retransfer
+server 10.53.0.2 ${PORT}
+update add added.retransfer 0 A 1.2.3.4
+send
+
+EOF
+
+n=$((n + 1))
+echo_i "checking that the retransfer record is added on the hidden primary ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 added.retransfer A > dig.out.ns2.test$n
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that the change has not been transferred due to notify ($n)"
+ret=0
+for i in 0 1 2 3 4 5 6 7 8 9
+do
+	ans=0
+	$DIG $DIGOPTS @10.53.0.3 added.retransfer A > dig.out.ns3.test$n
+	grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ans=1
+	[ $ans = 0 ] && break
+	sleep 1
+done
+if [ $ans != 1 ]; then echo_i "failed"; ret=1; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check rndc retransfer of a inline secondary zone works ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 retransfer retransfer 2>&1 || ret=1
+for i in 0 1 2 3 4 5 6 7 8 9
+do
+	ans=0
+	$DIG $DIGOPTS @10.53.0.3 added.retransfer A > dig.out.ns3.test$n
+	grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ans=1
+	grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
+	[ $ans = 0 ] && break
+	sleep 1
+done
+[ $ans = 1 ] && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check 'rndc signing -nsec3param' requests are queued for zones which are not loaded ($n)"
+ret=0
+# The "retransfer3" zone is configured with "allow-transfer { none; };" on ns2,
+# which means it should not yet be available on ns3.
+$DIG $DIGOPTS @10.53.0.3 retransfer3 SOA > dig.out.ns3.pre.test$n
+grep "status: SERVFAIL" dig.out.ns3.pre.test$n > /dev/null || ret=1
+# Switch the zone to NSEC3.  An "NSEC3 -> NSEC -> NSEC3" sequence is used purely
+# to test that multiple queued "rndc signing -nsec3param" requests are handled
+# properly.
+$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 signing -nsec3param none retransfer3 > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ret=1
+# Reconfigure ns2 to allow outgoing transfers for the "retransfer3" zone.
+sed "s|\(allow-transfer { none; };.*\)|// \1|;" ns2/named.conf > ns2/named.conf.new
+mv ns2/named.conf.new ns2/named.conf
+$RNDCCMD 10.53.0.2 reconfig || ret=1
+# Request ns3 to retransfer the "retransfer3" zone.
+$RNDCCMD 10.53.0.3 retransfer retransfer3 || ret=1
+# Check whether "retransfer3" uses NSEC3 as requested.
+for i in 0 1 2 3 4 5 6 7 8 9
+do
+	ret=0
+	$DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.post.test$n.$i
+	grep "status: NXDOMAIN" dig.out.ns3.post.test$n.$i > /dev/null || ret=1
+	grep "NSEC3" dig.out.ns3.post.test$n.$i > /dev/null || ret=1
+	test $ret -eq 0 && break
+	sleep 1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check rndc retransfer of a inline nsec3 secondary retains nsec3 ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ret=1
+for i in 0 1 2 3 4 5 6 7 8 9
+do
+	ans=0
+	$DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.pre.test$n
+	grep "status: NXDOMAIN" dig.out.ns3.pre.test$n > /dev/null || ans=1
+	grep "NSEC3" dig.out.ns3.pre.test$n > /dev/null || ans=1
+	[ $ans = 0 ] && break
+	sleep 1
+done
+$RNDCCMD 10.53.0.3 retransfer retransfer3 2>&1 || ret=1
+for i in 0 1 2 3 4 5 6 7 8 9
+do
+	ans=0
+	$DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.post.test$n
+	grep "status: NXDOMAIN" dig.out.ns3.post.test$n > /dev/null || ans=1
+	grep "NSEC3" dig.out.ns3.post.test$n > /dev/null || ans=1
+	[ $ans = 0 ] && break
+	sleep 1
+done
+[ $ans = 1 ] && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+# NOTE: The test below should be considered fragile.  More details can be found
+# in the comment inside ns7/named.conf.
+n=$((n + 1))
+echo_i "check rndc retransfer of a inline nsec3 secondary does not trigger an infinite loop ($n)"
+ret=0
+zone=nsec3-loop
+# Add secondary zone using rndc
+$RNDCCMD 10.53.0.7 addzone $zone \
+	'{ type secondary; primaries { 10.53.0.2; }; file "'$zone'.db"; inline-signing yes; auto-dnssec maintain; };'
+# Wait until secondary zone is fully signed using NSEC
+for i in 1 2 3 4 5 6 7 8 9 0
+do
+	ret=1
+	$RNDCCMD 10.53.0.7 signing -list $zone > signing.out.test$n 2>&1
+	keys=$(grep '^Done signing' signing.out.test$n | wc -l)
+	[ $keys -eq 3 ] && ret=0 && break
+	sleep 1
+done
+# Switch secondary zone to NSEC3
+$RNDCCMD 10.53.0.7 signing -nsec3param 1 0 2 12345678 $zone > /dev/null 2>&1
+# Wait until secondary zone is fully signed using NSEC3
+for i in 1 2 3 4 5 6 7 8 9 0
+do
+	ret=1
+	nsec3param=$($DIG $DIGOPTS +nodnssec +short @10.53.0.7 nsec3param $zone)
+	test "$nsec3param" = "1 0 2 12345678" && ret=0 && break
+	sleep 1
+done
+# Attempt to retransfer the secondary zone from primary
+$RNDCCMD 10.53.0.7 retransfer $zone
+# Check whether the signer managed to fully sign the retransferred zone by
+# waiting for a specific SOA serial number to appear in the logs; if this
+# specific SOA serial number does not appear in the logs, it means the signer
+# has either ran into an infinite loop or crashed; note that we check the logs
+# instead of sending SOA queries to the signer as these may influence its
+# behavior in a way which may prevent the desired scenario from being
+# reproduced (see comment in ns7/named.conf)
+for i in 1 2 3 4 5 6 7 8 9 0
+do
+	ret=1
+	grep "ns2.$zone. . 10 20 20 1814400 3600" ns7/named.run > /dev/null 2>&1
+	[ $? -eq 0 ] && ret=0 && break
+	sleep 1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "stop bump in the wire signer server ($n)"
+ret=0
+stop_server ns3 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "update SOA record while stopped"
+cp ns3/master4.db.in ns3/master.db
+rm ns3/master.db.jnl
+
+n=$((n + 1))
+echo_i "restart bump in the wire signer server ($n)"
+ret=0
+start_server --noclean --restart --port ${PORT} ns3 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "updates to SOA parameters other than serial while stopped are reflected in signed zone ($n)"
+ret=0
+for i in 1 2 3 4 5 6 7 8 9
+do
+	ans=0
+	$DIG $DIGOPTS @10.53.0.3 master SOA > dig.out.ns3.test$n
+	grep "hostmaster" dig.out.ns3.test$n > /dev/null || ans=1
+	grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
+	[ $ans = 1 ] || break
+	sleep 1
+done
+[ $ans = 0 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that reloading all zones does not cause zone maintenance to cease for inline-signed zones ($n)"
+ret=1
+# Ensure "rndc reload" attempts to load ns3/master.db by waiting 1 second so
+# that the file modification time has no possibility of being equal to
+# the one stored during server startup.
+sleep 1
+nextpart ns3/named.run > /dev/null
+cp ns3/master5.db.in ns3/master.db
+rndc_reload ns3 10.53.0.3
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+	if nextpart ns3/named.run | grep "zone master.*sending notifies" > /dev/null; then
+		ret=0
+		break
+	fi
+	sleep 1
+done
+# Sanity check: file updates should be reflected in the signed zone,
+# i.e. SOA RNAME should no longer be set to "hostmaster".
+$DIG $DIGOPTS @10.53.0.3 master SOA > dig.out.ns3.test$n || ret=1
+grep "hostmaster" dig.out.ns3.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that reloading errors prevent synchronization ($n)"
+ret=1
+$DIG $DIGOPTS +short @10.53.0.3 master SOA > dig.out.ns3.test$n.1 || ret=1
+sleep 1
+nextpart ns3/named.run > /dev/null
+cp ns3/master6.db.in ns3/master.db
+rndc_reload ns3 10.53.0.3
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+	if nextpart ns3/named.run | grep "not loaded due to errors" > /dev/null
+        then
+		ret=0
+		break
+	fi
+	sleep 1
+done
+# Sanity check: the SOA record should be unchanged
+$DIG $DIGOPTS +short @10.53.0.3 master SOA > dig.out.ns3.test$n.2 || ret=1
+$DIFF dig.out.ns3.test$n.1  dig.out.ns3.test$n.2 > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check inline-signing with an include file ($n)"
+ret=0
+$DIG $DIGOPTS +short @10.53.0.3 master SOA > dig.out.ns3.test$n.1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+sleep 1
+nextpart ns3/named.run > /dev/null
+cp ns3/master7.db.in ns3/master.db
+rndc_reload ns3 10.53.0.3
+_includefile_loaded() {
+	$DIG $DIGOPTS @10.53.0.3 f.master A > dig.out.ns3.test$n
+	grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || return 1
+	grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || return 1
+	grep "10\.0\.0\.7" dig.out.ns3.test$n > /dev/null || return 1
+	return 0
+}
+retry_quiet 10 _includefile_loaded
+# Sanity check: the SOA record should be changed
+$DIG $DIGOPTS +short @10.53.0.3 master SOA > dig.out.ns3.test$n.2 || ret=1
+$DIFF dig.out.ns3.test$n.1  dig.out.ns3.test$n.2 > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "test add/del zone combinations ($n)"
+ret=0
+for zone in a b c d e f g h i j k l m n o p q r s t u v w x y z
+do
+$RNDCCMD 10.53.0.2 addzone test-$zone \
+	'{ type primary; file "bits.db.in"; allow-transfer { any; }; };'
+$DIG $DIGOPTS @10.53.0.2 test-$zone SOA > dig.out.ns2.$zone.test$n
+grep "status: NOERROR," dig.out.ns2.$zone.test$n  > /dev/null || { ret=1; cat dig.out.ns2.$zone.test$n; }
+$RNDCCMD 10.53.0.3 addzone test-$zone \
+	'{ type secondary; primaries { 10.53.0.2; }; file "'test-$zone.bk'"; inline-signing yes; auto-dnssec maintain; allow-transfer { any; }; };'
+$RNDCCMD 10.53.0.3 delzone test-$zone > /dev/null 2>&1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "testing adding external keys to a inline zone ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 dnskey externalkey > dig.out.ns3.test$n
+for alg in ${DEFAULT_ALGORITHM_NUMBER} ${ALTERNATIVE_ALGORITHM_NUMBER}
+do
+   [ $alg = 13 -a ! -f checkecdsa ] && continue;
+
+   case $alg in
+   7) echo_i "checking NSEC3RSASHA1";;
+   8) echo_i "checking RSASHA256";;
+   13) echo_i "checking ECDSAP256SHA256";;
+   *) echo_i "checking $alg";;
+   esac
+
+   dnskeys=$(grep "IN.DNSKEY.25[67] [0-9]* $alg " dig.out.ns3.test$n | wc -l)
+   rrsigs=$(grep "RRSIG.DNSKEY $alg " dig.out.ns3.test$n | wc -l)
+   test ${dnskeys:-0} -eq 3 || { echo_i "failed $alg (dnskeys ${dnskeys:-0})"; ret=1; }
+   test ${rrsigs:-0} -eq 2 || { echo_i "failed $alg (rrsigs ${rrsigs:-0})"; ret=1; }
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "testing imported key won't overwrite a private key ($n)"
+ret=0
+key=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} import.example)
+cp ${key}.key import.key
+# import should fail
+$IMPORTKEY -f import.key import.example > /dev/null 2>&1 && ret=1
+rm -f ${key}.private
+# private key removed; import should now succeed
+$IMPORTKEY -f import.key import.example > /dev/null 2>&1 || ret=1
+# now that it's an external key, re-import should succeed
+$IMPORTKEY -f import.key import.example > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "testing updating inline secure serial via 'rndc signing -serial' ($n)"
+ret=0
+$DIG $DIGOPTS nsec3. SOA @10.53.0.3 > dig.out.n3.pre.test$n
+newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.n3.pre.test$n)
+$RNDCCMD 10.53.0.3 signing -serial ${newserial:-0} nsec3 > /dev/null 2>&1
+retry_quiet 5 wait_for_serial 10.53.0.3 nsec3. "${newserial:-0}" dig.out.ns3.post.test$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "testing updating inline secure serial via 'rndc signing -serial' with negative change ($n)"
+ret=0
+$DIG $DIGOPTS nsec3. SOA @10.53.0.3 > dig.out.n3.pre.test$n
+oldserial=$(awk '$4 == "SOA" { print $7 }' dig.out.n3.pre.test$n)
+newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] - 10) if ($field[3] eq "SOA"); }' < dig.out.n3.pre.test$n)
+$RNDCCMD 10.53.0.3 signing -serial ${newserial:-0} nsec3 > /dev/null 2>&1
+sleep 1
+$DIG $DIGOPTS nsec3. SOA @10.53.0.3 > dig.out.ns3.post.test$n
+serial=$(awk '$4 == "SOA" { print $7 }' dig.out.ns3.post.test$n)
+[ ${oldserial:-0} -eq ${serial:-1} ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+#
+# Freezing only operates on the raw zone.
+#
+n=$((n + 1))
+echo_i "testing updating inline secure serial via 'rndc signing -serial' when frozen ($n)"
+ret=0
+$DIG $DIGOPTS nsec3. SOA @10.53.0.3 > dig.out.n3.pre.test$n
+oldserial=$(awk '$4 == "SOA" { print $7 }' dig.out.n3.pre.test$n)
+newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.n3.pre.test$n)
+$RNDCCMD 10.53.0.3 freeze nsec3 > /dev/null 2>&1
+$RNDCCMD 10.53.0.3 signing -serial ${newserial:-0} nsec3 > /dev/null 2>&1
+$RNDCCMD 10.53.0.3 thaw nsec3 > /dev/null 2>&1
+retry_quiet 5 wait_for_serial 10.53.0.3 nsec3. "${newserial:-0}" dig.out.ns3.post1.test$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "testing updating dynamic serial via 'rndc signing -serial' ($n)"
+ret=0
+$DIG $DIGOPTS bits. SOA @10.53.0.2 > dig.out.ns2.pre.test$n
+newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.ns2.pre.test$n)
+$RNDCCMD 10.53.0.2 signing -serial ${newserial:-0} bits > /dev/null 2>&1
+retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${newserial:-0}" dig.out.ns2.post.test$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "testing updating dynamic serial via 'rndc signing -serial' with negative change ($n)"
+ret=0
+$DIG $DIGOPTS bits. SOA @10.53.0.2 > dig.out.ns2.pre.test$n
+oldserial=$(awk '$4 == "SOA" { print $7 }' dig.out.ns2.pre.test$n)
+newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] - 10) if ($field[3] eq "SOA"); }' < dig.out.ns2.pre.test$n)
+$RNDCCMD 10.53.0.2 signing -serial ${newserial:-0} bits > /dev/null 2>&1
+retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${newserial:-1}" dig.out.ns2.post1.test$n && ret=1
+retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${oldserial:-1}" dig.out.ns2.post2.test$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "testing updating dynamic serial via 'rndc signing -serial' when frozen ($n)"
+ret=0
+$DIG $DIGOPTS bits. SOA @10.53.0.2 > dig.out.ns2.pre.test$n
+oldserial=$(awk '$4 == "SOA" { print $7 }' dig.out.ns2.pre.test$n)
+newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.ns2.pre.test$n)
+$RNDCCMD 10.53.0.2 freeze bits > /dev/null 2>&1
+$RNDCCMD 10.53.0.2 signing -serial ${newserial:-0} bits > /dev/null 2>&1
+$RNDCCMD 10.53.0.2 thaw bits > /dev/null 2>&1
+retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${newserial:-1}" dig.out.ns2.post1.test$n && ret=1
+retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${oldserial:-1}" dig.out.ns2.post2.test$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "testing that inline signing works with inactive ZSK and active KSK ($n)"
+ret=0
+
+$DIG $DIGOPTS @10.53.0.3 soa inactivezsk  > dig.out.ns3.pre.test$n || ret=1
+soa1=$(awk '$4 == "SOA" { print $7 }' dig.out.ns3.pre.test$n)
+
+$NSUPDATE << EOF
+server 10.53.0.2 ${PORT}
+update add added.inactivezsk 0 IN TXT added record
+send
+EOF
+
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+    $DIG $DIGOPTS @10.53.0.3 soa inactivezsk  > dig.out.ns3.post.test$n || ret=1
+    soa2=$(awk '$4 == "SOA" { print $7 }' dig.out.ns3.post.test$n)
+    test ${soa1:-0} -ne ${soa2:-0} && break
+    sleep 1
+done
+test ${soa1:-0} -ne ${soa2:-0} || ret=1
+
+$DIG $DIGOPTS @10.53.0.3 txt added.inactivezsk > dig.out.ns3.test$n || ret=1
+grep "ANSWER: 3," dig.out.ns3.test$n > /dev/null || ret=1
+grep "RRSIG" dig.out.ns3.test$n > /dev/null || ret=1
+grep "TXT ${DEFAULT_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n > /dev/null || ret=1
+grep "TXT ${ALTERNATIVE_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n > /dev/null || ret=1
+
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "testing that inline signing works with inactive KSK and active ZSK ($n)"
+ret=0
+
+$DIG $DIGOPTS @10.53.0.3 axfr inactiveksk > dig.out.ns3.test$n
+
+#
+#  check that DNSKEY is signed with ZSK for default algorithm
+#
+awk='$4 == "DNSKEY" && $5 == 256 && $7 == alg { print }'
+zskid=$(awk -v alg=${DEFAULT_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n |
+       $DSFROMKEY -A -2 -f - inactiveksk | awk '{ print $4}' )
+grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${zskid} " dig.out.ns3.test$n > /dev/null || ret=1
+awk='$4 == "DNSKEY" && $5 == 257 && $7 == alg { print }'
+kskid=$(awk -v alg=${DEFAULT_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n |
+       $DSFROMKEY -2 -f - inactiveksk | awk '{ print $4}' )
+grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null && ret=1
+
+#
+#  check that DNSKEY is signed with KSK for alternative algorithm
+#
+awk='$4 == "DNSKEY" && $5 == 256 && $7 == alg { print }'
+zskid=$(awk -v alg=${ALTERNATIVE_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n |
+       $DSFROMKEY -A -2 -f - inactiveksk | awk '{ print $4}' )
+grep "DNSKEY ${ALTERNATIVE_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${zskid} " dig.out.ns3.test$n > /dev/null && ret=1
+awk='$4 == "DNSKEY" && $5 == 257 && $7 == alg { print }'
+kskid=$(awk  -v alg=${ALTERNATIVE_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n |
+       $DSFROMKEY -2 -f - inactiveksk | awk '{ print $4}' )
+grep "DNSKEY ${ALTERNATIVE_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null || ret=1
+
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+# Wait until an update to the raw part of a given inline signed zone is fully
+# processed.  As waiting for a fixed amount of time is suboptimal and there is
+# no single message that would signify both a successful modification and an
+# error in a race-free manner, instead wait until either notifies are sent
+# (which means the secure zone was modified) or a receive_secure_serial() error
+# is logged (which means the zone was not modified and will not be modified any
+# further in response to the relevant raw zone update).
+wait_until_raw_zone_update_is_processed() {
+	zone="$1"
+	for i in 1 2 3 4 5 6 7 8 9 10
+	do
+		if nextpart ns3/named.run | grep -E "zone ${zone}.*(sending notifies|receive_secure_serial)" > /dev/null; then
+			return
+		fi
+		sleep 1
+	done
+}
+
+n=$((n + 1))
+echo_i "checking that changes to raw zone are applied to a previously unsigned secure zone ($n)"
+ret=0
+# Query for bar.nokeys/A and ensure the response is negative.  As this zone
+# does not have any signing keys set up, the response must be unsigned.
+$DIG $DIGOPTS @10.53.0.3 bar.nokeys. A > dig.out.ns3.pre.test$n 2>&1 || ret=1
+grep "status: NOERROR" dig.out.ns3.pre.test$n > /dev/null && ret=1
+grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null && ret=1
+# Ensure the wait_until_raw_zone_update_is_processed() call below will ignore
+# log messages generated before the raw zone is updated.
+nextpart ns3/named.run > /dev/null
+# Add a record to the raw zone on the primary.
+$NSUPDATE << EOF || ret=1
+zone nokeys.
+server 10.53.0.2 ${PORT}
+update add bar.nokeys. 0 A 127.0.0.1
+send
+EOF
+wait_until_raw_zone_update_is_processed "nokeys"
+# Query for bar.nokeys/A again and ensure the signer now returns a positive,
+# yet still unsigned response.
+$DIG $DIGOPTS @10.53.0.3 bar.nokeys. A > dig.out.ns3.post.test$n 2>&1
+grep "status: NOERROR" dig.out.ns3.post.test$n > /dev/null || ret=1
+grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that changes to raw zone are not applied to a previously signed secure zone with no keys available (primary) ($n)"
+ret=0
+# Query for bar.removedkeys-primary/A and ensure the response is negative.  As
+# this zone has signing keys set up, the response must be signed.
+$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-primary. A > dig.out.ns3.pre.test$n 2>&1 || ret=1
+grep "status: NOERROR" dig.out.ns3.pre.test$n > /dev/null && ret=1
+grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null || ret=1
+# Remove the signing keys for this zone.
+mv -f ns3/Kremovedkeys-primary* ns3/removedkeys
+# Ensure the wait_until_raw_zone_update_is_processed() call below will ignore
+# log messages generated before the raw zone is updated.
+nextpart ns3/named.run > /dev/null
+# Add a record to the raw zone on the primary.
+$NSUPDATE << EOF || ret=1
+zone removedkeys-primary.
+server 10.53.0.3 ${PORT}
+update add bar.removedkeys-primary. 0 A 127.0.0.1
+send
+EOF
+wait_until_raw_zone_update_is_processed "removedkeys-primary"
+# Query for bar.removedkeys-primary/A again and ensure the signer still returns
+# a negative, signed response.
+$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-primary. A > dig.out.ns3.post.test$n 2>&1
+grep "status: NOERROR" dig.out.ns3.post.test$n > /dev/null && ret=1
+grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that backlogged changes to raw zone are applied after keys become available (primary) ($n)"
+ret=0
+# Restore the signing keys for this zone.
+mv ns3/removedkeys/Kremovedkeys-primary* ns3
+$RNDCCMD 10.53.0.3 loadkeys removedkeys-primary > /dev/null 2>&1
+# Determine what a SOA record with a bumped serial number should look like.
+BUMPED_SOA=$(sed -n 's/.*\(add removedkeys-primary.*IN.*SOA\)/\1/p;' ns3/named.run | tail -1 | awk '{$8 += 1; print $0}')
+# Ensure the wait_until_raw_zone_update_is_processed() call below will ignore
+# log messages generated before the raw zone is updated.
+nextpart ns3/named.run > /dev/null
+# Bump the SOA serial number of the raw zone.
+$NSUPDATE << EOF || ret=1
+zone removedkeys-primary.
+server 10.53.0.3 ${PORT}
+update del removedkeys-primary. SOA
+update ${BUMPED_SOA}
+send
+EOF
+wait_until_raw_zone_update_is_processed "removedkeys-primary"
+# Query for bar.removedkeys-primary/A again and ensure the signer now returns a
+# positive, signed response.
+$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-primary. A > dig.out.ns3.test$n 2>&1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep "RRSIG" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that changes to raw zone are not applied to a previously signed secure zone with no keys available (secondary) ($n)"
+ret=0
+# Query for bar.removedkeys-secondary/A and ensure the response is negative.  As this
+# zone does have signing keys set up, the response must be signed.
+$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-secondary. A > dig.out.ns3.pre.test$n 2>&1 || ret=1
+grep "status: NOERROR" dig.out.ns3.pre.test$n > /dev/null && ret=1
+grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null || ret=1
+# Remove the signing keys for this zone.
+mv -f ns3/Kremovedkeys-secondary* ns3/removedkeys
+# Ensure the wait_until_raw_zone_update_is_processed() call below will ignore
+# log messages generated before the raw zone is updated.
+nextpart ns3/named.run > /dev/null
+# Add a record to the raw zone on the primary.
+$NSUPDATE << EOF || ret=1
+zone removedkeys-secondary.
+server 10.53.0.2 ${PORT}
+update add bar.removedkeys-secondary. 0 A 127.0.0.1
+send
+EOF
+wait_until_raw_zone_update_is_processed "removedkeys-secondary"
+# Query for bar.removedkeys-secondary/A again and ensure the signer still returns a
+# negative, signed response.
+$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-secondary. A > dig.out.ns3.post.test$n 2>&1
+grep "status: NOERROR" dig.out.ns3.post.test$n > /dev/null && ret=1
+grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that backlogged changes to raw zone are applied after keys become available (secondary) ($n)"
+ret=0
+# Restore the signing keys for this zone.
+mv ns3/removedkeys/Kremovedkeys-secondary* ns3
+$RNDCCMD 10.53.0.3 loadkeys removedkeys-secondary > /dev/null 2>&1
+# Determine what a SOA record with a bumped serial number should look like.
+BUMPED_SOA=$(sed -n 's/.*\(add removedkeys-secondary.*IN.*SOA\)/\1/p;' ns2/named.run | tail -1 | awk '{$8 += 1; print $0}')
+# Ensure the wait_until_raw_zone_update_is_processed() call below will ignore
+# log messages generated before the raw zone is updated.
+nextpart ns3/named.run > /dev/null
+# Bump the SOA serial number of the raw zone on the primary.
+$NSUPDATE << EOF || ret=1
+zone removedkeys-secondary.
+server 10.53.0.2 ${PORT}
+update del removedkeys-secondary. SOA
+update ${BUMPED_SOA}
+send
+EOF
+wait_until_raw_zone_update_is_processed "removedkeys-secondary"
+# Query for bar.removedkeys-secondary/A again and ensure the signer now returns
+# a positive, signed response.
+$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-secondary. A > dig.out.ns3.test$n 2>&1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep "RRSIG" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+# Check that the file $2 for zone $1 does not contain RRSIG records
+# while the journal file for that zone does contain them.
+ensure_sigs_only_in_journal() {
+	origin="$1"
+	masterfile="$2"
+	$CHECKZONE -i none -f raw -D -o - "$origin" "$masterfile" 2>&1 | grep -w RRSIG > /dev/null && ret=1
+	$CHECKZONE -j -i none -f raw -D -o - "$origin" "$masterfile" 2>&1 | grep -w RRSIG > /dev/null || ret=1
+}
+
+n=$((n + 1))
+echo_i "checking that records added from a journal are scheduled to be resigned ($n)"
+ret=0
+# Signing keys for the "delayedkeys" zone are not yet accessible.  Thus, the
+# zone file for the signed version of the zone will contain no DNSSEC records.
+# Move keys into place now and load them, which will cause DNSSEC records to
+# only be present in the journal for the signed version of the zone.
+mv Kdelayedkeys* ns3/
+$RNDCCMD 10.53.0.3 loadkeys delayedkeys > rndc.out.ns3.pre.test$n 2>&1 || ret=1
+# Wait until the zone is signed.
+check_done_signing () (
+    $RNDCCMD 10.53.0.3 signing -list delayedkeys > signing.out.test$n 2>&1
+    num=$(grep "Done signing with" signing.out.test$n | wc -l)
+    [ $num -eq 2 ]
+)
+retry_quiet 10 check_done_signing || ret=1
+# Halt rather than stopping the server to prevent the file from being
+# flushed upon shutdown since we specifically want to avoid it.
+stop_server --use-rndc --halt --port ${CONTROLPORT} ns3
+ensure_sigs_only_in_journal delayedkeys ns3/delayedkeys.db.signed
+start_server --noclean --restart --port ${PORT} ns3
+# At this point, the raw zone journal will not have a source serial set.  Upon
+# server startup, receive_secure_serial() will rectify that, update SOA, resign
+# it, and schedule its future resign.  This will cause "rndc zonestatus" to
+# return delayedkeys/SOA as the next node to resign, so we restart the server
+# once again; with the raw zone journal now having a source serial set,
+# receive_secure_serial() should refrain from introducing any zone changes.
+stop_server --use-rndc --halt --port ${CONTROLPORT} ns3
+ensure_sigs_only_in_journal delayedkeys ns3/delayedkeys.db.signed
+nextpart ns3/named.run > /dev/null
+start_server --noclean --restart --port ${PORT} ns3
+# We can now test whether the secure zone journal was correctly processed:
+# unless the records contained in it were scheduled for resigning, no resigning
+# event will be scheduled at all since the secure zone file contains no
+# DNSSEC records.
+wait_for_log 20 "all zones loaded" ns3/named.run || ret=1
+$RNDCCMD 10.53.0.3 zonestatus delayedkeys > rndc.out.ns3.post.test$n 2>&1 || ret=1
+grep "next resign node:" rndc.out.ns3.post.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that zonestatus reports 'type: primary' for an inline primary zone ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 zonestatus master > rndc.out.ns3.test$n
+grep "type: primary" rndc.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that zonestatus reports 'type: secondary' for an inline secondary zone ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 zonestatus bits > rndc.out.ns3.test$n
+grep "type: secondary" rndc.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking reload of touched inline zones ($n)"
+ret=0
+echo_ic "pre-reload 'next key event'"
+nextpart ns8/named.run > nextpart.pre$n.out
+count=$(grep "zone example[0-9][0-9].com/IN (signed): next key event:" nextpart.pre$n.out | wc -l)
+echo_ic "found: $count/16"
+[ $count -eq 16 ] || ret=1
+echo_ic "touch and reload"
+touch ns8/example??.com.db
+$RNDCCMD 10.53.0.8 reload 2>&1 | sed 's/^/ns3 /' | cat_i
+sleep 5
+echo_ic "post-reload 'next key event'"
+nextpart ns8/named.run > nextpart.post$n.out
+count=$(grep "zone example[0-9][0-9].com/IN (signed): next key event:" nextpart.post$n.out | wc -l)
+echo_ic "found: $count/16"
+[ $count -eq 16 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking second reload of touched inline zones ($n)"
+ret=0
+nextpart ns8/named.run > nextpart.pre$n.out
+$RNDCCMD 10.53.0.8 reload 2>&1 | sed 's/^/ns3 /' | cat_i
+sleep 5
+nextpart ns8/named.run > nextpart.post$n.out
+grep "ixfr-from-differences: unchanged" nextpart.post$n.out && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "Check that 'rndc reload' of just the serial updates the signed instance ($n)"
+ret=0
+dig_with_opts @10.53.0.8 example SOA > dig.out.ns8.test$n.soa1 || ret=1
+cp ns8/example2.db.in ns8/example.db || ret=1
+nextpart ns8/named.run > /dev/null
+rndccmd 10.53.0.8 reload || ret=1
+wait_for_log 3 "all zones loaded" ns8/named.run
+sleep 1
+dig_with_opts @10.53.0.8 example SOA > dig.out.ns8.test$n.soa2 || ret=1
+soa1=$(awk '$4 == "SOA" { print $7 }' dig.out.ns8.test$n.soa1)
+soa2=$(awk '$4 == "SOA" { print $7 }' dig.out.ns8.test$n.soa2)
+ttl1=$(awk '$4 == "SOA" { print $2 }' dig.out.ns8.test$n.soa1)
+ttl2=$(awk '$4 == "SOA" { print $2 }' dig.out.ns8.test$n.soa2)
+test ${soa1:-1000} -lt ${soa2:-0} || ret=1
+test ${ttl1:-0} -eq 300 || ret=1
+test ${ttl2:-0} -eq 300 || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "Check that restart with zone changes and deleted journal works ($n)"
+TSIG=
+ret=0
+dig_with_opts @10.53.0.8 example SOA > dig.out.ns8.test$n.soa1 || ret=1
+stop_server --use-rndc --port ${CONTROLPORT} ns8
+# TTL of all records change from 300 to 400
+cp ns8/example3.db.in ns8/example.db || ret=1
+rm ns8/example.db.jnl
+nextpart ns8/named.run > /dev/null
+start_server --noclean --restart --port ${PORT} ns8
+wait_for_log 3 "all zones loaded" ns8/named.run
+sleep 1
+dig_with_opts @10.53.0.8 example SOA > dig.out.ns8.test$n.soa2 || ret=1
+soa1=$(awk '$4 == "SOA" { print $7 }' dig.out.ns8.test$n.soa1)
+soa2=$(awk '$4 == "SOA" { print $7 }' dig.out.ns8.test$n.soa2)
+ttl1=$(awk '$4 == "SOA" { print $2 }' dig.out.ns8.test$n.soa1)
+ttl2=$(awk '$4 == "SOA" { print $2 }' dig.out.ns8.test$n.soa2)
+test ${soa1:-1000} -lt ${soa2:-0} || ret=1
+test ${ttl1:-0} -eq 300 || ret=1
+test ${ttl2:-0} -eq 400 || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/inline/tests_signed_zone_files.py b/bin/tests/system/inline/tests_signed_zone_files.py
new file mode 100755
index 0000000..596b756
--- /dev/null
+++ b/bin/tests/system/inline/tests_signed_zone_files.py
@@ -0,0 +1,67 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import glob
+import struct
+
+
+class RawFormatHeader(dict):
+    """
+    A dictionary of raw-format header fields read from a zone file.
+    """
+
+    fields = [
+        "format",
+        "version",
+        "dumptime",
+        "flags",
+        "sourceserial",
+        "lastxfrin",
+    ]
+
+    def __init__(self, file_name):
+        header = struct.Struct(">IIIIII")
+        with open(file_name, "rb") as data:
+            header_data = data.read(header.size)
+        super().__init__(zip(self.fields, header.unpack_from(header_data)))
+
+
+def test_unsigned_serial_number():
+    """
+    Check whether all signed zone files in the "ns8" subdirectory contain the
+    serial number of the unsigned version of the zone in the raw-format header.
+    The test assumes that all "*.signed" files in the "ns8" subdirectory are in
+    raw format.
+
+    Notes:
+
+      - The actual zone signing and dumping happens while the tests.sh phase of
+        the "inline" system test is set up and run.  This check only verifies
+        the outcome of those events; it does not initiate any signing or
+        dumping itself.
+
+      - example[0-9][0-9].com.db.signed files are initially signed by
+        dnssec-signzone while the others - by named.
+    """
+
+    zones_with_unsigned_serial_missing = []
+
+    for signed_zone in sorted(glob.glob("ns8/*.signed")):
+        raw_header = RawFormatHeader(signed_zone)
+        # Ensure the unsigned serial number is placed where it is expected.
+        assert raw_header["format"] == 2
+        assert raw_header["version"] == 1
+        # Check whether the header flags indicate that the unsigned serial
+        # number is set and that the latter is indeed set.
+        if raw_header["flags"] & 0x02 == 0 or raw_header["sourceserial"] == 0:
+            zones_with_unsigned_serial_missing.append(signed_zone)
+
+    assert not zones_with_unsigned_serial_missing
diff --git a/bin/tests/system/integrity/clean.sh b/bin/tests/system/integrity/clean.sh
new file mode 100644
index 0000000..941fccf
--- /dev/null
+++ b/bin/tests/system/integrity/clean.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f dig.out.test*
+rm -f */named.memstats
+rm -f */named.conf
+rm -f */named.run
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/integrity/ns1/mx-cname.db b/bin/tests/system/integrity/ns1/mx-cname.db
new file mode 100644
index 0000000..a700269
--- /dev/null
+++ b/bin/tests/system/integrity/ns1/mx-cname.db
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL	3600
+@	SOA	ns1 hostmaster 0 0 0 0 0
+@	NS	ns1
+@	MX	0 cname
+ns1	A	10.53.0.1
+cname	CNAME	ns1
diff --git a/bin/tests/system/integrity/ns1/named.conf.in b/bin/tests/system/integrity/ns1/named.conf.in
new file mode 100644
index 0000000..4009c4f
--- /dev/null
+++ b/bin/tests/system/integrity/ns1/named.conf.in
@@ -0,0 +1,114 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	ixfr-from-differences yes;
+	check-integrity no;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "mx-cname-fail" {
+	type primary;
+	check-integrity yes;
+	check-mx-cname fail;
+	file "mx-cname.db";
+};
+
+zone "mx-cname-warn" {
+	type primary;
+	check-integrity yes;
+	check-mx-cname warn;
+	file "mx-cname.db";
+};
+
+zone "mx-cname-ignore" {
+	type primary;
+	check-integrity yes;
+	check-mx-cname ignore;
+	file "mx-cname.db";
+};
+
+zone "no-mx-cname-fail" {
+	type primary;
+	check-integrity no;
+	check-mx-cname fail;
+	file "mx-cname.db";
+};
+
+zone "no-mx-cname-warn" {
+	type primary;
+	check-integrity no;
+	check-mx-cname warn;
+	file "mx-cname.db";
+};
+
+zone "no-mx-cname-ignore" {
+	type primary;
+	check-integrity no;
+	check-mx-cname ignore;
+	file "mx-cname.db";
+};
+
+zone "srv-cname-fail" {
+	type primary;
+	check-integrity yes;
+	check-srv-cname fail;
+	file "srv-cname.db";
+};
+
+zone "srv-cname-warn" {
+	type primary;
+	check-integrity yes;
+	check-srv-cname warn;
+	file "srv-cname.db";
+};
+
+zone "srv-cname-ignore" {
+	type primary;
+	check-integrity yes;
+	check-srv-cname ignore;
+	file "srv-cname.db";
+};
+zone "no-srv-cname-fail" {
+	type primary;
+	check-integrity no;
+	check-srv-cname fail;
+	file "srv-cname.db";
+};
+
+zone "no-srv-cname-warn" {
+	type primary;
+	check-integrity no;
+	check-srv-cname warn;
+	file "srv-cname.db";
+};
+
+zone "no-srv-cname-ignore" {
+	type primary;
+	check-integrity no;
+	check-srv-cname ignore;
+	file "srv-cname.db";
+};
diff --git a/bin/tests/system/integrity/ns1/srv-cname.db b/bin/tests/system/integrity/ns1/srv-cname.db
new file mode 100644
index 0000000..d6ae603
--- /dev/null
+++ b/bin/tests/system/integrity/ns1/srv-cname.db
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL	3600
+@	SOA	ns1 hostmaster 0 0 0 0 0
+@	NS	ns1
+@	SRV	0 0 0 cname
+ns1	A	10.53.0.1
+cname	CNAME	ns1
diff --git a/bin/tests/system/integrity/setup.sh b/bin/tests/system/integrity/setup.sh
new file mode 100644
index 0000000..e46affa
--- /dev/null
+++ b/bin/tests/system/integrity/setup.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
diff --git a/bin/tests/system/integrity/tests.sh b/bin/tests/system/integrity/tests.sh
new file mode 100644
index 0000000..b69c3b4
--- /dev/null
+++ b/bin/tests/system/integrity/tests.sh
@@ -0,0 +1,131 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="-p ${PORT}"
+
+status=0
+n=1
+
+echo_i "check that 'check-integrity yes; check-mx-cname fail;' works ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 mx mx-cname-fail > dig.out.test$n || ret=1
+grep "status: SERVFAIL," dig.out.test$n > /dev/null || ret=1
+grep "zone mx-cname-fail/IN: mx-cname-fail/MX 'cname.mx-cname-fail' is a CNAME (illegal)" ns1/named.run > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "check that 'check-integrity yes; check-mx-cname warn;' works ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 mx mx-cname-warn > dig.out.test$n || ret=1
+grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
+grep "zone mx-cname-warn/IN: mx-cname-warn/MX 'cname.mx-cname-warn' is a CNAME (illegal)" ns1/named.run > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "check that 'check-integrity yes; check-mx-cname ignore;' works ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 mx mx-cname-ignore > dig.out.test$n || ret=1
+grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
+grep "zone mx-cname-ignore/IN: mx-cname-ignore/MX 'cname.mx-cname-ignore' is a CNAME (illegal)" ns1/named.run > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "check that 'check-integrity no; check-mx-cname fail;' works ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 mx no-mx-cname-fail > dig.out.test$n || ret=1
+grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
+grep "zone no-mx-cname-fail/IN: no-mx-cname-fail/MX 'cname.no-mx-cname-fail' is a CNAME (illegal)" ns1/named.run > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "check that 'check-integrity no; check-mx-cname warn;' works ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 mx no-mx-cname-warn > dig.out.test$n || ret=1
+grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
+grep "zone no-mx-cname-warn/IN: no-mx-cname-warn/MX 'cname.no-mx-cname-warn' is a CNAME (illegal)" ns1/named.run > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "check that 'check-integrity no; check-mx-cname ignore;' works ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 mx no-mx-cname-ignore > dig.out.test$n || ret=1
+grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
+grep "zone no-mx-cname-ignore/IN: no-mx-cname-ignore/MX 'cname.no-mx-cname-ignore' is a CNAME (illegal)" ns1/named.run > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "check that 'check-integrity yes; check-srv-cname fail;' works ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 srv srv-cname-fail > dig.out.test$n || ret=1
+grep "status: SERVFAIL," dig.out.test$n > /dev/null || ret=1
+grep "zone srv-cname-fail/IN: srv-cname-fail/SRV 'cname.srv-cname-fail' is a CNAME (illegal)" ns1/named.run > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "check that 'check-integrity yes; check-srv-cname warn;' works ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 srv srv-cname-warn > dig.out.test$n || ret=1
+grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
+grep "zone srv-cname-warn/IN: srv-cname-warn/SRV 'cname.srv-cname-warn' is a CNAME (illegal)" ns1/named.run > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "check that 'check-integrity yes; check-srv-cname ignore;' works ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 srv srv-cname-ignore > dig.out.test$n || ret=1
+grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
+grep "zone srv-cname-ignore/IN: srv-cname-ignore/SRV 'cname.srv-cname-ignore' is a CNAME (illegal)" ns1/named.run > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "check that 'check-integrity no; check-srv-cname fail;' works ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 srv no-srv-cname-fail > dig.out.test$n || ret=1
+grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
+grep "zone no-srv-cname-fail/IN: no-srv-cname-fail/SRV 'cname.no-srv-cname-fail' is a CNAME (illegal)" ns1/named.run > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "check that 'check-integrity no; check-srv-cname warn;' works ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 srv no-srv-cname-warn > dig.out.test$n || ret=1
+grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
+grep "zone no-srv-cname-warn/IN: no-srv-cname-warn/SRV 'cname.no-srv-cname-warn' is a CNAME (illegal)" ns1/named.run > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "check that 'check-integrity no; check-srv-cname ignore;' works ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 srv no-srv-cname-ignore > dig.out.test$n || ret=1
+grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
+grep "zone no-srv-cname-ignore/IN: no-srv-cname-ignore/SRV 'cname.no-srv-cname-ignore' is a CNAME (illegal)" ns1/named.run > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "exit status: $status"
+test $status -eq 0 || exit 1
diff --git a/bin/tests/system/ixfr/ans2/startme b/bin/tests/system/ixfr/ans2/startme
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/bin/tests/system/ixfr/ans2/startme
diff --git a/bin/tests/system/ixfr/clean.sh b/bin/tests/system/ixfr/clean.sh
new file mode 100644
index 0000000..eb78363
--- /dev/null
+++ b/bin/tests/system/ixfr/clean.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f stats.*
+rm -f ns1/*.db ns1/*.jnl
+rm -f ns3/*.jnl ns3/mytest*.db ns3/subtest*.db
+rm -f ns4/*.jnl ns4/*.db
+rm -f ns5/*.jnl ns5/*.db
+rm -f */named.memstats
+rm -f */named.conf
+rm -f */named.run */named.run.prev
+rm -f */ans.run
+rm -f dig.out.test* dig.out1.test* dig.out2.test* dig.out3.test*
+rm -f ns3/large.db
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind* ns*/*.mkeys
diff --git a/bin/tests/system/ixfr/ixfr-stats.good b/bin/tests/system/ixfr/ixfr-stats.good
new file mode 100644
index 0000000..3d0d2dd
--- /dev/null
+++ b/bin/tests/system/ixfr/ixfr-stats.good
@@ -0,0 +1,3 @@
+messages=1
+records=5
+bytes=204
diff --git a/bin/tests/system/ixfr/ns1/named.conf.in b/bin/tests/system/ixfr/ns1/named.conf.in
new file mode 100644
index 0000000..497e255
--- /dev/null
+++ b/bin/tests/system/ixfr/ns1/named.conf.in
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
diff --git a/bin/tests/system/ixfr/ns1/startme b/bin/tests/system/ixfr/ns1/startme
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/bin/tests/system/ixfr/ns1/startme
diff --git a/bin/tests/system/ixfr/ns3/named.conf.in b/bin/tests/system/ixfr/ns3/named.conf.in
new file mode 100644
index 0000000..3ff936e
--- /dev/null
+++ b/bin/tests/system/ixfr/ns3/named.conf.in
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	allow-transfer { any; };
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+view "primary" {
+	ixfr-from-differences yes;
+	request-ixfr yes;
+	zone "test" IN {
+		type primary;
+		file "mytest.db";
+		max-ixfr-ratio 75%;
+	};
+	zone "sub.test" IN {
+		type primary;
+		file "subtest.db";
+	};
+	zone "large" IN {
+		type primary;
+		file "large.db";
+	};
+};
diff --git a/bin/tests/system/ixfr/ns4/named.conf.in b/bin/tests/system/ixfr/ns4/named.conf.in
new file mode 100644
index 0000000..934cbb6
--- /dev/null
+++ b/bin/tests/system/ixfr/ns4/named.conf.in
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+view "primary" {
+	ixfr-from-differences yes;
+	request-ixfr yes;
+	zone "test" IN {
+		type secondary;
+		file "mytest.db";
+		primaries { 10.53.0.3; };
+		max-ixfr-ratio unlimited;
+	};
+	zone "sub.test" IN {
+		type secondary;
+		file "subtest.db";
+		request-ixfr no;
+		primaries { 10.53.0.3; };
+	};
+};
diff --git a/bin/tests/system/ixfr/ns5/named.conf.in b/bin/tests/system/ixfr/ns5/named.conf.in
new file mode 100644
index 0000000..b2bf6d5
--- /dev/null
+++ b/bin/tests/system/ixfr/ns5/named.conf.in
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.5;
+	notify-source 10.53.0.5;
+	transfer-source 10.53.0.5;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.5; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	provide-ixfr no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+view "primary" {
+	ixfr-from-differences yes;
+	request-ixfr yes;
+	zone "test" IN {
+		type secondary;
+		file "mytest.db";
+		primaries { 10.53.0.3; };
+	};
+	zone "sub.test" IN {
+		type secondary;
+		file "subtest.db";
+		request-ixfr no;
+		primaries { 10.53.0.3; };
+	};
+};
diff --git a/bin/tests/system/ixfr/prereq.sh b/bin/tests/system/ixfr/prereq.sh
new file mode 100644
index 0000000..ec369f8
--- /dev/null
+++ b/bin/tests/system/ixfr/prereq.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if $PERL -e 'use Net::DNS;' 2>/dev/null
+then
+    :
+else
+    echo_i "This test requires the Net::DNS library." >&2
+    exit 1
+fi
diff --git a/bin/tests/system/ixfr/setup.sh b/bin/tests/system/ixfr/setup.sh
new file mode 100644
index 0000000..c84c950
--- /dev/null
+++ b/bin/tests/system/ixfr/setup.sh
@@ -0,0 +1,69 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+
+# Set up db files for zone "test" - this is a series of four
+# versions of the zone, the second and third having small changes
+# and the fourth having a large one.
+
+testdb () {
+    cat << EOF
+\$ORIGIN $1
+\$TTL    15
+@  15  IN        SOA ns1.test. hostmaster.test. (
+                              $2 ; serial
+                              3H ; refresh
+                              15 ; retry
+                              1w ; expire
+                              3h ; minimum
+                             )
+       IN  NS     ns1.test.
+       IN  NS     ns2.test.
+       IN  NS     ns5.test.
+ns1    IN  A      10.53.0.3
+ns2    IN  A      10.53.0.4
+ns5    IN  A      10.53.0.5
+EOF
+
+    i=0
+    while [ $i -lt $3 ]; do
+        echo "host$i IN A 192.0.2.$i"
+        i=$((i+1))
+    done
+}
+
+testdb test. 1 60 > ns3/mytest.db
+testdb test. 2 61 > ns3/mytest1.db
+testdb test. 3 62 > ns3/mytest2.db
+testdb test. 4 0  > ns3/mytest3.db
+
+# Set up similar db files for sub.test, which will have IXFR disabled
+testdb sub.test. 1 60 > ns3/subtest.db
+testdb sub.test. 3 61 > ns3/subtest1.db
+
+# Set up a large zone
+i=0
+$SHELL ../genzone.sh 3 > ns3/large.db
+while [ $i -lt 10000 ]; do
+    echo "record$i 10 IN TXT this is record %i" >> ns3/large.db
+    i=$((i+1))
+done
diff --git a/bin/tests/system/ixfr/tests.sh b/bin/tests/system/ixfr/tests.sh
new file mode 100644
index 0000000..1d37b45
--- /dev/null
+++ b/bin/tests/system/ixfr/tests.sh
@@ -0,0 +1,412 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# WARNING: The test labelled "testing request-ixfr option in view vs zone"
+#          is fragile because it depends upon counting instances of records
+#          in the log file - need a better approach <sdm> - until then,
+#          if you add any tests above that point, you will break the test.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+wait_for_serial() (
+    $DIG $DIGOPTS "@$1" "$2" SOA > "$4"
+    serial=$(awk '$4 == "SOA" { print $7 }' "$4")
+    [ "$3" -eq "${serial:--1}" ]
+)
+
+status=0
+n=0
+
+DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}"
+SENDCMD="$PERL ../send.pl 10.53.0.2 ${EXTRAPORT1}"
+RNDCCMD="$RNDC -p ${CONTROLPORT} -c ../common/rndc.conf -s"
+
+n=$((n+1))
+echo_i "testing initial AXFR ($n)"
+ret=0
+
+$SENDCMD <<EOF
+/SOA/
+nil.      	300	SOA	ns.nil. root.nil. 1 300 300 604800 300
+/AXFR/
+nil.      	300	SOA	ns.nil. root.nil. 1 300 300 604800 300
+/AXFR/
+nil.      	300	NS	ns.nil.
+nil.		300	TXT	"initial AXFR"
+a.nil.		60	A	10.0.0.61
+b.nil.		60	A	10.0.0.62
+/AXFR/
+nil.      	300	SOA	ns.nil. root.nil. 1 300 300 604800 300
+EOF
+
+sleep 1
+
+# Initially, ns1 is not authoritative for anything (see setup.sh).
+# Now that ans is up and running with the right data, we make it
+# a secondary for nil.
+
+cat <<EOF >>ns1/named.conf
+zone "nil" {
+	type secondary;
+	file "myftp.db";
+	primaries { 10.53.0.2; };
+};
+EOF
+
+rndc_reload ns1 10.53.0.1
+
+retry_quiet 10 wait_for_serial 10.53.0.1 nil. 1 dig.out.test$n || ret=1
+
+$DIG $DIGOPTS @10.53.0.1 nil. TXT | grep 'initial AXFR' >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "testing successful IXFR ($n)"
+ret=0
+
+# We change the IP address of a.nil., and the TXT record at the apex.
+# Then we do a SOA-only update.
+
+$SENDCMD <<EOF
+/SOA/
+nil.      	300	SOA	ns.nil. root.nil. 3 300 300 604800 300
+/IXFR/
+nil.      	300	SOA	ns.nil. root.nil. 3 300 300 604800 300
+nil.      	300	SOA	ns.nil. root.nil. 1 300 300 604800 300
+a.nil.      	60	A	10.0.0.61
+nil.		300	TXT	"initial AXFR"
+nil.      	300	SOA	ns.nil. root.nil. 2 300 300 604800 300
+nil.		300	TXT	"successful IXFR"
+a.nil.      	60	A	10.0.1.61
+nil.      	300	SOA	ns.nil. root.nil. 2 300 300 604800 300
+nil.      	300	SOA	ns.nil. root.nil. 3 300 300 604800 300
+nil.      	300	SOA	ns.nil. root.nil. 3 300 300 604800 300
+EOF
+
+sleep 1
+
+$RNDCCMD 10.53.0.1 refresh nil | sed 's/^/ns1 /' | cat_i
+
+sleep 2
+
+$DIG $DIGOPTS @10.53.0.1 nil. TXT | grep 'successful IXFR' >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "testing AXFR fallback after IXFR failure (not exact error) ($n)"
+ret=0
+
+# Provide a broken IXFR response and a working fallback AXFR response
+
+$SENDCMD <<EOF
+/SOA/
+nil.      	300	SOA	ns.nil. root.nil. 4 300 300 604800 300
+/IXFR/
+nil.      	300	SOA	ns.nil. root.nil. 4 300 300 604800 300
+nil.      	300	SOA	ns.nil. root.nil. 3 300 300 604800 300
+nil.      	300	TXT	"delete-nonexistent-txt-record"
+nil.      	300	SOA	ns.nil. root.nil. 4 300 300 604800 300
+nil.      	300	TXT	"this-txt-record-would-be-added"
+nil.      	300	SOA	ns.nil. root.nil. 4 300 300 604800 300
+/AXFR/
+nil.      	300	SOA	ns.nil. root.nil. 3 300 300 604800 300
+/AXFR/
+nil.      	300	NS	ns.nil.
+nil.      	300	TXT	"fallback AXFR"
+/AXFR/
+nil.      	300	SOA	ns.nil. root.nil. 3 300 300 604800 300
+EOF
+
+sleep 1
+
+$RNDCCMD 10.53.0.1 refresh nil | sed 's/^/ns1 /' | cat_i
+
+sleep 2
+
+$DIG $DIGOPTS @10.53.0.1 nil. TXT | grep 'fallback AXFR' >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "testing AXFR fallback after IXFR failure (bad SOA owner) ($n)"
+ret=0
+
+# Prepare for checking the logs later on.
+nextpart ns1/named.run >/dev/null
+
+# Provide a broken IXFR response and a working fallback AXFR response.
+$SENDCMD <<EOF
+/SOA/
+nil.      	300	SOA	ns.nil. root.nil. 4 300 300 604800 300
+/IXFR/
+nil.      	300	SOA	ns.nil. root.nil. 4 300 300 604800 300
+nil.      	300	SOA	ns.nil. root.nil. 3 300 300 604800 300
+bad-owner.    	300	SOA	ns.nil. root.nil. 4 300 300 604800 300
+test.nil.	300	TXT	"serial 4, malformed IXFR"
+nil.      	300	SOA	ns.nil. root.nil. 4 300 300 604800 300
+/AXFR/
+nil.      	300	SOA	ns.nil. root.nil. 4 300 300 604800 300
+/AXFR/
+nil.      	300	NS	ns.nil.
+test.nil.      	300	TXT	"serial 4, fallback AXFR"
+/AXFR/
+nil.      	300	SOA	ns.nil. root.nil. 4 300 300 604800 300
+EOF
+$RNDCCMD 10.53.0.1 refresh nil | sed 's/^/ns1 /' | cat_i
+
+# A broken server would accept the malformed IXFR and apply its contents to the
+# zone.  A fixed one would reject the IXFR and fall back to AXFR.  Both IXFR and
+# AXFR above bring the nil. zone up to serial 4, but we cannot reliably query
+# for the SOA record to check whether the transfer was finished because a broken
+# server would send back SERVFAIL responses to SOA queries after accepting the
+# malformed IXFR.  Instead, check transfer progress by querying for a TXT record
+# at test.nil. which is present in both IXFR and AXFR (with different contents).
+_wait_until_transfer_is_finished() {
+	$DIG $DIGOPTS +tries=1 +time=1 @10.53.0.1 test.nil. TXT > dig.out.test$n.1 &&
+	grep -q -F "serial 4" dig.out.test$n.1
+}
+if ! retry_quiet 10 _wait_until_transfer_is_finished; then
+	echo_i "timed out waiting for version 4 of zone nil. to be transferred"
+	ret=1
+fi
+
+# At this point a broken server would be serving a zone with no SOA records.
+# Try crashing it by triggering a SOA refresh query.
+$RNDCCMD 10.53.0.1 refresh nil | sed 's/^/ns1 /' | cat_i
+
+# Do not wait until the zone refresh completes - even if a crash has not
+# happened by now, a broken server would never serve the record which is only
+# present in the fallback AXFR, so checking for that is enough to verify if a
+# server is broken or not; if it is, it is bound to crash shortly anyway.
+$DIG $DIGOPTS test.nil. TXT @10.53.0.1 > dig.out.test$n.2 || ret=1
+grep -q -F "serial 4, fallback AXFR" dig.out.test$n.2 || ret=1
+
+# Ensure the expected error is logged.
+nextpart ns1/named.run | grep -q -F "SOA name mismatch" || ret=1
+
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "testing ixfr-from-differences option ($n)"
+# ns3 is primary; ns4 is secondary
+$CHECKZONE test. ns3/mytest.db > /dev/null 2>&1
+if [ $? -ne 0 ]
+then
+    echo_i "named-checkzone returned failure on ns3/mytest.db"
+fi
+
+retry_quiet 10 wait_for_serial 10.53.0.4 test. 1 dig.out.test$n || ret=1
+
+nextpart ns4/named.run > /dev/null
+
+# modify the primary
+sleep 1
+cp ns3/mytest1.db ns3/mytest.db
+$RNDCCMD 10.53.0.3 reload | sed 's/^/ns3 /' | cat_i
+
+# wait for primary to reload
+retry_quiet 10 wait_for_serial 10.53.0.3 test. 2 dig.out.test$n || ret=1
+
+# wait for secondary to reload
+tret=0
+retry_quiet 5 wait_for_serial 10.53.0.4 test. 2 dig.out.test$n || tret=1
+if [ $tret -eq 1 ]; then
+    # re-noitfy after 5 seconds, then wait another 10
+    $RNDCCMD 10.53.0.3 notify test | set 's/^/ns3 /' | cat_i
+    retry_quiet 10 wait_for_serial 10.53.0.4 test. 2 dig.out.test$n || ret=1
+fi
+
+wait_for_log 10 'got incremental' ns4/named.run || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "testing 'request-ixfr no' option inheritance from view ($n)"
+ret=0
+# There's a view with 2 zones. In the view, "request-ixfr yes"
+# but in the zone "sub.test", request-ixfr no"
+# we want to make sure that a change to sub.test results in AXFR, while
+# changes to test. result in IXFR
+
+sleep 1
+cp ns3/subtest1.db ns3/subtest.db # change to sub.test zone, should be AXFR
+nextpart ns4/named.run > /dev/null
+$RNDCCMD 10.53.0.3 reload | sed 's/^/ns3 /' | cat_i
+
+# wait for primary to reload
+retry_quiet 10 wait_for_serial 10.53.0.3 sub.test. 3 dig.out.test$n || ret=1
+
+# wait for secondary to reload
+tret=0
+retry_quiet 5 wait_for_serial 10.53.0.4 sub.test. 3 dig.out.test$n || tret=1
+if [ $tret -eq 1 ]; then
+    # re-noitfy after 5 seconds, then wait another 10
+    $RNDCCMD 10.53.0.3 notify sub.test | set 's/^/ns3 /' | cat_i
+    retry_quiet 10 wait_for_serial 10.53.0.4 sub.test. 3 dig.out.test$n || ret=1
+fi
+
+wait_for_log 10 'got nonincremental response' ns4/named.run || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "testing 'request-ixfr yes' option inheritance from view ($n)"
+ret=0
+sleep 1
+cp ns3/mytest2.db ns3/mytest.db # change to test zone, should be IXFR
+nextpart ns4/named.run > /dev/null
+$RNDCCMD 10.53.0.3 reload | sed 's/^/ns3 /' | cat_i
+
+# wait for primary to reload
+retry_quiet 10 wait_for_serial 10.53.0.3 test. 3 dig.out.test$n || ret=1
+
+# wait for secondary to reload
+tret=0
+retry_quiet 5 wait_for_serial 10.53.0.4 test. 3 dig.out.test$n || tret=1
+if [ $tret -eq 1 ]; then
+    # re-noitfy after 5 seconds, then wait another 10
+    $RNDCCMD 10.53.0.3 notify test | set 's/^/ns3 /' | cat_i
+    retry_quiet 10 wait_for_serial 10.53.0.4 test. 3 dig.out.test$n || ret=1
+fi
+
+wait_for_log 10 'got incremental response' ns4/named.run || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+ret=0
+echo_i "testing DiG's handling of a multi message AXFR style IXFR response ($n)"
+(
+(sleep 10 && kill $$) 2>/dev/null &
+sub=$!
+$DIG -p ${PORT} ixfr=0 large @10.53.0.3 > dig.out.test$n
+kill $sub
+)
+lines=`grep hostmaster.large dig.out.test$n | wc -l`
+test ${lines:-0} -eq 2 || ret=1
+messages=`sed -n 's/^;;.*messages \([0-9]*\),.*/\1/p' dig.out.test$n`
+test ${messages:-0} -gt 1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "test 'dig +notcp ixfr=<value>' vs 'dig ixfr=<value> +notcp' vs 'dig ixfr=<value>' ($n)"
+ret=0
+# Should be "switch to TCP" response
+$DIG $DIGOPTS +notcp ixfr=1 test @10.53.0.4 > dig.out1.test$n || ret=1
+$DIG $DIGOPTS ixfr=1 +notcp test @10.53.0.4 > dig.out2.test$n || ret=1
+digcomp dig.out1.test$n dig.out2.test$n || ret=1
+awk '$4 == "SOA" { soacnt++} END {if (soacnt == 1) exit(0); else exit(1);}' dig.out1.test$n || ret=1
+awk '$4 == "SOA" { if ($7 == 3) exit(0); else exit(1);}' dig.out1.test$n || ret=1
+#
+nextpart ns4/named.run > /dev/null
+# Should be incremental transfer.
+$DIG $DIGOPTS ixfr=1 test @10.53.0.4 > dig.out3.test$n || ret=1
+awk '$4 == "SOA" { soacnt++} END { if (soacnt == 6) exit(0); else exit(1);}' dig.out3.test$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check estimated IXFR size ($n)"
+ret=0
+# note IXFR delta size will be slightly bigger with version 1 transaction
+# headers as there is no correction for the overall record length storage.
+# Ver1 = 4 * (6 + 10 + 10 + 17 + 5 * 4) + 2 * (13 + 10 + 4) + (6 * 4) = 330
+# Ver2 = 4 * (6 + 10 + 10 + 17 + 5 * 4) + 2 * (13 + 10 + 4) = 306
+nextpart ns4/named.run | grep "IXFR delta size (306 bytes)" > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# make sure ns5 has transfered the zone
+# wait for secondary to reload
+tret=0
+retry_quiet 5 wait_for_serial 10.53.0.5 test. 4 dig.out.test$n || tret=1
+if [ $tret -eq 1 ]; then
+    # re-noitfy after 5 seconds, then wait another 10
+    $RNDCCMD 10.53.0.3 notify test | set 's/^/ns3 /' | cat_i
+    retry_quiet 10 wait_for_serial 10.53.0.5 test. 3 dig.out.test$n || ret=1
+fi
+
+n=$((n+1))
+echo_i "test 'provide-ixfr no;' (serial < current) ($n)"
+ret=0
+nextpart ns5/named.run > /dev/null
+# Should be "AXFR style" response
+$DIG $DIGOPTS ixfr=1 test @10.53.0.5 > dig.out1.test$n || ret=1
+# Should be "switch to TCP" response
+$DIG $DIGOPTS ixfr=1 +notcp test @10.53.0.5 > dig.out2.test$n || ret=1
+awk '$4 == "SOA" { soacnt++} END {if (soacnt == 2) exit(0); else exit(1);}' dig.out1.test$n || ret=1
+awk '$4 == "SOA" { soacnt++} END {if (soacnt == 1) exit(0); else exit(1);}' dig.out2.test$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking whether dig calculates IXFR statistics correctly ($n)"
+ret=0
+$DIG $DIGOPTS +noedns +stat -b 10.53.0.4 @10.53.0.4 test. ixfr=2 > dig.out1.test$n
+get_dig_xfer_stats dig.out1.test$n > stats.dig
+diff ixfr-stats.good stats.dig > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Note: in the next two tests, we use ns4 logs for checking both incoming and
+# outgoing transfer statistics as ns4 is both a secondary server (for ns3) and a
+# primary server (for dig queries from the previous test) for "test".
+
+_wait_for_stats () {
+    get_named_xfer_stats ns4/named.run "$1" test "$2" > "$3"
+    diff ixfr-stats.good "$3" > /dev/null || return 1
+    return 0
+}
+
+n=$((n+1))
+echo_i "checking whether named calculates incoming IXFR statistics correctly ($n)"
+ret=0
+retry_quiet 10 _wait_for_stats 10.53.0.3 "Transfer completed" stats.incoming || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking whether named calculates outgoing IXFR statistics correctly ($n)"
+retry_quiet 10 _wait_for_stats 10.53.0.4 "IXFR ended" stats.outgoing || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+ret=0
+echo_i "testing fallback to AXFR when max-ixfr-ratio is exceeded ($n)"
+nextpart ns4/named.run > /dev/null
+
+sleep 1
+cp ns3/mytest3.db ns3/mytest.db # change to test zone, too big for IXFR
+$RNDCCMD 10.53.0.3 reload | sed 's/^/ns3 /' | cat_i
+
+# wait for secondary to reload
+tret=0
+retry_quiet 5 wait_for_serial 10.53.0.4 test. 4 dig.out.test$n || tret=1
+if [ $tret -eq 1 ]; then
+    # re-noitfy after 5 seconds, then wait another 10
+    $RNDCCMD 10.53.0.3 notify test | set 's/^/ns3 /' | cat_i
+    retry_quiet 10 wait_for_serial 10.53.0.4 test. 4 dig.out.test$n || ret=1
+fi
+
+wait_for_log 10 'got nonincremental response' ns4/named.run || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/journal/clean.sh b/bin/tests/system/journal/clean.sh
new file mode 100644
index 0000000..adab870
--- /dev/null
+++ b/bin/tests/system/journal/clean.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f */*.db */*.jnl
+rm -f */named.conf
+rm -f */named.memstats
+rm -f */named.run
+rm -f dig.out*
+rm -f journalprint.out.*
+rm -f ns1/managed-keys.bind
+rm -f ns2/managed-keys.bind
+rm -f tmp.jnl
diff --git a/bin/tests/system/journal/ns1/changed.ver1.jnl.saved b/bin/tests/system/journal/ns1/changed.ver1.jnl.saved
new file mode 100644
index 0000000..b449a7d
--- /dev/null
+++ b/bin/tests/system/journal/ns1/changed.ver1.jnl.saved
diff --git a/bin/tests/system/journal/ns1/changed.ver2.jnl.saved b/bin/tests/system/journal/ns1/changed.ver2.jnl.saved
new file mode 100644
index 0000000..d2fa199
--- /dev/null
+++ b/bin/tests/system/journal/ns1/changed.ver2.jnl.saved
diff --git a/bin/tests/system/journal/ns1/d1212.jnl.saved b/bin/tests/system/journal/ns1/d1212.jnl.saved
new file mode 100644
index 0000000..57c1497
--- /dev/null
+++ b/bin/tests/system/journal/ns1/d1212.jnl.saved
diff --git a/bin/tests/system/journal/ns1/d2121.jnl.saved b/bin/tests/system/journal/ns1/d2121.jnl.saved
new file mode 100644
index 0000000..ec21372
--- /dev/null
+++ b/bin/tests/system/journal/ns1/d2121.jnl.saved
diff --git a/bin/tests/system/journal/ns1/generic.db.in b/bin/tests/system/journal/ns1/generic.db.in
new file mode 100644
index 0000000..55669d7
--- /dev/null
+++ b/bin/tests/system/journal/ns1/generic.db.in
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@		SOA     ns hostmaster 2012010901 3600 1200 604800 1200
+                NS      ns
+ns		A       192.0.2.1
+
+addr1	A      10.53.0.1
diff --git a/bin/tests/system/journal/ns1/ixfr.db.in b/bin/tests/system/journal/ns1/ixfr.db.in
new file mode 100644
index 0000000..0cb1184
--- /dev/null
+++ b/bin/tests/system/journal/ns1/ixfr.db.in
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@		SOA     ns hostmaster 2012010902 3600 1200 604800 1200
+                NS      ns
+ns		A       192.0.2.1
+
+addr1	A      10.53.0.1
+addr2	A      10.53.0.2
diff --git a/bin/tests/system/journal/ns1/ixfr.ver1.jnl.saved b/bin/tests/system/journal/ns1/ixfr.ver1.jnl.saved
new file mode 100644
index 0000000..10b5116
--- /dev/null
+++ b/bin/tests/system/journal/ns1/ixfr.ver1.jnl.saved
diff --git a/bin/tests/system/journal/ns1/managed-keys.bind.in b/bin/tests/system/journal/ns1/managed-keys.bind.in
new file mode 100644
index 0000000..923e98b
--- /dev/null
+++ b/bin/tests/system/journal/ns1/managed-keys.bind.in
@@ -0,0 +1,2 @@
+.			0	IN	SOA	. . 3297 0 0 0 0
+.			0	IN	TYPE65533 \# 276 60621140598E0A83000000000101030803010001ACFFB409BCC939F8 31F7A1E5EC88F7A59255EC53040BE432027390A4CE896D6F9086F3C5 E177FBFE118163AAEC7AF1462C47945944C4E2C026BE5E98BBCDED25 978272E1E3E079C5094D573F0E83C92F02B32D3513B1550B826929C8 0DD0F92CAC966D17769FD5867B647C3F38029ABDC48152EB8F207159 ECC5D232C7C1537C79F4B7AC28FF11682F21681BF6D6ABA555032BF6 F9F036BEB2AAA5B3778D6EEBFBA6BF9EA191BE4AB0CAEA759E2F773A 1F9029C73ECB8D5735B9321DB085F1B8E2D8038FE2941992548CEE0D 67DD4547E11DD63AF9C9FC1C5466FB684CF009D7197C2CF79E792AB5 01E6A8A1CA519AF2CB9B5F6367E94C0D47502451357BE1B5
diff --git a/bin/tests/system/journal/ns1/managed-keys.bind.jnl.in b/bin/tests/system/journal/ns1/managed-keys.bind.jnl.in
new file mode 100644
index 0000000..a63f91c
--- /dev/null
+++ b/bin/tests/system/journal/ns1/managed-keys.bind.jnl.in
@@ -0,0 +1,704 @@
+3b42494e44204c4f472056390a000000
+00000cd20000020000000ce200002bf8
+00000038000000000000000000000000
+00000000000000000000000000000000
+00000cd20000020000000cd30000049c
+00000cd40000073800000cd5000009d8
+00000cd600000c7800000cd700000f18
+00000cd8000011b800000cd900001458
+00000cda000016f800000cdb00001998
+00000cdc00001c3800000cdd00001ed8
+00000cde0000217800000cdf00002418
+00000ce0000026b800000ce100002958
+00000000000000000000000000000000
+00000000000000000000000000000000
+00000000000000000000000000000000
+00000000000000000000000000000000
+00000000000000000000000000000000
+00000000000000000000000000000000
+00000000000000000000000000000000
+00000000000000000000000000000000
+00000000000000000000000000000000
+00000000000000000000000000000000
+00000000000000000000000000000000
+00000000000000000000000000000000
+00000000000000000000000000000000
+00000000000000000000000000000000
+00000000000000000000000000000000
+00000000000000000000000000000000
+00000000000000000000000000000000
+00000000000000000000000000000000
+00000000000000000000000000000000
+00000000000000000000000000000000
+0000029000000cd200000cd300000021
+0000060001000000000016000000000c
+d2000000000000000000000000000000
+000000011f00fffd0001000000000114
+6058a4c2598e0a830000000001010308
+03010001acffb409bcc939f831f7a1e5
+ec88f7a59255ec53040be432027390a4
+ce896d6f9086f3c5e177fbfe118163aa
+ec7af1462c47945944c4e2c026be5e98
+bbcded25978272e1e3e079c5094d573f
+0e83c92f02b32d3513b1550b826929c8
+0dd0f92cac966d17769fd5867b647c3f
+38029abdc48152eb8f207159ecc5d232
+c7c1537c79f4b7ac28ff11682f21681b
+f6d6aba555032bf6f9f036beb2aaa5b3
+778d6eebfba6bf9ea191be4ab0caea75
+9e2f773a1f9029c73ecb8d5735b9321d
+b085f1b8e2d8038fe2941992548cee0d
+67dd4547e11dd63af9c9fc1c5466fb68
+4cf009d7197c2cf79e792ab501e6a8a1
+ca519af2cb9b5f6367e94c0d47502451
+357be1b5000000210000060001000000
+000016000000000cd300000000000000
+0000000000000000000000011f00fffd
+00010000000001146058e4a0598e0a83
+000000000101030803010001acffb409
+bcc939f831f7a1e5ec88f7a59255ec53
+040be432027390a4ce896d6f9086f3c5
+e177fbfe118163aaec7af1462c479459
+44c4e2c026be5e98bbcded25978272e1
+e3e079c5094d573f0e83c92f02b32d35
+13b1550b826929c80dd0f92cac966d17
+769fd5867b647c3f38029abdc48152eb
+8f207159ecc5d232c7c1537c79f4b7ac
+28ff11682f21681bf6d6aba555032bf6
+f9f036beb2aaa5b3778d6eebfba6bf9e
+a191be4ab0caea759e2f773a1f9029c7
+3ecb8d5735b9321db085f1b8e2d8038f
+e2941992548cee0d67dd4547e11dd63a
+f9c9fc1c5466fb684cf009d7197c2cf7
+9e792ab501e6a8a1ca519af2cb9b5f63
+67e94c0d47502451357be1b500000290
+00000cd300000cd40000002100000600
+01000000000016000000000cd3000000
+00000000000000000000000000000001
+1f00fffd00010000000001146058e4a0
+598e0a83000000000101030803010001
+acffb409bcc939f831f7a1e5ec88f7a5
+9255ec53040be432027390a4ce896d6f
+9086f3c5e177fbfe118163aaec7af146
+2c47945944c4e2c026be5e98bbcded25
+978272e1e3e079c5094d573f0e83c92f
+02b32d3513b1550b826929c80dd0f92c
+ac966d17769fd5867b647c3f38029abd
+c48152eb8f207159ecc5d232c7c1537c
+79f4b7ac28ff11682f21681bf6d6aba5
+55032bf6f9f036beb2aaa5b3778d6eeb
+fba6bf9ea191be4ab0caea759e2f773a
+1f9029c73ecb8d5735b9321db085f1b8
+e2d8038fe2941992548cee0d67dd4547
+e11dd63af9c9fc1c5466fb684cf009d7
+197c2cf79e792ab501e6a8a1ca519af2
+cb9b5f6367e94c0d47502451357be1b5
+00000021000006000100000000001600
+0000000cd40000000000000000000000
+00000000000000011f00fffd00010000
+000001146059f642598e0a8300000000
+0101030803010001acffb409bcc939f8
+31f7a1e5ec88f7a59255ec53040be432
+027390a4ce896d6f9086f3c5e177fbfe
+118163aaec7af1462c47945944c4e2c0
+26be5e98bbcded25978272e1e3e079c5
+094d573f0e83c92f02b32d3513b1550b
+826929c80dd0f92cac966d17769fd586
+7b647c3f38029abdc48152eb8f207159
+ecc5d232c7c1537c79f4b7ac28ff1168
+2f21681bf6d6aba555032bf6f9f036be
+b2aaa5b3778d6eebfba6bf9ea191be4a
+b0caea759e2f773a1f9029c73ecb8d57
+35b9321db085f1b8e2d8038fe2941992
+548cee0d67dd4547e11dd63af9c9fc1c
+5466fb684cf009d7197c2cf79e792ab5
+01e6a8a1ca519af2cb9b5f6367e94c0d
+47502451357be1b50000029000000cd4
+00000cd5000000000000002100000600
+01000000000016000000000cd4000000
+00000000000000000000000000000001
+1f00fffd00010000000001146059f642
+598e0a83000000000101030803010001
+acffb409bcc939f831f7a1e5ec88f7a5
+9255ec53040be432027390a4ce896d6f
+9086f3c5e177fbfe118163aaec7af146
+2c47945944c4e2c026be5e98bbcded25
+978272e1e3e079c5094d573f0e83c92f
+02b32d3513b1550b826929c80dd0f92c
+ac966d17769fd5867b647c3f38029abd
+c48152eb8f207159ecc5d232c7c1537c
+79f4b7ac28ff11682f21681bf6d6aba5
+55032bf6f9f036beb2aaa5b3778d6eeb
+fba6bf9ea191be4ab0caea759e2f773a
+1f9029c73ecb8d5735b9321db085f1b8
+e2d8038fe2941992548cee0d67dd4547
+e11dd63af9c9fc1c5466fb684cf009d7
+197c2cf79e792ab501e6a8a1ca519af2
+cb9b5f6367e94c0d47502451357be1b5
+00000021000006000100000000001600
+0000000cd50000000000000000000000
+00000000000000011f00fffd00010000
+00000114605a283e598e0a8300000000
+0101030803010001acffb409bcc939f8
+31f7a1e5ec88f7a59255ec53040be432
+027390a4ce896d6f9086f3c5e177fbfe
+118163aaec7af1462c47945944c4e2c0
+26be5e98bbcded25978272e1e3e079c5
+094d573f0e83c92f02b32d3513b1550b
+826929c80dd0f92cac966d17769fd586
+7b647c3f38029abdc48152eb8f207159
+ecc5d232c7c1537c79f4b7ac28ff1168
+2f21681bf6d6aba555032bf6f9f036be
+b2aaa5b3778d6eebfba6bf9ea191be4a
+b0caea759e2f773a1f9029c73ecb8d57
+35b9321db085f1b8e2d8038fe2941992
+548cee0d67dd4547e11dd63af9c9fc1c
+5466fb684cf009d7197c2cf79e792ab5
+01e6a8a1ca519af2cb9b5f6367e94c0d
+47502451357be1b50000029000000cd5
+00000cd6000000000000002100000600
+01000000000016000000000cd5000000
+00000000000000000000000000000001
+1f00fffd0001000000000114605a283e
+598e0a83000000000101030803010001
+acffb409bcc939f831f7a1e5ec88f7a5
+9255ec53040be432027390a4ce896d6f
+9086f3c5e177fbfe118163aaec7af146
+2c47945944c4e2c026be5e98bbcded25
+978272e1e3e079c5094d573f0e83c92f
+02b32d3513b1550b826929c80dd0f92c
+ac966d17769fd5867b647c3f38029abd
+c48152eb8f207159ecc5d232c7c1537c
+79f4b7ac28ff11682f21681bf6d6aba5
+55032bf6f9f036beb2aaa5b3778d6eeb
+fba6bf9ea191be4ab0caea759e2f773a
+1f9029c73ecb8d5735b9321db085f1b8
+e2d8038fe2941992548cee0d67dd4547
+e11dd63af9c9fc1c5466fb684cf009d7
+197c2cf79e792ab501e6a8a1ca519af2
+cb9b5f6367e94c0d47502451357be1b5
+00000021000006000100000000001600
+0000000cd60000000000000000000000
+00000000000000011f00fffd00010000
+00000114605b47c2598e0a8300000000
+0101030803010001acffb409bcc939f8
+31f7a1e5ec88f7a59255ec53040be432
+027390a4ce896d6f9086f3c5e177fbfe
+118163aaec7af1462c47945944c4e2c0
+26be5e98bbcded25978272e1e3e079c5
+094d573f0e83c92f02b32d3513b1550b
+826929c80dd0f92cac966d17769fd586
+7b647c3f38029abdc48152eb8f207159
+ecc5d232c7c1537c79f4b7ac28ff1168
+2f21681bf6d6aba555032bf6f9f036be
+b2aaa5b3778d6eebfba6bf9ea191be4a
+b0caea759e2f773a1f9029c73ecb8d57
+35b9321db085f1b8e2d8038fe2941992
+548cee0d67dd4547e11dd63af9c9fc1c
+5466fb684cf009d7197c2cf79e792ab5
+01e6a8a1ca519af2cb9b5f6367e94c0d
+47502451357be1b50000029000000cd6
+00000cd7000000000000002100000600
+01000000000016000000000cd6000000
+00000000000000000000000000000001
+1f00fffd0001000000000114605b47c2
+598e0a83000000000101030803010001
+acffb409bcc939f831f7a1e5ec88f7a5
+9255ec53040be432027390a4ce896d6f
+9086f3c5e177fbfe118163aaec7af146
+2c47945944c4e2c026be5e98bbcded25
+978272e1e3e079c5094d573f0e83c92f
+02b32d3513b1550b826929c80dd0f92c
+ac966d17769fd5867b647c3f38029abd
+c48152eb8f207159ecc5d232c7c1537c
+79f4b7ac28ff11682f21681bf6d6aba5
+55032bf6f9f036beb2aaa5b3778d6eeb
+fba6bf9ea191be4ab0caea759e2f773a
+1f9029c73ecb8d5735b9321db085f1b8
+e2d8038fe2941992548cee0d67dd4547
+e11dd63af9c9fc1c5466fb684cf009d7
+197c2cf79e792ab501e6a8a1ca519af2
+cb9b5f6367e94c0d47502451357be1b5
+00000021000006000100000000001600
+0000000cd70000000000000000000000
+00000000000000011f00fffd00010000
+00000114605b79bf598e0a8300000000
+0101030803010001acffb409bcc939f8
+31f7a1e5ec88f7a59255ec53040be432
+027390a4ce896d6f9086f3c5e177fbfe
+118163aaec7af1462c47945944c4e2c0
+26be5e98bbcded25978272e1e3e079c5
+094d573f0e83c92f02b32d3513b1550b
+826929c80dd0f92cac966d17769fd586
+7b647c3f38029abdc48152eb8f207159
+ecc5d232c7c1537c79f4b7ac28ff1168
+2f21681bf6d6aba555032bf6f9f036be
+b2aaa5b3778d6eebfba6bf9ea191be4a
+b0caea759e2f773a1f9029c73ecb8d57
+35b9321db085f1b8e2d8038fe2941992
+548cee0d67dd4547e11dd63af9c9fc1c
+5466fb684cf009d7197c2cf79e792ab5
+01e6a8a1ca519af2cb9b5f6367e94c0d
+47502451357be1b50000029000000cd7
+00000cd8000000000000002100000600
+01000000000016000000000cd7000000
+00000000000000000000000000000001
+1f00fffd0001000000000114605b79bf
+598e0a83000000000101030803010001
+acffb409bcc939f831f7a1e5ec88f7a5
+9255ec53040be432027390a4ce896d6f
+9086f3c5e177fbfe118163aaec7af146
+2c47945944c4e2c026be5e98bbcded25
+978272e1e3e079c5094d573f0e83c92f
+02b32d3513b1550b826929c80dd0f92c
+ac966d17769fd5867b647c3f38029abd
+c48152eb8f207159ecc5d232c7c1537c
+79f4b7ac28ff11682f21681bf6d6aba5
+55032bf6f9f036beb2aaa5b3778d6eeb
+fba6bf9ea191be4ab0caea759e2f773a
+1f9029c73ecb8d5735b9321db085f1b8
+e2d8038fe2941992548cee0d67dd4547
+e11dd63af9c9fc1c5466fb684cf009d7
+197c2cf79e792ab501e6a8a1ca519af2
+cb9b5f6367e94c0d47502451357be1b5
+00000021000006000100000000001600
+0000000cd80000000000000000000000
+00000000000000011f00fffd00010000
+00000114605c9943598e0a8300000000
+0101030803010001acffb409bcc939f8
+31f7a1e5ec88f7a59255ec53040be432
+027390a4ce896d6f9086f3c5e177fbfe
+118163aaec7af1462c47945944c4e2c0
+26be5e98bbcded25978272e1e3e079c5
+094d573f0e83c92f02b32d3513b1550b
+826929c80dd0f92cac966d17769fd586
+7b647c3f38029abdc48152eb8f207159
+ecc5d232c7c1537c79f4b7ac28ff1168
+2f21681bf6d6aba555032bf6f9f036be
+b2aaa5b3778d6eebfba6bf9ea191be4a
+b0caea759e2f773a1f9029c73ecb8d57
+35b9321db085f1b8e2d8038fe2941992
+548cee0d67dd4547e11dd63af9c9fc1c
+5466fb684cf009d7197c2cf79e792ab5
+01e6a8a1ca519af2cb9b5f6367e94c0d
+47502451357be1b50000029000000cd8
+00000cd9000000000000002100000600
+01000000000016000000000cd8000000
+00000000000000000000000000000001
+1f00fffd0001000000000114605c9943
+598e0a83000000000101030803010001
+acffb409bcc939f831f7a1e5ec88f7a5
+9255ec53040be432027390a4ce896d6f
+9086f3c5e177fbfe118163aaec7af146
+2c47945944c4e2c026be5e98bbcded25
+978272e1e3e079c5094d573f0e83c92f
+02b32d3513b1550b826929c80dd0f92c
+ac966d17769fd5867b647c3f38029abd
+c48152eb8f207159ecc5d232c7c1537c
+79f4b7ac28ff11682f21681bf6d6aba5
+55032bf6f9f036beb2aaa5b3778d6eeb
+fba6bf9ea191be4ab0caea759e2f773a
+1f9029c73ecb8d5735b9321db085f1b8
+e2d8038fe2941992548cee0d67dd4547
+e11dd63af9c9fc1c5466fb684cf009d7
+197c2cf79e792ab501e6a8a1ca519af2
+cb9b5f6367e94c0d47502451357be1b5
+00000021000006000100000000001600
+0000000cd90000000000000000000000
+00000000000000011f00fffd00010000
+00000114605ccb40598e0a8300000000
+0101030803010001acffb409bcc939f8
+31f7a1e5ec88f7a59255ec53040be432
+027390a4ce896d6f9086f3c5e177fbfe
+118163aaec7af1462c47945944c4e2c0
+26be5e98bbcded25978272e1e3e079c5
+094d573f0e83c92f02b32d3513b1550b
+826929c80dd0f92cac966d17769fd586
+7b647c3f38029abdc48152eb8f207159
+ecc5d232c7c1537c79f4b7ac28ff1168
+2f21681bf6d6aba555032bf6f9f036be
+b2aaa5b3778d6eebfba6bf9ea191be4a
+b0caea759e2f773a1f9029c73ecb8d57
+35b9321db085f1b8e2d8038fe2941992
+548cee0d67dd4547e11dd63af9c9fc1c
+5466fb684cf009d7197c2cf79e792ab5
+01e6a8a1ca519af2cb9b5f6367e94c0d
+47502451357be1b50000029000000cd9
+00000cda000000000000002100000600
+01000000000016000000000cd9000000
+00000000000000000000000000000001
+1f00fffd0001000000000114605ccb40
+598e0a83000000000101030803010001
+acffb409bcc939f831f7a1e5ec88f7a5
+9255ec53040be432027390a4ce896d6f
+9086f3c5e177fbfe118163aaec7af146
+2c47945944c4e2c026be5e98bbcded25
+978272e1e3e079c5094d573f0e83c92f
+02b32d3513b1550b826929c80dd0f92c
+ac966d17769fd5867b647c3f38029abd
+c48152eb8f207159ecc5d232c7c1537c
+79f4b7ac28ff11682f21681bf6d6aba5
+55032bf6f9f036beb2aaa5b3778d6eeb
+fba6bf9ea191be4ab0caea759e2f773a
+1f9029c73ecb8d5735b9321db085f1b8
+e2d8038fe2941992548cee0d67dd4547
+e11dd63af9c9fc1c5466fb684cf009d7
+197c2cf79e792ab501e6a8a1ca519af2
+cb9b5f6367e94c0d47502451357be1b5
+00000021000006000100000000001600
+0000000cda0000000000000000000000
+00000000000000011f00fffd00010000
+00000114605deac4598e0a8300000000
+0101030803010001acffb409bcc939f8
+31f7a1e5ec88f7a59255ec53040be432
+027390a4ce896d6f9086f3c5e177fbfe
+118163aaec7af1462c47945944c4e2c0
+26be5e98bbcded25978272e1e3e079c5
+094d573f0e83c92f02b32d3513b1550b
+826929c80dd0f92cac966d17769fd586
+7b647c3f38029abdc48152eb8f207159
+ecc5d232c7c1537c79f4b7ac28ff1168
+2f21681bf6d6aba555032bf6f9f036be
+b2aaa5b3778d6eebfba6bf9ea191be4a
+b0caea759e2f773a1f9029c73ecb8d57
+35b9321db085f1b8e2d8038fe2941992
+548cee0d67dd4547e11dd63af9c9fc1c
+5466fb684cf009d7197c2cf79e792ab5
+01e6a8a1ca519af2cb9b5f6367e94c0d
+47502451357be1b50000029000000cda
+00000cdb000000000000002100000600
+01000000000016000000000cda000000
+00000000000000000000000000000001
+1f00fffd0001000000000114605deac4
+598e0a83000000000101030803010001
+acffb409bcc939f831f7a1e5ec88f7a5
+9255ec53040be432027390a4ce896d6f
+9086f3c5e177fbfe118163aaec7af146
+2c47945944c4e2c026be5e98bbcded25
+978272e1e3e079c5094d573f0e83c92f
+02b32d3513b1550b826929c80dd0f92c
+ac966d17769fd5867b647c3f38029abd
+c48152eb8f207159ecc5d232c7c1537c
+79f4b7ac28ff11682f21681bf6d6aba5
+55032bf6f9f036beb2aaa5b3778d6eeb
+fba6bf9ea191be4ab0caea759e2f773a
+1f9029c73ecb8d5735b9321db085f1b8
+e2d8038fe2941992548cee0d67dd4547
+e11dd63af9c9fc1c5466fb684cf009d7
+197c2cf79e792ab501e6a8a1ca519af2
+cb9b5f6367e94c0d47502451357be1b5
+00000021000006000100000000001600
+0000000cdb0000000000000000000000
+00000000000000011f00fffd00010000
+00000114605e1cc0598e0a8300000000
+0101030803010001acffb409bcc939f8
+31f7a1e5ec88f7a59255ec53040be432
+027390a4ce896d6f9086f3c5e177fbfe
+118163aaec7af1462c47945944c4e2c0
+26be5e98bbcded25978272e1e3e079c5
+094d573f0e83c92f02b32d3513b1550b
+826929c80dd0f92cac966d17769fd586
+7b647c3f38029abdc48152eb8f207159
+ecc5d232c7c1537c79f4b7ac28ff1168
+2f21681bf6d6aba555032bf6f9f036be
+b2aaa5b3778d6eebfba6bf9ea191be4a
+b0caea759e2f773a1f9029c73ecb8d57
+35b9321db085f1b8e2d8038fe2941992
+548cee0d67dd4547e11dd63af9c9fc1c
+5466fb684cf009d7197c2cf79e792ab5
+01e6a8a1ca519af2cb9b5f6367e94c0d
+47502451357be1b50000029000000cdb
+00000cdc000000000000002100000600
+01000000000016000000000cdb000000
+00000000000000000000000000000001
+1f00fffd0001000000000114605e1cc0
+598e0a83000000000101030803010001
+acffb409bcc939f831f7a1e5ec88f7a5
+9255ec53040be432027390a4ce896d6f
+9086f3c5e177fbfe118163aaec7af146
+2c47945944c4e2c026be5e98bbcded25
+978272e1e3e079c5094d573f0e83c92f
+02b32d3513b1550b826929c80dd0f92c
+ac966d17769fd5867b647c3f38029abd
+c48152eb8f207159ecc5d232c7c1537c
+79f4b7ac28ff11682f21681bf6d6aba5
+55032bf6f9f036beb2aaa5b3778d6eeb
+fba6bf9ea191be4ab0caea759e2f773a
+1f9029c73ecb8d5735b9321db085f1b8
+e2d8038fe2941992548cee0d67dd4547
+e11dd63af9c9fc1c5466fb684cf009d7
+197c2cf79e792ab501e6a8a1ca519af2
+cb9b5f6367e94c0d47502451357be1b5
+00000021000006000100000000001600
+0000000cdc0000000000000000000000
+00000000000000011f00fffd00010000
+00000114605efb3a598e0a8300000000
+0101030803010001acffb409bcc939f8
+31f7a1e5ec88f7a59255ec53040be432
+027390a4ce896d6f9086f3c5e177fbfe
+118163aaec7af1462c47945944c4e2c0
+26be5e98bbcded25978272e1e3e079c5
+094d573f0e83c92f02b32d3513b1550b
+826929c80dd0f92cac966d17769fd586
+7b647c3f38029abdc48152eb8f207159
+ecc5d232c7c1537c79f4b7ac28ff1168
+2f21681bf6d6aba555032bf6f9f036be
+b2aaa5b3778d6eebfba6bf9ea191be4a
+b0caea759e2f773a1f9029c73ecb8d57
+35b9321db085f1b8e2d8038fe2941992
+548cee0d67dd4547e11dd63af9c9fc1c
+5466fb684cf009d7197c2cf79e792ab5
+01e6a8a1ca519af2cb9b5f6367e94c0d
+47502451357be1b50000029000000cdc
+00000cdd000000000000002100000600
+01000000000016000000000cdc000000
+00000000000000000000000000000001
+1f00fffd0001000000000114605efb3a
+598e0a83000000000101030803010001
+acffb409bcc939f831f7a1e5ec88f7a5
+9255ec53040be432027390a4ce896d6f
+9086f3c5e177fbfe118163aaec7af146
+2c47945944c4e2c026be5e98bbcded25
+978272e1e3e079c5094d573f0e83c92f
+02b32d3513b1550b826929c80dd0f92c
+ac966d17769fd5867b647c3f38029abd
+c48152eb8f207159ecc5d232c7c1537c
+79f4b7ac28ff11682f21681bf6d6aba5
+55032bf6f9f036beb2aaa5b3778d6eeb
+fba6bf9ea191be4ab0caea759e2f773a
+1f9029c73ecb8d5735b9321db085f1b8
+e2d8038fe2941992548cee0d67dd4547
+e11dd63af9c9fc1c5466fb684cf009d7
+197c2cf79e792ab501e6a8a1ca519af2
+cb9b5f6367e94c0d47502451357be1b5
+00000021000006000100000000001600
+0000000cdd0000000000000000000000
+00000000000000011f00fffd00010000
+00000114605f6e40598e0a8300000000
+0101030803010001acffb409bcc939f8
+31f7a1e5ec88f7a59255ec53040be432
+027390a4ce896d6f9086f3c5e177fbfe
+118163aaec7af1462c47945944c4e2c0
+26be5e98bbcded25978272e1e3e079c5
+094d573f0e83c92f02b32d3513b1550b
+826929c80dd0f92cac966d17769fd586
+7b647c3f38029abdc48152eb8f207159
+ecc5d232c7c1537c79f4b7ac28ff1168
+2f21681bf6d6aba555032bf6f9f036be
+b2aaa5b3778d6eebfba6bf9ea191be4a
+b0caea759e2f773a1f9029c73ecb8d57
+35b9321db085f1b8e2d8038fe2941992
+548cee0d67dd4547e11dd63af9c9fc1c
+5466fb684cf009d7197c2cf79e792ab5
+01e6a8a1ca519af2cb9b5f6367e94c0d
+47502451357be1b50000029000000cdd
+00000cde000000000000002100000600
+01000000000016000000000cdd000000
+00000000000000000000000000000001
+1f00fffd0001000000000114605f6e40
+598e0a83000000000101030803010001
+acffb409bcc939f831f7a1e5ec88f7a5
+9255ec53040be432027390a4ce896d6f
+9086f3c5e177fbfe118163aaec7af146
+2c47945944c4e2c026be5e98bbcded25
+978272e1e3e079c5094d573f0e83c92f
+02b32d3513b1550b826929c80dd0f92c
+ac966d17769fd5867b647c3f38029abd
+c48152eb8f207159ecc5d232c7c1537c
+79f4b7ac28ff11682f21681bf6d6aba5
+55032bf6f9f036beb2aaa5b3778d6eeb
+fba6bf9ea191be4ab0caea759e2f773a
+1f9029c73ecb8d5735b9321db085f1b8
+e2d8038fe2941992548cee0d67dd4547
+e11dd63af9c9fc1c5466fb684cf009d7
+197c2cf79e792ab501e6a8a1ca519af2
+cb9b5f6367e94c0d47502451357be1b5
+00000021000006000100000000001600
+0000000cde0000000000000000000000
+00000000000000011f00fffd00010000
+0000011460604cbb598e0a8300000000
+0101030803010001acffb409bcc939f8
+31f7a1e5ec88f7a59255ec53040be432
+027390a4ce896d6f9086f3c5e177fbfe
+118163aaec7af1462c47945944c4e2c0
+26be5e98bbcded25978272e1e3e079c5
+094d573f0e83c92f02b32d3513b1550b
+826929c80dd0f92cac966d17769fd586
+7b647c3f38029abdc48152eb8f207159
+ecc5d232c7c1537c79f4b7ac28ff1168
+2f21681bf6d6aba555032bf6f9f036be
+b2aaa5b3778d6eebfba6bf9ea191be4a
+b0caea759e2f773a1f9029c73ecb8d57
+35b9321db085f1b8e2d8038fe2941992
+548cee0d67dd4547e11dd63af9c9fc1c
+5466fb684cf009d7197c2cf79e792ab5
+01e6a8a1ca519af2cb9b5f6367e94c0d
+47502451357be1b50000029000000cde
+00000cdf000000000000002100000600
+01000000000016000000000cde000000
+00000000000000000000000000000001
+1f00fffd000100000000011460604cbb
+598e0a83000000000101030803010001
+acffb409bcc939f831f7a1e5ec88f7a5
+9255ec53040be432027390a4ce896d6f
+9086f3c5e177fbfe118163aaec7af146
+2c47945944c4e2c026be5e98bbcded25
+978272e1e3e079c5094d573f0e83c92f
+02b32d3513b1550b826929c80dd0f92c
+ac966d17769fd5867b647c3f38029abd
+c48152eb8f207159ecc5d232c7c1537c
+79f4b7ac28ff11682f21681bf6d6aba5
+55032bf6f9f036beb2aaa5b3778d6eeb
+fba6bf9ea191be4ab0caea759e2f773a
+1f9029c73ecb8d5735b9321db085f1b8
+e2d8038fe2941992548cee0d67dd4547
+e11dd63af9c9fc1c5466fb684cf009d7
+197c2cf79e792ab501e6a8a1ca519af2
+cb9b5f6367e94c0d47502451357be1b5
+00000021000006000100000000001600
+0000000cdf0000000000000000000000
+00000000000000011f00fffd00010000
+000001146060bfc0598e0a8300000000
+0101030803010001acffb409bcc939f8
+31f7a1e5ec88f7a59255ec53040be432
+027390a4ce896d6f9086f3c5e177fbfe
+118163aaec7af1462c47945944c4e2c0
+26be5e98bbcded25978272e1e3e079c5
+094d573f0e83c92f02b32d3513b1550b
+826929c80dd0f92cac966d17769fd586
+7b647c3f38029abdc48152eb8f207159
+ecc5d232c7c1537c79f4b7ac28ff1168
+2f21681bf6d6aba555032bf6f9f036be
+b2aaa5b3778d6eebfba6bf9ea191be4a
+b0caea759e2f773a1f9029c73ecb8d57
+35b9321db085f1b8e2d8038fe2941992
+548cee0d67dd4547e11dd63af9c9fc1c
+5466fb684cf009d7197c2cf79e792ab5
+01e6a8a1ca519af2cb9b5f6367e94c0d
+47502451357be1b50000029000000cdf
+00000ce0000000000000002100000600
+01000000000016000000000cdf000000
+00000000000000000000000000000001
+1f00fffd00010000000001146060bfc0
+598e0a83000000000101030803010001
+acffb409bcc939f831f7a1e5ec88f7a5
+9255ec53040be432027390a4ce896d6f
+9086f3c5e177fbfe118163aaec7af146
+2c47945944c4e2c026be5e98bbcded25
+978272e1e3e079c5094d573f0e83c92f
+02b32d3513b1550b826929c80dd0f92c
+ac966d17769fd5867b647c3f38029abd
+c48152eb8f207159ecc5d232c7c1537c
+79f4b7ac28ff11682f21681bf6d6aba5
+55032bf6f9f036beb2aaa5b3778d6eeb
+fba6bf9ea191be4ab0caea759e2f773a
+1f9029c73ecb8d5735b9321db085f1b8
+e2d8038fe2941992548cee0d67dd4547
+e11dd63af9c9fc1c5466fb684cf009d7
+197c2cf79e792ab501e6a8a1ca519af2
+cb9b5f6367e94c0d47502451357be1b5
+00000021000006000100000000001600
+0000000ce00000000000000000000000
+00000000000000011f00fffd00010000
+0000011460619e3b598e0a8300000000
+0101030803010001acffb409bcc939f8
+31f7a1e5ec88f7a59255ec53040be432
+027390a4ce896d6f9086f3c5e177fbfe
+118163aaec7af1462c47945944c4e2c0
+26be5e98bbcded25978272e1e3e079c5
+094d573f0e83c92f02b32d3513b1550b
+826929c80dd0f92cac966d17769fd586
+7b647c3f38029abdc48152eb8f207159
+ecc5d232c7c1537c79f4b7ac28ff1168
+2f21681bf6d6aba555032bf6f9f036be
+b2aaa5b3778d6eebfba6bf9ea191be4a
+b0caea759e2f773a1f9029c73ecb8d57
+35b9321db085f1b8e2d8038fe2941992
+548cee0d67dd4547e11dd63af9c9fc1c
+5466fb684cf009d7197c2cf79e792ab5
+01e6a8a1ca519af2cb9b5f6367e94c0d
+47502451357be1b50000029000000ce0
+00000ce1000000000000002100000600
+01000000000016000000000ce0000000
+00000000000000000000000000000001
+1f00fffd000100000000011460619e3b
+598e0a83000000000101030803010001
+acffb409bcc939f831f7a1e5ec88f7a5
+9255ec53040be432027390a4ce896d6f
+9086f3c5e177fbfe118163aaec7af146
+2c47945944c4e2c026be5e98bbcded25
+978272e1e3e079c5094d573f0e83c92f
+02b32d3513b1550b826929c80dd0f92c
+ac966d17769fd5867b647c3f38029abd
+c48152eb8f207159ecc5d232c7c1537c
+79f4b7ac28ff11682f21681bf6d6aba5
+55032bf6f9f036beb2aaa5b3778d6eeb
+fba6bf9ea191be4ab0caea759e2f773a
+1f9029c73ecb8d5735b9321db085f1b8
+e2d8038fe2941992548cee0d67dd4547
+e11dd63af9c9fc1c5466fb684cf009d7
+197c2cf79e792ab501e6a8a1ca519af2
+cb9b5f6367e94c0d47502451357be1b5
+00000021000006000100000000001600
+0000000ce10000000000000000000000
+00000000000000011f00fffd00010000
+0000011460621140598e0a8300000000
+0101030803010001acffb409bcc939f8
+31f7a1e5ec88f7a59255ec53040be432
+027390a4ce896d6f9086f3c5e177fbfe
+118163aaec7af1462c47945944c4e2c0
+26be5e98bbcded25978272e1e3e079c5
+094d573f0e83c92f02b32d3513b1550b
+826929c80dd0f92cac966d17769fd586
+7b647c3f38029abdc48152eb8f207159
+ecc5d232c7c1537c79f4b7ac28ff1168
+2f21681bf6d6aba555032bf6f9f036be
+b2aaa5b3778d6eebfba6bf9ea191be4a
+b0caea759e2f773a1f9029c73ecb8d57
+35b9321db085f1b8e2d8038fe2941992
+548cee0d67dd4547e11dd63af9c9fc1c
+5466fb684cf009d7197c2cf79e792ab5
+01e6a8a1ca519af2cb9b5f6367e94c0d
+47502451357be1b50000029000000ce1
+00000ce2000000000000002100000600
+01000000000016000000000ce1000000
+00000000000000000000000000000001
+1f00fffd000100000000011460621140
+598e0a83000000000101030803010001
+acffb409bcc939f831f7a1e5ec88f7a5
+9255ec53040be432027390a4ce896d6f
+9086f3c5e177fbfe118163aaec7af146
+2c47945944c4e2c026be5e98bbcded25
+978272e1e3e079c5094d573f0e83c92f
+02b32d3513b1550b826929c80dd0f92c
+ac966d17769fd5867b647c3f38029abd
+c48152eb8f207159ecc5d232c7c1537c
+79f4b7ac28ff11682f21681bf6d6aba5
+55032bf6f9f036beb2aaa5b3778d6eeb
+fba6bf9ea191be4ab0caea759e2f773a
+1f9029c73ecb8d5735b9321db085f1b8
+e2d8038fe2941992548cee0d67dd4547
+e11dd63af9c9fc1c5466fb684cf009d7
+197c2cf79e792ab501e6a8a1ca519af2
+cb9b5f6367e94c0d47502451357be1b5
+00000021000006000100000000001600
+0000000ce20000000000000000000000
+00000000000000011f00fffd00010000
+000001146062efbb598e0a8300000000
+0101030803010001acffb409bcc939f8
+31f7a1e5ec88f7a59255ec53040be432
+027390a4ce896d6f9086f3c5e177fbfe
+118163aaec7af1462c47945944c4e2c0
+26be5e98bbcded25978272e1e3e079c5
+094d573f0e83c92f02b32d3513b1550b
+826929c80dd0f92cac966d17769fd586
+7b647c3f38029abdc48152eb8f207159
+ecc5d232c7c1537c79f4b7ac28ff1168
+2f21681bf6d6aba555032bf6f9f036be
+b2aaa5b3778d6eebfba6bf9ea191be4a
+b0caea759e2f773a1f9029c73ecb8d57
+35b9321db085f1b8e2d8038fe2941992
+548cee0d67dd4547e11dd63af9c9fc1c
+5466fb684cf009d7197c2cf79e792ab5
+01e6a8a1ca519af2cb9b5f6367e94c0d
+47502451357be1b5
diff --git a/bin/tests/system/journal/ns1/maxjournal.jnl.saved b/bin/tests/system/journal/ns1/maxjournal.jnl.saved
new file mode 100644
index 0000000..7c79e5c
--- /dev/null
+++ b/bin/tests/system/journal/ns1/maxjournal.jnl.saved
diff --git a/bin/tests/system/journal/ns1/maxjournal2.jnl.saved b/bin/tests/system/journal/ns1/maxjournal2.jnl.saved
new file mode 100644
index 0000000..e200905
--- /dev/null
+++ b/bin/tests/system/journal/ns1/maxjournal2.jnl.saved
diff --git a/bin/tests/system/journal/ns1/named.conf.in b/bin/tests/system/journal/ns1/named.conf.in
new file mode 100644
index 0000000..1f6e983
--- /dev/null
+++ b/bin/tests/system/journal/ns1/named.conf.in
@@ -0,0 +1,92 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	session-keyfile "session.key";
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	dnssec-validation yes;
+	minimal-responses no;
+	recursion no;
+	notify yes;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone changed {
+	type primary;
+	update-policy local;
+	file "changed.db";
+};
+
+zone unchanged {
+	type primary;
+	update-policy local;
+	file "unchanged.db";
+};
+
+zone changed2 {
+	type primary;
+	update-policy local;
+	file "changed2.db";
+};
+
+zone unchanged2 {
+	type primary;
+	update-policy local;
+	file "unchanged2.db";
+};
+
+zone hdr1d1d2d1d2 {
+	type primary;
+	update-policy local;
+	file "d1212.db";
+};
+
+zone hdr1d2d1d2d1 {
+	type primary;
+	update-policy local;
+	file "d2121.db";
+};
+
+zone ixfr {
+	type primary;
+	ixfr-from-differences yes;
+	file "ixfr.db";
+};
+
+zone maxjournal {
+	type primary;
+	max-journal-size 1k;
+	update-policy local;
+	file "maxjournal.db";
+};
+
+zone maxjournal2 {
+	type primary;
+	max-journal-size 1k;
+	update-policy local;
+	file "maxjournal2.db";
+};
diff --git a/bin/tests/system/journal/ns1/unchanged.ver1.jnl.saved b/bin/tests/system/journal/ns1/unchanged.ver1.jnl.saved
new file mode 100644
index 0000000..f7885d9
--- /dev/null
+++ b/bin/tests/system/journal/ns1/unchanged.ver1.jnl.saved
diff --git a/bin/tests/system/journal/ns1/unchanged.ver2.jnl.saved b/bin/tests/system/journal/ns1/unchanged.ver2.jnl.saved
new file mode 100644
index 0000000..d974be4
--- /dev/null
+++ b/bin/tests/system/journal/ns1/unchanged.ver2.jnl.saved
diff --git a/bin/tests/system/journal/ns2/managed-keys.bind.in b/bin/tests/system/journal/ns2/managed-keys.bind.in
new file mode 100644
index 0000000..2139706
--- /dev/null
+++ b/bin/tests/system/journal/ns2/managed-keys.bind.in
@@ -0,0 +1,14 @@
+$ORIGIN .
+$TTL 0	; 0 seconds
+@			IN SOA	. . (
+				29         ; serial
+				0          ; refresh (0 seconds)
+				0          ; retry (0 seconds)
+				0          ; expire (0 seconds)
+				0          ; minimum (0 seconds)
+				)
+			KEYDATA	20210611104535 19700101000000 19700101000000 0 0 0 (
+
+				) ; ZSK; alg = 0; key id = 0
+				; next refresh: Fri, 11 Jun 2021 10:45:35 GMT
+				; no trust
diff --git a/bin/tests/system/journal/ns2/managed-keys.bind.jnl.in b/bin/tests/system/journal/ns2/managed-keys.bind.jnl.in
new file mode 100644
index 0000000..01c1d47
--- /dev/null
+++ b/bin/tests/system/journal/ns2/managed-keys.bind.jnl.in
diff --git a/bin/tests/system/journal/ns2/named.conf.in b/bin/tests/system/journal/ns2/named.conf.in
new file mode 100644
index 0000000..4c07c92
--- /dev/null
+++ b/bin/tests/system/journal/ns2/named.conf.in
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	session-keyfile "session.key";
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	dnssec-validation yes;
+	minimal-responses no;
+	recursion no;
+	notify yes;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
diff --git a/bin/tests/system/journal/setup.sh b/bin/tests/system/journal/setup.sh
new file mode 100644
index 0000000..e9b0072
--- /dev/null
+++ b/bin/tests/system/journal/setup.sh
@@ -0,0 +1,51 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../conf.sh
+
+$SHELL clean.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+cp ns1/generic.db.in ns1/changed.db
+cp ns1/changed.ver1.jnl.saved ns1/changed.db.jnl
+
+cp ns1/generic.db.in ns1/unchanged.db
+cp ns1/unchanged.ver1.jnl.saved ns1/unchanged.db.jnl
+
+cp ns1/generic.db.in ns1/changed2.db
+cp ns1/changed.ver2.jnl.saved ns1/changed2.db.jnl
+
+cp ns1/generic.db.in ns1/unchanged2.db
+cp ns1/unchanged.ver2.jnl.saved ns1/unchanged2.db.jnl
+
+cp ns1/ixfr.db.in ns1/ixfr.db
+cp ns1/ixfr.ver1.jnl.saved ns1/ixfr.db.jnl
+
+cp ns1/generic.db.in ns1/d1212.db
+cp ns1/d1212.jnl.saved ns1/d1212.db.jnl
+
+cp ns1/generic.db.in ns1/d2121.db
+cp ns1/d2121.jnl.saved ns1/d2121.db.jnl
+
+cp ns1/generic.db.in ns1/maxjournal.db
+cp ns1/maxjournal.jnl.saved ns1/maxjournal.db.jnl
+
+cp ns1/generic.db.in ns1/maxjournal2.db
+cp ns1/maxjournal2.jnl.saved ns1/maxjournal2.db.jnl
+
+cp ns1/managed-keys.bind.in ns1/managed-keys.bind
+$PERL ../fromhex.pl < ns1/managed-keys.bind.jnl.in > ns1/managed-keys.bind.jnl
+
+copy_setports ns2/named.conf.in ns2/named.conf
+cp ns2/managed-keys.bind.in ns2/managed-keys.bind
+cp ns2/managed-keys.bind.jnl.in ns2/managed-keys.bind.jnl
diff --git a/bin/tests/system/journal/tests.sh b/bin/tests/system/journal/tests.sh
new file mode 100644
index 0000000..f6e0f4d
--- /dev/null
+++ b/bin/tests/system/journal/tests.sh
@@ -0,0 +1,255 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../conf.sh
+
+dig_with_opts() {
+    "$DIG" @10.53.0.1 -p "$PORT" +tcp "$@"
+}
+
+rndc_with_opts() {
+    "$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@"
+}
+
+status=0
+n=0
+
+n=`expr $n + 1`
+echo_i "check outdated journal rolled forward (dynamic) ($n)"
+ret=0
+dig_with_opts changed soa > dig.out.test$n
+grep 'status: NOERROR' dig.out.test$n > /dev/null || ret=1
+grep '2012010902' dig.out.test$n > /dev/null || ret=1
+grep 'zone changed/IN: journal rollforward completed successfully using old journal format' ns1/named.run > /dev/null || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check outdated empty journal did not cause an error (dynamic) ($n)"
+ret=0
+dig_with_opts unchanged soa > dig.out.test$n
+grep 'status: NOERROR' dig.out.test$n > /dev/null || ret=1
+grep '2012010901' dig.out.test$n > /dev/null || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check outdated journals were updated or removed (dynamic) ($n)"
+ret=0
+cat -v ns1/changed.db.jnl | grep "BIND LOG V9.2" > /dev/null || ret=1
+[ -f ns1/unchanged.db.jnl ] && ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check updated journal has correct RR count (dynamic) ($n)"
+ret=0
+$JOURNALPRINT -x ns1/changed.db.jnl | grep "rrcount 3 " > /dev/null || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check new-format journal rolled forward (dynamic) ($n)"
+ret=0
+dig_with_opts changed2 soa > dig.out.test$n
+grep 'status: NOERROR' dig.out.test$n > /dev/null || ret=1
+grep '2012010902' dig.out.test$n > /dev/null || ret=1
+grep 'zone changed2/IN: journal rollforward completed successfully: success' ns1/named.run > /dev/null || ret=1
+grep 'zone changed2/IN: journal rollforward completed successfully using old journal format' ns1/named.run > /dev/null && ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check new-format empty journal did not cause error (dynamic) ($n)"
+ret=0
+dig_with_opts unchanged2 soa > dig.out.test$n
+grep 'status: NOERROR' dig.out.test$n > /dev/null || ret=1
+grep '2012010901' dig.out.test$n > /dev/null || ret=1
+grep 'zone unchanged2/IN: journal rollforward completed successfully' ns1/named.run > /dev/null && ret=1
+grep 'zone unchanged2/IN: journal rollforward completed successfully using old journal format' ns1/named.run > /dev/null && ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check new-format journals were updated or removed (dynamic) ($n)"
+ret=0
+cat -v ns1/changed2.db.jnl | grep "BIND LOG V9.2" > /dev/null || ret=1
+[ -f ns1/unchanged2.db.jnl ] && ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check outdated up-to-date journal succeeded (ixfr-from-differences) ($n)"
+ret=0
+dig_with_opts -t soa ixfr > dig.out.test$n
+grep 'status: NOERROR' dig.out.test$n > /dev/null || ret=1
+grep '2012010902' dig.out.test$n > /dev/null || ret=1
+grep 'zone ixfr/IN: journal rollforward completed successfully using old journal format: up to date' ns1/named.run > /dev/null || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check outdated journal was updated (ixfr-from-differences) ($n)"
+ret=0
+cat -v ns1/ixfr.db.jnl | grep "BIND LOG V9.2" > /dev/null || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check journal with mixed headers succeeded (version 1,2,1,2) ($n)"
+ret=0
+dig_with_opts -t soa hdr1d1d2d1d2 > dig.out.test$n
+grep 'status: NOERROR' dig.out.test$n > /dev/null || ret=1
+grep '2012010905' dig.out.test$n > /dev/null || ret=1
+grep 'zone hdr1d1d2d1d2/IN: journal rollforward completed successfully using old journal format: success' ns1/named.run > /dev/null || ret=1
+grep 'zone_journal_compact: zone hdr1d1d2d1d2/IN: repair full journal' ns1/named.run > /dev/null || ret=1
+grep 'hdr1d1d2d1d2/IN: dns_journal_compact: success' ns1/named.run > /dev/null || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check journal with mixed headers was updated (version 1,2,1,2) ($n)"
+ret=0
+[ $($JOURNALPRINT -x ns1/d1212.jnl.saved | grep -c "version 1") -eq 2 ] || ret=1
+[ $($JOURNALPRINT -x ns1/d1212.jnl.saved | grep -c "version 2") -eq 2 ] || ret=1
+[ $($JOURNALPRINT -x ns1/d1212.db.jnl | grep -c "version 1") -eq 0 ] || ret=1
+[ $($JOURNALPRINT -x ns1/d1212.db.jnl | grep -c "version 2") -eq 4 ] || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check journal with mixed headers succeeded (version 2,1,2,1) ($n)"
+ret=0
+dig_with_opts -t soa hdr1d2d1d2d1 > dig.out.test$n
+grep 'status: NOERROR' dig.out.test$n > /dev/null || ret=1
+grep '2012010905' dig.out.test$n > /dev/null || ret=1
+grep 'zone hdr1d2d1d2d1/IN: journal rollforward completed successfully using old journal format: success' ns1/named.run > /dev/null || ret=1
+grep 'zone_journal_compact: zone hdr1d2d1d2d1/IN: repair full journal' ns1/named.run > /dev/null || ret=1
+grep 'zone hdr1d2d1d2d1/IN: dns_journal_compact: success' ns1/named.run > /dev/null || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check journal with mixed headers was updated (version 2,1,2,1) ($n)"
+ret=0
+[ $($JOURNALPRINT -x ns1/d2121.jnl.saved | grep -c "version 1") -eq 2 ] || ret=1
+[ $($JOURNALPRINT -x ns1/d2121.jnl.saved | grep -c "version 2") -eq 2 ] || ret=1
+[ $($JOURNALPRINT -x ns1/d2121.db.jnl | grep -c "version 1") -eq 0 ] || ret=1
+[ $($JOURNALPRINT -x ns1/d2121.db.jnl | grep -c "version 2") -eq 4 ] || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check there are no journals left un-updated ($n)"
+ret=0
+c1=$(cat -v ns1/*.jnl | grep -c "BIND LOG V9")
+c2=$(cat -v ns1/*.jnl | grep -c "BIND LOG V9.2")
+[ ${c1} -eq ${c2} ] || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "Check that journal with mixed headers can be compacted (version 1,2,1,2) ($n)"
+ret=0
+journal=ns1/d1212.jnl.saved
+seriallist=$($JOURNALPRINT -x $journal | awk '$1 == "Transaction:" { print $11 }')
+for serial in $seriallist
+do
+        cp $journal tmp.jnl
+        $JOURNALPRINT -c $serial tmp.jnl || ret=1
+done
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "Check that journal with mixed headers can be compacted (version 2,1,2,1) ($n)"
+ret=0
+journal=ns1/d2121.jnl.saved
+seriallist=$($JOURNALPRINT -x $journal | awk '$1 == "Transaction:" { print $11 }')
+for serial in $seriallist
+do
+        cp ns1/d1212.jnl.saved tmp.jnl
+        $JOURNALPRINT -c $serial tmp.jnl || ret=1
+done
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check upgrade of managed-keys.bind.jnl succeeded($n)"
+ret=0
+$JOURNALPRINT ns1/managed-keys.bind.jnl > journalprint.out.test$n
+lines=$(awk '$1 == "add" && $5 == "SOA" && $8 == "3297" { print }' journalprint.out.test$n | wc -l)
+test $lines -eq 1 || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check journal downgrade/upgrade ($n)"
+ret=0
+cp ns1/changed.db.jnl ns1/temp.jnl
+$JOURNALPRINT -d ns1/temp.jnl
+[ $($JOURNALPRINT -x ns1/temp.jnl | grep -c "version 1") -eq 1 ] || ret=1
+$JOURNALPRINT -x ns1/temp.jnl | grep -q "Header version = 1" || ret=1
+$JOURNALPRINT -u ns1/temp.jnl
+$JOURNALPRINT -x ns1/temp.jnl | grep -q "Header version = 2" || ret=1
+[ $($JOURNALPRINT -x ns1/temp.jnl | grep -c "version 2") -eq 1 ] || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check max-journal-size works after journal update ($n)"
+ret=0
+# journal was repaired, it should still be big
+[ $(wc -c < ns1/maxjournal.db.jnl) -gt 12000 ] || ret=1
+# the zone hasn't been dumped yet, so 'rndc sync' should work without
+# needing a zone update first.
+rndc_with_opts 10.53.0.1 sync maxjournal
+check_size() (
+    [ $(wc -c < ns1/maxjournal.db.jnl) -lt 4000 ]
+)
+retry_quiet 10 check_size || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check max-journal-size works with non-updated journals ($n)"
+ret=0
+# journal was not repaired, so it should still be big
+[ $(wc -c < ns1/maxjournal2.db.jnl) -gt 12000 ] || ret=1
+# the zone hasn't been dumped yet, so 'rndc sync' should work without
+# needing a zone update first.
+rndc_with_opts 10.53.0.1 sync maxjournal2
+check_size() (
+    [ $(wc -c < ns1/maxjournal2.db.jnl) -lt 4000 ]
+)
+retry_quiet 10 check_size || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check journal index consistency ($n)"
+ret=0
+for jnl in ns1/*.jnl; do
+    $JOURNALPRINT -x $jnl 2>&1 | grep -q "Offset mismatch" && ret=1
+done
+[ $ret -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that journal is applied to zone with keydata placeholder record"
+ret=0
+grep 'managed-keys-zone: journal rollforward completed successfully: up to date' ns2/named.run > /dev/null 2>&1 || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/kasp.sh b/bin/tests/system/kasp.sh
new file mode 100644
index 0000000..d49baa3
--- /dev/null
+++ b/bin/tests/system/kasp.sh
@@ -0,0 +1,1238 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Common configuration data for kasp system tests, to be sourced into
+# other shell scripts.
+#
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+###############################################################################
+# Constants                                                                   #
+###############################################################################
+DEFAULT_TTL=300
+
+###############################################################################
+# Query properties                                                            #
+###############################################################################
+TSIG=""
+SHA1="FrSt77yPTFx6hTs4i2tKLB9LmE0="
+SHA224="hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA=="
+SHA256="R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY="
+VIEW1="YPfMoAk6h+3iN8MDRQC004iSNHY="
+VIEW2="4xILSZQnuO1UKubXHkYUsvBRPu8="
+VIEW3="C1Azf+gGPMmxrUg/WQINP6eV9Y0="
+
+###############################################################################
+# Key properties                                                              #
+###############################################################################
+# ID
+# BASEFILE
+# EXPECT
+# ROLE
+# KSK
+# ZSK
+# FLAGS
+# LIFETIME
+# ALG_NUM
+# ALG_STR
+# ALG_LEN
+# CREATED
+# PUBLISHED
+# ACTIVE
+# RETIRED
+# REVOKED
+# REMOVED
+# GOAL
+# STATE_DNSKEY
+# STATE_ZRRSIG
+# STATE_KRRSIG
+# STATE_DS
+# EXPECT_ZRRSIG
+# EXPECT_KRRSIG
+# LEGACY
+# PRIVATE
+# PRIVKEY_STAT
+# PUBKEY_STAT
+# STATE_STAT
+
+key_key() {
+	echo "${1}__${2}"
+}
+
+key_get() {
+	eval "echo \${$(key_key "$1" "$2")}"
+}
+
+key_set() {
+	eval "$(key_key "$1" "$2")='$3'"
+}
+
+key_stat() {
+	$PERL -e 'print((stat @ARGV[0])[9] . "\n");' "$1"
+}
+
+# Save certain values in the KEY array.
+key_save()
+{
+	# Save key id.
+	key_set "$1" ID "$KEY_ID"
+	# Save base filename.
+	key_set "$1" BASEFILE "$BASE_FILE"
+	# Save creation date.
+	key_set "$1" CREATED "${KEY_CREATED}"
+	# Save key change time.
+	key_set "$1" PRIVKEY_STAT $(key_stat "${BASE_FILE}.private")
+	key_set "$1" PUBKEY_STAT $(key_stat "${BASE_FILE}.key")
+	key_set "$1" STATE_STAT $(key_stat "${BASE_FILE}.state")
+}
+
+# Clear key state.
+#
+# This will update either the KEY1, KEY2, or KEY3 array.
+key_clear() {
+	key_set "$1" "ID" 'no'
+	key_set "$1" "IDPAD" 'no'
+	key_set "$1" "EXPECT" 'no'
+	key_set "$1" "ROLE" 'none'
+	key_set "$1" "KSK" 'no'
+	key_set "$1" "ZSK" 'no'
+	key_set "$1" "FLAGS" '0'
+	key_set "$1" "LIFETIME" 'none'
+	key_set "$1" "ALG_NUM" '0'
+	key_set "$1" "ALG_STR" 'none'
+	key_set "$1" "ALG_LEN" '0'
+	key_set "$1" "CREATED" '0'
+	key_set "$1" "PUBLISHED" 'none'
+	key_set "$1" "SYNCPUBLISH" 'none'
+	key_set "$1" "ACTIVE" 'none'
+	key_set "$1" "RETIRED" 'none'
+	key_set "$1" "REVOKED" 'none'
+	key_set "$1" "REMOVED" 'none'
+	key_set "$1" "GOAL" 'none'
+	key_set "$1" "STATE_DNSKEY" 'none'
+	key_set "$1" "STATE_KRRSIG" 'none'
+	key_set "$1" "STATE_ZRRSIG" 'none'
+	key_set "$1" "STATE_DS" 'none'
+	key_set "$1" "EXPECT_ZRRSIG" 'no'
+	key_set "$1" "EXPECT_KRRSIG" 'no'
+	key_set "$1" "LEGACY" 'no'
+	key_set "$1" "PRIVATE" 'yes'
+	key_set "$1" "PRIVKEY_STAT" '0'
+	key_set "$1" "PUBKEY_STAT" '0'
+	key_set "$1" "STATE_STAT" '0'
+}
+
+# Start clear.
+# There can be at most 4 keys at the same time during a rollover:
+# 2x KSK, 2x ZSK
+key_clear "KEY1"
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+###############################################################################
+# Utilities                                                                   #
+###############################################################################
+
+# Call dig with default options.
+_dig_with_opts() {
+
+	if [ -n "$TSIG" ]; then
+		"$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" -y "$TSIG" "$@"
+	else
+		"$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
+	fi
+}
+
+# RNDC.
+_rndccmd() {
+	"$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@"
+}
+
+# Print IDs of keys used for generating RRSIG records for RRsets of type $1
+# found in dig output file $2.
+get_keys_which_signed() {
+	_qtype=$1
+	_output=$2
+	# The key ID is the 11th column of the RRSIG record line.
+	awk -v qt="$_qtype" '$4 == "RRSIG" && $5 == qt {print $11}' < "$_output"
+}
+
+# Get the key ids from key files for zone $2 in directory $1.
+get_keyids() {
+	_dir=$1
+	_zone=$2
+	_regex="K${_zone}.+*+*.key"
+
+	find "${_dir}" -mindepth 1 -maxdepth 1 -name "${_regex}" | sed "s,$_dir/K${_zone}.+\([0-9]\{3\}\)+\([0-9]\{5\}\).key,\2,"
+}
+
+# By default log errors and don't quit immediately.
+_log=1
+_log_error() {
+	test $_log -eq 1 && echo_i "error: $1"
+	ret=$((ret+1))
+}
+disable_logerror() {
+	_log=0
+}
+enable_logerror() {
+	_log=1
+}
+
+# Set server key-directory ($1) and address ($2) for testing keys.
+set_server() {
+	DIR=$1
+	SERVER=$2
+}
+# Set zone name for testing keys.
+set_zone() {
+	ZONE=$1
+	DYNAMIC="no"
+}
+# By default zones are considered static.
+# When testing dynamic zones, call 'set_dynamic' after 'set_zone'.
+set_dynamic() {
+	DYNAMIC="yes"
+}
+
+# Set policy settings (name $1, number of keys $2, dnskey ttl $3) for testing keys.
+set_policy() {
+	POLICY=$1
+	NUM_KEYS=$2
+	DNSKEY_TTL=$3
+	CDS_DELETE="no"
+}
+# By default policies are considered to be secure.
+# If a zone sets its policy to "insecure", call 'set_cdsdelete' to tell the
+# system test to expect a CDS and CDNSKEY Delete record.
+set_cdsdelete() {
+	CDS_DELETE="yes"
+}
+
+# Set key properties for testing keys.
+# $1: Key to update (KEY1, KEY2, ...)
+# $2: Value
+set_keyrole() {
+	key_set "$1" "EXPECT" "yes"
+	key_set "$1" "ROLE" "$2"
+	key_set "$1" "KSK" "no"
+	key_set "$1" "ZSK" "no"
+	key_set "$1" "FLAGS" "0"
+
+	test "$2" = "ksk" && key_set "$1" "KSK" "yes"
+	test "$2" = "ksk" && key_set "$1" "FLAGS" "257"
+
+	test "$2" = "zsk" && key_set "$1" "ZSK" "yes"
+	test "$2" = "zsk" && key_set "$1" "FLAGS" "256"
+
+	test "$2" = "csk" && key_set "$1" "KSK" "yes"
+	test "$2" = "csk" && key_set "$1" "ZSK" "yes"
+	test "$2" = "csk" && key_set "$1" "FLAGS" "257"
+}
+set_keylifetime() {
+	key_set "$1" "EXPECT" "yes"
+	key_set "$1" "LIFETIME" "$2"
+}
+# The algorithm value consists of three parts:
+# $2: Algorithm (number)
+# $3: Algorithm (string-format)
+# $4: Algorithm length
+set_keyalgorithm() {
+	key_set "$1" "EXPECT" "yes"
+	key_set "$1" "ALG_NUM" "$2"
+	key_set "$1" "ALG_STR" "$3"
+	key_set "$1" "ALG_LEN" "$4"
+}
+set_keysigning() {
+	key_set "$1" "EXPECT" "yes"
+	key_set "$1" "EXPECT_KRRSIG" "$2"
+}
+set_zonesigning() {
+	key_set "$1" "EXPECT" "yes"
+	key_set "$1" "EXPECT_ZRRSIG" "$2"
+}
+
+# Set key timing metadata. Set to "none" to unset.
+# $1: Key to update (KEY1, KEY2, ...)
+# $2: Time to update (PUBLISHED, SYNCPUBLISH, ACTIVE, RETIRED, REVOKED, or REMOVED).
+# $3: Value
+set_keytime() {
+	key_set "$1" "EXPECT" "yes"
+	key_set "$1" "$2" "$3"
+}
+
+# Set key timing metadata to a value plus additional time.
+# $1: Key to update (KEY1, KEY2, ...)
+# $2: Time to update (PUBLISHED, SYNCPUBLISH, ACTIVE, RETIRED, REVOKED, or REMOVED).
+# $3: Value
+# $4: Additional time.
+set_addkeytime() {
+	if [ -x "$PYTHON" ]; then
+		# Convert "%Y%m%d%H%M%S" format to epoch seconds.
+		# Then, add the additional time (can be negative).
+		_value=$3
+		_plus=$4
+		$PYTHON > python.out.$ZONE.$1.$2 <<EOF
+from datetime import datetime
+from datetime import timedelta
+_now = datetime.strptime("$_value", "%Y%m%d%H%M%S")
+_delta = timedelta(seconds=$_plus)
+_then = _now + _delta
+print(_then.strftime("%Y%m%d%H%M%S"));
+EOF
+		# Set the expected timing metadata.
+		key_set "$1" "$2" $(cat python.out.$ZONE.$1.$2)
+	fi
+}
+
+# Set key state metadata. Set to "none" to unset.
+# $1: Key to update (KEY1, KEY2, ...)
+# $2: Key state to update (GOAL, STATE_DNSKEY, STATE_ZRRSIG, STATE_KRRSIG, or STATE_DS)
+# $3: Value
+set_keystate() {
+	key_set "$1" "EXPECT" "yes"
+	key_set "$1" "$2" "$3"
+}
+
+# Check the key $1 with id $2.
+# This requires environment variables to be set.
+#
+# This will set the following environment variables for testing:
+# BASE_FILE="${_dir}/K${_zone}.+${_alg_numpad}+${_key_idpad}"
+# KEY_FILE="${BASE_FILE}.key"
+# PRIVATE_FILE="${BASE_FILE}.private"
+# STATE_FILE="${BASE_FILE}.state"
+# KEY_ID=$(echo $1 | sed 's/^0\{0,4\}//')
+# KEY_CREATED (from the KEY_FILE)
+check_key() {
+	_dir="$DIR"
+	_zone="$ZONE"
+	_role=$(key_get "$1" ROLE)
+	_key_idpad="$2"
+	_key_id=$(echo "$_key_idpad" | sed 's/^0\{0,4\}//')
+	_alg_num=$(key_get "$1" ALG_NUM)
+	_alg_numpad=$(printf "%03d" "$_alg_num")
+	_alg_string=$(key_get "$1" ALG_STR)
+	_length=$(key_get "$1" "ALG_LEN")
+	_dnskey_ttl="$DNSKEY_TTL"
+	_lifetime=$(key_get "$1" LIFETIME)
+	_legacy=$(key_get "$1" LEGACY)
+	_private=$(key_get "$1" PRIVATE)
+	_flags=$(key_get "$1" FLAGS)
+
+	_published=$(key_get "$1" PUBLISHED)
+	_active=$(key_get "$1" ACTIVE)
+	_retired=$(key_get "$1" RETIRED)
+	_revoked=$(key_get "$1" REVOKED)
+	_removed=$(key_get "$1" REMOVED)
+
+	_goal=$(key_get "$1" GOAL)
+	_state_dnskey=$(key_get "$1" STATE_DNSKEY)
+	_state_zrrsig=$(key_get "$1" STATE_ZRRSIG)
+	_state_krrsig=$(key_get "$1" STATE_KRRSIG)
+	_state_ds=$(key_get "$1" STATE_DS)
+
+	_ksk="no"
+	_zsk="no"
+	if [ "$_role" = "ksk" ]; then
+		_ksk="yes"
+	elif [ "$_role" = "zsk" ]; then
+		_zsk="yes"
+	elif [ "$_role" = "csk" ]; then
+		_zsk="yes"
+		_ksk="yes"
+	fi
+
+	_role2="none"
+	if [ "$_flags" = "257" ]; then
+		_role2="key-signing"
+	elif [ "$_flags" = "256" ]; then
+		_role2="zone-signing"
+	fi
+
+	BASE_FILE="${_dir}/K${_zone}.+${_alg_numpad}+${_key_idpad}"
+	KEY_FILE="${BASE_FILE}.key"
+	PRIVATE_FILE="${BASE_FILE}.private"
+	STATE_FILE="${BASE_FILE}.state"
+	KEY_ID="${_key_id}"
+
+	# Check file existence.
+	[ -s "$KEY_FILE" ] || ret=1
+	if [ "$_private" = "yes" ]; then
+		[ -s "$PRIVATE_FILE" ] || ret=1
+	fi
+	if [ "$_legacy" = "no" ]; then
+		[ -s "$STATE_FILE" ] || ret=1
+	fi
+	[ "$ret" -eq 0 ] || _log_error "${BASE_FILE} files missing"
+	[ "$ret" -eq 0 ] || return
+
+	# Retrieve creation date.
+	grep "; Created:" "$KEY_FILE" > "${ZONE}.${KEY_ID}.${_alg_num}.created" || _log_error "mismatch created comment in $KEY_FILE"
+	KEY_CREATED=$(awk '{print $3}' < "${ZONE}.${KEY_ID}.${_alg_num}.created")
+
+	if [ "$_private" = "yes" ]; then
+		grep "Created: ${KEY_CREATED}" "$PRIVATE_FILE" > /dev/null || _log_error "mismatch created in $PRIVATE_FILE"
+	fi
+	if [ "$_legacy" = "no" ]; then
+		grep "Generated: ${KEY_CREATED}" "$STATE_FILE" > /dev/null || _log_error "mismatch generated in $STATE_FILE"
+	fi
+
+	test $_log -eq 1 && echo_i "check key file $BASE_FILE"
+
+	# Check the public key file.
+	grep "This is a ${_role2} key, keyid ${_key_id}, for ${_zone}." "$KEY_FILE" > /dev/null || _log_error "mismatch top comment in $KEY_FILE"
+	grep "${_zone}\. ${_dnskey_ttl} IN DNSKEY ${_flags} 3 ${_alg_num}" "$KEY_FILE" > /dev/null || _log_error "mismatch DNSKEY record in $KEY_FILE"
+	# Now check the private key file.
+	if [ "$_private" = "yes" ]; then
+		grep "Private-key-format: v1.3" "$PRIVATE_FILE" > /dev/null || _log_error "mismatch private key format in $PRIVATE_FILE"
+		grep "Algorithm: ${_alg_num} (${_alg_string})" "$PRIVATE_FILE" > /dev/null || _log_error "mismatch algorithm in $PRIVATE_FILE"
+	fi
+	# Now check the key state file.
+	if [ "$_legacy" = "no" ]; then
+		grep "This is the state of key ${_key_id}, for ${_zone}." "$STATE_FILE" > /dev/null || _log_error "mismatch top comment in $STATE_FILE"
+		if [ "$_lifetime" = "none" ]; then
+			grep "Lifetime: " "$STATE_FILE" > /dev/null && _log_error "unexpected lifetime in $STATE_FILE"
+		else
+			grep "Lifetime: ${_lifetime}" "$STATE_FILE" > /dev/null || _log_error "mismatch lifetime in $STATE_FILE"
+		fi
+		grep "Algorithm: ${_alg_num}" "$STATE_FILE" > /dev/null || _log_error "mismatch algorithm in $STATE_FILE"
+		grep "Length: ${_length}" "$STATE_FILE" > /dev/null || _log_error "mismatch length in $STATE_FILE"
+		grep "KSK: ${_ksk}" "$STATE_FILE" > /dev/null || _log_error "mismatch ksk in $STATE_FILE"
+		grep "ZSK: ${_zsk}" "$STATE_FILE" > /dev/null || _log_error "mismatch zsk in $STATE_FILE"
+
+		# Check key states.
+		if [ "$_goal" = "none" ]; then
+			grep "GoalState: " "$STATE_FILE" > /dev/null && _log_error "unexpected goal state in $STATE_FILE"
+		else
+			grep "GoalState: ${_goal}" "$STATE_FILE" > /dev/null || _log_error "mismatch goal state in $STATE_FILE"
+		fi
+
+		if [ "$_state_dnskey" = "none" ]; then
+			grep "DNSKEYState: " "$STATE_FILE" > /dev/null && _log_error "unexpected dnskey state in $STATE_FILE"
+			grep "DNSKEYChange: " "$STATE_FILE" > /dev/null && _log_error "unexpected dnskey change in $STATE_FILE"
+		else
+			grep "DNSKEYState: ${_state_dnskey}" "$STATE_FILE" > /dev/null || _log_error "mismatch dnskey state in $STATE_FILE"
+			grep "DNSKEYChange: " "$STATE_FILE" > /dev/null || _log_error "mismatch dnskey change in $STATE_FILE"
+		fi
+
+		if [ "$_state_zrrsig" = "none" ]; then
+			grep "ZRRSIGState: " "$STATE_FILE" > /dev/null && _log_error "unexpected zrrsig state in $STATE_FILE"
+			grep "ZRRSIGChange: " "$STATE_FILE" > /dev/null && _log_error "unexpected zrrsig change in $STATE_FILE"
+		else
+			grep "ZRRSIGState: ${_state_zrrsig}" "$STATE_FILE" > /dev/null || _log_error "mismatch zrrsig state in $STATE_FILE"
+			grep "ZRRSIGChange: " "$STATE_FILE" > /dev/null || _log_error "mismatch zrrsig change in $STATE_FILE"
+		fi
+
+		if [ "$_state_krrsig" = "none" ]; then
+			grep "KRRSIGState: " "$STATE_FILE" > /dev/null && _log_error "unexpected krrsig state in $STATE_FILE"
+			grep "KRRSIGChange: " "$STATE_FILE" > /dev/null && _log_error "unexpected krrsig change in $STATE_FILE"
+		else
+			grep "KRRSIGState: ${_state_krrsig}" "$STATE_FILE" > /dev/null || _log_error "mismatch krrsig state in $STATE_FILE"
+			grep "KRRSIGChange: " "$STATE_FILE" > /dev/null || _log_error "mismatch krrsig change in $STATE_FILE"
+		fi
+
+		if [ "$_state_ds" = "none" ]; then
+			grep "DSState: " "$STATE_FILE" > /dev/null && _log_error "unexpected ds state in $STATE_FILE"
+			grep "DSChange: " "$STATE_FILE" > /dev/null && _log_error "unexpected ds change in $STATE_FILE"
+		else
+			grep "DSState: ${_state_ds}" "$STATE_FILE" > /dev/null || _log_error "mismatch ds state in $STATE_FILE"
+			grep "DSChange: " "$STATE_FILE" > /dev/null || _log_error "mismatch ds change in $STATE_FILE"
+		fi
+	fi
+}
+
+# Check the key timing metadata for key $1.
+check_timingmetadata() {
+	_dir="$DIR"
+	_zone="$ZONE"
+	_key_idpad=$(key_get "$1" ID)
+	_key_id=$(echo "$_key_idpad" | sed 's/^0\{0,4\}//')
+	_alg_num=$(key_get "$1" ALG_NUM)
+	_alg_numpad=$(printf "%03d" "$_alg_num")
+
+	_published=$(key_get "$1" PUBLISHED)
+	_active=$(key_get "$1" ACTIVE)
+	_retired=$(key_get "$1" RETIRED)
+	_revoked=$(key_get "$1" REVOKED)
+	_removed=$(key_get "$1" REMOVED)
+
+	_goal=$(key_get "$1" GOAL)
+	_state_dnskey=$(key_get "$1" STATE_DNSKEY)
+	_state_zrrsig=$(key_get "$1" STATE_ZRRSIG)
+	_state_krrsig=$(key_get "$1" STATE_KRRSIG)
+	_state_ds=$(key_get "$1" STATE_DS)
+
+	_base_file=$(key_get "$1" BASEFILE)
+	_key_file="${_base_file}.key"
+	_private_file="${_base_file}.private"
+	_state_file="${_base_file}.state"
+	_legacy=$(key_get "$1" LEGACY)
+	_private=$(key_get "$1" PRIVATE)
+
+	_published=$(key_get "$1" PUBLISHED)
+	_syncpublish=$(key_get "$1" SYNCPUBLISH)
+	_active=$(key_get "$1" ACTIVE)
+	_retired=$(key_get "$1" RETIRED)
+	_revoked=$(key_get "$1" REVOKED)
+	_removed=$(key_get "$1" REMOVED)
+
+	# Check timing metadata.
+	n=$((n+1))
+	echo_i "check key timing metadata for key $1 id ${_key_id} zone ${ZONE} ($n)"
+	ret=0
+
+	if [ "$_published" = "none" ]; then
+		grep "; Publish:" "${_key_file}" > /dev/null && _log_error "unexpected publish comment in ${_key_file}"
+		if [ "$_private" = "yes" ]; then
+			grep "Publish:" "${_private_file}" > /dev/null && _log_error "unexpected publish in ${_private_file}"
+		fi
+		if [ "$_legacy" = "no" ]; then
+			grep "Published: " "${_state_file}" > /dev/null && _log_error "unexpected publish in ${_state_file}"
+		fi
+	else
+		grep "; Publish: $_published" "${_key_file}" > /dev/null || _log_error "mismatch publish comment in ${_key_file} (expected ${_published})"
+		if [ "$_private" = "yes" ]; then
+			grep "Publish: $_published" "${_private_file}" > /dev/null || _log_error "mismatch publish in ${_private_file} (expected ${_published})"
+		fi
+		if [ "$_legacy" = "no" ]; then
+			grep "Published: $_published" "${_state_file}" > /dev/null || _log_error "mismatch publish in ${_state_file} (expected ${_published})"
+		fi
+	fi
+
+	if [ "$_syncpublish" = "none" ]; then
+		grep "; SyncPublish:" "${_key_file}" > /dev/null && _log_error "unexpected syncpublish comment in ${_key_file}"
+		if [ "$_private" = "yes" ]; then
+			grep "SyncPublish:" "${_private_file}" > /dev/null && _log_error "unexpected syncpublish in ${_private_file}"
+		fi
+		if [ "$_legacy" = "no" ]; then
+			grep "PublishCDS: " "${_state_file}" > /dev/null && _log_error "unexpected syncpublish in ${_state_file}"
+		fi
+	else
+		grep "; SyncPublish: $_syncpublish" "${_key_file}" > /dev/null || _log_error "mismatch syncpublish comment in ${_key_file} (expected ${_syncpublish})"
+		if [ "$_private" = "yes" ]; then
+			grep "SyncPublish: $_syncpublish" "${_private_file}" > /dev/null || _log_error "mismatch syncpublish in ${_private_file} (expected ${_syncpublish})"
+		fi
+		if [ "$_legacy" = "no" ]; then
+			grep "PublishCDS: $_syncpublish" "${_state_file}" > /dev/null || _log_error "mismatch syncpublish in ${_state_file} (expected ${_syncpublish})"
+		fi
+	fi
+
+	if [ "$_active" = "none" ]; then
+		grep "; Activate:" "${_key_file}" > /dev/null && _log_error "unexpected active comment in ${_key_file}"
+		if [ "$_private" = "yes" ]; then
+			grep "Activate:" "${_private_file}" > /dev/null && _log_error "unexpected active in ${_private_file}"
+		fi
+		if [ "$_legacy" = "no" ]; then
+			grep "Active: " "${_state_file}" > /dev/null && _log_error "unexpected active in ${_state_file}"
+		fi
+	else
+		grep "; Activate: $_active" "${_key_file}" > /dev/null || _log_error "mismatch active comment in ${_key_file} (expected ${_active})"
+		if [ "$_private" = "yes" ]; then
+			grep "Activate: $_active" "${_private_file}" > /dev/null || _log_error "mismatch active in ${_private_file} (expected ${_active})"
+		fi
+		if [ "$_legacy" = "no" ]; then
+			grep "Active: $_active" "${_state_file}" > /dev/null || _log_error "mismatch active in ${_state_file} (expected ${_active})"
+		fi
+	fi
+
+	if [ "$_retired" = "none" ]; then
+		grep "; Inactive:" "${_key_file}" > /dev/null && _log_error "unexpected retired comment in ${_key_file}"
+		if [ "$_private" = "yes" ]; then
+			grep "Inactive:" "${_private_file}" > /dev/null && _log_error "unexpected retired in ${_private_file}"
+		fi
+		if [ "$_legacy" = "no" ]; then
+			grep "Retired: " "${_state_file}" > /dev/null && _log_error "unexpected retired in ${_state_file}"
+		fi
+	else
+		grep "; Inactive: $_retired" "${_key_file}" > /dev/null || _log_error "mismatch retired comment in ${_key_file} (expected ${_retired})"
+		if [ "$_private" = "yes" ]; then
+			grep "Inactive: $_retired" "${_private_file}" > /dev/null || _log_error "mismatch retired in ${_private_file} (expected ${_retired})"
+		fi
+		if [ "$_legacy" = "no" ]; then
+			grep "Retired: $_retired" "${_state_file}" > /dev/null || _log_error "mismatch retired in ${_state_file} (expected ${_retired})"
+		fi
+	fi
+
+	if [ "$_revoked" = "none" ]; then
+		grep "; Revoke:" "${_key_file}" > /dev/null && _log_error "unexpected revoked comment in ${_key_file}"
+		if [ "$_private" = "yes" ]; then
+			grep "Revoke:" "${_private_file}" > /dev/null && _log_error "unexpected revoked in ${_private_file}"
+		fi
+		if [ "$_legacy" = "no" ]; then
+			grep "Revoked: " "${_state_file}" > /dev/null && _log_error "unexpected revoked in ${_state_file}"
+		fi
+	else
+		grep "; Revoke: $_revoked" "${_key_file}" > /dev/null || _log_error "mismatch revoked comment in ${_key_file} (expected ${_revoked})"
+		if [ "$_private" = "yes" ]; then
+			grep "Revoke: $_revoked" "${_private_file}" > /dev/null || _log_error "mismatch revoked in ${_private_file} (expected ${_revoked})"
+		fi
+		if [ "$_legacy" = "no" ]; then
+			grep "Revoked: $_revoked" "${_state_file}" > /dev/null || _log_error "mismatch revoked in ${_state_file} (expected ${_revoked})"
+		fi
+	fi
+
+	if [ "$_removed" = "none" ]; then
+		grep "; Delete:" "${_key_file}" > /dev/null && _log_error "unexpected removed comment in ${_key_file}"
+		if [ "$_private" = "yes" ]; then
+			grep "Delete:" "${_private_file}" > /dev/null && _log_error "unexpected removed in ${_private_file}"
+		fi
+		if [ "$_legacy" = "no" ]; then
+			grep "Removed: " "${_state_file}" > /dev/null && _log_error "unexpected removed in ${_state_file}"
+		fi
+	else
+		grep "; Delete: $_removed" "${_key_file}" > /dev/null || _log_error "mismatch removed comment in ${_key_file} (expected ${_removed})"
+		if [ "$_private" = "yes" ]; then
+			grep "Delete: $_removed" "${_private_file}" > /dev/null || _log_error "mismatch removed in ${_private_file} (expected ${_removed})"
+		fi
+		if [ "$_legacy" = "no" ]; then
+			grep "Removed: $_removed" "${_state_file}" > /dev/null || _log_error "mismatch removed in ${_state_file} (expected ${_removed})"
+		fi
+	fi
+
+	test "$ret" -eq 0 || echo_i "failed"
+	status=$((status+ret))
+}
+
+check_keytimes() {
+	# The script relies on Python to set keytimes.
+	if [ -x "$PYTHON" ]; then
+
+		if [ "$(key_get KEY1 EXPECT)" = "yes" ]; then
+			check_timingmetadata "KEY1"
+		fi
+		if [ "$(key_get KEY2 EXPECT)" = "yes" ]; then
+			check_timingmetadata "KEY2"
+		fi
+		if [ "$(key_get KEY3 EXPECT)" = "yes" ]; then
+			check_timingmetadata "KEY3"
+		fi
+		if [ "$(key_get KEY4 EXPECT)" = "yes" ]; then
+			check_timingmetadata "KEY4"
+		fi
+	fi
+}
+
+# Check the key with key id $1 and see if it is unused.
+# This requires environment variables to be set.
+#
+# This will set the following environment variables for testing:
+# BASE_FILE="${_dir}/K${_zone}.+${_alg_numpad}+${_key_idpad}"
+# KEY_FILE="${BASE_FILE}.key"
+# PRIVATE_FILE="${BASE_FILE}.private"
+# STATE_FILE="${BASE_FILE}.state"
+# KEY_ID=$(echo $1 | sed 's/^0\{0,4\}//')
+key_unused() {
+	_dir=$DIR
+	_zone=$ZONE
+	_key_idpad=$1
+	_key_id=$(echo "$_key_idpad" | sed 's/^0\{0,4\}//')
+	_alg_num=$2
+        _alg_numpad=$(printf "%03d" "$_alg_num")
+
+	BASE_FILE="${_dir}/K${_zone}.+${_alg_numpad}+${_key_idpad}"
+	KEY_FILE="${BASE_FILE}.key"
+	PRIVATE_FILE="${BASE_FILE}.private"
+	STATE_FILE="${BASE_FILE}.state"
+	KEY_ID="${_key_id}"
+
+	test $_log -eq 1 && echo_i "key unused $KEY_ID?"
+
+	# Check file existence.
+	[ -s "$KEY_FILE" ] || ret=1
+	[ -s "$PRIVATE_FILE" ] || ret=1
+	[ -s "$STATE_FILE" ] || ret=1
+	[ "$ret" -eq 0 ] || return
+
+	# Treat keys that have been removed from the zone as unused.
+	_check_removed=1
+	grep "; Created:" "$KEY_FILE" > created.key-${KEY_ID}.test${n} || _check_removed=0
+	grep "; Delete:" "$KEY_FILE" > unused.key-${KEY_ID}.test${n} || _check_removed=0
+	if [ "$_check_removed" -eq 1 ]; then
+		_created=$(awk '{print $3}' < created.key-${KEY_ID}.test${n})
+		_removed=$(awk '{print $3}' < unused.key-${KEY_ID}.test${n})
+		[ "$_removed" -le "$_created" ] && return
+	fi
+
+	# If no timing metadata is set, this key is unused.
+	grep "; Publish:" "$KEY_FILE" > /dev/null && _log_error "unexpected publish comment in $KEY_FILE"
+	grep "; Activate:" "$KEY_FILE" > /dev/null && _log_error "unexpected active comment in $KEY_FILE"
+	grep "; Inactive:" "$KEY_FILE" > /dev/null && _log_error "unexpected retired comment in $KEY_FILE"
+	grep "; Revoke:" "$KEY_FILE" > /dev/null && _log_error "unexpected revoked comment in $KEY_FILE"
+	grep "; Delete:" "$KEY_FILE" > /dev/null && _log_error "unexpected removed comment in $KEY_FILE"
+
+	grep "Publish:" "$PRIVATE_FILE" > /dev/null && _log_error "unexpected publish in $PRIVATE_FILE"
+	grep "Activate:" "$PRIVATE_FILE" > /dev/null && _log_error "unexpected active in $PRIVATE_FILE"
+	grep "Inactive:" "$PRIVATE_FILE" > /dev/null && _log_error "unexpected retired in $PRIVATE_FILE"
+	grep "Revoke:" "$PRIVATE_FILE" > /dev/null && _log_error "unexpected revoked in $PRIVATE_FILE"
+	grep "Delete:" "$PRIVATE_FILE" > /dev/null && _log_error "unexpected removed in $PRIVATE_FILE"
+
+	grep "Published: " "$STATE_FILE" > /dev/null && _log_error "unexpected publish in $STATE_FILE"
+	grep "Active: " "$STATE_FILE" > /dev/null && _log_error "unexpected active in $STATE_FILE"
+	grep "Retired: " "$STATE_FILE" > /dev/null && _log_error "unexpected retired in $STATE_FILE"
+	grep "Revoked: " "$STATE_FILE" > /dev/null && _log_error "unexpected revoked in $STATE_FILE"
+	grep "Removed: " "$STATE_FILE" > /dev/null && _log_error "unexpected removed in $STATE_FILE"
+}
+
+# Test: dnssec-verify zone $1.
+dnssec_verify()
+{
+	n=$((n+1))
+	echo_i "dnssec-verify zone ${ZONE} ($n)"
+	ret=0
+	_dig_with_opts "$ZONE" "@${SERVER}" AXFR > dig.out.axfr.test$n || _log_error "dig ${ZONE} AXFR failed"
+	$VERIFY -z -o "$ZONE" dig.out.axfr.test$n > verify.out.$ZONE.test$n || _log_error "dnssec verify zone $ZONE failed"
+	test "$ret" -eq 0 || echo_i "failed"
+	status=$((status+ret))
+}
+
+# Wait for the zone to be signed.
+# The apex NSEC record indicates that it is signed.
+_wait_for_nsec() {
+	_dig_with_opts "@${SERVER}" "$ZONE" NSEC > "dig.out.nsec.test$n" || return 1
+	grep "NS SOA" "dig.out.nsec.test$n" > /dev/null || return 1
+	grep "${ZONE}\..*IN.*RRSIG" "dig.out.nsec.test$n" > /dev/null || return 1
+	return 0
+}
+wait_for_nsec() {
+	n=$((n+1))
+	ret=0
+	echo_i "wait for ${ZONE} to be signed ($n)"
+	retry_quiet 10 _wait_for_nsec  || _log_error "wait for ${ZONE} to be signed failed"
+	test "$ret" -eq 0 || echo_i "failed"
+	status=$((status+ret))
+}
+
+check_numkeys() {
+	_numkeys=$(get_keyids "$DIR" "$ZONE" | wc -l)
+	test "$_numkeys" -eq "$NUM_KEYS" || return 1
+	return 0
+}
+
+_check_keys() {
+	ret=0
+	_ret=0
+
+	# Clear key ids.
+	key_set KEY1 ID "no"
+	key_set KEY2 ID "no"
+	key_set KEY3 ID "no"
+	key_set KEY4 ID "no"
+
+	# Check key files.
+	_ids=$(get_keyids "$DIR" "$ZONE")
+	for _id in $_ids; do
+		# There are multiple key files with the same algorithm.
+		# Check them until a match is found.
+		ret=0
+		echo_i "check key id $_id"
+
+		if [ "no" = "$(key_get KEY1 ID)" ] && [ "$(key_get KEY1 EXPECT)" = "yes" ]; then
+			ret=0
+			check_key "KEY1" "$_id"
+			test "$ret" -eq 0 && key_save KEY1 && continue
+		fi
+		if [ "no" = "$(key_get KEY2 ID)" ] && [ "$(key_get KEY2 EXPECT)" = "yes" ]; then
+			ret=0
+			check_key "KEY2" "$_id"
+			test "$ret" -eq 0 && key_save KEY2 && continue
+		fi
+		if [ "no" = "$(key_get KEY3 ID)" ] && [ "$(key_get KEY3 EXPECT)" = "yes"  ]; then
+			ret=0
+			check_key "KEY3" "$_id"
+			test "$ret" -eq 0 && key_save KEY3 && continue
+		fi
+		if [ "no" = "$(key_get KEY4 ID)" ] && [ "$(key_get KEY4 EXPECT)" = "yes"  ]; then
+			ret=0
+			check_key "KEY4" "$_id"
+			test "$ret" -eq 0 && key_save KEY4 && continue
+		fi
+
+		# This may be an unused key. Assume algorithm of KEY1.
+		ret=0 && key_unused "$_id" "$(key_get KEY1 ALG_NUM)"
+		test "$ret" -eq 0 && continue
+
+		# If ret is still non-zero, none of the files matched.
+		echo_i "failed"
+		_ret=1
+	done
+
+	return $_ret
+}
+
+# Check keys for a configured zone. This verifies:
+# 1. The right number of keys exist in the key pool ($1).
+# 2. The right number of keys is active. Checks KEY1, KEY2, KEY3, and KEY4.
+#
+# It is expected that KEY1, KEY2, KEY3, and KEY4 arrays are set correctly.
+# Found key identifiers are stored in the right key array.
+check_keys() {
+	n=$((n+1))
+	echo_i "check keys are created for zone ${ZONE} ($n)"
+	ret=0
+
+	echo_i "check number of keys for zone ${ZONE} in dir ${DIR} ($n)"
+	retry_quiet 10 check_numkeys || ret=1
+	if [ $ret -ne 0 ]; then
+		_numkeys=$(get_keyids "$DIR" "$ZONE" | wc -l)
+		_log_error "bad number of key files ($_numkeys) for zone $ZONE (expected $NUM_KEYS)"
+		status=$((status+ret))
+	fi
+
+	# Temporarily don't log errors because we are searching multiple files.
+	disable_logerror
+
+	retry_quiet 3 _check_keys || ret=1
+	test "$ret" -eq 0 || echo_i "failed"
+	status=$((status+ret))
+
+	# Turn error logs on again.
+	enable_logerror
+
+	ret=0
+	if [ "$(key_get KEY1 EXPECT)" = "yes" ]; then
+		echo_i "KEY1 ID $(key_get KEY1 ID)"
+		test "no" = "$(key_get KEY1 ID)" && _log_error "No KEY1 found for zone ${ZONE}"
+	fi
+	if [ "$(key_get KEY2 EXPECT)" = "yes" ]; then
+		echo_i "KEY2 ID $(key_get KEY2 ID)"
+		test "no" = "$(key_get KEY2 ID)" && _log_error "No KEY2 found for zone ${ZONE}"
+	fi
+	if [ "$(key_get KEY3 EXPECT)" = "yes" ]; then
+		echo_i "KEY3 ID $(key_get KEY3 ID)"
+		test "no" = "$(key_get KEY3 ID)" && _log_error "No KEY3 found for zone ${ZONE}"
+	fi
+	if [ "$(key_get KEY4 EXPECT)" = "yes" ]; then
+		echo_i "KEY4 ID $(key_get KEY4 ID)"
+		test "no" = "$(key_get KEY4 ID)" && _log_error "No KEY4 found for zone ${ZONE}"
+	fi
+	test "$ret" -eq 0 || echo_i "failed"
+	status=$((status+ret))
+}
+
+# Call rndc dnssec -status on server $1 for zone $3 in view $4 with policy $2
+# and check output. This is a loose verification, it just tests if the right
+# policy name is returned, and if all expected keys are listed.  The rndc
+# dnssec -status output also lists whether a key is published,
+# used for signing, is retired, or is removed, and if not when
+# it is scheduled to do so, and it shows the states for the various
+# DNSSEC records.
+check_dnssecstatus() {
+	_server=$1
+	_policy=$2
+	_zone=$3
+	_view=$4
+
+	n=$((n+1))
+	echo_i "check rndc dnssec -status output for ${_zone} (policy: $_policy) ($n)"
+	ret=0
+
+	_rndccmd $_server dnssec -status $_zone in $_view > rndc.dnssec.status.out.$_zone.$n || _log_error "rndc dnssec -status zone ${_zone} failed"
+
+	if [ "$_policy" = "none" ]; then
+		grep "Zone does not have dnssec-policy" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "bad dnssec status for unsigned zone ${_zone}"
+	else
+		grep "dnssec-policy: ${_policy}" rndc.dnssec.status.out.$_zone.$n > /dev/null || _log_error "bad dnssec status for signed zone ${_zone}"
+		if [ "$(key_get KEY1 EXPECT)" = "yes" ]; then
+			grep "key: $(key_get KEY1 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || _log_error "missing key $(key_get KEY1 ID) from dnssec status"
+		fi
+		if [ "$(key_get KEY2 EXPECT)" = "yes" ]; then
+			grep "key: $(key_get KEY2 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || _log_error "missing key $(key_get KEY2 ID) from dnssec status"
+		fi
+		if [ "$(key_get KEY3 EXPECT)" = "yes" ]; then
+			grep "key: $(key_get KEY3 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || _log_error "missing key $(key_get KEY3 ID) from dnssec status"
+		fi
+		if [ "$(key_get KEY4 EXPECT)" = "yes" ]; then
+			grep "key: $(key_get KEY4 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || _log_error "missing key $(key_get KEY4 ID) from dnssec status"
+		fi
+	fi
+
+	test "$ret" -eq 0 || echo_i "failed"
+	status=$((status+ret))
+}
+
+# Call rndc zonestatus on server $1 for zone $2 in view $3 and check output if
+# inline-signing is enabled.
+check_inlinesigning() {
+	_server=$1
+	_zone=$2
+	_view=$3
+
+	_rndccmd $_server zonestatus $_zone in $_view > rndc.zonestatus.out.$_zone.$n || return 1
+	grep "inline signing: yes" rndc.zonestatus.out.$_zone.$n > /dev/null || return 1
+}
+
+# Call rndc zonestatus on server $1 for zone $2 in view $3 and check output if
+# the zone is dynamic.
+check_isdynamic() {
+	_server=$1
+	_zone=$2
+	_view=$3
+
+	_rndccmd $_server zonestatus $_zone in $_view > rndc.zonestatus.out.$_zone.$n || return 1
+	grep "dynamic: yes" rndc.zonestatus.out.$_zone.$n > /dev/null || return 1
+}
+
+# Check if RRset of type $1 in file $2 is signed with the right keys.
+# The right keys are the ones that expect a signature and matches the role $3.
+_check_signatures() {
+	_qtype=$1
+	_file=$2
+	_role=$3
+
+	numsigs=0
+
+	if [ "$_role" = "KSK" ]; then
+		_expect_type=EXPECT_KRRSIG
+	elif [ "$_role" = "ZSK" ]; then
+		_expect_type=EXPECT_ZRRSIG
+	fi
+
+	if [ "$(key_get KEY1 "$_expect_type")" = "yes" ] && [ "$(key_get KEY1 "$_role")" = "yes" ]; then
+		get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY1 ID)$" > /dev/null || return 1
+		numsigs=$((numsigs+1))
+	elif [ "$(key_get KEY1 EXPECT)" = "yes" ]; then
+		get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY1 ID)$" > /dev/null && return 1
+	fi
+
+	if [ "$(key_get KEY2 "$_expect_type")" = "yes" ] && [ "$(key_get KEY2 "$_role")" = "yes" ]; then
+		get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY2 ID)$" > /dev/null || return 1
+		numsigs=$((numsigs+1))
+	elif [ "$(key_get KEY2 EXPECT)" = "yes" ]; then
+		get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY2 ID)$" > /dev/null && return 1
+	fi
+
+	if [ "$(key_get KEY3 "$_expect_type")" = "yes" ] && [ "$(key_get KEY3 "$_role")" = "yes" ]; then
+		get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY3 ID)$" > /dev/null || return 1
+		numsigs=$((numsigs+1))
+	elif [ "$(key_get KEY3 EXPECT)" = "yes" ]; then
+		get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY3 ID)$" > /dev/null && return 1
+	fi
+
+	if [ "$(key_get KEY4 "$_expect_type")" = "yes" ] && [ "$(key_get KEY4 "$_role")" = "yes" ]; then
+		get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY4 ID)$" > /dev/null || return 1
+		numsigs=$((numsigs+1))
+	elif [ "$(key_get KEY4 EXPECT)" = "yes" ]; then
+		get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY4 ID)$" > /dev/null && return 1
+	fi
+
+	lines=$(get_keys_which_signed "${_qtype}" "${_file}" | wc -l)
+	test "$lines" -eq "$numsigs" || echo_i "bad number of signatures for $_qtype (got $lines, expected $numsigs)"
+	test "$lines" -eq "$numsigs" || return 1
+
+	return 0
+}
+check_signatures() {
+	retry_quiet 3 _check_signatures $1 $2 $3 || _log_error "RRset $1 in zone $ZONE incorrectly signed"
+}
+
+response_has_cds_for_key() (
+	awk -v zone="${ZONE%%.}." \
+	    -v ttl="${DNSKEY_TTL}" \
+	    -v qtype="CDS" \
+	    -v keyid="$(key_get "${1}" ID)" \
+	    -v keyalg="$(key_get "${1}" ALG_NUM)" \
+	    -v hashalg="2" \
+	    'BEGIN { ret=1; }
+	     $1 == zone && $2 == ttl && $4 == qtype && $5 == keyid && $6 == keyalg && $7 == hashalg { ret=0; exit; }
+	     END { exit ret; }' \
+	    "$2"
+)
+
+response_has_cdnskey_for_key() (
+
+	awk -v zone="${ZONE%%.}." \
+	    -v ttl="${DNSKEY_TTL}" \
+	    -v qtype="CDNSKEY" \
+	    -v flags="$(key_get "${1}" FLAGS)" \
+	    -v keyalg="$(key_get "${1}" ALG_NUM)" \
+	    'BEGIN { ret=1; }
+	     $1 == zone && $2 == ttl && $4 == qtype && $5 == flags && $7 == keyalg { ret=0; exit; }
+	     END { exit ret; }' \
+	    "$2"
+)
+
+# Test CDS and CDNSKEY publication.
+check_cds() {
+
+	n=$((n+1))
+	echo_i "check CDS and CDNSKEY rrset are signed correctly for zone ${ZONE} ($n)"
+	ret=0
+
+	_checksig=0
+
+	_dig_with_opts "$ZONE" "@${SERVER}" "CDS" > "dig.out.$DIR.test$n.cds" || _log_error "dig ${ZONE} CDS failed"
+	grep "status: NOERROR" "dig.out.$DIR.test$n.cds" > /dev/null || _log_error "mismatch status in DNS response"
+
+	_dig_with_opts "$ZONE" "@${SERVER}" "CDNSKEY" > "dig.out.$DIR.test$n.cdnskey" || _log_error "dig ${ZONE} CDNSKEY failed"
+	grep "status: NOERROR" "dig.out.$DIR.test$n.cdnskey" > /dev/null || _log_error "mismatch status in DNS response"
+
+	if [ "$CDS_DELETE" = "no" ]; then
+		grep "CDS.*0 0 0 00" "dig.out.$DIR.test$n.cds" > /dev/null && _log_error "unexpected CDS DELETE record in DNS response"
+		grep "CDNSKEY.*0 3 0 AA==" "dig.out.$DIR.test$n.cdnskey" > /dev/null && _log_error "unexpected CDNSKEY DELETE record in DNS response"
+	else
+		grep "CDS.*0 0 0 00" "dig.out.$DIR.test$n.cds" > /dev/null || _log_error "missing CDS DELETE record in DNS response"
+		grep "CDNSKEY.*0 3 0 AA==" "dig.out.$DIR.test$n.cdnskey" > /dev/null || _log_error "missing CDNSKEY DELETE record in DNS response"
+		_checksig=1
+	fi
+
+	if [ "$(key_get KEY1 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY1 STATE_DS)" = "omnipresent" ]; then
+		response_has_cds_for_key KEY1 "dig.out.$DIR.test$n.cds" || _log_error "missing CDS record in response for key $(key_get KEY1 ID)"
+		response_has_cdnskey_for_key KEY1 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY1 ID)"
+		_checksig=1
+	elif [ "$(key_get KEY1 EXPECT)" = "yes" ]; then
+		response_has_cds_for_key KEY1 "dig.out.$DIR.test$n.cds" && _log_error "unexpected CDS record in response for key $(key_get KEY1 ID)"
+		# KEY1 should not have an associated CDNSKEY, but there may be
+		# one for another key.  Since the CDNSKEY has no field for key
+		# id, it is hard to check what key the CDNSKEY may belong to
+		# so let's skip this check for now.
+	fi
+
+	if [ "$(key_get KEY2 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY2 STATE_DS)" = "omnipresent" ]; then
+		response_has_cds_for_key KEY2 "dig.out.$DIR.test$n.cds" || _log_error "missing CDS record in response for key $(key_get KEY2 ID)"
+		response_has_cdnskey_for_key KEY2 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY2 ID)"
+		_checksig=1
+	elif [ "$(key_get KEY2 EXPECT)" = "yes" ]; then
+		response_has_cds_for_key KEY2 "dig.out.$DIR.test$n.cds" && _log_error "unexpected CDS record in response for key $(key_get KEY2 ID)"
+		# KEY2 should not have an associated CDNSKEY, but there may be
+		# one for another key.  Since the CDNSKEY has no field for key
+		# id, it is hard to check what key the CDNSKEY may belong to
+		# so let's skip this check for now.
+	fi
+
+	if [ "$(key_get KEY3 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY3 STATE_DS)" = "omnipresent" ]; then
+		response_has_cds_for_key KEY3 "dig.out.$DIR.test$n.cds" || _log_error "missing CDS record in response for key $(key_get KEY3 ID)"
+		response_has_cdnskey_for_key KEY3 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY3 ID)"
+		_checksig=1
+	elif [ "$(key_get KEY3 EXPECT)" = "yes" ]; then
+		response_has_cds_for_key KEY3 "dig.out.$DIR.test$n.cds" && _log_error "unexpected CDS record in response for key $(key_get KEY3 ID)"
+		# KEY3 should not have an associated CDNSKEY, but there may be
+		# one for another key.  Since the CDNSKEY has no field for key
+		# id, it is hard to check what key the CDNSKEY may belong to
+		# so let's skip this check for now.
+	fi
+
+	if [ "$(key_get KEY4 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY4 STATE_DS)" = "omnipresent" ]; then
+		response_has_cds_for_key KEY4 "dig.out.$DIR.test$n.cds" || _log_error "missing CDS record in response for key $(key_get KEY4 ID)"
+		response_has_cdnskey_for_key KEY4 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY4 ID)"
+		_checksig=1
+	elif [ "$(key_get KEY4 EXPECT)" = "yes" ]; then
+		response_has_cds_for_key KEY4 "dig.out.$DIR.test$n.cds" && _log_error "unexpected CDS record in response for key $(key_get KEY4 ID)"
+		# KEY4 should not have an associated CDNSKEY, but there may be
+		# one for another key.  Since the CDNSKEY has no field for key
+		# id, it is hard to check what key the CDNSKEY may belong to
+		# so let's skip this check for now.
+	fi
+
+	test "$_checksig" -eq 0 || check_signatures "CDS" "dig.out.$DIR.test$n.cds" "KSK"
+	test "$_checksig" -eq 0 || check_signatures "CDNSKEY" "dig.out.$DIR.test$n.cdnskey" "KSK"
+
+	test "$ret" -eq 0 || echo_i "failed"
+	status=$((status+ret))
+}
+
+_find_dnskey() {
+	_owner="${ZONE}."
+	_alg="$(key_get $1 ALG_NUM)"
+	_flags="$(key_get $1 FLAGS)"
+	_key_file="$(key_get $1 BASEFILE).key"
+
+	awk '$1 == "'"$_owner"'" && $2 == "'"$DNSKEY_TTL"'" && $3 == "IN" && $4 == "DNSKEY" && $5 == "'"$_flags"'" && $6 == "3" && $7 == "'"$_alg"'" { print $8 }' < "$_key_file"
+}
+
+
+# Test DNSKEY query.
+_check_apex_dnskey() {
+	_dig_with_opts "$ZONE" "@${SERVER}" "DNSKEY" > "dig.out.$DIR.test$n" || return 1
+	grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || return 1
+
+	_checksig=0
+
+	if [ "$(key_get KEY1 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY1 STATE_DNSKEY)" = "omnipresent" ]; then
+		_pubkey=$(_find_dnskey KEY1)
+		test -z "$_pubkey" && return 1
+		grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null || return 1
+		_checksig=1
+	elif [ "$(key_get KEY1 EXPECT)" = "yes" ]; then
+		_pubkey=$(_find_dnskey KEY1)
+		test -z "$_pubkey" && return 1
+		grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null && return 1
+	fi
+
+	if [ "$(key_get KEY2 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY2 STATE_DNSKEY)" = "omnipresent" ]; then
+		_pubkey=$(_find_dnskey KEY2)
+		test -z "$_pubkey" && return 1
+		grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null || return 1
+		_checksig=1
+	elif [ "$(key_get KEY2 EXPECT)" = "yes" ]; then
+		_pubkey=$(_find_dnskey KEY2)
+		test -z "$_pubkey" && return 1
+		grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null && return 1
+	fi
+
+	if [ "$(key_get KEY3 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY3 STATE_DNSKEY)" = "omnipresent" ]; then
+		_pubkey=$(_find_dnskey KEY3)
+		test -z "$_pubkey" && return 1
+		grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null || return 1
+		_checksig=1
+	elif [ "$(key_get KEY3 EXPECT)" = "yes" ]; then
+		_pubkey=$(_find_dnskey KEY3)
+		test -z "$_pubkey" && return 1
+		grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null && return 1
+	fi
+
+	if [ "$(key_get KEY4 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY4 STATE_DNSKEY)" = "omnipresent" ]; then
+		_pubkey=$(_find_dnskey KEY4)
+		test -z "$_pubkey" && return 1
+		grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null || return 1
+		_checksig=1
+	elif [ "$(key_get KEY4 EXPECT)" = "yes" ]; then
+		_pubkey=$(_find_dnskey KEY4)
+		test -z "$_pubkey" && return 1
+		grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null && return 1
+	fi
+
+	test "$_checksig" -eq 0 && return 0
+
+	_check_signatures "DNSKEY" "dig.out.$DIR.test$n" "KSK" || return 1
+
+	return 0
+}
+
+# Test the apex of a configured zone. This checks that the SOA and DNSKEY
+# RRsets are signed correctly and with the appropriate keys.
+check_apex() {
+
+	# Test DNSKEY query.
+	n=$((n+1))
+	echo_i "check DNSKEY rrset is signed correctly for zone ${ZONE} ($n)"
+	ret=0
+	retry_quiet 10 _check_apex_dnskey || ret=1
+	test "$ret" -eq 0 || echo_i "failed"
+	status=$((status+ret))
+
+	# We retry the DNSKEY query for at most ten seconds to avoid test
+	# failures due to timing issues. If the DNSKEY query check passes this
+	# means the zone is resigned and further apex checks (SOA, CDS, CDNSKEY)
+	# don't need to be retried quietly.
+
+	# Test SOA query.
+	n=$((n+1))
+	echo_i "check SOA rrset is signed correctly for zone ${ZONE} ($n)"
+	ret=0
+	_dig_with_opts "$ZONE" "@${SERVER}" "SOA" > "dig.out.$DIR.test$n" || _log_error "dig ${ZONE} SOA failed"
+	grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || _log_error "mismatch status in DNS response"
+	grep "${ZONE}\..*${DEFAULT_TTL}.*IN.*SOA.*" "dig.out.$DIR.test$n" > /dev/null || _log_error "missing SOA record in response"
+	check_signatures "SOA" "dig.out.$DIR.test$n" "ZSK"
+	test "$ret" -eq 0 || echo_i "failed"
+	status=$((status+ret))
+
+	# Test CDS and CDNSKEY publication.
+	check_cds
+}
+
+# Test an RRset below the apex and verify it is signed correctly.
+check_subdomain() {
+	_qtype="A"
+	n=$((n+1))
+	echo_i "check ${_qtype} a.${ZONE} rrset is signed correctly for zone ${ZONE} ($n)"
+	ret=0
+	_dig_with_opts "a.$ZONE" "@${SERVER}" $_qtype > "dig.out.$DIR.test$n" || _log_error "dig a.${ZONE} ${_qtype} failed"
+	grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || _log_error "mismatch status in DNS response"
+	grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*${_qtype}.*10\.0\.0\.1" "dig.out.$DIR.test$n" > /dev/null || _log_error "missing a.${ZONE} ${_qtype} record in response"
+	lines=$(get_keys_which_signed $_qtype "dig.out.$DIR.test$n" | wc -l)
+	check_signatures $_qtype "dig.out.$DIR.test$n" "ZSK"
+	test "$ret" -eq 0 || echo_i "failed"
+	status=$((status+ret))
+}
+
+# Check if "CDS/CDNSKEY Published" is logged.
+check_cdslog() {
+	_dir=$1
+	_zone=$2
+	_key=$3
+
+	_alg=$(key_get $_key ALG_STR)
+	_id=$(key_get $_key ID)
+
+	n=$((n+1))
+	echo_i "check CDS/CDNSKEY publication is logged in ${_dir}/named.run for key ${_zone}/${_alg}/${_id} ($n)"
+	ret=0
+
+	grep "CDS for key ${_zone}/${_alg}/${_id} is now published" "${_dir}/named.run" > /dev/null || ret=1
+	grep "CDNSKEY for key ${_zone}/${_alg}/${_id} is now published" "${_dir}/named.run" > /dev/null || ret=1
+
+	test "$ret" -eq 0 || echo_i "failed"
+	status=$((status+ret))
+}
+
+# Tell named that the DS for the key in given zone has been seen in the
+# parent (this does not actually has to be true, we just issue the command
+# to make named believe it can continue with the rollover).
+rndc_checkds() {
+	_server=$1
+	_dir=$2
+	_key=$3
+	_when=$4
+	_what=$5
+	_zone=$6
+	_view=$7
+
+	_keycmd=""
+	if [ "${_key}" != "-" ]; then
+		_keyid=$(key_get $_key ID)
+		_keycmd=" -key ${_keyid}"
+	fi
+
+	_whencmd=""
+	if [ "${_when}" != "now" ]; then
+		_whencmd=" -when ${_when}"
+	fi
+
+	n=$((n+1))
+	echo_i "calling rndc dnssec -checkds${_keycmd}${_whencmd} ${_what} zone ${_zone} in ${_view} ($n)"
+	ret=0
+
+	_rndccmd $_server dnssec -checkds $_keycmd $_whencmd $_what $_zone in $_view > rndc.dnssec.checkds.out.$_zone.$n || _log_error "rndc dnssec -checkds${_keycmd}${_whencmd} ${_what} zone ${_zone} failed"
+
+	test "$ret" -eq 0 || echo_i "failed"
+	status=$((status+ret))
+}
+
+# Tell named to schedule a key rollover.
+rndc_rollover() {
+	_server=$1
+	_dir=$2
+	_keyid=$3
+	_when=$4
+	_zone=$5
+	_view=$6
+
+	_whencmd=""
+	if [ "${_when}" != "now" ]; then
+		_whencmd="-when ${_when}"
+	fi
+
+	n=$((n+1))
+	echo_i "calling rndc dnssec -rollover key ${_keyid} ${_whencmd} zone ${_zone} ($n)"
+	ret=0
+
+	_rndccmd $_server dnssec -rollover -key $_keyid $_whencmd $_zone in $_view > rndc.dnssec.rollover.out.$_zone.$n || _log_error "rndc dnssec -rollover (key ${_keyid} when ${_when}) zone ${_zone} failed"
+
+	test "$ret" -eq 0 || echo_i "failed"
+	status=$((status+ret))
+}
diff --git a/bin/tests/system/kasp/README b/bin/tests/system/kasp/README
new file mode 100644
index 0000000..96b0ef7
--- /dev/null
+++ b/bin/tests/system/kasp/README
@@ -0,0 +1,23 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0.  If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+
+The test setup for the KASP tests.
+
+ns1 is reserved for the root server.
+
+ns2 is running primary service for ns3.
+
+ns3 is an authoritative server for the various test domains.
+
+ns4 and ns5 are authoritative servers for various test domains related to views.
+
+ns6 is an authoritative server that tests changes in dnssec-policy (algorithm
+rollover).
diff --git a/bin/tests/system/kasp/clean.sh b/bin/tests/system/kasp/clean.sh
new file mode 100644
index 0000000..db264c2
--- /dev/null
+++ b/bin/tests/system/kasp/clean.sh
@@ -0,0 +1,36 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+rm -f ./keygen.*
+rm -f ./K*.private ./K*.key ./K*.state ./K*.cmp
+rm -rf ./keys/
+rm -f dig.out* rrsig.out.* keyevent.out.* verify.out.* zone.out.*
+rm -f ns*/named.conf ns*/named.memstats ns*/named.run*
+rm -f ns*/named-fips.conf
+rm -f ns*/policies/*.conf
+rm -f ns*/*.jnl ns*/*.jbk
+rm -f ns*/K*.private ns*/K*.key ns*/K*.state
+rm -f ns*/dsset-* ns*/*.db ns*/*.db.signed
+rm -f ns*/keygen.out.* ns*/settime.out.* ns*/signer.out.*
+rm -f ns*/managed-keys.bind
+rm -f ns*/*.mkeys
+rm -f ns*/zones ns*/*.db.infile
+rm -f ns*/*.zsk1 ns*/*.zsk2
+rm -f ns3/legacy-keys.*
+rm -f *.created published.test* retired.test*
+rm -f rndc.dnssec.*.out.* rndc.zonestatus.out.*
+rm -f python.out.*
+rm -f *-supported.file
+rm -f created.key-* unused.key-*
diff --git a/bin/tests/system/kasp/kasp.conf b/bin/tests/system/kasp/kasp.conf
new file mode 100644
index 0000000..e7a2eab
--- /dev/null
+++ b/bin/tests/system/kasp/kasp.conf
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * This is just a random selection of configuration options.
+ */
+
+dnssec-policy "kasp" {
+	dnskey-ttl 200;
+
+	keys {
+		csk key-directory lifetime P1Y  algorithm 13;
+		ksk key-directory lifetime P1Y  algorithm 8;
+		zsk key-directory lifetime P30D algorithm 8 2048;
+		zsk key-directory lifetime P6M  algorithm 8 3072;
+	};
+};
diff --git a/bin/tests/system/kasp/ns2/named.conf.in b/bin/tests/system/kasp/ns2/named.conf.in
new file mode 100644
index 0000000..4b673c4
--- /dev/null
+++ b/bin/tests/system/kasp/ns2/named.conf.in
@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	allow-transfer { any; };
+	recursion no;
+	dnssec-policy "none";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+/* Inherit dnssec-policy (which is none) */
+
+zone "unsigned.tld" {
+	type primary;
+	file "unsigned.tld.db";
+};
+
+/* Override dnssec-policy */
+
+zone "signed.tld" {
+	type primary;
+	file "signed.tld.db";
+	dnssec-policy "default";
+	inline-signing yes;
+};
+
+/* Primary service for ns3 */
+
+zone "secondary.kasp" {
+	type primary;
+	file "secondary.kasp.db";
+	allow-transfer { 10.53.0.3; };
+	notify yes;
+};
diff --git a/bin/tests/system/kasp/ns2/secondary.kasp.db.in b/bin/tests/system/kasp/ns2/secondary.kasp.db.in
new file mode 100644
index 0000000..3c8d124
--- /dev/null
+++ b/bin/tests/system/kasp/ns2/secondary.kasp.db.in
@@ -0,0 +1,29 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@		IN	SOA  secondary.kasp. hostmaster.kasp. (
+			1       ; serial
+			20      ; refresh (20 seconds)
+			20      ; retry (20 seconds)
+			1814400 ; expire (3 weeks)
+			3600    ; minimum (1 hour)
+			)
+
+			NS	ns2
+			NS	ns3
+ns2			A	10.53.0.2
+ns3			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+c			A	10.0.0.3
+
diff --git a/bin/tests/system/kasp/ns2/secondary.kasp.db.in2 b/bin/tests/system/kasp/ns2/secondary.kasp.db.in2
new file mode 100644
index 0000000..9289831
--- /dev/null
+++ b/bin/tests/system/kasp/ns2/secondary.kasp.db.in2
@@ -0,0 +1,30 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@		IN	SOA  secondary.kasp. hostmaster.kasp. (
+			2       ; serial
+			20      ; refresh (20 seconds)
+			20      ; retry (20 seconds)
+			1814400 ; expire (3 weeks)
+			3600    ; minimum (1 hour)
+			)
+
+			NS	ns2
+			NS	ns3
+ns2			A	10.53.0.2
+ns3			A	10.53.0.3
+
+a			A	10.0.0.11
+b			A	10.0.0.2
+c			A	10.0.0.3
+d			A	10.0.0.4
+
diff --git a/bin/tests/system/kasp/ns2/setup.sh b/bin/tests/system/kasp/ns2/setup.sh
new file mode 100644
index 0000000..3890d52
--- /dev/null
+++ b/bin/tests/system/kasp/ns2/setup.sh
@@ -0,0 +1,35 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+echo_i "ns2/setup.sh"
+
+zone="secondary.kasp"
+echo_i "setting up zone: $zone"
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+cp $infile $zonefile
+
+zone="signed.tld"
+echo_i "setting up zone: $zone"
+zonefile="${zone}.db"
+infile="template.tld.db.in"
+cp $infile $zonefile
+
+zone="unsigned.tld"
+echo_i "setting up zone: $zone"
+zonefile="${zone}.db"
+infile="template.tld.db.in"
+cp $infile $zonefile
diff --git a/bin/tests/system/kasp/ns2/template.tld.db.in b/bin/tests/system/kasp/ns2/template.tld.db.in
new file mode 100644
index 0000000..400dc34
--- /dev/null
+++ b/bin/tests/system/kasp/ns2/template.tld.db.in
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@		IN	SOA  secondary.kasp. hostmaster.kasp. (
+			1       ; serial
+			20      ; refresh (20 seconds)
+			20      ; retry (20 seconds)
+			1814400 ; expire (3 weeks)
+			3600    ; minimum (1 hour)
+			)
+
+			NS	ns2
+ns2			A	10.53.0.2
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+c			A	10.0.0.3
+
diff --git a/bin/tests/system/kasp/ns3/ed25519.conf b/bin/tests/system/kasp/ns3/ed25519.conf
new file mode 100644
index 0000000..999fa2f
--- /dev/null
+++ b/bin/tests/system/kasp/ns3/ed25519.conf
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "ed25519" {
+        dnskey-ttl 1234;
+
+        keys {
+                ksk key-directory lifetime P10Y algorithm 15;
+                zsk key-directory lifetime P5Y  algorithm 15;
+                zsk key-directory lifetime P1Y  algorithm 15 256;
+        };
+};
+
+zone "ed25519.kasp" {
+        type primary;
+        file "ed25519.kasp.db";
+	inline-signing yes;
+        dnssec-policy "ed25519";
+};
diff --git a/bin/tests/system/kasp/ns3/ed448.conf b/bin/tests/system/kasp/ns3/ed448.conf
new file mode 100644
index 0000000..e9c8312
--- /dev/null
+++ b/bin/tests/system/kasp/ns3/ed448.conf
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "ed448" {
+        dnskey-ttl 1234;
+
+        keys {
+                ksk key-directory lifetime P10Y algorithm 16;
+                zsk key-directory lifetime P5Y  algorithm 16;
+                zsk key-directory lifetime P1Y  algorithm 16 456;
+        };
+};
+
+zone "ed448.kasp" {
+        type primary;
+        file "ed448.kasp.db";
+	inline-signing yes;
+        dnssec-policy "ed448";
+};
diff --git a/bin/tests/system/kasp/ns3/named-fips.conf.in b/bin/tests/system/kasp/ns3/named-fips.conf.in
new file mode 100644
index 0000000..b14b142
--- /dev/null
+++ b/bin/tests/system/kasp/ns3/named-fips.conf.in
@@ -0,0 +1,519 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+include "policies/kasp.conf";
+include "policies/autosign.conf";
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	allow-transfer { any; };
+	recursion no;
+	dnssec-policy "rsasha256";
+};
+
+key rndc_key {
+        secret "1234abcd8765";
+        algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+        inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+/* Zones that are getting initially signed */
+
+/* The default case: No keys created, using default policy. */
+zone "default.kasp" {
+	type primary;
+	file "default.kasp.db";
+	inline-signing yes;
+	dnssec-policy "default";
+};
+
+/* checkds: Zone with one KSK. */
+zone "checkds-ksk.kasp" {
+	type primary;
+	file "checkds-ksk.kasp.db";
+	inline-signing yes;
+	dnssec-policy "checkds-ksk";
+};
+
+/* checkds: Zone with two KSKs. */
+zone "checkds-doubleksk.kasp" {
+	type primary;
+	file "checkds-doubleksk.kasp.db";
+	inline-signing yes;
+	dnssec-policy "checkds-doubleksk";
+};
+
+/* checkds: Zone with one CSK. */
+zone "checkds-csk.kasp" {
+	type primary;
+	file "checkds-csk.kasp.db";
+	inline-signing yes;
+	dnssec-policy "checkds-csk";
+};
+
+/* Key lifetime unlimited. */
+zone "unlimited.kasp" {
+	type primary;
+	file "unlimited.kasp.db";
+	inline-signing yes;
+	dnssec-policy "unlimited";
+};
+
+/* Manual rollover. */
+zone "manual-rollover.kasp" {
+	type primary;
+	file "manual-rollover.kasp.db";
+	inline-signing yes;
+	dnssec-policy "manual-rollover";
+};
+
+/* A zone that inherits dnssec-policy. */
+zone "inherit.kasp" {
+	type primary;
+	inline-signing yes;
+	file "inherit.kasp.db";
+};
+
+/* A zone that overrides dnssec-policy. */
+zone "unsigned.kasp" {
+	type primary;
+	file "unsigned.kasp.db";
+	inline-signing yes;
+	dnssec-policy "none";
+};
+
+/* A zone that is initially set to insecure. */
+zone "insecure.kasp" {
+	type primary;
+	file "insecure.kasp.db";
+	inline-signing yes;
+	dnssec-policy "insecure";
+};
+
+/* A primary zone with dnssec-policy but keys already created. */
+zone "dnssec-keygen.kasp" {
+	type primary;
+	file "dnssec-keygen.kasp.db";
+	inline-signing yes;
+	dnssec-policy "rsasha256";
+};
+
+/* A secondary zone with dnssec-policy. */
+zone "secondary.kasp" {
+	type secondary;
+	primaries { 10.53.0.2; };
+	file "secondary.kasp.db";
+	inline-signing yes;
+	dnssec-policy "rsasha256";
+};
+
+/* A dynamic zone with dnssec-policy. */
+zone "dynamic.kasp" {
+	type primary;
+	file "dynamic.kasp.db";
+	dnssec-policy "default";
+	allow-update { any; };
+};
+
+/* A dynamic inline-signed zone with dnssec-policy. */
+zone "dynamic-inline-signing.kasp" {
+	type primary;
+	file "dynamic-inline-signing.kasp.db";
+	dnssec-policy "default";
+	allow-update { any; };
+	inline-signing yes;
+};
+
+/* An inline-signed zone with dnssec-policy. */
+zone "inline-signing.kasp" {
+	type primary;
+	file "inline-signing.kasp.db";
+	dnssec-policy "default";
+	inline-signing yes;
+};
+
+/*
+ * A configured dnssec-policy but some keys already created.
+ */
+zone "some-keys.kasp" {
+	type primary;
+	file "some-keys.kasp.db";
+	inline-signing yes;
+	dnssec-policy "rsasha256";
+};
+
+/*
+ * A configured dnssec-policy but some keys already in use.
+ */
+zone "legacy-keys.kasp" {
+	type primary;
+	file "legacy-keys.kasp.db";
+	inline-signing yes;
+	dnssec-policy "migrate-to-dnssec-policy";
+};
+
+/*
+ * A configured dnssec-policy with (too) many keys pregenerated.
+ */
+zone "pregenerated.kasp" {
+	type primary;
+	file "pregenerated.kasp.db";
+	inline-signing yes;
+	dnssec-policy "rsasha256";
+};
+
+/*
+ * A configured dnssec-policy with one rumoured key.
+ * Bugfix case for GL #1593.
+ */
+zone "rumoured.kasp" {
+	type primary;
+	file "rumoured.kasp.db";
+	inline-signing yes;
+	dnssec-policy "rsasha256";
+};
+
+/* RFC 8901 Multi-signer Model 2. */
+zone "multisigner-model2.kasp" {
+	type primary;
+	file "multisigner-model2.kasp.db";
+	dnssec-policy "multisigner-model2";
+	allow-update { any; };
+};
+
+/*
+ * Different algorithms.
+ */
+zone "rsasha256.kasp" {
+	type primary;
+	file "rsasha256.kasp.db";
+	inline-signing yes;
+	dnssec-policy "rsasha256";
+};
+zone "rsasha512.kasp" {
+	type primary;
+	file "rsasha512.kasp.db";
+	inline-signing yes;
+	dnssec-policy "rsasha512";
+};
+zone "ecdsa256.kasp" {
+	type primary;
+	file "ecdsa256.kasp.db";
+	inline-signing yes;
+	dnssec-policy "ecdsa256";
+};
+zone "ecdsa384.kasp" {
+	type primary;
+	file "ecdsa384.kasp.db";
+	inline-signing yes;
+	dnssec-policy "ecdsa384";
+};
+
+/*
+ * Zone with too high TTL.
+ */
+zone "max-zone-ttl.kasp" {
+	type primary;
+	file "max-zone-ttl.kasp.db";
+	inline-signing yes;
+	dnssec-policy "ttl";
+};
+
+/*
+ * Zone for testing GL #2375: Three is a crowd.
+ */
+zone "three-is-a-crowd.kasp" {
+	type primary;
+	file "three-is-a-crowd.kasp.db";
+	inline-signing yes;
+	/* Use same policy as KSK rollover test zones. */
+	dnssec-policy "ksk-doubleksk";
+};
+
+/*
+ * Zones in different signing states.
+ */
+
+/*
+ * Zone that has expired signatures.
+ */
+zone "expired-sigs.autosign" {
+	type primary;
+	file "expired-sigs.autosign.db";
+	inline-signing yes;
+	dnssec-policy "autosign";
+};
+
+/*
+ * Zone that has valid, fresh signatures.
+ */
+zone "fresh-sigs.autosign" {
+	type primary;
+	file "fresh-sigs.autosign.db";
+	inline-signing yes;
+	dnssec-policy "autosign";
+};
+
+/*
+ * Zone that has unfresh signatures.
+ */
+zone "unfresh-sigs.autosign" {
+	type primary;
+	file "unfresh-sigs.autosign.db";
+	inline-signing yes;
+	dnssec-policy "autosign";
+};
+
+/*
+ * Zone that has missing private KSK.
+ */
+zone "ksk-missing.autosign" {
+	type primary;
+	file "ksk-missing.autosign.db";
+	inline-signing yes;
+	dnssec-policy "autosign";
+};
+
+/*
+ * Zone that has missing private ZSK.
+ */
+zone "zsk-missing.autosign" {
+	type primary;
+	file "zsk-missing.autosign.db";
+	inline-signing yes;
+	dnssec-policy "autosign";
+};
+
+/*
+ * Zone that has inactive ZSK.
+ */
+zone "zsk-retired.autosign" {
+	type primary;
+	file "zsk-retired.autosign.db";
+	inline-signing yes;
+	dnssec-policy "autosign";
+};
+
+/*
+ * Zones for testing enabling DNSSEC.
+ */
+zone "step1.enable-dnssec.autosign" {
+	type primary;
+	file "step1.enable-dnssec.autosign.db";
+	inline-signing yes;
+	dnssec-policy "enable-dnssec";
+};
+zone "step2.enable-dnssec.autosign" {
+	type primary;
+	file "step2.enable-dnssec.autosign.db";
+	inline-signing yes;
+	dnssec-policy "enable-dnssec";
+};
+zone "step3.enable-dnssec.autosign" {
+	type primary;
+	file "step3.enable-dnssec.autosign.db";
+	inline-signing yes;
+	dnssec-policy "enable-dnssec";
+};
+zone "step4.enable-dnssec.autosign" {
+	type primary;
+	file "step4.enable-dnssec.autosign.db";
+	inline-signing yes;
+	dnssec-policy "enable-dnssec";
+};
+
+/*
+ * Zones for testing ZSK Pre-Publication steps.
+ */
+zone "step1.zsk-prepub.autosign" {
+	type primary;
+	file "step1.zsk-prepub.autosign.db";
+	inline-signing yes;
+	dnssec-policy "zsk-prepub";
+};
+zone "step2.zsk-prepub.autosign" {
+	type primary;
+	file "step2.zsk-prepub.autosign.db";
+	inline-signing yes;
+	dnssec-policy "zsk-prepub";
+};
+zone "step3.zsk-prepub.autosign" {
+	type primary;
+	file "step3.zsk-prepub.autosign.db";
+	inline-signing yes;
+	dnssec-policy "zsk-prepub";
+};
+zone "step4.zsk-prepub.autosign" {
+	type primary;
+	file "step4.zsk-prepub.autosign.db";
+	inline-signing yes;
+	dnssec-policy "zsk-prepub";
+};
+zone "step5.zsk-prepub.autosign" {
+	type primary;
+	file "step5.zsk-prepub.autosign.db";
+	inline-signing yes;
+	dnssec-policy "zsk-prepub";
+};
+zone "step6.zsk-prepub.autosign" {
+	type primary;
+	file "step6.zsk-prepub.autosign.db";
+	inline-signing yes;
+	dnssec-policy "zsk-prepub";
+};
+
+/*
+ * Zones for testing KSK Double-KSK steps.
+ */
+zone "step1.ksk-doubleksk.autosign" {
+	type primary;
+	file "step1.ksk-doubleksk.autosign.db";
+	inline-signing yes;
+	dnssec-policy "ksk-doubleksk";
+};
+zone "step2.ksk-doubleksk.autosign" {
+	type primary;
+	file "step2.ksk-doubleksk.autosign.db";
+	inline-signing yes;
+	dnssec-policy "ksk-doubleksk";
+};
+zone "step3.ksk-doubleksk.autosign" {
+	type primary;
+	file "step3.ksk-doubleksk.autosign.db";
+	inline-signing yes;
+	dnssec-policy "ksk-doubleksk";
+};
+zone "step4.ksk-doubleksk.autosign" {
+	type primary;
+	file "step4.ksk-doubleksk.autosign.db";
+	inline-signing yes;
+	dnssec-policy "ksk-doubleksk";
+};
+zone "step5.ksk-doubleksk.autosign" {
+	type primary;
+	file "step5.ksk-doubleksk.autosign.db";
+	inline-signing yes;
+	dnssec-policy "ksk-doubleksk";
+};
+zone "step6.ksk-doubleksk.autosign" {
+	type primary;
+	file "step6.ksk-doubleksk.autosign.db";
+	inline-signing yes;
+	dnssec-policy "ksk-doubleksk";
+};
+
+/*
+ * Zones for testing CSK rollover steps.
+ */
+zone "step1.csk-roll.autosign" {
+	type primary;
+	file "step1.csk-roll.autosign.db";
+	inline-signing yes;
+	dnssec-policy "csk-roll";
+};
+zone "step2.csk-roll.autosign" {
+	type primary;
+	file "step2.csk-roll.autosign.db";
+	inline-signing yes;
+	dnssec-policy "csk-roll";
+};
+zone "step3.csk-roll.autosign" {
+	type primary;
+	file "step3.csk-roll.autosign.db";
+	inline-signing yes;
+	dnssec-policy "csk-roll";
+};
+zone "step4.csk-roll.autosign" {
+	type primary;
+	file "step4.csk-roll.autosign.db";
+	inline-signing yes;
+	dnssec-policy "csk-roll";
+};
+zone "step5.csk-roll.autosign" {
+	type primary;
+	file "step5.csk-roll.autosign.db";
+	inline-signing yes;
+	dnssec-policy "csk-roll";
+};
+zone "step6.csk-roll.autosign" {
+	type primary;
+	file "step6.csk-roll.autosign.db";
+	inline-signing yes;
+	dnssec-policy "csk-roll";
+};
+zone "step7.csk-roll.autosign" {
+	type primary;
+	file "step7.csk-roll.autosign.db";
+	inline-signing yes;
+	dnssec-policy "csk-roll";
+};
+zone "step8.csk-roll.autosign" {
+	type primary;
+	file "step8.csk-roll.autosign.db";
+	inline-signing yes;
+	dnssec-policy "csk-roll";
+};
+
+zone "step1.csk-roll2.autosign" {
+	type primary;
+	file "step1.csk-roll2.autosign.db";
+	inline-signing yes;
+	dnssec-policy "csk-roll2";
+};
+zone "step2.csk-roll2.autosign" {
+	type primary;
+	file "step2.csk-roll2.autosign.db";
+	inline-signing yes;
+	dnssec-policy "csk-roll2";
+};
+zone "step3.csk-roll2.autosign" {
+	type primary;
+	file "step3.csk-roll2.autosign.db";
+	inline-signing yes;
+	dnssec-policy "csk-roll2";
+};
+zone "step4.csk-roll2.autosign" {
+	type primary;
+	file "step4.csk-roll2.autosign.db";
+	inline-signing yes;
+	dnssec-policy "csk-roll2";
+};
+zone "step5.csk-roll2.autosign" {
+	type primary;
+	file "step5.csk-roll2.autosign.db";
+	inline-signing yes;
+	dnssec-policy "csk-roll2";
+};
+zone "step6.csk-roll2.autosign" {
+	type primary;
+	file "step6.csk-roll2.autosign.db";
+	inline-signing yes;
+	dnssec-policy "csk-roll2";
+};
+zone "step7.csk-roll2.autosign" {
+	type primary;
+	file "step7.csk-roll2.autosign.db";
+	inline-signing yes;
+	dnssec-policy "csk-roll2";
+};
diff --git a/bin/tests/system/kasp/ns3/named.conf.in b/bin/tests/system/kasp/ns3/named.conf.in
new file mode 100644
index 0000000..92e007d
--- /dev/null
+++ b/bin/tests/system/kasp/ns3/named.conf.in
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+include "named-fips.conf";
+
+zone "rsasha1.kasp" {
+	type primary;
+	file "rsasha1.kasp.db";
+	inline-signing yes;
+	dnssec-policy "rsasha1";
+};
+
+zone "rsasha1-nsec3.kasp" {
+	type primary;
+	file "rsasha1-nsec3.kasp.db";
+	inline-signing yes;
+	dnssec-policy "rsasha1-nsec3";
+};
diff --git a/bin/tests/system/kasp/ns3/policies/autosign.conf.in b/bin/tests/system/kasp/ns3/policies/autosign.conf.in
new file mode 100644
index 0000000..5564ec5
--- /dev/null
+++ b/bin/tests/system/kasp/ns3/policies/autosign.conf.in
@@ -0,0 +1,133 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "autosign" {
+
+	signatures-refresh P1W;
+	signatures-validity P2W;
+	signatures-validity-dnskey P2W;
+
+	dnskey-ttl 300;
+
+	keys {
+		ksk key-directory lifetime P2Y algorithm @DEFAULT_ALGORITHM@;
+		zsk key-directory lifetime P1Y algorithm @DEFAULT_ALGORITHM@;
+	};
+};
+
+dnssec-policy "enable-dnssec" {
+
+	signatures-refresh P1W;
+	signatures-validity P2W;
+	signatures-validity-dnskey P2W;
+
+	dnskey-ttl 300;
+	max-zone-ttl PT12H;
+	zone-propagation-delay PT5M;
+	retire-safety PT20M;
+	publish-safety PT5M;
+
+	parent-propagation-delay 1h;
+	parent-ds-ttl 2h;
+
+	keys {
+		csk lifetime unlimited algorithm @DEFAULT_ALGORITHM_NUMBER@;
+	};
+};
+
+dnssec-policy "zsk-prepub" {
+
+	signatures-refresh P1W;
+	signatures-validity P2W;
+	signatures-validity-dnskey P2W;
+
+	dnskey-ttl 3600;
+	publish-safety P1D;
+	retire-safety P2D;
+	purge-keys PT1H;
+
+	keys {
+		ksk key-directory lifetime P2Y  algorithm @DEFAULT_ALGORITHM@;
+		zsk key-directory lifetime P30D algorithm @DEFAULT_ALGORITHM@;
+	};
+
+	zone-propagation-delay PT1H;
+	max-zone-ttl 1d;
+};
+
+dnssec-policy "ksk-doubleksk" {
+
+	signatures-refresh P1W;
+	signatures-validity P2W;
+	signatures-validity-dnskey P2W;
+
+	dnskey-ttl 2h;
+	publish-safety P1D;
+	retire-safety P2D;
+	purge-keys PT1H;
+
+	keys {
+		ksk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
+		zsk key-directory lifetime P1Y  algorithm @DEFAULT_ALGORITHM@;
+	};
+
+	zone-propagation-delay PT1H;
+	max-zone-ttl 1d;
+
+	parent-ds-ttl 3600;
+	parent-propagation-delay PT1H;
+};
+
+dnssec-policy "csk-roll" {
+
+	signatures-refresh P5D;
+	signatures-validity 30d;
+	signatures-validity-dnskey 30d;
+
+	dnskey-ttl 1h;
+	publish-safety PT1H;
+	retire-safety 2h;
+	purge-keys PT1H;
+
+	keys {
+		csk key-directory lifetime P6M algorithm @DEFAULT_ALGORITHM@;
+	};
+
+	zone-propagation-delay 1h;
+	max-zone-ttl P1D;
+
+	parent-ds-ttl 1h;
+	parent-propagation-delay 1h;
+};
+
+dnssec-policy "csk-roll2" {
+
+	signatures-refresh 12h;
+	signatures-validity P1D;
+	signatures-validity-dnskey P1D;
+
+	dnskey-ttl 1h;
+	publish-safety PT1H;
+	retire-safety 1h;
+	purge-keys 0;
+
+	keys {
+		csk key-directory lifetime P6M algorithm @DEFAULT_ALGORITHM@;
+	};
+
+	zone-propagation-delay PT1H;
+	max-zone-ttl 1d;
+
+	parent-ds-ttl PT1H;
+	parent-propagation-delay P1W;
+};
diff --git a/bin/tests/system/kasp/ns3/policies/kasp-fips.conf.in b/bin/tests/system/kasp/ns3/policies/kasp-fips.conf.in
new file mode 100644
index 0000000..90a92a2
--- /dev/null
+++ b/bin/tests/system/kasp/ns3/policies/kasp-fips.conf.in
@@ -0,0 +1,118 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "unlimited" {
+	dnskey-ttl 1234;
+
+	keys {
+		csk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+	};
+};
+
+dnssec-policy "manual-rollover" {
+	dnskey-ttl 3600;
+
+	keys {
+		ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+		zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+	};
+};
+
+dnssec-policy "multisigner-model2" {
+	dnskey-ttl 3600;
+
+	keys {
+		ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+		zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+	};
+};
+
+dnssec-policy "migrate-to-dnssec-policy" {
+	dnskey-ttl 1234;
+
+	keys {
+		ksk key-directory lifetime P6M algorithm 8;
+		zsk key-directory lifetime P6M algorithm 8;
+	};
+};
+
+dnssec-policy "rsasha256" {
+	dnskey-ttl 1234;
+
+	keys {
+		ksk key-directory lifetime P10Y algorithm 8;
+		zsk key-directory lifetime P5Y  algorithm 8;
+		zsk key-directory lifetime P1Y  algorithm 8 3072;
+	};
+};
+
+dnssec-policy "rsasha512" {
+	dnskey-ttl 1234;
+
+	keys {
+		ksk key-directory lifetime P10Y algorithm 10;
+		zsk key-directory lifetime P5Y  algorithm 10;
+		zsk key-directory lifetime P1Y  algorithm 10 3072;
+	};
+};
+
+dnssec-policy "ecdsa256" {
+	dnskey-ttl 1234;
+
+	keys {
+		ksk key-directory lifetime P10Y algorithm 13;
+		zsk key-directory lifetime P5Y  algorithm 13;
+		zsk key-directory lifetime P1Y  algorithm 13 256;
+	};
+};
+
+dnssec-policy "ecdsa384" {
+	dnskey-ttl 1234;
+
+	keys {
+		ksk key-directory lifetime P10Y algorithm 14;
+		zsk key-directory lifetime P5Y  algorithm 14;
+		zsk key-directory lifetime P1Y  algorithm 14 384;
+	};
+};
+
+dnssec-policy "checkds-ksk" {
+	dnskey-ttl 303;
+
+	keys {
+		ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+		zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+	};
+};
+
+dnssec-policy "checkds-doubleksk" {
+	dnskey-ttl 303;
+
+	keys {
+		ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+		ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+		zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+	};
+};
+
+dnssec-policy "checkds-csk" {
+	dnskey-ttl 303;
+
+	keys {
+		csk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+	};
+};
+
+dnssec-policy "ttl" {
+	max-zone-ttl 299;
+};
diff --git a/bin/tests/system/kasp/ns3/policies/kasp.conf.in b/bin/tests/system/kasp/ns3/policies/kasp.conf.in
new file mode 100644
index 0000000..cb045bc
--- /dev/null
+++ b/bin/tests/system/kasp/ns3/policies/kasp.conf.in
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "policies/kasp-fips.conf";
+
+dnssec-policy "rsasha1" {
+	dnskey-ttl 1234;
+
+	keys {
+		ksk key-directory lifetime P10Y algorithm 5;
+		zsk key-directory lifetime P5Y  algorithm 5;
+		zsk key-directory lifetime P1Y  algorithm 5 2000;
+	};
+};
+
+dnssec-policy "rsasha1-nsec3" {
+	dnskey-ttl 1234;
+
+	keys {
+		ksk key-directory lifetime P10Y algorithm 7;
+		zsk key-directory lifetime P5Y  algorithm 7;
+		zsk key-directory lifetime P1Y  algorithm 7 2000;
+	};
+};
diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh
new file mode 100644
index 0000000..8682f54
--- /dev/null
+++ b/bin/tests/system/kasp/ns3/setup.sh
@@ -0,0 +1,1470 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+echo_i "ns3/setup.sh"
+
+setup() {
+	zone="$1"
+	echo_i "setting up zone: $zone"
+	zonefile="${zone}.db"
+	infile="${zone}.db.infile"
+	echo "$zone" >> zones
+}
+
+# Set in the key state files the Predecessor/Successor fields.
+# Key $1 is the predecessor of key $2.
+key_successor() {
+	id1=$(keyfile_to_key_id "$1")
+	id2=$(keyfile_to_key_id "$2")
+	echo "Predecessor: ${id1}" >> "${2}.state"
+	echo "Successor: ${id2}" >> "${1}.state"
+}
+
+# Make lines shorter by storing key states in environment variables.
+H="HIDDEN"
+R="RUMOURED"
+O="OMNIPRESENT"
+U="UNRETENTIVE"
+
+#
+# Set up zones that will be initially signed.
+#
+for zn in default dnssec-keygen some-keys legacy-keys pregenerated \
+	  rumoured rsasha256 rsasha512 ecdsa256 ecdsa384 \
+	  dynamic dynamic-inline-signing inline-signing \
+	  checkds-ksk checkds-doubleksk checkds-csk inherit unlimited \
+	  manual-rollover multisigner-model2
+do
+	setup "${zn}.kasp"
+	cp template.db.in "$zonefile"
+done
+
+#
+# Set up RSASHA1 based zones
+#
+for zn in rsasha1 rsasha1-nsec3
+do
+	if (cd ..; $SHELL ../testcrypto.sh -q RSASHA1)
+	then
+		setup "${zn}.kasp"
+		cp template.db.in "$zonefile"
+	else
+		# don't add to zones.
+		echo_i "setting up zone: ${zn}.kasp"
+		cp template.db.in "${zn}.kasp.db"
+	fi
+done
+
+if [ -f ../ed25519-supported.file ]; then
+	setup "ed25519.kasp"
+	cp template.db.in "$zonefile"
+	cat ed25519.conf >> named.conf
+fi
+
+if [ -f ../ed448-supported.file ]; then
+	setup "ed448.kasp"
+	cp template.db.in "$zonefile"
+	cat ed448.conf >> named.conf
+fi
+
+# Set up zones that stay unsigned.
+for zn in unsigned insecure max-zone-ttl
+do
+	zone="${zn}.kasp"
+	echo_i "setting up zone: $zone"
+	zonefile="${zone}.db"
+	infile="${zone}.db.infile"
+	cp template.db.in $infile
+	cp template.db.in $zonefile
+done
+
+# Some of these zones already have keys.
+zone="dnssec-keygen.kasp"
+echo_i "setting up zone: $zone"
+$KEYGEN -k rsasha256 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1
+
+zone="some-keys.kasp"
+echo_i "setting up zone: $zone"
+$KEYGEN -G -a RSASHA256 -b 2048 -L 1234 $zone > keygen.out.$zone.1 2>&1
+$KEYGEN -G -a RSASHA256 -f KSK  -L 1234 $zone > keygen.out.$zone.2 2>&1
+
+zone="legacy-keys.kasp"
+echo_i "setting up zone: $zone"
+ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 1234 $zone 2> keygen.out.$zone.1)
+KSK=$($KEYGEN -a RSASHA256 -f KSK  -L 1234 $zone 2> keygen.out.$zone.2)
+echo $ZSK > legacy-keys.kasp.zsk
+echo $KSK > legacy-keys.kasp.ksk
+# Predecessor keys:
+Tact="now-9mo"
+Tret="now-3mo"
+ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 1234 $zone 2> keygen.out.$zone.3)
+KSK=$($KEYGEN -a RSASHA256 -f KSK  -L 1234 $zone 2> keygen.out.$zone.4)
+$SETTIME -P $Tact -A $Tact -I $Tret -D $Tret "$ZSK"  > settime.out.$zone.1 2>&1
+$SETTIME -P $Tact -A $Tact -I $Tret -D $Tret "$KSK"  > settime.out.$zone.2 2>&1
+
+zone="pregenerated.kasp"
+echo_i "setting up zone: $zone"
+$KEYGEN -G -k rsasha256 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1
+$KEYGEN -G -k rsasha256 -l policies/kasp.conf $zone > keygen.out.$zone.2 2>&1
+
+zone="multisigner-model2.kasp"
+echo_i "setting up zone: $zone"
+# Import the ZSK sets of the other providers into their DNSKEY RRset.
+ZSK1=$($KEYGEN -K ../ -a $DEFAULT_ALGORITHM -L 3600 $zone 2> keygen.out.$zone.1)
+ZSK2=$($KEYGEN -K ../ -a $DEFAULT_ALGORITHM -L 3600 $zone 2> keygen.out.$zone.2)
+# ZSK1 will be added to the unsigned zonefile.
+cat "../${ZSK1}.key" | grep -v ";.*" >> "${zone}.db"
+cat "../${ZSK1}.key" | grep -v ";.*" > "${zone}.zsk1"
+rm -f "../${ZSK1}.*"
+# ZSK2 will be used with a Dynamic Update.
+cat "../${ZSK2}.key" | grep -v ";.*" > "${zone}.zsk2"
+rm -f "../${ZSK2}.*"
+
+zone="rumoured.kasp"
+echo_i "setting up zone: $zone"
+Tpub="now"
+Tact="now+1d"
+keytimes="-P ${Tpub} -A ${Tact}"
+KSK=$($KEYGEN  -a RSASHA256 -f KSK  -L 1234 $keytimes $zone 2> keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256 -b 3072 -L 1234 $keytimes $zone 2> keygen.out.$zone.2)
+ZSK2=$($KEYGEN -a RSASHA256         -L 1234 $keytimes $zone 2> keygen.out.$zone.3)
+$SETTIME -s -g $O -k $R $Tpub -r $R $Tpub -d $H $Tpub  "$KSK"  > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $R $Tpub -z $R $Tpub              "$ZSK1" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $R $Tpub -z $R $Tpub              "$ZSK2" > settime.out.$zone.2 2>&1
+
+#
+# Set up zones that are already signed.
+#
+
+# Zone to test manual rollover.
+setup manual-rollover.kasp
+T="now-1d"
+ksktimes="-P $T -A $T -P sync $T"
+zsktimes="-P $T -A $T"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600        $zsktimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $T -z $O $T          "$ZSK" > settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+cp $infile $zonefile
+$SIGNER -PS -x -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# These signatures are set to expire long in the past, update immediately.
+setup expired-sigs.autosign
+T="now-6mo"
+ksktimes="-P $T -A $T -P sync $T"
+zsktimes="-P $T -A $T"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300        $zsktimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $T -z $O $T          "$ZSK" > settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+cp $infile $zonefile
+$SIGNER -PS -x -s now-2mo -e now-1mo -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# These signatures are still good, and can be reused.
+setup fresh-sigs.autosign
+T="now-6mo"
+ksktimes="-P $T -A $T -P sync $T"
+zsktimes="-P $T -A $T"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300        $zsktimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $T -z $O $T          "$ZSK" > settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# These signatures are still good, but not fresh enough, update immediately.
+setup unfresh-sigs.autosign
+T="now-6mo"
+ksktimes="-P $T -A $T -P sync $T"
+zsktimes="-P $T -A $T"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300        $zsktimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $T -z $O $T          "$ZSK" > settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1w -e now+1w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# These signatures are still good, but the private KSK is missing.
+setup ksk-missing.autosign
+T="now-6mo"
+ksktimes="-P $T -A $T -P sync $T"
+zsktimes="-P $T -A $T"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300        $zsktimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $T -z $O $T          "$ZSK" > settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1w -e now+1w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+echo "KSK: yes" >> "${KSK}".state
+echo "ZSK: no" >> "${KSK}".state
+echo "Lifetime: 63072000" >> "${KSK}".state # PT2Y
+rm -f "${KSK}".private
+
+# These signatures are still good, but the private ZSK is missing.
+setup zsk-missing.autosign
+T="now-6mo"
+ksktimes="-P $T -A $T -P sync $T"
+zsktimes="-P $T -A $T"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300        $zsktimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $T -z $O $T          "$ZSK" > settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1w -e now+1w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+echo "KSK: no" >> "${ZSK}".state
+echo "ZSK: yes" >> "${ZSK}".state
+echo "Lifetime: 31536000" >> "${ZSK}".state # PT1Y
+rm -f "${ZSK}".private
+
+# These signatures are already expired, and the private ZSK is retired.
+setup zsk-retired.autosign
+T="now-6mo"
+ksktimes="-P $T -A $T -P sync $T"
+zsktimes="-P $T -A $T -I now"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300        $zsktimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $T -z $O $T          "$ZSK" > settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+cp $infile $zonefile
+$SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SETTIME -s -g HIDDEN "$ZSK" > settime.out.$zone.3 2>&1
+
+#
+# The zones at enable-dnssec.autosign represent the various steps of the
+# initial signing of a zone.
+#
+
+# Step 1:
+# This is an unsigned zone and named should perform the initial steps of
+# introducing the DNSSEC records in the right order.
+setup step1.enable-dnssec.autosign
+cp template.db.in $zonefile
+
+# Step 2:
+# The DNSKEY has been published long enough to become OMNIPRESENT.
+setup step2.enable-dnssec.autosign
+# DNSKEY TTL:             300 seconds
+# zone-propagation-delay: 5 minutes (300 seconds)
+# publish-safety:         5 minutes (300 seconds)
+# Total:                  900 seconds
+TpubN="now-900s"
+# RRSIG TTL:              12 hour (43200 seconds)
+# zone-propagation-delay: 5 minutes (300 seconds)
+# retire-safety:          20 minutes (1200 seconds)
+# Already passed time:    -900 seconds
+# Total:                  43800 seconds
+TsbmN="now+43800s"
+keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}"
+CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keygen.out.$zone.1)
+$SETTIME -s -g $O -k $R $TpubN -r $R $TpubN -d $H $TpubN -z $R $TpubN "$CSK" > settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 3:
+# The zone signatures have been published long enough to become OMNIPRESENT.
+setup step3.enable-dnssec.autosign
+# Passed time since publications: 43800 + 900 = 44700 seconds.
+TpubN="now-44700s"
+# The key is secure for using in chain of trust when the DNSKEY is OMNIPRESENT.
+TcotN="now-43800s"
+# We can submit the DS now.
+TsbmN="now"
+keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}"
+CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TcotN -r $O $TcotN -d $H $TpubN -z $R $TpubN "$CSK" > settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 4:
+# The DS has been submitted long enough ago to become OMNIPRESENT.
+setup step4.enable-dnssec.autosign
+# DS TTL:                    2 hour (7200 seconds)
+# parent-propagation-delay:  1 hour (3600 seconds)
+# retire-safety:             20 minutes (1200 seconds)
+# Total aditional time:      12000 seconds
+# 44700 + 12000 = 56700
+TpubN="now-56700s"
+# 43800 + 12000 = 55800
+TcotN="now-55800s"
+TsbmN="now-12000s"
+keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}"
+CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keygen.out.$zone.1)
+$SETTIME -s -g $O -P ds $TsbmN -k $O $TcotN -r $O $TcotN -d $R $TsbmN -z $O $TsbmN "$CSK" > settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+setup step4.enable-dnssec.autosign
+
+#
+# The zones at zsk-prepub.autosign represent the various steps of a ZSK
+# Pre-Publication rollover.
+#
+
+# Step 1:
+# Introduce the first key. This will immediately be active.
+setup step1.zsk-prepub.autosign
+TactN="now"
+ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
+zsktimes="-P ${TactN} -A ${TactN}"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600        $zsktimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN              "$ZSK" > settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 2:
+# It is time to pre-publish the successor ZSK.
+setup step2.zsk-prepub.autosign
+# According to RFC 7583:
+#
+# Tpub(N+1) <= Tact(N) + Lzsk - Ipub
+# Ipub = Dprp + TTLkey (+publish-safety)
+#
+#                 |3|   |4|      |5|  |6|
+#                  |     |        |    |
+#   Key N          |<-------Lzsk------>|
+#                  |     |        |    |
+#   Key N+1        |     |<-Ipub->|<-->|
+#                  |     |        |    |
+#   Key N         Tact
+#   Key N+1             Tpub     Trdy Tact
+#
+#                       Tnow
+#
+# Lzsk:           30d
+# Dprp:           1h
+# TTLkey:         1h
+# publish-safety: 1d
+# Ipub:           26h
+#
+# Tact(N) = Tnow + Ipub - Lzsk = now + 26h - 30d
+#         = now + 26h - 30d = now − 694h
+TactN="now-694h"
+ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
+zsktimes="-P ${TactN} -A ${TactN}"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600        $zsktimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN              "$ZSK" > settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 3:
+# After the publication interval has passed the DNSKEY of the successor ZSK
+# is OMNIPRESENT and the zone can thus be signed with the successor ZSK.
+setup step3.zsk-prepub.autosign
+# According to RFC 7583:
+#
+# Tpub(N+1) <= Tact(N) + Lzsk - Ipub
+# Tret(N) = Tact(N+1) = Tact(N) + Lzsk
+# Trem(N) = Tret(N) + Iret
+# Iret = Dsgn + Dprp + TTLsig (+retire-safety)
+#
+#                 |3|   |4|      |5|  |6|      |7|   |8|
+#                  |     |        |    |        |     |
+#   Key N          |<-------Lzsk------>|<-Iret->|<--->|
+#                  |     |        |    |        |     |
+#   Key N+1        |     |<-Ipub->|<-->|<---Lzsk---- - -
+#                  |     |        |    |        |     |
+#   Key N         Tact                Tret     Tdea  Trem
+#   Key N+1             Tpub     Trdy Tact
+#
+#                                     Tnow
+#
+# Lzsk:          30d
+# Ipub:          26h
+# Dsgn:          1w
+# Dprp:          1h
+# TTLsig:        1d
+# retire-safety: 2d
+# Iret:          10d1h = 241h
+#
+# Tact(N)   = Tnow - Lzsk = now - 30d
+# Tret(N)   = now
+# Trem(N)   = Tnow + Iret = now + 241h
+# Tpub(N+1) = Tnow - Ipub = now - 26h
+# Tret(N+1) = Tnow + Lzsk = now + 30d
+# Trem(N+1) = Tnow + Lzsk + Iret = now + 30d + 241h
+#           = now + 961h
+TactN="now-30d"
+TretN="now"
+TremN="now+241h"
+TpubN1="now-26h"
+TactN1="now"
+TretN1="now+30d"
+TremN1="now+961h"
+ksktimes="-P ${TactN}  -A ${TactN}  -P sync ${TactN}"
+zsktimes="-P ${TactN}  -A ${TactN}  -I ${TretN}  -D ${TremN}"
+newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
+KSK=$($KEYGEN  -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600        $zsktimes $zone 2> keygen.out.$zone.2)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600        $newtimes $zone 2> keygen.out.$zone.3)
+$SETTIME -s -g $O -k $O $TactN  -r $O $TactN  -d $O $TactN "$KSK"  > settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $O $TactN  -z $O $TactN               "$ZSK1" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -z $H $TpubN1              "$ZSK2" > settime.out.$zone.3 2>&1
+# Set key rollover relationship.
+key_successor $ZSK1 $ZSK2
+# Sign zone.
+cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK"  >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 4:
+# After the retire interval has passed the predecessor DNSKEY can be
+# removed from the zone.
+setup step4.zsk-prepub.autosign
+# According to RFC 7583:
+#
+# Tret(N) = Tact(N) + Lzsk
+# Tdea(N) = Tret(N) + Iret
+#
+#                 |3|   |4|      |5|  |6|      |7|   |8|
+#                  |     |        |    |        |     |
+#   Key N          |<-------Lzsk------>|<-Iret->|<--->|
+#                  |     |        |    |        |     |
+#   Key N+1        |     |<-Ipub->|<-->|<---Lzsk---- - -
+#                  |     |        |    |        |     |
+#   Key N         Tact                Tret     Tdea  Trem
+#   Key N+1             Tpub     Trdy Tact
+#
+#                                                    Tnow
+#
+# Lzsk: 30d
+# Ipub: 26h
+# Iret: 241h
+#
+# Tact(N)   = Tnow - Iret - Lzsk
+#           = now - 241h - 30d = now - 241h - 720h
+#           = now - 961h
+# Tret(N)   = Tnow - Iret = now - 241h
+# Trem(N)   = Tnow
+# Tpub(N+1) = Tnow - Iret - Ipub
+#           = now - 241h - 26h
+#           = now - 267h
+# Tact(N+1) = Tnow - Iret = Tret(N)
+# Tret(N+1) = Tnow - Iret + Lzsk
+#           = now - 241h + 30d = now - 241h + 720h
+#           = now + 479h
+# Trem(N+1) = Tnow + Lzsk = now + 30d
+TactN="now-961h"
+TretN="now-241h"
+TremN="now"
+TpubN1="now-267h"
+TactN1="${TretN}"
+TretN1="now+479h"
+TremN1="now+30d"
+ksktimes="-P ${TactN}  -A ${TactN}  -P sync ${TactN}"
+zsktimes="-P ${TactN}  -A ${TactN}  -I ${TretN}  -D ${TremN}"
+newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
+KSK=$($KEYGEN  -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600        $zsktimes $zone 2> keygen.out.$zone.2)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600        $newtimes $zone 2> keygen.out.$zone.3)
+$SETTIME -s -g $O -k $O $TactN  -r $O $TactN -d $O $TactN "$KSK"  > settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $O $TactN  -z $U $TretN              "$ZSK1" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -z $R $TactN1             "$ZSK2" > settime.out.$zone.3 2>&1
+# Set key rollover relationship.
+key_successor $ZSK1 $ZSK2
+# Sign zone.
+cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile"
+cp $infile $zonefile
+$SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 5:
+# The predecessor DNSKEY is removed long enough that is has become HIDDEN.
+setup step5.zsk-prepub.autosign
+# Subtract DNSKEY TTL from all the times (1h).
+# Tact(N)   = now - 961h - 1h = now - 962h
+# Tret(N)   = now - 241h - 1h = now - 242h
+# Tdea(N)   = now - 2d - 1h = now - 49h
+# Trem(N)   = now - 1h
+# Tpub(N+1) = now - 267h - 1h = now - 268h
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = now + 479h - 1h = now + 478h
+# Trem(N+1) = now + 30d - 1h = now + 719h
+TactN="now-962h"
+TretN="now-242h"
+TremN="now-1h"
+TdeaN="now-49h"
+TpubN1="now-268h"
+TactN1="${TretN}"
+TretN1="now+478h"
+TremN1="now+719h"
+ksktimes="-P ${TactN}  -A ${TactN}  -P sync ${TactN}"
+zsktimes="-P ${TactN}  -A ${TactN}  -I ${TretN}  -D ${TremN}"
+newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
+KSK=$($KEYGEN  -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600        $zsktimes $zone 2> keygen.out.$zone.2)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600        $newtimes $zone 2> keygen.out.$zone.3)
+$SETTIME -s -g $O -k $O $TactN  -r $O $TactN -d $O $TactN "$KSK"  > settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $U $TdeaN  -z $H $TdeaN              "$ZSK1" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -z $O $TdeaN              "$ZSK2" > settime.out.$zone.3 2>&1
+# Set key rollover relationship.
+key_successor $ZSK1 $ZSK2
+# Sign zone.
+cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK"  >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 6:
+# The predecessor DNSKEY can be purged.
+setup step6.zsk-prepub.autosign
+# Subtract purge-keys interval from all the times (1h).
+# Tact(N)   = now - 962h - 1h = now - 963h
+# Tret(N)   = now - 242h - 1h = now - 243h
+# Tdea(N)   = now - 49h - 1h = now - 50h
+# Trem(N)   = now - 1h - 1h = now - 2h
+# Tpub(N+1) = now - 268h - 1h = now - 269h
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = now + 478h - 1h = now + 477h
+# Trem(N+1) = now + 719h - 1h = now + 718h
+TactN="now-963h"
+TretN="now-243h"
+TremN="now-2h"
+TdeaN="now-50h"
+TpubN1="now-269h"
+TactN1="${TretN}"
+TretN1="now+477h"
+TremN1="now+718h"
+ksktimes="-P ${TactN}  -A ${TactN}  -P sync ${TactN}"
+zsktimes="-P ${TactN}  -A ${TactN}  -I ${TretN}  -D ${TremN}"
+newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
+KSK=$($KEYGEN  -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600        $zsktimes $zone 2> keygen.out.$zone.2)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600        $newtimes $zone 2> keygen.out.$zone.3)
+$SETTIME -s -g $O -k $O $TactN  -r $O $TactN -d $O $TactN "$KSK"  > settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $H $TdeaN  -z $H $TdeaN              "$ZSK1" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -z $O $TdeaN              "$ZSK2" > settime.out.$zone.3 2>&1
+# Set key rollover relationship.
+key_successor $ZSK1 $ZSK2
+# Sign zone.
+cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK"  >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+#
+# The zones at ksk-doubleksk.autosign represent the various steps of a KSK
+# Double-KSK rollover.
+#
+
+# Step 1:
+# Introduce the first key. This will immediately be active.
+setup step1.ksk-doubleksk.autosign
+TactN="now"
+ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
+zsktimes="-P ${TactN} -A ${TactN}"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200        $zsktimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O              -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 2:
+# It is time to submit the introduce the new KSK.
+setup step2.ksk-doubleksk.autosign
+# According to RFC 7583:
+#
+# Tpub(N+1) <= Tact(N) + Lksk - Dreg - IpubC
+# IpubC = DprpC + TTLkey (+publish-safety)
+#
+#                       |1|       |2|   |3|      |4|
+#                        |         |     |        |
+#       Key N            |<-IpubC->|<--->|<-Dreg->|<-----Lksk--- - -
+#                        |         |     |        |
+#       Key N+1          |         |     |        |
+#                        |         |     |        |
+#       Key N           Tpub      Trdy  Tsbm     Tact
+#       Key N+1
+#
+#               (continued ...)
+#
+#                   |5|       |6|   |7|      |8|      |9|    |10|
+#                    |         |     |        |        |       |
+#       Key N   - - --------------Lksk------->|<-Iret->|<----->|
+#                    |         |     |        |        |       |
+#       Key N+1      |<-IpubC->|<--->|<-Dreg->|<--------Lksk----- - -
+#                    |         |     |        |        |       |
+#       Key N                                Tret     Tdea    Trem
+#       Key N+1     Tpub      Trdy  Tsbm     Tact
+#
+#                   Tnow
+#
+# Lksk:           60d
+# Dreg:           1d
+# DprpC:          1h
+# TTLkey:         2h
+# publish-safety: 1d
+# IpubC:          27h
+#
+# Tact(N) = Tnow - Lksk + Dreg + IpubC = now - 60d + 27h
+#         = now - 1440h + 27h = now - 1413h
+TactN="now-1413h"
+ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
+zsktimes="-P ${TactN} -A ${TactN}"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200        $zsktimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN              "$ZSK" > settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 3:
+# It is time to submit the DS.
+setup step3.ksk-doubleksk.autosign
+# According to RFC 7583:
+#
+# Tsbm(N+1) >= Trdy(N+1)
+# Tact(N+1) = Tsbm(N+1) + Dreg
+# Iret = DprpP + TTLds (+retire-safety)
+#
+#                   |5|       |6|   |7|      |8|      |9|    |10|
+#                    |         |     |        |        |       |
+#       Key N   - - --------------Lksk------->|<-Iret->|<----->|
+#                    |         |     |        |        |       |
+#       Key N+1      |<-IpubC->|<--->|<-Dreg->|<--------Lksk----- - -
+#                    |         |     |        |        |       |
+#       Key N                                Tret     Tdea    Trem
+#       Key N+1     Tpub      Trdy  Tsbm     Tact
+#
+#                                   Tnow
+#
+# Lksk:           60d
+# Dreg:           N/A
+# DprpP:          1h
+# TTLds:          1h
+# retire-safety:  2d
+# Iret:           50h
+# DprpC:          1h
+# TTLkey:         2h
+# publish-safety: 1d
+# IpubC:          27h
+#
+# Tact(N)    = Tnow + Lksk = now - 60d = now - 60d
+# Tret(N)    = now
+# Trem(N)    = Tnow + Iret = now + 50h
+# Tpub(N+1)  = Tnow - IpubC = now - 27h
+# Tsbm(N+1)  = now
+# Tact(N+1)  = Tret(N)
+# Tret(N+1)  = Tnow + Lksk = now + 60d
+# Trem(N+1)  = Tnow + Lksk + Iret = now + 60d + 50h
+#            = now + 1440h + 50h = 1490h
+TactN="now-60d"
+TretN="now"
+TremN="now+50h"
+TpubN1="now-27h"
+TsbmN1="now"
+TactN1="${TretN}"
+TretN1="now+60d"
+TremN1="now+1490h"
+ksktimes="-P ${TactN}  -A ${TactN}  -P sync ${TactN}  -I ${TretN}  -D ${TremN}"
+newtimes="-P ${TpubN1} -A ${TactN1} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}"
+zsktimes="-P ${TactN}  -A ${TactN}"
+KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2)
+ZSK=$($KEYGEN  -a $DEFAULT_ALGORITHM -L 7200        $zsktimes $zone 2> keygen.out.$zone.3)
+$SETTIME -s -g $H -k $O $TactN   -r $O $TactN  -d $O $TactN  "$KSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $R $TpubN1  -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TactN   -z $O $TactN                "$ZSK"  > settime.out.$zone.3 2>&1
+# Set key rollover relationship.
+key_successor $KSK1 $KSK2
+# Sign zone.
+cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 4:
+# The DS should be swapped now.
+setup step4.ksk-doubleksk.autosign
+# According to RFC 7583:
+#
+# Tret(N)   = Tsbm(N+1)
+# Tdea(N)   = Tret(N) + Iret
+# Tact(N+1) = Tret(N)
+#
+#                   |5|       |6|   |7|      |8|      |9|    |10|
+#                    |         |     |        |        |       |
+#       Key N   - - --------------Lksk------->|<-Iret->|<----->|
+#                    |         |     |        |        |       |
+#       Key N+1      |<-IpubC->|<--->|<-Dreg->|<--------Lksk----- - -
+#                    |         |     |        |        |       |
+#       Key N                                Tret     Tdea    Trem
+#       Key N+1     Tpub      Trdy  Tsbm     Tact
+#
+#                                                             Tnow
+#
+# Lksk: 60d
+# Dreg: N/A
+# Iret: 50h
+#
+# Tact(N)   = Tnow - Lksk - Iret = now - 60d - 50h
+#           = now - 1440h - 50h = now - 1490h
+# Tret(N)   = Tnow - Iret = now - 50h
+# Trem(N)   = Tnow
+# Tpub(N+1) = Tnow - Iret - IpubC = now - 50h - 27h
+#           = now - 77h
+# Tsbm(N+1) = Tnow - Iret = now - 50h
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = Tnow + Lksk - Iret = now + 60d - 50h = now + 1390h
+# Trem(N+1) = Tnow + Lksk = now + 60d
+TactN="now-1490h"
+TretN="now-50h"
+TremN="now"
+TpubN1="now-77h"
+TsbmN1="now-50h"
+TactN1="${TretN}"
+TretN1="now+1390h"
+TremN1="now+60d"
+ksktimes="-P ${TactN}  -A ${TactN} -P sync ${TactN}  -I ${TretN}  -D ${TremN}"
+newtimes="-P ${TpubN1} -A ${TretN} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}"
+zsktimes="-P ${TactN}  -A ${TactN}"
+KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2)
+ZSK=$($KEYGEN  -a $DEFAULT_ALGORITHM -L 7200        $zsktimes $zone 2> keygen.out.$zone.3)
+$SETTIME -s -g $H -k $O $TactN  -r $O $TactN  -d $U $TsbmN1 -D ds $TsbmN1 "$KSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -P ds $TsbmN1 "$KSK2" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TactN  -z $O $TactN                              "$ZSK"  > settime.out.$zone.3 2>&1
+# Set key rollover relationship.
+key_successor $KSK1 $KSK2
+# Sign zone.
+cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 5:
+# The predecessor DNSKEY is removed long enough that is has become HIDDEN.
+setup step5.ksk-doubleksk.autosign
+# Subtract DNSKEY TTL from all the times (2h).
+# Tact(N)   = now - 1490h - 2h = now - 1492h
+# Tret(N)   = now - 50h - 2h = now - 52h
+# Trem(N)   = now - 2h
+# Tpub(N+1) = now - 77h - 2h = now - 79h
+# Tsbm(N+1) = now - 50h - 2h = now - 52h
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = now + 1390h - 2h = now + 1388h
+# Trem(N+1) = now + 60d - 2h = now + 1442h
+TactN="now-1492h"
+TretN="now-52h"
+TremN="now-2h"
+TpubN1="now-79h"
+TsbmN1="now-52h"
+TactN1="${TretN}"
+TretN1="now+1388h"
+TremN1="now+1442h"
+ksktimes="-P ${TactN}  -A ${TactN} -P sync ${TactN}  -I ${TretN}  -D ${TremN}"
+newtimes="-P ${TpubN1} -A ${TretN} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}"
+zsktimes="-P ${TactN}  -A ${TactN}"
+KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2)
+ZSK=$($KEYGEN  -a $DEFAULT_ALGORITHM -L 7200        $zsktimes $zone 2> keygen.out.$zone.3)
+$SETTIME -s -g $H -k $U $TretN  -r $U $TretN  -d $H $TretN  "$KSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TactN  -z $O $TactN                "$ZSK"  > settime.out.$zone.3 2>&1
+# Set key rollover relationship.
+key_successor $KSK1 $KSK2
+# Sign zone.
+cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 6:
+# The predecessor DNSKEY can be purged.
+setup step6.ksk-doubleksk.autosign
+# Subtract purge-keys interval from all the times (1h).
+# Tact(N)   = now - 1492h - 1h = now - 1493h
+# Tret(N)   = now - 52h - 1h = now - 53h
+# Trem(N)   = now - 2h - 1h = now - 3h
+# Tpub(N+1) = now - 79h - 1h = now - 80h
+# Tsbm(N+1) = now - 52h - 1h = now - 53h
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = now + 1388h - 1h = now + 1387h
+# Trem(N+1) = now + 1442h - 1h = now + 1441h
+TactN="now-1493h"
+TretN="now-53h"
+TremN="now-3h"
+TpubN1="now-80h"
+TsbmN1="now-53h"
+TactN1="${TretN}"
+TretN1="now+1387h"
+TremN1="now+1441h"
+ksktimes="-P ${TactN}  -A ${TactN} -P sync ${TactN}  -I ${TretN}  -D ${TremN}"
+newtimes="-P ${TpubN1} -A ${TretN} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}"
+zsktimes="-P ${TactN}  -A ${TactN}"
+KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2)
+ZSK=$($KEYGEN  -a $DEFAULT_ALGORITHM -L 7200        $zsktimes $zone 2> keygen.out.$zone.3)
+$SETTIME -s -g $H -k $H $TretN  -r $H $TretN  -d $H $TretN  "$KSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TactN  -z $O $TactN                "$ZSK"  > settime.out.$zone.3 2>&1
+# Set key rollover relationship.
+key_successor $KSK1 $KSK2
+# Sign zone.
+cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+#
+# The zones at csk-roll.autosign represent the various steps of a CSK rollover
+# (which is essentially a ZSK Pre-Publication / KSK Double-KSK rollover).
+#
+
+# Step 1:
+# Introduce the first key. This will immediately be active.
+setup step1.csk-roll.autosign
+TactN="now"
+csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
+CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 2:
+# It is time to introduce the new CSK.
+setup step2.csk-roll.autosign
+# According to RFC 7583:
+# KSK: Tpub(N+1) <= Tact(N) + Lksk - IpubC
+# ZSK: Tpub(N+1) <= Tact(N) + Lzsk - Ipub
+# IpubC = DprpC + TTLkey (+publish-safety)
+# Ipub  = IpubC
+# Lcsk = Lksk = Lzsk
+#
+# Lcsk:           6mo (186d, 4464h)
+# Dreg:           N/A
+# DprpC:          1h
+# TTLkey:         1h
+# publish-safety: 1h
+# Ipub:           3h
+#
+# Tact(N) = Tnow - Lcsk + Ipub = now - 186d + 3h
+#         = now - 4464h + 3h = now - 4461h
+TactN="now-4461h"
+csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
+CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 3:
+# It is time to submit the DS and to roll signatures.
+setup step3.csk-roll.autosign
+# According to RFC 7583:
+#
+# Tsbm(N+1) >= Trdy(N+1)
+# KSK: Tact(N+1) = Tsbm(N+1)
+# ZSK: Tact(N+1) = Tpub(N+1) + Ipub = Tsbm(N+1)
+# KSK: Iret  = DprpP + TTLds (+retire-safety)
+# ZSK: IretZ = Dsgn + Dprp + TTLsig (+retire-safety)
+#
+# Lcsk:           186d
+# Dprp:           1h
+# DprpP:          1h
+# Dreg:           N/A
+# Dsgn:           25d
+# TTLds:          1h
+# TTLsig:         1d
+# retire-safety:  2h
+# Iret:           4h
+# IretZ:          26d3h
+# Ipub:           3h
+#
+# Tact(N)   = Tnow - Lcsk = now - 186d
+# Tret(N)   = now
+# Trem(N)   = Tnow + IretZ = now + 26d3h = now + 627h
+# Tpub(N+1) = Tnow - Ipub = now - 3h
+# Tsbm(N+1) = Tret(N)
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = Tnow + Lcsk = now + 186d = now + 186d
+# Trem(N+1) = Tnow + Lcsk + IretZ = now + 186d + 26d3h =
+#           = now + 5091h
+TactN="now-186d"
+TretN="now"
+TremN="now+627h"
+TpubN1="now-3h"
+TsbmN1="now"
+TactN1="${TretN}"
+TretN1="now+186d"
+TremN1="now+5091h"
+csktimes="-P ${TactN}  -P sync ${TactN}  -A ${TactN}  -I ${TretN}  -D ${TremN}"
+newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
+CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN  -r $O $TactN  -d $O $TactN  -z $O $TactN  "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1
+# Set key rollover relationship.
+key_successor $CSK1 $CSK2
+# Sign zone.
+cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 4:
+# Some time later all the ZRRSIG records should be from the new CSK, and the
+# DS should be swapped.  The ZRRSIG records are all replaced after IretZ
+# (which is 26d3h).  The DS is swapped after Iret (which is 4h).
+# In other words, the DS is swapped before all zone signatures are replaced.
+setup step4.csk-roll.autosign
+# According to RFC 7583:
+# Trem(N)    = Tret(N) - Iret + IretZ
+# Tnow       = Tsbm(N+1) + Iret
+#
+# Lcsk:   186d
+# Iret:   4h
+# IretZ:  26d3h
+#
+# Tact(N)   = Tnow - Iret - Lcsk = now - 4h - 186d = now - 4468h
+# Tret(N)   = Tnow - Iret = now - 4h = now - 4h
+# Trem(N)   = Tnow - Iret + IretZ = now - 4h + 26d3h
+#           = now + 623h
+# Tpub(N+1) = Tnow - Iret - IpubC = now - 4h - 3h = now - 7h
+# Tsbm(N+1) = Tret(N)
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = Tnow - Iret + Lcsk = now - 4h + 186d = now + 4460h
+# Trem(N+1) = Tnow - Iret + Lcsk + IretZ = now - 4h + 186d + 26d3h
+#	    = now + 5087h
+TactN="now-4468h"
+TretN="now-4h"
+TremN="now+623h"
+TpubN1="now-7h"
+TsbmN1="${TretN}"
+TactN1="${TretN}"
+TretN1="now+4460h"
+TremN1="now+5087h"
+csktimes="-P ${TactN}  -P sync ${TactN}  -A ${TactN}  -I ${TretN}  -D ${TremN}"
+newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
+CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN  -r $O $TactN  -d $U $TsbmN1 -z $U $TsbmN1 -D ds $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -z $R $TsbmN1 -P ds $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1
+# Set key rollover relationship.
+key_successor $CSK1 $CSK2
+# Sign zone.
+cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 5:
+# After the DS is swapped in step 4, also the KRRSIG records can be removed.
+# At this time these have all become hidden.
+setup step5.csk-roll.autosign
+# Subtract DNSKEY TTL plus zone propagation delay from all the times (2h).
+# Tact(N)   = now - 4468h - 2h = now - 4470h
+# Tret(N)   = now - 4h - 2h = now - 6h
+# Trem(N)   = now + 623h - 2h = now + 621h
+# Tpub(N+1) = now - 7h - 2h = now - 9h
+# Tsbm(N+1) = Tret(N)
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = now + 4460h - 2h = now + 4458h
+# Trem(N+1) = now + 5087h - 2h = now + 5085h
+TactN="now-4470h"
+TretN="now-6h"
+TremN="now+621h"
+TpubN1="now-9h"
+TsbmN1="${TretN}"
+TactN1="${TretN}"
+TretN1="now+4458h"
+TremN1="now+5085h"
+csktimes="-P ${TactN}  -P sync ${TactN}  -A ${TactN}  -I ${TretN}  -D ${TremN}"
+newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
+CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN  -r $U now-2h  -d $H now-2h -z $U $TactN1 "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O now-2h -z $R $TactN1 "$CSK2" > settime.out.$zone.2 2>&1
+# Set key rollover relationship.
+key_successor $CSK1 $CSK2
+# Sign zone.
+cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 6:
+# After the retire interval has passed the predecessor DNSKEY can be
+# removed from the zone.
+setup step6.csk-roll.autosign
+# According to RFC 7583:
+# Trem(N) = Tret(N) + IretZ
+# Tret(N) = Tact(N) + Lcsk
+#
+# Lcsk:   186d
+# Iret:   4h
+# IretZ:  26d3h
+#
+# Tact(N)   = Tnow - IretZ - Lcsk = now - 627h - 186d
+#           = now - 627h - 4464h = now - 5091h
+# Tret(N)   = Tnow - IretZ = now - 627h
+# Trem(N)   = Tnow
+# Tpub(N+1) = Tnow - IretZ - Ipub = now - 627h - 3h = now - 630h
+# Tsbm(N+1) = Tret(N)
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = Tnow - IretZ + Lcsk = now - 627h + 186d = now + 3837h
+# Trem(N+1) = Tnow + Lcsk = now + 186d
+TactN="now-5091h"
+TretN="now-627h"
+TremN="now"
+TpubN1="now-630h"
+TsbmN1="${TretN}"
+TactN1="${TretN}"
+TretN1="now+3837h"
+TremN1="now+186d"
+csktimes="-P ${TactN}  -P sync ${TactN}  -A ${TactN}  -I ${TretN}  -D ${TremN}"
+newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
+CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN  -r $H $TremN  -d $H $TremN  -z $U $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN  -z $R $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1
+# Set key rollover relationship.
+key_successor $CSK1 $CSK2
+# Sign zone.
+cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 7:
+# Some time later the predecessor DNSKEY enters the HIDDEN state.
+setup step7.csk-roll.autosign
+# Subtract DNSKEY TTL plus zone propagation delay from all the times (2h).
+# Tact(N) = now - 5091h - 2h = now - 5093h
+# Tret(N) = now - 627h - 2h  = now - 629h
+# Trem(N) = now - 2h
+# Tpub(N+1) = now - 630h - 2h = now - 632h
+# Tsbm(N+1) = Tret(N)
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = now + 3837h - 2h = now + 3835h
+# Trem(N+1) = now + 186d - 2h = now + 4462h
+TactN="now-5093h"
+TretN="now-629h"
+TremN="now-2h"
+TpubN1="now-632h"
+TsbmN1="${TretN}"
+TactN1="${TretN}"
+TretN1="now+3835h"
+TremN1="now+4462h"
+csktimes="-P ${TactN}  -P sync ${TactN}  -A ${TactN}  -I ${TretN}  -D ${TremN}"
+newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
+CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $H -k $U $TremN  -r $H $TremN  -d $H $TremN  -z $H $TactN1 "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TactN1 -z $O $TactN1 "$CSK2" > settime.out.$zone.2 2>&1
+# Set key rollover relationship.
+key_successor $CSK1 $CSK2
+# Sign zone.
+cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 8:
+# The predecessor DNSKEY can be purged.
+setup step8.csk-roll.autosign
+# Subtract purge-keys interval from all the times (1h).
+# Tact(N) = now - 5093h - 1h = now - 5094h
+# Tret(N) = now - 629h - 1h  = now - 630h
+# Trem(N) = now - 2h - 1h = now - 3h
+# Tpub(N+1) = now - 632h - 1h = now - 633h
+# Tsbm(N+1) = Tret(N)
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = now + 3835h - 1h = now + 3834h
+# Trem(N+1) = now + 4462h - 1h = now + 4461h
+TactN="now-5094h"
+TretN="now-630h"
+TremN="now-3h"
+TpubN1="now-633h"
+TsbmN1="${TretN}"
+TactN1="${TretN}"
+TretN1="now+3834h"
+TremN1="now+4461h"
+csktimes="-P ${TactN}  -P sync ${TactN}  -A ${TactN}  -I ${TretN}  -D ${TremN}"
+newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
+CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $H -k $H $TremN  -r $H $TremN  -d $H $TremN  -z $H $TactN1 "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TactN1 -z $O $TactN1 "$CSK2" > settime.out.$zone.2 2>&1
+# Set key rollover relationship.
+key_successor $CSK1 $CSK2
+# Sign zone.
+cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+#
+# The zones at csk-roll2.autosign represent the various steps of a CSK rollover
+# (which is essentially a ZSK Pre-Publication / KSK Double-KSK rollover).
+# This scenario differs from the above one because the zone signatures (ZRRSIG)
+# are replaced with the new key sooner than the DS is swapped.
+#
+
+# Step 1:
+# Introduce the first key. This will immediately be active.
+setup step1.csk-roll2.autosign
+TactN="now"
+csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
+CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 2:
+# It is time to introduce the new CSK.
+setup step2.csk-roll2.autosign
+# According to RFC 7583:
+# KSK: Tpub(N+1) <= Tact(N) + Lksk - IpubC
+# ZSK: Tpub(N+1) <= Tact(N) + Lzsk - Ipub
+# IpubC = DprpC + TTLkey (+publish-safety)
+# Ipub  = IpubC
+# Lcsk = Lksk = Lzsk
+#
+# Lcsk:           6mo (186d, 4464h)
+# Dreg:           N/A
+# DprpC:          1h
+# TTLkey:         1h
+# publish-safety: 1h
+# Ipub:           3h
+#
+# Tact(N)  = Tnow - Lcsk + Ipub = now - 186d + 3h
+#          = now - 4464h + 3h = now - 4461h
+TactN="now-4461h"
+csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
+CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 3:
+# It is time to submit the DS and to roll signatures.
+setup step3.csk-roll2.autosign
+# According to RFC 7583:
+#
+# Tsbm(N+1) >= Trdy(N+1)
+# KSK: Tact(N+1) = Tsbm(N+1)
+# ZSK: Tact(N+1) = Tpub(N+1) + Ipub = Tsbm(N+1)
+# KSK: Iret  = DprpP + TTLds (+retire-safety)
+# ZSK: IretZ = Dsgn + Dprp + TTLsig (+retire-safety)
+#
+# Lcsk:           186d
+# Dprp:           1h
+# DprpP:          1w
+# Dreg:           N/A
+# Dsgn:           12h
+# TTLds:          1h
+# TTLsig:         1d
+# retire-safety:  1h
+# Iret:           170h
+# IretZ:          38h
+# Ipub:           3h
+#
+# Tact(N)   = Tnow - Lcsk = now - 186d
+# Tret(N)   = now
+# Trem(N)   = Tnow + Iret = now + 170h
+# Tpub(N+1) = Tnow - Ipub = now - 3h
+# Tsbm(N+1) = Tret(N)
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = Tnow + Lcsk = now + 186d
+# Trem(N+1) = Tnow + Lcsk + Iret = now + 186d + 170h =
+#           = now + 4464h + 170h = now + 4634h
+TactN="now-186d"
+TretN="now"
+TremN="now+170h"
+TpubN1="now-3h"
+TsbmN1="${TretN}"
+TactN1="${TretN}"
+TretN1="now+186d"
+TremN1="now+4634h"
+csktimes="-P ${TactN}  -P sync ${TactN}  -A ${TactN}  -I ${TretN}  -D ${TremN}"
+newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
+CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN  -r $O $TactN  -d $O $TactN  -z $O $TactN  "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1
+# Set key rollover relationship.
+key_successor $CSK1 $CSK2
+# Sign zone.
+cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 4:
+# Some time later all the ZRRSIG records should be from the new CSK, and the
+# DS should be swapped.  The ZRRSIG records are all replaced after IretZ (38h).
+# The DS is swapped after Dreg + Iret (1w3h). In other words, the zone
+# signatures are replaced before the DS is swapped.
+setup step4.csk-roll2.autosign
+# According to RFC 7583:
+# Trem(N)    = Tret(N) + IretZ
+#
+# Lcsk:   186d
+# Dreg:   N/A
+# Iret:   170h
+# IretZ:  38h
+#
+# Tact(N)    = Tnow - IretZ = Lcsk = now - 38h - 186d
+#            = now - 38h - 4464h = now - 4502h
+# Tret(N)    = Tnow - IretZ = now - 38h
+# Trem(N)    = Tnow - IretZ + Iret = now - 38h + 170h = now + 132h
+# Tpub(N+1)  = Tnow - IretZ - IpubC = now - 38h - 3h = now - 41h
+# Tsbm(N+1)  = Tret(N)
+# Tact(N+1)  = Tret(N)
+# Tret(N+1)  = Tnow - IretZ + Lcsk = now - 38h + 186d
+#            = now + 4426h
+# Trem(N+1)  = Tnow - IretZ + Lcsk + Iret
+#            = now + 4426h + 3h = now + 4429h
+TactN="now-4502h"
+TretN="now-38h"
+TremN="now+132h"
+TpubN1="now-41h"
+TsbmN1="${TretN}"
+TactN1="${TretN}"
+TretN1="now+4426h"
+TremN1="now+4429h"
+csktimes="-P ${TactN}  -P sync ${TactN}  -A ${TactN}  -I ${TretN}  -D ${TremN}"
+newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
+CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN  -r $O $TactN  -z $U $TretN  -d $U $TsbmN1 -D ds $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -z $R $TactN1 -d $R $TsbmN1 -P ds $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1
+# Set key rollover relationship.
+key_successor $CSK1 $CSK2
+# Sign zone.
+cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 5:
+# Some time later the DS can be swapped and the old DNSKEY can be removed from
+# the zone.
+setup step5.csk-roll2.autosign
+# Subtract Iret (170h) - IretZ (38h) = 132h.
+#
+# Tact(N)   = now - 4502h - 132h = now - 4634h
+# Tret(N)   = now - 38h - 132h = now - 170h
+# Trem(N)   = now + 132h - 132h = now
+# Tpub(N+1) = now - 41h - 132h = now - 173h
+# Tsbm(N+1) = Tret(N)
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = now + 4426h - 132h = now + 4294h
+# Trem(N+1) = now + 4492h - 132h = now + 4360h
+TactN="now-4634h"
+TretN="now-170h"
+TremN="now"
+TpubN1="now-173h"
+TsbmN1="${TretN}"
+TactN1="${TretN}"
+TretN1="now+4294h"
+TremN1="now+4360h"
+csktimes="-P ${TactN}  -P sync ${TactN}  -A ${TactN}  -I ${TretN}  -D ${TremN}"
+newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
+CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN  -r $O $TactN  -z $H now-133h -d $U $TsbmN1 -D ds $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -z $O now-133h -d $R $TsbmN1 -P ds $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1
+# Set key rollover relationship.
+key_successor $CSK1 $CSK2
+# Sign zone.
+cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 6:
+# Some time later the predecessor DNSKEY enters the HIDDEN state.
+setup step6.csk-roll2.autosign
+# Subtract DNSKEY TTL plus zone propagation delay (2h).
+#
+# Tact(N)   = now - 4634h - 2h = now - 4636h
+# Tret(N)   = now - 170h - 2h = now - 172h
+# Trem(N)   = now - 2h
+# Tpub(N+1) = now - 173h - 2h = now - 175h
+# Tsbm(N+1) = Tret(N)
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = now + 4294h - 2h = now + 4292h
+# Trem(N+1) = now + 4360h - 2h = now + 4358h
+TactN="now-4636h"
+TretN="now-172h"
+TremN="now-2h"
+TpubN1="now-175h"
+TsbmN1="${TretN}"
+TactN1="${TretN}"
+TretN1="now+4292h"
+TremN1="now+4358h"
+csktimes="-P ${TactN}  -P sync ${TactN}  -A ${TactN}  -I ${TretN}  -D ${TremN}"
+newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
+CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $H -k $U $TremN  -r $U $TremN  -d $H $TremN -z $H now-135h "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $O now-135h "$CSK2" > settime.out.$zone.2 2>&1
+# Set key rollover relationship.
+key_successor $CSK1 $CSK2
+# Sign zone.
+cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 7:
+# The predecessor DNSKEY can be purged, but purge-keys is disabled.
+setup step7.csk-roll2.autosign
+# Subtract 90 days (default, 2160h) from all the times.
+# Tact(N)   = now - 4636h - 2160h = now - 6796h
+# Tret(N)   = now - 172h - 2160h = now - 2332h
+# Trem(N)   = now - 2h - 2160h = now - 2162h
+# Tpub(N+1) = now - 175h - 2160h = now - 2335h
+# Tsbm(N+1) = Tret(N)
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = now + 4294h - 2160h = now + 2134h
+# Trem(N+1) = now + 4360h - 2160h = now + 2200h
+TactN="now-6796h"
+TretN="now-2332h"
+TremN="now-2162h"
+TpubN1="now-2335h"
+TsbmN1="${TretN}"
+TactN1="${TretN}"
+TretN1="now+2134h"
+TremN1="now+2200h"
+csktimes="-P ${TactN}  -P sync ${TactN}  -A ${TactN}  -I ${TretN}  -D ${TremN}"
+newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
+CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $H -k $U $TremN  -r $U $TremN  -d $H $TremN -z $H now-135h "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $O now-135h "$CSK2" > settime.out.$zone.2 2>&1
+# Set key rollover relationship.
+key_successor $CSK1 $CSK2
+# Sign zone.
+cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Test #2375, the "three is a crowd" bug, where a new key is introduced but the
+# previous rollover has not finished yet. In other words, we have a key KEY2
+# that is the successor of key KEY1, and we introduce a new key KEY3 that is
+# the successor of key KEY2:
+#
+#     KEY1 < KEY2 < KEY3.
+#
+# The expected behavior is that all three keys remain in the zone, and not
+# the bug behavior where KEY2 is removed and immediately replaced with KEY3.
+#
+# Set up a zone that has a KSK (KEY1) and have the successor key (KEY2)
+# published as well.
+setup three-is-a-crowd.kasp
+# These times are the same as step3.ksk-doubleksk.autosign.
+TactN="now-60d"
+TretN="now"
+TremN="now+50h"
+TpubN1="now-27h"
+TsbmN1="now"
+TactN1="${TretN}"
+TretN1="now+60d"
+TremN1="now+1490h"
+ksktimes="-P ${TactN}  -A ${TactN}  -P sync ${TactN}  -I ${TretN}  -D ${TremN}"
+newtimes="-P ${TpubN1} -A ${TactN1} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}"
+zsktimes="-P ${TactN}  -A ${TactN}"
+KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2)
+ZSK=$($KEYGEN  -a $DEFAULT_ALGORITHM -L 7200        $zsktimes $zone 2> keygen.out.$zone.3)
+$SETTIME -s -g $H -k $O $TactN   -r $O $TactN  -d $O $TactN  "$KSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $R $TpubN1  -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TactN   -z $O $TactN                "$ZSK"  > settime.out.$zone.3 2>&1
+# Set key rollover relationship.
+key_successor $KSK1 $KSK2
+# Sign zone.
+cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
diff --git a/bin/tests/system/kasp/ns3/template.db.in b/bin/tests/system/kasp/ns3/template.db.in
new file mode 100644
index 0000000..010b05b
--- /dev/null
+++ b/bin/tests/system/kasp/ns3/template.db.in
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@		IN	SOA  mname1. . (
+			1       ; serial
+			20      ; refresh (20 seconds)
+			20      ; retry (20 seconds)
+			1814400 ; expire (3 weeks)
+			3600    ; minimum (1 hour)
+			)
+
+			NS	ns3
+ns3			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+c			A	10.0.0.3
+
diff --git a/bin/tests/system/kasp/ns3/template2.db.in b/bin/tests/system/kasp/ns3/template2.db.in
new file mode 100644
index 0000000..7b94ace
--- /dev/null
+++ b/bin/tests/system/kasp/ns3/template2.db.in
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@		IN	SOA  mname1. . (
+			2       ; serial
+			20      ; refresh (20 seconds)
+			20      ; retry (20 seconds)
+			1814400 ; expire (3 weeks)
+			3600    ; minimum (1 hour)
+			)
+
+			NS	ns3
+ns3			A	10.53.0.3
+
+a			A	10.0.0.11
+b			A	10.0.0.22
+c			A	10.0.0.33
+d			A	10.0.0.44
diff --git a/bin/tests/system/kasp/ns4/example1.db.in b/bin/tests/system/kasp/ns4/example1.db.in
new file mode 100644
index 0000000..c9e537f
--- /dev/null
+++ b/bin/tests/system/kasp/ns4/example1.db.in
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@		IN	SOA  mname1. . (
+			1       ; serial
+			20      ; refresh (20 seconds)
+			20      ; retry (20 seconds)
+			1814400 ; expire (3 weeks)
+			3600    ; minimum (1 hour)
+			)
+
+			NS	ns4
+ns4			A	10.53.0.4
+
+view			TXT	"view1"
diff --git a/bin/tests/system/kasp/ns4/example2.db.in b/bin/tests/system/kasp/ns4/example2.db.in
new file mode 100644
index 0000000..c1f16a2
--- /dev/null
+++ b/bin/tests/system/kasp/ns4/example2.db.in
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@		IN	SOA  mname1. . (
+			1       ; serial
+			20      ; refresh (20 seconds)
+			20      ; retry (20 seconds)
+			1814400 ; expire (3 weeks)
+			3600    ; minimum (1 hour)
+			)
+
+			NS	ns4
+ns4			A	10.53.0.4
+
+view			TXT	"view2"
diff --git a/bin/tests/system/kasp/ns4/named.conf.in b/bin/tests/system/kasp/ns4/named.conf.in
new file mode 100644
index 0000000..fff45ab
--- /dev/null
+++ b/bin/tests/system/kasp/ns4/named.conf.in
@@ -0,0 +1,176 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS4
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+key "sha1" {
+	algorithm "hmac-sha1";
+	secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
+};
+
+key "sha224" {
+	algorithm "hmac-sha224";
+	secret "hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA==";
+};
+
+key "sha256" {
+	algorithm "hmac-sha256";
+	secret "R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY=";
+};
+
+key "keyforview1" {
+	algorithm @DEFAULT_HMAC@;
+	secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
+};
+
+key "keyforview2" {
+	algorithm @DEFAULT_HMAC@;
+	secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
+};
+
+key "keyforview3" {
+	algorithm @DEFAULT_HMAC@;
+	secret "C1Azf+gGPMmxrUg/WQINP6eV9Y0=";
+};
+
+dnssec-policy "test" {
+	keys {
+		csk key-directory lifetime 0 algorithm 14;
+	};
+};
+
+options {
+	query-source address 10.53.0.4;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-policy "test";
+};
+
+view "inherit" {
+	match-clients { key "sha1"; };
+
+	/* Inherit dnssec-policy 'test' */
+	zone "inherit.inherit.signed" {
+		type primary;
+		file "inherit.inherit.signed.db";
+		inline-signing yes;
+	};
+
+	/* Override dnssec-policy */
+	zone "override.inherit.signed" {
+		type primary;
+		file "override.inherit.signed.db";
+		inline-signing yes;
+		dnssec-policy "default";
+	};
+
+	/* Unset dnssec-policy */
+	zone "none.inherit.signed" {
+		type primary;
+		file "none.inherit.signed.db";
+		dnssec-policy "none";
+	};
+};
+
+view "override" {
+	match-clients { key "sha224"; };
+	dnssec-policy "default";
+
+	/* Inherit dnssec-policy 'test' */
+	zone "inherit.override.signed" {
+		type primary;
+		file "inherit.override.signed.db";
+		inline-signing yes;
+	};
+
+	/* Override dnssec-policy */
+	zone "override.override.signed" {
+		type primary;
+		file "override.override.signed.db";
+		inline-signing yes;
+		dnssec-policy "test";
+	};
+
+	/* Unset dnssec-policy */
+	zone "none.override.signed" {
+		type primary;
+		file "none.override.signed.db";
+		dnssec-policy "none";
+	};
+};
+
+view "none" {
+	match-clients { key "sha256"; };
+	dnssec-policy "none";
+
+	/* Inherit dnssec-policy 'none' */
+	zone "inherit.none.signed" {
+		type primary;
+		file "inherit.none.signed.db";
+	};
+
+	/* Override dnssec-policy */
+	zone "override.none.signed" {
+		type primary;
+		file "override.none.signed.db";
+		inline-signing yes;
+		dnssec-policy "test";
+	};
+
+	/* Unset dnssec-policy */
+	zone "none.none.signed" {
+		type primary;
+		file "none.none.signed.db";
+		dnssec-policy "none";
+	};
+};
+
+view "example1" {
+	match-clients { key "keyforview1"; };
+
+	allow-update { any; };
+
+	zone "example.net" {
+		type primary;
+		file "example1.db";
+	};
+};
+
+view "example2" {
+	match-clients { key "keyforview2"; };
+
+	zone "example.net" {
+		type primary;
+		file "example2.db";
+		inline-signing yes;
+	};
+};
+
+view "example3" {
+	match-clients { key "keyforview3"; };
+	zone "example.net" {
+		in-view example2;
+	};
+};
diff --git a/bin/tests/system/kasp/ns4/setup.sh b/bin/tests/system/kasp/ns4/setup.sh
new file mode 100644
index 0000000..45cb5b3
--- /dev/null
+++ b/bin/tests/system/kasp/ns4/setup.sh
@@ -0,0 +1,33 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+echo_i "ns4/setup.sh"
+
+#
+# Set up zones that potentially will be initially signed.
+#
+for zn in inherit.inherit override.inherit none.inherit \
+	  inherit.override override.override none.override \
+	  inherit.none override.none none.none
+do
+	zone="$zn.signed"
+	echo_i "setting up zone: $zone"
+	zonefile="${zone}.db"
+	cp template.db.in $zonefile
+done
+
+cp example1.db.in example1.db
+cp example2.db.in example2.db
diff --git a/bin/tests/system/kasp/ns4/template.db.in b/bin/tests/system/kasp/ns4/template.db.in
new file mode 100644
index 0000000..0f72e9c
--- /dev/null
+++ b/bin/tests/system/kasp/ns4/template.db.in
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@		IN	SOA  mname1. . (
+			1       ; serial
+			20      ; refresh (20 seconds)
+			20      ; retry (20 seconds)
+			1814400 ; expire (3 weeks)
+			3600    ; minimum (1 hour)
+			)
+
+			NS	ns4
+ns4			A	10.53.0.4
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+c			A	10.0.0.3
+
diff --git a/bin/tests/system/kasp/ns5/named.conf.in b/bin/tests/system/kasp/ns5/named.conf.in
new file mode 100644
index 0000000..dae2405
--- /dev/null
+++ b/bin/tests/system/kasp/ns5/named.conf.in
@@ -0,0 +1,132 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS5
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+key "sha1" {
+	algorithm "hmac-sha1";
+	secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
+};
+
+key "sha224" {
+	algorithm "hmac-sha224";
+	secret "hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA==";
+};
+
+key "sha256" {
+	algorithm "hmac-sha256";
+	secret "R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY=";
+};
+
+dnssec-policy "test" {
+	keys {
+		csk key-directory lifetime 0 algorithm 14;
+	};
+};
+
+options {
+	query-source address 10.53.0.5;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.5; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-policy "none";
+};
+
+view "inherit" {
+	match-clients { key "sha1"; };
+
+	/* Inherit dnssec-policy 'none' */
+	zone "inherit.inherit.unsigned" {
+		type primary;
+		file "inherit.inherit.unsigned.db";
+	};
+
+	/* Override dnssec-policy */
+	zone "override.inherit.unsigned" {
+		type primary;
+		file "override.inherit.unsigned.db";
+		inline-signing yes;
+		dnssec-policy "default";
+	};
+
+	/* Unset dnssec-policy */
+	zone "none.inherit.unsigned" {
+		type primary;
+		file "none.inherit.unsigned.db";
+		dnssec-policy "none";
+	};
+};
+
+view "override" {
+	match-clients { key "sha224"; };
+	dnssec-policy "default";
+
+	/* Inherit dnssec-policy 'default' */
+	zone "inherit.override.unsigned" {
+		type primary;
+		file "inherit.override.unsigned.db";
+		inline-signing yes;
+	};
+
+	/* Override dnssec-policy */
+	zone "override.override.unsigned" {
+		type primary;
+		file "override.override.unsigned.db";
+		inline-signing yes;
+		dnssec-policy "test";
+	};
+
+	/* Unset dnssec-policy */
+	zone "none.override.unsigned" {
+		type primary;
+		file "none.override.unsigned.db";
+		dnssec-policy "none";
+	};
+};
+
+view "none" {
+	match-clients { key "sha256"; };
+	dnssec-policy "none";
+
+	/* Inherit dnssec-policy 'none' */
+	zone "inherit.none.unsigned" {
+		type primary;
+		file "inherit.none.unsigned.db";
+	};
+
+	/* Override dnssec-policy */
+	zone "override.none.unsigned" {
+		type primary;
+		file "override.none.unsigned.db";
+		inline-signing yes;
+		dnssec-policy "test";
+	};
+
+	/* Unset dnssec-policy */
+	zone "none.none.unsigned" {
+		type primary;
+		file "none.none.unsigned.db";
+		dnssec-policy "none";
+	};
+};
diff --git a/bin/tests/system/kasp/ns5/setup.sh b/bin/tests/system/kasp/ns5/setup.sh
new file mode 100644
index 0000000..e51af06
--- /dev/null
+++ b/bin/tests/system/kasp/ns5/setup.sh
@@ -0,0 +1,30 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+echo_i "ns5/setup.sh"
+
+#
+# Set up zones that potentially will be initially signed.
+#
+for zn in inherit.inherit override.inherit none.inherit \
+	  inherit.override override.override none.override \
+	  inherit.none override.none none.none
+do
+	zone="$zn.unsigned"
+	echo_i "setting up zone: $zone"
+	zonefile="${zone}.db"
+	cp template.db.in $zonefile
+done
diff --git a/bin/tests/system/kasp/ns5/template.db.in b/bin/tests/system/kasp/ns5/template.db.in
new file mode 100644
index 0000000..6cb07a4
--- /dev/null
+++ b/bin/tests/system/kasp/ns5/template.db.in
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@		IN	SOA  mname1. . (
+			1       ; serial
+			20      ; refresh (20 seconds)
+			20      ; retry (20 seconds)
+			1814400 ; expire (3 weeks)
+			3600    ; minimum (1 hour)
+			)
+
+			NS	ns5
+ns5			A	10.53.0.5
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+c			A	10.0.0.3
+
diff --git a/bin/tests/system/kasp/ns6/example.db.in b/bin/tests/system/kasp/ns6/example.db.in
new file mode 100644
index 0000000..d6b912c
--- /dev/null
+++ b/bin/tests/system/kasp/ns6/example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@		IN	SOA  mname1. . (
+			1       ; serial
+			20      ; refresh (20 seconds)
+			20      ; retry (20 seconds)
+			1814400 ; expire (3 weeks)
+			3600    ; minimum (1 hour)
+			)
+
+			NS	ns6
+ns6			A	10.53.0.6
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+c			A	10.0.0.3
diff --git a/bin/tests/system/kasp/ns6/example2.db.in b/bin/tests/system/kasp/ns6/example2.db.in
new file mode 100644
index 0000000..46aed9b
--- /dev/null
+++ b/bin/tests/system/kasp/ns6/example2.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@		IN	SOA  mname1. . (
+			2       ; serial
+			20      ; refresh (20 seconds)
+			20      ; retry (20 seconds)
+			1814400 ; expire (3 weeks)
+			3600    ; minimum (1 hour)
+			)
+
+			NS	ns6
+ns6			A	10.53.0.6
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+c			A	10.0.0.3
diff --git a/bin/tests/system/kasp/ns6/example3.db.in b/bin/tests/system/kasp/ns6/example3.db.in
new file mode 100644
index 0000000..ccbd96a
--- /dev/null
+++ b/bin/tests/system/kasp/ns6/example3.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 400
+@		IN	SOA  mname1. . (
+			3       ; serial
+			20      ; refresh (20 seconds)
+			20      ; retry (20 seconds)
+			1814400 ; expire (3 weeks)
+			3600    ; minimum (1 hour)
+			)
+
+			NS	ns6
+ns6			A	10.53.0.6
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+c			A	10.0.0.3
diff --git a/bin/tests/system/kasp/ns6/named.conf.in b/bin/tests/system/kasp/ns6/named.conf.in
new file mode 100644
index 0000000..cb9bd27
--- /dev/null
+++ b/bin/tests/system/kasp/ns6/named.conf.in
@@ -0,0 +1,97 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS6
+
+include "policies/kasp.conf";
+include "policies/csk1.conf";
+
+options {
+	query-source address 10.53.0.6;
+	notify-source 10.53.0.6;
+	transfer-source 10.53.0.6;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.6; };
+	listen-on-v6 { none; };
+	allow-transfer { any; };
+	recursion no;
+	key-directory ".";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+/* This zone switch from dynamic to inline-signing. */
+zone "dynamic2inline.kasp" {
+	type primary;
+	file "dynamic2inline.kasp.db";
+	allow-update { any; };
+	dnssec-policy "default";
+};
+
+/* These zones are going insecure. */
+zone "step1.going-insecure.kasp" {
+	type master;
+	file "step1.going-insecure.kasp.db";
+	inline-signing yes;
+	dnssec-policy "unsigning";
+};
+
+zone "step1.going-insecure-dynamic.kasp" {
+	type master;
+	file "step1.going-insecure-dynamic.kasp.db";
+	dnssec-policy "unsigning";
+	allow-update { any; };
+};
+
+zone "step1.going-straight-to-none.kasp" {
+	type master;
+	file "step1.going-straight-to-none.kasp.db";
+	inline-signing yes;
+	dnssec-policy "default";
+};
+
+/* These are alorithm rollover test zones. */
+zone "step1.algorithm-roll.kasp" {
+	type primary;
+	file "step1.algorithm-roll.kasp.db";
+	inline-signing yes;
+	dnssec-policy "rsasha256";
+};
+
+zone "step1.csk-algorithm-roll.kasp" {
+	type primary;
+	file "step1.csk-algorithm-roll.kasp.db";
+	inline-signing yes;
+	dnssec-policy "csk-algoroll";
+};
+
+dnssec-policy "modified" {
+	keys {
+		csk lifetime unlimited algorithm rsasha256 2048;
+	};
+};
+
+zone example {
+	type primary;
+	file "example.db";
+	inline-signing yes;
+	dnssec-policy modified;
+};
diff --git a/bin/tests/system/kasp/ns6/named2.conf.in b/bin/tests/system/kasp/ns6/named2.conf.in
new file mode 100644
index 0000000..5f4097e
--- /dev/null
+++ b/bin/tests/system/kasp/ns6/named2.conf.in
@@ -0,0 +1,185 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS6
+
+include "policies/kasp.conf";
+include "policies/csk2.conf";
+
+options {
+	query-source address 10.53.0.6;
+	notify-source 10.53.0.6;
+	transfer-source 10.53.0.6;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.6; };
+	listen-on-v6 { none; };
+	allow-transfer { any; };
+	recursion no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+/* This zone switch from dynamic to inline-signing. */
+zone "dynamic2inline.kasp" {
+	type primary;
+	file "dynamic2inline.kasp.db";
+	allow-update { any; };
+	inline-signing yes;
+	dnssec-policy "default";
+};
+
+/* Zones for testing going insecure. */
+zone "step1.going-insecure.kasp" {
+        type master;
+        file "step1.going-insecure.kasp.db";
+	inline-signing yes;
+        dnssec-policy "insecure";
+};
+
+zone "step2.going-insecure.kasp" {
+        type master;
+        file "step2.going-insecure.kasp.db";
+	inline-signing yes;
+        dnssec-policy "insecure";
+};
+
+zone "step1.going-insecure-dynamic.kasp" {
+        type master;
+        file "step1.going-insecure-dynamic.kasp.db";
+        dnssec-policy "insecure";
+	allow-update { any; };
+};
+
+zone "step2.going-insecure-dynamic.kasp" {
+        type master;
+        file "step2.going-insecure-dynamic.kasp.db";
+        dnssec-policy "insecure";
+	allow-update { any; };
+};
+
+zone "step1.going-straight-to-none.kasp" {
+        type master;
+        file "step1.going-straight-to-none.kasp.db";
+        dnssec-policy "none";
+};
+
+/*
+ * Zones for testing KSK/ZSK algorithm roll.
+ */
+zone "step1.algorithm-roll.kasp" {
+	type primary;
+	file "step1.algorithm-roll.kasp.db";
+	inline-signing yes;
+	dnssec-policy "ecdsa256";
+};
+
+zone "step2.algorithm-roll.kasp" {
+	type primary;
+	file "step2.algorithm-roll.kasp.db";
+	inline-signing yes;
+	dnssec-policy "ecdsa256";
+};
+
+zone "step3.algorithm-roll.kasp" {
+	type primary;
+	file "step3.algorithm-roll.kasp.db";
+	inline-signing yes;
+	dnssec-policy "ecdsa256";
+};
+
+zone "step4.algorithm-roll.kasp" {
+	type primary;
+	file "step4.algorithm-roll.kasp.db";
+	inline-signing yes;
+	dnssec-policy "ecdsa256";
+};
+
+zone "step5.algorithm-roll.kasp" {
+	type primary;
+	file "step5.algorithm-roll.kasp.db";
+	inline-signing yes;
+	dnssec-policy "ecdsa256";
+};
+
+zone "step6.algorithm-roll.kasp" {
+	type primary;
+	file "step6.algorithm-roll.kasp.db";
+	inline-signing yes;
+	dnssec-policy "ecdsa256";
+};
+
+/*
+ * Zones for testing CSK algorithm roll.
+ */
+zone "step1.csk-algorithm-roll.kasp" {
+	type primary;
+	file "step1.csk-algorithm-roll.kasp.db";
+	inline-signing yes;
+	dnssec-policy "csk-algoroll";
+};
+
+zone "step2.csk-algorithm-roll.kasp" {
+	type primary;
+	file "step2.csk-algorithm-roll.kasp.db";
+	inline-signing yes;
+	dnssec-policy "csk-algoroll";
+};
+
+zone "step3.csk-algorithm-roll.kasp" {
+	type primary;
+	file "step3.csk-algorithm-roll.kasp.db";
+	inline-signing yes;
+	dnssec-policy "csk-algoroll";
+};
+
+zone "step4.csk-algorithm-roll.kasp" {
+	type primary;
+	file "step4.csk-algorithm-roll.kasp.db";
+	inline-signing yes;
+	dnssec-policy "csk-algoroll";
+};
+
+zone "step5.csk-algorithm-roll.kasp" {
+	type primary;
+	file "step5.csk-algorithm-roll.kasp.db";
+	inline-signing yes;
+	dnssec-policy "csk-algoroll";
+};
+
+zone "step6.csk-algorithm-roll.kasp" {
+	type primary;
+	file "step6.csk-algorithm-roll.kasp.db";
+	inline-signing yes;
+	dnssec-policy "csk-algoroll";
+};
+
+dnssec-policy "modified" {
+	keys {
+		csk lifetime unlimited algorithm rsasha256 2048;
+	};
+};
+
+zone example {
+	type primary;
+	file "example.db";
+	inline-signing yes;
+	dnssec-policy modified;
+};
diff --git a/bin/tests/system/kasp/ns6/policies/csk1.conf.in b/bin/tests/system/kasp/ns6/policies/csk1.conf.in
new file mode 100644
index 0000000..a5ff042
--- /dev/null
+++ b/bin/tests/system/kasp/ns6/policies/csk1.conf.in
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "csk-algoroll" {
+	signatures-refresh P5D;
+	signatures-validity 30d;
+	signatures-validity-dnskey 30d;
+
+	keys {
+		csk lifetime unlimited algorithm rsasha256;
+	};
+
+	dnskey-ttl 1h;
+	publish-safety PT1H;
+	retire-safety 2h;
+	zone-propagation-delay 3600;
+	max-zone-ttl 6h;
+	parent-propagation-delay pt1h;
+	parent-ds-ttl 7200;
+};
diff --git a/bin/tests/system/kasp/ns6/policies/csk2.conf.in b/bin/tests/system/kasp/ns6/policies/csk2.conf.in
new file mode 100644
index 0000000..6d290c3
--- /dev/null
+++ b/bin/tests/system/kasp/ns6/policies/csk2.conf.in
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "csk-algoroll" {
+	signatures-refresh P5D;
+	signatures-validity 30d;
+	signatures-validity-dnskey 30d;
+
+	keys {
+		csk lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+	};
+
+	dnskey-ttl 1h;
+	publish-safety PT1H;
+	retire-safety 2h;
+	zone-propagation-delay 3600;
+	max-zone-ttl 6h;
+	parent-propagation-delay pt1h;
+	parent-ds-ttl 7200;
+};
diff --git a/bin/tests/system/kasp/ns6/policies/kasp-fips.conf.in b/bin/tests/system/kasp/ns6/policies/kasp-fips.conf.in
new file mode 100644
index 0000000..810b91d
--- /dev/null
+++ b/bin/tests/system/kasp/ns6/policies/kasp-fips.conf.in
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "unsigning" {
+	dnskey-ttl 7200;
+
+	keys {
+		ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+		zsk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
+	};
+};
+
+dnssec-policy "nsec3" {
+	nsec3param iterations 0 optout no salt-length 0;
+};
+
+dnssec-policy "rsasha256" {
+	signatures-refresh P5D;
+	signatures-validity 30d;
+	signatures-validity-dnskey 30d;
+
+	keys {
+		ksk lifetime unlimited algorithm rsasha256;
+		zsk lifetime unlimited algorithm rsasha256;
+	};
+
+	dnskey-ttl 1h;
+	publish-safety PT1H;
+	retire-safety 2h;
+	zone-propagation-delay 3600;
+	max-zone-ttl 6h;
+	parent-propagation-delay pt1h;
+	parent-ds-ttl 7200;
+};
+
+dnssec-policy "ecdsa256" {
+	signatures-refresh P5D;
+	signatures-validity 30d;
+	signatures-validity-dnskey 30d;
+
+	keys {
+		ksk lifetime unlimited algorithm ecdsa256;
+		zsk lifetime unlimited algorithm ecdsa256;
+	};
+
+	dnskey-ttl 1h;
+	publish-safety PT1H;
+	retire-safety 2h;
+	zone-propagation-delay 3600;
+	max-zone-ttl 6h;
+	parent-propagation-delay pt1h;
+	parent-ds-ttl 7200;
+};
diff --git a/bin/tests/system/kasp/ns6/policies/kasp.conf.in b/bin/tests/system/kasp/ns6/policies/kasp.conf.in
new file mode 100644
index 0000000..d634b76
--- /dev/null
+++ b/bin/tests/system/kasp/ns6/policies/kasp.conf.in
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "policies/kasp-fips.conf";
+
+dnssec-policy "rsasha1" {
+	signatures-refresh P5D;
+	signatures-validity 30d;
+	signatures-validity-dnskey 30d;
+
+	keys {
+		ksk lifetime unlimited algorithm rsasha1;
+		zsk lifetime unlimited algorithm rsasha1;
+	};
+
+	dnskey-ttl 1h;
+	publish-safety PT1H;
+	retire-safety 2h;
+	zone-propagation-delay 3600;
+	max-zone-ttl 6h;
+	parent-propagation-delay pt1h;
+	parent-ds-ttl 7200;
+};
diff --git a/bin/tests/system/kasp/ns6/setup.sh b/bin/tests/system/kasp/ns6/setup.sh
new file mode 100644
index 0000000..3a18750
--- /dev/null
+++ b/bin/tests/system/kasp/ns6/setup.sh
@@ -0,0 +1,409 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+echo_i "ns6/setup.sh"
+
+setup() {
+	zone="$1"
+	echo_i "setting up zone: $zone"
+	zonefile="${zone}.db"
+	infile="${zone}.db.infile"
+}
+
+# Make lines shorter by storing key states in environment variables.
+H="HIDDEN"
+R="RUMOURED"
+O="OMNIPRESENT"
+U="UNRETENTIVE"
+
+# The child zones (step1, step2) beneath these zones represent the various
+# steps of unsigning a zone.
+for zn in going-insecure.kasp going-insecure-dynamic.kasp
+do
+	# Step 1:
+	# Set up a zone with dnssec-policy that is going insecure.
+	setup step1.$zn
+	echo "$zone" >> zones
+	T="now-10d"
+	ksktimes="-P $T -A $T -P sync $T"
+	zsktimes="-P $T -A $T"
+	KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+	ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200        $zsktimes $zone 2> keygen.out.$zone.2)
+	cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
+	private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
+	private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+	cp $infile $zonefile
+	$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+	# Step 2:
+	# Set up a zone with dnssec-policy that is going insecure. Don't add
+	# this zone to the zones file, because this zone is no longer expected
+	# to be fully signed.
+	setup step2.$zn
+	# The DS was withdrawn from the parent zone 26 hours ago.
+	Trem="now-26h"
+	ksktimes="-P $T -A $T -P sync $T"
+	zsktimes="-P $T -A $T"
+	KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+	ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200        $zsktimes $zone 2> keygen.out.$zone.2)
+	$SETTIME -s -g $H -k $O $T -r $O $T -d $U $Trem -D ds $Trem "$KSK" > settime.out.$zone.1 2>&1
+	$SETTIME -s -g $H -k $O $T -z $O $T                         "$ZSK" > settime.out.$zone.2 2>&1
+	# Fake lifetime of old algorithm keys.
+	echo "Lifetime: 0" >> "${KSK}.state"
+	echo "Lifetime: 5184000" >> "${ZSK}.state"
+	cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
+	private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
+	private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+	cp $infile $zonefile
+	$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+done
+
+# This zone is going straight to "none" policy. This is undefined behavior.
+setup step1.going-straight-to-none.kasp
+echo "$zone" >> zones
+TactN="now"
+csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
+CSK=$($KEYGEN -k default $csktimes $zone 2> keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN -r $O $TactN -d $O $TactN "$CSK" > settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -z -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+#
+# The zones at algorithm-roll.kasp represent the various steps of a ZSK/KSK
+# algorithm rollover.
+#
+
+# Step 1:
+# Introduce the first key. This will immediately be active.
+setup step1.algorithm-roll.kasp
+echo "$zone" >> zones
+TactN="now"
+ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
+zsktimes="-P ${TactN} -A ${TactN}"
+KSK=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a RSASHA256 -L 3600        $zsktimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN              "$ZSK" > settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone 8 "$KSK" >> "$infile"
+private_type_record $zone 8 "$ZSK" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 2:
+# After the publication interval has passed the DNSKEY is OMNIPRESENT.
+setup step2.algorithm-roll.kasp
+# The time passed since the new algorithm keys have been introduced is 3 hours.
+TactN="now-3h"
+TpubN1="now-3h"
+# Tsbm(N+1) = TpubN1 + Ipub = now + TTLsig + Dprp + publish-safety =
+# now - 3h + 6h + 1h + 1h = now + 5h
+TsbmN1="now+5h"
+ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TactN}  -I now"
+zsk1times="-P ${TactN}  -A ${TactN}                    -I now"
+ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
+zsk2times="-P ${TpubN1} -A ${TpubN1}"
+KSK1=$($KEYGEN -a RSASHA256          -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256          -L 3600        $zsk1times $zone 2> keygen.out.$zone.2)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600        $zsk2times $zone 2> keygen.out.$zone.4)
+$SETTIME -s -g $H -k $O $TactN  -r $O $TactN  -d $O $TactN  "$KSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $O $TactN  -z $O $TactN                "$ZSK1" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.3 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -z $R $TpubN1               "$ZSK2" > settime.out.$zone.4 2>&1
+# Fake lifetime of old algorithm keys.
+echo "Lifetime: 0" >> "${KSK1}.state"
+echo "Lifetime: 0" >> "${ZSK1}.state"
+cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
+private_type_record $zone 8  "$KSK1" >> "$infile"
+private_type_record $zone 8  "$ZSK1" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 3:
+# The zone signatures are also OMNIPRESENT.
+setup step3.algorithm-roll.kasp
+# The time passed since the new algorithm keys have been introduced is 9 hours.
+TactN="now-9h"
+TretN="now-6h"
+TpubN1="now-9h"
+TsbmN1="now-1h"
+ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TactN}  -I ${TretN}"
+zsk1times="-P ${TactN}  -A ${TactN}                    -I ${TretN}"
+ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
+zsk2times="-P ${TpubN1} -A ${TpubN1}"
+KSK1=$($KEYGEN -a RSASHA256          -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256          -L 3600        $zsk1times $zone 2> keygen.out.$zone.2)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600        $zsk2times $zone 2> keygen.out.$zone.4)
+$SETTIME -s -g $H -k $O $TactN  -r $O $TactN  -d $O $TactN  "$KSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $O $TactN  -z $O $TactN                "$ZSK1" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.3 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1               "$ZSK2" > settime.out.$zone.4 2>&1
+# Fake lifetime of old algorithm keys.
+echo "Lifetime: 0" >> "${KSK1}.state"
+echo "Lifetime: 0" >> "${ZSK1}.state"
+cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
+private_type_record $zone 8  "$KSK1" >> "$infile"
+private_type_record $zone 8  "$ZSK1" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 4:
+# The DS is swapped and can become OMNIPRESENT.
+setup step4.algorithm-roll.kasp
+# The time passed since the DS has been swapped is 29 hours.
+TactN="now-38h"
+TretN="now-35h"
+TpubN1="now-38h"
+TsbmN1="now-30h"
+TactN1="now-29h"
+ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TactN}  -I ${TretN}"
+zsk1times="-P ${TactN}  -A ${TactN}                    -I ${TretN}"
+ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
+zsk2times="-P ${TpubN1} -A ${TpubN1}"
+KSK1=$($KEYGEN -a RSASHA256          -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256          -L 3600        $zsk1times $zone 2> keygen.out.$zone.2)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600        $zsk2times $zone 2> keygen.out.$zone.4)
+$SETTIME -s -g $H -k $O $TactN  -r $O $TactN  -d $U $TactN1 -D ds $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $O $TactN  -z $O $TactN                              "$ZSK1" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $R $TactN1 -P ds $TactN1 "$KSK2" > settime.out.$zone.3 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1                             "$ZSK2" > settime.out.$zone.4 2>&1
+# Fake lifetime of old algorithm keys.
+echo "Lifetime: 0" >> "${KSK1}.state"
+echo "Lifetime: 0" >> "${ZSK1}.state"
+cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
+private_type_record $zone 8  "$KSK1" >> "$infile"
+private_type_record $zone 8  "$ZSK1" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 5:
+# The DNSKEY is removed long enough to be HIDDEN.
+setup step5.algorithm-roll.kasp
+# The time passed since the DNSKEY has been removed is 2 hours.
+TactN="now-40h"
+TretN="now-37h"
+TremN="now-2h"
+TpubN1="now-40h"
+TsbmN1="now-32h"
+TactN1="now-31h"
+ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TactN}  -I ${TretN}"
+zsk1times="-P ${TactN}  -A ${TactN}                    -I ${TretN}"
+ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
+zsk2times="-P ${TpubN1} -A ${TpubN1}"
+KSK1=$($KEYGEN -a RSASHA256          -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256          -L 3600        $zsk1times $zone 2> keygen.out.$zone.2)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600        $zsk2times $zone 2> keygen.out.$zone.4)
+$SETTIME -s -g $H -k $U $TremN  -r $U $TremN  -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $U $TremN  -z $U $TremN                "$ZSK1" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.3 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1               "$ZSK2" > settime.out.$zone.4 2>&1
+# Fake lifetime of old algorithm keys.
+echo "Lifetime: 0" >> "${KSK1}.state"
+echo "Lifetime: 0" >> "${ZSK1}.state"
+cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
+private_type_record $zone 8  "$KSK1" >> "$infile"
+private_type_record $zone 8  "$ZSK1" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 6:
+# The RRSIGs have been removed long enough to be HIDDEN.
+setup step6.algorithm-roll.kasp
+# Additional time passed: 7h.
+TactN="now-47h"
+TretN="now-44h"
+TremN="now-7h"
+TpubN1="now-47h"
+TsbmN1="now-39h"
+TactN1="now-38h"
+TdeaN="now-9h"
+ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TactN}  -I ${TretN}"
+zsk1times="-P ${TactN}  -A ${TactN}                    -I ${TretN}"
+ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
+zsk2times="-P ${TpubN1} -A ${TpubN1}"
+KSK1=$($KEYGEN -a RSASHA256          -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256          -L 3600        $zsk1times $zone 2> keygen.out.$zone.2)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600        $zsk2times $zone 2> keygen.out.$zone.4)
+$SETTIME -s -g $H -k $H $TremN  -r $U $TdeaN  -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $H $TremN  -z $U $TdeaN                "$ZSK1" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.3 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1               "$ZSK2" > settime.out.$zone.4 2>&1
+# Fake lifetime of old algorithm keys.
+echo "Lifetime: 0" >> "${KSK1}.state"
+echo "Lifetime: 0" >> "${ZSK1}.state"
+cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
+private_type_record $zone 8  "$KSK1" >> "$infile"
+private_type_record $zone 8  "$ZSK1" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+#
+# The zones at csk-algorithm-roll.kasp represent the various steps of a CSK
+# algorithm rollover.
+#
+
+# Step 1:
+# Introduce the first key. This will immediately be active.
+setup step1.csk-algorithm-roll.kasp
+echo "$zone" >> zones
+TactN="now"
+csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
+CSK=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK" > settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" > "$infile"
+private_type_record $zone 5 "$CSK" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 2:
+# After the publication interval has passed the DNSKEY is OMNIPRESENT.
+setup step2.csk-algorithm-roll.kasp
+# The time passed since the new algorithm keys have been introduced is 3 hours.
+TactN="now-3h"
+TpubN1="now-3h"
+csktimes="-P ${TactN}  -A ${TactN} -P sync ${TactN} -I now"
+newtimes="-P ${TpubN1} -A ${TpubN1}"
+CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN  -r $O $TactN  -z $O $TactN  -d $O $TactN  "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1
+# Fake lifetime of old algorithm keys.
+echo "Lifetime: 0" >> "${CSK1}.state"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
+private_type_record $zone 5  "$CSK1" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 3:
+# The zone signatures are also OMNIPRESENT.
+setup step3.csk-algorithm-roll.kasp
+# The time passed since the new algorithm keys have been introduced is 9 hours.
+TactN="now-9h"
+TretN="now-6h"
+TpubN1="now-9h"
+TactN1="now-6h"
+csktimes="-P ${TactN}  -A ${TactN} -P sync ${TactN} -I ${TretN}"
+newtimes="-P ${TpubN1} -A ${TpubN1}"
+CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN  -r $O $TactN  -z $O $TactN  -d $O $TactN  "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1
+# Fake lifetime of old algorithm keys.
+echo "Lifetime: 0" >> "${CSK1}.state"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
+private_type_record $zone 5  "$CSK1" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 4:
+# The DS is swapped and can become OMNIPRESENT.
+setup step4.csk-algorithm-roll.kasp
+# The time passed since the DS has been swapped is 29 hours.
+TactN="now-38h"
+TretN="now-35h"
+TpubN1="now-38h"
+TactN1="now-35h"
+TsubN1="now-29h"
+csktimes="-P ${TactN}  -A ${TactN} -P sync ${TactN} -I ${TretN}"
+newtimes="-P ${TpubN1} -A ${TpubN1}"
+CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN  -r $O $TactN  -z $O $TactN  -d $U $TactN1 -D ds $TactN1 "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $R $TsubN1 -P ds $TsubN1 "$CSK2" > settime.out.$zone.2 2>&1
+# Fake lifetime of old algorithm keys.
+echo "Lifetime: 0" >> "${CSK1}.state"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
+private_type_record $zone 5  "$CSK1" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 5:
+# The DNSKEY is removed long enough to be HIDDEN.
+setup step5.csk-algorithm-roll.kasp
+# The time passed since the DNSKEY has been removed is 2 hours.
+TactN="now-40h"
+TretN="now-37h"
+TremN="now-2h"
+TpubN1="now-40h"
+TactN1="now-37h"
+TsubN1="now-31h"
+csktimes="-P ${TactN}  -A ${TactN} -P sync ${TactN} -I ${TretN}"
+newtimes="-P ${TpubN1} -A ${TpubN1}"
+CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $H -k $U $TremN  -r $U $TremN  -z $U $TremN  -d $H $TremN  "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TremN  "$CSK2" > settime.out.$zone.2 2>&1
+# Fake lifetime of old algorithm keys.
+echo "Lifetime: 0" >> "${CSK1}.state"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
+private_type_record $zone 5  "$CSK1" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 6:
+# The RRSIGs have been removed long enough to be HIDDEN.
+setup step6.csk-algorithm-roll.kasp
+# Additional time passed: 7h.
+TactN="now-47h"
+TretN="now-44h"
+TdeaN="now-9h"
+TremN="now-7h"
+TpubN1="now-47h"
+TactN1="now-44h"
+TsubN1="now-38h"
+csktimes="-P ${TactN}  -A ${TactN} -P sync ${TactN} -I ${TretN}"
+newtimes="-P ${TpubN1} -A ${TpubN1}"
+CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $H -k $H $TremN  -r $U $TdeaN  -z $U $TdeaN  -d $H $TactN1 "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TactN1 "$CSK2" > settime.out.$zone.2 2>&1
+# Fake lifetime of old algorithm keys.
+echo "Lifetime: 0" >> "${CSK1}.state"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
+private_type_record $zone 5  "$CSK1" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+#
+# Reload testing
+#
+echo "example" >> zones
+cp example.db.in example.db
+
+setup "dynamic2inline.kasp"
+cp template.db.in $zonefile
diff --git a/bin/tests/system/kasp/ns6/template.db.in b/bin/tests/system/kasp/ns6/template.db.in
new file mode 100644
index 0000000..f1d8b94
--- /dev/null
+++ b/bin/tests/system/kasp/ns6/template.db.in
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@		IN	SOA  mname1. . (
+			1       ; serial
+			20      ; refresh (20 seconds)
+			20      ; retry (20 seconds)
+			1814400 ; expire (3 weeks)
+			3600    ; minimum (1 hour)
+			)
+
+			NS	ns6
+ns6			A	10.53.0.6
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+c			A	10.0.0.3
+
diff --git a/bin/tests/system/kasp/prereq.sh b/bin/tests/system/kasp/prereq.sh
new file mode 100644
index 0000000..9c5d879
--- /dev/null
+++ b/bin/tests/system/kasp/prereq.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if ! test -n "$PYTHON"; then
+	echo_i "This test requires Python."
+	exit 1
+fi
+exit 0
diff --git a/bin/tests/system/kasp/setup.sh b/bin/tests/system/kasp/setup.sh
new file mode 100644
index 0000000..d3f4329
--- /dev/null
+++ b/bin/tests/system/kasp/setup.sh
@@ -0,0 +1,80 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+$SHELL clean.sh
+
+mkdir keys
+
+copy_setports ns2/named.conf.in ns2/named.conf
+if ! $SHELL ../testcrypto.sh -q RSASHA1
+then
+	copy_setports ns3/named-fips.conf.in ns3/named.conf
+else
+	copy_setports ns3/named-fips.conf.in ns3/named-fips.conf
+	copy_setports ns3/named.conf.in ns3/named.conf
+fi
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+copy_setports ns6/named.conf.in ns6/named.conf
+
+if $SHELL ../testcrypto.sh ed25519; then
+	echo "yes" > ed25519-supported.file
+fi
+
+if $SHELL ../testcrypto.sh ed448; then
+	echo "yes" > ed448-supported.file
+fi
+
+copy_setports ns3/policies/autosign.conf.in ns3/policies/autosign.conf
+copy_setports ns3/policies/kasp-fips.conf.in ns3/policies/kasp-fips.conf
+copy_setports ns3/policies/kasp.conf.in ns3/policies/kasp.conf
+if ! $SHELL ../testcrypto.sh -q RSASHA1
+then
+	cp ns3/policies/kasp-fips.conf ns3/policies/kasp.conf
+fi
+
+copy_setports ns6/policies/csk1.conf.in ns6/policies/csk1.conf
+copy_setports ns6/policies/csk2.conf.in ns6/policies/csk2.conf
+copy_setports ns6/policies/kasp-fips.conf.in ns6/policies/kasp-fips.conf
+copy_setports ns6/policies/kasp.conf.in ns6/policies/kasp.conf
+if ! $SHELL ../testcrypto.sh -q RSASHA1
+then
+	cp ns6/policies/kasp-fips.conf ns6/policies/kasp.conf
+fi
+
+# Setup zones
+(
+	cd ns2
+	$SHELL setup.sh
+)
+(
+	cd ns3
+	$SHELL setup.sh
+)
+(
+	cd ns4
+	$SHELL setup.sh
+)
+(
+	cd ns5
+	$SHELL setup.sh
+)
+(
+	cd ns6
+	$SHELL setup.sh
+)
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
new file mode 100644
index 0000000..4d3bda7
--- /dev/null
+++ b/bin/tests/system/kasp/tests.sh
@@ -0,0 +1,4882 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+# shellcheck source=kasp.sh
+SYSTEMTESTTOP=..
+. "$SYSTEMTESTTOP/conf.sh"
+. "$SYSTEMTESTTOP/kasp.sh"
+
+start_time="$(TZ=UTC date +%s)"
+status=0
+n=0
+
+###############################################################################
+# Utilities                                                                   #
+###############################################################################
+
+# Call dig with default options.
+dig_with_opts() {
+
+	if [ -n "$TSIG" ]; then
+		"$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" -y "$TSIG" "$@"
+	else
+		"$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
+	fi
+}
+
+# RNDC.
+rndccmd() {
+	"$RNDC" -c "$SYSTEMTESTTOP/common/rndc.conf" -p "$CONTROLPORT" -s "$@"
+}
+
+# Log error and increment failure rate.
+log_error() {
+	echo_i "error: $1"
+	ret=$((ret+1))
+}
+
+# Default next key event threshold. May be extended by wait periods.
+next_key_event_threshold=100
+
+###############################################################################
+# Tests                                                                       #
+###############################################################################
+
+#
+# dnssec-keygen
+#
+set_zone "kasp"
+set_policy "kasp" "4" "200"
+set_server "keys" "10.53.0.1"
+
+n=$((n+1))
+echo_i "check that 'dnssec-keygen -k' (configured policy) creates valid files ($n)"
+ret=0
+$KEYGEN -K keys -k "$POLICY" -l kasp.conf "$ZONE" > "keygen.out.$POLICY.test$n" 2>/dev/null || ret=1
+lines=$(wc -l < "keygen.out.$POLICY.test$n")
+test "$lines" -eq $NUM_KEYS || log_error "wrong number of keys created for policy kasp: $lines"
+# Temporarily don't log errors because we are searching multiple files.
+disable_logerror
+
+# Key properties.
+set_keyrole      "KEY1" "csk"
+set_keylifetime  "KEY1" "31536000"
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keysigning   "KEY1" "yes"
+set_zonesigning  "KEY1" "yes"
+
+set_keyrole      "KEY2" "ksk"
+set_keylifetime  "KEY2" "31536000"
+set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
+set_keysigning   "KEY2" "yes"
+set_zonesigning  "KEY2" "no"
+
+set_keyrole      "KEY3" "zsk"
+set_keylifetime  "KEY3" "2592000"
+set_keyalgorithm "KEY3" "8" "RSASHA256" "2048"
+set_keysigning   "KEY3" "no"
+set_zonesigning  "KEY3" "yes"
+
+set_keyrole      "KEY4" "zsk"
+set_keylifetime  "KEY4" "16070400"
+set_keyalgorithm "KEY4" "8" "RSASHA256" "3072"
+set_keysigning   "KEY4" "no"
+set_zonesigning  "KEY4" "yes"
+
+lines=$(get_keyids "$DIR" "$ZONE" | wc -l)
+test "$lines" -eq $NUM_KEYS || log_error "bad number of key ids"
+
+ids=$(get_keyids "$DIR" "$ZONE")
+for id in $ids; do
+	# There are four key files with the same algorithm.
+	# Check them until a match is found.
+	ret=0 && check_key "KEY1" "$id"
+	test "$ret" -eq 0 && continue
+
+	ret=0 && check_key "KEY2" "$id"
+	test "$ret" -eq 0 && continue
+
+	ret=0 && check_key "KEY3" "$id"
+	test "$ret" -eq 0 && continue
+
+	ret=0 && check_key "KEY4" "$id"
+
+	# If ret is still non-zero, non of the files matched.
+	test "$ret" -eq 0 || echo_i "failed"
+	status=$((status+ret))
+done
+# Turn error logs on again.
+enable_logerror
+
+n=$((n+1))
+echo_i "check that 'dnssec-keygen -k' (default policy) creates valid files ($n)"
+ret=0
+set_zone "kasp"
+set_policy "default" "1" "3600"
+set_server "." "10.53.0.1"
+# Key properties.
+set_keyrole      "KEY1" "csk"
+set_keylifetime  "KEY1" "0"
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keysigning   "KEY1" "yes"
+set_zonesigning  "KEY1" "yes"
+
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+$KEYGEN -G -k "$POLICY" "$ZONE" > "keygen.out.$POLICY.test$n" 2>/dev/null || ret=1
+lines=$(wc -l < "keygen.out.$POLICY.test$n")
+test "$lines" -eq $NUM_KEYS || log_error "wrong number of keys created for policy default: $lines"
+ids=$(get_keyids "$DIR" "$ZONE")
+for id in $ids; do
+	check_key "KEY1" "$id"
+	test "$ret" -eq 0 && key_save KEY1
+	check_keytimes
+done
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+#
+# dnssec-settime
+#
+
+# These test builds upon the latest created key with dnssec-keygen and uses the
+# environment variables BASE_FILE, KEY_FILE, PRIVATE_FILE and STATE_FILE.
+CMP_FILE="${BASE_FILE}.cmp"
+n=$((n+1))
+echo_i "check that 'dnssec-settime' by default does not edit key state file ($n)"
+ret=0
+cp "$STATE_FILE" "$CMP_FILE"
+$SETTIME -P +3600 "$BASE_FILE" > /dev/null || log_error "settime failed"
+grep "; Publish: " "$KEY_FILE" > /dev/null || log_error "mismatch published in $KEY_FILE"
+grep "Publish: " "$PRIVATE_FILE" > /dev/null || log_error "mismatch published in $PRIVATE_FILE"
+$DIFF "$CMP_FILE" "$STATE_FILE" || log_error "unexpected file change in $STATE_FILE"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check that 'dnssec-settime -s' also sets publish time metadata and states in key state file ($n)"
+ret=0
+cp "$STATE_FILE" "$CMP_FILE"
+now=$(date +%Y%m%d%H%M%S)
+$SETTIME -s -P "$now" -g "omnipresent" -k "rumoured" "$now" -z "omnipresent" "$now" -r "rumoured" "$now" -d "hidden" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed"
+set_keystate "KEY1" "GOAL"         "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_DS"     "hidden"
+check_key "KEY1" "$id"
+test "$ret" -eq 0 && key_save KEY1
+set_keytime  "KEY1" "PUBLISHED"    "${now}"
+check_keytimes
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check that 'dnssec-settime -s' also unsets publish time metadata and states in key state file ($n)"
+ret=0
+cp "$STATE_FILE" "$CMP_FILE"
+$SETTIME -s -P "none" -g "none" -k "none" "$now" -z "none" "$now" -r "none" "$now" -d "none" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed"
+set_keystate "KEY1" "GOAL"         "none"
+set_keystate "KEY1" "STATE_DNSKEY" "none"
+set_keystate "KEY1" "STATE_KRRSIG" "none"
+set_keystate "KEY1" "STATE_ZRRSIG" "none"
+set_keystate "KEY1" "STATE_DS"     "none"
+check_key "KEY1" "$id"
+test "$ret" -eq 0 && key_save KEY1
+set_keytime  "KEY1" "PUBLISHED"    "none"
+check_keytimes
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check that 'dnssec-settime -s' also sets active time metadata and states in key state file (uppercase) ($n)"
+ret=0
+cp "$STATE_FILE" "$CMP_FILE"
+now=$(date +%Y%m%d%H%M%S)
+$SETTIME -s -A "$now" -g "HIDDEN" -k "UNRETENTIVE" "$now" -z "UNRETENTIVE" "$now" -r "OMNIPRESENT" "$now" -d "OMNIPRESENT" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed"
+set_keystate "KEY1" "GOAL"         "hidden"
+set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
+set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_ZRRSIG" "unretentive"
+set_keystate "KEY1" "STATE_DS"     "omnipresent"
+check_key "KEY1" "$id"
+test "$ret" -eq 0 && key_save KEY1
+set_keytime  "KEY1" "ACTIVE"       "${now}"
+check_keytimes
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+#
+# named
+#
+
+# The NSEC record at the apex of the zone and its RRSIG records are
+# added as part of the last step in signing a zone.  We wait for the
+# NSEC records to appear before proceeding with a counter to prevent
+# infinite loops if there is an error.
+n=$((n+1))
+echo_i "waiting for kasp signing changes to take effect ($n)"
+
+_wait_for_done_apexnsec() {
+	while read -r zone
+	do
+		dig_with_opts "$zone" @10.53.0.3 nsec > "dig.out.ns3.test$n.$zone" || return 1
+		grep "NS SOA" "dig.out.ns3.test$n.$zone" > /dev/null || return 1
+		grep "$zone\..*IN.*RRSIG" "dig.out.ns3.test$n.$zone" > /dev/null || return 1
+	done < ns3/zones
+
+	while read -r zone
+	do
+		dig_with_opts "$zone" @10.53.0.6 nsec > "dig.out.ns6.test$n.$zone" || return 1
+		grep "NS SOA" "dig.out.ns6.test$n.$zone" > /dev/null || return 1
+		grep "$zone\..*IN.*RRSIG" "dig.out.ns6.test$n.$zone" > /dev/null || return 1
+	done < ns6/zones
+
+	return 0
+}
+retry_quiet 30 _wait_for_done_apexnsec || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Test max-zone-ttl rejects zones with too high TTL.
+n=$((n+1))
+echo_i "check that max-zone-ttl rejects zones with too high TTL ($n)"
+ret=0
+set_zone "max-zone-ttl.kasp"
+grep "loading from master file ${ZONE}.db failed: out of range" "ns3/named.run" > /dev/null || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+#
+# Zone: default.kasp.
+#
+set_keytimes_csk_policy() {
+	# The first key is immediately published and activated.
+	created=$(key_get KEY1 CREATED)
+	set_keytime     "KEY1" "PUBLISHED"   "${created}"
+	set_keytime     "KEY1" "ACTIVE"      "${created}"
+	# The DS can be published if the DNSKEY and RRSIG records are
+	# OMNIPRESENT.  This happens after max-zone-ttl (1d) plus
+	# publish-safety (1h) plus zone-propagation-delay (300s) =
+	# 86400 + 3600 + 300 = 90300.
+	set_addkeytime  "KEY1" "SYNCPUBLISH" "${created}" 90300
+	# Key lifetime is unlimited, so not setting RETIRED and REMOVED.
+}
+
+# Check the zone with default kasp policy has loaded and is signed.
+set_zone "default.kasp"
+set_policy "default" "1" "3600"
+set_server "ns3" "10.53.0.3"
+# Key properties.
+set_keyrole      "KEY1" "csk"
+set_keylifetime  "KEY1" "0"
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keysigning   "KEY1" "yes"
+set_zonesigning  "KEY1" "yes"
+# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
+set_keystate "KEY1" "GOAL"         "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS"     "hidden"
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_csk_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Trigger a keymgr run. Make sure the key files are not touched if there are
+# no modifications to the key metadata.
+n=$((n+1))
+echo_i "make sure key files are untouched if metadata does not change ($n)"
+ret=0
+basefile=$(key_get KEY1 BASEFILE)
+privkey_stat=$(key_get KEY1 PRIVKEY_STAT)
+pubkey_stat=$(key_get KEY1 PUBKEY_STAT)
+state_stat=$(key_get KEY1 STATE_STAT)
+
+nextpart $DIR/named.run > /dev/null
+rndccmd 10.53.0.3 loadkeys "$ZONE" > /dev/null || log_error "rndc loadkeys zone ${ZONE} failed"
+wait_for_log 3 "keymgr: $ZONE done" $DIR/named.run
+privkey_stat2=$(key_stat "${basefile}.private")
+pubkey_stat2=$(key_stat "${basefile}.key")
+state_stat2=$(key_stat "${basefile}.state")
+test "$privkey_stat" = "$privkey_stat2" || log_error "wrong private key file stat (expected $privkey_stat got $privkey_stat2)"
+test "$pubkey_stat" = "$pubkey_stat2" || log_error "wrong public key file stat (expected $pubkey_stat got $pubkey_stat2)"
+test "$state_stat" = "$state_stat2" || log_error "wrong state file stat (expected $state_stat got $state_stat2)"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "again ($n)"
+ret=0
+
+nextpart $DIR/named.run > /dev/null
+rndccmd 10.53.0.3 loadkeys "$ZONE" > /dev/null || log_error "rndc loadkeys zone ${ZONE} failed"
+wait_for_log 3 "keymgr: $ZONE done" $DIR/named.run
+privkey_stat2=$(key_stat "${basefile}.private")
+pubkey_stat2=$(key_stat "${basefile}.key")
+state_stat2=$(key_stat "${basefile}.state")
+test "$privkey_stat" = "$privkey_stat2" || log_error "wrong private key file stat (expected $privkey_stat got $privkey_stat2)"
+test "$pubkey_stat" = "$pubkey_stat2" || log_error "wrong public key file stat (expected $pubkey_stat got $pubkey_stat2)"
+test "$state_stat" = "$state_stat2" || log_error "wrong state file stat (expected $state_stat got $state_stat2)"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Update zone.
+n=$((n+1))
+echo_i "modify unsigned zone file and check that new record is signed for zone ${ZONE} ($n)"
+ret=0
+cp "${DIR}/template2.db.in" "${DIR}/${ZONE}.db"
+rndccmd 10.53.0.3 reload "$ZONE" > /dev/null || log_error "rndc reload zone ${ZONE} failed"
+
+update_is_signed() {
+	ip_a=$1
+	ip_d=$2
+
+	if [ "$ip_a" != "-" ]; then
+		dig_with_opts "a.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n.a" || return 1
+		grep "status: NOERROR" "dig.out.$DIR.test$n.a" > /dev/null || return 1
+		grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*${ip_a}" "dig.out.$DIR.test$n.a" > /dev/null || return 1
+		lines=$(get_keys_which_signed A "dig.out.$DIR.test$n.a" | wc -l)
+		test "$lines" -eq 1 || return 1
+		get_keys_which_signed A "dig.out.$DIR.test$n.a" | grep "^${KEY_ID}$" > /dev/null || return 1
+	fi
+
+	if [ "$ip_d" != "-" ]; then
+		dig_with_opts "d.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n".d || return 1
+		grep "status: NOERROR" "dig.out.$DIR.test$n".d > /dev/null || return 1
+		grep "d.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*${ip_d}" "dig.out.$DIR.test$n".d > /dev/null || return 1
+		lines=$(get_keys_which_signed A "dig.out.$DIR.test$n".d | wc -l)
+		test "$lines" -eq 1 || return 1
+		get_keys_which_signed A "dig.out.$DIR.test$n".d | grep "^${KEY_ID}$" > /dev/null || return 1
+	fi
+}
+
+retry_quiet 10 update_is_signed "10.0.0.11" "10.0.0.44" || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Move the private key file, a rekey event should not introduce replacement
+# keys.
+ret=0
+echo_i "test that if private key files are inaccessible this doesn't trigger a rollover ($n)"
+basefile=$(key_get KEY1 BASEFILE)
+mv "${basefile}.private" "${basefile}.offline"
+rndccmd 10.53.0.3 loadkeys "$ZONE" > /dev/null || log_error "rndc loadkeys zone ${ZONE} failed"
+wait_for_log 3 "offline, policy default" $DIR/named.run || ret=1
+mv "${basefile}.offline" "${basefile}.private"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Nothing has changed.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_csk_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+#
+# Zone: dynamic.kasp
+#
+set_zone "dynamic.kasp"
+set_dynamic
+set_policy "default" "1" "3600"
+set_server "ns3" "10.53.0.3"
+# Key properties, timings and states same as above.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_csk_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Update zone with nsupdate.
+n=$((n+1))
+echo_i "nsupdate zone and check that new record is signed for zone ${ZONE} ($n)"
+ret=0
+(
+echo zone ${ZONE}
+echo server 10.53.0.3 "$PORT"
+echo update del "a.${ZONE}" 300 A 10.0.0.1
+echo update add "a.${ZONE}" 300 A 10.0.0.101
+echo update add "d.${ZONE}" 300 A 10.0.0.4
+echo send
+) | $NSUPDATE
+
+retry_quiet 10 update_is_signed "10.0.0.101" "10.0.0.4" || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Update zone with nsupdate (reverting the above change).
+n=$((n+1))
+echo_i "nsupdate zone and check that new record is signed for zone ${ZONE} ($n)"
+ret=0
+(
+echo zone ${ZONE}
+echo server 10.53.0.3 "$PORT"
+echo update add "a.${ZONE}" 300 A 10.0.0.1
+echo update del "a.${ZONE}" 300 A 10.0.0.101
+echo update del "d.${ZONE}" 300 A 10.0.0.4
+echo send
+) | $NSUPDATE
+
+retry_quiet 10 update_is_signed "10.0.0.1" "-" || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Update zone with freeze/thaw.
+n=$((n+1))
+echo_i "modify zone file and check that new record is signed for zone ${ZONE} ($n)"
+ret=0
+rndccmd 10.53.0.3 freeze "$ZONE" > /dev/null || log_error "rndc freeze zone ${ZONE} failed"
+sleep 1
+echo "d.${ZONE}. 300 A 10.0.0.44" >> "${DIR}/${ZONE}.db"
+rndccmd 10.53.0.3 thaw "$ZONE" > /dev/null || log_error "rndc thaw zone ${ZONE} failed"
+
+retry_quiet 10 update_is_signed "10.0.0.1" "10.0.0.44" || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+#
+# Zone: dynamic-inline-signing.kasp
+#
+set_zone "dynamic-inline-signing.kasp"
+set_dynamic
+set_policy "default" "1" "3600"
+set_server "ns3" "10.53.0.3"
+# Key properties, timings and states same as above.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_csk_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Update zone with freeze/thaw.
+n=$((n+1))
+echo_i "modify unsigned zone file and check that new record is signed for zone ${ZONE} ($n)"
+ret=0
+rndccmd 10.53.0.3 freeze "$ZONE" > /dev/null || log_error "rndc freeze zone ${ZONE} failed"
+sleep 1
+cp "${DIR}/template2.db.in" "${DIR}/${ZONE}.db"
+rndccmd 10.53.0.3 thaw "$ZONE" > /dev/null || log_error "rndc thaw zone ${ZONE} failed"
+
+retry_quiet 10 update_is_signed || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+#
+# Zone: inline-signing.kasp
+#
+set_zone "inline-signing.kasp"
+set_policy "default" "1" "3600"
+set_server "ns3" "10.53.0.3"
+# Key properties, timings and states same as above.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_csk_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+#
+# Zone: checkds-ksk.kasp.
+#
+key_clear "KEY1"
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+set_zone "checkds-ksk.kasp"
+set_policy "checkds-ksk" "2" "303"
+set_server "ns3" "10.53.0.3"
+# Key properties.
+set_keyrole      "KEY1" "ksk"
+set_keylifetime  "KEY1" "0"
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keysigning   "KEY1" "yes"
+set_zonesigning  "KEY1" "no"
+
+set_keyrole      "KEY2" "zsk"
+set_keylifetime  "KEY2" "0"
+set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
+set_keysigning   "KEY2" "no"
+set_zonesigning  "KEY2" "yes"
+# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
+set_keystate "KEY1" "GOAL"         "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS"     "hidden"
+
+set_keystate "KEY2" "GOAL"         "omnipresent"
+set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+
+basefile=$(key_get KEY1 BASEFILE)
+
+_wait_for_metadata() {
+	_expr=$1
+	_file=$2
+	grep "$_expr" $_file > /dev/null || return 1
+	return 0
+}
+
+n=$((n+1))
+echo_i "checkds publish correctly sets DSPublish for zone $ZONE ($n)"
+now=$(date +%Y%m%d%H%M%S)
+rndc_checkds "$SERVER" "$DIR" "-" "$now" "published" "$ZONE"
+retry_quiet 3 _wait_for_metadata "DSPublish: $now" "${basefile}.state" || log_error "bad DSPublish in ${basefile}.state"
+# DS State should be forced into RUMOURED.
+set_keystate "KEY1" "STATE_DS"     "rumoured"
+check_keys
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checkds withdraw correctly sets DSRemoved for zone $ZONE ($n)"
+now=$(date +%Y%m%d%H%M%S)
+rndc_checkds "$SERVER" "$DIR" "-" "$now" "withdrawn" "$ZONE"
+retry_quiet 3 _wait_for_metadata "DSRemoved: $now" "${basefile}.state" || log_error "bad DSRemoved in ${basefile}.state"
+# DS State should be forced into UNRETENTIVE.
+set_keystate "KEY1" "STATE_DS"     "unretentive"
+check_keys
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+#
+# Zone: checkds-doubleksk.kasp.
+#
+key_clear "KEY1"
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+set_zone "checkds-doubleksk.kasp"
+set_policy "checkds-doubleksk" "3" "303"
+set_server "ns3" "10.53.0.3"
+# Key properties.
+set_keyrole      "KEY1" "ksk"
+set_keylifetime  "KEY1" "0"
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keysigning   "KEY1" "yes"
+set_zonesigning  "KEY1" "no"
+
+set_keyrole      "KEY2" "ksk"
+set_keylifetime  "KEY2" "0"
+set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
+set_keysigning   "KEY2" "yes"
+set_zonesigning  "KEY2" "no"
+
+set_keyrole      "KEY3" "zsk"
+set_keylifetime  "KEY3" "0"
+set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
+set_keysigning   "KEY3" "no"
+set_zonesigning  "KEY3" "yes"
+# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
+set_keystate "KEY1" "GOAL"         "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS"     "hidden"
+
+set_keystate "KEY2" "GOAL"         "omnipresent"
+set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY2" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY2" "STATE_DS"     "hidden"
+
+set_keystate "KEY3" "GOAL"         "omnipresent"
+set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY3" "STATE_ZRRSIG" "rumoured"
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+
+basefile1=$(key_get KEY1 BASEFILE)
+basefile2=$(key_get KEY2 BASEFILE)
+
+n=$((n+1))
+echo_i "checkds published does not set DSPublish for zone $ZONE (multiple KSK) ($n)"
+rndc_checkds "$SERVER" "$DIR" "-" "20200102121314" "published" "$ZONE"
+grep "DSPublish:" "${basefile1}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile1}"
+grep "DSPublish:" "${basefile2}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile2}"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checkds withdrawn does not set DSRemoved for zone $ZONE (multiple KSK) ($n)"
+rndc_checkds "$SERVER" "$DIR" "-" "20190102121314" "withdrawn" "$ZONE"
+grep "DSRemoved:" "${basefile1}.state" > /dev/null && log_error "DSRemoved incorrectly set in ${basefile1}"
+grep "DSRemoved:" "${basefile2}.state" > /dev/null && log_error "DSRemoved incorrectly set in ${basefile2}"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checkds published does not set DSPublish for zone $ZONE (wrong algorithm) ($n)"
+rndccmd "$SERVER" dnssec -checkds -key $(key_get KEY1 ID) -alg 8 "published" "$ZONE" > rndc.dnssec.checkds.out.$ZONE.$n
+grep "DSPublish:" "${basefile1}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile1}"
+grep "DSPublish:" "${basefile2}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile2}"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checkds withdrawn does not set DSRemoved for zone $ZONE (wrong algorithm) ($n)"
+rndccmd "$SERVER" dnssec -checkds -key $(key_get KEY1 ID) -alg RSASHA256 "withdrawn" "$ZONE" > rndc.dnssec.checkds.out.$ZONE.$n
+grep "DSRemoved:" "${basefile1}.state" > /dev/null && log_error "DSRemoved incorrectly set in ${basefile1}"
+grep "DSRemoved:" "${basefile2}.state" > /dev/null && log_error "DSRemoved incorrectly set in ${basefile2}"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checkds published -key correctly sets DSPublish for key $(key_get KEY1 ID) zone $ZONE (multiple KSK) ($n)"
+rndc_checkds "$SERVER" "$DIR" KEY1 "20190102121314" "published" "$ZONE"
+retry_quiet 3 _wait_for_metadata "DSPublish: 20190102121314" "${basefile1}.state" || log_error "bad DSPublish in ${basefile1}.state"
+grep "DSPublish:" "${basefile2}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile2}"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checkds withdrawn -key correctly sets DSRemoved for key $(key_get KEY2 ID) zone $ZONE (multiple KSK) ($n)"
+rndc_checkds "$SERVER" "$DIR" KEY2 "20200102121314" "withdrawn" "$ZONE"
+grep "DSRemoved:" "${basefile1}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile1}"
+retry_quiet 3 _wait_for_metadata "DSRemoved: 20200102121314" "${basefile2}.state" || log_error "bad DSRemoved in ${basefile2}.state"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+#
+# Zone: checkds-csk.kasp.
+#
+key_clear "KEY1"
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+set_zone "checkds-csk.kasp"
+set_policy "checkds-csk" "1" "303"
+set_server "ns3" "10.53.0.3"
+# Key properties.
+set_keyrole      "KEY1" "csk"
+set_keylifetime  "KEY1" "0"
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keysigning   "KEY1" "yes"
+set_zonesigning  "KEY1" "yes"
+# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
+set_keystate "KEY1" "GOAL"         "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS"     "hidden"
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+
+basefile=$(key_get KEY1 BASEFILE)
+
+n=$((n+1))
+echo_i "checkds publish correctly sets DSPublish for zone $ZONE ($n)"
+rndc_checkds "$SERVER" "$DIR" "-" "20190102121314" "published" "$ZONE"
+retry_quiet 3 _wait_for_metadata "DSPublish: 20190102121314" "${basefile}.state" || log_error "bad DSPublish in ${basefile}.state"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checkds withdraw correctly sets DSRemoved for zone $ZONE ($n)"
+rndc_checkds "$SERVER" "$DIR" "-" "20200102121314" "withdrawn" "$ZONE"
+retry_quiet 3 _wait_for_metadata "DSRemoved: 20200102121314" "${basefile}.state" || log_error "bad DSRemoved in ${basefile}.state"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Set keytimes for dnssec-policy with various algorithms.
+# These all use the same time values.
+set_keytimes_algorithm_policy() {
+	# The first KSK is immediately published and activated.
+	created=$(key_get KEY1 CREATED)
+	set_keytime    "KEY1" "PUBLISHED" "${created}"
+	set_keytime    "KEY1" "ACTIVE"    "${created}"
+	# Key was pregenerated.
+	if [ "$1" = "pregenerated" ]; then
+		keyfile=$(key_get KEY1 BASEFILE)
+		grep "; Publish:" "${keyfile}.key" > published.test${n}.key1
+		published=$(awk '{print $3}' < published.test${n}.key1)
+		set_keytime "KEY1" "PUBLISHED" "${published}"
+		set_keytime "KEY1" "ACTIVE"    "${published}"
+	fi
+	published=$(key_get KEY1 PUBLISHED)
+
+	# The DS can be published if the DNSKEY and RRSIG records are
+	# OMNIPRESENT.  This happens after max-zone-ttl (1d) plus
+	# publish-safety (1h) plus zone-propagation-delay (300s) =
+	# 86400 + 3600 + 300 = 90300.
+	set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 90300
+	# Key lifetime is 10 years, 315360000 seconds.
+	set_addkeytime "KEY1" "RETIRED"     "${published}" 315360000
+	# The key is removed after the retire time plus DS TTL (1d),
+	# parent propagation delay (1h), and retire safety (1h) =
+	# 86400 + 3600 + 3600 = 93600.
+	retired=$(key_get KEY1 RETIRED)
+	set_addkeytime "KEY1" "REMOVED"     "${retired}"   93600
+
+	# The first ZSKs are immediately published and activated.
+	created=$(key_get KEY2 CREATED)
+	set_keytime    "KEY2" "PUBLISHED" "${created}"
+	set_keytime    "KEY2" "ACTIVE"    "${created}"
+	# Key was pregenerated.
+	if [ "$1" = "pregenerated" ]; then
+		keyfile=$(key_get KEY2 BASEFILE)
+		grep "; Publish:" "${keyfile}.key" > published.test${n}.key2
+		published=$(awk '{print $3}' < published.test${n}.key2)
+		set_keytime "KEY2" "PUBLISHED" "${published}"
+		set_keytime "KEY2" "ACTIVE"    "${published}"
+	fi
+	published=$(key_get KEY2 PUBLISHED)
+
+	# Key lifetime for KSK2 is 5 years, 157680000 seconds.
+	set_addkeytime "KEY2" "RETIRED"   "${published}" 157680000
+	# The key is removed after the retire time plus max zone ttl (1d), zone
+	# propagation delay (300s), retire safety (1h), and sign delay
+	# (signature validity minus refresh, 9d) =
+	# 86400 + 300 + 3600 + 777600 = 867900.
+	retired=$(key_get KEY2 RETIRED)
+	set_addkeytime "KEY2" "REMOVED"   "${retired}"   867900
+
+	# Second ZSK (KEY3).
+	created=$(key_get KEY3 CREATED)
+	set_keytime    "KEY3" "PUBLISHED" "${created}"
+	set_keytime    "KEY3" "ACTIVE"    "${created}"
+	# Key was pregenerated.
+	if [ "$1" = "pregenerated" ]; then
+		keyfile=$(key_get KEY3 BASEFILE)
+		grep "; Publish:" "${keyfile}.key" > published.test${n}.key3
+		published=$(awk '{print $3}' < published.test${n}.key3)
+		set_keytime "KEY3" "PUBLISHED" "${published}"
+		set_keytime "KEY3" "ACTIVE"    "${published}"
+	fi
+	published=$(key_get KEY3 PUBLISHED)
+
+	# Key lifetime for KSK3 is 1 year, 31536000 seconds.
+	set_addkeytime "KEY3" "RETIRED"   "${published}" 31536000
+	retired=$(key_get KEY3 RETIRED)
+	set_addkeytime "KEY3" "REMOVED"   "${retired}"   867900
+}
+
+#
+# Zone: rsasha1.kasp.
+#
+if $SHELL ../testcrypto.sh -q RSASHA1
+then
+	set_zone "rsasha1.kasp"
+	set_policy "rsasha1" "3" "1234"
+	set_server "ns3" "10.53.0.3"
+	# Key properties.
+	key_clear        "KEY1"
+	set_keyrole      "KEY1" "ksk"
+	set_keylifetime  "KEY1" "315360000"
+	set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
+	set_keysigning   "KEY1" "yes"
+	set_zonesigning  "KEY1" "no"
+
+	key_clear        "KEY2"
+	set_keyrole      "KEY2" "zsk"
+	set_keylifetime  "KEY2" "157680000"
+	set_keyalgorithm "KEY2" "5" "RSASHA1" "2048"
+	set_keysigning   "KEY2" "no"
+	set_zonesigning  "KEY2" "yes"
+
+	key_clear        "KEY3"
+	set_keyrole      "KEY3" "zsk"
+	set_keylifetime  "KEY3" "31536000"
+	set_keyalgorithm "KEY3" "5" "RSASHA1" "2000"
+	set_keysigning   "KEY3" "no"
+	set_zonesigning  "KEY3" "yes"
+
+	# KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
+	# ZSK: DNSKEY, RRSIG (zsk) published.
+	set_keystate "KEY1" "GOAL"         "omnipresent"
+	set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+	set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+	set_keystate "KEY1" "STATE_DS"     "hidden"
+
+	set_keystate "KEY2" "GOAL"         "omnipresent"
+	set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
+	set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
+
+	set_keystate "KEY3" "GOAL"         "omnipresent"
+	set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
+	set_keystate "KEY3" "STATE_ZRRSIG" "rumoured"
+	# Three keys only.
+	key_clear "KEY4"
+
+	check_keys
+	check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+	set_keytimes_algorithm_policy
+	check_keytimes
+	check_apex
+	check_subdomain
+	dnssec_verify
+fi
+
+#
+# Zone: unsigned.kasp.
+#
+set_zone "unsigned.kasp"
+set_policy "none" "0" "0"
+set_server "ns3" "10.53.0.3"
+
+key_clear "KEY1"
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+# Make sure the zone file is untouched.
+n=$((n+1))
+echo_i "Make sure the zonefile for zone ${ZONE} is not edited ($n)"
+ret=0
+diff "${DIR}/${ZONE}.db.infile" "${DIR}/${ZONE}.db" || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+#
+# Zone: insecure.kasp.
+#
+set_zone "insecure.kasp"
+set_policy "insecure" "0" "0"
+set_server "ns3" "10.53.0.3"
+
+key_clear "KEY1"
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+
+#
+# Zone: unlimited.kasp.
+#
+set_zone "unlimited.kasp"
+set_policy "unlimited" "1" "1234"
+set_server "ns3" "10.53.0.3"
+# Key properties.
+set_keyrole      "KEY1" "csk"
+set_keylifetime  "KEY1" "0"
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keysigning   "KEY1" "yes"
+set_zonesigning  "KEY1" "yes"
+# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
+set_keystate "KEY1" "GOAL"         "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS"     "hidden"
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_csk_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+#
+# Zone: inherit.kasp.
+#
+set_zone "inherit.kasp"
+set_policy "rsasha256" "3" "1234"
+set_server "ns3" "10.53.0.3"
+
+# Key properties.
+key_clear        "KEY1"
+set_keyrole      "KEY1" "ksk"
+set_keylifetime  "KEY1" "315360000"
+set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
+set_keysigning   "KEY1" "yes"
+set_zonesigning  "KEY1" "no"
+
+key_clear        "KEY2"
+set_keyrole      "KEY2" "zsk"
+set_keylifetime  "KEY2" "157680000"
+set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
+set_keysigning   "KEY2" "no"
+set_zonesigning  "KEY2" "yes"
+
+key_clear        "KEY3"
+set_keyrole      "KEY3" "zsk"
+set_keylifetime  "KEY3" "31536000"
+set_keyalgorithm "KEY3" "8" "RSASHA256" "3072"
+set_keysigning   "KEY3" "no"
+set_zonesigning  "KEY3" "yes"
+# KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
+# ZSK: DNSKEY, RRSIG (zsk) published.
+set_keystate "KEY1" "GOAL"         "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS"     "hidden"
+
+set_keystate "KEY2" "GOAL"         "omnipresent"
+set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
+
+set_keystate "KEY3" "GOAL"         "omnipresent"
+set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY3" "STATE_ZRRSIG" "rumoured"
+# Three keys only.
+key_clear "KEY4"
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_algorithm_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+#
+# Zone: dnssec-keygen.kasp.
+#
+set_zone "dnssec-keygen.kasp"
+set_policy "rsasha256" "3" "1234"
+set_server "ns3" "10.53.0.3"
+# Key properties, timings and states same as above.
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_algorithm_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+#
+# Zone: some-keys.kasp.
+#
+set_zone "some-keys.kasp"
+set_policy "rsasha256" "3" "1234"
+set_server "ns3" "10.53.0.3"
+# Key properties, timings and states same as above.
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_algorithm_policy "pregenerated"
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+#
+# Zone: pregenerated.kasp.
+#
+# There are more pregenerated keys than needed, hence the number of keys is
+# six, not three.
+set_zone "pregenerated.kasp"
+set_policy "rsasha256" "6" "1234"
+set_server "ns3" "10.53.0.3"
+# Key properties, timings and states same as above.
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_algorithm_policy "pregenerated"
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+#
+# Zone: rumoured.kasp.
+#
+# There are three keys in rumoured state.
+set_zone "rumoured.kasp"
+set_policy "rsasha256" "3" "1234"
+set_server "ns3" "10.53.0.3"
+# Key properties, timings and states same as above.
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_algorithm_policy
+# Activation date is a day later.
+set_addkeytime "KEY1" "ACTIVE"   $(key_get KEY1 ACTIVE)  86400
+set_addkeytime "KEY1" "RETIRED"  $(key_get KEY1 RETIRED) 86400
+set_addkeytime "KEY1" "REMOVED"  $(key_get KEY1 REMOVED) 86400
+set_addkeytime "KEY2" "ACTIVE"   $(key_get KEY2 ACTIVE)  86400
+set_addkeytime "KEY2" "RETIRED"  $(key_get KEY2 RETIRED) 86400
+set_addkeytime "KEY2" "REMOVED"  $(key_get KEY2 REMOVED) 86400
+set_addkeytime "KEY3" "ACTIVE"   $(key_get KEY3 ACTIVE)  86400
+set_addkeytime "KEY3" "RETIRED"  $(key_get KEY3 RETIRED) 86400
+set_addkeytime "KEY3" "REMOVED"  $(key_get KEY3 REMOVED) 86400
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+#
+# Zone: secondary.kasp.
+#
+set_zone "secondary.kasp"
+set_policy "rsasha256" "3" "1234"
+set_server "ns3" "10.53.0.3"
+# Key properties, timings and states same as above.
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_algorithm_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Update zone.
+n=$((n+1))
+echo_i "check that we correctly sign the zone after IXFR for zone ${ZONE} ($n)"
+ret=0
+cp ns2/secondary.kasp.db.in2 ns2/secondary.kasp.db
+rndccmd 10.53.0.2 reload "$ZONE" > /dev/null || log_error "rndc reload zone ${ZONE} failed"
+
+_wait_for_done_subdomains() {
+	ret=0
+	dig_with_opts "a.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n.a" || return 1
+	grep "status: NOERROR" "dig.out.$DIR.test$n.a" > /dev/null || return 1
+	grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.11" "dig.out.$DIR.test$n.a" > /dev/null || return 1
+	check_signatures $_qtype "dig.out.$DIR.test$n.a" "ZSK"
+	if [ $ret -gt 0 ]; then return $ret; fi
+
+	dig_with_opts "d.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n.d" || return 1
+	grep "status: NOERROR" "dig.out.$DIR.test$n.d" > /dev/null || return 1
+	grep "d.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.4" "dig.out.$DIR.test$n.d" > /dev/null || return 1
+	check_signatures $_qtype "dig.out.$DIR.test$n.d" "ZSK"
+	return $ret
+}
+retry_quiet 5 _wait_for_done_subdomains || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# TODO: we might want to test:
+# - configuring a zone with too many active keys (should trigger retire).
+# - configuring a zone with keys not matching the policy.
+
+#
+# Zone: rsasha1-nsec3.kasp.
+#
+if $SHELL ../testcrypto.sh -q RSASHA1
+then
+	set_zone "rsasha1-nsec3.kasp"
+	set_policy "rsasha1-nsec3" "3" "1234"
+	set_server "ns3" "10.53.0.3"
+	# Key properties.
+	set_keyalgorithm "KEY1" "7" "NSEC3RSASHA1" "2048"
+	set_keyalgorithm "KEY2" "7" "NSEC3RSASHA1" "2048"
+	set_keyalgorithm "KEY3" "7" "NSEC3RSASHA1" "2000"
+	# Key timings and states same as above.
+
+	check_keys
+	check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+	set_keytimes_algorithm_policy
+	check_keytimes
+	check_apex
+	check_subdomain
+	dnssec_verify
+fi
+
+#
+# Zone: rsasha256.kasp.
+#
+set_zone "rsasha256.kasp"
+set_policy "rsasha256" "3" "1234"
+set_server "ns3" "10.53.0.3"
+# Key properties.
+set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
+set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
+set_keyalgorithm "KEY3" "8" "RSASHA256" "3072"
+# Key timings and states same as above.
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_algorithm_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+#
+# Zone: rsasha512.kasp.
+#
+set_zone "rsasha512.kasp"
+set_policy "rsasha512" "3" "1234"
+set_server "ns3" "10.53.0.3"
+# Key properties.
+set_keyalgorithm "KEY1" "10" "RSASHA512" "2048"
+set_keyalgorithm "KEY2" "10" "RSASHA512" "2048"
+set_keyalgorithm "KEY3" "10" "RSASHA512" "3072"
+# Key timings and states same as above.
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_algorithm_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+#
+# Zone: ecdsa256.kasp.
+#
+set_zone "ecdsa256.kasp"
+set_policy "ecdsa256" "3" "1234"
+set_server "ns3" "10.53.0.3"
+# Key properties.
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
+set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
+# Key timings and states same as above.
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_algorithm_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+#
+# Zone: ecdsa512.kasp.
+#
+set_zone "ecdsa384.kasp"
+set_policy "ecdsa384" "3" "1234"
+set_server "ns3" "10.53.0.3"
+# Key properties.
+set_keyalgorithm "KEY1" "14" "ECDSAP384SHA384" "384"
+set_keyalgorithm "KEY2" "14" "ECDSAP384SHA384" "384"
+set_keyalgorithm "KEY3" "14" "ECDSAP384SHA384" "384"
+# Key timings and states same as above.
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_algorithm_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+#
+# Zone: ed25519.kasp.
+#
+if [ -f ed25519-supported.file ]; then
+	set_zone "ed25519.kasp"
+	set_policy "ed25519" "3" "1234"
+	set_server "ns3" "10.53.0.3"
+	# Key properties.
+	set_keyalgorithm "KEY1" "15" "ED25519" "256"
+	set_keyalgorithm "KEY2" "15" "ED25519" "256"
+	set_keyalgorithm "KEY3" "15" "ED25519" "256"
+	# Key timings and states same as above.
+
+	check_keys
+	check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+	set_keytimes_algorithm_policy
+	check_keytimes
+	check_apex
+	check_subdomain
+	dnssec_verify
+fi
+
+#
+# Zone: ed448.kasp.
+#
+if [ -f ed448-supported.file ]; then
+	set_zone "ed448.kasp"
+	set_policy "ed448" "3" "1234"
+	set_server "ns3" "10.53.0.3"
+	# Key properties.
+	set_keyalgorithm "KEY1" "16" "ED448" "456"
+	set_keyalgorithm "KEY2" "16" "ED448" "456"
+	set_keyalgorithm "KEY3" "16" "ED448" "456"
+	# Key timings and states same as above.
+
+	check_keys
+	check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+	set_keytimes_algorithm_policy
+	check_keytimes
+	check_apex
+	check_subdomain
+	dnssec_verify
+fi
+
+# Set key times for 'autosign' policy.
+set_keytimes_autosign_policy() {
+	# The KSK was published six months ago (with settime).
+	created=$(key_get KEY1 CREATED)
+	set_addkeytime "KEY1" "PUBLISHED"   "${created}" -15552000
+	set_addkeytime "KEY1" "ACTIVE"      "${created}" -15552000
+	set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -15552000
+	# Key lifetime is 2 years, 63072000 seconds.
+	active=$(key_get KEY1 ACTIVE)
+	set_addkeytime "KEY1" "RETIRED"     "${active}"  63072000
+	# The key is removed after the retire time plus DS TTL (1d),
+	# parent propagation delay (1h), retire safety (1h) =
+	# 86400 + 3600 + 3600 = 93600
+	retired=$(key_get KEY1 RETIRED)
+	set_addkeytime "KEY1" "REMOVED"     "${retired}" 93600
+
+	# The ZSK was published six months ago (with settime).
+	created=$(key_get KEY2 CREATED)
+	set_addkeytime "KEY2" "PUBLISHED"   "${created}" -15552000
+	set_addkeytime "KEY2" "ACTIVE"      "${created}" -15552000
+	# Key lifetime for KSK2 is 1 year, 31536000 seconds.
+	active=$(key_get KEY2 ACTIVE)
+	set_addkeytime "KEY2" "RETIRED"     "${active}"  31536000
+	# The key is removed after the retire time plus:
+        # TTLsig (RRSIG TTL):       1 day (86400 seconds)
+	# Dprp (propagation delay): 5 minutes (300 seconds)
+        # retire-safety:            1 hour (3600 seconds)
+        # Dsgn (sign delay):        7 days (604800 seconds)
+        # Iret:                     695100 seconds.
+	retired=$(key_get KEY2 RETIRED)
+	set_addkeytime "KEY2" "REMOVED"     "${retired}" 695100
+}
+
+#
+# Zone: expired-sigs.autosign.
+#
+set_zone "expired-sigs.autosign"
+set_policy "autosign" "2" "300"
+set_server "ns3" "10.53.0.3"
+# Key properties.
+key_clear        "KEY1"
+set_keyrole      "KEY1" "ksk"
+set_keylifetime  "KEY1" "63072000"
+set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning   "KEY1" "yes"
+set_zonesigning  "KEY1" "no"
+
+key_clear        "KEY2"
+set_keyrole      "KEY2" "zsk"
+set_keylifetime  "KEY2" "31536000"
+set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning   "KEY2" "no"
+set_zonesigning  "KEY2" "yes"
+
+# Both KSK and ZSK stay OMNIPRESENT.
+set_keystate "KEY1" "GOAL"         "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_DS"     "omnipresent"
+
+set_keystate "KEY2" "GOAL"         "omnipresent"
+set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
+# Expect only two keys.
+key_clear "KEY3"
+key_clear "KEY4"
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_autosign_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Verify all signatures have been refreshed.
+check_rrsig_refresh() {
+	# Apex.
+	_qtypes="DNSKEY SOA NS NSEC"
+	for _qtype in $_qtypes
+	do
+		n=$((n+1))
+		echo_i "check ${_qtype} rrsig is refreshed correctly for zone ${ZONE} ($n)"
+		ret=0
+		dig_with_opts "$ZONE" "@${SERVER}" "$_qtype" > "dig.out.$DIR.test$n" || log_error "dig ${ZONE} ${_qtype} failed"
+		grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response"
+		grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response"
+		# If this exact RRSIG is also in the zone file it is not refreshed.
+		_rrsig=$(cat "rrsig.out.$ZONE.$_qtype")
+		grep "${_rrsig}" "${DIR}/${ZONE}.db" > /dev/null && log_error "RRSIG (${_qtype}) not refreshed in zone ${ZONE}"
+		test "$ret" -eq 0 || echo_i "failed"
+		status=$((status+ret))
+	done
+
+	# Below apex.
+	_labels="a b c ns3"
+	for _label in $_labels;
+	do
+		_qtypes="A NSEC"
+		for _qtype in $_qtypes
+		do
+			n=$((n+1))
+			echo_i "check ${_label} ${_qtype} rrsig is refreshed correctly for zone ${ZONE} ($n)"
+			ret=0
+			dig_with_opts "${_label}.${ZONE}" "@${SERVER}" "$_qtype" > "dig.out.$DIR.test$n" || log_error "dig ${_label}.${ZONE} ${_qtype} failed"
+			grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response"
+			grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response"
+			_rrsig=$(cat "rrsig.out.$ZONE.$_qtype")
+			grep "${_rrsig}" "${DIR}/${ZONE}.db" > /dev/null && log_error "RRSIG (${_qtype}) not refreshed in zone ${ZONE}"
+			test "$ret" -eq 0 || echo_i "failed"
+			status=$((status+ret))
+		done
+	done
+}
+
+check_rrsig_refresh
+
+#
+# Zone: fresh-sigs.autosign.
+#
+set_zone "fresh-sigs.autosign"
+set_policy "autosign" "2" "300"
+set_server "ns3" "10.53.0.3"
+# Key properties, timings and states same as above.
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_autosign_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Verify signature reuse.
+check_rrsig_reuse() {
+	# Apex.
+	_qtypes="NS NSEC"
+	for _qtype in $_qtypes
+	do
+		n=$((n+1))
+		echo_i "check ${_qtype} rrsig is reused correctly for zone ${ZONE} ($n)"
+		ret=0
+		dig_with_opts "$ZONE" "@${SERVER}" "$_qtype" > "dig.out.$DIR.test$n" || log_error "dig ${ZONE} ${_qtype} failed"
+		grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response"
+		grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response"
+		# If this exact RRSIG is also in the signed zone file it is not refreshed.
+		_rrsig=$(awk '{print $5, $6, $7, $8, $9, $10, $11, $12, $13, $14;}' < "rrsig.out.$ZONE.$_qtype")
+		$CHECKZONE -f raw -F text -s full -o zone.out.${ZONE}.test$n "${ZONE}" "${DIR}/${ZONE}.db.signed" > /dev/null
+		grep "${_rrsig}" zone.out.${ZONE}.test$n > /dev/null || log_error "RRSIG (${_qtype}) not reused in zone ${ZONE}"
+		test "$ret" -eq 0 || echo_i "failed"
+		status=$((status+ret))
+	done
+
+	# Below apex.
+	_labels="a b c ns3"
+	for _label in $_labels;
+	do
+		_qtypes="A NSEC"
+		for _qtype in $_qtypes
+		do
+			n=$((n+1))
+			echo_i "check ${_label} ${_qtype} rrsig is reused correctly for zone ${ZONE} ($n)"
+			ret=0
+			dig_with_opts "${_label}.${ZONE}" "@${SERVER}" "$_qtype" > "dig.out.$DIR.test$n" || log_error "dig ${_label}.${ZONE} ${_qtype} failed"
+			grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response"
+			grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response"
+			# If this exact RRSIG is also in the signed zone file it is not refreshed.
+			_rrsig=$(awk '{print $5, $6, $7, $8, $9, $10, $11, $12, $13, $14;}' < "rrsig.out.$ZONE.$_qtype")
+			$CHECKZONE -f raw -F text -s full -o zone.out.${ZONE}.test$n "${ZONE}" "${DIR}/${ZONE}.db.signed" > /dev/null
+			grep "${_rrsig}" zone.out.${ZONE}.test$n > /dev/null || log_error "RRSIG (${_qtype}) not reused in zone ${ZONE}"
+			test "$ret" -eq 0 || echo_i "failed"
+			status=$((status+ret))
+		done
+	done
+}
+
+check_rrsig_reuse
+
+#
+# Zone: unfresh-sigs.autosign.
+#
+set_zone "unfresh-sigs.autosign"
+set_policy "autosign" "2" "300"
+set_server "ns3" "10.53.0.3"
+# Key properties, timings and states same as above.
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_autosign_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+check_rrsig_refresh
+
+#
+# Zone: ksk-missing.autosign.
+#
+set_zone "ksk-missing.autosign"
+set_policy "autosign" "2" "300"
+set_server "ns3" "10.53.0.3"
+# Key properties, timings and states same as above.
+# Skip checking the private file, because it is missing.
+key_set "KEY1" "PRIVATE" "no"
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+
+# Restore the PRIVATE variable.
+key_set "KEY1" "PRIVATE" "yes"
+
+#
+# Zone: zsk-missing.autosign.
+#
+set_zone "zsk-missing.autosign"
+set_policy "autosign" "2" "300"
+set_server "ns3" "10.53.0.3"
+# Key properties, timings and states same as above.
+# Skip checking the private file, because it is missing.
+key_set "KEY2" "PRIVATE" "no"
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+# For the apex, we expect the SOA to be signed with the KSK because the ZSK is
+# offline. Temporary treat KEY1 as a zone signing key too.
+set_keyrole "KEY1" "csk"
+set_zonesigning "KEY1" "yes"
+set_zonesigning "KEY2" "no"
+check_apex
+set_keyrole "KEY1" "ksk"
+set_zonesigning "KEY1" "no"
+set_zonesigning "KEY2" "yes"
+check_subdomain
+dnssec_verify
+
+# Restore the PRIVATE variable.
+key_set "KEY2" "PRIVATE" "yes"
+
+#
+# Zone: zsk-retired.autosign.
+#
+set_zone "zsk-retired.autosign"
+set_policy "autosign" "3" "300"
+set_server "ns3" "10.53.0.3"
+# The third key is not yet expected to be signing.
+set_keyrole      "KEY3" "zsk"
+set_keylifetime  "KEY3" "31536000"
+set_keyalgorithm "KEY3" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning   "KEY3" "no"
+set_zonesigning  "KEY3" "no"
+# The ZSK goal is set to HIDDEN but records stay OMNIPRESENT until the new ZSK
+# is active.
+set_keystate "KEY2" "GOAL"         "hidden"
+set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
+# A new ZSK should be introduced, so expect a key with goal OMNIPRESENT,
+# the DNSKEY introduced (RUMOURED) and the signatures HIDDEN.
+set_keystate "KEY3" "GOAL"         "omnipresent"
+set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY3" "STATE_ZRRSIG" "hidden"
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_autosign_policy
+
+# The old ZSK is retired.
+created=$(key_get KEY2 CREATED)
+set_keytime    "KEY2" "RETIRED"   "${created}"
+set_addkeytime "KEY2" "REMOVED"   "${created}"   695100
+# The new ZSK is immediately published.
+created=$(key_get KEY3 CREATED)
+set_keytime    "KEY3" "PUBLISHED" "${created}"
+# And becomes active after Ipub:
+# DNSKEY TTL:            300 seconds
+# zone-propagation-delay 5 minutes (300 seconds)
+# publish-safety:        1 hour (3600 seconds)
+# Ipub:                  4200 seconds
+published=$(key_get KEY3 PUBLISHED)
+set_addkeytime "KEY3" "ACTIVE"    "${published}" 4200
+# Lzsk:                  1 year (31536000 seconds)
+active=$(key_get KEY3 ACTIVE)
+set_addkeytime "KEY3" "RETIRED"   "${active}"    31536000
+# Iret:                  695100 seconds.
+retired=$(key_get KEY3 RETIRED)
+set_addkeytime "KEY3" "REMOVED"   "${retired}"   695100
+
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+check_rrsig_refresh
+
+#
+# Zone: legacy-keys.kasp.
+#
+set_zone "legacy-keys.kasp"
+# This zone has two active keys and two old keys left in key directory, so
+# expect 4 key files.
+set_policy "migrate-to-dnssec-policy" "4" "1234"
+set_server "ns3" "10.53.0.3"
+
+# Key properties.
+key_clear        "KEY1"
+set_keyrole      "KEY1" "ksk"
+set_keylifetime  "KEY1" "16070400"
+set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
+set_keysigning   "KEY1" "yes"
+set_zonesigning  "KEY1" "no"
+
+key_clear        "KEY2"
+set_keyrole      "KEY2" "zsk"
+set_keylifetime  "KEY2" "16070400"
+set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
+set_keysigning   "KEY2" "no"
+set_zonesigning  "KEY2" "yes"
+# KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
+# ZSK: DNSKEY, RRSIG (zsk) published.
+set_keystate "KEY1" "GOAL"         "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS"     "hidden"
+
+set_keystate "KEY2" "GOAL"         "omnipresent"
+set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
+# Two keys only.
+key_clear "KEY3"
+key_clear "KEY4"
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Make sure the correct legacy keys were used (and not the removed predecessor
+# keys).
+n=$((n+1))
+echo_i "check correct keys were used when migrating zone ${ZONE} to dnssec-policy ($n)"
+ret=0
+kskfile=$(cat ns3/legacy-keys.kasp.ksk)
+basefile=$(key_get KEY1 BASEFILE)
+echo_i "filename: $basefile (expect $kskfile)"
+test "$DIR/$kskfile" = "$basefile" || ret=1
+zskfile=$(cat ns3/legacy-keys.kasp.zsk)
+basefile=$(key_get KEY2 BASEFILE)
+echo_i "filename: $basefile (expect $zskfile)"
+test "$DIR/$zskfile" = "$basefile" || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# KSK times.
+created=$(key_get KEY1 CREATED)
+keyfile=$(key_get KEY1 BASEFILE)
+grep "; Publish:" "${keyfile}.key" > published.test${n}.key1
+published=$(awk '{print $3}' < published.test${n}.key1)
+set_keytime "KEY1" "PUBLISHED" "${published}"
+set_keytime "KEY1" "ACTIVE"    "${published}"
+published=$(key_get KEY1 PUBLISHED)
+# The DS can be published if the DNSKEY and RRSIG records are OMNIPRESENT.
+#  This happens after max-zone-ttl (1d) plus publish-safety (1h) plus
+# zone-propagation-delay (300s) = 86400 + 3600 + 300 = 90300.
+set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 90300
+# Key lifetime is 6 months, 315360000 seconds.
+set_addkeytime "KEY1" "RETIRED"     "${published}" 16070400
+# The key is removed after the retire time plus DS TTL (1d), parent
+# propagation delay (1h), and retire safety (1h) = 86400 + 3600 + 3600 = 93600.
+retired=$(key_get KEY1 RETIRED)
+set_addkeytime "KEY1" "REMOVED"     "${retired}"   93600
+
+# ZSK times.
+created=$(key_get KEY2 CREATED)
+keyfile=$(key_get KEY2 BASEFILE)
+grep "; Publish:" "${keyfile}.key" > published.test${n}.key2
+published=$(awk '{print $3}' < published.test${n}.key2)
+set_keytime "KEY2" "PUBLISHED" "${published}"
+set_keytime "KEY2" "ACTIVE"    "${published}"
+published=$(key_get KEY2 PUBLISHED)
+# Key lifetime is 6 months, 315360000 seconds.
+set_addkeytime "KEY2" "RETIRED"     "${published}" 16070400
+# The key is removed after the retire time plus max zone ttl (1d), zone
+# propagation delay (300s), retire safety (1h), and sign delay (signature
+# validity minus refresh, 9d) = 86400 + 300 + 3600 + 777600 = 867900.
+retired=$(key_get KEY2 RETIRED)
+set_addkeytime "KEY2" "REMOVED"   "${retired}"   867900
+
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+#
+# Test dnssec-policy inheritance.
+#
+
+# These zones should be unsigned:
+# ns2/unsigned.tld
+# ns4/none.inherit.signed
+# ns4/none.override.signed
+# ns4/inherit.none.signed
+# ns4/none.none.signed
+# ns5/inherit.inherit.unsigned
+# ns5/none.inherit.unsigned
+# ns5/none.override.unsigned
+# ns5/inherit.none.unsigned
+# ns5/none.none.unsigned
+key_clear "KEY1"
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+set_zone "unsigned.tld"
+set_policy "none" "0" "0"
+set_server "ns2" "10.53.0.2"
+TSIG=""
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+
+set_zone "none.inherit.signed"
+set_policy "none" "0" "0"
+set_server "ns4" "10.53.0.4"
+TSIG="hmac-sha1:sha1:$SHA1"
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+
+set_zone "none.override.signed"
+set_policy "none" "0" "0"
+set_server "ns4" "10.53.0.4"
+TSIG="hmac-sha224:sha224:$SHA224"
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+
+set_zone "inherit.none.signed"
+set_policy "none" "0" "0"
+set_server "ns4" "10.53.0.4"
+TSIG="hmac-sha256:sha256:$SHA256"
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+
+set_zone "none.none.signed"
+set_policy "none" "0" "0"
+set_server "ns4" "10.53.0.4"
+TSIG="hmac-sha256:sha256:$SHA256"
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+
+set_zone "inherit.inherit.unsigned"
+set_policy "none" "0" "0"
+set_server "ns5" "10.53.0.5"
+TSIG="hmac-sha1:sha1:$SHA1"
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+
+set_zone "none.inherit.unsigned"
+set_policy "none" "0" "0"
+set_server "ns5" "10.53.0.5"
+TSIG="hmac-sha1:sha1:$SHA1"
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+
+set_zone "none.override.unsigned"
+set_policy "none" "0" "0"
+set_server "ns5" "10.53.0.5"
+TSIG="hmac-sha224:sha224:$SHA224"
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+
+set_zone "inherit.none.unsigned"
+set_policy "none" "0" "0"
+set_server "ns5" "10.53.0.5"
+TSIG="hmac-sha256:sha256:$SHA256"
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+
+set_zone "none.none.unsigned"
+set_policy "none" "0" "0"
+set_server "ns5" "10.53.0.5"
+TSIG="hmac-sha256:sha256:$SHA256"
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+
+# These zones should be signed with the default policy:
+# ns2/signed.tld
+# ns4/override.inherit.signed
+# ns4/inherit.override.signed
+# ns5/override.inherit.signed
+# ns5/inherit.override.signed
+set_keyrole      "KEY1" "csk"
+set_keylifetime  "KEY1" "0"
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keysigning   "KEY1" "yes"
+set_zonesigning  "KEY1" "yes"
+
+set_keystate "KEY1" "GOAL"         "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS"     "hidden"
+
+set_zone "signed.tld"
+set_policy "default" "1" "3600"
+set_server "ns2" "10.53.0.2"
+TSIG=""
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_csk_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+set_zone "override.inherit.signed"
+set_policy "default" "1" "3600"
+set_server "ns4" "10.53.0.4"
+TSIG="hmac-sha1:sha1:$SHA1"
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_csk_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+set_zone "inherit.override.signed"
+set_policy "default" "1" "3600"
+set_server "ns4" "10.53.0.4"
+TSIG="hmac-sha224:sha224:$SHA224"
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_csk_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+set_zone "override.inherit.unsigned"
+set_policy "default" "1" "3600"
+set_server "ns5" "10.53.0.5"
+TSIG="hmac-sha1:sha1:$SHA1"
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_csk_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+set_zone "inherit.override.unsigned"
+set_policy "default" "1" "3600"
+set_server "ns5" "10.53.0.5"
+TSIG="hmac-sha224:sha224:$SHA224"
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_csk_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# These zones should be signed with the test policy:
+# ns4/inherit.inherit.signed
+# ns4/override.override.signed
+# ns4/override.none.signed
+# ns5/override.override.unsigned
+# ns5/override.none.unsigned
+# ns4/example.net (both views)
+set_keyrole      "KEY1" "csk"
+set_keylifetime  "KEY1" "0"
+set_keyalgorithm "KEY1" "14" "ECDSAP384SHA384" "384"
+set_keysigning   "KEY1" "yes"
+set_zonesigning  "KEY1" "yes"
+
+set_zone "inherit.inherit.signed"
+set_policy "test" "1" "3600"
+set_server "ns4" "10.53.0.4"
+TSIG="hmac-sha1:sha1:$SHA1"
+wait_for_nsec
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_csk_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+set_zone "override.override.signed"
+set_policy "test" "1" "3600"
+set_server "ns4" "10.53.0.4"
+TSIG="hmac-sha224:sha224:$SHA224"
+wait_for_nsec
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_csk_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+set_zone "override.none.signed"
+set_policy "test" "1" "3600"
+set_server "ns4" "10.53.0.4"
+TSIG="hmac-sha256:sha256:$SHA256"
+wait_for_nsec
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_csk_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+set_zone "override.override.unsigned"
+set_policy "test" "1" "3600"
+set_server "ns5" "10.53.0.5"
+TSIG="hmac-sha224:sha224:$SHA224"
+wait_for_nsec
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_csk_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+set_zone "override.none.unsigned"
+set_policy "test" "1" "3600"
+set_server "ns5" "10.53.0.5"
+TSIG="hmac-sha256:sha256:$SHA256"
+wait_for_nsec
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_csk_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Test with views.
+set_zone "example.net"
+set_server "ns4" "10.53.0.4"
+TSIG="$DEFAULT_HMAC:keyforview1:$VIEW1"
+wait_for_nsec
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example1"
+set_keytimes_csk_policy
+check_keytimes
+check_apex
+dnssec_verify
+# check zonestatus
+n=$((n+1))
+echo_i "check $ZONE (view example1) zonestatus ($n)"
+ret=0
+check_isdynamic "$SERVER" "$ZONE" "example1" || log_error "zone not dynamic"
+check_inlinesigning "$SERVER" "$ZONE" "example1" && log_error "inline-signing enabled, expected disabled"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+# check subdomain
+n=$((n+1))
+echo_i "check TXT example.net (view example1) rrset is signed correctly ($n)"
+ret=0
+dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
+grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response"
+grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view1" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response"
+check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+TSIG="$DEFAULT_HMAC:keyforview2:$VIEW2"
+wait_for_nsec
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example2"
+check_apex
+dnssec_verify
+# check zonestatus
+n=$((n+1))
+echo_i "check $ZONE (view example2) zonestatus ($n)"
+ret=0
+check_isdynamic "$SERVER" "$ZONE" "example2" && log_error "zone dynamic, but not expected"
+check_inlinesigning "$SERVER" "$ZONE" "example2" || log_error "inline-signing disabled, expected enabled"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+# check subdomain
+n=$((n+1))
+echo_i "check TXT example.net (view example2) rrset is signed correctly ($n)"
+ret=0
+dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
+grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response"
+grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view2" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response"
+check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+TSIG="$DEFAULT_HMAC:keyforview3:$VIEW3"
+wait_for_nsec
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example3"
+check_apex
+dnssec_verify
+# check zonestatus
+n=$((n+1))
+echo_i "check $ZONE (view example3) zonestatus ($n)"
+ret=0
+check_isdynamic "$SERVER" "$ZONE" "example3" && log_error "zone dynamic, but not expected"
+check_inlinesigning "$SERVER" "$ZONE" "example3" || log_error "inline-signing disabled, expected enabled"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+# check subdomain
+n=$((n+1))
+echo_i "check TXT example.net (view example3) rrset is signed correctly ($n)"
+ret=0
+dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
+grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response"
+grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view2" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response"
+check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Clear TSIG.
+TSIG=""
+
+#
+# Testing RFC 8901 Multi-Signer Model 2.
+#
+set_zone "multisigner-model2.kasp"
+set_policy "multisigner-model2" "2" "3600"
+set_server "ns3" "10.53.0.3"
+key_clear "KEY1"
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+# Key properties.
+set_keyrole      "KEY1" "ksk"
+set_keylifetime  "KEY1" "0"
+set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning   "KEY1" "yes"
+set_zonesigning  "KEY1" "no"
+
+set_keyrole      "KEY2" "zsk"
+set_keylifetime  "KEY2" "0"
+set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning   "KEY2" "no"
+set_zonesigning  "KEY2" "yes"
+
+set_keystate "KEY1" "GOAL"         "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS"     "hidden"
+set_keystate "KEY2" "GOAL"         "omnipresent"
+set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+
+# Check that the ZSKs from the other provider are published.
+zsks_are_published() {
+	dig_with_opts +short "$ZONE" "@${SERVER}" DNSKEY > "dig.out.$DIR.test$n" || return 1
+	# We should have three ZSKs.
+	lines=$(grep "256 3 13" dig.out.$DIR.test$n | wc -l)
+	test "$lines" -eq 3 || return 1
+	# And one KSK.
+	lines=$(grep "257 3 13" dig.out.$DIR.test$n | wc -l)
+	test "$lines" -eq 1 || return 1
+}
+
+n=$((n+1))
+echo_i "update zone with ZSK from another provider for zone ${ZONE} ($n)"
+ret=0
+(
+echo zone ${ZONE}
+echo server 10.53.0.3 "$PORT"
+echo update add $(cat "${DIR}/${ZONE}.zsk2")
+echo send
+) | $NSUPDATE
+retry_quiet 10 zsks_are_published || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+#
+# Testing manual rollover.
+#
+set_zone "manual-rollover.kasp"
+set_policy "manual-rollover" "2" "3600"
+set_server "ns3" "10.53.0.3"
+key_clear "KEY1"
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+# Key properties.
+set_keyrole      "KEY1" "ksk"
+set_keylifetime  "KEY1" "0"
+set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning   "KEY1" "yes"
+set_zonesigning  "KEY1" "no"
+
+set_keyrole      "KEY2" "zsk"
+set_keylifetime  "KEY2" "0"
+set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning   "KEY2" "no"
+set_zonesigning  "KEY2" "yes"
+# During set up everything was set to OMNIPRESENT.
+set_keystate "KEY1" "GOAL"         "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_DS"     "omnipresent"
+
+set_keystate "KEY2" "GOAL"         "omnipresent"
+set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# The first keys were published and activated a day ago.
+created=$(key_get KEY1 CREATED)
+set_addkeytime "KEY1" "PUBLISHED"   "${created}" -86400
+set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -86400
+set_addkeytime "KEY1" "ACTIVE"      "${created}" -86400
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "PUBLISHED"   "${created}" -86400
+set_addkeytime "KEY2" "ACTIVE"      "${created}" -86400
+# Key lifetimes are unlimited, so not setting RETIRED and REMOVED.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Schedule KSK rollover in six months (15552000 seconds).
+active=$(key_get KEY1 ACTIVE)
+set_addkeytime  "KEY1" "RETIRED" "${active}" 15552000
+retired=$(key_get KEY1 RETIRED)
+rndc_rollover "$SERVER" "$DIR" $(key_get KEY1 ID) "${retired}" "$ZONE"
+# Rollover starts in six months, but lifetime is set to six months plus
+# prepublication duration = 15552000 + 7500 = 15559500 seconds.
+set_keylifetime  "KEY1" "15559500"
+set_addkeytime  "KEY1" "RETIRED" "${active}" 15559500
+retired=$(key_get KEY1 RETIRED)
+# Retire interval of this policy is 26h (93600 seconds).
+set_addkeytime  "KEY1" "REMOVED" "${retired}" 93600
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Schedule KSK rollover now.
+set_policy "manual-rollover" "3" "3600"
+set_keystate "KEY1" "GOAL" "hidden"
+# This key was activated one day ago, so lifetime is set to 1d plus
+# prepublication duration (7500 seconds) = 93900 seconds.
+set_keylifetime  "KEY1" "93900"
+created=$(key_get KEY1 CREATED)
+set_keytime  "KEY1" "RETIRED" "${created}"
+rndc_rollover "$SERVER" "$DIR" $(key_get KEY1 ID) "${created}" "$ZONE"
+# New key is introduced.
+set_keyrole      "KEY3" "ksk"
+set_keylifetime  "KEY3" "0"
+set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
+set_keysigning   "KEY3" "yes"
+set_zonesigning  "KEY3" "no"
+
+set_keystate "KEY3" "GOAL"         "omnipresent"
+set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY3" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY3" "STATE_DS"     "hidden"
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+
+# Schedule ZSK rollover now.
+set_policy "manual-rollover" "4" "3600"
+set_keystate "KEY2" "GOAL" "hidden"
+# This key was activated one day ago, so lifetime is set to 1d plus
+# prepublication duration (7500 seconds) = 93900 seconds.
+set_keylifetime  "KEY2" "93900"
+created=$(key_get KEY2 CREATED)
+set_keytime  "KEY2" "RETIRED" "${created}"
+rndc_rollover "$SERVER" "$DIR" $(key_get KEY2 ID) "${created}" "$ZONE"
+# New key is introduced.
+set_keyrole      "KEY4" "zsk"
+set_keylifetime  "KEY4" "0"
+set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256"
+set_keysigning   "KEY4" "no"
+set_zonesigning  "KEY4" "no" # not yet, first prepublish DNSKEY.
+
+set_keystate "KEY4" "GOAL"         "omnipresent"
+set_keystate "KEY4" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY4" "STATE_ZRRSIG" "hidden"
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+
+# Try to schedule a ZSK rollover for an inactive key (should fail).
+n=$((n+1))
+echo_i "check that rndc dnssec -rollover fails if key is inactive ($n)"
+ret=0
+rndccmd "$SERVER" dnssec -rollover -key $(key_get KEY4 ID) "$ZONE" > rndc.dnssec.rollover.out.$ZONE.$n
+grep "key is not actively signing" rndc.dnssec.rollover.out.$ZONE.$n > /dev/null || log_error "bad error message"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+#
+# Testing DNSSEC introduction.
+#
+
+#
+# Zone: step1.enable-dnssec.autosign.
+#
+set_zone "step1.enable-dnssec.autosign"
+set_policy "enable-dnssec" "1" "300"
+set_server "ns3" "10.53.0.3"
+# Key properties.
+key_clear        "KEY1"
+set_keyrole      "KEY1" "csk"
+set_keylifetime  "KEY1" "0"
+set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning   "KEY1" "yes"
+set_zonesigning  "KEY1" "yes"
+# The DNSKEY and signatures are introduced first, the DS remains hidden.
+set_keystate "KEY1" "GOAL"         "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS"     "hidden"
+# This policy lists only one key (CSK).
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - The first key is immediately published and activated.
+created=$(key_get KEY1 CREATED)
+set_keytime     "KEY1" "PUBLISHED"   "${created}"
+set_keytime     "KEY1" "ACTIVE"      "${created}"
+# - The DS can be published if the DNSKEY and RRSIG records are
+#   OMNIPRESENT.  This happens after max-zone-ttl (12h) plus
+#   publish-safety (5m) plus zone-propagation-delay (5m) =
+#   43200 + 300 + 300 = 43800.
+set_addkeytime  "KEY1" "SYNCPUBLISH" "${created}" 43800
+# - Key lifetime is unlimited, so not setting RETIRED and REMOVED.
+
+# Various signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+_check_next_key_event() {
+	_expect=$1
+
+	grep "zone ${ZONE}.*: next key event in .* seconds" "${DIR}/named.run" > "keyevent.out.$ZONE.test$n" || return 1
+
+	# Get the latest next key event.
+	if [ "${DYNAMIC}" = "yes" ]; then
+		_time=$(awk '{print $9}' < "keyevent.out.$ZONE.test$n" | tail -1)
+	else
+		# inline-signing zone adds "(signed)"
+		_time=$(awk '{print $10}' < "keyevent.out.$ZONE.test$n" | tail -1)
+	fi
+
+	# The next key event time must within threshold of the
+	# expected time.
+	_expectmin=$((_expect-next_key_event_threshold))
+	_expectmax=$((_expect+next_key_event_threshold))
+
+	test $_expectmin -le "$_time" || return 1
+	test $_expectmax -ge "$_time" || return 1
+
+	return 0
+}
+
+check_next_key_event() {
+	n=$((n+1))
+	echo_i "check next key event for zone ${ZONE} ($n)"
+	ret=0
+
+	retry_quiet 3 _check_next_key_event $1 || log_error "bad next key event time for zone ${ZONE} (expect ${_expect})"
+	test "$ret" -eq 0 || echo_i "failed"
+	status=$((status+ret))
+
+}
+
+# Next key event is when the DNSKEY RRset becomes OMNIPRESENT: DNSKEY TTL plus
+# publish safety plus the zone propagation delay: 900 seconds.
+check_next_key_event 900
+
+#
+# Zone: step2.enable-dnssec.autosign.
+#
+set_zone "step2.enable-dnssec.autosign"
+set_policy "enable-dnssec" "1" "300"
+set_server "ns3" "10.53.0.3"
+# The DNSKEY is omnipresent, but the zone signatures not yet.
+# Thus, the DS remains hidden.
+set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - The key was published and activated 900 seconds ago (with settime).
+created=$(key_get KEY1 CREATED)
+set_addkeytime  "KEY1" "PUBLISHED"   "${created}" -900
+set_addkeytime  "KEY1" "ACTIVE"      "${created}" -900
+set_addkeytime  "KEY1" "SYNCPUBLISH" "${created}" 43800
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the zone signatures become OMNIPRESENT: max-zone-ttl
+# plus zone propagation delay plus retire safety minus the already elapsed
+# 900 seconds: 12h + 300s + 20m - 900 = 44700 - 900 = 43800 seconds
+check_next_key_event 43800
+
+#
+# Zone: step3.enable-dnssec.autosign.
+#
+set_zone "step3.enable-dnssec.autosign"
+set_policy "enable-dnssec" "1" "300"
+set_server "ns3" "10.53.0.3"
+# All signatures should be omnipresent, so the DS can be submitted.
+set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_DS"     "rumoured"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - The key was published and activated 44700 seconds ago (with settime).
+created=$(key_get KEY1 CREATED)
+set_addkeytime  "KEY1" "PUBLISHED"   "${created}" -44700
+set_addkeytime  "KEY1" "ACTIVE"      "${created}" -44700
+set_keytime     "KEY1" "SYNCPUBLISH" "${created}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+# Check that CDS publication is logged.
+check_cdslog "$DIR" "$ZONE" KEY1
+
+# The DS can be introduced. We ignore any parent registration delay, so set
+# the DS publish time to now.
+rndc_checkds "$SERVER" "$DIR" KEY1 "now" "published" "$ZONE"
+# Next key event is when the DS can move to the OMNIPRESENT state.  This occurs
+# when the parent propagation delay have passed, plus the DS TTL and retire
+# safety delay:  1h + 2h + 20m = 3h20m = 12000 seconds
+check_next_key_event 12000
+
+#
+# Zone: step4.enable-dnssec.autosign.
+#
+set_zone "step4.enable-dnssec.autosign"
+set_policy "enable-dnssec" "1" "300"
+set_server "ns3" "10.53.0.3"
+# The DS is omnipresent.
+set_keystate "KEY1" "STATE_DS" "omnipresent"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - The key was published and activated 56700 seconds ago (with settime).
+created=$(key_get KEY1 CREATED)
+set_addkeytime  "KEY1" "PUBLISHED"   "${created}" -56700
+set_addkeytime  "KEY1" "ACTIVE"      "${created}" -56700
+set_addkeytime  "KEY1" "SYNCPUBLISH" "${created}" -12000
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is never, the zone dnssec-policy has been established. So we
+# fall back to the default loadkeys interval.
+check_next_key_event 3600
+
+#
+# Testing ZSK Pre-Publication rollover.
+#
+
+# Policy parameters.
+# Lksk:      2 years (63072000 seconds)
+# Lzsk:      30 days (2592000 seconds)
+# Iret(KSK): DS TTL (1d) + DprpP (1h) + retire-safety (2d)
+# Iret(KSK): 3d1h (262800 seconds)
+# Iret(ZSK): RRSIG TTL (1d) + Dprp (1h) + Dsgn (1w) + retire-safety (2d)
+# Iret(ZSK): 10d1h (867600 seconds)
+Lksk=63072000
+Lzsk=2592000
+IretKSK=262800
+IretZSK=867600
+
+#
+# Zone: step1.zsk-prepub.autosign.
+#
+set_zone "step1.zsk-prepub.autosign"
+set_policy "zsk-prepub" "2" "3600"
+set_server "ns3" "10.53.0.3"
+
+set_retired_removed() {
+	_Lkey=$2
+	_Iret=$3
+
+	_active=$(key_get $1 ACTIVE)
+	set_addkeytime "${1}" "RETIRED" "${_active}"  "${_Lkey}"
+	_retired=$(key_get $1 RETIRED)
+	set_addkeytime "${1}" "REMOVED" "${_retired}" "${_Iret}"
+}
+
+rollover_predecessor_keytimes() {
+	_addtime=$1
+
+	_created=$(key_get KEY1 CREATED)
+	set_addkeytime  "KEY1" "PUBLISHED"   "${_created}" "${_addtime}"
+	set_addkeytime  "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}"
+	set_addkeytime  "KEY1" "ACTIVE"      "${_created}" "${_addtime}"
+	[ "$Lksk" = 0 ] || set_retired_removed "KEY1" "${Lksk}" "${IretKSK}"
+
+	_created=$(key_get KEY2 CREATED)
+	set_addkeytime  "KEY2" "PUBLISHED"   "${_created}" "${_addtime}"
+	set_addkeytime  "KEY2" "ACTIVE"      "${_created}" "${_addtime}"
+	[ "$Lzsk" = 0 ] || set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}"
+}
+
+# Key properties.
+key_clear        "KEY1"
+set_keyrole      "KEY1" "ksk"
+set_keylifetime  "KEY1" "${Lksk}"
+set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning   "KEY1" "yes"
+set_zonesigning  "KEY1" "no"
+
+key_clear        "KEY2"
+set_keyrole      "KEY2" "zsk"
+set_keylifetime  "KEY2" "${Lzsk}"
+set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning   "KEY2" "no"
+set_zonesigning  "KEY2" "yes"
+# Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT.
+set_keystate "KEY1" "GOAL"         "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_DS"     "omnipresent"
+
+set_keystate "KEY2" "GOAL"         "omnipresent"
+set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
+# Initially only two keys.
+key_clear "KEY3"
+key_clear "KEY4"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+# These keys are immediately published and activated.
+rollover_predecessor_keytimes 0
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the successor ZSK needs to be published.  That is
+# the ZSK lifetime - prepublication time.  The prepublication time is DNSKEY
+# TTL plus publish safety plus the zone propagation delay.  For the
+# zsk-prepub policy that means: 30d - 3600s + 1d + 1h = 2498400 seconds.
+check_next_key_event 2498400
+
+#
+# Zone: step2.zsk-prepub.autosign.
+#
+set_zone "step2.zsk-prepub.autosign"
+set_policy "zsk-prepub" "3" "3600"
+set_server "ns3" "10.53.0.3"
+# New ZSK (KEY3) is prepublished, but not yet signing.
+key_clear        "KEY3"
+set_keyrole      "KEY3" "zsk"
+set_keylifetime  "KEY3" "${Lzsk}"
+set_keyalgorithm "KEY3" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning   "KEY3" "no"
+set_zonesigning  "KEY3" "no"
+# Key states.
+set_keystate "KEY2" "GOAL"         "hidden"
+set_keystate "KEY3" "GOAL"         "omnipresent"
+set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY3" "STATE_ZRRSIG" "hidden"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - The old keys were activated 694 hours ago (2498400 seconds).
+rollover_predecessor_keytimes -2498400
+# - The new ZSK is published now.
+created=$(key_get KEY3 CREATED)
+set_keytime "KEY3" "PUBLISHED" "${created}"
+# - The new ZSK becomes active when the DNSKEY is OMNIPRESENT.
+#   Ipub: TTLkey (1h) + Dprp (1h) + publish-safety (1d)
+#   Ipub: 26 hour (93600 seconds).
+IpubZSK=93600
+set_addkeytime "KEY3" "ACTIVE" "${created}" "${IpubZSK}"
+set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the successor ZSK becomes OMNIPRESENT.  That is the
+# DNSKEY TTL plus the zone propagation delay, plus the publish-safety. For
+# the zsk-prepub policy, this means: 3600s + 1h + 1d = 93600 seconds.
+check_next_key_event 93600
+
+#
+# Zone: step3.zsk-prepub.autosign.
+#
+set_zone "step3.zsk-prepub.autosign"
+set_policy "zsk-prepub" "3" "3600"
+set_server "ns3" "10.53.0.3"
+# ZSK (KEY2) no longer is actively signing, RRSIG state in UNRETENTIVE.
+# New ZSK (KEY3) is now actively signing, RRSIG state in RUMOURED.
+set_zonesigning  "KEY2" "no"
+set_keystate     "KEY2" "STATE_ZRRSIG" "unretentive"
+set_zonesigning  "KEY3" "yes"
+set_keystate     "KEY3" "STATE_DNSKEY" "omnipresent"
+set_keystate     "KEY3" "STATE_ZRRSIG" "rumoured"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - The old keys are activated 30 days ago (2592000 seconds).
+rollover_predecessor_keytimes -2592000
+# - The new ZSK is published 26 hours ago (93600 seconds).
+created=$(key_get KEY3 CREATED)
+set_addkeytime "KEY3" "PUBLISHED"   "${created}" -93600
+set_keytime    "KEY3" "ACTIVE"      "${created}"
+set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+# Subdomain still has good signatures of ZSK (KEY2).
+# Set expected zone signing on for KEY2 and off for KEY3,
+# testing whether signatures which are still valid are being reused.
+set_zonesigning  "KEY2" "yes"
+set_zonesigning  "KEY3" "no"
+check_subdomain
+# Restore the expected zone signing properties.
+set_zonesigning  "KEY2" "no"
+set_zonesigning  "KEY3" "yes"
+dnssec_verify
+
+# Next key event is when all the RRSIG records have been replaced with
+# signatures of the new ZSK, in other words when ZRRSIG becomes OMNIPRESENT.
+# That is Dsgn plus the maximum zone TTL plus the zone propagation delay plus
+# retire-safety. For the zsk-prepub policy that means: 1w (because 2w validity
+# and refresh within a week) + 1d + 1h + 2d = 10d1h = 867600 seconds.
+check_next_key_event 867600
+
+#
+# Zone: step4.zsk-prepub.autosign.
+#
+set_zone "step4.zsk-prepub.autosign"
+set_policy "zsk-prepub" "3" "3600"
+set_server "ns3" "10.53.0.3"
+# ZSK (KEY2) DNSKEY is no longer needed.
+# ZSK (KEY3) is now actively signing, RRSIG state in RUMOURED.
+set_keystate "KEY2" "STATE_DNSKEY" "unretentive"
+set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
+set_keystate "KEY3" "STATE_ZRRSIG" "omnipresent"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - The old keys are activated 961 hours ago (3459600 seconds).
+rollover_predecessor_keytimes -3459600
+# - The new ZSK is published 267 hours ago (961200 seconds).
+created=$(key_get KEY3 CREATED)
+set_addkeytime "KEY3" "PUBLISHED"   "${created}"   -961200
+published=$(key_get KEY3 PUBLISHED)
+set_addkeytime "KEY3" "ACTIVE"      "${published}" "${IpubZSK}"
+set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the DNSKEY enters the HIDDEN state.  This is the
+# DNSKEY TTL plus zone propagation delay. For the zsk-prepub policy this is:
+# 3600s + 1h = 7200s
+check_next_key_event 7200
+
+#
+# Zone: step5.zsk-prepub.autosign.
+#
+set_zone "step5.zsk-prepub.autosign"
+set_policy "zsk-prepub" "3" "3600"
+set_server "ns3" "10.53.0.3"
+# ZSK (KEY2) DNSKEY is now completely HIDDEN and removed.
+set_keystate "KEY2" "STATE_DNSKEY" "hidden"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - The old keys are activated 962 hours ago (3463200 seconds).
+rollover_predecessor_keytimes -3463200
+# - The new ZSK is published 268 hours ago (964800 seconds).
+created=$(key_get KEY3 CREATED)
+set_addkeytime "KEY3" "PUBLISHED"   "${created}"   -964800
+published=$(key_get KEY3 PUBLISHED)
+set_addkeytime "KEY3" "ACTIVE"      "${published}" "${IpubZSK}"
+set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the new successor needs to be published.  This is the
+# ZSK lifetime minus Iret minus Ipub minus DNSKEY TTL.  For the zsk-prepub
+# policy this is: 30d - 867600s - 93600s - 3600s = 1627200 seconds.
+check_next_key_event 1627200
+
+#
+# Zone: step6.zsk-prepub.autosign.
+#
+set_zone "step6.zsk-prepub.autosign"
+set_policy "zsk-prepub" "2" "3600"
+set_server "ns3" "10.53.0.3"
+# ZSK (KEY2) DNSKEY is purged.
+key_clear "KEY2"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+
+#
+# Testing KSK Double-KSK rollover.
+#
+
+# Policy parameters.
+# Lksk:      60 days (16070400 seconds)
+# Lzsk:      1 year (31536000 seconds)
+# Iret(KSK): DS TTL (1h) + DprpP (1h) + retire-safety (2d)
+# Iret(KSK): 50h (180000 seconds)
+# Iret(ZSK): RRSIG TTL (1d) + Dprp (1h) + Dsgn (1w) + retire-safety (2d)
+# Iret(ZSK): 10d1h (867600 seconds)
+Lksk=5184000
+Lzsk=31536000
+IretKSK=180000
+IretZSK=867600
+
+#
+# Zone: step1.ksk-doubleksk.autosign.
+#
+set_zone "step1.ksk-doubleksk.autosign"
+set_policy "ksk-doubleksk" "2" "7200"
+set_server "ns3" "10.53.0.3"
+# Key properties.
+key_clear        "KEY1"
+set_keyrole      "KEY1" "ksk"
+set_keylifetime  "KEY1" "${Lksk}"
+set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning   "KEY1" "yes"
+set_zonesigning  "KEY1" "no"
+
+key_clear        "KEY2"
+set_keyrole      "KEY2" "zsk"
+set_keylifetime  "KEY2" "${Lzsk}"
+set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning   "KEY2" "no"
+set_zonesigning  "KEY2" "yes"
+# Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT.
+set_keystate "KEY1" "GOAL"         "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_DS"     "omnipresent"
+
+set_keystate "KEY2" "GOAL"         "omnipresent"
+set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
+# Initially only two keys.
+key_clear "KEY3"
+key_clear "KEY4"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+# These keys are immediately published and activated.
+rollover_predecessor_keytimes 0
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the successor KSK needs to be published.  That is
+# the KSK lifetime - prepublication time.  The prepublication time is
+# DNSKEY TTL plus publish safety plus the zone propagation delay.
+# For the ksk-doubleksk policy that means: 60d - (1d3h) = 5086800 seconds.
+check_next_key_event 5086800
+
+#
+# Zone: step2.ksk-doubleksk.autosign.
+#
+set_zone "step2.ksk-doubleksk.autosign"
+set_policy "ksk-doubleksk" "3" "7200"
+set_server "ns3" "10.53.0.3"
+# New KSK (KEY3) is prepublished (and signs DNSKEY RRset).
+key_clear        "KEY3"
+set_keyrole      "KEY3" "ksk"
+set_keylifetime  "KEY3" "${Lksk}"
+set_keyalgorithm "KEY3" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning   "KEY3" "yes"
+set_zonesigning  "KEY3" "no"
+# Key states.
+set_keystate "KEY1" "GOAL"         "hidden"
+set_keystate "KEY3" "GOAL"         "omnipresent"
+set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY3" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY3" "STATE_DS"     "hidden"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - The old keys were activated 1413 hours ago (5086800 seconds).
+rollover_predecessor_keytimes -5086800
+# - The new KSK is published now.
+created=$(key_get KEY3 CREATED)
+set_keytime    "KEY3" "PUBLISHED"   "${created}"
+# The new KSK should publish the CDS after the prepublication time.
+# TTLkey:         2h
+# DprpC:          1h
+# publish-safety: 1d
+# IpubC:          27h (97200 seconds)
+IpubC=97200
+set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${IpubC}"
+set_addkeytime "KEY3" "ACTIVE"      "${created}" "${IpubC}"
+set_retired_removed "KEY3" "${Lksk}" "${IretKSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the successor KSK becomes OMNIPRESENT.  That is the
+# DNSKEY TTL plus the zone propagation delay, plus the publish-safety.  For
+# the ksk-doubleksk policy, this means: 7200s + 1h + 1d = 97200 seconds.
+check_next_key_event 97200
+
+#
+# Zone: step3.ksk-doubleksk.autosign.
+#
+set_zone "step3.ksk-doubleksk.autosign"
+set_policy "ksk-doubleksk" "3" "7200"
+set_server "ns3" "10.53.0.3"
+
+# The DNSKEY RRset has become omnipresent.
+# Check keys before we tell named that we saw the DS has been replaced.
+set_keystate "KEY3" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY3" "STATE_KRRSIG" "omnipresent"
+# The old DS (KEY1) can be withdrawn and the new DS (KEY3) can be introduced.
+set_keystate "KEY1" "STATE_DS"     "unretentive"
+set_keystate "KEY3" "STATE_DS"     "rumoured"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+# Check that CDS publication is logged.
+check_cdslog "$DIR" "$ZONE" KEY3
+
+# Set expected key times:
+# - The old keys were activated 60 days ago (5184000 seconds).
+rollover_predecessor_keytimes -5184000
+# - The new KSK is published 27 hours ago (97200 seconds).
+created=$(key_get KEY3 CREATED)
+set_addkeytime "KEY3" "PUBLISHED"   "${created}" -97200
+# - The new KSK CDS is published now.
+set_keytime    "KEY3" "SYNCPUBLISH" "${created}"
+syncpub=$(key_get KEY3 SYNCPUBLISH)
+set_keytime "KEY3" "ACTIVE" "${syncpub}"
+set_retired_removed "KEY3" "${Lksk}" "${IretKSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# We ignore any parent registration delay, so set the DS publish time to now.
+rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE"
+rndc_checkds "$SERVER" "$DIR" KEY3 "now" "published"  "$ZONE"
+# Next key event is when the predecessor DS has been replaced with the
+# successor DS and enough time has passed such that the all validators that
+# have this DS RRset cached only know about the successor DS.  This is the
+# the retire interval, which is the parent propagation delay plus the DS TTL
+# plus the retire-safety.  For the ksk-double-ksk policy this means:
+# 1h + 3600s + 2d = 2d2h = 180000 seconds.
+check_next_key_event 180000
+
+#
+# Zone: step4.ksk-doubleksk.autosign.
+#
+set_zone "step4.ksk-doubleksk.autosign"
+set_policy "ksk-doubleksk" "3" "7200"
+set_server "ns3" "10.53.0.3"
+# KSK (KEY1) DNSKEY can be removed.
+set_keysigning "KEY1" "no"
+set_keystate   "KEY1" "STATE_DNSKEY" "unretentive"
+set_keystate   "KEY1" "STATE_KRRSIG" "unretentive"
+set_keystate   "KEY1" "STATE_DS"     "hidden"
+# New KSK (KEY3) DS is now OMNIPRESENT.
+set_keystate   "KEY3" "STATE_DS"     "omnipresent"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - The old keys were activated 1490 hours ago (5364000 seconds).
+rollover_predecessor_keytimes -5364000
+# - The new KSK is published 77 hours ago (277200 seconds).
+created=$(key_get KEY3 CREATED)
+set_addkeytime "KEY3" "PUBLISHED"   "${created}"   -277200
+published=$(key_get KEY3 PUBLISHED)
+set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" "${IpubC}"
+syncpub=$(key_get KEY3 SYNCPUBLISH)
+set_keytime "KEY3" "ACTIVE" "${syncpub}"
+set_retired_removed "KEY3" "${Lksk}" "${IretKSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the DNSKEY enters the HIDDEN state.  This is the
+# DNSKEY TTL plus zone propagation delay. For the ksk-doubleksk policy this is:
+# 7200s + 1h = 10800s
+check_next_key_event 10800
+
+#
+# Zone: step5.ksk-doubleksk.autosign.
+#
+set_zone "step5.ksk-doubleksk.autosign"
+set_policy "ksk-doubleksk" "3" "7200"
+set_server "ns3" "10.53.0.3"
+# KSK (KEY1) DNSKEY is now HIDDEN.
+set_keystate "KEY1" "STATE_DNSKEY" "hidden"
+set_keystate "KEY1" "STATE_KRRSIG" "hidden"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - The old KSK is activated 1492 hours ago (5371200 seconds).
+rollover_predecessor_keytimes -5371200
+# - The new KSK is published 79 hours ago (284400 seconds).
+created=$(key_get KEY3 CREATED)
+set_addkeytime "KEY3" "PUBLISHED"   "${created}"   -284400
+published=$(key_get KEY3 PUBLISHED)
+set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" "${IpubC}"
+syncpub=$(key_get KEY3 SYNCPUBLISH)
+set_keytime "KEY3" "ACTIVE" "${syncpub}"
+set_retired_removed "KEY3" "${Lksk}" "${IretKSK}"
+
+# Various signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the new successor needs to be published.  This is the
+# KSK lifetime minus Ipub minus Iret minus DNSKEY TTL.  For the
+# ksk-doubleksk this is: 60d - 1d3h - 1d - 2d2h - 2h =
+# 5184000 - 97200 - 180000 - 7200 = 4813200 seconds.
+check_next_key_event 4899600
+
+#
+# Zone: step6.ksk-doubleksk.autosign.
+#
+set_zone "step6.ksk-doubleksk.autosign"
+set_policy "ksk-doubleksk" "2" "7200"
+set_server "ns3" "10.53.0.3"
+# KSK (KEY1) DNSKEY is purged.
+key_clear "KEY1"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+
+#
+# Testing CSK key rollover (1).
+#
+
+# Policy parameters.
+# Lcsk:      186 days (5184000 seconds)
+# Iret(KSK): DS TTL (1h) + DprpP (1h) + retire-safety (2h)
+# Iret(KSK): 4h (14400 seconds)
+# Iret(ZSK): RRSIG TTL (1d) + Dprp (1h) + Dsgn (25d) + retire-safety (2h)
+# Iret(ZSK): 26d3h (2257200 seconds)
+Lcsk=16070400
+IretKSK=14400
+IretZSK=2257200
+IretCSK=$IretZSK
+
+csk_rollover_predecessor_keytimes() {
+	_addtime=$1
+
+	_created=$(key_get KEY1 CREATED)
+	set_addkeytime      "KEY1" "PUBLISHED"   "${_created}" "${_addtime}"
+	set_addkeytime      "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}"
+	set_addkeytime      "KEY1" "ACTIVE"      "${_created}" "${_addtime}"
+	[ "$Lcsk" = 0 ] || set_retired_removed "KEY1" "${Lcsk}" "${IretCSK}"
+}
+
+#
+# Zone: step1.csk-roll.autosign.
+#
+set_zone "step1.csk-roll.autosign"
+set_policy "csk-roll" "1" "3600"
+set_server "ns3" "10.53.0.3"
+# Key properties.
+key_clear        "KEY1"
+set_keyrole      "KEY1" "csk"
+set_keylifetime  "KEY1" "${Lcsk}"
+set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning   "KEY1" "yes"
+set_zonesigning  "KEY1" "yes"
+# The CSK (KEY1) starts in OMNIPRESENT.
+set_keystate "KEY1" "GOAL"         "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_DS"     "omnipresent"
+# Initially only one key.
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+# This key is immediately published and activated.
+csk_rollover_predecessor_keytimes 0
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the successor CSK needs to be published.
+# This is Lcsk - Ipub - Dreg.
+# Lcsk: 186d (16070400 seconds)
+# Ipub: 3h   (10800 seconds)
+check_next_key_event 16059600
+
+#
+# Zone: step2.csk-roll.autosign.
+#
+set_zone "step2.csk-roll.autosign"
+set_policy "csk-roll" "2" "3600"
+set_server "ns3" "10.53.0.3"
+# New CSK (KEY2) is prepublished (signs DNSKEY RRset, but not yet other RRsets).
+key_clear        "KEY2"
+set_keyrole      "KEY2" "csk"
+set_keylifetime  "KEY2" "16070400"
+set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning   "KEY2" "yes"
+set_zonesigning  "KEY2" "no"
+# Key states.
+set_keystate "KEY1" "GOAL"         "hidden"
+set_keystate "KEY2" "GOAL"         "omnipresent"
+set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY2" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
+set_keystate "KEY2" "STATE_DS"     "hidden"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - This key was activated 4461 hours ago (16059600 seconds).
+csk_rollover_predecessor_keytimes -16059600
+# - The new CSK is published now.
+created=$(key_get KEY2 CREATED)
+set_keytime    "KEY2" "PUBLISHED"   "${created}"
+# - The new CSK should publish the CDS after the prepublication time.
+#   Ipub: 3 hour (10800 seconds)
+Ipub="10800"
+set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}"
+set_addkeytime "KEY2" "ACTIVE"      "${created}" "${Ipub}"
+set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the successor CSK becomes OMNIPRESENT.  That is the
+# DNSKEY TTL plus the zone propagation delay, plus the publish-safety. For
+# the csk-roll policy, this means 3 hours = 10800 seconds.
+check_next_key_event 10800
+
+#
+# Zone: step3.csk-roll.autosign.
+#
+set_zone "step3.csk-roll.autosign"
+set_policy "csk-roll" "2" "3600"
+set_server "ns3" "10.53.0.3"
+# Swap zone signing role.
+set_zonesigning  "KEY1" "no"
+set_zonesigning  "KEY2" "yes"
+# CSK (KEY1) will be removed, so moving to UNRETENTIVE.
+set_keystate "KEY1" "STATE_ZRRSIG" "unretentive"
+# New CSK (KEY2) DNSKEY is OMNIPRESENT, so moving ZRRSIG to RUMOURED.
+set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY2" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
+# The old DS (KEY1) can be withdrawn and the new DS (KEY2) can be introduced.
+set_keystate "KEY1" "STATE_DS"     "unretentive"
+set_keystate "KEY2" "STATE_DS"     "rumoured"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+# Check that CDS publication is logged.
+check_cdslog "$DIR" "$ZONE" KEY2
+
+# Set expected key times:
+# - This key was activated 186 days ago (16070400 seconds).
+csk_rollover_predecessor_keytimes -16070400
+# - The new CSK is published three hours ago, CDS must be published now.
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "PUBLISHED"   "${created}" "-${Ipub}"
+set_keytime    "KEY2" "SYNCPUBLISH" "${created}"
+# - Also signatures are being introduced now.
+set_keytime    "KEY2" "ACTIVE"      "${created}"
+set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+# Subdomain still has good signatures of old CSK (KEY1).
+# Set expected zone signing on for KEY1 and off for KEY2,
+# testing whether signatures which are still valid are being reused.
+set_zonesigning  "KEY1" "yes"
+set_zonesigning  "KEY2" "no"
+check_subdomain
+# Restore the expected zone signing properties.
+set_zonesigning  "KEY1" "no"
+set_zonesigning  "KEY2" "yes"
+dnssec_verify
+
+# We ignore any parent registration delay, so set the DS publish time to now.
+rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE"
+rndc_checkds "$SERVER" "$DIR" KEY2 "now" "published"  "$ZONE"
+# Next key event is when the predecessor DS has been replaced with the
+# successor DS and enough time has passed such that the all validators that
+# have this DS RRset cached only know about the successor DS.  This is the
+# the retire interval, which is the parent propagation delay plus the DS TTL
+# plus the retire-safety.  For the csk-roll policy this means:
+# 1h + 1h + 2h = 4h = 14400 seconds.
+check_next_key_event 14400
+
+#
+# Zone: step4.csk-roll.autosign.
+#
+set_zone "step4.csk-roll.autosign"
+set_policy "csk-roll" "2" "3600"
+set_server "ns3" "10.53.0.3"
+# The old CSK (KEY1) is no longer signing the DNSKEY RRset.
+set_keysigning "KEY1" "no"
+# The old CSK (KEY1) DS is hidden.  We still need to keep the DNSKEY public
+# but can remove the KRRSIG records.
+set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
+set_keystate "KEY1" "STATE_DS"     "hidden"
+# The new CSK (KEY2) DS is now OMNIPRESENT.
+set_keystate "KEY2" "STATE_DS"     "omnipresent"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - This key was activated 4468 hours ago (16084800 seconds).
+csk_rollover_predecessor_keytimes -16084800
+# - The new CSK started signing 4h ago (14400 seconds).
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "ACTIVE"      "${created}" -14400
+set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -14400
+syncpub=$(key_get KEY2 SYNCPUBLISH)
+set_addkeytime "KEY2" "PUBLISHED"   "${syncpub}" "-${Ipub}"
+set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the KRRSIG enters the HIDDEN state.  This is the
+# DNSKEY TTL plus zone propagation delay. For the csk-roll policy this is:
+# 1h + 1h = 7200 seconds.
+check_next_key_event 7200
+
+#
+# Zone: step5.csk-roll.autosign.
+#
+set_zone "step5.csk-roll.autosign"
+set_policy "csk-roll" "2" "3600"
+set_server "ns3" "10.53.0.3"
+# The old CSK (KEY1) KRRSIG records are now all hidden.
+set_keystate "KEY1" "STATE_KRRSIG" "hidden"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - This key was activated 4470 hours ago (16092000 seconds).
+csk_rollover_predecessor_keytimes -16092000
+# - The new CSK started signing 6h ago (21600 seconds).
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "ACTIVE"      "${created}" -21600
+set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -21600
+syncpub=$(key_get KEY2 SYNCPUBLISH)
+set_addkeytime "KEY2" "PUBLISHED"   "${syncpub}" "-${Ipub}"
+set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the DNSKEY can be removed.  This is when all ZRRSIG
+# records have been replaced with signatures of the new CSK.  We have
+# calculated the interval to be 26d3h of which 4h (Iret(KSK)) plus
+# 2h (DNSKEY TTL + Dprp) have already passed.  So next key event is in
+# 26d3h - 4h - 2h = 621h = 2235600 seconds.
+check_next_key_event 2235600
+
+#
+# Zone: step6.csk-roll.autosign.
+#
+set_zone "step6.csk-roll.autosign"
+set_policy "csk-roll" "2" "3600"
+set_server "ns3" "10.53.0.3"
+# The old CSK (KEY1) ZRRSIG records are now all hidden (so the DNSKEY can
+# be removed).
+set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
+set_keystate "KEY1" "STATE_ZRRSIG" "hidden"
+# The new CSK (KEY2) is now fully OMNIPRESENT.
+set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times
+# - This key was activated 5091 hours ago (18327600 seconds).
+csk_rollover_predecessor_keytimes -18327600
+# - The new CSK is activated 627 hours ago (2257200 seconds).
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "ACTIVE"      "${created}" -2257200
+set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -2257200
+syncpub=$(key_get KEY2 SYNCPUBLISH)
+set_addkeytime "KEY2" "PUBLISHED"   "${syncpub}" "-${Ipub}"
+set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the DNSKEY enters the HIDDEN state.  This is the
+# DNSKEY TTL plus zone propagation delay. For the csk-roll policy this is:
+# 1h + 1h = 7200 seconds.
+check_next_key_event 7200
+
+#
+# Zone: step7.csk-roll.autosign.
+#
+set_zone "step7.csk-roll.autosign"
+set_policy "csk-roll" "2" "3600"
+set_server "ns3" "10.53.0.3"
+# The old CSK (KEY1) is now completely HIDDEN.
+set_keystate "KEY1" "STATE_DNSKEY" "hidden"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - This key was activated 5093 hours ago (18334800 seconds).
+csk_rollover_predecessor_keytimes -18334800
+# - The new CSK is activated 629 hours ago (2264400 seconds).
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "ACTIVE"      "${created}" -2264400
+set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -2264400
+syncpub=$(key_get KEY2 SYNCPUBLISH)
+set_addkeytime "KEY2" "PUBLISHED"   "${syncpub}" "-${Ipub}"
+set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the new successor needs to be published.
+# This is the Lcsk, minus time passed since the key started signing,
+# minus the prepublication time.
+# Lcsk:        186d (16070400 seconds)
+# Time passed: 629h (2264400 seconds)
+# Ipub:        3h   (10800 seconds)
+check_next_key_event 13795200
+
+#
+# Zone: step8.csk-roll.autosign.
+#
+set_zone "step8.csk-roll.autosign"
+set_policy "csk-roll" "1" "3600"
+set_server "ns3" "10.53.0.3"
+# The old CSK (KEY1) is purged.
+key_clear "KEY1"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+
+#
+# Testing CSK key rollover (2).
+#
+
+# Policy parameters.
+# Lcsk:      186 days (16070400 seconds)
+# Dreg:      N/A
+# Iret(KSK): DS TTL (1h) + DprpP (1w) + retire-safety (1h)
+# Iret(KSK): 170h (61200 seconds)
+# Iret(ZSK): RRSIG TTL (1d) + Dprp (1h) + Dsgn (12h) + retire-safety (1h)
+# Iret(ZSK): 38h (136800 seconds)
+Lcsk=16070400
+IretKSK=612000
+IretZSK=136800
+IretCSK=$IretKSK
+
+#
+# Zone: step1.csk-roll2.autosign.
+#
+set_zone "step1.csk-roll2.autosign"
+set_policy "csk-roll2" "1" "3600"
+set_server "ns3" "10.53.0.3"
+# Key properties.
+key_clear        "KEY1"
+set_keyrole      "KEY1" "csk"
+set_keylifetime  "KEY1" "16070400"
+set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning   "KEY1" "yes"
+set_zonesigning  "KEY1" "yes"
+# The CSK (KEY1) starts in OMNIPRESENT.
+set_keystate "KEY1" "GOAL"         "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_DS"     "omnipresent"
+# Initially only one key.
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+# This key is immediately published and activated.
+csk_rollover_predecessor_keytimes 0
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the successor CSK needs to be published.
+# This is Lcsk - Ipub.
+# Lcsk:  186d   (16070400 seconds)
+# Ipub:  3h     (10800 seconds)
+# Total: 186d3h (16059600 seconds)
+check_next_key_event 16059600
+
+#
+# Zone: step2.csk-roll2.autosign.
+#
+set_zone "step2.csk-roll2.autosign"
+set_policy "csk-roll2" "2" "3600"
+set_server "ns3" "10.53.0.3"
+# New CSK (KEY2) is prepublished (signs DNSKEY RRset, but not yet other RRsets).
+key_clear        "KEY2"
+set_keyrole      "KEY2" "csk"
+set_keylifetime  "KEY2" "16070400"
+set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning   "KEY2" "yes"
+set_zonesigning  "KEY2" "no"
+# Key states.
+set_keystate "KEY1" "GOAL"         "hidden"
+set_keystate "KEY2" "GOAL"         "omnipresent"
+set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY2" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
+set_keystate "KEY2" "STATE_DS"     "hidden"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - This key was activated 4461 hours ago (16059600 seconds).
+csk_rollover_predecessor_keytimes -16059600
+# - The new CSK is published now.
+created=$(key_get KEY2 CREATED)
+set_keytime    "KEY2" "PUBLISHED"   "${created}"
+# - The new CSK should publish the CDS after the prepublication time.
+# - Ipub: 3 hour (10800 seconds)
+Ipub="10800"
+set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}"
+set_addkeytime "KEY2" "ACTIVE"      "${created}" "${Ipub}"
+set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
+
+# Continue signing policy checks.
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the successor CSK becomes OMNIPRESENT.  That is the
+# DNSKEY TTL plus the zone propagation delay, plus the publish-safety. For
+# the csk-roll2 policy, this means 3h hours = 10800 seconds.
+check_next_key_event 10800
+
+#
+# Zone: step3.csk-roll2.autosign.
+#
+set_zone "step3.csk-roll2.autosign"
+set_policy "csk-roll2" "2" "3600"
+set_server "ns3" "10.53.0.3"
+# CSK (KEY1) can be removed, so move to UNRETENTIVE.
+set_zonesigning  "KEY1" "no"
+set_keystate     "KEY1" "STATE_ZRRSIG" "unretentive"
+# New CSK (KEY2) DNSKEY is OMNIPRESENT, so move ZRRSIG to RUMOURED state.
+set_zonesigning  "KEY2" "yes"
+set_keystate     "KEY2" "STATE_DNSKEY" "omnipresent"
+set_keystate     "KEY2" "STATE_KRRSIG" "omnipresent"
+set_keystate     "KEY2" "STATE_ZRRSIG" "rumoured"
+# The old DS (KEY1) can be withdrawn and the new DS (KEY2) can be introduced.
+set_keystate     "KEY1" "STATE_DS" "unretentive"
+set_keystate     "KEY2" "STATE_DS" "rumoured"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+# Check that CDS publication is logged.
+check_cdslog "$DIR" "$ZONE" KEY2
+
+# Set expected key times:
+# - This key was activated 186 days ago (16070400 seconds).
+csk_rollover_predecessor_keytimes -16070400
+# - The new CSK is published three hours ago, CDS must be published now.
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "PUBLISHED"   "${created}" "-${Ipub}"
+set_keytime    "KEY2" "SYNCPUBLISH" "${created}"
+# - Also signatures are being introduced now.
+set_keytime    "KEY2" "ACTIVE"      "${created}"
+set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+# Subdomain still has good signatures of old CSK (KEY1).
+# Set expected zone signing on for KEY1 and off for KEY2,
+# testing whether signatures which are still valid are being reused.
+set_zonesigning  "KEY1" "yes"
+set_zonesigning  "KEY2" "no"
+check_subdomain
+# Restore the expected zone signing properties.
+set_zonesigning  "KEY1" "no"
+set_zonesigning  "KEY2" "yes"
+dnssec_verify
+
+# We ignore any parent registration delay, so set the DS publish time to now.
+rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE"
+rndc_checkds "$SERVER" "$DIR" KEY2 "now" "published" "$ZONE"
+# Next key event is when the predecessor ZRRSIG records have been replaced
+# with that of the successor and enough time has passed such that the all
+# validators that have such signed RRsets in cache only know about the
+# successor signatures.  This is the retire interval: Dsgn plus the
+# maximum zone TTL plus the zone propagation delay plus retire-safety. For the
+# csk-roll2 policy that means: 12h (because 1d validity and refresh within
+# 12 hours) + 1d + 1h + 1h = 38h = 136800 seconds.  Prevent intermittent false
+# positives on slow platforms by subtracting the number of seconds which
+# passed between key creation and invoking 'rndc dnssec -checkds'.
+now="$(TZ=UTC date +%s)"
+time_passed=$((now-start_time))
+next_time=$((136800-time_passed))
+check_next_key_event $next_time
+
+#
+# Zone: step4.csk-roll2.autosign.
+#
+set_zone "step4.csk-roll2.autosign"
+set_policy "csk-roll2" "2" "3600"
+set_server "ns3" "10.53.0.3"
+# The old CSK (KEY1) ZRRSIG is now HIDDEN.
+set_keystate "KEY1" "STATE_ZRRSIG" "hidden"
+# The new CSK (KEY2) ZRRSIG is now OMNIPRESENT.
+set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - This key was activated 4502 hours ago (16207200 seconds).
+csk_rollover_predecessor_keytimes -16207200
+# - The new CSK was published 41 hours (147600 seconds) ago.
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "PUBLISHED"   "${created}"   -147600
+published=$(key_get KEY2 PUBLISHED)
+set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
+set_addkeytime "KEY2" "ACTIVE"      "${published}" "${Ipub}"
+set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the predecessor DS has been replaced with the
+# successor DS and enough time has passed such that the all validators that
+# have this DS RRset cached only know about the successor DS.  This is the
+# registration delay plus the retire interval, which is the parent
+# propagation delay plus the DS TTL plus the retire-safety.  For the
+# csk-roll2 policy this means: 1w + 1h + 1h = 170h = 612000 seconds.
+# However, 136800 seconds have passed already, so 478800 seconds left.
+check_next_key_event 475200
+
+#
+# Zone: step5.csk-roll2.autosign.
+#
+set_zone "step5.csk-roll2.autosign"
+set_policy "csk-roll2" "2" "3600"
+set_server "ns3" "10.53.0.3"
+# The old CSK (KEY1) DNSKEY can be removed.
+set_keysigning   "KEY1" "no"
+set_keystate     "KEY1" "STATE_DNSKEY" "unretentive"
+set_keystate     "KEY1" "STATE_KRRSIG" "unretentive"
+set_keystate     "KEY1" "STATE_DS"     "hidden"
+# The new CSK (KEY2) is now fully OMNIPRESENT.
+set_keystate     "KEY2" "STATE_DS"     "omnipresent"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - This key was activated 4634 hours ago (16682400 seconds).
+csk_rollover_predecessor_keytimes -16682400
+# - The new CSK was published 173 hours (622800 seconds) ago.
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "PUBLISHED"   "${created}"   -622800
+published=$(key_get KEY2 PUBLISHED)
+set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
+set_addkeytime "KEY2" "ACTIVE"      "${published}" "${Ipub}"
+set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the DNSKEY enters the HIDDEN state.  This is the
+# DNSKEY TTL plus zone propagation delay. For the csk-roll policy this is:
+# 1h + 1h = 7200 seconds.
+check_next_key_event 7200
+
+#
+# Zone: step6.csk-roll2.autosign.
+#
+set_zone "step6.csk-roll2.autosign"
+set_policy "csk-roll2" "2" "3600"
+set_server "ns3" "10.53.0.3"
+# The old CSK (KEY1) is now completely HIDDEN.
+set_keystate "KEY1" "STATE_DNSKEY" "hidden"
+set_keystate "KEY1" "STATE_KRRSIG" "hidden"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - This key was activated 4636 hours ago (16689600 seconds).
+csk_rollover_predecessor_keytimes -16689600
+# - The new CSK was published 175 hours (630000 seconds) ago.
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "PUBLISHED"   "${created}"   -630000
+published=$(key_get KEY2 PUBLISHED)
+set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
+set_addkeytime "KEY2" "ACTIVE"      "${published}" "${Ipub}"
+set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the new successor needs to be published.
+# This is the Lcsk, minus time passed since the key was published.
+# Lcsk:        186d (16070400 seconds)
+# Time passed: 175h (630000 seconds)
+check_next_key_event 15440400
+
+#
+# Zone: step7.csk-roll2.autosign.
+#
+set_zone "step7.csk-roll2.autosign"
+set_policy "csk-roll2" "2" "3600"
+set_server "ns3" "10.53.0.3"
+# The old CSK (KEY1) could have been purged, but purge-keys is disabled.
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+
+#
+# Test #2375: Scheduled rollovers are happening faster than they can finish
+#
+set_zone "three-is-a-crowd.kasp"
+set_policy "ksk-doubleksk" "3" "7200"
+set_server "ns3" "10.53.0.3"
+CDNSKEY="no"
+# These are the same time values as calculated for ksk-doubleksk.
+Lksk=5184000
+Lzsk=31536000
+IretKSK=180000
+IretZSK=867600
+# KSK (KEY1) is outgoing.
+key_clear        "KEY1"
+set_keyrole      "KEY1" "ksk"
+set_keylifetime  "KEY1" "${Lksk}"
+set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning   "KEY1" "yes"
+set_zonesigning  "KEY1" "yes"
+set_keystate     "KEY1" "GOAL"         "hidden"
+set_keystate     "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate     "KEY1" "STATE_KRRSIG" "omnipresent"
+set_keystate     "KEY1" "STATE_DS"     "unretentive"
+# KSK (KEY2) is incoming.
+key_clear        "KEY2"
+set_keyrole      "KEY2" "ksk"
+set_keylifetime  "KEY2" "${Lksk}"
+set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning   "KEY2" "yes"
+set_zonesigning  "KEY2" "no"
+set_keystate     "KEY2" "GOAL"         "omnipresent"
+set_keystate     "KEY2" "STATE_DNSKEY" "omnipresent"
+set_keystate     "KEY2" "STATE_KRRSIG" "omnipresent"
+set_keystate     "KEY2" "STATE_DS"     "rumoured"
+# We will introduce the third KSK shortly.
+key_clear        "KEY3"
+# ZSK (KEY4).
+key_clear        "KEY4"
+set_keyrole      "KEY4" "zsk"
+set_keylifetime  "KEY4" "${Lzsk}"
+set_keyalgorithm "KEY4" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning   "KEY4" "no"
+set_zonesigning  "KEY4" "yes"
+set_keystate     "KEY4" "GOAL"         "omnipresent"
+set_keystate     "KEY4" "STATE_DNSKEY" "omnipresent"
+set_keystate     "KEY4" "STATE_ZRRSIG" "omnipresent"
+# Run preliminary tests.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+# Roll over KEY2.
+# Set expected key lifetime, which is DNSKEY TTL plus the zone propagation delay,
+# plus the publish-safety: 7200s + 1h + 1d = 97200 seconds.
+set_keylifetime  "KEY2" "97200"
+created=$(key_get KEY2 CREATED)
+rndc_rollover "$SERVER" "$DIR" $(key_get KEY2 ID) "${created}" "$ZONE"
+# Update expected number of keys and key states.
+set_keystate "KEY2" "GOAL" "hidden"
+set_policy "ksk-doubleksk" "4" "7200"
+CDNSKEY="no"
+# New KSK (KEY3) is introduced.
+set_keyrole      "KEY3" "ksk"
+set_keylifetime  "KEY3" "${Lksk}"
+set_keyalgorithm "KEY3" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning   "KEY3" "yes"
+set_zonesigning  "KEY3" "no"
+set_keystate     "KEY3" "GOAL"         "omnipresent"
+set_keystate     "KEY3" "STATE_DNSKEY" "rumoured"
+set_keystate     "KEY3" "STATE_KRRSIG" "rumoured"
+set_keystate     "KEY3" "STATE_DS"     "hidden"
+# Run tests again. We now expect four keys (3x KSK, 1x ZSK).
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+
+# Test dynamic zones that switch to inline-signing.
+set_zone "dynamic2inline.kasp"
+set_policy "default" "1" "3600"
+set_server "ns6" "10.53.0.6"
+# Key properties.
+key_clear        "KEY1"
+set_keyrole      "KEY1" "csk"
+set_keylifetime  "KEY1" "0"
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keysigning   "KEY1" "yes"
+set_zonesigning  "KEY1" "yes"
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+# The CSK is rumoured.
+set_keystate "KEY1" "GOAL"         "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS"     "hidden"
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+
+#
+# Testing algorithm rollover.
+#
+Lksk=0
+Lzsk=0
+IretKSK=0
+IretZSK=0
+
+#
+# Zone: step1.algorithm-roll.kasp
+#
+set_zone "step1.algorithm-roll.kasp"
+set_policy "rsasha256" "2" "3600"
+set_server "ns6" "10.53.0.6"
+# Key properties.
+key_clear        "KEY1"
+set_keyrole      "KEY1" "ksk"
+set_keylifetime  "KEY1" "0"
+set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
+set_keysigning   "KEY1" "yes"
+set_zonesigning  "KEY1" "no"
+
+key_clear        "KEY2"
+set_keyrole      "KEY2" "zsk"
+set_keylifetime  "KEY2" "0"
+set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
+set_keysigning   "KEY2" "no"
+set_zonesigning  "KEY2" "yes"
+key_clear "KEY3"
+key_clear "KEY4"
+
+# The KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT.
+set_keystate "KEY1" "GOAL"         "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_DS"     "omnipresent"
+
+set_keystate "KEY2" "GOAL"         "omnipresent"
+set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+# These keys are immediately published and activated.
+rollover_predecessor_keytimes 0
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the successor keys need to be published.
+# Since the lifetime of the keys are unlimited, so default to loadkeys
+# interval.
+check_next_key_event 3600
+
+#
+# Zone: step1.csk-algorithm-roll.kasp
+#
+set_zone "step1.csk-algorithm-roll.kasp"
+set_policy "csk-algoroll" "1" "3600"
+set_server "ns6" "10.53.0.6"
+# Key properties.
+key_clear        "KEY1"
+set_keyrole      "KEY1" "csk"
+set_keylifetime  "KEY1" "0"
+set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
+set_keysigning   "KEY1" "yes"
+set_zonesigning  "KEY1" "yes"
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+# The CSK (KEY1) starts in OMNIPRESENT.
+set_keystate "KEY1" "GOAL"         "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_DS"     "omnipresent"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+# This key is immediately published and activated.
+Lcsk=0
+IretCSK=0
+csk_rollover_predecessor_keytimes 0
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the successor keys need to be published.
+# Since the lifetime of the keys are unlimited, so default to loadkeys
+# interval.
+check_next_key_event 3600
+
+#
+# Testing going insecure.
+#
+
+#
+# Zone step1.going-insecure.kasp
+#
+set_zone "step1.going-insecure.kasp"
+set_policy "unsigning" "2" "7200"
+set_server "ns6" "10.53.0.6"
+
+# Policy parameters.
+# Lksk:      0
+# Lzsk:      60 days (5184000 seconds)
+# Iret(KSK): DS TTL (1d) + DprpP (1h) + retire-safety (1h)
+# Iret(KSK): 1d2h (93600 seconds)
+# Iret(ZSK): RRSIG TTL (1d) + Dprp (5m) + Dsgn (9d) + retire-safety (1h)
+# Iret(ZSK): 10d1h5m (867900 seconds)
+Lksk=0
+Lzsk=5184000
+IretKSK=93600
+IretZSK=867900
+
+init_migration_insecure() {
+	key_clear        "KEY1"
+	set_keyrole      "KEY1" "ksk"
+	set_keylifetime  "KEY1" "${Lksk}"
+	set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+	set_keysigning   "KEY1" "yes"
+	set_zonesigning  "KEY1" "no"
+
+	set_keystate "KEY1" "GOAL"         "omnipresent"
+	set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+	set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
+	set_keystate "KEY1" "STATE_DS"     "omnipresent"
+
+	key_clear        "KEY2"
+	set_keyrole      "KEY2" "zsk"
+	set_keylifetime  "KEY2" "${Lzsk}"
+	set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+	set_keysigning   "KEY2" "no"
+	set_zonesigning  "KEY2" "yes"
+
+	set_keystate "KEY2" "GOAL"         "omnipresent"
+	set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
+	set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
+
+	key_clear "KEY3"
+	key_clear "KEY4"
+}
+init_migration_insecure
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# We have set the timing metadata to now - 10 days (864000 seconds).
+rollover_predecessor_keytimes -864000
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+#
+# Zone step1.going-insecure-dynamic.kasp
+#
+
+set_zone "step1.going-insecure-dynamic.kasp"
+set_dynamic
+set_policy "unsigning" "2" "7200"
+set_server "ns6" "10.53.0.6"
+init_migration_insecure
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# We have set the timing metadata to now - 10 days (864000 seconds).
+rollover_predecessor_keytimes -864000
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+#
+# Zone step1.going-straight-to-none.kasp
+#
+set_zone "step1.going-straight-to-none.kasp"
+set_policy "default" "1" "3600"
+set_server "ns6" "10.53.0.6"
+# Key properties.
+set_keyrole      "KEY1" "csk"
+set_keylifetime  "KEY1" "0"
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keysigning   "KEY1" "yes"
+set_zonesigning  "KEY1" "yes"
+# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
+set_keystate "KEY1" "GOAL"         "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_DS"     "omnipresent"
+# This policy only has one key.
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# The first key is immediately published and activated.
+created=$(key_get KEY1 CREATED)
+set_keytime "KEY1" "PUBLISHED"   "${created}"
+set_keytime "KEY1" "ACTIVE"      "${created}"
+set_keytime "KEY1" "SYNCPUBLISH" "${created}"
+# Key lifetime is unlimited, so not setting RETIRED and REMOVED.
+check_keytimes
+
+check_apex
+check_subdomain
+dnssec_verify
+
+# Reconfig dnssec-policy (triggering algorithm roll and other dnssec-policy
+# changes).
+echo_i "reconfig dnssec-policy to trigger algorithm rollover"
+copy_setports ns6/named2.conf.in ns6/named.conf
+rndc_reconfig ns6 10.53.0.6
+
+# Calculate time passed to correctly check for next key events.
+now="$(TZ=UTC date +%s)"
+time_passed=$((now-start_time))
+echo_i "${time_passed} seconds passed between start of tests and reconfig"
+
+# Wait until we have seen "zone_rekey done:" message for this key.
+_wait_for_done_signing() {
+	_zone=$1
+
+	_ksk=$(key_get $2 KSK)
+	_zsk=$(key_get $2 ZSK)
+	if [ "$_ksk" = "yes" ]; then
+		_role="KSK"
+		_expect_type=EXPECT_KRRSIG
+	elif [ "$_zsk" = "yes" ]; then
+		_role="ZSK"
+		_expect_type=EXPECT_ZRRSIG
+	fi
+
+	if [ "$(key_get ${2} $_expect_type)" = "yes" ] && [ "$(key_get $2 $_role)" = "yes" ]; then
+		_keyid=$(key_get $2 ID)
+		_keyalg=$(key_get $2 ALG_STR)
+		echo_i "wait for zone ${_zone} is done signing with $2 ${_zone}/${_keyalg}/${_keyid}"
+		grep "zone_rekey done: key ${_keyid}/${_keyalg}" "${DIR}/named.run" > /dev/null || return 1
+	fi
+
+	return 0
+}
+
+wait_for_done_signing() {
+	n=$((n+1))
+	echo_i "wait for zone ${ZONE} is done signing ($n)"
+	ret=0
+
+	retry_quiet 30 _wait_for_done_signing ${ZONE} KEY1 || ret=1
+	retry_quiet 30 _wait_for_done_signing ${ZONE} KEY2 || ret=1
+	retry_quiet 30 _wait_for_done_signing ${ZONE} KEY3 || ret=1
+	retry_quiet 30 _wait_for_done_signing ${ZONE} KEY4 || ret=1
+
+	test "$ret" -eq 0 || echo_i "failed"
+	status=$((status+ret))
+}
+
+# Test dynamic zones that switch to inline-signing.
+set_zone "dynamic2inline.kasp"
+set_policy "default" "1" "3600"
+set_server "ns6" "10.53.0.6"
+# Key properties.
+key_clear        "KEY1"
+set_keyrole      "KEY1" "csk"
+set_keylifetime  "KEY1" "0"
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keysigning   "KEY1" "yes"
+set_zonesigning  "KEY1" "yes"
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+# The CSK is rumoured.
+set_keystate "KEY1" "GOAL"         "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS"     "hidden"
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+
+#
+# Testing going insecure.
+#
+
+#
+# Zone: step1.going-insecure.kasp
+#
+set_zone "step1.going-insecure.kasp"
+set_policy "insecure" "2" "7200"
+set_server "ns6" "10.53.0.6"
+# Expect a CDS/CDNSKEY Delete Record.
+set_cdsdelete
+
+# Key goal states should be HIDDEN.
+init_migration_insecure
+set_keystate "KEY1" "GOAL" "hidden"
+set_keystate "KEY2" "GOAL" "hidden"
+# The DS may be removed if we are going insecure.
+set_keystate "KEY1" "STATE_DS" "unretentive"
+
+# Various signing policy checks.
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+
+# Tell named that the DS has been removed.
+rndc_checkds "$SERVER" "$DIR" "KEY1" "now" "withdrawn" "$ZONE"
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the DS becomes HIDDEN. This happens after the
+# parent propagation delay, retire safety delay, and DS TTL:
+# 1h + 1h + 1d = 26h = 93600 seconds.
+check_next_key_event 93600
+
+#
+# Zone: step2.going-insecure.kasp
+#
+set_zone "step2.going-insecure.kasp"
+set_policy "insecure" "2" "7200"
+set_server "ns6" "10.53.0.6"
+
+# The DS is long enough removed from the zone to be considered HIDDEN.
+# This means the DNSKEY and the KSK signatures can be removed.
+set_keystate     "KEY1" "STATE_DS"     "hidden"
+set_keystate     "KEY1" "STATE_DNSKEY" "unretentive"
+set_keystate     "KEY1" "STATE_KRRSIG" "unretentive"
+set_keysigning   "KEY1" "no"
+
+set_keystate     "KEY2" "STATE_DNSKEY" "unretentive"
+set_keystate     "KEY2" "STATE_ZRRSIG" "unretentive"
+set_zonesigning  "KEY2" "no"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+
+# Next key event is when the DNSKEY becomes HIDDEN. This happens after the
+# propagation delay, plus DNSKEY TTL:
+# 5m + 2h = 125m =  7500 seconds.
+check_next_key_event 7500
+
+#
+# Zone: step1.going-insecure-dynamic.kasp
+#
+set_zone "step1.going-insecure-dynamic.kasp"
+set_dynamic
+set_policy "insecure" "2" "7200"
+set_server "ns6" "10.53.0.6"
+# Expect a CDS/CDNSKEY Delete Record.
+set_cdsdelete
+
+# Key goal states should be HIDDEN.
+init_migration_insecure
+set_keystate "KEY1" "GOAL" "hidden"
+set_keystate "KEY2" "GOAL" "hidden"
+# The DS may be removed if we are going insecure.
+set_keystate "KEY1" "STATE_DS" "unretentive"
+
+# Various signing policy checks.
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+
+# Tell named that the DS has been removed.
+rndc_checkds "$SERVER" "$DIR" "KEY1" "now" "withdrawn" "$ZONE"
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the DS becomes HIDDEN. This happens after the
+# parent propagation delay, retire safety delay, and DS TTL:
+# 1h + 1h + 1d = 26h = 93600 seconds.
+check_next_key_event 93600
+
+#
+# Zone: step2.going-insecure-dynamic.kasp
+#
+set_zone "step2.going-insecure-dynamic.kasp"
+set_dynamic
+set_policy "insecure" "2" "7200"
+set_server "ns6" "10.53.0.6"
+
+# The DS is long enough removed from the zone to be considered HIDDEN.
+# This means the DNSKEY and the KSK signatures can be removed.
+set_keystate     "KEY1" "STATE_DS"     "hidden"
+set_keystate     "KEY1" "STATE_DNSKEY" "unretentive"
+set_keystate     "KEY1" "STATE_KRRSIG" "unretentive"
+set_keysigning   "KEY1" "no"
+
+set_keystate     "KEY2" "STATE_DNSKEY" "unretentive"
+set_keystate     "KEY2" "STATE_ZRRSIG" "unretentive"
+set_zonesigning  "KEY2" "no"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+
+# Next key event is when the DNSKEY becomes HIDDEN. This happens after the
+# propagation delay, plus DNSKEY TTL:
+# 5m + 2h = 125m =  7500 seconds.
+check_next_key_event 7500
+
+#
+# Zone: step1.going-straight-to-none.kasp
+#
+set_zone "step1.going-straight-to-none.kasp"
+set_policy "none" "1" "3600"
+set_server "ns6" "10.53.0.6"
+
+# The zone will go bogus after signatures expire, but remains validly signed for now.
+
+# Key properties.
+set_keyrole      "KEY1" "csk"
+set_keylifetime  "KEY1" "0"
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keysigning   "KEY1" "yes"
+set_zonesigning  "KEY1" "yes"
+# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
+set_keystate "KEY1" "GOAL"         "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_DS"     "omnipresent"
+# This policy only has one key.
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+dnssec_verify
+
+#
+# Testing KSK/ZSK algorithm rollover.
+#
+
+# Policy parameters.
+# Lksk: unlimited
+# Lzsk: unlimited
+Lksk=0
+Lzsk=0
+
+#
+# Zone: step1.algorithm-roll.kasp
+#
+set_zone "step1.algorithm-roll.kasp"
+set_policy "ecdsa256" "4" "3600"
+set_server "ns6" "10.53.0.6"
+# Old RSASHA1 keys.
+key_clear        "KEY1"
+set_keyrole      "KEY1" "ksk"
+set_keylifetime  "KEY1" "0"
+set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
+set_keysigning   "KEY1" "yes"
+set_zonesigning  "KEY1" "no"
+
+key_clear        "KEY2"
+set_keyrole      "KEY2" "zsk"
+set_keylifetime  "KEY2" "0"
+set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
+set_keysigning   "KEY2" "no"
+set_zonesigning  "KEY2" "yes"
+# New ECDSAP256SHA256 keys.
+key_clear        "KEY3"
+set_keyrole      "KEY3" "ksk"
+set_keylifetime  "KEY3" "0"
+set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
+set_keysigning   "KEY3" "yes"
+set_zonesigning  "KEY3" "no"
+
+key_clear        "KEY4"
+set_keyrole      "KEY4" "zsk"
+set_keylifetime  "KEY4" "0"
+set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256"
+set_keysigning   "KEY4" "no"
+set_zonesigning  "KEY4" "yes"
+# The RSAHSHA1 keys are outroducing.
+set_keystate "KEY1" "GOAL"         "hidden"
+set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_DS"     "omnipresent"
+set_keystate "KEY2" "GOAL"         "hidden"
+set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
+# The ECDSAP256SHA256 keys are introducing.
+set_keystate "KEY3" "GOAL"         "omnipresent"
+set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY3" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY3" "STATE_DS"     "hidden"
+set_keystate "KEY4" "GOAL"         "omnipresent"
+set_keystate "KEY4" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY4" "STATE_ZRRSIG" "rumoured"
+
+# Various signing policy checks.
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - The old keys are published and activated.
+rollover_predecessor_keytimes 0
+# - KSK must be retired since it no longer matches the policy.
+keyfile=$(key_get KEY1 BASEFILE)
+grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk
+retired=$(awk '{print $3}' < retired.test${n}.ksk)
+set_keytime    "KEY1" "RETIRED"    "${retired}"
+# - The key is removed after the retire interval:
+#   IretKSK = TTLds + DprpP + retire-safety
+#   TTLds:         2h (7200 seconds)
+#   DprpP:         1h (3600 seconds)
+#   retire-safety: 2h (7200 seconds)
+#   IretKSK:       5h (18000 seconds)
+IretKSK=18000
+set_addkeytime "KEY1" "REMOVED"    "${retired}" "${IretKSK}"
+# - ZSK must be retired since it no longer matches the policy.
+keyfile=$(key_get KEY2 BASEFILE)
+grep "; Inactive:" "${keyfile}.key" > retired.test${n}.zsk
+retired=$(awk '{print $3}' < retired.test${n}.zsk)
+set_keytime    "KEY2" "RETIRED"    "${retired}"
+# - The key is removed after the retire interval:
+#   IretZSK = TTLsig + Dprp + Dsgn + retire-safety
+#   TTLsig:        6h (21600 seconds)
+#   Dprp:          1h (3600 seconds)
+#   Dsgn:          25d (2160000 seconds)
+#   retire-safety: 2h (7200 seconds)
+#   IretZSK:       25d9h (2192400 seconds)
+IretZSK=2192400
+set_addkeytime "KEY2" "REMOVED"    "${retired}" "${IretZSK}"
+# - The new KSK is published and activated.
+created=$(key_get KEY3 CREATED)
+set_keytime    "KEY3" "PUBLISHED"   "${created}"
+set_keytime    "KEY3" "ACTIVE"      "${created}"
+# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
+#   TTLsig:         6h (39600 seconds)
+#   Dprp:           1h (3600 seconds)
+#   publish-safety: 1h (3600 seconds)
+#   Ipub:           8h (28800 seconds)
+Ipub=28800
+set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}"
+# - The new ZSK is published and activated.
+created=$(key_get KEY4 CREATED)
+set_keytime    "KEY4" "PUBLISHED"   "${created}"
+set_keytime    "KEY4" "ACTIVE"      "${created}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the ecdsa256 keys have been propagated.
+# This is the DNSKEY TTL plus publish safety plus zone propagation delay:
+# 3 times an hour: 10800 seconds.
+check_next_key_event 10800
+
+#
+# Zone: step2.algorithm-roll.kasp
+#
+set_zone "step2.algorithm-roll.kasp"
+set_policy "ecdsa256" "4" "3600"
+set_server "ns6" "10.53.0.6"
+# The RSAHSHA1 keys are outroducing, but need to stay present until the new
+# algorithm chain of trust has been established. Thus the properties, timings
+# and states of the KEY1 and KEY2 are the same as above.
+
+# The ECDSAP256SHA256 keys are introducing. The DNSKEY RRset is omnipresent,
+# but the zone signatures are not.
+set_keystate "KEY3" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY3" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY4" "STATE_DNSKEY" "omnipresent"
+
+# Various signing policy checks.
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - The old keys were activated three hours ago (10800 seconds).
+rollover_predecessor_keytimes -10800
+# - KSK must be retired since it no longer matches the policy.
+created=$(key_get KEY1 CREATED)
+set_keytime    "KEY1" "RETIRED" "${created}"
+set_addkeytime "KEY1" "REMOVED" "${created}" "${IretKSK}"
+# - ZSK must be retired since it no longer matches the policy.
+created=$(key_get KEY2 CREATED)
+set_keytime    "KEY2" "RETIRED" "${created}"
+set_addkeytime "KEY2" "REMOVED" "${created}" "${IretZSK}"
+# - The new keys are published 3 hours ago.
+created=$(key_get KEY3 CREATED)
+set_addkeytime  "KEY3" "PUBLISHED"  "${created}"   -10800
+set_addkeytime  "KEY3" "ACTIVE"     "${created}"   -10800
+published=$(key_get KEY3 PUBLISHED)
+set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" "${Ipub}"
+
+created=$(key_get KEY4 CREATED)
+set_addkeytime "KEY4" "PUBLISHED"   "${created}"   -10800
+set_addkeytime "KEY4" "ACTIVE"      "${created}"   -10800
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when all zone signatures are signed with the new
+# algorithm.  This is the max-zone-ttl plus zone propagation delay
+# plus retire safety: 6h + 1h + 2h.  But three hours have already passed
+# (the time it took to make the DNSKEY omnipresent), so the next event
+# should be scheduled in 6 hour: 21600 seconds.  Prevent intermittent
+# false positives on slow platforms by subtracting the number of seconds
+# which passed between key creation and invoking 'rndc reconfig'.
+next_time=$((21600-time_passed))
+check_next_key_event $next_time
+
+#
+# Zone: step3.algorithm-roll.kasp
+#
+set_zone "step3.algorithm-roll.kasp"
+set_policy "ecdsa256" "4" "3600"
+set_server "ns6" "10.53.0.6"
+# The ECDSAP256SHA256 keys are introducing.
+set_keystate "KEY4" "STATE_ZRRSIG" "omnipresent"
+# The DS can be swapped.
+set_keystate "KEY1" "STATE_DS"     "unretentive"
+set_keystate "KEY3" "STATE_DS"     "rumoured"
+
+# Various signing policy checks.
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+# Check that CDS publication is logged.
+check_cdslog "$DIR" "$ZONE" KEY3
+
+# Set expected key times:
+# - The old keys were activated 9 hours ago (32400 seconds).
+rollover_predecessor_keytimes -32400
+# - And retired 6 hours ago (21600 seconds).
+created=$(key_get KEY1 CREATED)
+set_addkeytime "KEY1" "RETIRED"     "${created}"   -21600
+retired=$(key_get KEY1 RETIRED)
+set_addkeytime "KEY1" "REMOVED"     "${retired}"   "${IretKSK}"
+
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "RETIRED"     "${created}"   -21600
+retired=$(key_get KEY2 RETIRED)
+set_addkeytime "KEY2" "REMOVED"     "${retired}"   "${IretZSK}"
+# - The new keys are published 9 hours ago.
+created=$(key_get KEY3 CREATED)
+set_addkeytime  "KEY3" "PUBLISHED"  "${created}"   -32400
+set_addkeytime  "KEY3" "ACTIVE"     "${created}"   -32400
+published=$(key_get KEY3 PUBLISHED)
+set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}
+
+created=$(key_get KEY4 CREATED)
+set_addkeytime "KEY4" "PUBLISHED"   "${created}"   -32400
+set_addkeytime "KEY4" "ACTIVE"      "${created}"   -32400
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Tell named we "saw" the parent swap the DS and see if the next key event is
+# scheduled at the correct time.
+rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE"
+rndc_checkds "$SERVER" "$DIR" KEY3 "now" "published"  "$ZONE"
+# Next key event is when the DS becomes OMNIPRESENT. This happens after the
+# parent propagation delay, retire safety delay, and DS TTL:
+# 1h + 2h + 2h = 5h = 18000 seconds.
+check_next_key_event 18000
+
+#
+# Zone: step4.algorithm-roll.kasp
+#
+set_zone "step4.algorithm-roll.kasp"
+set_policy "ecdsa256" "4" "3600"
+set_server "ns6" "10.53.0.6"
+# The old DS is HIDDEN, we can remove the old algorithm DNSKEY/RRSIG records.
+set_keysigning   "KEY1" "no"
+set_keystate     "KEY1" "STATE_DNSKEY" "unretentive"
+set_keystate     "KEY1" "STATE_KRRSIG" "unretentive"
+set_keystate     "KEY1" "STATE_DS"     "hidden"
+
+set_zonesigning  "KEY2" "no"
+set_keystate     "KEY2" "GOAL"         "hidden"
+set_keystate     "KEY2" "STATE_DNSKEY" "unretentive"
+set_keystate     "KEY2" "STATE_ZRRSIG" "unretentive"
+# The ECDSAP256SHA256 DS is now OMNIPRESENT.
+set_keystate     "KEY3" "STATE_DS"     "omnipresent"
+
+# Various signing policy checks.
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - The old keys were activated 38 hours ago (136800 seconds).
+rollover_predecessor_keytimes -136800
+# - And retired 35 hours ago (126000 seconds).
+created=$(key_get KEY1 CREATED)
+set_addkeytime "KEY1" "RETIRED"     "${created}"   -126000
+retired=$(key_get KEY1 RETIRED)
+set_addkeytime "KEY1" "REMOVED"     "${retired}"   "${IretKSK}"
+
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "RETIRED"     "${created}"   -126000
+retired=$(key_get KEY2 RETIRED)
+set_addkeytime "KEY2" "REMOVED"     "${retired}"   "${IretZSK}"
+
+# - The new keys are published 38 hours ago.
+created=$(key_get KEY3 CREATED)
+set_addkeytime  "KEY3" "PUBLISHED"  "${created}"   -136800
+set_addkeytime  "KEY3" "ACTIVE"     "${created}"   -136800
+published=$(key_get KEY3 PUBLISHED)
+set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}
+
+created=$(key_get KEY4 CREATED)
+set_addkeytime "KEY4" "PUBLISHED"   "${created}"   -136800
+set_addkeytime "KEY4" "ACTIVE"      "${created}"   -136800
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the old DNSKEY becomes HIDDEN.  This happens after the
+# DNSKEY TTL plus zone propagation delay (2h).
+check_next_key_event 7200
+
+#
+# Zone: step5.algorithm-roll.kasp
+#
+set_zone "step5.algorithm-roll.kasp"
+set_policy "ecdsa256" "4" "3600"
+set_server "ns6" "10.53.0.6"
+# The DNSKEY becomes HIDDEN.
+set_keystate "KEY1" "STATE_DNSKEY" "hidden"
+set_keystate "KEY1" "STATE_KRRSIG" "hidden"
+set_keystate "KEY2" "STATE_DNSKEY" "hidden"
+
+# Various signing policy checks.
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - The old keys were activated 40 hours ago (144000 seconds)
+rollover_predecessor_keytimes -144000
+# - And retired 37 hours ago (133200 seconds).
+created=$(key_get KEY1 CREATED)
+set_addkeytime "KEY1" "RETIRED"     "${created}"   -133200
+retired=$(key_get KEY1 RETIRED)
+set_addkeytime "KEY1" "REMOVED"     "${retired}"   "${IretKSK}"
+
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "RETIRED"     "${created}"   -133200
+retired=$(key_get KEY2 RETIRED)
+set_addkeytime "KEY2" "REMOVED"     "${retired}"   "${IretZSK}"
+
+# The new keys are published 40 hours ago.
+created=$(key_get KEY3 CREATED)
+set_addkeytime  "KEY3" "PUBLISHED"  "${created}"   -144000
+set_addkeytime  "KEY3" "ACTIVE"     "${created}"   -144000
+published=$(key_get KEY3 PUBLISHED)
+set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}
+
+created=$(key_get KEY4 CREATED)
+set_addkeytime "KEY4" "PUBLISHED"   "${created}"   -144000
+set_addkeytime "KEY4" "ACTIVE"      "${created}"   -144000
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the RSASHA1 signatures become HIDDEN.  This happens
+# after the max-zone-ttl plus zone propagation delay plus retire safety
+# (6h + 1h + 2h) minus the time already passed since the UNRETENTIVE state has
+# been reached (2h): 9h - 2h = 7h = 25200 seconds. Prevent intermittent
+# false positives on slow platforms by subtracting the number of seconds
+# which passed between key creation and invoking 'rndc reconfig'.
+next_time=$((25200-time_passed))
+check_next_key_event $next_time
+
+#
+# Zone: step6.algorithm-roll.kasp
+#
+set_zone "step6.algorithm-roll.kasp"
+set_policy "ecdsa256" "4" "3600"
+set_server "ns6" "10.53.0.6"
+# The old zone signatures (KEY2) should now also be HIDDEN.
+set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
+
+# Various signing policy checks.
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - The old keys were activated 47 hours ago (169200 seconds)
+rollover_predecessor_keytimes -169200
+# - And retired 44 hours ago (158400 seconds).
+created=$(key_get KEY1 CREATED)
+set_addkeytime "KEY1" "RETIRED"     "${created}"   -158400
+retired=$(key_get KEY1 RETIRED)
+set_addkeytime "KEY1" "REMOVED"     "${retired}"   "${IretKSK}"
+
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "RETIRED"     "${created}"   -158400
+retired=$(key_get KEY2 RETIRED)
+set_addkeytime "KEY2" "REMOVED"     "${retired}"   "${IretZSK}"
+
+# The new keys are published 47 hours ago.
+created=$(key_get KEY3 CREATED)
+set_addkeytime  "KEY3" "PUBLISHED"  "${created}"   -169200
+set_addkeytime  "KEY3" "ACTIVE"     "${created}"   -169200
+published=$(key_get KEY3 PUBLISHED)
+set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}
+
+created=$(key_get KEY4 CREATED)
+set_addkeytime "KEY4" "PUBLISHED"   "${created}"   -169200
+set_addkeytime "KEY4" "ACTIVE"      "${created}"   -169200
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is never since we established the policy and the keys have
+# an unlimited lifetime.  Fallback to the default loadkeys interval.
+check_next_key_event 3600
+
+#
+# Testing CSK algorithm rollover.
+#
+
+# Policy parameters.
+# Lcsk: unlimited
+Lcksk=0
+
+#
+# Zone: step1.csk-algorithm-roll.kasp
+#
+set_zone "step1.csk-algorithm-roll.kasp"
+set_policy "csk-algoroll" "2" "3600"
+set_server "ns6" "10.53.0.6"
+# Old RSASHA1 key.
+key_clear	 "KEY1"
+set_keyrole      "KEY1" "csk"
+set_keylifetime  "KEY1" "0"
+set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
+set_keysigning   "KEY1" "yes"
+set_zonesigning  "KEY1" "yes"
+# New ECDSAP256SHA256 key.
+key_clear        "KEY2"
+set_keyrole      "KEY2" "csk"
+set_keylifetime  "KEY2" "0"
+set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning   "KEY2" "yes"
+set_zonesigning  "KEY2" "yes"
+key_clear "KEY3"
+key_clear "KEY4"
+# The RSAHSHA1 key is outroducing.
+set_keystate "KEY1" "GOAL"         "hidden"
+set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_DS"     "omnipresent"
+# The ECDSAP256SHA256 key is introducing.
+set_keystate "KEY2" "GOAL"         "omnipresent"
+set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY2" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
+set_keystate "KEY2" "STATE_DS"     "hidden"
+
+# Various signing policy checks.
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - CSK must be retired since it no longer matches the policy.
+csk_rollover_predecessor_keytimes 0
+keyfile=$(key_get KEY1 BASEFILE)
+grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk
+retired=$(awk '{print $3}' < retired.test${n}.ksk)
+set_keytime    "KEY1" "RETIRED"    "${retired}"
+# - The key is removed after the retire interval:
+#   IretZSK = TTLsig + Dprp + Dsgn + retire-safety
+#   TTLsig:        6h (21600 seconds)
+#   Dprp:          1h (3600 seconds)
+#   Dsgn:          25d (2160000 seconds)
+#   retire-safety: 2h (7200 seconds)
+#   IretZSK:       25d9h (2192400 seconds)
+IretCSK=2192400
+set_addkeytime "KEY1" "REMOVED"    "${retired}" "${IretCSK}"
+# - The new CSK is published and activated.
+created=$(key_get KEY2 CREATED)
+set_keytime    "KEY2" "PUBLISHED"   "${created}"
+set_keytime    "KEY2" "ACTIVE"      "${created}"
+# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
+#   TTLsig:         6h (39600 seconds)
+#   Dprp:           1h (3600 seconds)
+#   publish-safety: 1h (3600 seconds)
+#   Ipub:           8h (28800 seconds)
+Ipub=28800
+set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the new key has been propagated.
+# This is the DNSKEY TTL plus publish safety plus zone propagation delay:
+# 3 times an hour: 10800 seconds.
+check_next_key_event 10800
+
+#
+# Zone: step2.csk-algorithm-roll.kasp
+#
+set_zone "step2.csk-algorithm-roll.kasp"
+set_policy "csk-algoroll" "2" "3600"
+set_server "ns6" "10.53.0.6"
+# The RSAHSHA1 key is outroducing, but need to stay present until the new
+# algorithm chain of trust has been established. Thus the properties, timings
+# and states of KEY1 is the same as above.
+#
+# The ECDSAP256SHA256 keys are introducing. The DNSKEY RRset is omnipresent,
+# but the zone signatures are not.
+set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY2" "STATE_KRRSIG" "omnipresent"
+
+# Various signing policy checks.
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - The old key was activated three hours ago (10800 seconds).
+csk_rollover_predecessor_keytimes -10800
+# - CSK must be retired since it no longer matches the policy.
+created=$(key_get KEY1 CREATED)
+set_keytime    "KEY1" "RETIRED" "${created}"
+set_addkeytime "KEY1" "REMOVED" "${created}" "${IretCSK}"
+# - The new key was published 3 hours ago.
+created=$(key_get KEY2 CREATED)
+set_addkeytime  "KEY2" "PUBLISHED"  "${created}"   -10800
+set_addkeytime  "KEY2" "ACTIVE"     "${created}"   -10800
+published=$(key_get KEY2 PUBLISHED)
+set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when all zone signatures are signed with the new
+# algorithm.  This is the max-zone-ttl plus zone propagation delay
+# plus retire safety: 6h + 1h + 2h.  But three hours have already passed
+# (the time it took to make the DNSKEY omnipresent), so the next event
+# should be scheduled in 6 hour: 21600 seconds.  Prevent intermittent
+# false positives on slow platforms by subtracting the number of seconds
+# which passed between key creation and invoking 'rndc reconfig'.
+next_time=$((21600-time_passed))
+check_next_key_event $next_time
+
+#
+# Zone: step3.csk-algorithm-roll.kasp
+#
+set_zone "step3.csk-algorithm-roll.kasp"
+set_policy "csk-algoroll" "2" "3600"
+set_server "ns6" "10.53.0.6"
+# The RSAHSHA1 key is outroducing, and it is time to swap the DS.
+# The ECDSAP256SHA256 key is introducing. The DNSKEY RRset and all signatures
+# are now omnipresent, so the DS can be introduced.
+set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
+# The old DS (KEY1) can be withdrawn and the new DS (KEY2) can be introduced.
+set_keystate "KEY1" "STATE_DS"     "unretentive"
+set_keystate "KEY2" "STATE_DS"     "rumoured"
+
+# Various signing policy checks.
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+# Check that CDS publication is logged.
+check_cdslog "$DIR" "$ZONE" KEY2
+
+# Set expected key times:
+# - The old key was activated 9 hours ago (32400 seconds).
+csk_rollover_predecessor_keytimes -32400
+# - And was retired 6 hours ago (21600 seconds).
+created=$(key_get KEY1 CREATED)
+set_addkeytime "KEY1" "RETIRED"     "${created}"   -21600
+retired=$(key_get KEY1 RETIRED)
+set_addkeytime "KEY1" "REMOVED"     "${retired}"   "${IretCSK}"
+# - The new key was published 9 hours ago.
+created=$(key_get KEY2 CREATED)
+set_addkeytime  "KEY2" "PUBLISHED"  "${created}"   -32400
+set_addkeytime  "KEY2" "ACTIVE"     "${created}"   -32400
+published=$(key_get KEY2 PUBLISHED)
+set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# We ignore any parent registration delay, so set the DS publish time to now.
+rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE"
+rndc_checkds "$SERVER" "$DIR" KEY2 "now" "published" "$ZONE"
+# Next key event is when the DS becomes OMNIPRESENT. This happens after the
+# parent propagation delay, retire safety delay, and DS TTL:
+# 1h + 2h + 2h = 5h = 18000 seconds.
+check_next_key_event 18000
+
+#
+# Zone: step4.csk-algorithm-roll.kasp
+#
+set_zone "step4.csk-algorithm-roll.kasp"
+set_policy "csk-algoroll" "2" "3600"
+set_server "ns6" "10.53.0.6"
+# The old DS is HIDDEN, we can remove the old algorithm DNSKEY/RRSIG records.
+set_keysigning   "KEY1" "no"
+set_zonesigning  "KEY1" "no"
+set_keystate     "KEY1" "STATE_DNSKEY" "unretentive"
+set_keystate     "KEY1" "STATE_KRRSIG" "unretentive"
+set_keystate     "KEY1" "STATE_ZRRSIG" "unretentive"
+set_keystate     "KEY1" "STATE_DS"     "hidden"
+# The ECDSAP256SHA256 DS is now OMNIPRESENT.
+set_keystate     "KEY2" "STATE_DS"     "omnipresent"
+
+# Various signing policy checks.
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - The old key was activated 38 hours ago (136800 seconds)
+csk_rollover_predecessor_keytimes -136800
+# - And retired 35 hours ago (126000 seconds).
+created=$(key_get KEY1 CREATED)
+set_addkeytime "KEY1" "RETIRED"     "${created}"   -126000
+retired=$(key_get KEY1 RETIRED)
+set_addkeytime "KEY1" "REMOVED"     "${retired}"   "${IretCSK}"
+# - The new key was published 38 hours ago.
+created=$(key_get KEY2 CREATED)
+set_addkeytime  "KEY2" "PUBLISHED"  "${created}"   -136800
+set_addkeytime  "KEY2" "ACTIVE"     "${created}"   -136800
+published=$(key_get KEY2 PUBLISHED)
+set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub}
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the old DNSKEY becomes HIDDEN.  This happens after the
+# DNSKEY TTL plus zone propagation delay (2h).
+check_next_key_event 7200
+
+#
+# Zone: step5.csk-algorithm-roll.kasp
+#
+set_zone "step5.csk-algorithm-roll.kasp"
+set_policy "csk-algoroll" "2" "3600"
+set_server "ns6" "10.53.0.6"
+# The DNSKEY becomes HIDDEN.
+set_keystate "KEY1" "STATE_DNSKEY" "hidden"
+set_keystate "KEY1" "STATE_KRRSIG" "hidden"
+
+# Various signing policy checks.
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - The old key was activated 40 hours ago (144000 seconds)
+csk_rollover_predecessor_keytimes -144000
+# - And retired 37 hours ago (133200 seconds).
+created=$(key_get KEY1 CREATED)
+set_addkeytime "KEY1" "RETIRED"     "${created}"   -133200
+retired=$(key_get KEY1 RETIRED)
+set_addkeytime "KEY1" "REMOVED"     "${retired}"   "${IretCSK}"
+# - The new key was published 40 hours ago.
+created=$(key_get KEY2 CREATED)
+set_addkeytime  "KEY2" "PUBLISHED"  "${created}"   -144000
+set_addkeytime  "KEY2" "ACTIVE"     "${created}"   -144000
+published=$(key_get KEY2 PUBLISHED)
+set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub}
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the RSASHA1 signatures become HIDDEN.  This happens
+# after the max-zone-ttl plus zone propagation delay plus retire safety
+# (6h + 1h + 2h) minus the time already passed since the UNRETENTIVE state has
+# been reached (2h): 9h - 2h = 7h = 25200 seconds.  Prevent intermittent
+# false positives on slow platforms by subtracting the number of seconds
+# which passed between key creation and invoking 'rndc reconfig'.
+next_time=$((25200-time_passed))
+check_next_key_event $next_time
+
+#
+# Zone: step6.csk-algorithm-roll.kasp
+#
+set_zone "step6.csk-algorithm-roll.kasp"
+set_policy "csk-algoroll" "2" "3600"
+set_server "ns6" "10.53.0.6"
+# The zone signatures should now also be HIDDEN.
+set_keystate "KEY1" "STATE_ZRRSIG" "hidden"
+
+# Various signing policy checks.
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - The old keys were activated 47 hours ago (169200 seconds)
+csk_rollover_predecessor_keytimes -169200
+# - And retired 44 hours ago (158400 seconds).
+created=$(key_get KEY1 CREATED)
+set_addkeytime "KEY1" "RETIRED"     "${created}"   -158400
+retired=$(key_get KEY1 RETIRED)
+set_addkeytime "KEY1" "REMOVED"     "${retired}"   "${IretCSK}"
+# - The new key was published 47 hours ago.
+created=$(key_get KEY2 CREATED)
+set_addkeytime  "KEY2" "PUBLISHED"  "${created}"   -169200
+set_addkeytime  "KEY2" "ACTIVE"     "${created}"   -169200
+published=$(key_get KEY2 PUBLISHED)
+set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub}
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is never since we established the policy and the keys have
+# an unlimited lifetime.  Fallback to the default loadkeys interval.
+check_next_key_event 3600
+
+_check_soa_ttl() {
+	dig_with_opts @10.53.0.6 example SOA > dig.out.ns6.test$n.soa2 || return 1
+	soa1=$(awk '$4 == "SOA" { print $7 }' dig.out.ns6.test$n.soa1)
+	soa2=$(awk '$4 == "SOA" { print $7 }' dig.out.ns6.test$n.soa2)
+	ttl1=$(awk '$4 == "SOA" { print $2 }' dig.out.ns6.test$n.soa1)
+	ttl2=$(awk '$4 == "SOA" { print $2 }' dig.out.ns6.test$n.soa2)
+	test ${soa1:-1000} -lt ${soa2:-0} || return 1
+	test ${ttl1:-0} -eq $1 || return 1
+	test ${ttl2:-0} -eq $2 || return 1
+}
+
+n=$((n+1))
+echo_i "Check that 'rndc reload' of just the serial updates the signed instance ($n)"
+TSIG=
+ret=0
+dig_with_opts @10.53.0.6 example SOA > dig.out.ns6.test$n.soa1 || ret=1
+cp ns6/example2.db.in ns6/example.db || ret=1
+nextpart ns6/named.run > /dev/null
+rndccmd 10.53.0.6 reload || ret=1
+wait_for_log 3 "all zones loaded" ns6/named.run
+# Check that the SOA SERIAL increases and check the TTLs (should be 300 as
+# defined in ns6/example2.db.in).
+retry_quiet 10 _check_soa_ttl 300 300 || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "Check that restart with zone changes and deleted journal works ($n)"
+TSIG=
+ret=0
+dig_with_opts @10.53.0.6 example SOA > dig.out.ns6.test$n.soa1 || ret=1
+stop_server --use-rndc --port ${CONTROLPORT} ns6
+# TTL of all records change from 300 to 400
+cp ns6/example3.db.in ns6/example.db || ret=1
+rm ns6/example.db.jnl
+nextpart ns6/named.run > /dev/null
+start_server --noclean --restart --port ${PORT} ns6
+wait_for_log 3 "all zones loaded" ns6/named.run
+# Check that the SOA SERIAL increases and check the TTLs (should be changed
+# from 300 to 400 as defined in ns6/example3.db.in).
+retry_quiet 10 _check_soa_ttl 300 400 || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/keepalive/clean.sh b/bin/tests/system/keepalive/clean.sh
new file mode 100644
index 0000000..9ccbd12
--- /dev/null
+++ b/bin/tests/system/keepalive/clean.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f dig.out.*
+rm -f output
+rm -f ns*/named.memstats
+rm -f ns*/named.run
+rm -f ns*/named.conf
+rm -f ns*/named.stats
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/keepalive/expected b/bin/tests/system/keepalive/expected
new file mode 100644
index 0000000..e498db7
--- /dev/null
+++ b/bin/tests/system/keepalive/expected
@@ -0,0 +1,4 @@
+tcp-initial-timeout=300
+tcp-idle-timeout=300
+tcp-keepalive-timeout=300
+tcp-advertised-timeout=200
diff --git a/bin/tests/system/keepalive/ns1/named.conf.in b/bin/tests/system/keepalive/ns1/named.conf.in
new file mode 100644
index 0000000..26cf4b3
--- /dev/null
+++ b/bin/tests/system/keepalive/ns1/named.conf.in
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
diff --git a/bin/tests/system/keepalive/ns1/root.db b/bin/tests/system/keepalive/ns1/root.db
new file mode 100644
index 0000000..17780d1
--- /dev/null
+++ b/bin/tests/system/keepalive/ns1/root.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. 			IN SOA	gson.nominum.com. a.root.servers.nil. (
+				2000042100   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+
+example.		NS	ns2.example.
+ns2.example.		A	10.53.0.2
diff --git a/bin/tests/system/keepalive/ns2/example.db b/bin/tests/system/keepalive/ns2/example.db
new file mode 100644
index 0000000..ccc6ef9
--- /dev/null
+++ b/bin/tests/system/keepalive/ns2/example.db
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@	SOA	ns2 hostmaster.isc.org. 1 600 600 1200 600
+@ 	NS	ns2
+ns2 	A	10.53.0.2
+foo	A	10.53.1.1
+bar	A	10.53.2.2
diff --git a/bin/tests/system/keepalive/ns2/named.conf.in b/bin/tests/system/keepalive/ns2/named.conf.in
new file mode 100644
index 0000000..6e308f4
--- /dev/null
+++ b/bin/tests/system/keepalive/ns2/named.conf.in
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion yes;
+	acache-enable yes;
+	send-cookie yes;
+	tcp-advertised-timeout 150;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+};
diff --git a/bin/tests/system/keepalive/ns3/named.conf.in b/bin/tests/system/keepalive/ns3/named.conf.in
new file mode 100644
index 0000000..b6b8073
--- /dev/null
+++ b/bin/tests/system/keepalive/ns3/named.conf.in
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	directory ".";
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+};
+
+server 10.53.0.2 {
+	tcp-only yes;
+	tcp-keepalive yes;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
diff --git a/bin/tests/system/keepalive/setup.sh b/bin/tests/system/keepalive/setup.sh
new file mode 100644
index 0000000..57e0575
--- /dev/null
+++ b/bin/tests/system/keepalive/setup.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
diff --git a/bin/tests/system/keepalive/tests.sh b/bin/tests/system/keepalive/tests.sh
new file mode 100644
index 0000000..7aea925
--- /dev/null
+++ b/bin/tests/system/keepalive/tests.sh
@@ -0,0 +1,98 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="-p ${PORT}"
+RNDCCMD="$RNDC  -c ../common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT}"
+
+n=0
+status=0
+
+echo_i "checking that dig handles TCP keepalive ($n)"
+ret=0
+n=`expr $n + 1`
+$DIG $DIGOPTS +qr +keepalive foo.example @10.53.0.2 > dig.out.test$n
+grep "; TCP KEEPALIVE" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking that dig added TCP keepalive ($n)"
+ret=0
+n=`expr $n + 1`
+$RNDCCMD stats
+grep "EDNS TCP keepalive option received" ns2/named.stats > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking that TCP keepalive is added for TCP responses ($n)"
+ret=0
+n=`expr $n + 1`
+$DIG $DIGOPTS +vc +keepalive foo.example @10.53.0.2 > dig.out.test$n
+grep "; TCP KEEPALIVE" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking that TCP keepalive requires TCP ($n)"
+ret=0
+n=`expr $n + 1`
+$DIG $DIGOPTS +keepalive foo.example @10.53.0.2 > dig.out.test$n
+grep "; TCP KEEPALIVE" dig.out.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking default value ($n)"
+ret=0
+n=`expr $n + 1`
+$DIG $DIGOPTS +vc +keepalive foo.example @10.53.0.3 > dig.out.test$n
+grep "; TCP KEEPALIVE: 30.0 secs" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking configured value ($n)"
+ret=0
+n=`expr $n + 1`
+$DIG $DIGOPTS +vc +keepalive foo.example @10.53.0.2 > dig.out.test$n
+grep "; TCP KEEPALIVE: 15.0 secs" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking re-configured value ($n)"
+ret=0
+n=`expr $n + 1`
+$RNDCCMD tcp-timeouts 300 300 300 200 > output
+$DIFF -b output expected || ret=1
+$DIG $DIGOPTS +vc +keepalive foo.example @10.53.0.2 > dig.out.test$n
+grep "; TCP KEEPALIVE: 20.0 secs" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking server config entry ($n)"
+ret=0
+n=`expr $n + 1`
+$RNDCCMD stats
+oka=`grep  "EDNS TCP keepalive option received" ns2/named.stats | \
+    tail -1 | awk '{ print $1}'`
+$DIG $DIGOPTS bar.example @10.53.0.3 > dig.out.test$n
+$RNDCCMD stats
+nka=`grep  "EDNS TCP keepalive option received" ns2/named.stats | \
+    tail -1 | awk '{ print $1}'`
+#echo oka ':' $oka
+#echo nka ':' $nka
+if [ "$oka" -eq "$nka" ]; then ret=1; fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/keymgr/01-ksk-inactive/README b/bin/tests/system/keymgr/01-ksk-inactive/README
new file mode 100644
index 0000000..a79314e
--- /dev/null
+++ b/bin/tests/system/keymgr/01-ksk-inactive/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes one KSK rollover.  The KSK is deactivated prior to
+its replacement being activated.
diff --git a/bin/tests/system/keymgr/01-ksk-inactive/expect b/bin/tests/system/keymgr/01-ksk-inactive/expect
new file mode 100644
index 0000000..bf908e7
--- /dev/null
+++ b/bin/tests/system/keymgr/01-ksk-inactive/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1h -m 2h example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/02-zsk-inactive/README b/bin/tests/system/keymgr/02-zsk-inactive/README
new file mode 100644
index 0000000..8997e0a
--- /dev/null
+++ b/bin/tests/system/keymgr/02-zsk-inactive/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes one ZSK rollover.  The first ZSK is deactivated
+prior to its replacement being activated.
diff --git a/bin/tests/system/keymgr/02-zsk-inactive/expect b/bin/tests/system/keymgr/02-zsk-inactive/expect
new file mode 100644
index 0000000..bf908e7
--- /dev/null
+++ b/bin/tests/system/keymgr/02-zsk-inactive/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1h -m 2h example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/03-ksk-unpublished/README b/bin/tests/system/keymgr/03-ksk-unpublished/README
new file mode 100644
index 0000000..4086a31
--- /dev/null
+++ b/bin/tests/system/keymgr/03-ksk-unpublished/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set contains one KSK rollover.  The KSK is unpublished before its
+successor is published.
diff --git a/bin/tests/system/keymgr/03-ksk-unpublished/expect b/bin/tests/system/keymgr/03-ksk-unpublished/expect
new file mode 100644
index 0000000..bf908e7
--- /dev/null
+++ b/bin/tests/system/keymgr/03-ksk-unpublished/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1h -m 2h example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/04-zsk-unpublished/README b/bin/tests/system/keymgr/04-zsk-unpublished/README
new file mode 100644
index 0000000..a3bbe85
--- /dev/null
+++ b/bin/tests/system/keymgr/04-zsk-unpublished/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set contains one ZSK rollover.  The ZSK is unpublished before its
+successor is published.
diff --git a/bin/tests/system/keymgr/04-zsk-unpublished/expect b/bin/tests/system/keymgr/04-zsk-unpublished/expect
new file mode 100644
index 0000000..bf908e7
--- /dev/null
+++ b/bin/tests/system/keymgr/04-zsk-unpublished/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1h -m 2h example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/05-ksk-unpub-active/README b/bin/tests/system/keymgr/05-ksk-unpub-active/README
new file mode 100644
index 0000000..5b47456
--- /dev/null
+++ b/bin/tests/system/keymgr/05-ksk-unpub-active/README
@@ -0,0 +1,7 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes one KSK rollover.  The first KSK is deleted
+and its successor published prior to the first KSK being deactivated
+and its successor activated.
diff --git a/bin/tests/system/keymgr/05-ksk-unpub-active/expect b/bin/tests/system/keymgr/05-ksk-unpub-active/expect
new file mode 100644
index 0000000..bf908e7
--- /dev/null
+++ b/bin/tests/system/keymgr/05-ksk-unpub-active/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1h -m 2h example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/06-zsk-unpub-active/README b/bin/tests/system/keymgr/06-zsk-unpub-active/README
new file mode 100644
index 0000000..5b47456
--- /dev/null
+++ b/bin/tests/system/keymgr/06-zsk-unpub-active/README
@@ -0,0 +1,7 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes one KSK rollover.  The first KSK is deleted
+and its successor published prior to the first KSK being deactivated
+and its successor activated.
diff --git a/bin/tests/system/keymgr/06-zsk-unpub-active/expect b/bin/tests/system/keymgr/06-zsk-unpub-active/expect
new file mode 100644
index 0000000..bf908e7
--- /dev/null
+++ b/bin/tests/system/keymgr/06-zsk-unpub-active/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1h -m 2h example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/07-ksk-ttl/README b/bin/tests/system/keymgr/07-ksk-ttl/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/07-ksk-ttl/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/07-ksk-ttl/expect b/bin/tests/system/keymgr/07-ksk-ttl/expect
new file mode 100644
index 0000000..03d719c
--- /dev/null
+++ b/bin/tests/system/keymgr/07-ksk-ttl/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/08-zsk-ttl/README b/bin/tests/system/keymgr/08-zsk-ttl/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/08-zsk-ttl/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/08-zsk-ttl/expect b/bin/tests/system/keymgr/08-zsk-ttl/expect
new file mode 100644
index 0000000..03d719c
--- /dev/null
+++ b/bin/tests/system/keymgr/08-zsk-ttl/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/09-no-keys/README b/bin/tests/system/keymgr/09-no-keys/README
new file mode 100644
index 0000000..7de6d40
--- /dev/null
+++ b/bin/tests/system/keymgr/09-no-keys/README
@@ -0,0 +1,5 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This directory has no key set, but one will be initialized by dnssec-keymgr.
diff --git a/bin/tests/system/keymgr/09-no-keys/expect b/bin/tests/system/keymgr/09-no-keys/expect
new file mode 100644
index 0000000..03d719c
--- /dev/null
+++ b/bin/tests/system/keymgr/09-no-keys/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/10-change-roll/README b/bin/tests/system/keymgr/10-change-roll/README
new file mode 100644
index 0000000..c83de5f
--- /dev/null
+++ b/bin/tests/system/keymgr/10-change-roll/README
@@ -0,0 +1,7 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This directory has a key set which is valid, but has a ZSK rollover period
+of only three months. It will be updated to have a ZSK rollover period of
+one year.
diff --git a/bin/tests/system/keymgr/10-change-roll/expect b/bin/tests/system/keymgr/10-change-roll/expect
new file mode 100644
index 0000000..03d719c
--- /dev/null
+++ b/bin/tests/system/keymgr/10-change-roll/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/11-many-simul/README b/bin/tests/system/keymgr/11-many-simul/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/11-many-simul/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/11-many-simul/expect b/bin/tests/system/keymgr/11-many-simul/expect
new file mode 100644
index 0000000..03d719c
--- /dev/null
+++ b/bin/tests/system/keymgr/11-many-simul/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/12-many-active/README b/bin/tests/system/keymgr/12-many-active/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/12-many-active/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/12-many-active/expect b/bin/tests/system/keymgr/12-many-active/expect
new file mode 100644
index 0000000..67fc4e9
--- /dev/null
+++ b/bin/tests/system/keymgr/12-many-active/expect
@@ -0,0 +1,9 @@
+kargs="-f example.com"
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/13-noroll/README b/bin/tests/system/keymgr/13-noroll/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/13-noroll/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/13-noroll/expect b/bin/tests/system/keymgr/13-noroll/expect
new file mode 100644
index 0000000..67fc4e9
--- /dev/null
+++ b/bin/tests/system/keymgr/13-noroll/expect
@@ -0,0 +1,9 @@
+kargs="-f example.com"
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/14-wrongalg/README b/bin/tests/system/keymgr/14-wrongalg/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/14-wrongalg/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/14-wrongalg/expect b/bin/tests/system/keymgr/14-wrongalg/expect
new file mode 100644
index 0000000..bd5eadb
--- /dev/null
+++ b/bin/tests/system/keymgr/14-wrongalg/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=4
diff --git a/bin/tests/system/keymgr/15-unspec/README b/bin/tests/system/keymgr/15-unspec/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/15-unspec/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/15-unspec/expect b/bin/tests/system/keymgr/15-unspec/expect
new file mode 100644
index 0000000..ad300c4
--- /dev/null
+++ b/bin/tests/system/keymgr/15-unspec/expect
@@ -0,0 +1,9 @@
+kargs=""
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/16-wrongalg-unspec/README b/bin/tests/system/keymgr/16-wrongalg-unspec/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/16-wrongalg-unspec/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/16-wrongalg-unspec/expect b/bin/tests/system/keymgr/16-wrongalg-unspec/expect
new file mode 100644
index 0000000..c836535
--- /dev/null
+++ b/bin/tests/system/keymgr/16-wrongalg-unspec/expect
@@ -0,0 +1,9 @@
+kargs=""
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=4
diff --git a/bin/tests/system/keymgr/17-noforce/README b/bin/tests/system/keymgr/17-noforce/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/17-noforce/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/17-noforce/expect b/bin/tests/system/keymgr/17-noforce/expect
new file mode 100644
index 0000000..029a4e9
--- /dev/null
+++ b/bin/tests/system/keymgr/17-noforce/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=1
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/18-nonstd-prepub/README b/bin/tests/system/keymgr/18-nonstd-prepub/README
new file mode 100644
index 0000000..4ee0a8a
--- /dev/null
+++ b/bin/tests/system/keymgr/18-nonstd-prepub/README
@@ -0,0 +1,7 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This directory has a key set which is valid, but will expire within
+the rollover period. The prepublication interval in policy.conf is a
+nonstandard value.
diff --git a/bin/tests/system/keymgr/18-nonstd-prepub/expect b/bin/tests/system/keymgr/18-nonstd-prepub/expect
new file mode 100644
index 0000000..e8518d8
--- /dev/null
+++ b/bin/tests/system/keymgr/18-nonstd-prepub/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1h -m 1d example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/18-nonstd-prepub/policy.conf.in b/bin/tests/system/keymgr/18-nonstd-prepub/policy.conf.in
new file mode 100644
index 0000000..757311a
--- /dev/null
+++ b/bin/tests/system/keymgr/18-nonstd-prepub/policy.conf.in
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+policy default {
+	policy global;
+	algorithm @DEFAULT_ALGORITHM@;
+	pre-publish zsk 2w;
+	roll-period zsk 6mo;
+	coverage 364d;
+};
diff --git a/bin/tests/system/keymgr/19-old-keys/README b/bin/tests/system/keymgr/19-old-keys/README
new file mode 100644
index 0000000..bd66ba8
--- /dev/null
+++ b/bin/tests/system/keymgr/19-old-keys/README
@@ -0,0 +1,7 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This directory has a key set which is valid, but which was published
+and activated more than one rollover period ago. dnssec-keymgr should
+not mark the keys as already being inactive and deleted.
diff --git a/bin/tests/system/keymgr/19-old-keys/expect b/bin/tests/system/keymgr/19-old-keys/expect
new file mode 100644
index 0000000..ad73b53
--- /dev/null
+++ b/bin/tests/system/keymgr/19-old-keys/expect
@@ -0,0 +1,12 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1h -m 1w example.com"
+cmatch="4,Publish
+4,Activate
+2,Inactive
+2,Delete"
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/19-old-keys/extra.sh b/bin/tests/system/keymgr/19-old-keys/extra.sh
new file mode 100644
index 0000000..502d951
--- /dev/null
+++ b/bin/tests/system/keymgr/19-old-keys/extra.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+now=`$PERL -e 'print time()."\n";'`
+for keyfile in K*.key; do
+    inactive=`$SETTIME -upI $keyfile | awk '{print $2}'`
+    if [ "$inactive" = UNSET ]; then
+        continue
+    elif [ "$inactive" -lt "$now" ]; then
+        echo_d "inactive date is in the past"
+        ret=1
+    fi
+done
diff --git a/bin/tests/system/keymgr/19-old-keys/policy.conf.in b/bin/tests/system/keymgr/19-old-keys/policy.conf.in
new file mode 100644
index 0000000..757311a
--- /dev/null
+++ b/bin/tests/system/keymgr/19-old-keys/policy.conf.in
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+policy default {
+	policy global;
+	algorithm @DEFAULT_ALGORITHM@;
+	pre-publish zsk 2w;
+	roll-period zsk 6mo;
+	coverage 364d;
+};
diff --git a/bin/tests/system/keymgr/clean.sh b/bin/tests/system/keymgr/clean.sh
new file mode 100644
index 0000000..d8cad32
--- /dev/null
+++ b/bin/tests/system/keymgr/clean.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f 18-nonstd-prepub/policy.conf
+rm -f 19-old-keys/policy.conf
+rm -f K*.key */K*.key
+rm -f K*.private */K*.private
+rm -f coverage.* keymgr.* settime.*
+rm -f ns*/managed-keys.bind*
+rm -f policy.conf
+rm -f policy.out
diff --git a/bin/tests/system/keymgr/policy.conf.in b/bin/tests/system/keymgr/policy.conf.in
new file mode 100644
index 0000000..d6bc925
--- /dev/null
+++ b/bin/tests/system/keymgr/policy.conf.in
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+policy default {
+	policy global;
+	algorithm @DEFAULT_ALGORITHM@;
+	key-size zsk 1024;
+	pre-publish zsk 6w;
+	post-publish zsk 6w;
+	roll-period zsk 6mo;
+	roll-period ksk 0;
+	coverage 364d;
+};
diff --git a/bin/tests/system/keymgr/policy.good b/bin/tests/system/keymgr/policy.good
new file mode 100644
index 0000000..eb23246
--- /dev/null
+++ b/bin/tests/system/keymgr/policy.good
@@ -0,0 +1,187 @@
+policy default:
+	inherits global
+	directory None
+	algorithm None
+	coverage None
+	ksk_keysize None
+	zsk_keysize None
+	ksk_rollperiod None
+	zsk_rollperiod None
+	ksk_prepublish None
+	ksk_postpublish None
+	zsk_prepublish None
+	zsk_postpublish None
+	ksk_standby None
+	zsk_standby None
+	keyttl None
+
+policy global:
+	inherits None
+	directory None
+	algorithm RSASHA256
+	coverage 15552000
+	ksk_keysize 2048
+	zsk_keysize 2048
+	ksk_rollperiod None
+	zsk_rollperiod 31536000
+	ksk_prepublish 2592000
+	ksk_postpublish 2592000
+	zsk_prepublish 2592000
+	zsk_postpublish 2592000
+	ksk_standby None
+	zsk_standby None
+	keyttl 3600
+
+constructed policy example.com:
+	inherits global
+	directory None
+	algorithm RSASHA256
+	coverage 15552000
+	ksk_keysize 2048
+	zsk_keysize 2048
+	ksk_rollperiod None
+	zsk_rollperiod 31536000
+	ksk_prepublish 2592000
+	ksk_postpublish 2592000
+	zsk_prepublish 2592000
+	zsk_postpublish 2592000
+	ksk_standby None
+	zsk_standby None
+	keyttl 3600
+
+policy default:
+	inherits None
+	directory "keydir"
+	algorithm RSASHA1
+	coverage 31536000
+	ksk_keysize None
+	zsk_keysize None
+	ksk_rollperiod None
+	zsk_rollperiod 15552000
+	ksk_prepublish None
+	ksk_postpublish None
+	zsk_prepublish 3628800
+	zsk_postpublish 3628800
+	ksk_standby None
+	zsk_standby None
+	keyttl 3600
+
+zone policy example.com:
+	inherits extra
+	directory "keydir"
+	algorithm NSEC3RSASHA1
+	coverage 12960000
+	ksk_keysize 2048
+	zsk_keysize 2048
+	ksk_rollperiod 31536000
+	zsk_rollperiod 7776000
+	ksk_prepublish 7776000
+	ksk_postpublish None
+	zsk_prepublish 3628800
+	zsk_postpublish 604800
+	ksk_standby None
+	zsk_standby None
+	keyttl 7200
+
+constructed policy example.org:
+	inherits None
+	directory "keydir"
+	algorithm RSASHA1
+	coverage 31536000
+	ksk_keysize 2048
+	zsk_keysize 1024
+	ksk_rollperiod None
+	zsk_rollperiod 15552000
+	ksk_prepublish None
+	ksk_postpublish None
+	zsk_prepublish 3628800
+	zsk_postpublish 3628800
+	ksk_standby None
+	zsk_standby None
+	keyttl 3600
+
+constructed policy example.net:
+	inherits None
+	directory "keydir"
+	algorithm RSASHA1
+	coverage 31536000
+	ksk_keysize 2048
+	zsk_keysize 1024
+	ksk_rollperiod None
+	zsk_rollperiod 15552000
+	ksk_prepublish None
+	ksk_postpublish None
+	zsk_prepublish 3628800
+	zsk_postpublish 3628800
+	ksk_standby None
+	zsk_standby None
+	keyttl 3600
+
+algorithm policy RSASHA1:
+	inherits None
+	directory None
+	algorithm None
+	coverage None
+	ksk_keysize 2048
+	zsk_keysize 1024
+	ksk_rollperiod None
+	zsk_rollperiod None
+	ksk_prepublish None
+	ksk_postpublish None
+	zsk_prepublish None
+	zsk_postpublish None
+	ksk_standby None
+	zsk_standby None
+	keyttl None
+
+algorithm policy RSASHA256:
+	inherits None
+	directory None
+	algorithm RSASHA256
+	coverage None
+	ksk_keysize 2048
+	zsk_keysize 2048
+	ksk_rollperiod None
+	zsk_rollperiod None
+	ksk_prepublish None
+	ksk_postpublish None
+	zsk_prepublish None
+	zsk_postpublish None
+	ksk_standby None
+	zsk_standby None
+	keyttl None
+
+algorithm policy ECDSAP256SHA256:
+	inherits None
+	directory None
+	algorithm ECDSAP256SHA256
+	coverage None
+	ksk_keysize None
+	zsk_keysize None
+	ksk_rollperiod None
+	zsk_rollperiod None
+	ksk_prepublish None
+	ksk_postpublish None
+	zsk_prepublish None
+	zsk_postpublish None
+	ksk_standby None
+	zsk_standby None
+	keyttl None
+
+policy extra:
+	inherits default
+	directory None
+	algorithm None
+	coverage 157680000
+	ksk_keysize None
+	zsk_keysize None
+	ksk_rollperiod 31536000
+	zsk_rollperiod 7776000
+	ksk_prepublish 7776000
+	ksk_postpublish None
+	zsk_prepublish None
+	zsk_postpublish 604800
+	ksk_standby None
+	zsk_standby None
+	keyttl 7200
+
diff --git a/bin/tests/system/keymgr/policy.sample b/bin/tests/system/keymgr/policy.sample
new file mode 100644
index 0000000..8683e27
--- /dev/null
+++ b/bin/tests/system/keymgr/policy.sample
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# a comment which should be skipped
+
+algorithm-policy rsasha1 {
+	key-size ksk 2048;
+	key-size zsk 1024;     // this too
+};
+
+// and this
+
+policy default {
+	directory "keydir";
+	algorithm rsasha1;
+	coverage 1y;            # another comment
+	roll-period zsk 6mo;    // and yet another
+	pre-publish zsk 6w;
+	post-publish zsk 6w;
+	keyttl 1h;
+};
+
+policy extra {
+	policy default;
+	coverage 5y;
+	roll-period KSK 1 year;
+	roll-period zsk 3mo;
+	pre-publish ksk 3mo;
+	post-publish zsk 1w;
+	keyttl 2h;
+};
+
+/*
+ * and this is also a comment,
+ * and it should be ignored like
+ * the others.
+ */
+
+zone example.com {
+	policy extra;
+	coverage 5 mon;
+	algorithm nsec3rsasha1;
+};
+
+/*
+ * This confirms that zones starting with digits are accepted.
+ */
+zone "99example.com" {
+	policy global;
+};
diff --git a/bin/tests/system/keymgr/setup.sh b/bin/tests/system/keymgr/setup.sh
new file mode 100644
index 0000000..d7cef0c
--- /dev/null
+++ b/bin/tests/system/keymgr/setup.sh
@@ -0,0 +1,192 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+KEYGEN="$KEYGEN -q"
+
+# Test 1: KSK goes inactive before successor is active
+dir=01-ksk-inactive
+echo_i "set up $dir"
+ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com`
+$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
+ksk2=`$KEYGEN -K $dir -S $ksk1`
+$SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1
+zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com`
+
+# Test 2: ZSK goes inactive before successor is active
+dir=02-zsk-inactive
+echo_i "set up $dir"
+zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com`
+$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
+zsk2=`$KEYGEN -K $dir -S $zsk1`
+$SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1
+ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com`
+
+# Test 3: KSK is unpublished before its successor is published
+dir=03-ksk-unpublished
+echo_i "set up $dir"
+ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com`
+$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
+ksk2=`$KEYGEN -K $dir -S $ksk1`
+$SETTIME -K $dir -D +6mo $ksk1 > /dev/null 2>&1
+zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com`
+
+# Test 4: ZSK is unpublished before its successor is published
+dir=04-zsk-unpublished
+echo_i "set up $dir"
+zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com`
+$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
+zsk2=`$KEYGEN -K $dir -S $zsk1`
+$SETTIME -K $dir -D +6mo $zsk1 > /dev/null 2>&1
+ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com`
+
+# Test 5: KSK deleted and successor published before KSK is deactivated
+# and successor activated.
+dir=05-ksk-unpub-active
+echo_i "set up $dir"
+ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com`
+$SETTIME -K $dir -I +9mo -D +8mo $ksk1 > /dev/null 2>&1
+ksk2=`$KEYGEN -K $dir -S $ksk1`
+zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com`
+
+# Test 6: ZSK deleted and successor published before ZSK is deactivated
+# and successor activated.
+dir=06-zsk-unpub-active
+echo_i "set up $dir"
+zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com`
+$SETTIME -K $dir -I +9mo -D +8mo $zsk1 > /dev/null 2>&1
+zsk2=`$KEYGEN -K $dir -S $zsk1`
+ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com`
+
+# Test 7: KSK rolled with insufficient delay after prepublication.
+dir=07-ksk-ttl
+echo_i "set up $dir"
+ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com`
+$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
+ksk2=`$KEYGEN -K $dir -S $ksk1`
+$SETTIME -K $dir -P +269d $ksk2 > /dev/null 2>&1
+zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com`
+
+# Test 8: ZSK rolled with insufficient delay after prepublication.
+dir=08-zsk-ttl
+echo_i "set up $dir"
+zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com`
+$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
+zsk2=`$KEYGEN -K $dir -S $zsk1`
+# allow only 1 day between publication and activation
+$SETTIME -K $dir -P +269d $zsk2 > /dev/null 2>&1
+ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com`
+
+# Test 9: No special preparation needed
+
+# Test 10: Valid key set, but rollover period has changed
+dir=10-change-roll
+echo_i "set up $dir"
+ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com`
+zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com`
+$SETTIME -K $dir -I +3mo -D +4mo $zsk1 > /dev/null 2>&1
+zsk2=`$KEYGEN -K $dir -S $zsk1`
+
+# Test 11: Many keys all simultaneously scheduled to be active in the future
+dir=11-many-simul
+echo_i "set up $dir"
+k1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk -P now+1mo -A now+1mo example.com`
+z1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 -P now+1mo -A now+1mo example.com`
+z2=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 -P now+1mo -A now+1mo example.com`
+z3=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 -P now+1mo -A now+1mo example.com`
+z4=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 -P now+1mo -A now+1mo example.com`
+
+# Test 12: Many keys all simultaneously scheduled to be active in the past
+dir=12-many-active
+echo_i "set up $dir"
+k1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk example.com`
+z1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com`
+z2=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com`
+z3=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com`
+z4=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com`
+
+# Test 13: Multiple simultaneous keys with no configured roll period
+dir=13-noroll
+echo_i "set up $dir"
+k1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk example.com`
+k2=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk example.com`
+k3=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk example.com`
+z1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com`
+
+# Test 14: Keys exist but have the wrong algorithm
+dir=14-wrongalg
+echo_i "set up $dir"
+k1=`$KEYGEN -K $dir -a ${ALTERNATIVE_ALGORITHM} -qfk example.com`
+z1=`$KEYGEN -K $dir -a ${ALTERNATIVE_ALGORITHM} -q example.com`
+$SETTIME -K $dir -I now+6mo -D now+8mo $z1 > /dev/null
+z2=`$KEYGEN -K $dir -q -S ${z1}.key`
+$SETTIME -K $dir -I now+1y -D now+14mo $z2 > /dev/null
+z3=`$KEYGEN -K $dir -q -S ${z2}.key`
+$SETTIME -K $dir -I now+18mo -D now+20mo $z3 > /dev/null
+z4=`$KEYGEN -K $dir -q -S ${z3}.key`
+
+# Test 15: No zones specified; just search the directory for keys
+dir=15-unspec
+echo_i "set up $dir"
+k1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk example.com`
+z1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com`
+$SETTIME -K $dir -I now+6mo -D now+8mo $z1 > /dev/null
+z2=`$KEYGEN -K $dir -q -S ${z1}.key`
+$SETTIME -K $dir -I now+1y -D now+14mo $z2 > /dev/null
+z3=`$KEYGEN -K $dir -q -S ${z2}.key`
+$SETTIME -K $dir -I now+18mo -D now+20mo $z3 > /dev/null
+z4=`$KEYGEN -K $dir -q -S ${z3}.key`
+
+# Test 16: No zones specified; search the directory for keys;
+# keys have the wrong algorithm for their policies
+dir=16-wrongalg-unspec
+echo_i "set up $dir"
+k1=`$KEYGEN -K $dir -a ${ALTERNATIVE_ALGORITHM} -qfk example.com`
+z1=`$KEYGEN -K $dir -a ${ALTERNATIVE_ALGORITHM} -q example.com`
+$SETTIME -K $dir -I now+6mo -D now+8mo $z1 > /dev/null
+z2=`$KEYGEN -K $dir -q -S ${z1}.key`
+$SETTIME -K $dir -I now+1y -D now+14mo $z2 > /dev/null
+z3=`$KEYGEN -K $dir -q -S ${z2}.key`
+$SETTIME -K $dir -I now+18mo -D now+20mo $z3 > /dev/null
+z4=`$KEYGEN -K $dir -q -S ${z3}.key`
+
+# Test 17: Keys are simultaneously active but we run with no force
+# flag (this should fail)
+dir=17-noforce
+echo_i "set up $dir"
+k1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk example.com`
+z1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com`
+z2=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com`
+z3=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com`
+z4=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com`
+
+# Test 18: Prepublication interval is set to a nonstandard value
+dir=18-nonstd-prepub
+echo_i "set up $dir"
+ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com`
+zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com`
+$SETTIME -K $dir -I now+2mo -D now+3mo $zsk1 > /dev/null
+
+# Test 19: Key has been published/active a long time
+dir=19-old-keys
+echo_i "set up $dir"
+ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com`
+zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com`
+$SETTIME -K $dir -P now-2y -A now-2y $ksk1 > /dev/null
+$SETTIME -K $dir -P now-2y -A now-2y $zsk1 > /dev/null
+
+copy_setports policy.conf.in policy.conf
+copy_setports 18-nonstd-prepub/policy.conf.in 18-nonstd-prepub/policy.conf
+copy_setports 19-old-keys/policy.conf.in 19-old-keys/policy.conf
diff --git a/bin/tests/system/keymgr/testpolicy.py b/bin/tests/system/keymgr/testpolicy.py
new file mode 100644
index 0000000..d63a079
--- /dev/null
+++ b/bin/tests/system/keymgr/testpolicy.py
@@ -0,0 +1,39 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import sys
+from isc import policy
+
+PP = policy.dnssec_policy()
+# print the unmodified default and a generated zone policy
+print(PP.named_policy["default"])
+print(PP.named_policy["global"])
+print(PP.policy("example.com"))
+
+if len(sys.argv) > 0:
+    for policy_file in sys.argv[1:]:
+        PP.load(policy_file)
+
+        # now print the modified default and generated zone policies
+        print(PP.named_policy["default"])
+        print(PP.policy("example.com"))
+        print(PP.policy("example.org"))
+        print(PP.policy("example.net"))
+
+        # print algorithm policies
+        print(PP.alg_policy["RSASHA1"])
+        print(PP.alg_policy["RSASHA256"])
+        print(PP.alg_policy["ECDSAP256SHA256"])
+
+        # print another named policy
+        print(PP.named_policy["extra"])
+else:
+    print("ERROR: Please provide an input file")
diff --git a/bin/tests/system/keymgr/tests.sh b/bin/tests/system/keymgr/tests.sh
new file mode 100644
index 0000000..667277f
--- /dev/null
+++ b/bin/tests/system/keymgr/tests.sh
@@ -0,0 +1,146 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=1
+
+matchall () {
+    match_result=ok
+    file=$1
+    while IFS="," read expect matchline; do
+	[ -z "$matchline" ] && continue
+	matches=`grep "$matchline" $file | wc -l`
+	[ "$matches" -ne "$expect" ] && {
+	    echo "'$matchline': expected $expect found $matches"
+	    return 1
+	}
+    done << EOF
+    $2
+EOF
+    return 0
+}
+
+echo_i "checking for DNSSEC key coverage issues"
+ret=0
+for dir in [0-9][0-9]-*; do
+	ret=0
+	echo_i "$dir ($n)"
+	kargs= cargs= kmatch= cmatch= kret= cret=0 warn= error= ok=
+	. $dir/expect
+
+	# use policy.conf if available
+	policy=""
+	if [ -e "$dir/policy.conf" ]; then
+		policy="-c $dir/policy.conf"
+		if grep -e "-c policy.conf" $dir/expect > /dev/null
+		then
+			echo_i "fix $dir/expect: multiple policy files"
+			ret=1
+		fi
+	else
+		policy="-c policy.conf"
+	fi
+
+	# run keymgr to update keys
+	if [ "$CYGWIN" ]; then
+	    $KEYMGR $policy -K $dir -g `cygpath -w $KEYGEN` \
+		-s `cygpath -w $SETTIME` $kargs > keymgr.$n 2>&1
+	else
+	    $KEYMGR $policy -K $dir -g $KEYGEN \
+		-s $SETTIME $kargs > keymgr.$n 2>&1
+	fi
+	# check that return code matches expectations
+	found=$?
+	if [ $found -ne $kret ]; then
+	    echo "keymgr retcode was $found expected $kret"
+	    ret=1
+	fi
+
+	# check for matches in keymgr output
+	matchall keymgr.$n "$kmatch" || ret=1
+
+	# now check coverage
+	$COVERAGE -K $dir $cargs > coverage.$n 2>&1
+	# check that return code matches expectations
+	found=$?
+	if [ $found -ne $cret ]; then
+	    echo "coverage retcode was $found expected $cret"
+	    ret=1
+	fi
+
+	# check for correct number of errors
+	found=`grep ERROR coverage.$n | wc -l`
+	if [ $found -ne $error ]; then
+	    echo "error count was $found expected $error"
+	    ret=1
+	fi
+
+	# check for correct number of warnings
+	found=`grep WARNING coverage.$n | wc -l`
+	if [ $found -ne $warn ]; then
+	    echo "warning count was $found expected $warn"
+	    ret=1
+	fi
+
+	# check for correct number of OKs
+	found=`grep "No errors found" coverage.$n | wc -l`
+	if [ $found -ne $ok ]; then
+	    echo "good count was $found expected $ok"
+	    ret=1
+	fi
+
+	# check for matches in coverage output
+	matchall coverage.$n "$cmatch" || ret=1
+
+	if [ -f $dir/extra.sh ]; then
+	   cd $dir
+	   . ./extra.sh
+	   cd ..
+	fi
+
+	n=`expr $n + 1`
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=`expr $status + $ret`
+done
+
+echo_i "checking domains ending in . ($n)"
+ret=0
+$KEYMGR -g $KEYGEN -s $SETTIME . > keymgr.1.$n 2>&1
+nkeys=`grep dnssec-keygen keymgr.1.$n | wc -l`
+[ "$nkeys" -eq 2 ] || ret=1
+$KEYMGR -g $KEYGEN -s $SETTIME . > keymgr.2.$n 2>&1
+nkeys=`grep dnssec-keygen keymgr.2.$n | wc -l`
+[ "$nkeys" -eq 0 ] || ret=1
+$KEYMGR -g $KEYGEN -s $SETTIME example.com. > keymgr.3.$n 2>&1
+nkeys=`grep dnssec-keygen keymgr.3.$n | wc -l`
+[ "$nkeys" -eq 2 ] || ret=1
+$KEYMGR -g $KEYGEN -s $SETTIME example.com. > keymgr.4.$n 2>&1
+nkeys=`grep dnssec-keygen keymgr.4.$n | wc -l`
+[ "$nkeys" -eq 0 ] || ret=1
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+echo_i "checking policy.conf parser ($n)"
+ret=0
+PYTHONPATH="../../../python:$PYTHONPATH" ${PYTHON} testpolicy.py policy.sample > policy.out
+$DOS2UNIX policy.out > /dev/null 2>&1
+cmp -s policy.good policy.out || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/keymgr2kasp/README b/bin/tests/system/keymgr2kasp/README
new file mode 100644
index 0000000..f941209
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/README
@@ -0,0 +1,17 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0.  If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+
+The test setup for migrating to KASP tests.
+
+ns3 is an authoritative server for the various test domains.
+
+ns4 is an authoritative server that tests a specific case where zones
+using views migrate to dnssec-policy.
diff --git a/bin/tests/system/keymgr2kasp/clean.sh b/bin/tests/system/keymgr2kasp/clean.sh
new file mode 100644
index 0000000..1fe2bb9
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/clean.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+rm -f ns*/K*.private ns*/K*.key ns*/K*.state
+rm -f ns*/named.conf ns*/kasp.conf
+rm -f ns*/named.memstats ns*/named.run
+rm -f ns*/keygen.out* ns*/signer.out*
+rm -f ns*/zones
+rm -f ns*/dsset-*
+rm -f ns*/*.db ns*/*.db.jnl ns*/*.db.jbk
+rm -f ns*/*.db.signed* ns*/*.db.infile
+rm -f ns*/managed-keys.bind*
+rm -f ns*/*.mkeys*
+rm -f ./*.created
+rm -f ./created.key-*
+rm -f ./dig.out*
+rm -f ./python.out.*
+rm -f ./retired.*
+rm -f ./rndc.dnssec.*
+rm -f ./unused.key*
+rm -f ./verify.out.*
+
diff --git a/bin/tests/system/keymgr2kasp/ns3/kasp.conf.in b/bin/tests/system/keymgr2kasp/ns3/kasp.conf.in
new file mode 100644
index 0000000..0dae201
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/ns3/kasp.conf.in
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "migrate" {
+	dnskey-ttl 7200;
+
+	keys {
+		ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+		zsk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
+	};
+};
+
+dnssec-policy "timing-metadata" {
+	dnskey-ttl 300;
+
+	signatures-refresh P1W;
+	signatures-validity P2W;
+	signatures-validity-dnskey P2W;
+
+	keys {
+		ksk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
+		zsk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
+	};
+
+	// Together 12h
+	zone-propagation-delay 3600;
+	max-zone-ttl 11h;
+
+	// Together 3h
+	parent-propagation-delay pt1h;
+	parent-ds-ttl 7200;
+};
+
+/*
+ * This policy tests migration from existing keys with 1024 bits RSASHA1 keys
+ * to ECDSAP256SHA256 keys.
+ */
+dnssec-policy "migrate-nomatch-algnum" {
+	dnskey-ttl 300;
+
+	keys {
+		ksk key-directory lifetime unlimited algorithm ecdsa256;
+		zsk key-directory lifetime P60D algorithm ecdsa256;
+	};
+
+	// Together 12h
+	zone-propagation-delay 3600;
+	max-zone-ttl 11h;
+
+	// Together 3h
+	parent-propagation-delay pt1h;
+	parent-ds-ttl 7200;
+};
+
+/*
+ * This policy tests migration from existing keys with 2048 bits RSASHA256 keys
+ * to 3072 bits RSASHA256 keys.
+ */
+dnssec-policy "migrate-nomatch-alglen" {
+	dnskey-ttl 300;
+
+	keys {
+		ksk key-directory lifetime unlimited algorithm rsasha256 3072;
+		zsk key-directory lifetime P60D algorithm rsasha256 3072;
+	};
+
+	// Together 12h
+	zone-propagation-delay 3600;
+	max-zone-ttl 11h;
+
+	// Together 3h
+	parent-propagation-delay pt1h;
+	parent-ds-ttl 7200;
+};
diff --git a/bin/tests/system/keymgr2kasp/ns3/named.conf.in b/bin/tests/system/keymgr2kasp/ns3/named.conf.in
new file mode 100644
index 0000000..5a71a87
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/ns3/named.conf.in
@@ -0,0 +1,98 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	allow-transfer { any; };
+	recursion no;
+	key-directory ".";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+/* These are zones that migrate to dnssec-policy. */
+zone "migrate.kasp" {
+	type primary;
+	file "migrate.kasp.db";
+	auto-dnssec maintain;
+	allow-update { any; };
+	dnssec-dnskey-kskonly yes;
+	update-check-ksk yes;
+};
+
+zone "csk.kasp" {
+	type primary;
+	file "csk.kasp.db";
+	auto-dnssec maintain;
+	allow-update { any; };
+	dnssec-dnskey-kskonly no;
+};
+
+zone "csk-nosep.kasp" {
+	type primary;
+	file "csk-nosep.kasp.db";
+	auto-dnssec maintain;
+	allow-update { any; };
+	dnssec-dnskey-kskonly no;
+};
+
+zone "rumoured.kasp" {
+	type primary;
+	file "rumoured.kasp.db";
+	auto-dnssec maintain;
+	allow-update { any; };
+	dnssec-dnskey-kskonly yes;
+	update-check-ksk yes;
+};
+
+zone "omnipresent.kasp" {
+	type primary;
+	file "omnipresent.kasp.db";
+	auto-dnssec maintain;
+	allow-update { any; };
+	dnssec-dnskey-kskonly yes;
+	update-check-ksk yes;
+};
+
+zone "migrate-nomatch-algnum.kasp" {
+	type primary;
+	file "migrate-nomatch-algnum.kasp.db";
+	auto-dnssec maintain;
+	allow-update { any; };
+	dnssec-dnskey-kskonly yes;
+	update-check-ksk yes;
+};
+
+zone "migrate-nomatch-alglen.kasp" {
+	type primary;
+	file "migrate-nomatch-alglen.kasp.db";
+	auto-dnssec maintain;
+	allow-update { any; };
+	dnssec-dnskey-kskonly yes;
+	update-check-ksk yes;
+};
diff --git a/bin/tests/system/keymgr2kasp/ns3/named2.conf.in b/bin/tests/system/keymgr2kasp/ns3/named2.conf.in
new file mode 100644
index 0000000..8d5aecb
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/ns3/named2.conf.in
@@ -0,0 +1,87 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+include "kasp.conf";
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	allow-transfer { any; };
+	recursion no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+/* These are zones that migrate to dnssec-policy. */
+zone "migrate.kasp" {
+	type primary;
+	file "migrate.kasp.db";
+	allow-update { any; };
+	dnssec-policy "migrate";
+};
+
+zone "csk.kasp" {
+	type primary;
+	file "csk.kasp.db";
+	allow-update { any; };
+	dnssec-policy "default";
+};
+
+zone "csk-nosep.kasp" {
+	type primary;
+	file "csk-nosep.kasp.db";
+	allow-update { any; };
+	dnssec-policy "default";
+};
+
+zone "rumoured.kasp" {
+	type primary;
+	file "rumoured.kasp.db";
+	allow-update { any; };
+	dnssec-policy "timing-metadata";
+};
+
+zone "omnipresent.kasp" {
+	type primary;
+	file "omnipresent.kasp.db";
+	allow-update { any; };
+	dnssec-policy "timing-metadata";
+};
+
+zone "migrate-nomatch-algnum.kasp" {
+	type primary;
+	file "migrate-nomatch-algnum.kasp.db";
+	allow-update { any; };
+	dnssec-policy "migrate-nomatch-algnum";
+};
+
+zone "migrate-nomatch-alglen.kasp" {
+	type primary;
+	file "migrate-nomatch-alglen.kasp.db";
+	allow-update { any; };
+	dnssec-policy "migrate-nomatch-alglen";
+};
diff --git a/bin/tests/system/keymgr2kasp/ns3/setup.sh b/bin/tests/system/keymgr2kasp/ns3/setup.sh
new file mode 100644
index 0000000..6c1d0a5
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/ns3/setup.sh
@@ -0,0 +1,131 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+echo_i "ns3/setup.sh"
+
+setup() {
+	zone="$1"
+	echo_i "setting up zone: $zone"
+	zonefile="${zone}.db"
+	infile="${zone}.db.infile"
+}
+
+# Make lines shorter by storing key states in environment variables.
+H="HIDDEN"
+R="RUMOURED"
+O="OMNIPRESENT"
+U="UNRETENTIVE"
+
+# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy.
+setup migrate.kasp
+echo "$zone" >> zones
+ksktimes="-P now -A now -P sync now"
+zsktimes="-P now -A now"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200        $zsktimes $zone 2> keygen.out.$zone.2)
+cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
+# Set up Single-Type Signing Scheme zones with auto-dnssec maintain to
+# migrate to dnssec-policy. This is a zone that has 'update-check-ksk no;'
+# configured, meaning the zone is signed with a single CSK.
+setup csk.kasp
+echo "$zone" >> zones
+csktimes="-P now -A now -P sync now"
+CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $csktimes $zone 2> keygen.out.$zone.1)
+cat template.db.in "${CSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+$SIGNER -S -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
+setup csk-nosep.kasp
+echo "$zone" >> zones
+csktimes="-P now -A now -P sync now"
+CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $csktimes $zone 2> keygen.out.$zone.1)
+cat template.db.in "${CSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+$SIGNER -S -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
+# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
+# time the existing keys do not match the policy.  The existing keys are
+# RSASHA256 keys, and will be migrated to a dnssec-policy that dictates
+# ECDSAP256SHA256 keys.
+setup migrate-nomatch-algnum.kasp
+echo "$zone" >> zones
+Tds="now-3h"     # Time according to dnssec-policy that DS will be OMNIPRESENT
+Tkey="now-3900s" # DNSKEY TTL + propagation delay
+Tsig="now-12h"   # Zone's maximum TTL + propagation delay
+ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
+zsktimes="-P ${Tkey} -A ${Tsig}"
+KSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300        $zsktimes $zone 2> keygen.out.$zone.2)
+cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone 5 "$KSK" >> "$infile"
+private_type_record $zone 5 "$ZSK" >> "$infile"
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
+# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
+# time the existing keys do not match the policy.  The existing keys are
+# 2048 bits RSASHA256 keys, and will be migrated to a dnssec-policy that
+# dictates 3072 bits RSASHA256 keys.
+setup migrate-nomatch-alglen.kasp
+echo "$zone" >> zones
+Tds="now-3h"     # Time according to dnssec-policy that DS will be OMNIPRESENT
+Tkey="now-3900s" # DNSKEY TTL + propagation delay
+Tsig="now-12h"   # Zone's maximum TTL + propagation delay
+ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
+zsktimes="-P ${Tkey} -A ${Tsig}"
+KSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300        $zsktimes $zone 2> keygen.out.$zone.2)
+cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone 5 "$KSK" >> "$infile"
+private_type_record $zone 5 "$ZSK" >> "$infile"
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
+#
+# Set up zones to test time metadata correctly sets state.
+#
+
+# Key states expected to be rumoured after migration.
+setup rumoured.kasp
+echo "$zone" >> zones
+Tds="now-2h"
+Tkey="now-300s"
+Tsig="now-11h"
+ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
+zsktimes="-P ${Tkey} -A ${Tsig}"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300        $zsktimes $zone 2> keygen.out.$zone.2)
+cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
+# Key states expected to be omnipresent after migration.
+setup omnipresent.kasp
+echo "$zone" >> zones
+Tds="now-3h"     # Time according to dnssec-policy that DS will be OMNIPRESENT
+Tkey="now-3900s" # DNSKEY TTL + propagation delay
+Tsig="now-12h"   # Zone's maximum TTL + propagation delay
+ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
+zsktimes="-P ${Tkey} -A ${Tsig}"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300        $zsktimes $zone 2> keygen.out.$zone.2)
+cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
diff --git a/bin/tests/system/keymgr2kasp/ns3/template.db.in b/bin/tests/system/keymgr2kasp/ns3/template.db.in
new file mode 100644
index 0000000..010b05b
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/ns3/template.db.in
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@		IN	SOA  mname1. . (
+			1       ; serial
+			20      ; refresh (20 seconds)
+			20      ; retry (20 seconds)
+			1814400 ; expire (3 weeks)
+			3600    ; minimum (1 hour)
+			)
+
+			NS	ns3
+ns3			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+c			A	10.0.0.3
+
diff --git a/bin/tests/system/keymgr2kasp/ns4/named.conf.in b/bin/tests/system/keymgr2kasp/ns4/named.conf.in
new file mode 100644
index 0000000..e478404
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/ns4/named.conf.in
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS4
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	allow-transfer { any; };
+	recursion no;
+	key-directory ".";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+key "external" {
+	algorithm @DEFAULT_HMAC@;
+	secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
+};
+
+key "internal" {
+	algorithm @DEFAULT_HMAC@;
+	secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
+};
+
+view "ext" {
+        match-clients { key "external"; };
+
+	zone "view-rsasha256.kasp" {
+		type master;
+		file "view-rsasha256.kasp.ext.db";
+		auto-dnssec maintain;
+		inline-signing yes;
+		dnssec-dnskey-kskonly yes;
+		update-check-ksk yes;
+	};
+};
+
+view "int" {
+        match-clients { key "internal"; };
+
+	zone "view-rsasha256.kasp" {
+		type master;
+		file "view-rsasha256.kasp.int.db";
+		auto-dnssec maintain;
+		inline-signing yes;
+		dnssec-dnskey-kskonly yes;
+		update-check-ksk yes;
+	};
+};
diff --git a/bin/tests/system/keymgr2kasp/ns4/named2.conf.in b/bin/tests/system/keymgr2kasp/ns4/named2.conf.in
new file mode 100644
index 0000000..538aedc
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/ns4/named2.conf.in
@@ -0,0 +1,89 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS4
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	allow-transfer { any; };
+	recursion no;
+	key-directory ".";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+dnssec-policy "rsasha256" {
+	keys {
+		zsk key-directory lifetime P3M algorithm 8 2048;
+		ksk key-directory lifetime P1Y algorithm 8 2048;
+	};
+
+	dnskey-ttl 300;
+	publish-safety 1h;
+	retire-safety 1h;
+
+	signatures-refresh 5d;
+	signatures-validity 14d;
+	signatures-validity-dnskey 14d;
+
+	max-zone-ttl 1d;
+	zone-propagation-delay 300;
+
+	parent-ds-ttl 86400;
+	parent-propagation-delay 3h;
+};
+
+key "external" {
+	algorithm @DEFAULT_HMAC@;
+	secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
+};
+
+key "internal" {
+	algorithm @DEFAULT_HMAC@;
+	secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
+};
+
+view "ext" {
+        match-clients { key "external"; };
+
+	zone "view-rsasha256.kasp" {
+		type master;
+		file "view-rsasha256.kasp.ext.db";
+		inline-signing yes;
+		dnssec-policy "rsasha256";
+	};
+};
+
+view "int" {
+        match-clients { key "internal"; };
+
+	zone "view-rsasha256.kasp" {
+		type master;
+		file "view-rsasha256.kasp.int.db";
+		inline-signing yes;
+		dnssec-policy "rsasha256";
+	};
+};
diff --git a/bin/tests/system/keymgr2kasp/ns4/setup.sh b/bin/tests/system/keymgr2kasp/ns4/setup.sh
new file mode 100644
index 0000000..63121a0
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/ns4/setup.sh
@@ -0,0 +1,46 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+echo_i "ns4/setup.sh"
+
+# Make lines shorter by storing key states in environment variables.
+H="HIDDEN"
+R="RUMOURED"
+O="OMNIPRESENT"
+U="UNRETENTIVE"
+
+zone="view-rsasha256.kasp"
+algo="RSASHA256"
+num="8"
+echo "$zone" >> zones
+
+# Set up zones in views with auto-dnssec maintain to migrate to dnssec-policy.
+# The keys for these zones are in use long enough that they should start a
+# rollover for the ZSK (P3M), but not long enough to initiate a KSK rollover (P1Y).
+ksktimes="-P -186d -A -186d -P sync -186d"
+zsktimes="-P -186d -A -186d"
+KSK=$($KEYGEN -a $algo -L 300 -b 2048 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $algo -L 300 -b 2048        $zsktimes $zone 2> keygen.out.$zone.2)
+
+echo_i "setting up zone $zone (external)"
+view="ext"
+zonefile="${zone}.${view}.db"
+cat template.$view.db.in "${KSK}.key" "${ZSK}.key" > "$zonefile"
+
+echo_i "setting up zone $zone (internal)"
+view="int"
+zonefile="${zone}.${view}.db"
+cat template.$view.db.in "${KSK}.key" "${ZSK}.key" > "$zonefile"
diff --git a/bin/tests/system/keymgr2kasp/ns4/template.ext.db.in b/bin/tests/system/keymgr2kasp/ns4/template.ext.db.in
new file mode 100644
index 0000000..eecda2f
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/ns4/template.ext.db.in
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@		IN	SOA  mname1. . (
+			1       ; serial
+			20      ; refresh (20 seconds)
+			20      ; retry (20 seconds)
+			1814400 ; expire (3 weeks)
+			3600    ; minimum (1 hour)
+			)
+
+			NS	ns4
+ns4			A	10.53.0.4
+
+view			TXT	"external"
diff --git a/bin/tests/system/keymgr2kasp/ns4/template.int.db.in b/bin/tests/system/keymgr2kasp/ns4/template.int.db.in
new file mode 100644
index 0000000..3783d64
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/ns4/template.int.db.in
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@		IN	SOA  mname1. . (
+			1       ; serial
+			20      ; refresh (20 seconds)
+			20      ; retry (20 seconds)
+			1814400 ; expire (3 weeks)
+			3600    ; minimum (1 hour)
+			)
+
+			NS	ns4
+ns4			A	10.53.0.4
+
+view			TXT	"internal"
diff --git a/bin/tests/system/keymgr2kasp/setup.sh b/bin/tests/system/keymgr2kasp/setup.sh
new file mode 100644
index 0000000..e43f798
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/setup.sh
@@ -0,0 +1,34 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+set -e
+
+$SHELL clean.sh
+
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+
+copy_setports ns3/kasp.conf.in ns3/kasp.conf
+
+# Setup zones
+(
+	cd ns3
+	$SHELL setup.sh
+)
+(
+	cd ns4
+	$SHELL setup.sh
+)
diff --git a/bin/tests/system/keymgr2kasp/tests.sh b/bin/tests/system/keymgr2kasp/tests.sh
new file mode 100644
index 0000000..62b58a7
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/tests.sh
@@ -0,0 +1,1137 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+# shellcheck source=kasp.sh
+. ../kasp.sh
+
+start_time="$(TZ=UTC date +%s)"
+status=0
+n=0
+
+###############################################################################
+# Utilities                                                                   #
+###############################################################################
+
+# Call dig with default options.
+dig_with_opts() {
+
+	if [ -n "$TSIG" ]; then
+		"$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" -y "$TSIG" "$@"
+	else
+		"$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
+	fi
+}
+
+# Log error and increment failure rate.
+log_error() {
+	echo_i "error: $1"
+	ret=$((ret+1))
+}
+
+# Default next key event threshold. May be extended by wait periods.
+next_key_event_threshold=100
+
+###############################################################################
+# Tests                                                                       #
+###############################################################################
+
+set_retired_removed() {
+	_Lkey=$2
+	_Iret=$3
+
+	_active=$(key_get $1 ACTIVE)
+	set_addkeytime "${1}" "RETIRED" "${_active}"  "${_Lkey}"
+	_retired=$(key_get $1 RETIRED)
+	set_addkeytime "${1}" "REMOVED" "${_retired}" "${_Iret}"
+}
+
+rollover_predecessor_keytimes() {
+	_addtime=$1
+
+	_created=$(key_get KEY1 CREATED)
+
+	set_addkeytime  "KEY1" "PUBLISHED"   "${_created}" "${_addtime}"
+	set_addkeytime  "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}"
+	set_addkeytime  "KEY1" "ACTIVE"      "${_created}" "${_addtime}"
+	[ "$Lksk" = 0 ] || set_retired_removed "KEY1" "${Lksk}" "${IretKSK}"
+
+	_created=$(key_get KEY2 CREATED)
+	set_addkeytime  "KEY2" "PUBLISHED"   "${_created}" "${_addtime}"
+	set_addkeytime  "KEY2" "ACTIVE"      "${_created}" "${_addtime}"
+	[ "$Lzsk" = 0 ] || set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}"
+}
+
+# Policy parameters.
+# Lksk: unlimited
+# Lzsk: unlimited
+Lksk=0
+Lzsk=0
+
+
+#################################################
+# Test state before switching to dnssec-policy. #
+#################################################
+
+# Set expected key properties for migration tests.
+# $1 $2: Algorithm number and string.
+# $3 $4: KSK and ZSK size.
+init_migration_keys() {
+	key_clear        "KEY1"
+	key_set          "KEY1" "LEGACY" "yes"
+	set_keyrole      "KEY1" "ksk"
+	set_keylifetime  "KEY1" "none"
+	set_keyalgorithm "KEY1" "$1" "$2" "$3"
+	set_keysigning   "KEY1" "yes"
+	set_zonesigning  "KEY1" "no"
+
+	key_clear        "KEY2"
+	key_set          "KEY2" "LEGACY" "yes"
+	set_keyrole      "KEY2" "zsk"
+	set_keylifetime  "KEY2" "none"
+	set_keyalgorithm "KEY2" "$1" "$2" "$4"
+	set_keysigning   "KEY2" "no"
+	set_zonesigning  "KEY2" "yes"
+
+	key_clear        "KEY3"
+	key_clear        "KEY4"
+}
+
+# Set expected key states for migration tests.
+# $1: Goal
+# $2: States
+init_migration_states() {
+	set_keystate "KEY1" "GOAL"         "$1"
+	set_keystate "KEY1" "STATE_DNSKEY" "$2"
+	set_keystate "KEY1" "STATE_KRRSIG" "$2"
+	set_keystate "KEY1" "STATE_DS"     "$2"
+
+	set_keystate "KEY2" "GOAL"         "$1"
+	set_keystate "KEY2" "STATE_DNSKEY" "$2"
+	set_keystate "KEY2" "STATE_ZRRSIG" "$2"
+}
+
+#
+# Testing a good migration.
+#
+set_zone "migrate.kasp"
+set_policy "none" "2" "7200"
+set_server "ns3" "10.53.0.3"
+
+init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
+init_migration_states "omnipresent" "rumoured"
+
+# Make sure the zone is signed with legacy keys.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+# These keys are immediately published and activated.
+rollover_predecessor_keytimes 0
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+# Remember legacy key tags.
+_migrate_ksk=$(key_get KEY1 ID)
+_migrate_zsk=$(key_get KEY2 ID)
+
+#
+# Testing a good migration (CSK).
+#
+set_zone "csk.kasp"
+set_policy "none" "1" "7200"
+set_server "ns3" "10.53.0.3"
+
+key_clear        "KEY1"
+key_set          "KEY1" "LEGACY" "yes"
+set_keyrole      "KEY1" "ksk"
+# This key also acts as a ZSK.
+key_set          "KEY1" "ZSK" "yes"
+set_keylifetime  "KEY1" "none"
+set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
+set_keysigning   "KEY1" "yes"
+set_zonesigning  "KEY1" "yes"
+
+set_keystate "KEY1" "GOAL"         "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS"     "rumoured"
+
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+# Make sure the zone is signed with legacy key.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+# The key is immediately published and activated.
+_created=$(key_get KEY1 CREATED)
+set_keytime "KEY1" "PUBLISHED"   "${_created}"
+set_keytime "KEY1" "SYNCPUBLISH" "${_created}"
+set_keytime "KEY1" "ACTIVE"      "${_created}"
+
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+# Remember legacy key tags.
+_migrate_csk=$(key_get KEY1 ID)
+
+#
+# Testing a good migration (CSK, no SEP).
+#
+set_zone "csk-nosep.kasp"
+set_policy "none" "1" "7200"
+set_server "ns3" "10.53.0.3"
+
+key_clear        "KEY1"
+key_set          "KEY1" "LEGACY" "yes"
+set_keyrole      "KEY1" "zsk"
+# Despite the missing SEP bit, this key also acts as a KSK.
+key_set          "KEY1" "KSK" "yes"
+set_keylifetime  "KEY1" "none"
+set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
+set_keysigning   "KEY1" "yes"
+set_zonesigning  "KEY1" "yes"
+
+set_keystate "KEY1" "GOAL"         "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS"     "rumoured"
+
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+# Make sure the zone is signed with legacy key.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+# The key is immediately published and activated.
+_created=$(key_get KEY1 CREATED)
+set_keytime "KEY1" "PUBLISHED"   "${_created}"
+set_keytime "KEY1" "SYNCPUBLISH" "${_created}"
+set_keytime "KEY1" "ACTIVE"      "${_created}"
+
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+# Remember legacy key tags.
+_migrate_csk_nosep=$(key_get KEY1 ID)
+
+#
+# Testing key states derived from key timing metadata (rumoured).
+#
+set_zone "rumoured.kasp"
+set_policy "none" "2" "300"
+set_server "ns3" "10.53.0.3"
+
+init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
+init_migration_states "omnipresent" "rumoured"
+
+# Make sure the zone is signed with legacy keys.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+# Remember legacy key tags.
+_rumoured_ksk=$(key_get KEY1 ID)
+_rumoured_zsk=$(key_get KEY2 ID)
+
+#
+# Testing key states derived from key timing metadata (omnipresent).
+#
+set_zone "omnipresent.kasp"
+set_policy "none" "2" "300"
+set_server "ns3" "10.53.0.3"
+
+init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
+init_migration_states "omnipresent" "omnipresent"
+
+# Make sure the zone is signed with legacy keys.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+# Remember legacy key tags.
+_omnipresent_ksk=$(key_get KEY1 ID)
+_omnipresent_zsk=$(key_get KEY2 ID)
+
+#
+# Testing migration with unmatched existing keys (different algorithm).
+#
+set_zone "migrate-nomatch-algnum.kasp"
+set_policy "none" "2" "300"
+set_server "ns3" "10.53.0.3"
+
+init_migration_keys "8" "RSASHA256" "2048" "2048"
+init_migration_states "omnipresent" "omnipresent"
+
+# Make sure the zone is signed with legacy keys.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# The KSK is immediately published and activated.
+# -P     : now-3900s
+# -P sync: now-3h
+# -A     : now-3900s
+created=$(key_get KEY1 CREATED)
+set_addkeytime "KEY1" "PUBLISHED"   "${created}" -3900
+set_addkeytime "KEY1" "ACTIVE"      "${created}" -3900
+set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
+# The ZSK is immediately published and activated.
+# -P: now-3900s
+# -A: now-12h
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "PUBLISHED"   "${created}" -3900
+set_addkeytime "KEY2" "ACTIVE"      "${created}" -43200
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Remember legacy key tags.
+_migratenomatch_algnum_ksk=$(key_get KEY1 ID)
+_migratenomatch_algnum_zsk=$(key_get KEY2 ID)
+
+#
+# Testing migration with unmatched existing keys (different length).
+#
+set_zone "migrate-nomatch-alglen.kasp"
+set_policy "none" "2" "300"
+set_server "ns3" "10.53.0.3"
+
+init_migration_keys "8" "RSASHA256" "2048" "2048"
+init_migration_states "omnipresent" "omnipresent"
+
+# Make sure the zone is signed with legacy keys.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - The KSK is immediately published and activated.
+#   P     : now-3900s
+#   P sync: now-3h
+#   A     : now-3900s
+created=$(key_get KEY1 CREATED)
+set_addkeytime "KEY1" "PUBLISHED"   "${created}" -3900
+set_addkeytime "KEY1" "ACTIVE"      "${created}" -3900
+set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
+# - The ZSK is immediately published and activated.
+#   P: now-3900s
+#   A: now-12h
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "PUBLISHED"   "${created}" -3900
+set_addkeytime "KEY2" "ACTIVE"      "${created}" -43200
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Remember legacy key tags.
+_migratenomatch_alglen_ksk=$(key_get KEY1 ID)
+_migratenomatch_alglen_zsk=$(key_get KEY2 ID)
+
+
+#############
+# Reconfig. #
+#############
+echo_i "reconfig (migration to dnssec-policy)"
+copy_setports ns3/named2.conf.in ns3/named.conf
+rndc_reconfig ns3 10.53.0.3
+
+# Calculate time passed to correctly check for next key events.
+now="$(TZ=UTC date +%s)"
+time_passed=$((now-start_time))
+echo_i "${time_passed} seconds passed between start of tests and reconfig"
+
+# Wait until we have seen "zone_rekey done:" message for this key.
+_wait_for_done_signing() {
+	_zone=$1
+
+	_ksk=$(key_get $2 KSK)
+	_zsk=$(key_get $2 ZSK)
+	if [ "$_ksk" = "yes" ]; then
+		_role="KSK"
+		_expect_type=EXPECT_KRRSIG
+	elif [ "$_zsk" = "yes" ]; then
+		_role="ZSK"
+		_expect_type=EXPECT_ZRRSIG
+	fi
+
+	if [ "$(key_get ${2} $_expect_type)" = "yes" ] && [ "$(key_get $2 $_role)" = "yes" ]; then
+		_keyid=$(key_get $2 ID)
+		_keyalg=$(key_get $2 ALG_STR)
+		echo_i "wait for zone ${_zone} is done signing with $2 ${_zone}/${_keyalg}/${_keyid}"
+		grep "zone_rekey done: key ${_keyid}/${_keyalg}" "${DIR}/named.run" > /dev/null || return 1
+	fi
+
+	return 0
+}
+wait_for_done_signing() {
+	n=$((n+1))
+	echo_i "wait for zone ${ZONE} is done signing ($n)"
+	ret=0
+
+	retry_quiet 30 _wait_for_done_signing ${ZONE} KEY1 || ret=1
+	retry_quiet 30 _wait_for_done_signing ${ZONE} KEY2 || ret=1
+	retry_quiet 30 _wait_for_done_signing ${ZONE} KEY3 || ret=1
+	retry_quiet 30 _wait_for_done_signing ${ZONE} KEY4 || ret=1
+
+	test "$ret" -eq 0 || echo_i "failed"
+	status=$((status+ret))
+}
+
+
+################################################
+# Test state after switching to dnssec-policy. #
+################################################
+
+# Policy parameters.
+# ZSK now has lifetime of 60 days (5184000 seconds).
+# The key is removed after Iret = TTLsig + Dprp + Dsgn + retire-safety.
+Lzsk=5184000
+IretZSK=867900
+
+#
+# Testing good migration.
+#
+set_zone "migrate.kasp"
+set_policy "migrate" "2" "7200"
+set_server "ns3" "10.53.0.3"
+
+# Key properties, timings and metadata should be the same as legacy keys above.
+# However, because the zsk has a lifetime, kasp will set the retired time.
+init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
+init_migration_states "omnipresent" "rumoured"
+key_set "KEY1" "LEGACY" "no"
+key_set "KEY2" "LEGACY" "no"
+set_keylifetime "KEY1" "${Lksk}"
+set_keylifetime "KEY2" "${Lzsk}"
+
+# Various signing policy checks.
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+rollover_predecessor_keytimes 0
+
+# - Key now has lifetime of 60 days (5184000 seconds).
+#   The key is removed after Iret = TTLsig + Dprp + Dsgn + retire-safety.
+#   TTLsig:        1d (86400 seconds)
+#   Dprp:          5m (300 seconds)
+#   Dsgn:          9d (777600 seconds)
+#   retire-safety: 1h (3600 seconds)
+#   IretZSK:       10d65m (867900 seconds)
+active=$(key_get KEY2 ACTIVE)
+set_addkeytime "KEY2" "RETIRED"     "${active}"  "${Lzsk}"
+retired=$(key_get KEY2 RETIRED)
+set_addkeytime "KEY2" "REMOVED"     "${retired}" "${IretZSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Check key tags, should be the same.
+n=$((n+1))
+echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)"
+ret=0
+[ $_migrate_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
+[ $_migrate_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+#
+# Testing a good migration (CSK).
+#
+set_zone "csk.kasp"
+set_policy "default" "1" "7200"
+set_server "ns3" "10.53.0.3"
+
+key_clear        "KEY1"
+key_set          "KEY1" "LEGACY" "no"
+set_keyrole      "KEY1" "csk"
+set_keylifetime  "KEY1" "0"
+set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
+set_keysigning   "KEY1" "yes"
+set_zonesigning  "KEY1" "yes"
+
+set_keystate "KEY1" "GOAL"         "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS"     "rumoured"
+
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+# Various signing policy checks.
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# The key was immediately published and activated.
+_created=$(key_get KEY1 CREATED)
+set_keytime "KEY1" "PUBLISHED"   "${_created}"
+set_keytime "KEY1" "SYNCPUBLISH" "${_created}"
+set_keytime "KEY1" "ACTIVE"      "${_created}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Check key tags, should be the same.
+n=$((n+1))
+echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same key ($n)"
+ret=0
+[ $_migrate_csk = $(key_get KEY1 ID) ] || log_error "mismatch csk tag"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+#
+# Testing a good migration (CSK, no SEP).
+#
+set_zone "csk-nosep.kasp"
+set_policy "default" "1" "7200"
+set_server "ns3" "10.53.0.3"
+
+key_clear        "KEY1"
+key_set          "KEY1" "LEGACY" "no"
+set_keyrole      "KEY1" "csk"
+key_set          "KEY1" "FLAGS" "256"
+set_keylifetime  "KEY1" "0"
+set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
+set_keysigning   "KEY1" "yes"
+set_zonesigning  "KEY1" "yes"
+
+set_keystate "KEY1" "GOAL"         "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS"     "rumoured"
+
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+# Various signing policy checks.
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# The key was immediately published and activated.
+_created=$(key_get KEY1 CREATED)
+set_keytime "KEY1" "PUBLISHED"   "${_created}"
+set_keytime "KEY1" "SYNCPUBLISH" "${_created}"
+set_keytime "KEY1" "ACTIVE"      "${_created}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Check key tags, should be the same.
+n=$((n+1))
+echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same key ($n)"
+ret=0
+[ $_migrate_csk_nosep = $(key_get KEY1 ID) ] || log_error "mismatch csk tag"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+#
+# Test migration to dnssec-policy, existing keys do not match key algorithm.
+#
+set_zone "migrate-nomatch-algnum.kasp"
+set_policy "migrate-nomatch-algnum" "4" "300"
+set_server "ns3" "10.53.0.3"
+# The legacy keys need to be retired, but otherwise stay present until the
+# new keys are omnipresent, and can be used to construct a chain of trust.
+init_migration_keys "8" "RSASHA256" "2048" "2048"
+init_migration_states "hidden" "omnipresent"
+key_set "KEY1" "LEGACY" "no"
+key_set "KEY2" "LEGACY" "no"
+
+set_keyrole      "KEY3" "ksk"
+set_keylifetime  "KEY3" "0"
+set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
+set_keysigning   "KEY3" "yes"
+set_zonesigning  "KEY3" "no"
+
+set_keyrole      "KEY4" "zsk"
+set_keylifetime  "KEY4" "5184000"
+set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256"
+set_keysigning   "KEY4" "no"
+set_zonesigning  "KEY4" "yes"
+
+set_keystate "KEY3" "GOAL"         "omnipresent"
+set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY3" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY3" "STATE_DS"     "hidden"
+
+set_keystate "KEY4" "GOAL"         "omnipresent"
+set_keystate "KEY4" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY4" "STATE_ZRRSIG" "rumoured"
+
+# Various signing policy checks.
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - KSK must be retired since it no longer matches the policy.
+#   P     : now-3900s
+#   P sync: now-3h
+#   A     : now-3900s
+# - The key is removed after the retire interval:
+#   IretKSK = TTLds + DprpP + retire_safety.
+#   TTLds:         2h (7200 seconds)
+#   Dprp:          1h (3600 seconds)
+#   retire-safety: 1h (3600 seconds)
+#   IretKSK:       4h (14400 seconds)
+IretKSK=14400
+created=$(key_get KEY1 CREATED)
+set_addkeytime "KEY1" "PUBLISHED"   "${created}" -3900
+set_addkeytime "KEY1" "ACTIVE"      "${created}" -3900
+set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
+keyfile=$(key_get KEY1 BASEFILE)
+grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk
+retired=$(awk '{print $3}' < retired.test${n}.ksk)
+set_keytime    "KEY1" "RETIRED" "${retired}"
+set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
+# - ZSK must be retired since it no longer matches the policy.
+#   P: now-3900s
+#   A: now-12h
+# - The key is removed after the retire interval:
+#   IretZSK = TTLsig + Dprp + Dsgn + retire-safety.
+#   TTLsig:        11h (39600 seconds)
+#   Dprp:          1h (3600 seconds)
+#   Dsgn:          9d (777600 seconds)
+#   retire-safety: 1h (3600 seconds)
+#   IretZSK:       9d13h (824400 seconds)
+IretZSK=824400
+Lzsk=5184000
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "PUBLISHED"   "${created}" -3900
+set_addkeytime "KEY2" "ACTIVE"      "${created}" -43200
+keyfile=$(key_get KEY2 BASEFILE)
+grep "; Inactive:" "${keyfile}.key" > retired.test${n}.zsk
+retired=$(awk '{print $3}' < retired.test${n}.zsk)
+set_keytime    "KEY2" "RETIRED" "${retired}"
+set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
+# - The new KSK is immediately published and activated.
+created=$(key_get KEY3 CREATED)
+set_keytime    "KEY3" "PUBLISHED"   "${created}"
+set_keytime    "KEY3" "ACTIVE"      "${created}"
+# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
+#   TTLsig:         11h (39600 seconds)
+#   Dprp:           1h (3600 seconds)
+#   publish-safety: 1h (3600 seconds)
+#   Ipub:           13h (46800 seconds)
+Ipub=46800
+set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}"
+# - The ZSK is immediately published and activated.
+created=$(key_get KEY4 CREATED)
+set_keytime    "KEY4" "PUBLISHED"   "${created}"
+set_keytime    "KEY4" "ACTIVE"      "${created}"
+active=$(key_get KEY4 ACTIVE)
+set_addkeytime "KEY4" "RETIRED"     "${active}"  "${Lzsk}"
+retired=$(key_get KEY4 RETIRED)
+set_addkeytime "KEY4" "REMOVED"     "${retired}" "${IretZSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Check key tags, should be the same.
+n=$((n+1))
+echo_i "check that of zone ${ZONE} migration to dnssec-policy keeps existing keys ($n)"
+ret=0
+[ $_migratenomatch_algnum_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
+[ $_migratenomatch_algnum_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+#
+# Test migration to dnssec-policy, existing keys do not match key length.
+#
+set_zone "migrate-nomatch-alglen.kasp"
+set_policy "migrate-nomatch-alglen" "4" "300"
+set_server "ns3" "10.53.0.3"
+
+# The legacy keys need to be retired, but otherwise stay present until the
+# new keys are omnipresent, and can be used to construct a chain of trust.
+init_migration_keys "8" "RSASHA256" "2048" "2048"
+init_migration_states "hidden" "omnipresent"
+key_set "KEY1" "LEGACY" "no"
+key_set "KEY2" "LEGACY" "no"
+
+set_keyrole      "KEY3" "ksk"
+set_keylifetime  "KEY3" "0"
+set_keyalgorithm "KEY3" "8" "RSASHA256" "3072"
+set_keysigning   "KEY3" "yes"
+set_zonesigning  "KEY3" "no"
+
+set_keyrole      "KEY4" "zsk"
+set_keylifetime  "KEY4" "5184000"
+set_keyalgorithm "KEY4" "8" "RSASHA256" "3072"
+set_keysigning   "KEY4" "no"
+# This key is considered to be prepublished, so it is not yet signing.
+set_zonesigning  "KEY4" "no"
+
+set_keystate "KEY3" "GOAL"         "omnipresent"
+set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY3" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY3" "STATE_DS"     "hidden"
+
+set_keystate "KEY4" "GOAL"         "omnipresent"
+set_keystate "KEY4" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY4" "STATE_ZRRSIG" "hidden"
+
+# Various signing policy checks.
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - KSK must be retired since it no longer matches the policy.
+#   P     : now-3900s
+#   P sync: now-3h
+#   A     : now-3900s
+# - The key is removed after the retire interval:
+#   IretKSK = TTLds + DprpP + retire_safety.
+#   TTLds:         2h (7200 seconds)
+#   Dprp:          1h (3600 seconds)
+#   retire-safety: 1h (3600 seconds)
+#   IretKSK:       4h (14400 seconds)
+IretKSK=14400
+created=$(key_get KEY1 CREATED)
+set_addkeytime "KEY1" "PUBLISHED"   "${created}" -3900
+set_addkeytime "KEY1" "ACTIVE"      "${created}" -3900
+set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
+keyfile=$(key_get KEY1 BASEFILE)
+grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk
+retired=$(awk '{print $3}' < retired.test${n}.ksk)
+set_keytime    "KEY1" "RETIRED" "${retired}"
+set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
+# - ZSK must be retired since it no longer matches the policy.
+#   P: now-3900s
+#   A: now-12h
+# - The key is removed after the retire interval:
+#   IretZSK = TTLsig + Dprp + Dsgn + retire-safety.
+#   TTLsig:         11h (39600 seconds)
+#   Dprp:           1h (3600 seconds)
+#   Dsgn:           9d (777600 seconds)
+#   publish-safety: 1h (3600 seconds)
+#   IretZSK:        9d13h (824400 seconds)
+IretZSK=824400
+Lzsk=5184000
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "PUBLISHED"   "${created}" -3900
+set_addkeytime "KEY2" "ACTIVE"      "${created}" -43200
+keyfile=$(key_get KEY2 BASEFILE)
+grep "; Inactive:" "${keyfile}.key" > retired.test${n}.zsk
+retired=$(awk '{print $3}' < retired.test${n}.zsk)
+set_keytime    "KEY2" "RETIRED" "${retired}"
+set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
+# - The new KSK is immediately published and activated.
+created=$(key_get KEY3 CREATED)
+set_keytime    "KEY3" "PUBLISHED"   "${created}"
+set_keytime    "KEY3" "ACTIVE"      "${created}"
+# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
+#   TTLsig:         11h (39600 seconds)
+#   Dprp:           1h (3600 seconds)
+#   publish-safety: 1h (3600 seconds)
+#   Ipub:           13h (46800 seconds)
+Ipub=46800
+set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}"
+# - The ZSK is immediately published and activated.
+created=$(key_get KEY4 CREATED)
+set_keytime    "KEY4" "PUBLISHED"   "${created}"
+set_keytime    "KEY4" "ACTIVE"      "${created}"
+active=$(key_get KEY4 ACTIVE)
+set_addkeytime "KEY4" "RETIRED"     "${active}"  "${Lzsk}"
+retired=$(key_get KEY4 RETIRED)
+set_addkeytime "KEY4" "REMOVED"     "${retired}" "${IretZSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Check key tags, should be the same.
+n=$((n+1))
+echo_i "check that of zone ${ZONE} migration to dnssec-policy keeps existing keys ($n)"
+ret=0
+[ $_migratenomatch_alglen_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
+[ $_migratenomatch_alglen_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+########################################################
+# Testing key states derived from key timing metadata. #
+########################################################
+
+# Policy parameters.
+# KSK has lifetime of 60 days (5184000 seconds).
+# The KSK is removed after Iret = DprpP + TTLds + retire-safety =
+# 4h = 14400 seconds.
+Lksk=5184000
+IretKSK=14400
+# ZSK has lifetime of 60 days (5184000 seconds).
+# The ZSK is removed after Iret = TTLsig + Dprp + Dsgn + retire-safety =
+# 181h = 651600 seconds.
+Lzsk=5184000
+IretZSK=651600
+
+#
+# Testing rumoured state.
+#
+set_zone "rumoured.kasp"
+set_policy "timing-metadata" "2" "300"
+set_server "ns3" "10.53.0.3"
+
+# Key properties, timings and metadata should be the same as legacy keys above.
+init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
+init_migration_states "omnipresent" "rumoured"
+key_set "KEY1" "LEGACY" "no"
+key_set "KEY2" "LEGACY" "no"
+set_keylifetime "KEY1" "${Lksk}"
+set_keylifetime "KEY2" "${Lzsk}"
+
+# Various signing policy checks.
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+#
+# Tds="now-2h"    (7200)
+# Tkey="now-300s" (300)
+# Tsig="now-11h"  (39600)
+created=$(key_get KEY1 CREATED)
+set_addkeytime      "KEY1" "PUBLISHED"   "${created}" -300
+set_addkeytime      "KEY1" "ACTIVE"      "${created}" -300
+set_addkeytime      "KEY1" "SYNCPUBLISH" "${created}"  -7200
+set_retired_removed "KEY1" "${Lksk}" "${IretKSK}"
+created=$(key_get KEY2 CREATED)
+set_addkeytime      "KEY2" "PUBLISHED"   "${created}"  -300
+set_addkeytime      "KEY2" "ACTIVE"      "${created}"  -39600
+set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Check key tags, should be the same.
+n=$((n+1))
+echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)"
+ret=0
+[ $_rumoured_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
+[ $_rumoured_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+#
+# Testing omnipresent state.
+#
+set_zone "omnipresent.kasp"
+set_policy "timing-metadata" "2" "300"
+set_server "ns3" "10.53.0.3"
+
+# Key properties, timings and metadata should be the same as legacy keys above.
+init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
+init_migration_states "omnipresent" "omnipresent"
+key_set "KEY1" "LEGACY" "no"
+key_set "KEY2" "LEGACY" "no"
+set_keylifetime "KEY1" "${Lksk}"
+set_keylifetime "KEY2" "${Lzsk}"
+
+# Various signing policy checks.
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+#
+# Tds="now-3h"     (10800)
+# Tkey="now-3900s" (3900)
+# Tsig="now-12h"   (43200)
+created=$(key_get KEY1 CREATED)
+set_addkeytime      "KEY1" "PUBLISHED"   "${created}" -3900
+set_addkeytime      "KEY1" "ACTIVE"      "${created}" -3900
+set_addkeytime      "KEY1" "SYNCPUBLISH" "${created}"  -10800
+set_retired_removed "KEY1" "${Lksk}" "${IretKSK}"
+created=$(key_get KEY2 CREATED)
+set_addkeytime      "KEY2" "PUBLISHED"   "${created}"  -3900
+set_addkeytime      "KEY2" "ACTIVE"      "${created}"  -43200
+set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Check key tags, should be the same.
+n=$((n+1))
+echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)"
+ret=0
+[ $_omnipresent_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
+[ $_omnipresent_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+
+######################################
+# Testing good migration with views. #
+######################################
+init_view_migration() {
+	key_clear        "KEY1"
+	key_set          "KEY1" "LEGACY" "yes"
+	set_keyrole      "KEY1" "ksk"
+	set_keylifetime  "KEY1" "0"
+	set_keysigning   "KEY1" "yes"
+	set_zonesigning  "KEY1" "no"
+
+	key_clear        "KEY2"
+	key_set          "KEY2" "LEGACY" "yes"
+	set_keyrole      "KEY2" "zsk"
+	set_keylifetime  "KEY2" "0"
+	set_keysigning   "KEY2" "no"
+	set_zonesigning  "KEY2" "yes"
+
+	key_clear        "KEY3"
+	key_clear        "KEY4"
+
+	set_keystate "KEY1" "GOAL"         "omnipresent"
+	set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+	set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+	set_keystate "KEY1" "STATE_DS"     "rumoured"
+
+	set_keystate "KEY2" "GOAL"         "omnipresent"
+	set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
+	set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
+}
+
+set_keytimes_view_migration() {
+	# Key is six months in use.
+	created=$(key_get KEY1 CREATED)
+	set_addkeytime "KEY1" "PUBLISHED"   "${created}" -16070400
+	set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -16070400
+	set_addkeytime "KEY1" "ACTIVE"      "${created}" -16070400
+	created=$(key_get KEY2 CREATED)
+	set_addkeytime "KEY2" "PUBLISHED"   "${created}" -16070400
+	set_addkeytime "KEY2" "ACTIVE"      "${created}" -16070400
+}
+
+# Zone view.rsasha256.kasp (external)
+set_zone "view-rsasha256.kasp"
+set_policy "rsasha256" "2" "300"
+set_server "ns4" "10.53.0.4"
+init_view_migration
+set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
+set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
+TSIG="$DEFAULT_HMAC:external:$VIEW1"
+wait_for_nsec
+# Make sure the zone is signed with legacy keys.
+check_keys
+set_keytimes_view_migration
+check_keytimes
+dnssec_verify
+
+n=$((n+1))
+# check subdomain
+echo_i "check TXT $ZONE (view ext) rrset is signed correctly ($n)"
+ret=0
+dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
+grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response"
+grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*external" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response"
+check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Remember legacy key tags.
+_migrate_ext8_ksk=$(key_get KEY1 ID)
+_migrate_ext8_zsk=$(key_get KEY2 ID)
+
+# Zone view.rsasha256.kasp (internal)
+set_zone "view-rsasha256.kasp"
+set_policy "rsasha256" "2" "300"
+set_server "ns4" "10.53.0.4"
+init_view_migration
+set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
+set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
+TSIG="$DEFAULT_HMAC:internal:$VIEW2"
+wait_for_nsec
+# Make sure the zone is signed with legacy keys.
+check_keys
+set_keytimes_view_migration
+check_keytimes
+dnssec_verify
+
+n=$((n+1))
+# check subdomain
+echo_i "check TXT $ZONE (view int) rrset is signed correctly ($n)"
+ret=0
+dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
+grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response"
+grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*internal" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response"
+check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Remember legacy key tags.
+_migrate_int8_ksk=$(key_get KEY1 ID)
+_migrate_int8_zsk=$(key_get KEY2 ID)
+
+# Reconfig dnssec-policy.
+echo_i "reconfig to switch to dnssec-policy"
+copy_setports ns4/named2.conf.in ns4/named.conf
+rndc_reconfig ns4 10.53.0.4
+
+# Calculate time passed to correctly check for next key events.
+now="$(TZ=UTC date +%s)"
+time_passed=$((now-start_time))
+echo_i "${time_passed} seconds passed between start of tests and reconfig"
+
+#
+# Testing migration (RSASHA256, views).
+#
+set_zone "view-rsasha256.kasp"
+set_policy "rsasha256" "3" "300"
+set_server "ns4" "10.53.0.4"
+init_migration_keys "8" "RSASHA256" "2048" "2048"
+init_migration_states "omnipresent" "rumoured"
+# Key properties, timings and metadata should be the same as legacy keys above.
+# However, because the keys have a lifetime, kasp will set the retired time.
+key_set          "KEY1" "LEGACY" "no"
+set_keylifetime  "KEY1" "31536000"
+set_keystate     "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate     "KEY1" "STATE_KRRSIG" "omnipresent"
+set_keystate     "KEY1" "STATE_DS"     "omnipresent"
+
+key_set          "KEY2" "LEGACY" "no"
+set_keylifetime  "KEY2" "8035200"
+set_keystate     "KEY2" "STATE_DNSKEY" "omnipresent"
+set_keystate     "KEY2" "STATE_ZRRSIG" "omnipresent"
+# The ZSK needs to be replaced.
+set_keystate     "KEY2" "GOAL" "hidden"
+set_keystate     "KEY3" "GOAL" "omnipresent"
+set_keyrole      "KEY3" "zsk"
+set_keylifetime  "KEY3" "8035200"
+set_keyalgorithm "KEY3" "8" "RSASHA256" "2048"
+set_keysigning   "KEY3" "no"
+set_zonesigning  "KEY3" "no" # not yet
+set_keystate     "KEY3" "STATE_DNSKEY" "rumoured"
+set_keystate     "KEY3" "STATE_ZRRSIG" "hidden"
+
+# Various signing policy checks (external).
+TSIG="$DEFAULT_HMAC:external:$VIEW1"
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "ext"
+set_keytimes_view_migration
+
+# Set expected key times:
+published=$(key_get KEY1 PUBLISHED)
+set_keytime "KEY1" "ACTIVE"      "${published}"
+set_keytime "KEY1" "SYNCPUBLISH" "${published}"
+# Lifetime: 1 year (8035200 seconds)
+active=$(key_get KEY1 ACTIVE)
+set_addkeytime "KEY1" "RETIRED" "${active}"  "31536000"
+# Retire interval:
+# DS TTL:                  1d
+# Parent zone propagation: 3h
+# Retire safety:           1h
+# Total:                   100800 seconds
+retired=$(key_get KEY1 RETIRED)
+set_addkeytime "KEY1" "REMOVED" "${retired}" "100800"
+
+published=$(key_get KEY2 PUBLISHED)
+set_keytime "KEY2" "ACTIVE" "${published}"
+# Lifetime: 3 months (8035200 seconds)
+active=$(key_get KEY2 ACTIVE)
+set_addkeytime "KEY2" "RETIRED" "${active}" "8035200"
+# Retire interval:
+# Sign delay:             9d (14-5)
+# Max zone TTL:           1d
+# Retire safety:          1h
+# Zone propagation delay: 300s
+# Total:                  867900 seconds
+retired=$(key_get KEY2 RETIRED)
+set_addkeytime "KEY2" "REMOVED" "${retired}" "867900"
+
+created=$(key_get KEY3 CREATED)
+set_keytime    "KEY3" "PUBLISHED" "${created}"
+# Publication interval:
+# DNSKEY TTL:             300s
+# Publish safety:         1h
+# Zone propagation delay: 300s
+# Total:                  4200 seconds
+set_addkeytime "KEY3" "ACTIVE" "${created}" "4200"
+# Lifetime: 3 months (8035200 seconds)
+active=$(key_get KEY3 ACTIVE)
+set_addkeytime "KEY3" "RETIRED" "${active}" "8035200"
+# Retire interval:
+# Sign delay:             9d (14-5)
+# Max zone TTL:           1d
+# Retire safety:          1h
+# Zone propagation delay: 300s
+# Total:                  867900 seconds
+retired=$(key_get KEY3 RETIRED)
+set_addkeytime "KEY3" "REMOVED" "${retired}" "867900"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+dnssec_verify
+
+# Various signing policy checks (internal).
+TSIG="$DEFAULT_HMAC:internal:$VIEW2"
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "int"
+set_keytimes_view_migration
+check_keytimes
+check_apex
+dnssec_verify
+
+# Check key tags, should be the same.
+n=$((n+1))
+echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)"
+ret=0
+[ $_migrate_ext8_ksk = $_migrate_int8_ksk ] || log_error "mismatch ksk tag"
+[ $_migrate_ext8_zsk = $_migrate_int8_zsk ] || log_error "mismatch zsk tag"
+[ $_migrate_ext8_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
+[ $_migrate_ext8_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/legacy/build.sh b/bin/tests/system/legacy/build.sh
new file mode 100644
index 0000000..5aeeb9c
--- /dev/null
+++ b/bin/tests/system/legacy/build.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+
+(cd ns6 && $SHELL -e sign.sh)
+(cd ns7 && $SHELL -e sign.sh)
+
+$SHELL clean.sh
diff --git a/bin/tests/system/legacy/clean.sh b/bin/tests/system/legacy/clean.sh
new file mode 100644
index 0000000..4c65a2d
--- /dev/null
+++ b/bin/tests/system/legacy/clean.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f dig.out.*
+rm -f ns*/named.conf
+rm -f ns*/named.memstats
+rm -f ns*/named.run
+rm -f ns*/named.lock
+
+# build.sh
+rm -f ns1/named_dump.db*
+rm -f ns6/K*
+rm -f ns6/dsset-*
+rm -f ns6/edns512.db
+rm -f ns6/signer.err
+rm -f ns7/K*
+rm -f ns7/dsset-*
+rm -f ns7/edns512-notcp.db
+rm -f ns7/signer.err
+rm -f ns7/trusted.conf
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/legacy/ns1/named1.conf.in b/bin/tests/system/legacy/ns1/named1.conf.in
new file mode 100644
index 0000000..7f8e897
--- /dev/null
+++ b/bin/tests/system/legacy/ns1/named1.conf.in
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	max-udp-size 4096;
+	edns-udp-size 4096;
+	nocookie-udp-size 4096;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
diff --git a/bin/tests/system/legacy/ns1/named2.conf.in b/bin/tests/system/legacy/ns1/named2.conf.in
new file mode 100644
index 0000000..9d4f1f6
--- /dev/null
+++ b/bin/tests/system/legacy/ns1/named2.conf.in
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	max-udp-size 4096;
+	edns-udp-size 4096;
+	nocookie-udp-size 4096;
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/legacy/ns1/root.db b/bin/tests/system/legacy/ns1/root.db
new file mode 100644
index 0000000..175847a
--- /dev/null
+++ b/bin/tests/system/legacy/ns1/root.db
@@ -0,0 +1,33 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 60
+.			SOA	ns1.	marka.isc.org 1 0 0 0 0
+.			NS	ns1.
+ns1.			A	10.53.0.1
+dropedns.		NS	ns.dropedns.
+ns.dropedns.		A	10.53.0.2
+dropedns-notcp.		NS	ns.dropedns-notcp.
+ns.dropedns-notcp.	A	10.53.0.3
+plain.			NS	ns.plain.
+ns.plain.		A	10.53.0.4
+plain-notcp.		NS	ns.plain-notcp.
+ns.plain-notcp.		A	10.53.0.5
+edns512.		NS	ns.edns512.
+ns.edns512.		A	10.53.0.6
+edns512-notcp.		NS	ns.edns512-notcp.
+ns.edns512-notcp.	A	10.53.0.7
+ednsformerr.		NS	ns.ednsformerr.
+ns.ednsformerr.		A	10.53.0.8
+ednsnotimp.		NS	ns.ednsnotimp.
+ns.ednsnotimp.		A	10.53.0.9
+ednsrefused.		NS	ns.ednsrefused.
+ns.ednsrefused.		A	10.53.0.10
diff --git a/bin/tests/system/legacy/ns1/trusted.conf b/bin/tests/system/legacy/ns1/trusted.conf
new file mode 100644
index 0000000..73500fc
--- /dev/null
+++ b/bin/tests/system/legacy/ns1/trusted.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+    "edns512-notcp." static-key 257 3 10 "AwEAAcEBkn/cuVhdRTWMHt19O7h9F4Hx2t68u1JUZg7swLLvwfljqnNYjsKYk9EzUhIaYOAHtVe7//cYwoVU4BFhY2DGbx1YE1LnKIGxfqpopFxDZC34TTl6jpoTP6kvj+XpeO0HfF2+DcyNgnQcMGgHXyLWeRUJFt1As6o9tmsBiInGIZMTE3/rANhtAGMLNzhRLN7CS/Tc5GhKaL66uebyEYenEOAyDVgsuhr8Q9D5ka6xZmxzXFVswy2KvsSxu9aoxVq4nACjIeTZ4GJy0v83zclV7hA+5jlPDXMFtIpvwux5XALrNkUUPq+Fb5sc5/u141LcvdASnlk58I77HbsnfausvDxdYYxEns7K9e9N85dwyreM/OGTmm8p4hNDngZESAea7MrSCsJpOGn9XLkVe6gZnBgB1cra+ezzTSWn+4QH17lIhFXYNjMV83df2h/gH3Gmthqnr9RgknZga8B/Czc7TeX6iy2gAOshKGyb6w12eJim1L8tS5T138V8d6SigzxZz1raiJNolVhXyA8SbbDpgBrcoEXN/WjwvWI+2ol5gzlqMeNw/F9SMoWdpGIWkkNCNWBbhLWhp6qfhpRLUFwVys54LGOIGSVRd9uJmc2hPdXoP8ephnCIeNJb8Zp6DnpssyN0JaF815dKkOHff9GEjaiRLj0xWvtZSqNFaGoB";
+};
diff --git a/bin/tests/system/legacy/ns10/ednsrefused.db b/bin/tests/system/legacy/ns10/ednsrefused.db
new file mode 100644
index 0000000..9aa3a4a
--- /dev/null
+++ b/bin/tests/system/legacy/ns10/ednsrefused.db
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@	60	SOA	ns marka.isc.org. 1 0 0 0 0
+@	60	NS	ns
+ns	60	A	10.53.0.8
diff --git a/bin/tests/system/legacy/ns10/named.conf.in b/bin/tests/system/legacy/ns10/named.conf.in
new file mode 100644
index 0000000..628c51a
--- /dev/null
+++ b/bin/tests/system/legacy/ns10/named.conf.in
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.10;
+	notify-source 10.53.0.10;
+	transfer-source 10.53.0.10;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.10; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+};
+
+zone "ednsrefused" {
+	type primary;
+	file "ednsrefused.db";
+};
diff --git a/bin/tests/system/legacy/ns10/named.ednsrefused b/bin/tests/system/legacy/ns10/named.ednsrefused
new file mode 100644
index 0000000..6b43ac0
--- /dev/null
+++ b/bin/tests/system/legacy/ns10/named.ednsrefused
@@ -0,0 +1 @@
+ednsrefused
diff --git a/bin/tests/system/legacy/ns2/dropedns.db b/bin/tests/system/legacy/ns2/dropedns.db
new file mode 100644
index 0000000..06c023c
--- /dev/null
+++ b/bin/tests/system/legacy/ns2/dropedns.db
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@	60	SOA	ns marka.isc.org. 1 0 0 0 0
+@	60	NS	ns
+ns	60	A	10.53.0.2
diff --git a/bin/tests/system/legacy/ns2/named.conf.in b/bin/tests/system/legacy/ns2/named.conf.in
new file mode 100644
index 0000000..e570ffe
--- /dev/null
+++ b/bin/tests/system/legacy/ns2/named.conf.in
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+};
+
+zone "dropedns" {
+	type primary;
+	file "dropedns.db";
+};
diff --git a/bin/tests/system/legacy/ns2/named.dropedns b/bin/tests/system/legacy/ns2/named.dropedns
new file mode 100644
index 0000000..37dd9cf
--- /dev/null
+++ b/bin/tests/system/legacy/ns2/named.dropedns
@@ -0,0 +1 @@
+dropedns
diff --git a/bin/tests/system/legacy/ns3/dropedns-notcp.db b/bin/tests/system/legacy/ns3/dropedns-notcp.db
new file mode 100644
index 0000000..0ac44bc
--- /dev/null
+++ b/bin/tests/system/legacy/ns3/dropedns-notcp.db
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@	60	SOA	ns marka.isc.org. 1 0 0 0 0
+@	60	NS	ns
+ns	60	A	10.53.0.3
diff --git a/bin/tests/system/legacy/ns3/named.conf.in b/bin/tests/system/legacy/ns3/named.conf.in
new file mode 100644
index 0000000..3d89554
--- /dev/null
+++ b/bin/tests/system/legacy/ns3/named.conf.in
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+};
+
+zone "dropedns-notcp" {
+	type primary;
+	file "dropedns-notcp.db";
+};
diff --git a/bin/tests/system/legacy/ns3/named.dropedns b/bin/tests/system/legacy/ns3/named.dropedns
new file mode 100644
index 0000000..37dd9cf
--- /dev/null
+++ b/bin/tests/system/legacy/ns3/named.dropedns
@@ -0,0 +1 @@
+dropedns
diff --git a/bin/tests/system/legacy/ns3/named.notcp b/bin/tests/system/legacy/ns3/named.notcp
new file mode 100644
index 0000000..e25c3a8
--- /dev/null
+++ b/bin/tests/system/legacy/ns3/named.notcp
@@ -0,0 +1 @@
+notcp
diff --git a/bin/tests/system/legacy/ns4/named.args b/bin/tests/system/legacy/ns4/named.args
new file mode 100644
index 0000000..0fe6774
--- /dev/null
+++ b/bin/tests/system/legacy/ns4/named.args
@@ -0,0 +1 @@
+-m record,size,mctx -c named.conf -d 99 -D legacy-ns4 -X named.lock -g -U 4 -T maxcachesize=2097152 -T noedns
diff --git a/bin/tests/system/legacy/ns4/named.conf.in b/bin/tests/system/legacy/ns4/named.conf.in
new file mode 100644
index 0000000..32bdb05
--- /dev/null
+++ b/bin/tests/system/legacy/ns4/named.conf.in
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+};
+
+zone "plain" {
+	type primary;
+	file "plain.db";
+};
diff --git a/bin/tests/system/legacy/ns4/plain.db b/bin/tests/system/legacy/ns4/plain.db
new file mode 100644
index 0000000..2c20a70
--- /dev/null
+++ b/bin/tests/system/legacy/ns4/plain.db
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@	60	SOA	ns marka.isc.org. 1 0 0 0 0
+@	60	NS	ns
+ns	60	A	10.53.0.4
diff --git a/bin/tests/system/legacy/ns5/named.args b/bin/tests/system/legacy/ns5/named.args
new file mode 100644
index 0000000..364370a
--- /dev/null
+++ b/bin/tests/system/legacy/ns5/named.args
@@ -0,0 +1 @@
+-m record,size,mctx -c named.conf -d 99 -D legacy-ns5 -X named.lock -g -U 4 -T maxcachesize=2097152 -T noedns
diff --git a/bin/tests/system/legacy/ns5/named.conf.in b/bin/tests/system/legacy/ns5/named.conf.in
new file mode 100644
index 0000000..92e754f
--- /dev/null
+++ b/bin/tests/system/legacy/ns5/named.conf.in
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.5;
+	notify-source 10.53.0.5;
+	transfer-source 10.53.0.5;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.5; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+};
+
+zone "plain-notcp" {
+	type primary;
+	file "plain-notcp.db";
+};
diff --git a/bin/tests/system/legacy/ns5/named.notcp b/bin/tests/system/legacy/ns5/named.notcp
new file mode 100644
index 0000000..e25c3a8
--- /dev/null
+++ b/bin/tests/system/legacy/ns5/named.notcp
@@ -0,0 +1 @@
+notcp
diff --git a/bin/tests/system/legacy/ns5/plain-notcp.db b/bin/tests/system/legacy/ns5/plain-notcp.db
new file mode 100644
index 0000000..9c1a96b
--- /dev/null
+++ b/bin/tests/system/legacy/ns5/plain-notcp.db
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@	60	SOA	ns marka.isc.org. 1 0 0 0 0
+@	60	NS	ns
+ns	60	A	10.53.0.5
diff --git a/bin/tests/system/legacy/ns6/edns512.db.in b/bin/tests/system/legacy/ns6/edns512.db.in
new file mode 100644
index 0000000..7c2309b
--- /dev/null
+++ b/bin/tests/system/legacy/ns6/edns512.db.in
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@	60	SOA	ns marka.isc.org. 1 0 0 0 0
+@	60	NS	ns
+ns	60	A	10.53.0.6
diff --git a/bin/tests/system/legacy/ns6/edns512.db.signed b/bin/tests/system/legacy/ns6/edns512.db.signed
new file mode 100644
index 0000000..1493dd8
--- /dev/null
+++ b/bin/tests/system/legacy/ns6/edns512.db.signed
@@ -0,0 +1,248 @@
+; File written on Fri Dec  5 16:35:57 2014
+; dnssec_signzone version 9.11.0pre-alpha
+edns512.		60	IN SOA	ns.edns512. marka.isc.org. (
+					1          ; serial
+					0          ; refresh (0 seconds)
+					0          ; retry (0 seconds)
+					0          ; expire (0 seconds)
+					0          ; minimum (0 seconds)
+					)
+			60	RRSIG	SOA 10 1 60 (
+					20441127043557 20141205043557 59033 edns512.
+					Xqas69NmX1N9jXSQntGXjcDTmZpO542fJURc
+					peYqY2gD445jxcH6FwmdMbzyPX4Nel+ZKdqx
+					wzb6U4S2sc7V1Wt8sOuNWil3LOaF9Mr2ZhL9
+					/BgFaZixYdij0dFkUyuaSRfDx+3rvYtGZBRW
+					w55/U2bRvIgk0TjH+XHOUM+l5n755bsH1GFP
+					kRxhsYtsrUdWrB7Wn5lOdURsIf31xUfuMejR
+					QO5UIeqIgLhqE67GTy4SkfJW01G97Fkmt9Kx
+					6K1gIwOeJy2rHN9WIF9vLJ2nyxWiSkmUka7l
+					Zw3kuR9fjgrFE8FEy4e/J8VIoq0v9bnwLh8a
+					woBnoQoZcfngu56e5hyF+g4t91JDbViOMAcJ
+					/DWsaGa7IF0o61Z51XoOakpgV4TP3VU53jFr
+					gfc4HDKP3sQQH9ZqzOpkXtoWGpSQ+u+2jSYu
+					NKa05LW4q1SJf8DHTiMxAUkkbikGHemskgIm
+					0MESkBJI95/M3FbsRc9FswOeX0ZaRo3+6982
+					elE1T0ZVPOWjPq1L5upWvUZDP0/d+2ns7Yt/
+					MY5dKXjl74kQWTIDdeUC/8aaWFiJhsx7Haa1
+					LhHtttBHtQQKQBo8uWVoTHDs9XY7pDcpkF6Z
+					/NzaCOVHFKh4Ahpr9xwY1J9Cy56oRIq5AEP9
+					HmtN1vS04jbad220C+jfkDPJH9s64MKggQ4= )
+			60	NS	ns.edns512.
+			60	RRSIG	NS 10 1 60 (
+					20441127043557 20141205043557 59033 edns512.
+					G9qrHjBQZ+jcueOhibtN18rXYEaLzWOZh1o2
+					ZRQ9jS59BJd0KJ4taQzpz4CxA/juqEjSCmuY
+					Vynfeg15u4wvUf1/anC38Rp/QG0MHPrFily0
+					DzeS/o2plYNCJ8r2wOmufG34rZakXZs2EdBf
+					9s3+f+vqx+WsIs1TfaayGi90qDxVjn/SKGqb
+					v/eXGmYxyRMTaQ2x0+8y018MT+7zLbb3/VvV
+					EuD8X+J8N8dZiw3Rc1X6zj3usSOEO6wa4GRk
+					Oss3CMkYJuMND/3RG6XGt6du4hl3lK3+UK/4
+					bb/D5FBlCJc76bkmo8ZmUjxKGXXGzh9w+bMT
+					rt0GfabUcbQyWyOifIsWOeIxYVpvUHusk7VT
+					gvvhfqXabGT7pPoCPz97IW820qTXKPPX/Rzb
+					DpRgWdVdQDWcmhb4RBDQrr1DDMmBJlz91S4Q
+					0lDAnSMfMO2JIpJKOFNHnsMgLayEvdKOKQOH
+					ESKzbylxL4qARAq4zYbwz3vY6VDCV5MGcnAT
+					3XMNM9RwRq0/qMuE8XfPmRaDimIOLaEojMpU
+					59sFvaKzvn7t1h1ZQVLuJqu3jkWwz4iUtwts
+					+av/IdbbKP6spPy4gimngRWbpiiQHESNx9kp
+					EHB85/UAR28RffvPadNoQq1eaAOQJCEJf7xv
+					BOGytbBxrLFsTWrmrB5uCb9hujWu04unJyc= )
+			0	NSEC	ns.edns512. NS SOA RRSIG NSEC DNSKEY
+			0	RRSIG	NSEC 10 1 0 (
+					20441127043557 20141205043557 59033 edns512.
+					BY9hQLrs9zkekTWeXmSqT+8dCZ+vaRBGSSUf
+					E8BUr4gYbuzo7xeOpHjMkpO7IpkT80TRcIQf
+					AkleOlf3+XcUIhK9/7C/xu0/jI3XbaBs5NNJ
+					0zhf0CmJBzeCSMtxXInDLGkhGMgoclB3j5+f
+					nme65PHYFVEVWS/64ZRd71XUUV2kTk4slfqx
+					YNGhT7IPcgUTNOrsBGi6SmH2iKMseg2BfFOt
+					+2RRY9HBlfKywozHz9jjWsEmRZke3fqfpuln
+					C6r3EQ873XBjrsOrDerNaSDf29Zl46SQs3UQ
+					kCJZ0gWEReRvvooLlh4+PsbIW1M0FMmsImfv
+					l1kPh8kQgJVxljba7kXX3k5bc/YwTQE3rI6e
+					ametdxSwbxcUZiUr8rM2ZF4IfqFGS05sD+Cz
+					68dDDyR/vu+6Rt/U+39bzg2tI4Ok6aQxOgXP
+					v+hhOC8Sancpmn+SHLQvYoMW/VxR633TeyW3
+					zn4Xhcp7aD4TdKHGK9PpVrtWcx50zZEXu17c
+					essPk0yDOarTmoqx0r3LSe5jjDLJJ5kZxWxM
+					nlfkw3aKQwQMuyaVWN+Ruz7KRgD9lkwoOic4
+					Qs/7PYpMrV58YVlEa7aESd3+qPHjv6dD99Zm
+					Fe6bc+SqUTKwjeYfIm/luc70FpykGhdxTK/E
+					dEjQJ8jMrAzCCr/or/JOHgV1yrTCfU3hAN8= )
+			60	DNSKEY	256 3 10 (
+					AwEAAcEBkn/cuVhdRTWMHt19O7h9F4Hx2t68
+					u1JUZg7swLLvwfljqnNYjsKYk9EzUhIaYOAH
+					tVe7//cYwoVU4BFhY2DGbx1YE1LnKIGxfqpo
+					pFxDZC34TTl6jpoTP6kvj+XpeO0HfF2+DcyN
+					gnQcMGgHXyLWeRUJFt1As6o9tmsBiInGIZMT
+					E3/rANhtAGMLNzhRLN7CS/Tc5GhKaL66ueby
+					EYenEOAyDVgsuhr8Q9D5ka6xZmxzXFVswy2K
+					vsSxu9aoxVq4nACjIeTZ4GJy0v83zclV7hA+
+					5jlPDXMFtIpvwux5XALrNkUUPq+Fb5sc5/u1
+					41LcvdASnlk58I77HbsnfausvDxdYYxEns7K
+					9e9N85dwyreM/OGTmm8p4hNDngZESAea7MrS
+					CsJpOGn9XLkVe6gZnBgB1cra+ezzTSWn+4QH
+					17lIhFXYNjMV83df2h/gH3Gmthqnr9RgknZg
+					a8B/Czc7TeX6iy2gAOshKGyb6w12eJim1L8t
+					S5T138V8d6SigzxZz1raiJNolVhXyA8SbbDp
+					gBrcoEXN/WjwvWI+2ol5gzlqMeNw/F9SMoWd
+					pGIWkkNCNWBbhLWhp6qfhpRLUFwVys54LGOI
+					GSVRd9uJmc2hPdXoP8ephnCIeNJb8Zp6Dnps
+					syN0JaF815dKkOHff9GEjaiRLj0xWvtZSqNF
+					aGoB
+					) ; ZSK; alg = RSASHA512; key id = 59033
+			60	DNSKEY	257 3 10 (
+					AwEAAcEBkn/cuVhdRTWMHt19O7h9F4Hx2t68
+					u1JUZg7swLLvwfljqnNYjsKYk9EzUhIaYOAH
+					tVe7//cYwoVU4BFhY2DGbx1YE1LnKIGxfqpo
+					pFxDZC34TTl6jpoTP6kvj+XpeO0HfF2+DcyN
+					gnQcMGgHXyLWeRUJFt1As6o9tmsBiInGIZMT
+					E3/rANhtAGMLNzhRLN7CS/Tc5GhKaL66ueby
+					EYenEOAyDVgsuhr8Q9D5ka6xZmxzXFVswy2K
+					vsSxu9aoxVq4nACjIeTZ4GJy0v83zclV7hA+
+					5jlPDXMFtIpvwux5XALrNkUUPq+Fb5sc5/u1
+					41LcvdASnlk58I77HbsnfausvDxdYYxEns7K
+					9e9N85dwyreM/OGTmm8p4hNDngZESAea7MrS
+					CsJpOGn9XLkVe6gZnBgB1cra+ezzTSWn+4QH
+					17lIhFXYNjMV83df2h/gH3Gmthqnr9RgknZg
+					a8B/Czc7TeX6iy2gAOshKGyb6w12eJim1L8t
+					S5T138V8d6SigzxZz1raiJNolVhXyA8SbbDp
+					gBrcoEXN/WjwvWI+2ol5gzlqMeNw/F9SMoWd
+					pGIWkkNCNWBbhLWhp6qfhpRLUFwVys54LGOI
+					GSVRd9uJmc2hPdXoP8ephnCIeNJb8Zp6Dnps
+					syN0JaF815dKkOHff9GEjaiRLj0xWvtZSqNF
+					aGoB
+					) ; KSK; alg = RSASHA512; key id = 59034
+			60	RRSIG	DNSKEY 10 1 60 (
+					20441127043557 20141205043557 59033 edns512.
+					QYXBCtuqzY2R7s4sIDFmSkhLqXXYAAdm5T3x
+					MddwlppybV0tEnkRdgWD+3VL2PAdr+MMFigm
+					OCohMdYAXOhJwW9OHiSkeIpYamojB+eBPDBl
+					63guu73QADTUmffZirWvNb79reVHmKkTPdLm
+					nEfEs7VEtTm1Wj60jT1q1RIkJDvtIo7mJgRO
+					MYKyJBCocBUSGGXoHCA+djXCqKiuLavQ2rBu
+					IGxXtB2Pf2Wkw/9xxhBo5vTrT1u+V2hFGMPO
+					vnODw0lU4XiSjeBrmMXnadrsx8DrM4KInwAL
+					A9VolAXXWjqvD3il54ziqikkjTYnOeyik3QM
+					R7UtDrLTLnAeyeL9rhLuBk2dnsE+XaJ2PP3q
+					iD7LiEQLDGGKJRC3P6odVb17e7q0mDtH2HId
+					VdjGap+W6mxql8aVrRHs5P0t/5GJmW83JbJi
+					e7W3Y1ikoimB4S6FPBbjadaUEpzUs806SIdj
+					v/AZoydoa/qOdre9Pur51At2dQNgeFhIL9w+
+					2IcN3pRjojTPrMToqVRqOySzx6OzvSmnydDg
+					PMe4yoqpzumJLQXJ2IceEg5rlLaRjMOBYSW8
+					VuqLMfEup+KBEg+nZv6mAmx1KLuIgO5q5ae9
+					tq0I7eaV/EPvBYxO7j2RA0AbtmGSUyP4ZzTy
+					FjIYfOqzwwPjONzLQ2E/RsbS5MlIAk92aC0= )
+			60	RRSIG	DNSKEY 10 1 60 (
+					20441127043557 20141205043557 59034 edns512.
+					V13nqWSVWVdkN/RZnJ+4ywjju3JoRbQrpnjL
+					RKPi4U8cOc1nnh64y4RvaIe+2TI1hiVKYHfE
+					9XGXZb2zhxrWMq8kLjpIRN+jpItoFXu7rSRA
+					GmiHz7v7PW7+UHz7fhGHKJuqQuodBokTlHhR
+					/0mNkaDQ96OOyG/aLOfj6Jj16KEBfyM8hALy
+					jwWE8EOKzV37CLBWawazXVY/EAP5jzQuAaot
+					SPh3wFuJ2L6rB4lkh5IwaeXU42ip7eirT2i5
+					V9W2v01UWbQ3Jab1DJlNwVgNGzXYvCvLU9zG
+					EHbqVcDuMErOqFzePLhK7Aqh8LIB9DnQlFqE
+					2tyATJb0hcMetMNRiInJFGPMekdNiTguhLMC
+					GyEjzEJdiKT0XA/lVF9MVyEqL2HeSj3NYRe6
+					ScfqAZArEPgu+UI0CaiC2eR8KdQCPcwUJuNE
+					mNdv3F9CnNvq3w72Q3TJpOaFzuToQh8JleTN
+					Ty3zRkVGKWSDNs+px9sedJkRpaRyVQVXJruT
+					/boYT8HgK8R6PXIp3Ujud0SSlVjPQrlbxF/P
+					5saDwruBkYPRKNGBC0OVcHhI+w1N3gkp59kY
+					CqBih/kazLfWjUXxc130OEkPhmS1zUEOjsl2
+					fmRhKrlRmPM1DyHqFiEVogj/nfZ+VCiO4bIx
+					F+vVQX+EqQo0p3bRvfSxpY/I7fM0P6/cZlQ= )
+txt500.edns512.		60	IN TXT	"01234567890123456789012345678901234567890123456789" "01234567890123456789012345678901234567890123456789" "01234567890123456789012345678901234567890123456789" "01234567890123456789012345678901234567890123456789" "01234567890123456789012345678901234567890123456789" "01234567890123456789012345678901234567890123456789" "01234567890123456789012345678901234567890123456789" "01234567890123456789012345678901234567890123456789" "01234567890123456789012345678901234567890123456789" "01234567890123456789012345678901234567890123456789" "01234567890123456789012345678901234567890123456789" "01234567890123456789012345678901234567890123456789"
+			60	RRSIG	TXT 10 2 60 (
+					20441127043557 20141205043557 59033 edns512.
+					OtzlxomsR6xFpPI19gEpl5edx+rbqjrhR6CI
+					zWiqpjHv5HhdydRPIW6M8KSuBDK/AOuUCy1P
+					9qOy7J0QUIGK8Ds4wcw09VCqkxImVu6w7e+z
+					HoaNJzKT4Oxf1LLrvUnitqEbS4cME15r+Fj4
+					cUlkpSZgttMcGhV+VPEiG3z56KzXNAViapJl
+					HaV10Be0nx0UtEpftkAtgnkXwNPIaDrbULUI
+					tvD/uvu3ICV5gRATriy3RcanB9c0xKEO9NAm
+					nbWQD8a7o+zs3OqqDRcZqvq0PRuz7X8Q4T/n
+					fPYNkGoph1etQTaM1F6V0gP/2Hxv/oQclL77
+					IQSRZ8zCZJech8qgBlEHgdY/4hqJzJtO98Ha
+					OfB7ixmHp9fE5dGInIot6eMKN+Utnl2KLjjn
+					oO05gh9VESsgDIOM2amN/aViP54ad5DFtJni
+					1mLRhV7FmBD2WSkdZF4/u4SvxjKYpWF1pspO
+					xNPhgaavnAqkM361P0kV13StLXzff9g9QsuB
+					S8Z4v0Ypiv4s5SlXsKeTpa0Y1gKXf8U1UZGq
+					/+2089ZurC8S1D89m72M3hgP80TDnLeuDCHY
+					/3tpU4V0yZ0u2riJG8/4MVFeeo8suk/z2gq0
+					nvs3YD7U0XB5ozLUlnKTT+NK49lnv5xoIByL
+					+ezP5zXMz4D0KAfKk+Wn84RgYn3ADABr1ZI= )
+			0	NSEC	edns512. TXT RRSIG NSEC
+			0	RRSIG	NSEC 10 2 0 (
+					20441127043557 20141205043557 59033 edns512.
+					nFZKkyTy5O+je3VUaWt/eqVDqPtpktHFJt5X
+					K1TJHvRbuEanNMJoQJidS6ZhawgJhK54qgcM
+					klsR2n/eZ61Wbr1dpUscI7PNWGtZThW18d6W
+					GQjfxvLVSi+YVcSlAt5Jfc+4KZ+Mcte25xOD
+					DJMWVXTv2AgKt9T7JdOQTrpiugkpflct87FQ
+					95POqtj5j72xnTvpjzaDcL22rD5q3kLQlQ14
+					xDZV1hOgqCYgbYVgwxgxigWSuWkKjiHiYR9o
+					YkLPkWHYNn7aDDFpAve4MJXRpuwPP9/TLQKH
+					hV4H8q7CZK30uKpUqy38JGTQzr7FDgTekGCd
+					InPLwSrURIkn3rVyCRq7PgvSBNXNW+3h9tYX
+					gMj6FDNyroWRH1eWmDFg3BmXKu6hUxrZ2fOk
+					wyhJ5M0LtZinjd5RuHy0CCKFuFA/Gv3Zga0m
+					vc34auzfwLnQmJc94j3JfwUGlMDeKtizKrhK
+					PahfCxEMVhY9E9LKx0UsbtJJ1ZgeNsm+zF5E
+					6TkzYFc+hHeYM2/Jb2PVxjTmOkbfRoDmnRCd
+					9Fus/kFtbgUK6ukpaQsNgdkwtLT8++FiaJUs
+					ion91SQWK7wjW3Fm+zMA88K/vzSQtv9mGUry
+					oZ4qpK1PFpafpzUVODx3HSS5RCPGZzd4zuDR
+					6u7jgRUH3mokpudb4X1qt9L6tVyMLPqAaq8= )
+ns.edns512.		60	IN A	10.53.0.6
+			60	RRSIG	A 10 2 60 (
+					20441127043557 20141205043557 59033 edns512.
+					BLCw43y8QO0QFaQpBPbMgLk3iIStBvp08qp6
+					wRCslXGRNK279mlNd29ZROVwmU7jrNd5jTIt
+					KhYlO/9DX0JMuTrG3W+tsGkGNqx3LNsVt6/U
+					rfF7iAxzBjnY4MRv0DIIKJqgEuz+A/vmbGQi
+					L0QxukaNPycQUEnMBbNmVvEi6uETW0yMPugn
+					BPg2jSVbrd/lY40K1yyUme//q8ljvneU++Mg
+					mmQ2crmINUQX3h4NBmXoOun0T5hehqiSvz4n
+					TUO9rhSMWFJxCvUcjndha2MBEm3/H5MhqHqH
+					vEFlL9/yDScmwT6FW7yoVtcoQzPymgimBIlB
+					SW75upaIy6EQcx88WhANB+oEm3JsIwufcpUl
+					jwe7taxtCV1VYxqbqH9ynEzbUH956pE6gsvW
+					1lYrqzkmKl1l4YdJEr/Um8daVT88OR8ClP/3
+					v3OhAjmvnzl6WolaMPARCkFtswK8Awd61qDw
+					T11lTu7k0jB7Xx0JNzP2L/ehPaLokctPvECl
+					lMbHUryP30VnfBahCewO3/15+sUEhKrrlCif
+					G/MSFzDWbV11X1ItEQcBWgfcvhNfmAgQ0bsi
+					HgrgUuFIkmosoQUPEqJFCggTMYNZ769zEv/a
+					9gJpLo5AmQqZYCn0sOw59IgXHUOsDoStB+WB
+					vAl9Q3ePoJ8wd+4sBC4KJs++Hw5pJ1oU+ks= )
+			0	NSEC	txt500.edns512. A RRSIG NSEC
+			0	RRSIG	NSEC 10 2 0 (
+					20441127043557 20141205043557 59033 edns512.
+					DP0dAdDzZRS91BYNOzrHPbcGRRDTdkk+fAHi
+					Zb+kQ6Eur3EbXrrc/zH9UBmqircogWtOk8iv
+					h83G5y7Ry/tKQdrqb2igbkLo/BFsyeLKZFLh
+					DuWbSVvC1Hhs9tzFHVcH5gUObmlrj7wQd3T5
+					Iq4ZHbQCHg4OWZbS2gn+90uL/G5OHncE2Ni9
+					ELp3puFG+mO5RJJbF6CpU6vVGRs+kQyHREmj
+					i9kQ6C/12SHPnuIW8v/IP6EUSNb92mJk5n9P
+					N7EW1E67zCrHSh0rURz627hZRkpt831uod9H
+					Yf/Uj88zyTkprnBYdflydOzsjBiLMJwMh1CZ
+					BQ4EkEuRinkFeE3fmKHzv26S/HSbhVIS9E2z
+					nF7InmHB67uJvqj0oBTP2YFQdrDx5KWNBrqG
+					4wB+OYnc6RSKrJWuvzUzyK4mCK619lVhgMi5
+					Jl6kBo7swgeriVhEODJVcX1ZEkd5WUwkpumw
+					JReLYStQKM8AbulcLQ4/bPwurhVPDpoNK6WL
+					kuv0MXijsFWps43ojok6DGPD01c7FRWxAKZV
+					eywmEIGLSYHDnWAzVIErXuO7RPfvLIVlZJzq
+					nzVj0ZLDh2BrrwbLt5zoETY5Ka6d6/YUXJLQ
+					Y+lxqTaDuJHnTqF7vcvxdkjYtR6JhsA4nfAO
+					TJHTtETInoRdXBTHahG5Q6tkj3kbhqR7dBc= )
diff --git a/bin/tests/system/legacy/ns6/named.args b/bin/tests/system/legacy/ns6/named.args
new file mode 100644
index 0000000..64e5524
--- /dev/null
+++ b/bin/tests/system/legacy/ns6/named.args
@@ -0,0 +1 @@
+-m record,size,mctx -c named.conf -d 99 -D legacy-ns6 -X named.lock -g -U 4 -T maxcachesize=2097152 -T maxudp512
diff --git a/bin/tests/system/legacy/ns6/named.conf.in b/bin/tests/system/legacy/ns6/named.conf.in
new file mode 100644
index 0000000..17f19d9
--- /dev/null
+++ b/bin/tests/system/legacy/ns6/named.conf.in
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.6;
+	notify-source 10.53.0.6;
+	transfer-source 10.53.0.6;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.6; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+};
+
+zone "edns512" {
+	type primary;
+	file "edns512.db.signed";
+};
diff --git a/bin/tests/system/legacy/ns6/sign.sh b/bin/tests/system/legacy/ns6/sign.sh
new file mode 100755
index 0000000..6ebc2a4
--- /dev/null
+++ b/bin/tests/system/legacy/ns6/sign.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+SYSTESTDIR=legacy
+
+echo_i "sign edns512"
+
+zone=edns512
+infile=edns512.db.in
+zonefile=edns512.db
+outfile=edns512.db.signed
+
+keyname1=`$KEYGEN -a RSASHA512 -b 4096 -n zone $zone 2> /dev/null` 
+keyname2=`$KEYGEN -f KSK -a RSASHA512 -b 4096 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -o $zone -f $outfile -e +30y $zonefile > /dev/null 2> signer.err || cat signer.err
diff --git a/bin/tests/system/legacy/ns7/edns512-notcp.db.in b/bin/tests/system/legacy/ns7/edns512-notcp.db.in
new file mode 100644
index 0000000..89f3e83
--- /dev/null
+++ b/bin/tests/system/legacy/ns7/edns512-notcp.db.in
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@	60	SOA	ns marka.isc.org. 1 0 0 0 0
+@	60	NS	ns
+ns	60	A	10.53.0.7
diff --git a/bin/tests/system/legacy/ns7/edns512-notcp.db.signed b/bin/tests/system/legacy/ns7/edns512-notcp.db.signed
new file mode 100644
index 0000000..87c8036
--- /dev/null
+++ b/bin/tests/system/legacy/ns7/edns512-notcp.db.signed
@@ -0,0 +1,248 @@
+; File written on Fri Dec  5 16:35:58 2014
+; dnssec_signzone version 9.11.0pre-alpha
+edns512-notcp.		60	IN SOA	ns.edns512-notcp. marka.isc.org. (
+					1          ; serial
+					0          ; refresh (0 seconds)
+					0          ; retry (0 seconds)
+					0          ; expire (0 seconds)
+					0          ; minimum (0 seconds)
+					)
+			60	RRSIG	SOA 10 1 60 (
+					20441127043558 20141205043558 59033 edns512-notcp.
+					ESBGgT1akISzDYasx1vDn4479d3zRZKvHIEb
+					OJIn2UqPVl6YDzcuUIqRwvFoqV7/eT4tllJ/
+					DSywHFPKV5t42BvnF2bEtPJZb6GUg3ZCqja4
+					CEaUNtqd4xyIT8BMT29w+d0OE6wbjaF3F3rS
+					RePp8RXde62vuR1rseTYLCF/V3jh1RvZCf3b
+					HnmavjU7Gzu6SG1IyBnxxJ43lvUOpKPbEiLa
+					H2MTRNzMxQ1CB7nv953XuWDjlqv37LqzQgt+
+					qHYC+Tjqx5KVUMewOAbcc4sne+ohMgz9p04h
+					JS3TIejgOfybFcmsZnsiqPkR9GKlDJ/L6hBH
+					azWKrnaHgS5n/j1rIWteV70E/VKXmiVspWkj
+					asOQM5F/7+RZWBA/bVsJqQOUdt3o04h70bQ5
+					mbPYY3AFpcpfPRVHoPAhvhMd5jdQoAY2SiI3
+					Uehleuyt3K+tDPCdgRhkkFwI15OBH1Jh2Y59
+					7jvcXLqgI7T9kzUAbRpKOpR3+73Sa+UCx/Vw
+					iZqr03mBT8sSaZR1Zyd9y4b9yAQ7W2gHY1VM
+					0N3lStdS938bwhcU5gN4ElkqXrwkCgVP8BoY
+					3FotvKHUcLmnvrfKgnjcwReCJ66GeI+i205x
+					NcbDnmSfxYcW4VsLYA8yoQM+0NWmBBXT5JT/
+					ybAmt683yRwbFnl/YovtNwXtNKMb8+FKJjw= )
+			60	NS	ns.edns512-notcp.
+			60	RRSIG	NS 10 1 60 (
+					20441127043558 20141205043558 59033 edns512-notcp.
+					FLwTgbguhIW1UHjObRRogJg6RA5/32Sd7623
+					+btt7TqXchUMJyQsiIdZ0g5+NKQNawnhY4CV
+					NwNTeEiW55fjrZJC1A+nwBXGeE0MP9a2ngkj
+					PNK6spLXe67hMqudgbdp3toSfx1M3jI4PJ0Q
+					ji1UryuIqleR6w77JiaSB55MpoVDUVui/y/Y
+					VYHJ2z4wVBA0upoLegE5S9fWWpWIuD8aCU9y
+					+WMWhUd92Jm1Z9NWc7M9cwPp5/CAmitV5wjZ
+					wWu17WytNbwpYBww+DB72CrvvMZvVw8fcbdC
+					5FIxIr6Ed0dNjfoakcPTW5EtDTk9ms6AjdMn
+					edNRZXgVuGZEenqmmsfuHFvNCurrNZJHG/je
+					xm5qhN9N85pmBILWpJPArKxwC37i00t/28Wx
+					FY7H2a7RWgtHkxuvnh4pwpidr2ZD+L5hQQ+c
+					O7CpzQMmS+dFOLF4/FOs6d/Do/7rxs1plUgp
+					NjOW3ts4tK1OkKPypXovuMxyLQstrnTkCNjA
+					pA+K5OBXdEsmtbIhXVAlARcyXXoKnYVFqd9c
+					Czu0kS4xy8B/auWcBzPMVYuTWGhNWemm7J9P
+					0zOOB4n6nsaM7/UIoWK7Qx1CJLLOiWdEYNur
+					ouS9X97/LnsRcO/SPWB0aBTJgsMVQBkDB073
+					0eZBJmUIAMidot4okbC3hQ3atQ0pGhDaAIo= )
+			0	NSEC	ns.edns512-notcp. NS SOA RRSIG NSEC DNSKEY
+			0	RRSIG	NSEC 10 1 0 (
+					20441127043558 20141205043558 59033 edns512-notcp.
+					JEdGV3CAGd23NG76F0B6FT6uz6TNWmP3Ecck
+					aI8djQLmnhu8vV1eYf4JCAS/EBOU/gS7iP+R
+					ziiJ3bPrvA1JSJhieTGw8K5IplUSTGHmlaIq
+					PfKRqN41mB9f3qI3PkN8h0Y2SbLKjYMIrHG1
+					1R3LubcKwyEc+Y4ylqySaYO7JPcGznvWiu8k
+					KLcvYsBOy2V9gjY2Q1BYP6TR0QyYMXDht7cR
+					27YSG2D+LP0HDIFV4f7T1SLjGmDl6ROh2Rnn
+					i51tnK02IwoDs207RC1ExlVqD4n/3JZIkh+M
+					c5FoPK/fV6IRz5cdwLk1Mv2ovihxPjryFLdw
+					1ULSEc7gK8EkYfedv336GgZbDEWhWQgmVhPE
+					h26vJNF+ZSqWlo0tkKLAKzbd8yEguPf6HY1e
+					0v5KVnUV3lINJIOmWtXDZNXho8WzA4WViqqW
+					yn+nTnRBg/20WdpHEhVDJKywQvKY6zsXMN8G
+					J++lx6FalaFdgE4gNcQQsu11VQDnJO90kKBU
+					uVRkFQArPj0TEaUWq+ZC1eJLKtraO9w/5ybw
+					LaIKBJBAcyU2jy7ieRc+NEY6rE2XOfJs0kEa
+					8q5vM9/AFbX01yUEKnYj2CO/VhtfUa2tHEVo
+					JhATux63HBiTwhiYcyjfKhYcML2KoEYUCYU/
+					DAdy4zrs352EC3gVxagyUxCNJZ1Bq0wq+jI= )
+			60	DNSKEY	256 3 10 (
+					AwEAAcEBkn/cuVhdRTWMHt19O7h9F4Hx2t68
+					u1JUZg7swLLvwfljqnNYjsKYk9EzUhIaYOAH
+					tVe7//cYwoVU4BFhY2DGbx1YE1LnKIGxfqpo
+					pFxDZC34TTl6jpoTP6kvj+XpeO0HfF2+DcyN
+					gnQcMGgHXyLWeRUJFt1As6o9tmsBiInGIZMT
+					E3/rANhtAGMLNzhRLN7CS/Tc5GhKaL66ueby
+					EYenEOAyDVgsuhr8Q9D5ka6xZmxzXFVswy2K
+					vsSxu9aoxVq4nACjIeTZ4GJy0v83zclV7hA+
+					5jlPDXMFtIpvwux5XALrNkUUPq+Fb5sc5/u1
+					41LcvdASnlk58I77HbsnfausvDxdYYxEns7K
+					9e9N85dwyreM/OGTmm8p4hNDngZESAea7MrS
+					CsJpOGn9XLkVe6gZnBgB1cra+ezzTSWn+4QH
+					17lIhFXYNjMV83df2h/gH3Gmthqnr9RgknZg
+					a8B/Czc7TeX6iy2gAOshKGyb6w12eJim1L8t
+					S5T138V8d6SigzxZz1raiJNolVhXyA8SbbDp
+					gBrcoEXN/WjwvWI+2ol5gzlqMeNw/F9SMoWd
+					pGIWkkNCNWBbhLWhp6qfhpRLUFwVys54LGOI
+					GSVRd9uJmc2hPdXoP8ephnCIeNJb8Zp6Dnps
+					syN0JaF815dKkOHff9GEjaiRLj0xWvtZSqNF
+					aGoB
+					) ; ZSK; alg = RSASHA512; key id = 59033
+			60	DNSKEY	257 3 10 (
+					AwEAAcEBkn/cuVhdRTWMHt19O7h9F4Hx2t68
+					u1JUZg7swLLvwfljqnNYjsKYk9EzUhIaYOAH
+					tVe7//cYwoVU4BFhY2DGbx1YE1LnKIGxfqpo
+					pFxDZC34TTl6jpoTP6kvj+XpeO0HfF2+DcyN
+					gnQcMGgHXyLWeRUJFt1As6o9tmsBiInGIZMT
+					E3/rANhtAGMLNzhRLN7CS/Tc5GhKaL66ueby
+					EYenEOAyDVgsuhr8Q9D5ka6xZmxzXFVswy2K
+					vsSxu9aoxVq4nACjIeTZ4GJy0v83zclV7hA+
+					5jlPDXMFtIpvwux5XALrNkUUPq+Fb5sc5/u1
+					41LcvdASnlk58I77HbsnfausvDxdYYxEns7K
+					9e9N85dwyreM/OGTmm8p4hNDngZESAea7MrS
+					CsJpOGn9XLkVe6gZnBgB1cra+ezzTSWn+4QH
+					17lIhFXYNjMV83df2h/gH3Gmthqnr9RgknZg
+					a8B/Czc7TeX6iy2gAOshKGyb6w12eJim1L8t
+					S5T138V8d6SigzxZz1raiJNolVhXyA8SbbDp
+					gBrcoEXN/WjwvWI+2ol5gzlqMeNw/F9SMoWd
+					pGIWkkNCNWBbhLWhp6qfhpRLUFwVys54LGOI
+					GSVRd9uJmc2hPdXoP8ephnCIeNJb8Zp6Dnps
+					syN0JaF815dKkOHff9GEjaiRLj0xWvtZSqNF
+					aGoB
+					) ; KSK; alg = RSASHA512; key id = 59034
+			60	RRSIG	DNSKEY 10 1 60 (
+					20441127043558 20141205043558 59033 edns512-notcp.
+					IrMpyEssdfDiqBDfMI5BVicoN5Upu20Bq0eL
+					BKXuiYBoRhBJhBnv6bovD0XWMf0spgPMHz4f
+					lgc0zT+41lQykiydy6WDLJ184E4If35ip9jp
+					Lj2yJGKUCr1FrvtciYPmYuH3wBIWl5wNlzJd
+					qH3P6nO3xYU4lgsBQPDUKvLHX7HIuSJB+2by
+					wbs3jj5Q78Ri1ELqKCCicfKbZwsRY9vexjw8
+					ptuJh+Y8kvhM/Yh7NyG5PByb5GRVVCCZ20ms
+					msBCiniPb/5IFiy7iUUiderLsa3y4UauTOKD
+					pKiOkBbB0XfxZtAsTZFU2W5seo6eoW3LfLp5
+					fD/qqUKyRZzPZaqJmp2n7egmX3WmRw11ILXk
+					LEuXA3P65YVbfqv08lZHz5K6xFhWsIJoBeev
+					2leb3hN6nmSFApltdF0PDEfq1ZV+sBpOBsKN
+					EekIGAYO28u3+7pjxMzMe5EMtDAajb9bZCT6
+					3ZTMPjlyT5ChtNRSIvgzgbfYAn1bigtQ+Opu
+					Jp82U+N1FRBNaSz7uw2uDAiE/cSNgfGIC7Dd
+					KBzWE6z/HFCzQp/gF8006AjztDq/SnyHWnWX
+					RzfMi1pE2IOT/GoCKOQwQNei0cG/ar+/ntVp
+					3yg9PbYdhdMH8IQ1GpwczFfD1/I2/wuOGzPw
+					1iFhd3dT9Sz2xgF/8xS95Ljgy8YgP+pmE3c= )
+			60	RRSIG	DNSKEY 10 1 60 (
+					20441127043558 20141205043558 59034 edns512-notcp.
+					VusByVbeIayH6KfnbhxLKycQfjU2L2Ilfa9o
+					K/MjEve4vMjqKeYV0oNan2X4DvPZusKeMVJp
+					JhQxvBz2GXE6syjrL5eEQtdcn6MW5Ew40w2E
+					i7BCGiHYrxH+SJqSORl5pBjihe24dRWoHHt/
+					3CVBE18TU+ubSdLgOT3SvBtffJ1NVtvtCgpP
+					/yIgffhHOU/F0J+ewL6lmYzrkj/48Ep8F9e9
+					suAoorKmRP4zmeiojQedM+4PfbRn0doOLFIR
+					8RZK8rv9WeQv1mhUh9s0zY4UARRGRb9i8Zhr
+					ERor3lZprmujx/Ok6XndTW7vRY/0IfC2i99C
+					0zfcIdzuZ96YtiUFFTynptz3yxrJqQxeJaFt
+					vuZ4rd5XqSb3uPu8wVzYJEwhNRPJGqBpRAba
+					vxqOV1HAw89t1sUKXQR2qQ4HvpIzRIxFpIKQ
+					hRPMyd6uz0EtPQFE6ri1C5JkZkbdZ0r5SauY
+					EqZMsIl8oGtt1S5kEK2Agqx4b1pUfSv6cOLb
+					765SGYVr1RdjmFZ7ftYYZPyMKJl6t3/ruZ9f
+					iazQGzoO6O+nQq3DD8EjZynsnAedzyEe3Hxd
+					tJM1Rm3nWAPka4QV5hdzpU93N/ao4tRuCYp/
+					4pnVlc8MStuyuy9RRapEoOMs0iIQFPdidU+V
+					aM+ZSOa6RbYwzvzmX7I1UxBf5gKJzuDydDA= )
+ns.edns512-notcp.	60	IN A	10.53.0.7
+			60	RRSIG	A 10 2 60 (
+					20441127043558 20141205043558 59033 edns512-notcp.
+					eY/gUZcEKDE0loJ4zaxwJDg4E/S+ILJOrJrC
+					Yb64VWSE7RAzoQt8gYXAcEec4NLo2ZFsckTL
+					O0jD4db+q1rJLtniw+Xg/fckXvjxt21jNR43
+					+rW17ZuEYYlOWg9o+NyP9QnLjxNOR22f6gSx
+					FCLOca+8Yoxf4bw7EsdV98KajMFpcljQu2iE
+					NOKCoDSdunaZnhdP8kVuXO7P+VEXRa1OFzxb
+					mm2axihSqXcA7vdEdpGmTWoUFdG7p61Kl8Jw
+					rQzT7RiA3PoeyYoQ2wC2oitRr4lnsN/IF1vz
+					D3ldJ6pnYNVYmSHaS2potOMNDSTZtgV2LUmx
+					pqsaa3coYaJPJj0ijWzxw77nAXXQ7u/YWIzz
+					vUhXKygQIZaInl1msFPkFRy4AqriDmDnAAfJ
+					YyPunq7VkR2ExUhU1iFGGmDFE35ktxFl6AWL
+					/0CWElHPwuvqGksLnxrE7Syr25TOC+EhqDUS
+					G5X7/7Cb+Hl/twlA4oYDv8eXCwxMsncMp1cn
+					VDfwOrN4/JWzYcqNLTZHFRr+Uz7Fo8tGAri0
+					p7yDVHg35QN7usMKfsU3WnoOm1VlD/sU8bTW
+					32dudd3yauhdKlmytZ2s2PMrXBf7/fsjDlY6
+					ZEc91TwM9Yt71FQ27XKoP5eFGajlxG+haoyB
+					6jfoV4cIDq4MVerLOSUlczFjczbBXLHwLno= )
+			0	NSEC	txt500.edns512-notcp. A RRSIG NSEC
+			0	RRSIG	NSEC 10 2 0 (
+					20441127043558 20141205043558 59033 edns512-notcp.
+					mR1PHdEWNP90/80SAlKkj7jV0hBj0eDxM5Q0
+					RGPbv2pb1fOT/W8dTe2Qm/qwE0aY4nmRfiah
+					8klCAXH9gvVAQFbPlz8tkLKEOrKjZM/YP9Vd
+					EoUmYj6+G2OXYvvetVStpqfiSK731iPUhKUD
+					Y0uYUzTyqgmOyyKWApk1+C+b3fYNS2E0jA77
+					riOCULE2FSPim7cEGS7JWE22qRY4//ENQZ27
+					eA+KbkXWR+vdqnQ6vs1cIwsbGbFFzmcogMT2
+					3cN1e2lNbzTZIpVd9ukwp8FqyT0p7oz+q5r/
+					so4Zq0EGx473OgThMfTMs6pOg7L6M60jMhmF
+					8V50dpePHmFLxI/Nn4kvxcUt684L3TWGObFQ
+					y9vxO8Wh66+USSX8jyDnP8mtMnGEeHD9SVYz
+					WIbCDVUsvSkFqSi/2o1/SZYWQ+wXkj6qO2Mz
+					JIgJKucALub0dOfaoncPYa7kfOxEOmgwY39I
+					RQodc53Brhgn6IF/1zNxZd5/FpWUs4ivrpsN
+					MOKy/E+MJiaGOdj1RwNlDdZQNtamexxOjcaD
+					6pWAD44LgakoELE0Ktxtl/oMmouky0Dx/zwN
+					e9nEBTe9nTbG99lbzuGZ2vWkfqA1EsliCryd
+					wH6+EF3l5w9EEKBdVgBIEoHZ92TaiiJfRmFQ
+					LwEjS+AYjQKzmvp47lGqQf8/ggvMxcv/SCE= )
+txt500.edns512-notcp.	60	IN TXT	"01234567890123456789012345678901234567890123456789" "01234567890123456789012345678901234567890123456789" "01234567890123456789012345678901234567890123456789" "01234567890123456789012345678901234567890123456789" "01234567890123456789012345678901234567890123456789" "01234567890123456789012345678901234567890123456789" "01234567890123456789012345678901234567890123456789" "01234567890123456789012345678901234567890123456789" "01234567890123456789012345678901234567890123456789" "01234567890123456789012345678901234567890123456789" "01234567890123456789012345678901234567890123456789" "01234567890123456789012345678901234567890123456789"
+			60	RRSIG	TXT 10 2 60 (
+					20441127043558 20141205043558 59033 edns512-notcp.
+					fpzr1/DNby1CMHfZclvga7Pk9S3tqWn0wwC9
+					xsUhYoPRcaIN4o9g5rOC0fxX1W4Q6gEXt0l2
+					fKzUdxE9QqTgpJOAOcMJa7D1yRo2ifVoX3Oq
+					M2lUYusg3o0Wg1JuNnf3DXaSaLOiYOrS2ixs
+					XnPwU0pLiniGIT9Bh2OuMBPs5YP2dZRKKJ7z
+					VrxE4F213A0FQfN68tIbN5XrzwO8EfyjBTyM
+					YtApC33vMajYeILnFemLrs9VL5hbLoyKcyqg
+					1n0eSXhneHlYgsS5anSXWOSd9sT46jqpFwYF
+					O+frR2DNmdua4eZiUqA9HMgvaQnNodVU2Z5r
+					5lzrHSVSXS/Au7kp4FZtYCUj2W4m/grOidH9
+					ulwM0Ut+OZOOLHVcwBQGuedEEwU/h+YGbJH6
+					fomTvfW+NAaL6X3IJggcQnHmCOTf0f3xXeXT
+					iHK1hE+iabTQ8gCabt4KCQ11Oz8zu3j7ZB5T
+					2byQ49N2jj+i8+p2wsRbnz5Algx15KP11NM0
+					lUb+fhPlIrhbgwqPtv8udeRsBpRAwHXWrz5m
+					BxWQ5X52frQAPNoi51q5tTWE7UlpLYFBeXtW
+					0XY7o6+TqP+EN5lGwddNhS0wYRWE10M2Es8A
+					2q1RKIBDSPB3XEeULrQ6ciDgiDQ7T55p1KKM
+					r25OyqYCGZs9obDHnNVNQP2rTjfm6062TSo= )
+			0	NSEC	edns512-notcp. TXT RRSIG NSEC
+			0	RRSIG	NSEC 10 2 0 (
+					20441127043558 20141205043558 59033 edns512-notcp.
+					pTTiIXjWLSH1Qm59kZlX0QmXtm7gDhL4RdQF
+					sHMtxZA1JhWjBC3u48C8M19ZWTu1xmTrhuil
+					tPV9a4u9zTasPWOy2HSKnl/jMaqGZ3xa96mo
+					I1qULVqb8XRTYqPsJ3reD6x9jJepEFAsK+xa
+					/TdrFTfZ5Oc0RYLQxH2qrJVc2n7S5gCHp10O
+					extcck2cyhiaRnI/wha6PdAXKG0ikX/oKAQL
+					hMcNUpOeewJLTvXasVPf4cF9O0B1/wXun3C4
+					lkzKF+fYBe2qg6ikGgsHws72/TYD2xDOae41
+					yjkVwdthTECDzedPc6jbKeApyEGA1G2lc7Ie
+					DE1rLRP3OhME5X9bhPcQnop4k583RQI0QY60
+					PUdZ/cr99eM6Zj3Mal6zBrebPiBAJVnr8C4X
+					/ozv3MFmaoNalB0JuTVojCboQ6Sf7+UCumXk
+					VK56zx6ZiGcwtnKHRQZIGGsHpPt28zo33wKJ
+					0xljGuxfnxstGGmUUCTrhi0U/8991ZdqnjHg
+					hBkWxmEm1X5ioIVy5c5M6baSoEmls4iwad/O
+					vU9cx0aXxqir7/5jYlMFjn6Xo2BuUVQWf/LY
+					E9rZRZUN0a4sh7Wj8pjKS1hJ5pTK9C3ijEqD
+					Y9B5OslWHcOhSlv4q9YwuZkBo/b8UiV6EOnS
+					vE/TgzfP7DcXjTI5qErka0iJMxz/m90VuiU= )
diff --git a/bin/tests/system/legacy/ns7/named.args b/bin/tests/system/legacy/ns7/named.args
new file mode 100644
index 0000000..e491a95
--- /dev/null
+++ b/bin/tests/system/legacy/ns7/named.args
@@ -0,0 +1 @@
+-m record,size,mctx -c named.conf -d 99 -D legacy-ns7 -X named.lock -g -U 4 -T maxcachesize=2097152 -T maxudp512
diff --git a/bin/tests/system/legacy/ns7/named.conf.in b/bin/tests/system/legacy/ns7/named.conf.in
new file mode 100644
index 0000000..ada7d4f
--- /dev/null
+++ b/bin/tests/system/legacy/ns7/named.conf.in
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.7;
+	notify-source 10.53.0.7;
+	transfer-source 10.53.0.7;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.7; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+	max-udp-size 4096;
+	edns-udp-size 4096;
+	nocookie-udp-size 4096;
+};
+
+zone "edns512-notcp" {
+	type primary;
+	file "edns512-notcp.db.signed";
+};
diff --git a/bin/tests/system/legacy/ns7/named.notcp b/bin/tests/system/legacy/ns7/named.notcp
new file mode 100644
index 0000000..e25c3a8
--- /dev/null
+++ b/bin/tests/system/legacy/ns7/named.notcp
@@ -0,0 +1 @@
+notcp
diff --git a/bin/tests/system/legacy/ns7/sign.sh b/bin/tests/system/legacy/ns7/sign.sh
new file mode 100755
index 0000000..90ceca9
--- /dev/null
+++ b/bin/tests/system/legacy/ns7/sign.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+SYSTESTDIR=legacy
+
+echo_i "sign edns512-notcp"
+
+zone=edns512-notcp
+infile=edns512-notcp.db.in
+zonefile=edns512-notcp.db
+outfile=edns512-notcp.db.signed
+
+keyname1=`$KEYGEN -a RSASHA512 -b 4096 -n zone $zone 2> /dev/null` 
+keyname2=`$KEYGEN -f KSK -a RSASHA512 -b 4096 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -o $zone -f $outfile -e +30y $zonefile > /dev/null 2> signer.err || cat signer.err
+
+keyfile_to_static_ds $keyname2 > trusted.conf
+cp trusted.conf ../ns1
diff --git a/bin/tests/system/legacy/ns8/ednsformerr.db b/bin/tests/system/legacy/ns8/ednsformerr.db
new file mode 100644
index 0000000..9aa3a4a
--- /dev/null
+++ b/bin/tests/system/legacy/ns8/ednsformerr.db
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@	60	SOA	ns marka.isc.org. 1 0 0 0 0
+@	60	NS	ns
+ns	60	A	10.53.0.8
diff --git a/bin/tests/system/legacy/ns8/named.conf.in b/bin/tests/system/legacy/ns8/named.conf.in
new file mode 100644
index 0000000..7431cf8
--- /dev/null
+++ b/bin/tests/system/legacy/ns8/named.conf.in
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.8;
+	notify-source 10.53.0.8;
+	transfer-source 10.53.0.8;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.8; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+};
+
+zone "ednsformerr" {
+	type primary;
+	file "ednsformerr.db";
+};
diff --git a/bin/tests/system/legacy/ns8/named.ednsformerr b/bin/tests/system/legacy/ns8/named.ednsformerr
new file mode 100644
index 0000000..e35cb02
--- /dev/null
+++ b/bin/tests/system/legacy/ns8/named.ednsformerr
@@ -0,0 +1 @@
+ednsformerr
diff --git a/bin/tests/system/legacy/ns9/ednsnotimp.db b/bin/tests/system/legacy/ns9/ednsnotimp.db
new file mode 100644
index 0000000..9aa3a4a
--- /dev/null
+++ b/bin/tests/system/legacy/ns9/ednsnotimp.db
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@	60	SOA	ns marka.isc.org. 1 0 0 0 0
+@	60	NS	ns
+ns	60	A	10.53.0.8
diff --git a/bin/tests/system/legacy/ns9/named.conf.in b/bin/tests/system/legacy/ns9/named.conf.in
new file mode 100644
index 0000000..385fbfd
--- /dev/null
+++ b/bin/tests/system/legacy/ns9/named.conf.in
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.9;
+	notify-source 10.53.0.9;
+	transfer-source 10.53.0.9;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.9; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+};
+
+zone "ednsnotimp" {
+	type primary;
+	file "ednsnotimp.db";
+};
diff --git a/bin/tests/system/legacy/ns9/named.ednsnotimp b/bin/tests/system/legacy/ns9/named.ednsnotimp
new file mode 100644
index 0000000..4e6424d
--- /dev/null
+++ b/bin/tests/system/legacy/ns9/named.ednsnotimp
@@ -0,0 +1 @@
+ednsnotimp
diff --git a/bin/tests/system/legacy/setup.sh b/bin/tests/system/legacy/setup.sh
new file mode 100644
index 0000000..2356d8f
--- /dev/null
+++ b/bin/tests/system/legacy/setup.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named1.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+copy_setports ns6/named.conf.in ns6/named.conf
+copy_setports ns7/named.conf.in ns7/named.conf
+copy_setports ns8/named.conf.in ns8/named.conf
+copy_setports ns9/named.conf.in ns9/named.conf
+copy_setports ns10/named.conf.in ns10/named.conf
diff --git a/bin/tests/system/legacy/tests.sh b/bin/tests/system/legacy/tests.sh
new file mode 100755
index 0000000..5e1622b
--- /dev/null
+++ b/bin/tests/system/legacy/tests.sh
@@ -0,0 +1,275 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="-p ${PORT} +tries=1 +time=2"
+
+# Check whether the SOA record for the name provided in $1 can be resolved by
+# ns1.  Return 0 if resolution succeeds as expected; return 1 otherwise.
+resolution_succeeds() {
+	_ret=0
+	$DIG $DIGOPTS +tcp +tries=3 +time=5 @10.53.0.1 ${1} SOA > dig.out.test$n || _ret=1
+	grep "status: NOERROR" dig.out.test$n > /dev/null || _ret=1
+	return $_ret
+}
+
+# Check whether the SOA record for the name provided in $1 can be resolved by
+# ns1.  Return 0 if resolution fails as expected; return 1 otherwise.  Note that
+# both a SERVFAIL response and timing out mean resolution failed, so the exit
+# code of dig does not influence the result (the exit code for a SERVFAIL
+# response is 0 while the exit code for not getting a response at all is not 0).
+resolution_fails() {
+	_servfail=0
+	_timeout=0
+	$DIG $DIGOPTS +tcp +time=5 @10.53.0.1 ${1} SOA > dig.out.test$n
+	grep "status: SERVFAIL" dig.out.test$n > /dev/null && _servfail=1
+	grep "connection timed out" dig.out.test$n > /dev/null && _timeout=1
+	if [ $_servfail -eq 1 ] || [ $_timeout -eq 1 ]; then
+		return 0
+	else
+		return 1
+	fi
+}
+
+status=0
+n=0
+
+n=`expr $n + 1`
+echo_i "checking formerr edns server setup ($n)"
+ret=0
+$DIG $DIGOPTS +edns @10.53.0.8 ednsformerr soa > dig.out.1.test$n || ret=1
+grep "status: FORMERR" dig.out.1.test$n > /dev/null || ret=1
+grep "EDNS: version:" dig.out.1.test$n > /dev/null && ret=1
+$DIG $DIGOPTS +noedns @10.53.0.8 ednsformerr soa > dig.out.2.test$n || ret=1
+grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1
+grep "EDNS: version:" dig.out.2.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking recursive lookup to formerr edns server succeeds ($n)"
+ret=0
+resolution_succeeds ednsformerr. || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking notimp edns server setup ($n)"
+ret=0
+$DIG $DIGOPTS +edns @10.53.0.9 ednsnotimp soa > dig.out.1.test$n || ret=1
+grep "status: NOTIMP" dig.out.1.test$n > /dev/null || ret=1
+grep "EDNS: version:" dig.out.1.test$n > /dev/null && ret=1
+$DIG $DIGOPTS +noedns @10.53.0.9 ednsnotimp soa > dig.out.2.test$n || ret=1
+grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1
+grep "EDNS: version:" dig.out.2.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking recursive lookup to notimp edns server fails ($n)"
+ret=0
+resolution_fails ednsnotimp. || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking refused edns server setup ($n)"
+ret=0
+$DIG $DIGOPTS +edns @10.53.0.10 ednsrefused soa > dig.out.1.test$n || ret=1
+grep "status: REFUSED" dig.out.1.test$n > /dev/null || ret=1
+grep "EDNS: version:" dig.out.1.test$n > /dev/null && ret=1
+$DIG $DIGOPTS +noedns @10.53.0.10 ednsrefused soa > dig.out.2.test$n || ret=1
+grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1
+grep "EDNS: version:" dig.out.2.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking recursive lookup to refused edns server fails ($n)"
+ret=0
+resolution_fails ednsrefused. || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking drop edns server setup ($n)"
+ret=0
+$DIG $DIGOPTS +edns @10.53.0.2 dropedns soa > dig.out.1.test$n && ret=1
+grep "connection timed out; no servers could be reached" dig.out.1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +noedns @10.53.0.2 dropedns soa > dig.out.2.test$n || ret=1
+grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1
+grep "EDNS: version:" dig.out.2.test$n > /dev/null && ret=1
+$DIG $DIGOPTS +noedns +tcp @10.53.0.2 dropedns soa > dig.out.3.test$n || ret=1
+grep "status: NOERROR" dig.out.3.test$n > /dev/null || ret=1
+grep "EDNS: version:" dig.out.3.test$n > /dev/null && ret=1
+$DIG $DIGOPTS +edns +tcp @10.53.0.2 dropedns soa > dig.out.4.test$n && ret=1
+grep "connection timed out; no servers could be reached" dig.out.4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking recursive lookup to drop edns server fails ($n)"
+ret=0
+resolution_fails dropedns. || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking drop edns + no tcp server setup ($n)"
+ret=0
+$DIG $DIGOPTS +edns @10.53.0.3 dropedns-notcp soa > dig.out.1.test$n && ret=1
+grep "connection timed out; no servers could be reached" dig.out.1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +noedns +tcp @10.53.0.3 dropedns-notcp soa > dig.out.2.test$n && ret=1
+grep "connection refused" dig.out.2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +noedns @10.53.0.3 dropedns-notcp soa > dig.out.3.test$n || ret=1
+grep "status: NOERROR" dig.out.3.test$n > /dev/null || ret=1
+grep "EDNS: version:" dig.out.3.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking recursive lookup to drop edns + no tcp server fails ($n)"
+ret=0
+resolution_fails dropedns-notcp. || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking plain dns server setup ($n)"
+ret=0
+$DIG $DIGOPTS +edns @10.53.0.4 plain soa > dig.out.1.test$n || ret=1
+grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1
+grep "EDNS: version:" dig.out.1.test$n > /dev/null && ret=1
+$DIG $DIGOPTS +edns +tcp @10.53.0.4 plain soa > dig.out.2.test$n
+grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1
+grep "EDNS: version:" dig.out.2.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking recursive lookup to plain dns server succeeds ($n)"
+ret=0
+resolution_succeeds plain. || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking plain dns + no tcp server setup ($n)"
+ret=0
+$DIG $DIGOPTS +edns @10.53.0.5 plain-notcp soa > dig.out.1.test$n || ret=1
+grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1
+grep "EDNS: version:" dig.out.1.test$n > /dev/null && ret=1
+$DIG $DIGOPTS +edns +tcp @10.53.0.5 plain-notcp soa > dig.out.2.test$n
+grep "connection refused" dig.out.2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking recursive lookup to plain dns + no tcp server succeeds ($n)"
+ret=0
+resolution_succeeds plain-notcp. || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+echo_i "checking edns 512 server setup ($n)"
+ret=0
+$DIG $DIGOPTS +edns @10.53.0.6 edns512 soa > dig.out.1.test$n || ret=1
+grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1
+grep "EDNS: version:" dig.out.1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +edns +tcp @10.53.0.6 edns512 soa > dig.out.2.test$n || ret=1
+grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1
+grep "EDNS: version:" dig.out.2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +edns +dnssec @10.53.0.6 edns512 soa > dig.out.3.test$n && ret=1
+grep "connection timed out; no servers could be reached" dig.out.3.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +edns +dnssec +bufsize=512 +ignore @10.53.0.6 edns512 soa > dig.out.4.test$n || ret=1
+grep "status: NOERROR" dig.out.4.test$n > /dev/null || ret=1
+grep "EDNS: version:" dig.out.4.test$n > /dev/null || ret=1
+grep "flags:.* tc[ ;]" dig.out.4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking recursive lookup to edns 512 server succeeds ($n)"
+ret=0
+resolution_succeeds edns512. || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking edns 512 + no tcp server setup ($n)"
+ret=0
+$DIG $DIGOPTS +edns @10.53.0.7 edns512-notcp soa > dig.out.1.test$n || ret=1
+grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1
+grep "EDNS: version:" dig.out.1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +edns +tcp @10.53.0.7 edns512-notcp soa > dig.out.2.test$n && ret=1
+grep "connection refused" dig.out.2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +edns +dnssec @10.53.0.7 edns512-notcp soa > dig.out.3.test$n && ret=1
+grep "connection timed out; no servers could be reached" dig.out.3.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +edns +dnssec +bufsize=512 +ignore @10.53.0.7 edns512-notcp soa > dig.out.4.test$n || ret=1
+grep "status: NOERROR" dig.out.4.test$n > /dev/null || ret=1
+grep "EDNS: version:" dig.out.4.test$n > /dev/null || ret=1
+grep "flags:.* tc[ ;]" dig.out.4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking recursive lookup to edns 512 + no tcp server fails ($n)"
+ret=0
+resolution_fails edns512-notcp. || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking recursive lookup to edns 512 + no tcp server does not cause query loops ($n)"
+ret=0
+sent=`grep -c -F "sending packet to 10.53.0.7" ns1/named.run`
+if [ $sent -ge 10 ]; then
+	echo_i "ns1 sent $sent queries to ns7, expected less than 10"
+	ret=1
+fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that TCP failures do not influence EDNS statistics in the ADB ($n)"
+ret=0
+rndc_dumpdb ns1 -adb || ret=1
+timeouts512=`sed -n "s|.*10\.53\.0\.7.*\[edns \([0-9/][0-9/]*\).*|\1|p" ns1/named_dump.db.test$n | awk -F/ '{print $NF}'`
+if [ $timeouts512 -ne 0 ]; then
+	echo_i "512-byte EDNS timeouts according to ADB: $timeouts512, expected: 0"
+	ret=1
+fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+stop_server --use-rndc --port ${CONTROLPORT} ns1
+copy_setports ns1/named2.conf.in ns1/named.conf
+start_server --noclean --restart --port ${PORT} ns1
+
+n=`expr $n + 1`
+echo_i "checking recursive lookup to edns 512 + no tcp + trust anchor fails ($n)"
+# retry loop in case the server restart above causes transient failure
+for try in 0 1 2 3 4 5 6 7 8 9; do
+    ret=0
+    resolution_fails edns512-notcp. || ret=1
+    [ "$ret" -eq 0 ] && break
+    sleep 1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/limits/clean.sh b/bin/tests/system/limits/clean.sh
new file mode 100644
index 0000000..b69c695
--- /dev/null
+++ b/bin/tests/system/limits/clean.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Clean up after limits tests.
+#
+rm -f dig.out.*
+rm -f */named.memstats
+rm -f */named.conf
+rm -f */named.run
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/limits/knowngood.dig.out.1000 b/bin/tests/system/limits/knowngood.dig.out.1000
new file mode 100644
index 0000000..3b7e01a
--- /dev/null
+++ b/bin/tests/system/limits/knowngood.dig.out.1000
@@ -0,0 +1,1023 @@
+
+; <<>> DiG 8.2 <<>> 1000.example. @10.53.0.1 a -p
+; (1 server found)
+;; res options: init recurs defnam dnsrch
+;; got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
+;; flags: qr aa rd ad; QUERY: 1, ANSWER: 1000, AUTHORITY: 1, ADDITIONAL: 1
+;; QUERY SECTION:
+;;	1000.example, type = A, class = IN
+
+;; ANSWER SECTION:
+1000.example.		5M IN A		10.0.0.0
+1000.example.		5M IN A		10.0.0.1
+1000.example.		5M IN A		10.0.0.2
+1000.example.		5M IN A		10.0.0.3
+1000.example.		5M IN A		10.0.0.4
+1000.example.		5M IN A		10.0.0.5
+1000.example.		5M IN A		10.0.0.6
+1000.example.		5M IN A		10.0.0.7
+1000.example.		5M IN A		10.0.0.8
+1000.example.		5M IN A		10.0.0.9
+1000.example.		5M IN A		10.0.0.10
+1000.example.		5M IN A		10.0.0.11
+1000.example.		5M IN A		10.0.0.12
+1000.example.		5M IN A		10.0.0.13
+1000.example.		5M IN A		10.0.0.14
+1000.example.		5M IN A		10.0.0.15
+1000.example.		5M IN A		10.0.0.16
+1000.example.		5M IN A		10.0.0.17
+1000.example.		5M IN A		10.0.0.18
+1000.example.		5M IN A		10.0.0.19
+1000.example.		5M IN A		10.0.0.20
+1000.example.		5M IN A		10.0.0.21
+1000.example.		5M IN A		10.0.0.22
+1000.example.		5M IN A		10.0.0.23
+1000.example.		5M IN A		10.0.0.24
+1000.example.		5M IN A		10.0.0.25
+1000.example.		5M IN A		10.0.0.26
+1000.example.		5M IN A		10.0.0.27
+1000.example.		5M IN A		10.0.0.28
+1000.example.		5M IN A		10.0.0.29
+1000.example.		5M IN A		10.0.0.30
+1000.example.		5M IN A		10.0.0.31
+1000.example.		5M IN A		10.0.0.32
+1000.example.		5M IN A		10.0.0.33
+1000.example.		5M IN A		10.0.0.34
+1000.example.		5M IN A		10.0.0.35
+1000.example.		5M IN A		10.0.0.36
+1000.example.		5M IN A		10.0.0.37
+1000.example.		5M IN A		10.0.0.38
+1000.example.		5M IN A		10.0.0.39
+1000.example.		5M IN A		10.0.0.40
+1000.example.		5M IN A		10.0.0.41
+1000.example.		5M IN A		10.0.0.42
+1000.example.		5M IN A		10.0.0.43
+1000.example.		5M IN A		10.0.0.44
+1000.example.		5M IN A		10.0.0.45
+1000.example.		5M IN A		10.0.0.46
+1000.example.		5M IN A		10.0.0.47
+1000.example.		5M IN A		10.0.0.48
+1000.example.		5M IN A		10.0.0.49
+1000.example.		5M IN A		10.0.0.50
+1000.example.		5M IN A		10.0.0.51
+1000.example.		5M IN A		10.0.0.52
+1000.example.		5M IN A		10.0.0.53
+1000.example.		5M IN A		10.0.0.54
+1000.example.		5M IN A		10.0.0.55
+1000.example.		5M IN A		10.0.0.56
+1000.example.		5M IN A		10.0.0.57
+1000.example.		5M IN A		10.0.0.58
+1000.example.		5M IN A		10.0.0.59
+1000.example.		5M IN A		10.0.0.60
+1000.example.		5M IN A		10.0.0.61
+1000.example.		5M IN A		10.0.0.62
+1000.example.		5M IN A		10.0.0.63
+1000.example.		5M IN A		10.0.0.64
+1000.example.		5M IN A		10.0.0.65
+1000.example.		5M IN A		10.0.0.66
+1000.example.		5M IN A		10.0.0.67
+1000.example.		5M IN A		10.0.0.68
+1000.example.		5M IN A		10.0.0.69
+1000.example.		5M IN A		10.0.0.70
+1000.example.		5M IN A		10.0.0.71
+1000.example.		5M IN A		10.0.0.72
+1000.example.		5M IN A		10.0.0.73
+1000.example.		5M IN A		10.0.0.74
+1000.example.		5M IN A		10.0.0.75
+1000.example.		5M IN A		10.0.0.76
+1000.example.		5M IN A		10.0.0.77
+1000.example.		5M IN A		10.0.0.78
+1000.example.		5M IN A		10.0.0.79
+1000.example.		5M IN A		10.0.0.80
+1000.example.		5M IN A		10.0.0.81
+1000.example.		5M IN A		10.0.0.82
+1000.example.		5M IN A		10.0.0.83
+1000.example.		5M IN A		10.0.0.84
+1000.example.		5M IN A		10.0.0.85
+1000.example.		5M IN A		10.0.0.86
+1000.example.		5M IN A		10.0.0.87
+1000.example.		5M IN A		10.0.0.88
+1000.example.		5M IN A		10.0.0.89
+1000.example.		5M IN A		10.0.0.90
+1000.example.		5M IN A		10.0.0.91
+1000.example.		5M IN A		10.0.0.92
+1000.example.		5M IN A		10.0.0.93
+1000.example.		5M IN A		10.0.0.94
+1000.example.		5M IN A		10.0.0.95
+1000.example.		5M IN A		10.0.0.96
+1000.example.		5M IN A		10.0.0.97
+1000.example.		5M IN A		10.0.0.98
+1000.example.		5M IN A		10.0.0.99
+1000.example.		5M IN A		10.0.0.100
+1000.example.		5M IN A		10.0.0.101
+1000.example.		5M IN A		10.0.0.102
+1000.example.		5M IN A		10.0.0.103
+1000.example.		5M IN A		10.0.0.104
+1000.example.		5M IN A		10.0.0.105
+1000.example.		5M IN A		10.0.0.106
+1000.example.		5M IN A		10.0.0.107
+1000.example.		5M IN A		10.0.0.108
+1000.example.		5M IN A		10.0.0.109
+1000.example.		5M IN A		10.0.0.110
+1000.example.		5M IN A		10.0.0.111
+1000.example.		5M IN A		10.0.0.112
+1000.example.		5M IN A		10.0.0.113
+1000.example.		5M IN A		10.0.0.114
+1000.example.		5M IN A		10.0.0.115
+1000.example.		5M IN A		10.0.0.116
+1000.example.		5M IN A		10.0.0.117
+1000.example.		5M IN A		10.0.0.118
+1000.example.		5M IN A		10.0.0.119
+1000.example.		5M IN A		10.0.0.120
+1000.example.		5M IN A		10.0.0.121
+1000.example.		5M IN A		10.0.0.122
+1000.example.		5M IN A		10.0.0.123
+1000.example.		5M IN A		10.0.0.124
+1000.example.		5M IN A		10.0.0.125
+1000.example.		5M IN A		10.0.0.126
+1000.example.		5M IN A		10.0.0.127
+1000.example.		5M IN A		10.0.0.128
+1000.example.		5M IN A		10.0.0.129
+1000.example.		5M IN A		10.0.0.130
+1000.example.		5M IN A		10.0.0.131
+1000.example.		5M IN A		10.0.0.132
+1000.example.		5M IN A		10.0.0.133
+1000.example.		5M IN A		10.0.0.134
+1000.example.		5M IN A		10.0.0.135
+1000.example.		5M IN A		10.0.0.136
+1000.example.		5M IN A		10.0.0.137
+1000.example.		5M IN A		10.0.0.138
+1000.example.		5M IN A		10.0.0.139
+1000.example.		5M IN A		10.0.0.140
+1000.example.		5M IN A		10.0.0.141
+1000.example.		5M IN A		10.0.0.142
+1000.example.		5M IN A		10.0.0.143
+1000.example.		5M IN A		10.0.0.144
+1000.example.		5M IN A		10.0.0.145
+1000.example.		5M IN A		10.0.0.146
+1000.example.		5M IN A		10.0.0.147
+1000.example.		5M IN A		10.0.0.148
+1000.example.		5M IN A		10.0.0.149
+1000.example.		5M IN A		10.0.0.150
+1000.example.		5M IN A		10.0.0.151
+1000.example.		5M IN A		10.0.0.152
+1000.example.		5M IN A		10.0.0.153
+1000.example.		5M IN A		10.0.0.154
+1000.example.		5M IN A		10.0.0.155
+1000.example.		5M IN A		10.0.0.156
+1000.example.		5M IN A		10.0.0.157
+1000.example.		5M IN A		10.0.0.158
+1000.example.		5M IN A		10.0.0.159
+1000.example.		5M IN A		10.0.0.160
+1000.example.		5M IN A		10.0.0.161
+1000.example.		5M IN A		10.0.0.162
+1000.example.		5M IN A		10.0.0.163
+1000.example.		5M IN A		10.0.0.164
+1000.example.		5M IN A		10.0.0.165
+1000.example.		5M IN A		10.0.0.166
+1000.example.		5M IN A		10.0.0.167
+1000.example.		5M IN A		10.0.0.168
+1000.example.		5M IN A		10.0.0.169
+1000.example.		5M IN A		10.0.0.170
+1000.example.		5M IN A		10.0.0.171
+1000.example.		5M IN A		10.0.0.172
+1000.example.		5M IN A		10.0.0.173
+1000.example.		5M IN A		10.0.0.174
+1000.example.		5M IN A		10.0.0.175
+1000.example.		5M IN A		10.0.0.176
+1000.example.		5M IN A		10.0.0.177
+1000.example.		5M IN A		10.0.0.178
+1000.example.		5M IN A		10.0.0.179
+1000.example.		5M IN A		10.0.0.180
+1000.example.		5M IN A		10.0.0.181
+1000.example.		5M IN A		10.0.0.182
+1000.example.		5M IN A		10.0.0.183
+1000.example.		5M IN A		10.0.0.184
+1000.example.		5M IN A		10.0.0.185
+1000.example.		5M IN A		10.0.0.186
+1000.example.		5M IN A		10.0.0.187
+1000.example.		5M IN A		10.0.0.188
+1000.example.		5M IN A		10.0.0.189
+1000.example.		5M IN A		10.0.0.190
+1000.example.		5M IN A		10.0.0.191
+1000.example.		5M IN A		10.0.0.192
+1000.example.		5M IN A		10.0.0.193
+1000.example.		5M IN A		10.0.0.194
+1000.example.		5M IN A		10.0.0.195
+1000.example.		5M IN A		10.0.0.196
+1000.example.		5M IN A		10.0.0.197
+1000.example.		5M IN A		10.0.0.198
+1000.example.		5M IN A		10.0.0.199
+1000.example.		5M IN A		10.0.0.200
+1000.example.		5M IN A		10.0.0.201
+1000.example.		5M IN A		10.0.0.202
+1000.example.		5M IN A		10.0.0.203
+1000.example.		5M IN A		10.0.0.204
+1000.example.		5M IN A		10.0.0.205
+1000.example.		5M IN A		10.0.0.206
+1000.example.		5M IN A		10.0.0.207
+1000.example.		5M IN A		10.0.0.208
+1000.example.		5M IN A		10.0.0.209
+1000.example.		5M IN A		10.0.0.210
+1000.example.		5M IN A		10.0.0.211
+1000.example.		5M IN A		10.0.0.212
+1000.example.		5M IN A		10.0.0.213
+1000.example.		5M IN A		10.0.0.214
+1000.example.		5M IN A		10.0.0.215
+1000.example.		5M IN A		10.0.0.216
+1000.example.		5M IN A		10.0.0.217
+1000.example.		5M IN A		10.0.0.218
+1000.example.		5M IN A		10.0.0.219
+1000.example.		5M IN A		10.0.0.220
+1000.example.		5M IN A		10.0.0.221
+1000.example.		5M IN A		10.0.0.222
+1000.example.		5M IN A		10.0.0.223
+1000.example.		5M IN A		10.0.0.224
+1000.example.		5M IN A		10.0.0.225
+1000.example.		5M IN A		10.0.0.226
+1000.example.		5M IN A		10.0.0.227
+1000.example.		5M IN A		10.0.0.228
+1000.example.		5M IN A		10.0.0.229
+1000.example.		5M IN A		10.0.0.230
+1000.example.		5M IN A		10.0.0.231
+1000.example.		5M IN A		10.0.0.232
+1000.example.		5M IN A		10.0.0.233
+1000.example.		5M IN A		10.0.0.234
+1000.example.		5M IN A		10.0.0.235
+1000.example.		5M IN A		10.0.0.236
+1000.example.		5M IN A		10.0.0.237
+1000.example.		5M IN A		10.0.0.238
+1000.example.		5M IN A		10.0.0.239
+1000.example.		5M IN A		10.0.0.240
+1000.example.		5M IN A		10.0.0.241
+1000.example.		5M IN A		10.0.0.242
+1000.example.		5M IN A		10.0.0.243
+1000.example.		5M IN A		10.0.0.244
+1000.example.		5M IN A		10.0.0.245
+1000.example.		5M IN A		10.0.0.246
+1000.example.		5M IN A		10.0.0.247
+1000.example.		5M IN A		10.0.0.248
+1000.example.		5M IN A		10.0.0.249
+1000.example.		5M IN A		10.0.0.250
+1000.example.		5M IN A		10.0.0.251
+1000.example.		5M IN A		10.0.0.252
+1000.example.		5M IN A		10.0.0.253
+1000.example.		5M IN A		10.0.0.254
+1000.example.		5M IN A		10.0.0.255
+1000.example.		5M IN A		10.0.1.0
+1000.example.		5M IN A		10.0.1.1
+1000.example.		5M IN A		10.0.1.2
+1000.example.		5M IN A		10.0.1.3
+1000.example.		5M IN A		10.0.1.4
+1000.example.		5M IN A		10.0.1.5
+1000.example.		5M IN A		10.0.1.6
+1000.example.		5M IN A		10.0.1.7
+1000.example.		5M IN A		10.0.1.8
+1000.example.		5M IN A		10.0.1.9
+1000.example.		5M IN A		10.0.1.10
+1000.example.		5M IN A		10.0.1.11
+1000.example.		5M IN A		10.0.1.12
+1000.example.		5M IN A		10.0.1.13
+1000.example.		5M IN A		10.0.1.14
+1000.example.		5M IN A		10.0.1.15
+1000.example.		5M IN A		10.0.1.16
+1000.example.		5M IN A		10.0.1.17
+1000.example.		5M IN A		10.0.1.18
+1000.example.		5M IN A		10.0.1.19
+1000.example.		5M IN A		10.0.1.20
+1000.example.		5M IN A		10.0.1.21
+1000.example.		5M IN A		10.0.1.22
+1000.example.		5M IN A		10.0.1.23
+1000.example.		5M IN A		10.0.1.24
+1000.example.		5M IN A		10.0.1.25
+1000.example.		5M IN A		10.0.1.26
+1000.example.		5M IN A		10.0.1.27
+1000.example.		5M IN A		10.0.1.28
+1000.example.		5M IN A		10.0.1.29
+1000.example.		5M IN A		10.0.1.30
+1000.example.		5M IN A		10.0.1.31
+1000.example.		5M IN A		10.0.1.32
+1000.example.		5M IN A		10.0.1.33
+1000.example.		5M IN A		10.0.1.34
+1000.example.		5M IN A		10.0.1.35
+1000.example.		5M IN A		10.0.1.36
+1000.example.		5M IN A		10.0.1.37
+1000.example.		5M IN A		10.0.1.38
+1000.example.		5M IN A		10.0.1.39
+1000.example.		5M IN A		10.0.1.40
+1000.example.		5M IN A		10.0.1.41
+1000.example.		5M IN A		10.0.1.42
+1000.example.		5M IN A		10.0.1.43
+1000.example.		5M IN A		10.0.1.44
+1000.example.		5M IN A		10.0.1.45
+1000.example.		5M IN A		10.0.1.46
+1000.example.		5M IN A		10.0.1.47
+1000.example.		5M IN A		10.0.1.48
+1000.example.		5M IN A		10.0.1.49
+1000.example.		5M IN A		10.0.1.50
+1000.example.		5M IN A		10.0.1.51
+1000.example.		5M IN A		10.0.1.52
+1000.example.		5M IN A		10.0.1.53
+1000.example.		5M IN A		10.0.1.54
+1000.example.		5M IN A		10.0.1.55
+1000.example.		5M IN A		10.0.1.56
+1000.example.		5M IN A		10.0.1.57
+1000.example.		5M IN A		10.0.1.58
+1000.example.		5M IN A		10.0.1.59
+1000.example.		5M IN A		10.0.1.60
+1000.example.		5M IN A		10.0.1.61
+1000.example.		5M IN A		10.0.1.62
+1000.example.		5M IN A		10.0.1.63
+1000.example.		5M IN A		10.0.1.64
+1000.example.		5M IN A		10.0.1.65
+1000.example.		5M IN A		10.0.1.66
+1000.example.		5M IN A		10.0.1.67
+1000.example.		5M IN A		10.0.1.68
+1000.example.		5M IN A		10.0.1.69
+1000.example.		5M IN A		10.0.1.70
+1000.example.		5M IN A		10.0.1.71
+1000.example.		5M IN A		10.0.1.72
+1000.example.		5M IN A		10.0.1.73
+1000.example.		5M IN A		10.0.1.74
+1000.example.		5M IN A		10.0.1.75
+1000.example.		5M IN A		10.0.1.76
+1000.example.		5M IN A		10.0.1.77
+1000.example.		5M IN A		10.0.1.78
+1000.example.		5M IN A		10.0.1.79
+1000.example.		5M IN A		10.0.1.80
+1000.example.		5M IN A		10.0.1.81
+1000.example.		5M IN A		10.0.1.82
+1000.example.		5M IN A		10.0.1.83
+1000.example.		5M IN A		10.0.1.84
+1000.example.		5M IN A		10.0.1.85
+1000.example.		5M IN A		10.0.1.86
+1000.example.		5M IN A		10.0.1.87
+1000.example.		5M IN A		10.0.1.88
+1000.example.		5M IN A		10.0.1.89
+1000.example.		5M IN A		10.0.1.90
+1000.example.		5M IN A		10.0.1.91
+1000.example.		5M IN A		10.0.1.92
+1000.example.		5M IN A		10.0.1.93
+1000.example.		5M IN A		10.0.1.94
+1000.example.		5M IN A		10.0.1.95
+1000.example.		5M IN A		10.0.1.96
+1000.example.		5M IN A		10.0.1.97
+1000.example.		5M IN A		10.0.1.98
+1000.example.		5M IN A		10.0.1.99
+1000.example.		5M IN A		10.0.1.100
+1000.example.		5M IN A		10.0.1.101
+1000.example.		5M IN A		10.0.1.102
+1000.example.		5M IN A		10.0.1.103
+1000.example.		5M IN A		10.0.1.104
+1000.example.		5M IN A		10.0.1.105
+1000.example.		5M IN A		10.0.1.106
+1000.example.		5M IN A		10.0.1.107
+1000.example.		5M IN A		10.0.1.108
+1000.example.		5M IN A		10.0.1.109
+1000.example.		5M IN A		10.0.1.110
+1000.example.		5M IN A		10.0.1.111
+1000.example.		5M IN A		10.0.1.112
+1000.example.		5M IN A		10.0.1.113
+1000.example.		5M IN A		10.0.1.114
+1000.example.		5M IN A		10.0.1.115
+1000.example.		5M IN A		10.0.1.116
+1000.example.		5M IN A		10.0.1.117
+1000.example.		5M IN A		10.0.1.118
+1000.example.		5M IN A		10.0.1.119
+1000.example.		5M IN A		10.0.1.120
+1000.example.		5M IN A		10.0.1.121
+1000.example.		5M IN A		10.0.1.122
+1000.example.		5M IN A		10.0.1.123
+1000.example.		5M IN A		10.0.1.124
+1000.example.		5M IN A		10.0.1.125
+1000.example.		5M IN A		10.0.1.126
+1000.example.		5M IN A		10.0.1.127
+1000.example.		5M IN A		10.0.1.128
+1000.example.		5M IN A		10.0.1.129
+1000.example.		5M IN A		10.0.1.130
+1000.example.		5M IN A		10.0.1.131
+1000.example.		5M IN A		10.0.1.132
+1000.example.		5M IN A		10.0.1.133
+1000.example.		5M IN A		10.0.1.134
+1000.example.		5M IN A		10.0.1.135
+1000.example.		5M IN A		10.0.1.136
+1000.example.		5M IN A		10.0.1.137
+1000.example.		5M IN A		10.0.1.138
+1000.example.		5M IN A		10.0.1.139
+1000.example.		5M IN A		10.0.1.140
+1000.example.		5M IN A		10.0.1.141
+1000.example.		5M IN A		10.0.1.142
+1000.example.		5M IN A		10.0.1.143
+1000.example.		5M IN A		10.0.1.144
+1000.example.		5M IN A		10.0.1.145
+1000.example.		5M IN A		10.0.1.146
+1000.example.		5M IN A		10.0.1.147
+1000.example.		5M IN A		10.0.1.148
+1000.example.		5M IN A		10.0.1.149
+1000.example.		5M IN A		10.0.1.150
+1000.example.		5M IN A		10.0.1.151
+1000.example.		5M IN A		10.0.1.152
+1000.example.		5M IN A		10.0.1.153
+1000.example.		5M IN A		10.0.1.154
+1000.example.		5M IN A		10.0.1.155
+1000.example.		5M IN A		10.0.1.156
+1000.example.		5M IN A		10.0.1.157
+1000.example.		5M IN A		10.0.1.158
+1000.example.		5M IN A		10.0.1.159
+1000.example.		5M IN A		10.0.1.160
+1000.example.		5M IN A		10.0.1.161
+1000.example.		5M IN A		10.0.1.162
+1000.example.		5M IN A		10.0.1.163
+1000.example.		5M IN A		10.0.1.164
+1000.example.		5M IN A		10.0.1.165
+1000.example.		5M IN A		10.0.1.166
+1000.example.		5M IN A		10.0.1.167
+1000.example.		5M IN A		10.0.1.168
+1000.example.		5M IN A		10.0.1.169
+1000.example.		5M IN A		10.0.1.170
+1000.example.		5M IN A		10.0.1.171
+1000.example.		5M IN A		10.0.1.172
+1000.example.		5M IN A		10.0.1.173
+1000.example.		5M IN A		10.0.1.174
+1000.example.		5M IN A		10.0.1.175
+1000.example.		5M IN A		10.0.1.176
+1000.example.		5M IN A		10.0.1.177
+1000.example.		5M IN A		10.0.1.178
+1000.example.		5M IN A		10.0.1.179
+1000.example.		5M IN A		10.0.1.180
+1000.example.		5M IN A		10.0.1.181
+1000.example.		5M IN A		10.0.1.182
+1000.example.		5M IN A		10.0.1.183
+1000.example.		5M IN A		10.0.1.184
+1000.example.		5M IN A		10.0.1.185
+1000.example.		5M IN A		10.0.1.186
+1000.example.		5M IN A		10.0.1.187
+1000.example.		5M IN A		10.0.1.188
+1000.example.		5M IN A		10.0.1.189
+1000.example.		5M IN A		10.0.1.190
+1000.example.		5M IN A		10.0.1.191
+1000.example.		5M IN A		10.0.1.192
+1000.example.		5M IN A		10.0.1.193
+1000.example.		5M IN A		10.0.1.194
+1000.example.		5M IN A		10.0.1.195
+1000.example.		5M IN A		10.0.1.196
+1000.example.		5M IN A		10.0.1.197
+1000.example.		5M IN A		10.0.1.198
+1000.example.		5M IN A		10.0.1.199
+1000.example.		5M IN A		10.0.1.200
+1000.example.		5M IN A		10.0.1.201
+1000.example.		5M IN A		10.0.1.202
+1000.example.		5M IN A		10.0.1.203
+1000.example.		5M IN A		10.0.1.204
+1000.example.		5M IN A		10.0.1.205
+1000.example.		5M IN A		10.0.1.206
+1000.example.		5M IN A		10.0.1.207
+1000.example.		5M IN A		10.0.1.208
+1000.example.		5M IN A		10.0.1.209
+1000.example.		5M IN A		10.0.1.210
+1000.example.		5M IN A		10.0.1.211
+1000.example.		5M IN A		10.0.1.212
+1000.example.		5M IN A		10.0.1.213
+1000.example.		5M IN A		10.0.1.214
+1000.example.		5M IN A		10.0.1.215
+1000.example.		5M IN A		10.0.1.216
+1000.example.		5M IN A		10.0.1.217
+1000.example.		5M IN A		10.0.1.218
+1000.example.		5M IN A		10.0.1.219
+1000.example.		5M IN A		10.0.1.220
+1000.example.		5M IN A		10.0.1.221
+1000.example.		5M IN A		10.0.1.222
+1000.example.		5M IN A		10.0.1.223
+1000.example.		5M IN A		10.0.1.224
+1000.example.		5M IN A		10.0.1.225
+1000.example.		5M IN A		10.0.1.226
+1000.example.		5M IN A		10.0.1.227
+1000.example.		5M IN A		10.0.1.228
+1000.example.		5M IN A		10.0.1.229
+1000.example.		5M IN A		10.0.1.230
+1000.example.		5M IN A		10.0.1.231
+1000.example.		5M IN A		10.0.1.232
+1000.example.		5M IN A		10.0.1.233
+1000.example.		5M IN A		10.0.1.234
+1000.example.		5M IN A		10.0.1.235
+1000.example.		5M IN A		10.0.1.236
+1000.example.		5M IN A		10.0.1.237
+1000.example.		5M IN A		10.0.1.238
+1000.example.		5M IN A		10.0.1.239
+1000.example.		5M IN A		10.0.1.240
+1000.example.		5M IN A		10.0.1.241
+1000.example.		5M IN A		10.0.1.242
+1000.example.		5M IN A		10.0.1.243
+1000.example.		5M IN A		10.0.1.244
+1000.example.		5M IN A		10.0.1.245
+1000.example.		5M IN A		10.0.1.246
+1000.example.		5M IN A		10.0.1.247
+1000.example.		5M IN A		10.0.1.248
+1000.example.		5M IN A		10.0.1.249
+1000.example.		5M IN A		10.0.1.250
+1000.example.		5M IN A		10.0.1.251
+1000.example.		5M IN A		10.0.1.252
+1000.example.		5M IN A		10.0.1.253
+1000.example.		5M IN A		10.0.1.254
+1000.example.		5M IN A		10.0.1.255
+1000.example.		5M IN A		10.0.2.0
+1000.example.		5M IN A		10.0.2.1
+1000.example.		5M IN A		10.0.2.2
+1000.example.		5M IN A		10.0.2.3
+1000.example.		5M IN A		10.0.2.4
+1000.example.		5M IN A		10.0.2.5
+1000.example.		5M IN A		10.0.2.6
+1000.example.		5M IN A		10.0.2.7
+1000.example.		5M IN A		10.0.2.8
+1000.example.		5M IN A		10.0.2.9
+1000.example.		5M IN A		10.0.2.10
+1000.example.		5M IN A		10.0.2.11
+1000.example.		5M IN A		10.0.2.12
+1000.example.		5M IN A		10.0.2.13
+1000.example.		5M IN A		10.0.2.14
+1000.example.		5M IN A		10.0.2.15
+1000.example.		5M IN A		10.0.2.16
+1000.example.		5M IN A		10.0.2.17
+1000.example.		5M IN A		10.0.2.18
+1000.example.		5M IN A		10.0.2.19
+1000.example.		5M IN A		10.0.2.20
+1000.example.		5M IN A		10.0.2.21
+1000.example.		5M IN A		10.0.2.22
+1000.example.		5M IN A		10.0.2.23
+1000.example.		5M IN A		10.0.2.24
+1000.example.		5M IN A		10.0.2.25
+1000.example.		5M IN A		10.0.2.26
+1000.example.		5M IN A		10.0.2.27
+1000.example.		5M IN A		10.0.2.28
+1000.example.		5M IN A		10.0.2.29
+1000.example.		5M IN A		10.0.2.30
+1000.example.		5M IN A		10.0.2.31
+1000.example.		5M IN A		10.0.2.32
+1000.example.		5M IN A		10.0.2.33
+1000.example.		5M IN A		10.0.2.34
+1000.example.		5M IN A		10.0.2.35
+1000.example.		5M IN A		10.0.2.36
+1000.example.		5M IN A		10.0.2.37
+1000.example.		5M IN A		10.0.2.38
+1000.example.		5M IN A		10.0.2.39
+1000.example.		5M IN A		10.0.2.40
+1000.example.		5M IN A		10.0.2.41
+1000.example.		5M IN A		10.0.2.42
+1000.example.		5M IN A		10.0.2.43
+1000.example.		5M IN A		10.0.2.44
+1000.example.		5M IN A		10.0.2.45
+1000.example.		5M IN A		10.0.2.46
+1000.example.		5M IN A		10.0.2.47
+1000.example.		5M IN A		10.0.2.48
+1000.example.		5M IN A		10.0.2.49
+1000.example.		5M IN A		10.0.2.50
+1000.example.		5M IN A		10.0.2.51
+1000.example.		5M IN A		10.0.2.52
+1000.example.		5M IN A		10.0.2.53
+1000.example.		5M IN A		10.0.2.54
+1000.example.		5M IN A		10.0.2.55
+1000.example.		5M IN A		10.0.2.56
+1000.example.		5M IN A		10.0.2.57
+1000.example.		5M IN A		10.0.2.58
+1000.example.		5M IN A		10.0.2.59
+1000.example.		5M IN A		10.0.2.60
+1000.example.		5M IN A		10.0.2.61
+1000.example.		5M IN A		10.0.2.62
+1000.example.		5M IN A		10.0.2.63
+1000.example.		5M IN A		10.0.2.64
+1000.example.		5M IN A		10.0.2.65
+1000.example.		5M IN A		10.0.2.66
+1000.example.		5M IN A		10.0.2.67
+1000.example.		5M IN A		10.0.2.68
+1000.example.		5M IN A		10.0.2.69
+1000.example.		5M IN A		10.0.2.70
+1000.example.		5M IN A		10.0.2.71
+1000.example.		5M IN A		10.0.2.72
+1000.example.		5M IN A		10.0.2.73
+1000.example.		5M IN A		10.0.2.74
+1000.example.		5M IN A		10.0.2.75
+1000.example.		5M IN A		10.0.2.76
+1000.example.		5M IN A		10.0.2.77
+1000.example.		5M IN A		10.0.2.78
+1000.example.		5M IN A		10.0.2.79
+1000.example.		5M IN A		10.0.2.80
+1000.example.		5M IN A		10.0.2.81
+1000.example.		5M IN A		10.0.2.82
+1000.example.		5M IN A		10.0.2.83
+1000.example.		5M IN A		10.0.2.84
+1000.example.		5M IN A		10.0.2.85
+1000.example.		5M IN A		10.0.2.86
+1000.example.		5M IN A		10.0.2.87
+1000.example.		5M IN A		10.0.2.88
+1000.example.		5M IN A		10.0.2.89
+1000.example.		5M IN A		10.0.2.90
+1000.example.		5M IN A		10.0.2.91
+1000.example.		5M IN A		10.0.2.92
+1000.example.		5M IN A		10.0.2.93
+1000.example.		5M IN A		10.0.2.94
+1000.example.		5M IN A		10.0.2.95
+1000.example.		5M IN A		10.0.2.96
+1000.example.		5M IN A		10.0.2.97
+1000.example.		5M IN A		10.0.2.98
+1000.example.		5M IN A		10.0.2.99
+1000.example.		5M IN A		10.0.2.100
+1000.example.		5M IN A		10.0.2.101
+1000.example.		5M IN A		10.0.2.102
+1000.example.		5M IN A		10.0.2.103
+1000.example.		5M IN A		10.0.2.104
+1000.example.		5M IN A		10.0.2.105
+1000.example.		5M IN A		10.0.2.106
+1000.example.		5M IN A		10.0.2.107
+1000.example.		5M IN A		10.0.2.108
+1000.example.		5M IN A		10.0.2.109
+1000.example.		5M IN A		10.0.2.110
+1000.example.		5M IN A		10.0.2.111
+1000.example.		5M IN A		10.0.2.112
+1000.example.		5M IN A		10.0.2.113
+1000.example.		5M IN A		10.0.2.114
+1000.example.		5M IN A		10.0.2.115
+1000.example.		5M IN A		10.0.2.116
+1000.example.		5M IN A		10.0.2.117
+1000.example.		5M IN A		10.0.2.118
+1000.example.		5M IN A		10.0.2.119
+1000.example.		5M IN A		10.0.2.120
+1000.example.		5M IN A		10.0.2.121
+1000.example.		5M IN A		10.0.2.122
+1000.example.		5M IN A		10.0.2.123
+1000.example.		5M IN A		10.0.2.124
+1000.example.		5M IN A		10.0.2.125
+1000.example.		5M IN A		10.0.2.126
+1000.example.		5M IN A		10.0.2.127
+1000.example.		5M IN A		10.0.2.128
+1000.example.		5M IN A		10.0.2.129
+1000.example.		5M IN A		10.0.2.130
+1000.example.		5M IN A		10.0.2.131
+1000.example.		5M IN A		10.0.2.132
+1000.example.		5M IN A		10.0.2.133
+1000.example.		5M IN A		10.0.2.134
+1000.example.		5M IN A		10.0.2.135
+1000.example.		5M IN A		10.0.2.136
+1000.example.		5M IN A		10.0.2.137
+1000.example.		5M IN A		10.0.2.138
+1000.example.		5M IN A		10.0.2.139
+1000.example.		5M IN A		10.0.2.140
+1000.example.		5M IN A		10.0.2.141
+1000.example.		5M IN A		10.0.2.142
+1000.example.		5M IN A		10.0.2.143
+1000.example.		5M IN A		10.0.2.144
+1000.example.		5M IN A		10.0.2.145
+1000.example.		5M IN A		10.0.2.146
+1000.example.		5M IN A		10.0.2.147
+1000.example.		5M IN A		10.0.2.148
+1000.example.		5M IN A		10.0.2.149
+1000.example.		5M IN A		10.0.2.150
+1000.example.		5M IN A		10.0.2.151
+1000.example.		5M IN A		10.0.2.152
+1000.example.		5M IN A		10.0.2.153
+1000.example.		5M IN A		10.0.2.154
+1000.example.		5M IN A		10.0.2.155
+1000.example.		5M IN A		10.0.2.156
+1000.example.		5M IN A		10.0.2.157
+1000.example.		5M IN A		10.0.2.158
+1000.example.		5M IN A		10.0.2.159
+1000.example.		5M IN A		10.0.2.160
+1000.example.		5M IN A		10.0.2.161
+1000.example.		5M IN A		10.0.2.162
+1000.example.		5M IN A		10.0.2.163
+1000.example.		5M IN A		10.0.2.164
+1000.example.		5M IN A		10.0.2.165
+1000.example.		5M IN A		10.0.2.166
+1000.example.		5M IN A		10.0.2.167
+1000.example.		5M IN A		10.0.2.168
+1000.example.		5M IN A		10.0.2.169
+1000.example.		5M IN A		10.0.2.170
+1000.example.		5M IN A		10.0.2.171
+1000.example.		5M IN A		10.0.2.172
+1000.example.		5M IN A		10.0.2.173
+1000.example.		5M IN A		10.0.2.174
+1000.example.		5M IN A		10.0.2.175
+1000.example.		5M IN A		10.0.2.176
+1000.example.		5M IN A		10.0.2.177
+1000.example.		5M IN A		10.0.2.178
+1000.example.		5M IN A		10.0.2.179
+1000.example.		5M IN A		10.0.2.180
+1000.example.		5M IN A		10.0.2.181
+1000.example.		5M IN A		10.0.2.182
+1000.example.		5M IN A		10.0.2.183
+1000.example.		5M IN A		10.0.2.184
+1000.example.		5M IN A		10.0.2.185
+1000.example.		5M IN A		10.0.2.186
+1000.example.		5M IN A		10.0.2.187
+1000.example.		5M IN A		10.0.2.188
+1000.example.		5M IN A		10.0.2.189
+1000.example.		5M IN A		10.0.2.190
+1000.example.		5M IN A		10.0.2.191
+1000.example.		5M IN A		10.0.2.192
+1000.example.		5M IN A		10.0.2.193
+1000.example.		5M IN A		10.0.2.194
+1000.example.		5M IN A		10.0.2.195
+1000.example.		5M IN A		10.0.2.196
+1000.example.		5M IN A		10.0.2.197
+1000.example.		5M IN A		10.0.2.198
+1000.example.		5M IN A		10.0.2.199
+1000.example.		5M IN A		10.0.2.200
+1000.example.		5M IN A		10.0.2.201
+1000.example.		5M IN A		10.0.2.202
+1000.example.		5M IN A		10.0.2.203
+1000.example.		5M IN A		10.0.2.204
+1000.example.		5M IN A		10.0.2.205
+1000.example.		5M IN A		10.0.2.206
+1000.example.		5M IN A		10.0.2.207
+1000.example.		5M IN A		10.0.2.208
+1000.example.		5M IN A		10.0.2.209
+1000.example.		5M IN A		10.0.2.210
+1000.example.		5M IN A		10.0.2.211
+1000.example.		5M IN A		10.0.2.212
+1000.example.		5M IN A		10.0.2.213
+1000.example.		5M IN A		10.0.2.214
+1000.example.		5M IN A		10.0.2.215
+1000.example.		5M IN A		10.0.2.216
+1000.example.		5M IN A		10.0.2.217
+1000.example.		5M IN A		10.0.2.218
+1000.example.		5M IN A		10.0.2.219
+1000.example.		5M IN A		10.0.2.220
+1000.example.		5M IN A		10.0.2.221
+1000.example.		5M IN A		10.0.2.222
+1000.example.		5M IN A		10.0.2.223
+1000.example.		5M IN A		10.0.2.224
+1000.example.		5M IN A		10.0.2.225
+1000.example.		5M IN A		10.0.2.226
+1000.example.		5M IN A		10.0.2.227
+1000.example.		5M IN A		10.0.2.228
+1000.example.		5M IN A		10.0.2.229
+1000.example.		5M IN A		10.0.2.230
+1000.example.		5M IN A		10.0.2.231
+1000.example.		5M IN A		10.0.2.232
+1000.example.		5M IN A		10.0.2.233
+1000.example.		5M IN A		10.0.2.234
+1000.example.		5M IN A		10.0.2.235
+1000.example.		5M IN A		10.0.2.236
+1000.example.		5M IN A		10.0.2.237
+1000.example.		5M IN A		10.0.2.238
+1000.example.		5M IN A		10.0.2.239
+1000.example.		5M IN A		10.0.2.240
+1000.example.		5M IN A		10.0.2.241
+1000.example.		5M IN A		10.0.2.242
+1000.example.		5M IN A		10.0.2.243
+1000.example.		5M IN A		10.0.2.244
+1000.example.		5M IN A		10.0.2.245
+1000.example.		5M IN A		10.0.2.246
+1000.example.		5M IN A		10.0.2.247
+1000.example.		5M IN A		10.0.2.248
+1000.example.		5M IN A		10.0.2.249
+1000.example.		5M IN A		10.0.2.250
+1000.example.		5M IN A		10.0.2.251
+1000.example.		5M IN A		10.0.2.252
+1000.example.		5M IN A		10.0.2.253
+1000.example.		5M IN A		10.0.2.254
+1000.example.		5M IN A		10.0.2.255
+1000.example.		5M IN A		10.0.3.0
+1000.example.		5M IN A		10.0.3.1
+1000.example.		5M IN A		10.0.3.2
+1000.example.		5M IN A		10.0.3.3
+1000.example.		5M IN A		10.0.3.4
+1000.example.		5M IN A		10.0.3.5
+1000.example.		5M IN A		10.0.3.6
+1000.example.		5M IN A		10.0.3.7
+1000.example.		5M IN A		10.0.3.8
+1000.example.		5M IN A		10.0.3.9
+1000.example.		5M IN A		10.0.3.10
+1000.example.		5M IN A		10.0.3.11
+1000.example.		5M IN A		10.0.3.12
+1000.example.		5M IN A		10.0.3.13
+1000.example.		5M IN A		10.0.3.14
+1000.example.		5M IN A		10.0.3.15
+1000.example.		5M IN A		10.0.3.16
+1000.example.		5M IN A		10.0.3.17
+1000.example.		5M IN A		10.0.3.18
+1000.example.		5M IN A		10.0.3.19
+1000.example.		5M IN A		10.0.3.20
+1000.example.		5M IN A		10.0.3.21
+1000.example.		5M IN A		10.0.3.22
+1000.example.		5M IN A		10.0.3.23
+1000.example.		5M IN A		10.0.3.24
+1000.example.		5M IN A		10.0.3.25
+1000.example.		5M IN A		10.0.3.26
+1000.example.		5M IN A		10.0.3.27
+1000.example.		5M IN A		10.0.3.28
+1000.example.		5M IN A		10.0.3.29
+1000.example.		5M IN A		10.0.3.30
+1000.example.		5M IN A		10.0.3.31
+1000.example.		5M IN A		10.0.3.32
+1000.example.		5M IN A		10.0.3.33
+1000.example.		5M IN A		10.0.3.34
+1000.example.		5M IN A		10.0.3.35
+1000.example.		5M IN A		10.0.3.36
+1000.example.		5M IN A		10.0.3.37
+1000.example.		5M IN A		10.0.3.38
+1000.example.		5M IN A		10.0.3.39
+1000.example.		5M IN A		10.0.3.40
+1000.example.		5M IN A		10.0.3.41
+1000.example.		5M IN A		10.0.3.42
+1000.example.		5M IN A		10.0.3.43
+1000.example.		5M IN A		10.0.3.44
+1000.example.		5M IN A		10.0.3.45
+1000.example.		5M IN A		10.0.3.46
+1000.example.		5M IN A		10.0.3.47
+1000.example.		5M IN A		10.0.3.48
+1000.example.		5M IN A		10.0.3.49
+1000.example.		5M IN A		10.0.3.50
+1000.example.		5M IN A		10.0.3.51
+1000.example.		5M IN A		10.0.3.52
+1000.example.		5M IN A		10.0.3.53
+1000.example.		5M IN A		10.0.3.54
+1000.example.		5M IN A		10.0.3.55
+1000.example.		5M IN A		10.0.3.56
+1000.example.		5M IN A		10.0.3.57
+1000.example.		5M IN A		10.0.3.58
+1000.example.		5M IN A		10.0.3.59
+1000.example.		5M IN A		10.0.3.60
+1000.example.		5M IN A		10.0.3.61
+1000.example.		5M IN A		10.0.3.62
+1000.example.		5M IN A		10.0.3.63
+1000.example.		5M IN A		10.0.3.64
+1000.example.		5M IN A		10.0.3.65
+1000.example.		5M IN A		10.0.3.66
+1000.example.		5M IN A		10.0.3.67
+1000.example.		5M IN A		10.0.3.68
+1000.example.		5M IN A		10.0.3.69
+1000.example.		5M IN A		10.0.3.70
+1000.example.		5M IN A		10.0.3.71
+1000.example.		5M IN A		10.0.3.72
+1000.example.		5M IN A		10.0.3.73
+1000.example.		5M IN A		10.0.3.74
+1000.example.		5M IN A		10.0.3.75
+1000.example.		5M IN A		10.0.3.76
+1000.example.		5M IN A		10.0.3.77
+1000.example.		5M IN A		10.0.3.78
+1000.example.		5M IN A		10.0.3.79
+1000.example.		5M IN A		10.0.3.80
+1000.example.		5M IN A		10.0.3.81
+1000.example.		5M IN A		10.0.3.82
+1000.example.		5M IN A		10.0.3.83
+1000.example.		5M IN A		10.0.3.84
+1000.example.		5M IN A		10.0.3.85
+1000.example.		5M IN A		10.0.3.86
+1000.example.		5M IN A		10.0.3.87
+1000.example.		5M IN A		10.0.3.88
+1000.example.		5M IN A		10.0.3.89
+1000.example.		5M IN A		10.0.3.90
+1000.example.		5M IN A		10.0.3.91
+1000.example.		5M IN A		10.0.3.92
+1000.example.		5M IN A		10.0.3.93
+1000.example.		5M IN A		10.0.3.94
+1000.example.		5M IN A		10.0.3.95
+1000.example.		5M IN A		10.0.3.96
+1000.example.		5M IN A		10.0.3.97
+1000.example.		5M IN A		10.0.3.98
+1000.example.		5M IN A		10.0.3.99
+1000.example.		5M IN A		10.0.3.100
+1000.example.		5M IN A		10.0.3.101
+1000.example.		5M IN A		10.0.3.102
+1000.example.		5M IN A		10.0.3.103
+1000.example.		5M IN A		10.0.3.104
+1000.example.		5M IN A		10.0.3.105
+1000.example.		5M IN A		10.0.3.106
+1000.example.		5M IN A		10.0.3.107
+1000.example.		5M IN A		10.0.3.108
+1000.example.		5M IN A		10.0.3.109
+1000.example.		5M IN A		10.0.3.110
+1000.example.		5M IN A		10.0.3.111
+1000.example.		5M IN A		10.0.3.112
+1000.example.		5M IN A		10.0.3.113
+1000.example.		5M IN A		10.0.3.114
+1000.example.		5M IN A		10.0.3.115
+1000.example.		5M IN A		10.0.3.116
+1000.example.		5M IN A		10.0.3.117
+1000.example.		5M IN A		10.0.3.118
+1000.example.		5M IN A		10.0.3.119
+1000.example.		5M IN A		10.0.3.120
+1000.example.		5M IN A		10.0.3.121
+1000.example.		5M IN A		10.0.3.122
+1000.example.		5M IN A		10.0.3.123
+1000.example.		5M IN A		10.0.3.124
+1000.example.		5M IN A		10.0.3.125
+1000.example.		5M IN A		10.0.3.126
+1000.example.		5M IN A		10.0.3.127
+1000.example.		5M IN A		10.0.3.128
+1000.example.		5M IN A		10.0.3.129
+1000.example.		5M IN A		10.0.3.130
+1000.example.		5M IN A		10.0.3.131
+1000.example.		5M IN A		10.0.3.132
+1000.example.		5M IN A		10.0.3.133
+1000.example.		5M IN A		10.0.3.134
+1000.example.		5M IN A		10.0.3.135
+1000.example.		5M IN A		10.0.3.136
+1000.example.		5M IN A		10.0.3.137
+1000.example.		5M IN A		10.0.3.138
+1000.example.		5M IN A		10.0.3.139
+1000.example.		5M IN A		10.0.3.140
+1000.example.		5M IN A		10.0.3.141
+1000.example.		5M IN A		10.0.3.142
+1000.example.		5M IN A		10.0.3.143
+1000.example.		5M IN A		10.0.3.144
+1000.example.		5M IN A		10.0.3.145
+1000.example.		5M IN A		10.0.3.146
+1000.example.		5M IN A		10.0.3.147
+1000.example.		5M IN A		10.0.3.148
+1000.example.		5M IN A		10.0.3.149
+1000.example.		5M IN A		10.0.3.150
+1000.example.		5M IN A		10.0.3.151
+1000.example.		5M IN A		10.0.3.152
+1000.example.		5M IN A		10.0.3.153
+1000.example.		5M IN A		10.0.3.154
+1000.example.		5M IN A		10.0.3.155
+1000.example.		5M IN A		10.0.3.156
+1000.example.		5M IN A		10.0.3.157
+1000.example.		5M IN A		10.0.3.158
+1000.example.		5M IN A		10.0.3.159
+1000.example.		5M IN A		10.0.3.160
+1000.example.		5M IN A		10.0.3.161
+1000.example.		5M IN A		10.0.3.162
+1000.example.		5M IN A		10.0.3.163
+1000.example.		5M IN A		10.0.3.164
+1000.example.		5M IN A		10.0.3.165
+1000.example.		5M IN A		10.0.3.166
+1000.example.		5M IN A		10.0.3.167
+1000.example.		5M IN A		10.0.3.168
+1000.example.		5M IN A		10.0.3.169
+1000.example.		5M IN A		10.0.3.170
+1000.example.		5M IN A		10.0.3.171
+1000.example.		5M IN A		10.0.3.172
+1000.example.		5M IN A		10.0.3.173
+1000.example.		5M IN A		10.0.3.174
+1000.example.		5M IN A		10.0.3.175
+1000.example.		5M IN A		10.0.3.176
+1000.example.		5M IN A		10.0.3.177
+1000.example.		5M IN A		10.0.3.178
+1000.example.		5M IN A		10.0.3.179
+1000.example.		5M IN A		10.0.3.180
+1000.example.		5M IN A		10.0.3.181
+1000.example.		5M IN A		10.0.3.182
+1000.example.		5M IN A		10.0.3.183
+1000.example.		5M IN A		10.0.3.184
+1000.example.		5M IN A		10.0.3.185
+1000.example.		5M IN A		10.0.3.186
+1000.example.		5M IN A		10.0.3.187
+1000.example.		5M IN A		10.0.3.188
+1000.example.		5M IN A		10.0.3.189
+1000.example.		5M IN A		10.0.3.190
+1000.example.		5M IN A		10.0.3.191
+1000.example.		5M IN A		10.0.3.192
+1000.example.		5M IN A		10.0.3.193
+1000.example.		5M IN A		10.0.3.194
+1000.example.		5M IN A		10.0.3.195
+1000.example.		5M IN A		10.0.3.196
+1000.example.		5M IN A		10.0.3.197
+1000.example.		5M IN A		10.0.3.198
+1000.example.		5M IN A		10.0.3.199
+1000.example.		5M IN A		10.0.3.200
+1000.example.		5M IN A		10.0.3.201
+1000.example.		5M IN A		10.0.3.202
+1000.example.		5M IN A		10.0.3.203
+1000.example.		5M IN A		10.0.3.204
+1000.example.		5M IN A		10.0.3.205
+1000.example.		5M IN A		10.0.3.206
+1000.example.		5M IN A		10.0.3.207
+1000.example.		5M IN A		10.0.3.208
+1000.example.		5M IN A		10.0.3.209
+1000.example.		5M IN A		10.0.3.210
+1000.example.		5M IN A		10.0.3.211
+1000.example.		5M IN A		10.0.3.212
+1000.example.		5M IN A		10.0.3.213
+1000.example.		5M IN A		10.0.3.214
+1000.example.		5M IN A		10.0.3.215
+1000.example.		5M IN A		10.0.3.216
+1000.example.		5M IN A		10.0.3.217
+1000.example.		5M IN A		10.0.3.218
+1000.example.		5M IN A		10.0.3.219
+1000.example.		5M IN A		10.0.3.220
+1000.example.		5M IN A		10.0.3.221
+1000.example.		5M IN A		10.0.3.222
+1000.example.		5M IN A		10.0.3.223
+1000.example.		5M IN A		10.0.3.224
+1000.example.		5M IN A		10.0.3.225
+1000.example.		5M IN A		10.0.3.226
+1000.example.		5M IN A		10.0.3.227
+1000.example.		5M IN A		10.0.3.228
+1000.example.		5M IN A		10.0.3.229
+1000.example.		5M IN A		10.0.3.230
+1000.example.		5M IN A		10.0.3.231
+
+;; AUTHORITY SECTION:
+example.		5M IN NS	ns1.example.
+
+;; ADDITIONAL SECTION:
+ns1.example.		5M IN A		10.53.0.1
+
+;; Total query time: 69 msec
+;; FROM: draco to SERVER: 10.53.0.1
+;; WHEN: Fri Jun 23 12:58:14 2000
+;; MSG SIZE  sent: 30  rcvd: 16064
+
diff --git a/bin/tests/system/limits/knowngood.dig.out.2000 b/bin/tests/system/limits/knowngood.dig.out.2000
new file mode 100644
index 0000000..96c9181
--- /dev/null
+++ b/bin/tests/system/limits/knowngood.dig.out.2000
@@ -0,0 +1,2023 @@
+
+; <<>> DiG 8.2 <<>> 2000.example. @10.53.0.1 a -p
+; (1 server found)
+;; res options: init recurs defnam dnsrch
+;; got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
+;; flags: qr aa rd ad; QUERY: 1, ANSWER: 2000, AUTHORITY: 1, ADDITIONAL: 1
+;; QUERY SECTION:
+;;	2000.example, type = A, class = IN
+
+;; ANSWER SECTION:
+2000.example.		5M IN A		10.0.0.0
+2000.example.		5M IN A		10.0.0.1
+2000.example.		5M IN A		10.0.0.2
+2000.example.		5M IN A		10.0.0.3
+2000.example.		5M IN A		10.0.0.4
+2000.example.		5M IN A		10.0.0.5
+2000.example.		5M IN A		10.0.0.6
+2000.example.		5M IN A		10.0.0.7
+2000.example.		5M IN A		10.0.0.8
+2000.example.		5M IN A		10.0.0.9
+2000.example.		5M IN A		10.0.0.10
+2000.example.		5M IN A		10.0.0.11
+2000.example.		5M IN A		10.0.0.12
+2000.example.		5M IN A		10.0.0.13
+2000.example.		5M IN A		10.0.0.14
+2000.example.		5M IN A		10.0.0.15
+2000.example.		5M IN A		10.0.0.16
+2000.example.		5M IN A		10.0.0.17
+2000.example.		5M IN A		10.0.0.18
+2000.example.		5M IN A		10.0.0.19
+2000.example.		5M IN A		10.0.0.20
+2000.example.		5M IN A		10.0.0.21
+2000.example.		5M IN A		10.0.0.22
+2000.example.		5M IN A		10.0.0.23
+2000.example.		5M IN A		10.0.0.24
+2000.example.		5M IN A		10.0.0.25
+2000.example.		5M IN A		10.0.0.26
+2000.example.		5M IN A		10.0.0.27
+2000.example.		5M IN A		10.0.0.28
+2000.example.		5M IN A		10.0.0.29
+2000.example.		5M IN A		10.0.0.30
+2000.example.		5M IN A		10.0.0.31
+2000.example.		5M IN A		10.0.0.32
+2000.example.		5M IN A		10.0.0.33
+2000.example.		5M IN A		10.0.0.34
+2000.example.		5M IN A		10.0.0.35
+2000.example.		5M IN A		10.0.0.36
+2000.example.		5M IN A		10.0.0.37
+2000.example.		5M IN A		10.0.0.38
+2000.example.		5M IN A		10.0.0.39
+2000.example.		5M IN A		10.0.0.40
+2000.example.		5M IN A		10.0.0.41
+2000.example.		5M IN A		10.0.0.42
+2000.example.		5M IN A		10.0.0.43
+2000.example.		5M IN A		10.0.0.44
+2000.example.		5M IN A		10.0.0.45
+2000.example.		5M IN A		10.0.0.46
+2000.example.		5M IN A		10.0.0.47
+2000.example.		5M IN A		10.0.0.48
+2000.example.		5M IN A		10.0.0.49
+2000.example.		5M IN A		10.0.0.50
+2000.example.		5M IN A		10.0.0.51
+2000.example.		5M IN A		10.0.0.52
+2000.example.		5M IN A		10.0.0.53
+2000.example.		5M IN A		10.0.0.54
+2000.example.		5M IN A		10.0.0.55
+2000.example.		5M IN A		10.0.0.56
+2000.example.		5M IN A		10.0.0.57
+2000.example.		5M IN A		10.0.0.58
+2000.example.		5M IN A		10.0.0.59
+2000.example.		5M IN A		10.0.0.60
+2000.example.		5M IN A		10.0.0.61
+2000.example.		5M IN A		10.0.0.62
+2000.example.		5M IN A		10.0.0.63
+2000.example.		5M IN A		10.0.0.64
+2000.example.		5M IN A		10.0.0.65
+2000.example.		5M IN A		10.0.0.66
+2000.example.		5M IN A		10.0.0.67
+2000.example.		5M IN A		10.0.0.68
+2000.example.		5M IN A		10.0.0.69
+2000.example.		5M IN A		10.0.0.70
+2000.example.		5M IN A		10.0.0.71
+2000.example.		5M IN A		10.0.0.72
+2000.example.		5M IN A		10.0.0.73
+2000.example.		5M IN A		10.0.0.74
+2000.example.		5M IN A		10.0.0.75
+2000.example.		5M IN A		10.0.0.76
+2000.example.		5M IN A		10.0.0.77
+2000.example.		5M IN A		10.0.0.78
+2000.example.		5M IN A		10.0.0.79
+2000.example.		5M IN A		10.0.0.80
+2000.example.		5M IN A		10.0.0.81
+2000.example.		5M IN A		10.0.0.82
+2000.example.		5M IN A		10.0.0.83
+2000.example.		5M IN A		10.0.0.84
+2000.example.		5M IN A		10.0.0.85
+2000.example.		5M IN A		10.0.0.86
+2000.example.		5M IN A		10.0.0.87
+2000.example.		5M IN A		10.0.0.88
+2000.example.		5M IN A		10.0.0.89
+2000.example.		5M IN A		10.0.0.90
+2000.example.		5M IN A		10.0.0.91
+2000.example.		5M IN A		10.0.0.92
+2000.example.		5M IN A		10.0.0.93
+2000.example.		5M IN A		10.0.0.94
+2000.example.		5M IN A		10.0.0.95
+2000.example.		5M IN A		10.0.0.96
+2000.example.		5M IN A		10.0.0.97
+2000.example.		5M IN A		10.0.0.98
+2000.example.		5M IN A		10.0.0.99
+2000.example.		5M IN A		10.0.0.100
+2000.example.		5M IN A		10.0.0.101
+2000.example.		5M IN A		10.0.0.102
+2000.example.		5M IN A		10.0.0.103
+2000.example.		5M IN A		10.0.0.104
+2000.example.		5M IN A		10.0.0.105
+2000.example.		5M IN A		10.0.0.106
+2000.example.		5M IN A		10.0.0.107
+2000.example.		5M IN A		10.0.0.108
+2000.example.		5M IN A		10.0.0.109
+2000.example.		5M IN A		10.0.0.110
+2000.example.		5M IN A		10.0.0.111
+2000.example.		5M IN A		10.0.0.112
+2000.example.		5M IN A		10.0.0.113
+2000.example.		5M IN A		10.0.0.114
+2000.example.		5M IN A		10.0.0.115
+2000.example.		5M IN A		10.0.0.116
+2000.example.		5M IN A		10.0.0.117
+2000.example.		5M IN A		10.0.0.118
+2000.example.		5M IN A		10.0.0.119
+2000.example.		5M IN A		10.0.0.120
+2000.example.		5M IN A		10.0.0.121
+2000.example.		5M IN A		10.0.0.122
+2000.example.		5M IN A		10.0.0.123
+2000.example.		5M IN A		10.0.0.124
+2000.example.		5M IN A		10.0.0.125
+2000.example.		5M IN A		10.0.0.126
+2000.example.		5M IN A		10.0.0.127
+2000.example.		5M IN A		10.0.0.128
+2000.example.		5M IN A		10.0.0.129
+2000.example.		5M IN A		10.0.0.130
+2000.example.		5M IN A		10.0.0.131
+2000.example.		5M IN A		10.0.0.132
+2000.example.		5M IN A		10.0.0.133
+2000.example.		5M IN A		10.0.0.134
+2000.example.		5M IN A		10.0.0.135
+2000.example.		5M IN A		10.0.0.136
+2000.example.		5M IN A		10.0.0.137
+2000.example.		5M IN A		10.0.0.138
+2000.example.		5M IN A		10.0.0.139
+2000.example.		5M IN A		10.0.0.140
+2000.example.		5M IN A		10.0.0.141
+2000.example.		5M IN A		10.0.0.142
+2000.example.		5M IN A		10.0.0.143
+2000.example.		5M IN A		10.0.0.144
+2000.example.		5M IN A		10.0.0.145
+2000.example.		5M IN A		10.0.0.146
+2000.example.		5M IN A		10.0.0.147
+2000.example.		5M IN A		10.0.0.148
+2000.example.		5M IN A		10.0.0.149
+2000.example.		5M IN A		10.0.0.150
+2000.example.		5M IN A		10.0.0.151
+2000.example.		5M IN A		10.0.0.152
+2000.example.		5M IN A		10.0.0.153
+2000.example.		5M IN A		10.0.0.154
+2000.example.		5M IN A		10.0.0.155
+2000.example.		5M IN A		10.0.0.156
+2000.example.		5M IN A		10.0.0.157
+2000.example.		5M IN A		10.0.0.158
+2000.example.		5M IN A		10.0.0.159
+2000.example.		5M IN A		10.0.0.160
+2000.example.		5M IN A		10.0.0.161
+2000.example.		5M IN A		10.0.0.162
+2000.example.		5M IN A		10.0.0.163
+2000.example.		5M IN A		10.0.0.164
+2000.example.		5M IN A		10.0.0.165
+2000.example.		5M IN A		10.0.0.166
+2000.example.		5M IN A		10.0.0.167
+2000.example.		5M IN A		10.0.0.168
+2000.example.		5M IN A		10.0.0.169
+2000.example.		5M IN A		10.0.0.170
+2000.example.		5M IN A		10.0.0.171
+2000.example.		5M IN A		10.0.0.172
+2000.example.		5M IN A		10.0.0.173
+2000.example.		5M IN A		10.0.0.174
+2000.example.		5M IN A		10.0.0.175
+2000.example.		5M IN A		10.0.0.176
+2000.example.		5M IN A		10.0.0.177
+2000.example.		5M IN A		10.0.0.178
+2000.example.		5M IN A		10.0.0.179
+2000.example.		5M IN A		10.0.0.180
+2000.example.		5M IN A		10.0.0.181
+2000.example.		5M IN A		10.0.0.182
+2000.example.		5M IN A		10.0.0.183
+2000.example.		5M IN A		10.0.0.184
+2000.example.		5M IN A		10.0.0.185
+2000.example.		5M IN A		10.0.0.186
+2000.example.		5M IN A		10.0.0.187
+2000.example.		5M IN A		10.0.0.188
+2000.example.		5M IN A		10.0.0.189
+2000.example.		5M IN A		10.0.0.190
+2000.example.		5M IN A		10.0.0.191
+2000.example.		5M IN A		10.0.0.192
+2000.example.		5M IN A		10.0.0.193
+2000.example.		5M IN A		10.0.0.194
+2000.example.		5M IN A		10.0.0.195
+2000.example.		5M IN A		10.0.0.196
+2000.example.		5M IN A		10.0.0.197
+2000.example.		5M IN A		10.0.0.198
+2000.example.		5M IN A		10.0.0.199
+2000.example.		5M IN A		10.0.0.200
+2000.example.		5M IN A		10.0.0.201
+2000.example.		5M IN A		10.0.0.202
+2000.example.		5M IN A		10.0.0.203
+2000.example.		5M IN A		10.0.0.204
+2000.example.		5M IN A		10.0.0.205
+2000.example.		5M IN A		10.0.0.206
+2000.example.		5M IN A		10.0.0.207
+2000.example.		5M IN A		10.0.0.208
+2000.example.		5M IN A		10.0.0.209
+2000.example.		5M IN A		10.0.0.210
+2000.example.		5M IN A		10.0.0.211
+2000.example.		5M IN A		10.0.0.212
+2000.example.		5M IN A		10.0.0.213
+2000.example.		5M IN A		10.0.0.214
+2000.example.		5M IN A		10.0.0.215
+2000.example.		5M IN A		10.0.0.216
+2000.example.		5M IN A		10.0.0.217
+2000.example.		5M IN A		10.0.0.218
+2000.example.		5M IN A		10.0.0.219
+2000.example.		5M IN A		10.0.0.220
+2000.example.		5M IN A		10.0.0.221
+2000.example.		5M IN A		10.0.0.222
+2000.example.		5M IN A		10.0.0.223
+2000.example.		5M IN A		10.0.0.224
+2000.example.		5M IN A		10.0.0.225
+2000.example.		5M IN A		10.0.0.226
+2000.example.		5M IN A		10.0.0.227
+2000.example.		5M IN A		10.0.0.228
+2000.example.		5M IN A		10.0.0.229
+2000.example.		5M IN A		10.0.0.230
+2000.example.		5M IN A		10.0.0.231
+2000.example.		5M IN A		10.0.0.232
+2000.example.		5M IN A		10.0.0.233
+2000.example.		5M IN A		10.0.0.234
+2000.example.		5M IN A		10.0.0.235
+2000.example.		5M IN A		10.0.0.236
+2000.example.		5M IN A		10.0.0.237
+2000.example.		5M IN A		10.0.0.238
+2000.example.		5M IN A		10.0.0.239
+2000.example.		5M IN A		10.0.0.240
+2000.example.		5M IN A		10.0.0.241
+2000.example.		5M IN A		10.0.0.242
+2000.example.		5M IN A		10.0.0.243
+2000.example.		5M IN A		10.0.0.244
+2000.example.		5M IN A		10.0.0.245
+2000.example.		5M IN A		10.0.0.246
+2000.example.		5M IN A		10.0.0.247
+2000.example.		5M IN A		10.0.0.248
+2000.example.		5M IN A		10.0.0.249
+2000.example.		5M IN A		10.0.0.250
+2000.example.		5M IN A		10.0.0.251
+2000.example.		5M IN A		10.0.0.252
+2000.example.		5M IN A		10.0.0.253
+2000.example.		5M IN A		10.0.0.254
+2000.example.		5M IN A		10.0.0.255
+2000.example.		5M IN A		10.0.1.0
+2000.example.		5M IN A		10.0.1.1
+2000.example.		5M IN A		10.0.1.2
+2000.example.		5M IN A		10.0.1.3
+2000.example.		5M IN A		10.0.1.4
+2000.example.		5M IN A		10.0.1.5
+2000.example.		5M IN A		10.0.1.6
+2000.example.		5M IN A		10.0.1.7
+2000.example.		5M IN A		10.0.1.8
+2000.example.		5M IN A		10.0.1.9
+2000.example.		5M IN A		10.0.1.10
+2000.example.		5M IN A		10.0.1.11
+2000.example.		5M IN A		10.0.1.12
+2000.example.		5M IN A		10.0.1.13
+2000.example.		5M IN A		10.0.1.14
+2000.example.		5M IN A		10.0.1.15
+2000.example.		5M IN A		10.0.1.16
+2000.example.		5M IN A		10.0.1.17
+2000.example.		5M IN A		10.0.1.18
+2000.example.		5M IN A		10.0.1.19
+2000.example.		5M IN A		10.0.1.20
+2000.example.		5M IN A		10.0.1.21
+2000.example.		5M IN A		10.0.1.22
+2000.example.		5M IN A		10.0.1.23
+2000.example.		5M IN A		10.0.1.24
+2000.example.		5M IN A		10.0.1.25
+2000.example.		5M IN A		10.0.1.26
+2000.example.		5M IN A		10.0.1.27
+2000.example.		5M IN A		10.0.1.28
+2000.example.		5M IN A		10.0.1.29
+2000.example.		5M IN A		10.0.1.30
+2000.example.		5M IN A		10.0.1.31
+2000.example.		5M IN A		10.0.1.32
+2000.example.		5M IN A		10.0.1.33
+2000.example.		5M IN A		10.0.1.34
+2000.example.		5M IN A		10.0.1.35
+2000.example.		5M IN A		10.0.1.36
+2000.example.		5M IN A		10.0.1.37
+2000.example.		5M IN A		10.0.1.38
+2000.example.		5M IN A		10.0.1.39
+2000.example.		5M IN A		10.0.1.40
+2000.example.		5M IN A		10.0.1.41
+2000.example.		5M IN A		10.0.1.42
+2000.example.		5M IN A		10.0.1.43
+2000.example.		5M IN A		10.0.1.44
+2000.example.		5M IN A		10.0.1.45
+2000.example.		5M IN A		10.0.1.46
+2000.example.		5M IN A		10.0.1.47
+2000.example.		5M IN A		10.0.1.48
+2000.example.		5M IN A		10.0.1.49
+2000.example.		5M IN A		10.0.1.50
+2000.example.		5M IN A		10.0.1.51
+2000.example.		5M IN A		10.0.1.52
+2000.example.		5M IN A		10.0.1.53
+2000.example.		5M IN A		10.0.1.54
+2000.example.		5M IN A		10.0.1.55
+2000.example.		5M IN A		10.0.1.56
+2000.example.		5M IN A		10.0.1.57
+2000.example.		5M IN A		10.0.1.58
+2000.example.		5M IN A		10.0.1.59
+2000.example.		5M IN A		10.0.1.60
+2000.example.		5M IN A		10.0.1.61
+2000.example.		5M IN A		10.0.1.62
+2000.example.		5M IN A		10.0.1.63
+2000.example.		5M IN A		10.0.1.64
+2000.example.		5M IN A		10.0.1.65
+2000.example.		5M IN A		10.0.1.66
+2000.example.		5M IN A		10.0.1.67
+2000.example.		5M IN A		10.0.1.68
+2000.example.		5M IN A		10.0.1.69
+2000.example.		5M IN A		10.0.1.70
+2000.example.		5M IN A		10.0.1.71
+2000.example.		5M IN A		10.0.1.72
+2000.example.		5M IN A		10.0.1.73
+2000.example.		5M IN A		10.0.1.74
+2000.example.		5M IN A		10.0.1.75
+2000.example.		5M IN A		10.0.1.76
+2000.example.		5M IN A		10.0.1.77
+2000.example.		5M IN A		10.0.1.78
+2000.example.		5M IN A		10.0.1.79
+2000.example.		5M IN A		10.0.1.80
+2000.example.		5M IN A		10.0.1.81
+2000.example.		5M IN A		10.0.1.82
+2000.example.		5M IN A		10.0.1.83
+2000.example.		5M IN A		10.0.1.84
+2000.example.		5M IN A		10.0.1.85
+2000.example.		5M IN A		10.0.1.86
+2000.example.		5M IN A		10.0.1.87
+2000.example.		5M IN A		10.0.1.88
+2000.example.		5M IN A		10.0.1.89
+2000.example.		5M IN A		10.0.1.90
+2000.example.		5M IN A		10.0.1.91
+2000.example.		5M IN A		10.0.1.92
+2000.example.		5M IN A		10.0.1.93
+2000.example.		5M IN A		10.0.1.94
+2000.example.		5M IN A		10.0.1.95
+2000.example.		5M IN A		10.0.1.96
+2000.example.		5M IN A		10.0.1.97
+2000.example.		5M IN A		10.0.1.98
+2000.example.		5M IN A		10.0.1.99
+2000.example.		5M IN A		10.0.1.100
+2000.example.		5M IN A		10.0.1.101
+2000.example.		5M IN A		10.0.1.102
+2000.example.		5M IN A		10.0.1.103
+2000.example.		5M IN A		10.0.1.104
+2000.example.		5M IN A		10.0.1.105
+2000.example.		5M IN A		10.0.1.106
+2000.example.		5M IN A		10.0.1.107
+2000.example.		5M IN A		10.0.1.108
+2000.example.		5M IN A		10.0.1.109
+2000.example.		5M IN A		10.0.1.110
+2000.example.		5M IN A		10.0.1.111
+2000.example.		5M IN A		10.0.1.112
+2000.example.		5M IN A		10.0.1.113
+2000.example.		5M IN A		10.0.1.114
+2000.example.		5M IN A		10.0.1.115
+2000.example.		5M IN A		10.0.1.116
+2000.example.		5M IN A		10.0.1.117
+2000.example.		5M IN A		10.0.1.118
+2000.example.		5M IN A		10.0.1.119
+2000.example.		5M IN A		10.0.1.120
+2000.example.		5M IN A		10.0.1.121
+2000.example.		5M IN A		10.0.1.122
+2000.example.		5M IN A		10.0.1.123
+2000.example.		5M IN A		10.0.1.124
+2000.example.		5M IN A		10.0.1.125
+2000.example.		5M IN A		10.0.1.126
+2000.example.		5M IN A		10.0.1.127
+2000.example.		5M IN A		10.0.1.128
+2000.example.		5M IN A		10.0.1.129
+2000.example.		5M IN A		10.0.1.130
+2000.example.		5M IN A		10.0.1.131
+2000.example.		5M IN A		10.0.1.132
+2000.example.		5M IN A		10.0.1.133
+2000.example.		5M IN A		10.0.1.134
+2000.example.		5M IN A		10.0.1.135
+2000.example.		5M IN A		10.0.1.136
+2000.example.		5M IN A		10.0.1.137
+2000.example.		5M IN A		10.0.1.138
+2000.example.		5M IN A		10.0.1.139
+2000.example.		5M IN A		10.0.1.140
+2000.example.		5M IN A		10.0.1.141
+2000.example.		5M IN A		10.0.1.142
+2000.example.		5M IN A		10.0.1.143
+2000.example.		5M IN A		10.0.1.144
+2000.example.		5M IN A		10.0.1.145
+2000.example.		5M IN A		10.0.1.146
+2000.example.		5M IN A		10.0.1.147
+2000.example.		5M IN A		10.0.1.148
+2000.example.		5M IN A		10.0.1.149
+2000.example.		5M IN A		10.0.1.150
+2000.example.		5M IN A		10.0.1.151
+2000.example.		5M IN A		10.0.1.152
+2000.example.		5M IN A		10.0.1.153
+2000.example.		5M IN A		10.0.1.154
+2000.example.		5M IN A		10.0.1.155
+2000.example.		5M IN A		10.0.1.156
+2000.example.		5M IN A		10.0.1.157
+2000.example.		5M IN A		10.0.1.158
+2000.example.		5M IN A		10.0.1.159
+2000.example.		5M IN A		10.0.1.160
+2000.example.		5M IN A		10.0.1.161
+2000.example.		5M IN A		10.0.1.162
+2000.example.		5M IN A		10.0.1.163
+2000.example.		5M IN A		10.0.1.164
+2000.example.		5M IN A		10.0.1.165
+2000.example.		5M IN A		10.0.1.166
+2000.example.		5M IN A		10.0.1.167
+2000.example.		5M IN A		10.0.1.168
+2000.example.		5M IN A		10.0.1.169
+2000.example.		5M IN A		10.0.1.170
+2000.example.		5M IN A		10.0.1.171
+2000.example.		5M IN A		10.0.1.172
+2000.example.		5M IN A		10.0.1.173
+2000.example.		5M IN A		10.0.1.174
+2000.example.		5M IN A		10.0.1.175
+2000.example.		5M IN A		10.0.1.176
+2000.example.		5M IN A		10.0.1.177
+2000.example.		5M IN A		10.0.1.178
+2000.example.		5M IN A		10.0.1.179
+2000.example.		5M IN A		10.0.1.180
+2000.example.		5M IN A		10.0.1.181
+2000.example.		5M IN A		10.0.1.182
+2000.example.		5M IN A		10.0.1.183
+2000.example.		5M IN A		10.0.1.184
+2000.example.		5M IN A		10.0.1.185
+2000.example.		5M IN A		10.0.1.186
+2000.example.		5M IN A		10.0.1.187
+2000.example.		5M IN A		10.0.1.188
+2000.example.		5M IN A		10.0.1.189
+2000.example.		5M IN A		10.0.1.190
+2000.example.		5M IN A		10.0.1.191
+2000.example.		5M IN A		10.0.1.192
+2000.example.		5M IN A		10.0.1.193
+2000.example.		5M IN A		10.0.1.194
+2000.example.		5M IN A		10.0.1.195
+2000.example.		5M IN A		10.0.1.196
+2000.example.		5M IN A		10.0.1.197
+2000.example.		5M IN A		10.0.1.198
+2000.example.		5M IN A		10.0.1.199
+2000.example.		5M IN A		10.0.1.200
+2000.example.		5M IN A		10.0.1.201
+2000.example.		5M IN A		10.0.1.202
+2000.example.		5M IN A		10.0.1.203
+2000.example.		5M IN A		10.0.1.204
+2000.example.		5M IN A		10.0.1.205
+2000.example.		5M IN A		10.0.1.206
+2000.example.		5M IN A		10.0.1.207
+2000.example.		5M IN A		10.0.1.208
+2000.example.		5M IN A		10.0.1.209
+2000.example.		5M IN A		10.0.1.210
+2000.example.		5M IN A		10.0.1.211
+2000.example.		5M IN A		10.0.1.212
+2000.example.		5M IN A		10.0.1.213
+2000.example.		5M IN A		10.0.1.214
+2000.example.		5M IN A		10.0.1.215
+2000.example.		5M IN A		10.0.1.216
+2000.example.		5M IN A		10.0.1.217
+2000.example.		5M IN A		10.0.1.218
+2000.example.		5M IN A		10.0.1.219
+2000.example.		5M IN A		10.0.1.220
+2000.example.		5M IN A		10.0.1.221
+2000.example.		5M IN A		10.0.1.222
+2000.example.		5M IN A		10.0.1.223
+2000.example.		5M IN A		10.0.1.224
+2000.example.		5M IN A		10.0.1.225
+2000.example.		5M IN A		10.0.1.226
+2000.example.		5M IN A		10.0.1.227
+2000.example.		5M IN A		10.0.1.228
+2000.example.		5M IN A		10.0.1.229
+2000.example.		5M IN A		10.0.1.230
+2000.example.		5M IN A		10.0.1.231
+2000.example.		5M IN A		10.0.1.232
+2000.example.		5M IN A		10.0.1.233
+2000.example.		5M IN A		10.0.1.234
+2000.example.		5M IN A		10.0.1.235
+2000.example.		5M IN A		10.0.1.236
+2000.example.		5M IN A		10.0.1.237
+2000.example.		5M IN A		10.0.1.238
+2000.example.		5M IN A		10.0.1.239
+2000.example.		5M IN A		10.0.1.240
+2000.example.		5M IN A		10.0.1.241
+2000.example.		5M IN A		10.0.1.242
+2000.example.		5M IN A		10.0.1.243
+2000.example.		5M IN A		10.0.1.244
+2000.example.		5M IN A		10.0.1.245
+2000.example.		5M IN A		10.0.1.246
+2000.example.		5M IN A		10.0.1.247
+2000.example.		5M IN A		10.0.1.248
+2000.example.		5M IN A		10.0.1.249
+2000.example.		5M IN A		10.0.1.250
+2000.example.		5M IN A		10.0.1.251
+2000.example.		5M IN A		10.0.1.252
+2000.example.		5M IN A		10.0.1.253
+2000.example.		5M IN A		10.0.1.254
+2000.example.		5M IN A		10.0.1.255
+2000.example.		5M IN A		10.0.2.0
+2000.example.		5M IN A		10.0.2.1
+2000.example.		5M IN A		10.0.2.2
+2000.example.		5M IN A		10.0.2.3
+2000.example.		5M IN A		10.0.2.4
+2000.example.		5M IN A		10.0.2.5
+2000.example.		5M IN A		10.0.2.6
+2000.example.		5M IN A		10.0.2.7
+2000.example.		5M IN A		10.0.2.8
+2000.example.		5M IN A		10.0.2.9
+2000.example.		5M IN A		10.0.2.10
+2000.example.		5M IN A		10.0.2.11
+2000.example.		5M IN A		10.0.2.12
+2000.example.		5M IN A		10.0.2.13
+2000.example.		5M IN A		10.0.2.14
+2000.example.		5M IN A		10.0.2.15
+2000.example.		5M IN A		10.0.2.16
+2000.example.		5M IN A		10.0.2.17
+2000.example.		5M IN A		10.0.2.18
+2000.example.		5M IN A		10.0.2.19
+2000.example.		5M IN A		10.0.2.20
+2000.example.		5M IN A		10.0.2.21
+2000.example.		5M IN A		10.0.2.22
+2000.example.		5M IN A		10.0.2.23
+2000.example.		5M IN A		10.0.2.24
+2000.example.		5M IN A		10.0.2.25
+2000.example.		5M IN A		10.0.2.26
+2000.example.		5M IN A		10.0.2.27
+2000.example.		5M IN A		10.0.2.28
+2000.example.		5M IN A		10.0.2.29
+2000.example.		5M IN A		10.0.2.30
+2000.example.		5M IN A		10.0.2.31
+2000.example.		5M IN A		10.0.2.32
+2000.example.		5M IN A		10.0.2.33
+2000.example.		5M IN A		10.0.2.34
+2000.example.		5M IN A		10.0.2.35
+2000.example.		5M IN A		10.0.2.36
+2000.example.		5M IN A		10.0.2.37
+2000.example.		5M IN A		10.0.2.38
+2000.example.		5M IN A		10.0.2.39
+2000.example.		5M IN A		10.0.2.40
+2000.example.		5M IN A		10.0.2.41
+2000.example.		5M IN A		10.0.2.42
+2000.example.		5M IN A		10.0.2.43
+2000.example.		5M IN A		10.0.2.44
+2000.example.		5M IN A		10.0.2.45
+2000.example.		5M IN A		10.0.2.46
+2000.example.		5M IN A		10.0.2.47
+2000.example.		5M IN A		10.0.2.48
+2000.example.		5M IN A		10.0.2.49
+2000.example.		5M IN A		10.0.2.50
+2000.example.		5M IN A		10.0.2.51
+2000.example.		5M IN A		10.0.2.52
+2000.example.		5M IN A		10.0.2.53
+2000.example.		5M IN A		10.0.2.54
+2000.example.		5M IN A		10.0.2.55
+2000.example.		5M IN A		10.0.2.56
+2000.example.		5M IN A		10.0.2.57
+2000.example.		5M IN A		10.0.2.58
+2000.example.		5M IN A		10.0.2.59
+2000.example.		5M IN A		10.0.2.60
+2000.example.		5M IN A		10.0.2.61
+2000.example.		5M IN A		10.0.2.62
+2000.example.		5M IN A		10.0.2.63
+2000.example.		5M IN A		10.0.2.64
+2000.example.		5M IN A		10.0.2.65
+2000.example.		5M IN A		10.0.2.66
+2000.example.		5M IN A		10.0.2.67
+2000.example.		5M IN A		10.0.2.68
+2000.example.		5M IN A		10.0.2.69
+2000.example.		5M IN A		10.0.2.70
+2000.example.		5M IN A		10.0.2.71
+2000.example.		5M IN A		10.0.2.72
+2000.example.		5M IN A		10.0.2.73
+2000.example.		5M IN A		10.0.2.74
+2000.example.		5M IN A		10.0.2.75
+2000.example.		5M IN A		10.0.2.76
+2000.example.		5M IN A		10.0.2.77
+2000.example.		5M IN A		10.0.2.78
+2000.example.		5M IN A		10.0.2.79
+2000.example.		5M IN A		10.0.2.80
+2000.example.		5M IN A		10.0.2.81
+2000.example.		5M IN A		10.0.2.82
+2000.example.		5M IN A		10.0.2.83
+2000.example.		5M IN A		10.0.2.84
+2000.example.		5M IN A		10.0.2.85
+2000.example.		5M IN A		10.0.2.86
+2000.example.		5M IN A		10.0.2.87
+2000.example.		5M IN A		10.0.2.88
+2000.example.		5M IN A		10.0.2.89
+2000.example.		5M IN A		10.0.2.90
+2000.example.		5M IN A		10.0.2.91
+2000.example.		5M IN A		10.0.2.92
+2000.example.		5M IN A		10.0.2.93
+2000.example.		5M IN A		10.0.2.94
+2000.example.		5M IN A		10.0.2.95
+2000.example.		5M IN A		10.0.2.96
+2000.example.		5M IN A		10.0.2.97
+2000.example.		5M IN A		10.0.2.98
+2000.example.		5M IN A		10.0.2.99
+2000.example.		5M IN A		10.0.2.100
+2000.example.		5M IN A		10.0.2.101
+2000.example.		5M IN A		10.0.2.102
+2000.example.		5M IN A		10.0.2.103
+2000.example.		5M IN A		10.0.2.104
+2000.example.		5M IN A		10.0.2.105
+2000.example.		5M IN A		10.0.2.106
+2000.example.		5M IN A		10.0.2.107
+2000.example.		5M IN A		10.0.2.108
+2000.example.		5M IN A		10.0.2.109
+2000.example.		5M IN A		10.0.2.110
+2000.example.		5M IN A		10.0.2.111
+2000.example.		5M IN A		10.0.2.112
+2000.example.		5M IN A		10.0.2.113
+2000.example.		5M IN A		10.0.2.114
+2000.example.		5M IN A		10.0.2.115
+2000.example.		5M IN A		10.0.2.116
+2000.example.		5M IN A		10.0.2.117
+2000.example.		5M IN A		10.0.2.118
+2000.example.		5M IN A		10.0.2.119
+2000.example.		5M IN A		10.0.2.120
+2000.example.		5M IN A		10.0.2.121
+2000.example.		5M IN A		10.0.2.122
+2000.example.		5M IN A		10.0.2.123
+2000.example.		5M IN A		10.0.2.124
+2000.example.		5M IN A		10.0.2.125
+2000.example.		5M IN A		10.0.2.126
+2000.example.		5M IN A		10.0.2.127
+2000.example.		5M IN A		10.0.2.128
+2000.example.		5M IN A		10.0.2.129
+2000.example.		5M IN A		10.0.2.130
+2000.example.		5M IN A		10.0.2.131
+2000.example.		5M IN A		10.0.2.132
+2000.example.		5M IN A		10.0.2.133
+2000.example.		5M IN A		10.0.2.134
+2000.example.		5M IN A		10.0.2.135
+2000.example.		5M IN A		10.0.2.136
+2000.example.		5M IN A		10.0.2.137
+2000.example.		5M IN A		10.0.2.138
+2000.example.		5M IN A		10.0.2.139
+2000.example.		5M IN A		10.0.2.140
+2000.example.		5M IN A		10.0.2.141
+2000.example.		5M IN A		10.0.2.142
+2000.example.		5M IN A		10.0.2.143
+2000.example.		5M IN A		10.0.2.144
+2000.example.		5M IN A		10.0.2.145
+2000.example.		5M IN A		10.0.2.146
+2000.example.		5M IN A		10.0.2.147
+2000.example.		5M IN A		10.0.2.148
+2000.example.		5M IN A		10.0.2.149
+2000.example.		5M IN A		10.0.2.150
+2000.example.		5M IN A		10.0.2.151
+2000.example.		5M IN A		10.0.2.152
+2000.example.		5M IN A		10.0.2.153
+2000.example.		5M IN A		10.0.2.154
+2000.example.		5M IN A		10.0.2.155
+2000.example.		5M IN A		10.0.2.156
+2000.example.		5M IN A		10.0.2.157
+2000.example.		5M IN A		10.0.2.158
+2000.example.		5M IN A		10.0.2.159
+2000.example.		5M IN A		10.0.2.160
+2000.example.		5M IN A		10.0.2.161
+2000.example.		5M IN A		10.0.2.162
+2000.example.		5M IN A		10.0.2.163
+2000.example.		5M IN A		10.0.2.164
+2000.example.		5M IN A		10.0.2.165
+2000.example.		5M IN A		10.0.2.166
+2000.example.		5M IN A		10.0.2.167
+2000.example.		5M IN A		10.0.2.168
+2000.example.		5M IN A		10.0.2.169
+2000.example.		5M IN A		10.0.2.170
+2000.example.		5M IN A		10.0.2.171
+2000.example.		5M IN A		10.0.2.172
+2000.example.		5M IN A		10.0.2.173
+2000.example.		5M IN A		10.0.2.174
+2000.example.		5M IN A		10.0.2.175
+2000.example.		5M IN A		10.0.2.176
+2000.example.		5M IN A		10.0.2.177
+2000.example.		5M IN A		10.0.2.178
+2000.example.		5M IN A		10.0.2.179
+2000.example.		5M IN A		10.0.2.180
+2000.example.		5M IN A		10.0.2.181
+2000.example.		5M IN A		10.0.2.182
+2000.example.		5M IN A		10.0.2.183
+2000.example.		5M IN A		10.0.2.184
+2000.example.		5M IN A		10.0.2.185
+2000.example.		5M IN A		10.0.2.186
+2000.example.		5M IN A		10.0.2.187
+2000.example.		5M IN A		10.0.2.188
+2000.example.		5M IN A		10.0.2.189
+2000.example.		5M IN A		10.0.2.190
+2000.example.		5M IN A		10.0.2.191
+2000.example.		5M IN A		10.0.2.192
+2000.example.		5M IN A		10.0.2.193
+2000.example.		5M IN A		10.0.2.194
+2000.example.		5M IN A		10.0.2.195
+2000.example.		5M IN A		10.0.2.196
+2000.example.		5M IN A		10.0.2.197
+2000.example.		5M IN A		10.0.2.198
+2000.example.		5M IN A		10.0.2.199
+2000.example.		5M IN A		10.0.2.200
+2000.example.		5M IN A		10.0.2.201
+2000.example.		5M IN A		10.0.2.202
+2000.example.		5M IN A		10.0.2.203
+2000.example.		5M IN A		10.0.2.204
+2000.example.		5M IN A		10.0.2.205
+2000.example.		5M IN A		10.0.2.206
+2000.example.		5M IN A		10.0.2.207
+2000.example.		5M IN A		10.0.2.208
+2000.example.		5M IN A		10.0.2.209
+2000.example.		5M IN A		10.0.2.210
+2000.example.		5M IN A		10.0.2.211
+2000.example.		5M IN A		10.0.2.212
+2000.example.		5M IN A		10.0.2.213
+2000.example.		5M IN A		10.0.2.214
+2000.example.		5M IN A		10.0.2.215
+2000.example.		5M IN A		10.0.2.216
+2000.example.		5M IN A		10.0.2.217
+2000.example.		5M IN A		10.0.2.218
+2000.example.		5M IN A		10.0.2.219
+2000.example.		5M IN A		10.0.2.220
+2000.example.		5M IN A		10.0.2.221
+2000.example.		5M IN A		10.0.2.222
+2000.example.		5M IN A		10.0.2.223
+2000.example.		5M IN A		10.0.2.224
+2000.example.		5M IN A		10.0.2.225
+2000.example.		5M IN A		10.0.2.226
+2000.example.		5M IN A		10.0.2.227
+2000.example.		5M IN A		10.0.2.228
+2000.example.		5M IN A		10.0.2.229
+2000.example.		5M IN A		10.0.2.230
+2000.example.		5M IN A		10.0.2.231
+2000.example.		5M IN A		10.0.2.232
+2000.example.		5M IN A		10.0.2.233
+2000.example.		5M IN A		10.0.2.234
+2000.example.		5M IN A		10.0.2.235
+2000.example.		5M IN A		10.0.2.236
+2000.example.		5M IN A		10.0.2.237
+2000.example.		5M IN A		10.0.2.238
+2000.example.		5M IN A		10.0.2.239
+2000.example.		5M IN A		10.0.2.240
+2000.example.		5M IN A		10.0.2.241
+2000.example.		5M IN A		10.0.2.242
+2000.example.		5M IN A		10.0.2.243
+2000.example.		5M IN A		10.0.2.244
+2000.example.		5M IN A		10.0.2.245
+2000.example.		5M IN A		10.0.2.246
+2000.example.		5M IN A		10.0.2.247
+2000.example.		5M IN A		10.0.2.248
+2000.example.		5M IN A		10.0.2.249
+2000.example.		5M IN A		10.0.2.250
+2000.example.		5M IN A		10.0.2.251
+2000.example.		5M IN A		10.0.2.252
+2000.example.		5M IN A		10.0.2.253
+2000.example.		5M IN A		10.0.2.254
+2000.example.		5M IN A		10.0.2.255
+2000.example.		5M IN A		10.0.3.0
+2000.example.		5M IN A		10.0.3.1
+2000.example.		5M IN A		10.0.3.2
+2000.example.		5M IN A		10.0.3.3
+2000.example.		5M IN A		10.0.3.4
+2000.example.		5M IN A		10.0.3.5
+2000.example.		5M IN A		10.0.3.6
+2000.example.		5M IN A		10.0.3.7
+2000.example.		5M IN A		10.0.3.8
+2000.example.		5M IN A		10.0.3.9
+2000.example.		5M IN A		10.0.3.10
+2000.example.		5M IN A		10.0.3.11
+2000.example.		5M IN A		10.0.3.12
+2000.example.		5M IN A		10.0.3.13
+2000.example.		5M IN A		10.0.3.14
+2000.example.		5M IN A		10.0.3.15
+2000.example.		5M IN A		10.0.3.16
+2000.example.		5M IN A		10.0.3.17
+2000.example.		5M IN A		10.0.3.18
+2000.example.		5M IN A		10.0.3.19
+2000.example.		5M IN A		10.0.3.20
+2000.example.		5M IN A		10.0.3.21
+2000.example.		5M IN A		10.0.3.22
+2000.example.		5M IN A		10.0.3.23
+2000.example.		5M IN A		10.0.3.24
+2000.example.		5M IN A		10.0.3.25
+2000.example.		5M IN A		10.0.3.26
+2000.example.		5M IN A		10.0.3.27
+2000.example.		5M IN A		10.0.3.28
+2000.example.		5M IN A		10.0.3.29
+2000.example.		5M IN A		10.0.3.30
+2000.example.		5M IN A		10.0.3.31
+2000.example.		5M IN A		10.0.3.32
+2000.example.		5M IN A		10.0.3.33
+2000.example.		5M IN A		10.0.3.34
+2000.example.		5M IN A		10.0.3.35
+2000.example.		5M IN A		10.0.3.36
+2000.example.		5M IN A		10.0.3.37
+2000.example.		5M IN A		10.0.3.38
+2000.example.		5M IN A		10.0.3.39
+2000.example.		5M IN A		10.0.3.40
+2000.example.		5M IN A		10.0.3.41
+2000.example.		5M IN A		10.0.3.42
+2000.example.		5M IN A		10.0.3.43
+2000.example.		5M IN A		10.0.3.44
+2000.example.		5M IN A		10.0.3.45
+2000.example.		5M IN A		10.0.3.46
+2000.example.		5M IN A		10.0.3.47
+2000.example.		5M IN A		10.0.3.48
+2000.example.		5M IN A		10.0.3.49
+2000.example.		5M IN A		10.0.3.50
+2000.example.		5M IN A		10.0.3.51
+2000.example.		5M IN A		10.0.3.52
+2000.example.		5M IN A		10.0.3.53
+2000.example.		5M IN A		10.0.3.54
+2000.example.		5M IN A		10.0.3.55
+2000.example.		5M IN A		10.0.3.56
+2000.example.		5M IN A		10.0.3.57
+2000.example.		5M IN A		10.0.3.58
+2000.example.		5M IN A		10.0.3.59
+2000.example.		5M IN A		10.0.3.60
+2000.example.		5M IN A		10.0.3.61
+2000.example.		5M IN A		10.0.3.62
+2000.example.		5M IN A		10.0.3.63
+2000.example.		5M IN A		10.0.3.64
+2000.example.		5M IN A		10.0.3.65
+2000.example.		5M IN A		10.0.3.66
+2000.example.		5M IN A		10.0.3.67
+2000.example.		5M IN A		10.0.3.68
+2000.example.		5M IN A		10.0.3.69
+2000.example.		5M IN A		10.0.3.70
+2000.example.		5M IN A		10.0.3.71
+2000.example.		5M IN A		10.0.3.72
+2000.example.		5M IN A		10.0.3.73
+2000.example.		5M IN A		10.0.3.74
+2000.example.		5M IN A		10.0.3.75
+2000.example.		5M IN A		10.0.3.76
+2000.example.		5M IN A		10.0.3.77
+2000.example.		5M IN A		10.0.3.78
+2000.example.		5M IN A		10.0.3.79
+2000.example.		5M IN A		10.0.3.80
+2000.example.		5M IN A		10.0.3.81
+2000.example.		5M IN A		10.0.3.82
+2000.example.		5M IN A		10.0.3.83
+2000.example.		5M IN A		10.0.3.84
+2000.example.		5M IN A		10.0.3.85
+2000.example.		5M IN A		10.0.3.86
+2000.example.		5M IN A		10.0.3.87
+2000.example.		5M IN A		10.0.3.88
+2000.example.		5M IN A		10.0.3.89
+2000.example.		5M IN A		10.0.3.90
+2000.example.		5M IN A		10.0.3.91
+2000.example.		5M IN A		10.0.3.92
+2000.example.		5M IN A		10.0.3.93
+2000.example.		5M IN A		10.0.3.94
+2000.example.		5M IN A		10.0.3.95
+2000.example.		5M IN A		10.0.3.96
+2000.example.		5M IN A		10.0.3.97
+2000.example.		5M IN A		10.0.3.98
+2000.example.		5M IN A		10.0.3.99
+2000.example.		5M IN A		10.0.3.100
+2000.example.		5M IN A		10.0.3.101
+2000.example.		5M IN A		10.0.3.102
+2000.example.		5M IN A		10.0.3.103
+2000.example.		5M IN A		10.0.3.104
+2000.example.		5M IN A		10.0.3.105
+2000.example.		5M IN A		10.0.3.106
+2000.example.		5M IN A		10.0.3.107
+2000.example.		5M IN A		10.0.3.108
+2000.example.		5M IN A		10.0.3.109
+2000.example.		5M IN A		10.0.3.110
+2000.example.		5M IN A		10.0.3.111
+2000.example.		5M IN A		10.0.3.112
+2000.example.		5M IN A		10.0.3.113
+2000.example.		5M IN A		10.0.3.114
+2000.example.		5M IN A		10.0.3.115
+2000.example.		5M IN A		10.0.3.116
+2000.example.		5M IN A		10.0.3.117
+2000.example.		5M IN A		10.0.3.118
+2000.example.		5M IN A		10.0.3.119
+2000.example.		5M IN A		10.0.3.120
+2000.example.		5M IN A		10.0.3.121
+2000.example.		5M IN A		10.0.3.122
+2000.example.		5M IN A		10.0.3.123
+2000.example.		5M IN A		10.0.3.124
+2000.example.		5M IN A		10.0.3.125
+2000.example.		5M IN A		10.0.3.126
+2000.example.		5M IN A		10.0.3.127
+2000.example.		5M IN A		10.0.3.128
+2000.example.		5M IN A		10.0.3.129
+2000.example.		5M IN A		10.0.3.130
+2000.example.		5M IN A		10.0.3.131
+2000.example.		5M IN A		10.0.3.132
+2000.example.		5M IN A		10.0.3.133
+2000.example.		5M IN A		10.0.3.134
+2000.example.		5M IN A		10.0.3.135
+2000.example.		5M IN A		10.0.3.136
+2000.example.		5M IN A		10.0.3.137
+2000.example.		5M IN A		10.0.3.138
+2000.example.		5M IN A		10.0.3.139
+2000.example.		5M IN A		10.0.3.140
+2000.example.		5M IN A		10.0.3.141
+2000.example.		5M IN A		10.0.3.142
+2000.example.		5M IN A		10.0.3.143
+2000.example.		5M IN A		10.0.3.144
+2000.example.		5M IN A		10.0.3.145
+2000.example.		5M IN A		10.0.3.146
+2000.example.		5M IN A		10.0.3.147
+2000.example.		5M IN A		10.0.3.148
+2000.example.		5M IN A		10.0.3.149
+2000.example.		5M IN A		10.0.3.150
+2000.example.		5M IN A		10.0.3.151
+2000.example.		5M IN A		10.0.3.152
+2000.example.		5M IN A		10.0.3.153
+2000.example.		5M IN A		10.0.3.154
+2000.example.		5M IN A		10.0.3.155
+2000.example.		5M IN A		10.0.3.156
+2000.example.		5M IN A		10.0.3.157
+2000.example.		5M IN A		10.0.3.158
+2000.example.		5M IN A		10.0.3.159
+2000.example.		5M IN A		10.0.3.160
+2000.example.		5M IN A		10.0.3.161
+2000.example.		5M IN A		10.0.3.162
+2000.example.		5M IN A		10.0.3.163
+2000.example.		5M IN A		10.0.3.164
+2000.example.		5M IN A		10.0.3.165
+2000.example.		5M IN A		10.0.3.166
+2000.example.		5M IN A		10.0.3.167
+2000.example.		5M IN A		10.0.3.168
+2000.example.		5M IN A		10.0.3.169
+2000.example.		5M IN A		10.0.3.170
+2000.example.		5M IN A		10.0.3.171
+2000.example.		5M IN A		10.0.3.172
+2000.example.		5M IN A		10.0.3.173
+2000.example.		5M IN A		10.0.3.174
+2000.example.		5M IN A		10.0.3.175
+2000.example.		5M IN A		10.0.3.176
+2000.example.		5M IN A		10.0.3.177
+2000.example.		5M IN A		10.0.3.178
+2000.example.		5M IN A		10.0.3.179
+2000.example.		5M IN A		10.0.3.180
+2000.example.		5M IN A		10.0.3.181
+2000.example.		5M IN A		10.0.3.182
+2000.example.		5M IN A		10.0.3.183
+2000.example.		5M IN A		10.0.3.184
+2000.example.		5M IN A		10.0.3.185
+2000.example.		5M IN A		10.0.3.186
+2000.example.		5M IN A		10.0.3.187
+2000.example.		5M IN A		10.0.3.188
+2000.example.		5M IN A		10.0.3.189
+2000.example.		5M IN A		10.0.3.190
+2000.example.		5M IN A		10.0.3.191
+2000.example.		5M IN A		10.0.3.192
+2000.example.		5M IN A		10.0.3.193
+2000.example.		5M IN A		10.0.3.194
+2000.example.		5M IN A		10.0.3.195
+2000.example.		5M IN A		10.0.3.196
+2000.example.		5M IN A		10.0.3.197
+2000.example.		5M IN A		10.0.3.198
+2000.example.		5M IN A		10.0.3.199
+2000.example.		5M IN A		10.0.3.200
+2000.example.		5M IN A		10.0.3.201
+2000.example.		5M IN A		10.0.3.202
+2000.example.		5M IN A		10.0.3.203
+2000.example.		5M IN A		10.0.3.204
+2000.example.		5M IN A		10.0.3.205
+2000.example.		5M IN A		10.0.3.206
+2000.example.		5M IN A		10.0.3.207
+2000.example.		5M IN A		10.0.3.208
+2000.example.		5M IN A		10.0.3.209
+2000.example.		5M IN A		10.0.3.210
+2000.example.		5M IN A		10.0.3.211
+2000.example.		5M IN A		10.0.3.212
+2000.example.		5M IN A		10.0.3.213
+2000.example.		5M IN A		10.0.3.214
+2000.example.		5M IN A		10.0.3.215
+2000.example.		5M IN A		10.0.3.216
+2000.example.		5M IN A		10.0.3.217
+2000.example.		5M IN A		10.0.3.218
+2000.example.		5M IN A		10.0.3.219
+2000.example.		5M IN A		10.0.3.220
+2000.example.		5M IN A		10.0.3.221
+2000.example.		5M IN A		10.0.3.222
+2000.example.		5M IN A		10.0.3.223
+2000.example.		5M IN A		10.0.3.224
+2000.example.		5M IN A		10.0.3.225
+2000.example.		5M IN A		10.0.3.226
+2000.example.		5M IN A		10.0.3.227
+2000.example.		5M IN A		10.0.3.228
+2000.example.		5M IN A		10.0.3.229
+2000.example.		5M IN A		10.0.3.230
+2000.example.		5M IN A		10.0.3.231
+2000.example.		5M IN A		10.0.3.232
+2000.example.		5M IN A		10.0.3.233
+2000.example.		5M IN A		10.0.3.234
+2000.example.		5M IN A		10.0.3.235
+2000.example.		5M IN A		10.0.3.236
+2000.example.		5M IN A		10.0.3.237
+2000.example.		5M IN A		10.0.3.238
+2000.example.		5M IN A		10.0.3.239
+2000.example.		5M IN A		10.0.3.240
+2000.example.		5M IN A		10.0.3.241
+2000.example.		5M IN A		10.0.3.242
+2000.example.		5M IN A		10.0.3.243
+2000.example.		5M IN A		10.0.3.244
+2000.example.		5M IN A		10.0.3.245
+2000.example.		5M IN A		10.0.3.246
+2000.example.		5M IN A		10.0.3.247
+2000.example.		5M IN A		10.0.3.248
+2000.example.		5M IN A		10.0.3.249
+2000.example.		5M IN A		10.0.3.250
+2000.example.		5M IN A		10.0.3.251
+2000.example.		5M IN A		10.0.3.252
+2000.example.		5M IN A		10.0.3.253
+2000.example.		5M IN A		10.0.3.254
+2000.example.		5M IN A		10.0.3.255
+2000.example.		5M IN A		10.0.4.0
+2000.example.		5M IN A		10.0.4.1
+2000.example.		5M IN A		10.0.4.2
+2000.example.		5M IN A		10.0.4.3
+2000.example.		5M IN A		10.0.4.4
+2000.example.		5M IN A		10.0.4.5
+2000.example.		5M IN A		10.0.4.6
+2000.example.		5M IN A		10.0.4.7
+2000.example.		5M IN A		10.0.4.8
+2000.example.		5M IN A		10.0.4.9
+2000.example.		5M IN A		10.0.4.10
+2000.example.		5M IN A		10.0.4.11
+2000.example.		5M IN A		10.0.4.12
+2000.example.		5M IN A		10.0.4.13
+2000.example.		5M IN A		10.0.4.14
+2000.example.		5M IN A		10.0.4.15
+2000.example.		5M IN A		10.0.4.16
+2000.example.		5M IN A		10.0.4.17
+2000.example.		5M IN A		10.0.4.18
+2000.example.		5M IN A		10.0.4.19
+2000.example.		5M IN A		10.0.4.20
+2000.example.		5M IN A		10.0.4.21
+2000.example.		5M IN A		10.0.4.22
+2000.example.		5M IN A		10.0.4.23
+2000.example.		5M IN A		10.0.4.24
+2000.example.		5M IN A		10.0.4.25
+2000.example.		5M IN A		10.0.4.26
+2000.example.		5M IN A		10.0.4.27
+2000.example.		5M IN A		10.0.4.28
+2000.example.		5M IN A		10.0.4.29
+2000.example.		5M IN A		10.0.4.30
+2000.example.		5M IN A		10.0.4.31
+2000.example.		5M IN A		10.0.4.32
+2000.example.		5M IN A		10.0.4.33
+2000.example.		5M IN A		10.0.4.34
+2000.example.		5M IN A		10.0.4.35
+2000.example.		5M IN A		10.0.4.36
+2000.example.		5M IN A		10.0.4.37
+2000.example.		5M IN A		10.0.4.38
+2000.example.		5M IN A		10.0.4.39
+2000.example.		5M IN A		10.0.4.40
+2000.example.		5M IN A		10.0.4.41
+2000.example.		5M IN A		10.0.4.42
+2000.example.		5M IN A		10.0.4.43
+2000.example.		5M IN A		10.0.4.44
+2000.example.		5M IN A		10.0.4.45
+2000.example.		5M IN A		10.0.4.46
+2000.example.		5M IN A		10.0.4.47
+2000.example.		5M IN A		10.0.4.48
+2000.example.		5M IN A		10.0.4.49
+2000.example.		5M IN A		10.0.4.50
+2000.example.		5M IN A		10.0.4.51
+2000.example.		5M IN A		10.0.4.52
+2000.example.		5M IN A		10.0.4.53
+2000.example.		5M IN A		10.0.4.54
+2000.example.		5M IN A		10.0.4.55
+2000.example.		5M IN A		10.0.4.56
+2000.example.		5M IN A		10.0.4.57
+2000.example.		5M IN A		10.0.4.58
+2000.example.		5M IN A		10.0.4.59
+2000.example.		5M IN A		10.0.4.60
+2000.example.		5M IN A		10.0.4.61
+2000.example.		5M IN A		10.0.4.62
+2000.example.		5M IN A		10.0.4.63
+2000.example.		5M IN A		10.0.4.64
+2000.example.		5M IN A		10.0.4.65
+2000.example.		5M IN A		10.0.4.66
+2000.example.		5M IN A		10.0.4.67
+2000.example.		5M IN A		10.0.4.68
+2000.example.		5M IN A		10.0.4.69
+2000.example.		5M IN A		10.0.4.70
+2000.example.		5M IN A		10.0.4.71
+2000.example.		5M IN A		10.0.4.72
+2000.example.		5M IN A		10.0.4.73
+2000.example.		5M IN A		10.0.4.74
+2000.example.		5M IN A		10.0.4.75
+2000.example.		5M IN A		10.0.4.76
+2000.example.		5M IN A		10.0.4.77
+2000.example.		5M IN A		10.0.4.78
+2000.example.		5M IN A		10.0.4.79
+2000.example.		5M IN A		10.0.4.80
+2000.example.		5M IN A		10.0.4.81
+2000.example.		5M IN A		10.0.4.82
+2000.example.		5M IN A		10.0.4.83
+2000.example.		5M IN A		10.0.4.84
+2000.example.		5M IN A		10.0.4.85
+2000.example.		5M IN A		10.0.4.86
+2000.example.		5M IN A		10.0.4.87
+2000.example.		5M IN A		10.0.4.88
+2000.example.		5M IN A		10.0.4.89
+2000.example.		5M IN A		10.0.4.90
+2000.example.		5M IN A		10.0.4.91
+2000.example.		5M IN A		10.0.4.92
+2000.example.		5M IN A		10.0.4.93
+2000.example.		5M IN A		10.0.4.94
+2000.example.		5M IN A		10.0.4.95
+2000.example.		5M IN A		10.0.4.96
+2000.example.		5M IN A		10.0.4.97
+2000.example.		5M IN A		10.0.4.98
+2000.example.		5M IN A		10.0.4.99
+2000.example.		5M IN A		10.0.4.100
+2000.example.		5M IN A		10.0.4.101
+2000.example.		5M IN A		10.0.4.102
+2000.example.		5M IN A		10.0.4.103
+2000.example.		5M IN A		10.0.4.104
+2000.example.		5M IN A		10.0.4.105
+2000.example.		5M IN A		10.0.4.106
+2000.example.		5M IN A		10.0.4.107
+2000.example.		5M IN A		10.0.4.108
+2000.example.		5M IN A		10.0.4.109
+2000.example.		5M IN A		10.0.4.110
+2000.example.		5M IN A		10.0.4.111
+2000.example.		5M IN A		10.0.4.112
+2000.example.		5M IN A		10.0.4.113
+2000.example.		5M IN A		10.0.4.114
+2000.example.		5M IN A		10.0.4.115
+2000.example.		5M IN A		10.0.4.116
+2000.example.		5M IN A		10.0.4.117
+2000.example.		5M IN A		10.0.4.118
+2000.example.		5M IN A		10.0.4.119
+2000.example.		5M IN A		10.0.4.120
+2000.example.		5M IN A		10.0.4.121
+2000.example.		5M IN A		10.0.4.122
+2000.example.		5M IN A		10.0.4.123
+2000.example.		5M IN A		10.0.4.124
+2000.example.		5M IN A		10.0.4.125
+2000.example.		5M IN A		10.0.4.126
+2000.example.		5M IN A		10.0.4.127
+2000.example.		5M IN A		10.0.4.128
+2000.example.		5M IN A		10.0.4.129
+2000.example.		5M IN A		10.0.4.130
+2000.example.		5M IN A		10.0.4.131
+2000.example.		5M IN A		10.0.4.132
+2000.example.		5M IN A		10.0.4.133
+2000.example.		5M IN A		10.0.4.134
+2000.example.		5M IN A		10.0.4.135
+2000.example.		5M IN A		10.0.4.136
+2000.example.		5M IN A		10.0.4.137
+2000.example.		5M IN A		10.0.4.138
+2000.example.		5M IN A		10.0.4.139
+2000.example.		5M IN A		10.0.4.140
+2000.example.		5M IN A		10.0.4.141
+2000.example.		5M IN A		10.0.4.142
+2000.example.		5M IN A		10.0.4.143
+2000.example.		5M IN A		10.0.4.144
+2000.example.		5M IN A		10.0.4.145
+2000.example.		5M IN A		10.0.4.146
+2000.example.		5M IN A		10.0.4.147
+2000.example.		5M IN A		10.0.4.148
+2000.example.		5M IN A		10.0.4.149
+2000.example.		5M IN A		10.0.4.150
+2000.example.		5M IN A		10.0.4.151
+2000.example.		5M IN A		10.0.4.152
+2000.example.		5M IN A		10.0.4.153
+2000.example.		5M IN A		10.0.4.154
+2000.example.		5M IN A		10.0.4.155
+2000.example.		5M IN A		10.0.4.156
+2000.example.		5M IN A		10.0.4.157
+2000.example.		5M IN A		10.0.4.158
+2000.example.		5M IN A		10.0.4.159
+2000.example.		5M IN A		10.0.4.160
+2000.example.		5M IN A		10.0.4.161
+2000.example.		5M IN A		10.0.4.162
+2000.example.		5M IN A		10.0.4.163
+2000.example.		5M IN A		10.0.4.164
+2000.example.		5M IN A		10.0.4.165
+2000.example.		5M IN A		10.0.4.166
+2000.example.		5M IN A		10.0.4.167
+2000.example.		5M IN A		10.0.4.168
+2000.example.		5M IN A		10.0.4.169
+2000.example.		5M IN A		10.0.4.170
+2000.example.		5M IN A		10.0.4.171
+2000.example.		5M IN A		10.0.4.172
+2000.example.		5M IN A		10.0.4.173
+2000.example.		5M IN A		10.0.4.174
+2000.example.		5M IN A		10.0.4.175
+2000.example.		5M IN A		10.0.4.176
+2000.example.		5M IN A		10.0.4.177
+2000.example.		5M IN A		10.0.4.178
+2000.example.		5M IN A		10.0.4.179
+2000.example.		5M IN A		10.0.4.180
+2000.example.		5M IN A		10.0.4.181
+2000.example.		5M IN A		10.0.4.182
+2000.example.		5M IN A		10.0.4.183
+2000.example.		5M IN A		10.0.4.184
+2000.example.		5M IN A		10.0.4.185
+2000.example.		5M IN A		10.0.4.186
+2000.example.		5M IN A		10.0.4.187
+2000.example.		5M IN A		10.0.4.188
+2000.example.		5M IN A		10.0.4.189
+2000.example.		5M IN A		10.0.4.190
+2000.example.		5M IN A		10.0.4.191
+2000.example.		5M IN A		10.0.4.192
+2000.example.		5M IN A		10.0.4.193
+2000.example.		5M IN A		10.0.4.194
+2000.example.		5M IN A		10.0.4.195
+2000.example.		5M IN A		10.0.4.196
+2000.example.		5M IN A		10.0.4.197
+2000.example.		5M IN A		10.0.4.198
+2000.example.		5M IN A		10.0.4.199
+2000.example.		5M IN A		10.0.4.200
+2000.example.		5M IN A		10.0.4.201
+2000.example.		5M IN A		10.0.4.202
+2000.example.		5M IN A		10.0.4.203
+2000.example.		5M IN A		10.0.4.204
+2000.example.		5M IN A		10.0.4.205
+2000.example.		5M IN A		10.0.4.206
+2000.example.		5M IN A		10.0.4.207
+2000.example.		5M IN A		10.0.4.208
+2000.example.		5M IN A		10.0.4.209
+2000.example.		5M IN A		10.0.4.210
+2000.example.		5M IN A		10.0.4.211
+2000.example.		5M IN A		10.0.4.212
+2000.example.		5M IN A		10.0.4.213
+2000.example.		5M IN A		10.0.4.214
+2000.example.		5M IN A		10.0.4.215
+2000.example.		5M IN A		10.0.4.216
+2000.example.		5M IN A		10.0.4.217
+2000.example.		5M IN A		10.0.4.218
+2000.example.		5M IN A		10.0.4.219
+2000.example.		5M IN A		10.0.4.220
+2000.example.		5M IN A		10.0.4.221
+2000.example.		5M IN A		10.0.4.222
+2000.example.		5M IN A		10.0.4.223
+2000.example.		5M IN A		10.0.4.224
+2000.example.		5M IN A		10.0.4.225
+2000.example.		5M IN A		10.0.4.226
+2000.example.		5M IN A		10.0.4.227
+2000.example.		5M IN A		10.0.4.228
+2000.example.		5M IN A		10.0.4.229
+2000.example.		5M IN A		10.0.4.230
+2000.example.		5M IN A		10.0.4.231
+2000.example.		5M IN A		10.0.4.232
+2000.example.		5M IN A		10.0.4.233
+2000.example.		5M IN A		10.0.4.234
+2000.example.		5M IN A		10.0.4.235
+2000.example.		5M IN A		10.0.4.236
+2000.example.		5M IN A		10.0.4.237
+2000.example.		5M IN A		10.0.4.238
+2000.example.		5M IN A		10.0.4.239
+2000.example.		5M IN A		10.0.4.240
+2000.example.		5M IN A		10.0.4.241
+2000.example.		5M IN A		10.0.4.242
+2000.example.		5M IN A		10.0.4.243
+2000.example.		5M IN A		10.0.4.244
+2000.example.		5M IN A		10.0.4.245
+2000.example.		5M IN A		10.0.4.246
+2000.example.		5M IN A		10.0.4.247
+2000.example.		5M IN A		10.0.4.248
+2000.example.		5M IN A		10.0.4.249
+2000.example.		5M IN A		10.0.4.250
+2000.example.		5M IN A		10.0.4.251
+2000.example.		5M IN A		10.0.4.252
+2000.example.		5M IN A		10.0.4.253
+2000.example.		5M IN A		10.0.4.254
+2000.example.		5M IN A		10.0.4.255
+2000.example.		5M IN A		10.0.5.0
+2000.example.		5M IN A		10.0.5.1
+2000.example.		5M IN A		10.0.5.2
+2000.example.		5M IN A		10.0.5.3
+2000.example.		5M IN A		10.0.5.4
+2000.example.		5M IN A		10.0.5.5
+2000.example.		5M IN A		10.0.5.6
+2000.example.		5M IN A		10.0.5.7
+2000.example.		5M IN A		10.0.5.8
+2000.example.		5M IN A		10.0.5.9
+2000.example.		5M IN A		10.0.5.10
+2000.example.		5M IN A		10.0.5.11
+2000.example.		5M IN A		10.0.5.12
+2000.example.		5M IN A		10.0.5.13
+2000.example.		5M IN A		10.0.5.14
+2000.example.		5M IN A		10.0.5.15
+2000.example.		5M IN A		10.0.5.16
+2000.example.		5M IN A		10.0.5.17
+2000.example.		5M IN A		10.0.5.18
+2000.example.		5M IN A		10.0.5.19
+2000.example.		5M IN A		10.0.5.20
+2000.example.		5M IN A		10.0.5.21
+2000.example.		5M IN A		10.0.5.22
+2000.example.		5M IN A		10.0.5.23
+2000.example.		5M IN A		10.0.5.24
+2000.example.		5M IN A		10.0.5.25
+2000.example.		5M IN A		10.0.5.26
+2000.example.		5M IN A		10.0.5.27
+2000.example.		5M IN A		10.0.5.28
+2000.example.		5M IN A		10.0.5.29
+2000.example.		5M IN A		10.0.5.30
+2000.example.		5M IN A		10.0.5.31
+2000.example.		5M IN A		10.0.5.32
+2000.example.		5M IN A		10.0.5.33
+2000.example.		5M IN A		10.0.5.34
+2000.example.		5M IN A		10.0.5.35
+2000.example.		5M IN A		10.0.5.36
+2000.example.		5M IN A		10.0.5.37
+2000.example.		5M IN A		10.0.5.38
+2000.example.		5M IN A		10.0.5.39
+2000.example.		5M IN A		10.0.5.40
+2000.example.		5M IN A		10.0.5.41
+2000.example.		5M IN A		10.0.5.42
+2000.example.		5M IN A		10.0.5.43
+2000.example.		5M IN A		10.0.5.44
+2000.example.		5M IN A		10.0.5.45
+2000.example.		5M IN A		10.0.5.46
+2000.example.		5M IN A		10.0.5.47
+2000.example.		5M IN A		10.0.5.48
+2000.example.		5M IN A		10.0.5.49
+2000.example.		5M IN A		10.0.5.50
+2000.example.		5M IN A		10.0.5.51
+2000.example.		5M IN A		10.0.5.52
+2000.example.		5M IN A		10.0.5.53
+2000.example.		5M IN A		10.0.5.54
+2000.example.		5M IN A		10.0.5.55
+2000.example.		5M IN A		10.0.5.56
+2000.example.		5M IN A		10.0.5.57
+2000.example.		5M IN A		10.0.5.58
+2000.example.		5M IN A		10.0.5.59
+2000.example.		5M IN A		10.0.5.60
+2000.example.		5M IN A		10.0.5.61
+2000.example.		5M IN A		10.0.5.62
+2000.example.		5M IN A		10.0.5.63
+2000.example.		5M IN A		10.0.5.64
+2000.example.		5M IN A		10.0.5.65
+2000.example.		5M IN A		10.0.5.66
+2000.example.		5M IN A		10.0.5.67
+2000.example.		5M IN A		10.0.5.68
+2000.example.		5M IN A		10.0.5.69
+2000.example.		5M IN A		10.0.5.70
+2000.example.		5M IN A		10.0.5.71
+2000.example.		5M IN A		10.0.5.72
+2000.example.		5M IN A		10.0.5.73
+2000.example.		5M IN A		10.0.5.74
+2000.example.		5M IN A		10.0.5.75
+2000.example.		5M IN A		10.0.5.76
+2000.example.		5M IN A		10.0.5.77
+2000.example.		5M IN A		10.0.5.78
+2000.example.		5M IN A		10.0.5.79
+2000.example.		5M IN A		10.0.5.80
+2000.example.		5M IN A		10.0.5.81
+2000.example.		5M IN A		10.0.5.82
+2000.example.		5M IN A		10.0.5.83
+2000.example.		5M IN A		10.0.5.84
+2000.example.		5M IN A		10.0.5.85
+2000.example.		5M IN A		10.0.5.86
+2000.example.		5M IN A		10.0.5.87
+2000.example.		5M IN A		10.0.5.88
+2000.example.		5M IN A		10.0.5.89
+2000.example.		5M IN A		10.0.5.90
+2000.example.		5M IN A		10.0.5.91
+2000.example.		5M IN A		10.0.5.92
+2000.example.		5M IN A		10.0.5.93
+2000.example.		5M IN A		10.0.5.94
+2000.example.		5M IN A		10.0.5.95
+2000.example.		5M IN A		10.0.5.96
+2000.example.		5M IN A		10.0.5.97
+2000.example.		5M IN A		10.0.5.98
+2000.example.		5M IN A		10.0.5.99
+2000.example.		5M IN A		10.0.5.100
+2000.example.		5M IN A		10.0.5.101
+2000.example.		5M IN A		10.0.5.102
+2000.example.		5M IN A		10.0.5.103
+2000.example.		5M IN A		10.0.5.104
+2000.example.		5M IN A		10.0.5.105
+2000.example.		5M IN A		10.0.5.106
+2000.example.		5M IN A		10.0.5.107
+2000.example.		5M IN A		10.0.5.108
+2000.example.		5M IN A		10.0.5.109
+2000.example.		5M IN A		10.0.5.110
+2000.example.		5M IN A		10.0.5.111
+2000.example.		5M IN A		10.0.5.112
+2000.example.		5M IN A		10.0.5.113
+2000.example.		5M IN A		10.0.5.114
+2000.example.		5M IN A		10.0.5.115
+2000.example.		5M IN A		10.0.5.116
+2000.example.		5M IN A		10.0.5.117
+2000.example.		5M IN A		10.0.5.118
+2000.example.		5M IN A		10.0.5.119
+2000.example.		5M IN A		10.0.5.120
+2000.example.		5M IN A		10.0.5.121
+2000.example.		5M IN A		10.0.5.122
+2000.example.		5M IN A		10.0.5.123
+2000.example.		5M IN A		10.0.5.124
+2000.example.		5M IN A		10.0.5.125
+2000.example.		5M IN A		10.0.5.126
+2000.example.		5M IN A		10.0.5.127
+2000.example.		5M IN A		10.0.5.128
+2000.example.		5M IN A		10.0.5.129
+2000.example.		5M IN A		10.0.5.130
+2000.example.		5M IN A		10.0.5.131
+2000.example.		5M IN A		10.0.5.132
+2000.example.		5M IN A		10.0.5.133
+2000.example.		5M IN A		10.0.5.134
+2000.example.		5M IN A		10.0.5.135
+2000.example.		5M IN A		10.0.5.136
+2000.example.		5M IN A		10.0.5.137
+2000.example.		5M IN A		10.0.5.138
+2000.example.		5M IN A		10.0.5.139
+2000.example.		5M IN A		10.0.5.140
+2000.example.		5M IN A		10.0.5.141
+2000.example.		5M IN A		10.0.5.142
+2000.example.		5M IN A		10.0.5.143
+2000.example.		5M IN A		10.0.5.144
+2000.example.		5M IN A		10.0.5.145
+2000.example.		5M IN A		10.0.5.146
+2000.example.		5M IN A		10.0.5.147
+2000.example.		5M IN A		10.0.5.148
+2000.example.		5M IN A		10.0.5.149
+2000.example.		5M IN A		10.0.5.150
+2000.example.		5M IN A		10.0.5.151
+2000.example.		5M IN A		10.0.5.152
+2000.example.		5M IN A		10.0.5.153
+2000.example.		5M IN A		10.0.5.154
+2000.example.		5M IN A		10.0.5.155
+2000.example.		5M IN A		10.0.5.156
+2000.example.		5M IN A		10.0.5.157
+2000.example.		5M IN A		10.0.5.158
+2000.example.		5M IN A		10.0.5.159
+2000.example.		5M IN A		10.0.5.160
+2000.example.		5M IN A		10.0.5.161
+2000.example.		5M IN A		10.0.5.162
+2000.example.		5M IN A		10.0.5.163
+2000.example.		5M IN A		10.0.5.164
+2000.example.		5M IN A		10.0.5.165
+2000.example.		5M IN A		10.0.5.166
+2000.example.		5M IN A		10.0.5.167
+2000.example.		5M IN A		10.0.5.168
+2000.example.		5M IN A		10.0.5.169
+2000.example.		5M IN A		10.0.5.170
+2000.example.		5M IN A		10.0.5.171
+2000.example.		5M IN A		10.0.5.172
+2000.example.		5M IN A		10.0.5.173
+2000.example.		5M IN A		10.0.5.174
+2000.example.		5M IN A		10.0.5.175
+2000.example.		5M IN A		10.0.5.176
+2000.example.		5M IN A		10.0.5.177
+2000.example.		5M IN A		10.0.5.178
+2000.example.		5M IN A		10.0.5.179
+2000.example.		5M IN A		10.0.5.180
+2000.example.		5M IN A		10.0.5.181
+2000.example.		5M IN A		10.0.5.182
+2000.example.		5M IN A		10.0.5.183
+2000.example.		5M IN A		10.0.5.184
+2000.example.		5M IN A		10.0.5.185
+2000.example.		5M IN A		10.0.5.186
+2000.example.		5M IN A		10.0.5.187
+2000.example.		5M IN A		10.0.5.188
+2000.example.		5M IN A		10.0.5.189
+2000.example.		5M IN A		10.0.5.190
+2000.example.		5M IN A		10.0.5.191
+2000.example.		5M IN A		10.0.5.192
+2000.example.		5M IN A		10.0.5.193
+2000.example.		5M IN A		10.0.5.194
+2000.example.		5M IN A		10.0.5.195
+2000.example.		5M IN A		10.0.5.196
+2000.example.		5M IN A		10.0.5.197
+2000.example.		5M IN A		10.0.5.198
+2000.example.		5M IN A		10.0.5.199
+2000.example.		5M IN A		10.0.5.200
+2000.example.		5M IN A		10.0.5.201
+2000.example.		5M IN A		10.0.5.202
+2000.example.		5M IN A		10.0.5.203
+2000.example.		5M IN A		10.0.5.204
+2000.example.		5M IN A		10.0.5.205
+2000.example.		5M IN A		10.0.5.206
+2000.example.		5M IN A		10.0.5.207
+2000.example.		5M IN A		10.0.5.208
+2000.example.		5M IN A		10.0.5.209
+2000.example.		5M IN A		10.0.5.210
+2000.example.		5M IN A		10.0.5.211
+2000.example.		5M IN A		10.0.5.212
+2000.example.		5M IN A		10.0.5.213
+2000.example.		5M IN A		10.0.5.214
+2000.example.		5M IN A		10.0.5.215
+2000.example.		5M IN A		10.0.5.216
+2000.example.		5M IN A		10.0.5.217
+2000.example.		5M IN A		10.0.5.218
+2000.example.		5M IN A		10.0.5.219
+2000.example.		5M IN A		10.0.5.220
+2000.example.		5M IN A		10.0.5.221
+2000.example.		5M IN A		10.0.5.222
+2000.example.		5M IN A		10.0.5.223
+2000.example.		5M IN A		10.0.5.224
+2000.example.		5M IN A		10.0.5.225
+2000.example.		5M IN A		10.0.5.226
+2000.example.		5M IN A		10.0.5.227
+2000.example.		5M IN A		10.0.5.228
+2000.example.		5M IN A		10.0.5.229
+2000.example.		5M IN A		10.0.5.230
+2000.example.		5M IN A		10.0.5.231
+2000.example.		5M IN A		10.0.5.232
+2000.example.		5M IN A		10.0.5.233
+2000.example.		5M IN A		10.0.5.234
+2000.example.		5M IN A		10.0.5.235
+2000.example.		5M IN A		10.0.5.236
+2000.example.		5M IN A		10.0.5.237
+2000.example.		5M IN A		10.0.5.238
+2000.example.		5M IN A		10.0.5.239
+2000.example.		5M IN A		10.0.5.240
+2000.example.		5M IN A		10.0.5.241
+2000.example.		5M IN A		10.0.5.242
+2000.example.		5M IN A		10.0.5.243
+2000.example.		5M IN A		10.0.5.244
+2000.example.		5M IN A		10.0.5.245
+2000.example.		5M IN A		10.0.5.246
+2000.example.		5M IN A		10.0.5.247
+2000.example.		5M IN A		10.0.5.248
+2000.example.		5M IN A		10.0.5.249
+2000.example.		5M IN A		10.0.5.250
+2000.example.		5M IN A		10.0.5.251
+2000.example.		5M IN A		10.0.5.252
+2000.example.		5M IN A		10.0.5.253
+2000.example.		5M IN A		10.0.5.254
+2000.example.		5M IN A		10.0.5.255
+2000.example.		5M IN A		10.0.6.0
+2000.example.		5M IN A		10.0.6.1
+2000.example.		5M IN A		10.0.6.2
+2000.example.		5M IN A		10.0.6.3
+2000.example.		5M IN A		10.0.6.4
+2000.example.		5M IN A		10.0.6.5
+2000.example.		5M IN A		10.0.6.6
+2000.example.		5M IN A		10.0.6.7
+2000.example.		5M IN A		10.0.6.8
+2000.example.		5M IN A		10.0.6.9
+2000.example.		5M IN A		10.0.6.10
+2000.example.		5M IN A		10.0.6.11
+2000.example.		5M IN A		10.0.6.12
+2000.example.		5M IN A		10.0.6.13
+2000.example.		5M IN A		10.0.6.14
+2000.example.		5M IN A		10.0.6.15
+2000.example.		5M IN A		10.0.6.16
+2000.example.		5M IN A		10.0.6.17
+2000.example.		5M IN A		10.0.6.18
+2000.example.		5M IN A		10.0.6.19
+2000.example.		5M IN A		10.0.6.20
+2000.example.		5M IN A		10.0.6.21
+2000.example.		5M IN A		10.0.6.22
+2000.example.		5M IN A		10.0.6.23
+2000.example.		5M IN A		10.0.6.24
+2000.example.		5M IN A		10.0.6.25
+2000.example.		5M IN A		10.0.6.26
+2000.example.		5M IN A		10.0.6.27
+2000.example.		5M IN A		10.0.6.28
+2000.example.		5M IN A		10.0.6.29
+2000.example.		5M IN A		10.0.6.30
+2000.example.		5M IN A		10.0.6.31
+2000.example.		5M IN A		10.0.6.32
+2000.example.		5M IN A		10.0.6.33
+2000.example.		5M IN A		10.0.6.34
+2000.example.		5M IN A		10.0.6.35
+2000.example.		5M IN A		10.0.6.36
+2000.example.		5M IN A		10.0.6.37
+2000.example.		5M IN A		10.0.6.38
+2000.example.		5M IN A		10.0.6.39
+2000.example.		5M IN A		10.0.6.40
+2000.example.		5M IN A		10.0.6.41
+2000.example.		5M IN A		10.0.6.42
+2000.example.		5M IN A		10.0.6.43
+2000.example.		5M IN A		10.0.6.44
+2000.example.		5M IN A		10.0.6.45
+2000.example.		5M IN A		10.0.6.46
+2000.example.		5M IN A		10.0.6.47
+2000.example.		5M IN A		10.0.6.48
+2000.example.		5M IN A		10.0.6.49
+2000.example.		5M IN A		10.0.6.50
+2000.example.		5M IN A		10.0.6.51
+2000.example.		5M IN A		10.0.6.52
+2000.example.		5M IN A		10.0.6.53
+2000.example.		5M IN A		10.0.6.54
+2000.example.		5M IN A		10.0.6.55
+2000.example.		5M IN A		10.0.6.56
+2000.example.		5M IN A		10.0.6.57
+2000.example.		5M IN A		10.0.6.58
+2000.example.		5M IN A		10.0.6.59
+2000.example.		5M IN A		10.0.6.60
+2000.example.		5M IN A		10.0.6.61
+2000.example.		5M IN A		10.0.6.62
+2000.example.		5M IN A		10.0.6.63
+2000.example.		5M IN A		10.0.6.64
+2000.example.		5M IN A		10.0.6.65
+2000.example.		5M IN A		10.0.6.66
+2000.example.		5M IN A		10.0.6.67
+2000.example.		5M IN A		10.0.6.68
+2000.example.		5M IN A		10.0.6.69
+2000.example.		5M IN A		10.0.6.70
+2000.example.		5M IN A		10.0.6.71
+2000.example.		5M IN A		10.0.6.72
+2000.example.		5M IN A		10.0.6.73
+2000.example.		5M IN A		10.0.6.74
+2000.example.		5M IN A		10.0.6.75
+2000.example.		5M IN A		10.0.6.76
+2000.example.		5M IN A		10.0.6.77
+2000.example.		5M IN A		10.0.6.78
+2000.example.		5M IN A		10.0.6.79
+2000.example.		5M IN A		10.0.6.80
+2000.example.		5M IN A		10.0.6.81
+2000.example.		5M IN A		10.0.6.82
+2000.example.		5M IN A		10.0.6.83
+2000.example.		5M IN A		10.0.6.84
+2000.example.		5M IN A		10.0.6.85
+2000.example.		5M IN A		10.0.6.86
+2000.example.		5M IN A		10.0.6.87
+2000.example.		5M IN A		10.0.6.88
+2000.example.		5M IN A		10.0.6.89
+2000.example.		5M IN A		10.0.6.90
+2000.example.		5M IN A		10.0.6.91
+2000.example.		5M IN A		10.0.6.92
+2000.example.		5M IN A		10.0.6.93
+2000.example.		5M IN A		10.0.6.94
+2000.example.		5M IN A		10.0.6.95
+2000.example.		5M IN A		10.0.6.96
+2000.example.		5M IN A		10.0.6.97
+2000.example.		5M IN A		10.0.6.98
+2000.example.		5M IN A		10.0.6.99
+2000.example.		5M IN A		10.0.6.100
+2000.example.		5M IN A		10.0.6.101
+2000.example.		5M IN A		10.0.6.102
+2000.example.		5M IN A		10.0.6.103
+2000.example.		5M IN A		10.0.6.104
+2000.example.		5M IN A		10.0.6.105
+2000.example.		5M IN A		10.0.6.106
+2000.example.		5M IN A		10.0.6.107
+2000.example.		5M IN A		10.0.6.108
+2000.example.		5M IN A		10.0.6.109
+2000.example.		5M IN A		10.0.6.110
+2000.example.		5M IN A		10.0.6.111
+2000.example.		5M IN A		10.0.6.112
+2000.example.		5M IN A		10.0.6.113
+2000.example.		5M IN A		10.0.6.114
+2000.example.		5M IN A		10.0.6.115
+2000.example.		5M IN A		10.0.6.116
+2000.example.		5M IN A		10.0.6.117
+2000.example.		5M IN A		10.0.6.118
+2000.example.		5M IN A		10.0.6.119
+2000.example.		5M IN A		10.0.6.120
+2000.example.		5M IN A		10.0.6.121
+2000.example.		5M IN A		10.0.6.122
+2000.example.		5M IN A		10.0.6.123
+2000.example.		5M IN A		10.0.6.124
+2000.example.		5M IN A		10.0.6.125
+2000.example.		5M IN A		10.0.6.126
+2000.example.		5M IN A		10.0.6.127
+2000.example.		5M IN A		10.0.6.128
+2000.example.		5M IN A		10.0.6.129
+2000.example.		5M IN A		10.0.6.130
+2000.example.		5M IN A		10.0.6.131
+2000.example.		5M IN A		10.0.6.132
+2000.example.		5M IN A		10.0.6.133
+2000.example.		5M IN A		10.0.6.134
+2000.example.		5M IN A		10.0.6.135
+2000.example.		5M IN A		10.0.6.136
+2000.example.		5M IN A		10.0.6.137
+2000.example.		5M IN A		10.0.6.138
+2000.example.		5M IN A		10.0.6.139
+2000.example.		5M IN A		10.0.6.140
+2000.example.		5M IN A		10.0.6.141
+2000.example.		5M IN A		10.0.6.142
+2000.example.		5M IN A		10.0.6.143
+2000.example.		5M IN A		10.0.6.144
+2000.example.		5M IN A		10.0.6.145
+2000.example.		5M IN A		10.0.6.146
+2000.example.		5M IN A		10.0.6.147
+2000.example.		5M IN A		10.0.6.148
+2000.example.		5M IN A		10.0.6.149
+2000.example.		5M IN A		10.0.6.150
+2000.example.		5M IN A		10.0.6.151
+2000.example.		5M IN A		10.0.6.152
+2000.example.		5M IN A		10.0.6.153
+2000.example.		5M IN A		10.0.6.154
+2000.example.		5M IN A		10.0.6.155
+2000.example.		5M IN A		10.0.6.156
+2000.example.		5M IN A		10.0.6.157
+2000.example.		5M IN A		10.0.6.158
+2000.example.		5M IN A		10.0.6.159
+2000.example.		5M IN A		10.0.6.160
+2000.example.		5M IN A		10.0.6.161
+2000.example.		5M IN A		10.0.6.162
+2000.example.		5M IN A		10.0.6.163
+2000.example.		5M IN A		10.0.6.164
+2000.example.		5M IN A		10.0.6.165
+2000.example.		5M IN A		10.0.6.166
+2000.example.		5M IN A		10.0.6.167
+2000.example.		5M IN A		10.0.6.168
+2000.example.		5M IN A		10.0.6.169
+2000.example.		5M IN A		10.0.6.170
+2000.example.		5M IN A		10.0.6.171
+2000.example.		5M IN A		10.0.6.172
+2000.example.		5M IN A		10.0.6.173
+2000.example.		5M IN A		10.0.6.174
+2000.example.		5M IN A		10.0.6.175
+2000.example.		5M IN A		10.0.6.176
+2000.example.		5M IN A		10.0.6.177
+2000.example.		5M IN A		10.0.6.178
+2000.example.		5M IN A		10.0.6.179
+2000.example.		5M IN A		10.0.6.180
+2000.example.		5M IN A		10.0.6.181
+2000.example.		5M IN A		10.0.6.182
+2000.example.		5M IN A		10.0.6.183
+2000.example.		5M IN A		10.0.6.184
+2000.example.		5M IN A		10.0.6.185
+2000.example.		5M IN A		10.0.6.186
+2000.example.		5M IN A		10.0.6.187
+2000.example.		5M IN A		10.0.6.188
+2000.example.		5M IN A		10.0.6.189
+2000.example.		5M IN A		10.0.6.190
+2000.example.		5M IN A		10.0.6.191
+2000.example.		5M IN A		10.0.6.192
+2000.example.		5M IN A		10.0.6.193
+2000.example.		5M IN A		10.0.6.194
+2000.example.		5M IN A		10.0.6.195
+2000.example.		5M IN A		10.0.6.196
+2000.example.		5M IN A		10.0.6.197
+2000.example.		5M IN A		10.0.6.198
+2000.example.		5M IN A		10.0.6.199
+2000.example.		5M IN A		10.0.6.200
+2000.example.		5M IN A		10.0.6.201
+2000.example.		5M IN A		10.0.6.202
+2000.example.		5M IN A		10.0.6.203
+2000.example.		5M IN A		10.0.6.204
+2000.example.		5M IN A		10.0.6.205
+2000.example.		5M IN A		10.0.6.206
+2000.example.		5M IN A		10.0.6.207
+2000.example.		5M IN A		10.0.6.208
+2000.example.		5M IN A		10.0.6.209
+2000.example.		5M IN A		10.0.6.210
+2000.example.		5M IN A		10.0.6.211
+2000.example.		5M IN A		10.0.6.212
+2000.example.		5M IN A		10.0.6.213
+2000.example.		5M IN A		10.0.6.214
+2000.example.		5M IN A		10.0.6.215
+2000.example.		5M IN A		10.0.6.216
+2000.example.		5M IN A		10.0.6.217
+2000.example.		5M IN A		10.0.6.218
+2000.example.		5M IN A		10.0.6.219
+2000.example.		5M IN A		10.0.6.220
+2000.example.		5M IN A		10.0.6.221
+2000.example.		5M IN A		10.0.6.222
+2000.example.		5M IN A		10.0.6.223
+2000.example.		5M IN A		10.0.6.224
+2000.example.		5M IN A		10.0.6.225
+2000.example.		5M IN A		10.0.6.226
+2000.example.		5M IN A		10.0.6.227
+2000.example.		5M IN A		10.0.6.228
+2000.example.		5M IN A		10.0.6.229
+2000.example.		5M IN A		10.0.6.230
+2000.example.		5M IN A		10.0.6.231
+2000.example.		5M IN A		10.0.6.232
+2000.example.		5M IN A		10.0.6.233
+2000.example.		5M IN A		10.0.6.234
+2000.example.		5M IN A		10.0.6.235
+2000.example.		5M IN A		10.0.6.236
+2000.example.		5M IN A		10.0.6.237
+2000.example.		5M IN A		10.0.6.238
+2000.example.		5M IN A		10.0.6.239
+2000.example.		5M IN A		10.0.6.240
+2000.example.		5M IN A		10.0.6.241
+2000.example.		5M IN A		10.0.6.242
+2000.example.		5M IN A		10.0.6.243
+2000.example.		5M IN A		10.0.6.244
+2000.example.		5M IN A		10.0.6.245
+2000.example.		5M IN A		10.0.6.246
+2000.example.		5M IN A		10.0.6.247
+2000.example.		5M IN A		10.0.6.248
+2000.example.		5M IN A		10.0.6.249
+2000.example.		5M IN A		10.0.6.250
+2000.example.		5M IN A		10.0.6.251
+2000.example.		5M IN A		10.0.6.252
+2000.example.		5M IN A		10.0.6.253
+2000.example.		5M IN A		10.0.6.254
+2000.example.		5M IN A		10.0.6.255
+2000.example.		5M IN A		10.0.7.0
+2000.example.		5M IN A		10.0.7.1
+2000.example.		5M IN A		10.0.7.2
+2000.example.		5M IN A		10.0.7.3
+2000.example.		5M IN A		10.0.7.4
+2000.example.		5M IN A		10.0.7.5
+2000.example.		5M IN A		10.0.7.6
+2000.example.		5M IN A		10.0.7.7
+2000.example.		5M IN A		10.0.7.8
+2000.example.		5M IN A		10.0.7.9
+2000.example.		5M IN A		10.0.7.10
+2000.example.		5M IN A		10.0.7.11
+2000.example.		5M IN A		10.0.7.12
+2000.example.		5M IN A		10.0.7.13
+2000.example.		5M IN A		10.0.7.14
+2000.example.		5M IN A		10.0.7.15
+2000.example.		5M IN A		10.0.7.16
+2000.example.		5M IN A		10.0.7.17
+2000.example.		5M IN A		10.0.7.18
+2000.example.		5M IN A		10.0.7.19
+2000.example.		5M IN A		10.0.7.20
+2000.example.		5M IN A		10.0.7.21
+2000.example.		5M IN A		10.0.7.22
+2000.example.		5M IN A		10.0.7.23
+2000.example.		5M IN A		10.0.7.24
+2000.example.		5M IN A		10.0.7.25
+2000.example.		5M IN A		10.0.7.26
+2000.example.		5M IN A		10.0.7.27
+2000.example.		5M IN A		10.0.7.28
+2000.example.		5M IN A		10.0.7.29
+2000.example.		5M IN A		10.0.7.30
+2000.example.		5M IN A		10.0.7.31
+2000.example.		5M IN A		10.0.7.32
+2000.example.		5M IN A		10.0.7.33
+2000.example.		5M IN A		10.0.7.34
+2000.example.		5M IN A		10.0.7.35
+2000.example.		5M IN A		10.0.7.36
+2000.example.		5M IN A		10.0.7.37
+2000.example.		5M IN A		10.0.7.38
+2000.example.		5M IN A		10.0.7.39
+2000.example.		5M IN A		10.0.7.40
+2000.example.		5M IN A		10.0.7.41
+2000.example.		5M IN A		10.0.7.42
+2000.example.		5M IN A		10.0.7.43
+2000.example.		5M IN A		10.0.7.44
+2000.example.		5M IN A		10.0.7.45
+2000.example.		5M IN A		10.0.7.46
+2000.example.		5M IN A		10.0.7.47
+2000.example.		5M IN A		10.0.7.48
+2000.example.		5M IN A		10.0.7.49
+2000.example.		5M IN A		10.0.7.50
+2000.example.		5M IN A		10.0.7.51
+2000.example.		5M IN A		10.0.7.52
+2000.example.		5M IN A		10.0.7.53
+2000.example.		5M IN A		10.0.7.54
+2000.example.		5M IN A		10.0.7.55
+2000.example.		5M IN A		10.0.7.56
+2000.example.		5M IN A		10.0.7.57
+2000.example.		5M IN A		10.0.7.58
+2000.example.		5M IN A		10.0.7.59
+2000.example.		5M IN A		10.0.7.60
+2000.example.		5M IN A		10.0.7.61
+2000.example.		5M IN A		10.0.7.62
+2000.example.		5M IN A		10.0.7.63
+2000.example.		5M IN A		10.0.7.64
+2000.example.		5M IN A		10.0.7.65
+2000.example.		5M IN A		10.0.7.66
+2000.example.		5M IN A		10.0.7.67
+2000.example.		5M IN A		10.0.7.68
+2000.example.		5M IN A		10.0.7.69
+2000.example.		5M IN A		10.0.7.70
+2000.example.		5M IN A		10.0.7.71
+2000.example.		5M IN A		10.0.7.72
+2000.example.		5M IN A		10.0.7.73
+2000.example.		5M IN A		10.0.7.74
+2000.example.		5M IN A		10.0.7.75
+2000.example.		5M IN A		10.0.7.76
+2000.example.		5M IN A		10.0.7.77
+2000.example.		5M IN A		10.0.7.78
+2000.example.		5M IN A		10.0.7.79
+2000.example.		5M IN A		10.0.7.80
+2000.example.		5M IN A		10.0.7.81
+2000.example.		5M IN A		10.0.7.82
+2000.example.		5M IN A		10.0.7.83
+2000.example.		5M IN A		10.0.7.84
+2000.example.		5M IN A		10.0.7.85
+2000.example.		5M IN A		10.0.7.86
+2000.example.		5M IN A		10.0.7.87
+2000.example.		5M IN A		10.0.7.88
+2000.example.		5M IN A		10.0.7.89
+2000.example.		5M IN A		10.0.7.90
+2000.example.		5M IN A		10.0.7.91
+2000.example.		5M IN A		10.0.7.92
+2000.example.		5M IN A		10.0.7.93
+2000.example.		5M IN A		10.0.7.94
+2000.example.		5M IN A		10.0.7.95
+2000.example.		5M IN A		10.0.7.96
+2000.example.		5M IN A		10.0.7.97
+2000.example.		5M IN A		10.0.7.98
+2000.example.		5M IN A		10.0.7.99
+2000.example.		5M IN A		10.0.7.100
+2000.example.		5M IN A		10.0.7.101
+2000.example.		5M IN A		10.0.7.102
+2000.example.		5M IN A		10.0.7.103
+2000.example.		5M IN A		10.0.7.104
+2000.example.		5M IN A		10.0.7.105
+2000.example.		5M IN A		10.0.7.106
+2000.example.		5M IN A		10.0.7.107
+2000.example.		5M IN A		10.0.7.108
+2000.example.		5M IN A		10.0.7.109
+2000.example.		5M IN A		10.0.7.110
+2000.example.		5M IN A		10.0.7.111
+2000.example.		5M IN A		10.0.7.112
+2000.example.		5M IN A		10.0.7.113
+2000.example.		5M IN A		10.0.7.114
+2000.example.		5M IN A		10.0.7.115
+2000.example.		5M IN A		10.0.7.116
+2000.example.		5M IN A		10.0.7.117
+2000.example.		5M IN A		10.0.7.118
+2000.example.		5M IN A		10.0.7.119
+2000.example.		5M IN A		10.0.7.120
+2000.example.		5M IN A		10.0.7.121
+2000.example.		5M IN A		10.0.7.122
+2000.example.		5M IN A		10.0.7.123
+2000.example.		5M IN A		10.0.7.124
+2000.example.		5M IN A		10.0.7.125
+2000.example.		5M IN A		10.0.7.126
+2000.example.		5M IN A		10.0.7.127
+2000.example.		5M IN A		10.0.7.128
+2000.example.		5M IN A		10.0.7.129
+2000.example.		5M IN A		10.0.7.130
+2000.example.		5M IN A		10.0.7.131
+2000.example.		5M IN A		10.0.7.132
+2000.example.		5M IN A		10.0.7.133
+2000.example.		5M IN A		10.0.7.134
+2000.example.		5M IN A		10.0.7.135
+2000.example.		5M IN A		10.0.7.136
+2000.example.		5M IN A		10.0.7.137
+2000.example.		5M IN A		10.0.7.138
+2000.example.		5M IN A		10.0.7.139
+2000.example.		5M IN A		10.0.7.140
+2000.example.		5M IN A		10.0.7.141
+2000.example.		5M IN A		10.0.7.142
+2000.example.		5M IN A		10.0.7.143
+2000.example.		5M IN A		10.0.7.144
+2000.example.		5M IN A		10.0.7.145
+2000.example.		5M IN A		10.0.7.146
+2000.example.		5M IN A		10.0.7.147
+2000.example.		5M IN A		10.0.7.148
+2000.example.		5M IN A		10.0.7.149
+2000.example.		5M IN A		10.0.7.150
+2000.example.		5M IN A		10.0.7.151
+2000.example.		5M IN A		10.0.7.152
+2000.example.		5M IN A		10.0.7.153
+2000.example.		5M IN A		10.0.7.154
+2000.example.		5M IN A		10.0.7.155
+2000.example.		5M IN A		10.0.7.156
+2000.example.		5M IN A		10.0.7.157
+2000.example.		5M IN A		10.0.7.158
+2000.example.		5M IN A		10.0.7.159
+2000.example.		5M IN A		10.0.7.160
+2000.example.		5M IN A		10.0.7.161
+2000.example.		5M IN A		10.0.7.162
+2000.example.		5M IN A		10.0.7.163
+2000.example.		5M IN A		10.0.7.164
+2000.example.		5M IN A		10.0.7.165
+2000.example.		5M IN A		10.0.7.166
+2000.example.		5M IN A		10.0.7.167
+2000.example.		5M IN A		10.0.7.168
+2000.example.		5M IN A		10.0.7.169
+2000.example.		5M IN A		10.0.7.170
+2000.example.		5M IN A		10.0.7.171
+2000.example.		5M IN A		10.0.7.172
+2000.example.		5M IN A		10.0.7.173
+2000.example.		5M IN A		10.0.7.174
+2000.example.		5M IN A		10.0.7.175
+2000.example.		5M IN A		10.0.7.176
+2000.example.		5M IN A		10.0.7.177
+2000.example.		5M IN A		10.0.7.178
+2000.example.		5M IN A		10.0.7.179
+2000.example.		5M IN A		10.0.7.180
+2000.example.		5M IN A		10.0.7.181
+2000.example.		5M IN A		10.0.7.182
+2000.example.		5M IN A		10.0.7.183
+2000.example.		5M IN A		10.0.7.184
+2000.example.		5M IN A		10.0.7.185
+2000.example.		5M IN A		10.0.7.186
+2000.example.		5M IN A		10.0.7.187
+2000.example.		5M IN A		10.0.7.188
+2000.example.		5M IN A		10.0.7.189
+2000.example.		5M IN A		10.0.7.190
+2000.example.		5M IN A		10.0.7.191
+2000.example.		5M IN A		10.0.7.192
+2000.example.		5M IN A		10.0.7.193
+2000.example.		5M IN A		10.0.7.194
+2000.example.		5M IN A		10.0.7.195
+2000.example.		5M IN A		10.0.7.196
+2000.example.		5M IN A		10.0.7.197
+2000.example.		5M IN A		10.0.7.198
+2000.example.		5M IN A		10.0.7.199
+2000.example.		5M IN A		10.0.7.200
+2000.example.		5M IN A		10.0.7.201
+2000.example.		5M IN A		10.0.7.202
+2000.example.		5M IN A		10.0.7.203
+2000.example.		5M IN A		10.0.7.204
+2000.example.		5M IN A		10.0.7.205
+2000.example.		5M IN A		10.0.7.206
+2000.example.		5M IN A		10.0.7.207
+
+;; AUTHORITY SECTION:
+example.		5M IN NS	ns1.example.
+
+;; ADDITIONAL SECTION:
+ns1.example.		5M IN A		10.53.0.1
+
+;; Total query time: 121 msec
+;; FROM: draco to SERVER: 10.53.0.1
+;; WHEN: Fri Jun 23 12:58:14 2000
+;; MSG SIZE  sent: 30  rcvd: 32068
+
diff --git a/bin/tests/system/limits/knowngood.dig.out.3000 b/bin/tests/system/limits/knowngood.dig.out.3000
new file mode 100644
index 0000000..1932475
--- /dev/null
+++ b/bin/tests/system/limits/knowngood.dig.out.3000
@@ -0,0 +1,3023 @@
+
+; <<>> DiG 8.2 <<>> 3000.example. @10.53.0.1 a -p
+; (1 server found)
+;; res options: init recurs defnam dnsrch
+;; got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
+;; flags: qr aa rd ad; QUERY: 1, ANSWER: 3000, AUTHORITY: 1, ADDITIONAL: 1
+;; QUERY SECTION:
+;;	3000.example, type = A, class = IN
+
+;; ANSWER SECTION:
+3000.example.		5M IN A		10.0.0.0
+3000.example.		5M IN A		10.0.0.1
+3000.example.		5M IN A		10.0.0.2
+3000.example.		5M IN A		10.0.0.3
+3000.example.		5M IN A		10.0.0.4
+3000.example.		5M IN A		10.0.0.5
+3000.example.		5M IN A		10.0.0.6
+3000.example.		5M IN A		10.0.0.7
+3000.example.		5M IN A		10.0.0.8
+3000.example.		5M IN A		10.0.0.9
+3000.example.		5M IN A		10.0.0.10
+3000.example.		5M IN A		10.0.0.11
+3000.example.		5M IN A		10.0.0.12
+3000.example.		5M IN A		10.0.0.13
+3000.example.		5M IN A		10.0.0.14
+3000.example.		5M IN A		10.0.0.15
+3000.example.		5M IN A		10.0.0.16
+3000.example.		5M IN A		10.0.0.17
+3000.example.		5M IN A		10.0.0.18
+3000.example.		5M IN A		10.0.0.19
+3000.example.		5M IN A		10.0.0.20
+3000.example.		5M IN A		10.0.0.21
+3000.example.		5M IN A		10.0.0.22
+3000.example.		5M IN A		10.0.0.23
+3000.example.		5M IN A		10.0.0.24
+3000.example.		5M IN A		10.0.0.25
+3000.example.		5M IN A		10.0.0.26
+3000.example.		5M IN A		10.0.0.27
+3000.example.		5M IN A		10.0.0.28
+3000.example.		5M IN A		10.0.0.29
+3000.example.		5M IN A		10.0.0.30
+3000.example.		5M IN A		10.0.0.31
+3000.example.		5M IN A		10.0.0.32
+3000.example.		5M IN A		10.0.0.33
+3000.example.		5M IN A		10.0.0.34
+3000.example.		5M IN A		10.0.0.35
+3000.example.		5M IN A		10.0.0.36
+3000.example.		5M IN A		10.0.0.37
+3000.example.		5M IN A		10.0.0.38
+3000.example.		5M IN A		10.0.0.39
+3000.example.		5M IN A		10.0.0.40
+3000.example.		5M IN A		10.0.0.41
+3000.example.		5M IN A		10.0.0.42
+3000.example.		5M IN A		10.0.0.43
+3000.example.		5M IN A		10.0.0.44
+3000.example.		5M IN A		10.0.0.45
+3000.example.		5M IN A		10.0.0.46
+3000.example.		5M IN A		10.0.0.47
+3000.example.		5M IN A		10.0.0.48
+3000.example.		5M IN A		10.0.0.49
+3000.example.		5M IN A		10.0.0.50
+3000.example.		5M IN A		10.0.0.51
+3000.example.		5M IN A		10.0.0.52
+3000.example.		5M IN A		10.0.0.53
+3000.example.		5M IN A		10.0.0.54
+3000.example.		5M IN A		10.0.0.55
+3000.example.		5M IN A		10.0.0.56
+3000.example.		5M IN A		10.0.0.57
+3000.example.		5M IN A		10.0.0.58
+3000.example.		5M IN A		10.0.0.59
+3000.example.		5M IN A		10.0.0.60
+3000.example.		5M IN A		10.0.0.61
+3000.example.		5M IN A		10.0.0.62
+3000.example.		5M IN A		10.0.0.63
+3000.example.		5M IN A		10.0.0.64
+3000.example.		5M IN A		10.0.0.65
+3000.example.		5M IN A		10.0.0.66
+3000.example.		5M IN A		10.0.0.67
+3000.example.		5M IN A		10.0.0.68
+3000.example.		5M IN A		10.0.0.69
+3000.example.		5M IN A		10.0.0.70
+3000.example.		5M IN A		10.0.0.71
+3000.example.		5M IN A		10.0.0.72
+3000.example.		5M IN A		10.0.0.73
+3000.example.		5M IN A		10.0.0.74
+3000.example.		5M IN A		10.0.0.75
+3000.example.		5M IN A		10.0.0.76
+3000.example.		5M IN A		10.0.0.77
+3000.example.		5M IN A		10.0.0.78
+3000.example.		5M IN A		10.0.0.79
+3000.example.		5M IN A		10.0.0.80
+3000.example.		5M IN A		10.0.0.81
+3000.example.		5M IN A		10.0.0.82
+3000.example.		5M IN A		10.0.0.83
+3000.example.		5M IN A		10.0.0.84
+3000.example.		5M IN A		10.0.0.85
+3000.example.		5M IN A		10.0.0.86
+3000.example.		5M IN A		10.0.0.87
+3000.example.		5M IN A		10.0.0.88
+3000.example.		5M IN A		10.0.0.89
+3000.example.		5M IN A		10.0.0.90
+3000.example.		5M IN A		10.0.0.91
+3000.example.		5M IN A		10.0.0.92
+3000.example.		5M IN A		10.0.0.93
+3000.example.		5M IN A		10.0.0.94
+3000.example.		5M IN A		10.0.0.95
+3000.example.		5M IN A		10.0.0.96
+3000.example.		5M IN A		10.0.0.97
+3000.example.		5M IN A		10.0.0.98
+3000.example.		5M IN A		10.0.0.99
+3000.example.		5M IN A		10.0.0.100
+3000.example.		5M IN A		10.0.0.101
+3000.example.		5M IN A		10.0.0.102
+3000.example.		5M IN A		10.0.0.103
+3000.example.		5M IN A		10.0.0.104
+3000.example.		5M IN A		10.0.0.105
+3000.example.		5M IN A		10.0.0.106
+3000.example.		5M IN A		10.0.0.107
+3000.example.		5M IN A		10.0.0.108
+3000.example.		5M IN A		10.0.0.109
+3000.example.		5M IN A		10.0.0.110
+3000.example.		5M IN A		10.0.0.111
+3000.example.		5M IN A		10.0.0.112
+3000.example.		5M IN A		10.0.0.113
+3000.example.		5M IN A		10.0.0.114
+3000.example.		5M IN A		10.0.0.115
+3000.example.		5M IN A		10.0.0.116
+3000.example.		5M IN A		10.0.0.117
+3000.example.		5M IN A		10.0.0.118
+3000.example.		5M IN A		10.0.0.119
+3000.example.		5M IN A		10.0.0.120
+3000.example.		5M IN A		10.0.0.121
+3000.example.		5M IN A		10.0.0.122
+3000.example.		5M IN A		10.0.0.123
+3000.example.		5M IN A		10.0.0.124
+3000.example.		5M IN A		10.0.0.125
+3000.example.		5M IN A		10.0.0.126
+3000.example.		5M IN A		10.0.0.127
+3000.example.		5M IN A		10.0.0.128
+3000.example.		5M IN A		10.0.0.129
+3000.example.		5M IN A		10.0.0.130
+3000.example.		5M IN A		10.0.0.131
+3000.example.		5M IN A		10.0.0.132
+3000.example.		5M IN A		10.0.0.133
+3000.example.		5M IN A		10.0.0.134
+3000.example.		5M IN A		10.0.0.135
+3000.example.		5M IN A		10.0.0.136
+3000.example.		5M IN A		10.0.0.137
+3000.example.		5M IN A		10.0.0.138
+3000.example.		5M IN A		10.0.0.139
+3000.example.		5M IN A		10.0.0.140
+3000.example.		5M IN A		10.0.0.141
+3000.example.		5M IN A		10.0.0.142
+3000.example.		5M IN A		10.0.0.143
+3000.example.		5M IN A		10.0.0.144
+3000.example.		5M IN A		10.0.0.145
+3000.example.		5M IN A		10.0.0.146
+3000.example.		5M IN A		10.0.0.147
+3000.example.		5M IN A		10.0.0.148
+3000.example.		5M IN A		10.0.0.149
+3000.example.		5M IN A		10.0.0.150
+3000.example.		5M IN A		10.0.0.151
+3000.example.		5M IN A		10.0.0.152
+3000.example.		5M IN A		10.0.0.153
+3000.example.		5M IN A		10.0.0.154
+3000.example.		5M IN A		10.0.0.155
+3000.example.		5M IN A		10.0.0.156
+3000.example.		5M IN A		10.0.0.157
+3000.example.		5M IN A		10.0.0.158
+3000.example.		5M IN A		10.0.0.159
+3000.example.		5M IN A		10.0.0.160
+3000.example.		5M IN A		10.0.0.161
+3000.example.		5M IN A		10.0.0.162
+3000.example.		5M IN A		10.0.0.163
+3000.example.		5M IN A		10.0.0.164
+3000.example.		5M IN A		10.0.0.165
+3000.example.		5M IN A		10.0.0.166
+3000.example.		5M IN A		10.0.0.167
+3000.example.		5M IN A		10.0.0.168
+3000.example.		5M IN A		10.0.0.169
+3000.example.		5M IN A		10.0.0.170
+3000.example.		5M IN A		10.0.0.171
+3000.example.		5M IN A		10.0.0.172
+3000.example.		5M IN A		10.0.0.173
+3000.example.		5M IN A		10.0.0.174
+3000.example.		5M IN A		10.0.0.175
+3000.example.		5M IN A		10.0.0.176
+3000.example.		5M IN A		10.0.0.177
+3000.example.		5M IN A		10.0.0.178
+3000.example.		5M IN A		10.0.0.179
+3000.example.		5M IN A		10.0.0.180
+3000.example.		5M IN A		10.0.0.181
+3000.example.		5M IN A		10.0.0.182
+3000.example.		5M IN A		10.0.0.183
+3000.example.		5M IN A		10.0.0.184
+3000.example.		5M IN A		10.0.0.185
+3000.example.		5M IN A		10.0.0.186
+3000.example.		5M IN A		10.0.0.187
+3000.example.		5M IN A		10.0.0.188
+3000.example.		5M IN A		10.0.0.189
+3000.example.		5M IN A		10.0.0.190
+3000.example.		5M IN A		10.0.0.191
+3000.example.		5M IN A		10.0.0.192
+3000.example.		5M IN A		10.0.0.193
+3000.example.		5M IN A		10.0.0.194
+3000.example.		5M IN A		10.0.0.195
+3000.example.		5M IN A		10.0.0.196
+3000.example.		5M IN A		10.0.0.197
+3000.example.		5M IN A		10.0.0.198
+3000.example.		5M IN A		10.0.0.199
+3000.example.		5M IN A		10.0.0.200
+3000.example.		5M IN A		10.0.0.201
+3000.example.		5M IN A		10.0.0.202
+3000.example.		5M IN A		10.0.0.203
+3000.example.		5M IN A		10.0.0.204
+3000.example.		5M IN A		10.0.0.205
+3000.example.		5M IN A		10.0.0.206
+3000.example.		5M IN A		10.0.0.207
+3000.example.		5M IN A		10.0.0.208
+3000.example.		5M IN A		10.0.0.209
+3000.example.		5M IN A		10.0.0.210
+3000.example.		5M IN A		10.0.0.211
+3000.example.		5M IN A		10.0.0.212
+3000.example.		5M IN A		10.0.0.213
+3000.example.		5M IN A		10.0.0.214
+3000.example.		5M IN A		10.0.0.215
+3000.example.		5M IN A		10.0.0.216
+3000.example.		5M IN A		10.0.0.217
+3000.example.		5M IN A		10.0.0.218
+3000.example.		5M IN A		10.0.0.219
+3000.example.		5M IN A		10.0.0.220
+3000.example.		5M IN A		10.0.0.221
+3000.example.		5M IN A		10.0.0.222
+3000.example.		5M IN A		10.0.0.223
+3000.example.		5M IN A		10.0.0.224
+3000.example.		5M IN A		10.0.0.225
+3000.example.		5M IN A		10.0.0.226
+3000.example.		5M IN A		10.0.0.227
+3000.example.		5M IN A		10.0.0.228
+3000.example.		5M IN A		10.0.0.229
+3000.example.		5M IN A		10.0.0.230
+3000.example.		5M IN A		10.0.0.231
+3000.example.		5M IN A		10.0.0.232
+3000.example.		5M IN A		10.0.0.233
+3000.example.		5M IN A		10.0.0.234
+3000.example.		5M IN A		10.0.0.235
+3000.example.		5M IN A		10.0.0.236
+3000.example.		5M IN A		10.0.0.237
+3000.example.		5M IN A		10.0.0.238
+3000.example.		5M IN A		10.0.0.239
+3000.example.		5M IN A		10.0.0.240
+3000.example.		5M IN A		10.0.0.241
+3000.example.		5M IN A		10.0.0.242
+3000.example.		5M IN A		10.0.0.243
+3000.example.		5M IN A		10.0.0.244
+3000.example.		5M IN A		10.0.0.245
+3000.example.		5M IN A		10.0.0.246
+3000.example.		5M IN A		10.0.0.247
+3000.example.		5M IN A		10.0.0.248
+3000.example.		5M IN A		10.0.0.249
+3000.example.		5M IN A		10.0.0.250
+3000.example.		5M IN A		10.0.0.251
+3000.example.		5M IN A		10.0.0.252
+3000.example.		5M IN A		10.0.0.253
+3000.example.		5M IN A		10.0.0.254
+3000.example.		5M IN A		10.0.0.255
+3000.example.		5M IN A		10.0.1.0
+3000.example.		5M IN A		10.0.1.1
+3000.example.		5M IN A		10.0.1.2
+3000.example.		5M IN A		10.0.1.3
+3000.example.		5M IN A		10.0.1.4
+3000.example.		5M IN A		10.0.1.5
+3000.example.		5M IN A		10.0.1.6
+3000.example.		5M IN A		10.0.1.7
+3000.example.		5M IN A		10.0.1.8
+3000.example.		5M IN A		10.0.1.9
+3000.example.		5M IN A		10.0.1.10
+3000.example.		5M IN A		10.0.1.11
+3000.example.		5M IN A		10.0.1.12
+3000.example.		5M IN A		10.0.1.13
+3000.example.		5M IN A		10.0.1.14
+3000.example.		5M IN A		10.0.1.15
+3000.example.		5M IN A		10.0.1.16
+3000.example.		5M IN A		10.0.1.17
+3000.example.		5M IN A		10.0.1.18
+3000.example.		5M IN A		10.0.1.19
+3000.example.		5M IN A		10.0.1.20
+3000.example.		5M IN A		10.0.1.21
+3000.example.		5M IN A		10.0.1.22
+3000.example.		5M IN A		10.0.1.23
+3000.example.		5M IN A		10.0.1.24
+3000.example.		5M IN A		10.0.1.25
+3000.example.		5M IN A		10.0.1.26
+3000.example.		5M IN A		10.0.1.27
+3000.example.		5M IN A		10.0.1.28
+3000.example.		5M IN A		10.0.1.29
+3000.example.		5M IN A		10.0.1.30
+3000.example.		5M IN A		10.0.1.31
+3000.example.		5M IN A		10.0.1.32
+3000.example.		5M IN A		10.0.1.33
+3000.example.		5M IN A		10.0.1.34
+3000.example.		5M IN A		10.0.1.35
+3000.example.		5M IN A		10.0.1.36
+3000.example.		5M IN A		10.0.1.37
+3000.example.		5M IN A		10.0.1.38
+3000.example.		5M IN A		10.0.1.39
+3000.example.		5M IN A		10.0.1.40
+3000.example.		5M IN A		10.0.1.41
+3000.example.		5M IN A		10.0.1.42
+3000.example.		5M IN A		10.0.1.43
+3000.example.		5M IN A		10.0.1.44
+3000.example.		5M IN A		10.0.1.45
+3000.example.		5M IN A		10.0.1.46
+3000.example.		5M IN A		10.0.1.47
+3000.example.		5M IN A		10.0.1.48
+3000.example.		5M IN A		10.0.1.49
+3000.example.		5M IN A		10.0.1.50
+3000.example.		5M IN A		10.0.1.51
+3000.example.		5M IN A		10.0.1.52
+3000.example.		5M IN A		10.0.1.53
+3000.example.		5M IN A		10.0.1.54
+3000.example.		5M IN A		10.0.1.55
+3000.example.		5M IN A		10.0.1.56
+3000.example.		5M IN A		10.0.1.57
+3000.example.		5M IN A		10.0.1.58
+3000.example.		5M IN A		10.0.1.59
+3000.example.		5M IN A		10.0.1.60
+3000.example.		5M IN A		10.0.1.61
+3000.example.		5M IN A		10.0.1.62
+3000.example.		5M IN A		10.0.1.63
+3000.example.		5M IN A		10.0.1.64
+3000.example.		5M IN A		10.0.1.65
+3000.example.		5M IN A		10.0.1.66
+3000.example.		5M IN A		10.0.1.67
+3000.example.		5M IN A		10.0.1.68
+3000.example.		5M IN A		10.0.1.69
+3000.example.		5M IN A		10.0.1.70
+3000.example.		5M IN A		10.0.1.71
+3000.example.		5M IN A		10.0.1.72
+3000.example.		5M IN A		10.0.1.73
+3000.example.		5M IN A		10.0.1.74
+3000.example.		5M IN A		10.0.1.75
+3000.example.		5M IN A		10.0.1.76
+3000.example.		5M IN A		10.0.1.77
+3000.example.		5M IN A		10.0.1.78
+3000.example.		5M IN A		10.0.1.79
+3000.example.		5M IN A		10.0.1.80
+3000.example.		5M IN A		10.0.1.81
+3000.example.		5M IN A		10.0.1.82
+3000.example.		5M IN A		10.0.1.83
+3000.example.		5M IN A		10.0.1.84
+3000.example.		5M IN A		10.0.1.85
+3000.example.		5M IN A		10.0.1.86
+3000.example.		5M IN A		10.0.1.87
+3000.example.		5M IN A		10.0.1.88
+3000.example.		5M IN A		10.0.1.89
+3000.example.		5M IN A		10.0.1.90
+3000.example.		5M IN A		10.0.1.91
+3000.example.		5M IN A		10.0.1.92
+3000.example.		5M IN A		10.0.1.93
+3000.example.		5M IN A		10.0.1.94
+3000.example.		5M IN A		10.0.1.95
+3000.example.		5M IN A		10.0.1.96
+3000.example.		5M IN A		10.0.1.97
+3000.example.		5M IN A		10.0.1.98
+3000.example.		5M IN A		10.0.1.99
+3000.example.		5M IN A		10.0.1.100
+3000.example.		5M IN A		10.0.1.101
+3000.example.		5M IN A		10.0.1.102
+3000.example.		5M IN A		10.0.1.103
+3000.example.		5M IN A		10.0.1.104
+3000.example.		5M IN A		10.0.1.105
+3000.example.		5M IN A		10.0.1.106
+3000.example.		5M IN A		10.0.1.107
+3000.example.		5M IN A		10.0.1.108
+3000.example.		5M IN A		10.0.1.109
+3000.example.		5M IN A		10.0.1.110
+3000.example.		5M IN A		10.0.1.111
+3000.example.		5M IN A		10.0.1.112
+3000.example.		5M IN A		10.0.1.113
+3000.example.		5M IN A		10.0.1.114
+3000.example.		5M IN A		10.0.1.115
+3000.example.		5M IN A		10.0.1.116
+3000.example.		5M IN A		10.0.1.117
+3000.example.		5M IN A		10.0.1.118
+3000.example.		5M IN A		10.0.1.119
+3000.example.		5M IN A		10.0.1.120
+3000.example.		5M IN A		10.0.1.121
+3000.example.		5M IN A		10.0.1.122
+3000.example.		5M IN A		10.0.1.123
+3000.example.		5M IN A		10.0.1.124
+3000.example.		5M IN A		10.0.1.125
+3000.example.		5M IN A		10.0.1.126
+3000.example.		5M IN A		10.0.1.127
+3000.example.		5M IN A		10.0.1.128
+3000.example.		5M IN A		10.0.1.129
+3000.example.		5M IN A		10.0.1.130
+3000.example.		5M IN A		10.0.1.131
+3000.example.		5M IN A		10.0.1.132
+3000.example.		5M IN A		10.0.1.133
+3000.example.		5M IN A		10.0.1.134
+3000.example.		5M IN A		10.0.1.135
+3000.example.		5M IN A		10.0.1.136
+3000.example.		5M IN A		10.0.1.137
+3000.example.		5M IN A		10.0.1.138
+3000.example.		5M IN A		10.0.1.139
+3000.example.		5M IN A		10.0.1.140
+3000.example.		5M IN A		10.0.1.141
+3000.example.		5M IN A		10.0.1.142
+3000.example.		5M IN A		10.0.1.143
+3000.example.		5M IN A		10.0.1.144
+3000.example.		5M IN A		10.0.1.145
+3000.example.		5M IN A		10.0.1.146
+3000.example.		5M IN A		10.0.1.147
+3000.example.		5M IN A		10.0.1.148
+3000.example.		5M IN A		10.0.1.149
+3000.example.		5M IN A		10.0.1.150
+3000.example.		5M IN A		10.0.1.151
+3000.example.		5M IN A		10.0.1.152
+3000.example.		5M IN A		10.0.1.153
+3000.example.		5M IN A		10.0.1.154
+3000.example.		5M IN A		10.0.1.155
+3000.example.		5M IN A		10.0.1.156
+3000.example.		5M IN A		10.0.1.157
+3000.example.		5M IN A		10.0.1.158
+3000.example.		5M IN A		10.0.1.159
+3000.example.		5M IN A		10.0.1.160
+3000.example.		5M IN A		10.0.1.161
+3000.example.		5M IN A		10.0.1.162
+3000.example.		5M IN A		10.0.1.163
+3000.example.		5M IN A		10.0.1.164
+3000.example.		5M IN A		10.0.1.165
+3000.example.		5M IN A		10.0.1.166
+3000.example.		5M IN A		10.0.1.167
+3000.example.		5M IN A		10.0.1.168
+3000.example.		5M IN A		10.0.1.169
+3000.example.		5M IN A		10.0.1.170
+3000.example.		5M IN A		10.0.1.171
+3000.example.		5M IN A		10.0.1.172
+3000.example.		5M IN A		10.0.1.173
+3000.example.		5M IN A		10.0.1.174
+3000.example.		5M IN A		10.0.1.175
+3000.example.		5M IN A		10.0.1.176
+3000.example.		5M IN A		10.0.1.177
+3000.example.		5M IN A		10.0.1.178
+3000.example.		5M IN A		10.0.1.179
+3000.example.		5M IN A		10.0.1.180
+3000.example.		5M IN A		10.0.1.181
+3000.example.		5M IN A		10.0.1.182
+3000.example.		5M IN A		10.0.1.183
+3000.example.		5M IN A		10.0.1.184
+3000.example.		5M IN A		10.0.1.185
+3000.example.		5M IN A		10.0.1.186
+3000.example.		5M IN A		10.0.1.187
+3000.example.		5M IN A		10.0.1.188
+3000.example.		5M IN A		10.0.1.189
+3000.example.		5M IN A		10.0.1.190
+3000.example.		5M IN A		10.0.1.191
+3000.example.		5M IN A		10.0.1.192
+3000.example.		5M IN A		10.0.1.193
+3000.example.		5M IN A		10.0.1.194
+3000.example.		5M IN A		10.0.1.195
+3000.example.		5M IN A		10.0.1.196
+3000.example.		5M IN A		10.0.1.197
+3000.example.		5M IN A		10.0.1.198
+3000.example.		5M IN A		10.0.1.199
+3000.example.		5M IN A		10.0.1.200
+3000.example.		5M IN A		10.0.1.201
+3000.example.		5M IN A		10.0.1.202
+3000.example.		5M IN A		10.0.1.203
+3000.example.		5M IN A		10.0.1.204
+3000.example.		5M IN A		10.0.1.205
+3000.example.		5M IN A		10.0.1.206
+3000.example.		5M IN A		10.0.1.207
+3000.example.		5M IN A		10.0.1.208
+3000.example.		5M IN A		10.0.1.209
+3000.example.		5M IN A		10.0.1.210
+3000.example.		5M IN A		10.0.1.211
+3000.example.		5M IN A		10.0.1.212
+3000.example.		5M IN A		10.0.1.213
+3000.example.		5M IN A		10.0.1.214
+3000.example.		5M IN A		10.0.1.215
+3000.example.		5M IN A		10.0.1.216
+3000.example.		5M IN A		10.0.1.217
+3000.example.		5M IN A		10.0.1.218
+3000.example.		5M IN A		10.0.1.219
+3000.example.		5M IN A		10.0.1.220
+3000.example.		5M IN A		10.0.1.221
+3000.example.		5M IN A		10.0.1.222
+3000.example.		5M IN A		10.0.1.223
+3000.example.		5M IN A		10.0.1.224
+3000.example.		5M IN A		10.0.1.225
+3000.example.		5M IN A		10.0.1.226
+3000.example.		5M IN A		10.0.1.227
+3000.example.		5M IN A		10.0.1.228
+3000.example.		5M IN A		10.0.1.229
+3000.example.		5M IN A		10.0.1.230
+3000.example.		5M IN A		10.0.1.231
+3000.example.		5M IN A		10.0.1.232
+3000.example.		5M IN A		10.0.1.233
+3000.example.		5M IN A		10.0.1.234
+3000.example.		5M IN A		10.0.1.235
+3000.example.		5M IN A		10.0.1.236
+3000.example.		5M IN A		10.0.1.237
+3000.example.		5M IN A		10.0.1.238
+3000.example.		5M IN A		10.0.1.239
+3000.example.		5M IN A		10.0.1.240
+3000.example.		5M IN A		10.0.1.241
+3000.example.		5M IN A		10.0.1.242
+3000.example.		5M IN A		10.0.1.243
+3000.example.		5M IN A		10.0.1.244
+3000.example.		5M IN A		10.0.1.245
+3000.example.		5M IN A		10.0.1.246
+3000.example.		5M IN A		10.0.1.247
+3000.example.		5M IN A		10.0.1.248
+3000.example.		5M IN A		10.0.1.249
+3000.example.		5M IN A		10.0.1.250
+3000.example.		5M IN A		10.0.1.251
+3000.example.		5M IN A		10.0.1.252
+3000.example.		5M IN A		10.0.1.253
+3000.example.		5M IN A		10.0.1.254
+3000.example.		5M IN A		10.0.1.255
+3000.example.		5M IN A		10.0.2.0
+3000.example.		5M IN A		10.0.2.1
+3000.example.		5M IN A		10.0.2.2
+3000.example.		5M IN A		10.0.2.3
+3000.example.		5M IN A		10.0.2.4
+3000.example.		5M IN A		10.0.2.5
+3000.example.		5M IN A		10.0.2.6
+3000.example.		5M IN A		10.0.2.7
+3000.example.		5M IN A		10.0.2.8
+3000.example.		5M IN A		10.0.2.9
+3000.example.		5M IN A		10.0.2.10
+3000.example.		5M IN A		10.0.2.11
+3000.example.		5M IN A		10.0.2.12
+3000.example.		5M IN A		10.0.2.13
+3000.example.		5M IN A		10.0.2.14
+3000.example.		5M IN A		10.0.2.15
+3000.example.		5M IN A		10.0.2.16
+3000.example.		5M IN A		10.0.2.17
+3000.example.		5M IN A		10.0.2.18
+3000.example.		5M IN A		10.0.2.19
+3000.example.		5M IN A		10.0.2.20
+3000.example.		5M IN A		10.0.2.21
+3000.example.		5M IN A		10.0.2.22
+3000.example.		5M IN A		10.0.2.23
+3000.example.		5M IN A		10.0.2.24
+3000.example.		5M IN A		10.0.2.25
+3000.example.		5M IN A		10.0.2.26
+3000.example.		5M IN A		10.0.2.27
+3000.example.		5M IN A		10.0.2.28
+3000.example.		5M IN A		10.0.2.29
+3000.example.		5M IN A		10.0.2.30
+3000.example.		5M IN A		10.0.2.31
+3000.example.		5M IN A		10.0.2.32
+3000.example.		5M IN A		10.0.2.33
+3000.example.		5M IN A		10.0.2.34
+3000.example.		5M IN A		10.0.2.35
+3000.example.		5M IN A		10.0.2.36
+3000.example.		5M IN A		10.0.2.37
+3000.example.		5M IN A		10.0.2.38
+3000.example.		5M IN A		10.0.2.39
+3000.example.		5M IN A		10.0.2.40
+3000.example.		5M IN A		10.0.2.41
+3000.example.		5M IN A		10.0.2.42
+3000.example.		5M IN A		10.0.2.43
+3000.example.		5M IN A		10.0.2.44
+3000.example.		5M IN A		10.0.2.45
+3000.example.		5M IN A		10.0.2.46
+3000.example.		5M IN A		10.0.2.47
+3000.example.		5M IN A		10.0.2.48
+3000.example.		5M IN A		10.0.2.49
+3000.example.		5M IN A		10.0.2.50
+3000.example.		5M IN A		10.0.2.51
+3000.example.		5M IN A		10.0.2.52
+3000.example.		5M IN A		10.0.2.53
+3000.example.		5M IN A		10.0.2.54
+3000.example.		5M IN A		10.0.2.55
+3000.example.		5M IN A		10.0.2.56
+3000.example.		5M IN A		10.0.2.57
+3000.example.		5M IN A		10.0.2.58
+3000.example.		5M IN A		10.0.2.59
+3000.example.		5M IN A		10.0.2.60
+3000.example.		5M IN A		10.0.2.61
+3000.example.		5M IN A		10.0.2.62
+3000.example.		5M IN A		10.0.2.63
+3000.example.		5M IN A		10.0.2.64
+3000.example.		5M IN A		10.0.2.65
+3000.example.		5M IN A		10.0.2.66
+3000.example.		5M IN A		10.0.2.67
+3000.example.		5M IN A		10.0.2.68
+3000.example.		5M IN A		10.0.2.69
+3000.example.		5M IN A		10.0.2.70
+3000.example.		5M IN A		10.0.2.71
+3000.example.		5M IN A		10.0.2.72
+3000.example.		5M IN A		10.0.2.73
+3000.example.		5M IN A		10.0.2.74
+3000.example.		5M IN A		10.0.2.75
+3000.example.		5M IN A		10.0.2.76
+3000.example.		5M IN A		10.0.2.77
+3000.example.		5M IN A		10.0.2.78
+3000.example.		5M IN A		10.0.2.79
+3000.example.		5M IN A		10.0.2.80
+3000.example.		5M IN A		10.0.2.81
+3000.example.		5M IN A		10.0.2.82
+3000.example.		5M IN A		10.0.2.83
+3000.example.		5M IN A		10.0.2.84
+3000.example.		5M IN A		10.0.2.85
+3000.example.		5M IN A		10.0.2.86
+3000.example.		5M IN A		10.0.2.87
+3000.example.		5M IN A		10.0.2.88
+3000.example.		5M IN A		10.0.2.89
+3000.example.		5M IN A		10.0.2.90
+3000.example.		5M IN A		10.0.2.91
+3000.example.		5M IN A		10.0.2.92
+3000.example.		5M IN A		10.0.2.93
+3000.example.		5M IN A		10.0.2.94
+3000.example.		5M IN A		10.0.2.95
+3000.example.		5M IN A		10.0.2.96
+3000.example.		5M IN A		10.0.2.97
+3000.example.		5M IN A		10.0.2.98
+3000.example.		5M IN A		10.0.2.99
+3000.example.		5M IN A		10.0.2.100
+3000.example.		5M IN A		10.0.2.101
+3000.example.		5M IN A		10.0.2.102
+3000.example.		5M IN A		10.0.2.103
+3000.example.		5M IN A		10.0.2.104
+3000.example.		5M IN A		10.0.2.105
+3000.example.		5M IN A		10.0.2.106
+3000.example.		5M IN A		10.0.2.107
+3000.example.		5M IN A		10.0.2.108
+3000.example.		5M IN A		10.0.2.109
+3000.example.		5M IN A		10.0.2.110
+3000.example.		5M IN A		10.0.2.111
+3000.example.		5M IN A		10.0.2.112
+3000.example.		5M IN A		10.0.2.113
+3000.example.		5M IN A		10.0.2.114
+3000.example.		5M IN A		10.0.2.115
+3000.example.		5M IN A		10.0.2.116
+3000.example.		5M IN A		10.0.2.117
+3000.example.		5M IN A		10.0.2.118
+3000.example.		5M IN A		10.0.2.119
+3000.example.		5M IN A		10.0.2.120
+3000.example.		5M IN A		10.0.2.121
+3000.example.		5M IN A		10.0.2.122
+3000.example.		5M IN A		10.0.2.123
+3000.example.		5M IN A		10.0.2.124
+3000.example.		5M IN A		10.0.2.125
+3000.example.		5M IN A		10.0.2.126
+3000.example.		5M IN A		10.0.2.127
+3000.example.		5M IN A		10.0.2.128
+3000.example.		5M IN A		10.0.2.129
+3000.example.		5M IN A		10.0.2.130
+3000.example.		5M IN A		10.0.2.131
+3000.example.		5M IN A		10.0.2.132
+3000.example.		5M IN A		10.0.2.133
+3000.example.		5M IN A		10.0.2.134
+3000.example.		5M IN A		10.0.2.135
+3000.example.		5M IN A		10.0.2.136
+3000.example.		5M IN A		10.0.2.137
+3000.example.		5M IN A		10.0.2.138
+3000.example.		5M IN A		10.0.2.139
+3000.example.		5M IN A		10.0.2.140
+3000.example.		5M IN A		10.0.2.141
+3000.example.		5M IN A		10.0.2.142
+3000.example.		5M IN A		10.0.2.143
+3000.example.		5M IN A		10.0.2.144
+3000.example.		5M IN A		10.0.2.145
+3000.example.		5M IN A		10.0.2.146
+3000.example.		5M IN A		10.0.2.147
+3000.example.		5M IN A		10.0.2.148
+3000.example.		5M IN A		10.0.2.149
+3000.example.		5M IN A		10.0.2.150
+3000.example.		5M IN A		10.0.2.151
+3000.example.		5M IN A		10.0.2.152
+3000.example.		5M IN A		10.0.2.153
+3000.example.		5M IN A		10.0.2.154
+3000.example.		5M IN A		10.0.2.155
+3000.example.		5M IN A		10.0.2.156
+3000.example.		5M IN A		10.0.2.157
+3000.example.		5M IN A		10.0.2.158
+3000.example.		5M IN A		10.0.2.159
+3000.example.		5M IN A		10.0.2.160
+3000.example.		5M IN A		10.0.2.161
+3000.example.		5M IN A		10.0.2.162
+3000.example.		5M IN A		10.0.2.163
+3000.example.		5M IN A		10.0.2.164
+3000.example.		5M IN A		10.0.2.165
+3000.example.		5M IN A		10.0.2.166
+3000.example.		5M IN A		10.0.2.167
+3000.example.		5M IN A		10.0.2.168
+3000.example.		5M IN A		10.0.2.169
+3000.example.		5M IN A		10.0.2.170
+3000.example.		5M IN A		10.0.2.171
+3000.example.		5M IN A		10.0.2.172
+3000.example.		5M IN A		10.0.2.173
+3000.example.		5M IN A		10.0.2.174
+3000.example.		5M IN A		10.0.2.175
+3000.example.		5M IN A		10.0.2.176
+3000.example.		5M IN A		10.0.2.177
+3000.example.		5M IN A		10.0.2.178
+3000.example.		5M IN A		10.0.2.179
+3000.example.		5M IN A		10.0.2.180
+3000.example.		5M IN A		10.0.2.181
+3000.example.		5M IN A		10.0.2.182
+3000.example.		5M IN A		10.0.2.183
+3000.example.		5M IN A		10.0.2.184
+3000.example.		5M IN A		10.0.2.185
+3000.example.		5M IN A		10.0.2.186
+3000.example.		5M IN A		10.0.2.187
+3000.example.		5M IN A		10.0.2.188
+3000.example.		5M IN A		10.0.2.189
+3000.example.		5M IN A		10.0.2.190
+3000.example.		5M IN A		10.0.2.191
+3000.example.		5M IN A		10.0.2.192
+3000.example.		5M IN A		10.0.2.193
+3000.example.		5M IN A		10.0.2.194
+3000.example.		5M IN A		10.0.2.195
+3000.example.		5M IN A		10.0.2.196
+3000.example.		5M IN A		10.0.2.197
+3000.example.		5M IN A		10.0.2.198
+3000.example.		5M IN A		10.0.2.199
+3000.example.		5M IN A		10.0.2.200
+3000.example.		5M IN A		10.0.2.201
+3000.example.		5M IN A		10.0.2.202
+3000.example.		5M IN A		10.0.2.203
+3000.example.		5M IN A		10.0.2.204
+3000.example.		5M IN A		10.0.2.205
+3000.example.		5M IN A		10.0.2.206
+3000.example.		5M IN A		10.0.2.207
+3000.example.		5M IN A		10.0.2.208
+3000.example.		5M IN A		10.0.2.209
+3000.example.		5M IN A		10.0.2.210
+3000.example.		5M IN A		10.0.2.211
+3000.example.		5M IN A		10.0.2.212
+3000.example.		5M IN A		10.0.2.213
+3000.example.		5M IN A		10.0.2.214
+3000.example.		5M IN A		10.0.2.215
+3000.example.		5M IN A		10.0.2.216
+3000.example.		5M IN A		10.0.2.217
+3000.example.		5M IN A		10.0.2.218
+3000.example.		5M IN A		10.0.2.219
+3000.example.		5M IN A		10.0.2.220
+3000.example.		5M IN A		10.0.2.221
+3000.example.		5M IN A		10.0.2.222
+3000.example.		5M IN A		10.0.2.223
+3000.example.		5M IN A		10.0.2.224
+3000.example.		5M IN A		10.0.2.225
+3000.example.		5M IN A		10.0.2.226
+3000.example.		5M IN A		10.0.2.227
+3000.example.		5M IN A		10.0.2.228
+3000.example.		5M IN A		10.0.2.229
+3000.example.		5M IN A		10.0.2.230
+3000.example.		5M IN A		10.0.2.231
+3000.example.		5M IN A		10.0.2.232
+3000.example.		5M IN A		10.0.2.233
+3000.example.		5M IN A		10.0.2.234
+3000.example.		5M IN A		10.0.2.235
+3000.example.		5M IN A		10.0.2.236
+3000.example.		5M IN A		10.0.2.237
+3000.example.		5M IN A		10.0.2.238
+3000.example.		5M IN A		10.0.2.239
+3000.example.		5M IN A		10.0.2.240
+3000.example.		5M IN A		10.0.2.241
+3000.example.		5M IN A		10.0.2.242
+3000.example.		5M IN A		10.0.2.243
+3000.example.		5M IN A		10.0.2.244
+3000.example.		5M IN A		10.0.2.245
+3000.example.		5M IN A		10.0.2.246
+3000.example.		5M IN A		10.0.2.247
+3000.example.		5M IN A		10.0.2.248
+3000.example.		5M IN A		10.0.2.249
+3000.example.		5M IN A		10.0.2.250
+3000.example.		5M IN A		10.0.2.251
+3000.example.		5M IN A		10.0.2.252
+3000.example.		5M IN A		10.0.2.253
+3000.example.		5M IN A		10.0.2.254
+3000.example.		5M IN A		10.0.2.255
+3000.example.		5M IN A		10.0.3.0
+3000.example.		5M IN A		10.0.3.1
+3000.example.		5M IN A		10.0.3.2
+3000.example.		5M IN A		10.0.3.3
+3000.example.		5M IN A		10.0.3.4
+3000.example.		5M IN A		10.0.3.5
+3000.example.		5M IN A		10.0.3.6
+3000.example.		5M IN A		10.0.3.7
+3000.example.		5M IN A		10.0.3.8
+3000.example.		5M IN A		10.0.3.9
+3000.example.		5M IN A		10.0.3.10
+3000.example.		5M IN A		10.0.3.11
+3000.example.		5M IN A		10.0.3.12
+3000.example.		5M IN A		10.0.3.13
+3000.example.		5M IN A		10.0.3.14
+3000.example.		5M IN A		10.0.3.15
+3000.example.		5M IN A		10.0.3.16
+3000.example.		5M IN A		10.0.3.17
+3000.example.		5M IN A		10.0.3.18
+3000.example.		5M IN A		10.0.3.19
+3000.example.		5M IN A		10.0.3.20
+3000.example.		5M IN A		10.0.3.21
+3000.example.		5M IN A		10.0.3.22
+3000.example.		5M IN A		10.0.3.23
+3000.example.		5M IN A		10.0.3.24
+3000.example.		5M IN A		10.0.3.25
+3000.example.		5M IN A		10.0.3.26
+3000.example.		5M IN A		10.0.3.27
+3000.example.		5M IN A		10.0.3.28
+3000.example.		5M IN A		10.0.3.29
+3000.example.		5M IN A		10.0.3.30
+3000.example.		5M IN A		10.0.3.31
+3000.example.		5M IN A		10.0.3.32
+3000.example.		5M IN A		10.0.3.33
+3000.example.		5M IN A		10.0.3.34
+3000.example.		5M IN A		10.0.3.35
+3000.example.		5M IN A		10.0.3.36
+3000.example.		5M IN A		10.0.3.37
+3000.example.		5M IN A		10.0.3.38
+3000.example.		5M IN A		10.0.3.39
+3000.example.		5M IN A		10.0.3.40
+3000.example.		5M IN A		10.0.3.41
+3000.example.		5M IN A		10.0.3.42
+3000.example.		5M IN A		10.0.3.43
+3000.example.		5M IN A		10.0.3.44
+3000.example.		5M IN A		10.0.3.45
+3000.example.		5M IN A		10.0.3.46
+3000.example.		5M IN A		10.0.3.47
+3000.example.		5M IN A		10.0.3.48
+3000.example.		5M IN A		10.0.3.49
+3000.example.		5M IN A		10.0.3.50
+3000.example.		5M IN A		10.0.3.51
+3000.example.		5M IN A		10.0.3.52
+3000.example.		5M IN A		10.0.3.53
+3000.example.		5M IN A		10.0.3.54
+3000.example.		5M IN A		10.0.3.55
+3000.example.		5M IN A		10.0.3.56
+3000.example.		5M IN A		10.0.3.57
+3000.example.		5M IN A		10.0.3.58
+3000.example.		5M IN A		10.0.3.59
+3000.example.		5M IN A		10.0.3.60
+3000.example.		5M IN A		10.0.3.61
+3000.example.		5M IN A		10.0.3.62
+3000.example.		5M IN A		10.0.3.63
+3000.example.		5M IN A		10.0.3.64
+3000.example.		5M IN A		10.0.3.65
+3000.example.		5M IN A		10.0.3.66
+3000.example.		5M IN A		10.0.3.67
+3000.example.		5M IN A		10.0.3.68
+3000.example.		5M IN A		10.0.3.69
+3000.example.		5M IN A		10.0.3.70
+3000.example.		5M IN A		10.0.3.71
+3000.example.		5M IN A		10.0.3.72
+3000.example.		5M IN A		10.0.3.73
+3000.example.		5M IN A		10.0.3.74
+3000.example.		5M IN A		10.0.3.75
+3000.example.		5M IN A		10.0.3.76
+3000.example.		5M IN A		10.0.3.77
+3000.example.		5M IN A		10.0.3.78
+3000.example.		5M IN A		10.0.3.79
+3000.example.		5M IN A		10.0.3.80
+3000.example.		5M IN A		10.0.3.81
+3000.example.		5M IN A		10.0.3.82
+3000.example.		5M IN A		10.0.3.83
+3000.example.		5M IN A		10.0.3.84
+3000.example.		5M IN A		10.0.3.85
+3000.example.		5M IN A		10.0.3.86
+3000.example.		5M IN A		10.0.3.87
+3000.example.		5M IN A		10.0.3.88
+3000.example.		5M IN A		10.0.3.89
+3000.example.		5M IN A		10.0.3.90
+3000.example.		5M IN A		10.0.3.91
+3000.example.		5M IN A		10.0.3.92
+3000.example.		5M IN A		10.0.3.93
+3000.example.		5M IN A		10.0.3.94
+3000.example.		5M IN A		10.0.3.95
+3000.example.		5M IN A		10.0.3.96
+3000.example.		5M IN A		10.0.3.97
+3000.example.		5M IN A		10.0.3.98
+3000.example.		5M IN A		10.0.3.99
+3000.example.		5M IN A		10.0.3.100
+3000.example.		5M IN A		10.0.3.101
+3000.example.		5M IN A		10.0.3.102
+3000.example.		5M IN A		10.0.3.103
+3000.example.		5M IN A		10.0.3.104
+3000.example.		5M IN A		10.0.3.105
+3000.example.		5M IN A		10.0.3.106
+3000.example.		5M IN A		10.0.3.107
+3000.example.		5M IN A		10.0.3.108
+3000.example.		5M IN A		10.0.3.109
+3000.example.		5M IN A		10.0.3.110
+3000.example.		5M IN A		10.0.3.111
+3000.example.		5M IN A		10.0.3.112
+3000.example.		5M IN A		10.0.3.113
+3000.example.		5M IN A		10.0.3.114
+3000.example.		5M IN A		10.0.3.115
+3000.example.		5M IN A		10.0.3.116
+3000.example.		5M IN A		10.0.3.117
+3000.example.		5M IN A		10.0.3.118
+3000.example.		5M IN A		10.0.3.119
+3000.example.		5M IN A		10.0.3.120
+3000.example.		5M IN A		10.0.3.121
+3000.example.		5M IN A		10.0.3.122
+3000.example.		5M IN A		10.0.3.123
+3000.example.		5M IN A		10.0.3.124
+3000.example.		5M IN A		10.0.3.125
+3000.example.		5M IN A		10.0.3.126
+3000.example.		5M IN A		10.0.3.127
+3000.example.		5M IN A		10.0.3.128
+3000.example.		5M IN A		10.0.3.129
+3000.example.		5M IN A		10.0.3.130
+3000.example.		5M IN A		10.0.3.131
+3000.example.		5M IN A		10.0.3.132
+3000.example.		5M IN A		10.0.3.133
+3000.example.		5M IN A		10.0.3.134
+3000.example.		5M IN A		10.0.3.135
+3000.example.		5M IN A		10.0.3.136
+3000.example.		5M IN A		10.0.3.137
+3000.example.		5M IN A		10.0.3.138
+3000.example.		5M IN A		10.0.3.139
+3000.example.		5M IN A		10.0.3.140
+3000.example.		5M IN A		10.0.3.141
+3000.example.		5M IN A		10.0.3.142
+3000.example.		5M IN A		10.0.3.143
+3000.example.		5M IN A		10.0.3.144
+3000.example.		5M IN A		10.0.3.145
+3000.example.		5M IN A		10.0.3.146
+3000.example.		5M IN A		10.0.3.147
+3000.example.		5M IN A		10.0.3.148
+3000.example.		5M IN A		10.0.3.149
+3000.example.		5M IN A		10.0.3.150
+3000.example.		5M IN A		10.0.3.151
+3000.example.		5M IN A		10.0.3.152
+3000.example.		5M IN A		10.0.3.153
+3000.example.		5M IN A		10.0.3.154
+3000.example.		5M IN A		10.0.3.155
+3000.example.		5M IN A		10.0.3.156
+3000.example.		5M IN A		10.0.3.157
+3000.example.		5M IN A		10.0.3.158
+3000.example.		5M IN A		10.0.3.159
+3000.example.		5M IN A		10.0.3.160
+3000.example.		5M IN A		10.0.3.161
+3000.example.		5M IN A		10.0.3.162
+3000.example.		5M IN A		10.0.3.163
+3000.example.		5M IN A		10.0.3.164
+3000.example.		5M IN A		10.0.3.165
+3000.example.		5M IN A		10.0.3.166
+3000.example.		5M IN A		10.0.3.167
+3000.example.		5M IN A		10.0.3.168
+3000.example.		5M IN A		10.0.3.169
+3000.example.		5M IN A		10.0.3.170
+3000.example.		5M IN A		10.0.3.171
+3000.example.		5M IN A		10.0.3.172
+3000.example.		5M IN A		10.0.3.173
+3000.example.		5M IN A		10.0.3.174
+3000.example.		5M IN A		10.0.3.175
+3000.example.		5M IN A		10.0.3.176
+3000.example.		5M IN A		10.0.3.177
+3000.example.		5M IN A		10.0.3.178
+3000.example.		5M IN A		10.0.3.179
+3000.example.		5M IN A		10.0.3.180
+3000.example.		5M IN A		10.0.3.181
+3000.example.		5M IN A		10.0.3.182
+3000.example.		5M IN A		10.0.3.183
+3000.example.		5M IN A		10.0.3.184
+3000.example.		5M IN A		10.0.3.185
+3000.example.		5M IN A		10.0.3.186
+3000.example.		5M IN A		10.0.3.187
+3000.example.		5M IN A		10.0.3.188
+3000.example.		5M IN A		10.0.3.189
+3000.example.		5M IN A		10.0.3.190
+3000.example.		5M IN A		10.0.3.191
+3000.example.		5M IN A		10.0.3.192
+3000.example.		5M IN A		10.0.3.193
+3000.example.		5M IN A		10.0.3.194
+3000.example.		5M IN A		10.0.3.195
+3000.example.		5M IN A		10.0.3.196
+3000.example.		5M IN A		10.0.3.197
+3000.example.		5M IN A		10.0.3.198
+3000.example.		5M IN A		10.0.3.199
+3000.example.		5M IN A		10.0.3.200
+3000.example.		5M IN A		10.0.3.201
+3000.example.		5M IN A		10.0.3.202
+3000.example.		5M IN A		10.0.3.203
+3000.example.		5M IN A		10.0.3.204
+3000.example.		5M IN A		10.0.3.205
+3000.example.		5M IN A		10.0.3.206
+3000.example.		5M IN A		10.0.3.207
+3000.example.		5M IN A		10.0.3.208
+3000.example.		5M IN A		10.0.3.209
+3000.example.		5M IN A		10.0.3.210
+3000.example.		5M IN A		10.0.3.211
+3000.example.		5M IN A		10.0.3.212
+3000.example.		5M IN A		10.0.3.213
+3000.example.		5M IN A		10.0.3.214
+3000.example.		5M IN A		10.0.3.215
+3000.example.		5M IN A		10.0.3.216
+3000.example.		5M IN A		10.0.3.217
+3000.example.		5M IN A		10.0.3.218
+3000.example.		5M IN A		10.0.3.219
+3000.example.		5M IN A		10.0.3.220
+3000.example.		5M IN A		10.0.3.221
+3000.example.		5M IN A		10.0.3.222
+3000.example.		5M IN A		10.0.3.223
+3000.example.		5M IN A		10.0.3.224
+3000.example.		5M IN A		10.0.3.225
+3000.example.		5M IN A		10.0.3.226
+3000.example.		5M IN A		10.0.3.227
+3000.example.		5M IN A		10.0.3.228
+3000.example.		5M IN A		10.0.3.229
+3000.example.		5M IN A		10.0.3.230
+3000.example.		5M IN A		10.0.3.231
+3000.example.		5M IN A		10.0.3.232
+3000.example.		5M IN A		10.0.3.233
+3000.example.		5M IN A		10.0.3.234
+3000.example.		5M IN A		10.0.3.235
+3000.example.		5M IN A		10.0.3.236
+3000.example.		5M IN A		10.0.3.237
+3000.example.		5M IN A		10.0.3.238
+3000.example.		5M IN A		10.0.3.239
+3000.example.		5M IN A		10.0.3.240
+3000.example.		5M IN A		10.0.3.241
+3000.example.		5M IN A		10.0.3.242
+3000.example.		5M IN A		10.0.3.243
+3000.example.		5M IN A		10.0.3.244
+3000.example.		5M IN A		10.0.3.245
+3000.example.		5M IN A		10.0.3.246
+3000.example.		5M IN A		10.0.3.247
+3000.example.		5M IN A		10.0.3.248
+3000.example.		5M IN A		10.0.3.249
+3000.example.		5M IN A		10.0.3.250
+3000.example.		5M IN A		10.0.3.251
+3000.example.		5M IN A		10.0.3.252
+3000.example.		5M IN A		10.0.3.253
+3000.example.		5M IN A		10.0.3.254
+3000.example.		5M IN A		10.0.3.255
+3000.example.		5M IN A		10.0.4.0
+3000.example.		5M IN A		10.0.4.1
+3000.example.		5M IN A		10.0.4.2
+3000.example.		5M IN A		10.0.4.3
+3000.example.		5M IN A		10.0.4.4
+3000.example.		5M IN A		10.0.4.5
+3000.example.		5M IN A		10.0.4.6
+3000.example.		5M IN A		10.0.4.7
+3000.example.		5M IN A		10.0.4.8
+3000.example.		5M IN A		10.0.4.9
+3000.example.		5M IN A		10.0.4.10
+3000.example.		5M IN A		10.0.4.11
+3000.example.		5M IN A		10.0.4.12
+3000.example.		5M IN A		10.0.4.13
+3000.example.		5M IN A		10.0.4.14
+3000.example.		5M IN A		10.0.4.15
+3000.example.		5M IN A		10.0.4.16
+3000.example.		5M IN A		10.0.4.17
+3000.example.		5M IN A		10.0.4.18
+3000.example.		5M IN A		10.0.4.19
+3000.example.		5M IN A		10.0.4.20
+3000.example.		5M IN A		10.0.4.21
+3000.example.		5M IN A		10.0.4.22
+3000.example.		5M IN A		10.0.4.23
+3000.example.		5M IN A		10.0.4.24
+3000.example.		5M IN A		10.0.4.25
+3000.example.		5M IN A		10.0.4.26
+3000.example.		5M IN A		10.0.4.27
+3000.example.		5M IN A		10.0.4.28
+3000.example.		5M IN A		10.0.4.29
+3000.example.		5M IN A		10.0.4.30
+3000.example.		5M IN A		10.0.4.31
+3000.example.		5M IN A		10.0.4.32
+3000.example.		5M IN A		10.0.4.33
+3000.example.		5M IN A		10.0.4.34
+3000.example.		5M IN A		10.0.4.35
+3000.example.		5M IN A		10.0.4.36
+3000.example.		5M IN A		10.0.4.37
+3000.example.		5M IN A		10.0.4.38
+3000.example.		5M IN A		10.0.4.39
+3000.example.		5M IN A		10.0.4.40
+3000.example.		5M IN A		10.0.4.41
+3000.example.		5M IN A		10.0.4.42
+3000.example.		5M IN A		10.0.4.43
+3000.example.		5M IN A		10.0.4.44
+3000.example.		5M IN A		10.0.4.45
+3000.example.		5M IN A		10.0.4.46
+3000.example.		5M IN A		10.0.4.47
+3000.example.		5M IN A		10.0.4.48
+3000.example.		5M IN A		10.0.4.49
+3000.example.		5M IN A		10.0.4.50
+3000.example.		5M IN A		10.0.4.51
+3000.example.		5M IN A		10.0.4.52
+3000.example.		5M IN A		10.0.4.53
+3000.example.		5M IN A		10.0.4.54
+3000.example.		5M IN A		10.0.4.55
+3000.example.		5M IN A		10.0.4.56
+3000.example.		5M IN A		10.0.4.57
+3000.example.		5M IN A		10.0.4.58
+3000.example.		5M IN A		10.0.4.59
+3000.example.		5M IN A		10.0.4.60
+3000.example.		5M IN A		10.0.4.61
+3000.example.		5M IN A		10.0.4.62
+3000.example.		5M IN A		10.0.4.63
+3000.example.		5M IN A		10.0.4.64
+3000.example.		5M IN A		10.0.4.65
+3000.example.		5M IN A		10.0.4.66
+3000.example.		5M IN A		10.0.4.67
+3000.example.		5M IN A		10.0.4.68
+3000.example.		5M IN A		10.0.4.69
+3000.example.		5M IN A		10.0.4.70
+3000.example.		5M IN A		10.0.4.71
+3000.example.		5M IN A		10.0.4.72
+3000.example.		5M IN A		10.0.4.73
+3000.example.		5M IN A		10.0.4.74
+3000.example.		5M IN A		10.0.4.75
+3000.example.		5M IN A		10.0.4.76
+3000.example.		5M IN A		10.0.4.77
+3000.example.		5M IN A		10.0.4.78
+3000.example.		5M IN A		10.0.4.79
+3000.example.		5M IN A		10.0.4.80
+3000.example.		5M IN A		10.0.4.81
+3000.example.		5M IN A		10.0.4.82
+3000.example.		5M IN A		10.0.4.83
+3000.example.		5M IN A		10.0.4.84
+3000.example.		5M IN A		10.0.4.85
+3000.example.		5M IN A		10.0.4.86
+3000.example.		5M IN A		10.0.4.87
+3000.example.		5M IN A		10.0.4.88
+3000.example.		5M IN A		10.0.4.89
+3000.example.		5M IN A		10.0.4.90
+3000.example.		5M IN A		10.0.4.91
+3000.example.		5M IN A		10.0.4.92
+3000.example.		5M IN A		10.0.4.93
+3000.example.		5M IN A		10.0.4.94
+3000.example.		5M IN A		10.0.4.95
+3000.example.		5M IN A		10.0.4.96
+3000.example.		5M IN A		10.0.4.97
+3000.example.		5M IN A		10.0.4.98
+3000.example.		5M IN A		10.0.4.99
+3000.example.		5M IN A		10.0.4.100
+3000.example.		5M IN A		10.0.4.101
+3000.example.		5M IN A		10.0.4.102
+3000.example.		5M IN A		10.0.4.103
+3000.example.		5M IN A		10.0.4.104
+3000.example.		5M IN A		10.0.4.105
+3000.example.		5M IN A		10.0.4.106
+3000.example.		5M IN A		10.0.4.107
+3000.example.		5M IN A		10.0.4.108
+3000.example.		5M IN A		10.0.4.109
+3000.example.		5M IN A		10.0.4.110
+3000.example.		5M IN A		10.0.4.111
+3000.example.		5M IN A		10.0.4.112
+3000.example.		5M IN A		10.0.4.113
+3000.example.		5M IN A		10.0.4.114
+3000.example.		5M IN A		10.0.4.115
+3000.example.		5M IN A		10.0.4.116
+3000.example.		5M IN A		10.0.4.117
+3000.example.		5M IN A		10.0.4.118
+3000.example.		5M IN A		10.0.4.119
+3000.example.		5M IN A		10.0.4.120
+3000.example.		5M IN A		10.0.4.121
+3000.example.		5M IN A		10.0.4.122
+3000.example.		5M IN A		10.0.4.123
+3000.example.		5M IN A		10.0.4.124
+3000.example.		5M IN A		10.0.4.125
+3000.example.		5M IN A		10.0.4.126
+3000.example.		5M IN A		10.0.4.127
+3000.example.		5M IN A		10.0.4.128
+3000.example.		5M IN A		10.0.4.129
+3000.example.		5M IN A		10.0.4.130
+3000.example.		5M IN A		10.0.4.131
+3000.example.		5M IN A		10.0.4.132
+3000.example.		5M IN A		10.0.4.133
+3000.example.		5M IN A		10.0.4.134
+3000.example.		5M IN A		10.0.4.135
+3000.example.		5M IN A		10.0.4.136
+3000.example.		5M IN A		10.0.4.137
+3000.example.		5M IN A		10.0.4.138
+3000.example.		5M IN A		10.0.4.139
+3000.example.		5M IN A		10.0.4.140
+3000.example.		5M IN A		10.0.4.141
+3000.example.		5M IN A		10.0.4.142
+3000.example.		5M IN A		10.0.4.143
+3000.example.		5M IN A		10.0.4.144
+3000.example.		5M IN A		10.0.4.145
+3000.example.		5M IN A		10.0.4.146
+3000.example.		5M IN A		10.0.4.147
+3000.example.		5M IN A		10.0.4.148
+3000.example.		5M IN A		10.0.4.149
+3000.example.		5M IN A		10.0.4.150
+3000.example.		5M IN A		10.0.4.151
+3000.example.		5M IN A		10.0.4.152
+3000.example.		5M IN A		10.0.4.153
+3000.example.		5M IN A		10.0.4.154
+3000.example.		5M IN A		10.0.4.155
+3000.example.		5M IN A		10.0.4.156
+3000.example.		5M IN A		10.0.4.157
+3000.example.		5M IN A		10.0.4.158
+3000.example.		5M IN A		10.0.4.159
+3000.example.		5M IN A		10.0.4.160
+3000.example.		5M IN A		10.0.4.161
+3000.example.		5M IN A		10.0.4.162
+3000.example.		5M IN A		10.0.4.163
+3000.example.		5M IN A		10.0.4.164
+3000.example.		5M IN A		10.0.4.165
+3000.example.		5M IN A		10.0.4.166
+3000.example.		5M IN A		10.0.4.167
+3000.example.		5M IN A		10.0.4.168
+3000.example.		5M IN A		10.0.4.169
+3000.example.		5M IN A		10.0.4.170
+3000.example.		5M IN A		10.0.4.171
+3000.example.		5M IN A		10.0.4.172
+3000.example.		5M IN A		10.0.4.173
+3000.example.		5M IN A		10.0.4.174
+3000.example.		5M IN A		10.0.4.175
+3000.example.		5M IN A		10.0.4.176
+3000.example.		5M IN A		10.0.4.177
+3000.example.		5M IN A		10.0.4.178
+3000.example.		5M IN A		10.0.4.179
+3000.example.		5M IN A		10.0.4.180
+3000.example.		5M IN A		10.0.4.181
+3000.example.		5M IN A		10.0.4.182
+3000.example.		5M IN A		10.0.4.183
+3000.example.		5M IN A		10.0.4.184
+3000.example.		5M IN A		10.0.4.185
+3000.example.		5M IN A		10.0.4.186
+3000.example.		5M IN A		10.0.4.187
+3000.example.		5M IN A		10.0.4.188
+3000.example.		5M IN A		10.0.4.189
+3000.example.		5M IN A		10.0.4.190
+3000.example.		5M IN A		10.0.4.191
+3000.example.		5M IN A		10.0.4.192
+3000.example.		5M IN A		10.0.4.193
+3000.example.		5M IN A		10.0.4.194
+3000.example.		5M IN A		10.0.4.195
+3000.example.		5M IN A		10.0.4.196
+3000.example.		5M IN A		10.0.4.197
+3000.example.		5M IN A		10.0.4.198
+3000.example.		5M IN A		10.0.4.199
+3000.example.		5M IN A		10.0.4.200
+3000.example.		5M IN A		10.0.4.201
+3000.example.		5M IN A		10.0.4.202
+3000.example.		5M IN A		10.0.4.203
+3000.example.		5M IN A		10.0.4.204
+3000.example.		5M IN A		10.0.4.205
+3000.example.		5M IN A		10.0.4.206
+3000.example.		5M IN A		10.0.4.207
+3000.example.		5M IN A		10.0.4.208
+3000.example.		5M IN A		10.0.4.209
+3000.example.		5M IN A		10.0.4.210
+3000.example.		5M IN A		10.0.4.211
+3000.example.		5M IN A		10.0.4.212
+3000.example.		5M IN A		10.0.4.213
+3000.example.		5M IN A		10.0.4.214
+3000.example.		5M IN A		10.0.4.215
+3000.example.		5M IN A		10.0.4.216
+3000.example.		5M IN A		10.0.4.217
+3000.example.		5M IN A		10.0.4.218
+3000.example.		5M IN A		10.0.4.219
+3000.example.		5M IN A		10.0.4.220
+3000.example.		5M IN A		10.0.4.221
+3000.example.		5M IN A		10.0.4.222
+3000.example.		5M IN A		10.0.4.223
+3000.example.		5M IN A		10.0.4.224
+3000.example.		5M IN A		10.0.4.225
+3000.example.		5M IN A		10.0.4.226
+3000.example.		5M IN A		10.0.4.227
+3000.example.		5M IN A		10.0.4.228
+3000.example.		5M IN A		10.0.4.229
+3000.example.		5M IN A		10.0.4.230
+3000.example.		5M IN A		10.0.4.231
+3000.example.		5M IN A		10.0.4.232
+3000.example.		5M IN A		10.0.4.233
+3000.example.		5M IN A		10.0.4.234
+3000.example.		5M IN A		10.0.4.235
+3000.example.		5M IN A		10.0.4.236
+3000.example.		5M IN A		10.0.4.237
+3000.example.		5M IN A		10.0.4.238
+3000.example.		5M IN A		10.0.4.239
+3000.example.		5M IN A		10.0.4.240
+3000.example.		5M IN A		10.0.4.241
+3000.example.		5M IN A		10.0.4.242
+3000.example.		5M IN A		10.0.4.243
+3000.example.		5M IN A		10.0.4.244
+3000.example.		5M IN A		10.0.4.245
+3000.example.		5M IN A		10.0.4.246
+3000.example.		5M IN A		10.0.4.247
+3000.example.		5M IN A		10.0.4.248
+3000.example.		5M IN A		10.0.4.249
+3000.example.		5M IN A		10.0.4.250
+3000.example.		5M IN A		10.0.4.251
+3000.example.		5M IN A		10.0.4.252
+3000.example.		5M IN A		10.0.4.253
+3000.example.		5M IN A		10.0.4.254
+3000.example.		5M IN A		10.0.4.255
+3000.example.		5M IN A		10.0.5.0
+3000.example.		5M IN A		10.0.5.1
+3000.example.		5M IN A		10.0.5.2
+3000.example.		5M IN A		10.0.5.3
+3000.example.		5M IN A		10.0.5.4
+3000.example.		5M IN A		10.0.5.5
+3000.example.		5M IN A		10.0.5.6
+3000.example.		5M IN A		10.0.5.7
+3000.example.		5M IN A		10.0.5.8
+3000.example.		5M IN A		10.0.5.9
+3000.example.		5M IN A		10.0.5.10
+3000.example.		5M IN A		10.0.5.11
+3000.example.		5M IN A		10.0.5.12
+3000.example.		5M IN A		10.0.5.13
+3000.example.		5M IN A		10.0.5.14
+3000.example.		5M IN A		10.0.5.15
+3000.example.		5M IN A		10.0.5.16
+3000.example.		5M IN A		10.0.5.17
+3000.example.		5M IN A		10.0.5.18
+3000.example.		5M IN A		10.0.5.19
+3000.example.		5M IN A		10.0.5.20
+3000.example.		5M IN A		10.0.5.21
+3000.example.		5M IN A		10.0.5.22
+3000.example.		5M IN A		10.0.5.23
+3000.example.		5M IN A		10.0.5.24
+3000.example.		5M IN A		10.0.5.25
+3000.example.		5M IN A		10.0.5.26
+3000.example.		5M IN A		10.0.5.27
+3000.example.		5M IN A		10.0.5.28
+3000.example.		5M IN A		10.0.5.29
+3000.example.		5M IN A		10.0.5.30
+3000.example.		5M IN A		10.0.5.31
+3000.example.		5M IN A		10.0.5.32
+3000.example.		5M IN A		10.0.5.33
+3000.example.		5M IN A		10.0.5.34
+3000.example.		5M IN A		10.0.5.35
+3000.example.		5M IN A		10.0.5.36
+3000.example.		5M IN A		10.0.5.37
+3000.example.		5M IN A		10.0.5.38
+3000.example.		5M IN A		10.0.5.39
+3000.example.		5M IN A		10.0.5.40
+3000.example.		5M IN A		10.0.5.41
+3000.example.		5M IN A		10.0.5.42
+3000.example.		5M IN A		10.0.5.43
+3000.example.		5M IN A		10.0.5.44
+3000.example.		5M IN A		10.0.5.45
+3000.example.		5M IN A		10.0.5.46
+3000.example.		5M IN A		10.0.5.47
+3000.example.		5M IN A		10.0.5.48
+3000.example.		5M IN A		10.0.5.49
+3000.example.		5M IN A		10.0.5.50
+3000.example.		5M IN A		10.0.5.51
+3000.example.		5M IN A		10.0.5.52
+3000.example.		5M IN A		10.0.5.53
+3000.example.		5M IN A		10.0.5.54
+3000.example.		5M IN A		10.0.5.55
+3000.example.		5M IN A		10.0.5.56
+3000.example.		5M IN A		10.0.5.57
+3000.example.		5M IN A		10.0.5.58
+3000.example.		5M IN A		10.0.5.59
+3000.example.		5M IN A		10.0.5.60
+3000.example.		5M IN A		10.0.5.61
+3000.example.		5M IN A		10.0.5.62
+3000.example.		5M IN A		10.0.5.63
+3000.example.		5M IN A		10.0.5.64
+3000.example.		5M IN A		10.0.5.65
+3000.example.		5M IN A		10.0.5.66
+3000.example.		5M IN A		10.0.5.67
+3000.example.		5M IN A		10.0.5.68
+3000.example.		5M IN A		10.0.5.69
+3000.example.		5M IN A		10.0.5.70
+3000.example.		5M IN A		10.0.5.71
+3000.example.		5M IN A		10.0.5.72
+3000.example.		5M IN A		10.0.5.73
+3000.example.		5M IN A		10.0.5.74
+3000.example.		5M IN A		10.0.5.75
+3000.example.		5M IN A		10.0.5.76
+3000.example.		5M IN A		10.0.5.77
+3000.example.		5M IN A		10.0.5.78
+3000.example.		5M IN A		10.0.5.79
+3000.example.		5M IN A		10.0.5.80
+3000.example.		5M IN A		10.0.5.81
+3000.example.		5M IN A		10.0.5.82
+3000.example.		5M IN A		10.0.5.83
+3000.example.		5M IN A		10.0.5.84
+3000.example.		5M IN A		10.0.5.85
+3000.example.		5M IN A		10.0.5.86
+3000.example.		5M IN A		10.0.5.87
+3000.example.		5M IN A		10.0.5.88
+3000.example.		5M IN A		10.0.5.89
+3000.example.		5M IN A		10.0.5.90
+3000.example.		5M IN A		10.0.5.91
+3000.example.		5M IN A		10.0.5.92
+3000.example.		5M IN A		10.0.5.93
+3000.example.		5M IN A		10.0.5.94
+3000.example.		5M IN A		10.0.5.95
+3000.example.		5M IN A		10.0.5.96
+3000.example.		5M IN A		10.0.5.97
+3000.example.		5M IN A		10.0.5.98
+3000.example.		5M IN A		10.0.5.99
+3000.example.		5M IN A		10.0.5.100
+3000.example.		5M IN A		10.0.5.101
+3000.example.		5M IN A		10.0.5.102
+3000.example.		5M IN A		10.0.5.103
+3000.example.		5M IN A		10.0.5.104
+3000.example.		5M IN A		10.0.5.105
+3000.example.		5M IN A		10.0.5.106
+3000.example.		5M IN A		10.0.5.107
+3000.example.		5M IN A		10.0.5.108
+3000.example.		5M IN A		10.0.5.109
+3000.example.		5M IN A		10.0.5.110
+3000.example.		5M IN A		10.0.5.111
+3000.example.		5M IN A		10.0.5.112
+3000.example.		5M IN A		10.0.5.113
+3000.example.		5M IN A		10.0.5.114
+3000.example.		5M IN A		10.0.5.115
+3000.example.		5M IN A		10.0.5.116
+3000.example.		5M IN A		10.0.5.117
+3000.example.		5M IN A		10.0.5.118
+3000.example.		5M IN A		10.0.5.119
+3000.example.		5M IN A		10.0.5.120
+3000.example.		5M IN A		10.0.5.121
+3000.example.		5M IN A		10.0.5.122
+3000.example.		5M IN A		10.0.5.123
+3000.example.		5M IN A		10.0.5.124
+3000.example.		5M IN A		10.0.5.125
+3000.example.		5M IN A		10.0.5.126
+3000.example.		5M IN A		10.0.5.127
+3000.example.		5M IN A		10.0.5.128
+3000.example.		5M IN A		10.0.5.129
+3000.example.		5M IN A		10.0.5.130
+3000.example.		5M IN A		10.0.5.131
+3000.example.		5M IN A		10.0.5.132
+3000.example.		5M IN A		10.0.5.133
+3000.example.		5M IN A		10.0.5.134
+3000.example.		5M IN A		10.0.5.135
+3000.example.		5M IN A		10.0.5.136
+3000.example.		5M IN A		10.0.5.137
+3000.example.		5M IN A		10.0.5.138
+3000.example.		5M IN A		10.0.5.139
+3000.example.		5M IN A		10.0.5.140
+3000.example.		5M IN A		10.0.5.141
+3000.example.		5M IN A		10.0.5.142
+3000.example.		5M IN A		10.0.5.143
+3000.example.		5M IN A		10.0.5.144
+3000.example.		5M IN A		10.0.5.145
+3000.example.		5M IN A		10.0.5.146
+3000.example.		5M IN A		10.0.5.147
+3000.example.		5M IN A		10.0.5.148
+3000.example.		5M IN A		10.0.5.149
+3000.example.		5M IN A		10.0.5.150
+3000.example.		5M IN A		10.0.5.151
+3000.example.		5M IN A		10.0.5.152
+3000.example.		5M IN A		10.0.5.153
+3000.example.		5M IN A		10.0.5.154
+3000.example.		5M IN A		10.0.5.155
+3000.example.		5M IN A		10.0.5.156
+3000.example.		5M IN A		10.0.5.157
+3000.example.		5M IN A		10.0.5.158
+3000.example.		5M IN A		10.0.5.159
+3000.example.		5M IN A		10.0.5.160
+3000.example.		5M IN A		10.0.5.161
+3000.example.		5M IN A		10.0.5.162
+3000.example.		5M IN A		10.0.5.163
+3000.example.		5M IN A		10.0.5.164
+3000.example.		5M IN A		10.0.5.165
+3000.example.		5M IN A		10.0.5.166
+3000.example.		5M IN A		10.0.5.167
+3000.example.		5M IN A		10.0.5.168
+3000.example.		5M IN A		10.0.5.169
+3000.example.		5M IN A		10.0.5.170
+3000.example.		5M IN A		10.0.5.171
+3000.example.		5M IN A		10.0.5.172
+3000.example.		5M IN A		10.0.5.173
+3000.example.		5M IN A		10.0.5.174
+3000.example.		5M IN A		10.0.5.175
+3000.example.		5M IN A		10.0.5.176
+3000.example.		5M IN A		10.0.5.177
+3000.example.		5M IN A		10.0.5.178
+3000.example.		5M IN A		10.0.5.179
+3000.example.		5M IN A		10.0.5.180
+3000.example.		5M IN A		10.0.5.181
+3000.example.		5M IN A		10.0.5.182
+3000.example.		5M IN A		10.0.5.183
+3000.example.		5M IN A		10.0.5.184
+3000.example.		5M IN A		10.0.5.185
+3000.example.		5M IN A		10.0.5.186
+3000.example.		5M IN A		10.0.5.187
+3000.example.		5M IN A		10.0.5.188
+3000.example.		5M IN A		10.0.5.189
+3000.example.		5M IN A		10.0.5.190
+3000.example.		5M IN A		10.0.5.191
+3000.example.		5M IN A		10.0.5.192
+3000.example.		5M IN A		10.0.5.193
+3000.example.		5M IN A		10.0.5.194
+3000.example.		5M IN A		10.0.5.195
+3000.example.		5M IN A		10.0.5.196
+3000.example.		5M IN A		10.0.5.197
+3000.example.		5M IN A		10.0.5.198
+3000.example.		5M IN A		10.0.5.199
+3000.example.		5M IN A		10.0.5.200
+3000.example.		5M IN A		10.0.5.201
+3000.example.		5M IN A		10.0.5.202
+3000.example.		5M IN A		10.0.5.203
+3000.example.		5M IN A		10.0.5.204
+3000.example.		5M IN A		10.0.5.205
+3000.example.		5M IN A		10.0.5.206
+3000.example.		5M IN A		10.0.5.207
+3000.example.		5M IN A		10.0.5.208
+3000.example.		5M IN A		10.0.5.209
+3000.example.		5M IN A		10.0.5.210
+3000.example.		5M IN A		10.0.5.211
+3000.example.		5M IN A		10.0.5.212
+3000.example.		5M IN A		10.0.5.213
+3000.example.		5M IN A		10.0.5.214
+3000.example.		5M IN A		10.0.5.215
+3000.example.		5M IN A		10.0.5.216
+3000.example.		5M IN A		10.0.5.217
+3000.example.		5M IN A		10.0.5.218
+3000.example.		5M IN A		10.0.5.219
+3000.example.		5M IN A		10.0.5.220
+3000.example.		5M IN A		10.0.5.221
+3000.example.		5M IN A		10.0.5.222
+3000.example.		5M IN A		10.0.5.223
+3000.example.		5M IN A		10.0.5.224
+3000.example.		5M IN A		10.0.5.225
+3000.example.		5M IN A		10.0.5.226
+3000.example.		5M IN A		10.0.5.227
+3000.example.		5M IN A		10.0.5.228
+3000.example.		5M IN A		10.0.5.229
+3000.example.		5M IN A		10.0.5.230
+3000.example.		5M IN A		10.0.5.231
+3000.example.		5M IN A		10.0.5.232
+3000.example.		5M IN A		10.0.5.233
+3000.example.		5M IN A		10.0.5.234
+3000.example.		5M IN A		10.0.5.235
+3000.example.		5M IN A		10.0.5.236
+3000.example.		5M IN A		10.0.5.237
+3000.example.		5M IN A		10.0.5.238
+3000.example.		5M IN A		10.0.5.239
+3000.example.		5M IN A		10.0.5.240
+3000.example.		5M IN A		10.0.5.241
+3000.example.		5M IN A		10.0.5.242
+3000.example.		5M IN A		10.0.5.243
+3000.example.		5M IN A		10.0.5.244
+3000.example.		5M IN A		10.0.5.245
+3000.example.		5M IN A		10.0.5.246
+3000.example.		5M IN A		10.0.5.247
+3000.example.		5M IN A		10.0.5.248
+3000.example.		5M IN A		10.0.5.249
+3000.example.		5M IN A		10.0.5.250
+3000.example.		5M IN A		10.0.5.251
+3000.example.		5M IN A		10.0.5.252
+3000.example.		5M IN A		10.0.5.253
+3000.example.		5M IN A		10.0.5.254
+3000.example.		5M IN A		10.0.5.255
+3000.example.		5M IN A		10.0.6.0
+3000.example.		5M IN A		10.0.6.1
+3000.example.		5M IN A		10.0.6.2
+3000.example.		5M IN A		10.0.6.3
+3000.example.		5M IN A		10.0.6.4
+3000.example.		5M IN A		10.0.6.5
+3000.example.		5M IN A		10.0.6.6
+3000.example.		5M IN A		10.0.6.7
+3000.example.		5M IN A		10.0.6.8
+3000.example.		5M IN A		10.0.6.9
+3000.example.		5M IN A		10.0.6.10
+3000.example.		5M IN A		10.0.6.11
+3000.example.		5M IN A		10.0.6.12
+3000.example.		5M IN A		10.0.6.13
+3000.example.		5M IN A		10.0.6.14
+3000.example.		5M IN A		10.0.6.15
+3000.example.		5M IN A		10.0.6.16
+3000.example.		5M IN A		10.0.6.17
+3000.example.		5M IN A		10.0.6.18
+3000.example.		5M IN A		10.0.6.19
+3000.example.		5M IN A		10.0.6.20
+3000.example.		5M IN A		10.0.6.21
+3000.example.		5M IN A		10.0.6.22
+3000.example.		5M IN A		10.0.6.23
+3000.example.		5M IN A		10.0.6.24
+3000.example.		5M IN A		10.0.6.25
+3000.example.		5M IN A		10.0.6.26
+3000.example.		5M IN A		10.0.6.27
+3000.example.		5M IN A		10.0.6.28
+3000.example.		5M IN A		10.0.6.29
+3000.example.		5M IN A		10.0.6.30
+3000.example.		5M IN A		10.0.6.31
+3000.example.		5M IN A		10.0.6.32
+3000.example.		5M IN A		10.0.6.33
+3000.example.		5M IN A		10.0.6.34
+3000.example.		5M IN A		10.0.6.35
+3000.example.		5M IN A		10.0.6.36
+3000.example.		5M IN A		10.0.6.37
+3000.example.		5M IN A		10.0.6.38
+3000.example.		5M IN A		10.0.6.39
+3000.example.		5M IN A		10.0.6.40
+3000.example.		5M IN A		10.0.6.41
+3000.example.		5M IN A		10.0.6.42
+3000.example.		5M IN A		10.0.6.43
+3000.example.		5M IN A		10.0.6.44
+3000.example.		5M IN A		10.0.6.45
+3000.example.		5M IN A		10.0.6.46
+3000.example.		5M IN A		10.0.6.47
+3000.example.		5M IN A		10.0.6.48
+3000.example.		5M IN A		10.0.6.49
+3000.example.		5M IN A		10.0.6.50
+3000.example.		5M IN A		10.0.6.51
+3000.example.		5M IN A		10.0.6.52
+3000.example.		5M IN A		10.0.6.53
+3000.example.		5M IN A		10.0.6.54
+3000.example.		5M IN A		10.0.6.55
+3000.example.		5M IN A		10.0.6.56
+3000.example.		5M IN A		10.0.6.57
+3000.example.		5M IN A		10.0.6.58
+3000.example.		5M IN A		10.0.6.59
+3000.example.		5M IN A		10.0.6.60
+3000.example.		5M IN A		10.0.6.61
+3000.example.		5M IN A		10.0.6.62
+3000.example.		5M IN A		10.0.6.63
+3000.example.		5M IN A		10.0.6.64
+3000.example.		5M IN A		10.0.6.65
+3000.example.		5M IN A		10.0.6.66
+3000.example.		5M IN A		10.0.6.67
+3000.example.		5M IN A		10.0.6.68
+3000.example.		5M IN A		10.0.6.69
+3000.example.		5M IN A		10.0.6.70
+3000.example.		5M IN A		10.0.6.71
+3000.example.		5M IN A		10.0.6.72
+3000.example.		5M IN A		10.0.6.73
+3000.example.		5M IN A		10.0.6.74
+3000.example.		5M IN A		10.0.6.75
+3000.example.		5M IN A		10.0.6.76
+3000.example.		5M IN A		10.0.6.77
+3000.example.		5M IN A		10.0.6.78
+3000.example.		5M IN A		10.0.6.79
+3000.example.		5M IN A		10.0.6.80
+3000.example.		5M IN A		10.0.6.81
+3000.example.		5M IN A		10.0.6.82
+3000.example.		5M IN A		10.0.6.83
+3000.example.		5M IN A		10.0.6.84
+3000.example.		5M IN A		10.0.6.85
+3000.example.		5M IN A		10.0.6.86
+3000.example.		5M IN A		10.0.6.87
+3000.example.		5M IN A		10.0.6.88
+3000.example.		5M IN A		10.0.6.89
+3000.example.		5M IN A		10.0.6.90
+3000.example.		5M IN A		10.0.6.91
+3000.example.		5M IN A		10.0.6.92
+3000.example.		5M IN A		10.0.6.93
+3000.example.		5M IN A		10.0.6.94
+3000.example.		5M IN A		10.0.6.95
+3000.example.		5M IN A		10.0.6.96
+3000.example.		5M IN A		10.0.6.97
+3000.example.		5M IN A		10.0.6.98
+3000.example.		5M IN A		10.0.6.99
+3000.example.		5M IN A		10.0.6.100
+3000.example.		5M IN A		10.0.6.101
+3000.example.		5M IN A		10.0.6.102
+3000.example.		5M IN A		10.0.6.103
+3000.example.		5M IN A		10.0.6.104
+3000.example.		5M IN A		10.0.6.105
+3000.example.		5M IN A		10.0.6.106
+3000.example.		5M IN A		10.0.6.107
+3000.example.		5M IN A		10.0.6.108
+3000.example.		5M IN A		10.0.6.109
+3000.example.		5M IN A		10.0.6.110
+3000.example.		5M IN A		10.0.6.111
+3000.example.		5M IN A		10.0.6.112
+3000.example.		5M IN A		10.0.6.113
+3000.example.		5M IN A		10.0.6.114
+3000.example.		5M IN A		10.0.6.115
+3000.example.		5M IN A		10.0.6.116
+3000.example.		5M IN A		10.0.6.117
+3000.example.		5M IN A		10.0.6.118
+3000.example.		5M IN A		10.0.6.119
+3000.example.		5M IN A		10.0.6.120
+3000.example.		5M IN A		10.0.6.121
+3000.example.		5M IN A		10.0.6.122
+3000.example.		5M IN A		10.0.6.123
+3000.example.		5M IN A		10.0.6.124
+3000.example.		5M IN A		10.0.6.125
+3000.example.		5M IN A		10.0.6.126
+3000.example.		5M IN A		10.0.6.127
+3000.example.		5M IN A		10.0.6.128
+3000.example.		5M IN A		10.0.6.129
+3000.example.		5M IN A		10.0.6.130
+3000.example.		5M IN A		10.0.6.131
+3000.example.		5M IN A		10.0.6.132
+3000.example.		5M IN A		10.0.6.133
+3000.example.		5M IN A		10.0.6.134
+3000.example.		5M IN A		10.0.6.135
+3000.example.		5M IN A		10.0.6.136
+3000.example.		5M IN A		10.0.6.137
+3000.example.		5M IN A		10.0.6.138
+3000.example.		5M IN A		10.0.6.139
+3000.example.		5M IN A		10.0.6.140
+3000.example.		5M IN A		10.0.6.141
+3000.example.		5M IN A		10.0.6.142
+3000.example.		5M IN A		10.0.6.143
+3000.example.		5M IN A		10.0.6.144
+3000.example.		5M IN A		10.0.6.145
+3000.example.		5M IN A		10.0.6.146
+3000.example.		5M IN A		10.0.6.147
+3000.example.		5M IN A		10.0.6.148
+3000.example.		5M IN A		10.0.6.149
+3000.example.		5M IN A		10.0.6.150
+3000.example.		5M IN A		10.0.6.151
+3000.example.		5M IN A		10.0.6.152
+3000.example.		5M IN A		10.0.6.153
+3000.example.		5M IN A		10.0.6.154
+3000.example.		5M IN A		10.0.6.155
+3000.example.		5M IN A		10.0.6.156
+3000.example.		5M IN A		10.0.6.157
+3000.example.		5M IN A		10.0.6.158
+3000.example.		5M IN A		10.0.6.159
+3000.example.		5M IN A		10.0.6.160
+3000.example.		5M IN A		10.0.6.161
+3000.example.		5M IN A		10.0.6.162
+3000.example.		5M IN A		10.0.6.163
+3000.example.		5M IN A		10.0.6.164
+3000.example.		5M IN A		10.0.6.165
+3000.example.		5M IN A		10.0.6.166
+3000.example.		5M IN A		10.0.6.167
+3000.example.		5M IN A		10.0.6.168
+3000.example.		5M IN A		10.0.6.169
+3000.example.		5M IN A		10.0.6.170
+3000.example.		5M IN A		10.0.6.171
+3000.example.		5M IN A		10.0.6.172
+3000.example.		5M IN A		10.0.6.173
+3000.example.		5M IN A		10.0.6.174
+3000.example.		5M IN A		10.0.6.175
+3000.example.		5M IN A		10.0.6.176
+3000.example.		5M IN A		10.0.6.177
+3000.example.		5M IN A		10.0.6.178
+3000.example.		5M IN A		10.0.6.179
+3000.example.		5M IN A		10.0.6.180
+3000.example.		5M IN A		10.0.6.181
+3000.example.		5M IN A		10.0.6.182
+3000.example.		5M IN A		10.0.6.183
+3000.example.		5M IN A		10.0.6.184
+3000.example.		5M IN A		10.0.6.185
+3000.example.		5M IN A		10.0.6.186
+3000.example.		5M IN A		10.0.6.187
+3000.example.		5M IN A		10.0.6.188
+3000.example.		5M IN A		10.0.6.189
+3000.example.		5M IN A		10.0.6.190
+3000.example.		5M IN A		10.0.6.191
+3000.example.		5M IN A		10.0.6.192
+3000.example.		5M IN A		10.0.6.193
+3000.example.		5M IN A		10.0.6.194
+3000.example.		5M IN A		10.0.6.195
+3000.example.		5M IN A		10.0.6.196
+3000.example.		5M IN A		10.0.6.197
+3000.example.		5M IN A		10.0.6.198
+3000.example.		5M IN A		10.0.6.199
+3000.example.		5M IN A		10.0.6.200
+3000.example.		5M IN A		10.0.6.201
+3000.example.		5M IN A		10.0.6.202
+3000.example.		5M IN A		10.0.6.203
+3000.example.		5M IN A		10.0.6.204
+3000.example.		5M IN A		10.0.6.205
+3000.example.		5M IN A		10.0.6.206
+3000.example.		5M IN A		10.0.6.207
+3000.example.		5M IN A		10.0.6.208
+3000.example.		5M IN A		10.0.6.209
+3000.example.		5M IN A		10.0.6.210
+3000.example.		5M IN A		10.0.6.211
+3000.example.		5M IN A		10.0.6.212
+3000.example.		5M IN A		10.0.6.213
+3000.example.		5M IN A		10.0.6.214
+3000.example.		5M IN A		10.0.6.215
+3000.example.		5M IN A		10.0.6.216
+3000.example.		5M IN A		10.0.6.217
+3000.example.		5M IN A		10.0.6.218
+3000.example.		5M IN A		10.0.6.219
+3000.example.		5M IN A		10.0.6.220
+3000.example.		5M IN A		10.0.6.221
+3000.example.		5M IN A		10.0.6.222
+3000.example.		5M IN A		10.0.6.223
+3000.example.		5M IN A		10.0.6.224
+3000.example.		5M IN A		10.0.6.225
+3000.example.		5M IN A		10.0.6.226
+3000.example.		5M IN A		10.0.6.227
+3000.example.		5M IN A		10.0.6.228
+3000.example.		5M IN A		10.0.6.229
+3000.example.		5M IN A		10.0.6.230
+3000.example.		5M IN A		10.0.6.231
+3000.example.		5M IN A		10.0.6.232
+3000.example.		5M IN A		10.0.6.233
+3000.example.		5M IN A		10.0.6.234
+3000.example.		5M IN A		10.0.6.235
+3000.example.		5M IN A		10.0.6.236
+3000.example.		5M IN A		10.0.6.237
+3000.example.		5M IN A		10.0.6.238
+3000.example.		5M IN A		10.0.6.239
+3000.example.		5M IN A		10.0.6.240
+3000.example.		5M IN A		10.0.6.241
+3000.example.		5M IN A		10.0.6.242
+3000.example.		5M IN A		10.0.6.243
+3000.example.		5M IN A		10.0.6.244
+3000.example.		5M IN A		10.0.6.245
+3000.example.		5M IN A		10.0.6.246
+3000.example.		5M IN A		10.0.6.247
+3000.example.		5M IN A		10.0.6.248
+3000.example.		5M IN A		10.0.6.249
+3000.example.		5M IN A		10.0.6.250
+3000.example.		5M IN A		10.0.6.251
+3000.example.		5M IN A		10.0.6.252
+3000.example.		5M IN A		10.0.6.253
+3000.example.		5M IN A		10.0.6.254
+3000.example.		5M IN A		10.0.6.255
+3000.example.		5M IN A		10.0.7.0
+3000.example.		5M IN A		10.0.7.1
+3000.example.		5M IN A		10.0.7.2
+3000.example.		5M IN A		10.0.7.3
+3000.example.		5M IN A		10.0.7.4
+3000.example.		5M IN A		10.0.7.5
+3000.example.		5M IN A		10.0.7.6
+3000.example.		5M IN A		10.0.7.7
+3000.example.		5M IN A		10.0.7.8
+3000.example.		5M IN A		10.0.7.9
+3000.example.		5M IN A		10.0.7.10
+3000.example.		5M IN A		10.0.7.11
+3000.example.		5M IN A		10.0.7.12
+3000.example.		5M IN A		10.0.7.13
+3000.example.		5M IN A		10.0.7.14
+3000.example.		5M IN A		10.0.7.15
+3000.example.		5M IN A		10.0.7.16
+3000.example.		5M IN A		10.0.7.17
+3000.example.		5M IN A		10.0.7.18
+3000.example.		5M IN A		10.0.7.19
+3000.example.		5M IN A		10.0.7.20
+3000.example.		5M IN A		10.0.7.21
+3000.example.		5M IN A		10.0.7.22
+3000.example.		5M IN A		10.0.7.23
+3000.example.		5M IN A		10.0.7.24
+3000.example.		5M IN A		10.0.7.25
+3000.example.		5M IN A		10.0.7.26
+3000.example.		5M IN A		10.0.7.27
+3000.example.		5M IN A		10.0.7.28
+3000.example.		5M IN A		10.0.7.29
+3000.example.		5M IN A		10.0.7.30
+3000.example.		5M IN A		10.0.7.31
+3000.example.		5M IN A		10.0.7.32
+3000.example.		5M IN A		10.0.7.33
+3000.example.		5M IN A		10.0.7.34
+3000.example.		5M IN A		10.0.7.35
+3000.example.		5M IN A		10.0.7.36
+3000.example.		5M IN A		10.0.7.37
+3000.example.		5M IN A		10.0.7.38
+3000.example.		5M IN A		10.0.7.39
+3000.example.		5M IN A		10.0.7.40
+3000.example.		5M IN A		10.0.7.41
+3000.example.		5M IN A		10.0.7.42
+3000.example.		5M IN A		10.0.7.43
+3000.example.		5M IN A		10.0.7.44
+3000.example.		5M IN A		10.0.7.45
+3000.example.		5M IN A		10.0.7.46
+3000.example.		5M IN A		10.0.7.47
+3000.example.		5M IN A		10.0.7.48
+3000.example.		5M IN A		10.0.7.49
+3000.example.		5M IN A		10.0.7.50
+3000.example.		5M IN A		10.0.7.51
+3000.example.		5M IN A		10.0.7.52
+3000.example.		5M IN A		10.0.7.53
+3000.example.		5M IN A		10.0.7.54
+3000.example.		5M IN A		10.0.7.55
+3000.example.		5M IN A		10.0.7.56
+3000.example.		5M IN A		10.0.7.57
+3000.example.		5M IN A		10.0.7.58
+3000.example.		5M IN A		10.0.7.59
+3000.example.		5M IN A		10.0.7.60
+3000.example.		5M IN A		10.0.7.61
+3000.example.		5M IN A		10.0.7.62
+3000.example.		5M IN A		10.0.7.63
+3000.example.		5M IN A		10.0.7.64
+3000.example.		5M IN A		10.0.7.65
+3000.example.		5M IN A		10.0.7.66
+3000.example.		5M IN A		10.0.7.67
+3000.example.		5M IN A		10.0.7.68
+3000.example.		5M IN A		10.0.7.69
+3000.example.		5M IN A		10.0.7.70
+3000.example.		5M IN A		10.0.7.71
+3000.example.		5M IN A		10.0.7.72
+3000.example.		5M IN A		10.0.7.73
+3000.example.		5M IN A		10.0.7.74
+3000.example.		5M IN A		10.0.7.75
+3000.example.		5M IN A		10.0.7.76
+3000.example.		5M IN A		10.0.7.77
+3000.example.		5M IN A		10.0.7.78
+3000.example.		5M IN A		10.0.7.79
+3000.example.		5M IN A		10.0.7.80
+3000.example.		5M IN A		10.0.7.81
+3000.example.		5M IN A		10.0.7.82
+3000.example.		5M IN A		10.0.7.83
+3000.example.		5M IN A		10.0.7.84
+3000.example.		5M IN A		10.0.7.85
+3000.example.		5M IN A		10.0.7.86
+3000.example.		5M IN A		10.0.7.87
+3000.example.		5M IN A		10.0.7.88
+3000.example.		5M IN A		10.0.7.89
+3000.example.		5M IN A		10.0.7.90
+3000.example.		5M IN A		10.0.7.91
+3000.example.		5M IN A		10.0.7.92
+3000.example.		5M IN A		10.0.7.93
+3000.example.		5M IN A		10.0.7.94
+3000.example.		5M IN A		10.0.7.95
+3000.example.		5M IN A		10.0.7.96
+3000.example.		5M IN A		10.0.7.97
+3000.example.		5M IN A		10.0.7.98
+3000.example.		5M IN A		10.0.7.99
+3000.example.		5M IN A		10.0.7.100
+3000.example.		5M IN A		10.0.7.101
+3000.example.		5M IN A		10.0.7.102
+3000.example.		5M IN A		10.0.7.103
+3000.example.		5M IN A		10.0.7.104
+3000.example.		5M IN A		10.0.7.105
+3000.example.		5M IN A		10.0.7.106
+3000.example.		5M IN A		10.0.7.107
+3000.example.		5M IN A		10.0.7.108
+3000.example.		5M IN A		10.0.7.109
+3000.example.		5M IN A		10.0.7.110
+3000.example.		5M IN A		10.0.7.111
+3000.example.		5M IN A		10.0.7.112
+3000.example.		5M IN A		10.0.7.113
+3000.example.		5M IN A		10.0.7.114
+3000.example.		5M IN A		10.0.7.115
+3000.example.		5M IN A		10.0.7.116
+3000.example.		5M IN A		10.0.7.117
+3000.example.		5M IN A		10.0.7.118
+3000.example.		5M IN A		10.0.7.119
+3000.example.		5M IN A		10.0.7.120
+3000.example.		5M IN A		10.0.7.121
+3000.example.		5M IN A		10.0.7.122
+3000.example.		5M IN A		10.0.7.123
+3000.example.		5M IN A		10.0.7.124
+3000.example.		5M IN A		10.0.7.125
+3000.example.		5M IN A		10.0.7.126
+3000.example.		5M IN A		10.0.7.127
+3000.example.		5M IN A		10.0.7.128
+3000.example.		5M IN A		10.0.7.129
+3000.example.		5M IN A		10.0.7.130
+3000.example.		5M IN A		10.0.7.131
+3000.example.		5M IN A		10.0.7.132
+3000.example.		5M IN A		10.0.7.133
+3000.example.		5M IN A		10.0.7.134
+3000.example.		5M IN A		10.0.7.135
+3000.example.		5M IN A		10.0.7.136
+3000.example.		5M IN A		10.0.7.137
+3000.example.		5M IN A		10.0.7.138
+3000.example.		5M IN A		10.0.7.139
+3000.example.		5M IN A		10.0.7.140
+3000.example.		5M IN A		10.0.7.141
+3000.example.		5M IN A		10.0.7.142
+3000.example.		5M IN A		10.0.7.143
+3000.example.		5M IN A		10.0.7.144
+3000.example.		5M IN A		10.0.7.145
+3000.example.		5M IN A		10.0.7.146
+3000.example.		5M IN A		10.0.7.147
+3000.example.		5M IN A		10.0.7.148
+3000.example.		5M IN A		10.0.7.149
+3000.example.		5M IN A		10.0.7.150
+3000.example.		5M IN A		10.0.7.151
+3000.example.		5M IN A		10.0.7.152
+3000.example.		5M IN A		10.0.7.153
+3000.example.		5M IN A		10.0.7.154
+3000.example.		5M IN A		10.0.7.155
+3000.example.		5M IN A		10.0.7.156
+3000.example.		5M IN A		10.0.7.157
+3000.example.		5M IN A		10.0.7.158
+3000.example.		5M IN A		10.0.7.159
+3000.example.		5M IN A		10.0.7.160
+3000.example.		5M IN A		10.0.7.161
+3000.example.		5M IN A		10.0.7.162
+3000.example.		5M IN A		10.0.7.163
+3000.example.		5M IN A		10.0.7.164
+3000.example.		5M IN A		10.0.7.165
+3000.example.		5M IN A		10.0.7.166
+3000.example.		5M IN A		10.0.7.167
+3000.example.		5M IN A		10.0.7.168
+3000.example.		5M IN A		10.0.7.169
+3000.example.		5M IN A		10.0.7.170
+3000.example.		5M IN A		10.0.7.171
+3000.example.		5M IN A		10.0.7.172
+3000.example.		5M IN A		10.0.7.173
+3000.example.		5M IN A		10.0.7.174
+3000.example.		5M IN A		10.0.7.175
+3000.example.		5M IN A		10.0.7.176
+3000.example.		5M IN A		10.0.7.177
+3000.example.		5M IN A		10.0.7.178
+3000.example.		5M IN A		10.0.7.179
+3000.example.		5M IN A		10.0.7.180
+3000.example.		5M IN A		10.0.7.181
+3000.example.		5M IN A		10.0.7.182
+3000.example.		5M IN A		10.0.7.183
+3000.example.		5M IN A		10.0.7.184
+3000.example.		5M IN A		10.0.7.185
+3000.example.		5M IN A		10.0.7.186
+3000.example.		5M IN A		10.0.7.187
+3000.example.		5M IN A		10.0.7.188
+3000.example.		5M IN A		10.0.7.189
+3000.example.		5M IN A		10.0.7.190
+3000.example.		5M IN A		10.0.7.191
+3000.example.		5M IN A		10.0.7.192
+3000.example.		5M IN A		10.0.7.193
+3000.example.		5M IN A		10.0.7.194
+3000.example.		5M IN A		10.0.7.195
+3000.example.		5M IN A		10.0.7.196
+3000.example.		5M IN A		10.0.7.197
+3000.example.		5M IN A		10.0.7.198
+3000.example.		5M IN A		10.0.7.199
+3000.example.		5M IN A		10.0.7.200
+3000.example.		5M IN A		10.0.7.201
+3000.example.		5M IN A		10.0.7.202
+3000.example.		5M IN A		10.0.7.203
+3000.example.		5M IN A		10.0.7.204
+3000.example.		5M IN A		10.0.7.205
+3000.example.		5M IN A		10.0.7.206
+3000.example.		5M IN A		10.0.7.207
+3000.example.		5M IN A		10.0.7.208
+3000.example.		5M IN A		10.0.7.209
+3000.example.		5M IN A		10.0.7.210
+3000.example.		5M IN A		10.0.7.211
+3000.example.		5M IN A		10.0.7.212
+3000.example.		5M IN A		10.0.7.213
+3000.example.		5M IN A		10.0.7.214
+3000.example.		5M IN A		10.0.7.215
+3000.example.		5M IN A		10.0.7.216
+3000.example.		5M IN A		10.0.7.217
+3000.example.		5M IN A		10.0.7.218
+3000.example.		5M IN A		10.0.7.219
+3000.example.		5M IN A		10.0.7.220
+3000.example.		5M IN A		10.0.7.221
+3000.example.		5M IN A		10.0.7.222
+3000.example.		5M IN A		10.0.7.223
+3000.example.		5M IN A		10.0.7.224
+3000.example.		5M IN A		10.0.7.225
+3000.example.		5M IN A		10.0.7.226
+3000.example.		5M IN A		10.0.7.227
+3000.example.		5M IN A		10.0.7.228
+3000.example.		5M IN A		10.0.7.229
+3000.example.		5M IN A		10.0.7.230
+3000.example.		5M IN A		10.0.7.231
+3000.example.		5M IN A		10.0.7.232
+3000.example.		5M IN A		10.0.7.233
+3000.example.		5M IN A		10.0.7.234
+3000.example.		5M IN A		10.0.7.235
+3000.example.		5M IN A		10.0.7.236
+3000.example.		5M IN A		10.0.7.237
+3000.example.		5M IN A		10.0.7.238
+3000.example.		5M IN A		10.0.7.239
+3000.example.		5M IN A		10.0.7.240
+3000.example.		5M IN A		10.0.7.241
+3000.example.		5M IN A		10.0.7.242
+3000.example.		5M IN A		10.0.7.243
+3000.example.		5M IN A		10.0.7.244
+3000.example.		5M IN A		10.0.7.245
+3000.example.		5M IN A		10.0.7.246
+3000.example.		5M IN A		10.0.7.247
+3000.example.		5M IN A		10.0.7.248
+3000.example.		5M IN A		10.0.7.249
+3000.example.		5M IN A		10.0.7.250
+3000.example.		5M IN A		10.0.7.251
+3000.example.		5M IN A		10.0.7.252
+3000.example.		5M IN A		10.0.7.253
+3000.example.		5M IN A		10.0.7.254
+3000.example.		5M IN A		10.0.7.255
+3000.example.		5M IN A		10.0.8.0
+3000.example.		5M IN A		10.0.8.1
+3000.example.		5M IN A		10.0.8.2
+3000.example.		5M IN A		10.0.8.3
+3000.example.		5M IN A		10.0.8.4
+3000.example.		5M IN A		10.0.8.5
+3000.example.		5M IN A		10.0.8.6
+3000.example.		5M IN A		10.0.8.7
+3000.example.		5M IN A		10.0.8.8
+3000.example.		5M IN A		10.0.8.9
+3000.example.		5M IN A		10.0.8.10
+3000.example.		5M IN A		10.0.8.11
+3000.example.		5M IN A		10.0.8.12
+3000.example.		5M IN A		10.0.8.13
+3000.example.		5M IN A		10.0.8.14
+3000.example.		5M IN A		10.0.8.15
+3000.example.		5M IN A		10.0.8.16
+3000.example.		5M IN A		10.0.8.17
+3000.example.		5M IN A		10.0.8.18
+3000.example.		5M IN A		10.0.8.19
+3000.example.		5M IN A		10.0.8.20
+3000.example.		5M IN A		10.0.8.21
+3000.example.		5M IN A		10.0.8.22
+3000.example.		5M IN A		10.0.8.23
+3000.example.		5M IN A		10.0.8.24
+3000.example.		5M IN A		10.0.8.25
+3000.example.		5M IN A		10.0.8.26
+3000.example.		5M IN A		10.0.8.27
+3000.example.		5M IN A		10.0.8.28
+3000.example.		5M IN A		10.0.8.29
+3000.example.		5M IN A		10.0.8.30
+3000.example.		5M IN A		10.0.8.31
+3000.example.		5M IN A		10.0.8.32
+3000.example.		5M IN A		10.0.8.33
+3000.example.		5M IN A		10.0.8.34
+3000.example.		5M IN A		10.0.8.35
+3000.example.		5M IN A		10.0.8.36
+3000.example.		5M IN A		10.0.8.37
+3000.example.		5M IN A		10.0.8.38
+3000.example.		5M IN A		10.0.8.39
+3000.example.		5M IN A		10.0.8.40
+3000.example.		5M IN A		10.0.8.41
+3000.example.		5M IN A		10.0.8.42
+3000.example.		5M IN A		10.0.8.43
+3000.example.		5M IN A		10.0.8.44
+3000.example.		5M IN A		10.0.8.45
+3000.example.		5M IN A		10.0.8.46
+3000.example.		5M IN A		10.0.8.47
+3000.example.		5M IN A		10.0.8.48
+3000.example.		5M IN A		10.0.8.49
+3000.example.		5M IN A		10.0.8.50
+3000.example.		5M IN A		10.0.8.51
+3000.example.		5M IN A		10.0.8.52
+3000.example.		5M IN A		10.0.8.53
+3000.example.		5M IN A		10.0.8.54
+3000.example.		5M IN A		10.0.8.55
+3000.example.		5M IN A		10.0.8.56
+3000.example.		5M IN A		10.0.8.57
+3000.example.		5M IN A		10.0.8.58
+3000.example.		5M IN A		10.0.8.59
+3000.example.		5M IN A		10.0.8.60
+3000.example.		5M IN A		10.0.8.61
+3000.example.		5M IN A		10.0.8.62
+3000.example.		5M IN A		10.0.8.63
+3000.example.		5M IN A		10.0.8.64
+3000.example.		5M IN A		10.0.8.65
+3000.example.		5M IN A		10.0.8.66
+3000.example.		5M IN A		10.0.8.67
+3000.example.		5M IN A		10.0.8.68
+3000.example.		5M IN A		10.0.8.69
+3000.example.		5M IN A		10.0.8.70
+3000.example.		5M IN A		10.0.8.71
+3000.example.		5M IN A		10.0.8.72
+3000.example.		5M IN A		10.0.8.73
+3000.example.		5M IN A		10.0.8.74
+3000.example.		5M IN A		10.0.8.75
+3000.example.		5M IN A		10.0.8.76
+3000.example.		5M IN A		10.0.8.77
+3000.example.		5M IN A		10.0.8.78
+3000.example.		5M IN A		10.0.8.79
+3000.example.		5M IN A		10.0.8.80
+3000.example.		5M IN A		10.0.8.81
+3000.example.		5M IN A		10.0.8.82
+3000.example.		5M IN A		10.0.8.83
+3000.example.		5M IN A		10.0.8.84
+3000.example.		5M IN A		10.0.8.85
+3000.example.		5M IN A		10.0.8.86
+3000.example.		5M IN A		10.0.8.87
+3000.example.		5M IN A		10.0.8.88
+3000.example.		5M IN A		10.0.8.89
+3000.example.		5M IN A		10.0.8.90
+3000.example.		5M IN A		10.0.8.91
+3000.example.		5M IN A		10.0.8.92
+3000.example.		5M IN A		10.0.8.93
+3000.example.		5M IN A		10.0.8.94
+3000.example.		5M IN A		10.0.8.95
+3000.example.		5M IN A		10.0.8.96
+3000.example.		5M IN A		10.0.8.97
+3000.example.		5M IN A		10.0.8.98
+3000.example.		5M IN A		10.0.8.99
+3000.example.		5M IN A		10.0.8.100
+3000.example.		5M IN A		10.0.8.101
+3000.example.		5M IN A		10.0.8.102
+3000.example.		5M IN A		10.0.8.103
+3000.example.		5M IN A		10.0.8.104
+3000.example.		5M IN A		10.0.8.105
+3000.example.		5M IN A		10.0.8.106
+3000.example.		5M IN A		10.0.8.107
+3000.example.		5M IN A		10.0.8.108
+3000.example.		5M IN A		10.0.8.109
+3000.example.		5M IN A		10.0.8.110
+3000.example.		5M IN A		10.0.8.111
+3000.example.		5M IN A		10.0.8.112
+3000.example.		5M IN A		10.0.8.113
+3000.example.		5M IN A		10.0.8.114
+3000.example.		5M IN A		10.0.8.115
+3000.example.		5M IN A		10.0.8.116
+3000.example.		5M IN A		10.0.8.117
+3000.example.		5M IN A		10.0.8.118
+3000.example.		5M IN A		10.0.8.119
+3000.example.		5M IN A		10.0.8.120
+3000.example.		5M IN A		10.0.8.121
+3000.example.		5M IN A		10.0.8.122
+3000.example.		5M IN A		10.0.8.123
+3000.example.		5M IN A		10.0.8.124
+3000.example.		5M IN A		10.0.8.125
+3000.example.		5M IN A		10.0.8.126
+3000.example.		5M IN A		10.0.8.127
+3000.example.		5M IN A		10.0.8.128
+3000.example.		5M IN A		10.0.8.129
+3000.example.		5M IN A		10.0.8.130
+3000.example.		5M IN A		10.0.8.131
+3000.example.		5M IN A		10.0.8.132
+3000.example.		5M IN A		10.0.8.133
+3000.example.		5M IN A		10.0.8.134
+3000.example.		5M IN A		10.0.8.135
+3000.example.		5M IN A		10.0.8.136
+3000.example.		5M IN A		10.0.8.137
+3000.example.		5M IN A		10.0.8.138
+3000.example.		5M IN A		10.0.8.139
+3000.example.		5M IN A		10.0.8.140
+3000.example.		5M IN A		10.0.8.141
+3000.example.		5M IN A		10.0.8.142
+3000.example.		5M IN A		10.0.8.143
+3000.example.		5M IN A		10.0.8.144
+3000.example.		5M IN A		10.0.8.145
+3000.example.		5M IN A		10.0.8.146
+3000.example.		5M IN A		10.0.8.147
+3000.example.		5M IN A		10.0.8.148
+3000.example.		5M IN A		10.0.8.149
+3000.example.		5M IN A		10.0.8.150
+3000.example.		5M IN A		10.0.8.151
+3000.example.		5M IN A		10.0.8.152
+3000.example.		5M IN A		10.0.8.153
+3000.example.		5M IN A		10.0.8.154
+3000.example.		5M IN A		10.0.8.155
+3000.example.		5M IN A		10.0.8.156
+3000.example.		5M IN A		10.0.8.157
+3000.example.		5M IN A		10.0.8.158
+3000.example.		5M IN A		10.0.8.159
+3000.example.		5M IN A		10.0.8.160
+3000.example.		5M IN A		10.0.8.161
+3000.example.		5M IN A		10.0.8.162
+3000.example.		5M IN A		10.0.8.163
+3000.example.		5M IN A		10.0.8.164
+3000.example.		5M IN A		10.0.8.165
+3000.example.		5M IN A		10.0.8.166
+3000.example.		5M IN A		10.0.8.167
+3000.example.		5M IN A		10.0.8.168
+3000.example.		5M IN A		10.0.8.169
+3000.example.		5M IN A		10.0.8.170
+3000.example.		5M IN A		10.0.8.171
+3000.example.		5M IN A		10.0.8.172
+3000.example.		5M IN A		10.0.8.173
+3000.example.		5M IN A		10.0.8.174
+3000.example.		5M IN A		10.0.8.175
+3000.example.		5M IN A		10.0.8.176
+3000.example.		5M IN A		10.0.8.177
+3000.example.		5M IN A		10.0.8.178
+3000.example.		5M IN A		10.0.8.179
+3000.example.		5M IN A		10.0.8.180
+3000.example.		5M IN A		10.0.8.181
+3000.example.		5M IN A		10.0.8.182
+3000.example.		5M IN A		10.0.8.183
+3000.example.		5M IN A		10.0.8.184
+3000.example.		5M IN A		10.0.8.185
+3000.example.		5M IN A		10.0.8.186
+3000.example.		5M IN A		10.0.8.187
+3000.example.		5M IN A		10.0.8.188
+3000.example.		5M IN A		10.0.8.189
+3000.example.		5M IN A		10.0.8.190
+3000.example.		5M IN A		10.0.8.191
+3000.example.		5M IN A		10.0.8.192
+3000.example.		5M IN A		10.0.8.193
+3000.example.		5M IN A		10.0.8.194
+3000.example.		5M IN A		10.0.8.195
+3000.example.		5M IN A		10.0.8.196
+3000.example.		5M IN A		10.0.8.197
+3000.example.		5M IN A		10.0.8.198
+3000.example.		5M IN A		10.0.8.199
+3000.example.		5M IN A		10.0.8.200
+3000.example.		5M IN A		10.0.8.201
+3000.example.		5M IN A		10.0.8.202
+3000.example.		5M IN A		10.0.8.203
+3000.example.		5M IN A		10.0.8.204
+3000.example.		5M IN A		10.0.8.205
+3000.example.		5M IN A		10.0.8.206
+3000.example.		5M IN A		10.0.8.207
+3000.example.		5M IN A		10.0.8.208
+3000.example.		5M IN A		10.0.8.209
+3000.example.		5M IN A		10.0.8.210
+3000.example.		5M IN A		10.0.8.211
+3000.example.		5M IN A		10.0.8.212
+3000.example.		5M IN A		10.0.8.213
+3000.example.		5M IN A		10.0.8.214
+3000.example.		5M IN A		10.0.8.215
+3000.example.		5M IN A		10.0.8.216
+3000.example.		5M IN A		10.0.8.217
+3000.example.		5M IN A		10.0.8.218
+3000.example.		5M IN A		10.0.8.219
+3000.example.		5M IN A		10.0.8.220
+3000.example.		5M IN A		10.0.8.221
+3000.example.		5M IN A		10.0.8.222
+3000.example.		5M IN A		10.0.8.223
+3000.example.		5M IN A		10.0.8.224
+3000.example.		5M IN A		10.0.8.225
+3000.example.		5M IN A		10.0.8.226
+3000.example.		5M IN A		10.0.8.227
+3000.example.		5M IN A		10.0.8.228
+3000.example.		5M IN A		10.0.8.229
+3000.example.		5M IN A		10.0.8.230
+3000.example.		5M IN A		10.0.8.231
+3000.example.		5M IN A		10.0.8.232
+3000.example.		5M IN A		10.0.8.233
+3000.example.		5M IN A		10.0.8.234
+3000.example.		5M IN A		10.0.8.235
+3000.example.		5M IN A		10.0.8.236
+3000.example.		5M IN A		10.0.8.237
+3000.example.		5M IN A		10.0.8.238
+3000.example.		5M IN A		10.0.8.239
+3000.example.		5M IN A		10.0.8.240
+3000.example.		5M IN A		10.0.8.241
+3000.example.		5M IN A		10.0.8.242
+3000.example.		5M IN A		10.0.8.243
+3000.example.		5M IN A		10.0.8.244
+3000.example.		5M IN A		10.0.8.245
+3000.example.		5M IN A		10.0.8.246
+3000.example.		5M IN A		10.0.8.247
+3000.example.		5M IN A		10.0.8.248
+3000.example.		5M IN A		10.0.8.249
+3000.example.		5M IN A		10.0.8.250
+3000.example.		5M IN A		10.0.8.251
+3000.example.		5M IN A		10.0.8.252
+3000.example.		5M IN A		10.0.8.253
+3000.example.		5M IN A		10.0.8.254
+3000.example.		5M IN A		10.0.8.255
+3000.example.		5M IN A		10.0.9.0
+3000.example.		5M IN A		10.0.9.1
+3000.example.		5M IN A		10.0.9.2
+3000.example.		5M IN A		10.0.9.3
+3000.example.		5M IN A		10.0.9.4
+3000.example.		5M IN A		10.0.9.5
+3000.example.		5M IN A		10.0.9.6
+3000.example.		5M IN A		10.0.9.7
+3000.example.		5M IN A		10.0.9.8
+3000.example.		5M IN A		10.0.9.9
+3000.example.		5M IN A		10.0.9.10
+3000.example.		5M IN A		10.0.9.11
+3000.example.		5M IN A		10.0.9.12
+3000.example.		5M IN A		10.0.9.13
+3000.example.		5M IN A		10.0.9.14
+3000.example.		5M IN A		10.0.9.15
+3000.example.		5M IN A		10.0.9.16
+3000.example.		5M IN A		10.0.9.17
+3000.example.		5M IN A		10.0.9.18
+3000.example.		5M IN A		10.0.9.19
+3000.example.		5M IN A		10.0.9.20
+3000.example.		5M IN A		10.0.9.21
+3000.example.		5M IN A		10.0.9.22
+3000.example.		5M IN A		10.0.9.23
+3000.example.		5M IN A		10.0.9.24
+3000.example.		5M IN A		10.0.9.25
+3000.example.		5M IN A		10.0.9.26
+3000.example.		5M IN A		10.0.9.27
+3000.example.		5M IN A		10.0.9.28
+3000.example.		5M IN A		10.0.9.29
+3000.example.		5M IN A		10.0.9.30
+3000.example.		5M IN A		10.0.9.31
+3000.example.		5M IN A		10.0.9.32
+3000.example.		5M IN A		10.0.9.33
+3000.example.		5M IN A		10.0.9.34
+3000.example.		5M IN A		10.0.9.35
+3000.example.		5M IN A		10.0.9.36
+3000.example.		5M IN A		10.0.9.37
+3000.example.		5M IN A		10.0.9.38
+3000.example.		5M IN A		10.0.9.39
+3000.example.		5M IN A		10.0.9.40
+3000.example.		5M IN A		10.0.9.41
+3000.example.		5M IN A		10.0.9.42
+3000.example.		5M IN A		10.0.9.43
+3000.example.		5M IN A		10.0.9.44
+3000.example.		5M IN A		10.0.9.45
+3000.example.		5M IN A		10.0.9.46
+3000.example.		5M IN A		10.0.9.47
+3000.example.		5M IN A		10.0.9.48
+3000.example.		5M IN A		10.0.9.49
+3000.example.		5M IN A		10.0.9.50
+3000.example.		5M IN A		10.0.9.51
+3000.example.		5M IN A		10.0.9.52
+3000.example.		5M IN A		10.0.9.53
+3000.example.		5M IN A		10.0.9.54
+3000.example.		5M IN A		10.0.9.55
+3000.example.		5M IN A		10.0.9.56
+3000.example.		5M IN A		10.0.9.57
+3000.example.		5M IN A		10.0.9.58
+3000.example.		5M IN A		10.0.9.59
+3000.example.		5M IN A		10.0.9.60
+3000.example.		5M IN A		10.0.9.61
+3000.example.		5M IN A		10.0.9.62
+3000.example.		5M IN A		10.0.9.63
+3000.example.		5M IN A		10.0.9.64
+3000.example.		5M IN A		10.0.9.65
+3000.example.		5M IN A		10.0.9.66
+3000.example.		5M IN A		10.0.9.67
+3000.example.		5M IN A		10.0.9.68
+3000.example.		5M IN A		10.0.9.69
+3000.example.		5M IN A		10.0.9.70
+3000.example.		5M IN A		10.0.9.71
+3000.example.		5M IN A		10.0.9.72
+3000.example.		5M IN A		10.0.9.73
+3000.example.		5M IN A		10.0.9.74
+3000.example.		5M IN A		10.0.9.75
+3000.example.		5M IN A		10.0.9.76
+3000.example.		5M IN A		10.0.9.77
+3000.example.		5M IN A		10.0.9.78
+3000.example.		5M IN A		10.0.9.79
+3000.example.		5M IN A		10.0.9.80
+3000.example.		5M IN A		10.0.9.81
+3000.example.		5M IN A		10.0.9.82
+3000.example.		5M IN A		10.0.9.83
+3000.example.		5M IN A		10.0.9.84
+3000.example.		5M IN A		10.0.9.85
+3000.example.		5M IN A		10.0.9.86
+3000.example.		5M IN A		10.0.9.87
+3000.example.		5M IN A		10.0.9.88
+3000.example.		5M IN A		10.0.9.89
+3000.example.		5M IN A		10.0.9.90
+3000.example.		5M IN A		10.0.9.91
+3000.example.		5M IN A		10.0.9.92
+3000.example.		5M IN A		10.0.9.93
+3000.example.		5M IN A		10.0.9.94
+3000.example.		5M IN A		10.0.9.95
+3000.example.		5M IN A		10.0.9.96
+3000.example.		5M IN A		10.0.9.97
+3000.example.		5M IN A		10.0.9.98
+3000.example.		5M IN A		10.0.9.99
+3000.example.		5M IN A		10.0.9.100
+3000.example.		5M IN A		10.0.9.101
+3000.example.		5M IN A		10.0.9.102
+3000.example.		5M IN A		10.0.9.103
+3000.example.		5M IN A		10.0.9.104
+3000.example.		5M IN A		10.0.9.105
+3000.example.		5M IN A		10.0.9.106
+3000.example.		5M IN A		10.0.9.107
+3000.example.		5M IN A		10.0.9.108
+3000.example.		5M IN A		10.0.9.109
+3000.example.		5M IN A		10.0.9.110
+3000.example.		5M IN A		10.0.9.111
+3000.example.		5M IN A		10.0.9.112
+3000.example.		5M IN A		10.0.9.113
+3000.example.		5M IN A		10.0.9.114
+3000.example.		5M IN A		10.0.9.115
+3000.example.		5M IN A		10.0.9.116
+3000.example.		5M IN A		10.0.9.117
+3000.example.		5M IN A		10.0.9.118
+3000.example.		5M IN A		10.0.9.119
+3000.example.		5M IN A		10.0.9.120
+3000.example.		5M IN A		10.0.9.121
+3000.example.		5M IN A		10.0.9.122
+3000.example.		5M IN A		10.0.9.123
+3000.example.		5M IN A		10.0.9.124
+3000.example.		5M IN A		10.0.9.125
+3000.example.		5M IN A		10.0.9.126
+3000.example.		5M IN A		10.0.9.127
+3000.example.		5M IN A		10.0.9.128
+3000.example.		5M IN A		10.0.9.129
+3000.example.		5M IN A		10.0.9.130
+3000.example.		5M IN A		10.0.9.131
+3000.example.		5M IN A		10.0.9.132
+3000.example.		5M IN A		10.0.9.133
+3000.example.		5M IN A		10.0.9.134
+3000.example.		5M IN A		10.0.9.135
+3000.example.		5M IN A		10.0.9.136
+3000.example.		5M IN A		10.0.9.137
+3000.example.		5M IN A		10.0.9.138
+3000.example.		5M IN A		10.0.9.139
+3000.example.		5M IN A		10.0.9.140
+3000.example.		5M IN A		10.0.9.141
+3000.example.		5M IN A		10.0.9.142
+3000.example.		5M IN A		10.0.9.143
+3000.example.		5M IN A		10.0.9.144
+3000.example.		5M IN A		10.0.9.145
+3000.example.		5M IN A		10.0.9.146
+3000.example.		5M IN A		10.0.9.147
+3000.example.		5M IN A		10.0.9.148
+3000.example.		5M IN A		10.0.9.149
+3000.example.		5M IN A		10.0.9.150
+3000.example.		5M IN A		10.0.9.151
+3000.example.		5M IN A		10.0.9.152
+3000.example.		5M IN A		10.0.9.153
+3000.example.		5M IN A		10.0.9.154
+3000.example.		5M IN A		10.0.9.155
+3000.example.		5M IN A		10.0.9.156
+3000.example.		5M IN A		10.0.9.157
+3000.example.		5M IN A		10.0.9.158
+3000.example.		5M IN A		10.0.9.159
+3000.example.		5M IN A		10.0.9.160
+3000.example.		5M IN A		10.0.9.161
+3000.example.		5M IN A		10.0.9.162
+3000.example.		5M IN A		10.0.9.163
+3000.example.		5M IN A		10.0.9.164
+3000.example.		5M IN A		10.0.9.165
+3000.example.		5M IN A		10.0.9.166
+3000.example.		5M IN A		10.0.9.167
+3000.example.		5M IN A		10.0.9.168
+3000.example.		5M IN A		10.0.9.169
+3000.example.		5M IN A		10.0.9.170
+3000.example.		5M IN A		10.0.9.171
+3000.example.		5M IN A		10.0.9.172
+3000.example.		5M IN A		10.0.9.173
+3000.example.		5M IN A		10.0.9.174
+3000.example.		5M IN A		10.0.9.175
+3000.example.		5M IN A		10.0.9.176
+3000.example.		5M IN A		10.0.9.177
+3000.example.		5M IN A		10.0.9.178
+3000.example.		5M IN A		10.0.9.179
+3000.example.		5M IN A		10.0.9.180
+3000.example.		5M IN A		10.0.9.181
+3000.example.		5M IN A		10.0.9.182
+3000.example.		5M IN A		10.0.9.183
+3000.example.		5M IN A		10.0.9.184
+3000.example.		5M IN A		10.0.9.185
+3000.example.		5M IN A		10.0.9.186
+3000.example.		5M IN A		10.0.9.187
+3000.example.		5M IN A		10.0.9.188
+3000.example.		5M IN A		10.0.9.189
+3000.example.		5M IN A		10.0.9.190
+3000.example.		5M IN A		10.0.9.191
+3000.example.		5M IN A		10.0.9.192
+3000.example.		5M IN A		10.0.9.193
+3000.example.		5M IN A		10.0.9.194
+3000.example.		5M IN A		10.0.9.195
+3000.example.		5M IN A		10.0.9.196
+3000.example.		5M IN A		10.0.9.197
+3000.example.		5M IN A		10.0.9.198
+3000.example.		5M IN A		10.0.9.199
+3000.example.		5M IN A		10.0.9.200
+3000.example.		5M IN A		10.0.9.201
+3000.example.		5M IN A		10.0.9.202
+3000.example.		5M IN A		10.0.9.203
+3000.example.		5M IN A		10.0.9.204
+3000.example.		5M IN A		10.0.9.205
+3000.example.		5M IN A		10.0.9.206
+3000.example.		5M IN A		10.0.9.207
+3000.example.		5M IN A		10.0.9.208
+3000.example.		5M IN A		10.0.9.209
+3000.example.		5M IN A		10.0.9.210
+3000.example.		5M IN A		10.0.9.211
+3000.example.		5M IN A		10.0.9.212
+3000.example.		5M IN A		10.0.9.213
+3000.example.		5M IN A		10.0.9.214
+3000.example.		5M IN A		10.0.9.215
+3000.example.		5M IN A		10.0.9.216
+3000.example.		5M IN A		10.0.9.217
+3000.example.		5M IN A		10.0.9.218
+3000.example.		5M IN A		10.0.9.219
+3000.example.		5M IN A		10.0.9.220
+3000.example.		5M IN A		10.0.9.221
+3000.example.		5M IN A		10.0.9.222
+3000.example.		5M IN A		10.0.9.223
+3000.example.		5M IN A		10.0.9.224
+3000.example.		5M IN A		10.0.9.225
+3000.example.		5M IN A		10.0.9.226
+3000.example.		5M IN A		10.0.9.227
+3000.example.		5M IN A		10.0.9.228
+3000.example.		5M IN A		10.0.9.229
+3000.example.		5M IN A		10.0.9.230
+3000.example.		5M IN A		10.0.9.231
+3000.example.		5M IN A		10.0.9.232
+3000.example.		5M IN A		10.0.9.233
+3000.example.		5M IN A		10.0.9.234
+3000.example.		5M IN A		10.0.9.235
+3000.example.		5M IN A		10.0.9.236
+3000.example.		5M IN A		10.0.9.237
+3000.example.		5M IN A		10.0.9.238
+3000.example.		5M IN A		10.0.9.239
+3000.example.		5M IN A		10.0.9.240
+3000.example.		5M IN A		10.0.9.241
+3000.example.		5M IN A		10.0.9.242
+3000.example.		5M IN A		10.0.9.243
+3000.example.		5M IN A		10.0.9.244
+3000.example.		5M IN A		10.0.9.245
+3000.example.		5M IN A		10.0.9.246
+3000.example.		5M IN A		10.0.9.247
+3000.example.		5M IN A		10.0.9.248
+3000.example.		5M IN A		10.0.9.249
+3000.example.		5M IN A		10.0.9.250
+3000.example.		5M IN A		10.0.9.251
+3000.example.		5M IN A		10.0.9.252
+3000.example.		5M IN A		10.0.9.253
+3000.example.		5M IN A		10.0.9.254
+3000.example.		5M IN A		10.0.9.255
+3000.example.		5M IN A		10.0.10.0
+3000.example.		5M IN A		10.0.10.1
+3000.example.		5M IN A		10.0.10.2
+3000.example.		5M IN A		10.0.10.3
+3000.example.		5M IN A		10.0.10.4
+3000.example.		5M IN A		10.0.10.5
+3000.example.		5M IN A		10.0.10.6
+3000.example.		5M IN A		10.0.10.7
+3000.example.		5M IN A		10.0.10.8
+3000.example.		5M IN A		10.0.10.9
+3000.example.		5M IN A		10.0.10.10
+3000.example.		5M IN A		10.0.10.11
+3000.example.		5M IN A		10.0.10.12
+3000.example.		5M IN A		10.0.10.13
+3000.example.		5M IN A		10.0.10.14
+3000.example.		5M IN A		10.0.10.15
+3000.example.		5M IN A		10.0.10.16
+3000.example.		5M IN A		10.0.10.17
+3000.example.		5M IN A		10.0.10.18
+3000.example.		5M IN A		10.0.10.19
+3000.example.		5M IN A		10.0.10.20
+3000.example.		5M IN A		10.0.10.21
+3000.example.		5M IN A		10.0.10.22
+3000.example.		5M IN A		10.0.10.23
+3000.example.		5M IN A		10.0.10.24
+3000.example.		5M IN A		10.0.10.25
+3000.example.		5M IN A		10.0.10.26
+3000.example.		5M IN A		10.0.10.27
+3000.example.		5M IN A		10.0.10.28
+3000.example.		5M IN A		10.0.10.29
+3000.example.		5M IN A		10.0.10.30
+3000.example.		5M IN A		10.0.10.31
+3000.example.		5M IN A		10.0.10.32
+3000.example.		5M IN A		10.0.10.33
+3000.example.		5M IN A		10.0.10.34
+3000.example.		5M IN A		10.0.10.35
+3000.example.		5M IN A		10.0.10.36
+3000.example.		5M IN A		10.0.10.37
+3000.example.		5M IN A		10.0.10.38
+3000.example.		5M IN A		10.0.10.39
+3000.example.		5M IN A		10.0.10.40
+3000.example.		5M IN A		10.0.10.41
+3000.example.		5M IN A		10.0.10.42
+3000.example.		5M IN A		10.0.10.43
+3000.example.		5M IN A		10.0.10.44
+3000.example.		5M IN A		10.0.10.45
+3000.example.		5M IN A		10.0.10.46
+3000.example.		5M IN A		10.0.10.47
+3000.example.		5M IN A		10.0.10.48
+3000.example.		5M IN A		10.0.10.49
+3000.example.		5M IN A		10.0.10.50
+3000.example.		5M IN A		10.0.10.51
+3000.example.		5M IN A		10.0.10.52
+3000.example.		5M IN A		10.0.10.53
+3000.example.		5M IN A		10.0.10.54
+3000.example.		5M IN A		10.0.10.55
+3000.example.		5M IN A		10.0.10.56
+3000.example.		5M IN A		10.0.10.57
+3000.example.		5M IN A		10.0.10.58
+3000.example.		5M IN A		10.0.10.59
+3000.example.		5M IN A		10.0.10.60
+3000.example.		5M IN A		10.0.10.61
+3000.example.		5M IN A		10.0.10.62
+3000.example.		5M IN A		10.0.10.63
+3000.example.		5M IN A		10.0.10.64
+3000.example.		5M IN A		10.0.10.65
+3000.example.		5M IN A		10.0.10.66
+3000.example.		5M IN A		10.0.10.67
+3000.example.		5M IN A		10.0.10.68
+3000.example.		5M IN A		10.0.10.69
+3000.example.		5M IN A		10.0.10.70
+3000.example.		5M IN A		10.0.10.71
+3000.example.		5M IN A		10.0.10.72
+3000.example.		5M IN A		10.0.10.73
+3000.example.		5M IN A		10.0.10.74
+3000.example.		5M IN A		10.0.10.75
+3000.example.		5M IN A		10.0.10.76
+3000.example.		5M IN A		10.0.10.77
+3000.example.		5M IN A		10.0.10.78
+3000.example.		5M IN A		10.0.10.79
+3000.example.		5M IN A		10.0.10.80
+3000.example.		5M IN A		10.0.10.81
+3000.example.		5M IN A		10.0.10.82
+3000.example.		5M IN A		10.0.10.83
+3000.example.		5M IN A		10.0.10.84
+3000.example.		5M IN A		10.0.10.85
+3000.example.		5M IN A		10.0.10.86
+3000.example.		5M IN A		10.0.10.87
+3000.example.		5M IN A		10.0.10.88
+3000.example.		5M IN A		10.0.10.89
+3000.example.		5M IN A		10.0.10.90
+3000.example.		5M IN A		10.0.10.91
+3000.example.		5M IN A		10.0.10.92
+3000.example.		5M IN A		10.0.10.93
+3000.example.		5M IN A		10.0.10.94
+3000.example.		5M IN A		10.0.10.95
+3000.example.		5M IN A		10.0.10.96
+3000.example.		5M IN A		10.0.10.97
+3000.example.		5M IN A		10.0.10.98
+3000.example.		5M IN A		10.0.10.99
+3000.example.		5M IN A		10.0.10.100
+3000.example.		5M IN A		10.0.10.101
+3000.example.		5M IN A		10.0.10.102
+3000.example.		5M IN A		10.0.10.103
+3000.example.		5M IN A		10.0.10.104
+3000.example.		5M IN A		10.0.10.105
+3000.example.		5M IN A		10.0.10.106
+3000.example.		5M IN A		10.0.10.107
+3000.example.		5M IN A		10.0.10.108
+3000.example.		5M IN A		10.0.10.109
+3000.example.		5M IN A		10.0.10.110
+3000.example.		5M IN A		10.0.10.111
+3000.example.		5M IN A		10.0.10.112
+3000.example.		5M IN A		10.0.10.113
+3000.example.		5M IN A		10.0.10.114
+3000.example.		5M IN A		10.0.10.115
+3000.example.		5M IN A		10.0.10.116
+3000.example.		5M IN A		10.0.10.117
+3000.example.		5M IN A		10.0.10.118
+3000.example.		5M IN A		10.0.10.119
+3000.example.		5M IN A		10.0.10.120
+3000.example.		5M IN A		10.0.10.121
+3000.example.		5M IN A		10.0.10.122
+3000.example.		5M IN A		10.0.10.123
+3000.example.		5M IN A		10.0.10.124
+3000.example.		5M IN A		10.0.10.125
+3000.example.		5M IN A		10.0.10.126
+3000.example.		5M IN A		10.0.10.127
+3000.example.		5M IN A		10.0.10.128
+3000.example.		5M IN A		10.0.10.129
+3000.example.		5M IN A		10.0.10.130
+3000.example.		5M IN A		10.0.10.131
+3000.example.		5M IN A		10.0.10.132
+3000.example.		5M IN A		10.0.10.133
+3000.example.		5M IN A		10.0.10.134
+3000.example.		5M IN A		10.0.10.135
+3000.example.		5M IN A		10.0.10.136
+3000.example.		5M IN A		10.0.10.137
+3000.example.		5M IN A		10.0.10.138
+3000.example.		5M IN A		10.0.10.139
+3000.example.		5M IN A		10.0.10.140
+3000.example.		5M IN A		10.0.10.141
+3000.example.		5M IN A		10.0.10.142
+3000.example.		5M IN A		10.0.10.143
+3000.example.		5M IN A		10.0.10.144
+3000.example.		5M IN A		10.0.10.145
+3000.example.		5M IN A		10.0.10.146
+3000.example.		5M IN A		10.0.10.147
+3000.example.		5M IN A		10.0.10.148
+3000.example.		5M IN A		10.0.10.149
+3000.example.		5M IN A		10.0.10.150
+3000.example.		5M IN A		10.0.10.151
+3000.example.		5M IN A		10.0.10.152
+3000.example.		5M IN A		10.0.10.153
+3000.example.		5M IN A		10.0.10.154
+3000.example.		5M IN A		10.0.10.155
+3000.example.		5M IN A		10.0.10.156
+3000.example.		5M IN A		10.0.10.157
+3000.example.		5M IN A		10.0.10.158
+3000.example.		5M IN A		10.0.10.159
+3000.example.		5M IN A		10.0.10.160
+3000.example.		5M IN A		10.0.10.161
+3000.example.		5M IN A		10.0.10.162
+3000.example.		5M IN A		10.0.10.163
+3000.example.		5M IN A		10.0.10.164
+3000.example.		5M IN A		10.0.10.165
+3000.example.		5M IN A		10.0.10.166
+3000.example.		5M IN A		10.0.10.167
+3000.example.		5M IN A		10.0.10.168
+3000.example.		5M IN A		10.0.10.169
+3000.example.		5M IN A		10.0.10.170
+3000.example.		5M IN A		10.0.10.171
+3000.example.		5M IN A		10.0.10.172
+3000.example.		5M IN A		10.0.10.173
+3000.example.		5M IN A		10.0.10.174
+3000.example.		5M IN A		10.0.10.175
+3000.example.		5M IN A		10.0.10.176
+3000.example.		5M IN A		10.0.10.177
+3000.example.		5M IN A		10.0.10.178
+3000.example.		5M IN A		10.0.10.179
+3000.example.		5M IN A		10.0.10.180
+3000.example.		5M IN A		10.0.10.181
+3000.example.		5M IN A		10.0.10.182
+3000.example.		5M IN A		10.0.10.183
+3000.example.		5M IN A		10.0.10.184
+3000.example.		5M IN A		10.0.10.185
+3000.example.		5M IN A		10.0.10.186
+3000.example.		5M IN A		10.0.10.187
+3000.example.		5M IN A		10.0.10.188
+3000.example.		5M IN A		10.0.10.189
+3000.example.		5M IN A		10.0.10.190
+3000.example.		5M IN A		10.0.10.191
+3000.example.		5M IN A		10.0.10.192
+3000.example.		5M IN A		10.0.10.193
+3000.example.		5M IN A		10.0.10.194
+3000.example.		5M IN A		10.0.10.195
+3000.example.		5M IN A		10.0.10.196
+3000.example.		5M IN A		10.0.10.197
+3000.example.		5M IN A		10.0.10.198
+3000.example.		5M IN A		10.0.10.199
+3000.example.		5M IN A		10.0.10.200
+3000.example.		5M IN A		10.0.10.201
+3000.example.		5M IN A		10.0.10.202
+3000.example.		5M IN A		10.0.10.203
+3000.example.		5M IN A		10.0.10.204
+3000.example.		5M IN A		10.0.10.205
+3000.example.		5M IN A		10.0.10.206
+3000.example.		5M IN A		10.0.10.207
+3000.example.		5M IN A		10.0.10.208
+3000.example.		5M IN A		10.0.10.209
+3000.example.		5M IN A		10.0.10.210
+3000.example.		5M IN A		10.0.10.211
+3000.example.		5M IN A		10.0.10.212
+3000.example.		5M IN A		10.0.10.213
+3000.example.		5M IN A		10.0.10.214
+3000.example.		5M IN A		10.0.10.215
+3000.example.		5M IN A		10.0.10.216
+3000.example.		5M IN A		10.0.10.217
+3000.example.		5M IN A		10.0.10.218
+3000.example.		5M IN A		10.0.10.219
+3000.example.		5M IN A		10.0.10.220
+3000.example.		5M IN A		10.0.10.221
+3000.example.		5M IN A		10.0.10.222
+3000.example.		5M IN A		10.0.10.223
+3000.example.		5M IN A		10.0.10.224
+3000.example.		5M IN A		10.0.10.225
+3000.example.		5M IN A		10.0.10.226
+3000.example.		5M IN A		10.0.10.227
+3000.example.		5M IN A		10.0.10.228
+3000.example.		5M IN A		10.0.10.229
+3000.example.		5M IN A		10.0.10.230
+3000.example.		5M IN A		10.0.10.231
+3000.example.		5M IN A		10.0.10.232
+3000.example.		5M IN A		10.0.10.233
+3000.example.		5M IN A		10.0.10.234
+3000.example.		5M IN A		10.0.10.235
+3000.example.		5M IN A		10.0.10.236
+3000.example.		5M IN A		10.0.10.237
+3000.example.		5M IN A		10.0.10.238
+3000.example.		5M IN A		10.0.10.239
+3000.example.		5M IN A		10.0.10.240
+3000.example.		5M IN A		10.0.10.241
+3000.example.		5M IN A		10.0.10.242
+3000.example.		5M IN A		10.0.10.243
+3000.example.		5M IN A		10.0.10.244
+3000.example.		5M IN A		10.0.10.245
+3000.example.		5M IN A		10.0.10.246
+3000.example.		5M IN A		10.0.10.247
+3000.example.		5M IN A		10.0.10.248
+3000.example.		5M IN A		10.0.10.249
+3000.example.		5M IN A		10.0.10.250
+3000.example.		5M IN A		10.0.10.251
+3000.example.		5M IN A		10.0.10.252
+3000.example.		5M IN A		10.0.10.253
+3000.example.		5M IN A		10.0.10.254
+3000.example.		5M IN A		10.0.10.255
+3000.example.		5M IN A		10.0.11.0
+3000.example.		5M IN A		10.0.11.1
+3000.example.		5M IN A		10.0.11.2
+3000.example.		5M IN A		10.0.11.3
+3000.example.		5M IN A		10.0.11.4
+3000.example.		5M IN A		10.0.11.5
+3000.example.		5M IN A		10.0.11.6
+3000.example.		5M IN A		10.0.11.7
+3000.example.		5M IN A		10.0.11.8
+3000.example.		5M IN A		10.0.11.9
+3000.example.		5M IN A		10.0.11.10
+3000.example.		5M IN A		10.0.11.11
+3000.example.		5M IN A		10.0.11.12
+3000.example.		5M IN A		10.0.11.13
+3000.example.		5M IN A		10.0.11.14
+3000.example.		5M IN A		10.0.11.15
+3000.example.		5M IN A		10.0.11.16
+3000.example.		5M IN A		10.0.11.17
+3000.example.		5M IN A		10.0.11.18
+3000.example.		5M IN A		10.0.11.19
+3000.example.		5M IN A		10.0.11.20
+3000.example.		5M IN A		10.0.11.21
+3000.example.		5M IN A		10.0.11.22
+3000.example.		5M IN A		10.0.11.23
+3000.example.		5M IN A		10.0.11.24
+3000.example.		5M IN A		10.0.11.25
+3000.example.		5M IN A		10.0.11.26
+3000.example.		5M IN A		10.0.11.27
+3000.example.		5M IN A		10.0.11.28
+3000.example.		5M IN A		10.0.11.29
+3000.example.		5M IN A		10.0.11.30
+3000.example.		5M IN A		10.0.11.31
+3000.example.		5M IN A		10.0.11.32
+3000.example.		5M IN A		10.0.11.33
+3000.example.		5M IN A		10.0.11.34
+3000.example.		5M IN A		10.0.11.35
+3000.example.		5M IN A		10.0.11.36
+3000.example.		5M IN A		10.0.11.37
+3000.example.		5M IN A		10.0.11.38
+3000.example.		5M IN A		10.0.11.39
+3000.example.		5M IN A		10.0.11.40
+3000.example.		5M IN A		10.0.11.41
+3000.example.		5M IN A		10.0.11.42
+3000.example.		5M IN A		10.0.11.43
+3000.example.		5M IN A		10.0.11.44
+3000.example.		5M IN A		10.0.11.45
+3000.example.		5M IN A		10.0.11.46
+3000.example.		5M IN A		10.0.11.47
+3000.example.		5M IN A		10.0.11.48
+3000.example.		5M IN A		10.0.11.49
+3000.example.		5M IN A		10.0.11.50
+3000.example.		5M IN A		10.0.11.51
+3000.example.		5M IN A		10.0.11.52
+3000.example.		5M IN A		10.0.11.53
+3000.example.		5M IN A		10.0.11.54
+3000.example.		5M IN A		10.0.11.55
+3000.example.		5M IN A		10.0.11.56
+3000.example.		5M IN A		10.0.11.57
+3000.example.		5M IN A		10.0.11.58
+3000.example.		5M IN A		10.0.11.59
+3000.example.		5M IN A		10.0.11.60
+3000.example.		5M IN A		10.0.11.61
+3000.example.		5M IN A		10.0.11.62
+3000.example.		5M IN A		10.0.11.63
+3000.example.		5M IN A		10.0.11.64
+3000.example.		5M IN A		10.0.11.65
+3000.example.		5M IN A		10.0.11.66
+3000.example.		5M IN A		10.0.11.67
+3000.example.		5M IN A		10.0.11.68
+3000.example.		5M IN A		10.0.11.69
+3000.example.		5M IN A		10.0.11.70
+3000.example.		5M IN A		10.0.11.71
+3000.example.		5M IN A		10.0.11.72
+3000.example.		5M IN A		10.0.11.73
+3000.example.		5M IN A		10.0.11.74
+3000.example.		5M IN A		10.0.11.75
+3000.example.		5M IN A		10.0.11.76
+3000.example.		5M IN A		10.0.11.77
+3000.example.		5M IN A		10.0.11.78
+3000.example.		5M IN A		10.0.11.79
+3000.example.		5M IN A		10.0.11.80
+3000.example.		5M IN A		10.0.11.81
+3000.example.		5M IN A		10.0.11.82
+3000.example.		5M IN A		10.0.11.83
+3000.example.		5M IN A		10.0.11.84
+3000.example.		5M IN A		10.0.11.85
+3000.example.		5M IN A		10.0.11.86
+3000.example.		5M IN A		10.0.11.87
+3000.example.		5M IN A		10.0.11.88
+3000.example.		5M IN A		10.0.11.89
+3000.example.		5M IN A		10.0.11.90
+3000.example.		5M IN A		10.0.11.91
+3000.example.		5M IN A		10.0.11.92
+3000.example.		5M IN A		10.0.11.93
+3000.example.		5M IN A		10.0.11.94
+3000.example.		5M IN A		10.0.11.95
+3000.example.		5M IN A		10.0.11.96
+3000.example.		5M IN A		10.0.11.97
+3000.example.		5M IN A		10.0.11.98
+3000.example.		5M IN A		10.0.11.99
+3000.example.		5M IN A		10.0.11.100
+3000.example.		5M IN A		10.0.11.101
+3000.example.		5M IN A		10.0.11.102
+3000.example.		5M IN A		10.0.11.103
+3000.example.		5M IN A		10.0.11.104
+3000.example.		5M IN A		10.0.11.105
+3000.example.		5M IN A		10.0.11.106
+3000.example.		5M IN A		10.0.11.107
+3000.example.		5M IN A		10.0.11.108
+3000.example.		5M IN A		10.0.11.109
+3000.example.		5M IN A		10.0.11.110
+3000.example.		5M IN A		10.0.11.111
+3000.example.		5M IN A		10.0.11.112
+3000.example.		5M IN A		10.0.11.113
+3000.example.		5M IN A		10.0.11.114
+3000.example.		5M IN A		10.0.11.115
+3000.example.		5M IN A		10.0.11.116
+3000.example.		5M IN A		10.0.11.117
+3000.example.		5M IN A		10.0.11.118
+3000.example.		5M IN A		10.0.11.119
+3000.example.		5M IN A		10.0.11.120
+3000.example.		5M IN A		10.0.11.121
+3000.example.		5M IN A		10.0.11.122
+3000.example.		5M IN A		10.0.11.123
+3000.example.		5M IN A		10.0.11.124
+3000.example.		5M IN A		10.0.11.125
+3000.example.		5M IN A		10.0.11.126
+3000.example.		5M IN A		10.0.11.127
+3000.example.		5M IN A		10.0.11.128
+3000.example.		5M IN A		10.0.11.129
+3000.example.		5M IN A		10.0.11.130
+3000.example.		5M IN A		10.0.11.131
+3000.example.		5M IN A		10.0.11.132
+3000.example.		5M IN A		10.0.11.133
+3000.example.		5M IN A		10.0.11.134
+3000.example.		5M IN A		10.0.11.135
+3000.example.		5M IN A		10.0.11.136
+3000.example.		5M IN A		10.0.11.137
+3000.example.		5M IN A		10.0.11.138
+3000.example.		5M IN A		10.0.11.139
+3000.example.		5M IN A		10.0.11.140
+3000.example.		5M IN A		10.0.11.141
+3000.example.		5M IN A		10.0.11.142
+3000.example.		5M IN A		10.0.11.143
+3000.example.		5M IN A		10.0.11.144
+3000.example.		5M IN A		10.0.11.145
+3000.example.		5M IN A		10.0.11.146
+3000.example.		5M IN A		10.0.11.147
+3000.example.		5M IN A		10.0.11.148
+3000.example.		5M IN A		10.0.11.149
+3000.example.		5M IN A		10.0.11.150
+3000.example.		5M IN A		10.0.11.151
+3000.example.		5M IN A		10.0.11.152
+3000.example.		5M IN A		10.0.11.153
+3000.example.		5M IN A		10.0.11.154
+3000.example.		5M IN A		10.0.11.155
+3000.example.		5M IN A		10.0.11.156
+3000.example.		5M IN A		10.0.11.157
+3000.example.		5M IN A		10.0.11.158
+3000.example.		5M IN A		10.0.11.159
+3000.example.		5M IN A		10.0.11.160
+3000.example.		5M IN A		10.0.11.161
+3000.example.		5M IN A		10.0.11.162
+3000.example.		5M IN A		10.0.11.163
+3000.example.		5M IN A		10.0.11.164
+3000.example.		5M IN A		10.0.11.165
+3000.example.		5M IN A		10.0.11.166
+3000.example.		5M IN A		10.0.11.167
+3000.example.		5M IN A		10.0.11.168
+3000.example.		5M IN A		10.0.11.169
+3000.example.		5M IN A		10.0.11.170
+3000.example.		5M IN A		10.0.11.171
+3000.example.		5M IN A		10.0.11.172
+3000.example.		5M IN A		10.0.11.173
+3000.example.		5M IN A		10.0.11.174
+3000.example.		5M IN A		10.0.11.175
+3000.example.		5M IN A		10.0.11.176
+3000.example.		5M IN A		10.0.11.177
+3000.example.		5M IN A		10.0.11.178
+3000.example.		5M IN A		10.0.11.179
+3000.example.		5M IN A		10.0.11.180
+3000.example.		5M IN A		10.0.11.181
+3000.example.		5M IN A		10.0.11.182
+3000.example.		5M IN A		10.0.11.183
+
+;; AUTHORITY SECTION:
+example.		5M IN NS	ns1.example.
+
+;; ADDITIONAL SECTION:
+ns1.example.		5M IN A		10.53.0.1
+
+;; Total query time: 211 msec
+;; FROM: draco to SERVER: 10.53.0.1
+;; WHEN: Fri Jun 23 12:58:17 2000
+;; MSG SIZE  sent: 30  rcvd: 48068
+
diff --git a/bin/tests/system/limits/knowngood.dig.out.4000 b/bin/tests/system/limits/knowngood.dig.out.4000
new file mode 100644
index 0000000..8b109c8
--- /dev/null
+++ b/bin/tests/system/limits/knowngood.dig.out.4000
@@ -0,0 +1,4023 @@
+
+; <<>> DiG 8.2 <<>> 4000.example. @10.53.0.1 a -p
+; (1 server found)
+;; res options: init recurs defnam dnsrch
+;; got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
+;; flags: qr aa rd ad; QUERY: 1, ANSWER: 4000, AUTHORITY: 1, ADDITIONAL: 1
+;; QUERY SECTION:
+;;	4000.example, type = A, class = IN
+
+;; ANSWER SECTION:
+4000.example.		5M IN A		10.0.0.0
+4000.example.		5M IN A		10.0.0.1
+4000.example.		5M IN A		10.0.0.2
+4000.example.		5M IN A		10.0.0.3
+4000.example.		5M IN A		10.0.0.4
+4000.example.		5M IN A		10.0.0.5
+4000.example.		5M IN A		10.0.0.6
+4000.example.		5M IN A		10.0.0.7
+4000.example.		5M IN A		10.0.0.8
+4000.example.		5M IN A		10.0.0.9
+4000.example.		5M IN A		10.0.0.10
+4000.example.		5M IN A		10.0.0.11
+4000.example.		5M IN A		10.0.0.12
+4000.example.		5M IN A		10.0.0.13
+4000.example.		5M IN A		10.0.0.14
+4000.example.		5M IN A		10.0.0.15
+4000.example.		5M IN A		10.0.0.16
+4000.example.		5M IN A		10.0.0.17
+4000.example.		5M IN A		10.0.0.18
+4000.example.		5M IN A		10.0.0.19
+4000.example.		5M IN A		10.0.0.20
+4000.example.		5M IN A		10.0.0.21
+4000.example.		5M IN A		10.0.0.22
+4000.example.		5M IN A		10.0.0.23
+4000.example.		5M IN A		10.0.0.24
+4000.example.		5M IN A		10.0.0.25
+4000.example.		5M IN A		10.0.0.26
+4000.example.		5M IN A		10.0.0.27
+4000.example.		5M IN A		10.0.0.28
+4000.example.		5M IN A		10.0.0.29
+4000.example.		5M IN A		10.0.0.30
+4000.example.		5M IN A		10.0.0.31
+4000.example.		5M IN A		10.0.0.32
+4000.example.		5M IN A		10.0.0.33
+4000.example.		5M IN A		10.0.0.34
+4000.example.		5M IN A		10.0.0.35
+4000.example.		5M IN A		10.0.0.36
+4000.example.		5M IN A		10.0.0.37
+4000.example.		5M IN A		10.0.0.38
+4000.example.		5M IN A		10.0.0.39
+4000.example.		5M IN A		10.0.0.40
+4000.example.		5M IN A		10.0.0.41
+4000.example.		5M IN A		10.0.0.42
+4000.example.		5M IN A		10.0.0.43
+4000.example.		5M IN A		10.0.0.44
+4000.example.		5M IN A		10.0.0.45
+4000.example.		5M IN A		10.0.0.46
+4000.example.		5M IN A		10.0.0.47
+4000.example.		5M IN A		10.0.0.48
+4000.example.		5M IN A		10.0.0.49
+4000.example.		5M IN A		10.0.0.50
+4000.example.		5M IN A		10.0.0.51
+4000.example.		5M IN A		10.0.0.52
+4000.example.		5M IN A		10.0.0.53
+4000.example.		5M IN A		10.0.0.54
+4000.example.		5M IN A		10.0.0.55
+4000.example.		5M IN A		10.0.0.56
+4000.example.		5M IN A		10.0.0.57
+4000.example.		5M IN A		10.0.0.58
+4000.example.		5M IN A		10.0.0.59
+4000.example.		5M IN A		10.0.0.60
+4000.example.		5M IN A		10.0.0.61
+4000.example.		5M IN A		10.0.0.62
+4000.example.		5M IN A		10.0.0.63
+4000.example.		5M IN A		10.0.0.64
+4000.example.		5M IN A		10.0.0.65
+4000.example.		5M IN A		10.0.0.66
+4000.example.		5M IN A		10.0.0.67
+4000.example.		5M IN A		10.0.0.68
+4000.example.		5M IN A		10.0.0.69
+4000.example.		5M IN A		10.0.0.70
+4000.example.		5M IN A		10.0.0.71
+4000.example.		5M IN A		10.0.0.72
+4000.example.		5M IN A		10.0.0.73
+4000.example.		5M IN A		10.0.0.74
+4000.example.		5M IN A		10.0.0.75
+4000.example.		5M IN A		10.0.0.76
+4000.example.		5M IN A		10.0.0.77
+4000.example.		5M IN A		10.0.0.78
+4000.example.		5M IN A		10.0.0.79
+4000.example.		5M IN A		10.0.0.80
+4000.example.		5M IN A		10.0.0.81
+4000.example.		5M IN A		10.0.0.82
+4000.example.		5M IN A		10.0.0.83
+4000.example.		5M IN A		10.0.0.84
+4000.example.		5M IN A		10.0.0.85
+4000.example.		5M IN A		10.0.0.86
+4000.example.		5M IN A		10.0.0.87
+4000.example.		5M IN A		10.0.0.88
+4000.example.		5M IN A		10.0.0.89
+4000.example.		5M IN A		10.0.0.90
+4000.example.		5M IN A		10.0.0.91
+4000.example.		5M IN A		10.0.0.92
+4000.example.		5M IN A		10.0.0.93
+4000.example.		5M IN A		10.0.0.94
+4000.example.		5M IN A		10.0.0.95
+4000.example.		5M IN A		10.0.0.96
+4000.example.		5M IN A		10.0.0.97
+4000.example.		5M IN A		10.0.0.98
+4000.example.		5M IN A		10.0.0.99
+4000.example.		5M IN A		10.0.0.100
+4000.example.		5M IN A		10.0.0.101
+4000.example.		5M IN A		10.0.0.102
+4000.example.		5M IN A		10.0.0.103
+4000.example.		5M IN A		10.0.0.104
+4000.example.		5M IN A		10.0.0.105
+4000.example.		5M IN A		10.0.0.106
+4000.example.		5M IN A		10.0.0.107
+4000.example.		5M IN A		10.0.0.108
+4000.example.		5M IN A		10.0.0.109
+4000.example.		5M IN A		10.0.0.110
+4000.example.		5M IN A		10.0.0.111
+4000.example.		5M IN A		10.0.0.112
+4000.example.		5M IN A		10.0.0.113
+4000.example.		5M IN A		10.0.0.114
+4000.example.		5M IN A		10.0.0.115
+4000.example.		5M IN A		10.0.0.116
+4000.example.		5M IN A		10.0.0.117
+4000.example.		5M IN A		10.0.0.118
+4000.example.		5M IN A		10.0.0.119
+4000.example.		5M IN A		10.0.0.120
+4000.example.		5M IN A		10.0.0.121
+4000.example.		5M IN A		10.0.0.122
+4000.example.		5M IN A		10.0.0.123
+4000.example.		5M IN A		10.0.0.124
+4000.example.		5M IN A		10.0.0.125
+4000.example.		5M IN A		10.0.0.126
+4000.example.		5M IN A		10.0.0.127
+4000.example.		5M IN A		10.0.0.128
+4000.example.		5M IN A		10.0.0.129
+4000.example.		5M IN A		10.0.0.130
+4000.example.		5M IN A		10.0.0.131
+4000.example.		5M IN A		10.0.0.132
+4000.example.		5M IN A		10.0.0.133
+4000.example.		5M IN A		10.0.0.134
+4000.example.		5M IN A		10.0.0.135
+4000.example.		5M IN A		10.0.0.136
+4000.example.		5M IN A		10.0.0.137
+4000.example.		5M IN A		10.0.0.138
+4000.example.		5M IN A		10.0.0.139
+4000.example.		5M IN A		10.0.0.140
+4000.example.		5M IN A		10.0.0.141
+4000.example.		5M IN A		10.0.0.142
+4000.example.		5M IN A		10.0.0.143
+4000.example.		5M IN A		10.0.0.144
+4000.example.		5M IN A		10.0.0.145
+4000.example.		5M IN A		10.0.0.146
+4000.example.		5M IN A		10.0.0.147
+4000.example.		5M IN A		10.0.0.148
+4000.example.		5M IN A		10.0.0.149
+4000.example.		5M IN A		10.0.0.150
+4000.example.		5M IN A		10.0.0.151
+4000.example.		5M IN A		10.0.0.152
+4000.example.		5M IN A		10.0.0.153
+4000.example.		5M IN A		10.0.0.154
+4000.example.		5M IN A		10.0.0.155
+4000.example.		5M IN A		10.0.0.156
+4000.example.		5M IN A		10.0.0.157
+4000.example.		5M IN A		10.0.0.158
+4000.example.		5M IN A		10.0.0.159
+4000.example.		5M IN A		10.0.0.160
+4000.example.		5M IN A		10.0.0.161
+4000.example.		5M IN A		10.0.0.162
+4000.example.		5M IN A		10.0.0.163
+4000.example.		5M IN A		10.0.0.164
+4000.example.		5M IN A		10.0.0.165
+4000.example.		5M IN A		10.0.0.166
+4000.example.		5M IN A		10.0.0.167
+4000.example.		5M IN A		10.0.0.168
+4000.example.		5M IN A		10.0.0.169
+4000.example.		5M IN A		10.0.0.170
+4000.example.		5M IN A		10.0.0.171
+4000.example.		5M IN A		10.0.0.172
+4000.example.		5M IN A		10.0.0.173
+4000.example.		5M IN A		10.0.0.174
+4000.example.		5M IN A		10.0.0.175
+4000.example.		5M IN A		10.0.0.176
+4000.example.		5M IN A		10.0.0.177
+4000.example.		5M IN A		10.0.0.178
+4000.example.		5M IN A		10.0.0.179
+4000.example.		5M IN A		10.0.0.180
+4000.example.		5M IN A		10.0.0.181
+4000.example.		5M IN A		10.0.0.182
+4000.example.		5M IN A		10.0.0.183
+4000.example.		5M IN A		10.0.0.184
+4000.example.		5M IN A		10.0.0.185
+4000.example.		5M IN A		10.0.0.186
+4000.example.		5M IN A		10.0.0.187
+4000.example.		5M IN A		10.0.0.188
+4000.example.		5M IN A		10.0.0.189
+4000.example.		5M IN A		10.0.0.190
+4000.example.		5M IN A		10.0.0.191
+4000.example.		5M IN A		10.0.0.192
+4000.example.		5M IN A		10.0.0.193
+4000.example.		5M IN A		10.0.0.194
+4000.example.		5M IN A		10.0.0.195
+4000.example.		5M IN A		10.0.0.196
+4000.example.		5M IN A		10.0.0.197
+4000.example.		5M IN A		10.0.0.198
+4000.example.		5M IN A		10.0.0.199
+4000.example.		5M IN A		10.0.0.200
+4000.example.		5M IN A		10.0.0.201
+4000.example.		5M IN A		10.0.0.202
+4000.example.		5M IN A		10.0.0.203
+4000.example.		5M IN A		10.0.0.204
+4000.example.		5M IN A		10.0.0.205
+4000.example.		5M IN A		10.0.0.206
+4000.example.		5M IN A		10.0.0.207
+4000.example.		5M IN A		10.0.0.208
+4000.example.		5M IN A		10.0.0.209
+4000.example.		5M IN A		10.0.0.210
+4000.example.		5M IN A		10.0.0.211
+4000.example.		5M IN A		10.0.0.212
+4000.example.		5M IN A		10.0.0.213
+4000.example.		5M IN A		10.0.0.214
+4000.example.		5M IN A		10.0.0.215
+4000.example.		5M IN A		10.0.0.216
+4000.example.		5M IN A		10.0.0.217
+4000.example.		5M IN A		10.0.0.218
+4000.example.		5M IN A		10.0.0.219
+4000.example.		5M IN A		10.0.0.220
+4000.example.		5M IN A		10.0.0.221
+4000.example.		5M IN A		10.0.0.222
+4000.example.		5M IN A		10.0.0.223
+4000.example.		5M IN A		10.0.0.224
+4000.example.		5M IN A		10.0.0.225
+4000.example.		5M IN A		10.0.0.226
+4000.example.		5M IN A		10.0.0.227
+4000.example.		5M IN A		10.0.0.228
+4000.example.		5M IN A		10.0.0.229
+4000.example.		5M IN A		10.0.0.230
+4000.example.		5M IN A		10.0.0.231
+4000.example.		5M IN A		10.0.0.232
+4000.example.		5M IN A		10.0.0.233
+4000.example.		5M IN A		10.0.0.234
+4000.example.		5M IN A		10.0.0.235
+4000.example.		5M IN A		10.0.0.236
+4000.example.		5M IN A		10.0.0.237
+4000.example.		5M IN A		10.0.0.238
+4000.example.		5M IN A		10.0.0.239
+4000.example.		5M IN A		10.0.0.240
+4000.example.		5M IN A		10.0.0.241
+4000.example.		5M IN A		10.0.0.242
+4000.example.		5M IN A		10.0.0.243
+4000.example.		5M IN A		10.0.0.244
+4000.example.		5M IN A		10.0.0.245
+4000.example.		5M IN A		10.0.0.246
+4000.example.		5M IN A		10.0.0.247
+4000.example.		5M IN A		10.0.0.248
+4000.example.		5M IN A		10.0.0.249
+4000.example.		5M IN A		10.0.0.250
+4000.example.		5M IN A		10.0.0.251
+4000.example.		5M IN A		10.0.0.252
+4000.example.		5M IN A		10.0.0.253
+4000.example.		5M IN A		10.0.0.254
+4000.example.		5M IN A		10.0.0.255
+4000.example.		5M IN A		10.0.1.0
+4000.example.		5M IN A		10.0.1.1
+4000.example.		5M IN A		10.0.1.2
+4000.example.		5M IN A		10.0.1.3
+4000.example.		5M IN A		10.0.1.4
+4000.example.		5M IN A		10.0.1.5
+4000.example.		5M IN A		10.0.1.6
+4000.example.		5M IN A		10.0.1.7
+4000.example.		5M IN A		10.0.1.8
+4000.example.		5M IN A		10.0.1.9
+4000.example.		5M IN A		10.0.1.10
+4000.example.		5M IN A		10.0.1.11
+4000.example.		5M IN A		10.0.1.12
+4000.example.		5M IN A		10.0.1.13
+4000.example.		5M IN A		10.0.1.14
+4000.example.		5M IN A		10.0.1.15
+4000.example.		5M IN A		10.0.1.16
+4000.example.		5M IN A		10.0.1.17
+4000.example.		5M IN A		10.0.1.18
+4000.example.		5M IN A		10.0.1.19
+4000.example.		5M IN A		10.0.1.20
+4000.example.		5M IN A		10.0.1.21
+4000.example.		5M IN A		10.0.1.22
+4000.example.		5M IN A		10.0.1.23
+4000.example.		5M IN A		10.0.1.24
+4000.example.		5M IN A		10.0.1.25
+4000.example.		5M IN A		10.0.1.26
+4000.example.		5M IN A		10.0.1.27
+4000.example.		5M IN A		10.0.1.28
+4000.example.		5M IN A		10.0.1.29
+4000.example.		5M IN A		10.0.1.30
+4000.example.		5M IN A		10.0.1.31
+4000.example.		5M IN A		10.0.1.32
+4000.example.		5M IN A		10.0.1.33
+4000.example.		5M IN A		10.0.1.34
+4000.example.		5M IN A		10.0.1.35
+4000.example.		5M IN A		10.0.1.36
+4000.example.		5M IN A		10.0.1.37
+4000.example.		5M IN A		10.0.1.38
+4000.example.		5M IN A		10.0.1.39
+4000.example.		5M IN A		10.0.1.40
+4000.example.		5M IN A		10.0.1.41
+4000.example.		5M IN A		10.0.1.42
+4000.example.		5M IN A		10.0.1.43
+4000.example.		5M IN A		10.0.1.44
+4000.example.		5M IN A		10.0.1.45
+4000.example.		5M IN A		10.0.1.46
+4000.example.		5M IN A		10.0.1.47
+4000.example.		5M IN A		10.0.1.48
+4000.example.		5M IN A		10.0.1.49
+4000.example.		5M IN A		10.0.1.50
+4000.example.		5M IN A		10.0.1.51
+4000.example.		5M IN A		10.0.1.52
+4000.example.		5M IN A		10.0.1.53
+4000.example.		5M IN A		10.0.1.54
+4000.example.		5M IN A		10.0.1.55
+4000.example.		5M IN A		10.0.1.56
+4000.example.		5M IN A		10.0.1.57
+4000.example.		5M IN A		10.0.1.58
+4000.example.		5M IN A		10.0.1.59
+4000.example.		5M IN A		10.0.1.60
+4000.example.		5M IN A		10.0.1.61
+4000.example.		5M IN A		10.0.1.62
+4000.example.		5M IN A		10.0.1.63
+4000.example.		5M IN A		10.0.1.64
+4000.example.		5M IN A		10.0.1.65
+4000.example.		5M IN A		10.0.1.66
+4000.example.		5M IN A		10.0.1.67
+4000.example.		5M IN A		10.0.1.68
+4000.example.		5M IN A		10.0.1.69
+4000.example.		5M IN A		10.0.1.70
+4000.example.		5M IN A		10.0.1.71
+4000.example.		5M IN A		10.0.1.72
+4000.example.		5M IN A		10.0.1.73
+4000.example.		5M IN A		10.0.1.74
+4000.example.		5M IN A		10.0.1.75
+4000.example.		5M IN A		10.0.1.76
+4000.example.		5M IN A		10.0.1.77
+4000.example.		5M IN A		10.0.1.78
+4000.example.		5M IN A		10.0.1.79
+4000.example.		5M IN A		10.0.1.80
+4000.example.		5M IN A		10.0.1.81
+4000.example.		5M IN A		10.0.1.82
+4000.example.		5M IN A		10.0.1.83
+4000.example.		5M IN A		10.0.1.84
+4000.example.		5M IN A		10.0.1.85
+4000.example.		5M IN A		10.0.1.86
+4000.example.		5M IN A		10.0.1.87
+4000.example.		5M IN A		10.0.1.88
+4000.example.		5M IN A		10.0.1.89
+4000.example.		5M IN A		10.0.1.90
+4000.example.		5M IN A		10.0.1.91
+4000.example.		5M IN A		10.0.1.92
+4000.example.		5M IN A		10.0.1.93
+4000.example.		5M IN A		10.0.1.94
+4000.example.		5M IN A		10.0.1.95
+4000.example.		5M IN A		10.0.1.96
+4000.example.		5M IN A		10.0.1.97
+4000.example.		5M IN A		10.0.1.98
+4000.example.		5M IN A		10.0.1.99
+4000.example.		5M IN A		10.0.1.100
+4000.example.		5M IN A		10.0.1.101
+4000.example.		5M IN A		10.0.1.102
+4000.example.		5M IN A		10.0.1.103
+4000.example.		5M IN A		10.0.1.104
+4000.example.		5M IN A		10.0.1.105
+4000.example.		5M IN A		10.0.1.106
+4000.example.		5M IN A		10.0.1.107
+4000.example.		5M IN A		10.0.1.108
+4000.example.		5M IN A		10.0.1.109
+4000.example.		5M IN A		10.0.1.110
+4000.example.		5M IN A		10.0.1.111
+4000.example.		5M IN A		10.0.1.112
+4000.example.		5M IN A		10.0.1.113
+4000.example.		5M IN A		10.0.1.114
+4000.example.		5M IN A		10.0.1.115
+4000.example.		5M IN A		10.0.1.116
+4000.example.		5M IN A		10.0.1.117
+4000.example.		5M IN A		10.0.1.118
+4000.example.		5M IN A		10.0.1.119
+4000.example.		5M IN A		10.0.1.120
+4000.example.		5M IN A		10.0.1.121
+4000.example.		5M IN A		10.0.1.122
+4000.example.		5M IN A		10.0.1.123
+4000.example.		5M IN A		10.0.1.124
+4000.example.		5M IN A		10.0.1.125
+4000.example.		5M IN A		10.0.1.126
+4000.example.		5M IN A		10.0.1.127
+4000.example.		5M IN A		10.0.1.128
+4000.example.		5M IN A		10.0.1.129
+4000.example.		5M IN A		10.0.1.130
+4000.example.		5M IN A		10.0.1.131
+4000.example.		5M IN A		10.0.1.132
+4000.example.		5M IN A		10.0.1.133
+4000.example.		5M IN A		10.0.1.134
+4000.example.		5M IN A		10.0.1.135
+4000.example.		5M IN A		10.0.1.136
+4000.example.		5M IN A		10.0.1.137
+4000.example.		5M IN A		10.0.1.138
+4000.example.		5M IN A		10.0.1.139
+4000.example.		5M IN A		10.0.1.140
+4000.example.		5M IN A		10.0.1.141
+4000.example.		5M IN A		10.0.1.142
+4000.example.		5M IN A		10.0.1.143
+4000.example.		5M IN A		10.0.1.144
+4000.example.		5M IN A		10.0.1.145
+4000.example.		5M IN A		10.0.1.146
+4000.example.		5M IN A		10.0.1.147
+4000.example.		5M IN A		10.0.1.148
+4000.example.		5M IN A		10.0.1.149
+4000.example.		5M IN A		10.0.1.150
+4000.example.		5M IN A		10.0.1.151
+4000.example.		5M IN A		10.0.1.152
+4000.example.		5M IN A		10.0.1.153
+4000.example.		5M IN A		10.0.1.154
+4000.example.		5M IN A		10.0.1.155
+4000.example.		5M IN A		10.0.1.156
+4000.example.		5M IN A		10.0.1.157
+4000.example.		5M IN A		10.0.1.158
+4000.example.		5M IN A		10.0.1.159
+4000.example.		5M IN A		10.0.1.160
+4000.example.		5M IN A		10.0.1.161
+4000.example.		5M IN A		10.0.1.162
+4000.example.		5M IN A		10.0.1.163
+4000.example.		5M IN A		10.0.1.164
+4000.example.		5M IN A		10.0.1.165
+4000.example.		5M IN A		10.0.1.166
+4000.example.		5M IN A		10.0.1.167
+4000.example.		5M IN A		10.0.1.168
+4000.example.		5M IN A		10.0.1.169
+4000.example.		5M IN A		10.0.1.170
+4000.example.		5M IN A		10.0.1.171
+4000.example.		5M IN A		10.0.1.172
+4000.example.		5M IN A		10.0.1.173
+4000.example.		5M IN A		10.0.1.174
+4000.example.		5M IN A		10.0.1.175
+4000.example.		5M IN A		10.0.1.176
+4000.example.		5M IN A		10.0.1.177
+4000.example.		5M IN A		10.0.1.178
+4000.example.		5M IN A		10.0.1.179
+4000.example.		5M IN A		10.0.1.180
+4000.example.		5M IN A		10.0.1.181
+4000.example.		5M IN A		10.0.1.182
+4000.example.		5M IN A		10.0.1.183
+4000.example.		5M IN A		10.0.1.184
+4000.example.		5M IN A		10.0.1.185
+4000.example.		5M IN A		10.0.1.186
+4000.example.		5M IN A		10.0.1.187
+4000.example.		5M IN A		10.0.1.188
+4000.example.		5M IN A		10.0.1.189
+4000.example.		5M IN A		10.0.1.190
+4000.example.		5M IN A		10.0.1.191
+4000.example.		5M IN A		10.0.1.192
+4000.example.		5M IN A		10.0.1.193
+4000.example.		5M IN A		10.0.1.194
+4000.example.		5M IN A		10.0.1.195
+4000.example.		5M IN A		10.0.1.196
+4000.example.		5M IN A		10.0.1.197
+4000.example.		5M IN A		10.0.1.198
+4000.example.		5M IN A		10.0.1.199
+4000.example.		5M IN A		10.0.1.200
+4000.example.		5M IN A		10.0.1.201
+4000.example.		5M IN A		10.0.1.202
+4000.example.		5M IN A		10.0.1.203
+4000.example.		5M IN A		10.0.1.204
+4000.example.		5M IN A		10.0.1.205
+4000.example.		5M IN A		10.0.1.206
+4000.example.		5M IN A		10.0.1.207
+4000.example.		5M IN A		10.0.1.208
+4000.example.		5M IN A		10.0.1.209
+4000.example.		5M IN A		10.0.1.210
+4000.example.		5M IN A		10.0.1.211
+4000.example.		5M IN A		10.0.1.212
+4000.example.		5M IN A		10.0.1.213
+4000.example.		5M IN A		10.0.1.214
+4000.example.		5M IN A		10.0.1.215
+4000.example.		5M IN A		10.0.1.216
+4000.example.		5M IN A		10.0.1.217
+4000.example.		5M IN A		10.0.1.218
+4000.example.		5M IN A		10.0.1.219
+4000.example.		5M IN A		10.0.1.220
+4000.example.		5M IN A		10.0.1.221
+4000.example.		5M IN A		10.0.1.222
+4000.example.		5M IN A		10.0.1.223
+4000.example.		5M IN A		10.0.1.224
+4000.example.		5M IN A		10.0.1.225
+4000.example.		5M IN A		10.0.1.226
+4000.example.		5M IN A		10.0.1.227
+4000.example.		5M IN A		10.0.1.228
+4000.example.		5M IN A		10.0.1.229
+4000.example.		5M IN A		10.0.1.230
+4000.example.		5M IN A		10.0.1.231
+4000.example.		5M IN A		10.0.1.232
+4000.example.		5M IN A		10.0.1.233
+4000.example.		5M IN A		10.0.1.234
+4000.example.		5M IN A		10.0.1.235
+4000.example.		5M IN A		10.0.1.236
+4000.example.		5M IN A		10.0.1.237
+4000.example.		5M IN A		10.0.1.238
+4000.example.		5M IN A		10.0.1.239
+4000.example.		5M IN A		10.0.1.240
+4000.example.		5M IN A		10.0.1.241
+4000.example.		5M IN A		10.0.1.242
+4000.example.		5M IN A		10.0.1.243
+4000.example.		5M IN A		10.0.1.244
+4000.example.		5M IN A		10.0.1.245
+4000.example.		5M IN A		10.0.1.246
+4000.example.		5M IN A		10.0.1.247
+4000.example.		5M IN A		10.0.1.248
+4000.example.		5M IN A		10.0.1.249
+4000.example.		5M IN A		10.0.1.250
+4000.example.		5M IN A		10.0.1.251
+4000.example.		5M IN A		10.0.1.252
+4000.example.		5M IN A		10.0.1.253
+4000.example.		5M IN A		10.0.1.254
+4000.example.		5M IN A		10.0.1.255
+4000.example.		5M IN A		10.0.2.0
+4000.example.		5M IN A		10.0.2.1
+4000.example.		5M IN A		10.0.2.2
+4000.example.		5M IN A		10.0.2.3
+4000.example.		5M IN A		10.0.2.4
+4000.example.		5M IN A		10.0.2.5
+4000.example.		5M IN A		10.0.2.6
+4000.example.		5M IN A		10.0.2.7
+4000.example.		5M IN A		10.0.2.8
+4000.example.		5M IN A		10.0.2.9
+4000.example.		5M IN A		10.0.2.10
+4000.example.		5M IN A		10.0.2.11
+4000.example.		5M IN A		10.0.2.12
+4000.example.		5M IN A		10.0.2.13
+4000.example.		5M IN A		10.0.2.14
+4000.example.		5M IN A		10.0.2.15
+4000.example.		5M IN A		10.0.2.16
+4000.example.		5M IN A		10.0.2.17
+4000.example.		5M IN A		10.0.2.18
+4000.example.		5M IN A		10.0.2.19
+4000.example.		5M IN A		10.0.2.20
+4000.example.		5M IN A		10.0.2.21
+4000.example.		5M IN A		10.0.2.22
+4000.example.		5M IN A		10.0.2.23
+4000.example.		5M IN A		10.0.2.24
+4000.example.		5M IN A		10.0.2.25
+4000.example.		5M IN A		10.0.2.26
+4000.example.		5M IN A		10.0.2.27
+4000.example.		5M IN A		10.0.2.28
+4000.example.		5M IN A		10.0.2.29
+4000.example.		5M IN A		10.0.2.30
+4000.example.		5M IN A		10.0.2.31
+4000.example.		5M IN A		10.0.2.32
+4000.example.		5M IN A		10.0.2.33
+4000.example.		5M IN A		10.0.2.34
+4000.example.		5M IN A		10.0.2.35
+4000.example.		5M IN A		10.0.2.36
+4000.example.		5M IN A		10.0.2.37
+4000.example.		5M IN A		10.0.2.38
+4000.example.		5M IN A		10.0.2.39
+4000.example.		5M IN A		10.0.2.40
+4000.example.		5M IN A		10.0.2.41
+4000.example.		5M IN A		10.0.2.42
+4000.example.		5M IN A		10.0.2.43
+4000.example.		5M IN A		10.0.2.44
+4000.example.		5M IN A		10.0.2.45
+4000.example.		5M IN A		10.0.2.46
+4000.example.		5M IN A		10.0.2.47
+4000.example.		5M IN A		10.0.2.48
+4000.example.		5M IN A		10.0.2.49
+4000.example.		5M IN A		10.0.2.50
+4000.example.		5M IN A		10.0.2.51
+4000.example.		5M IN A		10.0.2.52
+4000.example.		5M IN A		10.0.2.53
+4000.example.		5M IN A		10.0.2.54
+4000.example.		5M IN A		10.0.2.55
+4000.example.		5M IN A		10.0.2.56
+4000.example.		5M IN A		10.0.2.57
+4000.example.		5M IN A		10.0.2.58
+4000.example.		5M IN A		10.0.2.59
+4000.example.		5M IN A		10.0.2.60
+4000.example.		5M IN A		10.0.2.61
+4000.example.		5M IN A		10.0.2.62
+4000.example.		5M IN A		10.0.2.63
+4000.example.		5M IN A		10.0.2.64
+4000.example.		5M IN A		10.0.2.65
+4000.example.		5M IN A		10.0.2.66
+4000.example.		5M IN A		10.0.2.67
+4000.example.		5M IN A		10.0.2.68
+4000.example.		5M IN A		10.0.2.69
+4000.example.		5M IN A		10.0.2.70
+4000.example.		5M IN A		10.0.2.71
+4000.example.		5M IN A		10.0.2.72
+4000.example.		5M IN A		10.0.2.73
+4000.example.		5M IN A		10.0.2.74
+4000.example.		5M IN A		10.0.2.75
+4000.example.		5M IN A		10.0.2.76
+4000.example.		5M IN A		10.0.2.77
+4000.example.		5M IN A		10.0.2.78
+4000.example.		5M IN A		10.0.2.79
+4000.example.		5M IN A		10.0.2.80
+4000.example.		5M IN A		10.0.2.81
+4000.example.		5M IN A		10.0.2.82
+4000.example.		5M IN A		10.0.2.83
+4000.example.		5M IN A		10.0.2.84
+4000.example.		5M IN A		10.0.2.85
+4000.example.		5M IN A		10.0.2.86
+4000.example.		5M IN A		10.0.2.87
+4000.example.		5M IN A		10.0.2.88
+4000.example.		5M IN A		10.0.2.89
+4000.example.		5M IN A		10.0.2.90
+4000.example.		5M IN A		10.0.2.91
+4000.example.		5M IN A		10.0.2.92
+4000.example.		5M IN A		10.0.2.93
+4000.example.		5M IN A		10.0.2.94
+4000.example.		5M IN A		10.0.2.95
+4000.example.		5M IN A		10.0.2.96
+4000.example.		5M IN A		10.0.2.97
+4000.example.		5M IN A		10.0.2.98
+4000.example.		5M IN A		10.0.2.99
+4000.example.		5M IN A		10.0.2.100
+4000.example.		5M IN A		10.0.2.101
+4000.example.		5M IN A		10.0.2.102
+4000.example.		5M IN A		10.0.2.103
+4000.example.		5M IN A		10.0.2.104
+4000.example.		5M IN A		10.0.2.105
+4000.example.		5M IN A		10.0.2.106
+4000.example.		5M IN A		10.0.2.107
+4000.example.		5M IN A		10.0.2.108
+4000.example.		5M IN A		10.0.2.109
+4000.example.		5M IN A		10.0.2.110
+4000.example.		5M IN A		10.0.2.111
+4000.example.		5M IN A		10.0.2.112
+4000.example.		5M IN A		10.0.2.113
+4000.example.		5M IN A		10.0.2.114
+4000.example.		5M IN A		10.0.2.115
+4000.example.		5M IN A		10.0.2.116
+4000.example.		5M IN A		10.0.2.117
+4000.example.		5M IN A		10.0.2.118
+4000.example.		5M IN A		10.0.2.119
+4000.example.		5M IN A		10.0.2.120
+4000.example.		5M IN A		10.0.2.121
+4000.example.		5M IN A		10.0.2.122
+4000.example.		5M IN A		10.0.2.123
+4000.example.		5M IN A		10.0.2.124
+4000.example.		5M IN A		10.0.2.125
+4000.example.		5M IN A		10.0.2.126
+4000.example.		5M IN A		10.0.2.127
+4000.example.		5M IN A		10.0.2.128
+4000.example.		5M IN A		10.0.2.129
+4000.example.		5M IN A		10.0.2.130
+4000.example.		5M IN A		10.0.2.131
+4000.example.		5M IN A		10.0.2.132
+4000.example.		5M IN A		10.0.2.133
+4000.example.		5M IN A		10.0.2.134
+4000.example.		5M IN A		10.0.2.135
+4000.example.		5M IN A		10.0.2.136
+4000.example.		5M IN A		10.0.2.137
+4000.example.		5M IN A		10.0.2.138
+4000.example.		5M IN A		10.0.2.139
+4000.example.		5M IN A		10.0.2.140
+4000.example.		5M IN A		10.0.2.141
+4000.example.		5M IN A		10.0.2.142
+4000.example.		5M IN A		10.0.2.143
+4000.example.		5M IN A		10.0.2.144
+4000.example.		5M IN A		10.0.2.145
+4000.example.		5M IN A		10.0.2.146
+4000.example.		5M IN A		10.0.2.147
+4000.example.		5M IN A		10.0.2.148
+4000.example.		5M IN A		10.0.2.149
+4000.example.		5M IN A		10.0.2.150
+4000.example.		5M IN A		10.0.2.151
+4000.example.		5M IN A		10.0.2.152
+4000.example.		5M IN A		10.0.2.153
+4000.example.		5M IN A		10.0.2.154
+4000.example.		5M IN A		10.0.2.155
+4000.example.		5M IN A		10.0.2.156
+4000.example.		5M IN A		10.0.2.157
+4000.example.		5M IN A		10.0.2.158
+4000.example.		5M IN A		10.0.2.159
+4000.example.		5M IN A		10.0.2.160
+4000.example.		5M IN A		10.0.2.161
+4000.example.		5M IN A		10.0.2.162
+4000.example.		5M IN A		10.0.2.163
+4000.example.		5M IN A		10.0.2.164
+4000.example.		5M IN A		10.0.2.165
+4000.example.		5M IN A		10.0.2.166
+4000.example.		5M IN A		10.0.2.167
+4000.example.		5M IN A		10.0.2.168
+4000.example.		5M IN A		10.0.2.169
+4000.example.		5M IN A		10.0.2.170
+4000.example.		5M IN A		10.0.2.171
+4000.example.		5M IN A		10.0.2.172
+4000.example.		5M IN A		10.0.2.173
+4000.example.		5M IN A		10.0.2.174
+4000.example.		5M IN A		10.0.2.175
+4000.example.		5M IN A		10.0.2.176
+4000.example.		5M IN A		10.0.2.177
+4000.example.		5M IN A		10.0.2.178
+4000.example.		5M IN A		10.0.2.179
+4000.example.		5M IN A		10.0.2.180
+4000.example.		5M IN A		10.0.2.181
+4000.example.		5M IN A		10.0.2.182
+4000.example.		5M IN A		10.0.2.183
+4000.example.		5M IN A		10.0.2.184
+4000.example.		5M IN A		10.0.2.185
+4000.example.		5M IN A		10.0.2.186
+4000.example.		5M IN A		10.0.2.187
+4000.example.		5M IN A		10.0.2.188
+4000.example.		5M IN A		10.0.2.189
+4000.example.		5M IN A		10.0.2.190
+4000.example.		5M IN A		10.0.2.191
+4000.example.		5M IN A		10.0.2.192
+4000.example.		5M IN A		10.0.2.193
+4000.example.		5M IN A		10.0.2.194
+4000.example.		5M IN A		10.0.2.195
+4000.example.		5M IN A		10.0.2.196
+4000.example.		5M IN A		10.0.2.197
+4000.example.		5M IN A		10.0.2.198
+4000.example.		5M IN A		10.0.2.199
+4000.example.		5M IN A		10.0.2.200
+4000.example.		5M IN A		10.0.2.201
+4000.example.		5M IN A		10.0.2.202
+4000.example.		5M IN A		10.0.2.203
+4000.example.		5M IN A		10.0.2.204
+4000.example.		5M IN A		10.0.2.205
+4000.example.		5M IN A		10.0.2.206
+4000.example.		5M IN A		10.0.2.207
+4000.example.		5M IN A		10.0.2.208
+4000.example.		5M IN A		10.0.2.209
+4000.example.		5M IN A		10.0.2.210
+4000.example.		5M IN A		10.0.2.211
+4000.example.		5M IN A		10.0.2.212
+4000.example.		5M IN A		10.0.2.213
+4000.example.		5M IN A		10.0.2.214
+4000.example.		5M IN A		10.0.2.215
+4000.example.		5M IN A		10.0.2.216
+4000.example.		5M IN A		10.0.2.217
+4000.example.		5M IN A		10.0.2.218
+4000.example.		5M IN A		10.0.2.219
+4000.example.		5M IN A		10.0.2.220
+4000.example.		5M IN A		10.0.2.221
+4000.example.		5M IN A		10.0.2.222
+4000.example.		5M IN A		10.0.2.223
+4000.example.		5M IN A		10.0.2.224
+4000.example.		5M IN A		10.0.2.225
+4000.example.		5M IN A		10.0.2.226
+4000.example.		5M IN A		10.0.2.227
+4000.example.		5M IN A		10.0.2.228
+4000.example.		5M IN A		10.0.2.229
+4000.example.		5M IN A		10.0.2.230
+4000.example.		5M IN A		10.0.2.231
+4000.example.		5M IN A		10.0.2.232
+4000.example.		5M IN A		10.0.2.233
+4000.example.		5M IN A		10.0.2.234
+4000.example.		5M IN A		10.0.2.235
+4000.example.		5M IN A		10.0.2.236
+4000.example.		5M IN A		10.0.2.237
+4000.example.		5M IN A		10.0.2.238
+4000.example.		5M IN A		10.0.2.239
+4000.example.		5M IN A		10.0.2.240
+4000.example.		5M IN A		10.0.2.241
+4000.example.		5M IN A		10.0.2.242
+4000.example.		5M IN A		10.0.2.243
+4000.example.		5M IN A		10.0.2.244
+4000.example.		5M IN A		10.0.2.245
+4000.example.		5M IN A		10.0.2.246
+4000.example.		5M IN A		10.0.2.247
+4000.example.		5M IN A		10.0.2.248
+4000.example.		5M IN A		10.0.2.249
+4000.example.		5M IN A		10.0.2.250
+4000.example.		5M IN A		10.0.2.251
+4000.example.		5M IN A		10.0.2.252
+4000.example.		5M IN A		10.0.2.253
+4000.example.		5M IN A		10.0.2.254
+4000.example.		5M IN A		10.0.2.255
+4000.example.		5M IN A		10.0.3.0
+4000.example.		5M IN A		10.0.3.1
+4000.example.		5M IN A		10.0.3.2
+4000.example.		5M IN A		10.0.3.3
+4000.example.		5M IN A		10.0.3.4
+4000.example.		5M IN A		10.0.3.5
+4000.example.		5M IN A		10.0.3.6
+4000.example.		5M IN A		10.0.3.7
+4000.example.		5M IN A		10.0.3.8
+4000.example.		5M IN A		10.0.3.9
+4000.example.		5M IN A		10.0.3.10
+4000.example.		5M IN A		10.0.3.11
+4000.example.		5M IN A		10.0.3.12
+4000.example.		5M IN A		10.0.3.13
+4000.example.		5M IN A		10.0.3.14
+4000.example.		5M IN A		10.0.3.15
+4000.example.		5M IN A		10.0.3.16
+4000.example.		5M IN A		10.0.3.17
+4000.example.		5M IN A		10.0.3.18
+4000.example.		5M IN A		10.0.3.19
+4000.example.		5M IN A		10.0.3.20
+4000.example.		5M IN A		10.0.3.21
+4000.example.		5M IN A		10.0.3.22
+4000.example.		5M IN A		10.0.3.23
+4000.example.		5M IN A		10.0.3.24
+4000.example.		5M IN A		10.0.3.25
+4000.example.		5M IN A		10.0.3.26
+4000.example.		5M IN A		10.0.3.27
+4000.example.		5M IN A		10.0.3.28
+4000.example.		5M IN A		10.0.3.29
+4000.example.		5M IN A		10.0.3.30
+4000.example.		5M IN A		10.0.3.31
+4000.example.		5M IN A		10.0.3.32
+4000.example.		5M IN A		10.0.3.33
+4000.example.		5M IN A		10.0.3.34
+4000.example.		5M IN A		10.0.3.35
+4000.example.		5M IN A		10.0.3.36
+4000.example.		5M IN A		10.0.3.37
+4000.example.		5M IN A		10.0.3.38
+4000.example.		5M IN A		10.0.3.39
+4000.example.		5M IN A		10.0.3.40
+4000.example.		5M IN A		10.0.3.41
+4000.example.		5M IN A		10.0.3.42
+4000.example.		5M IN A		10.0.3.43
+4000.example.		5M IN A		10.0.3.44
+4000.example.		5M IN A		10.0.3.45
+4000.example.		5M IN A		10.0.3.46
+4000.example.		5M IN A		10.0.3.47
+4000.example.		5M IN A		10.0.3.48
+4000.example.		5M IN A		10.0.3.49
+4000.example.		5M IN A		10.0.3.50
+4000.example.		5M IN A		10.0.3.51
+4000.example.		5M IN A		10.0.3.52
+4000.example.		5M IN A		10.0.3.53
+4000.example.		5M IN A		10.0.3.54
+4000.example.		5M IN A		10.0.3.55
+4000.example.		5M IN A		10.0.3.56
+4000.example.		5M IN A		10.0.3.57
+4000.example.		5M IN A		10.0.3.58
+4000.example.		5M IN A		10.0.3.59
+4000.example.		5M IN A		10.0.3.60
+4000.example.		5M IN A		10.0.3.61
+4000.example.		5M IN A		10.0.3.62
+4000.example.		5M IN A		10.0.3.63
+4000.example.		5M IN A		10.0.3.64
+4000.example.		5M IN A		10.0.3.65
+4000.example.		5M IN A		10.0.3.66
+4000.example.		5M IN A		10.0.3.67
+4000.example.		5M IN A		10.0.3.68
+4000.example.		5M IN A		10.0.3.69
+4000.example.		5M IN A		10.0.3.70
+4000.example.		5M IN A		10.0.3.71
+4000.example.		5M IN A		10.0.3.72
+4000.example.		5M IN A		10.0.3.73
+4000.example.		5M IN A		10.0.3.74
+4000.example.		5M IN A		10.0.3.75
+4000.example.		5M IN A		10.0.3.76
+4000.example.		5M IN A		10.0.3.77
+4000.example.		5M IN A		10.0.3.78
+4000.example.		5M IN A		10.0.3.79
+4000.example.		5M IN A		10.0.3.80
+4000.example.		5M IN A		10.0.3.81
+4000.example.		5M IN A		10.0.3.82
+4000.example.		5M IN A		10.0.3.83
+4000.example.		5M IN A		10.0.3.84
+4000.example.		5M IN A		10.0.3.85
+4000.example.		5M IN A		10.0.3.86
+4000.example.		5M IN A		10.0.3.87
+4000.example.		5M IN A		10.0.3.88
+4000.example.		5M IN A		10.0.3.89
+4000.example.		5M IN A		10.0.3.90
+4000.example.		5M IN A		10.0.3.91
+4000.example.		5M IN A		10.0.3.92
+4000.example.		5M IN A		10.0.3.93
+4000.example.		5M IN A		10.0.3.94
+4000.example.		5M IN A		10.0.3.95
+4000.example.		5M IN A		10.0.3.96
+4000.example.		5M IN A		10.0.3.97
+4000.example.		5M IN A		10.0.3.98
+4000.example.		5M IN A		10.0.3.99
+4000.example.		5M IN A		10.0.3.100
+4000.example.		5M IN A		10.0.3.101
+4000.example.		5M IN A		10.0.3.102
+4000.example.		5M IN A		10.0.3.103
+4000.example.		5M IN A		10.0.3.104
+4000.example.		5M IN A		10.0.3.105
+4000.example.		5M IN A		10.0.3.106
+4000.example.		5M IN A		10.0.3.107
+4000.example.		5M IN A		10.0.3.108
+4000.example.		5M IN A		10.0.3.109
+4000.example.		5M IN A		10.0.3.110
+4000.example.		5M IN A		10.0.3.111
+4000.example.		5M IN A		10.0.3.112
+4000.example.		5M IN A		10.0.3.113
+4000.example.		5M IN A		10.0.3.114
+4000.example.		5M IN A		10.0.3.115
+4000.example.		5M IN A		10.0.3.116
+4000.example.		5M IN A		10.0.3.117
+4000.example.		5M IN A		10.0.3.118
+4000.example.		5M IN A		10.0.3.119
+4000.example.		5M IN A		10.0.3.120
+4000.example.		5M IN A		10.0.3.121
+4000.example.		5M IN A		10.0.3.122
+4000.example.		5M IN A		10.0.3.123
+4000.example.		5M IN A		10.0.3.124
+4000.example.		5M IN A		10.0.3.125
+4000.example.		5M IN A		10.0.3.126
+4000.example.		5M IN A		10.0.3.127
+4000.example.		5M IN A		10.0.3.128
+4000.example.		5M IN A		10.0.3.129
+4000.example.		5M IN A		10.0.3.130
+4000.example.		5M IN A		10.0.3.131
+4000.example.		5M IN A		10.0.3.132
+4000.example.		5M IN A		10.0.3.133
+4000.example.		5M IN A		10.0.3.134
+4000.example.		5M IN A		10.0.3.135
+4000.example.		5M IN A		10.0.3.136
+4000.example.		5M IN A		10.0.3.137
+4000.example.		5M IN A		10.0.3.138
+4000.example.		5M IN A		10.0.3.139
+4000.example.		5M IN A		10.0.3.140
+4000.example.		5M IN A		10.0.3.141
+4000.example.		5M IN A		10.0.3.142
+4000.example.		5M IN A		10.0.3.143
+4000.example.		5M IN A		10.0.3.144
+4000.example.		5M IN A		10.0.3.145
+4000.example.		5M IN A		10.0.3.146
+4000.example.		5M IN A		10.0.3.147
+4000.example.		5M IN A		10.0.3.148
+4000.example.		5M IN A		10.0.3.149
+4000.example.		5M IN A		10.0.3.150
+4000.example.		5M IN A		10.0.3.151
+4000.example.		5M IN A		10.0.3.152
+4000.example.		5M IN A		10.0.3.153
+4000.example.		5M IN A		10.0.3.154
+4000.example.		5M IN A		10.0.3.155
+4000.example.		5M IN A		10.0.3.156
+4000.example.		5M IN A		10.0.3.157
+4000.example.		5M IN A		10.0.3.158
+4000.example.		5M IN A		10.0.3.159
+4000.example.		5M IN A		10.0.3.160
+4000.example.		5M IN A		10.0.3.161
+4000.example.		5M IN A		10.0.3.162
+4000.example.		5M IN A		10.0.3.163
+4000.example.		5M IN A		10.0.3.164
+4000.example.		5M IN A		10.0.3.165
+4000.example.		5M IN A		10.0.3.166
+4000.example.		5M IN A		10.0.3.167
+4000.example.		5M IN A		10.0.3.168
+4000.example.		5M IN A		10.0.3.169
+4000.example.		5M IN A		10.0.3.170
+4000.example.		5M IN A		10.0.3.171
+4000.example.		5M IN A		10.0.3.172
+4000.example.		5M IN A		10.0.3.173
+4000.example.		5M IN A		10.0.3.174
+4000.example.		5M IN A		10.0.3.175
+4000.example.		5M IN A		10.0.3.176
+4000.example.		5M IN A		10.0.3.177
+4000.example.		5M IN A		10.0.3.178
+4000.example.		5M IN A		10.0.3.179
+4000.example.		5M IN A		10.0.3.180
+4000.example.		5M IN A		10.0.3.181
+4000.example.		5M IN A		10.0.3.182
+4000.example.		5M IN A		10.0.3.183
+4000.example.		5M IN A		10.0.3.184
+4000.example.		5M IN A		10.0.3.185
+4000.example.		5M IN A		10.0.3.186
+4000.example.		5M IN A		10.0.3.187
+4000.example.		5M IN A		10.0.3.188
+4000.example.		5M IN A		10.0.3.189
+4000.example.		5M IN A		10.0.3.190
+4000.example.		5M IN A		10.0.3.191
+4000.example.		5M IN A		10.0.3.192
+4000.example.		5M IN A		10.0.3.193
+4000.example.		5M IN A		10.0.3.194
+4000.example.		5M IN A		10.0.3.195
+4000.example.		5M IN A		10.0.3.196
+4000.example.		5M IN A		10.0.3.197
+4000.example.		5M IN A		10.0.3.198
+4000.example.		5M IN A		10.0.3.199
+4000.example.		5M IN A		10.0.3.200
+4000.example.		5M IN A		10.0.3.201
+4000.example.		5M IN A		10.0.3.202
+4000.example.		5M IN A		10.0.3.203
+4000.example.		5M IN A		10.0.3.204
+4000.example.		5M IN A		10.0.3.205
+4000.example.		5M IN A		10.0.3.206
+4000.example.		5M IN A		10.0.3.207
+4000.example.		5M IN A		10.0.3.208
+4000.example.		5M IN A		10.0.3.209
+4000.example.		5M IN A		10.0.3.210
+4000.example.		5M IN A		10.0.3.211
+4000.example.		5M IN A		10.0.3.212
+4000.example.		5M IN A		10.0.3.213
+4000.example.		5M IN A		10.0.3.214
+4000.example.		5M IN A		10.0.3.215
+4000.example.		5M IN A		10.0.3.216
+4000.example.		5M IN A		10.0.3.217
+4000.example.		5M IN A		10.0.3.218
+4000.example.		5M IN A		10.0.3.219
+4000.example.		5M IN A		10.0.3.220
+4000.example.		5M IN A		10.0.3.221
+4000.example.		5M IN A		10.0.3.222
+4000.example.		5M IN A		10.0.3.223
+4000.example.		5M IN A		10.0.3.224
+4000.example.		5M IN A		10.0.3.225
+4000.example.		5M IN A		10.0.3.226
+4000.example.		5M IN A		10.0.3.227
+4000.example.		5M IN A		10.0.3.228
+4000.example.		5M IN A		10.0.3.229
+4000.example.		5M IN A		10.0.3.230
+4000.example.		5M IN A		10.0.3.231
+4000.example.		5M IN A		10.0.3.232
+4000.example.		5M IN A		10.0.3.233
+4000.example.		5M IN A		10.0.3.234
+4000.example.		5M IN A		10.0.3.235
+4000.example.		5M IN A		10.0.3.236
+4000.example.		5M IN A		10.0.3.237
+4000.example.		5M IN A		10.0.3.238
+4000.example.		5M IN A		10.0.3.239
+4000.example.		5M IN A		10.0.3.240
+4000.example.		5M IN A		10.0.3.241
+4000.example.		5M IN A		10.0.3.242
+4000.example.		5M IN A		10.0.3.243
+4000.example.		5M IN A		10.0.3.244
+4000.example.		5M IN A		10.0.3.245
+4000.example.		5M IN A		10.0.3.246
+4000.example.		5M IN A		10.0.3.247
+4000.example.		5M IN A		10.0.3.248
+4000.example.		5M IN A		10.0.3.249
+4000.example.		5M IN A		10.0.3.250
+4000.example.		5M IN A		10.0.3.251
+4000.example.		5M IN A		10.0.3.252
+4000.example.		5M IN A		10.0.3.253
+4000.example.		5M IN A		10.0.3.254
+4000.example.		5M IN A		10.0.3.255
+4000.example.		5M IN A		10.0.4.0
+4000.example.		5M IN A		10.0.4.1
+4000.example.		5M IN A		10.0.4.2
+4000.example.		5M IN A		10.0.4.3
+4000.example.		5M IN A		10.0.4.4
+4000.example.		5M IN A		10.0.4.5
+4000.example.		5M IN A		10.0.4.6
+4000.example.		5M IN A		10.0.4.7
+4000.example.		5M IN A		10.0.4.8
+4000.example.		5M IN A		10.0.4.9
+4000.example.		5M IN A		10.0.4.10
+4000.example.		5M IN A		10.0.4.11
+4000.example.		5M IN A		10.0.4.12
+4000.example.		5M IN A		10.0.4.13
+4000.example.		5M IN A		10.0.4.14
+4000.example.		5M IN A		10.0.4.15
+4000.example.		5M IN A		10.0.4.16
+4000.example.		5M IN A		10.0.4.17
+4000.example.		5M IN A		10.0.4.18
+4000.example.		5M IN A		10.0.4.19
+4000.example.		5M IN A		10.0.4.20
+4000.example.		5M IN A		10.0.4.21
+4000.example.		5M IN A		10.0.4.22
+4000.example.		5M IN A		10.0.4.23
+4000.example.		5M IN A		10.0.4.24
+4000.example.		5M IN A		10.0.4.25
+4000.example.		5M IN A		10.0.4.26
+4000.example.		5M IN A		10.0.4.27
+4000.example.		5M IN A		10.0.4.28
+4000.example.		5M IN A		10.0.4.29
+4000.example.		5M IN A		10.0.4.30
+4000.example.		5M IN A		10.0.4.31
+4000.example.		5M IN A		10.0.4.32
+4000.example.		5M IN A		10.0.4.33
+4000.example.		5M IN A		10.0.4.34
+4000.example.		5M IN A		10.0.4.35
+4000.example.		5M IN A		10.0.4.36
+4000.example.		5M IN A		10.0.4.37
+4000.example.		5M IN A		10.0.4.38
+4000.example.		5M IN A		10.0.4.39
+4000.example.		5M IN A		10.0.4.40
+4000.example.		5M IN A		10.0.4.41
+4000.example.		5M IN A		10.0.4.42
+4000.example.		5M IN A		10.0.4.43
+4000.example.		5M IN A		10.0.4.44
+4000.example.		5M IN A		10.0.4.45
+4000.example.		5M IN A		10.0.4.46
+4000.example.		5M IN A		10.0.4.47
+4000.example.		5M IN A		10.0.4.48
+4000.example.		5M IN A		10.0.4.49
+4000.example.		5M IN A		10.0.4.50
+4000.example.		5M IN A		10.0.4.51
+4000.example.		5M IN A		10.0.4.52
+4000.example.		5M IN A		10.0.4.53
+4000.example.		5M IN A		10.0.4.54
+4000.example.		5M IN A		10.0.4.55
+4000.example.		5M IN A		10.0.4.56
+4000.example.		5M IN A		10.0.4.57
+4000.example.		5M IN A		10.0.4.58
+4000.example.		5M IN A		10.0.4.59
+4000.example.		5M IN A		10.0.4.60
+4000.example.		5M IN A		10.0.4.61
+4000.example.		5M IN A		10.0.4.62
+4000.example.		5M IN A		10.0.4.63
+4000.example.		5M IN A		10.0.4.64
+4000.example.		5M IN A		10.0.4.65
+4000.example.		5M IN A		10.0.4.66
+4000.example.		5M IN A		10.0.4.67
+4000.example.		5M IN A		10.0.4.68
+4000.example.		5M IN A		10.0.4.69
+4000.example.		5M IN A		10.0.4.70
+4000.example.		5M IN A		10.0.4.71
+4000.example.		5M IN A		10.0.4.72
+4000.example.		5M IN A		10.0.4.73
+4000.example.		5M IN A		10.0.4.74
+4000.example.		5M IN A		10.0.4.75
+4000.example.		5M IN A		10.0.4.76
+4000.example.		5M IN A		10.0.4.77
+4000.example.		5M IN A		10.0.4.78
+4000.example.		5M IN A		10.0.4.79
+4000.example.		5M IN A		10.0.4.80
+4000.example.		5M IN A		10.0.4.81
+4000.example.		5M IN A		10.0.4.82
+4000.example.		5M IN A		10.0.4.83
+4000.example.		5M IN A		10.0.4.84
+4000.example.		5M IN A		10.0.4.85
+4000.example.		5M IN A		10.0.4.86
+4000.example.		5M IN A		10.0.4.87
+4000.example.		5M IN A		10.0.4.88
+4000.example.		5M IN A		10.0.4.89
+4000.example.		5M IN A		10.0.4.90
+4000.example.		5M IN A		10.0.4.91
+4000.example.		5M IN A		10.0.4.92
+4000.example.		5M IN A		10.0.4.93
+4000.example.		5M IN A		10.0.4.94
+4000.example.		5M IN A		10.0.4.95
+4000.example.		5M IN A		10.0.4.96
+4000.example.		5M IN A		10.0.4.97
+4000.example.		5M IN A		10.0.4.98
+4000.example.		5M IN A		10.0.4.99
+4000.example.		5M IN A		10.0.4.100
+4000.example.		5M IN A		10.0.4.101
+4000.example.		5M IN A		10.0.4.102
+4000.example.		5M IN A		10.0.4.103
+4000.example.		5M IN A		10.0.4.104
+4000.example.		5M IN A		10.0.4.105
+4000.example.		5M IN A		10.0.4.106
+4000.example.		5M IN A		10.0.4.107
+4000.example.		5M IN A		10.0.4.108
+4000.example.		5M IN A		10.0.4.109
+4000.example.		5M IN A		10.0.4.110
+4000.example.		5M IN A		10.0.4.111
+4000.example.		5M IN A		10.0.4.112
+4000.example.		5M IN A		10.0.4.113
+4000.example.		5M IN A		10.0.4.114
+4000.example.		5M IN A		10.0.4.115
+4000.example.		5M IN A		10.0.4.116
+4000.example.		5M IN A		10.0.4.117
+4000.example.		5M IN A		10.0.4.118
+4000.example.		5M IN A		10.0.4.119
+4000.example.		5M IN A		10.0.4.120
+4000.example.		5M IN A		10.0.4.121
+4000.example.		5M IN A		10.0.4.122
+4000.example.		5M IN A		10.0.4.123
+4000.example.		5M IN A		10.0.4.124
+4000.example.		5M IN A		10.0.4.125
+4000.example.		5M IN A		10.0.4.126
+4000.example.		5M IN A		10.0.4.127
+4000.example.		5M IN A		10.0.4.128
+4000.example.		5M IN A		10.0.4.129
+4000.example.		5M IN A		10.0.4.130
+4000.example.		5M IN A		10.0.4.131
+4000.example.		5M IN A		10.0.4.132
+4000.example.		5M IN A		10.0.4.133
+4000.example.		5M IN A		10.0.4.134
+4000.example.		5M IN A		10.0.4.135
+4000.example.		5M IN A		10.0.4.136
+4000.example.		5M IN A		10.0.4.137
+4000.example.		5M IN A		10.0.4.138
+4000.example.		5M IN A		10.0.4.139
+4000.example.		5M IN A		10.0.4.140
+4000.example.		5M IN A		10.0.4.141
+4000.example.		5M IN A		10.0.4.142
+4000.example.		5M IN A		10.0.4.143
+4000.example.		5M IN A		10.0.4.144
+4000.example.		5M IN A		10.0.4.145
+4000.example.		5M IN A		10.0.4.146
+4000.example.		5M IN A		10.0.4.147
+4000.example.		5M IN A		10.0.4.148
+4000.example.		5M IN A		10.0.4.149
+4000.example.		5M IN A		10.0.4.150
+4000.example.		5M IN A		10.0.4.151
+4000.example.		5M IN A		10.0.4.152
+4000.example.		5M IN A		10.0.4.153
+4000.example.		5M IN A		10.0.4.154
+4000.example.		5M IN A		10.0.4.155
+4000.example.		5M IN A		10.0.4.156
+4000.example.		5M IN A		10.0.4.157
+4000.example.		5M IN A		10.0.4.158
+4000.example.		5M IN A		10.0.4.159
+4000.example.		5M IN A		10.0.4.160
+4000.example.		5M IN A		10.0.4.161
+4000.example.		5M IN A		10.0.4.162
+4000.example.		5M IN A		10.0.4.163
+4000.example.		5M IN A		10.0.4.164
+4000.example.		5M IN A		10.0.4.165
+4000.example.		5M IN A		10.0.4.166
+4000.example.		5M IN A		10.0.4.167
+4000.example.		5M IN A		10.0.4.168
+4000.example.		5M IN A		10.0.4.169
+4000.example.		5M IN A		10.0.4.170
+4000.example.		5M IN A		10.0.4.171
+4000.example.		5M IN A		10.0.4.172
+4000.example.		5M IN A		10.0.4.173
+4000.example.		5M IN A		10.0.4.174
+4000.example.		5M IN A		10.0.4.175
+4000.example.		5M IN A		10.0.4.176
+4000.example.		5M IN A		10.0.4.177
+4000.example.		5M IN A		10.0.4.178
+4000.example.		5M IN A		10.0.4.179
+4000.example.		5M IN A		10.0.4.180
+4000.example.		5M IN A		10.0.4.181
+4000.example.		5M IN A		10.0.4.182
+4000.example.		5M IN A		10.0.4.183
+4000.example.		5M IN A		10.0.4.184
+4000.example.		5M IN A		10.0.4.185
+4000.example.		5M IN A		10.0.4.186
+4000.example.		5M IN A		10.0.4.187
+4000.example.		5M IN A		10.0.4.188
+4000.example.		5M IN A		10.0.4.189
+4000.example.		5M IN A		10.0.4.190
+4000.example.		5M IN A		10.0.4.191
+4000.example.		5M IN A		10.0.4.192
+4000.example.		5M IN A		10.0.4.193
+4000.example.		5M IN A		10.0.4.194
+4000.example.		5M IN A		10.0.4.195
+4000.example.		5M IN A		10.0.4.196
+4000.example.		5M IN A		10.0.4.197
+4000.example.		5M IN A		10.0.4.198
+4000.example.		5M IN A		10.0.4.199
+4000.example.		5M IN A		10.0.4.200
+4000.example.		5M IN A		10.0.4.201
+4000.example.		5M IN A		10.0.4.202
+4000.example.		5M IN A		10.0.4.203
+4000.example.		5M IN A		10.0.4.204
+4000.example.		5M IN A		10.0.4.205
+4000.example.		5M IN A		10.0.4.206
+4000.example.		5M IN A		10.0.4.207
+4000.example.		5M IN A		10.0.4.208
+4000.example.		5M IN A		10.0.4.209
+4000.example.		5M IN A		10.0.4.210
+4000.example.		5M IN A		10.0.4.211
+4000.example.		5M IN A		10.0.4.212
+4000.example.		5M IN A		10.0.4.213
+4000.example.		5M IN A		10.0.4.214
+4000.example.		5M IN A		10.0.4.215
+4000.example.		5M IN A		10.0.4.216
+4000.example.		5M IN A		10.0.4.217
+4000.example.		5M IN A		10.0.4.218
+4000.example.		5M IN A		10.0.4.219
+4000.example.		5M IN A		10.0.4.220
+4000.example.		5M IN A		10.0.4.221
+4000.example.		5M IN A		10.0.4.222
+4000.example.		5M IN A		10.0.4.223
+4000.example.		5M IN A		10.0.4.224
+4000.example.		5M IN A		10.0.4.225
+4000.example.		5M IN A		10.0.4.226
+4000.example.		5M IN A		10.0.4.227
+4000.example.		5M IN A		10.0.4.228
+4000.example.		5M IN A		10.0.4.229
+4000.example.		5M IN A		10.0.4.230
+4000.example.		5M IN A		10.0.4.231
+4000.example.		5M IN A		10.0.4.232
+4000.example.		5M IN A		10.0.4.233
+4000.example.		5M IN A		10.0.4.234
+4000.example.		5M IN A		10.0.4.235
+4000.example.		5M IN A		10.0.4.236
+4000.example.		5M IN A		10.0.4.237
+4000.example.		5M IN A		10.0.4.238
+4000.example.		5M IN A		10.0.4.239
+4000.example.		5M IN A		10.0.4.240
+4000.example.		5M IN A		10.0.4.241
+4000.example.		5M IN A		10.0.4.242
+4000.example.		5M IN A		10.0.4.243
+4000.example.		5M IN A		10.0.4.244
+4000.example.		5M IN A		10.0.4.245
+4000.example.		5M IN A		10.0.4.246
+4000.example.		5M IN A		10.0.4.247
+4000.example.		5M IN A		10.0.4.248
+4000.example.		5M IN A		10.0.4.249
+4000.example.		5M IN A		10.0.4.250
+4000.example.		5M IN A		10.0.4.251
+4000.example.		5M IN A		10.0.4.252
+4000.example.		5M IN A		10.0.4.253
+4000.example.		5M IN A		10.0.4.254
+4000.example.		5M IN A		10.0.4.255
+4000.example.		5M IN A		10.0.5.0
+4000.example.		5M IN A		10.0.5.1
+4000.example.		5M IN A		10.0.5.2
+4000.example.		5M IN A		10.0.5.3
+4000.example.		5M IN A		10.0.5.4
+4000.example.		5M IN A		10.0.5.5
+4000.example.		5M IN A		10.0.5.6
+4000.example.		5M IN A		10.0.5.7
+4000.example.		5M IN A		10.0.5.8
+4000.example.		5M IN A		10.0.5.9
+4000.example.		5M IN A		10.0.5.10
+4000.example.		5M IN A		10.0.5.11
+4000.example.		5M IN A		10.0.5.12
+4000.example.		5M IN A		10.0.5.13
+4000.example.		5M IN A		10.0.5.14
+4000.example.		5M IN A		10.0.5.15
+4000.example.		5M IN A		10.0.5.16
+4000.example.		5M IN A		10.0.5.17
+4000.example.		5M IN A		10.0.5.18
+4000.example.		5M IN A		10.0.5.19
+4000.example.		5M IN A		10.0.5.20
+4000.example.		5M IN A		10.0.5.21
+4000.example.		5M IN A		10.0.5.22
+4000.example.		5M IN A		10.0.5.23
+4000.example.		5M IN A		10.0.5.24
+4000.example.		5M IN A		10.0.5.25
+4000.example.		5M IN A		10.0.5.26
+4000.example.		5M IN A		10.0.5.27
+4000.example.		5M IN A		10.0.5.28
+4000.example.		5M IN A		10.0.5.29
+4000.example.		5M IN A		10.0.5.30
+4000.example.		5M IN A		10.0.5.31
+4000.example.		5M IN A		10.0.5.32
+4000.example.		5M IN A		10.0.5.33
+4000.example.		5M IN A		10.0.5.34
+4000.example.		5M IN A		10.0.5.35
+4000.example.		5M IN A		10.0.5.36
+4000.example.		5M IN A		10.0.5.37
+4000.example.		5M IN A		10.0.5.38
+4000.example.		5M IN A		10.0.5.39
+4000.example.		5M IN A		10.0.5.40
+4000.example.		5M IN A		10.0.5.41
+4000.example.		5M IN A		10.0.5.42
+4000.example.		5M IN A		10.0.5.43
+4000.example.		5M IN A		10.0.5.44
+4000.example.		5M IN A		10.0.5.45
+4000.example.		5M IN A		10.0.5.46
+4000.example.		5M IN A		10.0.5.47
+4000.example.		5M IN A		10.0.5.48
+4000.example.		5M IN A		10.0.5.49
+4000.example.		5M IN A		10.0.5.50
+4000.example.		5M IN A		10.0.5.51
+4000.example.		5M IN A		10.0.5.52
+4000.example.		5M IN A		10.0.5.53
+4000.example.		5M IN A		10.0.5.54
+4000.example.		5M IN A		10.0.5.55
+4000.example.		5M IN A		10.0.5.56
+4000.example.		5M IN A		10.0.5.57
+4000.example.		5M IN A		10.0.5.58
+4000.example.		5M IN A		10.0.5.59
+4000.example.		5M IN A		10.0.5.60
+4000.example.		5M IN A		10.0.5.61
+4000.example.		5M IN A		10.0.5.62
+4000.example.		5M IN A		10.0.5.63
+4000.example.		5M IN A		10.0.5.64
+4000.example.		5M IN A		10.0.5.65
+4000.example.		5M IN A		10.0.5.66
+4000.example.		5M IN A		10.0.5.67
+4000.example.		5M IN A		10.0.5.68
+4000.example.		5M IN A		10.0.5.69
+4000.example.		5M IN A		10.0.5.70
+4000.example.		5M IN A		10.0.5.71
+4000.example.		5M IN A		10.0.5.72
+4000.example.		5M IN A		10.0.5.73
+4000.example.		5M IN A		10.0.5.74
+4000.example.		5M IN A		10.0.5.75
+4000.example.		5M IN A		10.0.5.76
+4000.example.		5M IN A		10.0.5.77
+4000.example.		5M IN A		10.0.5.78
+4000.example.		5M IN A		10.0.5.79
+4000.example.		5M IN A		10.0.5.80
+4000.example.		5M IN A		10.0.5.81
+4000.example.		5M IN A		10.0.5.82
+4000.example.		5M IN A		10.0.5.83
+4000.example.		5M IN A		10.0.5.84
+4000.example.		5M IN A		10.0.5.85
+4000.example.		5M IN A		10.0.5.86
+4000.example.		5M IN A		10.0.5.87
+4000.example.		5M IN A		10.0.5.88
+4000.example.		5M IN A		10.0.5.89
+4000.example.		5M IN A		10.0.5.90
+4000.example.		5M IN A		10.0.5.91
+4000.example.		5M IN A		10.0.5.92
+4000.example.		5M IN A		10.0.5.93
+4000.example.		5M IN A		10.0.5.94
+4000.example.		5M IN A		10.0.5.95
+4000.example.		5M IN A		10.0.5.96
+4000.example.		5M IN A		10.0.5.97
+4000.example.		5M IN A		10.0.5.98
+4000.example.		5M IN A		10.0.5.99
+4000.example.		5M IN A		10.0.5.100
+4000.example.		5M IN A		10.0.5.101
+4000.example.		5M IN A		10.0.5.102
+4000.example.		5M IN A		10.0.5.103
+4000.example.		5M IN A		10.0.5.104
+4000.example.		5M IN A		10.0.5.105
+4000.example.		5M IN A		10.0.5.106
+4000.example.		5M IN A		10.0.5.107
+4000.example.		5M IN A		10.0.5.108
+4000.example.		5M IN A		10.0.5.109
+4000.example.		5M IN A		10.0.5.110
+4000.example.		5M IN A		10.0.5.111
+4000.example.		5M IN A		10.0.5.112
+4000.example.		5M IN A		10.0.5.113
+4000.example.		5M IN A		10.0.5.114
+4000.example.		5M IN A		10.0.5.115
+4000.example.		5M IN A		10.0.5.116
+4000.example.		5M IN A		10.0.5.117
+4000.example.		5M IN A		10.0.5.118
+4000.example.		5M IN A		10.0.5.119
+4000.example.		5M IN A		10.0.5.120
+4000.example.		5M IN A		10.0.5.121
+4000.example.		5M IN A		10.0.5.122
+4000.example.		5M IN A		10.0.5.123
+4000.example.		5M IN A		10.0.5.124
+4000.example.		5M IN A		10.0.5.125
+4000.example.		5M IN A		10.0.5.126
+4000.example.		5M IN A		10.0.5.127
+4000.example.		5M IN A		10.0.5.128
+4000.example.		5M IN A		10.0.5.129
+4000.example.		5M IN A		10.0.5.130
+4000.example.		5M IN A		10.0.5.131
+4000.example.		5M IN A		10.0.5.132
+4000.example.		5M IN A		10.0.5.133
+4000.example.		5M IN A		10.0.5.134
+4000.example.		5M IN A		10.0.5.135
+4000.example.		5M IN A		10.0.5.136
+4000.example.		5M IN A		10.0.5.137
+4000.example.		5M IN A		10.0.5.138
+4000.example.		5M IN A		10.0.5.139
+4000.example.		5M IN A		10.0.5.140
+4000.example.		5M IN A		10.0.5.141
+4000.example.		5M IN A		10.0.5.142
+4000.example.		5M IN A		10.0.5.143
+4000.example.		5M IN A		10.0.5.144
+4000.example.		5M IN A		10.0.5.145
+4000.example.		5M IN A		10.0.5.146
+4000.example.		5M IN A		10.0.5.147
+4000.example.		5M IN A		10.0.5.148
+4000.example.		5M IN A		10.0.5.149
+4000.example.		5M IN A		10.0.5.150
+4000.example.		5M IN A		10.0.5.151
+4000.example.		5M IN A		10.0.5.152
+4000.example.		5M IN A		10.0.5.153
+4000.example.		5M IN A		10.0.5.154
+4000.example.		5M IN A		10.0.5.155
+4000.example.		5M IN A		10.0.5.156
+4000.example.		5M IN A		10.0.5.157
+4000.example.		5M IN A		10.0.5.158
+4000.example.		5M IN A		10.0.5.159
+4000.example.		5M IN A		10.0.5.160
+4000.example.		5M IN A		10.0.5.161
+4000.example.		5M IN A		10.0.5.162
+4000.example.		5M IN A		10.0.5.163
+4000.example.		5M IN A		10.0.5.164
+4000.example.		5M IN A		10.0.5.165
+4000.example.		5M IN A		10.0.5.166
+4000.example.		5M IN A		10.0.5.167
+4000.example.		5M IN A		10.0.5.168
+4000.example.		5M IN A		10.0.5.169
+4000.example.		5M IN A		10.0.5.170
+4000.example.		5M IN A		10.0.5.171
+4000.example.		5M IN A		10.0.5.172
+4000.example.		5M IN A		10.0.5.173
+4000.example.		5M IN A		10.0.5.174
+4000.example.		5M IN A		10.0.5.175
+4000.example.		5M IN A		10.0.5.176
+4000.example.		5M IN A		10.0.5.177
+4000.example.		5M IN A		10.0.5.178
+4000.example.		5M IN A		10.0.5.179
+4000.example.		5M IN A		10.0.5.180
+4000.example.		5M IN A		10.0.5.181
+4000.example.		5M IN A		10.0.5.182
+4000.example.		5M IN A		10.0.5.183
+4000.example.		5M IN A		10.0.5.184
+4000.example.		5M IN A		10.0.5.185
+4000.example.		5M IN A		10.0.5.186
+4000.example.		5M IN A		10.0.5.187
+4000.example.		5M IN A		10.0.5.188
+4000.example.		5M IN A		10.0.5.189
+4000.example.		5M IN A		10.0.5.190
+4000.example.		5M IN A		10.0.5.191
+4000.example.		5M IN A		10.0.5.192
+4000.example.		5M IN A		10.0.5.193
+4000.example.		5M IN A		10.0.5.194
+4000.example.		5M IN A		10.0.5.195
+4000.example.		5M IN A		10.0.5.196
+4000.example.		5M IN A		10.0.5.197
+4000.example.		5M IN A		10.0.5.198
+4000.example.		5M IN A		10.0.5.199
+4000.example.		5M IN A		10.0.5.200
+4000.example.		5M IN A		10.0.5.201
+4000.example.		5M IN A		10.0.5.202
+4000.example.		5M IN A		10.0.5.203
+4000.example.		5M IN A		10.0.5.204
+4000.example.		5M IN A		10.0.5.205
+4000.example.		5M IN A		10.0.5.206
+4000.example.		5M IN A		10.0.5.207
+4000.example.		5M IN A		10.0.5.208
+4000.example.		5M IN A		10.0.5.209
+4000.example.		5M IN A		10.0.5.210
+4000.example.		5M IN A		10.0.5.211
+4000.example.		5M IN A		10.0.5.212
+4000.example.		5M IN A		10.0.5.213
+4000.example.		5M IN A		10.0.5.214
+4000.example.		5M IN A		10.0.5.215
+4000.example.		5M IN A		10.0.5.216
+4000.example.		5M IN A		10.0.5.217
+4000.example.		5M IN A		10.0.5.218
+4000.example.		5M IN A		10.0.5.219
+4000.example.		5M IN A		10.0.5.220
+4000.example.		5M IN A		10.0.5.221
+4000.example.		5M IN A		10.0.5.222
+4000.example.		5M IN A		10.0.5.223
+4000.example.		5M IN A		10.0.5.224
+4000.example.		5M IN A		10.0.5.225
+4000.example.		5M IN A		10.0.5.226
+4000.example.		5M IN A		10.0.5.227
+4000.example.		5M IN A		10.0.5.228
+4000.example.		5M IN A		10.0.5.229
+4000.example.		5M IN A		10.0.5.230
+4000.example.		5M IN A		10.0.5.231
+4000.example.		5M IN A		10.0.5.232
+4000.example.		5M IN A		10.0.5.233
+4000.example.		5M IN A		10.0.5.234
+4000.example.		5M IN A		10.0.5.235
+4000.example.		5M IN A		10.0.5.236
+4000.example.		5M IN A		10.0.5.237
+4000.example.		5M IN A		10.0.5.238
+4000.example.		5M IN A		10.0.5.239
+4000.example.		5M IN A		10.0.5.240
+4000.example.		5M IN A		10.0.5.241
+4000.example.		5M IN A		10.0.5.242
+4000.example.		5M IN A		10.0.5.243
+4000.example.		5M IN A		10.0.5.244
+4000.example.		5M IN A		10.0.5.245
+4000.example.		5M IN A		10.0.5.246
+4000.example.		5M IN A		10.0.5.247
+4000.example.		5M IN A		10.0.5.248
+4000.example.		5M IN A		10.0.5.249
+4000.example.		5M IN A		10.0.5.250
+4000.example.		5M IN A		10.0.5.251
+4000.example.		5M IN A		10.0.5.252
+4000.example.		5M IN A		10.0.5.253
+4000.example.		5M IN A		10.0.5.254
+4000.example.		5M IN A		10.0.5.255
+4000.example.		5M IN A		10.0.6.0
+4000.example.		5M IN A		10.0.6.1
+4000.example.		5M IN A		10.0.6.2
+4000.example.		5M IN A		10.0.6.3
+4000.example.		5M IN A		10.0.6.4
+4000.example.		5M IN A		10.0.6.5
+4000.example.		5M IN A		10.0.6.6
+4000.example.		5M IN A		10.0.6.7
+4000.example.		5M IN A		10.0.6.8
+4000.example.		5M IN A		10.0.6.9
+4000.example.		5M IN A		10.0.6.10
+4000.example.		5M IN A		10.0.6.11
+4000.example.		5M IN A		10.0.6.12
+4000.example.		5M IN A		10.0.6.13
+4000.example.		5M IN A		10.0.6.14
+4000.example.		5M IN A		10.0.6.15
+4000.example.		5M IN A		10.0.6.16
+4000.example.		5M IN A		10.0.6.17
+4000.example.		5M IN A		10.0.6.18
+4000.example.		5M IN A		10.0.6.19
+4000.example.		5M IN A		10.0.6.20
+4000.example.		5M IN A		10.0.6.21
+4000.example.		5M IN A		10.0.6.22
+4000.example.		5M IN A		10.0.6.23
+4000.example.		5M IN A		10.0.6.24
+4000.example.		5M IN A		10.0.6.25
+4000.example.		5M IN A		10.0.6.26
+4000.example.		5M IN A		10.0.6.27
+4000.example.		5M IN A		10.0.6.28
+4000.example.		5M IN A		10.0.6.29
+4000.example.		5M IN A		10.0.6.30
+4000.example.		5M IN A		10.0.6.31
+4000.example.		5M IN A		10.0.6.32
+4000.example.		5M IN A		10.0.6.33
+4000.example.		5M IN A		10.0.6.34
+4000.example.		5M IN A		10.0.6.35
+4000.example.		5M IN A		10.0.6.36
+4000.example.		5M IN A		10.0.6.37
+4000.example.		5M IN A		10.0.6.38
+4000.example.		5M IN A		10.0.6.39
+4000.example.		5M IN A		10.0.6.40
+4000.example.		5M IN A		10.0.6.41
+4000.example.		5M IN A		10.0.6.42
+4000.example.		5M IN A		10.0.6.43
+4000.example.		5M IN A		10.0.6.44
+4000.example.		5M IN A		10.0.6.45
+4000.example.		5M IN A		10.0.6.46
+4000.example.		5M IN A		10.0.6.47
+4000.example.		5M IN A		10.0.6.48
+4000.example.		5M IN A		10.0.6.49
+4000.example.		5M IN A		10.0.6.50
+4000.example.		5M IN A		10.0.6.51
+4000.example.		5M IN A		10.0.6.52
+4000.example.		5M IN A		10.0.6.53
+4000.example.		5M IN A		10.0.6.54
+4000.example.		5M IN A		10.0.6.55
+4000.example.		5M IN A		10.0.6.56
+4000.example.		5M IN A		10.0.6.57
+4000.example.		5M IN A		10.0.6.58
+4000.example.		5M IN A		10.0.6.59
+4000.example.		5M IN A		10.0.6.60
+4000.example.		5M IN A		10.0.6.61
+4000.example.		5M IN A		10.0.6.62
+4000.example.		5M IN A		10.0.6.63
+4000.example.		5M IN A		10.0.6.64
+4000.example.		5M IN A		10.0.6.65
+4000.example.		5M IN A		10.0.6.66
+4000.example.		5M IN A		10.0.6.67
+4000.example.		5M IN A		10.0.6.68
+4000.example.		5M IN A		10.0.6.69
+4000.example.		5M IN A		10.0.6.70
+4000.example.		5M IN A		10.0.6.71
+4000.example.		5M IN A		10.0.6.72
+4000.example.		5M IN A		10.0.6.73
+4000.example.		5M IN A		10.0.6.74
+4000.example.		5M IN A		10.0.6.75
+4000.example.		5M IN A		10.0.6.76
+4000.example.		5M IN A		10.0.6.77
+4000.example.		5M IN A		10.0.6.78
+4000.example.		5M IN A		10.0.6.79
+4000.example.		5M IN A		10.0.6.80
+4000.example.		5M IN A		10.0.6.81
+4000.example.		5M IN A		10.0.6.82
+4000.example.		5M IN A		10.0.6.83
+4000.example.		5M IN A		10.0.6.84
+4000.example.		5M IN A		10.0.6.85
+4000.example.		5M IN A		10.0.6.86
+4000.example.		5M IN A		10.0.6.87
+4000.example.		5M IN A		10.0.6.88
+4000.example.		5M IN A		10.0.6.89
+4000.example.		5M IN A		10.0.6.90
+4000.example.		5M IN A		10.0.6.91
+4000.example.		5M IN A		10.0.6.92
+4000.example.		5M IN A		10.0.6.93
+4000.example.		5M IN A		10.0.6.94
+4000.example.		5M IN A		10.0.6.95
+4000.example.		5M IN A		10.0.6.96
+4000.example.		5M IN A		10.0.6.97
+4000.example.		5M IN A		10.0.6.98
+4000.example.		5M IN A		10.0.6.99
+4000.example.		5M IN A		10.0.6.100
+4000.example.		5M IN A		10.0.6.101
+4000.example.		5M IN A		10.0.6.102
+4000.example.		5M IN A		10.0.6.103
+4000.example.		5M IN A		10.0.6.104
+4000.example.		5M IN A		10.0.6.105
+4000.example.		5M IN A		10.0.6.106
+4000.example.		5M IN A		10.0.6.107
+4000.example.		5M IN A		10.0.6.108
+4000.example.		5M IN A		10.0.6.109
+4000.example.		5M IN A		10.0.6.110
+4000.example.		5M IN A		10.0.6.111
+4000.example.		5M IN A		10.0.6.112
+4000.example.		5M IN A		10.0.6.113
+4000.example.		5M IN A		10.0.6.114
+4000.example.		5M IN A		10.0.6.115
+4000.example.		5M IN A		10.0.6.116
+4000.example.		5M IN A		10.0.6.117
+4000.example.		5M IN A		10.0.6.118
+4000.example.		5M IN A		10.0.6.119
+4000.example.		5M IN A		10.0.6.120
+4000.example.		5M IN A		10.0.6.121
+4000.example.		5M IN A		10.0.6.122
+4000.example.		5M IN A		10.0.6.123
+4000.example.		5M IN A		10.0.6.124
+4000.example.		5M IN A		10.0.6.125
+4000.example.		5M IN A		10.0.6.126
+4000.example.		5M IN A		10.0.6.127
+4000.example.		5M IN A		10.0.6.128
+4000.example.		5M IN A		10.0.6.129
+4000.example.		5M IN A		10.0.6.130
+4000.example.		5M IN A		10.0.6.131
+4000.example.		5M IN A		10.0.6.132
+4000.example.		5M IN A		10.0.6.133
+4000.example.		5M IN A		10.0.6.134
+4000.example.		5M IN A		10.0.6.135
+4000.example.		5M IN A		10.0.6.136
+4000.example.		5M IN A		10.0.6.137
+4000.example.		5M IN A		10.0.6.138
+4000.example.		5M IN A		10.0.6.139
+4000.example.		5M IN A		10.0.6.140
+4000.example.		5M IN A		10.0.6.141
+4000.example.		5M IN A		10.0.6.142
+4000.example.		5M IN A		10.0.6.143
+4000.example.		5M IN A		10.0.6.144
+4000.example.		5M IN A		10.0.6.145
+4000.example.		5M IN A		10.0.6.146
+4000.example.		5M IN A		10.0.6.147
+4000.example.		5M IN A		10.0.6.148
+4000.example.		5M IN A		10.0.6.149
+4000.example.		5M IN A		10.0.6.150
+4000.example.		5M IN A		10.0.6.151
+4000.example.		5M IN A		10.0.6.152
+4000.example.		5M IN A		10.0.6.153
+4000.example.		5M IN A		10.0.6.154
+4000.example.		5M IN A		10.0.6.155
+4000.example.		5M IN A		10.0.6.156
+4000.example.		5M IN A		10.0.6.157
+4000.example.		5M IN A		10.0.6.158
+4000.example.		5M IN A		10.0.6.159
+4000.example.		5M IN A		10.0.6.160
+4000.example.		5M IN A		10.0.6.161
+4000.example.		5M IN A		10.0.6.162
+4000.example.		5M IN A		10.0.6.163
+4000.example.		5M IN A		10.0.6.164
+4000.example.		5M IN A		10.0.6.165
+4000.example.		5M IN A		10.0.6.166
+4000.example.		5M IN A		10.0.6.167
+4000.example.		5M IN A		10.0.6.168
+4000.example.		5M IN A		10.0.6.169
+4000.example.		5M IN A		10.0.6.170
+4000.example.		5M IN A		10.0.6.171
+4000.example.		5M IN A		10.0.6.172
+4000.example.		5M IN A		10.0.6.173
+4000.example.		5M IN A		10.0.6.174
+4000.example.		5M IN A		10.0.6.175
+4000.example.		5M IN A		10.0.6.176
+4000.example.		5M IN A		10.0.6.177
+4000.example.		5M IN A		10.0.6.178
+4000.example.		5M IN A		10.0.6.179
+4000.example.		5M IN A		10.0.6.180
+4000.example.		5M IN A		10.0.6.181
+4000.example.		5M IN A		10.0.6.182
+4000.example.		5M IN A		10.0.6.183
+4000.example.		5M IN A		10.0.6.184
+4000.example.		5M IN A		10.0.6.185
+4000.example.		5M IN A		10.0.6.186
+4000.example.		5M IN A		10.0.6.187
+4000.example.		5M IN A		10.0.6.188
+4000.example.		5M IN A		10.0.6.189
+4000.example.		5M IN A		10.0.6.190
+4000.example.		5M IN A		10.0.6.191
+4000.example.		5M IN A		10.0.6.192
+4000.example.		5M IN A		10.0.6.193
+4000.example.		5M IN A		10.0.6.194
+4000.example.		5M IN A		10.0.6.195
+4000.example.		5M IN A		10.0.6.196
+4000.example.		5M IN A		10.0.6.197
+4000.example.		5M IN A		10.0.6.198
+4000.example.		5M IN A		10.0.6.199
+4000.example.		5M IN A		10.0.6.200
+4000.example.		5M IN A		10.0.6.201
+4000.example.		5M IN A		10.0.6.202
+4000.example.		5M IN A		10.0.6.203
+4000.example.		5M IN A		10.0.6.204
+4000.example.		5M IN A		10.0.6.205
+4000.example.		5M IN A		10.0.6.206
+4000.example.		5M IN A		10.0.6.207
+4000.example.		5M IN A		10.0.6.208
+4000.example.		5M IN A		10.0.6.209
+4000.example.		5M IN A		10.0.6.210
+4000.example.		5M IN A		10.0.6.211
+4000.example.		5M IN A		10.0.6.212
+4000.example.		5M IN A		10.0.6.213
+4000.example.		5M IN A		10.0.6.214
+4000.example.		5M IN A		10.0.6.215
+4000.example.		5M IN A		10.0.6.216
+4000.example.		5M IN A		10.0.6.217
+4000.example.		5M IN A		10.0.6.218
+4000.example.		5M IN A		10.0.6.219
+4000.example.		5M IN A		10.0.6.220
+4000.example.		5M IN A		10.0.6.221
+4000.example.		5M IN A		10.0.6.222
+4000.example.		5M IN A		10.0.6.223
+4000.example.		5M IN A		10.0.6.224
+4000.example.		5M IN A		10.0.6.225
+4000.example.		5M IN A		10.0.6.226
+4000.example.		5M IN A		10.0.6.227
+4000.example.		5M IN A		10.0.6.228
+4000.example.		5M IN A		10.0.6.229
+4000.example.		5M IN A		10.0.6.230
+4000.example.		5M IN A		10.0.6.231
+4000.example.		5M IN A		10.0.6.232
+4000.example.		5M IN A		10.0.6.233
+4000.example.		5M IN A		10.0.6.234
+4000.example.		5M IN A		10.0.6.235
+4000.example.		5M IN A		10.0.6.236
+4000.example.		5M IN A		10.0.6.237
+4000.example.		5M IN A		10.0.6.238
+4000.example.		5M IN A		10.0.6.239
+4000.example.		5M IN A		10.0.6.240
+4000.example.		5M IN A		10.0.6.241
+4000.example.		5M IN A		10.0.6.242
+4000.example.		5M IN A		10.0.6.243
+4000.example.		5M IN A		10.0.6.244
+4000.example.		5M IN A		10.0.6.245
+4000.example.		5M IN A		10.0.6.246
+4000.example.		5M IN A		10.0.6.247
+4000.example.		5M IN A		10.0.6.248
+4000.example.		5M IN A		10.0.6.249
+4000.example.		5M IN A		10.0.6.250
+4000.example.		5M IN A		10.0.6.251
+4000.example.		5M IN A		10.0.6.252
+4000.example.		5M IN A		10.0.6.253
+4000.example.		5M IN A		10.0.6.254
+4000.example.		5M IN A		10.0.6.255
+4000.example.		5M IN A		10.0.7.0
+4000.example.		5M IN A		10.0.7.1
+4000.example.		5M IN A		10.0.7.2
+4000.example.		5M IN A		10.0.7.3
+4000.example.		5M IN A		10.0.7.4
+4000.example.		5M IN A		10.0.7.5
+4000.example.		5M IN A		10.0.7.6
+4000.example.		5M IN A		10.0.7.7
+4000.example.		5M IN A		10.0.7.8
+4000.example.		5M IN A		10.0.7.9
+4000.example.		5M IN A		10.0.7.10
+4000.example.		5M IN A		10.0.7.11
+4000.example.		5M IN A		10.0.7.12
+4000.example.		5M IN A		10.0.7.13
+4000.example.		5M IN A		10.0.7.14
+4000.example.		5M IN A		10.0.7.15
+4000.example.		5M IN A		10.0.7.16
+4000.example.		5M IN A		10.0.7.17
+4000.example.		5M IN A		10.0.7.18
+4000.example.		5M IN A		10.0.7.19
+4000.example.		5M IN A		10.0.7.20
+4000.example.		5M IN A		10.0.7.21
+4000.example.		5M IN A		10.0.7.22
+4000.example.		5M IN A		10.0.7.23
+4000.example.		5M IN A		10.0.7.24
+4000.example.		5M IN A		10.0.7.25
+4000.example.		5M IN A		10.0.7.26
+4000.example.		5M IN A		10.0.7.27
+4000.example.		5M IN A		10.0.7.28
+4000.example.		5M IN A		10.0.7.29
+4000.example.		5M IN A		10.0.7.30
+4000.example.		5M IN A		10.0.7.31
+4000.example.		5M IN A		10.0.7.32
+4000.example.		5M IN A		10.0.7.33
+4000.example.		5M IN A		10.0.7.34
+4000.example.		5M IN A		10.0.7.35
+4000.example.		5M IN A		10.0.7.36
+4000.example.		5M IN A		10.0.7.37
+4000.example.		5M IN A		10.0.7.38
+4000.example.		5M IN A		10.0.7.39
+4000.example.		5M IN A		10.0.7.40
+4000.example.		5M IN A		10.0.7.41
+4000.example.		5M IN A		10.0.7.42
+4000.example.		5M IN A		10.0.7.43
+4000.example.		5M IN A		10.0.7.44
+4000.example.		5M IN A		10.0.7.45
+4000.example.		5M IN A		10.0.7.46
+4000.example.		5M IN A		10.0.7.47
+4000.example.		5M IN A		10.0.7.48
+4000.example.		5M IN A		10.0.7.49
+4000.example.		5M IN A		10.0.7.50
+4000.example.		5M IN A		10.0.7.51
+4000.example.		5M IN A		10.0.7.52
+4000.example.		5M IN A		10.0.7.53
+4000.example.		5M IN A		10.0.7.54
+4000.example.		5M IN A		10.0.7.55
+4000.example.		5M IN A		10.0.7.56
+4000.example.		5M IN A		10.0.7.57
+4000.example.		5M IN A		10.0.7.58
+4000.example.		5M IN A		10.0.7.59
+4000.example.		5M IN A		10.0.7.60
+4000.example.		5M IN A		10.0.7.61
+4000.example.		5M IN A		10.0.7.62
+4000.example.		5M IN A		10.0.7.63
+4000.example.		5M IN A		10.0.7.64
+4000.example.		5M IN A		10.0.7.65
+4000.example.		5M IN A		10.0.7.66
+4000.example.		5M IN A		10.0.7.67
+4000.example.		5M IN A		10.0.7.68
+4000.example.		5M IN A		10.0.7.69
+4000.example.		5M IN A		10.0.7.70
+4000.example.		5M IN A		10.0.7.71
+4000.example.		5M IN A		10.0.7.72
+4000.example.		5M IN A		10.0.7.73
+4000.example.		5M IN A		10.0.7.74
+4000.example.		5M IN A		10.0.7.75
+4000.example.		5M IN A		10.0.7.76
+4000.example.		5M IN A		10.0.7.77
+4000.example.		5M IN A		10.0.7.78
+4000.example.		5M IN A		10.0.7.79
+4000.example.		5M IN A		10.0.7.80
+4000.example.		5M IN A		10.0.7.81
+4000.example.		5M IN A		10.0.7.82
+4000.example.		5M IN A		10.0.7.83
+4000.example.		5M IN A		10.0.7.84
+4000.example.		5M IN A		10.0.7.85
+4000.example.		5M IN A		10.0.7.86
+4000.example.		5M IN A		10.0.7.87
+4000.example.		5M IN A		10.0.7.88
+4000.example.		5M IN A		10.0.7.89
+4000.example.		5M IN A		10.0.7.90
+4000.example.		5M IN A		10.0.7.91
+4000.example.		5M IN A		10.0.7.92
+4000.example.		5M IN A		10.0.7.93
+4000.example.		5M IN A		10.0.7.94
+4000.example.		5M IN A		10.0.7.95
+4000.example.		5M IN A		10.0.7.96
+4000.example.		5M IN A		10.0.7.97
+4000.example.		5M IN A		10.0.7.98
+4000.example.		5M IN A		10.0.7.99
+4000.example.		5M IN A		10.0.7.100
+4000.example.		5M IN A		10.0.7.101
+4000.example.		5M IN A		10.0.7.102
+4000.example.		5M IN A		10.0.7.103
+4000.example.		5M IN A		10.0.7.104
+4000.example.		5M IN A		10.0.7.105
+4000.example.		5M IN A		10.0.7.106
+4000.example.		5M IN A		10.0.7.107
+4000.example.		5M IN A		10.0.7.108
+4000.example.		5M IN A		10.0.7.109
+4000.example.		5M IN A		10.0.7.110
+4000.example.		5M IN A		10.0.7.111
+4000.example.		5M IN A		10.0.7.112
+4000.example.		5M IN A		10.0.7.113
+4000.example.		5M IN A		10.0.7.114
+4000.example.		5M IN A		10.0.7.115
+4000.example.		5M IN A		10.0.7.116
+4000.example.		5M IN A		10.0.7.117
+4000.example.		5M IN A		10.0.7.118
+4000.example.		5M IN A		10.0.7.119
+4000.example.		5M IN A		10.0.7.120
+4000.example.		5M IN A		10.0.7.121
+4000.example.		5M IN A		10.0.7.122
+4000.example.		5M IN A		10.0.7.123
+4000.example.		5M IN A		10.0.7.124
+4000.example.		5M IN A		10.0.7.125
+4000.example.		5M IN A		10.0.7.126
+4000.example.		5M IN A		10.0.7.127
+4000.example.		5M IN A		10.0.7.128
+4000.example.		5M IN A		10.0.7.129
+4000.example.		5M IN A		10.0.7.130
+4000.example.		5M IN A		10.0.7.131
+4000.example.		5M IN A		10.0.7.132
+4000.example.		5M IN A		10.0.7.133
+4000.example.		5M IN A		10.0.7.134
+4000.example.		5M IN A		10.0.7.135
+4000.example.		5M IN A		10.0.7.136
+4000.example.		5M IN A		10.0.7.137
+4000.example.		5M IN A		10.0.7.138
+4000.example.		5M IN A		10.0.7.139
+4000.example.		5M IN A		10.0.7.140
+4000.example.		5M IN A		10.0.7.141
+4000.example.		5M IN A		10.0.7.142
+4000.example.		5M IN A		10.0.7.143
+4000.example.		5M IN A		10.0.7.144
+4000.example.		5M IN A		10.0.7.145
+4000.example.		5M IN A		10.0.7.146
+4000.example.		5M IN A		10.0.7.147
+4000.example.		5M IN A		10.0.7.148
+4000.example.		5M IN A		10.0.7.149
+4000.example.		5M IN A		10.0.7.150
+4000.example.		5M IN A		10.0.7.151
+4000.example.		5M IN A		10.0.7.152
+4000.example.		5M IN A		10.0.7.153
+4000.example.		5M IN A		10.0.7.154
+4000.example.		5M IN A		10.0.7.155
+4000.example.		5M IN A		10.0.7.156
+4000.example.		5M IN A		10.0.7.157
+4000.example.		5M IN A		10.0.7.158
+4000.example.		5M IN A		10.0.7.159
+4000.example.		5M IN A		10.0.7.160
+4000.example.		5M IN A		10.0.7.161
+4000.example.		5M IN A		10.0.7.162
+4000.example.		5M IN A		10.0.7.163
+4000.example.		5M IN A		10.0.7.164
+4000.example.		5M IN A		10.0.7.165
+4000.example.		5M IN A		10.0.7.166
+4000.example.		5M IN A		10.0.7.167
+4000.example.		5M IN A		10.0.7.168
+4000.example.		5M IN A		10.0.7.169
+4000.example.		5M IN A		10.0.7.170
+4000.example.		5M IN A		10.0.7.171
+4000.example.		5M IN A		10.0.7.172
+4000.example.		5M IN A		10.0.7.173
+4000.example.		5M IN A		10.0.7.174
+4000.example.		5M IN A		10.0.7.175
+4000.example.		5M IN A		10.0.7.176
+4000.example.		5M IN A		10.0.7.177
+4000.example.		5M IN A		10.0.7.178
+4000.example.		5M IN A		10.0.7.179
+4000.example.		5M IN A		10.0.7.180
+4000.example.		5M IN A		10.0.7.181
+4000.example.		5M IN A		10.0.7.182
+4000.example.		5M IN A		10.0.7.183
+4000.example.		5M IN A		10.0.7.184
+4000.example.		5M IN A		10.0.7.185
+4000.example.		5M IN A		10.0.7.186
+4000.example.		5M IN A		10.0.7.187
+4000.example.		5M IN A		10.0.7.188
+4000.example.		5M IN A		10.0.7.189
+4000.example.		5M IN A		10.0.7.190
+4000.example.		5M IN A		10.0.7.191
+4000.example.		5M IN A		10.0.7.192
+4000.example.		5M IN A		10.0.7.193
+4000.example.		5M IN A		10.0.7.194
+4000.example.		5M IN A		10.0.7.195
+4000.example.		5M IN A		10.0.7.196
+4000.example.		5M IN A		10.0.7.197
+4000.example.		5M IN A		10.0.7.198
+4000.example.		5M IN A		10.0.7.199
+4000.example.		5M IN A		10.0.7.200
+4000.example.		5M IN A		10.0.7.201
+4000.example.		5M IN A		10.0.7.202
+4000.example.		5M IN A		10.0.7.203
+4000.example.		5M IN A		10.0.7.204
+4000.example.		5M IN A		10.0.7.205
+4000.example.		5M IN A		10.0.7.206
+4000.example.		5M IN A		10.0.7.207
+4000.example.		5M IN A		10.0.7.208
+4000.example.		5M IN A		10.0.7.209
+4000.example.		5M IN A		10.0.7.210
+4000.example.		5M IN A		10.0.7.211
+4000.example.		5M IN A		10.0.7.212
+4000.example.		5M IN A		10.0.7.213
+4000.example.		5M IN A		10.0.7.214
+4000.example.		5M IN A		10.0.7.215
+4000.example.		5M IN A		10.0.7.216
+4000.example.		5M IN A		10.0.7.217
+4000.example.		5M IN A		10.0.7.218
+4000.example.		5M IN A		10.0.7.219
+4000.example.		5M IN A		10.0.7.220
+4000.example.		5M IN A		10.0.7.221
+4000.example.		5M IN A		10.0.7.222
+4000.example.		5M IN A		10.0.7.223
+4000.example.		5M IN A		10.0.7.224
+4000.example.		5M IN A		10.0.7.225
+4000.example.		5M IN A		10.0.7.226
+4000.example.		5M IN A		10.0.7.227
+4000.example.		5M IN A		10.0.7.228
+4000.example.		5M IN A		10.0.7.229
+4000.example.		5M IN A		10.0.7.230
+4000.example.		5M IN A		10.0.7.231
+4000.example.		5M IN A		10.0.7.232
+4000.example.		5M IN A		10.0.7.233
+4000.example.		5M IN A		10.0.7.234
+4000.example.		5M IN A		10.0.7.235
+4000.example.		5M IN A		10.0.7.236
+4000.example.		5M IN A		10.0.7.237
+4000.example.		5M IN A		10.0.7.238
+4000.example.		5M IN A		10.0.7.239
+4000.example.		5M IN A		10.0.7.240
+4000.example.		5M IN A		10.0.7.241
+4000.example.		5M IN A		10.0.7.242
+4000.example.		5M IN A		10.0.7.243
+4000.example.		5M IN A		10.0.7.244
+4000.example.		5M IN A		10.0.7.245
+4000.example.		5M IN A		10.0.7.246
+4000.example.		5M IN A		10.0.7.247
+4000.example.		5M IN A		10.0.7.248
+4000.example.		5M IN A		10.0.7.249
+4000.example.		5M IN A		10.0.7.250
+4000.example.		5M IN A		10.0.7.251
+4000.example.		5M IN A		10.0.7.252
+4000.example.		5M IN A		10.0.7.253
+4000.example.		5M IN A		10.0.7.254
+4000.example.		5M IN A		10.0.7.255
+4000.example.		5M IN A		10.0.8.0
+4000.example.		5M IN A		10.0.8.1
+4000.example.		5M IN A		10.0.8.2
+4000.example.		5M IN A		10.0.8.3
+4000.example.		5M IN A		10.0.8.4
+4000.example.		5M IN A		10.0.8.5
+4000.example.		5M IN A		10.0.8.6
+4000.example.		5M IN A		10.0.8.7
+4000.example.		5M IN A		10.0.8.8
+4000.example.		5M IN A		10.0.8.9
+4000.example.		5M IN A		10.0.8.10
+4000.example.		5M IN A		10.0.8.11
+4000.example.		5M IN A		10.0.8.12
+4000.example.		5M IN A		10.0.8.13
+4000.example.		5M IN A		10.0.8.14
+4000.example.		5M IN A		10.0.8.15
+4000.example.		5M IN A		10.0.8.16
+4000.example.		5M IN A		10.0.8.17
+4000.example.		5M IN A		10.0.8.18
+4000.example.		5M IN A		10.0.8.19
+4000.example.		5M IN A		10.0.8.20
+4000.example.		5M IN A		10.0.8.21
+4000.example.		5M IN A		10.0.8.22
+4000.example.		5M IN A		10.0.8.23
+4000.example.		5M IN A		10.0.8.24
+4000.example.		5M IN A		10.0.8.25
+4000.example.		5M IN A		10.0.8.26
+4000.example.		5M IN A		10.0.8.27
+4000.example.		5M IN A		10.0.8.28
+4000.example.		5M IN A		10.0.8.29
+4000.example.		5M IN A		10.0.8.30
+4000.example.		5M IN A		10.0.8.31
+4000.example.		5M IN A		10.0.8.32
+4000.example.		5M IN A		10.0.8.33
+4000.example.		5M IN A		10.0.8.34
+4000.example.		5M IN A		10.0.8.35
+4000.example.		5M IN A		10.0.8.36
+4000.example.		5M IN A		10.0.8.37
+4000.example.		5M IN A		10.0.8.38
+4000.example.		5M IN A		10.0.8.39
+4000.example.		5M IN A		10.0.8.40
+4000.example.		5M IN A		10.0.8.41
+4000.example.		5M IN A		10.0.8.42
+4000.example.		5M IN A		10.0.8.43
+4000.example.		5M IN A		10.0.8.44
+4000.example.		5M IN A		10.0.8.45
+4000.example.		5M IN A		10.0.8.46
+4000.example.		5M IN A		10.0.8.47
+4000.example.		5M IN A		10.0.8.48
+4000.example.		5M IN A		10.0.8.49
+4000.example.		5M IN A		10.0.8.50
+4000.example.		5M IN A		10.0.8.51
+4000.example.		5M IN A		10.0.8.52
+4000.example.		5M IN A		10.0.8.53
+4000.example.		5M IN A		10.0.8.54
+4000.example.		5M IN A		10.0.8.55
+4000.example.		5M IN A		10.0.8.56
+4000.example.		5M IN A		10.0.8.57
+4000.example.		5M IN A		10.0.8.58
+4000.example.		5M IN A		10.0.8.59
+4000.example.		5M IN A		10.0.8.60
+4000.example.		5M IN A		10.0.8.61
+4000.example.		5M IN A		10.0.8.62
+4000.example.		5M IN A		10.0.8.63
+4000.example.		5M IN A		10.0.8.64
+4000.example.		5M IN A		10.0.8.65
+4000.example.		5M IN A		10.0.8.66
+4000.example.		5M IN A		10.0.8.67
+4000.example.		5M IN A		10.0.8.68
+4000.example.		5M IN A		10.0.8.69
+4000.example.		5M IN A		10.0.8.70
+4000.example.		5M IN A		10.0.8.71
+4000.example.		5M IN A		10.0.8.72
+4000.example.		5M IN A		10.0.8.73
+4000.example.		5M IN A		10.0.8.74
+4000.example.		5M IN A		10.0.8.75
+4000.example.		5M IN A		10.0.8.76
+4000.example.		5M IN A		10.0.8.77
+4000.example.		5M IN A		10.0.8.78
+4000.example.		5M IN A		10.0.8.79
+4000.example.		5M IN A		10.0.8.80
+4000.example.		5M IN A		10.0.8.81
+4000.example.		5M IN A		10.0.8.82
+4000.example.		5M IN A		10.0.8.83
+4000.example.		5M IN A		10.0.8.84
+4000.example.		5M IN A		10.0.8.85
+4000.example.		5M IN A		10.0.8.86
+4000.example.		5M IN A		10.0.8.87
+4000.example.		5M IN A		10.0.8.88
+4000.example.		5M IN A		10.0.8.89
+4000.example.		5M IN A		10.0.8.90
+4000.example.		5M IN A		10.0.8.91
+4000.example.		5M IN A		10.0.8.92
+4000.example.		5M IN A		10.0.8.93
+4000.example.		5M IN A		10.0.8.94
+4000.example.		5M IN A		10.0.8.95
+4000.example.		5M IN A		10.0.8.96
+4000.example.		5M IN A		10.0.8.97
+4000.example.		5M IN A		10.0.8.98
+4000.example.		5M IN A		10.0.8.99
+4000.example.		5M IN A		10.0.8.100
+4000.example.		5M IN A		10.0.8.101
+4000.example.		5M IN A		10.0.8.102
+4000.example.		5M IN A		10.0.8.103
+4000.example.		5M IN A		10.0.8.104
+4000.example.		5M IN A		10.0.8.105
+4000.example.		5M IN A		10.0.8.106
+4000.example.		5M IN A		10.0.8.107
+4000.example.		5M IN A		10.0.8.108
+4000.example.		5M IN A		10.0.8.109
+4000.example.		5M IN A		10.0.8.110
+4000.example.		5M IN A		10.0.8.111
+4000.example.		5M IN A		10.0.8.112
+4000.example.		5M IN A		10.0.8.113
+4000.example.		5M IN A		10.0.8.114
+4000.example.		5M IN A		10.0.8.115
+4000.example.		5M IN A		10.0.8.116
+4000.example.		5M IN A		10.0.8.117
+4000.example.		5M IN A		10.0.8.118
+4000.example.		5M IN A		10.0.8.119
+4000.example.		5M IN A		10.0.8.120
+4000.example.		5M IN A		10.0.8.121
+4000.example.		5M IN A		10.0.8.122
+4000.example.		5M IN A		10.0.8.123
+4000.example.		5M IN A		10.0.8.124
+4000.example.		5M IN A		10.0.8.125
+4000.example.		5M IN A		10.0.8.126
+4000.example.		5M IN A		10.0.8.127
+4000.example.		5M IN A		10.0.8.128
+4000.example.		5M IN A		10.0.8.129
+4000.example.		5M IN A		10.0.8.130
+4000.example.		5M IN A		10.0.8.131
+4000.example.		5M IN A		10.0.8.132
+4000.example.		5M IN A		10.0.8.133
+4000.example.		5M IN A		10.0.8.134
+4000.example.		5M IN A		10.0.8.135
+4000.example.		5M IN A		10.0.8.136
+4000.example.		5M IN A		10.0.8.137
+4000.example.		5M IN A		10.0.8.138
+4000.example.		5M IN A		10.0.8.139
+4000.example.		5M IN A		10.0.8.140
+4000.example.		5M IN A		10.0.8.141
+4000.example.		5M IN A		10.0.8.142
+4000.example.		5M IN A		10.0.8.143
+4000.example.		5M IN A		10.0.8.144
+4000.example.		5M IN A		10.0.8.145
+4000.example.		5M IN A		10.0.8.146
+4000.example.		5M IN A		10.0.8.147
+4000.example.		5M IN A		10.0.8.148
+4000.example.		5M IN A		10.0.8.149
+4000.example.		5M IN A		10.0.8.150
+4000.example.		5M IN A		10.0.8.151
+4000.example.		5M IN A		10.0.8.152
+4000.example.		5M IN A		10.0.8.153
+4000.example.		5M IN A		10.0.8.154
+4000.example.		5M IN A		10.0.8.155
+4000.example.		5M IN A		10.0.8.156
+4000.example.		5M IN A		10.0.8.157
+4000.example.		5M IN A		10.0.8.158
+4000.example.		5M IN A		10.0.8.159
+4000.example.		5M IN A		10.0.8.160
+4000.example.		5M IN A		10.0.8.161
+4000.example.		5M IN A		10.0.8.162
+4000.example.		5M IN A		10.0.8.163
+4000.example.		5M IN A		10.0.8.164
+4000.example.		5M IN A		10.0.8.165
+4000.example.		5M IN A		10.0.8.166
+4000.example.		5M IN A		10.0.8.167
+4000.example.		5M IN A		10.0.8.168
+4000.example.		5M IN A		10.0.8.169
+4000.example.		5M IN A		10.0.8.170
+4000.example.		5M IN A		10.0.8.171
+4000.example.		5M IN A		10.0.8.172
+4000.example.		5M IN A		10.0.8.173
+4000.example.		5M IN A		10.0.8.174
+4000.example.		5M IN A		10.0.8.175
+4000.example.		5M IN A		10.0.8.176
+4000.example.		5M IN A		10.0.8.177
+4000.example.		5M IN A		10.0.8.178
+4000.example.		5M IN A		10.0.8.179
+4000.example.		5M IN A		10.0.8.180
+4000.example.		5M IN A		10.0.8.181
+4000.example.		5M IN A		10.0.8.182
+4000.example.		5M IN A		10.0.8.183
+4000.example.		5M IN A		10.0.8.184
+4000.example.		5M IN A		10.0.8.185
+4000.example.		5M IN A		10.0.8.186
+4000.example.		5M IN A		10.0.8.187
+4000.example.		5M IN A		10.0.8.188
+4000.example.		5M IN A		10.0.8.189
+4000.example.		5M IN A		10.0.8.190
+4000.example.		5M IN A		10.0.8.191
+4000.example.		5M IN A		10.0.8.192
+4000.example.		5M IN A		10.0.8.193
+4000.example.		5M IN A		10.0.8.194
+4000.example.		5M IN A		10.0.8.195
+4000.example.		5M IN A		10.0.8.196
+4000.example.		5M IN A		10.0.8.197
+4000.example.		5M IN A		10.0.8.198
+4000.example.		5M IN A		10.0.8.199
+4000.example.		5M IN A		10.0.8.200
+4000.example.		5M IN A		10.0.8.201
+4000.example.		5M IN A		10.0.8.202
+4000.example.		5M IN A		10.0.8.203
+4000.example.		5M IN A		10.0.8.204
+4000.example.		5M IN A		10.0.8.205
+4000.example.		5M IN A		10.0.8.206
+4000.example.		5M IN A		10.0.8.207
+4000.example.		5M IN A		10.0.8.208
+4000.example.		5M IN A		10.0.8.209
+4000.example.		5M IN A		10.0.8.210
+4000.example.		5M IN A		10.0.8.211
+4000.example.		5M IN A		10.0.8.212
+4000.example.		5M IN A		10.0.8.213
+4000.example.		5M IN A		10.0.8.214
+4000.example.		5M IN A		10.0.8.215
+4000.example.		5M IN A		10.0.8.216
+4000.example.		5M IN A		10.0.8.217
+4000.example.		5M IN A		10.0.8.218
+4000.example.		5M IN A		10.0.8.219
+4000.example.		5M IN A		10.0.8.220
+4000.example.		5M IN A		10.0.8.221
+4000.example.		5M IN A		10.0.8.222
+4000.example.		5M IN A		10.0.8.223
+4000.example.		5M IN A		10.0.8.224
+4000.example.		5M IN A		10.0.8.225
+4000.example.		5M IN A		10.0.8.226
+4000.example.		5M IN A		10.0.8.227
+4000.example.		5M IN A		10.0.8.228
+4000.example.		5M IN A		10.0.8.229
+4000.example.		5M IN A		10.0.8.230
+4000.example.		5M IN A		10.0.8.231
+4000.example.		5M IN A		10.0.8.232
+4000.example.		5M IN A		10.0.8.233
+4000.example.		5M IN A		10.0.8.234
+4000.example.		5M IN A		10.0.8.235
+4000.example.		5M IN A		10.0.8.236
+4000.example.		5M IN A		10.0.8.237
+4000.example.		5M IN A		10.0.8.238
+4000.example.		5M IN A		10.0.8.239
+4000.example.		5M IN A		10.0.8.240
+4000.example.		5M IN A		10.0.8.241
+4000.example.		5M IN A		10.0.8.242
+4000.example.		5M IN A		10.0.8.243
+4000.example.		5M IN A		10.0.8.244
+4000.example.		5M IN A		10.0.8.245
+4000.example.		5M IN A		10.0.8.246
+4000.example.		5M IN A		10.0.8.247
+4000.example.		5M IN A		10.0.8.248
+4000.example.		5M IN A		10.0.8.249
+4000.example.		5M IN A		10.0.8.250
+4000.example.		5M IN A		10.0.8.251
+4000.example.		5M IN A		10.0.8.252
+4000.example.		5M IN A		10.0.8.253
+4000.example.		5M IN A		10.0.8.254
+4000.example.		5M IN A		10.0.8.255
+4000.example.		5M IN A		10.0.9.0
+4000.example.		5M IN A		10.0.9.1
+4000.example.		5M IN A		10.0.9.2
+4000.example.		5M IN A		10.0.9.3
+4000.example.		5M IN A		10.0.9.4
+4000.example.		5M IN A		10.0.9.5
+4000.example.		5M IN A		10.0.9.6
+4000.example.		5M IN A		10.0.9.7
+4000.example.		5M IN A		10.0.9.8
+4000.example.		5M IN A		10.0.9.9
+4000.example.		5M IN A		10.0.9.10
+4000.example.		5M IN A		10.0.9.11
+4000.example.		5M IN A		10.0.9.12
+4000.example.		5M IN A		10.0.9.13
+4000.example.		5M IN A		10.0.9.14
+4000.example.		5M IN A		10.0.9.15
+4000.example.		5M IN A		10.0.9.16
+4000.example.		5M IN A		10.0.9.17
+4000.example.		5M IN A		10.0.9.18
+4000.example.		5M IN A		10.0.9.19
+4000.example.		5M IN A		10.0.9.20
+4000.example.		5M IN A		10.0.9.21
+4000.example.		5M IN A		10.0.9.22
+4000.example.		5M IN A		10.0.9.23
+4000.example.		5M IN A		10.0.9.24
+4000.example.		5M IN A		10.0.9.25
+4000.example.		5M IN A		10.0.9.26
+4000.example.		5M IN A		10.0.9.27
+4000.example.		5M IN A		10.0.9.28
+4000.example.		5M IN A		10.0.9.29
+4000.example.		5M IN A		10.0.9.30
+4000.example.		5M IN A		10.0.9.31
+4000.example.		5M IN A		10.0.9.32
+4000.example.		5M IN A		10.0.9.33
+4000.example.		5M IN A		10.0.9.34
+4000.example.		5M IN A		10.0.9.35
+4000.example.		5M IN A		10.0.9.36
+4000.example.		5M IN A		10.0.9.37
+4000.example.		5M IN A		10.0.9.38
+4000.example.		5M IN A		10.0.9.39
+4000.example.		5M IN A		10.0.9.40
+4000.example.		5M IN A		10.0.9.41
+4000.example.		5M IN A		10.0.9.42
+4000.example.		5M IN A		10.0.9.43
+4000.example.		5M IN A		10.0.9.44
+4000.example.		5M IN A		10.0.9.45
+4000.example.		5M IN A		10.0.9.46
+4000.example.		5M IN A		10.0.9.47
+4000.example.		5M IN A		10.0.9.48
+4000.example.		5M IN A		10.0.9.49
+4000.example.		5M IN A		10.0.9.50
+4000.example.		5M IN A		10.0.9.51
+4000.example.		5M IN A		10.0.9.52
+4000.example.		5M IN A		10.0.9.53
+4000.example.		5M IN A		10.0.9.54
+4000.example.		5M IN A		10.0.9.55
+4000.example.		5M IN A		10.0.9.56
+4000.example.		5M IN A		10.0.9.57
+4000.example.		5M IN A		10.0.9.58
+4000.example.		5M IN A		10.0.9.59
+4000.example.		5M IN A		10.0.9.60
+4000.example.		5M IN A		10.0.9.61
+4000.example.		5M IN A		10.0.9.62
+4000.example.		5M IN A		10.0.9.63
+4000.example.		5M IN A		10.0.9.64
+4000.example.		5M IN A		10.0.9.65
+4000.example.		5M IN A		10.0.9.66
+4000.example.		5M IN A		10.0.9.67
+4000.example.		5M IN A		10.0.9.68
+4000.example.		5M IN A		10.0.9.69
+4000.example.		5M IN A		10.0.9.70
+4000.example.		5M IN A		10.0.9.71
+4000.example.		5M IN A		10.0.9.72
+4000.example.		5M IN A		10.0.9.73
+4000.example.		5M IN A		10.0.9.74
+4000.example.		5M IN A		10.0.9.75
+4000.example.		5M IN A		10.0.9.76
+4000.example.		5M IN A		10.0.9.77
+4000.example.		5M IN A		10.0.9.78
+4000.example.		5M IN A		10.0.9.79
+4000.example.		5M IN A		10.0.9.80
+4000.example.		5M IN A		10.0.9.81
+4000.example.		5M IN A		10.0.9.82
+4000.example.		5M IN A		10.0.9.83
+4000.example.		5M IN A		10.0.9.84
+4000.example.		5M IN A		10.0.9.85
+4000.example.		5M IN A		10.0.9.86
+4000.example.		5M IN A		10.0.9.87
+4000.example.		5M IN A		10.0.9.88
+4000.example.		5M IN A		10.0.9.89
+4000.example.		5M IN A		10.0.9.90
+4000.example.		5M IN A		10.0.9.91
+4000.example.		5M IN A		10.0.9.92
+4000.example.		5M IN A		10.0.9.93
+4000.example.		5M IN A		10.0.9.94
+4000.example.		5M IN A		10.0.9.95
+4000.example.		5M IN A		10.0.9.96
+4000.example.		5M IN A		10.0.9.97
+4000.example.		5M IN A		10.0.9.98
+4000.example.		5M IN A		10.0.9.99
+4000.example.		5M IN A		10.0.9.100
+4000.example.		5M IN A		10.0.9.101
+4000.example.		5M IN A		10.0.9.102
+4000.example.		5M IN A		10.0.9.103
+4000.example.		5M IN A		10.0.9.104
+4000.example.		5M IN A		10.0.9.105
+4000.example.		5M IN A		10.0.9.106
+4000.example.		5M IN A		10.0.9.107
+4000.example.		5M IN A		10.0.9.108
+4000.example.		5M IN A		10.0.9.109
+4000.example.		5M IN A		10.0.9.110
+4000.example.		5M IN A		10.0.9.111
+4000.example.		5M IN A		10.0.9.112
+4000.example.		5M IN A		10.0.9.113
+4000.example.		5M IN A		10.0.9.114
+4000.example.		5M IN A		10.0.9.115
+4000.example.		5M IN A		10.0.9.116
+4000.example.		5M IN A		10.0.9.117
+4000.example.		5M IN A		10.0.9.118
+4000.example.		5M IN A		10.0.9.119
+4000.example.		5M IN A		10.0.9.120
+4000.example.		5M IN A		10.0.9.121
+4000.example.		5M IN A		10.0.9.122
+4000.example.		5M IN A		10.0.9.123
+4000.example.		5M IN A		10.0.9.124
+4000.example.		5M IN A		10.0.9.125
+4000.example.		5M IN A		10.0.9.126
+4000.example.		5M IN A		10.0.9.127
+4000.example.		5M IN A		10.0.9.128
+4000.example.		5M IN A		10.0.9.129
+4000.example.		5M IN A		10.0.9.130
+4000.example.		5M IN A		10.0.9.131
+4000.example.		5M IN A		10.0.9.132
+4000.example.		5M IN A		10.0.9.133
+4000.example.		5M IN A		10.0.9.134
+4000.example.		5M IN A		10.0.9.135
+4000.example.		5M IN A		10.0.9.136
+4000.example.		5M IN A		10.0.9.137
+4000.example.		5M IN A		10.0.9.138
+4000.example.		5M IN A		10.0.9.139
+4000.example.		5M IN A		10.0.9.140
+4000.example.		5M IN A		10.0.9.141
+4000.example.		5M IN A		10.0.9.142
+4000.example.		5M IN A		10.0.9.143
+4000.example.		5M IN A		10.0.9.144
+4000.example.		5M IN A		10.0.9.145
+4000.example.		5M IN A		10.0.9.146
+4000.example.		5M IN A		10.0.9.147
+4000.example.		5M IN A		10.0.9.148
+4000.example.		5M IN A		10.0.9.149
+4000.example.		5M IN A		10.0.9.150
+4000.example.		5M IN A		10.0.9.151
+4000.example.		5M IN A		10.0.9.152
+4000.example.		5M IN A		10.0.9.153
+4000.example.		5M IN A		10.0.9.154
+4000.example.		5M IN A		10.0.9.155
+4000.example.		5M IN A		10.0.9.156
+4000.example.		5M IN A		10.0.9.157
+4000.example.		5M IN A		10.0.9.158
+4000.example.		5M IN A		10.0.9.159
+4000.example.		5M IN A		10.0.9.160
+4000.example.		5M IN A		10.0.9.161
+4000.example.		5M IN A		10.0.9.162
+4000.example.		5M IN A		10.0.9.163
+4000.example.		5M IN A		10.0.9.164
+4000.example.		5M IN A		10.0.9.165
+4000.example.		5M IN A		10.0.9.166
+4000.example.		5M IN A		10.0.9.167
+4000.example.		5M IN A		10.0.9.168
+4000.example.		5M IN A		10.0.9.169
+4000.example.		5M IN A		10.0.9.170
+4000.example.		5M IN A		10.0.9.171
+4000.example.		5M IN A		10.0.9.172
+4000.example.		5M IN A		10.0.9.173
+4000.example.		5M IN A		10.0.9.174
+4000.example.		5M IN A		10.0.9.175
+4000.example.		5M IN A		10.0.9.176
+4000.example.		5M IN A		10.0.9.177
+4000.example.		5M IN A		10.0.9.178
+4000.example.		5M IN A		10.0.9.179
+4000.example.		5M IN A		10.0.9.180
+4000.example.		5M IN A		10.0.9.181
+4000.example.		5M IN A		10.0.9.182
+4000.example.		5M IN A		10.0.9.183
+4000.example.		5M IN A		10.0.9.184
+4000.example.		5M IN A		10.0.9.185
+4000.example.		5M IN A		10.0.9.186
+4000.example.		5M IN A		10.0.9.187
+4000.example.		5M IN A		10.0.9.188
+4000.example.		5M IN A		10.0.9.189
+4000.example.		5M IN A		10.0.9.190
+4000.example.		5M IN A		10.0.9.191
+4000.example.		5M IN A		10.0.9.192
+4000.example.		5M IN A		10.0.9.193
+4000.example.		5M IN A		10.0.9.194
+4000.example.		5M IN A		10.0.9.195
+4000.example.		5M IN A		10.0.9.196
+4000.example.		5M IN A		10.0.9.197
+4000.example.		5M IN A		10.0.9.198
+4000.example.		5M IN A		10.0.9.199
+4000.example.		5M IN A		10.0.9.200
+4000.example.		5M IN A		10.0.9.201
+4000.example.		5M IN A		10.0.9.202
+4000.example.		5M IN A		10.0.9.203
+4000.example.		5M IN A		10.0.9.204
+4000.example.		5M IN A		10.0.9.205
+4000.example.		5M IN A		10.0.9.206
+4000.example.		5M IN A		10.0.9.207
+4000.example.		5M IN A		10.0.9.208
+4000.example.		5M IN A		10.0.9.209
+4000.example.		5M IN A		10.0.9.210
+4000.example.		5M IN A		10.0.9.211
+4000.example.		5M IN A		10.0.9.212
+4000.example.		5M IN A		10.0.9.213
+4000.example.		5M IN A		10.0.9.214
+4000.example.		5M IN A		10.0.9.215
+4000.example.		5M IN A		10.0.9.216
+4000.example.		5M IN A		10.0.9.217
+4000.example.		5M IN A		10.0.9.218
+4000.example.		5M IN A		10.0.9.219
+4000.example.		5M IN A		10.0.9.220
+4000.example.		5M IN A		10.0.9.221
+4000.example.		5M IN A		10.0.9.222
+4000.example.		5M IN A		10.0.9.223
+4000.example.		5M IN A		10.0.9.224
+4000.example.		5M IN A		10.0.9.225
+4000.example.		5M IN A		10.0.9.226
+4000.example.		5M IN A		10.0.9.227
+4000.example.		5M IN A		10.0.9.228
+4000.example.		5M IN A		10.0.9.229
+4000.example.		5M IN A		10.0.9.230
+4000.example.		5M IN A		10.0.9.231
+4000.example.		5M IN A		10.0.9.232
+4000.example.		5M IN A		10.0.9.233
+4000.example.		5M IN A		10.0.9.234
+4000.example.		5M IN A		10.0.9.235
+4000.example.		5M IN A		10.0.9.236
+4000.example.		5M IN A		10.0.9.237
+4000.example.		5M IN A		10.0.9.238
+4000.example.		5M IN A		10.0.9.239
+4000.example.		5M IN A		10.0.9.240
+4000.example.		5M IN A		10.0.9.241
+4000.example.		5M IN A		10.0.9.242
+4000.example.		5M IN A		10.0.9.243
+4000.example.		5M IN A		10.0.9.244
+4000.example.		5M IN A		10.0.9.245
+4000.example.		5M IN A		10.0.9.246
+4000.example.		5M IN A		10.0.9.247
+4000.example.		5M IN A		10.0.9.248
+4000.example.		5M IN A		10.0.9.249
+4000.example.		5M IN A		10.0.9.250
+4000.example.		5M IN A		10.0.9.251
+4000.example.		5M IN A		10.0.9.252
+4000.example.		5M IN A		10.0.9.253
+4000.example.		5M IN A		10.0.9.254
+4000.example.		5M IN A		10.0.9.255
+4000.example.		5M IN A		10.0.10.0
+4000.example.		5M IN A		10.0.10.1
+4000.example.		5M IN A		10.0.10.2
+4000.example.		5M IN A		10.0.10.3
+4000.example.		5M IN A		10.0.10.4
+4000.example.		5M IN A		10.0.10.5
+4000.example.		5M IN A		10.0.10.6
+4000.example.		5M IN A		10.0.10.7
+4000.example.		5M IN A		10.0.10.8
+4000.example.		5M IN A		10.0.10.9
+4000.example.		5M IN A		10.0.10.10
+4000.example.		5M IN A		10.0.10.11
+4000.example.		5M IN A		10.0.10.12
+4000.example.		5M IN A		10.0.10.13
+4000.example.		5M IN A		10.0.10.14
+4000.example.		5M IN A		10.0.10.15
+4000.example.		5M IN A		10.0.10.16
+4000.example.		5M IN A		10.0.10.17
+4000.example.		5M IN A		10.0.10.18
+4000.example.		5M IN A		10.0.10.19
+4000.example.		5M IN A		10.0.10.20
+4000.example.		5M IN A		10.0.10.21
+4000.example.		5M IN A		10.0.10.22
+4000.example.		5M IN A		10.0.10.23
+4000.example.		5M IN A		10.0.10.24
+4000.example.		5M IN A		10.0.10.25
+4000.example.		5M IN A		10.0.10.26
+4000.example.		5M IN A		10.0.10.27
+4000.example.		5M IN A		10.0.10.28
+4000.example.		5M IN A		10.0.10.29
+4000.example.		5M IN A		10.0.10.30
+4000.example.		5M IN A		10.0.10.31
+4000.example.		5M IN A		10.0.10.32
+4000.example.		5M IN A		10.0.10.33
+4000.example.		5M IN A		10.0.10.34
+4000.example.		5M IN A		10.0.10.35
+4000.example.		5M IN A		10.0.10.36
+4000.example.		5M IN A		10.0.10.37
+4000.example.		5M IN A		10.0.10.38
+4000.example.		5M IN A		10.0.10.39
+4000.example.		5M IN A		10.0.10.40
+4000.example.		5M IN A		10.0.10.41
+4000.example.		5M IN A		10.0.10.42
+4000.example.		5M IN A		10.0.10.43
+4000.example.		5M IN A		10.0.10.44
+4000.example.		5M IN A		10.0.10.45
+4000.example.		5M IN A		10.0.10.46
+4000.example.		5M IN A		10.0.10.47
+4000.example.		5M IN A		10.0.10.48
+4000.example.		5M IN A		10.0.10.49
+4000.example.		5M IN A		10.0.10.50
+4000.example.		5M IN A		10.0.10.51
+4000.example.		5M IN A		10.0.10.52
+4000.example.		5M IN A		10.0.10.53
+4000.example.		5M IN A		10.0.10.54
+4000.example.		5M IN A		10.0.10.55
+4000.example.		5M IN A		10.0.10.56
+4000.example.		5M IN A		10.0.10.57
+4000.example.		5M IN A		10.0.10.58
+4000.example.		5M IN A		10.0.10.59
+4000.example.		5M IN A		10.0.10.60
+4000.example.		5M IN A		10.0.10.61
+4000.example.		5M IN A		10.0.10.62
+4000.example.		5M IN A		10.0.10.63
+4000.example.		5M IN A		10.0.10.64
+4000.example.		5M IN A		10.0.10.65
+4000.example.		5M IN A		10.0.10.66
+4000.example.		5M IN A		10.0.10.67
+4000.example.		5M IN A		10.0.10.68
+4000.example.		5M IN A		10.0.10.69
+4000.example.		5M IN A		10.0.10.70
+4000.example.		5M IN A		10.0.10.71
+4000.example.		5M IN A		10.0.10.72
+4000.example.		5M IN A		10.0.10.73
+4000.example.		5M IN A		10.0.10.74
+4000.example.		5M IN A		10.0.10.75
+4000.example.		5M IN A		10.0.10.76
+4000.example.		5M IN A		10.0.10.77
+4000.example.		5M IN A		10.0.10.78
+4000.example.		5M IN A		10.0.10.79
+4000.example.		5M IN A		10.0.10.80
+4000.example.		5M IN A		10.0.10.81
+4000.example.		5M IN A		10.0.10.82
+4000.example.		5M IN A		10.0.10.83
+4000.example.		5M IN A		10.0.10.84
+4000.example.		5M IN A		10.0.10.85
+4000.example.		5M IN A		10.0.10.86
+4000.example.		5M IN A		10.0.10.87
+4000.example.		5M IN A		10.0.10.88
+4000.example.		5M IN A		10.0.10.89
+4000.example.		5M IN A		10.0.10.90
+4000.example.		5M IN A		10.0.10.91
+4000.example.		5M IN A		10.0.10.92
+4000.example.		5M IN A		10.0.10.93
+4000.example.		5M IN A		10.0.10.94
+4000.example.		5M IN A		10.0.10.95
+4000.example.		5M IN A		10.0.10.96
+4000.example.		5M IN A		10.0.10.97
+4000.example.		5M IN A		10.0.10.98
+4000.example.		5M IN A		10.0.10.99
+4000.example.		5M IN A		10.0.10.100
+4000.example.		5M IN A		10.0.10.101
+4000.example.		5M IN A		10.0.10.102
+4000.example.		5M IN A		10.0.10.103
+4000.example.		5M IN A		10.0.10.104
+4000.example.		5M IN A		10.0.10.105
+4000.example.		5M IN A		10.0.10.106
+4000.example.		5M IN A		10.0.10.107
+4000.example.		5M IN A		10.0.10.108
+4000.example.		5M IN A		10.0.10.109
+4000.example.		5M IN A		10.0.10.110
+4000.example.		5M IN A		10.0.10.111
+4000.example.		5M IN A		10.0.10.112
+4000.example.		5M IN A		10.0.10.113
+4000.example.		5M IN A		10.0.10.114
+4000.example.		5M IN A		10.0.10.115
+4000.example.		5M IN A		10.0.10.116
+4000.example.		5M IN A		10.0.10.117
+4000.example.		5M IN A		10.0.10.118
+4000.example.		5M IN A		10.0.10.119
+4000.example.		5M IN A		10.0.10.120
+4000.example.		5M IN A		10.0.10.121
+4000.example.		5M IN A		10.0.10.122
+4000.example.		5M IN A		10.0.10.123
+4000.example.		5M IN A		10.0.10.124
+4000.example.		5M IN A		10.0.10.125
+4000.example.		5M IN A		10.0.10.126
+4000.example.		5M IN A		10.0.10.127
+4000.example.		5M IN A		10.0.10.128
+4000.example.		5M IN A		10.0.10.129
+4000.example.		5M IN A		10.0.10.130
+4000.example.		5M IN A		10.0.10.131
+4000.example.		5M IN A		10.0.10.132
+4000.example.		5M IN A		10.0.10.133
+4000.example.		5M IN A		10.0.10.134
+4000.example.		5M IN A		10.0.10.135
+4000.example.		5M IN A		10.0.10.136
+4000.example.		5M IN A		10.0.10.137
+4000.example.		5M IN A		10.0.10.138
+4000.example.		5M IN A		10.0.10.139
+4000.example.		5M IN A		10.0.10.140
+4000.example.		5M IN A		10.0.10.141
+4000.example.		5M IN A		10.0.10.142
+4000.example.		5M IN A		10.0.10.143
+4000.example.		5M IN A		10.0.10.144
+4000.example.		5M IN A		10.0.10.145
+4000.example.		5M IN A		10.0.10.146
+4000.example.		5M IN A		10.0.10.147
+4000.example.		5M IN A		10.0.10.148
+4000.example.		5M IN A		10.0.10.149
+4000.example.		5M IN A		10.0.10.150
+4000.example.		5M IN A		10.0.10.151
+4000.example.		5M IN A		10.0.10.152
+4000.example.		5M IN A		10.0.10.153
+4000.example.		5M IN A		10.0.10.154
+4000.example.		5M IN A		10.0.10.155
+4000.example.		5M IN A		10.0.10.156
+4000.example.		5M IN A		10.0.10.157
+4000.example.		5M IN A		10.0.10.158
+4000.example.		5M IN A		10.0.10.159
+4000.example.		5M IN A		10.0.10.160
+4000.example.		5M IN A		10.0.10.161
+4000.example.		5M IN A		10.0.10.162
+4000.example.		5M IN A		10.0.10.163
+4000.example.		5M IN A		10.0.10.164
+4000.example.		5M IN A		10.0.10.165
+4000.example.		5M IN A		10.0.10.166
+4000.example.		5M IN A		10.0.10.167
+4000.example.		5M IN A		10.0.10.168
+4000.example.		5M IN A		10.0.10.169
+4000.example.		5M IN A		10.0.10.170
+4000.example.		5M IN A		10.0.10.171
+4000.example.		5M IN A		10.0.10.172
+4000.example.		5M IN A		10.0.10.173
+4000.example.		5M IN A		10.0.10.174
+4000.example.		5M IN A		10.0.10.175
+4000.example.		5M IN A		10.0.10.176
+4000.example.		5M IN A		10.0.10.177
+4000.example.		5M IN A		10.0.10.178
+4000.example.		5M IN A		10.0.10.179
+4000.example.		5M IN A		10.0.10.180
+4000.example.		5M IN A		10.0.10.181
+4000.example.		5M IN A		10.0.10.182
+4000.example.		5M IN A		10.0.10.183
+4000.example.		5M IN A		10.0.10.184
+4000.example.		5M IN A		10.0.10.185
+4000.example.		5M IN A		10.0.10.186
+4000.example.		5M IN A		10.0.10.187
+4000.example.		5M IN A		10.0.10.188
+4000.example.		5M IN A		10.0.10.189
+4000.example.		5M IN A		10.0.10.190
+4000.example.		5M IN A		10.0.10.191
+4000.example.		5M IN A		10.0.10.192
+4000.example.		5M IN A		10.0.10.193
+4000.example.		5M IN A		10.0.10.194
+4000.example.		5M IN A		10.0.10.195
+4000.example.		5M IN A		10.0.10.196
+4000.example.		5M IN A		10.0.10.197
+4000.example.		5M IN A		10.0.10.198
+4000.example.		5M IN A		10.0.10.199
+4000.example.		5M IN A		10.0.10.200
+4000.example.		5M IN A		10.0.10.201
+4000.example.		5M IN A		10.0.10.202
+4000.example.		5M IN A		10.0.10.203
+4000.example.		5M IN A		10.0.10.204
+4000.example.		5M IN A		10.0.10.205
+4000.example.		5M IN A		10.0.10.206
+4000.example.		5M IN A		10.0.10.207
+4000.example.		5M IN A		10.0.10.208
+4000.example.		5M IN A		10.0.10.209
+4000.example.		5M IN A		10.0.10.210
+4000.example.		5M IN A		10.0.10.211
+4000.example.		5M IN A		10.0.10.212
+4000.example.		5M IN A		10.0.10.213
+4000.example.		5M IN A		10.0.10.214
+4000.example.		5M IN A		10.0.10.215
+4000.example.		5M IN A		10.0.10.216
+4000.example.		5M IN A		10.0.10.217
+4000.example.		5M IN A		10.0.10.218
+4000.example.		5M IN A		10.0.10.219
+4000.example.		5M IN A		10.0.10.220
+4000.example.		5M IN A		10.0.10.221
+4000.example.		5M IN A		10.0.10.222
+4000.example.		5M IN A		10.0.10.223
+4000.example.		5M IN A		10.0.10.224
+4000.example.		5M IN A		10.0.10.225
+4000.example.		5M IN A		10.0.10.226
+4000.example.		5M IN A		10.0.10.227
+4000.example.		5M IN A		10.0.10.228
+4000.example.		5M IN A		10.0.10.229
+4000.example.		5M IN A		10.0.10.230
+4000.example.		5M IN A		10.0.10.231
+4000.example.		5M IN A		10.0.10.232
+4000.example.		5M IN A		10.0.10.233
+4000.example.		5M IN A		10.0.10.234
+4000.example.		5M IN A		10.0.10.235
+4000.example.		5M IN A		10.0.10.236
+4000.example.		5M IN A		10.0.10.237
+4000.example.		5M IN A		10.0.10.238
+4000.example.		5M IN A		10.0.10.239
+4000.example.		5M IN A		10.0.10.240
+4000.example.		5M IN A		10.0.10.241
+4000.example.		5M IN A		10.0.10.242
+4000.example.		5M IN A		10.0.10.243
+4000.example.		5M IN A		10.0.10.244
+4000.example.		5M IN A		10.0.10.245
+4000.example.		5M IN A		10.0.10.246
+4000.example.		5M IN A		10.0.10.247
+4000.example.		5M IN A		10.0.10.248
+4000.example.		5M IN A		10.0.10.249
+4000.example.		5M IN A		10.0.10.250
+4000.example.		5M IN A		10.0.10.251
+4000.example.		5M IN A		10.0.10.252
+4000.example.		5M IN A		10.0.10.253
+4000.example.		5M IN A		10.0.10.254
+4000.example.		5M IN A		10.0.10.255
+4000.example.		5M IN A		10.0.11.0
+4000.example.		5M IN A		10.0.11.1
+4000.example.		5M IN A		10.0.11.2
+4000.example.		5M IN A		10.0.11.3
+4000.example.		5M IN A		10.0.11.4
+4000.example.		5M IN A		10.0.11.5
+4000.example.		5M IN A		10.0.11.6
+4000.example.		5M IN A		10.0.11.7
+4000.example.		5M IN A		10.0.11.8
+4000.example.		5M IN A		10.0.11.9
+4000.example.		5M IN A		10.0.11.10
+4000.example.		5M IN A		10.0.11.11
+4000.example.		5M IN A		10.0.11.12
+4000.example.		5M IN A		10.0.11.13
+4000.example.		5M IN A		10.0.11.14
+4000.example.		5M IN A		10.0.11.15
+4000.example.		5M IN A		10.0.11.16
+4000.example.		5M IN A		10.0.11.17
+4000.example.		5M IN A		10.0.11.18
+4000.example.		5M IN A		10.0.11.19
+4000.example.		5M IN A		10.0.11.20
+4000.example.		5M IN A		10.0.11.21
+4000.example.		5M IN A		10.0.11.22
+4000.example.		5M IN A		10.0.11.23
+4000.example.		5M IN A		10.0.11.24
+4000.example.		5M IN A		10.0.11.25
+4000.example.		5M IN A		10.0.11.26
+4000.example.		5M IN A		10.0.11.27
+4000.example.		5M IN A		10.0.11.28
+4000.example.		5M IN A		10.0.11.29
+4000.example.		5M IN A		10.0.11.30
+4000.example.		5M IN A		10.0.11.31
+4000.example.		5M IN A		10.0.11.32
+4000.example.		5M IN A		10.0.11.33
+4000.example.		5M IN A		10.0.11.34
+4000.example.		5M IN A		10.0.11.35
+4000.example.		5M IN A		10.0.11.36
+4000.example.		5M IN A		10.0.11.37
+4000.example.		5M IN A		10.0.11.38
+4000.example.		5M IN A		10.0.11.39
+4000.example.		5M IN A		10.0.11.40
+4000.example.		5M IN A		10.0.11.41
+4000.example.		5M IN A		10.0.11.42
+4000.example.		5M IN A		10.0.11.43
+4000.example.		5M IN A		10.0.11.44
+4000.example.		5M IN A		10.0.11.45
+4000.example.		5M IN A		10.0.11.46
+4000.example.		5M IN A		10.0.11.47
+4000.example.		5M IN A		10.0.11.48
+4000.example.		5M IN A		10.0.11.49
+4000.example.		5M IN A		10.0.11.50
+4000.example.		5M IN A		10.0.11.51
+4000.example.		5M IN A		10.0.11.52
+4000.example.		5M IN A		10.0.11.53
+4000.example.		5M IN A		10.0.11.54
+4000.example.		5M IN A		10.0.11.55
+4000.example.		5M IN A		10.0.11.56
+4000.example.		5M IN A		10.0.11.57
+4000.example.		5M IN A		10.0.11.58
+4000.example.		5M IN A		10.0.11.59
+4000.example.		5M IN A		10.0.11.60
+4000.example.		5M IN A		10.0.11.61
+4000.example.		5M IN A		10.0.11.62
+4000.example.		5M IN A		10.0.11.63
+4000.example.		5M IN A		10.0.11.64
+4000.example.		5M IN A		10.0.11.65
+4000.example.		5M IN A		10.0.11.66
+4000.example.		5M IN A		10.0.11.67
+4000.example.		5M IN A		10.0.11.68
+4000.example.		5M IN A		10.0.11.69
+4000.example.		5M IN A		10.0.11.70
+4000.example.		5M IN A		10.0.11.71
+4000.example.		5M IN A		10.0.11.72
+4000.example.		5M IN A		10.0.11.73
+4000.example.		5M IN A		10.0.11.74
+4000.example.		5M IN A		10.0.11.75
+4000.example.		5M IN A		10.0.11.76
+4000.example.		5M IN A		10.0.11.77
+4000.example.		5M IN A		10.0.11.78
+4000.example.		5M IN A		10.0.11.79
+4000.example.		5M IN A		10.0.11.80
+4000.example.		5M IN A		10.0.11.81
+4000.example.		5M IN A		10.0.11.82
+4000.example.		5M IN A		10.0.11.83
+4000.example.		5M IN A		10.0.11.84
+4000.example.		5M IN A		10.0.11.85
+4000.example.		5M IN A		10.0.11.86
+4000.example.		5M IN A		10.0.11.87
+4000.example.		5M IN A		10.0.11.88
+4000.example.		5M IN A		10.0.11.89
+4000.example.		5M IN A		10.0.11.90
+4000.example.		5M IN A		10.0.11.91
+4000.example.		5M IN A		10.0.11.92
+4000.example.		5M IN A		10.0.11.93
+4000.example.		5M IN A		10.0.11.94
+4000.example.		5M IN A		10.0.11.95
+4000.example.		5M IN A		10.0.11.96
+4000.example.		5M IN A		10.0.11.97
+4000.example.		5M IN A		10.0.11.98
+4000.example.		5M IN A		10.0.11.99
+4000.example.		5M IN A		10.0.11.100
+4000.example.		5M IN A		10.0.11.101
+4000.example.		5M IN A		10.0.11.102
+4000.example.		5M IN A		10.0.11.103
+4000.example.		5M IN A		10.0.11.104
+4000.example.		5M IN A		10.0.11.105
+4000.example.		5M IN A		10.0.11.106
+4000.example.		5M IN A		10.0.11.107
+4000.example.		5M IN A		10.0.11.108
+4000.example.		5M IN A		10.0.11.109
+4000.example.		5M IN A		10.0.11.110
+4000.example.		5M IN A		10.0.11.111
+4000.example.		5M IN A		10.0.11.112
+4000.example.		5M IN A		10.0.11.113
+4000.example.		5M IN A		10.0.11.114
+4000.example.		5M IN A		10.0.11.115
+4000.example.		5M IN A		10.0.11.116
+4000.example.		5M IN A		10.0.11.117
+4000.example.		5M IN A		10.0.11.118
+4000.example.		5M IN A		10.0.11.119
+4000.example.		5M IN A		10.0.11.120
+4000.example.		5M IN A		10.0.11.121
+4000.example.		5M IN A		10.0.11.122
+4000.example.		5M IN A		10.0.11.123
+4000.example.		5M IN A		10.0.11.124
+4000.example.		5M IN A		10.0.11.125
+4000.example.		5M IN A		10.0.11.126
+4000.example.		5M IN A		10.0.11.127
+4000.example.		5M IN A		10.0.11.128
+4000.example.		5M IN A		10.0.11.129
+4000.example.		5M IN A		10.0.11.130
+4000.example.		5M IN A		10.0.11.131
+4000.example.		5M IN A		10.0.11.132
+4000.example.		5M IN A		10.0.11.133
+4000.example.		5M IN A		10.0.11.134
+4000.example.		5M IN A		10.0.11.135
+4000.example.		5M IN A		10.0.11.136
+4000.example.		5M IN A		10.0.11.137
+4000.example.		5M IN A		10.0.11.138
+4000.example.		5M IN A		10.0.11.139
+4000.example.		5M IN A		10.0.11.140
+4000.example.		5M IN A		10.0.11.141
+4000.example.		5M IN A		10.0.11.142
+4000.example.		5M IN A		10.0.11.143
+4000.example.		5M IN A		10.0.11.144
+4000.example.		5M IN A		10.0.11.145
+4000.example.		5M IN A		10.0.11.146
+4000.example.		5M IN A		10.0.11.147
+4000.example.		5M IN A		10.0.11.148
+4000.example.		5M IN A		10.0.11.149
+4000.example.		5M IN A		10.0.11.150
+4000.example.		5M IN A		10.0.11.151
+4000.example.		5M IN A		10.0.11.152
+4000.example.		5M IN A		10.0.11.153
+4000.example.		5M IN A		10.0.11.154
+4000.example.		5M IN A		10.0.11.155
+4000.example.		5M IN A		10.0.11.156
+4000.example.		5M IN A		10.0.11.157
+4000.example.		5M IN A		10.0.11.158
+4000.example.		5M IN A		10.0.11.159
+4000.example.		5M IN A		10.0.11.160
+4000.example.		5M IN A		10.0.11.161
+4000.example.		5M IN A		10.0.11.162
+4000.example.		5M IN A		10.0.11.163
+4000.example.		5M IN A		10.0.11.164
+4000.example.		5M IN A		10.0.11.165
+4000.example.		5M IN A		10.0.11.166
+4000.example.		5M IN A		10.0.11.167
+4000.example.		5M IN A		10.0.11.168
+4000.example.		5M IN A		10.0.11.169
+4000.example.		5M IN A		10.0.11.170
+4000.example.		5M IN A		10.0.11.171
+4000.example.		5M IN A		10.0.11.172
+4000.example.		5M IN A		10.0.11.173
+4000.example.		5M IN A		10.0.11.174
+4000.example.		5M IN A		10.0.11.175
+4000.example.		5M IN A		10.0.11.176
+4000.example.		5M IN A		10.0.11.177
+4000.example.		5M IN A		10.0.11.178
+4000.example.		5M IN A		10.0.11.179
+4000.example.		5M IN A		10.0.11.180
+4000.example.		5M IN A		10.0.11.181
+4000.example.		5M IN A		10.0.11.182
+4000.example.		5M IN A		10.0.11.183
+4000.example.		5M IN A		10.0.11.184
+4000.example.		5M IN A		10.0.11.185
+4000.example.		5M IN A		10.0.11.186
+4000.example.		5M IN A		10.0.11.187
+4000.example.		5M IN A		10.0.11.188
+4000.example.		5M IN A		10.0.11.189
+4000.example.		5M IN A		10.0.11.190
+4000.example.		5M IN A		10.0.11.191
+4000.example.		5M IN A		10.0.11.192
+4000.example.		5M IN A		10.0.11.193
+4000.example.		5M IN A		10.0.11.194
+4000.example.		5M IN A		10.0.11.195
+4000.example.		5M IN A		10.0.11.196
+4000.example.		5M IN A		10.0.11.197
+4000.example.		5M IN A		10.0.11.198
+4000.example.		5M IN A		10.0.11.199
+4000.example.		5M IN A		10.0.11.200
+4000.example.		5M IN A		10.0.11.201
+4000.example.		5M IN A		10.0.11.202
+4000.example.		5M IN A		10.0.11.203
+4000.example.		5M IN A		10.0.11.204
+4000.example.		5M IN A		10.0.11.205
+4000.example.		5M IN A		10.0.11.206
+4000.example.		5M IN A		10.0.11.207
+4000.example.		5M IN A		10.0.11.208
+4000.example.		5M IN A		10.0.11.209
+4000.example.		5M IN A		10.0.11.210
+4000.example.		5M IN A		10.0.11.211
+4000.example.		5M IN A		10.0.11.212
+4000.example.		5M IN A		10.0.11.213
+4000.example.		5M IN A		10.0.11.214
+4000.example.		5M IN A		10.0.11.215
+4000.example.		5M IN A		10.0.11.216
+4000.example.		5M IN A		10.0.11.217
+4000.example.		5M IN A		10.0.11.218
+4000.example.		5M IN A		10.0.11.219
+4000.example.		5M IN A		10.0.11.220
+4000.example.		5M IN A		10.0.11.221
+4000.example.		5M IN A		10.0.11.222
+4000.example.		5M IN A		10.0.11.223
+4000.example.		5M IN A		10.0.11.224
+4000.example.		5M IN A		10.0.11.225
+4000.example.		5M IN A		10.0.11.226
+4000.example.		5M IN A		10.0.11.227
+4000.example.		5M IN A		10.0.11.228
+4000.example.		5M IN A		10.0.11.229
+4000.example.		5M IN A		10.0.11.230
+4000.example.		5M IN A		10.0.11.231
+4000.example.		5M IN A		10.0.11.232
+4000.example.		5M IN A		10.0.11.233
+4000.example.		5M IN A		10.0.11.234
+4000.example.		5M IN A		10.0.11.235
+4000.example.		5M IN A		10.0.11.236
+4000.example.		5M IN A		10.0.11.237
+4000.example.		5M IN A		10.0.11.238
+4000.example.		5M IN A		10.0.11.239
+4000.example.		5M IN A		10.0.11.240
+4000.example.		5M IN A		10.0.11.241
+4000.example.		5M IN A		10.0.11.242
+4000.example.		5M IN A		10.0.11.243
+4000.example.		5M IN A		10.0.11.244
+4000.example.		5M IN A		10.0.11.245
+4000.example.		5M IN A		10.0.11.246
+4000.example.		5M IN A		10.0.11.247
+4000.example.		5M IN A		10.0.11.248
+4000.example.		5M IN A		10.0.11.249
+4000.example.		5M IN A		10.0.11.250
+4000.example.		5M IN A		10.0.11.251
+4000.example.		5M IN A		10.0.11.252
+4000.example.		5M IN A		10.0.11.253
+4000.example.		5M IN A		10.0.11.254
+4000.example.		5M IN A		10.0.11.255
+4000.example.		5M IN A		10.0.12.0
+4000.example.		5M IN A		10.0.12.1
+4000.example.		5M IN A		10.0.12.2
+4000.example.		5M IN A		10.0.12.3
+4000.example.		5M IN A		10.0.12.4
+4000.example.		5M IN A		10.0.12.5
+4000.example.		5M IN A		10.0.12.6
+4000.example.		5M IN A		10.0.12.7
+4000.example.		5M IN A		10.0.12.8
+4000.example.		5M IN A		10.0.12.9
+4000.example.		5M IN A		10.0.12.10
+4000.example.		5M IN A		10.0.12.11
+4000.example.		5M IN A		10.0.12.12
+4000.example.		5M IN A		10.0.12.13
+4000.example.		5M IN A		10.0.12.14
+4000.example.		5M IN A		10.0.12.15
+4000.example.		5M IN A		10.0.12.16
+4000.example.		5M IN A		10.0.12.17
+4000.example.		5M IN A		10.0.12.18
+4000.example.		5M IN A		10.0.12.19
+4000.example.		5M IN A		10.0.12.20
+4000.example.		5M IN A		10.0.12.21
+4000.example.		5M IN A		10.0.12.22
+4000.example.		5M IN A		10.0.12.23
+4000.example.		5M IN A		10.0.12.24
+4000.example.		5M IN A		10.0.12.25
+4000.example.		5M IN A		10.0.12.26
+4000.example.		5M IN A		10.0.12.27
+4000.example.		5M IN A		10.0.12.28
+4000.example.		5M IN A		10.0.12.29
+4000.example.		5M IN A		10.0.12.30
+4000.example.		5M IN A		10.0.12.31
+4000.example.		5M IN A		10.0.12.32
+4000.example.		5M IN A		10.0.12.33
+4000.example.		5M IN A		10.0.12.34
+4000.example.		5M IN A		10.0.12.35
+4000.example.		5M IN A		10.0.12.36
+4000.example.		5M IN A		10.0.12.37
+4000.example.		5M IN A		10.0.12.38
+4000.example.		5M IN A		10.0.12.39
+4000.example.		5M IN A		10.0.12.40
+4000.example.		5M IN A		10.0.12.41
+4000.example.		5M IN A		10.0.12.42
+4000.example.		5M IN A		10.0.12.43
+4000.example.		5M IN A		10.0.12.44
+4000.example.		5M IN A		10.0.12.45
+4000.example.		5M IN A		10.0.12.46
+4000.example.		5M IN A		10.0.12.47
+4000.example.		5M IN A		10.0.12.48
+4000.example.		5M IN A		10.0.12.49
+4000.example.		5M IN A		10.0.12.50
+4000.example.		5M IN A		10.0.12.51
+4000.example.		5M IN A		10.0.12.52
+4000.example.		5M IN A		10.0.12.53
+4000.example.		5M IN A		10.0.12.54
+4000.example.		5M IN A		10.0.12.55
+4000.example.		5M IN A		10.0.12.56
+4000.example.		5M IN A		10.0.12.57
+4000.example.		5M IN A		10.0.12.58
+4000.example.		5M IN A		10.0.12.59
+4000.example.		5M IN A		10.0.12.60
+4000.example.		5M IN A		10.0.12.61
+4000.example.		5M IN A		10.0.12.62
+4000.example.		5M IN A		10.0.12.63
+4000.example.		5M IN A		10.0.12.64
+4000.example.		5M IN A		10.0.12.65
+4000.example.		5M IN A		10.0.12.66
+4000.example.		5M IN A		10.0.12.67
+4000.example.		5M IN A		10.0.12.68
+4000.example.		5M IN A		10.0.12.69
+4000.example.		5M IN A		10.0.12.70
+4000.example.		5M IN A		10.0.12.71
+4000.example.		5M IN A		10.0.12.72
+4000.example.		5M IN A		10.0.12.73
+4000.example.		5M IN A		10.0.12.74
+4000.example.		5M IN A		10.0.12.75
+4000.example.		5M IN A		10.0.12.76
+4000.example.		5M IN A		10.0.12.77
+4000.example.		5M IN A		10.0.12.78
+4000.example.		5M IN A		10.0.12.79
+4000.example.		5M IN A		10.0.12.80
+4000.example.		5M IN A		10.0.12.81
+4000.example.		5M IN A		10.0.12.82
+4000.example.		5M IN A		10.0.12.83
+4000.example.		5M IN A		10.0.12.84
+4000.example.		5M IN A		10.0.12.85
+4000.example.		5M IN A		10.0.12.86
+4000.example.		5M IN A		10.0.12.87
+4000.example.		5M IN A		10.0.12.88
+4000.example.		5M IN A		10.0.12.89
+4000.example.		5M IN A		10.0.12.90
+4000.example.		5M IN A		10.0.12.91
+4000.example.		5M IN A		10.0.12.92
+4000.example.		5M IN A		10.0.12.93
+4000.example.		5M IN A		10.0.12.94
+4000.example.		5M IN A		10.0.12.95
+4000.example.		5M IN A		10.0.12.96
+4000.example.		5M IN A		10.0.12.97
+4000.example.		5M IN A		10.0.12.98
+4000.example.		5M IN A		10.0.12.99
+4000.example.		5M IN A		10.0.12.100
+4000.example.		5M IN A		10.0.12.101
+4000.example.		5M IN A		10.0.12.102
+4000.example.		5M IN A		10.0.12.103
+4000.example.		5M IN A		10.0.12.104
+4000.example.		5M IN A		10.0.12.105
+4000.example.		5M IN A		10.0.12.106
+4000.example.		5M IN A		10.0.12.107
+4000.example.		5M IN A		10.0.12.108
+4000.example.		5M IN A		10.0.12.109
+4000.example.		5M IN A		10.0.12.110
+4000.example.		5M IN A		10.0.12.111
+4000.example.		5M IN A		10.0.12.112
+4000.example.		5M IN A		10.0.12.113
+4000.example.		5M IN A		10.0.12.114
+4000.example.		5M IN A		10.0.12.115
+4000.example.		5M IN A		10.0.12.116
+4000.example.		5M IN A		10.0.12.117
+4000.example.		5M IN A		10.0.12.118
+4000.example.		5M IN A		10.0.12.119
+4000.example.		5M IN A		10.0.12.120
+4000.example.		5M IN A		10.0.12.121
+4000.example.		5M IN A		10.0.12.122
+4000.example.		5M IN A		10.0.12.123
+4000.example.		5M IN A		10.0.12.124
+4000.example.		5M IN A		10.0.12.125
+4000.example.		5M IN A		10.0.12.126
+4000.example.		5M IN A		10.0.12.127
+4000.example.		5M IN A		10.0.12.128
+4000.example.		5M IN A		10.0.12.129
+4000.example.		5M IN A		10.0.12.130
+4000.example.		5M IN A		10.0.12.131
+4000.example.		5M IN A		10.0.12.132
+4000.example.		5M IN A		10.0.12.133
+4000.example.		5M IN A		10.0.12.134
+4000.example.		5M IN A		10.0.12.135
+4000.example.		5M IN A		10.0.12.136
+4000.example.		5M IN A		10.0.12.137
+4000.example.		5M IN A		10.0.12.138
+4000.example.		5M IN A		10.0.12.139
+4000.example.		5M IN A		10.0.12.140
+4000.example.		5M IN A		10.0.12.141
+4000.example.		5M IN A		10.0.12.142
+4000.example.		5M IN A		10.0.12.143
+4000.example.		5M IN A		10.0.12.144
+4000.example.		5M IN A		10.0.12.145
+4000.example.		5M IN A		10.0.12.146
+4000.example.		5M IN A		10.0.12.147
+4000.example.		5M IN A		10.0.12.148
+4000.example.		5M IN A		10.0.12.149
+4000.example.		5M IN A		10.0.12.150
+4000.example.		5M IN A		10.0.12.151
+4000.example.		5M IN A		10.0.12.152
+4000.example.		5M IN A		10.0.12.153
+4000.example.		5M IN A		10.0.12.154
+4000.example.		5M IN A		10.0.12.155
+4000.example.		5M IN A		10.0.12.156
+4000.example.		5M IN A		10.0.12.157
+4000.example.		5M IN A		10.0.12.158
+4000.example.		5M IN A		10.0.12.159
+4000.example.		5M IN A		10.0.12.160
+4000.example.		5M IN A		10.0.12.161
+4000.example.		5M IN A		10.0.12.162
+4000.example.		5M IN A		10.0.12.163
+4000.example.		5M IN A		10.0.12.164
+4000.example.		5M IN A		10.0.12.165
+4000.example.		5M IN A		10.0.12.166
+4000.example.		5M IN A		10.0.12.167
+4000.example.		5M IN A		10.0.12.168
+4000.example.		5M IN A		10.0.12.169
+4000.example.		5M IN A		10.0.12.170
+4000.example.		5M IN A		10.0.12.171
+4000.example.		5M IN A		10.0.12.172
+4000.example.		5M IN A		10.0.12.173
+4000.example.		5M IN A		10.0.12.174
+4000.example.		5M IN A		10.0.12.175
+4000.example.		5M IN A		10.0.12.176
+4000.example.		5M IN A		10.0.12.177
+4000.example.		5M IN A		10.0.12.178
+4000.example.		5M IN A		10.0.12.179
+4000.example.		5M IN A		10.0.12.180
+4000.example.		5M IN A		10.0.12.181
+4000.example.		5M IN A		10.0.12.182
+4000.example.		5M IN A		10.0.12.183
+4000.example.		5M IN A		10.0.12.184
+4000.example.		5M IN A		10.0.12.185
+4000.example.		5M IN A		10.0.12.186
+4000.example.		5M IN A		10.0.12.187
+4000.example.		5M IN A		10.0.12.188
+4000.example.		5M IN A		10.0.12.189
+4000.example.		5M IN A		10.0.12.190
+4000.example.		5M IN A		10.0.12.191
+4000.example.		5M IN A		10.0.12.192
+4000.example.		5M IN A		10.0.12.193
+4000.example.		5M IN A		10.0.12.194
+4000.example.		5M IN A		10.0.12.195
+4000.example.		5M IN A		10.0.12.196
+4000.example.		5M IN A		10.0.12.197
+4000.example.		5M IN A		10.0.12.198
+4000.example.		5M IN A		10.0.12.199
+4000.example.		5M IN A		10.0.12.200
+4000.example.		5M IN A		10.0.12.201
+4000.example.		5M IN A		10.0.12.202
+4000.example.		5M IN A		10.0.12.203
+4000.example.		5M IN A		10.0.12.204
+4000.example.		5M IN A		10.0.12.205
+4000.example.		5M IN A		10.0.12.206
+4000.example.		5M IN A		10.0.12.207
+4000.example.		5M IN A		10.0.12.208
+4000.example.		5M IN A		10.0.12.209
+4000.example.		5M IN A		10.0.12.210
+4000.example.		5M IN A		10.0.12.211
+4000.example.		5M IN A		10.0.12.212
+4000.example.		5M IN A		10.0.12.213
+4000.example.		5M IN A		10.0.12.214
+4000.example.		5M IN A		10.0.12.215
+4000.example.		5M IN A		10.0.12.216
+4000.example.		5M IN A		10.0.12.217
+4000.example.		5M IN A		10.0.12.218
+4000.example.		5M IN A		10.0.12.219
+4000.example.		5M IN A		10.0.12.220
+4000.example.		5M IN A		10.0.12.221
+4000.example.		5M IN A		10.0.12.222
+4000.example.		5M IN A		10.0.12.223
+4000.example.		5M IN A		10.0.12.224
+4000.example.		5M IN A		10.0.12.225
+4000.example.		5M IN A		10.0.12.226
+4000.example.		5M IN A		10.0.12.227
+4000.example.		5M IN A		10.0.12.228
+4000.example.		5M IN A		10.0.12.229
+4000.example.		5M IN A		10.0.12.230
+4000.example.		5M IN A		10.0.12.231
+4000.example.		5M IN A		10.0.12.232
+4000.example.		5M IN A		10.0.12.233
+4000.example.		5M IN A		10.0.12.234
+4000.example.		5M IN A		10.0.12.235
+4000.example.		5M IN A		10.0.12.236
+4000.example.		5M IN A		10.0.12.237
+4000.example.		5M IN A		10.0.12.238
+4000.example.		5M IN A		10.0.12.239
+4000.example.		5M IN A		10.0.12.240
+4000.example.		5M IN A		10.0.12.241
+4000.example.		5M IN A		10.0.12.242
+4000.example.		5M IN A		10.0.12.243
+4000.example.		5M IN A		10.0.12.244
+4000.example.		5M IN A		10.0.12.245
+4000.example.		5M IN A		10.0.12.246
+4000.example.		5M IN A		10.0.12.247
+4000.example.		5M IN A		10.0.12.248
+4000.example.		5M IN A		10.0.12.249
+4000.example.		5M IN A		10.0.12.250
+4000.example.		5M IN A		10.0.12.251
+4000.example.		5M IN A		10.0.12.252
+4000.example.		5M IN A		10.0.12.253
+4000.example.		5M IN A		10.0.12.254
+4000.example.		5M IN A		10.0.12.255
+4000.example.		5M IN A		10.0.13.0
+4000.example.		5M IN A		10.0.13.1
+4000.example.		5M IN A		10.0.13.2
+4000.example.		5M IN A		10.0.13.3
+4000.example.		5M IN A		10.0.13.4
+4000.example.		5M IN A		10.0.13.5
+4000.example.		5M IN A		10.0.13.6
+4000.example.		5M IN A		10.0.13.7
+4000.example.		5M IN A		10.0.13.8
+4000.example.		5M IN A		10.0.13.9
+4000.example.		5M IN A		10.0.13.10
+4000.example.		5M IN A		10.0.13.11
+4000.example.		5M IN A		10.0.13.12
+4000.example.		5M IN A		10.0.13.13
+4000.example.		5M IN A		10.0.13.14
+4000.example.		5M IN A		10.0.13.15
+4000.example.		5M IN A		10.0.13.16
+4000.example.		5M IN A		10.0.13.17
+4000.example.		5M IN A		10.0.13.18
+4000.example.		5M IN A		10.0.13.19
+4000.example.		5M IN A		10.0.13.20
+4000.example.		5M IN A		10.0.13.21
+4000.example.		5M IN A		10.0.13.22
+4000.example.		5M IN A		10.0.13.23
+4000.example.		5M IN A		10.0.13.24
+4000.example.		5M IN A		10.0.13.25
+4000.example.		5M IN A		10.0.13.26
+4000.example.		5M IN A		10.0.13.27
+4000.example.		5M IN A		10.0.13.28
+4000.example.		5M IN A		10.0.13.29
+4000.example.		5M IN A		10.0.13.30
+4000.example.		5M IN A		10.0.13.31
+4000.example.		5M IN A		10.0.13.32
+4000.example.		5M IN A		10.0.13.33
+4000.example.		5M IN A		10.0.13.34
+4000.example.		5M IN A		10.0.13.35
+4000.example.		5M IN A		10.0.13.36
+4000.example.		5M IN A		10.0.13.37
+4000.example.		5M IN A		10.0.13.38
+4000.example.		5M IN A		10.0.13.39
+4000.example.		5M IN A		10.0.13.40
+4000.example.		5M IN A		10.0.13.41
+4000.example.		5M IN A		10.0.13.42
+4000.example.		5M IN A		10.0.13.43
+4000.example.		5M IN A		10.0.13.44
+4000.example.		5M IN A		10.0.13.45
+4000.example.		5M IN A		10.0.13.46
+4000.example.		5M IN A		10.0.13.47
+4000.example.		5M IN A		10.0.13.48
+4000.example.		5M IN A		10.0.13.49
+4000.example.		5M IN A		10.0.13.50
+4000.example.		5M IN A		10.0.13.51
+4000.example.		5M IN A		10.0.13.52
+4000.example.		5M IN A		10.0.13.53
+4000.example.		5M IN A		10.0.13.54
+4000.example.		5M IN A		10.0.13.55
+4000.example.		5M IN A		10.0.13.56
+4000.example.		5M IN A		10.0.13.57
+4000.example.		5M IN A		10.0.13.58
+4000.example.		5M IN A		10.0.13.59
+4000.example.		5M IN A		10.0.13.60
+4000.example.		5M IN A		10.0.13.61
+4000.example.		5M IN A		10.0.13.62
+4000.example.		5M IN A		10.0.13.63
+4000.example.		5M IN A		10.0.13.64
+4000.example.		5M IN A		10.0.13.65
+4000.example.		5M IN A		10.0.13.66
+4000.example.		5M IN A		10.0.13.67
+4000.example.		5M IN A		10.0.13.68
+4000.example.		5M IN A		10.0.13.69
+4000.example.		5M IN A		10.0.13.70
+4000.example.		5M IN A		10.0.13.71
+4000.example.		5M IN A		10.0.13.72
+4000.example.		5M IN A		10.0.13.73
+4000.example.		5M IN A		10.0.13.74
+4000.example.		5M IN A		10.0.13.75
+4000.example.		5M IN A		10.0.13.76
+4000.example.		5M IN A		10.0.13.77
+4000.example.		5M IN A		10.0.13.78
+4000.example.		5M IN A		10.0.13.79
+4000.example.		5M IN A		10.0.13.80
+4000.example.		5M IN A		10.0.13.81
+4000.example.		5M IN A		10.0.13.82
+4000.example.		5M IN A		10.0.13.83
+4000.example.		5M IN A		10.0.13.84
+4000.example.		5M IN A		10.0.13.85
+4000.example.		5M IN A		10.0.13.86
+4000.example.		5M IN A		10.0.13.87
+4000.example.		5M IN A		10.0.13.88
+4000.example.		5M IN A		10.0.13.89
+4000.example.		5M IN A		10.0.13.90
+4000.example.		5M IN A		10.0.13.91
+4000.example.		5M IN A		10.0.13.92
+4000.example.		5M IN A		10.0.13.93
+4000.example.		5M IN A		10.0.13.94
+4000.example.		5M IN A		10.0.13.95
+4000.example.		5M IN A		10.0.13.96
+4000.example.		5M IN A		10.0.13.97
+4000.example.		5M IN A		10.0.13.98
+4000.example.		5M IN A		10.0.13.99
+4000.example.		5M IN A		10.0.13.100
+4000.example.		5M IN A		10.0.13.101
+4000.example.		5M IN A		10.0.13.102
+4000.example.		5M IN A		10.0.13.103
+4000.example.		5M IN A		10.0.13.104
+4000.example.		5M IN A		10.0.13.105
+4000.example.		5M IN A		10.0.13.106
+4000.example.		5M IN A		10.0.13.107
+4000.example.		5M IN A		10.0.13.108
+4000.example.		5M IN A		10.0.13.109
+4000.example.		5M IN A		10.0.13.110
+4000.example.		5M IN A		10.0.13.111
+4000.example.		5M IN A		10.0.13.112
+4000.example.		5M IN A		10.0.13.113
+4000.example.		5M IN A		10.0.13.114
+4000.example.		5M IN A		10.0.13.115
+4000.example.		5M IN A		10.0.13.116
+4000.example.		5M IN A		10.0.13.117
+4000.example.		5M IN A		10.0.13.118
+4000.example.		5M IN A		10.0.13.119
+4000.example.		5M IN A		10.0.13.120
+4000.example.		5M IN A		10.0.13.121
+4000.example.		5M IN A		10.0.13.122
+4000.example.		5M IN A		10.0.13.123
+4000.example.		5M IN A		10.0.13.124
+4000.example.		5M IN A		10.0.13.125
+4000.example.		5M IN A		10.0.13.126
+4000.example.		5M IN A		10.0.13.127
+4000.example.		5M IN A		10.0.13.128
+4000.example.		5M IN A		10.0.13.129
+4000.example.		5M IN A		10.0.13.130
+4000.example.		5M IN A		10.0.13.131
+4000.example.		5M IN A		10.0.13.132
+4000.example.		5M IN A		10.0.13.133
+4000.example.		5M IN A		10.0.13.134
+4000.example.		5M IN A		10.0.13.135
+4000.example.		5M IN A		10.0.13.136
+4000.example.		5M IN A		10.0.13.137
+4000.example.		5M IN A		10.0.13.138
+4000.example.		5M IN A		10.0.13.139
+4000.example.		5M IN A		10.0.13.140
+4000.example.		5M IN A		10.0.13.141
+4000.example.		5M IN A		10.0.13.142
+4000.example.		5M IN A		10.0.13.143
+4000.example.		5M IN A		10.0.13.144
+4000.example.		5M IN A		10.0.13.145
+4000.example.		5M IN A		10.0.13.146
+4000.example.		5M IN A		10.0.13.147
+4000.example.		5M IN A		10.0.13.148
+4000.example.		5M IN A		10.0.13.149
+4000.example.		5M IN A		10.0.13.150
+4000.example.		5M IN A		10.0.13.151
+4000.example.		5M IN A		10.0.13.152
+4000.example.		5M IN A		10.0.13.153
+4000.example.		5M IN A		10.0.13.154
+4000.example.		5M IN A		10.0.13.155
+4000.example.		5M IN A		10.0.13.156
+4000.example.		5M IN A		10.0.13.157
+4000.example.		5M IN A		10.0.13.158
+4000.example.		5M IN A		10.0.13.159
+4000.example.		5M IN A		10.0.13.160
+4000.example.		5M IN A		10.0.13.161
+4000.example.		5M IN A		10.0.13.162
+4000.example.		5M IN A		10.0.13.163
+4000.example.		5M IN A		10.0.13.164
+4000.example.		5M IN A		10.0.13.165
+4000.example.		5M IN A		10.0.13.166
+4000.example.		5M IN A		10.0.13.167
+4000.example.		5M IN A		10.0.13.168
+4000.example.		5M IN A		10.0.13.169
+4000.example.		5M IN A		10.0.13.170
+4000.example.		5M IN A		10.0.13.171
+4000.example.		5M IN A		10.0.13.172
+4000.example.		5M IN A		10.0.13.173
+4000.example.		5M IN A		10.0.13.174
+4000.example.		5M IN A		10.0.13.175
+4000.example.		5M IN A		10.0.13.176
+4000.example.		5M IN A		10.0.13.177
+4000.example.		5M IN A		10.0.13.178
+4000.example.		5M IN A		10.0.13.179
+4000.example.		5M IN A		10.0.13.180
+4000.example.		5M IN A		10.0.13.181
+4000.example.		5M IN A		10.0.13.182
+4000.example.		5M IN A		10.0.13.183
+4000.example.		5M IN A		10.0.13.184
+4000.example.		5M IN A		10.0.13.185
+4000.example.		5M IN A		10.0.13.186
+4000.example.		5M IN A		10.0.13.187
+4000.example.		5M IN A		10.0.13.188
+4000.example.		5M IN A		10.0.13.189
+4000.example.		5M IN A		10.0.13.190
+4000.example.		5M IN A		10.0.13.191
+4000.example.		5M IN A		10.0.13.192
+4000.example.		5M IN A		10.0.13.193
+4000.example.		5M IN A		10.0.13.194
+4000.example.		5M IN A		10.0.13.195
+4000.example.		5M IN A		10.0.13.196
+4000.example.		5M IN A		10.0.13.197
+4000.example.		5M IN A		10.0.13.198
+4000.example.		5M IN A		10.0.13.199
+4000.example.		5M IN A		10.0.13.200
+4000.example.		5M IN A		10.0.13.201
+4000.example.		5M IN A		10.0.13.202
+4000.example.		5M IN A		10.0.13.203
+4000.example.		5M IN A		10.0.13.204
+4000.example.		5M IN A		10.0.13.205
+4000.example.		5M IN A		10.0.13.206
+4000.example.		5M IN A		10.0.13.207
+4000.example.		5M IN A		10.0.13.208
+4000.example.		5M IN A		10.0.13.209
+4000.example.		5M IN A		10.0.13.210
+4000.example.		5M IN A		10.0.13.211
+4000.example.		5M IN A		10.0.13.212
+4000.example.		5M IN A		10.0.13.213
+4000.example.		5M IN A		10.0.13.214
+4000.example.		5M IN A		10.0.13.215
+4000.example.		5M IN A		10.0.13.216
+4000.example.		5M IN A		10.0.13.217
+4000.example.		5M IN A		10.0.13.218
+4000.example.		5M IN A		10.0.13.219
+4000.example.		5M IN A		10.0.13.220
+4000.example.		5M IN A		10.0.13.221
+4000.example.		5M IN A		10.0.13.222
+4000.example.		5M IN A		10.0.13.223
+4000.example.		5M IN A		10.0.13.224
+4000.example.		5M IN A		10.0.13.225
+4000.example.		5M IN A		10.0.13.226
+4000.example.		5M IN A		10.0.13.227
+4000.example.		5M IN A		10.0.13.228
+4000.example.		5M IN A		10.0.13.229
+4000.example.		5M IN A		10.0.13.230
+4000.example.		5M IN A		10.0.13.231
+4000.example.		5M IN A		10.0.13.232
+4000.example.		5M IN A		10.0.13.233
+4000.example.		5M IN A		10.0.13.234
+4000.example.		5M IN A		10.0.13.235
+4000.example.		5M IN A		10.0.13.236
+4000.example.		5M IN A		10.0.13.237
+4000.example.		5M IN A		10.0.13.238
+4000.example.		5M IN A		10.0.13.239
+4000.example.		5M IN A		10.0.13.240
+4000.example.		5M IN A		10.0.13.241
+4000.example.		5M IN A		10.0.13.242
+4000.example.		5M IN A		10.0.13.243
+4000.example.		5M IN A		10.0.13.244
+4000.example.		5M IN A		10.0.13.245
+4000.example.		5M IN A		10.0.13.246
+4000.example.		5M IN A		10.0.13.247
+4000.example.		5M IN A		10.0.13.248
+4000.example.		5M IN A		10.0.13.249
+4000.example.		5M IN A		10.0.13.250
+4000.example.		5M IN A		10.0.13.251
+4000.example.		5M IN A		10.0.13.252
+4000.example.		5M IN A		10.0.13.253
+4000.example.		5M IN A		10.0.13.254
+4000.example.		5M IN A		10.0.13.255
+4000.example.		5M IN A		10.0.14.0
+4000.example.		5M IN A		10.0.14.1
+4000.example.		5M IN A		10.0.14.2
+4000.example.		5M IN A		10.0.14.3
+4000.example.		5M IN A		10.0.14.4
+4000.example.		5M IN A		10.0.14.5
+4000.example.		5M IN A		10.0.14.6
+4000.example.		5M IN A		10.0.14.7
+4000.example.		5M IN A		10.0.14.8
+4000.example.		5M IN A		10.0.14.9
+4000.example.		5M IN A		10.0.14.10
+4000.example.		5M IN A		10.0.14.11
+4000.example.		5M IN A		10.0.14.12
+4000.example.		5M IN A		10.0.14.13
+4000.example.		5M IN A		10.0.14.14
+4000.example.		5M IN A		10.0.14.15
+4000.example.		5M IN A		10.0.14.16
+4000.example.		5M IN A		10.0.14.17
+4000.example.		5M IN A		10.0.14.18
+4000.example.		5M IN A		10.0.14.19
+4000.example.		5M IN A		10.0.14.20
+4000.example.		5M IN A		10.0.14.21
+4000.example.		5M IN A		10.0.14.22
+4000.example.		5M IN A		10.0.14.23
+4000.example.		5M IN A		10.0.14.24
+4000.example.		5M IN A		10.0.14.25
+4000.example.		5M IN A		10.0.14.26
+4000.example.		5M IN A		10.0.14.27
+4000.example.		5M IN A		10.0.14.28
+4000.example.		5M IN A		10.0.14.29
+4000.example.		5M IN A		10.0.14.30
+4000.example.		5M IN A		10.0.14.31
+4000.example.		5M IN A		10.0.14.32
+4000.example.		5M IN A		10.0.14.33
+4000.example.		5M IN A		10.0.14.34
+4000.example.		5M IN A		10.0.14.35
+4000.example.		5M IN A		10.0.14.36
+4000.example.		5M IN A		10.0.14.37
+4000.example.		5M IN A		10.0.14.38
+4000.example.		5M IN A		10.0.14.39
+4000.example.		5M IN A		10.0.14.40
+4000.example.		5M IN A		10.0.14.41
+4000.example.		5M IN A		10.0.14.42
+4000.example.		5M IN A		10.0.14.43
+4000.example.		5M IN A		10.0.14.44
+4000.example.		5M IN A		10.0.14.45
+4000.example.		5M IN A		10.0.14.46
+4000.example.		5M IN A		10.0.14.47
+4000.example.		5M IN A		10.0.14.48
+4000.example.		5M IN A		10.0.14.49
+4000.example.		5M IN A		10.0.14.50
+4000.example.		5M IN A		10.0.14.51
+4000.example.		5M IN A		10.0.14.52
+4000.example.		5M IN A		10.0.14.53
+4000.example.		5M IN A		10.0.14.54
+4000.example.		5M IN A		10.0.14.55
+4000.example.		5M IN A		10.0.14.56
+4000.example.		5M IN A		10.0.14.57
+4000.example.		5M IN A		10.0.14.58
+4000.example.		5M IN A		10.0.14.59
+4000.example.		5M IN A		10.0.14.60
+4000.example.		5M IN A		10.0.14.61
+4000.example.		5M IN A		10.0.14.62
+4000.example.		5M IN A		10.0.14.63
+4000.example.		5M IN A		10.0.14.64
+4000.example.		5M IN A		10.0.14.65
+4000.example.		5M IN A		10.0.14.66
+4000.example.		5M IN A		10.0.14.67
+4000.example.		5M IN A		10.0.14.68
+4000.example.		5M IN A		10.0.14.69
+4000.example.		5M IN A		10.0.14.70
+4000.example.		5M IN A		10.0.14.71
+4000.example.		5M IN A		10.0.14.72
+4000.example.		5M IN A		10.0.14.73
+4000.example.		5M IN A		10.0.14.74
+4000.example.		5M IN A		10.0.14.75
+4000.example.		5M IN A		10.0.14.76
+4000.example.		5M IN A		10.0.14.77
+4000.example.		5M IN A		10.0.14.78
+4000.example.		5M IN A		10.0.14.79
+4000.example.		5M IN A		10.0.14.80
+4000.example.		5M IN A		10.0.14.81
+4000.example.		5M IN A		10.0.14.82
+4000.example.		5M IN A		10.0.14.83
+4000.example.		5M IN A		10.0.14.84
+4000.example.		5M IN A		10.0.14.85
+4000.example.		5M IN A		10.0.14.86
+4000.example.		5M IN A		10.0.14.87
+4000.example.		5M IN A		10.0.14.88
+4000.example.		5M IN A		10.0.14.89
+4000.example.		5M IN A		10.0.14.90
+4000.example.		5M IN A		10.0.14.91
+4000.example.		5M IN A		10.0.14.92
+4000.example.		5M IN A		10.0.14.93
+4000.example.		5M IN A		10.0.14.94
+4000.example.		5M IN A		10.0.14.95
+4000.example.		5M IN A		10.0.14.96
+4000.example.		5M IN A		10.0.14.97
+4000.example.		5M IN A		10.0.14.98
+4000.example.		5M IN A		10.0.14.99
+4000.example.		5M IN A		10.0.14.100
+4000.example.		5M IN A		10.0.14.101
+4000.example.		5M IN A		10.0.14.102
+4000.example.		5M IN A		10.0.14.103
+4000.example.		5M IN A		10.0.14.104
+4000.example.		5M IN A		10.0.14.105
+4000.example.		5M IN A		10.0.14.106
+4000.example.		5M IN A		10.0.14.107
+4000.example.		5M IN A		10.0.14.108
+4000.example.		5M IN A		10.0.14.109
+4000.example.		5M IN A		10.0.14.110
+4000.example.		5M IN A		10.0.14.111
+4000.example.		5M IN A		10.0.14.112
+4000.example.		5M IN A		10.0.14.113
+4000.example.		5M IN A		10.0.14.114
+4000.example.		5M IN A		10.0.14.115
+4000.example.		5M IN A		10.0.14.116
+4000.example.		5M IN A		10.0.14.117
+4000.example.		5M IN A		10.0.14.118
+4000.example.		5M IN A		10.0.14.119
+4000.example.		5M IN A		10.0.14.120
+4000.example.		5M IN A		10.0.14.121
+4000.example.		5M IN A		10.0.14.122
+4000.example.		5M IN A		10.0.14.123
+4000.example.		5M IN A		10.0.14.124
+4000.example.		5M IN A		10.0.14.125
+4000.example.		5M IN A		10.0.14.126
+4000.example.		5M IN A		10.0.14.127
+4000.example.		5M IN A		10.0.14.128
+4000.example.		5M IN A		10.0.14.129
+4000.example.		5M IN A		10.0.14.130
+4000.example.		5M IN A		10.0.14.131
+4000.example.		5M IN A		10.0.14.132
+4000.example.		5M IN A		10.0.14.133
+4000.example.		5M IN A		10.0.14.134
+4000.example.		5M IN A		10.0.14.135
+4000.example.		5M IN A		10.0.14.136
+4000.example.		5M IN A		10.0.14.137
+4000.example.		5M IN A		10.0.14.138
+4000.example.		5M IN A		10.0.14.139
+4000.example.		5M IN A		10.0.14.140
+4000.example.		5M IN A		10.0.14.141
+4000.example.		5M IN A		10.0.14.142
+4000.example.		5M IN A		10.0.14.143
+4000.example.		5M IN A		10.0.14.144
+4000.example.		5M IN A		10.0.14.145
+4000.example.		5M IN A		10.0.14.146
+4000.example.		5M IN A		10.0.14.147
+4000.example.		5M IN A		10.0.14.148
+4000.example.		5M IN A		10.0.14.149
+4000.example.		5M IN A		10.0.14.150
+4000.example.		5M IN A		10.0.14.151
+4000.example.		5M IN A		10.0.14.152
+4000.example.		5M IN A		10.0.14.153
+4000.example.		5M IN A		10.0.14.154
+4000.example.		5M IN A		10.0.14.155
+4000.example.		5M IN A		10.0.14.156
+4000.example.		5M IN A		10.0.14.157
+4000.example.		5M IN A		10.0.14.158
+4000.example.		5M IN A		10.0.14.159
+4000.example.		5M IN A		10.0.14.160
+4000.example.		5M IN A		10.0.14.161
+4000.example.		5M IN A		10.0.14.162
+4000.example.		5M IN A		10.0.14.163
+4000.example.		5M IN A		10.0.14.164
+4000.example.		5M IN A		10.0.14.165
+4000.example.		5M IN A		10.0.14.166
+4000.example.		5M IN A		10.0.14.167
+4000.example.		5M IN A		10.0.14.168
+4000.example.		5M IN A		10.0.14.169
+4000.example.		5M IN A		10.0.14.170
+4000.example.		5M IN A		10.0.14.171
+4000.example.		5M IN A		10.0.14.172
+4000.example.		5M IN A		10.0.14.173
+4000.example.		5M IN A		10.0.14.174
+4000.example.		5M IN A		10.0.14.175
+4000.example.		5M IN A		10.0.14.176
+4000.example.		5M IN A		10.0.14.177
+4000.example.		5M IN A		10.0.14.178
+4000.example.		5M IN A		10.0.14.179
+4000.example.		5M IN A		10.0.14.180
+4000.example.		5M IN A		10.0.14.181
+4000.example.		5M IN A		10.0.14.182
+4000.example.		5M IN A		10.0.14.183
+4000.example.		5M IN A		10.0.14.184
+4000.example.		5M IN A		10.0.14.185
+4000.example.		5M IN A		10.0.14.186
+4000.example.		5M IN A		10.0.14.187
+4000.example.		5M IN A		10.0.14.188
+4000.example.		5M IN A		10.0.14.189
+4000.example.		5M IN A		10.0.14.190
+4000.example.		5M IN A		10.0.14.191
+4000.example.		5M IN A		10.0.14.192
+4000.example.		5M IN A		10.0.14.193
+4000.example.		5M IN A		10.0.14.194
+4000.example.		5M IN A		10.0.14.195
+4000.example.		5M IN A		10.0.14.196
+4000.example.		5M IN A		10.0.14.197
+4000.example.		5M IN A		10.0.14.198
+4000.example.		5M IN A		10.0.14.199
+4000.example.		5M IN A		10.0.14.200
+4000.example.		5M IN A		10.0.14.201
+4000.example.		5M IN A		10.0.14.202
+4000.example.		5M IN A		10.0.14.203
+4000.example.		5M IN A		10.0.14.204
+4000.example.		5M IN A		10.0.14.205
+4000.example.		5M IN A		10.0.14.206
+4000.example.		5M IN A		10.0.14.207
+4000.example.		5M IN A		10.0.14.208
+4000.example.		5M IN A		10.0.14.209
+4000.example.		5M IN A		10.0.14.210
+4000.example.		5M IN A		10.0.14.211
+4000.example.		5M IN A		10.0.14.212
+4000.example.		5M IN A		10.0.14.213
+4000.example.		5M IN A		10.0.14.214
+4000.example.		5M IN A		10.0.14.215
+4000.example.		5M IN A		10.0.14.216
+4000.example.		5M IN A		10.0.14.217
+4000.example.		5M IN A		10.0.14.218
+4000.example.		5M IN A		10.0.14.219
+4000.example.		5M IN A		10.0.14.220
+4000.example.		5M IN A		10.0.14.221
+4000.example.		5M IN A		10.0.14.222
+4000.example.		5M IN A		10.0.14.223
+4000.example.		5M IN A		10.0.14.224
+4000.example.		5M IN A		10.0.14.225
+4000.example.		5M IN A		10.0.14.226
+4000.example.		5M IN A		10.0.14.227
+4000.example.		5M IN A		10.0.14.228
+4000.example.		5M IN A		10.0.14.229
+4000.example.		5M IN A		10.0.14.230
+4000.example.		5M IN A		10.0.14.231
+4000.example.		5M IN A		10.0.14.232
+4000.example.		5M IN A		10.0.14.233
+4000.example.		5M IN A		10.0.14.234
+4000.example.		5M IN A		10.0.14.235
+4000.example.		5M IN A		10.0.14.236
+4000.example.		5M IN A		10.0.14.237
+4000.example.		5M IN A		10.0.14.238
+4000.example.		5M IN A		10.0.14.239
+4000.example.		5M IN A		10.0.14.240
+4000.example.		5M IN A		10.0.14.241
+4000.example.		5M IN A		10.0.14.242
+4000.example.		5M IN A		10.0.14.243
+4000.example.		5M IN A		10.0.14.244
+4000.example.		5M IN A		10.0.14.245
+4000.example.		5M IN A		10.0.14.246
+4000.example.		5M IN A		10.0.14.247
+4000.example.		5M IN A		10.0.14.248
+4000.example.		5M IN A		10.0.14.249
+4000.example.		5M IN A		10.0.14.250
+4000.example.		5M IN A		10.0.14.251
+4000.example.		5M IN A		10.0.14.252
+4000.example.		5M IN A		10.0.14.253
+4000.example.		5M IN A		10.0.14.254
+4000.example.		5M IN A		10.0.14.255
+4000.example.		5M IN A		10.0.15.0
+4000.example.		5M IN A		10.0.15.1
+4000.example.		5M IN A		10.0.15.2
+4000.example.		5M IN A		10.0.15.3
+4000.example.		5M IN A		10.0.15.4
+4000.example.		5M IN A		10.0.15.5
+4000.example.		5M IN A		10.0.15.6
+4000.example.		5M IN A		10.0.15.7
+4000.example.		5M IN A		10.0.15.8
+4000.example.		5M IN A		10.0.15.9
+4000.example.		5M IN A		10.0.15.10
+4000.example.		5M IN A		10.0.15.11
+4000.example.		5M IN A		10.0.15.12
+4000.example.		5M IN A		10.0.15.13
+4000.example.		5M IN A		10.0.15.14
+4000.example.		5M IN A		10.0.15.15
+4000.example.		5M IN A		10.0.15.16
+4000.example.		5M IN A		10.0.15.17
+4000.example.		5M IN A		10.0.15.18
+4000.example.		5M IN A		10.0.15.19
+4000.example.		5M IN A		10.0.15.20
+4000.example.		5M IN A		10.0.15.21
+4000.example.		5M IN A		10.0.15.22
+4000.example.		5M IN A		10.0.15.23
+4000.example.		5M IN A		10.0.15.24
+4000.example.		5M IN A		10.0.15.25
+4000.example.		5M IN A		10.0.15.26
+4000.example.		5M IN A		10.0.15.27
+4000.example.		5M IN A		10.0.15.28
+4000.example.		5M IN A		10.0.15.29
+4000.example.		5M IN A		10.0.15.30
+4000.example.		5M IN A		10.0.15.31
+4000.example.		5M IN A		10.0.15.32
+4000.example.		5M IN A		10.0.15.33
+4000.example.		5M IN A		10.0.15.34
+4000.example.		5M IN A		10.0.15.35
+4000.example.		5M IN A		10.0.15.36
+4000.example.		5M IN A		10.0.15.37
+4000.example.		5M IN A		10.0.15.38
+4000.example.		5M IN A		10.0.15.39
+4000.example.		5M IN A		10.0.15.40
+4000.example.		5M IN A		10.0.15.41
+4000.example.		5M IN A		10.0.15.42
+4000.example.		5M IN A		10.0.15.43
+4000.example.		5M IN A		10.0.15.44
+4000.example.		5M IN A		10.0.15.45
+4000.example.		5M IN A		10.0.15.46
+4000.example.		5M IN A		10.0.15.47
+4000.example.		5M IN A		10.0.15.48
+4000.example.		5M IN A		10.0.15.49
+4000.example.		5M IN A		10.0.15.50
+4000.example.		5M IN A		10.0.15.51
+4000.example.		5M IN A		10.0.15.52
+4000.example.		5M IN A		10.0.15.53
+4000.example.		5M IN A		10.0.15.54
+4000.example.		5M IN A		10.0.15.55
+4000.example.		5M IN A		10.0.15.56
+4000.example.		5M IN A		10.0.15.57
+4000.example.		5M IN A		10.0.15.58
+4000.example.		5M IN A		10.0.15.59
+4000.example.		5M IN A		10.0.15.60
+4000.example.		5M IN A		10.0.15.61
+4000.example.		5M IN A		10.0.15.62
+4000.example.		5M IN A		10.0.15.63
+4000.example.		5M IN A		10.0.15.64
+4000.example.		5M IN A		10.0.15.65
+4000.example.		5M IN A		10.0.15.66
+4000.example.		5M IN A		10.0.15.67
+4000.example.		5M IN A		10.0.15.68
+4000.example.		5M IN A		10.0.15.69
+4000.example.		5M IN A		10.0.15.70
+4000.example.		5M IN A		10.0.15.71
+4000.example.		5M IN A		10.0.15.72
+4000.example.		5M IN A		10.0.15.73
+4000.example.		5M IN A		10.0.15.74
+4000.example.		5M IN A		10.0.15.75
+4000.example.		5M IN A		10.0.15.76
+4000.example.		5M IN A		10.0.15.77
+4000.example.		5M IN A		10.0.15.78
+4000.example.		5M IN A		10.0.15.79
+4000.example.		5M IN A		10.0.15.80
+4000.example.		5M IN A		10.0.15.81
+4000.example.		5M IN A		10.0.15.82
+4000.example.		5M IN A		10.0.15.83
+4000.example.		5M IN A		10.0.15.84
+4000.example.		5M IN A		10.0.15.85
+4000.example.		5M IN A		10.0.15.86
+4000.example.		5M IN A		10.0.15.87
+4000.example.		5M IN A		10.0.15.88
+4000.example.		5M IN A		10.0.15.89
+4000.example.		5M IN A		10.0.15.90
+4000.example.		5M IN A		10.0.15.91
+4000.example.		5M IN A		10.0.15.92
+4000.example.		5M IN A		10.0.15.93
+4000.example.		5M IN A		10.0.15.94
+4000.example.		5M IN A		10.0.15.95
+4000.example.		5M IN A		10.0.15.96
+4000.example.		5M IN A		10.0.15.97
+4000.example.		5M IN A		10.0.15.98
+4000.example.		5M IN A		10.0.15.99
+4000.example.		5M IN A		10.0.15.100
+4000.example.		5M IN A		10.0.15.101
+4000.example.		5M IN A		10.0.15.102
+4000.example.		5M IN A		10.0.15.103
+4000.example.		5M IN A		10.0.15.104
+4000.example.		5M IN A		10.0.15.105
+4000.example.		5M IN A		10.0.15.106
+4000.example.		5M IN A		10.0.15.107
+4000.example.		5M IN A		10.0.15.108
+4000.example.		5M IN A		10.0.15.109
+4000.example.		5M IN A		10.0.15.110
+4000.example.		5M IN A		10.0.15.111
+4000.example.		5M IN A		10.0.15.112
+4000.example.		5M IN A		10.0.15.113
+4000.example.		5M IN A		10.0.15.114
+4000.example.		5M IN A		10.0.15.115
+4000.example.		5M IN A		10.0.15.116
+4000.example.		5M IN A		10.0.15.117
+4000.example.		5M IN A		10.0.15.118
+4000.example.		5M IN A		10.0.15.119
+4000.example.		5M IN A		10.0.15.120
+4000.example.		5M IN A		10.0.15.121
+4000.example.		5M IN A		10.0.15.122
+4000.example.		5M IN A		10.0.15.123
+4000.example.		5M IN A		10.0.15.124
+4000.example.		5M IN A		10.0.15.125
+4000.example.		5M IN A		10.0.15.126
+4000.example.		5M IN A		10.0.15.127
+4000.example.		5M IN A		10.0.15.128
+4000.example.		5M IN A		10.0.15.129
+4000.example.		5M IN A		10.0.15.130
+4000.example.		5M IN A		10.0.15.131
+4000.example.		5M IN A		10.0.15.132
+4000.example.		5M IN A		10.0.15.133
+4000.example.		5M IN A		10.0.15.134
+4000.example.		5M IN A		10.0.15.135
+4000.example.		5M IN A		10.0.15.136
+4000.example.		5M IN A		10.0.15.137
+4000.example.		5M IN A		10.0.15.138
+4000.example.		5M IN A		10.0.15.139
+4000.example.		5M IN A		10.0.15.140
+4000.example.		5M IN A		10.0.15.141
+4000.example.		5M IN A		10.0.15.142
+4000.example.		5M IN A		10.0.15.143
+4000.example.		5M IN A		10.0.15.144
+4000.example.		5M IN A		10.0.15.145
+4000.example.		5M IN A		10.0.15.146
+4000.example.		5M IN A		10.0.15.147
+4000.example.		5M IN A		10.0.15.148
+4000.example.		5M IN A		10.0.15.149
+4000.example.		5M IN A		10.0.15.150
+4000.example.		5M IN A		10.0.15.151
+4000.example.		5M IN A		10.0.15.152
+4000.example.		5M IN A		10.0.15.153
+4000.example.		5M IN A		10.0.15.154
+4000.example.		5M IN A		10.0.15.155
+4000.example.		5M IN A		10.0.15.156
+4000.example.		5M IN A		10.0.15.157
+4000.example.		5M IN A		10.0.15.158
+4000.example.		5M IN A		10.0.15.159
+
+;; AUTHORITY SECTION:
+example.		5M IN NS	ns1.example.
+
+;; ADDITIONAL SECTION:
+ns1.example.		5M IN A		10.53.0.1
+
+;; Total query time: 279 msec
+;; FROM: draco to SERVER: 10.53.0.1
+;; WHEN: Fri Jun 23 12:58:20 2000
+;; MSG SIZE  sent: 30  rcvd: 64068
+
diff --git a/bin/tests/system/limits/knowngood.dig.out.a-maximum-rrset b/bin/tests/system/limits/knowngood.dig.out.a-maximum-rrset
new file mode 100644
index 0000000..1688e83
--- /dev/null
+++ b/bin/tests/system/limits/knowngood.dig.out.a-maximum-rrset
@@ -0,0 +1,4114 @@
+
+; <<>> DiG 8.2 <<>> a-maximum-rrset.example. @10.53.0.1 a -p
+; (1 server found)
+;; res options: init recurs defnam dnsrch
+;; got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
+;; flags: qr aa rd ad; QUERY: 1, ANSWER: 4091, AUTHORITY: 1, ADDITIONAL: 1
+;; QUERY SECTION:
+;;	a-maximum-rrset.example, type = A, class = IN
+
+;; ANSWER SECTION:
+a-maximum-rrset.example.  5M IN A  10.0.0.0
+a-maximum-rrset.example.  5M IN A  10.0.0.1
+a-maximum-rrset.example.  5M IN A  10.0.0.2
+a-maximum-rrset.example.  5M IN A  10.0.0.3
+a-maximum-rrset.example.  5M IN A  10.0.0.4
+a-maximum-rrset.example.  5M IN A  10.0.0.5
+a-maximum-rrset.example.  5M IN A  10.0.0.6
+a-maximum-rrset.example.  5M IN A  10.0.0.7
+a-maximum-rrset.example.  5M IN A  10.0.0.8
+a-maximum-rrset.example.  5M IN A  10.0.0.9
+a-maximum-rrset.example.  5M IN A  10.0.0.10
+a-maximum-rrset.example.  5M IN A  10.0.0.11
+a-maximum-rrset.example.  5M IN A  10.0.0.12
+a-maximum-rrset.example.  5M IN A  10.0.0.13
+a-maximum-rrset.example.  5M IN A  10.0.0.14
+a-maximum-rrset.example.  5M IN A  10.0.0.15
+a-maximum-rrset.example.  5M IN A  10.0.0.16
+a-maximum-rrset.example.  5M IN A  10.0.0.17
+a-maximum-rrset.example.  5M IN A  10.0.0.18
+a-maximum-rrset.example.  5M IN A  10.0.0.19
+a-maximum-rrset.example.  5M IN A  10.0.0.20
+a-maximum-rrset.example.  5M IN A  10.0.0.21
+a-maximum-rrset.example.  5M IN A  10.0.0.22
+a-maximum-rrset.example.  5M IN A  10.0.0.23
+a-maximum-rrset.example.  5M IN A  10.0.0.24
+a-maximum-rrset.example.  5M IN A  10.0.0.25
+a-maximum-rrset.example.  5M IN A  10.0.0.26
+a-maximum-rrset.example.  5M IN A  10.0.0.27
+a-maximum-rrset.example.  5M IN A  10.0.0.28
+a-maximum-rrset.example.  5M IN A  10.0.0.29
+a-maximum-rrset.example.  5M IN A  10.0.0.30
+a-maximum-rrset.example.  5M IN A  10.0.0.31
+a-maximum-rrset.example.  5M IN A  10.0.0.32
+a-maximum-rrset.example.  5M IN A  10.0.0.33
+a-maximum-rrset.example.  5M IN A  10.0.0.34
+a-maximum-rrset.example.  5M IN A  10.0.0.35
+a-maximum-rrset.example.  5M IN A  10.0.0.36
+a-maximum-rrset.example.  5M IN A  10.0.0.37
+a-maximum-rrset.example.  5M IN A  10.0.0.38
+a-maximum-rrset.example.  5M IN A  10.0.0.39
+a-maximum-rrset.example.  5M IN A  10.0.0.40
+a-maximum-rrset.example.  5M IN A  10.0.0.41
+a-maximum-rrset.example.  5M IN A  10.0.0.42
+a-maximum-rrset.example.  5M IN A  10.0.0.43
+a-maximum-rrset.example.  5M IN A  10.0.0.44
+a-maximum-rrset.example.  5M IN A  10.0.0.45
+a-maximum-rrset.example.  5M IN A  10.0.0.46
+a-maximum-rrset.example.  5M IN A  10.0.0.47
+a-maximum-rrset.example.  5M IN A  10.0.0.48
+a-maximum-rrset.example.  5M IN A  10.0.0.49
+a-maximum-rrset.example.  5M IN A  10.0.0.50
+a-maximum-rrset.example.  5M IN A  10.0.0.51
+a-maximum-rrset.example.  5M IN A  10.0.0.52
+a-maximum-rrset.example.  5M IN A  10.0.0.53
+a-maximum-rrset.example.  5M IN A  10.0.0.54
+a-maximum-rrset.example.  5M IN A  10.0.0.55
+a-maximum-rrset.example.  5M IN A  10.0.0.56
+a-maximum-rrset.example.  5M IN A  10.0.0.57
+a-maximum-rrset.example.  5M IN A  10.0.0.58
+a-maximum-rrset.example.  5M IN A  10.0.0.59
+a-maximum-rrset.example.  5M IN A  10.0.0.60
+a-maximum-rrset.example.  5M IN A  10.0.0.61
+a-maximum-rrset.example.  5M IN A  10.0.0.62
+a-maximum-rrset.example.  5M IN A  10.0.0.63
+a-maximum-rrset.example.  5M IN A  10.0.0.64
+a-maximum-rrset.example.  5M IN A  10.0.0.65
+a-maximum-rrset.example.  5M IN A  10.0.0.66
+a-maximum-rrset.example.  5M IN A  10.0.0.67
+a-maximum-rrset.example.  5M IN A  10.0.0.68
+a-maximum-rrset.example.  5M IN A  10.0.0.69
+a-maximum-rrset.example.  5M IN A  10.0.0.70
+a-maximum-rrset.example.  5M IN A  10.0.0.71
+a-maximum-rrset.example.  5M IN A  10.0.0.72
+a-maximum-rrset.example.  5M IN A  10.0.0.73
+a-maximum-rrset.example.  5M IN A  10.0.0.74
+a-maximum-rrset.example.  5M IN A  10.0.0.75
+a-maximum-rrset.example.  5M IN A  10.0.0.76
+a-maximum-rrset.example.  5M IN A  10.0.0.77
+a-maximum-rrset.example.  5M IN A  10.0.0.78
+a-maximum-rrset.example.  5M IN A  10.0.0.79
+a-maximum-rrset.example.  5M IN A  10.0.0.80
+a-maximum-rrset.example.  5M IN A  10.0.0.81
+a-maximum-rrset.example.  5M IN A  10.0.0.82
+a-maximum-rrset.example.  5M IN A  10.0.0.83
+a-maximum-rrset.example.  5M IN A  10.0.0.84
+a-maximum-rrset.example.  5M IN A  10.0.0.85
+a-maximum-rrset.example.  5M IN A  10.0.0.86
+a-maximum-rrset.example.  5M IN A  10.0.0.87
+a-maximum-rrset.example.  5M IN A  10.0.0.88
+a-maximum-rrset.example.  5M IN A  10.0.0.89
+a-maximum-rrset.example.  5M IN A  10.0.0.90
+a-maximum-rrset.example.  5M IN A  10.0.0.91
+a-maximum-rrset.example.  5M IN A  10.0.0.92
+a-maximum-rrset.example.  5M IN A  10.0.0.93
+a-maximum-rrset.example.  5M IN A  10.0.0.94
+a-maximum-rrset.example.  5M IN A  10.0.0.95
+a-maximum-rrset.example.  5M IN A  10.0.0.96
+a-maximum-rrset.example.  5M IN A  10.0.0.97
+a-maximum-rrset.example.  5M IN A  10.0.0.98
+a-maximum-rrset.example.  5M IN A  10.0.0.99
+a-maximum-rrset.example.  5M IN A  10.0.0.100
+a-maximum-rrset.example.  5M IN A  10.0.0.101
+a-maximum-rrset.example.  5M IN A  10.0.0.102
+a-maximum-rrset.example.  5M IN A  10.0.0.103
+a-maximum-rrset.example.  5M IN A  10.0.0.104
+a-maximum-rrset.example.  5M IN A  10.0.0.105
+a-maximum-rrset.example.  5M IN A  10.0.0.106
+a-maximum-rrset.example.  5M IN A  10.0.0.107
+a-maximum-rrset.example.  5M IN A  10.0.0.108
+a-maximum-rrset.example.  5M IN A  10.0.0.109
+a-maximum-rrset.example.  5M IN A  10.0.0.110
+a-maximum-rrset.example.  5M IN A  10.0.0.111
+a-maximum-rrset.example.  5M IN A  10.0.0.112
+a-maximum-rrset.example.  5M IN A  10.0.0.113
+a-maximum-rrset.example.  5M IN A  10.0.0.114
+a-maximum-rrset.example.  5M IN A  10.0.0.115
+a-maximum-rrset.example.  5M IN A  10.0.0.116
+a-maximum-rrset.example.  5M IN A  10.0.0.117
+a-maximum-rrset.example.  5M IN A  10.0.0.118
+a-maximum-rrset.example.  5M IN A  10.0.0.119
+a-maximum-rrset.example.  5M IN A  10.0.0.120
+a-maximum-rrset.example.  5M IN A  10.0.0.121
+a-maximum-rrset.example.  5M IN A  10.0.0.122
+a-maximum-rrset.example.  5M IN A  10.0.0.123
+a-maximum-rrset.example.  5M IN A  10.0.0.124
+a-maximum-rrset.example.  5M IN A  10.0.0.125
+a-maximum-rrset.example.  5M IN A  10.0.0.126
+a-maximum-rrset.example.  5M IN A  10.0.0.127
+a-maximum-rrset.example.  5M IN A  10.0.0.128
+a-maximum-rrset.example.  5M IN A  10.0.0.129
+a-maximum-rrset.example.  5M IN A  10.0.0.130
+a-maximum-rrset.example.  5M IN A  10.0.0.131
+a-maximum-rrset.example.  5M IN A  10.0.0.132
+a-maximum-rrset.example.  5M IN A  10.0.0.133
+a-maximum-rrset.example.  5M IN A  10.0.0.134
+a-maximum-rrset.example.  5M IN A  10.0.0.135
+a-maximum-rrset.example.  5M IN A  10.0.0.136
+a-maximum-rrset.example.  5M IN A  10.0.0.137
+a-maximum-rrset.example.  5M IN A  10.0.0.138
+a-maximum-rrset.example.  5M IN A  10.0.0.139
+a-maximum-rrset.example.  5M IN A  10.0.0.140
+a-maximum-rrset.example.  5M IN A  10.0.0.141
+a-maximum-rrset.example.  5M IN A  10.0.0.142
+a-maximum-rrset.example.  5M IN A  10.0.0.143
+a-maximum-rrset.example.  5M IN A  10.0.0.144
+a-maximum-rrset.example.  5M IN A  10.0.0.145
+a-maximum-rrset.example.  5M IN A  10.0.0.146
+a-maximum-rrset.example.  5M IN A  10.0.0.147
+a-maximum-rrset.example.  5M IN A  10.0.0.148
+a-maximum-rrset.example.  5M IN A  10.0.0.149
+a-maximum-rrset.example.  5M IN A  10.0.0.150
+a-maximum-rrset.example.  5M IN A  10.0.0.151
+a-maximum-rrset.example.  5M IN A  10.0.0.152
+a-maximum-rrset.example.  5M IN A  10.0.0.153
+a-maximum-rrset.example.  5M IN A  10.0.0.154
+a-maximum-rrset.example.  5M IN A  10.0.0.155
+a-maximum-rrset.example.  5M IN A  10.0.0.156
+a-maximum-rrset.example.  5M IN A  10.0.0.157
+a-maximum-rrset.example.  5M IN A  10.0.0.158
+a-maximum-rrset.example.  5M IN A  10.0.0.159
+a-maximum-rrset.example.  5M IN A  10.0.0.160
+a-maximum-rrset.example.  5M IN A  10.0.0.161
+a-maximum-rrset.example.  5M IN A  10.0.0.162
+a-maximum-rrset.example.  5M IN A  10.0.0.163
+a-maximum-rrset.example.  5M IN A  10.0.0.164
+a-maximum-rrset.example.  5M IN A  10.0.0.165
+a-maximum-rrset.example.  5M IN A  10.0.0.166
+a-maximum-rrset.example.  5M IN A  10.0.0.167
+a-maximum-rrset.example.  5M IN A  10.0.0.168
+a-maximum-rrset.example.  5M IN A  10.0.0.169
+a-maximum-rrset.example.  5M IN A  10.0.0.170
+a-maximum-rrset.example.  5M IN A  10.0.0.171
+a-maximum-rrset.example.  5M IN A  10.0.0.172
+a-maximum-rrset.example.  5M IN A  10.0.0.173
+a-maximum-rrset.example.  5M IN A  10.0.0.174
+a-maximum-rrset.example.  5M IN A  10.0.0.175
+a-maximum-rrset.example.  5M IN A  10.0.0.176
+a-maximum-rrset.example.  5M IN A  10.0.0.177
+a-maximum-rrset.example.  5M IN A  10.0.0.178
+a-maximum-rrset.example.  5M IN A  10.0.0.179
+a-maximum-rrset.example.  5M IN A  10.0.0.180
+a-maximum-rrset.example.  5M IN A  10.0.0.181
+a-maximum-rrset.example.  5M IN A  10.0.0.182
+a-maximum-rrset.example.  5M IN A  10.0.0.183
+a-maximum-rrset.example.  5M IN A  10.0.0.184
+a-maximum-rrset.example.  5M IN A  10.0.0.185
+a-maximum-rrset.example.  5M IN A  10.0.0.186
+a-maximum-rrset.example.  5M IN A  10.0.0.187
+a-maximum-rrset.example.  5M IN A  10.0.0.188
+a-maximum-rrset.example.  5M IN A  10.0.0.189
+a-maximum-rrset.example.  5M IN A  10.0.0.190
+a-maximum-rrset.example.  5M IN A  10.0.0.191
+a-maximum-rrset.example.  5M IN A  10.0.0.192
+a-maximum-rrset.example.  5M IN A  10.0.0.193
+a-maximum-rrset.example.  5M IN A  10.0.0.194
+a-maximum-rrset.example.  5M IN A  10.0.0.195
+a-maximum-rrset.example.  5M IN A  10.0.0.196
+a-maximum-rrset.example.  5M IN A  10.0.0.197
+a-maximum-rrset.example.  5M IN A  10.0.0.198
+a-maximum-rrset.example.  5M IN A  10.0.0.199
+a-maximum-rrset.example.  5M IN A  10.0.0.200
+a-maximum-rrset.example.  5M IN A  10.0.0.201
+a-maximum-rrset.example.  5M IN A  10.0.0.202
+a-maximum-rrset.example.  5M IN A  10.0.0.203
+a-maximum-rrset.example.  5M IN A  10.0.0.204
+a-maximum-rrset.example.  5M IN A  10.0.0.205
+a-maximum-rrset.example.  5M IN A  10.0.0.206
+a-maximum-rrset.example.  5M IN A  10.0.0.207
+a-maximum-rrset.example.  5M IN A  10.0.0.208
+a-maximum-rrset.example.  5M IN A  10.0.0.209
+a-maximum-rrset.example.  5M IN A  10.0.0.210
+a-maximum-rrset.example.  5M IN A  10.0.0.211
+a-maximum-rrset.example.  5M IN A  10.0.0.212
+a-maximum-rrset.example.  5M IN A  10.0.0.213
+a-maximum-rrset.example.  5M IN A  10.0.0.214
+a-maximum-rrset.example.  5M IN A  10.0.0.215
+a-maximum-rrset.example.  5M IN A  10.0.0.216
+a-maximum-rrset.example.  5M IN A  10.0.0.217
+a-maximum-rrset.example.  5M IN A  10.0.0.218
+a-maximum-rrset.example.  5M IN A  10.0.0.219
+a-maximum-rrset.example.  5M IN A  10.0.0.220
+a-maximum-rrset.example.  5M IN A  10.0.0.221
+a-maximum-rrset.example.  5M IN A  10.0.0.222
+a-maximum-rrset.example.  5M IN A  10.0.0.223
+a-maximum-rrset.example.  5M IN A  10.0.0.224
+a-maximum-rrset.example.  5M IN A  10.0.0.225
+a-maximum-rrset.example.  5M IN A  10.0.0.226
+a-maximum-rrset.example.  5M IN A  10.0.0.227
+a-maximum-rrset.example.  5M IN A  10.0.0.228
+a-maximum-rrset.example.  5M IN A  10.0.0.229
+a-maximum-rrset.example.  5M IN A  10.0.0.230
+a-maximum-rrset.example.  5M IN A  10.0.0.231
+a-maximum-rrset.example.  5M IN A  10.0.0.232
+a-maximum-rrset.example.  5M IN A  10.0.0.233
+a-maximum-rrset.example.  5M IN A  10.0.0.234
+a-maximum-rrset.example.  5M IN A  10.0.0.235
+a-maximum-rrset.example.  5M IN A  10.0.0.236
+a-maximum-rrset.example.  5M IN A  10.0.0.237
+a-maximum-rrset.example.  5M IN A  10.0.0.238
+a-maximum-rrset.example.  5M IN A  10.0.0.239
+a-maximum-rrset.example.  5M IN A  10.0.0.240
+a-maximum-rrset.example.  5M IN A  10.0.0.241
+a-maximum-rrset.example.  5M IN A  10.0.0.242
+a-maximum-rrset.example.  5M IN A  10.0.0.243
+a-maximum-rrset.example.  5M IN A  10.0.0.244
+a-maximum-rrset.example.  5M IN A  10.0.0.245
+a-maximum-rrset.example.  5M IN A  10.0.0.246
+a-maximum-rrset.example.  5M IN A  10.0.0.247
+a-maximum-rrset.example.  5M IN A  10.0.0.248
+a-maximum-rrset.example.  5M IN A  10.0.0.249
+a-maximum-rrset.example.  5M IN A  10.0.0.250
+a-maximum-rrset.example.  5M IN A  10.0.0.251
+a-maximum-rrset.example.  5M IN A  10.0.0.252
+a-maximum-rrset.example.  5M IN A  10.0.0.253
+a-maximum-rrset.example.  5M IN A  10.0.0.254
+a-maximum-rrset.example.  5M IN A  10.0.0.255
+a-maximum-rrset.example.  5M IN A  10.0.1.0
+a-maximum-rrset.example.  5M IN A  10.0.1.1
+a-maximum-rrset.example.  5M IN A  10.0.1.2
+a-maximum-rrset.example.  5M IN A  10.0.1.3
+a-maximum-rrset.example.  5M IN A  10.0.1.4
+a-maximum-rrset.example.  5M IN A  10.0.1.5
+a-maximum-rrset.example.  5M IN A  10.0.1.6
+a-maximum-rrset.example.  5M IN A  10.0.1.7
+a-maximum-rrset.example.  5M IN A  10.0.1.8
+a-maximum-rrset.example.  5M IN A  10.0.1.9
+a-maximum-rrset.example.  5M IN A  10.0.1.10
+a-maximum-rrset.example.  5M IN A  10.0.1.11
+a-maximum-rrset.example.  5M IN A  10.0.1.12
+a-maximum-rrset.example.  5M IN A  10.0.1.13
+a-maximum-rrset.example.  5M IN A  10.0.1.14
+a-maximum-rrset.example.  5M IN A  10.0.1.15
+a-maximum-rrset.example.  5M IN A  10.0.1.16
+a-maximum-rrset.example.  5M IN A  10.0.1.17
+a-maximum-rrset.example.  5M IN A  10.0.1.18
+a-maximum-rrset.example.  5M IN A  10.0.1.19
+a-maximum-rrset.example.  5M IN A  10.0.1.20
+a-maximum-rrset.example.  5M IN A  10.0.1.21
+a-maximum-rrset.example.  5M IN A  10.0.1.22
+a-maximum-rrset.example.  5M IN A  10.0.1.23
+a-maximum-rrset.example.  5M IN A  10.0.1.24
+a-maximum-rrset.example.  5M IN A  10.0.1.25
+a-maximum-rrset.example.  5M IN A  10.0.1.26
+a-maximum-rrset.example.  5M IN A  10.0.1.27
+a-maximum-rrset.example.  5M IN A  10.0.1.28
+a-maximum-rrset.example.  5M IN A  10.0.1.29
+a-maximum-rrset.example.  5M IN A  10.0.1.30
+a-maximum-rrset.example.  5M IN A  10.0.1.31
+a-maximum-rrset.example.  5M IN A  10.0.1.32
+a-maximum-rrset.example.  5M IN A  10.0.1.33
+a-maximum-rrset.example.  5M IN A  10.0.1.34
+a-maximum-rrset.example.  5M IN A  10.0.1.35
+a-maximum-rrset.example.  5M IN A  10.0.1.36
+a-maximum-rrset.example.  5M IN A  10.0.1.37
+a-maximum-rrset.example.  5M IN A  10.0.1.38
+a-maximum-rrset.example.  5M IN A  10.0.1.39
+a-maximum-rrset.example.  5M IN A  10.0.1.40
+a-maximum-rrset.example.  5M IN A  10.0.1.41
+a-maximum-rrset.example.  5M IN A  10.0.1.42
+a-maximum-rrset.example.  5M IN A  10.0.1.43
+a-maximum-rrset.example.  5M IN A  10.0.1.44
+a-maximum-rrset.example.  5M IN A  10.0.1.45
+a-maximum-rrset.example.  5M IN A  10.0.1.46
+a-maximum-rrset.example.  5M IN A  10.0.1.47
+a-maximum-rrset.example.  5M IN A  10.0.1.48
+a-maximum-rrset.example.  5M IN A  10.0.1.49
+a-maximum-rrset.example.  5M IN A  10.0.1.50
+a-maximum-rrset.example.  5M IN A  10.0.1.51
+a-maximum-rrset.example.  5M IN A  10.0.1.52
+a-maximum-rrset.example.  5M IN A  10.0.1.53
+a-maximum-rrset.example.  5M IN A  10.0.1.54
+a-maximum-rrset.example.  5M IN A  10.0.1.55
+a-maximum-rrset.example.  5M IN A  10.0.1.56
+a-maximum-rrset.example.  5M IN A  10.0.1.57
+a-maximum-rrset.example.  5M IN A  10.0.1.58
+a-maximum-rrset.example.  5M IN A  10.0.1.59
+a-maximum-rrset.example.  5M IN A  10.0.1.60
+a-maximum-rrset.example.  5M IN A  10.0.1.61
+a-maximum-rrset.example.  5M IN A  10.0.1.62
+a-maximum-rrset.example.  5M IN A  10.0.1.63
+a-maximum-rrset.example.  5M IN A  10.0.1.64
+a-maximum-rrset.example.  5M IN A  10.0.1.65
+a-maximum-rrset.example.  5M IN A  10.0.1.66
+a-maximum-rrset.example.  5M IN A  10.0.1.67
+a-maximum-rrset.example.  5M IN A  10.0.1.68
+a-maximum-rrset.example.  5M IN A  10.0.1.69
+a-maximum-rrset.example.  5M IN A  10.0.1.70
+a-maximum-rrset.example.  5M IN A  10.0.1.71
+a-maximum-rrset.example.  5M IN A  10.0.1.72
+a-maximum-rrset.example.  5M IN A  10.0.1.73
+a-maximum-rrset.example.  5M IN A  10.0.1.74
+a-maximum-rrset.example.  5M IN A  10.0.1.75
+a-maximum-rrset.example.  5M IN A  10.0.1.76
+a-maximum-rrset.example.  5M IN A  10.0.1.77
+a-maximum-rrset.example.  5M IN A  10.0.1.78
+a-maximum-rrset.example.  5M IN A  10.0.1.79
+a-maximum-rrset.example.  5M IN A  10.0.1.80
+a-maximum-rrset.example.  5M IN A  10.0.1.81
+a-maximum-rrset.example.  5M IN A  10.0.1.82
+a-maximum-rrset.example.  5M IN A  10.0.1.83
+a-maximum-rrset.example.  5M IN A  10.0.1.84
+a-maximum-rrset.example.  5M IN A  10.0.1.85
+a-maximum-rrset.example.  5M IN A  10.0.1.86
+a-maximum-rrset.example.  5M IN A  10.0.1.87
+a-maximum-rrset.example.  5M IN A  10.0.1.88
+a-maximum-rrset.example.  5M IN A  10.0.1.89
+a-maximum-rrset.example.  5M IN A  10.0.1.90
+a-maximum-rrset.example.  5M IN A  10.0.1.91
+a-maximum-rrset.example.  5M IN A  10.0.1.92
+a-maximum-rrset.example.  5M IN A  10.0.1.93
+a-maximum-rrset.example.  5M IN A  10.0.1.94
+a-maximum-rrset.example.  5M IN A  10.0.1.95
+a-maximum-rrset.example.  5M IN A  10.0.1.96
+a-maximum-rrset.example.  5M IN A  10.0.1.97
+a-maximum-rrset.example.  5M IN A  10.0.1.98
+a-maximum-rrset.example.  5M IN A  10.0.1.99
+a-maximum-rrset.example.  5M IN A  10.0.1.100
+a-maximum-rrset.example.  5M IN A  10.0.1.101
+a-maximum-rrset.example.  5M IN A  10.0.1.102
+a-maximum-rrset.example.  5M IN A  10.0.1.103
+a-maximum-rrset.example.  5M IN A  10.0.1.104
+a-maximum-rrset.example.  5M IN A  10.0.1.105
+a-maximum-rrset.example.  5M IN A  10.0.1.106
+a-maximum-rrset.example.  5M IN A  10.0.1.107
+a-maximum-rrset.example.  5M IN A  10.0.1.108
+a-maximum-rrset.example.  5M IN A  10.0.1.109
+a-maximum-rrset.example.  5M IN A  10.0.1.110
+a-maximum-rrset.example.  5M IN A  10.0.1.111
+a-maximum-rrset.example.  5M IN A  10.0.1.112
+a-maximum-rrset.example.  5M IN A  10.0.1.113
+a-maximum-rrset.example.  5M IN A  10.0.1.114
+a-maximum-rrset.example.  5M IN A  10.0.1.115
+a-maximum-rrset.example.  5M IN A  10.0.1.116
+a-maximum-rrset.example.  5M IN A  10.0.1.117
+a-maximum-rrset.example.  5M IN A  10.0.1.118
+a-maximum-rrset.example.  5M IN A  10.0.1.119
+a-maximum-rrset.example.  5M IN A  10.0.1.120
+a-maximum-rrset.example.  5M IN A  10.0.1.121
+a-maximum-rrset.example.  5M IN A  10.0.1.122
+a-maximum-rrset.example.  5M IN A  10.0.1.123
+a-maximum-rrset.example.  5M IN A  10.0.1.124
+a-maximum-rrset.example.  5M IN A  10.0.1.125
+a-maximum-rrset.example.  5M IN A  10.0.1.126
+a-maximum-rrset.example.  5M IN A  10.0.1.127
+a-maximum-rrset.example.  5M IN A  10.0.1.128
+a-maximum-rrset.example.  5M IN A  10.0.1.129
+a-maximum-rrset.example.  5M IN A  10.0.1.130
+a-maximum-rrset.example.  5M IN A  10.0.1.131
+a-maximum-rrset.example.  5M IN A  10.0.1.132
+a-maximum-rrset.example.  5M IN A  10.0.1.133
+a-maximum-rrset.example.  5M IN A  10.0.1.134
+a-maximum-rrset.example.  5M IN A  10.0.1.135
+a-maximum-rrset.example.  5M IN A  10.0.1.136
+a-maximum-rrset.example.  5M IN A  10.0.1.137
+a-maximum-rrset.example.  5M IN A  10.0.1.138
+a-maximum-rrset.example.  5M IN A  10.0.1.139
+a-maximum-rrset.example.  5M IN A  10.0.1.140
+a-maximum-rrset.example.  5M IN A  10.0.1.141
+a-maximum-rrset.example.  5M IN A  10.0.1.142
+a-maximum-rrset.example.  5M IN A  10.0.1.143
+a-maximum-rrset.example.  5M IN A  10.0.1.144
+a-maximum-rrset.example.  5M IN A  10.0.1.145
+a-maximum-rrset.example.  5M IN A  10.0.1.146
+a-maximum-rrset.example.  5M IN A  10.0.1.147
+a-maximum-rrset.example.  5M IN A  10.0.1.148
+a-maximum-rrset.example.  5M IN A  10.0.1.149
+a-maximum-rrset.example.  5M IN A  10.0.1.150
+a-maximum-rrset.example.  5M IN A  10.0.1.151
+a-maximum-rrset.example.  5M IN A  10.0.1.152
+a-maximum-rrset.example.  5M IN A  10.0.1.153
+a-maximum-rrset.example.  5M IN A  10.0.1.154
+a-maximum-rrset.example.  5M IN A  10.0.1.155
+a-maximum-rrset.example.  5M IN A  10.0.1.156
+a-maximum-rrset.example.  5M IN A  10.0.1.157
+a-maximum-rrset.example.  5M IN A  10.0.1.158
+a-maximum-rrset.example.  5M IN A  10.0.1.159
+a-maximum-rrset.example.  5M IN A  10.0.1.160
+a-maximum-rrset.example.  5M IN A  10.0.1.161
+a-maximum-rrset.example.  5M IN A  10.0.1.162
+a-maximum-rrset.example.  5M IN A  10.0.1.163
+a-maximum-rrset.example.  5M IN A  10.0.1.164
+a-maximum-rrset.example.  5M IN A  10.0.1.165
+a-maximum-rrset.example.  5M IN A  10.0.1.166
+a-maximum-rrset.example.  5M IN A  10.0.1.167
+a-maximum-rrset.example.  5M IN A  10.0.1.168
+a-maximum-rrset.example.  5M IN A  10.0.1.169
+a-maximum-rrset.example.  5M IN A  10.0.1.170
+a-maximum-rrset.example.  5M IN A  10.0.1.171
+a-maximum-rrset.example.  5M IN A  10.0.1.172
+a-maximum-rrset.example.  5M IN A  10.0.1.173
+a-maximum-rrset.example.  5M IN A  10.0.1.174
+a-maximum-rrset.example.  5M IN A  10.0.1.175
+a-maximum-rrset.example.  5M IN A  10.0.1.176
+a-maximum-rrset.example.  5M IN A  10.0.1.177
+a-maximum-rrset.example.  5M IN A  10.0.1.178
+a-maximum-rrset.example.  5M IN A  10.0.1.179
+a-maximum-rrset.example.  5M IN A  10.0.1.180
+a-maximum-rrset.example.  5M IN A  10.0.1.181
+a-maximum-rrset.example.  5M IN A  10.0.1.182
+a-maximum-rrset.example.  5M IN A  10.0.1.183
+a-maximum-rrset.example.  5M IN A  10.0.1.184
+a-maximum-rrset.example.  5M IN A  10.0.1.185
+a-maximum-rrset.example.  5M IN A  10.0.1.186
+a-maximum-rrset.example.  5M IN A  10.0.1.187
+a-maximum-rrset.example.  5M IN A  10.0.1.188
+a-maximum-rrset.example.  5M IN A  10.0.1.189
+a-maximum-rrset.example.  5M IN A  10.0.1.190
+a-maximum-rrset.example.  5M IN A  10.0.1.191
+a-maximum-rrset.example.  5M IN A  10.0.1.192
+a-maximum-rrset.example.  5M IN A  10.0.1.193
+a-maximum-rrset.example.  5M IN A  10.0.1.194
+a-maximum-rrset.example.  5M IN A  10.0.1.195
+a-maximum-rrset.example.  5M IN A  10.0.1.196
+a-maximum-rrset.example.  5M IN A  10.0.1.197
+a-maximum-rrset.example.  5M IN A  10.0.1.198
+a-maximum-rrset.example.  5M IN A  10.0.1.199
+a-maximum-rrset.example.  5M IN A  10.0.1.200
+a-maximum-rrset.example.  5M IN A  10.0.1.201
+a-maximum-rrset.example.  5M IN A  10.0.1.202
+a-maximum-rrset.example.  5M IN A  10.0.1.203
+a-maximum-rrset.example.  5M IN A  10.0.1.204
+a-maximum-rrset.example.  5M IN A  10.0.1.205
+a-maximum-rrset.example.  5M IN A  10.0.1.206
+a-maximum-rrset.example.  5M IN A  10.0.1.207
+a-maximum-rrset.example.  5M IN A  10.0.1.208
+a-maximum-rrset.example.  5M IN A  10.0.1.209
+a-maximum-rrset.example.  5M IN A  10.0.1.210
+a-maximum-rrset.example.  5M IN A  10.0.1.211
+a-maximum-rrset.example.  5M IN A  10.0.1.212
+a-maximum-rrset.example.  5M IN A  10.0.1.213
+a-maximum-rrset.example.  5M IN A  10.0.1.214
+a-maximum-rrset.example.  5M IN A  10.0.1.215
+a-maximum-rrset.example.  5M IN A  10.0.1.216
+a-maximum-rrset.example.  5M IN A  10.0.1.217
+a-maximum-rrset.example.  5M IN A  10.0.1.218
+a-maximum-rrset.example.  5M IN A  10.0.1.219
+a-maximum-rrset.example.  5M IN A  10.0.1.220
+a-maximum-rrset.example.  5M IN A  10.0.1.221
+a-maximum-rrset.example.  5M IN A  10.0.1.222
+a-maximum-rrset.example.  5M IN A  10.0.1.223
+a-maximum-rrset.example.  5M IN A  10.0.1.224
+a-maximum-rrset.example.  5M IN A  10.0.1.225
+a-maximum-rrset.example.  5M IN A  10.0.1.226
+a-maximum-rrset.example.  5M IN A  10.0.1.227
+a-maximum-rrset.example.  5M IN A  10.0.1.228
+a-maximum-rrset.example.  5M IN A  10.0.1.229
+a-maximum-rrset.example.  5M IN A  10.0.1.230
+a-maximum-rrset.example.  5M IN A  10.0.1.231
+a-maximum-rrset.example.  5M IN A  10.0.1.232
+a-maximum-rrset.example.  5M IN A  10.0.1.233
+a-maximum-rrset.example.  5M IN A  10.0.1.234
+a-maximum-rrset.example.  5M IN A  10.0.1.235
+a-maximum-rrset.example.  5M IN A  10.0.1.236
+a-maximum-rrset.example.  5M IN A  10.0.1.237
+a-maximum-rrset.example.  5M IN A  10.0.1.238
+a-maximum-rrset.example.  5M IN A  10.0.1.239
+a-maximum-rrset.example.  5M IN A  10.0.1.240
+a-maximum-rrset.example.  5M IN A  10.0.1.241
+a-maximum-rrset.example.  5M IN A  10.0.1.242
+a-maximum-rrset.example.  5M IN A  10.0.1.243
+a-maximum-rrset.example.  5M IN A  10.0.1.244
+a-maximum-rrset.example.  5M IN A  10.0.1.245
+a-maximum-rrset.example.  5M IN A  10.0.1.246
+a-maximum-rrset.example.  5M IN A  10.0.1.247
+a-maximum-rrset.example.  5M IN A  10.0.1.248
+a-maximum-rrset.example.  5M IN A  10.0.1.249
+a-maximum-rrset.example.  5M IN A  10.0.1.250
+a-maximum-rrset.example.  5M IN A  10.0.1.251
+a-maximum-rrset.example.  5M IN A  10.0.1.252
+a-maximum-rrset.example.  5M IN A  10.0.1.253
+a-maximum-rrset.example.  5M IN A  10.0.1.254
+a-maximum-rrset.example.  5M IN A  10.0.1.255
+a-maximum-rrset.example.  5M IN A  10.0.2.0
+a-maximum-rrset.example.  5M IN A  10.0.2.1
+a-maximum-rrset.example.  5M IN A  10.0.2.2
+a-maximum-rrset.example.  5M IN A  10.0.2.3
+a-maximum-rrset.example.  5M IN A  10.0.2.4
+a-maximum-rrset.example.  5M IN A  10.0.2.5
+a-maximum-rrset.example.  5M IN A  10.0.2.6
+a-maximum-rrset.example.  5M IN A  10.0.2.7
+a-maximum-rrset.example.  5M IN A  10.0.2.8
+a-maximum-rrset.example.  5M IN A  10.0.2.9
+a-maximum-rrset.example.  5M IN A  10.0.2.10
+a-maximum-rrset.example.  5M IN A  10.0.2.11
+a-maximum-rrset.example.  5M IN A  10.0.2.12
+a-maximum-rrset.example.  5M IN A  10.0.2.13
+a-maximum-rrset.example.  5M IN A  10.0.2.14
+a-maximum-rrset.example.  5M IN A  10.0.2.15
+a-maximum-rrset.example.  5M IN A  10.0.2.16
+a-maximum-rrset.example.  5M IN A  10.0.2.17
+a-maximum-rrset.example.  5M IN A  10.0.2.18
+a-maximum-rrset.example.  5M IN A  10.0.2.19
+a-maximum-rrset.example.  5M IN A  10.0.2.20
+a-maximum-rrset.example.  5M IN A  10.0.2.21
+a-maximum-rrset.example.  5M IN A  10.0.2.22
+a-maximum-rrset.example.  5M IN A  10.0.2.23
+a-maximum-rrset.example.  5M IN A  10.0.2.24
+a-maximum-rrset.example.  5M IN A  10.0.2.25
+a-maximum-rrset.example.  5M IN A  10.0.2.26
+a-maximum-rrset.example.  5M IN A  10.0.2.27
+a-maximum-rrset.example.  5M IN A  10.0.2.28
+a-maximum-rrset.example.  5M IN A  10.0.2.29
+a-maximum-rrset.example.  5M IN A  10.0.2.30
+a-maximum-rrset.example.  5M IN A  10.0.2.31
+a-maximum-rrset.example.  5M IN A  10.0.2.32
+a-maximum-rrset.example.  5M IN A  10.0.2.33
+a-maximum-rrset.example.  5M IN A  10.0.2.34
+a-maximum-rrset.example.  5M IN A  10.0.2.35
+a-maximum-rrset.example.  5M IN A  10.0.2.36
+a-maximum-rrset.example.  5M IN A  10.0.2.37
+a-maximum-rrset.example.  5M IN A  10.0.2.38
+a-maximum-rrset.example.  5M IN A  10.0.2.39
+a-maximum-rrset.example.  5M IN A  10.0.2.40
+a-maximum-rrset.example.  5M IN A  10.0.2.41
+a-maximum-rrset.example.  5M IN A  10.0.2.42
+a-maximum-rrset.example.  5M IN A  10.0.2.43
+a-maximum-rrset.example.  5M IN A  10.0.2.44
+a-maximum-rrset.example.  5M IN A  10.0.2.45
+a-maximum-rrset.example.  5M IN A  10.0.2.46
+a-maximum-rrset.example.  5M IN A  10.0.2.47
+a-maximum-rrset.example.  5M IN A  10.0.2.48
+a-maximum-rrset.example.  5M IN A  10.0.2.49
+a-maximum-rrset.example.  5M IN A  10.0.2.50
+a-maximum-rrset.example.  5M IN A  10.0.2.51
+a-maximum-rrset.example.  5M IN A  10.0.2.52
+a-maximum-rrset.example.  5M IN A  10.0.2.53
+a-maximum-rrset.example.  5M IN A  10.0.2.54
+a-maximum-rrset.example.  5M IN A  10.0.2.55
+a-maximum-rrset.example.  5M IN A  10.0.2.56
+a-maximum-rrset.example.  5M IN A  10.0.2.57
+a-maximum-rrset.example.  5M IN A  10.0.2.58
+a-maximum-rrset.example.  5M IN A  10.0.2.59
+a-maximum-rrset.example.  5M IN A  10.0.2.60
+a-maximum-rrset.example.  5M IN A  10.0.2.61
+a-maximum-rrset.example.  5M IN A  10.0.2.62
+a-maximum-rrset.example.  5M IN A  10.0.2.63
+a-maximum-rrset.example.  5M IN A  10.0.2.64
+a-maximum-rrset.example.  5M IN A  10.0.2.65
+a-maximum-rrset.example.  5M IN A  10.0.2.66
+a-maximum-rrset.example.  5M IN A  10.0.2.67
+a-maximum-rrset.example.  5M IN A  10.0.2.68
+a-maximum-rrset.example.  5M IN A  10.0.2.69
+a-maximum-rrset.example.  5M IN A  10.0.2.70
+a-maximum-rrset.example.  5M IN A  10.0.2.71
+a-maximum-rrset.example.  5M IN A  10.0.2.72
+a-maximum-rrset.example.  5M IN A  10.0.2.73
+a-maximum-rrset.example.  5M IN A  10.0.2.74
+a-maximum-rrset.example.  5M IN A  10.0.2.75
+a-maximum-rrset.example.  5M IN A  10.0.2.76
+a-maximum-rrset.example.  5M IN A  10.0.2.77
+a-maximum-rrset.example.  5M IN A  10.0.2.78
+a-maximum-rrset.example.  5M IN A  10.0.2.79
+a-maximum-rrset.example.  5M IN A  10.0.2.80
+a-maximum-rrset.example.  5M IN A  10.0.2.81
+a-maximum-rrset.example.  5M IN A  10.0.2.82
+a-maximum-rrset.example.  5M IN A  10.0.2.83
+a-maximum-rrset.example.  5M IN A  10.0.2.84
+a-maximum-rrset.example.  5M IN A  10.0.2.85
+a-maximum-rrset.example.  5M IN A  10.0.2.86
+a-maximum-rrset.example.  5M IN A  10.0.2.87
+a-maximum-rrset.example.  5M IN A  10.0.2.88
+a-maximum-rrset.example.  5M IN A  10.0.2.89
+a-maximum-rrset.example.  5M IN A  10.0.2.90
+a-maximum-rrset.example.  5M IN A  10.0.2.91
+a-maximum-rrset.example.  5M IN A  10.0.2.92
+a-maximum-rrset.example.  5M IN A  10.0.2.93
+a-maximum-rrset.example.  5M IN A  10.0.2.94
+a-maximum-rrset.example.  5M IN A  10.0.2.95
+a-maximum-rrset.example.  5M IN A  10.0.2.96
+a-maximum-rrset.example.  5M IN A  10.0.2.97
+a-maximum-rrset.example.  5M IN A  10.0.2.98
+a-maximum-rrset.example.  5M IN A  10.0.2.99
+a-maximum-rrset.example.  5M IN A  10.0.2.100
+a-maximum-rrset.example.  5M IN A  10.0.2.101
+a-maximum-rrset.example.  5M IN A  10.0.2.102
+a-maximum-rrset.example.  5M IN A  10.0.2.103
+a-maximum-rrset.example.  5M IN A  10.0.2.104
+a-maximum-rrset.example.  5M IN A  10.0.2.105
+a-maximum-rrset.example.  5M IN A  10.0.2.106
+a-maximum-rrset.example.  5M IN A  10.0.2.107
+a-maximum-rrset.example.  5M IN A  10.0.2.108
+a-maximum-rrset.example.  5M IN A  10.0.2.109
+a-maximum-rrset.example.  5M IN A  10.0.2.110
+a-maximum-rrset.example.  5M IN A  10.0.2.111
+a-maximum-rrset.example.  5M IN A  10.0.2.112
+a-maximum-rrset.example.  5M IN A  10.0.2.113
+a-maximum-rrset.example.  5M IN A  10.0.2.114
+a-maximum-rrset.example.  5M IN A  10.0.2.115
+a-maximum-rrset.example.  5M IN A  10.0.2.116
+a-maximum-rrset.example.  5M IN A  10.0.2.117
+a-maximum-rrset.example.  5M IN A  10.0.2.118
+a-maximum-rrset.example.  5M IN A  10.0.2.119
+a-maximum-rrset.example.  5M IN A  10.0.2.120
+a-maximum-rrset.example.  5M IN A  10.0.2.121
+a-maximum-rrset.example.  5M IN A  10.0.2.122
+a-maximum-rrset.example.  5M IN A  10.0.2.123
+a-maximum-rrset.example.  5M IN A  10.0.2.124
+a-maximum-rrset.example.  5M IN A  10.0.2.125
+a-maximum-rrset.example.  5M IN A  10.0.2.126
+a-maximum-rrset.example.  5M IN A  10.0.2.127
+a-maximum-rrset.example.  5M IN A  10.0.2.128
+a-maximum-rrset.example.  5M IN A  10.0.2.129
+a-maximum-rrset.example.  5M IN A  10.0.2.130
+a-maximum-rrset.example.  5M IN A  10.0.2.131
+a-maximum-rrset.example.  5M IN A  10.0.2.132
+a-maximum-rrset.example.  5M IN A  10.0.2.133
+a-maximum-rrset.example.  5M IN A  10.0.2.134
+a-maximum-rrset.example.  5M IN A  10.0.2.135
+a-maximum-rrset.example.  5M IN A  10.0.2.136
+a-maximum-rrset.example.  5M IN A  10.0.2.137
+a-maximum-rrset.example.  5M IN A  10.0.2.138
+a-maximum-rrset.example.  5M IN A  10.0.2.139
+a-maximum-rrset.example.  5M IN A  10.0.2.140
+a-maximum-rrset.example.  5M IN A  10.0.2.141
+a-maximum-rrset.example.  5M IN A  10.0.2.142
+a-maximum-rrset.example.  5M IN A  10.0.2.143
+a-maximum-rrset.example.  5M IN A  10.0.2.144
+a-maximum-rrset.example.  5M IN A  10.0.2.145
+a-maximum-rrset.example.  5M IN A  10.0.2.146
+a-maximum-rrset.example.  5M IN A  10.0.2.147
+a-maximum-rrset.example.  5M IN A  10.0.2.148
+a-maximum-rrset.example.  5M IN A  10.0.2.149
+a-maximum-rrset.example.  5M IN A  10.0.2.150
+a-maximum-rrset.example.  5M IN A  10.0.2.151
+a-maximum-rrset.example.  5M IN A  10.0.2.152
+a-maximum-rrset.example.  5M IN A  10.0.2.153
+a-maximum-rrset.example.  5M IN A  10.0.2.154
+a-maximum-rrset.example.  5M IN A  10.0.2.155
+a-maximum-rrset.example.  5M IN A  10.0.2.156
+a-maximum-rrset.example.  5M IN A  10.0.2.157
+a-maximum-rrset.example.  5M IN A  10.0.2.158
+a-maximum-rrset.example.  5M IN A  10.0.2.159
+a-maximum-rrset.example.  5M IN A  10.0.2.160
+a-maximum-rrset.example.  5M IN A  10.0.2.161
+a-maximum-rrset.example.  5M IN A  10.0.2.162
+a-maximum-rrset.example.  5M IN A  10.0.2.163
+a-maximum-rrset.example.  5M IN A  10.0.2.164
+a-maximum-rrset.example.  5M IN A  10.0.2.165
+a-maximum-rrset.example.  5M IN A  10.0.2.166
+a-maximum-rrset.example.  5M IN A  10.0.2.167
+a-maximum-rrset.example.  5M IN A  10.0.2.168
+a-maximum-rrset.example.  5M IN A  10.0.2.169
+a-maximum-rrset.example.  5M IN A  10.0.2.170
+a-maximum-rrset.example.  5M IN A  10.0.2.171
+a-maximum-rrset.example.  5M IN A  10.0.2.172
+a-maximum-rrset.example.  5M IN A  10.0.2.173
+a-maximum-rrset.example.  5M IN A  10.0.2.174
+a-maximum-rrset.example.  5M IN A  10.0.2.175
+a-maximum-rrset.example.  5M IN A  10.0.2.176
+a-maximum-rrset.example.  5M IN A  10.0.2.177
+a-maximum-rrset.example.  5M IN A  10.0.2.178
+a-maximum-rrset.example.  5M IN A  10.0.2.179
+a-maximum-rrset.example.  5M IN A  10.0.2.180
+a-maximum-rrset.example.  5M IN A  10.0.2.181
+a-maximum-rrset.example.  5M IN A  10.0.2.182
+a-maximum-rrset.example.  5M IN A  10.0.2.183
+a-maximum-rrset.example.  5M IN A  10.0.2.184
+a-maximum-rrset.example.  5M IN A  10.0.2.185
+a-maximum-rrset.example.  5M IN A  10.0.2.186
+a-maximum-rrset.example.  5M IN A  10.0.2.187
+a-maximum-rrset.example.  5M IN A  10.0.2.188
+a-maximum-rrset.example.  5M IN A  10.0.2.189
+a-maximum-rrset.example.  5M IN A  10.0.2.190
+a-maximum-rrset.example.  5M IN A  10.0.2.191
+a-maximum-rrset.example.  5M IN A  10.0.2.192
+a-maximum-rrset.example.  5M IN A  10.0.2.193
+a-maximum-rrset.example.  5M IN A  10.0.2.194
+a-maximum-rrset.example.  5M IN A  10.0.2.195
+a-maximum-rrset.example.  5M IN A  10.0.2.196
+a-maximum-rrset.example.  5M IN A  10.0.2.197
+a-maximum-rrset.example.  5M IN A  10.0.2.198
+a-maximum-rrset.example.  5M IN A  10.0.2.199
+a-maximum-rrset.example.  5M IN A  10.0.2.200
+a-maximum-rrset.example.  5M IN A  10.0.2.201
+a-maximum-rrset.example.  5M IN A  10.0.2.202
+a-maximum-rrset.example.  5M IN A  10.0.2.203
+a-maximum-rrset.example.  5M IN A  10.0.2.204
+a-maximum-rrset.example.  5M IN A  10.0.2.205
+a-maximum-rrset.example.  5M IN A  10.0.2.206
+a-maximum-rrset.example.  5M IN A  10.0.2.207
+a-maximum-rrset.example.  5M IN A  10.0.2.208
+a-maximum-rrset.example.  5M IN A  10.0.2.209
+a-maximum-rrset.example.  5M IN A  10.0.2.210
+a-maximum-rrset.example.  5M IN A  10.0.2.211
+a-maximum-rrset.example.  5M IN A  10.0.2.212
+a-maximum-rrset.example.  5M IN A  10.0.2.213
+a-maximum-rrset.example.  5M IN A  10.0.2.214
+a-maximum-rrset.example.  5M IN A  10.0.2.215
+a-maximum-rrset.example.  5M IN A  10.0.2.216
+a-maximum-rrset.example.  5M IN A  10.0.2.217
+a-maximum-rrset.example.  5M IN A  10.0.2.218
+a-maximum-rrset.example.  5M IN A  10.0.2.219
+a-maximum-rrset.example.  5M IN A  10.0.2.220
+a-maximum-rrset.example.  5M IN A  10.0.2.221
+a-maximum-rrset.example.  5M IN A  10.0.2.222
+a-maximum-rrset.example.  5M IN A  10.0.2.223
+a-maximum-rrset.example.  5M IN A  10.0.2.224
+a-maximum-rrset.example.  5M IN A  10.0.2.225
+a-maximum-rrset.example.  5M IN A  10.0.2.226
+a-maximum-rrset.example.  5M IN A  10.0.2.227
+a-maximum-rrset.example.  5M IN A  10.0.2.228
+a-maximum-rrset.example.  5M IN A  10.0.2.229
+a-maximum-rrset.example.  5M IN A  10.0.2.230
+a-maximum-rrset.example.  5M IN A  10.0.2.231
+a-maximum-rrset.example.  5M IN A  10.0.2.232
+a-maximum-rrset.example.  5M IN A  10.0.2.233
+a-maximum-rrset.example.  5M IN A  10.0.2.234
+a-maximum-rrset.example.  5M IN A  10.0.2.235
+a-maximum-rrset.example.  5M IN A  10.0.2.236
+a-maximum-rrset.example.  5M IN A  10.0.2.237
+a-maximum-rrset.example.  5M IN A  10.0.2.238
+a-maximum-rrset.example.  5M IN A  10.0.2.239
+a-maximum-rrset.example.  5M IN A  10.0.2.240
+a-maximum-rrset.example.  5M IN A  10.0.2.241
+a-maximum-rrset.example.  5M IN A  10.0.2.242
+a-maximum-rrset.example.  5M IN A  10.0.2.243
+a-maximum-rrset.example.  5M IN A  10.0.2.244
+a-maximum-rrset.example.  5M IN A  10.0.2.245
+a-maximum-rrset.example.  5M IN A  10.0.2.246
+a-maximum-rrset.example.  5M IN A  10.0.2.247
+a-maximum-rrset.example.  5M IN A  10.0.2.248
+a-maximum-rrset.example.  5M IN A  10.0.2.249
+a-maximum-rrset.example.  5M IN A  10.0.2.250
+a-maximum-rrset.example.  5M IN A  10.0.2.251
+a-maximum-rrset.example.  5M IN A  10.0.2.252
+a-maximum-rrset.example.  5M IN A  10.0.2.253
+a-maximum-rrset.example.  5M IN A  10.0.2.254
+a-maximum-rrset.example.  5M IN A  10.0.2.255
+a-maximum-rrset.example.  5M IN A  10.0.3.0
+a-maximum-rrset.example.  5M IN A  10.0.3.1
+a-maximum-rrset.example.  5M IN A  10.0.3.2
+a-maximum-rrset.example.  5M IN A  10.0.3.3
+a-maximum-rrset.example.  5M IN A  10.0.3.4
+a-maximum-rrset.example.  5M IN A  10.0.3.5
+a-maximum-rrset.example.  5M IN A  10.0.3.6
+a-maximum-rrset.example.  5M IN A  10.0.3.7
+a-maximum-rrset.example.  5M IN A  10.0.3.8
+a-maximum-rrset.example.  5M IN A  10.0.3.9
+a-maximum-rrset.example.  5M IN A  10.0.3.10
+a-maximum-rrset.example.  5M IN A  10.0.3.11
+a-maximum-rrset.example.  5M IN A  10.0.3.12
+a-maximum-rrset.example.  5M IN A  10.0.3.13
+a-maximum-rrset.example.  5M IN A  10.0.3.14
+a-maximum-rrset.example.  5M IN A  10.0.3.15
+a-maximum-rrset.example.  5M IN A  10.0.3.16
+a-maximum-rrset.example.  5M IN A  10.0.3.17
+a-maximum-rrset.example.  5M IN A  10.0.3.18
+a-maximum-rrset.example.  5M IN A  10.0.3.19
+a-maximum-rrset.example.  5M IN A  10.0.3.20
+a-maximum-rrset.example.  5M IN A  10.0.3.21
+a-maximum-rrset.example.  5M IN A  10.0.3.22
+a-maximum-rrset.example.  5M IN A  10.0.3.23
+a-maximum-rrset.example.  5M IN A  10.0.3.24
+a-maximum-rrset.example.  5M IN A  10.0.3.25
+a-maximum-rrset.example.  5M IN A  10.0.3.26
+a-maximum-rrset.example.  5M IN A  10.0.3.27
+a-maximum-rrset.example.  5M IN A  10.0.3.28
+a-maximum-rrset.example.  5M IN A  10.0.3.29
+a-maximum-rrset.example.  5M IN A  10.0.3.30
+a-maximum-rrset.example.  5M IN A  10.0.3.31
+a-maximum-rrset.example.  5M IN A  10.0.3.32
+a-maximum-rrset.example.  5M IN A  10.0.3.33
+a-maximum-rrset.example.  5M IN A  10.0.3.34
+a-maximum-rrset.example.  5M IN A  10.0.3.35
+a-maximum-rrset.example.  5M IN A  10.0.3.36
+a-maximum-rrset.example.  5M IN A  10.0.3.37
+a-maximum-rrset.example.  5M IN A  10.0.3.38
+a-maximum-rrset.example.  5M IN A  10.0.3.39
+a-maximum-rrset.example.  5M IN A  10.0.3.40
+a-maximum-rrset.example.  5M IN A  10.0.3.41
+a-maximum-rrset.example.  5M IN A  10.0.3.42
+a-maximum-rrset.example.  5M IN A  10.0.3.43
+a-maximum-rrset.example.  5M IN A  10.0.3.44
+a-maximum-rrset.example.  5M IN A  10.0.3.45
+a-maximum-rrset.example.  5M IN A  10.0.3.46
+a-maximum-rrset.example.  5M IN A  10.0.3.47
+a-maximum-rrset.example.  5M IN A  10.0.3.48
+a-maximum-rrset.example.  5M IN A  10.0.3.49
+a-maximum-rrset.example.  5M IN A  10.0.3.50
+a-maximum-rrset.example.  5M IN A  10.0.3.51
+a-maximum-rrset.example.  5M IN A  10.0.3.52
+a-maximum-rrset.example.  5M IN A  10.0.3.53
+a-maximum-rrset.example.  5M IN A  10.0.3.54
+a-maximum-rrset.example.  5M IN A  10.0.3.55
+a-maximum-rrset.example.  5M IN A  10.0.3.56
+a-maximum-rrset.example.  5M IN A  10.0.3.57
+a-maximum-rrset.example.  5M IN A  10.0.3.58
+a-maximum-rrset.example.  5M IN A  10.0.3.59
+a-maximum-rrset.example.  5M IN A  10.0.3.60
+a-maximum-rrset.example.  5M IN A  10.0.3.61
+a-maximum-rrset.example.  5M IN A  10.0.3.62
+a-maximum-rrset.example.  5M IN A  10.0.3.63
+a-maximum-rrset.example.  5M IN A  10.0.3.64
+a-maximum-rrset.example.  5M IN A  10.0.3.65
+a-maximum-rrset.example.  5M IN A  10.0.3.66
+a-maximum-rrset.example.  5M IN A  10.0.3.67
+a-maximum-rrset.example.  5M IN A  10.0.3.68
+a-maximum-rrset.example.  5M IN A  10.0.3.69
+a-maximum-rrset.example.  5M IN A  10.0.3.70
+a-maximum-rrset.example.  5M IN A  10.0.3.71
+a-maximum-rrset.example.  5M IN A  10.0.3.72
+a-maximum-rrset.example.  5M IN A  10.0.3.73
+a-maximum-rrset.example.  5M IN A  10.0.3.74
+a-maximum-rrset.example.  5M IN A  10.0.3.75
+a-maximum-rrset.example.  5M IN A  10.0.3.76
+a-maximum-rrset.example.  5M IN A  10.0.3.77
+a-maximum-rrset.example.  5M IN A  10.0.3.78
+a-maximum-rrset.example.  5M IN A  10.0.3.79
+a-maximum-rrset.example.  5M IN A  10.0.3.80
+a-maximum-rrset.example.  5M IN A  10.0.3.81
+a-maximum-rrset.example.  5M IN A  10.0.3.82
+a-maximum-rrset.example.  5M IN A  10.0.3.83
+a-maximum-rrset.example.  5M IN A  10.0.3.84
+a-maximum-rrset.example.  5M IN A  10.0.3.85
+a-maximum-rrset.example.  5M IN A  10.0.3.86
+a-maximum-rrset.example.  5M IN A  10.0.3.87
+a-maximum-rrset.example.  5M IN A  10.0.3.88
+a-maximum-rrset.example.  5M IN A  10.0.3.89
+a-maximum-rrset.example.  5M IN A  10.0.3.90
+a-maximum-rrset.example.  5M IN A  10.0.3.91
+a-maximum-rrset.example.  5M IN A  10.0.3.92
+a-maximum-rrset.example.  5M IN A  10.0.3.93
+a-maximum-rrset.example.  5M IN A  10.0.3.94
+a-maximum-rrset.example.  5M IN A  10.0.3.95
+a-maximum-rrset.example.  5M IN A  10.0.3.96
+a-maximum-rrset.example.  5M IN A  10.0.3.97
+a-maximum-rrset.example.  5M IN A  10.0.3.98
+a-maximum-rrset.example.  5M IN A  10.0.3.99
+a-maximum-rrset.example.  5M IN A  10.0.3.100
+a-maximum-rrset.example.  5M IN A  10.0.3.101
+a-maximum-rrset.example.  5M IN A  10.0.3.102
+a-maximum-rrset.example.  5M IN A  10.0.3.103
+a-maximum-rrset.example.  5M IN A  10.0.3.104
+a-maximum-rrset.example.  5M IN A  10.0.3.105
+a-maximum-rrset.example.  5M IN A  10.0.3.106
+a-maximum-rrset.example.  5M IN A  10.0.3.107
+a-maximum-rrset.example.  5M IN A  10.0.3.108
+a-maximum-rrset.example.  5M IN A  10.0.3.109
+a-maximum-rrset.example.  5M IN A  10.0.3.110
+a-maximum-rrset.example.  5M IN A  10.0.3.111
+a-maximum-rrset.example.  5M IN A  10.0.3.112
+a-maximum-rrset.example.  5M IN A  10.0.3.113
+a-maximum-rrset.example.  5M IN A  10.0.3.114
+a-maximum-rrset.example.  5M IN A  10.0.3.115
+a-maximum-rrset.example.  5M IN A  10.0.3.116
+a-maximum-rrset.example.  5M IN A  10.0.3.117
+a-maximum-rrset.example.  5M IN A  10.0.3.118
+a-maximum-rrset.example.  5M IN A  10.0.3.119
+a-maximum-rrset.example.  5M IN A  10.0.3.120
+a-maximum-rrset.example.  5M IN A  10.0.3.121
+a-maximum-rrset.example.  5M IN A  10.0.3.122
+a-maximum-rrset.example.  5M IN A  10.0.3.123
+a-maximum-rrset.example.  5M IN A  10.0.3.124
+a-maximum-rrset.example.  5M IN A  10.0.3.125
+a-maximum-rrset.example.  5M IN A  10.0.3.126
+a-maximum-rrset.example.  5M IN A  10.0.3.127
+a-maximum-rrset.example.  5M IN A  10.0.3.128
+a-maximum-rrset.example.  5M IN A  10.0.3.129
+a-maximum-rrset.example.  5M IN A  10.0.3.130
+a-maximum-rrset.example.  5M IN A  10.0.3.131
+a-maximum-rrset.example.  5M IN A  10.0.3.132
+a-maximum-rrset.example.  5M IN A  10.0.3.133
+a-maximum-rrset.example.  5M IN A  10.0.3.134
+a-maximum-rrset.example.  5M IN A  10.0.3.135
+a-maximum-rrset.example.  5M IN A  10.0.3.136
+a-maximum-rrset.example.  5M IN A  10.0.3.137
+a-maximum-rrset.example.  5M IN A  10.0.3.138
+a-maximum-rrset.example.  5M IN A  10.0.3.139
+a-maximum-rrset.example.  5M IN A  10.0.3.140
+a-maximum-rrset.example.  5M IN A  10.0.3.141
+a-maximum-rrset.example.  5M IN A  10.0.3.142
+a-maximum-rrset.example.  5M IN A  10.0.3.143
+a-maximum-rrset.example.  5M IN A  10.0.3.144
+a-maximum-rrset.example.  5M IN A  10.0.3.145
+a-maximum-rrset.example.  5M IN A  10.0.3.146
+a-maximum-rrset.example.  5M IN A  10.0.3.147
+a-maximum-rrset.example.  5M IN A  10.0.3.148
+a-maximum-rrset.example.  5M IN A  10.0.3.149
+a-maximum-rrset.example.  5M IN A  10.0.3.150
+a-maximum-rrset.example.  5M IN A  10.0.3.151
+a-maximum-rrset.example.  5M IN A  10.0.3.152
+a-maximum-rrset.example.  5M IN A  10.0.3.153
+a-maximum-rrset.example.  5M IN A  10.0.3.154
+a-maximum-rrset.example.  5M IN A  10.0.3.155
+a-maximum-rrset.example.  5M IN A  10.0.3.156
+a-maximum-rrset.example.  5M IN A  10.0.3.157
+a-maximum-rrset.example.  5M IN A  10.0.3.158
+a-maximum-rrset.example.  5M IN A  10.0.3.159
+a-maximum-rrset.example.  5M IN A  10.0.3.160
+a-maximum-rrset.example.  5M IN A  10.0.3.161
+a-maximum-rrset.example.  5M IN A  10.0.3.162
+a-maximum-rrset.example.  5M IN A  10.0.3.163
+a-maximum-rrset.example.  5M IN A  10.0.3.164
+a-maximum-rrset.example.  5M IN A  10.0.3.165
+a-maximum-rrset.example.  5M IN A  10.0.3.166
+a-maximum-rrset.example.  5M IN A  10.0.3.167
+a-maximum-rrset.example.  5M IN A  10.0.3.168
+a-maximum-rrset.example.  5M IN A  10.0.3.169
+a-maximum-rrset.example.  5M IN A  10.0.3.170
+a-maximum-rrset.example.  5M IN A  10.0.3.171
+a-maximum-rrset.example.  5M IN A  10.0.3.172
+a-maximum-rrset.example.  5M IN A  10.0.3.173
+a-maximum-rrset.example.  5M IN A  10.0.3.174
+a-maximum-rrset.example.  5M IN A  10.0.3.175
+a-maximum-rrset.example.  5M IN A  10.0.3.176
+a-maximum-rrset.example.  5M IN A  10.0.3.177
+a-maximum-rrset.example.  5M IN A  10.0.3.178
+a-maximum-rrset.example.  5M IN A  10.0.3.179
+a-maximum-rrset.example.  5M IN A  10.0.3.180
+a-maximum-rrset.example.  5M IN A  10.0.3.181
+a-maximum-rrset.example.  5M IN A  10.0.3.182
+a-maximum-rrset.example.  5M IN A  10.0.3.183
+a-maximum-rrset.example.  5M IN A  10.0.3.184
+a-maximum-rrset.example.  5M IN A  10.0.3.185
+a-maximum-rrset.example.  5M IN A  10.0.3.186
+a-maximum-rrset.example.  5M IN A  10.0.3.187
+a-maximum-rrset.example.  5M IN A  10.0.3.188
+a-maximum-rrset.example.  5M IN A  10.0.3.189
+a-maximum-rrset.example.  5M IN A  10.0.3.190
+a-maximum-rrset.example.  5M IN A  10.0.3.191
+a-maximum-rrset.example.  5M IN A  10.0.3.192
+a-maximum-rrset.example.  5M IN A  10.0.3.193
+a-maximum-rrset.example.  5M IN A  10.0.3.194
+a-maximum-rrset.example.  5M IN A  10.0.3.195
+a-maximum-rrset.example.  5M IN A  10.0.3.196
+a-maximum-rrset.example.  5M IN A  10.0.3.197
+a-maximum-rrset.example.  5M IN A  10.0.3.198
+a-maximum-rrset.example.  5M IN A  10.0.3.199
+a-maximum-rrset.example.  5M IN A  10.0.3.200
+a-maximum-rrset.example.  5M IN A  10.0.3.201
+a-maximum-rrset.example.  5M IN A  10.0.3.202
+a-maximum-rrset.example.  5M IN A  10.0.3.203
+a-maximum-rrset.example.  5M IN A  10.0.3.204
+a-maximum-rrset.example.  5M IN A  10.0.3.205
+a-maximum-rrset.example.  5M IN A  10.0.3.206
+a-maximum-rrset.example.  5M IN A  10.0.3.207
+a-maximum-rrset.example.  5M IN A  10.0.3.208
+a-maximum-rrset.example.  5M IN A  10.0.3.209
+a-maximum-rrset.example.  5M IN A  10.0.3.210
+a-maximum-rrset.example.  5M IN A  10.0.3.211
+a-maximum-rrset.example.  5M IN A  10.0.3.212
+a-maximum-rrset.example.  5M IN A  10.0.3.213
+a-maximum-rrset.example.  5M IN A  10.0.3.214
+a-maximum-rrset.example.  5M IN A  10.0.3.215
+a-maximum-rrset.example.  5M IN A  10.0.3.216
+a-maximum-rrset.example.  5M IN A  10.0.3.217
+a-maximum-rrset.example.  5M IN A  10.0.3.218
+a-maximum-rrset.example.  5M IN A  10.0.3.219
+a-maximum-rrset.example.  5M IN A  10.0.3.220
+a-maximum-rrset.example.  5M IN A  10.0.3.221
+a-maximum-rrset.example.  5M IN A  10.0.3.222
+a-maximum-rrset.example.  5M IN A  10.0.3.223
+a-maximum-rrset.example.  5M IN A  10.0.3.224
+a-maximum-rrset.example.  5M IN A  10.0.3.225
+a-maximum-rrset.example.  5M IN A  10.0.3.226
+a-maximum-rrset.example.  5M IN A  10.0.3.227
+a-maximum-rrset.example.  5M IN A  10.0.3.228
+a-maximum-rrset.example.  5M IN A  10.0.3.229
+a-maximum-rrset.example.  5M IN A  10.0.3.230
+a-maximum-rrset.example.  5M IN A  10.0.3.231
+a-maximum-rrset.example.  5M IN A  10.0.3.232
+a-maximum-rrset.example.  5M IN A  10.0.3.233
+a-maximum-rrset.example.  5M IN A  10.0.3.234
+a-maximum-rrset.example.  5M IN A  10.0.3.235
+a-maximum-rrset.example.  5M IN A  10.0.3.236
+a-maximum-rrset.example.  5M IN A  10.0.3.237
+a-maximum-rrset.example.  5M IN A  10.0.3.238
+a-maximum-rrset.example.  5M IN A  10.0.3.239
+a-maximum-rrset.example.  5M IN A  10.0.3.240
+a-maximum-rrset.example.  5M IN A  10.0.3.241
+a-maximum-rrset.example.  5M IN A  10.0.3.242
+a-maximum-rrset.example.  5M IN A  10.0.3.243
+a-maximum-rrset.example.  5M IN A  10.0.3.244
+a-maximum-rrset.example.  5M IN A  10.0.3.245
+a-maximum-rrset.example.  5M IN A  10.0.3.246
+a-maximum-rrset.example.  5M IN A  10.0.3.247
+a-maximum-rrset.example.  5M IN A  10.0.3.248
+a-maximum-rrset.example.  5M IN A  10.0.3.249
+a-maximum-rrset.example.  5M IN A  10.0.3.250
+a-maximum-rrset.example.  5M IN A  10.0.3.251
+a-maximum-rrset.example.  5M IN A  10.0.3.252
+a-maximum-rrset.example.  5M IN A  10.0.3.253
+a-maximum-rrset.example.  5M IN A  10.0.3.254
+a-maximum-rrset.example.  5M IN A  10.0.3.255
+a-maximum-rrset.example.  5M IN A  10.0.4.0
+a-maximum-rrset.example.  5M IN A  10.0.4.1
+a-maximum-rrset.example.  5M IN A  10.0.4.2
+a-maximum-rrset.example.  5M IN A  10.0.4.3
+a-maximum-rrset.example.  5M IN A  10.0.4.4
+a-maximum-rrset.example.  5M IN A  10.0.4.5
+a-maximum-rrset.example.  5M IN A  10.0.4.6
+a-maximum-rrset.example.  5M IN A  10.0.4.7
+a-maximum-rrset.example.  5M IN A  10.0.4.8
+a-maximum-rrset.example.  5M IN A  10.0.4.9
+a-maximum-rrset.example.  5M IN A  10.0.4.10
+a-maximum-rrset.example.  5M IN A  10.0.4.11
+a-maximum-rrset.example.  5M IN A  10.0.4.12
+a-maximum-rrset.example.  5M IN A  10.0.4.13
+a-maximum-rrset.example.  5M IN A  10.0.4.14
+a-maximum-rrset.example.  5M IN A  10.0.4.15
+a-maximum-rrset.example.  5M IN A  10.0.4.16
+a-maximum-rrset.example.  5M IN A  10.0.4.17
+a-maximum-rrset.example.  5M IN A  10.0.4.18
+a-maximum-rrset.example.  5M IN A  10.0.4.19
+a-maximum-rrset.example.  5M IN A  10.0.4.20
+a-maximum-rrset.example.  5M IN A  10.0.4.21
+a-maximum-rrset.example.  5M IN A  10.0.4.22
+a-maximum-rrset.example.  5M IN A  10.0.4.23
+a-maximum-rrset.example.  5M IN A  10.0.4.24
+a-maximum-rrset.example.  5M IN A  10.0.4.25
+a-maximum-rrset.example.  5M IN A  10.0.4.26
+a-maximum-rrset.example.  5M IN A  10.0.4.27
+a-maximum-rrset.example.  5M IN A  10.0.4.28
+a-maximum-rrset.example.  5M IN A  10.0.4.29
+a-maximum-rrset.example.  5M IN A  10.0.4.30
+a-maximum-rrset.example.  5M IN A  10.0.4.31
+a-maximum-rrset.example.  5M IN A  10.0.4.32
+a-maximum-rrset.example.  5M IN A  10.0.4.33
+a-maximum-rrset.example.  5M IN A  10.0.4.34
+a-maximum-rrset.example.  5M IN A  10.0.4.35
+a-maximum-rrset.example.  5M IN A  10.0.4.36
+a-maximum-rrset.example.  5M IN A  10.0.4.37
+a-maximum-rrset.example.  5M IN A  10.0.4.38
+a-maximum-rrset.example.  5M IN A  10.0.4.39
+a-maximum-rrset.example.  5M IN A  10.0.4.40
+a-maximum-rrset.example.  5M IN A  10.0.4.41
+a-maximum-rrset.example.  5M IN A  10.0.4.42
+a-maximum-rrset.example.  5M IN A  10.0.4.43
+a-maximum-rrset.example.  5M IN A  10.0.4.44
+a-maximum-rrset.example.  5M IN A  10.0.4.45
+a-maximum-rrset.example.  5M IN A  10.0.4.46
+a-maximum-rrset.example.  5M IN A  10.0.4.47
+a-maximum-rrset.example.  5M IN A  10.0.4.48
+a-maximum-rrset.example.  5M IN A  10.0.4.49
+a-maximum-rrset.example.  5M IN A  10.0.4.50
+a-maximum-rrset.example.  5M IN A  10.0.4.51
+a-maximum-rrset.example.  5M IN A  10.0.4.52
+a-maximum-rrset.example.  5M IN A  10.0.4.53
+a-maximum-rrset.example.  5M IN A  10.0.4.54
+a-maximum-rrset.example.  5M IN A  10.0.4.55
+a-maximum-rrset.example.  5M IN A  10.0.4.56
+a-maximum-rrset.example.  5M IN A  10.0.4.57
+a-maximum-rrset.example.  5M IN A  10.0.4.58
+a-maximum-rrset.example.  5M IN A  10.0.4.59
+a-maximum-rrset.example.  5M IN A  10.0.4.60
+a-maximum-rrset.example.  5M IN A  10.0.4.61
+a-maximum-rrset.example.  5M IN A  10.0.4.62
+a-maximum-rrset.example.  5M IN A  10.0.4.63
+a-maximum-rrset.example.  5M IN A  10.0.4.64
+a-maximum-rrset.example.  5M IN A  10.0.4.65
+a-maximum-rrset.example.  5M IN A  10.0.4.66
+a-maximum-rrset.example.  5M IN A  10.0.4.67
+a-maximum-rrset.example.  5M IN A  10.0.4.68
+a-maximum-rrset.example.  5M IN A  10.0.4.69
+a-maximum-rrset.example.  5M IN A  10.0.4.70
+a-maximum-rrset.example.  5M IN A  10.0.4.71
+a-maximum-rrset.example.  5M IN A  10.0.4.72
+a-maximum-rrset.example.  5M IN A  10.0.4.73
+a-maximum-rrset.example.  5M IN A  10.0.4.74
+a-maximum-rrset.example.  5M IN A  10.0.4.75
+a-maximum-rrset.example.  5M IN A  10.0.4.76
+a-maximum-rrset.example.  5M IN A  10.0.4.77
+a-maximum-rrset.example.  5M IN A  10.0.4.78
+a-maximum-rrset.example.  5M IN A  10.0.4.79
+a-maximum-rrset.example.  5M IN A  10.0.4.80
+a-maximum-rrset.example.  5M IN A  10.0.4.81
+a-maximum-rrset.example.  5M IN A  10.0.4.82
+a-maximum-rrset.example.  5M IN A  10.0.4.83
+a-maximum-rrset.example.  5M IN A  10.0.4.84
+a-maximum-rrset.example.  5M IN A  10.0.4.85
+a-maximum-rrset.example.  5M IN A  10.0.4.86
+a-maximum-rrset.example.  5M IN A  10.0.4.87
+a-maximum-rrset.example.  5M IN A  10.0.4.88
+a-maximum-rrset.example.  5M IN A  10.0.4.89
+a-maximum-rrset.example.  5M IN A  10.0.4.90
+a-maximum-rrset.example.  5M IN A  10.0.4.91
+a-maximum-rrset.example.  5M IN A  10.0.4.92
+a-maximum-rrset.example.  5M IN A  10.0.4.93
+a-maximum-rrset.example.  5M IN A  10.0.4.94
+a-maximum-rrset.example.  5M IN A  10.0.4.95
+a-maximum-rrset.example.  5M IN A  10.0.4.96
+a-maximum-rrset.example.  5M IN A  10.0.4.97
+a-maximum-rrset.example.  5M IN A  10.0.4.98
+a-maximum-rrset.example.  5M IN A  10.0.4.99
+a-maximum-rrset.example.  5M IN A  10.0.4.100
+a-maximum-rrset.example.  5M IN A  10.0.4.101
+a-maximum-rrset.example.  5M IN A  10.0.4.102
+a-maximum-rrset.example.  5M IN A  10.0.4.103
+a-maximum-rrset.example.  5M IN A  10.0.4.104
+a-maximum-rrset.example.  5M IN A  10.0.4.105
+a-maximum-rrset.example.  5M IN A  10.0.4.106
+a-maximum-rrset.example.  5M IN A  10.0.4.107
+a-maximum-rrset.example.  5M IN A  10.0.4.108
+a-maximum-rrset.example.  5M IN A  10.0.4.109
+a-maximum-rrset.example.  5M IN A  10.0.4.110
+a-maximum-rrset.example.  5M IN A  10.0.4.111
+a-maximum-rrset.example.  5M IN A  10.0.4.112
+a-maximum-rrset.example.  5M IN A  10.0.4.113
+a-maximum-rrset.example.  5M IN A  10.0.4.114
+a-maximum-rrset.example.  5M IN A  10.0.4.115
+a-maximum-rrset.example.  5M IN A  10.0.4.116
+a-maximum-rrset.example.  5M IN A  10.0.4.117
+a-maximum-rrset.example.  5M IN A  10.0.4.118
+a-maximum-rrset.example.  5M IN A  10.0.4.119
+a-maximum-rrset.example.  5M IN A  10.0.4.120
+a-maximum-rrset.example.  5M IN A  10.0.4.121
+a-maximum-rrset.example.  5M IN A  10.0.4.122
+a-maximum-rrset.example.  5M IN A  10.0.4.123
+a-maximum-rrset.example.  5M IN A  10.0.4.124
+a-maximum-rrset.example.  5M IN A  10.0.4.125
+a-maximum-rrset.example.  5M IN A  10.0.4.126
+a-maximum-rrset.example.  5M IN A  10.0.4.127
+a-maximum-rrset.example.  5M IN A  10.0.4.128
+a-maximum-rrset.example.  5M IN A  10.0.4.129
+a-maximum-rrset.example.  5M IN A  10.0.4.130
+a-maximum-rrset.example.  5M IN A  10.0.4.131
+a-maximum-rrset.example.  5M IN A  10.0.4.132
+a-maximum-rrset.example.  5M IN A  10.0.4.133
+a-maximum-rrset.example.  5M IN A  10.0.4.134
+a-maximum-rrset.example.  5M IN A  10.0.4.135
+a-maximum-rrset.example.  5M IN A  10.0.4.136
+a-maximum-rrset.example.  5M IN A  10.0.4.137
+a-maximum-rrset.example.  5M IN A  10.0.4.138
+a-maximum-rrset.example.  5M IN A  10.0.4.139
+a-maximum-rrset.example.  5M IN A  10.0.4.140
+a-maximum-rrset.example.  5M IN A  10.0.4.141
+a-maximum-rrset.example.  5M IN A  10.0.4.142
+a-maximum-rrset.example.  5M IN A  10.0.4.143
+a-maximum-rrset.example.  5M IN A  10.0.4.144
+a-maximum-rrset.example.  5M IN A  10.0.4.145
+a-maximum-rrset.example.  5M IN A  10.0.4.146
+a-maximum-rrset.example.  5M IN A  10.0.4.147
+a-maximum-rrset.example.  5M IN A  10.0.4.148
+a-maximum-rrset.example.  5M IN A  10.0.4.149
+a-maximum-rrset.example.  5M IN A  10.0.4.150
+a-maximum-rrset.example.  5M IN A  10.0.4.151
+a-maximum-rrset.example.  5M IN A  10.0.4.152
+a-maximum-rrset.example.  5M IN A  10.0.4.153
+a-maximum-rrset.example.  5M IN A  10.0.4.154
+a-maximum-rrset.example.  5M IN A  10.0.4.155
+a-maximum-rrset.example.  5M IN A  10.0.4.156
+a-maximum-rrset.example.  5M IN A  10.0.4.157
+a-maximum-rrset.example.  5M IN A  10.0.4.158
+a-maximum-rrset.example.  5M IN A  10.0.4.159
+a-maximum-rrset.example.  5M IN A  10.0.4.160
+a-maximum-rrset.example.  5M IN A  10.0.4.161
+a-maximum-rrset.example.  5M IN A  10.0.4.162
+a-maximum-rrset.example.  5M IN A  10.0.4.163
+a-maximum-rrset.example.  5M IN A  10.0.4.164
+a-maximum-rrset.example.  5M IN A  10.0.4.165
+a-maximum-rrset.example.  5M IN A  10.0.4.166
+a-maximum-rrset.example.  5M IN A  10.0.4.167
+a-maximum-rrset.example.  5M IN A  10.0.4.168
+a-maximum-rrset.example.  5M IN A  10.0.4.169
+a-maximum-rrset.example.  5M IN A  10.0.4.170
+a-maximum-rrset.example.  5M IN A  10.0.4.171
+a-maximum-rrset.example.  5M IN A  10.0.4.172
+a-maximum-rrset.example.  5M IN A  10.0.4.173
+a-maximum-rrset.example.  5M IN A  10.0.4.174
+a-maximum-rrset.example.  5M IN A  10.0.4.175
+a-maximum-rrset.example.  5M IN A  10.0.4.176
+a-maximum-rrset.example.  5M IN A  10.0.4.177
+a-maximum-rrset.example.  5M IN A  10.0.4.178
+a-maximum-rrset.example.  5M IN A  10.0.4.179
+a-maximum-rrset.example.  5M IN A  10.0.4.180
+a-maximum-rrset.example.  5M IN A  10.0.4.181
+a-maximum-rrset.example.  5M IN A  10.0.4.182
+a-maximum-rrset.example.  5M IN A  10.0.4.183
+a-maximum-rrset.example.  5M IN A  10.0.4.184
+a-maximum-rrset.example.  5M IN A  10.0.4.185
+a-maximum-rrset.example.  5M IN A  10.0.4.186
+a-maximum-rrset.example.  5M IN A  10.0.4.187
+a-maximum-rrset.example.  5M IN A  10.0.4.188
+a-maximum-rrset.example.  5M IN A  10.0.4.189
+a-maximum-rrset.example.  5M IN A  10.0.4.190
+a-maximum-rrset.example.  5M IN A  10.0.4.191
+a-maximum-rrset.example.  5M IN A  10.0.4.192
+a-maximum-rrset.example.  5M IN A  10.0.4.193
+a-maximum-rrset.example.  5M IN A  10.0.4.194
+a-maximum-rrset.example.  5M IN A  10.0.4.195
+a-maximum-rrset.example.  5M IN A  10.0.4.196
+a-maximum-rrset.example.  5M IN A  10.0.4.197
+a-maximum-rrset.example.  5M IN A  10.0.4.198
+a-maximum-rrset.example.  5M IN A  10.0.4.199
+a-maximum-rrset.example.  5M IN A  10.0.4.200
+a-maximum-rrset.example.  5M IN A  10.0.4.201
+a-maximum-rrset.example.  5M IN A  10.0.4.202
+a-maximum-rrset.example.  5M IN A  10.0.4.203
+a-maximum-rrset.example.  5M IN A  10.0.4.204
+a-maximum-rrset.example.  5M IN A  10.0.4.205
+a-maximum-rrset.example.  5M IN A  10.0.4.206
+a-maximum-rrset.example.  5M IN A  10.0.4.207
+a-maximum-rrset.example.  5M IN A  10.0.4.208
+a-maximum-rrset.example.  5M IN A  10.0.4.209
+a-maximum-rrset.example.  5M IN A  10.0.4.210
+a-maximum-rrset.example.  5M IN A  10.0.4.211
+a-maximum-rrset.example.  5M IN A  10.0.4.212
+a-maximum-rrset.example.  5M IN A  10.0.4.213
+a-maximum-rrset.example.  5M IN A  10.0.4.214
+a-maximum-rrset.example.  5M IN A  10.0.4.215
+a-maximum-rrset.example.  5M IN A  10.0.4.216
+a-maximum-rrset.example.  5M IN A  10.0.4.217
+a-maximum-rrset.example.  5M IN A  10.0.4.218
+a-maximum-rrset.example.  5M IN A  10.0.4.219
+a-maximum-rrset.example.  5M IN A  10.0.4.220
+a-maximum-rrset.example.  5M IN A  10.0.4.221
+a-maximum-rrset.example.  5M IN A  10.0.4.222
+a-maximum-rrset.example.  5M IN A  10.0.4.223
+a-maximum-rrset.example.  5M IN A  10.0.4.224
+a-maximum-rrset.example.  5M IN A  10.0.4.225
+a-maximum-rrset.example.  5M IN A  10.0.4.226
+a-maximum-rrset.example.  5M IN A  10.0.4.227
+a-maximum-rrset.example.  5M IN A  10.0.4.228
+a-maximum-rrset.example.  5M IN A  10.0.4.229
+a-maximum-rrset.example.  5M IN A  10.0.4.230
+a-maximum-rrset.example.  5M IN A  10.0.4.231
+a-maximum-rrset.example.  5M IN A  10.0.4.232
+a-maximum-rrset.example.  5M IN A  10.0.4.233
+a-maximum-rrset.example.  5M IN A  10.0.4.234
+a-maximum-rrset.example.  5M IN A  10.0.4.235
+a-maximum-rrset.example.  5M IN A  10.0.4.236
+a-maximum-rrset.example.  5M IN A  10.0.4.237
+a-maximum-rrset.example.  5M IN A  10.0.4.238
+a-maximum-rrset.example.  5M IN A  10.0.4.239
+a-maximum-rrset.example.  5M IN A  10.0.4.240
+a-maximum-rrset.example.  5M IN A  10.0.4.241
+a-maximum-rrset.example.  5M IN A  10.0.4.242
+a-maximum-rrset.example.  5M IN A  10.0.4.243
+a-maximum-rrset.example.  5M IN A  10.0.4.244
+a-maximum-rrset.example.  5M IN A  10.0.4.245
+a-maximum-rrset.example.  5M IN A  10.0.4.246
+a-maximum-rrset.example.  5M IN A  10.0.4.247
+a-maximum-rrset.example.  5M IN A  10.0.4.248
+a-maximum-rrset.example.  5M IN A  10.0.4.249
+a-maximum-rrset.example.  5M IN A  10.0.4.250
+a-maximum-rrset.example.  5M IN A  10.0.4.251
+a-maximum-rrset.example.  5M IN A  10.0.4.252
+a-maximum-rrset.example.  5M IN A  10.0.4.253
+a-maximum-rrset.example.  5M IN A  10.0.4.254
+a-maximum-rrset.example.  5M IN A  10.0.4.255
+a-maximum-rrset.example.  5M IN A  10.0.5.0
+a-maximum-rrset.example.  5M IN A  10.0.5.1
+a-maximum-rrset.example.  5M IN A  10.0.5.2
+a-maximum-rrset.example.  5M IN A  10.0.5.3
+a-maximum-rrset.example.  5M IN A  10.0.5.4
+a-maximum-rrset.example.  5M IN A  10.0.5.5
+a-maximum-rrset.example.  5M IN A  10.0.5.6
+a-maximum-rrset.example.  5M IN A  10.0.5.7
+a-maximum-rrset.example.  5M IN A  10.0.5.8
+a-maximum-rrset.example.  5M IN A  10.0.5.9
+a-maximum-rrset.example.  5M IN A  10.0.5.10
+a-maximum-rrset.example.  5M IN A  10.0.5.11
+a-maximum-rrset.example.  5M IN A  10.0.5.12
+a-maximum-rrset.example.  5M IN A  10.0.5.13
+a-maximum-rrset.example.  5M IN A  10.0.5.14
+a-maximum-rrset.example.  5M IN A  10.0.5.15
+a-maximum-rrset.example.  5M IN A  10.0.5.16
+a-maximum-rrset.example.  5M IN A  10.0.5.17
+a-maximum-rrset.example.  5M IN A  10.0.5.18
+a-maximum-rrset.example.  5M IN A  10.0.5.19
+a-maximum-rrset.example.  5M IN A  10.0.5.20
+a-maximum-rrset.example.  5M IN A  10.0.5.21
+a-maximum-rrset.example.  5M IN A  10.0.5.22
+a-maximum-rrset.example.  5M IN A  10.0.5.23
+a-maximum-rrset.example.  5M IN A  10.0.5.24
+a-maximum-rrset.example.  5M IN A  10.0.5.25
+a-maximum-rrset.example.  5M IN A  10.0.5.26
+a-maximum-rrset.example.  5M IN A  10.0.5.27
+a-maximum-rrset.example.  5M IN A  10.0.5.28
+a-maximum-rrset.example.  5M IN A  10.0.5.29
+a-maximum-rrset.example.  5M IN A  10.0.5.30
+a-maximum-rrset.example.  5M IN A  10.0.5.31
+a-maximum-rrset.example.  5M IN A  10.0.5.32
+a-maximum-rrset.example.  5M IN A  10.0.5.33
+a-maximum-rrset.example.  5M IN A  10.0.5.34
+a-maximum-rrset.example.  5M IN A  10.0.5.35
+a-maximum-rrset.example.  5M IN A  10.0.5.36
+a-maximum-rrset.example.  5M IN A  10.0.5.37
+a-maximum-rrset.example.  5M IN A  10.0.5.38
+a-maximum-rrset.example.  5M IN A  10.0.5.39
+a-maximum-rrset.example.  5M IN A  10.0.5.40
+a-maximum-rrset.example.  5M IN A  10.0.5.41
+a-maximum-rrset.example.  5M IN A  10.0.5.42
+a-maximum-rrset.example.  5M IN A  10.0.5.43
+a-maximum-rrset.example.  5M IN A  10.0.5.44
+a-maximum-rrset.example.  5M IN A  10.0.5.45
+a-maximum-rrset.example.  5M IN A  10.0.5.46
+a-maximum-rrset.example.  5M IN A  10.0.5.47
+a-maximum-rrset.example.  5M IN A  10.0.5.48
+a-maximum-rrset.example.  5M IN A  10.0.5.49
+a-maximum-rrset.example.  5M IN A  10.0.5.50
+a-maximum-rrset.example.  5M IN A  10.0.5.51
+a-maximum-rrset.example.  5M IN A  10.0.5.52
+a-maximum-rrset.example.  5M IN A  10.0.5.53
+a-maximum-rrset.example.  5M IN A  10.0.5.54
+a-maximum-rrset.example.  5M IN A  10.0.5.55
+a-maximum-rrset.example.  5M IN A  10.0.5.56
+a-maximum-rrset.example.  5M IN A  10.0.5.57
+a-maximum-rrset.example.  5M IN A  10.0.5.58
+a-maximum-rrset.example.  5M IN A  10.0.5.59
+a-maximum-rrset.example.  5M IN A  10.0.5.60
+a-maximum-rrset.example.  5M IN A  10.0.5.61
+a-maximum-rrset.example.  5M IN A  10.0.5.62
+a-maximum-rrset.example.  5M IN A  10.0.5.63
+a-maximum-rrset.example.  5M IN A  10.0.5.64
+a-maximum-rrset.example.  5M IN A  10.0.5.65
+a-maximum-rrset.example.  5M IN A  10.0.5.66
+a-maximum-rrset.example.  5M IN A  10.0.5.67
+a-maximum-rrset.example.  5M IN A  10.0.5.68
+a-maximum-rrset.example.  5M IN A  10.0.5.69
+a-maximum-rrset.example.  5M IN A  10.0.5.70
+a-maximum-rrset.example.  5M IN A  10.0.5.71
+a-maximum-rrset.example.  5M IN A  10.0.5.72
+a-maximum-rrset.example.  5M IN A  10.0.5.73
+a-maximum-rrset.example.  5M IN A  10.0.5.74
+a-maximum-rrset.example.  5M IN A  10.0.5.75
+a-maximum-rrset.example.  5M IN A  10.0.5.76
+a-maximum-rrset.example.  5M IN A  10.0.5.77
+a-maximum-rrset.example.  5M IN A  10.0.5.78
+a-maximum-rrset.example.  5M IN A  10.0.5.79
+a-maximum-rrset.example.  5M IN A  10.0.5.80
+a-maximum-rrset.example.  5M IN A  10.0.5.81
+a-maximum-rrset.example.  5M IN A  10.0.5.82
+a-maximum-rrset.example.  5M IN A  10.0.5.83
+a-maximum-rrset.example.  5M IN A  10.0.5.84
+a-maximum-rrset.example.  5M IN A  10.0.5.85
+a-maximum-rrset.example.  5M IN A  10.0.5.86
+a-maximum-rrset.example.  5M IN A  10.0.5.87
+a-maximum-rrset.example.  5M IN A  10.0.5.88
+a-maximum-rrset.example.  5M IN A  10.0.5.89
+a-maximum-rrset.example.  5M IN A  10.0.5.90
+a-maximum-rrset.example.  5M IN A  10.0.5.91
+a-maximum-rrset.example.  5M IN A  10.0.5.92
+a-maximum-rrset.example.  5M IN A  10.0.5.93
+a-maximum-rrset.example.  5M IN A  10.0.5.94
+a-maximum-rrset.example.  5M IN A  10.0.5.95
+a-maximum-rrset.example.  5M IN A  10.0.5.96
+a-maximum-rrset.example.  5M IN A  10.0.5.97
+a-maximum-rrset.example.  5M IN A  10.0.5.98
+a-maximum-rrset.example.  5M IN A  10.0.5.99
+a-maximum-rrset.example.  5M IN A  10.0.5.100
+a-maximum-rrset.example.  5M IN A  10.0.5.101
+a-maximum-rrset.example.  5M IN A  10.0.5.102
+a-maximum-rrset.example.  5M IN A  10.0.5.103
+a-maximum-rrset.example.  5M IN A  10.0.5.104
+a-maximum-rrset.example.  5M IN A  10.0.5.105
+a-maximum-rrset.example.  5M IN A  10.0.5.106
+a-maximum-rrset.example.  5M IN A  10.0.5.107
+a-maximum-rrset.example.  5M IN A  10.0.5.108
+a-maximum-rrset.example.  5M IN A  10.0.5.109
+a-maximum-rrset.example.  5M IN A  10.0.5.110
+a-maximum-rrset.example.  5M IN A  10.0.5.111
+a-maximum-rrset.example.  5M IN A  10.0.5.112
+a-maximum-rrset.example.  5M IN A  10.0.5.113
+a-maximum-rrset.example.  5M IN A  10.0.5.114
+a-maximum-rrset.example.  5M IN A  10.0.5.115
+a-maximum-rrset.example.  5M IN A  10.0.5.116
+a-maximum-rrset.example.  5M IN A  10.0.5.117
+a-maximum-rrset.example.  5M IN A  10.0.5.118
+a-maximum-rrset.example.  5M IN A  10.0.5.119
+a-maximum-rrset.example.  5M IN A  10.0.5.120
+a-maximum-rrset.example.  5M IN A  10.0.5.121
+a-maximum-rrset.example.  5M IN A  10.0.5.122
+a-maximum-rrset.example.  5M IN A  10.0.5.123
+a-maximum-rrset.example.  5M IN A  10.0.5.124
+a-maximum-rrset.example.  5M IN A  10.0.5.125
+a-maximum-rrset.example.  5M IN A  10.0.5.126
+a-maximum-rrset.example.  5M IN A  10.0.5.127
+a-maximum-rrset.example.  5M IN A  10.0.5.128
+a-maximum-rrset.example.  5M IN A  10.0.5.129
+a-maximum-rrset.example.  5M IN A  10.0.5.130
+a-maximum-rrset.example.  5M IN A  10.0.5.131
+a-maximum-rrset.example.  5M IN A  10.0.5.132
+a-maximum-rrset.example.  5M IN A  10.0.5.133
+a-maximum-rrset.example.  5M IN A  10.0.5.134
+a-maximum-rrset.example.  5M IN A  10.0.5.135
+a-maximum-rrset.example.  5M IN A  10.0.5.136
+a-maximum-rrset.example.  5M IN A  10.0.5.137
+a-maximum-rrset.example.  5M IN A  10.0.5.138
+a-maximum-rrset.example.  5M IN A  10.0.5.139
+a-maximum-rrset.example.  5M IN A  10.0.5.140
+a-maximum-rrset.example.  5M IN A  10.0.5.141
+a-maximum-rrset.example.  5M IN A  10.0.5.142
+a-maximum-rrset.example.  5M IN A  10.0.5.143
+a-maximum-rrset.example.  5M IN A  10.0.5.144
+a-maximum-rrset.example.  5M IN A  10.0.5.145
+a-maximum-rrset.example.  5M IN A  10.0.5.146
+a-maximum-rrset.example.  5M IN A  10.0.5.147
+a-maximum-rrset.example.  5M IN A  10.0.5.148
+a-maximum-rrset.example.  5M IN A  10.0.5.149
+a-maximum-rrset.example.  5M IN A  10.0.5.150
+a-maximum-rrset.example.  5M IN A  10.0.5.151
+a-maximum-rrset.example.  5M IN A  10.0.5.152
+a-maximum-rrset.example.  5M IN A  10.0.5.153
+a-maximum-rrset.example.  5M IN A  10.0.5.154
+a-maximum-rrset.example.  5M IN A  10.0.5.155
+a-maximum-rrset.example.  5M IN A  10.0.5.156
+a-maximum-rrset.example.  5M IN A  10.0.5.157
+a-maximum-rrset.example.  5M IN A  10.0.5.158
+a-maximum-rrset.example.  5M IN A  10.0.5.159
+a-maximum-rrset.example.  5M IN A  10.0.5.160
+a-maximum-rrset.example.  5M IN A  10.0.5.161
+a-maximum-rrset.example.  5M IN A  10.0.5.162
+a-maximum-rrset.example.  5M IN A  10.0.5.163
+a-maximum-rrset.example.  5M IN A  10.0.5.164
+a-maximum-rrset.example.  5M IN A  10.0.5.165
+a-maximum-rrset.example.  5M IN A  10.0.5.166
+a-maximum-rrset.example.  5M IN A  10.0.5.167
+a-maximum-rrset.example.  5M IN A  10.0.5.168
+a-maximum-rrset.example.  5M IN A  10.0.5.169
+a-maximum-rrset.example.  5M IN A  10.0.5.170
+a-maximum-rrset.example.  5M IN A  10.0.5.171
+a-maximum-rrset.example.  5M IN A  10.0.5.172
+a-maximum-rrset.example.  5M IN A  10.0.5.173
+a-maximum-rrset.example.  5M IN A  10.0.5.174
+a-maximum-rrset.example.  5M IN A  10.0.5.175
+a-maximum-rrset.example.  5M IN A  10.0.5.176
+a-maximum-rrset.example.  5M IN A  10.0.5.177
+a-maximum-rrset.example.  5M IN A  10.0.5.178
+a-maximum-rrset.example.  5M IN A  10.0.5.179
+a-maximum-rrset.example.  5M IN A  10.0.5.180
+a-maximum-rrset.example.  5M IN A  10.0.5.181
+a-maximum-rrset.example.  5M IN A  10.0.5.182
+a-maximum-rrset.example.  5M IN A  10.0.5.183
+a-maximum-rrset.example.  5M IN A  10.0.5.184
+a-maximum-rrset.example.  5M IN A  10.0.5.185
+a-maximum-rrset.example.  5M IN A  10.0.5.186
+a-maximum-rrset.example.  5M IN A  10.0.5.187
+a-maximum-rrset.example.  5M IN A  10.0.5.188
+a-maximum-rrset.example.  5M IN A  10.0.5.189
+a-maximum-rrset.example.  5M IN A  10.0.5.190
+a-maximum-rrset.example.  5M IN A  10.0.5.191
+a-maximum-rrset.example.  5M IN A  10.0.5.192
+a-maximum-rrset.example.  5M IN A  10.0.5.193
+a-maximum-rrset.example.  5M IN A  10.0.5.194
+a-maximum-rrset.example.  5M IN A  10.0.5.195
+a-maximum-rrset.example.  5M IN A  10.0.5.196
+a-maximum-rrset.example.  5M IN A  10.0.5.197
+a-maximum-rrset.example.  5M IN A  10.0.5.198
+a-maximum-rrset.example.  5M IN A  10.0.5.199
+a-maximum-rrset.example.  5M IN A  10.0.5.200
+a-maximum-rrset.example.  5M IN A  10.0.5.201
+a-maximum-rrset.example.  5M IN A  10.0.5.202
+a-maximum-rrset.example.  5M IN A  10.0.5.203
+a-maximum-rrset.example.  5M IN A  10.0.5.204
+a-maximum-rrset.example.  5M IN A  10.0.5.205
+a-maximum-rrset.example.  5M IN A  10.0.5.206
+a-maximum-rrset.example.  5M IN A  10.0.5.207
+a-maximum-rrset.example.  5M IN A  10.0.5.208
+a-maximum-rrset.example.  5M IN A  10.0.5.209
+a-maximum-rrset.example.  5M IN A  10.0.5.210
+a-maximum-rrset.example.  5M IN A  10.0.5.211
+a-maximum-rrset.example.  5M IN A  10.0.5.212
+a-maximum-rrset.example.  5M IN A  10.0.5.213
+a-maximum-rrset.example.  5M IN A  10.0.5.214
+a-maximum-rrset.example.  5M IN A  10.0.5.215
+a-maximum-rrset.example.  5M IN A  10.0.5.216
+a-maximum-rrset.example.  5M IN A  10.0.5.217
+a-maximum-rrset.example.  5M IN A  10.0.5.218
+a-maximum-rrset.example.  5M IN A  10.0.5.219
+a-maximum-rrset.example.  5M IN A  10.0.5.220
+a-maximum-rrset.example.  5M IN A  10.0.5.221
+a-maximum-rrset.example.  5M IN A  10.0.5.222
+a-maximum-rrset.example.  5M IN A  10.0.5.223
+a-maximum-rrset.example.  5M IN A  10.0.5.224
+a-maximum-rrset.example.  5M IN A  10.0.5.225
+a-maximum-rrset.example.  5M IN A  10.0.5.226
+a-maximum-rrset.example.  5M IN A  10.0.5.227
+a-maximum-rrset.example.  5M IN A  10.0.5.228
+a-maximum-rrset.example.  5M IN A  10.0.5.229
+a-maximum-rrset.example.  5M IN A  10.0.5.230
+a-maximum-rrset.example.  5M IN A  10.0.5.231
+a-maximum-rrset.example.  5M IN A  10.0.5.232
+a-maximum-rrset.example.  5M IN A  10.0.5.233
+a-maximum-rrset.example.  5M IN A  10.0.5.234
+a-maximum-rrset.example.  5M IN A  10.0.5.235
+a-maximum-rrset.example.  5M IN A  10.0.5.236
+a-maximum-rrset.example.  5M IN A  10.0.5.237
+a-maximum-rrset.example.  5M IN A  10.0.5.238
+a-maximum-rrset.example.  5M IN A  10.0.5.239
+a-maximum-rrset.example.  5M IN A  10.0.5.240
+a-maximum-rrset.example.  5M IN A  10.0.5.241
+a-maximum-rrset.example.  5M IN A  10.0.5.242
+a-maximum-rrset.example.  5M IN A  10.0.5.243
+a-maximum-rrset.example.  5M IN A  10.0.5.244
+a-maximum-rrset.example.  5M IN A  10.0.5.245
+a-maximum-rrset.example.  5M IN A  10.0.5.246
+a-maximum-rrset.example.  5M IN A  10.0.5.247
+a-maximum-rrset.example.  5M IN A  10.0.5.248
+a-maximum-rrset.example.  5M IN A  10.0.5.249
+a-maximum-rrset.example.  5M IN A  10.0.5.250
+a-maximum-rrset.example.  5M IN A  10.0.5.251
+a-maximum-rrset.example.  5M IN A  10.0.5.252
+a-maximum-rrset.example.  5M IN A  10.0.5.253
+a-maximum-rrset.example.  5M IN A  10.0.5.254
+a-maximum-rrset.example.  5M IN A  10.0.5.255
+a-maximum-rrset.example.  5M IN A  10.0.6.0
+a-maximum-rrset.example.  5M IN A  10.0.6.1
+a-maximum-rrset.example.  5M IN A  10.0.6.2
+a-maximum-rrset.example.  5M IN A  10.0.6.3
+a-maximum-rrset.example.  5M IN A  10.0.6.4
+a-maximum-rrset.example.  5M IN A  10.0.6.5
+a-maximum-rrset.example.  5M IN A  10.0.6.6
+a-maximum-rrset.example.  5M IN A  10.0.6.7
+a-maximum-rrset.example.  5M IN A  10.0.6.8
+a-maximum-rrset.example.  5M IN A  10.0.6.9
+a-maximum-rrset.example.  5M IN A  10.0.6.10
+a-maximum-rrset.example.  5M IN A  10.0.6.11
+a-maximum-rrset.example.  5M IN A  10.0.6.12
+a-maximum-rrset.example.  5M IN A  10.0.6.13
+a-maximum-rrset.example.  5M IN A  10.0.6.14
+a-maximum-rrset.example.  5M IN A  10.0.6.15
+a-maximum-rrset.example.  5M IN A  10.0.6.16
+a-maximum-rrset.example.  5M IN A  10.0.6.17
+a-maximum-rrset.example.  5M IN A  10.0.6.18
+a-maximum-rrset.example.  5M IN A  10.0.6.19
+a-maximum-rrset.example.  5M IN A  10.0.6.20
+a-maximum-rrset.example.  5M IN A  10.0.6.21
+a-maximum-rrset.example.  5M IN A  10.0.6.22
+a-maximum-rrset.example.  5M IN A  10.0.6.23
+a-maximum-rrset.example.  5M IN A  10.0.6.24
+a-maximum-rrset.example.  5M IN A  10.0.6.25
+a-maximum-rrset.example.  5M IN A  10.0.6.26
+a-maximum-rrset.example.  5M IN A  10.0.6.27
+a-maximum-rrset.example.  5M IN A  10.0.6.28
+a-maximum-rrset.example.  5M IN A  10.0.6.29
+a-maximum-rrset.example.  5M IN A  10.0.6.30
+a-maximum-rrset.example.  5M IN A  10.0.6.31
+a-maximum-rrset.example.  5M IN A  10.0.6.32
+a-maximum-rrset.example.  5M IN A  10.0.6.33
+a-maximum-rrset.example.  5M IN A  10.0.6.34
+a-maximum-rrset.example.  5M IN A  10.0.6.35
+a-maximum-rrset.example.  5M IN A  10.0.6.36
+a-maximum-rrset.example.  5M IN A  10.0.6.37
+a-maximum-rrset.example.  5M IN A  10.0.6.38
+a-maximum-rrset.example.  5M IN A  10.0.6.39
+a-maximum-rrset.example.  5M IN A  10.0.6.40
+a-maximum-rrset.example.  5M IN A  10.0.6.41
+a-maximum-rrset.example.  5M IN A  10.0.6.42
+a-maximum-rrset.example.  5M IN A  10.0.6.43
+a-maximum-rrset.example.  5M IN A  10.0.6.44
+a-maximum-rrset.example.  5M IN A  10.0.6.45
+a-maximum-rrset.example.  5M IN A  10.0.6.46
+a-maximum-rrset.example.  5M IN A  10.0.6.47
+a-maximum-rrset.example.  5M IN A  10.0.6.48
+a-maximum-rrset.example.  5M IN A  10.0.6.49
+a-maximum-rrset.example.  5M IN A  10.0.6.50
+a-maximum-rrset.example.  5M IN A  10.0.6.51
+a-maximum-rrset.example.  5M IN A  10.0.6.52
+a-maximum-rrset.example.  5M IN A  10.0.6.53
+a-maximum-rrset.example.  5M IN A  10.0.6.54
+a-maximum-rrset.example.  5M IN A  10.0.6.55
+a-maximum-rrset.example.  5M IN A  10.0.6.56
+a-maximum-rrset.example.  5M IN A  10.0.6.57
+a-maximum-rrset.example.  5M IN A  10.0.6.58
+a-maximum-rrset.example.  5M IN A  10.0.6.59
+a-maximum-rrset.example.  5M IN A  10.0.6.60
+a-maximum-rrset.example.  5M IN A  10.0.6.61
+a-maximum-rrset.example.  5M IN A  10.0.6.62
+a-maximum-rrset.example.  5M IN A  10.0.6.63
+a-maximum-rrset.example.  5M IN A  10.0.6.64
+a-maximum-rrset.example.  5M IN A  10.0.6.65
+a-maximum-rrset.example.  5M IN A  10.0.6.66
+a-maximum-rrset.example.  5M IN A  10.0.6.67
+a-maximum-rrset.example.  5M IN A  10.0.6.68
+a-maximum-rrset.example.  5M IN A  10.0.6.69
+a-maximum-rrset.example.  5M IN A  10.0.6.70
+a-maximum-rrset.example.  5M IN A  10.0.6.71
+a-maximum-rrset.example.  5M IN A  10.0.6.72
+a-maximum-rrset.example.  5M IN A  10.0.6.73
+a-maximum-rrset.example.  5M IN A  10.0.6.74
+a-maximum-rrset.example.  5M IN A  10.0.6.75
+a-maximum-rrset.example.  5M IN A  10.0.6.76
+a-maximum-rrset.example.  5M IN A  10.0.6.77
+a-maximum-rrset.example.  5M IN A  10.0.6.78
+a-maximum-rrset.example.  5M IN A  10.0.6.79
+a-maximum-rrset.example.  5M IN A  10.0.6.80
+a-maximum-rrset.example.  5M IN A  10.0.6.81
+a-maximum-rrset.example.  5M IN A  10.0.6.82
+a-maximum-rrset.example.  5M IN A  10.0.6.83
+a-maximum-rrset.example.  5M IN A  10.0.6.84
+a-maximum-rrset.example.  5M IN A  10.0.6.85
+a-maximum-rrset.example.  5M IN A  10.0.6.86
+a-maximum-rrset.example.  5M IN A  10.0.6.87
+a-maximum-rrset.example.  5M IN A  10.0.6.88
+a-maximum-rrset.example.  5M IN A  10.0.6.89
+a-maximum-rrset.example.  5M IN A  10.0.6.90
+a-maximum-rrset.example.  5M IN A  10.0.6.91
+a-maximum-rrset.example.  5M IN A  10.0.6.92
+a-maximum-rrset.example.  5M IN A  10.0.6.93
+a-maximum-rrset.example.  5M IN A  10.0.6.94
+a-maximum-rrset.example.  5M IN A  10.0.6.95
+a-maximum-rrset.example.  5M IN A  10.0.6.96
+a-maximum-rrset.example.  5M IN A  10.0.6.97
+a-maximum-rrset.example.  5M IN A  10.0.6.98
+a-maximum-rrset.example.  5M IN A  10.0.6.99
+a-maximum-rrset.example.  5M IN A  10.0.6.100
+a-maximum-rrset.example.  5M IN A  10.0.6.101
+a-maximum-rrset.example.  5M IN A  10.0.6.102
+a-maximum-rrset.example.  5M IN A  10.0.6.103
+a-maximum-rrset.example.  5M IN A  10.0.6.104
+a-maximum-rrset.example.  5M IN A  10.0.6.105
+a-maximum-rrset.example.  5M IN A  10.0.6.106
+a-maximum-rrset.example.  5M IN A  10.0.6.107
+a-maximum-rrset.example.  5M IN A  10.0.6.108
+a-maximum-rrset.example.  5M IN A  10.0.6.109
+a-maximum-rrset.example.  5M IN A  10.0.6.110
+a-maximum-rrset.example.  5M IN A  10.0.6.111
+a-maximum-rrset.example.  5M IN A  10.0.6.112
+a-maximum-rrset.example.  5M IN A  10.0.6.113
+a-maximum-rrset.example.  5M IN A  10.0.6.114
+a-maximum-rrset.example.  5M IN A  10.0.6.115
+a-maximum-rrset.example.  5M IN A  10.0.6.116
+a-maximum-rrset.example.  5M IN A  10.0.6.117
+a-maximum-rrset.example.  5M IN A  10.0.6.118
+a-maximum-rrset.example.  5M IN A  10.0.6.119
+a-maximum-rrset.example.  5M IN A  10.0.6.120
+a-maximum-rrset.example.  5M IN A  10.0.6.121
+a-maximum-rrset.example.  5M IN A  10.0.6.122
+a-maximum-rrset.example.  5M IN A  10.0.6.123
+a-maximum-rrset.example.  5M IN A  10.0.6.124
+a-maximum-rrset.example.  5M IN A  10.0.6.125
+a-maximum-rrset.example.  5M IN A  10.0.6.126
+a-maximum-rrset.example.  5M IN A  10.0.6.127
+a-maximum-rrset.example.  5M IN A  10.0.6.128
+a-maximum-rrset.example.  5M IN A  10.0.6.129
+a-maximum-rrset.example.  5M IN A  10.0.6.130
+a-maximum-rrset.example.  5M IN A  10.0.6.131
+a-maximum-rrset.example.  5M IN A  10.0.6.132
+a-maximum-rrset.example.  5M IN A  10.0.6.133
+a-maximum-rrset.example.  5M IN A  10.0.6.134
+a-maximum-rrset.example.  5M IN A  10.0.6.135
+a-maximum-rrset.example.  5M IN A  10.0.6.136
+a-maximum-rrset.example.  5M IN A  10.0.6.137
+a-maximum-rrset.example.  5M IN A  10.0.6.138
+a-maximum-rrset.example.  5M IN A  10.0.6.139
+a-maximum-rrset.example.  5M IN A  10.0.6.140
+a-maximum-rrset.example.  5M IN A  10.0.6.141
+a-maximum-rrset.example.  5M IN A  10.0.6.142
+a-maximum-rrset.example.  5M IN A  10.0.6.143
+a-maximum-rrset.example.  5M IN A  10.0.6.144
+a-maximum-rrset.example.  5M IN A  10.0.6.145
+a-maximum-rrset.example.  5M IN A  10.0.6.146
+a-maximum-rrset.example.  5M IN A  10.0.6.147
+a-maximum-rrset.example.  5M IN A  10.0.6.148
+a-maximum-rrset.example.  5M IN A  10.0.6.149
+a-maximum-rrset.example.  5M IN A  10.0.6.150
+a-maximum-rrset.example.  5M IN A  10.0.6.151
+a-maximum-rrset.example.  5M IN A  10.0.6.152
+a-maximum-rrset.example.  5M IN A  10.0.6.153
+a-maximum-rrset.example.  5M IN A  10.0.6.154
+a-maximum-rrset.example.  5M IN A  10.0.6.155
+a-maximum-rrset.example.  5M IN A  10.0.6.156
+a-maximum-rrset.example.  5M IN A  10.0.6.157
+a-maximum-rrset.example.  5M IN A  10.0.6.158
+a-maximum-rrset.example.  5M IN A  10.0.6.159
+a-maximum-rrset.example.  5M IN A  10.0.6.160
+a-maximum-rrset.example.  5M IN A  10.0.6.161
+a-maximum-rrset.example.  5M IN A  10.0.6.162
+a-maximum-rrset.example.  5M IN A  10.0.6.163
+a-maximum-rrset.example.  5M IN A  10.0.6.164
+a-maximum-rrset.example.  5M IN A  10.0.6.165
+a-maximum-rrset.example.  5M IN A  10.0.6.166
+a-maximum-rrset.example.  5M IN A  10.0.6.167
+a-maximum-rrset.example.  5M IN A  10.0.6.168
+a-maximum-rrset.example.  5M IN A  10.0.6.169
+a-maximum-rrset.example.  5M IN A  10.0.6.170
+a-maximum-rrset.example.  5M IN A  10.0.6.171
+a-maximum-rrset.example.  5M IN A  10.0.6.172
+a-maximum-rrset.example.  5M IN A  10.0.6.173
+a-maximum-rrset.example.  5M IN A  10.0.6.174
+a-maximum-rrset.example.  5M IN A  10.0.6.175
+a-maximum-rrset.example.  5M IN A  10.0.6.176
+a-maximum-rrset.example.  5M IN A  10.0.6.177
+a-maximum-rrset.example.  5M IN A  10.0.6.178
+a-maximum-rrset.example.  5M IN A  10.0.6.179
+a-maximum-rrset.example.  5M IN A  10.0.6.180
+a-maximum-rrset.example.  5M IN A  10.0.6.181
+a-maximum-rrset.example.  5M IN A  10.0.6.182
+a-maximum-rrset.example.  5M IN A  10.0.6.183
+a-maximum-rrset.example.  5M IN A  10.0.6.184
+a-maximum-rrset.example.  5M IN A  10.0.6.185
+a-maximum-rrset.example.  5M IN A  10.0.6.186
+a-maximum-rrset.example.  5M IN A  10.0.6.187
+a-maximum-rrset.example.  5M IN A  10.0.6.188
+a-maximum-rrset.example.  5M IN A  10.0.6.189
+a-maximum-rrset.example.  5M IN A  10.0.6.190
+a-maximum-rrset.example.  5M IN A  10.0.6.191
+a-maximum-rrset.example.  5M IN A  10.0.6.192
+a-maximum-rrset.example.  5M IN A  10.0.6.193
+a-maximum-rrset.example.  5M IN A  10.0.6.194
+a-maximum-rrset.example.  5M IN A  10.0.6.195
+a-maximum-rrset.example.  5M IN A  10.0.6.196
+a-maximum-rrset.example.  5M IN A  10.0.6.197
+a-maximum-rrset.example.  5M IN A  10.0.6.198
+a-maximum-rrset.example.  5M IN A  10.0.6.199
+a-maximum-rrset.example.  5M IN A  10.0.6.200
+a-maximum-rrset.example.  5M IN A  10.0.6.201
+a-maximum-rrset.example.  5M IN A  10.0.6.202
+a-maximum-rrset.example.  5M IN A  10.0.6.203
+a-maximum-rrset.example.  5M IN A  10.0.6.204
+a-maximum-rrset.example.  5M IN A  10.0.6.205
+a-maximum-rrset.example.  5M IN A  10.0.6.206
+a-maximum-rrset.example.  5M IN A  10.0.6.207
+a-maximum-rrset.example.  5M IN A  10.0.6.208
+a-maximum-rrset.example.  5M IN A  10.0.6.209
+a-maximum-rrset.example.  5M IN A  10.0.6.210
+a-maximum-rrset.example.  5M IN A  10.0.6.211
+a-maximum-rrset.example.  5M IN A  10.0.6.212
+a-maximum-rrset.example.  5M IN A  10.0.6.213
+a-maximum-rrset.example.  5M IN A  10.0.6.214
+a-maximum-rrset.example.  5M IN A  10.0.6.215
+a-maximum-rrset.example.  5M IN A  10.0.6.216
+a-maximum-rrset.example.  5M IN A  10.0.6.217
+a-maximum-rrset.example.  5M IN A  10.0.6.218
+a-maximum-rrset.example.  5M IN A  10.0.6.219
+a-maximum-rrset.example.  5M IN A  10.0.6.220
+a-maximum-rrset.example.  5M IN A  10.0.6.221
+a-maximum-rrset.example.  5M IN A  10.0.6.222
+a-maximum-rrset.example.  5M IN A  10.0.6.223
+a-maximum-rrset.example.  5M IN A  10.0.6.224
+a-maximum-rrset.example.  5M IN A  10.0.6.225
+a-maximum-rrset.example.  5M IN A  10.0.6.226
+a-maximum-rrset.example.  5M IN A  10.0.6.227
+a-maximum-rrset.example.  5M IN A  10.0.6.228
+a-maximum-rrset.example.  5M IN A  10.0.6.229
+a-maximum-rrset.example.  5M IN A  10.0.6.230
+a-maximum-rrset.example.  5M IN A  10.0.6.231
+a-maximum-rrset.example.  5M IN A  10.0.6.232
+a-maximum-rrset.example.  5M IN A  10.0.6.233
+a-maximum-rrset.example.  5M IN A  10.0.6.234
+a-maximum-rrset.example.  5M IN A  10.0.6.235
+a-maximum-rrset.example.  5M IN A  10.0.6.236
+a-maximum-rrset.example.  5M IN A  10.0.6.237
+a-maximum-rrset.example.  5M IN A  10.0.6.238
+a-maximum-rrset.example.  5M IN A  10.0.6.239
+a-maximum-rrset.example.  5M IN A  10.0.6.240
+a-maximum-rrset.example.  5M IN A  10.0.6.241
+a-maximum-rrset.example.  5M IN A  10.0.6.242
+a-maximum-rrset.example.  5M IN A  10.0.6.243
+a-maximum-rrset.example.  5M IN A  10.0.6.244
+a-maximum-rrset.example.  5M IN A  10.0.6.245
+a-maximum-rrset.example.  5M IN A  10.0.6.246
+a-maximum-rrset.example.  5M IN A  10.0.6.247
+a-maximum-rrset.example.  5M IN A  10.0.6.248
+a-maximum-rrset.example.  5M IN A  10.0.6.249
+a-maximum-rrset.example.  5M IN A  10.0.6.250
+a-maximum-rrset.example.  5M IN A  10.0.6.251
+a-maximum-rrset.example.  5M IN A  10.0.6.252
+a-maximum-rrset.example.  5M IN A  10.0.6.253
+a-maximum-rrset.example.  5M IN A  10.0.6.254
+a-maximum-rrset.example.  5M IN A  10.0.6.255
+a-maximum-rrset.example.  5M IN A  10.0.7.0
+a-maximum-rrset.example.  5M IN A  10.0.7.1
+a-maximum-rrset.example.  5M IN A  10.0.7.2
+a-maximum-rrset.example.  5M IN A  10.0.7.3
+a-maximum-rrset.example.  5M IN A  10.0.7.4
+a-maximum-rrset.example.  5M IN A  10.0.7.5
+a-maximum-rrset.example.  5M IN A  10.0.7.6
+a-maximum-rrset.example.  5M IN A  10.0.7.7
+a-maximum-rrset.example.  5M IN A  10.0.7.8
+a-maximum-rrset.example.  5M IN A  10.0.7.9
+a-maximum-rrset.example.  5M IN A  10.0.7.10
+a-maximum-rrset.example.  5M IN A  10.0.7.11
+a-maximum-rrset.example.  5M IN A  10.0.7.12
+a-maximum-rrset.example.  5M IN A  10.0.7.13
+a-maximum-rrset.example.  5M IN A  10.0.7.14
+a-maximum-rrset.example.  5M IN A  10.0.7.15
+a-maximum-rrset.example.  5M IN A  10.0.7.16
+a-maximum-rrset.example.  5M IN A  10.0.7.17
+a-maximum-rrset.example.  5M IN A  10.0.7.18
+a-maximum-rrset.example.  5M IN A  10.0.7.19
+a-maximum-rrset.example.  5M IN A  10.0.7.20
+a-maximum-rrset.example.  5M IN A  10.0.7.21
+a-maximum-rrset.example.  5M IN A  10.0.7.22
+a-maximum-rrset.example.  5M IN A  10.0.7.23
+a-maximum-rrset.example.  5M IN A  10.0.7.24
+a-maximum-rrset.example.  5M IN A  10.0.7.25
+a-maximum-rrset.example.  5M IN A  10.0.7.26
+a-maximum-rrset.example.  5M IN A  10.0.7.27
+a-maximum-rrset.example.  5M IN A  10.0.7.28
+a-maximum-rrset.example.  5M IN A  10.0.7.29
+a-maximum-rrset.example.  5M IN A  10.0.7.30
+a-maximum-rrset.example.  5M IN A  10.0.7.31
+a-maximum-rrset.example.  5M IN A  10.0.7.32
+a-maximum-rrset.example.  5M IN A  10.0.7.33
+a-maximum-rrset.example.  5M IN A  10.0.7.34
+a-maximum-rrset.example.  5M IN A  10.0.7.35
+a-maximum-rrset.example.  5M IN A  10.0.7.36
+a-maximum-rrset.example.  5M IN A  10.0.7.37
+a-maximum-rrset.example.  5M IN A  10.0.7.38
+a-maximum-rrset.example.  5M IN A  10.0.7.39
+a-maximum-rrset.example.  5M IN A  10.0.7.40
+a-maximum-rrset.example.  5M IN A  10.0.7.41
+a-maximum-rrset.example.  5M IN A  10.0.7.42
+a-maximum-rrset.example.  5M IN A  10.0.7.43
+a-maximum-rrset.example.  5M IN A  10.0.7.44
+a-maximum-rrset.example.  5M IN A  10.0.7.45
+a-maximum-rrset.example.  5M IN A  10.0.7.46
+a-maximum-rrset.example.  5M IN A  10.0.7.47
+a-maximum-rrset.example.  5M IN A  10.0.7.48
+a-maximum-rrset.example.  5M IN A  10.0.7.49
+a-maximum-rrset.example.  5M IN A  10.0.7.50
+a-maximum-rrset.example.  5M IN A  10.0.7.51
+a-maximum-rrset.example.  5M IN A  10.0.7.52
+a-maximum-rrset.example.  5M IN A  10.0.7.53
+a-maximum-rrset.example.  5M IN A  10.0.7.54
+a-maximum-rrset.example.  5M IN A  10.0.7.55
+a-maximum-rrset.example.  5M IN A  10.0.7.56
+a-maximum-rrset.example.  5M IN A  10.0.7.57
+a-maximum-rrset.example.  5M IN A  10.0.7.58
+a-maximum-rrset.example.  5M IN A  10.0.7.59
+a-maximum-rrset.example.  5M IN A  10.0.7.60
+a-maximum-rrset.example.  5M IN A  10.0.7.61
+a-maximum-rrset.example.  5M IN A  10.0.7.62
+a-maximum-rrset.example.  5M IN A  10.0.7.63
+a-maximum-rrset.example.  5M IN A  10.0.7.64
+a-maximum-rrset.example.  5M IN A  10.0.7.65
+a-maximum-rrset.example.  5M IN A  10.0.7.66
+a-maximum-rrset.example.  5M IN A  10.0.7.67
+a-maximum-rrset.example.  5M IN A  10.0.7.68
+a-maximum-rrset.example.  5M IN A  10.0.7.69
+a-maximum-rrset.example.  5M IN A  10.0.7.70
+a-maximum-rrset.example.  5M IN A  10.0.7.71
+a-maximum-rrset.example.  5M IN A  10.0.7.72
+a-maximum-rrset.example.  5M IN A  10.0.7.73
+a-maximum-rrset.example.  5M IN A  10.0.7.74
+a-maximum-rrset.example.  5M IN A  10.0.7.75
+a-maximum-rrset.example.  5M IN A  10.0.7.76
+a-maximum-rrset.example.  5M IN A  10.0.7.77
+a-maximum-rrset.example.  5M IN A  10.0.7.78
+a-maximum-rrset.example.  5M IN A  10.0.7.79
+a-maximum-rrset.example.  5M IN A  10.0.7.80
+a-maximum-rrset.example.  5M IN A  10.0.7.81
+a-maximum-rrset.example.  5M IN A  10.0.7.82
+a-maximum-rrset.example.  5M IN A  10.0.7.83
+a-maximum-rrset.example.  5M IN A  10.0.7.84
+a-maximum-rrset.example.  5M IN A  10.0.7.85
+a-maximum-rrset.example.  5M IN A  10.0.7.86
+a-maximum-rrset.example.  5M IN A  10.0.7.87
+a-maximum-rrset.example.  5M IN A  10.0.7.88
+a-maximum-rrset.example.  5M IN A  10.0.7.89
+a-maximum-rrset.example.  5M IN A  10.0.7.90
+a-maximum-rrset.example.  5M IN A  10.0.7.91
+a-maximum-rrset.example.  5M IN A  10.0.7.92
+a-maximum-rrset.example.  5M IN A  10.0.7.93
+a-maximum-rrset.example.  5M IN A  10.0.7.94
+a-maximum-rrset.example.  5M IN A  10.0.7.95
+a-maximum-rrset.example.  5M IN A  10.0.7.96
+a-maximum-rrset.example.  5M IN A  10.0.7.97
+a-maximum-rrset.example.  5M IN A  10.0.7.98
+a-maximum-rrset.example.  5M IN A  10.0.7.99
+a-maximum-rrset.example.  5M IN A  10.0.7.100
+a-maximum-rrset.example.  5M IN A  10.0.7.101
+a-maximum-rrset.example.  5M IN A  10.0.7.102
+a-maximum-rrset.example.  5M IN A  10.0.7.103
+a-maximum-rrset.example.  5M IN A  10.0.7.104
+a-maximum-rrset.example.  5M IN A  10.0.7.105
+a-maximum-rrset.example.  5M IN A  10.0.7.106
+a-maximum-rrset.example.  5M IN A  10.0.7.107
+a-maximum-rrset.example.  5M IN A  10.0.7.108
+a-maximum-rrset.example.  5M IN A  10.0.7.109
+a-maximum-rrset.example.  5M IN A  10.0.7.110
+a-maximum-rrset.example.  5M IN A  10.0.7.111
+a-maximum-rrset.example.  5M IN A  10.0.7.112
+a-maximum-rrset.example.  5M IN A  10.0.7.113
+a-maximum-rrset.example.  5M IN A  10.0.7.114
+a-maximum-rrset.example.  5M IN A  10.0.7.115
+a-maximum-rrset.example.  5M IN A  10.0.7.116
+a-maximum-rrset.example.  5M IN A  10.0.7.117
+a-maximum-rrset.example.  5M IN A  10.0.7.118
+a-maximum-rrset.example.  5M IN A  10.0.7.119
+a-maximum-rrset.example.  5M IN A  10.0.7.120
+a-maximum-rrset.example.  5M IN A  10.0.7.121
+a-maximum-rrset.example.  5M IN A  10.0.7.122
+a-maximum-rrset.example.  5M IN A  10.0.7.123
+a-maximum-rrset.example.  5M IN A  10.0.7.124
+a-maximum-rrset.example.  5M IN A  10.0.7.125
+a-maximum-rrset.example.  5M IN A  10.0.7.126
+a-maximum-rrset.example.  5M IN A  10.0.7.127
+a-maximum-rrset.example.  5M IN A  10.0.7.128
+a-maximum-rrset.example.  5M IN A  10.0.7.129
+a-maximum-rrset.example.  5M IN A  10.0.7.130
+a-maximum-rrset.example.  5M IN A  10.0.7.131
+a-maximum-rrset.example.  5M IN A  10.0.7.132
+a-maximum-rrset.example.  5M IN A  10.0.7.133
+a-maximum-rrset.example.  5M IN A  10.0.7.134
+a-maximum-rrset.example.  5M IN A  10.0.7.135
+a-maximum-rrset.example.  5M IN A  10.0.7.136
+a-maximum-rrset.example.  5M IN A  10.0.7.137
+a-maximum-rrset.example.  5M IN A  10.0.7.138
+a-maximum-rrset.example.  5M IN A  10.0.7.139
+a-maximum-rrset.example.  5M IN A  10.0.7.140
+a-maximum-rrset.example.  5M IN A  10.0.7.141
+a-maximum-rrset.example.  5M IN A  10.0.7.142
+a-maximum-rrset.example.  5M IN A  10.0.7.143
+a-maximum-rrset.example.  5M IN A  10.0.7.144
+a-maximum-rrset.example.  5M IN A  10.0.7.145
+a-maximum-rrset.example.  5M IN A  10.0.7.146
+a-maximum-rrset.example.  5M IN A  10.0.7.147
+a-maximum-rrset.example.  5M IN A  10.0.7.148
+a-maximum-rrset.example.  5M IN A  10.0.7.149
+a-maximum-rrset.example.  5M IN A  10.0.7.150
+a-maximum-rrset.example.  5M IN A  10.0.7.151
+a-maximum-rrset.example.  5M IN A  10.0.7.152
+a-maximum-rrset.example.  5M IN A  10.0.7.153
+a-maximum-rrset.example.  5M IN A  10.0.7.154
+a-maximum-rrset.example.  5M IN A  10.0.7.155
+a-maximum-rrset.example.  5M IN A  10.0.7.156
+a-maximum-rrset.example.  5M IN A  10.0.7.157
+a-maximum-rrset.example.  5M IN A  10.0.7.158
+a-maximum-rrset.example.  5M IN A  10.0.7.159
+a-maximum-rrset.example.  5M IN A  10.0.7.160
+a-maximum-rrset.example.  5M IN A  10.0.7.161
+a-maximum-rrset.example.  5M IN A  10.0.7.162
+a-maximum-rrset.example.  5M IN A  10.0.7.163
+a-maximum-rrset.example.  5M IN A  10.0.7.164
+a-maximum-rrset.example.  5M IN A  10.0.7.165
+a-maximum-rrset.example.  5M IN A  10.0.7.166
+a-maximum-rrset.example.  5M IN A  10.0.7.167
+a-maximum-rrset.example.  5M IN A  10.0.7.168
+a-maximum-rrset.example.  5M IN A  10.0.7.169
+a-maximum-rrset.example.  5M IN A  10.0.7.170
+a-maximum-rrset.example.  5M IN A  10.0.7.171
+a-maximum-rrset.example.  5M IN A  10.0.7.172
+a-maximum-rrset.example.  5M IN A  10.0.7.173
+a-maximum-rrset.example.  5M IN A  10.0.7.174
+a-maximum-rrset.example.  5M IN A  10.0.7.175
+a-maximum-rrset.example.  5M IN A  10.0.7.176
+a-maximum-rrset.example.  5M IN A  10.0.7.177
+a-maximum-rrset.example.  5M IN A  10.0.7.178
+a-maximum-rrset.example.  5M IN A  10.0.7.179
+a-maximum-rrset.example.  5M IN A  10.0.7.180
+a-maximum-rrset.example.  5M IN A  10.0.7.181
+a-maximum-rrset.example.  5M IN A  10.0.7.182
+a-maximum-rrset.example.  5M IN A  10.0.7.183
+a-maximum-rrset.example.  5M IN A  10.0.7.184
+a-maximum-rrset.example.  5M IN A  10.0.7.185
+a-maximum-rrset.example.  5M IN A  10.0.7.186
+a-maximum-rrset.example.  5M IN A  10.0.7.187
+a-maximum-rrset.example.  5M IN A  10.0.7.188
+a-maximum-rrset.example.  5M IN A  10.0.7.189
+a-maximum-rrset.example.  5M IN A  10.0.7.190
+a-maximum-rrset.example.  5M IN A  10.0.7.191
+a-maximum-rrset.example.  5M IN A  10.0.7.192
+a-maximum-rrset.example.  5M IN A  10.0.7.193
+a-maximum-rrset.example.  5M IN A  10.0.7.194
+a-maximum-rrset.example.  5M IN A  10.0.7.195
+a-maximum-rrset.example.  5M IN A  10.0.7.196
+a-maximum-rrset.example.  5M IN A  10.0.7.197
+a-maximum-rrset.example.  5M IN A  10.0.7.198
+a-maximum-rrset.example.  5M IN A  10.0.7.199
+a-maximum-rrset.example.  5M IN A  10.0.7.200
+a-maximum-rrset.example.  5M IN A  10.0.7.201
+a-maximum-rrset.example.  5M IN A  10.0.7.202
+a-maximum-rrset.example.  5M IN A  10.0.7.203
+a-maximum-rrset.example.  5M IN A  10.0.7.204
+a-maximum-rrset.example.  5M IN A  10.0.7.205
+a-maximum-rrset.example.  5M IN A  10.0.7.206
+a-maximum-rrset.example.  5M IN A  10.0.7.207
+a-maximum-rrset.example.  5M IN A  10.0.7.208
+a-maximum-rrset.example.  5M IN A  10.0.7.209
+a-maximum-rrset.example.  5M IN A  10.0.7.210
+a-maximum-rrset.example.  5M IN A  10.0.7.211
+a-maximum-rrset.example.  5M IN A  10.0.7.212
+a-maximum-rrset.example.  5M IN A  10.0.7.213
+a-maximum-rrset.example.  5M IN A  10.0.7.214
+a-maximum-rrset.example.  5M IN A  10.0.7.215
+a-maximum-rrset.example.  5M IN A  10.0.7.216
+a-maximum-rrset.example.  5M IN A  10.0.7.217
+a-maximum-rrset.example.  5M IN A  10.0.7.218
+a-maximum-rrset.example.  5M IN A  10.0.7.219
+a-maximum-rrset.example.  5M IN A  10.0.7.220
+a-maximum-rrset.example.  5M IN A  10.0.7.221
+a-maximum-rrset.example.  5M IN A  10.0.7.222
+a-maximum-rrset.example.  5M IN A  10.0.7.223
+a-maximum-rrset.example.  5M IN A  10.0.7.224
+a-maximum-rrset.example.  5M IN A  10.0.7.225
+a-maximum-rrset.example.  5M IN A  10.0.7.226
+a-maximum-rrset.example.  5M IN A  10.0.7.227
+a-maximum-rrset.example.  5M IN A  10.0.7.228
+a-maximum-rrset.example.  5M IN A  10.0.7.229
+a-maximum-rrset.example.  5M IN A  10.0.7.230
+a-maximum-rrset.example.  5M IN A  10.0.7.231
+a-maximum-rrset.example.  5M IN A  10.0.7.232
+a-maximum-rrset.example.  5M IN A  10.0.7.233
+a-maximum-rrset.example.  5M IN A  10.0.7.234
+a-maximum-rrset.example.  5M IN A  10.0.7.235
+a-maximum-rrset.example.  5M IN A  10.0.7.236
+a-maximum-rrset.example.  5M IN A  10.0.7.237
+a-maximum-rrset.example.  5M IN A  10.0.7.238
+a-maximum-rrset.example.  5M IN A  10.0.7.239
+a-maximum-rrset.example.  5M IN A  10.0.7.240
+a-maximum-rrset.example.  5M IN A  10.0.7.241
+a-maximum-rrset.example.  5M IN A  10.0.7.242
+a-maximum-rrset.example.  5M IN A  10.0.7.243
+a-maximum-rrset.example.  5M IN A  10.0.7.244
+a-maximum-rrset.example.  5M IN A  10.0.7.245
+a-maximum-rrset.example.  5M IN A  10.0.7.246
+a-maximum-rrset.example.  5M IN A  10.0.7.247
+a-maximum-rrset.example.  5M IN A  10.0.7.248
+a-maximum-rrset.example.  5M IN A  10.0.7.249
+a-maximum-rrset.example.  5M IN A  10.0.7.250
+a-maximum-rrset.example.  5M IN A  10.0.7.251
+a-maximum-rrset.example.  5M IN A  10.0.7.252
+a-maximum-rrset.example.  5M IN A  10.0.7.253
+a-maximum-rrset.example.  5M IN A  10.0.7.254
+a-maximum-rrset.example.  5M IN A  10.0.7.255
+a-maximum-rrset.example.  5M IN A  10.0.8.0
+a-maximum-rrset.example.  5M IN A  10.0.8.1
+a-maximum-rrset.example.  5M IN A  10.0.8.2
+a-maximum-rrset.example.  5M IN A  10.0.8.3
+a-maximum-rrset.example.  5M IN A  10.0.8.4
+a-maximum-rrset.example.  5M IN A  10.0.8.5
+a-maximum-rrset.example.  5M IN A  10.0.8.6
+a-maximum-rrset.example.  5M IN A  10.0.8.7
+a-maximum-rrset.example.  5M IN A  10.0.8.8
+a-maximum-rrset.example.  5M IN A  10.0.8.9
+a-maximum-rrset.example.  5M IN A  10.0.8.10
+a-maximum-rrset.example.  5M IN A  10.0.8.11
+a-maximum-rrset.example.  5M IN A  10.0.8.12
+a-maximum-rrset.example.  5M IN A  10.0.8.13
+a-maximum-rrset.example.  5M IN A  10.0.8.14
+a-maximum-rrset.example.  5M IN A  10.0.8.15
+a-maximum-rrset.example.  5M IN A  10.0.8.16
+a-maximum-rrset.example.  5M IN A  10.0.8.17
+a-maximum-rrset.example.  5M IN A  10.0.8.18
+a-maximum-rrset.example.  5M IN A  10.0.8.19
+a-maximum-rrset.example.  5M IN A  10.0.8.20
+a-maximum-rrset.example.  5M IN A  10.0.8.21
+a-maximum-rrset.example.  5M IN A  10.0.8.22
+a-maximum-rrset.example.  5M IN A  10.0.8.23
+a-maximum-rrset.example.  5M IN A  10.0.8.24
+a-maximum-rrset.example.  5M IN A  10.0.8.25
+a-maximum-rrset.example.  5M IN A  10.0.8.26
+a-maximum-rrset.example.  5M IN A  10.0.8.27
+a-maximum-rrset.example.  5M IN A  10.0.8.28
+a-maximum-rrset.example.  5M IN A  10.0.8.29
+a-maximum-rrset.example.  5M IN A  10.0.8.30
+a-maximum-rrset.example.  5M IN A  10.0.8.31
+a-maximum-rrset.example.  5M IN A  10.0.8.32
+a-maximum-rrset.example.  5M IN A  10.0.8.33
+a-maximum-rrset.example.  5M IN A  10.0.8.34
+a-maximum-rrset.example.  5M IN A  10.0.8.35
+a-maximum-rrset.example.  5M IN A  10.0.8.36
+a-maximum-rrset.example.  5M IN A  10.0.8.37
+a-maximum-rrset.example.  5M IN A  10.0.8.38
+a-maximum-rrset.example.  5M IN A  10.0.8.39
+a-maximum-rrset.example.  5M IN A  10.0.8.40
+a-maximum-rrset.example.  5M IN A  10.0.8.41
+a-maximum-rrset.example.  5M IN A  10.0.8.42
+a-maximum-rrset.example.  5M IN A  10.0.8.43
+a-maximum-rrset.example.  5M IN A  10.0.8.44
+a-maximum-rrset.example.  5M IN A  10.0.8.45
+a-maximum-rrset.example.  5M IN A  10.0.8.46
+a-maximum-rrset.example.  5M IN A  10.0.8.47
+a-maximum-rrset.example.  5M IN A  10.0.8.48
+a-maximum-rrset.example.  5M IN A  10.0.8.49
+a-maximum-rrset.example.  5M IN A  10.0.8.50
+a-maximum-rrset.example.  5M IN A  10.0.8.51
+a-maximum-rrset.example.  5M IN A  10.0.8.52
+a-maximum-rrset.example.  5M IN A  10.0.8.53
+a-maximum-rrset.example.  5M IN A  10.0.8.54
+a-maximum-rrset.example.  5M IN A  10.0.8.55
+a-maximum-rrset.example.  5M IN A  10.0.8.56
+a-maximum-rrset.example.  5M IN A  10.0.8.57
+a-maximum-rrset.example.  5M IN A  10.0.8.58
+a-maximum-rrset.example.  5M IN A  10.0.8.59
+a-maximum-rrset.example.  5M IN A  10.0.8.60
+a-maximum-rrset.example.  5M IN A  10.0.8.61
+a-maximum-rrset.example.  5M IN A  10.0.8.62
+a-maximum-rrset.example.  5M IN A  10.0.8.63
+a-maximum-rrset.example.  5M IN A  10.0.8.64
+a-maximum-rrset.example.  5M IN A  10.0.8.65
+a-maximum-rrset.example.  5M IN A  10.0.8.66
+a-maximum-rrset.example.  5M IN A  10.0.8.67
+a-maximum-rrset.example.  5M IN A  10.0.8.68
+a-maximum-rrset.example.  5M IN A  10.0.8.69
+a-maximum-rrset.example.  5M IN A  10.0.8.70
+a-maximum-rrset.example.  5M IN A  10.0.8.71
+a-maximum-rrset.example.  5M IN A  10.0.8.72
+a-maximum-rrset.example.  5M IN A  10.0.8.73
+a-maximum-rrset.example.  5M IN A  10.0.8.74
+a-maximum-rrset.example.  5M IN A  10.0.8.75
+a-maximum-rrset.example.  5M IN A  10.0.8.76
+a-maximum-rrset.example.  5M IN A  10.0.8.77
+a-maximum-rrset.example.  5M IN A  10.0.8.78
+a-maximum-rrset.example.  5M IN A  10.0.8.79
+a-maximum-rrset.example.  5M IN A  10.0.8.80
+a-maximum-rrset.example.  5M IN A  10.0.8.81
+a-maximum-rrset.example.  5M IN A  10.0.8.82
+a-maximum-rrset.example.  5M IN A  10.0.8.83
+a-maximum-rrset.example.  5M IN A  10.0.8.84
+a-maximum-rrset.example.  5M IN A  10.0.8.85
+a-maximum-rrset.example.  5M IN A  10.0.8.86
+a-maximum-rrset.example.  5M IN A  10.0.8.87
+a-maximum-rrset.example.  5M IN A  10.0.8.88
+a-maximum-rrset.example.  5M IN A  10.0.8.89
+a-maximum-rrset.example.  5M IN A  10.0.8.90
+a-maximum-rrset.example.  5M IN A  10.0.8.91
+a-maximum-rrset.example.  5M IN A  10.0.8.92
+a-maximum-rrset.example.  5M IN A  10.0.8.93
+a-maximum-rrset.example.  5M IN A  10.0.8.94
+a-maximum-rrset.example.  5M IN A  10.0.8.95
+a-maximum-rrset.example.  5M IN A  10.0.8.96
+a-maximum-rrset.example.  5M IN A  10.0.8.97
+a-maximum-rrset.example.  5M IN A  10.0.8.98
+a-maximum-rrset.example.  5M IN A  10.0.8.99
+a-maximum-rrset.example.  5M IN A  10.0.8.100
+a-maximum-rrset.example.  5M IN A  10.0.8.101
+a-maximum-rrset.example.  5M IN A  10.0.8.102
+a-maximum-rrset.example.  5M IN A  10.0.8.103
+a-maximum-rrset.example.  5M IN A  10.0.8.104
+a-maximum-rrset.example.  5M IN A  10.0.8.105
+a-maximum-rrset.example.  5M IN A  10.0.8.106
+a-maximum-rrset.example.  5M IN A  10.0.8.107
+a-maximum-rrset.example.  5M IN A  10.0.8.108
+a-maximum-rrset.example.  5M IN A  10.0.8.109
+a-maximum-rrset.example.  5M IN A  10.0.8.110
+a-maximum-rrset.example.  5M IN A  10.0.8.111
+a-maximum-rrset.example.  5M IN A  10.0.8.112
+a-maximum-rrset.example.  5M IN A  10.0.8.113
+a-maximum-rrset.example.  5M IN A  10.0.8.114
+a-maximum-rrset.example.  5M IN A  10.0.8.115
+a-maximum-rrset.example.  5M IN A  10.0.8.116
+a-maximum-rrset.example.  5M IN A  10.0.8.117
+a-maximum-rrset.example.  5M IN A  10.0.8.118
+a-maximum-rrset.example.  5M IN A  10.0.8.119
+a-maximum-rrset.example.  5M IN A  10.0.8.120
+a-maximum-rrset.example.  5M IN A  10.0.8.121
+a-maximum-rrset.example.  5M IN A  10.0.8.122
+a-maximum-rrset.example.  5M IN A  10.0.8.123
+a-maximum-rrset.example.  5M IN A  10.0.8.124
+a-maximum-rrset.example.  5M IN A  10.0.8.125
+a-maximum-rrset.example.  5M IN A  10.0.8.126
+a-maximum-rrset.example.  5M IN A  10.0.8.127
+a-maximum-rrset.example.  5M IN A  10.0.8.128
+a-maximum-rrset.example.  5M IN A  10.0.8.129
+a-maximum-rrset.example.  5M IN A  10.0.8.130
+a-maximum-rrset.example.  5M IN A  10.0.8.131
+a-maximum-rrset.example.  5M IN A  10.0.8.132
+a-maximum-rrset.example.  5M IN A  10.0.8.133
+a-maximum-rrset.example.  5M IN A  10.0.8.134
+a-maximum-rrset.example.  5M IN A  10.0.8.135
+a-maximum-rrset.example.  5M IN A  10.0.8.136
+a-maximum-rrset.example.  5M IN A  10.0.8.137
+a-maximum-rrset.example.  5M IN A  10.0.8.138
+a-maximum-rrset.example.  5M IN A  10.0.8.139
+a-maximum-rrset.example.  5M IN A  10.0.8.140
+a-maximum-rrset.example.  5M IN A  10.0.8.141
+a-maximum-rrset.example.  5M IN A  10.0.8.142
+a-maximum-rrset.example.  5M IN A  10.0.8.143
+a-maximum-rrset.example.  5M IN A  10.0.8.144
+a-maximum-rrset.example.  5M IN A  10.0.8.145
+a-maximum-rrset.example.  5M IN A  10.0.8.146
+a-maximum-rrset.example.  5M IN A  10.0.8.147
+a-maximum-rrset.example.  5M IN A  10.0.8.148
+a-maximum-rrset.example.  5M IN A  10.0.8.149
+a-maximum-rrset.example.  5M IN A  10.0.8.150
+a-maximum-rrset.example.  5M IN A  10.0.8.151
+a-maximum-rrset.example.  5M IN A  10.0.8.152
+a-maximum-rrset.example.  5M IN A  10.0.8.153
+a-maximum-rrset.example.  5M IN A  10.0.8.154
+a-maximum-rrset.example.  5M IN A  10.0.8.155
+a-maximum-rrset.example.  5M IN A  10.0.8.156
+a-maximum-rrset.example.  5M IN A  10.0.8.157
+a-maximum-rrset.example.  5M IN A  10.0.8.158
+a-maximum-rrset.example.  5M IN A  10.0.8.159
+a-maximum-rrset.example.  5M IN A  10.0.8.160
+a-maximum-rrset.example.  5M IN A  10.0.8.161
+a-maximum-rrset.example.  5M IN A  10.0.8.162
+a-maximum-rrset.example.  5M IN A  10.0.8.163
+a-maximum-rrset.example.  5M IN A  10.0.8.164
+a-maximum-rrset.example.  5M IN A  10.0.8.165
+a-maximum-rrset.example.  5M IN A  10.0.8.166
+a-maximum-rrset.example.  5M IN A  10.0.8.167
+a-maximum-rrset.example.  5M IN A  10.0.8.168
+a-maximum-rrset.example.  5M IN A  10.0.8.169
+a-maximum-rrset.example.  5M IN A  10.0.8.170
+a-maximum-rrset.example.  5M IN A  10.0.8.171
+a-maximum-rrset.example.  5M IN A  10.0.8.172
+a-maximum-rrset.example.  5M IN A  10.0.8.173
+a-maximum-rrset.example.  5M IN A  10.0.8.174
+a-maximum-rrset.example.  5M IN A  10.0.8.175
+a-maximum-rrset.example.  5M IN A  10.0.8.176
+a-maximum-rrset.example.  5M IN A  10.0.8.177
+a-maximum-rrset.example.  5M IN A  10.0.8.178
+a-maximum-rrset.example.  5M IN A  10.0.8.179
+a-maximum-rrset.example.  5M IN A  10.0.8.180
+a-maximum-rrset.example.  5M IN A  10.0.8.181
+a-maximum-rrset.example.  5M IN A  10.0.8.182
+a-maximum-rrset.example.  5M IN A  10.0.8.183
+a-maximum-rrset.example.  5M IN A  10.0.8.184
+a-maximum-rrset.example.  5M IN A  10.0.8.185
+a-maximum-rrset.example.  5M IN A  10.0.8.186
+a-maximum-rrset.example.  5M IN A  10.0.8.187
+a-maximum-rrset.example.  5M IN A  10.0.8.188
+a-maximum-rrset.example.  5M IN A  10.0.8.189
+a-maximum-rrset.example.  5M IN A  10.0.8.190
+a-maximum-rrset.example.  5M IN A  10.0.8.191
+a-maximum-rrset.example.  5M IN A  10.0.8.192
+a-maximum-rrset.example.  5M IN A  10.0.8.193
+a-maximum-rrset.example.  5M IN A  10.0.8.194
+a-maximum-rrset.example.  5M IN A  10.0.8.195
+a-maximum-rrset.example.  5M IN A  10.0.8.196
+a-maximum-rrset.example.  5M IN A  10.0.8.197
+a-maximum-rrset.example.  5M IN A  10.0.8.198
+a-maximum-rrset.example.  5M IN A  10.0.8.199
+a-maximum-rrset.example.  5M IN A  10.0.8.200
+a-maximum-rrset.example.  5M IN A  10.0.8.201
+a-maximum-rrset.example.  5M IN A  10.0.8.202
+a-maximum-rrset.example.  5M IN A  10.0.8.203
+a-maximum-rrset.example.  5M IN A  10.0.8.204
+a-maximum-rrset.example.  5M IN A  10.0.8.205
+a-maximum-rrset.example.  5M IN A  10.0.8.206
+a-maximum-rrset.example.  5M IN A  10.0.8.207
+a-maximum-rrset.example.  5M IN A  10.0.8.208
+a-maximum-rrset.example.  5M IN A  10.0.8.209
+a-maximum-rrset.example.  5M IN A  10.0.8.210
+a-maximum-rrset.example.  5M IN A  10.0.8.211
+a-maximum-rrset.example.  5M IN A  10.0.8.212
+a-maximum-rrset.example.  5M IN A  10.0.8.213
+a-maximum-rrset.example.  5M IN A  10.0.8.214
+a-maximum-rrset.example.  5M IN A  10.0.8.215
+a-maximum-rrset.example.  5M IN A  10.0.8.216
+a-maximum-rrset.example.  5M IN A  10.0.8.217
+a-maximum-rrset.example.  5M IN A  10.0.8.218
+a-maximum-rrset.example.  5M IN A  10.0.8.219
+a-maximum-rrset.example.  5M IN A  10.0.8.220
+a-maximum-rrset.example.  5M IN A  10.0.8.221
+a-maximum-rrset.example.  5M IN A  10.0.8.222
+a-maximum-rrset.example.  5M IN A  10.0.8.223
+a-maximum-rrset.example.  5M IN A  10.0.8.224
+a-maximum-rrset.example.  5M IN A  10.0.8.225
+a-maximum-rrset.example.  5M IN A  10.0.8.226
+a-maximum-rrset.example.  5M IN A  10.0.8.227
+a-maximum-rrset.example.  5M IN A  10.0.8.228
+a-maximum-rrset.example.  5M IN A  10.0.8.229
+a-maximum-rrset.example.  5M IN A  10.0.8.230
+a-maximum-rrset.example.  5M IN A  10.0.8.231
+a-maximum-rrset.example.  5M IN A  10.0.8.232
+a-maximum-rrset.example.  5M IN A  10.0.8.233
+a-maximum-rrset.example.  5M IN A  10.0.8.234
+a-maximum-rrset.example.  5M IN A  10.0.8.235
+a-maximum-rrset.example.  5M IN A  10.0.8.236
+a-maximum-rrset.example.  5M IN A  10.0.8.237
+a-maximum-rrset.example.  5M IN A  10.0.8.238
+a-maximum-rrset.example.  5M IN A  10.0.8.239
+a-maximum-rrset.example.  5M IN A  10.0.8.240
+a-maximum-rrset.example.  5M IN A  10.0.8.241
+a-maximum-rrset.example.  5M IN A  10.0.8.242
+a-maximum-rrset.example.  5M IN A  10.0.8.243
+a-maximum-rrset.example.  5M IN A  10.0.8.244
+a-maximum-rrset.example.  5M IN A  10.0.8.245
+a-maximum-rrset.example.  5M IN A  10.0.8.246
+a-maximum-rrset.example.  5M IN A  10.0.8.247
+a-maximum-rrset.example.  5M IN A  10.0.8.248
+a-maximum-rrset.example.  5M IN A  10.0.8.249
+a-maximum-rrset.example.  5M IN A  10.0.8.250
+a-maximum-rrset.example.  5M IN A  10.0.8.251
+a-maximum-rrset.example.  5M IN A  10.0.8.252
+a-maximum-rrset.example.  5M IN A  10.0.8.253
+a-maximum-rrset.example.  5M IN A  10.0.8.254
+a-maximum-rrset.example.  5M IN A  10.0.8.255
+a-maximum-rrset.example.  5M IN A  10.0.9.0
+a-maximum-rrset.example.  5M IN A  10.0.9.1
+a-maximum-rrset.example.  5M IN A  10.0.9.2
+a-maximum-rrset.example.  5M IN A  10.0.9.3
+a-maximum-rrset.example.  5M IN A  10.0.9.4
+a-maximum-rrset.example.  5M IN A  10.0.9.5
+a-maximum-rrset.example.  5M IN A  10.0.9.6
+a-maximum-rrset.example.  5M IN A  10.0.9.7
+a-maximum-rrset.example.  5M IN A  10.0.9.8
+a-maximum-rrset.example.  5M IN A  10.0.9.9
+a-maximum-rrset.example.  5M IN A  10.0.9.10
+a-maximum-rrset.example.  5M IN A  10.0.9.11
+a-maximum-rrset.example.  5M IN A  10.0.9.12
+a-maximum-rrset.example.  5M IN A  10.0.9.13
+a-maximum-rrset.example.  5M IN A  10.0.9.14
+a-maximum-rrset.example.  5M IN A  10.0.9.15
+a-maximum-rrset.example.  5M IN A  10.0.9.16
+a-maximum-rrset.example.  5M IN A  10.0.9.17
+a-maximum-rrset.example.  5M IN A  10.0.9.18
+a-maximum-rrset.example.  5M IN A  10.0.9.19
+a-maximum-rrset.example.  5M IN A  10.0.9.20
+a-maximum-rrset.example.  5M IN A  10.0.9.21
+a-maximum-rrset.example.  5M IN A  10.0.9.22
+a-maximum-rrset.example.  5M IN A  10.0.9.23
+a-maximum-rrset.example.  5M IN A  10.0.9.24
+a-maximum-rrset.example.  5M IN A  10.0.9.25
+a-maximum-rrset.example.  5M IN A  10.0.9.26
+a-maximum-rrset.example.  5M IN A  10.0.9.27
+a-maximum-rrset.example.  5M IN A  10.0.9.28
+a-maximum-rrset.example.  5M IN A  10.0.9.29
+a-maximum-rrset.example.  5M IN A  10.0.9.30
+a-maximum-rrset.example.  5M IN A  10.0.9.31
+a-maximum-rrset.example.  5M IN A  10.0.9.32
+a-maximum-rrset.example.  5M IN A  10.0.9.33
+a-maximum-rrset.example.  5M IN A  10.0.9.34
+a-maximum-rrset.example.  5M IN A  10.0.9.35
+a-maximum-rrset.example.  5M IN A  10.0.9.36
+a-maximum-rrset.example.  5M IN A  10.0.9.37
+a-maximum-rrset.example.  5M IN A  10.0.9.38
+a-maximum-rrset.example.  5M IN A  10.0.9.39
+a-maximum-rrset.example.  5M IN A  10.0.9.40
+a-maximum-rrset.example.  5M IN A  10.0.9.41
+a-maximum-rrset.example.  5M IN A  10.0.9.42
+a-maximum-rrset.example.  5M IN A  10.0.9.43
+a-maximum-rrset.example.  5M IN A  10.0.9.44
+a-maximum-rrset.example.  5M IN A  10.0.9.45
+a-maximum-rrset.example.  5M IN A  10.0.9.46
+a-maximum-rrset.example.  5M IN A  10.0.9.47
+a-maximum-rrset.example.  5M IN A  10.0.9.48
+a-maximum-rrset.example.  5M IN A  10.0.9.49
+a-maximum-rrset.example.  5M IN A  10.0.9.50
+a-maximum-rrset.example.  5M IN A  10.0.9.51
+a-maximum-rrset.example.  5M IN A  10.0.9.52
+a-maximum-rrset.example.  5M IN A  10.0.9.53
+a-maximum-rrset.example.  5M IN A  10.0.9.54
+a-maximum-rrset.example.  5M IN A  10.0.9.55
+a-maximum-rrset.example.  5M IN A  10.0.9.56
+a-maximum-rrset.example.  5M IN A  10.0.9.57
+a-maximum-rrset.example.  5M IN A  10.0.9.58
+a-maximum-rrset.example.  5M IN A  10.0.9.59
+a-maximum-rrset.example.  5M IN A  10.0.9.60
+a-maximum-rrset.example.  5M IN A  10.0.9.61
+a-maximum-rrset.example.  5M IN A  10.0.9.62
+a-maximum-rrset.example.  5M IN A  10.0.9.63
+a-maximum-rrset.example.  5M IN A  10.0.9.64
+a-maximum-rrset.example.  5M IN A  10.0.9.65
+a-maximum-rrset.example.  5M IN A  10.0.9.66
+a-maximum-rrset.example.  5M IN A  10.0.9.67
+a-maximum-rrset.example.  5M IN A  10.0.9.68
+a-maximum-rrset.example.  5M IN A  10.0.9.69
+a-maximum-rrset.example.  5M IN A  10.0.9.70
+a-maximum-rrset.example.  5M IN A  10.0.9.71
+a-maximum-rrset.example.  5M IN A  10.0.9.72
+a-maximum-rrset.example.  5M IN A  10.0.9.73
+a-maximum-rrset.example.  5M IN A  10.0.9.74
+a-maximum-rrset.example.  5M IN A  10.0.9.75
+a-maximum-rrset.example.  5M IN A  10.0.9.76
+a-maximum-rrset.example.  5M IN A  10.0.9.77
+a-maximum-rrset.example.  5M IN A  10.0.9.78
+a-maximum-rrset.example.  5M IN A  10.0.9.79
+a-maximum-rrset.example.  5M IN A  10.0.9.80
+a-maximum-rrset.example.  5M IN A  10.0.9.81
+a-maximum-rrset.example.  5M IN A  10.0.9.82
+a-maximum-rrset.example.  5M IN A  10.0.9.83
+a-maximum-rrset.example.  5M IN A  10.0.9.84
+a-maximum-rrset.example.  5M IN A  10.0.9.85
+a-maximum-rrset.example.  5M IN A  10.0.9.86
+a-maximum-rrset.example.  5M IN A  10.0.9.87
+a-maximum-rrset.example.  5M IN A  10.0.9.88
+a-maximum-rrset.example.  5M IN A  10.0.9.89
+a-maximum-rrset.example.  5M IN A  10.0.9.90
+a-maximum-rrset.example.  5M IN A  10.0.9.91
+a-maximum-rrset.example.  5M IN A  10.0.9.92
+a-maximum-rrset.example.  5M IN A  10.0.9.93
+a-maximum-rrset.example.  5M IN A  10.0.9.94
+a-maximum-rrset.example.  5M IN A  10.0.9.95
+a-maximum-rrset.example.  5M IN A  10.0.9.96
+a-maximum-rrset.example.  5M IN A  10.0.9.97
+a-maximum-rrset.example.  5M IN A  10.0.9.98
+a-maximum-rrset.example.  5M IN A  10.0.9.99
+a-maximum-rrset.example.  5M IN A  10.0.9.100
+a-maximum-rrset.example.  5M IN A  10.0.9.101
+a-maximum-rrset.example.  5M IN A  10.0.9.102
+a-maximum-rrset.example.  5M IN A  10.0.9.103
+a-maximum-rrset.example.  5M IN A  10.0.9.104
+a-maximum-rrset.example.  5M IN A  10.0.9.105
+a-maximum-rrset.example.  5M IN A  10.0.9.106
+a-maximum-rrset.example.  5M IN A  10.0.9.107
+a-maximum-rrset.example.  5M IN A  10.0.9.108
+a-maximum-rrset.example.  5M IN A  10.0.9.109
+a-maximum-rrset.example.  5M IN A  10.0.9.110
+a-maximum-rrset.example.  5M IN A  10.0.9.111
+a-maximum-rrset.example.  5M IN A  10.0.9.112
+a-maximum-rrset.example.  5M IN A  10.0.9.113
+a-maximum-rrset.example.  5M IN A  10.0.9.114
+a-maximum-rrset.example.  5M IN A  10.0.9.115
+a-maximum-rrset.example.  5M IN A  10.0.9.116
+a-maximum-rrset.example.  5M IN A  10.0.9.117
+a-maximum-rrset.example.  5M IN A  10.0.9.118
+a-maximum-rrset.example.  5M IN A  10.0.9.119
+a-maximum-rrset.example.  5M IN A  10.0.9.120
+a-maximum-rrset.example.  5M IN A  10.0.9.121
+a-maximum-rrset.example.  5M IN A  10.0.9.122
+a-maximum-rrset.example.  5M IN A  10.0.9.123
+a-maximum-rrset.example.  5M IN A  10.0.9.124
+a-maximum-rrset.example.  5M IN A  10.0.9.125
+a-maximum-rrset.example.  5M IN A  10.0.9.126
+a-maximum-rrset.example.  5M IN A  10.0.9.127
+a-maximum-rrset.example.  5M IN A  10.0.9.128
+a-maximum-rrset.example.  5M IN A  10.0.9.129
+a-maximum-rrset.example.  5M IN A  10.0.9.130
+a-maximum-rrset.example.  5M IN A  10.0.9.131
+a-maximum-rrset.example.  5M IN A  10.0.9.132
+a-maximum-rrset.example.  5M IN A  10.0.9.133
+a-maximum-rrset.example.  5M IN A  10.0.9.134
+a-maximum-rrset.example.  5M IN A  10.0.9.135
+a-maximum-rrset.example.  5M IN A  10.0.9.136
+a-maximum-rrset.example.  5M IN A  10.0.9.137
+a-maximum-rrset.example.  5M IN A  10.0.9.138
+a-maximum-rrset.example.  5M IN A  10.0.9.139
+a-maximum-rrset.example.  5M IN A  10.0.9.140
+a-maximum-rrset.example.  5M IN A  10.0.9.141
+a-maximum-rrset.example.  5M IN A  10.0.9.142
+a-maximum-rrset.example.  5M IN A  10.0.9.143
+a-maximum-rrset.example.  5M IN A  10.0.9.144
+a-maximum-rrset.example.  5M IN A  10.0.9.145
+a-maximum-rrset.example.  5M IN A  10.0.9.146
+a-maximum-rrset.example.  5M IN A  10.0.9.147
+a-maximum-rrset.example.  5M IN A  10.0.9.148
+a-maximum-rrset.example.  5M IN A  10.0.9.149
+a-maximum-rrset.example.  5M IN A  10.0.9.150
+a-maximum-rrset.example.  5M IN A  10.0.9.151
+a-maximum-rrset.example.  5M IN A  10.0.9.152
+a-maximum-rrset.example.  5M IN A  10.0.9.153
+a-maximum-rrset.example.  5M IN A  10.0.9.154
+a-maximum-rrset.example.  5M IN A  10.0.9.155
+a-maximum-rrset.example.  5M IN A  10.0.9.156
+a-maximum-rrset.example.  5M IN A  10.0.9.157
+a-maximum-rrset.example.  5M IN A  10.0.9.158
+a-maximum-rrset.example.  5M IN A  10.0.9.159
+a-maximum-rrset.example.  5M IN A  10.0.9.160
+a-maximum-rrset.example.  5M IN A  10.0.9.161
+a-maximum-rrset.example.  5M IN A  10.0.9.162
+a-maximum-rrset.example.  5M IN A  10.0.9.163
+a-maximum-rrset.example.  5M IN A  10.0.9.164
+a-maximum-rrset.example.  5M IN A  10.0.9.165
+a-maximum-rrset.example.  5M IN A  10.0.9.166
+a-maximum-rrset.example.  5M IN A  10.0.9.167
+a-maximum-rrset.example.  5M IN A  10.0.9.168
+a-maximum-rrset.example.  5M IN A  10.0.9.169
+a-maximum-rrset.example.  5M IN A  10.0.9.170
+a-maximum-rrset.example.  5M IN A  10.0.9.171
+a-maximum-rrset.example.  5M IN A  10.0.9.172
+a-maximum-rrset.example.  5M IN A  10.0.9.173
+a-maximum-rrset.example.  5M IN A  10.0.9.174
+a-maximum-rrset.example.  5M IN A  10.0.9.175
+a-maximum-rrset.example.  5M IN A  10.0.9.176
+a-maximum-rrset.example.  5M IN A  10.0.9.177
+a-maximum-rrset.example.  5M IN A  10.0.9.178
+a-maximum-rrset.example.  5M IN A  10.0.9.179
+a-maximum-rrset.example.  5M IN A  10.0.9.180
+a-maximum-rrset.example.  5M IN A  10.0.9.181
+a-maximum-rrset.example.  5M IN A  10.0.9.182
+a-maximum-rrset.example.  5M IN A  10.0.9.183
+a-maximum-rrset.example.  5M IN A  10.0.9.184
+a-maximum-rrset.example.  5M IN A  10.0.9.185
+a-maximum-rrset.example.  5M IN A  10.0.9.186
+a-maximum-rrset.example.  5M IN A  10.0.9.187
+a-maximum-rrset.example.  5M IN A  10.0.9.188
+a-maximum-rrset.example.  5M IN A  10.0.9.189
+a-maximum-rrset.example.  5M IN A  10.0.9.190
+a-maximum-rrset.example.  5M IN A  10.0.9.191
+a-maximum-rrset.example.  5M IN A  10.0.9.192
+a-maximum-rrset.example.  5M IN A  10.0.9.193
+a-maximum-rrset.example.  5M IN A  10.0.9.194
+a-maximum-rrset.example.  5M IN A  10.0.9.195
+a-maximum-rrset.example.  5M IN A  10.0.9.196
+a-maximum-rrset.example.  5M IN A  10.0.9.197
+a-maximum-rrset.example.  5M IN A  10.0.9.198
+a-maximum-rrset.example.  5M IN A  10.0.9.199
+a-maximum-rrset.example.  5M IN A  10.0.9.200
+a-maximum-rrset.example.  5M IN A  10.0.9.201
+a-maximum-rrset.example.  5M IN A  10.0.9.202
+a-maximum-rrset.example.  5M IN A  10.0.9.203
+a-maximum-rrset.example.  5M IN A  10.0.9.204
+a-maximum-rrset.example.  5M IN A  10.0.9.205
+a-maximum-rrset.example.  5M IN A  10.0.9.206
+a-maximum-rrset.example.  5M IN A  10.0.9.207
+a-maximum-rrset.example.  5M IN A  10.0.9.208
+a-maximum-rrset.example.  5M IN A  10.0.9.209
+a-maximum-rrset.example.  5M IN A  10.0.9.210
+a-maximum-rrset.example.  5M IN A  10.0.9.211
+a-maximum-rrset.example.  5M IN A  10.0.9.212
+a-maximum-rrset.example.  5M IN A  10.0.9.213
+a-maximum-rrset.example.  5M IN A  10.0.9.214
+a-maximum-rrset.example.  5M IN A  10.0.9.215
+a-maximum-rrset.example.  5M IN A  10.0.9.216
+a-maximum-rrset.example.  5M IN A  10.0.9.217
+a-maximum-rrset.example.  5M IN A  10.0.9.218
+a-maximum-rrset.example.  5M IN A  10.0.9.219
+a-maximum-rrset.example.  5M IN A  10.0.9.220
+a-maximum-rrset.example.  5M IN A  10.0.9.221
+a-maximum-rrset.example.  5M IN A  10.0.9.222
+a-maximum-rrset.example.  5M IN A  10.0.9.223
+a-maximum-rrset.example.  5M IN A  10.0.9.224
+a-maximum-rrset.example.  5M IN A  10.0.9.225
+a-maximum-rrset.example.  5M IN A  10.0.9.226
+a-maximum-rrset.example.  5M IN A  10.0.9.227
+a-maximum-rrset.example.  5M IN A  10.0.9.228
+a-maximum-rrset.example.  5M IN A  10.0.9.229
+a-maximum-rrset.example.  5M IN A  10.0.9.230
+a-maximum-rrset.example.  5M IN A  10.0.9.231
+a-maximum-rrset.example.  5M IN A  10.0.9.232
+a-maximum-rrset.example.  5M IN A  10.0.9.233
+a-maximum-rrset.example.  5M IN A  10.0.9.234
+a-maximum-rrset.example.  5M IN A  10.0.9.235
+a-maximum-rrset.example.  5M IN A  10.0.9.236
+a-maximum-rrset.example.  5M IN A  10.0.9.237
+a-maximum-rrset.example.  5M IN A  10.0.9.238
+a-maximum-rrset.example.  5M IN A  10.0.9.239
+a-maximum-rrset.example.  5M IN A  10.0.9.240
+a-maximum-rrset.example.  5M IN A  10.0.9.241
+a-maximum-rrset.example.  5M IN A  10.0.9.242
+a-maximum-rrset.example.  5M IN A  10.0.9.243
+a-maximum-rrset.example.  5M IN A  10.0.9.244
+a-maximum-rrset.example.  5M IN A  10.0.9.245
+a-maximum-rrset.example.  5M IN A  10.0.9.246
+a-maximum-rrset.example.  5M IN A  10.0.9.247
+a-maximum-rrset.example.  5M IN A  10.0.9.248
+a-maximum-rrset.example.  5M IN A  10.0.9.249
+a-maximum-rrset.example.  5M IN A  10.0.9.250
+a-maximum-rrset.example.  5M IN A  10.0.9.251
+a-maximum-rrset.example.  5M IN A  10.0.9.252
+a-maximum-rrset.example.  5M IN A  10.0.9.253
+a-maximum-rrset.example.  5M IN A  10.0.9.254
+a-maximum-rrset.example.  5M IN A  10.0.9.255
+a-maximum-rrset.example.  5M IN A  10.0.10.0
+a-maximum-rrset.example.  5M IN A  10.0.10.1
+a-maximum-rrset.example.  5M IN A  10.0.10.2
+a-maximum-rrset.example.  5M IN A  10.0.10.3
+a-maximum-rrset.example.  5M IN A  10.0.10.4
+a-maximum-rrset.example.  5M IN A  10.0.10.5
+a-maximum-rrset.example.  5M IN A  10.0.10.6
+a-maximum-rrset.example.  5M IN A  10.0.10.7
+a-maximum-rrset.example.  5M IN A  10.0.10.8
+a-maximum-rrset.example.  5M IN A  10.0.10.9
+a-maximum-rrset.example.  5M IN A  10.0.10.10
+a-maximum-rrset.example.  5M IN A  10.0.10.11
+a-maximum-rrset.example.  5M IN A  10.0.10.12
+a-maximum-rrset.example.  5M IN A  10.0.10.13
+a-maximum-rrset.example.  5M IN A  10.0.10.14
+a-maximum-rrset.example.  5M IN A  10.0.10.15
+a-maximum-rrset.example.  5M IN A  10.0.10.16
+a-maximum-rrset.example.  5M IN A  10.0.10.17
+a-maximum-rrset.example.  5M IN A  10.0.10.18
+a-maximum-rrset.example.  5M IN A  10.0.10.19
+a-maximum-rrset.example.  5M IN A  10.0.10.20
+a-maximum-rrset.example.  5M IN A  10.0.10.21
+a-maximum-rrset.example.  5M IN A  10.0.10.22
+a-maximum-rrset.example.  5M IN A  10.0.10.23
+a-maximum-rrset.example.  5M IN A  10.0.10.24
+a-maximum-rrset.example.  5M IN A  10.0.10.25
+a-maximum-rrset.example.  5M IN A  10.0.10.26
+a-maximum-rrset.example.  5M IN A  10.0.10.27
+a-maximum-rrset.example.  5M IN A  10.0.10.28
+a-maximum-rrset.example.  5M IN A  10.0.10.29
+a-maximum-rrset.example.  5M IN A  10.0.10.30
+a-maximum-rrset.example.  5M IN A  10.0.10.31
+a-maximum-rrset.example.  5M IN A  10.0.10.32
+a-maximum-rrset.example.  5M IN A  10.0.10.33
+a-maximum-rrset.example.  5M IN A  10.0.10.34
+a-maximum-rrset.example.  5M IN A  10.0.10.35
+a-maximum-rrset.example.  5M IN A  10.0.10.36
+a-maximum-rrset.example.  5M IN A  10.0.10.37
+a-maximum-rrset.example.  5M IN A  10.0.10.38
+a-maximum-rrset.example.  5M IN A  10.0.10.39
+a-maximum-rrset.example.  5M IN A  10.0.10.40
+a-maximum-rrset.example.  5M IN A  10.0.10.41
+a-maximum-rrset.example.  5M IN A  10.0.10.42
+a-maximum-rrset.example.  5M IN A  10.0.10.43
+a-maximum-rrset.example.  5M IN A  10.0.10.44
+a-maximum-rrset.example.  5M IN A  10.0.10.45
+a-maximum-rrset.example.  5M IN A  10.0.10.46
+a-maximum-rrset.example.  5M IN A  10.0.10.47
+a-maximum-rrset.example.  5M IN A  10.0.10.48
+a-maximum-rrset.example.  5M IN A  10.0.10.49
+a-maximum-rrset.example.  5M IN A  10.0.10.50
+a-maximum-rrset.example.  5M IN A  10.0.10.51
+a-maximum-rrset.example.  5M IN A  10.0.10.52
+a-maximum-rrset.example.  5M IN A  10.0.10.53
+a-maximum-rrset.example.  5M IN A  10.0.10.54
+a-maximum-rrset.example.  5M IN A  10.0.10.55
+a-maximum-rrset.example.  5M IN A  10.0.10.56
+a-maximum-rrset.example.  5M IN A  10.0.10.57
+a-maximum-rrset.example.  5M IN A  10.0.10.58
+a-maximum-rrset.example.  5M IN A  10.0.10.59
+a-maximum-rrset.example.  5M IN A  10.0.10.60
+a-maximum-rrset.example.  5M IN A  10.0.10.61
+a-maximum-rrset.example.  5M IN A  10.0.10.62
+a-maximum-rrset.example.  5M IN A  10.0.10.63
+a-maximum-rrset.example.  5M IN A  10.0.10.64
+a-maximum-rrset.example.  5M IN A  10.0.10.65
+a-maximum-rrset.example.  5M IN A  10.0.10.66
+a-maximum-rrset.example.  5M IN A  10.0.10.67
+a-maximum-rrset.example.  5M IN A  10.0.10.68
+a-maximum-rrset.example.  5M IN A  10.0.10.69
+a-maximum-rrset.example.  5M IN A  10.0.10.70
+a-maximum-rrset.example.  5M IN A  10.0.10.71
+a-maximum-rrset.example.  5M IN A  10.0.10.72
+a-maximum-rrset.example.  5M IN A  10.0.10.73
+a-maximum-rrset.example.  5M IN A  10.0.10.74
+a-maximum-rrset.example.  5M IN A  10.0.10.75
+a-maximum-rrset.example.  5M IN A  10.0.10.76
+a-maximum-rrset.example.  5M IN A  10.0.10.77
+a-maximum-rrset.example.  5M IN A  10.0.10.78
+a-maximum-rrset.example.  5M IN A  10.0.10.79
+a-maximum-rrset.example.  5M IN A  10.0.10.80
+a-maximum-rrset.example.  5M IN A  10.0.10.81
+a-maximum-rrset.example.  5M IN A  10.0.10.82
+a-maximum-rrset.example.  5M IN A  10.0.10.83
+a-maximum-rrset.example.  5M IN A  10.0.10.84
+a-maximum-rrset.example.  5M IN A  10.0.10.85
+a-maximum-rrset.example.  5M IN A  10.0.10.86
+a-maximum-rrset.example.  5M IN A  10.0.10.87
+a-maximum-rrset.example.  5M IN A  10.0.10.88
+a-maximum-rrset.example.  5M IN A  10.0.10.89
+a-maximum-rrset.example.  5M IN A  10.0.10.90
+a-maximum-rrset.example.  5M IN A  10.0.10.91
+a-maximum-rrset.example.  5M IN A  10.0.10.92
+a-maximum-rrset.example.  5M IN A  10.0.10.93
+a-maximum-rrset.example.  5M IN A  10.0.10.94
+a-maximum-rrset.example.  5M IN A  10.0.10.95
+a-maximum-rrset.example.  5M IN A  10.0.10.96
+a-maximum-rrset.example.  5M IN A  10.0.10.97
+a-maximum-rrset.example.  5M IN A  10.0.10.98
+a-maximum-rrset.example.  5M IN A  10.0.10.99
+a-maximum-rrset.example.  5M IN A  10.0.10.100
+a-maximum-rrset.example.  5M IN A  10.0.10.101
+a-maximum-rrset.example.  5M IN A  10.0.10.102
+a-maximum-rrset.example.  5M IN A  10.0.10.103
+a-maximum-rrset.example.  5M IN A  10.0.10.104
+a-maximum-rrset.example.  5M IN A  10.0.10.105
+a-maximum-rrset.example.  5M IN A  10.0.10.106
+a-maximum-rrset.example.  5M IN A  10.0.10.107
+a-maximum-rrset.example.  5M IN A  10.0.10.108
+a-maximum-rrset.example.  5M IN A  10.0.10.109
+a-maximum-rrset.example.  5M IN A  10.0.10.110
+a-maximum-rrset.example.  5M IN A  10.0.10.111
+a-maximum-rrset.example.  5M IN A  10.0.10.112
+a-maximum-rrset.example.  5M IN A  10.0.10.113
+a-maximum-rrset.example.  5M IN A  10.0.10.114
+a-maximum-rrset.example.  5M IN A  10.0.10.115
+a-maximum-rrset.example.  5M IN A  10.0.10.116
+a-maximum-rrset.example.  5M IN A  10.0.10.117
+a-maximum-rrset.example.  5M IN A  10.0.10.118
+a-maximum-rrset.example.  5M IN A  10.0.10.119
+a-maximum-rrset.example.  5M IN A  10.0.10.120
+a-maximum-rrset.example.  5M IN A  10.0.10.121
+a-maximum-rrset.example.  5M IN A  10.0.10.122
+a-maximum-rrset.example.  5M IN A  10.0.10.123
+a-maximum-rrset.example.  5M IN A  10.0.10.124
+a-maximum-rrset.example.  5M IN A  10.0.10.125
+a-maximum-rrset.example.  5M IN A  10.0.10.126
+a-maximum-rrset.example.  5M IN A  10.0.10.127
+a-maximum-rrset.example.  5M IN A  10.0.10.128
+a-maximum-rrset.example.  5M IN A  10.0.10.129
+a-maximum-rrset.example.  5M IN A  10.0.10.130
+a-maximum-rrset.example.  5M IN A  10.0.10.131
+a-maximum-rrset.example.  5M IN A  10.0.10.132
+a-maximum-rrset.example.  5M IN A  10.0.10.133
+a-maximum-rrset.example.  5M IN A  10.0.10.134
+a-maximum-rrset.example.  5M IN A  10.0.10.135
+a-maximum-rrset.example.  5M IN A  10.0.10.136
+a-maximum-rrset.example.  5M IN A  10.0.10.137
+a-maximum-rrset.example.  5M IN A  10.0.10.138
+a-maximum-rrset.example.  5M IN A  10.0.10.139
+a-maximum-rrset.example.  5M IN A  10.0.10.140
+a-maximum-rrset.example.  5M IN A  10.0.10.141
+a-maximum-rrset.example.  5M IN A  10.0.10.142
+a-maximum-rrset.example.  5M IN A  10.0.10.143
+a-maximum-rrset.example.  5M IN A  10.0.10.144
+a-maximum-rrset.example.  5M IN A  10.0.10.145
+a-maximum-rrset.example.  5M IN A  10.0.10.146
+a-maximum-rrset.example.  5M IN A  10.0.10.147
+a-maximum-rrset.example.  5M IN A  10.0.10.148
+a-maximum-rrset.example.  5M IN A  10.0.10.149
+a-maximum-rrset.example.  5M IN A  10.0.10.150
+a-maximum-rrset.example.  5M IN A  10.0.10.151
+a-maximum-rrset.example.  5M IN A  10.0.10.152
+a-maximum-rrset.example.  5M IN A  10.0.10.153
+a-maximum-rrset.example.  5M IN A  10.0.10.154
+a-maximum-rrset.example.  5M IN A  10.0.10.155
+a-maximum-rrset.example.  5M IN A  10.0.10.156
+a-maximum-rrset.example.  5M IN A  10.0.10.157
+a-maximum-rrset.example.  5M IN A  10.0.10.158
+a-maximum-rrset.example.  5M IN A  10.0.10.159
+a-maximum-rrset.example.  5M IN A  10.0.10.160
+a-maximum-rrset.example.  5M IN A  10.0.10.161
+a-maximum-rrset.example.  5M IN A  10.0.10.162
+a-maximum-rrset.example.  5M IN A  10.0.10.163
+a-maximum-rrset.example.  5M IN A  10.0.10.164
+a-maximum-rrset.example.  5M IN A  10.0.10.165
+a-maximum-rrset.example.  5M IN A  10.0.10.166
+a-maximum-rrset.example.  5M IN A  10.0.10.167
+a-maximum-rrset.example.  5M IN A  10.0.10.168
+a-maximum-rrset.example.  5M IN A  10.0.10.169
+a-maximum-rrset.example.  5M IN A  10.0.10.170
+a-maximum-rrset.example.  5M IN A  10.0.10.171
+a-maximum-rrset.example.  5M IN A  10.0.10.172
+a-maximum-rrset.example.  5M IN A  10.0.10.173
+a-maximum-rrset.example.  5M IN A  10.0.10.174
+a-maximum-rrset.example.  5M IN A  10.0.10.175
+a-maximum-rrset.example.  5M IN A  10.0.10.176
+a-maximum-rrset.example.  5M IN A  10.0.10.177
+a-maximum-rrset.example.  5M IN A  10.0.10.178
+a-maximum-rrset.example.  5M IN A  10.0.10.179
+a-maximum-rrset.example.  5M IN A  10.0.10.180
+a-maximum-rrset.example.  5M IN A  10.0.10.181
+a-maximum-rrset.example.  5M IN A  10.0.10.182
+a-maximum-rrset.example.  5M IN A  10.0.10.183
+a-maximum-rrset.example.  5M IN A  10.0.10.184
+a-maximum-rrset.example.  5M IN A  10.0.10.185
+a-maximum-rrset.example.  5M IN A  10.0.10.186
+a-maximum-rrset.example.  5M IN A  10.0.10.187
+a-maximum-rrset.example.  5M IN A  10.0.10.188
+a-maximum-rrset.example.  5M IN A  10.0.10.189
+a-maximum-rrset.example.  5M IN A  10.0.10.190
+a-maximum-rrset.example.  5M IN A  10.0.10.191
+a-maximum-rrset.example.  5M IN A  10.0.10.192
+a-maximum-rrset.example.  5M IN A  10.0.10.193
+a-maximum-rrset.example.  5M IN A  10.0.10.194
+a-maximum-rrset.example.  5M IN A  10.0.10.195
+a-maximum-rrset.example.  5M IN A  10.0.10.196
+a-maximum-rrset.example.  5M IN A  10.0.10.197
+a-maximum-rrset.example.  5M IN A  10.0.10.198
+a-maximum-rrset.example.  5M IN A  10.0.10.199
+a-maximum-rrset.example.  5M IN A  10.0.10.200
+a-maximum-rrset.example.  5M IN A  10.0.10.201
+a-maximum-rrset.example.  5M IN A  10.0.10.202
+a-maximum-rrset.example.  5M IN A  10.0.10.203
+a-maximum-rrset.example.  5M IN A  10.0.10.204
+a-maximum-rrset.example.  5M IN A  10.0.10.205
+a-maximum-rrset.example.  5M IN A  10.0.10.206
+a-maximum-rrset.example.  5M IN A  10.0.10.207
+a-maximum-rrset.example.  5M IN A  10.0.10.208
+a-maximum-rrset.example.  5M IN A  10.0.10.209
+a-maximum-rrset.example.  5M IN A  10.0.10.210
+a-maximum-rrset.example.  5M IN A  10.0.10.211
+a-maximum-rrset.example.  5M IN A  10.0.10.212
+a-maximum-rrset.example.  5M IN A  10.0.10.213
+a-maximum-rrset.example.  5M IN A  10.0.10.214
+a-maximum-rrset.example.  5M IN A  10.0.10.215
+a-maximum-rrset.example.  5M IN A  10.0.10.216
+a-maximum-rrset.example.  5M IN A  10.0.10.217
+a-maximum-rrset.example.  5M IN A  10.0.10.218
+a-maximum-rrset.example.  5M IN A  10.0.10.219
+a-maximum-rrset.example.  5M IN A  10.0.10.220
+a-maximum-rrset.example.  5M IN A  10.0.10.221
+a-maximum-rrset.example.  5M IN A  10.0.10.222
+a-maximum-rrset.example.  5M IN A  10.0.10.223
+a-maximum-rrset.example.  5M IN A  10.0.10.224
+a-maximum-rrset.example.  5M IN A  10.0.10.225
+a-maximum-rrset.example.  5M IN A  10.0.10.226
+a-maximum-rrset.example.  5M IN A  10.0.10.227
+a-maximum-rrset.example.  5M IN A  10.0.10.228
+a-maximum-rrset.example.  5M IN A  10.0.10.229
+a-maximum-rrset.example.  5M IN A  10.0.10.230
+a-maximum-rrset.example.  5M IN A  10.0.10.231
+a-maximum-rrset.example.  5M IN A  10.0.10.232
+a-maximum-rrset.example.  5M IN A  10.0.10.233
+a-maximum-rrset.example.  5M IN A  10.0.10.234
+a-maximum-rrset.example.  5M IN A  10.0.10.235
+a-maximum-rrset.example.  5M IN A  10.0.10.236
+a-maximum-rrset.example.  5M IN A  10.0.10.237
+a-maximum-rrset.example.  5M IN A  10.0.10.238
+a-maximum-rrset.example.  5M IN A  10.0.10.239
+a-maximum-rrset.example.  5M IN A  10.0.10.240
+a-maximum-rrset.example.  5M IN A  10.0.10.241
+a-maximum-rrset.example.  5M IN A  10.0.10.242
+a-maximum-rrset.example.  5M IN A  10.0.10.243
+a-maximum-rrset.example.  5M IN A  10.0.10.244
+a-maximum-rrset.example.  5M IN A  10.0.10.245
+a-maximum-rrset.example.  5M IN A  10.0.10.246
+a-maximum-rrset.example.  5M IN A  10.0.10.247
+a-maximum-rrset.example.  5M IN A  10.0.10.248
+a-maximum-rrset.example.  5M IN A  10.0.10.249
+a-maximum-rrset.example.  5M IN A  10.0.10.250
+a-maximum-rrset.example.  5M IN A  10.0.10.251
+a-maximum-rrset.example.  5M IN A  10.0.10.252
+a-maximum-rrset.example.  5M IN A  10.0.10.253
+a-maximum-rrset.example.  5M IN A  10.0.10.254
+a-maximum-rrset.example.  5M IN A  10.0.10.255
+a-maximum-rrset.example.  5M IN A  10.0.11.0
+a-maximum-rrset.example.  5M IN A  10.0.11.1
+a-maximum-rrset.example.  5M IN A  10.0.11.2
+a-maximum-rrset.example.  5M IN A  10.0.11.3
+a-maximum-rrset.example.  5M IN A  10.0.11.4
+a-maximum-rrset.example.  5M IN A  10.0.11.5
+a-maximum-rrset.example.  5M IN A  10.0.11.6
+a-maximum-rrset.example.  5M IN A  10.0.11.7
+a-maximum-rrset.example.  5M IN A  10.0.11.8
+a-maximum-rrset.example.  5M IN A  10.0.11.9
+a-maximum-rrset.example.  5M IN A  10.0.11.10
+a-maximum-rrset.example.  5M IN A  10.0.11.11
+a-maximum-rrset.example.  5M IN A  10.0.11.12
+a-maximum-rrset.example.  5M IN A  10.0.11.13
+a-maximum-rrset.example.  5M IN A  10.0.11.14
+a-maximum-rrset.example.  5M IN A  10.0.11.15
+a-maximum-rrset.example.  5M IN A  10.0.11.16
+a-maximum-rrset.example.  5M IN A  10.0.11.17
+a-maximum-rrset.example.  5M IN A  10.0.11.18
+a-maximum-rrset.example.  5M IN A  10.0.11.19
+a-maximum-rrset.example.  5M IN A  10.0.11.20
+a-maximum-rrset.example.  5M IN A  10.0.11.21
+a-maximum-rrset.example.  5M IN A  10.0.11.22
+a-maximum-rrset.example.  5M IN A  10.0.11.23
+a-maximum-rrset.example.  5M IN A  10.0.11.24
+a-maximum-rrset.example.  5M IN A  10.0.11.25
+a-maximum-rrset.example.  5M IN A  10.0.11.26
+a-maximum-rrset.example.  5M IN A  10.0.11.27
+a-maximum-rrset.example.  5M IN A  10.0.11.28
+a-maximum-rrset.example.  5M IN A  10.0.11.29
+a-maximum-rrset.example.  5M IN A  10.0.11.30
+a-maximum-rrset.example.  5M IN A  10.0.11.31
+a-maximum-rrset.example.  5M IN A  10.0.11.32
+a-maximum-rrset.example.  5M IN A  10.0.11.33
+a-maximum-rrset.example.  5M IN A  10.0.11.34
+a-maximum-rrset.example.  5M IN A  10.0.11.35
+a-maximum-rrset.example.  5M IN A  10.0.11.36
+a-maximum-rrset.example.  5M IN A  10.0.11.37
+a-maximum-rrset.example.  5M IN A  10.0.11.38
+a-maximum-rrset.example.  5M IN A  10.0.11.39
+a-maximum-rrset.example.  5M IN A  10.0.11.40
+a-maximum-rrset.example.  5M IN A  10.0.11.41
+a-maximum-rrset.example.  5M IN A  10.0.11.42
+a-maximum-rrset.example.  5M IN A  10.0.11.43
+a-maximum-rrset.example.  5M IN A  10.0.11.44
+a-maximum-rrset.example.  5M IN A  10.0.11.45
+a-maximum-rrset.example.  5M IN A  10.0.11.46
+a-maximum-rrset.example.  5M IN A  10.0.11.47
+a-maximum-rrset.example.  5M IN A  10.0.11.48
+a-maximum-rrset.example.  5M IN A  10.0.11.49
+a-maximum-rrset.example.  5M IN A  10.0.11.50
+a-maximum-rrset.example.  5M IN A  10.0.11.51
+a-maximum-rrset.example.  5M IN A  10.0.11.52
+a-maximum-rrset.example.  5M IN A  10.0.11.53
+a-maximum-rrset.example.  5M IN A  10.0.11.54
+a-maximum-rrset.example.  5M IN A  10.0.11.55
+a-maximum-rrset.example.  5M IN A  10.0.11.56
+a-maximum-rrset.example.  5M IN A  10.0.11.57
+a-maximum-rrset.example.  5M IN A  10.0.11.58
+a-maximum-rrset.example.  5M IN A  10.0.11.59
+a-maximum-rrset.example.  5M IN A  10.0.11.60
+a-maximum-rrset.example.  5M IN A  10.0.11.61
+a-maximum-rrset.example.  5M IN A  10.0.11.62
+a-maximum-rrset.example.  5M IN A  10.0.11.63
+a-maximum-rrset.example.  5M IN A  10.0.11.64
+a-maximum-rrset.example.  5M IN A  10.0.11.65
+a-maximum-rrset.example.  5M IN A  10.0.11.66
+a-maximum-rrset.example.  5M IN A  10.0.11.67
+a-maximum-rrset.example.  5M IN A  10.0.11.68
+a-maximum-rrset.example.  5M IN A  10.0.11.69
+a-maximum-rrset.example.  5M IN A  10.0.11.70
+a-maximum-rrset.example.  5M IN A  10.0.11.71
+a-maximum-rrset.example.  5M IN A  10.0.11.72
+a-maximum-rrset.example.  5M IN A  10.0.11.73
+a-maximum-rrset.example.  5M IN A  10.0.11.74
+a-maximum-rrset.example.  5M IN A  10.0.11.75
+a-maximum-rrset.example.  5M IN A  10.0.11.76
+a-maximum-rrset.example.  5M IN A  10.0.11.77
+a-maximum-rrset.example.  5M IN A  10.0.11.78
+a-maximum-rrset.example.  5M IN A  10.0.11.79
+a-maximum-rrset.example.  5M IN A  10.0.11.80
+a-maximum-rrset.example.  5M IN A  10.0.11.81
+a-maximum-rrset.example.  5M IN A  10.0.11.82
+a-maximum-rrset.example.  5M IN A  10.0.11.83
+a-maximum-rrset.example.  5M IN A  10.0.11.84
+a-maximum-rrset.example.  5M IN A  10.0.11.85
+a-maximum-rrset.example.  5M IN A  10.0.11.86
+a-maximum-rrset.example.  5M IN A  10.0.11.87
+a-maximum-rrset.example.  5M IN A  10.0.11.88
+a-maximum-rrset.example.  5M IN A  10.0.11.89
+a-maximum-rrset.example.  5M IN A  10.0.11.90
+a-maximum-rrset.example.  5M IN A  10.0.11.91
+a-maximum-rrset.example.  5M IN A  10.0.11.92
+a-maximum-rrset.example.  5M IN A  10.0.11.93
+a-maximum-rrset.example.  5M IN A  10.0.11.94
+a-maximum-rrset.example.  5M IN A  10.0.11.95
+a-maximum-rrset.example.  5M IN A  10.0.11.96
+a-maximum-rrset.example.  5M IN A  10.0.11.97
+a-maximum-rrset.example.  5M IN A  10.0.11.98
+a-maximum-rrset.example.  5M IN A  10.0.11.99
+a-maximum-rrset.example.  5M IN A  10.0.11.100
+a-maximum-rrset.example.  5M IN A  10.0.11.101
+a-maximum-rrset.example.  5M IN A  10.0.11.102
+a-maximum-rrset.example.  5M IN A  10.0.11.103
+a-maximum-rrset.example.  5M IN A  10.0.11.104
+a-maximum-rrset.example.  5M IN A  10.0.11.105
+a-maximum-rrset.example.  5M IN A  10.0.11.106
+a-maximum-rrset.example.  5M IN A  10.0.11.107
+a-maximum-rrset.example.  5M IN A  10.0.11.108
+a-maximum-rrset.example.  5M IN A  10.0.11.109
+a-maximum-rrset.example.  5M IN A  10.0.11.110
+a-maximum-rrset.example.  5M IN A  10.0.11.111
+a-maximum-rrset.example.  5M IN A  10.0.11.112
+a-maximum-rrset.example.  5M IN A  10.0.11.113
+a-maximum-rrset.example.  5M IN A  10.0.11.114
+a-maximum-rrset.example.  5M IN A  10.0.11.115
+a-maximum-rrset.example.  5M IN A  10.0.11.116
+a-maximum-rrset.example.  5M IN A  10.0.11.117
+a-maximum-rrset.example.  5M IN A  10.0.11.118
+a-maximum-rrset.example.  5M IN A  10.0.11.119
+a-maximum-rrset.example.  5M IN A  10.0.11.120
+a-maximum-rrset.example.  5M IN A  10.0.11.121
+a-maximum-rrset.example.  5M IN A  10.0.11.122
+a-maximum-rrset.example.  5M IN A  10.0.11.123
+a-maximum-rrset.example.  5M IN A  10.0.11.124
+a-maximum-rrset.example.  5M IN A  10.0.11.125
+a-maximum-rrset.example.  5M IN A  10.0.11.126
+a-maximum-rrset.example.  5M IN A  10.0.11.127
+a-maximum-rrset.example.  5M IN A  10.0.11.128
+a-maximum-rrset.example.  5M IN A  10.0.11.129
+a-maximum-rrset.example.  5M IN A  10.0.11.130
+a-maximum-rrset.example.  5M IN A  10.0.11.131
+a-maximum-rrset.example.  5M IN A  10.0.11.132
+a-maximum-rrset.example.  5M IN A  10.0.11.133
+a-maximum-rrset.example.  5M IN A  10.0.11.134
+a-maximum-rrset.example.  5M IN A  10.0.11.135
+a-maximum-rrset.example.  5M IN A  10.0.11.136
+a-maximum-rrset.example.  5M IN A  10.0.11.137
+a-maximum-rrset.example.  5M IN A  10.0.11.138
+a-maximum-rrset.example.  5M IN A  10.0.11.139
+a-maximum-rrset.example.  5M IN A  10.0.11.140
+a-maximum-rrset.example.  5M IN A  10.0.11.141
+a-maximum-rrset.example.  5M IN A  10.0.11.142
+a-maximum-rrset.example.  5M IN A  10.0.11.143
+a-maximum-rrset.example.  5M IN A  10.0.11.144
+a-maximum-rrset.example.  5M IN A  10.0.11.145
+a-maximum-rrset.example.  5M IN A  10.0.11.146
+a-maximum-rrset.example.  5M IN A  10.0.11.147
+a-maximum-rrset.example.  5M IN A  10.0.11.148
+a-maximum-rrset.example.  5M IN A  10.0.11.149
+a-maximum-rrset.example.  5M IN A  10.0.11.150
+a-maximum-rrset.example.  5M IN A  10.0.11.151
+a-maximum-rrset.example.  5M IN A  10.0.11.152
+a-maximum-rrset.example.  5M IN A  10.0.11.153
+a-maximum-rrset.example.  5M IN A  10.0.11.154
+a-maximum-rrset.example.  5M IN A  10.0.11.155
+a-maximum-rrset.example.  5M IN A  10.0.11.156
+a-maximum-rrset.example.  5M IN A  10.0.11.157
+a-maximum-rrset.example.  5M IN A  10.0.11.158
+a-maximum-rrset.example.  5M IN A  10.0.11.159
+a-maximum-rrset.example.  5M IN A  10.0.11.160
+a-maximum-rrset.example.  5M IN A  10.0.11.161
+a-maximum-rrset.example.  5M IN A  10.0.11.162
+a-maximum-rrset.example.  5M IN A  10.0.11.163
+a-maximum-rrset.example.  5M IN A  10.0.11.164
+a-maximum-rrset.example.  5M IN A  10.0.11.165
+a-maximum-rrset.example.  5M IN A  10.0.11.166
+a-maximum-rrset.example.  5M IN A  10.0.11.167
+a-maximum-rrset.example.  5M IN A  10.0.11.168
+a-maximum-rrset.example.  5M IN A  10.0.11.169
+a-maximum-rrset.example.  5M IN A  10.0.11.170
+a-maximum-rrset.example.  5M IN A  10.0.11.171
+a-maximum-rrset.example.  5M IN A  10.0.11.172
+a-maximum-rrset.example.  5M IN A  10.0.11.173
+a-maximum-rrset.example.  5M IN A  10.0.11.174
+a-maximum-rrset.example.  5M IN A  10.0.11.175
+a-maximum-rrset.example.  5M IN A  10.0.11.176
+a-maximum-rrset.example.  5M IN A  10.0.11.177
+a-maximum-rrset.example.  5M IN A  10.0.11.178
+a-maximum-rrset.example.  5M IN A  10.0.11.179
+a-maximum-rrset.example.  5M IN A  10.0.11.180
+a-maximum-rrset.example.  5M IN A  10.0.11.181
+a-maximum-rrset.example.  5M IN A  10.0.11.182
+a-maximum-rrset.example.  5M IN A  10.0.11.183
+a-maximum-rrset.example.  5M IN A  10.0.11.184
+a-maximum-rrset.example.  5M IN A  10.0.11.185
+a-maximum-rrset.example.  5M IN A  10.0.11.186
+a-maximum-rrset.example.  5M IN A  10.0.11.187
+a-maximum-rrset.example.  5M IN A  10.0.11.188
+a-maximum-rrset.example.  5M IN A  10.0.11.189
+a-maximum-rrset.example.  5M IN A  10.0.11.190
+a-maximum-rrset.example.  5M IN A  10.0.11.191
+a-maximum-rrset.example.  5M IN A  10.0.11.192
+a-maximum-rrset.example.  5M IN A  10.0.11.193
+a-maximum-rrset.example.  5M IN A  10.0.11.194
+a-maximum-rrset.example.  5M IN A  10.0.11.195
+a-maximum-rrset.example.  5M IN A  10.0.11.196
+a-maximum-rrset.example.  5M IN A  10.0.11.197
+a-maximum-rrset.example.  5M IN A  10.0.11.198
+a-maximum-rrset.example.  5M IN A  10.0.11.199
+a-maximum-rrset.example.  5M IN A  10.0.11.200
+a-maximum-rrset.example.  5M IN A  10.0.11.201
+a-maximum-rrset.example.  5M IN A  10.0.11.202
+a-maximum-rrset.example.  5M IN A  10.0.11.203
+a-maximum-rrset.example.  5M IN A  10.0.11.204
+a-maximum-rrset.example.  5M IN A  10.0.11.205
+a-maximum-rrset.example.  5M IN A  10.0.11.206
+a-maximum-rrset.example.  5M IN A  10.0.11.207
+a-maximum-rrset.example.  5M IN A  10.0.11.208
+a-maximum-rrset.example.  5M IN A  10.0.11.209
+a-maximum-rrset.example.  5M IN A  10.0.11.210
+a-maximum-rrset.example.  5M IN A  10.0.11.211
+a-maximum-rrset.example.  5M IN A  10.0.11.212
+a-maximum-rrset.example.  5M IN A  10.0.11.213
+a-maximum-rrset.example.  5M IN A  10.0.11.214
+a-maximum-rrset.example.  5M IN A  10.0.11.215
+a-maximum-rrset.example.  5M IN A  10.0.11.216
+a-maximum-rrset.example.  5M IN A  10.0.11.217
+a-maximum-rrset.example.  5M IN A  10.0.11.218
+a-maximum-rrset.example.  5M IN A  10.0.11.219
+a-maximum-rrset.example.  5M IN A  10.0.11.220
+a-maximum-rrset.example.  5M IN A  10.0.11.221
+a-maximum-rrset.example.  5M IN A  10.0.11.222
+a-maximum-rrset.example.  5M IN A  10.0.11.223
+a-maximum-rrset.example.  5M IN A  10.0.11.224
+a-maximum-rrset.example.  5M IN A  10.0.11.225
+a-maximum-rrset.example.  5M IN A  10.0.11.226
+a-maximum-rrset.example.  5M IN A  10.0.11.227
+a-maximum-rrset.example.  5M IN A  10.0.11.228
+a-maximum-rrset.example.  5M IN A  10.0.11.229
+a-maximum-rrset.example.  5M IN A  10.0.11.230
+a-maximum-rrset.example.  5M IN A  10.0.11.231
+a-maximum-rrset.example.  5M IN A  10.0.11.232
+a-maximum-rrset.example.  5M IN A  10.0.11.233
+a-maximum-rrset.example.  5M IN A  10.0.11.234
+a-maximum-rrset.example.  5M IN A  10.0.11.235
+a-maximum-rrset.example.  5M IN A  10.0.11.236
+a-maximum-rrset.example.  5M IN A  10.0.11.237
+a-maximum-rrset.example.  5M IN A  10.0.11.238
+a-maximum-rrset.example.  5M IN A  10.0.11.239
+a-maximum-rrset.example.  5M IN A  10.0.11.240
+a-maximum-rrset.example.  5M IN A  10.0.11.241
+a-maximum-rrset.example.  5M IN A  10.0.11.242
+a-maximum-rrset.example.  5M IN A  10.0.11.243
+a-maximum-rrset.example.  5M IN A  10.0.11.244
+a-maximum-rrset.example.  5M IN A  10.0.11.245
+a-maximum-rrset.example.  5M IN A  10.0.11.246
+a-maximum-rrset.example.  5M IN A  10.0.11.247
+a-maximum-rrset.example.  5M IN A  10.0.11.248
+a-maximum-rrset.example.  5M IN A  10.0.11.249
+a-maximum-rrset.example.  5M IN A  10.0.11.250
+a-maximum-rrset.example.  5M IN A  10.0.11.251
+a-maximum-rrset.example.  5M IN A  10.0.11.252
+a-maximum-rrset.example.  5M IN A  10.0.11.253
+a-maximum-rrset.example.  5M IN A  10.0.11.254
+a-maximum-rrset.example.  5M IN A  10.0.11.255
+a-maximum-rrset.example.  5M IN A  10.0.12.0
+a-maximum-rrset.example.  5M IN A  10.0.12.1
+a-maximum-rrset.example.  5M IN A  10.0.12.2
+a-maximum-rrset.example.  5M IN A  10.0.12.3
+a-maximum-rrset.example.  5M IN A  10.0.12.4
+a-maximum-rrset.example.  5M IN A  10.0.12.5
+a-maximum-rrset.example.  5M IN A  10.0.12.6
+a-maximum-rrset.example.  5M IN A  10.0.12.7
+a-maximum-rrset.example.  5M IN A  10.0.12.8
+a-maximum-rrset.example.  5M IN A  10.0.12.9
+a-maximum-rrset.example.  5M IN A  10.0.12.10
+a-maximum-rrset.example.  5M IN A  10.0.12.11
+a-maximum-rrset.example.  5M IN A  10.0.12.12
+a-maximum-rrset.example.  5M IN A  10.0.12.13
+a-maximum-rrset.example.  5M IN A  10.0.12.14
+a-maximum-rrset.example.  5M IN A  10.0.12.15
+a-maximum-rrset.example.  5M IN A  10.0.12.16
+a-maximum-rrset.example.  5M IN A  10.0.12.17
+a-maximum-rrset.example.  5M IN A  10.0.12.18
+a-maximum-rrset.example.  5M IN A  10.0.12.19
+a-maximum-rrset.example.  5M IN A  10.0.12.20
+a-maximum-rrset.example.  5M IN A  10.0.12.21
+a-maximum-rrset.example.  5M IN A  10.0.12.22
+a-maximum-rrset.example.  5M IN A  10.0.12.23
+a-maximum-rrset.example.  5M IN A  10.0.12.24
+a-maximum-rrset.example.  5M IN A  10.0.12.25
+a-maximum-rrset.example.  5M IN A  10.0.12.26
+a-maximum-rrset.example.  5M IN A  10.0.12.27
+a-maximum-rrset.example.  5M IN A  10.0.12.28
+a-maximum-rrset.example.  5M IN A  10.0.12.29
+a-maximum-rrset.example.  5M IN A  10.0.12.30
+a-maximum-rrset.example.  5M IN A  10.0.12.31
+a-maximum-rrset.example.  5M IN A  10.0.12.32
+a-maximum-rrset.example.  5M IN A  10.0.12.33
+a-maximum-rrset.example.  5M IN A  10.0.12.34
+a-maximum-rrset.example.  5M IN A  10.0.12.35
+a-maximum-rrset.example.  5M IN A  10.0.12.36
+a-maximum-rrset.example.  5M IN A  10.0.12.37
+a-maximum-rrset.example.  5M IN A  10.0.12.38
+a-maximum-rrset.example.  5M IN A  10.0.12.39
+a-maximum-rrset.example.  5M IN A  10.0.12.40
+a-maximum-rrset.example.  5M IN A  10.0.12.41
+a-maximum-rrset.example.  5M IN A  10.0.12.42
+a-maximum-rrset.example.  5M IN A  10.0.12.43
+a-maximum-rrset.example.  5M IN A  10.0.12.44
+a-maximum-rrset.example.  5M IN A  10.0.12.45
+a-maximum-rrset.example.  5M IN A  10.0.12.46
+a-maximum-rrset.example.  5M IN A  10.0.12.47
+a-maximum-rrset.example.  5M IN A  10.0.12.48
+a-maximum-rrset.example.  5M IN A  10.0.12.49
+a-maximum-rrset.example.  5M IN A  10.0.12.50
+a-maximum-rrset.example.  5M IN A  10.0.12.51
+a-maximum-rrset.example.  5M IN A  10.0.12.52
+a-maximum-rrset.example.  5M IN A  10.0.12.53
+a-maximum-rrset.example.  5M IN A  10.0.12.54
+a-maximum-rrset.example.  5M IN A  10.0.12.55
+a-maximum-rrset.example.  5M IN A  10.0.12.56
+a-maximum-rrset.example.  5M IN A  10.0.12.57
+a-maximum-rrset.example.  5M IN A  10.0.12.58
+a-maximum-rrset.example.  5M IN A  10.0.12.59
+a-maximum-rrset.example.  5M IN A  10.0.12.60
+a-maximum-rrset.example.  5M IN A  10.0.12.61
+a-maximum-rrset.example.  5M IN A  10.0.12.62
+a-maximum-rrset.example.  5M IN A  10.0.12.63
+a-maximum-rrset.example.  5M IN A  10.0.12.64
+a-maximum-rrset.example.  5M IN A  10.0.12.65
+a-maximum-rrset.example.  5M IN A  10.0.12.66
+a-maximum-rrset.example.  5M IN A  10.0.12.67
+a-maximum-rrset.example.  5M IN A  10.0.12.68
+a-maximum-rrset.example.  5M IN A  10.0.12.69
+a-maximum-rrset.example.  5M IN A  10.0.12.70
+a-maximum-rrset.example.  5M IN A  10.0.12.71
+a-maximum-rrset.example.  5M IN A  10.0.12.72
+a-maximum-rrset.example.  5M IN A  10.0.12.73
+a-maximum-rrset.example.  5M IN A  10.0.12.74
+a-maximum-rrset.example.  5M IN A  10.0.12.75
+a-maximum-rrset.example.  5M IN A  10.0.12.76
+a-maximum-rrset.example.  5M IN A  10.0.12.77
+a-maximum-rrset.example.  5M IN A  10.0.12.78
+a-maximum-rrset.example.  5M IN A  10.0.12.79
+a-maximum-rrset.example.  5M IN A  10.0.12.80
+a-maximum-rrset.example.  5M IN A  10.0.12.81
+a-maximum-rrset.example.  5M IN A  10.0.12.82
+a-maximum-rrset.example.  5M IN A  10.0.12.83
+a-maximum-rrset.example.  5M IN A  10.0.12.84
+a-maximum-rrset.example.  5M IN A  10.0.12.85
+a-maximum-rrset.example.  5M IN A  10.0.12.86
+a-maximum-rrset.example.  5M IN A  10.0.12.87
+a-maximum-rrset.example.  5M IN A  10.0.12.88
+a-maximum-rrset.example.  5M IN A  10.0.12.89
+a-maximum-rrset.example.  5M IN A  10.0.12.90
+a-maximum-rrset.example.  5M IN A  10.0.12.91
+a-maximum-rrset.example.  5M IN A  10.0.12.92
+a-maximum-rrset.example.  5M IN A  10.0.12.93
+a-maximum-rrset.example.  5M IN A  10.0.12.94
+a-maximum-rrset.example.  5M IN A  10.0.12.95
+a-maximum-rrset.example.  5M IN A  10.0.12.96
+a-maximum-rrset.example.  5M IN A  10.0.12.97
+a-maximum-rrset.example.  5M IN A  10.0.12.98
+a-maximum-rrset.example.  5M IN A  10.0.12.99
+a-maximum-rrset.example.  5M IN A  10.0.12.100
+a-maximum-rrset.example.  5M IN A  10.0.12.101
+a-maximum-rrset.example.  5M IN A  10.0.12.102
+a-maximum-rrset.example.  5M IN A  10.0.12.103
+a-maximum-rrset.example.  5M IN A  10.0.12.104
+a-maximum-rrset.example.  5M IN A  10.0.12.105
+a-maximum-rrset.example.  5M IN A  10.0.12.106
+a-maximum-rrset.example.  5M IN A  10.0.12.107
+a-maximum-rrset.example.  5M IN A  10.0.12.108
+a-maximum-rrset.example.  5M IN A  10.0.12.109
+a-maximum-rrset.example.  5M IN A  10.0.12.110
+a-maximum-rrset.example.  5M IN A  10.0.12.111
+a-maximum-rrset.example.  5M IN A  10.0.12.112
+a-maximum-rrset.example.  5M IN A  10.0.12.113
+a-maximum-rrset.example.  5M IN A  10.0.12.114
+a-maximum-rrset.example.  5M IN A  10.0.12.115
+a-maximum-rrset.example.  5M IN A  10.0.12.116
+a-maximum-rrset.example.  5M IN A  10.0.12.117
+a-maximum-rrset.example.  5M IN A  10.0.12.118
+a-maximum-rrset.example.  5M IN A  10.0.12.119
+a-maximum-rrset.example.  5M IN A  10.0.12.120
+a-maximum-rrset.example.  5M IN A  10.0.12.121
+a-maximum-rrset.example.  5M IN A  10.0.12.122
+a-maximum-rrset.example.  5M IN A  10.0.12.123
+a-maximum-rrset.example.  5M IN A  10.0.12.124
+a-maximum-rrset.example.  5M IN A  10.0.12.125
+a-maximum-rrset.example.  5M IN A  10.0.12.126
+a-maximum-rrset.example.  5M IN A  10.0.12.127
+a-maximum-rrset.example.  5M IN A  10.0.12.128
+a-maximum-rrset.example.  5M IN A  10.0.12.129
+a-maximum-rrset.example.  5M IN A  10.0.12.130
+a-maximum-rrset.example.  5M IN A  10.0.12.131
+a-maximum-rrset.example.  5M IN A  10.0.12.132
+a-maximum-rrset.example.  5M IN A  10.0.12.133
+a-maximum-rrset.example.  5M IN A  10.0.12.134
+a-maximum-rrset.example.  5M IN A  10.0.12.135
+a-maximum-rrset.example.  5M IN A  10.0.12.136
+a-maximum-rrset.example.  5M IN A  10.0.12.137
+a-maximum-rrset.example.  5M IN A  10.0.12.138
+a-maximum-rrset.example.  5M IN A  10.0.12.139
+a-maximum-rrset.example.  5M IN A  10.0.12.140
+a-maximum-rrset.example.  5M IN A  10.0.12.141
+a-maximum-rrset.example.  5M IN A  10.0.12.142
+a-maximum-rrset.example.  5M IN A  10.0.12.143
+a-maximum-rrset.example.  5M IN A  10.0.12.144
+a-maximum-rrset.example.  5M IN A  10.0.12.145
+a-maximum-rrset.example.  5M IN A  10.0.12.146
+a-maximum-rrset.example.  5M IN A  10.0.12.147
+a-maximum-rrset.example.  5M IN A  10.0.12.148
+a-maximum-rrset.example.  5M IN A  10.0.12.149
+a-maximum-rrset.example.  5M IN A  10.0.12.150
+a-maximum-rrset.example.  5M IN A  10.0.12.151
+a-maximum-rrset.example.  5M IN A  10.0.12.152
+a-maximum-rrset.example.  5M IN A  10.0.12.153
+a-maximum-rrset.example.  5M IN A  10.0.12.154
+a-maximum-rrset.example.  5M IN A  10.0.12.155
+a-maximum-rrset.example.  5M IN A  10.0.12.156
+a-maximum-rrset.example.  5M IN A  10.0.12.157
+a-maximum-rrset.example.  5M IN A  10.0.12.158
+a-maximum-rrset.example.  5M IN A  10.0.12.159
+a-maximum-rrset.example.  5M IN A  10.0.12.160
+a-maximum-rrset.example.  5M IN A  10.0.12.161
+a-maximum-rrset.example.  5M IN A  10.0.12.162
+a-maximum-rrset.example.  5M IN A  10.0.12.163
+a-maximum-rrset.example.  5M IN A  10.0.12.164
+a-maximum-rrset.example.  5M IN A  10.0.12.165
+a-maximum-rrset.example.  5M IN A  10.0.12.166
+a-maximum-rrset.example.  5M IN A  10.0.12.167
+a-maximum-rrset.example.  5M IN A  10.0.12.168
+a-maximum-rrset.example.  5M IN A  10.0.12.169
+a-maximum-rrset.example.  5M IN A  10.0.12.170
+a-maximum-rrset.example.  5M IN A  10.0.12.171
+a-maximum-rrset.example.  5M IN A  10.0.12.172
+a-maximum-rrset.example.  5M IN A  10.0.12.173
+a-maximum-rrset.example.  5M IN A  10.0.12.174
+a-maximum-rrset.example.  5M IN A  10.0.12.175
+a-maximum-rrset.example.  5M IN A  10.0.12.176
+a-maximum-rrset.example.  5M IN A  10.0.12.177
+a-maximum-rrset.example.  5M IN A  10.0.12.178
+a-maximum-rrset.example.  5M IN A  10.0.12.179
+a-maximum-rrset.example.  5M IN A  10.0.12.180
+a-maximum-rrset.example.  5M IN A  10.0.12.181
+a-maximum-rrset.example.  5M IN A  10.0.12.182
+a-maximum-rrset.example.  5M IN A  10.0.12.183
+a-maximum-rrset.example.  5M IN A  10.0.12.184
+a-maximum-rrset.example.  5M IN A  10.0.12.185
+a-maximum-rrset.example.  5M IN A  10.0.12.186
+a-maximum-rrset.example.  5M IN A  10.0.12.187
+a-maximum-rrset.example.  5M IN A  10.0.12.188
+a-maximum-rrset.example.  5M IN A  10.0.12.189
+a-maximum-rrset.example.  5M IN A  10.0.12.190
+a-maximum-rrset.example.  5M IN A  10.0.12.191
+a-maximum-rrset.example.  5M IN A  10.0.12.192
+a-maximum-rrset.example.  5M IN A  10.0.12.193
+a-maximum-rrset.example.  5M IN A  10.0.12.194
+a-maximum-rrset.example.  5M IN A  10.0.12.195
+a-maximum-rrset.example.  5M IN A  10.0.12.196
+a-maximum-rrset.example.  5M IN A  10.0.12.197
+a-maximum-rrset.example.  5M IN A  10.0.12.198
+a-maximum-rrset.example.  5M IN A  10.0.12.199
+a-maximum-rrset.example.  5M IN A  10.0.12.200
+a-maximum-rrset.example.  5M IN A  10.0.12.201
+a-maximum-rrset.example.  5M IN A  10.0.12.202
+a-maximum-rrset.example.  5M IN A  10.0.12.203
+a-maximum-rrset.example.  5M IN A  10.0.12.204
+a-maximum-rrset.example.  5M IN A  10.0.12.205
+a-maximum-rrset.example.  5M IN A  10.0.12.206
+a-maximum-rrset.example.  5M IN A  10.0.12.207
+a-maximum-rrset.example.  5M IN A  10.0.12.208
+a-maximum-rrset.example.  5M IN A  10.0.12.209
+a-maximum-rrset.example.  5M IN A  10.0.12.210
+a-maximum-rrset.example.  5M IN A  10.0.12.211
+a-maximum-rrset.example.  5M IN A  10.0.12.212
+a-maximum-rrset.example.  5M IN A  10.0.12.213
+a-maximum-rrset.example.  5M IN A  10.0.12.214
+a-maximum-rrset.example.  5M IN A  10.0.12.215
+a-maximum-rrset.example.  5M IN A  10.0.12.216
+a-maximum-rrset.example.  5M IN A  10.0.12.217
+a-maximum-rrset.example.  5M IN A  10.0.12.218
+a-maximum-rrset.example.  5M IN A  10.0.12.219
+a-maximum-rrset.example.  5M IN A  10.0.12.220
+a-maximum-rrset.example.  5M IN A  10.0.12.221
+a-maximum-rrset.example.  5M IN A  10.0.12.222
+a-maximum-rrset.example.  5M IN A  10.0.12.223
+a-maximum-rrset.example.  5M IN A  10.0.12.224
+a-maximum-rrset.example.  5M IN A  10.0.12.225
+a-maximum-rrset.example.  5M IN A  10.0.12.226
+a-maximum-rrset.example.  5M IN A  10.0.12.227
+a-maximum-rrset.example.  5M IN A  10.0.12.228
+a-maximum-rrset.example.  5M IN A  10.0.12.229
+a-maximum-rrset.example.  5M IN A  10.0.12.230
+a-maximum-rrset.example.  5M IN A  10.0.12.231
+a-maximum-rrset.example.  5M IN A  10.0.12.232
+a-maximum-rrset.example.  5M IN A  10.0.12.233
+a-maximum-rrset.example.  5M IN A  10.0.12.234
+a-maximum-rrset.example.  5M IN A  10.0.12.235
+a-maximum-rrset.example.  5M IN A  10.0.12.236
+a-maximum-rrset.example.  5M IN A  10.0.12.237
+a-maximum-rrset.example.  5M IN A  10.0.12.238
+a-maximum-rrset.example.  5M IN A  10.0.12.239
+a-maximum-rrset.example.  5M IN A  10.0.12.240
+a-maximum-rrset.example.  5M IN A  10.0.12.241
+a-maximum-rrset.example.  5M IN A  10.0.12.242
+a-maximum-rrset.example.  5M IN A  10.0.12.243
+a-maximum-rrset.example.  5M IN A  10.0.12.244
+a-maximum-rrset.example.  5M IN A  10.0.12.245
+a-maximum-rrset.example.  5M IN A  10.0.12.246
+a-maximum-rrset.example.  5M IN A  10.0.12.247
+a-maximum-rrset.example.  5M IN A  10.0.12.248
+a-maximum-rrset.example.  5M IN A  10.0.12.249
+a-maximum-rrset.example.  5M IN A  10.0.12.250
+a-maximum-rrset.example.  5M IN A  10.0.12.251
+a-maximum-rrset.example.  5M IN A  10.0.12.252
+a-maximum-rrset.example.  5M IN A  10.0.12.253
+a-maximum-rrset.example.  5M IN A  10.0.12.254
+a-maximum-rrset.example.  5M IN A  10.0.12.255
+a-maximum-rrset.example.  5M IN A  10.0.13.0
+a-maximum-rrset.example.  5M IN A  10.0.13.1
+a-maximum-rrset.example.  5M IN A  10.0.13.2
+a-maximum-rrset.example.  5M IN A  10.0.13.3
+a-maximum-rrset.example.  5M IN A  10.0.13.4
+a-maximum-rrset.example.  5M IN A  10.0.13.5
+a-maximum-rrset.example.  5M IN A  10.0.13.6
+a-maximum-rrset.example.  5M IN A  10.0.13.7
+a-maximum-rrset.example.  5M IN A  10.0.13.8
+a-maximum-rrset.example.  5M IN A  10.0.13.9
+a-maximum-rrset.example.  5M IN A  10.0.13.10
+a-maximum-rrset.example.  5M IN A  10.0.13.11
+a-maximum-rrset.example.  5M IN A  10.0.13.12
+a-maximum-rrset.example.  5M IN A  10.0.13.13
+a-maximum-rrset.example.  5M IN A  10.0.13.14
+a-maximum-rrset.example.  5M IN A  10.0.13.15
+a-maximum-rrset.example.  5M IN A  10.0.13.16
+a-maximum-rrset.example.  5M IN A  10.0.13.17
+a-maximum-rrset.example.  5M IN A  10.0.13.18
+a-maximum-rrset.example.  5M IN A  10.0.13.19
+a-maximum-rrset.example.  5M IN A  10.0.13.20
+a-maximum-rrset.example.  5M IN A  10.0.13.21
+a-maximum-rrset.example.  5M IN A  10.0.13.22
+a-maximum-rrset.example.  5M IN A  10.0.13.23
+a-maximum-rrset.example.  5M IN A  10.0.13.24
+a-maximum-rrset.example.  5M IN A  10.0.13.25
+a-maximum-rrset.example.  5M IN A  10.0.13.26
+a-maximum-rrset.example.  5M IN A  10.0.13.27
+a-maximum-rrset.example.  5M IN A  10.0.13.28
+a-maximum-rrset.example.  5M IN A  10.0.13.29
+a-maximum-rrset.example.  5M IN A  10.0.13.30
+a-maximum-rrset.example.  5M IN A  10.0.13.31
+a-maximum-rrset.example.  5M IN A  10.0.13.32
+a-maximum-rrset.example.  5M IN A  10.0.13.33
+a-maximum-rrset.example.  5M IN A  10.0.13.34
+a-maximum-rrset.example.  5M IN A  10.0.13.35
+a-maximum-rrset.example.  5M IN A  10.0.13.36
+a-maximum-rrset.example.  5M IN A  10.0.13.37
+a-maximum-rrset.example.  5M IN A  10.0.13.38
+a-maximum-rrset.example.  5M IN A  10.0.13.39
+a-maximum-rrset.example.  5M IN A  10.0.13.40
+a-maximum-rrset.example.  5M IN A  10.0.13.41
+a-maximum-rrset.example.  5M IN A  10.0.13.42
+a-maximum-rrset.example.  5M IN A  10.0.13.43
+a-maximum-rrset.example.  5M IN A  10.0.13.44
+a-maximum-rrset.example.  5M IN A  10.0.13.45
+a-maximum-rrset.example.  5M IN A  10.0.13.46
+a-maximum-rrset.example.  5M IN A  10.0.13.47
+a-maximum-rrset.example.  5M IN A  10.0.13.48
+a-maximum-rrset.example.  5M IN A  10.0.13.49
+a-maximum-rrset.example.  5M IN A  10.0.13.50
+a-maximum-rrset.example.  5M IN A  10.0.13.51
+a-maximum-rrset.example.  5M IN A  10.0.13.52
+a-maximum-rrset.example.  5M IN A  10.0.13.53
+a-maximum-rrset.example.  5M IN A  10.0.13.54
+a-maximum-rrset.example.  5M IN A  10.0.13.55
+a-maximum-rrset.example.  5M IN A  10.0.13.56
+a-maximum-rrset.example.  5M IN A  10.0.13.57
+a-maximum-rrset.example.  5M IN A  10.0.13.58
+a-maximum-rrset.example.  5M IN A  10.0.13.59
+a-maximum-rrset.example.  5M IN A  10.0.13.60
+a-maximum-rrset.example.  5M IN A  10.0.13.61
+a-maximum-rrset.example.  5M IN A  10.0.13.62
+a-maximum-rrset.example.  5M IN A  10.0.13.63
+a-maximum-rrset.example.  5M IN A  10.0.13.64
+a-maximum-rrset.example.  5M IN A  10.0.13.65
+a-maximum-rrset.example.  5M IN A  10.0.13.66
+a-maximum-rrset.example.  5M IN A  10.0.13.67
+a-maximum-rrset.example.  5M IN A  10.0.13.68
+a-maximum-rrset.example.  5M IN A  10.0.13.69
+a-maximum-rrset.example.  5M IN A  10.0.13.70
+a-maximum-rrset.example.  5M IN A  10.0.13.71
+a-maximum-rrset.example.  5M IN A  10.0.13.72
+a-maximum-rrset.example.  5M IN A  10.0.13.73
+a-maximum-rrset.example.  5M IN A  10.0.13.74
+a-maximum-rrset.example.  5M IN A  10.0.13.75
+a-maximum-rrset.example.  5M IN A  10.0.13.76
+a-maximum-rrset.example.  5M IN A  10.0.13.77
+a-maximum-rrset.example.  5M IN A  10.0.13.78
+a-maximum-rrset.example.  5M IN A  10.0.13.79
+a-maximum-rrset.example.  5M IN A  10.0.13.80
+a-maximum-rrset.example.  5M IN A  10.0.13.81
+a-maximum-rrset.example.  5M IN A  10.0.13.82
+a-maximum-rrset.example.  5M IN A  10.0.13.83
+a-maximum-rrset.example.  5M IN A  10.0.13.84
+a-maximum-rrset.example.  5M IN A  10.0.13.85
+a-maximum-rrset.example.  5M IN A  10.0.13.86
+a-maximum-rrset.example.  5M IN A  10.0.13.87
+a-maximum-rrset.example.  5M IN A  10.0.13.88
+a-maximum-rrset.example.  5M IN A  10.0.13.89
+a-maximum-rrset.example.  5M IN A  10.0.13.90
+a-maximum-rrset.example.  5M IN A  10.0.13.91
+a-maximum-rrset.example.  5M IN A  10.0.13.92
+a-maximum-rrset.example.  5M IN A  10.0.13.93
+a-maximum-rrset.example.  5M IN A  10.0.13.94
+a-maximum-rrset.example.  5M IN A  10.0.13.95
+a-maximum-rrset.example.  5M IN A  10.0.13.96
+a-maximum-rrset.example.  5M IN A  10.0.13.97
+a-maximum-rrset.example.  5M IN A  10.0.13.98
+a-maximum-rrset.example.  5M IN A  10.0.13.99
+a-maximum-rrset.example.  5M IN A  10.0.13.100
+a-maximum-rrset.example.  5M IN A  10.0.13.101
+a-maximum-rrset.example.  5M IN A  10.0.13.102
+a-maximum-rrset.example.  5M IN A  10.0.13.103
+a-maximum-rrset.example.  5M IN A  10.0.13.104
+a-maximum-rrset.example.  5M IN A  10.0.13.105
+a-maximum-rrset.example.  5M IN A  10.0.13.106
+a-maximum-rrset.example.  5M IN A  10.0.13.107
+a-maximum-rrset.example.  5M IN A  10.0.13.108
+a-maximum-rrset.example.  5M IN A  10.0.13.109
+a-maximum-rrset.example.  5M IN A  10.0.13.110
+a-maximum-rrset.example.  5M IN A  10.0.13.111
+a-maximum-rrset.example.  5M IN A  10.0.13.112
+a-maximum-rrset.example.  5M IN A  10.0.13.113
+a-maximum-rrset.example.  5M IN A  10.0.13.114
+a-maximum-rrset.example.  5M IN A  10.0.13.115
+a-maximum-rrset.example.  5M IN A  10.0.13.116
+a-maximum-rrset.example.  5M IN A  10.0.13.117
+a-maximum-rrset.example.  5M IN A  10.0.13.118
+a-maximum-rrset.example.  5M IN A  10.0.13.119
+a-maximum-rrset.example.  5M IN A  10.0.13.120
+a-maximum-rrset.example.  5M IN A  10.0.13.121
+a-maximum-rrset.example.  5M IN A  10.0.13.122
+a-maximum-rrset.example.  5M IN A  10.0.13.123
+a-maximum-rrset.example.  5M IN A  10.0.13.124
+a-maximum-rrset.example.  5M IN A  10.0.13.125
+a-maximum-rrset.example.  5M IN A  10.0.13.126
+a-maximum-rrset.example.  5M IN A  10.0.13.127
+a-maximum-rrset.example.  5M IN A  10.0.13.128
+a-maximum-rrset.example.  5M IN A  10.0.13.129
+a-maximum-rrset.example.  5M IN A  10.0.13.130
+a-maximum-rrset.example.  5M IN A  10.0.13.131
+a-maximum-rrset.example.  5M IN A  10.0.13.132
+a-maximum-rrset.example.  5M IN A  10.0.13.133
+a-maximum-rrset.example.  5M IN A  10.0.13.134
+a-maximum-rrset.example.  5M IN A  10.0.13.135
+a-maximum-rrset.example.  5M IN A  10.0.13.136
+a-maximum-rrset.example.  5M IN A  10.0.13.137
+a-maximum-rrset.example.  5M IN A  10.0.13.138
+a-maximum-rrset.example.  5M IN A  10.0.13.139
+a-maximum-rrset.example.  5M IN A  10.0.13.140
+a-maximum-rrset.example.  5M IN A  10.0.13.141
+a-maximum-rrset.example.  5M IN A  10.0.13.142
+a-maximum-rrset.example.  5M IN A  10.0.13.143
+a-maximum-rrset.example.  5M IN A  10.0.13.144
+a-maximum-rrset.example.  5M IN A  10.0.13.145
+a-maximum-rrset.example.  5M IN A  10.0.13.146
+a-maximum-rrset.example.  5M IN A  10.0.13.147
+a-maximum-rrset.example.  5M IN A  10.0.13.148
+a-maximum-rrset.example.  5M IN A  10.0.13.149
+a-maximum-rrset.example.  5M IN A  10.0.13.150
+a-maximum-rrset.example.  5M IN A  10.0.13.151
+a-maximum-rrset.example.  5M IN A  10.0.13.152
+a-maximum-rrset.example.  5M IN A  10.0.13.153
+a-maximum-rrset.example.  5M IN A  10.0.13.154
+a-maximum-rrset.example.  5M IN A  10.0.13.155
+a-maximum-rrset.example.  5M IN A  10.0.13.156
+a-maximum-rrset.example.  5M IN A  10.0.13.157
+a-maximum-rrset.example.  5M IN A  10.0.13.158
+a-maximum-rrset.example.  5M IN A  10.0.13.159
+a-maximum-rrset.example.  5M IN A  10.0.13.160
+a-maximum-rrset.example.  5M IN A  10.0.13.161
+a-maximum-rrset.example.  5M IN A  10.0.13.162
+a-maximum-rrset.example.  5M IN A  10.0.13.163
+a-maximum-rrset.example.  5M IN A  10.0.13.164
+a-maximum-rrset.example.  5M IN A  10.0.13.165
+a-maximum-rrset.example.  5M IN A  10.0.13.166
+a-maximum-rrset.example.  5M IN A  10.0.13.167
+a-maximum-rrset.example.  5M IN A  10.0.13.168
+a-maximum-rrset.example.  5M IN A  10.0.13.169
+a-maximum-rrset.example.  5M IN A  10.0.13.170
+a-maximum-rrset.example.  5M IN A  10.0.13.171
+a-maximum-rrset.example.  5M IN A  10.0.13.172
+a-maximum-rrset.example.  5M IN A  10.0.13.173
+a-maximum-rrset.example.  5M IN A  10.0.13.174
+a-maximum-rrset.example.  5M IN A  10.0.13.175
+a-maximum-rrset.example.  5M IN A  10.0.13.176
+a-maximum-rrset.example.  5M IN A  10.0.13.177
+a-maximum-rrset.example.  5M IN A  10.0.13.178
+a-maximum-rrset.example.  5M IN A  10.0.13.179
+a-maximum-rrset.example.  5M IN A  10.0.13.180
+a-maximum-rrset.example.  5M IN A  10.0.13.181
+a-maximum-rrset.example.  5M IN A  10.0.13.182
+a-maximum-rrset.example.  5M IN A  10.0.13.183
+a-maximum-rrset.example.  5M IN A  10.0.13.184
+a-maximum-rrset.example.  5M IN A  10.0.13.185
+a-maximum-rrset.example.  5M IN A  10.0.13.186
+a-maximum-rrset.example.  5M IN A  10.0.13.187
+a-maximum-rrset.example.  5M IN A  10.0.13.188
+a-maximum-rrset.example.  5M IN A  10.0.13.189
+a-maximum-rrset.example.  5M IN A  10.0.13.190
+a-maximum-rrset.example.  5M IN A  10.0.13.191
+a-maximum-rrset.example.  5M IN A  10.0.13.192
+a-maximum-rrset.example.  5M IN A  10.0.13.193
+a-maximum-rrset.example.  5M IN A  10.0.13.194
+a-maximum-rrset.example.  5M IN A  10.0.13.195
+a-maximum-rrset.example.  5M IN A  10.0.13.196
+a-maximum-rrset.example.  5M IN A  10.0.13.197
+a-maximum-rrset.example.  5M IN A  10.0.13.198
+a-maximum-rrset.example.  5M IN A  10.0.13.199
+a-maximum-rrset.example.  5M IN A  10.0.13.200
+a-maximum-rrset.example.  5M IN A  10.0.13.201
+a-maximum-rrset.example.  5M IN A  10.0.13.202
+a-maximum-rrset.example.  5M IN A  10.0.13.203
+a-maximum-rrset.example.  5M IN A  10.0.13.204
+a-maximum-rrset.example.  5M IN A  10.0.13.205
+a-maximum-rrset.example.  5M IN A  10.0.13.206
+a-maximum-rrset.example.  5M IN A  10.0.13.207
+a-maximum-rrset.example.  5M IN A  10.0.13.208
+a-maximum-rrset.example.  5M IN A  10.0.13.209
+a-maximum-rrset.example.  5M IN A  10.0.13.210
+a-maximum-rrset.example.  5M IN A  10.0.13.211
+a-maximum-rrset.example.  5M IN A  10.0.13.212
+a-maximum-rrset.example.  5M IN A  10.0.13.213
+a-maximum-rrset.example.  5M IN A  10.0.13.214
+a-maximum-rrset.example.  5M IN A  10.0.13.215
+a-maximum-rrset.example.  5M IN A  10.0.13.216
+a-maximum-rrset.example.  5M IN A  10.0.13.217
+a-maximum-rrset.example.  5M IN A  10.0.13.218
+a-maximum-rrset.example.  5M IN A  10.0.13.219
+a-maximum-rrset.example.  5M IN A  10.0.13.220
+a-maximum-rrset.example.  5M IN A  10.0.13.221
+a-maximum-rrset.example.  5M IN A  10.0.13.222
+a-maximum-rrset.example.  5M IN A  10.0.13.223
+a-maximum-rrset.example.  5M IN A  10.0.13.224
+a-maximum-rrset.example.  5M IN A  10.0.13.225
+a-maximum-rrset.example.  5M IN A  10.0.13.226
+a-maximum-rrset.example.  5M IN A  10.0.13.227
+a-maximum-rrset.example.  5M IN A  10.0.13.228
+a-maximum-rrset.example.  5M IN A  10.0.13.229
+a-maximum-rrset.example.  5M IN A  10.0.13.230
+a-maximum-rrset.example.  5M IN A  10.0.13.231
+a-maximum-rrset.example.  5M IN A  10.0.13.232
+a-maximum-rrset.example.  5M IN A  10.0.13.233
+a-maximum-rrset.example.  5M IN A  10.0.13.234
+a-maximum-rrset.example.  5M IN A  10.0.13.235
+a-maximum-rrset.example.  5M IN A  10.0.13.236
+a-maximum-rrset.example.  5M IN A  10.0.13.237
+a-maximum-rrset.example.  5M IN A  10.0.13.238
+a-maximum-rrset.example.  5M IN A  10.0.13.239
+a-maximum-rrset.example.  5M IN A  10.0.13.240
+a-maximum-rrset.example.  5M IN A  10.0.13.241
+a-maximum-rrset.example.  5M IN A  10.0.13.242
+a-maximum-rrset.example.  5M IN A  10.0.13.243
+a-maximum-rrset.example.  5M IN A  10.0.13.244
+a-maximum-rrset.example.  5M IN A  10.0.13.245
+a-maximum-rrset.example.  5M IN A  10.0.13.246
+a-maximum-rrset.example.  5M IN A  10.0.13.247
+a-maximum-rrset.example.  5M IN A  10.0.13.248
+a-maximum-rrset.example.  5M IN A  10.0.13.249
+a-maximum-rrset.example.  5M IN A  10.0.13.250
+a-maximum-rrset.example.  5M IN A  10.0.13.251
+a-maximum-rrset.example.  5M IN A  10.0.13.252
+a-maximum-rrset.example.  5M IN A  10.0.13.253
+a-maximum-rrset.example.  5M IN A  10.0.13.254
+a-maximum-rrset.example.  5M IN A  10.0.13.255
+a-maximum-rrset.example.  5M IN A  10.0.14.0
+a-maximum-rrset.example.  5M IN A  10.0.14.1
+a-maximum-rrset.example.  5M IN A  10.0.14.2
+a-maximum-rrset.example.  5M IN A  10.0.14.3
+a-maximum-rrset.example.  5M IN A  10.0.14.4
+a-maximum-rrset.example.  5M IN A  10.0.14.5
+a-maximum-rrset.example.  5M IN A  10.0.14.6
+a-maximum-rrset.example.  5M IN A  10.0.14.7
+a-maximum-rrset.example.  5M IN A  10.0.14.8
+a-maximum-rrset.example.  5M IN A  10.0.14.9
+a-maximum-rrset.example.  5M IN A  10.0.14.10
+a-maximum-rrset.example.  5M IN A  10.0.14.11
+a-maximum-rrset.example.  5M IN A  10.0.14.12
+a-maximum-rrset.example.  5M IN A  10.0.14.13
+a-maximum-rrset.example.  5M IN A  10.0.14.14
+a-maximum-rrset.example.  5M IN A  10.0.14.15
+a-maximum-rrset.example.  5M IN A  10.0.14.16
+a-maximum-rrset.example.  5M IN A  10.0.14.17
+a-maximum-rrset.example.  5M IN A  10.0.14.18
+a-maximum-rrset.example.  5M IN A  10.0.14.19
+a-maximum-rrset.example.  5M IN A  10.0.14.20
+a-maximum-rrset.example.  5M IN A  10.0.14.21
+a-maximum-rrset.example.  5M IN A  10.0.14.22
+a-maximum-rrset.example.  5M IN A  10.0.14.23
+a-maximum-rrset.example.  5M IN A  10.0.14.24
+a-maximum-rrset.example.  5M IN A  10.0.14.25
+a-maximum-rrset.example.  5M IN A  10.0.14.26
+a-maximum-rrset.example.  5M IN A  10.0.14.27
+a-maximum-rrset.example.  5M IN A  10.0.14.28
+a-maximum-rrset.example.  5M IN A  10.0.14.29
+a-maximum-rrset.example.  5M IN A  10.0.14.30
+a-maximum-rrset.example.  5M IN A  10.0.14.31
+a-maximum-rrset.example.  5M IN A  10.0.14.32
+a-maximum-rrset.example.  5M IN A  10.0.14.33
+a-maximum-rrset.example.  5M IN A  10.0.14.34
+a-maximum-rrset.example.  5M IN A  10.0.14.35
+a-maximum-rrset.example.  5M IN A  10.0.14.36
+a-maximum-rrset.example.  5M IN A  10.0.14.37
+a-maximum-rrset.example.  5M IN A  10.0.14.38
+a-maximum-rrset.example.  5M IN A  10.0.14.39
+a-maximum-rrset.example.  5M IN A  10.0.14.40
+a-maximum-rrset.example.  5M IN A  10.0.14.41
+a-maximum-rrset.example.  5M IN A  10.0.14.42
+a-maximum-rrset.example.  5M IN A  10.0.14.43
+a-maximum-rrset.example.  5M IN A  10.0.14.44
+a-maximum-rrset.example.  5M IN A  10.0.14.45
+a-maximum-rrset.example.  5M IN A  10.0.14.46
+a-maximum-rrset.example.  5M IN A  10.0.14.47
+a-maximum-rrset.example.  5M IN A  10.0.14.48
+a-maximum-rrset.example.  5M IN A  10.0.14.49
+a-maximum-rrset.example.  5M IN A  10.0.14.50
+a-maximum-rrset.example.  5M IN A  10.0.14.51
+a-maximum-rrset.example.  5M IN A  10.0.14.52
+a-maximum-rrset.example.  5M IN A  10.0.14.53
+a-maximum-rrset.example.  5M IN A  10.0.14.54
+a-maximum-rrset.example.  5M IN A  10.0.14.55
+a-maximum-rrset.example.  5M IN A  10.0.14.56
+a-maximum-rrset.example.  5M IN A  10.0.14.57
+a-maximum-rrset.example.  5M IN A  10.0.14.58
+a-maximum-rrset.example.  5M IN A  10.0.14.59
+a-maximum-rrset.example.  5M IN A  10.0.14.60
+a-maximum-rrset.example.  5M IN A  10.0.14.61
+a-maximum-rrset.example.  5M IN A  10.0.14.62
+a-maximum-rrset.example.  5M IN A  10.0.14.63
+a-maximum-rrset.example.  5M IN A  10.0.14.64
+a-maximum-rrset.example.  5M IN A  10.0.14.65
+a-maximum-rrset.example.  5M IN A  10.0.14.66
+a-maximum-rrset.example.  5M IN A  10.0.14.67
+a-maximum-rrset.example.  5M IN A  10.0.14.68
+a-maximum-rrset.example.  5M IN A  10.0.14.69
+a-maximum-rrset.example.  5M IN A  10.0.14.70
+a-maximum-rrset.example.  5M IN A  10.0.14.71
+a-maximum-rrset.example.  5M IN A  10.0.14.72
+a-maximum-rrset.example.  5M IN A  10.0.14.73
+a-maximum-rrset.example.  5M IN A  10.0.14.74
+a-maximum-rrset.example.  5M IN A  10.0.14.75
+a-maximum-rrset.example.  5M IN A  10.0.14.76
+a-maximum-rrset.example.  5M IN A  10.0.14.77
+a-maximum-rrset.example.  5M IN A  10.0.14.78
+a-maximum-rrset.example.  5M IN A  10.0.14.79
+a-maximum-rrset.example.  5M IN A  10.0.14.80
+a-maximum-rrset.example.  5M IN A  10.0.14.81
+a-maximum-rrset.example.  5M IN A  10.0.14.82
+a-maximum-rrset.example.  5M IN A  10.0.14.83
+a-maximum-rrset.example.  5M IN A  10.0.14.84
+a-maximum-rrset.example.  5M IN A  10.0.14.85
+a-maximum-rrset.example.  5M IN A  10.0.14.86
+a-maximum-rrset.example.  5M IN A  10.0.14.87
+a-maximum-rrset.example.  5M IN A  10.0.14.88
+a-maximum-rrset.example.  5M IN A  10.0.14.89
+a-maximum-rrset.example.  5M IN A  10.0.14.90
+a-maximum-rrset.example.  5M IN A  10.0.14.91
+a-maximum-rrset.example.  5M IN A  10.0.14.92
+a-maximum-rrset.example.  5M IN A  10.0.14.93
+a-maximum-rrset.example.  5M IN A  10.0.14.94
+a-maximum-rrset.example.  5M IN A  10.0.14.95
+a-maximum-rrset.example.  5M IN A  10.0.14.96
+a-maximum-rrset.example.  5M IN A  10.0.14.97
+a-maximum-rrset.example.  5M IN A  10.0.14.98
+a-maximum-rrset.example.  5M IN A  10.0.14.99
+a-maximum-rrset.example.  5M IN A  10.0.14.100
+a-maximum-rrset.example.  5M IN A  10.0.14.101
+a-maximum-rrset.example.  5M IN A  10.0.14.102
+a-maximum-rrset.example.  5M IN A  10.0.14.103
+a-maximum-rrset.example.  5M IN A  10.0.14.104
+a-maximum-rrset.example.  5M IN A  10.0.14.105
+a-maximum-rrset.example.  5M IN A  10.0.14.106
+a-maximum-rrset.example.  5M IN A  10.0.14.107
+a-maximum-rrset.example.  5M IN A  10.0.14.108
+a-maximum-rrset.example.  5M IN A  10.0.14.109
+a-maximum-rrset.example.  5M IN A  10.0.14.110
+a-maximum-rrset.example.  5M IN A  10.0.14.111
+a-maximum-rrset.example.  5M IN A  10.0.14.112
+a-maximum-rrset.example.  5M IN A  10.0.14.113
+a-maximum-rrset.example.  5M IN A  10.0.14.114
+a-maximum-rrset.example.  5M IN A  10.0.14.115
+a-maximum-rrset.example.  5M IN A  10.0.14.116
+a-maximum-rrset.example.  5M IN A  10.0.14.117
+a-maximum-rrset.example.  5M IN A  10.0.14.118
+a-maximum-rrset.example.  5M IN A  10.0.14.119
+a-maximum-rrset.example.  5M IN A  10.0.14.120
+a-maximum-rrset.example.  5M IN A  10.0.14.121
+a-maximum-rrset.example.  5M IN A  10.0.14.122
+a-maximum-rrset.example.  5M IN A  10.0.14.123
+a-maximum-rrset.example.  5M IN A  10.0.14.124
+a-maximum-rrset.example.  5M IN A  10.0.14.125
+a-maximum-rrset.example.  5M IN A  10.0.14.126
+a-maximum-rrset.example.  5M IN A  10.0.14.127
+a-maximum-rrset.example.  5M IN A  10.0.14.128
+a-maximum-rrset.example.  5M IN A  10.0.14.129
+a-maximum-rrset.example.  5M IN A  10.0.14.130
+a-maximum-rrset.example.  5M IN A  10.0.14.131
+a-maximum-rrset.example.  5M IN A  10.0.14.132
+a-maximum-rrset.example.  5M IN A  10.0.14.133
+a-maximum-rrset.example.  5M IN A  10.0.14.134
+a-maximum-rrset.example.  5M IN A  10.0.14.135
+a-maximum-rrset.example.  5M IN A  10.0.14.136
+a-maximum-rrset.example.  5M IN A  10.0.14.137
+a-maximum-rrset.example.  5M IN A  10.0.14.138
+a-maximum-rrset.example.  5M IN A  10.0.14.139
+a-maximum-rrset.example.  5M IN A  10.0.14.140
+a-maximum-rrset.example.  5M IN A  10.0.14.141
+a-maximum-rrset.example.  5M IN A  10.0.14.142
+a-maximum-rrset.example.  5M IN A  10.0.14.143
+a-maximum-rrset.example.  5M IN A  10.0.14.144
+a-maximum-rrset.example.  5M IN A  10.0.14.145
+a-maximum-rrset.example.  5M IN A  10.0.14.146
+a-maximum-rrset.example.  5M IN A  10.0.14.147
+a-maximum-rrset.example.  5M IN A  10.0.14.148
+a-maximum-rrset.example.  5M IN A  10.0.14.149
+a-maximum-rrset.example.  5M IN A  10.0.14.150
+a-maximum-rrset.example.  5M IN A  10.0.14.151
+a-maximum-rrset.example.  5M IN A  10.0.14.152
+a-maximum-rrset.example.  5M IN A  10.0.14.153
+a-maximum-rrset.example.  5M IN A  10.0.14.154
+a-maximum-rrset.example.  5M IN A  10.0.14.155
+a-maximum-rrset.example.  5M IN A  10.0.14.156
+a-maximum-rrset.example.  5M IN A  10.0.14.157
+a-maximum-rrset.example.  5M IN A  10.0.14.158
+a-maximum-rrset.example.  5M IN A  10.0.14.159
+a-maximum-rrset.example.  5M IN A  10.0.14.160
+a-maximum-rrset.example.  5M IN A  10.0.14.161
+a-maximum-rrset.example.  5M IN A  10.0.14.162
+a-maximum-rrset.example.  5M IN A  10.0.14.163
+a-maximum-rrset.example.  5M IN A  10.0.14.164
+a-maximum-rrset.example.  5M IN A  10.0.14.165
+a-maximum-rrset.example.  5M IN A  10.0.14.166
+a-maximum-rrset.example.  5M IN A  10.0.14.167
+a-maximum-rrset.example.  5M IN A  10.0.14.168
+a-maximum-rrset.example.  5M IN A  10.0.14.169
+a-maximum-rrset.example.  5M IN A  10.0.14.170
+a-maximum-rrset.example.  5M IN A  10.0.14.171
+a-maximum-rrset.example.  5M IN A  10.0.14.172
+a-maximum-rrset.example.  5M IN A  10.0.14.173
+a-maximum-rrset.example.  5M IN A  10.0.14.174
+a-maximum-rrset.example.  5M IN A  10.0.14.175
+a-maximum-rrset.example.  5M IN A  10.0.14.176
+a-maximum-rrset.example.  5M IN A  10.0.14.177
+a-maximum-rrset.example.  5M IN A  10.0.14.178
+a-maximum-rrset.example.  5M IN A  10.0.14.179
+a-maximum-rrset.example.  5M IN A  10.0.14.180
+a-maximum-rrset.example.  5M IN A  10.0.14.181
+a-maximum-rrset.example.  5M IN A  10.0.14.182
+a-maximum-rrset.example.  5M IN A  10.0.14.183
+a-maximum-rrset.example.  5M IN A  10.0.14.184
+a-maximum-rrset.example.  5M IN A  10.0.14.185
+a-maximum-rrset.example.  5M IN A  10.0.14.186
+a-maximum-rrset.example.  5M IN A  10.0.14.187
+a-maximum-rrset.example.  5M IN A  10.0.14.188
+a-maximum-rrset.example.  5M IN A  10.0.14.189
+a-maximum-rrset.example.  5M IN A  10.0.14.190
+a-maximum-rrset.example.  5M IN A  10.0.14.191
+a-maximum-rrset.example.  5M IN A  10.0.14.192
+a-maximum-rrset.example.  5M IN A  10.0.14.193
+a-maximum-rrset.example.  5M IN A  10.0.14.194
+a-maximum-rrset.example.  5M IN A  10.0.14.195
+a-maximum-rrset.example.  5M IN A  10.0.14.196
+a-maximum-rrset.example.  5M IN A  10.0.14.197
+a-maximum-rrset.example.  5M IN A  10.0.14.198
+a-maximum-rrset.example.  5M IN A  10.0.14.199
+a-maximum-rrset.example.  5M IN A  10.0.14.200
+a-maximum-rrset.example.  5M IN A  10.0.14.201
+a-maximum-rrset.example.  5M IN A  10.0.14.202
+a-maximum-rrset.example.  5M IN A  10.0.14.203
+a-maximum-rrset.example.  5M IN A  10.0.14.204
+a-maximum-rrset.example.  5M IN A  10.0.14.205
+a-maximum-rrset.example.  5M IN A  10.0.14.206
+a-maximum-rrset.example.  5M IN A  10.0.14.207
+a-maximum-rrset.example.  5M IN A  10.0.14.208
+a-maximum-rrset.example.  5M IN A  10.0.14.209
+a-maximum-rrset.example.  5M IN A  10.0.14.210
+a-maximum-rrset.example.  5M IN A  10.0.14.211
+a-maximum-rrset.example.  5M IN A  10.0.14.212
+a-maximum-rrset.example.  5M IN A  10.0.14.213
+a-maximum-rrset.example.  5M IN A  10.0.14.214
+a-maximum-rrset.example.  5M IN A  10.0.14.215
+a-maximum-rrset.example.  5M IN A  10.0.14.216
+a-maximum-rrset.example.  5M IN A  10.0.14.217
+a-maximum-rrset.example.  5M IN A  10.0.14.218
+a-maximum-rrset.example.  5M IN A  10.0.14.219
+a-maximum-rrset.example.  5M IN A  10.0.14.220
+a-maximum-rrset.example.  5M IN A  10.0.14.221
+a-maximum-rrset.example.  5M IN A  10.0.14.222
+a-maximum-rrset.example.  5M IN A  10.0.14.223
+a-maximum-rrset.example.  5M IN A  10.0.14.224
+a-maximum-rrset.example.  5M IN A  10.0.14.225
+a-maximum-rrset.example.  5M IN A  10.0.14.226
+a-maximum-rrset.example.  5M IN A  10.0.14.227
+a-maximum-rrset.example.  5M IN A  10.0.14.228
+a-maximum-rrset.example.  5M IN A  10.0.14.229
+a-maximum-rrset.example.  5M IN A  10.0.14.230
+a-maximum-rrset.example.  5M IN A  10.0.14.231
+a-maximum-rrset.example.  5M IN A  10.0.14.232
+a-maximum-rrset.example.  5M IN A  10.0.14.233
+a-maximum-rrset.example.  5M IN A  10.0.14.234
+a-maximum-rrset.example.  5M IN A  10.0.14.235
+a-maximum-rrset.example.  5M IN A  10.0.14.236
+a-maximum-rrset.example.  5M IN A  10.0.14.237
+a-maximum-rrset.example.  5M IN A  10.0.14.238
+a-maximum-rrset.example.  5M IN A  10.0.14.239
+a-maximum-rrset.example.  5M IN A  10.0.14.240
+a-maximum-rrset.example.  5M IN A  10.0.14.241
+a-maximum-rrset.example.  5M IN A  10.0.14.242
+a-maximum-rrset.example.  5M IN A  10.0.14.243
+a-maximum-rrset.example.  5M IN A  10.0.14.244
+a-maximum-rrset.example.  5M IN A  10.0.14.245
+a-maximum-rrset.example.  5M IN A  10.0.14.246
+a-maximum-rrset.example.  5M IN A  10.0.14.247
+a-maximum-rrset.example.  5M IN A  10.0.14.248
+a-maximum-rrset.example.  5M IN A  10.0.14.249
+a-maximum-rrset.example.  5M IN A  10.0.14.250
+a-maximum-rrset.example.  5M IN A  10.0.14.251
+a-maximum-rrset.example.  5M IN A  10.0.14.252
+a-maximum-rrset.example.  5M IN A  10.0.14.253
+a-maximum-rrset.example.  5M IN A  10.0.14.254
+a-maximum-rrset.example.  5M IN A  10.0.14.255
+a-maximum-rrset.example.  5M IN A  10.0.15.0
+a-maximum-rrset.example.  5M IN A  10.0.15.1
+a-maximum-rrset.example.  5M IN A  10.0.15.2
+a-maximum-rrset.example.  5M IN A  10.0.15.3
+a-maximum-rrset.example.  5M IN A  10.0.15.4
+a-maximum-rrset.example.  5M IN A  10.0.15.5
+a-maximum-rrset.example.  5M IN A  10.0.15.6
+a-maximum-rrset.example.  5M IN A  10.0.15.7
+a-maximum-rrset.example.  5M IN A  10.0.15.8
+a-maximum-rrset.example.  5M IN A  10.0.15.9
+a-maximum-rrset.example.  5M IN A  10.0.15.10
+a-maximum-rrset.example.  5M IN A  10.0.15.11
+a-maximum-rrset.example.  5M IN A  10.0.15.12
+a-maximum-rrset.example.  5M IN A  10.0.15.13
+a-maximum-rrset.example.  5M IN A  10.0.15.14
+a-maximum-rrset.example.  5M IN A  10.0.15.15
+a-maximum-rrset.example.  5M IN A  10.0.15.16
+a-maximum-rrset.example.  5M IN A  10.0.15.17
+a-maximum-rrset.example.  5M IN A  10.0.15.18
+a-maximum-rrset.example.  5M IN A  10.0.15.19
+a-maximum-rrset.example.  5M IN A  10.0.15.20
+a-maximum-rrset.example.  5M IN A  10.0.15.21
+a-maximum-rrset.example.  5M IN A  10.0.15.22
+a-maximum-rrset.example.  5M IN A  10.0.15.23
+a-maximum-rrset.example.  5M IN A  10.0.15.24
+a-maximum-rrset.example.  5M IN A  10.0.15.25
+a-maximum-rrset.example.  5M IN A  10.0.15.26
+a-maximum-rrset.example.  5M IN A  10.0.15.27
+a-maximum-rrset.example.  5M IN A  10.0.15.28
+a-maximum-rrset.example.  5M IN A  10.0.15.29
+a-maximum-rrset.example.  5M IN A  10.0.15.30
+a-maximum-rrset.example.  5M IN A  10.0.15.31
+a-maximum-rrset.example.  5M IN A  10.0.15.32
+a-maximum-rrset.example.  5M IN A  10.0.15.33
+a-maximum-rrset.example.  5M IN A  10.0.15.34
+a-maximum-rrset.example.  5M IN A  10.0.15.35
+a-maximum-rrset.example.  5M IN A  10.0.15.36
+a-maximum-rrset.example.  5M IN A  10.0.15.37
+a-maximum-rrset.example.  5M IN A  10.0.15.38
+a-maximum-rrset.example.  5M IN A  10.0.15.39
+a-maximum-rrset.example.  5M IN A  10.0.15.40
+a-maximum-rrset.example.  5M IN A  10.0.15.41
+a-maximum-rrset.example.  5M IN A  10.0.15.42
+a-maximum-rrset.example.  5M IN A  10.0.15.43
+a-maximum-rrset.example.  5M IN A  10.0.15.44
+a-maximum-rrset.example.  5M IN A  10.0.15.45
+a-maximum-rrset.example.  5M IN A  10.0.15.46
+a-maximum-rrset.example.  5M IN A  10.0.15.47
+a-maximum-rrset.example.  5M IN A  10.0.15.48
+a-maximum-rrset.example.  5M IN A  10.0.15.49
+a-maximum-rrset.example.  5M IN A  10.0.15.50
+a-maximum-rrset.example.  5M IN A  10.0.15.51
+a-maximum-rrset.example.  5M IN A  10.0.15.52
+a-maximum-rrset.example.  5M IN A  10.0.15.53
+a-maximum-rrset.example.  5M IN A  10.0.15.54
+a-maximum-rrset.example.  5M IN A  10.0.15.55
+a-maximum-rrset.example.  5M IN A  10.0.15.56
+a-maximum-rrset.example.  5M IN A  10.0.15.57
+a-maximum-rrset.example.  5M IN A  10.0.15.58
+a-maximum-rrset.example.  5M IN A  10.0.15.59
+a-maximum-rrset.example.  5M IN A  10.0.15.60
+a-maximum-rrset.example.  5M IN A  10.0.15.61
+a-maximum-rrset.example.  5M IN A  10.0.15.62
+a-maximum-rrset.example.  5M IN A  10.0.15.63
+a-maximum-rrset.example.  5M IN A  10.0.15.64
+a-maximum-rrset.example.  5M IN A  10.0.15.65
+a-maximum-rrset.example.  5M IN A  10.0.15.66
+a-maximum-rrset.example.  5M IN A  10.0.15.67
+a-maximum-rrset.example.  5M IN A  10.0.15.68
+a-maximum-rrset.example.  5M IN A  10.0.15.69
+a-maximum-rrset.example.  5M IN A  10.0.15.70
+a-maximum-rrset.example.  5M IN A  10.0.15.71
+a-maximum-rrset.example.  5M IN A  10.0.15.72
+a-maximum-rrset.example.  5M IN A  10.0.15.73
+a-maximum-rrset.example.  5M IN A  10.0.15.74
+a-maximum-rrset.example.  5M IN A  10.0.15.75
+a-maximum-rrset.example.  5M IN A  10.0.15.76
+a-maximum-rrset.example.  5M IN A  10.0.15.77
+a-maximum-rrset.example.  5M IN A  10.0.15.78
+a-maximum-rrset.example.  5M IN A  10.0.15.79
+a-maximum-rrset.example.  5M IN A  10.0.15.80
+a-maximum-rrset.example.  5M IN A  10.0.15.81
+a-maximum-rrset.example.  5M IN A  10.0.15.82
+a-maximum-rrset.example.  5M IN A  10.0.15.83
+a-maximum-rrset.example.  5M IN A  10.0.15.84
+a-maximum-rrset.example.  5M IN A  10.0.15.85
+a-maximum-rrset.example.  5M IN A  10.0.15.86
+a-maximum-rrset.example.  5M IN A  10.0.15.87
+a-maximum-rrset.example.  5M IN A  10.0.15.88
+a-maximum-rrset.example.  5M IN A  10.0.15.89
+a-maximum-rrset.example.  5M IN A  10.0.15.90
+a-maximum-rrset.example.  5M IN A  10.0.15.91
+a-maximum-rrset.example.  5M IN A  10.0.15.92
+a-maximum-rrset.example.  5M IN A  10.0.15.93
+a-maximum-rrset.example.  5M IN A  10.0.15.94
+a-maximum-rrset.example.  5M IN A  10.0.15.95
+a-maximum-rrset.example.  5M IN A  10.0.15.96
+a-maximum-rrset.example.  5M IN A  10.0.15.97
+a-maximum-rrset.example.  5M IN A  10.0.15.98
+a-maximum-rrset.example.  5M IN A  10.0.15.99
+a-maximum-rrset.example.  5M IN A  10.0.15.100
+a-maximum-rrset.example.  5M IN A  10.0.15.101
+a-maximum-rrset.example.  5M IN A  10.0.15.102
+a-maximum-rrset.example.  5M IN A  10.0.15.103
+a-maximum-rrset.example.  5M IN A  10.0.15.104
+a-maximum-rrset.example.  5M IN A  10.0.15.105
+a-maximum-rrset.example.  5M IN A  10.0.15.106
+a-maximum-rrset.example.  5M IN A  10.0.15.107
+a-maximum-rrset.example.  5M IN A  10.0.15.108
+a-maximum-rrset.example.  5M IN A  10.0.15.109
+a-maximum-rrset.example.  5M IN A  10.0.15.110
+a-maximum-rrset.example.  5M IN A  10.0.15.111
+a-maximum-rrset.example.  5M IN A  10.0.15.112
+a-maximum-rrset.example.  5M IN A  10.0.15.113
+a-maximum-rrset.example.  5M IN A  10.0.15.114
+a-maximum-rrset.example.  5M IN A  10.0.15.115
+a-maximum-rrset.example.  5M IN A  10.0.15.116
+a-maximum-rrset.example.  5M IN A  10.0.15.117
+a-maximum-rrset.example.  5M IN A  10.0.15.118
+a-maximum-rrset.example.  5M IN A  10.0.15.119
+a-maximum-rrset.example.  5M IN A  10.0.15.120
+a-maximum-rrset.example.  5M IN A  10.0.15.121
+a-maximum-rrset.example.  5M IN A  10.0.15.122
+a-maximum-rrset.example.  5M IN A  10.0.15.123
+a-maximum-rrset.example.  5M IN A  10.0.15.124
+a-maximum-rrset.example.  5M IN A  10.0.15.125
+a-maximum-rrset.example.  5M IN A  10.0.15.126
+a-maximum-rrset.example.  5M IN A  10.0.15.127
+a-maximum-rrset.example.  5M IN A  10.0.15.128
+a-maximum-rrset.example.  5M IN A  10.0.15.129
+a-maximum-rrset.example.  5M IN A  10.0.15.130
+a-maximum-rrset.example.  5M IN A  10.0.15.131
+a-maximum-rrset.example.  5M IN A  10.0.15.132
+a-maximum-rrset.example.  5M IN A  10.0.15.133
+a-maximum-rrset.example.  5M IN A  10.0.15.134
+a-maximum-rrset.example.  5M IN A  10.0.15.135
+a-maximum-rrset.example.  5M IN A  10.0.15.136
+a-maximum-rrset.example.  5M IN A  10.0.15.137
+a-maximum-rrset.example.  5M IN A  10.0.15.138
+a-maximum-rrset.example.  5M IN A  10.0.15.139
+a-maximum-rrset.example.  5M IN A  10.0.15.140
+a-maximum-rrset.example.  5M IN A  10.0.15.141
+a-maximum-rrset.example.  5M IN A  10.0.15.142
+a-maximum-rrset.example.  5M IN A  10.0.15.143
+a-maximum-rrset.example.  5M IN A  10.0.15.144
+a-maximum-rrset.example.  5M IN A  10.0.15.145
+a-maximum-rrset.example.  5M IN A  10.0.15.146
+a-maximum-rrset.example.  5M IN A  10.0.15.147
+a-maximum-rrset.example.  5M IN A  10.0.15.148
+a-maximum-rrset.example.  5M IN A  10.0.15.149
+a-maximum-rrset.example.  5M IN A  10.0.15.150
+a-maximum-rrset.example.  5M IN A  10.0.15.151
+a-maximum-rrset.example.  5M IN A  10.0.15.152
+a-maximum-rrset.example.  5M IN A  10.0.15.153
+a-maximum-rrset.example.  5M IN A  10.0.15.154
+a-maximum-rrset.example.  5M IN A  10.0.15.155
+a-maximum-rrset.example.  5M IN A  10.0.15.156
+a-maximum-rrset.example.  5M IN A  10.0.15.157
+a-maximum-rrset.example.  5M IN A  10.0.15.158
+a-maximum-rrset.example.  5M IN A  10.0.15.159
+a-maximum-rrset.example.  5M IN A  10.1.0.0
+a-maximum-rrset.example.  5M IN A  10.1.0.1
+a-maximum-rrset.example.  5M IN A  10.1.0.2
+a-maximum-rrset.example.  5M IN A  10.1.0.3
+a-maximum-rrset.example.  5M IN A  10.1.0.4
+a-maximum-rrset.example.  5M IN A  10.1.0.5
+a-maximum-rrset.example.  5M IN A  10.1.0.6
+a-maximum-rrset.example.  5M IN A  10.1.0.7
+a-maximum-rrset.example.  5M IN A  10.1.0.8
+a-maximum-rrset.example.  5M IN A  10.1.0.9
+a-maximum-rrset.example.  5M IN A  10.1.0.10
+a-maximum-rrset.example.  5M IN A  10.1.0.11
+a-maximum-rrset.example.  5M IN A  10.1.0.12
+a-maximum-rrset.example.  5M IN A  10.1.0.13
+a-maximum-rrset.example.  5M IN A  10.1.0.14
+a-maximum-rrset.example.  5M IN A  10.1.0.15
+a-maximum-rrset.example.  5M IN A  10.1.0.16
+a-maximum-rrset.example.  5M IN A  10.1.0.17
+a-maximum-rrset.example.  5M IN A  10.1.0.18
+a-maximum-rrset.example.  5M IN A  10.1.0.19
+a-maximum-rrset.example.  5M IN A  10.1.0.20
+a-maximum-rrset.example.  5M IN A  10.1.0.21
+a-maximum-rrset.example.  5M IN A  10.1.0.22
+a-maximum-rrset.example.  5M IN A  10.1.0.23
+a-maximum-rrset.example.  5M IN A  10.1.0.24
+a-maximum-rrset.example.  5M IN A  10.1.0.25
+a-maximum-rrset.example.  5M IN A  10.1.0.26
+a-maximum-rrset.example.  5M IN A  10.1.0.27
+a-maximum-rrset.example.  5M IN A  10.1.0.28
+a-maximum-rrset.example.  5M IN A  10.1.0.29
+a-maximum-rrset.example.  5M IN A  10.1.0.30
+a-maximum-rrset.example.  5M IN A  10.1.0.31
+a-maximum-rrset.example.  5M IN A  10.1.0.32
+a-maximum-rrset.example.  5M IN A  10.1.0.33
+a-maximum-rrset.example.  5M IN A  10.1.0.34
+a-maximum-rrset.example.  5M IN A  10.1.0.35
+a-maximum-rrset.example.  5M IN A  10.1.0.36
+a-maximum-rrset.example.  5M IN A  10.1.0.37
+a-maximum-rrset.example.  5M IN A  10.1.0.38
+a-maximum-rrset.example.  5M IN A  10.1.0.39
+a-maximum-rrset.example.  5M IN A  10.1.0.40
+a-maximum-rrset.example.  5M IN A  10.1.0.41
+a-maximum-rrset.example.  5M IN A  10.1.0.42
+a-maximum-rrset.example.  5M IN A  10.1.0.43
+a-maximum-rrset.example.  5M IN A  10.1.0.44
+a-maximum-rrset.example.  5M IN A  10.1.0.45
+a-maximum-rrset.example.  5M IN A  10.1.0.46
+a-maximum-rrset.example.  5M IN A  10.1.0.47
+a-maximum-rrset.example.  5M IN A  10.1.0.48
+a-maximum-rrset.example.  5M IN A  10.1.0.49
+a-maximum-rrset.example.  5M IN A  10.1.0.50
+a-maximum-rrset.example.  5M IN A  10.1.0.51
+a-maximum-rrset.example.  5M IN A  10.1.0.52
+a-maximum-rrset.example.  5M IN A  10.1.0.53
+a-maximum-rrset.example.  5M IN A  10.1.0.54
+a-maximum-rrset.example.  5M IN A  10.1.0.55
+a-maximum-rrset.example.  5M IN A  10.1.0.56
+a-maximum-rrset.example.  5M IN A  10.1.0.57
+a-maximum-rrset.example.  5M IN A  10.1.0.58
+a-maximum-rrset.example.  5M IN A  10.1.0.59
+a-maximum-rrset.example.  5M IN A  10.1.0.60
+a-maximum-rrset.example.  5M IN A  10.1.0.61
+a-maximum-rrset.example.  5M IN A  10.1.0.62
+a-maximum-rrset.example.  5M IN A  10.1.0.63
+a-maximum-rrset.example.  5M IN A  10.1.0.64
+a-maximum-rrset.example.  5M IN A  10.1.0.65
+a-maximum-rrset.example.  5M IN A  10.1.0.66
+a-maximum-rrset.example.  5M IN A  10.1.0.67
+a-maximum-rrset.example.  5M IN A  10.1.0.68
+a-maximum-rrset.example.  5M IN A  10.1.0.69
+a-maximum-rrset.example.  5M IN A  10.1.0.70
+a-maximum-rrset.example.  5M IN A  10.1.0.71
+a-maximum-rrset.example.  5M IN A  10.1.0.72
+a-maximum-rrset.example.  5M IN A  10.1.0.73
+a-maximum-rrset.example.  5M IN A  10.1.0.74
+a-maximum-rrset.example.  5M IN A  10.1.0.75
+a-maximum-rrset.example.  5M IN A  10.1.0.76
+a-maximum-rrset.example.  5M IN A  10.1.0.77
+a-maximum-rrset.example.  5M IN A  10.1.0.78
+a-maximum-rrset.example.  5M IN A  10.1.0.79
+a-maximum-rrset.example.  5M IN A  10.1.0.80
+a-maximum-rrset.example.  5M IN A  10.1.0.81
+a-maximum-rrset.example.  5M IN A  10.1.0.82
+a-maximum-rrset.example.  5M IN A  10.1.0.83
+a-maximum-rrset.example.  5M IN A  10.1.0.84
+a-maximum-rrset.example.  5M IN A  10.1.0.85
+a-maximum-rrset.example.  5M IN A  10.1.0.86
+a-maximum-rrset.example.  5M IN A  10.1.0.87
+a-maximum-rrset.example.  5M IN A  10.1.0.88
+a-maximum-rrset.example.  5M IN A  10.1.0.89
+a-maximum-rrset.example.  5M IN A  10.1.0.90
+
+;; AUTHORITY SECTION:
+example.		5M IN NS	ns1.example.
+
+;; ADDITIONAL SECTION:
+ns1.example.		5M IN A		10.53.0.1
+
+;; Total query time: 308 msec
+;; FROM: draco to SERVER: 10.53.0.1
+;; WHEN: Fri Jun 23 12:58:22 2000
+;; MSG SIZE  sent: 41  rcvd: 65535
+
diff --git a/bin/tests/system/limits/ns1/example.db b/bin/tests/system/limits/ns1/example.db
new file mode 100644
index 0000000..8998018
--- /dev/null
+++ b/bin/tests/system/limits/ns1/example.db
@@ -0,0 +1,19112 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300        ; 5 minutes
+@                 IN SOA  ns1.example. hostmaster.example. (
+                                2000042795 ; serial
+                                20         ; refresh (20 seconds)
+                                20         ; retry (20 seconds)
+                                1814400    ; expire (3 weeks)
+                                3600       ; minimum (1 hour)
+                                )
+@                NS      ns1.example.
+ns1           A       10.53.0.1
+1000	A	10.0.0.0
+	A	10.0.0.1
+	A	10.0.0.2
+	A	10.0.0.3
+	A	10.0.0.4
+	A	10.0.0.5
+	A	10.0.0.6
+	A	10.0.0.7
+	A	10.0.0.8
+	A	10.0.0.9
+	A	10.0.0.10
+	A	10.0.0.11
+	A	10.0.0.12
+	A	10.0.0.13
+	A	10.0.0.14
+	A	10.0.0.15
+	A	10.0.0.16
+	A	10.0.0.17
+	A	10.0.0.18
+	A	10.0.0.19
+	A	10.0.0.20
+	A	10.0.0.21
+	A	10.0.0.22
+	A	10.0.0.23
+	A	10.0.0.24
+	A	10.0.0.25
+	A	10.0.0.26
+	A	10.0.0.27
+	A	10.0.0.28
+	A	10.0.0.29
+	A	10.0.0.30
+	A	10.0.0.31
+	A	10.0.0.32
+	A	10.0.0.33
+	A	10.0.0.34
+	A	10.0.0.35
+	A	10.0.0.36
+	A	10.0.0.37
+	A	10.0.0.38
+	A	10.0.0.39
+	A	10.0.0.40
+	A	10.0.0.41
+	A	10.0.0.42
+	A	10.0.0.43
+	A	10.0.0.44
+	A	10.0.0.45
+	A	10.0.0.46
+	A	10.0.0.47
+	A	10.0.0.48
+	A	10.0.0.49
+	A	10.0.0.50
+	A	10.0.0.51
+	A	10.0.0.52
+	A	10.0.0.53
+	A	10.0.0.54
+	A	10.0.0.55
+	A	10.0.0.56
+	A	10.0.0.57
+	A	10.0.0.58
+	A	10.0.0.59
+	A	10.0.0.60
+	A	10.0.0.61
+	A	10.0.0.62
+	A	10.0.0.63
+	A	10.0.0.64
+	A	10.0.0.65
+	A	10.0.0.66
+	A	10.0.0.67
+	A	10.0.0.68
+	A	10.0.0.69
+	A	10.0.0.70
+	A	10.0.0.71
+	A	10.0.0.72
+	A	10.0.0.73
+	A	10.0.0.74
+	A	10.0.0.75
+	A	10.0.0.76
+	A	10.0.0.77
+	A	10.0.0.78
+	A	10.0.0.79
+	A	10.0.0.80
+	A	10.0.0.81
+	A	10.0.0.82
+	A	10.0.0.83
+	A	10.0.0.84
+	A	10.0.0.85
+	A	10.0.0.86
+	A	10.0.0.87
+	A	10.0.0.88
+	A	10.0.0.89
+	A	10.0.0.90
+	A	10.0.0.91
+	A	10.0.0.92
+	A	10.0.0.93
+	A	10.0.0.94
+	A	10.0.0.95
+	A	10.0.0.96
+	A	10.0.0.97
+	A	10.0.0.98
+	A	10.0.0.99
+	A	10.0.0.100
+	A	10.0.0.101
+	A	10.0.0.102
+	A	10.0.0.103
+	A	10.0.0.104
+	A	10.0.0.105
+	A	10.0.0.106
+	A	10.0.0.107
+	A	10.0.0.108
+	A	10.0.0.109
+	A	10.0.0.110
+	A	10.0.0.111
+	A	10.0.0.112
+	A	10.0.0.113
+	A	10.0.0.114
+	A	10.0.0.115
+	A	10.0.0.116
+	A	10.0.0.117
+	A	10.0.0.118
+	A	10.0.0.119
+	A	10.0.0.120
+	A	10.0.0.121
+	A	10.0.0.122
+	A	10.0.0.123
+	A	10.0.0.124
+	A	10.0.0.125
+	A	10.0.0.126
+	A	10.0.0.127
+	A	10.0.0.128
+	A	10.0.0.129
+	A	10.0.0.130
+	A	10.0.0.131
+	A	10.0.0.132
+	A	10.0.0.133
+	A	10.0.0.134
+	A	10.0.0.135
+	A	10.0.0.136
+	A	10.0.0.137
+	A	10.0.0.138
+	A	10.0.0.139
+	A	10.0.0.140
+	A	10.0.0.141
+	A	10.0.0.142
+	A	10.0.0.143
+	A	10.0.0.144
+	A	10.0.0.145
+	A	10.0.0.146
+	A	10.0.0.147
+	A	10.0.0.148
+	A	10.0.0.149
+	A	10.0.0.150
+	A	10.0.0.151
+	A	10.0.0.152
+	A	10.0.0.153
+	A	10.0.0.154
+	A	10.0.0.155
+	A	10.0.0.156
+	A	10.0.0.157
+	A	10.0.0.158
+	A	10.0.0.159
+	A	10.0.0.160
+	A	10.0.0.161
+	A	10.0.0.162
+	A	10.0.0.163
+	A	10.0.0.164
+	A	10.0.0.165
+	A	10.0.0.166
+	A	10.0.0.167
+	A	10.0.0.168
+	A	10.0.0.169
+	A	10.0.0.170
+	A	10.0.0.171
+	A	10.0.0.172
+	A	10.0.0.173
+	A	10.0.0.174
+	A	10.0.0.175
+	A	10.0.0.176
+	A	10.0.0.177
+	A	10.0.0.178
+	A	10.0.0.179
+	A	10.0.0.180
+	A	10.0.0.181
+	A	10.0.0.182
+	A	10.0.0.183
+	A	10.0.0.184
+	A	10.0.0.185
+	A	10.0.0.186
+	A	10.0.0.187
+	A	10.0.0.188
+	A	10.0.0.189
+	A	10.0.0.190
+	A	10.0.0.191
+	A	10.0.0.192
+	A	10.0.0.193
+	A	10.0.0.194
+	A	10.0.0.195
+	A	10.0.0.196
+	A	10.0.0.197
+	A	10.0.0.198
+	A	10.0.0.199
+	A	10.0.0.200
+	A	10.0.0.201
+	A	10.0.0.202
+	A	10.0.0.203
+	A	10.0.0.204
+	A	10.0.0.205
+	A	10.0.0.206
+	A	10.0.0.207
+	A	10.0.0.208
+	A	10.0.0.209
+	A	10.0.0.210
+	A	10.0.0.211
+	A	10.0.0.212
+	A	10.0.0.213
+	A	10.0.0.214
+	A	10.0.0.215
+	A	10.0.0.216
+	A	10.0.0.217
+	A	10.0.0.218
+	A	10.0.0.219
+	A	10.0.0.220
+	A	10.0.0.221
+	A	10.0.0.222
+	A	10.0.0.223
+	A	10.0.0.224
+	A	10.0.0.225
+	A	10.0.0.226
+	A	10.0.0.227
+	A	10.0.0.228
+	A	10.0.0.229
+	A	10.0.0.230
+	A	10.0.0.231
+	A	10.0.0.232
+	A	10.0.0.233
+	A	10.0.0.234
+	A	10.0.0.235
+	A	10.0.0.236
+	A	10.0.0.237
+	A	10.0.0.238
+	A	10.0.0.239
+	A	10.0.0.240
+	A	10.0.0.241
+	A	10.0.0.242
+	A	10.0.0.243
+	A	10.0.0.244
+	A	10.0.0.245
+	A	10.0.0.246
+	A	10.0.0.247
+	A	10.0.0.248
+	A	10.0.0.249
+	A	10.0.0.250
+	A	10.0.0.251
+	A	10.0.0.252
+	A	10.0.0.253
+	A	10.0.0.254
+	A	10.0.0.255
+	A	10.0.1.0
+	A	10.0.1.1
+	A	10.0.1.2
+	A	10.0.1.3
+	A	10.0.1.4
+	A	10.0.1.5
+	A	10.0.1.6
+	A	10.0.1.7
+	A	10.0.1.8
+	A	10.0.1.9
+	A	10.0.1.10
+	A	10.0.1.11
+	A	10.0.1.12
+	A	10.0.1.13
+	A	10.0.1.14
+	A	10.0.1.15
+	A	10.0.1.16
+	A	10.0.1.17
+	A	10.0.1.18
+	A	10.0.1.19
+	A	10.0.1.20
+	A	10.0.1.21
+	A	10.0.1.22
+	A	10.0.1.23
+	A	10.0.1.24
+	A	10.0.1.25
+	A	10.0.1.26
+	A	10.0.1.27
+	A	10.0.1.28
+	A	10.0.1.29
+	A	10.0.1.30
+	A	10.0.1.31
+	A	10.0.1.32
+	A	10.0.1.33
+	A	10.0.1.34
+	A	10.0.1.35
+	A	10.0.1.36
+	A	10.0.1.37
+	A	10.0.1.38
+	A	10.0.1.39
+	A	10.0.1.40
+	A	10.0.1.41
+	A	10.0.1.42
+	A	10.0.1.43
+	A	10.0.1.44
+	A	10.0.1.45
+	A	10.0.1.46
+	A	10.0.1.47
+	A	10.0.1.48
+	A	10.0.1.49
+	A	10.0.1.50
+	A	10.0.1.51
+	A	10.0.1.52
+	A	10.0.1.53
+	A	10.0.1.54
+	A	10.0.1.55
+	A	10.0.1.56
+	A	10.0.1.57
+	A	10.0.1.58
+	A	10.0.1.59
+	A	10.0.1.60
+	A	10.0.1.61
+	A	10.0.1.62
+	A	10.0.1.63
+	A	10.0.1.64
+	A	10.0.1.65
+	A	10.0.1.66
+	A	10.0.1.67
+	A	10.0.1.68
+	A	10.0.1.69
+	A	10.0.1.70
+	A	10.0.1.71
+	A	10.0.1.72
+	A	10.0.1.73
+	A	10.0.1.74
+	A	10.0.1.75
+	A	10.0.1.76
+	A	10.0.1.77
+	A	10.0.1.78
+	A	10.0.1.79
+	A	10.0.1.80
+	A	10.0.1.81
+	A	10.0.1.82
+	A	10.0.1.83
+	A	10.0.1.84
+	A	10.0.1.85
+	A	10.0.1.86
+	A	10.0.1.87
+	A	10.0.1.88
+	A	10.0.1.89
+	A	10.0.1.90
+	A	10.0.1.91
+	A	10.0.1.92
+	A	10.0.1.93
+	A	10.0.1.94
+	A	10.0.1.95
+	A	10.0.1.96
+	A	10.0.1.97
+	A	10.0.1.98
+	A	10.0.1.99
+	A	10.0.1.100
+	A	10.0.1.101
+	A	10.0.1.102
+	A	10.0.1.103
+	A	10.0.1.104
+	A	10.0.1.105
+	A	10.0.1.106
+	A	10.0.1.107
+	A	10.0.1.108
+	A	10.0.1.109
+	A	10.0.1.110
+	A	10.0.1.111
+	A	10.0.1.112
+	A	10.0.1.113
+	A	10.0.1.114
+	A	10.0.1.115
+	A	10.0.1.116
+	A	10.0.1.117
+	A	10.0.1.118
+	A	10.0.1.119
+	A	10.0.1.120
+	A	10.0.1.121
+	A	10.0.1.122
+	A	10.0.1.123
+	A	10.0.1.124
+	A	10.0.1.125
+	A	10.0.1.126
+	A	10.0.1.127
+	A	10.0.1.128
+	A	10.0.1.129
+	A	10.0.1.130
+	A	10.0.1.131
+	A	10.0.1.132
+	A	10.0.1.133
+	A	10.0.1.134
+	A	10.0.1.135
+	A	10.0.1.136
+	A	10.0.1.137
+	A	10.0.1.138
+	A	10.0.1.139
+	A	10.0.1.140
+	A	10.0.1.141
+	A	10.0.1.142
+	A	10.0.1.143
+	A	10.0.1.144
+	A	10.0.1.145
+	A	10.0.1.146
+	A	10.0.1.147
+	A	10.0.1.148
+	A	10.0.1.149
+	A	10.0.1.150
+	A	10.0.1.151
+	A	10.0.1.152
+	A	10.0.1.153
+	A	10.0.1.154
+	A	10.0.1.155
+	A	10.0.1.156
+	A	10.0.1.157
+	A	10.0.1.158
+	A	10.0.1.159
+	A	10.0.1.160
+	A	10.0.1.161
+	A	10.0.1.162
+	A	10.0.1.163
+	A	10.0.1.164
+	A	10.0.1.165
+	A	10.0.1.166
+	A	10.0.1.167
+	A	10.0.1.168
+	A	10.0.1.169
+	A	10.0.1.170
+	A	10.0.1.171
+	A	10.0.1.172
+	A	10.0.1.173
+	A	10.0.1.174
+	A	10.0.1.175
+	A	10.0.1.176
+	A	10.0.1.177
+	A	10.0.1.178
+	A	10.0.1.179
+	A	10.0.1.180
+	A	10.0.1.181
+	A	10.0.1.182
+	A	10.0.1.183
+	A	10.0.1.184
+	A	10.0.1.185
+	A	10.0.1.186
+	A	10.0.1.187
+	A	10.0.1.188
+	A	10.0.1.189
+	A	10.0.1.190
+	A	10.0.1.191
+	A	10.0.1.192
+	A	10.0.1.193
+	A	10.0.1.194
+	A	10.0.1.195
+	A	10.0.1.196
+	A	10.0.1.197
+	A	10.0.1.198
+	A	10.0.1.199
+	A	10.0.1.200
+	A	10.0.1.201
+	A	10.0.1.202
+	A	10.0.1.203
+	A	10.0.1.204
+	A	10.0.1.205
+	A	10.0.1.206
+	A	10.0.1.207
+	A	10.0.1.208
+	A	10.0.1.209
+	A	10.0.1.210
+	A	10.0.1.211
+	A	10.0.1.212
+	A	10.0.1.213
+	A	10.0.1.214
+	A	10.0.1.215
+	A	10.0.1.216
+	A	10.0.1.217
+	A	10.0.1.218
+	A	10.0.1.219
+	A	10.0.1.220
+	A	10.0.1.221
+	A	10.0.1.222
+	A	10.0.1.223
+	A	10.0.1.224
+	A	10.0.1.225
+	A	10.0.1.226
+	A	10.0.1.227
+	A	10.0.1.228
+	A	10.0.1.229
+	A	10.0.1.230
+	A	10.0.1.231
+	A	10.0.1.232
+	A	10.0.1.233
+	A	10.0.1.234
+	A	10.0.1.235
+	A	10.0.1.236
+	A	10.0.1.237
+	A	10.0.1.238
+	A	10.0.1.239
+	A	10.0.1.240
+	A	10.0.1.241
+	A	10.0.1.242
+	A	10.0.1.243
+	A	10.0.1.244
+	A	10.0.1.245
+	A	10.0.1.246
+	A	10.0.1.247
+	A	10.0.1.248
+	A	10.0.1.249
+	A	10.0.1.250
+	A	10.0.1.251
+	A	10.0.1.252
+	A	10.0.1.253
+	A	10.0.1.254
+	A	10.0.1.255
+	A	10.0.2.0
+	A	10.0.2.1
+	A	10.0.2.2
+	A	10.0.2.3
+	A	10.0.2.4
+	A	10.0.2.5
+	A	10.0.2.6
+	A	10.0.2.7
+	A	10.0.2.8
+	A	10.0.2.9
+	A	10.0.2.10
+	A	10.0.2.11
+	A	10.0.2.12
+	A	10.0.2.13
+	A	10.0.2.14
+	A	10.0.2.15
+	A	10.0.2.16
+	A	10.0.2.17
+	A	10.0.2.18
+	A	10.0.2.19
+	A	10.0.2.20
+	A	10.0.2.21
+	A	10.0.2.22
+	A	10.0.2.23
+	A	10.0.2.24
+	A	10.0.2.25
+	A	10.0.2.26
+	A	10.0.2.27
+	A	10.0.2.28
+	A	10.0.2.29
+	A	10.0.2.30
+	A	10.0.2.31
+	A	10.0.2.32
+	A	10.0.2.33
+	A	10.0.2.34
+	A	10.0.2.35
+	A	10.0.2.36
+	A	10.0.2.37
+	A	10.0.2.38
+	A	10.0.2.39
+	A	10.0.2.40
+	A	10.0.2.41
+	A	10.0.2.42
+	A	10.0.2.43
+	A	10.0.2.44
+	A	10.0.2.45
+	A	10.0.2.46
+	A	10.0.2.47
+	A	10.0.2.48
+	A	10.0.2.49
+	A	10.0.2.50
+	A	10.0.2.51
+	A	10.0.2.52
+	A	10.0.2.53
+	A	10.0.2.54
+	A	10.0.2.55
+	A	10.0.2.56
+	A	10.0.2.57
+	A	10.0.2.58
+	A	10.0.2.59
+	A	10.0.2.60
+	A	10.0.2.61
+	A	10.0.2.62
+	A	10.0.2.63
+	A	10.0.2.64
+	A	10.0.2.65
+	A	10.0.2.66
+	A	10.0.2.67
+	A	10.0.2.68
+	A	10.0.2.69
+	A	10.0.2.70
+	A	10.0.2.71
+	A	10.0.2.72
+	A	10.0.2.73
+	A	10.0.2.74
+	A	10.0.2.75
+	A	10.0.2.76
+	A	10.0.2.77
+	A	10.0.2.78
+	A	10.0.2.79
+	A	10.0.2.80
+	A	10.0.2.81
+	A	10.0.2.82
+	A	10.0.2.83
+	A	10.0.2.84
+	A	10.0.2.85
+	A	10.0.2.86
+	A	10.0.2.87
+	A	10.0.2.88
+	A	10.0.2.89
+	A	10.0.2.90
+	A	10.0.2.91
+	A	10.0.2.92
+	A	10.0.2.93
+	A	10.0.2.94
+	A	10.0.2.95
+	A	10.0.2.96
+	A	10.0.2.97
+	A	10.0.2.98
+	A	10.0.2.99
+	A	10.0.2.100
+	A	10.0.2.101
+	A	10.0.2.102
+	A	10.0.2.103
+	A	10.0.2.104
+	A	10.0.2.105
+	A	10.0.2.106
+	A	10.0.2.107
+	A	10.0.2.108
+	A	10.0.2.109
+	A	10.0.2.110
+	A	10.0.2.111
+	A	10.0.2.112
+	A	10.0.2.113
+	A	10.0.2.114
+	A	10.0.2.115
+	A	10.0.2.116
+	A	10.0.2.117
+	A	10.0.2.118
+	A	10.0.2.119
+	A	10.0.2.120
+	A	10.0.2.121
+	A	10.0.2.122
+	A	10.0.2.123
+	A	10.0.2.124
+	A	10.0.2.125
+	A	10.0.2.126
+	A	10.0.2.127
+	A	10.0.2.128
+	A	10.0.2.129
+	A	10.0.2.130
+	A	10.0.2.131
+	A	10.0.2.132
+	A	10.0.2.133
+	A	10.0.2.134
+	A	10.0.2.135
+	A	10.0.2.136
+	A	10.0.2.137
+	A	10.0.2.138
+	A	10.0.2.139
+	A	10.0.2.140
+	A	10.0.2.141
+	A	10.0.2.142
+	A	10.0.2.143
+	A	10.0.2.144
+	A	10.0.2.145
+	A	10.0.2.146
+	A	10.0.2.147
+	A	10.0.2.148
+	A	10.0.2.149
+	A	10.0.2.150
+	A	10.0.2.151
+	A	10.0.2.152
+	A	10.0.2.153
+	A	10.0.2.154
+	A	10.0.2.155
+	A	10.0.2.156
+	A	10.0.2.157
+	A	10.0.2.158
+	A	10.0.2.159
+	A	10.0.2.160
+	A	10.0.2.161
+	A	10.0.2.162
+	A	10.0.2.163
+	A	10.0.2.164
+	A	10.0.2.165
+	A	10.0.2.166
+	A	10.0.2.167
+	A	10.0.2.168
+	A	10.0.2.169
+	A	10.0.2.170
+	A	10.0.2.171
+	A	10.0.2.172
+	A	10.0.2.173
+	A	10.0.2.174
+	A	10.0.2.175
+	A	10.0.2.176
+	A	10.0.2.177
+	A	10.0.2.178
+	A	10.0.2.179
+	A	10.0.2.180
+	A	10.0.2.181
+	A	10.0.2.182
+	A	10.0.2.183
+	A	10.0.2.184
+	A	10.0.2.185
+	A	10.0.2.186
+	A	10.0.2.187
+	A	10.0.2.188
+	A	10.0.2.189
+	A	10.0.2.190
+	A	10.0.2.191
+	A	10.0.2.192
+	A	10.0.2.193
+	A	10.0.2.194
+	A	10.0.2.195
+	A	10.0.2.196
+	A	10.0.2.197
+	A	10.0.2.198
+	A	10.0.2.199
+	A	10.0.2.200
+	A	10.0.2.201
+	A	10.0.2.202
+	A	10.0.2.203
+	A	10.0.2.204
+	A	10.0.2.205
+	A	10.0.2.206
+	A	10.0.2.207
+	A	10.0.2.208
+	A	10.0.2.209
+	A	10.0.2.210
+	A	10.0.2.211
+	A	10.0.2.212
+	A	10.0.2.213
+	A	10.0.2.214
+	A	10.0.2.215
+	A	10.0.2.216
+	A	10.0.2.217
+	A	10.0.2.218
+	A	10.0.2.219
+	A	10.0.2.220
+	A	10.0.2.221
+	A	10.0.2.222
+	A	10.0.2.223
+	A	10.0.2.224
+	A	10.0.2.225
+	A	10.0.2.226
+	A	10.0.2.227
+	A	10.0.2.228
+	A	10.0.2.229
+	A	10.0.2.230
+	A	10.0.2.231
+	A	10.0.2.232
+	A	10.0.2.233
+	A	10.0.2.234
+	A	10.0.2.235
+	A	10.0.2.236
+	A	10.0.2.237
+	A	10.0.2.238
+	A	10.0.2.239
+	A	10.0.2.240
+	A	10.0.2.241
+	A	10.0.2.242
+	A	10.0.2.243
+	A	10.0.2.244
+	A	10.0.2.245
+	A	10.0.2.246
+	A	10.0.2.247
+	A	10.0.2.248
+	A	10.0.2.249
+	A	10.0.2.250
+	A	10.0.2.251
+	A	10.0.2.252
+	A	10.0.2.253
+	A	10.0.2.254
+	A	10.0.2.255
+	A	10.0.3.0
+	A	10.0.3.1
+	A	10.0.3.2
+	A	10.0.3.3
+	A	10.0.3.4
+	A	10.0.3.5
+	A	10.0.3.6
+	A	10.0.3.7
+	A	10.0.3.8
+	A	10.0.3.9
+	A	10.0.3.10
+	A	10.0.3.11
+	A	10.0.3.12
+	A	10.0.3.13
+	A	10.0.3.14
+	A	10.0.3.15
+	A	10.0.3.16
+	A	10.0.3.17
+	A	10.0.3.18
+	A	10.0.3.19
+	A	10.0.3.20
+	A	10.0.3.21
+	A	10.0.3.22
+	A	10.0.3.23
+	A	10.0.3.24
+	A	10.0.3.25
+	A	10.0.3.26
+	A	10.0.3.27
+	A	10.0.3.28
+	A	10.0.3.29
+	A	10.0.3.30
+	A	10.0.3.31
+	A	10.0.3.32
+	A	10.0.3.33
+	A	10.0.3.34
+	A	10.0.3.35
+	A	10.0.3.36
+	A	10.0.3.37
+	A	10.0.3.38
+	A	10.0.3.39
+	A	10.0.3.40
+	A	10.0.3.41
+	A	10.0.3.42
+	A	10.0.3.43
+	A	10.0.3.44
+	A	10.0.3.45
+	A	10.0.3.46
+	A	10.0.3.47
+	A	10.0.3.48
+	A	10.0.3.49
+	A	10.0.3.50
+	A	10.0.3.51
+	A	10.0.3.52
+	A	10.0.3.53
+	A	10.0.3.54
+	A	10.0.3.55
+	A	10.0.3.56
+	A	10.0.3.57
+	A	10.0.3.58
+	A	10.0.3.59
+	A	10.0.3.60
+	A	10.0.3.61
+	A	10.0.3.62
+	A	10.0.3.63
+	A	10.0.3.64
+	A	10.0.3.65
+	A	10.0.3.66
+	A	10.0.3.67
+	A	10.0.3.68
+	A	10.0.3.69
+	A	10.0.3.70
+	A	10.0.3.71
+	A	10.0.3.72
+	A	10.0.3.73
+	A	10.0.3.74
+	A	10.0.3.75
+	A	10.0.3.76
+	A	10.0.3.77
+	A	10.0.3.78
+	A	10.0.3.79
+	A	10.0.3.80
+	A	10.0.3.81
+	A	10.0.3.82
+	A	10.0.3.83
+	A	10.0.3.84
+	A	10.0.3.85
+	A	10.0.3.86
+	A	10.0.3.87
+	A	10.0.3.88
+	A	10.0.3.89
+	A	10.0.3.90
+	A	10.0.3.91
+	A	10.0.3.92
+	A	10.0.3.93
+	A	10.0.3.94
+	A	10.0.3.95
+	A	10.0.3.96
+	A	10.0.3.97
+	A	10.0.3.98
+	A	10.0.3.99
+	A	10.0.3.100
+	A	10.0.3.101
+	A	10.0.3.102
+	A	10.0.3.103
+	A	10.0.3.104
+	A	10.0.3.105
+	A	10.0.3.106
+	A	10.0.3.107
+	A	10.0.3.108
+	A	10.0.3.109
+	A	10.0.3.110
+	A	10.0.3.111
+	A	10.0.3.112
+	A	10.0.3.113
+	A	10.0.3.114
+	A	10.0.3.115
+	A	10.0.3.116
+	A	10.0.3.117
+	A	10.0.3.118
+	A	10.0.3.119
+	A	10.0.3.120
+	A	10.0.3.121
+	A	10.0.3.122
+	A	10.0.3.123
+	A	10.0.3.124
+	A	10.0.3.125
+	A	10.0.3.126
+	A	10.0.3.127
+	A	10.0.3.128
+	A	10.0.3.129
+	A	10.0.3.130
+	A	10.0.3.131
+	A	10.0.3.132
+	A	10.0.3.133
+	A	10.0.3.134
+	A	10.0.3.135
+	A	10.0.3.136
+	A	10.0.3.137
+	A	10.0.3.138
+	A	10.0.3.139
+	A	10.0.3.140
+	A	10.0.3.141
+	A	10.0.3.142
+	A	10.0.3.143
+	A	10.0.3.144
+	A	10.0.3.145
+	A	10.0.3.146
+	A	10.0.3.147
+	A	10.0.3.148
+	A	10.0.3.149
+	A	10.0.3.150
+	A	10.0.3.151
+	A	10.0.3.152
+	A	10.0.3.153
+	A	10.0.3.154
+	A	10.0.3.155
+	A	10.0.3.156
+	A	10.0.3.157
+	A	10.0.3.158
+	A	10.0.3.159
+	A	10.0.3.160
+	A	10.0.3.161
+	A	10.0.3.162
+	A	10.0.3.163
+	A	10.0.3.164
+	A	10.0.3.165
+	A	10.0.3.166
+	A	10.0.3.167
+	A	10.0.3.168
+	A	10.0.3.169
+	A	10.0.3.170
+	A	10.0.3.171
+	A	10.0.3.172
+	A	10.0.3.173
+	A	10.0.3.174
+	A	10.0.3.175
+	A	10.0.3.176
+	A	10.0.3.177
+	A	10.0.3.178
+	A	10.0.3.179
+	A	10.0.3.180
+	A	10.0.3.181
+	A	10.0.3.182
+	A	10.0.3.183
+	A	10.0.3.184
+	A	10.0.3.185
+	A	10.0.3.186
+	A	10.0.3.187
+	A	10.0.3.188
+	A	10.0.3.189
+	A	10.0.3.190
+	A	10.0.3.191
+	A	10.0.3.192
+	A	10.0.3.193
+	A	10.0.3.194
+	A	10.0.3.195
+	A	10.0.3.196
+	A	10.0.3.197
+	A	10.0.3.198
+	A	10.0.3.199
+	A	10.0.3.200
+	A	10.0.3.201
+	A	10.0.3.202
+	A	10.0.3.203
+	A	10.0.3.204
+	A	10.0.3.205
+	A	10.0.3.206
+	A	10.0.3.207
+	A	10.0.3.208
+	A	10.0.3.209
+	A	10.0.3.210
+	A	10.0.3.211
+	A	10.0.3.212
+	A	10.0.3.213
+	A	10.0.3.214
+	A	10.0.3.215
+	A	10.0.3.216
+	A	10.0.3.217
+	A	10.0.3.218
+	A	10.0.3.219
+	A	10.0.3.220
+	A	10.0.3.221
+	A	10.0.3.222
+	A	10.0.3.223
+	A	10.0.3.224
+	A	10.0.3.225
+	A	10.0.3.226
+	A	10.0.3.227
+	A	10.0.3.228
+	A	10.0.3.229
+	A	10.0.3.230
+	A	10.0.3.231
+2000	A	10.0.0.0
+	A	10.0.0.1
+	A	10.0.0.2
+	A	10.0.0.3
+	A	10.0.0.4
+	A	10.0.0.5
+	A	10.0.0.6
+	A	10.0.0.7
+	A	10.0.0.8
+	A	10.0.0.9
+	A	10.0.0.10
+	A	10.0.0.11
+	A	10.0.0.12
+	A	10.0.0.13
+	A	10.0.0.14
+	A	10.0.0.15
+	A	10.0.0.16
+	A	10.0.0.17
+	A	10.0.0.18
+	A	10.0.0.19
+	A	10.0.0.20
+	A	10.0.0.21
+	A	10.0.0.22
+	A	10.0.0.23
+	A	10.0.0.24
+	A	10.0.0.25
+	A	10.0.0.26
+	A	10.0.0.27
+	A	10.0.0.28
+	A	10.0.0.29
+	A	10.0.0.30
+	A	10.0.0.31
+	A	10.0.0.32
+	A	10.0.0.33
+	A	10.0.0.34
+	A	10.0.0.35
+	A	10.0.0.36
+	A	10.0.0.37
+	A	10.0.0.38
+	A	10.0.0.39
+	A	10.0.0.40
+	A	10.0.0.41
+	A	10.0.0.42
+	A	10.0.0.43
+	A	10.0.0.44
+	A	10.0.0.45
+	A	10.0.0.46
+	A	10.0.0.47
+	A	10.0.0.48
+	A	10.0.0.49
+	A	10.0.0.50
+	A	10.0.0.51
+	A	10.0.0.52
+	A	10.0.0.53
+	A	10.0.0.54
+	A	10.0.0.55
+	A	10.0.0.56
+	A	10.0.0.57
+	A	10.0.0.58
+	A	10.0.0.59
+	A	10.0.0.60
+	A	10.0.0.61
+	A	10.0.0.62
+	A	10.0.0.63
+	A	10.0.0.64
+	A	10.0.0.65
+	A	10.0.0.66
+	A	10.0.0.67
+	A	10.0.0.68
+	A	10.0.0.69
+	A	10.0.0.70
+	A	10.0.0.71
+	A	10.0.0.72
+	A	10.0.0.73
+	A	10.0.0.74
+	A	10.0.0.75
+	A	10.0.0.76
+	A	10.0.0.77
+	A	10.0.0.78
+	A	10.0.0.79
+	A	10.0.0.80
+	A	10.0.0.81
+	A	10.0.0.82
+	A	10.0.0.83
+	A	10.0.0.84
+	A	10.0.0.85
+	A	10.0.0.86
+	A	10.0.0.87
+	A	10.0.0.88
+	A	10.0.0.89
+	A	10.0.0.90
+	A	10.0.0.91
+	A	10.0.0.92
+	A	10.0.0.93
+	A	10.0.0.94
+	A	10.0.0.95
+	A	10.0.0.96
+	A	10.0.0.97
+	A	10.0.0.98
+	A	10.0.0.99
+	A	10.0.0.100
+	A	10.0.0.101
+	A	10.0.0.102
+	A	10.0.0.103
+	A	10.0.0.104
+	A	10.0.0.105
+	A	10.0.0.106
+	A	10.0.0.107
+	A	10.0.0.108
+	A	10.0.0.109
+	A	10.0.0.110
+	A	10.0.0.111
+	A	10.0.0.112
+	A	10.0.0.113
+	A	10.0.0.114
+	A	10.0.0.115
+	A	10.0.0.116
+	A	10.0.0.117
+	A	10.0.0.118
+	A	10.0.0.119
+	A	10.0.0.120
+	A	10.0.0.121
+	A	10.0.0.122
+	A	10.0.0.123
+	A	10.0.0.124
+	A	10.0.0.125
+	A	10.0.0.126
+	A	10.0.0.127
+	A	10.0.0.128
+	A	10.0.0.129
+	A	10.0.0.130
+	A	10.0.0.131
+	A	10.0.0.132
+	A	10.0.0.133
+	A	10.0.0.134
+	A	10.0.0.135
+	A	10.0.0.136
+	A	10.0.0.137
+	A	10.0.0.138
+	A	10.0.0.139
+	A	10.0.0.140
+	A	10.0.0.141
+	A	10.0.0.142
+	A	10.0.0.143
+	A	10.0.0.144
+	A	10.0.0.145
+	A	10.0.0.146
+	A	10.0.0.147
+	A	10.0.0.148
+	A	10.0.0.149
+	A	10.0.0.150
+	A	10.0.0.151
+	A	10.0.0.152
+	A	10.0.0.153
+	A	10.0.0.154
+	A	10.0.0.155
+	A	10.0.0.156
+	A	10.0.0.157
+	A	10.0.0.158
+	A	10.0.0.159
+	A	10.0.0.160
+	A	10.0.0.161
+	A	10.0.0.162
+	A	10.0.0.163
+	A	10.0.0.164
+	A	10.0.0.165
+	A	10.0.0.166
+	A	10.0.0.167
+	A	10.0.0.168
+	A	10.0.0.169
+	A	10.0.0.170
+	A	10.0.0.171
+	A	10.0.0.172
+	A	10.0.0.173
+	A	10.0.0.174
+	A	10.0.0.175
+	A	10.0.0.176
+	A	10.0.0.177
+	A	10.0.0.178
+	A	10.0.0.179
+	A	10.0.0.180
+	A	10.0.0.181
+	A	10.0.0.182
+	A	10.0.0.183
+	A	10.0.0.184
+	A	10.0.0.185
+	A	10.0.0.186
+	A	10.0.0.187
+	A	10.0.0.188
+	A	10.0.0.189
+	A	10.0.0.190
+	A	10.0.0.191
+	A	10.0.0.192
+	A	10.0.0.193
+	A	10.0.0.194
+	A	10.0.0.195
+	A	10.0.0.196
+	A	10.0.0.197
+	A	10.0.0.198
+	A	10.0.0.199
+	A	10.0.0.200
+	A	10.0.0.201
+	A	10.0.0.202
+	A	10.0.0.203
+	A	10.0.0.204
+	A	10.0.0.205
+	A	10.0.0.206
+	A	10.0.0.207
+	A	10.0.0.208
+	A	10.0.0.209
+	A	10.0.0.210
+	A	10.0.0.211
+	A	10.0.0.212
+	A	10.0.0.213
+	A	10.0.0.214
+	A	10.0.0.215
+	A	10.0.0.216
+	A	10.0.0.217
+	A	10.0.0.218
+	A	10.0.0.219
+	A	10.0.0.220
+	A	10.0.0.221
+	A	10.0.0.222
+	A	10.0.0.223
+	A	10.0.0.224
+	A	10.0.0.225
+	A	10.0.0.226
+	A	10.0.0.227
+	A	10.0.0.228
+	A	10.0.0.229
+	A	10.0.0.230
+	A	10.0.0.231
+	A	10.0.0.232
+	A	10.0.0.233
+	A	10.0.0.234
+	A	10.0.0.235
+	A	10.0.0.236
+	A	10.0.0.237
+	A	10.0.0.238
+	A	10.0.0.239
+	A	10.0.0.240
+	A	10.0.0.241
+	A	10.0.0.242
+	A	10.0.0.243
+	A	10.0.0.244
+	A	10.0.0.245
+	A	10.0.0.246
+	A	10.0.0.247
+	A	10.0.0.248
+	A	10.0.0.249
+	A	10.0.0.250
+	A	10.0.0.251
+	A	10.0.0.252
+	A	10.0.0.253
+	A	10.0.0.254
+	A	10.0.0.255
+	A	10.0.1.0
+	A	10.0.1.1
+	A	10.0.1.2
+	A	10.0.1.3
+	A	10.0.1.4
+	A	10.0.1.5
+	A	10.0.1.6
+	A	10.0.1.7
+	A	10.0.1.8
+	A	10.0.1.9
+	A	10.0.1.10
+	A	10.0.1.11
+	A	10.0.1.12
+	A	10.0.1.13
+	A	10.0.1.14
+	A	10.0.1.15
+	A	10.0.1.16
+	A	10.0.1.17
+	A	10.0.1.18
+	A	10.0.1.19
+	A	10.0.1.20
+	A	10.0.1.21
+	A	10.0.1.22
+	A	10.0.1.23
+	A	10.0.1.24
+	A	10.0.1.25
+	A	10.0.1.26
+	A	10.0.1.27
+	A	10.0.1.28
+	A	10.0.1.29
+	A	10.0.1.30
+	A	10.0.1.31
+	A	10.0.1.32
+	A	10.0.1.33
+	A	10.0.1.34
+	A	10.0.1.35
+	A	10.0.1.36
+	A	10.0.1.37
+	A	10.0.1.38
+	A	10.0.1.39
+	A	10.0.1.40
+	A	10.0.1.41
+	A	10.0.1.42
+	A	10.0.1.43
+	A	10.0.1.44
+	A	10.0.1.45
+	A	10.0.1.46
+	A	10.0.1.47
+	A	10.0.1.48
+	A	10.0.1.49
+	A	10.0.1.50
+	A	10.0.1.51
+	A	10.0.1.52
+	A	10.0.1.53
+	A	10.0.1.54
+	A	10.0.1.55
+	A	10.0.1.56
+	A	10.0.1.57
+	A	10.0.1.58
+	A	10.0.1.59
+	A	10.0.1.60
+	A	10.0.1.61
+	A	10.0.1.62
+	A	10.0.1.63
+	A	10.0.1.64
+	A	10.0.1.65
+	A	10.0.1.66
+	A	10.0.1.67
+	A	10.0.1.68
+	A	10.0.1.69
+	A	10.0.1.70
+	A	10.0.1.71
+	A	10.0.1.72
+	A	10.0.1.73
+	A	10.0.1.74
+	A	10.0.1.75
+	A	10.0.1.76
+	A	10.0.1.77
+	A	10.0.1.78
+	A	10.0.1.79
+	A	10.0.1.80
+	A	10.0.1.81
+	A	10.0.1.82
+	A	10.0.1.83
+	A	10.0.1.84
+	A	10.0.1.85
+	A	10.0.1.86
+	A	10.0.1.87
+	A	10.0.1.88
+	A	10.0.1.89
+	A	10.0.1.90
+	A	10.0.1.91
+	A	10.0.1.92
+	A	10.0.1.93
+	A	10.0.1.94
+	A	10.0.1.95
+	A	10.0.1.96
+	A	10.0.1.97
+	A	10.0.1.98
+	A	10.0.1.99
+	A	10.0.1.100
+	A	10.0.1.101
+	A	10.0.1.102
+	A	10.0.1.103
+	A	10.0.1.104
+	A	10.0.1.105
+	A	10.0.1.106
+	A	10.0.1.107
+	A	10.0.1.108
+	A	10.0.1.109
+	A	10.0.1.110
+	A	10.0.1.111
+	A	10.0.1.112
+	A	10.0.1.113
+	A	10.0.1.114
+	A	10.0.1.115
+	A	10.0.1.116
+	A	10.0.1.117
+	A	10.0.1.118
+	A	10.0.1.119
+	A	10.0.1.120
+	A	10.0.1.121
+	A	10.0.1.122
+	A	10.0.1.123
+	A	10.0.1.124
+	A	10.0.1.125
+	A	10.0.1.126
+	A	10.0.1.127
+	A	10.0.1.128
+	A	10.0.1.129
+	A	10.0.1.130
+	A	10.0.1.131
+	A	10.0.1.132
+	A	10.0.1.133
+	A	10.0.1.134
+	A	10.0.1.135
+	A	10.0.1.136
+	A	10.0.1.137
+	A	10.0.1.138
+	A	10.0.1.139
+	A	10.0.1.140
+	A	10.0.1.141
+	A	10.0.1.142
+	A	10.0.1.143
+	A	10.0.1.144
+	A	10.0.1.145
+	A	10.0.1.146
+	A	10.0.1.147
+	A	10.0.1.148
+	A	10.0.1.149
+	A	10.0.1.150
+	A	10.0.1.151
+	A	10.0.1.152
+	A	10.0.1.153
+	A	10.0.1.154
+	A	10.0.1.155
+	A	10.0.1.156
+	A	10.0.1.157
+	A	10.0.1.158
+	A	10.0.1.159
+	A	10.0.1.160
+	A	10.0.1.161
+	A	10.0.1.162
+	A	10.0.1.163
+	A	10.0.1.164
+	A	10.0.1.165
+	A	10.0.1.166
+	A	10.0.1.167
+	A	10.0.1.168
+	A	10.0.1.169
+	A	10.0.1.170
+	A	10.0.1.171
+	A	10.0.1.172
+	A	10.0.1.173
+	A	10.0.1.174
+	A	10.0.1.175
+	A	10.0.1.176
+	A	10.0.1.177
+	A	10.0.1.178
+	A	10.0.1.179
+	A	10.0.1.180
+	A	10.0.1.181
+	A	10.0.1.182
+	A	10.0.1.183
+	A	10.0.1.184
+	A	10.0.1.185
+	A	10.0.1.186
+	A	10.0.1.187
+	A	10.0.1.188
+	A	10.0.1.189
+	A	10.0.1.190
+	A	10.0.1.191
+	A	10.0.1.192
+	A	10.0.1.193
+	A	10.0.1.194
+	A	10.0.1.195
+	A	10.0.1.196
+	A	10.0.1.197
+	A	10.0.1.198
+	A	10.0.1.199
+	A	10.0.1.200
+	A	10.0.1.201
+	A	10.0.1.202
+	A	10.0.1.203
+	A	10.0.1.204
+	A	10.0.1.205
+	A	10.0.1.206
+	A	10.0.1.207
+	A	10.0.1.208
+	A	10.0.1.209
+	A	10.0.1.210
+	A	10.0.1.211
+	A	10.0.1.212
+	A	10.0.1.213
+	A	10.0.1.214
+	A	10.0.1.215
+	A	10.0.1.216
+	A	10.0.1.217
+	A	10.0.1.218
+	A	10.0.1.219
+	A	10.0.1.220
+	A	10.0.1.221
+	A	10.0.1.222
+	A	10.0.1.223
+	A	10.0.1.224
+	A	10.0.1.225
+	A	10.0.1.226
+	A	10.0.1.227
+	A	10.0.1.228
+	A	10.0.1.229
+	A	10.0.1.230
+	A	10.0.1.231
+	A	10.0.1.232
+	A	10.0.1.233
+	A	10.0.1.234
+	A	10.0.1.235
+	A	10.0.1.236
+	A	10.0.1.237
+	A	10.0.1.238
+	A	10.0.1.239
+	A	10.0.1.240
+	A	10.0.1.241
+	A	10.0.1.242
+	A	10.0.1.243
+	A	10.0.1.244
+	A	10.0.1.245
+	A	10.0.1.246
+	A	10.0.1.247
+	A	10.0.1.248
+	A	10.0.1.249
+	A	10.0.1.250
+	A	10.0.1.251
+	A	10.0.1.252
+	A	10.0.1.253
+	A	10.0.1.254
+	A	10.0.1.255
+	A	10.0.2.0
+	A	10.0.2.1
+	A	10.0.2.2
+	A	10.0.2.3
+	A	10.0.2.4
+	A	10.0.2.5
+	A	10.0.2.6
+	A	10.0.2.7
+	A	10.0.2.8
+	A	10.0.2.9
+	A	10.0.2.10
+	A	10.0.2.11
+	A	10.0.2.12
+	A	10.0.2.13
+	A	10.0.2.14
+	A	10.0.2.15
+	A	10.0.2.16
+	A	10.0.2.17
+	A	10.0.2.18
+	A	10.0.2.19
+	A	10.0.2.20
+	A	10.0.2.21
+	A	10.0.2.22
+	A	10.0.2.23
+	A	10.0.2.24
+	A	10.0.2.25
+	A	10.0.2.26
+	A	10.0.2.27
+	A	10.0.2.28
+	A	10.0.2.29
+	A	10.0.2.30
+	A	10.0.2.31
+	A	10.0.2.32
+	A	10.0.2.33
+	A	10.0.2.34
+	A	10.0.2.35
+	A	10.0.2.36
+	A	10.0.2.37
+	A	10.0.2.38
+	A	10.0.2.39
+	A	10.0.2.40
+	A	10.0.2.41
+	A	10.0.2.42
+	A	10.0.2.43
+	A	10.0.2.44
+	A	10.0.2.45
+	A	10.0.2.46
+	A	10.0.2.47
+	A	10.0.2.48
+	A	10.0.2.49
+	A	10.0.2.50
+	A	10.0.2.51
+	A	10.0.2.52
+	A	10.0.2.53
+	A	10.0.2.54
+	A	10.0.2.55
+	A	10.0.2.56
+	A	10.0.2.57
+	A	10.0.2.58
+	A	10.0.2.59
+	A	10.0.2.60
+	A	10.0.2.61
+	A	10.0.2.62
+	A	10.0.2.63
+	A	10.0.2.64
+	A	10.0.2.65
+	A	10.0.2.66
+	A	10.0.2.67
+	A	10.0.2.68
+	A	10.0.2.69
+	A	10.0.2.70
+	A	10.0.2.71
+	A	10.0.2.72
+	A	10.0.2.73
+	A	10.0.2.74
+	A	10.0.2.75
+	A	10.0.2.76
+	A	10.0.2.77
+	A	10.0.2.78
+	A	10.0.2.79
+	A	10.0.2.80
+	A	10.0.2.81
+	A	10.0.2.82
+	A	10.0.2.83
+	A	10.0.2.84
+	A	10.0.2.85
+	A	10.0.2.86
+	A	10.0.2.87
+	A	10.0.2.88
+	A	10.0.2.89
+	A	10.0.2.90
+	A	10.0.2.91
+	A	10.0.2.92
+	A	10.0.2.93
+	A	10.0.2.94
+	A	10.0.2.95
+	A	10.0.2.96
+	A	10.0.2.97
+	A	10.0.2.98
+	A	10.0.2.99
+	A	10.0.2.100
+	A	10.0.2.101
+	A	10.0.2.102
+	A	10.0.2.103
+	A	10.0.2.104
+	A	10.0.2.105
+	A	10.0.2.106
+	A	10.0.2.107
+	A	10.0.2.108
+	A	10.0.2.109
+	A	10.0.2.110
+	A	10.0.2.111
+	A	10.0.2.112
+	A	10.0.2.113
+	A	10.0.2.114
+	A	10.0.2.115
+	A	10.0.2.116
+	A	10.0.2.117
+	A	10.0.2.118
+	A	10.0.2.119
+	A	10.0.2.120
+	A	10.0.2.121
+	A	10.0.2.122
+	A	10.0.2.123
+	A	10.0.2.124
+	A	10.0.2.125
+	A	10.0.2.126
+	A	10.0.2.127
+	A	10.0.2.128
+	A	10.0.2.129
+	A	10.0.2.130
+	A	10.0.2.131
+	A	10.0.2.132
+	A	10.0.2.133
+	A	10.0.2.134
+	A	10.0.2.135
+	A	10.0.2.136
+	A	10.0.2.137
+	A	10.0.2.138
+	A	10.0.2.139
+	A	10.0.2.140
+	A	10.0.2.141
+	A	10.0.2.142
+	A	10.0.2.143
+	A	10.0.2.144
+	A	10.0.2.145
+	A	10.0.2.146
+	A	10.0.2.147
+	A	10.0.2.148
+	A	10.0.2.149
+	A	10.0.2.150
+	A	10.0.2.151
+	A	10.0.2.152
+	A	10.0.2.153
+	A	10.0.2.154
+	A	10.0.2.155
+	A	10.0.2.156
+	A	10.0.2.157
+	A	10.0.2.158
+	A	10.0.2.159
+	A	10.0.2.160
+	A	10.0.2.161
+	A	10.0.2.162
+	A	10.0.2.163
+	A	10.0.2.164
+	A	10.0.2.165
+	A	10.0.2.166
+	A	10.0.2.167
+	A	10.0.2.168
+	A	10.0.2.169
+	A	10.0.2.170
+	A	10.0.2.171
+	A	10.0.2.172
+	A	10.0.2.173
+	A	10.0.2.174
+	A	10.0.2.175
+	A	10.0.2.176
+	A	10.0.2.177
+	A	10.0.2.178
+	A	10.0.2.179
+	A	10.0.2.180
+	A	10.0.2.181
+	A	10.0.2.182
+	A	10.0.2.183
+	A	10.0.2.184
+	A	10.0.2.185
+	A	10.0.2.186
+	A	10.0.2.187
+	A	10.0.2.188
+	A	10.0.2.189
+	A	10.0.2.190
+	A	10.0.2.191
+	A	10.0.2.192
+	A	10.0.2.193
+	A	10.0.2.194
+	A	10.0.2.195
+	A	10.0.2.196
+	A	10.0.2.197
+	A	10.0.2.198
+	A	10.0.2.199
+	A	10.0.2.200
+	A	10.0.2.201
+	A	10.0.2.202
+	A	10.0.2.203
+	A	10.0.2.204
+	A	10.0.2.205
+	A	10.0.2.206
+	A	10.0.2.207
+	A	10.0.2.208
+	A	10.0.2.209
+	A	10.0.2.210
+	A	10.0.2.211
+	A	10.0.2.212
+	A	10.0.2.213
+	A	10.0.2.214
+	A	10.0.2.215
+	A	10.0.2.216
+	A	10.0.2.217
+	A	10.0.2.218
+	A	10.0.2.219
+	A	10.0.2.220
+	A	10.0.2.221
+	A	10.0.2.222
+	A	10.0.2.223
+	A	10.0.2.224
+	A	10.0.2.225
+	A	10.0.2.226
+	A	10.0.2.227
+	A	10.0.2.228
+	A	10.0.2.229
+	A	10.0.2.230
+	A	10.0.2.231
+	A	10.0.2.232
+	A	10.0.2.233
+	A	10.0.2.234
+	A	10.0.2.235
+	A	10.0.2.236
+	A	10.0.2.237
+	A	10.0.2.238
+	A	10.0.2.239
+	A	10.0.2.240
+	A	10.0.2.241
+	A	10.0.2.242
+	A	10.0.2.243
+	A	10.0.2.244
+	A	10.0.2.245
+	A	10.0.2.246
+	A	10.0.2.247
+	A	10.0.2.248
+	A	10.0.2.249
+	A	10.0.2.250
+	A	10.0.2.251
+	A	10.0.2.252
+	A	10.0.2.253
+	A	10.0.2.254
+	A	10.0.2.255
+	A	10.0.3.0
+	A	10.0.3.1
+	A	10.0.3.2
+	A	10.0.3.3
+	A	10.0.3.4
+	A	10.0.3.5
+	A	10.0.3.6
+	A	10.0.3.7
+	A	10.0.3.8
+	A	10.0.3.9
+	A	10.0.3.10
+	A	10.0.3.11
+	A	10.0.3.12
+	A	10.0.3.13
+	A	10.0.3.14
+	A	10.0.3.15
+	A	10.0.3.16
+	A	10.0.3.17
+	A	10.0.3.18
+	A	10.0.3.19
+	A	10.0.3.20
+	A	10.0.3.21
+	A	10.0.3.22
+	A	10.0.3.23
+	A	10.0.3.24
+	A	10.0.3.25
+	A	10.0.3.26
+	A	10.0.3.27
+	A	10.0.3.28
+	A	10.0.3.29
+	A	10.0.3.30
+	A	10.0.3.31
+	A	10.0.3.32
+	A	10.0.3.33
+	A	10.0.3.34
+	A	10.0.3.35
+	A	10.0.3.36
+	A	10.0.3.37
+	A	10.0.3.38
+	A	10.0.3.39
+	A	10.0.3.40
+	A	10.0.3.41
+	A	10.0.3.42
+	A	10.0.3.43
+	A	10.0.3.44
+	A	10.0.3.45
+	A	10.0.3.46
+	A	10.0.3.47
+	A	10.0.3.48
+	A	10.0.3.49
+	A	10.0.3.50
+	A	10.0.3.51
+	A	10.0.3.52
+	A	10.0.3.53
+	A	10.0.3.54
+	A	10.0.3.55
+	A	10.0.3.56
+	A	10.0.3.57
+	A	10.0.3.58
+	A	10.0.3.59
+	A	10.0.3.60
+	A	10.0.3.61
+	A	10.0.3.62
+	A	10.0.3.63
+	A	10.0.3.64
+	A	10.0.3.65
+	A	10.0.3.66
+	A	10.0.3.67
+	A	10.0.3.68
+	A	10.0.3.69
+	A	10.0.3.70
+	A	10.0.3.71
+	A	10.0.3.72
+	A	10.0.3.73
+	A	10.0.3.74
+	A	10.0.3.75
+	A	10.0.3.76
+	A	10.0.3.77
+	A	10.0.3.78
+	A	10.0.3.79
+	A	10.0.3.80
+	A	10.0.3.81
+	A	10.0.3.82
+	A	10.0.3.83
+	A	10.0.3.84
+	A	10.0.3.85
+	A	10.0.3.86
+	A	10.0.3.87
+	A	10.0.3.88
+	A	10.0.3.89
+	A	10.0.3.90
+	A	10.0.3.91
+	A	10.0.3.92
+	A	10.0.3.93
+	A	10.0.3.94
+	A	10.0.3.95
+	A	10.0.3.96
+	A	10.0.3.97
+	A	10.0.3.98
+	A	10.0.3.99
+	A	10.0.3.100
+	A	10.0.3.101
+	A	10.0.3.102
+	A	10.0.3.103
+	A	10.0.3.104
+	A	10.0.3.105
+	A	10.0.3.106
+	A	10.0.3.107
+	A	10.0.3.108
+	A	10.0.3.109
+	A	10.0.3.110
+	A	10.0.3.111
+	A	10.0.3.112
+	A	10.0.3.113
+	A	10.0.3.114
+	A	10.0.3.115
+	A	10.0.3.116
+	A	10.0.3.117
+	A	10.0.3.118
+	A	10.0.3.119
+	A	10.0.3.120
+	A	10.0.3.121
+	A	10.0.3.122
+	A	10.0.3.123
+	A	10.0.3.124
+	A	10.0.3.125
+	A	10.0.3.126
+	A	10.0.3.127
+	A	10.0.3.128
+	A	10.0.3.129
+	A	10.0.3.130
+	A	10.0.3.131
+	A	10.0.3.132
+	A	10.0.3.133
+	A	10.0.3.134
+	A	10.0.3.135
+	A	10.0.3.136
+	A	10.0.3.137
+	A	10.0.3.138
+	A	10.0.3.139
+	A	10.0.3.140
+	A	10.0.3.141
+	A	10.0.3.142
+	A	10.0.3.143
+	A	10.0.3.144
+	A	10.0.3.145
+	A	10.0.3.146
+	A	10.0.3.147
+	A	10.0.3.148
+	A	10.0.3.149
+	A	10.0.3.150
+	A	10.0.3.151
+	A	10.0.3.152
+	A	10.0.3.153
+	A	10.0.3.154
+	A	10.0.3.155
+	A	10.0.3.156
+	A	10.0.3.157
+	A	10.0.3.158
+	A	10.0.3.159
+	A	10.0.3.160
+	A	10.0.3.161
+	A	10.0.3.162
+	A	10.0.3.163
+	A	10.0.3.164
+	A	10.0.3.165
+	A	10.0.3.166
+	A	10.0.3.167
+	A	10.0.3.168
+	A	10.0.3.169
+	A	10.0.3.170
+	A	10.0.3.171
+	A	10.0.3.172
+	A	10.0.3.173
+	A	10.0.3.174
+	A	10.0.3.175
+	A	10.0.3.176
+	A	10.0.3.177
+	A	10.0.3.178
+	A	10.0.3.179
+	A	10.0.3.180
+	A	10.0.3.181
+	A	10.0.3.182
+	A	10.0.3.183
+	A	10.0.3.184
+	A	10.0.3.185
+	A	10.0.3.186
+	A	10.0.3.187
+	A	10.0.3.188
+	A	10.0.3.189
+	A	10.0.3.190
+	A	10.0.3.191
+	A	10.0.3.192
+	A	10.0.3.193
+	A	10.0.3.194
+	A	10.0.3.195
+	A	10.0.3.196
+	A	10.0.3.197
+	A	10.0.3.198
+	A	10.0.3.199
+	A	10.0.3.200
+	A	10.0.3.201
+	A	10.0.3.202
+	A	10.0.3.203
+	A	10.0.3.204
+	A	10.0.3.205
+	A	10.0.3.206
+	A	10.0.3.207
+	A	10.0.3.208
+	A	10.0.3.209
+	A	10.0.3.210
+	A	10.0.3.211
+	A	10.0.3.212
+	A	10.0.3.213
+	A	10.0.3.214
+	A	10.0.3.215
+	A	10.0.3.216
+	A	10.0.3.217
+	A	10.0.3.218
+	A	10.0.3.219
+	A	10.0.3.220
+	A	10.0.3.221
+	A	10.0.3.222
+	A	10.0.3.223
+	A	10.0.3.224
+	A	10.0.3.225
+	A	10.0.3.226
+	A	10.0.3.227
+	A	10.0.3.228
+	A	10.0.3.229
+	A	10.0.3.230
+	A	10.0.3.231
+	A	10.0.3.232
+	A	10.0.3.233
+	A	10.0.3.234
+	A	10.0.3.235
+	A	10.0.3.236
+	A	10.0.3.237
+	A	10.0.3.238
+	A	10.0.3.239
+	A	10.0.3.240
+	A	10.0.3.241
+	A	10.0.3.242
+	A	10.0.3.243
+	A	10.0.3.244
+	A	10.0.3.245
+	A	10.0.3.246
+	A	10.0.3.247
+	A	10.0.3.248
+	A	10.0.3.249
+	A	10.0.3.250
+	A	10.0.3.251
+	A	10.0.3.252
+	A	10.0.3.253
+	A	10.0.3.254
+	A	10.0.3.255
+	A	10.0.4.0
+	A	10.0.4.1
+	A	10.0.4.2
+	A	10.0.4.3
+	A	10.0.4.4
+	A	10.0.4.5
+	A	10.0.4.6
+	A	10.0.4.7
+	A	10.0.4.8
+	A	10.0.4.9
+	A	10.0.4.10
+	A	10.0.4.11
+	A	10.0.4.12
+	A	10.0.4.13
+	A	10.0.4.14
+	A	10.0.4.15
+	A	10.0.4.16
+	A	10.0.4.17
+	A	10.0.4.18
+	A	10.0.4.19
+	A	10.0.4.20
+	A	10.0.4.21
+	A	10.0.4.22
+	A	10.0.4.23
+	A	10.0.4.24
+	A	10.0.4.25
+	A	10.0.4.26
+	A	10.0.4.27
+	A	10.0.4.28
+	A	10.0.4.29
+	A	10.0.4.30
+	A	10.0.4.31
+	A	10.0.4.32
+	A	10.0.4.33
+	A	10.0.4.34
+	A	10.0.4.35
+	A	10.0.4.36
+	A	10.0.4.37
+	A	10.0.4.38
+	A	10.0.4.39
+	A	10.0.4.40
+	A	10.0.4.41
+	A	10.0.4.42
+	A	10.0.4.43
+	A	10.0.4.44
+	A	10.0.4.45
+	A	10.0.4.46
+	A	10.0.4.47
+	A	10.0.4.48
+	A	10.0.4.49
+	A	10.0.4.50
+	A	10.0.4.51
+	A	10.0.4.52
+	A	10.0.4.53
+	A	10.0.4.54
+	A	10.0.4.55
+	A	10.0.4.56
+	A	10.0.4.57
+	A	10.0.4.58
+	A	10.0.4.59
+	A	10.0.4.60
+	A	10.0.4.61
+	A	10.0.4.62
+	A	10.0.4.63
+	A	10.0.4.64
+	A	10.0.4.65
+	A	10.0.4.66
+	A	10.0.4.67
+	A	10.0.4.68
+	A	10.0.4.69
+	A	10.0.4.70
+	A	10.0.4.71
+	A	10.0.4.72
+	A	10.0.4.73
+	A	10.0.4.74
+	A	10.0.4.75
+	A	10.0.4.76
+	A	10.0.4.77
+	A	10.0.4.78
+	A	10.0.4.79
+	A	10.0.4.80
+	A	10.0.4.81
+	A	10.0.4.82
+	A	10.0.4.83
+	A	10.0.4.84
+	A	10.0.4.85
+	A	10.0.4.86
+	A	10.0.4.87
+	A	10.0.4.88
+	A	10.0.4.89
+	A	10.0.4.90
+	A	10.0.4.91
+	A	10.0.4.92
+	A	10.0.4.93
+	A	10.0.4.94
+	A	10.0.4.95
+	A	10.0.4.96
+	A	10.0.4.97
+	A	10.0.4.98
+	A	10.0.4.99
+	A	10.0.4.100
+	A	10.0.4.101
+	A	10.0.4.102
+	A	10.0.4.103
+	A	10.0.4.104
+	A	10.0.4.105
+	A	10.0.4.106
+	A	10.0.4.107
+	A	10.0.4.108
+	A	10.0.4.109
+	A	10.0.4.110
+	A	10.0.4.111
+	A	10.0.4.112
+	A	10.0.4.113
+	A	10.0.4.114
+	A	10.0.4.115
+	A	10.0.4.116
+	A	10.0.4.117
+	A	10.0.4.118
+	A	10.0.4.119
+	A	10.0.4.120
+	A	10.0.4.121
+	A	10.0.4.122
+	A	10.0.4.123
+	A	10.0.4.124
+	A	10.0.4.125
+	A	10.0.4.126
+	A	10.0.4.127
+	A	10.0.4.128
+	A	10.0.4.129
+	A	10.0.4.130
+	A	10.0.4.131
+	A	10.0.4.132
+	A	10.0.4.133
+	A	10.0.4.134
+	A	10.0.4.135
+	A	10.0.4.136
+	A	10.0.4.137
+	A	10.0.4.138
+	A	10.0.4.139
+	A	10.0.4.140
+	A	10.0.4.141
+	A	10.0.4.142
+	A	10.0.4.143
+	A	10.0.4.144
+	A	10.0.4.145
+	A	10.0.4.146
+	A	10.0.4.147
+	A	10.0.4.148
+	A	10.0.4.149
+	A	10.0.4.150
+	A	10.0.4.151
+	A	10.0.4.152
+	A	10.0.4.153
+	A	10.0.4.154
+	A	10.0.4.155
+	A	10.0.4.156
+	A	10.0.4.157
+	A	10.0.4.158
+	A	10.0.4.159
+	A	10.0.4.160
+	A	10.0.4.161
+	A	10.0.4.162
+	A	10.0.4.163
+	A	10.0.4.164
+	A	10.0.4.165
+	A	10.0.4.166
+	A	10.0.4.167
+	A	10.0.4.168
+	A	10.0.4.169
+	A	10.0.4.170
+	A	10.0.4.171
+	A	10.0.4.172
+	A	10.0.4.173
+	A	10.0.4.174
+	A	10.0.4.175
+	A	10.0.4.176
+	A	10.0.4.177
+	A	10.0.4.178
+	A	10.0.4.179
+	A	10.0.4.180
+	A	10.0.4.181
+	A	10.0.4.182
+	A	10.0.4.183
+	A	10.0.4.184
+	A	10.0.4.185
+	A	10.0.4.186
+	A	10.0.4.187
+	A	10.0.4.188
+	A	10.0.4.189
+	A	10.0.4.190
+	A	10.0.4.191
+	A	10.0.4.192
+	A	10.0.4.193
+	A	10.0.4.194
+	A	10.0.4.195
+	A	10.0.4.196
+	A	10.0.4.197
+	A	10.0.4.198
+	A	10.0.4.199
+	A	10.0.4.200
+	A	10.0.4.201
+	A	10.0.4.202
+	A	10.0.4.203
+	A	10.0.4.204
+	A	10.0.4.205
+	A	10.0.4.206
+	A	10.0.4.207
+	A	10.0.4.208
+	A	10.0.4.209
+	A	10.0.4.210
+	A	10.0.4.211
+	A	10.0.4.212
+	A	10.0.4.213
+	A	10.0.4.214
+	A	10.0.4.215
+	A	10.0.4.216
+	A	10.0.4.217
+	A	10.0.4.218
+	A	10.0.4.219
+	A	10.0.4.220
+	A	10.0.4.221
+	A	10.0.4.222
+	A	10.0.4.223
+	A	10.0.4.224
+	A	10.0.4.225
+	A	10.0.4.226
+	A	10.0.4.227
+	A	10.0.4.228
+	A	10.0.4.229
+	A	10.0.4.230
+	A	10.0.4.231
+	A	10.0.4.232
+	A	10.0.4.233
+	A	10.0.4.234
+	A	10.0.4.235
+	A	10.0.4.236
+	A	10.0.4.237
+	A	10.0.4.238
+	A	10.0.4.239
+	A	10.0.4.240
+	A	10.0.4.241
+	A	10.0.4.242
+	A	10.0.4.243
+	A	10.0.4.244
+	A	10.0.4.245
+	A	10.0.4.246
+	A	10.0.4.247
+	A	10.0.4.248
+	A	10.0.4.249
+	A	10.0.4.250
+	A	10.0.4.251
+	A	10.0.4.252
+	A	10.0.4.253
+	A	10.0.4.254
+	A	10.0.4.255
+	A	10.0.5.0
+	A	10.0.5.1
+	A	10.0.5.2
+	A	10.0.5.3
+	A	10.0.5.4
+	A	10.0.5.5
+	A	10.0.5.6
+	A	10.0.5.7
+	A	10.0.5.8
+	A	10.0.5.9
+	A	10.0.5.10
+	A	10.0.5.11
+	A	10.0.5.12
+	A	10.0.5.13
+	A	10.0.5.14
+	A	10.0.5.15
+	A	10.0.5.16
+	A	10.0.5.17
+	A	10.0.5.18
+	A	10.0.5.19
+	A	10.0.5.20
+	A	10.0.5.21
+	A	10.0.5.22
+	A	10.0.5.23
+	A	10.0.5.24
+	A	10.0.5.25
+	A	10.0.5.26
+	A	10.0.5.27
+	A	10.0.5.28
+	A	10.0.5.29
+	A	10.0.5.30
+	A	10.0.5.31
+	A	10.0.5.32
+	A	10.0.5.33
+	A	10.0.5.34
+	A	10.0.5.35
+	A	10.0.5.36
+	A	10.0.5.37
+	A	10.0.5.38
+	A	10.0.5.39
+	A	10.0.5.40
+	A	10.0.5.41
+	A	10.0.5.42
+	A	10.0.5.43
+	A	10.0.5.44
+	A	10.0.5.45
+	A	10.0.5.46
+	A	10.0.5.47
+	A	10.0.5.48
+	A	10.0.5.49
+	A	10.0.5.50
+	A	10.0.5.51
+	A	10.0.5.52
+	A	10.0.5.53
+	A	10.0.5.54
+	A	10.0.5.55
+	A	10.0.5.56
+	A	10.0.5.57
+	A	10.0.5.58
+	A	10.0.5.59
+	A	10.0.5.60
+	A	10.0.5.61
+	A	10.0.5.62
+	A	10.0.5.63
+	A	10.0.5.64
+	A	10.0.5.65
+	A	10.0.5.66
+	A	10.0.5.67
+	A	10.0.5.68
+	A	10.0.5.69
+	A	10.0.5.70
+	A	10.0.5.71
+	A	10.0.5.72
+	A	10.0.5.73
+	A	10.0.5.74
+	A	10.0.5.75
+	A	10.0.5.76
+	A	10.0.5.77
+	A	10.0.5.78
+	A	10.0.5.79
+	A	10.0.5.80
+	A	10.0.5.81
+	A	10.0.5.82
+	A	10.0.5.83
+	A	10.0.5.84
+	A	10.0.5.85
+	A	10.0.5.86
+	A	10.0.5.87
+	A	10.0.5.88
+	A	10.0.5.89
+	A	10.0.5.90
+	A	10.0.5.91
+	A	10.0.5.92
+	A	10.0.5.93
+	A	10.0.5.94
+	A	10.0.5.95
+	A	10.0.5.96
+	A	10.0.5.97
+	A	10.0.5.98
+	A	10.0.5.99
+	A	10.0.5.100
+	A	10.0.5.101
+	A	10.0.5.102
+	A	10.0.5.103
+	A	10.0.5.104
+	A	10.0.5.105
+	A	10.0.5.106
+	A	10.0.5.107
+	A	10.0.5.108
+	A	10.0.5.109
+	A	10.0.5.110
+	A	10.0.5.111
+	A	10.0.5.112
+	A	10.0.5.113
+	A	10.0.5.114
+	A	10.0.5.115
+	A	10.0.5.116
+	A	10.0.5.117
+	A	10.0.5.118
+	A	10.0.5.119
+	A	10.0.5.120
+	A	10.0.5.121
+	A	10.0.5.122
+	A	10.0.5.123
+	A	10.0.5.124
+	A	10.0.5.125
+	A	10.0.5.126
+	A	10.0.5.127
+	A	10.0.5.128
+	A	10.0.5.129
+	A	10.0.5.130
+	A	10.0.5.131
+	A	10.0.5.132
+	A	10.0.5.133
+	A	10.0.5.134
+	A	10.0.5.135
+	A	10.0.5.136
+	A	10.0.5.137
+	A	10.0.5.138
+	A	10.0.5.139
+	A	10.0.5.140
+	A	10.0.5.141
+	A	10.0.5.142
+	A	10.0.5.143
+	A	10.0.5.144
+	A	10.0.5.145
+	A	10.0.5.146
+	A	10.0.5.147
+	A	10.0.5.148
+	A	10.0.5.149
+	A	10.0.5.150
+	A	10.0.5.151
+	A	10.0.5.152
+	A	10.0.5.153
+	A	10.0.5.154
+	A	10.0.5.155
+	A	10.0.5.156
+	A	10.0.5.157
+	A	10.0.5.158
+	A	10.0.5.159
+	A	10.0.5.160
+	A	10.0.5.161
+	A	10.0.5.162
+	A	10.0.5.163
+	A	10.0.5.164
+	A	10.0.5.165
+	A	10.0.5.166
+	A	10.0.5.167
+	A	10.0.5.168
+	A	10.0.5.169
+	A	10.0.5.170
+	A	10.0.5.171
+	A	10.0.5.172
+	A	10.0.5.173
+	A	10.0.5.174
+	A	10.0.5.175
+	A	10.0.5.176
+	A	10.0.5.177
+	A	10.0.5.178
+	A	10.0.5.179
+	A	10.0.5.180
+	A	10.0.5.181
+	A	10.0.5.182
+	A	10.0.5.183
+	A	10.0.5.184
+	A	10.0.5.185
+	A	10.0.5.186
+	A	10.0.5.187
+	A	10.0.5.188
+	A	10.0.5.189
+	A	10.0.5.190
+	A	10.0.5.191
+	A	10.0.5.192
+	A	10.0.5.193
+	A	10.0.5.194
+	A	10.0.5.195
+	A	10.0.5.196
+	A	10.0.5.197
+	A	10.0.5.198
+	A	10.0.5.199
+	A	10.0.5.200
+	A	10.0.5.201
+	A	10.0.5.202
+	A	10.0.5.203
+	A	10.0.5.204
+	A	10.0.5.205
+	A	10.0.5.206
+	A	10.0.5.207
+	A	10.0.5.208
+	A	10.0.5.209
+	A	10.0.5.210
+	A	10.0.5.211
+	A	10.0.5.212
+	A	10.0.5.213
+	A	10.0.5.214
+	A	10.0.5.215
+	A	10.0.5.216
+	A	10.0.5.217
+	A	10.0.5.218
+	A	10.0.5.219
+	A	10.0.5.220
+	A	10.0.5.221
+	A	10.0.5.222
+	A	10.0.5.223
+	A	10.0.5.224
+	A	10.0.5.225
+	A	10.0.5.226
+	A	10.0.5.227
+	A	10.0.5.228
+	A	10.0.5.229
+	A	10.0.5.230
+	A	10.0.5.231
+	A	10.0.5.232
+	A	10.0.5.233
+	A	10.0.5.234
+	A	10.0.5.235
+	A	10.0.5.236
+	A	10.0.5.237
+	A	10.0.5.238
+	A	10.0.5.239
+	A	10.0.5.240
+	A	10.0.5.241
+	A	10.0.5.242
+	A	10.0.5.243
+	A	10.0.5.244
+	A	10.0.5.245
+	A	10.0.5.246
+	A	10.0.5.247
+	A	10.0.5.248
+	A	10.0.5.249
+	A	10.0.5.250
+	A	10.0.5.251
+	A	10.0.5.252
+	A	10.0.5.253
+	A	10.0.5.254
+	A	10.0.5.255
+	A	10.0.6.0
+	A	10.0.6.1
+	A	10.0.6.2
+	A	10.0.6.3
+	A	10.0.6.4
+	A	10.0.6.5
+	A	10.0.6.6
+	A	10.0.6.7
+	A	10.0.6.8
+	A	10.0.6.9
+	A	10.0.6.10
+	A	10.0.6.11
+	A	10.0.6.12
+	A	10.0.6.13
+	A	10.0.6.14
+	A	10.0.6.15
+	A	10.0.6.16
+	A	10.0.6.17
+	A	10.0.6.18
+	A	10.0.6.19
+	A	10.0.6.20
+	A	10.0.6.21
+	A	10.0.6.22
+	A	10.0.6.23
+	A	10.0.6.24
+	A	10.0.6.25
+	A	10.0.6.26
+	A	10.0.6.27
+	A	10.0.6.28
+	A	10.0.6.29
+	A	10.0.6.30
+	A	10.0.6.31
+	A	10.0.6.32
+	A	10.0.6.33
+	A	10.0.6.34
+	A	10.0.6.35
+	A	10.0.6.36
+	A	10.0.6.37
+	A	10.0.6.38
+	A	10.0.6.39
+	A	10.0.6.40
+	A	10.0.6.41
+	A	10.0.6.42
+	A	10.0.6.43
+	A	10.0.6.44
+	A	10.0.6.45
+	A	10.0.6.46
+	A	10.0.6.47
+	A	10.0.6.48
+	A	10.0.6.49
+	A	10.0.6.50
+	A	10.0.6.51
+	A	10.0.6.52
+	A	10.0.6.53
+	A	10.0.6.54
+	A	10.0.6.55
+	A	10.0.6.56
+	A	10.0.6.57
+	A	10.0.6.58
+	A	10.0.6.59
+	A	10.0.6.60
+	A	10.0.6.61
+	A	10.0.6.62
+	A	10.0.6.63
+	A	10.0.6.64
+	A	10.0.6.65
+	A	10.0.6.66
+	A	10.0.6.67
+	A	10.0.6.68
+	A	10.0.6.69
+	A	10.0.6.70
+	A	10.0.6.71
+	A	10.0.6.72
+	A	10.0.6.73
+	A	10.0.6.74
+	A	10.0.6.75
+	A	10.0.6.76
+	A	10.0.6.77
+	A	10.0.6.78
+	A	10.0.6.79
+	A	10.0.6.80
+	A	10.0.6.81
+	A	10.0.6.82
+	A	10.0.6.83
+	A	10.0.6.84
+	A	10.0.6.85
+	A	10.0.6.86
+	A	10.0.6.87
+	A	10.0.6.88
+	A	10.0.6.89
+	A	10.0.6.90
+	A	10.0.6.91
+	A	10.0.6.92
+	A	10.0.6.93
+	A	10.0.6.94
+	A	10.0.6.95
+	A	10.0.6.96
+	A	10.0.6.97
+	A	10.0.6.98
+	A	10.0.6.99
+	A	10.0.6.100
+	A	10.0.6.101
+	A	10.0.6.102
+	A	10.0.6.103
+	A	10.0.6.104
+	A	10.0.6.105
+	A	10.0.6.106
+	A	10.0.6.107
+	A	10.0.6.108
+	A	10.0.6.109
+	A	10.0.6.110
+	A	10.0.6.111
+	A	10.0.6.112
+	A	10.0.6.113
+	A	10.0.6.114
+	A	10.0.6.115
+	A	10.0.6.116
+	A	10.0.6.117
+	A	10.0.6.118
+	A	10.0.6.119
+	A	10.0.6.120
+	A	10.0.6.121
+	A	10.0.6.122
+	A	10.0.6.123
+	A	10.0.6.124
+	A	10.0.6.125
+	A	10.0.6.126
+	A	10.0.6.127
+	A	10.0.6.128
+	A	10.0.6.129
+	A	10.0.6.130
+	A	10.0.6.131
+	A	10.0.6.132
+	A	10.0.6.133
+	A	10.0.6.134
+	A	10.0.6.135
+	A	10.0.6.136
+	A	10.0.6.137
+	A	10.0.6.138
+	A	10.0.6.139
+	A	10.0.6.140
+	A	10.0.6.141
+	A	10.0.6.142
+	A	10.0.6.143
+	A	10.0.6.144
+	A	10.0.6.145
+	A	10.0.6.146
+	A	10.0.6.147
+	A	10.0.6.148
+	A	10.0.6.149
+	A	10.0.6.150
+	A	10.0.6.151
+	A	10.0.6.152
+	A	10.0.6.153
+	A	10.0.6.154
+	A	10.0.6.155
+	A	10.0.6.156
+	A	10.0.6.157
+	A	10.0.6.158
+	A	10.0.6.159
+	A	10.0.6.160
+	A	10.0.6.161
+	A	10.0.6.162
+	A	10.0.6.163
+	A	10.0.6.164
+	A	10.0.6.165
+	A	10.0.6.166
+	A	10.0.6.167
+	A	10.0.6.168
+	A	10.0.6.169
+	A	10.0.6.170
+	A	10.0.6.171
+	A	10.0.6.172
+	A	10.0.6.173
+	A	10.0.6.174
+	A	10.0.6.175
+	A	10.0.6.176
+	A	10.0.6.177
+	A	10.0.6.178
+	A	10.0.6.179
+	A	10.0.6.180
+	A	10.0.6.181
+	A	10.0.6.182
+	A	10.0.6.183
+	A	10.0.6.184
+	A	10.0.6.185
+	A	10.0.6.186
+	A	10.0.6.187
+	A	10.0.6.188
+	A	10.0.6.189
+	A	10.0.6.190
+	A	10.0.6.191
+	A	10.0.6.192
+	A	10.0.6.193
+	A	10.0.6.194
+	A	10.0.6.195
+	A	10.0.6.196
+	A	10.0.6.197
+	A	10.0.6.198
+	A	10.0.6.199
+	A	10.0.6.200
+	A	10.0.6.201
+	A	10.0.6.202
+	A	10.0.6.203
+	A	10.0.6.204
+	A	10.0.6.205
+	A	10.0.6.206
+	A	10.0.6.207
+	A	10.0.6.208
+	A	10.0.6.209
+	A	10.0.6.210
+	A	10.0.6.211
+	A	10.0.6.212
+	A	10.0.6.213
+	A	10.0.6.214
+	A	10.0.6.215
+	A	10.0.6.216
+	A	10.0.6.217
+	A	10.0.6.218
+	A	10.0.6.219
+	A	10.0.6.220
+	A	10.0.6.221
+	A	10.0.6.222
+	A	10.0.6.223
+	A	10.0.6.224
+	A	10.0.6.225
+	A	10.0.6.226
+	A	10.0.6.227
+	A	10.0.6.228
+	A	10.0.6.229
+	A	10.0.6.230
+	A	10.0.6.231
+	A	10.0.6.232
+	A	10.0.6.233
+	A	10.0.6.234
+	A	10.0.6.235
+	A	10.0.6.236
+	A	10.0.6.237
+	A	10.0.6.238
+	A	10.0.6.239
+	A	10.0.6.240
+	A	10.0.6.241
+	A	10.0.6.242
+	A	10.0.6.243
+	A	10.0.6.244
+	A	10.0.6.245
+	A	10.0.6.246
+	A	10.0.6.247
+	A	10.0.6.248
+	A	10.0.6.249
+	A	10.0.6.250
+	A	10.0.6.251
+	A	10.0.6.252
+	A	10.0.6.253
+	A	10.0.6.254
+	A	10.0.6.255
+	A	10.0.7.0
+	A	10.0.7.1
+	A	10.0.7.2
+	A	10.0.7.3
+	A	10.0.7.4
+	A	10.0.7.5
+	A	10.0.7.6
+	A	10.0.7.7
+	A	10.0.7.8
+	A	10.0.7.9
+	A	10.0.7.10
+	A	10.0.7.11
+	A	10.0.7.12
+	A	10.0.7.13
+	A	10.0.7.14
+	A	10.0.7.15
+	A	10.0.7.16
+	A	10.0.7.17
+	A	10.0.7.18
+	A	10.0.7.19
+	A	10.0.7.20
+	A	10.0.7.21
+	A	10.0.7.22
+	A	10.0.7.23
+	A	10.0.7.24
+	A	10.0.7.25
+	A	10.0.7.26
+	A	10.0.7.27
+	A	10.0.7.28
+	A	10.0.7.29
+	A	10.0.7.30
+	A	10.0.7.31
+	A	10.0.7.32
+	A	10.0.7.33
+	A	10.0.7.34
+	A	10.0.7.35
+	A	10.0.7.36
+	A	10.0.7.37
+	A	10.0.7.38
+	A	10.0.7.39
+	A	10.0.7.40
+	A	10.0.7.41
+	A	10.0.7.42
+	A	10.0.7.43
+	A	10.0.7.44
+	A	10.0.7.45
+	A	10.0.7.46
+	A	10.0.7.47
+	A	10.0.7.48
+	A	10.0.7.49
+	A	10.0.7.50
+	A	10.0.7.51
+	A	10.0.7.52
+	A	10.0.7.53
+	A	10.0.7.54
+	A	10.0.7.55
+	A	10.0.7.56
+	A	10.0.7.57
+	A	10.0.7.58
+	A	10.0.7.59
+	A	10.0.7.60
+	A	10.0.7.61
+	A	10.0.7.62
+	A	10.0.7.63
+	A	10.0.7.64
+	A	10.0.7.65
+	A	10.0.7.66
+	A	10.0.7.67
+	A	10.0.7.68
+	A	10.0.7.69
+	A	10.0.7.70
+	A	10.0.7.71
+	A	10.0.7.72
+	A	10.0.7.73
+	A	10.0.7.74
+	A	10.0.7.75
+	A	10.0.7.76
+	A	10.0.7.77
+	A	10.0.7.78
+	A	10.0.7.79
+	A	10.0.7.80
+	A	10.0.7.81
+	A	10.0.7.82
+	A	10.0.7.83
+	A	10.0.7.84
+	A	10.0.7.85
+	A	10.0.7.86
+	A	10.0.7.87
+	A	10.0.7.88
+	A	10.0.7.89
+	A	10.0.7.90
+	A	10.0.7.91
+	A	10.0.7.92
+	A	10.0.7.93
+	A	10.0.7.94
+	A	10.0.7.95
+	A	10.0.7.96
+	A	10.0.7.97
+	A	10.0.7.98
+	A	10.0.7.99
+	A	10.0.7.100
+	A	10.0.7.101
+	A	10.0.7.102
+	A	10.0.7.103
+	A	10.0.7.104
+	A	10.0.7.105
+	A	10.0.7.106
+	A	10.0.7.107
+	A	10.0.7.108
+	A	10.0.7.109
+	A	10.0.7.110
+	A	10.0.7.111
+	A	10.0.7.112
+	A	10.0.7.113
+	A	10.0.7.114
+	A	10.0.7.115
+	A	10.0.7.116
+	A	10.0.7.117
+	A	10.0.7.118
+	A	10.0.7.119
+	A	10.0.7.120
+	A	10.0.7.121
+	A	10.0.7.122
+	A	10.0.7.123
+	A	10.0.7.124
+	A	10.0.7.125
+	A	10.0.7.126
+	A	10.0.7.127
+	A	10.0.7.128
+	A	10.0.7.129
+	A	10.0.7.130
+	A	10.0.7.131
+	A	10.0.7.132
+	A	10.0.7.133
+	A	10.0.7.134
+	A	10.0.7.135
+	A	10.0.7.136
+	A	10.0.7.137
+	A	10.0.7.138
+	A	10.0.7.139
+	A	10.0.7.140
+	A	10.0.7.141
+	A	10.0.7.142
+	A	10.0.7.143
+	A	10.0.7.144
+	A	10.0.7.145
+	A	10.0.7.146
+	A	10.0.7.147
+	A	10.0.7.148
+	A	10.0.7.149
+	A	10.0.7.150
+	A	10.0.7.151
+	A	10.0.7.152
+	A	10.0.7.153
+	A	10.0.7.154
+	A	10.0.7.155
+	A	10.0.7.156
+	A	10.0.7.157
+	A	10.0.7.158
+	A	10.0.7.159
+	A	10.0.7.160
+	A	10.0.7.161
+	A	10.0.7.162
+	A	10.0.7.163
+	A	10.0.7.164
+	A	10.0.7.165
+	A	10.0.7.166
+	A	10.0.7.167
+	A	10.0.7.168
+	A	10.0.7.169
+	A	10.0.7.170
+	A	10.0.7.171
+	A	10.0.7.172
+	A	10.0.7.173
+	A	10.0.7.174
+	A	10.0.7.175
+	A	10.0.7.176
+	A	10.0.7.177
+	A	10.0.7.178
+	A	10.0.7.179
+	A	10.0.7.180
+	A	10.0.7.181
+	A	10.0.7.182
+	A	10.0.7.183
+	A	10.0.7.184
+	A	10.0.7.185
+	A	10.0.7.186
+	A	10.0.7.187
+	A	10.0.7.188
+	A	10.0.7.189
+	A	10.0.7.190
+	A	10.0.7.191
+	A	10.0.7.192
+	A	10.0.7.193
+	A	10.0.7.194
+	A	10.0.7.195
+	A	10.0.7.196
+	A	10.0.7.197
+	A	10.0.7.198
+	A	10.0.7.199
+	A	10.0.7.200
+	A	10.0.7.201
+	A	10.0.7.202
+	A	10.0.7.203
+	A	10.0.7.204
+	A	10.0.7.205
+	A	10.0.7.206
+	A	10.0.7.207
+3000	A	10.0.0.0
+	A	10.0.0.1
+	A	10.0.0.2
+	A	10.0.0.3
+	A	10.0.0.4
+	A	10.0.0.5
+	A	10.0.0.6
+	A	10.0.0.7
+	A	10.0.0.8
+	A	10.0.0.9
+	A	10.0.0.10
+	A	10.0.0.11
+	A	10.0.0.12
+	A	10.0.0.13
+	A	10.0.0.14
+	A	10.0.0.15
+	A	10.0.0.16
+	A	10.0.0.17
+	A	10.0.0.18
+	A	10.0.0.19
+	A	10.0.0.20
+	A	10.0.0.21
+	A	10.0.0.22
+	A	10.0.0.23
+	A	10.0.0.24
+	A	10.0.0.25
+	A	10.0.0.26
+	A	10.0.0.27
+	A	10.0.0.28
+	A	10.0.0.29
+	A	10.0.0.30
+	A	10.0.0.31
+	A	10.0.0.32
+	A	10.0.0.33
+	A	10.0.0.34
+	A	10.0.0.35
+	A	10.0.0.36
+	A	10.0.0.37
+	A	10.0.0.38
+	A	10.0.0.39
+	A	10.0.0.40
+	A	10.0.0.41
+	A	10.0.0.42
+	A	10.0.0.43
+	A	10.0.0.44
+	A	10.0.0.45
+	A	10.0.0.46
+	A	10.0.0.47
+	A	10.0.0.48
+	A	10.0.0.49
+	A	10.0.0.50
+	A	10.0.0.51
+	A	10.0.0.52
+	A	10.0.0.53
+	A	10.0.0.54
+	A	10.0.0.55
+	A	10.0.0.56
+	A	10.0.0.57
+	A	10.0.0.58
+	A	10.0.0.59
+	A	10.0.0.60
+	A	10.0.0.61
+	A	10.0.0.62
+	A	10.0.0.63
+	A	10.0.0.64
+	A	10.0.0.65
+	A	10.0.0.66
+	A	10.0.0.67
+	A	10.0.0.68
+	A	10.0.0.69
+	A	10.0.0.70
+	A	10.0.0.71
+	A	10.0.0.72
+	A	10.0.0.73
+	A	10.0.0.74
+	A	10.0.0.75
+	A	10.0.0.76
+	A	10.0.0.77
+	A	10.0.0.78
+	A	10.0.0.79
+	A	10.0.0.80
+	A	10.0.0.81
+	A	10.0.0.82
+	A	10.0.0.83
+	A	10.0.0.84
+	A	10.0.0.85
+	A	10.0.0.86
+	A	10.0.0.87
+	A	10.0.0.88
+	A	10.0.0.89
+	A	10.0.0.90
+	A	10.0.0.91
+	A	10.0.0.92
+	A	10.0.0.93
+	A	10.0.0.94
+	A	10.0.0.95
+	A	10.0.0.96
+	A	10.0.0.97
+	A	10.0.0.98
+	A	10.0.0.99
+	A	10.0.0.100
+	A	10.0.0.101
+	A	10.0.0.102
+	A	10.0.0.103
+	A	10.0.0.104
+	A	10.0.0.105
+	A	10.0.0.106
+	A	10.0.0.107
+	A	10.0.0.108
+	A	10.0.0.109
+	A	10.0.0.110
+	A	10.0.0.111
+	A	10.0.0.112
+	A	10.0.0.113
+	A	10.0.0.114
+	A	10.0.0.115
+	A	10.0.0.116
+	A	10.0.0.117
+	A	10.0.0.118
+	A	10.0.0.119
+	A	10.0.0.120
+	A	10.0.0.121
+	A	10.0.0.122
+	A	10.0.0.123
+	A	10.0.0.124
+	A	10.0.0.125
+	A	10.0.0.126
+	A	10.0.0.127
+	A	10.0.0.128
+	A	10.0.0.129
+	A	10.0.0.130
+	A	10.0.0.131
+	A	10.0.0.132
+	A	10.0.0.133
+	A	10.0.0.134
+	A	10.0.0.135
+	A	10.0.0.136
+	A	10.0.0.137
+	A	10.0.0.138
+	A	10.0.0.139
+	A	10.0.0.140
+	A	10.0.0.141
+	A	10.0.0.142
+	A	10.0.0.143
+	A	10.0.0.144
+	A	10.0.0.145
+	A	10.0.0.146
+	A	10.0.0.147
+	A	10.0.0.148
+	A	10.0.0.149
+	A	10.0.0.150
+	A	10.0.0.151
+	A	10.0.0.152
+	A	10.0.0.153
+	A	10.0.0.154
+	A	10.0.0.155
+	A	10.0.0.156
+	A	10.0.0.157
+	A	10.0.0.158
+	A	10.0.0.159
+	A	10.0.0.160
+	A	10.0.0.161
+	A	10.0.0.162
+	A	10.0.0.163
+	A	10.0.0.164
+	A	10.0.0.165
+	A	10.0.0.166
+	A	10.0.0.167
+	A	10.0.0.168
+	A	10.0.0.169
+	A	10.0.0.170
+	A	10.0.0.171
+	A	10.0.0.172
+	A	10.0.0.173
+	A	10.0.0.174
+	A	10.0.0.175
+	A	10.0.0.176
+	A	10.0.0.177
+	A	10.0.0.178
+	A	10.0.0.179
+	A	10.0.0.180
+	A	10.0.0.181
+	A	10.0.0.182
+	A	10.0.0.183
+	A	10.0.0.184
+	A	10.0.0.185
+	A	10.0.0.186
+	A	10.0.0.187
+	A	10.0.0.188
+	A	10.0.0.189
+	A	10.0.0.190
+	A	10.0.0.191
+	A	10.0.0.192
+	A	10.0.0.193
+	A	10.0.0.194
+	A	10.0.0.195
+	A	10.0.0.196
+	A	10.0.0.197
+	A	10.0.0.198
+	A	10.0.0.199
+	A	10.0.0.200
+	A	10.0.0.201
+	A	10.0.0.202
+	A	10.0.0.203
+	A	10.0.0.204
+	A	10.0.0.205
+	A	10.0.0.206
+	A	10.0.0.207
+	A	10.0.0.208
+	A	10.0.0.209
+	A	10.0.0.210
+	A	10.0.0.211
+	A	10.0.0.212
+	A	10.0.0.213
+	A	10.0.0.214
+	A	10.0.0.215
+	A	10.0.0.216
+	A	10.0.0.217
+	A	10.0.0.218
+	A	10.0.0.219
+	A	10.0.0.220
+	A	10.0.0.221
+	A	10.0.0.222
+	A	10.0.0.223
+	A	10.0.0.224
+	A	10.0.0.225
+	A	10.0.0.226
+	A	10.0.0.227
+	A	10.0.0.228
+	A	10.0.0.229
+	A	10.0.0.230
+	A	10.0.0.231
+	A	10.0.0.232
+	A	10.0.0.233
+	A	10.0.0.234
+	A	10.0.0.235
+	A	10.0.0.236
+	A	10.0.0.237
+	A	10.0.0.238
+	A	10.0.0.239
+	A	10.0.0.240
+	A	10.0.0.241
+	A	10.0.0.242
+	A	10.0.0.243
+	A	10.0.0.244
+	A	10.0.0.245
+	A	10.0.0.246
+	A	10.0.0.247
+	A	10.0.0.248
+	A	10.0.0.249
+	A	10.0.0.250
+	A	10.0.0.251
+	A	10.0.0.252
+	A	10.0.0.253
+	A	10.0.0.254
+	A	10.0.0.255
+	A	10.0.1.0
+	A	10.0.1.1
+	A	10.0.1.2
+	A	10.0.1.3
+	A	10.0.1.4
+	A	10.0.1.5
+	A	10.0.1.6
+	A	10.0.1.7
+	A	10.0.1.8
+	A	10.0.1.9
+	A	10.0.1.10
+	A	10.0.1.11
+	A	10.0.1.12
+	A	10.0.1.13
+	A	10.0.1.14
+	A	10.0.1.15
+	A	10.0.1.16
+	A	10.0.1.17
+	A	10.0.1.18
+	A	10.0.1.19
+	A	10.0.1.20
+	A	10.0.1.21
+	A	10.0.1.22
+	A	10.0.1.23
+	A	10.0.1.24
+	A	10.0.1.25
+	A	10.0.1.26
+	A	10.0.1.27
+	A	10.0.1.28
+	A	10.0.1.29
+	A	10.0.1.30
+	A	10.0.1.31
+	A	10.0.1.32
+	A	10.0.1.33
+	A	10.0.1.34
+	A	10.0.1.35
+	A	10.0.1.36
+	A	10.0.1.37
+	A	10.0.1.38
+	A	10.0.1.39
+	A	10.0.1.40
+	A	10.0.1.41
+	A	10.0.1.42
+	A	10.0.1.43
+	A	10.0.1.44
+	A	10.0.1.45
+	A	10.0.1.46
+	A	10.0.1.47
+	A	10.0.1.48
+	A	10.0.1.49
+	A	10.0.1.50
+	A	10.0.1.51
+	A	10.0.1.52
+	A	10.0.1.53
+	A	10.0.1.54
+	A	10.0.1.55
+	A	10.0.1.56
+	A	10.0.1.57
+	A	10.0.1.58
+	A	10.0.1.59
+	A	10.0.1.60
+	A	10.0.1.61
+	A	10.0.1.62
+	A	10.0.1.63
+	A	10.0.1.64
+	A	10.0.1.65
+	A	10.0.1.66
+	A	10.0.1.67
+	A	10.0.1.68
+	A	10.0.1.69
+	A	10.0.1.70
+	A	10.0.1.71
+	A	10.0.1.72
+	A	10.0.1.73
+	A	10.0.1.74
+	A	10.0.1.75
+	A	10.0.1.76
+	A	10.0.1.77
+	A	10.0.1.78
+	A	10.0.1.79
+	A	10.0.1.80
+	A	10.0.1.81
+	A	10.0.1.82
+	A	10.0.1.83
+	A	10.0.1.84
+	A	10.0.1.85
+	A	10.0.1.86
+	A	10.0.1.87
+	A	10.0.1.88
+	A	10.0.1.89
+	A	10.0.1.90
+	A	10.0.1.91
+	A	10.0.1.92
+	A	10.0.1.93
+	A	10.0.1.94
+	A	10.0.1.95
+	A	10.0.1.96
+	A	10.0.1.97
+	A	10.0.1.98
+	A	10.0.1.99
+	A	10.0.1.100
+	A	10.0.1.101
+	A	10.0.1.102
+	A	10.0.1.103
+	A	10.0.1.104
+	A	10.0.1.105
+	A	10.0.1.106
+	A	10.0.1.107
+	A	10.0.1.108
+	A	10.0.1.109
+	A	10.0.1.110
+	A	10.0.1.111
+	A	10.0.1.112
+	A	10.0.1.113
+	A	10.0.1.114
+	A	10.0.1.115
+	A	10.0.1.116
+	A	10.0.1.117
+	A	10.0.1.118
+	A	10.0.1.119
+	A	10.0.1.120
+	A	10.0.1.121
+	A	10.0.1.122
+	A	10.0.1.123
+	A	10.0.1.124
+	A	10.0.1.125
+	A	10.0.1.126
+	A	10.0.1.127
+	A	10.0.1.128
+	A	10.0.1.129
+	A	10.0.1.130
+	A	10.0.1.131
+	A	10.0.1.132
+	A	10.0.1.133
+	A	10.0.1.134
+	A	10.0.1.135
+	A	10.0.1.136
+	A	10.0.1.137
+	A	10.0.1.138
+	A	10.0.1.139
+	A	10.0.1.140
+	A	10.0.1.141
+	A	10.0.1.142
+	A	10.0.1.143
+	A	10.0.1.144
+	A	10.0.1.145
+	A	10.0.1.146
+	A	10.0.1.147
+	A	10.0.1.148
+	A	10.0.1.149
+	A	10.0.1.150
+	A	10.0.1.151
+	A	10.0.1.152
+	A	10.0.1.153
+	A	10.0.1.154
+	A	10.0.1.155
+	A	10.0.1.156
+	A	10.0.1.157
+	A	10.0.1.158
+	A	10.0.1.159
+	A	10.0.1.160
+	A	10.0.1.161
+	A	10.0.1.162
+	A	10.0.1.163
+	A	10.0.1.164
+	A	10.0.1.165
+	A	10.0.1.166
+	A	10.0.1.167
+	A	10.0.1.168
+	A	10.0.1.169
+	A	10.0.1.170
+	A	10.0.1.171
+	A	10.0.1.172
+	A	10.0.1.173
+	A	10.0.1.174
+	A	10.0.1.175
+	A	10.0.1.176
+	A	10.0.1.177
+	A	10.0.1.178
+	A	10.0.1.179
+	A	10.0.1.180
+	A	10.0.1.181
+	A	10.0.1.182
+	A	10.0.1.183
+	A	10.0.1.184
+	A	10.0.1.185
+	A	10.0.1.186
+	A	10.0.1.187
+	A	10.0.1.188
+	A	10.0.1.189
+	A	10.0.1.190
+	A	10.0.1.191
+	A	10.0.1.192
+	A	10.0.1.193
+	A	10.0.1.194
+	A	10.0.1.195
+	A	10.0.1.196
+	A	10.0.1.197
+	A	10.0.1.198
+	A	10.0.1.199
+	A	10.0.1.200
+	A	10.0.1.201
+	A	10.0.1.202
+	A	10.0.1.203
+	A	10.0.1.204
+	A	10.0.1.205
+	A	10.0.1.206
+	A	10.0.1.207
+	A	10.0.1.208
+	A	10.0.1.209
+	A	10.0.1.210
+	A	10.0.1.211
+	A	10.0.1.212
+	A	10.0.1.213
+	A	10.0.1.214
+	A	10.0.1.215
+	A	10.0.1.216
+	A	10.0.1.217
+	A	10.0.1.218
+	A	10.0.1.219
+	A	10.0.1.220
+	A	10.0.1.221
+	A	10.0.1.222
+	A	10.0.1.223
+	A	10.0.1.224
+	A	10.0.1.225
+	A	10.0.1.226
+	A	10.0.1.227
+	A	10.0.1.228
+	A	10.0.1.229
+	A	10.0.1.230
+	A	10.0.1.231
+	A	10.0.1.232
+	A	10.0.1.233
+	A	10.0.1.234
+	A	10.0.1.235
+	A	10.0.1.236
+	A	10.0.1.237
+	A	10.0.1.238
+	A	10.0.1.239
+	A	10.0.1.240
+	A	10.0.1.241
+	A	10.0.1.242
+	A	10.0.1.243
+	A	10.0.1.244
+	A	10.0.1.245
+	A	10.0.1.246
+	A	10.0.1.247
+	A	10.0.1.248
+	A	10.0.1.249
+	A	10.0.1.250
+	A	10.0.1.251
+	A	10.0.1.252
+	A	10.0.1.253
+	A	10.0.1.254
+	A	10.0.1.255
+	A	10.0.2.0
+	A	10.0.2.1
+	A	10.0.2.2
+	A	10.0.2.3
+	A	10.0.2.4
+	A	10.0.2.5
+	A	10.0.2.6
+	A	10.0.2.7
+	A	10.0.2.8
+	A	10.0.2.9
+	A	10.0.2.10
+	A	10.0.2.11
+	A	10.0.2.12
+	A	10.0.2.13
+	A	10.0.2.14
+	A	10.0.2.15
+	A	10.0.2.16
+	A	10.0.2.17
+	A	10.0.2.18
+	A	10.0.2.19
+	A	10.0.2.20
+	A	10.0.2.21
+	A	10.0.2.22
+	A	10.0.2.23
+	A	10.0.2.24
+	A	10.0.2.25
+	A	10.0.2.26
+	A	10.0.2.27
+	A	10.0.2.28
+	A	10.0.2.29
+	A	10.0.2.30
+	A	10.0.2.31
+	A	10.0.2.32
+	A	10.0.2.33
+	A	10.0.2.34
+	A	10.0.2.35
+	A	10.0.2.36
+	A	10.0.2.37
+	A	10.0.2.38
+	A	10.0.2.39
+	A	10.0.2.40
+	A	10.0.2.41
+	A	10.0.2.42
+	A	10.0.2.43
+	A	10.0.2.44
+	A	10.0.2.45
+	A	10.0.2.46
+	A	10.0.2.47
+	A	10.0.2.48
+	A	10.0.2.49
+	A	10.0.2.50
+	A	10.0.2.51
+	A	10.0.2.52
+	A	10.0.2.53
+	A	10.0.2.54
+	A	10.0.2.55
+	A	10.0.2.56
+	A	10.0.2.57
+	A	10.0.2.58
+	A	10.0.2.59
+	A	10.0.2.60
+	A	10.0.2.61
+	A	10.0.2.62
+	A	10.0.2.63
+	A	10.0.2.64
+	A	10.0.2.65
+	A	10.0.2.66
+	A	10.0.2.67
+	A	10.0.2.68
+	A	10.0.2.69
+	A	10.0.2.70
+	A	10.0.2.71
+	A	10.0.2.72
+	A	10.0.2.73
+	A	10.0.2.74
+	A	10.0.2.75
+	A	10.0.2.76
+	A	10.0.2.77
+	A	10.0.2.78
+	A	10.0.2.79
+	A	10.0.2.80
+	A	10.0.2.81
+	A	10.0.2.82
+	A	10.0.2.83
+	A	10.0.2.84
+	A	10.0.2.85
+	A	10.0.2.86
+	A	10.0.2.87
+	A	10.0.2.88
+	A	10.0.2.89
+	A	10.0.2.90
+	A	10.0.2.91
+	A	10.0.2.92
+	A	10.0.2.93
+	A	10.0.2.94
+	A	10.0.2.95
+	A	10.0.2.96
+	A	10.0.2.97
+	A	10.0.2.98
+	A	10.0.2.99
+	A	10.0.2.100
+	A	10.0.2.101
+	A	10.0.2.102
+	A	10.0.2.103
+	A	10.0.2.104
+	A	10.0.2.105
+	A	10.0.2.106
+	A	10.0.2.107
+	A	10.0.2.108
+	A	10.0.2.109
+	A	10.0.2.110
+	A	10.0.2.111
+	A	10.0.2.112
+	A	10.0.2.113
+	A	10.0.2.114
+	A	10.0.2.115
+	A	10.0.2.116
+	A	10.0.2.117
+	A	10.0.2.118
+	A	10.0.2.119
+	A	10.0.2.120
+	A	10.0.2.121
+	A	10.0.2.122
+	A	10.0.2.123
+	A	10.0.2.124
+	A	10.0.2.125
+	A	10.0.2.126
+	A	10.0.2.127
+	A	10.0.2.128
+	A	10.0.2.129
+	A	10.0.2.130
+	A	10.0.2.131
+	A	10.0.2.132
+	A	10.0.2.133
+	A	10.0.2.134
+	A	10.0.2.135
+	A	10.0.2.136
+	A	10.0.2.137
+	A	10.0.2.138
+	A	10.0.2.139
+	A	10.0.2.140
+	A	10.0.2.141
+	A	10.0.2.142
+	A	10.0.2.143
+	A	10.0.2.144
+	A	10.0.2.145
+	A	10.0.2.146
+	A	10.0.2.147
+	A	10.0.2.148
+	A	10.0.2.149
+	A	10.0.2.150
+	A	10.0.2.151
+	A	10.0.2.152
+	A	10.0.2.153
+	A	10.0.2.154
+	A	10.0.2.155
+	A	10.0.2.156
+	A	10.0.2.157
+	A	10.0.2.158
+	A	10.0.2.159
+	A	10.0.2.160
+	A	10.0.2.161
+	A	10.0.2.162
+	A	10.0.2.163
+	A	10.0.2.164
+	A	10.0.2.165
+	A	10.0.2.166
+	A	10.0.2.167
+	A	10.0.2.168
+	A	10.0.2.169
+	A	10.0.2.170
+	A	10.0.2.171
+	A	10.0.2.172
+	A	10.0.2.173
+	A	10.0.2.174
+	A	10.0.2.175
+	A	10.0.2.176
+	A	10.0.2.177
+	A	10.0.2.178
+	A	10.0.2.179
+	A	10.0.2.180
+	A	10.0.2.181
+	A	10.0.2.182
+	A	10.0.2.183
+	A	10.0.2.184
+	A	10.0.2.185
+	A	10.0.2.186
+	A	10.0.2.187
+	A	10.0.2.188
+	A	10.0.2.189
+	A	10.0.2.190
+	A	10.0.2.191
+	A	10.0.2.192
+	A	10.0.2.193
+	A	10.0.2.194
+	A	10.0.2.195
+	A	10.0.2.196
+	A	10.0.2.197
+	A	10.0.2.198
+	A	10.0.2.199
+	A	10.0.2.200
+	A	10.0.2.201
+	A	10.0.2.202
+	A	10.0.2.203
+	A	10.0.2.204
+	A	10.0.2.205
+	A	10.0.2.206
+	A	10.0.2.207
+	A	10.0.2.208
+	A	10.0.2.209
+	A	10.0.2.210
+	A	10.0.2.211
+	A	10.0.2.212
+	A	10.0.2.213
+	A	10.0.2.214
+	A	10.0.2.215
+	A	10.0.2.216
+	A	10.0.2.217
+	A	10.0.2.218
+	A	10.0.2.219
+	A	10.0.2.220
+	A	10.0.2.221
+	A	10.0.2.222
+	A	10.0.2.223
+	A	10.0.2.224
+	A	10.0.2.225
+	A	10.0.2.226
+	A	10.0.2.227
+	A	10.0.2.228
+	A	10.0.2.229
+	A	10.0.2.230
+	A	10.0.2.231
+	A	10.0.2.232
+	A	10.0.2.233
+	A	10.0.2.234
+	A	10.0.2.235
+	A	10.0.2.236
+	A	10.0.2.237
+	A	10.0.2.238
+	A	10.0.2.239
+	A	10.0.2.240
+	A	10.0.2.241
+	A	10.0.2.242
+	A	10.0.2.243
+	A	10.0.2.244
+	A	10.0.2.245
+	A	10.0.2.246
+	A	10.0.2.247
+	A	10.0.2.248
+	A	10.0.2.249
+	A	10.0.2.250
+	A	10.0.2.251
+	A	10.0.2.252
+	A	10.0.2.253
+	A	10.0.2.254
+	A	10.0.2.255
+	A	10.0.3.0
+	A	10.0.3.1
+	A	10.0.3.2
+	A	10.0.3.3
+	A	10.0.3.4
+	A	10.0.3.5
+	A	10.0.3.6
+	A	10.0.3.7
+	A	10.0.3.8
+	A	10.0.3.9
+	A	10.0.3.10
+	A	10.0.3.11
+	A	10.0.3.12
+	A	10.0.3.13
+	A	10.0.3.14
+	A	10.0.3.15
+	A	10.0.3.16
+	A	10.0.3.17
+	A	10.0.3.18
+	A	10.0.3.19
+	A	10.0.3.20
+	A	10.0.3.21
+	A	10.0.3.22
+	A	10.0.3.23
+	A	10.0.3.24
+	A	10.0.3.25
+	A	10.0.3.26
+	A	10.0.3.27
+	A	10.0.3.28
+	A	10.0.3.29
+	A	10.0.3.30
+	A	10.0.3.31
+	A	10.0.3.32
+	A	10.0.3.33
+	A	10.0.3.34
+	A	10.0.3.35
+	A	10.0.3.36
+	A	10.0.3.37
+	A	10.0.3.38
+	A	10.0.3.39
+	A	10.0.3.40
+	A	10.0.3.41
+	A	10.0.3.42
+	A	10.0.3.43
+	A	10.0.3.44
+	A	10.0.3.45
+	A	10.0.3.46
+	A	10.0.3.47
+	A	10.0.3.48
+	A	10.0.3.49
+	A	10.0.3.50
+	A	10.0.3.51
+	A	10.0.3.52
+	A	10.0.3.53
+	A	10.0.3.54
+	A	10.0.3.55
+	A	10.0.3.56
+	A	10.0.3.57
+	A	10.0.3.58
+	A	10.0.3.59
+	A	10.0.3.60
+	A	10.0.3.61
+	A	10.0.3.62
+	A	10.0.3.63
+	A	10.0.3.64
+	A	10.0.3.65
+	A	10.0.3.66
+	A	10.0.3.67
+	A	10.0.3.68
+	A	10.0.3.69
+	A	10.0.3.70
+	A	10.0.3.71
+	A	10.0.3.72
+	A	10.0.3.73
+	A	10.0.3.74
+	A	10.0.3.75
+	A	10.0.3.76
+	A	10.0.3.77
+	A	10.0.3.78
+	A	10.0.3.79
+	A	10.0.3.80
+	A	10.0.3.81
+	A	10.0.3.82
+	A	10.0.3.83
+	A	10.0.3.84
+	A	10.0.3.85
+	A	10.0.3.86
+	A	10.0.3.87
+	A	10.0.3.88
+	A	10.0.3.89
+	A	10.0.3.90
+	A	10.0.3.91
+	A	10.0.3.92
+	A	10.0.3.93
+	A	10.0.3.94
+	A	10.0.3.95
+	A	10.0.3.96
+	A	10.0.3.97
+	A	10.0.3.98
+	A	10.0.3.99
+	A	10.0.3.100
+	A	10.0.3.101
+	A	10.0.3.102
+	A	10.0.3.103
+	A	10.0.3.104
+	A	10.0.3.105
+	A	10.0.3.106
+	A	10.0.3.107
+	A	10.0.3.108
+	A	10.0.3.109
+	A	10.0.3.110
+	A	10.0.3.111
+	A	10.0.3.112
+	A	10.0.3.113
+	A	10.0.3.114
+	A	10.0.3.115
+	A	10.0.3.116
+	A	10.0.3.117
+	A	10.0.3.118
+	A	10.0.3.119
+	A	10.0.3.120
+	A	10.0.3.121
+	A	10.0.3.122
+	A	10.0.3.123
+	A	10.0.3.124
+	A	10.0.3.125
+	A	10.0.3.126
+	A	10.0.3.127
+	A	10.0.3.128
+	A	10.0.3.129
+	A	10.0.3.130
+	A	10.0.3.131
+	A	10.0.3.132
+	A	10.0.3.133
+	A	10.0.3.134
+	A	10.0.3.135
+	A	10.0.3.136
+	A	10.0.3.137
+	A	10.0.3.138
+	A	10.0.3.139
+	A	10.0.3.140
+	A	10.0.3.141
+	A	10.0.3.142
+	A	10.0.3.143
+	A	10.0.3.144
+	A	10.0.3.145
+	A	10.0.3.146
+	A	10.0.3.147
+	A	10.0.3.148
+	A	10.0.3.149
+	A	10.0.3.150
+	A	10.0.3.151
+	A	10.0.3.152
+	A	10.0.3.153
+	A	10.0.3.154
+	A	10.0.3.155
+	A	10.0.3.156
+	A	10.0.3.157
+	A	10.0.3.158
+	A	10.0.3.159
+	A	10.0.3.160
+	A	10.0.3.161
+	A	10.0.3.162
+	A	10.0.3.163
+	A	10.0.3.164
+	A	10.0.3.165
+	A	10.0.3.166
+	A	10.0.3.167
+	A	10.0.3.168
+	A	10.0.3.169
+	A	10.0.3.170
+	A	10.0.3.171
+	A	10.0.3.172
+	A	10.0.3.173
+	A	10.0.3.174
+	A	10.0.3.175
+	A	10.0.3.176
+	A	10.0.3.177
+	A	10.0.3.178
+	A	10.0.3.179
+	A	10.0.3.180
+	A	10.0.3.181
+	A	10.0.3.182
+	A	10.0.3.183
+	A	10.0.3.184
+	A	10.0.3.185
+	A	10.0.3.186
+	A	10.0.3.187
+	A	10.0.3.188
+	A	10.0.3.189
+	A	10.0.3.190
+	A	10.0.3.191
+	A	10.0.3.192
+	A	10.0.3.193
+	A	10.0.3.194
+	A	10.0.3.195
+	A	10.0.3.196
+	A	10.0.3.197
+	A	10.0.3.198
+	A	10.0.3.199
+	A	10.0.3.200
+	A	10.0.3.201
+	A	10.0.3.202
+	A	10.0.3.203
+	A	10.0.3.204
+	A	10.0.3.205
+	A	10.0.3.206
+	A	10.0.3.207
+	A	10.0.3.208
+	A	10.0.3.209
+	A	10.0.3.210
+	A	10.0.3.211
+	A	10.0.3.212
+	A	10.0.3.213
+	A	10.0.3.214
+	A	10.0.3.215
+	A	10.0.3.216
+	A	10.0.3.217
+	A	10.0.3.218
+	A	10.0.3.219
+	A	10.0.3.220
+	A	10.0.3.221
+	A	10.0.3.222
+	A	10.0.3.223
+	A	10.0.3.224
+	A	10.0.3.225
+	A	10.0.3.226
+	A	10.0.3.227
+	A	10.0.3.228
+	A	10.0.3.229
+	A	10.0.3.230
+	A	10.0.3.231
+	A	10.0.3.232
+	A	10.0.3.233
+	A	10.0.3.234
+	A	10.0.3.235
+	A	10.0.3.236
+	A	10.0.3.237
+	A	10.0.3.238
+	A	10.0.3.239
+	A	10.0.3.240
+	A	10.0.3.241
+	A	10.0.3.242
+	A	10.0.3.243
+	A	10.0.3.244
+	A	10.0.3.245
+	A	10.0.3.246
+	A	10.0.3.247
+	A	10.0.3.248
+	A	10.0.3.249
+	A	10.0.3.250
+	A	10.0.3.251
+	A	10.0.3.252
+	A	10.0.3.253
+	A	10.0.3.254
+	A	10.0.3.255
+	A	10.0.4.0
+	A	10.0.4.1
+	A	10.0.4.2
+	A	10.0.4.3
+	A	10.0.4.4
+	A	10.0.4.5
+	A	10.0.4.6
+	A	10.0.4.7
+	A	10.0.4.8
+	A	10.0.4.9
+	A	10.0.4.10
+	A	10.0.4.11
+	A	10.0.4.12
+	A	10.0.4.13
+	A	10.0.4.14
+	A	10.0.4.15
+	A	10.0.4.16
+	A	10.0.4.17
+	A	10.0.4.18
+	A	10.0.4.19
+	A	10.0.4.20
+	A	10.0.4.21
+	A	10.0.4.22
+	A	10.0.4.23
+	A	10.0.4.24
+	A	10.0.4.25
+	A	10.0.4.26
+	A	10.0.4.27
+	A	10.0.4.28
+	A	10.0.4.29
+	A	10.0.4.30
+	A	10.0.4.31
+	A	10.0.4.32
+	A	10.0.4.33
+	A	10.0.4.34
+	A	10.0.4.35
+	A	10.0.4.36
+	A	10.0.4.37
+	A	10.0.4.38
+	A	10.0.4.39
+	A	10.0.4.40
+	A	10.0.4.41
+	A	10.0.4.42
+	A	10.0.4.43
+	A	10.0.4.44
+	A	10.0.4.45
+	A	10.0.4.46
+	A	10.0.4.47
+	A	10.0.4.48
+	A	10.0.4.49
+	A	10.0.4.50
+	A	10.0.4.51
+	A	10.0.4.52
+	A	10.0.4.53
+	A	10.0.4.54
+	A	10.0.4.55
+	A	10.0.4.56
+	A	10.0.4.57
+	A	10.0.4.58
+	A	10.0.4.59
+	A	10.0.4.60
+	A	10.0.4.61
+	A	10.0.4.62
+	A	10.0.4.63
+	A	10.0.4.64
+	A	10.0.4.65
+	A	10.0.4.66
+	A	10.0.4.67
+	A	10.0.4.68
+	A	10.0.4.69
+	A	10.0.4.70
+	A	10.0.4.71
+	A	10.0.4.72
+	A	10.0.4.73
+	A	10.0.4.74
+	A	10.0.4.75
+	A	10.0.4.76
+	A	10.0.4.77
+	A	10.0.4.78
+	A	10.0.4.79
+	A	10.0.4.80
+	A	10.0.4.81
+	A	10.0.4.82
+	A	10.0.4.83
+	A	10.0.4.84
+	A	10.0.4.85
+	A	10.0.4.86
+	A	10.0.4.87
+	A	10.0.4.88
+	A	10.0.4.89
+	A	10.0.4.90
+	A	10.0.4.91
+	A	10.0.4.92
+	A	10.0.4.93
+	A	10.0.4.94
+	A	10.0.4.95
+	A	10.0.4.96
+	A	10.0.4.97
+	A	10.0.4.98
+	A	10.0.4.99
+	A	10.0.4.100
+	A	10.0.4.101
+	A	10.0.4.102
+	A	10.0.4.103
+	A	10.0.4.104
+	A	10.0.4.105
+	A	10.0.4.106
+	A	10.0.4.107
+	A	10.0.4.108
+	A	10.0.4.109
+	A	10.0.4.110
+	A	10.0.4.111
+	A	10.0.4.112
+	A	10.0.4.113
+	A	10.0.4.114
+	A	10.0.4.115
+	A	10.0.4.116
+	A	10.0.4.117
+	A	10.0.4.118
+	A	10.0.4.119
+	A	10.0.4.120
+	A	10.0.4.121
+	A	10.0.4.122
+	A	10.0.4.123
+	A	10.0.4.124
+	A	10.0.4.125
+	A	10.0.4.126
+	A	10.0.4.127
+	A	10.0.4.128
+	A	10.0.4.129
+	A	10.0.4.130
+	A	10.0.4.131
+	A	10.0.4.132
+	A	10.0.4.133
+	A	10.0.4.134
+	A	10.0.4.135
+	A	10.0.4.136
+	A	10.0.4.137
+	A	10.0.4.138
+	A	10.0.4.139
+	A	10.0.4.140
+	A	10.0.4.141
+	A	10.0.4.142
+	A	10.0.4.143
+	A	10.0.4.144
+	A	10.0.4.145
+	A	10.0.4.146
+	A	10.0.4.147
+	A	10.0.4.148
+	A	10.0.4.149
+	A	10.0.4.150
+	A	10.0.4.151
+	A	10.0.4.152
+	A	10.0.4.153
+	A	10.0.4.154
+	A	10.0.4.155
+	A	10.0.4.156
+	A	10.0.4.157
+	A	10.0.4.158
+	A	10.0.4.159
+	A	10.0.4.160
+	A	10.0.4.161
+	A	10.0.4.162
+	A	10.0.4.163
+	A	10.0.4.164
+	A	10.0.4.165
+	A	10.0.4.166
+	A	10.0.4.167
+	A	10.0.4.168
+	A	10.0.4.169
+	A	10.0.4.170
+	A	10.0.4.171
+	A	10.0.4.172
+	A	10.0.4.173
+	A	10.0.4.174
+	A	10.0.4.175
+	A	10.0.4.176
+	A	10.0.4.177
+	A	10.0.4.178
+	A	10.0.4.179
+	A	10.0.4.180
+	A	10.0.4.181
+	A	10.0.4.182
+	A	10.0.4.183
+	A	10.0.4.184
+	A	10.0.4.185
+	A	10.0.4.186
+	A	10.0.4.187
+	A	10.0.4.188
+	A	10.0.4.189
+	A	10.0.4.190
+	A	10.0.4.191
+	A	10.0.4.192
+	A	10.0.4.193
+	A	10.0.4.194
+	A	10.0.4.195
+	A	10.0.4.196
+	A	10.0.4.197
+	A	10.0.4.198
+	A	10.0.4.199
+	A	10.0.4.200
+	A	10.0.4.201
+	A	10.0.4.202
+	A	10.0.4.203
+	A	10.0.4.204
+	A	10.0.4.205
+	A	10.0.4.206
+	A	10.0.4.207
+	A	10.0.4.208
+	A	10.0.4.209
+	A	10.0.4.210
+	A	10.0.4.211
+	A	10.0.4.212
+	A	10.0.4.213
+	A	10.0.4.214
+	A	10.0.4.215
+	A	10.0.4.216
+	A	10.0.4.217
+	A	10.0.4.218
+	A	10.0.4.219
+	A	10.0.4.220
+	A	10.0.4.221
+	A	10.0.4.222
+	A	10.0.4.223
+	A	10.0.4.224
+	A	10.0.4.225
+	A	10.0.4.226
+	A	10.0.4.227
+	A	10.0.4.228
+	A	10.0.4.229
+	A	10.0.4.230
+	A	10.0.4.231
+	A	10.0.4.232
+	A	10.0.4.233
+	A	10.0.4.234
+	A	10.0.4.235
+	A	10.0.4.236
+	A	10.0.4.237
+	A	10.0.4.238
+	A	10.0.4.239
+	A	10.0.4.240
+	A	10.0.4.241
+	A	10.0.4.242
+	A	10.0.4.243
+	A	10.0.4.244
+	A	10.0.4.245
+	A	10.0.4.246
+	A	10.0.4.247
+	A	10.0.4.248
+	A	10.0.4.249
+	A	10.0.4.250
+	A	10.0.4.251
+	A	10.0.4.252
+	A	10.0.4.253
+	A	10.0.4.254
+	A	10.0.4.255
+	A	10.0.5.0
+	A	10.0.5.1
+	A	10.0.5.2
+	A	10.0.5.3
+	A	10.0.5.4
+	A	10.0.5.5
+	A	10.0.5.6
+	A	10.0.5.7
+	A	10.0.5.8
+	A	10.0.5.9
+	A	10.0.5.10
+	A	10.0.5.11
+	A	10.0.5.12
+	A	10.0.5.13
+	A	10.0.5.14
+	A	10.0.5.15
+	A	10.0.5.16
+	A	10.0.5.17
+	A	10.0.5.18
+	A	10.0.5.19
+	A	10.0.5.20
+	A	10.0.5.21
+	A	10.0.5.22
+	A	10.0.5.23
+	A	10.0.5.24
+	A	10.0.5.25
+	A	10.0.5.26
+	A	10.0.5.27
+	A	10.0.5.28
+	A	10.0.5.29
+	A	10.0.5.30
+	A	10.0.5.31
+	A	10.0.5.32
+	A	10.0.5.33
+	A	10.0.5.34
+	A	10.0.5.35
+	A	10.0.5.36
+	A	10.0.5.37
+	A	10.0.5.38
+	A	10.0.5.39
+	A	10.0.5.40
+	A	10.0.5.41
+	A	10.0.5.42
+	A	10.0.5.43
+	A	10.0.5.44
+	A	10.0.5.45
+	A	10.0.5.46
+	A	10.0.5.47
+	A	10.0.5.48
+	A	10.0.5.49
+	A	10.0.5.50
+	A	10.0.5.51
+	A	10.0.5.52
+	A	10.0.5.53
+	A	10.0.5.54
+	A	10.0.5.55
+	A	10.0.5.56
+	A	10.0.5.57
+	A	10.0.5.58
+	A	10.0.5.59
+	A	10.0.5.60
+	A	10.0.5.61
+	A	10.0.5.62
+	A	10.0.5.63
+	A	10.0.5.64
+	A	10.0.5.65
+	A	10.0.5.66
+	A	10.0.5.67
+	A	10.0.5.68
+	A	10.0.5.69
+	A	10.0.5.70
+	A	10.0.5.71
+	A	10.0.5.72
+	A	10.0.5.73
+	A	10.0.5.74
+	A	10.0.5.75
+	A	10.0.5.76
+	A	10.0.5.77
+	A	10.0.5.78
+	A	10.0.5.79
+	A	10.0.5.80
+	A	10.0.5.81
+	A	10.0.5.82
+	A	10.0.5.83
+	A	10.0.5.84
+	A	10.0.5.85
+	A	10.0.5.86
+	A	10.0.5.87
+	A	10.0.5.88
+	A	10.0.5.89
+	A	10.0.5.90
+	A	10.0.5.91
+	A	10.0.5.92
+	A	10.0.5.93
+	A	10.0.5.94
+	A	10.0.5.95
+	A	10.0.5.96
+	A	10.0.5.97
+	A	10.0.5.98
+	A	10.0.5.99
+	A	10.0.5.100
+	A	10.0.5.101
+	A	10.0.5.102
+	A	10.0.5.103
+	A	10.0.5.104
+	A	10.0.5.105
+	A	10.0.5.106
+	A	10.0.5.107
+	A	10.0.5.108
+	A	10.0.5.109
+	A	10.0.5.110
+	A	10.0.5.111
+	A	10.0.5.112
+	A	10.0.5.113
+	A	10.0.5.114
+	A	10.0.5.115
+	A	10.0.5.116
+	A	10.0.5.117
+	A	10.0.5.118
+	A	10.0.5.119
+	A	10.0.5.120
+	A	10.0.5.121
+	A	10.0.5.122
+	A	10.0.5.123
+	A	10.0.5.124
+	A	10.0.5.125
+	A	10.0.5.126
+	A	10.0.5.127
+	A	10.0.5.128
+	A	10.0.5.129
+	A	10.0.5.130
+	A	10.0.5.131
+	A	10.0.5.132
+	A	10.0.5.133
+	A	10.0.5.134
+	A	10.0.5.135
+	A	10.0.5.136
+	A	10.0.5.137
+	A	10.0.5.138
+	A	10.0.5.139
+	A	10.0.5.140
+	A	10.0.5.141
+	A	10.0.5.142
+	A	10.0.5.143
+	A	10.0.5.144
+	A	10.0.5.145
+	A	10.0.5.146
+	A	10.0.5.147
+	A	10.0.5.148
+	A	10.0.5.149
+	A	10.0.5.150
+	A	10.0.5.151
+	A	10.0.5.152
+	A	10.0.5.153
+	A	10.0.5.154
+	A	10.0.5.155
+	A	10.0.5.156
+	A	10.0.5.157
+	A	10.0.5.158
+	A	10.0.5.159
+	A	10.0.5.160
+	A	10.0.5.161
+	A	10.0.5.162
+	A	10.0.5.163
+	A	10.0.5.164
+	A	10.0.5.165
+	A	10.0.5.166
+	A	10.0.5.167
+	A	10.0.5.168
+	A	10.0.5.169
+	A	10.0.5.170
+	A	10.0.5.171
+	A	10.0.5.172
+	A	10.0.5.173
+	A	10.0.5.174
+	A	10.0.5.175
+	A	10.0.5.176
+	A	10.0.5.177
+	A	10.0.5.178
+	A	10.0.5.179
+	A	10.0.5.180
+	A	10.0.5.181
+	A	10.0.5.182
+	A	10.0.5.183
+	A	10.0.5.184
+	A	10.0.5.185
+	A	10.0.5.186
+	A	10.0.5.187
+	A	10.0.5.188
+	A	10.0.5.189
+	A	10.0.5.190
+	A	10.0.5.191
+	A	10.0.5.192
+	A	10.0.5.193
+	A	10.0.5.194
+	A	10.0.5.195
+	A	10.0.5.196
+	A	10.0.5.197
+	A	10.0.5.198
+	A	10.0.5.199
+	A	10.0.5.200
+	A	10.0.5.201
+	A	10.0.5.202
+	A	10.0.5.203
+	A	10.0.5.204
+	A	10.0.5.205
+	A	10.0.5.206
+	A	10.0.5.207
+	A	10.0.5.208
+	A	10.0.5.209
+	A	10.0.5.210
+	A	10.0.5.211
+	A	10.0.5.212
+	A	10.0.5.213
+	A	10.0.5.214
+	A	10.0.5.215
+	A	10.0.5.216
+	A	10.0.5.217
+	A	10.0.5.218
+	A	10.0.5.219
+	A	10.0.5.220
+	A	10.0.5.221
+	A	10.0.5.222
+	A	10.0.5.223
+	A	10.0.5.224
+	A	10.0.5.225
+	A	10.0.5.226
+	A	10.0.5.227
+	A	10.0.5.228
+	A	10.0.5.229
+	A	10.0.5.230
+	A	10.0.5.231
+	A	10.0.5.232
+	A	10.0.5.233
+	A	10.0.5.234
+	A	10.0.5.235
+	A	10.0.5.236
+	A	10.0.5.237
+	A	10.0.5.238
+	A	10.0.5.239
+	A	10.0.5.240
+	A	10.0.5.241
+	A	10.0.5.242
+	A	10.0.5.243
+	A	10.0.5.244
+	A	10.0.5.245
+	A	10.0.5.246
+	A	10.0.5.247
+	A	10.0.5.248
+	A	10.0.5.249
+	A	10.0.5.250
+	A	10.0.5.251
+	A	10.0.5.252
+	A	10.0.5.253
+	A	10.0.5.254
+	A	10.0.5.255
+	A	10.0.6.0
+	A	10.0.6.1
+	A	10.0.6.2
+	A	10.0.6.3
+	A	10.0.6.4
+	A	10.0.6.5
+	A	10.0.6.6
+	A	10.0.6.7
+	A	10.0.6.8
+	A	10.0.6.9
+	A	10.0.6.10
+	A	10.0.6.11
+	A	10.0.6.12
+	A	10.0.6.13
+	A	10.0.6.14
+	A	10.0.6.15
+	A	10.0.6.16
+	A	10.0.6.17
+	A	10.0.6.18
+	A	10.0.6.19
+	A	10.0.6.20
+	A	10.0.6.21
+	A	10.0.6.22
+	A	10.0.6.23
+	A	10.0.6.24
+	A	10.0.6.25
+	A	10.0.6.26
+	A	10.0.6.27
+	A	10.0.6.28
+	A	10.0.6.29
+	A	10.0.6.30
+	A	10.0.6.31
+	A	10.0.6.32
+	A	10.0.6.33
+	A	10.0.6.34
+	A	10.0.6.35
+	A	10.0.6.36
+	A	10.0.6.37
+	A	10.0.6.38
+	A	10.0.6.39
+	A	10.0.6.40
+	A	10.0.6.41
+	A	10.0.6.42
+	A	10.0.6.43
+	A	10.0.6.44
+	A	10.0.6.45
+	A	10.0.6.46
+	A	10.0.6.47
+	A	10.0.6.48
+	A	10.0.6.49
+	A	10.0.6.50
+	A	10.0.6.51
+	A	10.0.6.52
+	A	10.0.6.53
+	A	10.0.6.54
+	A	10.0.6.55
+	A	10.0.6.56
+	A	10.0.6.57
+	A	10.0.6.58
+	A	10.0.6.59
+	A	10.0.6.60
+	A	10.0.6.61
+	A	10.0.6.62
+	A	10.0.6.63
+	A	10.0.6.64
+	A	10.0.6.65
+	A	10.0.6.66
+	A	10.0.6.67
+	A	10.0.6.68
+	A	10.0.6.69
+	A	10.0.6.70
+	A	10.0.6.71
+	A	10.0.6.72
+	A	10.0.6.73
+	A	10.0.6.74
+	A	10.0.6.75
+	A	10.0.6.76
+	A	10.0.6.77
+	A	10.0.6.78
+	A	10.0.6.79
+	A	10.0.6.80
+	A	10.0.6.81
+	A	10.0.6.82
+	A	10.0.6.83
+	A	10.0.6.84
+	A	10.0.6.85
+	A	10.0.6.86
+	A	10.0.6.87
+	A	10.0.6.88
+	A	10.0.6.89
+	A	10.0.6.90
+	A	10.0.6.91
+	A	10.0.6.92
+	A	10.0.6.93
+	A	10.0.6.94
+	A	10.0.6.95
+	A	10.0.6.96
+	A	10.0.6.97
+	A	10.0.6.98
+	A	10.0.6.99
+	A	10.0.6.100
+	A	10.0.6.101
+	A	10.0.6.102
+	A	10.0.6.103
+	A	10.0.6.104
+	A	10.0.6.105
+	A	10.0.6.106
+	A	10.0.6.107
+	A	10.0.6.108
+	A	10.0.6.109
+	A	10.0.6.110
+	A	10.0.6.111
+	A	10.0.6.112
+	A	10.0.6.113
+	A	10.0.6.114
+	A	10.0.6.115
+	A	10.0.6.116
+	A	10.0.6.117
+	A	10.0.6.118
+	A	10.0.6.119
+	A	10.0.6.120
+	A	10.0.6.121
+	A	10.0.6.122
+	A	10.0.6.123
+	A	10.0.6.124
+	A	10.0.6.125
+	A	10.0.6.126
+	A	10.0.6.127
+	A	10.0.6.128
+	A	10.0.6.129
+	A	10.0.6.130
+	A	10.0.6.131
+	A	10.0.6.132
+	A	10.0.6.133
+	A	10.0.6.134
+	A	10.0.6.135
+	A	10.0.6.136
+	A	10.0.6.137
+	A	10.0.6.138
+	A	10.0.6.139
+	A	10.0.6.140
+	A	10.0.6.141
+	A	10.0.6.142
+	A	10.0.6.143
+	A	10.0.6.144
+	A	10.0.6.145
+	A	10.0.6.146
+	A	10.0.6.147
+	A	10.0.6.148
+	A	10.0.6.149
+	A	10.0.6.150
+	A	10.0.6.151
+	A	10.0.6.152
+	A	10.0.6.153
+	A	10.0.6.154
+	A	10.0.6.155
+	A	10.0.6.156
+	A	10.0.6.157
+	A	10.0.6.158
+	A	10.0.6.159
+	A	10.0.6.160
+	A	10.0.6.161
+	A	10.0.6.162
+	A	10.0.6.163
+	A	10.0.6.164
+	A	10.0.6.165
+	A	10.0.6.166
+	A	10.0.6.167
+	A	10.0.6.168
+	A	10.0.6.169
+	A	10.0.6.170
+	A	10.0.6.171
+	A	10.0.6.172
+	A	10.0.6.173
+	A	10.0.6.174
+	A	10.0.6.175
+	A	10.0.6.176
+	A	10.0.6.177
+	A	10.0.6.178
+	A	10.0.6.179
+	A	10.0.6.180
+	A	10.0.6.181
+	A	10.0.6.182
+	A	10.0.6.183
+	A	10.0.6.184
+	A	10.0.6.185
+	A	10.0.6.186
+	A	10.0.6.187
+	A	10.0.6.188
+	A	10.0.6.189
+	A	10.0.6.190
+	A	10.0.6.191
+	A	10.0.6.192
+	A	10.0.6.193
+	A	10.0.6.194
+	A	10.0.6.195
+	A	10.0.6.196
+	A	10.0.6.197
+	A	10.0.6.198
+	A	10.0.6.199
+	A	10.0.6.200
+	A	10.0.6.201
+	A	10.0.6.202
+	A	10.0.6.203
+	A	10.0.6.204
+	A	10.0.6.205
+	A	10.0.6.206
+	A	10.0.6.207
+	A	10.0.6.208
+	A	10.0.6.209
+	A	10.0.6.210
+	A	10.0.6.211
+	A	10.0.6.212
+	A	10.0.6.213
+	A	10.0.6.214
+	A	10.0.6.215
+	A	10.0.6.216
+	A	10.0.6.217
+	A	10.0.6.218
+	A	10.0.6.219
+	A	10.0.6.220
+	A	10.0.6.221
+	A	10.0.6.222
+	A	10.0.6.223
+	A	10.0.6.224
+	A	10.0.6.225
+	A	10.0.6.226
+	A	10.0.6.227
+	A	10.0.6.228
+	A	10.0.6.229
+	A	10.0.6.230
+	A	10.0.6.231
+	A	10.0.6.232
+	A	10.0.6.233
+	A	10.0.6.234
+	A	10.0.6.235
+	A	10.0.6.236
+	A	10.0.6.237
+	A	10.0.6.238
+	A	10.0.6.239
+	A	10.0.6.240
+	A	10.0.6.241
+	A	10.0.6.242
+	A	10.0.6.243
+	A	10.0.6.244
+	A	10.0.6.245
+	A	10.0.6.246
+	A	10.0.6.247
+	A	10.0.6.248
+	A	10.0.6.249
+	A	10.0.6.250
+	A	10.0.6.251
+	A	10.0.6.252
+	A	10.0.6.253
+	A	10.0.6.254
+	A	10.0.6.255
+	A	10.0.7.0
+	A	10.0.7.1
+	A	10.0.7.2
+	A	10.0.7.3
+	A	10.0.7.4
+	A	10.0.7.5
+	A	10.0.7.6
+	A	10.0.7.7
+	A	10.0.7.8
+	A	10.0.7.9
+	A	10.0.7.10
+	A	10.0.7.11
+	A	10.0.7.12
+	A	10.0.7.13
+	A	10.0.7.14
+	A	10.0.7.15
+	A	10.0.7.16
+	A	10.0.7.17
+	A	10.0.7.18
+	A	10.0.7.19
+	A	10.0.7.20
+	A	10.0.7.21
+	A	10.0.7.22
+	A	10.0.7.23
+	A	10.0.7.24
+	A	10.0.7.25
+	A	10.0.7.26
+	A	10.0.7.27
+	A	10.0.7.28
+	A	10.0.7.29
+	A	10.0.7.30
+	A	10.0.7.31
+	A	10.0.7.32
+	A	10.0.7.33
+	A	10.0.7.34
+	A	10.0.7.35
+	A	10.0.7.36
+	A	10.0.7.37
+	A	10.0.7.38
+	A	10.0.7.39
+	A	10.0.7.40
+	A	10.0.7.41
+	A	10.0.7.42
+	A	10.0.7.43
+	A	10.0.7.44
+	A	10.0.7.45
+	A	10.0.7.46
+	A	10.0.7.47
+	A	10.0.7.48
+	A	10.0.7.49
+	A	10.0.7.50
+	A	10.0.7.51
+	A	10.0.7.52
+	A	10.0.7.53
+	A	10.0.7.54
+	A	10.0.7.55
+	A	10.0.7.56
+	A	10.0.7.57
+	A	10.0.7.58
+	A	10.0.7.59
+	A	10.0.7.60
+	A	10.0.7.61
+	A	10.0.7.62
+	A	10.0.7.63
+	A	10.0.7.64
+	A	10.0.7.65
+	A	10.0.7.66
+	A	10.0.7.67
+	A	10.0.7.68
+	A	10.0.7.69
+	A	10.0.7.70
+	A	10.0.7.71
+	A	10.0.7.72
+	A	10.0.7.73
+	A	10.0.7.74
+	A	10.0.7.75
+	A	10.0.7.76
+	A	10.0.7.77
+	A	10.0.7.78
+	A	10.0.7.79
+	A	10.0.7.80
+	A	10.0.7.81
+	A	10.0.7.82
+	A	10.0.7.83
+	A	10.0.7.84
+	A	10.0.7.85
+	A	10.0.7.86
+	A	10.0.7.87
+	A	10.0.7.88
+	A	10.0.7.89
+	A	10.0.7.90
+	A	10.0.7.91
+	A	10.0.7.92
+	A	10.0.7.93
+	A	10.0.7.94
+	A	10.0.7.95
+	A	10.0.7.96
+	A	10.0.7.97
+	A	10.0.7.98
+	A	10.0.7.99
+	A	10.0.7.100
+	A	10.0.7.101
+	A	10.0.7.102
+	A	10.0.7.103
+	A	10.0.7.104
+	A	10.0.7.105
+	A	10.0.7.106
+	A	10.0.7.107
+	A	10.0.7.108
+	A	10.0.7.109
+	A	10.0.7.110
+	A	10.0.7.111
+	A	10.0.7.112
+	A	10.0.7.113
+	A	10.0.7.114
+	A	10.0.7.115
+	A	10.0.7.116
+	A	10.0.7.117
+	A	10.0.7.118
+	A	10.0.7.119
+	A	10.0.7.120
+	A	10.0.7.121
+	A	10.0.7.122
+	A	10.0.7.123
+	A	10.0.7.124
+	A	10.0.7.125
+	A	10.0.7.126
+	A	10.0.7.127
+	A	10.0.7.128
+	A	10.0.7.129
+	A	10.0.7.130
+	A	10.0.7.131
+	A	10.0.7.132
+	A	10.0.7.133
+	A	10.0.7.134
+	A	10.0.7.135
+	A	10.0.7.136
+	A	10.0.7.137
+	A	10.0.7.138
+	A	10.0.7.139
+	A	10.0.7.140
+	A	10.0.7.141
+	A	10.0.7.142
+	A	10.0.7.143
+	A	10.0.7.144
+	A	10.0.7.145
+	A	10.0.7.146
+	A	10.0.7.147
+	A	10.0.7.148
+	A	10.0.7.149
+	A	10.0.7.150
+	A	10.0.7.151
+	A	10.0.7.152
+	A	10.0.7.153
+	A	10.0.7.154
+	A	10.0.7.155
+	A	10.0.7.156
+	A	10.0.7.157
+	A	10.0.7.158
+	A	10.0.7.159
+	A	10.0.7.160
+	A	10.0.7.161
+	A	10.0.7.162
+	A	10.0.7.163
+	A	10.0.7.164
+	A	10.0.7.165
+	A	10.0.7.166
+	A	10.0.7.167
+	A	10.0.7.168
+	A	10.0.7.169
+	A	10.0.7.170
+	A	10.0.7.171
+	A	10.0.7.172
+	A	10.0.7.173
+	A	10.0.7.174
+	A	10.0.7.175
+	A	10.0.7.176
+	A	10.0.7.177
+	A	10.0.7.178
+	A	10.0.7.179
+	A	10.0.7.180
+	A	10.0.7.181
+	A	10.0.7.182
+	A	10.0.7.183
+	A	10.0.7.184
+	A	10.0.7.185
+	A	10.0.7.186
+	A	10.0.7.187
+	A	10.0.7.188
+	A	10.0.7.189
+	A	10.0.7.190
+	A	10.0.7.191
+	A	10.0.7.192
+	A	10.0.7.193
+	A	10.0.7.194
+	A	10.0.7.195
+	A	10.0.7.196
+	A	10.0.7.197
+	A	10.0.7.198
+	A	10.0.7.199
+	A	10.0.7.200
+	A	10.0.7.201
+	A	10.0.7.202
+	A	10.0.7.203
+	A	10.0.7.204
+	A	10.0.7.205
+	A	10.0.7.206
+	A	10.0.7.207
+	A	10.0.7.208
+	A	10.0.7.209
+	A	10.0.7.210
+	A	10.0.7.211
+	A	10.0.7.212
+	A	10.0.7.213
+	A	10.0.7.214
+	A	10.0.7.215
+	A	10.0.7.216
+	A	10.0.7.217
+	A	10.0.7.218
+	A	10.0.7.219
+	A	10.0.7.220
+	A	10.0.7.221
+	A	10.0.7.222
+	A	10.0.7.223
+	A	10.0.7.224
+	A	10.0.7.225
+	A	10.0.7.226
+	A	10.0.7.227
+	A	10.0.7.228
+	A	10.0.7.229
+	A	10.0.7.230
+	A	10.0.7.231
+	A	10.0.7.232
+	A	10.0.7.233
+	A	10.0.7.234
+	A	10.0.7.235
+	A	10.0.7.236
+	A	10.0.7.237
+	A	10.0.7.238
+	A	10.0.7.239
+	A	10.0.7.240
+	A	10.0.7.241
+	A	10.0.7.242
+	A	10.0.7.243
+	A	10.0.7.244
+	A	10.0.7.245
+	A	10.0.7.246
+	A	10.0.7.247
+	A	10.0.7.248
+	A	10.0.7.249
+	A	10.0.7.250
+	A	10.0.7.251
+	A	10.0.7.252
+	A	10.0.7.253
+	A	10.0.7.254
+	A	10.0.7.255
+	A	10.0.8.0
+	A	10.0.8.1
+	A	10.0.8.2
+	A	10.0.8.3
+	A	10.0.8.4
+	A	10.0.8.5
+	A	10.0.8.6
+	A	10.0.8.7
+	A	10.0.8.8
+	A	10.0.8.9
+	A	10.0.8.10
+	A	10.0.8.11
+	A	10.0.8.12
+	A	10.0.8.13
+	A	10.0.8.14
+	A	10.0.8.15
+	A	10.0.8.16
+	A	10.0.8.17
+	A	10.0.8.18
+	A	10.0.8.19
+	A	10.0.8.20
+	A	10.0.8.21
+	A	10.0.8.22
+	A	10.0.8.23
+	A	10.0.8.24
+	A	10.0.8.25
+	A	10.0.8.26
+	A	10.0.8.27
+	A	10.0.8.28
+	A	10.0.8.29
+	A	10.0.8.30
+	A	10.0.8.31
+	A	10.0.8.32
+	A	10.0.8.33
+	A	10.0.8.34
+	A	10.0.8.35
+	A	10.0.8.36
+	A	10.0.8.37
+	A	10.0.8.38
+	A	10.0.8.39
+	A	10.0.8.40
+	A	10.0.8.41
+	A	10.0.8.42
+	A	10.0.8.43
+	A	10.0.8.44
+	A	10.0.8.45
+	A	10.0.8.46
+	A	10.0.8.47
+	A	10.0.8.48
+	A	10.0.8.49
+	A	10.0.8.50
+	A	10.0.8.51
+	A	10.0.8.52
+	A	10.0.8.53
+	A	10.0.8.54
+	A	10.0.8.55
+	A	10.0.8.56
+	A	10.0.8.57
+	A	10.0.8.58
+	A	10.0.8.59
+	A	10.0.8.60
+	A	10.0.8.61
+	A	10.0.8.62
+	A	10.0.8.63
+	A	10.0.8.64
+	A	10.0.8.65
+	A	10.0.8.66
+	A	10.0.8.67
+	A	10.0.8.68
+	A	10.0.8.69
+	A	10.0.8.70
+	A	10.0.8.71
+	A	10.0.8.72
+	A	10.0.8.73
+	A	10.0.8.74
+	A	10.0.8.75
+	A	10.0.8.76
+	A	10.0.8.77
+	A	10.0.8.78
+	A	10.0.8.79
+	A	10.0.8.80
+	A	10.0.8.81
+	A	10.0.8.82
+	A	10.0.8.83
+	A	10.0.8.84
+	A	10.0.8.85
+	A	10.0.8.86
+	A	10.0.8.87
+	A	10.0.8.88
+	A	10.0.8.89
+	A	10.0.8.90
+	A	10.0.8.91
+	A	10.0.8.92
+	A	10.0.8.93
+	A	10.0.8.94
+	A	10.0.8.95
+	A	10.0.8.96
+	A	10.0.8.97
+	A	10.0.8.98
+	A	10.0.8.99
+	A	10.0.8.100
+	A	10.0.8.101
+	A	10.0.8.102
+	A	10.0.8.103
+	A	10.0.8.104
+	A	10.0.8.105
+	A	10.0.8.106
+	A	10.0.8.107
+	A	10.0.8.108
+	A	10.0.8.109
+	A	10.0.8.110
+	A	10.0.8.111
+	A	10.0.8.112
+	A	10.0.8.113
+	A	10.0.8.114
+	A	10.0.8.115
+	A	10.0.8.116
+	A	10.0.8.117
+	A	10.0.8.118
+	A	10.0.8.119
+	A	10.0.8.120
+	A	10.0.8.121
+	A	10.0.8.122
+	A	10.0.8.123
+	A	10.0.8.124
+	A	10.0.8.125
+	A	10.0.8.126
+	A	10.0.8.127
+	A	10.0.8.128
+	A	10.0.8.129
+	A	10.0.8.130
+	A	10.0.8.131
+	A	10.0.8.132
+	A	10.0.8.133
+	A	10.0.8.134
+	A	10.0.8.135
+	A	10.0.8.136
+	A	10.0.8.137
+	A	10.0.8.138
+	A	10.0.8.139
+	A	10.0.8.140
+	A	10.0.8.141
+	A	10.0.8.142
+	A	10.0.8.143
+	A	10.0.8.144
+	A	10.0.8.145
+	A	10.0.8.146
+	A	10.0.8.147
+	A	10.0.8.148
+	A	10.0.8.149
+	A	10.0.8.150
+	A	10.0.8.151
+	A	10.0.8.152
+	A	10.0.8.153
+	A	10.0.8.154
+	A	10.0.8.155
+	A	10.0.8.156
+	A	10.0.8.157
+	A	10.0.8.158
+	A	10.0.8.159
+	A	10.0.8.160
+	A	10.0.8.161
+	A	10.0.8.162
+	A	10.0.8.163
+	A	10.0.8.164
+	A	10.0.8.165
+	A	10.0.8.166
+	A	10.0.8.167
+	A	10.0.8.168
+	A	10.0.8.169
+	A	10.0.8.170
+	A	10.0.8.171
+	A	10.0.8.172
+	A	10.0.8.173
+	A	10.0.8.174
+	A	10.0.8.175
+	A	10.0.8.176
+	A	10.0.8.177
+	A	10.0.8.178
+	A	10.0.8.179
+	A	10.0.8.180
+	A	10.0.8.181
+	A	10.0.8.182
+	A	10.0.8.183
+	A	10.0.8.184
+	A	10.0.8.185
+	A	10.0.8.186
+	A	10.0.8.187
+	A	10.0.8.188
+	A	10.0.8.189
+	A	10.0.8.190
+	A	10.0.8.191
+	A	10.0.8.192
+	A	10.0.8.193
+	A	10.0.8.194
+	A	10.0.8.195
+	A	10.0.8.196
+	A	10.0.8.197
+	A	10.0.8.198
+	A	10.0.8.199
+	A	10.0.8.200
+	A	10.0.8.201
+	A	10.0.8.202
+	A	10.0.8.203
+	A	10.0.8.204
+	A	10.0.8.205
+	A	10.0.8.206
+	A	10.0.8.207
+	A	10.0.8.208
+	A	10.0.8.209
+	A	10.0.8.210
+	A	10.0.8.211
+	A	10.0.8.212
+	A	10.0.8.213
+	A	10.0.8.214
+	A	10.0.8.215
+	A	10.0.8.216
+	A	10.0.8.217
+	A	10.0.8.218
+	A	10.0.8.219
+	A	10.0.8.220
+	A	10.0.8.221
+	A	10.0.8.222
+	A	10.0.8.223
+	A	10.0.8.224
+	A	10.0.8.225
+	A	10.0.8.226
+	A	10.0.8.227
+	A	10.0.8.228
+	A	10.0.8.229
+	A	10.0.8.230
+	A	10.0.8.231
+	A	10.0.8.232
+	A	10.0.8.233
+	A	10.0.8.234
+	A	10.0.8.235
+	A	10.0.8.236
+	A	10.0.8.237
+	A	10.0.8.238
+	A	10.0.8.239
+	A	10.0.8.240
+	A	10.0.8.241
+	A	10.0.8.242
+	A	10.0.8.243
+	A	10.0.8.244
+	A	10.0.8.245
+	A	10.0.8.246
+	A	10.0.8.247
+	A	10.0.8.248
+	A	10.0.8.249
+	A	10.0.8.250
+	A	10.0.8.251
+	A	10.0.8.252
+	A	10.0.8.253
+	A	10.0.8.254
+	A	10.0.8.255
+	A	10.0.9.0
+	A	10.0.9.1
+	A	10.0.9.2
+	A	10.0.9.3
+	A	10.0.9.4
+	A	10.0.9.5
+	A	10.0.9.6
+	A	10.0.9.7
+	A	10.0.9.8
+	A	10.0.9.9
+	A	10.0.9.10
+	A	10.0.9.11
+	A	10.0.9.12
+	A	10.0.9.13
+	A	10.0.9.14
+	A	10.0.9.15
+	A	10.0.9.16
+	A	10.0.9.17
+	A	10.0.9.18
+	A	10.0.9.19
+	A	10.0.9.20
+	A	10.0.9.21
+	A	10.0.9.22
+	A	10.0.9.23
+	A	10.0.9.24
+	A	10.0.9.25
+	A	10.0.9.26
+	A	10.0.9.27
+	A	10.0.9.28
+	A	10.0.9.29
+	A	10.0.9.30
+	A	10.0.9.31
+	A	10.0.9.32
+	A	10.0.9.33
+	A	10.0.9.34
+	A	10.0.9.35
+	A	10.0.9.36
+	A	10.0.9.37
+	A	10.0.9.38
+	A	10.0.9.39
+	A	10.0.9.40
+	A	10.0.9.41
+	A	10.0.9.42
+	A	10.0.9.43
+	A	10.0.9.44
+	A	10.0.9.45
+	A	10.0.9.46
+	A	10.0.9.47
+	A	10.0.9.48
+	A	10.0.9.49
+	A	10.0.9.50
+	A	10.0.9.51
+	A	10.0.9.52
+	A	10.0.9.53
+	A	10.0.9.54
+	A	10.0.9.55
+	A	10.0.9.56
+	A	10.0.9.57
+	A	10.0.9.58
+	A	10.0.9.59
+	A	10.0.9.60
+	A	10.0.9.61
+	A	10.0.9.62
+	A	10.0.9.63
+	A	10.0.9.64
+	A	10.0.9.65
+	A	10.0.9.66
+	A	10.0.9.67
+	A	10.0.9.68
+	A	10.0.9.69
+	A	10.0.9.70
+	A	10.0.9.71
+	A	10.0.9.72
+	A	10.0.9.73
+	A	10.0.9.74
+	A	10.0.9.75
+	A	10.0.9.76
+	A	10.0.9.77
+	A	10.0.9.78
+	A	10.0.9.79
+	A	10.0.9.80
+	A	10.0.9.81
+	A	10.0.9.82
+	A	10.0.9.83
+	A	10.0.9.84
+	A	10.0.9.85
+	A	10.0.9.86
+	A	10.0.9.87
+	A	10.0.9.88
+	A	10.0.9.89
+	A	10.0.9.90
+	A	10.0.9.91
+	A	10.0.9.92
+	A	10.0.9.93
+	A	10.0.9.94
+	A	10.0.9.95
+	A	10.0.9.96
+	A	10.0.9.97
+	A	10.0.9.98
+	A	10.0.9.99
+	A	10.0.9.100
+	A	10.0.9.101
+	A	10.0.9.102
+	A	10.0.9.103
+	A	10.0.9.104
+	A	10.0.9.105
+	A	10.0.9.106
+	A	10.0.9.107
+	A	10.0.9.108
+	A	10.0.9.109
+	A	10.0.9.110
+	A	10.0.9.111
+	A	10.0.9.112
+	A	10.0.9.113
+	A	10.0.9.114
+	A	10.0.9.115
+	A	10.0.9.116
+	A	10.0.9.117
+	A	10.0.9.118
+	A	10.0.9.119
+	A	10.0.9.120
+	A	10.0.9.121
+	A	10.0.9.122
+	A	10.0.9.123
+	A	10.0.9.124
+	A	10.0.9.125
+	A	10.0.9.126
+	A	10.0.9.127
+	A	10.0.9.128
+	A	10.0.9.129
+	A	10.0.9.130
+	A	10.0.9.131
+	A	10.0.9.132
+	A	10.0.9.133
+	A	10.0.9.134
+	A	10.0.9.135
+	A	10.0.9.136
+	A	10.0.9.137
+	A	10.0.9.138
+	A	10.0.9.139
+	A	10.0.9.140
+	A	10.0.9.141
+	A	10.0.9.142
+	A	10.0.9.143
+	A	10.0.9.144
+	A	10.0.9.145
+	A	10.0.9.146
+	A	10.0.9.147
+	A	10.0.9.148
+	A	10.0.9.149
+	A	10.0.9.150
+	A	10.0.9.151
+	A	10.0.9.152
+	A	10.0.9.153
+	A	10.0.9.154
+	A	10.0.9.155
+	A	10.0.9.156
+	A	10.0.9.157
+	A	10.0.9.158
+	A	10.0.9.159
+	A	10.0.9.160
+	A	10.0.9.161
+	A	10.0.9.162
+	A	10.0.9.163
+	A	10.0.9.164
+	A	10.0.9.165
+	A	10.0.9.166
+	A	10.0.9.167
+	A	10.0.9.168
+	A	10.0.9.169
+	A	10.0.9.170
+	A	10.0.9.171
+	A	10.0.9.172
+	A	10.0.9.173
+	A	10.0.9.174
+	A	10.0.9.175
+	A	10.0.9.176
+	A	10.0.9.177
+	A	10.0.9.178
+	A	10.0.9.179
+	A	10.0.9.180
+	A	10.0.9.181
+	A	10.0.9.182
+	A	10.0.9.183
+	A	10.0.9.184
+	A	10.0.9.185
+	A	10.0.9.186
+	A	10.0.9.187
+	A	10.0.9.188
+	A	10.0.9.189
+	A	10.0.9.190
+	A	10.0.9.191
+	A	10.0.9.192
+	A	10.0.9.193
+	A	10.0.9.194
+	A	10.0.9.195
+	A	10.0.9.196
+	A	10.0.9.197
+	A	10.0.9.198
+	A	10.0.9.199
+	A	10.0.9.200
+	A	10.0.9.201
+	A	10.0.9.202
+	A	10.0.9.203
+	A	10.0.9.204
+	A	10.0.9.205
+	A	10.0.9.206
+	A	10.0.9.207
+	A	10.0.9.208
+	A	10.0.9.209
+	A	10.0.9.210
+	A	10.0.9.211
+	A	10.0.9.212
+	A	10.0.9.213
+	A	10.0.9.214
+	A	10.0.9.215
+	A	10.0.9.216
+	A	10.0.9.217
+	A	10.0.9.218
+	A	10.0.9.219
+	A	10.0.9.220
+	A	10.0.9.221
+	A	10.0.9.222
+	A	10.0.9.223
+	A	10.0.9.224
+	A	10.0.9.225
+	A	10.0.9.226
+	A	10.0.9.227
+	A	10.0.9.228
+	A	10.0.9.229
+	A	10.0.9.230
+	A	10.0.9.231
+	A	10.0.9.232
+	A	10.0.9.233
+	A	10.0.9.234
+	A	10.0.9.235
+	A	10.0.9.236
+	A	10.0.9.237
+	A	10.0.9.238
+	A	10.0.9.239
+	A	10.0.9.240
+	A	10.0.9.241
+	A	10.0.9.242
+	A	10.0.9.243
+	A	10.0.9.244
+	A	10.0.9.245
+	A	10.0.9.246
+	A	10.0.9.247
+	A	10.0.9.248
+	A	10.0.9.249
+	A	10.0.9.250
+	A	10.0.9.251
+	A	10.0.9.252
+	A	10.0.9.253
+	A	10.0.9.254
+	A	10.0.9.255
+	A	10.0.10.0
+	A	10.0.10.1
+	A	10.0.10.2
+	A	10.0.10.3
+	A	10.0.10.4
+	A	10.0.10.5
+	A	10.0.10.6
+	A	10.0.10.7
+	A	10.0.10.8
+	A	10.0.10.9
+	A	10.0.10.10
+	A	10.0.10.11
+	A	10.0.10.12
+	A	10.0.10.13
+	A	10.0.10.14
+	A	10.0.10.15
+	A	10.0.10.16
+	A	10.0.10.17
+	A	10.0.10.18
+	A	10.0.10.19
+	A	10.0.10.20
+	A	10.0.10.21
+	A	10.0.10.22
+	A	10.0.10.23
+	A	10.0.10.24
+	A	10.0.10.25
+	A	10.0.10.26
+	A	10.0.10.27
+	A	10.0.10.28
+	A	10.0.10.29
+	A	10.0.10.30
+	A	10.0.10.31
+	A	10.0.10.32
+	A	10.0.10.33
+	A	10.0.10.34
+	A	10.0.10.35
+	A	10.0.10.36
+	A	10.0.10.37
+	A	10.0.10.38
+	A	10.0.10.39
+	A	10.0.10.40
+	A	10.0.10.41
+	A	10.0.10.42
+	A	10.0.10.43
+	A	10.0.10.44
+	A	10.0.10.45
+	A	10.0.10.46
+	A	10.0.10.47
+	A	10.0.10.48
+	A	10.0.10.49
+	A	10.0.10.50
+	A	10.0.10.51
+	A	10.0.10.52
+	A	10.0.10.53
+	A	10.0.10.54
+	A	10.0.10.55
+	A	10.0.10.56
+	A	10.0.10.57
+	A	10.0.10.58
+	A	10.0.10.59
+	A	10.0.10.60
+	A	10.0.10.61
+	A	10.0.10.62
+	A	10.0.10.63
+	A	10.0.10.64
+	A	10.0.10.65
+	A	10.0.10.66
+	A	10.0.10.67
+	A	10.0.10.68
+	A	10.0.10.69
+	A	10.0.10.70
+	A	10.0.10.71
+	A	10.0.10.72
+	A	10.0.10.73
+	A	10.0.10.74
+	A	10.0.10.75
+	A	10.0.10.76
+	A	10.0.10.77
+	A	10.0.10.78
+	A	10.0.10.79
+	A	10.0.10.80
+	A	10.0.10.81
+	A	10.0.10.82
+	A	10.0.10.83
+	A	10.0.10.84
+	A	10.0.10.85
+	A	10.0.10.86
+	A	10.0.10.87
+	A	10.0.10.88
+	A	10.0.10.89
+	A	10.0.10.90
+	A	10.0.10.91
+	A	10.0.10.92
+	A	10.0.10.93
+	A	10.0.10.94
+	A	10.0.10.95
+	A	10.0.10.96
+	A	10.0.10.97
+	A	10.0.10.98
+	A	10.0.10.99
+	A	10.0.10.100
+	A	10.0.10.101
+	A	10.0.10.102
+	A	10.0.10.103
+	A	10.0.10.104
+	A	10.0.10.105
+	A	10.0.10.106
+	A	10.0.10.107
+	A	10.0.10.108
+	A	10.0.10.109
+	A	10.0.10.110
+	A	10.0.10.111
+	A	10.0.10.112
+	A	10.0.10.113
+	A	10.0.10.114
+	A	10.0.10.115
+	A	10.0.10.116
+	A	10.0.10.117
+	A	10.0.10.118
+	A	10.0.10.119
+	A	10.0.10.120
+	A	10.0.10.121
+	A	10.0.10.122
+	A	10.0.10.123
+	A	10.0.10.124
+	A	10.0.10.125
+	A	10.0.10.126
+	A	10.0.10.127
+	A	10.0.10.128
+	A	10.0.10.129
+	A	10.0.10.130
+	A	10.0.10.131
+	A	10.0.10.132
+	A	10.0.10.133
+	A	10.0.10.134
+	A	10.0.10.135
+	A	10.0.10.136
+	A	10.0.10.137
+	A	10.0.10.138
+	A	10.0.10.139
+	A	10.0.10.140
+	A	10.0.10.141
+	A	10.0.10.142
+	A	10.0.10.143
+	A	10.0.10.144
+	A	10.0.10.145
+	A	10.0.10.146
+	A	10.0.10.147
+	A	10.0.10.148
+	A	10.0.10.149
+	A	10.0.10.150
+	A	10.0.10.151
+	A	10.0.10.152
+	A	10.0.10.153
+	A	10.0.10.154
+	A	10.0.10.155
+	A	10.0.10.156
+	A	10.0.10.157
+	A	10.0.10.158
+	A	10.0.10.159
+	A	10.0.10.160
+	A	10.0.10.161
+	A	10.0.10.162
+	A	10.0.10.163
+	A	10.0.10.164
+	A	10.0.10.165
+	A	10.0.10.166
+	A	10.0.10.167
+	A	10.0.10.168
+	A	10.0.10.169
+	A	10.0.10.170
+	A	10.0.10.171
+	A	10.0.10.172
+	A	10.0.10.173
+	A	10.0.10.174
+	A	10.0.10.175
+	A	10.0.10.176
+	A	10.0.10.177
+	A	10.0.10.178
+	A	10.0.10.179
+	A	10.0.10.180
+	A	10.0.10.181
+	A	10.0.10.182
+	A	10.0.10.183
+	A	10.0.10.184
+	A	10.0.10.185
+	A	10.0.10.186
+	A	10.0.10.187
+	A	10.0.10.188
+	A	10.0.10.189
+	A	10.0.10.190
+	A	10.0.10.191
+	A	10.0.10.192
+	A	10.0.10.193
+	A	10.0.10.194
+	A	10.0.10.195
+	A	10.0.10.196
+	A	10.0.10.197
+	A	10.0.10.198
+	A	10.0.10.199
+	A	10.0.10.200
+	A	10.0.10.201
+	A	10.0.10.202
+	A	10.0.10.203
+	A	10.0.10.204
+	A	10.0.10.205
+	A	10.0.10.206
+	A	10.0.10.207
+	A	10.0.10.208
+	A	10.0.10.209
+	A	10.0.10.210
+	A	10.0.10.211
+	A	10.0.10.212
+	A	10.0.10.213
+	A	10.0.10.214
+	A	10.0.10.215
+	A	10.0.10.216
+	A	10.0.10.217
+	A	10.0.10.218
+	A	10.0.10.219
+	A	10.0.10.220
+	A	10.0.10.221
+	A	10.0.10.222
+	A	10.0.10.223
+	A	10.0.10.224
+	A	10.0.10.225
+	A	10.0.10.226
+	A	10.0.10.227
+	A	10.0.10.228
+	A	10.0.10.229
+	A	10.0.10.230
+	A	10.0.10.231
+	A	10.0.10.232
+	A	10.0.10.233
+	A	10.0.10.234
+	A	10.0.10.235
+	A	10.0.10.236
+	A	10.0.10.237
+	A	10.0.10.238
+	A	10.0.10.239
+	A	10.0.10.240
+	A	10.0.10.241
+	A	10.0.10.242
+	A	10.0.10.243
+	A	10.0.10.244
+	A	10.0.10.245
+	A	10.0.10.246
+	A	10.0.10.247
+	A	10.0.10.248
+	A	10.0.10.249
+	A	10.0.10.250
+	A	10.0.10.251
+	A	10.0.10.252
+	A	10.0.10.253
+	A	10.0.10.254
+	A	10.0.10.255
+	A	10.0.11.0
+	A	10.0.11.1
+	A	10.0.11.2
+	A	10.0.11.3
+	A	10.0.11.4
+	A	10.0.11.5
+	A	10.0.11.6
+	A	10.0.11.7
+	A	10.0.11.8
+	A	10.0.11.9
+	A	10.0.11.10
+	A	10.0.11.11
+	A	10.0.11.12
+	A	10.0.11.13
+	A	10.0.11.14
+	A	10.0.11.15
+	A	10.0.11.16
+	A	10.0.11.17
+	A	10.0.11.18
+	A	10.0.11.19
+	A	10.0.11.20
+	A	10.0.11.21
+	A	10.0.11.22
+	A	10.0.11.23
+	A	10.0.11.24
+	A	10.0.11.25
+	A	10.0.11.26
+	A	10.0.11.27
+	A	10.0.11.28
+	A	10.0.11.29
+	A	10.0.11.30
+	A	10.0.11.31
+	A	10.0.11.32
+	A	10.0.11.33
+	A	10.0.11.34
+	A	10.0.11.35
+	A	10.0.11.36
+	A	10.0.11.37
+	A	10.0.11.38
+	A	10.0.11.39
+	A	10.0.11.40
+	A	10.0.11.41
+	A	10.0.11.42
+	A	10.0.11.43
+	A	10.0.11.44
+	A	10.0.11.45
+	A	10.0.11.46
+	A	10.0.11.47
+	A	10.0.11.48
+	A	10.0.11.49
+	A	10.0.11.50
+	A	10.0.11.51
+	A	10.0.11.52
+	A	10.0.11.53
+	A	10.0.11.54
+	A	10.0.11.55
+	A	10.0.11.56
+	A	10.0.11.57
+	A	10.0.11.58
+	A	10.0.11.59
+	A	10.0.11.60
+	A	10.0.11.61
+	A	10.0.11.62
+	A	10.0.11.63
+	A	10.0.11.64
+	A	10.0.11.65
+	A	10.0.11.66
+	A	10.0.11.67
+	A	10.0.11.68
+	A	10.0.11.69
+	A	10.0.11.70
+	A	10.0.11.71
+	A	10.0.11.72
+	A	10.0.11.73
+	A	10.0.11.74
+	A	10.0.11.75
+	A	10.0.11.76
+	A	10.0.11.77
+	A	10.0.11.78
+	A	10.0.11.79
+	A	10.0.11.80
+	A	10.0.11.81
+	A	10.0.11.82
+	A	10.0.11.83
+	A	10.0.11.84
+	A	10.0.11.85
+	A	10.0.11.86
+	A	10.0.11.87
+	A	10.0.11.88
+	A	10.0.11.89
+	A	10.0.11.90
+	A	10.0.11.91
+	A	10.0.11.92
+	A	10.0.11.93
+	A	10.0.11.94
+	A	10.0.11.95
+	A	10.0.11.96
+	A	10.0.11.97
+	A	10.0.11.98
+	A	10.0.11.99
+	A	10.0.11.100
+	A	10.0.11.101
+	A	10.0.11.102
+	A	10.0.11.103
+	A	10.0.11.104
+	A	10.0.11.105
+	A	10.0.11.106
+	A	10.0.11.107
+	A	10.0.11.108
+	A	10.0.11.109
+	A	10.0.11.110
+	A	10.0.11.111
+	A	10.0.11.112
+	A	10.0.11.113
+	A	10.0.11.114
+	A	10.0.11.115
+	A	10.0.11.116
+	A	10.0.11.117
+	A	10.0.11.118
+	A	10.0.11.119
+	A	10.0.11.120
+	A	10.0.11.121
+	A	10.0.11.122
+	A	10.0.11.123
+	A	10.0.11.124
+	A	10.0.11.125
+	A	10.0.11.126
+	A	10.0.11.127
+	A	10.0.11.128
+	A	10.0.11.129
+	A	10.0.11.130
+	A	10.0.11.131
+	A	10.0.11.132
+	A	10.0.11.133
+	A	10.0.11.134
+	A	10.0.11.135
+	A	10.0.11.136
+	A	10.0.11.137
+	A	10.0.11.138
+	A	10.0.11.139
+	A	10.0.11.140
+	A	10.0.11.141
+	A	10.0.11.142
+	A	10.0.11.143
+	A	10.0.11.144
+	A	10.0.11.145
+	A	10.0.11.146
+	A	10.0.11.147
+	A	10.0.11.148
+	A	10.0.11.149
+	A	10.0.11.150
+	A	10.0.11.151
+	A	10.0.11.152
+	A	10.0.11.153
+	A	10.0.11.154
+	A	10.0.11.155
+	A	10.0.11.156
+	A	10.0.11.157
+	A	10.0.11.158
+	A	10.0.11.159
+	A	10.0.11.160
+	A	10.0.11.161
+	A	10.0.11.162
+	A	10.0.11.163
+	A	10.0.11.164
+	A	10.0.11.165
+	A	10.0.11.166
+	A	10.0.11.167
+	A	10.0.11.168
+	A	10.0.11.169
+	A	10.0.11.170
+	A	10.0.11.171
+	A	10.0.11.172
+	A	10.0.11.173
+	A	10.0.11.174
+	A	10.0.11.175
+	A	10.0.11.176
+	A	10.0.11.177
+	A	10.0.11.178
+	A	10.0.11.179
+	A	10.0.11.180
+	A	10.0.11.181
+	A	10.0.11.182
+	A	10.0.11.183
+4000	A	10.0.0.0
+	A	10.0.0.1
+	A	10.0.0.2
+	A	10.0.0.3
+	A	10.0.0.4
+	A	10.0.0.5
+	A	10.0.0.6
+	A	10.0.0.7
+	A	10.0.0.8
+	A	10.0.0.9
+	A	10.0.0.10
+	A	10.0.0.11
+	A	10.0.0.12
+	A	10.0.0.13
+	A	10.0.0.14
+	A	10.0.0.15
+	A	10.0.0.16
+	A	10.0.0.17
+	A	10.0.0.18
+	A	10.0.0.19
+	A	10.0.0.20
+	A	10.0.0.21
+	A	10.0.0.22
+	A	10.0.0.23
+	A	10.0.0.24
+	A	10.0.0.25
+	A	10.0.0.26
+	A	10.0.0.27
+	A	10.0.0.28
+	A	10.0.0.29
+	A	10.0.0.30
+	A	10.0.0.31
+	A	10.0.0.32
+	A	10.0.0.33
+	A	10.0.0.34
+	A	10.0.0.35
+	A	10.0.0.36
+	A	10.0.0.37
+	A	10.0.0.38
+	A	10.0.0.39
+	A	10.0.0.40
+	A	10.0.0.41
+	A	10.0.0.42
+	A	10.0.0.43
+	A	10.0.0.44
+	A	10.0.0.45
+	A	10.0.0.46
+	A	10.0.0.47
+	A	10.0.0.48
+	A	10.0.0.49
+	A	10.0.0.50
+	A	10.0.0.51
+	A	10.0.0.52
+	A	10.0.0.53
+	A	10.0.0.54
+	A	10.0.0.55
+	A	10.0.0.56
+	A	10.0.0.57
+	A	10.0.0.58
+	A	10.0.0.59
+	A	10.0.0.60
+	A	10.0.0.61
+	A	10.0.0.62
+	A	10.0.0.63
+	A	10.0.0.64
+	A	10.0.0.65
+	A	10.0.0.66
+	A	10.0.0.67
+	A	10.0.0.68
+	A	10.0.0.69
+	A	10.0.0.70
+	A	10.0.0.71
+	A	10.0.0.72
+	A	10.0.0.73
+	A	10.0.0.74
+	A	10.0.0.75
+	A	10.0.0.76
+	A	10.0.0.77
+	A	10.0.0.78
+	A	10.0.0.79
+	A	10.0.0.80
+	A	10.0.0.81
+	A	10.0.0.82
+	A	10.0.0.83
+	A	10.0.0.84
+	A	10.0.0.85
+	A	10.0.0.86
+	A	10.0.0.87
+	A	10.0.0.88
+	A	10.0.0.89
+	A	10.0.0.90
+	A	10.0.0.91
+	A	10.0.0.92
+	A	10.0.0.93
+	A	10.0.0.94
+	A	10.0.0.95
+	A	10.0.0.96
+	A	10.0.0.97
+	A	10.0.0.98
+	A	10.0.0.99
+	A	10.0.0.100
+	A	10.0.0.101
+	A	10.0.0.102
+	A	10.0.0.103
+	A	10.0.0.104
+	A	10.0.0.105
+	A	10.0.0.106
+	A	10.0.0.107
+	A	10.0.0.108
+	A	10.0.0.109
+	A	10.0.0.110
+	A	10.0.0.111
+	A	10.0.0.112
+	A	10.0.0.113
+	A	10.0.0.114
+	A	10.0.0.115
+	A	10.0.0.116
+	A	10.0.0.117
+	A	10.0.0.118
+	A	10.0.0.119
+	A	10.0.0.120
+	A	10.0.0.121
+	A	10.0.0.122
+	A	10.0.0.123
+	A	10.0.0.124
+	A	10.0.0.125
+	A	10.0.0.126
+	A	10.0.0.127
+	A	10.0.0.128
+	A	10.0.0.129
+	A	10.0.0.130
+	A	10.0.0.131
+	A	10.0.0.132
+	A	10.0.0.133
+	A	10.0.0.134
+	A	10.0.0.135
+	A	10.0.0.136
+	A	10.0.0.137
+	A	10.0.0.138
+	A	10.0.0.139
+	A	10.0.0.140
+	A	10.0.0.141
+	A	10.0.0.142
+	A	10.0.0.143
+	A	10.0.0.144
+	A	10.0.0.145
+	A	10.0.0.146
+	A	10.0.0.147
+	A	10.0.0.148
+	A	10.0.0.149
+	A	10.0.0.150
+	A	10.0.0.151
+	A	10.0.0.152
+	A	10.0.0.153
+	A	10.0.0.154
+	A	10.0.0.155
+	A	10.0.0.156
+	A	10.0.0.157
+	A	10.0.0.158
+	A	10.0.0.159
+	A	10.0.0.160
+	A	10.0.0.161
+	A	10.0.0.162
+	A	10.0.0.163
+	A	10.0.0.164
+	A	10.0.0.165
+	A	10.0.0.166
+	A	10.0.0.167
+	A	10.0.0.168
+	A	10.0.0.169
+	A	10.0.0.170
+	A	10.0.0.171
+	A	10.0.0.172
+	A	10.0.0.173
+	A	10.0.0.174
+	A	10.0.0.175
+	A	10.0.0.176
+	A	10.0.0.177
+	A	10.0.0.178
+	A	10.0.0.179
+	A	10.0.0.180
+	A	10.0.0.181
+	A	10.0.0.182
+	A	10.0.0.183
+	A	10.0.0.184
+	A	10.0.0.185
+	A	10.0.0.186
+	A	10.0.0.187
+	A	10.0.0.188
+	A	10.0.0.189
+	A	10.0.0.190
+	A	10.0.0.191
+	A	10.0.0.192
+	A	10.0.0.193
+	A	10.0.0.194
+	A	10.0.0.195
+	A	10.0.0.196
+	A	10.0.0.197
+	A	10.0.0.198
+	A	10.0.0.199
+	A	10.0.0.200
+	A	10.0.0.201
+	A	10.0.0.202
+	A	10.0.0.203
+	A	10.0.0.204
+	A	10.0.0.205
+	A	10.0.0.206
+	A	10.0.0.207
+	A	10.0.0.208
+	A	10.0.0.209
+	A	10.0.0.210
+	A	10.0.0.211
+	A	10.0.0.212
+	A	10.0.0.213
+	A	10.0.0.214
+	A	10.0.0.215
+	A	10.0.0.216
+	A	10.0.0.217
+	A	10.0.0.218
+	A	10.0.0.219
+	A	10.0.0.220
+	A	10.0.0.221
+	A	10.0.0.222
+	A	10.0.0.223
+	A	10.0.0.224
+	A	10.0.0.225
+	A	10.0.0.226
+	A	10.0.0.227
+	A	10.0.0.228
+	A	10.0.0.229
+	A	10.0.0.230
+	A	10.0.0.231
+	A	10.0.0.232
+	A	10.0.0.233
+	A	10.0.0.234
+	A	10.0.0.235
+	A	10.0.0.236
+	A	10.0.0.237
+	A	10.0.0.238
+	A	10.0.0.239
+	A	10.0.0.240
+	A	10.0.0.241
+	A	10.0.0.242
+	A	10.0.0.243
+	A	10.0.0.244
+	A	10.0.0.245
+	A	10.0.0.246
+	A	10.0.0.247
+	A	10.0.0.248
+	A	10.0.0.249
+	A	10.0.0.250
+	A	10.0.0.251
+	A	10.0.0.252
+	A	10.0.0.253
+	A	10.0.0.254
+	A	10.0.0.255
+	A	10.0.1.0
+	A	10.0.1.1
+	A	10.0.1.2
+	A	10.0.1.3
+	A	10.0.1.4
+	A	10.0.1.5
+	A	10.0.1.6
+	A	10.0.1.7
+	A	10.0.1.8
+	A	10.0.1.9
+	A	10.0.1.10
+	A	10.0.1.11
+	A	10.0.1.12
+	A	10.0.1.13
+	A	10.0.1.14
+	A	10.0.1.15
+	A	10.0.1.16
+	A	10.0.1.17
+	A	10.0.1.18
+	A	10.0.1.19
+	A	10.0.1.20
+	A	10.0.1.21
+	A	10.0.1.22
+	A	10.0.1.23
+	A	10.0.1.24
+	A	10.0.1.25
+	A	10.0.1.26
+	A	10.0.1.27
+	A	10.0.1.28
+	A	10.0.1.29
+	A	10.0.1.30
+	A	10.0.1.31
+	A	10.0.1.32
+	A	10.0.1.33
+	A	10.0.1.34
+	A	10.0.1.35
+	A	10.0.1.36
+	A	10.0.1.37
+	A	10.0.1.38
+	A	10.0.1.39
+	A	10.0.1.40
+	A	10.0.1.41
+	A	10.0.1.42
+	A	10.0.1.43
+	A	10.0.1.44
+	A	10.0.1.45
+	A	10.0.1.46
+	A	10.0.1.47
+	A	10.0.1.48
+	A	10.0.1.49
+	A	10.0.1.50
+	A	10.0.1.51
+	A	10.0.1.52
+	A	10.0.1.53
+	A	10.0.1.54
+	A	10.0.1.55
+	A	10.0.1.56
+	A	10.0.1.57
+	A	10.0.1.58
+	A	10.0.1.59
+	A	10.0.1.60
+	A	10.0.1.61
+	A	10.0.1.62
+	A	10.0.1.63
+	A	10.0.1.64
+	A	10.0.1.65
+	A	10.0.1.66
+	A	10.0.1.67
+	A	10.0.1.68
+	A	10.0.1.69
+	A	10.0.1.70
+	A	10.0.1.71
+	A	10.0.1.72
+	A	10.0.1.73
+	A	10.0.1.74
+	A	10.0.1.75
+	A	10.0.1.76
+	A	10.0.1.77
+	A	10.0.1.78
+	A	10.0.1.79
+	A	10.0.1.80
+	A	10.0.1.81
+	A	10.0.1.82
+	A	10.0.1.83
+	A	10.0.1.84
+	A	10.0.1.85
+	A	10.0.1.86
+	A	10.0.1.87
+	A	10.0.1.88
+	A	10.0.1.89
+	A	10.0.1.90
+	A	10.0.1.91
+	A	10.0.1.92
+	A	10.0.1.93
+	A	10.0.1.94
+	A	10.0.1.95
+	A	10.0.1.96
+	A	10.0.1.97
+	A	10.0.1.98
+	A	10.0.1.99
+	A	10.0.1.100
+	A	10.0.1.101
+	A	10.0.1.102
+	A	10.0.1.103
+	A	10.0.1.104
+	A	10.0.1.105
+	A	10.0.1.106
+	A	10.0.1.107
+	A	10.0.1.108
+	A	10.0.1.109
+	A	10.0.1.110
+	A	10.0.1.111
+	A	10.0.1.112
+	A	10.0.1.113
+	A	10.0.1.114
+	A	10.0.1.115
+	A	10.0.1.116
+	A	10.0.1.117
+	A	10.0.1.118
+	A	10.0.1.119
+	A	10.0.1.120
+	A	10.0.1.121
+	A	10.0.1.122
+	A	10.0.1.123
+	A	10.0.1.124
+	A	10.0.1.125
+	A	10.0.1.126
+	A	10.0.1.127
+	A	10.0.1.128
+	A	10.0.1.129
+	A	10.0.1.130
+	A	10.0.1.131
+	A	10.0.1.132
+	A	10.0.1.133
+	A	10.0.1.134
+	A	10.0.1.135
+	A	10.0.1.136
+	A	10.0.1.137
+	A	10.0.1.138
+	A	10.0.1.139
+	A	10.0.1.140
+	A	10.0.1.141
+	A	10.0.1.142
+	A	10.0.1.143
+	A	10.0.1.144
+	A	10.0.1.145
+	A	10.0.1.146
+	A	10.0.1.147
+	A	10.0.1.148
+	A	10.0.1.149
+	A	10.0.1.150
+	A	10.0.1.151
+	A	10.0.1.152
+	A	10.0.1.153
+	A	10.0.1.154
+	A	10.0.1.155
+	A	10.0.1.156
+	A	10.0.1.157
+	A	10.0.1.158
+	A	10.0.1.159
+	A	10.0.1.160
+	A	10.0.1.161
+	A	10.0.1.162
+	A	10.0.1.163
+	A	10.0.1.164
+	A	10.0.1.165
+	A	10.0.1.166
+	A	10.0.1.167
+	A	10.0.1.168
+	A	10.0.1.169
+	A	10.0.1.170
+	A	10.0.1.171
+	A	10.0.1.172
+	A	10.0.1.173
+	A	10.0.1.174
+	A	10.0.1.175
+	A	10.0.1.176
+	A	10.0.1.177
+	A	10.0.1.178
+	A	10.0.1.179
+	A	10.0.1.180
+	A	10.0.1.181
+	A	10.0.1.182
+	A	10.0.1.183
+	A	10.0.1.184
+	A	10.0.1.185
+	A	10.0.1.186
+	A	10.0.1.187
+	A	10.0.1.188
+	A	10.0.1.189
+	A	10.0.1.190
+	A	10.0.1.191
+	A	10.0.1.192
+	A	10.0.1.193
+	A	10.0.1.194
+	A	10.0.1.195
+	A	10.0.1.196
+	A	10.0.1.197
+	A	10.0.1.198
+	A	10.0.1.199
+	A	10.0.1.200
+	A	10.0.1.201
+	A	10.0.1.202
+	A	10.0.1.203
+	A	10.0.1.204
+	A	10.0.1.205
+	A	10.0.1.206
+	A	10.0.1.207
+	A	10.0.1.208
+	A	10.0.1.209
+	A	10.0.1.210
+	A	10.0.1.211
+	A	10.0.1.212
+	A	10.0.1.213
+	A	10.0.1.214
+	A	10.0.1.215
+	A	10.0.1.216
+	A	10.0.1.217
+	A	10.0.1.218
+	A	10.0.1.219
+	A	10.0.1.220
+	A	10.0.1.221
+	A	10.0.1.222
+	A	10.0.1.223
+	A	10.0.1.224
+	A	10.0.1.225
+	A	10.0.1.226
+	A	10.0.1.227
+	A	10.0.1.228
+	A	10.0.1.229
+	A	10.0.1.230
+	A	10.0.1.231
+	A	10.0.1.232
+	A	10.0.1.233
+	A	10.0.1.234
+	A	10.0.1.235
+	A	10.0.1.236
+	A	10.0.1.237
+	A	10.0.1.238
+	A	10.0.1.239
+	A	10.0.1.240
+	A	10.0.1.241
+	A	10.0.1.242
+	A	10.0.1.243
+	A	10.0.1.244
+	A	10.0.1.245
+	A	10.0.1.246
+	A	10.0.1.247
+	A	10.0.1.248
+	A	10.0.1.249
+	A	10.0.1.250
+	A	10.0.1.251
+	A	10.0.1.252
+	A	10.0.1.253
+	A	10.0.1.254
+	A	10.0.1.255
+	A	10.0.2.0
+	A	10.0.2.1
+	A	10.0.2.2
+	A	10.0.2.3
+	A	10.0.2.4
+	A	10.0.2.5
+	A	10.0.2.6
+	A	10.0.2.7
+	A	10.0.2.8
+	A	10.0.2.9
+	A	10.0.2.10
+	A	10.0.2.11
+	A	10.0.2.12
+	A	10.0.2.13
+	A	10.0.2.14
+	A	10.0.2.15
+	A	10.0.2.16
+	A	10.0.2.17
+	A	10.0.2.18
+	A	10.0.2.19
+	A	10.0.2.20
+	A	10.0.2.21
+	A	10.0.2.22
+	A	10.0.2.23
+	A	10.0.2.24
+	A	10.0.2.25
+	A	10.0.2.26
+	A	10.0.2.27
+	A	10.0.2.28
+	A	10.0.2.29
+	A	10.0.2.30
+	A	10.0.2.31
+	A	10.0.2.32
+	A	10.0.2.33
+	A	10.0.2.34
+	A	10.0.2.35
+	A	10.0.2.36
+	A	10.0.2.37
+	A	10.0.2.38
+	A	10.0.2.39
+	A	10.0.2.40
+	A	10.0.2.41
+	A	10.0.2.42
+	A	10.0.2.43
+	A	10.0.2.44
+	A	10.0.2.45
+	A	10.0.2.46
+	A	10.0.2.47
+	A	10.0.2.48
+	A	10.0.2.49
+	A	10.0.2.50
+	A	10.0.2.51
+	A	10.0.2.52
+	A	10.0.2.53
+	A	10.0.2.54
+	A	10.0.2.55
+	A	10.0.2.56
+	A	10.0.2.57
+	A	10.0.2.58
+	A	10.0.2.59
+	A	10.0.2.60
+	A	10.0.2.61
+	A	10.0.2.62
+	A	10.0.2.63
+	A	10.0.2.64
+	A	10.0.2.65
+	A	10.0.2.66
+	A	10.0.2.67
+	A	10.0.2.68
+	A	10.0.2.69
+	A	10.0.2.70
+	A	10.0.2.71
+	A	10.0.2.72
+	A	10.0.2.73
+	A	10.0.2.74
+	A	10.0.2.75
+	A	10.0.2.76
+	A	10.0.2.77
+	A	10.0.2.78
+	A	10.0.2.79
+	A	10.0.2.80
+	A	10.0.2.81
+	A	10.0.2.82
+	A	10.0.2.83
+	A	10.0.2.84
+	A	10.0.2.85
+	A	10.0.2.86
+	A	10.0.2.87
+	A	10.0.2.88
+	A	10.0.2.89
+	A	10.0.2.90
+	A	10.0.2.91
+	A	10.0.2.92
+	A	10.0.2.93
+	A	10.0.2.94
+	A	10.0.2.95
+	A	10.0.2.96
+	A	10.0.2.97
+	A	10.0.2.98
+	A	10.0.2.99
+	A	10.0.2.100
+	A	10.0.2.101
+	A	10.0.2.102
+	A	10.0.2.103
+	A	10.0.2.104
+	A	10.0.2.105
+	A	10.0.2.106
+	A	10.0.2.107
+	A	10.0.2.108
+	A	10.0.2.109
+	A	10.0.2.110
+	A	10.0.2.111
+	A	10.0.2.112
+	A	10.0.2.113
+	A	10.0.2.114
+	A	10.0.2.115
+	A	10.0.2.116
+	A	10.0.2.117
+	A	10.0.2.118
+	A	10.0.2.119
+	A	10.0.2.120
+	A	10.0.2.121
+	A	10.0.2.122
+	A	10.0.2.123
+	A	10.0.2.124
+	A	10.0.2.125
+	A	10.0.2.126
+	A	10.0.2.127
+	A	10.0.2.128
+	A	10.0.2.129
+	A	10.0.2.130
+	A	10.0.2.131
+	A	10.0.2.132
+	A	10.0.2.133
+	A	10.0.2.134
+	A	10.0.2.135
+	A	10.0.2.136
+	A	10.0.2.137
+	A	10.0.2.138
+	A	10.0.2.139
+	A	10.0.2.140
+	A	10.0.2.141
+	A	10.0.2.142
+	A	10.0.2.143
+	A	10.0.2.144
+	A	10.0.2.145
+	A	10.0.2.146
+	A	10.0.2.147
+	A	10.0.2.148
+	A	10.0.2.149
+	A	10.0.2.150
+	A	10.0.2.151
+	A	10.0.2.152
+	A	10.0.2.153
+	A	10.0.2.154
+	A	10.0.2.155
+	A	10.0.2.156
+	A	10.0.2.157
+	A	10.0.2.158
+	A	10.0.2.159
+	A	10.0.2.160
+	A	10.0.2.161
+	A	10.0.2.162
+	A	10.0.2.163
+	A	10.0.2.164
+	A	10.0.2.165
+	A	10.0.2.166
+	A	10.0.2.167
+	A	10.0.2.168
+	A	10.0.2.169
+	A	10.0.2.170
+	A	10.0.2.171
+	A	10.0.2.172
+	A	10.0.2.173
+	A	10.0.2.174
+	A	10.0.2.175
+	A	10.0.2.176
+	A	10.0.2.177
+	A	10.0.2.178
+	A	10.0.2.179
+	A	10.0.2.180
+	A	10.0.2.181
+	A	10.0.2.182
+	A	10.0.2.183
+	A	10.0.2.184
+	A	10.0.2.185
+	A	10.0.2.186
+	A	10.0.2.187
+	A	10.0.2.188
+	A	10.0.2.189
+	A	10.0.2.190
+	A	10.0.2.191
+	A	10.0.2.192
+	A	10.0.2.193
+	A	10.0.2.194
+	A	10.0.2.195
+	A	10.0.2.196
+	A	10.0.2.197
+	A	10.0.2.198
+	A	10.0.2.199
+	A	10.0.2.200
+	A	10.0.2.201
+	A	10.0.2.202
+	A	10.0.2.203
+	A	10.0.2.204
+	A	10.0.2.205
+	A	10.0.2.206
+	A	10.0.2.207
+	A	10.0.2.208
+	A	10.0.2.209
+	A	10.0.2.210
+	A	10.0.2.211
+	A	10.0.2.212
+	A	10.0.2.213
+	A	10.0.2.214
+	A	10.0.2.215
+	A	10.0.2.216
+	A	10.0.2.217
+	A	10.0.2.218
+	A	10.0.2.219
+	A	10.0.2.220
+	A	10.0.2.221
+	A	10.0.2.222
+	A	10.0.2.223
+	A	10.0.2.224
+	A	10.0.2.225
+	A	10.0.2.226
+	A	10.0.2.227
+	A	10.0.2.228
+	A	10.0.2.229
+	A	10.0.2.230
+	A	10.0.2.231
+	A	10.0.2.232
+	A	10.0.2.233
+	A	10.0.2.234
+	A	10.0.2.235
+	A	10.0.2.236
+	A	10.0.2.237
+	A	10.0.2.238
+	A	10.0.2.239
+	A	10.0.2.240
+	A	10.0.2.241
+	A	10.0.2.242
+	A	10.0.2.243
+	A	10.0.2.244
+	A	10.0.2.245
+	A	10.0.2.246
+	A	10.0.2.247
+	A	10.0.2.248
+	A	10.0.2.249
+	A	10.0.2.250
+	A	10.0.2.251
+	A	10.0.2.252
+	A	10.0.2.253
+	A	10.0.2.254
+	A	10.0.2.255
+	A	10.0.3.0
+	A	10.0.3.1
+	A	10.0.3.2
+	A	10.0.3.3
+	A	10.0.3.4
+	A	10.0.3.5
+	A	10.0.3.6
+	A	10.0.3.7
+	A	10.0.3.8
+	A	10.0.3.9
+	A	10.0.3.10
+	A	10.0.3.11
+	A	10.0.3.12
+	A	10.0.3.13
+	A	10.0.3.14
+	A	10.0.3.15
+	A	10.0.3.16
+	A	10.0.3.17
+	A	10.0.3.18
+	A	10.0.3.19
+	A	10.0.3.20
+	A	10.0.3.21
+	A	10.0.3.22
+	A	10.0.3.23
+	A	10.0.3.24
+	A	10.0.3.25
+	A	10.0.3.26
+	A	10.0.3.27
+	A	10.0.3.28
+	A	10.0.3.29
+	A	10.0.3.30
+	A	10.0.3.31
+	A	10.0.3.32
+	A	10.0.3.33
+	A	10.0.3.34
+	A	10.0.3.35
+	A	10.0.3.36
+	A	10.0.3.37
+	A	10.0.3.38
+	A	10.0.3.39
+	A	10.0.3.40
+	A	10.0.3.41
+	A	10.0.3.42
+	A	10.0.3.43
+	A	10.0.3.44
+	A	10.0.3.45
+	A	10.0.3.46
+	A	10.0.3.47
+	A	10.0.3.48
+	A	10.0.3.49
+	A	10.0.3.50
+	A	10.0.3.51
+	A	10.0.3.52
+	A	10.0.3.53
+	A	10.0.3.54
+	A	10.0.3.55
+	A	10.0.3.56
+	A	10.0.3.57
+	A	10.0.3.58
+	A	10.0.3.59
+	A	10.0.3.60
+	A	10.0.3.61
+	A	10.0.3.62
+	A	10.0.3.63
+	A	10.0.3.64
+	A	10.0.3.65
+	A	10.0.3.66
+	A	10.0.3.67
+	A	10.0.3.68
+	A	10.0.3.69
+	A	10.0.3.70
+	A	10.0.3.71
+	A	10.0.3.72
+	A	10.0.3.73
+	A	10.0.3.74
+	A	10.0.3.75
+	A	10.0.3.76
+	A	10.0.3.77
+	A	10.0.3.78
+	A	10.0.3.79
+	A	10.0.3.80
+	A	10.0.3.81
+	A	10.0.3.82
+	A	10.0.3.83
+	A	10.0.3.84
+	A	10.0.3.85
+	A	10.0.3.86
+	A	10.0.3.87
+	A	10.0.3.88
+	A	10.0.3.89
+	A	10.0.3.90
+	A	10.0.3.91
+	A	10.0.3.92
+	A	10.0.3.93
+	A	10.0.3.94
+	A	10.0.3.95
+	A	10.0.3.96
+	A	10.0.3.97
+	A	10.0.3.98
+	A	10.0.3.99
+	A	10.0.3.100
+	A	10.0.3.101
+	A	10.0.3.102
+	A	10.0.3.103
+	A	10.0.3.104
+	A	10.0.3.105
+	A	10.0.3.106
+	A	10.0.3.107
+	A	10.0.3.108
+	A	10.0.3.109
+	A	10.0.3.110
+	A	10.0.3.111
+	A	10.0.3.112
+	A	10.0.3.113
+	A	10.0.3.114
+	A	10.0.3.115
+	A	10.0.3.116
+	A	10.0.3.117
+	A	10.0.3.118
+	A	10.0.3.119
+	A	10.0.3.120
+	A	10.0.3.121
+	A	10.0.3.122
+	A	10.0.3.123
+	A	10.0.3.124
+	A	10.0.3.125
+	A	10.0.3.126
+	A	10.0.3.127
+	A	10.0.3.128
+	A	10.0.3.129
+	A	10.0.3.130
+	A	10.0.3.131
+	A	10.0.3.132
+	A	10.0.3.133
+	A	10.0.3.134
+	A	10.0.3.135
+	A	10.0.3.136
+	A	10.0.3.137
+	A	10.0.3.138
+	A	10.0.3.139
+	A	10.0.3.140
+	A	10.0.3.141
+	A	10.0.3.142
+	A	10.0.3.143
+	A	10.0.3.144
+	A	10.0.3.145
+	A	10.0.3.146
+	A	10.0.3.147
+	A	10.0.3.148
+	A	10.0.3.149
+	A	10.0.3.150
+	A	10.0.3.151
+	A	10.0.3.152
+	A	10.0.3.153
+	A	10.0.3.154
+	A	10.0.3.155
+	A	10.0.3.156
+	A	10.0.3.157
+	A	10.0.3.158
+	A	10.0.3.159
+	A	10.0.3.160
+	A	10.0.3.161
+	A	10.0.3.162
+	A	10.0.3.163
+	A	10.0.3.164
+	A	10.0.3.165
+	A	10.0.3.166
+	A	10.0.3.167
+	A	10.0.3.168
+	A	10.0.3.169
+	A	10.0.3.170
+	A	10.0.3.171
+	A	10.0.3.172
+	A	10.0.3.173
+	A	10.0.3.174
+	A	10.0.3.175
+	A	10.0.3.176
+	A	10.0.3.177
+	A	10.0.3.178
+	A	10.0.3.179
+	A	10.0.3.180
+	A	10.0.3.181
+	A	10.0.3.182
+	A	10.0.3.183
+	A	10.0.3.184
+	A	10.0.3.185
+	A	10.0.3.186
+	A	10.0.3.187
+	A	10.0.3.188
+	A	10.0.3.189
+	A	10.0.3.190
+	A	10.0.3.191
+	A	10.0.3.192
+	A	10.0.3.193
+	A	10.0.3.194
+	A	10.0.3.195
+	A	10.0.3.196
+	A	10.0.3.197
+	A	10.0.3.198
+	A	10.0.3.199
+	A	10.0.3.200
+	A	10.0.3.201
+	A	10.0.3.202
+	A	10.0.3.203
+	A	10.0.3.204
+	A	10.0.3.205
+	A	10.0.3.206
+	A	10.0.3.207
+	A	10.0.3.208
+	A	10.0.3.209
+	A	10.0.3.210
+	A	10.0.3.211
+	A	10.0.3.212
+	A	10.0.3.213
+	A	10.0.3.214
+	A	10.0.3.215
+	A	10.0.3.216
+	A	10.0.3.217
+	A	10.0.3.218
+	A	10.0.3.219
+	A	10.0.3.220
+	A	10.0.3.221
+	A	10.0.3.222
+	A	10.0.3.223
+	A	10.0.3.224
+	A	10.0.3.225
+	A	10.0.3.226
+	A	10.0.3.227
+	A	10.0.3.228
+	A	10.0.3.229
+	A	10.0.3.230
+	A	10.0.3.231
+	A	10.0.3.232
+	A	10.0.3.233
+	A	10.0.3.234
+	A	10.0.3.235
+	A	10.0.3.236
+	A	10.0.3.237
+	A	10.0.3.238
+	A	10.0.3.239
+	A	10.0.3.240
+	A	10.0.3.241
+	A	10.0.3.242
+	A	10.0.3.243
+	A	10.0.3.244
+	A	10.0.3.245
+	A	10.0.3.246
+	A	10.0.3.247
+	A	10.0.3.248
+	A	10.0.3.249
+	A	10.0.3.250
+	A	10.0.3.251
+	A	10.0.3.252
+	A	10.0.3.253
+	A	10.0.3.254
+	A	10.0.3.255
+	A	10.0.4.0
+	A	10.0.4.1
+	A	10.0.4.2
+	A	10.0.4.3
+	A	10.0.4.4
+	A	10.0.4.5
+	A	10.0.4.6
+	A	10.0.4.7
+	A	10.0.4.8
+	A	10.0.4.9
+	A	10.0.4.10
+	A	10.0.4.11
+	A	10.0.4.12
+	A	10.0.4.13
+	A	10.0.4.14
+	A	10.0.4.15
+	A	10.0.4.16
+	A	10.0.4.17
+	A	10.0.4.18
+	A	10.0.4.19
+	A	10.0.4.20
+	A	10.0.4.21
+	A	10.0.4.22
+	A	10.0.4.23
+	A	10.0.4.24
+	A	10.0.4.25
+	A	10.0.4.26
+	A	10.0.4.27
+	A	10.0.4.28
+	A	10.0.4.29
+	A	10.0.4.30
+	A	10.0.4.31
+	A	10.0.4.32
+	A	10.0.4.33
+	A	10.0.4.34
+	A	10.0.4.35
+	A	10.0.4.36
+	A	10.0.4.37
+	A	10.0.4.38
+	A	10.0.4.39
+	A	10.0.4.40
+	A	10.0.4.41
+	A	10.0.4.42
+	A	10.0.4.43
+	A	10.0.4.44
+	A	10.0.4.45
+	A	10.0.4.46
+	A	10.0.4.47
+	A	10.0.4.48
+	A	10.0.4.49
+	A	10.0.4.50
+	A	10.0.4.51
+	A	10.0.4.52
+	A	10.0.4.53
+	A	10.0.4.54
+	A	10.0.4.55
+	A	10.0.4.56
+	A	10.0.4.57
+	A	10.0.4.58
+	A	10.0.4.59
+	A	10.0.4.60
+	A	10.0.4.61
+	A	10.0.4.62
+	A	10.0.4.63
+	A	10.0.4.64
+	A	10.0.4.65
+	A	10.0.4.66
+	A	10.0.4.67
+	A	10.0.4.68
+	A	10.0.4.69
+	A	10.0.4.70
+	A	10.0.4.71
+	A	10.0.4.72
+	A	10.0.4.73
+	A	10.0.4.74
+	A	10.0.4.75
+	A	10.0.4.76
+	A	10.0.4.77
+	A	10.0.4.78
+	A	10.0.4.79
+	A	10.0.4.80
+	A	10.0.4.81
+	A	10.0.4.82
+	A	10.0.4.83
+	A	10.0.4.84
+	A	10.0.4.85
+	A	10.0.4.86
+	A	10.0.4.87
+	A	10.0.4.88
+	A	10.0.4.89
+	A	10.0.4.90
+	A	10.0.4.91
+	A	10.0.4.92
+	A	10.0.4.93
+	A	10.0.4.94
+	A	10.0.4.95
+	A	10.0.4.96
+	A	10.0.4.97
+	A	10.0.4.98
+	A	10.0.4.99
+	A	10.0.4.100
+	A	10.0.4.101
+	A	10.0.4.102
+	A	10.0.4.103
+	A	10.0.4.104
+	A	10.0.4.105
+	A	10.0.4.106
+	A	10.0.4.107
+	A	10.0.4.108
+	A	10.0.4.109
+	A	10.0.4.110
+	A	10.0.4.111
+	A	10.0.4.112
+	A	10.0.4.113
+	A	10.0.4.114
+	A	10.0.4.115
+	A	10.0.4.116
+	A	10.0.4.117
+	A	10.0.4.118
+	A	10.0.4.119
+	A	10.0.4.120
+	A	10.0.4.121
+	A	10.0.4.122
+	A	10.0.4.123
+	A	10.0.4.124
+	A	10.0.4.125
+	A	10.0.4.126
+	A	10.0.4.127
+	A	10.0.4.128
+	A	10.0.4.129
+	A	10.0.4.130
+	A	10.0.4.131
+	A	10.0.4.132
+	A	10.0.4.133
+	A	10.0.4.134
+	A	10.0.4.135
+	A	10.0.4.136
+	A	10.0.4.137
+	A	10.0.4.138
+	A	10.0.4.139
+	A	10.0.4.140
+	A	10.0.4.141
+	A	10.0.4.142
+	A	10.0.4.143
+	A	10.0.4.144
+	A	10.0.4.145
+	A	10.0.4.146
+	A	10.0.4.147
+	A	10.0.4.148
+	A	10.0.4.149
+	A	10.0.4.150
+	A	10.0.4.151
+	A	10.0.4.152
+	A	10.0.4.153
+	A	10.0.4.154
+	A	10.0.4.155
+	A	10.0.4.156
+	A	10.0.4.157
+	A	10.0.4.158
+	A	10.0.4.159
+	A	10.0.4.160
+	A	10.0.4.161
+	A	10.0.4.162
+	A	10.0.4.163
+	A	10.0.4.164
+	A	10.0.4.165
+	A	10.0.4.166
+	A	10.0.4.167
+	A	10.0.4.168
+	A	10.0.4.169
+	A	10.0.4.170
+	A	10.0.4.171
+	A	10.0.4.172
+	A	10.0.4.173
+	A	10.0.4.174
+	A	10.0.4.175
+	A	10.0.4.176
+	A	10.0.4.177
+	A	10.0.4.178
+	A	10.0.4.179
+	A	10.0.4.180
+	A	10.0.4.181
+	A	10.0.4.182
+	A	10.0.4.183
+	A	10.0.4.184
+	A	10.0.4.185
+	A	10.0.4.186
+	A	10.0.4.187
+	A	10.0.4.188
+	A	10.0.4.189
+	A	10.0.4.190
+	A	10.0.4.191
+	A	10.0.4.192
+	A	10.0.4.193
+	A	10.0.4.194
+	A	10.0.4.195
+	A	10.0.4.196
+	A	10.0.4.197
+	A	10.0.4.198
+	A	10.0.4.199
+	A	10.0.4.200
+	A	10.0.4.201
+	A	10.0.4.202
+	A	10.0.4.203
+	A	10.0.4.204
+	A	10.0.4.205
+	A	10.0.4.206
+	A	10.0.4.207
+	A	10.0.4.208
+	A	10.0.4.209
+	A	10.0.4.210
+	A	10.0.4.211
+	A	10.0.4.212
+	A	10.0.4.213
+	A	10.0.4.214
+	A	10.0.4.215
+	A	10.0.4.216
+	A	10.0.4.217
+	A	10.0.4.218
+	A	10.0.4.219
+	A	10.0.4.220
+	A	10.0.4.221
+	A	10.0.4.222
+	A	10.0.4.223
+	A	10.0.4.224
+	A	10.0.4.225
+	A	10.0.4.226
+	A	10.0.4.227
+	A	10.0.4.228
+	A	10.0.4.229
+	A	10.0.4.230
+	A	10.0.4.231
+	A	10.0.4.232
+	A	10.0.4.233
+	A	10.0.4.234
+	A	10.0.4.235
+	A	10.0.4.236
+	A	10.0.4.237
+	A	10.0.4.238
+	A	10.0.4.239
+	A	10.0.4.240
+	A	10.0.4.241
+	A	10.0.4.242
+	A	10.0.4.243
+	A	10.0.4.244
+	A	10.0.4.245
+	A	10.0.4.246
+	A	10.0.4.247
+	A	10.0.4.248
+	A	10.0.4.249
+	A	10.0.4.250
+	A	10.0.4.251
+	A	10.0.4.252
+	A	10.0.4.253
+	A	10.0.4.254
+	A	10.0.4.255
+	A	10.0.5.0
+	A	10.0.5.1
+	A	10.0.5.2
+	A	10.0.5.3
+	A	10.0.5.4
+	A	10.0.5.5
+	A	10.0.5.6
+	A	10.0.5.7
+	A	10.0.5.8
+	A	10.0.5.9
+	A	10.0.5.10
+	A	10.0.5.11
+	A	10.0.5.12
+	A	10.0.5.13
+	A	10.0.5.14
+	A	10.0.5.15
+	A	10.0.5.16
+	A	10.0.5.17
+	A	10.0.5.18
+	A	10.0.5.19
+	A	10.0.5.20
+	A	10.0.5.21
+	A	10.0.5.22
+	A	10.0.5.23
+	A	10.0.5.24
+	A	10.0.5.25
+	A	10.0.5.26
+	A	10.0.5.27
+	A	10.0.5.28
+	A	10.0.5.29
+	A	10.0.5.30
+	A	10.0.5.31
+	A	10.0.5.32
+	A	10.0.5.33
+	A	10.0.5.34
+	A	10.0.5.35
+	A	10.0.5.36
+	A	10.0.5.37
+	A	10.0.5.38
+	A	10.0.5.39
+	A	10.0.5.40
+	A	10.0.5.41
+	A	10.0.5.42
+	A	10.0.5.43
+	A	10.0.5.44
+	A	10.0.5.45
+	A	10.0.5.46
+	A	10.0.5.47
+	A	10.0.5.48
+	A	10.0.5.49
+	A	10.0.5.50
+	A	10.0.5.51
+	A	10.0.5.52
+	A	10.0.5.53
+	A	10.0.5.54
+	A	10.0.5.55
+	A	10.0.5.56
+	A	10.0.5.57
+	A	10.0.5.58
+	A	10.0.5.59
+	A	10.0.5.60
+	A	10.0.5.61
+	A	10.0.5.62
+	A	10.0.5.63
+	A	10.0.5.64
+	A	10.0.5.65
+	A	10.0.5.66
+	A	10.0.5.67
+	A	10.0.5.68
+	A	10.0.5.69
+	A	10.0.5.70
+	A	10.0.5.71
+	A	10.0.5.72
+	A	10.0.5.73
+	A	10.0.5.74
+	A	10.0.5.75
+	A	10.0.5.76
+	A	10.0.5.77
+	A	10.0.5.78
+	A	10.0.5.79
+	A	10.0.5.80
+	A	10.0.5.81
+	A	10.0.5.82
+	A	10.0.5.83
+	A	10.0.5.84
+	A	10.0.5.85
+	A	10.0.5.86
+	A	10.0.5.87
+	A	10.0.5.88
+	A	10.0.5.89
+	A	10.0.5.90
+	A	10.0.5.91
+	A	10.0.5.92
+	A	10.0.5.93
+	A	10.0.5.94
+	A	10.0.5.95
+	A	10.0.5.96
+	A	10.0.5.97
+	A	10.0.5.98
+	A	10.0.5.99
+	A	10.0.5.100
+	A	10.0.5.101
+	A	10.0.5.102
+	A	10.0.5.103
+	A	10.0.5.104
+	A	10.0.5.105
+	A	10.0.5.106
+	A	10.0.5.107
+	A	10.0.5.108
+	A	10.0.5.109
+	A	10.0.5.110
+	A	10.0.5.111
+	A	10.0.5.112
+	A	10.0.5.113
+	A	10.0.5.114
+	A	10.0.5.115
+	A	10.0.5.116
+	A	10.0.5.117
+	A	10.0.5.118
+	A	10.0.5.119
+	A	10.0.5.120
+	A	10.0.5.121
+	A	10.0.5.122
+	A	10.0.5.123
+	A	10.0.5.124
+	A	10.0.5.125
+	A	10.0.5.126
+	A	10.0.5.127
+	A	10.0.5.128
+	A	10.0.5.129
+	A	10.0.5.130
+	A	10.0.5.131
+	A	10.0.5.132
+	A	10.0.5.133
+	A	10.0.5.134
+	A	10.0.5.135
+	A	10.0.5.136
+	A	10.0.5.137
+	A	10.0.5.138
+	A	10.0.5.139
+	A	10.0.5.140
+	A	10.0.5.141
+	A	10.0.5.142
+	A	10.0.5.143
+	A	10.0.5.144
+	A	10.0.5.145
+	A	10.0.5.146
+	A	10.0.5.147
+	A	10.0.5.148
+	A	10.0.5.149
+	A	10.0.5.150
+	A	10.0.5.151
+	A	10.0.5.152
+	A	10.0.5.153
+	A	10.0.5.154
+	A	10.0.5.155
+	A	10.0.5.156
+	A	10.0.5.157
+	A	10.0.5.158
+	A	10.0.5.159
+	A	10.0.5.160
+	A	10.0.5.161
+	A	10.0.5.162
+	A	10.0.5.163
+	A	10.0.5.164
+	A	10.0.5.165
+	A	10.0.5.166
+	A	10.0.5.167
+	A	10.0.5.168
+	A	10.0.5.169
+	A	10.0.5.170
+	A	10.0.5.171
+	A	10.0.5.172
+	A	10.0.5.173
+	A	10.0.5.174
+	A	10.0.5.175
+	A	10.0.5.176
+	A	10.0.5.177
+	A	10.0.5.178
+	A	10.0.5.179
+	A	10.0.5.180
+	A	10.0.5.181
+	A	10.0.5.182
+	A	10.0.5.183
+	A	10.0.5.184
+	A	10.0.5.185
+	A	10.0.5.186
+	A	10.0.5.187
+	A	10.0.5.188
+	A	10.0.5.189
+	A	10.0.5.190
+	A	10.0.5.191
+	A	10.0.5.192
+	A	10.0.5.193
+	A	10.0.5.194
+	A	10.0.5.195
+	A	10.0.5.196
+	A	10.0.5.197
+	A	10.0.5.198
+	A	10.0.5.199
+	A	10.0.5.200
+	A	10.0.5.201
+	A	10.0.5.202
+	A	10.0.5.203
+	A	10.0.5.204
+	A	10.0.5.205
+	A	10.0.5.206
+	A	10.0.5.207
+	A	10.0.5.208
+	A	10.0.5.209
+	A	10.0.5.210
+	A	10.0.5.211
+	A	10.0.5.212
+	A	10.0.5.213
+	A	10.0.5.214
+	A	10.0.5.215
+	A	10.0.5.216
+	A	10.0.5.217
+	A	10.0.5.218
+	A	10.0.5.219
+	A	10.0.5.220
+	A	10.0.5.221
+	A	10.0.5.222
+	A	10.0.5.223
+	A	10.0.5.224
+	A	10.0.5.225
+	A	10.0.5.226
+	A	10.0.5.227
+	A	10.0.5.228
+	A	10.0.5.229
+	A	10.0.5.230
+	A	10.0.5.231
+	A	10.0.5.232
+	A	10.0.5.233
+	A	10.0.5.234
+	A	10.0.5.235
+	A	10.0.5.236
+	A	10.0.5.237
+	A	10.0.5.238
+	A	10.0.5.239
+	A	10.0.5.240
+	A	10.0.5.241
+	A	10.0.5.242
+	A	10.0.5.243
+	A	10.0.5.244
+	A	10.0.5.245
+	A	10.0.5.246
+	A	10.0.5.247
+	A	10.0.5.248
+	A	10.0.5.249
+	A	10.0.5.250
+	A	10.0.5.251
+	A	10.0.5.252
+	A	10.0.5.253
+	A	10.0.5.254
+	A	10.0.5.255
+	A	10.0.6.0
+	A	10.0.6.1
+	A	10.0.6.2
+	A	10.0.6.3
+	A	10.0.6.4
+	A	10.0.6.5
+	A	10.0.6.6
+	A	10.0.6.7
+	A	10.0.6.8
+	A	10.0.6.9
+	A	10.0.6.10
+	A	10.0.6.11
+	A	10.0.6.12
+	A	10.0.6.13
+	A	10.0.6.14
+	A	10.0.6.15
+	A	10.0.6.16
+	A	10.0.6.17
+	A	10.0.6.18
+	A	10.0.6.19
+	A	10.0.6.20
+	A	10.0.6.21
+	A	10.0.6.22
+	A	10.0.6.23
+	A	10.0.6.24
+	A	10.0.6.25
+	A	10.0.6.26
+	A	10.0.6.27
+	A	10.0.6.28
+	A	10.0.6.29
+	A	10.0.6.30
+	A	10.0.6.31
+	A	10.0.6.32
+	A	10.0.6.33
+	A	10.0.6.34
+	A	10.0.6.35
+	A	10.0.6.36
+	A	10.0.6.37
+	A	10.0.6.38
+	A	10.0.6.39
+	A	10.0.6.40
+	A	10.0.6.41
+	A	10.0.6.42
+	A	10.0.6.43
+	A	10.0.6.44
+	A	10.0.6.45
+	A	10.0.6.46
+	A	10.0.6.47
+	A	10.0.6.48
+	A	10.0.6.49
+	A	10.0.6.50
+	A	10.0.6.51
+	A	10.0.6.52
+	A	10.0.6.53
+	A	10.0.6.54
+	A	10.0.6.55
+	A	10.0.6.56
+	A	10.0.6.57
+	A	10.0.6.58
+	A	10.0.6.59
+	A	10.0.6.60
+	A	10.0.6.61
+	A	10.0.6.62
+	A	10.0.6.63
+	A	10.0.6.64
+	A	10.0.6.65
+	A	10.0.6.66
+	A	10.0.6.67
+	A	10.0.6.68
+	A	10.0.6.69
+	A	10.0.6.70
+	A	10.0.6.71
+	A	10.0.6.72
+	A	10.0.6.73
+	A	10.0.6.74
+	A	10.0.6.75
+	A	10.0.6.76
+	A	10.0.6.77
+	A	10.0.6.78
+	A	10.0.6.79
+	A	10.0.6.80
+	A	10.0.6.81
+	A	10.0.6.82
+	A	10.0.6.83
+	A	10.0.6.84
+	A	10.0.6.85
+	A	10.0.6.86
+	A	10.0.6.87
+	A	10.0.6.88
+	A	10.0.6.89
+	A	10.0.6.90
+	A	10.0.6.91
+	A	10.0.6.92
+	A	10.0.6.93
+	A	10.0.6.94
+	A	10.0.6.95
+	A	10.0.6.96
+	A	10.0.6.97
+	A	10.0.6.98
+	A	10.0.6.99
+	A	10.0.6.100
+	A	10.0.6.101
+	A	10.0.6.102
+	A	10.0.6.103
+	A	10.0.6.104
+	A	10.0.6.105
+	A	10.0.6.106
+	A	10.0.6.107
+	A	10.0.6.108
+	A	10.0.6.109
+	A	10.0.6.110
+	A	10.0.6.111
+	A	10.0.6.112
+	A	10.0.6.113
+	A	10.0.6.114
+	A	10.0.6.115
+	A	10.0.6.116
+	A	10.0.6.117
+	A	10.0.6.118
+	A	10.0.6.119
+	A	10.0.6.120
+	A	10.0.6.121
+	A	10.0.6.122
+	A	10.0.6.123
+	A	10.0.6.124
+	A	10.0.6.125
+	A	10.0.6.126
+	A	10.0.6.127
+	A	10.0.6.128
+	A	10.0.6.129
+	A	10.0.6.130
+	A	10.0.6.131
+	A	10.0.6.132
+	A	10.0.6.133
+	A	10.0.6.134
+	A	10.0.6.135
+	A	10.0.6.136
+	A	10.0.6.137
+	A	10.0.6.138
+	A	10.0.6.139
+	A	10.0.6.140
+	A	10.0.6.141
+	A	10.0.6.142
+	A	10.0.6.143
+	A	10.0.6.144
+	A	10.0.6.145
+	A	10.0.6.146
+	A	10.0.6.147
+	A	10.0.6.148
+	A	10.0.6.149
+	A	10.0.6.150
+	A	10.0.6.151
+	A	10.0.6.152
+	A	10.0.6.153
+	A	10.0.6.154
+	A	10.0.6.155
+	A	10.0.6.156
+	A	10.0.6.157
+	A	10.0.6.158
+	A	10.0.6.159
+	A	10.0.6.160
+	A	10.0.6.161
+	A	10.0.6.162
+	A	10.0.6.163
+	A	10.0.6.164
+	A	10.0.6.165
+	A	10.0.6.166
+	A	10.0.6.167
+	A	10.0.6.168
+	A	10.0.6.169
+	A	10.0.6.170
+	A	10.0.6.171
+	A	10.0.6.172
+	A	10.0.6.173
+	A	10.0.6.174
+	A	10.0.6.175
+	A	10.0.6.176
+	A	10.0.6.177
+	A	10.0.6.178
+	A	10.0.6.179
+	A	10.0.6.180
+	A	10.0.6.181
+	A	10.0.6.182
+	A	10.0.6.183
+	A	10.0.6.184
+	A	10.0.6.185
+	A	10.0.6.186
+	A	10.0.6.187
+	A	10.0.6.188
+	A	10.0.6.189
+	A	10.0.6.190
+	A	10.0.6.191
+	A	10.0.6.192
+	A	10.0.6.193
+	A	10.0.6.194
+	A	10.0.6.195
+	A	10.0.6.196
+	A	10.0.6.197
+	A	10.0.6.198
+	A	10.0.6.199
+	A	10.0.6.200
+	A	10.0.6.201
+	A	10.0.6.202
+	A	10.0.6.203
+	A	10.0.6.204
+	A	10.0.6.205
+	A	10.0.6.206
+	A	10.0.6.207
+	A	10.0.6.208
+	A	10.0.6.209
+	A	10.0.6.210
+	A	10.0.6.211
+	A	10.0.6.212
+	A	10.0.6.213
+	A	10.0.6.214
+	A	10.0.6.215
+	A	10.0.6.216
+	A	10.0.6.217
+	A	10.0.6.218
+	A	10.0.6.219
+	A	10.0.6.220
+	A	10.0.6.221
+	A	10.0.6.222
+	A	10.0.6.223
+	A	10.0.6.224
+	A	10.0.6.225
+	A	10.0.6.226
+	A	10.0.6.227
+	A	10.0.6.228
+	A	10.0.6.229
+	A	10.0.6.230
+	A	10.0.6.231
+	A	10.0.6.232
+	A	10.0.6.233
+	A	10.0.6.234
+	A	10.0.6.235
+	A	10.0.6.236
+	A	10.0.6.237
+	A	10.0.6.238
+	A	10.0.6.239
+	A	10.0.6.240
+	A	10.0.6.241
+	A	10.0.6.242
+	A	10.0.6.243
+	A	10.0.6.244
+	A	10.0.6.245
+	A	10.0.6.246
+	A	10.0.6.247
+	A	10.0.6.248
+	A	10.0.6.249
+	A	10.0.6.250
+	A	10.0.6.251
+	A	10.0.6.252
+	A	10.0.6.253
+	A	10.0.6.254
+	A	10.0.6.255
+	A	10.0.7.0
+	A	10.0.7.1
+	A	10.0.7.2
+	A	10.0.7.3
+	A	10.0.7.4
+	A	10.0.7.5
+	A	10.0.7.6
+	A	10.0.7.7
+	A	10.0.7.8
+	A	10.0.7.9
+	A	10.0.7.10
+	A	10.0.7.11
+	A	10.0.7.12
+	A	10.0.7.13
+	A	10.0.7.14
+	A	10.0.7.15
+	A	10.0.7.16
+	A	10.0.7.17
+	A	10.0.7.18
+	A	10.0.7.19
+	A	10.0.7.20
+	A	10.0.7.21
+	A	10.0.7.22
+	A	10.0.7.23
+	A	10.0.7.24
+	A	10.0.7.25
+	A	10.0.7.26
+	A	10.0.7.27
+	A	10.0.7.28
+	A	10.0.7.29
+	A	10.0.7.30
+	A	10.0.7.31
+	A	10.0.7.32
+	A	10.0.7.33
+	A	10.0.7.34
+	A	10.0.7.35
+	A	10.0.7.36
+	A	10.0.7.37
+	A	10.0.7.38
+	A	10.0.7.39
+	A	10.0.7.40
+	A	10.0.7.41
+	A	10.0.7.42
+	A	10.0.7.43
+	A	10.0.7.44
+	A	10.0.7.45
+	A	10.0.7.46
+	A	10.0.7.47
+	A	10.0.7.48
+	A	10.0.7.49
+	A	10.0.7.50
+	A	10.0.7.51
+	A	10.0.7.52
+	A	10.0.7.53
+	A	10.0.7.54
+	A	10.0.7.55
+	A	10.0.7.56
+	A	10.0.7.57
+	A	10.0.7.58
+	A	10.0.7.59
+	A	10.0.7.60
+	A	10.0.7.61
+	A	10.0.7.62
+	A	10.0.7.63
+	A	10.0.7.64
+	A	10.0.7.65
+	A	10.0.7.66
+	A	10.0.7.67
+	A	10.0.7.68
+	A	10.0.7.69
+	A	10.0.7.70
+	A	10.0.7.71
+	A	10.0.7.72
+	A	10.0.7.73
+	A	10.0.7.74
+	A	10.0.7.75
+	A	10.0.7.76
+	A	10.0.7.77
+	A	10.0.7.78
+	A	10.0.7.79
+	A	10.0.7.80
+	A	10.0.7.81
+	A	10.0.7.82
+	A	10.0.7.83
+	A	10.0.7.84
+	A	10.0.7.85
+	A	10.0.7.86
+	A	10.0.7.87
+	A	10.0.7.88
+	A	10.0.7.89
+	A	10.0.7.90
+	A	10.0.7.91
+	A	10.0.7.92
+	A	10.0.7.93
+	A	10.0.7.94
+	A	10.0.7.95
+	A	10.0.7.96
+	A	10.0.7.97
+	A	10.0.7.98
+	A	10.0.7.99
+	A	10.0.7.100
+	A	10.0.7.101
+	A	10.0.7.102
+	A	10.0.7.103
+	A	10.0.7.104
+	A	10.0.7.105
+	A	10.0.7.106
+	A	10.0.7.107
+	A	10.0.7.108
+	A	10.0.7.109
+	A	10.0.7.110
+	A	10.0.7.111
+	A	10.0.7.112
+	A	10.0.7.113
+	A	10.0.7.114
+	A	10.0.7.115
+	A	10.0.7.116
+	A	10.0.7.117
+	A	10.0.7.118
+	A	10.0.7.119
+	A	10.0.7.120
+	A	10.0.7.121
+	A	10.0.7.122
+	A	10.0.7.123
+	A	10.0.7.124
+	A	10.0.7.125
+	A	10.0.7.126
+	A	10.0.7.127
+	A	10.0.7.128
+	A	10.0.7.129
+	A	10.0.7.130
+	A	10.0.7.131
+	A	10.0.7.132
+	A	10.0.7.133
+	A	10.0.7.134
+	A	10.0.7.135
+	A	10.0.7.136
+	A	10.0.7.137
+	A	10.0.7.138
+	A	10.0.7.139
+	A	10.0.7.140
+	A	10.0.7.141
+	A	10.0.7.142
+	A	10.0.7.143
+	A	10.0.7.144
+	A	10.0.7.145
+	A	10.0.7.146
+	A	10.0.7.147
+	A	10.0.7.148
+	A	10.0.7.149
+	A	10.0.7.150
+	A	10.0.7.151
+	A	10.0.7.152
+	A	10.0.7.153
+	A	10.0.7.154
+	A	10.0.7.155
+	A	10.0.7.156
+	A	10.0.7.157
+	A	10.0.7.158
+	A	10.0.7.159
+	A	10.0.7.160
+	A	10.0.7.161
+	A	10.0.7.162
+	A	10.0.7.163
+	A	10.0.7.164
+	A	10.0.7.165
+	A	10.0.7.166
+	A	10.0.7.167
+	A	10.0.7.168
+	A	10.0.7.169
+	A	10.0.7.170
+	A	10.0.7.171
+	A	10.0.7.172
+	A	10.0.7.173
+	A	10.0.7.174
+	A	10.0.7.175
+	A	10.0.7.176
+	A	10.0.7.177
+	A	10.0.7.178
+	A	10.0.7.179
+	A	10.0.7.180
+	A	10.0.7.181
+	A	10.0.7.182
+	A	10.0.7.183
+	A	10.0.7.184
+	A	10.0.7.185
+	A	10.0.7.186
+	A	10.0.7.187
+	A	10.0.7.188
+	A	10.0.7.189
+	A	10.0.7.190
+	A	10.0.7.191
+	A	10.0.7.192
+	A	10.0.7.193
+	A	10.0.7.194
+	A	10.0.7.195
+	A	10.0.7.196
+	A	10.0.7.197
+	A	10.0.7.198
+	A	10.0.7.199
+	A	10.0.7.200
+	A	10.0.7.201
+	A	10.0.7.202
+	A	10.0.7.203
+	A	10.0.7.204
+	A	10.0.7.205
+	A	10.0.7.206
+	A	10.0.7.207
+	A	10.0.7.208
+	A	10.0.7.209
+	A	10.0.7.210
+	A	10.0.7.211
+	A	10.0.7.212
+	A	10.0.7.213
+	A	10.0.7.214
+	A	10.0.7.215
+	A	10.0.7.216
+	A	10.0.7.217
+	A	10.0.7.218
+	A	10.0.7.219
+	A	10.0.7.220
+	A	10.0.7.221
+	A	10.0.7.222
+	A	10.0.7.223
+	A	10.0.7.224
+	A	10.0.7.225
+	A	10.0.7.226
+	A	10.0.7.227
+	A	10.0.7.228
+	A	10.0.7.229
+	A	10.0.7.230
+	A	10.0.7.231
+	A	10.0.7.232
+	A	10.0.7.233
+	A	10.0.7.234
+	A	10.0.7.235
+	A	10.0.7.236
+	A	10.0.7.237
+	A	10.0.7.238
+	A	10.0.7.239
+	A	10.0.7.240
+	A	10.0.7.241
+	A	10.0.7.242
+	A	10.0.7.243
+	A	10.0.7.244
+	A	10.0.7.245
+	A	10.0.7.246
+	A	10.0.7.247
+	A	10.0.7.248
+	A	10.0.7.249
+	A	10.0.7.250
+	A	10.0.7.251
+	A	10.0.7.252
+	A	10.0.7.253
+	A	10.0.7.254
+	A	10.0.7.255
+	A	10.0.8.0
+	A	10.0.8.1
+	A	10.0.8.2
+	A	10.0.8.3
+	A	10.0.8.4
+	A	10.0.8.5
+	A	10.0.8.6
+	A	10.0.8.7
+	A	10.0.8.8
+	A	10.0.8.9
+	A	10.0.8.10
+	A	10.0.8.11
+	A	10.0.8.12
+	A	10.0.8.13
+	A	10.0.8.14
+	A	10.0.8.15
+	A	10.0.8.16
+	A	10.0.8.17
+	A	10.0.8.18
+	A	10.0.8.19
+	A	10.0.8.20
+	A	10.0.8.21
+	A	10.0.8.22
+	A	10.0.8.23
+	A	10.0.8.24
+	A	10.0.8.25
+	A	10.0.8.26
+	A	10.0.8.27
+	A	10.0.8.28
+	A	10.0.8.29
+	A	10.0.8.30
+	A	10.0.8.31
+	A	10.0.8.32
+	A	10.0.8.33
+	A	10.0.8.34
+	A	10.0.8.35
+	A	10.0.8.36
+	A	10.0.8.37
+	A	10.0.8.38
+	A	10.0.8.39
+	A	10.0.8.40
+	A	10.0.8.41
+	A	10.0.8.42
+	A	10.0.8.43
+	A	10.0.8.44
+	A	10.0.8.45
+	A	10.0.8.46
+	A	10.0.8.47
+	A	10.0.8.48
+	A	10.0.8.49
+	A	10.0.8.50
+	A	10.0.8.51
+	A	10.0.8.52
+	A	10.0.8.53
+	A	10.0.8.54
+	A	10.0.8.55
+	A	10.0.8.56
+	A	10.0.8.57
+	A	10.0.8.58
+	A	10.0.8.59
+	A	10.0.8.60
+	A	10.0.8.61
+	A	10.0.8.62
+	A	10.0.8.63
+	A	10.0.8.64
+	A	10.0.8.65
+	A	10.0.8.66
+	A	10.0.8.67
+	A	10.0.8.68
+	A	10.0.8.69
+	A	10.0.8.70
+	A	10.0.8.71
+	A	10.0.8.72
+	A	10.0.8.73
+	A	10.0.8.74
+	A	10.0.8.75
+	A	10.0.8.76
+	A	10.0.8.77
+	A	10.0.8.78
+	A	10.0.8.79
+	A	10.0.8.80
+	A	10.0.8.81
+	A	10.0.8.82
+	A	10.0.8.83
+	A	10.0.8.84
+	A	10.0.8.85
+	A	10.0.8.86
+	A	10.0.8.87
+	A	10.0.8.88
+	A	10.0.8.89
+	A	10.0.8.90
+	A	10.0.8.91
+	A	10.0.8.92
+	A	10.0.8.93
+	A	10.0.8.94
+	A	10.0.8.95
+	A	10.0.8.96
+	A	10.0.8.97
+	A	10.0.8.98
+	A	10.0.8.99
+	A	10.0.8.100
+	A	10.0.8.101
+	A	10.0.8.102
+	A	10.0.8.103
+	A	10.0.8.104
+	A	10.0.8.105
+	A	10.0.8.106
+	A	10.0.8.107
+	A	10.0.8.108
+	A	10.0.8.109
+	A	10.0.8.110
+	A	10.0.8.111
+	A	10.0.8.112
+	A	10.0.8.113
+	A	10.0.8.114
+	A	10.0.8.115
+	A	10.0.8.116
+	A	10.0.8.117
+	A	10.0.8.118
+	A	10.0.8.119
+	A	10.0.8.120
+	A	10.0.8.121
+	A	10.0.8.122
+	A	10.0.8.123
+	A	10.0.8.124
+	A	10.0.8.125
+	A	10.0.8.126
+	A	10.0.8.127
+	A	10.0.8.128
+	A	10.0.8.129
+	A	10.0.8.130
+	A	10.0.8.131
+	A	10.0.8.132
+	A	10.0.8.133
+	A	10.0.8.134
+	A	10.0.8.135
+	A	10.0.8.136
+	A	10.0.8.137
+	A	10.0.8.138
+	A	10.0.8.139
+	A	10.0.8.140
+	A	10.0.8.141
+	A	10.0.8.142
+	A	10.0.8.143
+	A	10.0.8.144
+	A	10.0.8.145
+	A	10.0.8.146
+	A	10.0.8.147
+	A	10.0.8.148
+	A	10.0.8.149
+	A	10.0.8.150
+	A	10.0.8.151
+	A	10.0.8.152
+	A	10.0.8.153
+	A	10.0.8.154
+	A	10.0.8.155
+	A	10.0.8.156
+	A	10.0.8.157
+	A	10.0.8.158
+	A	10.0.8.159
+	A	10.0.8.160
+	A	10.0.8.161
+	A	10.0.8.162
+	A	10.0.8.163
+	A	10.0.8.164
+	A	10.0.8.165
+	A	10.0.8.166
+	A	10.0.8.167
+	A	10.0.8.168
+	A	10.0.8.169
+	A	10.0.8.170
+	A	10.0.8.171
+	A	10.0.8.172
+	A	10.0.8.173
+	A	10.0.8.174
+	A	10.0.8.175
+	A	10.0.8.176
+	A	10.0.8.177
+	A	10.0.8.178
+	A	10.0.8.179
+	A	10.0.8.180
+	A	10.0.8.181
+	A	10.0.8.182
+	A	10.0.8.183
+	A	10.0.8.184
+	A	10.0.8.185
+	A	10.0.8.186
+	A	10.0.8.187
+	A	10.0.8.188
+	A	10.0.8.189
+	A	10.0.8.190
+	A	10.0.8.191
+	A	10.0.8.192
+	A	10.0.8.193
+	A	10.0.8.194
+	A	10.0.8.195
+	A	10.0.8.196
+	A	10.0.8.197
+	A	10.0.8.198
+	A	10.0.8.199
+	A	10.0.8.200
+	A	10.0.8.201
+	A	10.0.8.202
+	A	10.0.8.203
+	A	10.0.8.204
+	A	10.0.8.205
+	A	10.0.8.206
+	A	10.0.8.207
+	A	10.0.8.208
+	A	10.0.8.209
+	A	10.0.8.210
+	A	10.0.8.211
+	A	10.0.8.212
+	A	10.0.8.213
+	A	10.0.8.214
+	A	10.0.8.215
+	A	10.0.8.216
+	A	10.0.8.217
+	A	10.0.8.218
+	A	10.0.8.219
+	A	10.0.8.220
+	A	10.0.8.221
+	A	10.0.8.222
+	A	10.0.8.223
+	A	10.0.8.224
+	A	10.0.8.225
+	A	10.0.8.226
+	A	10.0.8.227
+	A	10.0.8.228
+	A	10.0.8.229
+	A	10.0.8.230
+	A	10.0.8.231
+	A	10.0.8.232
+	A	10.0.8.233
+	A	10.0.8.234
+	A	10.0.8.235
+	A	10.0.8.236
+	A	10.0.8.237
+	A	10.0.8.238
+	A	10.0.8.239
+	A	10.0.8.240
+	A	10.0.8.241
+	A	10.0.8.242
+	A	10.0.8.243
+	A	10.0.8.244
+	A	10.0.8.245
+	A	10.0.8.246
+	A	10.0.8.247
+	A	10.0.8.248
+	A	10.0.8.249
+	A	10.0.8.250
+	A	10.0.8.251
+	A	10.0.8.252
+	A	10.0.8.253
+	A	10.0.8.254
+	A	10.0.8.255
+	A	10.0.9.0
+	A	10.0.9.1
+	A	10.0.9.2
+	A	10.0.9.3
+	A	10.0.9.4
+	A	10.0.9.5
+	A	10.0.9.6
+	A	10.0.9.7
+	A	10.0.9.8
+	A	10.0.9.9
+	A	10.0.9.10
+	A	10.0.9.11
+	A	10.0.9.12
+	A	10.0.9.13
+	A	10.0.9.14
+	A	10.0.9.15
+	A	10.0.9.16
+	A	10.0.9.17
+	A	10.0.9.18
+	A	10.0.9.19
+	A	10.0.9.20
+	A	10.0.9.21
+	A	10.0.9.22
+	A	10.0.9.23
+	A	10.0.9.24
+	A	10.0.9.25
+	A	10.0.9.26
+	A	10.0.9.27
+	A	10.0.9.28
+	A	10.0.9.29
+	A	10.0.9.30
+	A	10.0.9.31
+	A	10.0.9.32
+	A	10.0.9.33
+	A	10.0.9.34
+	A	10.0.9.35
+	A	10.0.9.36
+	A	10.0.9.37
+	A	10.0.9.38
+	A	10.0.9.39
+	A	10.0.9.40
+	A	10.0.9.41
+	A	10.0.9.42
+	A	10.0.9.43
+	A	10.0.9.44
+	A	10.0.9.45
+	A	10.0.9.46
+	A	10.0.9.47
+	A	10.0.9.48
+	A	10.0.9.49
+	A	10.0.9.50
+	A	10.0.9.51
+	A	10.0.9.52
+	A	10.0.9.53
+	A	10.0.9.54
+	A	10.0.9.55
+	A	10.0.9.56
+	A	10.0.9.57
+	A	10.0.9.58
+	A	10.0.9.59
+	A	10.0.9.60
+	A	10.0.9.61
+	A	10.0.9.62
+	A	10.0.9.63
+	A	10.0.9.64
+	A	10.0.9.65
+	A	10.0.9.66
+	A	10.0.9.67
+	A	10.0.9.68
+	A	10.0.9.69
+	A	10.0.9.70
+	A	10.0.9.71
+	A	10.0.9.72
+	A	10.0.9.73
+	A	10.0.9.74
+	A	10.0.9.75
+	A	10.0.9.76
+	A	10.0.9.77
+	A	10.0.9.78
+	A	10.0.9.79
+	A	10.0.9.80
+	A	10.0.9.81
+	A	10.0.9.82
+	A	10.0.9.83
+	A	10.0.9.84
+	A	10.0.9.85
+	A	10.0.9.86
+	A	10.0.9.87
+	A	10.0.9.88
+	A	10.0.9.89
+	A	10.0.9.90
+	A	10.0.9.91
+	A	10.0.9.92
+	A	10.0.9.93
+	A	10.0.9.94
+	A	10.0.9.95
+	A	10.0.9.96
+	A	10.0.9.97
+	A	10.0.9.98
+	A	10.0.9.99
+	A	10.0.9.100
+	A	10.0.9.101
+	A	10.0.9.102
+	A	10.0.9.103
+	A	10.0.9.104
+	A	10.0.9.105
+	A	10.0.9.106
+	A	10.0.9.107
+	A	10.0.9.108
+	A	10.0.9.109
+	A	10.0.9.110
+	A	10.0.9.111
+	A	10.0.9.112
+	A	10.0.9.113
+	A	10.0.9.114
+	A	10.0.9.115
+	A	10.0.9.116
+	A	10.0.9.117
+	A	10.0.9.118
+	A	10.0.9.119
+	A	10.0.9.120
+	A	10.0.9.121
+	A	10.0.9.122
+	A	10.0.9.123
+	A	10.0.9.124
+	A	10.0.9.125
+	A	10.0.9.126
+	A	10.0.9.127
+	A	10.0.9.128
+	A	10.0.9.129
+	A	10.0.9.130
+	A	10.0.9.131
+	A	10.0.9.132
+	A	10.0.9.133
+	A	10.0.9.134
+	A	10.0.9.135
+	A	10.0.9.136
+	A	10.0.9.137
+	A	10.0.9.138
+	A	10.0.9.139
+	A	10.0.9.140
+	A	10.0.9.141
+	A	10.0.9.142
+	A	10.0.9.143
+	A	10.0.9.144
+	A	10.0.9.145
+	A	10.0.9.146
+	A	10.0.9.147
+	A	10.0.9.148
+	A	10.0.9.149
+	A	10.0.9.150
+	A	10.0.9.151
+	A	10.0.9.152
+	A	10.0.9.153
+	A	10.0.9.154
+	A	10.0.9.155
+	A	10.0.9.156
+	A	10.0.9.157
+	A	10.0.9.158
+	A	10.0.9.159
+	A	10.0.9.160
+	A	10.0.9.161
+	A	10.0.9.162
+	A	10.0.9.163
+	A	10.0.9.164
+	A	10.0.9.165
+	A	10.0.9.166
+	A	10.0.9.167
+	A	10.0.9.168
+	A	10.0.9.169
+	A	10.0.9.170
+	A	10.0.9.171
+	A	10.0.9.172
+	A	10.0.9.173
+	A	10.0.9.174
+	A	10.0.9.175
+	A	10.0.9.176
+	A	10.0.9.177
+	A	10.0.9.178
+	A	10.0.9.179
+	A	10.0.9.180
+	A	10.0.9.181
+	A	10.0.9.182
+	A	10.0.9.183
+	A	10.0.9.184
+	A	10.0.9.185
+	A	10.0.9.186
+	A	10.0.9.187
+	A	10.0.9.188
+	A	10.0.9.189
+	A	10.0.9.190
+	A	10.0.9.191
+	A	10.0.9.192
+	A	10.0.9.193
+	A	10.0.9.194
+	A	10.0.9.195
+	A	10.0.9.196
+	A	10.0.9.197
+	A	10.0.9.198
+	A	10.0.9.199
+	A	10.0.9.200
+	A	10.0.9.201
+	A	10.0.9.202
+	A	10.0.9.203
+	A	10.0.9.204
+	A	10.0.9.205
+	A	10.0.9.206
+	A	10.0.9.207
+	A	10.0.9.208
+	A	10.0.9.209
+	A	10.0.9.210
+	A	10.0.9.211
+	A	10.0.9.212
+	A	10.0.9.213
+	A	10.0.9.214
+	A	10.0.9.215
+	A	10.0.9.216
+	A	10.0.9.217
+	A	10.0.9.218
+	A	10.0.9.219
+	A	10.0.9.220
+	A	10.0.9.221
+	A	10.0.9.222
+	A	10.0.9.223
+	A	10.0.9.224
+	A	10.0.9.225
+	A	10.0.9.226
+	A	10.0.9.227
+	A	10.0.9.228
+	A	10.0.9.229
+	A	10.0.9.230
+	A	10.0.9.231
+	A	10.0.9.232
+	A	10.0.9.233
+	A	10.0.9.234
+	A	10.0.9.235
+	A	10.0.9.236
+	A	10.0.9.237
+	A	10.0.9.238
+	A	10.0.9.239
+	A	10.0.9.240
+	A	10.0.9.241
+	A	10.0.9.242
+	A	10.0.9.243
+	A	10.0.9.244
+	A	10.0.9.245
+	A	10.0.9.246
+	A	10.0.9.247
+	A	10.0.9.248
+	A	10.0.9.249
+	A	10.0.9.250
+	A	10.0.9.251
+	A	10.0.9.252
+	A	10.0.9.253
+	A	10.0.9.254
+	A	10.0.9.255
+	A	10.0.10.0
+	A	10.0.10.1
+	A	10.0.10.2
+	A	10.0.10.3
+	A	10.0.10.4
+	A	10.0.10.5
+	A	10.0.10.6
+	A	10.0.10.7
+	A	10.0.10.8
+	A	10.0.10.9
+	A	10.0.10.10
+	A	10.0.10.11
+	A	10.0.10.12
+	A	10.0.10.13
+	A	10.0.10.14
+	A	10.0.10.15
+	A	10.0.10.16
+	A	10.0.10.17
+	A	10.0.10.18
+	A	10.0.10.19
+	A	10.0.10.20
+	A	10.0.10.21
+	A	10.0.10.22
+	A	10.0.10.23
+	A	10.0.10.24
+	A	10.0.10.25
+	A	10.0.10.26
+	A	10.0.10.27
+	A	10.0.10.28
+	A	10.0.10.29
+	A	10.0.10.30
+	A	10.0.10.31
+	A	10.0.10.32
+	A	10.0.10.33
+	A	10.0.10.34
+	A	10.0.10.35
+	A	10.0.10.36
+	A	10.0.10.37
+	A	10.0.10.38
+	A	10.0.10.39
+	A	10.0.10.40
+	A	10.0.10.41
+	A	10.0.10.42
+	A	10.0.10.43
+	A	10.0.10.44
+	A	10.0.10.45
+	A	10.0.10.46
+	A	10.0.10.47
+	A	10.0.10.48
+	A	10.0.10.49
+	A	10.0.10.50
+	A	10.0.10.51
+	A	10.0.10.52
+	A	10.0.10.53
+	A	10.0.10.54
+	A	10.0.10.55
+	A	10.0.10.56
+	A	10.0.10.57
+	A	10.0.10.58
+	A	10.0.10.59
+	A	10.0.10.60
+	A	10.0.10.61
+	A	10.0.10.62
+	A	10.0.10.63
+	A	10.0.10.64
+	A	10.0.10.65
+	A	10.0.10.66
+	A	10.0.10.67
+	A	10.0.10.68
+	A	10.0.10.69
+	A	10.0.10.70
+	A	10.0.10.71
+	A	10.0.10.72
+	A	10.0.10.73
+	A	10.0.10.74
+	A	10.0.10.75
+	A	10.0.10.76
+	A	10.0.10.77
+	A	10.0.10.78
+	A	10.0.10.79
+	A	10.0.10.80
+	A	10.0.10.81
+	A	10.0.10.82
+	A	10.0.10.83
+	A	10.0.10.84
+	A	10.0.10.85
+	A	10.0.10.86
+	A	10.0.10.87
+	A	10.0.10.88
+	A	10.0.10.89
+	A	10.0.10.90
+	A	10.0.10.91
+	A	10.0.10.92
+	A	10.0.10.93
+	A	10.0.10.94
+	A	10.0.10.95
+	A	10.0.10.96
+	A	10.0.10.97
+	A	10.0.10.98
+	A	10.0.10.99
+	A	10.0.10.100
+	A	10.0.10.101
+	A	10.0.10.102
+	A	10.0.10.103
+	A	10.0.10.104
+	A	10.0.10.105
+	A	10.0.10.106
+	A	10.0.10.107
+	A	10.0.10.108
+	A	10.0.10.109
+	A	10.0.10.110
+	A	10.0.10.111
+	A	10.0.10.112
+	A	10.0.10.113
+	A	10.0.10.114
+	A	10.0.10.115
+	A	10.0.10.116
+	A	10.0.10.117
+	A	10.0.10.118
+	A	10.0.10.119
+	A	10.0.10.120
+	A	10.0.10.121
+	A	10.0.10.122
+	A	10.0.10.123
+	A	10.0.10.124
+	A	10.0.10.125
+	A	10.0.10.126
+	A	10.0.10.127
+	A	10.0.10.128
+	A	10.0.10.129
+	A	10.0.10.130
+	A	10.0.10.131
+	A	10.0.10.132
+	A	10.0.10.133
+	A	10.0.10.134
+	A	10.0.10.135
+	A	10.0.10.136
+	A	10.0.10.137
+	A	10.0.10.138
+	A	10.0.10.139
+	A	10.0.10.140
+	A	10.0.10.141
+	A	10.0.10.142
+	A	10.0.10.143
+	A	10.0.10.144
+	A	10.0.10.145
+	A	10.0.10.146
+	A	10.0.10.147
+	A	10.0.10.148
+	A	10.0.10.149
+	A	10.0.10.150
+	A	10.0.10.151
+	A	10.0.10.152
+	A	10.0.10.153
+	A	10.0.10.154
+	A	10.0.10.155
+	A	10.0.10.156
+	A	10.0.10.157
+	A	10.0.10.158
+	A	10.0.10.159
+	A	10.0.10.160
+	A	10.0.10.161
+	A	10.0.10.162
+	A	10.0.10.163
+	A	10.0.10.164
+	A	10.0.10.165
+	A	10.0.10.166
+	A	10.0.10.167
+	A	10.0.10.168
+	A	10.0.10.169
+	A	10.0.10.170
+	A	10.0.10.171
+	A	10.0.10.172
+	A	10.0.10.173
+	A	10.0.10.174
+	A	10.0.10.175
+	A	10.0.10.176
+	A	10.0.10.177
+	A	10.0.10.178
+	A	10.0.10.179
+	A	10.0.10.180
+	A	10.0.10.181
+	A	10.0.10.182
+	A	10.0.10.183
+	A	10.0.10.184
+	A	10.0.10.185
+	A	10.0.10.186
+	A	10.0.10.187
+	A	10.0.10.188
+	A	10.0.10.189
+	A	10.0.10.190
+	A	10.0.10.191
+	A	10.0.10.192
+	A	10.0.10.193
+	A	10.0.10.194
+	A	10.0.10.195
+	A	10.0.10.196
+	A	10.0.10.197
+	A	10.0.10.198
+	A	10.0.10.199
+	A	10.0.10.200
+	A	10.0.10.201
+	A	10.0.10.202
+	A	10.0.10.203
+	A	10.0.10.204
+	A	10.0.10.205
+	A	10.0.10.206
+	A	10.0.10.207
+	A	10.0.10.208
+	A	10.0.10.209
+	A	10.0.10.210
+	A	10.0.10.211
+	A	10.0.10.212
+	A	10.0.10.213
+	A	10.0.10.214
+	A	10.0.10.215
+	A	10.0.10.216
+	A	10.0.10.217
+	A	10.0.10.218
+	A	10.0.10.219
+	A	10.0.10.220
+	A	10.0.10.221
+	A	10.0.10.222
+	A	10.0.10.223
+	A	10.0.10.224
+	A	10.0.10.225
+	A	10.0.10.226
+	A	10.0.10.227
+	A	10.0.10.228
+	A	10.0.10.229
+	A	10.0.10.230
+	A	10.0.10.231
+	A	10.0.10.232
+	A	10.0.10.233
+	A	10.0.10.234
+	A	10.0.10.235
+	A	10.0.10.236
+	A	10.0.10.237
+	A	10.0.10.238
+	A	10.0.10.239
+	A	10.0.10.240
+	A	10.0.10.241
+	A	10.0.10.242
+	A	10.0.10.243
+	A	10.0.10.244
+	A	10.0.10.245
+	A	10.0.10.246
+	A	10.0.10.247
+	A	10.0.10.248
+	A	10.0.10.249
+	A	10.0.10.250
+	A	10.0.10.251
+	A	10.0.10.252
+	A	10.0.10.253
+	A	10.0.10.254
+	A	10.0.10.255
+	A	10.0.11.0
+	A	10.0.11.1
+	A	10.0.11.2
+	A	10.0.11.3
+	A	10.0.11.4
+	A	10.0.11.5
+	A	10.0.11.6
+	A	10.0.11.7
+	A	10.0.11.8
+	A	10.0.11.9
+	A	10.0.11.10
+	A	10.0.11.11
+	A	10.0.11.12
+	A	10.0.11.13
+	A	10.0.11.14
+	A	10.0.11.15
+	A	10.0.11.16
+	A	10.0.11.17
+	A	10.0.11.18
+	A	10.0.11.19
+	A	10.0.11.20
+	A	10.0.11.21
+	A	10.0.11.22
+	A	10.0.11.23
+	A	10.0.11.24
+	A	10.0.11.25
+	A	10.0.11.26
+	A	10.0.11.27
+	A	10.0.11.28
+	A	10.0.11.29
+	A	10.0.11.30
+	A	10.0.11.31
+	A	10.0.11.32
+	A	10.0.11.33
+	A	10.0.11.34
+	A	10.0.11.35
+	A	10.0.11.36
+	A	10.0.11.37
+	A	10.0.11.38
+	A	10.0.11.39
+	A	10.0.11.40
+	A	10.0.11.41
+	A	10.0.11.42
+	A	10.0.11.43
+	A	10.0.11.44
+	A	10.0.11.45
+	A	10.0.11.46
+	A	10.0.11.47
+	A	10.0.11.48
+	A	10.0.11.49
+	A	10.0.11.50
+	A	10.0.11.51
+	A	10.0.11.52
+	A	10.0.11.53
+	A	10.0.11.54
+	A	10.0.11.55
+	A	10.0.11.56
+	A	10.0.11.57
+	A	10.0.11.58
+	A	10.0.11.59
+	A	10.0.11.60
+	A	10.0.11.61
+	A	10.0.11.62
+	A	10.0.11.63
+	A	10.0.11.64
+	A	10.0.11.65
+	A	10.0.11.66
+	A	10.0.11.67
+	A	10.0.11.68
+	A	10.0.11.69
+	A	10.0.11.70
+	A	10.0.11.71
+	A	10.0.11.72
+	A	10.0.11.73
+	A	10.0.11.74
+	A	10.0.11.75
+	A	10.0.11.76
+	A	10.0.11.77
+	A	10.0.11.78
+	A	10.0.11.79
+	A	10.0.11.80
+	A	10.0.11.81
+	A	10.0.11.82
+	A	10.0.11.83
+	A	10.0.11.84
+	A	10.0.11.85
+	A	10.0.11.86
+	A	10.0.11.87
+	A	10.0.11.88
+	A	10.0.11.89
+	A	10.0.11.90
+	A	10.0.11.91
+	A	10.0.11.92
+	A	10.0.11.93
+	A	10.0.11.94
+	A	10.0.11.95
+	A	10.0.11.96
+	A	10.0.11.97
+	A	10.0.11.98
+	A	10.0.11.99
+	A	10.0.11.100
+	A	10.0.11.101
+	A	10.0.11.102
+	A	10.0.11.103
+	A	10.0.11.104
+	A	10.0.11.105
+	A	10.0.11.106
+	A	10.0.11.107
+	A	10.0.11.108
+	A	10.0.11.109
+	A	10.0.11.110
+	A	10.0.11.111
+	A	10.0.11.112
+	A	10.0.11.113
+	A	10.0.11.114
+	A	10.0.11.115
+	A	10.0.11.116
+	A	10.0.11.117
+	A	10.0.11.118
+	A	10.0.11.119
+	A	10.0.11.120
+	A	10.0.11.121
+	A	10.0.11.122
+	A	10.0.11.123
+	A	10.0.11.124
+	A	10.0.11.125
+	A	10.0.11.126
+	A	10.0.11.127
+	A	10.0.11.128
+	A	10.0.11.129
+	A	10.0.11.130
+	A	10.0.11.131
+	A	10.0.11.132
+	A	10.0.11.133
+	A	10.0.11.134
+	A	10.0.11.135
+	A	10.0.11.136
+	A	10.0.11.137
+	A	10.0.11.138
+	A	10.0.11.139
+	A	10.0.11.140
+	A	10.0.11.141
+	A	10.0.11.142
+	A	10.0.11.143
+	A	10.0.11.144
+	A	10.0.11.145
+	A	10.0.11.146
+	A	10.0.11.147
+	A	10.0.11.148
+	A	10.0.11.149
+	A	10.0.11.150
+	A	10.0.11.151
+	A	10.0.11.152
+	A	10.0.11.153
+	A	10.0.11.154
+	A	10.0.11.155
+	A	10.0.11.156
+	A	10.0.11.157
+	A	10.0.11.158
+	A	10.0.11.159
+	A	10.0.11.160
+	A	10.0.11.161
+	A	10.0.11.162
+	A	10.0.11.163
+	A	10.0.11.164
+	A	10.0.11.165
+	A	10.0.11.166
+	A	10.0.11.167
+	A	10.0.11.168
+	A	10.0.11.169
+	A	10.0.11.170
+	A	10.0.11.171
+	A	10.0.11.172
+	A	10.0.11.173
+	A	10.0.11.174
+	A	10.0.11.175
+	A	10.0.11.176
+	A	10.0.11.177
+	A	10.0.11.178
+	A	10.0.11.179
+	A	10.0.11.180
+	A	10.0.11.181
+	A	10.0.11.182
+	A	10.0.11.183
+	A	10.0.11.184
+	A	10.0.11.185
+	A	10.0.11.186
+	A	10.0.11.187
+	A	10.0.11.188
+	A	10.0.11.189
+	A	10.0.11.190
+	A	10.0.11.191
+	A	10.0.11.192
+	A	10.0.11.193
+	A	10.0.11.194
+	A	10.0.11.195
+	A	10.0.11.196
+	A	10.0.11.197
+	A	10.0.11.198
+	A	10.0.11.199
+	A	10.0.11.200
+	A	10.0.11.201
+	A	10.0.11.202
+	A	10.0.11.203
+	A	10.0.11.204
+	A	10.0.11.205
+	A	10.0.11.206
+	A	10.0.11.207
+	A	10.0.11.208
+	A	10.0.11.209
+	A	10.0.11.210
+	A	10.0.11.211
+	A	10.0.11.212
+	A	10.0.11.213
+	A	10.0.11.214
+	A	10.0.11.215
+	A	10.0.11.216
+	A	10.0.11.217
+	A	10.0.11.218
+	A	10.0.11.219
+	A	10.0.11.220
+	A	10.0.11.221
+	A	10.0.11.222
+	A	10.0.11.223
+	A	10.0.11.224
+	A	10.0.11.225
+	A	10.0.11.226
+	A	10.0.11.227
+	A	10.0.11.228
+	A	10.0.11.229
+	A	10.0.11.230
+	A	10.0.11.231
+	A	10.0.11.232
+	A	10.0.11.233
+	A	10.0.11.234
+	A	10.0.11.235
+	A	10.0.11.236
+	A	10.0.11.237
+	A	10.0.11.238
+	A	10.0.11.239
+	A	10.0.11.240
+	A	10.0.11.241
+	A	10.0.11.242
+	A	10.0.11.243
+	A	10.0.11.244
+	A	10.0.11.245
+	A	10.0.11.246
+	A	10.0.11.247
+	A	10.0.11.248
+	A	10.0.11.249
+	A	10.0.11.250
+	A	10.0.11.251
+	A	10.0.11.252
+	A	10.0.11.253
+	A	10.0.11.254
+	A	10.0.11.255
+	A	10.0.12.0
+	A	10.0.12.1
+	A	10.0.12.2
+	A	10.0.12.3
+	A	10.0.12.4
+	A	10.0.12.5
+	A	10.0.12.6
+	A	10.0.12.7
+	A	10.0.12.8
+	A	10.0.12.9
+	A	10.0.12.10
+	A	10.0.12.11
+	A	10.0.12.12
+	A	10.0.12.13
+	A	10.0.12.14
+	A	10.0.12.15
+	A	10.0.12.16
+	A	10.0.12.17
+	A	10.0.12.18
+	A	10.0.12.19
+	A	10.0.12.20
+	A	10.0.12.21
+	A	10.0.12.22
+	A	10.0.12.23
+	A	10.0.12.24
+	A	10.0.12.25
+	A	10.0.12.26
+	A	10.0.12.27
+	A	10.0.12.28
+	A	10.0.12.29
+	A	10.0.12.30
+	A	10.0.12.31
+	A	10.0.12.32
+	A	10.0.12.33
+	A	10.0.12.34
+	A	10.0.12.35
+	A	10.0.12.36
+	A	10.0.12.37
+	A	10.0.12.38
+	A	10.0.12.39
+	A	10.0.12.40
+	A	10.0.12.41
+	A	10.0.12.42
+	A	10.0.12.43
+	A	10.0.12.44
+	A	10.0.12.45
+	A	10.0.12.46
+	A	10.0.12.47
+	A	10.0.12.48
+	A	10.0.12.49
+	A	10.0.12.50
+	A	10.0.12.51
+	A	10.0.12.52
+	A	10.0.12.53
+	A	10.0.12.54
+	A	10.0.12.55
+	A	10.0.12.56
+	A	10.0.12.57
+	A	10.0.12.58
+	A	10.0.12.59
+	A	10.0.12.60
+	A	10.0.12.61
+	A	10.0.12.62
+	A	10.0.12.63
+	A	10.0.12.64
+	A	10.0.12.65
+	A	10.0.12.66
+	A	10.0.12.67
+	A	10.0.12.68
+	A	10.0.12.69
+	A	10.0.12.70
+	A	10.0.12.71
+	A	10.0.12.72
+	A	10.0.12.73
+	A	10.0.12.74
+	A	10.0.12.75
+	A	10.0.12.76
+	A	10.0.12.77
+	A	10.0.12.78
+	A	10.0.12.79
+	A	10.0.12.80
+	A	10.0.12.81
+	A	10.0.12.82
+	A	10.0.12.83
+	A	10.0.12.84
+	A	10.0.12.85
+	A	10.0.12.86
+	A	10.0.12.87
+	A	10.0.12.88
+	A	10.0.12.89
+	A	10.0.12.90
+	A	10.0.12.91
+	A	10.0.12.92
+	A	10.0.12.93
+	A	10.0.12.94
+	A	10.0.12.95
+	A	10.0.12.96
+	A	10.0.12.97
+	A	10.0.12.98
+	A	10.0.12.99
+	A	10.0.12.100
+	A	10.0.12.101
+	A	10.0.12.102
+	A	10.0.12.103
+	A	10.0.12.104
+	A	10.0.12.105
+	A	10.0.12.106
+	A	10.0.12.107
+	A	10.0.12.108
+	A	10.0.12.109
+	A	10.0.12.110
+	A	10.0.12.111
+	A	10.0.12.112
+	A	10.0.12.113
+	A	10.0.12.114
+	A	10.0.12.115
+	A	10.0.12.116
+	A	10.0.12.117
+	A	10.0.12.118
+	A	10.0.12.119
+	A	10.0.12.120
+	A	10.0.12.121
+	A	10.0.12.122
+	A	10.0.12.123
+	A	10.0.12.124
+	A	10.0.12.125
+	A	10.0.12.126
+	A	10.0.12.127
+	A	10.0.12.128
+	A	10.0.12.129
+	A	10.0.12.130
+	A	10.0.12.131
+	A	10.0.12.132
+	A	10.0.12.133
+	A	10.0.12.134
+	A	10.0.12.135
+	A	10.0.12.136
+	A	10.0.12.137
+	A	10.0.12.138
+	A	10.0.12.139
+	A	10.0.12.140
+	A	10.0.12.141
+	A	10.0.12.142
+	A	10.0.12.143
+	A	10.0.12.144
+	A	10.0.12.145
+	A	10.0.12.146
+	A	10.0.12.147
+	A	10.0.12.148
+	A	10.0.12.149
+	A	10.0.12.150
+	A	10.0.12.151
+	A	10.0.12.152
+	A	10.0.12.153
+	A	10.0.12.154
+	A	10.0.12.155
+	A	10.0.12.156
+	A	10.0.12.157
+	A	10.0.12.158
+	A	10.0.12.159
+	A	10.0.12.160
+	A	10.0.12.161
+	A	10.0.12.162
+	A	10.0.12.163
+	A	10.0.12.164
+	A	10.0.12.165
+	A	10.0.12.166
+	A	10.0.12.167
+	A	10.0.12.168
+	A	10.0.12.169
+	A	10.0.12.170
+	A	10.0.12.171
+	A	10.0.12.172
+	A	10.0.12.173
+	A	10.0.12.174
+	A	10.0.12.175
+	A	10.0.12.176
+	A	10.0.12.177
+	A	10.0.12.178
+	A	10.0.12.179
+	A	10.0.12.180
+	A	10.0.12.181
+	A	10.0.12.182
+	A	10.0.12.183
+	A	10.0.12.184
+	A	10.0.12.185
+	A	10.0.12.186
+	A	10.0.12.187
+	A	10.0.12.188
+	A	10.0.12.189
+	A	10.0.12.190
+	A	10.0.12.191
+	A	10.0.12.192
+	A	10.0.12.193
+	A	10.0.12.194
+	A	10.0.12.195
+	A	10.0.12.196
+	A	10.0.12.197
+	A	10.0.12.198
+	A	10.0.12.199
+	A	10.0.12.200
+	A	10.0.12.201
+	A	10.0.12.202
+	A	10.0.12.203
+	A	10.0.12.204
+	A	10.0.12.205
+	A	10.0.12.206
+	A	10.0.12.207
+	A	10.0.12.208
+	A	10.0.12.209
+	A	10.0.12.210
+	A	10.0.12.211
+	A	10.0.12.212
+	A	10.0.12.213
+	A	10.0.12.214
+	A	10.0.12.215
+	A	10.0.12.216
+	A	10.0.12.217
+	A	10.0.12.218
+	A	10.0.12.219
+	A	10.0.12.220
+	A	10.0.12.221
+	A	10.0.12.222
+	A	10.0.12.223
+	A	10.0.12.224
+	A	10.0.12.225
+	A	10.0.12.226
+	A	10.0.12.227
+	A	10.0.12.228
+	A	10.0.12.229
+	A	10.0.12.230
+	A	10.0.12.231
+	A	10.0.12.232
+	A	10.0.12.233
+	A	10.0.12.234
+	A	10.0.12.235
+	A	10.0.12.236
+	A	10.0.12.237
+	A	10.0.12.238
+	A	10.0.12.239
+	A	10.0.12.240
+	A	10.0.12.241
+	A	10.0.12.242
+	A	10.0.12.243
+	A	10.0.12.244
+	A	10.0.12.245
+	A	10.0.12.246
+	A	10.0.12.247
+	A	10.0.12.248
+	A	10.0.12.249
+	A	10.0.12.250
+	A	10.0.12.251
+	A	10.0.12.252
+	A	10.0.12.253
+	A	10.0.12.254
+	A	10.0.12.255
+	A	10.0.13.0
+	A	10.0.13.1
+	A	10.0.13.2
+	A	10.0.13.3
+	A	10.0.13.4
+	A	10.0.13.5
+	A	10.0.13.6
+	A	10.0.13.7
+	A	10.0.13.8
+	A	10.0.13.9
+	A	10.0.13.10
+	A	10.0.13.11
+	A	10.0.13.12
+	A	10.0.13.13
+	A	10.0.13.14
+	A	10.0.13.15
+	A	10.0.13.16
+	A	10.0.13.17
+	A	10.0.13.18
+	A	10.0.13.19
+	A	10.0.13.20
+	A	10.0.13.21
+	A	10.0.13.22
+	A	10.0.13.23
+	A	10.0.13.24
+	A	10.0.13.25
+	A	10.0.13.26
+	A	10.0.13.27
+	A	10.0.13.28
+	A	10.0.13.29
+	A	10.0.13.30
+	A	10.0.13.31
+	A	10.0.13.32
+	A	10.0.13.33
+	A	10.0.13.34
+	A	10.0.13.35
+	A	10.0.13.36
+	A	10.0.13.37
+	A	10.0.13.38
+	A	10.0.13.39
+	A	10.0.13.40
+	A	10.0.13.41
+	A	10.0.13.42
+	A	10.0.13.43
+	A	10.0.13.44
+	A	10.0.13.45
+	A	10.0.13.46
+	A	10.0.13.47
+	A	10.0.13.48
+	A	10.0.13.49
+	A	10.0.13.50
+	A	10.0.13.51
+	A	10.0.13.52
+	A	10.0.13.53
+	A	10.0.13.54
+	A	10.0.13.55
+	A	10.0.13.56
+	A	10.0.13.57
+	A	10.0.13.58
+	A	10.0.13.59
+	A	10.0.13.60
+	A	10.0.13.61
+	A	10.0.13.62
+	A	10.0.13.63
+	A	10.0.13.64
+	A	10.0.13.65
+	A	10.0.13.66
+	A	10.0.13.67
+	A	10.0.13.68
+	A	10.0.13.69
+	A	10.0.13.70
+	A	10.0.13.71
+	A	10.0.13.72
+	A	10.0.13.73
+	A	10.0.13.74
+	A	10.0.13.75
+	A	10.0.13.76
+	A	10.0.13.77
+	A	10.0.13.78
+	A	10.0.13.79
+	A	10.0.13.80
+	A	10.0.13.81
+	A	10.0.13.82
+	A	10.0.13.83
+	A	10.0.13.84
+	A	10.0.13.85
+	A	10.0.13.86
+	A	10.0.13.87
+	A	10.0.13.88
+	A	10.0.13.89
+	A	10.0.13.90
+	A	10.0.13.91
+	A	10.0.13.92
+	A	10.0.13.93
+	A	10.0.13.94
+	A	10.0.13.95
+	A	10.0.13.96
+	A	10.0.13.97
+	A	10.0.13.98
+	A	10.0.13.99
+	A	10.0.13.100
+	A	10.0.13.101
+	A	10.0.13.102
+	A	10.0.13.103
+	A	10.0.13.104
+	A	10.0.13.105
+	A	10.0.13.106
+	A	10.0.13.107
+	A	10.0.13.108
+	A	10.0.13.109
+	A	10.0.13.110
+	A	10.0.13.111
+	A	10.0.13.112
+	A	10.0.13.113
+	A	10.0.13.114
+	A	10.0.13.115
+	A	10.0.13.116
+	A	10.0.13.117
+	A	10.0.13.118
+	A	10.0.13.119
+	A	10.0.13.120
+	A	10.0.13.121
+	A	10.0.13.122
+	A	10.0.13.123
+	A	10.0.13.124
+	A	10.0.13.125
+	A	10.0.13.126
+	A	10.0.13.127
+	A	10.0.13.128
+	A	10.0.13.129
+	A	10.0.13.130
+	A	10.0.13.131
+	A	10.0.13.132
+	A	10.0.13.133
+	A	10.0.13.134
+	A	10.0.13.135
+	A	10.0.13.136
+	A	10.0.13.137
+	A	10.0.13.138
+	A	10.0.13.139
+	A	10.0.13.140
+	A	10.0.13.141
+	A	10.0.13.142
+	A	10.0.13.143
+	A	10.0.13.144
+	A	10.0.13.145
+	A	10.0.13.146
+	A	10.0.13.147
+	A	10.0.13.148
+	A	10.0.13.149
+	A	10.0.13.150
+	A	10.0.13.151
+	A	10.0.13.152
+	A	10.0.13.153
+	A	10.0.13.154
+	A	10.0.13.155
+	A	10.0.13.156
+	A	10.0.13.157
+	A	10.0.13.158
+	A	10.0.13.159
+	A	10.0.13.160
+	A	10.0.13.161
+	A	10.0.13.162
+	A	10.0.13.163
+	A	10.0.13.164
+	A	10.0.13.165
+	A	10.0.13.166
+	A	10.0.13.167
+	A	10.0.13.168
+	A	10.0.13.169
+	A	10.0.13.170
+	A	10.0.13.171
+	A	10.0.13.172
+	A	10.0.13.173
+	A	10.0.13.174
+	A	10.0.13.175
+	A	10.0.13.176
+	A	10.0.13.177
+	A	10.0.13.178
+	A	10.0.13.179
+	A	10.0.13.180
+	A	10.0.13.181
+	A	10.0.13.182
+	A	10.0.13.183
+	A	10.0.13.184
+	A	10.0.13.185
+	A	10.0.13.186
+	A	10.0.13.187
+	A	10.0.13.188
+	A	10.0.13.189
+	A	10.0.13.190
+	A	10.0.13.191
+	A	10.0.13.192
+	A	10.0.13.193
+	A	10.0.13.194
+	A	10.0.13.195
+	A	10.0.13.196
+	A	10.0.13.197
+	A	10.0.13.198
+	A	10.0.13.199
+	A	10.0.13.200
+	A	10.0.13.201
+	A	10.0.13.202
+	A	10.0.13.203
+	A	10.0.13.204
+	A	10.0.13.205
+	A	10.0.13.206
+	A	10.0.13.207
+	A	10.0.13.208
+	A	10.0.13.209
+	A	10.0.13.210
+	A	10.0.13.211
+	A	10.0.13.212
+	A	10.0.13.213
+	A	10.0.13.214
+	A	10.0.13.215
+	A	10.0.13.216
+	A	10.0.13.217
+	A	10.0.13.218
+	A	10.0.13.219
+	A	10.0.13.220
+	A	10.0.13.221
+	A	10.0.13.222
+	A	10.0.13.223
+	A	10.0.13.224
+	A	10.0.13.225
+	A	10.0.13.226
+	A	10.0.13.227
+	A	10.0.13.228
+	A	10.0.13.229
+	A	10.0.13.230
+	A	10.0.13.231
+	A	10.0.13.232
+	A	10.0.13.233
+	A	10.0.13.234
+	A	10.0.13.235
+	A	10.0.13.236
+	A	10.0.13.237
+	A	10.0.13.238
+	A	10.0.13.239
+	A	10.0.13.240
+	A	10.0.13.241
+	A	10.0.13.242
+	A	10.0.13.243
+	A	10.0.13.244
+	A	10.0.13.245
+	A	10.0.13.246
+	A	10.0.13.247
+	A	10.0.13.248
+	A	10.0.13.249
+	A	10.0.13.250
+	A	10.0.13.251
+	A	10.0.13.252
+	A	10.0.13.253
+	A	10.0.13.254
+	A	10.0.13.255
+	A	10.0.14.0
+	A	10.0.14.1
+	A	10.0.14.2
+	A	10.0.14.3
+	A	10.0.14.4
+	A	10.0.14.5
+	A	10.0.14.6
+	A	10.0.14.7
+	A	10.0.14.8
+	A	10.0.14.9
+	A	10.0.14.10
+	A	10.0.14.11
+	A	10.0.14.12
+	A	10.0.14.13
+	A	10.0.14.14
+	A	10.0.14.15
+	A	10.0.14.16
+	A	10.0.14.17
+	A	10.0.14.18
+	A	10.0.14.19
+	A	10.0.14.20
+	A	10.0.14.21
+	A	10.0.14.22
+	A	10.0.14.23
+	A	10.0.14.24
+	A	10.0.14.25
+	A	10.0.14.26
+	A	10.0.14.27
+	A	10.0.14.28
+	A	10.0.14.29
+	A	10.0.14.30
+	A	10.0.14.31
+	A	10.0.14.32
+	A	10.0.14.33
+	A	10.0.14.34
+	A	10.0.14.35
+	A	10.0.14.36
+	A	10.0.14.37
+	A	10.0.14.38
+	A	10.0.14.39
+	A	10.0.14.40
+	A	10.0.14.41
+	A	10.0.14.42
+	A	10.0.14.43
+	A	10.0.14.44
+	A	10.0.14.45
+	A	10.0.14.46
+	A	10.0.14.47
+	A	10.0.14.48
+	A	10.0.14.49
+	A	10.0.14.50
+	A	10.0.14.51
+	A	10.0.14.52
+	A	10.0.14.53
+	A	10.0.14.54
+	A	10.0.14.55
+	A	10.0.14.56
+	A	10.0.14.57
+	A	10.0.14.58
+	A	10.0.14.59
+	A	10.0.14.60
+	A	10.0.14.61
+	A	10.0.14.62
+	A	10.0.14.63
+	A	10.0.14.64
+	A	10.0.14.65
+	A	10.0.14.66
+	A	10.0.14.67
+	A	10.0.14.68
+	A	10.0.14.69
+	A	10.0.14.70
+	A	10.0.14.71
+	A	10.0.14.72
+	A	10.0.14.73
+	A	10.0.14.74
+	A	10.0.14.75
+	A	10.0.14.76
+	A	10.0.14.77
+	A	10.0.14.78
+	A	10.0.14.79
+	A	10.0.14.80
+	A	10.0.14.81
+	A	10.0.14.82
+	A	10.0.14.83
+	A	10.0.14.84
+	A	10.0.14.85
+	A	10.0.14.86
+	A	10.0.14.87
+	A	10.0.14.88
+	A	10.0.14.89
+	A	10.0.14.90
+	A	10.0.14.91
+	A	10.0.14.92
+	A	10.0.14.93
+	A	10.0.14.94
+	A	10.0.14.95
+	A	10.0.14.96
+	A	10.0.14.97
+	A	10.0.14.98
+	A	10.0.14.99
+	A	10.0.14.100
+	A	10.0.14.101
+	A	10.0.14.102
+	A	10.0.14.103
+	A	10.0.14.104
+	A	10.0.14.105
+	A	10.0.14.106
+	A	10.0.14.107
+	A	10.0.14.108
+	A	10.0.14.109
+	A	10.0.14.110
+	A	10.0.14.111
+	A	10.0.14.112
+	A	10.0.14.113
+	A	10.0.14.114
+	A	10.0.14.115
+	A	10.0.14.116
+	A	10.0.14.117
+	A	10.0.14.118
+	A	10.0.14.119
+	A	10.0.14.120
+	A	10.0.14.121
+	A	10.0.14.122
+	A	10.0.14.123
+	A	10.0.14.124
+	A	10.0.14.125
+	A	10.0.14.126
+	A	10.0.14.127
+	A	10.0.14.128
+	A	10.0.14.129
+	A	10.0.14.130
+	A	10.0.14.131
+	A	10.0.14.132
+	A	10.0.14.133
+	A	10.0.14.134
+	A	10.0.14.135
+	A	10.0.14.136
+	A	10.0.14.137
+	A	10.0.14.138
+	A	10.0.14.139
+	A	10.0.14.140
+	A	10.0.14.141
+	A	10.0.14.142
+	A	10.0.14.143
+	A	10.0.14.144
+	A	10.0.14.145
+	A	10.0.14.146
+	A	10.0.14.147
+	A	10.0.14.148
+	A	10.0.14.149
+	A	10.0.14.150
+	A	10.0.14.151
+	A	10.0.14.152
+	A	10.0.14.153
+	A	10.0.14.154
+	A	10.0.14.155
+	A	10.0.14.156
+	A	10.0.14.157
+	A	10.0.14.158
+	A	10.0.14.159
+	A	10.0.14.160
+	A	10.0.14.161
+	A	10.0.14.162
+	A	10.0.14.163
+	A	10.0.14.164
+	A	10.0.14.165
+	A	10.0.14.166
+	A	10.0.14.167
+	A	10.0.14.168
+	A	10.0.14.169
+	A	10.0.14.170
+	A	10.0.14.171
+	A	10.0.14.172
+	A	10.0.14.173
+	A	10.0.14.174
+	A	10.0.14.175
+	A	10.0.14.176
+	A	10.0.14.177
+	A	10.0.14.178
+	A	10.0.14.179
+	A	10.0.14.180
+	A	10.0.14.181
+	A	10.0.14.182
+	A	10.0.14.183
+	A	10.0.14.184
+	A	10.0.14.185
+	A	10.0.14.186
+	A	10.0.14.187
+	A	10.0.14.188
+	A	10.0.14.189
+	A	10.0.14.190
+	A	10.0.14.191
+	A	10.0.14.192
+	A	10.0.14.193
+	A	10.0.14.194
+	A	10.0.14.195
+	A	10.0.14.196
+	A	10.0.14.197
+	A	10.0.14.198
+	A	10.0.14.199
+	A	10.0.14.200
+	A	10.0.14.201
+	A	10.0.14.202
+	A	10.0.14.203
+	A	10.0.14.204
+	A	10.0.14.205
+	A	10.0.14.206
+	A	10.0.14.207
+	A	10.0.14.208
+	A	10.0.14.209
+	A	10.0.14.210
+	A	10.0.14.211
+	A	10.0.14.212
+	A	10.0.14.213
+	A	10.0.14.214
+	A	10.0.14.215
+	A	10.0.14.216
+	A	10.0.14.217
+	A	10.0.14.218
+	A	10.0.14.219
+	A	10.0.14.220
+	A	10.0.14.221
+	A	10.0.14.222
+	A	10.0.14.223
+	A	10.0.14.224
+	A	10.0.14.225
+	A	10.0.14.226
+	A	10.0.14.227
+	A	10.0.14.228
+	A	10.0.14.229
+	A	10.0.14.230
+	A	10.0.14.231
+	A	10.0.14.232
+	A	10.0.14.233
+	A	10.0.14.234
+	A	10.0.14.235
+	A	10.0.14.236
+	A	10.0.14.237
+	A	10.0.14.238
+	A	10.0.14.239
+	A	10.0.14.240
+	A	10.0.14.241
+	A	10.0.14.242
+	A	10.0.14.243
+	A	10.0.14.244
+	A	10.0.14.245
+	A	10.0.14.246
+	A	10.0.14.247
+	A	10.0.14.248
+	A	10.0.14.249
+	A	10.0.14.250
+	A	10.0.14.251
+	A	10.0.14.252
+	A	10.0.14.253
+	A	10.0.14.254
+	A	10.0.14.255
+	A	10.0.15.0
+	A	10.0.15.1
+	A	10.0.15.2
+	A	10.0.15.3
+	A	10.0.15.4
+	A	10.0.15.5
+	A	10.0.15.6
+	A	10.0.15.7
+	A	10.0.15.8
+	A	10.0.15.9
+	A	10.0.15.10
+	A	10.0.15.11
+	A	10.0.15.12
+	A	10.0.15.13
+	A	10.0.15.14
+	A	10.0.15.15
+	A	10.0.15.16
+	A	10.0.15.17
+	A	10.0.15.18
+	A	10.0.15.19
+	A	10.0.15.20
+	A	10.0.15.21
+	A	10.0.15.22
+	A	10.0.15.23
+	A	10.0.15.24
+	A	10.0.15.25
+	A	10.0.15.26
+	A	10.0.15.27
+	A	10.0.15.28
+	A	10.0.15.29
+	A	10.0.15.30
+	A	10.0.15.31
+	A	10.0.15.32
+	A	10.0.15.33
+	A	10.0.15.34
+	A	10.0.15.35
+	A	10.0.15.36
+	A	10.0.15.37
+	A	10.0.15.38
+	A	10.0.15.39
+	A	10.0.15.40
+	A	10.0.15.41
+	A	10.0.15.42
+	A	10.0.15.43
+	A	10.0.15.44
+	A	10.0.15.45
+	A	10.0.15.46
+	A	10.0.15.47
+	A	10.0.15.48
+	A	10.0.15.49
+	A	10.0.15.50
+	A	10.0.15.51
+	A	10.0.15.52
+	A	10.0.15.53
+	A	10.0.15.54
+	A	10.0.15.55
+	A	10.0.15.56
+	A	10.0.15.57
+	A	10.0.15.58
+	A	10.0.15.59
+	A	10.0.15.60
+	A	10.0.15.61
+	A	10.0.15.62
+	A	10.0.15.63
+	A	10.0.15.64
+	A	10.0.15.65
+	A	10.0.15.66
+	A	10.0.15.67
+	A	10.0.15.68
+	A	10.0.15.69
+	A	10.0.15.70
+	A	10.0.15.71
+	A	10.0.15.72
+	A	10.0.15.73
+	A	10.0.15.74
+	A	10.0.15.75
+	A	10.0.15.76
+	A	10.0.15.77
+	A	10.0.15.78
+	A	10.0.15.79
+	A	10.0.15.80
+	A	10.0.15.81
+	A	10.0.15.82
+	A	10.0.15.83
+	A	10.0.15.84
+	A	10.0.15.85
+	A	10.0.15.86
+	A	10.0.15.87
+	A	10.0.15.88
+	A	10.0.15.89
+	A	10.0.15.90
+	A	10.0.15.91
+	A	10.0.15.92
+	A	10.0.15.93
+	A	10.0.15.94
+	A	10.0.15.95
+	A	10.0.15.96
+	A	10.0.15.97
+	A	10.0.15.98
+	A	10.0.15.99
+	A	10.0.15.100
+	A	10.0.15.101
+	A	10.0.15.102
+	A	10.0.15.103
+	A	10.0.15.104
+	A	10.0.15.105
+	A	10.0.15.106
+	A	10.0.15.107
+	A	10.0.15.108
+	A	10.0.15.109
+	A	10.0.15.110
+	A	10.0.15.111
+	A	10.0.15.112
+	A	10.0.15.113
+	A	10.0.15.114
+	A	10.0.15.115
+	A	10.0.15.116
+	A	10.0.15.117
+	A	10.0.15.118
+	A	10.0.15.119
+	A	10.0.15.120
+	A	10.0.15.121
+	A	10.0.15.122
+	A	10.0.15.123
+	A	10.0.15.124
+	A	10.0.15.125
+	A	10.0.15.126
+	A	10.0.15.127
+	A	10.0.15.128
+	A	10.0.15.129
+	A	10.0.15.130
+	A	10.0.15.131
+	A	10.0.15.132
+	A	10.0.15.133
+	A	10.0.15.134
+	A	10.0.15.135
+	A	10.0.15.136
+	A	10.0.15.137
+	A	10.0.15.138
+	A	10.0.15.139
+	A	10.0.15.140
+	A	10.0.15.141
+	A	10.0.15.142
+	A	10.0.15.143
+	A	10.0.15.144
+	A	10.0.15.145
+	A	10.0.15.146
+	A	10.0.15.147
+	A	10.0.15.148
+	A	10.0.15.149
+	A	10.0.15.150
+	A	10.0.15.151
+	A	10.0.15.152
+	A	10.0.15.153
+	A	10.0.15.154
+	A	10.0.15.155
+	A	10.0.15.156
+	A	10.0.15.157
+	A	10.0.15.158
+	A	10.0.15.159
+5000	A	10.0.0.0
+	A	10.0.0.1
+	A	10.0.0.2
+	A	10.0.0.3
+	A	10.0.0.4
+	A	10.0.0.5
+	A	10.0.0.6
+	A	10.0.0.7
+	A	10.0.0.8
+	A	10.0.0.9
+	A	10.0.0.10
+	A	10.0.0.11
+	A	10.0.0.12
+	A	10.0.0.13
+	A	10.0.0.14
+	A	10.0.0.15
+	A	10.0.0.16
+	A	10.0.0.17
+	A	10.0.0.18
+	A	10.0.0.19
+	A	10.0.0.20
+	A	10.0.0.21
+	A	10.0.0.22
+	A	10.0.0.23
+	A	10.0.0.24
+	A	10.0.0.25
+	A	10.0.0.26
+	A	10.0.0.27
+	A	10.0.0.28
+	A	10.0.0.29
+	A	10.0.0.30
+	A	10.0.0.31
+	A	10.0.0.32
+	A	10.0.0.33
+	A	10.0.0.34
+	A	10.0.0.35
+	A	10.0.0.36
+	A	10.0.0.37
+	A	10.0.0.38
+	A	10.0.0.39
+	A	10.0.0.40
+	A	10.0.0.41
+	A	10.0.0.42
+	A	10.0.0.43
+	A	10.0.0.44
+	A	10.0.0.45
+	A	10.0.0.46
+	A	10.0.0.47
+	A	10.0.0.48
+	A	10.0.0.49
+	A	10.0.0.50
+	A	10.0.0.51
+	A	10.0.0.52
+	A	10.0.0.53
+	A	10.0.0.54
+	A	10.0.0.55
+	A	10.0.0.56
+	A	10.0.0.57
+	A	10.0.0.58
+	A	10.0.0.59
+	A	10.0.0.60
+	A	10.0.0.61
+	A	10.0.0.62
+	A	10.0.0.63
+	A	10.0.0.64
+	A	10.0.0.65
+	A	10.0.0.66
+	A	10.0.0.67
+	A	10.0.0.68
+	A	10.0.0.69
+	A	10.0.0.70
+	A	10.0.0.71
+	A	10.0.0.72
+	A	10.0.0.73
+	A	10.0.0.74
+	A	10.0.0.75
+	A	10.0.0.76
+	A	10.0.0.77
+	A	10.0.0.78
+	A	10.0.0.79
+	A	10.0.0.80
+	A	10.0.0.81
+	A	10.0.0.82
+	A	10.0.0.83
+	A	10.0.0.84
+	A	10.0.0.85
+	A	10.0.0.86
+	A	10.0.0.87
+	A	10.0.0.88
+	A	10.0.0.89
+	A	10.0.0.90
+	A	10.0.0.91
+	A	10.0.0.92
+	A	10.0.0.93
+	A	10.0.0.94
+	A	10.0.0.95
+	A	10.0.0.96
+	A	10.0.0.97
+	A	10.0.0.98
+	A	10.0.0.99
+	A	10.0.0.100
+	A	10.0.0.101
+	A	10.0.0.102
+	A	10.0.0.103
+	A	10.0.0.104
+	A	10.0.0.105
+	A	10.0.0.106
+	A	10.0.0.107
+	A	10.0.0.108
+	A	10.0.0.109
+	A	10.0.0.110
+	A	10.0.0.111
+	A	10.0.0.112
+	A	10.0.0.113
+	A	10.0.0.114
+	A	10.0.0.115
+	A	10.0.0.116
+	A	10.0.0.117
+	A	10.0.0.118
+	A	10.0.0.119
+	A	10.0.0.120
+	A	10.0.0.121
+	A	10.0.0.122
+	A	10.0.0.123
+	A	10.0.0.124
+	A	10.0.0.125
+	A	10.0.0.126
+	A	10.0.0.127
+	A	10.0.0.128
+	A	10.0.0.129
+	A	10.0.0.130
+	A	10.0.0.131
+	A	10.0.0.132
+	A	10.0.0.133
+	A	10.0.0.134
+	A	10.0.0.135
+	A	10.0.0.136
+	A	10.0.0.137
+	A	10.0.0.138
+	A	10.0.0.139
+	A	10.0.0.140
+	A	10.0.0.141
+	A	10.0.0.142
+	A	10.0.0.143
+	A	10.0.0.144
+	A	10.0.0.145
+	A	10.0.0.146
+	A	10.0.0.147
+	A	10.0.0.148
+	A	10.0.0.149
+	A	10.0.0.150
+	A	10.0.0.151
+	A	10.0.0.152
+	A	10.0.0.153
+	A	10.0.0.154
+	A	10.0.0.155
+	A	10.0.0.156
+	A	10.0.0.157
+	A	10.0.0.158
+	A	10.0.0.159
+	A	10.0.0.160
+	A	10.0.0.161
+	A	10.0.0.162
+	A	10.0.0.163
+	A	10.0.0.164
+	A	10.0.0.165
+	A	10.0.0.166
+	A	10.0.0.167
+	A	10.0.0.168
+	A	10.0.0.169
+	A	10.0.0.170
+	A	10.0.0.171
+	A	10.0.0.172
+	A	10.0.0.173
+	A	10.0.0.174
+	A	10.0.0.175
+	A	10.0.0.176
+	A	10.0.0.177
+	A	10.0.0.178
+	A	10.0.0.179
+	A	10.0.0.180
+	A	10.0.0.181
+	A	10.0.0.182
+	A	10.0.0.183
+	A	10.0.0.184
+	A	10.0.0.185
+	A	10.0.0.186
+	A	10.0.0.187
+	A	10.0.0.188
+	A	10.0.0.189
+	A	10.0.0.190
+	A	10.0.0.191
+	A	10.0.0.192
+	A	10.0.0.193
+	A	10.0.0.194
+	A	10.0.0.195
+	A	10.0.0.196
+	A	10.0.0.197
+	A	10.0.0.198
+	A	10.0.0.199
+	A	10.0.0.200
+	A	10.0.0.201
+	A	10.0.0.202
+	A	10.0.0.203
+	A	10.0.0.204
+	A	10.0.0.205
+	A	10.0.0.206
+	A	10.0.0.207
+	A	10.0.0.208
+	A	10.0.0.209
+	A	10.0.0.210
+	A	10.0.0.211
+	A	10.0.0.212
+	A	10.0.0.213
+	A	10.0.0.214
+	A	10.0.0.215
+	A	10.0.0.216
+	A	10.0.0.217
+	A	10.0.0.218
+	A	10.0.0.219
+	A	10.0.0.220
+	A	10.0.0.221
+	A	10.0.0.222
+	A	10.0.0.223
+	A	10.0.0.224
+	A	10.0.0.225
+	A	10.0.0.226
+	A	10.0.0.227
+	A	10.0.0.228
+	A	10.0.0.229
+	A	10.0.0.230
+	A	10.0.0.231
+	A	10.0.0.232
+	A	10.0.0.233
+	A	10.0.0.234
+	A	10.0.0.235
+	A	10.0.0.236
+	A	10.0.0.237
+	A	10.0.0.238
+	A	10.0.0.239
+	A	10.0.0.240
+	A	10.0.0.241
+	A	10.0.0.242
+	A	10.0.0.243
+	A	10.0.0.244
+	A	10.0.0.245
+	A	10.0.0.246
+	A	10.0.0.247
+	A	10.0.0.248
+	A	10.0.0.249
+	A	10.0.0.250
+	A	10.0.0.251
+	A	10.0.0.252
+	A	10.0.0.253
+	A	10.0.0.254
+	A	10.0.0.255
+	A	10.0.1.0
+	A	10.0.1.1
+	A	10.0.1.2
+	A	10.0.1.3
+	A	10.0.1.4
+	A	10.0.1.5
+	A	10.0.1.6
+	A	10.0.1.7
+	A	10.0.1.8
+	A	10.0.1.9
+	A	10.0.1.10
+	A	10.0.1.11
+	A	10.0.1.12
+	A	10.0.1.13
+	A	10.0.1.14
+	A	10.0.1.15
+	A	10.0.1.16
+	A	10.0.1.17
+	A	10.0.1.18
+	A	10.0.1.19
+	A	10.0.1.20
+	A	10.0.1.21
+	A	10.0.1.22
+	A	10.0.1.23
+	A	10.0.1.24
+	A	10.0.1.25
+	A	10.0.1.26
+	A	10.0.1.27
+	A	10.0.1.28
+	A	10.0.1.29
+	A	10.0.1.30
+	A	10.0.1.31
+	A	10.0.1.32
+	A	10.0.1.33
+	A	10.0.1.34
+	A	10.0.1.35
+	A	10.0.1.36
+	A	10.0.1.37
+	A	10.0.1.38
+	A	10.0.1.39
+	A	10.0.1.40
+	A	10.0.1.41
+	A	10.0.1.42
+	A	10.0.1.43
+	A	10.0.1.44
+	A	10.0.1.45
+	A	10.0.1.46
+	A	10.0.1.47
+	A	10.0.1.48
+	A	10.0.1.49
+	A	10.0.1.50
+	A	10.0.1.51
+	A	10.0.1.52
+	A	10.0.1.53
+	A	10.0.1.54
+	A	10.0.1.55
+	A	10.0.1.56
+	A	10.0.1.57
+	A	10.0.1.58
+	A	10.0.1.59
+	A	10.0.1.60
+	A	10.0.1.61
+	A	10.0.1.62
+	A	10.0.1.63
+	A	10.0.1.64
+	A	10.0.1.65
+	A	10.0.1.66
+	A	10.0.1.67
+	A	10.0.1.68
+	A	10.0.1.69
+	A	10.0.1.70
+	A	10.0.1.71
+	A	10.0.1.72
+	A	10.0.1.73
+	A	10.0.1.74
+	A	10.0.1.75
+	A	10.0.1.76
+	A	10.0.1.77
+	A	10.0.1.78
+	A	10.0.1.79
+	A	10.0.1.80
+	A	10.0.1.81
+	A	10.0.1.82
+	A	10.0.1.83
+	A	10.0.1.84
+	A	10.0.1.85
+	A	10.0.1.86
+	A	10.0.1.87
+	A	10.0.1.88
+	A	10.0.1.89
+	A	10.0.1.90
+	A	10.0.1.91
+	A	10.0.1.92
+	A	10.0.1.93
+	A	10.0.1.94
+	A	10.0.1.95
+	A	10.0.1.96
+	A	10.0.1.97
+	A	10.0.1.98
+	A	10.0.1.99
+	A	10.0.1.100
+	A	10.0.1.101
+	A	10.0.1.102
+	A	10.0.1.103
+	A	10.0.1.104
+	A	10.0.1.105
+	A	10.0.1.106
+	A	10.0.1.107
+	A	10.0.1.108
+	A	10.0.1.109
+	A	10.0.1.110
+	A	10.0.1.111
+	A	10.0.1.112
+	A	10.0.1.113
+	A	10.0.1.114
+	A	10.0.1.115
+	A	10.0.1.116
+	A	10.0.1.117
+	A	10.0.1.118
+	A	10.0.1.119
+	A	10.0.1.120
+	A	10.0.1.121
+	A	10.0.1.122
+	A	10.0.1.123
+	A	10.0.1.124
+	A	10.0.1.125
+	A	10.0.1.126
+	A	10.0.1.127
+	A	10.0.1.128
+	A	10.0.1.129
+	A	10.0.1.130
+	A	10.0.1.131
+	A	10.0.1.132
+	A	10.0.1.133
+	A	10.0.1.134
+	A	10.0.1.135
+	A	10.0.1.136
+	A	10.0.1.137
+	A	10.0.1.138
+	A	10.0.1.139
+	A	10.0.1.140
+	A	10.0.1.141
+	A	10.0.1.142
+	A	10.0.1.143
+	A	10.0.1.144
+	A	10.0.1.145
+	A	10.0.1.146
+	A	10.0.1.147
+	A	10.0.1.148
+	A	10.0.1.149
+	A	10.0.1.150
+	A	10.0.1.151
+	A	10.0.1.152
+	A	10.0.1.153
+	A	10.0.1.154
+	A	10.0.1.155
+	A	10.0.1.156
+	A	10.0.1.157
+	A	10.0.1.158
+	A	10.0.1.159
+	A	10.0.1.160
+	A	10.0.1.161
+	A	10.0.1.162
+	A	10.0.1.163
+	A	10.0.1.164
+	A	10.0.1.165
+	A	10.0.1.166
+	A	10.0.1.167
+	A	10.0.1.168
+	A	10.0.1.169
+	A	10.0.1.170
+	A	10.0.1.171
+	A	10.0.1.172
+	A	10.0.1.173
+	A	10.0.1.174
+	A	10.0.1.175
+	A	10.0.1.176
+	A	10.0.1.177
+	A	10.0.1.178
+	A	10.0.1.179
+	A	10.0.1.180
+	A	10.0.1.181
+	A	10.0.1.182
+	A	10.0.1.183
+	A	10.0.1.184
+	A	10.0.1.185
+	A	10.0.1.186
+	A	10.0.1.187
+	A	10.0.1.188
+	A	10.0.1.189
+	A	10.0.1.190
+	A	10.0.1.191
+	A	10.0.1.192
+	A	10.0.1.193
+	A	10.0.1.194
+	A	10.0.1.195
+	A	10.0.1.196
+	A	10.0.1.197
+	A	10.0.1.198
+	A	10.0.1.199
+	A	10.0.1.200
+	A	10.0.1.201
+	A	10.0.1.202
+	A	10.0.1.203
+	A	10.0.1.204
+	A	10.0.1.205
+	A	10.0.1.206
+	A	10.0.1.207
+	A	10.0.1.208
+	A	10.0.1.209
+	A	10.0.1.210
+	A	10.0.1.211
+	A	10.0.1.212
+	A	10.0.1.213
+	A	10.0.1.214
+	A	10.0.1.215
+	A	10.0.1.216
+	A	10.0.1.217
+	A	10.0.1.218
+	A	10.0.1.219
+	A	10.0.1.220
+	A	10.0.1.221
+	A	10.0.1.222
+	A	10.0.1.223
+	A	10.0.1.224
+	A	10.0.1.225
+	A	10.0.1.226
+	A	10.0.1.227
+	A	10.0.1.228
+	A	10.0.1.229
+	A	10.0.1.230
+	A	10.0.1.231
+	A	10.0.1.232
+	A	10.0.1.233
+	A	10.0.1.234
+	A	10.0.1.235
+	A	10.0.1.236
+	A	10.0.1.237
+	A	10.0.1.238
+	A	10.0.1.239
+	A	10.0.1.240
+	A	10.0.1.241
+	A	10.0.1.242
+	A	10.0.1.243
+	A	10.0.1.244
+	A	10.0.1.245
+	A	10.0.1.246
+	A	10.0.1.247
+	A	10.0.1.248
+	A	10.0.1.249
+	A	10.0.1.250
+	A	10.0.1.251
+	A	10.0.1.252
+	A	10.0.1.253
+	A	10.0.1.254
+	A	10.0.1.255
+	A	10.0.2.0
+	A	10.0.2.1
+	A	10.0.2.2
+	A	10.0.2.3
+	A	10.0.2.4
+	A	10.0.2.5
+	A	10.0.2.6
+	A	10.0.2.7
+	A	10.0.2.8
+	A	10.0.2.9
+	A	10.0.2.10
+	A	10.0.2.11
+	A	10.0.2.12
+	A	10.0.2.13
+	A	10.0.2.14
+	A	10.0.2.15
+	A	10.0.2.16
+	A	10.0.2.17
+	A	10.0.2.18
+	A	10.0.2.19
+	A	10.0.2.20
+	A	10.0.2.21
+	A	10.0.2.22
+	A	10.0.2.23
+	A	10.0.2.24
+	A	10.0.2.25
+	A	10.0.2.26
+	A	10.0.2.27
+	A	10.0.2.28
+	A	10.0.2.29
+	A	10.0.2.30
+	A	10.0.2.31
+	A	10.0.2.32
+	A	10.0.2.33
+	A	10.0.2.34
+	A	10.0.2.35
+	A	10.0.2.36
+	A	10.0.2.37
+	A	10.0.2.38
+	A	10.0.2.39
+	A	10.0.2.40
+	A	10.0.2.41
+	A	10.0.2.42
+	A	10.0.2.43
+	A	10.0.2.44
+	A	10.0.2.45
+	A	10.0.2.46
+	A	10.0.2.47
+	A	10.0.2.48
+	A	10.0.2.49
+	A	10.0.2.50
+	A	10.0.2.51
+	A	10.0.2.52
+	A	10.0.2.53
+	A	10.0.2.54
+	A	10.0.2.55
+	A	10.0.2.56
+	A	10.0.2.57
+	A	10.0.2.58
+	A	10.0.2.59
+	A	10.0.2.60
+	A	10.0.2.61
+	A	10.0.2.62
+	A	10.0.2.63
+	A	10.0.2.64
+	A	10.0.2.65
+	A	10.0.2.66
+	A	10.0.2.67
+	A	10.0.2.68
+	A	10.0.2.69
+	A	10.0.2.70
+	A	10.0.2.71
+	A	10.0.2.72
+	A	10.0.2.73
+	A	10.0.2.74
+	A	10.0.2.75
+	A	10.0.2.76
+	A	10.0.2.77
+	A	10.0.2.78
+	A	10.0.2.79
+	A	10.0.2.80
+	A	10.0.2.81
+	A	10.0.2.82
+	A	10.0.2.83
+	A	10.0.2.84
+	A	10.0.2.85
+	A	10.0.2.86
+	A	10.0.2.87
+	A	10.0.2.88
+	A	10.0.2.89
+	A	10.0.2.90
+	A	10.0.2.91
+	A	10.0.2.92
+	A	10.0.2.93
+	A	10.0.2.94
+	A	10.0.2.95
+	A	10.0.2.96
+	A	10.0.2.97
+	A	10.0.2.98
+	A	10.0.2.99
+	A	10.0.2.100
+	A	10.0.2.101
+	A	10.0.2.102
+	A	10.0.2.103
+	A	10.0.2.104
+	A	10.0.2.105
+	A	10.0.2.106
+	A	10.0.2.107
+	A	10.0.2.108
+	A	10.0.2.109
+	A	10.0.2.110
+	A	10.0.2.111
+	A	10.0.2.112
+	A	10.0.2.113
+	A	10.0.2.114
+	A	10.0.2.115
+	A	10.0.2.116
+	A	10.0.2.117
+	A	10.0.2.118
+	A	10.0.2.119
+	A	10.0.2.120
+	A	10.0.2.121
+	A	10.0.2.122
+	A	10.0.2.123
+	A	10.0.2.124
+	A	10.0.2.125
+	A	10.0.2.126
+	A	10.0.2.127
+	A	10.0.2.128
+	A	10.0.2.129
+	A	10.0.2.130
+	A	10.0.2.131
+	A	10.0.2.132
+	A	10.0.2.133
+	A	10.0.2.134
+	A	10.0.2.135
+	A	10.0.2.136
+	A	10.0.2.137
+	A	10.0.2.138
+	A	10.0.2.139
+	A	10.0.2.140
+	A	10.0.2.141
+	A	10.0.2.142
+	A	10.0.2.143
+	A	10.0.2.144
+	A	10.0.2.145
+	A	10.0.2.146
+	A	10.0.2.147
+	A	10.0.2.148
+	A	10.0.2.149
+	A	10.0.2.150
+	A	10.0.2.151
+	A	10.0.2.152
+	A	10.0.2.153
+	A	10.0.2.154
+	A	10.0.2.155
+	A	10.0.2.156
+	A	10.0.2.157
+	A	10.0.2.158
+	A	10.0.2.159
+	A	10.0.2.160
+	A	10.0.2.161
+	A	10.0.2.162
+	A	10.0.2.163
+	A	10.0.2.164
+	A	10.0.2.165
+	A	10.0.2.166
+	A	10.0.2.167
+	A	10.0.2.168
+	A	10.0.2.169
+	A	10.0.2.170
+	A	10.0.2.171
+	A	10.0.2.172
+	A	10.0.2.173
+	A	10.0.2.174
+	A	10.0.2.175
+	A	10.0.2.176
+	A	10.0.2.177
+	A	10.0.2.178
+	A	10.0.2.179
+	A	10.0.2.180
+	A	10.0.2.181
+	A	10.0.2.182
+	A	10.0.2.183
+	A	10.0.2.184
+	A	10.0.2.185
+	A	10.0.2.186
+	A	10.0.2.187
+	A	10.0.2.188
+	A	10.0.2.189
+	A	10.0.2.190
+	A	10.0.2.191
+	A	10.0.2.192
+	A	10.0.2.193
+	A	10.0.2.194
+	A	10.0.2.195
+	A	10.0.2.196
+	A	10.0.2.197
+	A	10.0.2.198
+	A	10.0.2.199
+	A	10.0.2.200
+	A	10.0.2.201
+	A	10.0.2.202
+	A	10.0.2.203
+	A	10.0.2.204
+	A	10.0.2.205
+	A	10.0.2.206
+	A	10.0.2.207
+	A	10.0.2.208
+	A	10.0.2.209
+	A	10.0.2.210
+	A	10.0.2.211
+	A	10.0.2.212
+	A	10.0.2.213
+	A	10.0.2.214
+	A	10.0.2.215
+	A	10.0.2.216
+	A	10.0.2.217
+	A	10.0.2.218
+	A	10.0.2.219
+	A	10.0.2.220
+	A	10.0.2.221
+	A	10.0.2.222
+	A	10.0.2.223
+	A	10.0.2.224
+	A	10.0.2.225
+	A	10.0.2.226
+	A	10.0.2.227
+	A	10.0.2.228
+	A	10.0.2.229
+	A	10.0.2.230
+	A	10.0.2.231
+	A	10.0.2.232
+	A	10.0.2.233
+	A	10.0.2.234
+	A	10.0.2.235
+	A	10.0.2.236
+	A	10.0.2.237
+	A	10.0.2.238
+	A	10.0.2.239
+	A	10.0.2.240
+	A	10.0.2.241
+	A	10.0.2.242
+	A	10.0.2.243
+	A	10.0.2.244
+	A	10.0.2.245
+	A	10.0.2.246
+	A	10.0.2.247
+	A	10.0.2.248
+	A	10.0.2.249
+	A	10.0.2.250
+	A	10.0.2.251
+	A	10.0.2.252
+	A	10.0.2.253
+	A	10.0.2.254
+	A	10.0.2.255
+	A	10.0.3.0
+	A	10.0.3.1
+	A	10.0.3.2
+	A	10.0.3.3
+	A	10.0.3.4
+	A	10.0.3.5
+	A	10.0.3.6
+	A	10.0.3.7
+	A	10.0.3.8
+	A	10.0.3.9
+	A	10.0.3.10
+	A	10.0.3.11
+	A	10.0.3.12
+	A	10.0.3.13
+	A	10.0.3.14
+	A	10.0.3.15
+	A	10.0.3.16
+	A	10.0.3.17
+	A	10.0.3.18
+	A	10.0.3.19
+	A	10.0.3.20
+	A	10.0.3.21
+	A	10.0.3.22
+	A	10.0.3.23
+	A	10.0.3.24
+	A	10.0.3.25
+	A	10.0.3.26
+	A	10.0.3.27
+	A	10.0.3.28
+	A	10.0.3.29
+	A	10.0.3.30
+	A	10.0.3.31
+	A	10.0.3.32
+	A	10.0.3.33
+	A	10.0.3.34
+	A	10.0.3.35
+	A	10.0.3.36
+	A	10.0.3.37
+	A	10.0.3.38
+	A	10.0.3.39
+	A	10.0.3.40
+	A	10.0.3.41
+	A	10.0.3.42
+	A	10.0.3.43
+	A	10.0.3.44
+	A	10.0.3.45
+	A	10.0.3.46
+	A	10.0.3.47
+	A	10.0.3.48
+	A	10.0.3.49
+	A	10.0.3.50
+	A	10.0.3.51
+	A	10.0.3.52
+	A	10.0.3.53
+	A	10.0.3.54
+	A	10.0.3.55
+	A	10.0.3.56
+	A	10.0.3.57
+	A	10.0.3.58
+	A	10.0.3.59
+	A	10.0.3.60
+	A	10.0.3.61
+	A	10.0.3.62
+	A	10.0.3.63
+	A	10.0.3.64
+	A	10.0.3.65
+	A	10.0.3.66
+	A	10.0.3.67
+	A	10.0.3.68
+	A	10.0.3.69
+	A	10.0.3.70
+	A	10.0.3.71
+	A	10.0.3.72
+	A	10.0.3.73
+	A	10.0.3.74
+	A	10.0.3.75
+	A	10.0.3.76
+	A	10.0.3.77
+	A	10.0.3.78
+	A	10.0.3.79
+	A	10.0.3.80
+	A	10.0.3.81
+	A	10.0.3.82
+	A	10.0.3.83
+	A	10.0.3.84
+	A	10.0.3.85
+	A	10.0.3.86
+	A	10.0.3.87
+	A	10.0.3.88
+	A	10.0.3.89
+	A	10.0.3.90
+	A	10.0.3.91
+	A	10.0.3.92
+	A	10.0.3.93
+	A	10.0.3.94
+	A	10.0.3.95
+	A	10.0.3.96
+	A	10.0.3.97
+	A	10.0.3.98
+	A	10.0.3.99
+	A	10.0.3.100
+	A	10.0.3.101
+	A	10.0.3.102
+	A	10.0.3.103
+	A	10.0.3.104
+	A	10.0.3.105
+	A	10.0.3.106
+	A	10.0.3.107
+	A	10.0.3.108
+	A	10.0.3.109
+	A	10.0.3.110
+	A	10.0.3.111
+	A	10.0.3.112
+	A	10.0.3.113
+	A	10.0.3.114
+	A	10.0.3.115
+	A	10.0.3.116
+	A	10.0.3.117
+	A	10.0.3.118
+	A	10.0.3.119
+	A	10.0.3.120
+	A	10.0.3.121
+	A	10.0.3.122
+	A	10.0.3.123
+	A	10.0.3.124
+	A	10.0.3.125
+	A	10.0.3.126
+	A	10.0.3.127
+	A	10.0.3.128
+	A	10.0.3.129
+	A	10.0.3.130
+	A	10.0.3.131
+	A	10.0.3.132
+	A	10.0.3.133
+	A	10.0.3.134
+	A	10.0.3.135
+	A	10.0.3.136
+	A	10.0.3.137
+	A	10.0.3.138
+	A	10.0.3.139
+	A	10.0.3.140
+	A	10.0.3.141
+	A	10.0.3.142
+	A	10.0.3.143
+	A	10.0.3.144
+	A	10.0.3.145
+	A	10.0.3.146
+	A	10.0.3.147
+	A	10.0.3.148
+	A	10.0.3.149
+	A	10.0.3.150
+	A	10.0.3.151
+	A	10.0.3.152
+	A	10.0.3.153
+	A	10.0.3.154
+	A	10.0.3.155
+	A	10.0.3.156
+	A	10.0.3.157
+	A	10.0.3.158
+	A	10.0.3.159
+	A	10.0.3.160
+	A	10.0.3.161
+	A	10.0.3.162
+	A	10.0.3.163
+	A	10.0.3.164
+	A	10.0.3.165
+	A	10.0.3.166
+	A	10.0.3.167
+	A	10.0.3.168
+	A	10.0.3.169
+	A	10.0.3.170
+	A	10.0.3.171
+	A	10.0.3.172
+	A	10.0.3.173
+	A	10.0.3.174
+	A	10.0.3.175
+	A	10.0.3.176
+	A	10.0.3.177
+	A	10.0.3.178
+	A	10.0.3.179
+	A	10.0.3.180
+	A	10.0.3.181
+	A	10.0.3.182
+	A	10.0.3.183
+	A	10.0.3.184
+	A	10.0.3.185
+	A	10.0.3.186
+	A	10.0.3.187
+	A	10.0.3.188
+	A	10.0.3.189
+	A	10.0.3.190
+	A	10.0.3.191
+	A	10.0.3.192
+	A	10.0.3.193
+	A	10.0.3.194
+	A	10.0.3.195
+	A	10.0.3.196
+	A	10.0.3.197
+	A	10.0.3.198
+	A	10.0.3.199
+	A	10.0.3.200
+	A	10.0.3.201
+	A	10.0.3.202
+	A	10.0.3.203
+	A	10.0.3.204
+	A	10.0.3.205
+	A	10.0.3.206
+	A	10.0.3.207
+	A	10.0.3.208
+	A	10.0.3.209
+	A	10.0.3.210
+	A	10.0.3.211
+	A	10.0.3.212
+	A	10.0.3.213
+	A	10.0.3.214
+	A	10.0.3.215
+	A	10.0.3.216
+	A	10.0.3.217
+	A	10.0.3.218
+	A	10.0.3.219
+	A	10.0.3.220
+	A	10.0.3.221
+	A	10.0.3.222
+	A	10.0.3.223
+	A	10.0.3.224
+	A	10.0.3.225
+	A	10.0.3.226
+	A	10.0.3.227
+	A	10.0.3.228
+	A	10.0.3.229
+	A	10.0.3.230
+	A	10.0.3.231
+	A	10.0.3.232
+	A	10.0.3.233
+	A	10.0.3.234
+	A	10.0.3.235
+	A	10.0.3.236
+	A	10.0.3.237
+	A	10.0.3.238
+	A	10.0.3.239
+	A	10.0.3.240
+	A	10.0.3.241
+	A	10.0.3.242
+	A	10.0.3.243
+	A	10.0.3.244
+	A	10.0.3.245
+	A	10.0.3.246
+	A	10.0.3.247
+	A	10.0.3.248
+	A	10.0.3.249
+	A	10.0.3.250
+	A	10.0.3.251
+	A	10.0.3.252
+	A	10.0.3.253
+	A	10.0.3.254
+	A	10.0.3.255
+	A	10.0.4.0
+	A	10.0.4.1
+	A	10.0.4.2
+	A	10.0.4.3
+	A	10.0.4.4
+	A	10.0.4.5
+	A	10.0.4.6
+	A	10.0.4.7
+	A	10.0.4.8
+	A	10.0.4.9
+	A	10.0.4.10
+	A	10.0.4.11
+	A	10.0.4.12
+	A	10.0.4.13
+	A	10.0.4.14
+	A	10.0.4.15
+	A	10.0.4.16
+	A	10.0.4.17
+	A	10.0.4.18
+	A	10.0.4.19
+	A	10.0.4.20
+	A	10.0.4.21
+	A	10.0.4.22
+	A	10.0.4.23
+	A	10.0.4.24
+	A	10.0.4.25
+	A	10.0.4.26
+	A	10.0.4.27
+	A	10.0.4.28
+	A	10.0.4.29
+	A	10.0.4.30
+	A	10.0.4.31
+	A	10.0.4.32
+	A	10.0.4.33
+	A	10.0.4.34
+	A	10.0.4.35
+	A	10.0.4.36
+	A	10.0.4.37
+	A	10.0.4.38
+	A	10.0.4.39
+	A	10.0.4.40
+	A	10.0.4.41
+	A	10.0.4.42
+	A	10.0.4.43
+	A	10.0.4.44
+	A	10.0.4.45
+	A	10.0.4.46
+	A	10.0.4.47
+	A	10.0.4.48
+	A	10.0.4.49
+	A	10.0.4.50
+	A	10.0.4.51
+	A	10.0.4.52
+	A	10.0.4.53
+	A	10.0.4.54
+	A	10.0.4.55
+	A	10.0.4.56
+	A	10.0.4.57
+	A	10.0.4.58
+	A	10.0.4.59
+	A	10.0.4.60
+	A	10.0.4.61
+	A	10.0.4.62
+	A	10.0.4.63
+	A	10.0.4.64
+	A	10.0.4.65
+	A	10.0.4.66
+	A	10.0.4.67
+	A	10.0.4.68
+	A	10.0.4.69
+	A	10.0.4.70
+	A	10.0.4.71
+	A	10.0.4.72
+	A	10.0.4.73
+	A	10.0.4.74
+	A	10.0.4.75
+	A	10.0.4.76
+	A	10.0.4.77
+	A	10.0.4.78
+	A	10.0.4.79
+	A	10.0.4.80
+	A	10.0.4.81
+	A	10.0.4.82
+	A	10.0.4.83
+	A	10.0.4.84
+	A	10.0.4.85
+	A	10.0.4.86
+	A	10.0.4.87
+	A	10.0.4.88
+	A	10.0.4.89
+	A	10.0.4.90
+	A	10.0.4.91
+	A	10.0.4.92
+	A	10.0.4.93
+	A	10.0.4.94
+	A	10.0.4.95
+	A	10.0.4.96
+	A	10.0.4.97
+	A	10.0.4.98
+	A	10.0.4.99
+	A	10.0.4.100
+	A	10.0.4.101
+	A	10.0.4.102
+	A	10.0.4.103
+	A	10.0.4.104
+	A	10.0.4.105
+	A	10.0.4.106
+	A	10.0.4.107
+	A	10.0.4.108
+	A	10.0.4.109
+	A	10.0.4.110
+	A	10.0.4.111
+	A	10.0.4.112
+	A	10.0.4.113
+	A	10.0.4.114
+	A	10.0.4.115
+	A	10.0.4.116
+	A	10.0.4.117
+	A	10.0.4.118
+	A	10.0.4.119
+	A	10.0.4.120
+	A	10.0.4.121
+	A	10.0.4.122
+	A	10.0.4.123
+	A	10.0.4.124
+	A	10.0.4.125
+	A	10.0.4.126
+	A	10.0.4.127
+	A	10.0.4.128
+	A	10.0.4.129
+	A	10.0.4.130
+	A	10.0.4.131
+	A	10.0.4.132
+	A	10.0.4.133
+	A	10.0.4.134
+	A	10.0.4.135
+	A	10.0.4.136
+	A	10.0.4.137
+	A	10.0.4.138
+	A	10.0.4.139
+	A	10.0.4.140
+	A	10.0.4.141
+	A	10.0.4.142
+	A	10.0.4.143
+	A	10.0.4.144
+	A	10.0.4.145
+	A	10.0.4.146
+	A	10.0.4.147
+	A	10.0.4.148
+	A	10.0.4.149
+	A	10.0.4.150
+	A	10.0.4.151
+	A	10.0.4.152
+	A	10.0.4.153
+	A	10.0.4.154
+	A	10.0.4.155
+	A	10.0.4.156
+	A	10.0.4.157
+	A	10.0.4.158
+	A	10.0.4.159
+	A	10.0.4.160
+	A	10.0.4.161
+	A	10.0.4.162
+	A	10.0.4.163
+	A	10.0.4.164
+	A	10.0.4.165
+	A	10.0.4.166
+	A	10.0.4.167
+	A	10.0.4.168
+	A	10.0.4.169
+	A	10.0.4.170
+	A	10.0.4.171
+	A	10.0.4.172
+	A	10.0.4.173
+	A	10.0.4.174
+	A	10.0.4.175
+	A	10.0.4.176
+	A	10.0.4.177
+	A	10.0.4.178
+	A	10.0.4.179
+	A	10.0.4.180
+	A	10.0.4.181
+	A	10.0.4.182
+	A	10.0.4.183
+	A	10.0.4.184
+	A	10.0.4.185
+	A	10.0.4.186
+	A	10.0.4.187
+	A	10.0.4.188
+	A	10.0.4.189
+	A	10.0.4.190
+	A	10.0.4.191
+	A	10.0.4.192
+	A	10.0.4.193
+	A	10.0.4.194
+	A	10.0.4.195
+	A	10.0.4.196
+	A	10.0.4.197
+	A	10.0.4.198
+	A	10.0.4.199
+	A	10.0.4.200
+	A	10.0.4.201
+	A	10.0.4.202
+	A	10.0.4.203
+	A	10.0.4.204
+	A	10.0.4.205
+	A	10.0.4.206
+	A	10.0.4.207
+	A	10.0.4.208
+	A	10.0.4.209
+	A	10.0.4.210
+	A	10.0.4.211
+	A	10.0.4.212
+	A	10.0.4.213
+	A	10.0.4.214
+	A	10.0.4.215
+	A	10.0.4.216
+	A	10.0.4.217
+	A	10.0.4.218
+	A	10.0.4.219
+	A	10.0.4.220
+	A	10.0.4.221
+	A	10.0.4.222
+	A	10.0.4.223
+	A	10.0.4.224
+	A	10.0.4.225
+	A	10.0.4.226
+	A	10.0.4.227
+	A	10.0.4.228
+	A	10.0.4.229
+	A	10.0.4.230
+	A	10.0.4.231
+	A	10.0.4.232
+	A	10.0.4.233
+	A	10.0.4.234
+	A	10.0.4.235
+	A	10.0.4.236
+	A	10.0.4.237
+	A	10.0.4.238
+	A	10.0.4.239
+	A	10.0.4.240
+	A	10.0.4.241
+	A	10.0.4.242
+	A	10.0.4.243
+	A	10.0.4.244
+	A	10.0.4.245
+	A	10.0.4.246
+	A	10.0.4.247
+	A	10.0.4.248
+	A	10.0.4.249
+	A	10.0.4.250
+	A	10.0.4.251
+	A	10.0.4.252
+	A	10.0.4.253
+	A	10.0.4.254
+	A	10.0.4.255
+	A	10.0.5.0
+	A	10.0.5.1
+	A	10.0.5.2
+	A	10.0.5.3
+	A	10.0.5.4
+	A	10.0.5.5
+	A	10.0.5.6
+	A	10.0.5.7
+	A	10.0.5.8
+	A	10.0.5.9
+	A	10.0.5.10
+	A	10.0.5.11
+	A	10.0.5.12
+	A	10.0.5.13
+	A	10.0.5.14
+	A	10.0.5.15
+	A	10.0.5.16
+	A	10.0.5.17
+	A	10.0.5.18
+	A	10.0.5.19
+	A	10.0.5.20
+	A	10.0.5.21
+	A	10.0.5.22
+	A	10.0.5.23
+	A	10.0.5.24
+	A	10.0.5.25
+	A	10.0.5.26
+	A	10.0.5.27
+	A	10.0.5.28
+	A	10.0.5.29
+	A	10.0.5.30
+	A	10.0.5.31
+	A	10.0.5.32
+	A	10.0.5.33
+	A	10.0.5.34
+	A	10.0.5.35
+	A	10.0.5.36
+	A	10.0.5.37
+	A	10.0.5.38
+	A	10.0.5.39
+	A	10.0.5.40
+	A	10.0.5.41
+	A	10.0.5.42
+	A	10.0.5.43
+	A	10.0.5.44
+	A	10.0.5.45
+	A	10.0.5.46
+	A	10.0.5.47
+	A	10.0.5.48
+	A	10.0.5.49
+	A	10.0.5.50
+	A	10.0.5.51
+	A	10.0.5.52
+	A	10.0.5.53
+	A	10.0.5.54
+	A	10.0.5.55
+	A	10.0.5.56
+	A	10.0.5.57
+	A	10.0.5.58
+	A	10.0.5.59
+	A	10.0.5.60
+	A	10.0.5.61
+	A	10.0.5.62
+	A	10.0.5.63
+	A	10.0.5.64
+	A	10.0.5.65
+	A	10.0.5.66
+	A	10.0.5.67
+	A	10.0.5.68
+	A	10.0.5.69
+	A	10.0.5.70
+	A	10.0.5.71
+	A	10.0.5.72
+	A	10.0.5.73
+	A	10.0.5.74
+	A	10.0.5.75
+	A	10.0.5.76
+	A	10.0.5.77
+	A	10.0.5.78
+	A	10.0.5.79
+	A	10.0.5.80
+	A	10.0.5.81
+	A	10.0.5.82
+	A	10.0.5.83
+	A	10.0.5.84
+	A	10.0.5.85
+	A	10.0.5.86
+	A	10.0.5.87
+	A	10.0.5.88
+	A	10.0.5.89
+	A	10.0.5.90
+	A	10.0.5.91
+	A	10.0.5.92
+	A	10.0.5.93
+	A	10.0.5.94
+	A	10.0.5.95
+	A	10.0.5.96
+	A	10.0.5.97
+	A	10.0.5.98
+	A	10.0.5.99
+	A	10.0.5.100
+	A	10.0.5.101
+	A	10.0.5.102
+	A	10.0.5.103
+	A	10.0.5.104
+	A	10.0.5.105
+	A	10.0.5.106
+	A	10.0.5.107
+	A	10.0.5.108
+	A	10.0.5.109
+	A	10.0.5.110
+	A	10.0.5.111
+	A	10.0.5.112
+	A	10.0.5.113
+	A	10.0.5.114
+	A	10.0.5.115
+	A	10.0.5.116
+	A	10.0.5.117
+	A	10.0.5.118
+	A	10.0.5.119
+	A	10.0.5.120
+	A	10.0.5.121
+	A	10.0.5.122
+	A	10.0.5.123
+	A	10.0.5.124
+	A	10.0.5.125
+	A	10.0.5.126
+	A	10.0.5.127
+	A	10.0.5.128
+	A	10.0.5.129
+	A	10.0.5.130
+	A	10.0.5.131
+	A	10.0.5.132
+	A	10.0.5.133
+	A	10.0.5.134
+	A	10.0.5.135
+	A	10.0.5.136
+	A	10.0.5.137
+	A	10.0.5.138
+	A	10.0.5.139
+	A	10.0.5.140
+	A	10.0.5.141
+	A	10.0.5.142
+	A	10.0.5.143
+	A	10.0.5.144
+	A	10.0.5.145
+	A	10.0.5.146
+	A	10.0.5.147
+	A	10.0.5.148
+	A	10.0.5.149
+	A	10.0.5.150
+	A	10.0.5.151
+	A	10.0.5.152
+	A	10.0.5.153
+	A	10.0.5.154
+	A	10.0.5.155
+	A	10.0.5.156
+	A	10.0.5.157
+	A	10.0.5.158
+	A	10.0.5.159
+	A	10.0.5.160
+	A	10.0.5.161
+	A	10.0.5.162
+	A	10.0.5.163
+	A	10.0.5.164
+	A	10.0.5.165
+	A	10.0.5.166
+	A	10.0.5.167
+	A	10.0.5.168
+	A	10.0.5.169
+	A	10.0.5.170
+	A	10.0.5.171
+	A	10.0.5.172
+	A	10.0.5.173
+	A	10.0.5.174
+	A	10.0.5.175
+	A	10.0.5.176
+	A	10.0.5.177
+	A	10.0.5.178
+	A	10.0.5.179
+	A	10.0.5.180
+	A	10.0.5.181
+	A	10.0.5.182
+	A	10.0.5.183
+	A	10.0.5.184
+	A	10.0.5.185
+	A	10.0.5.186
+	A	10.0.5.187
+	A	10.0.5.188
+	A	10.0.5.189
+	A	10.0.5.190
+	A	10.0.5.191
+	A	10.0.5.192
+	A	10.0.5.193
+	A	10.0.5.194
+	A	10.0.5.195
+	A	10.0.5.196
+	A	10.0.5.197
+	A	10.0.5.198
+	A	10.0.5.199
+	A	10.0.5.200
+	A	10.0.5.201
+	A	10.0.5.202
+	A	10.0.5.203
+	A	10.0.5.204
+	A	10.0.5.205
+	A	10.0.5.206
+	A	10.0.5.207
+	A	10.0.5.208
+	A	10.0.5.209
+	A	10.0.5.210
+	A	10.0.5.211
+	A	10.0.5.212
+	A	10.0.5.213
+	A	10.0.5.214
+	A	10.0.5.215
+	A	10.0.5.216
+	A	10.0.5.217
+	A	10.0.5.218
+	A	10.0.5.219
+	A	10.0.5.220
+	A	10.0.5.221
+	A	10.0.5.222
+	A	10.0.5.223
+	A	10.0.5.224
+	A	10.0.5.225
+	A	10.0.5.226
+	A	10.0.5.227
+	A	10.0.5.228
+	A	10.0.5.229
+	A	10.0.5.230
+	A	10.0.5.231
+	A	10.0.5.232
+	A	10.0.5.233
+	A	10.0.5.234
+	A	10.0.5.235
+	A	10.0.5.236
+	A	10.0.5.237
+	A	10.0.5.238
+	A	10.0.5.239
+	A	10.0.5.240
+	A	10.0.5.241
+	A	10.0.5.242
+	A	10.0.5.243
+	A	10.0.5.244
+	A	10.0.5.245
+	A	10.0.5.246
+	A	10.0.5.247
+	A	10.0.5.248
+	A	10.0.5.249
+	A	10.0.5.250
+	A	10.0.5.251
+	A	10.0.5.252
+	A	10.0.5.253
+	A	10.0.5.254
+	A	10.0.5.255
+	A	10.0.6.0
+	A	10.0.6.1
+	A	10.0.6.2
+	A	10.0.6.3
+	A	10.0.6.4
+	A	10.0.6.5
+	A	10.0.6.6
+	A	10.0.6.7
+	A	10.0.6.8
+	A	10.0.6.9
+	A	10.0.6.10
+	A	10.0.6.11
+	A	10.0.6.12
+	A	10.0.6.13
+	A	10.0.6.14
+	A	10.0.6.15
+	A	10.0.6.16
+	A	10.0.6.17
+	A	10.0.6.18
+	A	10.0.6.19
+	A	10.0.6.20
+	A	10.0.6.21
+	A	10.0.6.22
+	A	10.0.6.23
+	A	10.0.6.24
+	A	10.0.6.25
+	A	10.0.6.26
+	A	10.0.6.27
+	A	10.0.6.28
+	A	10.0.6.29
+	A	10.0.6.30
+	A	10.0.6.31
+	A	10.0.6.32
+	A	10.0.6.33
+	A	10.0.6.34
+	A	10.0.6.35
+	A	10.0.6.36
+	A	10.0.6.37
+	A	10.0.6.38
+	A	10.0.6.39
+	A	10.0.6.40
+	A	10.0.6.41
+	A	10.0.6.42
+	A	10.0.6.43
+	A	10.0.6.44
+	A	10.0.6.45
+	A	10.0.6.46
+	A	10.0.6.47
+	A	10.0.6.48
+	A	10.0.6.49
+	A	10.0.6.50
+	A	10.0.6.51
+	A	10.0.6.52
+	A	10.0.6.53
+	A	10.0.6.54
+	A	10.0.6.55
+	A	10.0.6.56
+	A	10.0.6.57
+	A	10.0.6.58
+	A	10.0.6.59
+	A	10.0.6.60
+	A	10.0.6.61
+	A	10.0.6.62
+	A	10.0.6.63
+	A	10.0.6.64
+	A	10.0.6.65
+	A	10.0.6.66
+	A	10.0.6.67
+	A	10.0.6.68
+	A	10.0.6.69
+	A	10.0.6.70
+	A	10.0.6.71
+	A	10.0.6.72
+	A	10.0.6.73
+	A	10.0.6.74
+	A	10.0.6.75
+	A	10.0.6.76
+	A	10.0.6.77
+	A	10.0.6.78
+	A	10.0.6.79
+	A	10.0.6.80
+	A	10.0.6.81
+	A	10.0.6.82
+	A	10.0.6.83
+	A	10.0.6.84
+	A	10.0.6.85
+	A	10.0.6.86
+	A	10.0.6.87
+	A	10.0.6.88
+	A	10.0.6.89
+	A	10.0.6.90
+	A	10.0.6.91
+	A	10.0.6.92
+	A	10.0.6.93
+	A	10.0.6.94
+	A	10.0.6.95
+	A	10.0.6.96
+	A	10.0.6.97
+	A	10.0.6.98
+	A	10.0.6.99
+	A	10.0.6.100
+	A	10.0.6.101
+	A	10.0.6.102
+	A	10.0.6.103
+	A	10.0.6.104
+	A	10.0.6.105
+	A	10.0.6.106
+	A	10.0.6.107
+	A	10.0.6.108
+	A	10.0.6.109
+	A	10.0.6.110
+	A	10.0.6.111
+	A	10.0.6.112
+	A	10.0.6.113
+	A	10.0.6.114
+	A	10.0.6.115
+	A	10.0.6.116
+	A	10.0.6.117
+	A	10.0.6.118
+	A	10.0.6.119
+	A	10.0.6.120
+	A	10.0.6.121
+	A	10.0.6.122
+	A	10.0.6.123
+	A	10.0.6.124
+	A	10.0.6.125
+	A	10.0.6.126
+	A	10.0.6.127
+	A	10.0.6.128
+	A	10.0.6.129
+	A	10.0.6.130
+	A	10.0.6.131
+	A	10.0.6.132
+	A	10.0.6.133
+	A	10.0.6.134
+	A	10.0.6.135
+	A	10.0.6.136
+	A	10.0.6.137
+	A	10.0.6.138
+	A	10.0.6.139
+	A	10.0.6.140
+	A	10.0.6.141
+	A	10.0.6.142
+	A	10.0.6.143
+	A	10.0.6.144
+	A	10.0.6.145
+	A	10.0.6.146
+	A	10.0.6.147
+	A	10.0.6.148
+	A	10.0.6.149
+	A	10.0.6.150
+	A	10.0.6.151
+	A	10.0.6.152
+	A	10.0.6.153
+	A	10.0.6.154
+	A	10.0.6.155
+	A	10.0.6.156
+	A	10.0.6.157
+	A	10.0.6.158
+	A	10.0.6.159
+	A	10.0.6.160
+	A	10.0.6.161
+	A	10.0.6.162
+	A	10.0.6.163
+	A	10.0.6.164
+	A	10.0.6.165
+	A	10.0.6.166
+	A	10.0.6.167
+	A	10.0.6.168
+	A	10.0.6.169
+	A	10.0.6.170
+	A	10.0.6.171
+	A	10.0.6.172
+	A	10.0.6.173
+	A	10.0.6.174
+	A	10.0.6.175
+	A	10.0.6.176
+	A	10.0.6.177
+	A	10.0.6.178
+	A	10.0.6.179
+	A	10.0.6.180
+	A	10.0.6.181
+	A	10.0.6.182
+	A	10.0.6.183
+	A	10.0.6.184
+	A	10.0.6.185
+	A	10.0.6.186
+	A	10.0.6.187
+	A	10.0.6.188
+	A	10.0.6.189
+	A	10.0.6.190
+	A	10.0.6.191
+	A	10.0.6.192
+	A	10.0.6.193
+	A	10.0.6.194
+	A	10.0.6.195
+	A	10.0.6.196
+	A	10.0.6.197
+	A	10.0.6.198
+	A	10.0.6.199
+	A	10.0.6.200
+	A	10.0.6.201
+	A	10.0.6.202
+	A	10.0.6.203
+	A	10.0.6.204
+	A	10.0.6.205
+	A	10.0.6.206
+	A	10.0.6.207
+	A	10.0.6.208
+	A	10.0.6.209
+	A	10.0.6.210
+	A	10.0.6.211
+	A	10.0.6.212
+	A	10.0.6.213
+	A	10.0.6.214
+	A	10.0.6.215
+	A	10.0.6.216
+	A	10.0.6.217
+	A	10.0.6.218
+	A	10.0.6.219
+	A	10.0.6.220
+	A	10.0.6.221
+	A	10.0.6.222
+	A	10.0.6.223
+	A	10.0.6.224
+	A	10.0.6.225
+	A	10.0.6.226
+	A	10.0.6.227
+	A	10.0.6.228
+	A	10.0.6.229
+	A	10.0.6.230
+	A	10.0.6.231
+	A	10.0.6.232
+	A	10.0.6.233
+	A	10.0.6.234
+	A	10.0.6.235
+	A	10.0.6.236
+	A	10.0.6.237
+	A	10.0.6.238
+	A	10.0.6.239
+	A	10.0.6.240
+	A	10.0.6.241
+	A	10.0.6.242
+	A	10.0.6.243
+	A	10.0.6.244
+	A	10.0.6.245
+	A	10.0.6.246
+	A	10.0.6.247
+	A	10.0.6.248
+	A	10.0.6.249
+	A	10.0.6.250
+	A	10.0.6.251
+	A	10.0.6.252
+	A	10.0.6.253
+	A	10.0.6.254
+	A	10.0.6.255
+	A	10.0.7.0
+	A	10.0.7.1
+	A	10.0.7.2
+	A	10.0.7.3
+	A	10.0.7.4
+	A	10.0.7.5
+	A	10.0.7.6
+	A	10.0.7.7
+	A	10.0.7.8
+	A	10.0.7.9
+	A	10.0.7.10
+	A	10.0.7.11
+	A	10.0.7.12
+	A	10.0.7.13
+	A	10.0.7.14
+	A	10.0.7.15
+	A	10.0.7.16
+	A	10.0.7.17
+	A	10.0.7.18
+	A	10.0.7.19
+	A	10.0.7.20
+	A	10.0.7.21
+	A	10.0.7.22
+	A	10.0.7.23
+	A	10.0.7.24
+	A	10.0.7.25
+	A	10.0.7.26
+	A	10.0.7.27
+	A	10.0.7.28
+	A	10.0.7.29
+	A	10.0.7.30
+	A	10.0.7.31
+	A	10.0.7.32
+	A	10.0.7.33
+	A	10.0.7.34
+	A	10.0.7.35
+	A	10.0.7.36
+	A	10.0.7.37
+	A	10.0.7.38
+	A	10.0.7.39
+	A	10.0.7.40
+	A	10.0.7.41
+	A	10.0.7.42
+	A	10.0.7.43
+	A	10.0.7.44
+	A	10.0.7.45
+	A	10.0.7.46
+	A	10.0.7.47
+	A	10.0.7.48
+	A	10.0.7.49
+	A	10.0.7.50
+	A	10.0.7.51
+	A	10.0.7.52
+	A	10.0.7.53
+	A	10.0.7.54
+	A	10.0.7.55
+	A	10.0.7.56
+	A	10.0.7.57
+	A	10.0.7.58
+	A	10.0.7.59
+	A	10.0.7.60
+	A	10.0.7.61
+	A	10.0.7.62
+	A	10.0.7.63
+	A	10.0.7.64
+	A	10.0.7.65
+	A	10.0.7.66
+	A	10.0.7.67
+	A	10.0.7.68
+	A	10.0.7.69
+	A	10.0.7.70
+	A	10.0.7.71
+	A	10.0.7.72
+	A	10.0.7.73
+	A	10.0.7.74
+	A	10.0.7.75
+	A	10.0.7.76
+	A	10.0.7.77
+	A	10.0.7.78
+	A	10.0.7.79
+	A	10.0.7.80
+	A	10.0.7.81
+	A	10.0.7.82
+	A	10.0.7.83
+	A	10.0.7.84
+	A	10.0.7.85
+	A	10.0.7.86
+	A	10.0.7.87
+	A	10.0.7.88
+	A	10.0.7.89
+	A	10.0.7.90
+	A	10.0.7.91
+	A	10.0.7.92
+	A	10.0.7.93
+	A	10.0.7.94
+	A	10.0.7.95
+	A	10.0.7.96
+	A	10.0.7.97
+	A	10.0.7.98
+	A	10.0.7.99
+	A	10.0.7.100
+	A	10.0.7.101
+	A	10.0.7.102
+	A	10.0.7.103
+	A	10.0.7.104
+	A	10.0.7.105
+	A	10.0.7.106
+	A	10.0.7.107
+	A	10.0.7.108
+	A	10.0.7.109
+	A	10.0.7.110
+	A	10.0.7.111
+	A	10.0.7.112
+	A	10.0.7.113
+	A	10.0.7.114
+	A	10.0.7.115
+	A	10.0.7.116
+	A	10.0.7.117
+	A	10.0.7.118
+	A	10.0.7.119
+	A	10.0.7.120
+	A	10.0.7.121
+	A	10.0.7.122
+	A	10.0.7.123
+	A	10.0.7.124
+	A	10.0.7.125
+	A	10.0.7.126
+	A	10.0.7.127
+	A	10.0.7.128
+	A	10.0.7.129
+	A	10.0.7.130
+	A	10.0.7.131
+	A	10.0.7.132
+	A	10.0.7.133
+	A	10.0.7.134
+	A	10.0.7.135
+	A	10.0.7.136
+	A	10.0.7.137
+	A	10.0.7.138
+	A	10.0.7.139
+	A	10.0.7.140
+	A	10.0.7.141
+	A	10.0.7.142
+	A	10.0.7.143
+	A	10.0.7.144
+	A	10.0.7.145
+	A	10.0.7.146
+	A	10.0.7.147
+	A	10.0.7.148
+	A	10.0.7.149
+	A	10.0.7.150
+	A	10.0.7.151
+	A	10.0.7.152
+	A	10.0.7.153
+	A	10.0.7.154
+	A	10.0.7.155
+	A	10.0.7.156
+	A	10.0.7.157
+	A	10.0.7.158
+	A	10.0.7.159
+	A	10.0.7.160
+	A	10.0.7.161
+	A	10.0.7.162
+	A	10.0.7.163
+	A	10.0.7.164
+	A	10.0.7.165
+	A	10.0.7.166
+	A	10.0.7.167
+	A	10.0.7.168
+	A	10.0.7.169
+	A	10.0.7.170
+	A	10.0.7.171
+	A	10.0.7.172
+	A	10.0.7.173
+	A	10.0.7.174
+	A	10.0.7.175
+	A	10.0.7.176
+	A	10.0.7.177
+	A	10.0.7.178
+	A	10.0.7.179
+	A	10.0.7.180
+	A	10.0.7.181
+	A	10.0.7.182
+	A	10.0.7.183
+	A	10.0.7.184
+	A	10.0.7.185
+	A	10.0.7.186
+	A	10.0.7.187
+	A	10.0.7.188
+	A	10.0.7.189
+	A	10.0.7.190
+	A	10.0.7.191
+	A	10.0.7.192
+	A	10.0.7.193
+	A	10.0.7.194
+	A	10.0.7.195
+	A	10.0.7.196
+	A	10.0.7.197
+	A	10.0.7.198
+	A	10.0.7.199
+	A	10.0.7.200
+	A	10.0.7.201
+	A	10.0.7.202
+	A	10.0.7.203
+	A	10.0.7.204
+	A	10.0.7.205
+	A	10.0.7.206
+	A	10.0.7.207
+	A	10.0.7.208
+	A	10.0.7.209
+	A	10.0.7.210
+	A	10.0.7.211
+	A	10.0.7.212
+	A	10.0.7.213
+	A	10.0.7.214
+	A	10.0.7.215
+	A	10.0.7.216
+	A	10.0.7.217
+	A	10.0.7.218
+	A	10.0.7.219
+	A	10.0.7.220
+	A	10.0.7.221
+	A	10.0.7.222
+	A	10.0.7.223
+	A	10.0.7.224
+	A	10.0.7.225
+	A	10.0.7.226
+	A	10.0.7.227
+	A	10.0.7.228
+	A	10.0.7.229
+	A	10.0.7.230
+	A	10.0.7.231
+	A	10.0.7.232
+	A	10.0.7.233
+	A	10.0.7.234
+	A	10.0.7.235
+	A	10.0.7.236
+	A	10.0.7.237
+	A	10.0.7.238
+	A	10.0.7.239
+	A	10.0.7.240
+	A	10.0.7.241
+	A	10.0.7.242
+	A	10.0.7.243
+	A	10.0.7.244
+	A	10.0.7.245
+	A	10.0.7.246
+	A	10.0.7.247
+	A	10.0.7.248
+	A	10.0.7.249
+	A	10.0.7.250
+	A	10.0.7.251
+	A	10.0.7.252
+	A	10.0.7.253
+	A	10.0.7.254
+	A	10.0.7.255
+	A	10.0.8.0
+	A	10.0.8.1
+	A	10.0.8.2
+	A	10.0.8.3
+	A	10.0.8.4
+	A	10.0.8.5
+	A	10.0.8.6
+	A	10.0.8.7
+	A	10.0.8.8
+	A	10.0.8.9
+	A	10.0.8.10
+	A	10.0.8.11
+	A	10.0.8.12
+	A	10.0.8.13
+	A	10.0.8.14
+	A	10.0.8.15
+	A	10.0.8.16
+	A	10.0.8.17
+	A	10.0.8.18
+	A	10.0.8.19
+	A	10.0.8.20
+	A	10.0.8.21
+	A	10.0.8.22
+	A	10.0.8.23
+	A	10.0.8.24
+	A	10.0.8.25
+	A	10.0.8.26
+	A	10.0.8.27
+	A	10.0.8.28
+	A	10.0.8.29
+	A	10.0.8.30
+	A	10.0.8.31
+	A	10.0.8.32
+	A	10.0.8.33
+	A	10.0.8.34
+	A	10.0.8.35
+	A	10.0.8.36
+	A	10.0.8.37
+	A	10.0.8.38
+	A	10.0.8.39
+	A	10.0.8.40
+	A	10.0.8.41
+	A	10.0.8.42
+	A	10.0.8.43
+	A	10.0.8.44
+	A	10.0.8.45
+	A	10.0.8.46
+	A	10.0.8.47
+	A	10.0.8.48
+	A	10.0.8.49
+	A	10.0.8.50
+	A	10.0.8.51
+	A	10.0.8.52
+	A	10.0.8.53
+	A	10.0.8.54
+	A	10.0.8.55
+	A	10.0.8.56
+	A	10.0.8.57
+	A	10.0.8.58
+	A	10.0.8.59
+	A	10.0.8.60
+	A	10.0.8.61
+	A	10.0.8.62
+	A	10.0.8.63
+	A	10.0.8.64
+	A	10.0.8.65
+	A	10.0.8.66
+	A	10.0.8.67
+	A	10.0.8.68
+	A	10.0.8.69
+	A	10.0.8.70
+	A	10.0.8.71
+	A	10.0.8.72
+	A	10.0.8.73
+	A	10.0.8.74
+	A	10.0.8.75
+	A	10.0.8.76
+	A	10.0.8.77
+	A	10.0.8.78
+	A	10.0.8.79
+	A	10.0.8.80
+	A	10.0.8.81
+	A	10.0.8.82
+	A	10.0.8.83
+	A	10.0.8.84
+	A	10.0.8.85
+	A	10.0.8.86
+	A	10.0.8.87
+	A	10.0.8.88
+	A	10.0.8.89
+	A	10.0.8.90
+	A	10.0.8.91
+	A	10.0.8.92
+	A	10.0.8.93
+	A	10.0.8.94
+	A	10.0.8.95
+	A	10.0.8.96
+	A	10.0.8.97
+	A	10.0.8.98
+	A	10.0.8.99
+	A	10.0.8.100
+	A	10.0.8.101
+	A	10.0.8.102
+	A	10.0.8.103
+	A	10.0.8.104
+	A	10.0.8.105
+	A	10.0.8.106
+	A	10.0.8.107
+	A	10.0.8.108
+	A	10.0.8.109
+	A	10.0.8.110
+	A	10.0.8.111
+	A	10.0.8.112
+	A	10.0.8.113
+	A	10.0.8.114
+	A	10.0.8.115
+	A	10.0.8.116
+	A	10.0.8.117
+	A	10.0.8.118
+	A	10.0.8.119
+	A	10.0.8.120
+	A	10.0.8.121
+	A	10.0.8.122
+	A	10.0.8.123
+	A	10.0.8.124
+	A	10.0.8.125
+	A	10.0.8.126
+	A	10.0.8.127
+	A	10.0.8.128
+	A	10.0.8.129
+	A	10.0.8.130
+	A	10.0.8.131
+	A	10.0.8.132
+	A	10.0.8.133
+	A	10.0.8.134
+	A	10.0.8.135
+	A	10.0.8.136
+	A	10.0.8.137
+	A	10.0.8.138
+	A	10.0.8.139
+	A	10.0.8.140
+	A	10.0.8.141
+	A	10.0.8.142
+	A	10.0.8.143
+	A	10.0.8.144
+	A	10.0.8.145
+	A	10.0.8.146
+	A	10.0.8.147
+	A	10.0.8.148
+	A	10.0.8.149
+	A	10.0.8.150
+	A	10.0.8.151
+	A	10.0.8.152
+	A	10.0.8.153
+	A	10.0.8.154
+	A	10.0.8.155
+	A	10.0.8.156
+	A	10.0.8.157
+	A	10.0.8.158
+	A	10.0.8.159
+	A	10.0.8.160
+	A	10.0.8.161
+	A	10.0.8.162
+	A	10.0.8.163
+	A	10.0.8.164
+	A	10.0.8.165
+	A	10.0.8.166
+	A	10.0.8.167
+	A	10.0.8.168
+	A	10.0.8.169
+	A	10.0.8.170
+	A	10.0.8.171
+	A	10.0.8.172
+	A	10.0.8.173
+	A	10.0.8.174
+	A	10.0.8.175
+	A	10.0.8.176
+	A	10.0.8.177
+	A	10.0.8.178
+	A	10.0.8.179
+	A	10.0.8.180
+	A	10.0.8.181
+	A	10.0.8.182
+	A	10.0.8.183
+	A	10.0.8.184
+	A	10.0.8.185
+	A	10.0.8.186
+	A	10.0.8.187
+	A	10.0.8.188
+	A	10.0.8.189
+	A	10.0.8.190
+	A	10.0.8.191
+	A	10.0.8.192
+	A	10.0.8.193
+	A	10.0.8.194
+	A	10.0.8.195
+	A	10.0.8.196
+	A	10.0.8.197
+	A	10.0.8.198
+	A	10.0.8.199
+	A	10.0.8.200
+	A	10.0.8.201
+	A	10.0.8.202
+	A	10.0.8.203
+	A	10.0.8.204
+	A	10.0.8.205
+	A	10.0.8.206
+	A	10.0.8.207
+	A	10.0.8.208
+	A	10.0.8.209
+	A	10.0.8.210
+	A	10.0.8.211
+	A	10.0.8.212
+	A	10.0.8.213
+	A	10.0.8.214
+	A	10.0.8.215
+	A	10.0.8.216
+	A	10.0.8.217
+	A	10.0.8.218
+	A	10.0.8.219
+	A	10.0.8.220
+	A	10.0.8.221
+	A	10.0.8.222
+	A	10.0.8.223
+	A	10.0.8.224
+	A	10.0.8.225
+	A	10.0.8.226
+	A	10.0.8.227
+	A	10.0.8.228
+	A	10.0.8.229
+	A	10.0.8.230
+	A	10.0.8.231
+	A	10.0.8.232
+	A	10.0.8.233
+	A	10.0.8.234
+	A	10.0.8.235
+	A	10.0.8.236
+	A	10.0.8.237
+	A	10.0.8.238
+	A	10.0.8.239
+	A	10.0.8.240
+	A	10.0.8.241
+	A	10.0.8.242
+	A	10.0.8.243
+	A	10.0.8.244
+	A	10.0.8.245
+	A	10.0.8.246
+	A	10.0.8.247
+	A	10.0.8.248
+	A	10.0.8.249
+	A	10.0.8.250
+	A	10.0.8.251
+	A	10.0.8.252
+	A	10.0.8.253
+	A	10.0.8.254
+	A	10.0.8.255
+	A	10.0.9.0
+	A	10.0.9.1
+	A	10.0.9.2
+	A	10.0.9.3
+	A	10.0.9.4
+	A	10.0.9.5
+	A	10.0.9.6
+	A	10.0.9.7
+	A	10.0.9.8
+	A	10.0.9.9
+	A	10.0.9.10
+	A	10.0.9.11
+	A	10.0.9.12
+	A	10.0.9.13
+	A	10.0.9.14
+	A	10.0.9.15
+	A	10.0.9.16
+	A	10.0.9.17
+	A	10.0.9.18
+	A	10.0.9.19
+	A	10.0.9.20
+	A	10.0.9.21
+	A	10.0.9.22
+	A	10.0.9.23
+	A	10.0.9.24
+	A	10.0.9.25
+	A	10.0.9.26
+	A	10.0.9.27
+	A	10.0.9.28
+	A	10.0.9.29
+	A	10.0.9.30
+	A	10.0.9.31
+	A	10.0.9.32
+	A	10.0.9.33
+	A	10.0.9.34
+	A	10.0.9.35
+	A	10.0.9.36
+	A	10.0.9.37
+	A	10.0.9.38
+	A	10.0.9.39
+	A	10.0.9.40
+	A	10.0.9.41
+	A	10.0.9.42
+	A	10.0.9.43
+	A	10.0.9.44
+	A	10.0.9.45
+	A	10.0.9.46
+	A	10.0.9.47
+	A	10.0.9.48
+	A	10.0.9.49
+	A	10.0.9.50
+	A	10.0.9.51
+	A	10.0.9.52
+	A	10.0.9.53
+	A	10.0.9.54
+	A	10.0.9.55
+	A	10.0.9.56
+	A	10.0.9.57
+	A	10.0.9.58
+	A	10.0.9.59
+	A	10.0.9.60
+	A	10.0.9.61
+	A	10.0.9.62
+	A	10.0.9.63
+	A	10.0.9.64
+	A	10.0.9.65
+	A	10.0.9.66
+	A	10.0.9.67
+	A	10.0.9.68
+	A	10.0.9.69
+	A	10.0.9.70
+	A	10.0.9.71
+	A	10.0.9.72
+	A	10.0.9.73
+	A	10.0.9.74
+	A	10.0.9.75
+	A	10.0.9.76
+	A	10.0.9.77
+	A	10.0.9.78
+	A	10.0.9.79
+	A	10.0.9.80
+	A	10.0.9.81
+	A	10.0.9.82
+	A	10.0.9.83
+	A	10.0.9.84
+	A	10.0.9.85
+	A	10.0.9.86
+	A	10.0.9.87
+	A	10.0.9.88
+	A	10.0.9.89
+	A	10.0.9.90
+	A	10.0.9.91
+	A	10.0.9.92
+	A	10.0.9.93
+	A	10.0.9.94
+	A	10.0.9.95
+	A	10.0.9.96
+	A	10.0.9.97
+	A	10.0.9.98
+	A	10.0.9.99
+	A	10.0.9.100
+	A	10.0.9.101
+	A	10.0.9.102
+	A	10.0.9.103
+	A	10.0.9.104
+	A	10.0.9.105
+	A	10.0.9.106
+	A	10.0.9.107
+	A	10.0.9.108
+	A	10.0.9.109
+	A	10.0.9.110
+	A	10.0.9.111
+	A	10.0.9.112
+	A	10.0.9.113
+	A	10.0.9.114
+	A	10.0.9.115
+	A	10.0.9.116
+	A	10.0.9.117
+	A	10.0.9.118
+	A	10.0.9.119
+	A	10.0.9.120
+	A	10.0.9.121
+	A	10.0.9.122
+	A	10.0.9.123
+	A	10.0.9.124
+	A	10.0.9.125
+	A	10.0.9.126
+	A	10.0.9.127
+	A	10.0.9.128
+	A	10.0.9.129
+	A	10.0.9.130
+	A	10.0.9.131
+	A	10.0.9.132
+	A	10.0.9.133
+	A	10.0.9.134
+	A	10.0.9.135
+	A	10.0.9.136
+	A	10.0.9.137
+	A	10.0.9.138
+	A	10.0.9.139
+	A	10.0.9.140
+	A	10.0.9.141
+	A	10.0.9.142
+	A	10.0.9.143
+	A	10.0.9.144
+	A	10.0.9.145
+	A	10.0.9.146
+	A	10.0.9.147
+	A	10.0.9.148
+	A	10.0.9.149
+	A	10.0.9.150
+	A	10.0.9.151
+	A	10.0.9.152
+	A	10.0.9.153
+	A	10.0.9.154
+	A	10.0.9.155
+	A	10.0.9.156
+	A	10.0.9.157
+	A	10.0.9.158
+	A	10.0.9.159
+	A	10.0.9.160
+	A	10.0.9.161
+	A	10.0.9.162
+	A	10.0.9.163
+	A	10.0.9.164
+	A	10.0.9.165
+	A	10.0.9.166
+	A	10.0.9.167
+	A	10.0.9.168
+	A	10.0.9.169
+	A	10.0.9.170
+	A	10.0.9.171
+	A	10.0.9.172
+	A	10.0.9.173
+	A	10.0.9.174
+	A	10.0.9.175
+	A	10.0.9.176
+	A	10.0.9.177
+	A	10.0.9.178
+	A	10.0.9.179
+	A	10.0.9.180
+	A	10.0.9.181
+	A	10.0.9.182
+	A	10.0.9.183
+	A	10.0.9.184
+	A	10.0.9.185
+	A	10.0.9.186
+	A	10.0.9.187
+	A	10.0.9.188
+	A	10.0.9.189
+	A	10.0.9.190
+	A	10.0.9.191
+	A	10.0.9.192
+	A	10.0.9.193
+	A	10.0.9.194
+	A	10.0.9.195
+	A	10.0.9.196
+	A	10.0.9.197
+	A	10.0.9.198
+	A	10.0.9.199
+	A	10.0.9.200
+	A	10.0.9.201
+	A	10.0.9.202
+	A	10.0.9.203
+	A	10.0.9.204
+	A	10.0.9.205
+	A	10.0.9.206
+	A	10.0.9.207
+	A	10.0.9.208
+	A	10.0.9.209
+	A	10.0.9.210
+	A	10.0.9.211
+	A	10.0.9.212
+	A	10.0.9.213
+	A	10.0.9.214
+	A	10.0.9.215
+	A	10.0.9.216
+	A	10.0.9.217
+	A	10.0.9.218
+	A	10.0.9.219
+	A	10.0.9.220
+	A	10.0.9.221
+	A	10.0.9.222
+	A	10.0.9.223
+	A	10.0.9.224
+	A	10.0.9.225
+	A	10.0.9.226
+	A	10.0.9.227
+	A	10.0.9.228
+	A	10.0.9.229
+	A	10.0.9.230
+	A	10.0.9.231
+	A	10.0.9.232
+	A	10.0.9.233
+	A	10.0.9.234
+	A	10.0.9.235
+	A	10.0.9.236
+	A	10.0.9.237
+	A	10.0.9.238
+	A	10.0.9.239
+	A	10.0.9.240
+	A	10.0.9.241
+	A	10.0.9.242
+	A	10.0.9.243
+	A	10.0.9.244
+	A	10.0.9.245
+	A	10.0.9.246
+	A	10.0.9.247
+	A	10.0.9.248
+	A	10.0.9.249
+	A	10.0.9.250
+	A	10.0.9.251
+	A	10.0.9.252
+	A	10.0.9.253
+	A	10.0.9.254
+	A	10.0.9.255
+	A	10.0.10.0
+	A	10.0.10.1
+	A	10.0.10.2
+	A	10.0.10.3
+	A	10.0.10.4
+	A	10.0.10.5
+	A	10.0.10.6
+	A	10.0.10.7
+	A	10.0.10.8
+	A	10.0.10.9
+	A	10.0.10.10
+	A	10.0.10.11
+	A	10.0.10.12
+	A	10.0.10.13
+	A	10.0.10.14
+	A	10.0.10.15
+	A	10.0.10.16
+	A	10.0.10.17
+	A	10.0.10.18
+	A	10.0.10.19
+	A	10.0.10.20
+	A	10.0.10.21
+	A	10.0.10.22
+	A	10.0.10.23
+	A	10.0.10.24
+	A	10.0.10.25
+	A	10.0.10.26
+	A	10.0.10.27
+	A	10.0.10.28
+	A	10.0.10.29
+	A	10.0.10.30
+	A	10.0.10.31
+	A	10.0.10.32
+	A	10.0.10.33
+	A	10.0.10.34
+	A	10.0.10.35
+	A	10.0.10.36
+	A	10.0.10.37
+	A	10.0.10.38
+	A	10.0.10.39
+	A	10.0.10.40
+	A	10.0.10.41
+	A	10.0.10.42
+	A	10.0.10.43
+	A	10.0.10.44
+	A	10.0.10.45
+	A	10.0.10.46
+	A	10.0.10.47
+	A	10.0.10.48
+	A	10.0.10.49
+	A	10.0.10.50
+	A	10.0.10.51
+	A	10.0.10.52
+	A	10.0.10.53
+	A	10.0.10.54
+	A	10.0.10.55
+	A	10.0.10.56
+	A	10.0.10.57
+	A	10.0.10.58
+	A	10.0.10.59
+	A	10.0.10.60
+	A	10.0.10.61
+	A	10.0.10.62
+	A	10.0.10.63
+	A	10.0.10.64
+	A	10.0.10.65
+	A	10.0.10.66
+	A	10.0.10.67
+	A	10.0.10.68
+	A	10.0.10.69
+	A	10.0.10.70
+	A	10.0.10.71
+	A	10.0.10.72
+	A	10.0.10.73
+	A	10.0.10.74
+	A	10.0.10.75
+	A	10.0.10.76
+	A	10.0.10.77
+	A	10.0.10.78
+	A	10.0.10.79
+	A	10.0.10.80
+	A	10.0.10.81
+	A	10.0.10.82
+	A	10.0.10.83
+	A	10.0.10.84
+	A	10.0.10.85
+	A	10.0.10.86
+	A	10.0.10.87
+	A	10.0.10.88
+	A	10.0.10.89
+	A	10.0.10.90
+	A	10.0.10.91
+	A	10.0.10.92
+	A	10.0.10.93
+	A	10.0.10.94
+	A	10.0.10.95
+	A	10.0.10.96
+	A	10.0.10.97
+	A	10.0.10.98
+	A	10.0.10.99
+	A	10.0.10.100
+	A	10.0.10.101
+	A	10.0.10.102
+	A	10.0.10.103
+	A	10.0.10.104
+	A	10.0.10.105
+	A	10.0.10.106
+	A	10.0.10.107
+	A	10.0.10.108
+	A	10.0.10.109
+	A	10.0.10.110
+	A	10.0.10.111
+	A	10.0.10.112
+	A	10.0.10.113
+	A	10.0.10.114
+	A	10.0.10.115
+	A	10.0.10.116
+	A	10.0.10.117
+	A	10.0.10.118
+	A	10.0.10.119
+	A	10.0.10.120
+	A	10.0.10.121
+	A	10.0.10.122
+	A	10.0.10.123
+	A	10.0.10.124
+	A	10.0.10.125
+	A	10.0.10.126
+	A	10.0.10.127
+	A	10.0.10.128
+	A	10.0.10.129
+	A	10.0.10.130
+	A	10.0.10.131
+	A	10.0.10.132
+	A	10.0.10.133
+	A	10.0.10.134
+	A	10.0.10.135
+	A	10.0.10.136
+	A	10.0.10.137
+	A	10.0.10.138
+	A	10.0.10.139
+	A	10.0.10.140
+	A	10.0.10.141
+	A	10.0.10.142
+	A	10.0.10.143
+	A	10.0.10.144
+	A	10.0.10.145
+	A	10.0.10.146
+	A	10.0.10.147
+	A	10.0.10.148
+	A	10.0.10.149
+	A	10.0.10.150
+	A	10.0.10.151
+	A	10.0.10.152
+	A	10.0.10.153
+	A	10.0.10.154
+	A	10.0.10.155
+	A	10.0.10.156
+	A	10.0.10.157
+	A	10.0.10.158
+	A	10.0.10.159
+	A	10.0.10.160
+	A	10.0.10.161
+	A	10.0.10.162
+	A	10.0.10.163
+	A	10.0.10.164
+	A	10.0.10.165
+	A	10.0.10.166
+	A	10.0.10.167
+	A	10.0.10.168
+	A	10.0.10.169
+	A	10.0.10.170
+	A	10.0.10.171
+	A	10.0.10.172
+	A	10.0.10.173
+	A	10.0.10.174
+	A	10.0.10.175
+	A	10.0.10.176
+	A	10.0.10.177
+	A	10.0.10.178
+	A	10.0.10.179
+	A	10.0.10.180
+	A	10.0.10.181
+	A	10.0.10.182
+	A	10.0.10.183
+	A	10.0.10.184
+	A	10.0.10.185
+	A	10.0.10.186
+	A	10.0.10.187
+	A	10.0.10.188
+	A	10.0.10.189
+	A	10.0.10.190
+	A	10.0.10.191
+	A	10.0.10.192
+	A	10.0.10.193
+	A	10.0.10.194
+	A	10.0.10.195
+	A	10.0.10.196
+	A	10.0.10.197
+	A	10.0.10.198
+	A	10.0.10.199
+	A	10.0.10.200
+	A	10.0.10.201
+	A	10.0.10.202
+	A	10.0.10.203
+	A	10.0.10.204
+	A	10.0.10.205
+	A	10.0.10.206
+	A	10.0.10.207
+	A	10.0.10.208
+	A	10.0.10.209
+	A	10.0.10.210
+	A	10.0.10.211
+	A	10.0.10.212
+	A	10.0.10.213
+	A	10.0.10.214
+	A	10.0.10.215
+	A	10.0.10.216
+	A	10.0.10.217
+	A	10.0.10.218
+	A	10.0.10.219
+	A	10.0.10.220
+	A	10.0.10.221
+	A	10.0.10.222
+	A	10.0.10.223
+	A	10.0.10.224
+	A	10.0.10.225
+	A	10.0.10.226
+	A	10.0.10.227
+	A	10.0.10.228
+	A	10.0.10.229
+	A	10.0.10.230
+	A	10.0.10.231
+	A	10.0.10.232
+	A	10.0.10.233
+	A	10.0.10.234
+	A	10.0.10.235
+	A	10.0.10.236
+	A	10.0.10.237
+	A	10.0.10.238
+	A	10.0.10.239
+	A	10.0.10.240
+	A	10.0.10.241
+	A	10.0.10.242
+	A	10.0.10.243
+	A	10.0.10.244
+	A	10.0.10.245
+	A	10.0.10.246
+	A	10.0.10.247
+	A	10.0.10.248
+	A	10.0.10.249
+	A	10.0.10.250
+	A	10.0.10.251
+	A	10.0.10.252
+	A	10.0.10.253
+	A	10.0.10.254
+	A	10.0.10.255
+	A	10.0.11.0
+	A	10.0.11.1
+	A	10.0.11.2
+	A	10.0.11.3
+	A	10.0.11.4
+	A	10.0.11.5
+	A	10.0.11.6
+	A	10.0.11.7
+	A	10.0.11.8
+	A	10.0.11.9
+	A	10.0.11.10
+	A	10.0.11.11
+	A	10.0.11.12
+	A	10.0.11.13
+	A	10.0.11.14
+	A	10.0.11.15
+	A	10.0.11.16
+	A	10.0.11.17
+	A	10.0.11.18
+	A	10.0.11.19
+	A	10.0.11.20
+	A	10.0.11.21
+	A	10.0.11.22
+	A	10.0.11.23
+	A	10.0.11.24
+	A	10.0.11.25
+	A	10.0.11.26
+	A	10.0.11.27
+	A	10.0.11.28
+	A	10.0.11.29
+	A	10.0.11.30
+	A	10.0.11.31
+	A	10.0.11.32
+	A	10.0.11.33
+	A	10.0.11.34
+	A	10.0.11.35
+	A	10.0.11.36
+	A	10.0.11.37
+	A	10.0.11.38
+	A	10.0.11.39
+	A	10.0.11.40
+	A	10.0.11.41
+	A	10.0.11.42
+	A	10.0.11.43
+	A	10.0.11.44
+	A	10.0.11.45
+	A	10.0.11.46
+	A	10.0.11.47
+	A	10.0.11.48
+	A	10.0.11.49
+	A	10.0.11.50
+	A	10.0.11.51
+	A	10.0.11.52
+	A	10.0.11.53
+	A	10.0.11.54
+	A	10.0.11.55
+	A	10.0.11.56
+	A	10.0.11.57
+	A	10.0.11.58
+	A	10.0.11.59
+	A	10.0.11.60
+	A	10.0.11.61
+	A	10.0.11.62
+	A	10.0.11.63
+	A	10.0.11.64
+	A	10.0.11.65
+	A	10.0.11.66
+	A	10.0.11.67
+	A	10.0.11.68
+	A	10.0.11.69
+	A	10.0.11.70
+	A	10.0.11.71
+	A	10.0.11.72
+	A	10.0.11.73
+	A	10.0.11.74
+	A	10.0.11.75
+	A	10.0.11.76
+	A	10.0.11.77
+	A	10.0.11.78
+	A	10.0.11.79
+	A	10.0.11.80
+	A	10.0.11.81
+	A	10.0.11.82
+	A	10.0.11.83
+	A	10.0.11.84
+	A	10.0.11.85
+	A	10.0.11.86
+	A	10.0.11.87
+	A	10.0.11.88
+	A	10.0.11.89
+	A	10.0.11.90
+	A	10.0.11.91
+	A	10.0.11.92
+	A	10.0.11.93
+	A	10.0.11.94
+	A	10.0.11.95
+	A	10.0.11.96
+	A	10.0.11.97
+	A	10.0.11.98
+	A	10.0.11.99
+	A	10.0.11.100
+	A	10.0.11.101
+	A	10.0.11.102
+	A	10.0.11.103
+	A	10.0.11.104
+	A	10.0.11.105
+	A	10.0.11.106
+	A	10.0.11.107
+	A	10.0.11.108
+	A	10.0.11.109
+	A	10.0.11.110
+	A	10.0.11.111
+	A	10.0.11.112
+	A	10.0.11.113
+	A	10.0.11.114
+	A	10.0.11.115
+	A	10.0.11.116
+	A	10.0.11.117
+	A	10.0.11.118
+	A	10.0.11.119
+	A	10.0.11.120
+	A	10.0.11.121
+	A	10.0.11.122
+	A	10.0.11.123
+	A	10.0.11.124
+	A	10.0.11.125
+	A	10.0.11.126
+	A	10.0.11.127
+	A	10.0.11.128
+	A	10.0.11.129
+	A	10.0.11.130
+	A	10.0.11.131
+	A	10.0.11.132
+	A	10.0.11.133
+	A	10.0.11.134
+	A	10.0.11.135
+	A	10.0.11.136
+	A	10.0.11.137
+	A	10.0.11.138
+	A	10.0.11.139
+	A	10.0.11.140
+	A	10.0.11.141
+	A	10.0.11.142
+	A	10.0.11.143
+	A	10.0.11.144
+	A	10.0.11.145
+	A	10.0.11.146
+	A	10.0.11.147
+	A	10.0.11.148
+	A	10.0.11.149
+	A	10.0.11.150
+	A	10.0.11.151
+	A	10.0.11.152
+	A	10.0.11.153
+	A	10.0.11.154
+	A	10.0.11.155
+	A	10.0.11.156
+	A	10.0.11.157
+	A	10.0.11.158
+	A	10.0.11.159
+	A	10.0.11.160
+	A	10.0.11.161
+	A	10.0.11.162
+	A	10.0.11.163
+	A	10.0.11.164
+	A	10.0.11.165
+	A	10.0.11.166
+	A	10.0.11.167
+	A	10.0.11.168
+	A	10.0.11.169
+	A	10.0.11.170
+	A	10.0.11.171
+	A	10.0.11.172
+	A	10.0.11.173
+	A	10.0.11.174
+	A	10.0.11.175
+	A	10.0.11.176
+	A	10.0.11.177
+	A	10.0.11.178
+	A	10.0.11.179
+	A	10.0.11.180
+	A	10.0.11.181
+	A	10.0.11.182
+	A	10.0.11.183
+	A	10.0.11.184
+	A	10.0.11.185
+	A	10.0.11.186
+	A	10.0.11.187
+	A	10.0.11.188
+	A	10.0.11.189
+	A	10.0.11.190
+	A	10.0.11.191
+	A	10.0.11.192
+	A	10.0.11.193
+	A	10.0.11.194
+	A	10.0.11.195
+	A	10.0.11.196
+	A	10.0.11.197
+	A	10.0.11.198
+	A	10.0.11.199
+	A	10.0.11.200
+	A	10.0.11.201
+	A	10.0.11.202
+	A	10.0.11.203
+	A	10.0.11.204
+	A	10.0.11.205
+	A	10.0.11.206
+	A	10.0.11.207
+	A	10.0.11.208
+	A	10.0.11.209
+	A	10.0.11.210
+	A	10.0.11.211
+	A	10.0.11.212
+	A	10.0.11.213
+	A	10.0.11.214
+	A	10.0.11.215
+	A	10.0.11.216
+	A	10.0.11.217
+	A	10.0.11.218
+	A	10.0.11.219
+	A	10.0.11.220
+	A	10.0.11.221
+	A	10.0.11.222
+	A	10.0.11.223
+	A	10.0.11.224
+	A	10.0.11.225
+	A	10.0.11.226
+	A	10.0.11.227
+	A	10.0.11.228
+	A	10.0.11.229
+	A	10.0.11.230
+	A	10.0.11.231
+	A	10.0.11.232
+	A	10.0.11.233
+	A	10.0.11.234
+	A	10.0.11.235
+	A	10.0.11.236
+	A	10.0.11.237
+	A	10.0.11.238
+	A	10.0.11.239
+	A	10.0.11.240
+	A	10.0.11.241
+	A	10.0.11.242
+	A	10.0.11.243
+	A	10.0.11.244
+	A	10.0.11.245
+	A	10.0.11.246
+	A	10.0.11.247
+	A	10.0.11.248
+	A	10.0.11.249
+	A	10.0.11.250
+	A	10.0.11.251
+	A	10.0.11.252
+	A	10.0.11.253
+	A	10.0.11.254
+	A	10.0.11.255
+	A	10.0.12.0
+	A	10.0.12.1
+	A	10.0.12.2
+	A	10.0.12.3
+	A	10.0.12.4
+	A	10.0.12.5
+	A	10.0.12.6
+	A	10.0.12.7
+	A	10.0.12.8
+	A	10.0.12.9
+	A	10.0.12.10
+	A	10.0.12.11
+	A	10.0.12.12
+	A	10.0.12.13
+	A	10.0.12.14
+	A	10.0.12.15
+	A	10.0.12.16
+	A	10.0.12.17
+	A	10.0.12.18
+	A	10.0.12.19
+	A	10.0.12.20
+	A	10.0.12.21
+	A	10.0.12.22
+	A	10.0.12.23
+	A	10.0.12.24
+	A	10.0.12.25
+	A	10.0.12.26
+	A	10.0.12.27
+	A	10.0.12.28
+	A	10.0.12.29
+	A	10.0.12.30
+	A	10.0.12.31
+	A	10.0.12.32
+	A	10.0.12.33
+	A	10.0.12.34
+	A	10.0.12.35
+	A	10.0.12.36
+	A	10.0.12.37
+	A	10.0.12.38
+	A	10.0.12.39
+	A	10.0.12.40
+	A	10.0.12.41
+	A	10.0.12.42
+	A	10.0.12.43
+	A	10.0.12.44
+	A	10.0.12.45
+	A	10.0.12.46
+	A	10.0.12.47
+	A	10.0.12.48
+	A	10.0.12.49
+	A	10.0.12.50
+	A	10.0.12.51
+	A	10.0.12.52
+	A	10.0.12.53
+	A	10.0.12.54
+	A	10.0.12.55
+	A	10.0.12.56
+	A	10.0.12.57
+	A	10.0.12.58
+	A	10.0.12.59
+	A	10.0.12.60
+	A	10.0.12.61
+	A	10.0.12.62
+	A	10.0.12.63
+	A	10.0.12.64
+	A	10.0.12.65
+	A	10.0.12.66
+	A	10.0.12.67
+	A	10.0.12.68
+	A	10.0.12.69
+	A	10.0.12.70
+	A	10.0.12.71
+	A	10.0.12.72
+	A	10.0.12.73
+	A	10.0.12.74
+	A	10.0.12.75
+	A	10.0.12.76
+	A	10.0.12.77
+	A	10.0.12.78
+	A	10.0.12.79
+	A	10.0.12.80
+	A	10.0.12.81
+	A	10.0.12.82
+	A	10.0.12.83
+	A	10.0.12.84
+	A	10.0.12.85
+	A	10.0.12.86
+	A	10.0.12.87
+	A	10.0.12.88
+	A	10.0.12.89
+	A	10.0.12.90
+	A	10.0.12.91
+	A	10.0.12.92
+	A	10.0.12.93
+	A	10.0.12.94
+	A	10.0.12.95
+	A	10.0.12.96
+	A	10.0.12.97
+	A	10.0.12.98
+	A	10.0.12.99
+	A	10.0.12.100
+	A	10.0.12.101
+	A	10.0.12.102
+	A	10.0.12.103
+	A	10.0.12.104
+	A	10.0.12.105
+	A	10.0.12.106
+	A	10.0.12.107
+	A	10.0.12.108
+	A	10.0.12.109
+	A	10.0.12.110
+	A	10.0.12.111
+	A	10.0.12.112
+	A	10.0.12.113
+	A	10.0.12.114
+	A	10.0.12.115
+	A	10.0.12.116
+	A	10.0.12.117
+	A	10.0.12.118
+	A	10.0.12.119
+	A	10.0.12.120
+	A	10.0.12.121
+	A	10.0.12.122
+	A	10.0.12.123
+	A	10.0.12.124
+	A	10.0.12.125
+	A	10.0.12.126
+	A	10.0.12.127
+	A	10.0.12.128
+	A	10.0.12.129
+	A	10.0.12.130
+	A	10.0.12.131
+	A	10.0.12.132
+	A	10.0.12.133
+	A	10.0.12.134
+	A	10.0.12.135
+	A	10.0.12.136
+	A	10.0.12.137
+	A	10.0.12.138
+	A	10.0.12.139
+	A	10.0.12.140
+	A	10.0.12.141
+	A	10.0.12.142
+	A	10.0.12.143
+	A	10.0.12.144
+	A	10.0.12.145
+	A	10.0.12.146
+	A	10.0.12.147
+	A	10.0.12.148
+	A	10.0.12.149
+	A	10.0.12.150
+	A	10.0.12.151
+	A	10.0.12.152
+	A	10.0.12.153
+	A	10.0.12.154
+	A	10.0.12.155
+	A	10.0.12.156
+	A	10.0.12.157
+	A	10.0.12.158
+	A	10.0.12.159
+	A	10.0.12.160
+	A	10.0.12.161
+	A	10.0.12.162
+	A	10.0.12.163
+	A	10.0.12.164
+	A	10.0.12.165
+	A	10.0.12.166
+	A	10.0.12.167
+	A	10.0.12.168
+	A	10.0.12.169
+	A	10.0.12.170
+	A	10.0.12.171
+	A	10.0.12.172
+	A	10.0.12.173
+	A	10.0.12.174
+	A	10.0.12.175
+	A	10.0.12.176
+	A	10.0.12.177
+	A	10.0.12.178
+	A	10.0.12.179
+	A	10.0.12.180
+	A	10.0.12.181
+	A	10.0.12.182
+	A	10.0.12.183
+	A	10.0.12.184
+	A	10.0.12.185
+	A	10.0.12.186
+	A	10.0.12.187
+	A	10.0.12.188
+	A	10.0.12.189
+	A	10.0.12.190
+	A	10.0.12.191
+	A	10.0.12.192
+	A	10.0.12.193
+	A	10.0.12.194
+	A	10.0.12.195
+	A	10.0.12.196
+	A	10.0.12.197
+	A	10.0.12.198
+	A	10.0.12.199
+	A	10.0.12.200
+	A	10.0.12.201
+	A	10.0.12.202
+	A	10.0.12.203
+	A	10.0.12.204
+	A	10.0.12.205
+	A	10.0.12.206
+	A	10.0.12.207
+	A	10.0.12.208
+	A	10.0.12.209
+	A	10.0.12.210
+	A	10.0.12.211
+	A	10.0.12.212
+	A	10.0.12.213
+	A	10.0.12.214
+	A	10.0.12.215
+	A	10.0.12.216
+	A	10.0.12.217
+	A	10.0.12.218
+	A	10.0.12.219
+	A	10.0.12.220
+	A	10.0.12.221
+	A	10.0.12.222
+	A	10.0.12.223
+	A	10.0.12.224
+	A	10.0.12.225
+	A	10.0.12.226
+	A	10.0.12.227
+	A	10.0.12.228
+	A	10.0.12.229
+	A	10.0.12.230
+	A	10.0.12.231
+	A	10.0.12.232
+	A	10.0.12.233
+	A	10.0.12.234
+	A	10.0.12.235
+	A	10.0.12.236
+	A	10.0.12.237
+	A	10.0.12.238
+	A	10.0.12.239
+	A	10.0.12.240
+	A	10.0.12.241
+	A	10.0.12.242
+	A	10.0.12.243
+	A	10.0.12.244
+	A	10.0.12.245
+	A	10.0.12.246
+	A	10.0.12.247
+	A	10.0.12.248
+	A	10.0.12.249
+	A	10.0.12.250
+	A	10.0.12.251
+	A	10.0.12.252
+	A	10.0.12.253
+	A	10.0.12.254
+	A	10.0.12.255
+	A	10.0.13.0
+	A	10.0.13.1
+	A	10.0.13.2
+	A	10.0.13.3
+	A	10.0.13.4
+	A	10.0.13.5
+	A	10.0.13.6
+	A	10.0.13.7
+	A	10.0.13.8
+	A	10.0.13.9
+	A	10.0.13.10
+	A	10.0.13.11
+	A	10.0.13.12
+	A	10.0.13.13
+	A	10.0.13.14
+	A	10.0.13.15
+	A	10.0.13.16
+	A	10.0.13.17
+	A	10.0.13.18
+	A	10.0.13.19
+	A	10.0.13.20
+	A	10.0.13.21
+	A	10.0.13.22
+	A	10.0.13.23
+	A	10.0.13.24
+	A	10.0.13.25
+	A	10.0.13.26
+	A	10.0.13.27
+	A	10.0.13.28
+	A	10.0.13.29
+	A	10.0.13.30
+	A	10.0.13.31
+	A	10.0.13.32
+	A	10.0.13.33
+	A	10.0.13.34
+	A	10.0.13.35
+	A	10.0.13.36
+	A	10.0.13.37
+	A	10.0.13.38
+	A	10.0.13.39
+	A	10.0.13.40
+	A	10.0.13.41
+	A	10.0.13.42
+	A	10.0.13.43
+	A	10.0.13.44
+	A	10.0.13.45
+	A	10.0.13.46
+	A	10.0.13.47
+	A	10.0.13.48
+	A	10.0.13.49
+	A	10.0.13.50
+	A	10.0.13.51
+	A	10.0.13.52
+	A	10.0.13.53
+	A	10.0.13.54
+	A	10.0.13.55
+	A	10.0.13.56
+	A	10.0.13.57
+	A	10.0.13.58
+	A	10.0.13.59
+	A	10.0.13.60
+	A	10.0.13.61
+	A	10.0.13.62
+	A	10.0.13.63
+	A	10.0.13.64
+	A	10.0.13.65
+	A	10.0.13.66
+	A	10.0.13.67
+	A	10.0.13.68
+	A	10.0.13.69
+	A	10.0.13.70
+	A	10.0.13.71
+	A	10.0.13.72
+	A	10.0.13.73
+	A	10.0.13.74
+	A	10.0.13.75
+	A	10.0.13.76
+	A	10.0.13.77
+	A	10.0.13.78
+	A	10.0.13.79
+	A	10.0.13.80
+	A	10.0.13.81
+	A	10.0.13.82
+	A	10.0.13.83
+	A	10.0.13.84
+	A	10.0.13.85
+	A	10.0.13.86
+	A	10.0.13.87
+	A	10.0.13.88
+	A	10.0.13.89
+	A	10.0.13.90
+	A	10.0.13.91
+	A	10.0.13.92
+	A	10.0.13.93
+	A	10.0.13.94
+	A	10.0.13.95
+	A	10.0.13.96
+	A	10.0.13.97
+	A	10.0.13.98
+	A	10.0.13.99
+	A	10.0.13.100
+	A	10.0.13.101
+	A	10.0.13.102
+	A	10.0.13.103
+	A	10.0.13.104
+	A	10.0.13.105
+	A	10.0.13.106
+	A	10.0.13.107
+	A	10.0.13.108
+	A	10.0.13.109
+	A	10.0.13.110
+	A	10.0.13.111
+	A	10.0.13.112
+	A	10.0.13.113
+	A	10.0.13.114
+	A	10.0.13.115
+	A	10.0.13.116
+	A	10.0.13.117
+	A	10.0.13.118
+	A	10.0.13.119
+	A	10.0.13.120
+	A	10.0.13.121
+	A	10.0.13.122
+	A	10.0.13.123
+	A	10.0.13.124
+	A	10.0.13.125
+	A	10.0.13.126
+	A	10.0.13.127
+	A	10.0.13.128
+	A	10.0.13.129
+	A	10.0.13.130
+	A	10.0.13.131
+	A	10.0.13.132
+	A	10.0.13.133
+	A	10.0.13.134
+	A	10.0.13.135
+	A	10.0.13.136
+	A	10.0.13.137
+	A	10.0.13.138
+	A	10.0.13.139
+	A	10.0.13.140
+	A	10.0.13.141
+	A	10.0.13.142
+	A	10.0.13.143
+	A	10.0.13.144
+	A	10.0.13.145
+	A	10.0.13.146
+	A	10.0.13.147
+	A	10.0.13.148
+	A	10.0.13.149
+	A	10.0.13.150
+	A	10.0.13.151
+	A	10.0.13.152
+	A	10.0.13.153
+	A	10.0.13.154
+	A	10.0.13.155
+	A	10.0.13.156
+	A	10.0.13.157
+	A	10.0.13.158
+	A	10.0.13.159
+	A	10.0.13.160
+	A	10.0.13.161
+	A	10.0.13.162
+	A	10.0.13.163
+	A	10.0.13.164
+	A	10.0.13.165
+	A	10.0.13.166
+	A	10.0.13.167
+	A	10.0.13.168
+	A	10.0.13.169
+	A	10.0.13.170
+	A	10.0.13.171
+	A	10.0.13.172
+	A	10.0.13.173
+	A	10.0.13.174
+	A	10.0.13.175
+	A	10.0.13.176
+	A	10.0.13.177
+	A	10.0.13.178
+	A	10.0.13.179
+	A	10.0.13.180
+	A	10.0.13.181
+	A	10.0.13.182
+	A	10.0.13.183
+	A	10.0.13.184
+	A	10.0.13.185
+	A	10.0.13.186
+	A	10.0.13.187
+	A	10.0.13.188
+	A	10.0.13.189
+	A	10.0.13.190
+	A	10.0.13.191
+	A	10.0.13.192
+	A	10.0.13.193
+	A	10.0.13.194
+	A	10.0.13.195
+	A	10.0.13.196
+	A	10.0.13.197
+	A	10.0.13.198
+	A	10.0.13.199
+	A	10.0.13.200
+	A	10.0.13.201
+	A	10.0.13.202
+	A	10.0.13.203
+	A	10.0.13.204
+	A	10.0.13.205
+	A	10.0.13.206
+	A	10.0.13.207
+	A	10.0.13.208
+	A	10.0.13.209
+	A	10.0.13.210
+	A	10.0.13.211
+	A	10.0.13.212
+	A	10.0.13.213
+	A	10.0.13.214
+	A	10.0.13.215
+	A	10.0.13.216
+	A	10.0.13.217
+	A	10.0.13.218
+	A	10.0.13.219
+	A	10.0.13.220
+	A	10.0.13.221
+	A	10.0.13.222
+	A	10.0.13.223
+	A	10.0.13.224
+	A	10.0.13.225
+	A	10.0.13.226
+	A	10.0.13.227
+	A	10.0.13.228
+	A	10.0.13.229
+	A	10.0.13.230
+	A	10.0.13.231
+	A	10.0.13.232
+	A	10.0.13.233
+	A	10.0.13.234
+	A	10.0.13.235
+	A	10.0.13.236
+	A	10.0.13.237
+	A	10.0.13.238
+	A	10.0.13.239
+	A	10.0.13.240
+	A	10.0.13.241
+	A	10.0.13.242
+	A	10.0.13.243
+	A	10.0.13.244
+	A	10.0.13.245
+	A	10.0.13.246
+	A	10.0.13.247
+	A	10.0.13.248
+	A	10.0.13.249
+	A	10.0.13.250
+	A	10.0.13.251
+	A	10.0.13.252
+	A	10.0.13.253
+	A	10.0.13.254
+	A	10.0.13.255
+	A	10.0.14.0
+	A	10.0.14.1
+	A	10.0.14.2
+	A	10.0.14.3
+	A	10.0.14.4
+	A	10.0.14.5
+	A	10.0.14.6
+	A	10.0.14.7
+	A	10.0.14.8
+	A	10.0.14.9
+	A	10.0.14.10
+	A	10.0.14.11
+	A	10.0.14.12
+	A	10.0.14.13
+	A	10.0.14.14
+	A	10.0.14.15
+	A	10.0.14.16
+	A	10.0.14.17
+	A	10.0.14.18
+	A	10.0.14.19
+	A	10.0.14.20
+	A	10.0.14.21
+	A	10.0.14.22
+	A	10.0.14.23
+	A	10.0.14.24
+	A	10.0.14.25
+	A	10.0.14.26
+	A	10.0.14.27
+	A	10.0.14.28
+	A	10.0.14.29
+	A	10.0.14.30
+	A	10.0.14.31
+	A	10.0.14.32
+	A	10.0.14.33
+	A	10.0.14.34
+	A	10.0.14.35
+	A	10.0.14.36
+	A	10.0.14.37
+	A	10.0.14.38
+	A	10.0.14.39
+	A	10.0.14.40
+	A	10.0.14.41
+	A	10.0.14.42
+	A	10.0.14.43
+	A	10.0.14.44
+	A	10.0.14.45
+	A	10.0.14.46
+	A	10.0.14.47
+	A	10.0.14.48
+	A	10.0.14.49
+	A	10.0.14.50
+	A	10.0.14.51
+	A	10.0.14.52
+	A	10.0.14.53
+	A	10.0.14.54
+	A	10.0.14.55
+	A	10.0.14.56
+	A	10.0.14.57
+	A	10.0.14.58
+	A	10.0.14.59
+	A	10.0.14.60
+	A	10.0.14.61
+	A	10.0.14.62
+	A	10.0.14.63
+	A	10.0.14.64
+	A	10.0.14.65
+	A	10.0.14.66
+	A	10.0.14.67
+	A	10.0.14.68
+	A	10.0.14.69
+	A	10.0.14.70
+	A	10.0.14.71
+	A	10.0.14.72
+	A	10.0.14.73
+	A	10.0.14.74
+	A	10.0.14.75
+	A	10.0.14.76
+	A	10.0.14.77
+	A	10.0.14.78
+	A	10.0.14.79
+	A	10.0.14.80
+	A	10.0.14.81
+	A	10.0.14.82
+	A	10.0.14.83
+	A	10.0.14.84
+	A	10.0.14.85
+	A	10.0.14.86
+	A	10.0.14.87
+	A	10.0.14.88
+	A	10.0.14.89
+	A	10.0.14.90
+	A	10.0.14.91
+	A	10.0.14.92
+	A	10.0.14.93
+	A	10.0.14.94
+	A	10.0.14.95
+	A	10.0.14.96
+	A	10.0.14.97
+	A	10.0.14.98
+	A	10.0.14.99
+	A	10.0.14.100
+	A	10.0.14.101
+	A	10.0.14.102
+	A	10.0.14.103
+	A	10.0.14.104
+	A	10.0.14.105
+	A	10.0.14.106
+	A	10.0.14.107
+	A	10.0.14.108
+	A	10.0.14.109
+	A	10.0.14.110
+	A	10.0.14.111
+	A	10.0.14.112
+	A	10.0.14.113
+	A	10.0.14.114
+	A	10.0.14.115
+	A	10.0.14.116
+	A	10.0.14.117
+	A	10.0.14.118
+	A	10.0.14.119
+	A	10.0.14.120
+	A	10.0.14.121
+	A	10.0.14.122
+	A	10.0.14.123
+	A	10.0.14.124
+	A	10.0.14.125
+	A	10.0.14.126
+	A	10.0.14.127
+	A	10.0.14.128
+	A	10.0.14.129
+	A	10.0.14.130
+	A	10.0.14.131
+	A	10.0.14.132
+	A	10.0.14.133
+	A	10.0.14.134
+	A	10.0.14.135
+	A	10.0.14.136
+	A	10.0.14.137
+	A	10.0.14.138
+	A	10.0.14.139
+	A	10.0.14.140
+	A	10.0.14.141
+	A	10.0.14.142
+	A	10.0.14.143
+	A	10.0.14.144
+	A	10.0.14.145
+	A	10.0.14.146
+	A	10.0.14.147
+	A	10.0.14.148
+	A	10.0.14.149
+	A	10.0.14.150
+	A	10.0.14.151
+	A	10.0.14.152
+	A	10.0.14.153
+	A	10.0.14.154
+	A	10.0.14.155
+	A	10.0.14.156
+	A	10.0.14.157
+	A	10.0.14.158
+	A	10.0.14.159
+	A	10.0.14.160
+	A	10.0.14.161
+	A	10.0.14.162
+	A	10.0.14.163
+	A	10.0.14.164
+	A	10.0.14.165
+	A	10.0.14.166
+	A	10.0.14.167
+	A	10.0.14.168
+	A	10.0.14.169
+	A	10.0.14.170
+	A	10.0.14.171
+	A	10.0.14.172
+	A	10.0.14.173
+	A	10.0.14.174
+	A	10.0.14.175
+	A	10.0.14.176
+	A	10.0.14.177
+	A	10.0.14.178
+	A	10.0.14.179
+	A	10.0.14.180
+	A	10.0.14.181
+	A	10.0.14.182
+	A	10.0.14.183
+	A	10.0.14.184
+	A	10.0.14.185
+	A	10.0.14.186
+	A	10.0.14.187
+	A	10.0.14.188
+	A	10.0.14.189
+	A	10.0.14.190
+	A	10.0.14.191
+	A	10.0.14.192
+	A	10.0.14.193
+	A	10.0.14.194
+	A	10.0.14.195
+	A	10.0.14.196
+	A	10.0.14.197
+	A	10.0.14.198
+	A	10.0.14.199
+	A	10.0.14.200
+	A	10.0.14.201
+	A	10.0.14.202
+	A	10.0.14.203
+	A	10.0.14.204
+	A	10.0.14.205
+	A	10.0.14.206
+	A	10.0.14.207
+	A	10.0.14.208
+	A	10.0.14.209
+	A	10.0.14.210
+	A	10.0.14.211
+	A	10.0.14.212
+	A	10.0.14.213
+	A	10.0.14.214
+	A	10.0.14.215
+	A	10.0.14.216
+	A	10.0.14.217
+	A	10.0.14.218
+	A	10.0.14.219
+	A	10.0.14.220
+	A	10.0.14.221
+	A	10.0.14.222
+	A	10.0.14.223
+	A	10.0.14.224
+	A	10.0.14.225
+	A	10.0.14.226
+	A	10.0.14.227
+	A	10.0.14.228
+	A	10.0.14.229
+	A	10.0.14.230
+	A	10.0.14.231
+	A	10.0.14.232
+	A	10.0.14.233
+	A	10.0.14.234
+	A	10.0.14.235
+	A	10.0.14.236
+	A	10.0.14.237
+	A	10.0.14.238
+	A	10.0.14.239
+	A	10.0.14.240
+	A	10.0.14.241
+	A	10.0.14.242
+	A	10.0.14.243
+	A	10.0.14.244
+	A	10.0.14.245
+	A	10.0.14.246
+	A	10.0.14.247
+	A	10.0.14.248
+	A	10.0.14.249
+	A	10.0.14.250
+	A	10.0.14.251
+	A	10.0.14.252
+	A	10.0.14.253
+	A	10.0.14.254
+	A	10.0.14.255
+	A	10.0.15.0
+	A	10.0.15.1
+	A	10.0.15.2
+	A	10.0.15.3
+	A	10.0.15.4
+	A	10.0.15.5
+	A	10.0.15.6
+	A	10.0.15.7
+	A	10.0.15.8
+	A	10.0.15.9
+	A	10.0.15.10
+	A	10.0.15.11
+	A	10.0.15.12
+	A	10.0.15.13
+	A	10.0.15.14
+	A	10.0.15.15
+	A	10.0.15.16
+	A	10.0.15.17
+	A	10.0.15.18
+	A	10.0.15.19
+	A	10.0.15.20
+	A	10.0.15.21
+	A	10.0.15.22
+	A	10.0.15.23
+	A	10.0.15.24
+	A	10.0.15.25
+	A	10.0.15.26
+	A	10.0.15.27
+	A	10.0.15.28
+	A	10.0.15.29
+	A	10.0.15.30
+	A	10.0.15.31
+	A	10.0.15.32
+	A	10.0.15.33
+	A	10.0.15.34
+	A	10.0.15.35
+	A	10.0.15.36
+	A	10.0.15.37
+	A	10.0.15.38
+	A	10.0.15.39
+	A	10.0.15.40
+	A	10.0.15.41
+	A	10.0.15.42
+	A	10.0.15.43
+	A	10.0.15.44
+	A	10.0.15.45
+	A	10.0.15.46
+	A	10.0.15.47
+	A	10.0.15.48
+	A	10.0.15.49
+	A	10.0.15.50
+	A	10.0.15.51
+	A	10.0.15.52
+	A	10.0.15.53
+	A	10.0.15.54
+	A	10.0.15.55
+	A	10.0.15.56
+	A	10.0.15.57
+	A	10.0.15.58
+	A	10.0.15.59
+	A	10.0.15.60
+	A	10.0.15.61
+	A	10.0.15.62
+	A	10.0.15.63
+	A	10.0.15.64
+	A	10.0.15.65
+	A	10.0.15.66
+	A	10.0.15.67
+	A	10.0.15.68
+	A	10.0.15.69
+	A	10.0.15.70
+	A	10.0.15.71
+	A	10.0.15.72
+	A	10.0.15.73
+	A	10.0.15.74
+	A	10.0.15.75
+	A	10.0.15.76
+	A	10.0.15.77
+	A	10.0.15.78
+	A	10.0.15.79
+	A	10.0.15.80
+	A	10.0.15.81
+	A	10.0.15.82
+	A	10.0.15.83
+	A	10.0.15.84
+	A	10.0.15.85
+	A	10.0.15.86
+	A	10.0.15.87
+	A	10.0.15.88
+	A	10.0.15.89
+	A	10.0.15.90
+	A	10.0.15.91
+	A	10.0.15.92
+	A	10.0.15.93
+	A	10.0.15.94
+	A	10.0.15.95
+	A	10.0.15.96
+	A	10.0.15.97
+	A	10.0.15.98
+	A	10.0.15.99
+	A	10.0.15.100
+	A	10.0.15.101
+	A	10.0.15.102
+	A	10.0.15.103
+	A	10.0.15.104
+	A	10.0.15.105
+	A	10.0.15.106
+	A	10.0.15.107
+	A	10.0.15.108
+	A	10.0.15.109
+	A	10.0.15.110
+	A	10.0.15.111
+	A	10.0.15.112
+	A	10.0.15.113
+	A	10.0.15.114
+	A	10.0.15.115
+	A	10.0.15.116
+	A	10.0.15.117
+	A	10.0.15.118
+	A	10.0.15.119
+	A	10.0.15.120
+	A	10.0.15.121
+	A	10.0.15.122
+	A	10.0.15.123
+	A	10.0.15.124
+	A	10.0.15.125
+	A	10.0.15.126
+	A	10.0.15.127
+	A	10.0.15.128
+	A	10.0.15.129
+	A	10.0.15.130
+	A	10.0.15.131
+	A	10.0.15.132
+	A	10.0.15.133
+	A	10.0.15.134
+	A	10.0.15.135
+	A	10.0.15.136
+	A	10.0.15.137
+	A	10.0.15.138
+	A	10.0.15.139
+	A	10.0.15.140
+	A	10.0.15.141
+	A	10.0.15.142
+	A	10.0.15.143
+	A	10.0.15.144
+	A	10.0.15.145
+	A	10.0.15.146
+	A	10.0.15.147
+	A	10.0.15.148
+	A	10.0.15.149
+	A	10.0.15.150
+	A	10.0.15.151
+	A	10.0.15.152
+	A	10.0.15.153
+	A	10.0.15.154
+	A	10.0.15.155
+	A	10.0.15.156
+	A	10.0.15.157
+	A	10.0.15.158
+	A	10.0.15.159
+	A	10.0.15.160
+	A	10.0.15.161
+	A	10.0.15.162
+	A	10.0.15.163
+	A	10.0.15.164
+	A	10.0.15.165
+	A	10.0.15.166
+	A	10.0.15.167
+	A	10.0.15.168
+	A	10.0.15.169
+	A	10.0.15.170
+	A	10.0.15.171
+	A	10.0.15.172
+	A	10.0.15.173
+	A	10.0.15.174
+	A	10.0.15.175
+	A	10.0.15.176
+	A	10.0.15.177
+	A	10.0.15.178
+	A	10.0.15.179
+	A	10.0.15.180
+	A	10.0.15.181
+	A	10.0.15.182
+	A	10.0.15.183
+	A	10.0.15.184
+	A	10.0.15.185
+	A	10.0.15.186
+	A	10.0.15.187
+	A	10.0.15.188
+	A	10.0.15.189
+	A	10.0.15.190
+	A	10.0.15.191
+	A	10.0.15.192
+	A	10.0.15.193
+	A	10.0.15.194
+	A	10.0.15.195
+	A	10.0.15.196
+	A	10.0.15.197
+	A	10.0.15.198
+	A	10.0.15.199
+	A	10.0.15.200
+	A	10.0.15.201
+	A	10.0.15.202
+	A	10.0.15.203
+	A	10.0.15.204
+	A	10.0.15.205
+	A	10.0.15.206
+	A	10.0.15.207
+	A	10.0.15.208
+	A	10.0.15.209
+	A	10.0.15.210
+	A	10.0.15.211
+	A	10.0.15.212
+	A	10.0.15.213
+	A	10.0.15.214
+	A	10.0.15.215
+	A	10.0.15.216
+	A	10.0.15.217
+	A	10.0.15.218
+	A	10.0.15.219
+	A	10.0.15.220
+	A	10.0.15.221
+	A	10.0.15.222
+	A	10.0.15.223
+	A	10.0.15.224
+	A	10.0.15.225
+	A	10.0.15.226
+	A	10.0.15.227
+	A	10.0.15.228
+	A	10.0.15.229
+	A	10.0.15.230
+	A	10.0.15.231
+	A	10.0.15.232
+	A	10.0.15.233
+	A	10.0.15.234
+	A	10.0.15.235
+	A	10.0.15.236
+	A	10.0.15.237
+	A	10.0.15.238
+	A	10.0.15.239
+	A	10.0.15.240
+	A	10.0.15.241
+	A	10.0.15.242
+	A	10.0.15.243
+	A	10.0.15.244
+	A	10.0.15.245
+	A	10.0.15.246
+	A	10.0.15.247
+	A	10.0.15.248
+	A	10.0.15.249
+	A	10.0.15.250
+	A	10.0.15.251
+	A	10.0.15.252
+	A	10.0.15.253
+	A	10.0.15.254
+	A	10.0.15.255
+	A	10.0.16.0
+	A	10.0.16.1
+	A	10.0.16.2
+	A	10.0.16.3
+	A	10.0.16.4
+	A	10.0.16.5
+	A	10.0.16.6
+	A	10.0.16.7
+	A	10.0.16.8
+	A	10.0.16.9
+	A	10.0.16.10
+	A	10.0.16.11
+	A	10.0.16.12
+	A	10.0.16.13
+	A	10.0.16.14
+	A	10.0.16.15
+	A	10.0.16.16
+	A	10.0.16.17
+	A	10.0.16.18
+	A	10.0.16.19
+	A	10.0.16.20
+	A	10.0.16.21
+	A	10.0.16.22
+	A	10.0.16.23
+	A	10.0.16.24
+	A	10.0.16.25
+	A	10.0.16.26
+	A	10.0.16.27
+	A	10.0.16.28
+	A	10.0.16.29
+	A	10.0.16.30
+	A	10.0.16.31
+	A	10.0.16.32
+	A	10.0.16.33
+	A	10.0.16.34
+	A	10.0.16.35
+	A	10.0.16.36
+	A	10.0.16.37
+	A	10.0.16.38
+	A	10.0.16.39
+	A	10.0.16.40
+	A	10.0.16.41
+	A	10.0.16.42
+	A	10.0.16.43
+	A	10.0.16.44
+	A	10.0.16.45
+	A	10.0.16.46
+	A	10.0.16.47
+	A	10.0.16.48
+	A	10.0.16.49
+	A	10.0.16.50
+	A	10.0.16.51
+	A	10.0.16.52
+	A	10.0.16.53
+	A	10.0.16.54
+	A	10.0.16.55
+	A	10.0.16.56
+	A	10.0.16.57
+	A	10.0.16.58
+	A	10.0.16.59
+	A	10.0.16.60
+	A	10.0.16.61
+	A	10.0.16.62
+	A	10.0.16.63
+	A	10.0.16.64
+	A	10.0.16.65
+	A	10.0.16.66
+	A	10.0.16.67
+	A	10.0.16.68
+	A	10.0.16.69
+	A	10.0.16.70
+	A	10.0.16.71
+	A	10.0.16.72
+	A	10.0.16.73
+	A	10.0.16.74
+	A	10.0.16.75
+	A	10.0.16.76
+	A	10.0.16.77
+	A	10.0.16.78
+	A	10.0.16.79
+	A	10.0.16.80
+	A	10.0.16.81
+	A	10.0.16.82
+	A	10.0.16.83
+	A	10.0.16.84
+	A	10.0.16.85
+	A	10.0.16.86
+	A	10.0.16.87
+	A	10.0.16.88
+	A	10.0.16.89
+	A	10.0.16.90
+	A	10.0.16.91
+	A	10.0.16.92
+	A	10.0.16.93
+	A	10.0.16.94
+	A	10.0.16.95
+	A	10.0.16.96
+	A	10.0.16.97
+	A	10.0.16.98
+	A	10.0.16.99
+	A	10.0.16.100
+	A	10.0.16.101
+	A	10.0.16.102
+	A	10.0.16.103
+	A	10.0.16.104
+	A	10.0.16.105
+	A	10.0.16.106
+	A	10.0.16.107
+	A	10.0.16.108
+	A	10.0.16.109
+	A	10.0.16.110
+	A	10.0.16.111
+	A	10.0.16.112
+	A	10.0.16.113
+	A	10.0.16.114
+	A	10.0.16.115
+	A	10.0.16.116
+	A	10.0.16.117
+	A	10.0.16.118
+	A	10.0.16.119
+	A	10.0.16.120
+	A	10.0.16.121
+	A	10.0.16.122
+	A	10.0.16.123
+	A	10.0.16.124
+	A	10.0.16.125
+	A	10.0.16.126
+	A	10.0.16.127
+	A	10.0.16.128
+	A	10.0.16.129
+	A	10.0.16.130
+	A	10.0.16.131
+	A	10.0.16.132
+	A	10.0.16.133
+	A	10.0.16.134
+	A	10.0.16.135
+	A	10.0.16.136
+	A	10.0.16.137
+	A	10.0.16.138
+	A	10.0.16.139
+	A	10.0.16.140
+	A	10.0.16.141
+	A	10.0.16.142
+	A	10.0.16.143
+	A	10.0.16.144
+	A	10.0.16.145
+	A	10.0.16.146
+	A	10.0.16.147
+	A	10.0.16.148
+	A	10.0.16.149
+	A	10.0.16.150
+	A	10.0.16.151
+	A	10.0.16.152
+	A	10.0.16.153
+	A	10.0.16.154
+	A	10.0.16.155
+	A	10.0.16.156
+	A	10.0.16.157
+	A	10.0.16.158
+	A	10.0.16.159
+	A	10.0.16.160
+	A	10.0.16.161
+	A	10.0.16.162
+	A	10.0.16.163
+	A	10.0.16.164
+	A	10.0.16.165
+	A	10.0.16.166
+	A	10.0.16.167
+	A	10.0.16.168
+	A	10.0.16.169
+	A	10.0.16.170
+	A	10.0.16.171
+	A	10.0.16.172
+	A	10.0.16.173
+	A	10.0.16.174
+	A	10.0.16.175
+	A	10.0.16.176
+	A	10.0.16.177
+	A	10.0.16.178
+	A	10.0.16.179
+	A	10.0.16.180
+	A	10.0.16.181
+	A	10.0.16.182
+	A	10.0.16.183
+	A	10.0.16.184
+	A	10.0.16.185
+	A	10.0.16.186
+	A	10.0.16.187
+	A	10.0.16.188
+	A	10.0.16.189
+	A	10.0.16.190
+	A	10.0.16.191
+	A	10.0.16.192
+	A	10.0.16.193
+	A	10.0.16.194
+	A	10.0.16.195
+	A	10.0.16.196
+	A	10.0.16.197
+	A	10.0.16.198
+	A	10.0.16.199
+	A	10.0.16.200
+	A	10.0.16.201
+	A	10.0.16.202
+	A	10.0.16.203
+	A	10.0.16.204
+	A	10.0.16.205
+	A	10.0.16.206
+	A	10.0.16.207
+	A	10.0.16.208
+	A	10.0.16.209
+	A	10.0.16.210
+	A	10.0.16.211
+	A	10.0.16.212
+	A	10.0.16.213
+	A	10.0.16.214
+	A	10.0.16.215
+	A	10.0.16.216
+	A	10.0.16.217
+	A	10.0.16.218
+	A	10.0.16.219
+	A	10.0.16.220
+	A	10.0.16.221
+	A	10.0.16.222
+	A	10.0.16.223
+	A	10.0.16.224
+	A	10.0.16.225
+	A	10.0.16.226
+	A	10.0.16.227
+	A	10.0.16.228
+	A	10.0.16.229
+	A	10.0.16.230
+	A	10.0.16.231
+	A	10.0.16.232
+	A	10.0.16.233
+	A	10.0.16.234
+	A	10.0.16.235
+	A	10.0.16.236
+	A	10.0.16.237
+	A	10.0.16.238
+	A	10.0.16.239
+	A	10.0.16.240
+	A	10.0.16.241
+	A	10.0.16.242
+	A	10.0.16.243
+	A	10.0.16.244
+	A	10.0.16.245
+	A	10.0.16.246
+	A	10.0.16.247
+	A	10.0.16.248
+	A	10.0.16.249
+	A	10.0.16.250
+	A	10.0.16.251
+	A	10.0.16.252
+	A	10.0.16.253
+	A	10.0.16.254
+	A	10.0.16.255
+	A	10.0.17.0
+	A	10.0.17.1
+	A	10.0.17.2
+	A	10.0.17.3
+	A	10.0.17.4
+	A	10.0.17.5
+	A	10.0.17.6
+	A	10.0.17.7
+	A	10.0.17.8
+	A	10.0.17.9
+	A	10.0.17.10
+	A	10.0.17.11
+	A	10.0.17.12
+	A	10.0.17.13
+	A	10.0.17.14
+	A	10.0.17.15
+	A	10.0.17.16
+	A	10.0.17.17
+	A	10.0.17.18
+	A	10.0.17.19
+	A	10.0.17.20
+	A	10.0.17.21
+	A	10.0.17.22
+	A	10.0.17.23
+	A	10.0.17.24
+	A	10.0.17.25
+	A	10.0.17.26
+	A	10.0.17.27
+	A	10.0.17.28
+	A	10.0.17.29
+	A	10.0.17.30
+	A	10.0.17.31
+	A	10.0.17.32
+	A	10.0.17.33
+	A	10.0.17.34
+	A	10.0.17.35
+	A	10.0.17.36
+	A	10.0.17.37
+	A	10.0.17.38
+	A	10.0.17.39
+	A	10.0.17.40
+	A	10.0.17.41
+	A	10.0.17.42
+	A	10.0.17.43
+	A	10.0.17.44
+	A	10.0.17.45
+	A	10.0.17.46
+	A	10.0.17.47
+	A	10.0.17.48
+	A	10.0.17.49
+	A	10.0.17.50
+	A	10.0.17.51
+	A	10.0.17.52
+	A	10.0.17.53
+	A	10.0.17.54
+	A	10.0.17.55
+	A	10.0.17.56
+	A	10.0.17.57
+	A	10.0.17.58
+	A	10.0.17.59
+	A	10.0.17.60
+	A	10.0.17.61
+	A	10.0.17.62
+	A	10.0.17.63
+	A	10.0.17.64
+	A	10.0.17.65
+	A	10.0.17.66
+	A	10.0.17.67
+	A	10.0.17.68
+	A	10.0.17.69
+	A	10.0.17.70
+	A	10.0.17.71
+	A	10.0.17.72
+	A	10.0.17.73
+	A	10.0.17.74
+	A	10.0.17.75
+	A	10.0.17.76
+	A	10.0.17.77
+	A	10.0.17.78
+	A	10.0.17.79
+	A	10.0.17.80
+	A	10.0.17.81
+	A	10.0.17.82
+	A	10.0.17.83
+	A	10.0.17.84
+	A	10.0.17.85
+	A	10.0.17.86
+	A	10.0.17.87
+	A	10.0.17.88
+	A	10.0.17.89
+	A	10.0.17.90
+	A	10.0.17.91
+	A	10.0.17.92
+	A	10.0.17.93
+	A	10.0.17.94
+	A	10.0.17.95
+	A	10.0.17.96
+	A	10.0.17.97
+	A	10.0.17.98
+	A	10.0.17.99
+	A	10.0.17.100
+	A	10.0.17.101
+	A	10.0.17.102
+	A	10.0.17.103
+	A	10.0.17.104
+	A	10.0.17.105
+	A	10.0.17.106
+	A	10.0.17.107
+	A	10.0.17.108
+	A	10.0.17.109
+	A	10.0.17.110
+	A	10.0.17.111
+	A	10.0.17.112
+	A	10.0.17.113
+	A	10.0.17.114
+	A	10.0.17.115
+	A	10.0.17.116
+	A	10.0.17.117
+	A	10.0.17.118
+	A	10.0.17.119
+	A	10.0.17.120
+	A	10.0.17.121
+	A	10.0.17.122
+	A	10.0.17.123
+	A	10.0.17.124
+	A	10.0.17.125
+	A	10.0.17.126
+	A	10.0.17.127
+	A	10.0.17.128
+	A	10.0.17.129
+	A	10.0.17.130
+	A	10.0.17.131
+	A	10.0.17.132
+	A	10.0.17.133
+	A	10.0.17.134
+	A	10.0.17.135
+	A	10.0.17.136
+	A	10.0.17.137
+	A	10.0.17.138
+	A	10.0.17.139
+	A	10.0.17.140
+	A	10.0.17.141
+	A	10.0.17.142
+	A	10.0.17.143
+	A	10.0.17.144
+	A	10.0.17.145
+	A	10.0.17.146
+	A	10.0.17.147
+	A	10.0.17.148
+	A	10.0.17.149
+	A	10.0.17.150
+	A	10.0.17.151
+	A	10.0.17.152
+	A	10.0.17.153
+	A	10.0.17.154
+	A	10.0.17.155
+	A	10.0.17.156
+	A	10.0.17.157
+	A	10.0.17.158
+	A	10.0.17.159
+	A	10.0.17.160
+	A	10.0.17.161
+	A	10.0.17.162
+	A	10.0.17.163
+	A	10.0.17.164
+	A	10.0.17.165
+	A	10.0.17.166
+	A	10.0.17.167
+	A	10.0.17.168
+	A	10.0.17.169
+	A	10.0.17.170
+	A	10.0.17.171
+	A	10.0.17.172
+	A	10.0.17.173
+	A	10.0.17.174
+	A	10.0.17.175
+	A	10.0.17.176
+	A	10.0.17.177
+	A	10.0.17.178
+	A	10.0.17.179
+	A	10.0.17.180
+	A	10.0.17.181
+	A	10.0.17.182
+	A	10.0.17.183
+	A	10.0.17.184
+	A	10.0.17.185
+	A	10.0.17.186
+	A	10.0.17.187
+	A	10.0.17.188
+	A	10.0.17.189
+	A	10.0.17.190
+	A	10.0.17.191
+	A	10.0.17.192
+	A	10.0.17.193
+	A	10.0.17.194
+	A	10.0.17.195
+	A	10.0.17.196
+	A	10.0.17.197
+	A	10.0.17.198
+	A	10.0.17.199
+	A	10.0.17.200
+	A	10.0.17.201
+	A	10.0.17.202
+	A	10.0.17.203
+	A	10.0.17.204
+	A	10.0.17.205
+	A	10.0.17.206
+	A	10.0.17.207
+	A	10.0.17.208
+	A	10.0.17.209
+	A	10.0.17.210
+	A	10.0.17.211
+	A	10.0.17.212
+	A	10.0.17.213
+	A	10.0.17.214
+	A	10.0.17.215
+	A	10.0.17.216
+	A	10.0.17.217
+	A	10.0.17.218
+	A	10.0.17.219
+	A	10.0.17.220
+	A	10.0.17.221
+	A	10.0.17.222
+	A	10.0.17.223
+	A	10.0.17.224
+	A	10.0.17.225
+	A	10.0.17.226
+	A	10.0.17.227
+	A	10.0.17.228
+	A	10.0.17.229
+	A	10.0.17.230
+	A	10.0.17.231
+	A	10.0.17.232
+	A	10.0.17.233
+	A	10.0.17.234
+	A	10.0.17.235
+	A	10.0.17.236
+	A	10.0.17.237
+	A	10.0.17.238
+	A	10.0.17.239
+	A	10.0.17.240
+	A	10.0.17.241
+	A	10.0.17.242
+	A	10.0.17.243
+	A	10.0.17.244
+	A	10.0.17.245
+	A	10.0.17.246
+	A	10.0.17.247
+	A	10.0.17.248
+	A	10.0.17.249
+	A	10.0.17.250
+	A	10.0.17.251
+	A	10.0.17.252
+	A	10.0.17.253
+	A	10.0.17.254
+	A	10.0.17.255
+	A	10.0.18.0
+	A	10.0.18.1
+	A	10.0.18.2
+	A	10.0.18.3
+	A	10.0.18.4
+	A	10.0.18.5
+	A	10.0.18.6
+	A	10.0.18.7
+	A	10.0.18.8
+	A	10.0.18.9
+	A	10.0.18.10
+	A	10.0.18.11
+	A	10.0.18.12
+	A	10.0.18.13
+	A	10.0.18.14
+	A	10.0.18.15
+	A	10.0.18.16
+	A	10.0.18.17
+	A	10.0.18.18
+	A	10.0.18.19
+	A	10.0.18.20
+	A	10.0.18.21
+	A	10.0.18.22
+	A	10.0.18.23
+	A	10.0.18.24
+	A	10.0.18.25
+	A	10.0.18.26
+	A	10.0.18.27
+	A	10.0.18.28
+	A	10.0.18.29
+	A	10.0.18.30
+	A	10.0.18.31
+	A	10.0.18.32
+	A	10.0.18.33
+	A	10.0.18.34
+	A	10.0.18.35
+	A	10.0.18.36
+	A	10.0.18.37
+	A	10.0.18.38
+	A	10.0.18.39
+	A	10.0.18.40
+	A	10.0.18.41
+	A	10.0.18.42
+	A	10.0.18.43
+	A	10.0.18.44
+	A	10.0.18.45
+	A	10.0.18.46
+	A	10.0.18.47
+	A	10.0.18.48
+	A	10.0.18.49
+	A	10.0.18.50
+	A	10.0.18.51
+	A	10.0.18.52
+	A	10.0.18.53
+	A	10.0.18.54
+	A	10.0.18.55
+	A	10.0.18.56
+	A	10.0.18.57
+	A	10.0.18.58
+	A	10.0.18.59
+	A	10.0.18.60
+	A	10.0.18.61
+	A	10.0.18.62
+	A	10.0.18.63
+	A	10.0.18.64
+	A	10.0.18.65
+	A	10.0.18.66
+	A	10.0.18.67
+	A	10.0.18.68
+	A	10.0.18.69
+	A	10.0.18.70
+	A	10.0.18.71
+	A	10.0.18.72
+	A	10.0.18.73
+	A	10.0.18.74
+	A	10.0.18.75
+	A	10.0.18.76
+	A	10.0.18.77
+	A	10.0.18.78
+	A	10.0.18.79
+	A	10.0.18.80
+	A	10.0.18.81
+	A	10.0.18.82
+	A	10.0.18.83
+	A	10.0.18.84
+	A	10.0.18.85
+	A	10.0.18.86
+	A	10.0.18.87
+	A	10.0.18.88
+	A	10.0.18.89
+	A	10.0.18.90
+	A	10.0.18.91
+	A	10.0.18.92
+	A	10.0.18.93
+	A	10.0.18.94
+	A	10.0.18.95
+	A	10.0.18.96
+	A	10.0.18.97
+	A	10.0.18.98
+	A	10.0.18.99
+	A	10.0.18.100
+	A	10.0.18.101
+	A	10.0.18.102
+	A	10.0.18.103
+	A	10.0.18.104
+	A	10.0.18.105
+	A	10.0.18.106
+	A	10.0.18.107
+	A	10.0.18.108
+	A	10.0.18.109
+	A	10.0.18.110
+	A	10.0.18.111
+	A	10.0.18.112
+	A	10.0.18.113
+	A	10.0.18.114
+	A	10.0.18.115
+	A	10.0.18.116
+	A	10.0.18.117
+	A	10.0.18.118
+	A	10.0.18.119
+	A	10.0.18.120
+	A	10.0.18.121
+	A	10.0.18.122
+	A	10.0.18.123
+	A	10.0.18.124
+	A	10.0.18.125
+	A	10.0.18.126
+	A	10.0.18.127
+	A	10.0.18.128
+	A	10.0.18.129
+	A	10.0.18.130
+	A	10.0.18.131
+	A	10.0.18.132
+	A	10.0.18.133
+	A	10.0.18.134
+	A	10.0.18.135
+	A	10.0.18.136
+	A	10.0.18.137
+	A	10.0.18.138
+	A	10.0.18.139
+	A	10.0.18.140
+	A	10.0.18.141
+	A	10.0.18.142
+	A	10.0.18.143
+	A	10.0.18.144
+	A	10.0.18.145
+	A	10.0.18.146
+	A	10.0.18.147
+	A	10.0.18.148
+	A	10.0.18.149
+	A	10.0.18.150
+	A	10.0.18.151
+	A	10.0.18.152
+	A	10.0.18.153
+	A	10.0.18.154
+	A	10.0.18.155
+	A	10.0.18.156
+	A	10.0.18.157
+	A	10.0.18.158
+	A	10.0.18.159
+	A	10.0.18.160
+	A	10.0.18.161
+	A	10.0.18.162
+	A	10.0.18.163
+	A	10.0.18.164
+	A	10.0.18.165
+	A	10.0.18.166
+	A	10.0.18.167
+	A	10.0.18.168
+	A	10.0.18.169
+	A	10.0.18.170
+	A	10.0.18.171
+	A	10.0.18.172
+	A	10.0.18.173
+	A	10.0.18.174
+	A	10.0.18.175
+	A	10.0.18.176
+	A	10.0.18.177
+	A	10.0.18.178
+	A	10.0.18.179
+	A	10.0.18.180
+	A	10.0.18.181
+	A	10.0.18.182
+	A	10.0.18.183
+	A	10.0.18.184
+	A	10.0.18.185
+	A	10.0.18.186
+	A	10.0.18.187
+	A	10.0.18.188
+	A	10.0.18.189
+	A	10.0.18.190
+	A	10.0.18.191
+	A	10.0.18.192
+	A	10.0.18.193
+	A	10.0.18.194
+	A	10.0.18.195
+	A	10.0.18.196
+	A	10.0.18.197
+	A	10.0.18.198
+	A	10.0.18.199
+	A	10.0.18.200
+	A	10.0.18.201
+	A	10.0.18.202
+	A	10.0.18.203
+	A	10.0.18.204
+	A	10.0.18.205
+	A	10.0.18.206
+	A	10.0.18.207
+	A	10.0.18.208
+	A	10.0.18.209
+	A	10.0.18.210
+	A	10.0.18.211
+	A	10.0.18.212
+	A	10.0.18.213
+	A	10.0.18.214
+	A	10.0.18.215
+	A	10.0.18.216
+	A	10.0.18.217
+	A	10.0.18.218
+	A	10.0.18.219
+	A	10.0.18.220
+	A	10.0.18.221
+	A	10.0.18.222
+	A	10.0.18.223
+	A	10.0.18.224
+	A	10.0.18.225
+	A	10.0.18.226
+	A	10.0.18.227
+	A	10.0.18.228
+	A	10.0.18.229
+	A	10.0.18.230
+	A	10.0.18.231
+	A	10.0.18.232
+	A	10.0.18.233
+	A	10.0.18.234
+	A	10.0.18.235
+	A	10.0.18.236
+	A	10.0.18.237
+	A	10.0.18.238
+	A	10.0.18.239
+	A	10.0.18.240
+	A	10.0.18.241
+	A	10.0.18.242
+	A	10.0.18.243
+	A	10.0.18.244
+	A	10.0.18.245
+	A	10.0.18.246
+	A	10.0.18.247
+	A	10.0.18.248
+	A	10.0.18.249
+	A	10.0.18.250
+	A	10.0.18.251
+	A	10.0.18.252
+	A	10.0.18.253
+	A	10.0.18.254
+	A	10.0.18.255
+	A	10.0.19.0
+	A	10.0.19.1
+	A	10.0.19.2
+	A	10.0.19.3
+	A	10.0.19.4
+	A	10.0.19.5
+	A	10.0.19.6
+	A	10.0.19.7
+	A	10.0.19.8
+	A	10.0.19.9
+	A	10.0.19.10
+	A	10.0.19.11
+	A	10.0.19.12
+	A	10.0.19.13
+	A	10.0.19.14
+	A	10.0.19.15
+	A	10.0.19.16
+	A	10.0.19.17
+	A	10.0.19.18
+	A	10.0.19.19
+	A	10.0.19.20
+	A	10.0.19.21
+	A	10.0.19.22
+	A	10.0.19.23
+	A	10.0.19.24
+	A	10.0.19.25
+	A	10.0.19.26
+	A	10.0.19.27
+	A	10.0.19.28
+	A	10.0.19.29
+	A	10.0.19.30
+	A	10.0.19.31
+	A	10.0.19.32
+	A	10.0.19.33
+	A	10.0.19.34
+	A	10.0.19.35
+	A	10.0.19.36
+	A	10.0.19.37
+	A	10.0.19.38
+	A	10.0.19.39
+	A	10.0.19.40
+	A	10.0.19.41
+	A	10.0.19.42
+	A	10.0.19.43
+	A	10.0.19.44
+	A	10.0.19.45
+	A	10.0.19.46
+	A	10.0.19.47
+	A	10.0.19.48
+	A	10.0.19.49
+	A	10.0.19.50
+	A	10.0.19.51
+	A	10.0.19.52
+	A	10.0.19.53
+	A	10.0.19.54
+	A	10.0.19.55
+	A	10.0.19.56
+	A	10.0.19.57
+	A	10.0.19.58
+	A	10.0.19.59
+	A	10.0.19.60
+	A	10.0.19.61
+	A	10.0.19.62
+	A	10.0.19.63
+	A	10.0.19.64
+	A	10.0.19.65
+	A	10.0.19.66
+	A	10.0.19.67
+	A	10.0.19.68
+	A	10.0.19.69
+	A	10.0.19.70
+	A	10.0.19.71
+	A	10.0.19.72
+	A	10.0.19.73
+	A	10.0.19.74
+	A	10.0.19.75
+	A	10.0.19.76
+	A	10.0.19.77
+	A	10.0.19.78
+	A	10.0.19.79
+	A	10.0.19.80
+	A	10.0.19.81
+	A	10.0.19.82
+	A	10.0.19.83
+	A	10.0.19.84
+	A	10.0.19.85
+	A	10.0.19.86
+	A	10.0.19.87
+	A	10.0.19.88
+	A	10.0.19.89
+	A	10.0.19.90
+	A	10.0.19.91
+	A	10.0.19.92
+	A	10.0.19.93
+	A	10.0.19.94
+	A	10.0.19.95
+	A	10.0.19.96
+	A	10.0.19.97
+	A	10.0.19.98
+	A	10.0.19.99
+	A	10.0.19.100
+	A	10.0.19.101
+	A	10.0.19.102
+	A	10.0.19.103
+	A	10.0.19.104
+	A	10.0.19.105
+	A	10.0.19.106
+	A	10.0.19.107
+	A	10.0.19.108
+	A	10.0.19.109
+	A	10.0.19.110
+	A	10.0.19.111
+	A	10.0.19.112
+	A	10.0.19.113
+	A	10.0.19.114
+	A	10.0.19.115
+	A	10.0.19.116
+	A	10.0.19.117
+	A	10.0.19.118
+	A	10.0.19.119
+	A	10.0.19.120
+	A	10.0.19.121
+	A	10.0.19.122
+	A	10.0.19.123
+	A	10.0.19.124
+	A	10.0.19.125
+	A	10.0.19.126
+	A	10.0.19.127
+	A	10.0.19.128
+	A	10.0.19.129
+	A	10.0.19.130
+	A	10.0.19.131
+	A	10.0.19.132
+	A	10.0.19.133
+	A	10.0.19.134
+	A	10.0.19.135
+a-maximum-rrset	A	10.0.0.0
+	A	10.0.0.1
+	A	10.0.0.2
+	A	10.0.0.3
+	A	10.0.0.4
+	A	10.0.0.5
+	A	10.0.0.6
+	A	10.0.0.7
+	A	10.0.0.8
+	A	10.0.0.9
+	A	10.0.0.10
+	A	10.0.0.11
+	A	10.0.0.12
+	A	10.0.0.13
+	A	10.0.0.14
+	A	10.0.0.15
+	A	10.0.0.16
+	A	10.0.0.17
+	A	10.0.0.18
+	A	10.0.0.19
+	A	10.0.0.20
+	A	10.0.0.21
+	A	10.0.0.22
+	A	10.0.0.23
+	A	10.0.0.24
+	A	10.0.0.25
+	A	10.0.0.26
+	A	10.0.0.27
+	A	10.0.0.28
+	A	10.0.0.29
+	A	10.0.0.30
+	A	10.0.0.31
+	A	10.0.0.32
+	A	10.0.0.33
+	A	10.0.0.34
+	A	10.0.0.35
+	A	10.0.0.36
+	A	10.0.0.37
+	A	10.0.0.38
+	A	10.0.0.39
+	A	10.0.0.40
+	A	10.0.0.41
+	A	10.0.0.42
+	A	10.0.0.43
+	A	10.0.0.44
+	A	10.0.0.45
+	A	10.0.0.46
+	A	10.0.0.47
+	A	10.0.0.48
+	A	10.0.0.49
+	A	10.0.0.50
+	A	10.0.0.51
+	A	10.0.0.52
+	A	10.0.0.53
+	A	10.0.0.54
+	A	10.0.0.55
+	A	10.0.0.56
+	A	10.0.0.57
+	A	10.0.0.58
+	A	10.0.0.59
+	A	10.0.0.60
+	A	10.0.0.61
+	A	10.0.0.62
+	A	10.0.0.63
+	A	10.0.0.64
+	A	10.0.0.65
+	A	10.0.0.66
+	A	10.0.0.67
+	A	10.0.0.68
+	A	10.0.0.69
+	A	10.0.0.70
+	A	10.0.0.71
+	A	10.0.0.72
+	A	10.0.0.73
+	A	10.0.0.74
+	A	10.0.0.75
+	A	10.0.0.76
+	A	10.0.0.77
+	A	10.0.0.78
+	A	10.0.0.79
+	A	10.0.0.80
+	A	10.0.0.81
+	A	10.0.0.82
+	A	10.0.0.83
+	A	10.0.0.84
+	A	10.0.0.85
+	A	10.0.0.86
+	A	10.0.0.87
+	A	10.0.0.88
+	A	10.0.0.89
+	A	10.0.0.90
+	A	10.0.0.91
+	A	10.0.0.92
+	A	10.0.0.93
+	A	10.0.0.94
+	A	10.0.0.95
+	A	10.0.0.96
+	A	10.0.0.97
+	A	10.0.0.98
+	A	10.0.0.99
+	A	10.0.0.100
+	A	10.0.0.101
+	A	10.0.0.102
+	A	10.0.0.103
+	A	10.0.0.104
+	A	10.0.0.105
+	A	10.0.0.106
+	A	10.0.0.107
+	A	10.0.0.108
+	A	10.0.0.109
+	A	10.0.0.110
+	A	10.0.0.111
+	A	10.0.0.112
+	A	10.0.0.113
+	A	10.0.0.114
+	A	10.0.0.115
+	A	10.0.0.116
+	A	10.0.0.117
+	A	10.0.0.118
+	A	10.0.0.119
+	A	10.0.0.120
+	A	10.0.0.121
+	A	10.0.0.122
+	A	10.0.0.123
+	A	10.0.0.124
+	A	10.0.0.125
+	A	10.0.0.126
+	A	10.0.0.127
+	A	10.0.0.128
+	A	10.0.0.129
+	A	10.0.0.130
+	A	10.0.0.131
+	A	10.0.0.132
+	A	10.0.0.133
+	A	10.0.0.134
+	A	10.0.0.135
+	A	10.0.0.136
+	A	10.0.0.137
+	A	10.0.0.138
+	A	10.0.0.139
+	A	10.0.0.140
+	A	10.0.0.141
+	A	10.0.0.142
+	A	10.0.0.143
+	A	10.0.0.144
+	A	10.0.0.145
+	A	10.0.0.146
+	A	10.0.0.147
+	A	10.0.0.148
+	A	10.0.0.149
+	A	10.0.0.150
+	A	10.0.0.151
+	A	10.0.0.152
+	A	10.0.0.153
+	A	10.0.0.154
+	A	10.0.0.155
+	A	10.0.0.156
+	A	10.0.0.157
+	A	10.0.0.158
+	A	10.0.0.159
+	A	10.0.0.160
+	A	10.0.0.161
+	A	10.0.0.162
+	A	10.0.0.163
+	A	10.0.0.164
+	A	10.0.0.165
+	A	10.0.0.166
+	A	10.0.0.167
+	A	10.0.0.168
+	A	10.0.0.169
+	A	10.0.0.170
+	A	10.0.0.171
+	A	10.0.0.172
+	A	10.0.0.173
+	A	10.0.0.174
+	A	10.0.0.175
+	A	10.0.0.176
+	A	10.0.0.177
+	A	10.0.0.178
+	A	10.0.0.179
+	A	10.0.0.180
+	A	10.0.0.181
+	A	10.0.0.182
+	A	10.0.0.183
+	A	10.0.0.184
+	A	10.0.0.185
+	A	10.0.0.186
+	A	10.0.0.187
+	A	10.0.0.188
+	A	10.0.0.189
+	A	10.0.0.190
+	A	10.0.0.191
+	A	10.0.0.192
+	A	10.0.0.193
+	A	10.0.0.194
+	A	10.0.0.195
+	A	10.0.0.196
+	A	10.0.0.197
+	A	10.0.0.198
+	A	10.0.0.199
+	A	10.0.0.200
+	A	10.0.0.201
+	A	10.0.0.202
+	A	10.0.0.203
+	A	10.0.0.204
+	A	10.0.0.205
+	A	10.0.0.206
+	A	10.0.0.207
+	A	10.0.0.208
+	A	10.0.0.209
+	A	10.0.0.210
+	A	10.0.0.211
+	A	10.0.0.212
+	A	10.0.0.213
+	A	10.0.0.214
+	A	10.0.0.215
+	A	10.0.0.216
+	A	10.0.0.217
+	A	10.0.0.218
+	A	10.0.0.219
+	A	10.0.0.220
+	A	10.0.0.221
+	A	10.0.0.222
+	A	10.0.0.223
+	A	10.0.0.224
+	A	10.0.0.225
+	A	10.0.0.226
+	A	10.0.0.227
+	A	10.0.0.228
+	A	10.0.0.229
+	A	10.0.0.230
+	A	10.0.0.231
+	A	10.0.0.232
+	A	10.0.0.233
+	A	10.0.0.234
+	A	10.0.0.235
+	A	10.0.0.236
+	A	10.0.0.237
+	A	10.0.0.238
+	A	10.0.0.239
+	A	10.0.0.240
+	A	10.0.0.241
+	A	10.0.0.242
+	A	10.0.0.243
+	A	10.0.0.244
+	A	10.0.0.245
+	A	10.0.0.246
+	A	10.0.0.247
+	A	10.0.0.248
+	A	10.0.0.249
+	A	10.0.0.250
+	A	10.0.0.251
+	A	10.0.0.252
+	A	10.0.0.253
+	A	10.0.0.254
+	A	10.0.0.255
+	A	10.0.1.0
+	A	10.0.1.1
+	A	10.0.1.2
+	A	10.0.1.3
+	A	10.0.1.4
+	A	10.0.1.5
+	A	10.0.1.6
+	A	10.0.1.7
+	A	10.0.1.8
+	A	10.0.1.9
+	A	10.0.1.10
+	A	10.0.1.11
+	A	10.0.1.12
+	A	10.0.1.13
+	A	10.0.1.14
+	A	10.0.1.15
+	A	10.0.1.16
+	A	10.0.1.17
+	A	10.0.1.18
+	A	10.0.1.19
+	A	10.0.1.20
+	A	10.0.1.21
+	A	10.0.1.22
+	A	10.0.1.23
+	A	10.0.1.24
+	A	10.0.1.25
+	A	10.0.1.26
+	A	10.0.1.27
+	A	10.0.1.28
+	A	10.0.1.29
+	A	10.0.1.30
+	A	10.0.1.31
+	A	10.0.1.32
+	A	10.0.1.33
+	A	10.0.1.34
+	A	10.0.1.35
+	A	10.0.1.36
+	A	10.0.1.37
+	A	10.0.1.38
+	A	10.0.1.39
+	A	10.0.1.40
+	A	10.0.1.41
+	A	10.0.1.42
+	A	10.0.1.43
+	A	10.0.1.44
+	A	10.0.1.45
+	A	10.0.1.46
+	A	10.0.1.47
+	A	10.0.1.48
+	A	10.0.1.49
+	A	10.0.1.50
+	A	10.0.1.51
+	A	10.0.1.52
+	A	10.0.1.53
+	A	10.0.1.54
+	A	10.0.1.55
+	A	10.0.1.56
+	A	10.0.1.57
+	A	10.0.1.58
+	A	10.0.1.59
+	A	10.0.1.60
+	A	10.0.1.61
+	A	10.0.1.62
+	A	10.0.1.63
+	A	10.0.1.64
+	A	10.0.1.65
+	A	10.0.1.66
+	A	10.0.1.67
+	A	10.0.1.68
+	A	10.0.1.69
+	A	10.0.1.70
+	A	10.0.1.71
+	A	10.0.1.72
+	A	10.0.1.73
+	A	10.0.1.74
+	A	10.0.1.75
+	A	10.0.1.76
+	A	10.0.1.77
+	A	10.0.1.78
+	A	10.0.1.79
+	A	10.0.1.80
+	A	10.0.1.81
+	A	10.0.1.82
+	A	10.0.1.83
+	A	10.0.1.84
+	A	10.0.1.85
+	A	10.0.1.86
+	A	10.0.1.87
+	A	10.0.1.88
+	A	10.0.1.89
+	A	10.0.1.90
+	A	10.0.1.91
+	A	10.0.1.92
+	A	10.0.1.93
+	A	10.0.1.94
+	A	10.0.1.95
+	A	10.0.1.96
+	A	10.0.1.97
+	A	10.0.1.98
+	A	10.0.1.99
+	A	10.0.1.100
+	A	10.0.1.101
+	A	10.0.1.102
+	A	10.0.1.103
+	A	10.0.1.104
+	A	10.0.1.105
+	A	10.0.1.106
+	A	10.0.1.107
+	A	10.0.1.108
+	A	10.0.1.109
+	A	10.0.1.110
+	A	10.0.1.111
+	A	10.0.1.112
+	A	10.0.1.113
+	A	10.0.1.114
+	A	10.0.1.115
+	A	10.0.1.116
+	A	10.0.1.117
+	A	10.0.1.118
+	A	10.0.1.119
+	A	10.0.1.120
+	A	10.0.1.121
+	A	10.0.1.122
+	A	10.0.1.123
+	A	10.0.1.124
+	A	10.0.1.125
+	A	10.0.1.126
+	A	10.0.1.127
+	A	10.0.1.128
+	A	10.0.1.129
+	A	10.0.1.130
+	A	10.0.1.131
+	A	10.0.1.132
+	A	10.0.1.133
+	A	10.0.1.134
+	A	10.0.1.135
+	A	10.0.1.136
+	A	10.0.1.137
+	A	10.0.1.138
+	A	10.0.1.139
+	A	10.0.1.140
+	A	10.0.1.141
+	A	10.0.1.142
+	A	10.0.1.143
+	A	10.0.1.144
+	A	10.0.1.145
+	A	10.0.1.146
+	A	10.0.1.147
+	A	10.0.1.148
+	A	10.0.1.149
+	A	10.0.1.150
+	A	10.0.1.151
+	A	10.0.1.152
+	A	10.0.1.153
+	A	10.0.1.154
+	A	10.0.1.155
+	A	10.0.1.156
+	A	10.0.1.157
+	A	10.0.1.158
+	A	10.0.1.159
+	A	10.0.1.160
+	A	10.0.1.161
+	A	10.0.1.162
+	A	10.0.1.163
+	A	10.0.1.164
+	A	10.0.1.165
+	A	10.0.1.166
+	A	10.0.1.167
+	A	10.0.1.168
+	A	10.0.1.169
+	A	10.0.1.170
+	A	10.0.1.171
+	A	10.0.1.172
+	A	10.0.1.173
+	A	10.0.1.174
+	A	10.0.1.175
+	A	10.0.1.176
+	A	10.0.1.177
+	A	10.0.1.178
+	A	10.0.1.179
+	A	10.0.1.180
+	A	10.0.1.181
+	A	10.0.1.182
+	A	10.0.1.183
+	A	10.0.1.184
+	A	10.0.1.185
+	A	10.0.1.186
+	A	10.0.1.187
+	A	10.0.1.188
+	A	10.0.1.189
+	A	10.0.1.190
+	A	10.0.1.191
+	A	10.0.1.192
+	A	10.0.1.193
+	A	10.0.1.194
+	A	10.0.1.195
+	A	10.0.1.196
+	A	10.0.1.197
+	A	10.0.1.198
+	A	10.0.1.199
+	A	10.0.1.200
+	A	10.0.1.201
+	A	10.0.1.202
+	A	10.0.1.203
+	A	10.0.1.204
+	A	10.0.1.205
+	A	10.0.1.206
+	A	10.0.1.207
+	A	10.0.1.208
+	A	10.0.1.209
+	A	10.0.1.210
+	A	10.0.1.211
+	A	10.0.1.212
+	A	10.0.1.213
+	A	10.0.1.214
+	A	10.0.1.215
+	A	10.0.1.216
+	A	10.0.1.217
+	A	10.0.1.218
+	A	10.0.1.219
+	A	10.0.1.220
+	A	10.0.1.221
+	A	10.0.1.222
+	A	10.0.1.223
+	A	10.0.1.224
+	A	10.0.1.225
+	A	10.0.1.226
+	A	10.0.1.227
+	A	10.0.1.228
+	A	10.0.1.229
+	A	10.0.1.230
+	A	10.0.1.231
+	A	10.0.1.232
+	A	10.0.1.233
+	A	10.0.1.234
+	A	10.0.1.235
+	A	10.0.1.236
+	A	10.0.1.237
+	A	10.0.1.238
+	A	10.0.1.239
+	A	10.0.1.240
+	A	10.0.1.241
+	A	10.0.1.242
+	A	10.0.1.243
+	A	10.0.1.244
+	A	10.0.1.245
+	A	10.0.1.246
+	A	10.0.1.247
+	A	10.0.1.248
+	A	10.0.1.249
+	A	10.0.1.250
+	A	10.0.1.251
+	A	10.0.1.252
+	A	10.0.1.253
+	A	10.0.1.254
+	A	10.0.1.255
+	A	10.0.2.0
+	A	10.0.2.1
+	A	10.0.2.2
+	A	10.0.2.3
+	A	10.0.2.4
+	A	10.0.2.5
+	A	10.0.2.6
+	A	10.0.2.7
+	A	10.0.2.8
+	A	10.0.2.9
+	A	10.0.2.10
+	A	10.0.2.11
+	A	10.0.2.12
+	A	10.0.2.13
+	A	10.0.2.14
+	A	10.0.2.15
+	A	10.0.2.16
+	A	10.0.2.17
+	A	10.0.2.18
+	A	10.0.2.19
+	A	10.0.2.20
+	A	10.0.2.21
+	A	10.0.2.22
+	A	10.0.2.23
+	A	10.0.2.24
+	A	10.0.2.25
+	A	10.0.2.26
+	A	10.0.2.27
+	A	10.0.2.28
+	A	10.0.2.29
+	A	10.0.2.30
+	A	10.0.2.31
+	A	10.0.2.32
+	A	10.0.2.33
+	A	10.0.2.34
+	A	10.0.2.35
+	A	10.0.2.36
+	A	10.0.2.37
+	A	10.0.2.38
+	A	10.0.2.39
+	A	10.0.2.40
+	A	10.0.2.41
+	A	10.0.2.42
+	A	10.0.2.43
+	A	10.0.2.44
+	A	10.0.2.45
+	A	10.0.2.46
+	A	10.0.2.47
+	A	10.0.2.48
+	A	10.0.2.49
+	A	10.0.2.50
+	A	10.0.2.51
+	A	10.0.2.52
+	A	10.0.2.53
+	A	10.0.2.54
+	A	10.0.2.55
+	A	10.0.2.56
+	A	10.0.2.57
+	A	10.0.2.58
+	A	10.0.2.59
+	A	10.0.2.60
+	A	10.0.2.61
+	A	10.0.2.62
+	A	10.0.2.63
+	A	10.0.2.64
+	A	10.0.2.65
+	A	10.0.2.66
+	A	10.0.2.67
+	A	10.0.2.68
+	A	10.0.2.69
+	A	10.0.2.70
+	A	10.0.2.71
+	A	10.0.2.72
+	A	10.0.2.73
+	A	10.0.2.74
+	A	10.0.2.75
+	A	10.0.2.76
+	A	10.0.2.77
+	A	10.0.2.78
+	A	10.0.2.79
+	A	10.0.2.80
+	A	10.0.2.81
+	A	10.0.2.82
+	A	10.0.2.83
+	A	10.0.2.84
+	A	10.0.2.85
+	A	10.0.2.86
+	A	10.0.2.87
+	A	10.0.2.88
+	A	10.0.2.89
+	A	10.0.2.90
+	A	10.0.2.91
+	A	10.0.2.92
+	A	10.0.2.93
+	A	10.0.2.94
+	A	10.0.2.95
+	A	10.0.2.96
+	A	10.0.2.97
+	A	10.0.2.98
+	A	10.0.2.99
+	A	10.0.2.100
+	A	10.0.2.101
+	A	10.0.2.102
+	A	10.0.2.103
+	A	10.0.2.104
+	A	10.0.2.105
+	A	10.0.2.106
+	A	10.0.2.107
+	A	10.0.2.108
+	A	10.0.2.109
+	A	10.0.2.110
+	A	10.0.2.111
+	A	10.0.2.112
+	A	10.0.2.113
+	A	10.0.2.114
+	A	10.0.2.115
+	A	10.0.2.116
+	A	10.0.2.117
+	A	10.0.2.118
+	A	10.0.2.119
+	A	10.0.2.120
+	A	10.0.2.121
+	A	10.0.2.122
+	A	10.0.2.123
+	A	10.0.2.124
+	A	10.0.2.125
+	A	10.0.2.126
+	A	10.0.2.127
+	A	10.0.2.128
+	A	10.0.2.129
+	A	10.0.2.130
+	A	10.0.2.131
+	A	10.0.2.132
+	A	10.0.2.133
+	A	10.0.2.134
+	A	10.0.2.135
+	A	10.0.2.136
+	A	10.0.2.137
+	A	10.0.2.138
+	A	10.0.2.139
+	A	10.0.2.140
+	A	10.0.2.141
+	A	10.0.2.142
+	A	10.0.2.143
+	A	10.0.2.144
+	A	10.0.2.145
+	A	10.0.2.146
+	A	10.0.2.147
+	A	10.0.2.148
+	A	10.0.2.149
+	A	10.0.2.150
+	A	10.0.2.151
+	A	10.0.2.152
+	A	10.0.2.153
+	A	10.0.2.154
+	A	10.0.2.155
+	A	10.0.2.156
+	A	10.0.2.157
+	A	10.0.2.158
+	A	10.0.2.159
+	A	10.0.2.160
+	A	10.0.2.161
+	A	10.0.2.162
+	A	10.0.2.163
+	A	10.0.2.164
+	A	10.0.2.165
+	A	10.0.2.166
+	A	10.0.2.167
+	A	10.0.2.168
+	A	10.0.2.169
+	A	10.0.2.170
+	A	10.0.2.171
+	A	10.0.2.172
+	A	10.0.2.173
+	A	10.0.2.174
+	A	10.0.2.175
+	A	10.0.2.176
+	A	10.0.2.177
+	A	10.0.2.178
+	A	10.0.2.179
+	A	10.0.2.180
+	A	10.0.2.181
+	A	10.0.2.182
+	A	10.0.2.183
+	A	10.0.2.184
+	A	10.0.2.185
+	A	10.0.2.186
+	A	10.0.2.187
+	A	10.0.2.188
+	A	10.0.2.189
+	A	10.0.2.190
+	A	10.0.2.191
+	A	10.0.2.192
+	A	10.0.2.193
+	A	10.0.2.194
+	A	10.0.2.195
+	A	10.0.2.196
+	A	10.0.2.197
+	A	10.0.2.198
+	A	10.0.2.199
+	A	10.0.2.200
+	A	10.0.2.201
+	A	10.0.2.202
+	A	10.0.2.203
+	A	10.0.2.204
+	A	10.0.2.205
+	A	10.0.2.206
+	A	10.0.2.207
+	A	10.0.2.208
+	A	10.0.2.209
+	A	10.0.2.210
+	A	10.0.2.211
+	A	10.0.2.212
+	A	10.0.2.213
+	A	10.0.2.214
+	A	10.0.2.215
+	A	10.0.2.216
+	A	10.0.2.217
+	A	10.0.2.218
+	A	10.0.2.219
+	A	10.0.2.220
+	A	10.0.2.221
+	A	10.0.2.222
+	A	10.0.2.223
+	A	10.0.2.224
+	A	10.0.2.225
+	A	10.0.2.226
+	A	10.0.2.227
+	A	10.0.2.228
+	A	10.0.2.229
+	A	10.0.2.230
+	A	10.0.2.231
+	A	10.0.2.232
+	A	10.0.2.233
+	A	10.0.2.234
+	A	10.0.2.235
+	A	10.0.2.236
+	A	10.0.2.237
+	A	10.0.2.238
+	A	10.0.2.239
+	A	10.0.2.240
+	A	10.0.2.241
+	A	10.0.2.242
+	A	10.0.2.243
+	A	10.0.2.244
+	A	10.0.2.245
+	A	10.0.2.246
+	A	10.0.2.247
+	A	10.0.2.248
+	A	10.0.2.249
+	A	10.0.2.250
+	A	10.0.2.251
+	A	10.0.2.252
+	A	10.0.2.253
+	A	10.0.2.254
+	A	10.0.2.255
+	A	10.0.3.0
+	A	10.0.3.1
+	A	10.0.3.2
+	A	10.0.3.3
+	A	10.0.3.4
+	A	10.0.3.5
+	A	10.0.3.6
+	A	10.0.3.7
+	A	10.0.3.8
+	A	10.0.3.9
+	A	10.0.3.10
+	A	10.0.3.11
+	A	10.0.3.12
+	A	10.0.3.13
+	A	10.0.3.14
+	A	10.0.3.15
+	A	10.0.3.16
+	A	10.0.3.17
+	A	10.0.3.18
+	A	10.0.3.19
+	A	10.0.3.20
+	A	10.0.3.21
+	A	10.0.3.22
+	A	10.0.3.23
+	A	10.0.3.24
+	A	10.0.3.25
+	A	10.0.3.26
+	A	10.0.3.27
+	A	10.0.3.28
+	A	10.0.3.29
+	A	10.0.3.30
+	A	10.0.3.31
+	A	10.0.3.32
+	A	10.0.3.33
+	A	10.0.3.34
+	A	10.0.3.35
+	A	10.0.3.36
+	A	10.0.3.37
+	A	10.0.3.38
+	A	10.0.3.39
+	A	10.0.3.40
+	A	10.0.3.41
+	A	10.0.3.42
+	A	10.0.3.43
+	A	10.0.3.44
+	A	10.0.3.45
+	A	10.0.3.46
+	A	10.0.3.47
+	A	10.0.3.48
+	A	10.0.3.49
+	A	10.0.3.50
+	A	10.0.3.51
+	A	10.0.3.52
+	A	10.0.3.53
+	A	10.0.3.54
+	A	10.0.3.55
+	A	10.0.3.56
+	A	10.0.3.57
+	A	10.0.3.58
+	A	10.0.3.59
+	A	10.0.3.60
+	A	10.0.3.61
+	A	10.0.3.62
+	A	10.0.3.63
+	A	10.0.3.64
+	A	10.0.3.65
+	A	10.0.3.66
+	A	10.0.3.67
+	A	10.0.3.68
+	A	10.0.3.69
+	A	10.0.3.70
+	A	10.0.3.71
+	A	10.0.3.72
+	A	10.0.3.73
+	A	10.0.3.74
+	A	10.0.3.75
+	A	10.0.3.76
+	A	10.0.3.77
+	A	10.0.3.78
+	A	10.0.3.79
+	A	10.0.3.80
+	A	10.0.3.81
+	A	10.0.3.82
+	A	10.0.3.83
+	A	10.0.3.84
+	A	10.0.3.85
+	A	10.0.3.86
+	A	10.0.3.87
+	A	10.0.3.88
+	A	10.0.3.89
+	A	10.0.3.90
+	A	10.0.3.91
+	A	10.0.3.92
+	A	10.0.3.93
+	A	10.0.3.94
+	A	10.0.3.95
+	A	10.0.3.96
+	A	10.0.3.97
+	A	10.0.3.98
+	A	10.0.3.99
+	A	10.0.3.100
+	A	10.0.3.101
+	A	10.0.3.102
+	A	10.0.3.103
+	A	10.0.3.104
+	A	10.0.3.105
+	A	10.0.3.106
+	A	10.0.3.107
+	A	10.0.3.108
+	A	10.0.3.109
+	A	10.0.3.110
+	A	10.0.3.111
+	A	10.0.3.112
+	A	10.0.3.113
+	A	10.0.3.114
+	A	10.0.3.115
+	A	10.0.3.116
+	A	10.0.3.117
+	A	10.0.3.118
+	A	10.0.3.119
+	A	10.0.3.120
+	A	10.0.3.121
+	A	10.0.3.122
+	A	10.0.3.123
+	A	10.0.3.124
+	A	10.0.3.125
+	A	10.0.3.126
+	A	10.0.3.127
+	A	10.0.3.128
+	A	10.0.3.129
+	A	10.0.3.130
+	A	10.0.3.131
+	A	10.0.3.132
+	A	10.0.3.133
+	A	10.0.3.134
+	A	10.0.3.135
+	A	10.0.3.136
+	A	10.0.3.137
+	A	10.0.3.138
+	A	10.0.3.139
+	A	10.0.3.140
+	A	10.0.3.141
+	A	10.0.3.142
+	A	10.0.3.143
+	A	10.0.3.144
+	A	10.0.3.145
+	A	10.0.3.146
+	A	10.0.3.147
+	A	10.0.3.148
+	A	10.0.3.149
+	A	10.0.3.150
+	A	10.0.3.151
+	A	10.0.3.152
+	A	10.0.3.153
+	A	10.0.3.154
+	A	10.0.3.155
+	A	10.0.3.156
+	A	10.0.3.157
+	A	10.0.3.158
+	A	10.0.3.159
+	A	10.0.3.160
+	A	10.0.3.161
+	A	10.0.3.162
+	A	10.0.3.163
+	A	10.0.3.164
+	A	10.0.3.165
+	A	10.0.3.166
+	A	10.0.3.167
+	A	10.0.3.168
+	A	10.0.3.169
+	A	10.0.3.170
+	A	10.0.3.171
+	A	10.0.3.172
+	A	10.0.3.173
+	A	10.0.3.174
+	A	10.0.3.175
+	A	10.0.3.176
+	A	10.0.3.177
+	A	10.0.3.178
+	A	10.0.3.179
+	A	10.0.3.180
+	A	10.0.3.181
+	A	10.0.3.182
+	A	10.0.3.183
+	A	10.0.3.184
+	A	10.0.3.185
+	A	10.0.3.186
+	A	10.0.3.187
+	A	10.0.3.188
+	A	10.0.3.189
+	A	10.0.3.190
+	A	10.0.3.191
+	A	10.0.3.192
+	A	10.0.3.193
+	A	10.0.3.194
+	A	10.0.3.195
+	A	10.0.3.196
+	A	10.0.3.197
+	A	10.0.3.198
+	A	10.0.3.199
+	A	10.0.3.200
+	A	10.0.3.201
+	A	10.0.3.202
+	A	10.0.3.203
+	A	10.0.3.204
+	A	10.0.3.205
+	A	10.0.3.206
+	A	10.0.3.207
+	A	10.0.3.208
+	A	10.0.3.209
+	A	10.0.3.210
+	A	10.0.3.211
+	A	10.0.3.212
+	A	10.0.3.213
+	A	10.0.3.214
+	A	10.0.3.215
+	A	10.0.3.216
+	A	10.0.3.217
+	A	10.0.3.218
+	A	10.0.3.219
+	A	10.0.3.220
+	A	10.0.3.221
+	A	10.0.3.222
+	A	10.0.3.223
+	A	10.0.3.224
+	A	10.0.3.225
+	A	10.0.3.226
+	A	10.0.3.227
+	A	10.0.3.228
+	A	10.0.3.229
+	A	10.0.3.230
+	A	10.0.3.231
+	A	10.0.3.232
+	A	10.0.3.233
+	A	10.0.3.234
+	A	10.0.3.235
+	A	10.0.3.236
+	A	10.0.3.237
+	A	10.0.3.238
+	A	10.0.3.239
+	A	10.0.3.240
+	A	10.0.3.241
+	A	10.0.3.242
+	A	10.0.3.243
+	A	10.0.3.244
+	A	10.0.3.245
+	A	10.0.3.246
+	A	10.0.3.247
+	A	10.0.3.248
+	A	10.0.3.249
+	A	10.0.3.250
+	A	10.0.3.251
+	A	10.0.3.252
+	A	10.0.3.253
+	A	10.0.3.254
+	A	10.0.3.255
+	A	10.0.4.0
+	A	10.0.4.1
+	A	10.0.4.2
+	A	10.0.4.3
+	A	10.0.4.4
+	A	10.0.4.5
+	A	10.0.4.6
+	A	10.0.4.7
+	A	10.0.4.8
+	A	10.0.4.9
+	A	10.0.4.10
+	A	10.0.4.11
+	A	10.0.4.12
+	A	10.0.4.13
+	A	10.0.4.14
+	A	10.0.4.15
+	A	10.0.4.16
+	A	10.0.4.17
+	A	10.0.4.18
+	A	10.0.4.19
+	A	10.0.4.20
+	A	10.0.4.21
+	A	10.0.4.22
+	A	10.0.4.23
+	A	10.0.4.24
+	A	10.0.4.25
+	A	10.0.4.26
+	A	10.0.4.27
+	A	10.0.4.28
+	A	10.0.4.29
+	A	10.0.4.30
+	A	10.0.4.31
+	A	10.0.4.32
+	A	10.0.4.33
+	A	10.0.4.34
+	A	10.0.4.35
+	A	10.0.4.36
+	A	10.0.4.37
+	A	10.0.4.38
+	A	10.0.4.39
+	A	10.0.4.40
+	A	10.0.4.41
+	A	10.0.4.42
+	A	10.0.4.43
+	A	10.0.4.44
+	A	10.0.4.45
+	A	10.0.4.46
+	A	10.0.4.47
+	A	10.0.4.48
+	A	10.0.4.49
+	A	10.0.4.50
+	A	10.0.4.51
+	A	10.0.4.52
+	A	10.0.4.53
+	A	10.0.4.54
+	A	10.0.4.55
+	A	10.0.4.56
+	A	10.0.4.57
+	A	10.0.4.58
+	A	10.0.4.59
+	A	10.0.4.60
+	A	10.0.4.61
+	A	10.0.4.62
+	A	10.0.4.63
+	A	10.0.4.64
+	A	10.0.4.65
+	A	10.0.4.66
+	A	10.0.4.67
+	A	10.0.4.68
+	A	10.0.4.69
+	A	10.0.4.70
+	A	10.0.4.71
+	A	10.0.4.72
+	A	10.0.4.73
+	A	10.0.4.74
+	A	10.0.4.75
+	A	10.0.4.76
+	A	10.0.4.77
+	A	10.0.4.78
+	A	10.0.4.79
+	A	10.0.4.80
+	A	10.0.4.81
+	A	10.0.4.82
+	A	10.0.4.83
+	A	10.0.4.84
+	A	10.0.4.85
+	A	10.0.4.86
+	A	10.0.4.87
+	A	10.0.4.88
+	A	10.0.4.89
+	A	10.0.4.90
+	A	10.0.4.91
+	A	10.0.4.92
+	A	10.0.4.93
+	A	10.0.4.94
+	A	10.0.4.95
+	A	10.0.4.96
+	A	10.0.4.97
+	A	10.0.4.98
+	A	10.0.4.99
+	A	10.0.4.100
+	A	10.0.4.101
+	A	10.0.4.102
+	A	10.0.4.103
+	A	10.0.4.104
+	A	10.0.4.105
+	A	10.0.4.106
+	A	10.0.4.107
+	A	10.0.4.108
+	A	10.0.4.109
+	A	10.0.4.110
+	A	10.0.4.111
+	A	10.0.4.112
+	A	10.0.4.113
+	A	10.0.4.114
+	A	10.0.4.115
+	A	10.0.4.116
+	A	10.0.4.117
+	A	10.0.4.118
+	A	10.0.4.119
+	A	10.0.4.120
+	A	10.0.4.121
+	A	10.0.4.122
+	A	10.0.4.123
+	A	10.0.4.124
+	A	10.0.4.125
+	A	10.0.4.126
+	A	10.0.4.127
+	A	10.0.4.128
+	A	10.0.4.129
+	A	10.0.4.130
+	A	10.0.4.131
+	A	10.0.4.132
+	A	10.0.4.133
+	A	10.0.4.134
+	A	10.0.4.135
+	A	10.0.4.136
+	A	10.0.4.137
+	A	10.0.4.138
+	A	10.0.4.139
+	A	10.0.4.140
+	A	10.0.4.141
+	A	10.0.4.142
+	A	10.0.4.143
+	A	10.0.4.144
+	A	10.0.4.145
+	A	10.0.4.146
+	A	10.0.4.147
+	A	10.0.4.148
+	A	10.0.4.149
+	A	10.0.4.150
+	A	10.0.4.151
+	A	10.0.4.152
+	A	10.0.4.153
+	A	10.0.4.154
+	A	10.0.4.155
+	A	10.0.4.156
+	A	10.0.4.157
+	A	10.0.4.158
+	A	10.0.4.159
+	A	10.0.4.160
+	A	10.0.4.161
+	A	10.0.4.162
+	A	10.0.4.163
+	A	10.0.4.164
+	A	10.0.4.165
+	A	10.0.4.166
+	A	10.0.4.167
+	A	10.0.4.168
+	A	10.0.4.169
+	A	10.0.4.170
+	A	10.0.4.171
+	A	10.0.4.172
+	A	10.0.4.173
+	A	10.0.4.174
+	A	10.0.4.175
+	A	10.0.4.176
+	A	10.0.4.177
+	A	10.0.4.178
+	A	10.0.4.179
+	A	10.0.4.180
+	A	10.0.4.181
+	A	10.0.4.182
+	A	10.0.4.183
+	A	10.0.4.184
+	A	10.0.4.185
+	A	10.0.4.186
+	A	10.0.4.187
+	A	10.0.4.188
+	A	10.0.4.189
+	A	10.0.4.190
+	A	10.0.4.191
+	A	10.0.4.192
+	A	10.0.4.193
+	A	10.0.4.194
+	A	10.0.4.195
+	A	10.0.4.196
+	A	10.0.4.197
+	A	10.0.4.198
+	A	10.0.4.199
+	A	10.0.4.200
+	A	10.0.4.201
+	A	10.0.4.202
+	A	10.0.4.203
+	A	10.0.4.204
+	A	10.0.4.205
+	A	10.0.4.206
+	A	10.0.4.207
+	A	10.0.4.208
+	A	10.0.4.209
+	A	10.0.4.210
+	A	10.0.4.211
+	A	10.0.4.212
+	A	10.0.4.213
+	A	10.0.4.214
+	A	10.0.4.215
+	A	10.0.4.216
+	A	10.0.4.217
+	A	10.0.4.218
+	A	10.0.4.219
+	A	10.0.4.220
+	A	10.0.4.221
+	A	10.0.4.222
+	A	10.0.4.223
+	A	10.0.4.224
+	A	10.0.4.225
+	A	10.0.4.226
+	A	10.0.4.227
+	A	10.0.4.228
+	A	10.0.4.229
+	A	10.0.4.230
+	A	10.0.4.231
+	A	10.0.4.232
+	A	10.0.4.233
+	A	10.0.4.234
+	A	10.0.4.235
+	A	10.0.4.236
+	A	10.0.4.237
+	A	10.0.4.238
+	A	10.0.4.239
+	A	10.0.4.240
+	A	10.0.4.241
+	A	10.0.4.242
+	A	10.0.4.243
+	A	10.0.4.244
+	A	10.0.4.245
+	A	10.0.4.246
+	A	10.0.4.247
+	A	10.0.4.248
+	A	10.0.4.249
+	A	10.0.4.250
+	A	10.0.4.251
+	A	10.0.4.252
+	A	10.0.4.253
+	A	10.0.4.254
+	A	10.0.4.255
+	A	10.0.5.0
+	A	10.0.5.1
+	A	10.0.5.2
+	A	10.0.5.3
+	A	10.0.5.4
+	A	10.0.5.5
+	A	10.0.5.6
+	A	10.0.5.7
+	A	10.0.5.8
+	A	10.0.5.9
+	A	10.0.5.10
+	A	10.0.5.11
+	A	10.0.5.12
+	A	10.0.5.13
+	A	10.0.5.14
+	A	10.0.5.15
+	A	10.0.5.16
+	A	10.0.5.17
+	A	10.0.5.18
+	A	10.0.5.19
+	A	10.0.5.20
+	A	10.0.5.21
+	A	10.0.5.22
+	A	10.0.5.23
+	A	10.0.5.24
+	A	10.0.5.25
+	A	10.0.5.26
+	A	10.0.5.27
+	A	10.0.5.28
+	A	10.0.5.29
+	A	10.0.5.30
+	A	10.0.5.31
+	A	10.0.5.32
+	A	10.0.5.33
+	A	10.0.5.34
+	A	10.0.5.35
+	A	10.0.5.36
+	A	10.0.5.37
+	A	10.0.5.38
+	A	10.0.5.39
+	A	10.0.5.40
+	A	10.0.5.41
+	A	10.0.5.42
+	A	10.0.5.43
+	A	10.0.5.44
+	A	10.0.5.45
+	A	10.0.5.46
+	A	10.0.5.47
+	A	10.0.5.48
+	A	10.0.5.49
+	A	10.0.5.50
+	A	10.0.5.51
+	A	10.0.5.52
+	A	10.0.5.53
+	A	10.0.5.54
+	A	10.0.5.55
+	A	10.0.5.56
+	A	10.0.5.57
+	A	10.0.5.58
+	A	10.0.5.59
+	A	10.0.5.60
+	A	10.0.5.61
+	A	10.0.5.62
+	A	10.0.5.63
+	A	10.0.5.64
+	A	10.0.5.65
+	A	10.0.5.66
+	A	10.0.5.67
+	A	10.0.5.68
+	A	10.0.5.69
+	A	10.0.5.70
+	A	10.0.5.71
+	A	10.0.5.72
+	A	10.0.5.73
+	A	10.0.5.74
+	A	10.0.5.75
+	A	10.0.5.76
+	A	10.0.5.77
+	A	10.0.5.78
+	A	10.0.5.79
+	A	10.0.5.80
+	A	10.0.5.81
+	A	10.0.5.82
+	A	10.0.5.83
+	A	10.0.5.84
+	A	10.0.5.85
+	A	10.0.5.86
+	A	10.0.5.87
+	A	10.0.5.88
+	A	10.0.5.89
+	A	10.0.5.90
+	A	10.0.5.91
+	A	10.0.5.92
+	A	10.0.5.93
+	A	10.0.5.94
+	A	10.0.5.95
+	A	10.0.5.96
+	A	10.0.5.97
+	A	10.0.5.98
+	A	10.0.5.99
+	A	10.0.5.100
+	A	10.0.5.101
+	A	10.0.5.102
+	A	10.0.5.103
+	A	10.0.5.104
+	A	10.0.5.105
+	A	10.0.5.106
+	A	10.0.5.107
+	A	10.0.5.108
+	A	10.0.5.109
+	A	10.0.5.110
+	A	10.0.5.111
+	A	10.0.5.112
+	A	10.0.5.113
+	A	10.0.5.114
+	A	10.0.5.115
+	A	10.0.5.116
+	A	10.0.5.117
+	A	10.0.5.118
+	A	10.0.5.119
+	A	10.0.5.120
+	A	10.0.5.121
+	A	10.0.5.122
+	A	10.0.5.123
+	A	10.0.5.124
+	A	10.0.5.125
+	A	10.0.5.126
+	A	10.0.5.127
+	A	10.0.5.128
+	A	10.0.5.129
+	A	10.0.5.130
+	A	10.0.5.131
+	A	10.0.5.132
+	A	10.0.5.133
+	A	10.0.5.134
+	A	10.0.5.135
+	A	10.0.5.136
+	A	10.0.5.137
+	A	10.0.5.138
+	A	10.0.5.139
+	A	10.0.5.140
+	A	10.0.5.141
+	A	10.0.5.142
+	A	10.0.5.143
+	A	10.0.5.144
+	A	10.0.5.145
+	A	10.0.5.146
+	A	10.0.5.147
+	A	10.0.5.148
+	A	10.0.5.149
+	A	10.0.5.150
+	A	10.0.5.151
+	A	10.0.5.152
+	A	10.0.5.153
+	A	10.0.5.154
+	A	10.0.5.155
+	A	10.0.5.156
+	A	10.0.5.157
+	A	10.0.5.158
+	A	10.0.5.159
+	A	10.0.5.160
+	A	10.0.5.161
+	A	10.0.5.162
+	A	10.0.5.163
+	A	10.0.5.164
+	A	10.0.5.165
+	A	10.0.5.166
+	A	10.0.5.167
+	A	10.0.5.168
+	A	10.0.5.169
+	A	10.0.5.170
+	A	10.0.5.171
+	A	10.0.5.172
+	A	10.0.5.173
+	A	10.0.5.174
+	A	10.0.5.175
+	A	10.0.5.176
+	A	10.0.5.177
+	A	10.0.5.178
+	A	10.0.5.179
+	A	10.0.5.180
+	A	10.0.5.181
+	A	10.0.5.182
+	A	10.0.5.183
+	A	10.0.5.184
+	A	10.0.5.185
+	A	10.0.5.186
+	A	10.0.5.187
+	A	10.0.5.188
+	A	10.0.5.189
+	A	10.0.5.190
+	A	10.0.5.191
+	A	10.0.5.192
+	A	10.0.5.193
+	A	10.0.5.194
+	A	10.0.5.195
+	A	10.0.5.196
+	A	10.0.5.197
+	A	10.0.5.198
+	A	10.0.5.199
+	A	10.0.5.200
+	A	10.0.5.201
+	A	10.0.5.202
+	A	10.0.5.203
+	A	10.0.5.204
+	A	10.0.5.205
+	A	10.0.5.206
+	A	10.0.5.207
+	A	10.0.5.208
+	A	10.0.5.209
+	A	10.0.5.210
+	A	10.0.5.211
+	A	10.0.5.212
+	A	10.0.5.213
+	A	10.0.5.214
+	A	10.0.5.215
+	A	10.0.5.216
+	A	10.0.5.217
+	A	10.0.5.218
+	A	10.0.5.219
+	A	10.0.5.220
+	A	10.0.5.221
+	A	10.0.5.222
+	A	10.0.5.223
+	A	10.0.5.224
+	A	10.0.5.225
+	A	10.0.5.226
+	A	10.0.5.227
+	A	10.0.5.228
+	A	10.0.5.229
+	A	10.0.5.230
+	A	10.0.5.231
+	A	10.0.5.232
+	A	10.0.5.233
+	A	10.0.5.234
+	A	10.0.5.235
+	A	10.0.5.236
+	A	10.0.5.237
+	A	10.0.5.238
+	A	10.0.5.239
+	A	10.0.5.240
+	A	10.0.5.241
+	A	10.0.5.242
+	A	10.0.5.243
+	A	10.0.5.244
+	A	10.0.5.245
+	A	10.0.5.246
+	A	10.0.5.247
+	A	10.0.5.248
+	A	10.0.5.249
+	A	10.0.5.250
+	A	10.0.5.251
+	A	10.0.5.252
+	A	10.0.5.253
+	A	10.0.5.254
+	A	10.0.5.255
+	A	10.0.6.0
+	A	10.0.6.1
+	A	10.0.6.2
+	A	10.0.6.3
+	A	10.0.6.4
+	A	10.0.6.5
+	A	10.0.6.6
+	A	10.0.6.7
+	A	10.0.6.8
+	A	10.0.6.9
+	A	10.0.6.10
+	A	10.0.6.11
+	A	10.0.6.12
+	A	10.0.6.13
+	A	10.0.6.14
+	A	10.0.6.15
+	A	10.0.6.16
+	A	10.0.6.17
+	A	10.0.6.18
+	A	10.0.6.19
+	A	10.0.6.20
+	A	10.0.6.21
+	A	10.0.6.22
+	A	10.0.6.23
+	A	10.0.6.24
+	A	10.0.6.25
+	A	10.0.6.26
+	A	10.0.6.27
+	A	10.0.6.28
+	A	10.0.6.29
+	A	10.0.6.30
+	A	10.0.6.31
+	A	10.0.6.32
+	A	10.0.6.33
+	A	10.0.6.34
+	A	10.0.6.35
+	A	10.0.6.36
+	A	10.0.6.37
+	A	10.0.6.38
+	A	10.0.6.39
+	A	10.0.6.40
+	A	10.0.6.41
+	A	10.0.6.42
+	A	10.0.6.43
+	A	10.0.6.44
+	A	10.0.6.45
+	A	10.0.6.46
+	A	10.0.6.47
+	A	10.0.6.48
+	A	10.0.6.49
+	A	10.0.6.50
+	A	10.0.6.51
+	A	10.0.6.52
+	A	10.0.6.53
+	A	10.0.6.54
+	A	10.0.6.55
+	A	10.0.6.56
+	A	10.0.6.57
+	A	10.0.6.58
+	A	10.0.6.59
+	A	10.0.6.60
+	A	10.0.6.61
+	A	10.0.6.62
+	A	10.0.6.63
+	A	10.0.6.64
+	A	10.0.6.65
+	A	10.0.6.66
+	A	10.0.6.67
+	A	10.0.6.68
+	A	10.0.6.69
+	A	10.0.6.70
+	A	10.0.6.71
+	A	10.0.6.72
+	A	10.0.6.73
+	A	10.0.6.74
+	A	10.0.6.75
+	A	10.0.6.76
+	A	10.0.6.77
+	A	10.0.6.78
+	A	10.0.6.79
+	A	10.0.6.80
+	A	10.0.6.81
+	A	10.0.6.82
+	A	10.0.6.83
+	A	10.0.6.84
+	A	10.0.6.85
+	A	10.0.6.86
+	A	10.0.6.87
+	A	10.0.6.88
+	A	10.0.6.89
+	A	10.0.6.90
+	A	10.0.6.91
+	A	10.0.6.92
+	A	10.0.6.93
+	A	10.0.6.94
+	A	10.0.6.95
+	A	10.0.6.96
+	A	10.0.6.97
+	A	10.0.6.98
+	A	10.0.6.99
+	A	10.0.6.100
+	A	10.0.6.101
+	A	10.0.6.102
+	A	10.0.6.103
+	A	10.0.6.104
+	A	10.0.6.105
+	A	10.0.6.106
+	A	10.0.6.107
+	A	10.0.6.108
+	A	10.0.6.109
+	A	10.0.6.110
+	A	10.0.6.111
+	A	10.0.6.112
+	A	10.0.6.113
+	A	10.0.6.114
+	A	10.0.6.115
+	A	10.0.6.116
+	A	10.0.6.117
+	A	10.0.6.118
+	A	10.0.6.119
+	A	10.0.6.120
+	A	10.0.6.121
+	A	10.0.6.122
+	A	10.0.6.123
+	A	10.0.6.124
+	A	10.0.6.125
+	A	10.0.6.126
+	A	10.0.6.127
+	A	10.0.6.128
+	A	10.0.6.129
+	A	10.0.6.130
+	A	10.0.6.131
+	A	10.0.6.132
+	A	10.0.6.133
+	A	10.0.6.134
+	A	10.0.6.135
+	A	10.0.6.136
+	A	10.0.6.137
+	A	10.0.6.138
+	A	10.0.6.139
+	A	10.0.6.140
+	A	10.0.6.141
+	A	10.0.6.142
+	A	10.0.6.143
+	A	10.0.6.144
+	A	10.0.6.145
+	A	10.0.6.146
+	A	10.0.6.147
+	A	10.0.6.148
+	A	10.0.6.149
+	A	10.0.6.150
+	A	10.0.6.151
+	A	10.0.6.152
+	A	10.0.6.153
+	A	10.0.6.154
+	A	10.0.6.155
+	A	10.0.6.156
+	A	10.0.6.157
+	A	10.0.6.158
+	A	10.0.6.159
+	A	10.0.6.160
+	A	10.0.6.161
+	A	10.0.6.162
+	A	10.0.6.163
+	A	10.0.6.164
+	A	10.0.6.165
+	A	10.0.6.166
+	A	10.0.6.167
+	A	10.0.6.168
+	A	10.0.6.169
+	A	10.0.6.170
+	A	10.0.6.171
+	A	10.0.6.172
+	A	10.0.6.173
+	A	10.0.6.174
+	A	10.0.6.175
+	A	10.0.6.176
+	A	10.0.6.177
+	A	10.0.6.178
+	A	10.0.6.179
+	A	10.0.6.180
+	A	10.0.6.181
+	A	10.0.6.182
+	A	10.0.6.183
+	A	10.0.6.184
+	A	10.0.6.185
+	A	10.0.6.186
+	A	10.0.6.187
+	A	10.0.6.188
+	A	10.0.6.189
+	A	10.0.6.190
+	A	10.0.6.191
+	A	10.0.6.192
+	A	10.0.6.193
+	A	10.0.6.194
+	A	10.0.6.195
+	A	10.0.6.196
+	A	10.0.6.197
+	A	10.0.6.198
+	A	10.0.6.199
+	A	10.0.6.200
+	A	10.0.6.201
+	A	10.0.6.202
+	A	10.0.6.203
+	A	10.0.6.204
+	A	10.0.6.205
+	A	10.0.6.206
+	A	10.0.6.207
+	A	10.0.6.208
+	A	10.0.6.209
+	A	10.0.6.210
+	A	10.0.6.211
+	A	10.0.6.212
+	A	10.0.6.213
+	A	10.0.6.214
+	A	10.0.6.215
+	A	10.0.6.216
+	A	10.0.6.217
+	A	10.0.6.218
+	A	10.0.6.219
+	A	10.0.6.220
+	A	10.0.6.221
+	A	10.0.6.222
+	A	10.0.6.223
+	A	10.0.6.224
+	A	10.0.6.225
+	A	10.0.6.226
+	A	10.0.6.227
+	A	10.0.6.228
+	A	10.0.6.229
+	A	10.0.6.230
+	A	10.0.6.231
+	A	10.0.6.232
+	A	10.0.6.233
+	A	10.0.6.234
+	A	10.0.6.235
+	A	10.0.6.236
+	A	10.0.6.237
+	A	10.0.6.238
+	A	10.0.6.239
+	A	10.0.6.240
+	A	10.0.6.241
+	A	10.0.6.242
+	A	10.0.6.243
+	A	10.0.6.244
+	A	10.0.6.245
+	A	10.0.6.246
+	A	10.0.6.247
+	A	10.0.6.248
+	A	10.0.6.249
+	A	10.0.6.250
+	A	10.0.6.251
+	A	10.0.6.252
+	A	10.0.6.253
+	A	10.0.6.254
+	A	10.0.6.255
+	A	10.0.7.0
+	A	10.0.7.1
+	A	10.0.7.2
+	A	10.0.7.3
+	A	10.0.7.4
+	A	10.0.7.5
+	A	10.0.7.6
+	A	10.0.7.7
+	A	10.0.7.8
+	A	10.0.7.9
+	A	10.0.7.10
+	A	10.0.7.11
+	A	10.0.7.12
+	A	10.0.7.13
+	A	10.0.7.14
+	A	10.0.7.15
+	A	10.0.7.16
+	A	10.0.7.17
+	A	10.0.7.18
+	A	10.0.7.19
+	A	10.0.7.20
+	A	10.0.7.21
+	A	10.0.7.22
+	A	10.0.7.23
+	A	10.0.7.24
+	A	10.0.7.25
+	A	10.0.7.26
+	A	10.0.7.27
+	A	10.0.7.28
+	A	10.0.7.29
+	A	10.0.7.30
+	A	10.0.7.31
+	A	10.0.7.32
+	A	10.0.7.33
+	A	10.0.7.34
+	A	10.0.7.35
+	A	10.0.7.36
+	A	10.0.7.37
+	A	10.0.7.38
+	A	10.0.7.39
+	A	10.0.7.40
+	A	10.0.7.41
+	A	10.0.7.42
+	A	10.0.7.43
+	A	10.0.7.44
+	A	10.0.7.45
+	A	10.0.7.46
+	A	10.0.7.47
+	A	10.0.7.48
+	A	10.0.7.49
+	A	10.0.7.50
+	A	10.0.7.51
+	A	10.0.7.52
+	A	10.0.7.53
+	A	10.0.7.54
+	A	10.0.7.55
+	A	10.0.7.56
+	A	10.0.7.57
+	A	10.0.7.58
+	A	10.0.7.59
+	A	10.0.7.60
+	A	10.0.7.61
+	A	10.0.7.62
+	A	10.0.7.63
+	A	10.0.7.64
+	A	10.0.7.65
+	A	10.0.7.66
+	A	10.0.7.67
+	A	10.0.7.68
+	A	10.0.7.69
+	A	10.0.7.70
+	A	10.0.7.71
+	A	10.0.7.72
+	A	10.0.7.73
+	A	10.0.7.74
+	A	10.0.7.75
+	A	10.0.7.76
+	A	10.0.7.77
+	A	10.0.7.78
+	A	10.0.7.79
+	A	10.0.7.80
+	A	10.0.7.81
+	A	10.0.7.82
+	A	10.0.7.83
+	A	10.0.7.84
+	A	10.0.7.85
+	A	10.0.7.86
+	A	10.0.7.87
+	A	10.0.7.88
+	A	10.0.7.89
+	A	10.0.7.90
+	A	10.0.7.91
+	A	10.0.7.92
+	A	10.0.7.93
+	A	10.0.7.94
+	A	10.0.7.95
+	A	10.0.7.96
+	A	10.0.7.97
+	A	10.0.7.98
+	A	10.0.7.99
+	A	10.0.7.100
+	A	10.0.7.101
+	A	10.0.7.102
+	A	10.0.7.103
+	A	10.0.7.104
+	A	10.0.7.105
+	A	10.0.7.106
+	A	10.0.7.107
+	A	10.0.7.108
+	A	10.0.7.109
+	A	10.0.7.110
+	A	10.0.7.111
+	A	10.0.7.112
+	A	10.0.7.113
+	A	10.0.7.114
+	A	10.0.7.115
+	A	10.0.7.116
+	A	10.0.7.117
+	A	10.0.7.118
+	A	10.0.7.119
+	A	10.0.7.120
+	A	10.0.7.121
+	A	10.0.7.122
+	A	10.0.7.123
+	A	10.0.7.124
+	A	10.0.7.125
+	A	10.0.7.126
+	A	10.0.7.127
+	A	10.0.7.128
+	A	10.0.7.129
+	A	10.0.7.130
+	A	10.0.7.131
+	A	10.0.7.132
+	A	10.0.7.133
+	A	10.0.7.134
+	A	10.0.7.135
+	A	10.0.7.136
+	A	10.0.7.137
+	A	10.0.7.138
+	A	10.0.7.139
+	A	10.0.7.140
+	A	10.0.7.141
+	A	10.0.7.142
+	A	10.0.7.143
+	A	10.0.7.144
+	A	10.0.7.145
+	A	10.0.7.146
+	A	10.0.7.147
+	A	10.0.7.148
+	A	10.0.7.149
+	A	10.0.7.150
+	A	10.0.7.151
+	A	10.0.7.152
+	A	10.0.7.153
+	A	10.0.7.154
+	A	10.0.7.155
+	A	10.0.7.156
+	A	10.0.7.157
+	A	10.0.7.158
+	A	10.0.7.159
+	A	10.0.7.160
+	A	10.0.7.161
+	A	10.0.7.162
+	A	10.0.7.163
+	A	10.0.7.164
+	A	10.0.7.165
+	A	10.0.7.166
+	A	10.0.7.167
+	A	10.0.7.168
+	A	10.0.7.169
+	A	10.0.7.170
+	A	10.0.7.171
+	A	10.0.7.172
+	A	10.0.7.173
+	A	10.0.7.174
+	A	10.0.7.175
+	A	10.0.7.176
+	A	10.0.7.177
+	A	10.0.7.178
+	A	10.0.7.179
+	A	10.0.7.180
+	A	10.0.7.181
+	A	10.0.7.182
+	A	10.0.7.183
+	A	10.0.7.184
+	A	10.0.7.185
+	A	10.0.7.186
+	A	10.0.7.187
+	A	10.0.7.188
+	A	10.0.7.189
+	A	10.0.7.190
+	A	10.0.7.191
+	A	10.0.7.192
+	A	10.0.7.193
+	A	10.0.7.194
+	A	10.0.7.195
+	A	10.0.7.196
+	A	10.0.7.197
+	A	10.0.7.198
+	A	10.0.7.199
+	A	10.0.7.200
+	A	10.0.7.201
+	A	10.0.7.202
+	A	10.0.7.203
+	A	10.0.7.204
+	A	10.0.7.205
+	A	10.0.7.206
+	A	10.0.7.207
+	A	10.0.7.208
+	A	10.0.7.209
+	A	10.0.7.210
+	A	10.0.7.211
+	A	10.0.7.212
+	A	10.0.7.213
+	A	10.0.7.214
+	A	10.0.7.215
+	A	10.0.7.216
+	A	10.0.7.217
+	A	10.0.7.218
+	A	10.0.7.219
+	A	10.0.7.220
+	A	10.0.7.221
+	A	10.0.7.222
+	A	10.0.7.223
+	A	10.0.7.224
+	A	10.0.7.225
+	A	10.0.7.226
+	A	10.0.7.227
+	A	10.0.7.228
+	A	10.0.7.229
+	A	10.0.7.230
+	A	10.0.7.231
+	A	10.0.7.232
+	A	10.0.7.233
+	A	10.0.7.234
+	A	10.0.7.235
+	A	10.0.7.236
+	A	10.0.7.237
+	A	10.0.7.238
+	A	10.0.7.239
+	A	10.0.7.240
+	A	10.0.7.241
+	A	10.0.7.242
+	A	10.0.7.243
+	A	10.0.7.244
+	A	10.0.7.245
+	A	10.0.7.246
+	A	10.0.7.247
+	A	10.0.7.248
+	A	10.0.7.249
+	A	10.0.7.250
+	A	10.0.7.251
+	A	10.0.7.252
+	A	10.0.7.253
+	A	10.0.7.254
+	A	10.0.7.255
+	A	10.0.8.0
+	A	10.0.8.1
+	A	10.0.8.2
+	A	10.0.8.3
+	A	10.0.8.4
+	A	10.0.8.5
+	A	10.0.8.6
+	A	10.0.8.7
+	A	10.0.8.8
+	A	10.0.8.9
+	A	10.0.8.10
+	A	10.0.8.11
+	A	10.0.8.12
+	A	10.0.8.13
+	A	10.0.8.14
+	A	10.0.8.15
+	A	10.0.8.16
+	A	10.0.8.17
+	A	10.0.8.18
+	A	10.0.8.19
+	A	10.0.8.20
+	A	10.0.8.21
+	A	10.0.8.22
+	A	10.0.8.23
+	A	10.0.8.24
+	A	10.0.8.25
+	A	10.0.8.26
+	A	10.0.8.27
+	A	10.0.8.28
+	A	10.0.8.29
+	A	10.0.8.30
+	A	10.0.8.31
+	A	10.0.8.32
+	A	10.0.8.33
+	A	10.0.8.34
+	A	10.0.8.35
+	A	10.0.8.36
+	A	10.0.8.37
+	A	10.0.8.38
+	A	10.0.8.39
+	A	10.0.8.40
+	A	10.0.8.41
+	A	10.0.8.42
+	A	10.0.8.43
+	A	10.0.8.44
+	A	10.0.8.45
+	A	10.0.8.46
+	A	10.0.8.47
+	A	10.0.8.48
+	A	10.0.8.49
+	A	10.0.8.50
+	A	10.0.8.51
+	A	10.0.8.52
+	A	10.0.8.53
+	A	10.0.8.54
+	A	10.0.8.55
+	A	10.0.8.56
+	A	10.0.8.57
+	A	10.0.8.58
+	A	10.0.8.59
+	A	10.0.8.60
+	A	10.0.8.61
+	A	10.0.8.62
+	A	10.0.8.63
+	A	10.0.8.64
+	A	10.0.8.65
+	A	10.0.8.66
+	A	10.0.8.67
+	A	10.0.8.68
+	A	10.0.8.69
+	A	10.0.8.70
+	A	10.0.8.71
+	A	10.0.8.72
+	A	10.0.8.73
+	A	10.0.8.74
+	A	10.0.8.75
+	A	10.0.8.76
+	A	10.0.8.77
+	A	10.0.8.78
+	A	10.0.8.79
+	A	10.0.8.80
+	A	10.0.8.81
+	A	10.0.8.82
+	A	10.0.8.83
+	A	10.0.8.84
+	A	10.0.8.85
+	A	10.0.8.86
+	A	10.0.8.87
+	A	10.0.8.88
+	A	10.0.8.89
+	A	10.0.8.90
+	A	10.0.8.91
+	A	10.0.8.92
+	A	10.0.8.93
+	A	10.0.8.94
+	A	10.0.8.95
+	A	10.0.8.96
+	A	10.0.8.97
+	A	10.0.8.98
+	A	10.0.8.99
+	A	10.0.8.100
+	A	10.0.8.101
+	A	10.0.8.102
+	A	10.0.8.103
+	A	10.0.8.104
+	A	10.0.8.105
+	A	10.0.8.106
+	A	10.0.8.107
+	A	10.0.8.108
+	A	10.0.8.109
+	A	10.0.8.110
+	A	10.0.8.111
+	A	10.0.8.112
+	A	10.0.8.113
+	A	10.0.8.114
+	A	10.0.8.115
+	A	10.0.8.116
+	A	10.0.8.117
+	A	10.0.8.118
+	A	10.0.8.119
+	A	10.0.8.120
+	A	10.0.8.121
+	A	10.0.8.122
+	A	10.0.8.123
+	A	10.0.8.124
+	A	10.0.8.125
+	A	10.0.8.126
+	A	10.0.8.127
+	A	10.0.8.128
+	A	10.0.8.129
+	A	10.0.8.130
+	A	10.0.8.131
+	A	10.0.8.132
+	A	10.0.8.133
+	A	10.0.8.134
+	A	10.0.8.135
+	A	10.0.8.136
+	A	10.0.8.137
+	A	10.0.8.138
+	A	10.0.8.139
+	A	10.0.8.140
+	A	10.0.8.141
+	A	10.0.8.142
+	A	10.0.8.143
+	A	10.0.8.144
+	A	10.0.8.145
+	A	10.0.8.146
+	A	10.0.8.147
+	A	10.0.8.148
+	A	10.0.8.149
+	A	10.0.8.150
+	A	10.0.8.151
+	A	10.0.8.152
+	A	10.0.8.153
+	A	10.0.8.154
+	A	10.0.8.155
+	A	10.0.8.156
+	A	10.0.8.157
+	A	10.0.8.158
+	A	10.0.8.159
+	A	10.0.8.160
+	A	10.0.8.161
+	A	10.0.8.162
+	A	10.0.8.163
+	A	10.0.8.164
+	A	10.0.8.165
+	A	10.0.8.166
+	A	10.0.8.167
+	A	10.0.8.168
+	A	10.0.8.169
+	A	10.0.8.170
+	A	10.0.8.171
+	A	10.0.8.172
+	A	10.0.8.173
+	A	10.0.8.174
+	A	10.0.8.175
+	A	10.0.8.176
+	A	10.0.8.177
+	A	10.0.8.178
+	A	10.0.8.179
+	A	10.0.8.180
+	A	10.0.8.181
+	A	10.0.8.182
+	A	10.0.8.183
+	A	10.0.8.184
+	A	10.0.8.185
+	A	10.0.8.186
+	A	10.0.8.187
+	A	10.0.8.188
+	A	10.0.8.189
+	A	10.0.8.190
+	A	10.0.8.191
+	A	10.0.8.192
+	A	10.0.8.193
+	A	10.0.8.194
+	A	10.0.8.195
+	A	10.0.8.196
+	A	10.0.8.197
+	A	10.0.8.198
+	A	10.0.8.199
+	A	10.0.8.200
+	A	10.0.8.201
+	A	10.0.8.202
+	A	10.0.8.203
+	A	10.0.8.204
+	A	10.0.8.205
+	A	10.0.8.206
+	A	10.0.8.207
+	A	10.0.8.208
+	A	10.0.8.209
+	A	10.0.8.210
+	A	10.0.8.211
+	A	10.0.8.212
+	A	10.0.8.213
+	A	10.0.8.214
+	A	10.0.8.215
+	A	10.0.8.216
+	A	10.0.8.217
+	A	10.0.8.218
+	A	10.0.8.219
+	A	10.0.8.220
+	A	10.0.8.221
+	A	10.0.8.222
+	A	10.0.8.223
+	A	10.0.8.224
+	A	10.0.8.225
+	A	10.0.8.226
+	A	10.0.8.227
+	A	10.0.8.228
+	A	10.0.8.229
+	A	10.0.8.230
+	A	10.0.8.231
+	A	10.0.8.232
+	A	10.0.8.233
+	A	10.0.8.234
+	A	10.0.8.235
+	A	10.0.8.236
+	A	10.0.8.237
+	A	10.0.8.238
+	A	10.0.8.239
+	A	10.0.8.240
+	A	10.0.8.241
+	A	10.0.8.242
+	A	10.0.8.243
+	A	10.0.8.244
+	A	10.0.8.245
+	A	10.0.8.246
+	A	10.0.8.247
+	A	10.0.8.248
+	A	10.0.8.249
+	A	10.0.8.250
+	A	10.0.8.251
+	A	10.0.8.252
+	A	10.0.8.253
+	A	10.0.8.254
+	A	10.0.8.255
+	A	10.0.9.0
+	A	10.0.9.1
+	A	10.0.9.2
+	A	10.0.9.3
+	A	10.0.9.4
+	A	10.0.9.5
+	A	10.0.9.6
+	A	10.0.9.7
+	A	10.0.9.8
+	A	10.0.9.9
+	A	10.0.9.10
+	A	10.0.9.11
+	A	10.0.9.12
+	A	10.0.9.13
+	A	10.0.9.14
+	A	10.0.9.15
+	A	10.0.9.16
+	A	10.0.9.17
+	A	10.0.9.18
+	A	10.0.9.19
+	A	10.0.9.20
+	A	10.0.9.21
+	A	10.0.9.22
+	A	10.0.9.23
+	A	10.0.9.24
+	A	10.0.9.25
+	A	10.0.9.26
+	A	10.0.9.27
+	A	10.0.9.28
+	A	10.0.9.29
+	A	10.0.9.30
+	A	10.0.9.31
+	A	10.0.9.32
+	A	10.0.9.33
+	A	10.0.9.34
+	A	10.0.9.35
+	A	10.0.9.36
+	A	10.0.9.37
+	A	10.0.9.38
+	A	10.0.9.39
+	A	10.0.9.40
+	A	10.0.9.41
+	A	10.0.9.42
+	A	10.0.9.43
+	A	10.0.9.44
+	A	10.0.9.45
+	A	10.0.9.46
+	A	10.0.9.47
+	A	10.0.9.48
+	A	10.0.9.49
+	A	10.0.9.50
+	A	10.0.9.51
+	A	10.0.9.52
+	A	10.0.9.53
+	A	10.0.9.54
+	A	10.0.9.55
+	A	10.0.9.56
+	A	10.0.9.57
+	A	10.0.9.58
+	A	10.0.9.59
+	A	10.0.9.60
+	A	10.0.9.61
+	A	10.0.9.62
+	A	10.0.9.63
+	A	10.0.9.64
+	A	10.0.9.65
+	A	10.0.9.66
+	A	10.0.9.67
+	A	10.0.9.68
+	A	10.0.9.69
+	A	10.0.9.70
+	A	10.0.9.71
+	A	10.0.9.72
+	A	10.0.9.73
+	A	10.0.9.74
+	A	10.0.9.75
+	A	10.0.9.76
+	A	10.0.9.77
+	A	10.0.9.78
+	A	10.0.9.79
+	A	10.0.9.80
+	A	10.0.9.81
+	A	10.0.9.82
+	A	10.0.9.83
+	A	10.0.9.84
+	A	10.0.9.85
+	A	10.0.9.86
+	A	10.0.9.87
+	A	10.0.9.88
+	A	10.0.9.89
+	A	10.0.9.90
+	A	10.0.9.91
+	A	10.0.9.92
+	A	10.0.9.93
+	A	10.0.9.94
+	A	10.0.9.95
+	A	10.0.9.96
+	A	10.0.9.97
+	A	10.0.9.98
+	A	10.0.9.99
+	A	10.0.9.100
+	A	10.0.9.101
+	A	10.0.9.102
+	A	10.0.9.103
+	A	10.0.9.104
+	A	10.0.9.105
+	A	10.0.9.106
+	A	10.0.9.107
+	A	10.0.9.108
+	A	10.0.9.109
+	A	10.0.9.110
+	A	10.0.9.111
+	A	10.0.9.112
+	A	10.0.9.113
+	A	10.0.9.114
+	A	10.0.9.115
+	A	10.0.9.116
+	A	10.0.9.117
+	A	10.0.9.118
+	A	10.0.9.119
+	A	10.0.9.120
+	A	10.0.9.121
+	A	10.0.9.122
+	A	10.0.9.123
+	A	10.0.9.124
+	A	10.0.9.125
+	A	10.0.9.126
+	A	10.0.9.127
+	A	10.0.9.128
+	A	10.0.9.129
+	A	10.0.9.130
+	A	10.0.9.131
+	A	10.0.9.132
+	A	10.0.9.133
+	A	10.0.9.134
+	A	10.0.9.135
+	A	10.0.9.136
+	A	10.0.9.137
+	A	10.0.9.138
+	A	10.0.9.139
+	A	10.0.9.140
+	A	10.0.9.141
+	A	10.0.9.142
+	A	10.0.9.143
+	A	10.0.9.144
+	A	10.0.9.145
+	A	10.0.9.146
+	A	10.0.9.147
+	A	10.0.9.148
+	A	10.0.9.149
+	A	10.0.9.150
+	A	10.0.9.151
+	A	10.0.9.152
+	A	10.0.9.153
+	A	10.0.9.154
+	A	10.0.9.155
+	A	10.0.9.156
+	A	10.0.9.157
+	A	10.0.9.158
+	A	10.0.9.159
+	A	10.0.9.160
+	A	10.0.9.161
+	A	10.0.9.162
+	A	10.0.9.163
+	A	10.0.9.164
+	A	10.0.9.165
+	A	10.0.9.166
+	A	10.0.9.167
+	A	10.0.9.168
+	A	10.0.9.169
+	A	10.0.9.170
+	A	10.0.9.171
+	A	10.0.9.172
+	A	10.0.9.173
+	A	10.0.9.174
+	A	10.0.9.175
+	A	10.0.9.176
+	A	10.0.9.177
+	A	10.0.9.178
+	A	10.0.9.179
+	A	10.0.9.180
+	A	10.0.9.181
+	A	10.0.9.182
+	A	10.0.9.183
+	A	10.0.9.184
+	A	10.0.9.185
+	A	10.0.9.186
+	A	10.0.9.187
+	A	10.0.9.188
+	A	10.0.9.189
+	A	10.0.9.190
+	A	10.0.9.191
+	A	10.0.9.192
+	A	10.0.9.193
+	A	10.0.9.194
+	A	10.0.9.195
+	A	10.0.9.196
+	A	10.0.9.197
+	A	10.0.9.198
+	A	10.0.9.199
+	A	10.0.9.200
+	A	10.0.9.201
+	A	10.0.9.202
+	A	10.0.9.203
+	A	10.0.9.204
+	A	10.0.9.205
+	A	10.0.9.206
+	A	10.0.9.207
+	A	10.0.9.208
+	A	10.0.9.209
+	A	10.0.9.210
+	A	10.0.9.211
+	A	10.0.9.212
+	A	10.0.9.213
+	A	10.0.9.214
+	A	10.0.9.215
+	A	10.0.9.216
+	A	10.0.9.217
+	A	10.0.9.218
+	A	10.0.9.219
+	A	10.0.9.220
+	A	10.0.9.221
+	A	10.0.9.222
+	A	10.0.9.223
+	A	10.0.9.224
+	A	10.0.9.225
+	A	10.0.9.226
+	A	10.0.9.227
+	A	10.0.9.228
+	A	10.0.9.229
+	A	10.0.9.230
+	A	10.0.9.231
+	A	10.0.9.232
+	A	10.0.9.233
+	A	10.0.9.234
+	A	10.0.9.235
+	A	10.0.9.236
+	A	10.0.9.237
+	A	10.0.9.238
+	A	10.0.9.239
+	A	10.0.9.240
+	A	10.0.9.241
+	A	10.0.9.242
+	A	10.0.9.243
+	A	10.0.9.244
+	A	10.0.9.245
+	A	10.0.9.246
+	A	10.0.9.247
+	A	10.0.9.248
+	A	10.0.9.249
+	A	10.0.9.250
+	A	10.0.9.251
+	A	10.0.9.252
+	A	10.0.9.253
+	A	10.0.9.254
+	A	10.0.9.255
+	A	10.0.10.0
+	A	10.0.10.1
+	A	10.0.10.2
+	A	10.0.10.3
+	A	10.0.10.4
+	A	10.0.10.5
+	A	10.0.10.6
+	A	10.0.10.7
+	A	10.0.10.8
+	A	10.0.10.9
+	A	10.0.10.10
+	A	10.0.10.11
+	A	10.0.10.12
+	A	10.0.10.13
+	A	10.0.10.14
+	A	10.0.10.15
+	A	10.0.10.16
+	A	10.0.10.17
+	A	10.0.10.18
+	A	10.0.10.19
+	A	10.0.10.20
+	A	10.0.10.21
+	A	10.0.10.22
+	A	10.0.10.23
+	A	10.0.10.24
+	A	10.0.10.25
+	A	10.0.10.26
+	A	10.0.10.27
+	A	10.0.10.28
+	A	10.0.10.29
+	A	10.0.10.30
+	A	10.0.10.31
+	A	10.0.10.32
+	A	10.0.10.33
+	A	10.0.10.34
+	A	10.0.10.35
+	A	10.0.10.36
+	A	10.0.10.37
+	A	10.0.10.38
+	A	10.0.10.39
+	A	10.0.10.40
+	A	10.0.10.41
+	A	10.0.10.42
+	A	10.0.10.43
+	A	10.0.10.44
+	A	10.0.10.45
+	A	10.0.10.46
+	A	10.0.10.47
+	A	10.0.10.48
+	A	10.0.10.49
+	A	10.0.10.50
+	A	10.0.10.51
+	A	10.0.10.52
+	A	10.0.10.53
+	A	10.0.10.54
+	A	10.0.10.55
+	A	10.0.10.56
+	A	10.0.10.57
+	A	10.0.10.58
+	A	10.0.10.59
+	A	10.0.10.60
+	A	10.0.10.61
+	A	10.0.10.62
+	A	10.0.10.63
+	A	10.0.10.64
+	A	10.0.10.65
+	A	10.0.10.66
+	A	10.0.10.67
+	A	10.0.10.68
+	A	10.0.10.69
+	A	10.0.10.70
+	A	10.0.10.71
+	A	10.0.10.72
+	A	10.0.10.73
+	A	10.0.10.74
+	A	10.0.10.75
+	A	10.0.10.76
+	A	10.0.10.77
+	A	10.0.10.78
+	A	10.0.10.79
+	A	10.0.10.80
+	A	10.0.10.81
+	A	10.0.10.82
+	A	10.0.10.83
+	A	10.0.10.84
+	A	10.0.10.85
+	A	10.0.10.86
+	A	10.0.10.87
+	A	10.0.10.88
+	A	10.0.10.89
+	A	10.0.10.90
+	A	10.0.10.91
+	A	10.0.10.92
+	A	10.0.10.93
+	A	10.0.10.94
+	A	10.0.10.95
+	A	10.0.10.96
+	A	10.0.10.97
+	A	10.0.10.98
+	A	10.0.10.99
+	A	10.0.10.100
+	A	10.0.10.101
+	A	10.0.10.102
+	A	10.0.10.103
+	A	10.0.10.104
+	A	10.0.10.105
+	A	10.0.10.106
+	A	10.0.10.107
+	A	10.0.10.108
+	A	10.0.10.109
+	A	10.0.10.110
+	A	10.0.10.111
+	A	10.0.10.112
+	A	10.0.10.113
+	A	10.0.10.114
+	A	10.0.10.115
+	A	10.0.10.116
+	A	10.0.10.117
+	A	10.0.10.118
+	A	10.0.10.119
+	A	10.0.10.120
+	A	10.0.10.121
+	A	10.0.10.122
+	A	10.0.10.123
+	A	10.0.10.124
+	A	10.0.10.125
+	A	10.0.10.126
+	A	10.0.10.127
+	A	10.0.10.128
+	A	10.0.10.129
+	A	10.0.10.130
+	A	10.0.10.131
+	A	10.0.10.132
+	A	10.0.10.133
+	A	10.0.10.134
+	A	10.0.10.135
+	A	10.0.10.136
+	A	10.0.10.137
+	A	10.0.10.138
+	A	10.0.10.139
+	A	10.0.10.140
+	A	10.0.10.141
+	A	10.0.10.142
+	A	10.0.10.143
+	A	10.0.10.144
+	A	10.0.10.145
+	A	10.0.10.146
+	A	10.0.10.147
+	A	10.0.10.148
+	A	10.0.10.149
+	A	10.0.10.150
+	A	10.0.10.151
+	A	10.0.10.152
+	A	10.0.10.153
+	A	10.0.10.154
+	A	10.0.10.155
+	A	10.0.10.156
+	A	10.0.10.157
+	A	10.0.10.158
+	A	10.0.10.159
+	A	10.0.10.160
+	A	10.0.10.161
+	A	10.0.10.162
+	A	10.0.10.163
+	A	10.0.10.164
+	A	10.0.10.165
+	A	10.0.10.166
+	A	10.0.10.167
+	A	10.0.10.168
+	A	10.0.10.169
+	A	10.0.10.170
+	A	10.0.10.171
+	A	10.0.10.172
+	A	10.0.10.173
+	A	10.0.10.174
+	A	10.0.10.175
+	A	10.0.10.176
+	A	10.0.10.177
+	A	10.0.10.178
+	A	10.0.10.179
+	A	10.0.10.180
+	A	10.0.10.181
+	A	10.0.10.182
+	A	10.0.10.183
+	A	10.0.10.184
+	A	10.0.10.185
+	A	10.0.10.186
+	A	10.0.10.187
+	A	10.0.10.188
+	A	10.0.10.189
+	A	10.0.10.190
+	A	10.0.10.191
+	A	10.0.10.192
+	A	10.0.10.193
+	A	10.0.10.194
+	A	10.0.10.195
+	A	10.0.10.196
+	A	10.0.10.197
+	A	10.0.10.198
+	A	10.0.10.199
+	A	10.0.10.200
+	A	10.0.10.201
+	A	10.0.10.202
+	A	10.0.10.203
+	A	10.0.10.204
+	A	10.0.10.205
+	A	10.0.10.206
+	A	10.0.10.207
+	A	10.0.10.208
+	A	10.0.10.209
+	A	10.0.10.210
+	A	10.0.10.211
+	A	10.0.10.212
+	A	10.0.10.213
+	A	10.0.10.214
+	A	10.0.10.215
+	A	10.0.10.216
+	A	10.0.10.217
+	A	10.0.10.218
+	A	10.0.10.219
+	A	10.0.10.220
+	A	10.0.10.221
+	A	10.0.10.222
+	A	10.0.10.223
+	A	10.0.10.224
+	A	10.0.10.225
+	A	10.0.10.226
+	A	10.0.10.227
+	A	10.0.10.228
+	A	10.0.10.229
+	A	10.0.10.230
+	A	10.0.10.231
+	A	10.0.10.232
+	A	10.0.10.233
+	A	10.0.10.234
+	A	10.0.10.235
+	A	10.0.10.236
+	A	10.0.10.237
+	A	10.0.10.238
+	A	10.0.10.239
+	A	10.0.10.240
+	A	10.0.10.241
+	A	10.0.10.242
+	A	10.0.10.243
+	A	10.0.10.244
+	A	10.0.10.245
+	A	10.0.10.246
+	A	10.0.10.247
+	A	10.0.10.248
+	A	10.0.10.249
+	A	10.0.10.250
+	A	10.0.10.251
+	A	10.0.10.252
+	A	10.0.10.253
+	A	10.0.10.254
+	A	10.0.10.255
+	A	10.0.11.0
+	A	10.0.11.1
+	A	10.0.11.2
+	A	10.0.11.3
+	A	10.0.11.4
+	A	10.0.11.5
+	A	10.0.11.6
+	A	10.0.11.7
+	A	10.0.11.8
+	A	10.0.11.9
+	A	10.0.11.10
+	A	10.0.11.11
+	A	10.0.11.12
+	A	10.0.11.13
+	A	10.0.11.14
+	A	10.0.11.15
+	A	10.0.11.16
+	A	10.0.11.17
+	A	10.0.11.18
+	A	10.0.11.19
+	A	10.0.11.20
+	A	10.0.11.21
+	A	10.0.11.22
+	A	10.0.11.23
+	A	10.0.11.24
+	A	10.0.11.25
+	A	10.0.11.26
+	A	10.0.11.27
+	A	10.0.11.28
+	A	10.0.11.29
+	A	10.0.11.30
+	A	10.0.11.31
+	A	10.0.11.32
+	A	10.0.11.33
+	A	10.0.11.34
+	A	10.0.11.35
+	A	10.0.11.36
+	A	10.0.11.37
+	A	10.0.11.38
+	A	10.0.11.39
+	A	10.0.11.40
+	A	10.0.11.41
+	A	10.0.11.42
+	A	10.0.11.43
+	A	10.0.11.44
+	A	10.0.11.45
+	A	10.0.11.46
+	A	10.0.11.47
+	A	10.0.11.48
+	A	10.0.11.49
+	A	10.0.11.50
+	A	10.0.11.51
+	A	10.0.11.52
+	A	10.0.11.53
+	A	10.0.11.54
+	A	10.0.11.55
+	A	10.0.11.56
+	A	10.0.11.57
+	A	10.0.11.58
+	A	10.0.11.59
+	A	10.0.11.60
+	A	10.0.11.61
+	A	10.0.11.62
+	A	10.0.11.63
+	A	10.0.11.64
+	A	10.0.11.65
+	A	10.0.11.66
+	A	10.0.11.67
+	A	10.0.11.68
+	A	10.0.11.69
+	A	10.0.11.70
+	A	10.0.11.71
+	A	10.0.11.72
+	A	10.0.11.73
+	A	10.0.11.74
+	A	10.0.11.75
+	A	10.0.11.76
+	A	10.0.11.77
+	A	10.0.11.78
+	A	10.0.11.79
+	A	10.0.11.80
+	A	10.0.11.81
+	A	10.0.11.82
+	A	10.0.11.83
+	A	10.0.11.84
+	A	10.0.11.85
+	A	10.0.11.86
+	A	10.0.11.87
+	A	10.0.11.88
+	A	10.0.11.89
+	A	10.0.11.90
+	A	10.0.11.91
+	A	10.0.11.92
+	A	10.0.11.93
+	A	10.0.11.94
+	A	10.0.11.95
+	A	10.0.11.96
+	A	10.0.11.97
+	A	10.0.11.98
+	A	10.0.11.99
+	A	10.0.11.100
+	A	10.0.11.101
+	A	10.0.11.102
+	A	10.0.11.103
+	A	10.0.11.104
+	A	10.0.11.105
+	A	10.0.11.106
+	A	10.0.11.107
+	A	10.0.11.108
+	A	10.0.11.109
+	A	10.0.11.110
+	A	10.0.11.111
+	A	10.0.11.112
+	A	10.0.11.113
+	A	10.0.11.114
+	A	10.0.11.115
+	A	10.0.11.116
+	A	10.0.11.117
+	A	10.0.11.118
+	A	10.0.11.119
+	A	10.0.11.120
+	A	10.0.11.121
+	A	10.0.11.122
+	A	10.0.11.123
+	A	10.0.11.124
+	A	10.0.11.125
+	A	10.0.11.126
+	A	10.0.11.127
+	A	10.0.11.128
+	A	10.0.11.129
+	A	10.0.11.130
+	A	10.0.11.131
+	A	10.0.11.132
+	A	10.0.11.133
+	A	10.0.11.134
+	A	10.0.11.135
+	A	10.0.11.136
+	A	10.0.11.137
+	A	10.0.11.138
+	A	10.0.11.139
+	A	10.0.11.140
+	A	10.0.11.141
+	A	10.0.11.142
+	A	10.0.11.143
+	A	10.0.11.144
+	A	10.0.11.145
+	A	10.0.11.146
+	A	10.0.11.147
+	A	10.0.11.148
+	A	10.0.11.149
+	A	10.0.11.150
+	A	10.0.11.151
+	A	10.0.11.152
+	A	10.0.11.153
+	A	10.0.11.154
+	A	10.0.11.155
+	A	10.0.11.156
+	A	10.0.11.157
+	A	10.0.11.158
+	A	10.0.11.159
+	A	10.0.11.160
+	A	10.0.11.161
+	A	10.0.11.162
+	A	10.0.11.163
+	A	10.0.11.164
+	A	10.0.11.165
+	A	10.0.11.166
+	A	10.0.11.167
+	A	10.0.11.168
+	A	10.0.11.169
+	A	10.0.11.170
+	A	10.0.11.171
+	A	10.0.11.172
+	A	10.0.11.173
+	A	10.0.11.174
+	A	10.0.11.175
+	A	10.0.11.176
+	A	10.0.11.177
+	A	10.0.11.178
+	A	10.0.11.179
+	A	10.0.11.180
+	A	10.0.11.181
+	A	10.0.11.182
+	A	10.0.11.183
+	A	10.0.11.184
+	A	10.0.11.185
+	A	10.0.11.186
+	A	10.0.11.187
+	A	10.0.11.188
+	A	10.0.11.189
+	A	10.0.11.190
+	A	10.0.11.191
+	A	10.0.11.192
+	A	10.0.11.193
+	A	10.0.11.194
+	A	10.0.11.195
+	A	10.0.11.196
+	A	10.0.11.197
+	A	10.0.11.198
+	A	10.0.11.199
+	A	10.0.11.200
+	A	10.0.11.201
+	A	10.0.11.202
+	A	10.0.11.203
+	A	10.0.11.204
+	A	10.0.11.205
+	A	10.0.11.206
+	A	10.0.11.207
+	A	10.0.11.208
+	A	10.0.11.209
+	A	10.0.11.210
+	A	10.0.11.211
+	A	10.0.11.212
+	A	10.0.11.213
+	A	10.0.11.214
+	A	10.0.11.215
+	A	10.0.11.216
+	A	10.0.11.217
+	A	10.0.11.218
+	A	10.0.11.219
+	A	10.0.11.220
+	A	10.0.11.221
+	A	10.0.11.222
+	A	10.0.11.223
+	A	10.0.11.224
+	A	10.0.11.225
+	A	10.0.11.226
+	A	10.0.11.227
+	A	10.0.11.228
+	A	10.0.11.229
+	A	10.0.11.230
+	A	10.0.11.231
+	A	10.0.11.232
+	A	10.0.11.233
+	A	10.0.11.234
+	A	10.0.11.235
+	A	10.0.11.236
+	A	10.0.11.237
+	A	10.0.11.238
+	A	10.0.11.239
+	A	10.0.11.240
+	A	10.0.11.241
+	A	10.0.11.242
+	A	10.0.11.243
+	A	10.0.11.244
+	A	10.0.11.245
+	A	10.0.11.246
+	A	10.0.11.247
+	A	10.0.11.248
+	A	10.0.11.249
+	A	10.0.11.250
+	A	10.0.11.251
+	A	10.0.11.252
+	A	10.0.11.253
+	A	10.0.11.254
+	A	10.0.11.255
+	A	10.0.12.0
+	A	10.0.12.1
+	A	10.0.12.2
+	A	10.0.12.3
+	A	10.0.12.4
+	A	10.0.12.5
+	A	10.0.12.6
+	A	10.0.12.7
+	A	10.0.12.8
+	A	10.0.12.9
+	A	10.0.12.10
+	A	10.0.12.11
+	A	10.0.12.12
+	A	10.0.12.13
+	A	10.0.12.14
+	A	10.0.12.15
+	A	10.0.12.16
+	A	10.0.12.17
+	A	10.0.12.18
+	A	10.0.12.19
+	A	10.0.12.20
+	A	10.0.12.21
+	A	10.0.12.22
+	A	10.0.12.23
+	A	10.0.12.24
+	A	10.0.12.25
+	A	10.0.12.26
+	A	10.0.12.27
+	A	10.0.12.28
+	A	10.0.12.29
+	A	10.0.12.30
+	A	10.0.12.31
+	A	10.0.12.32
+	A	10.0.12.33
+	A	10.0.12.34
+	A	10.0.12.35
+	A	10.0.12.36
+	A	10.0.12.37
+	A	10.0.12.38
+	A	10.0.12.39
+	A	10.0.12.40
+	A	10.0.12.41
+	A	10.0.12.42
+	A	10.0.12.43
+	A	10.0.12.44
+	A	10.0.12.45
+	A	10.0.12.46
+	A	10.0.12.47
+	A	10.0.12.48
+	A	10.0.12.49
+	A	10.0.12.50
+	A	10.0.12.51
+	A	10.0.12.52
+	A	10.0.12.53
+	A	10.0.12.54
+	A	10.0.12.55
+	A	10.0.12.56
+	A	10.0.12.57
+	A	10.0.12.58
+	A	10.0.12.59
+	A	10.0.12.60
+	A	10.0.12.61
+	A	10.0.12.62
+	A	10.0.12.63
+	A	10.0.12.64
+	A	10.0.12.65
+	A	10.0.12.66
+	A	10.0.12.67
+	A	10.0.12.68
+	A	10.0.12.69
+	A	10.0.12.70
+	A	10.0.12.71
+	A	10.0.12.72
+	A	10.0.12.73
+	A	10.0.12.74
+	A	10.0.12.75
+	A	10.0.12.76
+	A	10.0.12.77
+	A	10.0.12.78
+	A	10.0.12.79
+	A	10.0.12.80
+	A	10.0.12.81
+	A	10.0.12.82
+	A	10.0.12.83
+	A	10.0.12.84
+	A	10.0.12.85
+	A	10.0.12.86
+	A	10.0.12.87
+	A	10.0.12.88
+	A	10.0.12.89
+	A	10.0.12.90
+	A	10.0.12.91
+	A	10.0.12.92
+	A	10.0.12.93
+	A	10.0.12.94
+	A	10.0.12.95
+	A	10.0.12.96
+	A	10.0.12.97
+	A	10.0.12.98
+	A	10.0.12.99
+	A	10.0.12.100
+	A	10.0.12.101
+	A	10.0.12.102
+	A	10.0.12.103
+	A	10.0.12.104
+	A	10.0.12.105
+	A	10.0.12.106
+	A	10.0.12.107
+	A	10.0.12.108
+	A	10.0.12.109
+	A	10.0.12.110
+	A	10.0.12.111
+	A	10.0.12.112
+	A	10.0.12.113
+	A	10.0.12.114
+	A	10.0.12.115
+	A	10.0.12.116
+	A	10.0.12.117
+	A	10.0.12.118
+	A	10.0.12.119
+	A	10.0.12.120
+	A	10.0.12.121
+	A	10.0.12.122
+	A	10.0.12.123
+	A	10.0.12.124
+	A	10.0.12.125
+	A	10.0.12.126
+	A	10.0.12.127
+	A	10.0.12.128
+	A	10.0.12.129
+	A	10.0.12.130
+	A	10.0.12.131
+	A	10.0.12.132
+	A	10.0.12.133
+	A	10.0.12.134
+	A	10.0.12.135
+	A	10.0.12.136
+	A	10.0.12.137
+	A	10.0.12.138
+	A	10.0.12.139
+	A	10.0.12.140
+	A	10.0.12.141
+	A	10.0.12.142
+	A	10.0.12.143
+	A	10.0.12.144
+	A	10.0.12.145
+	A	10.0.12.146
+	A	10.0.12.147
+	A	10.0.12.148
+	A	10.0.12.149
+	A	10.0.12.150
+	A	10.0.12.151
+	A	10.0.12.152
+	A	10.0.12.153
+	A	10.0.12.154
+	A	10.0.12.155
+	A	10.0.12.156
+	A	10.0.12.157
+	A	10.0.12.158
+	A	10.0.12.159
+	A	10.0.12.160
+	A	10.0.12.161
+	A	10.0.12.162
+	A	10.0.12.163
+	A	10.0.12.164
+	A	10.0.12.165
+	A	10.0.12.166
+	A	10.0.12.167
+	A	10.0.12.168
+	A	10.0.12.169
+	A	10.0.12.170
+	A	10.0.12.171
+	A	10.0.12.172
+	A	10.0.12.173
+	A	10.0.12.174
+	A	10.0.12.175
+	A	10.0.12.176
+	A	10.0.12.177
+	A	10.0.12.178
+	A	10.0.12.179
+	A	10.0.12.180
+	A	10.0.12.181
+	A	10.0.12.182
+	A	10.0.12.183
+	A	10.0.12.184
+	A	10.0.12.185
+	A	10.0.12.186
+	A	10.0.12.187
+	A	10.0.12.188
+	A	10.0.12.189
+	A	10.0.12.190
+	A	10.0.12.191
+	A	10.0.12.192
+	A	10.0.12.193
+	A	10.0.12.194
+	A	10.0.12.195
+	A	10.0.12.196
+	A	10.0.12.197
+	A	10.0.12.198
+	A	10.0.12.199
+	A	10.0.12.200
+	A	10.0.12.201
+	A	10.0.12.202
+	A	10.0.12.203
+	A	10.0.12.204
+	A	10.0.12.205
+	A	10.0.12.206
+	A	10.0.12.207
+	A	10.0.12.208
+	A	10.0.12.209
+	A	10.0.12.210
+	A	10.0.12.211
+	A	10.0.12.212
+	A	10.0.12.213
+	A	10.0.12.214
+	A	10.0.12.215
+	A	10.0.12.216
+	A	10.0.12.217
+	A	10.0.12.218
+	A	10.0.12.219
+	A	10.0.12.220
+	A	10.0.12.221
+	A	10.0.12.222
+	A	10.0.12.223
+	A	10.0.12.224
+	A	10.0.12.225
+	A	10.0.12.226
+	A	10.0.12.227
+	A	10.0.12.228
+	A	10.0.12.229
+	A	10.0.12.230
+	A	10.0.12.231
+	A	10.0.12.232
+	A	10.0.12.233
+	A	10.0.12.234
+	A	10.0.12.235
+	A	10.0.12.236
+	A	10.0.12.237
+	A	10.0.12.238
+	A	10.0.12.239
+	A	10.0.12.240
+	A	10.0.12.241
+	A	10.0.12.242
+	A	10.0.12.243
+	A	10.0.12.244
+	A	10.0.12.245
+	A	10.0.12.246
+	A	10.0.12.247
+	A	10.0.12.248
+	A	10.0.12.249
+	A	10.0.12.250
+	A	10.0.12.251
+	A	10.0.12.252
+	A	10.0.12.253
+	A	10.0.12.254
+	A	10.0.12.255
+	A	10.0.13.0
+	A	10.0.13.1
+	A	10.0.13.2
+	A	10.0.13.3
+	A	10.0.13.4
+	A	10.0.13.5
+	A	10.0.13.6
+	A	10.0.13.7
+	A	10.0.13.8
+	A	10.0.13.9
+	A	10.0.13.10
+	A	10.0.13.11
+	A	10.0.13.12
+	A	10.0.13.13
+	A	10.0.13.14
+	A	10.0.13.15
+	A	10.0.13.16
+	A	10.0.13.17
+	A	10.0.13.18
+	A	10.0.13.19
+	A	10.0.13.20
+	A	10.0.13.21
+	A	10.0.13.22
+	A	10.0.13.23
+	A	10.0.13.24
+	A	10.0.13.25
+	A	10.0.13.26
+	A	10.0.13.27
+	A	10.0.13.28
+	A	10.0.13.29
+	A	10.0.13.30
+	A	10.0.13.31
+	A	10.0.13.32
+	A	10.0.13.33
+	A	10.0.13.34
+	A	10.0.13.35
+	A	10.0.13.36
+	A	10.0.13.37
+	A	10.0.13.38
+	A	10.0.13.39
+	A	10.0.13.40
+	A	10.0.13.41
+	A	10.0.13.42
+	A	10.0.13.43
+	A	10.0.13.44
+	A	10.0.13.45
+	A	10.0.13.46
+	A	10.0.13.47
+	A	10.0.13.48
+	A	10.0.13.49
+	A	10.0.13.50
+	A	10.0.13.51
+	A	10.0.13.52
+	A	10.0.13.53
+	A	10.0.13.54
+	A	10.0.13.55
+	A	10.0.13.56
+	A	10.0.13.57
+	A	10.0.13.58
+	A	10.0.13.59
+	A	10.0.13.60
+	A	10.0.13.61
+	A	10.0.13.62
+	A	10.0.13.63
+	A	10.0.13.64
+	A	10.0.13.65
+	A	10.0.13.66
+	A	10.0.13.67
+	A	10.0.13.68
+	A	10.0.13.69
+	A	10.0.13.70
+	A	10.0.13.71
+	A	10.0.13.72
+	A	10.0.13.73
+	A	10.0.13.74
+	A	10.0.13.75
+	A	10.0.13.76
+	A	10.0.13.77
+	A	10.0.13.78
+	A	10.0.13.79
+	A	10.0.13.80
+	A	10.0.13.81
+	A	10.0.13.82
+	A	10.0.13.83
+	A	10.0.13.84
+	A	10.0.13.85
+	A	10.0.13.86
+	A	10.0.13.87
+	A	10.0.13.88
+	A	10.0.13.89
+	A	10.0.13.90
+	A	10.0.13.91
+	A	10.0.13.92
+	A	10.0.13.93
+	A	10.0.13.94
+	A	10.0.13.95
+	A	10.0.13.96
+	A	10.0.13.97
+	A	10.0.13.98
+	A	10.0.13.99
+	A	10.0.13.100
+	A	10.0.13.101
+	A	10.0.13.102
+	A	10.0.13.103
+	A	10.0.13.104
+	A	10.0.13.105
+	A	10.0.13.106
+	A	10.0.13.107
+	A	10.0.13.108
+	A	10.0.13.109
+	A	10.0.13.110
+	A	10.0.13.111
+	A	10.0.13.112
+	A	10.0.13.113
+	A	10.0.13.114
+	A	10.0.13.115
+	A	10.0.13.116
+	A	10.0.13.117
+	A	10.0.13.118
+	A	10.0.13.119
+	A	10.0.13.120
+	A	10.0.13.121
+	A	10.0.13.122
+	A	10.0.13.123
+	A	10.0.13.124
+	A	10.0.13.125
+	A	10.0.13.126
+	A	10.0.13.127
+	A	10.0.13.128
+	A	10.0.13.129
+	A	10.0.13.130
+	A	10.0.13.131
+	A	10.0.13.132
+	A	10.0.13.133
+	A	10.0.13.134
+	A	10.0.13.135
+	A	10.0.13.136
+	A	10.0.13.137
+	A	10.0.13.138
+	A	10.0.13.139
+	A	10.0.13.140
+	A	10.0.13.141
+	A	10.0.13.142
+	A	10.0.13.143
+	A	10.0.13.144
+	A	10.0.13.145
+	A	10.0.13.146
+	A	10.0.13.147
+	A	10.0.13.148
+	A	10.0.13.149
+	A	10.0.13.150
+	A	10.0.13.151
+	A	10.0.13.152
+	A	10.0.13.153
+	A	10.0.13.154
+	A	10.0.13.155
+	A	10.0.13.156
+	A	10.0.13.157
+	A	10.0.13.158
+	A	10.0.13.159
+	A	10.0.13.160
+	A	10.0.13.161
+	A	10.0.13.162
+	A	10.0.13.163
+	A	10.0.13.164
+	A	10.0.13.165
+	A	10.0.13.166
+	A	10.0.13.167
+	A	10.0.13.168
+	A	10.0.13.169
+	A	10.0.13.170
+	A	10.0.13.171
+	A	10.0.13.172
+	A	10.0.13.173
+	A	10.0.13.174
+	A	10.0.13.175
+	A	10.0.13.176
+	A	10.0.13.177
+	A	10.0.13.178
+	A	10.0.13.179
+	A	10.0.13.180
+	A	10.0.13.181
+	A	10.0.13.182
+	A	10.0.13.183
+	A	10.0.13.184
+	A	10.0.13.185
+	A	10.0.13.186
+	A	10.0.13.187
+	A	10.0.13.188
+	A	10.0.13.189
+	A	10.0.13.190
+	A	10.0.13.191
+	A	10.0.13.192
+	A	10.0.13.193
+	A	10.0.13.194
+	A	10.0.13.195
+	A	10.0.13.196
+	A	10.0.13.197
+	A	10.0.13.198
+	A	10.0.13.199
+	A	10.0.13.200
+	A	10.0.13.201
+	A	10.0.13.202
+	A	10.0.13.203
+	A	10.0.13.204
+	A	10.0.13.205
+	A	10.0.13.206
+	A	10.0.13.207
+	A	10.0.13.208
+	A	10.0.13.209
+	A	10.0.13.210
+	A	10.0.13.211
+	A	10.0.13.212
+	A	10.0.13.213
+	A	10.0.13.214
+	A	10.0.13.215
+	A	10.0.13.216
+	A	10.0.13.217
+	A	10.0.13.218
+	A	10.0.13.219
+	A	10.0.13.220
+	A	10.0.13.221
+	A	10.0.13.222
+	A	10.0.13.223
+	A	10.0.13.224
+	A	10.0.13.225
+	A	10.0.13.226
+	A	10.0.13.227
+	A	10.0.13.228
+	A	10.0.13.229
+	A	10.0.13.230
+	A	10.0.13.231
+	A	10.0.13.232
+	A	10.0.13.233
+	A	10.0.13.234
+	A	10.0.13.235
+	A	10.0.13.236
+	A	10.0.13.237
+	A	10.0.13.238
+	A	10.0.13.239
+	A	10.0.13.240
+	A	10.0.13.241
+	A	10.0.13.242
+	A	10.0.13.243
+	A	10.0.13.244
+	A	10.0.13.245
+	A	10.0.13.246
+	A	10.0.13.247
+	A	10.0.13.248
+	A	10.0.13.249
+	A	10.0.13.250
+	A	10.0.13.251
+	A	10.0.13.252
+	A	10.0.13.253
+	A	10.0.13.254
+	A	10.0.13.255
+	A	10.0.14.0
+	A	10.0.14.1
+	A	10.0.14.2
+	A	10.0.14.3
+	A	10.0.14.4
+	A	10.0.14.5
+	A	10.0.14.6
+	A	10.0.14.7
+	A	10.0.14.8
+	A	10.0.14.9
+	A	10.0.14.10
+	A	10.0.14.11
+	A	10.0.14.12
+	A	10.0.14.13
+	A	10.0.14.14
+	A	10.0.14.15
+	A	10.0.14.16
+	A	10.0.14.17
+	A	10.0.14.18
+	A	10.0.14.19
+	A	10.0.14.20
+	A	10.0.14.21
+	A	10.0.14.22
+	A	10.0.14.23
+	A	10.0.14.24
+	A	10.0.14.25
+	A	10.0.14.26
+	A	10.0.14.27
+	A	10.0.14.28
+	A	10.0.14.29
+	A	10.0.14.30
+	A	10.0.14.31
+	A	10.0.14.32
+	A	10.0.14.33
+	A	10.0.14.34
+	A	10.0.14.35
+	A	10.0.14.36
+	A	10.0.14.37
+	A	10.0.14.38
+	A	10.0.14.39
+	A	10.0.14.40
+	A	10.0.14.41
+	A	10.0.14.42
+	A	10.0.14.43
+	A	10.0.14.44
+	A	10.0.14.45
+	A	10.0.14.46
+	A	10.0.14.47
+	A	10.0.14.48
+	A	10.0.14.49
+	A	10.0.14.50
+	A	10.0.14.51
+	A	10.0.14.52
+	A	10.0.14.53
+	A	10.0.14.54
+	A	10.0.14.55
+	A	10.0.14.56
+	A	10.0.14.57
+	A	10.0.14.58
+	A	10.0.14.59
+	A	10.0.14.60
+	A	10.0.14.61
+	A	10.0.14.62
+	A	10.0.14.63
+	A	10.0.14.64
+	A	10.0.14.65
+	A	10.0.14.66
+	A	10.0.14.67
+	A	10.0.14.68
+	A	10.0.14.69
+	A	10.0.14.70
+	A	10.0.14.71
+	A	10.0.14.72
+	A	10.0.14.73
+	A	10.0.14.74
+	A	10.0.14.75
+	A	10.0.14.76
+	A	10.0.14.77
+	A	10.0.14.78
+	A	10.0.14.79
+	A	10.0.14.80
+	A	10.0.14.81
+	A	10.0.14.82
+	A	10.0.14.83
+	A	10.0.14.84
+	A	10.0.14.85
+	A	10.0.14.86
+	A	10.0.14.87
+	A	10.0.14.88
+	A	10.0.14.89
+	A	10.0.14.90
+	A	10.0.14.91
+	A	10.0.14.92
+	A	10.0.14.93
+	A	10.0.14.94
+	A	10.0.14.95
+	A	10.0.14.96
+	A	10.0.14.97
+	A	10.0.14.98
+	A	10.0.14.99
+	A	10.0.14.100
+	A	10.0.14.101
+	A	10.0.14.102
+	A	10.0.14.103
+	A	10.0.14.104
+	A	10.0.14.105
+	A	10.0.14.106
+	A	10.0.14.107
+	A	10.0.14.108
+	A	10.0.14.109
+	A	10.0.14.110
+	A	10.0.14.111
+	A	10.0.14.112
+	A	10.0.14.113
+	A	10.0.14.114
+	A	10.0.14.115
+	A	10.0.14.116
+	A	10.0.14.117
+	A	10.0.14.118
+	A	10.0.14.119
+	A	10.0.14.120
+	A	10.0.14.121
+	A	10.0.14.122
+	A	10.0.14.123
+	A	10.0.14.124
+	A	10.0.14.125
+	A	10.0.14.126
+	A	10.0.14.127
+	A	10.0.14.128
+	A	10.0.14.129
+	A	10.0.14.130
+	A	10.0.14.131
+	A	10.0.14.132
+	A	10.0.14.133
+	A	10.0.14.134
+	A	10.0.14.135
+	A	10.0.14.136
+	A	10.0.14.137
+	A	10.0.14.138
+	A	10.0.14.139
+	A	10.0.14.140
+	A	10.0.14.141
+	A	10.0.14.142
+	A	10.0.14.143
+	A	10.0.14.144
+	A	10.0.14.145
+	A	10.0.14.146
+	A	10.0.14.147
+	A	10.0.14.148
+	A	10.0.14.149
+	A	10.0.14.150
+	A	10.0.14.151
+	A	10.0.14.152
+	A	10.0.14.153
+	A	10.0.14.154
+	A	10.0.14.155
+	A	10.0.14.156
+	A	10.0.14.157
+	A	10.0.14.158
+	A	10.0.14.159
+	A	10.0.14.160
+	A	10.0.14.161
+	A	10.0.14.162
+	A	10.0.14.163
+	A	10.0.14.164
+	A	10.0.14.165
+	A	10.0.14.166
+	A	10.0.14.167
+	A	10.0.14.168
+	A	10.0.14.169
+	A	10.0.14.170
+	A	10.0.14.171
+	A	10.0.14.172
+	A	10.0.14.173
+	A	10.0.14.174
+	A	10.0.14.175
+	A	10.0.14.176
+	A	10.0.14.177
+	A	10.0.14.178
+	A	10.0.14.179
+	A	10.0.14.180
+	A	10.0.14.181
+	A	10.0.14.182
+	A	10.0.14.183
+	A	10.0.14.184
+	A	10.0.14.185
+	A	10.0.14.186
+	A	10.0.14.187
+	A	10.0.14.188
+	A	10.0.14.189
+	A	10.0.14.190
+	A	10.0.14.191
+	A	10.0.14.192
+	A	10.0.14.193
+	A	10.0.14.194
+	A	10.0.14.195
+	A	10.0.14.196
+	A	10.0.14.197
+	A	10.0.14.198
+	A	10.0.14.199
+	A	10.0.14.200
+	A	10.0.14.201
+	A	10.0.14.202
+	A	10.0.14.203
+	A	10.0.14.204
+	A	10.0.14.205
+	A	10.0.14.206
+	A	10.0.14.207
+	A	10.0.14.208
+	A	10.0.14.209
+	A	10.0.14.210
+	A	10.0.14.211
+	A	10.0.14.212
+	A	10.0.14.213
+	A	10.0.14.214
+	A	10.0.14.215
+	A	10.0.14.216
+	A	10.0.14.217
+	A	10.0.14.218
+	A	10.0.14.219
+	A	10.0.14.220
+	A	10.0.14.221
+	A	10.0.14.222
+	A	10.0.14.223
+	A	10.0.14.224
+	A	10.0.14.225
+	A	10.0.14.226
+	A	10.0.14.227
+	A	10.0.14.228
+	A	10.0.14.229
+	A	10.0.14.230
+	A	10.0.14.231
+	A	10.0.14.232
+	A	10.0.14.233
+	A	10.0.14.234
+	A	10.0.14.235
+	A	10.0.14.236
+	A	10.0.14.237
+	A	10.0.14.238
+	A	10.0.14.239
+	A	10.0.14.240
+	A	10.0.14.241
+	A	10.0.14.242
+	A	10.0.14.243
+	A	10.0.14.244
+	A	10.0.14.245
+	A	10.0.14.246
+	A	10.0.14.247
+	A	10.0.14.248
+	A	10.0.14.249
+	A	10.0.14.250
+	A	10.0.14.251
+	A	10.0.14.252
+	A	10.0.14.253
+	A	10.0.14.254
+	A	10.0.14.255
+	A	10.0.15.0
+	A	10.0.15.1
+	A	10.0.15.2
+	A	10.0.15.3
+	A	10.0.15.4
+	A	10.0.15.5
+	A	10.0.15.6
+	A	10.0.15.7
+	A	10.0.15.8
+	A	10.0.15.9
+	A	10.0.15.10
+	A	10.0.15.11
+	A	10.0.15.12
+	A	10.0.15.13
+	A	10.0.15.14
+	A	10.0.15.15
+	A	10.0.15.16
+	A	10.0.15.17
+	A	10.0.15.18
+	A	10.0.15.19
+	A	10.0.15.20
+	A	10.0.15.21
+	A	10.0.15.22
+	A	10.0.15.23
+	A	10.0.15.24
+	A	10.0.15.25
+	A	10.0.15.26
+	A	10.0.15.27
+	A	10.0.15.28
+	A	10.0.15.29
+	A	10.0.15.30
+	A	10.0.15.31
+	A	10.0.15.32
+	A	10.0.15.33
+	A	10.0.15.34
+	A	10.0.15.35
+	A	10.0.15.36
+	A	10.0.15.37
+	A	10.0.15.38
+	A	10.0.15.39
+	A	10.0.15.40
+	A	10.0.15.41
+	A	10.0.15.42
+	A	10.0.15.43
+	A	10.0.15.44
+	A	10.0.15.45
+	A	10.0.15.46
+	A	10.0.15.47
+	A	10.0.15.48
+	A	10.0.15.49
+	A	10.0.15.50
+	A	10.0.15.51
+	A	10.0.15.52
+	A	10.0.15.53
+	A	10.0.15.54
+	A	10.0.15.55
+	A	10.0.15.56
+	A	10.0.15.57
+	A	10.0.15.58
+	A	10.0.15.59
+	A	10.0.15.60
+	A	10.0.15.61
+	A	10.0.15.62
+	A	10.0.15.63
+	A	10.0.15.64
+	A	10.0.15.65
+	A	10.0.15.66
+	A	10.0.15.67
+	A	10.0.15.68
+	A	10.0.15.69
+	A	10.0.15.70
+	A	10.0.15.71
+	A	10.0.15.72
+	A	10.0.15.73
+	A	10.0.15.74
+	A	10.0.15.75
+	A	10.0.15.76
+	A	10.0.15.77
+	A	10.0.15.78
+	A	10.0.15.79
+	A	10.0.15.80
+	A	10.0.15.81
+	A	10.0.15.82
+	A	10.0.15.83
+	A	10.0.15.84
+	A	10.0.15.85
+	A	10.0.15.86
+	A	10.0.15.87
+	A	10.0.15.88
+	A	10.0.15.89
+	A	10.0.15.90
+	A	10.0.15.91
+	A	10.0.15.92
+	A	10.0.15.93
+	A	10.0.15.94
+	A	10.0.15.95
+	A	10.0.15.96
+	A	10.0.15.97
+	A	10.0.15.98
+	A	10.0.15.99
+	A	10.0.15.100
+	A	10.0.15.101
+	A	10.0.15.102
+	A	10.0.15.103
+	A	10.0.15.104
+	A	10.0.15.105
+	A	10.0.15.106
+	A	10.0.15.107
+	A	10.0.15.108
+	A	10.0.15.109
+	A	10.0.15.110
+	A	10.0.15.111
+	A	10.0.15.112
+	A	10.0.15.113
+	A	10.0.15.114
+	A	10.0.15.115
+	A	10.0.15.116
+	A	10.0.15.117
+	A	10.0.15.118
+	A	10.0.15.119
+	A	10.0.15.120
+	A	10.0.15.121
+	A	10.0.15.122
+	A	10.0.15.123
+	A	10.0.15.124
+	A	10.0.15.125
+	A	10.0.15.126
+	A	10.0.15.127
+	A	10.0.15.128
+	A	10.0.15.129
+	A	10.0.15.130
+	A	10.0.15.131
+	A	10.0.15.132
+	A	10.0.15.133
+	A	10.0.15.134
+	A	10.0.15.135
+	A	10.0.15.136
+	A	10.0.15.137
+	A	10.0.15.138
+	A	10.0.15.139
+	A	10.0.15.140
+	A	10.0.15.141
+	A	10.0.15.142
+	A	10.0.15.143
+	A	10.0.15.144
+	A	10.0.15.145
+	A	10.0.15.146
+	A	10.0.15.147
+	A	10.0.15.148
+	A	10.0.15.149
+	A	10.0.15.150
+	A	10.0.15.151
+	A	10.0.15.152
+	A	10.0.15.153
+	A	10.0.15.154
+	A	10.0.15.155
+	A	10.0.15.156
+	A	10.0.15.157
+	A	10.0.15.158
+	A	10.0.15.159
+	A	10.1.0.0
+	A	10.1.0.1
+	A	10.1.0.2
+	A	10.1.0.3
+	A	10.1.0.4
+	A	10.1.0.5
+	A	10.1.0.6
+	A	10.1.0.7
+	A	10.1.0.8
+	A	10.1.0.9
+	A	10.1.0.10
+	A	10.1.0.11
+	A	10.1.0.12
+	A	10.1.0.13
+	A	10.1.0.14
+	A	10.1.0.15
+	A	10.1.0.16
+	A	10.1.0.17
+	A	10.1.0.18
+	A	10.1.0.19
+	A	10.1.0.20
+	A	10.1.0.21
+	A	10.1.0.22
+	A	10.1.0.23
+	A	10.1.0.24
+	A	10.1.0.25
+	A	10.1.0.26
+	A	10.1.0.27
+	A	10.1.0.28
+	A	10.1.0.29
+	A	10.1.0.30
+	A	10.1.0.31
+	A	10.1.0.32
+	A	10.1.0.33
+	A	10.1.0.34
+	A	10.1.0.35
+	A	10.1.0.36
+	A	10.1.0.37
+	A	10.1.0.38
+	A	10.1.0.39
+	A	10.1.0.40
+	A	10.1.0.41
+	A	10.1.0.42
+	A	10.1.0.43
+	A	10.1.0.44
+	A	10.1.0.45
+	A	10.1.0.46
+	A	10.1.0.47
+	A	10.1.0.48
+	A	10.1.0.49
+	A	10.1.0.50
+	A	10.1.0.51
+	A	10.1.0.52
+	A	10.1.0.53
+	A	10.1.0.54
+	A	10.1.0.55
+	A	10.1.0.56
+	A	10.1.0.57
+	A	10.1.0.58
+	A	10.1.0.59
+	A	10.1.0.60
+	A	10.1.0.61
+	A	10.1.0.62
+	A	10.1.0.63
+	A	10.1.0.64
+	A	10.1.0.65
+	A	10.1.0.66
+	A	10.1.0.67
+	A	10.1.0.68
+	A	10.1.0.69
+	A	10.1.0.70
+	A	10.1.0.71
+	A	10.1.0.72
+	A	10.1.0.73
+	A	10.1.0.74
+	A	10.1.0.75
+	A	10.1.0.76
+	A	10.1.0.77
+	A	10.1.0.78
+	A	10.1.0.79
+	A	10.1.0.80
+	A	10.1.0.81
+	A	10.1.0.82
+	A	10.1.0.83
+	A	10.1.0.84
+	A	10.1.0.85
+	A	10.1.0.86
+	A	10.1.0.87
+	A	10.1.0.88
+	A	10.1.0.89
+	A	10.1.0.90
diff --git a/bin/tests/system/limits/ns1/named.conf.in b/bin/tests/system/limits/ns1/named.conf.in
new file mode 100644
index 0000000..118fdbd
--- /dev/null
+++ b/bin/tests/system/limits/ns1/named.conf.in
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	minimal-responses no;
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+};
diff --git a/bin/tests/system/limits/ns1/root.db b/bin/tests/system/limits/ns1/root.db
new file mode 100644
index 0000000..b93cf32
--- /dev/null
+++ b/bin/tests/system/limits/ns1/root.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. 			IN SOA	gson.nominum.com. a.root.servers.nil. (
+				2000042100   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+
+example.		NS	ns1.example.
+ns1.example.		A	10.53.0.1
diff --git a/bin/tests/system/limits/setup.sh b/bin/tests/system/limits/setup.sh
new file mode 100644
index 0000000..e46affa
--- /dev/null
+++ b/bin/tests/system/limits/setup.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
diff --git a/bin/tests/system/limits/tests.sh b/bin/tests/system/limits/tests.sh
new file mode 100644
index 0000000..ff774f5
--- /dev/null
+++ b/bin/tests/system/limits/tests.sh
@@ -0,0 +1,56 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="-p ${PORT}"
+
+status=0
+
+echo_i "1000 A records"
+$DIG $DIGOPTS +tcp +norec 1000.example. @10.53.0.1 a > dig.out.1000 || status=1
+# $DIG $DIGOPTS 1000.example. @10.53.0.1 a > knowngood.dig.out.1000
+digcomp knowngood.dig.out.1000 dig.out.1000 || status=1
+
+echo_i "2000 A records"
+$DIG $DIGOPTS +tcp +norec 2000.example. @10.53.0.1 a > dig.out.2000 || status=1
+# $DIG $DIGOPTS 2000.example. @10.53.0.1 a > knowngood.dig.out.2000
+digcomp knowngood.dig.out.2000 dig.out.2000 || status=1
+
+echo_i "3000 A records"
+$DIG $DIGOPTS +tcp +norec 3000.example. @10.53.0.1 a > dig.out.3000 || status=1
+# $DIG $DIGOPTS 3000.example. @10.53.0.1 a > knowngood.dig.out.3000
+digcomp knowngood.dig.out.3000 dig.out.3000 || status=1
+
+echo_i "4000 A records"
+$DIG $DIGOPTS +tcp +norec 4000.example. @10.53.0.1 a > dig.out.4000 || status=1
+# $DIG $DIGOPTS 4000.example. @10.53.0.1 a > knowngood.dig.out.4000
+digcomp knowngood.dig.out.4000 dig.out.4000 || status=1
+
+echo_i "exactly maximum rrset"
+$DIG $DIGOPTS +tcp +norec +noedns a-maximum-rrset.example. @10.53.0.1 a > dig.out.a-maximum-rrset \
+	|| status=1
+# $DIG $DIGOPTS a-maximum-rrset.example. @10.53.0.1 a > knowngood.dig.out.a-maximum-rrset
+digcomp knowngood.dig.out.a-maximum-rrset dig.out.a-maximum-rrset || status=1
+
+echo_i "exceed maximum rrset (5000 A records)"
+$DIG $DIGOPTS +tcp +norec +noadd 5000.example. @10.53.0.1 a > dig.out.exceed || status=1
+# Look for truncation bit (tc).
+grep 'flags: .*tc.*;' dig.out.exceed > /dev/null || {
+    echo_i "TC bit was not set"
+    status=1
+}
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/logfileconfig/clean.sh b/bin/tests/system/logfileconfig/clean.sh
new file mode 100644
index 0000000..18aa5de
--- /dev/null
+++ b/bin/tests/system/logfileconfig/clean.sh
@@ -0,0 +1,36 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Clean up after log file tests
+#
+rm -f ns1/named.conf
+rm -f ns1/named.args
+rm -f ns1/named.pid ns1/named.run ns1/named.run.prev
+rm -f ns1/named.memstats ns1/dig.out
+rm -f ns1/named_log ns1/named_pipe ns1/named_sym
+rm -rf ns1/named_dir
+rm -f ns1/named_deflog
+rm -f ns*/named.lock
+rm -f ns1/query_log
+rm -f ns1/named_iso8601
+rm -f ns1/named_iso8601_utc
+rm -f ns1/rndc.out.test*
+rm -f ns1/dig.out.test*
+rm -f ns1/named_vers
+rm -f ns1/named_vers.*
+rm -f ns1/named_ts
+rm -f ns1/named_ts.*
+rm -f ns1/named_unlimited
+rm -f ns1/named_unlimited.*
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/logfileconfig/named1.args b/bin/tests/system/logfileconfig/named1.args
new file mode 100644
index 0000000..764d4c9
--- /dev/null
+++ b/bin/tests/system/logfileconfig/named1.args
@@ -0,0 +1 @@
+-c named.conf -m record -T nosyslog -d 99 -D logfileconfig-ns1 -X named.lock -U 4
diff --git a/bin/tests/system/logfileconfig/named2.args b/bin/tests/system/logfileconfig/named2.args
new file mode 100644
index 0000000..fb9fe57
--- /dev/null
+++ b/bin/tests/system/logfileconfig/named2.args
@@ -0,0 +1 @@
+-c named.conf -m record -T nosyslog -d 99 -D logfileconfig-ns1 -X named.lock -U 4 -L named_deflog
diff --git a/bin/tests/system/logfileconfig/ns1/named.dirconf.in b/bin/tests/system/logfileconfig/ns1/named.dirconf.in
new file mode 100644
index 0000000..12b3e96
--- /dev/null
+++ b/bin/tests/system/logfileconfig/ns1/named.dirconf.in
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	dnssec-validation no;
+	recursion no;
+	notify yes;
+};
+
+logging {
+	channel default_log {
+	  file "/tmp";
+	  print-time yes;
+	};
+	category default { default_log; default_debug; };
+	category lame-servers { null; };
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; };
+};
+
+key rndc-key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
diff --git a/bin/tests/system/logfileconfig/ns1/named.iso8601-utc.in b/bin/tests/system/logfileconfig/ns1/named.iso8601-utc.in
new file mode 100644
index 0000000..2b4b181
--- /dev/null
+++ b/bin/tests/system/logfileconfig/ns1/named.iso8601-utc.in
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	dnssec-validation no;
+	recursion no;
+	notify yes;
+};
+
+logging {
+	channel default_log {
+		file "named_iso8601_utc";
+		print-time iso8601-utc;
+		severity debug 9;
+	};
+	category default { default_log; default_debug; };
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; };
+};
+
+key rndc-key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
diff --git a/bin/tests/system/logfileconfig/ns1/named.iso8601.in b/bin/tests/system/logfileconfig/ns1/named.iso8601.in
new file mode 100644
index 0000000..1eb1aa8
--- /dev/null
+++ b/bin/tests/system/logfileconfig/ns1/named.iso8601.in
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	dnssec-validation no;
+	recursion no;
+	notify yes;
+};
+
+logging {
+	channel default_log {
+		file "named_iso8601";
+		print-time iso8601;
+		severity debug 9;
+	};
+	category default { default_log; default_debug; };
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; };
+};
+
+key rndc-key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
diff --git a/bin/tests/system/logfileconfig/ns1/named.pipeconf.in b/bin/tests/system/logfileconfig/ns1/named.pipeconf.in
new file mode 100644
index 0000000..5497b62
--- /dev/null
+++ b/bin/tests/system/logfileconfig/ns1/named.pipeconf.in
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	dnssec-validation no;
+	recursion no;
+	notify yes;
+};
+
+logging {
+	channel default_log {
+	  file "named_pipe";
+	  print-time yes;
+	};
+	category default { default_log; default_debug; };
+	category lame-servers { null; };
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; };
+};
+
+key rndc-key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
diff --git a/bin/tests/system/logfileconfig/ns1/named.plain.in b/bin/tests/system/logfileconfig/ns1/named.plain.in
new file mode 100644
index 0000000..53a1946
--- /dev/null
+++ b/bin/tests/system/logfileconfig/ns1/named.plain.in
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	dnssec-validation no;
+	recursion no;
+	notify yes;
+};
+
+logging {
+	channel default_log {
+	  file "named_log";
+	  print-time yes;
+	};
+	category default { default_log; default_debug; };
+	category lame-servers { null; };
+
+	channel query_log {
+	  file "query_log";
+	  print-time yes;
+	  buffered yes;
+	};
+	category queries { query_log; };
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; };
+};
+
+key rndc-key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
diff --git a/bin/tests/system/logfileconfig/ns1/named.plainconf.in b/bin/tests/system/logfileconfig/ns1/named.plainconf.in
new file mode 100644
index 0000000..8a70ca0
--- /dev/null
+++ b/bin/tests/system/logfileconfig/ns1/named.plainconf.in
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	dnssec-validation no;
+	recursion no;
+	notify yes;
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; };
+};
+
+key rndc-key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
diff --git a/bin/tests/system/logfileconfig/ns1/named.symconf.in b/bin/tests/system/logfileconfig/ns1/named.symconf.in
new file mode 100644
index 0000000..5b30e57
--- /dev/null
+++ b/bin/tests/system/logfileconfig/ns1/named.symconf.in
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	dnssec-validation no;
+	recursion no;
+	notify yes;
+};
+
+logging {
+	channel default_log {
+	  file "named_sym";
+	  print-time yes;
+	};
+	category default { default_log; default_debug; };
+	category lame-servers { null; };
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; };
+};
+
+key rndc-key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
diff --git a/bin/tests/system/logfileconfig/ns1/named.tsconf.in b/bin/tests/system/logfileconfig/ns1/named.tsconf.in
new file mode 100644
index 0000000..4b0f8af
--- /dev/null
+++ b/bin/tests/system/logfileconfig/ns1/named.tsconf.in
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	dnssec-validation no;
+	recursion no;
+	notify yes;
+};
+
+logging {
+	channel default_log {
+	  buffered no;
+	  file "named_ts" versions 3 size 1000 suffix timestamp; # small size
+	  severity debug 100;
+	  print-time yes;
+	};
+	category default { default_log; default_debug; };
+	category lame-servers { null; };
+
+	channel query_log {
+	  file "query_log";
+	  print-time yes;
+	  buffered yes;
+	};
+	category queries { query_log; };
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; };
+};
+
+key rndc-key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
diff --git a/bin/tests/system/logfileconfig/ns1/named.unlimited.in b/bin/tests/system/logfileconfig/ns1/named.unlimited.in
new file mode 100644
index 0000000..506b49b
--- /dev/null
+++ b/bin/tests/system/logfileconfig/ns1/named.unlimited.in
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	dnssec-validation no;
+	recursion no;
+	notify yes;
+};
+
+logging {
+	channel default_log {
+	  buffered no;
+	  file "named_unlimited" versions unlimited size 1000;
+	  severity debug 100;
+	  print-time yes;
+	};
+	category default { default_log; default_debug; };
+	category lame-servers { null; };
+
+	channel query_log {
+	  file "query_log";
+	  print-time yes;
+	  buffered yes;
+	};
+	category queries { query_log; };
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; };
+};
+
+key rndc-key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
diff --git a/bin/tests/system/logfileconfig/ns1/named.versconf.in b/bin/tests/system/logfileconfig/ns1/named.versconf.in
new file mode 100644
index 0000000..3860ae8
--- /dev/null
+++ b/bin/tests/system/logfileconfig/ns1/named.versconf.in
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	dnssec-validation no;
+	recursion no;
+	notify yes;
+};
+
+logging {
+	channel default_log {
+	  buffered no;
+	  file "named_vers" versions 5 size 1000;	// really small size
+	  severity debug 100;
+	  print-time yes;
+	};
+	category default { default_log; default_debug; };
+	category lame-servers { null; };
+
+	channel query_log {
+	  file "query_log";
+	  print-time yes;
+	  buffered yes;
+	};
+	category queries { query_log; };
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; };
+};
+
+key rndc-key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
diff --git a/bin/tests/system/logfileconfig/setup.sh b/bin/tests/system/logfileconfig/setup.sh
new file mode 100644
index 0000000..0e0cc89
--- /dev/null
+++ b/bin/tests/system/logfileconfig/setup.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+
+copy_setports ns1/named.plain.in ns1/named.conf
diff --git a/bin/tests/system/logfileconfig/tests.sh b/bin/tests/system/logfileconfig/tests.sh
new file mode 100644
index 0000000..2cfb558
--- /dev/null
+++ b/bin/tests/system/logfileconfig/tests.sh
@@ -0,0 +1,244 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+THISDIR=`pwd`
+CONFDIR="ns1"
+
+# Test given condition.  If true, test again after a second.  Used for testing
+# filesystem-dependent conditions in order to prevent false negatives caused by
+# directory contents not being synchronized immediately after rename() returns.
+test_with_retry() {
+	if test "$@"; then
+		sleep 1
+		if test "$@"; then
+			return 0
+		fi
+	fi
+	return 1
+}
+
+status=0
+n=0
+
+echo_i "testing log file validity (named -g + only plain files allowed)"
+
+# First run with a known good config.
+n=$((n+1))
+echo_i "testing log file validity (only plain files allowed) ($n)"
+ret=0
+cat /dev/null > ns1/named_log
+copy_setports ns1/named.plainconf.in ns1/named.conf
+nextpart ns1/named.run > /dev/null
+rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n
+wait_for_log 5 "reloading configuration succeeded" ns1/named.run || ret=1
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Now try directory, expect failure
+n=$((n+1))
+echo_i "testing directory as log file ($n)"
+ret=0
+nextpart ns1/named.run > /dev/null
+copy_setports ns1/named.dirconf.in ns1/named.conf
+rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n
+wait_for_log 5 "reloading configuration failed: invalid file" ns1/named.run || ret=1
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Now try pipe file, expect failure
+n=$((n+1))
+echo_i "testing pipe file as log file ($n)"
+ret=0
+nextpart ns1/named.run > /dev/null
+rm -f ns1/named_pipe
+if mkfifo ns1/named_pipe >/dev/null 2>&1; then
+    copy_setports ns1/named.pipeconf.in ns1/named.conf
+    rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n
+    wait_for_log 5 "reloading configuration failed: invalid file" ns1/named.run || ret=1
+    if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+else
+    echo_i "skipping pipe test (unable to create pipe)"
+fi
+
+# Now try symlink file to plain file, expect success
+n=$((n+1))
+echo_i "testing symlink to plain file as log file ($n)"
+ret=0
+rm -f ns1/named_log ns1/named_sym
+touch ns1/named_log
+if ln -s $(pwd)/ns1/named_log $(pwd)/ns1/named_sym >/dev/null 2>&1; then
+    nextpart ns1/named.run > /dev/null
+    copy_setports ns1/named.symconf.in ns1/named.conf
+    rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n
+    wait_for_log 5 "reloading configuration succeeded" ns1/named.run || ret=1
+    if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+else
+	echo_i "skipping symlink test (unable to create symlink)"
+fi
+
+echo_i "repeat previous tests without named -g"
+copy_setports ns1/named.plain.in ns1/named.conf
+$PERL ../stop.pl --use-rndc --port ${CONTROLPORT} logfileconfig ns1
+cp named1.args ns1/named.args
+start_server --noclean --restart --port ${PORT} ns1
+
+n=$((n+1))
+echo_i "testing log file validity (only plain files allowed) ($n)"
+ret=0
+cat /dev/null > ns1/named_log
+copy_setports ns1/named.plainconf.in ns1/named.conf
+nextpart ns1/named.run > /dev/null
+rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n
+wait_for_log 5 "reloading configuration succeeded" ns1/named.run || ret=1
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Now try directory, expect failure
+n=$((n+1))
+echo_i "testing directory as log file ($n)"
+ret=0
+nextpart ns1/named.run > /dev/null
+copy_setports ns1/named.dirconf.in ns1/named.conf
+rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n
+wait_for_log 5 "reloading configuration failed: invalid file" ns1/named.run || ret=1
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Now try pipe file, expect failure
+n=$((n+1))
+echo_i "testing pipe file as log file ($n)"
+ret=0
+nextpart ns1/named.run > /dev/null
+rm -f ns1/named_pipe
+if mkfifo ns1/named_pipe >/dev/null 2>&1; then
+    copy_setports ns1/named.pipeconf.in ns1/named.conf
+    rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n
+    wait_for_log 5 "reloading configuration failed: invalid file" ns1/named.run || ret=1
+    if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+else
+    echo_i "skipping pipe test (unable to create pipe)"
+fi
+
+# Now try symlink file to plain file, expect success
+n=$((n+1))
+echo_i "testing symlink to plain file as log file ($n)"
+ret=0
+rm -f ns1/named_log ns1/named_sym
+touch ns1/named_log
+if ln -s $(pwd)/ns1/named_log $(pwd)/ns1/named_sym >/dev/null 2>&1; then
+    nextpart ns1/named.run > /dev/null
+    copy_setports ns1/named.symconf.in ns1/named.conf
+    rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n
+    wait_for_log 5 "reloading configuration succeeded" ns1/named.run || ret=1
+    if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+else
+	echo_i "skipping symlink test (unable to create symlink)"
+fi
+
+echo_i "testing logging functionality"
+n=$((n+1))
+ret=0
+echo_i "testing iso8601 timestamp ($n)"
+copy_setports ns1/named.iso8601.in ns1/named.conf
+rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n
+grep '^....-..-..T..:..:..\.... ' ns1/named_iso8601 > /dev/null || ret=1
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "testing iso8601-utc timestamp ($n)"
+ret=0
+copy_setports ns1/named.iso8601-utc.in ns1/named.conf
+rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n
+grep '^....-..-..T..:..:..\....Z' ns1/named_iso8601_utc > /dev/null || ret=1
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "testing explicit versions ($n)"
+ret=0
+copy_setports ns1/named.versconf.in ns1/named.conf
+# a seconds since epoch version number
+touch ns1/named_vers.1480039317
+rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n
+$DIG version.bind txt ch @10.53.0.1 -p ${PORT} > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+# we are configured to retain five logfiles (a current file
+# and 4 backups). so files with version number 5 or higher
+# should be removed.
+test_with_retry -f ns1/named_vers.1480039317 && ret=1
+test_with_retry -f ns1/named_vers.5 && ret=1
+test_with_retry -f ns1/named_vers.4 || ret=1
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "testing timestamped versions ($n)"
+ret=0
+copy_setports ns1/named.tsconf.in ns1/named.conf
+# a seconds since epoch version number
+touch ns1/named_ts.1480039317
+# a timestamp version number
+touch ns1/named_ts.20150101120000120
+rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n
+_found2() (
+        $DIG version.bind txt ch @10.53.0.1 -p ${PORT} > dig.out.test$n
+        grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+
+        # we are configured to keep three versions, so the oldest
+        # timestamped versions should be gone, and there should
+        # be two or three backup ones.
+        [ -f ns1/named_ts.1480039317 ] && return 1
+        [ -f ns1/named_ts.20150101120000120 ] && return 1
+        set -- ns1/named_ts.*
+        [ "$#" -eq 2 -o "$#" -eq 3 ] || return 1
+)
+retry_quiet 5 _found2 || ret=1
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "testing unlimited versions ($n)"
+ret=0
+copy_setports ns1/named.unlimited.in ns1/named.conf
+# a seconds since epoch version number
+touch ns1/named_unlimited.1480039317
+rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n
+$DIG version.bind txt ch @10.53.0.1 -p ${PORT} > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+test_with_retry -f ns1/named_unlimited.1480039317 || ret=1
+test_with_retry -f ns1/named_unlimited.4 || ret=1
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "testing default logfile using named -L file ($n)"
+ret=0
+$PERL ../stop.pl logfileconfig ns1
+cp named2.args ns1/named.args
+test -f ns1/named.pid && ret=1
+rm -f ns1/named_deflog
+copy_setports ns1/named.plainconf.in ns1/named.conf
+start_server --noclean --restart --port ${PORT} ns1
+[ -f "ns1/named_deflog" ] || ret=1
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/masterfile/clean.sh b/bin/tests/system/masterfile/clean.sh
new file mode 100644
index 0000000..97aa377
--- /dev/null
+++ b/bin/tests/system/masterfile/clean.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f dig.out.*
+rm -f */named.memstats
+rm -f */named.conf
+rm -f */named.run
+rm -f ns*/named.lock
+rm -f checkzone.out*
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/masterfile/knowngood.dig.out b/bin/tests/system/masterfile/knowngood.dig.out
new file mode 100644
index 0000000..d4cbac8
--- /dev/null
+++ b/bin/tests/system/masterfile/knowngood.dig.out
@@ -0,0 +1,32 @@
+include.		300	IN	SOA	ns.include. hostmaster.include. 1 3600 1800 1814400 3600
+include.		300	IN	NS	ns.include.
+a.include.		300	IN	A	10.0.0.1
+a.include.		300	IN	A	10.0.0.99
+a.a.include.		300	IN	A	10.0.1.1
+b.foo.a.include.	300	IN	A	10.0.2.2
+b.include.		300	IN	A	10.0.0.2
+a.b.include.		300	IN	A	10.0.1.1
+c.b.include.		300	IN	A	10.0.0.3
+b.foo.b.include.	300	IN	A	10.0.2.2
+ns.include.		300	IN	A	127.0.0.1
+include.		300	IN	SOA	ns.include. hostmaster.include. 1 3600 1800 1814400 3600
+ttl2.			1	IN	SOA	ns.ttl2. hostmaster.ttl2. 1 3600 1800 1814400 3
+ttl2.			1	IN	NS	ns.ttl2.
+a.ttl2.			1	IN	TXT	"inherited ttl 1"
+b.ttl2.			2	IN	TXT	"explicit ttl 2"
+c.ttl2.			2	IN	TXT	"inherited ttl 2"
+d.ttl2.			3	IN	TXT	"default ttl 3"
+e.ttl2.			2	IN	TXT	"explicit ttl 2"
+f.ttl2.			3	IN	TXT	"default ttl 3"
+ns.ttl2.		1	IN	A	10.53.0.1
+ttl2.			1	IN	SOA	ns.ttl2. hostmaster.ttl2. 1 3600 1800 1814400 3
+ttl2.			1	IN	SOA	ns.ttl2. hostmaster.ttl2. 1 3600 1800 1814400 3
+ttl2.			1	IN	NS	ns.ttl2.
+a.ttl2.			1	IN	TXT	"inherited ttl 1"
+b.ttl2.			2	IN	TXT	"explicit ttl 2"
+c.ttl2.			2	IN	TXT	"inherited ttl 2"
+d.ttl2.			3	IN	TXT	"default ttl 3"
+e.ttl2.			2	IN	TXT	"explicit ttl 2"
+f.ttl2.			3	IN	TXT	"default ttl 3"
+ns.ttl2.		1	IN	A	10.53.0.1
+ttl2.			1	IN	SOA	ns.ttl2. hostmaster.ttl2. 1 3600 1800 1814400 3
diff --git a/bin/tests/system/masterfile/ns1/include.db b/bin/tests/system/masterfile/ns1/include.db
new file mode 100644
index 0000000..149c819
--- /dev/null
+++ b/bin/tests/system/masterfile/ns1/include.db
@@ -0,0 +1,35 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; Test $INCLUDE current domain name and origin semantics
+
+$TTL 300
+@			IN SOA	ns hostmaster (
+				1        ; serial
+				3600
+				1800
+				1814400
+				3600
+				)
+			NS	ns
+
+ns			A	127.0.0.1
+
+a			A	10.0.0.1
+$INCLUDE sub.db a
+; use the current domain name
+			A	10.0.0.99
+b			A	10.0.0.2
+$ORIGIN b
+$INCLUDE sub.db
+; use the current domain name
+;			A	10.0.0.99
+c			A	10.0.0.3
diff --git a/bin/tests/system/masterfile/ns1/named.conf.in b/bin/tests/system/masterfile/ns1/named.conf.in
new file mode 100644
index 0000000..5ab72a5
--- /dev/null
+++ b/bin/tests/system/masterfile/ns1/named.conf.in
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+};
+
+zone "include" {
+	type primary;
+	file "include.db";
+};
+
+zone "ttl1" {
+	type primary;
+	file "ttl1.db";
+};
+
+zone "ttl2" {
+	type primary;
+	file "ttl2.db";
+};
diff --git a/bin/tests/system/masterfile/ns1/sub.db b/bin/tests/system/masterfile/ns1/sub.db
new file mode 100644
index 0000000..7e027b0
--- /dev/null
+++ b/bin/tests/system/masterfile/ns1/sub.db
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+a		A	10.0.1.1
+$ORIGIN foo
+b		A	10.0.2.2
+
diff --git a/bin/tests/system/masterfile/ns1/ttl1.db b/bin/tests/system/masterfile/ns1/ttl1.db
new file mode 100644
index 0000000..56afe9d
--- /dev/null
+++ b/bin/tests/system/masterfile/ns1/ttl1.db
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@			IN SOA	ns hostmaster (
+				1        ; serial
+				3600
+				1800
+				1814400
+				3
+				)
+			NS	ns
+ns			A	10.53.0.1
+a			TXT	"soa minttl 3"
+b		2	TXT	"explicit ttl 2"
+c			TXT	"soa minttl 3"
+$TTL 1
+d			TXT	"default ttl 1"
+e		4	TXT	"explicit ttl 4"
+f			TXT	"default ttl 1"
diff --git a/bin/tests/system/masterfile/ns1/ttl2.db b/bin/tests/system/masterfile/ns1/ttl2.db
new file mode 100644
index 0000000..778e8d3
--- /dev/null
+++ b/bin/tests/system/masterfile/ns1/ttl2.db
@@ -0,0 +1,30 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@		1	IN SOA	ns hostmaster (
+				1        ; serial
+				3600
+				1800
+				1814400
+				3
+				)
+			NS	ns
+ns			A	10.53.0.1
+a			TXT	"inherited ttl 1"
+b		2	TXT	"explicit ttl 2"
+c			TXT	"inherited ttl 2"
+$TTL 3
+d			TXT	"default ttl 3"
+e		2	TXT	"explicit ttl 2"
+f			TXT	"default ttl 3"
+
+
+
diff --git a/bin/tests/system/masterfile/ns2/example.db b/bin/tests/system/masterfile/ns2/example.db
new file mode 100644
index 0000000..414403a
--- /dev/null
+++ b/bin/tests/system/masterfile/ns2/example.db
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2010042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+ns2			A	10.53.0.2
diff --git a/bin/tests/system/masterfile/ns2/named.conf.in b/bin/tests/system/masterfile/ns2/named.conf.in
new file mode 100644
index 0000000..1f4ef91
--- /dev/null
+++ b/bin/tests/system/masterfile/ns2/named.conf.in
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	dnssec-validation yes;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+};
+
+zone "missing" {
+	type primary;
+	file "missing.db";
+};
diff --git a/bin/tests/system/masterfile/setup.sh b/bin/tests/system/masterfile/setup.sh
new file mode 100644
index 0000000..65fdd58
--- /dev/null
+++ b/bin/tests/system/masterfile/setup.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
diff --git a/bin/tests/system/masterfile/tests.sh b/bin/tests/system/masterfile/tests.sh
new file mode 100644
index 0000000..1948a69
--- /dev/null
+++ b/bin/tests/system/masterfile/tests.sh
@@ -0,0 +1,62 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="-p ${PORT}"
+
+status=0
+n=0
+
+ret=0
+n=`expr $n + 1`
+echo_i "test master file \$INCLUDE semantics ($n)"
+$DIG $DIGOPTS +nostats +nocmd include. axfr @10.53.0.1 >dig.out.$n
+
+echo_i "test master file BIND 8 compatibility TTL and \$TTL semantics ($n)"
+$DIG $DIGOPTS +nostats +nocmd ttl2. axfr @10.53.0.1 >>dig.out.$n
+
+echo_i "test of master file RFC1035 TTL and \$TTL semantics ($n)"
+$DIG $DIGOPTS +nostats +nocmd ttl2. axfr @10.53.0.1 >>dig.out.$n
+
+$DIFF dig.out.$n knowngood.dig.out || status=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+ret=0
+n=`expr $n + 1`
+echo_i "test that the nameserver is running with a missing master file ($n)"
+$DIG $DIGOPTS +tcp +noall +answer example soa @10.53.0.2 > dig.out.$n
+grep SOA dig.out.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+ret=0
+n=`expr $n + 1`
+echo_i "test that the nameserver returns SERVFAIL for a missing master file ($n)"
+$DIG $DIGOPTS +tcp +all missing soa @10.53.0.2 > dig.out.$n
+grep "status: SERVFAIL" dig.out.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+ret=0
+n=`expr $n + 1`
+echo_i "test owner inheritance after "'$INCLUDE'" ($n)"
+$CHECKZONE -Dq example zone/inheritownerafterinclude.db > checkzone.out$n
+$DIFF checkzone.out$n zone/inheritownerafterinclude.good || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/masterfile/zone/inheritownerafterinclude.db b/bin/tests/system/masterfile/zone/inheritownerafterinclude.db
new file mode 100644
index 0000000..11b97ea
--- /dev/null
+++ b/bin/tests/system/masterfile/zone/inheritownerafterinclude.db
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 0	IN	SOA	. . 0 0 0 0 0
+$INCLUDE zone/nameservers.db
+	IN	TXT	"this should be at the zone apex"
diff --git a/bin/tests/system/masterfile/zone/inheritownerafterinclude.good b/bin/tests/system/masterfile/zone/inheritownerafterinclude.good
new file mode 100644
index 0000000..3877ed5
--- /dev/null
+++ b/bin/tests/system/masterfile/zone/inheritownerafterinclude.good
@@ -0,0 +1,3 @@
+example.				      0	IN SOA		. . 0 0 0 0 0
+example.				      0	IN NS		.
+example.				      0	IN TXT		"this should be at the zone apex"
diff --git a/bin/tests/system/masterfile/zone/nameservers.db b/bin/tests/system/masterfile/zone/nameservers.db
new file mode 100644
index 0000000..f7b6525
--- /dev/null
+++ b/bin/tests/system/masterfile/zone/nameservers.db
@@ -0,0 +1,12 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@	IN	NS	.
diff --git a/bin/tests/system/masterformat/clean.sh b/bin/tests/system/masterformat/clean.sh
new file mode 100755
index 0000000..c53c7ab
--- /dev/null
+++ b/bin/tests/system/masterformat/clean.sh
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f ./ns1/example.db.raw*
+rm -f ./ns1/example.db.compat
+rm -f ./ns1/example.db.serial.raw
+rm -f ./ns1/large.db ./ns1/large.db.raw
+rm -f ./ns1/example.db.map ./ns1/signed.db.map
+rm -f ./ns1/session.key
+rm -f ./dig.out.*
+rm -f ./dig.out
+rm -f ./*/named.memstats
+rm -f ./*/named.conf
+rm -f ./*/named.run
+rm -f ./ns2/example.db
+rm -f ./ns2/transfer.db.*
+rm -f ./ns2/formerly-text.db
+rm -f ./ns2/db-*
+rm -f ./ns2/large.bk
+rm -f ./ns3/example.db.map ./ns3/dynamic.db.map
+rm -f ./baseline.txt ./text.* ./raw.* ./map.* ./badmap
+rm -f ./ns1/Ksigned.* ./ns1/dsset-signed. ./ns1/signed.db.signed
+rm -f ./rndc.out
+rm -f ./ns*/named.lock
+rm -f ./ns*/managed-keys.bind*
diff --git a/bin/tests/system/masterformat/ns1/compile.sh b/bin/tests/system/masterformat/ns1/compile.sh
new file mode 100755
index 0000000..6626c17
--- /dev/null
+++ b/bin/tests/system/masterformat/ns1/compile.sh
@@ -0,0 +1,36 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+$CHECKZONE -D -F raw -o example.db.raw example \
+        example.db > /dev/null 2>&1
+$CHECKZONE -D -F map -o ../ns3/example.db.map example \
+        example.db > /dev/null 2>&1
+$CHECKZONE -D -F map -o ../ns3/dynamic.db.map dynamic \
+        example.db > /dev/null 2>&1
+$CHECKZONE -D -F raw=1 -o example.db.raw1 example-explicit \
+        example.db > /dev/null 2>&1
+$CHECKZONE -D -F raw=0 -o example.db.compat example-compat \
+        example.db > /dev/null 2>&1
+$CHECKZONE -D -F raw -L 3333 -o example.db.serial.raw example \
+        example.db > /dev/null 2>&1
+$CHECKZONE -D -F raw -o large.db.raw large large.db > /dev/null 2>&1
+$CHECKZONE -D -F map -o example.db.map example-map \
+        example.db > /dev/null 2>&1
+
+$KEYGEN -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK signed > /dev/null 2>&1
+$KEYGEN -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" signed > /dev/null 2>&1
+$SIGNER -S -f signed.db.signed -o signed signed.db > /dev/null
+$CHECKZONE -D -F map -o signed.db.map signed signed.db.signed > /dev/null 2>&1
diff --git a/bin/tests/system/masterformat/ns1/example.db b/bin/tests/system/masterformat/ns1/example.db
new file mode 100644
index 0000000..5ca0ae2
--- /dev/null
+++ b/bin/tests/system/masterformat/ns1/example.db
@@ -0,0 +1,58 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 1D
+
+@			IN SOA	ns hostmaster (
+				1
+				3600
+				1800
+				1814400
+				3
+				)
+			NS	ns
+ns			A	10.53.0.1
+mx			MX	10 mail
+a			A	10.53.0.1
+			A	10.53.0.2
+aaaa			AAAA	2001:db8::53
+cname			CNAME	cname-target
+dname			DNAME	dname-target
+txt			TXT	"this is text"
+
+;;
+;; we are not testing DNSSEC behavior, so we don't care about the semantics
+;; of the following records.
+dnskey			300	DNSKEY	256 3 13 (
+					TEcpWeW1mJp+OujqyInMbjGRODJIYen/4kMR
+					wO6zW3RzrvmNIMgFag6G uXofiSwJ6YDeQ0O
+					3uhPJsJ7ivpbh+w==
+					)
+private-dnskey		300	DNSKEY	256 3 253 ( AAo= )
+ds			300	DS	30795 1 1 (
+					310D27F4D82C1FC2400704EA9939FE6E1CEA
+					A3B9 )
+cdnskey			300	CDNSKEY	256 3 13 (
+					TEcpWeW1mJp+OujqyInMbjGRODJIYen/4kMR
+					wO6zW3RzrvmNIMgFag6G uXofiSwJ6YDeQ0O
+					3uhPJsJ7ivpbh+w==
+					)
+private-cdnskey		300	CDNSKEY	256 3 253 ( AAo= )
+cds			300	CDS	30795 1 1 (
+					310D27F4D82C1FC2400704EA9939FE6E1CEA
+					A3B9 )
+nsec			600	NSEC	nsecnext NS DS RRSIG NSEC
+rrsig			300	RRSIG	SOA 1 0 300 20050714214747 (
+					20050614214747 30795 .
+					yi/RRPAQmn6rnjDQaCqVValBa+ICF00ZldKf
+					ZSDaoew5mMUh83DlrrPPNeAxrzMSNzDGlJ6P
+					fdyIFgzPn/CvthF4kjBUAiJTp4r2zhlaUJQ+
+					QFo+drYXYgVJo6aA36fj )
diff --git a/bin/tests/system/masterformat/ns1/large.db.in b/bin/tests/system/masterformat/ns1/large.db.in
new file mode 100644
index 0000000..5a81863
--- /dev/null
+++ b/bin/tests/system/masterformat/ns1/large.db.in
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 1D
+
+@			IN SOA	ns hostmaster (
+				1
+				3600
+				1800
+				1814400
+				3
+				)
+			NS	ns
+ns			A	10.53.0.1
diff --git a/bin/tests/system/masterformat/ns1/named.conf.in b/bin/tests/system/masterformat/ns1/named.conf.in
new file mode 100644
index 0000000..cc95655
--- /dev/null
+++ b/bin/tests/system/masterformat/ns1/named.conf.in
@@ -0,0 +1,87 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+options {
+	pid-file "named.pid";
+	listen-on port @PORT@ { 10.53.0.1; };
+	port @PORT@;
+	listen-on-v6 { none; };
+	recursion no;
+	notify no;
+	session-keyfile "session.key";
+	servfail-ttl 0;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "example" {
+	type primary;
+	masterfile-format raw;
+	file "example.db.raw";
+};
+
+zone "compat-example" {
+	type primary;
+	masterfile-format raw;
+	file "example.db.compat";
+};
+
+zone "transfer1" {
+	type primary;
+	file "example.db";
+	allow-transfer { any; };
+};
+
+zone "transfer2" {
+	type primary;
+	file "example.db";
+	allow-transfer { any; };
+};
+
+zone "transfer3" {
+	type primary;
+	file "example.db";
+	allow-transfer { any; };
+};
+
+zone "transfer4" {
+	type primary;
+	file "example.db";
+	allow-transfer { any; };
+};
+
+
+zone "large" {
+	type primary;
+	file "large.db.raw";
+	masterfile-format raw;
+	allow-transfer { any; };
+};
+
+zone "signed" {
+	type primary;
+	file "signed.db.map";
+	masterfile-format map;
+	allow-transfer { any; };
+	update-policy local;
+	auto-dnssec maintain;
+};
diff --git a/bin/tests/system/masterformat/ns1/signed.db b/bin/tests/system/masterformat/ns1/signed.db
new file mode 100644
index 0000000..55d6fae
--- /dev/null
+++ b/bin/tests/system/masterformat/ns1/signed.db
@@ -0,0 +1,29 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 1D
+
+@			IN SOA	ns hostmaster (
+				1
+				3600
+				1800
+				1814400
+				3
+				)
+			NS	ns
+ns			A	10.53.0.1
+mx			MX	10 mail
+a			A	10.53.0.1
+			A	10.53.0.2
+aaaa			AAAA	2001:db8::53
+cname			CNAME	cname-target
+dname			DNAME	dname-target
+txt			TXT	"this is text"
diff --git a/bin/tests/system/masterformat/ns2/formerly-text.db.in b/bin/tests/system/masterformat/ns2/formerly-text.db.in
new file mode 100644
index 0000000..02ce216
--- /dev/null
+++ b/bin/tests/system/masterformat/ns2/formerly-text.db.in
@@ -0,0 +1,48 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 86400	; 1 day
+transfer3		IN SOA	ns.transfer3. hostmaster.transfer3. (
+				1          ; serial
+				3600       ; refresh (1 hour)
+				1800       ; retry (30 minutes)
+				1814400    ; expire (3 weeks)
+				3          ; minimum (3 seconds)
+				)
+			NS	ns.transfer3.
+$ORIGIN transfer3.
+a			A	10.53.0.1
+			A	10.53.0.2
+aaaa			AAAA	2001:db8::53
+cname			CNAME	cname-target
+dname			DNAME	dname-target
+$TTL 300	; 5 minutes
+dnskey			DNSKEY	256 3 13 (
+				TEcpWeW1mJp+OujqyInMbjGRODJIYen/4kMR
+				wO6zW3RzrvmNIMgFag6G uXofiSwJ6YDeQ0O
+				3uhPJsJ7ivpbh+w==
+				)
+ds			DS	30795 1 1 (
+				310D27F4D82C1FC2400704EA9939FE6E1CEAA3B9 )
+$TTL 86400	; 1 day
+mx			MX	10 mail
+ns			A	10.53.0.1
+$TTL 600	; 10 minutes
+nsec			NSEC	nsecnext.transfer3. NS DS RRSIG NSEC
+$TTL 300	; 5 minutes
+rrsig			RRSIG	SOA 1 0 300 (
+				20050714214747 20050614214747 30795 .
+				yi/RRPAQmn6rnjDQaCqVValBa+ICF00ZldKfZSDaoew5
+				mMUh83DlrrPPNeAxrzMSNzDGlJ6PfdyIFgzPn/CvthF4
+				kjBUAiJTp4r2zhlaUJQ+QFo+drYXYgVJo6aA36fj )
+$TTL 86400	; 1 day
+txt			TXT	"this is text"
diff --git a/bin/tests/system/masterformat/ns2/named.conf.in b/bin/tests/system/masterformat/ns2/named.conf.in
new file mode 100644
index 0000000..c0f2987
--- /dev/null
+++ b/bin/tests/system/masterformat/ns2/named.conf.in
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+	pid-file "named.pid";
+	listen-on port @PORT@ { 10.53.0.2; };
+	listen-on-v6 { none; };
+	port @PORT@;
+	recursion no;
+	notify no;
+	servfail-ttl 0;
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+};
+
+zone "transfer1" {
+	type secondary;
+	primaries { 10.53.0.1; };
+	file "transfer.db.raw";
+};
+
+zone "transfer2" {
+	type secondary;
+	primaries { 10.53.0.1; };
+	masterfile-format text;
+	file "transfer.db.txt";
+};
+
+zone "transfer3" {
+	type secondary;
+	primaries { 10.53.0.1; };
+	file "formerly-text.db";
+};
+
+zone "transfer4" {
+	type secondary;
+	primaries { 10.53.0.1; };
+	masterfile-format text;
+	masterfile-style full;
+	file "transfer.db.full";
+};
+
+zone "large" {
+	type secondary;
+	primaries { 10.53.0.1; };
+	masterfile-format raw;
+	file "large.bk";
+};
diff --git a/bin/tests/system/masterformat/ns3/named.conf.in b/bin/tests/system/masterformat/ns3/named.conf.in
new file mode 100644
index 0000000..a41b7a8
--- /dev/null
+++ b/bin/tests/system/masterformat/ns3/named.conf.in
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+options {
+	pid-file "named.pid";
+	listen-on port @PORT@ { 10.53.0.3; };
+	port @PORT@;
+	listen-on-v6 { none; };
+	recursion no;
+	notify no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "example" {
+	type primary;
+	masterfile-format map;
+	file "example.db.map";
+};
+
+zone "dynamic" {
+	type primary;
+	masterfile-format map;
+	file "dynamic.db.map";
+	allow-update { any; };
+};
diff --git a/bin/tests/system/masterformat/setup.sh b/bin/tests/system/masterformat/setup.sh
new file mode 100755
index 0000000..ba2605c
--- /dev/null
+++ b/bin/tests/system/masterformat/setup.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+$SHELL clean.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+
+cp ns1/example.db ns2/
+cp ns2/formerly-text.db.in ns2/formerly-text.db
+cp ns1/large.db.in ns1/large.db
+awk 'END {
+	 for (i = 0; i < 512; i++ ) { print "a TXT", i; }
+	 for (i = 0; i < 1024; i++ ) { print "b TXT", i; }
+	 for (i = 0; i < 2000; i++ ) { print "c TXT", i; }
+}' < /dev/null >> ns1/large.db
+cd ns1 && $SHELL compile.sh
diff --git a/bin/tests/system/masterformat/tests.sh b/bin/tests/system/masterformat/tests.sh
new file mode 100755
index 0000000..d78cf37
--- /dev/null
+++ b/bin/tests/system/masterformat/tests.sh
@@ -0,0 +1,357 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+SYSTEMTESTTOP=..
+. "$SYSTEMTESTTOP/conf.sh"
+
+status=0
+n=1
+
+ismap () {
+    # shellcheck disable=SC2016
+    $PERL -e 'binmode STDIN;
+	     read(STDIN, $input, 8);
+             ($style, $version) = unpack("NN", $input);
+             exit 1 if ($style != 3 || $version > 1);' < "$1"
+    return $?
+}
+
+israw () {
+    # shellcheck disable=SC2016
+    $PERL -e 'binmode STDIN;
+             read(STDIN, $input, 8);
+             ($style, $version) = unpack("NN", $input);
+             exit 1 if ($style != 2 || $version > 1);' < "$1"
+    return $?
+}
+
+isfull () {
+    # there should be no whitespace at the beginning of a line
+    if grep '^[ 	][ 	]*' "$1" > /dev/null 2>&1; then
+	return 1
+    else
+	return 0
+    fi
+}
+
+rawversion () {
+    # shellcheck disable=SC2016
+    $PERL -e 'binmode STDIN;
+             read(STDIN, $input, 8);
+             if (length($input) < 8) { print "not raw\n"; exit 0; };
+             ($style, $version) = unpack("NN", $input);
+             print ($style == 2 || $style == 3 ? "$version\n" :
+		"not raw or map\n");' < "$1"
+}
+
+sourceserial () {
+    # shellcheck disable=SC2016
+    $PERL -e 'binmode STDIN;
+             read(STDIN, $input, 20);
+             if (length($input) < 20) { print "UNSET\n"; exit; };
+             ($format, $version, $dumptime, $flags, $sourceserial) =
+                     unpack("NNNNN", $input);
+             if ($format != 2 || $version <  1) { print "UNSET\n"; exit; };
+             if ($flags & 02) {
+                     print $sourceserial . "\n";
+             } else {
+                     print "UNSET\n";
+             }' < "$1"
+}
+
+stomp () {
+    # shellcheck disable=SC2016
+    $PERL -e 'open(my $file, "+<", $ARGV[0]);
+              binmode $file;
+              seek($file, $ARGV[1], 0);
+              for (my $i = 0; $i < $ARGV[2]; $i++) {
+                      print $file pack("C", $ARGV[3]);
+              }
+              close($file);' "$@"
+}
+
+restart () {
+    sleep 1
+    start_server --noclean --restart --port "${PORT}" ns3
+}
+
+dig_with_opts() {
+    "$DIG" +tcp +noauth +noadd +nosea +nostat +noquest +nocomm +nocmd -p "${PORT}" "$@"
+}
+
+rndccmd() {
+    "$RNDC" -c "$SYSTEMTESTTOP/common/rndc.conf" -p "${CONTROLPORT}" -s "$@"
+}
+
+status=0
+
+echo_i "checking that files in raw format loaded ($n)"
+ret=0
+set -- 1 2 3
+for zone in example example-explicit example-compat; do
+    for server in "$@"; do
+	for qname in ns mx a aaaa cname dname txt rrsig nsec \
+                dnskey ds cdnskey cds; do
+            qtype="$qname"
+	    dig_with_opts  @10.53.0.${server} -q ${qname}.${zone}. -t ${qtype}
+	    echo
+	done > dig.out.${zone}.${server}.test${n}
+        for qname in private-dnskey private-cdnskey; do
+            qtype=$(expr "$qname" : '.*-\(.*\)')
+	    dig_with_opts  @10.53.0.${server} -q ${qname}.${zone}. -t ${qtype}
+	done >> dig.out.${zone}.${server}.test${n}
+    done
+    digcomp dig.out.${zone}.1.test${n} dig.out.${zone}.2.test${n} || ret=1
+    if [ "$zone" = "example" ]; then
+        set -- 1 2
+        digcomp dig.out.${zone}.1.test${n} dig.out.${zone}.3.test${n} || ret=1
+    fi
+done
+n=$((n+1))
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking raw format versions ($n)"
+ret=0
+israw ns1/example.db.raw || ret=1
+israw ns1/example.db.raw1 || ret=1
+israw ns1/example.db.compat || ret=1
+ismap ns1/example.db.map || ret=1
+[ "$(rawversion ns1/example.db.raw)" -eq 1 ] || ret=1
+[ "$(rawversion ns1/example.db.raw1)" -eq 1 ] || ret=1
+[ "$(rawversion ns1/example.db.compat)" -eq 0 ] || ret=1
+[ "$(rawversion ns1/example.db.map)" -eq 1 ] || ret=1
+n=$((n+1))
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking source serial numbers ($n)"
+ret=0
+[ "$(sourceserial ns1/example.db.raw)" = "UNSET" ] || ret=1
+[ "$(sourceserial ns1/example.db.serial.raw)" = "3333" ] || ret=1
+n=$((n+1))
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status+ret))
+
+echo_i "waiting for transfers to complete"
+for i in 0 1 2 3 4 5 6 7 8 9
+do
+	test -f ns2/transfer.db.raw -a -f ns2/transfer.db.txt && break
+	sleep 1
+done
+
+echo_i "checking that secondary was saved in raw format by default ($n)"
+ret=0
+israw ns2/transfer.db.raw || ret=1
+n=$((n+1))
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that secondary was saved in text format when configured ($n)"
+ret=0
+israw ns2/transfer.db.txt && ret=1
+isfull ns2/transfer.db.txt && ret=1
+n=$((n+1))
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that secondary was saved in 'full' style when configured ($n)"
+ret=0
+isfull ns2/transfer.db.full > /dev/null 2>&1 || ret=1
+n=$((n+1))
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that secondary formerly in text format is now raw ($n)"
+for i in 0 1 2 3 4 5 6 7 8 9
+do
+    ret=0
+    israw ns2/formerly-text.db > /dev/null 2>&1 || ret=1
+    [ "$(rawversion ns2/formerly-text.db)" -eq 1 ] || ret=1
+    [ $ret -eq 0 ] && break
+    sleep 1
+done
+n=$((n+1))
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that large rdatasets loaded ($n)"
+for i in 0 1 2 3 4 5 6 7 8 9
+do
+ret=0
+for a in a b c
+do
+	$DIG +tcp txt "${a}.large" @10.53.0.2 -p "${PORT}" > "dig.out.ns2.test$n"
+	grep "status: NOERROR" "dig.out.ns2.test$n" > /dev/null || ret=1
+done
+[ $ret -eq 0 ] && break
+sleep 1
+done
+n=$((n+1))
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking format transitions: text->raw->map->text ($n)"
+ret=0
+$CHECKZONE -D -f text -F text -o baseline.txt example.nil ns1/example.db > /dev/null
+$CHECKZONE -D -f text -F raw -o raw.1 example.nil baseline.txt > /dev/null
+$CHECKZONE -D -f raw -F map -o map.1 example.nil raw.1 > /dev/null
+$CHECKZONE -D -f map -F text -o text.1 example.nil map.1 > /dev/null
+cmp -s baseline.txt text.1 || ret=0
+n=$((n+1))
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking format transitions: text->map->raw->text ($n)"
+ret=0
+$CHECKZONE -D -f text -F map -o map.2 example.nil baseline.txt > /dev/null
+$CHECKZONE -D -f map -F raw -o raw.2 example.nil map.2 > /dev/null
+$CHECKZONE -D -f raw -F text -o text.2 example.nil raw.2 > /dev/null
+cmp -s baseline.txt text.2 || ret=0
+n=$((n+1))
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking map format loading with journal file rollforward ($n)"
+ret=0
+$NSUPDATE <<END > /dev/null || status=1
+server 10.53.0.3 ${PORT}
+ttl 600
+update add newtext.dynamic IN TXT "added text"
+update delete aaaa.dynamic
+send
+END
+dig_with_opts @10.53.0.3 newtext.dynamic txt > "dig.out.dynamic1.ns3.test$n"
+grep "added text" "dig.out.dynamic1.ns3.test$n" > /dev/null 2>&1 || ret=1
+dig_with_opts +comm @10.53.0.3 added.dynamic txt > "dig.out.dynamic2.ns3.test$n"
+grep "NXDOMAIN" "dig.out.dynamic2.ns3.test$n" > /dev/null 2>&1 || ret=1
+# using "rndc halt" ensures that we don't dump the zone file
+stop_server --use-rndc --halt --port ${CONTROLPORT} ns3
+restart
+check_added_text() {
+	dig_with_opts @10.53.0.3 newtext.dynamic txt > "dig.out.dynamic3.ns3.test$n" || return 1
+	grep "added text" "dig.out.dynamic3.ns3.test$n" > /dev/null || return 1
+	return 0
+}
+retry_quiet 10 check_added_text || ret=1
+dig_with_opts +comm @10.53.0.3 added.dynamic txt > "dig.out.dynamic4.ns3.test$n"
+grep "NXDOMAIN" "dig.out.dynamic4.ns3.test$n" > /dev/null 2>&1 || ret=1
+n=$((n+1))
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking map format file dumps correctly ($n)"
+ret=0
+$NSUPDATE <<END > /dev/null || status=1
+server 10.53.0.3 ${PORT}
+ttl 600
+update add moretext.dynamic IN TXT "more text"
+send
+END
+dig_with_opts @10.53.0.3 moretext.dynamic txt > "dig.out.dynamic1.ns3.test$n"
+grep "more text" "dig.out.dynamic1.ns3.test$n" > /dev/null 2>&1 || ret=1
+# using "rndc stop" will cause the zone file to flush before shutdown
+stop_server --use-rndc --port ${CONTROLPORT} ns3
+rm ns3/*.jnl
+restart
+#shellcheck disable=SC2034
+for i in 0 1 2 3 4 5 6 7 8 9; do
+    lret=0
+    dig_with_opts +comm @10.53.0.3 moretext.dynamic txt > "dig.out.dynamic2.ns3.test$n"
+    grep "more text" "dig.out.dynamic2.ns3.test$n" > /dev/null 2>&1 || lret=1
+    [ $lret -eq 0 ] && break;
+done
+[ $lret -eq 1 ] && ret=1
+n=$((n+1))
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status+ret))
+
+# stomp on the file header
+echo_i "checking corrupt map files fail to load (bad file header) ($n)"
+ret=0
+$CHECKZONE -D -f text -F map -o map.5 example.nil baseline.txt > /dev/null
+cp map.5 badmap
+stomp badmap 0 32 99
+$CHECKZONE -D -f map -F text -o text.5 example.nil badmap > /dev/null
+[ $? = 1 ] || ret=1
+n=$((n+1))
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status+ret))
+
+# stomp on the file data so it hashes differently.
+# these are small and subtle changes, so that the resulting file
+# would appear to be a legitimate map file and would not trigger an
+# assertion failure if loaded into memory, but should still fail to
+# load because of a SHA1 hash mismatch.
+echo_i "checking corrupt map files fail to load (bad node header) ($n)"
+ret=0
+cp map.5 badmap
+stomp badmap 2754 2 99
+$CHECKZONE -D -f map -F text -o text.5 example.nil badmap > /dev/null
+[ $? = 1 ] || ret=1
+n=$((n+1))
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking corrupt map files fail to load (bad node data) ($n)"
+ret=0
+cp map.5 badmap
+stomp badmap 2897 5 127
+$CHECKZONE -D -f map -F text -o text.5 example.nil badmap > /dev/null
+[ $? = 1 ] || ret=1
+n=$((n+1))
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking map format zone is scheduled for resigning (compilezone) ($n)"
+ret=0
+rndccmd 10.53.0.1 zonestatus signed > rndc.out 2>&1 || ret=1
+grep 'next resign' rndc.out > /dev/null 2>&1 || ret=1
+n=$((n+1))
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking map format zone is scheduled for resigning (signzone) ($n)"
+ret=0
+rndccmd 10.53.0.1 freeze signed > rndc.out 2>&1 || ret=1
+(cd ns1 || exit 1; $SIGNER -S -O map -f signed.db.map -o signed signed.db > /dev/null)
+rndc_reload ns1 10.53.0.1 signed
+rndccmd 10.53.0.1 zonestatus signed > rndc.out 2>&1 || ret=1
+grep 'next resign' rndc.out > /dev/null 2>&1 || ret=1
+n=$((n+1))
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status+ret))
+
+# The following test is disabled by default because it is very slow.
+# It fails on Windows, because a single read() call (specifically
+# the one in isc_file_mmap()) cannot process more than INT_MAX (2^31)
+# bytes of data.
+if [ -n "${TEST_LARGE_MAP}" ]; then
+    echo_i "checking map file size > 2GB can be loaded ($n)"
+    ret=0
+    $PERL ../../startperf/mkzonefile.pl test 9000000 > text.$n
+    # convert to map
+    $CHECKZONE -D -f text -F map -o map.$n test text.$n > /dev/null || ret=1
+    # check map file size is over 2GB to ensure the test is valid
+    size=$(ls -l map.$n | awk '{print $5}')
+    [ "$size" -gt 2147483648 ] || ret=1
+    # convert back to text
+    $CHECKZONE -f map test map.$n > /dev/null || ret=1
+    n=$((n+1))
+    [ $ret -eq 0 ] || echo_i "failed"
+    status=$((status+ret))
+fi
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/metadata/child.db b/bin/tests/system/metadata/child.db
new file mode 100644
index 0000000..35fff9c
--- /dev/null
+++ b/bin/tests/system/metadata/child.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 20
+child.parent.nil		IN SOA	ns.child.parent.nil. hostmaster.parent.nil. (
+				1          ; serial
+				2000       ; refresh (33 minutes 20 seconds)
+				2000       ; retry (33 minutes 20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns.child.parent.nil.
+$ORIGIN child.parent.nil.
+$TTL 300	; 5 minutes
+ns			A	10.53.0.3
diff --git a/bin/tests/system/metadata/clean.sh b/bin/tests/system/metadata/clean.sh
new file mode 100644
index 0000000..58cd7ce
--- /dev/null
+++ b/bin/tests/system/metadata/clean.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f K* dsset-* *.signed *.new
+rm -f zsk.key ksk.key parent.ksk.key parent.zsk.key 
+rm -f pending.key rolling.key standby.key inact.key
+rm -f prerev.key postrev.key oldstyle.key
+rm -f keys sigs
+rm -f tmp.out
+rm -f settime1.test* settime2.test*
+rm -f ns*/named.lock
diff --git a/bin/tests/system/metadata/parent.db b/bin/tests/system/metadata/parent.db
new file mode 100644
index 0000000..a5484e3
--- /dev/null
+++ b/bin/tests/system/metadata/parent.db
@@ -0,0 +1,31 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300	; 5 minutes
+parent.nil		IN SOA	ns1.parent.nil. hostmaster.parent.nil. (
+				1          ; serial
+				2000       ; refresh (33 minutes 20 seconds)
+				2000       ; retry (33 minutes 20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns1.parent.nil.
+			NS	ns2.parent.nil.
+$ORIGIN parent.nil.
+$TTL 3600	; 1 hour
+a			A	1.1.1.1
+$TTL 300	; 5 minutes
+ns1			A	10.53.0.1
+ns2			A	10.53.0.2
+
+child			NS     	ns.child
+ns.child		A	10.53.0.3
diff --git a/bin/tests/system/metadata/setup.sh b/bin/tests/system/metadata/setup.sh
new file mode 100644
index 0000000..fd9ac60
--- /dev/null
+++ b/bin/tests/system/metadata/setup.sh
@@ -0,0 +1,61 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+pzone=parent.nil
+czone=child.parent.nil
+
+echo_i "generating keys"
+
+# active zsk
+zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $czone)
+echo $zsk > zsk.key
+
+# not yet published or active
+pending=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -P none -A none $czone)
+echo $pending > pending.key
+
+# published but not active
+standby=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -A none $czone)
+echo $standby > standby.key
+
+# inactive
+inact=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -P now-24h -A now-24h -I now $czone)
+echo $inact > inact.key
+
+# active ksk
+ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -fk $czone)
+echo $ksk > ksk.key
+
+# published but not YET active; will be active in 15 seconds
+rolling=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -fk $czone)
+$SETTIME -A now+15s $rolling > /dev/null
+echo $rolling > rolling.key
+
+# revoked
+revoke1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -fk $czone)
+echo $revoke1 > prerev.key
+revoke2=$($REVOKE $revoke1)
+echo $revoke2 | sed -e 's#\./##' -e "s/\.key.*$//" > postrev.key
+
+pzsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $pzone)
+echo $pzsk > parent.zsk.key
+
+pksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -fk $pzone)
+echo $pksk > parent.ksk.key
+
+oldstyle=$($KEYGEN -Cq -a ${DEFAULT_ALGORITHM} $pzone)
+echo $oldstyle > oldstyle.key
+
diff --git a/bin/tests/system/metadata/tests.sh b/bin/tests/system/metadata/tests.sh
new file mode 100644
index 0000000..626559d
--- /dev/null
+++ b/bin/tests/system/metadata/tests.sh
@@ -0,0 +1,213 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+pzone=parent.nil pfile=parent.db
+czone=child.parent.nil cfile=child.db
+status=0
+n=1
+
+echo_i "setting key timers"
+$SETTIME -A now+15s $(cat rolling.key) > /dev/null
+
+inact=$(keyfile_to_key_id "$(cat inact.key)")
+ksk=$(keyfile_to_key_id "$(cat ksk.key)")
+pending=$(keyfile_to_key_id "$(cat pending.key)")
+postrev=$(keyfile_to_key_id "$(cat postrev.key)")
+prerev=$(keyfile_to_key_id "$(cat prerev.key)")
+rolling=$(keyfile_to_key_id "$(cat rolling.key)")
+standby=$(keyfile_to_key_id "$(cat standby.key)")
+zsk=$(keyfile_to_key_id "$(cat zsk.key)")
+
+echo_i "signing zones"
+$SIGNER -Sg -o $czone $cfile > /dev/null
+$SIGNER -Sg -o $pzone $pfile > /dev/null
+
+awk '$2 ~ /RRSIG/ {
+        type = $3;
+        getline;
+	id = $3;
+	if ($4 ~ /'${czone}'/) {
+		print type, id
+	}
+}' < ${cfile}.signed > sigs
+
+awk '$2 ~ /DNSKEY/ {
+	flags = $3;
+	while ($0 !~ /key id =/)
+		getline;
+	id = $NF;
+	print flags, id;
+}' < ${cfile}.signed > keys
+
+echo_i "checking that KSK signed DNSKEY only ($n)"
+ret=0
+grep "DNSKEY $ksk"'$' sigs > /dev/null || ret=1
+grep "SOA $ksk"'$' sigs > /dev/null && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking that ZSK signed ($n)"
+ret=0
+grep "SOA $zsk"'$' sigs > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking that standby ZSK did not sign ($n)"
+ret=0
+grep " $standby"'$' sigs > /dev/null && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking that inactive key did not sign ($n)"
+ret=0
+grep " $inact"'$' sigs > /dev/null && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking that pending key was not published ($n)"
+ret=0
+grep " $pending"'$' keys > /dev/null && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking that standby KSK did not sign but is delegated ($n)"
+ret=0
+grep " $rolling"'$' sigs > /dev/null && ret=1
+grep " $rolling"'$' keys > /dev/null || ret=1
+grep -E "DS[ 	]*$rolling[ 	]" ${pfile}.signed > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking that key was revoked ($n)"
+ret=0
+grep " $prerev"'$' keys > /dev/null && ret=1
+grep " $postrev"'$' keys > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking that revoked key self-signed ($n)"
+ret=0
+grep "DNSKEY $postrev"'$' sigs > /dev/null || ret=1
+grep "SOA $postrev"'$' sigs > /dev/null && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "waiting 20 seconds for key changes to occur"
+sleep 20
+
+echo_i "re-signing zone"
+$SIGNER  -Sg -o $czone -f ${cfile}.new ${cfile}.signed > /dev/null
+
+echo_i "checking that standby KSK is now active ($n)"
+ret=0
+grep "DNSKEY $rolling"'$' sigs > /dev/null && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking update of an old-style key ($n)"
+ret=0
+# printing metadata should not work with an old-style key
+$SETTIME -pall $(cat oldstyle.key) > /dev/null 2>&1 && ret=1
+$SETTIME -f $(cat oldstyle.key) > /dev/null 2>&1 || ret=1
+# but now it should
+$SETTIME -pall $(cat oldstyle.key) > /dev/null 2>&1 || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking warning about permissions change on key with dnssec-settime ($n)"
+uname=$(uname -o 2> /dev/null)
+if [ Cygwin = "$uname"  ]; then
+	echo_i "Cygwin detected, skipping"
+else
+	ret=0
+	# settime should print a warning about changing the permissions
+	chmod 644 $(cat oldstyle.key).private
+	$SETTIME -P none $(cat oldstyle.key) > settime1.test$n 2>&1 || ret=1
+	grep "warning: Permissions on the file.*have changed" settime1.test$n > /dev/null 2>&1 || ret=1
+	$SETTIME -P none $(cat oldstyle.key) > settime2.test$n 2>&1 || ret=1
+	grep "warning: Permissions on the file.*have changed" settime2.test$n > /dev/null 2>&1 && ret=1
+	n=$((n + 1))
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=$((status + ret))
+fi
+
+echo_i "checking warning about delete date < inactive date with dnssec-settime ($n)"
+ret=0
+# settime should print a warning about delete < inactive
+$SETTIME -I now+15s -D now $(cat oldstyle.key) > tmp.out 2>&1 || ret=1
+grep "warning" tmp.out > /dev/null 2>&1 || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking no warning about delete date < inactive date with dnssec-settime when delete date is unset ($n)"
+ret=0
+$SETTIME -D none $(cat oldstyle.key) > tmp.out 2>&1 || ret=1
+$SETTIME -p all $(cat oldstyle.key) > tmp.out 2>&1 || ret=1
+grep "warning" tmp.out > /dev/null 2>&1 && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking warning about delete date < inactive date with dnssec-keygen ($n)"
+ret=0
+# keygen should print a warning about delete < inactive
+$KEYGEN -q -a ${DEFAULT_ALGORITHM} -I now+15s -D now $czone > tmp.out 2>&1 || ret=1
+grep "warning" tmp.out > /dev/null 2>&1 || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking correct behavior setting activation without publication date ($n)"
+ret=0
+key=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -A +1w $czone)
+pub=$($SETTIME -upP $key | awk '{print $2}')
+act=$($SETTIME -upA $key | awk '{print $2}')
+[ $pub -eq $act ] || ret=1
+key=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -A +1w -i 1d $czone)
+pub=$($SETTIME -upP $key | awk '{print $2}')
+act=$($SETTIME -upA $key | awk '{print $2}')
+[ $pub -lt $act ] || ret=1
+key=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -A +1w -P never $czone)
+pub=$($SETTIME -upP $key | awk '{print $2}')
+[ $pub = "UNSET" ] || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking calculation of dates for a successor key ($n)"
+ret=0
+oldkey=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $czone)
+newkey=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $czone)
+$SETTIME -A -2d -I +2d $oldkey > settime1.test$n 2>&1 || ret=1
+$SETTIME -i 1d -S $oldkey $newkey > settime2.test$n 2>&1 || ret=1
+$SETTIME -pA $newkey | grep "1970" > /dev/null && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/mirror/README b/bin/tests/system/mirror/README
new file mode 100644
index 0000000..f76b41b
--- /dev/null
+++ b/bin/tests/system/mirror/README
@@ -0,0 +1,26 @@
+<!--
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0.  If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+-->
+
+This test checks whether zones configured with "type mirror;" behave as
+expected.
+
+ns1 is an authoritative-only server.  It only serves the root zone, which is
+mirrored by ns3.
+
+ns2 is an authoritative-only server.  It serves a number of zones, some of which
+are delegated to it by ns1 and used in recursive resolution tests aimed at ns3
+while others are only served so that ns3 has a primary server to mirror zones
+from during various tests of the mirror zone implementation.
+
+ns3 is a recursive resolver.  It has a number of mirror zones configured.  This
+is the only server whose behavior is being examined by this system test.
diff --git a/bin/tests/system/mirror/clean.sh b/bin/tests/system/mirror/clean.sh
new file mode 100644
index 0000000..2e02183
--- /dev/null
+++ b/bin/tests/system/mirror/clean.sh
@@ -0,0 +1,30 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f */*.conf
+rm -f */*.db
+rm -f */*.jnl
+rm -f */*.mirror
+rm -f */*.nzd*
+rm -f */*.prev
+rm -f */*.signed
+rm -f */K*
+rm -f */db-*
+rm -f */dsset-*
+rm -f */jn-*
+rm -f */_default.nzf
+rm -f */managed-keys.bind*
+rm -f */named.memstats
+rm -f */named.run
+rm -f dig.out.*
+rm -f rndc.out.*
diff --git a/bin/tests/system/mirror/ns1/named.conf.in b/bin/tests/system/mirror/ns1/named.conf.in
new file mode 100644
index 0000000..5334786
--- /dev/null
+++ b/bin/tests/system/mirror/ns1/named.conf.in
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+};
+
+zone "." {
+	type primary;
+	file "root.db.signed";
+};
diff --git a/bin/tests/system/mirror/ns1/root.db.in b/bin/tests/system/mirror/ns1/root.db.in
new file mode 100644
index 0000000..98ecf1f
--- /dev/null
+++ b/bin/tests/system/mirror/ns1/root.db.in
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@				SOA	a.root-servers.nil. hostmaster 1 3600 1200 604800 3600
+@				NS	a.root-servers.nil.
+a.root-servers.nil.		A	10.53.0.1
+example				NS	ns2.example.
+ns2.example.			A	10.53.0.2
+initially-unavailable.		NS	ns2.initially-unavailable.
+ns2.initially-unavailable.	A	10.53.0.2
diff --git a/bin/tests/system/mirror/ns1/sign.sh b/bin/tests/system/mirror/ns1/sign.sh
new file mode 100644
index 0000000..c3affbf
--- /dev/null
+++ b/bin/tests/system/mirror/ns1/sign.sh
@@ -0,0 +1,38 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+( cd ../ns2 && $SHELL -e sign.sh )
+
+cp ../ns2/dsset-* .
+
+zone=.
+infile=root.db.in
+zonefile=root.db
+
+keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -f KSK $zone 2> /dev/null)
+keyname2=$($KEYGEN -a ${DEFAULT_ALGORITHM} $zone 2> /dev/null)
+
+cat $infile $keyname1.key $keyname2.key > $zonefile
+
+$SIGNER -P -g -o $zone $zonefile > /dev/null
+
+# Add a trust anchor for a name whose non-existence can be securely proved
+# without recursing when the root zone is mirrored.  This will exercise code
+# attempting to send TAT queries for such names (in ns3).  Key data is
+# irrelevant here, so just reuse the root zone key generated above.
+sed "s/^\./nonexistent./;" $keyname1.key > $keyname1.modified.key
+
+keyfile_to_static_ds $keyname1 $keyname1.modified > trusted.conf
diff --git a/bin/tests/system/mirror/ns2/example.db.in b/bin/tests/system/mirror/ns2/example.db.in
new file mode 100644
index 0000000..5472399
--- /dev/null
+++ b/bin/tests/system/mirror/ns2/example.db.in
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@		SOA	ns2 hostmaster 1 3600 1200 604800 3600
+@		NS	ns2
+ns2		A	10.53.0.2
+foo		A	127.0.0.1
+sub		NS	ns2
diff --git a/bin/tests/system/mirror/ns2/initially-unavailable.db.in b/bin/tests/system/mirror/ns2/initially-unavailable.db.in
new file mode 100644
index 0000000..cf809e3
--- /dev/null
+++ b/bin/tests/system/mirror/ns2/initially-unavailable.db.in
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@		SOA	a.root-servers.nil. hostmaster 1 3600 1200 604800 3600
+@		NS	ns2
+ns2		A	10.53.0.2
+foo		CNAME	foo.example.
diff --git a/bin/tests/system/mirror/ns2/named.conf.in b/bin/tests/system/mirror/ns2/named.conf.in
new file mode 100644
index 0000000..5df56c2
--- /dev/null
+++ b/bin/tests/system/mirror/ns2/named.conf.in
@@ -0,0 +1,85 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+};
+
+zone "example" {
+	type primary;
+	file "example.db.signed";
+};
+
+zone "sub.example" {
+	type primary;
+	file "sub.example.db.signed";
+};
+
+zone "initially-unavailable" {
+	type primary;
+	file "initially-unavailable.db.signed";
+	allow-transfer { 10.53.0.254; };
+};
+
+zone "verify-addzone" {
+	type primary;
+	file "verify-addzone.db.original.signed";
+};
+
+zone "verify-axfr" {
+	type primary;
+	file "verify-axfr.db.signed";
+};
+
+zone "verify-csk" {
+	type primary;
+	file "verify-csk.db.signed";
+};
+
+zone "verify-ixfr" {
+	type primary;
+	file "verify-ixfr.db.signed";
+	ixfr-from-differences yes;
+	allow-transfer { 10.53.0.3; };
+};
+
+zone "verify-reconfig" {
+	type primary;
+	file "verify-reconfig.db.signed";
+};
+
+zone "verify-unsigned" {
+	type primary;
+	file "verify.db.in";
+};
+
+zone "verify-untrusted" {
+	type primary;
+	file "verify-untrusted.db.signed";
+};
diff --git a/bin/tests/system/mirror/ns2/sign.sh b/bin/tests/system/mirror/ns2/sign.sh
new file mode 100644
index 0000000..2c48f22
--- /dev/null
+++ b/bin/tests/system/mirror/ns2/sign.sh
@@ -0,0 +1,80 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+keys_to_trust=""
+
+for zonename in sub.example example initially-unavailable; do
+	zone=$zonename
+	infile=$zonename.db.in
+	zonefile=$zonename.db
+
+	keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -f KSK $zone 2> /dev/null)
+	keyname2=$($KEYGEN -a ${DEFAULT_ALGORITHM} $zone 2> /dev/null)
+
+	cat $infile $keyname1.key $keyname2.key > $zonefile
+
+	$SIGNER -P -g -o $zone $zonefile > /dev/null
+done
+
+# Only add the key for "initially-unavailable" to the list of keys trusted by
+# ns3.  "example" is expected to be validated using a chain of trust starting in
+# the "root" zone on ns1.
+keys_to_trust="$keys_to_trust $keyname1"
+
+# Prepare a zone signed using a Combined Signing Key (CSK) without the SEP bit
+# set and add that key to the list of keys to trust.
+zone=verify-csk
+infile=verify.db.in
+zonefile=verify-csk.db
+
+keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} $zone 2> /dev/null)
+cat $infile $keyname.key > $zonefile
+$SIGNER -P -o $zone $zonefile > /dev/null
+keys_to_trust="$keys_to_trust $keyname"
+
+# Prepare remaining zones used in the test.
+ORIGINAL_SERIAL=$(awk '$2 == "SOA" {print $5}' verify.db.in)
+UPDATED_SERIAL_BAD=$((ORIGINAL_SERIAL + 1))
+UPDATED_SERIAL_GOOD=$((ORIGINAL_SERIAL + 2))
+
+for variant in addzone axfr ixfr load reconfig untrusted; do
+	zone=verify-$variant
+	infile=verify.db.in
+	zonefile=verify-$variant.db
+
+	keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -f KSK $zone 2> /dev/null)
+	keyname2=$($KEYGEN -a ${DEFAULT_ALGORITHM} $zone 2> /dev/null)
+
+	cat $infile $keyname1.key $keyname2.key > $zonefile
+
+	# Prepare a properly signed version of the zone ("*.original.signed").
+	$SIGNER -P -o $zone $zonefile > /dev/null
+	cp $zonefile.signed $zonefile.original.signed
+	# Prepare a version of the zone with a bogus SOA RRSIG ("*.bad.signed").
+	sed "s/${ORIGINAL_SERIAL}/${UPDATED_SERIAL_BAD}/;" $zonefile.signed > $zonefile.bad.signed
+	# Prepare another properly signed version of the zone ("*.good.signed").
+	sed "s/${ORIGINAL_SERIAL}/${UPDATED_SERIAL_GOOD}/;" $zonefile > $zonefile.good
+	$SIGNER -P -o $zone $zonefile.good > /dev/null
+	rm -f $zonefile.good
+
+	# Except for the "verify-untrusted" zone, declare the KSK used for
+	# signing the zone to be a trust anchor for ns3.
+	if [ "$variant" != "untrusted" ]; then
+		keys_to_trust="$keys_to_trust $keyname1"
+	fi
+done
+
+keyfile_to_static_ds $keys_to_trust > trusted-mirror.conf
diff --git a/bin/tests/system/mirror/ns2/sub.example.db.in b/bin/tests/system/mirror/ns2/sub.example.db.in
new file mode 100644
index 0000000..d2c15c7
--- /dev/null
+++ b/bin/tests/system/mirror/ns2/sub.example.db.in
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@		SOA	ns2.example. hostmaster 1 3600 1200 604800 3600
+@		NS	ns2.example.
+foo		A	127.0.0.1
diff --git a/bin/tests/system/mirror/ns2/verify.db.in b/bin/tests/system/mirror/ns2/verify.db.in
new file mode 100644
index 0000000..b3ed22a
--- /dev/null
+++ b/bin/tests/system/mirror/ns2/verify.db.in
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@		SOA	ns2 hostmaster 2000010100 3600 1200 604800 3600
+@		NS	ns2
+ns2		A	10.53.0.2
diff --git a/bin/tests/system/mirror/ns3/named.args b/bin/tests/system/mirror/ns3/named.args
new file mode 100644
index 0000000..7519c8f
--- /dev/null
+++ b/bin/tests/system/mirror/ns3/named.args
@@ -0,0 +1 @@
+-D mirror-ns3 -X named.lock -m record,size,mctx -c named.conf -d 99 -g -U 4 -T maxcachesize=2097152 -T tat=3
diff --git a/bin/tests/system/mirror/ns3/named.conf.in b/bin/tests/system/mirror/ns3/named.conf.in
new file mode 100644
index 0000000..58d8bd5
--- /dev/null
+++ b/bin/tests/system/mirror/ns3/named.conf.in
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion yes;
+	allow-query-cache { 10.53.0.1; };
+	trust-anchor-telemetry yes;
+	allow-new-zones yes;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "." {
+	type mirror;
+	primaries { 10.53.0.1; };
+	file "root.db.mirror";
+};
+
+zone "initially-unavailable" {
+	type mirror;
+	primaries { 10.53.0.2; };
+	file "initially-unavailable.db.mirror";
+	use-alt-transfer-source no;
+};
+
+zone "verify-axfr" {
+	type mirror;
+	primaries { 10.53.0.2; };
+	file "verify-axfr.db.mirror";
+};
+
+zone "verify-csk" {
+	type mirror;
+	primaries { 10.53.0.2; };
+	file "verify-csk.db.mirror";
+};
+
+zone "verify-ixfr" {
+	type mirror;
+	primaries { 10.53.0.2; };
+	file "verify-ixfr.db.mirror";
+	masterfile-format text;
+};
+
+zone "verify-load" {
+	type mirror;
+	primaries { 10.53.0.2; };
+	file "verify-load.db.mirror";
+	masterfile-format text;
+};
+
+zone "verify-reconfig" {
+	type mirror;
+	primaries { 10.53.0.2; };
+	file "verify-reconfig.db.mirror";
+	masterfile-format text;
+};
+
+zone "verify-unsigned" {
+	type mirror;
+	primaries { 10.53.0.2; };
+	file "verify-unsigned.db.mirror";
+};
+
+zone "verify-untrusted" {
+	type mirror;
+	primaries { 10.53.0.2; };
+	file "verify-untrusted.db.mirror";
+};
+
+include "../ns1/trusted.conf";
+include "../ns2/trusted-mirror.conf";
diff --git a/bin/tests/system/mirror/setup.sh b/bin/tests/system/mirror/setup.sh
new file mode 100644
index 0000000..b91c06d
--- /dev/null
+++ b/bin/tests/system/mirror/setup.sh
@@ -0,0 +1,26 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+
+( cd ns1 && $SHELL -e sign.sh )
+
+cat ns2/verify-axfr.db.bad.signed > ns2/verify-axfr.db.signed
+cat ns2/verify-load.db.bad.signed > ns3/verify-load.db.mirror
diff --git a/bin/tests/system/mirror/tests.sh b/bin/tests/system/mirror/tests.sh
new file mode 100644
index 0000000..c93c58d
--- /dev/null
+++ b/bin/tests/system/mirror/tests.sh
@@ -0,0 +1,557 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="-p ${PORT} -b 10.53.0.1 +dnssec +time=2 +tries=1 +multi"
+RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
+
+# Wait until the transfer of the given zone to ns3 either completes
+# successfully or is aborted by a verification failure or a REFUSED response
+# from the primary.  Note that matching on any transfer status is deliberately
+# avoided because some checks performed by this test cause transfer attempts to
+# end with the "IXFR failed" status, which is followed by an AXFR retry and
+# this test needs to check what the result of the latter transfer attempt is.
+wait_for_transfer() {
+	zone=$1
+	for i in 1 2 3 4 5 6 7 8 9 10; do
+		# Wait until a "freeing transfer context" message is logged
+		# after one of the transfer results we are looking for is
+		# logged.  This is needed to prevent races when checking for
+		# "mirror zone is now in use" messages.
+		nextpartpeek ns3/named.run | \
+			awk "matched; /'$zone\/IN'.*Transfer status: (success|verify failure|REFUSED)/ {matched=1}" | \
+			grep "'$zone/IN'.*freeing transfer context" > /dev/null && return
+		sleep 1
+	done
+	echo_i "exceeded time limit waiting for proof of '$zone' being transferred to appear in ns3/named.run"
+	ret=1
+}
+
+# Wait until loading the given zone on the given server either completes
+# successfully for the specified serial number or fails.
+wait_for_load() {
+	zone=$1
+	serial=$2
+	log=$3
+	for i in 1 2 3 4 5 6 7 8 9 10; do
+		# Wait until a "zone_postload: (...): done" message is logged
+		# after one of the loading-related messages we are looking for
+		# is logged.  This is needed to prevent races when checking for
+		# "mirror zone is now in use" messages.
+		nextpartpeek $log | \
+			awk "matched; /$zone.*(loaded serial $serial|unable to load)/ {matched=1}" | \
+			grep "zone_postload: zone $zone/IN: done" > /dev/null && return
+		sleep 1
+	done
+	echo_i "exceeded time limit waiting for proof of '$zone' being loaded to appear in $log"
+	ret=1
+}
+
+# Trigger a reload of ns2 and wait until loading the given zone completes.
+reload_zone() {
+	zone=$1
+	serial=$2
+	rndc_reload ns2 10.53.0.2
+	wait_for_load $zone $serial ns2/named.run
+}
+
+status=0
+n=0
+
+ORIGINAL_SERIAL=$(awk '$2 == "SOA" {print $5}' ns2/verify.db.in)
+UPDATED_SERIAL_BAD=$((ORIGINAL_SERIAL + 1))
+UPDATED_SERIAL_GOOD=$((ORIGINAL_SERIAL + 2))
+
+n=$((n + 1))
+echo_i "checking that an unsigned mirror zone is rejected ($n)"
+ret=0
+wait_for_transfer verify-unsigned
+$DIG $DIGOPTS @10.53.0.3 +norec verify-unsigned SOA > dig.out.ns3.test$n 2>&1 || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
+grep "${ORIGINAL_SERIAL}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1
+nextpartpeek ns3/named.run | grep "verify-unsigned.*Zone contains no DNSSEC keys" > /dev/null || ret=1
+nextpartpeek ns3/named.run | grep "verify-unsigned.*mirror zone is now in use" > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that a mirror zone signed using an untrusted key is rejected ($n)"
+ret=0
+nextpartreset ns3/named.run
+wait_for_transfer verify-untrusted
+$DIG $DIGOPTS @10.53.0.3 +norec verify-untrusted SOA > dig.out.ns3.test$n 2>&1 || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
+grep "${ORIGINAL_SERIAL}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1
+nextpartpeek ns3/named.run | grep "verify-untrusted.*No trusted DNSKEY found" > /dev/null || ret=1
+nextpartpeek ns3/named.run | grep "verify-untrusted.*mirror zone is now in use" > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that a mirror zone signed using a CSK without the SEP bit set is accepted ($n)"
+ret=0
+nextpartreset ns3/named.run
+wait_for_transfer verify-csk
+$DIG $DIGOPTS @10.53.0.3 +norec verify-csk SOA > dig.out.ns3.test$n 2>&1 || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1
+grep "${ORIGINAL_SERIAL}.*; serial" dig.out.ns3.test$n > /dev/null || ret=1
+nextpartpeek ns3/named.run | grep "verify-csk.*mirror zone is now in use" > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that an AXFR of an incorrectly signed mirror zone is rejected ($n)"
+ret=0
+nextpartreset ns3/named.run
+wait_for_transfer verify-axfr
+$DIG $DIGOPTS @10.53.0.3 +norec verify-axfr SOA > dig.out.ns3.test$n 2>&1 || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
+grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1
+nextpartpeek ns3/named.run | grep "No correct ${DEFAULT_ALGORITHM} signature for verify-axfr SOA" > /dev/null || ret=1
+nextpartpeek ns3/named.run | grep "verify-axfr.*mirror zone is now in use" > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that an AXFR of an updated, correctly signed mirror zone is accepted ($n)"
+ret=0
+nextpart ns3/named.run > /dev/null
+cat ns2/verify-axfr.db.good.signed > ns2/verify-axfr.db.signed
+reload_zone verify-axfr ${UPDATED_SERIAL_GOOD}
+$RNDCCMD 10.53.0.3 retransfer verify-axfr > /dev/null 2>&1
+wait_for_transfer verify-axfr
+$DIG $DIGOPTS @10.53.0.3 +norec verify-axfr SOA > dig.out.ns3.test$n 2>&1 || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1
+grep "${UPDATED_SERIAL_GOOD}.*; serial" dig.out.ns3.test$n > /dev/null || ret=1
+nextpartpeek ns3/named.run | grep "verify-axfr.*mirror zone is now in use" > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that an IXFR of an incorrectly signed mirror zone is rejected ($n)"
+nextpartreset ns3/named.run
+ret=0
+wait_for_transfer verify-ixfr
+# Sanity check: the initial, properly signed version of the zone should have
+# been announced as coming into effect.
+nextpart ns3/named.run | grep "verify-ixfr.*mirror zone is now in use" > /dev/null || ret=1
+# Make a copy of the original zone file for reuse in journal tests below.
+cp ns2/verify-ixfr.db.signed ns3/verify-journal.db.mirror
+# Wait 1 second so that the zone file timestamp changes and the subsequent
+# invocation of "rndc reload" triggers a zone reload.
+sleep 1
+cat ns2/verify-ixfr.db.bad.signed > ns2/verify-ixfr.db.signed
+reload_zone verify-ixfr ${UPDATED_SERIAL_BAD}
+# Make a copy of the bad zone journal for reuse in journal tests below.
+cp ns2/verify-ixfr.db.signed.jnl ns3/verify-journal.db.bad.mirror.jnl
+# Trigger IXFR.
+$RNDCCMD 10.53.0.3 refresh verify-ixfr > /dev/null 2>&1
+wait_for_transfer verify-ixfr
+# Ensure the transfer was incremental as expected.
+if [ $(nextpartpeek ns3/named.run | grep "verify-ixfr.*got incremental response" | wc -l) -eq 0 ]; then
+	echo_i "failed: did not get an incremental response"
+	ret=1
+fi
+# Ensure the new, bad version of the zone was not accepted.
+$DIG $DIGOPTS @10.53.0.3 +norec verify-ixfr SOA > dig.out.ns3.test$n 2>&1 || ret=1
+# A positive answer is expected as the original version of the "verify-ixfr"
+# zone should have been successfully verified.
+grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1
+grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1
+nextpartpeek ns3/named.run | grep "No correct ${DEFAULT_ALGORITHM} signature for verify-ixfr SOA" > /dev/null || ret=1
+# Despite the verification failure for this IXFR, this mirror zone should still
+# be in use as its previous version should have been verified successfully.
+nextpartpeek ns3/named.run | grep "verify-ixfr.*mirror zone is no longer in use" > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that an IXFR of an updated, correctly signed mirror zone is accepted after AXFR failover ($n)"
+ret=0
+nextpart ns3/named.run > /dev/null
+# Wait 1 second so that the zone file timestamp changes and the subsequent
+# invocation of "rndc reload" triggers a zone reload.
+sleep 1
+cat ns2/verify-ixfr.db.good.signed > ns2/verify-ixfr.db.signed
+reload_zone verify-ixfr ${UPDATED_SERIAL_GOOD}
+# Make a copy of the good zone journal for reuse in journal tests below.
+cp ns2/verify-ixfr.db.signed.jnl ns3/verify-journal.db.good.mirror.jnl
+# Trigger IXFR.
+$RNDCCMD 10.53.0.3 refresh verify-ixfr > /dev/null 2>&1
+wait_for_transfer verify-ixfr
+# Ensure the new, good version of the zone was accepted.
+$DIG $DIGOPTS @10.53.0.3 +norec verify-ixfr SOA > dig.out.ns3.test$n 2>&1 || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1
+grep "${UPDATED_SERIAL_GOOD}.*; serial" dig.out.ns3.test$n > /dev/null || ret=1
+# The log message announcing the mirror zone coming into effect should not have
+# been logged this time since the mirror zone in question is expected to
+# already be in use before this test case is checked.
+nextpartpeek ns3/named.run | grep "verify-ixfr.*mirror zone is now in use" > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that loading an incorrectly signed mirror zone from disk fails ($n)"
+ret=0
+nextpartreset ns3/named.run
+wait_for_load verify-load ${UPDATED_SERIAL_BAD} ns3/named.run
+$DIG $DIGOPTS @10.53.0.3 +norec verify-load SOA > dig.out.ns3.test$n 2>&1 || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
+grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1
+nextpartpeek ns3/named.run | grep "No correct ${DEFAULT_ALGORITHM} signature for verify-load SOA" > /dev/null || ret=1
+nextpartpeek ns3/named.run | grep "verify-load.*mirror zone is now in use" > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "ensuring trust anchor telemetry queries are sent upstream for a mirror zone ($n)"
+ret=0
+# ns3 is started with "-T tat=3", so TAT queries should have already been sent.
+grep "_ta-[-0-9a-f]*/NULL" ns1/named.run > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that loading a correctly signed mirror zone from disk succeeds ($n)"
+ret=0
+stop_server --use-rndc --port ${CONTROLPORT} ns3
+cat ns2/verify-load.db.good.signed > ns3/verify-load.db.mirror
+nextpart ns3/named.run > /dev/null
+start_server --noclean --restart --port ${PORT} ns3
+wait_for_load verify-load ${UPDATED_SERIAL_GOOD} ns3/named.run
+$DIG $DIGOPTS @10.53.0.3 +norec verify-load SOA > dig.out.ns3.test$n 2>&1 || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1
+grep "${UPDATED_SERIAL_GOOD}.*; serial" dig.out.ns3.test$n > /dev/null || ret=1
+nextpartpeek ns3/named.run | grep "verify-load.*mirror zone is now in use" > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that loading a journal for an incorrectly signed mirror zone fails ($n)"
+ret=0
+stop_server --use-rndc --port ${CONTROLPORT} ns3
+cp ns3/verify-journal.db.mirror ns3/verify-ixfr.db.mirror
+cp ns3/verify-journal.db.bad.mirror.jnl ns3/verify-ixfr.db.mirror.jnl
+# Temporarily disable transfers of the "verify-ixfr" zone on ns2.  This is
+# required to reliably test whether the message announcing the mirror zone
+# coming into effect is not logged after a failed journal verification since
+# otherwise a corrected version of the zone may be transferred after
+# verification fails but before we look for the aforementioned log message.
+# (NOTE: Keep the embedded newline in the sed function list below.)
+sed '/^zone "verify-ixfr" {$/,/^};$/ {
+	s/10.53.0.3/10.53.0.254/
+}' ns2/named.conf > ns2/named.conf.modified
+mv ns2/named.conf.modified ns2/named.conf
+rndc_reconfig ns2 10.53.0.2
+nextpart ns3/named.run > /dev/null
+start_server --noclean --restart --port ${PORT} ns3
+wait_for_load verify-ixfr ${UPDATED_SERIAL_BAD} ns3/named.run
+$DIG $DIGOPTS @10.53.0.3 +norec verify-ixfr SOA > dig.out.ns3.test$n 2>&1 || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
+grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1
+nextpartpeek ns3/named.run | grep "No correct ${DEFAULT_ALGORITHM} signature for verify-ixfr SOA" > /dev/null || ret=1
+nextpartpeek ns3/named.run | grep "verify-ixfr.*mirror zone is now in use" > /dev/null && ret=1
+# Restore transfers for the "verify-ixfr" zone on ns2.
+# (NOTE: Keep the embedded newline in the sed function list below.)
+sed '/^zone "verify-ixfr" {$/,/^};$/ {
+	s/10.53.0.254/10.53.0.3/
+}' ns2/named.conf > ns2/named.conf.modified
+mv ns2/named.conf.modified ns2/named.conf
+rndc_reconfig ns2 10.53.0.2
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that loading a journal for a correctly signed mirror zone succeeds ($n)"
+ret=0
+stop_server --use-rndc --port ${CONTROLPORT} ns3
+cp ns3/verify-journal.db.mirror ns3/verify-ixfr.db.mirror
+cp ns3/verify-journal.db.good.mirror.jnl ns3/verify-ixfr.db.mirror.jnl
+nextpart ns3/named.run > /dev/null
+start_server --noclean --restart --port ${PORT} ns3
+wait_for_load verify-ixfr ${UPDATED_SERIAL_GOOD} ns3/named.run
+$DIG $DIGOPTS @10.53.0.3 +norec verify-ixfr SOA > dig.out.ns3.test$n 2>&1 || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1
+grep "${UPDATED_SERIAL_GOOD}.*; serial" dig.out.ns3.test$n > /dev/null || ret=1
+nextpartpeek ns3/named.run | grep "verify-ixfr.*mirror zone is now in use" > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking delegations sourced from a mirror zone ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 foo.example A +norec > dig.out.ns3.test$n 2>&1 || ret=1
+# Check response code and flags in the answer.
+grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep "flags:.* ad" dig.out.ns3.test$n > /dev/null && ret=1
+# Check that a delegation containing a DS RRset and glue is present.
+grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
+grep "example.*IN.*NS" dig.out.ns3.test$n > /dev/null || ret=1
+grep "example.*IN.*DS" dig.out.ns3.test$n > /dev/null || ret=1
+grep "ns2.example.*A.*10.53.0.2" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that resolution involving a mirror zone works as expected ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 foo.example A > dig.out.ns3.test$n 2>&1 || ret=1
+# Check response code and flags in the answer.
+grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1
+# Ensure ns1 was not queried.
+grep "query 'foo.example/A/IN'" ns1/named.run > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that non-recursive queries for names below mirror zone get responded from cache ($n)"
+ret=0
+# Issue a non-recursive query for an RRset which is expected to be in cache.
+$DIG $DIGOPTS @10.53.0.3 +norec foo.example. A > dig.out.ns3.test$n 2>&1 || ret=1
+# Check response code and flags in the answer.
+grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1
+# Ensure the response is not a delegation.
+grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1
+grep "foo.example.*IN.*A.*127.0.0.1" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that delegations from cache which improve mirror zone delegations are properly handled ($n)"
+ret=0
+# First, issue a recursive query in order to cache an RRset which is not within
+# the mirror zone's bailiwick.
+$DIG $DIGOPTS @10.53.0.3 sub.example. NS > dig.out.ns3.test$n.1 2>&1 || ret=1
+# Ensure the child-side NS RRset is returned.
+grep "NOERROR" dig.out.ns3.test$n.1 > /dev/null || ret=1
+grep "ANSWER: 2" dig.out.ns3.test$n.1 > /dev/null || ret=1
+grep "sub.example.*IN.*NS" dig.out.ns3.test$n.1 > /dev/null || ret=1
+# Issue a non-recursive query for something below the cached zone cut.
+$DIG $DIGOPTS @10.53.0.3 +norec foo.sub.example. A > dig.out.ns3.test$n.2 2>&1 || ret=1
+# Ensure the cached NS RRset is returned in a delegation, along with the
+# parent-side DS RRset.
+grep "NOERROR" dig.out.ns3.test$n.2 > /dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n.2 > /dev/null || ret=1
+grep "sub.example.*IN.*NS" dig.out.ns3.test$n.2 > /dev/null || ret=1
+grep "sub.example.*IN.*DS" dig.out.ns3.test$n.2 > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking flags set in a DNSKEY response sourced from a mirror zone ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 . DNSKEY > dig.out.ns3.test$n 2>&1 || ret=1
+# Check response code and flags in the answer.
+grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep "flags:.* aa" dig.out.ns3.test$n > /dev/null && ret=1
+grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking flags set in a SOA response sourced from a mirror zone ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 . SOA > dig.out.ns3.test$n 2>&1 || ret=1
+# Check response code and flags in the answer.
+grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep "flags:.* aa" dig.out.ns3.test$n > /dev/null && ret=1
+grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that resolution succeeds with unavailable mirror zone data ($n)"
+ret=0
+wait_for_transfer initially-unavailable
+# Query for a record in a zone that is set up to be mirrored, but
+# untransferrable from the configured primary.  Resolution should still succeed.
+$DIG $DIGOPTS @10.53.0.3 foo.initially-unavailable. A > dig.out.ns3.test$n.1 2>&1 || ret=1
+# Check response code and flags in the answer.
+grep "NOERROR" dig.out.ns3.test$n.1 > /dev/null || ret=1
+grep "flags:.* ad" dig.out.ns3.test$n.1 > /dev/null || ret=1
+# Sanity check: the authoritative server should have been queried.
+nextpart ns2/named.run | grep "query 'foo.initially-unavailable/A/IN'" > /dev/null || ret=1
+# Reconfigure ns2 so that the zone can be mirrored on ns3.
+sed '/^zone "initially-unavailable" {$/,/^};$/ {
+	s/10.53.0.254/10.53.0.3/
+}' ns2/named.conf > ns2/named.conf.modified
+mv ns2/named.conf.modified ns2/named.conf
+rndc_reconfig ns2 10.53.0.2
+# Flush the cache on ns3 and retransfer the mirror zone.
+$RNDCCMD 10.53.0.3 flush > /dev/null 2>&1
+nextpart ns3/named.run > /dev/null
+$RNDCCMD 10.53.0.3 retransfer initially-unavailable > /dev/null 2>&1
+wait_for_transfer initially-unavailable
+# Query for the same record again.  Resolution should still succeed.
+$DIG $DIGOPTS @10.53.0.3 foo.initially-unavailable. A > dig.out.ns3.test$n.2 2>&1 || ret=1
+# Check response code and flags in the answer.
+grep "NOERROR" dig.out.ns3.test$n.2 > /dev/null || ret=1
+grep "flags:.* ad" dig.out.ns3.test$n.2 > /dev/null || ret=1
+# Ensure the authoritative server was not queried.
+nextpart ns2/named.run | grep "query 'foo.initially-unavailable/A/IN'" > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that resolution succeeds with expired mirror zone data ($n)"
+ret=0
+# Reconfigure ns2 so that the zone from the previous test can no longer be
+# mirrored on ns3.
+sed '/^zone "initially-unavailable" {$/,/^};$/ {
+	s/10.53.0.3/10.53.0.254/
+}' ns2/named.conf > ns2/named.conf.modified
+mv ns2/named.conf.modified ns2/named.conf
+rndc_reconfig ns2 10.53.0.2
+# Stop ns3, update the timestamp of the zone file to one far in the past, then
+# restart ns3.
+stop_server --use-rndc --port ${CONTROLPORT} ns3
+touch -t 200001010000 ns3/initially-unavailable.db.mirror
+nextpart ns3/named.run > /dev/null
+start_server --noclean --restart --port ${PORT} ns3
+# Ensure named attempts to retransfer the zone due to its expiry.
+wait_for_transfer initially-unavailable
+# Ensure the expected messages were logged.
+nextpartpeek ns3/named.run | grep "initially-unavailable.*expired" > /dev/null || ret=1
+nextpartpeek ns3/named.run | grep "initially-unavailable.*mirror zone is no longer in use" > /dev/null || ret=1
+# Query for a record in the expired zone.  Resolution should still succeed.
+$DIG $DIGOPTS @10.53.0.3 foo.initially-unavailable. A > dig.out.ns3.test$n 2>&1 || ret=1
+# Check response code and flags in the answer.
+grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1
+# Sanity check: the authoritative server should have been queried.
+nextpart ns2/named.run | grep "query 'foo.initially-unavailable/A/IN'" > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that clients without cache access cannot retrieve mirror zone data ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 -b 10.53.0.3 +norec . SOA > dig.out.ns3.test$n 2>&1 || ret=1
+# Check response code and flags in the answer.
+grep "REFUSED" dig.out.ns3.test$n > /dev/null || ret=1
+grep "flags:.* ad" dig.out.ns3.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that outgoing transfers of mirror zones are disabled by default ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 . AXFR > dig.out.ns3.test$n 2>&1 || ret=1
+grep "; Transfer failed" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that notifies are disabled by default for mirror zones ($n)"
+ret=0
+grep "initially-unavailable.*sending notifies" ns3/named.run > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking output of \"rndc zonestatus\" for a mirror zone ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 zonestatus . > rndc.out.ns3.test$n 2>&1
+grep "type: mirror" rndc.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that \"rndc reconfig\" properly handles a mirror -> secondary zone type change ($n)"
+ret=0
+# Sanity check before we start.
+$DIG $DIGOPTS @10.53.0.3 +norec verify-reconfig SOA > dig.out.ns3.test$n.1 2>&1 || ret=1
+grep "NOERROR" dig.out.ns3.test$n.1 > /dev/null || ret=1
+grep "flags:.* aa" dig.out.ns3.test$n.1 > /dev/null && ret=1
+grep "flags:.* ad" dig.out.ns3.test$n.1 > /dev/null || ret=1
+# Reconfigure the zone so that it is no longer a mirror zone.
+# (NOTE: Keep the embedded newline in the sed function list below.)
+sed '/^zone "verify-reconfig" {$/,/^};$/ {
+	s/type mirror;/type secondary;/
+}' ns3/named.conf > ns3/named.conf.modified
+mv ns3/named.conf.modified ns3/named.conf
+nextpart ns3/named.run > /dev/null
+rndc_reconfig ns3 10.53.0.3
+# Zones whose type was changed should not be reusable, which means the tested
+# zone should have been reloaded from disk.
+wait_for_load verify-reconfig ${ORIGINAL_SERIAL} ns3/named.run
+# Ensure responses sourced from the reconfigured zone have AA=1 and AD=0.
+$DIG $DIGOPTS @10.53.0.3 +norec verify-reconfig SOA > dig.out.ns3.test$n.2 2>&1 || ret=1
+grep "NOERROR" dig.out.ns3.test$n.2 > /dev/null || ret=1
+grep "flags:.* aa" dig.out.ns3.test$n.2 > /dev/null || ret=1
+grep "flags:.* ad" dig.out.ns3.test$n.2 > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that \"rndc reconfig\" properly handles a secondary -> mirror zone type change ($n)"
+ret=0
+# Put an incorrectly signed version of the zone in the zone file used by ns3.
+nextpart ns3/named.run > /dev/null
+cat ns2/verify-reconfig.db.bad.signed > ns3/verify-reconfig.db.mirror
+# Reconfigure the zone so that it is a mirror zone again.
+# (NOTE: Keep the embedded newline in the sed function list below.)
+sed '/^zone "verify-reconfig" {$/,/^};$/ {
+	s/type secondary;/type mirror;/
+}' ns3/named.conf > ns3/named.conf.modified
+mv ns3/named.conf.modified ns3/named.conf
+rndc_reconfig ns3 10.53.0.3
+# The reconfigured zone should fail verification.
+wait_for_load verify-reconfig ${UPDATED_SERIAL_BAD} ns3/named.run
+$DIG $DIGOPTS @10.53.0.3 +norec verify-reconfig SOA > dig.out.ns3.test$n 2>&1 || ret=1
+grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1
+nextpart ns3/named.run | grep "No correct ${DEFAULT_ALGORITHM} signature for verify-reconfig SOA" > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that a mirror zone can be added using rndc ($n)"
+ret=0
+# Sanity check: the zone should not exist in the root zone.
+$DIG $DIGOPTS @10.53.0.3 +norec verify-addzone SOA > dig.out.ns3.test$n.1 2>&1 || ret=1
+grep "NXDOMAIN" dig.out.ns3.test$n.1 > /dev/null || ret=1
+grep "flags:.* aa" dig.out.ns3.test$n.1 > /dev/null && ret=1
+grep "flags:.* ad" dig.out.ns3.test$n.1 > /dev/null || ret=1
+# Mirror a zone which does not exist in the root zone.
+nextpart ns3/named.run > /dev/null
+$RNDCCMD 10.53.0.3 addzone verify-addzone '{ type mirror; primaries { 10.53.0.2; }; };' > rndc.out.ns3.test$n 2>&1 || ret=1
+wait_for_transfer verify-addzone
+# Check whether the mirror zone was added and whether it behaves as expected.
+$DIG $DIGOPTS @10.53.0.3 +norec verify-addzone SOA > dig.out.ns3.test$n.2 2>&1 || ret=1
+grep "NOERROR" dig.out.ns3.test$n.2 > /dev/null || ret=1
+grep "flags:.* aa" dig.out.ns3.test$n.2 > /dev/null && ret=1
+grep "flags:.* ad" dig.out.ns3.test$n.2 > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that a mirror zone can be deleted using rndc ($n)"
+ret=0
+# Remove the mirror zone added in the previous test.
+nextpart ns3/named.run > /dev/null
+$RNDCCMD 10.53.0.3 delzone verify-addzone > rndc.out.ns3.test$n 2>&1 || ret=1
+wait_for_log 20 "zone verify-addzone/IN: mirror zone is no longer in use; reverting to normal recursion" ns3/named.run || ret=1
+# Check whether the mirror zone was removed.
+$DIG $DIGOPTS @10.53.0.3 +norec verify-addzone SOA > dig.out.ns3.test$n 2>&1 || ret=1
+grep "NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1
+grep "flags:.* aa" dig.out.ns3.test$n > /dev/null && ret=1
+grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/mkeys/README b/bin/tests/system/mkeys/README
new file mode 100644
index 0000000..25637bf
--- /dev/null
+++ b/bin/tests/system/mkeys/README
@@ -0,0 +1,34 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0.  If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+
+This is for testing RFC 5011 Automated Updates of DNSSEC Trust Anchors.
+
+ns1 is the root server that offers new KSKs and hosts one record for
+testing. The TTL for the zone's records is 2 seconds.
+
+ns2 is a validator that uses managed keys.  "-T mkeytimers=2/20/40"
+is used so it will attempt do automated updates frequently. "-T tat=1"
+is used so it will send TAT queries once per second.
+
+ns3 is a validator with a broken initializing key in trust-anchors.
+
+ns4 is a validator with a deliberately broken managed-keys.bind and
+managed-keys.jnl, causing RFC 5011 initialization to fail.
+
+ns5 is a validator which is prevented from getting a response from the
+root server, causing key refresh queries to fail.
+
+ns6 is a validator which has unsupported algorithms, one at start up,
+one because of an algorithm rollover.
+
+ns7 is a validator with multiple views configured.  It is used for
+testing per-view rndc commands and checking interactions between options
+related to and potentially affecting RFC 5011 processing.
diff --git a/bin/tests/system/mkeys/clean.sh b/bin/tests/system/mkeys/clean.sh
new file mode 100644
index 0000000..3f297a2
--- /dev/null
+++ b/bin/tests/system/mkeys/clean.sh
@@ -0,0 +1,33 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f */K* */*.signed */trusted.conf */*.jnl */*.bk
+rm -f */island.conf
+rm -f */private.conf
+rm -f */managed*.conf ns1/managed.key ns1/managed.key.id
+rm -f */managed-keys.bind* */named.secroots
+rm -f */named.conf
+rm -f */named.memstats */named.run */named.run.prev
+rm -f dig.out* delv.out* rndc.out* signer.out*
+rm -f dsset-. ns1/dsset-.
+rm -f ns*/managed-keys.bind*
+rm -f ns*/named.lock
+rm -f ns1/dsset-sub.tld.
+rm -f ns1/dsset-tld.
+rm -f ns1/named.secroots ns1/root.db.signed* ns1/root.db.tmp
+rm -f ns1/zone.key
+rm -f ns3/broken.conf
+rm -f ns4/dsset-sub.foo.
+rm -f ns5/named.args
+rm -f ns7/view1.mkeys ns7/view2.mkeys
+rm -rf ns4/nope
diff --git a/bin/tests/system/mkeys/ns1/named1.conf.in b/bin/tests/system/mkeys/ns1/named1.conf.in
new file mode 100644
index 0000000..6ca16e1
--- /dev/null
+++ b/bin/tests/system/mkeys/ns1/named1.conf.in
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+acl allowed {
+	! 10.53.0.5;
+	any;
+};
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify no;
+	dnssec-validation yes;
+	allow-query { allowed; };
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type primary;
+	file "root.db.signed";
+	allow-update { any; };
+	auto-dnssec maintain;
+};
+
+zone "tld" {
+	type primary;
+	file "tld.db.signed";
+};
+
+zone "sub.tld" {
+	type primary;
+	file "sub.tld.db.signed";
+};
diff --git a/bin/tests/system/mkeys/ns1/named2.conf.in b/bin/tests/system/mkeys/ns1/named2.conf.in
new file mode 100644
index 0000000..4bfb436
--- /dev/null
+++ b/bin/tests/system/mkeys/ns1/named2.conf.in
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+acl allowed {
+	! 10.53.0.5;
+	any;
+};
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify no;
+	dnssec-validation yes;
+	allow-query { allowed; };
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type primary;
+	file "root.db.signed";
+};
+
+zone "tld" {
+	type primary;
+	file "tld.db.signed";
+};
+
+zone "sub.tld" {
+	type primary;
+	file "sub.tld.db.signed";
+};
diff --git a/bin/tests/system/mkeys/ns1/named3.conf.in b/bin/tests/system/mkeys/ns1/named3.conf.in
new file mode 100644
index 0000000..aa8709b
--- /dev/null
+++ b/bin/tests/system/mkeys/ns1/named3.conf.in
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify no;
+	dnssec-validation yes;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type primary;
+	file "root.db.signed";
+};
+
+zone "tld" {
+	type primary;
+	file "tld.db.signed";
+};
+
+zone "sub.tld" {
+	type primary;
+	file "sub.tld.db.signed";
+};
diff --git a/bin/tests/system/mkeys/ns1/root.db b/bin/tests/system/mkeys/ns1/root.db
new file mode 100644
index 0000000..bc83788
--- /dev/null
+++ b/bin/tests/system/mkeys/ns1/root.db
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 20
+.                      IN SOA  gson.nominum.com. a.root.servers.nil. (
+                               2000042100      ; serial
+                               600             ; refresh
+                               600             ; retry
+                               1200            ; expire
+                               2               ; minimum
+                               )
+.                      NS      a.root-servers.nil.
+a.root-servers.nil.    A       10.53.0.1
+
+; no delegation
+
+example.               TXT     "This is a test."
+
+tld.		       NS      ns.tld.
+ns.tld.		       A       10.53.0.1
diff --git a/bin/tests/system/mkeys/ns1/sign.sh b/bin/tests/system/mkeys/ns1/sign.sh
new file mode 100644
index 0000000..fa57307
--- /dev/null
+++ b/bin/tests/system/mkeys/ns1/sign.sh
@@ -0,0 +1,94 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=sub.tld
+zonefile=sub.tld.db
+
+keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone)
+zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone)
+
+$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null
+keyfile_to_initial_ds $keyname > island.conf
+cp island.conf ../ns5/island.conf
+
+zone=tld
+zonefile=tld.db
+
+keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone)
+zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone)
+
+$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null
+
+zone=.
+zonefile=root.db
+
+keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone)
+zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone)
+
+$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null
+
+# Configure the resolving server with an initializing key.
+keyfile_to_initial_ds $keyname > managed.conf
+cp managed.conf ../ns2/managed.conf
+cp managed.conf ../ns4/managed.conf
+cp managed.conf ../ns5/managed.conf
+
+# Configure broken trust anchor for ns3
+# Rotate each nibble in the digest by -1
+$DSFROMKEY $keyname.key |
+awk '!/^; /{
+            printf "trust-anchors {\n"
+            printf "\t\""$1"\" initial-ds "
+            printf $4 " " $5 " " $6 " \""
+            for (i=7; i<=NF; i++) {
+		# rotate digest
+		digest=$i
+		gsub("0", ":", digest)
+		gsub("1", "0", digest)
+		gsub("2", "1", digest)
+		gsub("3", "2", digest)
+		gsub("4", "3", digest)
+		gsub("5", "4", digest)
+		gsub("6", "5", digest)
+		gsub("7", "6", digest)
+		gsub("8", "7", digest)
+		gsub("9", "8", digest)
+		gsub("A", "9", digest)
+		gsub("B", "A", digest)
+		gsub("C", "B", digest)
+		gsub("D", "C", digest)
+		gsub("E", "D", digest)
+		gsub("F", "E", digest)
+		gsub(":", "F", digest)
+		printf digest
+	    }
+	    printf "\";\n"
+	    printf "};\n"
+	}' > ../ns3/broken.conf
+
+# Configure a static key to be used by delv.
+keyfile_to_static_ds $keyname > trusted.conf
+
+# Prepare an unsupported algorithm key.
+unsupportedkey=Kunknown.+255+00000
+cp unsupported.key "${unsupportedkey}.key"
+
+#
+#  Save keyname and keyid for managed key id test.
+#
+echo "$keyname" > managed.key
+echo "$zskkeyname" > zone.key
+keyfile_to_key_id $keyname > managed.key.id
diff --git a/bin/tests/system/mkeys/ns1/sub.tld.db b/bin/tests/system/mkeys/ns1/sub.tld.db
new file mode 100644
index 0000000..35d4361
--- /dev/null
+++ b/bin/tests/system/mkeys/ns1/sub.tld.db
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 20
+sub.tld.               IN SOA  marka.isc.org. ns.sub.tld. (
+                               2000042100      ; serial
+                               600             ; refresh
+                               600             ; retry
+                               1200            ; expire
+                               2               ; minimum
+                               )
+sub.tld.	       NS      ns.sub.tld.
+ns.sub.tld.	       A       10.53.0.1
diff --git a/bin/tests/system/mkeys/ns1/tld.db b/bin/tests/system/mkeys/ns1/tld.db
new file mode 100644
index 0000000..5c54e0e
--- /dev/null
+++ b/bin/tests/system/mkeys/ns1/tld.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 20
+tld.                   IN SOA  marka.isc.org. ns.tld. (
+                               2000042100      ; serial
+                               600             ; refresh
+                               600             ; retry
+                               1200            ; expire
+                               2               ; minimum
+                               )
+tld.		       NS      ns.tld.
+ns.tld.		       A       10.53.0.1
+sub.tld.	       NS      ns.sub.tld.
+ns.sub.tld.	       A       10.53.0.1
diff --git a/bin/tests/system/mkeys/ns1/unsupported.key b/bin/tests/system/mkeys/ns1/unsupported.key
new file mode 100644
index 0000000..7435d03
--- /dev/null
+++ b/bin/tests/system/mkeys/ns1/unsupported.key
@@ -0,0 +1 @@
+.	IN	DNSKEY	257 3 255 BJiXuidPHuGIne8GlCBLG+Oq/FZruQd2s3uBo+SxY16NUP/Vwl8MctMK62KsblDU1gIJAdEMVep2tsOkuSm0bIbJ8NBex+N9rSvzH2YJlDCT9QnNfv4q5RRTcVA3lk9nkmWHo6zcAT33yuS+THOCSznOMCJRq8JGZ6xqMJLv9FucuK6CCe6QBAZ5e98dpyGTWQLu7AERKKFqda9YCk3KQfdzx/HZ4SpQpRLncIXvGm1PIMT8Ar95NB/BsFJGwr5ZTaQtRYOXf2DD7wD3pfMsTJCdZyC0J0EtGBG109I+Oou1cswUfqZLXip/aV3eaBAUqLcZpg8P8vAbrvEq4uMS4OMZeXL6nu0irrdS1Pqmax8RsC+x3fg9EBH3QmHroJZtiU5h+0x4qApp7HE4Z5zFRuxIp9iB
diff --git a/bin/tests/system/mkeys/ns2/named.args b/bin/tests/system/mkeys/ns2/named.args
new file mode 100644
index 0000000..2f752bd
--- /dev/null
+++ b/bin/tests/system/mkeys/ns2/named.args
@@ -0,0 +1 @@
+-m record,size,mctx -c named.conf -d 99 -D mkeys-ns2 -X named.lock -g -T maxcachesize=2097152 -T mkeytimers=5/10/20 -T tat=1
diff --git a/bin/tests/system/mkeys/ns2/named.conf.in b/bin/tests/system/mkeys/ns2/named.conf.in
new file mode 100644
index 0000000..2f823b8
--- /dev/null
+++ b/bin/tests/system/mkeys/ns2/named.conf.in
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify no;
+	dnssec-validation auto;
+	bindkeys-file "managed.conf";
+	servfail-ttl 0;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
diff --git a/bin/tests/system/mkeys/ns3/named.args b/bin/tests/system/mkeys/ns3/named.args
new file mode 100644
index 0000000..2015ee5
--- /dev/null
+++ b/bin/tests/system/mkeys/ns3/named.args
@@ -0,0 +1 @@
+-m record,size,mctx -c named.conf -d 99 -D mkeys-ns3 -X named.lock -g -T maxcachesize=2097152 -T mkeytimers=5/10/20
diff --git a/bin/tests/system/mkeys/ns3/named.conf.in b/bin/tests/system/mkeys/ns3/named.conf.in
new file mode 100644
index 0000000..d5e483f
--- /dev/null
+++ b/bin/tests/system/mkeys/ns3/named.conf.in
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify no;
+	dnssec-validation yes;
+	bindkeys-file "managed.conf";
+	trust-anchor-telemetry no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+include "broken.conf";
diff --git a/bin/tests/system/mkeys/ns4/named.conf.in b/bin/tests/system/mkeys/ns4/named.conf.in
new file mode 100644
index 0000000..f72c081
--- /dev/null
+++ b/bin/tests/system/mkeys/ns4/named.conf.in
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS4
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify no;
+	dnssec-validation auto;
+	bindkeys-file "managed.conf";
+	managed-keys-directory "nope";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "sub.foo" {
+	type primary;
+	file "sub.foo.db.signed";
+};
diff --git a/bin/tests/system/mkeys/ns4/sign.sh b/bin/tests/system/mkeys/ns4/sign.sh
new file mode 100644
index 0000000..13d7640
--- /dev/null
+++ b/bin/tests/system/mkeys/ns4/sign.sh
@@ -0,0 +1,25 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=sub.foo
+zonefile=sub.foo.db
+
+keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone)
+zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone)
+
+$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null
+keyfile_to_initial_ds $keyname > private.conf
+cp private.conf ../ns5/private.conf
diff --git a/bin/tests/system/mkeys/ns4/sub.foo.db b/bin/tests/system/mkeys/ns4/sub.foo.db
new file mode 100644
index 0000000..7bc3104
--- /dev/null
+++ b/bin/tests/system/mkeys/ns4/sub.foo.db
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 20
+sub.foo.               IN SOA  marka.isc.org. ns.foo. (
+                               2000042100      ; serial
+                               600             ; refresh
+                               600             ; retry
+                               1200            ; expire
+                               2               ; minimum
+                               )
+sub.foo.	       NS      ns.sub.foo.
+ns.sub.foo.	       A       10.53.0.4
diff --git a/bin/tests/system/mkeys/ns5/foo.db b/bin/tests/system/mkeys/ns5/foo.db
new file mode 100644
index 0000000..092a1c3
--- /dev/null
+++ b/bin/tests/system/mkeys/ns5/foo.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 20
+foo.                   IN SOA  marka.isc.org. ns.foo. (
+                               2000042100      ; serial
+                               600             ; refresh
+                               600             ; retry
+                               1200            ; expire
+                               2               ; minimum
+                               )
+foo.		       NS      ns.foo.
+ns.foo.		       A       10.53.0.5
+sub.foo.	       NS      ns.sub.foo.
+ns.sub.foo.	       A       10.53.0.4
diff --git a/bin/tests/system/mkeys/ns5/named.conf.in b/bin/tests/system/mkeys/ns5/named.conf.in
new file mode 100644
index 0000000..8af1a46
--- /dev/null
+++ b/bin/tests/system/mkeys/ns5/named.conf.in
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS5
+
+options {
+	query-source address 10.53.0.5;
+	notify-source 10.53.0.5;
+	transfer-source 10.53.0.5;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.5; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify no;
+	dnssec-validation auto;
+	bindkeys-file "managed.conf";
+	servfail-ttl 0;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "foo" {
+	type primary;
+	file "foo.db";
+};
+
+include "island.conf";
+include "private.conf";
diff --git a/bin/tests/system/mkeys/ns5/named1.args b/bin/tests/system/mkeys/ns5/named1.args
new file mode 100644
index 0000000..c4c8a55
--- /dev/null
+++ b/bin/tests/system/mkeys/ns5/named1.args
@@ -0,0 +1 @@
+-m record,size,mctx -c named.conf -d 99 -X named.lock -g -T maxcachesize=2097152
diff --git a/bin/tests/system/mkeys/ns5/named2.args b/bin/tests/system/mkeys/ns5/named2.args
new file mode 100644
index 0000000..3fd830a
--- /dev/null
+++ b/bin/tests/system/mkeys/ns5/named2.args
@@ -0,0 +1 @@
+-m record,size,mctx -c named.conf -d 99 -X named.lock -g -T maxcachesize=2097152 -T mkeytimers=2/20/40
diff --git a/bin/tests/system/mkeys/ns6/named.args b/bin/tests/system/mkeys/ns6/named.args
new file mode 100644
index 0000000..65a8fca
--- /dev/null
+++ b/bin/tests/system/mkeys/ns6/named.args
@@ -0,0 +1 @@
+-m record,size,mctx -c named.conf -d 99 -X named.lock -g -T maxcachesize=2097152 -T mkeytimers=5/10/20
diff --git a/bin/tests/system/mkeys/ns6/named.conf.in b/bin/tests/system/mkeys/ns6/named.conf.in
new file mode 100644
index 0000000..ff8137a
--- /dev/null
+++ b/bin/tests/system/mkeys/ns6/named.conf.in
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS6
+
+options {
+	query-source address 10.53.0.6;
+	notify-source 10.53.0.6;
+	transfer-source 10.53.0.6;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.6; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify no;
+	dnssec-validation yes;
+	trust-anchor-telemetry no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+include "managed.conf";
diff --git a/bin/tests/system/mkeys/ns6/setup.sh b/bin/tests/system/mkeys/ns6/setup.sh
new file mode 100644
index 0000000..1bfdc7f
--- /dev/null
+++ b/bin/tests/system/mkeys/ns6/setup.sh
@@ -0,0 +1,34 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=.
+zonefile=root.db
+
+# a key for a trust island
+islandkey=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk island.)
+
+# a key with unsupported algorithm
+unsupportedkey=Kunknown.+255+00000
+cp unsupported-managed.key "${unsupportedkey}.key"
+
+# root key
+rootkey=$(cat ../ns1/managed.key)
+cp "../ns1/${rootkey}.key" .
+
+# Configure the resolving server with an initializing key.
+# (We use key-format trust anchors here because otherwise the
+# unsupported algorithm test won't work.)
+keyfile_to_initial_keys $unsupportedkey $islandkey $rootkey > managed.conf
diff --git a/bin/tests/system/mkeys/ns6/unsupported-managed.key b/bin/tests/system/mkeys/ns6/unsupported-managed.key
new file mode 100644
index 0000000..be872a0
--- /dev/null
+++ b/bin/tests/system/mkeys/ns6/unsupported-managed.key
@@ -0,0 +1 @@
+unsupported.	IN	DNSKEY	257 3 255 BOOVAhiJDPqhfU7+yGXjhetrtC/rtjmwO1yo52BUHUd8R4hQ/ZPdYCVvQlvNkRxDblPkFM5YRXkesS30pJSoNYrg+djbMNumJrLG+lbhFIc/ahTjlYOxb1zm2z00ubHju/1uGBifiRvKWSK0Vr0u6NtS4PKZfsnXt+piSHiRAHSfkjGHwqPYYKh9EUW12kJmIzlMaM6WYl+gJOvL+f8VqNLtvsMPT6OPK/3h/Dnfnxyeudp/jzAnNDDiTgX2XfzIXB4UwxtzIOGaHLnprpNf3zoBm0kyaEdSQQ/qKkpCOqjBasYEHRjVz3RncPUkdLr7PQuPBfFDr3SUMMJqufJrO4IJjtD4cCBT7K1i39Jg471nEzU1vkPzxF+Rw1QHT4nZaXbltf3BEZGS4Knoe9XPwi5KjGW6
diff --git a/bin/tests/system/mkeys/ns7/named.conf.in b/bin/tests/system/mkeys/ns7/named.conf.in
new file mode 100644
index 0000000..2c0d69e
--- /dev/null
+++ b/bin/tests/system/mkeys/ns7/named.conf.in
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS7
+
+options {
+	query-source address 10.53.0.7;
+	notify-source 10.53.0.7;
+	transfer-source 10.53.0.7;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.7; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify no;
+	dnssec-validation auto;
+	bindkeys-file "managed.conf";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+view view1 {
+	zone "." {
+		type hint;
+		file "../../common/root.hint";
+	};
+};
+
+view view2 {
+	zone "." {
+		type hint;
+		file "../../common/root.hint";
+	};
+};
diff --git a/bin/tests/system/mkeys/setup.sh b/bin/tests/system/mkeys/setup.sh
new file mode 100644
index 0000000..b110094
--- /dev/null
+++ b/bin/tests/system/mkeys/setup.sh
@@ -0,0 +1,45 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+
+export ALGORITHM_SET="ecc_default"
+. $SYSTEMTESTTOP/conf.sh
+
+# Ensure the selected algorithm set is okay.
+if [ "$ALGORITHM_SET" = "error" ]; then
+    echofail "Algorithm selection failed." >&2
+    exit 1
+fi
+
+copy_setports ns1/named1.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+copy_setports ns6/named.conf.in ns6/named.conf
+copy_setports ns7/named.conf.in ns7/named.conf
+
+cp ns5/named1.args ns5/named.args
+
+( cd ns1 && $SHELL sign.sh )
+( cd ns4 && $SHELL sign.sh )
+( cd ns6 && $SHELL setup.sh )
+
+cp ns2/managed.conf ns2/managed1.conf
+
+cd ns4
+mkdir nope
+touch nope/managed-keys.bind
+touch nope/managed.keys.bind.jnl
+chmod 444 nope/*
diff --git a/bin/tests/system/mkeys/tests.sh b/bin/tests/system/mkeys/tests.sh
new file mode 100644
index 0000000..5999e21
--- /dev/null
+++ b/bin/tests/system/mkeys/tests.sh
@@ -0,0 +1,885 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+SYSTEMTESTTOP=..
+export ALGORITHM_SET="ecc_default"
+#shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+dig_with_opts() (
+	"$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "${PORT}" "$@"
+)
+
+delv_with_opts() (
+	"$DELV" -a ns1/trusted.conf -p "${PORT}" "$@"
+)
+
+rndccmd() (
+	"$RNDC" -c "$SYSTEMTESTTOP/common/rndc.conf" -p "${CONTROLPORT}" -s "$@"
+)
+
+mkeys_reconfig_on() (
+	nsidx=$1
+	rndccmd "10.53.0.${nsidx}" reconfig . | sed "s/^/ns${nsidx} /" | cat_i
+)
+
+mkeys_reload_on() (
+	nsidx=$1
+	nextpart "ns${nsidx}"/named.run > /dev/null
+	rndc_reload "ns${nsidx}" "10.53.0.${nsidx}"
+	wait_for_log 20 "loaded serial" "ns${nsidx}"/named.run || return 1
+)
+
+mkeys_loadkeys_on() (
+	nsidx=$1
+	nextpart "ns${nsidx}"/named.run > /dev/null
+	rndccmd "10.53.0.${nsidx}" loadkeys . | sed "s/^/ns${nsidx} /" | cat_i
+	wait_for_log 20 "next key event" "ns${nsidx}"/named.run || return 1
+)
+
+mkeys_refresh_on() (
+	nsidx=$1
+	nextpart "ns${nsidx}"/named.run > /dev/null
+	rndccmd "10.53.0.${nsidx}" managed-keys refresh | sed "s/^/ns${nsidx} /" | cat_i
+	wait_for_log 20 "Returned from key fetch in keyfetch_done()" "ns${nsidx}"/named.run || return 1
+)
+
+mkeys_sync_on() (
+	# No race with mkeys_refresh_on() is possible as even if the latter
+	# returns immediately after the expected log message is written, the
+	# managed-keys zone is already locked and the command below calls
+	# dns_zone_flush(), which also attempts to take that zone's lock
+	nsidx=$1
+	nextpart "ns${nsidx}"/named.run > /dev/null
+	rndccmd "10.53.0.${nsidx}" managed-keys sync | sed "s/^/ns${nsidx} /" | cat_i
+	wait_for_log 20 "dump_done" "ns${nsidx}"/named.run || return 1
+)
+
+mkeys_status_on() (
+	# No race with mkeys_refresh_on() is possible as even if the latter
+	# returns immediately after the expected log message is written, the
+	# managed-keys zone is already locked and the command below calls
+	# mkey_status(), which in turn calls dns_zone_getrefreshkeytime(),
+	# which also attempts to take that zone's lock
+	nsidx=$1
+	rndccmd "10.53.0.${nsidx}" managed-keys status
+)
+
+mkeys_flush_on() (
+	nsidx=$1
+	rndccmd "10.53.0.${nsidx}" flush | sed "s/^/ns${nsidx} /" | cat_i
+)
+
+mkeys_secroots_on() (
+	nsidx=$1
+	rndccmd "10.53.0.${nsidx}" secroots | sed "s/^/ns${nsidx} /" | cat_i
+)
+
+original=$(cat ns1/managed.key)
+originalid=$(cat ns1/managed.key.id)
+
+status=0
+n=1
+
+rm -f dig.out.*
+
+echo_i "check for signed record ($n)"
+ret=0
+dig_with_opts +norec example.  @10.53.0.1 TXT > dig.out.ns1.test$n || ret=1
+grep "^example\.[[:space:]]*[0-9]*[[:space:]]*IN[[:space:]]*TXT[[:space:]]*\"This is a test\.\"" dig.out.ns1.test$n > /dev/null || ret=1
+grep "^example\.[[:space:]]*[0-9]*[[:space:]]*IN[[:space:]]*RRSIG[[:space:]]*TXT[[:space:]]" dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check positive validation with valid trust anchor ($n)"
+ret=0
+dig_with_opts +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
+grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+if [ -x "$DELV" ]; then
+	n=$((n+1))
+	ret=0
+	echo_i "check positive validation using delv ($n)"
+	delv_with_opts @10.53.0.1 txt example > delv.out$n || ret=1
+	grep "; fully validated" delv.out$n > /dev/null || ret=1	# redundant
+	grep "example..*TXT.*This is a test" delv.out$n > /dev/null || ret=1
+	grep "example..*.RRSIG..*TXT" delv.out$n > /dev/null || ret=1
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=$((status+ret))
+fi
+
+n=$((n+1))
+echo_i "check for failed validation due to wrong key in managed-keys ($n)"
+ret=0
+dig_with_opts +noauth example. @10.53.0.3 txt > dig.out.ns3.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1
+grep "example..*.RRSIG..*TXT" dig.out.ns3.test$n > /dev/null && ret=1
+grep "opcode: QUERY, status: SERVFAIL, id" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check new trust anchor can be added ($n)"
+ret=0
+standby1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk -K ns1 .)
+mkeys_loadkeys_on 1 || ret=1
+mkeys_refresh_on 2 || ret=1
+mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1
+# there should be two keys listed now
+count=$(grep -c "keyid: " rndc.out.$n) || true
+[ "$count" -eq 2 ] || ret=1
+# two lines indicating trust status
+count=$(grep -c "trust" rndc.out.$n) || true
+[ "$count" -eq 2 ] || ret=1
+# one indicates current trust
+count=$(grep -c "trusted since" rndc.out.$n) || true
+[ "$count" -eq 1 ] || ret=1
+# one indicates pending trust
+count=$(grep -c "trust pending" rndc.out.$n) || true
+[ "$count" -eq 1 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check new trust anchor can't be added with bad initial key ($n)"
+ret=0
+mkeys_refresh_on 3 || ret=1
+mkeys_status_on 3 > rndc.out.$n 2>&1 || ret=1
+# there should be one key listed now
+count=$(grep -c "keyid: " rndc.out.$n) || true
+[ "$count" -eq 1 ] || ret=1
+# one line indicating trust status
+count=$(grep -c "trust" rndc.out.$n) || true
+[ "$count" -eq 1 ] || ret=1
+# ... and the key is not trusted
+count=$(grep -c "no trust" rndc.out.$n) || true
+[ "$count" -eq 1 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "remove untrusted standby key, check timer restarts ($n)"
+ret=0
+mkeys_sync_on 2 || ret=1
+t1=$(grep "trust pending" ns2/managed-keys.bind) || true
+$SETTIME -D now -K ns1 "$standby1" > /dev/null
+mkeys_loadkeys_on 1 || ret=1
+# Less than a second may have passed since the last time ns2 received a
+# ./DNSKEY response from ns1.  Ensure keys are refreshed at a different
+# timestamp to prevent false negatives caused by the acceptance timer getting
+# reset to the same timestamp.
+sleep 1
+mkeys_refresh_on 2 || ret=1
+mkeys_sync_on 2 || ret=1
+t2=$(grep "trust pending" ns2/managed-keys.bind) || true
+# trust pending date must be different
+[ -n "$t2" ] || ret=1
+[ "$t1" = "$t2" ] && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+ret=0
+echo_i "restore untrusted standby key, revoke original key ($n)"
+t1=$t2
+$SETTIME -D none -K ns1 "$standby1" > /dev/null
+$SETTIME -R now -K ns1 "$original" > /dev/null
+mkeys_loadkeys_on 1 || ret=1
+# Less than a second may have passed since the last time ns2 received a
+# ./DNSKEY response from ns1.  Ensure keys are refreshed at a different
+# timestamp to prevent false negatives caused by the acceptance timer getting
+# reset to the same timestamp.
+sleep 1
+mkeys_refresh_on 2 || ret=1
+mkeys_sync_on 2 || ret=1
+mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1
+# two keys listed
+count=$(grep -c "keyid: " rndc.out.$n) || true
+[ "$count" -eq 2 ] || ret=1
+# two lines indicating trust status
+count=$(grep -c "trust" rndc.out.$n) || true
+[ "$count" -eq 2 ] || ret=1
+# trust is revoked
+count=$(grep -c "trust revoked" rndc.out.$n) || true
+[ "$count" -eq 1 ] || ret=1
+# removal scheduled
+count=$(grep -c "remove at" rndc.out.$n) || true
+[ "$count" -eq 1 ] || ret=1
+# trust is still pending on the standby key
+count=$(grep -c "trust pending" rndc.out.$n) || true
+[ "$count" -eq 1 ] || ret=1
+# pending date moved forward for the standby key
+t2=$(grep "trust pending" ns2/managed-keys.bind) || true
+[ -n "$t2" ] || ret=1
+[ "$t1" = "$t2" ] && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+ret=0
+echo_i "refresh managed-keys, ensure same result ($n)"
+t1=$t2
+# Less than a second may have passed since the last time ns2 received a
+# ./DNSKEY response from ns1.  Ensure keys are refreshed at a different
+# timestamp to prevent false negatives caused by the acceptance timer getting
+# reset to the same timestamp.
+sleep 1
+mkeys_refresh_on 2 || ret=1
+mkeys_sync_on 2 || ret=1
+mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1
+# two keys listed
+count=$(grep -c "keyid: " rndc.out.$n) || true
+[ "$count" -eq 2 ] || ret=1
+# two lines indicating trust status
+count=$(grep -c "trust" rndc.out.$n) || true
+[ "$count" -eq 2 ] || ret=1
+# trust is revoked
+count=$(grep -c "trust revoked" rndc.out.$n) || true
+[ "$count" -eq 1 ] || ret=1
+# removal scheduled
+count=$(grep -c "remove at" rndc.out.$n) || true
+[ "$count" -eq 1 ] || ret=1
+# trust is still pending on the standby key
+count=$(grep -c "trust pending" rndc.out.$n) || true
+[ "$count" -eq 1 ] || ret=1
+# pending date moved forward for the standby key
+t2=$(grep "trust pending" ns2/managed-keys.bind) || true
+[ -n "$t2" ] || ret=1
+[ "$t1" = "$t2" ] && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+ret=0
+echo_i "restore revoked key, ensure same result ($n)"
+t1=$t2
+$SETTIME -R none -D now -K ns1 "$original" > /dev/null
+mkeys_loadkeys_on 1 || ret=1
+$SETTIME -D none -K ns1 "$original" > /dev/null
+mkeys_loadkeys_on 1 || ret=1
+# Less than a second may have passed since the last time ns2 received a
+# ./DNSKEY response from ns1.  Ensure keys are refreshed at a different
+# timestamp to prevent false negatives caused by the acceptance timer getting
+# reset to the same timestamp.
+sleep 1
+mkeys_refresh_on 2 || ret=1
+mkeys_sync_on 2 || ret=1
+mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1
+# two keys listed
+count=$(grep -c "keyid: " rndc.out.$n) || true
+[ "$count" -eq 2 ] || ret=1
+# two lines indicating trust status
+count=$(grep -c "trust" rndc.out.$n) || true
+[ "$count" -eq 2 ] || ret=1
+# trust is revoked
+count=$(grep -c "trust revoked" rndc.out.$n) || true
+[ "$count" -eq 1 ] || ret=1
+# removal scheduled
+count=$(grep -c "remove at" rndc.out.$n) || true
+[ "$count" -eq 1 ] || ret=1
+# trust is still pending on the standby key
+count=$(grep -c "trust pending" rndc.out.$n) || true
+[ "$count" -eq 1 ] || ret=1
+# pending date moved forward for the standby key
+t2=$(grep "trust pending" ns2/managed-keys.bind) || true
+[ -n "$t2" ] || ret=1
+[ "$t1" = "$t2" ] && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "reinitialize trust anchors, add second key to bind.keys"
+stop_server --use-rndc --port "${CONTROLPORT}" ns2
+rm -f ns2/managed-keys.bind*
+keyfile_to_initial_ds ns1/"$original" ns1/"$standby1" > ns2/managed.conf
+nextpart ns2/named.run > /dev/null
+start_server --noclean --restart --port "${PORT}" ns2
+
+n=$((n+1))
+echo_i "check that no key from bind.keys is marked as an initializing key ($n)"
+ret=0
+wait_for_log 20 "Returned from key fetch in keyfetch_done()" ns2/named.run || ret=1
+mkeys_secroots_on 2 || ret=1
+grep '; initializing' ns2/named.secroots > /dev/null 2>&1 && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "reinitialize trust anchors, revert to one key in bind.keys"
+stop_server --use-rndc --port "${CONTROLPORT}" ns2
+rm -f ns2/managed-keys.bind*
+mv ns2/managed1.conf ns2/managed.conf
+nextpart ns2/named.run > /dev/null
+start_server --noclean --restart --port "${PORT}" ns2
+
+n=$((n+1))
+echo_i "check that standby key is now trusted ($n)"
+ret=0
+wait_for_log 20 "Returned from key fetch in keyfetch_done()" ns2/named.run || ret=1
+mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1
+# two keys listed
+count=$(grep -c "keyid: " rndc.out.$n) || true
+[ "$count" -eq 2 ] || ret=1
+# two lines indicating trust status
+count=$(grep -c "trust" rndc.out.$n) || true
+[ "$count" -eq 2 ] || ret=1
+# both indicate current trust
+count=$(grep -c "trusted since" rndc.out.$n) || true
+[ "$count" -eq 2 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "revoke original key, add new standby ($n)"
+ret=0
+standby2=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk -K ns1 .)
+$SETTIME -R now -K ns1 "$original" > /dev/null
+mkeys_loadkeys_on 1 || ret=1
+mkeys_refresh_on 2 || ret=1
+mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1
+# three keys listed
+count=$(grep -c "keyid: " rndc.out.$n) || true
+[ "$count" -eq 3 ] || ret=1
+# one is revoked
+count=$(grep -c "REVOKE" rndc.out.$n) || true
+[ "$count" -eq 1 ] || ret=1
+# three lines indicating trust status
+count=$(grep -c "trust" rndc.out.$n) || true
+[ "$count" -eq 3 ] || ret=1
+# one indicates current trust
+count=$(grep -c "trusted since" rndc.out.$n) || true
+[ "$count" -eq 1 ] || ret=1
+# one indicates revoked trust
+count=$(grep -c "trust revoked" rndc.out.$n) || true
+[ "$count" -eq 1 ] || ret=1
+# one indicates trust pending
+count=$(grep -c "trust pending" rndc.out.$n) || true
+[ "$count" -eq 1 ] || ret=1
+# removal scheduled
+count=$(grep -c "remove at" rndc.out.$n) || true
+[ "$count" -eq 1 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "revoke standby before it is trusted ($n)"
+ret=0
+standby3=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk -K ns1 .)
+mkeys_loadkeys_on 1 || ret=1
+mkeys_refresh_on 2 || ret=1
+mkeys_status_on 2 > rndc.out.1.$n 2>&1 || ret=1
+# four keys listed
+count=$(grep -c "keyid: " rndc.out.1.$n) || true
+[ "$count" -eq 4 ] || { echo_i "keyid: count ($count) != 4"; ret=1; }
+# one revoked
+count=$(grep -c "trust revoked" rndc.out.1.$n) || true
+[ "$count" -eq 1 ] || { echo_i "trust revoked count ($count) != 1"; ret=1; }
+# two pending
+count=$(grep -c "trust pending" rndc.out.1.$n) || true
+[ "$count" -eq 2 ] || { echo_i "trust pending count ($count) != 2"; ret=1; }
+$SETTIME -R now -K ns1 "$standby3" > /dev/null
+mkeys_loadkeys_on 1 || ret=1
+mkeys_refresh_on 2 || ret=1
+mkeys_status_on 2 > rndc.out.2.$n 2>&1 || ret=1
+# now three keys listed
+count=$(grep -c "keyid: " rndc.out.2.$n) || true
+[ "$count" -eq 3 ] || { echo_i "keyid: count ($count) != 3"; ret=1; }
+# one revoked
+count=$(grep -c "trust revoked" rndc.out.2.$n) || true
+[ "$count" -eq 1 ] || { echo_i "trust revoked count ($count) != 1"; ret=1; }
+# one pending
+count=$(grep -c "trust pending" rndc.out.2.$n) || true
+[ "$count" -eq 1 ] || { echo_i "trust pending count ($count) != 1"; ret=1; }
+$SETTIME -D now -K ns1 "$standby3" > /dev/null
+mkeys_loadkeys_on 1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "wait 20 seconds for key add/remove holddowns to expire ($n)"
+ret=0
+sleep 20
+mkeys_refresh_on 2 || ret=1
+mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1
+# two keys listed
+count=$(grep -c "keyid: " rndc.out.$n) || true
+[ "$count" -eq 2 ] || ret=1
+# none revoked
+count=$(grep -c "REVOKE" rndc.out.$n) || true
+[ "$count" -eq 0 ] || ret=1
+# two lines indicating trust status
+count=$(grep -c "trust" rndc.out.$n) || true
+[ "$count" -eq 2 ] || ret=1
+# both indicate current trust
+count=$(grep -c "trusted since" rndc.out.$n) || true
+[ "$count" -eq 2 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "revoke all keys, confirm roll to insecure ($n)"
+ret=0
+$SETTIME -D now -K ns1 "$original" > /dev/null
+$SETTIME -R now -K ns1 "$standby1" > /dev/null
+$SETTIME -R now -K ns1 "$standby2" > /dev/null
+mkeys_loadkeys_on 1 || ret=1
+mkeys_refresh_on 2 || ret=1
+mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1
+# two keys listed
+count=$(grep -c "keyid: " rndc.out.$n) || true
+[ "$count" -eq 2 ] || ret=1
+# both revoked
+count=$(grep -c "REVOKE" rndc.out.$n) || true
+[ "$count" -eq 2 ] || ret=1
+# two lines indicating trust status
+count=$(grep -c "trust" rndc.out.$n) || true
+[ "$count" -eq 2 ] || ret=1
+# both indicate trust revoked
+count=$(grep -c "trust revoked" rndc.out.$n) || true
+[ "$count" -eq 2 ] || ret=1
+# both have removal scheduled
+count=$(grep -c "remove at" rndc.out.$n) || true
+[ "$count" -eq 2 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check for insecure response ($n)"
+ret=0
+mkeys_refresh_on 2 || ret=1
+dig_with_opts +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1
+grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "reset the root server ($n)"
+ret=0
+$SETTIME -D none -R none -K ns1 "$original" > /dev/null
+$SETTIME -D now -K ns1 "$standby1" > /dev/null
+$SETTIME -D now -K ns1 "$standby2" > /dev/null
+sleep 1 # ensure modification time changes
+$SIGNER -Sg -K ns1 -N unixtime -o . ns1/root.db > /dev/null 2>/dev/null
+copy_setports ns1/named2.conf.in ns1/named.conf
+rm -f ns1/root.db.signed.jnl
+mkeys_reconfig_on 1 || ret=1
+mkeys_reload_on 1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "reinitialize trust anchors"
+stop_server --use-rndc --port "${CONTROLPORT}" ns2
+rm -f ns2/managed-keys.bind*
+nextpart ns2/named.run > /dev/null
+start_server --noclean --restart --port "${PORT}" ns2
+
+n=$((n+1))
+echo_i "check positive validation ($n)"
+ret=0
+wait_for_log 20 "Returned from key fetch in keyfetch_done()" ns2/named.run || ret=1
+dig_with_opts +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
+grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "revoke key with bad signature, check revocation is ignored ($n)"
+ret=0
+revoked=$($REVOKE -K ns1 "$original")
+rkeyid=$(keyfile_to_key_id "$revoked")
+rm -f ns1/root.db.signed.jnl
+# We need to activate at least one valid DNSKEY to prevent dnssec-signzone from
+# failing.  Alternatively, we could use -P to disable post-sign verification,
+# but we actually do want post-sign verification to happen to ensure the zone
+# is correct before we break it on purpose.
+$SETTIME -R none -D none -K ns1 "$standby1" > /dev/null
+$SIGNER -Sg -K ns1 -N unixtime -O full -o . -f signer.out.$n ns1/root.db > /dev/null 2>/dev/null
+cp -f ns1/root.db.signed ns1/root.db.tmp
+BADSIG="SVn2tLDzpNX2rxR4xRceiCsiTqcWNKh7NQ0EQfCrVzp9WEmLw60sQ5kP xGk4FS/xSKfh89hO2O/H20Bzp0lMdtr2tKy8IMdU/mBZxQf2PXhUWRkg V2buVBKugTiOPTJSnaqYCN3rSfV1o7NtC1VNHKKK/D5g6bpDehdn5Gaq kpBhN+MSCCh9OZP2IT20luS1ARXxLlvuSVXJ3JYuuhTsQXUbX/SQpNoB Lo6ahCE55szJnmAxZEbb2KOVnSlZRA6ZBHDhdtO0S4OkvcmTutvcVV+7 w53CbKdaXhirvHIh0mZXmYk2PbPLDY7PU9wSH40UiWPOB9f00wwn6hUe uEQ1Qg=="
+# Less than a second may have passed since ns1 was started.  If we call
+# dnssec-signzone immediately, ns1/root.db.signed will not be reloaded by the
+# subsequent "rndc reload ." call on platforms which do not set the
+# "nanoseconds" field of isc_time_t, due to zone load time being seemingly
+# equal to master file modification time.
+sleep 1
+sed -e "/ $rkeyid \./s, \. .*$, . $BADSIG," signer.out.$n > ns1/root.db.signed
+mkeys_reload_on 1 || ret=1
+mkeys_refresh_on 2 || ret=1
+mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1
+# one key listed
+count=$(grep -c "keyid: " rndc.out.$n) || true
+[ "$count" -eq 1 ] || { echo_i "'keyid:' count ($count) != 1"; ret=1; }
+# it's the original key id
+count=$(grep -c "keyid: $originalid" rndc.out.$n) || true
+[ "$count" -eq 1 ] || { echo_i "'keyid: $originalid' count ($count) != 1"; ret=1; }
+# not revoked
+count=$(grep -c "REVOKE" rndc.out.$n) || true
+[ "$count" -eq 0 ] || { echo_i "'REVOKE' count ($count) != 0"; ret=1; }
+# trust is still current
+count=$(grep -c "trust" rndc.out.$n) || true
+[ "$count" -eq 1 ] || { echo_i "'trust' count != 1"; ret=1; }
+count=$(grep -c "trusted since" rndc.out.$n) || true
+[ "$count" -eq 1 ] || { echo_i "'trusted since' count != 1"; ret=1; }
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check validation fails with bad DNSKEY rrset ($n)"
+ret=0
+mkeys_flush_on 2 || ret=1
+dig_with_opts +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
+grep "status: SERVFAIL" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "restore DNSKEY rrset, check validation succeeds again ($n)"
+ret=0
+rm -f "${revoked}".key "${revoked}".private
+rm -f ns1/root.db.signed.jnl
+$SETTIME -D none -R none -K ns1 "$original" > /dev/null
+$SETTIME -D now -K ns1 "$standby1" > /dev/null
+# Less than a second may have passed since ns1 was started.  If we call
+# dnssec-signzone immediately, ns1/root.db.signed will not be reloaded by the
+# subsequent "rndc reload ." call on platforms which do not set the
+# "nanoseconds" field of isc_time_t, due to zone load time being seemingly
+# equal to master file modification time.
+sleep 1
+$SIGNER -Sg -K ns1 -N unixtime -o . ns1/root.db > /dev/null 2>/dev/null
+mkeys_reload_on 1 || ret=1
+mkeys_flush_on 2 || ret=1
+dig_with_opts +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
+grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+if [ ! "$CYGWIN" ]; then
+	n=$((n+1))
+	echo_i "reset the root server with no keys, check for minimal update ($n)"
+	ret=0
+	# Refresh keys first to prevent previous checks from influencing this one.
+	# Note that we might still get occasional false negatives on some really slow
+	# machines, when $t1 equals $t2 due to the time elapsed between "rndc
+	# managed-keys status" calls being equal to the normal active refresh period
+	# (as calculated per rules listed in RFC 5011 section 2.3) minus an "hour" (as
+	# set using -T mkeytimers).
+	mkeys_refresh_on 2 || ret=1
+	mkeys_status_on 2 > rndc.out.1.$n 2>&1 || ret=1
+	t1=$(grep 'next refresh:' rndc.out.1.$n) || true
+	stop_server --use-rndc --port "${CONTROLPORT}" ns1
+	rm -f ns1/root.db.signed.jnl
+	cp ns1/root.db ns1/root.db.signed
+	nextpart ns1/named.run > /dev/null
+	start_server --noclean --restart --port "${PORT}" ns1
+	wait_for_log 20 "all zones loaded" ns1/named.run || ret=1
+	mkeys_refresh_on 2 || ret=1
+	mkeys_status_on 2 > rndc.out.2.$n 2>&1 || ret=1
+	# one key listed
+	count=$(grep -c "keyid: " rndc.out.2.$n) || true
+	[ "$count" -eq 1 ] || ret=1
+	# it's the original key id
+	count=$(grep -c "keyid: $originalid" rndc.out.2.$n) || true
+	[ "$count" -eq 1 ] || ret=1
+	# not revoked
+	count=$(grep -c "REVOKE" rndc.out.2.$n) || true
+	[ "$count" -eq 0 ] || ret=1
+	# trust is still current
+	count=$(grep -c "trust" rndc.out.2.$n) || true
+	[ "$count" -eq 1 ] || ret=1
+	count=$(grep -c "trusted since" rndc.out.2.$n) || true
+	[ "$count" -eq 1 ] || ret=1
+	t2=$(grep 'next refresh:' rndc.out.2.$n) || true
+	[ "$t1" = "$t2" ] && ret=1
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=$((status+ret))
+fi
+
+n=$((n+1))
+echo_i "reset the root server with no signatures, check for minimal update ($n)"
+ret=0
+# Refresh keys first to prevent previous checks from influencing this one
+mkeys_refresh_on 2 || ret=1
+mkeys_status_on 2 > rndc.out.1.$n 2>&1 || ret=1
+t1=$(grep 'next refresh:' rndc.out.1.$n) || true
+stop_server --use-rndc --port "${CONTROLPORT}" ns1
+rm -f ns1/root.db.signed.jnl
+cat ns1/K*.key >> ns1/root.db.signed
+nextpart ns1/named.run > /dev/null
+start_server --noclean --restart --port "${PORT}" ns1
+wait_for_log 20 "all zones loaded" ns1/named.run || ret=1
+# Less than a second may have passed since the last time ns2 received a
+# ./DNSKEY response from ns1.  Ensure keys are refreshed at a different
+# timestamp to prevent minimal update from resetting it to the same timestamp.
+sleep 1
+mkeys_refresh_on 2 || ret=1
+mkeys_status_on 2 > rndc.out.2.$n 2>&1 || ret=1
+# one key listed
+count=$(grep -c "keyid: " rndc.out.2.$n) || true
+[ "$count" -eq 1 ] || ret=1
+# it's the original key id
+count=$(grep -c "keyid: $originalid" rndc.out.2.$n) || true
+[ "$count" -eq 1 ] || ret=1
+# not revoked
+count=$(grep -c "REVOKE" rndc.out.2.$n) || true
+[ "$count" -eq 0 ] || ret=1
+# trust is still current
+count=$(grep -c "trust" rndc.out.2.$n) || true
+[ "$count" -eq 1 ] || ret=1
+count=$(grep -c "trusted since" rndc.out.2.$n) || true
+[ "$count" -eq 1 ] || ret=1
+t2=$(grep 'next refresh:' rndc.out.2.$n) || true
+[ "$t1" = "$t2" ] && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "restore root server, check validation succeeds again ($n)"
+ret=0
+rm -f ns1/root.db.signed.jnl
+$SIGNER -Sg -K ns1 -N unixtime -o . ns1/root.db > /dev/null 2>/dev/null
+mkeys_reload_on 1 || ret=1
+mkeys_refresh_on 2 || ret=1
+mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1
+dig_with_opts +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
+grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check that trust-anchor-telemetry queries are logged ($n)"
+ret=0
+grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/NULL" ns2/named.run > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check that trust-anchor-telemetry queries are received ($n)"
+ret=0
+grep "query '_ta-[0-9a-f][0-9a-f]*/NULL/IN' approved" ns1/named.run > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check 'rndc-managed-keys destroy' ($n)"
+ret=0
+rndccmd 10.53.0.2 managed-keys destroy | sed 's/^/ns2 /' | cat_i
+mkeys_status_on 2 > rndc.out.1.$n 2>&1 || ret=1
+grep "no views with managed keys" rndc.out.1.$n > /dev/null || ret=1
+mkeys_reconfig_on 2 || ret=1
+check_root_trust_anchor_is_present_in_status() {
+	mkeys_status_on 2 > rndc.out.2.$n 2>&1 || return 1
+	grep "name: \." rndc.out.2.$n > /dev/null || return 1
+	return 0
+}
+retry_quiet 5 check_root_trust_anchor_is_present_in_status || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check that trust-anchor-telemetry queries contain the correct key ($n)"
+ret=0
+# convert the hexadecimal key from the TAT query into decimal and
+# compare against the known key.
+tathex=$(grep "query '_ta-[0-9a-f][0-9a-f]*/NULL/IN' approved" ns1/named.run | awk '{print $6; exit 0}' | sed -e 's/(_ta-\([0-9a-f][0-9a-f]*\)):/\1/') || true
+tatkey=$($PERL -e 'printf("%d\n", hex(@ARGV[0]));' "$tathex")
+realkey=$(rndccmd 10.53.0.2 secroots - | sed -n "s#.*${DEFAULT_ALGORITHM}/\([0-9][0-9]*\) ; .*managed.*#\1#p")
+[ "$tatkey" -eq "$realkey" ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check initialization fails if managed-keys can't be created ($n)"
+ret=0
+mkeys_secroots_on 4 || ret=1
+grep '; initializing managed' ns4/named.secroots > /dev/null 2>&1 || ret=1
+grep '; managed' ns4/named.secroots > /dev/null 2>&1 && ret=1
+grep '; trusted' ns4/named.secroots > /dev/null 2>&1 && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check failure to contact root servers does not prevent key refreshes after restart ($n)"
+ret=0
+# By the time we get here, ns5 should have attempted refreshing its managed
+# keys.  These attempts should fail as ns1 is configured to REFUSE all queries
+# from ns5.  Note that named1.args does not contain "-T mkeytimers"; this is to
+# ensure key refresh retry will be scheduled to one actual hour after the first
+# key refresh failure instead of just a few seconds, in order to prevent races
+# between the next scheduled key refresh time and startup time of restarted ns5.
+stop_server --use-rndc --port "${CONTROLPORT}" ns5
+nextpart ns5/named.run > /dev/null
+start_server --noclean --restart --port "${PORT}" ns5
+wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for '.':" ns5/named.run || ret=1
+wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.tld':" ns5/named.run || ret=1
+wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.foo':" ns5/named.run || ret=1
+# ns5/named.run will contain logs from both the old instance and the new
+# instance.  In order for the test to pass, both must attempt a fetch.
+count=$(grep -c "Creating key fetch" ns5/named.run) || true
+[ "$count" -lt 2 ] && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check 'rndc managed-keys' and islands of trust root unreachable ($n)"
+ret=0
+mkeys_sync_on 5
+mkeys_status_on 5 > rndc.out.$n 2>&1 || ret=1
+# there should be three keys listed now
+count=$(grep -c "keyid: " rndc.out.$n) || true
+[ "$count" -eq 3 ] || ret=1
+# three lines indicating trust status
+count=$(grep -c "trust" rndc.out.$n) || true
+[ "$count" -eq 3 ] || ret=1
+# one indicates current trust
+count=$(grep -c "trusted since" rndc.out.$n) || true
+[ "$count" -eq 1 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check key refreshes are resumed after root servers become available ($n)"
+ret=0
+stop_server --use-rndc --port "${CONTROLPORT}" ns5
+# Prevent previous check from affecting this one
+rm -f ns5/managed-keys.bind*
+# named2.args adds "-T mkeytimers=2/20/40" to named1.args as we need to wait for
+# an "hour" until keys are refreshed again after initial failure
+cp ns5/named2.args ns5/named.args
+nextpart ns5/named.run > /dev/null
+start_server --noclean --restart --port "${PORT}" ns5
+wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for '.': failure" ns5/named.run || ret=1
+wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.tld': failure" ns5/named.run || ret=1
+wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.foo': success" ns5/named.run || ret=1
+mkeys_secroots_on 5 || ret=1
+grep '; initializing managed' ns5/named.secroots > /dev/null 2>&1 || ret=1
+# ns1 should still REFUSE queries from ns5, so resolving should be impossible
+dig_with_opts +noauth example. @10.53.0.5 txt > dig.out.ns5.a.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns5.a.test$n > /dev/null && ret=1
+grep "example..*.RRSIG..*TXT" dig.out.ns5.a.test$n > /dev/null && ret=1
+grep "status: SERVFAIL" dig.out.ns5.a.test$n > /dev/null || ret=1
+# Allow queries from ns5 to ns1
+copy_setports ns1/named3.conf.in ns1/named.conf
+rm -f ns1/root.db.signed.jnl
+nextpart ns5/named.run > /dev/null
+mkeys_reconfig_on 1 || ret=1
+wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for '.': success" ns5/named.run || ret=1
+wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.tld': success" ns5/named.run || ret=1
+wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.foo': success" ns5/named.run || ret=1
+mkeys_secroots_on 5 || ret=1
+grep '; managed' ns5/named.secroots > /dev/null || ret=1
+# ns1 should not longer REFUSE queries from ns5, so managed keys should be
+# correctly refreshed and resolving should succeed
+dig_with_opts +noauth example. @10.53.0.5 txt > dig.out.ns5.b.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns5.b.test$n > /dev/null || ret=1
+grep "example..*.RRSIG..*TXT" dig.out.ns5.b.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns5.b.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "reinitialize trust anchors, add unsupported algorithm ($n)"
+ret=0
+stop_server --use-rndc --port "${CONTROLPORT}" ns6
+rm -f ns6/managed-keys.bind*
+nextpart ns6/named.run > /dev/null
+start_server --noclean --restart --port "${PORT}" ns6
+# log when an unsupported algorithm is encountered during startup
+wait_for_log 20 "ignoring initial-key for 'unsupported.': algorithm is unsupported" ns6/named.run || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "ignoring unsupported algorithm in managed-keys ($n)"
+ret=0
+mkeys_status_on 6 > rndc.out.$n 2>&1 || ret=1
+# there should still be only two keys listed (for . and island.)
+count=$(grep -c "keyid: " rndc.out.$n) || true
+[ "$count" -eq 2 ] || ret=1
+# two lines indicating trust status
+count=$(grep -c "trust" rndc.out.$n) || true
+[ "$count" -eq 2 ] || ret=1
+
+n=$((n+1))
+echo_i "introduce unsupported algorithm rollover in authoritative zone ($n)"
+ret=0
+cp ns1/root.db ns1/root.db.orig
+ksk=$(cat ns1/managed.key)
+zsk=$(cat ns1/zone.key)
+cat "ns1/${ksk}.key" "ns1/${zsk}.key" ns1/unsupported.key >> ns1/root.db
+grep "\.[[:space:]]*IN[[:space:]]*DNSKEY[[:space:]]*257 3 255" ns1/root.db > /dev/null || ret=1
+$SIGNER -K ns1 -N unixtime -o . ns1/root.db "$ksk" "$zsk" > /dev/null 2>/dev/null || ret=1
+grep "DNSKEY.*257 3 255" ns1/root.db.signed > /dev/null || ret=1
+cp ns1/root.db.orig ns1/root.db
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "ignoring unsupported algorithm in rollover ($n)"
+ret=0
+mkeys_reload_on 1 || ret=1
+mkeys_refresh_on 6 || ret=1
+mkeys_status_on 6 > rndc.out.$n 2>&1 || ret=1
+# there should still be only two keys listed (for . and island.)
+count=$(grep -c "keyid: " rndc.out.$n) || true
+[ "$count" -eq 2 ] || ret=1
+# two lines indicating trust status
+count=$(grep -c "trust" rndc.out.$n) || true
+[ "$count" -eq 2 ] || ret=1
+# log when an unsupported algorithm is encountered during rollover
+wait_for_log 20 "Cannot compute tag for key in zone .: algorithm is unsupported" ns6/named.run || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check 'rndc managed-keys' and views ($n)"
+ret=0
+rndccmd 10.53.0.7 managed-keys refresh in view1 > rndc.out.ns7.view1.test$n || ret=1
+grep "refreshing managed keys for 'view1'" rndc.out.ns7.view1.test$n > /dev/null || ret=1
+lines=$(wc -l < rndc.out.ns7.view1.test$n)
+[ "$lines" -eq 1 ] || ret=1
+rndccmd 10.53.0.7 managed-keys refresh > rndc.out.ns7.view2.test$n || ret=1
+lines=$(wc -l < rndc.out.ns7.view2.test$n)
+grep "refreshing managed keys for 'view1'" rndc.out.ns7.view2.test$n > /dev/null || ret=1
+grep "refreshing managed keys for 'view2'" rndc.out.ns7.view2.test$n > /dev/null || ret=1
+[ "$lines" -eq 2 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check 'rndc managed-keys' and islands of trust now that root is reachable ($n)"
+ret=0
+mkeys_sync_on 5
+mkeys_status_on 5 > rndc.out.$n 2>&1 || ret=1
+# there should be three keys listed now
+count=$(grep -c "keyid: " rndc.out.$n) || true
+[ "$count" -eq 3 ] || ret=1
+# theee lines indicating trust status
+count=$(grep -c "trust" rndc.out.$n) || true
+[ "$count" -eq 3 ] || ret=1
+# three indicates current trust
+count=$(grep -c "trusted since" rndc.out.$n) || true
+[ "$count" -eq 3 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/names/clean.sh b/bin/tests/system/names/clean.sh
new file mode 100644
index 0000000..1f8371b
--- /dev/null
+++ b/bin/tests/system/names/clean.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f dig.*.test*
+rm -f ns*/named.lock
+rm -f ns*/named.memstats
+rm -f ns*/named.run
+rm -f ns*/named.pid
+rm -f ns*/named.conf
+rm -f ns*/managed-keys.bind* ns*/*.mkeys*
diff --git a/bin/tests/system/names/ns1/example.db b/bin/tests/system/names/ns1/example.db
new file mode 100644
index 0000000..a3e9f90
--- /dev/null
+++ b/bin/tests/system/names/ns1/example.db
@@ -0,0 +1,50 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns1
+ns1			A	10.53.0.1
+@			MX	0 m1.mail-servers.example.
+@			MX	0 m2.mail-servers.example.
+@			MX	0 m3.mail-servers.example.
+@			MX	0 m4.mail-servers.example.
+@			MX	0 m5.mail-servers.example.
+@			MX	0 m6.mail-servers.example.
+@			MX	0 m7.mail-servers.example.
+@			MX	0 m8.mail-servers.example.
+@			MX	0 m9.mail-servers.example.
+@			MX	0 m10.mail-servers.example.
+@			MX	0 m11.mail-servers.example.
+@			MX	0 m12.mail-servers.example.
+@			MX	0 m13.mail-servers.example.
+@			MX	0 m14.mail-servers.example.
+@			MX	0 m15.mail-servers.example.
+@			MX	0 m16.mail-servers.example.
+@			MX	0 m17.mail-servers.example.
+@			MX	0 m18.mail-servers.example.
+@			MX	0 m19.mail-servers.example.
+@			MX	0 m20.mail-servers.example.
+@			MX	0 m21.mail-servers.example.
+@			MX	0 m22.mail-servers.example.
+@			MX	0 m23.mail-servers.example.
+@			MX	0 m24.mail-servers.example.
+@			MX	0 m25.mail-servers.example.
+@			MX	0 m26.mail-servers.example.
+@			MX	0 m27.mail-servers.example.
+@			MX	0 m28.mail-servers.example.
+@			MX	0 m29.mail-servers.example.
diff --git a/bin/tests/system/names/ns1/named.conf.in b/bin/tests/system/names/ns1/named.conf.in
new file mode 100644
index 0000000..50211bc
--- /dev/null
+++ b/bin/tests/system/names/ns1/named.conf.in
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	ixfr-from-differences yes;
+	check-integrity no;
+};
+
+
+view compress {
+	match-clients { 10.53.0.1/32; };
+	zone "example" {
+		type primary;
+		file "example.db";
+	};
+};
+
+view nocompress {
+	match-clients { 10.53.0.2/32; };
+	message-compression no;
+	zone "example" {
+		type primary;
+		file "example.db";
+	};
+};
diff --git a/bin/tests/system/names/setup.sh b/bin/tests/system/names/setup.sh
new file mode 100644
index 0000000..e46affa
--- /dev/null
+++ b/bin/tests/system/names/setup.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
diff --git a/bin/tests/system/names/tests.sh b/bin/tests/system/names/tests.sh
new file mode 100644
index 0000000..1718830
--- /dev/null
+++ b/bin/tests/system/names/tests.sh
@@ -0,0 +1,48 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="+nosea +stat +noquest +nocomm +nocmd -p ${PORT}"
+
+status=0
+
+echo_i "Getting message size with compression enabled"
+$DIG $DIGOPTS -b 10.53.0.1 @10.53.0.1 mx example > dig.compen.test
+COMPEN=`grep ';; MSG SIZE' dig.compen.test |sed -e "s/.*: //g"`
+cat dig.compen.test  |grep -v ';;' |sort > dig.compen.sorted.test
+
+echo_i "Getting message size with compression disabled"
+$DIG $DIGOPTS -b 10.53.0.2 @10.53.0.1 mx example > dig.compdis.test
+COMPDIS=`grep ';; MSG SIZE' dig.compdis.test |sed -e "s/.*: //g"`
+cat dig.compdis.test  |grep -v ';;' |sort > dig.compdis.sorted.test
+
+# the compression disabled message should be at least twice as large as with
+# compression disabled, but the content should be the same
+echo_i "Checking if responses are identical other than in message size"
+$DIFF dig.compdis.sorted.test dig.compen.sorted.test >/dev/null
+ret=$?
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "Checking if message with compression disabled is significantly larger"
+echo_i "Disabled $COMPDIS vs enabled $COMPEN"
+val=`expr \( $COMPDIS \* 3 / 2 \) / $COMPEN`
+if [ $val -le 1 ]; then
+	echo_i "failed"
+	status=`expr $status + 1`
+fi;
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/notify/clean.sh b/bin/tests/system/notify/clean.sh
new file mode 100644
index 0000000..3e18850
--- /dev/null
+++ b/bin/tests/system/notify/clean.sh
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Clean up after zone transfer tests.
+#
+
+rm -f */named.conf
+rm -f */named.memstats
+rm -f */named.port
+rm -f */named.run */named.run.prev
+rm -f awk.out.ns?.test*
+rm -f dig.out.?.ns5.test*
+rm -f dig.out.ns2.test*
+rm -f dig.out.ns3.test*
+rm -f dig.out.ns4.test*
+rm -f log.out
+rm -f ns*/managed-keys.bind* ns*/*.mkeys*
+rm -f ns*/named.lock
+rm -f ns2/example.db
+rm -f ns2/x21.db*
+rm -f ns3/example.bk
+rm -f ns4/x21.bk*
+rm -f ns5/x21.bk-b
+rm -f ns5/x21.bk-b.jnl
+rm -f ns5/x21.bk-c
+rm -f ns5/x21.bk-c.jnl
+rm -f ns5/x21.db.jnl
+rm -f tmp
diff --git a/bin/tests/system/notify/ns1/named.conf.in b/bin/tests/system/notify/ns1/named.conf.in
new file mode 100644
index 0000000..eb079c9
--- /dev/null
+++ b/bin/tests/system/notify/ns1/named.conf.in
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
diff --git a/bin/tests/system/notify/ns1/root.db b/bin/tests/system/notify/ns1/root.db
new file mode 100644
index 0000000..17780d1
--- /dev/null
+++ b/bin/tests/system/notify/ns1/root.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. 			IN SOA	gson.nominum.com. a.root.servers.nil. (
+				2000042100   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+
+example.		NS	ns2.example.
+ns2.example.		A	10.53.0.2
diff --git a/bin/tests/system/notify/ns2/example1.db b/bin/tests/system/notify/ns2/example1.db
new file mode 100644
index 0000000..3b8d33b
--- /dev/null
+++ b/bin/tests/system/notify/ns2/example1.db
@@ -0,0 +1,144 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300	; 5 minutes
+example			IN SOA	mname1. . (
+				1          ; serial
+				300        ; refresh (300 seconds)
+				300        ; retry (300 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+example.		NS	ns2.example.
+ns2.example.		A	10.53.0.2
+example.		NS	ns3.example.
+ns3.example.		A	10.53.0.3
+
+$ORIGIN example.
+a			A	10.0.0.1
+$TTL 3600	; 1 hour
+a01			A	0.0.0.0
+a02			A	255.255.255.255
+a601			AAAA	ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+afsdb01			AFSDB	0 hostname
+afsdb02			AFSDB	65535 .
+$TTL 300	; 5 minutes
+b			CNAME	foo.net.
+c			A	73.80.65.49
+$TTL 3600	; 1 hour
+cert01			CERT	65534 65535 PRIVATEOID (
+				MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi
+				WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl
+				d80jEeC8aTrO+KKmCaY= )
+cname01			CNAME	cname-target.
+cname02			CNAME	cname-target
+cname03			CNAME	.
+$TTL 300	; 5 minutes
+d			A	73.80.65.49
+$TTL 3600	; 1 hour
+dname01			DNAME	dname-target.
+dname02			DNAME	dname-target
+dname03			DNAME	.
+$TTL 300	; 5 minutes
+e			MX	10 mail
+			TXT	"one"
+			TXT	"three"
+			TXT	"two"
+			A	73.80.65.49
+			A	73.80.65.50
+			A	73.80.65.52
+			A	73.80.65.51
+f			A	73.80.65.52
+$TTL 3600	; 1 hour
+gpos01			GPOS	"-22.6882" "116.8652" "250.0"
+gpos02			GPOS	"" "" ""
+hinfo01			HINFO	"Generic PC clone" "NetBSD-1.4"
+hinfo02			HINFO	"PC" "NetBSD"
+isdn01			ISDN	"isdn-address"
+isdn02			ISDN	"isdn-address" "subaddress"
+isdn03			ISDN	"isdn-address"
+isdn04			ISDN	"isdn-address" "subaddress"
+key01			KEY	512 255 1 (
+				AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aR
+				yzWZriO6i2odGWWQVucZqKVsENW91IOW4vqudngPZsY3
+				GvQ/xVA8/7pyFj6b7Esga60zyGW6LFe9r8n6paHrlG5o
+				jqf0BaqHT+8= )
+kx01			KX	10 kdc
+kx02			KX	10 .
+loc01			LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+loc02			LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+mb01			MG	madname
+mb02			MG	.
+mg01			MG	mgmname
+mg02			MG	.
+minfo01			MINFO	rmailbx emailbx
+minfo02			MINFO	. .
+mr01			MR	mrname
+mr02			MR	.
+mx01			MX	10 mail
+mx02			MX	10 .
+naptr01			NAPTR	0 0 "" "" "" .
+naptr02			NAPTR	65535 65535 "blurgh" "blorf" "blllbb" foo.
+nsap-ptr01		NSAP-PTR foo.
+			NSAP-PTR .
+nsap01			NSAP	0x47000580005a0000000001e133ffffff00016100
+nsap02			NSAP	0x47000580005a0000000001e133ffffff00016100
+nxt01			NXT	a.secure ( NS SOA MX SIG KEY LOC NXT )
+nxt02			NXT	. ( NSAP-PTR NXT )
+nxt03			NXT	. ( A )
+nxt04			NXT	. ( 127 )
+ptr01			PTR	example.
+px01			PX	65535 foo. bar.
+px02			PX	65535 . .
+rp01			RP	mbox-dname txt-dname
+rp02			RP	. .
+rt01			RT	0 intermediate-host
+rt02			RT	65535 .
+$TTL 300	; 5 minutes
+s			NS	ns.s
+$ORIGIN s.example.
+ns			A	73.80.65.49
+$ORIGIN example.
+$TTL 3600	; 1 hour
+sig01			SIG	NXT 1 3 3600 20000102030405 (
+				19961211100908 2143 foo
+				MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi
+				WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl
+				d80jEeC8aTrO+KKmCaY= )
+srv01			SRV	0 0 0 .
+srv02			SRV	65535 65535 65535 old-slow-box.example.com.
+$TTL 301	; 5 minutes 1 second
+t			A	73.80.65.49
+$TTL 3600	; 1 hour
+txt01			TXT	"foo"
+txt02			TXT	"foo" "bar"
+txt03			TXT	"foo"
+txt04			TXT	"foo" "bar"
+txt05			TXT	"foo bar"
+txt06			TXT	"foo bar"
+txt07			TXT	"foo bar"
+txt08			TXT	"foo\010bar"
+txt09			TXT	"foo\010bar"
+txt10			TXT	"foo bar"
+txt11			TXT	"\"foo\""
+txt12			TXT	"\"foo\""
+$TTL 300	; 5 minutes
+u			TXT	"txt-not-in-nxt"
+$ORIGIN u.example.
+a			A	73.80.65.49
+b			A	73.80.65.49
+$ORIGIN example.
+$TTL 3600	; 1 hour
+wks01			WKS	10.0.0.1 6 ( 0 1 2 21 23 )
+wks02			WKS	10.0.0.1 17 ( 0 1 2 53 )
+wks03			WKS	10.0.0.2 6 ( 65535 )
+x2501			X25	"123456789"
diff --git a/bin/tests/system/notify/ns2/example2.db b/bin/tests/system/notify/ns2/example2.db
new file mode 100644
index 0000000..c762dd6
--- /dev/null
+++ b/bin/tests/system/notify/ns2/example2.db
@@ -0,0 +1,144 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300	; 5 minutes
+example			IN SOA	mname1. . (
+				2          ; serial
+				300        ; refresh (300 seconds)
+				300        ; retry (300 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+example.		NS	ns2.example.
+ns2.example.		A	10.53.0.2
+example.		NS	ns3.example.
+ns3.example.		A	10.53.0.3
+
+$ORIGIN example.
+a			A	10.0.0.2
+$TTL 3600	; 1 hour
+a01			A	0.0.0.0
+a02			A	255.255.255.255
+a601			AAAA	ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+afsdb01			AFSDB	0 hostname
+afsdb02			AFSDB	65535 .
+$TTL 300	; 5 minutes
+b			CNAME	foo.net.
+c			A	73.80.65.49
+$TTL 3600	; 1 hour
+cert01			CERT	65534 65535 PRIVATEOID (
+				MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi
+				WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl
+				d80jEeC8aTrO+KKmCaY= )
+cname01			CNAME	cname-target.
+cname02			CNAME	cname-target
+cname03			CNAME	.
+$TTL 300	; 5 minutes
+d			A	73.80.65.49
+$TTL 3600	; 1 hour
+dname01			DNAME	dname-target.
+dname02			DNAME	dname-target
+dname03			DNAME	.
+$TTL 300	; 5 minutes
+e			MX	10 mail
+			TXT	"one"
+			TXT	"three"
+			TXT	"two"
+			A	73.80.65.49
+			A	73.80.65.50
+			A	73.80.65.52
+			A	73.80.65.51
+f			A	73.80.65.52
+$TTL 3600	; 1 hour
+gpos01			GPOS	"-22.6882" "116.8652" "250.0"
+gpos02			GPOS	"" "" ""
+hinfo01			HINFO	"Generic PC clone" "NetBSD-1.4"
+hinfo02			HINFO	"PC" "NetBSD"
+isdn01			ISDN	"isdn-address"
+isdn02			ISDN	"isdn-address" "subaddress"
+isdn03			ISDN	"isdn-address"
+isdn04			ISDN	"isdn-address" "subaddress"
+key01			KEY	512 255 1 (
+				AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aR
+				yzWZriO6i2odGWWQVucZqKVsENW91IOW4vqudngPZsY3
+				GvQ/xVA8/7pyFj6b7Esga60zyGW6LFe9r8n6paHrlG5o
+				jqf0BaqHT+8= )
+kx01			KX	10 kdc
+kx02			KX	10 .
+loc01			LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+loc02			LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+mb01			MG	madname
+mb02			MG	.
+mg01			MG	mgmname
+mg02			MG	.
+minfo01			MINFO	rmailbx emailbx
+minfo02			MINFO	. .
+mr01			MR	mrname
+mr02			MR	.
+mx01			MX	10 mail
+mx02			MX	10 .
+naptr01			NAPTR	0 0 "" "" "" .
+naptr02			NAPTR	65535 65535 "blurgh" "blorf" "blllbb" foo.
+nsap-ptr01		NSAP-PTR foo.
+			NSAP-PTR .
+nsap01			NSAP	0x47000580005a0000000001e133ffffff00016100
+nsap02			NSAP	0x47000580005a0000000001e133ffffff00016100
+nxt01			NXT	a.secure ( NS SOA MX SIG KEY LOC NXT )
+nxt02			NXT	. ( NSAP-PTR NXT )
+nxt03			NXT	. ( A )
+nxt04			NXT	. ( 127 )
+ptr01			PTR	example.
+px01			PX	65535 foo. bar.
+px02			PX	65535 . .
+rp01			RP	mbox-dname txt-dname
+rp02			RP	. .
+rt01			RT	0 intermediate-host
+rt02			RT	65535 .
+$TTL 300	; 5 minutes
+s			NS	ns.s
+$ORIGIN s.example.
+ns			A	73.80.65.49
+$ORIGIN example.
+$TTL 3600	; 1 hour
+sig01			SIG	NXT 1 3 3600 20000102030405 (
+				19961211100908 2143 foo
+				MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi
+				WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl
+				d80jEeC8aTrO+KKmCaY= )
+srv01			SRV	0 0 0 .
+srv02			SRV	65535 65535 65535 old-slow-box.example.com.
+$TTL 301	; 5 minutes 1 second
+t			A	73.80.65.49
+$TTL 3600	; 1 hour
+txt01			TXT	"foo"
+txt02			TXT	"foo" "bar"
+txt03			TXT	"foo"
+txt04			TXT	"foo" "bar"
+txt05			TXT	"foo bar"
+txt06			TXT	"foo bar"
+txt07			TXT	"foo bar"
+txt08			TXT	"foo\010bar"
+txt09			TXT	"foo\010bar"
+txt10			TXT	"foo bar"
+txt11			TXT	"\"foo\""
+txt12			TXT	"\"foo\""
+$TTL 300	; 5 minutes
+u			TXT	"txt-not-in-nxt"
+$ORIGIN u.example.
+a			A	73.80.65.49
+b			A	73.80.65.49
+$ORIGIN example.
+$TTL 3600	; 1 hour
+wks01			WKS	10.0.0.1 6 ( 0 1 2 21 23 )
+wks02			WKS	10.0.0.1 17 ( 0 1 2 53 )
+wks03			WKS	10.0.0.2 6 ( 65535 )
+x2501			X25	"123456789"
diff --git a/bin/tests/system/notify/ns2/example3.db b/bin/tests/system/notify/ns2/example3.db
new file mode 100644
index 0000000..dd3371b
--- /dev/null
+++ b/bin/tests/system/notify/ns2/example3.db
@@ -0,0 +1,144 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300	; 5 minutes
+example			IN SOA	mname1. . (
+				3          ; serial
+				300        ; refresh (300 seconds)
+				300        ; retry (300 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+example.		NS	ns2.example.
+ns2.example.		A	10.53.0.2
+example.		NS	ns3.example.
+ns3.example.		A	10.53.0.3
+
+$ORIGIN example.
+a			A	10.0.0.3
+$TTL 3600	; 1 hour
+a01			A	0.0.0.0
+a02			A	255.255.255.255
+a601			AAAA	ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+afsdb01			AFSDB	0 hostname
+afsdb02			AFSDB	65535 .
+$TTL 300	; 5 minutes
+b			CNAME	foo.net.
+c			A	73.80.65.49
+$TTL 3600	; 1 hour
+cert01			CERT	65534 65535 PRIVATEOID (
+				MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi
+				WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl
+				d80jEeC8aTrO+KKmCaY= )
+cname01			CNAME	cname-target.
+cname02			CNAME	cname-target
+cname03			CNAME	.
+$TTL 300	; 5 minutes
+d			A	73.80.65.49
+$TTL 3600	; 1 hour
+dname01			DNAME	dname-target.
+dname02			DNAME	dname-target
+dname03			DNAME	.
+$TTL 300	; 5 minutes
+e			MX	10 mail
+			TXT	"one"
+			TXT	"three"
+			TXT	"two"
+			A	73.80.65.49
+			A	73.80.65.50
+			A	73.80.65.52
+			A	73.80.65.51
+f			A	73.80.65.52
+$TTL 3600	; 1 hour
+gpos01			GPOS	"-22.6882" "116.8652" "250.0"
+gpos02			GPOS	"" "" ""
+hinfo01			HINFO	"Generic PC clone" "NetBSD-1.4"
+hinfo02			HINFO	"PC" "NetBSD"
+isdn01			ISDN	"isdn-address"
+isdn02			ISDN	"isdn-address" "subaddress"
+isdn03			ISDN	"isdn-address"
+isdn04			ISDN	"isdn-address" "subaddress"
+key01			KEY	512 255 1 (
+				AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aR
+				yzWZriO6i2odGWWQVucZqKVsENW91IOW4vqudngPZsY3
+				GvQ/xVA8/7pyFj6b7Esga60zyGW6LFe9r8n6paHrlG5o
+				jqf0BaqHT+8= )
+kx01			KX	10 kdc
+kx02			KX	10 .
+loc01			LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+loc02			LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+mb01			MG	madname
+mb02			MG	.
+mg01			MG	mgmname
+mg02			MG	.
+minfo01			MINFO	rmailbx emailbx
+minfo02			MINFO	. .
+mr01			MR	mrname
+mr02			MR	.
+mx01			MX	10 mail
+mx02			MX	10 .
+naptr01			NAPTR	0 0 "" "" "" .
+naptr02			NAPTR	65535 65535 "blurgh" "blorf" "blllbb" foo.
+nsap-ptr01		NSAP-PTR foo.
+			NSAP-PTR .
+nsap01			NSAP	0x47000580005a0000000001e133ffffff00016100
+nsap02			NSAP	0x47000580005a0000000001e133ffffff00016100
+nxt01			NXT	a.secure ( NS SOA MX SIG KEY LOC NXT )
+nxt02			NXT	. ( NSAP-PTR NXT )
+nxt03			NXT	. ( A )
+nxt04			NXT	. ( 127 )
+ptr01			PTR	example.
+px01			PX	65535 foo. bar.
+px02			PX	65535 . .
+rp01			RP	mbox-dname txt-dname
+rp02			RP	. .
+rt01			RT	0 intermediate-host
+rt02			RT	65535 .
+$TTL 300	; 5 minutes
+s			NS	ns.s
+$ORIGIN s.example.
+ns			A	73.80.65.49
+$ORIGIN example.
+$TTL 3600	; 1 hour
+sig01			SIG	NXT 1 3 3600 20000102030405 (
+				19961211100908 2143 foo
+				MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi
+				WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl
+				d80jEeC8aTrO+KKmCaY= )
+srv01			SRV	0 0 0 .
+srv02			SRV	65535 65535 65535 old-slow-box.example.com.
+$TTL 301	; 5 minutes 1 second
+t			A	73.80.65.49
+$TTL 3600	; 1 hour
+txt01			TXT	"foo"
+txt02			TXT	"foo" "bar"
+txt03			TXT	"foo"
+txt04			TXT	"foo" "bar"
+txt05			TXT	"foo bar"
+txt06			TXT	"foo bar"
+txt07			TXT	"foo bar"
+txt08			TXT	"foo\010bar"
+txt09			TXT	"foo\010bar"
+txt10			TXT	"foo bar"
+txt11			TXT	"\"foo\""
+txt12			TXT	"\"foo\""
+$TTL 300	; 5 minutes
+u			TXT	"txt-not-in-nxt"
+$ORIGIN u.example.
+a			A	73.80.65.49
+b			A	73.80.65.49
+$ORIGIN example.
+$TTL 3600	; 1 hour
+wks01			WKS	10.0.0.1 6 ( 0 1 2 21 23 )
+wks02			WKS	10.0.0.1 17 ( 0 1 2 53 )
+wks03			WKS	10.0.0.2 6 ( 65535 )
+x2501			X25	"123456789"
diff --git a/bin/tests/system/notify/ns2/example4.db b/bin/tests/system/notify/ns2/example4.db
new file mode 100644
index 0000000..86d9bf2
--- /dev/null
+++ b/bin/tests/system/notify/ns2/example4.db
@@ -0,0 +1,144 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300	; 5 minutes
+example			IN SOA	mname1. . (
+				4          ; serial
+				300        ; refresh (300 seconds)
+				300        ; retry (300 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+example.		NS	ns2.example.
+ns2.example.		A	10.53.0.2
+example.		NS	ns3.example.
+ns3.example.		A	10.53.0.3
+
+$ORIGIN example.
+a			A	10.0.0.4
+$TTL 3600	; 1 hour
+a01			A	0.0.0.0
+a02			A	255.255.255.255
+a601			AAAA	ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+afsdb01			AFSDB	0 hostname
+afsdb02			AFSDB	65535 .
+$TTL 300	; 5 minutes
+b			CNAME	foo.net.
+c			A	73.80.65.49
+$TTL 3600	; 1 hour
+cert01			CERT	65534 65535 PRIVATEOID (
+				MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi
+				WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl
+				d80jEeC8aTrO+KKmCaY= )
+cname01			CNAME	cname-target.
+cname02			CNAME	cname-target
+cname03			CNAME	.
+$TTL 300	; 5 minutes
+d			A	73.80.65.49
+$TTL 3600	; 1 hour
+dname01			DNAME	dname-target.
+dname02			DNAME	dname-target
+dname03			DNAME	.
+$TTL 300	; 5 minutes
+e			MX	10 mail
+			TXT	"one"
+			TXT	"three"
+			TXT	"two"
+			A	73.80.65.49
+			A	73.80.65.50
+			A	73.80.65.52
+			A	73.80.65.51
+f			A	73.80.65.52
+$TTL 3600	; 1 hour
+gpos01			GPOS	"-22.6882" "116.8652" "250.0"
+gpos02			GPOS	"" "" ""
+hinfo01			HINFO	"Generic PC clone" "NetBSD-1.4"
+hinfo02			HINFO	"PC" "NetBSD"
+isdn01			ISDN	"isdn-address"
+isdn02			ISDN	"isdn-address" "subaddress"
+isdn03			ISDN	"isdn-address"
+isdn04			ISDN	"isdn-address" "subaddress"
+key01			KEY	512 255 1 (
+				AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aR
+				yzWZriO6i2odGWWQVucZqKVsENW91IOW4vqudngPZsY3
+				GvQ/xVA8/7pyFj6b7Esga60zyGW6LFe9r8n6paHrlG5o
+				jqf0BaqHT+8= )
+kx01			KX	10 kdc
+kx02			KX	10 .
+loc01			LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+loc02			LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+mb01			MG	madname
+mb02			MG	.
+mg01			MG	mgmname
+mg02			MG	.
+minfo01			MINFO	rmailbx emailbx
+minfo02			MINFO	. .
+mr01			MR	mrname
+mr02			MR	.
+mx01			MX	10 mail
+mx02			MX	10 .
+naptr01			NAPTR	0 0 "" "" "" .
+naptr02			NAPTR	65535 65535 "blurgh" "blorf" "blllbb" foo.
+nsap-ptr01		NSAP-PTR foo.
+			NSAP-PTR .
+nsap01			NSAP	0x47000580005a0000000001e133ffffff00016100
+nsap02			NSAP	0x47000580005a0000000001e133ffffff00016100
+nxt01			NXT	a.secure ( NS SOA MX SIG KEY LOC NXT )
+nxt02			NXT	. ( NSAP-PTR NXT )
+nxt03			NXT	. ( A )
+nxt04			NXT	. ( 127 )
+ptr01			PTR	example.
+px01			PX	65535 foo. bar.
+px02			PX	65535 . .
+rp01			RP	mbox-dname txt-dname
+rp02			RP	. .
+rt01			RT	0 intermediate-host
+rt02			RT	65535 .
+$TTL 300	; 5 minutes
+s			NS	ns.s
+$ORIGIN s.example.
+ns			A	73.80.65.49
+$ORIGIN example.
+$TTL 3600	; 1 hour
+sig01			SIG	NXT 1 3 3600 20000102030405 (
+				19961211100908 2143 foo
+				MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi
+				WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl
+				d80jEeC8aTrO+KKmCaY= )
+srv01			SRV	0 0 0 .
+srv02			SRV	65535 65535 65535 old-slow-box.example.com.
+$TTL 301	; 5 minutes 1 second
+t			A	73.80.65.49
+$TTL 3600	; 1 hour
+txt01			TXT	"foo"
+txt02			TXT	"foo" "bar"
+txt03			TXT	"foo"
+txt04			TXT	"foo" "bar"
+txt05			TXT	"foo bar"
+txt06			TXT	"foo bar"
+txt07			TXT	"foo bar"
+txt08			TXT	"foo\010bar"
+txt09			TXT	"foo\010bar"
+txt10			TXT	"foo bar"
+txt11			TXT	"\"foo\""
+txt12			TXT	"\"foo\""
+$TTL 300	; 5 minutes
+u			TXT	"txt-not-in-nxt"
+$ORIGIN u.example.
+a			A	73.80.65.49
+b			A	73.80.65.49
+$ORIGIN example.
+$TTL 3600	; 1 hour
+wks01			WKS	10.0.0.1 6 ( 0 1 2 21 23 )
+wks02			WKS	10.0.0.1 17 ( 0 1 2 53 )
+wks03			WKS	10.0.0.2 6 ( 65535 )
+x2501			X25	"123456789"
diff --git a/bin/tests/system/notify/ns2/generic.db b/bin/tests/system/notify/ns2/generic.db
new file mode 100644
index 0000000..108b552
--- /dev/null
+++ b/bin/tests/system/notify/ns2/generic.db
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				1          ; serial
+				300        ; refresh (300 seconds)
+				300        ; retry (300 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+        		NS	ns2
+        		NS	ns3
+ns2     		A	10.53.0.2
+ns3     		A	10.53.0.3
+
+a			A	10.0.0.1
diff --git a/bin/tests/system/notify/ns2/named.conf.in b/bin/tests/system/notify/ns2/named.conf.in
new file mode 100644
index 0000000..13b3797
--- /dev/null
+++ b/bin/tests/system/notify/ns2/named.conf.in
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	startup-notify-rate 5;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+	// Check that named can handle a empty also-notify.
+	also-notify { /* empty */ };
+};
+
+# use both 'primaries' and 'masters' to test that they
+# can work correctly together.
+primaries noport { 10.53.0.4; };
+masters x21 port @EXTRAPORT1@ { noport; };
+
+zone x1 {
+    type primary;
+	file "generic.db";
+	also-notify { 10.53.0.3; };
+    notify primary-only;
+};
+zone x2 {
+    type primary;
+	file "generic.db";
+	also-notify { 10.53.0.3; };
+    notify master-only; # test old syntax
+};
+
+zone x3 { type primary; file "generic.db"; also-notify { 10.53.0.3; }; };
+zone x4 { type primary; file "generic.db"; also-notify { 10.53.0.3; }; };
+zone x5 { type primary; file "generic.db"; also-notify { 10.53.0.3; }; };
+zone x6 { type primary; file "generic.db"; also-notify { 10.53.0.3; }; };
+zone x7 { type primary; file "generic.db"; also-notify { 10.53.0.3; }; };
+zone x8 { type primary; file "generic.db"; also-notify { 10.53.0.3; }; };
+zone x9 { type primary; file "generic.db"; also-notify { 10.53.0.3; }; };
+zone x10 { type primary; file "generic.db"; also-notify { 10.53.0.3; }; };
+zone x11 { type primary; file "generic.db"; also-notify { 10.53.0.3; }; };
+zone x12 { type primary; file "generic.db"; also-notify { 10.53.0.3; }; };
+zone x13 { type primary; file "generic.db"; also-notify { 10.53.0.3; }; };
+zone x14 { type primary; file "generic.db"; also-notify { 10.53.0.3; }; };
+zone x15 { type primary; file "generic.db"; also-notify { 10.53.0.3; }; };
+zone x16 { type primary; file "generic.db"; also-notify { 10.53.0.3; }; };
+zone x17 { type primary; file "generic.db"; also-notify { 10.53.0.3; }; };
+zone x18 { type primary; file "generic.db"; also-notify { 10.53.0.3; }; };
+zone x19 { type primary; file "generic.db"; also-notify { 10.53.0.3; }; };
+zone x20 { type primary; file "generic.db"; also-notify { 10.53.0.3; }; };
+zone x21 { type primary; file "x21.db"; allow-update { any; }; also-notify { x21; }; };
diff --git a/bin/tests/system/notify/ns3/named.conf.in b/bin/tests/system/notify/ns3/named.conf.in
new file mode 100644
index 0000000..e364e60
--- /dev/null
+++ b/bin/tests/system/notify/ns3/named.conf.in
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "example" {
+	type secondary;
+	primaries { 10.53.0.2; };
+	file "example.bk";
+};
diff --git a/bin/tests/system/notify/ns4/named.conf.in b/bin/tests/system/notify/ns4/named.conf.in
new file mode 100644
index 0000000..f20d2eb
--- /dev/null
+++ b/bin/tests/system/notify/ns4/named.conf.in
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port @EXTRAPORT1@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "x21" {
+	type secondary;
+	primaries { 10.53.0.2 port @PORT@; };
+	file "x21.bk";
+};
diff --git a/bin/tests/system/notify/ns4/named.port.in b/bin/tests/system/notify/ns4/named.port.in
new file mode 100644
index 0000000..8e94a3c
--- /dev/null
+++ b/bin/tests/system/notify/ns4/named.port.in
@@ -0,0 +1 @@
+@EXTRAPORT1@
diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in
new file mode 100644
index 0000000..5cab276
--- /dev/null
+++ b/bin/tests/system/notify/ns5/named.conf.in
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key "a" {
+	algorithm "hmac-md5";
+	secret "aaaaaaaaaaaaaaaaaaaa";
+};
+
+key "b" {
+	algorithm "hmac-md5";
+	secret "bbbbbbbbbbbbbbbbbbbb";
+};
+
+key "c" {
+	algorithm "hmac-md5";
+	secret "cccccccccccccccccccc";
+};
+
+options {
+	query-source address 10.53.0.5;
+	notify-source 10.53.0.5;
+	transfer-source 10.53.0.5;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.5; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+};
+
+view "a" {
+	match-clients { key "a"; };
+	zone "x21" {
+		type primary;
+		also-notify { 10.53.0.5 key "b"; 10.53.0.5 key "c"; };
+		file "x21.db";
+		allow-update { any; };
+	};
+};
+
+view "b" {
+	match-clients { key "b"; };
+	zone "x21" {
+		type secondary;
+		primaries { 10.53.0.5 key "a"; };
+		file "x21.bk-b";
+		notify no;
+	};
+};
+
+view "c" {
+	match-clients { key "c"; };
+	zone "x21" {
+		type secondary;
+		primaries { 10.53.0.5 key "a"; };
+		file "x21.bk-c";
+		notify no;
+	};
+};
diff --git a/bin/tests/system/notify/ns5/x21.db b/bin/tests/system/notify/ns5/x21.db
new file mode 100644
index 0000000..8f2ac7d
--- /dev/null
+++ b/bin/tests/system/notify/ns5/x21.db
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				1          ; serial
+				300        ; refresh (300 seconds)
+				300        ; retry (300 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+        		NS	ns5
+ns5     		A	10.53.0.5
+a			A	10.0.0.1
diff --git a/bin/tests/system/notify/setup.sh b/bin/tests/system/notify/setup.sh
new file mode 100644
index 0000000..6b36b33
--- /dev/null
+++ b/bin/tests/system/notify/setup.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+
+copy_setports ns4/named.port.in ns4/named.port
+
+cp -f ns2/example1.db ns2/example.db
+cp -f ns2/generic.db ns2/x21.db
diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh
new file mode 100644
index 0000000..c02654e
--- /dev/null
+++ b/bin/tests/system/notify/tests.sh
@@ -0,0 +1,242 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}"
+RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
+
+status=0
+n=0
+
+#
+# Wait up to 10 seconds for the servers to finish starting before testing.
+#
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+	ret=0
+	$DIG +tcp -p ${PORT} example @10.53.0.2 soa > dig.out.ns2.test$n || ret=1
+	grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+	grep "flags:.* aa[ ;]" dig.out.ns2.test$n > /dev/null || ret=1
+	$DIG +tcp -p ${PORT} example @10.53.0.3 soa > dig.out.ns3.test$n || ret=1
+	grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+	grep "flags:.* aa[ ;]" dig.out.ns3.test$n > /dev/null || ret=1
+        nr=`grep 'x[0-9].*sending notify to' ns2/named.run | wc -l`
+        [ $nr -eq 20 ] || ret=1
+	[ $ret = 0 ] && break
+	sleep 1
+done
+
+n=`expr $n + 1`
+echo_i "checking initial status ($n)"
+ret=0
+$DIG $DIGOPTS a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
+grep "10.0.0.1" dig.out.ns2.test$n > /dev/null || ret=1
+
+$DIG $DIGOPTS a.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+grep "10.0.0.1" dig.out.ns3.test$n > /dev/null || ret=1
+
+digcomp dig.out.ns2.test$n dig.out.ns3.test$n || ret=1
+
+[ $ret = 0 ] || echo_i "failed"
+status=`expr $ret + $status`
+
+n=`expr $n + 1`
+echo_i "checking startup notify rate limit ($n)"
+ret=0
+awk '/x[0-9].*sending notify to/ {
+	split($2, a, ":");
+	this = a[1] * 3600 + a[2] * 60 + a[3];
+	if (lasta1 && lasta1 > a[1]) {
+		fix = 3600 * 24;
+	}
+	this += fix;
+	if (last) {
+		delta = this - last;
+		print delta;
+
+		total += delta;
+		if (!maxdelta || delta > maxdelta) {
+			maxdelta = delta;
+		}
+		if (!mindelta || delta < mindelta) {
+			mindelta = delta;
+		}
+	}
+	lasta1 = a[1];
+	last = this;
+	count++;
+}
+END {
+	average = total / count;
+	print "mindelta:", mindelta;
+	print "maxdelta:" maxdelta;
+	print "count:", count;
+	print "average:", average;
+	if (average < 0.180) exit(1);
+	if (count < 20) exit(1);
+}' ns2/named.run > awk.out.ns2.test$n || ret=1
+[ $ret = 0 ] || echo_i "failed"
+status=`expr $ret + $status`
+
+nextpart ns3/named.run > /dev/null
+
+sleep 1 # make sure filesystem time stamp is newer for reload.
+rm -f ns2/example.db
+cp -f ns2/example2.db ns2/example.db
+if [ ! "$CYGWIN" ]; then
+    echo_i "reloading with example2 using HUP and waiting up to 45 seconds"
+    $KILL -HUP `cat ns2/named.pid`
+else
+    echo_i "reloading with example2 using rndc and waiting up to 45 seconds"
+    rndc_reload ns2 10.53.0.2
+fi
+
+try=0
+while test $try -lt 45
+do
+    nextpart ns3/named.run > tmp
+    grep "transfer of 'example/IN' from 10.53.0.2#.*success" tmp > /dev/null && break
+    sleep 1
+    try=`expr $try + 1`
+done
+
+n=`expr $n + 1`
+echo_i "checking notify message was logged ($n)"
+ret=0
+grep 'notify from 10.53.0.2#[0-9][0-9]*: serial 2$' ns3/named.run > /dev/null || ret=1
+[ $ret = 0 ] || echo_i "failed"
+status=`expr $ret + $status`
+
+n=`expr $n + 1`
+echo_i "checking example2 loaded ($n)"
+ret=0
+$DIG $DIGOPTS a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
+grep "10.0.0.2" dig.out.ns2.test$n > /dev/null || ret=1
+
+[ $ret = 0 ] || echo_i "failed"
+status=`expr $ret + $status`
+
+n=`expr $n + 1`
+echo_i "checking example2 contents have been transferred after HUP reload ($n)"
+ret=0
+$DIG $DIGOPTS a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
+grep "10.0.0.2" dig.out.ns2.test$n > /dev/null || ret=1
+
+$DIG $DIGOPTS a.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+grep "10.0.0.2" dig.out.ns3.test$n > /dev/null || ret=1
+
+digcomp dig.out.ns2.test$n dig.out.ns3.test$n || ret=1
+
+[ $ret = 0 ] || echo_i "failed"
+status=`expr $ret + $status`
+
+echo_i "stopping master and restarting with example4 then waiting up to 45 seconds"
+stop_server ns2
+
+rm -f ns2/example.db
+cp -f ns2/example4.db ns2/example.db
+
+start_server --noclean --restart --port "${PORT}" ns2
+
+try=0
+while test $try -lt 45
+do
+    nextpart ns3/named.run > tmp
+    grep "transfer of 'example/IN' from 10.53.0.2#.*success" tmp > /dev/null && break
+    sleep 1
+    try=`expr $try + 1`
+done
+
+n=`expr $n + 1`
+echo_i "checking notify message was logged ($n)"
+ret=0
+grep 'notify from 10.53.0.2#[0-9][0-9]*: serial 4$' ns3/named.run > /dev/null || ret=1
+[ $ret = 0 ] || echo_i "failed"
+status=`expr $ret + $status`
+
+n=`expr $n + 1`
+echo_i "checking example4 loaded ($n)"
+ret=0
+$DIG $DIGOPTS a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
+grep "10.0.0.4" dig.out.ns2.test$n > /dev/null || ret=1
+
+[ $ret = 0 ] || echo_i "failed"
+status=`expr $ret + $status`
+
+n=`expr $n + 1`
+echo_i "checking example4 contents have been transferred after restart ($n)"
+ret=0
+$DIG $DIGOPTS a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
+grep "10.0.0.4" dig.out.ns2.test$n > /dev/null || ret=1
+
+$DIG $DIGOPTS a.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+grep "10.0.0.4" dig.out.ns3.test$n > /dev/null || ret=1
+
+digcomp dig.out.ns2.test$n dig.out.ns3.test$n || ret=1
+
+[ $ret = 0 ] || echo_i "failed"
+status=`expr $ret + $status`
+
+n=`expr $n + 1`
+echo_i "checking notify to alternate port with master inheritance ($n)"
+$NSUPDATE << EOF
+server 10.53.0.2 ${PORT}
+zone x21
+update add added.x21 0 in txt "test string"
+send
+EOF
+for i in 1 2 3 4 5 6 7 8 9
+do
+	$DIG $DIGOPTS added.x21. @10.53.0.4 txt -p $EXTRAPORT1 > dig.out.ns4.test$n || ret=1
+	grep "test string" dig.out.ns4.test$n > /dev/null && break
+	sleep 1
+done
+grep "test string" dig.out.ns4.test$n > /dev/null || ret=1
+
+[ $ret = 0 ] || echo_i "failed"
+status=`expr $ret + $status`
+
+n=`expr $n + 1`
+echo_i "checking notify to multiple views using tsig ($n)"
+ret=0
+$NSUPDATE << EOF
+server 10.53.0.5 ${PORT}
+zone x21
+key a aaaaaaaaaaaaaaaaaaaa
+update add added.x21 0 in txt "test string"
+send
+EOF
+
+for i in 1 2 3 4 5 6 7 8 9
+do
+	$DIG $DIGOPTS added.x21. -y b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \
+		txt > dig.out.b.ns5.test$n || ret=1
+	$DIG $DIGOPTS added.x21. -y c:cccccccccccccccccccc @10.53.0.5 \
+		txt > dig.out.c.ns5.test$n || ret=1
+	grep "test string" dig.out.b.ns5.test$n > /dev/null &&
+	grep "test string" dig.out.c.ns5.test$n > /dev/null &&
+	break
+	sleep 1
+done
+grep "test string" dig.out.b.ns5.test$n > /dev/null || ret=1
+grep "test string" dig.out.c.ns5.test$n > /dev/null || ret=1
+grep "sending notify to 10.53.0.5#[0-9]* : TSIG (b)" ns5/named.run > /dev/null || ret=1
+grep "sending notify to 10.53.0.5#[0-9]* : TSIG (c)" ns5/named.run > /dev/null || ret=1
+
+[ $ret = 0 ] || echo_i "failed"
+status=`expr $ret + $status`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/nsec3/clean.sh b/bin/tests/system/nsec3/clean.sh
new file mode 100644
index 0000000..b8e8317
--- /dev/null
+++ b/bin/tests/system/nsec3/clean.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+rm -f dig.out.* rndc.signing.* update.out.* verify.out.*
+rm -f ns*/named.conf ns*/named.memstats ns*/named.run*
+rm -f ns*/*.jnl ns*/*.jbk ns*/managed-keys.bind
+rm -f ns*/K*.private ns*/K*.key ns*/K*.state
+rm -f ns*/dsset-* ns*/*.db ns*/*.db.signed
+
diff --git a/bin/tests/system/nsec3/ns2/named.conf.in b/bin/tests/system/nsec3/ns2/named.conf.in
new file mode 100644
index 0000000..d6caf15
--- /dev/null
+++ b/bin/tests/system/nsec3/ns2/named.conf.in
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+dnssec-policy "nsec3" {
+	nsec3param;
+};
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	allow-transfer { any; };
+	recursion no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "nsec3-xfr-inline.kasp" {
+	type primary;
+	file "nsec3-xfr-inline.kasp.db";
+	inline-signing yes;
+	dnssec-policy "nsec3";
+};
diff --git a/bin/tests/system/nsec3/ns2/setup.sh b/bin/tests/system/nsec3/ns2/setup.sh
new file mode 100644
index 0000000..1cbe02f
--- /dev/null
+++ b/bin/tests/system/nsec3/ns2/setup.sh
@@ -0,0 +1,22 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+echo_i "ns2/setup.sh"
+
+zone="nsec3-xfr-inline.kasp"
+echo_i "setting up zone: $zone"
+zonefile="${zone}.db"
+cp template.db.in "$zonefile"
diff --git a/bin/tests/system/nsec3/ns2/template.db.in b/bin/tests/system/nsec3/ns2/template.db.in
new file mode 100644
index 0000000..8379c37
--- /dev/null
+++ b/bin/tests/system/nsec3/ns2/template.db.in
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@		IN	SOA  mname1. . (
+			1       ; serial
+			20      ; refresh (20 seconds)
+			20      ; retry (20 seconds)
+			1814400 ; expire (3 weeks)
+			3600    ; minimum (1 hour)
+			)
+
+			NS	ns2
+ns2			A	10.53.0.2
+ns3			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+c			A	10.0.0.3
+
diff --git a/bin/tests/system/nsec3/ns3/named.conf.in b/bin/tests/system/nsec3/ns3/named.conf.in
new file mode 100644
index 0000000..4324f2d
--- /dev/null
+++ b/bin/tests/system/nsec3/ns3/named.conf.in
@@ -0,0 +1,162 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+dnssec-policy "nsec" {
+	// no need to change configuration: if no 'nsec3param' is set,
+	// NSEC will be used;
+};
+
+dnssec-policy "nsec3" {
+	nsec3param;
+};
+
+dnssec-policy "optout" {
+	nsec3param optout yes;
+};
+
+dnssec-policy "nsec3-other" {
+	nsec3param iterations 11 optout yes salt-length 0;
+};
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	allow-transfer { any; };
+	recursion no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+/* This zone starts with NSEC, but will be reconfigured to use NSEC3. */
+zone "nsec-to-nsec3.kasp" {
+	type primary;
+	file "nsec-to-nsec3.kasp.db";
+	inline-signing yes;
+	dnssec-policy "nsec";
+};
+
+/* These zones use the default NSEC3 settings. */
+zone "nsec3.kasp" {
+	type primary;
+	file "nsec3.kasp.db";
+	inline-signing yes;
+	dnssec-policy "nsec3";
+};
+
+zone "nsec3-dynamic.kasp" {
+	type primary;
+	file "nsec3-dynamic.kasp.db";
+	dnssec-policy "nsec3";
+	allow-update { any; };
+};
+
+/* This zone uses non-default NSEC3 settings. */
+zone "nsec3-other.kasp" {
+	type primary;
+	file "nsec3-other.kasp.db";
+	inline-signing yes;
+	dnssec-policy "nsec3-other";
+};
+
+/* These zones will be reconfigured to use other NSEC3 settings. */
+zone "nsec3-change.kasp" {
+	type primary;
+	file "nsec3-change.kasp.db";
+	inline-signing yes;
+	dnssec-policy "nsec3";
+};
+
+zone "nsec3-dynamic-change.kasp" {
+	type primary;
+	file "nsec3-dynamic-change.kasp.db";
+	dnssec-policy "nsec3";
+	allow-update { any; };
+};
+
+/* The zone will be reconfigured to use opt-out. */
+zone "nsec3-to-optout.kasp" {
+	type primary;
+	file "nsec3-to-optout.kasp.db";
+	inline-signing yes;
+	dnssec-policy "nsec3";
+};
+
+/* The zone will be reconfigured to disable opt-out. */
+zone "nsec3-from-optout.kasp" {
+	type primary;
+	file "nsec3-from-optout.kasp.db";
+	inline-signing yes;
+	dnssec-policy "optout";
+};
+
+/* The zone starts with NSEC3, but will be reconfigured to use NSEC. */
+zone "nsec3-to-nsec.kasp" {
+	type primary;
+	file "nsec3-to-nsec.kasp.db";
+	inline-signing yes;
+	dnssec-policy "nsec3";
+};
+
+/* The zone fails to load, this should not prevent shutdown. */
+zone "nsec3-fails-to-load.kasp" {
+	type primary;
+	file "nsec3-fails-to-load.kasp.db";
+	dnssec-policy "nsec3";
+	allow-update { any; };
+};
+
+/* These zones switch from dynamic to inline-signing or vice versa. */
+zone "nsec3-dynamic-to-inline.kasp" {
+	type primary;
+	file "nsec3-dynamic-to-inline.kasp.db";
+	dnssec-policy "nsec3";
+	allow-update { any; };
+};
+
+zone "nsec3-inline-to-dynamic.kasp" {
+	type primary;
+	file "nsec3-inline-to-dynamic.kasp.db";
+	inline-signing yes;
+	dnssec-policy "nsec3";
+};
+
+/* Test adding a NSEC3 record to an inline-signing dnssec-policy zone. */
+zone "nsec3-dynamic-update-inline.kasp" {
+	type primary;
+	file "nsec3-dynamic-update-inline.kasp.db";
+	inline-signing yes;
+	allow-update { any; };
+	dnssec-policy "nsec";
+};
+
+zone "nsec3-xfr-inline.kasp" {
+	type secondary;
+	file "nsec3-xfr-inline.kasp.db";
+	inline-signing yes;
+	dnssec-policy "nsec";
+	primaries { 10.53.0.2; };
+};
diff --git a/bin/tests/system/nsec3/ns3/named2.conf.in b/bin/tests/system/nsec3/ns3/named2.conf.in
new file mode 100644
index 0000000..5c3b970
--- /dev/null
+++ b/bin/tests/system/nsec3/ns3/named2.conf.in
@@ -0,0 +1,153 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+dnssec-policy "nsec" {
+	// no need to change configuration: if no 'nsec3param' is set,
+	// NSEC will be used;
+};
+
+dnssec-policy "nsec3" {
+	nsec3param;
+};
+
+dnssec-policy "optout" {
+	nsec3param optout yes;
+};
+
+dnssec-policy "nsec3-other" {
+	nsec3param iterations 11 optout yes salt-length 0;
+};
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	allow-transfer { any; };
+	recursion no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+/* This zone starts with NSEC, but will be reconfigured to use NSEC3. */
+zone "nsec-to-nsec3.kasp" {
+	type primary;
+	file "nsec-to-nsec3.kasp.db";
+	inline-signing yes;
+	//dnssec-policy "nsec";
+	dnssec-policy "nsec3";
+};
+
+/* These zones use the default NSEC3 settings. */
+zone "nsec3.kasp" {
+	type primary;
+	file "nsec3.kasp.db";
+	inline-signing yes;
+	dnssec-policy "nsec3";
+};
+
+zone "nsec3-dynamic.kasp" {
+	type primary;
+	file "nsec3-dynamic.kasp.db";
+	dnssec-policy "nsec3";
+	allow-update { any; };
+};
+
+/* This zone uses non-default NSEC3 settings. */
+zone "nsec3-other.kasp" {
+	type primary;
+	file "nsec3-other.kasp.db";
+	inline-signing yes;
+	dnssec-policy "nsec3-other";
+};
+
+/* These zone will be reconfigured to use other NSEC3 settings. */
+zone "nsec3-change.kasp" {
+	type primary;
+	file "nsec3-change.kasp.db";
+	inline-signing yes;
+	//dnssec-policy "nsec3";
+	dnssec-policy "nsec3-other";
+};
+
+zone "nsec3-dynamic-change.kasp" {
+	type primary;
+	file "nsec3-dynamic-change.kasp.db";
+	//dnssec-policy "nsec3";
+	dnssec-policy "nsec3-other";
+	allow-update { any; };
+};
+
+/* The zone will be reconfigured to use opt-out. */
+zone "nsec3-to-optout.kasp" {
+	type primary;
+	file "nsec3-to-optout.kasp.db";
+	inline-signing yes;
+	//dnssec-policy "nsec3";
+	dnssec-policy "optout";
+};
+
+/* The zone will be reconfigured to disable opt-out. */
+zone "nsec3-from-optout.kasp" {
+	type primary;
+	file "nsec3-from-optout.kasp.db";
+	inline-signing yes;
+	//dnssec-policy "optout";
+	dnssec-policy "nsec3";
+};
+
+/* The zone starts with NSEC3, but will be reconfigured to use NSEC. */
+zone "nsec3-to-nsec.kasp" {
+	type primary;
+	file "nsec3-to-nsec.kasp.db";
+	inline-signing yes;
+	//dnssec-policy "nsec3";
+	dnssec-policy "nsec";
+};
+
+/* The zone fails to load, but is fixed after a reload. */
+zone "nsec3-fails-to-load.kasp" {
+	type primary;
+	file "nsec3-fails-to-load.kasp.db";
+	dnssec-policy "nsec3";
+	allow-update { any; };
+};
+
+/* These zones switch from dynamic to inline-signing or vice versa. */
+zone "nsec3-dynamic-to-inline.kasp" {
+	type primary;
+	file "nsec3-dynamic-to-inline.kasp.db";
+	inline-signing yes;
+	dnssec-policy "nsec3";
+	allow-update { any; };
+};
+
+zone "nsec3-inline-to-dynamic.kasp" {
+	type primary;
+	file "nsec3-inline-to-dynamic.kasp.db";
+	inline-signing no;
+	dnssec-policy "nsec3";
+	allow-update { any; };
+};
diff --git a/bin/tests/system/nsec3/ns3/nsec3-fails-to-load.kasp.db.in b/bin/tests/system/nsec3/ns3/nsec3-fails-to-load.kasp.db.in
new file mode 100644
index 0000000..77b0d10
--- /dev/null
+++ b/bin/tests/system/nsec3/ns3/nsec3-fails-to-load.kasp.db.in
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@			IN SOA  kasp. nsec3-fails-to-load.kasp. (
+                                1          ; serial
+                                30         ; refresh (30 seconds)
+                                10         ; retry (10 seconds)
+                                3600000    ; expire (5 weeks 6 days 16 hours)
+                                300        ; minimum (5 minutes)
+                                )
+                        NS      nsec3-fails-to-load.kasp.
diff --git a/bin/tests/system/nsec3/ns3/setup.sh b/bin/tests/system/nsec3/ns3/setup.sh
new file mode 100644
index 0000000..b7c449a
--- /dev/null
+++ b/bin/tests/system/nsec3/ns3/setup.sh
@@ -0,0 +1,35 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+echo_i "ns3/setup.sh"
+
+setup() {
+	zone="$1"
+	echo_i "setting up zone: $zone"
+	zonefile="${zone}.db"
+	infile="${zone}.db.infile"
+	cp template.db.in "$zonefile"
+}
+
+for zn in nsec-to-nsec3 nsec3 nsec3-other nsec3-change nsec3-to-nsec \
+	  nsec3-to-optout nsec3-from-optout nsec3-dynamic \
+	  nsec3-dynamic-change nsec3-dynamic-to-inline \
+	  nsec3-inline-to-dynamic nsec3-dynamic-update-inline
+do
+	setup "${zn}.kasp"
+done
+
+cp nsec3-fails-to-load.kasp.db.in nsec3-fails-to-load.kasp.db
diff --git a/bin/tests/system/nsec3/ns3/template.db.in b/bin/tests/system/nsec3/ns3/template.db.in
new file mode 100644
index 0000000..010b05b
--- /dev/null
+++ b/bin/tests/system/nsec3/ns3/template.db.in
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@		IN	SOA  mname1. . (
+			1       ; serial
+			20      ; refresh (20 seconds)
+			20      ; retry (20 seconds)
+			1814400 ; expire (3 weeks)
+			3600    ; minimum (1 hour)
+			)
+
+			NS	ns3
+ns3			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+c			A	10.0.0.3
+
diff --git a/bin/tests/system/nsec3/setup.sh b/bin/tests/system/nsec3/setup.sh
new file mode 100644
index 0000000..bdd1ae9
--- /dev/null
+++ b/bin/tests/system/nsec3/setup.sh
@@ -0,0 +1,30 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+set -e
+
+$SHELL clean.sh
+
+copy_setports ns2/named.conf.in ns2/named.conf
+(
+	cd ns2
+	$SHELL setup.sh
+)
+copy_setports ns3/named.conf.in ns3/named.conf
+(
+	cd ns3
+	$SHELL setup.sh
+)
diff --git a/bin/tests/system/nsec3/tests.sh b/bin/tests/system/nsec3/tests.sh
new file mode 100644
index 0000000..0141103
--- /dev/null
+++ b/bin/tests/system/nsec3/tests.sh
@@ -0,0 +1,388 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+# shellcheck source=kasp.sh
+. ../kasp.sh
+
+# Log errors and increment $ret.
+log_error() {
+	echo_i "error: $1"
+	ret=$((ret+1))
+}
+
+# Call dig with default options.
+dig_with_opts() {
+	$DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
+}
+
+# Call rndc.
+rndccmd() {
+    "$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@"
+}
+
+# Set zone name ($1) and policy ($2) for testing nsec3.
+set_zone_policy() {
+	ZONE=$1
+	POLICY=$2
+}
+# Set expected NSEC3 parameters: flags ($1), iterations ($2), and
+# salt length ($3).
+set_nsec3param() {
+	FLAGS=$1
+	ITERATIONS=$2
+	SALTLEN=$3
+	# Reset salt.
+	SALT=""
+}
+
+# The apex NSEC3PARAM record indicates that it is signed.
+_wait_for_nsec3param() {
+	dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC3PARAM > "dig.out.test$n.wait" || return 1
+	grep "${ZONE}\..*IN.*NSEC3PARAM.*1.*0.*${ITERATIONS}.*${SALT}" "dig.out.test$n.wait" > /dev/null || return 1
+	grep "${ZONE}\..*IN.*RRSIG" "dig.out.test$n.wait" > /dev/null || return 1
+        return 0
+}
+# The apex NSEC record indicates that it is signed.
+_wait_for_nsec() {
+	dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC > "dig.out.test$n.wait" || return 1
+	grep "NS SOA" "dig.out.test$n.wait" > /dev/null || return 1
+	grep "${ZONE}\..*IN.*RRSIG" "dig.out.test$n.wait" > /dev/null || return 1
+	grep "${ZONE}\..*IN.*NSEC3PARAM" "dig.out.test$n.wait" > /dev/null && return 1
+        return 0
+}
+
+# Wait for the zone to be signed.
+wait_for_zone_is_signed() {
+	n=$((n+1))
+	ret=0
+	echo_i "wait for ${ZONE} to be signed ($n)"
+
+	if [ "$1" = "nsec3" ]; then
+		retry_quiet 10 _wait_for_nsec3param || log_error "wait for ${ZONE} to be signed failed"
+	else
+		retry_quiet 10 _wait_for_nsec || log_error "wait for ${ZONE} to be signed failed"
+	fi
+
+	test "$ret" -eq 0 || echo_i "failed"
+	status=$((status+ret))
+}
+
+# Test: check NSEC in answers
+_check_nsec_nsec3param()
+{
+	dig_with_opts +noquestion @$SERVER "${ZONE}" NSEC3PARAM > "dig.out.test$n.nsec3param.$ZONE" || return 1
+	grep "NSEC3PARAM" "dig.out.test$n.nsec3param.$ZONE" > /dev/null && return 1
+	return 0
+}
+
+_check_nsec_nxdomain()
+{
+	dig_with_opts @$SERVER "nosuchname.${ZONE}" > "dig.out.test$n.nxdomain.$ZONE" || return 1
+	grep "${ZONE}.*IN.*NSEC.*NS.*SOA.*RRSIG.*NSEC.*DNSKEY" "dig.out.test$n.nxdomain.$ZONE" > /dev/null || return 1
+	grep "NSEC3" "dig.out.test$n.nxdomain.$ZONE" > /dev/null && return 1
+	return 0
+}
+
+check_nsec()
+{
+	n=$((n+1))
+	echo_i "check NSEC3PARAM response for zone ${ZONE} ($n)"
+	ret=0
+	retry_quiet 10 _check_nsec_nsec3param || log_error "unexpected NSEC3PARAM in response for zone ${ZONE}"
+	test "$ret" -eq 0 || echo_i "failed"
+	status=$((status+ret))
+
+	n=$((n+1))
+	echo_i "check NXDOMAIN response for zone ${ZONE} ($n)"
+	ret=0
+	retry_quiet 10 _check_nsec_nxdomain || log_error "bad NXDOMAIN response for zone ${ZONE}"
+	test "$ret" -eq 0 || echo_i "failed"
+	status=$((status+ret))
+}
+
+# Test: check NSEC3 parameters in answers
+_check_nsec3_nsec3param()
+{
+	dig_with_opts +noquestion @$SERVER "${ZONE}" NSEC3PARAM > "dig.out.test$n.nsec3param.$ZONE" || return 1
+	grep "${ZONE}.*0.*IN.*NSEC3PARAM.*1.*0.*${ITERATIONS}.*${SALT}" "dig.out.test$n.nsec3param.$ZONE" > /dev/null || return 1
+
+	if [ -z "$SALT" ]; then
+		SALT=`awk '$4 == "NSEC3PARAM" { print $8 }' dig.out.test$n.nsec3param.$ZONE`
+	fi
+	return 0
+}
+
+_check_nsec3_nxdomain()
+{
+	dig_with_opts @$SERVER "nosuchname.${ZONE}" > "dig.out.test$n.nxdomain.$ZONE" || return 1
+	grep ".*\.${ZONE}.*IN.*NSEC3.*1.${FLAGS}.*${ITERATIONS}.*${SALT}" "dig.out.test$n.nxdomain.$ZONE" > /dev/null || return 1
+	return 0
+}
+
+check_nsec3()
+{
+	n=$((n+1))
+	echo_i "check that NSEC3PARAM 1 0 ${ITERATIONS} is published zone ${ZONE} ($n)"
+	ret=0
+	retry_quiet 10 _check_nsec3_nsec3param || log_error "bad NSEC3PARAM response for ${ZONE}"
+	test "$ret" -eq 0 || echo_i "failed"
+	status=$((status+ret))
+
+	n=$((n+1))
+	echo_i "check NXDOMAIN response has correct NSEC3 1 ${FLAGS} ${ITERATIONS} ${SALT} for zone ${ZONE} ($n)"
+	ret=0
+	retry_quiet 10 _check_nsec3_nxdomain || log_error "bad NXDOMAIN response for zone ${ZONE}"
+	test "$ret" -eq 0 || echo_i "failed"
+	status=$((status+ret))
+}
+
+start_time="$(TZ=UTC date +%s)"
+status=0
+n=0
+
+# Zone: nsec-to-nsec3.kasp.
+set_zone_policy "nsec-to-nsec3.kasp" "nsec"
+set_server "ns3" "10.53.0.3"
+echo_i "initial check zone ${ZONE}"
+check_nsec
+dnssec_verify
+
+# Zone: nsec3.kasp.
+set_zone_policy "nsec3.kasp" "nsec3"
+set_nsec3param "0" "5" "8"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-dynamic.kasp.
+set_zone_policy "nsec3-dynamic.kasp" "nsec3"
+set_nsec3param "0" "5" "8"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-change.kasp.
+set_zone_policy "nsec3-change.kasp" "nsec3"
+set_nsec3param "0" "5" "8"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-dynamic-change.kasp.
+set_zone_policy "nsec3-dynamic-change.kasp" "nsec3"
+set_nsec3param "0" "5" "8"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-dynamic-to-inline.kasp.
+set_zone_policy "nsec3-dynamic-to-inline.kasp" "nsec3" 1 3600
+set_nsec3param "0" "5" "8"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+
+# Zone: nsec3-inline-to-dynamic.kasp.
+set_zone_policy "nsec3-inline-to-dynamic.kasp" "nsec3" 1 3600
+set_nsec3param "0" "5" "8"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+
+# Zone: nsec3-to-nsec.kasp.
+set_zone_policy "nsec3-to-nsec.kasp" "nsec3"
+set_nsec3param "0" "5" "8"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-to-optout.kasp.
+set_zone_policy "nsec3-to-optout.kasp" "nsec3"
+set_nsec3param "0" "5" "8"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-from-optout.kasp.
+set_zone_policy "nsec3-from-optout.kasp" "optout"
+set_nsec3param "1" "5" "8"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-other.kasp.
+set_zone_policy "nsec3-other.kasp" "nsec3-other"
+set_nsec3param "1" "11" "0"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-xfr-inline.kasp.
+# This is a secondary zone, where the primary is signed with NSEC3 but
+# the dnssec-policy dictates NSEC.
+set_zone_policy "nsec3-xfr-inline.kasp" "nsec" 1 3600
+echo_i "initial check zone ${ZONE}"
+check_nsec
+
+# Zone: nsec3-dynamic-update-inline.kasp.
+set_zone_policy "nsec3-dynamic-update-inline.kasp" "nsec" 1 3600
+echo_i "initial check zone ${ZONE}"
+check_nsec
+
+n=$((n+1))
+echo_i "dynamic update dnssec-policy zone ${ZONE} with NSEC3 ($n)"
+ret=0
+$NSUPDATE > update.out.$ZONE.test$n 2>&1 << END || ret=1
+server 10.53.0.3 ${PORT}
+zone ${ZONE}.
+update add 04O18462RI5903H8RDVL0QDT5B528DUJ.${ZONE}. 3600 NSEC3 0 0 0 408A4B2D412A4E95 1JMDDPMTFF8QQLIOINSIG4CR9OTICAOC A RRSIG
+send
+END
+wait_for_log 10 "updating zone '${ZONE}/IN': update failed: explicit NSEC3 updates are not allowed in secure zones (REFUSED)" ns3/named.run || ret=1
+check_nsec
+
+# Reconfig named.
+ret=0
+echo_i "reconfig dnssec-policy to trigger nsec3 rollovers"
+copy_setports ns3/named2.conf.in ns3/named.conf
+rndc_reconfig ns3 10.53.0.3
+
+# Zone: nsec-to-nsec3.kasp. (reconfigured)
+set_zone_policy "nsec-to-nsec3.kasp" "nsec3"
+set_nsec3param "0" "5" "8"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3.kasp. (same)
+set_zone_policy "nsec3.kasp" "nsec3"
+set_nsec3param "0" "5" "8"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-dyamic.kasp. (same)
+set_zone_policy "nsec3-dynamic.kasp" "nsec3"
+set_nsec3param "0" "5" "8"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-change.kasp. (reconfigured)
+set_zone_policy "nsec3-change.kasp" "nsec3-other"
+set_nsec3param "1" "11" "0"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-dynamic-change.kasp. (reconfigured)
+set_zone_policy "nsec3-dynamic-change.kasp" "nsec3-other"
+set_nsec3param "1" "11" "0"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-dynamic-to-inline.kasp. (same)
+set_zone_policy "nsec3-dynamic-to-inline.kasp" "nsec3" 1 3600
+set_nsec3param "0" "5" "8"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec3
+
+# Zone: nsec3-inline-to-dynamic.kasp. (same)
+set_zone_policy "nsec3-inline-to-dynamic.kasp" "nsec3" 1 3600
+set_nsec3param "0" "5" "8"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+
+# Zone: nsec3-to-nsec.kasp. (reconfigured)
+set_zone_policy "nsec3-to-nsec.kasp" "nsec"
+set_nsec3param "1" "11" "0"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec
+dnssec_verify
+
+# Zone: nsec3-to-optout.kasp. (reconfigured)
+# DISABLED:
+# There is a bug in the nsec3param building code that thinks when the
+# optout bit is changed, the chain already exists. [GL #2216]
+#set_zone_policy "nsec3-to-optout.kasp" "optout"
+#set_nsec3param "1" "5" "8"
+#echo_i "check zone ${ZONE} after reconfig"
+#check_nsec3
+#dnssec_verify
+
+# Zone: nsec3-from-optout.kasp. (reconfigured)
+# DISABLED:
+# There is a bug in the nsec3param building code that thinks when the
+# optout bit is changed, the chain already exists. [GL #2216]
+#set_zone_policy "nsec3-from-optout.kasp" "nsec3"
+#set_nsec3param "0" "5" "8"
+#echo_i "check zone ${ZONE} after reconfig"
+#check_nsec3
+#dnssec_verify
+
+# Zone: nsec3-other.kasp. (same)
+set_zone_policy "nsec3-other.kasp" "nsec3-other"
+set_nsec3param "1" "11" "0"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec3
+dnssec_verify
+
+# Using rndc signing -nsec3param (should fail)
+set_zone_policy "nsec3-change.kasp" "nsec3-other"
+echo_i "use rndc signing -nsec3param ${ZONE} to change NSEC3 settings"
+rndccmd $SERVER signing -nsec3param 1 1 12 ffff $ZONE > rndc.signing.test$n.$ZONE || log_error "failed to call rndc signing -nsec3param $ZONE"
+grep "zone uses dnssec-policy, use rndc dnssec command instead" rndc.signing.test$n.$ZONE > /dev/null || log_error "rndc signing -nsec3param should fail"
+check_nsec3
+dnssec_verify
+
+# Test NSEC3 and NSEC3PARAM is the same after restart
+set_zone_policy "nsec3.kasp" "nsec3"
+set_nsec3param "0" "5" "8"
+echo_i "check zone ${ZONE} before restart"
+check_nsec3
+dnssec_verify
+
+# Restart named, NSEC3 should stay the same.
+ret=0
+echo "stop ns3"
+stop_server --use-rndc --port ${CONTROLPORT} ${DIR} || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+ret=0
+echo "start ns3"
+start_server --noclean --restart --port ${PORT} ${DIR}
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+prevsalt="${SALT}"
+set_zone_policy "nsec3.kasp" "nsec3"
+set_nsec3param "0" "5" "8"
+SALT="${prevsalt}"
+echo_i "check zone ${ZONE} after restart has salt ${SALT}"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-fails-to-load.kasp. (should be fixed after reload)
+cp ns3/template.db.in ns3/nsec3-fails-to-load.kasp.db
+rndc_reload ns3 10.53.0.3
+
+set_zone_policy "nsec3-fails-to-load.kasp" "nsec3"
+set_nsec3param "0" "5" "8"
+echo_i "check zone ${ZONE} after reload"
+check_nsec3
+dnssec_verify
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/nslookup/clean.sh b/bin/tests/system/nslookup/clean.sh
new file mode 100644
index 0000000..439f90d
--- /dev/null
+++ b/bin/tests/system/nslookup/clean.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f ns1/example.db
+rm -f nslookup.out*
+rm -f ns*/named.lock
+rm -f ns*/named.memstats
+rm -f ns*/named.run
+rm -f ns*/named.conf
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/nslookup/ns1/example.net.db b/bin/tests/system/nslookup/ns1/example.net.db
new file mode 100644
index 0000000..73aeeb1
--- /dev/null
+++ b/bin/tests/system/nslookup/ns1/example.net.db
@@ -0,0 +1,31 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+
+@		86400	IN SOA	ns1 hostmaster (
+					1397051952 ; "SER0"
+					5
+					5
+					1814400
+					3600 )
+@			NS	ns1
+ns1			A	10.53.0.1
+
+a-only			A	1.2.3.4
+aaaa-only		AAAA	2001::ffff
+
+dual			A	1.2.3.4
+			AAAA	2001::ffff
+
+cname-a-only		CNAME	a-only
+cname-aaaa-only		CNAME	aaaa-only
+cname-dual		CNAME	dual
diff --git a/bin/tests/system/nslookup/ns1/named.conf.in b/bin/tests/system/nslookup/ns1/named.conf.in
new file mode 100644
index 0000000..67b4f4f
--- /dev/null
+++ b/bin/tests/system/nslookup/ns1/named.conf.in
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+};
+
+zone "example.net" {
+	type primary;
+	file "example.net.db";
+};
diff --git a/bin/tests/system/nslookup/setup.sh b/bin/tests/system/nslookup/setup.sh
new file mode 100644
index 0000000..8e4016e
--- /dev/null
+++ b/bin/tests/system/nslookup/setup.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+
+$SHELL ../genzone.sh 1 >ns1/example.db
+
+copy_setports ns1/named.conf.in ns1/named.conf
diff --git a/bin/tests/system/nslookup/tests.sh b/bin/tests/system/nslookup/tests.sh
new file mode 100644
index 0000000..2be4eac
--- /dev/null
+++ b/bin/tests/system/nslookup/tests.sh
@@ -0,0 +1,112 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=0
+
+n=`expr $n + 1`
+echo_i "Check that domain names that are too big when applying a search list entry are handled cleanly ($n)"
+ret=0
+l=012345678901234567890123456789012345678901234567890123456789012
+t=0123456789012345678901234567890123456789012345678901234567890
+d=$l.$l.$l.$t
+$NSLOOKUP -port=${PORT} -domain=$d -type=soa example 10.53.0.1 > nslookup.out${n} || ret=1
+grep "origin = ns1.example" nslookup.out${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "Check A only lookup"
+ret=0
+$NSLOOKUP -port=${PORT} a-only.example.net 10.53.0.1 > nslookup.out${n} || ret=1
+lines=`grep "Server:" nslookup.out${n} | wc -l`
+test $lines = 1 || ret=1
+lines=`grep a-only.example.net nslookup.out${n} | wc -l`
+test $lines = 1 || ret=1
+grep "1.2.3.4" nslookup.out${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "Check AAAA only lookup"
+ret=0
+$NSLOOKUP -port=${PORT} aaaa-only.example.net 10.53.0.1 > nslookup.out${n} || ret=1
+lines=`grep "Server:" nslookup.out${n} | wc -l`
+test $lines = 1 || ret=1
+lines=`grep aaaa-only.example.net nslookup.out${n} | wc -l`
+test $lines = 1 || ret=1
+grep "2001::ffff" nslookup.out${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "Check dual A + AAAA lookup"
+ret=0
+$NSLOOKUP -port=${PORT} dual.example.net 10.53.0.1 > nslookup.out${n} || ret=1
+lines=`grep "Server:" nslookup.out${n} | wc -l`
+test $lines = 1 || ret=1
+lines=`grep dual.example.net nslookup.out${n} | wc -l`
+test $lines = 2 || ret=1
+grep "1.2.3.4" nslookup.out${n} > /dev/null || ret=1
+grep "2001::ffff" nslookup.out${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "Check CNAME to A only lookup"
+ret=0
+$NSLOOKUP -port=${PORT} cname-a-only.example.net 10.53.0.1 > nslookup.out${n} || ret=1
+lines=`grep "Server:" nslookup.out${n} | wc -l`
+test $lines = 1 || ret=1
+lines=`grep "canonical name" nslookup.out${n} | wc -l`
+test $lines = 1 || ret=1
+lines=`grep a-only.example.net nslookup.out${n} | grep -v "canonical name" | wc -l`
+test $lines = 1 || ret=1
+grep "1.2.3.4" nslookup.out${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "Check CNAME to AAAA only lookup"
+ret=0
+$NSLOOKUP -port=${PORT} cname-aaaa-only.example.net 10.53.0.1 > nslookup.out${n} || ret=1
+lines=`grep "Server:" nslookup.out${n} | wc -l`
+test $lines = 1 || ret=1
+lines=`grep "canonical name" nslookup.out${n} | wc -l`
+test $lines = 1 || ret=1
+lines=`grep aaaa-only.example.net nslookup.out${n} | grep -v "canonical name" |wc -l`
+test $lines = 1 || ret=1
+grep "2001::ffff" nslookup.out${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "Check CNAME to dual A + AAAA lookup"
+ret=0
+$NSLOOKUP -port=${PORT} cname-dual.example.net 10.53.0.1 > nslookup.out${n} || ret=1
+lines=`grep "Server:" nslookup.out${n} | wc -l`
+test $lines = 1 || ret=1
+lines=`grep "canonical name" nslookup.out${n} | wc -l`
+test $lines = 1 || ret=1
+lines=`grep dual.example.net nslookup.out${n} | grep -v "canonical name" | wc -l`
+test $lines = 2 || ret=1
+grep "1.2.3.4" nslookup.out${n} > /dev/null || ret=1
+grep "2001::ffff" nslookup.out${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/nsupdate/ans4/ans.pl b/bin/tests/system/nsupdate/ans4/ans.pl
new file mode 100644
index 0000000..d4299c4
--- /dev/null
+++ b/bin/tests/system/nsupdate/ans4/ans.pl
@@ -0,0 +1,60 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+use IO::Socket;
+use IO::File;
+use strict;
+
+# Ignore SIGPIPE so we won't fail if peer closes a TCP socket early
+local $SIG{PIPE} = 'IGNORE';
+
+# Flush logged output after every line
+local $| = 1;
+
+my $server_addr = "10.53.0.4";
+if (@ARGV > 0) {
+	$server_addr = @ARGV[0];
+}
+
+my $localport = int($ENV{'PORT'});
+if (!$localport) { $localport = 5300; }
+
+my $udpsock = IO::Socket::INET->new(LocalAddr => "$server_addr",
+   LocalPort => $localport, Proto => "udp", Reuse => 1) or die "$!";
+
+print "listening on $server_addr:$localport.\n";
+
+my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
+print $pidf "$$\n" or die "cannot write pid file: $!";
+$pidf->close or die "cannot close pid file: $!";;
+sub rmpid { unlink "ans.pid"; exit 1; };
+
+$SIG{INT} = \&rmpid;
+$SIG{TERM} = \&rmpid;
+
+# Main
+for (;;) {
+	my $rin;
+	my $rout;
+
+	$rin = '';
+	vec($rin, fileno($udpsock), 1) = 1;
+
+	select($rout = $rin, undef, undef, undef);
+
+	if (vec($rout, fileno($udpsock), 1)) {
+		printf "UDP request\n";
+		my $buf;
+		$udpsock->recv($buf, 512);
+	}
+}
diff --git a/bin/tests/system/nsupdate/clean.sh b/bin/tests/system/nsupdate/clean.sh
new file mode 100644
index 0000000..1746ec1
--- /dev/null
+++ b/bin/tests/system/nsupdate/clean.sh
@@ -0,0 +1,69 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Clean up after zone transfer tests.
+#
+
+rm -f */*.jnl
+rm -f */named.conf
+rm -f */named.memstats
+rm -f */named.run */ans.run
+rm -f */named.run.prev
+rm -f Kxxx.*
+rm -f check.out.*
+rm -f dig.out.*
+rm -f jp.out.ns3.*
+rm -f nextpart.out.*
+rm -f ns*/managed-keys.bind* ns*/*.mkeys*
+rm -f ns*/named.lock
+rm -f ns1/example.db ns1/unixtime.db ns1/yyyymmddvv.db ns1/update.db ns1/other.db ns1/keytests.db
+rm -f ns1/many.test.db
+rm -f ns1/maxjournal.db
+rm -f ns1/md5.key ns1/sha1.key ns1/sha224.key ns1/sha256.key ns1/sha384.key
+rm -f ns1/sample.db
+rm -f ns1/sha512.key ns1/ddns.key
+rm -f ns10/_default.tsigkeys
+rm -f ns10/example.com.db
+rm -f ns10/in-addr.db
+rm -f ns2/example.bk
+rm -f ns2/sample.db
+rm -f ns2/update.bk ns2/update.alt.bk
+rm -f ns3/*.signed
+rm -f ns3/K*
+rm -f ns3/delegation.test.db
+rm -f ns3/dnskey.test.db
+rm -f ns3/dsset-*
+rm -f ns3/example.db
+rm -f ns3/multisigner.test.db
+rm -f ns3/many.test.bk
+rm -f ns3/nsec3param.test.db
+rm -f ns3/too-big.test.db
+rm -f ns5/local.db
+rm -f ns6/in-addr.db
+rm -f ns7/_default.tsigkeys
+rm -f ns7/example.com.db
+rm -f ns7/in-addr.db
+rm -f ns8/_default.tsigkeys
+rm -f ns8/example.com.db
+rm -f ns8/in-addr.db
+rm -f ns9/_default.tsigkeys
+rm -f ns9/denyname.example.db
+rm -f ns9/example.com.db
+rm -f ns9/in-addr.db
+rm -f perl.update_test.out
+rm -f nsupdate.out*
+rm -f typelist.out.*
+rm -f update.out.*
+rm -f update.in.*
+rm -f verylarge
diff --git a/bin/tests/system/nsupdate/commandlist b/bin/tests/system/nsupdate/commandlist
new file mode 100644
index 0000000..41c8049
--- /dev/null
+++ b/bin/tests/system/nsupdate/commandlist
@@ -0,0 +1,15 @@
+server 127.0.0.1
+server 127.0.0.1 port
+update
+update delete
+update delete dummy
+update delete dummy in
+update delete dummy in a
+update delete dummy in a 127.0.0.1
+update add
+update add domain
+update add domain 0
+update add domain 0 in
+update add domain 0 in a
+update add domain 0 a
+update add domain 0 a in
diff --git a/bin/tests/system/nsupdate/knowngood.ns1.after b/bin/tests/system/nsupdate/knowngood.ns1.after
new file mode 100644
index 0000000..4114159
--- /dev/null
+++ b/bin/tests/system/nsupdate/knowngood.ns1.after
@@ -0,0 +1,99 @@
+example.nil.		300	IN	SOA	ns1.example.nil. hostmaster.example.nil. 2 2000 2000 1814400 3600
+example.nil.		300	IN	NS	ns1.example.nil.
+example.nil.		300	IN	NS	ns2.example.nil.
+*.example.nil.		300	IN	MX	10 mail.example.nil.
+a.example.nil.		300	IN	TXT	"foo foo foo"
+a.example.nil.		300	IN	PTR	foo.net.
+a01.example.nil.	3600	IN	A	0.0.0.0
+a02.example.nil.	3600	IN	A	255.255.255.255
+a601.example.nil.	3600	IN	AAAA	ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+afsdb01.example.nil.	3600	IN	AFSDB	0 hostname.example.nil.
+afsdb02.example.nil.	3600	IN	AFSDB	65535 .
+b.example.nil.		300	IN	CNAME	foo.net.
+c.example.nil.		300	IN	A	73.80.65.49
+cert01.example.nil.	3600	IN	CERT	65534 65535 PRIVATEOID MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgiWCn/GxHhai6V AuHAoNUz4YoU1tVfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY=
+cname01.example.nil.	3600	IN	CNAME	cname-target.
+cname02.example.nil.	3600	IN	CNAME	cname-target.example.nil.
+cname03.example.nil.	3600	IN	CNAME	.
+d.example.nil.		300	IN	A	73.80.65.49
+dname01.example.nil.	3600	IN	DNAME	dname-target.
+dname02.example.nil.	3600	IN	DNAME	dname-target.example.nil.
+dname03.example.nil.	3600	IN	DNAME	.
+e.example.nil.		300	IN	MX	10 mail.example.nil.
+e.example.nil.		300	IN	TXT	"one"
+e.example.nil.		300	IN	TXT	"two"
+e.example.nil.		300	IN	TXT	"three"
+e.example.nil.		300	IN	A	73.80.65.49
+e.example.nil.		300	IN	A	73.80.65.50
+e.example.nil.		300	IN	A	73.80.65.51
+e.example.nil.		300	IN	A	73.80.65.52
+f.example.nil.		300	IN	A	73.80.65.52
+gpos01.example.nil.	3600	IN	GPOS	"-22.6882" "116.8652" "250.0"
+gpos02.example.nil.	3600	IN	GPOS	"" "" ""
+hinfo01.example.nil.	3600	IN	HINFO	"Generic PC clone" "NetBSD-1.4"
+hinfo02.example.nil.	3600	IN	HINFO	"PC" "NetBSD"
+isdn01.example.nil.	3600	IN	ISDN	"isdn-address"
+isdn02.example.nil.	3600	IN	ISDN	"isdn-address" "subaddress"
+isdn03.example.nil.	3600	IN	ISDN	"isdn-address"
+isdn04.example.nil.	3600	IN	ISDN	"isdn-address" "subaddress"
+key01.example.nil.	3600	IN	KEY	512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8=
+kx01.example.nil.	3600	IN	KX	10 kdc.example.nil.
+kx02.example.nil.	3600	IN	KX	10 .
+loc01.example.nil.	3600	IN	LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+loc02.example.nil.	3600	IN	LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+mb01.example.nil.	3600	IN	MG	madname.example.nil.
+mb02.example.nil.	3600	IN	MG	.
+mg01.example.nil.	3600	IN	MG	mgmname.example.nil.
+mg02.example.nil.	3600	IN	MG	.
+minfo01.example.nil.	3600	IN	MINFO	rmailbx.example.nil. emailbx.example.nil.
+minfo02.example.nil.	3600	IN	MINFO	. .
+mr01.example.nil.	3600	IN	MR	mrname.example.nil.
+mr02.example.nil.	3600	IN	MR	.
+mx01.example.nil.	3600	IN	MX	10 mail.example.nil.
+mx02.example.nil.	3600	IN	MX	10 .
+naptr01.example.nil.	3600	IN	NAPTR	0 0 "" "" "" .
+naptr02.example.nil.	3600	IN	NAPTR	65535 65535 "blurgh" "blorf" "blllbb" foo.
+ns1.example.nil.	300	IN	A	10.53.0.1
+ns2.example.nil.	300	IN	A	10.53.0.2
+nsap-ptr01.example.nil.	3600	IN	NSAP-PTR .
+nsap-ptr01.example.nil.	3600	IN	NSAP-PTR foo.
+nsap01.example.nil.	3600	IN	NSAP	0x47000580005a0000000001e133ffffff00016100
+nsap02.example.nil.	3600	IN	NSAP	0x47000580005a0000000001e133ffffff00016100
+nxt01.example.nil.	3600	IN	NXT	a.secure.example.nil. NS SOA MX SIG KEY LOC NXT
+nxt02.example.nil.	3600	IN	NXT	. NSAP-PTR NXT
+nxt03.example.nil.	3600	IN	NXT	. A
+nxt04.example.nil.	3600	IN	NXT	. 127
+ptr01.example.nil.	3600	IN	PTR	example.nil.
+px01.example.nil.	3600	IN	PX	65535 foo. bar.
+px02.example.nil.	3600	IN	PX	65535 . .
+rp01.example.nil.	3600	IN	RP	mbox-dname.example.nil. txt-dname.example.nil.
+rp02.example.nil.	3600	IN	RP	. .
+rt01.example.nil.	3600	IN	RT	0 intermediate-host.example.nil.
+rt02.example.nil.	3600	IN	RT	65535 .
+s.example.nil.		300	IN	NS	ns.s.example.nil.
+ns.s.example.nil.	300	IN	A	73.80.65.49
+sig01.example.nil.	3600	IN	SIG	NXT 1 3 3600 20000102030405 19961211100908 2143 foo.example.nil. MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgiWCn/GxHhai6V AuHAoNUz4YoU1tVfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY=
+srv01.example.nil.	3600	IN	SRV	0 0 0 .
+srv02.example.nil.	3600	IN	SRV	65535 65535 65535 old-slow-box.example.com.
+txt01.example.nil.	3600	IN	TXT	"foo"
+txt02.example.nil.	3600	IN	TXT	"foo" "bar"
+txt03.example.nil.	3600	IN	TXT	"foo"
+txt04.example.nil.	3600	IN	TXT	"foo" "bar"
+txt05.example.nil.	3600	IN	TXT	"foo bar"
+txt06.example.nil.	3600	IN	TXT	"foo bar"
+txt07.example.nil.	3600	IN	TXT	"foo bar"
+txt08.example.nil.	3600	IN	TXT	"foo\010bar"
+txt09.example.nil.	3600	IN	TXT	"foo\010bar"
+txt10.example.nil.	3600	IN	TXT	"foo bar"
+txt11.example.nil.	3600	IN	TXT	"\"foo\""
+txt12.example.nil.	3600	IN	TXT	"\"foo\""
+u.example.nil.		300	IN	TXT	"txt-not-in-nxt"
+a.u.example.nil.	300	IN	A	73.80.65.49
+b.u.example.nil.	300	IN	A	73.80.65.49
+updated.example.nil.	600	IN	TXT	"Foo"
+updated.example.nil.	600	IN	A	10.10.10.1
+wks01.example.nil.	3600	IN	WKS	10.0.0.1 6 0 1 2 21 23
+wks02.example.nil.	3600	IN	WKS	10.0.0.1 17 0 1 2 53
+wks03.example.nil.	3600	IN	WKS	10.0.0.2 6 65535
+x2501.example.nil.	3600	IN	X25	"123456789"
+example.nil.		300	IN	SOA	ns1.example.nil. hostmaster.example.nil. 2 2000 2000 1814400 3600
diff --git a/bin/tests/system/nsupdate/knowngood.ns1.afterstop b/bin/tests/system/nsupdate/knowngood.ns1.afterstop
new file mode 100644
index 0000000..e871d4c
--- /dev/null
+++ b/bin/tests/system/nsupdate/knowngood.ns1.afterstop
@@ -0,0 +1,3 @@
+updated4.example.nil.	600	IN	A	10.10.10.3
+example.nil.		300	IN	NS	ns1.example.nil.
+example.nil.		300	IN	NS	ns2.example.nil.
diff --git a/bin/tests/system/nsupdate/knowngood.ns1.before b/bin/tests/system/nsupdate/knowngood.ns1.before
new file mode 100644
index 0000000..4a5e630
--- /dev/null
+++ b/bin/tests/system/nsupdate/knowngood.ns1.before
@@ -0,0 +1,98 @@
+example.nil.		300	IN	SOA	ns1.example.nil. hostmaster.example.nil. 1 2000 2000 1814400 3600
+example.nil.		300	IN	NS	ns1.example.nil.
+example.nil.		300	IN	NS	ns2.example.nil.
+*.example.nil.		300	IN	MX	10 mail.example.nil.
+a.example.nil.		300	IN	TXT	"foo foo foo"
+a.example.nil.		300	IN	PTR	foo.net.
+a01.example.nil.	3600	IN	A	0.0.0.0
+a02.example.nil.	3600	IN	A	255.255.255.255
+a601.example.nil.	3600	IN	AAAA	ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+afsdb01.example.nil.	3600	IN	AFSDB	0 hostname.example.nil.
+afsdb02.example.nil.	3600	IN	AFSDB	65535 .
+b.example.nil.		300	IN	CNAME	foo.net.
+c.example.nil.		300	IN	A	73.80.65.49
+cert01.example.nil.	3600	IN	CERT	65534 65535 PRIVATEOID MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgiWCn/GxHhai6V AuHAoNUz4YoU1tVfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY=
+cname01.example.nil.	3600	IN	CNAME	cname-target.
+cname02.example.nil.	3600	IN	CNAME	cname-target.example.nil.
+cname03.example.nil.	3600	IN	CNAME	.
+d.example.nil.		300	IN	A	73.80.65.49
+dname01.example.nil.	3600	IN	DNAME	dname-target.
+dname02.example.nil.	3600	IN	DNAME	dname-target.example.nil.
+dname03.example.nil.	3600	IN	DNAME	.
+e.example.nil.		300	IN	MX	10 mail.example.nil.
+e.example.nil.		300	IN	TXT	"one"
+e.example.nil.		300	IN	TXT	"two"
+e.example.nil.		300	IN	TXT	"three"
+e.example.nil.		300	IN	A	73.80.65.49
+e.example.nil.		300	IN	A	73.80.65.50
+e.example.nil.		300	IN	A	73.80.65.51
+e.example.nil.		300	IN	A	73.80.65.52
+f.example.nil.		300	IN	A	73.80.65.52
+gpos01.example.nil.	3600	IN	GPOS	"-22.6882" "116.8652" "250.0"
+gpos02.example.nil.	3600	IN	GPOS	"" "" ""
+hinfo01.example.nil.	3600	IN	HINFO	"Generic PC clone" "NetBSD-1.4"
+hinfo02.example.nil.	3600	IN	HINFO	"PC" "NetBSD"
+isdn01.example.nil.	3600	IN	ISDN	"isdn-address"
+isdn02.example.nil.	3600	IN	ISDN	"isdn-address" "subaddress"
+isdn03.example.nil.	3600	IN	ISDN	"isdn-address"
+isdn04.example.nil.	3600	IN	ISDN	"isdn-address" "subaddress"
+key01.example.nil.	3600	IN	KEY	512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8=
+kx01.example.nil.	3600	IN	KX	10 kdc.example.nil.
+kx02.example.nil.	3600	IN	KX	10 .
+loc01.example.nil.	3600	IN	LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+loc02.example.nil.	3600	IN	LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+mb01.example.nil.	3600	IN	MG	madname.example.nil.
+mb02.example.nil.	3600	IN	MG	.
+mg01.example.nil.	3600	IN	MG	mgmname.example.nil.
+mg02.example.nil.	3600	IN	MG	.
+minfo01.example.nil.	3600	IN	MINFO	rmailbx.example.nil. emailbx.example.nil.
+minfo02.example.nil.	3600	IN	MINFO	. .
+mr01.example.nil.	3600	IN	MR	mrname.example.nil.
+mr02.example.nil.	3600	IN	MR	.
+mx01.example.nil.	3600	IN	MX	10 mail.example.nil.
+mx02.example.nil.	3600	IN	MX	10 .
+naptr01.example.nil.	3600	IN	NAPTR	0 0 "" "" "" .
+naptr02.example.nil.	3600	IN	NAPTR	65535 65535 "blurgh" "blorf" "blllbb" foo.
+ns1.example.nil.	300	IN	A	10.53.0.1
+ns2.example.nil.	300	IN	A	10.53.0.2
+nsap-ptr01.example.nil.	3600	IN	NSAP-PTR .
+nsap-ptr01.example.nil.	3600	IN	NSAP-PTR foo.
+nsap01.example.nil.	3600	IN	NSAP	0x47000580005a0000000001e133ffffff00016100
+nsap02.example.nil.	3600	IN	NSAP	0x47000580005a0000000001e133ffffff00016100
+nxt01.example.nil.	3600	IN	NXT	a.secure.example.nil. NS SOA MX SIG KEY LOC NXT
+nxt02.example.nil.	3600	IN	NXT	. NSAP-PTR NXT
+nxt03.example.nil.	3600	IN	NXT	. A
+nxt04.example.nil.	3600	IN	NXT	. 127
+ptr01.example.nil.	3600	IN	PTR	example.nil.
+px01.example.nil.	3600	IN	PX	65535 foo. bar.
+px02.example.nil.	3600	IN	PX	65535 . .
+rp01.example.nil.	3600	IN	RP	mbox-dname.example.nil. txt-dname.example.nil.
+rp02.example.nil.	3600	IN	RP	. .
+rt01.example.nil.	3600	IN	RT	0 intermediate-host.example.nil.
+rt02.example.nil.	3600	IN	RT	65535 .
+s.example.nil.		300	IN	NS	ns.s.example.nil.
+ns.s.example.nil.	300	IN	A	73.80.65.49
+sig01.example.nil.	3600	IN	SIG	NXT 1 3 3600 20000102030405 19961211100908 2143 foo.example.nil. MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgiWCn/GxHhai6V AuHAoNUz4YoU1tVfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY=
+srv01.example.nil.	3600	IN	SRV	0 0 0 .
+srv02.example.nil.	3600	IN	SRV	65535 65535 65535 old-slow-box.example.com.
+t.example.nil.		301	IN	A	73.80.65.49
+txt01.example.nil.	3600	IN	TXT	"foo"
+txt02.example.nil.	3600	IN	TXT	"foo" "bar"
+txt03.example.nil.	3600	IN	TXT	"foo"
+txt04.example.nil.	3600	IN	TXT	"foo" "bar"
+txt05.example.nil.	3600	IN	TXT	"foo bar"
+txt06.example.nil.	3600	IN	TXT	"foo bar"
+txt07.example.nil.	3600	IN	TXT	"foo bar"
+txt08.example.nil.	3600	IN	TXT	"foo\010bar"
+txt09.example.nil.	3600	IN	TXT	"foo\010bar"
+txt10.example.nil.	3600	IN	TXT	"foo bar"
+txt11.example.nil.	3600	IN	TXT	"\"foo\""
+txt12.example.nil.	3600	IN	TXT	"\"foo\""
+u.example.nil.		300	IN	TXT	"txt-not-in-nxt"
+a.u.example.nil.	300	IN	A	73.80.65.49
+b.u.example.nil.	300	IN	A	73.80.65.49
+wks01.example.nil.	3600	IN	WKS	10.0.0.1 6 0 1 2 21 23
+wks02.example.nil.	3600	IN	WKS	10.0.0.1 17 0 1 2 53
+wks03.example.nil.	3600	IN	WKS	10.0.0.2 6 65535
+x2501.example.nil.	3600	IN	X25	"123456789"
+example.nil.		300	IN	SOA	ns1.example.nil. hostmaster.example.nil. 1 2000 2000 1814400 3600
diff --git a/bin/tests/system/nsupdate/krb/setup.sh b/bin/tests/system/nsupdate/krb/setup.sh
new file mode 100644
index 0000000..5ac116c
--- /dev/null
+++ b/bin/tests/system/nsupdate/krb/setup.sh
@@ -0,0 +1,117 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -x
+
+PWD=`pwd`
+
+KRB5_CONFIG="${PWD}/krb5.conf"
+export KRB5_CONFIG
+
+KRB5_KDC_PROFILE=${PWD}/krb5kdc
+export KRB5_KDC_PROFILE
+
+now=`date +%s`
+lifetime=`expr 2147483647 - $now`
+lifetime=`expr $lifetime / 3600 / 24 - 30`
+
+cat << EOF > "${KRB5_CONFIG}"
+[libdefaults]
+   default_realm = EXAMPLE.COM
+   dns_lookup_kdc = false
+   # Depending on what you are testing, you may want something like:
+   # default_keytab_name = FILE:/usr/local/var/keytab
+[realms]
+   EXAMPLE.COM = {
+     admin_server = 127.0.0.1:50001
+     kdc = 127.0.0.1:50000
+     database_module = DB2
+     kdc_ports = 50000
+     kadmind_port = 50001
+   }
+[dbmodules]
+   DB2 = {
+     db_library = db2
+   }
+[logging]
+   # Use any pathnames you want here.
+   kdc = FILE:${PWD}/kdc.log
+   admin_server = FILE:${PWD}/kadmin.log
+# Depending on what you are testing, you may want:
+# [domain_realm]
+#   your.domain = EXAMPLE.COM
+EOF
+
+rm -rf ${KRB5_KDC_PROFILE}
+mkdir -p ${KRB5_KDC_PROFILE}
+chmod 700 ${KRB5_KDC_PROFILE}
+
+cat << EOF > "${KRB5_KDC_PROFILE}"/kdc.conf
+[kdcdefaults]
+  kdc_ports = 50000
+  kdc_tcp_ports = 50000
+
+[realms]
+  EXAMPLE.COM = {
+    key_stash_file = ${KRB5_KDC_PROFILE}/.k5.EXAMPLE.COM
+    database_module = EXAMPLE.COM
+    max_life = ${lifetime}d
+}
+
+[dbmodules]
+  EXAMPLE.COM = {
+    db_library = db2
+    database_name = ${KRB5_KDC_PROFILE}/principal
+  }
+EOF
+
+kdb5_util create -s <<EOF
+master
+master
+EOF
+
+krb5kdc -n &
+krb5kdcpid=$!
+#trap "kill $krb5kdcpid; wait; trap 0; exit" 0 15
+
+
+kadmin.local addprinc -maxlife ${lifetime}d -randkey DNS/ns7.example.com@EXAMPLE.COM
+kadmin.local addprinc -maxlife ${lifetime}d -randkey DNS/ns8.example.com@EXAMPLE.COM
+kadmin.local addprinc -maxlife ${lifetime}d -randkey host/machine.example.com@EXAMPLE.COM
+
+kadmin.local ktadd -k ns7-server.keytab DNS/ns7.example.com@EXAMPLE.COM
+kadmin.local ktadd -k ns8-server.keytab DNS/ns8.example.com@EXAMPLE.COM
+kadmin.local ktadd -k krb5-machine.keytab host/machine.example.com@EXAMPLE.COM
+
+kadmin.local addprinc -maxlife ${lifetime}d -randkey 'DNS/ns9.example.com@EXAMPLE.COM'
+kadmin.local addprinc -maxlife ${lifetime}d -randkey 'DNS/ns10.example.com@EXAMPLE.COM'
+kadmin.local addprinc -maxlife ${lifetime}d -randkey 'machine$@EXAMPLE.COM'
+
+kadmin.local ktadd -k ns9-server.keytab 'DNS/ns9.example.com@EXAMPLE.COM'
+kadmin.local ktadd -k ns10-server.keytab 'DNS/ns10.example.com@EXAMPLE.COM'
+kadmin.local ktadd -k ms-machine.keytab 'machine$@EXAMPLE.COM'
+
+kinit -V -k -t krb5-machine.keytab -l ${lifetime}d -c krb5-machine.ccache host/machine.example.com@EXAMPLE.COM
+kinit -V -k -t ms-machine.keytab -l ${lifetime}d -c ms-machine.ccache 'machine$@EXAMPLE.COM'
+
+cp ns7-server.keytab ../ns7/dns.keytab
+cp ns8-server.keytab ../ns8/dns-other-than-KRB5_KTNAME.keytab
+cp ns9-server.keytab ../ns9/dns.keytab
+cp ns10-server.keytab ../ns10/dns.keytab
+
+cp krb5-machine.ccache ../ns7/machine.ccache
+cp krb5-machine.ccache ../ns8/machine.ccache
+cp ms-machine.ccache ../ns9/machine.ccache
+cp ms-machine.ccache ../ns10/machine.ccache
+
+echo krb5kdc pid:$krb5kdcpid
diff --git a/bin/tests/system/nsupdate/ns1/example1.db b/bin/tests/system/nsupdate/ns1/example1.db
new file mode 100644
index 0000000..566b0a0
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns1/example1.db
@@ -0,0 +1,146 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300	; 5 minutes
+example.nil		IN SOA	ns1.example.nil. hostmaster.example.nil. (
+				1	   ; serial
+				2000       ; refresh (2000 seconds)
+				2000       ; retry (2000 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+example.nil.		NS	ns1.example.nil.
+ns1.example.nil.	A	10.53.0.1
+example.nil.		NS	ns2.example.nil.
+ns2.example.nil.	A	10.53.0.2
+
+$ORIGIN example.nil.
+*			MX	10 mail
+a			TXT	"foo foo foo"
+			PTR	foo.net.
+$TTL 3600	; 1 hour
+a01			A	0.0.0.0
+a02			A	255.255.255.255
+a601			AAAA	ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+afsdb01			AFSDB	0 hostname
+afsdb02			AFSDB	65535 .
+$TTL 300	; 5 minutes
+b			CNAME	foo.net.
+c			A	73.80.65.49
+$TTL 3600	; 1 hour
+cert01			CERT	65534 65535 PRIVATEOID (
+				MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi
+				WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl
+				d80jEeC8aTrO+KKmCaY= )
+cname01			CNAME	cname-target.
+cname02			CNAME	cname-target
+cname03			CNAME	.
+$TTL 300	; 5 minutes
+d			A	73.80.65.49
+$TTL 3600	; 1 hour
+dname01			DNAME	dname-target.
+dname02			DNAME	dname-target
+dname03			DNAME	.
+$TTL 300	; 5 minutes
+e			MX	10 mail
+			TXT	"one"
+			TXT	"three"
+			TXT	"two"
+			A	73.80.65.49
+			A	73.80.65.50
+			A	73.80.65.52
+			A	73.80.65.51
+f			A	73.80.65.52
+$TTL 3600	; 1 hour
+gpos01			GPOS	"-22.6882" "116.8652" "250.0"
+gpos02			GPOS	"" "" ""
+hinfo01			HINFO	"Generic PC clone" "NetBSD-1.4"
+hinfo02			HINFO	"PC" "NetBSD"
+isdn01			ISDN	"isdn-address"
+isdn02			ISDN	"isdn-address" "subaddress"
+isdn03			ISDN	"isdn-address"
+isdn04			ISDN	"isdn-address" "subaddress"
+key01			KEY	512 255 1 (
+				AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aR
+				yzWZriO6i2odGWWQVucZqKVsENW91IOW4vqudngPZsY3
+				GvQ/xVA8/7pyFj6b7Esga60zyGW6LFe9r8n6paHrlG5o
+				jqf0BaqHT+8= )
+kx01			KX	10 kdc
+kx02			KX	10 .
+loc01			LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+loc02			LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+mb01			MG	madname
+mb02			MG	.
+mg01			MG	mgmname
+mg02			MG	.
+minfo01			MINFO	rmailbx emailbx
+minfo02			MINFO	. .
+mr01			MR	mrname
+mr02			MR	.
+mx01			MX	10 mail
+mx02			MX	10 .
+naptr01			NAPTR	0 0 "" "" "" .
+naptr02			NAPTR	65535 65535 "blurgh" "blorf" "blllbb" foo.
+nsap-ptr01		NSAP-PTR foo.
+			NSAP-PTR .
+nsap01			NSAP	0x47000580005a0000000001e133ffffff00016100
+nsap02			NSAP	0x47000580005a0000000001e133ffffff00016100
+nxt01			NXT	a.secure ( NS SOA MX SIG KEY LOC NXT )
+nxt02			NXT	. ( NSAP-PTR NXT )
+nxt03			NXT	. ( A )
+nxt04			NXT	. ( 127 )
+ptr01			PTR	example.nil.
+px01			PX	65535 foo. bar.
+px02			PX	65535 . .
+rp01			RP	mbox-dname txt-dname
+rp02			RP	. .
+rt01			RT	0 intermediate-host
+rt02			RT	65535 .
+$TTL 300	; 5 minutes
+s			NS	ns.s
+$ORIGIN s.example.nil.
+ns			A	73.80.65.49
+$ORIGIN example.nil.
+$TTL 3600	; 1 hour
+sig01			SIG	NXT 1 3 3600 20000102030405 (
+				19961211100908 2143 foo
+				MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi
+				WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl
+				d80jEeC8aTrO+KKmCaY= )
+srv01			SRV	0 0 0 .
+srv02			SRV	65535 65535 65535 old-slow-box.example.com.
+$TTL 301	; 5 minutes 1 second
+t			A	73.80.65.49
+$TTL 3600	; 1 hour
+txt01			TXT	"foo"
+txt02			TXT	"foo" "bar"
+txt03			TXT	"foo"
+txt04			TXT	"foo" "bar"
+txt05			TXT	"foo bar"
+txt06			TXT	"foo bar"
+txt07			TXT	"foo bar"
+txt08			TXT	"foo\010bar"
+txt09			TXT	"foo\010bar"
+txt10			TXT	"foo bar"
+txt11			TXT	"\"foo\""
+txt12			TXT	"\"foo\""
+$TTL 300	; 5 minutes
+u			TXT	"txt-not-in-nxt"
+$ORIGIN u.example.nil.
+a			A	73.80.65.49
+b			A	73.80.65.49
+$ORIGIN example.nil.
+$TTL 3600	; 1 hour
+wks01			WKS	10.0.0.1 6 ( 0 1 2 21 23 )
+wks02			WKS	10.0.0.1 17 ( 0 1 2 53 )
+wks03			WKS	10.0.0.2 6 ( 65535 )
+x2501			X25	"123456789"
diff --git a/bin/tests/system/nsupdate/ns1/many.test.db.in b/bin/tests/system/nsupdate/ns1/many.test.db.in
new file mode 100644
index 0000000..824971b
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns1/many.test.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@		IN SOA	ns1.example.nil. hostmaster.example.nil. (
+				1	   ; serial
+				2000       ; refresh (2000 seconds)
+				2000       ; retry (2000 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+@		NS	ns1.example.nil.
+		NS	ns2.example.nil.
diff --git a/bin/tests/system/nsupdate/ns1/max-ttl.db b/bin/tests/system/nsupdate/ns1/max-ttl.db
new file mode 100644
index 0000000..fea00b9
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns1/max-ttl.db
@@ -0,0 +1,29 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300	; 5 minutes
+max-ttl.nil		IN SOA	ns1.max-ttl.nil. hostmaster.max-ttl.nil. (
+				1	   ; serial
+				2000       ; refresh (2000 seconds)
+				2000       ; retry (2000 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+max-ttl.nil.		NS	ns1.max-ttl.nil.
+ns1.max-ttl.nil.	A	10.53.0.1
+max-ttl.nil.		NS	ns2.max-ttl.nil.
+ns2.max-ttl.nil.	A	10.53.0.2
+
+$ORIGIN max-ttl.nil.
+*			MX	10 mail
+a			TXT	"foo foo foo"
+			PTR	foo.net.
diff --git a/bin/tests/system/nsupdate/ns1/maxjournal.db.in b/bin/tests/system/nsupdate/ns1/maxjournal.db.in
new file mode 100644
index 0000000..d64842b
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns1/maxjournal.db.in
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@		IN SOA	ns1.example.nil. hostmaster.example.nil. (
+				1	   ; serial
+				2000       ; refresh (2000 seconds)
+				2000       ; retry (2000 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+@		NS	ns1.example.nil.
diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
new file mode 100644
index 0000000..a5cc36d
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns1/named.conf.in
@@ -0,0 +1,162 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1 dscp 1;
+	notify-source 10.53.0.1 dscp 22;
+	transfer-source 10.53.0.1 dscp 3;
+	port @PORT@;
+	pid-file "named.pid";
+	session-keyfile "session.key";
+	listen-on { 10.53.0.1; 127.0.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	minimal-responses no;
+	update-quota 1;
+};
+
+acl named-acl {
+	any;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+key altkey {
+	algorithm hmac-md5;
+	secret "1234abcd8765";
+};
+
+key restricted.example.nil {
+	algorithm hmac-md5;
+	secret "1234abcd8765";
+};
+
+key zonesub-key.example.nil {
+	algorithm hmac-md5;
+	secret "1234subk8765";
+};
+
+include "ddns.key";
+
+zone "example.nil" {
+	type primary;
+	file "example.db";
+	check-integrity no;
+	check-mx ignore;
+	update-policy {
+		grant zonesub-key.example.nil zonesub TXT;
+		grant ddns-key.example.nil subdomain example.nil ANY;
+		grant restricted.example.nil subdomain restricted.example.nil ANY;
+	};
+	allow-transfer { any; };
+};
+
+zone "max-ttl.nil" {
+	type primary;
+	file "max-ttl.db";
+	max-zone-ttl 300;
+	check-integrity no;
+	allow-update { named-acl; };
+	allow-transfer { any; };
+};
+
+zone "other.nil" {
+	type primary;
+	file "other.db";
+	check-integrity no;
+	check-mx warn;
+	update-policy local;
+	allow-query { !10.53.0.2; any; };
+	allow-query-on { 10.53.0.1; 127.0.0.1; };
+	allow-transfer { any; };
+};
+
+primaries others {
+	10.53.0.2 port @PORT@;
+	10.53.0.2 port @PORT@ key altkey;
+};
+
+zone "update.nil" {
+	type primary;
+	file "update.db";
+	check-integrity no;
+	check-mx fail;
+	allow-update { any; };
+	allow-transfer { any; };
+	also-notify { others; };
+};
+
+zone "unixtime.nil" {
+	type primary;
+	file "unixtime.db";
+	check-integrity no;
+	allow-update { any; };
+	allow-transfer { any; };
+	serial-update-method unixtime;
+};
+
+zone "yyyymmddvv.nil" {
+	type primary;
+	file "yyyymmddvv.db";
+	check-integrity no;
+	allow-update { any; };
+	allow-transfer { any; };
+	serial-update-method date;
+};
+
+include "md5.key";
+include "sha1.key";
+include "sha224.key";
+include "sha256.key";
+include "sha384.key";
+include "sha512.key";
+
+zone "keytests.nil" {
+	type primary;
+	file "keytests.db";
+	update-policy {
+	    grant md5-key name md5.keytests.nil. ANY;
+	    grant sha1-key name sha1.keytests.nil. ANY;
+	    grant sha224-key name sha224.keytests.nil. ANY;
+	    grant sha256-key name sha256.keytests.nil. ANY;
+	    grant sha384-key name sha384.keytests.nil. ANY;
+	    grant sha512-key name sha512.keytests.nil. ANY;
+	};
+};
+
+zone "many.test" {
+	type primary;
+	allow-update { any; };
+	file "many.test.db";
+};
+
+zone "sample" {
+	type primary;
+	allow-update { any; };
+	file "sample.db";
+};
+
+zone "maxjournal.test" {
+	type primary;
+	allow-update { any; };
+	file "maxjournal.db";
+	max-journal-size default;
+};
diff --git a/bin/tests/system/nsupdate/ns1/sample.db.in b/bin/tests/system/nsupdate/ns1/sample.db.in
new file mode 100644
index 0000000..9118bef
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns1/sample.db.in
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 0 SOA ns1 . 0 0 0 0 0
+@ 0 NS ns1
+ns1 0 A 10.53.0.1
+; a RRset that exists
+exists 0 TXT This RRset exists.
+; nxdomain
+; A named without a TXT RRset
+no-txt 0 A 1.2.3.4
diff --git a/bin/tests/system/nsupdate/ns10/dns.keytab b/bin/tests/system/nsupdate/ns10/dns.keytab
new file mode 100644
index 0000000..95eea90
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns10/dns.keytab
diff --git a/bin/tests/system/nsupdate/ns10/example.com.db.in b/bin/tests/system/nsupdate/ns10/example.com.db.in
new file mode 100644
index 0000000..da5cedf
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns10/example.com.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@		IN SOA	ns10.example.com. hostmaster.example.com. (
+				1	   ; serial
+				2000       ; refresh (2000 seconds)
+				2000       ; retry (2000 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns10
+ns10			A	10.53.0.10
diff --git a/bin/tests/system/nsupdate/ns10/in-addr.db.in b/bin/tests/system/nsupdate/ns10/in-addr.db.in
new file mode 100644
index 0000000..da5cedf
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns10/in-addr.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@		IN SOA	ns10.example.com. hostmaster.example.com. (
+				1	   ; serial
+				2000       ; refresh (2000 seconds)
+				2000       ; retry (2000 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns10
+ns10			A	10.53.0.10
diff --git a/bin/tests/system/nsupdate/ns10/machine.ccache b/bin/tests/system/nsupdate/ns10/machine.ccache
new file mode 100644
index 0000000..ced26bd
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns10/machine.ccache
diff --git a/bin/tests/system/nsupdate/ns10/named.conf.in b/bin/tests/system/nsupdate/ns10/named.conf.in
new file mode 100644
index 0000000..001f78d
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns10/named.conf.in
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.10;
+	notify-source 10.53.0.10;
+	transfer-source 10.53.0.10;
+	port @PORT@;
+	pid-file "named.pid";
+	session-keyfile "session.key";
+	listen-on { 10.53.0.10; };
+	recursion no;
+	notify yes;
+	minimal-responses no;
+	@TKEY_CONFIGURATION@
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.10 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "in-addr.arpa" {
+	type primary;
+	file "in-addr.db";
+	update-policy {	grant EXAMPLE.COM ms-subdomain . PTR; };
+};
+
+zone "example.com" {
+	type primary;
+	file "example.com.db";
+	update-policy {
+		grant EXAMPLE.COM ms-selfsub . ANY;
+		grant EXAMPLE.COM ms-subdomain _tcp.example.com SRV;
+	};
+};
diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in
new file mode 100644
index 0000000..f1a1735
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns2/named.conf.in
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.2 dscp 4;
+	notify-source 10.53.0.2 dscp 5;
+	transfer-source 10.53.0.2 dscp 6;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+	serial-query-rate 1; // workaround for KB AA-01213
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+key altkey {
+	algorithm hmac-md5;
+	secret "1234abcd8765";
+};
+
+view alternate {
+	match-clients { key altkey; };
+
+	zone "update.nil" {
+		type secondary;
+		primaries { 10.53.0.1; };
+		file "update.alt.bk";
+		allow-transfer { any; };
+	};
+};
+
+view primary {
+	match-clients { any; };
+
+	zone "example.nil" {
+		type secondary;
+		primaries { 10.53.0.1; };
+		file "example.bk";
+		allow-transfer { any; };
+	};
+
+	zone "update.nil" {
+		type secondary;
+		primaries { 10.53.0.1; };
+		file "update.bk";
+		allow-transfer { any; };
+	};
+
+	zone "sample" {
+		type primary;
+		allow-update { any; };
+		file "sample.db";
+	};
+};
diff --git a/bin/tests/system/nsupdate/ns2/sample.db.in b/bin/tests/system/nsupdate/ns2/sample.db.in
new file mode 100644
index 0000000..848cc86
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns2/sample.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 0 SOA ns2 . 0 0 0 0 0
+@ 0 NS ns2
+ns2 0 A 10.53.0.2
+;
+; These prerequistes are reversed, relative to ns1/sample.db.in:
+; 'exists' does not exist.
+nxdomain 0 TXT This RRset exists.
+
+; a name with a TXT RRset
+no-txt 0 TXT This RRset exists
diff --git a/bin/tests/system/nsupdate/ns3/delegation.test.db.in b/bin/tests/system/nsupdate/ns3/delegation.test.db.in
new file mode 100644
index 0000000..195c73b
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns3/delegation.test.db.in
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 10
+delegation.test. IN SOA delegation.test. hostmaster.delegation.test. 1 3600 900 2419200 3600
+delegation.test. IN NS delegation.test.
+delegation.test. IN A 10.53.0.3
diff --git a/bin/tests/system/nsupdate/ns3/dnskey.test.db.in b/bin/tests/system/nsupdate/ns3/dnskey.test.db.in
new file mode 100644
index 0000000..df503fe
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns3/dnskey.test.db.in
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 10
+dnskey.test. IN SOA dnskey.test. hostmaster.dnskey.test. 1 3600 900 2419200 3600
+dnskey.test. IN NS dnskey.test.
+dnskey.test. IN A 10.53.0.3
diff --git a/bin/tests/system/nsupdate/ns3/example.db.in b/bin/tests/system/nsupdate/ns3/example.db.in
new file mode 100644
index 0000000..92c0998
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns3/example.db.in
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+example. 10 IN SOA example. hostmaster.example. 1 3600 900 2419200 3600
+example. 10 IN NS example.
+example. 10 IN A 10.53.0.3
+example. 10 IN NSEC3PARAM 1 1 0 -
diff --git a/bin/tests/system/nsupdate/ns3/multisigner.test.db.in b/bin/tests/system/nsupdate/ns3/multisigner.test.db.in
new file mode 100644
index 0000000..7b4d91c
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns3/multisigner.test.db.in
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+multisigner.test. 10 IN SOA multisigner.test. hostmaster.multisigner.test. 1 3600 900 2419200 3600
+multisigner.test. 10 IN NS multisigner.test.
+multisigner.test. 10 IN A 10.53.0.3
diff --git a/bin/tests/system/nsupdate/ns3/named.conf.in b/bin/tests/system/nsupdate/ns3/named.conf.in
new file mode 100644
index 0000000..f87048a
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns3/named.conf.in
@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+options {
+	query-source address 10.53.0.3 dscp 7;
+	notify-source 10.53.0.3 dscp 8;
+	transfer-source 10.53.0.3 dscp 9;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	dnssec-validation yes;
+};
+
+zone "example" {
+	type primary;
+	allow-update { any; };
+	file "example.db";
+};
+
+zone "nsec3param.test" {
+	type primary;
+	allow-update { any; };
+	file "nsec3param.test.db.signed";
+};
+
+zone "dnskey.test" {
+	type primary;
+	allow-update { any; };
+	file "dnskey.test.db.signed";
+};
+
+zone "many.test" {
+	type secondary;
+	primaries { 10.53.0.1; };
+	allow-update-forwarding { any; };
+	file "many.test.bk";
+};
+
+zone "delegation.test" {
+	type primary;
+	allow-update { any; };
+	file "delegation.test.db.signed";
+};
+
+zone "too-big.test" {
+	type primary;
+	allow-update { any; };
+	max-records 3;
+	file "too-big.test.db";
+};
+
+/* Zone for testing CDS and CDNSKEY updates from other provider */
+zone "multisigner.test" {
+	type primary;
+	allow-update { any; };
+	dnssec-policy "default";
+	file "multisigner.test.db";
+};
diff --git a/bin/tests/system/nsupdate/ns3/nsec3param.test.db.in b/bin/tests/system/nsupdate/ns3/nsec3param.test.db.in
new file mode 100644
index 0000000..b26f5bd
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns3/nsec3param.test.db.in
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 10
+nsec3param.test. IN SOA nsec3param.test. hostmaster.nsec3param.test. 1 3600 900 2419200 3600
+nsec3param.test. IN NS nsec3param.test.
+nsec3param.test. IN A 10.53.0.3
diff --git a/bin/tests/system/nsupdate/ns3/sign.sh b/bin/tests/system/nsupdate/ns3/sign.sh
new file mode 100644
index 0000000..c3db402
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns3/sign.sh
@@ -0,0 +1,51 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=nsec3param.test.
+infile=nsec3param.test.db.in
+zonefile=nsec3param.test.db
+
+keyname1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -P -3 - -H 1 -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
+
+zone=dnskey.test.
+infile=dnskey.test.db.in
+zonefile=dnskey.test.db
+
+keyname1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -P -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
+
+zone=delegation.test.
+infile=delegation.test.db.in
+zonefile=delegation.test.db
+
+keyname1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -3 -f KSK $zone)
+keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -3 $zone)
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -A -3 - -P -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
+
+# Just copy multisigner.db.in because it is signed with dnssec-policy.
+cp multisigner.test.db.in multisigner.test.db
diff --git a/bin/tests/system/nsupdate/ns3/too-big.test.db.in b/bin/tests/system/nsupdate/ns3/too-big.test.db.in
new file mode 100644
index 0000000..45ee9ad
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns3/too-big.test.db.in
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 10
+too-big.test. IN SOA too-big.test. hostmaster.too-big.test. 1 3600 900 2419200 3600
+too-big.test. IN NS too-big.test.
+too-big.test. IN A 10.53.0.3
diff --git a/bin/tests/system/nsupdate/ns5/local.db.in b/bin/tests/system/nsupdate/ns5/local.db.in
new file mode 100644
index 0000000..12a5d8b
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns5/local.db.in
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300	; 5 minutes
+local.nil		IN SOA	ns5.local.nil. hostmaster.local.nil. (
+				1	   ; serial
+				2000       ; refresh (2000 seconds)
+				2000       ; retry (2000 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+local.nil.		NS	ns5.local.nil.
+ns5.local.nil.		A	10.53.0.5
+
+$ORIGIN local.nil.
+a			A	10.10.10.10
diff --git a/bin/tests/system/nsupdate/ns5/named.args b/bin/tests/system/nsupdate/ns5/named.args
new file mode 100644
index 0000000..a1ebb6f
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns5/named.args
@@ -0,0 +1 @@
+-D nsupdate-ns5 -m record,size,mctx -c named.conf -d 99 -X named.lock -g -U 4 -T maxcachesize=2097152 -T fixedlocal
diff --git a/bin/tests/system/nsupdate/ns5/named.conf.in b/bin/tests/system/nsupdate/ns5/named.conf.in
new file mode 100644
index 0000000..c36777d
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns5/named.conf.in
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.5;
+	notify-source 10.53.0.5;
+	transfer-source 10.53.0.5;
+	port @PORT@;
+	pid-file "named.pid";
+	session-keyfile "session.key";
+	listen-on { 10.53.0.5; };
+	recursion no;
+	notify yes;
+	minimal-responses no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "local.nil" {
+	type primary;
+	file "local.db";
+	update-policy local;
+};
diff --git a/bin/tests/system/nsupdate/ns6/in-addr.db.in b/bin/tests/system/nsupdate/ns6/in-addr.db.in
new file mode 100644
index 0000000..9ac2b61
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns6/in-addr.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@		IN SOA	ns5.local.nil. hostmaster.local.nil. (
+				1	   ; serial
+				2000       ; refresh (2000 seconds)
+				2000       ; retry (2000 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns5
+ns5			A	10.53.0.5
diff --git a/bin/tests/system/nsupdate/ns6/named.args b/bin/tests/system/nsupdate/ns6/named.args
new file mode 100644
index 0000000..11e5449
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns6/named.args
@@ -0,0 +1 @@
+-D nsupdate-ns6 -m record,size,mctx -c named.conf -d 99 -X named.lock -g -U 4 -T maxcachesize=2097152 -T fixedlocal
diff --git a/bin/tests/system/nsupdate/ns6/named.conf.in b/bin/tests/system/nsupdate/ns6/named.conf.in
new file mode 100644
index 0000000..a2bc409
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns6/named.conf.in
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.6;
+	notify-source 10.53.0.6;
+	transfer-source 10.53.0.6;
+	port @PORT@;
+	pid-file "named.pid";
+	session-keyfile "session.key";
+	listen-on { 10.53.0.6; };
+	recursion no;
+	notify yes;
+	minimal-responses no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "in-addr.arpa" {
+	type primary;
+	file "in-addr.db";
+	update-policy {	grant * tcp-self . PTR; };
+};
diff --git a/bin/tests/system/nsupdate/ns7/dns.keytab b/bin/tests/system/nsupdate/ns7/dns.keytab
new file mode 100644
index 0000000..08d5ef4
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns7/dns.keytab
diff --git a/bin/tests/system/nsupdate/ns7/example.com.db.in b/bin/tests/system/nsupdate/ns7/example.com.db.in
new file mode 100644
index 0000000..34a0885
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns7/example.com.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@		IN SOA	ns7.example.com. hostmaster.example.com. (
+				1	   ; serial
+				2000       ; refresh (2000 seconds)
+				2000       ; retry (2000 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns7
+ns7			A	10.53.0.7
diff --git a/bin/tests/system/nsupdate/ns7/in-addr.db.in b/bin/tests/system/nsupdate/ns7/in-addr.db.in
new file mode 100644
index 0000000..34a0885
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns7/in-addr.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@		IN SOA	ns7.example.com. hostmaster.example.com. (
+				1	   ; serial
+				2000       ; refresh (2000 seconds)
+				2000       ; retry (2000 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns7
+ns7			A	10.53.0.7
diff --git a/bin/tests/system/nsupdate/ns7/machine.ccache b/bin/tests/system/nsupdate/ns7/machine.ccache
new file mode 100644
index 0000000..7dcd959
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns7/machine.ccache
diff --git a/bin/tests/system/nsupdate/ns7/named.conf.in b/bin/tests/system/nsupdate/ns7/named.conf.in
new file mode 100644
index 0000000..9d28bf5
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns7/named.conf.in
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.7;
+	notify-source 10.53.0.7;
+	transfer-source 10.53.0.7;
+	port @PORT@;
+	pid-file "named.pid";
+	session-keyfile "session.key";
+	listen-on { 10.53.0.7; };
+	recursion no;
+	notify yes;
+	minimal-responses no;
+	tkey-gssapi-keytab "dns.keytab";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "in-addr.arpa" {
+	type primary;
+	file "in-addr.db";
+	update-policy {	grant EXAMPLE.COM krb5-subdomain . PTR; };
+};
+
+zone "example.com" {
+	type primary;
+	file "example.com.db";
+	update-policy {
+		grant EXAMPLE.COM krb5-self . ANY;
+		grant EXAMPLE.COM krb5-subdomain _tcp.example.com SRV;
+	};
+};
diff --git a/bin/tests/system/nsupdate/ns8/dns-other-than-KRB5_KTNAME.keytab b/bin/tests/system/nsupdate/ns8/dns-other-than-KRB5_KTNAME.keytab
new file mode 100644
index 0000000..3340049
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns8/dns-other-than-KRB5_KTNAME.keytab
diff --git a/bin/tests/system/nsupdate/ns8/example.com.db.in b/bin/tests/system/nsupdate/ns8/example.com.db.in
new file mode 100644
index 0000000..f83a3eb
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns8/example.com.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@		IN SOA	ns8.example.com. hostmaster.example.com. (
+				1	   ; serial
+				2000       ; refresh (2000 seconds)
+				2000       ; retry (2000 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns8
+ns8			A	10.53.0.8
diff --git a/bin/tests/system/nsupdate/ns8/in-addr.db.in b/bin/tests/system/nsupdate/ns8/in-addr.db.in
new file mode 100644
index 0000000..f83a3eb
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns8/in-addr.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@		IN SOA	ns8.example.com. hostmaster.example.com. (
+				1	   ; serial
+				2000       ; refresh (2000 seconds)
+				2000       ; retry (2000 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns8
+ns8			A	10.53.0.8
diff --git a/bin/tests/system/nsupdate/ns8/machine.ccache b/bin/tests/system/nsupdate/ns8/machine.ccache
new file mode 100644
index 0000000..6e75aff
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns8/machine.ccache
diff --git a/bin/tests/system/nsupdate/ns8/named.conf.in b/bin/tests/system/nsupdate/ns8/named.conf.in
new file mode 100644
index 0000000..ead3cfe
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns8/named.conf.in
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.8;
+	notify-source 10.53.0.8;
+	transfer-source 10.53.0.8;
+	port @PORT@;
+	pid-file "named.pid";
+	session-keyfile "session.key";
+	listen-on { 10.53.0.8; };
+	recursion no;
+	notify yes;
+	minimal-responses no;
+	tkey-gssapi-keytab "dns-other-than-KRB5_KTNAME.keytab";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.8 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "in-addr.arpa" {
+	type primary;
+	file "in-addr.db";
+	update-policy {	grant EXAMPLE.COM krb5-subdomain . PTR; };
+};
+
+zone "example.com" {
+	type primary;
+	file "example.com.db";
+	update-policy {
+		grant EXAMPLE.COM krb5-selfsub . ANY;
+		grant EXAMPLE.COM krb5-subdomain _tcp.example.com SRV;
+	};
+};
diff --git a/bin/tests/system/nsupdate/ns9/dns.keytab b/bin/tests/system/nsupdate/ns9/dns.keytab
new file mode 100644
index 0000000..470317f
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns9/dns.keytab
diff --git a/bin/tests/system/nsupdate/ns9/example.com.db.in b/bin/tests/system/nsupdate/ns9/example.com.db.in
new file mode 100644
index 0000000..cb3fae5
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns9/example.com.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@		IN SOA	ns9.example.com. hostmaster.example.com. (
+				1	   ; serial
+				2000       ; refresh (2000 seconds)
+				2000       ; retry (2000 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns9
+ns9			A	10.53.0.9
diff --git a/bin/tests/system/nsupdate/ns9/in-addr.db.in b/bin/tests/system/nsupdate/ns9/in-addr.db.in
new file mode 100644
index 0000000..cb3fae5
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns9/in-addr.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@		IN SOA	ns9.example.com. hostmaster.example.com. (
+				1	   ; serial
+				2000       ; refresh (2000 seconds)
+				2000       ; retry (2000 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns9
+ns9			A	10.53.0.9
diff --git a/bin/tests/system/nsupdate/ns9/machine.ccache b/bin/tests/system/nsupdate/ns9/machine.ccache
new file mode 100644
index 0000000..2b59cec
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns9/machine.ccache
diff --git a/bin/tests/system/nsupdate/ns9/named.conf.in b/bin/tests/system/nsupdate/ns9/named.conf.in
new file mode 100644
index 0000000..5115b15
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns9/named.conf.in
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.9;
+	notify-source 10.53.0.9;
+	transfer-source 10.53.0.9;
+	port @PORT@;
+	pid-file "named.pid";
+	session-keyfile "session.key";
+	listen-on { 10.53.0.9; };
+	recursion no;
+	notify yes;
+	minimal-responses no;
+	@TKEY_CONFIGURATION@
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+key subkey {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "in-addr.arpa" {
+	type primary;
+	file "in-addr.db";
+	update-policy {	grant EXAMPLE.COM ms-subdomain . PTR; };
+};
+
+zone "example.com" {
+	type primary;
+	file "example.com.db";
+	update-policy {
+		grant EXAMPLE.COM ms-self . ANY;
+		grant EXAMPLE.COM ms-subdomain _tcp.example.com SRV;
+	};
+};
+
+zone "denyname.example" {
+	type master;
+	file "denyname.example.db";
+	update-policy {
+		deny subkey name denyname.example;
+		grant subkey subdomain denyname.example;
+	};
+};
diff --git a/bin/tests/system/nsupdate/prereq.sh b/bin/tests/system/nsupdate/prereq.sh
new file mode 100644
index 0000000..1079c7e
--- /dev/null
+++ b/bin/tests/system/nsupdate/prereq.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if $PERL -e 'use Net::DNS;' 2>/dev/null
+then
+    if $PERL -e 'use Net::DNS; die if ($Net::DNS::VERSION >= 0.69 && $Net::DNS::VERSION <= 0.70);' 2>/dev/null
+    then
+        :
+    else
+        echo_i "Net::DNS versions 0.69 to 0.70 have bugs that cause this test to fail: please update." >&2
+        exit 1
+    fi
+fi
+
+exit 0
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
new file mode 100644
index 0000000..fac39d4
--- /dev/null
+++ b/bin/tests/system/nsupdate/setup.sh
@@ -0,0 +1,106 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+#
+# jnl and database files MUST be removed before we start
+#
+$SHELL clean.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+copy_setports ns6/named.conf.in ns6/named.conf
+copy_setports ns7/named.conf.in ns7/named.conf
+copy_setports ns8/named.conf.in ns8/named.conf
+
+# If "tkey-gssapi-credential" is set in the configuration and GSSAPI support is
+# not available, named will refuse to start.  As the test system framework does
+# not support starting named instances conditionally, ensure that
+# "tkey-gssapi-credential" is only present in named.conf if GSSAPI support is
+# available.
+copy_setports ns9/named.conf.in ns9/named.conf.in.tkey
+copy_setports ns10/named.conf.in ns10/named.conf.in.tkey
+if $FEATURETEST --gssapi; then
+	sed 's|@TKEY_CONFIGURATION@|tkey-gssapi-credential "DNS/ns9.example.com@EXAMPLE.COM";|' ns9/named.conf.in.tkey > ns9/named.conf
+	sed 's|@TKEY_CONFIGURATION@|tkey-gssapi-credential "DNS/ns10.example.com@EXAMPLE.COM";|' ns10/named.conf.in.tkey > ns10/named.conf
+else
+	sed 's|@TKEY_CONFIGURATION@||' ns9/named.conf.in.tkey > ns9/named.conf
+	sed 's|@TKEY_CONFIGURATION@||' ns10/named.conf.in.tkey > ns10/named.conf
+fi
+rm -f ns9/named.conf.in.tkey
+rm -f ns10/named.conf.in.tkey
+
+copy_setports verylarge.in verylarge
+
+cp -f ns1/example1.db ns1/example.db
+sed 's/example.nil/other.nil/g' ns1/example1.db > ns1/other.db
+sed 's/example.nil/unixtime.nil/g' ns1/example1.db > ns1/unixtime.db
+sed 's/example.nil/yyyymmddvv.nil/g' ns1/example1.db > ns1/yyyymmddvv.db
+sed 's/example.nil/keytests.nil/g' ns1/example1.db > ns1/keytests.db
+cp -f ns3/example.db.in ns3/example.db
+cp -f ns3/too-big.test.db.in ns3/too-big.test.db
+
+# update_test.pl has its own zone file because it
+# requires a specific NS record set.
+cat <<\EOF >ns1/update.db
+$ORIGIN .
+$TTL 300        ; 5 minutes
+update.nil              IN SOA  ns1.example.nil. hostmaster.example.nil. (
+                                1          ; serial
+                                2000       ; refresh (2000 seconds)
+                                2000       ; retry (2000 seconds)
+                                1814400    ; expire (3 weeks)
+                                3600       ; minimum (1 hour)
+                                )
+update.nil.             NS      ns1.update.nil.
+ns1.update.nil.         A       10.53.0.2
+ns2.update.nil.		AAAA	::1
+EOF
+
+$DDNSCONFGEN -q -z example.nil > ns1/ddns.key
+
+if $FEATURETEST --md5; then
+	$DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
+else
+	echo -n > ns1/md5.key
+fi
+$DDNSCONFGEN -q -a hmac-sha1 -k sha1-key -z keytests.nil > ns1/sha1.key
+$DDNSCONFGEN -q -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key
+$DDNSCONFGEN -q -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key
+$DDNSCONFGEN -q -a hmac-sha384 -k sha384-key -z keytests.nil > ns1/sha384.key
+$DDNSCONFGEN -q -a hmac-sha512 -k sha512-key -z keytests.nil > ns1/sha512.key
+
+(cd ns3; $SHELL -e sign.sh)
+
+cp -f ns1/many.test.db.in ns1/many.test.db
+
+cp ns1/sample.db.in ns1/sample.db
+cp ns2/sample.db.in ns2/sample.db
+
+cp -f ns1/maxjournal.db.in ns1/maxjournal.db
+
+cp -f ns5/local.db.in ns5/local.db
+cp -f ns6/in-addr.db.in ns6/in-addr.db
+cp -f ns7/in-addr.db.in ns7/in-addr.db
+cp -f ns7/example.com.db.in ns7/example.com.db
+cp -f ns8/in-addr.db.in ns8/in-addr.db
+cp -f ns8/example.com.db.in ns8/example.com.db
+cp -f ns9/in-addr.db.in ns9/in-addr.db
+cp -f ns9/example.com.db.in ns9/example.com.db
+cp -f ns9/example.com.db.in ns9/denyname.example.db
+cp -f ns10/in-addr.db.in ns10/in-addr.db
+cp -f ns10/example.com.db.in ns10/example.com.db
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
new file mode 100755
index 0000000..2cf23ac
--- /dev/null
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -0,0 +1,1552 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="-p ${PORT}"
+RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
+
+#
+# Uncomment when creating credential cache files.
+#
+# KRB5_CONFIG="$(pwd)/krb/krb5.conf"
+#
+# Cd krb and run krb/setup.sh to create new keys.
+# Run nsupdate system test.
+# Kill the krb5kdc server started by krb/setup.sh.
+# Check the expiry date on the cached machine.ccache with klist is in 2038.
+# Comment out KRB5_CONFIG.
+# Re-run nsupdate system test to confirm everything still works.
+# git add and commit the resulting ns*/machine.ccache and ns*/dns.keytab files.
+# Clean up krb.
+#
+
+status=0
+n=0
+
+nextpartreset ns3/named.run
+
+# wait for zone transfer to complete
+tries=0
+while true; do
+    if [ $tries -eq 10 ]
+    then
+        exit 1
+    fi
+
+    if grep "example.nil/IN.*Transfer status" ns2/named.run > /dev/null
+    then
+        break
+    else
+        echo_i "zones are not fully loaded, waiting..."
+        tries=$((tries + 1))
+        sleep 1
+    fi
+done
+
+has_positive_response() {
+	zone=$1
+	type=$2
+	ns=$3
+	$DIG $DIGOPTS +tcp +norec $zone $type @$ns > dig.out.post.test$n || return 1
+	grep "status: NOERROR" dig.out.post.test$n > /dev/null || return 1
+	grep "ANSWER: 0," dig.out.post.test$n > /dev/null && return 1
+	return 0
+}
+
+ret=0
+echo_i "fetching first copy of zone before update"
+$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\
+	@10.53.0.1 axfr > dig.out.ns1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ret=0
+echo_i "fetching second copy of zone before update"
+$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\
+	@10.53.0.2 axfr > dig.out.ns2 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ret=0
+echo_i "comparing pre-update copies to known good data"
+digcomp knowngood.ns1.before dig.out.ns1 || ret=1
+digcomp knowngood.ns1.before dig.out.ns2 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ret=0
+echo_i "ensure an unrelated zone is mentioned in its NOTAUTH log"
+$NSUPDATE -k ns1/ddns.key > nsupdate.out 2>&1 << END && ret=1
+server 10.53.0.1 ${PORT}
+zone unconfigured.test
+update add unconfigured.test 600 IN A 10.53.0.1
+send
+END
+grep NOTAUTH nsupdate.out > /dev/null 2>&1 || ret=1
+grep ' unconfigured.test: not authoritative' ns1/named.run \
+     > /dev/null 2>&1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ret=0
+echo_i "ensure a subdomain is mentioned in its NOTAUTH log"
+$NSUPDATE -k ns1/ddns.key > nsupdate.out 2>&1 << END && ret=1
+server 10.53.0.1 ${PORT}
+zone sub.sub.example.nil
+update add sub.sub.sub.example.nil 600 IN A 10.53.0.1
+send
+END
+grep NOTAUTH nsupdate.out > /dev/null 2>&1 || ret=1
+grep ' sub.sub.example.nil: not authoritative' ns1/named.run \
+     > /dev/null 2>&1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ret=0
+echo_i "updating zone"
+# nsupdate will print a ">" prompt to stdout as it gets each input line.
+$NSUPDATE -k ns1/ddns.key <<END > /dev/null || ret=1
+server 10.53.0.1 ${PORT}
+update add updated.example.nil. 600 A 10.10.10.1
+add updated.example.nil. 600 TXT Foo
+delete t.example.nil.
+
+END
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+echo_i "sleeping 5 seconds for server to incorporate changes"
+sleep 5
+
+ret=0
+echo_i "fetching first copy of zone after update"
+$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\
+	@10.53.0.1 axfr > dig.out.ns1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ret=0
+echo_i "fetching second copy of zone after update"
+$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\
+	@10.53.0.2 axfr > dig.out.ns2 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ret=0
+echo_i "comparing post-update copies to known good data"
+digcomp knowngood.ns1.after dig.out.ns1 || ret=1
+digcomp knowngood.ns1.after dig.out.ns2 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ret=0
+echo_i "testing local update policy"
+pre=$($DIG $DIGOPTS +short new.other.nil. @10.53.0.1 a) || ret=1
+[ -z "$pre" ] || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ret=0
+echo_i "updating zone"
+# nsupdate will print a ">" prompt to stdout as it gets each input line.
+$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > /dev/null <<END || ret=1
+zone other.nil.
+update add new.other.nil. 600 IN A 10.10.10.1
+send
+END
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+echo_i "sleeping 5 seconds for server to incorporate changes"
+sleep 5
+
+ret=0
+echo_i "checking result of update"
+post=$($DIG $DIGOPTS +short new.other.nil. @10.53.0.1 a) || ret=1
+[ "$post" = "10.10.10.1" ] || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ret=0
+echo_i "comparing post-update copy to known good data"
+digcomp knowngood.ns1.after dig.out.ns1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ret=0
+echo_i "testing zone consistency checks"
+# inserting an NS record without a corresponding A or AAAA record should fail
+$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > nsupdate.out 2>&1 << END && ret=1
+update add other.nil. 600 in ns ns3.other.nil.
+send
+END
+grep REFUSED nsupdate.out > /dev/null 2>&1 || ret=1
+# ...but should work if an A record is inserted first:
+$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > nsupdate.out 2>&1 << END || ret=1
+update add ns4.other.nil 600 in a 10.53.0.1
+send
+update add other.nil. 600 in ns ns4.other.nil.
+send
+END
+grep REFUSED nsupdate.out > /dev/null 2>&1 && ret=1
+# ...or if an AAAA record does:
+$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > nsupdate.out 2>&1 << END || ret=1
+update add ns5.other.nil 600 in aaaa 2001:db8::1
+send
+update add other.nil. 600 in ns ns5.other.nil.
+send
+END
+grep REFUSED nsupdate.out > /dev/null 2>&1 && ret=1
+# ...or if the NS and A/AAAA are inserted together:
+$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > nsupdate.out 2>&1 << END || ret=1
+update add other.nil. 600 in ns ns6.other.nil.
+update add ns6.other.nil 600 in a 10.53.0.1
+send
+END
+grep REFUSED nsupdate.out > /dev/null 2>&1 && ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+echo_i "sleeping 5 seconds for server to incorporate changes"
+sleep 5
+
+ret=0
+echo_i "checking result of update"
+$DIG $DIGOPTS +short @10.53.0.1 ns other.nil > dig.out.ns1 || ret=1
+grep ns3.other.nil dig.out.ns1 > /dev/null 2>&1 && ret=1
+grep ns4.other.nil dig.out.ns1 > /dev/null 2>&1 || ret=1
+grep ns5.other.nil dig.out.ns1 > /dev/null 2>&1 || ret=1
+grep ns6.other.nil dig.out.ns1 > /dev/null 2>&1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ret=0
+echo_i "ensure 'check-mx ignore' allows adding MX records containing an address without a warning"
+$NSUPDATE -k ns1/ddns.key > nsupdate.out 2>&1 << END || ret=1
+server 10.53.0.1 ${PORT}
+update add mx03.example.nil 600 IN MX 10 10.53.0.1
+send
+END
+grep REFUSED nsupdate.out > /dev/null 2>&1 && ret=1
+grep "mx03.example.nil/MX:.*MX is an address" ns1/named.run > /dev/null 2>&1 && ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ret=0
+echo_i "ensure 'check-mx warn' allows adding MX records containing an address with a warning"
+$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > nsupdate.out 2>&1 << END || ret=1
+update add mx03.other.nil 600 IN MX 10 10.53.0.1
+send
+END
+grep REFUSED nsupdate.out > /dev/null 2>&1 && ret=1
+grep "mx03.other.nil/MX:.*MX is an address" ns1/named.run > /dev/null 2>&1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ret=0
+echo_i "ensure 'check-mx fail' prevents adding MX records containing an address with a warning"
+$NSUPDATE > nsupdate.out 2>&1 << END && ret=1
+server 10.53.0.1 ${PORT}
+update add mx03.update.nil 600 IN MX 10 10.53.0.1
+send
+END
+grep REFUSED nsupdate.out > /dev/null 2>&1 || ret=1
+grep "mx03.update.nil/MX:.*MX is an address" ns1/named.run > /dev/null 2>&1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ret=0
+echo_i "check SIG(0) key is accepted"
+key=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -T KEY -n ENTITY xxx)
+echo "" | $NSUPDATE -k ${key}.private > /dev/null 2>&1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check TYPE=0 update is rejected by nsupdate ($n)"
+$NSUPDATE <<END > nsupdate.out 2>&1 && ret=1
+    server 10.53.0.1 ${PORT}
+    ttl 300
+    update add example.nil. in type0 ""
+    send
+END
+grep "unknown class/type" nsupdate.out > /dev/null 2>&1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check TYPE=0 prerequisite is handled ($n)"
+$NSUPDATE -k ns1/ddns.key <<END > nsupdate.out 2>&1 || ret=1
+    server 10.53.0.1 ${PORT}
+    prereq nxrrset example.nil. type0
+    send
+END
+$DIG $DIGOPTS +tcp version.bind txt ch @10.53.0.1 > dig.out.ns1.$n
+grep "status: NOERROR" dig.out.ns1.$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that TYPE=0 update is handled ($n)"
+echo "a0e4280000010000000100000000060001c00c000000fe000000000000" |
+$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp > /dev/null || ret=1
+$DIG $DIGOPTS +tcp version.bind txt ch @10.53.0.1 > dig.out.ns1.$n
+grep "status: NOERROR" dig.out.ns1.$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that TYPE=0 additional data is handled ($n)"
+echo "a0e4280000010000000000010000060001c00c000000fe000000000000" |
+$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp > /dev/null || ret=1
+$DIG $DIGOPTS +tcp version.bind txt ch @10.53.0.1 > dig.out.ns1.$n
+grep "status: NOERROR" dig.out.ns1.$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that update to undefined class is handled ($n)"
+echo "a0e4280000010001000000000000060101c00c000000fe000000000000" |
+$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp > /dev/null || ret=1
+$DIG $DIGOPTS +tcp version.bind txt ch @10.53.0.1 > dig.out.ns1.$n
+grep "status: NOERROR" dig.out.ns1.$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that address family mismatch is handled ($n)"
+$NSUPDATE <<END > /dev/null 2>&1 && ret=1
+server ::1
+local 127.0.0.1
+update add 600 txt.example.nil in txt "test"
+send
+END
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+
+n=$((n + 1))
+ret=0
+echo_i "check that unixtime serial number is correctly generated ($n)"
+$DIG $DIGOPTS +short unixtime.nil. soa @10.53.0.1 > dig.out.old.test$n || ret=1
+oldserial=$(awk '{print $3}' dig.out.old.test$n) || ret=1
+start=$($PERL -e 'print time()."\n";')
+$NSUPDATE <<END > /dev/null 2>&1 || ret=1
+    server 10.53.0.1 ${PORT}
+    ttl 600
+    update add new.unixtime.nil in a 1.2.3.4
+    send
+END
+now=$($PERL -e 'print time()."\n";')
+sleep 1
+$DIG $DIGOPTS +short unixtime.nil. soa @10.53.0.1 > dig.out.new.test$n || ret=1
+serial=$(awk '{print $3}' dig.out.new.test$n) || ret=1
+[ "$oldserial" = "$serial" ] && { echo_i "oldserial == serial"; ret=1; }
+if [ "$serial" -lt "$start" ]; then
+    echo_i "out-of-range serial=$serial < start=$start"; ret=1;
+elif [ "$serial" -gt "$now" ]; then
+    echo_i "out-of-range serial=$serial > now=$now"; ret=1;
+fi
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+if $PERL -e 'use Net::DNS;' 2>/dev/null
+then
+    n=$((n + 1))
+    ret=0
+    echo_i "running update.pl test ($n)"
+    $PERL update_test.pl -s 10.53.0.1 -p ${PORT} update.nil. > perl.update_test.out || ret=1
+    [ $ret -eq 1 ] && { echo_i "failed"; status=1; }
+
+    if $PERL -e 'use Net::DNS; die "Net::DNS too old ($Net::DNS::VERSION < 1.01)" if ($Net::DNS::VERSION < 1.01)' > /dev/null
+    then
+	n=$((n + 1))
+	ret=0
+	echo_i "check for too many NSEC3 iterations log ($n)"
+	grep "updating zone 'update.nil/IN': too many NSEC3 iterations (151)" ns1/named.run > /dev/null || ret=1
+	[ $ret -eq 1 ] && { echo_i "failed"; status=1; }
+    fi
+else
+    echo_i "The second part of this test requires the Net::DNS library." >&2
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "fetching first copy of test zone ($n)"
+$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\
+	@10.53.0.1 axfr > dig.out.ns1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "fetching second copy of test zone ($n)"
+$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\
+	@10.53.0.2 axfr > dig.out.ns2 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "comparing zones ($n)"
+digcomp dig.out.ns1 dig.out.ns2 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+echo_i "SIGKILL and restart server ns1"
+cd ns1
+$KILL -KILL $(cat named.pid)
+rm named.pid
+cd ..
+sleep 10
+if
+	start_server --noclean --restart --port ${PORT} ns1
+then
+	echo_i "restarted server ns1"
+else
+	echo_i "could not restart server ns1"
+	exit 1
+fi
+sleep 10
+
+n=$((n + 1))
+ret=0
+echo_i "fetching ns1 after hard restart ($n)"
+$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\
+	@10.53.0.1 axfr > dig.out.ns1.after || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "comparing zones ($n)"
+digcomp dig.out.ns1 dig.out.ns1.after || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+echo_i "begin RT #482 regression test"
+
+n=$((n + 1))
+ret=0
+echo_i "update primary ($n)"
+$NSUPDATE -k ns1/ddns.key <<END > /dev/null || ret=1
+server 10.53.0.1 ${PORT}
+update add updated2.example.nil. 600 A 10.10.10.2
+update add updated2.example.nil. 600 TXT Bar
+update delete c.example.nil.
+send
+END
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+sleep 5
+
+if [ ! "$CYGWIN" ]; then
+    echo_i "SIGHUP secondary"
+    $KILL -HUP $(cat ns2/named.pid)
+else
+    echo_i "reload secondary"
+    rndc_reload ns2 10.53.0.2
+fi
+
+sleep 5
+
+n=$((n + 1))
+ret=0
+echo_i "update primary again ($n)"
+$NSUPDATE -k ns1/ddns.key <<END > /dev/null || ret=1
+server 10.53.0.1 ${PORT}
+update add updated3.example.nil. 600 A 10.10.10.3
+update add updated3.example.nil. 600 TXT Zap
+del d.example.nil.
+send
+END
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+sleep 5
+
+if [ ! "$CYGWIN" ]; then
+    echo_i "SIGHUP secondary again"
+    $KILL -HUP $(cat ns2/named.pid)
+else
+    echo_i "reload secondary again"
+    rndc_reload ns2 10.53.0.2
+fi
+
+sleep 5
+
+n=$((n + 1))
+echo_i "check to 'out of sync' message ($n)"
+if grep "out of sync" ns2/named.run
+then
+	echo_i "failed (found 'out of sync')"
+	status=1
+fi
+
+echo_i "end RT #482 regression test"
+
+n=$((n + 1))
+ret=0
+echo_i "start NSEC3PARAM changes via UPDATE on a unsigned zone test ($n)"
+$NSUPDATE << EOF
+server 10.53.0.3 ${PORT}
+update add example 3600 nsec3param 1 0 0 -
+send
+EOF
+
+# the zone is not signed.  The nsec3param records should be removed.
+# this also proves that the server is still running.
+$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocmd +norec example.\
+	@10.53.0.3 nsec3param > dig.out.ns3.$n || ret=1
+grep "ANSWER: 0," dig.out.ns3.$n > /dev/null || ret=1
+grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "change the NSEC3PARAM ttl via update ($n)"
+$NSUPDATE << EOF
+server 10.53.0.3 ${PORT}
+update add nsec3param.test 3600 NSEC3PARAM 1 0 1 -
+send
+EOF
+
+$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocmd +norec nsec3param.test.\
+        @10.53.0.3 nsec3param > dig.out.ns3.$n || ret=1
+grep "ANSWER: 1," dig.out.ns3.$n > /dev/null || ret=1
+grep "3600.*NSEC3PARAM" dig.out.ns3.$n > /dev/null || ret=1
+grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "add a new NSEC3PARAM via update ($n)"
+$NSUPDATE << EOF
+server 10.53.0.3 ${PORT}
+update add nsec3param.test 3600 NSEC3PARAM 1 0 4 -
+send
+EOF
+
+_ret=1
+for i in 0 1 2 3 4 5 6 7 8 9; do
+	$DIG $DIGOPTS +tcp +norec +time=1 +tries=1 @10.53.0.3 nsec3param.test. NSEC3PARAM > dig.out.ns3.$n || _ret=1
+	if grep "ANSWER: 2," dig.out.ns3.$n > /dev/null; then
+		_ret=0
+		break
+	fi
+	sleep 1
+done
+
+if [ $_ret -ne 0 ]; then ret=1; fi
+grep "NSEC3PARAM 1 0 4 -" dig.out.ns3.$n > /dev/null || ret=1
+grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=$((ret + status)); fi
+
+n=$((n + 1))
+ret=0
+echo_i "add, delete and change the ttl of the NSEC3PARAM rrset via update ($n)"
+$NSUPDATE << EOF
+server 10.53.0.3 ${PORT}
+update delete nsec3param.test NSEC3PARAM
+update add nsec3param.test 7200 NSEC3PARAM 1 0 5 -
+send
+EOF
+
+_ret=1
+for i in 0 1 2 3 4 5 6 7 8 9; do
+	$DIG $DIGOPTS +tcp +norec +time=1 +tries=1 @10.53.0.3 nsec3param.test. NSEC3PARAM > dig.out.ns3.$n || _ret=1
+	if grep "ANSWER: 1," dig.out.ns3.$n > /dev/null; then
+		_ret=0
+		break
+	fi
+	sleep 1
+done
+
+if [ $_ret -ne 0 ]; then ret=1; fi
+grep "7200.*NSEC3PARAM 1 0 5 -" dig.out.ns3.$n > /dev/null || ret=1
+grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1
+$JOURNALPRINT ns3/nsec3param.test.db.signed.jnl > jp.out.ns3.$n
+# intermediate TTL changes.
+grep "add nsec3param.test.	7200	IN	NSEC3PARAM 1 0 4 -" jp.out.ns3.$n > /dev/null || ret=1
+grep "add nsec3param.test.	7200	IN	NSEC3PARAM 1 0 1 -" jp.out.ns3.$n > /dev/null || ret=1
+# delayed adds and deletes.
+grep "add nsec3param.test.	0	IN	TYPE65534 .# 6 000180000500" jp.out.ns3.$n > /dev/null || ret=1
+grep "add nsec3param.test.	0	IN	TYPE65534 .# 6 000140000100" jp.out.ns3.$n > /dev/null || ret=1
+grep "add nsec3param.test.	0	IN	TYPE65534 .# 6 000140000400" jp.out.ns3.$n > /dev/null || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=$((ret + status)); fi
+
+
+ret=0
+echo_i "testing that rndc stop updates the file"
+$NSUPDATE -k ns1/ddns.key <<END > /dev/null || ret=1
+server 10.53.0.1 ${PORT}
+update add updated4.example.nil. 600 A 10.10.10.3
+send
+END
+sleep 3
+stop_server --use-rndc --port ${CONTROLPORT} ns1
+sleep 3
+# Removing the journal file and restarting the server means
+# that the data served by the new server process are exactly
+# those dumped to the file by "rndc stop".
+rm -f ns1/*jnl
+start_server --noclean --restart --port ${PORT} ns1
+for try in 0 1 2 3 4 5 6 7 8 9; do
+    iret=0
+    $DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
+	updated4.example.nil. @10.53.0.1 a > dig.out.ns1 || iret=1
+    digcomp knowngood.ns1.afterstop dig.out.ns1 || iret=1
+    [ "$iret" -eq 0 ] && break
+    sleep 1
+done
+[ "$iret" -ne 0 ] && ret=1
+[ "$ret" -eq 0 ] || { echo_i "failed"; status=1; }
+
+ret=0
+echo_i "check that 'nsupdate -l' with a missing keyfile reports the missing file"
+$NSUPDATE -4 -p ${PORT} -l -k ns1/nonexistent.key 2> nsupdate.out < /dev/null
+grep ns1/nonexistent.key nsupdate.out > /dev/null || ret=1
+if test $ret -ne 0
+then
+echo_i "failed"; status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "check that 'update-policy local' works from localhost address ($n)"
+$NSUPDATE -k ns5/session.key > nsupdate.out.$n 2>&1 << END || ret=1
+server 10.53.0.5 ${PORT}
+local 127.0.0.1
+update add fromlocal.local.nil. 600 A 1.2.3.4
+send
+END
+grep REFUSED nsupdate.out.$n > /dev/null 2>&1 && ret=1
+$DIG $DIGOPTS @10.53.0.5 \
+        +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
+        fromlocal.local.nil. > dig.out.ns5.$n || ret=1
+grep fromlocal dig.out.ns5.$n > /dev/null 2>&1 || ret=1
+if test $ret -ne 0
+then
+echo_i "failed"; status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "check that 'update-policy local' fails from non-localhost address ($n)"
+grep 'match on session key not from localhost' ns5/named.run > /dev/null && ret=1
+$NSUPDATE -k ns5/session.key > nsupdate.out.$n 2>&1 << END && ret=1
+server 10.53.0.5 ${PORT}
+local 10.53.0.1
+update add nonlocal.local.nil. 600 A 4.3.2.1
+send
+END
+grep REFUSED nsupdate.out.$n > /dev/null 2>&1 || ret=1
+grep 'match on session key not from localhost' ns5/named.run > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.5 \
+        +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
+        nonlocal.local.nil. > dig.out.ns5.$n || ret=1
+grep nonlocal dig.out.ns5.$n > /dev/null 2>&1 && ret=1
+if test $ret -ne 0
+then
+echo_i "failed"; status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "check that 'update-policy tcp-self' refuses update of records via UDP ($n)"
+$NSUPDATE > nsupdate.out.$n 2>&1 << END
+server 10.53.0.6 ${PORT}
+local 127.0.0.1
+update add 1.0.0.127.in-addr.arpa. 600 PTR localhost.
+send
+END
+grep REFUSED nsupdate.out.$n > /dev/null 2>&1 || ret=1
+$DIG $DIGOPTS @10.53.0.6 \
+        +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
+        -x 127.0.0.1 > dig.out.ns6.$n
+grep localhost. dig.out.ns6.$n > /dev/null 2>&1 && ret=1
+if test $ret -ne 0
+then
+echo_i "failed"; status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "check that 'update-policy tcp-self' permits update of records for the client's own address via TCP ($n)"
+$NSUPDATE -v > nsupdate.out.$n 2>&1 << END || ret=1
+server 10.53.0.6 ${PORT}
+local 127.0.0.1
+update add 1.0.0.127.in-addr.arpa. 600 PTR localhost.
+send
+END
+grep REFUSED nsupdate.out.$n > /dev/null 2>&1 && ret=1
+$DIG $DIGOPTS @10.53.0.6 \
+        +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
+        -x 127.0.0.1 > dig.out.ns6.$n || ret=1
+grep localhost. dig.out.ns6.$n > /dev/null 2>&1 || ret=1
+if test $ret -ne 0
+then
+echo_i "failed"; status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "check that 'update-policy tcp-self' refuses update of records for a different address from the client's own address via TCP ($n)"
+$NSUPDATE -v > nsupdate.out.$n 2>&1 << END
+server 10.53.0.6 ${PORT}
+local 127.0.0.1
+update add 1.0.168.192.in-addr.arpa. 600 PTR localhost.
+send
+END
+grep REFUSED nsupdate.out.$n > /dev/null 2>&1 || ret=1
+$DIG $DIGOPTS @10.53.0.6 \
+        +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
+        -x 192.168.0.1 > dig.out.ns6.$n
+grep localhost. dig.out.ns6.$n > /dev/null 2>&1 && ret=1
+if test $ret -ne 0
+then
+echo_i "failed"; status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "check that 'update-policy subdomain' is properly enforced ($n)"
+# "restricted.example.nil" matches "grant ... subdomain restricted.example.nil"
+# and thus this UPDATE should succeed.
+$NSUPDATE -d <<END > nsupdate.out1-$n 2>&1 || ret=1
+server 10.53.0.1 ${PORT}
+key restricted.example.nil 1234abcd8765
+update add restricted.example.nil 0 IN TXT everywhere.
+send
+END
+$DIG $DIGOPTS +tcp @10.53.0.1 restricted.example.nil TXT > dig.out.1.test$n || ret=1
+grep "TXT.*everywhere" dig.out.1.test$n > /dev/null || ret=1
+# "example.nil" does not match "grant ... subdomain restricted.example.nil" and
+# thus this UPDATE should fail.
+$NSUPDATE -d <<END > nsupdate.out2-$n 2>&1 && ret=1
+server 10.53.0.1 ${PORT}
+key restricted.example.nil 1234abcd8765
+update add example.nil 0 IN TXT everywhere.
+send
+END
+$DIG $DIGOPTS +tcp @10.53.0.1 example.nil TXT > dig.out.2.test$n || ret=1
+grep "TXT.*everywhere" dig.out.2.test$n > /dev/null && ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that 'update-policy zonesub' is properly enforced ($n)"
+# grant zonesub-key.example.nil zonesub TXT;
+# the A record update should be rejected as it is not in the type list
+$NSUPDATE -d <<END > nsupdate.out1-$n 2>&1 && ret=1
+server 10.53.0.1 ${PORT}
+key zonesub-key.example.nil 1234subk8765
+update add zonesub.example.nil 0 IN A 1.2.3.4
+send
+END
+$DIG $DIGOPTS +tcp @10.53.0.1 zonesub.example.nil A > dig.out.1.test$n || ret=1
+grep "status: REFUSED" nsupdate.out1-$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.1.test$n > /dev/null || ret=1
+# the TXT record update should be accepted as it is in the type list
+$NSUPDATE -d <<END > nsupdate.out2-$n 2>&1 || ret=1
+server 10.53.0.1 ${PORT}
+key zonesub-key.example.nil 1234subk8765
+update add zonesub.example.nil 0 IN TXT everywhere.
+send
+END
+$DIG $DIGOPTS +tcp @10.53.0.1 zonesub.example.nil TXT > dig.out.2.test$n || ret=1
+grep "status: REFUSED" nsupdate.out2-$n > /dev/null && ret=1
+grep "ANSWER: 1," dig.out.2.test$n > /dev/null || ret=1
+grep "TXT.*everywhere" dig.out.2.test$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check 'grant' in deny name + grant subdomain ($n)"
+$NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1
+key hmac-sha256:subkey 1234abcd8765
+server 10.53.0.9 ${PORT}
+zone denyname.example
+update add foo.denyname.example 3600 IN TXT added
+send
+EOF
+$DIG $DIGOPTS +tcp @10.53.0.9 foo.denyname.example TXT > dig.out.ns9.test$n
+grep "added" dig.out.ns9.test$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check 'deny' in deny name + grant subdomain ($n)"
+$NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
+key hmac-sha256:subkey 1234abcd8765
+server 10.53.0.9 ${PORT}
+zone denyname.example
+update add denyname.example 3600 IN TXT added
+send
+EOF
+$DIG $DIGOPTS +tcp @10.53.0.9 denyname.example TXT > dig.out.ns9.test$n
+grep "added" dig.out.ns9.test$n > /dev/null && ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that changes to the DNSKEY RRset TTL do not have side effects ($n)"
+$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd dnskey.test. \
+        @10.53.0.3 dnskey | \
+	awk -v port="${PORT}" 'BEGIN { print "server 10.53.0.3", port; }
+	$2 == 10 && $3 == "IN" && $4 == "DNSKEY" { $2 = 600; print "update add", $0 }
+	END { print "send" }' > update.in.$n
+$NSUPDATE update.in.$n
+
+$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd dnskey.test. \
+	@10.53.0.3 any > dig.out.ns3.$n
+
+grep "600.*DNSKEY" dig.out.ns3.$n > /dev/null || ret=1
+grep TYPE65534 dig.out.ns3.$n > /dev/null && ret=1
+if test $ret -ne 0
+then
+echo_i "failed"; status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "check notify with TSIG worked ($n)"
+# if the alternate view received a notify--meaning, the notify was
+# validly signed by "altkey"--then the zonefile update.alt.bk will
+# will have been created.
+[ -f ns2/update.alt.bk ] || ret=1
+if [ $ret -ne 0 ]; then
+    echo_i "failed"
+    status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "check type list options ($n)"
+$NSUPDATE -T > typelist.out.T.${n} || { ret=1; echo_i "nsupdate -T failed"; }
+$NSUPDATE -P > typelist.out.P.${n} || { ret=1; echo_i "nsupdate -P failed"; }
+$NSUPDATE -TP > typelist.out.TP.${n} || { ret=1; echo_i "nsupdate -TP failed"; }
+grep ANY typelist.out.T.${n} > /dev/null && { ret=1; echo_i "failed: ANY found (-T)"; }
+grep ANY typelist.out.P.${n} > /dev/null && { ret=1; echo_i "failed: ANY found (-P)"; }
+grep ANY typelist.out.TP.${n} > /dev/null && { ret=1; echo_i "failed: ANY found (-TP)"; }
+grep KEYDATA typelist.out.T.${n} > /dev/null && { ret=1; echo_i "failed: KEYDATA found (-T)"; }
+grep KEYDATA typelist.out.P.${n} > /dev/null && { ret=1; echo_i "failed: KEYDATA found (-P)"; }
+grep KEYDATA typelist.out.TP.${n} > /dev/null && { ret=1; echo_i "failed: KEYDATA found (-TP)"; }
+grep AAAA typelist.out.T.${n} > /dev/null || { ret=1; echo_i "failed: AAAA not found (-T)"; }
+grep AAAA typelist.out.P.${n} > /dev/null && { ret=1; echo_i "failed: AAAA found (-P)"; }
+grep AAAA typelist.out.TP.${n} > /dev/null || { ret=1; echo_i "failed: AAAA not found (-TP)"; }
+if [ $ret -ne 0 ]; then
+    echo_i "failed"
+    status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "check command list ($n)"
+(
+while read cmd
+do
+    echo "$cmd" | $NSUPDATE  > /dev/null 2>&1
+    if test $? -gt 1 ; then
+	echo_i "failed ($cmd)"
+	ret=1
+    fi
+    echo "$cmd " | $NSUPDATE  > /dev/null 2>&1
+    if test $? -gt 1 ; then
+	echo_i "failed ($cmd)"
+	ret=1
+    fi
+done
+exit $ret
+) < commandlist || ret=1
+if [ $ret -ne 0 ]; then
+    status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "check TSIG key algorithms (nsupdate -k) ($n)"
+if $FEATURETEST --md5
+then
+	ALGS="md5 sha1 sha224 sha256 sha384 sha512"
+else
+	ALGS="sha1 sha224 sha256 sha384 sha512"
+	echo_i "skipping disabled md5 algorithm"
+fi
+for alg in $ALGS; do
+    $NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1
+server 10.53.0.1 ${PORT}
+update add ${alg}.keytests.nil. 600 A 10.10.10.3
+send
+END
+done
+sleep 2
+for alg in $ALGS; do
+    $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1
+done
+if [ $ret -ne 0 ]; then
+    echo_i "failed"
+    status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "check TSIG key algorithms (nsupdate -y) ($n)"
+for alg in md5 sha1 sha224 sha256 sha384 sha512; do
+    secret=$(sed -n 's/.*secret "\(.*\)";.*/\1/p' ns1/${alg}.key)
+    $NSUPDATE -y "hmac-${alg}:${alg}-key:$secret" <<END > /dev/null || ret=1
+server 10.53.0.1 ${PORT}
+update add ${alg}.keytests.nil. 600 A 10.10.10.50
+send
+END
+done
+sleep 2
+for alg in md5 sha1 sha224 sha256 sha384 sha512; do
+    $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.50 > /dev/null 2>&1 || ret=1
+done
+if [ $ret -ne 0 ]; then
+    echo_i "failed"
+    status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "check that ttl is capped by max-ttl ($n)"
+$NSUPDATE <<END > /dev/null || ret=1
+server 10.53.0.1 ${PORT}
+update add cap.max-ttl.nil. 600 A 10.10.10.3
+update add nocap.max-ttl.nil. 150 A 10.10.10.3
+send
+END
+sleep 2
+$DIG $DIGOPTS @10.53.0.1  cap.max-ttl.nil | grep "^cap.max-ttl.nil.	300" > /dev/null 2>&1 || ret=1
+$DIG $DIGOPTS @10.53.0.1  nocap.max-ttl.nil | grep "^nocap.max-ttl.nil.	150" > /dev/null 2>&1 || ret=1
+if [ $ret -ne 0 ]; then
+    echo_i "failed"
+    status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "add a record which is truncated when logged. ($n)"
+$NSUPDATE verylarge || ret=1
+$DIG $DIGOPTS +tcp @10.53.0.1 txt txt.update.nil > dig.out.ns1.test$n
+grep "ANSWER: 1," dig.out.ns1.test$n > /dev/null || ret=1
+grep "adding an RR at 'txt.update.nil' TXT .* \[TRUNCATED\]"  ns1/named.run > /dev/null || ret=1
+if [ $ret -ne 0 ]; then
+    echo_i "failed"
+    status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "check that yyyymmddvv serial number is correctly generated ($n)"
+oldserial=$($DIG $DIGOPTS +short yyyymmddvv.nil. soa @10.53.0.1 | awk '{print $3}') || ret=1
+$NSUPDATE <<END > /dev/null 2>&1 || ret=1
+    server 10.53.0.1 ${PORT}
+    ttl 600
+    update add new.yyyymmddvv.nil in a 1.2.3.4
+    send
+END
+now=$($PERL -e '@lt=localtime(); printf "%.4d%0.2d%0.2d00\n",$lt[5]+1900,$lt[4]+1,$lt[3];')
+sleep 1
+serial=$($DIG $DIGOPTS +short yyyymmddvv.nil. soa @10.53.0.1 | awk '{print $3}') || ret=1
+[ "$oldserial" -ne "$serial" ] || ret=1
+[ "$serial" -eq "$now" ] || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+#
+#  Refactor to use perl to launch the parallel updates.
+#
+if false
+then
+n=$((n + 1))
+echo_i "send many simultaneous updates via a update forwarder ($n)"
+ret=0
+for i in 0 1 2 3 4 5 6 7
+do
+(
+    for j in 0 1 2 3 4 5 6 7
+    do
+    (
+	$NSUPDATE << EOF
+server 10.53.0.3 ${PORT}
+zone many.test
+update add $i-$j.many.test 0 IN A 1.2.3.4
+send
+EOF
+    ) &
+    done
+    wait
+) &
+done
+wait
+dig axfr many.test @10.53.0.1 > dig.out.test$n
+lines=$(awk '$4 == "A" { l++ } END { print l }' dig.out.test$n)
+test ${lines:-0} -eq 64 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+fi
+
+n=$((n + 1))
+echo_i "check max-journal-size limits ($n)"
+ret=0
+rm -f nsupdate.out1-$n
+# add one record
+$NSUPDATE << EOF >> nsupdate.out1-$n 2>&1
+server 10.53.0.1 ${PORT}
+zone maxjournal.test
+update add z.maxjournal.test 300 IN A 10.20.30.40
+send
+EOF
+for i in 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do
+    # repeatedly add and remove the same set of records to fill up
+    # the journal file without changing the zone content
+    $NSUPDATE << EOF >> nsupdate.out1-$n 2>&1
+server 10.53.0.1 ${PORT}
+zone maxjournal.test
+update add a.maxjournal.test 300 IN A 1.2.3.4
+update add b.maxjournal.test 300 IN A 1.2.3.4
+update add c.maxjournal.test 300 IN A 1.2.3.4
+update add d.maxjournal.test 300 IN A 1.2.3.4
+send
+update del a.maxjournal.test
+update del b.maxjournal.test
+update del c.maxjournal.test
+update del d.maxjournal.test
+send
+EOF
+done
+# check that the journal is big enough to require truncation.
+size=$($PERL -e 'use File::stat; my $sb = stat(@ARGV[0]); printf("%s\n", $sb->size);' ns1/maxjournal.db.jnl)
+[ "$size" -gt 6000 ] || ret=1
+sleep 1
+$RNDCCMD 10.53.0.1 sync maxjournal.test
+check_size_lt_5000() (
+    size=$($PERL -e 'use File::stat; my $sb = stat(@ARGV[0]); printf("%s\n", $sb->size);' ns1/maxjournal.db.jnl)
+    [ "$size" -lt 5000 ]
+)
+retry_quiet 20 check_size_lt_5000 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+echo_i "check check-names processing ($n)"
+ret=0
+$NSUPDATE << EOF > nsupdate.out1-$n 2>&1
+update add # 0 in a 1.2.3.4
+EOF
+grep "bad owner" nsupdate.out1-$n > /dev/null || ret=1
+
+$NSUPDATE << EOF > nsupdate.out2-$n 2>&1
+check-names off
+update add # 0 in a 1.2.3.4
+EOF
+grep "bad owner" nsupdate.out2-$n > /dev/null && ret=1
+
+$NSUPDATE << EOF > nsupdate.out3-$n 2>&1
+update add . 0 in mx 0 #
+EOF
+grep "bad name" nsupdate.out3-$n > /dev/null || ret=1
+
+$NSUPDATE << EOF > nsupdate.out4-$n 2>&1
+check-names off
+update add . 0 in mx 0 #
+EOF
+grep "bad name" nsupdate.out4-$n > /dev/null && ret=1
+
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+echo_i "check adding of delegating NS records processing ($n)"
+ret=0
+$NSUPDATE -v << EOF > nsupdate.out-$n 2>&1 || ret=1
+server 10.53.0.3 ${PORT}
+zone delegation.test.
+update add child.delegation.test. 3600 NS foo.example.net.
+update add child.delegation.test. 3600 NS bar.example.net.
+send
+EOF
+$DIG $DIGOPTS +tcp @10.53.0.3 ns child.delegation.test > dig.out.ns1.test$n
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1
+grep "AUTHORITY: 2" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+echo_i "check deleting of delegating NS records processing ($n)"
+ret=0
+$NSUPDATE -v << EOF > nsupdate.out-$n 2>&1 || ret=1
+server 10.53.0.3 ${PORT}
+zone delegation.test.
+update del child.delegation.test. 3600 NS foo.example.net.
+update del child.delegation.test. 3600 NS bar.example.net.
+send
+EOF
+$DIG $DIGOPTS +tcp @10.53.0.3 ns child.delegation.test > dig.out.ns1.test$n
+grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+echo_i "check that adding too many records is blocked ($n)"
+ret=0
+$NSUPDATE -v << EOF > nsupdate.out-$n 2>&1 && ret=1
+server 10.53.0.3 ${PORT}
+zone too-big.test.
+update add r1.too-big.test 3600 IN TXT r1.too-big.test
+send
+EOF
+grep "update failed: SERVFAIL" nsupdate.out-$n > /dev/null || ret=1
+$DIG $DIGOPTS +tcp @10.53.0.3 r1.too-big.test TXT > dig.out.ns3.test$n
+grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1
+grep "records in zone (4) exceeds max-records (3)" ns3/named.run > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check whether valid addresses are used for primary failover ($n)"
+$NSUPDATE -t 1 <<END > nsupdate.out-$n 2>&1 && ret=1
+server 10.53.0.4 ${PORT}
+zone unreachable.
+update add unreachable. 600 A 192.0.2.1
+send
+END
+grep "; Communication with 10.53.0.4#${PORT} failed: timed out" nsupdate.out-$n > /dev/null 2>&1 || ret=1
+grep "not implemented" nsupdate.out-$n > /dev/null 2>&1 && ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "ensure bad owner name is fatal in non-interactive mode ($n)"
+$NSUPDATE <<END > nsupdate.out 2>&1 && ret=1
+    update add emptylabel..nil. 600 A 10.10.10.1
+END
+grep "invalid owner name: empty label" nsupdate.out > /dev/null || ret=1
+grep "syntax error" nsupdate.out > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "ensure bad owner name is not fatal in interactive mode ($n)"
+$NSUPDATE -i <<END > nsupdate.out 2>&1 || ret=1
+    update add emptylabel..nil. 600 A 10.10.10.1
+END
+grep "invalid owner name: empty label" nsupdate.out > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "ensure invalid key type is fatal in non-interactive mode ($n)"
+$NSUPDATE <<END > nsupdate.out 2>&1 && ret=1
+    key badkeytype:example abcd12345678
+END
+grep "unknown key type 'badkeytype'" nsupdate.out > /dev/null || ret=1
+grep "syntax error" nsupdate.out > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "ensure invalid key type is not fatal in interactive mode ($n)"
+$NSUPDATE -i <<END > nsupdate.out 2>&1 || ret=1
+    key badkeytype:example abcd12345678
+END
+grep "unknown key type 'badkeytype'" nsupdate.out > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "ensure unresolvable server name is fatal in non-interactive mode ($n)"
+$NSUPDATE <<END > nsupdate.out 2>&1 && ret=1
+    server unresolvable..
+END
+grep "couldn't get address for 'unresolvable..':" nsupdate.out > /dev/null || ret=1
+grep "syntax error" nsupdate.out > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "ensure unresolvable server name is not fatal in interactive mode ($n)"
+$NSUPDATE -i <<END > nsupdate.out 2>&1 || ret=1
+    server unresolvable..
+END
+grep "couldn't get address for 'unresolvable..':" nsupdate.out > /dev/null || ret=1
+grep "syntax error" nsupdate.out > /dev/null && ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check nsupdate -4 -6 ($n)"
+$NSUPDATE -4 -6 <<END > nsupdate.out-$n 2>&1 && ret=1
+server 10.53.0.3 ${PORT}
+zone delegation.test.
+update del child.delegation.test. 3600 NS foo.example.net.
+update del child.delegation.test. 3600 NS bar.example.net.
+send
+END
+grep "only one of -4 and -6 allowed" nsupdate.out-$n > /dev/null 2>&1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check nsupdate -4 with an IPv6 server address ($n)"
+$NSUPDATE -4 <<END > nsupdate.out-$n 2>&1 && ret=1
+server fd92:7065:b8e:ffff::2 ${PORT}
+zone delegation.test.
+update del child.delegation.test. 3600 NS foo.example.net.
+update del child.delegation.test. 3600 NS bar.example.net.
+send
+END
+grep "address family not supported" nsupdate.out-$n > /dev/null 2>&1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that TKEY in a update is rejected ($n)"
+$NSUPDATE -d <<END > nsupdate.out-$n 2>&1 && ret=1
+server 10.53.0.3 ${PORT}
+update add tkey.example 0 in tkey invalid.algorithm. 1516055980 1516140801 1 0 16 gRof8D2BFKvl/vrr9Lmnjw== 16 gRof8D2BFKvl/vrr9Lmnjw==
+send
+END
+grep "UPDATE, status: NOERROR" nsupdate.out-$n > /dev/null 2>&1 || ret=1
+grep "UPDATE, status: FORMERR" nsupdate.out-$n > /dev/null 2>&1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that DS to the zone apex is ignored ($n)"
+$DIG $DIGOPTS +tcp +norec example DS @10.53.0.3 > dig.out.pre.test$n || ret=1
+grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1
+nextpart ns3/named.run > /dev/null
+# specify zone to override the default of adding to parent zone
+$NSUPDATE -d <<END > nsupdate.out-$n 2>&1 || ret=1
+server 10.53.0.3 ${PORT}
+zone example
+update add example 0 in DS 14364 10 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C
+send
+END
+msg=": attempt to add a DS record at zone apex ignored"
+nextpart ns3/named.run | grep "$msg" > /dev/null || ret=1
+$DIG $DIGOPTS +tcp +norec example DS @10.53.0.3 > dig.out.post.test$n || ret=1
+grep "status: NOERROR" dig.out.post.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.post.test$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that CDS with mismatched algorithm to DNSSEC multisigner zone is not allowed ($n)"
+$DIG $DIGOPTS +tcp +norec multisigner.test CDS @10.53.0.3 > dig.out.pre.test$n || ret=1
+grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1
+$NSUPDATE -d <<END > nsupdate.out-$n 2>&1 && ret=1
+server 10.53.0.3 ${PORT}
+zone multisigner.test
+update add multisigner.test 3600 IN CDS 14364 14 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C
+send
+END
+msg=": bad CDS RRset"
+nextpart ns3/named.run | grep "$msg" > /dev/null || ret=1
+$DIG $DIGOPTS +tcp +norec multisigner.test CDS @10.53.0.3 > dig.out.post.test$n || ret=1
+grep "status: NOERROR" dig.out.post.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.post.test$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that CDNSKEY with mismatched algorithm to DNSSEC multisigner zone is not allowed ($n)"
+$DIG $DIGOPTS +tcp +norec multisigner.test CDNSKEY @10.53.0.3 > dig.out.pre.test$n || ret=1
+grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1
+nextpart ns3/named.run > /dev/null
+$NSUPDATE -d <<END > nsupdate.out-$n 2>&1 && ret=1
+server 10.53.0.3 ${PORT}
+zone multisigner.test
+update add multisigner.test 3600 IN CDNSKEY 257 3 14 d0NQ5PKmDz6P0B1WPMH9/UKRux/toSFwV2nTJYPA1Cx8pB0sJGTXbVhG U+6gye7VCHDhGIn9CjVfb2RJPW7GnQ==
+send
+END
+msg=": bad CDNSKEY RRset"
+nextpart ns3/named.run | grep "$msg" > /dev/null || ret=1
+$DIG $DIGOPTS +tcp +norec multisigner.test CDNSKEY @10.53.0.3 > dig.out.post.test$n || ret=1
+grep "status: NOERROR" dig.out.post.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.post.test$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that CDS to DNSSEC multisigner zone is allowed ($n)"
+$DIG $DIGOPTS +tcp +norec multisigner.test CDS @10.53.0.3 > dig.out.pre.test$n || ret=1
+grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1
+$NSUPDATE -d <<END > nsupdate.out-$n 2>&1 || ret=1
+server 10.53.0.3 ${PORT}
+zone multisigner.test
+update add multisigner.test 3600 IN CDS 14364 13 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C
+send
+END
+retry_quiet 5 has_positive_response multisigner.test CDS 10.53.0.3 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that CDNSKEY to DNSSEC multisigner zone is allowed ($n)"
+$DIG $DIGOPTS +tcp +norec multisigner.test CDNSKEY @10.53.0.3 > dig.out.pre.test$n || ret=1
+grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1
+$NSUPDATE -d <<END > nsupdate.out-$n 2>&1 || ret=1
+server 10.53.0.3 ${PORT}
+zone multisigner.test
+update add multisigner.test 3600 IN CDNSKEY 257 3 13 d0NQ5PKmDz6P0B1WPMH9/UKRux/toSFwV2nTJYPA1Cx8pB0sJGTXbVhG U+6gye7VCHDhGIn9CjVfb2RJPW7GnQ==
+send
+END
+retry_quiet 5 has_positive_response multisigner.test CDNSKEY 10.53.0.3 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that excessive NSEC3PARAM iterations are rejected by nsupdate ($n)"
+$NSUPDATE -d <<END > nsupdate.out-$n 2>&1 && ret=1
+server 10.53.0.3 ${PORT}
+zone example
+update add example 0 in NSEC3PARAM 1 0 151 -
+END
+grep "NSEC3PARAM has excessive iterations (> 150)" nsupdate.out-$n >/dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that update is rejected if query is not allowed ($n)"
+{
+  $NSUPDATE -d <<END
+  local 10.53.0.2
+  server 10.53.0.1 ${PORT}
+  update add reject.other.nil 3600 IN TXT Whatever
+  send
+END
+} > nsupdate.out.test$n 2>&1
+grep 'failed: REFUSED' nsupdate.out.test$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+# This check is unstable on Windows.
+if [ ! "$CYGWIN" ]; then
+  n=$((n + 1))
+  ret=0
+  echo_i "check that update is rejected if quota is exceeded ($n)"
+  for loop in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do
+  {
+    $NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > /dev/null 2>&1 <<END
+    update add txt-$loop.other.nil 3600 IN TXT Whatever
+    send
+END
+  } &
+  done
+  wait_for_log 10 "too many DNS UPDATEs queued" ns1/named.run || ret=1
+  [ $ret = 0 ] || { echo_i "failed"; status=1; }
+fi
+
+if ! $FEATURETEST --gssapi ; then
+  echo_i "SKIPPED: GSSAPI tests"
+else
+  n=$((n + 1))
+  ret=0
+  echo_i "check krb5-self match ($n)"
+  KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache"
+  export KRB5CCNAME
+  $NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1
+  gsstsig
+  realm EXAMPLE.COM
+  server 10.53.0.7 ${PORT}
+  zone example.com
+  update add machine.example.com 3600 IN A 10.53.0.7
+  send
+EOF
+  $DIG $DIGOPTS +tcp @10.53.0.7 machine.example.com A > dig.out.ns7.test$n
+  grep "status: NOERROR" dig.out.ns7.test$n > /dev/null || ret=1
+  grep "machine.example.com..*A.*10.53.0.7" dig.out.ns7.test$n > /dev/null || ret=1
+  [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+  n=$((n + 1))
+  ret=0
+  echo_i "check krb5-self no-match ($n)"
+  KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache"
+  export KRB5CCNAME
+  $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
+  gsstsig
+  realm EXAMPLE.COM
+  server 10.53.0.7 ${PORT}
+  zone example.com
+  update add foo.example.com 3600 IN A 10.53.0.7
+  send
+EOF
+  grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
+  $DIG $DIGOPTS +tcp @10.53.0.7 foo.example.com A > dig.out.ns7.test$n
+  grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1
+  [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+  n=$((n + 1))
+  ret=0
+  echo_i "check krb5-subdomain match ($n)"
+  KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache"
+  export KRB5CCNAME
+  $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1
+  gsstsig
+  realm EXAMPLE.COM
+  server 10.53.0.7 ${PORT}
+  zone example.com
+  update add _xxx._tcp.example.com 3600 IN SRV 0 0 0 machine.example.com
+  send
+EOF
+  $DIG $DIGOPTS +tcp @10.53.0.7 _xxx._tcp.example.com SRV > dig.out.ns7.test$n
+  grep "status: NOERROR" dig.out.ns7.test$n > /dev/null || ret=1
+  grep "_xxx._tcp.example.com.*SRV.*0 0 0 machine.example.com" dig.out.ns7.test$n > /dev/null || ret=1
+  [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+  n=$((n + 1))
+  ret=0
+  echo_i "check krb5-subdomain no-match ($n)"
+  KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache"
+  export KRB5CCNAME
+  $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
+  gsstsig
+  realm EXAMPLE.COM
+  server 10.53.0.7 ${PORT}
+  zone example.com
+  update add _xxx._udp.example.com 3600 IN SRV 0 0 0 machine.example.com
+  send
+EOF
+  grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
+  $DIG $DIGOPTS +tcp @10.53.0.7 _xxx._udp.example.com SRV > dig.out.ns7.test$n
+  grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1
+  [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+  n=$((n+1))
+  ret=0
+  echo_i "check krb5-selfsub match ($n)"
+  KRB5CCNAME="FILE:$(pwd)/ns8/machine.ccache"
+  export KRB5CCNAME
+  $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1
+  gsstsig
+  realm EXAMPLE.COM
+  server 10.53.0.8 ${PORT}
+  zone example.com
+  update add xxx.machine.example.com 3600 IN A 10.53.0.8
+  send
+EOF
+  $DIG $DIGOPTS +tcp @10.53.0.8 xxx.machine.example.com A > dig.out.ns8.test$n
+  grep "status: NOERROR" dig.out.ns8.test$n > /dev/null || ret=1
+  grep "xxx.machine.example.com..*A.*10.53.0.8" dig.out.ns8.test$n > /dev/null || ret=1
+  [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+  n=$((n + 1))
+  ret=0
+  echo_i "check krb5-selfsub no-match ($n)"
+  KRB5CCNAME="FILE:$(pwd)/ns8/machine.ccache"
+  export KRB5CCNAME
+  $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
+  gsstsig
+  realm EXAMPLE.COM
+  server 10.53.0.8 ${PORT}
+  zone example.com
+  update add foo.example.com 3600 IN A 10.53.0.8
+  send
+EOF
+  grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
+  $DIG $DIGOPTS +tcp @10.53.0.8 foo.example.com A > dig.out.ns8.test$n
+  grep "status: NXDOMAIN" dig.out.ns8.test$n > /dev/null || ret=1
+  [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+  n=$((n + 1))
+  ret=0
+
+  echo_i "check ms-self match ($n)"
+  KRB5CCNAME="FILE:$(pwd)/ns9/machine.ccache"
+  export KRB5CCNAME
+  $NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1
+  gsstsig
+  realm EXAMPLE.COM
+  server 10.53.0.9 ${PORT}
+  zone example.com
+  update add machine.example.com 3600 IN A 10.53.0.9
+  send
+EOF
+  $DIG $DIGOPTS +tcp @10.53.0.9 machine.example.com A > dig.out.ns9.test$n
+  grep "status: NOERROR" dig.out.ns9.test$n > /dev/null || ret=1
+  grep "machine.example.com..*A.*10.53.0.9" dig.out.ns9.test$n > /dev/null || ret=1
+  [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+  n=$((n + 1))
+  ret=0
+  echo_i "check ms-self no-match ($n)"
+  KRB5CCNAME="FILE:$(pwd)/ns9/machine.ccache"
+  export KRB5CCNAME
+  $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
+  gsstsig
+  realm EXAMPLE.COM
+  server 10.53.0.9 ${PORT}
+  zone example.com
+  update add foo.example.com 3600 IN A 10.53.0.9
+  send
+EOF
+  grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
+  $DIG $DIGOPTS +tcp @10.53.0.9 foo.example.com A > dig.out.ns9.test$n
+  grep "status: NXDOMAIN" dig.out.ns9.test$n > /dev/null || ret=1
+  [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+  n=$((n + 1))
+  ret=0
+  echo_i "check ms-subdomain match ($n)"
+  KRB5CCNAME="FILE:$(pwd)/ns9/machine.ccache"
+  export KRB5CCNAME
+  $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1
+  gsstsig
+  realm EXAMPLE.COM
+  server 10.53.0.9 ${PORT}
+  zone example.com
+  update add _xxx._tcp.example.com 3600 IN SRV 0 0 0 machine.example.com
+  send
+EOF
+  $DIG $DIGOPTS +tcp @10.53.0.9 _xxx._tcp.example.com SRV > dig.out.ns9.test$n
+  grep "status: NOERROR" dig.out.ns9.test$n > /dev/null || ret=1
+  grep "_xxx._tcp.example.com.*SRV.*0 0 0 machine.example.com" dig.out.ns9.test$n > /dev/null || ret=1
+  [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+  n=$((n + 1))
+  ret=0
+  echo_i "check ms-subdomain no-match ($n)"
+  KRB5CCNAME="FILE:$(pwd)/ns9/machine.ccache"
+  export KRB5CCNAME
+  $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
+  gsstsig
+  realm EXAMPLE.COM
+  server 10.53.0.9 ${PORT}
+  zone example.com
+  update add _xxx._udp.example.com 3600 IN SRV 0 0 0 machine.example.com
+  send
+EOF
+  grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
+  $DIG $DIGOPTS +tcp @10.53.0.9 _xxx._udp.example.com SRV > dig.out.ns9.test$n
+  grep "status: NXDOMAIN" dig.out.ns9.test$n > /dev/null || ret=1
+  [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+  n=$((n+1))
+  ret=0
+  echo_i "check ms-selfsub match ($n)"
+  KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache"
+  export KRB5CCNAME
+  $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1
+  gsstsig
+  realm EXAMPLE.COM
+  server 10.53.0.10 ${PORT}
+  zone example.com
+  update add xxx.machine.example.com 3600 IN A 10.53.0.10
+  send
+EOF
+  $DIG $DIGOPTS +tcp @10.53.0.10 xxx.machine.example.com A > dig.out.ns10.test$n
+  grep "status: NOERROR" dig.out.ns10.test$n > /dev/null || ret=1
+  grep "xxx.machine.example.com..*A.*10.53.0.10" dig.out.ns10.test$n > /dev/null || ret=1
+  [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+  n=$((n + 1))
+  ret=0
+  echo_i "check ms-selfsub no-match ($n)"
+  KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache"
+  export KRB5CCNAME
+  $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
+  gsstsig
+  realm EXAMPLE.COM
+  server 10.53.0.10 ${PORT}
+  zone example.com
+  update add foo.example.com 3600 IN A 10.53.0.10
+  send
+EOF
+  grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1
+  $DIG $DIGOPTS +tcp @10.53.0.10 foo.example.com A > dig.out.ns10.test$n
+  grep "status: NXDOMAIN" dig.out.ns10.test$n > /dev/null || ret=1
+  [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+fi
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/nsupdate/update_test.pl b/bin/tests/system/nsupdate/update_test.pl
new file mode 100644
index 0000000..835f1f8
--- /dev/null
+++ b/bin/tests/system/nsupdate/update_test.pl
@@ -0,0 +1,429 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Dynamic update test suite.
+#
+# Usage:
+#
+#   perl update_test.pl [-s server] [-p port] zone
+#
+# The server defaults to 127.0.0.1.
+# The port defaults to 53.
+#
+# The "Special NS rules" tests will only work correctly if the
+# zone has no NS records to begin with, or alternatively has a
+# single NS record pointing at the name "ns1" (relative to
+# the zone name).
+#
+# Installation notes:
+#
+# This program uses the Net::DNS::Resolver module.
+# You can install it by saying
+#
+#    perl -MCPAN -e "install Net::DNS"
+#
+
+use Getopt::Std;
+use Net::DNS;
+use Net::DNS::Update;
+use Net::DNS::Resolver;
+
+$opt_s = "127.0.0.1";
+$opt_p = 53;
+
+getopt('s:p:');
+
+$res = new Net::DNS::Resolver;
+$res->nameservers($opt_s);
+$res->port($opt_p);
+$res->defnames(0); # Do not append default domain.
+
+@ARGV == 1 or die
+    "usage: perl update_test.pl [-s server] [-p port] zone\n";
+
+$zone = shift @ARGV;
+
+my $failures = 0;
+
+sub assert {
+    my ($cond, $explanation) = @_;
+    if (!$cond) {
+	print "Test Failed: $explanation ***\n";
+	$failures++;
+    }
+}
+
+sub test {
+    my ($expected, @records) = @_;
+
+    my $update = new Net::DNS::Update("$zone");
+
+    foreach $rec (@records) {
+	$update->push(@$rec);
+    }
+
+    $reply = $res->send($update);
+
+    # Did it work?
+    if (defined $reply) {
+	my $rcode = $reply->header->rcode;
+        assert($rcode eq $expected, "expected $expected, got $rcode");
+    } else {
+	print "Update failed: ", $res->errorstring, "\n";
+	$failures++;
+    }
+}
+
+sub section {
+    my ($msg) = @_;
+    print "$msg\n";
+}
+
+section("Delete any leftovers from previous tests");
+test("NOERROR", ["update", rr_del("a.$zone")]);
+test("NOERROR", ["update", rr_del("b.$zone")]);
+test("NOERROR", ["update", rr_del("c.$zone")]);
+test("NOERROR", ["update", rr_del("d.$zone")]);
+test("NOERROR", ["update", rr_del("e.$zone")]);
+test("NOERROR", ["update", rr_del("f.$zone")]);
+test("NOERROR", ["update", rr_del("ns.s.$zone")]);
+test("NOERROR", ["update", rr_del("s.$zone")]);
+test("NOERROR", ["update", rr_del("t.$zone")]);
+test("NOERROR", ["update", rr_del("*.$zone")]);
+test("NOERROR", ["update", rr_del("u.$zone")]);
+test("NOERROR", ["update", rr_del("a.u.$zone")]);
+test("NOERROR", ["update", rr_del("b.u.$zone")]);
+
+section("Simple prerequisites in the absence of data");
+# Name is in Use
+test("NXDOMAIN", ["pre", yxdomain("a.$zone")]);
+# RRset exists (value independent)
+test("NXRRSET", ["pre", yxrrset("a.$zone A")]);
+# Name is not in use
+test("NOERROR", ["pre", nxdomain("a.$zone")]);
+# RRset does not exist
+test("NOERROR", ["pre", nxrrset("a.$zone A")]);
+# RRset exists (value dependent)
+test("NXRRSET", ["pre", yxrrset("a.$zone A 73.80.65.49")]);
+
+
+section ("Simple creation of data");
+test("NOERROR", ["update", rr_add("a.$zone 300 A 73.80.65.49")]);
+
+section ("Simple prerequisites in the presence of data");
+# Name is in use
+test("NOERROR", ["pre", yxdomain("a.$zone")]);
+# RRset exists (value independent)
+test("NOERROR", ["pre", yxrrset("a.$zone A")]);
+# Name is not in use
+test("YXDOMAIN", ["pre", nxdomain("a.$zone")]);
+# RRset does not exist
+test("YXRRSET", ["pre", nxrrset("a.$zone A")]);
+# RRset exists (value dependent)
+test("NOERROR", ["pre", yxrrset("a.$zone A 73.80.65.49")]);
+
+#
+# Merging of RRsets
+#
+test("NOERROR", ["update", rr_add("a.$zone 300 A 73.80.65.50")]);
+
+section("Detailed tests of \"RRset exists (value dependent)\" prerequisites");
+test("NOERROR", ["pre",
+		 yxrrset("a.$zone A 73.80.65.49"),
+		 yxrrset("a.$zone A 73.80.65.50")]);
+test("NOERROR", ["pre",
+		 yxrrset("a.$zone A 73.80.65.50"),
+		 yxrrset("a.$zone A 73.80.65.49")]);
+test("NXRRSET", ["pre", yxrrset("a.$zone A 73.80.65.49")]);
+test("NXRRSET", ["pre", yxrrset("a.$zone A 73.80.65.50")]);
+test("NXRRSET", ["pre",
+		 yxrrset("a.$zone A 73.80.65.49"),
+		 yxrrset("a.$zone A 73.80.65.50"),
+		 yxrrset("a.$zone A 73.80.65.51")]);
+
+
+section("Torture test of \"RRset exists (value dependent)\" prerequisites.");
+
+test("NOERROR", ["update",
+		 rr_add("e.$zone 300 A 73.80.65.49"),
+		 rr_add("e.$zone 300 TXT 'one'"),
+		 rr_add("e.$zone 300 A 73.80.65.50")]);
+test("NOERROR", ["update",
+		 rr_add("e.$zone 300 A 73.80.65.52"),
+		 rr_add("f.$zone 300 A 73.80.65.52"),
+		 rr_add("e.$zone 300 A 73.80.65.51")]);
+test("NOERROR", ["update",
+		 rr_add("e.$zone 300 TXT 'three'"),
+		 rr_add("e.$zone 300 TXT 'two'")]);
+test("NOERROR", ["update",
+		 rr_add("e.$zone 300 MX 10 mail.$zone")]);
+
+test("NOERROR", ["pre",
+		 yxrrset("e.$zone A 73.80.65.52"),
+		 yxrrset("e.$zone TXT 'two'"),
+		 yxrrset("e.$zone A 73.80.65.51"),
+		 yxrrset("e.$zone TXT 'three'"),
+		 yxrrset("e.$zone A 73.80.65.50"),
+		 yxrrset("f.$zone A 73.80.65.52"),
+		 yxrrset("e.$zone A 73.80.65.49"),
+		 yxrrset("e.$zone TXT 'one'")]);
+
+
+section("Subtraction of RRsets");
+test("NOERROR", ["update", rr_del("a.$zone A 73.80.65.49")]);
+test("NOERROR", ["pre",
+		 yxrrset("a.$zone A 73.80.65.50")]);
+
+test("NOERROR", ["update", rr_del("a.$zone A 73.80.65.50")]);
+test("NOERROR", ["pre", nxrrset("a.$zone A")]);
+test("NOERROR", ["pre", nxdomain("a.$zone")]);
+
+section("Other forms of deletion");
+test("NOERROR", ["update", rr_add("a.$zone 300 A 73.80.65.49")]);
+test("NOERROR", ["update", rr_add("a.$zone 300 A 73.80.65.50")]);
+test("NOERROR", ["update", rr_add("a.$zone 300 MX 10 mail.$zone")]);
+test("NOERROR", ["update", rr_del("a.$zone A")]);
+test("NOERROR", ["pre", nxrrset("a.$zone A")]);
+test("NOERROR", ["update", rr_add("a.$zone 300 A 73.80.65.49")]);
+test("NOERROR", ["update", rr_add("a.$zone 300 A 73.80.65.50")]);
+test("NOERROR", ["update", rr_del("a.$zone")]);
+test("NOERROR", ["pre", nxdomain("a.$zone")]);
+
+section("Case insensitivity");
+test("NOERROR", ["update", rr_add("a.$zone 300 PTR foo.net.")]);
+test("NOERROR", ["pre", yxrrset("A.$zone PTR fOo.NeT.")]);
+
+section("Special CNAME rules");
+test("NOERROR", ["update", rr_add("b.$zone 300 CNAME foo.net.")]);
+test("NOERROR", ["update", rr_add("b.$zone 300 A 73.80.65.49")]);
+test("NOERROR", ["pre", yxrrset("b.$zone CNAME foo.net.")]);
+test("NOERROR", ["pre", nxrrset("b.$zone A")]);
+
+test("NOERROR", ["update", rr_add("c.$zone 300 A 73.80.65.49")]);
+test("NOERROR", ["update", rr_add("c.$zone 300 CNAME foo.net.")]);
+test("NOERROR", ["pre", yxrrset("c.$zone A")]);
+test("NOERROR", ["pre", nxrrset("c.$zone CNAME")]);
+
+# XXX should test with SIG, KEY, NXT, too.
+
+#
+# Currently commented out because Net::DNS does not properly
+# support WKS records.
+#
+#section("Special WKS rules");
+#test("NOERROR", ["update", rr_add("c.$zone 300 WKS 73.80.65.49 TCP telnet ftp")]);
+#test("NOERROR", ["update", rr_add("c.$zone 300 WKS 73.80.65.49 UDP telnet ftp")]);
+#test("NOERROR", ["update", rr_add("c.$zone 300 WKS 73.80.65.50 TCP telnet ftp")]);
+#test("NOERROR", ["update", rr_add("c.$zone 300 WKS 73.80.65.49 TCP smtp")]);
+#test("NOERROR", ["pre",
+#		 yxrrset("c.$zone WKS 73.80.65.49 TCP smtp"),
+#		 yxrrset("c.$zone WKS 73.80.65.49 UDP telnet ftp"),
+#		 yxrrset("c.$zone WKS 73.80.65.50 TCP telnet ftp")]);
+
+
+section("Special NS rules");
+
+# Deleting the last NS record using "Delete an RR from an RRset"
+# should fail at the zone apex and work elsewhere.  The pseudocode
+# in RFC2136 says it should fail everywhere, but this is in conflict
+# with the actual text.
+
+# Apex
+test("NOERROR", ["update",
+		 rr_add("$zone 300 NS ns1.$zone"),
+		 rr_add("$zone 300 NS ns2.$zone")]);
+test("NOERROR", ["update", rr_del("$zone NS ns1.$zone")]);
+test("NOERROR", ["update", rr_del("$zone NS ns2.$zone")]);
+test("NOERROR", ["pre",
+		 yxrrset("$zone NS ns2.$zone")]);
+
+# Non-apex
+test("NOERROR", ["update", rr_add("n.$zone 300 NS ns1.$zone")]);
+test("NOERROR", ["update", rr_del("n.$zone NS ns1.$zone")]);
+test("NOERROR", ["pre", nxrrset("n.$zone NS")]);
+
+# Other ways of deleting NS records should also fail at the apex
+# and work elsewhere.
+
+# Non-apex
+test("NOERROR", ["update", rr_add("n.$zone 300 NS ns1.$zone")]);
+test("NOERROR", ["update", rr_del("n.$zone NS")]);
+test("NOERROR", ["pre", nxrrset("n.$zone NS")]);
+
+test("NOERROR", ["update", rr_add("n.$zone 300 NS ns1.$zone")]);
+test("NOERROR", ["pre", yxrrset("n.$zone NS")]);
+test("NOERROR", ["update", rr_del("n.$zone")]);
+test("NOERROR", ["pre", nxrrset("n.$zone NS")]);
+
+# Apex
+test("NOERROR", ["update", rr_del("$zone NS")]);
+test("NOERROR", ["pre",
+		 yxrrset("$zone NS ns2.$zone")]);
+
+test("NOERROR", ["update", rr_del("$zone")]);
+test("NOERROR", ["pre",
+		 yxrrset("$zone NS ns2.$zone")]);
+
+# They should not touch the SOA, either.
+
+test("NOERROR", ["update", rr_del("$zone SOA")]);
+test("NOERROR", ["pre", yxrrset("$zone SOA")]);
+
+
+section("Idempotency");
+
+test("NOERROR", ["update", rr_add("d.$zone 300 A 73.80.65.49")]);
+test("NOERROR", ["pre", yxrrset("d.$zone A 73.80.65.49")]);
+test("NOERROR", ["update",
+		 rr_add("d.$zone 300 A 73.80.65.49"),
+		 rr_del("d.$zone A")]);
+test("NOERROR", ["pre", nxrrset("d.$zone A")]);
+
+test("NOERROR", ["update", rr_del("d.$zone A 73.80.65.49")]);
+test("NOERROR", ["pre", nxrrset("d.$zone A")]);
+test("NOERROR", ["update",
+		   rr_del("d.$zone A"),
+		   rr_add("d.$zone 300 A 73.80.65.49")]);
+
+test("NOERROR", ["pre", yxrrset("d.$zone A")]);
+
+section("Out-of-zone prerequisites and updates");
+test("NOTZONE", ["pre", yxrrset("a.somewhere.else. A 73.80.65.49")]);
+test("NOTZONE", ["update", rr_add("a.somewhere.else. 300 A 73.80.65.49")]);
+
+
+section("Glue");
+test("NOERROR", ["update", rr_add("s.$zone 300 NS ns.s.$zone")]);
+test("NOERROR", ["update", rr_add("ns.s.$zone 300 A 73.80.65.49")]);
+test("NOERROR", ["pre", yxrrset("ns.s.$zone A 73.80.65.49")]);
+
+section("Wildcards");
+test("NOERROR", ["update", rr_add("*.$zone 300 MX 10 mail.$zone")]);
+test("NOERROR", ["pre", yxrrset("*.$zone MX 10 mail.$zone")]);
+test("NXRRSET", ["pre", yxrrset("w.$zone MX 10 mail.$zone")]);
+test("NOERROR", ["pre", nxrrset("w.$zone MX")]);
+test("NOERROR", ["pre", nxdomain("w.$zone")]);
+
+
+section("SOA serial handling");
+
+my $soatimers = "20 20 1814400 3600";
+
+# Get the current SOA serial number.
+my $query = $res->query($zone, "SOA");
+my ($old_soa) = $query->answer;
+
+my $old_serial = $old_soa->serial;
+
+# Increment it by 10.
+my $new_serial = $old_serial + 10;
+if ($new_serial > 0xFFFFFFFF) {
+    $new_serial -= 0x80000000;
+    $new_serial -= 0x80000000;
+}
+
+# Replace the SOA with a new one.
+test("NOERROR", ["update", rr_add("$zone 300 SOA mname1. . $new_serial $soatimers")]);
+
+# Check that the SOA really got replaced.
+($db_soa) = $res->query($zone, "SOA")->answer;
+assert($db_soa->mname eq "mname1");
+
+# Check that attempts to decrement the serial number are ignored.
+$new_serial = $old_serial - 10;
+if ($new_serial < 0) {
+    $new_serial += 0x80000000;
+    $new_serial += 0x80000000;
+}
+test("NOERROR", ["update", rr_add("$zone 300 SOA mname2. . $new_serial $soatimers")]);
+assert($db_soa->mname eq "mname1");
+
+# Check that attempts to leave the serial number unchanged are ignored.
+($old_soa) = $res->query($zone, "SOA")->answer;
+$old_serial = $old_soa->serial;
+test("NOERROR", ["update", rr_add("$zone 300 SOA mname3. . $old_serial " .
+				  $soatimers)]);
+($db_soa) = $res->query($zone, "SOA")->answer;
+assert($db_soa->mname eq "mname1");
+
+#
+# Currently commented out because Net::DNS does not properly
+# support multiple strings in TXT records.
+#
+#section("Big data");
+#test("NOERROR", ["update", rr_add("a.$zone 300 TXT aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc")]);
+#test("NOERROR", ["update", rr_del("a.$zone TXT aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc")]);
+test("NOERROR", ["update", rr_add("a.$zone 300 TXT " . ("foo " x 3))]);
+
+section("Updating TTLs only");
+
+test("NOERROR", ["update", rr_add("t.$zone 300 A 73.80.65.49")]);
+($a) = $res->query("t.$zone", "A")->answer;
+$ttl = $a->ttl;
+assert($ttl == 300, "incorrect TTL value $ttl != 300");
+test("NOERROR", ["update",
+		 rr_del("t.$zone A 73.80.65.49"),
+		 rr_add("t.$zone 301 A 73.80.65.49")]);
+($a) = $res->query("t.$zone", "A")->answer;
+$ttl = $a->ttl;
+assert($ttl == 301, "incorrect TTL value $ttl != 301");
+
+# Add an RR that is identical to an existing one except for the TTL.
+# RFC2136 is not clear about what this should do; it says "duplicate RRs
+# will be silently ignored" but is an RR differing only in TTL
+# to be considered a duplicate or not?  The test assumes that it
+# should not be considered a duplicate.
+test("NOERROR", ["update", rr_add("t.$zone 302 A 73.80.65.50")]);
+($a) = $res->query("t.$zone", "A")->answer;
+$ttl = $a->ttl;
+assert($ttl == 302, "incorrect TTL value $ttl != 302");
+
+section("TTL normalization");
+
+# The desired behaviour is that the old RRs get their TTL
+# changed to match the new one.  RFC2136 does not explicitly
+# specify this, but I think it makes more sense than the
+# alternatives.
+
+test("NOERROR", ["update", rr_add("t.$zone 303 A 73.80.65.51")]);
+(@answers) = $res->query("t.$zone", "A")->answer;
+$nanswers = scalar @answers;
+assert($nanswers == 3, "wrong number of answers $nanswers != 3");
+foreach $a (@answers) {
+    $ttl = $a->ttl;
+    assert($ttl == 303, "incorrect TTL value $ttl != 303");
+}
+
+section("Obscuring existing data by zone cut");
+test("NOERROR", ["update", rr_add("a.u.$zone 300 A 73.80.65.49")]);
+test("NOERROR", ["update", rr_add("b.u.$zone 300 A 73.80.65.49")]);
+test("NOERROR", ["update", rr_add("u.$zone 300 TXT txt-not-in-nxt")]);
+test("NOERROR", ["update", rr_add("u.$zone 300 NS ns.u.$zone")]);
+
+test("NOERROR", ["update", rr_del("u.$zone NS ns.u.$zone")]);
+
+if ($Net::DNS::VERSION < 1.01) {
+    print "skipped Excessive NSEC3PARAM iterations; Net::DNS too old.\n";
+} else {
+    section("Excessive NSEC3PARAM iterations");
+    test("REFUSED", ["update", rr_add("$zone 300 NSEC3PARAM 1 0 151 -")]);
+    test("NOERROR", ["update", rr_add("$zone 300 NSEC3PARAM 1 0 150 -")]);
+}
+
+if ($failures) {
+    print "$failures tests failed.\n";
+} else {
+    print "All tests successful.\n";
+}
+exit $failures;
diff --git a/bin/tests/system/nsupdate/verylarge.in b/bin/tests/system/nsupdate/verylarge.in
new file mode 100644
index 0000000..2e66221
--- /dev/null
+++ b/bin/tests/system/nsupdate/verylarge.in
@@ -0,0 +1,3 @@
+server 10.53.0.1 @PORT@
+update add txt.update.nil. 600 TXT 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890
+send
diff --git a/bin/tests/system/nzd2nzf/clean.sh b/bin/tests/system/nzd2nzf/clean.sh
new file mode 100644
index 0000000..153cca1
--- /dev/null
+++ b/bin/tests/system/nzd2nzf/clean.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f */named.conf
+rm -f */named.run
+rm -f */named.memstats
+rm -f dig.out.*
+rm -f rndc.out*
+rm -f ns*/*.nzf
+rm -f ns*/*.nzd ns*/*.nzd-lock
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/nzd2nzf/ns1/added.db b/bin/tests/system/nzd2nzf/ns1/added.db
new file mode 100644
index 0000000..286e717
--- /dev/null
+++ b/bin/tests/system/nzd2nzf/ns1/added.db
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+;$ORIGIN added.example.
+$TTL 300	; 5 minutes
+@                       IN SOA	mname1. . (
+				1          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+ns2			A	10.53.0.2
+			MX	10 mail
+
+a			A	10.0.0.1
+mail			A	10.0.0.2
diff --git a/bin/tests/system/nzd2nzf/ns1/named.conf.in b/bin/tests/system/nzd2nzf/ns1/named.conf.in
new file mode 100644
index 0000000..d8fc51f
--- /dev/null
+++ b/bin/tests/system/nzd2nzf/ns1/named.conf.in
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	allow-query { any; };
+	recursion no;
+	allow-new-zones yes;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
diff --git a/bin/tests/system/nzd2nzf/prereq.sh b/bin/tests/system/nzd2nzf/prereq.sh
new file mode 100644
index 0000000..5498945
--- /dev/null
+++ b/bin/tests/system/nzd2nzf/prereq.sh
@@ -0,0 +1,20 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if ! $FEATURETEST --with-lmdb; then
+        echo_i "This test requires LMDB support (--with-lmdb)"
+        exit 255
+fi
+
+exit 0
diff --git a/bin/tests/system/nzd2nzf/setup.sh b/bin/tests/system/nzd2nzf/setup.sh
new file mode 100644
index 0000000..e46affa
--- /dev/null
+++ b/bin/tests/system/nzd2nzf/setup.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
diff --git a/bin/tests/system/nzd2nzf/tests.sh b/bin/tests/system/nzd2nzf/tests.sh
new file mode 100644
index 0000000..9f86d4a
--- /dev/null
+++ b/bin/tests/system/nzd2nzf/tests.sh
@@ -0,0 +1,80 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="-p ${PORT}"
+RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
+
+status=0
+n=0
+
+n=`expr $n + 1`
+echo_i "querying for non-existing zone data ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 a.added.example a > dig.out.ns1.$n || ret=1
+grep 'status: REFUSED' dig.out.ns1.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "adding a new zone into default NZD using rndc addzone ($n)"
+$RNDCCMD 10.53.0.1 addzone "added.example { type master; file \"added.db\"; };" 2>&1 | sed 's/^/I:ns1 /' | cat_i
+sleep 2
+
+n=`expr $n + 1`
+echo_i "querying for existing zone data ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 a.added.example a > dig.out.ns1.$n || ret=1
+grep 'status: NOERROR' dig.out.ns1.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "stopping ns1"
+stop_server ns1
+
+n=`expr $n + 1`
+echo_i "dumping _default.nzd to _default.nzf ($n)"
+$NZD2NZF ns1/_default.nzd > ns1/_default.nzf || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that _default.nzf contains the expected content ($n)"
+grep 'zone "added.example" { type master; file "added.db"; };' ns1/_default.nzf > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "deleting _default.nzd database"
+rm -f ns1/_default.nzd
+
+echo_i "starting ns1 which should migrate the .nzf to .nzd"
+start_server --noclean --restart --port ${PORT} ns1
+
+n=`expr $n + 1`
+echo_i "querying for zone data from migrated zone config ($n)"
+# retry loop in case the server restart above causes transient failures
+for try in 0 1 2 3 4 5 6 7 8 9; do
+    ret=0
+    $DIG $DIGOPTS @10.53.0.1 a.added.example a > dig.out.ns1.$n || ret=1
+    grep 'status: NOERROR' dig.out.ns1.$n > /dev/null || ret=1
+    [ "$ret" -eq 0 ] && break
+    sleep 1
+done
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "exit status: $status"
+exit $status
diff --git a/bin/tests/system/org.isc.bind.system b/bin/tests/system/org.isc.bind.system
new file mode 100644
index 0000000..276437a
--- /dev/null
+++ b/bin/tests/system/org.isc.bind.system
@@ -0,0 +1,27 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+ifup() {
+	/sbin/ifconfig lo0 10.53.$1.$3 alias
+	/sbin/ifconfig lo0 inet6 fd92:7065:b8e:${2}ff::${3} alias
+}
+
+for ns in 1 2 3 4 5 6 7 8 9 10
+do
+	ifup 0 ff $ns
+done
+for ns in 1 2
+do
+	ifup 1 99 $ns
+	ifup 2 00 $ns
+done
diff --git a/bin/tests/system/org.isc.bind.system.plist b/bin/tests/system/org.isc.bind.system.plist
new file mode 100644
index 0000000..18d3c5d
--- /dev/null
+++ b/bin/tests/system/org.isc.bind.system.plist
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
+	"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>Label</key>
+	<string>org.isc.bind.system</string>
+	<key>ProgramArguments</key>
+	<array>
+		<string>/bin/bash</string>
+		<string>/Library/LaunchDaemons/org.isc.bind.system</string>
+	</array>
+	<key>RunAtLoad</key>
+	<true/>
+</dict>
+</plist>
+
diff --git a/bin/tests/system/packet.pl b/bin/tests/system/packet.pl
new file mode 100644
index 0000000..900a0c0
--- /dev/null
+++ b/bin/tests/system/packet.pl
@@ -0,0 +1,164 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# This is a tool for sending an arbitrary packet via UDP or TCP to an
+# arbitrary address and port.  The packet is specified in a file or on
+# the standard input, in the form of a series of bytes in hexadecimal.
+# Whitespace is ignored, as is anything following a '#' symbol.
+#
+# For example, the following input would generate normal query for
+# isc.org/NS/IN":
+#
+#     # QID:
+#     0c d8
+#     # header:
+#     01 00 00 01 00 00 00 00 00 00
+#     # qname isc.org:
+#     03 69 73 63 03 6f 72 67 00
+#     # qtype NS:
+#     00 02
+#     # qclass IN:
+#     00 01
+#
+# Note that we do not wait for a response for the server.  This is simply
+# a way of injecting arbitrary packets to test server resposnes.
+#
+# Usage: packet.pl [-a <address>] [-d] [-p <port>] [-t (udp|tcp)] [-r <repeats>] [filename]
+#
+# Options:
+# -a <address>:  specify address (XXX: no IPv6 support yet)
+# -p <port>:     specify port
+# -t <protocol>: specify UDP or TCP
+# -r <num>:      send packet <num> times
+# -d:            dump response packets
+#
+# If not specified, address defaults to 127.0.0.1, port to 53, protocol
+# to udp, and file to stdin.
+
+require 5.006.001;
+
+use strict;
+use Getopt::Std;
+use IO::File;
+use IO::Socket;
+
+sub usage {
+    print ("Usage: packet.pl [-a address] [-d] [-p port] [-t (tcp|udp)] [-r <repeats>] [file]\n");
+    exit 1;
+}
+
+my $sock;
+my $proto;
+
+sub dumppacket {
+    use Net::DNS;
+    use Net::DNS::Packet;
+
+    my $rin;
+    my $rout;
+    $rin = '';
+    vec($rin, fileno($sock), 1) = 1;
+    select($rout = $rin, undef, undef, 1);
+    if (vec($rout, fileno($sock), 1)) {
+        my $buf;
+
+        if ($proto eq "udp") {
+            $sock->recv($buf, 512);
+        } else {
+            my $n = $sock->sysread($buf, 2);
+            return unless $n == 2;
+            my $len = unpack("n", $buf);
+            $n = $sock->sysread($buf, $len);
+            return unless $n == $len;
+        }
+
+        my $response;
+        if ($Net::DNS::VERSION > 0.68) {
+            $response = new Net::DNS::Packet(\$buf, 0);
+            $@ and die $@;
+        } else {
+            my $err;
+            ($response, $err) = new Net::DNS::Packet(\$buf, 0);
+            $err and die $err;
+        }
+        $response->print;
+    }
+}
+
+my %options={};
+getopts("a:dp:t:r:", \%options);
+
+my $addr = "127.0.0.1";
+$addr = $options{a} if defined $options{a};
+
+my $port = 53;
+$port = $options{p} if defined $options{p};
+
+$proto = "udp";
+$proto = lc $options{t} if defined $options{t};
+usage if ($proto !~ /^(udp|tcp)$/);
+
+my $repeats = 1;
+$repeats = $options{r} if defined $options{r};
+
+my $file = "STDIN";
+if (@ARGV >= 1) {
+    my $filename = shift @ARGV;
+    open FH, "<$filename" or die "$filename: $!";
+    $file = "FH";
+}
+
+my $input = "";
+while (defined(my $line = <$file>) ) {
+    chomp $line;
+    $line =~ s/#.*$//;
+    $input .= $line;
+}
+
+$input =~ s/\s+//g;
+my $data = pack("H*", $input);
+my $len = length $data;
+
+my $output = unpack("H*", $data);
+print ("sending $repeats time(s): $output\n");
+
+$sock = IO::Socket::INET->new(PeerAddr => $addr, PeerPort => $port,
+				 Blocking => 0,
+				 Proto => $proto,) or die "$!";
+
+STDOUT->autoflush(1);
+
+my $bytes = 0;
+while ($repeats > 0) {
+    if ($proto eq "udp") {
+	$bytes += $sock->send($data);
+    } else {
+	$bytes += $sock->syswrite(pack("n", $len), 2);
+	$bytes += $sock->syswrite($data, $len);
+    }
+
+    $repeats = $repeats - 1;
+
+    if ($repeats % 1000 == 0) {
+	print ".";
+    }
+}
+
+$sock->shutdown(SHUT_WR);
+if (defined $options{d}) {
+    dumppacket;
+}
+
+$sock->close;
+close $file;
+print ("\nsent $bytes bytes to $addr:$port\n");
diff --git a/bin/tests/system/padding/clean.sh b/bin/tests/system/padding/clean.sh
new file mode 100644
index 0000000..eef2174
--- /dev/null
+++ b/bin/tests/system/padding/clean.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f dig.out.*
+rm -f ns*/named.memstats
+rm -f ns*/named.run
+rm -f ns*/named.stats
+rm -f ns*/named.stats.prev
+rm -f ns*/named.lock
+rm -f ns*/named.conf
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/padding/ns1/named.conf.in b/bin/tests/system/padding/ns1/named.conf.in
new file mode 100644
index 0000000..26cf4b3
--- /dev/null
+++ b/bin/tests/system/padding/ns1/named.conf.in
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
diff --git a/bin/tests/system/padding/ns1/root.db b/bin/tests/system/padding/ns1/root.db
new file mode 100644
index 0000000..17780d1
--- /dev/null
+++ b/bin/tests/system/padding/ns1/root.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. 			IN SOA	gson.nominum.com. a.root.servers.nil. (
+				2000042100   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+
+example.		NS	ns2.example.
+ns2.example.		A	10.53.0.2
diff --git a/bin/tests/system/padding/ns2/example.db b/bin/tests/system/padding/ns2/example.db
new file mode 100644
index 0000000..f6a4b03
--- /dev/null
+++ b/bin/tests/system/padding/ns2/example.db
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@	SOA	ns2 hostmaster.isc.org. 1 600 600 1200 600
+@ 	NS	ns2
+ns2 	A	10.53.0.2
+foo	A	10.53.1.1
diff --git a/bin/tests/system/padding/ns2/named.conf.in b/bin/tests/system/padding/ns2/named.conf.in
new file mode 100644
index 0000000..318f23a
--- /dev/null
+++ b/bin/tests/system/padding/ns2/named.conf.in
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion yes;
+	acache-enable yes;
+	send-cookie yes;
+	response-padding { !10.53.0.8; any; } block-size 64;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+};
diff --git a/bin/tests/system/padding/ns3/named.conf.in b/bin/tests/system/padding/ns3/named.conf.in
new file mode 100644
index 0000000..cf9434f
--- /dev/null
+++ b/bin/tests/system/padding/ns3/named.conf.in
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	directory ".";
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+};
+
+server 10.53.0.2 {
+	tcp-only yes;
+	padding 64;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
diff --git a/bin/tests/system/padding/ns4/named.conf.in b/bin/tests/system/padding/ns4/named.conf.in
new file mode 100644
index 0000000..9a1651e
--- /dev/null
+++ b/bin/tests/system/padding/ns4/named.conf.in
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port @PORT@;
+	directory ".";
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+};
+
+server 10.53.0.2 {
+	tcp-only no;
+	padding 64;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
diff --git a/bin/tests/system/padding/setup.sh b/bin/tests/system/padding/setup.sh
new file mode 100644
index 0000000..9e4f563
--- /dev/null
+++ b/bin/tests/system/padding/setup.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL ./clean.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+
+touch ns2/named.stats
diff --git a/bin/tests/system/padding/tests.sh b/bin/tests/system/padding/tests.sh
new file mode 100644
index 0000000..e50a5ab
--- /dev/null
+++ b/bin/tests/system/padding/tests.sh
@@ -0,0 +1,134 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+n=0
+status=0
+
+DIGOPTS="-p ${PORT}"
+RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
+
+getcookie() {
+	awk '$2 == "COOKIE:" {
+		print $3;
+	}' < $1
+}
+
+echo_i "checking that dig handles padding ($n)"
+ret=0
+n=`expr $n + 1`
+$DIG $DIGOPTS +qr +padding=128 foo.example @10.53.0.2 > dig.out.test$n
+grep "; PAD" dig.out.test$n > /dev/null || ret=1
+grep "; QUERY SIZE: 128" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking that dig added padding ($n)"
+ret=0
+n=`expr $n + 1`
+nextpart ns2/named.stats > /dev/null
+$RNDCCMD 10.53.0.2 stats
+wait_for_log_peek 5 "--- Statistics Dump ---" ns2/named.stats || ret=1
+nextpart ns2/named.stats | grep "EDNS padding option received" > /dev/null || ret=1
+
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking that padding is added for TCP responses ($n)"
+ret=0
+n=`expr $n + 1`
+$DIG $DIGOPTS +vc +padding=128 foo.example @10.53.0.2 > dig.out.test$n
+grep "; PAD" dig.out.test$n > /dev/null || ret=1
+grep "rcvd: 128" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking that padding is added to valid cookie responses ($n)"
+ret=0
+n=`expr $n + 1`
+$DIG $DIGOPTS +cookie foo.example @10.53.0.2 > dig.out.testc
+cookie=`getcookie dig.out.testc`
+$DIG $DIGOPTS +cookie=$cookie +padding=128 foo.example @10.53.0.2 > dig.out.test$n
+grep "; PAD" dig.out.test$n > /dev/null || ret=1
+grep "rcvd: 128" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking that padding must be requested (TCP) ($n)"
+ret=0
+n=`expr $n + 1`
+$DIG $DIGOPTS +vc foo.example @10.53.0.2 > dig.out.test$n
+grep "; PAD" dig.out.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking that padding must be requested (valid cookie) ($n)"
+ret=0
+n=`expr $n + 1`
+$DIG $DIGOPTS +cookie=$cookie foo.example @10.53.0.2 > dig.out.test$n
+grep "; PAD" dig.out.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking that padding can be filtered out ($n)"
+ret=0
+n=`expr $n + 1`
+$DIG $DIGOPTS +vc +padding=128 -b 10.53.0.8 foo.example @10.53.0.2 > dig.out.test$n
+grep "; PAD" dig.out.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking that a TCP and padding server config enables padding ($n)"
+ret=0
+n=`expr $n + 1`
+nextpart ns2/named.stats > /dev/null
+$RNDCCMD 10.53.0.2 stats
+wait_for_log_peek 5 "--- Statistics Dump ---" ns2/named.stats || ret=1
+opad=`nextpart ns2/named.stats | awk '/EDNS padding option received/ { print $1}'`
+$DIG $DIGOPTS foo.example @10.53.0.3 > dig.out.test$n
+$RNDCCMD 10.53.0.2 stats
+wait_for_log_peek 5 "--- Statistics Dump ---" ns2/named.stats || ret=1
+npad=`nextpart ns2/named.stats | awk '/EDNS padding option received/ { print $1}'`
+if [ "$opad" -eq "$npad" ]; then echo_i "error: opad ($opad) == npad ($npad)"; ret=1; fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking that a padding server config should enforce TCP ($n)"
+ret=0
+n=`expr $n + 1`
+nextpart ns2/named.stats > /dev/null
+$RNDCCMD 10.53.0.2 stats
+wait_for_log_peek 5 "--- Statistics Dump ---" ns2/named.stats || ret=1
+opad=`nextpart ns2/named.stats | awk '/EDNS padding option received/ { print $1}'`
+$DIG $DIGOPTS foo.example @10.53.0.4 > dig.out.test$n
+$RNDCCMD 10.53.0.2 stats
+wait_for_log_peek 5 "--- Statistics Dump ---" ns2/named.stats || ret=1
+npad=`nextpart ns2/named.stats | awk '/EDNS padding option received/ { print $1}'`
+if [ "$opad" -ne "$npad" ]; then echo_i "error: opad ($opad) != npad ($npad)"; ret=1; fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking that zero-length padding option has no effect ($n)"
+ret=0
+n=`expr $n + 1`
+$DIG $DIGOPTS +qr +ednsopt=12 foo.example @10.53.0.2 > dig.out.test$n.1
+grep "; PAD" dig.out.test$n.1 > /dev/null || ret=1
+$DIG $DIGOPTS +qr +ednsopt=12:00 foo.example @10.53.0.2 > dig.out.test$n.2
+grep "; PAD" dig.out.test$n.2 > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/parallel.sh b/bin/tests/system/parallel.sh
new file mode 100644
index 0000000..8d156cf
--- /dev/null
+++ b/bin/tests/system/parallel.sh
@@ -0,0 +1,36 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ./conf.sh
+
+PARALLELS=`echo $PARALLELDIRS | sed "s|\([^ ][^ ]*\)|test-\1|g;" | tr _ -`
+
+echo ".PHONY: $PARALLELS"
+echo
+echo "check_interfaces:"
+echo "	@${PERL} testsock.pl > /dev/null 2>&1 || { \\"
+echo "		echo \"I:NOTE: System tests were skipped because they require the\"; \\"
+echo "		echo \"I:      test IP addresses 10.53.0.* to be configured as alias\"; \\"
+echo "		echo \"I:      addresses on the loopback interface.  Please run\"; \\"
+echo "		echo \"I:      \"bin/tests/system/ifconfig.sh up\" as root to configure them.\"; \\"
+echo "		exit 1; \\"
+echo "	}"
+echo
+echo "test check: $PARALLELS"
+port=${STARTPORT:-5000}
+for directory in $PARALLELDIRS ; do
+        echo
+        echo "test-`echo $directory | tr _ -`: check_interfaces"
+        echo "	@${SHELL} ./run.sh -p $port $directory 2>&1 | tee test.output.$directory"
+        port=`expr $port + 100`
+done
diff --git a/bin/tests/system/pending/clean.sh b/bin/tests/system/pending/clean.sh
new file mode 100644
index 0000000..89a4b5b
--- /dev/null
+++ b/bin/tests/system/pending/clean.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -rf */*.signed
+rm -rf */*.jnl
+rm -rf */K*
+rm -rf */dsset-*
+rm -rf */named.memstats
+rm -rf */named.run
+rm -rf */trusted.conf
+rm -rf ns1/root.db
+rm -rf ns2/example.db
+rm -rf ns2/example.com.db
+rm -rf nsupdate.out.test
+rm -f ns*/named.lock
+rm -f ns*/named.conf
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/pending/ns1/named.conf.in b/bin/tests/system/pending/ns1/named.conf.in
new file mode 100644
index 0000000..f09c3c9
--- /dev/null
+++ b/bin/tests/system/pending/ns1/named.conf.in
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "trusted.conf";
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+};
+
+zone "." {
+	type primary;
+	file "root.db.signed";
+};
diff --git a/bin/tests/system/pending/ns1/root.db.in b/bin/tests/system/pending/ns1/root.db.in
new file mode 100644
index 0000000..fe7fe92
--- /dev/null
+++ b/bin/tests/system/pending/ns1/root.db.in
@@ -0,0 +1,29 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 30
+. 			IN SOA	marka.isc.org. a.root.servers.nil. (
+				2000042100   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+
+example.		NS	ns2.example.
+ns2.example.		A	10.53.0.2
+example.com.		NS	ns2.example.com.
+ns2.example.com.	A	10.53.0.2
+hostile.		NS	ns3.hostile.
+ns3.hostile.		A	10.53.0.3
+nice.good.		A	10.10.10.10
diff --git a/bin/tests/system/pending/ns1/sign.sh b/bin/tests/system/pending/ns1/sign.sh
new file mode 100644
index 0000000..c29ebe2
--- /dev/null
+++ b/bin/tests/system/pending/ns1/sign.sh
@@ -0,0 +1,36 @@
+#!/bin/sh 
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=.
+infile=root.db.in
+zonefile=root.db
+
+(cd ../ns2 && $SHELL -e sign.sh )
+
+cp ../ns2/dsset-example$TP .
+cp ../ns2/dsset-example.com$TP .
+
+keyname1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK -n zone $zone)
+cat $infile $keyname1.key $keyname2.key > $zonefile
+
+$SIGNER -g -o $zone $zonefile > /dev/null
+
+# Configure the resolving server with a static key.
+keyfile_to_static_ds $keyname2 > trusted.conf
+cp trusted.conf ../ns2/trusted.conf
+cp trusted.conf ../ns3/trusted.conf
+cp trusted.conf ../ns4/trusted.conf
diff --git a/bin/tests/system/pending/ns2/example.com.db.in b/bin/tests/system/pending/ns2/example.com.db.in
new file mode 100644
index 0000000..ee3a1b8
--- /dev/null
+++ b/bin/tests/system/pending/ns2/example.com.db.in
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 30
+@			IN SOA	mname1. . (
+				2009110300 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+			MX	10 mail
+ns2			A	10.53.0.2
+mail			A	192.0.2.2
+			AAAA	2001:db8::2
+pending-ok		A	192.0.2.2
+pending-ng		A	192.0.2.102
+removed			A	10.9.8.7
diff --git a/bin/tests/system/pending/ns2/example.db.in b/bin/tests/system/pending/ns2/example.db.in
new file mode 100644
index 0000000..5b42e2a
--- /dev/null
+++ b/bin/tests/system/pending/ns2/example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 30
+$ORIGIN example.
+@			IN SOA	mname1. . (
+				2009110300 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+			MX	10 mail
+ns2			A	10.53.0.2
+mail			A	10.0.0.2
+bad			CNAME	nice.good.
+worse                   A       6.6.6.6
diff --git a/bin/tests/system/pending/ns2/forgery.db b/bin/tests/system/pending/ns2/forgery.db
new file mode 100644
index 0000000..fbf42bc
--- /dev/null
+++ b/bin/tests/system/pending/ns2/forgery.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 30
+$ORIGIN good.
+@			IN SOA	mname1. . (
+				2009110300 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+ns2			A	10.53.0.2
+
+nice.good.		CNAME	worse.example.
diff --git a/bin/tests/system/pending/ns2/named.conf.in b/bin/tests/system/pending/ns2/named.conf.in
new file mode 100644
index 0000000..59824df
--- /dev/null
+++ b/bin/tests/system/pending/ns2/named.conf.in
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+include "trusted.conf";
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	dnssec-validation yes;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "example" {
+	type primary;
+	file "example.db.signed";
+};
+
+zone "example.com" {
+	type primary;
+	file "example.com.db.signed";
+	allow-update { 10.53.0.0/16; };
+};
+
+zone "good" {
+	type primary;
+	file "forgery.db";
+	allow-query { any; };
+};
diff --git a/bin/tests/system/pending/ns2/sign.sh b/bin/tests/system/pending/ns2/sign.sh
new file mode 100644
index 0000000..df408f8
--- /dev/null
+++ b/bin/tests/system/pending/ns2/sign.sh
@@ -0,0 +1,34 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+for domain in example example.com; do
+	zone=${domain}.
+	infile=${domain}.db.in
+	zonefile=${domain}.db
+
+	keyname1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+	keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK -n zone $zone)
+
+	cat $infile $keyname1.key $keyname2.key > $zonefile
+
+	$SIGNER -3 bebe -o $zone $zonefile > /dev/null
+done
+
+# remove "removed" record from example.com, causing the server to
+# send an apparently-invalid NXDOMAIN
+sed '/^removed/d' example.com.db.signed > example.com.db.new
+rm -f example.com.db.signed
+mv example.com.db.new example.com.db.signed
diff --git a/bin/tests/system/pending/ns3/hostile.db b/bin/tests/system/pending/ns3/hostile.db
new file mode 100644
index 0000000..a199922
--- /dev/null
+++ b/bin/tests/system/pending/ns3/hostile.db
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 30
+@			IN SOA	mname1. . (
+				2009110500 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns3
+			MX	10 mail.example.
+ns3			A	10.53.0.3
diff --git a/bin/tests/system/pending/ns3/mail.example.db b/bin/tests/system/pending/ns3/mail.example.db
new file mode 100644
index 0000000..77eb731
--- /dev/null
+++ b/bin/tests/system/pending/ns3/mail.example.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 30
+@			IN SOA	mname1. . (
+				2009110300 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+@			NS	ns3
+ns3			A	10.53.0.3
+;mail			A	10.0.0.2	// the correct record
+@			A	10.0.0.3
diff --git a/bin/tests/system/pending/ns3/named.conf.in b/bin/tests/system/pending/ns3/named.conf.in
new file mode 100644
index 0000000..29afd19
--- /dev/null
+++ b/bin/tests/system/pending/ns3/named.conf.in
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+include "trusted.conf";
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify no;
+	dnssec-validation yes;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "mail.example" {
+	type primary;
+	file "mail.example.db";
+};
+
+zone "hostile" {
+	type primary;
+	file "hostile.db";
+};
diff --git a/bin/tests/system/pending/ns4/named.conf.in b/bin/tests/system/pending/ns4/named.conf.in
new file mode 100644
index 0000000..6be9085
--- /dev/null
+++ b/bin/tests/system/pending/ns4/named.conf.in
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "trusted.conf";
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	recursion yes;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
diff --git a/bin/tests/system/pending/setup.sh b/bin/tests/system/pending/setup.sh
new file mode 100644
index 0000000..2d52f1c
--- /dev/null
+++ b/bin/tests/system/pending/setup.sh
@@ -0,0 +1,24 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+
+cd ns1 && $SHELL -e sign.sh
diff --git a/bin/tests/system/pending/tests.sh b/bin/tests/system/pending/tests.sh
new file mode 100644
index 0000000..049172f
--- /dev/null
+++ b/bin/tests/system/pending/tests.sh
@@ -0,0 +1,199 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+# replace_data dname RR old_data new_data
+replace_data()
+{
+	if [ $# -ne 4 ]; then
+		echo_i "unexpected input for replace_data"
+		return 1
+	fi
+
+	_dname=$1
+	_rr=$2
+	_olddata=$3
+	_newdata=$4
+
+	_ret=0
+	$NSUPDATE -d <<END >> nsupdate.out.test 2>&1 || _ret=1
+server 10.53.0.2 ${PORT}
+update delete ${_dname} 30 ${_rr} ${_olddata}
+update add ${_dname} 30 ${_rr} ${_newdata}
+send
+END
+
+	if [ $_ret != 0 ]; then
+		echo_i "failed to update the test data"
+		return 1
+	fi
+
+	return 0
+}
+
+status=0
+n=0
+
+DIGOPTS="+short +tcp -p ${PORT}"
+DIGOPTS_CD="$DIGOPTS +cd"
+
+echo_i "Priming cache."
+ret=0
+expect="10 mail.example."
+ans=`$DIG $DIGOPTS_CD @10.53.0.4 hostile MX` || ret=1
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo_i "failed, got '$ans', expected '$expect'"
+status=`expr $status + $ret`
+
+echo_i "Checking that bogus additional is not returned with +CD."
+ret=0
+expect="10.0.0.2"
+ans=`$DIG $DIGOPTS_CD @10.53.0.4 mail.example A` || ret=1
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo_i "failed, got '$ans', expected '$expect'"
+status=`expr $status + $ret`
+
+#
+# Prime cache with pending additional records.  These should not be promoted
+# to answer.
+#
+echo_i "Priming cache (pending additional A and AAAA)"
+ret=0
+expect="10 mail.example.com."
+ans=`$DIG $DIGOPTS @10.53.0.4 example.com MX` || ret=1
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo_i "failed, got '$ans', expected '$expect'"
+status=`expr $status + $ret`
+
+echo_i "Replacing pending A"
+ret=0
+replace_data mail.example.com. A 192.0.2.2 192.0.2.3 || ret=1
+status=`expr $status + $ret`
+
+echo_i "Replacing pending AAAA"
+ret=0
+replace_data mail.example.com. AAAA 2001:db8::2 2001:db8::3 || ret=1
+status=`expr $status + $ret`
+
+echo_i "Checking updated data to be returned (without CD)"
+ret=0
+expect="192.0.2.3"
+ans=`$DIG $DIGOPTS @10.53.0.4 mail.example.com A` || ret=1
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo_i "failed, got '$ans', expected '$expect'"
+status=`expr $status + $ret`
+
+echo_i "Checking updated data to be returned (with CD)"
+ret=0
+expect="2001:db8::3"
+ans=`$DIG $DIGOPTS_CD @10.53.0.4 mail.example.com AAAA` || ret=1
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo_i "failed, got '$ans', expected '$expect'"
+status=`expr $status + $ret`
+
+#
+# Prime cache with a pending answer record.  It can be returned (without
+# validation) with +CD.
+#
+echo_i "Priming cache (pending answer)"
+ret=0
+expect="192.0.2.2"
+ans=`$DIG $DIGOPTS_CD @10.53.0.4 pending-ok.example.com A` || ret=1
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo_i "failed, got '$ans', expected '$expect'"
+status=`expr $status + $ret`
+
+echo_i "Replacing pending data"
+ret=0
+replace_data pending-ok.example.com. A 192.0.2.2 192.0.2.3 || ret=1
+status=`expr $status + $ret`
+
+echo_i "Confirming cached pending data to be returned with CD"
+ret=0
+expect="192.0.2.2"
+ans=`$DIG $DIGOPTS_CD @10.53.0.4 pending-ok.example.com A` || ret=1
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo_i "failed, got '$ans', expected '$expect'"
+status=`expr $status + $ret`
+
+#
+# Prime cache with a pending answer record.  It should not be returned
+# to no-DNSSEC clients.
+#
+echo_i "Priming cache (pending answer)"
+ret=0
+expect="192.0.2.102"
+ans=`$DIG $DIGOPTS_CD @10.53.0.4 pending-ng.example.com A` || ret=1
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo_i "failed, got '$ans', expected '$expect'"
+status=`expr $status + $ret`
+
+echo_i "Replacing pending data"
+ret=0
+replace_data pending-ng.example.com. A 192.0.2.102 192.0.2.103 || ret=1
+status=`expr $status + $ret`
+
+echo_i "Confirming updated data returned, not the cached one, without CD"
+ret=0
+expect="192.0.2.103"
+ans=`$DIG $DIGOPTS @10.53.0.4 pending-ng.example.com A` || ret=1
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo_i "failed, got '$ans', expected '$expect'"
+status=`expr $status + $ret`
+
+#
+# Try to fool the resolver with an out-of-bailiwick CNAME
+#
+echo_i "Trying to Prime out-of-bailiwick pending answer with CD"
+ret=0
+expect="10.10.10.10"
+ans=`$DIG $DIGOPTS_CD @10.53.0.4 bad.example. A` || ret=1
+ans=`echo $ans | awk '{print $NF}'`
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo_i "failed, got '$ans', expected '$expect'"
+status=`expr $status + $ret`
+
+echo_i "Confirming the out-of-bailiwick answer is not cached or reused with CD"
+ret=0
+expect="10.10.10.10"
+ans=`$DIG $DIGOPTS_CD @10.53.0.4 nice.good. A` || ret=1
+ans=`echo $ans | awk '{print $NF}'`
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo_i "failed, got '$ans', expected '$expect'"
+status=`expr $status + $ret`
+
+#
+# Make sure the resolver doesn't cache bogus NXDOMAIN
+#
+echo_i "Trying to Prime bogus NXDOMAIN"
+ret=0
+expect="SERVFAIL"
+ans=`$DIG +tcp -p ${PORT} @10.53.0.4 removed.example.com. A` || ret=1
+ans=`echo $ans | sed 's/^.*status: \([A-Z][A-Z]*\).*$/\1/'`
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo_i "failed, got '$ans', expected '$expect'"
+status=`expr $status + $ret`
+
+echo_i "Confirming the bogus NXDOMAIN was not cached"
+ret=0
+expect="SERVFAIL"
+ans=`$DIG +tcp -p ${PORT} @10.53.0.4 removed.example.com. A` || ret=1
+ans=`echo $ans | sed 's/^.*status: \([A-Z][A-Z]*\).*$/\1/'`
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo_i "failed, got '$ans', expected '$expect'"
+status=`expr $status + $ret`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/pipelined/Makefile.in b/bin/tests/system/pipelined/Makefile.in
new file mode 100644
index 0000000..fe88628
--- /dev/null
+++ b/bin/tests/system/pipelined/Makefile.in
@@ -0,0 +1,49 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES} \
+		${OPENSSL_CFLAGS}
+
+CDEFINES =
+CWARNINGS =
+
+DNSLIBS =	../../../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+ISCLIBS =	../../../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+
+DNSDEPLIBS =	../../../../lib/dns/libdns.@A@
+ISCDEPLIBS =	../../../../lib/isc/libisc.@A@
+
+DEPLIBS =	${DNSDEPLIBS} ${ISCDEPLIBS}
+
+LIBS =		${DNSLIBS} ${ISCLIBS} @LIBS@
+
+TARGETS =	pipequeries@EXEEXT@
+
+SRCS =		pipequeries.c
+
+@BIND9_MAKE_RULES@
+
+all: pipequeries@EXEEXT@
+
+pipequeries@EXEEXT@: pipequeries.@O@ ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ pipequeries.@O@ ${LIBS}
+
+clean distclean::
+	rm -f ${TARGETS}
+
diff --git a/bin/tests/system/pipelined/ans5/ans.py b/bin/tests/system/pipelined/ans5/ans.py
new file mode 100644
index 0000000..bac5ed3
--- /dev/null
+++ b/bin/tests/system/pipelined/ans5/ans.py
@@ -0,0 +1,212 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+############################################################################
+#
+# This tool acts as a TCP/UDP proxy and delays all incoming packets by 500
+# milliseconds.
+#
+# We use it to check pipelining - a client sents 8 questions over a
+# pipelined connection - that require asking a normal (examplea) and a
+# slow-responding (exampleb) servers:
+# a.examplea
+# a.exampleb
+# b.examplea
+# b.exampleb
+# c.examplea
+# c.exampleb
+# d.examplea
+# d.exampleb
+#
+# If pipelining works properly the answers will be returned out of order
+# with all answers from examplea returned first, and then all answers
+# from exampleb.
+#
+############################################################################
+
+from __future__ import print_function
+
+import datetime
+import os
+import select
+import signal
+import socket
+import sys
+import time
+import threading
+import struct
+
+DELAY = 0.5
+THREADS = []
+
+
+def log(msg):
+    print(datetime.datetime.now().strftime("%d-%b-%Y %H:%M:%S.%f ") + msg)
+
+
+def sigterm(*_):
+    log("SIGTERM received, shutting down")
+    for thread in THREADS:
+        thread.close()
+        thread.join()
+    os.remove("ans.pid")
+    sys.exit(0)
+
+
+class TCPDelayer(threading.Thread):
+    """For a given TCP connection conn we open a connection to (ip, port),
+    and then we delay each incoming packet by DELAY by putting it in a
+    queue.
+    In the pipelined test TCP should not be used, but it's here for
+    completnes.
+    """
+
+    def __init__(self, conn, ip, port):
+        threading.Thread.__init__(self)
+        self.conn = conn
+        self.cconn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        self.cconn.connect((ip, port))
+        self.queue = []
+        self.running = True
+
+    def close(self):
+        self.running = False
+
+    def run(self):
+        while self.running:
+            curr_timeout = 0.5
+            try:
+                curr_timeout = self.queue[0][0] - time.time()
+            except StopIteration:
+                pass
+            if curr_timeout > 0:
+                if curr_timeout == 0:
+                    curr_timeout = 0.5
+                rfds, _, _ = select.select(
+                    [self.conn, self.cconn], [], [], curr_timeout
+                )
+                if self.conn in rfds:
+                    data = self.conn.recv(65535)
+                    if not data:
+                        return
+                    self.queue.append((time.time() + DELAY, data))
+                if self.cconn in rfds:
+                    data = self.cconn.recv(65535)
+                    if not data == 0:
+                        return
+                    self.conn.send(data)
+            try:
+                while self.queue[0][0] - time.time() < 0:
+                    _, data = self.queue.pop(0)
+                    self.cconn.send(data)
+            except StopIteration:
+                pass
+
+
+class UDPDelayer(threading.Thread):
+    """Every incoming UDP packet is put in a queue for DELAY time, then
+    it's sent to (ip, port). We remember the query id to send the
+    response we get to a proper source, responses are not delayed.
+    """
+
+    def __init__(self, usock, ip, port):
+        threading.Thread.__init__(self)
+        self.sock = usock
+        self.csock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+        self.dst = (ip, port)
+        self.queue = []
+        self.qid_mapping = {}
+        self.running = True
+
+    def close(self):
+        self.running = False
+
+    def run(self):
+        while self.running:
+            curr_timeout = 0.5
+            if self.queue:
+                curr_timeout = self.queue[0][0] - time.time()
+            if curr_timeout >= 0:
+                if curr_timeout == 0:
+                    curr_timeout = 0.5
+                rfds, _, _ = select.select(
+                    [self.sock, self.csock], [], [], curr_timeout
+                )
+                if self.sock in rfds:
+                    data, addr = self.sock.recvfrom(65535)
+                    if not data:
+                        return
+                    self.queue.append((time.time() + DELAY, data))
+                    qid = struct.unpack(">H", data[:2])[0]
+                    log("Received a query from %s, queryid %d" % (str(addr), qid))
+                    self.qid_mapping[qid] = addr
+                if self.csock in rfds:
+                    data, addr = self.csock.recvfrom(65535)
+                    if not data:
+                        return
+                    qid = struct.unpack(">H", data[:2])[0]
+                    dst = self.qid_mapping.get(qid)
+                    if dst is not None:
+                        self.sock.sendto(data, dst)
+                        log(
+                            "Received a response from %s, queryid %d, sending to %s"
+                            % (str(addr), qid, str(dst))
+                        )
+            while self.queue and self.queue[0][0] - time.time() < 0:
+                _, data = self.queue.pop(0)
+                qid = struct.unpack(">H", data[:2])[0]
+                log("Sending a query to %s, queryid %d" % (str(self.dst), qid))
+                self.csock.sendto(data, self.dst)
+
+
+def main():
+    signal.signal(signal.SIGTERM, sigterm)
+    signal.signal(signal.SIGINT, sigterm)
+
+    with open("ans.pid", "w") as pidfile:
+        print(os.getpid(), file=pidfile)
+
+    listenip = "10.53.0.5"
+    serverip = "10.53.0.2"
+
+    try:
+        port = int(os.environ["PORT"])
+    except KeyError:
+        port = 5300
+
+    log("Listening on %s:%d" % (listenip, port))
+
+    usock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+    usock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+    usock.bind((listenip, port))
+    thread = UDPDelayer(usock, serverip, port)
+    thread.start()
+    THREADS.append(thread)
+
+    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+    sock.bind((listenip, port))
+    sock.listen(1)
+    sock.settimeout(1)
+
+    while True:
+        try:
+            (clientsock, _) = sock.accept()
+            log("Accepted connection from %s" % clientsock)
+            thread = TCPDelayer(clientsock, serverip, port)
+            thread.start()
+            THREADS.append(thread)
+        except socket.timeout:
+            pass
+
+
+if __name__ == "__main__":
+    main()
diff --git a/bin/tests/system/pipelined/clean.sh b/bin/tests/system/pipelined/clean.sh
new file mode 100644
index 0000000..12c1733
--- /dev/null
+++ b/bin/tests/system/pipelined/clean.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f */named.conf
+rm -f */named.memstats
+rm -f */named.run
+rm -f raw* output*
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/pipelined/input b/bin/tests/system/pipelined/input
new file mode 100644
index 0000000..485cf81
--- /dev/null
+++ b/bin/tests/system/pipelined/input
@@ -0,0 +1,8 @@
+a.examplea
+a.exampleb
+b.examplea
+b.exampleb
+c.examplea
+c.exampleb
+d.examplea
+d.exampleb
diff --git a/bin/tests/system/pipelined/inputb b/bin/tests/system/pipelined/inputb
new file mode 100644
index 0000000..6ea367e
--- /dev/null
+++ b/bin/tests/system/pipelined/inputb
@@ -0,0 +1,8 @@
+e.examplea
+e.exampleb
+f.examplea
+f.exampleb
+g.examplea
+g.exampleb
+h.examplea
+h.exampleb
diff --git a/bin/tests/system/pipelined/ns1/named.conf.in b/bin/tests/system/pipelined/ns1/named.conf.in
new file mode 100644
index 0000000..848a022
--- /dev/null
+++ b/bin/tests/system/pipelined/ns1/named.conf.in
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+	notify yes;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
diff --git a/bin/tests/system/pipelined/ns1/root.db b/bin/tests/system/pipelined/ns1/root.db
new file mode 100644
index 0000000..f2819a1
--- /dev/null
+++ b/bin/tests/system/pipelined/ns1/root.db
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. 			IN SOA	gson.nominum.com. a.root.servers.nil. (
+				2000042100   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+
+examplea.		NS	ns2.examplea.
+ns2.examplea.		A	10.53.0.5
+
+exampleb.		NS	ns3.exampleb.
+ns3.exampleb.		A	10.53.0.3
diff --git a/bin/tests/system/pipelined/ns2/examplea.db b/bin/tests/system/pipelined/ns2/examplea.db
new file mode 100644
index 0000000..1be2d11
--- /dev/null
+++ b/bin/tests/system/pipelined/ns2/examplea.db
@@ -0,0 +1,32 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300	; 5 minutes
+examplea		IN SOA	mname1. . (
+				1          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+examplea.		NS	ns2.examplea.
+ns2.examplea.		A	10.53.0.5
+
+$ORIGIN examplea.
+a			A	10.0.1.1
+b			A	10.0.1.2
+c			A	10.0.1.3
+d			A	10.0.1.4
+e			A	10.0.1.5
+f			A	10.0.1.6
+g			A	10.0.1.7
+h			A	10.0.1.8
diff --git a/bin/tests/system/pipelined/ns2/named.conf.in b/bin/tests/system/pipelined/ns2/named.conf.in
new file mode 100644
index 0000000..40ed7b9
--- /dev/null
+++ b/bin/tests/system/pipelined/ns2/named.conf.in
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	notify yes;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "examplea" {
+	type primary;
+	file "examplea.db";
+	allow-update { any; };
+};
diff --git a/bin/tests/system/pipelined/ns3/exampleb.db b/bin/tests/system/pipelined/ns3/exampleb.db
new file mode 100644
index 0000000..91b94c3
--- /dev/null
+++ b/bin/tests/system/pipelined/ns3/exampleb.db
@@ -0,0 +1,32 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300	; 5 minutes
+exampleb		IN SOA	mname1. . (
+				1          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+exampleb.		NS	ns3.exampleb.
+ns3.exampleb.		A	10.53.0.3
+
+$ORIGIN exampleb.
+a			A	10.0.2.1
+b			A	10.0.2.2
+c			A	10.0.2.3
+d			A	10.0.2.4
+e			A	10.0.2.5
+f			A	10.0.2.6
+g			A	10.0.2.7
+h			A	10.0.2.8
diff --git a/bin/tests/system/pipelined/ns3/named.conf.in b/bin/tests/system/pipelined/ns3/named.conf.in
new file mode 100644
index 0000000..428da7d
--- /dev/null
+++ b/bin/tests/system/pipelined/ns3/named.conf.in
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	notify yes;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "exampleb" {
+	type primary;
+	file "exampleb.db";
+	allow-update { any; };
+};
diff --git a/bin/tests/system/pipelined/ns4/named.conf.in b/bin/tests/system/pipelined/ns4/named.conf.in
new file mode 100644
index 0000000..922cebd
--- /dev/null
+++ b/bin/tests/system/pipelined/ns4/named.conf.in
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port @PORT@;
+	directory ".";
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	keep-response-order { 10.53.0.7/32; };
+	recursion yes;
+	dnssec-validation yes;
+	notify yes;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
diff --git a/bin/tests/system/pipelined/pipequeries.c b/bin/tests/system/pipelined/pipequeries.c
new file mode 100644
index 0000000..e158de1
--- /dev/null
+++ b/bin/tests/system/pipelined/pipequeries.c
@@ -0,0 +1,322 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <isc/app.h>
+#include <isc/base64.h>
+#include <isc/commandline.h>
+#include <isc/hash.h>
+#include <isc/log.h>
+#include <isc/managers.h>
+#include <isc/mem.h>
+#include <isc/net.h>
+#include <isc/parseint.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/sockaddr.h>
+#include <isc/socket.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/dispatch.h>
+#include <dns/events.h>
+#include <dns/fixedname.h>
+#include <dns/message.h>
+#include <dns/name.h>
+#include <dns/rdataset.h>
+#include <dns/request.h>
+#include <dns/resolver.h>
+#include <dns/result.h>
+#include <dns/types.h>
+#include <dns/view.h>
+
+#include <dst/result.h>
+
+#define CHECK(str, x)                                        \
+	{                                                    \
+		if ((x) != ISC_R_SUCCESS) {                  \
+			fprintf(stderr, "I:%s: %s\n", (str), \
+				isc_result_totext(x));       \
+			exit(-1);                            \
+		}                                            \
+	}
+
+#define RUNCHECK(x) RUNTIME_CHECK((x) == ISC_R_SUCCESS)
+
+#define PORT	5300
+#define TIMEOUT 30
+
+static isc_mem_t *mctx = NULL;
+static dns_requestmgr_t *requestmgr = NULL;
+static bool have_src = false;
+static isc_sockaddr_t srcaddr;
+static isc_sockaddr_t dstaddr;
+static int onfly;
+
+static void
+recvresponse(isc_task_t *task, isc_event_t *event) {
+	dns_requestevent_t *reqev = (dns_requestevent_t *)event;
+	isc_result_t result;
+	dns_message_t *query = NULL, *response = NULL;
+	isc_buffer_t outbuf;
+	char output[1024];
+
+	UNUSED(task);
+
+	REQUIRE(reqev != NULL);
+
+	if (reqev->result != ISC_R_SUCCESS) {
+		fprintf(stderr, "I:request event result: %s\n",
+			isc_result_totext(reqev->result));
+		exit(-1);
+	}
+
+	query = reqev->ev_arg;
+
+	dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &response);
+
+	result = dns_request_getresponse(reqev->request, response,
+					 DNS_MESSAGEPARSE_PRESERVEORDER);
+	CHECK("dns_request_getresponse", result);
+
+	if (response->rcode != dns_rcode_noerror) {
+		result = ISC_RESULTCLASS_DNSRCODE + response->rcode;
+		fprintf(stderr, "I:response rcode: %s\n",
+			isc_result_totext(result));
+		exit(-1);
+	}
+	if (response->counts[DNS_SECTION_ANSWER] != 1U) {
+		fprintf(stderr, "I:response answer count (%u!=1)\n",
+			response->counts[DNS_SECTION_ANSWER]);
+	}
+
+	isc_buffer_init(&outbuf, output, sizeof(output));
+	result = dns_message_sectiontotext(
+		response, DNS_SECTION_ANSWER, &dns_master_style_simple,
+		DNS_MESSAGETEXTFLAG_NOCOMMENTS, &outbuf);
+	CHECK("dns_message_sectiontotext", result);
+	printf("%.*s", (int)isc_buffer_usedlength(&outbuf),
+	       (char *)isc_buffer_base(&outbuf));
+	fflush(stdout);
+
+	dns_message_detach(&query);
+	dns_message_detach(&response);
+	dns_request_destroy(&reqev->request);
+	isc_event_free(&event);
+
+	if (--onfly == 0) {
+		isc_app_shutdown();
+	}
+	return;
+}
+
+static isc_result_t
+sendquery(isc_task_t *task) {
+	dns_request_t *request = NULL;
+	dns_message_t *message = NULL;
+	dns_name_t *qname = NULL;
+	dns_rdataset_t *qrdataset = NULL;
+	isc_result_t result;
+	dns_fixedname_t queryname;
+	isc_buffer_t buf;
+	static char host[256];
+	int c;
+
+	c = scanf("%255s", host);
+	if (c == EOF) {
+		return (ISC_R_NOMORE);
+	}
+
+	onfly++;
+
+	dns_fixedname_init(&queryname);
+	isc_buffer_init(&buf, host, strlen(host));
+	isc_buffer_add(&buf, strlen(host));
+	result = dns_name_fromtext(dns_fixedname_name(&queryname), &buf,
+				   dns_rootname, 0, NULL);
+	CHECK("dns_name_fromtext", result);
+
+	dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &message);
+
+	message->opcode = dns_opcode_query;
+	message->flags |= DNS_MESSAGEFLAG_RD;
+	message->rdclass = dns_rdataclass_in;
+	message->id = (unsigned short)(random() & 0xFFFF);
+
+	result = dns_message_gettempname(message, &qname);
+	CHECK("dns_message_gettempname", result);
+
+	result = dns_message_gettemprdataset(message, &qrdataset);
+	CHECK("dns_message_gettemprdataset", result);
+
+	dns_name_clone(dns_fixedname_name(&queryname), qname);
+	dns_rdataset_makequestion(qrdataset, dns_rdataclass_in,
+				  dns_rdatatype_a);
+	ISC_LIST_APPEND(qname->list, qrdataset, link);
+	dns_message_addname(message, qname, DNS_SECTION_QUESTION);
+
+	result = dns_request_createvia(
+		requestmgr, message, have_src ? &srcaddr : NULL, &dstaddr, -1,
+		DNS_REQUESTOPT_TCP | DNS_REQUESTOPT_SHARE, NULL, TIMEOUT, 0, 0,
+		task, recvresponse, message, &request);
+	CHECK("dns_request_create", result);
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+sendqueries(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result;
+
+	isc_event_free(&event);
+
+	do {
+		result = sendquery(task);
+	} while (result == ISC_R_SUCCESS);
+
+	if (onfly == 0) {
+		isc_app_shutdown();
+	}
+	return;
+}
+
+int
+main(int argc, char *argv[]) {
+	isc_sockaddr_t bind_any;
+	struct in_addr inaddr;
+	isc_result_t result;
+	isc_log_t *lctx = NULL;
+	isc_logconfig_t *lcfg = NULL;
+	isc_nm_t *netmgr = NULL;
+	isc_taskmgr_t *taskmgr = NULL;
+	isc_task_t *task = NULL;
+	isc_timermgr_t *timermgr = NULL;
+	isc_socketmgr_t *socketmgr = NULL;
+	dns_dispatchmgr_t *dispatchmgr = NULL;
+	unsigned int attrs, attrmask;
+	dns_dispatch_t *dispatchv4 = NULL;
+	dns_view_t *view = NULL;
+	uint16_t port = PORT;
+	int c;
+
+	RUNCHECK(isc_app_start());
+
+	isc_commandline_errprint = false;
+	while ((c = isc_commandline_parse(argc, argv, "p:r:")) != -1) {
+		switch (c) {
+		case 'p':
+			result = isc_parse_uint16(&port,
+						  isc_commandline_argument, 10);
+			if (result != ISC_R_SUCCESS) {
+				fprintf(stderr, "bad port '%s'\n",
+					isc_commandline_argument);
+				exit(1);
+			}
+			break;
+		case 'r':
+			fprintf(stderr, "The -r option has been deprecated.\n");
+			break;
+		case '?':
+			fprintf(stderr, "%s: invalid argument '%c'", argv[0],
+				c);
+			break;
+		default:
+			break;
+		}
+	}
+
+	argc -= isc_commandline_index;
+	argv += isc_commandline_index;
+	POST(argv);
+
+	if (argc > 0) {
+		have_src = true;
+	}
+
+	dns_result_register();
+
+	isc_sockaddr_any(&bind_any);
+
+	result = ISC_R_FAILURE;
+	if (inet_pton(AF_INET, "10.53.0.7", &inaddr) != 1) {
+		CHECK("inet_pton", result);
+	}
+	isc_sockaddr_fromin(&srcaddr, &inaddr, 0);
+
+	result = ISC_R_FAILURE;
+	if (inet_pton(AF_INET, "10.53.0.4", &inaddr) != 1) {
+		CHECK("inet_pton", result);
+	}
+	isc_sockaddr_fromin(&dstaddr, &inaddr, port);
+
+	isc_mem_create(&mctx);
+
+	isc_log_create(mctx, &lctx, &lcfg);
+
+	RUNCHECK(dst_lib_init(mctx, NULL));
+
+	RUNCHECK(isc_managers_create(mctx, 1, 0, &netmgr, &taskmgr));
+	RUNCHECK(isc_task_create(taskmgr, 0, &task));
+
+	RUNCHECK(isc_timermgr_create(mctx, &timermgr));
+	RUNCHECK(isc_socketmgr_create(mctx, &socketmgr));
+	RUNCHECK(dns_dispatchmgr_create(mctx, &dispatchmgr));
+
+	attrs = DNS_DISPATCHATTR_UDP | DNS_DISPATCHATTR_MAKEQUERY |
+		DNS_DISPATCHATTR_IPV4;
+	attrmask = DNS_DISPATCHATTR_UDP | DNS_DISPATCHATTR_TCP |
+		   DNS_DISPATCHATTR_IPV4 | DNS_DISPATCHATTR_IPV6;
+	RUNCHECK(dns_dispatch_getudp(dispatchmgr, socketmgr, taskmgr,
+				     have_src ? &srcaddr : &bind_any, 4096, 4,
+				     2, 3, 5, attrs, attrmask, &dispatchv4));
+	RUNCHECK(dns_requestmgr_create(mctx, timermgr, socketmgr, taskmgr,
+				       dispatchmgr, dispatchv4, NULL,
+				       &requestmgr));
+
+	RUNCHECK(dns_view_create(mctx, 0, "_test", &view));
+
+	RUNCHECK(isc_app_onrun(mctx, task, sendqueries, NULL));
+
+	(void)isc_app_run();
+
+	dns_view_detach(&view);
+
+	dns_requestmgr_shutdown(requestmgr);
+	dns_requestmgr_detach(&requestmgr);
+
+	dns_dispatch_detach(&dispatchv4);
+	dns_dispatchmgr_destroy(&dispatchmgr);
+
+	isc_socketmgr_destroy(&socketmgr);
+	isc_timermgr_destroy(&timermgr);
+
+	isc_task_shutdown(task);
+	isc_task_detach(&task);
+	isc_managers_destroy(&netmgr, &taskmgr);
+
+	dst_lib_destroy();
+
+	isc_log_destroy(&lctx);
+
+	isc_mem_destroy(&mctx);
+
+	isc_app_finish();
+
+	return (0);
+}
diff --git a/bin/tests/system/pipelined/prereq.sh b/bin/tests/system/pipelined/prereq.sh
new file mode 100644
index 0000000..aa97ae2
--- /dev/null
+++ b/bin/tests/system/pipelined/prereq.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if test -n "$PYTHON"
+then
+    if $PYTHON -c "import dns" 2> /dev/null
+    then
+        :
+    else
+        echo_i "This test requires the dnspython module." >&2
+        exit 1
+    fi
+else
+    echo_i "This test requires Python and the dnspython module." >&2
+    exit 1
+fi
+
+exit 0
diff --git a/bin/tests/system/pipelined/ref b/bin/tests/system/pipelined/ref
new file mode 100644
index 0000000..fe123f6
--- /dev/null
+++ b/bin/tests/system/pipelined/ref
@@ -0,0 +1,8 @@
+a.examplea. 10.0.1.1
+a.exampleb. 10.0.2.1
+b.examplea. 10.0.1.2
+b.exampleb. 10.0.2.2
+c.examplea. 10.0.1.3
+c.exampleb. 10.0.2.3
+d.examplea. 10.0.1.4
+d.exampleb. 10.0.2.4
diff --git a/bin/tests/system/pipelined/refb b/bin/tests/system/pipelined/refb
new file mode 100644
index 0000000..a24c6bc
--- /dev/null
+++ b/bin/tests/system/pipelined/refb
@@ -0,0 +1,8 @@
+e.examplea. 10.0.1.5
+e.exampleb. 10.0.2.5
+f.examplea. 10.0.1.6
+f.exampleb. 10.0.2.6
+g.examplea. 10.0.1.7
+g.exampleb. 10.0.2.7
+h.examplea. 10.0.1.8
+h.exampleb. 10.0.2.8
diff --git a/bin/tests/system/pipelined/setup.sh b/bin/tests/system/pipelined/setup.sh
new file mode 100644
index 0000000..064230a
--- /dev/null
+++ b/bin/tests/system/pipelined/setup.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
diff --git a/bin/tests/system/pipelined/tests.sh b/bin/tests/system/pipelined/tests.sh
new file mode 100644
index 0000000..76383e8
--- /dev/null
+++ b/bin/tests/system/pipelined/tests.sh
@@ -0,0 +1,81 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+MDIGOPTS="-p ${PORT}"
+RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
+
+status=0
+
+echo_i "check pipelined TCP queries"
+ret=0
+$PIPEQUERIES -p ${PORT} < input > raw || ret=1
+awk '{ print $1 " " $5 }' < raw > output
+sort < output > output-sorted
+$DIFF ref output-sorted || { ret=1 ; echo_i "diff sorted failed"; }
+$DIFF ref output > /dev/null && { ret=1 ; echo_i "diff out of order failed"; }
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "check pipelined TCP queries using mdig"
+ret=0
+$RNDCCMD 10.53.0.4 flush
+sleep 1
+$MDIG $MDIGOPTS +noall +answer +vc -f input -b 10.53.0.4 @10.53.0.4 > raw.mdig
+awk '{ print $1 " " $5 }' < raw.mdig > output.mdig
+sort < output.mdig > output-sorted.mdig
+$DIFF ref output-sorted.mdig || { ret=1 ; echo_i "diff sorted failed"; }
+$DIFF ref output.mdig > /dev/null && { ret=1 ; echo_i "diff out of order failed"; }
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "check keep-response-order"
+ret=0
+$RNDCCMD 10.53.0.4 flush
+sleep 1
+$PIPEQUERIES -p ${PORT} ++ < inputb > rawb || ret=1
+awk '{ print $1 " " $5 }' < rawb > outputb
+$DIFF refb outputb || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "check keep-response-order using mdig"
+ret=0
+$RNDCCMD 10.53.0.4 flush
+sleep 1
+$MDIG $MDIGOPTS +noall +answer +vc -f inputb -b 10.53.0.7 @10.53.0.4 > rawb.mdig
+awk '{ print $1 " " $5 }' < rawb.mdig > outputb.mdig
+$DIFF refb outputb.mdig || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "check mdig -4 -6"
+ret=0
+$RNDCCMD 10.53.0.4 flush
+sleep 1
+$MDIG $MDIGOPTS -4 -6 -f input @10.53.0.4 > output46.mdig 2>&1 && ret=1
+grep "only one of -4 and -6 allowed" output46.mdig > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "check mdig -4 with an IPv6 server address"
+ret=0
+$MDIG $MDIGOPTS -4 -f input @fd92:7065:b8e:ffff::2 > output4.mdig 2>&1 && ret=1
+grep "address family not supported" output4.mdig > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/pkcs11/2037-pk11_numbits-crash-test.pkt b/bin/tests/system/pkcs11/2037-pk11_numbits-crash-test.pkt
new file mode 100644
index 0000000..09b06f0
--- /dev/null
+++ b/bin/tests/system/pkcs11/2037-pk11_numbits-crash-test.pkt
@@ -0,0 +1,20 @@
+edda 2800 0001 0000 0001 0000 0972 7361
+7368 6132 3536 0765 7861 6d70 6c65 0000
+0600 01c0 0c00 3000 0100 0001 2c01 0801
+0003 0803 0100 0100 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 00
diff --git a/bin/tests/system/pkcs11/clean.sh b/bin/tests/system/pkcs11/clean.sh
new file mode 100644
index 0000000..b790cd8
--- /dev/null
+++ b/bin/tests/system/pkcs11/clean.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+rm -f K* ns1/K* keyset-* dsset-* ns1/*.db ns1/*.signed ns1/*.jnl
+rm -f dig.out* pin upd.log* upd.cmd* pkcs11-list.out*
+rm -f ns1/*.ksk ns1/*.zsk ns1/named.memstats
+rm -f supported
+rm -f ns*/named.run ns*/named.lock ns*/named.conf
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/pkcs11/ns1/example.db.in b/bin/tests/system/pkcs11/ns1/example.db.in
new file mode 100644
index 0000000..8e06212
--- /dev/null
+++ b/bin/tests/system/pkcs11/ns1/example.db.in
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	ns root (
+				2000082401 ; serial
+				1800       ; refresh (30 minutes)
+				1800       ; retry (30 minutes)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.1
+
+txt			TXT	"recursed"
+
diff --git a/bin/tests/system/pkcs11/ns1/named.conf.in b/bin/tests/system/pkcs11/ns1/named.conf.in
new file mode 100644
index 0000000..8f2687d
--- /dev/null
+++ b/bin/tests/system/pkcs11/ns1/named.conf.in
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+	notify no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
diff --git a/bin/tests/system/pkcs11/setup.sh b/bin/tests/system/pkcs11/setup.sh
new file mode 100644
index 0000000..274ccf6
--- /dev/null
+++ b/bin/tests/system/pkcs11/setup.sh
@@ -0,0 +1,96 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+SYSTEMTESTTOP=..
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -u
+
+echo_i "Generating keys for Native PKCS#11" >&2
+
+infile=ns1/example.db.in
+
+printf '%s' "${HSMPIN:-1234}" > pin
+PWD=$(pwd)
+
+copy_setports ns1/named.conf.in ns1/named.conf
+
+get_random() {
+    dd if=/dev/urandom bs=1 count=2 2>/dev/null | od -tu2 -An
+}
+
+genpkcs() (
+    alg="$1"
+    bits="$2"
+    label="$3"
+    id="$(get_random)"
+
+    $PK11DEL -l "$label" -w0 >/dev/null || true
+    $PK11GEN -a "$alg" -b "$bits" -l "$label" -i "$id" >/dev/null
+)
+
+keyfrlab() (
+    alg="$1"
+    bits="$2"
+    label="$3"
+    zone="$4"
+    shift 4
+
+    $KEYFRLAB -a "$alg" -l "pkcs11:object=$label;pin-source=$PWD/pin" "$@" "$zone"
+)
+
+genzsk() (
+    genpkcs "$@"
+    keyfrlab "$@"
+)
+
+genksk() (
+    genpkcs "$@"
+    keyfrlab "$@" -f ksk
+)
+
+algs=
+for algbits in rsasha256:2048 rsasha512:2048 ecdsap256sha256:256 ecdsap384sha384:384 ed25519:256 ed448:456; do
+    alg=$(echo "$algbits" | cut -f 1 -d :)
+    bits=$(echo "$algbits" | cut -f 2 -d :)
+    zone="$alg.example"
+    zonefile="ns1/$alg.example.db"
+    if $SHELL "$SYSTEMTESTTOP/testcrypto.sh" "$alg"; then
+	echo "$alg" >> supported
+	algs="$algs$alg "
+
+	zsk1=$(genzsk "$alg" "$bits" "pkcs11-$alg-zsk1" "$zone")
+	zsk2=$(genzsk "$alg" "$bits" "pkcs11-$alg-zsk2" "$zone")
+	ksk1=$(genksk "$alg" "$bits" "pkcs11-$alg-ksk1" "$zone")
+	ksk2=$(genksk "$alg" "$bits" "pkcs11-$alg-ksk2" "$zone")
+
+	cat "$infile" "$zsk1.key" "$ksk1.key" > "$zonefile"
+	$SIGNER -a -P -g -o "$zone" "$zonefile" > /dev/null
+	cp "$zsk2.key" "ns1/$alg.zsk"
+	cp "$ksk2.key" "ns1/$alg.ksk"
+	mv "K$alg"* ns1/
+
+	cat >> ns1/named.conf <<EOF
+zone "$alg.example." {
+	type primary;
+	file "$alg.example.db.signed";
+	allow-update { any; };
+};
+
+EOF
+    fi
+done
+echo_i "Generated keys for Native PKCS#11: $algs"
diff --git a/bin/tests/system/pkcs11/tests.sh b/bin/tests/system/pkcs11/tests.sh
new file mode 100644
index 0000000..e8d7cb6
--- /dev/null
+++ b/bin/tests/system/pkcs11/tests.sh
@@ -0,0 +1,149 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+SYSTEMTESTTOP=..
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+count_rrsigs() (
+    grep -c "IN[[:space:]]*RRSIG" "$@" || true
+)
+
+dig_with_opts() (
+    $DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
+)
+
+dig_for_rr() (
+    alg=$1
+    rrtype=$2
+    count0=$3
+    dig_with_opts "$alg.example." @10.53.0.1 "$rrtype" > "dig.out.$rrtype.$alg" &&
+    count=$(count_rrsigs "dig.out.$rrtype.$alg") &&
+    test "$count" -gt "$count0"
+)
+
+test_done() {
+    if [ $ret -ne 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+    ret=0
+}
+
+status=0
+ret=0
+
+n=0
+while read -r alg; do
+    zonefile=ns1/$alg.example.db
+    echo_i "testing PKCS#11 key generation ($alg)"
+    count=$($PK11LIST | grep -c "pkcs11-$alg-ksk" || true)
+    [ "$count" -eq 4 ] || ret=1
+    test_done
+
+    echo_i "testing offline signing with PKCS#11 keys ($alg)"
+
+    count=$(grep -c "[0-9][[:space:]]*RRSIG" "$zonefile.signed")
+    [ "$count" -eq 9 ] || ret=1
+    test_done
+
+    echo_i "testing inline signing with new PKCS#11 ZSK ($alg)"
+
+    dig_with_opts "$alg.example." @10.53.0.1 "SOA" > "dig.out.SOA.$alg.0" || ret=1
+    countSOA0=$(count_rrsigs "dig.out.SOA.$alg.0")
+    new_zsk=$(grep -v ';' "ns1/$alg.zsk")
+
+    cat > "upd.cmd.ZSK.$alg" <<EOF
+server 10.53.0.1 $PORT
+ttl 300
+zone $alg.example.
+update add $new_zsk
+send
+EOF
+
+    $NSUPDATE -v > "upd.log.ZSK.$alg" < "upd.cmd.ZSK.$alg" || ret=1
+
+    retry_quiet 20 dig_for_rr "$alg" "SOA" "$countSOA0" || ret=1
+    test_done
+
+    echo_i "testing inline signing with new PKCS#11 KSK ($alg)"
+
+    dig_with_opts "$alg.example." @10.53.0.1 "DNSKEY" > "dig.out.DNSKEY.$alg.0" || ret=1
+    countDNSKEY0=$(count_rrsigs "dig.out.DNSKEY.$alg.0")
+    new_ksk=$(grep -v ';' "ns1/$alg.ksk")
+
+    cat > "upd.cmd.KSK.$alg" <<EOF
+server 10.53.0.1 $PORT
+ttl 300
+zone $alg.example.
+update add $new_ksk
+send
+EOF
+
+    $NSUPDATE -v > "upd.log.KSK.$alg" < "upd.cmd.KSK.$alg" || ret=1
+
+    retry_quiet 20 dig_for_rr "$alg" "DNSKEY" "$countDNSKEY0" || ret=1
+    test_done
+
+    echo_i "testing PKCS#11 key destroy ($alg)"
+
+    # Lookup all existing keys
+    echo_i "looking up all existing keys ($alg)"
+    $PK11LIST > "pkcs11-list.out.id.$alg" || ret=1
+    test_done
+
+    echo_i "destroying key with 'pkcs11-$alg-ksk1' label ($alg)"
+    $PK11DEL -l "pkcs11-$alg-ksk1" > /dev/null 2>&1 || ret=1
+    test_done
+
+    echo_i "destroying key with 'pkcs11-$alg-zsk1' label ($alg)"
+    $PK11DEL -l "pkcs11-$alg-zsk1" > /dev/null 2>&1 || ret=1
+    test_done
+
+    id=$(awk -v label="'pkcs11-$alg-ksk2'" '{ if ($7 == label) { print $9; exit; } }' < "pkcs11-list.out.id.$alg")
+    echo_i "destroying key with $id id ($alg)"
+    if [ -n "$id" ]; then
+	$PK11DEL -i "$id" > /dev/null 2>&1 || ret=1
+    else
+	ret=1
+    fi
+    test_done
+
+    id=$(awk -v label="'pkcs11-$alg-zsk2'" '{ if ($7 == label) { print $9; exit; } }' < "pkcs11-list.out.id.$alg")
+    echo_i "destroying key with $id id ($alg)"
+    if [ -n "$id" ]; then
+	$PK11DEL -i "$id" > /dev/null 2>&1 || ret=1
+    else
+	ret=1
+    fi
+    test_done
+
+    echo_i "checking if all keys have been destroyed ($alg)"
+    $PK11LIST > "pkcs11-list.out.$alg" || ret=1
+    count=$(grep -c "pkcs11-$alg-[kz]sk[0-9]*" "pkcs11-list.out.$alg" || true)
+    [ "$count" -eq 0 ] || ret=1
+    test_done
+    n=$((n+1))
+done < supported
+
+echo_i "Checking if all supported algorithms were tested"
+[ "$n" -eq "$(wc -l < supported)" ] || ret=1
+test_done
+
+echo_i "Checking for assertion failure in pk11_numbits()"
+$PERL ../packet.pl -a "10.53.0.1" -p "$PORT" -t udp 2037-pk11_numbits-crash-test.pkt
+dig_with_opts @10.53.0.1 version.bind. CH TXT > dig.out.pk11_numbits || ret=1
+test_done
+
+echo_i "exit status: $status"
+[ "$status" -eq 0 ] || exit 1
diff --git a/bin/tests/system/pkcs11/usepkcs11 b/bin/tests/system/pkcs11/usepkcs11
new file mode 100644
index 0000000..ef46412
--- /dev/null
+++ b/bin/tests/system/pkcs11/usepkcs11
@@ -0,0 +1 @@
+This test relies on PKCS#11!
diff --git a/bin/tests/system/pytest_custom_markers.py b/bin/tests/system/pytest_custom_markers.py
new file mode 100644
index 0000000..ba3a9d4
--- /dev/null
+++ b/bin/tests/system/pytest_custom_markers.py
@@ -0,0 +1,60 @@
+#!/usr/bin/python3
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import os
+import subprocess
+
+import pytest
+
+
+long_test = pytest.mark.skipif(
+    not os.environ.get("CI_ENABLE_ALL_TESTS"), reason="CI_ENABLE_ALL_TESTS not set"
+)
+
+
+def feature_test(feature):
+    feature_test_bin = os.environ["FEATURETEST"]
+    try:
+        subprocess.run([feature_test_bin, feature], check=True)
+    except subprocess.CalledProcessError as exc:
+        if exc.returncode != 1:
+            raise
+        return False
+    return True
+
+
+have_libxml2 = pytest.mark.skipif(
+    not feature_test("--have-libxml2"), reason="libxml2 support disabled in the build"
+)
+
+have_json_c = pytest.mark.skipif(
+    not feature_test("--have-json-c"), reason="json-c support disabled in the build"
+)
+
+
+try:
+    import flaky as flaky_pkg
+except ModuleNotFoundError:
+    # In case the flaky package is not installed, run the tests as usual
+    # without any attempts to re-run them.
+    # pylint: disable=unused-argument
+    def flaky(*args, **kwargs):
+        """Mock decorator that doesn't do anything special, just returns the function."""
+
+        def wrapper(wrapped_obj):
+            return wrapped_obj
+
+        return wrapper
+
+else:
+    flaky = flaky_pkg.flaky
diff --git a/bin/tests/system/qmin/ans2/ans.py b/bin/tests/system/qmin/ans2/ans.py
new file mode 100755
index 0000000..1994ff3
--- /dev/null
+++ b/bin/tests/system/qmin/ans2/ans.py
@@ -0,0 +1,401 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+from __future__ import print_function
+import os
+import sys
+import signal
+import socket
+import select
+from datetime import datetime, timedelta
+import time
+import functools
+
+import dns, dns.message, dns.query, dns.flags
+from dns.rdatatype import *
+from dns.rdataclass import *
+from dns.rcode import *
+from dns.name import *
+
+
+# Log query to file
+def logquery(type, qname):
+    with open("qlog", "a") as f:
+        f.write("%s %s\n", type, qname)
+
+
+def endswith(domain, labels):
+    return domain.endswith("." + labels) or domain == labels
+
+
+############################################################################
+# Respond to a DNS query.
+# For good. it serves:
+# ns2.good. IN A 10.53.0.2
+# zoop.boing.good. NS ns3.good.
+# ns3.good. IN A 10.53.0.3
+# too.many.labels.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.good. A 192.0.2.2
+# it responds properly (with NODATA empty response) to non-empty terminals
+#
+# For slow. it works the same as for good., but each response is delayed by 400 milliseconds
+#
+# For bad. it works the same as for good., but returns NXDOMAIN to non-empty terminals
+#
+# For ugly. it works the same as for good., but returns garbage to non-empty terminals
+#
+# For 1.0.0.2.ip6.arpa it serves
+# 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.f.4.0.1.0.0.2.ip6.arpa. IN PTR nee.com.
+# 8.2.6.0.1.0.0.2.ip6.arpa IN NS ns3.good
+# 1.0.0.2.ip6.arpa. IN NS ns2.good
+# ip6.arpa. IN NS ns2.good
+#
+# For stale. it serves:
+# a.b. NS ns.a.b.stale.
+# ns.a.b.stale. IN A 10.53.0.3
+# b. NS ns.b.stale.
+# ns.b.stale. IN A 10.53.0.4
+############################################################################
+def create_response(msg):
+    m = dns.message.from_wire(msg)
+    qname = m.question[0].name.to_text()
+    lqname = qname.lower()
+    labels = lqname.split(".")
+
+    # get qtype
+    rrtype = m.question[0].rdtype
+    typename = dns.rdatatype.to_text(rrtype)
+    if typename == "A" or typename == "AAAA":
+        typename = "ADDR"
+    bad = False
+    ugly = False
+    slow = False
+
+    # log this query
+    with open("query.log", "a") as f:
+        f.write("%s %s\n" % (typename, lqname))
+        print("%s %s" % (typename, lqname), end=" ")
+
+    r = dns.message.make_response(m)
+    r.set_rcode(NOERROR)
+
+    if endswith(lqname, "1.0.0.2.ip6.arpa."):
+        # Direct query - give direct answer
+        if endswith(lqname, "8.2.6.0.1.0.0.2.ip6.arpa."):
+            # Delegate to ns3
+            r.authority.append(
+                dns.rrset.from_text(
+                    "8.2.6.0.1.0.0.2.ip6.arpa.", 60, IN, NS, "ns3.good."
+                )
+            )
+            r.additional.append(
+                dns.rrset.from_text("ns3.good.", 60, IN, A, "10.53.0.3")
+            )
+        elif (
+            lqname
+            == "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.f.4.0.1.0.0.2.ip6.arpa."
+            and rrtype == PTR
+        ):
+            # Direct query - give direct answer
+            r.answer.append(
+                dns.rrset.from_text(
+                    "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.f.4.0.1.0.0.2.ip6.arpa.",
+                    1,
+                    IN,
+                    PTR,
+                    "nee.com.",
+                )
+            )
+            r.flags |= dns.flags.AA
+        elif lqname == "1.0.0.2.ip6.arpa." and rrtype == NS:
+            # NS query at the apex
+            r.answer.append(
+                dns.rrset.from_text("1.0.0.2.ip6.arpa.", 30, IN, NS, "ns2.good.")
+            )
+            r.flags |= dns.flags.AA
+        elif endswith(
+            "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.f.4.0.1.0.0.2.ip6.arpa.",
+            lqname,
+        ):
+            # NODATA answer
+            r.authority.append(
+                dns.rrset.from_text(
+                    "1.0.0.2.ip6.arpa.",
+                    30,
+                    IN,
+                    SOA,
+                    "ns2.good. hostmaster.arpa. 2018050100 1 1 1 1",
+                )
+            )
+        else:
+            # NXDOMAIN
+            r.authority.append(
+                dns.rrset.from_text(
+                    "1.0.0.2.ip6.arpa.",
+                    30,
+                    IN,
+                    SOA,
+                    "ns2.good. hostmaster.arpa. 2018050100 1 1 1 1",
+                )
+            )
+            r.set_rcode(NXDOMAIN)
+        return r
+    elif endswith(lqname, "ip6.arpa."):
+        if lqname == "ip6.arpa." and rrtype == NS:
+            # NS query at the apex
+            r.answer.append(dns.rrset.from_text("ip6.arpa.", 30, IN, NS, "ns2.good."))
+            r.flags |= dns.flags.AA
+        elif endswith("1.0.0.2.ip6.arpa.", lqname):
+            # NODATA answer
+            r.authority.append(
+                dns.rrset.from_text(
+                    "ip6.arpa.",
+                    30,
+                    IN,
+                    SOA,
+                    "ns2.good. hostmaster.arpa. 2018050100 1 1 1 1",
+                )
+            )
+        else:
+            # NXDOMAIN
+            r.authority.append(
+                dns.rrset.from_text(
+                    "ip6.arpa.",
+                    30,
+                    IN,
+                    SOA,
+                    "ns2.good. hostmaster.arpa. 2018050100 1 1 1 1",
+                )
+            )
+            r.set_rcode(NXDOMAIN)
+        return r
+    elif endswith(lqname, "stale."):
+        if endswith(lqname, "a.b.stale."):
+            # Delegate to ns.a.b.stale.
+            r.authority.append(
+                dns.rrset.from_text("a.b.stale.", 2, IN, NS, "ns.a.b.stale.")
+            )
+            r.additional.append(
+                dns.rrset.from_text("ns.a.b.stale.", 2, IN, A, "10.53.0.3")
+            )
+        elif endswith(lqname, "b.stale."):
+            # Delegate to ns.b.stale.
+            r.authority.append(
+                dns.rrset.from_text("b.stale.", 2, IN, NS, "ns.b.stale.")
+            )
+            r.additional.append(
+                dns.rrset.from_text("ns.b.stale.", 2, IN, A, "10.53.0.4")
+            )
+        elif lqname == "stale." and rrtype == NS:
+            # NS query at the apex.
+            r.answer.append(dns.rrset.from_text("stale.", 2, IN, NS, "ns2.stale."))
+            r.flags |= dns.flags.AA
+        elif lqname == "stale." and rrtype == SOA:
+            # SOA query at the apex.
+            r.answer.append(
+                dns.rrset.from_text(
+                    "stale.", 2, IN, SOA, "ns2.stale. hostmaster.stale. 1 2 3 4 5"
+                )
+            )
+            r.flags |= dns.flags.AA
+        elif lqname == "stale.":
+            # NODATA answer
+            r.authority.append(
+                dns.rrset.from_text(
+                    "stale.", 2, IN, SOA, "ns2.stale. hostmaster.arpa. 1 2 3 4 5"
+                )
+            )
+        else:
+            # NXDOMAIN
+            r.authority.append(
+                dns.rrset.from_text(
+                    "stale.", 2, IN, SOA, "ns2.stale. hostmaster.arpa. 1 2 3 4 5"
+                )
+            )
+            r.set_rcode(NXDOMAIN)
+        return r
+    elif endswith(lqname, "bad."):
+        bad = True
+        suffix = "bad."
+        lqname = lqname[:-4]
+    elif endswith(lqname, "ugly."):
+        ugly = True
+        suffix = "ugly."
+        lqname = lqname[:-5]
+    elif endswith(lqname, "good."):
+        suffix = "good."
+        lqname = lqname[:-5]
+    elif endswith(lqname, "slow."):
+        slow = True
+        suffix = "slow."
+        lqname = lqname[:-5]
+    elif endswith(lqname, "fwd."):
+        suffix = "fwd."
+        lqname = lqname[:-4]
+    else:
+        r.set_rcode(REFUSED)
+        return r
+
+    # Good/bad/ugly differs only in how we treat non-empty terminals
+    if endswith(lqname, "zoop.boing."):
+        r.authority.append(
+            dns.rrset.from_text("zoop.boing." + suffix, 1, IN, NS, "ns3." + suffix)
+        )
+    elif (
+        lqname == "many.labels.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z."
+        and rrtype == A
+    ):
+        r.answer.append(dns.rrset.from_text(lqname + suffix, 1, IN, A, "192.0.2.2"))
+        r.flags |= dns.flags.AA
+    elif lqname == "" and rrtype == NS:
+        r.answer.append(dns.rrset.from_text(suffix, 30, IN, NS, "ns2." + suffix))
+        r.flags |= dns.flags.AA
+    elif lqname == "ns2." and rrtype == A:
+        r.answer.append(dns.rrset.from_text("ns2." + suffix, 30, IN, A, "10.53.0.2"))
+        r.flags |= dns.flags.AA
+    elif lqname == "ns2." and rrtype == AAAA:
+        r.answer.append(
+            dns.rrset.from_text("ns2." + suffix, 30, IN, AAAA, "fd92:7065:b8e:ffff::2")
+        )
+        r.flags |= dns.flags.AA
+    elif lqname == "ns3." and rrtype == A:
+        r.answer.append(dns.rrset.from_text("ns3." + suffix, 30, IN, A, "10.53.0.3"))
+        r.flags |= dns.flags.AA
+    elif lqname == "ns3." and rrtype == AAAA:
+        r.answer.append(
+            dns.rrset.from_text("ns3." + suffix, 30, IN, AAAA, "fd92:7065:b8e:ffff::3")
+        )
+        r.flags |= dns.flags.AA
+    elif lqname == "ns4." and rrtype == A:
+        r.answer.append(dns.rrset.from_text("ns4." + suffix, 30, IN, A, "10.53.0.4"))
+        r.flags |= dns.flags.AA
+    elif lqname == "ns4." and rrtype == AAAA:
+        r.answer.append(
+            dns.rrset.from_text("ns4." + suffix, 30, IN, AAAA, "fd92:7065:b8e:ffff::4")
+        )
+        r.flags |= dns.flags.AA
+    elif lqname == "a.bit.longer.ns.name." and rrtype == A:
+        r.answer.append(
+            dns.rrset.from_text("a.bit.longer.ns.name." + suffix, 1, IN, A, "10.53.0.4")
+        )
+        r.flags |= dns.flags.AA
+    elif lqname == "a.bit.longer.ns.name." and rrtype == AAAA:
+        r.answer.append(
+            dns.rrset.from_text(
+                "a.bit.longer.ns.name." + suffix, 1, IN, AAAA, "fd92:7065:b8e:ffff::4"
+            )
+        )
+        r.flags |= dns.flags.AA
+    else:
+        r.authority.append(
+            dns.rrset.from_text(
+                suffix,
+                1,
+                IN,
+                SOA,
+                "ns2." + suffix + " hostmaster.arpa. 2018050100 1 1 1 1",
+            )
+        )
+        if bad or not (
+            endswith("icky.icky.icky.ptang.zoop.boing.", lqname)
+            or endswith(
+                "many.labels.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.",
+                lqname,
+            )
+            or endswith("a.bit.longer.ns.name.", lqname)
+        ):
+            r.set_rcode(NXDOMAIN)
+        if ugly:
+            r.set_rcode(FORMERR)
+    if slow:
+        time.sleep(0.2)
+    return r
+
+
+def sigterm(signum, frame):
+    print("Shutting down now...")
+    os.remove("ans.pid")
+    running = False
+    sys.exit(0)
+
+
+############################################################################
+# Main
+#
+# Set up responder and control channel, open the pid file, and start
+# the main loop, listening for queries on the query channel or commands
+# on the control channel and acting on them.
+############################################################################
+ip4 = "10.53.0.2"
+ip6 = "fd92:7065:b8e:ffff::2"
+
+try:
+    port = int(os.environ["PORT"])
+except:
+    port = 5300
+
+query4_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+query4_socket.bind((ip4, port))
+
+havev6 = True
+try:
+    query6_socket = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
+    try:
+        query6_socket.bind((ip6, port))
+    except:
+        query6_socket.close()
+        havev6 = False
+except:
+    havev6 = False
+
+signal.signal(signal.SIGTERM, sigterm)
+
+f = open("ans.pid", "w")
+pid = os.getpid()
+print(pid, file=f)
+f.close()
+
+running = True
+
+print("Listening on %s port %d" % (ip4, port))
+if havev6:
+    print("Listening on %s port %d" % (ip6, port))
+print("Ctrl-c to quit")
+
+if havev6:
+    input = [query4_socket, query6_socket]
+else:
+    input = [query4_socket]
+
+while running:
+    try:
+        inputready, outputready, exceptready = select.select(input, [], [])
+    except select.error as e:
+        break
+    except socket.error as e:
+        break
+    except KeyboardInterrupt:
+        break
+
+    for s in inputready:
+        if s == query4_socket or s == query6_socket:
+            print(
+                "Query received on %s" % (ip4 if s == query4_socket else ip6), end=" "
+            )
+            # Handle incoming queries
+            msg = s.recvfrom(65535)
+            rsp = create_response(msg[0])
+            if rsp:
+                print(dns.rcode.to_text(rsp.rcode()))
+                s.sendto(rsp.to_wire(), msg[1])
+            else:
+                print("NO RESPONSE")
+    if not running:
+        break
diff --git a/bin/tests/system/qmin/ans3/ans.py b/bin/tests/system/qmin/ans3/ans.py
new file mode 100755
index 0000000..079c3d2
--- /dev/null
+++ b/bin/tests/system/qmin/ans3/ans.py
@@ -0,0 +1,274 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+from __future__ import print_function
+import os
+import sys
+import signal
+import socket
+import select
+from datetime import datetime, timedelta
+import time
+import functools
+
+import dns, dns.message, dns.query, dns.flags
+from dns.rdatatype import *
+from dns.rdataclass import *
+from dns.rcode import *
+from dns.name import *
+
+
+# Log query to file
+def logquery(type, qname):
+    with open("qlog", "a") as f:
+        f.write("%s %s\n", type, qname)
+
+
+def endswith(domain, labels):
+    return domain.endswith("." + labels) or domain == labels
+
+
+############################################################################
+# Respond to a DNS query.
+# For good. it serves:
+# zoop.boing.good. NS ns3.good.
+# icky.ptang.zoop.boing.good. NS a.bit.longer.ns.name.good.
+# it responds properly (with NODATA empty response) to non-empty terminals
+#
+# For slow. it works the same as for good., but each response is delayed by 400 milliseconds
+#
+# For bad. it works the same as for good., but returns NXDOMAIN to non-empty terminals
+#
+# For ugly. it works the same as for good., but returns garbage to non-empty terminals
+#
+# For stale. it serves:
+# a.b.stale. IN TXT peekaboo (resolver did not do qname minimization)
+############################################################################
+def create_response(msg):
+    m = dns.message.from_wire(msg)
+    qname = m.question[0].name.to_text()
+    lqname = qname.lower()
+    labels = lqname.split(".")
+    suffix = ""
+
+    # get qtype
+    rrtype = m.question[0].rdtype
+    typename = dns.rdatatype.to_text(rrtype)
+    if typename == "A" or typename == "AAAA":
+        typename = "ADDR"
+    bad = False
+    ugly = False
+    slow = False
+
+    # log this query
+    with open("query.log", "a") as f:
+        f.write("%s %s\n" % (typename, lqname))
+        print("%s %s" % (typename, lqname), end=" ")
+
+    r = dns.message.make_response(m)
+    r.set_rcode(NOERROR)
+
+    ip6req = False
+
+    if endswith(lqname, "bad."):
+        bad = True
+        suffix = "bad."
+        lqname = lqname[:-4]
+    elif endswith(lqname, "ugly."):
+        ugly = True
+        suffix = "ugly."
+        lqname = lqname[:-5]
+    elif endswith(lqname, "good."):
+        suffix = "good."
+        lqname = lqname[:-5]
+    elif endswith(lqname, "slow."):
+        slow = True
+        suffix = "slow."
+        lqname = lqname[:-5]
+    elif endswith(lqname, "8.2.6.0.1.0.0.2.ip6.arpa."):
+        ip6req = True
+    elif endswith(lqname, "a.b.stale."):
+        if lqname == "a.b.stale.":
+            if rrtype == TXT:
+                # Direct query.
+                r.answer.append(dns.rrset.from_text(lqname, 1, IN, TXT, "peekaboo"))
+                r.flags |= dns.flags.AA
+            elif rrtype == NS:
+                # NS a.b.
+                r.answer.append(dns.rrset.from_text(lqname, 1, IN, NS, "ns.a.b.stale."))
+                r.additional.append(
+                    dns.rrset.from_text("ns.a.b.stale.", 1, IN, A, "10.53.0.3")
+                )
+                r.flags |= dns.flags.AA
+            elif rrtype == SOA:
+                # SOA a.b.
+                r.answer.append(
+                    dns.rrset.from_text(
+                        lqname, 1, IN, SOA, "a.b.stale. hostmaster.a.b.stale. 1 2 3 4 5"
+                    )
+                )
+                r.flags |= dns.flags.AA
+            else:
+                # NODATA.
+                r.authority.append(
+                    dns.rrset.from_text(
+                        lqname, 1, IN, SOA, "a.b.stale. hostmaster.a.b.stale. 1 2 3 4 5"
+                    )
+                )
+        else:
+            r.authority.append(
+                dns.rrset.from_text(
+                    lqname, 1, IN, SOA, "a.b.stale. hostmaster.a.b.stale. 1 2 3 4 5"
+                )
+            )
+            r.set_rcode(NXDOMAIN)
+            # NXDOMAIN.
+        return r
+    else:
+        r.set_rcode(REFUSED)
+        return r
+
+    # Good/bad differs only in how we treat non-empty terminals
+    if lqname == "zoop.boing." and rrtype == NS:
+        r.answer.append(
+            dns.rrset.from_text(lqname + suffix, 1, IN, NS, "ns3." + suffix)
+        )
+        r.flags |= dns.flags.AA
+    elif endswith(lqname, "icky.ptang.zoop.boing."):
+        r.authority.append(
+            dns.rrset.from_text(
+                "icky.ptang.zoop.boing." + suffix,
+                1,
+                IN,
+                NS,
+                "a.bit.longer.ns.name." + suffix,
+            )
+        )
+    elif endswith("icky.ptang.zoop.boing.", lqname):
+        r.authority.append(
+            dns.rrset.from_text(
+                "zoop.boing." + suffix,
+                1,
+                IN,
+                SOA,
+                "ns3." + suffix + " hostmaster.arpa. 2018050100 1 1 1 1",
+            )
+        )
+        if bad:
+            r.set_rcode(NXDOMAIN)
+        if ugly:
+            r.set_rcode(FORMERR)
+    elif endswith(lqname, "zoop.boing."):
+        r.authority.append(
+            dns.rrset.from_text(
+                "zoop.boing." + suffix,
+                1,
+                IN,
+                SOA,
+                "ns3." + suffix + " hostmaster.arpa. 2018050100 1 1 1 1",
+            )
+        )
+        r.set_rcode(NXDOMAIN)
+    elif ip6req:
+        r.authority.append(
+            dns.rrset.from_text(
+                "1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa.", 60, IN, NS, "ns4.good."
+            )
+        )
+        r.additional.append(dns.rrset.from_text("ns4.good.", 60, IN, A, "10.53.0.4"))
+    else:
+        r.set_rcode(REFUSED)
+
+    if slow:
+        time.sleep(0.4)
+    return r
+
+
+def sigterm(signum, frame):
+    print("Shutting down now...")
+    os.remove("ans.pid")
+    running = False
+    sys.exit(0)
+
+
+############################################################################
+# Main
+#
+# Set up responder and control channel, open the pid file, and start
+# the main loop, listening for queries on the query channel or commands
+# on the control channel and acting on them.
+############################################################################
+ip4 = "10.53.0.3"
+ip6 = "fd92:7065:b8e:ffff::3"
+
+try:
+    port = int(os.environ["PORT"])
+except:
+    port = 5300
+
+query4_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+query4_socket.bind((ip4, port))
+
+havev6 = True
+try:
+    query6_socket = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
+    try:
+        query6_socket.bind((ip6, port))
+    except:
+        query6_socket.close()
+        havev6 = False
+except:
+    havev6 = False
+
+signal.signal(signal.SIGTERM, sigterm)
+
+f = open("ans.pid", "w")
+pid = os.getpid()
+print(pid, file=f)
+f.close()
+
+running = True
+
+print("Listening on %s port %d" % (ip4, port))
+if havev6:
+    print("Listening on %s port %d" % (ip6, port))
+print("Ctrl-c to quit")
+
+if havev6:
+    input = [query4_socket, query6_socket]
+else:
+    input = [query4_socket]
+
+while running:
+    try:
+        inputready, outputready, exceptready = select.select(input, [], [])
+    except select.error as e:
+        break
+    except socket.error as e:
+        break
+    except KeyboardInterrupt:
+        break
+
+    for s in inputready:
+        if s == query4_socket or s == query6_socket:
+            print(
+                "Query received on %s" % (ip4 if s == query4_socket else ip6), end=" "
+            )
+            # Handle incoming queries
+            msg = s.recvfrom(65535)
+            rsp = create_response(msg[0])
+            if rsp:
+                print(dns.rcode.to_text(rsp.rcode()))
+                s.sendto(rsp.to_wire(), msg[1])
+            else:
+                print("NO RESPONSE")
+    if not running:
+        break
diff --git a/bin/tests/system/qmin/ans4/ans.py b/bin/tests/system/qmin/ans4/ans.py
new file mode 100755
index 0000000..f3d00c3
--- /dev/null
+++ b/bin/tests/system/qmin/ans4/ans.py
@@ -0,0 +1,320 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+from __future__ import print_function
+import os
+import sys
+import signal
+import socket
+import select
+from datetime import datetime, timedelta
+import time
+import functools
+
+import dns, dns.message, dns.query, dns.flags
+from dns.rdatatype import *
+from dns.rdataclass import *
+from dns.rcode import *
+from dns.name import *
+
+
+# Log query to file
+def logquery(type, qname):
+    with open("qlog", "a") as f:
+        f.write("%s %s\n", type, qname)
+
+
+def endswith(domain, labels):
+    return domain.endswith("." + labels) or domain == labels
+
+
+############################################################################
+# Respond to a DNS query.
+# For good. it serves:
+# icky.ptang.zoop.boing.good. NS a.bit.longer.ns.name.
+# icky.icky.icky.ptang.zoop.boing.good. A 192.0.2.1
+# more.icky.icky.icky.ptang.zoop.boing.good. A 192.0.2.2
+# it responds properly (with NODATA empty response) to non-empty terminals
+#
+# For slow. it works the same as for good., but each response is delayed by 400 milliseconds
+#
+# For bad. it works the same as for good., but returns NXDOMAIN to non-empty terminals
+#
+# For ugly. it works the same as for good., but returns garbage to non-empty terminals
+#
+# For stale. it serves:
+# a.b.stale. IN TXT hooray (resolver did do qname minimization)
+############################################################################
+def create_response(msg):
+    m = dns.message.from_wire(msg)
+    qname = m.question[0].name.to_text()
+    lqname = qname.lower()
+    labels = lqname.split(".")
+    suffix = ""
+
+    # get qtype
+    rrtype = m.question[0].rdtype
+    typename = dns.rdatatype.to_text(rrtype)
+    if typename == "A" or typename == "AAAA":
+        typename = "ADDR"
+    bad = False
+    slow = False
+    ugly = False
+
+    # log this query
+    with open("query.log", "a") as f:
+        f.write("%s %s\n" % (typename, lqname))
+        print("%s %s" % (typename, lqname), end=" ")
+
+    r = dns.message.make_response(m)
+    r.set_rcode(NOERROR)
+
+    ip6req = False
+
+    if endswith(lqname, "bad."):
+        bad = True
+        suffix = "bad."
+        lqname = lqname[:-4]
+    elif endswith(lqname, "ugly."):
+        ugly = True
+        suffix = "ugly."
+        lqname = lqname[:-5]
+    elif endswith(lqname, "good."):
+        suffix = "good."
+        lqname = lqname[:-5]
+    elif endswith(lqname, "slow."):
+        slow = True
+        suffix = "slow."
+        lqname = lqname[:-5]
+    elif endswith(lqname, "1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa."):
+        ip6req = True
+    elif endswith(lqname, "b.stale."):
+        if lqname == "a.b.stale.":
+            if rrtype == TXT:
+                # Direct query.
+                r.answer.append(dns.rrset.from_text(lqname, 1, IN, TXT, "hooray"))
+                r.flags |= dns.flags.AA
+            elif rrtype == NS:
+                # NS a.b.
+                r.answer.append(dns.rrset.from_text(lqname, 1, IN, NS, "ns.a.b.stale."))
+                r.additional.append(
+                    dns.rrset.from_text("ns.a.b.stale.", 1, IN, A, "10.53.0.3")
+                )
+                r.flags |= dns.flags.AA
+            elif rrtype == SOA:
+                # SOA a.b.
+                r.answer.append(
+                    dns.rrset.from_text(
+                        lqname, 1, IN, SOA, "a.b.stale. hostmaster.a.b.stale. 1 2 3 4 5"
+                    )
+                )
+                r.flags |= dns.flags.AA
+            else:
+                # NODATA.
+                r.authority.append(
+                    dns.rrset.from_text(
+                        lqname, 1, IN, SOA, "a.b.stale. hostmaster.a.b.stale. 1 2 3 4 5"
+                    )
+                )
+        elif lqname == "b.stale.":
+            if rrtype == NS:
+                # NS b.
+                r.answer.append(dns.rrset.from_text(lqname, 1, IN, NS, "ns.b.stale."))
+                r.additional.append(
+                    dns.rrset.from_text("ns.b.stale.", 1, IN, A, "10.53.0.4")
+                )
+                r.flags |= dns.flags.AA
+            elif rrtype == SOA:
+                # SOA b.
+                r.answer.append(
+                    dns.rrset.from_text(
+                        lqname, 1, IN, SOA, "b.stale. hostmaster.b.stale. 1 2 3 4 5"
+                    )
+                )
+                r.flags |= dns.flags.AA
+            else:
+                # NODATA.
+                r.authority.append(
+                    dns.rrset.from_text(
+                        lqname, 1, IN, SOA, "b.stale. hostmaster.b.stale. 1 2 3 4 5"
+                    )
+                )
+        else:
+            r.authority.append(
+                dns.rrset.from_text(
+                    lqname, 1, IN, SOA, "b.stale. hostmaster.b.stale. 1 2 3 4 5"
+                )
+            )
+            r.set_rcode(NXDOMAIN)
+            # NXDOMAIN.
+        return r
+    else:
+        r.set_rcode(REFUSED)
+        return r
+
+    # Good/bad differs only in how we treat non-empty terminals
+    if lqname == "icky.icky.icky.ptang.zoop.boing." and rrtype == A:
+        r.answer.append(dns.rrset.from_text(lqname + suffix, 1, IN, A, "192.0.2.1"))
+        r.flags |= dns.flags.AA
+    elif lqname == "more.icky.icky.icky.ptang.zoop.boing." and rrtype == A:
+        r.answer.append(dns.rrset.from_text(lqname + suffix, 1, IN, A, "192.0.2.2"))
+        r.flags |= dns.flags.AA
+    elif lqname == "icky.ptang.zoop.boing." and rrtype == NS:
+        r.answer.append(
+            dns.rrset.from_text(
+                lqname + suffix, 1, IN, NS, "a.bit.longer.ns.name." + suffix
+            )
+        )
+        r.flags |= dns.flags.AA
+    elif endswith(lqname, "icky.ptang.zoop.boing."):
+        r.authority.append(
+            dns.rrset.from_text(
+                "icky.ptang.zoop.boing." + suffix,
+                1,
+                IN,
+                SOA,
+                "ns2." + suffix + " hostmaster.arpa. 2018050100 1 1 1 1",
+            )
+        )
+        if bad or not endswith("more.icky.icky.icky.ptang.zoop.boing.", lqname):
+            r.set_rcode(NXDOMAIN)
+        if ugly:
+            r.set_rcode(FORMERR)
+    elif ip6req:
+        r.flags |= dns.flags.AA
+        if (
+            lqname
+            == "test1.test2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.0.9.4.1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa."
+            and rrtype == TXT
+        ):
+            r.answer.append(
+                dns.rrset.from_text(
+                    "test1.test2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.0.9.4.1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa.",
+                    1,
+                    IN,
+                    TXT,
+                    "long_ip6_name",
+                )
+            )
+        elif endswith(
+            "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.0.9.4.1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa.",
+            lqname,
+        ):
+            # NODATA answer
+            r.authority.append(
+                dns.rrset.from_text(
+                    "1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa.",
+                    60,
+                    IN,
+                    SOA,
+                    "ns4.good. hostmaster.arpa. 2018050100 120 30 320 16",
+                )
+            )
+        else:
+            # NXDOMAIN
+            r.authority.append(
+                dns.rrset.from_text(
+                    "1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa.",
+                    60,
+                    IN,
+                    SOA,
+                    "ns4.good. hostmaster.arpa. 2018050100 120 30 320 16",
+                )
+            )
+            r.set_rcode(NXDOMAIN)
+    else:
+        r.set_rcode(REFUSED)
+
+    if slow:
+        time.sleep(0.4)
+    return r
+
+
+def sigterm(signum, frame):
+    print("Shutting down now...")
+    os.remove("ans.pid")
+    running = False
+    sys.exit(0)
+
+
+############################################################################
+# Main
+#
+# Set up responder and control channel, open the pid file, and start
+# the main loop, listening for queries on the query channel or commands
+# on the control channel and acting on them.
+############################################################################
+ip4 = "10.53.0.4"
+ip6 = "fd92:7065:b8e:ffff::4"
+
+try:
+    port = int(os.environ["PORT"])
+except:
+    port = 5300
+
+query4_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+query4_socket.bind((ip4, port))
+
+havev6 = True
+try:
+    query6_socket = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
+    try:
+        query6_socket.bind((ip6, port))
+    except:
+        query6_socket.close()
+        havev6 = False
+except:
+    havev6 = False
+
+signal.signal(signal.SIGTERM, sigterm)
+
+f = open("ans.pid", "w")
+pid = os.getpid()
+print(pid, file=f)
+f.close()
+
+running = True
+
+print("Listening on %s port %d" % (ip4, port))
+if havev6:
+    print("Listening on %s port %d" % (ip6, port))
+print("Ctrl-c to quit")
+
+if havev6:
+    input = [query4_socket, query6_socket]
+else:
+    input = [query4_socket]
+
+while running:
+    try:
+        inputready, outputready, exceptready = select.select(input, [], [])
+    except select.error as e:
+        break
+    except socket.error as e:
+        break
+    except KeyboardInterrupt:
+        break
+
+    for s in inputready:
+        if s == query4_socket or s == query6_socket:
+            print(
+                "Query received on %s" % (ip4 if s == query4_socket else ip6), end=" "
+            )
+            # Handle incoming queries
+            msg = s.recvfrom(65535)
+            rsp = create_response(msg[0])
+            if rsp:
+                print(dns.rcode.to_text(rsp.rcode()))
+                s.sendto(rsp.to_wire(), msg[1])
+            else:
+                print("NO RESPONSE")
+    if not running:
+        break
diff --git a/bin/tests/system/qmin/clean.sh b/bin/tests/system/qmin/clean.sh
new file mode 100644
index 0000000..172a423
--- /dev/null
+++ b/bin/tests/system/qmin/clean.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f ns*/named.conf
+rm -f */named.memstats
+rm -f */named.run
+rm -f dig.out.*
+rm -f ns*/named.lock
+rm -f ans*/query.log*
+rm -f query*.log
diff --git a/bin/tests/system/qmin/ns1/named.conf.in b/bin/tests/system/qmin/ns1/named.conf.in
new file mode 100644
index 0000000..e366cca
--- /dev/null
+++ b/bin/tests/system/qmin/ns1/named.conf.in
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	dnssec-validation no;
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
diff --git a/bin/tests/system/qmin/ns1/root.db b/bin/tests/system/qmin/ns1/root.db
new file mode 100644
index 0000000..325f607
--- /dev/null
+++ b/bin/tests/system/qmin/ns1/root.db
@@ -0,0 +1,41 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 20
+. 			IN SOA	wpk.isc.org. a.root.servers.nil. (
+				2000042100   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				2       	; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+ip6.arpa.		NS	ns2.good.
+
+good.			NS	ns2.good.
+ns2.good.		A	10.53.0.2
+
+bad.			NS	ns2.bad.
+ns2.bad.		A	10.53.0.2
+
+slow			NS	ns2.slow.
+ns2.slow.		A	10.53.0.2
+
+ugly.			NS	ns2.ugly.
+ns2.ugly.		A	10.53.0.2
+
+fwd.			NS	ns2.fwd.
+ns2.fwd.		A	10.53.0.2
+
+$TTL 2
+stale.			NS	ns2.stale.
+ns2.stale.		A	10.53.0.2
diff --git a/bin/tests/system/qmin/ns5/named.conf.in b/bin/tests/system/qmin/ns5/named.conf.in
new file mode 100644
index 0000000..7d9e9e6
--- /dev/null
+++ b/bin/tests/system/qmin/ns5/named.conf.in
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS5
+
+options {
+	query-source address 10.53.0.5;
+	notify-source 10.53.0.5;
+	transfer-source 10.53.0.5;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.5; };
+	listen-on-v6 { none; };
+	recursion yes;
+	qname-minimization disabled;
+	querylog yes;
+	resolver-query-timeout 30;
+	dnssec-validation no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
diff --git a/bin/tests/system/qmin/ns6/named.conf.in b/bin/tests/system/qmin/ns6/named.conf.in
new file mode 100644
index 0000000..36651f2
--- /dev/null
+++ b/bin/tests/system/qmin/ns6/named.conf.in
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS6
+
+options {
+	query-source address 10.53.0.6;
+	notify-source 10.53.0.6;
+	transfer-source 10.53.0.6;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.6; };
+	listen-on-v6 { none; };
+	recursion yes;
+	qname-minimization strict;
+	querylog yes;
+	resolver-query-timeout 30;
+	dnssec-validation no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
diff --git a/bin/tests/system/qmin/ns7/named.conf.in b/bin/tests/system/qmin/ns7/named.conf.in
new file mode 100644
index 0000000..32b8b48
--- /dev/null
+++ b/bin/tests/system/qmin/ns7/named.conf.in
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS7
+
+options {
+	query-source address 10.53.0.7;
+	notify-source 10.53.0.7;
+	transfer-source 10.53.0.7;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.7; };
+	listen-on-v6 { none; };
+	recursion yes;
+	qname-minimization relaxed;
+	querylog yes;
+	resolver-query-timeout 30;
+	dnssec-validation no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "fwd." IN {
+	type forward;
+	forwarders {
+		10.53.0.2;
+	};
+	forward only;
+};
diff --git a/bin/tests/system/qmin/prereq.sh b/bin/tests/system/qmin/prereq.sh
new file mode 100644
index 0000000..aa97ae2
--- /dev/null
+++ b/bin/tests/system/qmin/prereq.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if test -n "$PYTHON"
+then
+    if $PYTHON -c "import dns" 2> /dev/null
+    then
+        :
+    else
+        echo_i "This test requires the dnspython module." >&2
+        exit 1
+    fi
+else
+    echo_i "This test requires Python and the dnspython module." >&2
+    exit 1
+fi
+
+exit 0
diff --git a/bin/tests/system/qmin/setup.sh b/bin/tests/system/qmin/setup.sh
new file mode 100644
index 0000000..8af413f
--- /dev/null
+++ b/bin/tests/system/qmin/setup.sh
@@ -0,0 +1,20 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+copy_setports ns6/named.conf.in ns6/named.conf
+copy_setports ns7/named.conf.in ns7/named.conf
diff --git a/bin/tests/system/qmin/tests.sh b/bin/tests/system/qmin/tests.sh
new file mode 100755
index 0000000..728d535
--- /dev/null
+++ b/bin/tests/system/qmin/tests.sh
@@ -0,0 +1,541 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="-p ${PORT}"
+RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
+CLEANQL="rm -f ans*/query.log"
+status=0
+n=0
+
+n=$((n+1))
+echo_i "query for .good is not minimized when qname-minimization is off ($n)"
+ret=0
+$CLEANQL
+$RNDCCMD 10.53.0.5 flush
+$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.good. @10.53.0.5 > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "icky.icky.icky.ptang.zoop.boing.good. 1	IN A	192.0.2.1" dig.out.test$n > /dev/null || ret=1
+sleep 1
+cat << __EOF | $DIFF ans2/query.log - > /dev/null || ret=1
+ADDR icky.icky.icky.ptang.zoop.boing.good.
+ADDR ns3.good.
+ADDR ns3.good.
+ADDR a.bit.longer.ns.name.good.
+ADDR a.bit.longer.ns.name.good.
+__EOF
+echo "ADDR icky.icky.icky.ptang.zoop.boing.good." | $DIFF ans3/query.log - > /dev/null || ret=1
+echo "ADDR icky.icky.icky.ptang.zoop.boing.good." | $DIFF ans4/query.log - > /dev/null || ret=1
+for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "query for .bad is not minimized when qname-minimization is off ($n)"
+ret=0
+$CLEANQL
+$RNDCCMD 10.53.0.5 flush
+$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.bad. @10.53.0.5 > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "icky.icky.icky.ptang.zoop.boing.bad. 1 IN A	192.0.2.1" dig.out.test$n > /dev/null || ret=1
+sleep 1
+cat << __EOF | $DIFF ans2/query.log - > /dev/null || ret=1
+ADDR icky.icky.icky.ptang.zoop.boing.bad.
+ADDR ns3.bad.
+ADDR ns3.bad.
+ADDR a.bit.longer.ns.name.bad.
+ADDR a.bit.longer.ns.name.bad.
+__EOF
+echo "ADDR icky.icky.icky.ptang.zoop.boing.bad." | $DIFF ans3/query.log - > /dev/null || ret=1
+echo "ADDR icky.icky.icky.ptang.zoop.boing.bad." | $DIFF ans4/query.log - > /dev/null || ret=1
+for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "query for .slow is not minimized when qname-minimization is off ($n)"
+ret=0
+$CLEANQL
+$RNDCCMD 10.53.0.5 flush
+$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.slow. @10.53.0.5 > dig.out.test$n
+sleep 5
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "icky.icky.icky.ptang.zoop.boing.slow. 1	IN A	192.0.2.1" dig.out.test$n > /dev/null || ret=1
+sleep 1
+cat << __EOF | $DIFF ans2/query.log - > /dev/null || ret=1
+ADDR icky.icky.icky.ptang.zoop.boing.slow.
+ADDR ns3.slow.
+ADDR ns3.slow.
+ADDR a.bit.longer.ns.name.slow.
+ADDR a.bit.longer.ns.name.slow.
+__EOF
+echo "ADDR icky.icky.icky.ptang.zoop.boing.slow." | $DIFF ans3/query.log - > /dev/null || ret=1
+echo "ADDR icky.icky.icky.ptang.zoop.boing.slow." | $DIFF ans4/query.log - > /dev/null || ret=1
+for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "query for .ugly is not minimized when qname-minimization is off ($n)"
+ret=0
+$CLEANQL
+$RNDCCMD 10.53.0.5 flush
+$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.ugly. @10.53.0.5 > dig.out.test$n
+sleep 5
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "icky.icky.icky.ptang.zoop.boing.ugly. 1	IN A	192.0.2.1" dig.out.test$n > /dev/null || ret=1
+sleep 1
+cat << __EOF | $DIFF ans2/query.log - > /dev/null || ret=1
+ADDR icky.icky.icky.ptang.zoop.boing.ugly.
+ADDR ns3.ugly.
+ADDR ns3.ugly.
+ADDR a.bit.longer.ns.name.ugly.
+ADDR a.bit.longer.ns.name.ugly.
+__EOF
+echo "ADDR icky.icky.icky.ptang.zoop.boing.ugly." | $DIFF ans3/query.log - > /dev/null || ret=1
+echo "ADDR icky.icky.icky.ptang.zoop.boing.ugly." | $DIFF ans4/query.log - > /dev/null || ret=1
+for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "query for .good is properly minimized when qname-minimization is in strict mode ($n)"
+ret=0
+$CLEANQL
+$RNDCCMD 10.53.0.6 flush
+$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.good. @10.53.0.6 > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "icky.icky.icky.ptang.zoop.boing.good. 1	IN A	192.0.2.1" dig.out.test$n > /dev/null || ret=1
+sleep 1
+sort ans2/query.log > ans2/query.log.sorted
+cat << __EOF | $DIFF ans2/query.log.sorted - > /dev/null || ret=1
+ADDR a.bit.longer.ns.name.good.
+ADDR a.bit.longer.ns.name.good.
+ADDR ns2.good.
+ADDR ns3.good.
+ADDR ns3.good.
+NS boing.good.
+NS good.
+NS zoop.boing.good.
+__EOF
+cat << __EOF | $DIFF ans3/query.log - > /dev/null || ret=1
+NS zoop.boing.good.
+NS ptang.zoop.boing.good.
+NS icky.ptang.zoop.boing.good.
+__EOF
+cat << __EOF | $DIFF ans4/query.log - > /dev/null || ret=1
+NS icky.ptang.zoop.boing.good.
+NS icky.icky.ptang.zoop.boing.good.
+ADDR icky.icky.icky.ptang.zoop.boing.good.
+__EOF
+for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "query for .good is properly minimized when qname-minimization is in relaxed mode ($n)"
+ret=0
+$CLEANQL
+$RNDCCMD 10.53.0.7 flush
+$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.good. @10.53.0.7 > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "icky.icky.icky.ptang.zoop.boing.good. 1	IN A	192.0.2.1" dig.out.test$n > /dev/null || ret=1
+sleep 1
+sort ans2/query.log > ans2/query.log.sorted
+cat << __EOF | $DIFF ans2/query.log.sorted - > /dev/null || ret=1
+ADDR _.boing.good.
+ADDR _.zoop.boing.good.
+ADDR a.bit.longer.ns.name.good.
+ADDR a.bit.longer.ns.name.good.
+ADDR ns2.good.
+ADDR ns3.good.
+ADDR ns3.good.
+__EOF
+cat << __EOF | $DIFF ans3/query.log - > /dev/null || ret=1
+ADDR _.ptang.zoop.boing.good.
+ADDR _.icky.ptang.zoop.boing.good.
+__EOF
+cat << __EOF | $DIFF ans4/query.log - > /dev/null || ret=1
+ADDR _.icky.icky.ptang.zoop.boing.good.
+ADDR icky.icky.icky.ptang.zoop.boing.good.
+__EOF
+for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "query for .bad fails when qname-minimization is in strict mode ($n)"
+ret=0
+$CLEANQL
+$RNDCCMD 10.53.0.6 flush
+$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.bad. @10.53.0.6 > dig.out.test$n
+grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1
+sleep 1
+sort ans2/query.log > ans2/query.log.sorted
+cat << __EOF | $DIFF ans2/query.log.sorted - > /dev/null || ret=1
+ADDR ns2.bad.
+NS bad.
+NS boing.bad.
+__EOF
+for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "query for .bad succeeds when qname-minimization is in relaxed mode ($n)"
+ret=0
+$CLEANQL
+$RNDCCMD 10.53.0.7 flush
+$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.bad. @10.53.0.7 > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "icky.icky.icky.ptang.zoop.boing.bad. 1 IN A	192.0.2.1" dig.out.test$n > /dev/null || ret=1
+sleep 1
+sort ans2/query.log > ans2/query.log.sorted
+cat << __EOF | $DIFF ans2/query.log.sorted - > /dev/null || ret=1
+ADDR _.boing.bad.
+ADDR _.zoop.boing.bad.
+ADDR a.bit.longer.ns.name.bad.
+ADDR a.bit.longer.ns.name.bad.
+ADDR ns2.bad.
+ADDR ns3.bad.
+ADDR ns3.bad.
+__EOF
+cat << __EOF | $DIFF ans3/query.log - > /dev/null || ret=1
+ADDR _.ptang.zoop.boing.bad.
+ADDR _.icky.ptang.zoop.boing.bad.
+__EOF
+cat << __EOF | $DIFF ans4/query.log - > /dev/null || ret=1
+ADDR _.icky.icky.ptang.zoop.boing.bad.
+ADDR icky.icky.icky.ptang.zoop.boing.bad.
+__EOF
+for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "query for .ugly fails when qname-minimization is in strict mode ($n)"
+ret=0
+$CLEANQL
+$RNDCCMD 10.53.0.6 flush
+$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.ugly. @10.53.0.6 > dig.out.test$n
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+sleep 1
+sort ans2/query.log > ans2/query.log.sorted
+cat << __EOF | $DIFF ans2/query.log.sorted - > /dev/null || ret=1
+ADDR ns2.ugly.
+NS boing.ugly.
+NS boing.ugly.
+NS ugly.
+__EOF
+for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+$RNDCCMD 10.53.0.6 flush
+
+n=$((n+1))
+echo_i "query for .ugly succeeds when qname-minimization is in relaxed mode ($n)"
+ret=0
+$CLEANQL
+$RNDCCMD 10.53.0.7 flush
+$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.ugly. @10.53.0.7 > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "icky.icky.icky.ptang.zoop.boing.ugly. 1	IN A	192.0.2.1" dig.out.test$n > /dev/null || ret=1
+sleep 1
+
+sort ans2/query.log > ans2/query.log.sorted
+cat << __EOF | $DIFF ans2/query.log.sorted - > /dev/null || ret=1
+ADDR _.boing.ugly.
+ADDR _.boing.ugly.
+ADDR a.bit.longer.ns.name.ugly.
+ADDR a.bit.longer.ns.name.ugly.
+ADDR icky.icky.icky.ptang.zoop.boing.ugly.
+ADDR ns2.ugly.
+ADDR ns3.ugly.
+ADDR ns3.ugly.
+__EOF
+echo "ADDR icky.icky.icky.ptang.zoop.boing.ugly." | $DIFF ans3/query.log - > /dev/null || ret=1
+echo "ADDR icky.icky.icky.ptang.zoop.boing.ugly." | $DIFF ans4/query.log - > /dev/null || ret=1
+for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+$RNDCCMD 10.53.0.7 flush
+
+n=$((n+1))
+echo_i "information that minimization was unsuccessful for .ugly is logged ($n)"
+ret=0
+grep "success resolving 'icky.icky.icky.ptang.zoop.boing.ugly/A' after disabling qname minimization due to 'FORMERR'" ns7/named.run > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "query for .slow is properly minimized when qname-minimization is on ($n)"
+ret=0
+$CLEANQL
+$RNDCCMD 10.53.0.6 flush
+$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.slow. @10.53.0.6 > dig.out.test$n
+sleep 5
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "icky.icky.icky.ptang.zoop.boing.slow. 1	IN A	192.0.2.1" dig.out.test$n > /dev/null || ret=1
+sort ans2/query.log > ans2/query.log.sorted
+cat << __EOF | $DIFF ans2/query.log.sorted - > /dev/null || ret=1
+ADDR a.bit.longer.ns.name.slow.
+ADDR a.bit.longer.ns.name.slow.
+ADDR ns2.slow.
+ADDR ns3.slow.
+ADDR ns3.slow.
+NS boing.slow.
+NS slow.
+NS zoop.boing.slow.
+__EOF
+cat << __EOF | $DIFF ans3/query.log - > /dev/null || ret=1
+NS zoop.boing.slow.
+NS ptang.zoop.boing.slow.
+NS icky.ptang.zoop.boing.slow.
+__EOF
+cat << __EOF | $DIFF ans4/query.log - > /dev/null || ret=1
+NS icky.ptang.zoop.boing.slow.
+NS icky.icky.ptang.zoop.boing.slow.
+ADDR icky.icky.icky.ptang.zoop.boing.slow.
+__EOF
+for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "query for .ip6.arpa succeeds and skips on proper boundaries when qname-minimization is on ($n)"
+ret=0
+$CLEANQL
+$RNDCCMD 10.53.0.6 flush
+$DIG $DIGOPTS -x 2001:4f8::1 @10.53.0.6 > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.f.4.0.1.0.0.2.ip6.arpa. 1 IN PTR nee.com." dig.out.test$n > /dev/null || ret=1
+sleep 1
+grep -v ADDR ans2/query.log > ans2/query.log.trimmed
+cat << __EOF | $DIFF ans2/query.log.trimmed - > /dev/null || ret=1
+NS 1.0.0.2.ip6.arpa.
+NS 8.f.4.0.1.0.0.2.ip6.arpa.
+NS 0.0.0.0.8.f.4.0.1.0.0.2.ip6.arpa.
+NS 0.0.0.0.0.0.8.f.4.0.1.0.0.2.ip6.arpa.
+NS 0.0.0.0.0.0.0.0.8.f.4.0.1.0.0.2.ip6.arpa.
+PTR 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.f.4.0.1.0.0.2.ip6.arpa.
+__EOF
+for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "query for multiple label name skips after 7th label ($n)"
+ret=0
+$CLEANQL
+$RNDCCMD 10.53.0.6 flush
+$DIG $DIGOPTS more.icky.icky.icky.ptang.zoop.boing.good. @10.53.0.6 > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "more.icky.icky.icky.ptang.zoop.boing.good. 1 IN	A 192.0.2.2" dig.out.test$n > /dev/null || ret=1
+sleep 1
+sort ans2/query.log > ans2/query.log.sorted
+cat << __EOF | $DIFF ans2/query.log.sorted - > /dev/null || ret=1
+ADDR a.bit.longer.ns.name.good.
+ADDR a.bit.longer.ns.name.good.
+ADDR ns2.good.
+ADDR ns3.good.
+ADDR ns3.good.
+NS boing.good.
+NS good.
+NS zoop.boing.good.
+__EOF
+cat << __EOF | $DIFF ans3/query.log - > /dev/null || ret=1
+NS zoop.boing.good.
+NS ptang.zoop.boing.good.
+NS icky.ptang.zoop.boing.good.
+__EOF
+# There's no NS icky.icky.icky.ptang.zoop.boing.good. query - we skipped it.
+cat << __EOF | $DIFF ans4/query.log - > /dev/null || ret=1
+NS icky.ptang.zoop.boing.good.
+NS icky.icky.ptang.zoop.boing.good.
+ADDR more.icky.icky.icky.ptang.zoop.boing.good.
+__EOF
+for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "qname minimization is disabled when forwarding ($n)"
+ret=0
+$CLEANQL
+$RNDCCMD 10.53.0.7 flush
+$DIG $DIGOPTS a.bit.longer.ns.name.fwd. @10.53.0.7 > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "a.bit.longer.ns.name.fwd. 1	IN	A	10.53.0.4" dig.out.test$n >/dev/null || ret=1
+sleep 1
+cat << __EOF | $DIFF ans2/query.log - > /dev/null || ret=1
+ADDR a.bit.longer.ns.name.fwd.
+__EOF
+for ans in ans2; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "qname minimization resolves unusual ip6.arpa. names ($n)"
+ret=0
+$CLEANQL
+$DIG $DIGOPTS test1.test2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.0.9.4.1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa. txt @10.53.0.7 > dig.out.test$n 2>&1
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+# Expected output in dig.out.test$n:
+# ;; ANSWER SECTION:
+# test1.test2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.0.9.4.1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa. 1 IN TXT "long_ip6_name"
+grep 'ip6\.arpa.*TXT.*long_ip6_name' dig.out.test$n > /dev/null || ret=1
+for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Below are test cases for GL #2665: The QNAME minimization (if enabled) should
+# also occur on the second query, after the RRsets have expired from cache.
+# BIND will still have the entries in cache, but marked stale. These stale
+# entries should not prevent the resolver from minimizing the QNAME.
+# We query for the test domain a.b.stale. in all cases (QNAME minimization off,
+# strict mode, and relaxed mode) and expect it to behave the same the second
+# time when we have a stale delegation structure in cache.
+n=$((n+1))
+echo_i "query for .stale is not minimized when qname-minimization is off ($n)"
+ret=0
+$CLEANQL
+$RNDCCMD 10.53.0.5 flush
+$DIG $DIGOPTS @10.53.0.5 txt a.b.stale. > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "a\.b\.stale\..*1.*IN.*TXT.*peekaboo" dig.out.test$n > /dev/null || ret=1
+sleep 1
+echo "TXT a.b.stale." | $DIFF ans2/query.log - > /dev/null || ret=1
+echo "TXT a.b.stale." | $DIFF ans3/query.log - > /dev/null || ret=1
+test -f  ans4/query.log && ret=1
+for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "query for .stale is properly minimized when qname-minimization is in strict mode ($n)"
+ret=0
+$CLEANQL
+$RNDCCMD 10.53.0.6 flush
+$DIG $DIGOPTS @10.53.0.6 txt a.b.stale. > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "a\.b\.stale\..*1.*IN.*TXT.*hooray" dig.out.test$n > /dev/null || ret=1
+sleep 1
+sort ans2/query.log > ans2/query.log.sorted
+cat << __EOF | $DIFF ans2/query.log.sorted - > /dev/null || ret=1
+ADDR ns.b.stale.
+ADDR ns2.stale.
+NS b.stale.
+NS stale.
+__EOF
+test -f  ans3/query.log && ret=1
+sort ans4/query.log > ans4/query.log.sorted
+cat << __EOF | $DIFF ans4/query.log.sorted - > /dev/null || ret=1
+ADDR ns.b.stale.
+NS b.stale.
+TXT a.b.stale.
+__EOF
+for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "query for .stale is properly minimized when qname-minimization is in relaxed mode ($n)"
+ret=0
+$CLEANQL
+$RNDCCMD 10.53.0.7 flush
+$DIG $DIGOPTS @10.53.0.7 txt a.b.stale. > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "a\.b\.stale\..*1.*IN.*TXT.*hooray" dig.out.test$n > /dev/null || ret=1
+sleep 1
+sort ans2/query.log > ans2/query.log.sorted
+cat << __EOF | $DIFF ans2/query.log.sorted - > /dev/null || ret=1
+ADDR _.b.stale.
+ADDR ns.b.stale.
+ADDR ns2.stale.
+__EOF
+test -f  ans3/query.log && ret=1
+sort ans4/query.log > ans4/query.log.sorted
+cat << __EOF | $DIFF ans4/query.log.sorted - > /dev/null || ret=1
+ADDR ns.b.stale.
+TXT a.b.stale.
+__EOF
+for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "sleep 2, allow entries in cache to go stale"
+sleep 2
+
+n=$((n+1))
+echo_i "query for .stale is not minimized when qname-minimization is off (stale cache) ($n)"
+ret=0
+$CLEANQL
+$DIG $DIGOPTS @10.53.0.5 txt a.b.stale. > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "a\.b\.stale\..*1.*IN.*TXT.*peekaboo" dig.out.test$n > /dev/null || ret=1
+sleep 1
+echo "TXT a.b.stale." | $DIFF ans2/query.log - > /dev/null || ret=1
+echo "TXT a.b.stale." | $DIFF ans3/query.log - > /dev/null || ret=1
+test -f  ans4/query.log && ret=1
+for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "query for .stale is properly minimized when qname-minimization is in strict mode (stale cache) ($n)"
+ret=0
+$CLEANQL
+$DIG $DIGOPTS @10.53.0.6 txt a.b.stale. > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "a\.b\.stale\..*1.*IN.*TXT.*hooray" dig.out.test$n > /dev/null || ret=1
+sleep 1
+sort ans2/query.log > ans2/query.log.sorted
+cat << __EOF | $DIFF ans2/query.log.sorted - > /dev/null || ret=1
+NS b.stale.
+NS stale.
+__EOF
+test -f  ans3/query.log && ret=1
+sort ans4/query.log > ans4/query.log.sorted
+cat << __EOF | $DIFF ans4/query.log.sorted - > /dev/null || ret=1
+NS b.stale.
+TXT a.b.stale.
+__EOF
+for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "query for .stale is properly minimized when qname-minimization is in relaxed mode (stale cache) ($n)"
+ret=0
+$CLEANQL
+$DIG $DIGOPTS @10.53.0.7 txt a.b.stale. > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "a\.b\.stale\..*1.*IN.*TXT.*hooray" dig.out.test$n > /dev/null || ret=1
+sleep 1
+sort ans2/query.log > ans2/query.log.sorted
+cat << __EOF | $DIFF ans2/query.log.sorted - > /dev/null || ret=1
+ADDR _.b.stale.
+__EOF
+test -f  ans3/query.log && ret=1
+sort ans4/query.log > ans4/query.log.sorted
+cat << __EOF | $DIFF ans4/query.log.sorted - > /dev/null || ret=1
+TXT a.b.stale.
+__EOF
+for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/reclimit/README b/bin/tests/system/reclimit/README
new file mode 100644
index 0000000..e474907
--- /dev/null
+++ b/bin/tests/system/reclimit/README
@@ -0,0 +1,19 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0.  If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+
+system test for recursion limits
+
+ns1  -- root server
+ans2 -- for example.org: delegate to ns1.(n+1).example.org for all n, up to the
+                         value specified in ans.limit (or forever if limit is 0)
+ns3  -- resolver under test
+ans4 -- for ns*.example.com: return address records.
+ans7 -- "victim" server
diff --git a/bin/tests/system/reclimit/ans2/ans.pl b/bin/tests/system/reclimit/ans2/ans.pl
new file mode 100644
index 0000000..4576951
--- /dev/null
+++ b/bin/tests/system/reclimit/ans2/ans.pl
@@ -0,0 +1,235 @@
+#!/usr/bin/env perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+use strict;
+use warnings;
+
+use IO::File;
+use IO::Socket;
+use Net::DNS;
+
+my $localaddr = "10.53.0.2";
+my $limit = getlimit();
+my $no_more_waiting = 0;
+my @delayed_response;
+my $timeout;
+
+my $localport = int($ENV{'PORT'});
+if (!$localport) { $localport = 5300; }
+
+my $udpsock = IO::Socket::INET->new(LocalAddr => "$localaddr",
+   LocalPort => $localport, Proto => "udp", Reuse => 1) or die "$!";
+
+my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
+print $pidf "$$\n" or die "cannot write pid file: $!";
+$pidf->close or die "cannot close pid file: $!";
+sub rmpid { unlink "ans.pid"; exit 1; };
+
+$SIG{INT} = \&rmpid;
+$SIG{TERM} = \&rmpid;
+
+my $count = 0;
+my $send_response = 0;
+
+sub getlimit {
+    if ( -e "ans.limit") {
+	open(FH, "<", "ans.limit");
+	my $line = <FH>;
+	chomp $line;
+	close FH;
+	if ($line =~ /^\d+$/) {
+	    return $line;
+	}
+    }
+
+    return 0;
+}
+
+# If $wait == 0 is returned, returned reply will be sent immediately.
+# If $wait == 1 is returned, sending the returned reply might be delayed; see
+# comments inside handle_UDP() for details.
+sub reply_handler {
+    my ($qname, $qclass, $qtype) = @_;
+    my ($rcode, @ans, @auth, @add, $wait);
+
+    print ("request: $qname/$qtype\n");
+    STDOUT->flush();
+
+    $wait = 0;
+    $count += 1;
+
+    if ($qname eq "count" ) {
+	if ($qtype eq "TXT") {
+	    my ($ttl, $rdata) = (0, "$count");
+	    my $rr = new Net::DNS::RR("$qname $ttl $qclass $qtype $rdata");
+	    push @ans, $rr;
+	    print ("\tcount: $count\n");
+	}
+	$rcode = "NOERROR";
+    } elsif ($qname eq "reset" ) {
+	$count = 0;
+	$send_response = 0;
+	$limit = getlimit();
+	$rcode = "NOERROR";
+	print ("\tlimit: $limit\n");
+    } elsif ($qname eq "direct.example.org" ) {
+	if ($qtype eq "A") {
+	    my ($ttl, $rdata) = (3600, $localaddr);
+	    my $rr = new Net::DNS::RR("$qname $ttl $qclass $qtype $rdata");
+	    push @ans, $rr;
+	}
+	$rcode = "NOERROR";
+    } elsif ($qname eq "indirect1.example.org" ||
+	     $qname eq "indirect2.example.org" ||
+	     $qname eq "indirect3.example.org" ||
+	     $qname eq "indirect4.example.org" ||
+	     $qname eq "indirect5.example.org" ||
+	     $qname eq "indirect6.example.org" ||
+	     $qname eq "indirect7.example.org" ||
+	     $qname eq "indirect8.example.org") {
+	if (! $send_response) {
+	    my $rr = new Net::DNS::RR("$qname 86400 $qclass NS ns1.1.example.org");
+	    push @auth, $rr;
+	} elsif ($qtype eq "A") {
+	    my ($ttl, $rdata) = (3600, $localaddr);
+	    my $rr = new Net::DNS::RR("$qname $ttl $qclass $qtype $rdata");
+	    push @ans, $rr;
+	}
+	$rcode = "NOERROR";
+    } elsif ($qname =~ /^ns1\.(\d+)\.example\.org$/) {
+	my $next = $1 + 1;
+	$wait = 1;
+	if ($limit == 0 || (! $send_response && $next <= $limit)) {
+	    my $rr = new Net::DNS::RR("$1.example.org 86400 $qclass NS ns1.$next.example.org");
+	    push @auth, $rr;
+	} else {
+	    $send_response = 1;
+	    if ($qtype eq "A") {
+		my ($ttl, $rdata) = (3600, "10.53.0.4");
+		my $rr = new Net::DNS::RR("$qname $ttl $qclass $qtype $rdata");
+		print("\tresponse: $qname $ttl $qclass $qtype $rdata\n");
+		push @ans, $rr;
+	    }
+	}
+	$rcode = "NOERROR";
+    } elsif ($qname eq "direct.example.net" ) {
+	if ($qtype eq "A") {
+	    my ($ttl, $rdata) = (3600, $localaddr);
+	    my $rr = new Net::DNS::RR("$qname $ttl $qclass $qtype $rdata");
+	    push @ans, $rr;
+	}
+	$rcode = "NOERROR";
+    } elsif( $qname =~ /^ns1\.(\d+)\.example\.net$/ ) {
+	my $next = ($1 + 1) * 16;
+	for (my $i = 1; $i < 16; $i++) {
+	    my $s = $next + $i;
+	    my $rr = new Net::DNS::RR("$1.example.net 86400 $qclass NS ns1.$s.example.net");
+	    push @auth, $rr;
+	    $rr = new Net::DNS::RR("ns1.$s.example.net 86400 $qclass A 10.53.0.7");
+	    push @add, $rr;
+	}
+	$rcode = "NOERROR";
+    } else {
+	$rcode = "NXDOMAIN";
+    }
+
+    return ($rcode, \@ans, \@auth, \@add, $wait);
+}
+
+sub handleUDP {
+	my ($buf, $peer) = @_;
+	my ($request, $rcode, $ans, $auth, $add, $wait);
+
+	$request = new Net::DNS::Packet(\$buf, 0);
+	$@ and die $@;
+
+	my ($question) = $request->question;
+	my $qname = $question->qname;
+	my $qclass = $question->qclass;
+	my $qtype = $question->qtype;
+
+	($rcode, $ans, $auth, $add, $wait) = reply_handler($qname, $qclass, $qtype);
+
+	my $reply = $request->reply();
+
+	$reply->header->rcode($rcode);
+	$reply->header->aa(@$ans ? 1 : 0);
+	$reply->header->id($request->header->id);
+	$reply->{answer} = $ans if $ans;
+	$reply->{authority} = $auth if $auth;
+	$reply->{additional} = $add if $add;
+
+	if ($wait) {
+		# reply_handler() asked us to delay sending this reply until
+		# another reply with $wait == 1 is generated or a timeout
+		# occurs.
+		if (@delayed_response) {
+			# A delayed reply is already queued, so we can now send
+			# both the delayed reply and the current reply.
+			send_delayed_response();
+			return $reply;
+		} elsif ($no_more_waiting) {
+			# It was determined before that there is no point in
+			# waiting for "accompanying" queries.  Thus, send the
+			# current reply immediately.
+			return $reply;
+		} else {
+			# No delayed reply is queued and the client is expected
+			# to send an "accompanying" query shortly.  Do not send
+			# the current reply right now, just save it for later
+			# and wait for an "accompanying" query to be received.
+			@delayed_response = ($reply, $peer);
+			$timeout = 0.5;
+			return;
+		}
+	} else {
+		# Send reply immediately.
+		return $reply;
+	}
+}
+
+sub send_delayed_response {
+	my ($reply, $peer) = @delayed_response;
+	# Truncation to 512 bytes is required for triggering "NS explosion" on
+	# builds without IPv6 support
+	$udpsock->send($reply->data(512), 0, $peer);
+	undef @delayed_response;
+	undef $timeout;
+}
+
+# Main
+my $rin;
+my $rout;
+for (;;) {
+	$rin = '';
+	vec($rin, fileno($udpsock), 1) = 1;
+
+	select($rout = $rin, undef, undef, $timeout);
+
+	if (vec($rout, fileno($udpsock), 1)) {
+		my ($buf, $peer, $reply);
+		$udpsock->recv($buf, 512);
+		$peer = $udpsock->peername();
+		$reply = handleUDP($buf, $peer);
+		# Truncation to 512 bytes is required for triggering "NS
+		# explosion" on builds without IPv6 support
+		$udpsock->send($reply->data(512), 0, $peer) if $reply;
+	} else {
+		# An "accompanying" query was expected to come in, but did not.
+		# Assume the client never sends "accompanying" queries to
+		# prevent pointlessly waiting for them ever again.
+		$no_more_waiting = 1;
+		# Send the delayed reply to the query which caused us to wait.
+		send_delayed_response();
+	}
+}
diff --git a/bin/tests/system/reclimit/ans4/ans.pl b/bin/tests/system/reclimit/ans4/ans.pl
new file mode 100644
index 0000000..d5002aa
--- /dev/null
+++ b/bin/tests/system/reclimit/ans4/ans.pl
@@ -0,0 +1,240 @@
+#!/usr/bin/env perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+use strict;
+use warnings;
+
+use IO::File;
+use IO::Socket;
+use Net::DNS;
+
+my $localaddr = "10.53.0.4";
+my $limit = getlimit();
+my $no_more_waiting = 0;
+my @delayed_response;
+my $timeout;
+
+my $localport = int($ENV{'PORT'});
+if (!$localport) { $localport = 5300; }
+
+my $udpsock = IO::Socket::INET->new(LocalAddr => "$localaddr",
+   LocalPort => $localport, Proto => "udp", Reuse => 1) or die "$!";
+
+my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
+print $pidf "$$\n" or die "cannot write pid file: $!";
+$pidf->close or die "cannot close pid file: $!";
+sub rmpid { unlink "ans.pid"; exit 1; };
+
+$SIG{INT} = \&rmpid;
+$SIG{TERM} = \&rmpid;
+
+my $count = 0;
+my $send_response = 1;
+
+sub getlimit {
+    if ( -e "ans.limit") {
+	open(FH, "<", "ans.limit");
+	my $line = <FH>;
+	chomp $line;
+	close FH;
+	if ($line =~ /^\d+$/) {
+	    return $line;
+	}
+    }
+
+    return 0;
+}
+
+# If $wait == 0 is returned, returned reply will be sent immediately.
+# If $wait == 1 is returned, sending the returned reply might be delayed; see
+# comments inside handle_UDP() for details.
+sub reply_handler {
+    my ($qname, $qclass, $qtype) = @_;
+    my ($rcode, @ans, @auth, @add, $wait);
+
+    print ("request: $qname/$qtype\n");
+    STDOUT->flush();
+
+    $wait = 0;
+    $count += 1;
+
+    if ($qname eq "count" ) {
+	if ($qtype eq "TXT") {
+	    my ($ttl, $rdata) = (0, "$count");
+	    my $rr = new Net::DNS::RR("$qname $ttl $qclass $qtype $rdata");
+	    push @ans, $rr;
+	    print ("\tcount: $count\n");
+	}
+	$rcode = "NOERROR";
+    } elsif ($qname eq "reset" ) {
+	$count = 0;
+	$send_response = 1;
+	$limit = getlimit();
+	$rcode = "NOERROR";
+	print ("\tlimit: $limit\n");
+    } elsif ($qname eq "direct.example.org" ) {
+	if ($qtype eq "A") {
+	    my ($ttl, $rdata) = (3600, $localaddr);
+	    my $rr = new Net::DNS::RR("$qname $ttl $qclass $qtype $rdata");
+	    push @ans, $rr;
+	    print ("\twait=$wait ans: $qname $ttl $qclass $qtype $rdata\n");
+	}
+	$rcode = "NOERROR";
+    } elsif ($qname eq "indirect1.example.org" ||
+	     $qname eq "indirect2.example.org" ||
+	     $qname eq "indirect3.example.org" ||
+	     $qname eq "indirect4.example.org" ||
+	     $qname eq "indirect5.example.org" ||
+	     $qname eq "indirect6.example.org" ||
+	     $qname eq "indirect7.example.org" ||
+	     $qname eq "indirect8.example.org") {
+	if ($qtype eq "A") {
+	    my ($ttl, $rdata) = (3600, $localaddr);
+	    my $rr = new Net::DNS::RR("$qname $ttl $qclass $qtype $rdata");
+	    push @ans, $rr;
+	    print ("\twait=$wait ans: $qname $ttl $qclass $qtype $rdata\n");
+	}
+	$rcode = "NOERROR";
+    } elsif ($qname =~ /^ns1\.(\d+)\.example\.org$/) {
+	my $next = $1 + 1;
+	$wait = 1;
+	if ($limit == 0) {
+	    my $rr = new Net::DNS::RR("$1.example.org 86400 $qclass NS ns1.$next.example.org");
+	    push @auth, $rr;
+	    print ("\twait=$wait auth: $1.example.org 86400 $qclass NS ns1.$next.example.org\n");
+	} else {
+	    $send_response = 1;
+	    if ($qtype eq "A") {
+		my ($ttl, $rdata) = (3600, $localaddr);
+		my $rr = new Net::DNS::RR("$qname $ttl $qclass $qtype $rdata");
+		print("\tresponse: $qname $ttl $qclass $qtype $rdata\n");
+		push @ans, $rr;
+	    }
+	}
+	$rcode = "NOERROR";
+    } elsif ($qname eq "direct.example.net" ) {
+        if ($qtype eq "A") {
+            my ($ttl, $rdata) = (3600, $localaddr);
+            my $rr = new Net::DNS::RR("$qname $ttl $qclass $qtype $rdata");
+            push @ans, $rr;
+	    print ("\twait=$wait ans: $qname $ttl $qclass $qtype $rdata\n");
+        }
+        $rcode = "NOERROR";
+    } elsif( $qname =~ /^ns1\.(\d+)\.example\.net$/ ) {
+        my $next = ($1 + 1) * 16;
+        for (my $i = 1; $i < 16; $i++) {
+            my $s = $next + $i;
+            my $rr = new Net::DNS::RR("$1.example.net 86400 $qclass NS ns1.$s.example.net");
+            push @auth, $rr;
+	    print ("\twait=$wait auth: $1.example.net 86400 $qclass NS ns1.$s.example.net\n");
+            $rr = new Net::DNS::RR("ns1.$s.example.net 86400 $qclass A 10.53.0.7");
+	    print ("\twait=$wait add: ns1.$s.example.net 86400 $qclass A 10.53.0.7\n");
+            push @add, $rr;
+        }
+        $rcode = "NOERROR";
+    } else {
+	$rcode = "NXDOMAIN";
+	    print ("\twait=$wait NXDOMAIN\n");
+    }
+
+    return ($rcode, \@ans, \@auth, \@add, $wait);
+}
+
+sub handleUDP {
+	my ($buf, $peer) = @_;
+	my ($request, $rcode, $ans, $auth, $add, $wait);
+
+	$request = new Net::DNS::Packet(\$buf, 0);
+	$@ and die $@;
+
+	my ($question) = $request->question;
+	my $qname = $question->qname;
+	my $qclass = $question->qclass;
+	my $qtype = $question->qtype;
+
+	($rcode, $ans, $auth, $add, $wait) = reply_handler($qname, $qclass, $qtype);
+
+	my $reply = $request->reply();
+
+	$reply->header->rcode($rcode);
+	$reply->header->aa(@$ans ? 1 : 0);
+	$reply->header->id($request->header->id);
+	$reply->{answer} = $ans if $ans;
+	$reply->{authority} = $auth if $auth;
+	$reply->{additional} = $add if $add;
+
+	if ($wait) {
+		# reply_handler() asked us to delay sending this reply until
+		# another reply with $wait == 1 is generated or a timeout
+		# occurs.
+		if (@delayed_response) {
+			# A delayed reply is already queued, so we can now send
+			# both the delayed reply and the current reply.
+			send_delayed_response();
+			return $reply;
+		} elsif ($no_more_waiting) {
+			# It was determined before that there is no point in
+			# waiting for "accompanying" queries.  Thus, send the
+			# current reply immediately.
+			return $reply;
+		} else {
+			# No delayed reply is queued and the client is expected
+			# to send an "accompanying" query shortly.  Do not send
+			# the current reply right now, just save it for later
+			# and wait for an "accompanying" query to be received.
+			@delayed_response = ($reply, $peer);
+			$timeout = 0.5;
+			return;
+		}
+	} else {
+		# Send reply immediately.
+		return $reply;
+	}
+}
+
+sub send_delayed_response {
+	my ($reply, $peer) = @delayed_response;
+	# Truncation to 512 bytes is required for triggering "NS explosion" on
+	# builds without IPv6 support
+	$udpsock->send($reply->data(512), 0, $peer);
+	undef @delayed_response;
+	undef $timeout;
+	print ("send_delayed_response\n");
+}
+
+# Main
+my $rin;
+my $rout;
+for (;;) {
+	$rin = '';
+	vec($rin, fileno($udpsock), 1) = 1;
+
+	select($rout = $rin, undef, undef, $timeout);
+
+	if (vec($rout, fileno($udpsock), 1)) {
+		my ($buf, $peer, $reply);
+		$udpsock->recv($buf, 512);
+		$peer = $udpsock->peername();
+		$reply = handleUDP($buf, $peer);
+		# Truncation to 512 bytes is required for triggering "NS
+		# explosion" on builds without IPv6 support
+		$udpsock->send($reply->data(512), 0, $peer) if $reply;
+	} else {
+		# An "accompanying" query was expected to come in, but did not.
+		# Assume the client never sends "accompanying" queries to
+		# prevent pointlessly waiting for them ever again.
+		$no_more_waiting = 1;
+		# Send the delayed reply to the query which caused us to wait.
+		send_delayed_response();
+	}
+}
diff --git a/bin/tests/system/reclimit/ans7/ans.pl b/bin/tests/system/reclimit/ans7/ans.pl
new file mode 100644
index 0000000..41a44a6
--- /dev/null
+++ b/bin/tests/system/reclimit/ans7/ans.pl
@@ -0,0 +1,76 @@
+#!/usr/bin/env perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+use strict;
+use warnings;
+
+use IO::File;
+use Getopt::Long;
+use Net::DNS::Nameserver;
+
+my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
+print $pidf "$$\n" or die "cannot write pid file: $!";
+$pidf->close or die "cannot close pid file: $!";
+sub rmpid { unlink "ans.pid"; exit 1; };
+
+$SIG{INT} = \&rmpid;
+$SIG{TERM} = \&rmpid;
+
+my $count = 0;
+
+my $localaddr = "10.53.0.7";
+my $localport = int($ENV{'PORT'});
+if (!$localport) { $localport = 5300; }
+my $verbose = 0;
+
+sub reply_handler {
+    my ($qname, $qclass, $qtype, $peerhost, $query, $conn) = @_;
+    my ($rcode, @ans, @auth, @add);
+
+    print ("request: $qname/$qtype\n");
+    STDOUT->flush();
+
+    $count += 1;
+
+    if ($qname eq "count" ) {
+        if ($qtype eq "TXT") {
+            my ($ttl, $rdata) = (0, "$count");
+            my $rr = new Net::DNS::RR("$qname $ttl $qclass $qtype $rdata");
+            push @ans, $rr;
+            print ("\tcount: $count\n");
+        }
+        $rcode = "NOERROR";
+    } elsif ($qname eq "reset") {
+        $count = 0;
+        $rcode = "NOERROR";
+    } else {
+        $rcode = "REFUSED";
+    }
+
+    # mark the answer as authoritative (by setting the 'aa' flag
+    return ($rcode, \@ans, \@auth, \@add, { aa => 1 });
+}
+
+GetOptions(
+    'port=i' => \$localport,
+    'verbose!' => \$verbose,
+);
+
+my $ns = Net::DNS::Nameserver->new(
+    LocalAddr => $localaddr,
+    LocalPort => $localport,
+    ReplyHandler => \&reply_handler,
+    Verbose => $verbose,
+);
+
+$ns->main_loop;
diff --git a/bin/tests/system/reclimit/clean.sh b/bin/tests/system/reclimit/clean.sh
new file mode 100644
index 0000000..0a92f90
--- /dev/null
+++ b/bin/tests/system/reclimit/clean.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f dig.out*
+rm -f ans?/ans.run
+rm -f ans2/ans.limit
+rm -f ans4/ans.limit
+rm -f ns?/named.memstats
+rm -f ns?/named.run
+rm -f ns*/named.conf
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/reclimit/ns1/named.conf.in b/bin/tests/system/reclimit/ns1/named.conf.in
new file mode 100644
index 0000000..63cb706
--- /dev/null
+++ b/bin/tests/system/reclimit/ns1/named.conf.in
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	directory ".";
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+};
+
+zone "." { type primary; file "root.db"; };
diff --git a/bin/tests/system/reclimit/ns1/root.db b/bin/tests/system/reclimit/ns1/root.db
new file mode 100644
index 0000000..412715c
--- /dev/null
+++ b/bin/tests/system/reclimit/ns1/root.db
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. 60 IN SOA ns.nil. hostmaster.ns.nil. 1 0 0 0 0
+. 60 IN NS ns.nil.
+ns.nil. 60 IN A 10.53.0.1
+ns.tld1. 60 IN A 10.53.0.1
+example.org. 60 IN NS direct.example.org.
+direct.example.org. 60 IN A 10.53.0.2
+example.net. 60 IN NS direct.example.net.
+direct.example.net. 60 IN A 10.53.0.2
+example.com. 60 IN NS direct.example.com.
+direct.example.com. 60 IN A 10.53.0.4
diff --git a/bin/tests/system/reclimit/ns3/hints.db b/bin/tests/system/reclimit/ns3/hints.db
new file mode 100644
index 0000000..c9264bf
--- /dev/null
+++ b/bin/tests/system/reclimit/ns3/hints.db
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. 60 IN NS ns.nil.
+ns.nil. 60 IN A 10.53.0.1
diff --git a/bin/tests/system/reclimit/ns3/named1.conf.in b/bin/tests/system/reclimit/ns3/named1.conf.in
new file mode 100644
index 0000000..3eaaf6a
--- /dev/null
+++ b/bin/tests/system/reclimit/ns3/named1.conf.in
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	directory ".";
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	servfail-ttl 0;
+	qname-minimization disabled;
+	max-recursion-depth 12;
+	recursion yes;
+	dnssec-validation yes;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." { type hint; file "hints.db"; };
diff --git a/bin/tests/system/reclimit/ns3/named2.conf.in b/bin/tests/system/reclimit/ns3/named2.conf.in
new file mode 100644
index 0000000..12bf35f
--- /dev/null
+++ b/bin/tests/system/reclimit/ns3/named2.conf.in
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	directory ".";
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	servfail-ttl 0;
+	qname-minimization disabled;
+	max-recursion-depth 5;
+	recursion yes;
+	dnssec-validation yes;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." { type hint; file "hints.db"; };
diff --git a/bin/tests/system/reclimit/ns3/named3.conf.in b/bin/tests/system/reclimit/ns3/named3.conf.in
new file mode 100644
index 0000000..0910f94
--- /dev/null
+++ b/bin/tests/system/reclimit/ns3/named3.conf.in
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	directory ".";
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	servfail-ttl 0;
+	qname-minimization disabled;
+	max-recursion-depth 100;
+	max-recursion-queries 50;
+	recursion yes;
+	dnssec-validation yes;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." { type hint; file "hints.db"; };
diff --git a/bin/tests/system/reclimit/ns3/named4.conf.in b/bin/tests/system/reclimit/ns3/named4.conf.in
new file mode 100644
index 0000000..84b5f4b
--- /dev/null
+++ b/bin/tests/system/reclimit/ns3/named4.conf.in
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	directory ".";
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	servfail-ttl 0;
+	qname-minimization disabled;
+	max-recursion-depth 100;
+	max-recursion-queries 40;
+	recursion yes;
+	dnssec-validation yes;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." { type hint; file "hints.db"; };
diff --git a/bin/tests/system/reclimit/prereq.sh b/bin/tests/system/reclimit/prereq.sh
new file mode 100644
index 0000000..8c587c3
--- /dev/null
+++ b/bin/tests/system/reclimit/prereq.sh
@@ -0,0 +1,37 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if $PERL -e 'use Net::DNS;' 2>/dev/null
+then
+    if $PERL -e 'use Net::DNS; die if ($Net::DNS::VERSION <= 0.78);' 2>/dev/null
+    then
+        :
+    else
+        echo_i "Net::DNS versions up to 0.78 have a bug that causes this test to fail: please update." >&2
+        exit 1
+    fi
+else
+    echo_i "This test requires the Net::DNS library." >&2
+    exit 1
+fi
+
+if $PERL -e 'use Net::DNS::Nameserver;' 2>/dev/null
+then
+    :
+else
+    echo_i "This test requires the Net::DNS::Nameserver library." >&2
+    exit 1
+fi
diff --git a/bin/tests/system/reclimit/setup.sh b/bin/tests/system/reclimit/setup.sh
new file mode 100644
index 0000000..5b39cdf
--- /dev/null
+++ b/bin/tests/system/reclimit/setup.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns3/named1.conf.in ns3/named.conf
diff --git a/bin/tests/system/reclimit/tests.sh b/bin/tests/system/reclimit/tests.sh
new file mode 100644
index 0000000..7fe8ee9
--- /dev/null
+++ b/bin/tests/system/reclimit/tests.sh
@@ -0,0 +1,211 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="-p ${PORT}"
+
+status=0
+n=0
+
+ns3_reset() {
+	copy_setports $1 ns3/named.conf
+	$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reconfig 2>&1 | sed 's/^/I:ns3 /'
+	$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush | sed 's/^/I:ns3 /'
+}
+
+ns3_sends_aaaa_queries() {
+	if grep "started AAAA fetch" ns3/named.run >/dev/null; then
+		return 0
+	else
+		return 1
+	fi
+}
+
+# Check whether the number of queries ans2 received from ns3 (this value is
+# read from dig output stored in file $1) is as expected.  The expected query
+# count is variable:
+#   - if ns3 sends AAAA queries, the query count should equal $2,
+#   - if ns3 does not send AAAA queries, the query count should equal $3.
+check_query_count() {
+	count1=`sed 's/[^0-9]//g;' $1`
+	count2=`sed 's/[^0-9]//g;' $2`
+	count=`expr $count1 + $count2`
+	#echo_i "count1=$count1 count2=$count2 count=$count"
+	expected_count_with_aaaa=$3
+	expected_count_without_aaaa=$4
+
+	if ns3_sends_aaaa_queries; then
+		expected_count=$expected_count_with_aaaa
+	else
+		expected_count=$expected_count_without_aaaa
+	fi
+
+	if [ $count -ne $expected_count ]; then
+		echo_i "count $count (actual) != $expected_count (expected)"
+		ret=1
+	fi
+}
+
+echo_i "set max-recursion-depth=12"
+
+n=`expr $n + 1`
+echo_i "attempt excessive-depth lookup ($n)"
+ret=0
+echo "1000" > ans2/ans.limit
+echo "1000" > ans4/ans.limit
+$DIG $DIGOPTS @10.53.0.2 reset > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.4 reset > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 indirect1.example.org > dig.out.1.test$n || ret=1
+grep "status: SERVFAIL" dig.out.1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +short @10.53.0.2 count txt > dig.out.2.test$n || ret=1
+$DIG $DIGOPTS +short @10.53.0.4 count txt > dig.out.4.test$n || ret=1
+check_query_count dig.out.2.test$n dig.out.4.test$n 27 14
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "attempt permissible lookup ($n)"
+ret=0
+echo "12" > ans2/ans.limit
+echo "12" > ans4/ans.limit
+ns3_reset ns3/named1.conf.in
+$DIG $DIGOPTS @10.53.0.2 reset > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.4 reset > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 indirect2.example.org > dig.out.1.test$n || ret=1
+grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +short @10.53.0.2 count txt > dig.out.2.test$n || ret=1
+$DIG $DIGOPTS +short @10.53.0.4 count txt > dig.out.4.test$n || ret=1
+check_query_count dig.out.2.test$n dig.out.4.test$n 50 26
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "set max-recursion-depth=5"
+
+n=`expr $n + 1`
+echo_i "attempt excessive-depth lookup ($n)"
+ret=0
+echo "12" > ans2/ans.limit
+ns3_reset ns3/named2.conf.in
+$DIG $DIGOPTS @10.53.0.2 reset > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.4 reset > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 indirect3.example.org > dig.out.1.test$n || ret=1
+grep "status: SERVFAIL" dig.out.1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +short @10.53.0.2 count txt > dig.out.2.test$n || ret=1
+$DIG $DIGOPTS +short @10.53.0.4 count txt > dig.out.4.test$n || ret=1
+check_query_count dig.out.2.test$n dig.out.4.test$n 13 7
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "attempt permissible lookup ($n)"
+ret=0
+echo "5" > ans2/ans.limit
+echo "5" > ans4/ans.limit
+ns3_reset ns3/named2.conf.in
+$DIG $DIGOPTS @10.53.0.2 reset > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.4 reset > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 indirect4.example.org > dig.out.1.test$n || ret=1
+grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +short @10.53.0.2 count txt > dig.out.2.test$n || ret=1
+$DIG $DIGOPTS +short @10.53.0.4 count txt > dig.out.4.test$n || ret=1
+check_query_count dig.out.2.test$n dig.out.4.test$n 22 12
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "set max-recursion-depth=100, max-recursion-queries=50"
+
+n=`expr $n + 1`
+echo_i "attempt excessive-queries lookup ($n)"
+ret=0
+echo "13" > ans2/ans.limit
+echo "13" > ans4/ans.limit
+ns3_reset ns3/named3.conf.in
+$DIG $DIGOPTS @10.53.0.2 reset > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.4 reset > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 indirect5.example.org > dig.out.1.test$n || ret=1
+if ns3_sends_aaaa_queries; then
+  grep "status: SERVFAIL" dig.out.1.test$n > /dev/null || ret=1
+fi
+$DIG $DIGOPTS +short @10.53.0.2 count txt > dig.out.2.test$n || ret=1
+$DIG $DIGOPTS +short @10.53.0.4 count txt > dig.out.4.test$n || ret=1
+eval count=`cat dig.out.2.test$n`
+[ $count -le 50 ] || { ret=1; echo_i "count ($count) !<= 50"; }
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "attempt permissible lookup ($n)"
+ret=0
+echo "12" > ans2/ans.limit
+ns3_reset ns3/named3.conf.in
+$DIG $DIGOPTS @10.53.0.2 reset > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 indirect6.example.org > dig.out.1.test$n || ret=1
+grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +short @10.53.0.2 count txt > dig.out.2.test$n || ret=1
+eval count=`cat dig.out.2.test$n`
+[ $count -le 50 ] || { ret=1; echo_i "count ($count) !<= 50"; }
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "set max-recursion-depth=100, max-recursion-queries=40"
+
+n=`expr $n + 1`
+echo_i "attempt excessive-queries lookup ($n)"
+ret=0
+echo "11" > ans2/ans.limit
+ns3_reset ns3/named4.conf.in
+$DIG $DIGOPTS @10.53.0.2 reset > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 indirect7.example.org > dig.out.1.test$n || ret=1
+if ns3_sends_aaaa_queries; then
+  grep "status: SERVFAIL" dig.out.1.test$n > /dev/null || ret=1
+fi
+$DIG $DIGOPTS +short @10.53.0.2 count txt > dig.out.2.test$n || ret=1
+eval count=`cat dig.out.2.test$n`
+[ $count -le 40 ] || { ret=1; echo_i "count ($count) !<= 40"; }
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "attempt permissible lookup ($n)"
+ret=0
+echo "9" > ans2/ans.limit
+ns3_reset ns3/named4.conf.in
+$DIG $DIGOPTS @10.53.0.2 reset > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 indirect8.example.org > dig.out.1.test$n || ret=1
+grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +short @10.53.0.2 count txt > dig.out.2.test$n || ret=1
+eval count=`cat dig.out.2.test$n`
+[ $count -le 40 ] || { ret=1; echo_i "count ($count) !<= 40"; }
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "attempting NS explosion ($n)"
+ret=0
+ns3_reset ns3/named4.conf.in
+$DIG $DIGOPTS @10.53.0.2 reset > /dev/null || ret=1
+$DIG $DIGOPTS +short @10.53.0.3 ns1.1.example.net > dig.out.1.test$n || ret=1
+$DIG $DIGOPTS +short @10.53.0.2 count txt > dig.out.2.test$n || ret=1
+eval count=`cat dig.out.2.test$n`
+[ $count -lt 50 ] || ret=1
+$DIG $DIGOPTS +short @10.53.0.7 count txt > dig.out.3.test$n || ret=1
+eval count=`cat dig.out.3.test$n`
+[ $count -lt 50 ] || { ret=1; echo_i "count ($count) !<= 50";  }
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+#grep "duplicate query" ns3/named.run
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/redirect/clean.sh b/bin/tests/system/redirect/clean.sh
new file mode 100644
index 0000000..9489c94
--- /dev/null
+++ b/bin/tests/system/redirect/clean.sh
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f */named.conf
+rm -f */named.memstats
+rm -f */named.run
+rm -f */named.stats
+rm -f dig.out.*
+rm -f ns*/named.lock
+rm -f ns1/K*
+rm -f ns1/dsset-nsec3.
+rm -f ns1/dsset-signed.
+rm -f ns1/nsec3.db*
+rm -f ns1/signed.db*
+rm -f ns2/*.db
+rm -f ns3/K*
+rm -f ns3/dsset-nsec3.
+rm -f ns3/dsset-signed.
+rm -f ns3/nsec3.db*
+rm -f ns3/signed.db*
+rm -f ns4/*.db
+rm -f ns5/dsset-*
+rm -f ns5/K* ns5/sign.ns5.*
+rm -f ns5/root.db ns5/root.db.signed
+rm -f ns5/signed.db ns5/signed.db.signed
+rm -f ns6/signed.db.signed
+rm -f rndc.out
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/redirect/conf/bad1.conf b/bin/tests/system/redirect/conf/bad1.conf
new file mode 100644
index 0000000..5ff4fee
--- /dev/null
+++ b/bin/tests/system/redirect/conf/bad1.conf
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "." {
+	type hint;
+	file "hint.db";
+};
+
+zone "." {
+	type redirect;
+	file "redirect.db";
+	allow-query { 10.0.1.0; };
+/* option 'forwarders' is not allowed in 'redirect' zone '.' */
+	forwarders { 1.2.3.4; };
+};
diff --git a/bin/tests/system/redirect/conf/bad2.conf b/bin/tests/system/redirect/conf/bad2.conf
new file mode 100644
index 0000000..0cf0a68
--- /dev/null
+++ b/bin/tests/system/redirect/conf/bad2.conf
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "." {
+	type hint;
+	file "hint.db";
+};
+
+zone "." {
+	type redirect;
+	file "redirect.db";
+	allow-query { 10.0.1.0; };
+/* option 'also-notify' is not allowed in 'redirect' zone '.' */
+	also-notify { 1.2.3.4; };
+};
diff --git a/bin/tests/system/redirect/conf/bad3.conf b/bin/tests/system/redirect/conf/bad3.conf
new file mode 100644
index 0000000..b034c5b
--- /dev/null
+++ b/bin/tests/system/redirect/conf/bad3.conf
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "." {
+	type hint;
+	file "hint.db";
+};
+
+/* redirect zones must be called "." */
+zone "x" {
+	type redirect;
+	file "redirect.db";
+	allow-query { 10.0.1.0; };
+};
diff --git a/bin/tests/system/redirect/conf/good1.conf b/bin/tests/system/redirect/conf/good1.conf
new file mode 100644
index 0000000..c5711e5
--- /dev/null
+++ b/bin/tests/system/redirect/conf/good1.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "." {
+	type hint;
+	file "hint.db";
+};
+
+zone "." {
+	type redirect;
+	file "redirect.db";
+};
diff --git a/bin/tests/system/redirect/conf/good2.conf b/bin/tests/system/redirect/conf/good2.conf
new file mode 100644
index 0000000..156995b
--- /dev/null
+++ b/bin/tests/system/redirect/conf/good2.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "." {
+	type master;
+	file "master.db";
+};
+
+zone "." {
+	type redirect;
+	file "redirect.db";
+};
diff --git a/bin/tests/system/redirect/conf/good3.conf b/bin/tests/system/redirect/conf/good3.conf
new file mode 100644
index 0000000..dcdd954
--- /dev/null
+++ b/bin/tests/system/redirect/conf/good3.conf
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "." {
+	type secondary;
+	file "sec.db";
+	primaries { 1.2.3.4; };
+};
+
+zone "." {
+	type redirect;
+	file "redirect.db";
+};
diff --git a/bin/tests/system/redirect/conf/good4.conf b/bin/tests/system/redirect/conf/good4.conf
new file mode 100644
index 0000000..e046577
--- /dev/null
+++ b/bin/tests/system/redirect/conf/good4.conf
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "." {
+	type hint;
+	file "hint.db";
+};
+
+zone "." {
+	type redirect;
+	file "redirect.db";
+	allow-query { 10.0.1.0; };
+};
diff --git a/bin/tests/system/redirect/ns1/example.db b/bin/tests/system/redirect/ns1/example.db
new file mode 100644
index 0000000..90c09d4
--- /dev/null
+++ b/bin/tests/system/redirect/ns1/example.db
@@ -0,0 +1,50 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL	3600
+@	SOA ns1 marka.isc.org. 0 0 0 0 1200
+@	NS ns1
+ns1	A	10.53.0.1
+excluded-good-a	AAAA	2001:eeee::1
+		A	1.2.3.4
+excluded-bad-a	AAAA	2001:eeee::2
+		A	10.0.0.1
+excluded-only	AAAA	2001:eeee::3
+partially-excluded-good-a	AAAA	2001:eeee::1
+		AAAA	2001::1
+		A	1.2.3.4
+partially-excluded-bad-a	AAAA	2001:eeee::2
+		AAAA	2001::2
+		A	10.0.0.1
+partially-excluded-only	AAAA	2001:eeee::3
+		AAAA	2001::3
+a-only		A	1.2.3.5
+a-and-aaaa	AAAA	2001::1
+		A	1.2.3.6
+aaaa-only	AAAA	2001::2
+a-not-mapped	A	10.0.0.2
+mx-only		MX	10 ns.example.
+cname-excluded-good-a CNAME excluded-good-a
+cname-excluded-bad-a CNAME excluded-bad-a
+cname-excluded-only CNAME excluded-only
+cname-partial-excluded-good-a CNAME partial-excluded-good-a
+cname-partial-excluded-bad-a CNAME partial-excluded-bad-a
+cname-partial-excluded-only CNAME partial-excluded-only
+cname-a-only CNAME a-only
+cname-a-and-aaaa CNAME a-and-aaaa
+cname-aaaa-only CNAME aaaa-only
+cname-a-not-mapped CNAME a-not-mapped
+cname-mx-only CNAME mx-only
+cname-non-existent CNAME non-existent
+ttl-less-than-600 500 A 5.6.7.8
+ttl-more-than-600 700 A 5.6.7.8
+ttl-less-than-minimum 1100 A 5.6.7.8
+ttl-more-than-minimum 1300 A 5.6.7.8
diff --git a/bin/tests/system/redirect/ns1/named.conf.in b/bin/tests/system/redirect/ns1/named.conf.in
new file mode 100644
index 0000000..412b874
--- /dev/null
+++ b/bin/tests/system/redirect/ns1/named.conf.in
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	allow-recursion { 10.53.0.1; };
+	notify yes;
+	dnssec-validation yes;
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+};
+
+zone "signed" {
+	type primary;
+	file "signed.db.signed";
+};
+
+zone "nsec3" {
+	type primary;
+	file "nsec3.db.signed";
+};
+
+zone "." {
+	type redirect;
+	file "redirect.db";
+	allow-query { !10.53.0.2; !10.53.0.4; any; };
+};
+
+// include "trusted.conf";
diff --git a/bin/tests/system/redirect/ns1/redirect.db b/bin/tests/system/redirect/ns1/redirect.db
new file mode 100644
index 0000000..b2a60bb
--- /dev/null
+++ b/bin/tests/system/redirect/ns1/redirect.db
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA ns.example.net hostmaster.example.net 0 0 0 0 0
+@ IN NS ns.example.net
+;
+; NS records do not need address records in this zone as it is not in the
+; normal namespace.
+;
+*. IN A 100.100.100.2
+*. IN AAAA 2001:ffff:ffff::100.100.100.2
diff --git a/bin/tests/system/redirect/ns1/root.db b/bin/tests/system/redirect/ns1/root.db
new file mode 100644
index 0000000..6df215f
--- /dev/null
+++ b/bin/tests/system/redirect/ns1/root.db
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@		SOA	a.root-servers.nil. marka.isc.org. 0 0 0 0 0
+@		NS	a.root-servers.nil.
+a.root-servers.nil.      A   10.53.0.1
+example		NS	ns1.example.
+ns1.example.	A	10.53.0.1
+signed		NS	ns1.example.
+ns1.signed.	A	10.53.0.1
diff --git a/bin/tests/system/redirect/ns1/sign.sh b/bin/tests/system/redirect/ns1/sign.sh
new file mode 100644
index 0000000..500dee6
--- /dev/null
+++ b/bin/tests/system/redirect/ns1/sign.sh
@@ -0,0 +1,37 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=signed
+infile=example.db
+zonefile=signed.db
+
+key1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $zone)
+key2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -fk $zone)
+
+cat $infile $key1.key $key2.key > $zonefile
+
+$SIGNER -P -g -o $zone $zonefile > /dev/null
+
+zone=nsec3
+infile=example.db
+zonefile=nsec3.db
+
+key1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -3 $zone)
+key2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -3 -fk $zone)
+
+cat $infile $key1.key $key2.key > $zonefile
+
+$SIGNER -P -3 - -g -o $zone $zonefile > /dev/null
diff --git a/bin/tests/system/redirect/ns2/example.db.in b/bin/tests/system/redirect/ns2/example.db.in
new file mode 100644
index 0000000..a87ae7d
--- /dev/null
+++ b/bin/tests/system/redirect/ns2/example.db.in
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@ IN SOA ns.example.net hostmaster.example.net 0 0 0 0 0
+@       NS	ns2
+ns2	A	10.53.0.2
+a	A	10.53.0.2
diff --git a/bin/tests/system/redirect/ns2/named.conf.in b/bin/tests/system/redirect/ns2/named.conf.in
new file mode 100644
index 0000000..9e8cbde
--- /dev/null
+++ b/bin/tests/system/redirect/ns2/named.conf.in
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+controls { /* empty */ };
+
+acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+	dnssec-validation yes;
+
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "." {
+	type redirect;
+	file "redirect.db";
+	allow-query { !10.53.0.4; any; };
+};
+
+zone "example.nil" {
+	type primary;
+	file "example.db";
+};
diff --git a/bin/tests/system/redirect/ns2/redirect.db.in b/bin/tests/system/redirect/ns2/redirect.db.in
new file mode 100644
index 0000000..e05d64d
--- /dev/null
+++ b/bin/tests/system/redirect/ns2/redirect.db.in
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA ns.example.net hostmaster.example.net 0 0 0 0 0
+@ IN NS ns.example.net
+;
+; NS records do not need address records in this zone as it is not in the
+; normal namespace.
+;
+*. IN A 100.100.100.1
+*. IN AAAA 2001:ffff:ffff::100.100.100.1
diff --git a/bin/tests/system/redirect/ns3/example.db b/bin/tests/system/redirect/ns3/example.db
new file mode 100644
index 0000000..4cceedf
--- /dev/null
+++ b/bin/tests/system/redirect/ns3/example.db
@@ -0,0 +1,50 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL	3600
+@	SOA ns3 marka.isc.org. 0 0 0 0 1200
+@	NS ns3
+ns3	A	10.53.0.3
+excluded-good-a	AAAA	2001:eeee::1
+		A	1.2.3.4
+excluded-bad-a	AAAA	2001:eeee::2
+		A	10.0.0.1
+excluded-only	AAAA	2001:eeee::3
+partially-excluded-good-a	AAAA	2001:eeee::1
+		AAAA	2001::1
+		A	1.2.3.4
+partially-excluded-bad-a	AAAA	2001:eeee::2
+		AAAA	2001::2
+		A	10.0.0.1
+partially-excluded-only	AAAA	2001:eeee::3
+		AAAA	2001::3
+a-only		A	1.2.3.5
+a-and-aaaa	AAAA	2001::1
+		A	1.2.3.6
+aaaa-only	AAAA	2001::2
+a-not-mapped	A	10.0.0.2
+mx-only		MX	10 ns.example.
+cname-excluded-good-a CNAME excluded-good-a
+cname-excluded-bad-a CNAME excluded-bad-a
+cname-excluded-only CNAME excluded-only
+cname-partial-excluded-good-a CNAME partial-excluded-good-a
+cname-partial-excluded-bad-a CNAME partial-excluded-bad-a
+cname-partial-excluded-only CNAME partial-excluded-only
+cname-a-only CNAME a-only
+cname-a-and-aaaa CNAME a-and-aaaa
+cname-aaaa-only CNAME aaaa-only
+cname-a-not-mapped CNAME a-not-mapped
+cname-mx-only CNAME mx-only
+cname-non-existent CNAME non-existent
+ttl-less-than-600 500 A 5.6.7.8
+ttl-more-than-600 700 A 5.6.7.8
+ttl-less-than-minimum 1100 A 5.6.7.8
+ttl-more-than-minimum 1300 A 5.6.7.8
diff --git a/bin/tests/system/redirect/ns3/named.conf.in b/bin/tests/system/redirect/ns3/named.conf.in
new file mode 100644
index 0000000..2113dd5
--- /dev/null
+++ b/bin/tests/system/redirect/ns3/named.conf.in
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	allow-recursion { 10.53.0.3; };
+	notify yes;
+	dnssec-validation yes;
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+};
+
+zone "signed" {
+	type primary;
+	file "signed.db.signed";
+};
+
+zone "nsec3" {
+	type primary;
+	file "nsec3.db.signed";
+};
+
+zone "redirect" {
+	type primary;
+	file "redirect.db";
+};
+
+// include "trusted.conf";
diff --git a/bin/tests/system/redirect/ns3/redirect.db b/bin/tests/system/redirect/ns3/redirect.db
new file mode 100644
index 0000000..b5b63da
--- /dev/null
+++ b/bin/tests/system/redirect/ns3/redirect.db
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA a.root-servers.nil. hostmaster.example.net. 0 0 0 0 0
+@ IN NS a.root-servers.nil.
+* IN A 100.100.100.1
+* IN AAAA 2001:ffff:ffff::100.100.100.1
diff --git a/bin/tests/system/redirect/ns3/root.db b/bin/tests/system/redirect/ns3/root.db
new file mode 100644
index 0000000..13433ef
--- /dev/null
+++ b/bin/tests/system/redirect/ns3/root.db
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@		SOA	a.root-servers.nil. marka.isc.org. 0 0 0 0 0
+@		NS	a.root-servers.nil.
+a.root-servers.nil.      A   10.53.0.3
+example 	NS	ns1.example.
+ns1.example.	A	10.53.0.3
+signed		NS	ns1.example.
+ns1.signed.	A	10.53.0.3
+redirect	NS	a.root-servers.nil
diff --git a/bin/tests/system/redirect/ns3/sign.sh b/bin/tests/system/redirect/ns3/sign.sh
new file mode 100644
index 0000000..500dee6
--- /dev/null
+++ b/bin/tests/system/redirect/ns3/sign.sh
@@ -0,0 +1,37 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=signed
+infile=example.db
+zonefile=signed.db
+
+key1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $zone)
+key2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -fk $zone)
+
+cat $infile $key1.key $key2.key > $zonefile
+
+$SIGNER -P -g -o $zone $zonefile > /dev/null
+
+zone=nsec3
+infile=example.db
+zonefile=nsec3.db
+
+key1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -3 $zone)
+key2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -3 -fk $zone)
+
+cat $infile $key1.key $key2.key > $zonefile
+
+$SIGNER -P -3 - -g -o $zone $zonefile > /dev/null
diff --git a/bin/tests/system/redirect/ns4/example.db.in b/bin/tests/system/redirect/ns4/example.db.in
new file mode 100644
index 0000000..8057d1b
--- /dev/null
+++ b/bin/tests/system/redirect/ns4/example.db.in
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@ IN SOA ns.example.net hostmaster.example.net 0 0 0 0 0
+@       NS	ns4
+ns4	A	10.53.0.4
+a	A	10.53.0.2
diff --git a/bin/tests/system/redirect/ns4/named.conf.in b/bin/tests/system/redirect/ns4/named.conf.in
new file mode 100644
index 0000000..698d5a4
--- /dev/null
+++ b/bin/tests/system/redirect/ns4/named.conf.in
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+controls { /* empty */ };
+
+acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
+
+options {
+	query-source address 10.53.0.2;	/* note this is not 10.53.0.4 */
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+	dnssec-validation yes;
+	nxdomain-redirect "redirect";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "root.hint";
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+};
diff --git a/bin/tests/system/redirect/ns4/root.hint b/bin/tests/system/redirect/ns4/root.hint
new file mode 100644
index 0000000..3889a8b
--- /dev/null
+++ b/bin/tests/system/redirect/ns4/root.hint
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 999999
+.			 IN NS	a.root-servers.nil.
+a.root-servers.nil.	 IN A	10.53.0.3
diff --git a/bin/tests/system/redirect/ns5/named.conf.in b/bin/tests/system/redirect/ns5/named.conf.in
new file mode 100644
index 0000000..74df436
--- /dev/null
+++ b/bin/tests/system/redirect/ns5/named.conf.in
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS5
+
+options {
+	port @PORT@;
+	listen-on port @PORT@ { 10.53.0.5; };
+	pid-file "named.pid";
+	nxdomain-redirect signed;
+};
+
+zone "." {
+        type primary;
+        file "root.db.signed";
+};
+
+// An unsigned zone that ns6 has a delegation for.
+zone "unsigned." {
+        type primary;
+        file "unsigned.db";
+};
diff --git a/bin/tests/system/redirect/ns5/root.db.in b/bin/tests/system/redirect/ns5/root.db.in
new file mode 100644
index 0000000..19aa61d
--- /dev/null
+++ b/bin/tests/system/redirect/ns5/root.db.in
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+.			86400	IN	SOA	a.root-servers.nil. hostmaster.example.net. 2019022100 1800 900 604800 86400
+.			518400	IN	NS	a.root-servers.nil.
+a.root-servers.nil.	518400	IN	A	10.53.0.5
+signed.			172800	IN	NS	ns.signed.
+ns.signed.		172800	IN	A	10.53.0.6
+unsigned.		172800	IN	NS	ns.unsigned.
+ns.unsigned.		172800	IN	A	10.53.0.5
diff --git a/bin/tests/system/redirect/ns5/sign.sh b/bin/tests/system/redirect/ns5/sign.sh
new file mode 100644
index 0000000..efa986a
--- /dev/null
+++ b/bin/tests/system/redirect/ns5/sign.sh
@@ -0,0 +1,45 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+# We sign the zone here and move the signed zone to ns6.
+# The ns5 server actually does not serve this zone but
+# the DS and NS records are in the test root zone, and
+# delegate to ns6.
+zone=signed.
+infile=signed.db.in
+zonefile=signed.db
+
+key1=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS $zone 2> /dev/null)
+key2=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -fk $zone 2> /dev/null)
+
+cat $infile $key1.key $key2.key > $zonefile
+
+$SIGNER -P -g -O full -o $zone $zonefile > sign.ns5.signed.out
+
+cp signed.db.signed ../ns6
+
+# Root zone.
+zone=.
+infile=root.db.in
+zonefile=root.db
+
+key1=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS $zone 2> /dev/null)
+key2=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -fk $zone 2> /dev/null)
+
+# cat $infile $key1.key $key2.key > $zonefile
+cat $infile dsset-signed. $key1.key $key2.key > $zonefile
+
+$SIGNER -P -g -O full -o $zone $zonefile > sign.ns5.root.out
diff --git a/bin/tests/system/redirect/ns5/signed.db.in b/bin/tests/system/redirect/ns5/signed.db.in
new file mode 100644
index 0000000..6579227
--- /dev/null
+++ b/bin/tests/system/redirect/ns5/signed.db.in
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@			IN SOA	ns.signed. hostmaster.signed. 0 0 0 0 0
+@			IN NS	ns.signed.
+
+ns.signed.		IN A	10.0.53.6
+domain.signed.		IN A	10.0.53.1
+
+*			IN A	100.100.100.1
+*			IN AAAA	2001:ffff:ffff::100.100.100.1
diff --git a/bin/tests/system/redirect/ns5/unsigned.db b/bin/tests/system/redirect/ns5/unsigned.db
new file mode 100644
index 0000000..10e06ff
--- /dev/null
+++ b/bin/tests/system/redirect/ns5/unsigned.db
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@			IN SOA	ns.unsigned. hostmaster.unsigned. 0 0 0 0 0
+@			IN NS	ns.unsigned.
+
+ns.unsigned.		IN A	10.53.0.6
+domain.unsigned.	IN A	10.0.53.1
+
+*			IN A	100.100.100.1
+*			IN AAAA	2001:ffff:ffff::100.100.100.1
diff --git a/bin/tests/system/redirect/ns6/named.conf.in b/bin/tests/system/redirect/ns6/named.conf.in
new file mode 100644
index 0000000..d211715
--- /dev/null
+++ b/bin/tests/system/redirect/ns6/named.conf.in
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS6
+
+options {
+	port @PORT@;
+	listen-on port @PORT@ { 10.53.0.6; };
+	pid-file "named.pid";
+	nxdomain-redirect unsigned;
+};
+
+zone "." {
+        type primary;
+        file "root.db";
+};
+
+// A signed zone that ns5 has a delegation for.
+zone "signed." {
+        type primary;
+        file "signed.db.signed";
+};
diff --git a/bin/tests/system/redirect/ns6/root.db b/bin/tests/system/redirect/ns6/root.db
new file mode 100644
index 0000000..a8e6a45
--- /dev/null
+++ b/bin/tests/system/redirect/ns6/root.db
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+.			86400	IN	SOA	a.root-servers.nil. hostmaster.example.net. 2019022100 1800 900 604800 86400
+.			518400	IN	NS	a.root-servers.nil.
+a.root-servers.nil.	518400	IN	A	10.53.0.6
+signed.			172800	IN	NS	ns.signed.
+ns.signed.		172800	IN	A	10.53.0.6
+unsigned.		172800	IN	NS	ns.unsigned.
+ns.unsigned.		172800	IN	A	10.53.0.5
diff --git a/bin/tests/system/redirect/setup.sh b/bin/tests/system/redirect/setup.sh
new file mode 100644
index 0000000..29a75b7
--- /dev/null
+++ b/bin/tests/system/redirect/setup.sh
@@ -0,0 +1,30 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+copy_setports ns6/named.conf.in ns6/named.conf
+
+cp ns2/redirect.db.in ns2/redirect.db
+cp ns2/example.db.in ns2/example.db
+( cd ns1 && $SHELL sign.sh )
+
+cp ns4/example.db.in ns4/example.db
+( cd ns3 && $SHELL sign.sh )
+( cd ns5 && $SHELL sign.sh )
diff --git a/bin/tests/system/redirect/tests.sh b/bin/tests/system/redirect/tests.sh
new file mode 100644
index 0000000..f56b85f
--- /dev/null
+++ b/bin/tests/system/redirect/tests.sh
@@ -0,0 +1,539 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=1
+
+rm -f dig.out.*
+
+DIGOPTS="+tcp +noadd +nosea +nostat +nocmd -p ${PORT}"
+RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
+
+for conf in conf/good*.conf
+do
+        echo_i "checking that $conf is accepted ($n)"
+        ret=0
+        $CHECKCONF "$conf" || ret=1
+        n=`expr $n + 1`
+        if [ $ret != 0 ]; then echo_i "failed"; fi
+        status=`expr $status + $ret`
+done
+
+for conf in conf/bad*.conf
+do
+        echo_i "checking that $conf is rejected ($n)"
+        ret=0
+        $CHECKCONF "$conf" >/dev/null && ret=1
+	n=`expr $n + 1`
+        if [ $ret != 0 ]; then echo_i "failed"; fi
+        status=`expr $status + $ret`
+done
+
+echo_i "checking A zone redirect works for nonexist ($n)"
+ret=0
+$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.2 a > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "100.100.100.1" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A zone redirect updates statistics ($n)"
+ret=0
+rm ns2/named.stats 2>/dev/null
+$RNDCCMD 10.53.0.2 stats || ret=1
+PRE=`tr -d '\r' < ns2/named.stats | sed -n -e "s/[    ]*\([0-9]*\).queries resulted in NXDOMAIN that were redirected$/\1/p"`
+$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.2 a > dig.out.ns2.test$n || ret=1
+rm ns2/named.stats 2>/dev/null
+$RNDCCMD 10.53.0.2 stats || ret=1
+POST=`tr -d '\r' < ns2/named.stats | sed -n -e "s/[    ]*\([0-9]*\).queries resulted in NXDOMAIN that were redirected$/\1/p"`
+if [ `expr $POST - $PRE` != 1 ]; then ret=1; fi
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking AAAA zone redirect works for nonexist ($n)"
+ret=0
+$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking ANY zone redirect works for nonexist ($n)"
+ret=0
+$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.2 any > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "100.100.100.1" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A zone redirect doesn't work for acl miss ($n)"
+ret=0
+$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.4 a > dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
+grep "100.100.100.1" dig.out.ns2.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking AAAA zone redirect doesn't work for acl miss ($n)"
+ret=0
+$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.4 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking ANY zone redirect doesn't work for acl miss ($n)"
+ret=0
+$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.4 any > dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
+grep "100.100.100.1" dig.out.ns2.test$n > /dev/null && ret=1
+grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A zone redirect works for signed nonexist, DO=0 ($n)"
+ret=0
+$DIG $DIGOPTS nonexist.signed. @10.53.0.2 -b 10.53.0.2 a > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "100.100.100.1" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking AAAA zone redirect works for signed nonexist, DO=0 ($n)"
+ret=0
+$DIG $DIGOPTS nonexist.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking ANY zone redirect works for signed nonexist, DO=0 ($n)"
+ret=0
+$DIG $DIGOPTS nonexist.signed. @10.53.0.2 -b 10.53.0.2 any > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "100.100.100.1" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A zone redirect fails for signed nonexist, DO=1 ($n)"
+ret=0
+$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.2 -b 10.53.0.2 a > dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
+grep "100.100.100.1" dig.out.ns2.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking AAAA zone redirect fails for signed nonexist, DO=1 ($n)"
+ret=0
+$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking ANY zone redirect fails for signed nonexist, DO=1 ($n)"
+ret=0
+$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.2 -b 10.53.0.2 any > dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
+grep "100.100.100.1" dig.out.ns2.test$n > /dev/null && ret=1
+grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A zone redirect fails for nsec3 signed nonexist, DO=1 ($n)"
+ret=0
+$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.2 -b 10.53.0.2 a > dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
+grep "100.100.100.1" dig.out.ns2.test$n > /dev/null && ret=1
+grep "IN.NSEC3" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking AAAA zone redirect fails for nsec3 signed nonexist, DO=1 ($n)"
+ret=0
+$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n > /dev/null && ret=1
+grep "IN.NSEC3" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking ANY zone redirect fails for nsec3 signed nonexist, DO=1 ($n)"
+ret=0
+$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.2 -b 10.53.0.2 any > dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
+grep "100.100.100.1" dig.out.ns2.test$n > /dev/null && ret=1
+grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n > /dev/null && ret=1
+grep "IN.NSEC3" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A zone redirect works for nonexist authoritative ($n)"
+ret=0
+$DIG $DIGOPTS nonexist. @10.53.0.1 -b 10.53.0.1 a > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "100.100.100.2" dig.out.ns1.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking AAAA zone redirect works for nonexist authoritative ($n)"
+ret=0
+$DIG $DIGOPTS nonexist. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking ANY zone redirect works for nonexist authoritative ($n)"
+ret=0
+$DIG $DIGOPTS nonexist. @10.53.0.1 -b 10.53.0.1 any > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "100.100.100.2" dig.out.ns1.test$n > /dev/null || ret=1
+grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A zone redirect doesn't work for acl miss authoritative ($n)"
+ret=0
+$DIG $DIGOPTS nonexist. @10.53.0.1 -b 10.53.0.4 a > dig.out.ns1.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1
+grep "100.100.100.2" dig.out.ns1.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking AAAA zone redirect doesn't work for acl miss authoritative ($n)"
+ret=0
+$DIG $DIGOPTS nonexist. @10.53.0.1 -b 10.53.0.4 aaaa > dig.out.ns1.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1
+grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking ANY zone redirect doesn't work for acl miss authoritative ($n)"
+ret=0
+$DIG $DIGOPTS nonexist. @10.53.0.1 -b 10.53.0.4 any > dig.out.ns1.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1
+grep "100.100.100.2" dig.out.ns1.test$n > /dev/null && ret=1
+grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A zone redirect works for signed nonexist, DO=0 authoritative ($n)"
+ret=0
+$DIG $DIGOPTS nonexist.signed. @10.53.0.1 -b 10.53.0.1 a > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "100.100.100.2" dig.out.ns1.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking AAAA zone redirect works for signed nonexist, DO=0 authoritative ($n)"
+ret=0
+$DIG $DIGOPTS nonexist.signed. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking ANY zone redirect works for signed nonexist, DO=0 authoritative ($n)"
+ret=0
+$DIG $DIGOPTS nonexist.signed. @10.53.0.1 -b 10.53.0.1 any > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "100.100.100.2" dig.out.ns1.test$n > /dev/null || ret=1
+grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A zone redirect fails for signed nonexist, DO=1 authoritative ($n)"
+ret=0
+$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.1 -b 10.53.0.1 a > dig.out.ns1.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1
+grep "100.100.100.2" dig.out.ns1.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking AAAA zone redirect fails for signed nonexist, DO=1 authoritative ($n)"
+ret=0
+$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns1.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1
+grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking ANY zone redirect fails for signed nonexist, DO=1 authoritative ($n)"
+ret=0
+$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.1 -b 10.53.0.1 any > dig.out.ns1.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1
+grep "100.100.100.2" dig.out.ns1.test$n > /dev/null && ret=1
+grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A zone redirect fails for nsec3 signed nonexist, DO=1 authoritative ($n)"
+ret=0
+$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.1 -b 10.53.0.1 a > dig.out.ns1.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1
+grep "100.100.100.2" dig.out.ns1.test$n > /dev/null && ret=1
+grep "IN.NSEC3" dig.out.ns1.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking AAAA zone redirect fails for nsec3 signed nonexist, DO=1 authoritative ($n)"
+ret=0
+$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns1.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1
+grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n > /dev/null && ret=1
+grep "IN.NSEC3" dig.out.ns1.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking ANY zone redirect fails for nsec3 signed nonexist, DO=1 authoritative ($n)"
+ret=0
+$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.1 -b 10.53.0.1 any > dig.out.ns1.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1
+grep "100.100.100.2" dig.out.ns1.test$n > /dev/null && ret=1
+grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n > /dev/null && ret=1
+grep "IN.NSEC3" dig.out.ns1.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking zone redirect works (with noerror) when qtype is not found ($n)"
+ret=0
+$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.2 txt > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking that redirect zones reload correctly"
+ret=0
+sleep 1 # ensure file mtime will have changed
+tr -d '\r' < ns2/example.db.in | sed -e 's/0 0 0 0 0/1 0 0 0 0/' > ns2/example.db
+tr -d '\r' < ns2/redirect.db.in | sed -e 's/0 0 0 0 0/1 0 0 0 0/' -e 's/\.1$/.2/' > ns2/redirect.db
+rndc_reload ns2 10.53.0.2
+for i in 1 2 3 4 5 6 7 8 9; do
+    tmp=0
+    $DIG $DIGOPTS +short @10.53.0.2 soa example.nil > dig.out.ns1.test$n || tmp=1
+    set -- `cat dig.out.ns1.test$n`
+    [ $3 = 1 ] || tmp=1
+    $DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.2 a > dig.out.ns2.test$n || tmp=1
+    grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || tmp=1
+    grep "100.100.100.2" dig.out.ns2.test$n > /dev/null || tmp=1
+    [ $tmp -eq 0 ] && break
+    sleep 1
+done
+[ $tmp -eq 1 ] && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A nxdomain-redirect works for nonexist ($n)"
+ret=0
+$DIG $DIGOPTS nonexist. @10.53.0.4 -b 10.53.0.2 a > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "nonexist.	.*100.100.100.1" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking AAAA nxdomain-redirect works for nonexist ($n)"
+ret=0
+rm ns4/named.stats 2>/dev/null
+$RNDCCMD 10.53.0.4 stats || ret=1
+PRE_RED=`tr -d '\r' < ns4/named.stats | sed -n -e "s/[    ]*\([0-9]*\).queries resulted in NXDOMAIN that were redirected$/\1/p"`
+PRE_SUC=`tr -d '\r' < ns4/named.stats | sed -n -e "s/[    ]*\([0-9]*\).queries resulted in NXDOMAIN that were redirected and resulted in a successful remote lookup$/\1/p"`
+$DIG $DIGOPTS nonexist. @10.53.0.4 -b 10.53.0.2 aaaa > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "nonexist.	.*2001:ffff:ffff::6464:6401" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking AAAA nxdomain-redirect updates statistics ($n)"
+ret=0
+rm ns4/named.stats 2>/dev/null
+$RNDCCMD 10.53.0.4 stats || ret=1
+POST_RED=`tr -d '\r' < ns4/named.stats | sed -n -e "s/[    ]*\([0-9]*\).queries resulted in NXDOMAIN that were redirected$/\1/p"`
+POST_SUC=`tr -d '\r' < ns4/named.stats | sed -n -e "s/[    ]*\([0-9]*\).queries resulted in NXDOMAIN that were redirected and resulted in a successful remote lookup$/\1/p"`
+if [ `expr $POST_RED - $PRE_RED` != 1 ]; then ret=1; fi
+if [ `expr $POST_SUC - $PRE_SUC` != 1 ]; then ret=1; fi
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking ANY nxdomain-redirect works for nonexist ($n)"
+ret=0
+$DIG $DIGOPTS nonexist. @10.53.0.4 -b 10.53.0.2 any > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "100.100.100.1" dig.out.ns4.test$n > /dev/null || ret=1
+grep "2001:ffff:ffff::6464:6401" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A nxdomain-redirect works for signed nonexist, DO=0 ($n)"
+ret=0
+$DIG $DIGOPTS nonexist.signed. @10.53.0.4 -b 10.53.0.2 a > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "100.100.100.1" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking AAAA nxdomain-redirect works for signed nonexist, DO=0 ($n)"
+ret=0
+$DIG $DIGOPTS nonexist.signed. @10.53.0.4 -b 10.53.0.2 aaaa > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "2001:ffff:ffff::6464:6401" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking ANY nxdomain-redirect works for signed nonexist, DO=0 ($n)"
+ret=0
+$DIG $DIGOPTS nonexist.signed. @10.53.0.4 -b 10.53.0.2 any > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "100.100.100.1" dig.out.ns4.test$n > /dev/null || ret=1
+grep "2001:ffff:ffff::6464:6401" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A nxdomain-redirect fails for signed nonexist, DO=1 ($n)"
+ret=0
+$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.4 -b 10.53.0.2 a > dig.out.ns4.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+grep "100.100.100.1" dig.out.ns4.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking AAAA nxdomain-redirect fails for signed nonexist, DO=1 ($n)"
+ret=0
+$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.4 -b 10.53.0.2 aaaa > dig.out.ns4.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+grep "2001:ffff:ffff::6464:6401" dig.out.ns4.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking ANY nxdomain-redirect fails for signed nonexist, DO=1 ($n)"
+ret=0
+$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.4 -b 10.53.0.2 any > dig.out.ns4.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+grep "100.100.100.1" dig.out.ns4.test$n > /dev/null && ret=1
+grep "2001:ffff:ffff::6464:6401" dig.out.ns4.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A nxdomain-redirect fails for nsec3 signed nonexist, DO=1 ($n)"
+ret=0
+$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.4 -b 10.53.0.2 a > dig.out.ns4.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+grep "100.100.100.1" dig.out.ns4.test$n > /dev/null && ret=1
+grep "IN.NSEC3" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking AAAA nxdomain-redirect fails for nsec3 signed nonexist, DO=1 ($n)"
+ret=0
+$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.4 -b 10.53.0.2 aaaa > dig.out.ns4.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+grep "2001:ffff:ffff::6464:6401" dig.out.ns4.test$n > /dev/null && ret=1
+grep "IN.NSEC3" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking ANY nxdomain-redirect fails for nsec3 signed nonexist, DO=1 ($n)"
+ret=0
+$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.4 -b 10.53.0.2 any > dig.out.ns4.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+grep "100.100.100.1" dig.out.ns4.test$n > /dev/null && ret=1
+grep "2001:ffff:ffff::6464:6401" dig.out.ns4.test$n > /dev/null && ret=1
+grep "IN.NSEC3" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking nxdomain-redirect works (with noerror) when qtype is not found ($n)"
+ret=0
+$DIG $DIGOPTS nonexist. @10.53.0.4 -b 10.53.0.2 txt > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking nxdomain-redirect against authoritative zone ($n)"
+ret=0
+$DIG $DIGOPTS nonexist.example @10.53.0.4 -b 10.53.0.2 a > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking tld nxdomain-redirect against signed root zone ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.5 asdfasdfasdf > dig.out.ns5.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns5.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking tld nxdomain-redirect against unsigned root zone ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.6 asdfasdfasdf > dig.out.ns6.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns6.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/resolve.c b/bin/tests/system/resolve.c
new file mode 100644
index 0000000..8915773
--- /dev/null
+++ b/bin/tests/system/resolve.c
@@ -0,0 +1,501 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef WIN32
+#include <arpa/inet.h>
+#include <netdb.h>
+#include <netinet/in.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <unistd.h>
+#endif /* ifndef WIN32 */
+
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/app.h>
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/lib.h>
+#include <isc/managers.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/sockaddr.h>
+#include <isc/socket.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/client.h>
+#include <dns/fixedname.h>
+#include <dns/keyvalues.h>
+#include <dns/lib.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/secalg.h>
+
+#include <dst/dst.h>
+
+#include <irs/resconf.h>
+
+static char *algname;
+
+static isc_result_t
+printdata(dns_rdataset_t *rdataset, dns_name_t *owner) {
+	isc_buffer_t target;
+	isc_result_t result;
+	isc_region_t r;
+	char t[4096];
+
+	if (!dns_rdataset_isassociated(rdataset)) {
+		printf("[WARN: empty]\n");
+		return (ISC_R_SUCCESS);
+	}
+
+	isc_buffer_init(&target, t, sizeof(t));
+
+	result = dns_rdataset_totext(rdataset, owner, false, false, &target);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	isc_buffer_usedregion(&target, &r);
+	printf("%.*s", (int)r.length, (char *)r.base);
+
+	return (ISC_R_SUCCESS);
+}
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(void) {
+	fprintf(stderr, "resolve [-t RRtype] "
+			"[[-a algorithm] [-e] -k keyname -K keystring] "
+			"[-S domain:serveraddr_for_domain ] [-s server_address]"
+			"[-b address[#port]] hostname\n");
+
+	exit(1);
+}
+
+static void
+set_key(dns_client_t *client, char *keynamestr, char *keystr, bool is_sep,
+	isc_mem_t **mctxp) {
+	isc_result_t result;
+	dns_fixedname_t fkeyname;
+	unsigned int namelen;
+	dns_name_t *keyname;
+	dns_rdata_dnskey_t keystruct;
+	unsigned char keydata[4096];
+	isc_buffer_t keydatabuf;
+	unsigned char rrdata[4096];
+	isc_buffer_t rrdatabuf;
+	isc_buffer_t b;
+	isc_textregion_t tr;
+	isc_region_t r;
+	dns_secalg_t alg;
+
+	isc_mem_create(mctxp);
+
+	if (algname != NULL) {
+		tr.base = algname;
+		tr.length = strlen(algname);
+		result = dns_secalg_fromtext(&alg, &tr);
+		if (result != ISC_R_SUCCESS) {
+			fprintf(stderr, "failed to identify the algorithm\n");
+			exit(1);
+		}
+	} else {
+		alg = DNS_KEYALG_RSASHA1;
+	}
+
+	keystruct.common.rdclass = dns_rdataclass_in;
+	keystruct.common.rdtype = dns_rdatatype_dnskey;
+	keystruct.flags = DNS_KEYOWNER_ZONE; /* fixed */
+	if (is_sep) {
+		keystruct.flags |= DNS_KEYFLAG_KSK;
+	}
+	keystruct.protocol = DNS_KEYPROTO_DNSSEC; /* fixed */
+	keystruct.algorithm = alg;
+
+	isc_buffer_init(&keydatabuf, keydata, sizeof(keydata));
+	isc_buffer_init(&rrdatabuf, rrdata, sizeof(rrdata));
+	result = isc_base64_decodestring(keystr, &keydatabuf);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "base64 decode failed\n");
+		exit(1);
+	}
+	isc_buffer_usedregion(&keydatabuf, &r);
+	keystruct.datalen = r.length;
+	keystruct.data = r.base;
+
+	result = dns_rdata_fromstruct(NULL, keystruct.common.rdclass,
+				      keystruct.common.rdtype, &keystruct,
+				      &rrdatabuf);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "failed to construct key rdata\n");
+		exit(1);
+	}
+	namelen = strlen(keynamestr);
+	isc_buffer_init(&b, keynamestr, namelen);
+	isc_buffer_add(&b, namelen);
+	keyname = dns_fixedname_initname(&fkeyname);
+	result = dns_name_fromtext(keyname, &b, dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "failed to construct key name\n");
+		exit(1);
+	}
+	result = dns_client_addtrustedkey(client, dns_rdataclass_in,
+					  dns_rdatatype_dnskey, keyname,
+					  &rrdatabuf);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "failed to add key for %s\n", keynamestr);
+		exit(1);
+	}
+}
+
+static void
+addserver(dns_client_t *client, const char *addrstr, const char *port,
+	  const char *name_space) {
+	struct addrinfo hints, *res;
+	int gaierror;
+	isc_sockaddr_t sa;
+	isc_sockaddrlist_t servers;
+	isc_result_t result;
+	unsigned int namelen;
+	isc_buffer_t b;
+	dns_fixedname_t fname;
+	dns_name_t *name = NULL;
+
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = AF_UNSPEC;
+	hints.ai_socktype = SOCK_DGRAM;
+	hints.ai_protocol = IPPROTO_UDP;
+	hints.ai_flags = AI_NUMERICHOST;
+	gaierror = getaddrinfo(addrstr, port, &hints, &res);
+	if (gaierror != 0) {
+		fprintf(stderr, "getaddrinfo failed: %s\n",
+			gai_strerror(gaierror));
+		exit(1);
+	}
+	INSIST(res->ai_addrlen <= sizeof(sa.type));
+	memmove(&sa.type, res->ai_addr, res->ai_addrlen);
+	sa.length = (unsigned int)res->ai_addrlen;
+	freeaddrinfo(res);
+	ISC_LINK_INIT(&sa, link);
+	ISC_LIST_INIT(servers);
+	ISC_LIST_APPEND(servers, &sa, link);
+
+	if (name_space != NULL) {
+		namelen = strlen(name_space);
+		isc_buffer_constinit(&b, name_space, namelen);
+		isc_buffer_add(&b, namelen);
+		name = dns_fixedname_initname(&fname);
+		result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
+		if (result != ISC_R_SUCCESS) {
+			fprintf(stderr, "failed to convert qname: %u\n",
+				result);
+			exit(1);
+		}
+	}
+
+	result = dns_client_setservers(client, dns_rdataclass_in, name,
+				       &servers);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "set server failed: %u\n", result);
+		exit(1);
+	}
+}
+
+int
+main(int argc, char *argv[]) {
+	int ch;
+	isc_textregion_t tr;
+	char *server = NULL;
+	char *altserver = NULL;
+	char *altserveraddr = NULL;
+	char *altservername = NULL;
+	dns_client_t *client = NULL;
+	char *keynamestr = NULL;
+	char *keystr = NULL;
+	isc_result_t result;
+	isc_buffer_t b;
+	dns_fixedname_t qname0;
+	unsigned int namelen;
+	dns_name_t *qname, *name;
+	dns_rdatatype_t type = dns_rdatatype_a;
+	dns_rdataset_t *rdataset;
+	dns_namelist_t namelist;
+	isc_mem_t *keymctx = NULL;
+	unsigned int clientopt, resopt = 0;
+	bool is_sep = false;
+	const char *port = "53";
+	isc_mem_t *mctx = NULL;
+	isc_appctx_t *actx = NULL;
+	isc_nm_t *netmgr = NULL;
+	isc_taskmgr_t *taskmgr = NULL;
+	isc_socketmgr_t *socketmgr = NULL;
+	isc_timermgr_t *timermgr = NULL;
+	struct in_addr in4;
+	struct in6_addr in6;
+	isc_sockaddr_t a4, a6;
+	isc_sockaddr_t *addr4 = NULL, *addr6 = NULL;
+
+	while ((ch = isc_commandline_parse(argc, argv, "a:b:es:t:k:K:p:S:")) !=
+	       -1)
+	{
+		switch (ch) {
+		case 't':
+			tr.base = isc_commandline_argument;
+			tr.length = strlen(isc_commandline_argument);
+			result = dns_rdatatype_fromtext(&type, &tr);
+			if (result != ISC_R_SUCCESS) {
+				fprintf(stderr, "invalid RRtype: %s\n",
+					isc_commandline_argument);
+				exit(1);
+			}
+			break;
+		case 'a':
+			algname = isc_commandline_argument;
+			break;
+		case 'b':
+			if (inet_pton(AF_INET, isc_commandline_argument,
+				      &in4) == 1)
+			{
+				if (addr4 != NULL) {
+					fprintf(stderr, "only one local "
+							"address per family "
+							"can be specified\n");
+					exit(1);
+				}
+				isc_sockaddr_fromin(&a4, &in4, 0);
+				addr4 = &a4;
+			} else if (inet_pton(AF_INET6, isc_commandline_argument,
+					     &in6) == 1)
+			{
+				if (addr6 != NULL) {
+					fprintf(stderr, "only one local "
+							"address per family "
+							"can be specified\n");
+					exit(1);
+				}
+				isc_sockaddr_fromin6(&a6, &in6, 0);
+				addr6 = &a6;
+			} else {
+				fprintf(stderr, "invalid address %s\n",
+					isc_commandline_argument);
+				exit(1);
+			}
+			break;
+		case 'e':
+			is_sep = true;
+			break;
+		case 'S':
+			if (altserver != NULL) {
+				fprintf(stderr,
+					"alternate server "
+					"already defined: %s\n",
+					altserver);
+				exit(1);
+			}
+			altserver = isc_commandline_argument;
+			break;
+		case 's':
+			if (server != NULL) {
+				fprintf(stderr,
+					"server "
+					"already defined: %s\n",
+					server);
+				exit(1);
+			}
+			server = isc_commandline_argument;
+			break;
+		case 'k':
+			keynamestr = isc_commandline_argument;
+			break;
+		case 'K':
+			keystr = isc_commandline_argument;
+			break;
+		case 'p':
+			port = isc_commandline_argument;
+			break;
+		default:
+			usage();
+		}
+	}
+
+	argc -= isc_commandline_index;
+	argv += isc_commandline_index;
+	if (argc < 1) {
+		usage();
+	}
+
+	if (altserver != NULL) {
+		char *cp;
+
+		cp = strchr(altserver, ':');
+		if (cp == NULL) {
+			fprintf(stderr, "invalid alternate server: %s\n",
+				altserver);
+			exit(1);
+		}
+		*cp = '\0';
+		altservername = altserver;
+		altserveraddr = cp + 1;
+	}
+
+	isc_lib_register();
+	result = dns_lib_init();
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "dns_lib_init failed: %u\n", result);
+		exit(1);
+	}
+
+	isc_mem_create(&mctx);
+
+	result = isc_appctx_create(mctx, &actx);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	result = isc_app_ctxstart(actx);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	result = isc_managers_create(mctx, 1, 0, &netmgr, &taskmgr);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	result = isc_socketmgr_create(mctx, &socketmgr);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	result = isc_timermgr_create(mctx, &timermgr);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	clientopt = 0;
+	result = dns_client_create(mctx, actx, taskmgr, socketmgr, timermgr,
+				   clientopt, &client, addr4, addr6);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "dns_client_create failed: %u, %s\n", result,
+			isc_result_totext(result));
+		exit(1);
+	}
+
+	/* Set the nameserver */
+	if (server == NULL) {
+		irs_resconf_t *resconf = NULL;
+		isc_sockaddrlist_t *nameservers;
+
+		result = irs_resconf_load(mctx, "/etc/resolv.conf", &resconf);
+		if (result != ISC_R_SUCCESS && result != ISC_R_FILENOTFOUND) {
+			fprintf(stderr, "irs_resconf_load failed: %u\n",
+				result);
+			exit(1);
+		}
+		nameservers = irs_resconf_getnameservers(resconf);
+		result = dns_client_setservers(client, dns_rdataclass_in, NULL,
+					       nameservers);
+		if (result != ISC_R_SUCCESS) {
+			irs_resconf_destroy(&resconf);
+			fprintf(stderr, "dns_client_setservers failed: %u\n",
+				result);
+			exit(1);
+		}
+		irs_resconf_destroy(&resconf);
+	} else {
+		addserver(client, server, port, NULL);
+	}
+
+	/* Set the alternate nameserver (when specified) */
+	if (altserver != NULL) {
+		addserver(client, altserveraddr, port, altservername);
+	}
+
+	/* Install DNSSEC key (if given) */
+	if (keynamestr != NULL) {
+		if (keystr == NULL) {
+			fprintf(stderr, "key string is missing "
+					"while key name is provided\n");
+			exit(1);
+		}
+		set_key(client, keynamestr, keystr, is_sep, &keymctx);
+	}
+
+	/* Construct qname */
+	namelen = strlen(argv[0]);
+	isc_buffer_init(&b, argv[0], namelen);
+	isc_buffer_add(&b, namelen);
+	qname = dns_fixedname_initname(&qname0);
+	result = dns_name_fromtext(qname, &b, dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "failed to convert qname: %u\n", result);
+	}
+
+	/* Perform resolution */
+	if (keynamestr == NULL) {
+		resopt |= DNS_CLIENTRESOPT_NODNSSEC;
+	}
+	ISC_LIST_INIT(namelist);
+	result = dns_client_resolve(client, qname, dns_rdataclass_in, type,
+				    resopt, &namelist);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "resolution failed: %s\n",
+			dns_result_totext(result));
+	}
+	for (name = ISC_LIST_HEAD(namelist); name != NULL;
+	     name = ISC_LIST_NEXT(name, link))
+	{
+		for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link))
+		{
+			if (printdata(rdataset, name) != ISC_R_SUCCESS) {
+				fprintf(stderr, "print data failed\n");
+			}
+		}
+	}
+
+	dns_client_freeresanswer(client, &namelist);
+
+	/* Cleanup */
+cleanup:
+	dns_client_destroy(&client);
+
+	if (taskmgr != NULL) {
+		isc_managers_destroy(&netmgr, &taskmgr);
+	}
+	if (timermgr != NULL) {
+		isc_timermgr_destroy(&timermgr);
+	}
+	if (socketmgr != NULL) {
+		isc_socketmgr_destroy(&socketmgr);
+	}
+	if (actx != NULL) {
+		isc_appctx_destroy(&actx);
+	}
+	isc_mem_detach(&mctx);
+
+	if (keynamestr != NULL) {
+		isc_mem_destroy(&keymctx);
+	}
+	dns_lib_shutdown();
+
+	return (0);
+}
diff --git a/bin/tests/system/resolver/ans2/ans.pl b/bin/tests/system/resolver/ans2/ans.pl
new file mode 100644
index 0000000..7876508
--- /dev/null
+++ b/bin/tests/system/resolver/ans2/ans.pl
@@ -0,0 +1,140 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Ad hoc name server
+#
+
+use IO::File;
+use IO::Socket;
+use Net::DNS;
+use Net::DNS::Packet;
+
+my $localport = int($ENV{'PORT'});
+if (!$localport) { $localport = 5300; }
+
+my $sock = IO::Socket::INET->new(LocalAddr => "10.53.0.2",
+   LocalPort => $localport, Proto => "udp") or die "$!";
+
+my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
+print $pidf "$$\n" or die "cannot write pid file: $!";
+$pidf->close or die "cannot close pid file: $!";
+sub rmpid { unlink "ans.pid"; exit 1; };
+
+$SIG{INT} = \&rmpid;
+$SIG{TERM} = \&rmpid;
+
+for (;;) {
+	$sock->recv($buf, 512);
+
+	print "**** request from " , $sock->peerhost, " port ", $sock->peerport, "\n";
+
+	my $packet;
+
+	if ($Net::DNS::VERSION > 0.68) {
+		$packet = new Net::DNS::Packet(\$buf, 0);
+		$@ and die $@;
+	} else {
+		my $err;
+		($packet, $err) = new Net::DNS::Packet(\$buf, 0);
+		$err and die $err;
+	}
+
+	print "REQUEST:\n";
+	$packet->print;
+
+	$packet->header->qr(1);
+
+	my @questions = $packet->question;
+	my $qname = $questions[0]->qname;
+	my $qtype = $questions[0]->qtype;
+
+	if ($qname eq "com" && $qtype eq "NS") {
+		$packet->header->aa(1);
+		$packet->push("answer", new Net::DNS::RR("com 300 NS a.root-servers.nil."));
+	} elsif ($qname eq "example.com" && $qtype eq "NS") {
+		$packet->header->aa(1);
+		$packet->push("answer", new Net::DNS::RR("example.com 300 NS a.root-servers.nil."));
+	} elsif ($qname eq "cname1.example.com") {
+		# Data for the "cname + other data / 1" test
+		$packet->push("answer", new Net::DNS::RR("cname1.example.com 300 CNAME cname1.example.com"));
+		$packet->push("answer", new Net::DNS::RR("cname1.example.com 300 A 1.2.3.4"));
+	} elsif ($qname eq "cname2.example.com") {
+		# Data for the "cname + other data / 2" test: same RRs in opposite order
+		$packet->push("answer", new Net::DNS::RR("cname2.example.com 300 A 1.2.3.4"));
+		$packet->push("answer", new Net::DNS::RR("cname2.example.com 300 CNAME cname2.example.com"));
+	} elsif ($qname =~ /redirect\.com/) {
+		$packet->push("authority", new Net::DNS::RR("redirect.com 300 NS ns.redirect.com"));
+		$packet->push("additional", new Net::DNS::RR("ns.redirect.com 300 A 10.53.0.6"));
+	} elsif ($qname =~ /\.tld1/) {
+		$packet->push("authority", new Net::DNS::RR("tld1 300 NS ns.tld1"));
+		$packet->push("additional", new Net::DNS::RR("ns.tld1 300 A 10.53.0.6"));
+	} elsif ($qname =~ /\.tld2/) {
+		$packet->push("authority", new Net::DNS::RR("tld2 300 NS ns.tld2"));
+		$packet->push("additional", new Net::DNS::RR("ns.tld2 300 A 10.53.0.7"));
+	} elsif ($qname eq "org" && $qtype eq "NS") {
+		$packet->header->aa(1);
+		$packet->push("answer", new Net::DNS::RR("org 300 NS a.root-servers.nil."));
+	} elsif ($qname eq "example.org" && $qtype eq "NS") {
+		$packet->header->aa(1);
+		$packet->push("answer", new Net::DNS::RR("example.org 300 NS a.root-servers.nil."));
+	} elsif (($qname eq "baddname.example.org" || $qname eq "gooddname.example.org") && $qtype eq "NS") {
+		$packet->header->aa(1);
+		$packet->push("answer", new Net::DNS::RR("example.org 300 NS a.root-servers.nil."));
+	} elsif ($qname eq "www.example.org" ||
+		 $qname eq "badcname.example.org" ||
+		 $qname eq "goodcname.example.org" ||
+		 $qname eq "foo.baddname.example.org" ||
+		 $qname eq "foo.gooddname.example.org") {
+		# Data for address/alias filtering.
+		$packet->header->aa(1);
+		if ($qtype eq "A") {
+			$packet->push("answer",
+				      new Net::DNS::RR($qname .
+						       " 300 A 192.0.2.1"));
+		} elsif ($qtype eq "AAAA") {
+			$packet->push("answer",
+				      new Net::DNS::RR($qname .
+						" 300 AAAA 2001:db8:beef::1"));
+		}
+	} elsif ($qname eq "net" && $qtype eq "NS") {
+		$packet->header->aa(1);
+		$packet->push("answer", new Net::DNS::RR("net 300 NS a.root-servers.nil."));
+	} elsif ($qname =~ /example\.net/) {
+		$packet->push("authority", new Net::DNS::RR("example.net 300 NS ns.example.net"));
+		$packet->push("additional", new Net::DNS::RR("ns.example.net 300 A 10.53.0.3"));
+	} elsif ($qname =~ /sub\.example\.org/) {
+		# Data for CNAME/DNAME filtering.  The final answers are
+		# expected to be accepted regardless of the filter setting.
+		$packet->push("authority", new Net::DNS::RR("sub.example.org 300 NS ns.sub.example.org"));
+		$packet->push("additional", new Net::DNS::RR("ns.sub.example.org 300 A 10.53.0.3"));
+	} elsif ($qname =~ /glue-in-answer\.example\.org/) {
+		$packet->push("answer", new Net::DNS::RR("ns.glue-in-answer.example.org 300 A 10.53.0.3"));
+		$packet->push("authority", new Net::DNS::RR("glue-in-answer.example.org 300 NS ns.glue-in-answer.example.org"));
+		$packet->push("additional", new Net::DNS::RR("ns.glue-in-answer.example.org 300 A 10.53.0.3"));
+	} elsif ($qname =~ /\.broken/ || $qname =~ /^broken/) {
+		# Delegation to broken TLD.
+		$packet->push("authority", new Net::DNS::RR("broken 300 NS ns.broken"));
+		$packet->push("additional", new Net::DNS::RR("ns.broken 300 A 10.53.0.4"));
+	} else {
+		# Data for the "bogus referrals" test
+		$packet->push("authority", new Net::DNS::RR("below.www.example.com 300 NS ns.below.www.example.com"));
+		$packet->push("additional", new Net::DNS::RR("ns.below.www.example.com 300 A 10.53.0.3"));
+	}
+
+	$sock->send($packet->data);
+
+	print "RESPONSE:\n";
+	$packet->print;
+	print "\n";
+}
diff --git a/bin/tests/system/resolver/ans3/ans.pl b/bin/tests/system/resolver/ans3/ans.pl
new file mode 100644
index 0000000..d4d7ae7
--- /dev/null
+++ b/bin/tests/system/resolver/ans3/ans.pl
@@ -0,0 +1,183 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Ad hoc name server
+#
+
+use IO::File;
+use IO::Socket;
+use Net::DNS;
+use Net::DNS::Packet;
+
+# Ignore SIGPIPE so we won't fail if peer closes a TCP socket early
+local $SIG{PIPE} = 'IGNORE';
+
+# Flush logged output after every line
+local $| = 1;
+
+my $localport = int($ENV{'PORT'});
+if (!$localport) { $localport = 5300; }
+
+my $server_addr = "10.53.0.3";
+
+my $udpsock = IO::Socket::INET->new(LocalAddr => "$server_addr",
+   LocalPort => $localport, Proto => "udp", Reuse => 1) or die "$!";
+my $tcpsock = IO::Socket::INET->new(LocalAddr => "$server_addr",
+   LocalPort => $localport, Proto => "tcp", Listen => 5, Reuse => 1) or die "$!";
+
+my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
+print $pidf "$$\n" or die "cannot write pid file: $!";
+$pidf->close or die "cannot close pid file: $!";
+sub rmpid { unlink "ans.pid"; exit 1; };
+
+$SIG{INT} = \&rmpid;
+$SIG{TERM} = \&rmpid;
+
+sub handleQuery {
+	my $buf = shift;
+	my $packet;
+
+	if ($Net::DNS::VERSION > 0.68) {
+		$packet = new Net::DNS::Packet(\$buf, 0);
+		$@ and die $@;
+	} else {
+		my $err;
+		($packet, $err) = new Net::DNS::Packet(\$buf, 0);
+		$err and die $err;
+	}
+
+	print "REQUEST:\n";
+	$packet->print;
+
+	$packet->header->qr(1);
+	$packet->header->aa(1);
+
+	my @questions = $packet->question;
+	my $qname = $questions[0]->qname;
+	my $qtype = $questions[0]->qtype;
+
+	if ($qname eq "example.net" && $qtype eq "NS") {
+		$packet->push("answer", new Net::DNS::RR($qname . " 300 NS ns.example.net"));
+		$packet->push("additional", new Net::DNS::RR("ns.example.net 300 A 10.53.0.3"));
+	} elsif ($qname eq "ns.example.net") {
+		$packet->push("answer", new Net::DNS::RR($qname . " 300 A 10.53.0.3"));
+	} elsif ($qname eq "nodata.example.net") {
+		# Do not add a SOA RRset.
+	} elsif ($qname eq "nxdomain.example.net") {
+		# Do not add a SOA RRset.
+		$packet->header->rcode(NXDOMAIN);
+	} elsif ($qname eq "www.example.net") {
+		# Data for address/alias filtering.
+		if ($qtype eq "A") {
+			$packet->push("answer", new Net::DNS::RR($qname . " 300 A 192.0.2.1"));
+		} elsif ($qtype eq "AAAA") {
+			$packet->push("answer", new Net::DNS::RR($qname . " 300 AAAA 2001:db8:beef::1"));
+		}
+	} elsif ($qname eq "badcname.example.net") {
+		$packet->push("answer",
+			      new Net::DNS::RR($qname .
+				       " 300 CNAME badcname.example.org"));
+	} elsif (($qname eq "baddname.example.net" || $qname eq "gooddname.example.net") && $qtype eq "NS") {
+		$packet->push("authority", new Net::DNS::RR("example.net IN SOA (1 2 3 4 5)"))
+	} elsif ($qname eq "foo.baddname.example.net") {
+		$packet->push("answer",
+			      new Net::DNS::RR("baddname.example.net" .
+				       " 300 DNAME baddname.example.org"));
+	} elsif ($qname eq "foo.gooddname.example.net") {
+		$packet->push("answer",
+			      new Net::DNS::RR("gooddname.example.net" .
+				       " 300 DNAME gooddname.example.org"));
+	} elsif ($qname eq "goodcname.example.net") {
+		$packet->push("answer",
+			      new Net::DNS::RR($qname .
+				       " 300 CNAME goodcname.example.org"));
+	} elsif ($qname =~ /^nodata\.example\.net$/i) {
+		$packet->header->aa(1);
+	} elsif ($qname =~ /^nxdomain\.example\.net$/i) {
+		$packet->header->aa(1);
+		$packet->header->rcode(NXDOMAIN);
+	} elsif ($qname eq "large-referral.example.net") {
+		for (my $i = 1; $i < 1000; $i++) {
+			$packet->push("authority", new Net::DNS::RR("large-referral.example.net 300 NS ns" . $i . ".fake.redirect.com"));
+		}
+		# No glue records
+	} elsif ($qname eq "foo.bar.sub.tld1") {
+		$packet->push("answer", new Net::DNS::RR("$qname 300 TXT baz"));
+	} elsif ($qname eq "cname.sub.example.org") {
+		$packet->push("answer",
+			      new Net::DNS::RR($qname .
+				       " 300 CNAME ok.sub.example.org"));
+	} elsif ($qname eq "ok.sub.example.org") {
+		$packet->push("answer",
+			      new Net::DNS::RR($qname . " 300 A 192.0.2.1"));
+	} elsif ($qname eq "www.dname.sub.example.org") {
+		$packet->push("answer",
+			      new Net::DNS::RR("dname.sub.example.org" .
+				       " 300 DNAME ok.sub.example.org"));
+	} elsif ($qname eq "www.ok.sub.example.org") {
+		$packet->push("answer",
+			      new Net::DNS::RR($qname . " 300 A 192.0.2.1"));
+	} elsif ($qname eq "foo.glue-in-answer.example.org") {
+		$packet->push("answer", new Net::DNS::RR($qname . " 300 A 192.0.2.1"));
+	} elsif ($qname eq "ns.example.net") {
+		$packet->push("answer",
+			      new Net::DNS::RR($qname .
+				       " 300 A 10.53.0.3"));
+	} else {
+		$packet->push("answer", new Net::DNS::RR("www.example.com 300 A 1.2.3.4"));
+	}
+
+	print "RESPONSE:\n";
+	$packet->print;
+
+	return $packet->data;
+}
+
+# Main
+my $rin;
+my $rout;
+for (;;) {
+	$rin = '';
+	vec($rin, fileno($tcpsock), 1) = 1;
+	vec($rin, fileno($udpsock), 1) = 1;
+
+	select($rout = $rin, undef, undef, undef);
+
+	if (vec($rout, fileno($udpsock), 1)) {
+		printf "UDP request\n";
+		my $buf;
+		$udpsock->recv($buf, 512);
+		my $result = handleQuery($buf);
+		my $num_chars = $udpsock->send($result);
+		print "  Sent $num_chars bytes via UDP\n";
+	} elsif (vec($rout, fileno($tcpsock), 1)) {
+		my $conn = $tcpsock->accept;
+		my $buf;
+		for (;;) {
+			my $lenbuf;
+			my $n = $conn->sysread($lenbuf, 2);
+			last unless $n == 2;
+			my $len = unpack("n", $lenbuf);
+			$n = $conn->sysread($buf, $len);
+			last unless $n == $len;
+			print "TCP request\n";
+			my $result = handleQuery($buf);
+			$len = length($result);
+			$conn->syswrite(pack("n", $len), 2);
+			$n = $conn->syswrite($result, $len);
+			print "    Sent: $n chars via TCP\n";
+		}
+		$conn->close;
+	}
+}
diff --git a/bin/tests/system/resolver/ans8/ans.pl b/bin/tests/system/resolver/ans8/ans.pl
new file mode 100644
index 0000000..8c32915
--- /dev/null
+++ b/bin/tests/system/resolver/ans8/ans.pl
@@ -0,0 +1,168 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+use IO::File;
+use IO::Socket;
+use Data::Dumper;
+use Net::DNS;
+use Net::DNS::Packet;
+use strict;
+
+# Ignore SIGPIPE so we won't fail if peer closes a TCP socket early
+local $SIG{PIPE} = 'IGNORE';
+
+# Flush logged output after every line
+local $| = 1;
+
+my $server_addr = "10.53.0.8";
+
+my $localport = int($ENV{'PORT'});
+if (!$localport) { $localport = 5300; }
+
+my $udpsock = IO::Socket::INET->new(LocalAddr => "$server_addr",
+   LocalPort => $localport, Proto => "udp", Reuse => 1) or die "$!";
+my $tcpsock = IO::Socket::INET->new(LocalAddr => "$server_addr",
+   LocalPort => $localport, Proto => "tcp", Listen => 5, Reuse => 1) or die "$!";
+
+print "listening on $server_addr:$localport.\n";
+
+my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
+print $pidf "$$\n" or die "cannot write pid file: $!";
+$pidf->close or die "cannot close pid file: $!";;
+sub rmpid { unlink "ans.pid"; exit 1; };
+
+$SIG{INT} = \&rmpid;
+$SIG{TERM} = \&rmpid;
+
+sub handleUDP {
+	my ($buf) = @_;
+	my $request;
+
+	if ($Net::DNS::VERSION > 0.68) {
+		$request = new Net::DNS::Packet(\$buf, 0);
+		$@ and die $@;
+	} else {
+		my $err;
+		($request, $err) = new Net::DNS::Packet(\$buf, 0);
+		$err and die $err;
+	}
+
+	my @questions = $request->question;
+	my $qname = $questions[0]->qname;
+	my $qtype = $questions[0]->qtype;
+	my $qclass = $questions[0]->qclass;
+	my $id = $request->header->id;
+
+	my $response = new Net::DNS::Packet($qname, $qtype, $qclass);
+	$response->header->qr(1);
+	$response->header->aa(1);
+	$response->header->tc(0);
+	$response->header->id($id);
+
+	# Responses to queries for no-questions/NS and ns.no-questions/A are
+	# _not_ malformed or truncated.
+	if ($qname eq "no-questions" && $qtype eq "NS") {
+		$response->push("answer", new Net::DNS::RR($qname . " 300 NS ns.no-questions"));
+		$response->push("additional", new Net::DNS::RR("ns.no-questions. 300 A 10.53.0.8"));
+		return $response->data;
+	} elsif ($qname eq "ns.no-questions") {
+		$response->push("answer", new Net::DNS::RR($qname . " 300 A 10.53.0.8"))
+			if ($qtype eq "A");
+		return $response->data;
+	} elsif ($qname =~ /\.formerr-to-all$/) {
+		$response->header->rcode("FORMERR");
+		return $response->data;
+	}
+
+	# don't use Net::DNS to construct the header only reply as early
+	# versions just get it completely wrong.
+
+	if ($qname eq "truncated.no-questions") {
+		# QR, AA, TC
+		return (pack("nnnnnn", $id, 0x8600, 0, 0, 0, 0));
+	}
+	# QR, AA
+	return (pack("nnnnnn", $id, 0x8400, 0, 0, 0, 0));
+}
+
+sub handleTCP {
+	my ($buf) = @_;
+	my $request;
+
+	if ($Net::DNS::VERSION > 0.68) {
+		$request = new Net::DNS::Packet(\$buf, 0);
+		$@ and die $@;
+	} else {
+		my $err;
+		($request, $err) = new Net::DNS::Packet(\$buf, 0);
+		$err and die $err;
+	}
+
+	my @questions = $request->question;
+	my $qname = $questions[0]->qname;
+	my $qtype = $questions[0]->qtype;
+	my $qclass = $questions[0]->qclass;
+	my $id = $request->header->id;
+
+	my @results = ();
+	my $response = new Net::DNS::Packet($qname, $qtype, $qclass);
+
+	$response->header->qr(1);
+	$response->header->aa(1);
+	$response->header->id($id);
+
+	$response->push("answer", new Net::DNS::RR("$qname 300 A 1.2.3.4"));
+	push(@results, $response->data);
+
+	return \@results;
+}
+
+# Main
+my $rin;
+my $rout;
+for (;;) {
+	$rin = '';
+	vec($rin, fileno($tcpsock), 1) = 1;
+	vec($rin, fileno($udpsock), 1) = 1;
+
+	select($rout = $rin, undef, undef, undef);
+
+	if (vec($rout, fileno($udpsock), 1)) {
+		printf "UDP request\n";
+		my $buf;
+		$udpsock->recv($buf, 512);
+		my $result = handleUDP($buf);
+		my $num_chars = $udpsock->send($result);
+		print "  Sent $num_chars bytes via UDP\n";
+	} elsif (vec($rout, fileno($tcpsock), 1)) {
+		my $conn = $tcpsock->accept;
+		my $buf;
+		for (;;) {
+			my $lenbuf;
+			my $n = $conn->sysread($lenbuf, 2);
+			last unless $n == 2;
+			my $len = unpack("n", $lenbuf);
+			$n = $conn->sysread($buf, $len);
+			last unless $n == $len;
+			print "TCP request\n";
+			my $result = handleTCP($buf);
+			foreach my $response (@$result) {
+				$len = length($response);
+				$n = $conn->syswrite(pack("n", $len), 2);
+				$n = $conn->syswrite($response, $len);
+				print "    Sent: $n chars via TCP\n";
+			}
+		}
+		$conn->close;
+	}
+}
diff --git a/bin/tests/system/resolver/clean.sh b/bin/tests/system/resolver/clean.sh
new file mode 100644
index 0000000..06d74fc
--- /dev/null
+++ b/bin/tests/system/resolver/clean.sh
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Clean up after resolver tests.
+#
+rm -f */named.conf
+rm -f */named.memstats
+rm -f */named.run
+rm -f */ans.run
+rm -f */*.jdb
+rm -f dig.out dig.out.* dig.*.out.*
+rm -f dig.*.foo.*
+rm -f dig.*.bar.*
+rm -f dig.*.prime.*
+rm -f ns4/tld.db
+rm -f ns6/K*
+rm -f ns6/example.net.db.signed ns6/example.net.db
+rm -f ns6/ds.example.net.db.signed ns6/ds.example.net.db
+rm -f ns6/dsset-ds.example.net*
+rm -f ns6/dsset-example.net* ns6/example.net.db.signed.jnl
+rm -f ns6/named.stats*
+rm -f ns6/to-be-removed.tld.db ns6/to-be-removed.tld.db.jnl
+rm -f ns7/server.db ns7/server.db.jnl
+rm -f resolve.out.*.test*
+rm -f .digrc
+rm -f ns*/named.lock
+rm -f ns5/trusted.conf
+rm -f ns*/managed-keys.bind* ns*/*.mkeys*
diff --git a/bin/tests/system/resolver/ns1/chaostest.db b/bin/tests/system/resolver/ns1/chaostest.db
new file mode 100644
index 0000000..153f31d
--- /dev/null
+++ b/bin/tests/system/resolver/ns1/chaostest.db
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL		3600
+@		CHAOS SOA       @ @ 1970010100 86400 600 86400 300
+@		CHAOS NS        @
+version         CHAOS TXT       "CH 1.0"
+hostname        CHAOS TXT       "unknown"
diff --git a/bin/tests/system/resolver/ns1/named.conf.in b/bin/tests/system/resolver/ns1/named.conf.in
new file mode 100644
index 0000000..7ca1caf
--- /dev/null
+++ b/bin/tests/system/resolver/ns1/named.conf.in
@@ -0,0 +1,79 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1 dscp 1;
+	notify-source 10.53.0.1 dscp 2;
+	transfer-source 10.53.0.1 dscp 3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	deny-answer-addresses { 192.0.2.0/24; 2001:db8:beef::/48; }
+		 except-from { "example.org"; };
+	deny-answer-aliases { "example.org"; }
+		except-from { "goodcname.example.net";
+			      "gooddname.example.net"; };
+	allow-query {!10.53.0.8; any; };
+	max-zone-ttl unlimited;
+	attach-cache "globalcache";
+};
+
+server 10.53.0.3 {
+	tcp-only yes;
+};
+
+server 10.42.23.3/32 {
+     notify-source 10.42.22.1;
+     query-source address 10.42.22.1 port 0;
+     transfer-source 10.42.22.1;
+};
+
+server fd92:7065:b8e:ffff::1000 {
+     notify-source-v6 fd92:7065:b8e:ffff::1001;
+     query-source-v6 address fd92:7065:b8e:ffff::1001 port 0;
+     transfer-source-v6 fd92:7065:b8e:ffff::1001;
+};
+
+/*
+ * Must be first view so that there is a CH cache with name
+ * "globalcache" before the recursive "default"/IN view is configured.
+ */
+view "class" chaos {
+	zone "chaostest" CHAOS {
+                type primary;
+                file "chaostest.db";
+        };
+};
+
+/*
+ * Must be second view so that so that we can check we don't attach to the
+ * "globalcache"/CH cache.
+ */
+view "default" {
+	zone "." {
+		type hint;
+		file "root.hint";
+	};
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
diff --git a/bin/tests/system/resolver/ns1/root.hint b/bin/tests/system/resolver/ns1/root.hint
new file mode 100644
index 0000000..993227d
--- /dev/null
+++ b/bin/tests/system/resolver/ns1/root.hint
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 999999
+.			 IN NS	a.root-servers.nil.
+a.root-servers.nil.	 IN A	10.53.0.2
diff --git a/bin/tests/system/resolver/ns4/broken.db b/bin/tests/system/resolver/ns4/broken.db
new file mode 100644
index 0000000..eb64f85
--- /dev/null
+++ b/bin/tests/system/resolver/ns4/broken.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ 			IN SOA	marka.isc.org. ns.server. (
+				2010   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+@			NS	ns.tld.
+ns			A	10.53.0.4
+$TTL 5
+sub.broken. 		NS	ns.sub.broken.
+ns.sub.broken.		A	10.53.0.6
diff --git a/bin/tests/system/resolver/ns4/child.server.db b/bin/tests/system/resolver/ns4/child.server.db
new file mode 100644
index 0000000..188eb4a
--- /dev/null
+++ b/bin/tests/system/resolver/ns4/child.server.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ 			IN SOA	marka.isc.org. ns.server. (
+				2010   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+@			NS	ns
+ns			A	10.53.0.4
+foo			TXT	"From NS 4"
+bar			TXT	"From NS 4"
diff --git a/bin/tests/system/resolver/ns4/moves.db b/bin/tests/system/resolver/ns4/moves.db
new file mode 100644
index 0000000..dc1c396
--- /dev/null
+++ b/bin/tests/system/resolver/ns4/moves.db
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ 			IN SOA	marka.isc.org. ns.server. (
+				2010   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+@			NS	ns.server.
+foo			TXT	"From NS 4"
+bar			TXT	"From NS 4"
diff --git a/bin/tests/system/resolver/ns4/named.conf.in b/bin/tests/system/resolver/ns4/named.conf.in
new file mode 100644
index 0000000..74a4066
--- /dev/null
+++ b/bin/tests/system/resolver/ns4/named.conf.in
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS4
+
+options {
+	query-source address 10.53.0.4 dscp 4;
+	notify-source 10.53.0.4 dscp 5;
+	transfer-source 10.53.0.4 dscp 6;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+	/* test that named loads with root-delegation-only */
+	root-delegation-only;
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
+
+zone "moves" {
+	type primary;
+	file "moves.db";
+};
+
+zone "child.server" {
+	type primary;
+	file "child.server.db";
+};
+
+zone "tld" {
+	type primary;
+	file "tld.db";
+};
+
+zone "broken" {
+	type primary;
+	file "broken.db";
+};
+
+zone "sourcens" {
+    type primary;
+    file "sourcens.db";
+};
+
+zone "v4only.net" {
+	type primary;
+	file "v4only.net.db";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
diff --git a/bin/tests/system/resolver/ns4/named.noaa b/bin/tests/system/resolver/ns4/named.noaa
new file mode 100644
index 0000000..be78cc2
--- /dev/null
+++ b/bin/tests/system/resolver/ns4/named.noaa
@@ -0,0 +1,12 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0.  If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+
+Add -T noaa.
diff --git a/bin/tests/system/resolver/ns4/root.db b/bin/tests/system/resolver/ns4/root.db
new file mode 100644
index 0000000..71d90e3
--- /dev/null
+++ b/bin/tests/system/resolver/ns4/root.db
@@ -0,0 +1,34 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. 			IN SOA	marka.isc.org. a.root.servers.nil. (
+				2010   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.4
+all-cnames		NS	cname.tld
+delegation-only.	NS	ns.delegation-only.
+ns.delegation-only.	A	10.53.0.6
+example.net.		NS	ns.example.net.
+ns.example.net.		A	10.53.0.6
+no-questions.		NS	ns.no-questions.
+ns.no-questions.	A	10.53.0.8
+formerr-to-all.		NS	ns.formerr-to-all.
+ns.formerr-to-all.	A	10.53.0.8
+sourcens.		NS	ns.sourcens.
+ns.sourcens.		A	10.53.0.4
+targetns. 		NS	ns.targetns.
+ns.targetns.		A	10.53.0.6
diff --git a/bin/tests/system/resolver/ns4/sourcens.db b/bin/tests/system/resolver/ns4/sourcens.db
new file mode 100644
index 0000000..3567cfb
--- /dev/null
+++ b/bin/tests/system/resolver/ns4/sourcens.db
@@ -0,0 +1,91 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This zone contains a set of delegations with varying numbers of NS
+; records.  This is used to check that BIND is limiting the number of
+; NS records it follows when resolving a delegation.  It tests all
+; numbers of NS records up to twice the number followed.
+
+$TTL 60
+@ 			IN SOA	marka.isc.org. ns.server. (
+				2010   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+@			NS	ns
+ns			A	10.53.0.4
+
+target1  		NS	ns.fake11.targetns.
+
+target2  		NS	ns.fake21.targetns.
+			NS	ns.fake22.targetns.
+
+target3  		NS	ns.fake31.targetns.
+			NS	ns.fake32.targetns.
+			NS	ns.fake33.targetns.
+
+target4  		NS	ns.fake41.targetns.
+			NS	ns.fake42.targetns.
+			NS	ns.fake43.targetns.
+			NS	ns.fake44.targetns.
+
+target5  		NS	ns.fake51.targetns.
+			NS	ns.fake52.targetns.
+			NS	ns.fake53.targetns.
+			NS	ns.fake54.targetns.
+			NS	ns.fake55.targetns.
+
+target6  		NS	ns.fake61.targetns.
+			NS	ns.fake62.targetns.
+			NS	ns.fake63.targetns.
+			NS	ns.fake64.targetns.
+			NS	ns.fake65.targetns.
+			NS	ns.fake66.targetns.
+
+target7  		NS	ns.fake71.targetns.
+			NS	ns.fake72.targetns.
+			NS	ns.fake73.targetns.
+			NS	ns.fake74.targetns.
+			NS	ns.fake75.targetns.
+			NS	ns.fake76.targetns.
+			NS	ns.fake77.targetns.
+
+target8  		NS	ns.fake81.targetns.
+			NS	ns.fake82.targetns.
+			NS	ns.fake83.targetns.
+			NS	ns.fake84.targetns.
+			NS	ns.fake85.targetns.
+			NS	ns.fake86.targetns.
+			NS	ns.fake87.targetns.
+			NS	ns.fake88.targetns.
+
+target9  		NS	ns.fake91.targetns.
+			NS	ns.fake92.targetns.
+			NS	ns.fake93.targetns.
+			NS	ns.fake94.targetns.
+			NS	ns.fake95.targetns.
+			NS	ns.fake96.targetns.
+			NS	ns.fake97.targetns.
+			NS	ns.fake98.targetns.
+			NS	ns.fake99.targetns.
+
+target10  		NS	ns.fake101.targetns.
+			NS	ns.fake102.targetns.
+			NS	ns.fake103.targetns.
+			NS	ns.fake104.targetns.
+			NS	ns.fake105.targetns.
+			NS	ns.fake106.targetns.
+			NS	ns.fake107.targetns.
+			NS	ns.fake108.targetns.
+			NS	ns.fake109.targetns.
+			NS	ns.fake1010.targetns.
diff --git a/bin/tests/system/resolver/ns4/tld1.db b/bin/tests/system/resolver/ns4/tld1.db
new file mode 100644
index 0000000..03d7908
--- /dev/null
+++ b/bin/tests/system/resolver/ns4/tld1.db
@@ -0,0 +1,35 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ 			IN SOA	marka.isc.org. ns.server. (
+				2010   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+@			NS	ns.tld.
+ns			A	10.53.0.4
+$TTL 5
+to-be-removed 		NS	ns.to-be-removed
+ns.to-be-removed	A	10.53.0.6
+fetch.tld.		NS	ns.fetch.tld.
+ns.fetch.tld.		A	10.53.0.6
+no-edns-version.tld.	NS	ns.no-edns-version.tld.
+ns.no-edns-version.tld.	A	10.53.0.6
+edns-version.tld.	NS	ns.edns-version.tld.
+ns.edns-version.tld.	A	10.53.0.7
+cname			CNAME	ns7
+ns7			A	10.53.0.7
+mixedttl 10		A	10.0.0.1
+mixedttl 15		TXT	a TXT record
+mixedttl 20		AAAA	2001:db8::1
diff --git a/bin/tests/system/resolver/ns4/tld2.db b/bin/tests/system/resolver/ns4/tld2.db
new file mode 100644
index 0000000..c3a96d9
--- /dev/null
+++ b/bin/tests/system/resolver/ns4/tld2.db
@@ -0,0 +1,35 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ 			IN SOA	marka.isc.org. ns.server. (
+				2010   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+@			NS	ns.tld.
+ns			A	10.53.0.4
+fetch.tld.		NS	ns.fetch.tld.
+ns.fetch.tld.		A	10.53.0.6
+fetchall  10              A     1.2.3.4
+fetchall  10              AAAA  ::1
+fetchall  10              TXT   A short ttl
+no-edns-version.tld.	NS	ns.no-edns-version.tld.
+ns.no-edns-version.tld.	A	10.53.0.6
+edns-version.tld.	NS	ns.edns-version.tld.
+ns.edns-version.tld.	A	10.53.0.7
+cname			CNAME	ns7
+ns7			A	10.53.0.7
+mixedttl 10		A	10.0.0.1
+mixedttl 15		TXT	a TXT record
+mixedttl 20		AAAA	2001:db8::1
diff --git a/bin/tests/system/resolver/ns4/v4only.net.db b/bin/tests/system/resolver/ns4/v4only.net.db
new file mode 100644
index 0000000..b097f3a
--- /dev/null
+++ b/bin/tests/system/resolver/ns4/v4only.net.db
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ 			IN SOA	marka.isc.org. ns.server. (
+				2010   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+@			NS	v4.nameserver.
+			A	10.0.0.1
+*			CNAME	@
diff --git a/bin/tests/system/resolver/ns5/child.server.db b/bin/tests/system/resolver/ns5/child.server.db
new file mode 100644
index 0000000..2517b6c
--- /dev/null
+++ b/bin/tests/system/resolver/ns5/child.server.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ 			IN SOA	marka.isc.org. ns.server. (
+				2010   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+@			NS	ns
+ns			A	10.53.0.5
+foo			TXT	"From NS 5"
+bar			TXT	"From NS 5"
diff --git a/bin/tests/system/resolver/ns5/moves.db b/bin/tests/system/resolver/ns5/moves.db
new file mode 100644
index 0000000..57f4e91
--- /dev/null
+++ b/bin/tests/system/resolver/ns5/moves.db
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ 			IN SOA	marka.isc.org. ns.server. (
+				2010   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+@			NS	ns.server.
+foo			TXT	"From NS 5"
+bar			TXT	"From NS 5"
diff --git a/bin/tests/system/resolver/ns5/named.conf.in b/bin/tests/system/resolver/ns5/named.conf.in
new file mode 100644
index 0000000..eada94c
--- /dev/null
+++ b/bin/tests/system/resolver/ns5/named.conf.in
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS5
+
+options {
+	query-source address 10.53.0.5 dscp 7;
+	notify-source 10.53.0.5 dscp 8;
+	transfer-source 10.53.0.5 dscp 9;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.5; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	querylog yes;
+	prefetch 4 10;
+};
+
+server 10.53.0.7 {
+	edns-version 0;
+};
+
+zone "." {
+	type hint;
+	file "root.hint";
+};
+
+zone "moves" {
+	type primary;
+	file "moves.db";
+};
+
+zone "child.server" {
+	type primary;
+	file "child.server.db";
+};
+
+zone "delegation-only" {
+       type delegation-only;
+};
+
+key rndc_key {
+        secret "1234abcd8765";
+        algorithm hmac-sha256;
+};
+
+controls {
+        inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
diff --git a/bin/tests/system/resolver/ns5/root.hint b/bin/tests/system/resolver/ns5/root.hint
new file mode 100644
index 0000000..3685f54
--- /dev/null
+++ b/bin/tests/system/resolver/ns5/root.hint
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 999999
+.			 IN NS	a.root-servers.nil.
+a.root-servers.nil.	 IN A	10.53.0.4
diff --git a/bin/tests/system/resolver/ns6/broken.db b/bin/tests/system/resolver/ns6/broken.db
new file mode 100644
index 0000000..85b36bf
--- /dev/null
+++ b/bin/tests/system/resolver/ns6/broken.db
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@	IN SOA	ns hostmaster 1 1800 900 604800 600
+@	IN NS	ns
+ns	IN A	10.53.0.6
+ns0	IN A	10.53.0.6
+ns1	IN A	10.53.0.6
+ns2	IN A	10.53.0.6
+ns3	IN A	10.53.0.6
+ns4	IN A	10.53.0.6
+ns5	IN A	10.53.0.6
+ns6	IN A	10.53.0.6
+ns7	IN A	10.53.0.6
+ns8	IN A	10.53.0.6
+ns9	IN A	10.53.0.6
+$TTL 1
+@	IN A	10.53.0.6
+www.sub	IN A	10.53.0.6
diff --git a/bin/tests/system/resolver/ns6/delegation-only.db b/bin/tests/system/resolver/ns6/delegation-only.db
new file mode 100644
index 0000000..b144338
--- /dev/null
+++ b/bin/tests/system/resolver/ns6/delegation-only.db
@@ -0,0 +1,33 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 120
+@	IN	SOA	ns	marka.isc.org. 1 0 0 0 120
+@	IN	NS	ns
+@	IN	DNSKEY	256 3 7 AwEAAY9437GPWJHzBeR4FP6eJAie7gh2QSM6LUnbDAHvHOx8MNqgSVRM PZka2rAgivb65/MkT1lXRUegj91iRFP3iggTpCgvdUbcBjsYrdODsrwF YUMIUl1pU0lH9x7KvfFUOfSmG+Rk5UHUWuRZbNyc65Sq69iFXg5c11+8 MAkRoeDF
+;
+;	Delegation only test CDS and CDNSKEY records.  These should be
+;	returned even if delegation-only is set for this zone.
+;
+@	IN	A	1.2.3.4
+@	IN	AAAA	c::1.2.3.4
+@	IN	CDS 	12023 7 2 36FB69A752615831B47EA6EF9EA4619D0FB08ABDA69EA3ED200F4C02FF4921D4
+@	IN	CDNSKEY	256 3 7 AwEAAY9437GPWJHzBeR4FP6eJAie7gh2QSM6LUnbDAHvHOx8MNqgSVRM PZka2rAgivb65/MkT1lXRUegj91iRFP3iggTpCgvdUbcBjsYrdODsrwF YUMIUl1pU0lH9x7KvfFUOfSmG+Rk5UHUWuRZbNyc65Sq69iFXg5c11+8 MAkRoeDF
+;
+;	Delegation only test CDS and CDNSKEY records.  These should be rejected
+;	as they are not at the zone apex.
+;
+a	IN	A	1.2.3.4
+aaaa	IN	AAAA	c::1.2.3.4
+cds	IN	CDS	21366 7 1 E6C1716CFB6BDC84E84CE1AB5510DAC69173B5B2
+cdnskey	IN	CDNSKEY	256 3 7 AwEAAY9437GPWJHzBeR4FP6eJAie7gh2QSM6LUnbDAHvHOx8MNqgSVRM PZka2rAgivb65/MkT1lXRUegj91iRFP3iggTpCgvdUbcBjsYrdODsrwF YUMIUl1pU0lH9x7KvfFUOfSmG+Rk5UHUWuRZbNyc65Sq69iFXg5c11+8 MAkRoeDF
+;
+ns	IN	A	10.53.0.6
diff --git a/bin/tests/system/resolver/ns6/ds.example.net.db.in b/bin/tests/system/resolver/ns6/ds.example.net.db.in
new file mode 100644
index 0000000..fad382b
--- /dev/null
+++ b/bin/tests/system/resolver/ns6/ds.example.net.db.in
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@	IN SOA	ns hostmaster 1 1800 900 604800 600
+@	IN NS	ns
+ns	IN A	10.53.0.6
diff --git a/bin/tests/system/resolver/ns6/example.net.db.in b/bin/tests/system/resolver/ns6/example.net.db.in
new file mode 100644
index 0000000..740804a
--- /dev/null
+++ b/bin/tests/system/resolver/ns6/example.net.db.in
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@	IN SOA	ns hostmaster 1 1800 900 604800 600
+@	IN NS	ns
+@	IN MX	0 mail
+ns	IN A	10.53.0.6
+mail	IN A	10.53.0.6
+fetch 10 IN TXT A short ttl
+non-zero 10 IN TXT A short ttl
+zero 0  IN TXT	A zero ttl
+$TTL 13
+ds 	IN NS	ns.ds
+ns.ds	IN A	10.53.0.6
diff --git a/bin/tests/system/resolver/ns6/fetch.tld.db b/bin/tests/system/resolver/ns6/fetch.tld.db
new file mode 100644
index 0000000..1d59e5a
--- /dev/null
+++ b/bin/tests/system/resolver/ns6/fetch.tld.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ 			IN SOA	marka.isc.org. ns.fetch.tld. (
+				2010   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+@			NS	ns.fetch.tld.
+ns.fetch.tld.		A	10.53.0.6
+
+@	13		TXT	A short ttl
diff --git a/bin/tests/system/resolver/ns6/keygen.sh b/bin/tests/system/resolver/ns6/keygen.sh
new file mode 100644
index 0000000..e992154
--- /dev/null
+++ b/bin/tests/system/resolver/ns6/keygen.sh
@@ -0,0 +1,39 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+#
+# We use rsasha256 here to get a ZSK + KSK that don't fit in 512 bytes.
+#
+zone=ds.example.net
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+cp $infile $zonefile
+ksk=$($KEYGEN -q -a rsasha256 -fk $zone)
+zsk=$($KEYGEN -q -a rsasha256 -b 2048 $zone)
+cat $ksk.key $zsk.key >> $zonefile
+$SIGNER -P -o $zone $zonefile > /dev/null
+
+zone=example.net
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+cp $infile $zonefile
+ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -fk $zone)
+zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $zone)
+cat $ksk.key $zsk.key dsset-ds.example.net$TP >> $zonefile
+$SIGNER -P -o $zone $zonefile > /dev/null
+
+# Configure a static key to be used by delv
+keyfile_to_static_ds $ksk > ../ns5/trusted.conf
diff --git a/bin/tests/system/resolver/ns6/moves.db b/bin/tests/system/resolver/ns6/moves.db
new file mode 100644
index 0000000..06634ee
--- /dev/null
+++ b/bin/tests/system/resolver/ns6/moves.db
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ 			IN SOA	marka.isc.org. ns.server. (
+				2010   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+@			NS	ns.server.
+foo			TXT	"From NS 6"
+bar			TXT	"From NS 6"
diff --git a/bin/tests/system/resolver/ns6/named.conf.in b/bin/tests/system/resolver/ns6/named.conf.in
new file mode 100644
index 0000000..9ed68be
--- /dev/null
+++ b/bin/tests/system/resolver/ns6/named.conf.in
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS6
+
+options {
+	query-source address 10.53.0.6 dscp 10;
+	notify-source 10.53.0.6 dscp 11;
+	transfer-source 10.53.0.6 dscp 12;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.6; };
+	listen-on-v6 { fd92:7065:b8e:ffff::6; };
+	recursion no;
+	dnssec-validation no;
+	querylog yes;
+	statistics-file "named.stats";
+	/*
+	 * test that named loads with root-delegation-only that
+	 * has a exclude list.
+	 */
+	root-delegation-only exclude { "a"; };
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
+
+zone "example.net" {
+	type primary;
+	file "example.net.db.signed";
+	allow-update { any; };
+};
+
+zone "ds.example.net" {
+	type primary;
+	file "ds.example.net.db.signed";
+	allow-update { any; };
+};
+
+zone "to-be-removed.tld" {
+	type primary;
+	file "to-be-removed.tld.db";
+	allow-update { any; };
+};
+
+zone "broken" {
+	type primary;
+	file "broken.db";
+	allow-update { any; };
+};
+
+zone "redirect.com" {
+	type primary;
+	file "redirect.com.db";
+};
+
+zone "tld1" {
+	type primary;
+	file "tld1.db";
+};
+
+zone "no-edns-version.tld" {
+	type primary;
+	file "no-edns-version.tld.db";
+};
+
+zone "delegation-only" {
+	type primary;
+	file "delegation-only.db";
+};
+
+zone "fetch.tld" {
+	type primary;
+	file "fetch.tld.db";
+};
+
+zone "targetns" {
+	type primary;
+	file "targetns.db";
+};
+
+key rndc_key {
+        secret "1234abcd8765";
+        algorithm hmac-sha256;
+};
+
+controls {
+        inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
diff --git a/bin/tests/system/resolver/ns6/no-edns-version.tld.db b/bin/tests/system/resolver/ns6/no-edns-version.tld.db
new file mode 100644
index 0000000..9ab654d
--- /dev/null
+++ b/bin/tests/system/resolver/ns6/no-edns-version.tld.db
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@	SOA	. . 0 0 0 0 0
+@	NS	ns
+ns	A	10.53.0.6
diff --git a/bin/tests/system/resolver/ns6/redirect.com.db b/bin/tests/system/resolver/ns6/redirect.com.db
new file mode 100644
index 0000000..f79f6dd
--- /dev/null
+++ b/bin/tests/system/resolver/ns6/redirect.com.db
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@	IN SOA	ns hostmaster 1 1800 900 604800 600
+@	IN NS	ns
+ns	IN A	10.53.0.6
+
+; 10.53.1.* are non-responsive IP addresses
+$GENERATE 1-100    ns$.fake IN A 10.53.1.$
+$GENERATE 101-200  ns$.fake IN A 10.53.1.${-100}
+$GENERATE 201-300  ns$.fake IN A 10.53.1.${-200}
+$GENERATE 301-400  ns$.fake IN A 10.53.1.${-300}
+$GENERATE 401-500  ns$.fake IN A 10.53.1.${-400}
+$GENERATE 501-600  ns$.fake IN A 10.53.1.${-500}
+$GENERATE 601-700  ns$.fake IN A 10.53.1.${-600}
+$GENERATE 701-800  ns$.fake IN A 10.53.1.${-700}
+$GENERATE 801-900  ns$.fake IN A 10.53.1.${-800}
+$GENERATE 901-1000 ns$.fake IN A 10.53.1.${-900}
diff --git a/bin/tests/system/resolver/ns6/root.db b/bin/tests/system/resolver/ns6/root.db
new file mode 100644
index 0000000..096381c
--- /dev/null
+++ b/bin/tests/system/resolver/ns6/root.db
@@ -0,0 +1,36 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. 			IN SOA	marka.isc.org. a.root.servers.nil. (
+				2010   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.6
+a.root-servers.nil.	AAAA	fd92:7065:b8e:ffff::6
+moves.			NS	ns.server.
+server.			NS	ns7.server.
+ns7.server.		A	10.53.0.7
+;
+; These two delegations are strictly not necessary as the test resolver (ns5)
+; doesn't have this zone as its root.  They are just done for consistency with
+; the delegations in ns4/tld.
+;
+no-edns-version.tld.	NS	ns.no-edns-version.tld.
+ns.no-edns-version.tld.	A	10.53.0.6
+edns-version.tld.	NS	ns.edns-version.tld.
+ns.edns-version.tld.	A	10.53.0.7
+v4only.net.		NS	v4.nameserver.
+v4.nameserver.		A	10.53.0.4
diff --git a/bin/tests/system/resolver/ns6/targetns.db b/bin/tests/system/resolver/ns6/targetns.db
new file mode 100644
index 0000000..4d9496b
--- /dev/null
+++ b/bin/tests/system/resolver/ns6/targetns.db
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; In the test for checking how many NS records BIND will follow, this
+; zone marks the server as the one to which the NS lookups will be
+; directed.
+
+$TTL 300
+@ 			IN SOA	marka.isc.org. ns.server. (
+				2010   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+			NS	ns
+ns			A	10.53.0.6
diff --git a/bin/tests/system/resolver/ns6/tld1.db b/bin/tests/system/resolver/ns6/tld1.db
new file mode 100644
index 0000000..412509b
--- /dev/null
+++ b/bin/tests/system/resolver/ns6/tld1.db
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@	IN SOA	ns hostmaster 1 1800 900 604800 600
+@	IN NS	ns
+ns	IN A	10.53.0.6
+
+$GENERATE 1-21 sub IN NS sub-ns$.tld2.
diff --git a/bin/tests/system/resolver/ns6/to-be-removed.tld.db.in b/bin/tests/system/resolver/ns6/to-be-removed.tld.db.in
new file mode 100644
index 0000000..5638090
--- /dev/null
+++ b/bin/tests/system/resolver/ns6/to-be-removed.tld.db.in
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@	IN SOA	ns hostmaster 1 1800 900 604800 600
+@	IN NS	ns
+ns	IN A	10.53.0.6
+ns0	IN A	10.53.0.6
+ns1	IN A	10.53.0.6
+ns2	IN A	10.53.0.6
+ns3	IN A	10.53.0.6
+ns4	IN A	10.53.0.6
+ns5	IN A	10.53.0.6
+ns6	IN A	10.53.0.6
+ns7	IN A	10.53.0.6
+ns8	IN A	10.53.0.6
+ns9	IN A	10.53.0.6
+$TTL 1
+@	IN A	10.53.0.6
+www	IN A	10.53.0.6
diff --git a/bin/tests/system/resolver/ns7/all-cnames.db b/bin/tests/system/resolver/ns7/all-cnames.db
new file mode 100644
index 0000000..85003ee
--- /dev/null
+++ b/bin/tests/system/resolver/ns7/all-cnames.db
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ 			IN SOA	marka.isc.org. ns.server. (
+				2010   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+@			NS	cname.tld.
diff --git a/bin/tests/system/resolver/ns7/edns-version.tld.db b/bin/tests/system/resolver/ns7/edns-version.tld.db
new file mode 100644
index 0000000..bcfae40
--- /dev/null
+++ b/bin/tests/system/resolver/ns7/edns-version.tld.db
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@	SOA	. . 0 0 0 0 0
+@	NS	ns
+ns	A	10.53.0.7
diff --git a/bin/tests/system/resolver/ns7/named1.conf.in b/bin/tests/system/resolver/ns7/named1.conf.in
new file mode 100644
index 0000000..2070ffa
--- /dev/null
+++ b/bin/tests/system/resolver/ns7/named1.conf.in
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS7
+
+options {
+	query-source address 10.53.0.7 dscp 13;
+	notify-source 10.53.0.7 dscp 14;
+	transfer-source 10.53.0.7 dscp 15;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.7; };
+	listen-on-v6 { fd92:7065:b8e:ffff::7; };
+	recursion yes;
+	dnssec-validation yes;
+	empty-zones-enable yes;
+	disable-empty-zone 20.172.in-addr.arpa;
+	/*
+	 * check prefetch disabled
+	 * check zero ttl not returned
+	 */
+	prefetch 0;
+	querylog yes;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "root.hint";
+};
+
+zone "server" {
+	type primary;
+	file "server.db";
+	allow-update { any; };
+};
+
+zone "edns-version.tld" {
+	type primary;
+	file "edns-version.tld.db";
+};
+
+zone "all-cnames" {
+	type primary;
+	file "all-cnames.db";
+};
+
+zone "tld2" {
+	type primary;
+	file "tld2.db";
+};
+
+zone "sub.tld1" {
+	type primary;
+	file "sub.tld1.db";
+};
diff --git a/bin/tests/system/resolver/ns7/named2.conf.in b/bin/tests/system/resolver/ns7/named2.conf.in
new file mode 100644
index 0000000..2070ffa
--- /dev/null
+++ b/bin/tests/system/resolver/ns7/named2.conf.in
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS7
+
+options {
+	query-source address 10.53.0.7 dscp 13;
+	notify-source 10.53.0.7 dscp 14;
+	transfer-source 10.53.0.7 dscp 15;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.7; };
+	listen-on-v6 { fd92:7065:b8e:ffff::7; };
+	recursion yes;
+	dnssec-validation yes;
+	empty-zones-enable yes;
+	disable-empty-zone 20.172.in-addr.arpa;
+	/*
+	 * check prefetch disabled
+	 * check zero ttl not returned
+	 */
+	prefetch 0;
+	querylog yes;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "root.hint";
+};
+
+zone "server" {
+	type primary;
+	file "server.db";
+	allow-update { any; };
+};
+
+zone "edns-version.tld" {
+	type primary;
+	file "edns-version.tld.db";
+};
+
+zone "all-cnames" {
+	type primary;
+	file "all-cnames.db";
+};
+
+zone "tld2" {
+	type primary;
+	file "tld2.db";
+};
+
+zone "sub.tld1" {
+	type primary;
+	file "sub.tld1.db";
+};
diff --git a/bin/tests/system/resolver/ns7/root.hint b/bin/tests/system/resolver/ns7/root.hint
new file mode 100644
index 0000000..3337bd5
--- /dev/null
+++ b/bin/tests/system/resolver/ns7/root.hint
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 999999
+.			 IN NS	a.root-servers.nil.
+a.root-servers.nil.	 IN A	10.53.0.6
diff --git a/bin/tests/system/resolver/ns7/server.db.in b/bin/tests/system/resolver/ns7/server.db.in
new file mode 100644
index 0000000..7d5169a
--- /dev/null
+++ b/bin/tests/system/resolver/ns7/server.db.in
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ 			IN SOA	marka.isc.org. a.root.servers.nil. (
+				2010   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+@			NS	ns7
+ns7			A	10.53.0.7
+ns			A	10.53.0.5
+child			NS	ns.child
+ns.child		A	10.53.0.5
diff --git a/bin/tests/system/resolver/ns7/sub.tld1.db b/bin/tests/system/resolver/ns7/sub.tld1.db
new file mode 100644
index 0000000..b2d46c6
--- /dev/null
+++ b/bin/tests/system/resolver/ns7/sub.tld1.db
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@	IN SOA	ns hostmaster 1 1800 900 604800 600
+
+$GENERATE 1-21 @ IN NS sub-ns$.tld2.
+
+$GENERATE 1-21 bar IN NS bar-sub-ns$.tld2.
diff --git a/bin/tests/system/resolver/ns7/tld2.db b/bin/tests/system/resolver/ns7/tld2.db
new file mode 100644
index 0000000..1f31b51
--- /dev/null
+++ b/bin/tests/system/resolver/ns7/tld2.db
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@	IN SOA	ns hostmaster 1 1800 900 604800 600
+@	IN NS	ns
+ns	IN A	10.53.0.7
+
+$GENERATE 1-21 sub-ns$ IN A 10.53.0.7
+$GENERATE 1-21 bar-sub-ns$ IN A 10.53.0.3
diff --git a/bin/tests/system/resolver/ns9/named.args b/bin/tests/system/resolver/ns9/named.args
new file mode 100644
index 0000000..0c66bc0
--- /dev/null
+++ b/bin/tests/system/resolver/ns9/named.args
@@ -0,0 +1,2 @@
+# this server is IPv6 only
+-6 -m record -c named.conf -d 99 -D resolver-ns9 -X named.lock -g -T maxcachesize=2097152
diff --git a/bin/tests/system/resolver/ns9/named.conf.in b/bin/tests/system/resolver/ns9/named.conf.in
new file mode 100644
index 0000000..3be31db
--- /dev/null
+++ b/bin/tests/system/resolver/ns9/named.conf.in
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS9
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { none; };
+	listen-on-v6 { fd92:7065:b8e:ffff::9; };
+	recursion yes;
+	dnssec-validation yes;
+	dual-stack-servers { fd92:7065:b8e:ffff::7; };
+	qname-minimization off;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+	inet fd92:7065:b8e:ffff::9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "root.hint";
+};
diff --git a/bin/tests/system/resolver/ns9/named.ipv6-only b/bin/tests/system/resolver/ns9/named.ipv6-only
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/bin/tests/system/resolver/ns9/named.ipv6-only
diff --git a/bin/tests/system/resolver/ns9/root.hint b/bin/tests/system/resolver/ns9/root.hint
new file mode 100644
index 0000000..f74fbf1
--- /dev/null
+++ b/bin/tests/system/resolver/ns9/root.hint
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 999999
+.			 IN NS	 a.root-servers.nil.
+a.root-servers.nil.	 IN A	 10.53.0.6
+a.root-servers.nil.	 IN AAAA fd92:7065:b8e:ffff::6;
diff --git a/bin/tests/system/resolver/prereq.sh b/bin/tests/system/resolver/prereq.sh
new file mode 100644
index 0000000..902f8db
--- /dev/null
+++ b/bin/tests/system/resolver/prereq.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if $PERL -e 'use Net::DNS;' 2>/dev/null
+then
+    if $PERL -e 'use Net::DNS; die if ($Net::DNS::VERSION eq "0.76" || $Net::DNS::VERSION eq "0.77");' 2>/dev/null
+    then
+	:
+    else
+	echo_i "Net::DNS version 0.76 and 0.77 have a bug that causes this test to fail: please update." >&2
+	exit 1
+    fi
+else
+    echo_i "This test requires the Net::DNS library." >&2
+    exit 1
+fi
+
+exit 0
diff --git a/bin/tests/system/resolver/setup.sh b/bin/tests/system/resolver/setup.sh
new file mode 100644
index 0000000..0f0832c
--- /dev/null
+++ b/bin/tests/system/resolver/setup.sh
@@ -0,0 +1,28 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+cp ns4/tld1.db ns4/tld.db
+cp ns6/to-be-removed.tld.db.in ns6/to-be-removed.tld.db
+cp ns7/server.db.in ns7/server.db
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+copy_setports ns6/named.conf.in ns6/named.conf
+copy_setports ns7/named1.conf.in ns7/named.conf
+copy_setports ns9/named.conf.in ns9/named.conf
+
+(cd ns6 && $SHELL keygen.sh)
diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh
new file mode 100755
index 0000000..379b1d7
--- /dev/null
+++ b/bin/tests/system/resolver/tests.sh
@@ -0,0 +1,927 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+dig_with_opts() {
+	"${DIG}" -p "${PORT}" "${@}"
+}
+
+resolve_with_opts() {
+	"${RESOLVE}" -p "${PORT}" "${@}"
+}
+
+rndccmd() {
+	"${RNDC}" -c "${SYSTEMTESTTOP}/common/rndc.conf" -p "${CONTROLPORT}" -s "${@}"
+}
+
+status=0
+n=0
+
+n=$((n+1))
+echo_i "checking non-cachable NXDOMAIN response handling ($n)"
+ret=0
+dig_with_opts +tcp nxdomain.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1
+grep "status: NXDOMAIN" dig.out.ns1.test${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+if [ -x "${RESOLVE}" ] ; then
+   n=$((n+1))
+   echo_i "checking non-cachable NXDOMAIN response handling using dns_client ($n)"
+   ret=0
+   resolve_with_opts -t a -s 10.53.0.1 nxdomain.example.net 2> resolve.out.ns1.test${n} || ret=1
+   grep "resolution failed: ncache nxdomain" resolve.out.ns1.test${n} > /dev/null || ret=1
+   if [ $ret != 0 ]; then echo_i "failed"; fi
+   status=$((status + ret))
+fi
+
+if [ -x "${RESOLVE}" ] ; then
+   n=$((n+1))
+   echo_i "checking that local bound address can be set (Can't query from a denied address) ($n)"
+   ret=0
+   resolve_with_opts -b 10.53.0.8 -t a -s 10.53.0.1 www.example.org 2> resolve.out.ns1.test${n} || ret=1
+   grep "resolution failed: SERVFAIL" resolve.out.ns1.test${n} > /dev/null || ret=1
+   if [ $ret != 0 ]; then echo_i "failed"; fi
+   status=$((status + ret))
+
+   n=$((n+1))
+   echo_i "checking that local bound address can be set (Can query from an allowed address) ($n)"
+   ret=0
+   resolve_with_opts -b 10.53.0.1 -t a -s 10.53.0.1 www.example.org > resolve.out.ns1.test${n} || ret=1
+   grep "www.example.org..*.192.0.2.1" resolve.out.ns1.test${n} > /dev/null || ret=1
+   if [ $ret != 0 ]; then echo_i "failed"; fi
+   status=$((status + ret))
+fi
+
+n=$((n+1))
+echo_i "checking non-cachable NODATA response handling ($n)"
+ret=0
+dig_with_opts +tcp nodata.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1
+grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+if [ -x "${RESOLVE}" ] ; then
+    n=$((n+1))
+    echo_i "checking non-cachable NODATA response handling using dns_client ($n)"
+    ret=0
+    resolve_with_opts -t a -s 10.53.0.1 nodata.example.net 2> resolve.out.ns1.test${n} || ret=1
+    grep "resolution failed: ncache nxrrset" resolve.out.ns1.test${n} > /dev/null || ret=1
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status + ret))
+fi
+
+n=$((n+1))
+echo_i "checking handling of bogus referrals ($n)"
+# If the server has the "INSIST(!external)" bug, this query will kill it.
+dig_with_opts +tcp www.example.com. a @10.53.0.1 >/dev/null || { echo_i "failed"; status=$((status + 1)); }
+
+if [ -x "${RESOLVE}" ] ; then
+    n=$((n+1))
+    echo_i "checking handling of bogus referrals using dns_client ($n)"
+    ret=0
+    resolve_with_opts -t a -s 10.53.0.1 www.example.com 2> resolve.out.ns1.test${n} || ret=1
+    grep "resolution failed: SERVFAIL" resolve.out.ns1.test${n} > /dev/null || ret=1
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status + ret))
+fi
+
+n=$((n+1))
+echo_i "check handling of cname + other data / 1 ($n)"
+dig_with_opts +tcp cname1.example.com. a @10.53.0.1 >/dev/null || { echo_i "failed"; status=$((status + 1)); }
+
+n=$((n+1))
+echo_i "check handling of cname + other data / 2 ($n)"
+dig_with_opts +tcp cname2.example.com. a @10.53.0.1 >/dev/null || { echo_i "failed"; status=$((status + 1)); }
+
+n=$((n+1))
+echo_i "check that server is still running ($n)"
+dig_with_opts +tcp www.example.com. a @10.53.0.1 >/dev/null || { echo_i "failed"; status=$((status + 1)); }
+
+n=$((n+1))
+echo_i "checking answer IPv4 address filtering (deny) ($n)"
+ret=0
+dig_with_opts +tcp www.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1
+grep "status: SERVFAIL" dig.out.ns1.test${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "checking answer IPv6 address filtering (deny) ($n)"
+ret=0
+dig_with_opts +tcp www.example.net @10.53.0.1 aaaa > dig.out.ns1.test${n} || ret=1
+grep "status: SERVFAIL" dig.out.ns1.test${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "checking answer IPv4 address filtering (accept) ($n)"
+ret=0
+dig_with_opts +tcp www.example.org @10.53.0.1 a > dig.out.ns1.test${n} || ret=1
+grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+
+if [ -x "${RESOLVE}" ] ; then
+    n=$((n+1))
+    echo_i "checking answer IPv4 address filtering using dns_client (accept) ($n)"
+    ret=0
+    resolve_with_opts -t a -s 10.53.0.1 www.example.org > resolve.out.ns1.test${n} || ret=1
+    grep "www.example.org..*.192.0.2.1" resolve.out.ns1.test${n} > /dev/null || ret=1
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status + ret))
+fi
+
+n=$((n+1))
+echo_i "checking answer IPv6 address filtering (accept) ($n)"
+ret=0
+dig_with_opts +tcp www.example.org @10.53.0.1 aaaa > dig.out.ns1.test${n} || ret=1
+grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+if [ -x "${RESOLVE}" ] ; then
+    n=$((n+1))
+    echo_i "checking answer IPv6 address filtering using dns_client (accept) ($n)"
+    ret=0
+    resolve_with_opts -t aaaa -s 10.53.0.1 www.example.org > resolve.out.ns1.test${n} || ret=1
+    grep "www.example.org..*.2001:db8:beef::1" resolve.out.ns1.test${n} > /dev/null || ret=1
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status + ret))
+fi
+
+n=$((n+1))
+echo_i "checking CNAME target filtering (deny) ($n)"
+ret=0
+dig_with_opts +tcp badcname.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1
+grep "status: SERVFAIL" dig.out.ns1.test${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "checking CNAME target filtering (accept) ($n)"
+ret=0
+dig_with_opts +tcp goodcname.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1
+grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+if [ -x "${RESOLVE}" ] ; then
+    n=$((n+1))
+    echo_i "checking CNAME target filtering using dns_client (accept) ($n)"
+    ret=0
+    resolve_with_opts -t a -s 10.53.0.1 goodcname.example.net > resolve.out.ns1.test${n} || ret=1
+    grep "goodcname.example.net..*.goodcname.example.org." resolve.out.ns1.test${n} > /dev/null || ret=1
+    grep "goodcname.example.org..*.192.0.2.1" resolve.out.ns1.test${n} > /dev/null || ret=1
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status + ret))
+fi
+
+n=$((n+1))
+echo_i "checking CNAME target filtering (accept due to subdomain) ($n)"
+ret=0
+dig_with_opts +tcp cname.sub.example.org @10.53.0.1 a > dig.out.ns1.test${n} || ret=1
+grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+if [ -x "${RESOLVE}" ] ; then
+    n=$((n+1))
+    echo_i "checking CNAME target filtering using dns_client (accept due to subdomain) ($n)"
+    ret=0
+    resolve_with_opts -t a -s 10.53.0.1 cname.sub.example.org > resolve.out.ns1.test${n} || ret=1
+    grep "cname.sub.example.org..*.ok.sub.example.org." resolve.out.ns1.test${n} > /dev/null || ret=1
+    grep "ok.sub.example.org..*.192.0.2.1" resolve.out.ns1.test${n} > /dev/null || ret=1
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status + ret))
+fi
+
+n=$((n+1))
+echo_i "checking DNAME target filtering (deny) ($n)"
+ret=0
+dig_with_opts +tcp foo.baddname.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1
+grep "DNAME target foo.baddname.example.org denied for foo.baddname.example.net/IN" ns1/named.run >/dev/null || ret=1
+grep "status: SERVFAIL" dig.out.ns1.test${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "checking DNAME target filtering (accept) ($n)"
+ret=0
+dig_with_opts +tcp foo.gooddname.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1
+grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+if [ -x "${RESOLVE}" ] ; then
+    n=$((n+1))
+    echo_i "checking DNAME target filtering using dns_client (accept) ($n)"
+    ret=0
+    resolve_with_opts -t a -s 10.53.0.1 foo.gooddname.example.net > resolve.out.ns1.test${n} || ret=1
+    grep "foo.gooddname.example.net..*.gooddname.example.org" resolve.out.ns1.test${n} > /dev/null || ret=1
+    grep "foo.gooddname.example.org..*.192.0.2.1" resolve.out.ns1.test${n} > /dev/null || ret=1
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status + ret))
+fi
+
+n=$((n+1))
+echo_i "checking DNAME target filtering (accept due to subdomain) ($n)"
+ret=0
+dig_with_opts +tcp www.dname.sub.example.org @10.53.0.1 a > dig.out.ns1.test${n} || ret=1
+grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+if [ -x "${RESOLVE}" ] ; then
+    n=$((n+1))
+    echo_i "checking DNAME target filtering using dns_client (accept due to subdomain) ($n)"
+    ret=0
+    resolve_with_opts -t a -s 10.53.0.1 www.dname.sub.example.org > resolve.out.ns1.test${n} || ret=1
+    grep "www.dname.sub.example.org..*.ok.sub.example.org." resolve.out.ns1.test${n} > /dev/null || ret=1
+    grep "www.ok.sub.example.org..*.192.0.2.1" resolve.out.ns1.test${n} > /dev/null || ret=1
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status + ret))
+fi
+
+n=$((n+1))
+echo_i "check that the resolver accepts a referral response with a non-empty ANSWER section ($n)"
+ret=0
+dig_with_opts @10.53.0.1 foo.glue-in-answer.example.org. A > dig.ns1.out.${n} || ret=1
+grep "status: NOERROR" dig.ns1.out.${n} > /dev/null || ret=1
+grep "foo.glue-in-answer.example.org.*192.0.2.1" dig.ns1.out.${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check that the resolver limits the number of NS records it follows in a referral response ($n)"
+# ns5 is the recusor being tested.  ns4 holds the sourcens zone containing names with varying numbers of NS
+# records pointing to non-existent nameservers in the targetns zone on ns6.
+ret=0
+rndccmd 10.53.0.5 flush || ret=1   # Ensure cache is empty before doing this test
+for nscount in 1 2 3 4 5 6 7 8 9 10
+do
+        # Verify number of NS records at source server
+        dig_with_opts +norecurse @10.53.0.4 target${nscount}.sourcens ns > dig.ns4.out.${nscount}.${n}
+        sourcerecs=$(grep NS dig.ns4.out.${nscount}.${n} | grep -v ';' | wc -l)
+        test "${sourcerecs}" -eq "${nscount}" || ret=1
+        test "${sourcerecs}" -eq "${nscount}" || echo_i "NS count incorrect for target${nscount}.sourcens"
+        # Expected queries = 2 * number of NS records, up to a maximum of 10.
+        expected=$((nscount*2))
+        if [ "$expected" -gt 10 ]; then expected=10; fi
+        # Work out the queries made by checking statistics on the target before and after the test
+        rndccmd 10.53.0.6 stats || ret=1
+        initial_count=$(awk '/responses sent/ {print $1}' ns6/named.stats)
+        mv ns6/named.stats ns6/named.stats.initial.${nscount}.${n}
+        dig_with_opts @10.53.0.5 target${nscount}.sourcens A > dig.ns5.out.${nscount}.${n} || ret=1
+        rndccmd 10.53.0.6 stats || ret=1
+        final_count=$(awk '/responses sent/ {print $1}' ns6/named.stats)
+        mv ns6/named.stats ns6/named.stats.final.${nscount}.${n}
+        # Check number of queries during the test is as expected
+        actual=$((final_count - initial_count))
+        if [ "$actual" -ne "$expected" ]; then
+                echo_i "query count error: $nscount NS records: expected queries $expected, actual $actual"
+                ret=1
+        fi
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "RT21594 regression test check setup ($n)"
+ret=0
+# Check that "aa" is not being set by the authoritative server.
+dig_with_opts +tcp . @10.53.0.4 soa > dig.ns4.out.${n} || ret=1
+grep 'flags: qr rd;' dig.ns4.out.${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "RT21594 regression test positive answers ($n)"
+ret=0
+# Check that resolver accepts the non-authoritative positive answers.
+dig_with_opts +tcp . @10.53.0.5 soa > dig.ns5.out.${n} || ret=1
+grep "status: NOERROR" dig.ns5.out.${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "RT21594 regression test NODATA answers ($n)"
+ret=0
+# Check that resolver accepts the non-authoritative nodata answers.
+dig_with_opts +tcp . @10.53.0.5 txt > dig.ns5.out.${n} || ret=1
+grep "status: NOERROR" dig.ns5.out.${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "RT21594 regression test NXDOMAIN answers ($n)"
+ret=0
+# Check that resolver accepts the non-authoritative positive answers.
+dig_with_opts +tcp noexistent @10.53.0.5 txt > dig.ns5.out.${n} || ret=1
+grep "status: NXDOMAIN" dig.ns5.out.${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check that replacement of additional data by a negative cache no data entry clears the additional RRSIGs ($n)"
+ret=0
+dig_with_opts +tcp mx example.net @10.53.0.7 > dig.ns7.out.${n} || ret=1
+grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=1
+if [ $ret = 1 ]; then echo_i "mx priming failed"; fi
+$NSUPDATE << EOF
+server 10.53.0.6 ${PORT}
+zone example.net
+update delete mail.example.net A
+update add mail.example.net 0 AAAA ::1
+send
+EOF
+dig_with_opts +tcp a mail.example.net @10.53.0.7 > dig.ns7.out.${n} || ret=2
+grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=2
+grep "ANSWER: 0" dig.ns7.out.${n} > /dev/null || ret=2
+if [ $ret = 2 ]; then echo_i "ncache priming failed"; fi
+dig_with_opts +tcp mx example.net @10.53.0.7 > dig.ns7.out.${n} || ret=3
+grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=3
+dig_with_opts +tcp rrsig mail.example.net +norec @10.53.0.7 > dig.ns7.out.${n}  || ret=4
+grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=4
+grep "ANSWER: 0" dig.ns7.out.${n} > /dev/null || ret=4
+if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
+status=$((status + ret))
+
+if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "checking that update a nameservers address has immediate effects ($n)"
+ret=0
+dig_with_opts +tcp TXT foo.moves @10.53.0.7 > dig.ns7.foo.${n} || ret=1
+grep "From NS 5" dig.ns7.foo.${n} > /dev/null || ret=1
+$NSUPDATE << EOF
+server 10.53.0.7 ${PORT}
+zone server
+update delete ns.server A
+update add ns.server 300 A 10.53.0.4
+send
+EOF
+sleep 1
+dig_with_opts +tcp TXT bar.moves @10.53.0.7 > dig.ns7.bar.${n} || ret=1
+grep "From NS 4" dig.ns7.bar.${n} > /dev/null || ret=1
+
+if [ $ret != 0 ]; then echo_i "failed"; status=1; fi
+
+n=$((n+1))
+echo_i "checking that update a nameservers glue has immediate effects ($n)"
+ret=0
+dig_with_opts +tcp TXT foo.child.server @10.53.0.7 > dig.ns7.foo.${n} || ret=1
+grep "From NS 5" dig.ns7.foo.${n} > /dev/null || ret=1
+$NSUPDATE << EOF
+server 10.53.0.7 ${PORT}
+zone server
+update delete ns.child.server A
+update add ns.child.server 300 A 10.53.0.4
+send
+EOF
+sleep 1
+dig_with_opts +tcp TXT bar.child.server @10.53.0.7 > dig.ns7.bar.${n} || ret=1
+grep "From NS 4" dig.ns7.bar.${n} > /dev/null || ret=1
+
+if [ $ret != 0 ]; then echo_i "failed"; status=1; fi
+
+n=$((n+1))
+echo_i "checking empty RFC 1918 reverse zones ($n)"
+ret=0
+# Check that "aa" is being set by the resolver for RFC 1918 zones
+# except the one that has been deliberately disabled
+dig_with_opts @10.53.0.7 -x 10.1.1.1 > dig.ns4.out.1.${n} || ret=1
+grep 'flags: qr aa rd ra;' dig.ns4.out.1.${n} > /dev/null || ret=1
+dig_with_opts @10.53.0.7 -x 192.168.1.1 > dig.ns4.out.2.${n} || ret=1
+grep 'flags: qr aa rd ra;' dig.ns4.out.2.${n} > /dev/null || ret=1
+dig_with_opts @10.53.0.7 -x 172.16.1.1  > dig.ns4.out.3.${n} || ret=1
+grep 'flags: qr aa rd ra;' dig.ns4.out.3.${n} > /dev/null || ret=1
+dig_with_opts @10.53.0.7 -x 172.17.1.1 > dig.ns4.out.4.${n} || ret=1
+grep 'flags: qr aa rd ra;' dig.ns4.out.4.${n} > /dev/null || ret=1
+dig_with_opts @10.53.0.7 -x 172.18.1.1 > dig.ns4.out.5.${n} || ret=1
+grep 'flags: qr aa rd ra;' dig.ns4.out.5.${n} > /dev/null || ret=1
+dig_with_opts @10.53.0.7 -x 172.19.1.1 > dig.ns4.out.6.${n} || ret=1
+grep 'flags: qr aa rd ra;' dig.ns4.out.6.${n} > /dev/null || ret=1
+dig_with_opts @10.53.0.7 -x 172.21.1.1 > dig.ns4.out.7.${n} || ret=1
+grep 'flags: qr aa rd ra;' dig.ns4.out.7.${n} > /dev/null || ret=1
+dig_with_opts @10.53.0.7 -x 172.22.1.1 > dig.ns4.out.8.${n} || ret=1
+grep 'flags: qr aa rd ra;' dig.ns4.out.8.${n} > /dev/null || ret=1
+dig_with_opts @10.53.0.7 -x 172.23.1.1 > dig.ns4.out.9.${n} || ret=1
+grep 'flags: qr aa rd ra;' dig.ns4.out.9.${n} > /dev/null || ret=1
+dig_with_opts @10.53.0.7 -x 172.24.1.1 > dig.ns4.out.11.${n} || ret=1
+grep 'flags: qr aa rd ra;' dig.ns4.out.11.${n} > /dev/null || ret=1
+dig_with_opts @10.53.0.7 -x 172.25.1.1 > dig.ns4.out.12.${n} || ret=1
+grep 'flags: qr aa rd ra;' dig.ns4.out.12.${n} > /dev/null || ret=1
+dig_with_opts @10.53.0.7 -x 172.26.1.1 > dig.ns4.out.13.${n} || ret=1
+grep 'flags: qr aa rd ra;' dig.ns4.out.13.${n} > /dev/null || ret=1
+dig_with_opts @10.53.0.7 -x 172.27.1.1 > dig.ns4.out.14.${n} || ret=1
+grep 'flags: qr aa rd ra;' dig.ns4.out.14.${n} > /dev/null || ret=1
+dig_with_opts @10.53.0.7 -x 172.28.1.1 > dig.ns4.out.15.${n} || ret=1
+grep 'flags: qr aa rd ra;' dig.ns4.out.15.${n} > /dev/null || ret=1
+dig_with_opts @10.53.0.7 -x 172.29.1.1 > dig.ns4.out.16.${n} || ret=1
+grep 'flags: qr aa rd ra;' dig.ns4.out.16.${n} > /dev/null || ret=1
+dig_with_opts @10.53.0.7 -x 172.30.1.1 > dig.ns4.out.17.${n} || ret=1
+grep 'flags: qr aa rd ra;' dig.ns4.out.17.${n} > /dev/null || ret=1
+dig_with_opts @10.53.0.7 -x 172.31.1.1 > dig.ns4.out.18.${n} || ret=1
+grep 'flags: qr aa rd ra;' dig.ns4.out.18.${n} > /dev/null || ret=1
+# but this one should NOT be authoritative
+dig_with_opts @10.53.0.7 -x 172.20.1.1 > dig.ns4.out.19.${n} || ret=1
+grep 'flags: qr rd ra;' dig.ns4.out.19.${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; status=1; fi
+
+n=$((n+1))
+echo_i "checking that removal of a delegation is honoured ($n)"
+ret=0
+dig_with_opts @10.53.0.5 www.to-be-removed.tld A > dig.ns5.prime.${n}
+grep "status: NOERROR" dig.ns5.prime.${n} > /dev/null || { ret=1; echo_i "priming failed"; }
+cp ns4/tld2.db ns4/tld.db
+rndc_reload ns4 10.53.0.4 tld
+old=
+for i in 0 1 2 3 4 5 6 7 8 9
+do
+	foo=0
+	dig_with_opts @10.53.0.5 ns$i.to-be-removed.tld A > /dev/null
+	dig_with_opts @10.53.0.5 www.to-be-removed.tld A > dig.ns5.out.${n}
+	grep "status: NXDOMAIN" dig.ns5.out.${n} > /dev/null || foo=1
+	[ $foo = 0 ] && break
+	$NSUPDATE << EOF
+server 10.53.0.6 ${PORT}
+zone to-be-removed.tld
+update add to-be-removed.tld 100 NS ns${i}.to-be-removed.tld
+update delete to-be-removed.tld NS ns${old}.to-be-removed.tld
+send
+EOF
+	old=$i
+	sleep 1
+done
+[ $ret = 0 ] && ret=$foo;
+if [ $ret != 0 ]; then echo_i "failed"; status=1; fi
+
+n=$((n+1))
+echo_i "check for improved error message with SOA mismatch ($n)"
+ret=0
+dig_with_opts @10.53.0.1 www.sub.broken aaaa > dig.out.ns1.test${n} || ret=1
+grep "not subdomain of zone" ns1/named.run > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+copy_setports ns7/named2.conf.in ns7/named.conf
+rndccmd 10.53.0.7 reconfig 2>&1 | sed 's/^/ns7 /' | cat_i
+
+n=$((n+1))
+echo_i "check resolution on the listening port ($n)"
+ret=0
+dig_with_opts +tcp +tries=2 +time=5 mx example.net @10.53.0.7 > dig.ns7.out.${n} || ret=2
+grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=1
+grep "ANSWER: 1" dig.ns7.out.${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check prefetch (${n})"
+ret=0
+# read prefetch value from config.
+PREFETCH=$(sed -n "s/[[:space:]]*prefetch \([0-9]\).*/\1/p" ns5/named.conf)
+dig_with_opts @10.53.0.5 fetch.tld txt > dig.out.1.${n} || ret=1
+ttl1=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.1.${n})
+interval=$((ttl1 - PREFETCH + 1))
+# sleep so we are in prefetch range
+sleep ${interval:-0}
+# trigger prefetch
+dig_with_opts @10.53.0.5 fetch.tld txt > dig.out.2.${n} || ret=1
+ttl2=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.2.${n})
+sleep 1
+# check that prefetch occurred
+dig_with_opts @10.53.0.5 fetch.tld txt > dig.out.3.${n} || ret=1
+ttl=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.3.${n})
+test "${ttl:-0}" -gt "${ttl2:-1}" || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check prefetch of validated DS's RRSIG TTL is updated (${n})"
+ret=0
+dig_with_opts +dnssec @10.53.0.5 ds.example.net ds > dig.out.1.${n} || ret=1
+dsttl1=$(awk '$4 == "DS" && $7 == "2" { print $2 }' dig.out.1.${n})
+interval=$((dsttl1 - PREFETCH + 1))
+# sleep so we are in prefetch range
+sleep ${interval:-0}
+# trigger prefetch
+dig_with_opts @10.53.0.5 ds.example.net ds > dig.out.2.${n} || ret=1
+dsttl2=$(awk '$4 == "DS" && $7 == "2" { print $2 }' dig.out.2.${n})
+sleep 1
+# check that prefetch occurred
+dig_with_opts @10.53.0.5 ds.example.net ds +dnssec > dig.out.3.${n} || ret=1
+dsttl=$(awk '$4 == "DS" && $7 == "2" { print $2 }' dig.out.3.${n})
+sigttl=$(awk '$4 == "RRSIG" && $5 == "DS" { print $2 }' dig.out.3.${n})
+test "${dsttl:-0}" -gt "${dsttl2:-1}" || ret=1
+test "${sigttl:-0}" -gt "${dsttl2:-1}" || ret=1
+test "${dsttl:-0}" -eq "${sigttl:-1}" || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check prefetch disabled (${n})"
+ret=0
+dig_with_opts @10.53.0.7 fetch.example.net txt > dig.out.1.${n} || ret=1
+ttl1=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.1.${n})
+interval=$((ttl1 - PREFETCH + 1))
+# sleep so we are in expire range
+sleep ${interval:-0}
+tmp_ttl=$ttl1
+no_prefetch() {
+	# fetch record and ensure its ttl is in range 0 < ttl < tmp_ttl.
+	# since prefetch is disabled, updated ttl must be a lower value than
+	# the previous one.
+	dig_with_opts @10.53.0.7 fetch.example.net txt > dig.out.2.${n} || return 1
+	ttl2=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.2.${n})
+        # check that prefetch has not occurred
+        if [ "$ttl2" -ge "${tmp_ttl}" ]; then
+                return 1
+        fi
+        tmp_ttl=$ttl2
+}
+retry_quiet 3 no_prefetch || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check prefetch qtype * (${n})"
+ret=0
+dig_with_opts @10.53.0.5 fetchall.tld any > dig.out.1.${n} || ret=1
+ttl1=$(awk '/"A" "short" "ttl"/ { print $2 - 3 }' dig.out.1.${n})
+# sleep so we are in prefetch range
+sleep "${ttl1:-0}"
+# trigger prefetch
+dig_with_opts @10.53.0.5 fetchall.tld any > dig.out.2.${n} || ret=1
+ttl2=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.2.${n})
+sleep 1
+# check that prefetch occurred;
+# note that only one record is prefetched, which is the TXT record in this case,
+# because of the order of the records in the cache
+dig_with_opts @10.53.0.5 fetchall.tld any > dig.out.3.${n} || ret=1
+ttl3=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.3.${n})
+test "${ttl3:-0}" -gt "${ttl2:-1}" || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check that E was logged on EDNS queries in the query log (${n})"
+ret=0
+dig_with_opts @10.53.0.5 +edns edns.fetchall.tld any > dig.out.2.${n} || ret=1
+grep "query: edns.fetchall.tld IN ANY +E" ns5/named.run > /dev/null || ret=1
+dig_with_opts @10.53.0.5 +noedns noedns.fetchall.tld any > dig.out.2.${n} || ret=1
+grep "query: noedns.fetchall.tld IN ANY" ns5/named.run > /dev/null || ret=1
+grep "query: noedns.fetchall.tld IN ANY +E" ns5/named.run > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check that '-t aaaa' in .digrc does not have unexpected side effects ($n)"
+ret=0
+echo "-t aaaa" > .digrc
+(HOME="$(pwd)" dig_with_opts @10.53.0.4 . > dig.out.1.${n}) || ret=1
+(HOME="$(pwd)" dig_with_opts @10.53.0.4 . A > dig.out.2.${n}) || ret=1
+(HOME="$(pwd)" dig_with_opts @10.53.0.4 -x 127.0.0.1 > dig.out.3.${n}) || ret=1
+grep ';\..*IN.*AAAA$' dig.out.1.${n} > /dev/null || ret=1
+grep ';\..*IN.*A$' dig.out.2.${n} > /dev/null || ret=1
+grep 'extra type option' dig.out.2.${n} > /dev/null && ret=1
+grep ';1\.0\.0\.127\.in-addr\.arpa\..*IN.*PTR$' dig.out.3.${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+edns=$($FEATURETEST --edns-version)
+
+n=$((n+1))
+echo_i "check that EDNS version is logged (${n})"
+ret=0
+dig_with_opts @10.53.0.5 +edns edns0.fetchall.tld any > dig.out.2.${n} || ret=1
+grep "query: edns0.fetchall.tld IN ANY +E(0)" ns5/named.run > /dev/null || ret=1
+if test "${edns:-0}" != 0; then
+    dig_with_opts @10.53.0.5 +edns=1 edns1.fetchall.tld any > dig.out.2.${n} || ret=1
+    grep "query: edns1.fetchall.tld IN ANY +E(1)" ns5/named.run > /dev/null || ret=1
+fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+if test "${edns:-0}" != 0; then
+    n=$((n+1))
+    echo_i "check that edns-version is honoured (${n})"
+    ret=0
+    dig_with_opts @10.53.0.5 +edns no-edns-version.tld > dig.out.1.${n} || ret=1
+    grep "query: no-edns-version.tld IN A -E(1)" ns6/named.run > /dev/null || ret=1
+    dig_with_opts @10.53.0.5 +edns edns-version.tld > dig.out.2.${n} || ret=1
+    grep "query: edns-version.tld IN A -E(0)" ns7/named.run > /dev/null || ret=1
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status + ret))
+fi
+
+n=$((n+1))
+echo_i "check that CNAME nameserver is logged correctly (${n})"
+ret=0
+dig_with_opts soa all-cnames @10.53.0.5 > dig.out.ns5.test${n} || ret=1
+grep "status: SERVFAIL" dig.out.ns5.test${n} > /dev/null || ret=1
+grep "skipping nameserver 'cname.tld' because it is a CNAME, while resolving 'all-cnames/SOA'" ns5/named.run > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check that unexpected opcodes are handled correctly (${n})"
+ret=0
+dig_with_opts soa all-cnames @10.53.0.5 +opcode=15 +cd +rec +ad +zflag > dig.out.ns5.test${n} || ret=1
+grep "status: NOTIMP" dig.out.ns5.test${n} > /dev/null || ret=1
+grep "flags:[^;]* qr[; ]" dig.out.ns5.test${n} > /dev/null || ret=1
+grep "flags:[^;]* ra[; ]" dig.out.ns5.test${n} > /dev/null && ret=1
+grep "flags:[^;]* rd[; ]" dig.out.ns5.test${n} > /dev/null && ret=1
+grep "flags:[^;]* cd[; ]" dig.out.ns5.test${n} > /dev/null && ret=1
+grep "flags:[^;]* ad[; ]" dig.out.ns5.test${n} > /dev/null && ret=1
+grep "flags:[^;]*; MBZ: " dig.out.ns5.test${n} > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check that EDNS client subnet with non-zeroed bits is handled correctly (${n})"
+ret=0
+# 0001 (IPv4) 1f (31 significant bits) 00 (0) ffffffff (255.255.255.255)
+dig_with_opts soa . @10.53.0.5 +ednsopt=8:00011f00ffffffff > dig.out.ns5.test${n} || ret=1
+grep "status: FORMERR" dig.out.ns5.test${n} > /dev/null || ret=1
+grep "; EDNS: version:" dig.out.ns5.test${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check that dig +subnet zeros address bits correctly (${n})"
+ret=0
+dig_with_opts soa . @10.53.0.5 +subnet=255.255.255.255/23 > dig.out.ns5.test${n} || ret=1
+grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
+grep "CLIENT-SUBNET: 255.255.254.0/23/0" dig.out.ns5.test${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check that SOA query returns data for delegation-only apex (${n})"
+ret=0
+dig_with_opts soa delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
+grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+n=$((n+1))
+
+n=$((n+1))
+echo_i "check that NS query returns data for delegation-only apex (${n})"
+ret=0
+dig_with_opts ns delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
+grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check that A query returns data for delegation-only A apex (${n})"
+ret=0
+dig_with_opts a delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
+grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check that CDS query returns data for delegation-only apex (${n})"
+ret=0
+dig_with_opts cds delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
+grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check that AAAA query returns data for delegation-only AAAA apex (${n})"
+ret=0
+dig_with_opts a delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
+grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+n=$((n+1))
+
+echo_i "check that DNSKEY query returns data for delegation-only apex (${n})"
+ret=0
+dig_with_opts dnskey delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
+grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check that CDNSKEY query returns data for delegation-only apex (${n})"
+ret=0
+dig_with_opts cdnskey delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
+grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check that NXDOMAIN is returned for delegation-only non-apex A data (${n})"
+ret=0
+dig_with_opts a a.delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
+grep "status: NXDOMAIN" dig.out.ns5.test${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check that NXDOMAIN is returned for delegation-only non-apex CDS data (${n})"
+ret=0
+dig_with_opts cds cds.delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
+grep "status: NXDOMAIN" dig.out.ns5.test${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check that NXDOMAIN is returned for delegation-only non-apex AAAA data (${n})"
+ret=0
+dig_with_opts aaaa aaaa.delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
+grep "status: NXDOMAIN" dig.out.ns5.test${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+n=$((n+1))
+
+echo_i "check that NXDOMAIN is returned for delegation-only non-apex CDNSKEY data (${n})"
+ret=0
+dig_with_opts cdnskey cdnskey.delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1
+grep "status: NXDOMAIN" dig.out.ns5.test${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check zero ttl not returned for learnt non zero ttl records (${n})"
+ret=0
+# use prefetch disabled server
+dig_with_opts @10.53.0.7 non-zero.example.net txt > dig.out.1.${n} || ret=1
+ttl1=$(awk '/"A" "short" "ttl"/ { print $2 - 2 }' dig.out.1.${n})
+# sleep so we are in expire range
+sleep "${ttl1:-0}"
+# look for ttl = 1, allow for one miss at getting zero ttl
+zerotonine="0 1 2 3 4 5 6 7 8 9"
+zerotonine="$zerotonine $zerotonine $zerotonine"
+for i in $zerotonine $zerotonine $zerotonine $zerotonine
+do
+	dig_with_opts @10.53.0.7 non-zero.example.net txt > dig.out.2.${n} || ret=1
+	ttl2=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.2.${n})
+	test "${ttl2:-1}" -eq 0 && break
+	test "${ttl2:-1}" -ge "${ttl1:-0}" && break
+	"${PERL}" -e 'select(undef, undef, undef, 0.05);'
+done
+test "${ttl2:-1}" -eq 0 && ret=1
+test "${ttl2:-1}" -ge "${ttl1:-0}" || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check zero ttl is returned for learnt zero ttl records (${n})"
+ret=0
+dig_with_opts @10.53.0.7 zero.example.net txt > dig.out.1.${n} || ret=1
+ttl=$(awk '/"A" "zero" "ttl"/ { print $2 }' dig.out.1.${n})
+test "${ttl:-1}" -eq 0 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check that 'ad' in not returned in truncated answer with empty answer and authority sections to request with +ad (${n})"
+ret=0
+dig_with_opts @10.53.0.6 dnskey ds.example.net +bufsize=512 +ad +nodnssec +ignore +norec > dig.out.$n
+grep "flags: qr aa tc; QUERY: 1, ANSWER: 0, AUTHORITY: 0" dig.out.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check that 'ad' in not returned in truncated answer with empty answer and authority sections to request with +dnssec (${n})"
+ret=0
+dig_with_opts @10.53.0.6 dnskey ds.example.net +bufsize=512 +noad +dnssec +ignore +norec > dig.out.$n
+grep "flags: qr aa tc; QUERY: 1, ANSWER: 0, AUTHORITY: 0" dig.out.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check that the resolver accepts a reply with empty question section with TC=1 and retries over TCP ($n)"
+ret=0
+dig_with_opts @10.53.0.5 truncated.no-questions. a +tries=3 +time=5 > dig.ns5.out.${n} || ret=1
+grep "status: NOERROR" dig.ns5.out.${n} > /dev/null || ret=1
+grep "ANSWER: 1," dig.ns5.out.${n} > /dev/null || ret=1
+grep "1\.2\.3\.4" dig.ns5.out.${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check that the resolver rejects a reply with empty question section with TC=0 ($n)"
+ret=0
+dig_with_opts @10.53.0.5 not-truncated.no-questions. a +tries=3 +time=5 > dig.ns5.out.${n} || ret=1
+grep "status: NOERROR" dig.ns5.out.${n} > /dev/null && ret=1
+grep "ANSWER: 1," dig.ns5.out.${n} > /dev/null && ret=1
+grep "1\.2\.3\.4" dig.ns5.out.${n} > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "checking SERVFAIL is returned when all authoritative servers return FORMERR ($n)"
+ret=0
+dig_with_opts @10.53.0.5 ns.formerr-to-all. a > dig.ns5.out.${n} || ret=1
+grep "status: SERVFAIL" dig.ns5.out.${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check logged command line ($n)"
+ret=0
+grep "running as: .* -m record,size,mctx " ns1/named.run > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "checking NXDOMAIN is returned when querying non existing domain in CH class ($n)"
+ret=0
+dig_with_opts @10.53.0.1 id.hostname txt ch > dig.ns1.out.${n} || ret=1
+grep "status: NXDOMAIN" dig.ns1.out.${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check handling of large referrals to unresponsive name servers ($n)"
+ret=0
+dig_with_opts +timeout=15 large-referral.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1
+grep "status: SERVFAIL" dig.out.ns1.test${n} > /dev/null || ret=1
+# Check the total number of findname() calls triggered by a single query
+# for large-referral.example.net/A.
+findname_call_count="$(grep -c "large-referral\.example\.net.*FINDNAME" ns1/named.run)"
+if [ "${findname_call_count}" -gt 1000 ]; then
+	echo_i "failed: ${findname_call_count} (> 1000) findname() calls detected for large-referral.example.net"
+	ret=1
+fi
+# Check whether the limit of NS RRs processed for any delegation
+# encountered was not exceeded.
+if grep -Eq "dns_adb_createfind: started (A|AAAA) fetch for name ns21.fake.redirect.com" ns1/named.run; then
+	echo_i "failed: unexpected address fetch(es) were triggered for ns21.fake.redirect.com"
+	ret=1
+fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "checking query resolution for a domain with a valid glueless delegation chain ($n)"
+ret=0
+rndccmd 10.53.0.1 flush || ret=1
+dig_with_opts foo.bar.sub.tld1 @10.53.0.1 TXT > dig.out.ns1.test${n} || ret=1
+grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1
+grep "IN.*TXT.*baz" dig.out.ns1.test${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check that correct namespace is chosen for dual-stack-servers ($n)"
+ret=0
+#
+# The two priming queries are needed until we fix dual-stack-servers fully
+#
+dig_with_opts @fd92:7065:b8e:ffff::9 v4.nameserver A > dig.out.prime1.${n} || ret=1
+dig_with_opts @fd92:7065:b8e:ffff::9 v4.nameserver AAAA > dig.out.prime2.${n} || ret=1
+dig_with_opts @fd92:7065:b8e:ffff::9 foo.v4only.net A > dig.out.ns9.${n} || ret=1
+grep "status: NOERROR" dig.out.ns9.${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "check expired TTLs with qtype * (${n})"
+ret=0
+dig_with_opts +tcp @10.53.0.5 mixedttl.tld any > dig.out.1.${n} || ret=1
+ttl1=$(awk '$1 == "mixedttl.tld." && $4 == "A" { print $2 + 1 }' dig.out.1.${n})
+# sleep TTL + 1 so that record has expired
+sleep "${ttl1:-0}"
+dig_with_opts +tcp @10.53.0.5 mixedttl.tld any > dig.out.2.${n} || ret=1
+# check preconditions
+grep "ANSWER: 3," dig.out.1.${n} > /dev/null || ret=1
+lines=$(awk '$1 == "mixedttl.tld." && $2 > 30 { print }' dig.out.1.${n} | wc -l)
+test ${lines:-1} -ne 0 && ret=1
+# check behaviour (there may be 1 answer on very slow machines)
+grep "ANSWER: [12]," dig.out.2.${n} > /dev/null || ret=1
+lines=$(awk '$1 == "mixedttl.tld." && $2 > 30 { print }' dig.out.2.${n} | wc -l)
+test ${lines:-1} -ne 0 && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/rndc/Makefile.in b/bin/tests/system/rndc/Makefile.in
new file mode 100644
index 0000000..a17c5df
--- /dev/null
+++ b/bin/tests/system/rndc/Makefile.in
@@ -0,0 +1,48 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	${ISC_INCLUDES}
+
+CDEFINES =
+CWARNINGS =
+
+ISCLIBS =	../../../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+
+DNSDEPLIBS =
+ISCDEPLIBS =	../../../../lib/isc/libisc.@A@
+
+DEPLIBS =
+
+LIBS =		@LIBS@
+
+TARGETS =	gencheck@EXEEXT@
+
+GENCHECKOBJS =	gencheck.@O@
+
+SRCS =		gencheck.c
+
+@BIND9_MAKE_RULES@
+
+all: gencheck@EXEEXT@
+
+gencheck@EXEEXT@: ${GENCHECKOBJS} ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ ${GENCHECKOBJS} ${ISCLIBS} ${LIBS}
+
+clean distclean::
+	rm -f ${TARGETS}
diff --git a/bin/tests/system/rndc/clean.sh b/bin/tests/system/rndc/clean.sh
new file mode 100644
index 0000000..d18b5a5
--- /dev/null
+++ b/bin/tests/system/rndc/clean.sh
@@ -0,0 +1,33 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f dig.out.*.test*
+rm -f ns*/named.lock
+rm -f ns*/named.memstats
+rm -f ns*/named.run ns*/named.run.prev
+rm -f ns2/named.stats
+rm -f ns2/nil.db ns2/other.db ns2/static.db ns2/*.jnl
+rm -f ns2/session.key
+rm -f ns3/named_dump.db*
+rm -f ns4/*.nta
+rm -f ns4/example.db ns4/example.db.jnl
+rm -f ns4/key?.conf
+rm -f ns6/huge.zone.db
+rm -f ns7/include.db ns7/test.db ns7/*.jnl
+rm -f ns7/named_dump.db*
+rm -f ns*/named.conf
+rm -f nsupdate.out.*.test*
+rm -f python.out.*.test*
+rm -f rndc.out.*.test*
+rm -f ns*/managed-keys.bind* ns*/*.mkeys*
+rm -f ns*/*.nta
diff --git a/bin/tests/system/rndc/gencheck.c b/bin/tests/system/rndc/gencheck.c
new file mode 100644
index 0000000..c0bd718
--- /dev/null
+++ b/bin/tests/system/rndc/gencheck.c
@@ -0,0 +1,90 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <unistd.h>
+
+#include <isc/print.h>
+
+#define USAGE "usage: gencheck <filename>\n"
+
+static int
+check(const char *buf, ssize_t count, size_t *start) {
+	const char chars[] = "abcdefghijklmnopqrstuvwxyz0123456789";
+	ssize_t i;
+
+	for (i = 0; i < count; i++, *start = (*start + 1) % (sizeof(chars) - 1))
+	{
+		/* Just ignore the trailing newline */
+		if (buf[i] == '\n') {
+			continue;
+		}
+		if (buf[i] != chars[*start]) {
+			return (0);
+		}
+	}
+
+	return (1);
+}
+
+int
+main(int argc, char **argv) {
+	int ret;
+	int fd;
+	ssize_t count;
+	char buf[1024];
+	size_t start;
+	size_t length;
+
+	ret = EXIT_FAILURE;
+	fd = -1;
+	length = 0;
+
+	if (argc != 2) {
+		fputs(USAGE, stderr);
+		goto out;
+	}
+
+	fd = open(argv[1], O_RDONLY);
+	if (fd == -1) {
+		goto out;
+	}
+
+	start = 0;
+	while ((count = read(fd, buf, sizeof(buf))) != 0) {
+		if (count < 0) {
+			goto out;
+		}
+
+		if (!check(buf, count, &start)) {
+			goto out;
+		}
+
+		length += count;
+	}
+
+	ret = EXIT_SUCCESS;
+
+out:
+	printf("%lu\n", (unsigned long)length);
+
+	if (fd != -1) {
+		close(fd);
+	}
+
+	return (ret);
+}
diff --git a/bin/tests/system/rndc/ns2/incl.db b/bin/tests/system/rndc/ns2/incl.db
new file mode 100644
index 0000000..bb8b343
--- /dev/null
+++ b/bin/tests/system/rndc/ns2/incl.db
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; Used for testing $INCLUDE
+$INCLUDE "static.db"
diff --git a/bin/tests/system/rndc/ns2/named.conf.in b/bin/tests/system/rndc/ns2/named.conf.in
new file mode 100644
index 0000000..1af5346
--- /dev/null
+++ b/bin/tests/system/rndc/ns2/named.conf.in
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	session-keyfile "session.key";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+key secondkey {
+	secret "abcd1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; secondkey; };
+};
+
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "nil" {
+	type primary;
+	update-policy local;
+	file "nil.db";
+	ixfr-from-differences yes;
+};
+
+zone "other" {
+	type primary;
+	update-policy local;
+	file "other.db";
+};
+
+zone "static" {
+	type primary;
+	file "static.db";
+};
+
+zone "incl" {
+	type primary;
+	file "incl.db";
+};
diff --git a/bin/tests/system/rndc/ns2/secondkey.conf b/bin/tests/system/rndc/ns2/secondkey.conf
new file mode 100644
index 0000000..1b6af7b
--- /dev/null
+++ b/bin/tests/system/rndc/ns2/secondkey.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	default-key     "secondkey";
+};
+
+key secondkey {
+	secret "abcd1234abcd8765";
+	algorithm hmac-sha256;
+};
diff --git a/bin/tests/system/rndc/ns3/named.conf.in b/bin/tests/system/rndc/ns3/named.conf.in
new file mode 100644
index 0000000..378ab67
--- /dev/null
+++ b/bin/tests/system/rndc/ns3/named.conf.in
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+key secondkey {
+	secret "abcd1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+view all {
+	match-clients { any; };
+
+	recursion no;
+
+	zone "." {
+		type hint;
+		file "../../common/root.hint";
+	};
+};
+
+view none {
+	match-clients { none; };
+};
diff --git a/bin/tests/system/rndc/ns4/named.conf.in b/bin/tests/system/rndc/ns4/named.conf.in
new file mode 100644
index 0000000..6dc37ec
--- /dev/null
+++ b/bin/tests/system/rndc/ns4/named.conf.in
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+};
+
+view normal {
+	match-clients { any; };
+
+	zone example {
+		type primary;
+		file "example.db";
+		allow-update { any; };
+	};
+};
+
+view "view with a space" {
+	match-clients { none; };
+	zone example {
+		in-view normal;
+	};
+};
diff --git a/bin/tests/system/rndc/ns5/named.conf.in b/bin/tests/system/rndc/ns5/named.conf.in
new file mode 100644
index 0000000..ef38b17
--- /dev/null
+++ b/bin/tests/system/rndc/ns5/named.conf.in
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.5; };
+	listen-on-v6 { none; };
+	recursion no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; } read-only yes;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
diff --git a/bin/tests/system/rndc/ns6/named.args b/bin/tests/system/rndc/ns6/named.args
new file mode 100644
index 0000000..9d7d03a
--- /dev/null
+++ b/bin/tests/system/rndc/ns6/named.args
@@ -0,0 +1,3 @@
+# teardown of a huge zone with tracing enabled takes way too long 
+# -m none is set so that stop.pl does not timeout
+-D rndc-ns6 -X named.lock -m none -c named.conf -d 99 -g -U 4 -T maxcachesize=2097152
diff --git a/bin/tests/system/rndc/ns6/named.conf.in b/bin/tests/system/rndc/ns6/named.conf.in
new file mode 100644
index 0000000..5c35741
--- /dev/null
+++ b/bin/tests/system/rndc/ns6/named.conf.in
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.6; };
+	listen-on-v6 { none; };
+	recursion no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
diff --git a/bin/tests/system/rndc/ns7/include.db.in b/bin/tests/system/rndc/ns7/include.db.in
new file mode 100644
index 0000000..011997b
--- /dev/null
+++ b/bin/tests/system/rndc/ns7/include.db.in
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@		86400	IN SOA	ns7 hostmaster 1 5 5 1814400 3600
+@			NS	ns7
+ns7			A	10.53.0.7
+
+text1			TXT	"include 1"
diff --git a/bin/tests/system/rndc/ns7/include2.db.in b/bin/tests/system/rndc/ns7/include2.db.in
new file mode 100644
index 0000000..e5d1981
--- /dev/null
+++ b/bin/tests/system/rndc/ns7/include2.db.in
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@		86400	IN SOA	ns7 hostmaster 4 5 5 1814400 3600
+@			NS	ns7
+ns7			A	10.53.0.7
+
+text1			TXT	"include 2"
diff --git a/bin/tests/system/rndc/ns7/named.conf.in b/bin/tests/system/rndc/ns7/named.conf.in
new file mode 100644
index 0000000..adca731
--- /dev/null
+++ b/bin/tests/system/rndc/ns7/named.conf.in
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.7; };
+	listen-on-v6 { none; };
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+key int {
+	algorithm @DEFAULT_HMAC@;
+	secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
+};
+
+key ext {
+	algorithm @DEFAULT_HMAC@;
+	secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
+};
+
+controls {
+	inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+view internal {
+	match-clients { key "int"; };
+
+	zone "test" {
+		type primary;
+		update-policy { grant int zonesub any; };
+		file "test.db";
+		ixfr-from-differences yes;
+	};
+};
+
+view external {
+	match-clients { key "ext"; };
+
+	zone "test" {
+		in-view internal;
+	};
+};
diff --git a/bin/tests/system/rndc/ns7/test.db.in b/bin/tests/system/rndc/ns7/test.db.in
new file mode 100644
index 0000000..0bff14e
--- /dev/null
+++ b/bin/tests/system/rndc/ns7/test.db.in
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+$INCLUDE "include.db"
diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh
new file mode 100644
index 0000000..7292818
--- /dev/null
+++ b/bin/tests/system/rndc/setup.sh
@@ -0,0 +1,57 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL ../genzone.sh 2 >ns2/nil.db
+$SHELL ../genzone.sh 2 >ns2/other.db
+$SHELL ../genzone.sh 2 >ns2/static.db
+$SHELL ../genzone.sh 2 >ns4/example.db
+
+cp ns7/test.db.in ns7/test.db
+cp ns7/include.db.in ns7/include.db
+
+$SHELL ../genzone.sh 2 >ns6/huge.zone.db
+awk 'END { for (i = 1; i <= 1000000; i++)
+     printf "host%d IN A 10.53.0.6\n", i; }' < /dev/null >> ns6/huge.zone.db
+
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+copy_setports ns6/named.conf.in ns6/named.conf
+copy_setports ns7/named.conf.in ns7/named.conf
+
+make_key () {
+    $RNDCCONFGEN -k key$1 -A $3 -s 10.53.0.4 -p $2 \
+            > ns4/key${1}.conf 2> /dev/null
+    grep -E -v '(^# Start|^# End|^# Use|^[^#])' ns4/key$1.conf | cut -c3- | \
+            sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf
+}
+
+$FEATURETEST --md5 && make_key 1 ${EXTRAPORT1} hmac-md5
+make_key 2 ${EXTRAPORT2} hmac-sha1
+make_key 3 ${EXTRAPORT3} hmac-sha224
+make_key 4 ${EXTRAPORT4} hmac-sha256
+make_key 5 ${EXTRAPORT5} hmac-sha384
+make_key 6 ${EXTRAPORT6} hmac-sha512
+
+cat >> ns4/named.conf <<- EOF
+
+controls {
+	inet 10.53.0.4 port ${EXTRAPORT7}
+		allow { any; } keys { "key1"; "key2"; "key3";
+                                      "key4"; "key5"; "key6"; };
+};
+EOF
diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh
new file mode 100644
index 0000000..4c40062
--- /dev/null
+++ b/bin/tests/system/rndc/tests.sh
@@ -0,0 +1,839 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd"
+DIGOPTS=""
+DIGCMD="$DIG $DIGOPTS -p ${PORT}"
+RNDCCMD="$RNDC -p ${CONTROLPORT} -c ../common/rndc.conf -s"
+
+status=0
+n=0
+
+n=`expr $n + 1`
+echo_i "preparing ($n)"
+ret=0
+$NSUPDATE -p ${PORT} -k ns2/session.key > /dev/null 2>&1 <<END || ret=1
+server 10.53.0.2
+zone nil.
+update add text1.nil. 600 IN TXT "addition 1"
+send
+zone other.
+update add text1.other. 600 IN TXT "addition 1"
+send
+END
+[ -s ns2/nil.db.jnl ] || {
+	echo_i "'test -s ns2/nil.db.jnl' failed when it shouldn't have"; ret=1;
+}
+[ -s ns2/other.db.jnl ] || {
+	echo_i "'test -s ns2/other.db.jnl' failed when it shouldn't have"; ret=1;
+}
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "rndc freeze"
+$RNDCCMD 10.53.0.2 freeze | sed 's/^/ns2 /' | cat_i
+
+n=`expr $n + 1`
+echo_i "checking zone was dumped ($n)"
+ret=0
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+	grep "addition 1" ns2/nil.db > /dev/null && break
+	sleep 1
+done
+grep "addition 1" ns2/nil.db > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking journal file is still present ($n)"
+ret=0
+[ -s ns2/nil.db.jnl ] || {
+	echo_i "'test -s ns2/nil.db.jnl' failed when it shouldn't have"; ret=1;
+}
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking zone not writable ($n)"
+ret=0
+$NSUPDATE -p ${PORT} -k ns2/session.key > /dev/null 2>&1 <<END && ret=1
+server 10.53.0.2
+zone nil.
+update add text2.nil. 600 IN TXT "addition 2"
+send
+END
+
+$DIGCMD @10.53.0.2 text2.nil. TXT > dig.out.1.test$n
+grep 'addition 2' dig.out.1.test$n >/dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "rndc thaw"
+$RNDCCMD 10.53.0.2 thaw | sed 's/^/ns2 /' | cat_i
+
+n=`expr $n + 1`
+echo_i "checking zone now writable ($n)"
+ret=0
+$NSUPDATE -p ${PORT} -k ns2/session.key > nsupdate.out.1.test$n 2>&1 <<END || ret=1
+server 10.53.0.2
+zone nil.
+update add text3.nil. 600 IN TXT "addition 3"
+send
+END
+$DIGCMD @10.53.0.2 text3.nil. TXT > dig.out.1.test$n
+grep 'addition 3' dig.out.1.test$n >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "rndc sync"
+ret=0
+$RNDCCMD 10.53.0.2 sync nil | sed 's/^/ns2 /' | cat_i
+
+n=`expr $n + 1`
+echo_i "checking zone was dumped ($n)"
+ret=0
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+	grep "addition 3" ns2/nil.db > /dev/null && break
+	sleep 1
+done
+grep "addition 3" ns2/nil.db > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking journal file is still present ($n)"
+ret=0
+[ -s ns2/nil.db.jnl ] || {
+	echo_i "'test -s ns2/nil.db.jnl' failed when it shouldn't have"; ret=1;
+}
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking zone is still writable ($n)"
+ret=0
+$NSUPDATE -p ${PORT} -k ns2/session.key > nsupdate.out.1.test$n 2>&1 <<END || ret=1
+server 10.53.0.2
+zone nil.
+update add text4.nil. 600 IN TXT "addition 4"
+send
+END
+
+$DIGCMD @10.53.0.2 text4.nil. TXT > dig.out.1.test$n
+grep 'addition 4' dig.out.1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "rndc sync -clean"
+ret=0
+$RNDCCMD 10.53.0.2 sync -clean nil | sed 's/^/ns2 /' | cat_i
+
+n=`expr $n + 1`
+echo_i "checking zone was dumped ($n)"
+ret=0
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+	grep "addition 4" ns2/nil.db > /dev/null && break
+	sleep 1
+done
+grep "addition 4" ns2/nil.db > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking journal file is deleted ($n)"
+ret=0
+[ -s ns2/nil.db.jnl ] && {
+	echo_i "'test -s ns2/nil.db.jnl' failed when it shouldn't have"; ret=1;
+}
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking zone is still writable ($n)"
+ret=0
+$NSUPDATE -p ${PORT} -k ns2/session.key > /dev/null 2>&1 <<END || ret=1
+server 10.53.0.2
+zone nil.
+update add text5.nil. 600 IN TXT "addition 5"
+send
+END
+
+$DIGCMD @10.53.0.2 text4.nil. TXT > dig.out.1.test$n
+grep 'addition 4' dig.out.1.test$n >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking other journal files not removed ($n)"
+ret=0
+[ -s ns2/other.db.jnl ] || {
+	echo_i "'test -s ns2/other.db.jnl' failed when it shouldn't have"; ret=1;
+}
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "cleaning all zones ($n)"
+$RNDCCMD 10.53.0.2 sync -clean | sed 's/^/ns2 /' | cat_i
+
+n=`expr $n + 1`
+echo_i "checking all journals removed ($n)"
+ret=0
+[ -s ns2/nil.db.jnl ] && {
+	echo_i "'test -s ns2/nil.db.jnl' succeeded when it shouldn't have"; ret=1;
+}
+[ -s ns2/other.db.jnl ] && {
+	echo_i "'test -s ns2/other.db.jnl' succeeded when it shouldn't have"; ret=1;
+}
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that freezing static zones is not allowed ($n)"
+ret=0
+$RNDCCMD 10.53.0.2 freeze static > rndc.out.1.test$n 2>&1
+grep 'not dynamic' rndc.out.1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that journal is removed when serial is changed before thaw ($n)"
+ret=0
+sleep 1
+$NSUPDATE -p ${PORT} -k ns2/session.key > nsupdate.out.1.test$n 2>&1 <<END || ret=1
+server 10.53.0.2
+zone other.
+update add text6.other. 600 IN TXT "addition 6"
+send
+END
+[ -s ns2/other.db.jnl ] || {
+	echo_i "'test -s ns2/other.db.jnl' failed when it shouldn't have"; ret=1;
+}
+$RNDCCMD 10.53.0.2 freeze other 2>&1 | sed 's/^/ns2 /' | cat_i
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+	grep "addition 6" ns2/other.db > /dev/null && break
+	sleep 1
+done
+serial=`awk '$3 ~ /serial/ {print $1}' ns2/other.db`
+newserial=`expr $serial + 1`
+sed s/$serial/$newserial/ ns2/other.db > ns2/other.db.new
+echo 'frozen TXT "frozen addition"' >> ns2/other.db.new
+mv -f ns2/other.db.new ns2/other.db
+$RNDCCMD 10.53.0.2 thaw 2>&1 | sed 's/^/ns2 /' | cat_i
+sleep 1
+[ -f ns2/other.db.jnl ] && {
+	echo_i "'test -f ns2/other.db.jnl' succeeded when it shouldn't have"; ret=1;
+}
+$NSUPDATE -p ${PORT} -k ns2/session.key > nsupdate.out.2.test$n 2>&1 <<END || ret=1
+server 10.53.0.2
+zone other.
+update add text7.other. 600 IN TXT "addition 7"
+send
+END
+$DIGCMD @10.53.0.2 text6.other. TXT > dig.out.1.test$n
+grep 'addition 6' dig.out.1.test$n >/dev/null || ret=1
+$DIGCMD @10.53.0.2 text7.other. TXT > dig.out.2.test$n
+grep 'addition 7' dig.out.2.test$n >/dev/null || ret=1
+$DIGCMD @10.53.0.2 frozen.other. TXT > dig.out.3.test$n
+grep 'frozen addition' dig.out.3.test$n >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that journal is kept when ixfr-from-differences is in use ($n)"
+ret=0
+$NSUPDATE -p ${PORT} -k ns2/session.key > nsupdate.out.1.test$n 2>&1 <<END || ret=1
+server 10.53.0.2
+zone nil.
+update add text6.nil. 600 IN TXT "addition 6"
+send
+END
+[ -s ns2/nil.db.jnl ] || {
+	echo_i "'test -s ns2/nil.db.jnl' failed when it shouldn't have"; ret=1;
+}
+$RNDCCMD 10.53.0.2 freeze nil 2>&1 | sed 's/^/ns2 /' | cat_i
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+	grep "addition 6" ns2/nil.db > /dev/null && break
+	sleep 1
+done
+serial=`awk '$3 ~ /serial/ {print $1}' ns2/nil.db`
+newserial=`expr $serial + 1`
+sed s/$serial/$newserial/ ns2/nil.db > ns2/nil.db.new
+echo 'frozen TXT "frozen addition"' >> ns2/nil.db.new
+mv -f ns2/nil.db.new ns2/nil.db
+$RNDCCMD 10.53.0.2 thaw 2>&1 | sed 's/^/ns2 /' | cat_i
+sleep 1
+[ -s ns2/nil.db.jnl ] || {
+	echo_i "'test -s ns2/nil.db.jnl' failed when it shouldn't have"; ret=1;
+}
+$NSUPDATE -p ${PORT} -k ns2/session.key > nsupdate.out.2.test$n 2>&1 <<END || ret=1
+server 10.53.0.2
+zone nil.
+update add text7.nil. 600 IN TXT "addition 7"
+send
+END
+$DIGCMD @10.53.0.2 text6.nil. TXT > dig.out.1.test$n
+grep 'addition 6' dig.out.1.test$n > /dev/null || ret=1
+$DIGCMD @10.53.0.2 text7.nil. TXT > dig.out.2.test$n
+grep 'addition 7' dig.out.2.test$n > /dev/null || ret=1
+$DIGCMD @10.53.0.2 frozen.nil. TXT > dig.out.3.test$n
+grep 'frozen addition' dig.out.3.test$n >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# temp test
+echo_i "dumping stats ($n)"
+$RNDCCMD 10.53.0.2 stats
+n=`expr $n + 1`
+echo_i "verifying adb records in named.stats ($n)"
+grep "ADB stats" ns2/named.stats > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "test using second key ($n)"
+ret=0
+$RNDC -s 10.53.0.2 -p ${CONTROLPORT} -c ns2/secondkey.conf status > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "test 'rndc dumpdb' on a empty cache ($n)"
+ret=0
+rndc_dumpdb ns3 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "test 'rndc reload' on a zone with include files ($n)"
+ret=0
+grep "incl/IN: skipping load" ns2/named.run > /dev/null && ret=1
+loads=`grep "incl/IN: starting load" ns2/named.run | wc -l`
+[ "$loads" -eq 1 ] || ret=1
+$RNDCCMD 10.53.0.2 reload > /dev/null || ret=1
+for i in 1 2 3 4 5 6 7 8 9
+do
+    tmp=0
+    grep "incl/IN: skipping load" ns2/named.run > /dev/null || tmp=1
+    [ $tmp -eq 0 ] && break
+    sleep 1
+done
+[ $tmp -eq 1 ] && ret=1
+touch ns2/static.db
+$RNDCCMD 10.53.0.2 reload > /dev/null || ret=1
+for i in 1 2 3 4 5 6 7 8 9
+do
+    tmp=0
+    loads=`grep "incl/IN: starting load" ns2/named.run | wc -l`
+    [ "$loads" -eq 2 ] || tmp=1
+    [ $tmp -eq 0 ] && break
+    sleep 1
+done
+[ $tmp -eq 1 ] && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=$((n+1))
+if $FEATURETEST --md5; then
+	echo_i "testing rndc with hmac-md5 ($n)"
+	ret=0
+	$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
+	for i in 2 3 4 5 6
+	do
+		$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
+	done
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=$((status+ret))
+else
+	echo_i "skipping rndc with hmac-md5 ($n)"
+fi
+
+n=`expr $n + 1`
+echo_i "testing rndc with hmac-sha1 ($n)"
+ret=0
+$RNDC -s 10.53.0.4 -p ${EXTRAPORT2} -c ns4/key2.conf status > /dev/null 2>&1 || ret=1
+for i in 1 3 4 5 6
+do
+        $RNDC -s 10.53.0.4 -p ${EXTRAPORT2} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "testing rndc with hmac-sha224 ($n)"
+ret=0
+$RNDC -s 10.53.0.4 -p ${EXTRAPORT3} -c ns4/key3.conf status > /dev/null 2>&1 || ret=1
+for i in 1 2 4 5 6
+do
+        $RNDC -s 10.53.0.4 -p ${EXTRAPORT3} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "testing rndc with hmac-sha256 ($n)"
+ret=0
+$RNDC -s 10.53.0.4 -p ${EXTRAPORT4} -c ns4/key4.conf status > /dev/null 2>&1 || ret=1
+for i in 1 2 3 5 6
+do
+        $RNDC -s 10.53.0.4 -p ${EXTRAPORT4} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "testing rndc with hmac-sha384 ($n)"
+ret=0
+$RNDC -s 10.53.0.4 -p ${EXTRAPORT5} -c ns4/key5.conf status > /dev/null 2>&1 || ret=1
+for i in 1 2 3 4 6
+do
+        $RNDC -s 10.53.0.4 -p ${EXTRAPORT5} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "testing rndc with hmac-sha512 ($n)"
+ret=0
+$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf status > /dev/null 2>&1 || ret=1
+for i in 1 2 3 4 5
+do
+        $RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key${i}.conf status > /dev/null 2>&1 2>&1 && ret=1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "testing single control channel with multiple algorithms ($n)"
+ret=0
+for i in 1 2 3 4 5 6
+do
+        $RNDC -s 10.53.0.4 -p ${EXTRAPORT7} -c ns4/key${i}.conf status > /dev/null 2>&1 || ret=1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "testing automatic zones are reported ($n)"
+ret=0
+$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf status > rndc.out.1.test$n || ret=1
+grep "number of zones: 201 (198 automatic)" rndc.out.1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "testing rndc with null command ($n)"
+ret=0
+$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "testing rndc with unknown control channel command ($n)"
+ret=0
+$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf obviouslynotacommand >/dev/null 2>&1 && ret=1
+# rndc: 'obviouslynotacommand' failed: unknown command
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "testing rndc with querylog command ($n)"
+ret=0
+# first enable it with querylog on option
+$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf querylog on >/dev/null 2>&1 || ret=1
+grep "query logging is now on" ns4/named.run > /dev/null || ret=1
+# query for builtin and check if query was logged (without +subnet)
+$DIG @10.53.0.4 -p ${PORT} -c ch -t txt foo12345.bind +qr > dig.out.1.test$n 2>&1 || ret=1
+grep "query: foo12345.bind CH TXT.*(.*)$" ns4/named.run > /dev/null || ret=1
+# query for another builtin zone and check if query was logged (with +subnet=127.0.0.1)
+$DIG +subnet=127.0.0.1 @10.53.0.4 -p ${PORT} -c ch -t txt foo12346.bind +qr > dig.out.2.test$n 2>&1 || ret=1
+grep "query: foo12346.bind CH TXT.*\[ECS 127\.0\.0\.1/32/0]" ns4/named.run > /dev/null || ret=1
+# query for another builtin zone and check if query was logged (with +subnet=127.0.0.1/24)
+$DIG +subnet=127.0.0.1/24 @10.53.0.4 -p ${PORT} -c ch -t txt foo12347.bind +qr > dig.out.3.test$n 2>&1 || ret=1
+grep "query: foo12347.bind CH TXT.*\[ECS 127\.0\.0\.0/24/0]" ns4/named.run > /dev/null || ret=1
+# query for another builtin zone and check if query was logged (with +subnet=::1)
+$DIG +subnet=::1 @10.53.0.4 -p ${PORT} -c ch -t txt foo12348.bind +qr > dig.out.4.test$n 2>&1 || ret=1
+grep "query: foo12348.bind CH TXT.*\[ECS ::1/128/0]" ns4/named.run > /dev/null || ret=1
+# toggle query logging and check again
+$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf querylog > /dev/null 2>&1 || ret=1
+grep "query logging is now off" ns4/named.run > /dev/null || ret=1
+# query for another builtin zone and check if query was logged (without +subnet)
+$DIG @10.53.0.4 -p ${PORT} -c ch -t txt foo9876.bind +qr > dig.out.5.test$n 2>&1 || ret=1
+grep "query: foo9876.bind CH TXT.*(.*)$" ns4/named.run > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+RNDCCMD4="$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf"
+n=`expr $n + 1`
+echo_i "testing rndc nta time limits ($n)"
+ret=0
+$RNDCCMD4 nta -l 2h nta1.example > rndc.out.1.test$n 2>&1
+grep "Negative trust anchor added" rndc.out.1.test$n > /dev/null || ret=1
+$RNDCCMD4 nta -l 1d nta2.example > rndc.out.2.test$n 2>&1
+grep "Negative trust anchor added" rndc.out.2.test$n > /dev/null || ret=1
+$RNDCCMD4 nta -l 1w nta3.example > rndc.out.3.test$n 2>&1
+grep "Negative trust anchor added" rndc.out.3.test$n > /dev/null || ret=1
+$RNDCCMD4 nta -l 8d nta4.example > rndc.out.4.test$n 2>&1
+grep "NTA lifetime cannot exceed one week" rndc.out.4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "testing rndc nta -class option ($n)"
+ret=0
+nextpart ns4/named.run > /dev/null
+$RNDCCMD4 nta -c in nta1.example > rndc.out.1.test$n 2>&1
+nextpart ns4/named.run | grep "added NTA 'nta1.example'" > /dev/null || ret=1
+$RNDCCMD4 nta -c any nta1.example > rndc.out.2.test$n 2>&1
+nextpart ns4/named.run | grep "added NTA 'nta1.example'" > /dev/null || ret=1
+$RNDCCMD4 nta -c ch nta1.example > rndc.out.3.test$n 2>&1
+nextpart ns4/named.run | grep "added NTA 'nta1.example'" > /dev/null && ret=1
+$RNDCCMD4 nta -c fake nta1.example > rndc.out.4.test$n 2>&1
+nextpart ns4/named.run | grep "added NTA 'nta1.example'" > /dev/null && ret=1
+grep 'unknown class' rndc.out.4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+for i in 512 1024 2048 4096 8192 16384 32768 65536 131072 262144 524288
+do
+	n=`expr $n + 1`
+	echo_i "testing rndc buffer size limits (size=${i}) ($n)"
+	ret=0
+	$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf testgen ${i} 2>&1 > rndc.out.$i.test$n || ret=1
+	actual_size=`$GENCHECK rndc.out.$i.test$n`
+	if [ "$?" = "0" ]; then
+	    expected_size=`expr $i + 1`
+	    if [ $actual_size != $expected_size ]; then ret=1; fi
+	else
+	    ret=1
+	fi
+
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=`expr $status + $ret`
+done
+
+n=`expr $n + 1`
+echo_i "testing rndc -r (show result) ($n)"
+ret=0
+$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf -r testgen 0 2>&1 > rndc.out.1.test$n || ret=1
+grep "ISC_R_SUCCESS 0" rndc.out.1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "testing rndc with a token containing a space ($n)"
+ret=0
+$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf -r flush '"view with a space"' 2>&1 > rndc.out.1.test$n || ret=1
+grep "not found" rndc.out.1.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "test 'rndc reconfig' with a broken config ($n)"
+ret=0
+$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf reconfig > /dev/null || ret=1
+sleep 1
+mv ns4/named.conf ns4/named.conf.save
+echo "error error error" >> ns4/named.conf
+$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf reconfig > rndc.out.1.test$n 2>&1 && ret=1
+grep "rndc: 'reconfig' failed: unexpected token" rndc.out.1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check rndc status reports failure ($n)"
+ret=0
+$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf status > rndc.out.1.test$n 2>&1 || ret=1
+grep "reload/reconfig failed" rndc.out.1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "restore working config ($n)"
+ret=0
+mv ns4/named.conf.save ns4/named.conf
+sleep 1
+$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf reconfig > /dev/null || ret=1
+sleep 1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check 'rndc status' 'reload/reconfig failure' is cleared after successful reload/reconfig ($n)"
+ret=0
+$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf status > rndc.out.1.test$n 2>&1 || ret=1
+grep "reload/reconfig failed" rndc.out.1.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "test read-only control channel access ($n)"
+ret=0
+$RNDCCMD 10.53.0.5 status > rndc.out.1.test$n 2>&1 || ret=1
+$RNDCCMD 10.53.0.5 nta -dump > rndc.out.2.test$n 2>&1 || ret=1
+$RNDCCMD 10.53.0.5 reconfig > rndc.out.3.test$n 2>&1 && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "test rndc status shows running on ($n)"
+ret=0
+$RNDCCMD 10.53.0.5 status > rndc.out.1.test$n 2>&1 || ret=1
+grep "^running on " rndc.out.1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "test 'rndc reconfig' with loading of a large zone ($n)"
+ret=0
+cur=`awk 'BEGIN {l=0} /^/ {l++} END { print l }' ns6/named.run`
+cp ns6/named.conf ns6/named.conf.save
+echo "zone \"huge.zone\" { type primary; file \"huge.zone.db\"; };" >> ns6/named.conf
+echo_i "reloading config"
+$RNDCCMD 10.53.0.6 reconfig > rndc.out.1.test$n 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+sleep 1
+n=`expr $n + 1`
+echo_i "check if zone load was scheduled ($n)"
+grep "scheduled loading new zones" ns6/named.run > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check if query for the zone returns SERVFAIL ($n)"
+$DIG @10.53.0.6 -p ${PORT} -t soa huge.zone > dig.out.1.test$n
+grep "SERVFAIL" dig.out.1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed (ignored)"; ret=0; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "wait for the zones to be loaded ($n)"
+ret=1
+try=0
+while test $try -lt 180
+do
+    sleep 1
+    sed -n "$cur,"'$p' < ns6/named.run | grep "any newly configured zones are now loaded" > /dev/null && {
+        ret=0
+        break
+    }
+    try=`expr $try + 1`
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check if query for the zone returns NOERROR ($n)"
+$DIG @10.53.0.6 -p ${PORT} -t soa huge.zone > dig.out.1.test$n
+grep "NOERROR" dig.out.1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "verify that the full command is logged ($n)"
+ret=0
+$RNDCCMD 10.53.0.2 null with extra arguments > /dev/null 2>&1
+grep "received control channel command 'null with extra arguments'" ns2/named.run > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+mv ns6/named.conf.save ns6/named.conf
+sleep 1
+$RNDCCMD 10.53.0.6 reconfig > /dev/null || ret=1
+sleep 1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+if [ -x "$PYTHON" ]; then
+    n=`expr $n + 1`
+    echo_i "test rndc python bindings ($n)"
+    ret=0
+    $PYTHON > python.out.1.test$n << EOF
+import sys
+sys.path.insert(0, '../../../../bin/python')
+from isc import *
+r = rndc(('10.53.0.5', ${CONTROLPORT}), 'hmac-sha256', '1234abcd8765')
+result = r.call('status')
+print(result['text'])
+EOF
+    grep 'server is up and running' python.out.1.test$n > /dev/null 2>&1 || ret=1
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=`expr $status + $ret`
+fi
+
+n=`expr $n + 1`
+echo_i "check 'rndc \"\"' is handled ($n)"
+ret=0
+$RNDCCMD 10.53.0.2 "" > rndc.out.1.test$n 2>&1 && ret=1
+grep "rndc: '' failed: failure" rndc.out.1.test$n > /dev/null
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check rndc -4 -6 ($n)"
+ret=0
+$RNDCCMD 10.53.0.2 -4 -6 status > rndc.out.1.test$n 2>&1 && ret=1
+grep "only one of -4 and -6 allowed" rndc.out.1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check rndc -4 with an IPv6 server address ($n)"
+ret=0
+$RNDCCMD fd92:7065:b8e:ffff::2 -4 status > rndc.out.1.test$n 2>&1 && ret=1
+grep "address family not supported" rndc.out.1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check rndc nta reports adding to multiple views ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 nta test.com > rndc.out.test$n 2>&1 || ret=1
+lines=`cat rndc.out.test$n | wc -l`
+[ ${lines:-0} -eq 2 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check 'rndc retransfer' of primary error message ($n)"
+ret=0
+$RNDCCMD 10.53.0.2 retransfer nil > rndc.out.test$n 2>&1 && ret=1
+grep "rndc: 'retransfer' failed: failure" rndc.out.test$n > /dev/null || ret=1
+grep "retransfer: inappropriate zone type: primary" rndc.out.test$n > /dev/null || ret=1
+lines=`cat rndc.out.test$n | wc -l`
+[ ${lines:-0} -eq 2 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=$((n+1))
+echo_i "check 'rndc freeze' with in-view zones works ($n)"
+ret=0
+$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf freeze > rndc.out.test$n 2>&1 || ret=1
+test -s rndc.out.test$n && sed 's/^/ns2 /' rndc.out.test$n | cat_i
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking non in-view zone instance is not writable ($n)"
+ret=0
+$NSUPDATE -p ${PORT} > /dev/null 2>&1 <<END && ret=1
+server 10.53.0.4
+zone example.
+update add text2.example. 600 IN TXT "addition 3"
+send
+END
+$DIGCMD @10.53.0.4 -p ${PORT} text2.example. TXT > dig.out.1.test$n
+grep 'addition 3' dig.out.1.test$n >/dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check 'rndc thaw' with in-view zones works ($n)"
+ret=0
+$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf thaw > rndc.out.test$n 2>&1 || ret=1
+test -s rndc.out.test$n && sed 's/^/ns2 /' rndc.out.test$n | cat_i
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking non in-view zone instance is now writable ($n)"
+ret=0
+$NSUPDATE -p ${PORT} > nsupdate.out.test$n 2>&1 <<END || ret=1
+server 10.53.0.4
+zone example.
+update add text2.example. 600 IN TXT "addition 3"
+send
+END
+$DIGCMD @10.53.0.4 -p ${PORT} text2.example. TXT > dig.out.1.test$n
+grep 'addition 3' dig.out.1.test$n >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking initial in-view zone file is loaded ($n)"
+ret=0
+TSIG="$DEFAULT_HMAC:int:FrSt77yPTFx6hTs4i2tKLB9LmE0="
+$DIGCMD @10.53.0.7 -y "$TSIG" text1.test. TXT > dig.out.1.test$n
+grep 'include 1' dig.out.1.test$n >/dev/null || ret=1
+TSIG="$DEFAULT_HMAC:ext:FrSt77yPTFx6hTs4i2tKLB9LmE0="
+$DIGCMD @10.53.0.7 -y "$TSIG" text1.test. TXT > dig.out.2.test$n
+grep 'include 1' dig.out.2.test$n >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "update in-view zone ($n)"
+ret=0
+TSIG="$DEFAULT_HMAC:int:FrSt77yPTFx6hTs4i2tKLB9LmE0="
+$NSUPDATE -p ${PORT} -y "$TSIG" > /dev/null 2>&1 <<END || ret=1
+server 10.53.0.7
+zone test.
+update add text2.test. 600 IN TXT "addition 1"
+send
+END
+[ -s ns7/test.db.jnl ] || {
+	echo_i "'test -s ns7/test.db.jnl' failed when it shouldn't have"; ret=1;
+}
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "checking update ($n)"
+ret=0
+TSIG="$DEFAULT_HMAC:int:FrSt77yPTFx6hTs4i2tKLB9LmE0="
+$DIGCMD @10.53.0.7 -y "$TSIG" text2.test. TXT > dig.out.1.test$n
+grep 'addition 1' dig.out.1.test$n >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+nextpart ns7/named.run > /dev/null
+
+echo_i "rndc freeze"
+$RNDCCMD 10.53.0.7 freeze | sed 's/^/ns7 /' | cat_i | cat_i
+
+wait_for_log 3 "dump_done: zone test/IN/internal: enter" ns7/named.run
+
+echo_i "edit zone files"
+cp ns7/test.db.in ns7/test.db
+cp ns7/include2.db.in ns7/include.db
+
+echo_i "rndc thaw"
+$RNDCCMD 10.53.0.7 thaw | sed 's/^/ns7 /' | cat_i
+
+wait_for_log 3 "zone_postload: zone test/IN/internal: done" ns7/named.run
+
+echo_i "rndc reload"
+$RNDCCMD 10.53.0.7 reload | sed 's/^/ns7 /' | cat_i
+
+wait_for_log 3 "all zones loaded" ns7/named.run
+
+n=$((n+1))
+echo_i "checking zone file edits are loaded ($n)"
+ret=0
+TSIG="$DEFAULT_HMAC:int:FrSt77yPTFx6hTs4i2tKLB9LmE0="
+$DIGCMD @10.53.0.7 -y "$TSIG" text1.test. TXT > dig.out.1.test$n
+grep 'include 2' dig.out.1.test$n >/dev/null || ret=1
+TSIG="$DEFAULT_HMAC:ext:FrSt77yPTFx6hTs4i2tKLB9LmE0="
+$DIGCMD @10.53.0.7 -y "$TSIG" text1.test. TXT > dig.out.2.test$n
+grep 'include 2' dig.out.2.test$n >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/rootkeysentinel/clean.sh b/bin/tests/system/rootkeysentinel/clean.sh
new file mode 100644
index 0000000..e9cd3cc
--- /dev/null
+++ b/bin/tests/system/rootkeysentinel/clean.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f dig.out.ns?.test*
+rm -f */dsset-*
+rm -f */named.conf
+rm -f */named.memstats
+rm -f */named.run
+rm -f */trusted.conf
+rm -f ns1/K.*
+rm -f ns1/root.db
+rm -f ns1/root.db.signed
+rm -f ns2/Kexample.*
+rm -f ns2/example.db
+rm -f ns2/example.db.signed
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/rootkeysentinel/ns1/named.conf.in b/bin/tests/system/rootkeysentinel/ns1/named.conf.in
new file mode 100644
index 0000000..930f3bc
--- /dev/null
+++ b/bin/tests/system/rootkeysentinel/ns1/named.conf.in
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	dnssec-validation yes;
+};
+
+zone "." {
+	type primary;
+	file "root.db.signed";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/rootkeysentinel/ns1/root.db.in b/bin/tests/system/rootkeysentinel/ns1/root.db.in
new file mode 100644
index 0000000..cc97041
--- /dev/null
+++ b/bin/tests/system/rootkeysentinel/ns1/root.db.in
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. 			IN SOA	marka.isc.org. a.root.servers.nil. (
+				2018031400   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+
+example.		NS	ns2.example.
+ns2.example.		A	10.53.0.2
diff --git a/bin/tests/system/rootkeysentinel/ns1/sign.sh b/bin/tests/system/rootkeysentinel/ns1/sign.sh
new file mode 100644
index 0000000..4a1770e
--- /dev/null
+++ b/bin/tests/system/rootkeysentinel/ns1/sign.sh
@@ -0,0 +1,36 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=.
+infile=root.db.in
+zonefile=root.db
+
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyid=$(expr ${keyname} : 'K.+[0-9][0-9][0-9]+\(.*\)')
+
+(cd ../ns2 && $SHELL sign.sh ${keyid:-00000} )
+
+cp ../ns2/dsset-example$TP .
+
+cat $infile $keyname.key > $zonefile
+
+$SIGNER -P -g -o $zone $zonefile > /dev/null
+
+# Configure the resolving server with a static key.
+keyfile_to_static_ds $keyname > trusted.conf
+cp trusted.conf ../ns2/trusted.conf
+cp trusted.conf ../ns3/trusted.conf
+cp trusted.conf ../ns4/trusted.conf
diff --git a/bin/tests/system/rootkeysentinel/ns2/example.db.in b/bin/tests/system/rootkeysentinel/ns2/example.db.in
new file mode 100644
index 0000000..92ca3bf
--- /dev/null
+++ b/bin/tests/system/rootkeysentinel/ns2/example.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2018031400 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+ns2			A	10.53.0.2
diff --git a/bin/tests/system/rootkeysentinel/ns2/named.conf.in b/bin/tests/system/rootkeysentinel/ns2/named.conf.in
new file mode 100644
index 0000000..25e4e50
--- /dev/null
+++ b/bin/tests/system/rootkeysentinel/ns2/named.conf.in
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	dnssec-validation yes;
+};
+
+zone "example" {
+	type primary;
+	file "example.db.signed";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/rootkeysentinel/ns2/sign.sh b/bin/tests/system/rootkeysentinel/ns2/sign.sh
new file mode 100644
index 0000000..bae212e
--- /dev/null
+++ b/bin/tests/system/rootkeysentinel/ns2/sign.sh
@@ -0,0 +1,44 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# leave as expr as expr treats arguments with leading 0's as base 10
+# handle exit code 1 from expr when the result is 0
+oldid=${1:-00000}
+newid=$(expr \( ${oldid} + 1000 \) % 65536 || true)
+newid=$(expr "0000${newid}" : '.*\(.....\)$')	# prepend leading 0's
+badid=$(expr \( ${oldid} + 7777 \) % 65536 || true)
+badid=$(expr "0000${badid}" : '.*\(.....\)$')	# prepend leading 0's
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=example.
+infile=example.db.in
+zonefile=example.db
+
+keyname1=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone)
+keyname2=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone)
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+echo root-key-sentinel-is-ta-$oldid A 10.53.0.1 >> $zonefile
+echo root-key-sentinel-not-ta-$oldid A 10.53.0.2 >> $zonefile
+echo root-key-sentinel-is-ta-$newid A 10.53.0.3 >> $zonefile
+echo root-key-sentinel-not-ta-$newid A 10.53.0.4 >> $zonefile
+echo old-is-ta CNAME root-key-sentinel-is-ta-$oldid >> $zonefile
+echo old-not-ta CNAME root-key-sentinel-not-ta-$oldid >> $zonefile
+echo new-is-ta CNAME root-key-sentinel-is-ta-$newid >> $zonefile
+echo new-not-ta CNAME root-key-sentinel-not-ta-$newid >> $zonefile
+echo bad-is-ta CNAME root-key-sentinel-is-ta-$badid >> $zonefile
+echo bad-not-ta CNAME root-key-sentinel-not-ta-$badid >> $zonefile
+
+$SIGNER -P -g -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
diff --git a/bin/tests/system/rootkeysentinel/ns3/hint.db b/bin/tests/system/rootkeysentinel/ns3/hint.db
new file mode 100644
index 0000000..0018b52
--- /dev/null
+++ b/bin/tests/system/rootkeysentinel/ns3/hint.db
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+.                       NS      a.root-servers.nil.
+a.root-servers.nil.     A       10.53.0.1
diff --git a/bin/tests/system/rootkeysentinel/ns3/named.conf.in b/bin/tests/system/rootkeysentinel/ns3/named.conf.in
new file mode 100644
index 0000000..c9682c9
--- /dev/null
+++ b/bin/tests/system/rootkeysentinel/ns3/named.conf.in
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+	dnssec-validation yes;
+	root-key-sentinel yes;
+};
+
+zone "." {
+	type hint;
+	file "hint.db";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/rootkeysentinel/ns4/hint.db b/bin/tests/system/rootkeysentinel/ns4/hint.db
new file mode 100644
index 0000000..0018b52
--- /dev/null
+++ b/bin/tests/system/rootkeysentinel/ns4/hint.db
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+.                       NS      a.root-servers.nil.
+a.root-servers.nil.     A       10.53.0.1
diff --git a/bin/tests/system/rootkeysentinel/ns4/named.conf.in b/bin/tests/system/rootkeysentinel/ns4/named.conf.in
new file mode 100644
index 0000000..6f60ffd
--- /dev/null
+++ b/bin/tests/system/rootkeysentinel/ns4/named.conf.in
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+	dnssec-validation yes;
+	root-key-sentinel no;
+};
+
+zone "." {
+	type hint;
+	file "hint.db";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/rootkeysentinel/setup.sh b/bin/tests/system/rootkeysentinel/setup.sh
new file mode 100644
index 0000000..a84f2e7
--- /dev/null
+++ b/bin/tests/system/rootkeysentinel/setup.sh
@@ -0,0 +1,23 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+
+cd ns1
+$SHELL sign.sh
diff --git a/bin/tests/system/rootkeysentinel/tests.sh b/bin/tests/system/rootkeysentinel/tests.sh
new file mode 100644
index 0000000..c1b43b1
--- /dev/null
+++ b/bin/tests/system/rootkeysentinel/tests.sh
@@ -0,0 +1,296 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=0
+
+rm -f dig.out.*
+
+DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}"
+
+newtest() {
+	n=`expr $n + 1`
+	case $# in
+	1)
+		echo_i "$1 ($n)"
+		;;
+	2)
+		echo_i "$1"
+		echo_ic "$2 ($n)"
+		;;
+	esac
+	ret=0
+}
+
+newtest "get test ids"
+$DIG $DIGOPTS . dnskey +short +rrcomm @10.53.0.1 > dig.out.ns1.test$n || ret=1
+oldid=`sed -n 's/.*key id = //p' < dig.out.ns1.test$n`
+oldid=`expr "0000${oldid}" : '.*\(.....\)$'`
+newid=`expr \( ${oldid} + 1000 \) % 65536`
+newid=`expr "0000${newid}" : '.*\(.....\)$'`
+badid=`expr \( ${oldid} + 7777 \) % 65536`
+badid=`expr "0000${badid}" : '.*\(.....\)$'`
+echo_i "test id: oldid=${oldid} (configured)"
+echo_i "test id: newid=${newid} (not configured)"
+echo_i "test id: badid=${badid}"
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+newtest "check authoritative server (expect NOERROR)"
+$DIG $DIGOPTS @10.53.0.2 example SOA > dig.out.ns2.test$n
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+newtest "check test zone resolves with 'root-key-sentinel yes;'" " (expect NOERROR)"
+$DIG $DIGOPTS @10.53.0.3 example SOA > dig.out.ns3.test$n
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+newtest "check root-key-sentinel-is-ta with old ta and" " 'root-key-sentinel yes;' (expect NOERROR)"
+$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-is-ta-${oldid}.example A > dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+newtest "check root-key-sentinel-not-ta with old ta and" " 'root-key-sentinel yes;' (expect SERVFAIL)"
+$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-not-ta-${oldid}.example A > dig.out.ns3.test$n || ret=1
+grep "status: SERVFAIL" dig.out.ns3.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+newtest "check root-key-sentinel-not-ta with old ta, CD=1 and" " 'root-key-sentinel yes;' (expect NOERROR)"
+$DIG $DIGOPTS @10.53.0.3 +cd root-key-sentinel-not-ta-${oldid}.example A > dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+newtest "check root-key-sentinel-is-ta with new ta and" " 'root-key-sentinel yes;' (expect SERVFAIL)"
+$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-is-ta-${newid}.example A > dig.out.ns3.test$n || ret=1
+grep "status: SERVFAIL" dig.out.ns3.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+newtest "check root-key-sentinel-is-ta with new ta, CD=1 and" " 'root-key-sentinel yes;' (expect NOERROR)"
+$DIG $DIGOPTS @10.53.0.3 +cd root-key-sentinel-is-ta-${newid}.example A > dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+newtest "check root-key-sentinel-not-ta with new ta and" " 'root-key-sentinel yes;' (expect NOERROR)"
+$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-not-ta-${newid}.example A > dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+newtest "check root-key-sentinel-is-ta with bad ta and" " 'root-key-sentinel yes;' (expect SERVFAIL)"
+$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-is-ta-${badid}.example A > dig.out.ns3.test$n || ret=1
+grep "status: SERVFAIL" dig.out.ns3.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+newtest "check root-key-sentinel-is-ta with bad ta, CD=1 and" " 'root-key-sentinel yes;' (expect NXDOMAIN)"
+$DIG $DIGOPTS @10.53.0.3 +cd root-key-sentinel-is-ta-${badid}.example A > dig.out.ns3.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+newtest "check root-key-sentinel-not-ta with bad ta and" " 'root-key-sentinel yes;' (expect NXDOMAIN)"
+$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-not-ta-${badid}.example A > dig.out.ns3.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+newtest "check root-key-sentinel-is-ta with out-of-range ta and" " 'root-key-sentinel yes;' (expect NXDOMAIN)"
+$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-is-ta-72345.example A > dig.out.ns3.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+newtest "check root-key-sentinel-not-ta with out-of-range ta and" " 'root-key-sentinel yes;' (expect NXDOMAIN)"
+$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-not-ta-72345.example A > dig.out.ns3.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+newtest "check root-key-sentinel-is-ta with no-zero-pad ta and" " 'root-key-sentinel yes;' (expect NXDOMAIN)"
+$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-is-ta-1234.example A > dig.out.ns3.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+newtest "check root-key-sentinel-not-ta with no-zero-pad ta and" " 'root-key-sentinel yes;' (expect NXDOMAIN)"
+$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-not-ta-1234.example A > dig.out.ns3.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+newtest "check CNAME to root-key-sentinel-is-ta with old ta and" " 'root-key-sentinel yes;' (expect NOERROR)"
+$DIG $DIGOPTS @10.53.0.3 old-is-ta.example A > dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep "old-is-ta.*CNAME.root-key-sentinel-is-ta-${oldid}.example." dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+newtest "check CNAME to root-key-sentinel-not-ta with old ta and" " 'root-key-sentinel yes;' (expect NOERROR)"
+$DIG $DIGOPTS @10.53.0.3 old-not-ta.example A > dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep "old-not-ta.*CNAME.root-key-sentinel-not-ta-${oldid}.example." dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+newtest "check CNAME to root-key-sentinel-is-ta with new ta and" " 'root-key-sentinel yes;' (expect NOERROR)"
+$DIG $DIGOPTS @10.53.0.3 new-is-ta.example A > dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep "new-is-ta.*CNAME.root-key-sentinel-is-ta-${newid}.example." dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+newtest "check CNAME to root-key-sentinel-not-ta with new ta and" " 'root-key-sentinel yes;' (expect NOERROR)"
+$DIG $DIGOPTS @10.53.0.3 new-not-ta.example A > dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep "new-not-ta.*CNAME.root-key-sentinel-not-ta-${newid}.example." dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+newtest "check CNAME to root-key-sentinel-is-ta with bad ta and" " 'root-key-sentinel yes;' (expect NXDOMAIN)"
+$DIG $DIGOPTS @10.53.0.3 bad-is-ta.example A > dig.out.ns3.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1
+grep "bad-is-ta.*CNAME.root-key-sentinel-is-ta-${badid}.example" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+newtest "check CNAME to root-key-sentinel-not-ta with bad ta and" " 'root-key-sentinel yes;' (expect NXDOMAIN)"
+$DIG $DIGOPTS @10.53.0.3 bad-not-ta.example A > dig.out.ns3.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1
+grep "bad-not-ta.*CNAME.root-key-sentinel-not-ta-${badid}.example." dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+newtest "check test zone resolves with 'root-key-sentinel no;'" " (expect NOERROR)"
+$DIG $DIGOPTS @10.53.0.4 example SOA > dig.out.ns4.test$n
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+newtest "check root-key-sentinel-is-ta with old ta and" " 'root-key-sentinel no;' (expect NOERROR)"
+$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-is-ta-${oldid}.example A > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+newtest "check root-key-sentinel-not-ta with old ta and" " 'root-key-sentinel no;' (expect NOERROR)"
+$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-not-ta-${oldid}.example A > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+newtest "check root-key-sentinel-is-ta with new ta and" " 'root-key-sentinel no;' (expect NOERROR)"
+$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-is-ta-${newid}.example A > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+newtest "check root-key-sentinel-not-ta with new ta and" " 'root-key-sentinel no;' (expect NOERROR)"
+$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-not-ta-${newid}.example A > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+newtest "check root-key-sentinel-is-ta with bad ta and" " 'root-key-sentinel no;' (expect NXDOMAIN)"
+$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-is-ta-${badid}.example A > dig.out.ns4.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+newtest "check root-key-sentinel-not-ta with bad ta and" " 'root-key-sentinel no;' (expect NXDOMAIN)"
+$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-not-ta-${badid}.example A > dig.out.ns4.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+newtest "check root-key-sentinel-is-ta with out-of-range ta and" " 'root-key-sentinel no;' (expect NXDOMAIN)"
+$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-is-ta-72345.example A > dig.out.ns4.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+newtest "check root-key-sentinel-not-ta with out-of-range ta and" " 'root-key-sentinel no;' (expect NXDOMAIN)"
+$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-not-ta-72345.example A > dig.out.ns4.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+newtest "check root-key-sentinel-is-ta with no-zero-pad ta and" " 'root-key-sentinel no;' (expect NXDOMAIN)"
+$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-is-ta-1234.example A > dig.out.ns4.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+newtest "check root-key-sentinel-not-ta with no-zero-pad ta and" " 'root-key-sentinel no;' (expect NXDOMAIN)"
+$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-not-ta-1234.example A > dig.out.ns4.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+newtest "check CNAME to root-key-sentinel-is-ta with old ta and" " 'root-key-sentinel no;' (expect NOERROR)"
+$DIG $DIGOPTS @10.53.0.4 old-is-ta.example A > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "old-is-ta.*CNAME.root-key-sentinel-is-ta-${oldid}.example." dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+newtest "check CNAME to root-key-sentinel-not-ta with old ta and" " 'root-key-sentinel no;' (expect NOERROR)"
+$DIG $DIGOPTS @10.53.0.4 old-not-ta.example A > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "old-not-ta.*CNAME.root-key-sentinel-not-ta-${oldid}.example." dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+newtest "check CNAME to root-key-sentinel-is-ta with new ta and" " 'root-key-sentinel no;' (expect NOERROR)"
+$DIG $DIGOPTS @10.53.0.4 new-is-ta.example A > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "new-is-ta.*CNAME.root-key-sentinel-is-ta-${newid}.example." dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+newtest "check CNAME to root-key-sentinel-not-ta with new ta and" " 'root-key-sentinel no;' (expect NOERROR)"
+$DIG $DIGOPTS @10.53.0.4 new-not-ta.example A > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "new-not-ta.*CNAME.root-key-sentinel-not-ta-${newid}.example." dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+newtest "check CNAME to root-key-sentinel-is-ta with bad ta and" " 'root-key-sentinel no;' (expect NXDOMAIN)"
+$DIG $DIGOPTS @10.53.0.4 bad-is-ta.example A > dig.out.ns4.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+grep "bad-is-ta.*CNAME.root-key-sentinel-is-ta-${badid}.example" dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+newtest "check CNAME to root-key-sentinel-not-ta with bad ta and" " 'root-key-sentinel no;' (expect NXDOMAIN)"
+$DIG $DIGOPTS @10.53.0.4 bad-not-ta.example A > dig.out.ns4.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+grep "bad-not-ta.*CNAME.root-key-sentinel-not-ta-${badid}.example." dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/rpz/Makefile.in b/bin/tests/system/rpz/Makefile.in
new file mode 100644
index 0000000..bc73907
--- /dev/null
+++ b/bin/tests/system/rpz/Makefile.in
@@ -0,0 +1,48 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =     ${ISC_INCLUDES} ${DNS_INCLUDES}
+
+CDEFINES =
+CWARNINGS =
+
+ISCLIBS =	../../../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+
+ISCDEPLIBS =    ../../../../lib/isc/libisc.@A@
+
+DEPLIBS =	${ISCDEPLIBS}
+
+LIBS =		${ISCLIBS} @LIBS@
+
+TARGETS =	dnsrps@EXEEXT@
+
+DNSRPSOBJS =	dnsrps.@O@
+
+SRCS =		dnsrps.c
+
+@BIND9_MAKE_RULES@
+
+all: dnsrps@EXEEXT@
+
+dnsrps@EXEEXT@: ${DNSRPSOBJS} ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ ${DNSRPSOBJS} ${LIBS}
+
+clean distclean::
+	rm -f ${TARGETS}
+
diff --git a/bin/tests/system/rpz/README b/bin/tests/system/rpz/README
new file mode 100644
index 0000000..238e360
--- /dev/null
+++ b/bin/tests/system/rpz/README
@@ -0,0 +1,36 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0.  If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+
+The test setup for the RPZ tests prepares a query perf tool and sets up
+policy zones.
+
+Name servers
+------------
+
+ns1 is the root server.
+
+ns2 and ns4 are authoritative servers for the various test domains.
+
+ns3 is the main rewriting resolver.
+
+ns5 and ns7 are additional rewriting resolvers.
+
+ns6 is a forwarding server.
+
+
+Updating the response policy zones
+----------------------------------
+
+test1, test2, test3, test4, test5, and test6 are dynamic update files.  These
+updates are made against ns3.  The script function "start_group" is called to
+start an new batch of tests that may depend on certain server updates.  The
+function takes an optional file name and if provided the server updates are
+performed before executing the test batch.
diff --git a/bin/tests/system/rpz/clean.sh b/bin/tests/system/rpz/clean.sh
new file mode 100644
index 0000000..1a3127c
--- /dev/null
+++ b/bin/tests/system/rpz/clean.sh
@@ -0,0 +1,57 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# Clean up after rpz tests.
+
+USAGE="$0: [-Px]"
+DEBUG=
+while getopts "Px" c; do
+    case $c in
+	x) set -x ;;
+	P) PARTIAL=set ;;
+	*) echo "$USAGE" 1>&2; exit 1;;
+    esac
+done
+shift `expr $OPTIND - 1 || true`
+if test "$#" -ne 0; then
+    echo "$USAGE" 1>&2
+    exit 1
+fi
+
+# this might be called from setup.sh to partially clean up the files
+# from the first test pass so the second pass can be set up correctly.
+# remove those files first, then decide whether to remove the others.
+rm -f ns*/*.key ns*/*.private
+rm -f ns2/tld2s.db */bl.tld2.db */bl.tld2s.db
+rm -f ns3/bl*.db ns3/fast-expire.db ns*/empty.db
+rm -f ns3/manual-update-rpz.db
+rm -f ns3/mixed-case-rpz.db
+rm -f ns5/example.db ns5/bl.db ns5/fast-expire.db ns5/expire.conf
+rm -f ns8/manual-update-rpz.db
+rm -f */policy2.db
+rm -f */*.jnl
+
+if [ ${PARTIAL:-unset} = unset ]; then
+    rm -f proto.* dsset-* trusted.conf dig.out* nsupdate.tmp ns*/*tmp
+    rm -f ns5/requests ns5/*.perf
+    rm -f */named.memstats */*.run */*.run.prev */named.stats */session.key
+    rm -f */*.log */*core */*.pid
+    rm -f ns*/named.lock
+    rm -f ns*/named.conf
+    rm -f ns*/*switch
+    rm -f dnsrps*.conf
+    rm -f dnsrpzd.conf
+    rm -f dnsrpzd-license-cur.conf dnsrpzd.rpzf dnsrpzd.sock dnsrpzd.pid
+    rm -f ns*/managed-keys.bind*
+    rm -f tmp
+fi
diff --git a/bin/tests/system/rpz/dnsrps.c b/bin/tests/system/rpz/dnsrps.c
new file mode 100644
index 0000000..82ee05f
--- /dev/null
+++ b/bin/tests/system/rpz/dnsrps.c
@@ -0,0 +1,172 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * -a		exit(0) if dnsrps is available or dlopen() msg if not
+ * -p		print the path to dnsrpzd configured in dnsrps so that
+ *		    dnsrpzd can be run by a setup.sh script.
+ *		    Exit(1) if dnsrps is not available
+ * -n domain	print the serial number of a domain to check if a new
+ *		    version of a policy zone has been transferred to dnsrpzd.
+ *		    Exit(1) if dnsrps is not available
+ * -w sec.ond	wait for seconds, because `sleep 0.1` is not portable
+ */
+
+#include <errno.h>
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#include <isc/print.h>
+#include <isc/util.h>
+
+#ifdef USE_DNSRPS
+#define LIBRPZ_LIB_OPEN DNSRPS_LIB_OPEN
+#include <dns/librpz.h>
+
+librpz_t *librpz;
+#else  /* ifdef USE_DNSRPS */
+typedef struct {
+	char c[120];
+} librpz_emsg_t;
+#endif /* ifdef USE_DNSRPS */
+
+static bool
+link_dnsrps(librpz_emsg_t *emsg);
+
+#define USAGE "usage: [-ap] [-n domain] [-w sec.onds]\n"
+
+int
+main(int argc, char **argv) {
+#ifdef USE_DNSRPS
+	char cstr[sizeof("zone ") + 1024 + 10];
+	librpz_clist_t *clist;
+	librpz_client_t *client;
+	librpz_rsp_t *rsp;
+	uint32_t serial;
+#endif /* ifdef USE_DNSRPS */
+	double seconds;
+	librpz_emsg_t emsg;
+	char *p;
+	int i;
+
+	while ((i = getopt(argc, argv, "apn:w:")) != -1) {
+		switch (i) {
+		case 'a':
+			if (!link_dnsrps(&emsg)) {
+				printf("I:%s\n", emsg.c);
+				return (1);
+			}
+			return (0);
+
+		case 'p':
+			if (!link_dnsrps(&emsg)) {
+				fprintf(stderr, "## %s\n", emsg.c);
+				return (1);
+			}
+#ifdef USE_DNSRPS
+			printf("%s\n", librpz->dnsrpzd_path);
+#else  /* ifdef USE_DNSRPS */
+			UNREACHABLE();
+#endif /* ifdef USE_DNSRPS */
+			return (0);
+
+		case 'n':
+			if (!link_dnsrps(&emsg)) {
+				fprintf(stderr, "## %s\n", emsg.c);
+				return (1);
+			}
+#ifdef USE_DNSRPS
+			/*
+			 * Get the serial number of a policy zone from
+			 * a running dnsrpzd daemon.
+			 */
+			clist = librpz->clist_create(&emsg, NULL, NULL, NULL,
+						     NULL, NULL);
+			if (clist == NULL) {
+				fprintf(stderr, "## %s: %s\n", optarg, emsg.c);
+				return (1);
+			}
+			snprintf(cstr, sizeof(cstr),
+				 "zone %s; dnsrpzd \"\";"
+				 " dnsrpzd-sock dnsrpzd.sock;"
+				 " dnsrpzd-rpzf dnsrpzd.rpzf",
+				 optarg);
+			client = librpz->client_create(&emsg, clist, cstr,
+						       true);
+			if (client == NULL) {
+				fprintf(stderr, "## %s\n", emsg.c);
+				return (1);
+			}
+
+			rsp = NULL;
+			if (!librpz->rsp_create(&emsg, &rsp, NULL, client, true,
+						false) ||
+			    rsp == NULL)
+			{
+				fprintf(stderr, "## %s\n", emsg.c);
+				librpz->client_detach(&client);
+				return (1);
+			}
+
+			if (!librpz->soa_serial(&emsg, &serial, optarg, rsp)) {
+				fprintf(stderr, "## %s\n", emsg.c);
+				librpz->client_detach(&client);
+				return (1);
+			}
+			librpz->rsp_detach(&rsp);
+			librpz->client_detach(&client);
+			printf("%u\n", serial);
+#else  /* ifdef USE_DNSRPS */
+			UNREACHABLE();
+#endif /* ifdef USE_DNSRPS */
+			return (0);
+
+		case 'w':
+			seconds = strtod(optarg, &p);
+			if (seconds <= 0 || *p != '\0') {
+				fputs(USAGE, stderr);
+				return (1);
+			}
+			usleep((int)(seconds * 1000.0 * 1000.0));
+			return (0);
+
+		default:
+			fputs(USAGE, stderr);
+			return (1);
+		}
+	}
+	fputs(USAGE, stderr);
+	return (1);
+}
+
+static bool
+link_dnsrps(librpz_emsg_t *emsg) {
+#ifdef USE_DNSRPS
+	librpz = librpz_lib_open(emsg, NULL, DNSRPS_LIBRPZ_PATH);
+	if (librpz == NULL) {
+		return (false);
+	}
+
+	return (true);
+#else  /* ifdef USE_DNSRPS */
+	snprintf(emsg->c, sizeof(emsg->c), "DNSRPS not configured");
+	return (false);
+#endif /* ifdef USE_DNSRPS */
+}
diff --git a/bin/tests/system/rpz/dnsrpzd-license.conf b/bin/tests/system/rpz/dnsrpzd-license.conf
new file mode 100644
index 0000000..d9cf2b5
--- /dev/null
+++ b/bin/tests/system/rpz/dnsrpzd-license.conf
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone isc.license.fastrpz.com {
+    masters port 53 {
+        KEY farsight_fastrpz_license 104.244.14.176;
+        KEY farsight_fastrpz_license 2620:11c:f008::176;
+    };
+};
+
+key farsight_fastrpz_license {
+    algorithm hmac-sha256; secret "f405d02b4c8af54855fcebc1";
+};
diff --git a/bin/tests/system/rpz/dnsrpzd.conf.in b/bin/tests/system/rpz/dnsrpzd.conf.in
new file mode 100644
index 0000000..ce2442c
--- /dev/null
+++ b/bin/tests/system/rpz/dnsrpzd.conf.in
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# dnsrpzd configuration.
+
+pid-file ../dnsrpzd.pid
+
+include ../dnsrpzd-license-cur.conf
+
+# configure NOTIFY and zone transfers
+port @EXTRAPORT1@;
+listen-on port @EXTRAPORT1@ { 10.53.0.3; };
+allow-notify { 10.53.0.0/24; };
+
+zone "bl0"		{type primary; file "../ns5/bl.db"; };
+zone "bl1"		{type primary; file "../ns5/bl.db"; };
+zone "bl2"		{type primary; file "../ns5/bl.db"; };
+zone "bl3"		{type primary; file "../ns5/bl.db"; };
+zone "bl4"		{type primary; file "../ns5/bl.db"; };
+zone "bl5"		{type primary; file "../ns5/bl.db"; };
+zone "bl6"		{type primary; file "../ns5/bl.db"; };
+zone "bl7"		{type primary; file "../ns5/bl.db"; };
+zone "bl8"		{type primary; file "../ns5/bl.db"; };
+zone "bl9"		{type primary; file "../ns5/bl.db"; };
+zone "bl10"		{type primary; file "../ns5/bl.db"; };
+zone "bl11"		{type primary; file "../ns5/bl.db"; };
+zone "bl12"		{type primary; file "../ns5/bl.db"; };
+zone "bl13"		{type primary; file "../ns5/bl.db"; };
+zone "bl14"		{type primary; file "../ns5/bl.db"; };
+zone "bl15"		{type primary; file "../ns5/bl.db"; };
+zone "bl16"		{type primary; file "../ns5/bl.db"; };
+zone "bl17"		{type primary; file "../ns5/bl.db"; };
+zone "bl18"		{type primary; file "../ns5/bl.db"; };
+zone "bl19"		{type primary; file "../ns5/bl.db"; };
+
+zone "bl"		{type slave; masters port @PORT@ { 10.53.0.3; }; };
+zone "bl-2"		{type slave; masters port @PORT@ { 10.53.0.3; }; };
+zone "bl-given"		{type slave; masters port @PORT@ { 10.53.0.3; }; };
+zone "bl-passthru"	{type slave; masters port @PORT@ { 10.53.0.3; }; };
+zone "bl-no-op"		{type slave; masters port @PORT@ { 10.53.0.3; }; };
+zone "bl-disabled"	{type slave; masters port @PORT@ { 10.53.0.3; }; };
+zone "bl-nodata"	{type slave; masters port @PORT@ { 10.53.0.3; }; };
+zone "bl-nxdomain"	{type slave; masters port @PORT@ { 10.53.0.3; }; };
+zone "bl-cname"		{type slave; masters port @PORT@ { 10.53.0.3; }; };
+zone "bl-wildcname"	{type slave; masters port @PORT@ { 10.53.0.3; }; };
+zone "bl-garden"	{type slave; masters port @PORT@ { 10.53.0.3; }; };
+zone "bl-drop"		{type slave; masters port @PORT@ { 10.53.0.3; }; };
+zone "bl-tcp-only"	{type slave; masters port @PORT@ { 10.53.0.3; }; };
+zone "bl.tld2"		{type slave; masters port @PORT@ { 10.53.0.3; }; };
+
+zone "policy1"		{type slave; masters port @PORT@ { 10.53.0.6; }; };
+zone "policy2"		{type slave; masters port @PORT@ { 10.53.0.7; }; };
diff --git a/bin/tests/system/rpz/ns1/named.conf.in b/bin/tests/system/rpz/ns1/named.conf.in
new file mode 100644
index 0000000..439ecff
--- /dev/null
+++ b/bin/tests/system/rpz/ns1/named.conf.in
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	session-keyfile "session.key";
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	notify no;
+	minimal-responses no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {type primary; file "root.db";};
diff --git a/bin/tests/system/rpz/ns1/root.db b/bin/tests/system/rpz/ns1/root.db
new file mode 100644
index 0000000..6bf3d5a
--- /dev/null
+++ b/bin/tests/system/rpz/ns1/root.db
@@ -0,0 +1,42 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL	120
+.		SOA	ns. hostmaster.ns. ( 1 3600 1200 604800 60 )
+		NS	ns.
+ns.		A	10.53.0.1
+
+; rewrite responses from this zone
+tld2.		NS	ns.tld2.
+ns.tld2.	A	10.53.0.2
+
+; rewrite responses from this secure zone unless dnssec requested (DO=1)
+tld2s.		NS	ns.tld2.
+
+; requests come from here
+tld3.		NS	ns.tld3.
+ns.tld3.	A	10.53.0.3
+
+; rewrite responses from this zone
+tld4.		NS	ns.tld4.
+ns.tld4.	A	10.53.0.4
+
+; performance test
+tld5.		NS	ns.tld5.
+ns.tld5.	A	10.53.0.5
+
+; generate SERVFAIL
+servfail	NS	ns.tld2.
+
+a-only.example	A	1.2.3.4
+no-a-no-aaaa.example	TXT	placeholder
+a-plus-aaaa.example	A	1.2.3.4
+a-plus-aaaa.example	AAAA	::1
diff --git a/bin/tests/system/rpz/ns10/hints b/bin/tests/system/rpz/ns10/hints
new file mode 100644
index 0000000..b657c39
--- /dev/null
+++ b/bin/tests/system/rpz/ns10/hints
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+.	120	NS	ns.
+ns.	120	A	10.53.0.1
diff --git a/bin/tests/system/rpz/ns10/named.conf.in b/bin/tests/system/rpz/ns10/named.conf.in
new file mode 100644
index 0000000..b34ce79
--- /dev/null
+++ b/bin/tests/system/rpz/ns10/named.conf.in
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.10;
+	notify-source 10.53.0.10;
+	transfer-source 10.53.0.10;
+	port @PORT@;
+	pid-file "named.pid";
+	session-keyfile "session.key";
+	listen-on { 10.53.0.10; };
+	listen-on-v6 { none; };
+	notify no;
+	minimal-responses no;
+	recursion yes;
+	dnssec-validation yes;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+controls {
+	inet 10.53.0.10 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+include "../trusted.conf";
+zone "." { type hint; file "hints"; };
+
+# grafted on zones using stub and static-stub
+zone "stub-nomatch."		    {type primary; file "stub.db"; };
+zone "static-stub-nomatch."	    {type primary; file "stub.db"; };
diff --git a/bin/tests/system/rpz/ns10/stub.db b/bin/tests/system/rpz/ns10/stub.db
new file mode 100644
index 0000000..8ecac8c
--- /dev/null
+++ b/bin/tests/system/rpz/ns10/stub.db
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; RPZ rewrite responses from this zone
+
+$TTL	120
+@		SOA	ns  hostmaster.ns ( 1 3600 1200 604800 60 )
+		NS	ns
+ns		A	10.53.0.10
+
+a3-1		A	10.53.99.99
+
+a4-1		A	10.53.99.99
diff --git a/bin/tests/system/rpz/ns2/base-tld2s.db b/bin/tests/system/rpz/ns2/base-tld2s.db
new file mode 100644
index 0000000..77114ec
--- /dev/null
+++ b/bin/tests/system/rpz/ns2/base-tld2s.db
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; RPZ rewrite responses from this signed zone
+
+$TTL	120
+@		SOA	tld2s.  hostmaster.ns.tld2. ( 1 3600 1200 604800 60 )
+		NS	ns
+		NS	.			; check for RT 24985
+ns		A	10.53.0.2
+
+
+a0-1		A	192.168.0.1
+a0-1-scname	CNAME	a0-1.tld2.
+
+a3-5		A	192.168.3.5
+
+a7-2		A	192.168.7.2
diff --git a/bin/tests/system/rpz/ns2/bl.tld2.db.in b/bin/tests/system/rpz/ns2/bl.tld2.db.in
new file mode 100644
index 0000000..25780b7
--- /dev/null
+++ b/bin/tests/system/rpz/ns2/bl.tld2.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; primary for secondary RPZ zone
+
+$TTL	3600
+@		SOA	rpz.tld2.  hostmaster.ns.tld2. ( 1 3600 1200 604800 60 )
+		NS	ns2
+		NS	ns3
+ns2		A	10.53.0.2
+ns3		A	10.53.0.3
+
+32.1.7.168.192.rpz-ip	 CNAME	.
diff --git a/bin/tests/system/rpz/ns2/blv2.tld2.db.in b/bin/tests/system/rpz/ns2/blv2.tld2.db.in
new file mode 100644
index 0000000..123e1b4
--- /dev/null
+++ b/bin/tests/system/rpz/ns2/blv2.tld2.db.in
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; primary for secondary RPZ zone
+
+$TTL	3600
+@		SOA	rpz.tld2.  hostmaster.ns.tld2. ( 2 3600 1200 604800 60 )
+		NS	ns2
+		NS	ns3
+ns2		A	10.53.0.2
+ns3		A	10.53.0.3
diff --git a/bin/tests/system/rpz/ns2/blv3.tld2.db.in b/bin/tests/system/rpz/ns2/blv3.tld2.db.in
new file mode 100644
index 0000000..b8ba587
--- /dev/null
+++ b/bin/tests/system/rpz/ns2/blv3.tld2.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; primary for secondary RPZ zone
+
+$TTL	3600
+@		SOA	rpz.tld2.  hostmaster.ns.tld2. ( 3 3600 1200 604800 60 )
+		NS	ns2
+		NS	ns3
+ns2		A	10.53.0.2
+ns3		A	10.53.0.3
+
+32.1.7.168.192.rpz-ip	 CNAME	.
diff --git a/bin/tests/system/rpz/ns2/hints b/bin/tests/system/rpz/ns2/hints
new file mode 100644
index 0000000..b657c39
--- /dev/null
+++ b/bin/tests/system/rpz/ns2/hints
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+.	120	NS	ns.
+ns.	120	A	10.53.0.1
diff --git a/bin/tests/system/rpz/ns2/named.conf.in b/bin/tests/system/rpz/ns2/named.conf.in
new file mode 100644
index 0000000..1dde354
--- /dev/null
+++ b/bin/tests/system/rpz/ns2/named.conf.in
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	session-keyfile "session.key";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	notify no;
+	minimal-responses no;
+	recursion yes;
+	dnssec-validation yes;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+include "../trusted.conf";
+zone "." { type hint; file "hints"; };
+
+zone "tld2."		    {type primary; file "tld2.db";};
+zone "sub1.tld2."	    {type primary; file "tld2.db";};
+zone "subsub.sub1.tld2."    {type primary; file "tld2.db";};
+zone "sub2.tld2."	    {type primary; file "tld2.db";};
+zone "subsub.sub2.tld2."    {type primary; file "tld2.db";};
+zone "sub3.tld2."	    {type primary; file "tld2.db";};
+zone "subsub.sub3.tld2."    {type primary; file "tld2.db";};
+
+zone "tld2s."		    {type primary; file "tld2s.db";};
+
+zone "bl.tld2."		    {type primary; file "bl.tld2.db";
+				notify yes; notify-delay 0;};
+
+# grafted on zones using stub and static-stub
+zone "stub."		    {type primary; file "stub.db"; };
+zone "static-stub."	    {type primary; file "stub.db"; };
diff --git a/bin/tests/system/rpz/ns2/stub.db b/bin/tests/system/rpz/ns2/stub.db
new file mode 100644
index 0000000..e4b8781
--- /dev/null
+++ b/bin/tests/system/rpz/ns2/stub.db
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; RPZ rewrite responses from this zone
+
+$TTL	120
+@		SOA	tld2.  hostmaster.ns.tld2. ( 1 3600 1200 604800 60 )
+		NS	ns.sub1.tld2.
+
+a3-1		A	10.53.99.99
+
+a4-1		A	10.53.99.99
diff --git a/bin/tests/system/rpz/ns2/tld2.db b/bin/tests/system/rpz/ns2/tld2.db
new file mode 100644
index 0000000..c6f2556
--- /dev/null
+++ b/bin/tests/system/rpz/ns2/tld2.db
@@ -0,0 +1,125 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; RPZ rewrite responses from this zone
+
+$TTL	120
+@		SOA	tld2.  hostmaster.ns.tld2. ( 1 3600 1200 604800 60 )
+		NS	ns
+		NS	.			; check for RT 24985
+ns		A	10.53.0.2
+
+
+txt-only	TXT	"txt-only-tld2"
+
+a12		A	12.12.12.12
+		AAAA	2001::12
+		TXT	"a12 tld2 text"
+a12-cname	CNAME	a12
+
+a0-1		A	192.168.0.1
+		AAAA	2001:2::1
+		TXT	"a0-1 tld2 text"
+a0-1-scname	CNAME	a0-1.tld2s.
+
+
+a3-1		A	192.168.3.1
+		AAAA	2001:2:3::1
+		TXT	"a3-1 tld2 text"
+
+a3-2		A	192.168.3.2
+		AAAA	2001:2:3::2
+		TXT	"a3-2 tld2 text"
+
+a3-3		A	192.168.3.3
+		AAAA	2001:2:3::3
+		TXT	"a3-3 tld2 text"
+
+a3-4		A	192.168.3.4
+		AAAA	2001:2:3::4
+		TXT	"a3-4 tld2 text"
+
+a3-5		A	192.168.3.5
+		AAAA	2001:2:3::5
+		TXT	"a3-5 tld2 text"
+
+a3-6		A	192.168.3.6
+		AAAA	2001:2:3::6
+		TXT	"a3-6 tld2 text"
+
+a3-7		A	192.168.3.7
+		AAAA	2001:2:3::7
+		TXT	"a3-7 tld2 text"
+
+a3-8		A	192.168.3.8
+		AAAA	2001:2:3::8
+		TXT	"a3-8 tld2 text"
+
+a3-9		A	192.168.3.9
+		AAAA	2001:2:3::9
+		TXT	"a3-9 tld2 text"
+
+a4-1		A	192.168.4.1
+		AAAA	2001:2:4::1
+		TXT	"a4-1 tld2 text"
+a4-1-aaaa	AAAA	2001:2:4::1
+
+a4-2		A	192.168.4.2
+		AAAA	2001:2:4::2
+		TXT	"a4-2 tld2 text"
+a4-2-cname	CNAME	a4-2
+
+a4-3		A	192.168.4.3
+		AAAA	2001:2:4::3
+		TXT	"a4-3 tld2 text"
+a4-3-cname	CNAME	a4-3
+
+a4-4		A	192.168.4.4
+		AAAA	2001:2:4::4
+		TXT	"a4-4 tld2 text"
+
+a4-5		A	192.168.4.5
+		AAAA	2001:2:4::5
+		TXT	"a4-5 tld2 text"
+a4-5-cname	CNAME	a4-5
+a4-5-cname2	CNAME	a4-5-cname
+a4-5-cname3	CNAME	a4-5-cname2
+
+a4-6		A	192.168.4.6
+		AAAA	2001:2:4::6
+		TXT	"a4-6 tld2 text"
+a4-6-cname	CNAME	a4-6
+a4-6-cname2	CNAME	a4-6-cname
+a4-6-cname3	CNAME	a4-6-cname2
+
+a5-1-2		A	192.168.5.1
+		A	192.168.5.2
+		TXT	"a5-1-2 tld2 text"
+
+a5-2		A	192.168.5.2
+		TXT	"a5-2 tld2 text"
+
+a5-3		A	192.168.5.3
+		TXT	"a5-3 tld2 text"
+
+a5-4		A	192.168.5.4
+		TXT	"a5-4 tld2 text"
+
+a6-1		A	192.168.6.1
+		TXT	"a6-1 tld2 text"
+a6-2		A	192.168.6.2
+		TXT	"a6-2 tld2 text"
+
+a7-1		A	192.168.7.1
+		TXT	"a7-1 tld2 text"
+
+a7-2		A	192.168.7.2
+		TXT	"a7-2 tld2 text"
diff --git a/bin/tests/system/rpz/ns3/base.db b/bin/tests/system/rpz/ns3/base.db
new file mode 100644
index 0000000..f2f15a0
--- /dev/null
+++ b/bin/tests/system/rpz/ns3/base.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; RPZ test
+;   This basic file is copied to several zone files before being used.
+;   Its contents are also changed with nsupdate
+
+
+$TTL	300
+@	SOA	blx.  hostmaster.ns.blx. ( 1 3600 1200 604800 60 )
+	NS	ns.tld3.
+
+; regression testing for some old crashes
+example.com     NS	example.org.
+
+domain.com	cname	foobar.com
diff --git a/bin/tests/system/rpz/ns3/broken.db.in b/bin/tests/system/rpz/ns3/broken.db.in
new file mode 100644
index 0000000..80aa313
--- /dev/null
+++ b/bin/tests/system/rpz/ns3/broken.db.in
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; RPZ test
+;   This basic file is copied to several zone files before being used.
+;   Its contents are also changed with nsupdate
+
+
+; broken zone
+foobar
diff --git a/bin/tests/system/rpz/ns3/crash1 b/bin/tests/system/rpz/ns3/crash1
new file mode 100644
index 0000000..0c85191
--- /dev/null
+++ b/bin/tests/system/rpz/ns3/crash1
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+
+; a bad zone that caused a crash related to dns_rdataset_disassociate()
+
+$TTL	120
+@	SOA	crash1.tld2. hostmaster.ns.tld2. ( 1 3600 1200 604800 60 )
+
+	NS	tld2.
diff --git a/bin/tests/system/rpz/ns3/crash2 b/bin/tests/system/rpz/ns3/crash2
new file mode 100644
index 0000000..ab70283
--- /dev/null
+++ b/bin/tests/system/rpz/ns3/crash2
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+
+; a valid zone containing records that caused crashes
+
+$TTL	120
+@	SOA	crash2.tld3. hostmaster.ns.tld3. ( 1 3600 1200 604800 60 )
+	NS	ns
+ns	A	10.53.0.3
+
+; #24 in test1, crashed new ASSERT() in rbtdb.c
+c1	A	172.16.1.24
+
+; #16 in test2, crashed new ASSERT() in rbtdb.c
+c2	A	172.16.1.16
diff --git a/bin/tests/system/rpz/ns3/hints b/bin/tests/system/rpz/ns3/hints
new file mode 100644
index 0000000..b657c39
--- /dev/null
+++ b/bin/tests/system/rpz/ns3/hints
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+.	120	NS	ns.
+ns.	120	A	10.53.0.1
diff --git a/bin/tests/system/rpz/ns3/manual-update-rpz-2.db.in b/bin/tests/system/rpz/ns3/manual-update-rpz-2.db.in
new file mode 100644
index 0000000..f670b0c
--- /dev/null
+++ b/bin/tests/system/rpz/ns3/manual-update-rpz-2.db.in
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; RPZ test
+;   This basic file is copied to several zone files before being used.
+;   Its contents are also changed with nsupdate
+
+
+$TTL 300
+@				SOA	bl-reload.  hostmaster.ns.bl-reload. ( 2 3600 1200 604800 60 )
+				NS	ns.tld3.
+
+walled.tld2.bl-reload.	 300	A	10.0.0.2
+
diff --git a/bin/tests/system/rpz/ns3/manual-update-rpz.db.in b/bin/tests/system/rpz/ns3/manual-update-rpz.db.in
new file mode 100644
index 0000000..a823448
--- /dev/null
+++ b/bin/tests/system/rpz/ns3/manual-update-rpz.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; RPZ test
+;   This basic file is copied to several zone files before being used.
+;   Its contents are also changed with nsupdate
+
+
+$TTL 300
+@					SOA	manual-update-rpz.  hostmaster.ns.manual-rpz-update. ( 1 3600 1200 604800 60 )
+					NS	ns.tld3.
+
+walled.tld2.manual-update-rpz.	 300	A	10.0.0.1
diff --git a/bin/tests/system/rpz/ns3/mixed-case-rpz-1.db.in b/bin/tests/system/rpz/ns3/mixed-case-rpz-1.db.in
new file mode 100644
index 0000000..c8548fc
--- /dev/null
+++ b/bin/tests/system/rpz/ns3/mixed-case-rpz-1.db.in
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@		SOA	mixed-case-rpz.  hostmaster.ns.mixed-case-rpz. ( 1 3600 1200 604800 60 )
+		NS	ns.tld3.
+
+A6-2.TLD2	CNAME	.
diff --git a/bin/tests/system/rpz/ns3/mixed-case-rpz-2.db.in b/bin/tests/system/rpz/ns3/mixed-case-rpz-2.db.in
new file mode 100644
index 0000000..7d99c5a
--- /dev/null
+++ b/bin/tests/system/rpz/ns3/mixed-case-rpz-2.db.in
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@		SOA	mixed-case-rpz.  hostmaster.ns.mixed-case-rpz. ( 2 3600 1200 604800 60 )
+		NS	ns.tld3.
+
+a6-1.tld2	CNAME	.
+A6-2.TLD2	CNAME	.
diff --git a/bin/tests/system/rpz/ns3/named.conf.in b/bin/tests/system/rpz/ns3/named.conf.in
new file mode 100644
index 0000000..dc069d8
--- /dev/null
+++ b/bin/tests/system/rpz/ns3/named.conf.in
@@ -0,0 +1,160 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Main rpz test DNS server.
+ */
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	statistics-file	"named.stats";
+	session-keyfile "session.key";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	notify yes;
+	minimal-responses no;
+	recursion yes;
+	dnssec-validation yes;
+	min-refresh-time 1;
+	min-retry-time 1;
+
+	response-policy {
+	    zone "fast-expire";
+	    zone "bl"					max-policy-ttl 100;
+	    zone "bl-2";
+	    zone "bl-given"	policy given		recursive-only yes;
+	    zone "bl-passthru"	policy passthru;
+	    zone "bl-no-op"	policy no-op;		# obsolete for passthru
+	    zone "bl-disabled"	policy disabled;
+	    zone "bl-nodata"	policy nodata		recursive-only no;
+	    zone "bl-nxdomain"	policy nxdomain;
+	    zone "bl-cname"	policy cname txt-only.tld2.;
+	    zone "bl-wildcname"	policy cname *.tld4.;
+	    zone "bl-garden"	policy cname a12.tld2.;
+	    zone "bl-drop"	policy drop;
+	    zone "bl-tcp-only"	policy tcp-only;
+	    zone "bl.tld2";
+	    zone "manual-update-rpz";
+	    zone "mixed-case-rpz";
+	}
+	add-soa yes
+	min-ns-dots 0
+	qname-wait-recurse yes
+	min-update-interval 0
+	nsdname-enable yes
+	nsip-enable yes
+	;
+
+	include "../dnsrps.conf";
+	also-notify { 10.53.0.3 port @EXTRAPORT1@; };
+	notify-delay 0;
+};
+
+logging { category rpz { default_debug; }; };
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+
+zone "." { type hint; file "hints"; };
+
+zone "bl."		{type primary; file "bl.db";
+				allow-update {any;};};
+zone "bl-2."		{type primary; file "bl-2.db";
+				allow-update {any;};};
+zone "bl-given."	{type primary; file "bl-given.db";
+				allow-update {any;};};
+zone "bl-passthru."	{type primary; file "bl-passthru.db";
+				allow-update {any;};};
+zone "bl-no-op."	{type primary; file "bl-no-op.db";
+				allow-update {any;};};
+zone "bl-disabled."	{type primary; file "bl-disabled.db";
+				allow-update {any;};};
+zone "bl-nodata."	{type primary; file "bl-nodata.db";
+				allow-update {any;};};
+zone "bl-nxdomain."	{type primary; file "bl-nxdomain.db";
+				allow-update {any;};};
+zone "bl-cname."	{type primary; file "bl-cname.db";
+				allow-update {any;};};
+zone "bl-wildcname."	{type primary; file "bl-wildcname.db";
+				allow-update {any;};};
+zone "bl-garden."	{type primary; file "bl-garden.db";
+				allow-update {any;};};
+zone "bl-drop."		{type primary; file "bl-drop.db";
+				allow-update {any;};};
+zone "bl-tcp-only."	{type primary; file "bl-tcp-only.db";
+				allow-update {any;};};
+
+zone "bl.tld2."		{type secondary; file "bl.tld2.db"; primaries {10.53.0.2;};
+				request-ixfr no; masterfile-format text;};
+
+zone "crash1.tld2"	{type primary; file "crash1"; notify no;};
+zone "crash2.tld3."	{type primary; file "crash2"; notify no;};
+
+zone "manual-update-rpz." {
+	type primary;
+	file "manual-update-rpz.db";
+	notify no;
+};
+
+zone "mixed-case-rpz." {
+	type primary;
+	file "mixed-case-rpz.db";
+	notify no;
+};
+
+zone "fast-expire." {
+	type secondary;
+	file "fast-expire.db";
+	primaries { 10.53.0.5; };
+	notify no;
+};
+
+zone "stub." {
+	type stub;
+	primaries { 10.53.0.2; };
+};
+
+zone "static-stub." {
+	type static-stub;
+	server-addresses { 10.53.0.2; };
+};
+
+zone "stub-nomatch." {
+	type stub;
+	primaries { 10.53.0.10; };
+};
+
+zone "static-stub-nomatch." {
+	type static-stub;
+	server-addresses { 10.53.0.10; };
+};
+
+# A faulty dlz configuration to check if named with response policy zones
+# survives a certain class of failed configuration attempts (see GL #3880).
+# "dlz" is used because the dlz processing code is located in an ideal place in
+# the view configuration function for the test to cover the view reverting code.
+# The "BAD" comments below are necessary, because they will be removed using
+# 'sed' by tests.sh in order to activate the faulty configuration.
+#BAD	dlz "bad-dlz" {
+#BAD		database "dlopen bad-dlz.so example.org";
+#BAD	};
diff --git a/bin/tests/system/rpz/ns4/hints b/bin/tests/system/rpz/ns4/hints
new file mode 100644
index 0000000..b657c39
--- /dev/null
+++ b/bin/tests/system/rpz/ns4/hints
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+.	120	NS	ns.
+ns.	120	A	10.53.0.1
diff --git a/bin/tests/system/rpz/ns4/named.conf.in b/bin/tests/system/rpz/ns4/named.conf.in
new file mode 100644
index 0000000..e2a9546
--- /dev/null
+++ b/bin/tests/system/rpz/ns4/named.conf.in
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port @PORT@;
+	pid-file "named.pid";
+	session-keyfile "session.key";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	notify no;
+	minimal-responses no;
+	recursion yes;
+	dnssec-validation yes;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+include "../trusted.conf";
+zone "." { type hint; file "hints"; };
+
+zone "tld4."		    {type primary; file "tld4.db";};
+zone "sub1.tld4."	    {type primary; file "tld4.db";};
+zone "subsub.sub1.tld4."    {type primary; file "tld4.db";};
+zone "sub2.tld4."	    {type primary; file "tld4.db";};
+zone "subsub.sub2.tld4."    {type primary; file "tld4.db";};
diff --git a/bin/tests/system/rpz/ns4/tld4.db b/bin/tests/system/rpz/ns4/tld4.db
new file mode 100644
index 0000000..fca419c
--- /dev/null
+++ b/bin/tests/system/rpz/ns4/tld4.db
@@ -0,0 +1,66 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; RPZ rewrite responses from this zone
+
+$TTL	120
+@		SOA	tld4.  hostmaster.ns.tld4. ( 1 3600 1200 604800 60 )
+		NS	ns
+ns		A	10.53.0.4
+
+
+txt-only	TXT	"txt-only-tld4"
+
+a14		A	14.14.14.14
+		AAAA	2001::14
+		TXT	"a14 text"
+a14-cname	CNAME	a14
+
+a0-1		A	192.168.0.1
+		AAAA	2001:2::1
+		TXT	"a0-1 text"
+
+a3-1		A	192.168.3.1
+		AAAA	2001:2:3::1
+		TXT	"a3-1 text"
+
+a3-2		A	192.168.3.2
+		AAAA	2001:2:3::2
+		TXT	"a3-2 text"
+
+a4-1		A	192.168.4.1
+		AAAA	2001:2:4::1
+		TXT	"a4-1 text"
+a4-1-aaaa	AAAA	2001:2:4::1
+
+a4-2		A	192.168.4.2
+		AAAA	2001:2:4::2
+		TXT	"a4-2 text"
+a4-2-cname	CNAME	a4-2
+
+a4-3		A	192.168.4.3
+		AAAA	2001:2:4::3
+		TXT	"a4-3 text"
+a4-3-cname	CNAME	a4-3
+
+a4-4		A	192.168.4.4
+		AAAA	2001:2:4::4
+		TXT	"a4-4 text"
+
+a3-6.tld2	A	56.56.56.56
+
+a3-7.sub1.tld2	A	57.57.57.57
+
+a3-8.tld2	A	58.58.58.58
+
+a3-9.sub9.tld2	A	59.59.59.59
+
+a3-10.tld2	A	60.60.60.60
diff --git a/bin/tests/system/rpz/ns5/empty.db.in b/bin/tests/system/rpz/ns5/empty.db.in
new file mode 100644
index 0000000..a7e9144
--- /dev/null
+++ b/bin/tests/system/rpz/ns5/empty.db.in
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL	120
+@	SOA	.  hostmaster.ns.example.tld5. ( 1 3600 1200 604800 60 )
+	NS	.
diff --git a/bin/tests/system/rpz/ns5/expire.conf.in b/bin/tests/system/rpz/ns5/expire.conf.in
new file mode 100644
index 0000000..4c1c228
--- /dev/null
+++ b/bin/tests/system/rpz/ns5/expire.conf.in
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "fast-expire." {
+	type primary;
+	file "fast-expire.db";
+	allow-transfer { any; };
+	notify no;
+};
diff --git a/bin/tests/system/rpz/ns5/fast-expire.db.in b/bin/tests/system/rpz/ns5/fast-expire.db.in
new file mode 100644
index 0000000..cb2672e
--- /dev/null
+++ b/bin/tests/system/rpz/ns5/fast-expire.db.in
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@					SOA	fast-expire. hostmaster (
+						1 3 1 5 60
+						)
+					NS	ns.tld3.
+
+expired.fast-expire.		        A	10.0.0.10
diff --git a/bin/tests/system/rpz/ns5/hints b/bin/tests/system/rpz/ns5/hints
new file mode 100644
index 0000000..b657c39
--- /dev/null
+++ b/bin/tests/system/rpz/ns5/hints
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+.	120	NS	ns.
+ns.	120	A	10.53.0.1
diff --git a/bin/tests/system/rpz/ns5/named.args b/bin/tests/system/rpz/ns5/named.args
new file mode 100644
index 0000000..56edbe3
--- /dev/null
+++ b/bin/tests/system/rpz/ns5/named.args
@@ -0,0 +1,2 @@
+# run the performance test close to real life
+-c named.conf -D rpz-ns5 -X named.lock -gd3 -T maxcachesize=2097152
diff --git a/bin/tests/system/rpz/ns5/named.conf.in b/bin/tests/system/rpz/ns5/named.conf.in
new file mode 100644
index 0000000..b0fecdf
--- /dev/null
+++ b/bin/tests/system/rpz/ns5/named.conf.in
@@ -0,0 +1,91 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Test rpz performance.
+ */
+
+options {
+	query-source address 10.53.0.5;
+	notify-source 10.53.0.5;
+	transfer-source 10.53.0.5;
+	port @PORT@;
+	pid-file "named.pid";
+	statistics-file "named.stats";
+	session-keyfile "session.key";
+	listen-on { 10.53.0.5; };
+	listen-on-v6 { none; };
+	ixfr-from-differences yes;
+	notify-delay 0;
+	notify yes;
+	minimal-responses no;
+	recursion yes;
+	dnssec-validation yes;
+
+	# turn rpz on or off
+	include "rpz-switch";
+
+	include "../dnsrps-slave.conf";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+controls {
+	inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+include "../trusted.conf";
+zone "."		{type hint; file "hints"; };
+
+zone "tld5."		{type primary; file "tld5.db"; };
+zone "example.tld5."	{type primary; file "example.db"; };
+
+zone "bl0."		{type primary; file "bl.db"; };
+zone "bl1."		{type primary; file "bl.db"; };
+zone "bl2."		{type primary; file "bl.db"; };
+zone "bl3."		{type primary; file "bl.db"; };
+zone "bl4."		{type primary; file "bl.db"; };
+zone "bl5."		{type primary; file "bl.db"; };
+zone "bl6."		{type primary; file "bl.db"; };
+zone "bl7."		{type primary; file "bl.db"; };
+zone "bl8."		{type primary; file "bl.db"; };
+zone "bl9."		{type primary; file "bl.db"; };
+zone "bl10."		{type primary; file "bl.db"; };
+zone "bl11."		{type primary; file "bl.db"; };
+zone "bl12."		{type primary; file "bl.db"; };
+zone "bl13."		{type primary; file "bl.db"; };
+zone "bl14."		{type primary; file "bl.db"; };
+zone "bl15."		{type primary; file "bl.db"; };
+zone "bl16."		{type primary; file "bl.db"; };
+zone "bl17."		{type primary; file "bl.db"; };
+zone "bl18."		{type primary; file "bl.db"; };
+zone "bl19."		{type primary; file "bl.db"; };
+
+zone "policy1" {
+	type primary;
+	file "empty.db";
+	also-notify { 10.53.0.6; };
+	allow-update { any; };
+	allow-transfer { any; };
+};
+
+zone "policy2" {
+	type primary;
+	file "policy2.db";
+	allow-update { any; };
+	allow-transfer { any; };
+};
+
+include "expire.conf";
diff --git a/bin/tests/system/rpz/ns5/tld5.db b/bin/tests/system/rpz/ns5/tld5.db
new file mode 100644
index 0000000..b75e72f
--- /dev/null
+++ b/bin/tests/system/rpz/ns5/tld5.db
@@ -0,0 +1,32 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; RPZ performance test
+
+$TTL	120
+@	SOA	.  hostmaster.ns.example.tld5. ( 1 3600 1200 604800 60 )
+	NS	ns
+	NS	ns1
+	NS	ns2
+	NS	ns3
+ns	A	10.53.0.5
+ns1	A	10.53.0.5
+ns2	A	10.53.0.5
+ns3	A	10.53.0.5
+
+
+$ORIGIN	example.tld5.
+example.tld5.	NS	ns
+		NS	ns1
+ns		A	10.53.0.5
+ns1		A	10.53.0.5
+
+as-ns	TXT	"rewritten with ip-as-ns and qname-as-ns"
diff --git a/bin/tests/system/rpz/ns6/bl.tld2s.db.in b/bin/tests/system/rpz/ns6/bl.tld2s.db.in
new file mode 100644
index 0000000..4538050
--- /dev/null
+++ b/bin/tests/system/rpz/ns6/bl.tld2s.db.in
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL	3600
+@		SOA	rpz.tld2.  hostmaster.ns.tld2. ( 3 3600 1200 604800 60 )
+		NS	ns2
+		NS	ns3
+ns2		A	10.53.0.2
+ns3		A	10.53.0.3
+
+32.2.7.168.192.rpz-ip	 A 1.1.1.1
+                        AAAA ::1
diff --git a/bin/tests/system/rpz/ns6/hints b/bin/tests/system/rpz/ns6/hints
new file mode 100644
index 0000000..b657c39
--- /dev/null
+++ b/bin/tests/system/rpz/ns6/hints
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+.	120	NS	ns.
+ns.	120	A	10.53.0.1
diff --git a/bin/tests/system/rpz/ns6/named.conf.in b/bin/tests/system/rpz/ns6/named.conf.in
new file mode 100644
index 0000000..4c05207
--- /dev/null
+++ b/bin/tests/system/rpz/ns6/named.conf.in
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.6;
+	notify-source 10.53.0.6;
+	transfer-source 10.53.0.6;
+	port @PORT@;
+	pid-file "named.pid";
+	statistics-file "named.stats";
+	session-keyfile "session.key";
+	listen-on { 10.53.0.6; };
+	listen-on-v6 { none; };
+	forward only;
+	forwarders { 10.53.0.3; };
+	minimal-responses no;
+	recursion yes;
+	dnssec-validation yes;
+	qname-minimization disabled;
+
+	response-policy {
+	    zone "policy1" min-update-interval 0;
+	    zone "bl.tld2s" policy given;
+	} qname-wait-recurse yes
+	// add-soa yes # leave add-soa as default for unset test
+	nsip-enable yes
+	nsdname-enable yes;
+
+	include "../dnsrps-slave.conf";
+};
+
+logging { category rpz { default_debug; }; };
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+include "../trusted.conf";
+
+zone "policy1" {
+	type secondary;
+	primaries { 10.53.0.5; };
+	file "empty.db";
+	also-notify { 10.53.0.3 port @EXTRAPORT1@; };
+	notify-delay 0;
+	allow-transfer  { any; };
+};
+
+zone "bl.tld2s." {
+    type primary;
+    file "bl.tld2s.db";
+};
diff --git a/bin/tests/system/rpz/ns7/hints b/bin/tests/system/rpz/ns7/hints
new file mode 100644
index 0000000..b657c39
--- /dev/null
+++ b/bin/tests/system/rpz/ns7/hints
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+.	120	NS	ns.
+ns.	120	A	10.53.0.1
diff --git a/bin/tests/system/rpz/ns7/named.conf.in b/bin/tests/system/rpz/ns7/named.conf.in
new file mode 100644
index 0000000..24d9c62
--- /dev/null
+++ b/bin/tests/system/rpz/ns7/named.conf.in
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.7;
+	notify-source 10.53.0.7;
+	transfer-source 10.53.0.7;
+	port @PORT@;
+	pid-file "named.pid";
+	statistics-file "named.stats";
+	session-keyfile "session.key";
+	listen-on { 10.53.0.7; };
+	listen-on-v6 { none; };
+	minimal-responses no;
+	recursion yes;
+	dnssec-validation yes;
+
+	response-policy {
+	    zone "policy2" add-soa no;
+	} qname-wait-recurse no
+	nsip-enable yes
+	nsdname-enable yes
+	min-update-interval 0;
+
+	include "../dnsrps-slave.conf";
+};
+
+logging { category rpz { default_debug; }; };
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+include "../trusted.conf";
+
+zone "policy2" {
+	type secondary;
+	primaries { 10.53.0.5; };
+	file "policy2.db";
+	also-notify { 10.53.0.3 port @EXTRAPORT1@; };
+	notify-delay 0;
+	allow-transfer  { any; };
+	request-ixfr no; // force axfr on rndc reload
+};
diff --git a/bin/tests/system/rpz/ns8/hints b/bin/tests/system/rpz/ns8/hints
new file mode 100644
index 0000000..b657c39
--- /dev/null
+++ b/bin/tests/system/rpz/ns8/hints
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+.	120	NS	ns.
+ns.	120	A	10.53.0.1
diff --git a/bin/tests/system/rpz/ns8/manual-update-rpz.db.in b/bin/tests/system/rpz/ns8/manual-update-rpz.db.in
new file mode 100644
index 0000000..a823448
--- /dev/null
+++ b/bin/tests/system/rpz/ns8/manual-update-rpz.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; RPZ test
+;   This basic file is copied to several zone files before being used.
+;   Its contents are also changed with nsupdate
+
+
+$TTL 300
+@					SOA	manual-update-rpz.  hostmaster.ns.manual-rpz-update. ( 1 3600 1200 604800 60 )
+					NS	ns.tld3.
+
+walled.tld2.manual-update-rpz.	 300	A	10.0.0.1
diff --git a/bin/tests/system/rpz/ns8/named.conf.in b/bin/tests/system/rpz/ns8/named.conf.in
new file mode 100644
index 0000000..f228c00
--- /dev/null
+++ b/bin/tests/system/rpz/ns8/named.conf.in
@@ -0,0 +1,66 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Main rpz test DNS server.
+ */
+
+options {
+	query-source address 10.53.0.8;
+	notify-source 10.53.0.8;
+	transfer-source 10.53.0.8;
+	port @PORT@;
+	pid-file "named.pid";
+	statistics-file	"named.stats";
+	session-keyfile "session.key";
+	listen-on { 10.53.0.8; };
+	listen-on-v6 { none; };
+	notify yes;
+	minimal-responses no;
+	recursion yes;
+	dnssec-validation yes;
+
+	response-policy {
+	    zone "manual-update-rpz";
+	}
+	// add-soa yes // do not set testing default mode
+	min-ns-dots 0
+	qname-wait-recurse yes
+	min-update-interval 0
+	nsdname-enable yes
+	nsip-enable yes
+	;
+
+	include "../dnsrps.conf";
+	also-notify { 10.53.0.8 port @EXTRAPORT1@; };
+	notify-delay 0;
+};
+
+logging { category rpz { default_debug; }; };
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+controls {
+	inet 10.53.0.8 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+
+zone "." { type hint; file "hints"; };
+
+zone "manual-update-rpz." {
+	type primary;
+	file "manual-update-rpz.db";
+	notify no;
+};
diff --git a/bin/tests/system/rpz/ns9/hints b/bin/tests/system/rpz/ns9/hints
new file mode 100644
index 0000000..b657c39
--- /dev/null
+++ b/bin/tests/system/rpz/ns9/hints
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+.	120	NS	ns.
+ns.	120	A	10.53.0.1
diff --git a/bin/tests/system/rpz/ns9/named.conf.in b/bin/tests/system/rpz/ns9/named.conf.in
new file mode 100644
index 0000000..e57591c
--- /dev/null
+++ b/bin/tests/system/rpz/ns9/named.conf.in
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * DNS64 / RPZ server.
+ */
+
+options {
+	query-source address 10.53.0.9;
+	notify-source 10.53.0.9;
+	transfer-source 10.53.0.9;
+	port @PORT@;
+	pid-file "named.pid";
+	statistics-file	"named.stats";
+	session-keyfile "session.key";
+	listen-on { 10.53.0.9; };
+	listen-on-v6 { none; };
+	notify yes;
+	minimal-responses no;
+	recursion yes;
+	dnssec-validation yes;
+	dns64-server "example.localdomain.";
+        dns64 64:ff9b::/96 { };
+	response-policy {
+	    zone "rpz";
+	}
+	qname-wait-recurse no ;
+
+	include "../dnsrps.conf";
+	notify-delay 0;
+};
+
+logging { category rpz { default_debug; }; };
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+controls {
+	inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+
+zone "." { type hint; file "hints"; };
+
+zone "rpz." {
+	type primary;
+	file "rpz.db";
+	notify no;
+};
diff --git a/bin/tests/system/rpz/ns9/rpz.db b/bin/tests/system/rpz/ns9/rpz.db
new file mode 100644
index 0000000..dcbe5d6
--- /dev/null
+++ b/bin/tests/system/rpz/ns9/rpz.db
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+rpz.                                    28800 IN SOA      rpz. hostmaster.rpz. 6 10800 3600 2419200 900
+rpz.                                    28800 IN NS       .
+a-only.example.rpz.                     28800 IN CNAME    *.
+no-a-no-aaaa.example.rpz.               28800 IN CNAME    *.
+a-plus-aaaa.example.rpz.                28800 IN CNAME    *.
diff --git a/bin/tests/system/rpz/qperf.sh b/bin/tests/system/rpz/qperf.sh
new file mode 100644
index 0000000..dc79de9
--- /dev/null
+++ b/bin/tests/system/rpz/qperf.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+for QDIR in `echo "$PATH" | tr : ' '` ../../../../contrib/queryperf; do
+    QPERF=$QDIR/queryperf
+    if test -f "$QPERF" -a -x "$QPERF"; then
+	echo $QPERF
+	exit 0
+    fi
+done
+
+exit 0
diff --git a/bin/tests/system/rpz/setup.sh b/bin/tests/system/rpz/setup.sh
new file mode 100644
index 0000000..10ab738
--- /dev/null
+++ b/bin/tests/system/rpz/setup.sh
@@ -0,0 +1,180 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# touch dnsrps-off to not test with DNSRPS
+
+set -e
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+QPERF=$($SHELL qperf.sh)
+
+USAGE="$0: [-DNx]"
+DEBUG=
+while getopts "DNx" c; do
+    case $c in
+	x) set -x; DEBUG=-x ;;
+        D) TEST_DNSRPS="-D" ;;
+	N) PARTIAL=-P ;;
+	*) echo "$USAGE" 1>&2; exit 1 ;;
+    esac
+done
+shift $((OPTIND - 1))
+if test "$#" -ne 0; then
+    echo "$USAGE" 1>&2
+    exit 1
+fi
+
+if [ ${NOCLEAN:-unset} = unset ]; then
+    $SHELL clean.sh $PARTIAL $DEBUG
+fi
+
+for dir in ns*; do
+    touch $dir/named.run
+    nextpart $dir/named.run > /dev/null
+done
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+copy_setports ns6/named.conf.in ns6/named.conf
+copy_setports ns7/named.conf.in ns7/named.conf
+copy_setports ns8/named.conf.in ns8/named.conf
+copy_setports ns9/named.conf.in ns9/named.conf
+copy_setports ns10/named.conf.in ns10/named.conf
+
+copy_setports dnsrpzd.conf.in dnsrpzd.conf
+
+# decide whether to test DNSRPS
+# Note that dnsrps.conf and dnsrps-slave.conf are included in named.conf
+# and differ from dnsrpz.conf which is used by dnsrpzd.
+$SHELL ../ckdnsrps.sh -A $TEST_DNSRPS $DEBUG
+test -z "$(grep 'dnsrps-enable yes' dnsrps.conf)" && TEST_DNSRPS=
+
+# set up test policy zones.
+#   bl is the main test zone
+#   bl-2 is used to check competing zones.
+#   bl-{given,disabled,passthru,no-data,nxdomain,cname,wildcard,garden,
+#	    drop,tcp-only} are used to check policy overrides in named.conf.
+#   NO-OP is an obsolete synonym for PASSHTRU
+for NM in '' -2 -given -disabled -passthru -no-op -nodata -nxdomain -cname -wildcname -garden -drop -tcp-only; do
+    sed -e "/SOA/s/blx/bl$NM/g" ns3/base.db >ns3/bl$NM.db
+done
+#  bl zones are dynamically updated.  Add one zone that is updated manually.
+cp ns3/manual-update-rpz.db.in ns3/manual-update-rpz.db
+cp ns8/manual-update-rpz.db.in ns8/manual-update-rpz.db
+
+cp ns3/mixed-case-rpz-1.db.in ns3/mixed-case-rpz.db
+
+# a zone that expires quickly and then can't be refreshed
+cp ns5/fast-expire.db.in ns5/fast-expire.db
+cp ns5/expire.conf.in ns5/expire.conf
+
+# $1=directory
+# $2=domain name
+# $3=input zone file
+# $4=output file
+signzone () {
+    KEYNAME=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -K $1 $2)
+    cat $1/$3 $1/$KEYNAME.key > $1/tmp
+    $SIGNER -P -K $1 -o $2 -f $1/$4 $1/tmp >/dev/null
+    sed -n -e 's/\(.*\) IN DNSKEY \([0-9]\{1,\} [0-9]\{1,\} [0-9]\{1,\}\) \(.*\)/trust-anchors {"\1" static-key \2 "\3";};/p' $1/$KEYNAME.key >>trusted.conf
+    DSFILENAME=dsset-${2}${TP}
+    rm $DSFILENAME $1/tmp
+}
+signzone ns2 tld2s base-tld2s.db tld2s.db
+
+# Performance and a few other checks.
+cat <<EOF >ns5/rpz-switch
+response-policy {
+	zone "bl0"; zone "bl1"; zone "bl2"; zone "bl3"; zone "bl4";
+	zone "bl5"; zone "bl6"; zone "bl7"; zone "bl8"; zone "bl9";
+	zone "bl10"; zone "bl11"; zone "bl12"; zone "bl13"; zone "bl14";
+	zone "bl15"; zone "bl16"; zone "bl17"; zone "bl18"; zone "bl19";
+    } recursive-only no
+    qname-wait-recurse no
+    nsip-enable yes
+    nsdname-enable yes
+    max-policy-ttl 90
+    break-dnssec yes
+    ;
+EOF
+
+cat <<EOF >ns5/example.db
+\$TTL	300
+@	SOA	.  hostmaster.ns.example.tld5. ( 1 3600 1200 604800 60 )
+	NS	ns
+	NS	ns1
+ns	A	10.53.0.5
+ns1	A	10.53.0.5
+EOF
+
+cat <<EOF >ns5/bl.db
+\$TTL	300
+@		SOA	.  hostmaster.ns.blperf. ( 1 3600 1200 604800 60 )
+		NS	ns.tld5.
+
+; for "qname-wait-recurse no" in #35 test1
+x.servfail	A	35.35.35.35
+; for "recursive-only no" in #8 test5
+a3-5.tld2	CNAME	.
+; for "break-dnssec" in #9 & #10 test5
+a3-5.tld2s	CNAME	.
+; for "max-policy-ttl 90" in #17 test5
+a3-17.tld2	500 A	17.17.17.17
+
+; dummy NSDNAME policy to trigger lookups
+ns1.x.rpz-nsdname	CNAME	.
+EOF
+
+if test -n "$QPERF"; then
+    # Do not build the full zones if we will not use them.
+    $PERL -e 'for ($val = 1; $val <= 65535; ++$val) {
+	printf("host-%05d\tA    192.168.%d.%d\n", $val, $val/256, $val%256);
+	}' >>ns5/example.db
+
+    echo >>ns5/bl.db
+    echo "; rewrite some names" >>ns5/bl.db
+    $PERL -e 'for ($val = 2; $val <= 65535; $val += 69) {
+	printf("host-%05d.example.tld5\tCNAME\t.\n", $val);
+	}' >>ns5/bl.db
+
+    echo >>ns5/bl.db
+    echo "; rewrite with some not entirely trivial patricia trees" >>ns5/bl.db
+    $PERL -e 'for ($val = 3; $val <= 65535; $val += 69) {
+	printf("32.%d.%d.168.192.rpz-ip  \tCNAME\t.\n",
+		$val%256, $val/256);
+	}' >>ns5/bl.db
+fi
+
+# some psuedo-random queryperf requests
+$PERL -e 'for ($cnt = $val = 1; $cnt <= 3000; ++$cnt) {
+	printf("host-%05d.example.tld5 A\n", $val);
+	$val = ($val * 9 + 32771) % 65536;
+	}' >ns5/requests
+
+cp ns2/bl.tld2.db.in ns2/bl.tld2.db
+cp ns5/empty.db.in ns5/empty.db
+cp ns5/empty.db.in ns5/policy2.db
+cp ns6/bl.tld2s.db.in ns6/bl.tld2s.db
+
+# Run dnsrpzd to get the license and prime the static policy zones
+if test -n "$TEST_DNSRPS"; then
+   DNSRPZD="$(../rpz/dnsrps -p)"
+   cd ns3
+   "$DNSRPZ" -D../dnsrpzd.rpzf -S../dnsrpzd.sock -C../dnsrpzd.conf \
+             -w 0 -dddd -L stdout >./dnsrpzd.run 2>&1
+fi
diff --git a/bin/tests/system/rpz/test1 b/bin/tests/system/rpz/test1
new file mode 100644
index 0000000..3dc0375
--- /dev/null
+++ b/bin/tests/system/rpz/test1
@@ -0,0 +1,99 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+
+
+
+; Use comment lines instead of blank lines to combine update requests into
+;	single requests
+; Separate update requests for distinct TLDs with blank lines or 'send'
+; End the file with a blank line or 'send'
+
+server 10.53.0.3 @PORT@
+
+; QNAME tests
+
+; NXDOMAIN
+;	2, 25
+update add  a0-1.tld2.bl.	300 CNAME .
+; NODATA
+;	3
+update add  a3-1.tld2.bl.	300 CNAME *.
+; and no assert-botch
+;	4, 5
+update add  a3-2.tld2.bl.	300 DNAME example.com.
+;
+; NXDOMAIN for a4-2-cname.tld2 via its target a4-2.tld2.
+;	6 and 7
+update add  a4-2.tld2.bl	300 CNAME .
+;	8
+; NODATA for a4-3-cname.tld2 via its target a4-3.tld2.
+update add  a4-3.tld2.bl	300 CNAME *.
+;
+; replace the A for a4-1.sub1.tld2 with 12.12.12.12
+;	9
+update add  a4-1.sub1.tld2.bl.	300 A 12.12.12.12
+;
+; replace the A for *.sub2.tld2 with 12.12.12.12
+;	10
+update add  a4-1.sub2.tld2.bl.	300 A 12.12.12.12
+;
+; replace NXDOMAIN for {nxc1,nxc2}.sub1.tld2 with 12.12.12.12 using CNAMEs
+;	11
+update add nxc1.sub1.tld2.bl.	300 CNAME a12.tld2.
+;	12
+update add nxc2.sub1.tld2.bl.	300 CNAME a12-cname.tld2.
+;
+; prefer the first conflicting zone
+;	13
+update add a4-4.tld2.bl.	300 A	127.4.4.1
+update add a6-1.tld2.bl.	300 CNAME a6-1.tld2.
+update add a6-2.tld2.bl.	300 A	127.6.2.1
+update add a6-1.tld2.bl.	300 A	127.6.1.1
+update add a6-2.tld2.bl.	300 CNAME a6-2.tld2.
+send
+update add a4-4.tld2.bl-2.	300 A	127.4.4.2
+send
+
+; wildcard CNAME
+;	16
+update add  a3-6.tld2.bl.	300 CNAME *.tld4.
+;	17
+update add  *.sub1.tld2.bl.	300 CNAME *.tld4.
+; CNAME chain
+;	18
+update add  a4-5.tld2.bl.	300 A	127.0.0.16
+; stop at first hit in CNAME chain
+;	19
+update add  a4-6.tld2.bl.	300 CNAME .
+update add  a4-6-cname.tld2.bl.	300 A	127.0.0.17
+; no change instead of NXDOMAIN because +norecurse
+;	20
+update add  a5-2.tld2.bl.	300 CNAME .
+; no change instead of NODATA because +norecurse
+;	21
+update add  a5-3.tld2.bl.	300 CNAME *.
+;	22, 23
+update add  a5-4.tld2.bl.	300 DNAME example.com.
+;
+; assert in rbtdb.c
+;	24
+update	add c1.crash2.tld3.bl.	300 CNAME .
+; DO=1 without signatures, DO=0 with signatures are rewritten
+;	26 - 27
+update add  a0-1.tld2s.bl.	300 CNAME .
+;	32
+update add  a3-8.tld2.bl.	300 CNAME rpz-drop.
+;	33
+update add  a3-9.tld2.bl.	300 CNAME rpz-tcp-only.
+;	34 qname-wait-recurse yes
+update add  x.servfail.bl.	300 A	127.0.0.34
+send
diff --git a/bin/tests/system/rpz/test2 b/bin/tests/system/rpz/test2
new file mode 100644
index 0000000..ad71e3a
--- /dev/null
+++ b/bin/tests/system/rpz/test2
@@ -0,0 +1,77 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+
+
+
+; Use comment lines instead of blank lines to combine update requests into
+;	single requests
+; Separate update requests for distinct TLDs with blank lines or 'send'
+; End the file with a blank line or 'send'
+; CNAME targets are absolute even without trailing "."
+
+; IP tests
+
+server 10.53.0.3 @PORT@
+
+; NODATA a3-1.tld2
+;	1
+update add  32.1.3.168.192.rpz-ip.bl	300 CNAME *.
+;
+; NXDOMAIN for 192.168.4.0/24, the network of a4-1.tld2 and a4-2.tld2
+;	4
+update add  24.0.4.168.192.rpz-ip.bl	300 CNAME .
+;
+; old passthru in NXDOMAIN CIDR block to leave a4-1.tld2 unchanged
+;	3
+update add  32.1.4.168.192.rpz-ip.bl	300 CNAME 32.1.4.168.192
+;
+; NODATA for a4-3.tld2
+;	8
+update add  32.3.4.168.192.rpz-ip.bl	300 CNAME *.
+;
+; NXDOMAIN for IPv6 a3-1.tld2
+;	9
+update add  128.1.zz.3.2.2001.rpz-ip.bl	300 CNAME .
+;
+; apply the policy with the lexically smaller trigger address of 192.168.5.1
+; to an RRset of more than one A RR
+;	11
+update add  32.1.5.168.192.rpz-ip.bl	300 A	127.0.0.1
+update add  32.2.5.168.192.rpz-ip.bl	300 A	127.0.0.2
+;
+; prefer first conflicting IP zone for a5-3.tld2
+;	12
+update add 32.3.5.168.192.rpz-ip.bl	300 A	127.0.0.1
+send
+update add 32.3.5.168.192.rpz-ip.bl-2	300 A	127.0.0.2
+send
+
+; prefer QNAME to IP for a5-4.tld2
+;	13, 14
+update add 32.4.5.168.192.rpz-ip.bl	300 CNAME a12.tld2.
+update add a5-4.tld2.bl			300 CNAME a14.tld4.
+;
+; poke hole in NXDOMAIN CIDR block to leave a4-4.tld2 unchanged
+;	15
+update add  32.4.4.168.192.rpz-ip.bl	300 CNAME rpz-passthru.
+;
+; assert in rbtdb.c
+;	16
+update add 32.16.1.16.172.rpz-ip.bl	300 CNAME .
+send
+update add c2.crash2.tld3.bl-2		300 A	127.0.0.16
+send
+
+; client-IP address trigger
+;	17
+update add 32.1.0.53.10.rpz-client-ip.bl 300 A	127.0.0.17
+send
diff --git a/bin/tests/system/rpz/test3 b/bin/tests/system/rpz/test3
new file mode 100644
index 0000000..222b757
--- /dev/null
+++ b/bin/tests/system/rpz/test3
@@ -0,0 +1,47 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+
+
+; Use comment lines instead of blank lines to combine update requests into
+;	single requests
+; Separate update requests for distinct TLDs with blank lines or 'send'
+; End the file with a blank line or 'send'
+
+; NSDNAME tests
+
+server 10.53.0.3 @PORT@
+
+;	3, 4, 5
+; NXDOMAIN for *.sub1.tld2 by NSDNAME
+update add  *.sub1.tld2.rpz-nsdname.bl.	300 CNAME .
+;
+;	6
+; walled garden for *.sub2.tld2
+update add  *.sub2.tld2.rpz-nsdname.bl.	300 CNAME a12-cname.tld2.
+;
+;	7, 8
+; exempt a3-2.tld2 and anything in 192.168.0.0/24
+;   also checks that IP policies are preferred over NSDNAME policies
+update add  a3-2.tld2.bl		300 CNAME a3-2.tld2.
+update add  24.0.0.168.192.rpz-ip.bl	300 CNAME 24.0.0.168.192.
+;
+;	9
+; prefer QNAME policy to NSDNAME policy
+update add  a4-1.tld2.bl.		300 A 12.12.12.12
+;	10
+; prefer policy for largest NS name
+update add  ns.sub3.tld2.rpz-nsdname.bl.	300 A	127.0.0.1
+update add  ns.subsub.sub3.tld2.rpz-nsdname.bl. 300 A	127.0.0.2
+
+; ip-as-qname rewrites all of tld5
+update add  ns.tld5.bl.			300 A 12.12.12.12
+send
diff --git a/bin/tests/system/rpz/test4 b/bin/tests/system/rpz/test4
new file mode 100644
index 0000000..7b95dd3
--- /dev/null
+++ b/bin/tests/system/rpz/test4
@@ -0,0 +1,36 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+
+
+; Use comment lines instead of blank lines to combine update requests into
+;	single requests
+; Separate update requests for distinct TLDs with blank lines or 'send'
+; End the file with a blank line or 'send'
+
+; NSIP tests
+
+server 10.53.0.3 @PORT@
+
+; NXDOMAIN for all of tld2 based on its server IP address
+update add  32.2.0.53.10.rpz-nsip.bl.	300 CNAME .
+;
+; exempt a3-2.tld2 and anything in 192.168.0.0/24
+;   also checks that IP policies are preferred over NSIP policies
+update add  a3-2.tld2.bl		300 CNAME a3-2.tld2.
+update add  24.0.0.168.192.rpz-ip.bl	300 CNAME 24.0.0.168.192.
+;
+; prefer NSIP policy to NSDNAME policy
+update add  ns.tld2.rpz-nsdname.bl.	300 CNAME 10.0.0.1
+
+; ip-as-ns rewrites all of tld5
+update add  32.5.0.53.10.rpz-ip.bl.	300 A 12.12.12.12
+send
diff --git a/bin/tests/system/rpz/test4a b/bin/tests/system/rpz/test4a
new file mode 100644
index 0000000..83a175d
--- /dev/null
+++ b/bin/tests/system/rpz/test4a
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+
+
+; Use comment lines instead of blank lines to combine update requests into
+;	single requests
+; Separate update requests for distinct TLDs with blank lines or 'send'
+; End the file with a blank line or 'send'
+
+; walled-garden NSIP tests
+
+server 10.53.0.3 @PORT@
+
+; rewrite all of tld2 based on its server IP address
+update add  32.2.0.53.10.rpz-nsip.bl.	300 A	    41.41.41.41
+update add  32.2.0.53.10.rpz-nsip.bl.	300 AAAA    2041::41
+update add  32.2.0.53.10.rpz-nsip.bl.	300 TXT	    "NSIP walled garden"
+send
diff --git a/bin/tests/system/rpz/test5 b/bin/tests/system/rpz/test5
new file mode 100644
index 0000000..f30a6be
--- /dev/null
+++ b/bin/tests/system/rpz/test5
@@ -0,0 +1,60 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+
+
+; Use comment lines instead of blank lines to combine update requests into
+;	single requests
+; Separate update requests for distinct TLDs with blank lines or 'send'
+; End the file with a blank line or 'send'
+
+; the policies or replacements specified in ns3/named.conf override these
+
+server 10.53.0.3 @PORT@
+
+;	1
+update add  a3-1.tld2.bl-given.	    300 A 127.0.0.1
+send
+;	2
+update add  a3-2.tld2.bl-passthru.  300 A 127.0.0.2
+send
+;	3
+update add  a3-3.tld2.bl-no-op.	    300 A 127.0.0.3
+send
+;	4
+update add  a3-4.tld2.bl-disabled.  300 A 127.0.0.4
+send
+;	5 - 7
+update add  a3-5.tld2.bl-nodata.    300 A 127.0.0.5
+send
+;	11
+update add  a3-6.tld2.bl-nxdomain.  300 A 127.0.0.11
+send
+;	12
+update add  a3-7.tld2.bl-cname.	    300 A 127.0.0.12
+send
+;	13
+update add  a3-8.tld2.bl-wildcname. 300 A 127.0.0.13
+;	14
+update add  *.sub9.tld2.bl-wildcname. 300 A 127.0.1.14
+send
+;	15
+update add  a3-15.tld2.bl-garden.   300 A 127.0.0.15
+send
+;	16
+update add  a3-16.tld2.bl.	    300 A 127.0.0.16
+send
+;	18
+update add  a3-18.tld2.bl-drop.	    300 A 127.0.0.18
+send
+;	19
+update add  a3-19.tld2.bl-tcp-only. 300 A 127.0.0.19
+send
diff --git a/bin/tests/system/rpz/test6 b/bin/tests/system/rpz/test6
new file mode 100644
index 0000000..e5c2381
--- /dev/null
+++ b/bin/tests/system/rpz/test6
@@ -0,0 +1,37 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+
+
+; Use comment lines instead of blank lines to combine update requests into
+;	single requests
+; Separate update requests for distinct TLDs with blank lines or 'send'
+; End the file with a blank line or 'send'
+
+server 10.53.0.3 @PORT@
+
+; Poke the radix tree a little.
+update add  128.1111.2222.3333.4444.5555.6666.7777.8888.rpz-ip.bl. 300 CNAME .
+update add  128.1111.2222.3333.4444.5555.6666.zz.rpz-ip.bl.	300 CNAME   .
+update add  128.1111.2222.3333.4444.5555.zz.8888.rpz-ip.bl.	300 CNAME   .
+update add  128.1111.2222.3333.4444.zz.8888.rpz-ip.bl.		300 CNAME   .
+update add  128.zz.3333.4444.0.0.8888.rpz-ip.bl.		300 CNAME   .
+update add  128.zz.3333.4444.0.7777.8888.rpz-ip.bl.		300 CNAME   .
+update add  128.zz.3333.4444.0.8777.8888.rpz-ip.bl.		300 CNAME   .
+update add  127.zz.3333.4444.0.8777.8888.rpz-ip.bl.		300 CNAME   .
+;
+;
+; regression testing for some old crashes
+update add  redirect.bl.	300 A		127.0.0.1
+update add  *.redirect.bl.	300 A		127.0.0.1
+update add  *.credirect.bl.	300 CNAME	google.com.
+;
+send
diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh
new file mode 100644
index 0000000..738df3c
--- /dev/null
+++ b/bin/tests/system/rpz/tests.sh
@@ -0,0 +1,1012 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# test response policy zones (RPZ)
+
+# touch dnsrps-off to not test with DNSRPS
+# touch dnsrps-only to not test with classic RPZ
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+ns=10.53.0
+ns1=$ns.1		# root, defining the others
+ns2=$ns.2		# authoritative server whose records are rewritten
+ns3=$ns.3		# main rewriting resolver
+ns4=$ns.4		# another authoritative server that is rewritten
+ns5=$ns.5		# another rewriting resolver
+ns6=$ns.6		# a forwarding server
+ns7=$ns.7		# another rewriting resolver
+ns8=$ns.8		# another rewriting resolver
+ns9=$ns.9		# another rewriting resolver
+ns10=$ns.10		# authoritative server
+
+HAVE_CORE=
+
+status=0
+t=0
+
+DEBUG=
+SAVE_RESULTS=
+ARGS=
+
+USAGE="$0: [-xS]"
+while getopts "xS:" c; do
+    case $c in
+	x) set -x; DEBUG=-x; ARGS="$ARGS -x";;
+	S) SAVE_RESULTS=-S; ARGS="$ARGS -S";;
+	*) echo "$USAGE" 1>&2; exit 1;;
+    esac
+done
+shift `expr $OPTIND - 1 || true`
+if test "$#" -ne 0; then
+    echo "$USAGE" 1>&2
+    exit 1
+fi
+# really quit on control-C
+trap 'exit 1' 1 2 15
+
+TS='%H:%M:%S '
+TS=
+comment () {
+    if test -n "$TS"; then
+	date "+${TS}$*" | cat_i
+    fi
+}
+
+DNSRPSCMD=./dnsrps
+RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
+
+if test -x "$DNSRPSCMD"; then
+    # speed up the many delays for dnsrpzd by waiting only 0.1 seconds
+    WAIT_CMD="$DNSRPSCMD -w 0.1"
+    TEN_SECS=100
+else
+    WAIT_CMD="sleep 1"
+    TEN_SECS=10
+fi
+
+digcmd () {
+    if test "$1" = TCP; then
+	shift
+    fi
+    # Default to +noauth and @$ns3
+    # Also default to -bX where X is the @value so that OS X will choose
+    #	    the right IP source address.
+    digcmd_args=`echo "+nocookie +noadd +time=2 +tries=1 -p ${PORT} $*" |	\
+	    sed -e "/@/!s/.*/& @$ns3/"					\
+		-e '/-b/!s/@\([^ ]*\)/@\1 -b\1/'			\
+		-e '/+n?o?auth/!s/.*/+noauth &/'`
+    #echo_i "dig $digcmd_args 1>&2
+    $DIG $digcmd_args
+}
+
+# set DIGNM=file name for dig output
+GROUP_NM=
+TEST_NUM=0
+make_dignm () {
+    TEST_NUM=`expr $TEST_NUM : '\([0-9]*\).*'`	    # trim '+' characters
+    TEST_NUM=`expr $TEST_NUM + 1`
+    DIGNM=dig.out$GROUP_NM-$TEST_NUM
+    while test -f $DIGNM; do
+	TEST_NUM="$TEST_NUM+"
+	DIGNM=dig.out$GROUP_NM-$TEST_NUM
+    done
+}
+
+setret () {
+    ret=1
+    status=`expr $status + 1`
+    echo_i "$*"
+}
+
+# set $SN to the SOA serial number of a zone
+# $1=domain
+# $2=DNS server and client IP address
+get_sn() {
+    SOA=`$DIG -p ${PORT} +short +norecurse soa "$1" "@$2" "-b$2"`
+    SN=`expr "$SOA" : '[^ ]* [^ ]* \([^ ]*\) .*'`
+    test "$SN" != "" && return
+    echo_i "no serial number from \`dig -p ${PORT} soa $1 @$2\` in \"$SOA\""
+    exit 1
+}
+
+get_sn_fast () {
+    RSN=`$DNSRPSCMD -n "$1"`
+    #echo "dnsrps serial for $1 is $RSN"
+    if test -z "$RSN"; then
+	echo_i "dnsrps failed to get SOA serial number for $1"
+	exit 1
+    fi
+}
+
+# check that dnsrpzd has loaded its zones
+# $1=domain
+# $2=DNS server IP address
+FZONES=`sed -n -e 's/^zone "\(.*\)".*\(10.53.0..\).*/Z=\1;M=\2/p' dnsrpzd.conf`
+dnsrps_loaded() {
+    test "$mode" = dnsrps || return
+    n=0
+    for V in $FZONES; do
+	eval "$V"
+	get_sn $Z $M
+	while true; do
+	    get_sn_fast "$Z"
+	    if test "$SN" -eq "0$RSN"; then
+		#echo "$Z @$M serial=$SN"
+		break
+	    fi
+	    n=`expr $n + 1`
+	    if test "$n" -gt $TEN_SECS; then
+		echo_i "dnsrps serial for $Z is $RSN instead of $SN"
+		exit 1
+	    fi
+	    $WAIT_CMD
+	done
+    done
+}
+
+# check the serial number in an SOA to ensure that a policy zone has
+#   been (re)loaded
+# $1=serial number
+# $2=domain
+# $3=DNS server
+ck_soa() {
+    n=0
+    while true; do
+	if test "$mode" = dnsrps; then
+	    get_sn_fast "$2"
+	    test "$RSN" -eq "$1" && return
+	else
+	    get_sn "$2" "$3"
+	    test "$SN" -eq "$1" && return
+	fi
+	n=`expr $n + 1`
+	if test "$n" -gt $TEN_SECS; then
+	    echo_i "got serial number \"$SN\" instead of \"$1\" from $2 @$3"
+	    return
+	fi
+	$WAIT_CMD
+    done
+}
+
+# (re)load the response policy zones with the rules in the file $TEST_FILE
+load_db () {
+    if test -n "$TEST_FILE"; then
+        copy_setports $TEST_FILE tmp
+	if $NSUPDATE -v tmp; then :
+	    $RNDCCMD $ns3 sync
+	else
+	    echo_i "failed to update policy zone with $TEST_FILE"
+	    $RNDCCMD $ns3 sync
+	    exit 1
+	fi
+        rm -f tmp
+    fi
+}
+
+# restart name server
+# $1 ns number
+# $2 rebuild bl rpz zones if "rebuild-bl-rpz"
+restart () {
+    # try to ensure that the server really has stopped
+    # and won't mess with ns$1/name.pid
+    if test -z "$HAVE_CORE" -a -f ns$1/named.pid; then
+	$RNDCCMD $ns$1 halt >/dev/null 2>&1
+	if test -f ns$1/named.pid; then
+	    sleep 1
+	    PID=`cat ns$1/named.pid 2>/dev/null`
+	    if test -n "$PID"; then
+		echo_i "killing ns$1 server $PID"
+		$KILL -9 $PID
+	    fi
+	fi
+    fi
+    rm -f ns$1/*.jnl
+    if [ "$2" = "rebuild-bl-rpz" ]; then
+        if test -f ns$1/base.db; then
+	    for NM in ns$1/bl*.db; do
+	        cp -f ns$1/base.db $NM
+            done
+        fi
+    fi
+    start_server --noclean --restart --port ${PORT} ns$1
+    load_db
+    dnsrps_loaded
+    sleep 1
+}
+
+# $1=server and irrelevant args
+# $2=error message
+ckalive () {
+    CKALIVE_NS=`expr "$1" : '.*@ns\([1-9]\).*'`
+    if test -z "$CKALIVE_NS"; then
+	CKALIVE_NS=3
+    fi
+    eval CKALIVE_IP=\$ns$CKALIVE_NS
+    $RNDCCMD $CKALIVE_IP status >/dev/null 2>&1 && return 0
+    HAVE_CORE=yes
+    setret "$2"
+    # restart the server to avoid stalling waiting for it to stop
+    restart $CKALIVE_NS "rebuild-bl-rpz"
+    return 1
+}
+
+resetstats () {
+        NSDIR=$1
+        eval "${NSDIR}_CNT=''"
+}
+
+ckstats () {
+    HOST=$1
+    LABEL="$2"
+    NSDIR="$3"
+    EXPECTED="$4"
+    $RNDCCMD $HOST stats
+    NEW_CNT=0`sed -n -e 's/[	 ]*\([0-9]*\).response policy.*/\1/p'  \
+		    $NSDIR/named.stats | tail -1`
+    eval "OLD_CNT=0\$${NSDIR}_CNT"
+    GOT=`expr $NEW_CNT - $OLD_CNT`
+    if test "$GOT" -ne "$EXPECTED"; then
+	setret "wrong $LABEL $NSDIR statistics of $GOT instead of $EXPECTED"
+    fi
+    eval "${NSDIR}_CNT=$NEW_CNT"
+}
+
+ckstatsrange () {
+    HOST=$1
+    LABEL="$2"
+    NSDIR="$3"
+    MIN="$4"
+    MAX="$5"
+    $RNDCCMD $HOST stats
+    NEW_CNT=0`sed -n -e 's/[	 ]*\([0-9]*\).response policy.*/\1/p'  \
+		    $NSDIR/named.stats | tail -1`
+    eval "OLD_CNT=0\$${NSDIR}_CNT"
+    GOT=`expr $NEW_CNT - $OLD_CNT`
+    if test "$GOT" -lt "$MIN" -o "$GOT" -gt "$MAX"; then
+	setret "wrong $LABEL $NSDIR statistics of $GOT instead of ${MIN}..${MAX}"
+    fi
+    eval "${NSDIR}_CNT=$NEW_CNT"
+}
+
+# $1=message
+# $2=optional test file name
+start_group () {
+    ret=0
+    t=`expr $t + 1`
+    test -n "$1" && date "+${TS}checking $1 (${t})" | cat_i
+    TEST_FILE=$2
+    if test -n "$TEST_FILE"; then
+	GROUP_NM="-$TEST_FILE"
+	load_db
+    else
+	GROUP_NM=
+    fi
+    dnsrps_loaded
+    TEST_NUM=0
+}
+
+end_group () {
+    if test -n "$TEST_FILE"; then
+	# remove the previous set of test rules
+        copy_setports $TEST_FILE tmp
+	sed -e 's/[	 ]add[	 ]/ delete /' tmp | $NSUPDATE
+        rm -f tmp
+	TEST_FILE=
+    fi
+    ckalive $ns3 "failed; ns3 server crashed and restarted"
+    dnsrps_loaded
+    GROUP_NM=
+}
+
+clean_result () {
+    if test -z "$SAVE_RESULTS"; then
+	rm -f $*
+    fi
+}
+
+# $1=dig args
+# $2=other dig output file
+ckresult () {
+    #ckalive "$1" "server crashed by 'dig $1'" || return 1
+    expr "$1" : 'TCP ' > /dev/null && tcp=1 || tcp=0
+    digarg=${1#TCP }
+
+    if grep "flags:.* aa .*ad;" $DIGNM; then
+	setret "'dig $digarg' AA and AD set;"
+    elif grep "flags:.* aa .*ad;" $DIGNM; then
+	setret "'dig $digarg' AD set;"
+    fi
+
+    if $PERL $SYSTEMTESTTOP/digcomp.pl $DIGNM $2 >/dev/null; then
+	grep -q 'Truncated, retrying in TCP' $DIGNM && trunc=1 || trunc=0
+	if [ "$tcp" -ne "$trunc" ]; then
+	    setret "'dig $digarg' wrong; no or unexpected truncation in $DIGNM"
+	    return 1
+	fi
+	clean_result ${DIGNM}*
+	return 0
+    fi
+    setret "'dig $digarg' wrong; diff $DIGNM $2"
+    return 1
+}
+
+# check only that the server does not crash
+# $1=target domain
+# $2=optional query type
+nocrash () {
+    digcmd $* >/dev/null
+    ckalive "$*" "server crashed by 'dig $*'"
+}
+
+
+# check rewrite to NXDOMAIN
+# $1=target domain
+# $2=optional query type
+nxdomain () {
+    make_dignm
+    digcmd $*								\
+	| sed -e 's/^[a-z].*	IN	CNAME	/;xxx &/'		\
+		-e 's/^[a-z].*	IN	RRSIG	/;xxx &/'		\
+	    >$DIGNM
+    ckresult "$*" proto.nxdomain
+}
+
+# check rewrite to NODATA
+# $1=target domain
+# $2=optional query type
+nodata () {
+    make_dignm
+    digcmd $*								\
+	| sed -e 's/^[a-z].*	IN	CNAME	/;xxx &/' >$DIGNM
+    ckresult "$*" proto.nodata
+}
+
+# check rewrite to an address
+#   modify the output so that it is easily compared, but save the original line
+# $1=IPv4 address
+# $2=digcmd args
+# $3=optional TTL
+addr () {
+    ADDR=$1
+    make_dignm
+    digcmd $2 >$DIGNM
+    #ckalive "$2" "server crashed by 'dig $2'" || return 1
+    ADDR_ESC=`echo "$ADDR" | sed -e 's/\./\\\\./g'`
+    ADDR_TTL=`tr -d '\r' < $DIGNM | sed -n -e "s/^[-.a-z0-9]\{1,\}[	 ]*\([0-9]*\)	IN	AA*	${ADDR_ESC}\$/\1/p"`
+    if test -z "$ADDR_TTL"; then
+	setret "'dig $2' wrong; no address $ADDR record in $DIGNM"
+	return 1
+    fi
+    if test -n "$3" && test "$ADDR_TTL" -ne "$3"; then
+	setret "'dig $2' wrong; TTL=$ADDR_TTL instead of $3 in $DIGNM"
+	return 1
+    fi
+    clean_result ${DIGNM}*
+}
+
+# Check that a response is not rewritten
+#   Use $ns1 instead of the authority for most test domains, $ns2 to prevent
+#   spurious differences for `dig +norecurse`
+# $1=optional "TCP"
+# remaining args for dig
+nochange () {
+    make_dignm
+    digcmd $* >$DIGNM
+    digcmd $* @$ns1 >${DIGNM}_OK
+    ckresult "$*" ${DIGNM}_OK && clean_result ${DIGNM}_OK
+}
+
+nochange_ns10 () {
+    make_dignm
+    digcmd $* >$DIGNM
+    digcmd $* @$ns10 >${DIGNM}_OK
+    ckresult "$*" ${DIGNM}_OK && clean_result ${DIGNM}_OK
+}
+
+# check against a 'here document'
+here () {
+    make_dignm
+    sed -e 's/^[	 ]*//' >${DIGNM}_OK
+    digcmd $* >$DIGNM
+    ckresult "$*" ${DIGNM}_OK
+}
+
+# check dropped response
+DROPPED='^;; connection timed out; no servers could be reached'
+drop () {
+    make_dignm
+    digcmd $* >$DIGNM
+    if grep "$DROPPED" $DIGNM >/dev/null; then
+	clean_result ${DIGNM}*
+	return 0
+    fi
+    setret "'dig $1' wrong; response in $DIGNM"
+    return 1
+}
+
+nsd() {
+  $NSUPDATE -p ${PORT} << EOF
+  server $1
+  ttl 300
+  update $2 $3 IN CNAME .
+  update $2 $4 IN CNAME .
+  send
+EOF
+  sleep 2
+}
+
+#
+# generate prototype NXDOMAIN response to compare against.
+#
+make_proto_nxdomain() {
+  digcmd nonexistent @$ns2 >proto.nxdomain || return 1
+  grep "status: NXDOMAIN" proto.nxdomain >/dev/null || return 1
+  return 0
+}
+
+#
+# generate prototype NODATA response to compare against.
+#
+make_proto_nodata() {
+  digcmd txt-only.tld2 @$ns2 >proto.nodata || return 1
+  grep "status: NOERROR" proto.nodata >/dev/null || return 1
+  return 0
+}
+
+for mode in native dnsrps; do
+  status=0
+  case ${mode} in
+  native)
+    if [ -e dnsrps-only ] ; then
+      echo_i "'dnsrps-only' found: skipping native RPZ sub-test"
+      continue
+    else
+      echo_i "running native RPZ sub-test"
+    fi
+    ;;
+  dnsrps)
+    if [ -e dnsrps-off ] ; then
+      echo_i "'dnsrps-off' found: skipping DNSRPS sub-test"
+      continue
+    fi
+    echo_i "attempting to configure servers with DNSRPS..."
+    stop_server --use-rndc --port ${CONTROLPORT}
+    $SHELL ./setup.sh -N -D $DEBUG
+    for server in ns*; do
+      resetstats $server
+    done
+    sed -n 's/^## //p' dnsrps.conf | cat_i
+    if grep '^#fail' dnsrps.conf >/dev/null; then
+      echo_i "exit status: 1"
+      exit 1
+    fi
+    if grep '^#skip' dnsrps.conf > /dev/null; then
+      echo_i "DNSRPS sub-test skipped"
+      continue
+    else
+      echo_i "running DNSRPS sub-test"
+      start_server --noclean --restart --port ${PORT}
+      sleep 3
+    fi
+    ;;
+  esac
+
+  # make prototype files to check against rewritten results
+  retry_quiet 10 make_proto_nxdomain
+  retry_quiet 10 make_proto_nodata
+
+  start_group "QNAME rewrites" test1
+  nochange .					# 1 do not crash or rewrite root
+  nxdomain a0-1.tld2				# 2
+  nodata a3-1.tld2				# 3
+  nodata a3-2.tld2				# 4 nodata at DNAME itself
+  nochange sub.a3-2.tld2			# 5 miss where DNAME might work
+  nxdomain a4-2.tld2				# 6 rewrite based on CNAME target
+  nxdomain a4-2-cname.tld2			# 7
+  nodata a4-3-cname.tld2			# 8
+  addr 12.12.12.12  a4-1.sub1.tld2		# 9 A replacement
+  addr 12.12.12.12  a4-1.sub2.tld2		# 10 A replacement with wildcard
+  addr 12.12.12.12  nxc1.sub1.tld2		# 11 replace NXDOMAIN with CNAME
+  addr 12.12.12.12  nxc2.sub1.tld2		# 12 replace NXDOMAIN with CNAME chain
+  addr 127.4.4.1    a4-4.tld2			# 13 prefer 1st conflicting QNAME zone
+  nochange a6-1.tld2				# 14
+  addr 127.6.2.1    a6-2.tld2			# 15
+  addr 56.56.56.56  a3-6.tld2			# 16 wildcard CNAME
+  addr 57.57.57.57  a3-7.sub1.tld2		# 17 wildcard CNAME
+  addr 127.0.0.16   a4-5-cname3.tld2		# 18 CNAME chain
+  addr 127.0.0.17   a4-6-cname3.tld2		# 19 stop short in CNAME chain
+  nochange a5-2.tld2 +norecurse			# 20 check that RD=1 is required
+  nochange a5-3.tld2 +norecurse			# 21
+  nochange a5-4.tld2 +norecurse			# 22
+  nochange sub.a5-4.tld2 +norecurse		# 23
+  nxdomain c1.crash2.tld3			# 24 assert in rbtdb.c
+  nxdomain a0-1.tld2  +dnssec			# 25 simple DO=1 without signatures
+  nxdomain a0-1.tld2s +nodnssec			# 26 simple DO=0 with signatures
+  nochange a0-1.tld2s +dnssec			# 27 simple DO=1 with signatures
+  nxdomain a0-1s-cname.tld2s +dnssec		# 28 DNSSEC too early in CNAME chain
+  nochange a0-1-scname.tld2  +dnssec		# 29 DNSSEC on target in CNAME chain
+  nochange a0-1.tld2s srv +auth +dnssec		# 30 no write for DNSSEC and no record
+  nxdomain a0-1.tld2s srv +nodnssec		# 31
+  drop a3-8.tld2 any				# 32 drop
+  nochange TCP a3-9.tld2			# 33 tcp-only
+  here x.servfail <<'EOF'			# 34 qname-wait-recurse yes
+    ;; status: SERVFAIL, x
+EOF
+  addr 35.35.35.35 "x.servfail @$ns5"		# 35 qname-wait-recurse no
+  end_group
+  ckstats $ns3 test1 ns3 22
+  ckstats $ns5 test1 ns5 1
+  ckstats $ns6 test1 ns6 0
+
+  start_group "NXDOMAIN/NODATA action on QNAME trigger" test1
+  nxdomain a0-1.tld2 @$ns6			# 1
+  nodata a3-1.tld2 @$ns6			# 2
+  nodata a3-2.tld2 @$ns6			# 3 nodata at DNAME itself
+  nxdomain a4-2.tld2 @$ns6			# 4 rewrite based on CNAME target
+  nxdomain a4-2-cname.tld2 @$ns6		# 5
+  nodata a4-3-cname.tld2 @$ns6			# 6
+  addr 12.12.12.12  "a4-1.sub1.tld2 @$ns6"	# 7 A replacement
+  addr 12.12.12.12  "a4-1.sub2.tld2 @$ns6"	# 8 A replacement with wildcard
+  addr 127.4.4.1    "a4-4.tld2 @$ns6"		# 9 prefer 1st conflicting QNAME zone
+  addr 12.12.12.12  "nxc1.sub1.tld2 @$ns6"	# 10 replace NXDOMAIN w/ CNAME
+  addr 12.12.12.12  "nxc2.sub1.tld2 @$ns6"	# 11 replace NXDOMAIN w/ CNAME chain
+  addr 127.6.2.1    "a6-2.tld2 @$ns6"		# 12
+  addr 56.56.56.56  "a3-6.tld2 @$ns6"		# 13 wildcard CNAME
+  addr 57.57.57.57  "a3-7.sub1.tld2 @$ns6"	# 14 wildcard CNAME
+  addr 127.0.0.16   "a4-5-cname3.tld2 @$ns6"	# 15 CNAME chain
+  addr 127.0.0.17   "a4-6-cname3.tld2 @$ns6"	# 16 stop short in CNAME chain
+  nxdomain c1.crash2.tld3 @$ns6			# 17 assert in rbtdb.c
+  nxdomain a0-1.tld2 +dnssec @$ns6		# 18 simple DO=1 without sigs
+  nxdomain a0-1s-cname.tld2s  +dnssec @$ns6	# 19
+  drop a3-8.tld2 any @$ns6			# 20 drop
+  end_group
+  ckstatsrange $ns3 test1 ns3 22 30
+  ckstats $ns5 test1 ns5 0
+  ckstats $ns6 test1 ns6 0
+
+  start_group "IP rewrites" test2
+  nodata a3-1.tld2				# 1 NODATA
+  nochange a3-2.tld2				# 2 no policy record so no change
+  nochange a4-1.tld2				# 3 obsolete PASSTHRU record style
+  nxdomain a4-2.tld2				# 4
+  nochange a4-2.tld2 -taaaa			# 5 no A => no policy rewrite
+  nochange a4-2.tld2 -ttxt			# 6 no A => no policy rewrite
+  nxdomain a4-2.tld2 -tany			# 7 no A => no policy rewrite
+  nodata a4-3.tld2				# 8
+  nxdomain a3-1.tld2 -taaaa			# 9 IPv6 policy
+  nochange a4-1-aaaa.tld2 -taaaa		# 10
+  addr 127.0.0.1 a5-1-2.tld2			# 11 prefer smallest policy address
+  addr 127.0.0.1 a5-3.tld2			# 12 prefer first conflicting IP zone
+  nochange a5-4.tld2 +norecurse			# 13 check that RD=1 is required for #14
+  addr 14.14.14.14 a5-4.tld2			# 14 prefer QNAME to IP
+  nochange a4-4.tld2				# 15 PASSTHRU
+  nxdomain c2.crash2.tld3			# 16 assert in rbtdb.c
+  addr 127.0.0.17 "a4-4.tld2 -b $ns1"		# 17 client-IP address trigger
+  nxdomain a7-1.tld2				# 18 secondary policy zone (RT34450)
+  # updating an response zone policy
+  cp ns2/blv2.tld2.db.in ns2/bl.tld2.db
+  rndc_reload ns2 $ns2 bl.tld2
+  ck_soa 2 bl.tld2 $ns3
+  nochange a7-1.tld2				# 19 PASSTHRU
+  # ensure that a clock tick has occurred so that named will do the reload
+  sleep 1
+  cp ns2/blv3.tld2.db.in ns2/bl.tld2.db
+  rndc_reload ns2 $ns2 bl.tld2
+  ck_soa 3 bl.tld2 $ns3
+  nxdomain a7-1.tld2				# 20 secondary policy zone (RT34450)
+  end_group
+  ckstats $ns3 test2 ns3 12
+
+  # check that IP addresses for previous group were deleted from the radix tree
+  start_group "radix tree deletions"
+  nochange a3-1.tld2
+  nochange a3-2.tld2
+  nochange a4-1.tld2
+  nochange a4-2.tld2
+  nochange a4-2.tld2 -taaaa
+  nochange a4-2.tld2 -ttxt
+  nochange a4-2.tld2 -tany
+  nochange a4-3.tld2
+  nochange a3-1.tld2 -tAAAA
+  nochange a4-1-aaaa.tld2 -tAAAA
+  nochange a5-1-2.tld2
+  end_group
+  ckstats $ns3 'radix tree deletions' ns3 0
+
+  # these tests assume "min-ns-dots 0"
+  start_group "NSDNAME rewrites" test3
+  nextpart ns3/named.run > /dev/null
+  nochange a3-1.tld2				# 1
+  nochange a3-1.tld2 +dnssec			# 2 this once caused problems
+  nxdomain a3-1.sub1.tld2			# 3 NXDOMAIN *.sub1.tld2 by NSDNAME
+  nxdomain a3-1.subsub.sub1.tld2		# 4
+  nxdomain a3-1.subsub.sub1.tld2 -tany		# 5
+  addr 12.12.12.12 a4-2.subsub.sub2.tld2	# 6 walled garden for *.sub2.tld2
+  nochange a3-2.tld2.				# 7 exempt rewrite by name
+  nochange a0-1.tld2.				# 8 exempt rewrite by address block
+  addr 12.12.12.12 a4-1.tld2			# 9 prefer QNAME policy to NSDNAME
+  addr 127.0.0.1 a3-1.sub3.tld2			# 10 prefer policy for largest NSDNAME
+  addr 127.0.0.2 a3-1.subsub.sub3.tld2		# 11
+  nxdomain xxx.crash1.tld2			# 12 dns_db_detachnode() crash
+
+  nxdomain a3-1.stub				# 13
+  nxdomain a3-1.static-stub			# 14
+  nochange_ns10 a3-1.stub-nomatch		# 15
+  nochange_ns10 a3-1.static-stub-nomatch	# 16
+  if [ "$mode" = dnsrps ]; then
+    addr 12.12.12.12 as-ns.tld5.		# 17 qname-as-ns
+  fi
+  nextpart ns3/named.run | grep -q "unrecognized NS rpz_rrset_find() failed: glue" &&
+  setret "seen: unrecognized NS rpz_rrset_find() failed: glue"
+  end_group
+  if [ "$mode" = dnsrps ]; then
+    ckstats $ns3 test3 ns3 10
+  else
+    ckstats $ns3 test3 ns3 9
+  fi
+
+  # these tests assume "min-ns-dots 0"
+  start_group "NSIP rewrites" test4
+  nextpart ns3/named.run > /dev/null
+  nxdomain a3-1.tld2				# 1 NXDOMAIN for all of tld2
+  nochange a3-2.tld2.				# 2 exempt rewrite by name
+  nochange a0-1.tld2.				# 3 exempt rewrite by address block
+  nochange a3-1.tld4				# 4 different NS IP address
+  nxdomain a4-1.stub				# 5
+  nxdomain a4-1.static-stub			# 6
+  nochange_ns10 a4-1.stub-nomatch		# 7
+  nochange_ns10 a4-1.static-stub-nomatch	# 8
+  if [ "$mode" = dnsrps ]; then
+      addr 12.12.12.12 as-ns.tld5.		# 9 ip-as-ns
+  fi
+  nextpart ns3/named.run | grep -q "unrecognized NS rpz_rrset_find() failed: glue" &&
+  setret "seen: unrecognized NS rpz_rrset_find() failed: glue"
+  end_group
+
+  start_group "walled garden NSIP rewrites" test4a
+  addr 41.41.41.41 a3-1.tld2			# 1 walled garden for all of tld2
+  addr 2041::41   'a3-1.tld2 AAAA'		# 2 walled garden for all of tld2
+  here a3-1.tld2 TXT <<'EOF'			# 3 text message for all of tld2
+    ;; status: NOERROR, x
+    a3-1.tld2.	    x	IN	TXT   "NSIP walled garden"
+EOF
+  end_group
+  if [ "$mode" = dnsrps ]; then
+    ckstats $ns3 test4 ns3 7
+  else
+    ckstats $ns3 test4 ns3 6
+  fi
+
+  # policies in ./test5 overridden by response-policy{} in ns3/named.conf
+  # and in ns5/named.conf
+  start_group "policy overrides" test5
+  addr 127.0.0.1 a3-1.tld2			# 1 bl-given
+  nochange a3-2.tld2				# 2 bl-passthru
+  nochange a3-3.tld2				# 3 bl-no-op (obsolete for passthru)
+  nochange a3-4.tld2				# 4 bl-disabled
+  nodata a3-5.tld2				# 5 bl-nodata zone recursive-only no
+  nodata a3-5.tld2 +norecurse			# 6 bl-nodata zone recursive-only no
+  nodata a3-5.tld2				# 7 bl-nodata not needed
+  nxdomain a3-5.tld2 +norecurse @$ns5		# 8 bl-nodata global recursive-only no
+  nxdomain a3-5.tld2s @$ns5			# 9 bl-nodata global break-dnssec
+  nxdomain a3-5.tld2s +dnssec @$ns5		# 10 bl-nodata global break-dnssec
+  nxdomain a3-6.tld2				# 11 bl-nxdomain
+  here a3-7.tld2 -tany <<'EOF'			# 12
+    ;; status: NOERROR, x
+    a3-7.tld2.	    x	IN	CNAME   txt-only.tld2.
+    txt-only.tld2.  x	IN	TXT     "txt-only-tld2"
+EOF
+  addr 58.58.58.58 a3-8.tld2			# 13 bl_wildcname
+  addr 59.59.59.59 a3-9.sub9.tld2		# 14 bl_wildcname
+  addr 12.12.12.12 a3-15.tld2			# 15 bl-garden via CNAME to a12.tld2
+  addr 127.0.0.16 a3-16.tld2 100		# 16 bl	max-policy-ttl 100
+  addr 17.17.17.17 "a3-17.tld2 @$ns5" 90	# 17 ns5 bl max-policy-ttl 90
+  drop a3-18.tld2 any				# 18 bl-drop
+  nxdomain TCP a3-19.tld2			# 19 bl-tcp-only
+  end_group
+  ckstats $ns3 test5 ns3 12
+  ckstats $ns5 test5 ns5 4
+
+  # check that miscellaneous bugs are still absent
+  start_group "crashes" test6
+  for Q in RRSIG SIG ANY 'ANY +dnssec'; do
+    nocrash a3-1.tld2 -t$Q
+    nocrash a3-2.tld2 -t$Q
+    nocrash a3-5.tld2 -t$Q
+    nocrash www.redirect -t$Q
+    nocrash www.credirect -t$Q
+  done
+
+  # This is not a bug, because any data leaked by writing 24.4.3.2.10.rpz-ip
+  # (or whatever) is available by publishing "foo A 10.2.3.4" and then
+  # resolving foo.
+  # nxdomain 32.3.2.1.127.rpz-ip
+  end_group
+  ckstats $ns3 bugs ns3 8
+
+  # superficial test for major performance bugs
+  QPERF=`sh qperf.sh`
+  if test -n "$QPERF"; then
+    perf () {
+	date "+${TS}checking performance $1" | cat_i
+	# Dry run to prime everything
+	comment "before dry run $1"
+	$RNDCCMD $ns5 notrace
+	$QPERF -c -1 -l30 -d ns5/requests -s $ns5 -p ${PORT} >/dev/null
+	comment "before real test $1"
+	PFILE="ns5/$2.perf"
+	$QPERF -c -1 -l30 -d ns5/requests -s $ns5 -p ${PORT} >$PFILE
+	comment "after test $1"
+	X=`sed -n -e 's/.*Returned *\([^ ]*:\) *\([0-9]*\) .*/\1\2/p' $PFILE \
+		| tr '\n' ' '`
+	if test "$X" != "$3"; then
+	    setret "wrong results '$X' in $PFILE"
+	fi
+	ckalive $ns5 "failed; server #5 crashed"
+    }
+    trim () {
+	sed -n -e 's/.*Queries per second: *\([0-9]*\).*/\1/p' ns5/$1.perf
+    }
+
+    # get qps with rpz
+    perf 'with RPZ' rpz 'NOERROR:2900 NXDOMAIN:100 '
+    RPZ=`trim rpz`
+    # turn off rpz and measure qps again
+    echo "# RPZ off" >ns5/rpz-switch
+    RNDCCMD_OUT=`$RNDCCMD $ns5 reload`
+    perf 'without RPZ' norpz 'NOERROR:3000 '
+    NORPZ=`trim norpz`
+
+    PERCENT=`expr \( "$RPZ" \* 100 + \( $NORPZ / 2 \) \) / $NORPZ`
+    echo_i "$RPZ qps with RPZ is $PERCENT% of $NORPZ qps without RPZ"
+
+    MIN_PERCENT=30
+    if test "$PERCENT" -lt $MIN_PERCENT; then
+	echo_i "$RPZ qps with rpz or $PERCENT% is below $MIN_PERCENT% of $NORPZ qps"
+    fi
+
+    if test "$PERCENT" -ge 100; then
+	echo_i "$RPZ qps with RPZ or $PERCENT% of $NORPZ qps without RPZ is too high"
+    fi
+
+    ckstats $ns5 performance ns5 200
+
+  else
+    echo_i "performance not checked; queryperf not available"
+  fi
+
+  if [ "$mode" = dnsrps ]; then
+    echo_i "checking that dnsrpzd is automatically restarted"
+    OLD_PID=`cat dnsrpzd.pid`
+    $KILL "$OLD_PID"
+    n=0
+    while true; do
+	NEW_PID=`cat dnsrpzd.pid 2>/dev/null`
+	if test -n "$NEW_PID" -a "0$OLD_PID" -ne "0$NEW_PID"; then
+	    #echo "OLD_PID=$OLD_PID  NEW_PID=$NEW_PID"
+	    break;
+	fi
+	$DIG -p ${PORT} +short +norecurse a0-1.tld2 @$ns3 >/dev/null
+	n=`expr $n + 1`
+	if test "$n" -gt $TEN_SECS; then
+	    setret "dnsrpzd did not restart"
+	    break
+	fi
+	$WAIT_CMD
+    done
+  fi
+
+  # Ensure ns3 manages to transfer the fast-expire zone before shutdown.
+  nextpartreset ns3/named.run
+  wait_for_log 20 "zone fast-expire/IN: transferred serial 1" ns3/named.run
+
+  # reconfigure the ns5 primary server without the fast-expire zone, so
+  # it can't be refreshed on ns3, and will expire in 5 seconds.
+  cat /dev/null > ns5/expire.conf
+  rndc_reconfig ns5 10.53.0.5
+
+  # restart the main test RPZ server to see if that creates a core file
+  if test -z "$HAVE_CORE"; then
+    stop_server --use-rndc --port ${CONTROLPORT} ns3
+    restart 3 "rebuild-bl-rpz"
+    HAVE_CORE=`find ns* -name '*core*' -print`
+    test -z "$HAVE_CORE" || setret "found $HAVE_CORE; memory leak?"
+  fi
+
+  # look for complaints from lib/dns/rpz.c and bin/name/query.c
+  for runfile in ns*/named.run; do
+    EMSGS=`nextpart $runfile | grep -E -l 'invalid rpz|rpz.*failed'`
+    if test -n "$EMSGS"; then
+      setret "error messages in $runfile starting with:"
+      grep -E 'invalid rpz|rpz.*failed' ns*/named.run | \
+              sed -e '10,$d' -e 's/^//' | cat_i
+    fi
+  done
+
+  if [ native = "$mode" ]; then
+    # restart the main test RPZ server with a bad zone.
+    t=`expr $t + 1`
+    echo_i "checking that ns3 with broken rpz does not crash (${t})"
+    stop_server --use-rndc --port ${CONTROLPORT} ns3
+    cp ns3/broken.db.in ns3/bl.db
+    restart 3 # do not rebuild rpz zones
+    nocrash a3-1.tld2 -tA
+    stop_server --use-rndc --port ${CONTROLPORT} ns3
+    restart 3 "rebuild-bl-rpz"
+
+    t=`expr $t + 1`
+    echo_i "checking if rpz survives a certain class of failed reconfiguration attempts (${t})"
+    sed -e "s/^#BAD//" < ns3/named.conf.in > ns3/named.conf.tmp
+    copy_setports ns3/named.conf.tmp ns3/named.conf
+    rm ns3/named.conf.tmp
+    $RNDCCMD $ns3 reconfig > /dev/null 2>&1 && setret "failed"
+    sleep 1
+    copy_setports ns3/named.conf.in ns3/named.conf
+    $RNDCCMD $ns3 reconfig || setret "failed"
+
+    # reload a RPZ zone that is now deliberately broken.
+    t=`expr $t + 1`
+    echo_i "checking rpz failed update will keep previous rpz rules (${t})"
+    $DIG -p ${PORT} @$ns3 walled.tld2 > dig.out.$t.before
+    grep "walled\.tld2\..*IN.*A.*10\.0\.0\.1" dig.out.$t.before > /dev/null || setret "failed"
+    cp ns3/broken.db.in ns3/manual-update-rpz.db
+    rndc_reload ns3 $ns3 manual-update-rpz
+    sleep 1
+    # ensure previous RPZ rules still apply.
+    $DIG -p ${PORT} @$ns3 walled.tld2 > dig.out.$t.after
+    grep "walled\.tld2\..*IN.*A.*10\.0\.0\.1" dig.out.$t.after > /dev/null || setret "failed"
+
+    t=`expr $t + 1`
+    echo_i "checking reload of a mixed-case RPZ zone (${t})"
+    # First, a sanity check: the A6-2.TLD2.mixed-case-rpz RPZ record should
+    # cause a6-2.tld2 NOERROR answers to be rewritten to NXDOMAIN answers.
+    $DIG -p ${PORT} @$ns3 a6-2.tld2. A > dig.out.$t.before
+    grep "status: NXDOMAIN" dig.out.$t.before >/dev/null || setret "failed"
+    # Add a sibling name (a6-1.tld2.mixed-case-rpz, with "tld2" in lowercase
+    # rather than uppercase) before A6-2.TLD.mixed-case-rpz.
+    nextpart ns3/named.run > /dev/null
+    cp ns3/mixed-case-rpz-2.db.in ns3/mixed-case-rpz.db
+    rndc_reload ns3 $ns3 mixed-case-rpz
+    wait_for_log 20 "rpz: mixed-case-rpz: reload done" ns3/named.run
+    # a6-2.tld2 NOERROR answers should still be rewritten to NXDOMAIN answers.
+    # (The bug we try to trigger here caused a6-2.tld2.mixed-case-rpz to be
+    # erroneously removed from the summary RPZ database after reload.)
+    $DIG -p ${PORT} @$ns3 a6-2.tld2. A > dig.out.$t.after
+    grep "status: NXDOMAIN" dig.out.$t.after >/dev/null || setret "failed"
+  fi
+
+  t=`expr $t + 1`
+  echo_i "checking that ttl values are not zeroed when qtype is '*' (${t})"
+  $DIG +noall +answer -p ${PORT} @$ns3 any a3-2.tld2 > dig.out.$t
+  ttl=`awk '/a3-2 tld2 text/ {print $2}' dig.out.$t`
+  if test ${ttl:=0} -eq 0; then setret "failed"; fi
+
+  t=`expr $t + 1`
+  echo_i "checking rpz updates/transfers with parent nodes added after children (${t})"
+  # regression test for RT #36272: the success condition
+  # is the secondary server not crashing.
+  for i in 1 2 3 4 5; do
+    nsd $ns5 add example.com.policy1. '*.example.com.policy1.'
+    nsd $ns5 delete example.com.policy1. '*.example.com.policy1.'
+  done
+  for i in 1 2 3 4 5; do
+    nsd $ns5 add '*.example.com.policy1.' example.com.policy1.
+    nsd $ns5 delete '*.example.com.policy1.' example.com.policy1.
+  done
+
+  t=`expr $t + 1`
+  echo_i "checking that going from an empty policy zone works (${t})"
+  nsd $ns5 add '*.x.servfail.policy2.' x.servfail.policy2.
+  sleep 1
+  rndc_reload ns7 $ns7 policy2
+  $DIG z.x.servfail -p ${PORT} @$ns7 > dig.out.${t}
+  grep NXDOMAIN dig.out.${t} > /dev/null || setret "failed"
+
+  t=`expr $t + 1`
+  echo_i "checking that "add-soa no" at rpz zone level works (${t})"
+  $DIG z.x.servfail -p ${PORT} @$ns7 > dig.out.${t}
+  grep SOA dig.out.${t} > /dev/null && setret "failed"
+
+  if [ native = "$mode" ]; then
+    t=`expr $t + 1`
+    echo_i "checking that "add-soa yes" at response-policy level works (${t})"
+    $DIG walled.tld2 -p ${PORT} +noall +add @$ns3 > dig.out.${t}
+    grep "^manual-update-rpz\..*SOA" dig.out.${t} > /dev/null || setret "failed"
+  fi
+
+  if [ native = "$mode" ]; then
+    t=`expr $t + 1`
+    echo_i "reconfiguring server with 'add-soa no' (${t})"
+    cp ns3/named.conf ns3/named.conf.tmp
+    sed -e "s/add-soa yes/add-soa no/g" < ns3/named.conf.tmp > ns3/named.conf
+    rndc_reconfig ns3 $ns3
+    echo_i "checking that 'add-soa no' at response-policy level works (${t})"
+    $DIG walled.tld2 -p ${PORT} +noall +add @$ns3 > dig.out.${t}
+    grep "^manual-update-rpz\..*SOA" dig.out.${t} > /dev/null && setret "failed"
+  fi
+
+  if [ native = "$mode" ]; then
+    t=`expr $t + 1`
+    echo_i "checking that 'add-soa unset' works (${t})"
+    $DIG walled.tld2 -p ${PORT} +noall +add @$ns8 > dig.out.${t}
+    grep "^manual-update-rpz\..*SOA" dig.out.${t} > /dev/null || setret "failed"
+  fi
+
+  # dnsrps does not allow NS RRs in policy zones, so this check
+  # with dnsrps results in no rewriting.
+  if [ native = "$mode" ]; then
+    t=`expr $t + 1`
+    echo_i "checking rpz with delegation fails correctly (${t})"
+    $DIG -p ${PORT} @$ns3 ns example.com > dig.out.$t
+    grep "status: SERVFAIL" dig.out.$t > /dev/null || setret "failed"
+
+    t=`expr $t + 1`
+    echo_i "checking policies from expired zone are no longer in effect ($t)"
+    $DIG -p ${PORT} @$ns3 a expired > dig.out.$t
+    grep "expired.*10.0.0.10" dig.out.$t > /dev/null && setret "failed"
+    grep "fast-expire/IN: response-policy zone expired" ns3/named.run > /dev/null || setret "failed"
+  fi
+
+  # RPZ 'CNAME *.' (NODATA) trumps DNS64.  Test against various DNS64 scenarios.
+  for label in a-only no-a-no-aaaa a-plus-aaaa
+  do
+    for type in AAAA A
+    do
+      t=`expr $t + 1`
+      case $label in
+      a-only)
+	echo_i "checking rpz 'CNAME *.' (NODATA) with dns64, $type lookup with A-only (${t})"
+	;;
+      no-a-no-aaaa)
+	echo_i "checking rpz 'CNAME *.' (NODATA) with dns64, $type lookup with no A or AAAA (${t})"
+	;;
+      a-plus-aaaa)
+	echo_i "checking rpz 'CNAME *.' (NODATA) with dns64, $type lookup with A and AAAA (${t})"
+	;;
+      esac
+      ret=0
+      $DIG ${label}.example -p ${PORT} $type @10.53.0.9 > dig.out.${t}
+      grep "status: NOERROR" dig.out.$t > /dev/null || ret=1
+      grep "ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2$" dig.out.$t > /dev/null || ret=1
+      grep "^rpz"  dig.out.$t > /dev/null || ret=1
+      [ $ret -eq 0 ] || echo_i "failed"
+      status=`expr $status + $ret`
+    done
+  done
+
+  if [ native = "$mode" ]; then
+    t=`expr $t + 1`
+    echo_i "checking that rewriting CD=1 queries handles pending data correctly (${t})"
+    $RNDCCMD $ns3 flush
+    $RNDCCMD $ns6 flush
+    $DIG a7-2.tld2s -p ${PORT} @$ns6 +cd > dig.out.${t}
+    grep -w "1.1.1.1" dig.out.${t} > /dev/null || setret "failed"
+  fi
+
+  [ $status -ne 0 ] && pf=fail || pf=pass
+  case $mode in
+  native)
+    native=$status
+    echo_i "status (native RPZ sub-test): $status ($pf)";;
+
+  dnsrps)
+    dnsrps=$status
+    echo_i "status (DNSRPS sub-test): $status ($pf)";;
+  *) echo_i "invalid test mode";;
+  esac
+done
+status=`expr ${native:-0} + ${dnsrps:-0}`
+
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/rpzrecurse/README b/bin/tests/system/rpzrecurse/README
new file mode 100644
index 0000000..5936e05
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/README
@@ -0,0 +1,124 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0.  If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+
+These tests check RPZ recursion behavior (including skipping
+recursion when appropriate).
+
+The general structure of the tests is:
+
+* The resolver (ns2) with an unqualified view containing the policy
+  zones, the response-policy statement, and a root hint zone
+
+* The auth server that contains two authoritative zones, l1.l0 and
+  l2.l1.l0, both delegated to itself. l2.l1.l0 specifies a non-existent
+  zone data file and so will generate SERVFAILs for any queries to it.
+
+The l2.l1.l0 zone was chosen to generate SERVFAIL responses because RPZ
+evaluation will use that error response whenever it encounters it during
+processing, thus making it a binary indicator for whether or not
+recursion was attempted.  This also allows us to not worry about having
+to craft 'ip', 'nsdname', and 'nsip' rules that matched the queries.
+
+Each test is intended to be fed a number of queries constructed as
+qXX.l2.l1.l0, where XX is the 1-based query sequence number (e.g. the
+first query of each test is q01.l2.l1.l0).
+
+For all the tests the triggers are constructed as follows:
+client-ip - match 127.0.0.1/32
+ip - match 255.255.255.255/32 (does not matter due to SERVFAIL)
+nsdname - match ns.example.org (also does not matter)
+nsip - match 255.255.255.255/32 (also does not matter)
+qname - match qXX.l2.l1.l0, where XX is the query sequence number that
+is intended to be matched by this qname rule.
+
+Here's the detail on the test cases:
+
+Group 1 - testing skipping recursion for a single policy zone with only
+records that allow recursion to be skipped
+
+Test 1a:
+    1 policy zone containing 1 'client-ip' trigger
+    1 query, expected to skip recursion
+
+Test 1b:
+    1 policy zone containing 1 'qname' trigger (q01)
+    2 queries, q01 is expected to skip recursion, q02 is expected to
+      recurse
+
+Test 1c:
+    1 policy zone containing both a 'client-ip' and 'qname' trigger (q02)
+    1 query, expected to skip recursion
+
+Group 2 - testing skipping recursion with multiple policy zones when all
+zones have only trigger types eligible to skip recursion with
+
+Test 2a:
+    32 policy zones, each containing 1 'qname' trigger (qNN, where NN is
+       the zone's sequence 1-based sequence number formatted to 2 digits,
+       so each of the first 32 queries should match a different zone)
+    33 queries, the first 32 of which are expected to skip recursion
+       while the 33rd is expected to recurse
+
+Group 3 - Testing interaction of triggers that require recursion when in
+a single zone, both alone and with triggers that allow recursion to be
+skipped
+
+Test 3a:
+    1 policy zone containing 1 'ip' trigger
+    1 query, expected to recurse
+
+Test 3b:
+    1 policy zone containing 1 'nsdname' trigger
+    1 query, expected to recurse
+
+Test 3c:
+    1 policy zone containing 1 'nsip' trigger
+    1 query, expected to recurse
+
+Test 3d:
+    1 policy zone containing 1 'ip' trigger and 1 'qname' trigger (q02)
+    2 queries, the first should not recurse and the second should recurse
+
+Test 3e:
+    1 policy zone containing 1 'nsdname' trigger and 1 'qname' trigger
+      (q02)
+    2 queries, the first should not recurse and the second should recurse
+
+Test 3f:
+    1 policy zone containing 1 'nsip' trigger and 1 'qname' trigger (q02)
+    2 queries, the first should not recurse and the second should recurse
+
+Group 4 - contains 32 subtests designed to verify that recursion is
+skippable for only the appropriate zones based on the order specified in
+the 'response-policy' statement
+
+Tests 4aa to 4bf:
+    32 policy zones per test, one of which is configured with 1 'ip'
+       trigger and one 'qname' trigger while the others are configured
+       only with 1 'qname' trigger.  The zone with both triggers starts
+       listed first and is moved backwards by one position with each
+       test.  The 'qname' triggers in the zones are structured so that
+       the zones are tested starting with the first zone and the 'ip'
+       trigger is tested before the 'qname' trigger for that zone.
+    33 queries per test, where the number expected to skip recursion
+       matches the test sequence number: e.g. 1 skip for 4aa, 26 skips
+       for 4az, and 32 skips for 4bf
+
+Group 5 - This test verifies that the "pivot" policy zone for whether or
+not recursion can be skipped is the first listed zone with applicable
+trigger types rather than a later listed zone.
+
+Test 5a:
+    5 policy zones, the 1st, 3rd, and 5th configured with 1 'qname'
+      trigger each (q01, q04, and q06, respectively), the 2nd and 4th
+      each configured with an 'ip' and 'qname' trigger (q02 and q05,
+      respectively for the 'qname' triggers
+    6 queries, of which only q01 and q02 are expected to skip recursion
diff --git a/bin/tests/system/rpzrecurse/ans5/ans.pl b/bin/tests/system/rpzrecurse/ans5/ans.pl
new file mode 100644
index 0000000..9c5efb3
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ans5/ans.pl
@@ -0,0 +1,81 @@
+#!/usr/bin/perl -w
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+use IO::File;
+use IO::Socket;
+use Net::DNS;
+use Net::DNS::Packet;
+
+my $localport = int($ENV{'PORT'});
+if (!$localport) { $localport = 5300; }
+
+my $sock = IO::Socket::INET->new(LocalAddr => "10.53.0.5",
+   LocalPort => $localport, Proto => "udp") or die "$!";
+
+my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
+print $pidf "$$\n" or die "cannot write pid file: $!";
+$pidf->close or die "cannot close pid file: $!";
+sub rmpid { unlink "ans.pid"; exit 1; };
+
+$SIG{INT} = \&rmpid;
+$SIG{TERM} = \&rmpid;
+
+for (;;) {
+	$sock->recv($buf, 512);
+
+	print "**** request from " , $sock->peerhost, " port ", $sock->peerport, "\n";
+
+	my $packet;
+
+	if ($Net::DNS::VERSION > 0.68) {
+		$packet = new Net::DNS::Packet(\$buf, 0);
+		$@ and die $@;
+	} else {
+		my $err;
+		($packet, $err) = new Net::DNS::Packet(\$buf, 0);
+		$err and die $err;
+	}
+
+	print "REQUEST:\n";
+	$packet->print;
+
+	$packet->header->qr(1);
+
+	my @questions = $packet->question;
+	my $qname = $questions[0]->qname;
+	my $qtype = $questions[0]->qtype;
+
+	my $donotrespond = 0;
+
+	$packet->header->aa(1);
+	if ($qtype eq "A") {
+		$packet->push("answer",
+			      new Net::DNS::RR($qname .
+					       " 300 A 10.53.0.5"));
+	#} elsif ($qtype eq "AAAA") {
+		#$packet->push("answer",
+			      #new Net::DNS::RR($qname .
+					#" 300 AAAA 2001:db8:beef::1"));
+	} elsif ($qtype eq "NS") {
+		$donotrespond = 1;
+	}
+
+	if ($donotrespond == 0) {
+		$sock->send($packet->data);
+		print "RESPONSE:\n";
+		$packet->print;
+		print "\n";
+	} else {
+		print "DROP:\n";
+	}
+}
diff --git a/bin/tests/system/rpzrecurse/clean.sh b/bin/tests/system/rpzrecurse/clean.sh
new file mode 100644
index 0000000..7b1a8a9
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/clean.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# Clean up after rpz tests.
+
+rm -f dig.out.*
+
+rm -f ns*/named.lock
+rm -f ns*/named.memstats
+rm -f ns*/*.run
+rm -f ns*/*core *core
+rm -f ns*/named.conf
+
+rm -f ns2/*.local
+rm -f ns2/*.queries
+rm -f ns2/named.[0-9]*.conf
+rm -f ns2/named.conf.header
+
+rm -f ns3/named2.conf
+rm -f ns3/named.run.prev
+
+rm -f dnsrps*.conf dnsrpzd*
+rm -f ns*/session.key
+rm -f ns*/managed-keys.bind* ns*/*.mkeys*
diff --git a/bin/tests/system/rpzrecurse/ns1/db.l0 b/bin/tests/system/rpzrecurse/ns1/db.l0
new file mode 100644
index 0000000..e6077fc
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns1/db.l0
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 60
+@ IN SOA root.ns ns 1996072700 3600 1800 86400 60
+     NS ns
+ns A 10.53.0.1
+l1 NS ns.l1
+ns.l1 A 10.53.0.1
diff --git a/bin/tests/system/rpzrecurse/ns1/db.l1.l0 b/bin/tests/system/rpzrecurse/ns1/db.l1.l0
new file mode 100644
index 0000000..f51d5f7
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns1/db.l1.l0
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 60
+@ IN SOA root.ns ns 1996072700 3600 1800 86400 60
+     NS ns
+ns A 10.53.0.1
+l2 NS ns.l2
+ns.l2 A 10.53.0.1
diff --git a/bin/tests/system/rpzrecurse/ns1/example.com.db b/bin/tests/system/rpzrecurse/ns1/example.com.db
new file mode 100644
index 0000000..3bd11ec
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns1/example.com.db
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@ IN SOA ns.example.com. root.example.com. 1 3600 3600 3600 3600
+@    NS	 ns.example.com.
+
+ns.example.com.     A   10.53.0.1
+@                   A   1.2.3.4
+www                 A   1.2.3.5
diff --git a/bin/tests/system/rpzrecurse/ns1/example.db b/bin/tests/system/rpzrecurse/ns1/example.db
new file mode 100644
index 0000000..0e71776
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns1/example.db
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@ IN SOA root.example. example. 1 3600 3600 3600 3600
+@ IN NS ns.example.
+www IN CNAME cname
+cname IN A 10.53.0.1
diff --git a/bin/tests/system/rpzrecurse/ns1/named.conf.in b/bin/tests/system/rpzrecurse/ns1/named.conf.in
new file mode 100644
index 0000000..f1e4c5c
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns1/named.conf.in
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	session-keyfile "session.key";
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+	querylog yes;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type master;
+	file "root.db";
+};
+
+zone "test.example.org" {
+	type master;
+	file "example.db";
+};
+
+zone "l0" {
+	type master;
+	file "db.l0";
+};
+
+zone "l1.l0" {
+	type master;
+	file "db.l1.l0";
+};
+
+zone "l2.l1.l0" {
+	type master;
+	file "does-not-exist";
+};
+
+zone "test1.example.net" {
+	type master;
+	file "test1.example.net.db";
+};
+
+zone "test2.example.net" {
+	type master;
+	file "test2.example.net.db";
+};
+
+zone "example.com" {
+	type master;
+	file "example.com.db";
+};
diff --git a/bin/tests/system/rpzrecurse/ns1/root.db b/bin/tests/system/rpzrecurse/ns1/root.db
new file mode 100644
index 0000000..51be203
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns1/root.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ 			IN SOA	muks.isc.org. a.root.servers.nil. (
+				2010   	        ; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+@			NS	ns.example.
+ns.example.             A       10.53.0.1
+
+l0.			NS	ns.l0.
+ns.l0.			A	10.53.0.1
diff --git a/bin/tests/system/rpzrecurse/ns1/test1.example.net.db b/bin/tests/system/rpzrecurse/ns1/test1.example.net.db
new file mode 100644
index 0000000..66ca007
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns1/test1.example.net.db
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@ IN SOA root.example. example. 1 3600 3600 3600 3600
+@			NS	ns.example.
+ns.example.             A       10.53.0.1
+test1.example.net.	A	1.2.3.4
+www.test1.example.net.	A	5.6.7.8
diff --git a/bin/tests/system/rpzrecurse/ns1/test2.example.net.db b/bin/tests/system/rpzrecurse/ns1/test2.example.net.db
new file mode 100644
index 0000000..57db115
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns1/test2.example.net.db
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@ IN SOA root.example. example. 1 3600 3600 3600 3600
+@			NS	ns.example.
+ns.example.             A       10.53.0.1
+test2.example.net.	A	8.7.6.5
+www.test2.example.net.	A	4.3.2.1
diff --git a/bin/tests/system/rpzrecurse/ns2/db.clientip1 b/bin/tests/system/rpzrecurse/ns2/db.clientip1
new file mode 100644
index 0000000..f0d53d2
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns2/db.clientip1
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 60
+@ IN SOA root.ns ns 1996072700 3600 1800 86400 60
+     NS ns
+ns A 127.0.0.1
+32.4.0.53.10.rpz-client-ip A 10.53.0.2
+24.0.0.53.10.rpz-client-ip A 10.53.0.1
diff --git a/bin/tests/system/rpzrecurse/ns2/db.clientip2 b/bin/tests/system/rpzrecurse/ns2/db.clientip2
new file mode 100644
index 0000000..dfcc341
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns2/db.clientip2
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 60
+@ IN SOA root.ns ns 1996072700 3600 1800 86400 60
+     NS ns
+ns A 127.0.0.1
+24.0.0.53.10.rpz-client-ip A 10.53.0.3
diff --git a/bin/tests/system/rpzrecurse/ns2/db.clientip21 b/bin/tests/system/rpzrecurse/ns2/db.clientip21
new file mode 100644
index 0000000..4ce2af1
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns2/db.clientip21
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 60
+@ IN SOA root.ns ns 1996072700 3600 1800 86400 60
+     NS ns
+ns A 127.0.0.1
+32.3.0.53.10.rpz-client-ip A 10.53.0.1
+31.2.0.53.10.rpz-client-ip CNAME .
diff --git a/bin/tests/system/rpzrecurse/ns2/db.given b/bin/tests/system/rpzrecurse/ns2/db.given
new file mode 100644
index 0000000..d464a53
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns2/db.given
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN given.zone.
+$TTL 3600
+@               IN SOA ns.given.zone.  hostmaster.given.zone. 1 600 300 604800 3600
+                IN NS  ns.given.zone.
+
+ns.given.zone. IN A 127.0.0.1
+; this should be ignored as it matches an earlier passthru entry.
+example.com CNAME .
+; this should be ignored as it matches an earlier wildcard passthru entry.
+www.example.com CNAME .
diff --git a/bin/tests/system/rpzrecurse/ns2/db.invalidprefixlength b/bin/tests/system/rpzrecurse/ns2/db.invalidprefixlength
new file mode 100644
index 0000000..f496670
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns2/db.invalidprefixlength
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 60
+@ IN SOA root.ns ns 1996072700 3600 1800 86400 60
+     NS ns
+ns A 127.0.0.1
+1000.4.0.53.10.rpz-client-ip A 10.53.0.1
diff --git a/bin/tests/system/rpzrecurse/ns2/db.log1 b/bin/tests/system/rpzrecurse/ns2/db.log1
new file mode 100644
index 0000000..495885b
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns2/db.log1
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 60
+@ IN SOA root.ns ns 1996072700 3600 1800 86400 60
+     NS ns
+ns A 127.0.0.1
+32.4.0.53.10.rpz-client-ip A 10.53.0.4
diff --git a/bin/tests/system/rpzrecurse/ns2/db.log2 b/bin/tests/system/rpzrecurse/ns2/db.log2
new file mode 100644
index 0000000..91ff8c5
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns2/db.log2
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 60
+@ IN SOA root.ns ns 1996072700 3600 1800 86400 60
+     NS ns
+ns A 127.0.0.1
+32.4.0.53.10.rpz-client-ip A 10.53.0.4
+32.3.0.53.10.rpz-client-ip A 10.53.0.3
diff --git a/bin/tests/system/rpzrecurse/ns2/db.log3 b/bin/tests/system/rpzrecurse/ns2/db.log3
new file mode 100644
index 0000000..65ed980
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns2/db.log3
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 60
+@ IN SOA root.ns ns 1996072700 3600 1800 86400 60
+     NS ns
+ns A 127.0.0.1
+32.4.0.53.10.rpz-client-ip A 10.53.0.4
+32.3.0.53.10.rpz-client-ip A 10.53.0.3
+32.2.0.53.10.rpz-client-ip A 10.53.0.2
diff --git a/bin/tests/system/rpzrecurse/ns2/db.passthru b/bin/tests/system/rpzrecurse/ns2/db.passthru
new file mode 100644
index 0000000..eac3533
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns2/db.passthru
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN passthru.zone.
+$TTL 3600
+@               IN SOA ns.passthru.zone.  hostmaster.passthru.zone. 1 600 300 604800 3600
+                IN NS  ns.passthru.zone.
+
+ns.passthru.zone. IN A 127.0.0.1
+
+example.com         CNAME rpz-passthru.
+*.example.com       CNAME rpz-passthru.
diff --git a/bin/tests/system/rpzrecurse/ns2/db.wildcard1 b/bin/tests/system/rpzrecurse/ns2/db.wildcard1
new file mode 100644
index 0000000..3e5c78f
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns2/db.wildcard1
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 60
+@ IN SOA root.ns ns 1996072700 3600 1800 86400 60
+     NS ns
+ns A 127.0.0.1
+*.test1.example.net CNAME .
+test1.example.net CNAME .
diff --git a/bin/tests/system/rpzrecurse/ns2/db.wildcard2a b/bin/tests/system/rpzrecurse/ns2/db.wildcard2a
new file mode 100644
index 0000000..3e5c78f
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns2/db.wildcard2a
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 60
+@ IN SOA root.ns ns 1996072700 3600 1800 86400 60
+     NS ns
+ns A 127.0.0.1
+*.test1.example.net CNAME .
+test1.example.net CNAME .
diff --git a/bin/tests/system/rpzrecurse/ns2/db.wildcard2b b/bin/tests/system/rpzrecurse/ns2/db.wildcard2b
new file mode 100644
index 0000000..f8e6123
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns2/db.wildcard2b
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 60
+@ IN SOA root.ns ns 1996072700 3600 1800 86400 60
+     NS ns
+ns A 127.0.0.1
+*.test2.example.net CNAME .
+test2.example.net CNAME .
diff --git a/bin/tests/system/rpzrecurse/ns2/db.wildcard3 b/bin/tests/system/rpzrecurse/ns2/db.wildcard3
new file mode 100644
index 0000000..5354c04
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns2/db.wildcard3
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 60
+@ IN SOA root.ns ns 1996072700 3600 1800 86400 60
+     NS ns
+ns A 127.0.0.1
+*.test1.example.net CNAME .
diff --git a/bin/tests/system/rpzrecurse/ns2/named.clientip.conf b/bin/tests/system/rpzrecurse/ns2/named.clientip.conf
new file mode 100644
index 0000000..8df90a3
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns2/named.clientip.conf
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# common configuration
+include "named.conf.header";
+
+view "recursive" {
+    zone "." {
+	type hint;
+	file "root.hint";
+    };
+
+    # policy configuration to be tested
+    response-policy {
+	zone "clientip1";
+	zone "clientip2";
+    } qname-wait-recurse no
+	nsdname-enable yes
+	nsip-enable yes;
+
+    # policy zones to be tested
+    zone "clientip1" { type master; file "db.clientip1"; };
+    zone "clientip2" { type master; file "db.clientip2"; };
+
+    recursion yes;
+    dnssec-validation yes;
+};
diff --git a/bin/tests/system/rpzrecurse/ns2/named.clientip2.conf b/bin/tests/system/rpzrecurse/ns2/named.clientip2.conf
new file mode 100644
index 0000000..8c15909
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns2/named.clientip2.conf
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# common configuration
+include "named.conf.header";
+
+view "recursive" {
+    zone "." {
+	type hint;
+	file "root.hint";
+    };
+
+    servfail-ttl 0;
+
+    # policy configuration to be tested
+    response-policy {
+	zone "clientip21";
+    } qname-wait-recurse no
+	nsdname-enable yes
+	nsip-enable yes;
+
+    # policy zones to be tested
+    zone "clientip21" { type master; file "db.clientip21"; };
+
+    recursion yes;
+    dnssec-validation yes;
+};
diff --git a/bin/tests/system/rpzrecurse/ns2/named.conf.header.in b/bin/tests/system/rpzrecurse/ns2/named.conf.header.in
new file mode 100644
index 0000000..77c3c6a
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns2/named.conf.header.in
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	session-keyfile "session.key";
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	querylog yes;
+
+	# let ns3 start dnsrpzd
+	include "../dnsrps-slave.conf";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
diff --git a/bin/tests/system/rpzrecurse/ns2/named.default.conf b/bin/tests/system/rpzrecurse/ns2/named.default.conf
new file mode 100644
index 0000000..929b88f
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns2/named.default.conf
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# common configuration
+include "named.conf.header";
+
+view "recursive" {
+    zone "." {
+	type hint;
+	file "root.hint";
+    };
+
+    recursion yes;
+    dnssec-validation yes;
+};
diff --git a/bin/tests/system/rpzrecurse/ns2/named.invalidprefixlength.conf b/bin/tests/system/rpzrecurse/ns2/named.invalidprefixlength.conf
new file mode 100644
index 0000000..c7dad28
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns2/named.invalidprefixlength.conf
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# common configuration
+include "named.conf.header";
+
+view "recursive" {
+    zone "." {
+	type hint;
+	file "root.hint";
+    };
+
+    # policy configuration to be tested
+    response-policy {
+	zone "invalidprefixlength";
+    };
+
+    # policy zones to be tested
+    zone "invalidprefixlength" { type master; file "db.invalidprefixlength"; };
+};
diff --git a/bin/tests/system/rpzrecurse/ns2/named.log.conf b/bin/tests/system/rpzrecurse/ns2/named.log.conf
new file mode 100644
index 0000000..c3b4df6
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns2/named.log.conf
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# common configuration
+include "named.conf.header";
+
+view "recursive" {
+    zone "." {
+	type hint;
+	file "root.hint";
+    };
+
+    # policy configuration to be tested
+    response-policy {
+	zone "log1" log no;
+	zone "log2" log yes;
+	zone "log3"; # missing log clause
+    } qname-wait-recurse no
+	nsdname-enable yes
+	nsip-enable yes;
+
+    # policy zones to be tested
+    zone "log1" { type master; file "db.log1"; };
+    zone "log2" { type master; file "db.log2"; };
+    zone "log3" { type master; file "db.log3"; };
+
+    recursion yes;
+    dnssec-validation yes;
+};
diff --git a/bin/tests/system/rpzrecurse/ns2/named.max.conf b/bin/tests/system/rpzrecurse/ns2/named.max.conf
new file mode 100644
index 0000000..5b9f8a2
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns2/named.max.conf
@@ -0,0 +1,161 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# common configuration
+include "named.conf.header";
+
+view "recursive" {
+    zone "." {
+	type hint;
+	file "root.hint";
+    };
+
+    # policy configuration to be tested
+    response-policy {
+	zone "max1";
+	zone "max2";
+	zone "max3";
+	zone "max4";
+	zone "max5";
+	zone "max6";
+	zone "max7";
+	zone "max8";
+	zone "max9";
+	zone "max10";
+	zone "max11";
+	zone "max12";
+	zone "max13";
+	zone "max14";
+	zone "max15";
+	zone "max16";
+	zone "max17";
+	zone "max18";
+	zone "max19";
+	zone "max20";
+	zone "max21";
+	zone "max22";
+	zone "max23";
+	zone "max24";
+	zone "max25";
+	zone "max26";
+	zone "max27";
+	zone "max28";
+	zone "max29";
+	zone "max30";
+	zone "max31";
+	zone "max32";
+	zone "max33";
+	zone "max34";
+	zone "max35";
+	zone "max36";
+	zone "max37";
+	zone "max38";
+	zone "max39";
+	zone "max40";
+	zone "max41";
+	zone "max42";
+	zone "max43";
+	zone "max44";
+	zone "max45";
+	zone "max46";
+	zone "max47";
+	zone "max48";
+	zone "max49";
+	zone "max50";
+	zone "max51";
+	zone "max52";
+	zone "max53";
+	zone "max54";
+	zone "max55";
+	zone "max56";
+	zone "max57";
+	zone "max58";
+	zone "max59";
+	zone "max60";
+	zone "max61";
+	zone "max62";
+	zone "max63";
+	zone "max64";
+    } qname-wait-recurse no
+	nsdname-enable yes
+	nsip-enable yes;
+
+    # policy zones to be tested
+    zone "max1" { type master; file "db.max1.local"; };
+    zone "max2" { type master; file "db.max2.local"; };
+    zone "max3" { type master; file "db.max3.local"; };
+    zone "max4" { type master; file "db.max4.local"; };
+    zone "max5" { type master; file "db.max5.local"; };
+    zone "max6" { type master; file "db.max6.local"; };
+    zone "max7" { type master; file "db.max7.local"; };
+    zone "max8" { type master; file "db.max8.local"; };
+    zone "max9" { type master; file "db.max9.local"; };
+    zone "max10" { type master; file "db.max10.local"; };
+    zone "max11" { type master; file "db.max11.local"; };
+    zone "max12" { type master; file "db.max12.local"; };
+    zone "max13" { type master; file "db.max13.local"; };
+    zone "max14" { type master; file "db.max14.local"; };
+    zone "max15" { type master; file "db.max15.local"; };
+    zone "max16" { type master; file "db.max16.local"; };
+    zone "max17" { type master; file "db.max17.local"; };
+    zone "max18" { type master; file "db.max18.local"; };
+    zone "max19" { type master; file "db.max19.local"; };
+    zone "max20" { type master; file "db.max20.local"; };
+    zone "max21" { type master; file "db.max21.local"; };
+    zone "max22" { type master; file "db.max22.local"; };
+    zone "max23" { type master; file "db.max23.local"; };
+    zone "max24" { type master; file "db.max24.local"; };
+    zone "max25" { type master; file "db.max25.local"; };
+    zone "max26" { type master; file "db.max26.local"; };
+    zone "max27" { type master; file "db.max27.local"; };
+    zone "max28" { type master; file "db.max28.local"; };
+    zone "max29" { type master; file "db.max29.local"; };
+    zone "max30" { type master; file "db.max30.local"; };
+    zone "max31" { type master; file "db.max31.local"; };
+    zone "max32" { type master; file "db.max32.local"; };
+    zone "max33" { type master; file "db.max33.local"; };
+    zone "max34" { type master; file "db.max34.local"; };
+    zone "max35" { type master; file "db.max35.local"; };
+    zone "max36" { type master; file "db.max36.local"; };
+    zone "max37" { type master; file "db.max37.local"; };
+    zone "max38" { type master; file "db.max38.local"; };
+    zone "max39" { type master; file "db.max39.local"; };
+    zone "max40" { type master; file "db.max40.local"; };
+    zone "max41" { type master; file "db.max41.local"; };
+    zone "max42" { type master; file "db.max42.local"; };
+    zone "max43" { type master; file "db.max43.local"; };
+    zone "max44" { type master; file "db.max44.local"; };
+    zone "max45" { type master; file "db.max45.local"; };
+    zone "max46" { type master; file "db.max46.local"; };
+    zone "max47" { type master; file "db.max47.local"; };
+    zone "max48" { type master; file "db.max48.local"; };
+    zone "max49" { type master; file "db.max49.local"; };
+    zone "max50" { type master; file "db.max50.local"; };
+    zone "max51" { type master; file "db.max51.local"; };
+    zone "max52" { type master; file "db.max52.local"; };
+    zone "max53" { type master; file "db.max53.local"; };
+    zone "max54" { type master; file "db.max54.local"; };
+    zone "max55" { type master; file "db.max55.local"; };
+    zone "max56" { type master; file "db.max56.local"; };
+    zone "max57" { type master; file "db.max57.local"; };
+    zone "max58" { type master; file "db.max58.local"; };
+    zone "max59" { type master; file "db.max59.local"; };
+    zone "max60" { type master; file "db.max60.local"; };
+    zone "max61" { type master; file "db.max61.local"; };
+    zone "max62" { type master; file "db.max62.local"; };
+    zone "max63" { type master; file "db.max63.local"; };
+    zone "max64" { type master; file "db.max64.local"; };
+
+    recursion yes;
+    dnssec-validation yes;
+};
diff --git a/bin/tests/system/rpzrecurse/ns2/named.wildcard1.conf b/bin/tests/system/rpzrecurse/ns2/named.wildcard1.conf
new file mode 100644
index 0000000..f9e205d
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns2/named.wildcard1.conf
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# common configuration
+include "named.conf.header";
+
+view "recursive" {
+    zone "." {
+	type hint;
+	file "root.hint";
+    };
+
+    # policy configuration to be tested
+    response-policy {
+	zone "wildcard1" policy NXDOMAIN;
+    } qname-wait-recurse yes
+	nsdname-enable yes
+	nsip-enable yes;
+
+    # policy zones to be tested
+    zone "wildcard1" { type master; file "db.wildcard1"; };
+
+    recursion yes;
+    dnssec-validation yes;
+};
diff --git a/bin/tests/system/rpzrecurse/ns2/named.wildcard2.conf b/bin/tests/system/rpzrecurse/ns2/named.wildcard2.conf
new file mode 100644
index 0000000..31d05c6
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns2/named.wildcard2.conf
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# common configuration
+include "named.conf.header";
+
+view "recursive" {
+    zone "." {
+	type hint;
+	file "root.hint";
+    };
+
+    # policy configuration to be tested
+    response-policy {
+	zone "wildcard2a" policy NXDOMAIN;
+	zone "wildcard2b" policy NXDOMAIN;
+    } qname-wait-recurse yes
+	nsdname-enable yes
+	nsip-enable yes;
+
+    # policy zones to be tested
+    zone "wildcard2a" { type master; file "db.wildcard2a"; };
+    zone "wildcard2b" { type master; file "db.wildcard2b"; };
+
+    recursion yes;
+    dnssec-validation yes;
+};
diff --git a/bin/tests/system/rpzrecurse/ns2/named.wildcard3.conf b/bin/tests/system/rpzrecurse/ns2/named.wildcard3.conf
new file mode 100644
index 0000000..7164d70
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns2/named.wildcard3.conf
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# common configuration
+include "named.conf.header";
+
+view "recursive" {
+    zone "." {
+	type hint;
+	file "root.hint";
+    };
+
+    # policy configuration to be tested
+    response-policy {
+	zone "wildcard3" policy NXDOMAIN;
+    } qname-wait-recurse yes
+	nsdname-enable yes
+	nsip-enable yes;
+
+    # policy zones to be tested
+    zone "wildcard3" { type master; file "db.wildcard3"; };
+
+    recursion yes;
+    dnssec-validation yes;
+};
diff --git a/bin/tests/system/rpzrecurse/ns2/named.wildcard4.conf b/bin/tests/system/rpzrecurse/ns2/named.wildcard4.conf
new file mode 100644
index 0000000..b6a76d0
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns2/named.wildcard4.conf
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# common configuration
+include "named.conf.header";
+
+view "recursive" {
+	# policy configuration to be tested
+	response-policy {
+		zone "passthru.zone" policy passthru;
+		zone "given.zone" policy given;
+	} qname-wait-recurse yes
+	nsdname-enable yes
+	nsip-enable yes;
+
+	# policy zones to be tested
+	zone "passthru.zone" { type master; file "db.passthru"; };
+	zone "given.zone" { type master; file "db.given"; };
+
+	zone "." {
+		type hint;
+		file "root.hint";
+	};
+
+	recursion yes;
+	dnssec-validation yes;
+};
diff --git a/bin/tests/system/rpzrecurse/ns2/root.hint b/bin/tests/system/rpzrecurse/ns2/root.hint
new file mode 100644
index 0000000..ced47f3
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns2/root.hint
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 999999
+.			IN NS	ns.example.
+ns.example.		IN A	10.53.0.1
diff --git a/bin/tests/system/rpzrecurse/ns3/example.db b/bin/tests/system/rpzrecurse/ns3/example.db
new file mode 100644
index 0000000..201a174
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns3/example.db
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 0
+@			SOA	. . 0 0 0 0 0
+@			NS	ns
+ns			A	10.53.0.3
+child			NS	ns.child
+ns.child		A	10.53.0.4
diff --git a/bin/tests/system/rpzrecurse/ns3/named1.conf.in b/bin/tests/system/rpzrecurse/ns3/named1.conf.in
new file mode 100644
index 0000000..1a56066
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns3/named1.conf.in
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	session-keyfile "session.key";
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	response-policy { zone "policy"; }
+		qname-wait-recurse yes
+		nsip-enable yes
+		nsdname-enable yes;
+
+	include "../dnsrps.conf";
+};
+
+zone "policy" { type master; file "policy.db"; };
+
+zone "example.tld" { type master; file "example.db"; };
+
+zone "." { type master; file "root.db"; };
diff --git a/bin/tests/system/rpzrecurse/ns3/named2.conf.in b/bin/tests/system/rpzrecurse/ns3/named2.conf.in
new file mode 100644
index 0000000..b5370bf
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns3/named2.conf.in
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	response-policy { zone "policy"; } nsip-wait-recurse no
+		qname-wait-recurse yes
+		nsip-enable yes
+		nsdname-enable yes;
+
+	include "../dnsrps.conf";
+};
+
+zone "policy" { type master; file "policy.db"; };
+
+zone "example.tld" { type master; file "example.db"; };
+
+zone "." { type master; file "root.db"; };
diff --git a/bin/tests/system/rpzrecurse/ns3/policy.db b/bin/tests/system/rpzrecurse/ns3/policy.db
new file mode 100644
index 0000000..526d75c
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns3/policy.db
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 0
+@			SOA	. . 0 0 0 0 0
+@			NS	.
+32.100.0.53.10.rpz-nsip	CNAME	.
diff --git a/bin/tests/system/rpzrecurse/ns3/root.db b/bin/tests/system/rpzrecurse/ns3/root.db
new file mode 100644
index 0000000..665953d
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns3/root.db
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 0
+@			SOA	. . 0 0 0 0 0
+@			NS	ns
+ns			A	10.53.0.3
+foo			NS	foo.ns5
+ns5.foo			A	10.53.0.5
diff --git a/bin/tests/system/rpzrecurse/ns4/child.example.db b/bin/tests/system/rpzrecurse/ns4/child.example.db
new file mode 100644
index 0000000..47a90fb
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns4/child.example.db
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 0
+@			SOA	. . 0 0 0 0 0
+@			NS	ns
+ns			A	10.53.0.4
+foo			NS	ns.foo
+foo			NS	ns.foo.
+ns.foo			A	10.53.0.5
diff --git a/bin/tests/system/rpzrecurse/ns4/named.conf.in b/bin/tests/system/rpzrecurse/ns4/named.conf.in
new file mode 100644
index 0000000..372f5ad
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns4/named.conf.in
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port @PORT@;
+	session-keyfile "session.key";
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "child.example.tld" { type master; file "child.example.db"; };
diff --git a/bin/tests/system/rpzrecurse/prereq.sh b/bin/tests/system/rpzrecurse/prereq.sh
new file mode 100644
index 0000000..b30cb41
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/prereq.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if $PERL -e 'use Net::DNS;' 2>/dev/null
+then
+    :
+else
+    echo_i "This test requires the Net::DNS library." >&2
+    exit 1
+fi
+
+exit 0
diff --git a/bin/tests/system/rpzrecurse/setup.sh b/bin/tests/system/rpzrecurse/setup.sh
new file mode 100644
index 0000000..7c15414
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/setup.sh
@@ -0,0 +1,89 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# touch dnsrps-off to not test with DNSRPS
+
+set -e
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+USAGE="$0: [-DNx]"
+DEBUG=
+while getopts "DNx" c; do
+    case $c in
+	x) set -x; DEBUG=-x;;
+        D) TEST_DNSRPS="-D";;
+	N) NOCLEAN=set;;
+	*) echo "$USAGE" 1>&2; exit 1;;
+    esac
+done
+shift `expr $OPTIND - 1 || true`
+if test "$#" -ne 0; then
+    echo "$USAGE" 1>&2
+    exit 1
+fi
+
+[ ${NOCLEAN:-unset} = unset ] && $SHELL clean.sh $DEBUG
+
+$PERL testgen.pl
+
+copy_setports ns1/named.conf.in ns1/named.conf
+
+copy_setports ns2/named.conf.header.in ns2/named.conf.header
+copy_setports ns2/named.default.conf ns2/named.conf
+
+copy_setports ns3/named1.conf.in ns3/named.conf
+copy_setports ns3/named2.conf.in ns3/named2.conf
+
+copy_setports ns4/named.conf.in ns4/named.conf
+
+# setup policy zones for a 64-zone test
+i=1
+while test $i -le 64
+do
+    echo "\$TTL 60" > ns2/db.max$i.local
+    echo "@ IN SOA root.ns ns 1996072700 3600 1800 86400 60" >> ns2/db.max$i.local
+    echo "     NS ns" >> ns2/db.max$i.local
+    echo "ns   A 127.0.0.1" >> ns2/db.max$i.local
+
+    j=1
+    while test $j -le $i
+    do
+	echo "name$j A 10.53.0.$i" >> ns2/db.max$i.local
+	j=`expr $j + 1`
+    done
+    i=`expr $i + 1`
+done
+
+# decide whether to test DNSRPS
+$SHELL ../ckdnsrps.sh $TEST_DNSRPS $DEBUG
+test -z "`grep 'dnsrps-enable yes' dnsrps.conf`" && TEST_DNSRPS=
+
+CWD=`pwd`
+cat <<EOF >dnsrpzd.conf
+PID-FILE $CWD/dnsrpzd.pid;
+
+include $CWD/dnsrpzd-license-cur.conf
+
+zone "policy" { type master; file "`pwd`/ns3/policy.db"; };
+EOF
+sed -n -e 's/^ *//' -e "/zone.*.*master/s@file \"@&$CWD/ns2/@p" ns2/*.conf \
+    >>dnsrpzd.conf
+
+# Run dnsrpzd to get the license and prime the static policy zones
+if test -n "$TEST_DNSRPS"; then
+    DNSRPZD="`../rpz/dnsrps -p`"
+    "$DNSRPZD" -D./dnsrpzd.rpzf -S./dnsrpzd.sock -C./dnsrpzd.conf \
+		-w 0 -dddd -L stdout >./dnsrpzd.run 2>&1
+fi
diff --git a/bin/tests/system/rpzrecurse/testgen.pl b/bin/tests/system/rpzrecurse/testgen.pl
new file mode 100755
index 0000000..399f343
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/testgen.pl
@@ -0,0 +1,343 @@
+#!/usr/bin/env perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+use strict;
+use warnings;
+
+my $boilerplate_header = <<'EOB';
+# common configuration
+include "named.conf.header";
+
+view "recursive" {
+    zone "." {
+        type hint;
+        file "root.hint";
+    };
+
+    # policy configuration to be tested
+    response-policy {
+EOB
+
+my $no_option = <<'EOB';
+    } nsdname-enable yes nsip-enable yes;
+
+    # policy zones to be tested
+EOB
+
+my $qname_wait_recurse = <<'EOB';
+    } nsdname-enable yes nsip-enable yes qname-wait-recurse no;
+
+    # policy zones to be tested
+EOB
+
+my $boilerplate_end = <<'EOB';
+};
+EOB
+
+my $policy_option = $qname_wait_recurse;
+
+my $serialnum = "1";
+my $policy_zone_header = <<'EOH';
+$TTL 60
+@ IN SOA root.ns ns SERIAL 3600 1800 86400 60
+     NS ns
+ns A 127.0.0.1
+EOH
+
+sub policy_client_ip {
+    return "32.1.0.0.127.rpz-client-ip CNAME .\n";
+}
+
+sub policy_qname {
+    my $query_nbr = shift;
+    return sprintf "q%02d.l2.l1.l0 CNAME .\n", $query_nbr;
+}
+
+sub policy_ip {
+    return "32.255.255.255.255.rpz-ip CNAME .\n";
+}
+
+sub policy_nsdname {
+    return "ns.example.org.rpz-nsdname CNAME .\n";
+}
+
+sub policy_nsip {
+    return "32.255.255.255.255.rpz-ip CNAME .\n";
+}
+
+my %static_triggers = (
+    'client-ip' => \&policy_client_ip,
+    'ip'        => \&policy_ip,
+    'nsdname'   => \&policy_nsdname,
+    'nsip'      => \&policy_nsip,
+);
+
+sub mkconf {
+    my $case_id = shift;
+    my $n_queries = shift;
+
+    { # generate the query list
+        my $query_list_filename = "ns2/$case_id.queries";
+        my $query_list_fh;
+
+        open $query_list_fh, ">$query_list_filename" or die;
+
+        for( my $i = 1; $i <= $n_queries; $i++ ) {
+            print $query_list_fh sprintf "q%02d.l2.l1.l0\n", $i;
+        }
+    }
+
+    my @zones;
+
+    { # generate the conf file
+        my $conf_filename = "ns2/named.$case_id.conf";
+
+        my $conf_fh;
+
+        open $conf_fh, ">$conf_filename" or die;
+
+        print $conf_fh $boilerplate_header;
+
+        my $zone_seq = 0;
+
+        @zones = map {
+            [
+                sprintf( "$case_id.%02d.policy.local", $zone_seq++ ),
+                $_,
+            ];
+        } @_;
+
+        print $conf_fh map { qq{        zone "$_->[0]";\n} } @zones;
+
+        print $conf_fh $policy_option;
+
+        print $conf_fh map { qq{    zone "$_->[0]" { type master; file "db.$_->[0]"; };\n} } @zones;
+
+        print $conf_fh $boilerplate_end;
+    }
+
+    # generate the policy zone contents
+    foreach my $policy_zone_info( @zones ) {
+        my $policy_zone_name = $policy_zone_info->[0];
+        my $policy_zone_contents = $policy_zone_info->[1];
+
+        my $policy_zone_filename = "ns2/db.$policy_zone_name";
+        my $policy_zone_fh;
+
+        open $policy_zone_fh, ">$policy_zone_filename" or die;
+
+        my $header = $policy_zone_header;
+        $header =~ s/SERIAL/$serialnum/;
+        print $policy_zone_fh $header;
+
+        foreach my $trigger( @$policy_zone_contents ) {
+            if( exists $static_triggers{$trigger} ) {
+                # matches a trigger type with a static value
+                print $policy_zone_fh $static_triggers{$trigger}->();
+            }
+            else {
+                # a qname trigger, where what was specified is the query number it should match
+                print $policy_zone_fh policy_qname( $trigger );
+            }
+        }
+    }
+}
+
+mkconf(
+    '1a',
+    1,
+    [ 'client-ip' ],
+);
+
+mkconf(
+    '1b',
+    2,
+    [ 1 ],
+);
+
+mkconf(
+    '1c',
+    1,
+    [ 'client-ip', 2 ],
+);
+
+mkconf(
+    '2a',
+    33,
+    map { [ $_ ]; }  1 .. 32
+);
+
+mkconf(
+    '3a',
+    1,
+    [ 'ip' ],
+);
+
+mkconf(
+    '3b',
+    1,
+    [ 'nsdname' ],
+);
+
+mkconf(
+    '3c',
+    1,
+    [ 'nsip' ],
+);
+
+mkconf(
+    '3d',
+    2,
+    [ 'ip', 1 ]
+);
+
+mkconf(
+    '3e',
+    2,
+    [ 'nsdname', 1 ]
+);
+
+mkconf(
+    '3f',
+    2,
+    [ 'nsip', 1 ]
+);
+
+{
+    my $seq_code = 'aa';
+    my $seq_nbr = 0;
+
+    while( $seq_nbr < 32 ) {
+
+        mkconf(
+            "4$seq_code",
+            33,
+            ( map { [ $_ ]; } 1 .. $seq_nbr ),
+            [ 'ip', $seq_nbr + 2 ],
+            ( map { [ $_ + 2 ]; } ($seq_nbr + 1) .. 31 ),
+        );
+
+        $seq_code++;
+        $seq_nbr++;
+    }
+}
+
+mkconf(
+    '5a',
+    6,
+    [ 1 ],
+    [ 2, 'ip' ],
+    [ 4 ],
+    [ 5, 'ip' ],
+    [ 6 ],
+);
+
+$policy_option = $no_option;
+
+mkconf(
+    '6a',
+    0,
+    [ ],
+);
+
+$serialnum = "2";
+mkconf(
+    '6b',
+    0,
+    [ 'nsdname' ],
+);
+
+$serialnum = "3";
+mkconf(
+    '6c',
+    0,
+    [ ],
+);
+
+__END__
+
+0x01 - has client-ip
+    32.1.0.0.127.rpz-client-ip CNAME .
+0x02 - has qname
+    qX.l2.l1.l0 CNAME .
+0x10 - has ip
+    32.255.255.255.255.rpz-ip CNAME .
+0x20 - has nsdname
+    ns.example.org.rpz-nsdname CNAME .
+0x40 - has nsip
+    32.255.255.255.255.rpz-nsip CNAME .
+
+$case.$seq.policy.local
+
+case 1a = 0x01
+    .q01 = (00,0x01)=-r
+case 1b = 0x02
+    .q01 = (00,0x02)=-r
+    .q02 = (--,----)=+r
+case 1c = 0x03
+    .q01 = (00,0x01)=-r
+
+case 2a = 0x03{32}
+    .q01 = (00,0x02)=-r
+    .q02 = (01,0x02)=-r
+     ...
+    .q31 = (30,0x02)=-r
+    .q32 = (31,0x02)=-r
+    .q33 = (--,----)=+r
+
+case 3a = 0x10
+    .q01 = (00,0x10)=+r
+case 3b = 0x20
+    .q01 = (00,0x20)=+r
+case 3c = 0x40
+    .q01 = (00,0x40)=+r
+case 3d = 0x12
+    .q01 = (00,0x10)=+r
+    .q02 = (00,0x02)=-r
+case 3e = 0x22
+    .q01 = (00,0x20)=+r
+    .q02 = (00,0x02)=-r
+case 3f = 0x42
+    .q01 = (00,0x40)=+r
+    .q02 = (00,0x02)=-r
+
+case 4aa = 0x12,0x02{31}
+    .q01 = (00,0x10)=+r
+    .q02 = (00,0x02)=-r
+    .q03 = (01,0x02)=+r
+     ...
+    .q32 = (30,0x02)=+r
+    .q33 = (31,0x02)=+r
+case 4__ = 0x02{n(1->30)},0x12,0x02{31-n}
+    .q01 = (00,0x02)=-r
+     ...
+    .q(n+1) = (n,0x10)=+r
+    .q(n+2) = (n,0x02)=-r
+     ...
+    .q33 = (31,0x02)=+r
+case 4bf = 0x02{31},0x12
+    .q01 = (00,0x02)=-r
+    .q02 = (01,0x02)=-r
+     ...
+    .q31 = (30,0x02)=-r
+    .q32 = (31,0x10)=+r
+    .q33 = (31,0x02)=-r
+
+case 5a = 0x02,0x12,0x02,0x12,0x02
+    .q01 = (00,0x02)=-r
+    .q02 = (01,0x02)=-r
+    .q03 = (01,0x10)=+r
+    .q04 = (02,0x02)=+r
+    .q05 = (03,0x02)=+r
+    .q06 = (04,0x02)=+r
+
diff --git a/bin/tests/system/rpzrecurse/tests.sh b/bin/tests/system/rpzrecurse/tests.sh
new file mode 100644
index 0000000..950b610
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/tests.sh
@@ -0,0 +1,545 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# touch dnsrps-off to not test with DNSRPS
+# touch dnsrps-only to not test with classic RPZ
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+
+t=0
+
+DEBUG=
+ARGS=
+
+USAGE="$0: [-xS]"
+while getopts "xS:" c; do
+    case $c in
+	x) set -x; DEBUG=-x; ARGS="$ARGS -x";;
+	S) SAVE_RESULTS=-S; ARGS="$ARGS -S";;
+	*) echo "$USAGE" 1>&2; exit 1;;
+    esac
+done
+shift `expr $OPTIND - 1 || true`
+if test "$#" -ne 0; then
+    echo "$USAGE" 1>&2
+    exit 1
+fi
+# really quit on control-C
+trap 'exit 1' 1 2 15
+
+DNSRPSCMD=../rpz/dnsrps
+RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
+
+# $1 = test name (such as 1a, 1b, etc. for which named.$1.conf exists)
+run_server() {
+    TESTNAME=$1
+
+    echo_i "stopping resolver"
+    stop_server --use-rndc --port ${CONTROLPORT} ns2
+
+    sleep 1
+
+    echo_i "starting resolver using named.$TESTNAME.conf"
+    cp -f ns2/named.$TESTNAME.conf ns2/named.conf
+    start_server --noclean --restart --port ${PORT} ns2
+    sleep 3
+}
+
+run_query() {
+    TESTNAME=$1
+    LINE=$2
+
+    NAME=`sed -n -e "$LINE,"'$p' ns2/$TESTNAME.queries | head -n 1`
+    $DIG $DIGOPTS $NAME a @10.53.0.2 -p ${PORT} -b 127.0.0.1 > dig.out.${t}
+    grep "status: SERVFAIL" dig.out.${t} > /dev/null 2>&1 && return 1
+    return 0
+}
+
+# $1 = test name (such as 1a, 1b, etc. for which $1.queries exists)
+# $2 = line number in query file to test (the name to query is taken from this line)
+expect_norecurse() {
+    TESTNAME=$1
+    LINE=$2
+
+    NAME=`sed -n -e "$LINE,"'$p' ns2/$TESTNAME.queries | head -n 1`
+    t=`expr $t + 1`
+    echo_i "testing $NAME doesn't recurse (${t})"
+    add_test_marker 10.53.0.2
+    run_query $TESTNAME $LINE || {
+	echo_i "test ${t} failed"
+	status=1
+    }
+}
+
+# $1 = test name (such as 1a, 1b, etc. for which $1.queries exists)
+# $2 = line number in query file to test (the name to query is taken from this line)
+expect_recurse() {
+    TESTNAME=$1
+    LINE=$2
+
+    NAME=`sed -n -e "$LINE,"'$p' ns2/$TESTNAME.queries | head -n 1`
+    t=`expr $t + 1`
+    echo_i "testing $NAME recurses (${t})"
+    add_test_marker 10.53.0.2
+    run_query $TESTNAME $LINE && {
+	echo_i "test ${t} failed"
+	status=1
+    }
+}
+
+add_test_marker() {
+    for ns in $@
+    do
+	$RNDCCMD $ns null ---- test ${t} ----
+    done
+}
+
+for mode in native dnsrps; do
+  status=0
+  case $mode in
+  native)
+    if [ -e dnsrps-only ] ; then
+      echo_i "'dnsrps-only' found: skipping native RPZ sub-test"
+      continue
+    else
+      echo_i "running native RPZ sub-test"
+    fi
+    ;;
+  dnsrps)
+    if [ -e dnsrps-off ] ; then
+      echo_i "'dnsrps-off' found: skipping DNSRPS sub-test"
+      continue
+    fi
+    echo_i "attempting to configure servers with DNSRPS..."
+    stop_server --use-rndc --port ${CONTROLPORT}
+    $SHELL ./setup.sh -N -D $DEBUG
+    sed -n 's/^## //p' dnsrps.conf | cat_i
+    if grep '^#fail' dnsrps.conf >/dev/null; then
+      echo_i "exit status: 1"
+      exit 1
+    fi
+    if grep '^#skip' dnsrps.conf > /dev/null; then
+      echo_i "DNSRPS sub-test skipped"
+      continue
+    else
+      echo_i "running DNSRPS sub-test"
+      start_server --noclean --restart --port ${PORT}
+      sleep 3
+    fi
+    ;;
+  esac
+
+  # show whether and why DNSRPS is enabled or disabled
+  sed -n 's/^## //p' dnsrps.conf | cat_i
+
+  t=`expr $t + 1`
+  echo_i "testing that l1.l0 exists without RPZ (${t})"
+  add_test_marker 10.53.0.2
+  $DIG $DIGOPTS l1.l0 ns @10.53.0.2 -p ${PORT} > dig.out.${t}
+  grep "status: NOERROR" dig.out.${t} > /dev/null 2>&1 || {
+    echo_i "test ${t} failed"
+    status=1
+  }
+
+  t=`expr $t + 1`
+  echo_i "testing that l2.l1.l0 returns SERVFAIL without RPZ (${t})"
+  add_test_marker 10.53.0.2
+  $DIG $DIGOPTS l2.l1.l0 ns @10.53.0.2 -p ${PORT} > dig.out.${t}
+  grep "status: SERVFAIL" dig.out.${t} > /dev/null 2>&1 || {
+    echo_i "test ${t} failed"
+    status=1
+  }
+
+  # Group 1
+  run_server 1a
+  expect_norecurse 1a 1
+  run_server 1b
+  expect_norecurse 1b 1
+  expect_recurse 1b 2
+  run_server 1c
+  expect_norecurse 1c 1
+
+  # Group 2
+  run_server 2a
+  for n in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 \
+	   21 22 23 24 25 26 27 28 29 30 31 32
+  do
+    expect_norecurse 2a $n
+  done
+  expect_recurse 2a 33
+
+  # Group 3
+  run_server 3a
+  expect_recurse 3a 1
+  run_server 3b
+  expect_recurse 3b 1
+  run_server 3c
+  expect_recurse 3c 1
+  run_server 3d
+  expect_norecurse 3d 1
+  expect_recurse 3d 2
+  run_server 3e
+  expect_norecurse 3e 1
+  expect_recurse 3e 2
+  run_server 3f
+  expect_norecurse 3f 1
+  expect_recurse 3f 2
+
+  # Group 4
+  testlist="aa ap bf"
+  values="1 16 32"
+  # Uncomment the following to test every skip value instead of
+  # only a sample of values
+  #
+  #testlist="aa ab ac ad ae af ag ah ai aj ak al am an ao ap \
+  #          aq ar as at au av aw ax ay az ba bb bc bd be bf"
+  #values="1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 \
+  #        21 22 23 24 25 26 27 28 29 30 31 32"
+  set -- $values
+  for n in $testlist; do
+    run_server 4$n
+    ni=$1
+    t=`expr $t + 1`
+    echo_i "testing that ${ni} of 33 queries skip recursion (${t})"
+    add_test_marker 10.53.0.2
+    c=0
+    for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 \
+	     17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33
+    do
+      run_query 4$n $i
+      c=`expr $c + $?`
+    done
+    skipped=`expr 33 - $c`
+    if [ $skipped != $ni ]; then
+      echo_i "test $t failed (actual=$skipped, expected=$ni)"
+      status=1
+    fi
+    shift
+  done
+
+  # Group 5
+  run_server 5a
+  expect_norecurse 5a 1
+  expect_norecurse 5a 2
+  expect_recurse 5a 3
+  expect_recurse 5a 4
+  expect_recurse 5a 5
+  expect_recurse 5a 6
+
+  if [ ! "$CYGWIN" -o -n "$PSSUSPEND" ]
+  then
+    # Group 6
+    echo_i "check recursive behavior consistency during policy update races"
+    run_server 6a
+    sleep 1
+    t=`expr $t + 1`
+    echo_i "running dig to cache CNAME record (${t})"
+    add_test_marker 10.53.0.1 10.53.0.2
+    $DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org CNAME > dig.out.${t}
+    sleep 1
+    echo_i "suspending authority server"
+    PID=`cat ns1/named.pid`
+    if [ "$CYGWIN" ]
+    then
+      $PSSUSPEND $PID
+    else
+      $KILL -STOP $PID
+    fi
+    echo_i "adding an NSDNAME policy"
+    cp ns2/db.6a.00.policy.local ns2/saved.policy.local
+    cp ns2/db.6b.00.policy.local ns2/db.6a.00.policy.local
+    $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i
+    test -f dnsrpzd.pid && $KILL -USR1 `cat dnsrpzd.pid`
+    sleep 1
+    t=`expr $t + 1`
+    echo_i "running dig to follow CNAME (blocks, so runs in the background) (${t})"
+    add_test_marker 10.53.0.2
+    $DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org A +time=5 > dig.out.${t} &
+    sleep 1
+    echo_i "removing the NSDNAME policy"
+    cp ns2/db.6c.00.policy.local ns2/db.6a.00.policy.local
+    $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i
+    test -f dnsrpzd.pid && $KILL -USR1 `cat dnsrpzd.pid`
+    sleep 1
+    echo_i "resuming authority server"
+    PID=`cat ns1/named.pid`
+    if [ "$CYGWIN" ]
+    then
+      $PSSUSPEND -r $PID
+    else
+      $KILL -CONT $PID
+    fi
+    add_test_marker 10.53.0.1
+    for n in 1 2 3 4 5 6 7 8 9
+    do
+      sleep 1
+      [ -s dig.out.${t} ] || continue
+      grep "status: .*," dig.out.${t} > /dev/null 2>&1 && break
+    done
+    grep "status: NOERROR" dig.out.${t} > /dev/null 2>&1 || {
+      echo_i "test ${t} failed"
+      status=1
+    }
+
+    echo_i "check recursive behavior consistency during policy removal races"
+    cp ns2/saved.policy.local ns2/db.6a.00.policy.local
+    run_server 6a
+    sleep 1
+    t=`expr $t + 1`
+    echo_i "running dig to cache CNAME record (${t})"
+    add_test_marker 10.53.0.1 10.53.0.2
+    $DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org CNAME > dig.out.${t}
+    sleep 1
+    echo_i "suspending authority server"
+    PID=`cat ns1/named.pid`
+    if [ "$CYGWIN" ]
+    then
+      $PSSUSPEND $PID
+    else
+      $KILL -STOP $PID
+    fi
+    echo_i "adding an NSDNAME policy"
+    cp ns2/db.6b.00.policy.local ns2/db.6a.00.policy.local
+    $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i
+    test -f dnsrpzd.pid && $KILL -USR1 `cat dnsrpzd.pid`
+    sleep 1
+    t=`expr $t + 1`
+    echo_i "running dig to follow CNAME (blocks, so runs in the background) (${t})"
+    add_test_marker 10.53.0.2
+    $DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org A +time=5 > dig.out.${t} &
+    sleep 1
+    echo_i "removing the policy zone"
+    cp ns2/named.default.conf ns2/named.conf
+    rndc_reconfig ns2 10.53.0.2
+    test -f dnsrpzd.pid && $KILL -USR1 `cat dnsrpzd.pid`
+    sleep 1
+    echo_i "resuming authority server"
+    PID=`cat ns1/named.pid`
+    if [ "$CYGWIN" ]
+    then
+      $PSSUSPEND -r $PID
+    else
+      $KILL -CONT $PID
+    fi
+    add_test_marker 10.53.0.1
+    for n in 1 2 3 4 5 6 7 8 9; do
+      sleep 1
+      [ -s dig.out.${t} ] || continue
+      grep "status: .*," dig.out.${t} > /dev/null 2>&1 && break
+    done
+    grep "status: NOERROR" dig.out.${t} > /dev/null 2>&1 || {
+      echo_i "test ${t} failed"
+      status=1
+    }
+  fi
+
+  # Check maximum number of RPZ zones (64)
+  t=`expr $t + 1`
+  echo_i "testing maximum number of RPZ zones (${t})"
+  add_test_marker 10.53.0.2
+  run_server max
+  i=1
+  while test $i -le 64
+  do
+      $DIG $DIGOPTS name$i a @10.53.0.2 -p ${PORT} -b 10.53.0.1 > dig.out.${t}.${i}
+      grep "^name$i.[ 	]*[0-9]*[ 	]*IN[ 	]*A[ 	]*10.53.0.$i" dig.out.${t}.${i} > /dev/null 2>&1 || {
+	  echo_i "test $t failed: didn't get expected answer from policy zone $i"
+	  status=1
+      }
+      i=`expr $i + 1`
+  done
+
+  # Check CLIENT-IP behavior
+  t=`expr $t + 1`
+  echo_i "testing CLIENT-IP behavior (${t})"
+  add_test_marker 10.53.0.2
+  run_server clientip
+  $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 > dig.out.${t}
+  grep "status: NOERROR" dig.out.${t} > /dev/null 2>&1 || {
+    echo_i "test $t failed: query failed"
+    status=1
+  }
+  grep "^l2.l1.l0.[ 	]*[0-9]*[ 	]*IN[ 	]*A[ 	]*10.53.0.2" dig.out.${t} > /dev/null 2>&1 || {
+    echo_i "test $t failed: didn't get expected answer"
+    status=1
+  }
+
+  # Check CLIENT-IP behavior #2
+  t=`expr $t + 1`
+  echo_i "testing CLIENT-IP behavior #2 (${t})"
+  add_test_marker 10.53.0.2
+  run_server clientip2
+  $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.1 > dig.out.${t}.1
+  grep "status: SERVFAIL" dig.out.${t}.1 > /dev/null 2>&1 || {
+    echo_i "test $t failed: query failed"
+    status=1
+  }
+  $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.2 > dig.out.${t}.2
+  grep "status: NXDOMAIN" dig.out.${t}.2 > /dev/null 2>&1 || {
+    echo_i "test $t failed: query failed"
+    status=1
+  }
+  $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.3 > dig.out.${t}.3
+  grep "status: NOERROR" dig.out.${t}.3 > /dev/null 2>&1 || {
+    echo_i "test $t failed: query failed"
+    status=1
+  }
+  grep "^l2.l1.l0.[ 	]*[0-9]*[ 	]*IN[ 	]*A[ 	]*10.53.0.1" dig.out.${t}.3 > /dev/null 2>&1 || {
+    echo_i "test $t failed: didn't get expected answer"
+    status=1
+  }
+  $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 > dig.out.${t}.4
+  grep "status: SERVFAIL" dig.out.${t}.4 > /dev/null 2>&1 || {
+    echo_i "test $t failed: query failed"
+    status=1
+  }
+
+  # Check RPZ log clause
+  t=`expr $t + 1`
+  echo_i "testing RPZ log clause (${t})"
+  add_test_marker 10.53.0.2
+  run_server log
+  cur=`awk 'BEGIN {l=0} /^/ {l++} END { print l }' ns2/named.run`
+  $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 > dig.out.${t}
+  $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.3 >> dig.out.${t}
+  $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.2 >> dig.out.${t}
+  sed -n "$cur,"'$p' < ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0/A/IN via 32.4.0.53.10.rpz-client-ip.log1" > /dev/null && {
+    echo_ic "failed: unexpected rewrite message for policy zone log1 was logged"
+    status=1
+  }
+  sed -n "$cur,"'$p' < ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0/A/IN via 32.3.0.53.10.rpz-client-ip.log2" > /dev/null || {
+    echo_ic "failed: expected rewrite message for policy zone log2 was not logged"
+    status=1
+  }
+  sed -n "$cur,"'$p' < ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0/A/IN via 32.2.0.53.10.rpz-client-ip.log3" > /dev/null || {
+    echo_ic "failed: expected rewrite message for policy zone log3 was not logged"
+    status=1
+  }
+
+  # Check wildcard behavior
+
+  t=`expr $t + 1`
+  echo_i "testing wildcard behavior with 1 RPZ zone (${t})"
+  add_test_marker 10.53.0.2
+  run_server wildcard1
+  $DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} > dig.out.${t}.1
+  grep "status: NXDOMAIN" dig.out.${t}.1 > /dev/null || {
+    echo_i "test ${t} failed"
+    status=1
+  }
+  $DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} > dig.out.${t}.2
+  grep "status: NXDOMAIN" dig.out.${t}.2 > /dev/null || {
+    echo_i "test ${t} failed"
+    status=1
+  }
+
+  t=`expr $t + 1`
+  echo_i "testing wildcard behavior with 2 RPZ zones (${t})"
+  add_test_marker 10.53.0.2
+  run_server wildcard2
+  $DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} > dig.out.${t}.1
+  grep "status: NXDOMAIN" dig.out.${t}.1 > /dev/null || {
+    echo_i "test ${t} failed"
+    status=1
+  }
+  $DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} > dig.out.${t}.2
+  grep "status: NXDOMAIN" dig.out.${t}.2 > /dev/null || {
+    echo_i "test ${t} failed"
+    status=1
+  }
+
+  t=`expr $t + 1`
+  echo_i "testing wildcard behavior with 1 RPZ zone and no non-wildcard triggers (${t})"
+  add_test_marker 10.53.0.2
+  run_server wildcard3
+  $DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} > dig.out.${t}.1
+  grep "status: NXDOMAIN" dig.out.${t}.1 > /dev/null || {
+    echo_i "test ${t} failed"
+    status=1
+  }
+  $DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} > dig.out.${t}.2
+  grep "status: NOERROR" dig.out.${t}.2 > /dev/null || {
+    echo_i "test ${t} failed"
+    status=1
+  }
+
+  # Check for invalid prefix length error
+  t=`expr $t + 1`
+  echo_i "testing for invalid prefix length error (${t})"
+  add_test_marker 10.53.0.2
+  run_server invalidprefixlength
+  grep "invalid rpz IP address \"1000.4.0.53.10.rpz-client-ip.invalidprefixlength\"; invalid prefix length of 1000$" ns2/named.run > /dev/null || {
+    echo_ic "failed: expected that invalid prefix length error would be logged"
+    status=1
+  }
+
+  t=`expr $t + 1`
+  echo_i "testing wildcard passthru before explicit drop (${t})"
+  add_test_marker 10.53.0.2
+  run_server wildcard4
+  $DIG $DIGOPTS example.com a @10.53.0.2 -p ${PORT} > dig.out.${t}.1
+  grep "status: NOERROR" dig.out.${t}.1 > /dev/null || {
+    echo_i "test ${t} failed"
+    status=1
+  }
+  $DIG $DIGOPTS www.example.com a @10.53.0.2 -p ${PORT} > dig.out.${t}.2
+  grep "status: NOERROR" dig.out.${t}.2 > /dev/null || {
+    echo_i "test ${t} failed"
+    status=1
+  }
+
+  t=`expr $t + 1`
+  echo_i "checking 'nsip-wait-recurse no' is faster than 'nsip-wait-recurse yes' ($t)"
+  add_test_marker 10.53.0.2 10.53.0.3
+  echo_i "timing 'nsip-wait-recurse yes' (default)"
+  ret=0
+  t1=`$PERL -e 'print time()."\n";'`
+  $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a > dig.out.yes.$t
+  t2=`$PERL -e 'print time()."\n";'`
+  p1=`expr $t2 - $t1`
+  echo_i "elasped time $p1 seconds"
+
+  $RNDC  -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush
+  copy_setports ns3/named2.conf.in ns3/named.conf
+  nextpart ns3/named.run > /dev/null
+  $RNDC  -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload > /dev/null
+  wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1
+
+  echo_i "timing 'nsip-wait-recurse no'"
+  t3=`$PERL -e 'print time()."\n";'`
+  $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a > dig.out.no.$t
+  t4=`$PERL -e 'print time()."\n";'`
+  p2=`expr $t4 - $t3`
+  echo_i "elasped time $p2 seconds"
+
+  if test $p1 -le $p2; then ret=1; fi
+  if test $ret != 0; then echo_i "failed"; fi
+  status=`expr $status + $ret`
+
+  [ $status -ne 0 ] && pf=fail || pf=pass
+  case $mode in
+  native)
+    native=$status
+    echo_i "status (native RPZ sub-test): $status ($pf)";;
+  dnsrps)
+    dnsrps=$status
+    echo_i "status (DNSRPS sub-test): $status ($pf)";;
+  *) echo_i "invalid test mode";;
+  esac
+done
+status=`expr ${native:-0} + ${dnsrps:-0}`
+
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/rrchecker/classlist.good b/bin/tests/system/rrchecker/classlist.good
new file mode 100644
index 0000000..f0fff1a
--- /dev/null
+++ b/bin/tests/system/rrchecker/classlist.good
@@ -0,0 +1,3 @@
+IN
+CH
+HS
diff --git a/bin/tests/system/rrchecker/clean.sh b/bin/tests/system/rrchecker/clean.sh
new file mode 100644
index 0000000..166247d
--- /dev/null
+++ b/bin/tests/system/rrchecker/clean.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f classlist.out privatelist.out typelist.out tempzone checkzone.out* checker.out
+rm -f ns*/named.lock
diff --git a/bin/tests/system/rrchecker/privatelist.good b/bin/tests/system/rrchecker/privatelist.good
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/bin/tests/system/rrchecker/privatelist.good
diff --git a/bin/tests/system/rrchecker/tests.sh b/bin/tests/system/rrchecker/tests.sh
new file mode 100644
index 0000000..7990e65
--- /dev/null
+++ b/bin/tests/system/rrchecker/tests.sh
@@ -0,0 +1,84 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=0
+
+n=`expr $n + 1`
+echo_i "class list ($n)"
+$RRCHECKER -C > classlist.out
+$DIFF classlist.out classlist.good || { echo_i "failed"; status=`expr $status + 1`; }
+
+n=`expr $n + 1`
+echo_i "type list ($n)"
+$RRCHECKER -T > typelist.out
+$DIFF typelist.out typelist.good || { echo_i "failed"; status=`expr $status + 1`; }
+
+n=`expr $n + 1`
+echo_i "private type list ($n)"
+$RRCHECKER -P > privatelist.out
+$DIFF privatelist.out privatelist.good || { echo_i "failed"; status=`expr $status + 1`; }
+
+myecho() {
+cat << EOF
+$*
+EOF
+}
+
+n=`expr $n + 1`
+echo_i "check conversions to canonical format ($n)"
+ret=0
+$SHELL ../genzone.sh 0 > tempzone
+$CHECKZONE -Dq . tempzone | sed '/^;/d' > checkzone.out$n
+while read -r name tt cl ty rest
+do
+	myecho "$cl $ty $rest" | $RRCHECKER -p > checker.out || {
+		ret=1
+		echo_i "'$cl $ty $rest' not handled."
+	}
+	read -r cl0 ty0 rest0 < checker.out
+	test "$cl $ty $rest" = "$cl0 $ty0 $rest0" || {
+		ret=1
+		echo_i "'$cl $ty $rest' != '$cl0 $ty0 $rest0'"
+	}
+done < checkzone.out$n
+test $ret -eq 0 || { echo_i "failed"; status=`expr $status + 1`; }
+
+n=`expr $n + 1`
+echo_i "check conversions to and from unknown record format ($n)"
+ret=0
+$CHECKZONE -Dq . tempzone | sed '/^;/d' > checkzone.out$n
+while read -r name tt cl ty rest
+do
+	myecho "$cl $ty $rest" | $RRCHECKER -u > checker.out || {
+		ret=1
+		echo_i "'$cl $ty $rest' not converted to unknown record format"
+	}
+	read -r clu tyu restu < checker.out
+	myecho "$clu $tyu $restu" | $RRCHECKER -p > checker.out || {
+		ret=1
+		echo_i "'$cl $ty $rest' not converted back to canonical format"
+	}
+	read -r cl0 ty0 rest0 < checker.out
+	test "$cl $ty $rest" = "$cl0 $ty0 $rest0" || {
+		ret=1
+		echo_i "'$cl $ty $rest' != '$cl0 $ty0 $rest0'"
+	}
+done < checkzone.out$n
+test $ret -eq 0 || { echo_i "failed"; status=`expr $status + 1`; }
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/rrchecker/typelist.good b/bin/tests/system/rrchecker/typelist.good
new file mode 100644
index 0000000..3c3e5cd
--- /dev/null
+++ b/bin/tests/system/rrchecker/typelist.good
@@ -0,0 +1,81 @@
+A
+NS
+MD
+MF
+CNAME
+SOA
+MB
+MG
+MR
+NULL
+WKS
+PTR
+HINFO
+MINFO
+MX
+TXT
+RP
+AFSDB
+X25
+ISDN
+RT
+NSAP
+NSAP-PTR
+SIG
+KEY
+PX
+GPOS
+AAAA
+LOC
+NXT
+EID
+NIMLOC
+SRV
+ATMA
+NAPTR
+KX
+CERT
+A6
+DNAME
+SINK
+APL
+DS
+SSHFP
+IPSECKEY
+RRSIG
+NSEC
+DNSKEY
+DHCID
+NSEC3
+NSEC3PARAM
+TLSA
+SMIMEA
+HIP
+NINFO
+RKEY
+TALINK
+CDS
+CDNSKEY
+OPENPGPKEY
+CSYNC
+ZONEMD
+SVCB
+HTTPS
+SPF
+UINFO
+UID
+GID
+UNSPEC
+NID
+L32
+L64
+LP
+EUI48
+EUI64
+URI
+CAA
+AVC
+DOA
+AMTRELAY
+TA
+DLV
diff --git a/bin/tests/system/rrl/broken.conf.in b/bin/tests/system/rrl/broken.conf.in
new file mode 100644
index 0000000..020542c
--- /dev/null
+++ b/bin/tests/system/rrl/broken.conf.in
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.5;
+	notify-source 10.53.0.5;
+	transfer-source 10.53.0.5;
+	port @PORT@;
+	pid-file "named.pid";
+	statistics-file	"named.stats";
+	listen-on { 10.53.0.5; };
+	listen-on-v6 { none; };
+	notify no;
+
+	rate-limit {
+	    responses-per-second 2;
+	    all-per-second 50;
+	    slip 3;
+	    exempt-clients { 10.53.0.7; };
+	    log-only yes;
+
+	    min-table-size 0;
+	    max-table-size 0;
+	};
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+controls {
+	inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
diff --git a/bin/tests/system/rrl/clean.sh b/bin/tests/system/rrl/clean.sh
new file mode 100644
index 0000000..739366a
--- /dev/null
+++ b/bin/tests/system/rrl/clean.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# Clean up after rrl tests.
+
+rm -f dig.out* *mdig.out*
+rm -f  */named.memstats */named.run */named.stats */log-* */session.key
+rm -f ns3/bl*.db */*.jnl */*.core */*.pid
+rm -f ns*/named.lock
+rm -f ns*/named.conf
+rm -f broken.conf
+rm -f broken.out
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/rrl/ns1/named.conf.in b/bin/tests/system/rrl/ns1/named.conf.in
new file mode 100644
index 0000000..e4da6ef
--- /dev/null
+++ b/bin/tests/system/rrl/ns1/named.conf.in
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	session-keyfile "session.key";
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	notify no;
+	recursion yes;
+	dnssec-validation yes;
+};
+
+zone "." {type primary; file "root.db";};
diff --git a/bin/tests/system/rrl/ns1/root.db b/bin/tests/system/rrl/ns1/root.db
new file mode 100644
index 0000000..68265fe
--- /dev/null
+++ b/bin/tests/system/rrl/ns1/root.db
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL	120
+@		SOA	ns. hostmaster.ns. ( 1 3600 1200 604800 60 )
+@		NS	ns.
+ns.		A	10.53.0.1
+.		A	10.53.0.1
+
+; limit responses from here
+tld2.		NS	ns.tld2.
+ns.tld2.	A	10.53.0.2
+
+; limit recursion to here
+tld3.		NS	ns.tld3.
+ns.tld3.	A	10.53.0.3
+
+; generate SERVFAIL
+tld4.		NS	ns.tld3.
diff --git a/bin/tests/system/rrl/ns2/hints b/bin/tests/system/rrl/ns2/hints
new file mode 100644
index 0000000..a1d435e
--- /dev/null
+++ b/bin/tests/system/rrl/ns2/hints
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+.	0	NS	ns1.
+ns1.	0	A	10.53.0.1
diff --git a/bin/tests/system/rrl/ns2/named.conf.in b/bin/tests/system/rrl/ns2/named.conf.in
new file mode 100644
index 0000000..987d42f
--- /dev/null
+++ b/bin/tests/system/rrl/ns2/named.conf.in
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	session-keyfile "session.key";
+	pid-file "named.pid";
+	statistics-file	"named.stats";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	notify no;
+	recursion yes;
+	dnssec-validation yes;
+
+	rate-limit {
+	    responses-per-second 2;
+	    all-per-second 50;
+	    slip 3;
+	    exempt-clients { 10.53.0.7; };
+
+	    // small enough to force a table expansion
+	    min-table-size 75;
+	};
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+/*
+ * These log settings have no effect unless "-g" is removed from ../../start.pl
+ */
+logging {
+	channel debug {
+	    file "log-debug";
+	    print-category yes; print-severity yes; severity debug 10;
+	};
+	channel queries {
+	    file "log-queries";
+	    print-category yes; print-severity yes; severity info;
+	};
+	category rate-limit { debug; queries; };
+	category queries { debug; queries; };
+};
+
+zone "." { type hint; file "hints"; };
+
+zone "tld2."{ type primary; file "tld2.db"; };
diff --git a/bin/tests/system/rrl/ns2/tld2.db b/bin/tests/system/rrl/ns2/tld2.db
new file mode 100644
index 0000000..a1a832b
--- /dev/null
+++ b/bin/tests/system/rrl/ns2/tld2.db
@@ -0,0 +1,42 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; rate limit response from this zone
+
+$TTL	120
+@		SOA	tld2.  hostmaster.ns.tld2. ( 1 3600 1200 604800 60 )
+		NS	ns
+		NS	.
+ns		A	10.53.0.2
+
+; basic rate limiting
+a1		A	192.0.2.1
+
+; wildcards
+*.a2		A	192.0.2.2
+
+; a3 is in tld3
+
+; a4 does not exist to give NXDOMAIN
+
+; a5 for TCP requests
+a5		A	192.0.2.5
+
+; a6 for whitelisted clients
+a6		A	192.0.2.6
+
+; a7 for SERVFAIL
+
+; a8 for NODATA
+a8		A	192.0.2.8
+
+; a9 for all-per-second limit
+$GENERATE 101-180 all$.a9 A 192.0.2.8
diff --git a/bin/tests/system/rrl/ns3/hints b/bin/tests/system/rrl/ns3/hints
new file mode 100644
index 0000000..a1d435e
--- /dev/null
+++ b/bin/tests/system/rrl/ns3/hints
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+.	0	NS	ns1.
+ns1.	0	A	10.53.0.1
diff --git a/bin/tests/system/rrl/ns3/named.conf.in b/bin/tests/system/rrl/ns3/named.conf.in
new file mode 100644
index 0000000..8807f44
--- /dev/null
+++ b/bin/tests/system/rrl/ns3/named.conf.in
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	session-keyfile "session.key";
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	notify no;
+	recursion yes;
+	dnssec-validation yes;
+
+	// check that all of the options are parsed without limiting anything
+	rate-limit {
+	    responses-per-second 200;
+	    referrals-per-second 220;
+	    nodata-per-second 230;
+	    nxdomains-per-second 240;
+	    errors-per-second 250;
+	    all-per-second 700;
+	    ipv4-prefix-length 24;
+	    ipv6-prefix-length 64;
+	    qps-scale 10;
+	    window 1;
+	    max-table-size 1000;
+	    log-only no;
+	    min-table-size 0;
+	};
+
+};
+
+zone "." { type hint; file "hints"; };
+
+zone "tld3."{ type primary; file "tld3.db"; };
diff --git a/bin/tests/system/rrl/ns3/tld3.db b/bin/tests/system/rrl/ns3/tld3.db
new file mode 100644
index 0000000..a534c6e
--- /dev/null
+++ b/bin/tests/system/rrl/ns3/tld3.db
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; rate limit response from this zone
+
+$TTL	120
+@		SOA	tld3.  hostmaster.ns.tld3. ( 1 3600 1200 604800 60 )
+		NS	ns
+		NS	.
+ns		A	10.53.0.3
+
+*.a3		A	192.0.3.3
diff --git a/bin/tests/system/rrl/ns4/hints b/bin/tests/system/rrl/ns4/hints
new file mode 100644
index 0000000..a1d435e
--- /dev/null
+++ b/bin/tests/system/rrl/ns4/hints
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+.	0	NS	ns1.
+ns1.	0	A	10.53.0.1
diff --git a/bin/tests/system/rrl/ns4/named.conf.in b/bin/tests/system/rrl/ns4/named.conf.in
new file mode 100644
index 0000000..cc17b91
--- /dev/null
+++ b/bin/tests/system/rrl/ns4/named.conf.in
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port @PORT@;
+	session-keyfile "session.key";
+	pid-file "named.pid";
+	statistics-file	"named.stats";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	notify no;
+	recursion yes;
+	dnssec-validation yes;
+	max-udp-size 4096;
+
+	rate-limit {
+	    responses-per-second 2;
+	    all-per-second 50;
+	    slip 3;
+	    exempt-clients { 10.53.0.7; };
+	    log-only yes;
+
+	    // small enough to force a table expansion
+	    min-table-size 75;
+	};
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+controls {
+	inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+/*
+ * These log settings have no effect unless "-g" is removed from ../../start.pl
+ */
+logging {
+	channel debug {
+	    file "log-debug";
+	    print-category yes; print-severity yes; severity debug 10;
+	};
+	channel queries {
+	    file "log-queries";
+	    print-category yes; print-severity yes; severity info;
+	};
+	category rate-limit { debug; queries; };
+	category queries { debug; queries; };
+};
+
+zone "." { type hint; file "hints"; };
+
+zone "tld4."{ type primary; file "tld4.db"; };
diff --git a/bin/tests/system/rrl/ns4/tld4.db b/bin/tests/system/rrl/ns4/tld4.db
new file mode 100644
index 0000000..a7bc319
--- /dev/null
+++ b/bin/tests/system/rrl/ns4/tld4.db
@@ -0,0 +1,45 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; rate limit response from this zone
+
+$TTL	120
+@		SOA	tld4.  hostmaster.ns.tld4. ( 1 3600 1200 604800 60 )
+		NS	ns
+		NS	.
+ns		A	10.53.0.2
+
+; basic rate limiting
+a1		A	192.0.2.1
+
+; wildcards
+*.a2		A	192.0.2.2
+
+; a3 is in tld3
+
+; a4 does not exist to give NXDOMAIN
+
+; a5 for TCP requests
+a5		A	192.0.2.5
+
+; a6 for whitelisted clients
+a6		A	192.0.2.6
+
+; a7 for SERVFAIL
+
+; a8 for NODATA
+a8		A	192.0.2.8
+
+; a9 for all-per-second limit
+$GENERATE 101-180 all$.a9 A 192.0.2.8
+
+; oversized TXT record
+$GENERATE 1-100    big    1    TXT    "txt$"
diff --git a/bin/tests/system/rrl/setup.sh b/bin/tests/system/rrl/setup.sh
new file mode 100644
index 0000000..be63ed9
--- /dev/null
+++ b/bin/tests/system/rrl/setup.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+
+copy_setports broken.conf.in broken.conf
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
diff --git a/bin/tests/system/rrl/tests.sh b/bin/tests/system/rrl/tests.sh
new file mode 100644
index 0000000..d4d2a83
--- /dev/null
+++ b/bin/tests/system/rrl/tests.sh
@@ -0,0 +1,291 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# test response rate limiting
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
+
+#set -x
+
+ns1=10.53.0.1			    # root, defining the others
+ns2=10.53.0.2			    # test server
+ns3=10.53.0.3			    # secondary test server
+ns4=10.53.0.4			    # log-only test server
+ns7=10.53.0.7			    # whitelisted client
+
+USAGE="$0: [-x]"
+while getopts "x" c; do
+    case $c in
+	x) set -x;;
+	*) echo "$USAGE" 1>&2; exit 1;;
+    esac
+done
+shift `expr $OPTIND - 1 || true`
+if test "$#" -ne 0; then
+    echo "$USAGE" 1>&2
+    exit 1
+fi
+# really quit on control-C
+trap 'exit 1' 1 2 15
+
+
+ret=0
+setret () {
+    ret=1
+    echo_i "$*"
+}
+
+
+# Wait until soon after the start of a second to make results consistent.
+#   The start of a second credits a rate limit.
+#   This would be far easier in C or by assuming a modern version of perl.
+sec_start () {
+    START=`date`
+    while true; do
+	NOW=`date`
+	if test "$START" != "$NOW"; then
+	    return
+	fi
+	$PERL -e 'select(undef, undef, undef, 0.05)' || true
+    done
+}
+
+
+# turn off ${HOME}/.digrc
+HOME=/dev/null; export HOME
+
+#   $1=number of tests  $2=target domain  $3=dig options
+QNUM=1
+burst () {
+    BURST_LIMIT=$1; shift
+    BURST_DOM_BASE="$1"; shift
+
+    XCNT=$CNT
+    CNT='XXX'
+    eval FILENAME="mdig.out-$BURST_DOM_BASE"
+    CNT=$XCNT
+
+    DOMS=""
+    CNTS=`$PERL -e 'for ( $i = 0; $i < '$BURST_LIMIT'; $i++) { printf "%03d\n", '$QNUM' + $i; }'`
+    for CNT in $CNTS
+    do
+        eval BURST_DOM="$BURST_DOM_BASE"
+        DOMS="$DOMS $BURST_DOM"
+    done
+    ARGS="+burst +nocookie +continue +time=1 +tries=1 -p ${PORT} $* @$ns2 $DOMS"
+    $MDIG $ARGS 2>&1 |                                                  \
+        tr -d '\r' |                                                    \
+        tee -a full-$FILENAME |                                         \
+        sed -n -e '/^;; AUTHORITY/,/^$/d'			        \
+		-e '/^;; ADDITIONAL/,/^$/d'				\
+		-e 's/^[^;].*	\([^	 ]\{1,\}\)$/\1/p'		\
+		-e 's/;; flags.* tc .*/TC/p'				\
+		-e 's/;; .* status: NXDOMAIN.*/NXDOMAIN/p'		\
+		-e 's/;; .* status: NOERROR.*/NOERROR/p'		\
+		-e 's/;; .* status: SERVFAIL.*/SERVFAIL/p'		\
+		-e 's/response failed with timed out.*/drop/p'		\
+		-e 's/;; communications error to.*/drop/p' >> $FILENAME &
+    QNUM=`expr $QNUM + $BURST_LIMIT`
+}
+
+# compare integers $1 and $2; ensure the difference is no more than $3
+range () {
+    $PERL -e 'if (abs(int($ARGV[0]) - int($ARGV[1])) > int($ARGV[2])) { exit(1) }' $1 $2 $3
+}
+
+#   $1=domain  $2=IP address  $3=# of IP addresses  $4=TC  $5=drop
+#	$6=NXDOMAIN  $7=SERVFAIL or other errors
+ck_result() {
+    # wait to the background mdig calls to complete.
+    wait
+    BAD=no
+    ADDRS=`grep -E "^$2$" mdig.out-$1				2>/dev/null | wc -l`
+    # count simple truncated and truncated NXDOMAIN as TC
+    TC=`grep -E "^TC|NXDOMAINTC$" mdig.out-$1			2>/dev/null | wc -l`
+    DROP=`grep -E "^drop$" mdig.out-$1				2>/dev/null | wc -l`
+    # count NXDOMAIN and truncated NXDOMAIN as NXDOMAIN
+    NXDOMAIN=`grep -E "^NXDOMAIN|NXDOMAINTC$" mdig.out-$1		2>/dev/null | wc -l`
+    SERVFAIL=`grep -E "^SERVFAIL$" mdig.out-$1			2>/dev/null | wc -l`
+    NOERROR=`grep -E "^NOERROR$" mdig.out-$1			2>/dev/null | wc -l`
+    
+    range $ADDRS "$3" 1 ||
+    setret "$ADDRS instead of $3 '$2' responses for $1" &&
+    BAD=yes
+    
+    range $TC "$4" 1 ||
+    setret "$TC instead of $4 truncation responses for $1" &&
+    BAD=yes
+    
+    range $DROP "$5" 1 ||
+    setret "$DROP instead of $5 dropped responses for $1" &&
+    BAD=yes
+    
+    range $NXDOMAIN "$6" 1 ||
+    setret "$NXDOMAIN instead of $6 NXDOMAIN responses for $1" &&
+    BAD=yes
+    
+    range $SERVFAIL "$7" 1 ||
+    setret "$SERVFAIL instead of $7 error responses for $1" &&
+    BAD=yes
+
+    range $NOERROR "$8" 1 ||
+    setret "$NOERROR instead of $8 NOERROR responses for $1" &&
+    BAD=yes
+    
+    if test -z "$BAD"; then
+	rm -f mdig.out-$1
+    fi
+}
+
+
+ckstats () {
+    LABEL="$1"; shift
+    TYPE="$1"; shift
+    EXPECTED="$1"; shift
+    C=`tr -d '\r' < ns2/named.stats |
+        sed -n -e "s/[	 ]*\([0-9]*\).responses $TYPE for rate limits.*/\1/p" |
+        tail -1`
+    C=`expr 0$C + 0`
+    
+    range "$C" $EXPECTED 1 ||
+    setret "wrong $LABEL $TYPE statistics of $C instead of $EXPECTED"
+}
+
+
+#########
+sec_start
+
+# Tests of referrals to "." must be done before the hints are loaded
+#   or with "additional-from-cache no"
+burst 5 a1.tld3 +norec
+# basic rate limiting
+burst 3 a1.tld2
+# delay allows an additional response.
+sleep 1
+burst 10 a1.tld2
+# Request 30 different qnames to try a wildcard.
+burst 30 'y.x$CNT.a2.tld2'
+
+#					IP      TC      drop  NXDOMAIN SERVFAIL NOERROR
+# referrals to "."
+ck_result   a1.tld3	x		0	1	2	0	0	2
+# check 13 results including 1 second delay that allows an additional response
+ck_result   a1.tld2	192.0.2.1	3	4	6	0	0	8
+
+# Check the wildcard answers.
+# The zone origin name of the 30 requests is counted.
+ck_result 'y.x*.a2.tld2'	192.0.2.2	2	10	18	0	0	12
+
+#########
+sec_start
+
+burst 10 'x.a3.tld3'
+burst 10 'y$CNT.a3.tld3'
+burst 10 'z$CNT.a4.tld2'
+
+# 10 identical recursive responses are limited
+ck_result 'x.a3.tld3'	192.0.3.3	2	3	5	0	0	5
+
+# 10 different recursive responses are not limited
+ck_result 'y*.a3.tld3'	192.0.3.3	10	0	0	0	0	10
+
+# 10 different NXDOMAIN responses are limited based on the parent name.
+#   We count 13 responses because we count truncated NXDOMAIN responses
+#   as both truncated and NXDOMAIN.
+ck_result 'z*.a4.tld2'	x		0	3	5	5	0	0
+
+$RNDCCMD $ns2 stats
+ckstats first dropped 36
+ckstats first truncated 21
+
+
+#########
+sec_start
+
+burst 10 a5.tld2 +tcp
+burst 10 a6.tld2 -b $ns7
+burst 10 a7.tld4
+burst 2 a8.tld2 -t AAAA
+burst 2 a8.tld2 -t TXT
+burst 2 a8.tld2 -t SPF
+
+#					IP      TC      drop  NXDOMAIN SERVFAIL NOERROR
+# TCP responses are not rate limited
+ck_result a5.tld2	192.0.2.5	10	0	0	0	0	10
+
+# whitelisted client is not rate limited
+ck_result a6.tld2	192.0.2.6	10	0	0	0	0	10
+
+# Errors such as SERVFAIL are rate limited.
+ck_result a7.tld4	x		0	0	8	0	2	0
+
+# NODATA responses are counted as the same regardless of qtype.
+ck_result a8.tld2	x		0	2	2	0	0	4
+
+$RNDCCMD $ns2 stats
+ckstats second dropped 46
+ckstats second truncated 23
+
+
+#########
+sec_start
+
+#					IP      TC      drop  NXDOMAIN SERVFAIL NOERROR
+# all-per-second
+#   The qnames are all unique but the client IP address is constant.
+QNUM=101
+burst 60 'all$CNT.a9.tld2'
+
+ck_result 'a*.a9.tld2'	192.0.2.8	50	0	10	0	0	50
+
+$RNDCCMD $ns2 stats
+ckstats final dropped 56
+ckstats final truncated 23
+
+#########
+sec_start
+
+DIGOPTS="+nocookie +nosearch +time=1 +tries=1 +ignore -p ${PORT}"
+$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1
+$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1
+$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1
+$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1
+$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1
+$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1
+$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1
+$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1
+$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1
+$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1
+$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1
+
+# regression test for GL #2839
+DIGOPTS="+bufsize=4096 +ignore -p ${PORT}"
+$DIG $DIGOPTS @$ns4 TXT big.tld4 > /dev/null 2>&1
+
+grep "would limit" ns4/named.run >/dev/null 2>&1 ||
+setret "\"would limit\" not found in log file."
+
+$NAMED -D rrl-ns5 -gc broken.conf > broken.out 2>&1 &
+sleep 2
+grep "min-table-size 1" broken.out > /dev/null || setret "min-table-size 0 was not changed to 1"
+
+if [ -f named.pid ]; then
+    $KILL `cat named.pid`
+    setret "named should not have started, but did"
+fi
+
+echo_i "exit status: $ret"
+[ $ret -eq 0 ] || exit 1
diff --git a/bin/tests/system/rrsetorder/clean.sh b/bin/tests/system/rrsetorder/clean.sh
new file mode 100644
index 0000000..c64ae34
--- /dev/null
+++ b/bin/tests/system/rrsetorder/clean.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f dig.out.test*
+rm -f dig.out.cyclic dig.out.fixed dig.out.random dig.out.nomatch dig.out.none
+rm -f dig.out.0 dig.out.1 dig.out.2 dig.out.3
+rm -f dig.out.cyclic2
+rm -f ns2/root.bk
+rm -f ns?/named.run ns?/named.core
+rm -f */named.memstats
+rm -f ns*/named.lock
+rm -f ns*/named.conf
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/rrsetorder/dig.out.fixed.good b/bin/tests/system/rrsetorder/dig.out.fixed.good
new file mode 100644
index 0000000..eaf9c63
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.fixed.good
@@ -0,0 +1,4 @@
+1.2.3.4
+1.2.3.3
+1.2.3.1
+1.2.3.2
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good1 b/bin/tests/system/rrsetorder/dig.out.random.good1
new file mode 100644
index 0000000..c272c75
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good1
@@ -0,0 +1,4 @@
+1.2.3.1
+1.2.3.2
+1.2.3.3
+1.2.3.4
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good10 b/bin/tests/system/rrsetorder/dig.out.random.good10
new file mode 100644
index 0000000..6a39e3f
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good10
@@ -0,0 +1,4 @@
+1.2.3.2
+1.2.3.3
+1.2.3.4
+1.2.3.1
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good11 b/bin/tests/system/rrsetorder/dig.out.random.good11
new file mode 100644
index 0000000..efbc792
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good11
@@ -0,0 +1,4 @@
+1.2.3.2
+1.2.3.4
+1.2.3.1
+1.2.3.3
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good12 b/bin/tests/system/rrsetorder/dig.out.random.good12
new file mode 100644
index 0000000..c859a2e
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good12
@@ -0,0 +1,4 @@
+1.2.3.2
+1.2.3.4
+1.2.3.3
+1.2.3.1
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good13 b/bin/tests/system/rrsetorder/dig.out.random.good13
new file mode 100644
index 0000000..49bf54b
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good13
@@ -0,0 +1,4 @@
+1.2.3.3
+1.2.3.1
+1.2.3.2
+1.2.3.4
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good14 b/bin/tests/system/rrsetorder/dig.out.random.good14
new file mode 100644
index 0000000..974aa89
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good14
@@ -0,0 +1,4 @@
+1.2.3.3
+1.2.3.1
+1.2.3.4
+1.2.3.2
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good15 b/bin/tests/system/rrsetorder/dig.out.random.good15
new file mode 100644
index 0000000..e8deb67
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good15
@@ -0,0 +1,4 @@
+1.2.3.3
+1.2.3.2
+1.2.3.1
+1.2.3.4
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good16 b/bin/tests/system/rrsetorder/dig.out.random.good16
new file mode 100644
index 0000000..f467087
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good16
@@ -0,0 +1,4 @@
+1.2.3.3
+1.2.3.2
+1.2.3.4
+1.2.3.1
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good17 b/bin/tests/system/rrsetorder/dig.out.random.good17
new file mode 100644
index 0000000..6082a25
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good17
@@ -0,0 +1,4 @@
+1.2.3.3
+1.2.3.4
+1.2.3.1
+1.2.3.2
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good18 b/bin/tests/system/rrsetorder/dig.out.random.good18
new file mode 100644
index 0000000..07eefa0
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good18
@@ -0,0 +1,4 @@
+1.2.3.3
+1.2.3.4
+1.2.3.2
+1.2.3.1
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good19 b/bin/tests/system/rrsetorder/dig.out.random.good19
new file mode 100644
index 0000000..a5530c6
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good19
@@ -0,0 +1,4 @@
+1.2.3.4
+1.2.3.1
+1.2.3.2
+1.2.3.3
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good2 b/bin/tests/system/rrsetorder/dig.out.random.good2
new file mode 100644
index 0000000..00da93a
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good2
@@ -0,0 +1,4 @@
+1.2.3.1
+1.2.3.2
+1.2.3.4
+1.2.3.3
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good20 b/bin/tests/system/rrsetorder/dig.out.random.good20
new file mode 100644
index 0000000..6dcf6da
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good20
@@ -0,0 +1,4 @@
+1.2.3.4
+1.2.3.1
+1.2.3.3
+1.2.3.2
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good21 b/bin/tests/system/rrsetorder/dig.out.random.good21
new file mode 100644
index 0000000..9dcc63f
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good21
@@ -0,0 +1,4 @@
+1.2.3.4
+1.2.3.2
+1.2.3.1
+1.2.3.3
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good22 b/bin/tests/system/rrsetorder/dig.out.random.good22
new file mode 100644
index 0000000..4c51aa6
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good22
@@ -0,0 +1,4 @@
+1.2.3.4
+1.2.3.2
+1.2.3.3
+1.2.3.1
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good23 b/bin/tests/system/rrsetorder/dig.out.random.good23
new file mode 100644
index 0000000..eaf9c63
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good23
@@ -0,0 +1,4 @@
+1.2.3.4
+1.2.3.3
+1.2.3.1
+1.2.3.2
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good24 b/bin/tests/system/rrsetorder/dig.out.random.good24
new file mode 100644
index 0000000..c25c756
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good24
@@ -0,0 +1,4 @@
+1.2.3.4
+1.2.3.3
+1.2.3.2
+1.2.3.1
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good3 b/bin/tests/system/rrsetorder/dig.out.random.good3
new file mode 100644
index 0000000..4d50059
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good3
@@ -0,0 +1,4 @@
+1.2.3.1
+1.2.3.3
+1.2.3.2
+1.2.3.4
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good4 b/bin/tests/system/rrsetorder/dig.out.random.good4
new file mode 100644
index 0000000..0b34afa
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good4
@@ -0,0 +1,4 @@
+1.2.3.1
+1.2.3.3
+1.2.3.4
+1.2.3.2
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good5 b/bin/tests/system/rrsetorder/dig.out.random.good5
new file mode 100644
index 0000000..efe0e25
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good5
@@ -0,0 +1,4 @@
+1.2.3.1
+1.2.3.4
+1.2.3.2
+1.2.3.3
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good6 b/bin/tests/system/rrsetorder/dig.out.random.good6
new file mode 100644
index 0000000..d2ca6fc
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good6
@@ -0,0 +1,4 @@
+1.2.3.1
+1.2.3.4
+1.2.3.3
+1.2.3.2
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good7 b/bin/tests/system/rrsetorder/dig.out.random.good7
new file mode 100644
index 0000000..0d8312a
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good7
@@ -0,0 +1,4 @@
+1.2.3.2
+1.2.3.1
+1.2.3.3
+1.2.3.4
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good8 b/bin/tests/system/rrsetorder/dig.out.random.good8
new file mode 100644
index 0000000..3b27693
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good8
@@ -0,0 +1,4 @@
+1.2.3.2
+1.2.3.1
+1.2.3.4
+1.2.3.3
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good9 b/bin/tests/system/rrsetorder/dig.out.random.good9
new file mode 100644
index 0000000..61192af
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good9
@@ -0,0 +1,4 @@
+1.2.3.2
+1.2.3.3
+1.2.3.1
+1.2.3.4
diff --git a/bin/tests/system/rrsetorder/ns1/named.conf.in b/bin/tests/system/rrsetorder/ns1/named.conf.in
new file mode 100644
index 0000000..98301c2
--- /dev/null
+++ b/bin/tests/system/rrsetorder/ns1/named.conf.in
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+	notify no;
+	rrset-order {
+		name "fixed.example" order fixed;
+		name "random.example" order random;
+		name "cyclic.example" order cyclic;
+		name "none.example" order none;
+		type NS order random;
+		order cyclic;
+	};
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+	notify explicit;
+	also-notify { 10.53.0.2; };
+};
diff --git a/bin/tests/system/rrsetorder/ns1/root.db b/bin/tests/system/rrsetorder/ns1/root.db
new file mode 100644
index 0000000..094eec7
--- /dev/null
+++ b/bin/tests/system/rrsetorder/ns1/root.db
@@ -0,0 +1,51 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+.                       SOA	hostmaster.isc.org. a.root-servers.nil. (
+				2000042100
+				600
+				600
+				1200
+				600 )
+.                       NS      a.root-servers.nil.
+.                       NS      cyclic.example.
+a.root-servers.nil.	A       10.53.0.1
+;
+fixed.example.		A	1.2.3.4
+fixed.example.		A	1.2.3.3
+fixed.example.		A	1.2.3.1
+fixed.example.		A	1.2.3.2
+;
+random.example.		A	1.2.3.1
+random.example.		A	1.2.3.2
+random.example.		A	1.2.3.3
+random.example.		A	1.2.3.4
+;
+cyclic.example.		A	1.2.3.4
+cyclic.example.		A	1.2.3.3
+cyclic.example.		A	1.2.3.2
+cyclic.example.		A	1.2.3.1
+;
+cyclic2.example.	A	1.2.3.4
+cyclic2.example.	A	1.2.3.3
+cyclic2.example.	A	1.2.3.2
+cyclic2.example.	A	1.2.3.1
+;
+nomatch.example.	A	1.2.3.1
+nomatch.example.	A	1.2.3.2
+nomatch.example.	A	1.2.3.3
+nomatch.example.	A	1.2.3.4
+;
+none.example.		A	1.2.3.1
+none.example.		A	1.2.3.2
+none.example.		A	1.2.3.3
+none.example.		A	1.2.3.4
diff --git a/bin/tests/system/rrsetorder/ns2/named.conf.in b/bin/tests/system/rrsetorder/ns2/named.conf.in
new file mode 100644
index 0000000..164400a
--- /dev/null
+++ b/bin/tests/system/rrsetorder/ns2/named.conf.in
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+	notify yes;
+	rrset-order {
+		name "fixed.example" order fixed;
+		name "random.example" order random;
+		name "cyclic.example" order cyclic;
+		name "none.example" order none;
+		type NS order random;
+		order cyclic;
+	};
+};
+
+zone "." {
+	type secondary;
+	primaries { 10.53.0.1; };
+	file "root.bk";
+};
diff --git a/bin/tests/system/rrsetorder/ns3/named.conf.in b/bin/tests/system/rrsetorder/ns3/named.conf.in
new file mode 100644
index 0000000..a5850ca
--- /dev/null
+++ b/bin/tests/system/rrsetorder/ns3/named.conf.in
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	notify yes;
+	rrset-order {
+		name "fixed.example" order fixed;
+		name "random.example" order random;
+		name "cyclic.example" order cyclic;
+		name "none.example" order none;
+		type NS order random;
+		order cyclic;
+	};
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
diff --git a/bin/tests/system/rrsetorder/ns4/named.conf.in b/bin/tests/system/rrsetorder/ns4/named.conf.in
new file mode 100644
index 0000000..d12f50f
--- /dev/null
+++ b/bin/tests/system/rrsetorder/ns4/named.conf.in
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	notify yes;
+	rrset-order {
+		class IN type A name "host.example.com" order random;
+	};
+
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
diff --git a/bin/tests/system/rrsetorder/ns5/named.conf.in b/bin/tests/system/rrsetorder/ns5/named.conf.in
new file mode 100644
index 0000000..d1a4cfa
--- /dev/null
+++ b/bin/tests/system/rrsetorder/ns5/named.conf.in
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.5;
+	notify-source 10.53.0.5;
+	transfer-source 10.53.0.5;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.5; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	notify yes;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
diff --git a/bin/tests/system/rrsetorder/setup.sh b/bin/tests/system/rrsetorder/setup.sh
new file mode 100644
index 0000000..4b4a4c8
--- /dev/null
+++ b/bin/tests/system/rrsetorder/setup.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
diff --git a/bin/tests/system/rrsetorder/tests.sh b/bin/tests/system/rrsetorder/tests.sh
new file mode 100644
index 0000000..0f5ce8a
--- /dev/null
+++ b/bin/tests/system/rrsetorder/tests.sh
@@ -0,0 +1,553 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="+nosea +nocomm +nocmd +noquest +noadd +noauth +nocomm +nostat +short +nocookie"
+DIGCMD="$DIG $DIGOPTS -p ${PORT}"
+
+status=0
+
+GOOD_RANDOM="1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24"
+GOOD_RANDOM_NO=24
+
+if grep "^#define DNS_RDATASET_FIXED" $TOP/config.h > /dev/null 2>&1 ; then
+    test_fixed=true
+else
+    echo_i "Order 'fixed' disabled at compile time"
+    test_fixed=false
+fi
+
+#
+#
+#
+if $test_fixed; then
+    echo_i "Checking order fixed (primary)"
+    ret=0
+    for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
+    do
+    $DIGCMD @10.53.0.1 fixed.example > dig.out.fixed || ret=1
+    $DIFF dig.out.fixed dig.out.fixed.good >/dev/null || ret=1
+    done
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status + ret))
+else
+    echo_i "Checking order fixed behaves as cyclic when disabled (primary)"
+    ret=0
+    matches=0
+    for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
+    do
+	j=$((i % 4))
+	$DIGCMD @10.53.0.1 fixed.example > dig.out.fixed  || ret=1
+	if [ $i -le 4 ]; then
+	    cp dig.out.fixed dig.out.$j
+	else
+	    $DIFF dig.out.fixed dig.out.$j >/dev/null && matches=$((matches + 1))
+	fi
+    done
+    $DIFF dig.out.0 dig.out.1 >/dev/null && ret=1
+    $DIFF dig.out.0 dig.out.2 >/dev/null && ret=1
+    $DIFF dig.out.0 dig.out.3 >/dev/null && ret=1
+    $DIFF dig.out.1 dig.out.2 >/dev/null && ret=1
+    $DIFF dig.out.1 dig.out.3 >/dev/null && ret=1
+    $DIFF dig.out.2 dig.out.3 >/dev/null && ret=1
+    if [ $matches -ne 16 ]; then ret=1; fi
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status + ret))
+fi
+
+#
+#
+#
+echo_i "Checking order cyclic (primary + additional)"
+ret=0
+matches=0
+for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
+do
+    j=$((i % 4))
+    $DIGCMD @10.53.0.1 cyclic.example > dig.out.cyclic || ret=1
+    if [ $i -le 4 ]; then
+	cp dig.out.cyclic dig.out.$j
+    else
+	$DIFF dig.out.cyclic dig.out.$j >/dev/null && matches=$((matches + 1))
+    fi
+done
+$DIFF dig.out.0 dig.out.1 >/dev/null && ret=1
+$DIFF dig.out.0 dig.out.2 >/dev/null && ret=1
+$DIFF dig.out.0 dig.out.3 >/dev/null && ret=1
+$DIFF dig.out.1 dig.out.2 >/dev/null && ret=1
+$DIFF dig.out.1 dig.out.3 >/dev/null && ret=1
+$DIFF dig.out.2 dig.out.3 >/dev/null && ret=1
+if [ $matches -ne 16 ]; then ret=1; fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+#
+#
+#
+echo_i "Checking order cyclic (primary)"
+ret=0
+matches=0
+for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
+do
+    j=$((i % 4))
+    $DIGCMD @10.53.0.1 cyclic2.example > dig.out.cyclic2 || ret=1
+    if [ $i -le 4 ]; then
+	cp dig.out.cyclic2 dig.out.$j
+    else
+	$DIFF dig.out.cyclic2 dig.out.$j >/dev/null && matches=$((matches + 1))
+    fi
+done
+$DIFF dig.out.0 dig.out.1 >/dev/null && ret=1
+$DIFF dig.out.0 dig.out.2 >/dev/null && ret=1
+$DIFF dig.out.0 dig.out.3 >/dev/null && ret=1
+$DIFF dig.out.1 dig.out.2 >/dev/null && ret=1
+$DIFF dig.out.1 dig.out.3 >/dev/null && ret=1
+$DIFF dig.out.2 dig.out.3 >/dev/null && ret=1
+if [ $matches -ne 16 ]; then ret=1; fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+echo_i "Checking order random (primary)"
+ret=0
+for i in $GOOD_RANDOM
+do
+    eval match$i=0
+done
+for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 9
+do
+    $DIGCMD @10.53.0.1 random.example > dig.out.random || ret=1
+    match=0
+    for j in $GOOD_RANDOM
+    do
+	eval "$DIFF dig.out.random dig.out.random.good$j >/dev/null && match$j=1 match=1"
+	if [ $match -eq 1 ]; then break; fi
+    done
+    if [ $match -eq 0 ]; then ret=1; fi
+done
+match=0
+for i in $GOOD_RANDOM
+do
+     eval "match=\$((match + match$i))"
+done
+echo_i "Random selection return $match of ${GOOD_RANDOM_NO} possible orders in 36 samples"
+if [ $match -lt $((GOOD_RANDOM_NO / 3)) ]; then ret=1; fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "Checking order none (primary)"
+ret=0
+# Fetch the "reference" response and ensure it contains the expected records.
+$DIGCMD @10.53.0.1 none.example > dig.out.none || ret=1
+for i in 1 2 3 4; do
+    grep -F -q 1.2.3.$i dig.out.none || ret=1
+done
+# Ensure 20 further queries result in the same response as the "reference" one.
+for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do
+    $DIGCMD @10.53.0.1 none.example > dig.out.test$i || ret=1
+    $DIFF dig.out.none dig.out.test$i >/dev/null || ret=1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+#
+#
+#
+if $test_fixed; then
+    echo_i "Checking order fixed (secondary)"
+    ret=0
+    for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
+    do
+    $DIGCMD @10.53.0.2 fixed.example > dig.out.fixed || ret=1
+    $DIFF dig.out.fixed dig.out.fixed.good || ret=1
+    done
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status + ret))
+fi
+
+#
+#
+#
+echo_i "Checking order cyclic (secondary + additional)"
+ret=0
+matches=0
+for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
+do
+    j=$((i % 4))
+    $DIGCMD @10.53.0.2 cyclic.example > dig.out.cyclic || ret=1
+    if [ $i -le 4 ]; then
+	cp dig.out.cyclic dig.out.$j
+    else
+	$DIFF dig.out.cyclic dig.out.$j >/dev/null && matches=$((matches + 1))
+    fi
+done
+$DIFF dig.out.0 dig.out.1 >/dev/null && ret=1
+$DIFF dig.out.0 dig.out.2 >/dev/null && ret=1
+$DIFF dig.out.0 dig.out.3 >/dev/null && ret=1
+$DIFF dig.out.1 dig.out.2 >/dev/null && ret=1
+$DIFF dig.out.1 dig.out.3 >/dev/null && ret=1
+$DIFF dig.out.2 dig.out.3 >/dev/null && ret=1
+if [ $matches -ne 16 ]; then ret=1; fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+#
+#
+#
+echo_i "Checking order cyclic (secondary)"
+ret=0
+matches=0
+for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
+do
+    j=$((i % 4))
+    $DIGCMD @10.53.0.2 cyclic2.example > dig.out.cyclic2 || ret=1
+    if [ $i -le 4 ]; then
+	cp dig.out.cyclic2 dig.out.$j
+    else
+	$DIFF dig.out.cyclic2 dig.out.$j >/dev/null && matches=$((matches + 1))
+    fi
+done
+$DIFF dig.out.0 dig.out.1 >/dev/null && ret=1
+$DIFF dig.out.0 dig.out.2 >/dev/null && ret=1
+$DIFF dig.out.0 dig.out.3 >/dev/null && ret=1
+$DIFF dig.out.1 dig.out.2 >/dev/null && ret=1
+$DIFF dig.out.1 dig.out.3 >/dev/null && ret=1
+$DIFF dig.out.2 dig.out.3 >/dev/null && ret=1
+if [ $matches -ne 16 ]; then ret=1; fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "Checking order random (secondary)"
+ret=0
+for i in $GOOD_RANDOM
+do
+    eval match$i=0
+done
+for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 9
+do
+    $DIGCMD @10.53.0.2 random.example > dig.out.random || ret=1
+    match=0
+    for j in $GOOD_RANDOM
+    do
+	eval "$DIFF dig.out.random dig.out.random.good$j >/dev/null && match$j=1 match=1"
+	if [ $match -eq 1 ]; then break; fi
+    done
+    if [ $match -eq 0 ]; then ret=1; fi
+done
+match=0
+for i in $GOOD_RANDOM
+do
+     eval "match=\$((match + match$i))"
+done
+echo_i "Random selection return $match of ${GOOD_RANDOM_NO} possible orders in 36 samples"
+if [ $match -lt $((GOOD_RANDOM_NO / 3)) ]; then ret=1; fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "Checking order none (secondary)"
+ret=0
+# Fetch the "reference" response and ensure it contains the expected records.
+$DIGCMD @10.53.0.2 none.example > dig.out.none || ret=1
+for i in 1 2 3 4; do
+    grep -F -q 1.2.3.$i dig.out.none || ret=1
+done
+# Ensure 20 further queries result in the same response as the "reference" one.
+for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do
+    $DIGCMD @10.53.0.2 none.example > dig.out.test$i || ret=1
+    $DIFF dig.out.none dig.out.test$i >/dev/null || ret=1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "Shutting down secondary"
+
+stop_server ns2
+
+echo_i "Checking for secondary's on disk copy of zone"
+
+if [ ! -f ns2/root.bk ]
+then
+    echo_i "failed";
+    status=$((status + 1))
+fi
+
+echo_i "Re-starting secondary"
+
+start_server --noclean --restart --port ${PORT} ns2
+
+#
+#
+#
+if $test_fixed; then
+    echo_i "Checking order fixed (secondary loaded from disk)"
+    ret=0
+    for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
+    do
+    $DIGCMD @10.53.0.2 fixed.example > dig.out.fixed || ret=1
+    $DIFF dig.out.fixed dig.out.fixed.good || ret=1
+    done
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status + ret))
+fi
+
+#
+#
+#
+echo_i "Checking order cyclic (secondary + additional, loaded from disk)"
+ret=0
+matches=0
+for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
+do
+    j=$((i % 4))
+    $DIGCMD @10.53.0.2 cyclic.example > dig.out.cyclic || ret=1
+    if [ $i -le 4 ]; then
+	cp dig.out.cyclic dig.out.$j
+    else
+	$DIFF dig.out.cyclic dig.out.$j >/dev/null && matches=$((matches + 1))
+    fi
+done
+$DIFF dig.out.0 dig.out.1 >/dev/null && ret=1
+$DIFF dig.out.0 dig.out.2 >/dev/null && ret=1
+$DIFF dig.out.0 dig.out.3 >/dev/null && ret=1
+$DIFF dig.out.1 dig.out.2 >/dev/null && ret=1
+$DIFF dig.out.1 dig.out.3 >/dev/null && ret=1
+$DIFF dig.out.2 dig.out.3 >/dev/null && ret=1
+if [ $matches -ne 16 ]; then ret=1; fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+#
+#
+#
+echo_i "Checking order cyclic (secondary loaded from disk)"
+ret=0
+matches=0
+for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
+do
+    j=$((i % 4))
+    $DIGCMD @10.53.0.2 cyclic2.example > dig.out.cyclic2 || ret=1
+    if [ $i -le 4 ]; then
+	cp dig.out.cyclic2 dig.out.$j
+    else
+	$DIFF dig.out.cyclic2 dig.out.$j >/dev/null && matches=$((matches + 1))
+    fi
+done
+$DIFF dig.out.0 dig.out.1 >/dev/null && ret=1
+$DIFF dig.out.0 dig.out.2 >/dev/null && ret=1
+$DIFF dig.out.0 dig.out.3 >/dev/null && ret=1
+$DIFF dig.out.1 dig.out.2 >/dev/null && ret=1
+$DIFF dig.out.1 dig.out.3 >/dev/null && ret=1
+$DIFF dig.out.2 dig.out.3 >/dev/null && ret=1
+if [ $matches -ne 16 ]; then ret=1; fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "Checking order random (secondary loaded from disk)"
+ret=0
+for i in $GOOD_RANDOM
+do
+    eval match$i=0
+done
+for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 9
+do
+    $DIGCMD @10.53.0.2 random.example > dig.out.random || ret=1
+    match=0
+    for j in $GOOD_RANDOM
+    do
+	eval "$DIFF dig.out.random dig.out.random.good$j >/dev/null && match$j=1 match=1"
+	if [ $match -eq 1 ]; then break; fi
+    done
+    if [ $match -eq 0 ]; then ret=1; fi
+done
+match=0
+for i in $GOOD_RANDOM
+do
+    eval "match=\$((match + match$i))"
+done
+echo_i "Random selection return $match of ${GOOD_RANDOM_NO} possible orders in 36 samples"
+if [ $match -lt $((GOOD_RANDOM_NO / 3)) ]; then ret=1; fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "Checking order none (secondary loaded from disk)"
+ret=0
+# Fetch the "reference" response and ensure it contains the expected records.
+$DIGCMD @10.53.0.2 none.example > dig.out.none || ret=1
+for i in 1 2 3 4; do
+    grep -F -q 1.2.3.$i dig.out.none || ret=1
+done
+# Ensure 20 further queries result in the same response as the "reference" one.
+for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do
+    $DIGCMD @10.53.0.2 none.example > dig.out.test$i || ret=1
+    $DIFF dig.out.none dig.out.test$i >/dev/null || ret=1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+#
+#
+#
+if $test_fixed; then
+    echo_i "Checking order fixed (cache)"
+    ret=0
+    for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
+    do
+    $DIGCMD @10.53.0.3 fixed.example > dig.out.fixed || ret=1
+    $DIFF dig.out.fixed dig.out.fixed.good || ret=1
+    done
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status + ret))
+fi
+
+#
+#
+#
+echo_i "Checking order cyclic (cache + additional)"
+ret=0
+# prime acache
+$DIGCMD @10.53.0.3 cyclic.example > dig.out.cyclic || ret=1
+matches=0
+for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
+do
+    j=$((i % 4))
+    $DIGCMD @10.53.0.3 cyclic.example > dig.out.cyclic || ret=1
+    if [ $i -le 4 ]; then
+	cp dig.out.cyclic dig.out.$j
+    else
+	$DIFF dig.out.cyclic dig.out.$j >/dev/null && matches=$((matches + 1))
+    fi
+done
+$DIFF dig.out.0 dig.out.1 >/dev/null && ret=1
+$DIFF dig.out.0 dig.out.2 >/dev/null && ret=1
+$DIFF dig.out.0 dig.out.3 >/dev/null && ret=1
+$DIFF dig.out.1 dig.out.2 >/dev/null && ret=1
+$DIFF dig.out.1 dig.out.3 >/dev/null && ret=1
+$DIFF dig.out.2 dig.out.3 >/dev/null && ret=1
+if [ $matches -ne 16 ]; then ret=1; fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+#
+#
+#
+echo_i "Checking order cyclic (cache)"
+ret=0
+# prime acache
+$DIGCMD @10.53.0.3 cyclic2.example > dig.out.cyclic2 || ret=1
+matches=0
+for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
+do
+    j=$((i % 4))
+    $DIGCMD @10.53.0.3 cyclic2.example > dig.out.cyclic2 || ret=1
+    if [ $i -le 4 ]; then
+	cp dig.out.cyclic2 dig.out.$j
+    else
+	$DIFF dig.out.cyclic2 dig.out.$j >/dev/null && matches=$((matches + 1))
+    fi
+done
+$DIFF dig.out.0 dig.out.1 >/dev/null && ret=1
+$DIFF dig.out.0 dig.out.2 >/dev/null && ret=1
+$DIFF dig.out.0 dig.out.3 >/dev/null && ret=1
+$DIFF dig.out.1 dig.out.2 >/dev/null && ret=1
+$DIFF dig.out.1 dig.out.3 >/dev/null && ret=1
+$DIFF dig.out.2 dig.out.3 >/dev/null && ret=1
+if [ $matches -ne 16 ]; then ret=1; fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "Checking order random (cache)"
+ret=0
+for i in $GOOD_RANDOM
+do
+    eval match$i=0
+done
+for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 9
+do
+    $DIGCMD @10.53.0.3 random.example > dig.out.random || ret=1
+    match=0
+    for j in $GOOD_RANDOM
+    do
+	eval "$DIFF dig.out.random dig.out.random.good$j >/dev/null && match$j=1 match=1"
+	if [ $match -eq 1 ]; then break; fi
+    done
+    if [ $match -eq 0 ]; then ret=1; fi
+done
+match=0
+for i in $GOOD_RANDOM
+do
+     eval "match=\$((match + match$i))"
+done
+echo_i "Random selection return $match of ${GOOD_RANDOM_NO} possible orders in 36 samples"
+if [ $match -lt $((GOOD_RANDOM_NO / 3)) ]; then ret=1; fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "Checking order none (cache)"
+ret=0
+# Fetch the "reference" response and ensure it contains the expected records.
+$DIGCMD @10.53.0.3 none.example > dig.out.none || ret=1
+for i in 1 2 3 4; do
+    grep -F -q 1.2.3.$i dig.out.none || ret=1
+done
+# Ensure 20 further queries result in the same response as the "reference" one.
+for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do
+    $DIGCMD @10.53.0.3 none.example > dig.out.test$i || ret=1
+    $DIFF dig.out.none dig.out.test$i >/dev/null || ret=1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "Checking default order (cache)"
+ret=0
+for i in $GOOD_RANDOM
+do
+    eval match$i=0
+done
+for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 9
+do
+    $DIGCMD @10.53.0.5 random.example > dig.out.random || ret=1
+    match=0
+    for j in $GOOD_RANDOM
+    do
+	eval "$DIFF dig.out.random dig.out.random.good$j >/dev/null && match$j=1 match=1"
+	if [ $match -eq 1 ]; then break; fi
+    done
+    if [ $match -eq 0 ]; then ret=1; fi
+done
+match=0
+for i in $GOOD_RANDOM
+do
+     eval "match=\$((match + match$i))"
+done
+echo_i "Default selection return $match of ${GOOD_RANDOM_NO} possible orders in 36 samples"
+if [ $match -lt $((GOOD_RANDOM_NO / 3)) ]; then ret=1; fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "Checking default order no match in rrset-order (cache)"
+ret=0
+# Fetch the "reference" response and ensure it contains the expected records.
+$DIGCMD @10.53.0.4 nomatch.example > dig.out.nomatch || ret=1
+for i in 1 2 3 4; do
+    grep -F -q 1.2.3.$i dig.out.nomatch || ret=1
+done
+# Ensure 20 further queries result in the same response as the "reference" one.
+for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do
+    $DIGCMD @10.53.0.4 nomatch.example > dig.out.test$i || ret=1
+    $DIFF dig.out.nomatch dig.out.test$i >/dev/null || ret=1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/rsabigexponent/Makefile.in b/bin/tests/system/rsabigexponent/Makefile.in
new file mode 100644
index 0000000..550263c
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/Makefile.in
@@ -0,0 +1,51 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES} \
+		${OPENSSL_CFLAGS}
+
+CDEFINES =
+CWARNINGS =
+
+DNSLIBS =	../../../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+ISCLIBS =	../../../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+
+DNSDEPLIBS =	../../../../lib/dns/libdns.@A@
+ISCDEPLIBS =	../../../../lib/isc/libisc.@A@
+
+DEPLIBS =	${DNSDEPLIBS} ${ISCDEPLIBS}
+
+LIBS =		${DNSLIBS} ${ISCLIBS} ${OPENSSL_LIBS} @LIBS@
+
+TARGETS =	bigkey@EXEEXT@
+
+OBJS =		bigkey.@O@
+
+SRCS =		bigkey.c
+
+@BIND9_MAKE_RULES@
+
+all: bigkey@EXEEXT@
+
+bigkey@EXEEXT@: ${OBJS} ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ ${OBJS} ${LIBS}
+
+clean distclean::
+	rm -f ${TARGETS}
+
diff --git a/bin/tests/system/rsabigexponent/README.md b/bin/tests/system/rsabigexponent/README.md
new file mode 100644
index 0000000..44afdbd
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/README.md
@@ -0,0 +1,39 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0.  If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+
+The `rsabigexponent` test is used to `check max-rsa-exponent-size`.
+
+We only run this test on builds without PKCS#11, as we have control over
+the RSA exponent size with plain OpenSSL. We have not explored how to do
+this with PKCS#11, which would require generating such a key and then
+signing a zone with it. Additionally, even with control of the exponent
+size with PKCS#11, generating a DNSKEY with this property and signing
+such a zone would be slow and undesirable for each test run; instead, we
+use a pregenerated DNSKEY and a saved signed zone.  These are located in
+`rsabigexponent/ns2` and currently use RSASHA1 for the `DNSKEY`
+algorithm; however, that may need to be changed in the future.
+
+To generate the `DNSKEY` used in this test, we used `bigkey.c`, as
+dnssec-keygen is not capable of generating such keys.
+
+Do **not** remove `bigkey.c` as it may be needed to generate a new
+`DNSKEY` for testing purposes.
+
+`bigkey` is used to both test that we are not running under PKCS#11 and
+generate a `DNSKEY` key with a large RSA exponent.
+
+To regenerate `ns2/example.db.bad` comment out the range test in
+opensslrsa_parse before signing the zone with a ZSK key generated
+by `bigkey`.
+
+        if (BN_num_bits(e) > RSA_MAX_PUBEXP_BITS) {
+                DST_RET(ISC_R_RANGE);
+        }
diff --git a/bin/tests/system/rsabigexponent/bigkey.c b/bin/tests/system/rsabigexponent/bigkey.c
new file mode 100644
index 0000000..ea57b34
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/bigkey.c
@@ -0,0 +1,162 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/region.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#define DST_KEY_INTERNAL
+
+#include <openssl/bn.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/rsa.h>
+
+#include <dns/dnssec.h>
+#include <dns/fixedname.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/name.h>
+#include <dns/rdataclass.h>
+#include <dns/result.h>
+#include <dns/secalg.h>
+
+#include <dst/dst.h>
+#include <dst/result.h>
+
+dst_key_t *key;
+dns_fixedname_t fname;
+dns_name_t *name;
+unsigned int bits = 2048U;
+isc_mem_t *mctx;
+isc_log_t *log_;
+isc_logconfig_t *logconfig;
+int level = ISC_LOG_WARNING;
+isc_logdestination_t destination;
+char filename[255];
+isc_result_t result;
+isc_buffer_t buf;
+RSA *rsa;
+BIGNUM *e;
+EVP_PKEY *pkey;
+
+#define CHECK(op, msg)                                                        \
+	do {                                                                  \
+		result = (op);                                                \
+		if (result != ISC_R_SUCCESS) {                                \
+			fprintf(stderr,                                       \
+				"fatal error: %s returns %s at file %s line " \
+				"%d\n",                                       \
+				msg, isc_result_totext(result), __FILE__,     \
+				__LINE__);                                    \
+			exit(1);                                              \
+		}                                                             \
+	} while (0)
+
+int
+main(int argc, char **argv) {
+	UNUSED(argc);
+	UNUSED(argv);
+
+#if !USE_PKCS11
+
+	rsa = RSA_new();
+	e = BN_new();
+	pkey = EVP_PKEY_new();
+
+	if ((rsa == NULL) || (e == NULL) || (pkey == NULL) ||
+	    !EVP_PKEY_set1_RSA(pkey, rsa))
+	{
+		fprintf(stderr, "fatal error: basic OpenSSL failure\n");
+		exit(1);
+	}
+
+	/* e = 0x1000000000001 */
+	BN_set_bit(e, 0);
+	BN_set_bit(e, 48);
+
+	if (RSA_generate_key_ex(rsa, bits, e, NULL)) {
+		BN_free(e);
+		RSA_free(rsa);
+	} else {
+		fprintf(stderr,
+			"fatal error: RSA_generate_key_ex() fails "
+			"at file %s line %d\n",
+			__FILE__, __LINE__);
+		exit(1);
+	}
+
+	dns_result_register();
+
+	isc_mem_create(&mctx);
+	CHECK(dst_lib_init(mctx, NULL), "dst_lib_init()");
+	isc_log_create(mctx, &log_, &logconfig);
+	isc_log_setcontext(log_);
+	dns_log_init(log_);
+	dns_log_setcontext(log_);
+	isc_log_settag(logconfig, "bigkey");
+
+	destination.file.stream = stderr;
+	destination.file.name = NULL;
+	destination.file.versions = ISC_LOG_ROLLNEVER;
+	destination.file.maximum_size = 0;
+	isc_log_createchannel(logconfig, "stderr", ISC_LOG_TOFILEDESC, level,
+			      &destination,
+			      ISC_LOG_PRINTTAG | ISC_LOG_PRINTLEVEL);
+
+	CHECK(isc_log_usechannel(logconfig, "stderr", NULL, NULL), "isc_log_"
+								   "usechannel("
+								   ")");
+	name = dns_fixedname_initname(&fname);
+	isc_buffer_constinit(&buf, "example.", strlen("example."));
+	isc_buffer_add(&buf, strlen("example."));
+	CHECK(dns_name_fromtext(name, &buf, dns_rootname, 0, NULL), "dns_name_"
+								    "fromtext("
+								    "\"example."
+								    "\")");
+
+	CHECK(dst_key_buildinternal(name, DNS_KEYALG_RSASHA256, bits,
+				    DNS_KEYOWNER_ZONE, DNS_KEYPROTO_DNSSEC,
+				    dns_rdataclass_in, pkey, mctx, &key),
+	      "dst_key_buildinternal(...)");
+
+	CHECK(dst_key_tofile(key, DST_TYPE_PRIVATE | DST_TYPE_PUBLIC, NULL),
+	      "dst_key_tofile()");
+	isc_buffer_init(&buf, filename, sizeof(filename) - 1);
+	isc_buffer_clear(&buf);
+	CHECK(dst_key_buildfilename(key, 0, NULL, &buf), "dst_key_"
+							 "buildfilename()");
+	printf("%s\n", filename);
+	dst_key_free(&key);
+
+	isc_log_destroy(&log_);
+	isc_log_setcontext(NULL);
+	dns_log_setcontext(NULL);
+	dst_lib_destroy();
+	isc_mem_destroy(&mctx);
+	return (0);
+#else  /* !USE_PKCS11 */
+	return (1);
+#endif /* !USE_PKC11 */
+}
+
+/*! \file */
diff --git a/bin/tests/system/rsabigexponent/clean.sh b/bin/tests/system/rsabigexponent/clean.sh
new file mode 100644
index 0000000..22ea41a
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/clean.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f K* */K* */dsset-*. */*.signed */trusted.conf */tmp*
+rm -f ns*/dsset-example
+rm -f ns*/named.run
+rm -f ns*/named.memstats
+rm -f ns1/root.db
+rm -f ns2/signer.err
+rm -f dig.out.*
+rm -f ns*/named.lock
+rm -f ns*/named.conf
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/rsabigexponent/conf/bad01.conf b/bin/tests/system/rsabigexponent/conf/bad01.conf
new file mode 100644
index 0000000..720d197
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/conf/bad01.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	max-rsa-exponent-size 1;
+};
diff --git a/bin/tests/system/rsabigexponent/conf/bad02.conf b/bin/tests/system/rsabigexponent/conf/bad02.conf
new file mode 100644
index 0000000..bd1e827
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/conf/bad02.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	max-rsa-exponent-size 34;
+};
diff --git a/bin/tests/system/rsabigexponent/conf/bad03.conf b/bin/tests/system/rsabigexponent/conf/bad03.conf
new file mode 100644
index 0000000..4331b52
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/conf/bad03.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	max-rsa-exponent-size 4097;
+};
diff --git a/bin/tests/system/rsabigexponent/conf/good01.conf b/bin/tests/system/rsabigexponent/conf/good01.conf
new file mode 100644
index 0000000..1d2cd01
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/conf/good01.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	max-rsa-exponent-size 0;
+};
diff --git a/bin/tests/system/rsabigexponent/conf/good02.conf b/bin/tests/system/rsabigexponent/conf/good02.conf
new file mode 100644
index 0000000..861e054
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/conf/good02.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	max-rsa-exponent-size 35;
+};
diff --git a/bin/tests/system/rsabigexponent/conf/good03.conf b/bin/tests/system/rsabigexponent/conf/good03.conf
new file mode 100644
index 0000000..14a98f8
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/conf/good03.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	max-rsa-exponent-size 4096;
+};
diff --git a/bin/tests/system/rsabigexponent/ns1/named.conf.in b/bin/tests/system/rsabigexponent/ns1/named.conf.in
new file mode 100644
index 0000000..4a9822d
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns1/named.conf.in
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	dnssec-validation yes;
+};
+
+zone "." {
+	type primary;
+	file "root.db.signed";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/rsabigexponent/ns1/root.db.in b/bin/tests/system/rsabigexponent/ns1/root.db.in
new file mode 100644
index 0000000..0486325
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns1/root.db.in
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL	300
+.		IN SOA	gson.nominum.com. a.root.servers.nil. (
+			2012050600	; serial
+			3600		; refresh
+			1200		; retry
+			604800		; expire
+			60		; minimum			
+			)
+@		NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+;
+example.	NS	ns2.example.
+ns2.example.	A	10.53.0.2
diff --git a/bin/tests/system/rsabigexponent/ns1/sign.sh b/bin/tests/system/rsabigexponent/ns1/sign.sh
new file mode 100755
index 0000000..d045fe2
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns1/sign.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=.
+infile=root.db.in
+zonefile=root.db
+
+cp ../ns2/dsset-example.in dsset-example$TP
+
+keyname=`$KEYGEN -q -a RSASHA256 -b 2048 -n zone $zone`
+
+cat $infile $keyname.key > $zonefile
+
+$SIGNER -P -g -o $zone $zonefile > /dev/null
+
+# Configure the resolving server with a static key.
+keyfile_to_static_ds $keyname > trusted.conf
+cp trusted.conf ../ns2/trusted.conf
+cp trusted.conf ../ns3/trusted.conf
+
+cd ../ns2 && $SHELL -e ./sign.sh
diff --git a/bin/tests/system/rsabigexponent/ns2/Xexample.+008+51650.key b/bin/tests/system/rsabigexponent/ns2/Xexample.+008+51650.key
new file mode 100644
index 0000000..60ff187
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns2/Xexample.+008+51650.key
@@ -0,0 +1,5 @@
+; This is a key-signing key, keyid 51650, for example.
+; Created: 20220721024334 (Thu Jul 21 12:43:34 2022)
+; Publish: 20220721024334 (Thu Jul 21 12:43:34 2022)
+; Activate: 20220721024334 (Thu Jul 21 12:43:34 2022)
+example. IN DNSKEY 257 3 8 AwEAAeeXAGBcXxSNj5X/PWT8XDBk4U9OUkZ7YKQBf2IN3V6OZomt/s3F UWIh70Wot+z1Ld3Rfswq1DjCaWNRFOMhs+9j3Fhc46wMZ4pnsDW1nLHk 2TnQRdrbiuhLkQy5oNMjSRxu924XLw5ylsuqjxE7vXcCeKSFe674roSq wo39atWsTJMDz0FQGxlPucnXai0nHoCeC7+u1s+wLaGcpNSZlsab7Zny FD4HZ3HKUCJw/Jjr5CZjqal9KdmWSC1SINRtlAN6PX5VSiNEncnYMCdj iv+ZhRGn+aHh1BmEWomGbAm2Jjw5mrYMgDs9lJRc5Vtg0YXb9OkYvxNF V4QGw1oeF+M=
diff --git a/bin/tests/system/rsabigexponent/ns2/Xexample.+008+51650.private b/bin/tests/system/rsabigexponent/ns2/Xexample.+008+51650.private
new file mode 100644
index 0000000..d38a0b3
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns2/Xexample.+008+51650.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: 55cAYFxfFI2Plf89ZPxcMGThT05SRntgpAF/Yg3dXo5mia3+zcVRYiHvRai37PUt3dF+zCrUOMJpY1EU4yGz72PcWFzjrAxnimewNbWcseTZOdBF2tuK6EuRDLmg0yNJHG73bhcvDnKWy6qPETu9dwJ4pIV7rviuhKrCjf1q1axMkwPPQVAbGU+5yddqLScegJ4Lv67Wz7AtoZyk1JmWxpvtmfIUPgdnccpQInD8mOvkJmOpqX0p2ZZILVIg1G2UA3o9flVKI0SdydgwJ2OK/5mFEaf5oeHUGYRaiYZsCbYmPDmatgyAOz2UlFzlW2DRhdv06Ri/E0VXhAbDWh4X4w==
+PublicExponent: AQAB
+PrivateExponent: QaMgBa+YeRxIElS1g14tCMBGxXHmyrgkI0eTYWiZkbedYy8v1QU0NDJ2/NC9VEkHF2PNYrNO08lyEiaEW32NYG92n4qwMm6PmAAcRpSzFQ5N7N9VNRrdK0pjkW45IS5Shd8DfK3QdfFPQOkVxGYgpE7Mf6Cfde9gkxRMsO6erXEud6KyBm8kwBR/ipDeUQvpyGkZEQPjLxJG6REjMVhPKTzCV+82DWEf+Ok/3Uxa94+ocAbySHAV3j4YcWpVGWT002gc6CGk8c6TsPYnDkfKQ3moPQZijH7F8zrARtoobCX9TsMFhBqReceZrbzN7en2cZGR5MSISzoTNSr4rGo6aQ==
+Prime1: 8AV9EllWtclD62XHo95Z3h7JJ9t2gY7fUFG0WMbkI0Wj6kcr7k3bFfLj7GEJ1qgVW4Qpu7XnBvPB9hnqoCkbHLzc8ws1D2tY+PsXzvw9IxoXNM/eCobeulu/rYhJl2PcpY9bPcaaR0hldGoCHdFYSo8oi+C5hfRtIMVjnDtHSmk=
+Prime2: 9wHRxgyHjtl8ro9HAkvujxFkhChm4xLxIRM8pfZ+D1VHpzFRD3/RK8CVYVRB8GsQoFRygHBMOW1oHqynN9jddvJrQbHOqFZAbQQlesp0jRPd9Mm6q0cDwYcD4apscB2CUrUswMzoD3H4saIjGnitCsG/t+sLTvuK/giuMdS2Tms=
+Exponent1: pnSH+pOuiL+dtMCPJVvsoxhilJukodD9mewv0GmOic+gD7dwBgJEcAJUgvgBJLbIqQENGDrcj3u5Bf2PM6eOP+3SpVMeZyUhPPqV1lwj4hYUBfIqoM5L5J4AXk5oCu+cc8zpj/wNvmW8xnFGKnumaX7Ctc8Rmo6ap+F8ZTrPBBE=
+Exponent2: txXZKIRnAkJAwZ6f0pr3w4Hv0GmmAZArvQlmPdncDH94sfvDCssB/v0rfE4Y5hxl4YFWsc8LINHwiDQPajzLwvvi9nnWJT5xWJznLwHbrCparbPNMmFb7lmmTeGlqOCmlamG942qQLCI1xnIDTn/gWalNaz539xhZPSIMZVqX+s=
+Coefficient: eK9cQKFRLaU4udqB8t8KSQxlNl0x9J+9bcaEzn0+579LrZUZvspfiR4DNGwr9qK+PWk+CU7/6xsWbq2zbKIEWucoR97t+E8Zhx00GCDbiu/QI2wviEcYbB2udznRv1WSIDoCWf2TXeh5G2E2ugt5F4+b56qMXmT7IudxYGPtQCY=
+Created: 20220721024334
+Publish: 20220721024334
+Activate: 20220721024334
diff --git a/bin/tests/system/rsabigexponent/ns2/Xexample.+008+52810.key b/bin/tests/system/rsabigexponent/ns2/Xexample.+008+52810.key
new file mode 100644
index 0000000..a1f14c9
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns2/Xexample.+008+52810.key
@@ -0,0 +1,2 @@
+; This is a zone-signing key, keyid 52810, for example.
+example. IN DNSKEY 256 3 8 BwEAAAAAAAHYYy161+wCg6yFHRlyex8oVkcK+K2SBUryI1+DEKzjusH6 yLfzzlJCPGrubmD+jseKYwXfzelJkRQbMDjWbMYLHKytuPtwnJMSeVh+ a/Ore6oVPXy716EYpsEBSmVjfQyS0mGHpwrYk4QaKjJDM7Q173EFl/sE eXjHqInlzOgJbXqsCrSfA94anSt42DGhJeeIfQ8b3vqD/nCnA6C7khIt AWlfJto7d42Ev8tckjr3CrTW9tn9pHb2DKeh85rKeJBBLMYQU3jfF5KH EEsjztLGMnPLlXTteh8wKrk/0IJrot17w0FR0H2v8oG3xDXxfhJ0OeTW 7dtBHD6ISgqeJ9zt
diff --git a/bin/tests/system/rsabigexponent/ns2/Xexample.+008+52810.private b/bin/tests/system/rsabigexponent/ns2/Xexample.+008+52810.private
new file mode 100644
index 0000000..bbb5ad9
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns2/Xexample.+008+52810.private
@@ -0,0 +1,10 @@
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: 2GMtetfsAoOshR0ZcnsfKFZHCvitkgVK8iNfgxCs47rB+si3885SQjxq7m5g/o7HimMF383pSZEUGzA41mzGCxysrbj7cJyTEnlYfmvzq3uqFT18u9ehGKbBAUplY30MktJhh6cK2JOEGioyQzO0Ne9xBZf7BHl4x6iJ5czoCW16rAq0nwPeGp0reNgxoSXniH0PG976g/5wpwOgu5ISLQFpXybaO3eNhL/LXJI69wq01vbZ/aR29gynofOayniQQSzGEFN43xeShxBLI87SxjJzy5V07XofMCq5P9CCa6Lde8NBUdB9r/KBt8Q18X4SdDnk1u3bQRw+iEoKnifc7Q==
+PublicExponent: AQAAAAAAAQ==
+PrivateExponent: aD+JLNdCtAk1++UwcGdPslSoWq2szZHGrY+I+YfhfcBZrPP13exC40hgUgRNuYJOaJ3WMpgsKI4p8YDVNttF6LI7WNBURQhmBSwquB5BWWkoh7uR4PfKWGB0ZkDwUQcA2IdMVS4+QAKVQMmUXGnXhQI1p8duAORZp0gE71VsHTEzwf5AIEG2+f/oCjDsMJN0J7X3qktJr5ho64aMHyHf5+yKk6fFcy7wfC175SkIZ53uBfpCsFXkgq8YukXfcyoG5o4FUHheGnDwkVOzviEUHk8xweJnNNRbV6n/ck9AXzq3VSA9BbrXtRzZmre/L6tJvEnbH0EycwDkxCMlOSqGbQ==
+Prime1: /hnW5M2vzAoAjx2wum98YZZ6gv1IpV88c4HDLA3vY79Qxd8FYanldxPNjgQJEPjHD5hG6tGN+cjZdXv/X+sk5j3fmCB7RKwMKcoD8A/jyH2JaQLTbXm6EBd1BCMIN+w3W+A2E6evYYyINLwMUwqRlUcAaD8HoDLK8iz6iAUhFss=
+Prime2: 2gEuuug1PDnbWWFVzzMUrVXiRiFqJVTTvR3AjJVJNZPwAL4FMenh98rtI3s1zSB6P4RSyvRJ6YMOAT0ZrMxviJy76EExGgCB5F4w7g67I7VGPuA1tLn5kt5j9j5wQmdq1yMG5QpCJWr7bxjSDYvIzy2sZjZ/KTuHGtUzFUnHrCc=
+Exponent1: MaDlpmDYxZ2QvM+cp58Bj160u+21qIA/UZ2ysh6102uQmYHm92481z2+AvCJuq2PpkuROMd/4i2w7L0RbfZ2MYzUFndLZ8NgmNDjNDfUzeRQl2KQdAOLK4DNXmf3mKwLO0Sbj/pxgj0vYAe9gcU4Pe8ukVuSX0nkehbDi4cjfr0=
+Exponent2: cNHFlVCwvEPNVnpQCZS3iqF/D3HN8FtP2st0CrYbjQI8DYpcQUWVMqUqdqFOkYM0/qadpkX+JMlPJTjJZ8YDYYWIZGSC2ruMPIxB7DayVDBbgugmsC1isZjyApdQ44xtdNVyMYmcYeHUz5gR1x/eWdGNyjzMEvfbEjXIKbRykAM=
+Coefficient: ovH/7MP64Dai8draXD3t+jl6UTchig+LDwXA2GvlZY0HVP+9yvE49VSKhoYxolL/ZmabIgzzOAyJ66SyYq31ozxbpKrBGiFdzAbgkJgFIbdYMgfLHXNkH1vissGeY0KdS5ee6sKDfk1VmE94UOVHi11oslvnTiG2RF/I3koYV7Q=
diff --git a/bin/tests/system/rsabigexponent/ns2/dsset-example.in b/bin/tests/system/rsabigexponent/ns2/dsset-example.in
new file mode 100644
index 0000000..9ad254b
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns2/dsset-example.in
@@ -0,0 +1 @@
+example. IN DS 51650 8 2 F225122667540159A30620B2D0888036BDF76276D245DE3453C883F0C3276705
diff --git a/bin/tests/system/rsabigexponent/ns2/example.db.bad b/bin/tests/system/rsabigexponent/ns2/example.db.bad
new file mode 100644
index 0000000..b105978
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns2/example.db.bad
@@ -0,0 +1,156 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+example.		300	IN SOA	mname1. . (
+					2012050601 ; serial
+					3600       ; refresh (1 hour)
+					600        ; retry (10 minutes)
+					604800     ; expire (1 week)
+					3600       ; minimum (1 hour)
+					)
+			300	RRSIG	SOA 8 1 300 (
+					20361231235959 20000101000000 52810 example.
+					IfZrUTjdr4Ull5MSQW4eHxrub6X5O8VWB3vG
+					kg6TBT8f2Aw4hLcwT0X47xRqL9nU1kKA3qpu
+					mi71wqiZPbYI+suHYGuqRO/V6YujdQRpLhGS
+					gTpLmETa46unkMDY6sze41AlCyzR79yaDxVS
+					+pS2V1AVYzQzzeswJXHwSLO5HKtClPL3izpV
+					AJD1+dL0UZRs9yOqbxU1RgvASPFEt+1Wd2p6
+					qwyeadJ7PB0PL7QQXSDsQ09Ms1BGoKq5p6Os
+					HtgXPo+aZQR2gczm3Yals9I1tZnk/ZM86aS0
+					63NrEEUQycMNCr100WgWzYQzO90SmJMqpdeZ
+					fxzlRQbY7jN4qRbM7A== )
+			300	NS	ns2.example.
+			300	RRSIG	NS 8 1 300 (
+					20361231235959 20000101000000 52810 example.
+					VUPhDucH6rlx93V13b7OSAQ6fE/9jlxhCTXv
+					peBD69WOa4jZHMZf60gqy10gLVMx35gZdEaU
+					cJqaBcAniSwPY3a7mxclMja7fmuCB9wcSbiP
+					pwk5KIYSgIvoWp3ro2I19C0IDQDVWtH1xqdQ
+					Dv+3MV39Zpf0AnXB05mBopI2DQI9mYHCnmis
+					F3pfcfs+h/ipyodE5kccBBRvtfKWHly342Xe
+					azHKM4eyuGj9NLwuwsoVgnyQ3I9hrKVAiUjS
+					fQ4cxyBVhh+Wb1/VrVSbX+X9VNzQ04mcREHS
+					yXIPoIQBNju3dyOSTQ+VIeasRvRU8nqMS/1f
+					oeqj5ehTjtfejF6Jfw== )
+			300	NSEC	a.example. NS SOA RRSIG NSEC DNSKEY
+			300	RRSIG	NSEC 8 1 300 (
+					20361231235959 20000101000000 52810 example.
+					bG90DOCaN7BhihvtCUs2eJhSHkRaV582ROQi
+					AbamawevX8NQGJeVpHb3t5ekQuK5EWjLFr6i
+					bga5TpeP8HOv3lDb8w7kb7xOrHycw5Sizws5
+					PZTvtuty9nT6dZ9h4pfLNTbW+SBV904xv3JT
+					ZlXoxtm4JAdmKUcGiCFLjMvwbQ5SKEZq27uN
+					9xCeY0CPkQmiGbTrySYFyNZsBBsL2OI5ec2V
+					TbQVSDhnnEhbVdMb8Yh2sTt9H/CT1yG2s4U9
+					a9ccxguFzt6mk+f5ZL+WKgxkTOMOrZW3dyiI
+					x53dNQyZN/tczibox/LLG/SaET5wR/V5gDsh
+					9DObfc9u1+of/H0lhg== )
+			300	DNSKEY	257 3 8 (
+					AwEAAeeXAGBcXxSNj5X/PWT8XDBk4U9OUkZ7
+					YKQBf2IN3V6OZomt/s3FUWIh70Wot+z1Ld3R
+					fswq1DjCaWNRFOMhs+9j3Fhc46wMZ4pnsDW1
+					nLHk2TnQRdrbiuhLkQy5oNMjSRxu924XLw5y
+					lsuqjxE7vXcCeKSFe674roSqwo39atWsTJMD
+					z0FQGxlPucnXai0nHoCeC7+u1s+wLaGcpNSZ
+					lsab7ZnyFD4HZ3HKUCJw/Jjr5CZjqal9KdmW
+					SC1SINRtlAN6PX5VSiNEncnYMCdjiv+ZhRGn
+					+aHh1BmEWomGbAm2Jjw5mrYMgDs9lJRc5Vtg
+					0YXb9OkYvxNFV4QGw1oeF+M=
+					) ; KSK; alg = RSASHA256 ; key id = 51650
+			300	DNSKEY	256 3 8 (
+					BwEAAAAAAAHYYy161+wCg6yFHRlyex8oVkcK
+					+K2SBUryI1+DEKzjusH6yLfzzlJCPGrubmD+
+					jseKYwXfzelJkRQbMDjWbMYLHKytuPtwnJMS
+					eVh+a/Ore6oVPXy716EYpsEBSmVjfQyS0mGH
+					pwrYk4QaKjJDM7Q173EFl/sEeXjHqInlzOgJ
+					bXqsCrSfA94anSt42DGhJeeIfQ8b3vqD/nCn
+					A6C7khItAWlfJto7d42Ev8tckjr3CrTW9tn9
+					pHb2DKeh85rKeJBBLMYQU3jfF5KHEEsjztLG
+					MnPLlXTteh8wKrk/0IJrot17w0FR0H2v8oG3
+					xDXxfhJ0OeTW7dtBHD6ISgqeJ9zt
+					) ; ZSK; alg = RSASHA256 ; key id = 52810
+			300	RRSIG	DNSKEY 8 1 300 (
+					20361231235959 20000101000000 52810 example.
+					O4q1oueEgPoWHhrLiobGvMQLS2KHN+xxSddf
+					y6fqksqivRLgj0633fnEZrFtc44YueV+L4gQ
+					kaoWCCpR0yQH4BOw4p3FVjEgl+jXLzIc7amw
+					ZfKAnSOtMoTaBCQ2hN8b2ducUHgKV7ta9bca
+					lO0wuqqp2OOO/n9S3YMBVfrCW4jL2w1QPC+b
+					lm/4ka8OwqKKGAcO0d/nGeOPJZnfbddSzqEQ
+					C3j1tGavwBC4RAGilxw3XoyoICDp0LQR7M9a
+					tWAxYmMfilEEfpip9R3HhCa+ynIVsHP8yTXE
+					dlWM3LUZePm44aV38YeObJpRMkb8sO5VrbZn
+					8hJoIs3eyguC4HKKTg== )
+			300	RRSIG	DNSKEY 8 1 300 (
+					20361231235959 20000101000000 51650 example.
+					Eaw79mOoImGg+ymMJ+9paoanUgR/Od0Pxv/X
+					mevid1TRbssSc2KynAToxSXRcOQwRQjto9sC
+					qj0pOekPPmW1I6DRlMOGDS6l0Uuk51GvUuRD
+					Xbr19BG73mcPuKfYHNbx6cUHvBlPilnjM803
+					m9E8DK6Ba9uo/MNhgtWoWj8wQxqP2YS+HW3v
+					bOv/p4en9Dc5ft6ATtSYj84ejuPAKnfVbleI
+					fJW+qIQ7q9A24xEZ4QlWuRovjsoASVsuLnX+
+					X4sQYlWBIPMQYQ8RIN1CgSRPGb603pAq9ru6
+					ySpjlxHQRtdOGBNJleg9Wz612rHRd3x7BM+8
+					/Lvz31Ot/JSh3u4DSQ== )
+a.example.		300	IN A	10.0.0.1
+			300	RRSIG	A 8 2 300 (
+					20361231235959 20000101000000 52810 example.
+					zp4L0Um0guehtT+4GQaMeYx5PiwEbSRyi7sg
+					Xv2uFn/wFML/Df0PgCxCYkWKL2Db/j15IZON
+					uz2CNRG7lDMZsb+JgyLZ6R3OuSKjwzA++kUu
+					8ExPpdrFHxZFMPefkU1vjf7E1yt4/aSaO23T
+					m0F6yFHcVfBE1DElG1vLWO6cWtSIMKjXOo15
+					Zy2hHhT/7jKhqcHnwwCBHLuV9/e9OmI34H7I
+					Sd3Ik8dnNEjRTVbLem3tQMfQ9ZfYDHPHli+z
+					Z5dGgPmpyNPq5bfs7O5uCO5cNCbouFdEnc6O
+					DA9QiyOGba8w7vI1gHMvA+rWPpA+fTGgrVRq
+					7bTfa0jTOsybR8rZjg== )
+			300	NSEC	ns2.example. A RRSIG NSEC
+			300	RRSIG	NSEC 8 2 300 (
+					20361231235959 20000101000000 52810 example.
+					oh6oqdC9OIoO0jIN0x9MIBlYlzAg2LFYffrP
+					QlgPAtPn8A9cPCxU2i6hJ1ubqc6o1LVD7LH6
+					GVj842Ytys1uO2Nwf9xXS4gbchJ6NE9IjQh6
+					IoBNmlgdfprzJEJlEFx73dytakfcjc+hIj8t
+					b14Lu2/5BBDSamw+uVyeV8Wg2jNdrN7UEqyA
+					ccnhLPWHAOtspzxrmCrBDPc6Geelu8KzARs5
+					qOZ/p9CKffmKL/65K/N8WWKQWVNI22tAbiWT
+					J1t3BNkOLUSKMvEVLFcgStV4QtFcQrSB96Hu
+					D2rSbAGsH5Ujmz4GTxhOSqd8OJ7XDEWlhZod
+					LhUBltfjmakorhGqqg== )
+ns2.example.		300	IN A	10.53.0.2
+			300	RRSIG	A 8 2 300 (
+					20361231235959 20000101000000 52810 example.
+					sDlETJwDoWqYZdcwYBW/l+Ot4Tb3mSXJvW3R
+					1fsoiq/obWZeC+bU2MszckcZKPET2CRqBD+c
+					uLCcOhZrcH0m25Y02SAzOOG2V12KNvWVznSz
+					bZw+/+ucYhxhiNKherdwpHOAdjlhG//zFHDy
+					sAxmrtjWO2DT9pv1Hd/Hm3aGgAYTs0ryyeyo
+					k05sTgdr43APFkX4SNoNXGUEt8E0uMghIvhi
+					mgKSQ45fZFsZeUiEfwvtQ8uAuDNOLWK49Bw5
+					184QrQ/NZ3YVyJercg7wm/jFMVkgxggiOl2q
+					ZCLadaSQNnsvtbwgyTktRJb5YovzZEQrH7O0
+					vW/DAN1Cqa1nXw/kZA== )
+			300	NSEC	example. A RRSIG NSEC
+			300	RRSIG	NSEC 8 2 300 (
+					20361231235959 20000101000000 52810 example.
+					DyLuymW3Bv6irCLzfUGnz2cy1XctqfW7ycLc
+					7wgDzDLNvJ6tqr8tjHKMdCODJDiG+lR5oFo7
+					8RA604OYcmJjLIAMj3fCxzBkIlH5SXRcJ86X
+					a8U6oXrgt6IvUMC2crdWMVgVnSWlqBS4TNNg
+					QhUa+vt+Em8ce3fveqh1tXm1hzysSroOQtMk
+					HOPAtwYR9XP4mTdbC43AU/67jsYPqXq59lm4
+					sE1tmnVdhXuOk7yNAt8O2CSZGGZl5bYMC4On
+					IgWZP7liebXAmhmXpHbBf5/BaE9dVfvWzYTT
+					4wUch+f8TDwwyTqumrlrPsVnvkQ9V0LwODox
+					PxWWxFAznmUMEtlo3g== )
diff --git a/bin/tests/system/rsabigexponent/ns2/example.db.in b/bin/tests/system/rsabigexponent/ns2/example.db.in
new file mode 100644
index 0000000..a2a6964
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns2/example.db.in
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@		IN SOA	mname1. . (
+			2012050601 ; serial
+			3600	   ; refresh
+			600	   ; retry
+			604800	   ; expire
+			3600	   ; minimum
+			)
+		NS	ns2
+ns2		A	10.53.0.2
+
+a		A	10.0.0.1
diff --git a/bin/tests/system/rsabigexponent/ns2/named.conf.in b/bin/tests/system/rsabigexponent/ns2/named.conf.in
new file mode 100644
index 0000000..7a15fd7
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns2/named.conf.in
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "example" {
+	type primary;
+	file "example.db.bad";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/rsabigexponent/ns2/sign.sh b/bin/tests/system/rsabigexponent/ns2/sign.sh
new file mode 100755
index 0000000..015f6a9
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns2/sign.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=example.
+infile=example.db.in
+outfile=example.db.bad
+
+for i in Xexample.+008+51650.key Xexample.+008+51650.private \
+	 Xexample.+008+52810.key Xexample.+008+52810.private
+do
+	cp $i `echo $i | sed s/X/K/`
+done
+
+$SIGNER -g -s 20000101000000 -e 20361231235959 -o $zone \
+	$infile Kexample.+008+52810.key \
+	> /dev/null 2> signer.err || true
diff --git a/bin/tests/system/rsabigexponent/ns3/named.conf.in b/bin/tests/system/rsabigexponent/ns3/named.conf.in
new file mode 100644
index 0000000..bc63656
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns3/named.conf.in
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+	dnssec-validation yes;
+	max-rsa-exponent-size 35;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/rsabigexponent/prereq.sh b/bin/tests/system/rsabigexponent/prereq.sh
new file mode 100644
index 0000000..c18f6c8
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/prereq.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if $BIGKEY > /dev/null 2>&1
+then
+    rm -f Kexample.*
+else
+    echo_i "This test requires OpenSSL cryptography provider" >&2
+    echo_i "configure with --with-openssl, and make sure you disable --with-pkcs11 and --enable-native-pkcs11" >&2
+    exit 255
+fi
diff --git a/bin/tests/system/rsabigexponent/setup.sh b/bin/tests/system/rsabigexponent/setup.sh
new file mode 100644
index 0000000..53f56b9
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/setup.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+
+cd ns1 && $SHELL -e sign.sh
diff --git a/bin/tests/system/rsabigexponent/tests.sh b/bin/tests/system/rsabigexponent/tests.sh
new file mode 100644
index 0000000..c3c7a3f
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/tests.sh
@@ -0,0 +1,57 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+
+rm -f dig.out.*
+
+DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}"
+
+for f in conf/good*.conf
+do
+	echo_i "checking '$f'"
+	ret=0
+	$CHECKCONF $f > /dev/null || ret=1
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=`expr $status + $ret`
+done
+
+for f in conf/bad*.conf
+do
+	echo_i "checking '$f'"
+	ret=0
+	$CHECKCONF $f > /dev/null && ret=1
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=`expr $status + $ret`
+done
+
+echo_i "checking that RSA big exponent keys can't be loaded"
+ret=0
+grep "out of range" ns2/signer.err > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking that RSA big exponent signature can't validate"
+ret=0
+$DIG $DIGOPTS a.example @10.53.0.2 > dig.out.ns2 || ret=1
+$DIG $DIGOPTS a.example @10.53.0.3 > dig.out.ns3 || ret=1
+grep "status: NOERROR" dig.out.ns2 > /dev/null || ret=1
+grep "status: SERVFAIL" dig.out.ns3 > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/run.gdb b/bin/tests/system/run.gdb
new file mode 100644
index 0000000..60981e1
--- /dev/null
+++ b/bin/tests/system/run.gdb
@@ -0,0 +1 @@
+thread apply all bt full
diff --git a/bin/tests/system/run.sh b/bin/tests/system/run.sh
new file mode 100755
index 0000000..2330d7c
--- /dev/null
+++ b/bin/tests/system/run.sh
@@ -0,0 +1,346 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Run a system test.
+#
+
+SYSTEMTESTTOP="$(cd -P -- "$(dirname -- "$0")" && pwd -P)"
+. $SYSTEMTESTTOP/conf.sh
+
+if [ "$CI_SERVER" != "yes" ] && [ "$(id -u)" -eq "0" ] && ! ${NAMED} -V | grep -q -F -- "enable-developer"; then
+    echofail "Refusing to run test as root. Build with --enable-developer to override." >&2
+    exit 1
+fi
+
+export SYSTEMTESTTOP
+
+date_with_args() (
+    date "+%Y-%m-%dT%T%z"
+)
+
+stopservers=true
+baseport=5300
+
+if [ ${SYSTEMTEST_NO_CLEAN:-0} -eq 1 ]; then
+    clean=false
+else
+    clean=true
+fi
+
+restart=false
+while getopts "knp:r-:t" flag; do
+    case "$flag" in
+    -) case "${OPTARG}" in
+               keep) stopservers=false ;;
+               noclean) clean=false ;;
+           esac
+           ;;
+    k) stopservers=false ;;
+    n) clean=false ;;
+    p) baseport=$OPTARG ;;
+    t) restart=true ;;
+    esac
+done
+shift `expr $OPTIND - 1`
+
+if [ $# -eq 0 ]; then
+    echofail "Usage: $0 [-k] [-n] [-p <PORT>] test-directory [test-options]" >&2;
+    exit 1
+fi
+
+systest=${1%%/}
+shift
+
+if [ ! -d $systest ]; then
+    echofail "$0: $systest: no such test" >&2
+    exit 1
+fi
+
+# Define the number of ports allocated for each test, and the lowest and
+# highest valid values for the "-p" option.
+#
+# The lowest valid value is one more than the highest privileged port number
+# (1024).
+#
+# The highest valid value is calculated by noting that the value passed on the
+# command line is the lowest port number in a block of "numports" consecutive
+# ports and that the highest valid port number is 65,535.
+numport=100
+minvalid=`expr 1024 + 1`
+maxvalid=`expr 65535 - $numport + 1`
+
+test "$baseport" -eq "$baseport" > /dev/null 2>&1
+if [ $? -ne 0 ]; then
+    echofail "$0: $systest: must specify a numeric value for the port" >&2
+    exit 1
+elif [ $baseport -lt $minvalid -o $baseport -gt $maxvalid  ]; then
+    echofail "$0: $systest: the specified port must be in the range $minvalid to $maxvalid" >&2
+    exit 1
+fi
+
+# Name the first 10 ports in the set (it is assumed that each test has access
+# to ten or more ports): the query port, the control port and eight extra
+# ports.  Since the lowest numbered port (specified in the command line)
+# will usually be a multiple of 10, the names are chosen so that if this is
+# true, the last digit of EXTRAPORTn is "n".
+PORT=$baseport
+EXTRAPORT1=`expr $baseport + 1`
+EXTRAPORT2=`expr $baseport + 2`
+EXTRAPORT3=`expr $baseport + 3`
+EXTRAPORT4=`expr $baseport + 4`
+EXTRAPORT5=`expr $baseport + 5`
+EXTRAPORT6=`expr $baseport + 6`
+EXTRAPORT7=`expr $baseport + 7`
+EXTRAPORT8=`expr $baseport + 8`
+CONTROLPORT=`expr $baseport + 9`
+
+LOWPORT=$baseport
+HIGHPORT=`expr $baseport + $numport - 1`
+
+export PORT
+export EXTRAPORT1
+export EXTRAPORT2
+export EXTRAPORT3
+export EXTRAPORT4
+export EXTRAPORT5
+export EXTRAPORT6
+export EXTRAPORT7
+export EXTRAPORT8
+export CONTROLPORT
+
+export LOWPORT
+export HIGHPORT
+
+# Start all servers used by the system test.  Ensure all log files written
+# during a system test (tests.sh + potentially multiple *.py scripts) are
+# retained for each run by calling start.pl with the --restart command-line
+# option for all invocations except the first one.
+start_servers() {
+    echoinfo "I:$systest:starting servers"
+    if $restart || [ "$run" -gt 0 ]; then
+        restart_opt="--restart"
+    fi
+    if ! $PERL start.pl ${restart_opt} --port "$PORT" "$systest"; then
+        echoinfo "I:$systest:starting servers failed"
+        return 1
+    fi
+}
+
+stop_servers() {
+    if $stopservers; then
+        echoinfo "I:$systest:stopping servers"
+        if ! $PERL stop.pl "$systest"; then
+            echoinfo "I:$systest:stopping servers failed"
+            return 1
+        fi
+    fi
+}
+
+echostart "S:$systest:$(date_with_args)"
+echoinfo  "T:$systest:1:A"
+echoinfo  "A:$systest:System test $systest"
+echoinfo  "I:$systest:PORTRANGE:${LOWPORT} - ${HIGHPORT}"
+
+if [ x${PERL:+set} = x ]
+then
+    echowarn "I:$systest:Perl not available.  Skipping test."
+    echowarn "R:$systest:SKIPPED"
+    echoend  "E:$systest:$(date_with_args)"
+    exit 0;
+fi
+
+$PERL testsock.pl -p $PORT  || {
+    echowarn "I:$systest:Network interface aliases not set up.  Skipping test."
+    echowarn "R:$systest:SKIPPED"
+    echoend  "E:$systest:$(date_with_args)"
+    exit 0;
+}
+
+# Check for test-specific prerequisites.
+test ! -f $systest/prereq.sh || ( cd $systest && $SHELL prereq.sh "$@" )
+result=$?
+
+if [ $result -eq 0 ]; then
+    : prereqs ok
+else
+    echowarn "I:$systest:Prerequisites missing, skipping test."
+    echowarn "R:$systest:SKIPPED";
+    echoend "E:$systest:$(date_with_args)"
+    exit 0
+fi
+
+# Check for PKCS#11 support
+if
+    test ! -f $systest/usepkcs11 || $SHELL cleanpkcs11.sh
+then
+    : pkcs11 ok
+else
+    echowarn "I:$systest:Need PKCS#11, skipping test."
+    echowarn "R:$systest:PKCS11ONLY"
+    echoend  "E:$systest:$(date_with_args)"
+    exit 0
+fi
+
+# Clean up files left from any potential previous runs except when
+# started with the --restart option.
+if ! $restart; then
+    if test -f "$systest/clean.sh"; then
+        if ! ( cd "${systest}" && $SHELL clean.sh "$@" ); then
+            echowarn "I:$systest:clean.sh script failed"
+            echofail "R:$systest:FAIL"
+            echoend  "E:$systest:$(date_with_args)"
+            exit 1
+        fi
+    fi
+fi
+
+# Set up any dynamically generated test data
+if test -f $systest/setup.sh
+then
+    if ! ( cd "${systest}" && $SHELL setup.sh "$@" ); then
+        echowarn "I:$systest:setup.sh script failed"
+        echofail "R:$systest:FAIL"
+        echoend  "E:$systest:$(date_with_args)"
+        exit 1
+    fi
+fi
+
+status=0
+run=0
+# Run the tests
+if [ -r "$systest/tests.sh" ]; then
+    if start_servers; then
+        ( cd "$systest" && $SHELL tests.sh "$@" )
+        status=$?
+        run=$((run+1))
+        stop_servers || status=1
+    else
+        status=1
+    fi
+fi
+
+if [ $status -eq 0 ]; then
+    if [ -n "$PYTEST" ]; then
+        for test in $(cd "${systest}" && find . -name "tests*.py"); do
+            rm -f "$systest/$test.status"
+            if start_servers; then
+                run=$((run+1))
+                test_status=0
+                (cd "$systest" && "$PYTEST" --confcutdir ../ -rsxX -v "$test" "$@" || echo "$?" > "$test.status") | SYSTESTDIR="$systest" cat_d
+                if [ -f "$systest/$test.status" ]; then
+                    if [ "$(cat "$systest/$test.status")" != "5" ]; then
+                        test_status=$(cat "$systest/$test.status")
+                    fi
+                fi
+                status=$((status+test_status))
+                stop_servers || status=1
+            else
+                status=1
+            fi
+            if [ $status -ne 0 ]; then
+                break
+            fi
+        done
+        rm -f "$systest/$test.status"
+    else
+        echoinfo "I:$systest:pytest not installed, skipping python tests"
+    fi
+fi
+
+if [ "$run" -eq "0" ]; then
+    echoinfo "I:$systest:No tests were found and run"
+    status=255
+fi
+
+
+if $stopservers
+then
+    :
+else
+    exit $status
+fi
+
+get_core_dumps() {
+    find "$systest/" \( -name 'core' -or -name 'core.*' -or -name '*.core' \) ! -name '*.gz' ! -name '*.txt' | sort
+}
+
+core_dumps=$(get_core_dumps | tr '\n' ' ')
+if [ -n "$core_dumps" ]; then
+    echoinfo "I:$systest:Core dump(s) found: $core_dumps"
+    get_core_dumps | while read -r coredump; do
+        SYSTESTDIR="$systest"
+        echoinfo "D:$systest:backtrace from $coredump:"
+        echoinfo "D:$systest:--------------------------------------------------------------------------------"
+        binary=$(gdb --batch --core="$coredump" 2>/dev/null | sed -ne "s|Core was generated by \`\([^' ]*\)[' ].*|\1|p")
+        if [ ! -f "${binary}" ]; then
+            binary=$(find "${TOP}" -path "*/.libs/${binary}" -type f)
+        fi
+        "${TOP}/libtool" --mode=execute gdb \
+                                  -batch \
+                                  -ex bt \
+                                  -core="$coredump" \
+                                  -- \
+                                  "$binary" 2>/dev/null | sed -n '/^Core was generated by/,$p' | cat_d
+        echoinfo "D:$systest:--------------------------------------------------------------------------------"
+        coredump_backtrace="${coredump}-backtrace.txt"
+        echoinfo "D:$systest:full backtrace from $coredump saved in $coredump_backtrace"
+        "${TOP}/libtool" --mode=execute gdb \
+                      -batch \
+                      -command="${TOP_SRCDIR}/bin/tests/system/run.gdb" \
+                      -core="$coredump" \
+                      -- \
+                      "$binary" > "$coredump_backtrace" 2>&1
+        echoinfo "D:$systest:core dump $coredump archived as $coredump.gz"
+        gzip -1 "${coredump}"
+    done
+    status=$((status+1))
+fi
+
+assertion_failures=$(find "$systest/" -name named.run -exec grep "assertion failure" {} + | wc -l)
+if [ "$assertion_failures" -ne 0 ]; then
+    SYSTESTDIR="$systest"
+    echoinfo "I:$systest:$assertion_failures assertion failure(s) found"
+    status=$((status+1))
+fi
+
+tsan_failures=$(find "$systest/" -name 'tsan.*' | wc -l)
+if [ "$tsan_failures" -ne 0 ]; then
+    echoinfo "I:$systest:$tsan_failures sanitizer report(s) found"
+    find "$systest/" -name 'tsan.*' -exec grep "SUMMARY: " {} + | sort -u | cat_d
+    status=$((status+1))
+fi
+
+if [ "$status" -ne 0 ]; then
+    echofail "R:$systest:FAIL"
+else
+    echopass "R:$systest:PASS"
+    if $clean && ! $restart; then
+       ( cd $systest && $SHELL clean.sh "$@" )
+       if test -d ../../../.git; then
+           git status -su --ignored "${systest}/" 2>/dev/null | \
+           sed -n -e 's|^?? \(.*\)|I:'${systest}':file \1 not removed|p' \
+           -e 's|^!! \(.*/named.run\)$|I:'${systest}':file \1 not removed|p' \
+           -e 's|^!! \(.*/named.memstats\)$|I:'${systest}':file \1 not removed|p'
+       fi
+    fi
+fi
+
+NAMED_RUN_LINES_THRESHOLD=200000
+find "${systest}" -type f -name "named.run" -exec wc -l {} \; | awk "\$1 > ${NAMED_RUN_LINES_THRESHOLD} { print \$2 }" | sort | while read -r LOG_FILE; do
+    echowarn "I:${systest}:${LOG_FILE} contains more than ${NAMED_RUN_LINES_THRESHOLD} lines, consider tweaking the test to limit disk I/O"
+done
+
+echoend "E:$systest:$(date_with_args)"
+
+exit $status
diff --git a/bin/tests/system/runall.sh b/bin/tests/system/runall.sh
new file mode 100755
index 0000000..0391633
--- /dev/null
+++ b/bin/tests/system/runall.sh
@@ -0,0 +1,107 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# Run all the system tests.
+#
+# Usage:
+#    runall.sh [-c] [-n] [numprocesses]
+#
+#   -c          Force colored output.
+#
+#   -n          Noclean.  Keep all output files produced by all tests.  These
+#               can later be removed by running "cleanall.sh".
+#
+#   numprocess  Number of concurrent processes to use when running the tests.
+#               The default is one, which causes the tests to run sequentially.
+#               (This is ignored when running on Windows as the tests are always
+#               run sequentially on that platform.)
+
+SYSTEMTESTTOP=.
+. $SYSTEMTESTTOP/conf.sh
+
+usage="Usage: ./runall.sh [-c] [-n] [numprocesses]"
+
+# Preserve values of environment variables which are already set.
+
+SYSTEMTEST_FORCE_COLOR=${SYSTEMTEST_FORCE_COLOR:-0}
+SYSTEMTEST_NO_CLEAN=${SYSTEMTEST_NO_CLEAN:-0}
+
+# Handle command line switches if present.
+
+while getopts "cn" flag; do
+    case "$flag" in
+        c) SYSTEMTEST_FORCE_COLOR=1 ;;
+        n) SYSTEMTEST_NO_CLEAN=1 ;;
+    esac
+done
+export NOCLEAN
+shift `expr $OPTIND - 1`
+
+# Obtain number of processes to use.
+
+if [ $# -eq 0 ]; then
+    numproc=1
+elif [ $# -eq 1 ]; then
+    test "$1" -eq "$1" > /dev/null 2>&1
+    if [ $? -ne 0 ]; then
+        # Value passed is not numeric
+        echo "$usage" >&2
+        exit 1
+    fi
+    numproc=$1
+else
+    echo "$usage" >&2
+    exit 1
+fi
+
+# Run the tests.
+
+export SYSTEMTEST_FORCE_COLOR
+export SYSTEMTEST_NO_CLEAN
+
+status=0
+
+if [ "$NOPARALLEL" = "" ]; then
+    if [ "$CYGWIN" = "" ]; then
+        # Running on Unix, use "make" to run tests in parallel.
+        make -j $numproc check
+        status=$?
+    else
+        # Running on Windows: Cygwin "make" is available, but isn't being
+        # used for the build. So we create a special makefile for the purpose
+        # of parallel execution of system tests, and use that.
+        $SHELL parallel.sh > parallel.mk
+        make -f parallel.mk -j $numproc check
+        $SHELL ./runsequential.sh
+        $SHELL ./testsummary.sh || status=1
+    fi
+else
+    # the NOPARALLEL environment variable indicates that tests must be
+    # run sequentially.
+    $PERL testsock.pl || {
+        cat <<-EOF
+	I:NOTE: System tests were skipped because they require the
+	I:      test IP addresses 10.53.0.* to be configured as alias
+	I:      addresses on the loopback interface.  Please run
+	I:      "bin/tests/system/ifconfig.sh up" as root to configure them.
+	EOF
+        exit 1
+    }
+    {
+        for testdir in $SUBDIRS; do
+            $SHELL run.sh $testdir || status=1
+        done
+    } 2>&1 | tee "systests.output"
+fi
+
+exit $status
diff --git a/bin/tests/system/runsequential.sh b/bin/tests/system/runsequential.sh
new file mode 100755
index 0000000..41f9c83
--- /dev/null
+++ b/bin/tests/system/runsequential.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# Run system tests that must be run sequentially
+#
+# Note: Use "make check" (or runall.sh) to run all the system tests.  This
+# script will just run those tests that require that each of their nameservers
+# is the only one running on an IP address.
+#
+
+SYSTEMTESTTOP=.
+. $SYSTEMTESTTOP/conf.sh
+
+for d in $SEQUENTIALDIRS
+do
+    $SHELL run.sh "${@}" $d 2>&1 | tee test.output.$d
+done
diff --git a/bin/tests/system/runtime/README b/bin/tests/system/runtime/README
new file mode 100644
index 0000000..9272f12
--- /dev/null
+++ b/bin/tests/system/runtime/README
@@ -0,0 +1,13 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0.  If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+
+Tests of runtime checks, e.g., that named prevents duplicate processes
+from running.
diff --git a/bin/tests/system/runtime/clean.sh b/bin/tests/system/runtime/clean.sh
new file mode 100644
index 0000000..39fdc0c
--- /dev/null
+++ b/bin/tests/system/runtime/clean.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+[ -d ns2/nope ] && chmod 755 ns2/nope
+
+rm -f *.pid
+rm -f */named*.run
+rm -f */named.memstats
+rm -f kill*.out
+rm -f ns*/managed-keys.bind*
+rm -f ns*/named.lock ns*/named*.pid ns*/other.lock
+rm -f ns2/named.conf ns2/named-alt*.conf
+rm -f rndc.out*
+rm -rf ns2/nope
+rm -rf ns2/tmp.*
diff --git a/bin/tests/system/runtime/ctrl-chars b/bin/tests/system/runtime/ctrl-chars
new file mode 100644
index 0000000..4ce1650
--- /dev/null
+++ b/bin/tests/system/runtime/ctrl-chars
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/bin/tests/system/runtime/long-cmd-line b/bin/tests/system/runtime/long-cmd-line
new file mode 100644
index 0000000..e691a71
--- /dev/null
+++ b/bin/tests/system/runtime/long-cmd-line
@@ -0,0 +1 @@
+-m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage
diff --git a/bin/tests/system/runtime/ns2/named-alt1.conf.in b/bin/tests/system/runtime/ns2/named-alt1.conf.in
new file mode 100644
index 0000000..4efb3d7
--- /dev/null
+++ b/bin/tests/system/runtime/ns2/named-alt1.conf.in
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+	query-source address 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { fd92:7065:b8e:ffff::2; };
+	recursion no;
+	notify yes;
+	dnssec-validation no;
+};
diff --git a/bin/tests/system/runtime/ns2/named-alt2.conf.in b/bin/tests/system/runtime/ns2/named-alt2.conf.in
new file mode 100644
index 0000000..ab374f8
--- /dev/null
+++ b/bin/tests/system/runtime/ns2/named-alt2.conf.in
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+	query-source address 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; 10.53.0.3; };
+	listen-on-v6 { fd92:7065:b8e:ffff::2; };
+	recursion no;
+	notify yes;
+	dnssec-validation no;
+};
diff --git a/bin/tests/system/runtime/ns2/named-alt3.conf.in b/bin/tests/system/runtime/ns2/named-alt3.conf.in
new file mode 100644
index 0000000..0f351aa
--- /dev/null
+++ b/bin/tests/system/runtime/ns2/named-alt3.conf.in
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+	query-source address 10.53.0.2;
+	port @PORT@;
+	pid-file "named-alt3.pid";
+	lock-file none;
+	listen-on { 10.53.0.2; 10.53.0.3; };
+	listen-on-v6 { fd92:7065:b8e:ffff::2; };
+	recursion no;
+	notify yes;
+	dnssec-validation no;
+};
diff --git a/bin/tests/system/runtime/ns2/named-alt4.conf.in b/bin/tests/system/runtime/ns2/named-alt4.conf.in
new file mode 100644
index 0000000..aa3a010
--- /dev/null
+++ b/bin/tests/system/runtime/ns2/named-alt4.conf.in
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	directory "./nope";
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+};
diff --git a/bin/tests/system/runtime/ns2/named-alt5.conf.in b/bin/tests/system/runtime/ns2/named-alt5.conf.in
new file mode 100644
index 0000000..23d09b5
--- /dev/null
+++ b/bin/tests/system/runtime/ns2/named-alt5.conf.in
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	managed-keys-directory "./nope";
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+};
diff --git a/bin/tests/system/runtime/ns2/named-alt6.conf.in b/bin/tests/system/runtime/ns2/named-alt6.conf.in
new file mode 100644
index 0000000..3ebc140
--- /dev/null
+++ b/bin/tests/system/runtime/ns2/named-alt6.conf.in
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	new-zones-directory "./nope";
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+};
diff --git a/bin/tests/system/runtime/ns2/named-alt7.conf.in b/bin/tests/system/runtime/ns2/named-alt7.conf.in
new file mode 100644
index 0000000..49f38b4
--- /dev/null
+++ b/bin/tests/system/runtime/ns2/named-alt7.conf.in
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { fd92:7065:b8e:ffff::2; };
+};
diff --git a/bin/tests/system/runtime/ns2/named-alt9.conf.in b/bin/tests/system/runtime/ns2/named-alt9.conf.in
new file mode 100644
index 0000000..6ae88e5
--- /dev/null
+++ b/bin/tests/system/runtime/ns2/named-alt9.conf.in
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port @PORT@;
+	pid-file "named9.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+};
diff --git a/bin/tests/system/runtime/ns2/named1.conf.in b/bin/tests/system/runtime/ns2/named1.conf.in
new file mode 100644
index 0000000..b389863
--- /dev/null
+++ b/bin/tests/system/runtime/ns2/named1.conf.in
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+	query-source address 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { fd92:7065:b8e:ffff::2; };
+	recursion no;
+	notify yes;
+	dnssec-validation no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
diff --git a/bin/tests/system/runtime/setup.sh b/bin/tests/system/runtime/setup.sh
new file mode 100644
index 0000000..8ab72a3
--- /dev/null
+++ b/bin/tests/system/runtime/setup.sh
@@ -0,0 +1,36 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh 
+
+copy_setports ns2/named1.conf.in ns2/named.conf
+
+copy_setports ns2/named-alt1.conf.in ns2/named-alt1.conf
+copy_setports ns2/named-alt2.conf.in ns2/named-alt2.conf
+copy_setports ns2/named-alt3.conf.in ns2/named-alt3.conf
+copy_setports ns2/named-alt4.conf.in ns2/named-alt4.conf
+copy_setports ns2/named-alt5.conf.in ns2/named-alt5.conf
+copy_setports ns2/named-alt6.conf.in ns2/named-alt6.conf
+copy_setports ns2/named-alt7.conf.in ns2/named-alt7.conf
+
+mkdir ns2/nope
+
+if [ 1 = "${CYGWIN:-0}" ]
+then
+    setfacl -s user::r-x,group::r-x,other::r-x ns2/nope
+else
+    chmod 555 ns2/nope
+fi
diff --git a/bin/tests/system/runtime/tests.sh b/bin/tests/system/runtime/tests.sh
new file mode 100644
index 0000000..d5e4277
--- /dev/null
+++ b/bin/tests/system/runtime/tests.sh
@@ -0,0 +1,254 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+SYSTEMTESTTOP=..
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
+NAMED_DEFAULT_ARGS="-m record,size,mctx -d 99 -g -U 4"
+
+kill_named() {
+	pidfile="${1}"
+	if [ ! -r "${pidfile}" ]; then
+		return 1
+	fi
+
+	pid=$(cat "${pidfile}" 2>/dev/null)
+	if [ "${pid:+set}" = "set" ]; then
+		$KILL -15 "${pid}" >/dev/null 2>&1
+		retries=10
+		while [ "$retries" -gt 0 ]; do
+			if ! $KILL -0 "${pid}" >/dev/null 2>&1; then
+				break
+			fi
+			sleep 1
+			retries=$((retries-1))
+		done
+		# Timed-out
+		if [ "$retries" -eq 0 ]; then
+			echo_i "failed to kill named ($pidfile)"
+			return 1
+		fi
+	fi
+	rm -f "${pidfile}"
+	return 0
+}
+
+check_named_log() {
+	grep "$@" >/dev/null 2>&1
+}
+
+run_named() (
+	dir="$1"
+	shift
+	run="$1"
+	shift
+	if cd "$dir" > /dev/null 2>&1
+	then
+		"${NAMED}" "$@" ${NAMED_DEFAULT_ARGS} >> "$run" 2>&1 &
+		echo $!
+	fi
+)
+
+check_pid() (
+	return $(! $KILL -0 "${1}" >/dev/null 2>&1)
+)
+
+status=0
+n=0
+
+n=$((n+1))
+echo_i "verifying that named started normally ($n)"
+ret=0
+[ -s ns2/named.pid ] || ret=1
+grep "unable to listen on any configured interface" ns2/named.run > /dev/null && ret=1
+grep "another named process" ns2/named.run > /dev/null && ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "verifying that named checks for conflicting named processes ($n)"
+ret=0
+testpid=$(run_named ns2 named$n.run -c named-alt2.conf -D runtime-ns2-extra-2 -X named.lock)
+test -n "$testpid" || ret=1
+retry_quiet 10 check_named_log "another named process" ns2/named$n.run || ret=1
+test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1
+test -n "$testpid" && $KILL -15 $testpid > kill$n.out 2>&1 && ret=1
+test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "verifying that 'lock-file none' disables process check ($n)"
+ret=0
+testpid=$(run_named ns2 named$n.run -c named-alt3.conf -D runtime-ns2-extra-3)
+test -n "$testpid" || ret=1
+retry_quiet 60 check_named_log "running$" ns2/named$n.run || ret=1
+grep "another named process" ns2/named$n.run > /dev/null && ret=1
+kill_named ns2/named-alt3.pid || ret=1
+test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that named refuses to reconfigure if working directory is not writable ($n)"
+ret=0
+copy_setports ns2/named-alt4.conf.in ns2/named.conf
+$RNDCCMD 10.53.0.2 reconfig > rndc.out.$n 2>&1 && ret=1
+grep "failed: permission denied" rndc.out.$n > /dev/null 2>&1 || ret=1
+sleep 1
+grep "[^-]directory './nope' is not writable" ns2/named.run > /dev/null 2>&1 || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that named refuses to reconfigure if managed-keys-directory is not writable ($n)"
+ret=0
+copy_setports ns2/named-alt5.conf.in ns2/named.conf
+$RNDCCMD 10.53.0.2 reconfig > rndc.out.$n 2>&1 && ret=1
+grep "failed: permission denied" rndc.out.$n > /dev/null 2>&1 || ret=1
+sleep 1
+grep "managed-keys-directory './nope' is not writable" ns2/named.run > /dev/null 2>&1 || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that named refuses to reconfigure if new-zones-directory is not writable ($n)"
+ret=0
+copy_setports ns2/named-alt6.conf.in ns2/named.conf
+$RNDCCMD 10.53.0.2 reconfig > rndc.out.$n 2>&1 && ret=1
+grep "failed: permission denied" rndc.out.$n > /dev/null 2>&1 || ret=1
+sleep 1
+grep "new-zones-directory './nope' is not writable" ns2/named.run > /dev/null 2>&1 || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that named recovers when configuration file is valid again ($n)"
+ret=0
+copy_setports ns2/named1.conf.in ns2/named.conf
+$RNDCCMD 10.53.0.2 reconfig > rndc.out.$n 2>&1 || ret=1
+[ -s ns2/named.pid ] || ret=1
+kill_named ns2/named.pid || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that named refuses to start if working directory is not writable ($n)"
+ret=0
+testpid=$(run_named ns2 named$n.run -c named-alt4.conf -D runtime-ns2-extra-4)
+test -n "$testpid" || ret=1
+retry_quiet 10 check_named_log "exiting (due to fatal error)" ns2/named$n.run || ret=1
+grep "[^-]directory './nope' is not writable" ns2/named$n.run > /dev/null 2>&1 || ret=1
+kill_named ns2/named.pid && ret=1
+test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that named refuses to start if managed-keys-directory is not writable ($n)"
+ret=0
+testpid=$(run_named ns2 named$n.run -c named-alt5.conf -D runtime-ns2-extra-5)
+test -n "$testpid" || ret=1
+retry_quiet 10 check_named_log "exiting (due to fatal error)" ns2/named$n.run || ret=1
+grep "managed-keys-directory './nope' is not writable" ns2/named$n.run > /dev/null 2>&1 || ret=1
+kill_named named.pid && ret=1
+test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that named refuses to start if new-zones-directory is not writable ($n)"
+ret=0
+testpid=$(run_named ns2 named$n.run -c named-alt6.conf -D runtime-ns2-extra-6)
+test -n "$testpid" || ret=1
+retry_quiet 10 check_named_log "exiting (due to fatal error)" ns2/named$n.run || ret=1
+grep "new-zones-directory './nope' is not writable" ns2/named$n.run > /dev/null 2>&1 || ret=1
+kill_named ns2/named.pid && ret=1
+test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that named logs control characters in octal notation ($n)"
+ret=0
+INSTANCE_NAME="runtime-ns2-extra-7-$(cat ctrl-chars)"
+testpid=$(run_named ns2 named$n.run -c named-alt7.conf -D "${INSTANCE_NAME}")
+test -n "$testpid" || ret=1
+retry_quiet 60 check_named_log "running$" ns2/named$n.run || ret=1
+grep 'running as.*\\177\\033' ns2/named$n.run > /dev/null || ret=1
+kill_named ns2/named.pid || ret=1
+test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that named escapes special characters in the logs ($n)"
+ret=0
+INSTANCE_NAME="runtime-ns2-extra-8-$;"
+testpid=$(run_named ns2 named$n.run -c named-alt7.conf -D "${INSTANCE_NAME}")
+test -n "$testpid" || ret=1
+retry_quiet 60 check_named_log "running$" ns2/named$n.run || ret=1
+grep 'running as.*\\$\\;' ns2/named$n.run > /dev/null || ret=1
+kill_named ns2/named.pid || ret=1
+test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that named logs an ellipsis when the command line is larger than 8k bytes ($n)"
+ret=0
+LONG_CMD_LINE=$(cat long-cmd-line)
+# shellcheck disable=SC2086
+testpid=$(run_named ns2 named$n.run $LONG_CMD_LINE -c "named-alt7.conf")
+test -n "$testpid" || ret=1
+retry_quiet 60 check_named_log "running$" ns2/named$n.run || ret=1
+grep "running as.*\.\.\.$" ns2/named$n.run > /dev/null || ret=1
+kill_named ns2/named.pid || ret=1
+test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "verifying that named switches UID ($n)"
+if [ "$(id -u)" -eq 0 ] && [ -z "$CYGWIN" ]; then
+    ret=0
+    TEMP_NAMED_DIR=$(mktemp -d "$(pwd)/ns2/tmp.XXXXXXXX")
+    if [ "$?" -eq 0 ]; then
+	copy_setports ns2/named-alt9.conf.in "${TEMP_NAMED_DIR}/named-alt9.conf"
+	export SOFTHSM2_CONF="${TEMP_NAMED_DIR}/softhsm2.conf"
+	sh "$TOP/bin/tests/prepare-softhsm2.sh"
+	chown -R nobody: "${TEMP_NAMED_DIR}"
+	chmod 0700 "${TEMP_NAMED_DIR}"
+	testpid=$(run_named "${TEMP_NAMED_DIR}" "${TEMP_NAMED_DIR}/named$n.run" -u nobody -c named-alt9.conf)
+	test -n "$testpid" || ret=1
+	retry_quiet 60 check_named_log "running$" "${TEMP_NAMED_DIR}/named$n.run" || ret=1
+	[ -s "${TEMP_NAMED_DIR}/named9.pid" ] || ret=1
+	grep "loading configuration: permission denied" "${TEMP_NAMED_DIR}/named$n.run" > /dev/null && ret=1
+	kill_named "${TEMP_NAMED_DIR}/named9.pid" || ret=1
+	test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1
+    else
+	echo_i "mktemp failed"
+	ret=1
+    fi
+    if [ $ret -ne 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+else
+    echo_i "skipped, not running as root or running on Windows"
+fi
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/send.pl b/bin/tests/system/send.pl
new file mode 100644
index 0000000..62b4f7a
--- /dev/null
+++ b/bin/tests/system/send.pl
@@ -0,0 +1,33 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Send a file to a given address and port using TCP.  Used for
+# configuring the test server in ans.pl.
+#
+
+use IO::File;
+use IO::Socket;
+
+@ARGV == 2 or die "usage: send.pl host port [file ...]\n";
+
+my $host = shift @ARGV;
+my $port = shift @ARGV;
+
+my $sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port,
+				 Proto => "tcp",) or die "$!";
+while (<>) {
+	$sock->syswrite($_, length $_);
+}
+
+$sock->close;
diff --git a/bin/tests/system/serve-stale/ans2/ans.pl b/bin/tests/system/serve-stale/ans2/ans.pl
new file mode 100644
index 0000000..3fdc1fc
--- /dev/null
+++ b/bin/tests/system/serve-stale/ans2/ans.pl
@@ -0,0 +1,331 @@
+#!/usr/bin/env perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+use strict;
+use warnings;
+
+use IO::File;
+use IO::Socket;
+use Getopt::Long;
+use Net::DNS;
+use Time::HiRes qw(usleep nanosleep);
+
+my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
+print $pidf "$$\n" or die "cannot write pid file: $!";
+$pidf->close or die "cannot close pid file: $!";
+sub rmpid { unlink "ans.pid"; exit 1; };
+
+$SIG{INT} = \&rmpid;
+$SIG{TERM} = \&rmpid;
+
+# If send_response is set, the server will respond, otherwise the query will
+# be dropped.
+my $send_response = 1;
+# If slow_response is set, a lookup for the CNAME target (target.example) is
+# delayed. Other lookups will not be delayed.
+my $slow_response = 0;
+
+my $localaddr = "10.53.0.2";
+
+my $localport = int($ENV{'PORT'});
+if (!$localport) { $localport = 5300; }
+
+my $udpsock = IO::Socket::INET->new(LocalAddr => "$localaddr",
+   LocalPort => $localport, Proto => "udp", Reuse => 1) or die "$!";
+
+#
+# Delegation
+#
+my $SOA = "example 300 IN SOA . . 0 0 0 0 300";
+my $NS = "example 300 IN NS ns.example";
+my $A = "ns.example 300 IN A $localaddr";
+
+#
+# Slow delegation
+#
+my $slowSOA = "slow 300 IN SOA . . 0 0 0 0 300";
+my $slowNS = "slow 300 IN NS ns.slow";
+my $slowA = "ns.slow 300 IN A $localaddr";
+my $slowTXT = "data.slow 2 IN TXT \"A slow text record with a 2 second ttl\"";
+my $slownegSOA = "slow 2 IN SOA . . 0 0 0 0 300";
+
+#
+# Records to be TTL stretched
+#
+my $TXT = "data.example 2 IN TXT \"A text record with a 2 second ttl\"";
+my $LONGTXT = "longttl.example 600 IN TXT \"A text record with a 600 second ttl\"";
+my $CAA = "othertype.example 2 IN CAA 0 issue \"ca1.example.net\"";
+my $negSOA = "example 2 IN SOA . . 0 0 0 0 300";
+my $CNAME = "cname.example 7 IN CNAME target.example";
+my $TARGET = "target.example 9 IN A $localaddr";
+my $SHORTCNAME = "shortttl.cname.example 1 IN CNAME longttl.target.example";
+my $LONGTARGET = "longttl.target.example 600 IN A $localaddr";
+
+sub reply_handler {
+    my ($qname, $qclass, $qtype) = @_;
+    my ($rcode, @ans, @auth, @add);
+
+    print ("request: $qname/$qtype\n");
+    STDOUT->flush();
+
+    # Control whether we send a response or not.
+    # We always respond to control commands.
+    if ($qname eq "enable" ) {
+	if ($qtype eq "TXT") {
+	    $send_response = 1;
+            my $rr = new Net::DNS::RR("$qname 0 $qclass TXT \"$send_response\"");
+            push @ans, $rr;
+	}
+	$rcode = "NOERROR";
+        return ($rcode, \@ans, \@auth, \@add, { aa => 1 });
+    } elsif ($qname eq "disable" ) {
+	if ($qtype eq "TXT") {
+	    $send_response = 0;
+            my $rr = new Net::DNS::RR("$qname 0 $qclass TXT \"$send_response\"");
+            push @ans, $rr;
+	}
+	$rcode = "NOERROR";
+        return ($rcode, \@ans, \@auth, \@add, { aa => 1 });
+    } elsif ($qname eq "slowdown" ) {
+	if ($qtype eq "TXT") {
+	    $send_response = 1;
+	    $slow_response = 1;
+            my $rr = new Net::DNS::RR("$qname 0 $qclass TXT \"$send_response\"");
+            push @ans, $rr;
+	}
+	$rcode = "NOERROR";
+        return ($rcode, \@ans, \@auth, \@add, { aa => 1 });
+    }
+
+    # If we are not responding to queries we are done.
+    return if (!$send_response);
+
+    if (index($qname, "latency") == 0) {
+        # simulate network latency before answering
+        print "  Sleeping 50 milliseconds\n";
+        select(undef, undef, undef, 0.05);
+    }
+
+    # Construct the response and send it.
+    if ($qname eq "ns.example" ) {
+	if ($qtype eq "A") {
+	    my $rr = new Net::DNS::RR($A);
+	    push @ans, $rr;
+	} else {
+	    my $rr = new Net::DNS::RR($SOA);
+	    push @auth, $rr;
+	}
+	$rcode = "NOERROR";
+    } elsif ($qname eq "example") {
+	if ($qtype eq "NS") {
+	    my $rr = new Net::DNS::RR($NS);
+	    push @auth, $rr;
+	    $rr = new Net::DNS::RR($A);
+	    push @add, $rr;
+	} elsif ($qtype eq "SOA") {
+	    my $rr = new Net::DNS::RR($SOA);
+	    push @ans, $rr;
+	} else {
+	    my $rr = new Net::DNS::RR($SOA);
+	    push @auth, $rr;
+	}
+	$rcode = "NOERROR";
+    } elsif ($qname eq "nodata.example") {
+	my $rr = new Net::DNS::RR($negSOA);
+	push @auth, $rr;
+	$rcode = "NOERROR";
+    } elsif ($qname eq "data.example") {
+	if ($qtype eq "TXT") {
+	    my $rr = new Net::DNS::RR($TXT);
+	    push @ans, $rr;
+	} else {
+	    my $rr = new Net::DNS::RR($negSOA);
+	    push @auth, $rr;
+	}
+	$rcode = "NOERROR";
+    } elsif ($qname eq "a-only.example") {
+	if ($qtype eq "A") {
+	    my $rr = new Net::DNS::RR("a-only.example 2 IN A $localaddr");
+	    push @ans, $rr;
+	} else {
+	    my $rr = new Net::DNS::RR($negSOA);
+	    push @auth, $rr;
+	}
+	$rcode = "NOERROR";
+    } elsif ($qname eq "cname.example") {
+	if ($qtype eq "A") {
+	    my $rr = new Net::DNS::RR($CNAME);
+	    push @ans, $rr;
+	} else {
+	    my $rr = new Net::DNS::RR($negSOA);
+	    push @auth, $rr;
+	}
+	$rcode = "NOERROR";
+    } elsif ($qname eq "target.example") {
+	if ($slow_response) {
+                print "  Sleeping 3 seconds\n";
+		sleep(3);
+	}
+	if ($qtype eq "A") {
+	    my $rr = new Net::DNS::RR($TARGET);
+	    push @ans, $rr;
+	} else {
+	    my $rr = new Net::DNS::RR($negSOA);
+	    push @auth, $rr;
+	}
+	$rcode = "NOERROR";
+    } elsif ($qname eq "shortttl.cname.example") {
+	if ($qtype eq "A") {
+	    my $rr = new Net::DNS::RR($SHORTCNAME);
+	    push @ans, $rr;
+	} else {
+	    my $rr = new Net::DNS::RR($negSOA);
+	    push @auth, $rr;
+	}
+	$rcode = "NOERROR";
+    } elsif ($qname eq "longttl.target.example") {
+	if ($slow_response) {
+                print "  Sleeping 3 seconds\n";
+		sleep(3);
+	}
+	if ($qtype eq "A") {
+	    my $rr = new Net::DNS::RR($LONGTARGET);
+	    push @ans, $rr;
+	} else {
+	    my $rr = new Net::DNS::RR($negSOA);
+	    push @auth, $rr;
+	}
+	$rcode = "NOERROR";
+    } elsif ($qname eq "longttl.example") {
+	if ($qtype eq "TXT") {
+	    my $rr = new Net::DNS::RR($LONGTXT);
+	    push @ans, $rr;
+	} else {
+	    my $rr = new Net::DNS::RR($negSOA);
+	    push @auth, $rr;
+	}
+	$rcode = "NOERROR";
+    } elsif ($qname eq "nxdomain.example") {
+	my $rr = new Net::DNS::RR($negSOA);
+	push @auth, $rr;
+	$rcode = "NXDOMAIN";
+    } elsif ($qname eq "othertype.example") {
+	if ($qtype eq "CAA") {
+	    my $rr = new Net::DNS::RR($CAA);
+	    push @ans, $rr;
+	} else {
+	    my $rr = new Net::DNS::RR($negSOA);
+	    push @auth, $rr;
+	}
+	$rcode = "NOERROR";
+    } elsif ($qname eq "ns.slow" ) {
+	if ($qtype eq "A") {
+	    my $rr = new Net::DNS::RR($slowA);
+	    push @ans, $rr;
+	} else {
+	    my $rr = new Net::DNS::RR($slowSOA);
+	    push @auth, $rr;
+	}
+	$rcode = "NOERROR";
+    } elsif ($qname eq "slow") {
+	if ($qtype eq "NS") {
+	    my $rr = new Net::DNS::RR($slowNS);
+	    push @auth, $rr;
+	    $rr = new Net::DNS::RR($slowA);
+	    push @add, $rr;
+	} elsif ($qtype eq "SOA") {
+	    my $rr = new Net::DNS::RR($slowSOA);
+	    push @ans, $rr;
+	} else {
+	    my $rr = new Net::DNS::RR($slowSOA);
+	    push @auth, $rr;
+	}
+	$rcode = "NOERROR";
+    } elsif ($qname eq "data.slow") {
+	if ($slow_response) {
+                print "  Sleeping 3 seconds\n";
+		sleep(3);
+		# only one time
+		$slow_response = 0;
+	}
+	if ($qtype eq "TXT") {
+	    my $rr = new Net::DNS::RR($slowTXT);
+	    push @ans, $rr;
+	} else {
+	    my $rr = new Net::DNS::RR($slownegSOA);
+	    push @auth, $rr;
+	}
+	$rcode = "NOERROR";
+    } else {
+        my $rr = new Net::DNS::RR($SOA);
+	push @auth, $rr;
+	$rcode = "NXDOMAIN";
+    }
+
+    # mark the answer as authoritative (by setting the 'aa' flag)
+    return ($rcode, \@ans, \@auth, \@add, { aa => 1 });
+}
+
+GetOptions(
+    'port=i' => \$localport,
+);
+
+my $rin;
+my $rout;
+
+for (;;) {
+	$rin = '';
+	vec($rin, fileno($udpsock), 1) = 1;
+
+	select($rout = $rin, undef, undef, undef);
+
+	if (vec($rout, fileno($udpsock), 1)) {
+		my ($buf, $request, $err);
+		$udpsock->recv($buf, 512);
+
+		if ($Net::DNS::VERSION > 0.68) {
+			$request = new Net::DNS::Packet(\$buf, 0);
+			$@ and die $@;
+		} else {
+			my $err;
+			($request, $err) = new Net::DNS::Packet(\$buf, 0);
+			$err and die $err;
+		}
+
+		my @questions = $request->question;
+		my $qname = $questions[0]->qname;
+		my $qclass = $questions[0]->qclass;
+		my $qtype = $questions[0]->qtype;
+		my $id = $request->header->id;
+
+		my ($rcode, $ans, $auth, $add, $headermask) = reply_handler($qname, $qclass, $qtype);
+
+		if (!defined($rcode)) {
+			print "  Silently ignoring query\n";
+			next;
+		}
+
+		my $reply = Net::DNS::Packet->new();
+		$reply->header->qr(1);
+		$reply->header->aa(1) if $headermask->{'aa'};
+		$reply->header->id($id);
+		$reply->header->rcode($rcode);
+		$reply->push("question",   @questions);
+		$reply->push("answer",     @$ans)  if $ans;
+		$reply->push("authority",  @$auth) if $auth;
+		$reply->push("additional", @$add)  if $add;
+
+		my $num_chars = $udpsock->send($reply->data);
+		print "  Sent $num_chars bytes via UDP\n";
+	}
+}
diff --git a/bin/tests/system/serve-stale/clean.sh b/bin/tests/system/serve-stale/clean.sh
new file mode 100644
index 0000000..b4a0d50
--- /dev/null
+++ b/bin/tests/system/serve-stale/clean.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f dig.out*
+rm -f ns*/named.conf
+rm -f ns*/root.bk
+rm -f rndc.out.test*
+rm -f */named.run */named.memstats
+rm -f ns*/managed-keys.bind*
+rm -f ns*/named_dump*
+rm -f ns*/named.stats*
+rm -f ns*/named.run.prev
diff --git a/bin/tests/system/serve-stale/ns1/named1.conf.in b/bin/tests/system/serve-stale/ns1/named1.conf.in
new file mode 100644
index 0000000..c0dd5b8
--- /dev/null
+++ b/bin/tests/system/serve-stale/ns1/named1.conf.in
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion yes;
+	max-stale-ttl 3600;
+	stale-answer-ttl 4;
+	stale-answer-enable yes;
+	stale-cache-enable yes;
+	stale-refresh-time 30;
+	servfail-ttl 0;
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
diff --git a/bin/tests/system/serve-stale/ns1/named2.conf.in b/bin/tests/system/serve-stale/ns1/named2.conf.in
new file mode 100644
index 0000000..985cddb
--- /dev/null
+++ b/bin/tests/system/serve-stale/ns1/named2.conf.in
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion yes;
+	max-stale-ttl 20;
+	stale-answer-ttl 3;
+	stale-answer-enable yes;
+	stale-cache-enable yes;
+	servfail-ttl 0;
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
diff --git a/bin/tests/system/serve-stale/ns1/named3.conf.in b/bin/tests/system/serve-stale/ns1/named3.conf.in
new file mode 100644
index 0000000..23f1baa
--- /dev/null
+++ b/bin/tests/system/serve-stale/ns1/named3.conf.in
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion yes;
+	max-stale-ttl 20;
+	stale-answer-ttl 3;
+	stale-answer-enable yes;
+	stale-cache-enable yes;
+	stale-refresh-time 0;
+	servfail-ttl 0;
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
+
+zone "stale.test" {
+	type primary;
+	file "stale.test.db";
+};
diff --git a/bin/tests/system/serve-stale/ns1/root.db b/bin/tests/system/serve-stale/ns1/root.db
new file mode 100644
index 0000000..aef8e31
--- /dev/null
+++ b/bin/tests/system/serve-stale/ns1/root.db
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+.		300	SOA	. . 0 0 0 0 0
+.		300	NS	ns.nil.
+ns.nil.		300	A	10.53.0.1
+example.	300	NS	ns.example.
+ns.example.	300	A	10.53.0.2
+slow.		300	NS	ns.slow.
+ns.slow.	300	A	10.53.0.2
diff --git a/bin/tests/system/serve-stale/ns1/stale.test.db b/bin/tests/system/serve-stale/ns1/stale.test.db
new file mode 100644
index 0000000..d389e7c
--- /dev/null
+++ b/bin/tests/system/serve-stale/ns1/stale.test.db
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN stale.test.
+stale.test.		300	SOA	. . 0 0 0 0 0
+stale.test.		300	NS	ns.stale.test.
+ns.stale.test.		300	A	10.53.0.1
+cname1.stale.test.	1	CNAME	a1.stale.test.
+a1.stale.test.		1	A	192.0.2.1
+cname2.stale.test.	1	CNAME	a2.stale.test.
+a2.stale.test.		300	A	192.0.2.2
diff --git a/bin/tests/system/serve-stale/ns3/named1.conf.in b/bin/tests/system/serve-stale/ns3/named1.conf.in
new file mode 100644
index 0000000..09ad864
--- /dev/null
+++ b/bin/tests/system/serve-stale/ns3/named1.conf.in
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dump-file "named_dump3.db";
+};
+
+zone "." {
+	type secondary;
+	primaries { 10.53.0.1; };
+	file "root.bk";
+};
diff --git a/bin/tests/system/serve-stale/ns3/named2.conf.in b/bin/tests/system/serve-stale/ns3/named2.conf.in
new file mode 100644
index 0000000..a2b1d5a
--- /dev/null
+++ b/bin/tests/system/serve-stale/ns3/named2.conf.in
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Test default stale-answer-client-timeout value
+ */
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	dnssec-validation no;
+	recursion yes;
+	stale-answer-enable yes;
+	stale-cache-enable yes;
+	stale-answer-ttl 3;
+	stale-refresh-time 0;
+	stale-answer-client-timeout 1800;
+	recursive-clients 10; # CVE-2022-3924
+	max-stale-ttl 3600;
+	resolver-query-timeout 10;
+	qname-minimization disabled;
+};
+
+zone "." {
+	type hint;
+	file "root.db";
+};
diff --git a/bin/tests/system/serve-stale/ns3/named3.conf.in b/bin/tests/system/serve-stale/ns3/named3.conf.in
new file mode 100644
index 0000000..2d2a250
--- /dev/null
+++ b/bin/tests/system/serve-stale/ns3/named3.conf.in
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Test disable of stale-answer-client-timeout.
+ */
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	dnssec-validation no;
+	recursion yes;
+	stale-answer-enable yes;
+	stale-cache-enable yes;
+	stale-answer-ttl 3;
+	stale-refresh-time 0;
+	max-stale-ttl 3600;
+	resolver-query-timeout 10;
+};
+
+zone "." {
+	type hint;
+	file "root.db";
+};
diff --git a/bin/tests/system/serve-stale/ns3/named4.conf.in b/bin/tests/system/serve-stale/ns3/named4.conf.in
new file mode 100644
index 0000000..d04b3aa
--- /dev/null
+++ b/bin/tests/system/serve-stale/ns3/named4.conf.in
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Test stale-answer-client-timeout 0.
+ */
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	dnssec-validation no;
+	recursion yes;
+	stale-answer-enable yes;
+	stale-cache-enable yes;
+	stale-answer-ttl 3;
+	stale-answer-client-timeout 0;
+	stale-refresh-time 0;
+	resolver-query-timeout 10;
+	max-stale-ttl 3600;
+	recursive-clients 10;
+};
+
+zone "." {
+	type hint;
+	file "root.db";
+};
diff --git a/bin/tests/system/serve-stale/ns3/named5.conf.in b/bin/tests/system/serve-stale/ns3/named5.conf.in
new file mode 100644
index 0000000..35399b8
--- /dev/null
+++ b/bin/tests/system/serve-stale/ns3/named5.conf.in
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Test stale-answer-client-timeout 0.
+ */
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	dnssec-validation no;
+	recursion yes;
+	stale-answer-enable yes;
+	stale-cache-enable yes;
+	stale-answer-ttl 3;
+	stale-answer-client-timeout 0;
+	stale-refresh-time 4;
+	resolver-query-timeout 10;
+	max-stale-ttl 3600;
+};
+
+zone "." {
+	type hint;
+	file "root.db";
+};
diff --git a/bin/tests/system/serve-stale/ns3/named6.conf.in b/bin/tests/system/serve-stale/ns3/named6.conf.in
new file mode 100644
index 0000000..6e468d5
--- /dev/null
+++ b/bin/tests/system/serve-stale/ns3/named6.conf.in
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	dnssec-validation no;
+	recursion yes;
+	stale-answer-enable no;
+	stale-cache-enable yes;
+	stale-answer-ttl 3;
+	stale-refresh-time 4;
+	resolver-query-timeout 10;
+	fetches-per-zone 1 fail;
+	fetches-per-server 1 fail;
+	max-stale-ttl 3600;
+};
+
+zone "." {
+	type hint;
+	file "root.db";
+};
diff --git a/bin/tests/system/serve-stale/ns3/named7.conf.in b/bin/tests/system/serve-stale/ns3/named7.conf.in
new file mode 100644
index 0000000..3e05341
--- /dev/null
+++ b/bin/tests/system/serve-stale/ns3/named7.conf.in
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Test serve-stale interaction with fetch-limits (dual-mode).
+ */
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	dnssec-validation no;
+	recursion yes;
+	/*
+	 * stale-answer-enable is not strictly required because serving
+	 * stale answers is enabled in the test via rndc.
+	 */
+	stale-answer-enable yes;
+	stale-cache-enable yes;
+	stale-answer-ttl 3;
+	stale-refresh-time 4;
+	resolver-query-timeout 10;
+	fetches-per-zone 1 fail;
+	fetches-per-server 1 fail;
+	max-stale-ttl 3600;
+};
+
+zone "." {
+	type secondary;
+	primaries { 10.53.0.1; };
+	file "root.bk";
+};
diff --git a/bin/tests/system/serve-stale/ns3/named8.conf.in b/bin/tests/system/serve-stale/ns3/named8.conf.in
new file mode 100644
index 0000000..a292b5a
--- /dev/null
+++ b/bin/tests/system/serve-stale/ns3/named8.conf.in
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion yes;
+	stale-answer-enable yes;
+	stale-cache-enable yes;
+	stale-answer-client-timeout 1800;
+	prefetch 2 8;
+	dns64 2001:aaaa::/96 {
+		clients { any; };
+		mapped { any; };
+	};
+};
+
+zone "." {
+	type secondary;
+	primaries { 10.53.0.1; };
+	file "root.bk";
+};
diff --git a/bin/tests/system/serve-stale/ns3/root.db b/bin/tests/system/serve-stale/ns3/root.db
new file mode 100644
index 0000000..bbf039c
--- /dev/null
+++ b/bin/tests/system/serve-stale/ns3/root.db
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+.           300 NS  ns.nil.
+ns.nil.     300 A   10.53.0.1
diff --git a/bin/tests/system/serve-stale/ns4/named.conf.in b/bin/tests/system/serve-stale/ns4/named.conf.in
new file mode 100644
index 0000000..13a6d1d
--- /dev/null
+++ b/bin/tests/system/serve-stale/ns4/named.conf.in
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dump-file "named_dump.db";
+	stale-answer-enable no;
+};
+
+zone "." {
+	type secondary;
+	primaries { 10.53.0.1; };
+	file "root.bk";
+};
diff --git a/bin/tests/system/serve-stale/ns5/named.conf.in b/bin/tests/system/serve-stale/ns5/named.conf.in
new file mode 100644
index 0000000..9a6c444
--- /dev/null
+++ b/bin/tests/system/serve-stale/ns5/named.conf.in
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.5;
+	notify-source 10.53.0.5;
+	transfer-source 10.53.0.5;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.5; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dump-file "named_dump.db";
+	stale-answer-enable yes;
+	stale-cache-enable no;
+	max-cache-ttl 24h;
+};
+
+zone "." {
+	type secondary;
+	masters { 10.53.0.1; };
+	file "root.bk";
+};
diff --git a/bin/tests/system/serve-stale/prereq.sh b/bin/tests/system/serve-stale/prereq.sh
new file mode 100644
index 0000000..b42a5ed
--- /dev/null
+++ b/bin/tests/system/serve-stale/prereq.sh
@@ -0,0 +1,43 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if $PERL -e 'use Net::DNS;' 2>/dev/null
+then
+    if $PERL -e 'use Net::DNS; die if ($Net::DNS::VERSION >= 0.69 && $Net::DNS::VERSION <= 0.74);' 2>/dev/null
+    then
+        :
+    else
+        echo_i "Net::DNS versions 0.69 to 0.74 have bugs that cause this test to fail: please update." >&2
+        exit 1
+    fi
+else
+    echo_i "This test requires the Net::DNS library." >&2
+    exit 1
+fi
+if $PERL -e 'use Net::DNS::Nameserver;' 2>/dev/null
+then
+	:
+else
+	echo_i "This test requires the Net::DNS::Nameserver library." >&2
+	exit 1
+fi
+if $PERL -e 'use Time::HiRes;' 2>/dev/null
+then
+	:
+else
+	echo_i "This test requires the Time::HiRes library." >&2
+	exit 1
+fi
diff --git a/bin/tests/system/serve-stale/setup.sh b/bin/tests/system/serve-stale/setup.sh
new file mode 100644
index 0000000..7441e0c
--- /dev/null
+++ b/bin/tests/system/serve-stale/setup.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+
+copy_setports ns1/named1.conf.in ns1/named.conf
+copy_setports ns3/named1.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
diff --git a/bin/tests/system/serve-stale/tests.sh b/bin/tests/system/serve-stale/tests.sh
new file mode 100755
index 0000000..d4a52e6
--- /dev/null
+++ b/bin/tests/system/serve-stale/tests.sh
@@ -0,0 +1,2621 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s"
+DIG="$DIG +time=11"
+
+max_stale_ttl=$(sed -ne 's,^[[:space:]]*max-stale-ttl \([[:digit:]]*\).*,\1,p' $TOP_SRCDIR/bin/named/config.c)
+stale_answer_ttl=$(sed -ne 's,^[[:space:]]*stale-answer-ttl \([[:digit:]]*\).*,\1,p' $TOP_SRCDIR/bin/named/config.c)
+
+status=0
+n=0
+
+#
+# First test server with serve-stale options set.
+#
+echo_i "test server with serve-stale options set"
+
+n=$((n+1))
+echo_i "prime cache longttl.example TXT ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.1 longttl.example TXT > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache data.example TXT ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache othertype.example CAA ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.1 othertype.example CAA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache nodata.example TXT ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.1 nodata.example TXT > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache nxdomain.example TXT ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT > dig.out.test$n
+grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "verify prime cache statistics ($n)"
+ret=0
+rm -f ns1/named.stats
+$RNDCCMD 10.53.0.1 stats > /dev/null 2>&1
+[ -f ns1/named.stats ] || ret=1
+cp ns1/named.stats ns1/named.stats.$n
+# Check first 10 lines of Cache DB statistics.  After prime queries, we expect
+# two active TXT, one active Others, one nxrrset TXT, and one NXDOMAIN.
+grep -A 10 "++ Cache DB RRsets ++" ns1/named.stats.$n > ns1/named.stats.$n.cachedb || ret=1
+grep "1 Others" ns1/named.stats.$n.cachedb > /dev/null || ret=1
+grep "2 TXT" ns1/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 !TXT" ns1/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 NXDOMAIN" ns1/named.stats.$n.cachedb > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "disable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt disable  > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check 'rndc serve-stale status' ($n)"
+ret=0
+$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1
+grep '_default: on (stale-answer-ttl=4 max-stale-ttl=3600 stale-refresh-time=30)' rndc.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+sleep 2
+
+# Run rndc dumpdb, test whether the stale data has correct comment printed.
+# The max-stale-ttl is 3600 seconds, so the comment should say the data is
+# stale for somewhere between 3500-3599 seconds.
+echo_i "check rndc dump stale data.example ($n)"
+rndc_dumpdb ns1 || ret=1
+awk '/; stale/ { x=$0; getline; print x, $0}' ns1/named_dump.db.test$n |
+    grep "; stale data\.example.*3[56]...*TXT.*A text record with a 2 second ttl" > /dev/null 2>&1 || ret=1
+# Also make sure the not expired data does not have a stale comment.
+awk '/; answer/ { x=$0; getline; print x, $0}' ns1/named_dump.db.test$n |
+    grep "; answer longttl\.example.*[56]...*TXT.*A text record with a 600 second ttl" > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "sending queries for tests $((n+1))-$((n+4))..."
+$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$((n+1)) &
+$DIG -p ${PORT} @10.53.0.1 longttl.example TXT > dig.out.test$((n+2)) &
+$DIG -p ${PORT} @10.53.0.1 othertype.example CAA > dig.out.test$((n+3)) &
+$DIG -p ${PORT} @10.53.0.1 nodata.example TXT > dig.out.test$((n+4)) &
+$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT > dig.out.test$((n+5))
+
+wait
+
+n=$((n+1))
+echo_i "check stale data.example TXT ($n)"
+ret=0
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.example\..*4.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check non-stale longttl.example TXT ($n)"
+ret=0
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "longttl\.example\..*59[0-9].*IN.*TXT.*A text record with a 600 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check stale othertype.example CAA ($n)"
+ret=0
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "othertype\.example\..*4.*IN.*CAA.*0.*issue" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check stale nodata.example TXT ($n)"
+ret=0
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "example\..*4.*IN.*SOA" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check stale nxdomain.example TXT ($n)"
+ret=0
+grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "example\..*4.*IN.*SOA" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "verify stale cache statistics ($n)"
+ret=0
+rm -f ns1/named.stats
+$RNDCCMD 10.53.0.1 stats > /dev/null 2>&1
+[ -f ns1/named.stats ] || ret=1
+cp ns1/named.stats ns1/named.stats.$n
+# Check first 10 lines of Cache DB statistics.  After serve-stale queries, we
+# expect one active TXT RRset, one stale TXT, one stale nxrrset TXT, and one
+# stale NXDOMAIN.
+grep -A 10 "++ Cache DB RRsets ++" ns1/named.stats.$n > ns1/named.stats.$n.cachedb || ret=1
+grep "1 TXT" ns1/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 #Others" ns1/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 #TXT" ns1/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 #!TXT" ns1/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 #NXDOMAIN" ns1/named.stats.$n.cachedb > /dev/null || ret=1
+status=$((status+ret))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+
+# Test stale-refresh-time when serve-stale is enabled via configuration.
+# Steps for testing stale-refresh-time option (default).
+# 1. Prime cache data.example txt
+# 2. Disable responses from authoritative server.
+# 3. Sleep for TTL duration so rrset TTL expires (2 sec)
+# 4. Query data.example
+# 5. Check if response come from stale rrset (4 sec TTL)
+# 6. Enable responses from authoritative server.
+# 7. Query data.example
+# 8. Check if response come from stale rrset, since the query
+#    is within stale-refresh-time window.
+n=$((n+1))
+echo_i "check 'rndc serve-stale status' ($n)"
+ret=0
+$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1
+grep '_default: on (stale-answer-ttl=4 max-stale-ttl=3600 stale-refresh-time=30)' rndc.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Step 1-3 done above.
+
+# Step 4.
+n=$((n+1))
+echo_i "sending query for test ($n)"
+$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$n
+
+# Step 5.
+echo_i "check stale data.example TXT (stale-refresh-time) ($n)"
+ret=0
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.example\..*4.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Step 6.
+n=$((n+1))
+echo_i "enable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Step 7.
+echo_i "sending query for test $((n+1))"
+$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$((n+1))
+
+# Step 8.
+n=$((n+1))
+echo_i "check stale data.example TXT comes from cache (stale-refresh-time) ($n)"
+ret=0
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.example\..*4.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+#
+# Test disabling serve-stale via rndc.
+#
+n=$((n+1))
+echo_i "disable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt disable  > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "running 'rndc serve-stale off' ($n)"
+ret=0
+$RNDCCMD 10.53.0.1 serve-stale off || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check 'rndc serve-stale status' ($n)"
+ret=0
+$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1
+grep '_default: off (rndc) (stale-answer-ttl=4 max-stale-ttl=3600 stale-refresh-time=30)' rndc.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "sending queries for tests $((n+1))-$((n+4))..."
+$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$((n+1)) &
+$DIG -p ${PORT} @10.53.0.1 othertype.example CAA > dig.out.test$((n+2)) &
+$DIG -p ${PORT} @10.53.0.1 nodata.example TXT > dig.out.test$((n+3)) &
+$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT > dig.out.test$((n+4))
+
+wait
+
+n=$((n+1))
+echo_i "check stale data.example TXT (serve-stale off) ($n)"
+ret=0
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check stale othertype.example CAA (serve-stale off) ($n)"
+ret=0
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check stale nodata.example TXT (serve-stale off) ($n)"
+ret=0
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check stale nxdomain.example TXT (serve-stale off) ($n)"
+ret=0
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+#
+# Test enabling serve-stale via rndc.
+#
+n=$((n+1))
+echo_i "running 'rndc serve-stale on' ($n)"
+ret=0
+$RNDCCMD 10.53.0.1 serve-stale on || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check 'rndc serve-stale status' ($n)"
+ret=0
+$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1
+grep '_default: on (rndc) (stale-answer-ttl=4 max-stale-ttl=3600 stale-refresh-time=30)' rndc.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "sending queries for tests $((n+1))-$((n+4))..."
+$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$((n+1)) &
+$DIG -p ${PORT} @10.53.0.1 othertype.example CAA > dig.out.test$((n+2)) &
+$DIG -p ${PORT} @10.53.0.1 nodata.example TXT > dig.out.test$((n+3)) &
+$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT > dig.out.test$((n+4))
+
+wait
+
+n=$((n+1))
+echo_i "check stale data.example TXT (serve-stale on) ($n)"
+ret=0
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.example\..*4.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check stale othertype.example CAA (serve-stale on) ($n)"
+ret=0
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "othertype\.example\..*4.*IN.*CAA.*0.*issue" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check stale nodata.example TXT (serve-stale on) ($n)"
+ret=0
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "example\..*4.*IN.*SOA" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check stale nxdomain.example TXT (serve-stale on) ($n)"
+ret=0
+grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "example\..*4.*IN.*SOA" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "running 'rndc serve-stale off' ($n)"
+ret=0
+$RNDCCMD 10.53.0.1 serve-stale off || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "running 'rndc serve-stale reset' ($n)"
+ret=0
+$RNDCCMD 10.53.0.1 serve-stale reset || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check 'rndc serve-stale status' ($n)"
+ret=0
+$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1
+grep '_default: on (stale-answer-ttl=4 max-stale-ttl=3600 stale-refresh-time=30)' rndc.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "sending queries for tests $((n+1))-$((n+4))..."
+$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$((n+1)) &
+$DIG -p ${PORT} @10.53.0.1 othertype.example CAA > dig.out.test$((n+2)) &
+$DIG -p ${PORT} @10.53.0.1 nodata.example TXT > dig.out.test$((n+3)) &
+$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT > dig.out.test$((n+4))
+
+wait
+
+n=$((n+1))
+echo_i "check stale data.example TXT (serve-stale reset) ($n)"
+ret=0
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.example\..*4.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check stale othertype.example CAA (serve-stale reset) ($n)"
+ret=0
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "othertype.example\..*4.*IN.*CAA.*0.*issue" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check stale nodata.example TXT (serve-stale reset) ($n)"
+ret=0
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "example\..*4.*IN.*SOA" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check stale nxdomain.example TXT (serve-stale reset) ($n)"
+ret=0
+grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "example\..*4.*IN.*SOA" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "running 'rndc serve-stale off' ($n)"
+ret=0
+$RNDCCMD 10.53.0.1 serve-stale off || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check 'rndc serve-stale status' ($n)"
+ret=0
+$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1
+grep '_default: off (rndc) (stale-answer-ttl=4 max-stale-ttl=3600 stale-refresh-time=30)' rndc.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+#
+# Update named.conf.
+# Test server with low max-stale-ttl.
+#
+echo_i "test server with serve-stale options set, low max-stale-ttl"
+
+n=$((n+1))
+echo_i "updating ns1/named.conf ($n)"
+ret=0
+copy_setports ns1/named2.conf.in ns1/named.conf
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "running 'rndc reload' ($n)"
+ret=0
+rndc_reload ns1 10.53.0.1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check 'rndc serve-stale status' ($n)"
+ret=0
+$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1
+grep '_default: off (rndc) (stale-answer-ttl=3 max-stale-ttl=20 stale-refresh-time=30)' rndc.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "flush cache, re-enable serve-stale and query again ($n)"
+ret=0
+$RNDCCMD 10.53.0.1 flushtree example > rndc.out.test$n.1 2>&1 || ret=1
+$RNDCCMD 10.53.0.1 serve-stale on > rndc.out.test$n.2 2>&1 || ret=1
+$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$n
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check 'rndc serve-stale status' ($n)"
+ret=0
+$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1
+grep '_default: on (rndc) (stale-answer-ttl=3 max-stale-ttl=20 stale-refresh-time=30)' rndc.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "enable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt enable  > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache longttl.example TXT (low max-stale-ttl) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.1 longttl.example TXT > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache data.example TXT (low max-stale-ttl) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache othertype.example CAA (low max-stale-ttl) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.1 othertype.example CAA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache nodata.example TXT (low max-stale-ttl) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.1 nodata.example TXT > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache nxdomain.example TXT (low max-stale-ttl) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT > dig.out.test$n
+grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Keep track of time so we can access these RRset later, when we expect them
+# to become ancient.
+t1=`$PERL -e 'print time()'`
+
+n=$((n+1))
+echo_i "verify prime cache statistics (low max-stale-ttl) ($n)"
+ret=0
+rm -f ns1/named.stats
+$RNDCCMD 10.53.0.1 stats > /dev/null 2>&1
+[ -f ns1/named.stats ] || ret=1
+cp ns1/named.stats ns1/named.stats.$n
+# Check first 10 lines of Cache DB statistics.  After prime queries, we expect
+# two active TXT RRsets, one active Others, one nxrrset TXT, and one NXDOMAIN.
+grep -A 10 "++ Cache DB RRsets ++" ns1/named.stats.$n > ns1/named.stats.$n.cachedb || ret=1
+grep "2 TXT" ns1/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 Others" ns1/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 !TXT" ns1/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 NXDOMAIN" ns1/named.stats.$n.cachedb > /dev/null || ret=1
+status=$((status+ret))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+
+n=$((n+1))
+echo_i "disable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt disable  > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+sleep 2
+
+echo_i "sending queries for tests $((n+1))-$((n+4))..."
+$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$((n+1)) &
+$DIG -p ${PORT} @10.53.0.1 othertype.example CAA > dig.out.test$((n+2)) &
+$DIG -p ${PORT} @10.53.0.1 nodata.example TXT > dig.out.test$((n+3)) &
+$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT > dig.out.test$((n+4))
+
+wait
+
+n=$((n+1))
+echo_i "check stale data.example TXT (low max-stale-ttl) ($n)"
+ret=0
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check stale othertype.example CAA (low max-stale-ttl) ($n)"
+ret=0
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "othertype\.example\..*3.*IN.*CAA.*0.*issue" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check stale nodata.example TXT (low max-stale-ttl) ($n)"
+ret=0
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "example\..*3.*IN.*SOA" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check stale nxdomain.example TXT (low max-stale-ttl) ($n)"
+ret=0
+grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "example\..*3.*IN.*SOA" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "verify stale cache statistics (low max-stale-ttl) ($n)"
+ret=0
+rm -f ns1/named.stats
+$RNDCCMD 10.53.0.1 stats > /dev/null 2>&1
+[ -f ns1/named.stats ] || ret=1
+cp ns1/named.stats ns1/named.stats.$n
+# Check first 10 lines of Cache DB statistics.  After serve-stale queries, we
+# expect one active TXT RRset, one stale TXT, one stale nxrrset TXT, and one
+# stale NXDOMAIN.
+grep -A 10 "++ Cache DB RRsets ++" ns1/named.stats.$n > ns1/named.stats.$n.cachedb || ret=1
+grep "1 TXT" ns1/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 #TXT" ns1/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 #Others" ns1/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 #!TXT" ns1/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 #NXDOMAIN" ns1/named.stats.$n.cachedb > /dev/null || ret=1
+
+status=$((status+ret))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+
+# Retrieve max-stale-ttl value.
+interval_to_ancient=`grep 'max-stale-ttl' ns1/named2.conf.in  | awk '{ print $2 }' | tr -d ';'`
+# We add 2 seconds to it since this is the ttl value of the records being
+# tested.
+interval_to_ancient=$((interval_to_ancient + 2))
+t2=`$PERL -e 'print time()'`
+elapsed=$((t2 - t1))
+
+# If elapsed time so far is less than max-stale-ttl + 2 seconds, then we sleep
+# enough to ensure that we'll ask for ancient RRsets in the next queries.
+if [ $elapsed -lt $interval_to_ancient ]; then
+    sleep $((interval_to_ancient - elapsed))
+fi
+
+echo_i "sending queries for tests $((n+1))-$((n+4))..."
+$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$((n+1)) &
+$DIG -p ${PORT} @10.53.0.1 othertype.example CAA > dig.out.test$((n+2)) &
+$DIG -p ${PORT} @10.53.0.1 nodata.example TXT > dig.out.test$((n+3)) &
+$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT > dig.out.test$((n+4))
+
+wait
+
+n=$((n+1))
+echo_i "check ancient data.example TXT (low max-stale-ttl) ($n)"
+ret=0
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check ancient othertype.example CAA (low max-stale-ttl) ($n)"
+ret=0
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check ancient nodata.example TXT (low max-stale-ttl) ($n)"
+ret=0
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check ancient nxdomain.example TXT (low max-stale-ttl) ($n)"
+ret=0
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Test stale-refresh-time when serve-stale is enabled via rndc.
+# Steps for testing stale-refresh-time option (default).
+# 1. Prime cache data.example txt
+# 2. Disable responses from authoritative server.
+# 3. Sleep for TTL duration so rrset TTL expires (2 sec)
+# 4. Query data.example
+# 5. Check if response come from stale rrset (3 sec TTL)
+# 6. Enable responses from authoritative server.
+# 7. Query data.example
+# 8. Check if response come from stale rrset, since the query
+#    is within stale-refresh-time window.
+n=$((n+1))
+echo_i "flush cache, enable responses from authoritative server ($n)"
+ret=0
+$RNDCCMD 10.53.0.1 flushtree example > rndc.out.test$n.1 2>&1 || ret=1
+$DIG -p ${PORT} @10.53.0.2 txt enable  > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check 'rndc serve-stale status' ($n)"
+ret=0
+$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1
+grep '_default: on (rndc) (stale-answer-ttl=3 max-stale-ttl=20 stale-refresh-time=30)' rndc.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Step 1.
+n=$((n+1))
+echo_i "prime cache data.example TXT (stale-refresh-time rndc) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.example\..*2.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Step 2.
+n=$((n+1))
+echo_i "disable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt disable  > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Step 3.
+sleep 2
+
+# Step 4.
+n=$((n+1))
+echo_i "sending query for test ($n)"
+$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$n
+
+# Step 5.
+echo_i "check stale data.example TXT (stale-refresh-time rndc) ($n)"
+ret=0
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Step 6.
+n=$((n+1))
+echo_i "enable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Step 7.
+echo_i "sending query for test $((n+1))"
+$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$((n+1))
+
+# Step 8.
+n=$((n+1))
+echo_i "check stale data.example TXT comes from cache (stale-refresh-time rndc) ($n)"
+ret=0
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Steps for testing stale-refresh-time option (disabled).
+# 1. Prime cache data.example txt
+# 2. Disable responses from authoritative server.
+# 3. Sleep for TTL duration so rrset TTL expires (2 sec)
+# 4. Query data.example
+# 5. Check if response come from stale rrset (3 sec TTL)
+# 6. Enable responses from authoritative server.
+# 7. Query data.example
+# 8. Check if response come from stale rrset, since the query
+#    is within stale-refresh-time window.
+n=$((n+1))
+echo_i "updating ns1/named.conf ($n)"
+ret=0
+copy_setports ns1/named3.conf.in ns1/named.conf
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "running 'rndc reload' ($n)"
+ret=0
+rndc_reload ns1 10.53.0.1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check 'rndc serve-stale status' ($n)"
+ret=0
+$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1
+grep '_default: on (rndc) (stale-answer-ttl=3 max-stale-ttl=20 stale-refresh-time=0)' rndc.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "flush cache, enable responses from authoritative server ($n)"
+ret=0
+$RNDCCMD 10.53.0.1 flushtree example > rndc.out.test$n.1 2>&1 || ret=1
+$DIG -p ${PORT} @10.53.0.2 txt enable  > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Step 1.
+n=$((n+1))
+echo_i "prime cache data.example TXT (stale-refresh-time disabled) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.example\..*2.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Step 2.
+n=$((n+1))
+echo_i "disable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt disable  > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Step 3.
+sleep 2
+
+# Step 4.
+n=$((n+1))
+echo_i "sending query for test ($n)"
+$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$n
+
+# Step 5.
+echo_i "check stale data.example TXT (stale-refresh-time disabled) ($n)"
+ret=0
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Step 6.
+n=$((n+1))
+echo_i "enable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Step 7.
+echo_i "sending query for test $((n+1))"
+$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$((n+1))
+
+# Step 8.
+n=$((n+1))
+echo_i "check data.example TXT comes from authoritative (stale-refresh-time disabled) ($n)"
+ret=0
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.example\..*2.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+#
+# Now test server with no serve-stale options set.
+#
+echo_i "test server with no serve-stale options set"
+
+n=$((n+1))
+echo_i "enable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt enable  > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache longttl.example TXT (max-stale-ttl default) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.3 longttl.example TXT > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache data.example TXT (max-stale-ttl default) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.example\..*2.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache othertype.example CAA (max-stale-ttl default) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.3 othertype.example CAA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "othertype\.example\..*2.*IN.*CAA.*0.*issue" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache nodata.example TXT (max-stale-ttl default) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.3 nodata.example TXT > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "example\..*2.*IN.*SOA" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache nxdomain.example TXT (max-stale-ttl default) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.3 nxdomain.example TXT > dig.out.test$n
+grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "example\..*2.*IN.*SOA" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "verify prime cache statistics (max-stale-ttl default) ($n)"
+ret=0
+rm -f ns3/named.stats
+$RNDCCMD 10.53.0.3 stats > /dev/null 2>&1
+[ -f ns3/named.stats ] || ret=1
+cp ns3/named.stats ns3/named.stats.$n
+# Check first 10 lines of Cache DB statistics.  After prime queries, we expect
+# two active TXT RRsets, one active Others, one nxrrset TXT, and one NXDOMAIN.
+grep -A 10 "++ Cache DB RRsets ++" ns3/named.stats.$n > ns3/named.stats.$n.cachedb || ret=1
+grep "2 TXT" ns3/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 Others" ns3/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 !TXT" ns3/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 NXDOMAIN" ns3/named.stats.$n.cachedb > /dev/null || ret=1
+status=$((status+ret))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+
+n=$((n+1))
+echo_i "disable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt disable  > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check 'rndc serve-stale status' ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 serve-stale status > rndc.out.test$n 2>&1 || ret=1
+grep "_default: off (stale-answer-ttl=$stale_answer_ttl max-stale-ttl=$max_stale_ttl stale-refresh-time=30)" rndc.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+sleep 2
+
+echo_i "sending queries for tests $((n+1))-$((n+4))..."
+$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$((n+1)) &
+$DIG -p ${PORT} @10.53.0.3 othertype.example CAA > dig.out.test$((n+2)) &
+$DIG -p ${PORT} @10.53.0.3 nodata.example TXT > dig.out.test$((n+3)) &
+$DIG -p ${PORT} @10.53.0.3 nxdomain.example TXT > dig.out.test$((n+4))
+
+wait
+
+n=$((n+1))
+echo_i "check fail of data.example TXT (max-stale-ttl default) ($n)"
+ret=0
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check fail of othertype.example CAA (max-stale-ttl default) ($n)"
+ret=0
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check fail of nodata.example TXT (max-stale-ttl default) ($n)"
+ret=0
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check fail of nxdomain.example TXT (max-stale-ttl default) ($n)"
+ret=0
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "verify stale cache statistics (max-stale-ttl default) ($n)"
+ret=0
+rm -f ns3/named.stats
+$RNDCCMD 10.53.0.3 stats > /dev/null 2>&1
+[ -f ns3/named.stats ] || ret=1
+cp ns3/named.stats ns3/named.stats.$n
+# Check first 10 lines of Cache DB statistics. After last queries, we expect
+# one active TXT RRset, one stale TXT, one stale nxrrset TXT, and one stale
+# NXDOMAIN.
+grep -A 10 "++ Cache DB RRsets ++" ns3/named.stats.$n > ns3/named.stats.$n.cachedb || ret=1
+grep "1 TXT" ns3/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 #TXT" ns3/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 #Others" ns3/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 #!TXT" ns3/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 #NXDOMAIN" ns3/named.stats.$n.cachedb > /dev/null || ret=1
+
+status=$((status+ret))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+
+n=$((n+1))
+echo_i "check 'rndc serve-stale on' ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 serve-stale on > rndc.out.test$n 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check 'rndc serve-stale status' ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 serve-stale status > rndc.out.test$n 2>&1 || ret=1
+grep "_default: on (rndc) (stale-answer-ttl=$stale_answer_ttl max-stale-ttl=$max_stale_ttl stale-refresh-time=30)" rndc.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+sleep 2
+
+# Check that if we don't have stale data for a domain name, we will
+# not answer anything until the resolver query timeout.
+n=$((n+1))
+echo_i "check notincache.example TXT times out (max-stale-ttl default) ($n)"
+ret=0
+$DIG -p ${PORT} +tries=1 +timeout=3  @10.53.0.3 notfound.example TXT > dig.out.test$n 2>&1
+grep "connection timed out" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "sending queries for tests $((n+1))-$((n+4))..."
+$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$((n+1)) &
+$DIG -p ${PORT} @10.53.0.3 othertype.example CAA > dig.out.test$((n+2)) &
+$DIG -p ${PORT} @10.53.0.3 nodata.example TXT > dig.out.test$((n+3)) &
+$DIG -p ${PORT} @10.53.0.3 nxdomain.example TXT > dig.out.test$((n+4)) &
+$DIG -p ${PORT} @10.53.0.3 notfound.example TXT > dig.out.test$((n+5))
+
+wait
+
+n=$((n+1))
+echo_i "check data.example TXT (max-stale-ttl default) ($n)"
+ret=0
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.example\..*30.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check othertype.example CAA (max-stale-ttl default) ($n)"
+ret=0
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "example\..*30.*IN.*CAA.*0.*issue" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check nodata.example TXT (max-stale-ttl default) ($n)"
+ret=0
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "example\..*30.*IN.*SOA" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check nxdomain.example TXT (max-stale-ttl default) ($n)"
+ret=0
+grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "example\..*30.*IN.*SOA" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# The notfound.example check is different than nxdomain.example because
+# we didn't send a prime query to add notfound.example to the cache.
+n=$((n+1))
+echo_i "check notfound.example TXT (max-stale-ttl default) ($n)"
+ret=0
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+#
+# Now test server with serve-stale answers disabled.
+#
+echo_i "test server with serve-stale disabled"
+
+n=$((n+1))
+echo_i "enable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt enable  > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache longttl.example TTL (serve-stale answers disabled) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.4 longttl.example TXT > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache data.example TTL (serve-stale answers disabled) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.4 data.example TXT > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.example\..*2.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache othertype.example CAA (serve-stale answers disabled) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.4 othertype.example CAA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "othertype\.example\..*2.*IN.*CAA.*0.*issue" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache nodata.example TXT (serve-stale answers disabled) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.4 nodata.example TXT > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "example\..*2.*IN.*SOA" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache nxdomain.example TXT (serve-stale answers disabled) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.4 nxdomain.example TXT > dig.out.test$n
+grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "example\..*2.*IN.*SOA" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "verify prime cache statistics (serve-stale answers disabled) ($n)"
+ret=0
+rm -f ns4/named.stats
+$RNDCCMD 10.53.0.4 stats > /dev/null 2>&1
+[ -f ns4/named.stats ] || ret=1
+cp ns4/named.stats ns4/named.stats.$n
+# Check first 10 lines of Cache DB statistics.  After prime queries, we expect
+# two active TXT RRsets, one active Others, one nxrrset TXT, and one NXDOMAIN.
+grep -A 10 "++ Cache DB RRsets ++" ns4/named.stats.$n > ns4/named.stats.$n.cachedb || ret=1
+grep "2 TXT" ns4/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 Others" ns4/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 !TXT" ns4/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 NXDOMAIN" ns4/named.stats.$n.cachedb > /dev/null || ret=1
+status=$((status+ret))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+
+n=$((n+1))
+echo_i "disable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt disable  > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check 'rndc serve-stale status' ($n)"
+ret=0
+$RNDCCMD 10.53.0.4 serve-stale status > rndc.out.test$n 2>&1 || ret=1
+grep "_default: off (stale-answer-ttl=$stale_answer_ttl max-stale-ttl=$max_stale_ttl stale-refresh-time=30)" rndc.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+sleep 2
+
+echo_i "sending queries for tests $((n+1))-$((n+4))..."
+$DIG -p ${PORT} @10.53.0.4 data.example TXT > dig.out.test$((n+1)) &
+$DIG -p ${PORT} @10.53.0.4 othertype.example CAA > dig.out.test$((n+2)) &
+$DIG -p ${PORT} @10.53.0.4 nodata.example TXT > dig.out.test$((n+3)) &
+$DIG -p ${PORT} @10.53.0.4 nxdomain.example TXT > dig.out.test$((n+4))
+
+wait
+
+n=$((n+1))
+echo_i "check fail of data.example TXT (serve-stale answers disabled) ($n)"
+ret=0
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check fail of othertype.example TXT (serve-stale answers disabled) ($n)"
+ret=0
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check fail of nodata.example TXT (serve-stale answers disabled) ($n)"
+ret=0
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check fail of nxdomain.example TXT (serve-stale answers disabled) ($n)"
+ret=0
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "verify stale cache statistics (serve-stale answers disabled) ($n)"
+ret=0
+rm -f ns4/named.stats
+$RNDCCMD 10.53.0.4 stats > /dev/null 2>&1
+[ -f ns4/named.stats ] || ret=1
+cp ns4/named.stats ns4/named.stats.$n
+# Check first 10 lines of Cache DB statistics. After last queries, we expect
+# one active TXT RRset, one stale TXT, one stale nxrrset TXT, and one stale
+# NXDOMAIN.
+grep -A 10 "++ Cache DB RRsets ++" ns4/named.stats.$n > ns4/named.stats.$n.cachedb || ret=1
+grep "1 TXT" ns4/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 #TXT" ns4/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 #Others" ns4/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 #!TXT" ns4/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 #NXDOMAIN" ns4/named.stats.$n.cachedb > /dev/null || ret=1
+status=$((status+ret))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+
+# Dump the cache.
+n=$((n+1))
+echo_i "dump the cache (serve-stale answers disabled) ($n)"
+ret=0
+rndc_dumpdb ns4 -cache || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "stop ns4"
+stop_server --use-rndc --port ${CONTROLPORT} ns4
+
+# Load the cache as if it was five minutes (RBTDB_VIRTUAL) older. Since
+# max-stale-ttl defaults to a week, we need to adjust the date by one week and
+# five minutes.
+LASTWEEK=`TZ=UTC perl -e 'my $now = time();
+        my $oneWeekAgo = $now - 604800;
+        my $fiveMinutesAgo = $oneWeekAgo - 300;
+        my ($s, $m, $h, $d, $mo, $y) = (localtime($fiveMinutesAgo))[0, 1, 2, 3, 4, 5];
+        printf("%04d%02d%02d%02d%02d%02d", $y+1900, $mo+1, $d, $h, $m, $s);'`
+
+echo_i "mock the cache date to $LASTWEEK (serve-stale answers disabled) ($n)"
+ret=0
+sed -E "s/DATE [0-9]{14}/DATE $LASTWEEK/g" ns4/named_dump.db.test$n > ns4/named_dump.db.out || ret=1
+cp ns4/named_dump.db.out ns4/named_dump.db
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "start ns4"
+start_server --noclean --restart --port ${PORT} ns4
+
+n=$((n+1))
+echo_i "verify ancient cache statistics (serve-stale answers disabled) ($n)"
+ret=0
+rm -f ns4/named.stats
+$RNDCCMD 10.53.0.4 stats #> /dev/null 2>&1
+[ -f ns4/named.stats ] || ret=1
+cp ns4/named.stats ns4/named.stats.$n
+# Check first 10 lines of Cache DB statistics. After last queries, we expect
+# everything to be removed or scheduled to be removed.
+grep -A 10 "++ Cache DB RRsets ++" ns4/named.stats.$n > ns4/named.stats.$n.cachedb || ret=1
+grep "#TXT" ns4/named.stats.$n.cachedb > /dev/null && ret=1
+grep "#Others" ns4/named.stats.$n.cachedb > /dev/null && ret=1
+grep "#!TXT" ns4/named.stats.$n.cachedb > /dev/null && ret=1
+grep "#NXDOMAIN" ns4/named.stats.$n.cachedb > /dev/null && ret=1
+status=$((status+ret))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+
+#
+# Test the server with stale-cache disabled.
+#
+echo_i "test server with serve-stale cache disabled"
+
+n=$((n+1))
+echo_i "enable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt enable  > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache longttl.example TXT (serve-stale cache disabled) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.5 longttl.example TXT > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache data.example TXT (serve-stale cache disabled) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.5 data.example TXT > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.example\..*2.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache othertype.example CAA (serve-stale cache disabled) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.5 othertype.example CAA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "othertype\.example\..*2.*IN.*CAA.*0.*issue" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache nodata.example TXT (serve-stale cache disabled) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.5 nodata.example TXT > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "example\..*2.*IN.*SOA" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache nxdomain.example TXT (serve-stale cache disabled) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.5 nxdomain.example TXT > dig.out.test$n
+grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "example\..*2.*IN.*SOA" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "verify prime cache statistics (serve-stale cache disabled) ($n)"
+ret=0
+rm -f ns5/named.stats
+$RNDCCMD 10.53.0.5 stats > /dev/null 2>&1
+[ -f ns5/named.stats ] || ret=1
+cp ns5/named.stats ns5/named.stats.$n
+# Check first 10 lines of Cache DB statistics.  After serve-stale queries,
+# we expect two active TXT RRsets, one active Others, one nxrrset TXT, and
+# one NXDOMAIN.
+grep -A 10 "++ Cache DB RRsets ++" ns5/named.stats.$n > ns5/named.stats.$n.cachedb || ret=1
+grep "2 TXT" ns5/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 Others" ns5/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 !TXT" ns5/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 NXDOMAIN" ns5/named.stats.$n.cachedb > /dev/null || ret=1
+status=$((status+ret))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+
+n=$((n+1))
+echo_i "disable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt disable  > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check 'rndc serve-stale status' ($n)"
+ret=0
+$RNDCCMD 10.53.0.5 serve-stale status > rndc.out.test$n 2>&1 || ret=1
+grep "_default: off (not-cached)" rndc.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+sleep 2
+
+echo_i "sending queries for tests $((n+1))-$((n+4))..."
+$DIG -p ${PORT} @10.53.0.5 data.example TXT > dig.out.test$((n+1)) &
+$DIG -p ${PORT} @10.53.0.5 othertype.example CAA > dig.out.test$((n+2)) &
+$DIG -p ${PORT} @10.53.0.5 nodata.example TXT > dig.out.test$((n+3)) &
+$DIG -p ${PORT} @10.53.0.5 nxdomain.example TXT > dig.out.test$((n+4))
+
+wait
+
+n=$((n+1))
+echo_i "check fail of data.example TXT (serve-stale cache disabled) ($n)"
+ret=0
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check fail of othertype.example CAA (serve-stale cache disabled) ($n)"
+ret=0
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check fail of nodata.example TXT (serve-stale cache disabled) ($n)"
+ret=0
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check fail of nxdomain.example TXT (serve-stale cache disabled) ($n)"
+ret=0
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "verify stale cache statistics (serve-stale cache disabled) ($n)"
+ret=0
+rm -f ns5/named.stats
+$RNDCCMD 10.53.0.5 stats > /dev/null 2>&1
+[ -f ns5/named.stats ] || ret=1
+cp ns5/named.stats ns5/named.stats.$n
+# Check first 10 lines of Cache DB statistics.  After serve-stale queries,
+# we expect one active TXT (longttl) and the rest to be expired from cache,
+# but since we keep everything for 5 minutes (RBTDB_VIRTUAL) in the cache
+# after expiry, they still show up in the stats.
+grep -A 10 "++ Cache DB RRsets ++" ns5/named.stats.$n > ns5/named.stats.$n.cachedb || ret=1
+grep -F "1 Others" ns5/named.stats.$n.cachedb > /dev/null || ret=1
+grep -F "2 TXT" ns5/named.stats.$n.cachedb > /dev/null || ret=1
+grep -F "1 !TXT" ns5/named.stats.$n.cachedb > /dev/null || ret=1
+grep -F "1 NXDOMAIN" ns5/named.stats.$n.cachedb > /dev/null || ret=1
+status=$((status+ret))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+
+# Dump the cache.
+n=$((n+1))
+echo_i "dump the cache (serve-stale cache disabled) ($n)"
+ret=0
+rndc_dumpdb ns5 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+# Check that expired records are not dumped.
+ret=0
+grep "; expired since .* (awaiting cleanup)" ns5/named_dump.db.test$n && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Dump the cache including expired entries.
+n=$((n+1))
+echo_i "dump the cache including expired entries (serve-stale cache disabled) ($n)"
+ret=0
+rndc_dumpdb ns5 -expired || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Check that expired records are dumped.
+echo_i "check rndc dump expired data.example ($n)"
+ret=0
+awk '/; expired/ { x=$0; getline; print x, $0}' ns5/named_dump.db.test$n |
+    grep "; expired since .* (awaiting cleanup) data\.example\..*A text record with a 2 second ttl" > /dev/null 2>&1 || ret=1
+awk '/; expired/ { x=$0; getline; print x, $0}' ns5/named_dump.db.test$n |
+    grep "; expired since .* (awaiting cleanup) nodata\.example\." > /dev/null 2>&1 || ret=1
+awk '/; expired/ { x=$0; getline; print x, $0}' ns5/named_dump.db.test$n |
+    grep "; expired since .* (awaiting cleanup) nxdomain\.example\." > /dev/null 2>&1 || ret=1
+awk '/; expired/ { x=$0; getline; print x, $0}' ns5/named_dump.db.test$n |
+    grep "; expired since .* (awaiting cleanup) othertype\.example\." > /dev/null 2>&1 || ret=1
+# Also make sure the not expired data does not have an expired comment.
+awk '/; answer/ { x=$0; getline; print x, $0}' ns5/named_dump.db.test$n |
+    grep "; answer longttl\.example.*A text record with a 600 second ttl" > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "stop ns5"
+stop_server --use-rndc --port ${CONTROLPORT} ns5
+
+# Load the cache as if it was five minutes (RBTDB_VIRTUAL) older.
+cp ns5/named_dump.db.test$n ns5/named_dump.db
+FIVEMINUTESAGO=`TZ=UTC perl -e 'my $now = time();
+        my $fiveMinutesAgo = 300;
+        my ($s, $m, $h, $d, $mo, $y) = (localtime($fiveMinutesAgo))[0, 1, 2, 3, 4, 5];
+        printf("%04d%02d%02d%02d%02d%02d", $y+1900, $mo+1, $d, $h, $m, $s);'`
+
+n=$((n+1))
+echo_i "mock the cache date to $FIVEMINUTESAGO (serve-stale cache disabled) ($n)"
+ret=0
+sed -E "s/DATE [0-9]{14}/DATE $FIVEMINUTESAGO/g" ns5/named_dump.db > ns5/named_dump.db.out || ret=1
+cp ns5/named_dump.db.out ns5/named_dump.db
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "start ns5"
+start_server --noclean --restart --port ${PORT} ns5
+
+n=$((n+1))
+echo_i "verify ancient cache statistics (serve-stale cache disabled) ($n)"
+ret=0
+rm -f ns5/named.stats
+$RNDCCMD 10.53.0.5 stats #> /dev/null 2>&1
+[ -f ns5/named.stats ] || ret=1
+cp ns5/named.stats ns5/named.stats.$n
+# Check first 10 lines of Cache DB statistics. After last queries, we expect
+# everything to be removed or scheduled to be removed.
+grep -A 10 "++ Cache DB RRsets ++" ns5/named.stats.$n > ns5/named.stats.$n.cachedb || ret=1
+grep -F "#TXT" ns5/named.stats.$n.cachedb > /dev/null && ret=1
+grep -F "#Others" ns5/named.stats.$n.cachedb > /dev/null && ret=1
+grep -F "#!TXT" ns5/named.stats.$n.cachedb > /dev/null && ret=1
+grep -F "#NXDOMAIN" ns5/named.stats.$n.cachedb > /dev/null && ret=1
+status=$((status+ret))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+
+################################################
+# Test for stale-answer-client-timeout (1.8s). #
+################################################
+echo_i "test stale-answer-client-timeout (1.8)"
+
+n=$((n+1))
+echo_i "updating ns3/named.conf ($n)"
+ret=0
+copy_setports ns3/named2.conf.in ns3/named.conf
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "restart ns3"
+stop_server --use-rndc --port ${CONTROLPORT} ns3
+start_server --noclean --restart --port ${PORT} ns3
+
+n=$((n+1))
+echo_i "check 'rndc serve-stale status' ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 serve-stale status > rndc.out.test$n 2>&1 || ret=1
+grep '_default: on (stale-answer-ttl=3 max-stale-ttl=3600 stale-refresh-time=0)' rndc.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "enable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt enable  > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache data.example TXT (stale-answer-client-timeout) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache nodata.example TXT (stale-answer-client-timeout) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.3 nodata.example TXT > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "delay responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt slowdown  > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache data.slow TXT (stale-answer-client-timeout) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.3 data.slow TXT > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "disable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt disable  > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Allow RRset to become stale.
+sleep 2
+
+nextpart ns3/named.run > /dev/null
+
+echo_i "sending queries for tests $((n+1))-$((n+3))..."
+t1=`$PERL -e 'print time()'`
+$DIG -p ${PORT} +tries=1 +timeout=10  @10.53.0.3 data.example TXT > dig.out.test$((n+1)) &
+$DIG -p ${PORT} +tries=1 +timeout=10  @10.53.0.3 nodata.example TXT > dig.out.test$((n+2))
+$DIG -p ${PORT} +tries=1 +timeout=10  @10.53.0.3 data.slow TXT > dig.out.test$((n+3)) &
+wait
+t2=`$PERL -e 'print time()'`
+
+# We configured a long value of 30 seconds for resolver-query-timeout.
+# That should give us enough time to receive an stale answer from cache
+# after stale-answer-client-timeout timer of 1.8 sec triggers.
+n=$((n+1))
+echo_i "check stale data.example TXT comes from cache (stale-answer-client-timeout 1.8) ($n)"
+ret=0
+wait_for_log 5 "data.example client timeout, stale answer used" ns3/named.run || ret=1
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+# Configured stale-answer-client-timeout is 1.8s, we allow some extra time
+# just in case other tests are taking too much cpu.
+[ $((t2 - t1)) -le 10 ] || { echo_i "query took $((t2 - t1))s to resolve.";  ret=1; }
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check stale nodata.example TXT comes from cache (stale-answer-client-timeout 1.8) ($n)"
+ret=0
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "example\..*3.*IN.*SOA" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check stale data.slow TXT comes from cache (stale-answer-client-timeout 1.8) ($n)"
+ret=0
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.slow\..*3.*IN.*TXT.*A slow text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Now query for RRset not in cache. The first query should time out, but once
+# we enable the authoritative server, the second query should be able to get a
+# response.
+
+nextpart ns3/named.run > /dev/null
+
+echo_i "sending queries for tests $((n+2))-$((n+4))..."
+$DIG -p ${PORT} +tries=1 +timeout=3   @10.53.0.3 longttl.example TXT > dig.out.test$((n+2)) &
+$DIG -p ${PORT} +tries=1 +timeout=10  @10.53.0.3 longttl.example TXT > dig.out.test$((n+3)) &
+$DIG -p ${PORT} +tries=1 +timeout=3   @10.53.0.3 longttl.example RRSIG > dig.out.test$((n+4)) &
+
+# Enable the authoritative name server after stale-answer-client-timeout.
+n=$((n+1))
+echo_i "enable responses from authoritative server ($n)"
+ret=0
+sleep 4
+$DIG -p ${PORT} @10.53.0.2 txt enable  > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check not in cache longttl.example TXT times out (stale-answer-client-timeout 1.8) ($n)"
+ret=0
+wait_for_log 4 "longttl.example client timeout, stale answer unavailable" ns3/named.run || ret=1
+check_results() {
+    [ -s "$1" ] || return 1
+    grep "connection timed out" "$1" > /dev/null || return 1
+    return 0
+}
+retry_quiet 4 check_results dig.out.test$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check not in cache longttl.example TXT comes from authoritative (stale-answer-client-timeout 1.8) ($n)"
+ret=0
+check_results() {
+    [ -s "$1" ] || return 1
+    grep "status: NOERROR" "$1" > /dev/null || return 1
+    grep "ANSWER: 1," "$1" > /dev/null || return 1
+    return 0
+}
+retry_quiet 8 check_results dig.out.test$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check not in cache longttl.example RRSIG times out (stale-answer-client-timeout 1.8) ($n)"
+ret=0
+check_results() {
+    [ -s "$1" ] || return 1
+    grep "connection timed out" "$1" > /dev/null || return 1
+    return 0
+}
+retry_quiet 8 check_results dig.out.test$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# CVE-2022-3924, GL #3619
+n=$((n+1))
+echo_i "check that named survives reaching recursive-clients quota (stale-answer-client-timeout 1.8) ($n)"
+ret=0
+num=0
+# Make sure to exceed the configured value of 'recursive-clients 10;' by running
+# 20 parallel queries with simulated network latency.
+while [ $num -lt 20 ]; do
+    $DIG +tries=1 -p ${PORT} @10.53.0.3 "latency${num}.data.example" TXT >/dev/null 2>&1 &
+    num=$((num+1))
+done;
+check_server_responds() {
+    $DIG -p ${PORT} @10.53.0.3 version.bind txt ch >dig.out.test$n || return 1
+    grep "status: NOERROR" dig.out.test$n > /dev/null || return 1
+}
+retry_quiet 5 check_server_responds || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+#############################################
+# Test for stale-answer-client-timeout off. #
+#############################################
+echo_i "test stale-answer-client-timeout (off)"
+
+n=$((n+1))
+echo_i "updating ns3/named.conf ($n)"
+ret=0
+copy_setports ns3/named3.conf.in ns3/named.conf
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "running 'rndc reload' ($n)"
+ret=0
+rndc_reload ns3 10.53.0.3
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Send a query, auth server is disabled, we will enable it after a while in
+# order to receive an answer before resolver-query-timeout expires. Since
+# stale-answer-client-timeout is disabled we must receive an answer from
+# authoritative server.
+echo_i "sending query for test $((n+2))"
+$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$((n+2)) &
+sleep 3
+
+n=$((n+1))
+echo_i "enable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt enable  > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Wait until dig is done.
+wait
+
+n=$((n+1))
+echo_i "check data.example TXT comes from authoritative server (stale-answer-client-timeout off) ($n)"
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.example\..*[12].*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+##############################################################
+# Test for stale-answer-client-timeout off and CNAME record. #
+##############################################################
+echo_i "test stale-answer-client-timeout (0) and CNAME record"
+
+n=$((n+1))
+echo_i "prime cache shortttl.cname.example (stale-answer-client-timeout off) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.3 shortttl.cname.example A > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
+grep "shortttl\.cname\.example\..*1.*IN.*CNAME.*longttl\.target\.example\." dig.out.test$n > /dev/null || ret=1
+grep "longttl\.target\.example\..*600.*IN.*A.*10\.53\.0\.2" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Allow RRset to become stale.
+sleep 1
+
+n=$((n+1))
+echo_i "disable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt disable  > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+ret=0
+echo_i "check stale shortttl.cname.example comes from cache (stale-answer-client-timeout off) ($n)"
+nextpart ns3/named.run > /dev/null
+$DIG -p ${PORT} @10.53.0.3 shortttl.cname.example A > dig.out.test$n
+wait_for_log 5 "shortttl.cname.example resolver failure, stale answer used" ns3/named.run || ret=1
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
+grep "shortttl\.cname\.example\..*3.*IN.*CNAME.*longttl\.target\.example\." dig.out.test$n > /dev/null || ret=1
+# We can't reliably test the TTL of the longttl.target.example A record.
+grep "longttl\.target\.example\..*IN.*A.*10\.53\.0\.2" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "enable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt enable  > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check server is alive or restart ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 status > rndc.out.test$n 2>&1 || ret=1
+if [ $ret != 0 ]; then
+    echo_i "failed"
+    echo_i "restart ns3"
+    start_server --noclean --restart --port ${PORT} serve-stale ns3
+fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check server is alive or restart ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 status > rndc.out.test$n 2>&1 || ret=1
+if [ $ret != 0 ]; then
+    echo_i "failed"
+    echo_i "restart ns3"
+    start_server --noclean --restart --port ${PORT} serve-stale ns3
+fi
+status=$((status+ret))
+
+#############################################
+# Test for stale-answer-client-timeout 0.   #
+#############################################
+echo_i "test stale-answer-client-timeout (0)"
+
+n=$((n+1))
+echo_i "updating ns3/named.conf ($n)"
+ret=0
+copy_setports ns3/named4.conf.in ns3/named.conf
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "restart ns3"
+stop_server --use-rndc --port ${CONTROLPORT} ns3
+start_server --noclean --restart --port ${PORT} ns3
+
+n=$((n+1))
+echo_i "prime cache data.example TXT (stale-answer-client-timeout 0)"
+ret=0
+$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache nodata.example TXT (stale-answer-client-timeout 0)"
+ret=0
+$DIG -p ${PORT} @10.53.0.3 nodata.example TXT > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "disable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt disable  > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Allow RRset to become stale.
+sleep 2
+
+n=$((n+1))
+ret=0
+echo_i "check stale nodata.example TXT comes from cache (stale-answer-client-timeout 0) ($n)"
+nextpart ns3/named.run > /dev/null
+$DIG -p ${PORT} @10.53.0.3 nodata.example TXT > dig.out.test$n
+wait_for_log 5 "nodata.example stale answer used, an attempt to refresh the RRset" ns3/named.run || ret=1
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "example\..*3.*IN.*SOA" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+ret=0
+echo_i "check stale data.example TXT comes from cache (stale-answer-client-timeout 0) ($n)"
+nextpart ns3/named.run > /dev/null
+$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n
+wait_for_log 5 "data.example stale answer used, an attempt to refresh the RRset" ns3/named.run || ret=1
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "enable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt enable  > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+wait_for_rrset_refresh() {
+	$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n
+	grep "status: NOERROR" dig.out.test$n > /dev/null || return 1
+	grep "ANSWER: 1," dig.out.test$n > /dev/null || return 1
+	grep "data\.example\..*[12].*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || return 1
+}
+
+# This test ensures that after we get stale data due to
+# stale-answer-client-timeout 0, enabling the authoritative server will allow
+# the RRset to be updated.
+n=$((n+1))
+ret=0
+echo_i "check stale data.example TXT was refreshed (stale-answer-client-timeout 0) ($n)"
+retry_quiet 10 wait_for_rrset_refresh || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+wait_for_nodata_refresh() {
+	$DIG -p ${PORT} @10.53.0.3 nodata.example TXT > dig.out.test$n
+	grep "status: NOERROR" dig.out.test$n > /dev/null || return 1
+	grep "ANSWER: 0," dig.out.test$n > /dev/null || return 1
+	grep "example\..*[12].*IN.*SOA" dig.out.test$n > /dev/null || return 1
+	return 0
+}
+
+n=$((n+1))
+ret=0
+echo_i "check stale nodata.example TXT was refreshed (stale-answer-client-timeout 0) ($n)"
+retry_quiet 10 wait_for_nodata_refresh || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+####################################################################
+# Test for stale-answer-client-timeout 0 and recursive-clients 10. #
+# CVE-2023-2911, GL #4089                                          #
+# ##################################################################
+echo_i "test stale-answer-client-timeout (0) and recursive-clients 10"
+
+n=$((n+1))
+echo_i "prime cache data.slow TXT (stale-answer-client-timeout 0) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.3 data.slow TXT > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Run the following check twice. Sometimes a priming query interrupts the first
+# attempt to exceed the quota.
+attempt=0
+while [ $ret -eq 0 ] && [ $attempt -lt 2 ]; do
+        n=$((n+1))
+        echo_i "slow down response from authoritative server ($n)"
+        ret=0
+        $DIG -p ${PORT} @10.53.0.2 slowdown TXT  > dig.out.test$n
+        grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+        grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+        if [ $ret != 0 ]; then echo_i "failed"; fi
+        status=$((status+ret))
+
+        # Let the data.slow TTL expire
+        sleep 2
+
+        n=$((n+1))
+        echo_i "check that named survives reaching recursive-clients quota (stale-answer-client-timeout 0) ($n)"
+        ret=0
+        num=0
+        # Attempt to exceed the configured value of 'recursive-clients 10;' by running
+        # 20 parallel queries for the stale domain which has slow auth.
+        while [ $num -lt 20 ]; do
+            $DIG +tries=1 +timeout=10 -p ${PORT} @10.53.0.3 data.slow TXT >/dev/null 2>&1 &
+            num=$((num+1))
+        done;
+        # Let the dig processes finish.
+        wait
+        retry_quiet 5 check_server_responds || ret=1
+        if [ $ret != 0 ]; then echo_i "failed"; fi
+        status=$((status+ret))
+
+        attempt=$((attempt+1))
+done
+
+# Restart ns3 to avoid the exceeded recursive-clients limit from previous check
+# to interfere with subsequent checks.
+echo_i "restart ns3"
+stop_server --use-rndc --port ${CONTROLPORT} ns3
+start_server --noclean --restart --port ${PORT} ns3
+
+############################################################
+# Test for stale-answer-client-timeout 0 and CNAME record. #
+############################################################
+echo_i "test stale-answer-client-timeout (0) and CNAME record"
+
+n=$((n+1))
+echo_i "prime cache cname1.stale.test A (stale-answer-client-timeout 0) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.3 cname1.stale.test A > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
+grep "cname1\.stale\.test\..*1.*IN.*CNAME.*a1\.stale\.test\." dig.out.test$n > /dev/null || ret=1
+grep "a1\.stale\.test\..*1.*IN.*A.*192\.0\.2\.1" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Allow RRset to become stale.
+sleep 1
+
+n=$((n+1))
+ret=0
+echo_i "check stale cname1.stale.test A comes from cache (stale-answer-client-timeout 0) ($n)"
+nextpart ns3/named.run > /dev/null
+$DIG -p ${PORT} @10.53.0.3 cname1.stale.test A > dig.out.test$n
+wait_for_log 5 "cname1.stale.test stale answer used, an attempt to refresh the RRset" ns3/named.run || ret=1
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
+grep "cname1\.stale\.test\..*3.*IN.*CNAME.*a1\.stale\.test\." dig.out.test$n > /dev/null || ret=1
+grep "a1\.stale\.test\..*3.*IN.*A.*192\.0\.2\.1" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check server is alive or restart ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 status > rndc.out.test$n 2>&1 || ret=1
+if [ $ret != 0 ]; then
+    echo_i "failed"
+    echo_i "restart ns3"
+    start_server --noclean --restart --port ${PORT} ns3
+fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache cname2.stale.test A (stale-answer-client-timeout 0) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.3 cname2.stale.test A > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
+grep "cname2\.stale\.test\..*1.*IN.*CNAME.*a2\.stale\.test\." dig.out.test$n > /dev/null || ret=1
+grep "a2\.stale\.test\..*300.*IN.*A.*192\.0\.2\.2" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Allow CNAME record in the RRSET to become stale.
+sleep 1
+
+n=$((n+1))
+ret=0
+echo_i "check stale cname2.stale.test A comes from cache (stale-answer-client-timeout 0) ($n)"
+nextpart ns3/named.run > /dev/null
+$DIG -p ${PORT} @10.53.0.3 cname2.stale.test A > dig.out.test$n
+wait_for_log 5 "cname2.stale.test stale answer used, an attempt to refresh the RRset" ns3/named.run || ret=1
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
+grep "cname2\.stale\.test\..*3.*IN.*CNAME.*a2\.stale\.test\." dig.out.test$n > /dev/null || ret=1
+# We can't reliably test the TTL of the a2.stale.test A record.
+grep "a2\.stale\.test\..*IN.*A.*192\.0\.2\.2" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check server is alive or restart ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 status > rndc.out.test$n 2>&1 || ret=1
+if [ $ret != 0 ]; then
+    echo_i "failed"
+    echo_i "restart ns3"
+    start_server --noclean --restart --port ${PORT} ns3
+fi
+status=$((status+ret))
+
+####################################################################
+# Test for stale-answer-client-timeout 0 and stale-refresh-time 4. #
+####################################################################
+echo_i "test stale-answer-client-timeout (0) and stale-refresh-time (4)"
+
+n=$((n+1))
+echo_i "updating ns3/named.conf ($n)"
+ret=0
+copy_setports ns3/named5.conf.in ns3/named.conf
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "running 'rndc reload' ($n)"
+ret=0
+rndc_reload ns3 10.53.0.3
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "flush cache, enable responses from authoritative server ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 flushtree example > rndc.out.test$n.1 2>&1 || ret=1
+$DIG -p ${PORT} @10.53.0.2 txt enable  > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache data.example TXT (stale-answer-client-timeout 0, stale-refresh-time 4) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.example\..*2.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Allow RRset to become stale.
+sleep 2
+
+n=$((n+1))
+echo_i "disable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt disable  > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+ret=0
+echo_i "check stale data.example TXT comes from cache (stale-answer-client-timeout 0 stale-refresh-time 4) ($n)"
+nextpart ns3/named.run > /dev/null
+$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n
+wait_for_log 5 "data.example stale answer used, an attempt to refresh the RRset" ns3/named.run || ret=1
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "enable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt enable  > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# This test ensures that after we get stale data due to
+# stale-answer-client-timeout 0, enabling the authoritative server will allow
+# the RRset to be updated.
+n=$((n+1))
+ret=0
+echo_i "check stale data.example TXT was refreshed (stale-answer-client-timeout 0 stale-refresh-time 4) ($n)"
+retry_quiet 10 wait_for_rrset_refresh || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Allow RRset to become stale.
+sleep 2
+
+n=$((n+1))
+echo_i "disable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt disable  > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+ret=0
+echo_i "check stale data.example TXT comes from cache (stale-answer-client-timeout 0 stale-refresh-time 4) ($n)"
+nextpart ns3/named.run > /dev/null
+$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n
+wait_for_log 5 "data.example stale answer used, an attempt to refresh the RRset" ns3/named.run || ret=1
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Allow stale-refresh-time to be activated.
+n=$((n+1))
+ret=0
+echo_i "wait until resolver query times out, activating stale-refresh-time"
+wait_for_log 15 "data.example resolver failure, stale answer used" ns3/named.run || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+ret=0
+echo_i "check stale data.example TXT comes from cache within stale-refresh-time (stale-answer-client-timeout 0 stale-refresh-time 4) ($n)"
+nextpart ns3/named.run > /dev/null
+$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n
+wait_for_log 5 "data.example query within stale refresh time" ns3/named.run || ret=1
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "enable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt enable  > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# We give BIND some time to ensure that after we enable authoritative server,
+# this RRset is still not refreshed because it was hit during
+# stale-refresh-time window.
+sleep 1
+
+n=$((n+1))
+ret=0
+echo_i "check stale data.example TXT was not refreshed (stale-answer-client-timeout 0 stale-refresh-time 4) ($n)"
+nextpart ns3/named.run > /dev/null
+$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n
+wait_for_log 5 "data.example query within stale refresh time" ns3/named.run || ret=1
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# After the refresh-time-window, the RRset will be refreshed.
+sleep 4
+
+n=$((n+1))
+ret=0
+echo_i "check stale data.example TXT comes from cache (stale-answer-client-timeout 0 stale-refresh-time 4) ($n)"
+$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n
+wait_for_log 5 "data.example stale answer used, an attempt to refresh the RRset" ns3/named.run || ret=1
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+ret=0
+echo_i "check stale data.example TXT was refreshed (stale-answer-client-timeout 0 stale-refresh-time 4) ($n)"
+$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.example\..*[12].*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+####################################################################
+# Test serve-stale's interaction with fetch limits (cache only) #
+#################################################################
+echo_i "test serve-stale's interaction with fetch-limits (cache only)"
+
+# We update the named configuration to enable fetch-limits. The fetch-limits
+# are set to 1, which is ridiciously low, but that is because for this test we
+# want to reach the fetch-limits.
+n=$((n+1))
+echo_i "updating ns3/named.conf ($n)"
+ret=0
+copy_setports ns3/named6.conf.in ns3/named.conf
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "running 'rndc reload' ($n)"
+ret=0
+rndc_reload ns3 10.53.0.3
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Disable responses from authoritative server. If we can't resolve the example
+# zone, fetch limits will be reached.
+n=$((n+1))
+echo_i "disable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt disable  > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Allow RRset to become stale.
+sleep 2
+
+# Turn on serve-stale.
+n=$((n+1))
+echo_i "running 'rndc serve-stale on' ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 serve-stale on || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check 'rndc serve-stale status' ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 serve-stale status > rndc.out.test$n 2>&1 || ret=1
+grep '_default: on (rndc) (stale-answer-ttl=3 max-stale-ttl=3600 stale-refresh-time=4)' rndc.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Hit the fetch-limits. We burst the name server with a small batch of queries.
+# Only 2 queries are required to hit the fetch-limits. The first query will
+# start to resolve, the second one hit the fetch-limits.
+burst() {
+	num=${1}
+	rm -f burst.input.$$
+	while [ $num -gt 0 ]; do
+		num=`expr $num - 1`
+		echo "fetch${num}.example A" >> burst.input.$$
+	done
+	$PERL ../ditch.pl -p ${PORT} -s 10.53.0.3 burst.input.$$
+	rm -f burst.input.$$
+}
+
+wait_for_fetchlimits() {
+	burst 2
+	# We expect a query for nx.example to fail because fetch-limits for
+	# the domain 'example.' (and everything below) has been reached.
+	$DIG -p ${PORT} +tries=1 +timeout=1 @10.53.0.3 nx.example > dig.out.test$n
+	grep "status: SERVFAIL" dig.out.test$n > /dev/null || return 1
+}
+
+n=$((n+1))
+echo_i "hit fetch limits ($n)"
+ret=0
+retry_quiet 10 wait_for_fetchlimits || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Expect stale data now (because fetch-limits for the domain 'example.' (and
+# everything below) has been reached. But we have a stale RRset for
+# 'data.example/TXT' that can be used.
+n=$((n+1))
+ret=0
+echo_i "check stale data.example TXT comes from cache (fetch-limits) ($n)"
+nextpart ns3/named.run > /dev/null
+$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n
+wait_for_log 5 "data.example resolver failure, stale answer used" ns3/named.run || ret=1
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# The previous query should not have started the stale-refresh-time window.
+n=$((n+1))
+ret=0
+echo_i "check stale data.example TXT comes from cache again (fetch-limits) ($n)"
+nextpart ns3/named.run > /dev/null
+$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n
+wait_for_log 5 "data.example resolver failure, stale answer used" ns3/named.run || ret=1
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+########################################################################
+# Test serve-stale's interaction with fetch limits (dual-mode) #
+########################################################################
+echo_i "test serve-stale's interaction with fetch limits (dual-mode)"
+
+# Update named configuration so that ns3 becomes a recursive resolver which is
+# also a secondary server for the root zone.
+n=$((n+1))
+echo_i "updating ns3/named.conf ($n)"
+ret=0
+copy_setports ns3/named7.conf.in ns3/named.conf
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "running 'rndc reload' ($n)"
+ret=0
+rndc_reload ns3 10.53.0.3
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Flush the cache to ensure the example/NS RRset cached during previous tests
+# does not override the authoritative delegation found in the root zone.
+n=$((n+1))
+echo_i "flush cache ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 flush > rndc.out.test$n 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Query name server with low fetch limits. The authoritative server (ans2) is
+# not responding. Sending queries for multiple names in the 'example' zone
+# in parallel causes the fetch limit for that zone (set to 1) to be
+# reached. This should not trigger a crash.
+echo_i "sending queries for tests $((n+1))-$((n+4))..."
+$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$((n+1)) &
+$DIG -p ${PORT} @10.53.0.3 othertype.example CAA > dig.out.test$((n+2)) &
+$DIG -p ${PORT} @10.53.0.3 nodata.example TXT > dig.out.test$((n+3)) &
+$DIG -p ${PORT} @10.53.0.3 nxdomain.example TXT > dig.out.test$((n+4))
+
+wait
+
+# Expect SERVFAIL for the entries not in cache.
+n=$((n+1))
+echo_i "check stale data.example TXT (fetch-limits dual-mode) ($n)"
+ret=0
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check stale othertype.example CAA (fetch-limits dual-mode) ($n)"
+ret=0
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check stale nodata.example TXT (fetch-limits dual-mode) ($n)"
+ret=0
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check stale nxdomain.example TXT (fetch-limits dual-mode) ($n)"
+ret=0
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check DNS64 processing of a stale negative answer ($n)"
+ret=0
+# configure ns3 with dns64
+copy_setports ns3/named8.conf.in ns3/named.conf
+rndc_reload ns3 10.53.0.3
+# flush cache, enable ans2 responses, make sure serve-stale is on
+$RNDCCMD 10.53.0.3 flush > rndc.out.test$n.1 2>&1 || ret=1
+$DIG -p ${PORT} @10.53.0.2 txt enable > /dev/null
+$RNDCCMD 10.53.0.3 serve-stale on > rndc.out.test$n.2 2>&1 || ret=1
+# prime the cache with an AAAA NXRRSET response
+$DIG -p ${PORT} @10.53.0.3 a-only.example AAAA > dig.out.1.test$n
+grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1
+grep "2001:aaaa" dig.out.1.test$n > /dev/null || ret=1
+# disable responses from the auth server
+$DIG -p ${PORT} @10.53.0.2 txt disable > /dev/null
+# wait two seconds for the previous answer to become stale
+sleep 2
+# resend the query and wait in the background; we should get a stale answer
+$DIG -p ${PORT} @10.53.0.3 a-only.example AAAA > dig.out.2.test$n &
+# re-enable queries after a pause, so the server gets a real answer too
+sleep 2
+$DIG -p ${PORT} @10.53.0.2 txt enable > /dev/null
+wait
+grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1
+grep "2001:aaaa" dig.out.2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+###########################################################
+# Test serve-stale's interaction with prefetch processing #
+###########################################################
+echo_i "test serve-stale's interaction with prefetch processing"
+
+# Test case for #2733, ensuring that prefetch queries do not trigger
+# a lookup due to stale-answer-client-timeout.
+#
+# 1. Cache the following records:
+#    cname.example 7 IN CNAME target.example.
+#    target.example 9 IN A <addr>.
+# 2. Let the CNAME RRset expire.
+# 3. Query for 'cname.example/A'.
+#
+# This starts recursion because cname.example/CNAME is expired.
+# The authoritative server is up so likely it will respond before
+#  stale-answer-client-timeout is triggered.
+# The 'target.example/A' RRset is found in cache with a positive value
+#  and is eligble for prefetching.
+# A prefetch is done for 'target.example/A', our ans2 server will
+#  delay the request.
+# The 'prefetch_done()' callback should have the right event type
+#  (DNS_EVENT_FETCHDONE).
+
+# flush cache
+n=$((n+1))
+echo_i "flush cache ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 flushtree example > rndc.out.test$n.1 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# prime the cache with CNAME and A; CNAME expires sooner
+n=$((n+1))
+echo_i "prime cache cname.example A (stale-answer-client-timeout 1.8) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.3 cname.example A > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
+grep "cname\.example\..*7.*IN.*CNAME.*target\.example\." dig.out.test$n > /dev/null || ret=1
+grep "target\.example\..*9.*IN.*A" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# wait for the CNAME to be stale; A will still be valid and in prefetch window.
+# (the longer TTL is needed, otherwise data won't be prefetch-eligible.)
+sleep 7
+
+# re-enable auth responses, but with a delay answering the A
+n=$((n+1))
+echo_i "delay responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt slowdown  > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# resend the query and wait in the background; we should get a stale answer
+n=$((n+1))
+echo_i "check prefetch processing of a stale CNAME target ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.3 cname.example A > dig.out.test$n &
+sleep 2
+wait
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
+grep "cname\.example\..*7.*IN.*CNAME.*target\.example\." dig.out.test$n > /dev/null || ret=1
+grep "target\.example\..*[1-2].*IN.*A" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/setup.sh b/bin/tests/system/setup.sh
new file mode 100644
index 0000000..1667acd
--- /dev/null
+++ b/bin/tests/system/setup.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Run a system test.
+#
+
+SYSTEMTESTTOP=.
+. $SYSTEMTESTTOP/conf.sh
+
+test $# -gt 0 || { echo "usage: $0 test-directory" >&2; exit 1; }
+
+test=$1
+shift
+
+test -d $test || { echo "$0: $test: no such test" >&2; exit 1; }
+
+# Set up any dynamically generated test data
+if test -f $test/setup.sh
+then
+   ( cd $test && $SHELL setup.sh "$@" )
+fi
+
+
diff --git a/bin/tests/system/sfcache/README b/bin/tests/system/sfcache/README
new file mode 100644
index 0000000..91b2126
--- /dev/null
+++ b/bin/tests/system/sfcache/README
@@ -0,0 +1,19 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0.  If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+
+The test setup for the SERVFAIL ncache tests has a secure root.
+
+ns1 is the root server.
+
+ns2 is an authoritative server for the various test domains.
+
+ns5 is a caching-only server, configured with the an incorrect trusted
+key for the root.  It is used for testing failure cases.
diff --git a/bin/tests/system/sfcache/clean.sh b/bin/tests/system/sfcache/clean.sh
new file mode 100644
index 0000000..e8bd818
--- /dev/null
+++ b/bin/tests/system/sfcache/clean.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+rm -f ./*/K*.key ./*/K*.private ./*/*.signed ./*/*.db ./*/dsset-*
+rm -f ./*/managed.conf ./*/trusted.conf
+rm -f ./*/named.memstats
+rm -f ./*/named.conf
+rm -f ./*/named.run ./*/named.run.prev
+rm -f ./dig.*
+rm -f ./rndc.*
+rm -f ./sfcache.*
+rm -f ./ns*/managed-keys.bind*
+rm -f ./ns*/named.lock
+rm -f ./ns5/named.run.part*
+rm -f ./ns5/named_dump*
diff --git a/bin/tests/system/sfcache/ns1/named.conf.in b/bin/tests/system/sfcache/ns1/named.conf.in
new file mode 100644
index 0000000..4a9822d
--- /dev/null
+++ b/bin/tests/system/sfcache/ns1/named.conf.in
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	dnssec-validation yes;
+};
+
+zone "." {
+	type primary;
+	file "root.db.signed";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/sfcache/ns1/root.db.in b/bin/tests/system/sfcache/ns1/root.db.in
new file mode 100644
index 0000000..1deb998
--- /dev/null
+++ b/bin/tests/system/sfcache/ns1/root.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. 			IN SOA	gson.nominum.com. a.root.servers.nil. (
+				2000042100   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+
+example.		NS	ns2.example.
+ns2.example.		A	10.53.0.2
+example2.		NS	ns2.example2.
+ns2.example2.		A	10.53.0.2
diff --git a/bin/tests/system/sfcache/ns1/sign.sh b/bin/tests/system/sfcache/ns1/sign.sh
new file mode 100644
index 0000000..d97b63d
--- /dev/null
+++ b/bin/tests/system/sfcache/ns1/sign.sh
@@ -0,0 +1,38 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+zone=.
+infile=root.db.in
+zonefile=root.db
+
+(cd ../ns2 && $SHELL sign.sh )
+
+cp "../ns2/dsset-example$TP" .
+
+keyname=$($KEYGEN -q -a "${DEFAULT_ALGORITHM}" -b "${DEFAULT_BITS}" -n zone $zone)
+
+cat "$infile" "$keyname.key" > "$zonefile"
+
+$SIGNER -P -g -o $zone $zonefile > /dev/null
+
+# Configure the resolving server with a static key.
+keyfile_to_static_ds "$keyname" > trusted.conf
+cp trusted.conf ../ns2/trusted.conf
+
+# ...or with an initializing key.
+keyfile_to_initial_ds "$keyname" > managed.conf
diff --git a/bin/tests/system/sfcache/ns2/example.db.in b/bin/tests/system/sfcache/ns2/example.db.in
new file mode 100644
index 0000000..c035ee8
--- /dev/null
+++ b/bin/tests/system/sfcache/ns2/example.db.in
@@ -0,0 +1,103 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+			NS	ns3
+ns2			A	10.53.0.2
+ns3			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+
+; Used for testing ANY queries
+foo			TXT	"testing"
+foo			A	10.0.1.0
+
+bad-cname		CNAME   a
+bad-dname		DNAME   @
+
+; Used for testing CNAME queries
+cname1			CNAME	cname1-target
+cname1-target		TXT	"testing cname"
+
+cname2			CNAME	cname2-target
+cname2-target		TXT	"testing cname"
+
+; Used for testing DNAME queries
+dname1			DNAME	dname1-target
+foo.dname1-target	TXT	"testing dname"
+
+dname2			DNAME	dname2-target
+foo.dname2-target	TXT	"testing dname"
+
+; A secure subdomain
+secure			NS	ns.secure
+ns.secure		A	10.53.0.3
+
+; An insecure subdomain
+insecure		NS	ns.insecure
+ns.insecure		A	10.53.0.3
+
+; A secure subdomain we're going to inject bogus data into
+bogus			NS	ns.bogus
+ns.bogus		A	10.53.0.3
+
+; A dynamic secure subdomain
+dynamic			NS	dynamic
+dynamic			A	10.53.0.3
+
+; A insecure subdomain
+mustbesecure		NS	ns.mustbesecure
+ns.mustbesecure		A	10.53.0.3
+
+; A rfc2535 signed zone w/ CNAME
+rfc2535			NS	ns.rfc2535
+ns.rfc2535		A	10.53.0.3
+
+z			A	10.0.0.26
+
+keyless			NS	ns.keyless
+ns.keyless		A	10.53.0.3
+
+nsec3			NS	ns.nsec3
+ns.nsec3		A	10.53.0.3
+
+optout			NS	ns.optout
+ns.optout		A	10.53.0.3
+
+nsec3-unknown		NS	ns.nsec3-unknown
+ns.nsec3-unknown	A	10.53.0.3
+
+optout-unknown		NS	ns.optout-unknown
+ns.optout-unknown	A	10.53.0.3
+
+multiple		NS	ns.multiple
+ns.multiple		A	10.53.0.3
+
+*.wild			A	10.0.0.27
+
+rsasha256		NS	ns.rsasha256
+ns.rsasha256		A	10.53.0.3
+
+rsasha512		NS	ns.rsasha512
+ns.rsasha512		A	10.53.0.3
+
+kskonly 		NS	ns.kskonly
+ns.kskonly		A	10.53.0.3
diff --git a/bin/tests/system/sfcache/ns2/named.conf.in b/bin/tests/system/sfcache/ns2/named.conf.in
new file mode 100644
index 0000000..2ec6675
--- /dev/null
+++ b/bin/tests/system/sfcache/ns2/named.conf.in
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	dnssec-validation yes;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "example" {
+	type primary;
+	file "example.db.signed";
+	allow-update { any; };
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/sfcache/ns2/sign.sh b/bin/tests/system/sfcache/ns2/sign.sh
new file mode 100644
index 0000000..bbdf086
--- /dev/null
+++ b/bin/tests/system/sfcache/ns2/sign.sh
@@ -0,0 +1,28 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+zone=example.
+infile=example.db.in
+zonefile=example.db
+
+keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
+
+"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null
diff --git a/bin/tests/system/sfcache/ns5/named.conf.in b/bin/tests/system/sfcache/ns5/named.conf.in
new file mode 100644
index 0000000..df3938b
--- /dev/null
+++ b/bin/tests/system/sfcache/ns5/named.conf.in
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS5
+
+options {
+	query-source address 10.53.0.5;
+	notify-source 10.53.0.5;
+	transfer-source 10.53.0.5;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.5; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	servfail-ttl 30;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/sfcache/ns5/sign.sh b/bin/tests/system/sfcache/ns5/sign.sh
new file mode 100644
index 0000000..40d7095
--- /dev/null
+++ b/bin/tests/system/sfcache/ns5/sign.sh
@@ -0,0 +1,21 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone ".")
+
+keyfile_to_static_ds "$keyname" > trusted.conf
diff --git a/bin/tests/system/sfcache/setup.sh b/bin/tests/system/sfcache/setup.sh
new file mode 100644
index 0000000..3e09fe9
--- /dev/null
+++ b/bin/tests/system/sfcache/setup.sh
@@ -0,0 +1,24 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+
+cd ns1 && $SHELL sign.sh && cd ..
+cd ns5 && $SHELL sign.sh && cd ..
diff --git a/bin/tests/system/sfcache/tests.sh b/bin/tests/system/sfcache/tests.sh
new file mode 100644
index 0000000..4c47e08
--- /dev/null
+++ b/bin/tests/system/sfcache/tests.sh
@@ -0,0 +1,108 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+SYSTEMTESTTOP=..
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+status=0
+n=0
+
+rm -f dig.out.*
+
+dig_with_opts() {
+    "$DIG" +tcp +noadd +nosea +nostat +nocmd -p "$PORT" "$@"
+}
+
+rndc_with_opts() {
+    "$RNDC" -c "$SYSTEMTESTTOP/common/rndc.conf" -p "$CONTROLPORT" -s "$@"
+}
+
+echo_i "checking DNSSEC SERVFAIL is cached ($n)"
+ret=0
+dig_with_opts +dnssec foo.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1
+rndc_dumpdb ns5 -all
+awk '/Zone/{out=0} { if (out) print } /SERVFAIL/{out=1}' ns5/named_dump.db.test$n > sfcache.$n
+grep "^; foo.example/A" sfcache.$n > /dev/null || ret=1
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "checking SERVFAIL is returned from cache ($n)"
+ret=0
+dig_with_opts +dnssec foo.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "checking that +cd bypasses cache check ($n)"
+ret=0
+dig_with_opts +dnssec +cd foo.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "SERVFAIL" dig.out.ns5.test$n > /dev/null && ret=1
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "switching to non-dnssec SERVFAIL tests"
+ret=0
+rndc_with_opts 10.53.0.5 flush 2>&1 | sed 's/^/I:ns5 /'
+rndc_dumpdb ns5 -all
+mv ns5/named_dump.db.test$n ns5/named_dump.db.test$n.1
+awk '/SERVFAIL/ { next; out=1 } /Zone/ { out=0 } { if (out) print }' ns5/named_dump.db.test$n.1 > sfcache.$n.1
+[ -s "sfcache.$n.1" ] && ret=1
+echo_i "checking SERVFAIL is cached ($n)"
+dig_with_opts bar.example2. a @10.53.0.5 > dig.out.ns5.test$n || ret=1
+rndc_dumpdb ns5 -all
+mv ns5/named_dump.db.test$n ns5/named_dump.db.test$n.2
+awk '/Zone/{out=0} { if (out) print } /SERVFAIL/{out=1}' ns5/named_dump.db.test$n.2 > sfcache.$n.2
+grep "^; bar.example2/A" sfcache.$n.2 > /dev/null || ret=1
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "checking SERVFAIL is returned from cache ($n)"
+ret=0
+nextpart ns5/named.run > /dev/null
+dig_with_opts bar.example2. a @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1
+nextpart ns5/named.run > ns5/named.run.part$n
+grep 'servfail cache hit bar.example2/A (CD=0)' ns5/named.run.part$n > /dev/null || ret=1
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "checking cache is bypassed with +cd query ($n)"
+ret=0
+dig_with_opts +cd bar.example2. a @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1
+nextpart ns5/named.run > ns5/named.run.part$n
+grep 'servfail cache hit' ns5/named.run.part$n > /dev/null && ret=1
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "checking cache is used for subsequent +cd query ($n)"
+ret=0
+dig_with_opts +dnssec bar.example2. a @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1
+nextpart ns5/named.run > ns5/named.run.part$n
+grep 'servfail cache hit bar.example2/A (CD=1)' ns5/named.run.part$n > /dev/null || ret=1
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/shutdown/clean.sh b/bin/tests/system/shutdown/clean.sh
new file mode 100644
index 0000000..d958521
--- /dev/null
+++ b/bin/tests/system/shutdown/clean.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f ns*/*.jnl
+rm -f ns*/named.lock
+rm -f ns*/named.memstats
+rm -f ns*/rpz*.txt
+rm -f */named.conf
+rm -f */named.run
+rm -rf __pycache__
diff --git a/bin/tests/system/shutdown/ns1/named.conf.in b/bin/tests/system/shutdown/ns1/named.conf.in
new file mode 100644
index 0000000..dc20259
--- /dev/null
+++ b/bin/tests/system/shutdown/ns1/named.conf.in
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+    secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	listen-on { 10.53.0.1; };
+	pid-file "named.pid";
+	notify no;
+	dnssec-validation no;
+	allow-query { any; };
+	recursion yes;
+	allow-recursion { any; };
+};
+
+# Delegate .test domain to 10.53.0.2
+zone "." {
+    type master;
+    file "root.db";
+    allow-transfer { none; };
+};
diff --git a/bin/tests/system/shutdown/ns1/root.db b/bin/tests/system/shutdown/ns1/root.db
new file mode 100644
index 0000000..60f1b30
--- /dev/null
+++ b/bin/tests/system/shutdown/ns1/root.db
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ 			IN SOA	a.root. root.test. (
+				2000042100   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+
+.         IN   NS a.root.
+a.root.   IN   A  10.53.0.1
+
+test      IN   NS   ns1.test
+ns1.test  IN   A    10.53.0.2
diff --git a/bin/tests/system/shutdown/ns2/named.conf.in b/bin/tests/system/shutdown/ns2/named.conf.in
new file mode 100644
index 0000000..4679c1e
--- /dev/null
+++ b/bin/tests/system/shutdown/ns2/named.conf.in
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+    secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	listen-on { 10.53.0.2; };
+	pid-file "named.pid";
+	notify no;
+	dnssec-validation no;
+	allow-query { any; };
+};
+
+# 10.53.0.2 is authoritative for .test domain
+zone "test" {
+    type master;
+	file "test.db";
+	allow-transfer { none; };
+};
diff --git a/bin/tests/system/shutdown/ns2/test.db b/bin/tests/system/shutdown/ns2/test.db
new file mode 100644
index 0000000..91c16ec
--- /dev/null
+++ b/bin/tests/system/shutdown/ns2/test.db
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+
+@	IN	SOA	ns1 root.test. 2020040101 4h 1h 1w 60
+@	IN	NS	ns1
+ns1	IN	A	10.53.0.2
+@	IN	A	10.53.0.2
+www	IN	A	10.53.0.2
diff --git a/bin/tests/system/shutdown/prereq.sh b/bin/tests/system/shutdown/prereq.sh
new file mode 100755
index 0000000..9f46512
--- /dev/null
+++ b/bin/tests/system/shutdown/prereq.sh
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if test -n "$PYTHON"
+then
+    if $PYTHON -c "import pytest" 2> /dev/null
+    then
+        :
+    else
+        echo_i "This test requires the pytest framework." >&2
+    fi
+
+    if $PYTHON -c "import dns" 2> /dev/null
+    then
+        :
+    else
+        echo_i "This test requires the dnspython module." >&2
+        exit 1
+    fi
+else
+    echo_i "This test requires Python, the pytest framework and the dnspython module." >&2
+    exit 1
+fi
+
+exit 0
diff --git a/bin/tests/system/shutdown/resolver/named.conf.in b/bin/tests/system/shutdown/resolver/named.conf.in
new file mode 100644
index 0000000..f8444e3
--- /dev/null
+++ b/bin/tests/system/shutdown/resolver/named.conf.in
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+logging {
+	channel basic {
+		file "named.run";
+		severity debug 999;
+		print-time yes;
+	};
+	category default { basic; };
+};
+key rndc_key {
+    secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	listen-on { 10.53.0.3; };
+	pid-file "named.pid";
+	notify no;
+	dnssec-validation no;
+	allow-query { any; };
+	allow-recursion { any; };
+};
+
+zone "." {
+	type hint;
+	file "root.db";
+};
diff --git a/bin/tests/system/shutdown/resolver/root.db b/bin/tests/system/shutdown/resolver/root.db
new file mode 100644
index 0000000..88e0ba8
--- /dev/null
+++ b/bin/tests/system/shutdown/resolver/root.db
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. 			IN SOA	a.root. root.root. (
+				2000042100   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+.         IN   NS  a.root.
+a.root.   IN   A   10.53.0.1
diff --git a/bin/tests/system/shutdown/setup.sh b/bin/tests/system/shutdown/setup.sh
new file mode 100644
index 0000000..575abc6
--- /dev/null
+++ b/bin/tests/system/shutdown/setup.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# touch dnsrps-off to not test with DNSRPS
+
+set -e
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports resolver/named.conf.in resolver/named.conf
diff --git a/bin/tests/system/shutdown/tests_shutdown.py b/bin/tests/system/shutdown/tests_shutdown.py
new file mode 100755
index 0000000..b6083b7
--- /dev/null
+++ b/bin/tests/system/shutdown/tests_shutdown.py
@@ -0,0 +1,209 @@
+#!/usr/bin/python3
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+from concurrent.futures import ThreadPoolExecutor, as_completed
+import os
+import random
+import signal
+import subprocess
+from string import ascii_lowercase as letters
+import time
+
+import pytest
+
+pytest.importorskip("dns")
+import dns.exception
+import dns.resolver
+
+
+def do_work(named_proc, resolver, rndc_cmd, kill_method, n_workers, n_queries):
+    """Creates a number of A queries to run in parallel
+    in order simulate a slightly more realistic test scenario.
+
+    The main idea of this function is to create and send a bunch
+    of A queries to a target named instance and during this process
+    a request for shutting down named will be issued.
+
+    In the process of shutting down named, a couple control connections
+    are created (by launching rndc) to ensure that the crash was fixed.
+
+    if kill_method=="rndc" named will be asked to shutdown by
+    means of rndc stop.
+    if kill_method=="sigterm" named will be killed by SIGTERM on
+    POSIX systems or by TerminateProcess() on Windows systems.
+
+    :param named_proc: named process instance
+    :type named_proc: subprocess.Popen
+
+    :param resolver: target resolver
+    :type resolver: dns.resolver.Resolver
+
+    :param rndc_cmd: rndc command with default arguments
+    :type rndc_cmd: list of strings, e.g. ["rndc", "-p", "23750"]
+
+    :kill_method: "rndc" or "sigterm"
+    :type kill_method: str
+
+    :param n_workers: Number of worker threads to create
+    :type n_workers: int
+
+    :param n_queries: Total number of queries to send
+    :type n_queries: int
+    """
+    # pylint: disable-msg=too-many-arguments
+    # pylint: disable-msg=too-many-locals
+
+    # helper function, args must be a list or tuple with arguments to rndc.
+    def launch_rndc(args):
+        return subprocess.call(rndc_cmd + args, timeout=10)
+
+    # We're going to execute queries in parallel by means of a thread pool.
+    # dnspython functions block, so we need to circunvent that.
+    with ThreadPoolExecutor(n_workers + 1) as executor:
+        # Helper dict, where keys=Future objects and values are tags used
+        # to process results later.
+        futures = {}
+
+        # 50% of work will be A queries.
+        # 1 work will be rndc stop.
+        # Remaining work will be rndc status (so we test parallel control
+        #  connections that were crashing named).
+        shutdown = True
+        for i in range(n_queries):
+            if i < (n_queries // 2):
+                # Half work will be standard A queries.
+                # Among those we split 50% queries relname='www',
+                # 50% queries relname=random characters
+                if random.randrange(2) == 1:
+                    tag = "good"
+                    relname = "www"
+                else:
+                    tag = "bad"
+                    length = random.randint(4, 10)
+                    relname = "".join(
+                        letters[random.randrange(len(letters))] for i in range(length)
+                    )
+
+                qname = relname + ".test"
+                futures[executor.submit(resolver.query, qname, "A")] = tag
+            elif shutdown:  # We attempt to stop named in the middle
+                shutdown = False
+                if kill_method == "rndc":
+                    futures[executor.submit(launch_rndc, ["stop"])] = "stop"
+                else:
+                    futures[executor.submit(named_proc.terminate)] = "kill"
+            else:
+                # We attempt to send couple rndc commands while named is
+                # being shutdown
+                futures[executor.submit(launch_rndc, ["status"])] = "status"
+
+        ret_code = -1
+        for future in as_completed(futures):
+            try:
+                result = future.result()
+                # If tag is "stop", result is an instance of
+                # subprocess.CompletedProcess, then we check returncode
+                # attribute to know if rncd stop command finished successfully.
+                #
+                # if tag is "kill" then the main function will check if
+                # named process exited gracefully after SIGTERM signal.
+                if futures[future] == "stop":
+                    ret_code = result
+
+            except (
+                dns.resolver.NXDOMAIN,
+                dns.resolver.NoNameservers,
+                dns.exception.Timeout,
+            ):
+                pass
+
+        if kill_method == "rndc":
+            assert ret_code == 0
+
+
+def wait_for_named_loaded(resolver, retries=10):
+    for _ in range(retries):
+        try:
+            resolver.query("version.bind", "TXT", "CH")
+            return True
+        except (dns.resolver.NoNameservers, dns.exception.Timeout):
+            time.sleep(1)
+    return False
+
+
+def wait_for_proc_termination(proc, max_timeout=10):
+    for _ in range(max_timeout):
+        if proc.poll() is not None:
+            return True
+        time.sleep(1)
+
+    proc.send_signal(signal.SIGABRT)
+    for _ in range(max_timeout):
+        if proc.poll() is not None:
+            return True
+        time.sleep(1)
+
+    return False
+
+
+def test_named_shutdown(named_port, control_port):
+    # pylint: disable-msg=too-many-locals
+    cfg_dir = os.path.join(os.getcwd(), "resolver")
+    assert os.path.isdir(cfg_dir)
+
+    cfg_file = os.path.join(cfg_dir, "named.conf")
+    assert os.path.isfile(cfg_file)
+
+    named = os.getenv("NAMED")
+    assert named is not None
+
+    rndc = os.getenv("RNDC")
+    assert rndc is not None
+
+    systest_dir = os.getenv("SYSTEMTESTTOP")
+    assert systest_dir is not None
+
+    # rndc configuration resides in $SYSTEMTESTTOP/common/rndc.conf
+    rndc_cfg = os.path.join(systest_dir, "common", "rndc.conf")
+    assert os.path.isfile(rndc_cfg)
+
+    # rndc command with default arguments.
+    rndc_cmd = [rndc, "-c", rndc_cfg, "-p", str(control_port), "-s", "10.53.0.3"]
+
+    # We create a resolver instance that will be used to send queries.
+    resolver = dns.resolver.Resolver()
+    resolver.nameservers = ["10.53.0.3"]
+    resolver.port = named_port
+
+    # We test named shutting down using two methods:
+    # Method 1: using rndc ctop
+    # Method 2: killing with SIGTERM
+    # In both methods named should exit gracefully.
+    for kill_method in ("rndc", "sigterm"):
+        named_cmdline = [named, "-c", cfg_file, "-f"]
+        with subprocess.Popen(named_cmdline, cwd=cfg_dir) as named_proc:
+            try:
+                assert named_proc.poll() is None, "named isn't running"
+                assert wait_for_named_loaded(resolver)
+                do_work(
+                    named_proc,
+                    resolver,
+                    rndc_cmd,
+                    kill_method,
+                    n_workers=12,
+                    n_queries=16,
+                )
+                assert wait_for_proc_termination(named_proc)
+                assert named_proc.returncode == 0, "named crashed"
+            finally:  # Ensure named is terminated in case of an exception
+                named_proc.kill()
diff --git a/bin/tests/system/smartsign/child.db b/bin/tests/system/smartsign/child.db
new file mode 100644
index 0000000..878df45
--- /dev/null
+++ b/bin/tests/system/smartsign/child.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 60		; 1 minute
+child.parent.nil		IN SOA	ns.child.parent.nil. hostmaster.parent.nil. (
+				1          ; serial
+				2000       ; refresh (33 minutes 20 seconds)
+				2000       ; retry (33 minutes 20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns.child.parent.nil.
+$ORIGIN child.parent.nil.
+$TTL 300	; 5 minutes
+ns			A	10.53.0.3
diff --git a/bin/tests/system/smartsign/clean.sh b/bin/tests/system/smartsign/clean.sh
new file mode 100644
index 0000000..ad975af
--- /dev/null
+++ b/bin/tests/system/smartsign/clean.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f K* dsset-* *.signed dnskey.sigs other.sigs dsset.out
+rm -f ns*/named.lock
diff --git a/bin/tests/system/smartsign/parent.db b/bin/tests/system/smartsign/parent.db
new file mode 100644
index 0000000..a5484e3
--- /dev/null
+++ b/bin/tests/system/smartsign/parent.db
@@ -0,0 +1,31 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300	; 5 minutes
+parent.nil		IN SOA	ns1.parent.nil. hostmaster.parent.nil. (
+				1          ; serial
+				2000       ; refresh (33 minutes 20 seconds)
+				2000       ; retry (33 minutes 20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns1.parent.nil.
+			NS	ns2.parent.nil.
+$ORIGIN parent.nil.
+$TTL 3600	; 1 hour
+a			A	1.1.1.1
+$TTL 300	; 5 minutes
+ns1			A	10.53.0.1
+ns2			A	10.53.0.2
+
+child			NS     	ns.child
+ns.child		A	10.53.0.3
diff --git a/bin/tests/system/smartsign/tests.sh b/bin/tests/system/smartsign/tests.sh
new file mode 100644
index 0000000..ffde69e
--- /dev/null
+++ b/bin/tests/system/smartsign/tests.sh
@@ -0,0 +1,368 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+
+pzone=parent.nil
+pfile=parent.db
+
+czone=child.parent.nil
+cfile=child.db
+
+echo_i "generating child's keys"
+# active zsk
+czsk1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -L 30 $czone)
+
+# not yet published or active
+czsk2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -P none -A none $czone)
+
+# published but not active
+czsk3=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -A none $czone)
+
+# inactive
+czsk4=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -P now-24h -A now-24h -I now $czone)
+
+# active in 12 hours, inactive 12 hours after that...
+czsk5=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -P now+12h -A now+12h -I now+24h $czone)
+
+# explicit successor to czk5
+# (suppressing warning about lack of removal date)
+czsk6=$($KEYGEN -q -S $czsk5 -i 6h 2>/dev/null)
+
+# active ksk
+cksk1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -fk -L 30 $czone)
+
+# published but not YET active; will be active in 20 seconds
+cksk2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -fk $czone)
+# $SETTIME moved after other $KEYGENs
+
+echo_i "revoking key"
+# revoking key changes its ID
+cksk3=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -fk $czone)
+cksk4=$($REVOKE $cksk3)
+
+echo_i "setting up sync key"
+cksk5=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -fk -P now+1mo -A now+1mo -Psync now $czone)
+
+echo_i "and future sync key"
+cksk6=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -fk -P now+1mo -A now+1mo -Psync now+1mo $czone)
+
+echo_i "generating parent keys"
+pzsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $pzone)
+pksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -fk $pzone)
+
+echo_i "setting child's activation time"
+# using now+30s to fix RT 24561
+$SETTIME -A now+30s $cksk2 > /dev/null
+
+echo_i "signing child zone"
+czoneout=$($SIGNER -Sg -e now+1d -X now+2d -o $czone $cfile)
+
+echo_i "signing parent zone"
+pzoneout=$($SIGNER -Sg -o $pzone $pfile)
+
+czactive=$(keyfile_to_key_id $czsk1)
+czgenerated=$(keyfile_to_key_id $czsk2)
+czpublished=$(keyfile_to_key_id $czsk3)
+czinactive=$(keyfile_to_key_id $czsk4)
+czpredecessor=$(keyfile_to_key_id $czsk5)
+czsuccessor=$(keyfile_to_key_id $czsk6)
+ckactive=$(keyfile_to_key_id $cksk1)
+ckpublished=$(keyfile_to_key_id $cksk2)
+ckprerevoke=$(keyfile_to_key_id $cksk3)
+ckrevoked=$(keyfile_to_key_id $cksk4)
+
+pzid=$(keyfile_to_key_id $pzsk)
+pkid=$(keyfile_to_key_id $pksk)
+
+echo_i "checking dnssec-signzone output matches expectations"
+ret=0
+echo "$pzoneout" | grep 'KSKs: 1 active, 0 stand-by, 0 revoked' > /dev/null || ret=1
+echo "$pzoneout" | grep 'ZSKs: 1 active, 0 stand-by, 0 revoked' > /dev/null || ret=1
+echo "$czoneout" | grep 'KSKs: 1 active, 1 stand-by, 1 revoked' > /dev/null || ret=1
+echo "$czoneout" | grep 'ZSKs: 1 active, 2 stand-by, 0 revoked' > /dev/null || ret=1
+if [ $ret != 0 ]; then
+	echo_i "parent $pzoneout"
+	echo_i "child $czoneout"
+	echo_i "failed";
+fi
+status=$((status + ret))
+
+echo_i "rechecking dnssec-signzone output with -x"
+ret=0
+# use an alternate output file so -x doesn't interfere with later checks
+pzoneout=$($SIGNER -Sxg -o $pzone -f ${pfile}2.signed $pfile)
+czoneout=$($SIGNER -Sxg -e now+1d -X now+2d -o $czone -f ${cfile}2.signed $cfile)
+echo "$pzoneout" | grep 'KSKs: 1 active, 0 stand-by, 0 revoked' > /dev/null || ret=1
+echo "$pzoneout" | grep 'ZSKs: 1 active, 0 present, 0 revoked' > /dev/null || ret=1
+echo "$czoneout" | grep 'KSKs: 1 active, 1 stand-by, 1 revoked' > /dev/null || ret=1
+echo "$czoneout" | grep 'ZSKs: 1 active, 2 present, 0 revoked' > /dev/null || ret=1
+if [ $ret != 0 ]; then
+	echo_i "parent $pzoneout"
+	echo_i "child $czoneout"
+	echo_i "failed";
+fi
+status=$((status + ret))
+
+echo_i "checking parent zone DNSKEY set"
+ret=0
+grep "key id = $pzid" $pfile.signed > /dev/null || {
+	ret=1
+	echo_i "missing expected parent ZSK id = $pzid"
+}
+grep "key id = $pkid" $pfile.signed > /dev/null || {
+	ret=1
+	echo_i "missing expected parent KSK id = $pkid"
+}
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking parent zone DS records"
+ret=0
+awk '$2 == "DS" {print $3}' $pfile.signed > dsset.out
+grep -w "$ckactive" dsset.out > /dev/null || ret=1
+grep -w "$ckpublished" dsset.out > /dev/null || ret=1
+# revoked key should not be there, hence the &&
+grep -w "$ckprerevoke" dsset.out > /dev/null && ret=1
+grep -w "$ckrevoked" dsset.out > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking child zone DNSKEY set"
+ret=0
+grep "key id = $ckactive\$" $cfile.signed > /dev/null || {
+	ret=1
+	echo_i "missing expected child KSK id = $ckactive"
+}
+grep "key id = $ckpublished\$" $cfile.signed > /dev/null || {
+	ret=1
+	echo_i "missing expected child prepublished KSK id = $ckpublished"
+}
+grep "key id = $ckrevoked\$" $cfile.signed > /dev/null || {
+	ret=1
+	echo_i "missing expected child revoked KSK id = $ckrevoked"
+}
+grep "key id = $czactive\$" $cfile.signed > /dev/null || {
+	ret=1
+	echo_i "missing expected child ZSK id = $czactive"
+}
+grep "key id = $czpublished\$" $cfile.signed > /dev/null || {
+	ret=1
+	echo_i "missing expected child prepublished ZSK id = $czpublished"
+}
+grep "key id = $czinactive\$" $cfile.signed > /dev/null || {
+	ret=1
+	echo_i "missing expected child inactive ZSK id = $czinactive"
+}
+# should not be there, hence the &&
+grep "key id = $ckprerevoke\$" $cfile.signed > /dev/null && {
+	ret=1
+	echo_i "found unexpected child pre-revoke ZSK id = $ckprerevoke"
+}
+grep "key id = $czgenerated\$" $cfile.signed > /dev/null && {
+	ret=1
+	echo_i "found unexpected child generated ZSK id = $czgenerated"
+}
+grep "key id = $czpredecessor\$" $cfile.signed > /dev/null && {
+	echo_i "found unexpected ZSK predecessor id = $czpredecessor (ignored)"
+}
+grep "key id = $czsuccessor\$" $cfile.signed > /dev/null && {
+	echo_i "found unexpected ZSK successor id = $czsuccessor (ignored)"
+}
+#grep "key id = $czpredecessor\$" $cfile.signed > /dev/null && ret=1
+#grep "key id = $czsuccessor\$" $cfile.signed > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking key TTLs are correct"
+ret=0
+grep "${czone}. 30 IN" ${czsk1}.key > /dev/null 2>&1 || ret=1
+grep "${czone}. 30 IN" ${cksk1}.key > /dev/null 2>&1 || ret=1
+grep "${czone}. IN" ${czsk2}.key > /dev/null 2>&1 || ret=1
+$SETTIME -L 45 ${czsk2} > /dev/null
+grep "${czone}. 45 IN" ${czsk2}.key > /dev/null 2>&1 || ret=1
+$SETTIME -L 0 ${czsk2} > /dev/null
+grep "${czone}. IN" ${czsk2}.key > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking key TTLs were imported correctly"
+ret=0
+awk 'BEGIN {r = 0} $2 == "DNSKEY" && $1 != 30 {r = 1} END {exit r}' \
+        ${cfile}.signed || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "re-signing and checking imported TTLs again"
+ret=0
+$SETTIME -L 15 ${czsk2} > /dev/null
+czoneout=$($SIGNER -Sg -e now+1d -X now+2d -o $czone $cfile)
+awk 'BEGIN {r = 0} $2 == "DNSKEY" && $1 != 15 {r = 1} END {exit r}' \
+        ${cfile}.signed || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+# There is some weirdness in Solaris 10 (Generic_120011-14), which
+# is why the next section has all those echo $ret > /dev/null;sync
+# commands
+echo_i "checking child zone signatures"
+ret=0
+# check DNSKEY signatures first
+awk '$2 == "RRSIG" && $3 == "DNSKEY" { getline; print $3 }' $cfile.signed > dnskey.sigs
+sub=0
+grep -w "$ckactive" dnskey.sigs > /dev/null || sub=1
+if [ $sub != 0 ]; then echo_i "missing ckactive $ckactive (dnskey)"; ret=1; fi
+echo $ret > /dev/null
+sync
+sub=0
+grep -w "$ckrevoked" dnskey.sigs > /dev/null || sub=1
+if [ $sub != 0 ]; then echo_i "missing ckrevoke $ckrevoke (dnskey)"; ret=1; fi
+echo $ret > /dev/null
+sync
+sub=0
+grep -w "$czactive" dnskey.sigs > /dev/null || sub=1
+if [ $sub != 0 ]; then echo_i "missing czactive $czactive (dnskey)"; ret=1; fi
+# should not be there:
+echo $ret > /dev/null
+sync
+sub=0
+grep -w "$ckprerevoke" dnskey.sigs > /dev/null && sub=1
+if [ $sub != 0 ]; then echo_i "found ckprerevoke $ckprerevoke (dnskey)"; ret=1; fi
+echo $ret > /dev/null
+sync
+sub=0
+grep -w "$ckpublished" dnskey.sigs > /dev/null && sub=1
+if [ $sub != 0 ]; then echo_i "found ckpublished $ckpublished (dnskey)"; ret=1; fi
+echo $ret > /dev/null
+sync
+sub=0
+grep -w "$czpublished" dnskey.sigs > /dev/null && sub=1
+if [ $sub != 0 ]; then echo_i "found czpublished $czpublished (dnskey)"; ret=1; fi
+echo $ret > /dev/null
+sync
+sub=0
+grep -w "$czinactive" dnskey.sigs > /dev/null && sub=1
+if [ $sub != 0 ]; then echo_i "found czinactive $czinactive (dnskey)"; ret=1; fi
+echo $ret > /dev/null
+sync
+sub=0
+grep -w "$czgenerated" dnskey.sigs > /dev/null && sub=1
+if [ $sub != 0 ]; then echo_i "found czgenerated $czgenerated (dnskey)"; ret=1; fi
+# now check other signatures first
+awk '$2 == "RRSIG" && $3 != "DNSKEY" && $3 != "CDNSKEY" && $3 != "CDS" { getline; print $3 }' $cfile.signed | sort -un > other.sigs
+# should not be there:
+echo $ret > /dev/null
+sync
+sub=0
+grep -w "$ckactive" other.sigs > /dev/null && sub=1
+if [ $sub != 0 ]; then echo_i "found ckactive $ckactive (other)"; ret=1; fi
+echo $ret > /dev/null
+sync
+sub=0
+grep -w "$ckpublished" other.sigs > /dev/null && sub=1
+if [ $sub != 0 ]; then echo_i "found ckpublished $ckpublished (other)"; ret=1; fi
+echo $ret > /dev/null
+sync
+sub=0
+grep -w "$ckprerevoke" other.sigs > /dev/null && sub=1
+if [ $sub != 0 ]; then echo_i "found ckprerevoke $ckprerevoke (other)"; ret=1; fi
+echo $ret > /dev/null
+sync
+sub=0
+grep -w "$ckrevoked" other.sigs > /dev/null && sub=1
+if [ $sub != 0 ]; then echo_i "found ckrevoked $ckrevoked (other)"; ret=1; fi
+echo $ret > /dev/null
+sync
+sub=0
+grep -w "$czpublished" other.sigs > /dev/null && sub=1
+if [ $sub != 0 ]; then echo_i "found czpublished $czpublished (other)"; ret=1; fi
+echo $ret > /dev/null
+sync
+sub=0
+grep -w "$czinactive" other.sigs > /dev/null && sub=1
+if [ $sub != 0 ]; then echo_i "found czinactive $czinactive (other)"; ret=1; fi
+echo $ret > /dev/null
+sync
+sub=0
+grep -w "$czgenerated" other.sigs > /dev/null && sub=1
+if [ $sub != 0 ]; then echo_i "found czgenerated $czgenerated (other)"; ret=1; fi
+echo $ret > /dev/null
+sync
+sub=0
+grep -w "$czpredecessor" other.sigs > /dev/null && sub=1
+if [ $sub != 0 ]; then echo_i "found czpredecessor $czpredecessor (other)"; ret=1; fi
+echo $ret > /dev/null
+sync
+sub=0
+grep -w "$czsuccessor" other.sigs > /dev/null && sub=1
+if [ $sub != 0 ]; then echo_i "found czsuccessor $czsuccessor (other)"; ret=1; fi
+if [ $ret != 0 ]; then
+    sed 's/^/I:dnskey sigs: /' < dnskey.sigs
+    sed 's/^/I:other sigs: /' < other.sigs
+    echo_i "failed";
+fi
+status=$((status + ret))
+
+echo_i "checking RRSIG expiry date correctness"
+dnskey_expiry=$($CHECKZONE -o - $czone $cfile.signed 2> /dev/null |
+              awk '$4 == "RRSIG" && $5 == "DNSKEY" {print $9; exit}' |
+              cut -c1-10)
+soa_expiry=$($CHECKZONE -o - $czone $cfile.signed 2> /dev/null |
+           awk '$4 == "RRSIG" && $5 == "SOA" {print $9; exit}' |
+           cut -c1-10)
+[ $dnskey_expiry -gt $soa_expiry ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "waiting 30 seconds for key activation"
+sleep 30
+echo_i "re-signing child zone"
+czoneout2=$($SIGNER -Sg -o $czone -f $cfile.new $cfile.signed)
+mv $cfile.new $cfile.signed
+
+echo_i "checking dnssec-signzone output matches expectations"
+ret=0
+echo "$czoneout2" | grep 'KSKs: 2 active, 0 stand-by, 1 revoked' > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking child zone signatures again"
+ret=0
+awk '$2 == "RRSIG" && $3 == "DNSKEY" { getline; print $3 }' $cfile.signed > dnskey.sigs
+grep -w "$ckpublished" dnskey.sigs > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking sync record publication"
+ret=0
+awk 'BEGIN { r=1 } $2 == "CDNSKEY" { r=0 } END { exit r }' $cfile.signed || ret=1
+awk 'BEGIN { r=1 } $2 == "CDS" { r=0 } END { exit r }' $cfile.signed || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+# this also checks that the future sync record is not yet published
+echo_i "checking sync record deletion"
+ret=0
+$SETTIME -P now -A now -Dsync now ${cksk5} > /dev/null
+$SIGNER -Sg -o $czone -f $cfile.new $cfile.signed > /dev/null
+mv $cfile.new $cfile.signed
+awk 'BEGIN { r=1 } $2 == "CDNSKEY" { r=0 } END { exit r }' $cfile.signed && ret=1
+awk 'BEGIN { r=1 } $2 == "CDS" { r=0 } END { exit r }' $cfile.signed && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/sortlist/clean.sh b/bin/tests/system/sortlist/clean.sh
new file mode 100644
index 0000000..b490f46
--- /dev/null
+++ b/bin/tests/system/sortlist/clean.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f *.dig *.good *.out
+rm -f */named.memstats
+rm -f */named.run
+rm -f */named.conf
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/sortlist/ns1/example.db b/bin/tests/system/sortlist/ns1/example.db
new file mode 100644
index 0000000..b68e215
--- /dev/null
+++ b/bin/tests/system/sortlist/ns1/example.db
@@ -0,0 +1,37 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	ns1.example. hostmaster.example. (
+				2000042795 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+example.		NS	ns1.example.
+ns1.example.		A	10.53.0.1
+
+; Let's see what the sortlist picks out of this...
+a			A	1.1.1.1
+a			A	1.1.1.5
+a			A	1.1.1.2
+a			A	192.168.3.1
+a			A	1.1.1.3
+a			A	192.168.1.1
+a			A	1.1.1.4
+
+b			A	10.53.0.1
+b			A	10.53.0.2
+b			A	10.53.0.3
+b			A	10.53.0.4
+b			A	10.53.0.5
+
diff --git a/bin/tests/system/sortlist/ns1/named.conf.in b/bin/tests/system/sortlist/ns1/named.conf.in
new file mode 100644
index 0000000..33081ff
--- /dev/null
+++ b/bin/tests/system/sortlist/ns1/named.conf.in
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+
+	sortlist {
+	    { 10.53.0.1;				   // IF 10.53.0.1
+		{
+		    !1.1.1.4; !1.1.1.2; !1.1.1.3; !1.1.1.1; // sort these last,
+		    192.168.3/24;			    // this first
+		    { 192.168.2/24; 192.168.1/24; }; }; };  // and these next
+	    { { 10.53.0.2; 10.53.0.3; }; };		    // Prefer self
+	    10.53.0.4;					    // BIND 8 compat
+	    { 10.53.0.5; 10.53.0.5; };    		    // BIND 8 compat
+	};
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+};
diff --git a/bin/tests/system/sortlist/ns1/root.db b/bin/tests/system/sortlist/ns1/root.db
new file mode 100644
index 0000000..17780d1
--- /dev/null
+++ b/bin/tests/system/sortlist/ns1/root.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. 			IN SOA	gson.nominum.com. a.root.servers.nil. (
+				2000042100   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+
+example.		NS	ns2.example.
+ns2.example.		A	10.53.0.2
diff --git a/bin/tests/system/sortlist/setup.sh b/bin/tests/system/sortlist/setup.sh
new file mode 100644
index 0000000..e46affa
--- /dev/null
+++ b/bin/tests/system/sortlist/setup.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
diff --git a/bin/tests/system/sortlist/tests.sh b/bin/tests/system/sortlist/tests.sh
new file mode 100644
index 0000000..b290a99
--- /dev/null
+++ b/bin/tests/system/sortlist/tests.sh
@@ -0,0 +1,51 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="+tcp +noadd +nosea +nostat +noquest +noauth +nocomm +nocmd -p ${PORT}"
+
+status=0
+
+echo_i "test 2-element sortlist statement"
+cat <<EOF >test1.good
+a.example.		300	IN	A	192.168.3.1
+a.example.		300	IN	A	192.168.1.1
+a.example.		300	IN	A	1.1.1.5
+a.example.		300	IN	A	1.1.1.1
+a.example.		300	IN	A	1.1.1.3
+a.example.		300	IN	A	1.1.1.2
+a.example.		300	IN	A	1.1.1.4
+EOF
+$DIG $DIGOPTS a.example. @10.53.0.1 -b 10.53.0.1 >test1.dig
+# Note that this can't use digcomp.pl because here, the ordering of the
+# result RRs is significant.
+$DIFF test1.dig test1.good || status=1
+
+echo_i "test 1-element sortlist statement and undocumented BIND 8 features"
+	cat <<EOF >test2.good
+b.example.		300	IN	A	10.53.0.$n
+EOF
+
+$DIG $DIGOPTS b.example. @10.53.0.1 -b 10.53.0.2 | sed 1q | \
+        grep -E '10.53.0.(2|3)$' > test2.out &&
+$DIG $DIGOPTS b.example. @10.53.0.1 -b 10.53.0.3 | sed 1q | \
+        grep -E '10.53.0.(2|3)$' >> test2.out &&
+$DIG $DIGOPTS b.example. @10.53.0.1 -b 10.53.0.4 | sed 1q | \
+        grep -E '10.53.0.4$' >> test2.out &&
+$DIG $DIGOPTS b.example. @10.53.0.1 -b 10.53.0.5 | sed 1q | \
+        grep -E '10.53.0.5$' >> test2.out || status=1
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/spf/clean.sh b/bin/tests/system/spf/clean.sh
new file mode 100644
index 0000000..90dc7b6
--- /dev/null
+++ b/bin/tests/system/spf/clean.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f ns1/named.run
+rm -f ns1/named.memstats
+rm -f ns*/named.lock
+rm -f ns*/named.conf
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/spf/ns1/named.conf.in b/bin/tests/system/spf/ns1/named.conf.in
new file mode 100644
index 0000000..f828586
--- /dev/null
+++ b/bin/tests/system/spf/ns1/named.conf.in
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	ixfr-from-differences yes;
+};
+
+zone "spf" {
+	type primary;
+	file "spf.db";
+};
+
+zone "warn" {
+	type primary;
+	file "spf.db";
+	check-spf warn;
+};
+
+zone "nowarn" {
+	type primary;
+	file "spf.db";
+	check-spf ignore;
+};
diff --git a/bin/tests/system/spf/ns1/spf.db b/bin/tests/system/spf/ns1/spf.db
new file mode 100644
index 0000000..9527b1b
--- /dev/null
+++ b/bin/tests/system/spf/ns1/spf.db
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 0 IN SOA . . 0 0 0 0 0
+@ 0 IN NS .
+@ 0 IN TXT "v=spf1 -all"
+@ 0 IN SPF "v=spf1 -all"
+x 0 IN TXT "v=spf1"
+y 0 IN SPF "v=spf1"
+y 0 IN TXT "a non spf record"
diff --git a/bin/tests/system/spf/setup.sh b/bin/tests/system/spf/setup.sh
new file mode 100644
index 0000000..e46affa
--- /dev/null
+++ b/bin/tests/system/spf/setup.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
diff --git a/bin/tests/system/spf/tests.sh b/bin/tests/system/spf/tests.sh
new file mode 100644
index 0000000..b7e86f0
--- /dev/null
+++ b/bin/tests/system/spf/tests.sh
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+n=1
+status=0
+
+# Wait until all zones are loaded before checking SPF related logs
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+	grep "all zones loaded" ns1/named.run > /dev/null && break
+	sleep 1
+done
+
+echo_i "checking that SPF warnings have been correctly generated ($n)"
+ret=0
+
+grep "zone spf/IN: loaded serial 0" ns1/named.run > /dev/null || ret=1
+grep "'y.spf' found type SPF" ns1/named.run > /dev/null || ret=1
+grep "'spf' found type SPF" ns1/named.run > /dev/null && ret=1
+
+grep "zone warn/IN: loaded serial 0" ns1/named.run > /dev/null || ret=1
+grep "'y.warn' found type SPF" ns1/named.run > /dev/null || ret=1
+grep "'warn' found type SPF" ns1/named.run > /dev/null && ret=1
+
+grep "zone nowarn/IN: loaded serial 0" ns1/named.run > /dev/null || ret=1
+grep "'y.nowarn' found type SPF" ns1/named.run > /dev/null && ret=1
+grep "'nowarn' found type SPF" ns1/named.run > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/start.pl b/bin/tests/system/start.pl
new file mode 100755
index 0000000..80d25ee
--- /dev/null
+++ b/bin/tests/system/start.pl
@@ -0,0 +1,451 @@
+#!/usr/bin/perl -w
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# Framework for starting test servers.
+# Based on the type of server specified, check for port availability, remove
+# temporary files, start the server, and verify that the server is running.
+# If a server is specified, start it. Otherwise, start all servers for test.
+
+use strict;
+use warnings;
+
+use Cwd ':DEFAULT', 'abs_path';
+use English '-no_match_vars';
+use Getopt::Long;
+use Time::HiRes 'sleep'; # allows sleeping fractional seconds
+
+# Usage:
+#   perl start.pl [--noclean] [--restart] [--port port] [--taskset cpus] test [server [options]]
+#
+#   --noclean       Do not cleanup files in server directory.
+#
+#   --restart       Indicate that the server is being restarted, so get the
+#                   server to append output to an existing log file instead of
+#                   starting a new one.
+#
+#   --port port     Specify the default port being used by the server to answer
+#                   queries (default 5300).  This script will interrogate the
+#                   server on this port to see if it is running. (Note: for
+#                   "named" nameservers, this can be overridden by the presence
+#                   of the file "named.port" in the server directory containing
+#                   the number of the query port.)
+#
+#   --taskset cpus  Use taskset to signal which cpus can be used. For example
+#                   cpus=fff0 means all cpus aexcept for 0, 1, 2, and 3 are
+#                   eligible.
+#
+#   test            Name of the test directory.
+#
+#   server          Name of the server directory.  This will be of the form
+#                   "nsN" or "ansN", where "N" is an integer between 1 and 8.
+#                   If not given, the script will start all the servers in the
+#                   test directory.
+#
+#   options         Alternate options for the server.
+#
+#                   NOTE: options must be specified with '-- "<option list>"',
+#                   for instance: start.pl . ns1 -- "-c n.conf -d 43"
+#
+#                   ALSO NOTE: this variable will be filled with the contents
+#                   of the first non-commented/non-blank line of args in a file
+#                   called "named.args" in an ns*/ subdirectory. Only the FIRST
+#                   non-commented/non-blank line is used (everything else in
+#                   the file is ignored). If "options" is already set, then
+#                   "named.args" is ignored.
+
+my $usage = "usage: $0 [--noclean] [--restart] [--port <port>] [--taskset <cpus>] test-directory [server-directory [server-options]]";
+my $clean = 1;
+my $restart = 0;
+my $queryport = 5300;
+my $taskset = "";
+
+GetOptions(
+	'clean!'    => \$clean,
+	'restart!'  => \$restart,
+	'port=i'    => \$queryport,
+	'taskset=s' => \$taskset,
+) or die "$usage\n";
+
+my( $test, $server_arg, $options_arg ) = @ARGV;
+
+if (!$test) {
+	die "$usage\n";
+}
+
+# Global variables
+my $topdir = abs_path($ENV{'SYSTEMTESTTOP'});
+my $testdir = abs_path($topdir . "/" . $test);
+
+if (! -d $testdir) {
+	die "No test directory: \"$testdir\"\n";
+}
+
+if ($server_arg && ! -d "$testdir/$server_arg") {
+	die "No server directory: \"$testdir/$server_arg\"\n";
+}
+
+my $NAMED = $ENV{'NAMED'};
+my $DIG = $ENV{'DIG'};
+my $PERL = $ENV{'PERL'};
+my $PYTHON = $ENV{'PYTHON'};
+
+# Start the server(s)
+
+my @ns;
+my @ans;
+
+if ($server_arg) {
+	if ($server_arg =~ /^ns/) {
+		push(@ns, $server_arg);
+	} elsif ($server_arg =~ /^ans/) {
+		push(@ans, $server_arg);
+	} else {
+		print "$0: ns or ans directory expected";
+		print "I:$test:failed";
+	}
+} else {
+	# Determine which servers need to be started for this test.
+	opendir DIR, $testdir or die "unable to read test directory: \"$test\" ($OS_ERROR)\n";
+	my @files = sort readdir DIR;
+	closedir DIR;
+
+	@ns = grep /^ns[0-9]*$/, @files;
+	@ans = grep /^ans[0-9]*$/, @files;
+}
+
+# Start the servers we found.
+
+foreach my $name(@ns) {
+	my $instances_so_far = count_running_lines($name);
+	&check_ns_port($name);
+	&start_ns_server($name, $options_arg);
+	&verify_ns_server($name, $instances_so_far);
+}
+
+foreach my $name(@ans) {
+	&start_ans_server($name);
+}
+
+# Subroutines
+
+sub read_ns_port {
+	my ( $server ) = @_;
+	my $port = $queryport;
+	my $options = "";
+
+	if ($server) {
+		my $file = $testdir . "/" . $server . "/named.port";
+
+		if (-e $file) {
+			open(my $fh, "<", $file) or die "unable to read ports file \"$file\" ($OS_ERROR)";
+
+			my $line = <$fh>;
+
+			if ($line) {
+				chomp $line;
+				$port = $line;
+			}
+		}
+	}
+	return ($port);
+}
+
+sub check_ns_port {
+	my ( $server ) = @_;
+	my $options = "";
+	my $port = read_ns_port($server);
+
+	if ($server =~ /(\d+)$/) {
+		$options = "-i $1";
+	}
+
+	my $tries = 0;
+
+	while (1) {
+		my $return = system("$PERL $topdir/testsock.pl -p $port $options");
+
+		if ($return == 0) {
+			last;
+		}
+
+		$tries++;
+
+		if ($tries > 4) {
+			print "$0: could not bind to server addresses, still running?\n";
+			print "I:$test:server sockets not available\n";
+			print "I:$test:failed\n";
+
+			system("$PERL $topdir/stop.pl $test"); # Is this the correct behavior?
+
+			exit 1;
+		}
+
+		print "I:$test:Couldn't bind to socket (yet)\n";
+		sleep 2;
+	}
+}
+
+sub start_server {
+	my ( $server, $command, $pid_file ) = @_;
+
+	chdir "$testdir/$server" or die "unable to chdir \"$testdir/$server\" ($OS_ERROR)\n";
+
+	# start the server
+	my $child = `$command`;
+	chomp($child);
+
+	# wait up to 14 seconds for the server to start and to write the
+	# pid file otherwise kill this server and any others that have
+	# already been started
+	my $tries = 0;
+	while (!-s $pid_file) {
+		if (++$tries > 140) {
+			print "I:$test:Couldn't start server $command (pid=$child)\n";
+			print "I:$test:failed\n";
+			kill "ABRT", $child if ("$child" ne "");
+			chdir "$testdir";
+			system "$PERL $topdir/stop.pl $test";
+			exit 1;
+		}
+		sleep 0.1;
+	}
+
+	# go back to the top level directory
+	chdir $topdir;
+}
+
+sub construct_ns_command {
+	my ( $server, $options ) = @_;
+
+	my $command;
+
+	if ($ENV{'USE_VALGRIND'}) {
+		$command = "valgrind -q --gen-suppressions=all --num-callers=48 --fullpath-after= --log-file=named-$server-valgrind-%p.log ";
+
+		if ($ENV{'USE_VALGRIND'} eq 'helgrind') {
+			$command .= "--tool=helgrind ";
+		} else {
+			$command .= "--tool=memcheck --track-origins=yes --leak-check=full ";
+		}
+
+		$command .= "$NAMED -m none -M external ";
+	} else {
+		if ($taskset) {
+			$command = "taskset $taskset $NAMED ";
+		} else {
+			$command = "$NAMED ";
+		}
+	}
+
+	my $args_file = $testdir . "/" . $server . "/" . "named.args";
+
+	if ($options) {
+		$command .= $options;
+	} elsif (-e $args_file) {
+		open(my $fh, "<", $args_file) or die "unable to read args_file \"$args_file\" ($OS_ERROR)\n";
+
+		while(my $line=<$fh>) {
+			next if ($line =~ /^\s*$/); #discard blank lines
+			next if ($line =~ /^\s*#/); #discard comment lines
+
+			chomp $line;
+
+			$line =~ s/#.*$//;
+
+			$command .= $line;
+
+			last;
+		}
+	} else {
+		$command .= "-D $test-$server ";
+		$command .= "-X named.lock ";
+		$command .= "-m record,size,mctx ";
+
+		foreach my $t_option(
+			"dropedns", "ednsformerr", "ednsnotimp", "ednsrefused",
+			"noaa", "noedns", "nosoa", "maxudp512", "maxudp1460",
+		    ) {
+			if (-e "$testdir/$server/named.$t_option") {
+				$command .= "-T $t_option "
+			}
+		}
+
+		$command .= "-c named.conf -d 99 -g -U 4 -T maxcachesize=2097152";
+	}
+
+	if (-e "$testdir/$server/named.notcp") {
+		$command .= " -T notcp"
+	}
+
+	if ($restart) {
+		$command .= " >>named.run 2>&1 &";
+	} else {
+		$command .= " >named.run 2>&1 &";
+	}
+
+	# get the shell to report the pid of the server ($!)
+	$command .= " echo \$!";
+
+	return $command;
+}
+
+sub start_ns_server {
+	my ( $server, $options ) = @_;
+
+	my $cleanup_files;
+	my $command;
+	my $pid_file;
+
+	$cleanup_files = "{./*.jnl,./*.bk,./*.st,./named.run}";
+
+	$command = construct_ns_command($server, $options);
+
+	$pid_file = "named.pid";
+
+	if ($clean) {
+		unlink glob $cleanup_files;
+	}
+
+	start_server($server, $command, $pid_file);
+}
+
+sub construct_ans_command {
+	my ( $server, $options ) = @_;
+
+	my $command;
+	my $n;
+
+	if ($server =~ /^ans(\d+)/) {
+		$n = $1;
+	} else {
+		die "unable to parse server number from name \"$server\"\n";
+	}
+
+	if (-e "$testdir/$server/ans.py") {
+		$command = "$PYTHON -u ans.py 10.53.0.$n $queryport";
+	} elsif (-e "$testdir/$server/ans.pl") {
+		$command = "$PERL ans.pl";
+	} else {
+		$command = "$PERL $topdir/ans.pl 10.53.0.$n";
+	}
+
+	if ($options) {
+		$command .= $options;
+	}
+
+	if ($restart) {
+		$command .= " >>ans.run 2>&1 &";
+	} else {
+		$command .= " >ans.run 2>&1 &";
+	}
+
+	# get the shell to report the pid of the server ($!)
+	$command .= " echo \$!";
+
+	return $command;
+}
+
+sub start_ans_server {
+	my ( $server, $options ) = @_;
+
+	my $cleanup_files;
+	my $command;
+	my $pid_file;
+
+	$cleanup_files = "{./ans.run}";
+	$command = construct_ans_command($server, $options);
+	$pid_file = "ans.pid";
+
+	if ($clean) {
+		unlink glob $cleanup_files;
+	}
+
+	start_server($server, $command, $pid_file);
+}
+
+sub count_running_lines {
+	my ( $server ) = @_;
+
+	my $runfile = "$testdir/$server/named.run";
+
+	# the shell *ought* to have created the file immediately, but this
+	# logic allows the creation to be delayed without issues
+	if (open(my $fh, "<", $runfile)) {
+		# the two non-whitespace blobs should be the date and time
+		# but we don't care about them really, only that they are there
+		return scalar(grep /^\S+ \S+ running\R/, <$fh>);
+	} else {
+		return 0;
+	}
+}
+
+sub verify_ns_server {
+	my ( $server, $instances_so_far ) = @_;
+
+	my $tries = 0;
+
+	while (count_running_lines($server) < $instances_so_far + 1) {
+		$tries++;
+
+		if ($tries >= 30) {
+			print "I:$test:server $server seems to have not started\n";
+			print "I:$test:failed\n";
+
+			system("$PERL $topdir/stop.pl $test");
+
+			exit 1;
+		}
+
+		sleep 2;
+	}
+
+	$tries = 0;
+
+	my $port = read_ns_port($server);
+	my $tcp = "+tcp";
+	my $n;
+
+	if ($server =~ /^ns(\d+)/) {
+		$n = $1;
+	} else {
+		die "unable to parse server number from name \"$server\"\n";
+	}
+
+	if (-e "$testdir/$server/named.notcp") {
+		$tcp = "";
+	}
+
+	my $ip = "10.53.0.$n";
+	if (-e "$testdir/$server/named.ipv6-only") {
+		$ip = "fd92:7065:b8e:ffff::$n";
+	}
+
+	while (1) {
+		my $return = system("$DIG $tcp +noadd +nosea +nostat +noquest +nocomm +nocmd +noedns -p $port version.bind. chaos txt \@$ip > /dev/null");
+
+		last if ($return == 0);
+
+		$tries++;
+
+		if ($tries >= 30) {
+			print "I:$test:no response from $server\n";
+			print "I:$test:failed\n";
+
+			system("$PERL $topdir/stop.pl $test");
+
+			exit 1;
+		}
+
+		sleep 2;
+	}
+}
diff --git a/bin/tests/system/start.sh b/bin/tests/system/start.sh
new file mode 100755
index 0000000..06261cf
--- /dev/null
+++ b/bin/tests/system/start.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP="$(cd -P -- "$(dirname -- "$0")" && pwd -P)"
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+export SYSTEMTESTTOP
+
+$PERL "$SYSTEMTESTTOP/start.pl" "$@"
diff --git a/bin/tests/system/staticstub/clean.sh b/bin/tests/system/staticstub/clean.sh
new file mode 100755
index 0000000..f0dbe28
--- /dev/null
+++ b/bin/tests/system/staticstub/clean.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f tmp
+rm -f dig.out.*
+rm -f ns*/named.lock
+rm -f ns*/named.conf
+rm -f ns3/example.db
+rm -f ns3/undelegated.db
+rm -f ns4/sub.example.db
+rm -f ns?/named.memstats
+rm -f ns?/named.run
+rm -f ns?/named_dump.db
+rm -rf */*.signed
+rm -rf */K*
+rm -rf */dsset-*
+rm -rf */trusted.conf
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/staticstub/conf/bad01.conf b/bin/tests/system/staticstub/conf/bad01.conf
new file mode 100644
index 0000000..a849de4
--- /dev/null
+++ b/bin/tests/system/staticstub/conf/bad01.conf
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# prefix cannot be specified in the address list field.
+zone "example.com" {
+	type static-stub;
+	server-addresses { 192.0.2.0/24; };
+};
diff --git a/bin/tests/system/staticstub/conf/bad02.conf b/bin/tests/system/staticstub/conf/bad02.conf
new file mode 100644
index 0000000..9c85d00
--- /dev/null
+++ b/bin/tests/system/staticstub/conf/bad02.conf
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# server-names must be valid domain names.
+zone "example.com" {
+     type static-stub;
+     server-names { "\11.example.net"; };
+};
diff --git a/bin/tests/system/staticstub/conf/bad03.conf b/bin/tests/system/staticstub/conf/bad03.conf
new file mode 100644
index 0000000..b5aa0f4
--- /dev/null
+++ b/bin/tests/system/staticstub/conf/bad03.conf
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# Explicit port specification is not allowed (for now).
+zone "example.com" {
+	type static-stub;
+	server-addresses { 192.0.2.2 port 5301; };
+};
diff --git a/bin/tests/system/staticstub/conf/bad04.conf b/bin/tests/system/staticstub/conf/bad04.conf
new file mode 100644
index 0000000..ec25b7a
--- /dev/null
+++ b/bin/tests/system/staticstub/conf/bad04.conf
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# scoped address is not allowed.
+zone "example.com" {
+	type static-stub;
+	server-addresses { fe80::1%1; };
+};
diff --git a/bin/tests/system/staticstub/conf/bad05.conf b/bin/tests/system/staticstub/conf/bad05.conf
new file mode 100644
index 0000000..e47f412
--- /dev/null
+++ b/bin/tests/system/staticstub/conf/bad05.conf
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# server-name must not be a subdomain of the zone name.
+zone "example.com" {
+	type static-stub;
+	# server-name equals to the zone name.
+	server-names { "example.com"; };
+};
diff --git a/bin/tests/system/staticstub/conf/bad06.conf b/bin/tests/system/staticstub/conf/bad06.conf
new file mode 100644
index 0000000..be75748
--- /dev/null
+++ b/bin/tests/system/staticstub/conf/bad06.conf
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# server-name must not be a subdomain of the zone name.
+zone "example.com" {
+	type static-stub;
+	# server-name is a real subdomain of the zone name.
+	server-names { "ns.example.com"; };
+};
diff --git a/bin/tests/system/staticstub/conf/bad07.conf b/bin/tests/system/staticstub/conf/bad07.conf
new file mode 100644
index 0000000..dd1879f
--- /dev/null
+++ b/bin/tests/system/staticstub/conf/bad07.conf
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# server-addresses must not be specified more than once.
+zone "example.com" {
+	type static-stub;
+	server-addresses { 192.0.2.1; };
+	server-addresses { 192.0.2.2; };
+};
diff --git a/bin/tests/system/staticstub/conf/bad08.conf b/bin/tests/system/staticstub/conf/bad08.conf
new file mode 100644
index 0000000..c389c9d
--- /dev/null
+++ b/bin/tests/system/staticstub/conf/bad08.conf
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# server-names must not be specified more than once.
+zone "example.com" {
+	type static-stub;
+	server-names { ns1.example.net; };
+	server-names { ns2.example.net; };
+};
diff --git a/bin/tests/system/staticstub/conf/bad09.conf b/bin/tests/system/staticstub/conf/bad09.conf
new file mode 100644
index 0000000..7e7144a
--- /dev/null
+++ b/bin/tests/system/staticstub/conf/bad09.conf
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# "masters" isn't allowed for a static-stub zone (unlike a stub zone).
+zone "example.com" {
+	type static-stub;
+	masters { 192.0.2.1; };
+};
diff --git a/bin/tests/system/staticstub/conf/bad10.conf b/bin/tests/system/staticstub/conf/bad10.conf
new file mode 100644
index 0000000..b9d2862
--- /dev/null
+++ b/bin/tests/system/staticstub/conf/bad10.conf
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# "server-addresses" isn't allowed for a pure stub zone.
+# (or most of other types of zones, but confirming one case should be good
+# enough)
+zone "example.com" {
+	type stub;
+	server-addresses { 192.0.2.1; };
+};
diff --git a/bin/tests/system/staticstub/conf/bad11.conf b/bin/tests/system/staticstub/conf/bad11.conf
new file mode 100644
index 0000000..0b97e70
--- /dev/null
+++ b/bin/tests/system/staticstub/conf/bad11.conf
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# "server-names" isn't allowed for a pure stub zone.
+# (or most of other types of zones, but confirming one case should be good
+# enough)
+zone "example.com" {
+	type stub;
+	server-names { "ns.example.net"; };
+};
diff --git a/bin/tests/system/staticstub/conf/good01.conf b/bin/tests/system/staticstub/conf/good01.conf
new file mode 100644
index 0000000..93f19af
--- /dev/null
+++ b/bin/tests/system/staticstub/conf/good01.conf
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# both server-addresses and server-names can be specified.
+zone "example.com" {
+	type static-stub;
+	server-addresses { 192.0.2.1; };
+	server-names { "ns.example.net"; };
+};
diff --git a/bin/tests/system/staticstub/conf/good02.conf b/bin/tests/system/staticstub/conf/good02.conf
new file mode 100644
index 0000000..6a8a413
--- /dev/null
+++ b/bin/tests/system/staticstub/conf/good02.conf
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# both IPv4 and IPv6 server-addresses should be allowable.
+zone "example.com" {
+	type static-stub;
+	server-addresses { 192.0.2.1; 2001:db8::53; };
+};
diff --git a/bin/tests/system/staticstub/conf/good03.conf b/bin/tests/system/staticstub/conf/good03.conf
new file mode 100644
index 0000000..faa9ab3
--- /dev/null
+++ b/bin/tests/system/staticstub/conf/good03.conf
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# server-addresses can be empty, though it's meaningless.
+zone "example.com" {
+	type static-stub;
+	server-addresses {};
+};
diff --git a/bin/tests/system/staticstub/conf/good04.conf b/bin/tests/system/staticstub/conf/good04.conf
new file mode 100644
index 0000000..161e4f0
--- /dev/null
+++ b/bin/tests/system/staticstub/conf/good04.conf
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# server-names can be empty, though it's meaningless.
+zone "example.com" {
+	type static-stub;
+	server-names {};
+};
diff --git a/bin/tests/system/staticstub/conf/good05.conf b/bin/tests/system/staticstub/conf/good05.conf
new file mode 100644
index 0000000..e1db2fd
--- /dev/null
+++ b/bin/tests/system/staticstub/conf/good05.conf
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# less common options
+zone "example.com" {
+	type static-stub;
+	allow-query { 127.0.0.1; };
+	zone-statistics yes;
+};
diff --git a/bin/tests/system/staticstub/knowngood.dig.out.rec b/bin/tests/system/staticstub/knowngood.dig.out.rec
new file mode 100644
index 0000000..e854082
--- /dev/null
+++ b/bin/tests/system/staticstub/knowngood.dig.out.rec
@@ -0,0 +1,18 @@
+
+; <<>> DiG 8.2 <<>> -p @10.53.0.3 data.child.example txt
+; (1 server found)
+;; res options: init recurs defnam dnsrch
+;; got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
+;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
+;; QUERY SECTION:
+;;	data.example, type = TXT, class = IN
+
+;; ANSWER SECTION:
+data.example.	5M IN TXT	"some" "test" "data"
+
+;; Total query time: 8 msec
+;; FROM: draco to SERVER: 10.53.0.3
+;; WHEN: Wed Jun 21 10:58:54 2000
+;; MSG SIZE  sent: 36  rcvd: 97
+
diff --git a/bin/tests/system/staticstub/ns1/named.conf.in b/bin/tests/system/staticstub/ns1/named.conf.in
new file mode 100644
index 0000000..985b932
--- /dev/null
+++ b/bin/tests/system/staticstub/ns1/named.conf.in
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+	notify no;
+};
+
+zone "." { type primary; file "root.db"; };
diff --git a/bin/tests/system/staticstub/ns1/root.db b/bin/tests/system/staticstub/ns1/root.db
new file mode 100644
index 0000000..26bc039
--- /dev/null
+++ b/bin/tests/system/staticstub/ns1/root.db
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL	120
+@			SOA	a.root-servers.nil. hostmaster.isc.org. 1 600 600 1200 600
+@			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+
+example.com.		NS	example.
+
+ns.example.net.		A	10.53.0.3
diff --git a/bin/tests/system/staticstub/ns2/named.conf.in b/bin/tests/system/staticstub/ns2/named.conf.in
new file mode 100644
index 0000000..0724607
--- /dev/null
+++ b/bin/tests/system/staticstub/ns2/named.conf.in
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+include "trusted.conf";
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	notify no;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "example" {
+	type static-stub;
+	server-addresses { 10.53.0.3; };
+	allow-query { !10.53.0.7; any; };
+};
+
+zone "example.org" {
+	type static-stub;
+	SERVER_CONFIG_PLACEHOLDER
+};
+
+zone "example.info" {
+	type static-stub;
+	server-addresses { ::1; }; #ns4
+};
+
+zone "undelegated" {
+	type static-stub;
+	server-addresses { 10.53.0.3; };
+};
diff --git a/bin/tests/system/staticstub/ns3/example.db.in b/bin/tests/system/staticstub/ns3/example.db.in
new file mode 100644
index 0000000..c3b7d81
--- /dev/null
+++ b/bin/tests/system/staticstub/ns3/example.db.in
@@ -0,0 +1,32 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300	; 5 minutes
+example			IN SOA	ns3.example. hostmaster.example. (
+				2010080900 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+example.		NS	ns4.example. ; fake
+example.		A	10.53.0.4    ; fake
+example.		AAAA	::1	     ; fake
+
+ns4.example.		A	10.53.0.4
+data.example.		TXT	"some" "test" "data"
+data2.example.		TXT	"2nd test data"
+data3.example.		TXT	"3rd test data"
+data4.example.		TXT	"4th test data"
+
+sub.example.		NS	ns.sub.example.
+ns.sub.example.		A	10.53.0.4
diff --git a/bin/tests/system/staticstub/ns3/example.org.db b/bin/tests/system/staticstub/ns3/example.org.db
new file mode 100644
index 0000000..aec2f99
--- /dev/null
+++ b/bin/tests/system/staticstub/ns3/example.org.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300	; 5 minutes
+example.org		IN SOA	ns.example.org. hostmaster.example.org. (
+				2010080906 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+example.org.		NS	ns.example.org.
+ns.example.org.		A	10.53.0.3
+
+data.example.org.	TXT	"example org data"
diff --git a/bin/tests/system/staticstub/ns3/named.conf.in b/bin/tests/system/staticstub/ns3/named.conf.in
new file mode 100644
index 0000000..cbff743
--- /dev/null
+++ b/bin/tests/system/staticstub/ns3/named.conf.in
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+	notify no;
+};
+
+EXAMPLE_ZONE_PLACEHOLDER
+
+zone "example.org" {
+	type primary;
+	file "example.org.db";
+};
+
+zone "undelegated" {
+	type primary;
+	file "undelegated.db.signed";
+};
diff --git a/bin/tests/system/staticstub/ns3/sign.sh b/bin/tests/system/staticstub/ns3/sign.sh
new file mode 100755
index 0000000..111ffaf
--- /dev/null
+++ b/bin/tests/system/staticstub/ns3/sign.sh
@@ -0,0 +1,44 @@
+#!/bin/sh 
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=example.
+infile=example.db.in
+zonefile=example.db
+
+(cd ../ns4 && $SHELL -e sign.sh )
+
+cp ../ns4/dsset-sub.example$TP .
+
+keyname1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK -n zone $zone)
+cat $infile $keyname1.key $keyname2.key > $zonefile
+
+$SIGNER -g -o $zone $zonefile > /dev/null
+
+# Configure the resolving server with a trusted key.
+keyfile_to_static_ds $keyname2 > trusted.conf
+
+zone=undelegated
+infile=undelegated.db.in
+zonefile=undelegated.db
+keyname1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK -n zone $zone)
+cat $infile $keyname1.key $keyname2.key > $zonefile
+
+$SIGNER -g -o $zone $zonefile > /dev/null
+
+keyfile_to_static_ds $keyname2 >> trusted.conf
+cp trusted.conf ../ns2/trusted.conf
diff --git a/bin/tests/system/staticstub/ns3/undelegated.db.in b/bin/tests/system/staticstub/ns3/undelegated.db.in
new file mode 100644
index 0000000..a7010ef
--- /dev/null
+++ b/bin/tests/system/staticstub/ns3/undelegated.db.in
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+undelegated.		IN SOA	ns3.undelegated. hostmaster.undelegated. (
+				2010080900 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+undelegated.		NS	ns3.undelegated.
+undelegated.		A	10.53.0.4
+undelegated.		AAAA	::1
+ns3.undelegated.		A	10.53.0.3
diff --git a/bin/tests/system/staticstub/ns4/example.com.db b/bin/tests/system/staticstub/ns4/example.com.db
new file mode 100644
index 0000000..3db8fa4
--- /dev/null
+++ b/bin/tests/system/staticstub/ns4/example.com.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300	; 5 minutes
+example.com		IN SOA	example. hostmaster.example. (
+				2010080701 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+example.com.		NS	example.
+
+data.example.com.	TXT	"example com data"
diff --git a/bin/tests/system/staticstub/ns4/example.info.db b/bin/tests/system/staticstub/ns4/example.info.db
new file mode 100644
index 0000000..169c70d
--- /dev/null
+++ b/bin/tests/system/staticstub/ns4/example.info.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300	; 5 minutes
+example.info		IN SOA	ns.example.info. hostmaster.example.info. (
+				2010080902 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+example.info.		NS	ns.example.info.
+ns.example.info.	A	10.53.0.4
+
+data.example.info.	TXT	"example info data"
diff --git a/bin/tests/system/staticstub/ns4/example.org.db b/bin/tests/system/staticstub/ns4/example.org.db
new file mode 100644
index 0000000..69dc7e3
--- /dev/null
+++ b/bin/tests/system/staticstub/ns4/example.org.db
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300	; 5 minutes
+example.org		IN SOA	ns.example.org. hostmaster.example.org. (
+				2010080908 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+example.org.		NS	ns.example.org.
+ns.example.org.		A	10.53.0.3
+
+data.example.org.	TXT	"example org data"
+data2.example.org.	TXT	"2nd example org data"
diff --git a/bin/tests/system/staticstub/ns4/named.conf.in b/bin/tests/system/staticstub/ns4/named.conf.in
new file mode 100644
index 0000000..40c2a17
--- /dev/null
+++ b/bin/tests/system/staticstub/ns4/named.conf.in
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { ::1; };
+	recursion no;
+	dnssec-validation no;
+	notify no;
+};
+
+zone "example.com" {
+	type primary;
+	file "example.com.db";
+};
+
+zone "example.org" {
+	type primary;
+	file "example.org.db";
+};
+
+zone "sub.example" {
+	type primary;
+	file "sub.example.db.signed";
+};
+
+zone "example.info" {
+	type primary;
+	file "example.info.db";
+};
diff --git a/bin/tests/system/staticstub/ns4/sign.sh b/bin/tests/system/staticstub/ns4/sign.sh
new file mode 100755
index 0000000..14c5072
--- /dev/null
+++ b/bin/tests/system/staticstub/ns4/sign.sh
@@ -0,0 +1,26 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=sub.example
+infile=${zone}.db.in
+zonefile=${zone}.db
+
+keyname1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK -n zone $zone)
+
+cat $infile $keyname1.key $keyname2.key > $zonefile
+
+$SIGNER -o $zone $zonefile > /dev/null
diff --git a/bin/tests/system/staticstub/ns4/sub.example.db.in b/bin/tests/system/staticstub/ns4/sub.example.db.in
new file mode 100644
index 0000000..255396b
--- /dev/null
+++ b/bin/tests/system/staticstub/ns4/sub.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300	; 5 minutes
+sub.example.		IN SOA	ns.sub.example. hostmaster.example. (
+				2010080900 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+sub.example.		NS	ns.sub.example.
+ns.sub.example.		A	10.53.0.4
+
+data1.sub.example.	TXT	"1st sub test data"
+data2.sub.example.	TXT	"2nd sub test data"
+data3.sub.example.	TXT	"3rd sub test data"
diff --git a/bin/tests/system/staticstub/setup.sh b/bin/tests/system/staticstub/setup.sh
new file mode 100755
index 0000000..8d8037d
--- /dev/null
+++ b/bin/tests/system/staticstub/setup.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in tmp
+sed 's/SERVER_CONFIG_PLACEHOLDER/server-names { "ns.example.net"; };/' tmp > ns2/named.conf
+
+copy_setports ns3/named.conf.in tmp
+sed 's/EXAMPLE_ZONE_PLACEHOLDER/zone "example" { type master; file "example.db.signed"; };/' tmp > ns3/named.conf
+
+copy_setports ns4/named.conf.in ns4/named.conf
+
+cd ns3 && $SHELL -e sign.sh
diff --git a/bin/tests/system/staticstub/tests.sh b/bin/tests/system/staticstub/tests.sh
new file mode 100755
index 0000000..bd4167e
--- /dev/null
+++ b/bin/tests/system/staticstub/tests.sh
@@ -0,0 +1,218 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="-p ${PORT}"
+RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
+
+status=0
+n=0
+
+for conf in conf/good*.conf
+do
+	n=`expr $n + 1`
+	echo_i "checking that $conf is accepted ($n)"
+	ret=0
+	$CHECKCONF "$conf" || ret=1
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=`expr $status + $ret`
+done
+
+for conf in conf/bad*.conf
+do
+	n=`expr $n + 1`
+	echo_i "checking that $conf is rejected ($n)"
+	ret=0
+	$CHECKCONF "$conf" >/dev/null && ret=1
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=`expr $status + $ret`
+done
+
+n=`expr $n + 1`
+echo_i "trying an axfr that should be denied (NOTAUTH) ($n)"
+ret=0
+$DIG $DIGOPTS +tcp data.example. @10.53.0.2 axfr > dig.out.ns2.test$n || ret=1
+grep "; Transfer failed." dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "non recursive query for a static-stub zone with server name should be rejected ($n)"
+ret=0
+ $DIG $DIGOPTS +tcp +norec data.example. @10.53.0.2 txt > dig.out.ns2.test$n \
+ 	|| ret=1
+grep "REFUSED" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "non recursive query for a static-stub zone with server name should be rejected ($n)"
+ret=0
+$DIG $DIGOPTS +tcp +norec data.example.org. @10.53.0.2 txt > dig.out.ns2.test$n \
+	|| ret=1
+grep "REFUSED" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "allow-query ACL ($n)"
+ret=0
+$DIG $DIGOPTS +tcp +norec data.example. @10.53.0.2 txt -b 10.53.0.7 \
+	> dig.out.ns2.test$n || ret=1
+grep "REFUSED" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "look for static-stub zone data with recursion (should be found) ($n)"
+ret=0
+$DIG $DIGOPTS +tcp +noauth data.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
+digcomp knowngood.dig.out.rec dig.out.ns2.test$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking authoritative NS is ignored for delegation ($n)"
+ret=0
+# the auth server returns a different (and incorrect) NS for .example.
+$DIG $DIGOPTS +tcp example. @10.53.0.2 ns > dig.out.ns2.test1.$n || ret=1
+grep "ns4.example." dig.out.ns2.test1.$n > /dev/null || ret=1
+# but static-stub configuration should still be used
+$DIG $DIGOPTS +tcp data2.example. @10.53.0.2 txt > dig.out.ns2.test2.$n || ret=1
+grep "2nd test data" dig.out.ns2.test2.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking queries for a child zone of the static-stub zone ($n)"
+ret=0
+# prime the delegation to a child zone of the static-stub zone
+$DIG $DIGOPTS +tcp data1.sub.example. @10.53.0.2 txt > dig.out.ns2.test1.$n || ret=1
+grep "1st sub test data" dig.out.ns2.test1.$n > /dev/null || ret=1
+# temporarily disable the the parent zone
+copy_setports ns3/named.conf.in tmp
+sed 's/EXAMPLE_ZONE_PLACEHOLDER//' tmp > ns3/named.conf
+rndc_reload ns3 10.53.0.3
+# query the child zone again.  this should directly go to the child and
+# succeed.
+for i in 0 1 2 3 4 5 6 7 8 9
+do
+	$DIG $DIGOPTS +tcp data2.sub.example. @10.53.0.2 txt > dig.out.ns2.test2.$n || ret=1
+	grep "2nd sub test data" dig.out.ns2.test2.$n > /dev/null && break
+	sleep 1
+done
+grep "2nd sub test data" dig.out.ns2.test2.$n > /dev/null || ret=1
+# re-enable the parent
+copy_setports ns3/named.conf.in tmp
+sed 's/EXAMPLE_ZONE_PLACEHOLDER/zone "example" { type master; file "example.db.signed"; };/' tmp > ns3/named.conf
+rndc_reload ns3 10.53.0.3
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking authoritative NS addresses are ignored for delegation ($n)"
+ret=0
+# the auth server returns a different (and incorrect) A/AAA RR for .example.
+$DIG $DIGOPTS +tcp example. @10.53.0.2 a > dig.out.ns2.test1.$n || ret=1
+grep "10.53.0.4" dig.out.ns2.test1.$n > /dev/null || ret=1
+$DIG $DIGOPTS +tcp example. @10.53.0.2 aaaa > dig.out.ns2.test2.$n || ret=1
+grep "::1" dig.out.ns2.test2.$n > /dev/null || ret=1
+# reload the server.  this will flush the ADB.
+rndc_reload ns2 10.53.0.2
+# ask another RR that would require delegation.  static-stub configuration
+# should still be used instead of the authoritative A/AAAA cached above.
+$DIG $DIGOPTS +tcp data3.example. @10.53.0.2 txt > dig.out.ns2.test3.$n || ret=1
+grep "3rd test data" dig.out.ns2.test3.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# the authoritative server of the query domain (example.com) is the apex
+# name of the static-stub zone (example).  in this case the static-stub
+# configuration must be ignored and cached information must be used.
+n=`expr $n + 1`
+echo_i "checking NS of static-stub is ignored when referenced from other domain ($n)"
+ret=0
+$DIG $DIGOPTS +tcp data.example.com. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
+grep "example com data" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# check server-names
+n=`expr $n + 1`
+echo_i "checking static-stub with a server-name ($n)"
+ret=0
+$DIG $DIGOPTS +tcp data.example.org. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
+grep "example org data" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+# Note: for a short term workaround we use ::1, assuming it's configured and
+# usable for our tests.  We should eventually use the test ULA and available
+# checks introduced in change 2916.
+if testsock6 ::1
+then
+    echo_i "checking IPv6 static-stub address ($n)"
+    ret=0
+    $DIG $DIGOPTS +tcp data.example.info. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
+    grep "example info data" dig.out.ns2.test$n > /dev/null || ret=1
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=`expr $status + $ret`
+else
+    echo_i "SKIPPED: checking IPv6 static-stub address ($n)"
+fi
+
+n=`expr $n + 1`
+echo_i "look for static-stub zone data with DNSSEC validation ($n)"
+ret=0
+$DIG $DIGOPTS +tcp +dnssec data4.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
+grep "ad; QUERY" dig.out.ns2.test$n > /dev/null || ret=1
+grep "4th test data" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "look for a child of static-stub zone data with DNSSEC validation ($n)"
+ret=0
+$DIG $DIGOPTS +tcp +dnssec data3.sub.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
+grep "ad; QUERY" dig.out.ns2.test$n > /dev/null || ret=1
+grep "3rd sub test data" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# reload with a different name server: existing zone shouldn't be reused.
+n=`expr $n + 1`
+echo_i "checking server reload with a different static-stub config ($n)"
+ret=0
+copy_setports ns2/named.conf.in tmp
+sed 's/SERVER_CONFIG_PLACEHOLDER/server-addresses { 10.53.0.4; };/' tmp > ns2/named.conf
+rndc_reload ns2 10.53.0.2
+$DIG $DIGOPTS +tcp data2.example.org. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
+grep "2nd example org data" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking static-stub of a undelegated tld resolves after DS query ($n)"
+ret=0
+$DIG $DIGOPTS undelegated. @10.53.0.2 ds > dig.out.ns2.ds.test$n
+$DIG $DIGOPTS undelegated. @10.53.0.2 soa > dig.out.ns2.soa.test$n
+grep "status: NXDOMAIN" dig.out.ns2.ds.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns2.soa.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/statistics/ans4/ans.pl b/bin/tests/system/statistics/ans4/ans.pl
new file mode 100644
index 0000000..3a37a82
--- /dev/null
+++ b/bin/tests/system/statistics/ans4/ans.pl
@@ -0,0 +1,118 @@
+#!/usr/bin/perl -w
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Ad hoc name server
+#
+
+use IO::File;
+use IO::Socket;
+use Net::DNS;
+use Net::DNS::Packet;
+
+my $localport = int($ENV{'PORT'});
+if (!$localport) { $localport = 5300; }
+
+my $sock = IO::Socket::INET->new(LocalAddr => "10.53.0.4",
+   LocalPort => $localport, Proto => "udp") or die "$!";
+
+my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
+print $pidf "$$\n" or die "cannot write pid file: $!";
+$pidf->close or die "cannot close pid file: $!";
+sub rmpid { unlink "ans.pid"; exit 1; };
+
+$SIG{INT} = \&rmpid;
+$SIG{TERM} = \&rmpid;
+
+for (;;) {
+	$sock->recv($buf, 512);
+
+	print "**** request from " , $sock->peerhost, " port ", $sock->peerport, "\n";
+
+	my $packet;
+
+	if ($Net::DNS::VERSION > 0.68) {
+		$packet = new Net::DNS::Packet(\$buf, 0);
+		$@ and die $@;
+	} else {
+		my $err;
+		($packet, $err) = new Net::DNS::Packet(\$buf, 0);
+		$err and die $err;
+	}
+
+	print "REQUEST:\n";
+	$packet->print;
+
+	$packet->header->qr(1);
+
+	my @questions = $packet->question;
+	my $qname = $questions[0]->qname;
+	my $qtype = $questions[0]->qtype;
+
+	my $donotrespond = 0;
+
+	if ($qname eq "foo.info") {
+		$donotrespond = 1;
+	} elsif ($qname eq "cname1.example.com") {
+		# Data for the "cname + other data / 1" test
+		$packet->push("answer", new Net::DNS::RR("cname1.example.com 300 CNAME cname1.example.com"));
+		$packet->push("answer", new Net::DNS::RR("cname1.example.com 300 A 1.2.3.4"));
+	} elsif ($qname eq "cname2.example.com") {
+		# Data for the "cname + other data / 2" test: same RRs in opposite order
+		$packet->push("answer", new Net::DNS::RR("cname2.example.com 300 A 1.2.3.4"));
+		$packet->push("answer", new Net::DNS::RR("cname2.example.com 300 CNAME cname2.example.com"));
+	} elsif ($qname eq "www.example.org" || $qname eq "www.example.net" ||
+		 $qname eq "badcname.example.org" ||
+		 $qname eq "goodcname.example.org" ||
+		 $qname eq "foo.baddname.example.org" ||
+		 $qname eq "foo.gooddname.example.org") {
+		# Data for address/alias filtering.
+		$packet->header->aa(1);
+		if ($qtype eq "A") {
+			$packet->push("answer",
+				      new Net::DNS::RR($qname .
+						       " 300 A 192.0.2.1"));
+		} elsif ($qtype eq "AAAA") {
+			$packet->push("answer",
+				      new Net::DNS::RR($qname .
+						" 300 AAAA 2001:db8:beef::1"));
+		}
+	} elsif ($qname eq "badcname.example.net" ||
+		 $qname eq "goodcname.example.net") {
+		# Data for CNAME/DNAME filtering.  We need to make one-level
+		# delegation to avoid automatic acceptance for subdomain aliases
+		$packet->push("authority", new Net::DNS::RR("example.net 300 NS ns.example.net"));
+		$packet->push("additional", new Net::DNS::RR("ns.example.net 300 A 10.53.0.3"));
+	} elsif ($qname =~ /^nodata\.example\.net$/i) {
+		$packet->header->aa(1);
+	} elsif ($qname =~ /^nxdomain\.example\.net$/i) {
+		$packet->header->aa(1);
+		$packet->header->rcode(NXDOMAIN);
+	} elsif ($qname =~ /sub\.example\.org/) {
+		# Data for CNAME/DNAME filtering.  The final answers are
+		# expected to be accepted regardless of the filter setting.
+		$packet->push("authority", new Net::DNS::RR("sub.example.org 300 NS ns.sub.example.org"));
+		$packet->push("additional", new Net::DNS::RR("ns.sub.example.org 300 A 10.53.0.3"));
+	} else {
+		# Data for the "bogus referrals" test
+		$packet->push("authority", new Net::DNS::RR("below.www.example.com 300 NS ns.below.www.example.com"));
+		$packet->push("additional", new Net::DNS::RR("ns.below.www.example.com 300 A 10.53.0.3"));
+	}
+
+	if ($donotrespond == 0) {
+		$sock->send($packet->data);
+		print "RESPONSE:\n";
+		$packet->print;
+		print "\n";
+	}
+}
diff --git a/bin/tests/system/statistics/clean.sh b/bin/tests/system/statistics/clean.sh
new file mode 100644
index 0000000..da49585
--- /dev/null
+++ b/bin/tests/system/statistics/clean.sh
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Clean up after zone transfer tests.
+#
+
+rm -f ns3/example.bk
+rm -f ns3/internal.bk
+rm -f */named.conf
+rm -f */named.memstats
+rm -f */named.run
+rm -f */ans.run
+rm -f */named.stats
+rm -f */named.stats-stage*
+rm -f dig.out*
+rm -f curl.out.*
+rm -f ns*/named.lock
+rm -f stats*out
+rm -f ns*/managed-keys.bind*
+rm -f xsltproc.out.*
+rm -f named.stats.*
diff --git a/bin/tests/system/statistics/ns1/named.conf.in b/bin/tests/system/statistics/ns1/named.conf.in
new file mode 100644
index 0000000..8fd14f9
--- /dev/null
+++ b/bin/tests/system/statistics/ns1/named.conf.in
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+	notify yes;
+};
+
+statistics-channels {
+	inet 10.53.0.1 port @EXTRAPORT1@ allow { any; };
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
+
+zone "example.info." {
+	type primary;
+	file "example-info.db";
+};
+
+zone "32/1.0.0.127-in-addr.example." {
+	type primary;
+	file "zone.db";
+};
diff --git a/bin/tests/system/statistics/ns1/root.db b/bin/tests/system/statistics/ns1/root.db
new file mode 100644
index 0000000..17780d1
--- /dev/null
+++ b/bin/tests/system/statistics/ns1/root.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. 			IN SOA	gson.nominum.com. a.root.servers.nil. (
+				2000042100   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+
+example.		NS	ns2.example.
+ns2.example.		A	10.53.0.2
diff --git a/bin/tests/system/statistics/ns1/zone.db b/bin/tests/system/statistics/ns1/zone.db
new file mode 100644
index 0000000..7feee2c
--- /dev/null
+++ b/bin/tests/system/statistics/ns1/zone.db
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@		3600	IN SOA	ns.example. hostmaster.example. 1 3600 1200 604800 3600
+@		3600	IN NS	ns.example.
+ns.example.	3600	IN A	10.53.0.1
diff --git a/bin/tests/system/statistics/ns2/example.db b/bin/tests/system/statistics/ns2/example.db
new file mode 100644
index 0000000..4d60ce3
--- /dev/null
+++ b/bin/tests/system/statistics/ns2/example.db
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300	; 5 minutes
+example			IN SOA	mname1. . (
+				1          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+example.		NS	ns2.example.
+ns2.example.		A	10.53.0.2
+
+$ORIGIN example.
+a			A	10.0.0.1
+			MX	10 mail.example.
+
+mail			A	10.0.0.2
diff --git a/bin/tests/system/statistics/ns2/internal.db b/bin/tests/system/statistics/ns2/internal.db
new file mode 100644
index 0000000..4f1014f
--- /dev/null
+++ b/bin/tests/system/statistics/ns2/internal.db
@@ -0,0 +1,30 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300	; 5 minutes
+example			IN SOA	mname1. . (
+				2          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+example.		NS	ns2.example.
+ns2.example.		A	10.53.0.2
+example.		NS	ns3.example.
+ns3.example.		A	10.53.0.3
+
+$ORIGIN example.
+a			A	10.1.0.1
+			MX	10 intmail.example.
+
+intmail			A	10.1.0.2
diff --git a/bin/tests/system/statistics/ns2/named.conf.in b/bin/tests/system/statistics/ns2/named.conf.in
new file mode 100644
index 0000000..4e02037
--- /dev/null
+++ b/bin/tests/system/statistics/ns2/named.conf.in
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	notify yes;
+};
+
+statistics-channels {
+	inet 10.53.0.2 port @EXTRAPORT1@ allow { any; };
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+	allow-update { any; };
+};
diff --git a/bin/tests/system/statistics/ns2/named2.conf.in b/bin/tests/system/statistics/ns2/named2.conf.in
new file mode 100644
index 0000000..f2deebf
--- /dev/null
+++ b/bin/tests/system/statistics/ns2/named2.conf.in
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+};
+
+statistics-channels {
+	inet 10.53.0.2 port @EXTRAPORT1@ allow { any; };
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+	allow-update { any; };
+	zone-statistics full;
+};
diff --git a/bin/tests/system/statistics/ns3/internal.db b/bin/tests/system/statistics/ns3/internal.db
new file mode 100644
index 0000000..c93c2b0
--- /dev/null
+++ b/bin/tests/system/statistics/ns3/internal.db
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300	; 5 minutes
+example			IN SOA	mname1. . (
+				1          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+example.		NS	ns3.example.
+ns3.example.		A	10.53.0.3
+
+$ORIGIN example.
+a			A	10.1.0.1
+			MX	10 intmail.example.
+
+intmail			A	10.1.0.2
diff --git a/bin/tests/system/statistics/ns3/named.conf.in b/bin/tests/system/statistics/ns3/named.conf.in
new file mode 100644
index 0000000..62613a1
--- /dev/null
+++ b/bin/tests/system/statistics/ns3/named.conf.in
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	directory ".";
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	notify yes;
+	qname-minimization disabled;
+	zone-statistics yes;
+	glue-cache yes;
+};
+
+statistics-channels {
+	inet 10.53.0.3 port @EXTRAPORT1@ allow { any; };
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "root.hint";
+};
+
+zone "example" {
+	type primary;
+	allow-update { any; };
+	file "internal.db";
+};
+
+zone "a-secondary" {
+	type secondary;
+	file "sec.bk";
+	primaries { 10.53.0.1; };
+};
diff --git a/bin/tests/system/statistics/ns3/root.hint b/bin/tests/system/statistics/ns3/root.hint
new file mode 100644
index 0000000..dbc4a42
--- /dev/null
+++ b/bin/tests/system/statistics/ns3/root.hint
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 999999
+.			 IN NS	d.root-servers.nil.
+d.root-servers.nil.	 IN A	10.53.0.4
diff --git a/bin/tests/system/statistics/prereq.sh b/bin/tests/system/statistics/prereq.sh
new file mode 100644
index 0000000..221138f
--- /dev/null
+++ b/bin/tests/system/statistics/prereq.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if $PERL -e 'use Net::DNS;' 2>/dev/null
+then
+    if $PERL -e 'use Net::DNS; die if ($Net::DNS::VERSION >= 0.76 && $Net::DNS::VERSION <= 0.77);' 2>/dev/null
+    then
+        :
+    else
+        echo_i "Net::DNS version 0.76 and 0.77 have a bug that causes this test to fail: please update." >&2
+        exit 1
+    fi
+else
+    echo_i "This test requires the Net::DNS library." >&2
+    exit 1
+fi
diff --git a/bin/tests/system/statistics/setup.sh b/bin/tests/system/statistics/setup.sh
new file mode 100644
index 0000000..57e0575
--- /dev/null
+++ b/bin/tests/system/statistics/setup.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
diff --git a/bin/tests/system/statistics/tests.sh b/bin/tests/system/statistics/tests.sh
new file mode 100644
index 0000000..5e0b237
--- /dev/null
+++ b/bin/tests/system/statistics/tests.sh
@@ -0,0 +1,280 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd"
+DIGCMD="$DIG $DIGOPTS -p ${PORT}"
+RNDCCMD="$RNDC -p ${CONTROLPORT} -c ../common/rndc.conf"
+
+status=0
+
+ret=0
+n=1
+stats=0
+rndc_stats() {
+	_ns=$1
+	_ip=$2
+
+	$RNDCCMD -s $_ip stats > /dev/null 2>&1 || return 1
+	[ -f "${_ns}/named.stats" ] || return 1
+
+	last_stats=named.stats.$_ns-$stats-$n
+	mv ${_ns}/named.stats $last_stats
+	stats=$((stats+1))
+}
+
+echo_i "fetching a.example from ns2's initial configuration ($n)"
+$DIGCMD +noauth a.example. @10.53.0.2 any > dig.out.ns2.1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+ret=0
+echo_i "dumping initial stats for ns2 ($n)"
+rndc_stats ns2 10.53.0.2 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+ret=0
+echo_i "verifying adb records in named.stats ($n)"
+grep "ADB stats" $last_stats > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+echo_i "checking for 1 entry in adb hash table in named.stats ($n)"
+grep "1 Addresses in hash table" $last_stats > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+ret=0
+echo_i "verifying cache statistics in named.stats ($n)"
+grep "Cache Statistics" $last_stats > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+ret=0
+echo_i "checking for 2 entries in adb hash table in named.stats ($n)"
+$DIGCMD a.example.info. @10.53.0.2 any > /dev/null 2>&1
+rndc_stats ns2 10.53.0.2 || ret=1
+grep "2 Addresses in hash table" $last_stats > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+ret=0
+echo_i "dumping initial stats for ns3 ($n)"
+rndc_stats ns3 10.53.0.3 || ret=1
+if [ ! "$CYGWIN" ]; then
+    nsock0nstat=`grep "UDP/IPv4 sockets active" $last_stats | awk '{print $1}'`
+    [ 0 -ne ${nsock0nstat:-0} ] || ret=1
+fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+echo_i "sending queries to ns3"
+$DIGCMD +tries=2 +time=1 +recurse @10.53.0.3 foo.info. any > /dev/null 2>&1
+
+ret=0
+echo_i "dumping updated stats for ns3 ($n)"
+getstats() {
+    rndc_stats ns3 10.53.0.3 || return 1
+    grep "2 recursing clients" $last_stats > /dev/null || return 1
+}
+retry_quiet 5 getstats || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+ret=0
+echo_i "verifying recursing clients output in named.stats ($n)"
+grep "2 recursing clients" $last_stats > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+ret=0
+echo_i "verifying active fetches output in named.stats ($n)"
+grep "1 active fetches" $last_stats > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+if [ ! "$CYGWIN" ]; then
+    ret=0
+    echo_i "verifying active sockets output in named.stats ($n)"
+    nsock1nstat=`grep "UDP/IPv4 sockets active" $last_stats | awk '{print $1}'`
+    [ `expr ${nsock1nstat:-0} - ${nsock0nstat:-0}` -eq 1 ] || ret=1
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=`expr $status + $ret`
+    n=`expr $n + 1`
+fi
+
+# there should be 1 UDP and no TCP queries.  As the TCP counter is zero
+# no status line is emitted.
+ret=0
+echo_i "verifying queries in progress in named.stats ($n)"
+grep "1 UDP queries in progress" $last_stats > /dev/null || ret=1
+grep "TCP queries in progress" $last_stats > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+ret=0
+echo_i "verifying bucket size output ($n)"
+grep "bucket size" $last_stats > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+ret=0
+echo_i "checking priming queries are counted ($n)"
+grep "priming queries" $last_stats > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+ret=0
+echo_i "checking that zones with slash are properly shown in XML output ($n)"
+if $FEATURETEST --have-libxml2 && [ -x ${CURL} ] ; then
+    ${CURL} http://10.53.0.1:${EXTRAPORT1}/xml/v3/zones > curl.out.${n} 2>/dev/null || ret=1
+    grep '<zone name="32/1.0.0.127-in-addr.example" rdataclass="IN">' curl.out.${n} > /dev/null || ret=1
+else
+    echo_i "skipping test as libxml2 and/or curl was not found"
+fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+ret=0
+echo_i "checking that zones return their type ($n)"
+if $FEATURETEST --have-libxml2 && [ -x ${CURL} ] ; then
+    ${CURL} http://10.53.0.1:${EXTRAPORT1}/xml/v3/zones > curl.out.${n} 2>/dev/null || ret=1
+    grep '<zone name="32/1.0.0.127-in-addr.example" rdataclass="IN"><type>master</type>' curl.out.${n} > /dev/null || ret=1
+else
+    echo_i "skipping test as libxml2 and/or curl was not found"
+fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+ret=0
+echo_i "checking bind9.xsl vs xml ($n)"
+if $FEATURETEST --have-libxml2 && [ -x "${CURL}" ] && [ -x "${XSLTPROC}" ]  ; then
+    $DIGCMD +notcp +recurse @10.53.0.3 soa . > /dev/null 2>&1
+    $DIGCMD +notcp +recurse @10.53.0.3 soa example > /dev/null 2>&1
+    ${CURL} http://10.53.0.3:${EXTRAPORT1}/xml/v3 > curl.out.${n}.xml 2>/dev/null || ret=1
+    ${CURL} http://10.53.0.3:${EXTRAPORT1}/bind9.xsl > curl.out.${n}.xsl 2>/dev/null || ret=1
+    ${XSLTPROC} curl.out.${n}.xsl - < curl.out.${n}.xml > xsltproc.out.${n} 2>/dev/null || ret=1
+    cp curl.out.${n}.xml stats.xml.out || ret=1
+
+    #
+    # grep for expected sections.
+    #
+    grep "<h1>ISC Bind 9 Configuration and Statistics</h1>" xsltproc.out.${n} >/dev/null || ret=1
+    grep "<h2>Server Status</h2>" xsltproc.out.${n} >/dev/null || ret=1
+    grep "<h2>Incoming Requests by DNS Opcode</h2>" xsltproc.out.${n} >/dev/null || ret=1
+    grep "<h3>Incoming Queries by Query Type</h3>" xsltproc.out.${n} >/dev/null || ret=1
+    grep "<h2>Outgoing Queries per view</h2>" xsltproc.out.${n} >/dev/null || ret=1
+    grep "<h3>View " xsltproc.out.${n} >/dev/null || ret=1
+    grep "<h2>Server Statistics</h2>" xsltproc.out.${n} >/dev/null || ret=1
+    grep "<h2>Zone Maintenance Statistics</h2>" xsltproc.out.${n} >/dev/null || ret=1
+    grep "<h2>Resolver Statistics (Common)</h2>" xsltproc.out.${n} >/dev/null || ret=1
+    grep "<h3>Resolver Statistics for View " xsltproc.out.${n} >/dev/null || ret=1
+    grep "<h3>ADB Statistics for View " xsltproc.out.${n} >/dev/null || ret=1
+    grep "<h3>Cache Statistics for View " xsltproc.out.${n} >/dev/null || ret=1
+    # grep "<h3>Cache DB RRsets for View " xsltproc.out.${n} >/dev/null || ret=1
+    grep "<h2>Traffic Size Statistics</h2>" xsltproc.out.${n} >/dev/null || ret=1
+    grep "<h4>UDP Requests Received</h4>" xsltproc.out.${n} >/dev/null || ret=1
+    grep "<h4>UDP Responses Sent</h4>" xsltproc.out.${n} >/dev/null || ret=1
+    grep "<h4>TCP Requests Received</h4>" xsltproc.out.${n} >/dev/null || ret=1
+    grep "<h4>TCP Responses Sent</h4>" xsltproc.out.${n} >/dev/null || ret=1
+    grep "<h2>Socket I/O Statistics</h2>" xsltproc.out.${n} >/dev/null || ret=1
+    grep "<h3>Zones for View " xsltproc.out.${n} >/dev/null || ret=1
+    grep "<h2>Received QTYPES per view/zone</h2>" xsltproc.out.${n} >/dev/null || ret=1
+    grep "<h3>View _default" xsltproc.out.${n} >/dev/null || ret=1
+    grep "<h4>Zone example" xsltproc.out.${n} >/dev/null || ret=1
+    grep "<h2>Response Codes per view/zone</h2>" xsltproc.out.${n} >/dev/null || ret=1
+    grep "<h3>View _default" xsltproc.out.${n} >/dev/null || ret=1
+    grep "<h4>Zone example" xsltproc.out.${n} >/dev/null || ret=1
+    # grep "<h2>Glue cache statistics</h2>" xsltproc.out.${n} >/dev/null || ret=1
+    grep "<h3>View _default" xsltproc.out.${n} >/dev/null || ret=1
+    grep "<h4>Zone example" xsltproc.out.${n} >/dev/null || ret=1
+    grep "<h2>Network Status</h2>" xsltproc.out.${n} >/dev/null || ret=1
+    grep "<h2>Task Manager Configuration</h2>" xsltproc.out.${n} >/dev/null || ret=1
+    grep "<h2>Tasks</h2>" xsltproc.out.${n} >/dev/null || ret=1
+    grep "<h2>Memory Usage Summary</h2>" xsltproc.out.${n} >/dev/null || ret=1
+    grep "<h2>Memory Contexts</h2>" xsltproc.out.${n} >/dev/null || ret=1
+else
+    echo_i "skipping test as libxml2 and/or curl and/or xsltproc was not found"
+fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+ret=0
+echo_i "checking bind9.xml socket statistics ($n)"
+if $FEATURETEST --have-libxml2 && [ -x "${CURL}" ] && [ -x "${XSLTPROC}" ]  ; then
+    # Socket statistics (expect no errors)
+    grep "<counter name=\"TCP4AcceptFail\">0</counter>" stats.xml.out >/dev/null || ret=1
+    grep "<counter name=\"TCP4BindFail\">0</counter>" stats.xml.out >/dev/null || ret=1
+    grep "<counter name=\"TCP4ConnFail\">0</counter>" stats.xml.out >/dev/null || ret=1
+    grep "<counter name=\"TCP4OpenFail\">0</counter>" stats.xml.out >/dev/null || ret=1
+    grep "<counter name=\"TCP4RecvErr\">0</counter>" stats.xml.out >/dev/null || ret=1
+    grep "<counter name=\"TCP4SendErr\">0</counter>" stats.xml.out >/dev/null || ret=1
+
+    grep "<counter name=\"TCP6AcceptFail\">0</counter>" stats.xml.out >/dev/null || ret=1
+    grep "<counter name=\"TCP6BindFail\">0</counter>" stats.xml.out >/dev/null || ret=1
+    grep "<counter name=\"TCP6ConnFail\">0</counter>" stats.xml.out >/dev/null || ret=1
+    grep "<counter name=\"TCP6OpenFail\">0</counter>" stats.xml.out >/dev/null || ret=1
+    grep "<counter name=\"TCP6RecvErr\">0</counter>" stats.xml.out >/dev/null || ret=1
+    grep "<counter name=\"TCP6SendErr\">0</counter>" stats.xml.out >/dev/null || ret=1
+else
+    echo_i "skipping test as libxml2 and/or curl and/or xsltproc was not found"
+fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+echo_i "Check that 'zone-statistics full;' is processed by 'rndc reconfig' ($n)"
+ret=0
+# off by default
+rndc_stats ns2 10.53.0.2 || ret=1
+sed -n '/Per Zone Query Statistics/,/^++/p' $last_stats | grep -F '[example]' > /dev/null && ret=0
+# turn on
+copy_setports ns2/named2.conf.in ns2/named.conf
+rndc_reconfig ns2 10.53.0.2
+rndc_stats ns2 10.53.0.2 || ret=1
+sed -n '/Per Zone Query Statistics/,/^++/p' $last_stats | grep -F '[example]' > /dev/null || ret=1
+# turn off
+copy_setports ns2/named.conf.in ns2/named.conf
+rndc_reconfig ns2 10.53.0.2
+rndc_stats ns2 10.53.0.2 || ret=1
+sed -n '/Per Zone Query Statistics/,/^++/p' $last_stats | grep -F '[example]' > /dev/null && ret=0
+# turn on
+copy_setports ns2/named2.conf.in ns2/named.conf
+rndc_reconfig ns2 10.53.0.2
+rndc_stats ns2 10.53.0.2 || ret=1
+sed -n '/Per Zone Query Statistics/,/^++/p' $last_stats | grep -F '[example]' > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/statschannel/clean.sh b/bin/tests/system/statschannel/clean.sh
new file mode 100644
index 0000000..5ad2a2c
--- /dev/null
+++ b/bin/tests/system/statschannel/clean.sh
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f compressed.headers regular.headers compressed.out regular.out
+rm -f dig.out*
+rm -f ns*/managed-keys.bind*
+rm -f ns*/named.conf
+rm -f ns*/named.lock
+rm -f ns*/named.memstats
+rm -f ns*/named.run*
+rm -f ns*/named.stats
+rm -f ns*/signzone.out.*
+rm -f ns2/*.db.signed* ns2/dsset-*. ns2/*.jbk
+rm -f ns2/Kdnssec* ns2/dnssec.*.id
+rm -f ns2/Kmanykeys* ns2/manykeys.*.id
+rm -f ns2/dnssec.db.signed* ns2/dsset-dnssec.
+rm -f ns3/*.db
+rm -f traffic traffic.out.* traffic.json.* traffic.xml.*
+rm -f xml.*mem json.*mem
+rm -f xml.*stats json.*stats
+rm -f zones zones.out.* zones.json.* zones.xml.* zones.expect.*
+rm -rf ./__pycache__
diff --git a/bin/tests/system/statschannel/conftest.py b/bin/tests/system/statschannel/conftest.py
new file mode 100644
index 0000000..363dd7a
--- /dev/null
+++ b/bin/tests/system/statschannel/conftest.py
@@ -0,0 +1,25 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import os
+import pytest
+
+
+@pytest.fixture
+def statsport(request):
+    # pylint: disable=unused-argument
+    env_port = os.getenv("EXTRAPORT1")
+    if env_port is None:
+        env_port = 5301
+    else:
+        env_port = int(env_port)
+
+    return env_port
diff --git a/bin/tests/system/statschannel/fetch.pl b/bin/tests/system/statschannel/fetch.pl
new file mode 100644
index 0000000..b09ed54
--- /dev/null
+++ b/bin/tests/system/statschannel/fetch.pl
@@ -0,0 +1,43 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# fetch.pl:
+# Simple script to fetch HTTP content from the statistics channel
+# of a BIND server. Fetches the full XML stats from 10.53.0.2 port
+# 8853 by default; these can be overridden by command line arguments.
+
+use File::Fetch;
+use Getopt::Std;
+
+sub usage {
+    print ("Usage: fetch.pl [-s address] [-p port] [path]\n");
+    exit 1;
+}
+
+my %options={};
+getopts("s:p:", \%options);
+
+my $addr = "10.53.0.2";
+$addr = $options{s} if defined $options{s};
+
+my $path = 'xml/v3';
+if (@ARGV >= 1) {
+    $path = shift @ARGV;
+}
+
+my $port = 8853;
+$port = $options{p} if defined $options{p};
+
+my $ff = File::Fetch->new(uri => "http://$addr:$port/$path");
+my $file = $ff->fetch() or die $ff->error;
+print ("$file\n");
diff --git a/bin/tests/system/statschannel/generic.py b/bin/tests/system/statschannel/generic.py
new file mode 100644
index 0000000..5ff09e2
--- /dev/null
+++ b/bin/tests/system/statschannel/generic.py
@@ -0,0 +1,106 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+from datetime import datetime, timedelta
+import os
+
+
+# ISO datetime format without msec
+fmt = "%Y-%m-%dT%H:%M:%SZ"
+
+# The constants were taken from BIND 9 source code (lib/dns/zone.c)
+max_refresh = timedelta(seconds=2419200)  # 4 weeks
+max_expires = timedelta(seconds=14515200)  # 24 weeks
+now = datetime.utcnow().replace(microsecond=0)
+dayzero = datetime.utcfromtimestamp(0).replace(microsecond=0)
+
+
+# Generic helper functions
+def check_expires(expires, min_time, max_time):
+    assert expires >= min_time
+    assert expires <= max_time
+
+
+def check_refresh(refresh, min_time, max_time):
+    assert refresh >= min_time
+    assert refresh <= max_time
+
+
+def check_loaded(loaded, expected):
+    # Sanity check the zone timers values
+    assert loaded == expected
+    assert loaded < now
+
+
+def check_zone_timers(loaded, expires, refresh, loaded_exp):
+    # Sanity checks the zone timers values
+    if expires is not None:
+        check_expires(expires, now, now + max_expires)
+    if refresh is not None:
+        check_refresh(refresh, now, now + max_refresh)
+    check_loaded(loaded, loaded_exp)
+
+
+#
+# The output is gibberish, but at least make sure it does not crash.
+#
+def check_manykeys(name, zone=None):
+    # pylint: disable=unused-argument
+    assert name == "manykeys"
+
+
+def zone_mtime(zonedir, name):
+    try:
+        si = os.stat(os.path.join(zonedir, "{}.db".format(name)))
+    except FileNotFoundError:
+        return dayzero
+
+    mtime = datetime.utcfromtimestamp(si.st_mtime).replace(microsecond=0)
+
+    return mtime
+
+
+def test_zone_timers_primary(fetch_zones, load_timers, **kwargs):
+    statsip = kwargs["statsip"]
+    statsport = kwargs["statsport"]
+    zonedir = kwargs["zonedir"]
+
+    zones = fetch_zones(statsip, statsport)
+
+    for zone in zones:
+        (name, loaded, expires, refresh) = load_timers(zone, True)
+        mtime = zone_mtime(zonedir, name)
+        check_zone_timers(loaded, expires, refresh, mtime)
+
+
+def test_zone_timers_secondary(fetch_zones, load_timers, **kwargs):
+    statsip = kwargs["statsip"]
+    statsport = kwargs["statsport"]
+    zonedir = kwargs["zonedir"]
+
+    zones = fetch_zones(statsip, statsport)
+
+    for zone in zones:
+        (name, loaded, expires, refresh) = load_timers(zone, False)
+        mtime = zone_mtime(zonedir, name)
+        check_zone_timers(loaded, expires, refresh, mtime)
+
+
+def test_zone_with_many_keys(fetch_zones, load_zone, **kwargs):
+    statsip = kwargs["statsip"]
+    statsport = kwargs["statsport"]
+
+    zones = fetch_zones(statsip, statsport)
+
+    for zone in zones:
+        name = load_zone(zone)
+        if name == "manykeys":
+            check_manykeys(name)
diff --git a/bin/tests/system/statschannel/generic_dnspython.py b/bin/tests/system/statschannel/generic_dnspython.py
new file mode 100644
index 0000000..34a0398
--- /dev/null
+++ b/bin/tests/system/statschannel/generic_dnspython.py
@@ -0,0 +1,128 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+from collections import defaultdict
+
+import dns.message
+import dns.query
+import dns.rcode
+
+
+TIMEOUT = 10
+
+
+def create_msg(qname, qtype):
+    msg = dns.message.make_query(
+        qname, qtype, want_dnssec=True, use_edns=0, payload=4096
+    )
+
+    return msg
+
+
+def udp_query(ip, port, msg):
+    ans = dns.query.udp(msg, ip, TIMEOUT, port=port)
+    assert ans.rcode() == dns.rcode.NOERROR
+
+    return ans
+
+
+def tcp_query(ip, port, msg):
+    ans = dns.query.tcp(msg, ip, TIMEOUT, port=port)
+    assert ans.rcode() == dns.rcode.NOERROR
+
+    return ans
+
+
+def create_expected(data):
+    expected = {
+        "dns-tcp-requests-sizes-received-ipv4": defaultdict(int),
+        "dns-tcp-responses-sizes-sent-ipv4": defaultdict(int),
+        "dns-tcp-requests-sizes-received-ipv6": defaultdict(int),
+        "dns-tcp-responses-sizes-sent-ipv6": defaultdict(int),
+        "dns-udp-requests-sizes-received-ipv4": defaultdict(int),
+        "dns-udp-requests-sizes-received-ipv6": defaultdict(int),
+        "dns-udp-responses-sizes-sent-ipv4": defaultdict(int),
+        "dns-udp-responses-sizes-sent-ipv6": defaultdict(int),
+    }
+
+    for k, v in data.items():
+        for kk, vv in v.items():
+            expected[k][kk] += vv
+
+    return expected
+
+
+def update_expected(expected, key, msg):
+    msg_len = len(msg.to_wire())
+    bucket_num = (msg_len // 16) * 16
+    bucket = "{}-{}".format(bucket_num, bucket_num + 15)
+
+    expected[key][bucket] += 1
+
+
+def check_traffic(data, expected):
+    def ordered(obj):
+        if isinstance(obj, dict):
+            return sorted((k, ordered(v)) for k, v in obj.items())
+        if isinstance(obj, list):
+            return sorted(ordered(x) for x in obj)
+        return obj
+
+    ordered_data = ordered(data)
+    ordered_expected = ordered(expected)
+
+    assert len(ordered_data) == 8
+    assert len(ordered_expected) == 8
+    assert len(data) == len(ordered_data)
+    assert len(expected) == len(ordered_expected)
+
+    assert ordered_data == ordered_expected
+
+
+def test_traffic(fetch_traffic, **kwargs):
+    statsip = kwargs["statsip"]
+    statsport = kwargs["statsport"]
+    port = kwargs["port"]
+
+    data = fetch_traffic(statsip, statsport)
+    exp = create_expected(data)
+
+    msg = create_msg("short.example.", "TXT")
+    update_expected(exp, "dns-udp-requests-sizes-received-ipv4", msg)
+    ans = udp_query(statsip, port, msg)
+    update_expected(exp, "dns-udp-responses-sizes-sent-ipv4", ans)
+    data = fetch_traffic(statsip, statsport)
+
+    check_traffic(data, exp)
+
+    msg = create_msg("long.example.", "TXT")
+    update_expected(exp, "dns-udp-requests-sizes-received-ipv4", msg)
+    ans = udp_query(statsip, port, msg)
+    update_expected(exp, "dns-udp-responses-sizes-sent-ipv4", ans)
+    data = fetch_traffic(statsip, statsport)
+
+    check_traffic(data, exp)
+
+    msg = create_msg("short.example.", "TXT")
+    update_expected(exp, "dns-tcp-requests-sizes-received-ipv4", msg)
+    ans = tcp_query(statsip, port, msg)
+    update_expected(exp, "dns-tcp-responses-sizes-sent-ipv4", ans)
+    data = fetch_traffic(statsip, statsport)
+
+    check_traffic(data, exp)
+
+    msg = create_msg("long.example.", "TXT")
+    update_expected(exp, "dns-tcp-requests-sizes-received-ipv4", msg)
+    ans = tcp_query(statsip, port, msg)
+    update_expected(exp, "dns-tcp-responses-sizes-sent-ipv4", ans)
+    data = fetch_traffic(statsip, statsport)
+
+    check_traffic(data, exp)
diff --git a/bin/tests/system/statschannel/mem-xml.pl b/bin/tests/system/statschannel/mem-xml.pl
new file mode 100644
index 0000000..4483aae
--- /dev/null
+++ b/bin/tests/system/statschannel/mem-xml.pl
@@ -0,0 +1,21 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# server-xml.pl:
+# Parses the XML version of the server stats into a normalized format.
+
+use XML::Simple;
+use Data::Dumper;
+
+my $ref = XMLin("xml.mem");
+print Dumper($ref);
diff --git a/bin/tests/system/statschannel/ns1/example.db b/bin/tests/system/statschannel/ns1/example.db
new file mode 100644
index 0000000..5c2635e
--- /dev/null
+++ b/bin/tests/system/statschannel/ns1/example.db
@@ -0,0 +1,49 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300	; 5 minutes
+example			IN SOA	mname1. . (
+				1          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+example.		NS	ns2.example.
+ns2.example.		A	10.53.0.2
+
+$ORIGIN example.
+a			A	10.0.0.1
+			MX	10 mail.example.
+short                   TXT     "short text"
+long                    TXT     (
+                                  "longlonglonglonglonglonglonglonglonglong"
+                                  "longlonglonglonglonglonglonglonglonglong"
+                                  "longlonglonglonglonglonglonglonglonglong"
+                                  "longlonglonglonglonglonglonglonglonglong"
+                                  "longlonglonglonglonglonglonglonglonglong"
+                                  "longlonglonglonglonglonglonglonglonglong"
+                                  "longlonglonglonglonglonglonglonglonglong"
+                                  "longlonglonglonglonglonglonglonglonglong"
+                                  "longlonglonglonglonglonglonglonglonglong"
+                                  "longlonglonglonglonglonglonglonglonglong"
+                                  "longlonglonglonglonglonglonglonglonglong"
+                                  "longlonglonglonglonglonglonglonglonglong"
+                                  "longlonglonglonglonglonglonglonglonglong"
+                                  "longlonglonglonglonglonglonglonglonglong"
+                                  "longlonglonglonglonglonglonglonglonglong"
+                                  "longlonglonglonglonglonglonglonglonglong"
+                                  "longlonglonglonglonglonglonglonglonglong"
+                                  "longlonglonglonglonglonglonglonglonglong"
+                                )
+
+mail			A	10.0.0.2
diff --git a/bin/tests/system/statschannel/ns1/named.conf.in b/bin/tests/system/statschannel/ns1/named.conf.in
new file mode 100644
index 0000000..04ead33
--- /dev/null
+++ b/bin/tests/system/statschannel/ns1/named.conf.in
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify explicit;
+	minimal-responses no;
+	version none;  // make statistics independent of the version number
+};
+
+statistics-channels { inet 10.53.0.1 port @EXTRAPORT1@ allow { localhost; }; };
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+	allow-transfer { any; };
+};
diff --git a/bin/tests/system/statschannel/ns2/dnssec.db.in b/bin/tests/system/statschannel/ns2/dnssec.db.in
new file mode 100644
index 0000000..90ae166
--- /dev/null
+++ b/bin/tests/system/statschannel/ns2/dnssec.db.in
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300
+
+dnssec.			IN SOA	mname1. . (
+				1          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+dnssec.			NS	ns2.dnssec.
+ns2.dnssec.		A	10.53.0.2
+
+$ORIGIN dnssec.
+a			A	10.0.0.1
+			MX	10 mail.dnssec.
+mail			A	10.0.0.2
diff --git a/bin/tests/system/statschannel/ns2/example.db b/bin/tests/system/statschannel/ns2/example.db
new file mode 100644
index 0000000..5c2635e
--- /dev/null
+++ b/bin/tests/system/statschannel/ns2/example.db
@@ -0,0 +1,49 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300	; 5 minutes
+example			IN SOA	mname1. . (
+				1          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+example.		NS	ns2.example.
+ns2.example.		A	10.53.0.2
+
+$ORIGIN example.
+a			A	10.0.0.1
+			MX	10 mail.example.
+short                   TXT     "short text"
+long                    TXT     (
+                                  "longlonglonglonglonglonglonglonglonglong"
+                                  "longlonglonglonglonglonglonglonglonglong"
+                                  "longlonglonglonglonglonglonglonglonglong"
+                                  "longlonglonglonglonglonglonglonglonglong"
+                                  "longlonglonglonglonglonglonglonglonglong"
+                                  "longlonglonglonglonglonglonglonglonglong"
+                                  "longlonglonglonglonglonglonglonglonglong"
+                                  "longlonglonglonglonglonglonglonglonglong"
+                                  "longlonglonglonglonglonglonglonglonglong"
+                                  "longlonglonglonglonglonglonglonglonglong"
+                                  "longlonglonglonglonglonglonglonglonglong"
+                                  "longlonglonglonglonglonglonglonglonglong"
+                                  "longlonglonglonglonglonglonglonglonglong"
+                                  "longlonglonglonglonglonglonglonglonglong"
+                                  "longlonglonglonglonglonglonglonglonglong"
+                                  "longlonglonglonglonglonglonglonglonglong"
+                                  "longlonglonglonglonglonglonglonglonglong"
+                                  "longlonglonglonglonglonglonglonglonglong"
+                                )
+
+mail			A	10.0.0.2
diff --git a/bin/tests/system/statschannel/ns2/manykeys.db.in b/bin/tests/system/statschannel/ns2/manykeys.db.in
new file mode 100644
index 0000000..3281a39
--- /dev/null
+++ b/bin/tests/system/statschannel/ns2/manykeys.db.in
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300
+
+manykeys.			IN SOA	mname1. . (
+				1          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+manykeys.			NS	ns2.manykeys.
+ns2.manykeys.		A	10.53.0.2
+
+$ORIGIN manykeys.
+a			A	10.0.0.1
+			MX	10 mail.manykeys.
+mail			A	10.0.0.2
diff --git a/bin/tests/system/statschannel/ns2/named.conf.in b/bin/tests/system/statschannel/ns2/named.conf.in
new file mode 100644
index 0000000..fd25fff
--- /dev/null
+++ b/bin/tests/system/statschannel/ns2/named.conf.in
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify no;
+	minimal-responses no;
+	version none;  // make statistics independent of the version number
+};
+
+statistics-channels { inet 10.53.0.2 port @EXTRAPORT1@ allow { localhost; }; };
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+dnssec-policy "manykeys" {
+	keys {
+		ksk lifetime unlimited algorithm 8;
+		zsk lifetime unlimited algorithm 8;
+		ksk lifetime unlimited algorithm 13;
+		zsk lifetime unlimited algorithm 13;
+		ksk lifetime unlimited algorithm 14;
+		zsk lifetime unlimited algorithm 14;
+	};
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+	allow-transfer { any; };
+};
+
+zone "dnssec" {
+	type primary;
+	file "dnssec.db.signed";
+	auto-dnssec maintain;
+	allow-update { any; };
+	zone-statistics full;
+	dnssec-dnskey-kskonly yes;
+	update-check-ksk yes;
+};
+
+zone "manykeys" {
+	type primary;
+	file "manykeys.db.signed";
+	allow-update { any; };
+	zone-statistics full;
+	dnssec-policy "manykeys";
+};
diff --git a/bin/tests/system/statschannel/ns2/named2.conf.in b/bin/tests/system/statschannel/ns2/named2.conf.in
new file mode 100644
index 0000000..d45f9f5
--- /dev/null
+++ b/bin/tests/system/statschannel/ns2/named2.conf.in
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify no;
+	minimal-responses no;
+	version none;  // make statistics independent of the version number
+};
+
+statistics-channels { inet 10.53.0.2 port @EXTRAPORT1@ allow { localhost; }; };
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+dnssec-policy "manykeys" {
+	keys {
+		ksk lifetime unlimited algorithm 8;
+		zsk lifetime unlimited algorithm 8;
+	};
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+	allow-transfer { any; };
+};
+
+zone "dnssec" {
+	type primary;
+	file "dnssec.db.signed";
+	auto-dnssec maintain;
+	allow-update { any; };
+	zone-statistics full;
+	dnssec-dnskey-kskonly yes;
+	update-check-ksk yes;
+};
+
+zone "manykeys" {
+	type primary;
+	file "manykeys.db.signed";
+	allow-update { any; };
+	zone-statistics full;
+	dnssec-policy "manykeys";
+};
diff --git a/bin/tests/system/statschannel/ns2/sign.sh b/bin/tests/system/statschannel/ns2/sign.sh
new file mode 100644
index 0000000..ab23550
--- /dev/null
+++ b/bin/tests/system/statschannel/ns2/sign.sh
@@ -0,0 +1,45 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+zone=dnssec.
+infile=dnssec.db.in
+zonefile=dnssec.db.signed
+ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+# Sign deliberately with a very short expiration date.
+"$SIGNER" -P -S -x -O full -e "now"+1s -o "$zone" -f "$zonefile" "$infile" > "signzone.out.$zone" 2>&1
+keyfile_to_key_id "$ksk" > dnssec.ksk.id
+keyfile_to_key_id "$zsk" > dnssec.zsk.id
+
+zone=manykeys.
+infile=manykeys.db.in
+zonefile=manykeys.db.signed
+ksk8=$("$KEYGEN" -q -a RSASHA256 -b 2048 -f KSK "$zone")
+zsk8=$("$KEYGEN" -q -a RSASHA256 -b 2048 "$zone")
+ksk13=$("$KEYGEN" -q -a ECDSAP256SHA256 -b 256 -f KSK "$zone")
+zsk13=$("$KEYGEN" -q -a ECDSAP256SHA256 -b 256 "$zone")
+ksk14=$("$KEYGEN" -q -a ECDSAP384SHA384 -b 384 -f KSK "$zone")
+zsk14=$("$KEYGEN" -q -a ECDSAP384SHA384 -b 384 "$zone")
+# Sign deliberately with a very short expiration date.
+"$SIGNER" -S -x -O full -e "now"+1s -o "$zone" -f "$zonefile" "$infile" > "signzone.out.$zone" 2>&1
+keyfile_to_key_id "$ksk8" > manykeys.ksk8.id
+keyfile_to_key_id "$zsk8" > manykeys.zsk8.id
+keyfile_to_key_id "$ksk13" > manykeys.ksk13.id
+keyfile_to_key_id "$zsk13" > manykeys.zsk13.id
+keyfile_to_key_id "$ksk14" > manykeys.ksk14.id
+keyfile_to_key_id "$zsk14" > manykeys.zsk14.id
diff --git a/bin/tests/system/statschannel/ns3/named.conf.in b/bin/tests/system/statschannel/ns3/named.conf.in
new file mode 100644
index 0000000..5f08c3f
--- /dev/null
+++ b/bin/tests/system/statschannel/ns3/named.conf.in
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify no;
+	minimal-responses no;
+	version none;  // make statistics independent of the version number
+};
+
+statistics-channels { inet 10.53.0.3 port @EXTRAPORT1@ allow { localhost; }; };
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "example" {
+	type secondary;
+	file "example.db";
+	primaries { 10.53.0.1; };
+};
diff --git a/bin/tests/system/statschannel/prereq.sh b/bin/tests/system/statschannel/prereq.sh
new file mode 100644
index 0000000..4f8a444
--- /dev/null
+++ b/bin/tests/system/statschannel/prereq.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+fail=0
+
+if $PERL -e 'use File::Fetch;' 2>/dev/null
+then
+        :
+else
+    echo_i "This test requires the File::Fetch library." >&2
+    fail=1
+fi
+
+exit $fail
diff --git a/bin/tests/system/statschannel/server-json.pl b/bin/tests/system/statschannel/server-json.pl
new file mode 100644
index 0000000..3715318
--- /dev/null
+++ b/bin/tests/system/statschannel/server-json.pl
@@ -0,0 +1,35 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# server-json.pl:
+# Parses the JSON version of the server stats into a normalized format.
+
+use JSON;
+
+open(INPUT, "<json.stats");
+my $text = do{local$/;<INPUT>};
+close(INPUT);
+
+my $ref = decode_json($text);
+foreach $key (keys %{$ref->{opcodes}}) {
+    print "opcode " . $key . ": " . $ref->{opcodes}->{$key} . "\n";
+}
+foreach $key (keys %{$ref->{rcodes}}) {
+    print "rcode " . $key . ": " . $ref->{rcodes}->{$key} . "\n";
+}
+foreach $key (keys %{$ref->{qtypes}}) {
+    print "qtype " . $key . ": " . $ref->{qtypes}->{$key} . "\n";
+}
+foreach $key (keys %{$ref->{nsstats}}) {
+    print "nsstat " . $key . ": " . $ref->{nsstats}->{$key} . "\n";
+}
diff --git a/bin/tests/system/statschannel/server-xml.pl b/bin/tests/system/statschannel/server-xml.pl
new file mode 100644
index 0000000..5f76360
--- /dev/null
+++ b/bin/tests/system/statschannel/server-xml.pl
@@ -0,0 +1,25 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# server-xml.pl:
+# Parses the XML version of the server stats into a normalized format.
+
+use XML::Simple;
+
+my $ref = XMLin("xml.stats");
+my $counters = $ref->{server}->{counters};
+foreach $group (@$counters) {
+    foreach $key (keys %{$group->{counter}}) {
+        print $group->{type} . " " . $key . ": ". $group->{counter}->{$key}->{content} . "\n";
+    }
+}
diff --git a/bin/tests/system/statschannel/setup.sh b/bin/tests/system/statschannel/setup.sh
new file mode 100644
index 0000000..4ebc39b
--- /dev/null
+++ b/bin/tests/system/statschannel/setup.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+for conf in ns*/named.conf.in; do
+    copy_setports "$conf" "$(dirname "$conf")/$(basename "$conf" .in)"
+done
+
+(cd ns2 && $SHELL sign.sh)
diff --git a/bin/tests/system/statschannel/tests.sh b/bin/tests/system/statschannel/tests.sh
new file mode 100644
index 0000000..0480b01
--- /dev/null
+++ b/bin/tests/system/statschannel/tests.sh
@@ -0,0 +1,392 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+DIGCMD="$DIG @10.53.0.2 -p ${PORT}"
+RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
+
+if ! $FEATURETEST --have-json-c
+then
+    unset PERL_JSON
+    echo_i "JSON was not configured; skipping" >&2
+elif $PERL -e 'use JSON;' 2>/dev/null
+then
+    PERL_JSON=1
+else
+    unset PERL_JSON
+    echo_i "JSON tests require JSON library; skipping" >&2
+fi
+
+if ! $FEATURETEST --have-libxml2
+then
+    unset PERL_XML
+    echo_i "XML was not configured; skipping" >&2
+elif $PERL -e 'use XML::Simple;' 2>/dev/null
+then
+    PERL_XML=1
+else
+    unset PERL_XML
+    echo_i "XML tests require XML::Simple; skipping" >&2
+fi
+
+if [ ! "$PERL_JSON" -a ! "$PERL_XML" ]; then
+    echo_i "skipping all tests"
+    exit 0
+fi
+
+
+getzones() {
+    sleep 1
+    echo_i "... using $1"
+    case $1 in
+        xml) path='xml/v3/zones' ;;
+        json) path='json/v1/zones' ;;
+        *) return 1 ;;
+    esac
+    file=`$PERL fetch.pl -p ${EXTRAPORT1} $path`
+    cp $file $file.$1.$3
+    $PERL zones-${1}.pl $file $2 2>/dev/null | sort > zones.out.$3
+    result=$?
+    return $result
+}
+
+# TODO: Move loadkeys_on to conf.sh.common
+loadkeys_on() {
+    nsidx=$1
+    zone=$2
+    nextpart ns${nsidx}/named.run > /dev/null
+    $RNDCCMD 10.53.0.${nsidx} loadkeys ${zone} | sed "s/^/ns${nsidx} /" | cat_i
+    wait_for_log 20 "next key event" ns${nsidx}/named.run
+}
+
+status=0
+n=1
+ret=0
+echo_i "checking consistency between named.stats and xml/json ($n)"
+rm -f ns2/named.stats
+$DIGCMD +tcp example ns > dig.out.$n || ret=1
+$RNDCCMD 10.53.0.2 stats 2>&1 | sed 's/^/I:ns1 /'
+query_count=`awk '/QUERY/ {print $1}' ns2/named.stats`
+txt_count=`awk '/TXT/ {print $1}' ns2/named.stats`
+noerror_count=`awk '/NOERROR/ {print $1}' ns2/named.stats`
+if [ $PERL_XML ]; then
+    file=`$PERL fetch.pl -p ${EXTRAPORT1} xml/v3/server`
+    mv $file xml.stats
+    $PERL server-xml.pl > xml.fmtstats 2> /dev/null
+    xml_query_count=`awk '/opcode QUERY/ { print $NF }' xml.fmtstats`
+    xml_query_count=${xml_query_count:-0}
+    [ "$query_count" -eq "$xml_query_count" ] || ret=1
+    xml_txt_count=`awk '/qtype TXT/ { print $NF }' xml.fmtstats`
+    xml_txt_count=${xml_txt_count:-0}
+    [ "$txt_count" -eq "$xml_txt_count" ] || ret=1
+    xml_noerror_count=`awk '/rcode NOERROR/ { print $NF }' xml.fmtstats`
+    xml_noerror_count=${xml_noerror_count:-0}
+    [ "$noerror_count" -eq "$xml_noerror_count" ] || ret=1
+fi
+if [ $PERL_JSON ]; then
+    file=`$PERL fetch.pl -p ${EXTRAPORT1} json/v1/server`
+    mv $file json.stats
+    $PERL server-json.pl > json.fmtstats 2> /dev/null
+    json_query_count=`awk '/opcode QUERY/ { print $NF }' json.fmtstats`
+    json_query_count=${json_query_count:-0}
+    [ "$query_count" -eq "$json_query_count" ] || ret=1
+    json_txt_count=`awk '/qtype TXT/ { print $NF }' json.fmtstats`
+    json_txt_count=${json_txt_count:-0}
+    [ "$txt_count" -eq "$json_txt_count" ] || ret=1
+    json_noerror_count=`awk '/rcode NOERROR/ { print $NF }' json.fmtstats`
+    json_noerror_count=${json_noerror_count:-0}
+    [ "$noerror_count" -eq "$json_noerror_count" ] || ret=1
+fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+ret=0
+echo_i "checking malloced memory statistics xml/json ($n)"
+if [ $PERL_XML ]; then
+    file=`$PERL fetch.pl -p ${EXTRAPORT1} xml/v3/mem`
+    mv $file xml.mem
+    $PERL mem-xml.pl $file > xml.fmtmem
+    grep "'Malloced' => '[0-9][0-9]*'" xml.fmtmem > /dev/null || ret=1
+    grep "'malloced' => '[0-9][0-9]*'" xml.fmtmem > /dev/null || ret=1
+    grep "'maxmalloced' => '[0-9][0-9]*'" xml.fmtmem > /dev/null || ret=1
+fi
+if [ $PERL_JSON ]; then
+    file=`$PERL fetch.pl -p ${EXTRAPORT1} json/v1/mem`
+    mv $file json.mem
+    grep '"malloced":[0-9][0-9]*,' json.mem > /dev/null || ret=1
+    grep '"maxmalloced":[0-9][0-9]*,' json.mem > /dev/null || ret=1
+    grep '"Malloced":[0-9][0-9]*,' json.mem > /dev/null || ret=1
+fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+echo_i "checking consistency between regular and compressed output ($n)"
+for i in 1 2 3 4 5; do
+	ret=0
+	if $FEATURETEST --have-libxml2;
+	then
+		URL=http://10.53.0.2:${EXTRAPORT1}/xml/v3/server
+		filter_str='s#<current-time>.*</current-time>##g'
+	else
+		URL=http://10.53.0.2:${EXTRAPORT1}/json/v1/server
+		filter_str='s#"current-time.*",##g'
+	fi
+	$CURL -D regular.headers $URL 2>/dev/null | \
+		sed -e "$filter_str" > regular.out
+	$CURL -D compressed.headers --compressed $URL 2>/dev/null | \
+		sed -e "$filter_str" > compressed.out
+	diff regular.out compressed.out >/dev/null || ret=1
+	if [ $ret != 0 ]; then
+		echo_i "failed on try $i, probably a timing issue, trying again"
+		sleep 1
+	else
+		break
+	fi
+done
+
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+ret=0
+echo_i "checking if compressed output is really compressed ($n)"
+if $FEATURETEST --with-zlib;
+then
+    REGSIZE=`cat regular.headers | \
+	grep -i Content-Length | sed -e "s/.*: \([0-9]*\).*/\1/"`
+    COMPSIZE=`cat compressed.headers | \
+	grep -i Content-Length | sed -e "s/.*: \([0-9]*\).*/\1/"`
+    if [ ! `expr $REGSIZE / $COMPSIZE` -gt 2 ]; then
+	ret=1
+    fi
+else
+    echo_i "skipped"
+fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+# Test dnssec sign statistics.
+zone="dnssec"
+sign_prefix="dnssec-sign operations"
+refresh_prefix="dnssec-refresh operations"
+ksk_id=`cat ns2/$zone.ksk.id`
+zsk_id=`cat ns2/$zone.zsk.id`
+
+# Test sign operations for scheduled resigning.
+ret=0
+# The dnssec zone has 10 RRsets to sign (including NSEC) with the ZSK and one
+# RRset (DNSKEY) with the KSK. So starting named with signatures that expire
+# almost right away, this should trigger 10 zsk and 1 ksk sign operations.
+echo "${refresh_prefix} ${zsk_id}: 10" > zones.expect
+echo "${refresh_prefix} ${ksk_id}: 1" >> zones.expect
+echo "${sign_prefix} ${zsk_id}: 10" >> zones.expect
+echo "${sign_prefix} ${ksk_id}: 1" >> zones.expect
+cat zones.expect | sort > zones.expect.$n
+rm -f zones.expect
+# Fetch and check the dnssec sign statistics.
+echo_i "fetching zone '$zone' stats data after zone maintenance at startup ($n)"
+if [ $PERL_XML ]; then
+    getzones xml $zone x$n || ret=1
+    cmp zones.out.x$n zones.expect.$n || ret=1
+fi
+if [ $PERL_JSON ]; then
+    getzones json 0 j$n || ret=1
+    cmp zones.out.j$n zones.expect.$n || ret=1
+fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+# Test sign operations after dynamic update.
+ret=0
+(
+# Update dnssec zone to trigger signature creation.
+echo zone $zone
+echo server 10.53.0.2 "$PORT"
+echo update add $zone. 300 in txt "nsupdate added me"
+echo send
+) | $NSUPDATE
+# This should trigger the resign of SOA, TXT and NSEC (+3 zsk).
+echo "${refresh_prefix} ${zsk_id}: 10" > zones.expect
+echo "${refresh_prefix} ${ksk_id}: 1" >> zones.expect
+echo "${sign_prefix} ${zsk_id}: 13" >> zones.expect
+echo "${sign_prefix} ${ksk_id}: 1" >> zones.expect
+cat zones.expect | sort > zones.expect.$n
+rm -f zones.expect
+# Fetch and check the dnssec sign statistics.
+echo_i "fetching zone '$zone' stats data after dynamic update ($n)"
+if [ $PERL_XML ]; then
+    getzones xml $zone x$n || ret=1
+    cmp zones.out.x$n zones.expect.$n || ret=1
+fi
+if [ $PERL_JSON ]; then
+    getzones json 0 j$n || ret=1
+    cmp zones.out.j$n zones.expect.$n || ret=1
+fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+# Test sign operations of KSK.
+ret=0
+echo_i "fetch zone '$zone' stats data after updating DNSKEY RRset ($n)"
+# Add a standby DNSKEY, this triggers resigning the DNSKEY RRset.
+zsk=$("$KEYGEN" -K ns2 -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+$SETTIME -K ns2 -P now -A never $zsk.key > /dev/null
+loadkeys_on 2 $zone || ret=1
+# This should trigger the resign of SOA (+1 zsk) and DNSKEY (+1 ksk).
+echo "${refresh_prefix} ${zsk_id}: 11" > zones.expect
+echo "${refresh_prefix} ${ksk_id}: 2" >> zones.expect
+echo "${sign_prefix} ${zsk_id}: 14" >> zones.expect
+echo "${sign_prefix} ${ksk_id}: 2" >> zones.expect
+cat zones.expect | sort > zones.expect.$n
+rm -f zones.expect
+# Fetch and check the dnssec sign statistics.
+if [ $PERL_XML ]; then
+    getzones xml $zone x$n || ret=1
+    cmp zones.out.x$n zones.expect.$n || ret=1
+fi
+if [ $PERL_JSON ]; then
+    getzones json 0 j$n || ret=1
+    cmp zones.out.j$n zones.expect.$n || ret=1
+fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+# Test sign operations for scheduled resigning (many keys).
+ret=0
+zone="manykeys"
+ksk8_id=`cat ns2/$zone.ksk8.id`
+zsk8_id=`cat ns2/$zone.zsk8.id`
+ksk13_id=`cat ns2/$zone.ksk13.id`
+zsk13_id=`cat ns2/$zone.zsk13.id`
+ksk14_id=`cat ns2/$zone.ksk14.id`
+zsk14_id=`cat ns2/$zone.zsk14.id`
+num_ids=$( (echo $ksk8_id; echo $zsk8_id; echo $ksk13_id; echo $zsk13_id; echo $ksk14_id; echo $zsk14_id;) | sort -u | wc -l)
+# The dnssec zone has 10 RRsets to sign (including NSEC) with the ZSKs and one
+# RRset (DNSKEY) with the KSKs. So starting named with signatures that expire
+# almost right away, this should trigger 10 zsk and 1 ksk sign operations per
+# key.
+echo "${refresh_prefix} ${zsk8_id}: 10" > zones.expect
+echo "${refresh_prefix} ${zsk13_id}: 10" >> zones.expect
+echo "${refresh_prefix} ${zsk14_id}: 10" >> zones.expect
+echo "${refresh_prefix} ${ksk8_id}: 1" >> zones.expect
+echo "${refresh_prefix} ${ksk13_id}: 1" >> zones.expect
+echo "${refresh_prefix} ${ksk14_id}: 1" >> zones.expect
+echo "${sign_prefix} ${zsk8_id}: 10" >> zones.expect
+echo "${sign_prefix} ${zsk13_id}: 10" >> zones.expect
+echo "${sign_prefix} ${zsk14_id}: 10" >> zones.expect
+echo "${sign_prefix} ${ksk8_id}: 1" >> zones.expect
+echo "${sign_prefix} ${ksk13_id}: 1" >> zones.expect
+echo "${sign_prefix} ${ksk14_id}: 1" >> zones.expect
+cat zones.expect | sort > zones.expect.$n
+rm -f zones.expect
+# Fetch and check the dnssec sign statistics.
+echo_i "fetching zone '$zone' stats data after zone maintenance at startup ($n)"
+if test $num_ids -eq 6
+then
+    if [ $PERL_XML ]; then
+        getzones xml $zone x$n || ret=1
+        cmp zones.out.x$n zones.expect.$n || ret=1
+    fi
+    if [ $PERL_JSON ]; then
+        getzones json 2 j$n || ret=1
+        cmp zones.out.j$n zones.expect.$n || ret=1
+    fi
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+else
+    echo_i "skipped: duplicate key id detected (fixed in BIND 9.19)"
+fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+# Test sign operations after dynamic update (many keys).
+ret=0
+(
+# Update dnssec zone to trigger signature creation.
+echo zone $zone
+echo server 10.53.0.2 "$PORT"
+echo update add $zone. 300 in txt "nsupdate added me"
+echo send
+) | $NSUPDATE
+# This should trigger the resign of SOA, TXT and NSEC (+3 zsk).
+echo "${refresh_prefix} ${zsk8_id}: 10" > zones.expect
+echo "${refresh_prefix} ${zsk13_id}: 10" >> zones.expect
+echo "${refresh_prefix} ${zsk14_id}: 10" >> zones.expect
+echo "${refresh_prefix} ${ksk8_id}: 1" >> zones.expect
+echo "${refresh_prefix} ${ksk13_id}: 1" >> zones.expect
+echo "${refresh_prefix} ${ksk14_id}: 1" >> zones.expect
+echo "${sign_prefix} ${zsk8_id}: 13" >> zones.expect
+echo "${sign_prefix} ${zsk13_id}: 13" >> zones.expect
+echo "${sign_prefix} ${zsk14_id}: 13" >> zones.expect
+echo "${sign_prefix} ${ksk8_id}: 1" >> zones.expect
+echo "${sign_prefix} ${ksk13_id}: 1" >> zones.expect
+echo "${sign_prefix} ${ksk14_id}: 1" >> zones.expect
+cat zones.expect | sort > zones.expect.$n
+rm -f zones.expect
+# Fetch and check the dnssec sign statistics.
+echo_i "fetching zone '$zone' stats data after dynamic update ($n)"
+if test $num_ids -eq 6
+then
+    if [ $PERL_XML ]; then
+        getzones xml $zone x$n || ret=1
+        cmp zones.out.x$n zones.expect.$n || ret=1
+    fi
+    if [ $PERL_JSON ]; then
+        getzones json 2 j$n || ret=1
+        cmp zones.out.j$n zones.expect.$n || ret=1
+    fi
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+else
+    echo_i "skipped: duplicate key id detected (fixed in BIND 9.19)"
+fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+# Test sign operations after dnssec-policy change (removing keys).
+ret=0
+copy_setports ns2/named2.conf.in ns2/named.conf
+$RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/I:ns2 /'
+# This should trigger the resign of DNSKEY (+1 ksk), and SOA, NSEC,
+# TYPE65534 (+3 zsk). The dnssec-sign statistics for the removed keys should
+# be cleared and thus no longer visible. But NSEC and SOA are (mistakenly)
+# counted double, one time because of zone_resigninc and one time because of
+# zone_nsec3chain. So +5 zsk in total.
+echo "${refresh_prefix} ${zsk8_id}: 15" > zones.expect
+echo "${refresh_prefix} ${ksk8_id}: 2" >> zones.expect
+echo "${sign_prefix} ${zsk8_id}: 18" >> zones.expect
+echo "${sign_prefix} ${ksk8_id}: 2" >> zones.expect
+cat zones.expect | sort > zones.expect.$n
+rm -f zones.expect
+# Fetch and check the dnssec sign statistics.
+echo_i "fetching zone '$zone' stats data after dnssec-policy change ($n)"
+if [ $PERL_XML ]; then
+    getzones xml $zone x$n || ret=1
+    cmp zones.out.x$n zones.expect.$n || ret=1
+fi
+if [ $PERL_JSON ]; then
+    getzones json 2 j$n || ret=1
+    cmp zones.out.j$n zones.expect.$n || ret=1
+fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/statschannel/tests_json.py b/bin/tests/system/statschannel/tests_json.py
new file mode 100755
index 0000000..c459925
--- /dev/null
+++ b/bin/tests/system/statschannel/tests_json.py
@@ -0,0 +1,105 @@
+#!/usr/bin/python3
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+from datetime import datetime
+
+import pytest
+
+import generic
+import pytest_custom_markers
+
+pytestmark = pytest_custom_markers.have_json_c
+requests = pytest.importorskip("requests")
+
+
+# JSON helper functions
+def fetch_zones_json(statsip, statsport):
+    r = requests.get(
+        "http://{}:{}/json/v1/zones".format(statsip, statsport), timeout=600
+    )
+    assert r.status_code == 200
+
+    data = r.json()
+    return data["views"]["_default"]["zones"]
+
+
+def fetch_traffic_json(statsip, statsport):
+    r = requests.get(
+        "http://{}:{}/json/v1/traffic".format(statsip, statsport), timeout=600
+    )
+    assert r.status_code == 200
+
+    data = r.json()
+
+    return data["traffic"]
+
+
+def load_timers_json(zone, primary=True):
+    name = zone["name"]
+
+    # Check if the primary zone timer exists
+    assert "loaded" in zone
+    loaded = datetime.strptime(zone["loaded"], generic.fmt)
+
+    if primary:
+        # Check if the secondary zone timers does not exist
+        assert "expires" not in zone
+        assert "refresh" not in zone
+        expires = None
+        refresh = None
+    else:
+        assert "expires" in zone
+        assert "refresh" in zone
+        expires = datetime.strptime(zone["expires"], generic.fmt)
+        refresh = datetime.strptime(zone["refresh"], generic.fmt)
+
+    return (name, loaded, expires, refresh)
+
+
+def load_zone_json(zone):
+    name = zone["name"]
+
+    return name
+
+
+def test_zone_timers_primary_json(statsport):
+    generic.test_zone_timers_primary(
+        fetch_zones_json,
+        load_timers_json,
+        statsip="10.53.0.1",
+        statsport=statsport,
+        zonedir="ns1",
+    )
+
+
+def test_zone_timers_secondary_json(statsport):
+    generic.test_zone_timers_secondary(
+        fetch_zones_json,
+        load_timers_json,
+        statsip="10.53.0.3",
+        statsport=statsport,
+        zonedir="ns3",
+    )
+
+
+def test_zone_with_many_keys_json(statsport):
+    generic.test_zone_with_many_keys(
+        fetch_zones_json, load_zone_json, statsip="10.53.0.2", statsport=statsport
+    )
+
+
+def test_traffic_json(named_port, statsport):
+    generic_dnspython = pytest.importorskip("generic_dnspython")
+    generic_dnspython.test_traffic(
+        fetch_traffic_json, statsip="10.53.0.2", statsport=statsport, port=named_port
+    )
diff --git a/bin/tests/system/statschannel/tests_xml.py b/bin/tests/system/statschannel/tests_xml.py
new file mode 100755
index 0000000..7f0b37e
--- /dev/null
+++ b/bin/tests/system/statschannel/tests_xml.py
@@ -0,0 +1,135 @@
+#!/usr/bin/python3
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+from datetime import datetime
+import xml.etree.ElementTree as ET
+
+import pytest
+
+import generic
+import pytest_custom_markers
+
+pytestmark = pytest_custom_markers.have_libxml2
+requests = pytest.importorskip("requests")
+
+
+# XML helper functions
+def fetch_zones_xml(statsip, statsport):
+    r = requests.get(
+        "http://{}:{}/xml/v3/zones".format(statsip, statsport), timeout=600
+    )
+    assert r.status_code == 200
+
+    root = ET.fromstring(r.text)
+
+    default_view = None
+    for view in root.find("views").iter("view"):
+        if view.attrib["name"] == "_default":
+            default_view = view
+            break
+    assert default_view is not None
+
+    return default_view.find("zones").findall("zone")
+
+
+def fetch_traffic_xml(statsip, statsport):
+    def load_counters(data):
+        out = {}
+        for counter in data.findall("counter"):
+            out[counter.attrib["name"]] = int(counter.text)
+
+        return out
+
+    r = requests.get(
+        "http://{}:{}/xml/v3/traffic".format(statsip, statsport), timeout=600
+    )
+    assert r.status_code == 200
+
+    root = ET.fromstring(r.text)
+
+    traffic = {}
+    for ip in ["ipv4", "ipv6"]:
+        for proto in ["udp", "tcp"]:
+            proto_root = root.find("traffic").find(ip).find(proto)
+            for counters in proto_root.findall("counters"):
+                if counters.attrib["type"] == "request-size":
+                    key = "dns-{}-requests-sizes-received-{}".format(proto, ip)
+                else:
+                    key = "dns-{}-responses-sizes-sent-{}".format(proto, ip)
+
+                values = load_counters(counters)
+                traffic[key] = values
+
+    return traffic
+
+
+def load_timers_xml(zone, primary=True):
+    name = zone.attrib["name"]
+
+    loaded_el = zone.find("loaded")
+    assert loaded_el is not None
+    loaded = datetime.strptime(loaded_el.text, generic.fmt)
+
+    expires_el = zone.find("expires")
+    refresh_el = zone.find("refresh")
+    if primary:
+        assert expires_el is None
+        assert refresh_el is None
+        expires = None
+        refresh = None
+    else:
+        assert expires_el is not None
+        assert refresh_el is not None
+        expires = datetime.strptime(expires_el.text, generic.fmt)
+        refresh = datetime.strptime(refresh_el.text, generic.fmt)
+
+    return (name, loaded, expires, refresh)
+
+
+def load_zone_xml(zone):
+    name = zone.attrib["name"]
+
+    return name
+
+
+def test_zone_timers_primary_xml(statsport):
+    generic.test_zone_timers_primary(
+        fetch_zones_xml,
+        load_timers_xml,
+        statsip="10.53.0.1",
+        statsport=statsport,
+        zonedir="ns1",
+    )
+
+
+def test_zone_timers_secondary_xml(statsport):
+    generic.test_zone_timers_secondary(
+        fetch_zones_xml,
+        load_timers_xml,
+        statsip="10.53.0.3",
+        statsport=statsport,
+        zonedir="ns3",
+    )
+
+
+def test_zone_with_many_keys_xml(statsport):
+    generic.test_zone_with_many_keys(
+        fetch_zones_xml, load_zone_xml, statsip="10.53.0.2", statsport=statsport
+    )
+
+
+def test_traffic_xml(named_port, statsport):
+    generic_dnspython = pytest.importorskip("generic_dnspython")
+    generic_dnspython.test_traffic(
+        fetch_traffic_xml, statsip="10.53.0.2", statsport=statsport, port=named_port
+    )
diff --git a/bin/tests/system/statschannel/traffic-json.pl b/bin/tests/system/statschannel/traffic-json.pl
new file mode 100644
index 0000000..353d6c7
--- /dev/null
+++ b/bin/tests/system/statschannel/traffic-json.pl
@@ -0,0 +1,49 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# traffic-json.pl:
+# Parses the JSON version of the RSSAC002 traffic stats into a
+# normalized format.
+
+use JSON;
+
+my $file = $ARGV[0];
+open(INPUT, "<$file");
+my $text = do{local$/;<INPUT>};
+close(INPUT);
+
+my $ref = decode_json($text);
+
+my $tcprcvd = $ref->{traffic}->{"dns-tcp-requests-sizes-received-ipv4"};
+my $type = "tcp request-size ";
+foreach $key (keys %{$tcprcvd}) {
+    print $type . $key . ": ". $tcprcvd->{$key} ."\n";
+}
+
+my $tcpsent = $ref->{traffic}->{"dns-tcp-responses-sizes-sent-ipv4"};
+my $type = "tcp response-size ";
+foreach $key (keys %{$tcpsent}) {
+    print $type . $key . ": ". $tcpsent->{$key} ."\n";
+}
+
+my $udprcvd = $ref->{traffic}->{"dns-udp-requests-sizes-received-ipv4"};
+my $type = "udp request-size ";
+foreach $key (keys %{$udprcvd}) {
+    print $type . $key . ": ". $udprcvd->{$key} ."\n";
+}
+
+my $udpsent = $ref->{traffic}->{"dns-udp-responses-sizes-sent-ipv4"};
+my $type = "udp response-size ";
+foreach $key (keys %{$udpsent}) {
+    print $type . $key . ": ". $udpsent->{$key} ."\n";
+}
diff --git a/bin/tests/system/statschannel/traffic-xml.pl b/bin/tests/system/statschannel/traffic-xml.pl
new file mode 100644
index 0000000..5552cc5
--- /dev/null
+++ b/bin/tests/system/statschannel/traffic-xml.pl
@@ -0,0 +1,46 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# traffic-xml.pl:
+# Parses the XML version of the RSSAC002 traffic stats into a
+# normalized format.
+
+use XML::Simple;
+
+my $file = $ARGV[0];
+
+my $ref = XMLin($file);
+
+my $udp = $ref->{traffic}->{ipv4}->{udp}->{counters};
+foreach $group (@$udp) {
+    my $type = "udp " . $group->{type} . " ";
+    if (exists $group->{counter}->{name}) {
+        print $type . $group->{counter}->{name} . ": " . $group->{counter}->{content} . "\n";
+    } else {
+        foreach $key (keys %{$group->{counter}}) {
+            print $type . $key . ": ". $group->{counter}->{$key}->{content} ."\n";
+        }
+    }
+}
+
+my $tcp = $ref->{traffic}->{ipv4}->{tcp}->{counters};
+foreach $group (@$tcp) {
+    my $type = "tcp " . $group->{type} . " ";
+    if (exists $group->{counter}->{name}) {
+        print $type . $group->{counter}->{name} . ": " . $group->{counter}->{content} . "\n";
+    } else {
+        foreach $key (keys %{$group->{counter}}) {
+            print $type . $key . ": ". $group->{counter}->{$key}->{content} ."\n";
+        }
+    }
+}
diff --git a/bin/tests/system/statschannel/traffic.expect.1 b/bin/tests/system/statschannel/traffic.expect.1
new file mode 100644
index 0000000..5938d5d
--- /dev/null
+++ b/bin/tests/system/statschannel/traffic.expect.1
@@ -0,0 +1,2 @@
+tcp request-size 16-31: 1
+tcp response-size 64-79: 1
diff --git a/bin/tests/system/statschannel/traffic.expect.2 b/bin/tests/system/statschannel/traffic.expect.2
new file mode 100644
index 0000000..6c9e25a
--- /dev/null
+++ b/bin/tests/system/statschannel/traffic.expect.2
@@ -0,0 +1,4 @@
+tcp request-size 16-31: 1
+tcp response-size 64-79: 1
+udp request-size 48-63: 1
+udp response-size 112-127: 1
diff --git a/bin/tests/system/statschannel/traffic.expect.4 b/bin/tests/system/statschannel/traffic.expect.4
new file mode 100644
index 0000000..3f892f5
--- /dev/null
+++ b/bin/tests/system/statschannel/traffic.expect.4
@@ -0,0 +1,5 @@
+tcp request-size 16-31: 1
+tcp response-size 64-79: 1
+udp request-size 48-63: 2
+udp response-size 112-127: 1
+udp response-size 848-863: 1
diff --git a/bin/tests/system/statschannel/traffic.expect.5 b/bin/tests/system/statschannel/traffic.expect.5
new file mode 100644
index 0000000..15911b1
--- /dev/null
+++ b/bin/tests/system/statschannel/traffic.expect.5
@@ -0,0 +1,7 @@
+tcp request-size 16-31: 1
+tcp request-size 48-63: 1
+tcp response-size 112-127: 1
+tcp response-size 64-79: 1
+udp request-size 48-63: 2
+udp response-size 112-127: 1
+udp response-size 848-863: 1
diff --git a/bin/tests/system/statschannel/traffic.expect.6 b/bin/tests/system/statschannel/traffic.expect.6
new file mode 100644
index 0000000..73fc8f1
--- /dev/null
+++ b/bin/tests/system/statschannel/traffic.expect.6
@@ -0,0 +1,8 @@
+tcp request-size 16-31: 1
+tcp request-size 48-63: 2
+tcp response-size 112-127: 1
+tcp response-size 64-79: 1
+tcp response-size 848-863: 1
+udp request-size 48-63: 2
+udp response-size 112-127: 1
+udp response-size 848-863: 1
diff --git a/bin/tests/system/statschannel/zones-json.pl b/bin/tests/system/statschannel/zones-json.pl
new file mode 100644
index 0000000..9eec9db
--- /dev/null
+++ b/bin/tests/system/statschannel/zones-json.pl
@@ -0,0 +1,37 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# zones-json.pl:
+# Parses the JSON version of the dnssec sign stats for the
+# "dnssec" zone in the default view into a normalized format.
+
+use JSON;
+
+my $file = $ARGV[0];
+my $zone = $ARGV[1];
+open(INPUT, "<$file");
+my $text = do{local$/;<INPUT>};
+close(INPUT);
+
+my $ref = decode_json($text);
+
+my $dnssecsign = $ref->{views}->{_default}->{zones}[$zone]->{"dnssec-sign"};
+my $type = "dnssec-sign operations ";
+foreach $key (keys %{$dnssecsign}) {
+    print $type . $key . ": ". $dnssecsign->{$key} ."\n";
+}
+my $dnssecrefresh = $ref->{views}->{_default}->{zones}[$zone]->{"dnssec-refresh"};
+my $type = "dnssec-refresh operations ";
+foreach $key (keys %{$dnssecrefresh}) {
+    print $type . $key . ": ". $dnssecrefresh->{$key} ."\n";
+}
diff --git a/bin/tests/system/statschannel/zones-xml.pl b/bin/tests/system/statschannel/zones-xml.pl
new file mode 100644
index 0000000..be86852
--- /dev/null
+++ b/bin/tests/system/statschannel/zones-xml.pl
@@ -0,0 +1,40 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# zones-xml.pl:
+# Parses the XML version of the dnssec sign stats for the
+# "dnssec" zone in the default view into a normalized format.
+
+use XML::Simple;
+
+my $file = $ARGV[0];
+my $zone = $ARGV[1];
+
+my $ref = XMLin($file);
+
+my $counters = $ref->{views}->{view}->{_default}->{zones}->{zone}->{$zone}->{counters};
+
+foreach $group (@$counters) {
+
+    my $type = $group->{type};
+
+    if ($type eq "dnssec-sign" || $type eq "dnssec-refresh") {
+        if (exists $group->{counter}->{name}) {
+            print $type . " operations " . $group->{counter}->{name} . ": " . $group->{counter}->{content} . "\n";
+	} else {
+            foreach $key (keys %{$group->{counter}}) {
+                print $type . " operations " . $key . ": ". $group->{counter}->{$key}->{content} ."\n";
+            }
+        }
+    }
+}
diff --git a/bin/tests/system/stop.pl b/bin/tests/system/stop.pl
new file mode 100644
index 0000000..6783b85
--- /dev/null
+++ b/bin/tests/system/stop.pl
@@ -0,0 +1,292 @@
+#!/usr/bin/perl -w
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# Framework for stopping test servers
+# Based on the type of server specified, signal the server to stop, wait
+# briefly for it to die, and then kill it if it is still alive.
+# If a server is specified, stop it. Otherwise, stop all servers for test.
+
+use strict;
+use warnings;
+
+use Cwd ':DEFAULT', 'abs_path';
+use English '-no_match_vars';
+use Getopt::Long;
+
+# Usage:
+#   perl stop.pl [--use-rndc [--port port]] test [server]
+#
+#   --use-rndc      Attempt to stop the server via the "rndc stop" command.
+#
+#   --port port     Only relevant if --use-rndc is specified, this sets the
+#                   command port over which the attempt should be made.  If
+#                   not specified, port 9953 is used.
+#
+#   test            Name of the test directory.
+#
+#   server          Name of the server directory.
+
+my $usage = "usage: $0 [--use-rndc [--halt] [--port port]] test-directory [server-directory]";
+
+my $use_rndc = 0;
+my $halt = 0;
+my $rndc_port = 9953;
+my $errors = 0;
+
+GetOptions(
+	'use-rndc!' => \$use_rndc,
+	'halt!' => \$halt,
+	'port=i' => \$rndc_port
+    ) or die "$usage\n";
+
+my ( $test, $server_arg ) = @ARGV;
+
+if (!$test) {
+	die "$usage\n";
+}
+
+# Global variables
+my $topdir = abs_path($ENV{'SYSTEMTESTTOP'});
+my $testdir = abs_path($topdir . "/" . $test);
+
+if (! -d $testdir) {
+	die "No test directory: \"$testdir\"\n";
+}
+
+if ($server_arg && ! -d "$testdir/$server_arg") {
+	die "No server directory: \"$testdir/$server_arg\"\n";
+}
+
+my $RNDC = $ENV{RNDC};
+
+my @ns;
+my @ans;
+
+if ($server_arg) {
+	if ($server_arg =~ /^ns/) {
+		push(@ns, $server_arg);
+	} elsif ($server_arg =~ /^ans/) {
+		push(@ans, $server_arg);
+	} else {
+		print "$0: ns or ans directory expected";
+		print "I:$test:failed";
+	}
+} else {
+	# Determine which servers need to be stopped for this test.
+	opendir DIR, $testdir or die "unable to read test directory: \"$test\" ($OS_ERROR)\n";
+	my @files = sort readdir DIR;
+	closedir DIR;
+
+	@ns = grep /^ns[0-9]*$/, @files;
+	@ans = grep /^ans[0-9]*$/, @files;
+}
+
+# Stop the server(s), pass 1: rndc.
+if ($use_rndc) {
+	foreach my $name(@ns) {
+		stop_rndc($name, $rndc_port);
+	}
+
+	@ns = wait_for_servers(30, @ns);
+}
+
+# Pass 2: SIGTERM
+foreach my $name (@ns) {
+	stop_signal($name, "TERM");
+}
+
+@ns = wait_for_servers(60, @ns);
+
+foreach my $name(@ans) {
+	stop_signal($name, "TERM", 1);
+}
+
+@ans = wait_for_servers(1200, @ans);
+
+# Pass 3: SIGABRT
+foreach my $name (@ns) {
+	print "I:$test:$name didn't die when sent a SIGTERM\n";
+	stop_signal($name, "ABRT");
+	$errors = 1;
+}
+foreach my $name (@ans) {
+	print "I:$test:$name didn't die when sent a SIGTERM\n";
+	stop_signal($name, "ABRT", 1);
+	$errors = 1;
+}
+
+exit($errors);
+
+# Subroutines
+
+# Return the full path to a given server's lock file.
+sub server_lock_file {
+	my ( $server ) = @_;
+
+	return if (defined($ENV{'CYGWIN'}) && $ENV{'CYGWIN'});
+
+	return $testdir . "/" . $server . "/named.lock" if ($server =~ /^ns/);
+	return if ($server =~ /^ans/);
+
+	die "Unknown server type $server\n";
+}
+
+# Return the full path to a given server's PID file.
+sub server_pid_file {
+	my ( $server ) = @_;
+
+	return $testdir . "/" . $server . "/named.pid" if ($server =~ /^ns/);
+	return $testdir . "/" . $server . "/ans.pid" if ($server =~ /^ans/);
+
+	die "Unknown server type $server\n";
+}
+
+# Read a PID.
+sub read_pid {
+	my ( $pid_file ) = @_;
+
+	return unless -f $pid_file;
+	# we don't really care about the race condition here
+	my $result = open(my $fh, "<", $pid_file);
+	if (!defined($result)) {
+		print "I:$test:$pid_file: $!\n";
+		unlink $pid_file;
+		return;
+	}
+
+	my $pid = <$fh>;
+	return unless defined($pid);
+
+	chomp($pid);
+	return $pid;
+}
+
+# Stop a named process with rndc.
+sub stop_rndc {
+	my ( $server, $port ) = @_;
+	my $n;
+
+	if ($server =~ /^ns(\d+)/) {
+		$n = $1;
+	} else {
+		die "unable to parse server number from name \"$server\"\n";
+	}
+
+	my $ip = "10.53.0.$n";
+	if (-e "$testdir/$server/named.ipv6-only") {
+		$ip = "fd92:7065:b8e:ffff::$n";
+	}
+
+	my $how = $halt ? "halt" : "stop";
+
+	# Ugly, but should work.
+	system("$RNDC -c ../common/rndc.conf -s $ip -p $port $how | sed 's/^/I:$test:$server /'");
+	return;
+}
+
+sub server_died {
+	my ( $server, $signal ) = @_;
+	
+	print "I:$test:$server died before a SIG$signal was sent\n";
+	$errors = 1;
+
+	my $pid_file = server_pid_file($server);
+	unlink($pid_file);
+
+	return;
+}
+
+sub send_signal {
+	my ( $signal, $pid, $ans ) = @_;
+
+	if (! defined $ans) {
+		$ans = 0;
+	}
+
+	my $result = 0;
+
+	if (!$ans && ($^O eq 'cygwin' || $^O eq 'msys')) {
+		my $killout = `/bin/kill -f -$signal $pid 2>&1`;
+		chomp($killout);
+		$result = 1 if ($killout eq '');
+	} else {
+		$result = kill $signal, $pid;
+	}
+	return $result;
+}
+
+# Stop a server by sending a signal to it.
+sub stop_signal {
+	my ( $server, $signal, $ans ) = @_;
+	if (! defined $ans) {
+		$ans = 0;
+	}
+
+	my $pid_file = server_pid_file($server);
+	my $pid = read_pid($pid_file);
+
+	return unless defined($pid);
+
+	# Send signal to the server, and bail out if signal can't be sent
+	if (send_signal($signal, $pid, $ans) != 1) {
+		server_died($server, $signal);
+		return;
+	}
+
+	return;
+}
+
+sub pid_file_exists {
+	my ( $server ) = @_;
+
+	my $pid_file = server_pid_file($server);
+	my $pid = read_pid($pid_file);
+
+	return unless defined($pid);
+
+	# If we're here, the PID file hasn't been cleaned up yet
+	if (send_signal(0, $pid) == 0) {
+		# XXX: on windows this is likely to result in a
+		# false positive, so don't bother reporting the error.
+		if (!defined($ENV{'CYGWIN'}) || !$ENV{'CYGWIN'}) {
+			print "I:$test:$server crashed on shutdown\n";
+			$errors = 1;
+		}
+		return;
+	}
+
+	return $server;
+}
+
+sub lock_file_exists {
+	my ( $server ) = @_;
+	my $lock_file = server_lock_file($server);
+
+	return unless defined($lock_file) && -f $lock_file;
+
+	return $server;
+}
+
+sub wait_for_servers {
+	my ( $timeout, @servers ) = @_;
+
+	while ($timeout > 0 && @servers > 0) {
+		sleep 1 if (@servers > 0);
+		@servers =
+			grep { defined($_) }
+			map  { pid_file_exists($_) || lock_file_exists($_) } @servers;
+		$timeout--;
+	}
+
+	return @servers;
+}
diff --git a/bin/tests/system/stop.sh b/bin/tests/system/stop.sh
new file mode 100755
index 0000000..d01ca1d
--- /dev/null
+++ b/bin/tests/system/stop.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP="$(cd -P -- "$(dirname -- "$0")" && pwd -P)"
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+export SYSTEMTESTTOP
+
+$PERL "$SYSTEMTESTTOP/stop.pl" "$@"
diff --git a/bin/tests/system/stopall.sh b/bin/tests/system/stopall.sh
new file mode 100644
index 0000000..0d63ecf
--- /dev/null
+++ b/bin/tests/system/stopall.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Stop all hanging processes from any system tests.
+#
+
+SYSTEMTESTTOP=.
+. $SYSTEMTESTTOP/conf.sh
+
+for d in $SUBDIRS
+do
+   $SHELL stop.sh $d
+done
diff --git a/bin/tests/system/stress/clean.sh b/bin/tests/system/stress/clean.sh
new file mode 100644
index 0000000..4833fa7
--- /dev/null
+++ b/bin/tests/system/stress/clean.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f ns?/zone*.bk
+
+rm -f ns2/zone0*.db
+rm -f ns2/zone0*.jnl
+rm -f */named.memstats
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind*
+rm -f ns*/named.run
+rm -f ns*/named.conf
diff --git a/bin/tests/system/stress/ns2/named.conf.in b/bin/tests/system/stress/ns2/named.conf.in
new file mode 100644
index 0000000..607e0b5
--- /dev/null
+++ b/bin/tests/system/stress/ns2/named.conf.in
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+	notify yes;
+};
+
+zone "zone000000.example" {
+	type primary;
+	allow-update { any; };
+	file "zone000000.example.db";
+};
+
+zone "zone000001.example" {
+	type primary;
+	allow-update { any; };
+	file "zone000001.example.db";
+};
+
+zone "zone000002.example" {
+	type primary;
+	allow-update { any; };
+	file "zone000002.example.db";
+};
+
+zone "zone000003.example" {
+	type primary;
+	allow-update { any; };
+	file "zone000003.example.db";
+};
+
+zone "zone000004.example" {
+	type primary;
+	allow-update { any; };
+	file "zone000004.example.db";
+};
diff --git a/bin/tests/system/stress/ns2/zone.template.db b/bin/tests/system/stress/ns2/zone.template.db
new file mode 100644
index 0000000..7ca1cc3
--- /dev/null
+++ b/bin/tests/system/stress/ns2/zone.template.db
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@	IN SOA 	ns2 hostmaster 1 300 120 3600 86400
+@	NS	ns2
+	NS	ns3
+	NS	ns4
+ns2	A	10.53.0.2
+ns3	A	10.53.0.3
+ns4	A	10.53.0.4
+
+$GENERATE 0-999 name${0,6} A 10.0.0.1
diff --git a/bin/tests/system/stress/ns3/named.conf.in b/bin/tests/system/stress/ns3/named.conf.in
new file mode 100644
index 0000000..7a568d6
--- /dev/null
+++ b/bin/tests/system/stress/ns3/named.conf.in
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	notify yes;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+server 10.53.0.4 {
+	provide-ixfr no;
+};
+
+server 10.53.0.2 {
+	request-ixfr no;
+};
+
+zone "zone000000.example" {
+	type secondary;
+	file "zone000000.example.bk";
+	primaries { 10.53.0.2; };
+};
+
+zone "zone000001.example" {
+	type secondary;
+	file "zone000001.example.bk";
+	primaries { 10.53.0.2; };
+};
+
+zone "zone000002.example" {
+	type secondary;
+	file "zone000002.example.bk";
+	primaries { 10.53.0.2; };
+};
+
+zone "zone000003.example" {
+	type secondary;
+	file "zone000003.example.bk";
+	primaries { 10.53.0.2; };
+};
+
+zone "zone000004.example" {
+	type secondary;
+	file "zone000004.example.bk";
+	primaries { 10.53.0.2; };
+};
diff --git a/bin/tests/system/stress/ns4/named.conf.in b/bin/tests/system/stress/ns4/named.conf.in
new file mode 100644
index 0000000..26296f5
--- /dev/null
+++ b/bin/tests/system/stress/ns4/named.conf.in
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	notify yes;
+};
+
+zone "zone000000.example" {
+	type secondary;
+	file "zone000000.example.bk";
+	primaries { 10.53.0.3; };
+};
+
+zone "zone000001.example" {
+	type secondary;
+	file "zone000001.example.bk";
+	primaries { 10.53.0.3; };
+};
+
+zone "zone000002.example" {
+	type secondary;
+	file "zone000002.example.bk";
+	primaries { 10.53.0.3; };
+};
+
+zone "zone000003.example" {
+	type secondary;
+	file "zone000003.example.bk";
+	primaries { 10.53.0.3; };
+};
+
+zone "zone000004.example" {
+	type secondary;
+	file "zone000004.example.bk";
+	primaries { 10.53.0.3; };
+};
diff --git a/bin/tests/system/stress/prereq.sh b/bin/tests/system/stress/prereq.sh
new file mode 100644
index 0000000..aa97ae2
--- /dev/null
+++ b/bin/tests/system/stress/prereq.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if test -n "$PYTHON"
+then
+    if $PYTHON -c "import dns" 2> /dev/null
+    then
+        :
+    else
+        echo_i "This test requires the dnspython module." >&2
+        exit 1
+    fi
+else
+    echo_i "This test requires Python and the dnspython module." >&2
+    exit 1
+fi
+
+exit 0
diff --git a/bin/tests/system/stress/setup.sh b/bin/tests/system/stress/setup.sh
new file mode 100644
index 0000000..a19b4a1
--- /dev/null
+++ b/bin/tests/system/stress/setup.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+cp ns2/zone.template.db ns2/zone000000.example.db
+cp ns2/zone.template.db ns2/zone000001.example.db
+cp ns2/zone.template.db ns2/zone000002.example.db
+cp ns2/zone.template.db ns2/zone000003.example.db
+cp ns2/zone.template.db ns2/zone000004.example.db
+
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
diff --git a/bin/tests/system/stress/tests_stress_update.py b/bin/tests/system/stress/tests_stress_update.py
new file mode 100644
index 0000000..638cda0
--- /dev/null
+++ b/bin/tests/system/stress/tests_stress_update.py
@@ -0,0 +1,77 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import concurrent.futures
+import os
+import subprocess
+import time
+import dns.query
+import dns.update
+
+
+def rndc_loop(test_state, server):
+    rndc = os.getenv("RNDC")
+    port = os.getenv("CONTROLPORT")
+
+    cmdline = [
+        rndc,
+        "-c",
+        "../common/rndc.conf",
+        "-p",
+        port,
+        "-s",
+        server,
+        "reload",
+    ]
+
+    while not test_state["finished"]:
+        subprocess.run(cmdline, check=False)
+        time.sleep(1)
+
+
+def update_zone(test_state, zone, named_port):
+    server = "10.53.0.2"
+    for i in range(1000):
+        if test_state["finished"]:
+            return
+        update = dns.update.UpdateMessage(zone)
+        update.add(f"dynamic-{i}.{zone}", 300, "TXT", f"txt-{i}")
+        try:
+            response = dns.query.udp(update, server, 10, named_port)
+            assert response.rcode() == dns.rcode.NOERROR
+        except dns.exception.Timeout:
+            print(f"error: query timeout for {zone}")
+
+    print(f"Update of {server} zone {zone} successful")
+
+
+# If the test has run to completion without named crashing, it has succeeded.
+def test_update_stress(named_port):
+    test_state = {"finished": False}
+
+    with concurrent.futures.ThreadPoolExecutor() as executor:
+        executor.submit(rndc_loop, test_state, "10.53.0.3")
+
+        updaters = []
+        for i in range(5):
+            zone = f"zone00000{i}.example."
+            updaters.append(executor.submit(update_zone, test_state, zone, named_port))
+
+        # All the update_zone() tasks are expected to complete within 5
+        # minutes.  If they do not, we cannot assert immediately as that will
+        # cause the ThreadPoolExecutor context manager to wait indefinitely;
+        # instead, we first signal all tasks that it is time to exit and only
+        # check whether any task failed to finish within 5 minutes outside of
+        # the ThreadPoolExecutor context manager.
+        unfinished_tasks = concurrent.futures.wait(updaters, timeout=300).not_done
+        test_state["finished"] = True
+
+    assert not unfinished_tasks
diff --git a/bin/tests/system/stub/clean.sh b/bin/tests/system/stub/clean.sh
new file mode 100644
index 0000000..504df03
--- /dev/null
+++ b/bin/tests/system/stub/clean.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Clean up after stub tests.
+#
+rm -f dig.out.ns[35] ns3/child.example.st
+rm -f */named.memstats
+rm -f */named.conf
+rm -f */named.run
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind*
+rm -f ns5/example.db
diff --git a/bin/tests/system/stub/knowngood.dig.out.norec b/bin/tests/system/stub/knowngood.dig.out.norec
new file mode 100644
index 0000000..ca0e458
--- /dev/null
+++ b/bin/tests/system/stub/knowngood.dig.out.norec
@@ -0,0 +1,21 @@
+
+; <<>> DiG 8.2 <<>> -p @10.53.0.3 +norec data.child.example txt
+; (1 server found)
+;; res options: init defnam dnsrch
+;; got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 216
+;; flags: qr ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
+;; QUERY SECTION:
+;;	data.child.example, type = TXT, class = IN
+
+;; AUTHORITY SECTION:
+child.example.		5M IN NS	ns2.child.example.
+
+;; ADDITIONAL SECTION:
+ns2.child.example.	5M IN A		10.53.0.2
+
+;; Total query time: 3 msec
+;; FROM: draco to SERVER: 10.53.0.3
+;; WHEN: Wed Jun 21 10:58:37 2000
+;; MSG SIZE  sent: 36  rcvd: 70
+
diff --git a/bin/tests/system/stub/knowngood.dig.out.rec b/bin/tests/system/stub/knowngood.dig.out.rec
new file mode 100644
index 0000000..8ea1968
--- /dev/null
+++ b/bin/tests/system/stub/knowngood.dig.out.rec
@@ -0,0 +1,18 @@
+
+; <<>> DiG 8.2 <<>> -p @10.53.0.3 data.child.example txt
+; (1 server found)
+;; res options: init recurs defnam dnsrch
+;; got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
+;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
+;; QUERY SECTION:
+;;	data.child.example, type = TXT, class = IN
+
+;; ANSWER SECTION:
+data.child.example.	5M IN TXT	"some" "test" "data"
+
+;; Total query time: 8 msec
+;; FROM: draco to SERVER: 10.53.0.3
+;; WHEN: Wed Jun 21 10:58:54 2000
+;; MSG SIZE  sent: 36  rcvd: 97
+
diff --git a/bin/tests/system/stub/ns1/named.conf.in b/bin/tests/system/stub/ns1/named.conf.in
new file mode 100644
index 0000000..765cf69
--- /dev/null
+++ b/bin/tests/system/stub/ns1/named.conf.in
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	minimal-responses no;
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
diff --git a/bin/tests/system/stub/ns1/root.db b/bin/tests/system/stub/ns1/root.db
new file mode 100644
index 0000000..361f93e
--- /dev/null
+++ b/bin/tests/system/stub/ns1/root.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. 			IN SOA	gson.nominum.com. a.root.servers.nil. (
+				2000042100   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+
+example.		NS	ns3.example.
+ns3.example.		A	10.53.0.3
diff --git a/bin/tests/system/stub/ns2/child.example.db b/bin/tests/system/stub/ns2/child.example.db
new file mode 100644
index 0000000..9b50a2a
--- /dev/null
+++ b/bin/tests/system/stub/ns2/child.example.db
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+child.example.		IN SOA	ns2.child.example. hostmaster.child.example. (
+				2000042795 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+child.example.		NS	ns2.child.example.
+ns2.child.example.	A	10.53.0.2
+data			TXT     some test data
diff --git a/bin/tests/system/stub/ns2/named.conf.in b/bin/tests/system/stub/ns2/named.conf.in
new file mode 100644
index 0000000..2936482
--- /dev/null
+++ b/bin/tests/system/stub/ns2/named.conf.in
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	minimal-responses no;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "child.example" {
+	type primary;
+	file "child.example.db";
+};
diff --git a/bin/tests/system/stub/ns3/example.db b/bin/tests/system/stub/ns3/example.db
new file mode 100644
index 0000000..4d0b3f0
--- /dev/null
+++ b/bin/tests/system/stub/ns3/example.db
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300	; 5 minutes
+example			IN SOA	ns3.example. hostmaster.example. (
+				2000042795 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+example.		NS	ns3.example.
+ns3.example.		A	10.53.0.3
diff --git a/bin/tests/system/stub/ns3/named.conf.in b/bin/tests/system/stub/ns3/named.conf.in
new file mode 100644
index 0000000..3236889
--- /dev/null
+++ b/bin/tests/system/stub/ns3/named.conf.in
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+	minimal-responses no;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+};
+
+zone "child.example" {
+	type stub;
+	file "child.example.st";
+	primaries { 10.53.0.2; };
+};
diff --git a/bin/tests/system/stub/ns4/example.db b/bin/tests/system/stub/ns4/example.db
new file mode 100644
index 0000000..1afe983
--- /dev/null
+++ b/bin/tests/system/stub/ns4/example.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	ns4.example. hostmaster.example. (
+				2000042795 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+@        IN    NS      ns4
+ns4      IN    A       10.53.0.4
+         IN    AAAA    fd92:7065:b8e:ffff::4
+target   IN    TXT     "test"
diff --git a/bin/tests/system/stub/ns4/named.conf.in b/bin/tests/system/stub/ns4/named.conf.in
new file mode 100644
index 0000000..7e53972
--- /dev/null
+++ b/bin/tests/system/stub/ns4/named.conf.in
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	minimal-responses yes;
+	dnssec-validation no;
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+};
diff --git a/bin/tests/system/stub/ns5/named.conf.in b/bin/tests/system/stub/ns5/named.conf.in
new file mode 100644
index 0000000..8897eac
--- /dev/null
+++ b/bin/tests/system/stub/ns5/named.conf.in
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.5;
+	notify-source 10.53.0.5;
+	transfer-source 10.53.0.5;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.5; };
+	listen-on-v6 { none; };
+    dnssec-validation no;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "example" {
+	type stub;
+	file "example.db";
+    masters { 10.53.0.4 port @PORT@; };
+};
diff --git a/bin/tests/system/stub/setup.sh b/bin/tests/system/stub/setup.sh
new file mode 100644
index 0000000..ccb59d4
--- /dev/null
+++ b/bin/tests/system/stub/setup.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
diff --git a/bin/tests/system/stub/tests.sh b/bin/tests/system/stub/tests.sh
new file mode 100644
index 0000000..6d5d110
--- /dev/null
+++ b/bin/tests/system/stub/tests.sh
@@ -0,0 +1,87 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="+tcp -p ${PORT}"
+
+status=0
+echo_i "check that the stub zone has been saved to disk"
+for i in 1 2 3 4 5 6 7 8 9 20
+do
+	[ -f ns3/child.example.st ] && break
+	sleep 1
+done
+[ -f ns3/child.example.st ] || { status=1;  echo_i "failed"; }
+
+for pass in 1 2
+do
+
+echo_i "trying an axfr that should be denied (NOTAUTH) (pass=$pass)"
+ret=0
+$DIG $DIGOPTS child.example. @10.53.0.3 axfr > dig.out.ns3 || ret=1
+grep "; Transfer failed." dig.out.ns3 > /dev/null || ret=1
+[ $ret = 0 ] || { status=1;  echo_i "failed"; }
+
+echo_i "look for stub zone data without recursion (should not be found) (pass=$pass)"
+for i in 1 2 3 4 5 6 7 8 9
+do
+	ret=0
+	$DIG $DIGOPTS +norec data.child.example. \
+		@10.53.0.3 txt > dig.out.ns3 || ret=1
+	grep "status: NOERROR" dig.out.ns3 > /dev/null || ret=1
+	[ $ret = 0 ] && break
+	sleep 1
+done
+digcomp knowngood.dig.out.norec dig.out.ns3 || ret=1
+[ $ret = 0 ] || { status=1;  echo_i "failed"; }
+
+echo_i "look for stub zone data with recursion (should be found) (pass=$pass)"
+ret=0
+$DIG $DIGOPTS +noauth +noadd data.child.example. @10.53.0.3 txt > dig.out.ns3 || ret=1
+digcomp knowngood.dig.out.rec dig.out.ns3 || ret=1
+[ $ret = 0 ] || { status=1;  echo_i "failed"; }
+
+[ $pass = 1 ] && {
+	echo_i "stopping stub server"
+	stop_server ns3
+
+	echo_i "re-starting stub server"
+	start_server --noclean --restart --port ${PORT} ns3
+}
+done
+
+echo_i "check that glue record is correctly transferred from master when minimal-responses is on"
+ret=0
+# First ensure that zone data was transfered.
+for i in 1 2 3 4 5 6 7; do
+    [ -f ns5/example.db ] && break
+    sleep 1
+done
+
+if [ -f ns5/example.db ]; then
+    # If NS glue wasn't transferred,  this query would fail.
+    $DIG $DIGOPTS +nodnssec @10.53.0.5 target.example. txt > dig.out.ns5 || ret=1
+    grep  'target\.example.*TXT.*"test"' dig.out.ns5 > /dev/null || ret=1
+    # Ensure both ipv4 and ipv6 glue records were transferred.
+    grep -E 'ns4[[:space:]]+A[[:space:]]+10.53.0.4' ns5/example.db > /dev/null || ret=1
+    grep -E 'AAAA[[:space:]]+fd92:7065:b8e:ffff::4' ns5/example.db > /dev/null || ret=1
+    [ $ret = 0 ] || { status=1;  echo_i "failed"; }
+else
+    status=1
+    echo_i "failed: stub zone transfer failed ns4(master) <---> ns5/example.db"
+fi
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/synthfromdnssec/clean.sh b/bin/tests/system/synthfromdnssec/clean.sh
new file mode 100644
index 0000000..56ec876
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/clean.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+rm -f ./*/named.memstats
+rm -f ./*/named.conf
+rm -f ./*/named.run
+rm -f ./dig.out.*
+rm -f ./ns1/K*+*+*.key
+rm -f ./ns1/K*+*+*.private
+rm -f ./ns1/dsset-*
+rm -f ./ns1/example.db
+rm -f ./ns1/example.db.signed
+rm -f ./ns1/dnamed.db
+rm -f ./ns1/dnamed.db.signed
+rm -f ./ns1/root.db
+rm -f ./ns1/root.db.signed
+rm -f ./ns1/trusted.conf
+rm -f ./ns2/named_dump.db
+rm -f ./ns*/managed-keys.bind*
diff --git a/bin/tests/system/synthfromdnssec/ns1/dnamed.db.in b/bin/tests/system/synthfromdnssec/ns1/dnamed.db.in
new file mode 100644
index 0000000..299adb2
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns1/dnamed.db.in
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@		SOA	ns1 hostmaster 1 3600 1200 604800 3600
+@		NS	ns1
+ns1		A	10.53.0.1
+a		A	10.53.0.1
diff --git a/bin/tests/system/synthfromdnssec/ns1/example.db.in b/bin/tests/system/synthfromdnssec/ns1/example.db.in
new file mode 100644
index 0000000..90629a7
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns1/example.db.in
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@		SOA	ns1 hostmaster 1 3600 1200 604800 3600
+@		NS	ns1
+ns1		A	10.53.0.1
+nodata		TXT	nodata
+*.wild-a	A	1.2.3.4
+*.wild-cname 	CNAME	ns1
+dnamed		DNAME	dnamed.
diff --git a/bin/tests/system/synthfromdnssec/ns1/named.conf.in b/bin/tests/system/synthfromdnssec/ns1/named.conf.in
new file mode 100644
index 0000000..8b1954f
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns1/named.conf.in
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	dnssec-validation yes;
+};
+
+zone "." {
+	type primary;
+	file "root.db.signed";
+};
+
+zone "example" {
+	type primary;
+	file "example.db.signed";
+};
+
+zone "dnamed" {
+	type primary;
+	file "dnamed.db.signed";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/synthfromdnssec/ns1/root.db.in b/bin/tests/system/synthfromdnssec/ns1/root.db.in
new file mode 100644
index 0000000..ad43527
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns1/root.db.in
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@		SOA	ns1 hostmaster 1 3600 1200 604800 3600
+@		NS	ns1
+ns1		A	10.53.0.1
+example		NS	ns1.example
+ns1.example	A	10.53.0.1
+dnamed		NS	ns1.dnamed
+ns1.dnamed	A	10.53.0.1
diff --git a/bin/tests/system/synthfromdnssec/ns1/sign.sh b/bin/tests/system/synthfromdnssec/ns1/sign.sh
new file mode 100644
index 0000000..2240767
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns1/sign.sh
@@ -0,0 +1,45 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+zone=example
+infile=example.db.in
+zonefile=example.db
+
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+cat "$infile" "$keyname.key" > "$zonefile"
+
+$SIGNER -P -o $zone $zonefile > /dev/null
+
+zone=dnamed
+infile=dnamed.db.in
+zonefile=dnamed.db
+
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+cat "$infile" "$keyname.key" > "$zonefile"
+
+$SIGNER -P -o $zone $zonefile > /dev/null
+
+zone=.
+infile=root.db.in
+zonefile=root.db
+
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -n zone $zone)
+cat "$infile" "$keyname.key" > "$zonefile"
+
+$SIGNER -P -g -o $zone $zonefile > /dev/null
+
+# Configure the resolving server with a static key.
+keyfile_to_static_ds "$keyname" > trusted.conf
diff --git a/bin/tests/system/synthfromdnssec/ns2/named.conf.in b/bin/tests/system/synthfromdnssec/ns2/named.conf.in
new file mode 100644
index 0000000..8b0e8d4
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns2/named.conf.in
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify no;
+	dnssec-validation yes;
+};
+
+zone "." {
+	type hint;
+	file "root.hints";
+};
+
+include "../ns1/trusted.conf";
diff --git a/bin/tests/system/synthfromdnssec/ns2/root.hints b/bin/tests/system/synthfromdnssec/ns2/root.hints
new file mode 100644
index 0000000..6b80b9e
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns2/root.hints
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+.	NS	ns1
+ns1	A	10.53.0.1
diff --git a/bin/tests/system/synthfromdnssec/ns3/named.conf.in b/bin/tests/system/synthfromdnssec/ns3/named.conf.in
new file mode 100644
index 0000000..a260561
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns3/named.conf.in
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify no;
+	dnssec-validation yes;
+};
+
+zone "." {
+	type hint;
+	file "root.hints";
+};
+
+zone "." {
+	type redirect;
+	file "redirect.db";
+};
+
+include "../ns1/trusted.conf";
diff --git a/bin/tests/system/synthfromdnssec/ns3/redirect.db b/bin/tests/system/synthfromdnssec/ns3/redirect.db
new file mode 100644
index 0000000..c529ad2
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns3/redirect.db
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA ns.example.net hostmaster.example.net 0 0 0 0 0
+@ IN NS ns.example.net
+;
+; NS records do not need address records in this zone as it is not in the
+; normal namespace.
+;
+*.redirect. IN A 100.100.100.2
+*.redirect. IN AAAA 2001:ffff:ffff::100.100.100.2
diff --git a/bin/tests/system/synthfromdnssec/ns3/root.hints b/bin/tests/system/synthfromdnssec/ns3/root.hints
new file mode 100644
index 0000000..6b80b9e
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns3/root.hints
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+.	NS	ns1
+ns1	A	10.53.0.1
diff --git a/bin/tests/system/synthfromdnssec/ns4/named.conf.in b/bin/tests/system/synthfromdnssec/ns4/named.conf.in
new file mode 100644
index 0000000..9ecdd0e
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns4/named.conf.in
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS4
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify no;
+	dnssec-validation yes;
+	synth-from-dnssec no;
+};
+
+zone "." {
+	type hint;
+	file "root.hints";
+};
+
+include "../ns1/trusted.conf";
diff --git a/bin/tests/system/synthfromdnssec/ns4/root.hints b/bin/tests/system/synthfromdnssec/ns4/root.hints
new file mode 100644
index 0000000..6b80b9e
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns4/root.hints
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+.	NS	ns1
+ns1	A	10.53.0.1
diff --git a/bin/tests/system/synthfromdnssec/ns5/named.conf.in b/bin/tests/system/synthfromdnssec/ns5/named.conf.in
new file mode 100644
index 0000000..6fa0009
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns5/named.conf.in
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS5
+
+options {
+	query-source address 10.53.0.5;
+	notify-source 10.53.0.5;
+	transfer-source 10.53.0.5;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.5; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify no;
+	dnssec-validation yes;
+	synth-from-dnssec yes;
+};
+
+zone "." {
+	type hint;
+	file "root.hints";
+};
+
+include "../ns1/trusted.conf";
diff --git a/bin/tests/system/synthfromdnssec/ns5/root.hints b/bin/tests/system/synthfromdnssec/ns5/root.hints
new file mode 100644
index 0000000..6b80b9e
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns5/root.hints
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+.	NS	ns1
+ns1	A	10.53.0.1
diff --git a/bin/tests/system/synthfromdnssec/setup.sh b/bin/tests/system/synthfromdnssec/setup.sh
new file mode 100644
index 0000000..6f7bc7c
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/setup.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+
+(
+    cd ns1
+    $SHELL sign.sh
+)
diff --git a/bin/tests/system/synthfromdnssec/tests.sh b/bin/tests/system/synthfromdnssec/tests.sh
new file mode 100644
index 0000000..95cfc60
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/tests.sh
@@ -0,0 +1,202 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+SYSTEMTESTTOP=..
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+status=0
+n=1
+
+rm -f dig.out.*
+
+dig_with_opts() {
+    "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
+}
+
+for ns in 2 4 5
+do
+    case $ns in
+    2) description="<default>";;
+    4) description="no";;
+    5) description="yes";;
+    *) exit 1;;
+    esac
+    echo_i "prime negative NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
+    ret=0
+    dig_with_opts a.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+    grep "flags:[^;]* ad[ ;]" dig.out.ns${ns}.test$n > /dev/null || ret=1
+    grep "status: NXDOMAIN," dig.out.ns${ns}.test$n > /dev/null || ret=1
+    grep "example.*3600.IN.SOA" dig.out.ns${ns}.test$n > /dev/null || ret=1
+    [ $ns -eq ${ns} ] && nxdomain=dig.out.ns${ns}.test$n
+    n=$((n+1))
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+
+    echo_i "prime negative NODATA response (synth-from-dnssec ${description};) ($n)"
+    ret=0
+    dig_with_opts nodata.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+    grep "flags:[^;]* ad[ ;]" dig.out.ns${ns}.test$n > /dev/null || ret=1
+    grep "status: NOERROR," dig.out.ns${ns}.test$n > /dev/null || ret=1
+    grep "example.*3600.IN.SOA" dig.out.ns${ns}.test$n > /dev/null || ret=1
+    [ $ns -eq 2 ] && nodata=dig.out.ns${ns}.test$n
+    n=$((n+1))
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+
+    echo_i "prime wildcard response (synth-from-dnssec ${description};) ($n)"
+    ret=0
+    dig_with_opts a.wild-a.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+    grep "flags:[^;]* ad[ ;]" dig.out.ns${ns}.test$n > /dev/null || ret=1
+    grep "status: NOERROR," dig.out.ns${ns}.test$n > /dev/null || ret=1
+    grep "a.wild-a.example.*3600.IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1
+    n=$((n+1))
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+
+    echo_i "prime wildcard CNAME response (synth-from-dnssec ${description};) ($n)"
+    ret=0
+    dig_with_opts a.wild-cname.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+    grep "flags:[^;]* ad[ ;]" dig.out.ns${ns}.test$n > /dev/null || ret=1
+    grep "status: NOERROR," dig.out.ns${ns}.test$n > /dev/null || ret=1
+    grep "a.wild-cname.example.*3600.IN.CNAME" dig.out.ns${ns}.test$n > /dev/null || ret=1
+    n=$((n+1))
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+done
+
+echo_i "prime redirect response (+nodnssec) (synth-from-dnssec <default>;) ($n)"
+ret=0
+dig_with_opts +nodnssec a.redirect. @10.53.0.3 a > dig.out.ns2.test$n || ret=1
+grep "flags:[^;]* ad[ ;]" dig.out.ns2.test$n > /dev/null && ret=1
+grep "status: NOERROR," dig.out.ns2.test$n > /dev/null || ret=1
+grep 'a\.redirect\..*300.IN.A.100\.100\.100\.2' dig.out.ns2.test$n > /dev/null || ret=1
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+#
+# ensure TTL of synthesised answers differs from direct answers.
+#
+sleep 1
+
+for ns in 2 4 5
+do
+    case $ns in
+    2) synth=no description="<default>";;
+    4) synth=no  description="no";;
+    5) synth=yes description="yes";;
+    *) exit 1;;
+    esac
+    echo_i "check synthesized NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
+    ret=0
+    dig_with_opts b.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+    grep "flags:[^;]* ad[ ;]" dig.out.ns${ns}.test$n > /dev/null || ret=1
+    grep "status: NXDOMAIN," dig.out.ns${ns}.test$n > /dev/null || ret=1
+    if [ ${synth} = yes ]
+    then
+	grep "example.*IN.SOA" dig.out.ns${ns}.test$n > /dev/null || ret=1
+	grep "example.*3600.IN.SOA" dig.out.ns${ns}.test$n > /dev/null && ret=1
+    else
+	grep "example.*3600.IN.SOA" dig.out.ns${ns}.test$n > /dev/null || ret=1
+    fi
+    digcomp $nxdomain dig.out.ns${ns}.test$n || ret=1
+    n=$((n+1))
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+
+    echo_i "check synthesized NODATA response (synth-from-dnssec ${description};) ($n)"
+    ret=0
+    dig_with_opts nodata.example. @10.53.0.${ns} aaaa > dig.out.ns${ns}.test$n || ret=1
+    grep "flags:[^;]* ad[ ;]" dig.out.ns${ns}.test$n > /dev/null || ret=1
+    grep "status: NOERROR," dig.out.ns${ns}.test$n > /dev/null || ret=1
+    if [ ${synth} = yes ]
+    then
+	grep "example.*IN.SOA" dig.out.ns${ns}.test$n > /dev/null || ret=1
+	grep "example.*3600.IN.SOA" dig.out.ns${ns}.test$n > /dev/null && ret=1
+    else
+	grep "example.*3600.IN.SOA" dig.out.ns${ns}.test$n > /dev/null || ret=1
+    fi
+    digcomp $nodata dig.out.ns${ns}.test$n || ret=1
+    n=$((n+1))
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+
+    echo_i "check synthesized wildcard response (synth-from-dnssec ${description};) ($n)"
+    ret=0
+    dig_with_opts b.wild-a.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+    grep "flags:[^;]* ad[ ;]" dig.out.ns${ns}.test$n > /dev/null || ret=1
+    grep "status: NOERROR," dig.out.ns${ns}.test$n > /dev/null || ret=1
+    if [ ${synth} = yes ]
+    then
+	    grep "b\.wild-a\.example\..*IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1
+	    grep "b\.wild-a\.example\..*3600.IN.A" dig.out.ns${ns}.test$n > /dev/null && ret=1
+    else
+	    grep "b\.wild-a\.example\..*3600.IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1
+    fi
+    n=$((n+1))
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+
+    echo_i "check synthesized wildcard CNAME response (synth-from-dnssec ${description};) ($n)"
+    ret=0
+    dig_with_opts b.wild-cname.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+    grep "flags:[^;]* ad[ ;]" dig.out.ns${ns}.test$n > /dev/null || ret=1
+    grep "status: NOERROR," dig.out.ns${ns}.test$n > /dev/null || ret=1
+    if [ ${synth} = yes ]
+    then
+	grep "b.wild-cname.example.*IN.CNAME" dig.out.ns${ns}.test$n > /dev/null || ret=1
+	grep "b.wild-cname.example.*3600.IN.CNAME" dig.out.ns${ns}.test$n > /dev/null && ret=1
+    else
+	grep "b.wild-cname.example.*3600.IN.CNAME" dig.out.ns${ns}.test$n > /dev/null || ret=1
+    fi
+    grep "ns1.example.*.IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1
+    n=$((n+1))
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+done
+
+echo_i "check redirect response (+dnssec) (synth-from-dnssec <default>;) ($n)"
+ret=0
+dig_with_opts b.redirect. @10.53.0.3 a > dig.out.ns2.test$n || ret=1
+grep "flags:[^;]* ad[ ;]" dig.out.ns2.test$n > /dev/null || ret=1
+grep "status: NXDOMAIN," dig.out.ns2.test$n > /dev/null || ret=1
+grep "\..*3600.IN.SOA" dig.out.ns2.test$n > /dev/null || ret=1
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "check redirect response (+nodnssec) (synth-from-dnssec <default>;) ($n)"
+ret=0
+dig_with_opts +nodnssec b.redirect. @10.53.0.3 a > dig.out.ns2.test$n || ret=1
+grep "flags:[^;]* ad[ ;]" dig.out.ns2.test$n > /dev/null && ret=1
+grep "status: NOERROR," dig.out.ns2.test$n > /dev/null || ret=1
+grep 'b\.redirect\..*300.IN.A.100\.100\.100\.2' dig.out.ns2.test$n > /dev/null || ret=1
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+
+echo_i "check DNAME handling (synth-from-dnssec yes;) ($n)"
+ret=0
+dig_with_opts dnamed.example. ns @10.53.0.5 > dig.out.ns5.test$n || ret=1
+dig_with_opts a.dnamed.example. a @10.53.0.5 > dig.out.ns5-1.test$n || ret=1
+grep "status: NOERROR," dig.out.ns5-1.test$n > /dev/null || ret=1
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/system-test-driver.sh b/bin/tests/system/system-test-driver.sh
new file mode 100755
index 0000000..cf4d5f2
--- /dev/null
+++ b/bin/tests/system/system-test-driver.sh
@@ -0,0 +1,80 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck disable=SC2181
+# shellcheck disable=SC2034
+
+usage() {
+    echo "$0 --test-name=NAME --log-file=PATH.log --trs-file=PATH.trs --color-tests={yes|no} --expect-failure={yes|no} --enable-hard-errors={yes|no}"
+}
+
+#
+# This requires GNU getopt
+#
+getopt --test >/dev/null
+if [ "$?" -ne 4 ]; then
+    echo "fatal: GNU getopt is required"
+    exit 1
+fi
+
+OPTS=$(getopt --shell "sh" --name "$(basename "$0")" --options '' --longoptions test-name:,log-file:,trs-file:,color-tests:,expect-failure:,enable-hard-errors: -- "$@")
+
+if [ "$?" != 0 ] ; then echo "Failed parsing options." >&2 ; exit 1 ; fi
+
+eval set -- "$OPTS"
+
+TEST_NAME=
+LOG_FILE=
+TRS_FILE=
+COLOR_TESTS=yes
+EXPECT_FAILURE=no
+HARD_ERRORS=yes
+
+while true; do
+    case "$1" in
+	--test-name ) TEST_NAME="$2"; shift; shift ;;
+	--log-file ) LOG_FILE="$2"; shift; shift ;;
+	--trs-file ) TRS_FILE="$2"; shift; shift ;;
+	--color-tests ) COLOR_TESTS="$2"; shift; shift ;;
+	--expect-failure ) EXPECT_FAILURE="$2"; shift; shift ;;
+	--hard-errors ) HARD_ERRORS="$2"; shift; shift ;;
+	-- ) shift; break ;;
+	*) break ;;
+    esac
+done
+
+if [ -z "$1" ]; then
+    echo "fatal: test name required"
+    usage
+    exit 1
+fi
+
+TEST_PROGRAM="$1"
+shift
+
+if [ -z "$TEST_NAME" ]; then
+    TEST_NAME="$(basename "$TEST_PROGRAM")"
+fi
+if [ -z "$LOG_FILE" ]; then
+    LOG_FILE="$TEST_PROGRAM.log"
+fi
+if [ -z "$TRS_FILE" ]; then
+    TRS_FILE="$TEST_PROGRAM.trs"
+fi
+
+echo "Running $TEST_PROGRAM"
+
+random=$(awk 'BEGIN { srand(); print int(rand()*32768) }' /dev/null)
+./run.sh -p "$((random%32000+32000))" "$@" "$TEST_PROGRAM"
+
+exit $?
diff --git a/bin/tests/system/tcp/1996-alloc_dnsbuf-crash-test.pkt b/bin/tests/system/tcp/1996-alloc_dnsbuf-crash-test.pkt
new file mode 100644
index 0000000..7520c3a
--- /dev/null
+++ b/bin/tests/system/tcp/1996-alloc_dnsbuf-crash-test.pkt
@@ -0,0 +1,12 @@
+# Transaction ID
+0001
+# Standard query
+0000
+# Questions: 1, Additional: 1
+0001 0000 0000 0000
+# QNAME: www.isc.org
+03 697363 03 6F7267 00
+# Type: AXFR
+00fc
+# Class: IN
+0001
diff --git a/bin/tests/system/tcp/ans6/ans.py b/bin/tests/system/tcp/ans6/ans.py
new file mode 100644
index 0000000..4595ddc
--- /dev/null
+++ b/bin/tests/system/tcp/ans6/ans.py
@@ -0,0 +1,157 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+############################################################################
+#
+# This tool allows an arbitrary number of TCP connections to be made to the
+# specified service and to keep them open until told otherwise.  It is
+# controlled by writing text commands to a TCP socket (default port: 5309).
+#
+# Currently supported commands:
+#
+#   - open <COUNT> <HOST> <PORT>
+#
+#     Opens <COUNT> TCP connections to <HOST>:<PORT> and keeps them open.
+#     <HOST> must be an IP address (IPv4 or IPv6).
+#
+#   - close <COUNT>
+#
+#     Close the oldest <COUNT> previously established connections.
+#
+############################################################################
+
+from __future__ import print_function
+
+import datetime
+import errno
+import os
+import select
+import signal
+import socket
+import sys
+import time
+
+
+# Timeout for establishing all connections requested by a single 'open' command.
+OPEN_TIMEOUT = 2
+VERSION_QUERY = b"\x00\x1e\xaf\xb8\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07version\x04bind\x00\x00\x10\x00\x03"
+
+
+def log(msg):
+    print(datetime.datetime.now().strftime("%d-%b-%Y %H:%M:%S.%f ") + msg)
+
+
+def open_connections(active_conns, count, host, port):
+    queued = []
+    errors = []
+
+    try:
+        socket.inet_aton(host)
+        family = socket.AF_INET
+    except socket.error:
+        family = socket.AF_INET6
+
+    log("Opening %d connections..." % count)
+
+    for _ in range(count):
+        sock = socket.socket(family, socket.SOCK_STREAM)
+        sock.setblocking(0)
+        err = sock.connect_ex((host, port))
+        if err not in (0, errno.EINPROGRESS):
+            log("%s on connect for socket %s" % (errno.errorcode[err], sock))
+            errors.append(sock)
+        else:
+            queued.append(sock)
+
+    start = time.time()
+    while queued:
+        now = time.time()
+        time_left = OPEN_TIMEOUT - (now - start)
+        if time_left <= 0:
+            break
+        _, wsocks, _ = select.select([], queued, [], time_left)
+        for sock in wsocks:
+            queued.remove(sock)
+            err = sock.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR)
+            if err:
+                log("%s for socket %s" % (errno.errorcode[err], sock))
+                errors.append(sock)
+            else:
+                sock.send(VERSION_QUERY)
+                active_conns.append(sock)
+
+    if errors:
+        log("result=FAIL: %d connection(s) failed" % len(errors))
+    elif queued:
+        log("result=FAIL: Timed out, aborting %d pending connections" % len(queued))
+        for sock in queued:
+            sock.close()
+    else:
+        log("result=OK: Successfully opened %d connections" % count)
+
+
+def close_connections(active_conns, count):
+    log("Closing %s connections..." % "all" if count == 0 else str(count))
+    if count == 0:
+        count = len(active_conns)
+    for _ in range(count):
+        sock = active_conns.pop(0)
+        sock.close()
+    log("result=OK: Successfully closed %d connections" % count)
+
+
+def sigterm(*_):
+    log("SIGTERM received, shutting down")
+    os.remove("ans.pid")
+    sys.exit(0)
+
+
+def main():
+    active_conns = []
+
+    signal.signal(signal.SIGTERM, sigterm)
+
+    with open("ans.pid", "w") as pidfile:
+        print(os.getpid(), file=pidfile)
+
+    listenip = "10.53.0.6"
+    try:
+        port = int(os.environ["CONTROLPORT"])
+    except KeyError:
+        port = 5309
+
+    log("Listening on %s:%d" % (listenip, port))
+
+    ctlsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    ctlsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+    ctlsock.bind((listenip, port))
+    ctlsock.listen(1)
+
+    while True:
+        (clientsock, _) = ctlsock.accept()
+        log("Accepted control connection from %s" % clientsock)
+        cmdline = clientsock.recv(512).decode("ascii").strip()
+        if cmdline:
+            log("Received command: %s" % cmdline)
+            cmd = cmdline.split()
+            if cmd[0] == "open":
+                count, host, port = cmd[1:]
+                open_connections(active_conns, int(count), host, int(port))
+            elif cmd[0] == "close":
+                (count,) = cmd[1:]
+                close_connections(active_conns, int(count))
+            else:
+                log("result=FAIL: Unknown command")
+        clientsock.close()
+
+
+if __name__ == "__main__":
+    main()
diff --git a/bin/tests/system/tcp/clean.sh b/bin/tests/system/tcp/clean.sh
new file mode 100644
index 0000000..ae4cb25
--- /dev/null
+++ b/bin/tests/system/tcp/clean.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f ans6/ans.run*
+rm -f dig.out*
+rm -f rndc.out*
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind*
+rm -f ns*/named.memstats
+rm -f ns*/named.run
+rm -f ns*/named.conf
+rm -f ns*/named.stats*
diff --git a/bin/tests/system/tcp/ns1/named.conf.in b/bin/tests/system/tcp/ns1/named.conf.in
new file mode 100644
index 0000000..24c8746
--- /dev/null
+++ b/bin/tests/system/tcp/ns1/named.conf.in
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	statistics-file "named.stats";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
diff --git a/bin/tests/system/tcp/ns1/root.db b/bin/tests/system/tcp/ns1/root.db
new file mode 100644
index 0000000..17780d1
--- /dev/null
+++ b/bin/tests/system/tcp/ns1/root.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. 			IN SOA	gson.nominum.com. a.root.servers.nil. (
+				2000042100   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+
+example.		NS	ns2.example.
+ns2.example.		A	10.53.0.2
diff --git a/bin/tests/system/tcp/ns2/example.db b/bin/tests/system/tcp/ns2/example.db
new file mode 100644
index 0000000..4d60ce3
--- /dev/null
+++ b/bin/tests/system/tcp/ns2/example.db
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300	; 5 minutes
+example			IN SOA	mname1. . (
+				1          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+example.		NS	ns2.example.
+ns2.example.		A	10.53.0.2
+
+$ORIGIN example.
+a			A	10.0.0.1
+			MX	10 mail.example.
+
+mail			A	10.0.0.2
diff --git a/bin/tests/system/tcp/ns2/named.conf.in b/bin/tests/system/tcp/ns2/named.conf.in
new file mode 100644
index 0000000..5737800
--- /dev/null
+++ b/bin/tests/system/tcp/ns2/named.conf.in
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+	statistics-file "named.stats";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+	allow-update { any; };
+};
diff --git a/bin/tests/system/tcp/ns3/named.conf.in b/bin/tests/system/tcp/ns3/named.conf.in
new file mode 100644
index 0000000..5b3b982
--- /dev/null
+++ b/bin/tests/system/tcp/ns3/named.conf.in
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	directory ".";
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+};
+
+server 10.53.0.1 { tcp-only yes; };
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
diff --git a/bin/tests/system/tcp/ns4/named.conf.in b/bin/tests/system/tcp/ns4/named.conf.in
new file mode 100644
index 0000000..a7a0546
--- /dev/null
+++ b/bin/tests/system/tcp/ns4/named.conf.in
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port @PORT@;
+	directory ".";
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+	forwarders { 10.53.0.2; };
+	forward only;
+};
+
+server 10.53.0.2 { tcp-only yes; };
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
diff --git a/bin/tests/system/tcp/ns5/named.conf.in b/bin/tests/system/tcp/ns5/named.conf.in
new file mode 100644
index 0000000..7827d9d
--- /dev/null
+++ b/bin/tests/system/tcp/ns5/named.conf.in
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS5
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+
+options {
+	query-source address 10.53.0.5;
+	notify-source 10.53.0.5;
+	transfer-source 10.53.0.5;
+	port @PORT@;
+	directory ".";
+	pid-file "named.pid";
+	listen-on { 10.53.0.5; };
+	listen-on-v6 { none; };
+        tcp-listen-queue 32;
+	recursion yes;
+	notify yes;
+        tcp-clients 17;
+	dnssec-validation no;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
diff --git a/bin/tests/system/tcp/ns7/named.conf.in b/bin/tests/system/tcp/ns7/named.conf.in
new file mode 100644
index 0000000..bf434d9
--- /dev/null
+++ b/bin/tests/system/tcp/ns7/named.conf.in
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.7;
+	notify-source 10.53.0.7;
+	transfer-source 10.53.0.7;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.7; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	statistics-file "named.stats";
+	tcp-clients 1;
+	keep-response-order { any; };
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
diff --git a/bin/tests/system/tcp/ns7/named.dropedns b/bin/tests/system/tcp/ns7/named.dropedns
new file mode 100644
index 0000000..37dd9cf
--- /dev/null
+++ b/bin/tests/system/tcp/ns7/named.dropedns
@@ -0,0 +1 @@
+dropedns
diff --git a/bin/tests/system/tcp/ns7/root.db b/bin/tests/system/tcp/ns7/root.db
new file mode 100644
index 0000000..bb31741
--- /dev/null
+++ b/bin/tests/system/tcp/ns7/root.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. 			IN SOA	gson.nominum.com. a.root.servers.nil. (
+				2000042100   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.7
+
+example.		NS	ns2.example.
+ns2.example.		A	10.53.0.2
diff --git a/bin/tests/system/tcp/prereq.sh b/bin/tests/system/tcp/prereq.sh
new file mode 100644
index 0000000..51e8c66
--- /dev/null
+++ b/bin/tests/system/tcp/prereq.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if ! test -n "$PYTHON"; then
+	echo_i "This test requires Python."
+	exit 1
+fi
+
diff --git a/bin/tests/system/tcp/setup.sh b/bin/tests/system/tcp/setup.sh
new file mode 100644
index 0000000..70aee8c
--- /dev/null
+++ b/bin/tests/system/tcp/setup.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+copy_setports ns7/named.conf.in ns7/named.conf
diff --git a/bin/tests/system/tcp/tests.sh b/bin/tests/system/tcp/tests.sh
new file mode 100644
index 0000000..a24a199
--- /dev/null
+++ b/bin/tests/system/tcp/tests.sh
@@ -0,0 +1,204 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+SYSTEMTESTTOP=..
+# shellcheck source=../conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+dig_with_opts() {
+	"${DIG}" -p "${PORT}" "$@"
+}
+
+rndccmd() {
+	"${RNDC}" -p "${CONTROLPORT}" -c ../common/rndc.conf -s "$@"
+}
+
+status=0
+n=0
+
+n=$((n + 1))
+echo_i "initializing TCP statistics ($n)"
+ret=0
+rndccmd 10.53.0.1 stats || ret=1
+rndccmd 10.53.0.2 stats || ret=1
+mv ns1/named.stats ns1/named.stats.test$n
+mv ns2/named.stats ns2/named.stats.test$n
+ntcp10="$(grep "TCP requests received" ns1/named.stats.test$n | tail -1 | awk '{print $1}')"
+ntcp20="$(grep "TCP requests received" ns2/named.stats.test$n | tail -1 | awk '{print $1}')"
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking TCP request statistics (resolver) ($n)"
+ret=0
+dig_with_opts @10.53.0.3 txt.example. > dig.out.test$n
+sleep 1
+rndccmd 10.53.0.1 stats || ret=1
+rndccmd 10.53.0.2 stats || ret=1
+mv ns1/named.stats ns1/named.stats.test$n
+mv ns2/named.stats ns2/named.stats.test$n
+ntcp11="$(grep "TCP requests received" ns1/named.stats.test$n | tail -1 | awk '{print $1}')"
+ntcp21="$(grep "TCP requests received" ns2/named.stats.test$n | tail -1 | awk '{print $1}')"
+if [ "$ntcp10" -ge "$ntcp11" ]; then ret=1; fi
+if [ "$ntcp20" -ne "$ntcp21" ]; then ret=1; fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking TCP request statistics (forwarder) ($n)"
+ret=0
+dig_with_opts @10.53.0.4 txt.example. > dig.out.test$n
+sleep 1
+rndccmd 10.53.0.1 stats || ret=1
+rndccmd 10.53.0.2 stats || ret=1
+mv ns1/named.stats ns1/named.stats.test$n
+mv ns2/named.stats ns2/named.stats.test$n
+ntcp12="$(grep "TCP requests received" ns1/named.stats.test$n | tail -1 | awk '{print $1}')"
+ntcp22="$(grep "TCP requests received" ns2/named.stats.test$n | tail -1 | awk '{print $1}')"
+if [ "$ntcp11" -ne "$ntcp12" ]; then ret=1; fi
+if [ "$ntcp21" -ge "$ntcp22" ];then ret=1; fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+# -------- TCP high-water tests ----------
+refresh_tcp_stats() {
+	rndccmd 10.53.0.5 status > rndc.out.$n || ret=1
+	TCP_CUR="$(sed -n "s/^tcp clients: \([0-9][0-9]*\).*/\1/p" rndc.out.$n)"
+	TCP_LIMIT="$(sed -n "s/^tcp clients: .*\/\([0-9][0-9]*\)/\1/p" rndc.out.$n)"
+	TCP_HIGH="$(sed -n "s/^TCP high-water: \([0-9][0-9]*\)/\1/p" rndc.out.$n)"
+}
+
+# Send a command to the tool script listening on 10.53.0.6.
+send_command() {
+	nextpart ans6/ans.run > /dev/null
+	echo "$*" | "${PERL}" "${SYSTEMTESTTOP}/send.pl" 10.53.0.6 "${CONTROLPORT}"
+	wait_for_log_peek 10 "result=" ans6/ans.run || ret=1
+	if ! nextpartpeek ans6/ans.run | grep -qF "result=OK"; then
+		return 1
+	fi
+}
+
+# Instructs ans6 to open $1 TCP connections to 10.53.0.5.
+open_connections() {
+	send_command "open" "${1}" 10.53.0.5 "${PORT}" || return 1
+}
+
+# Instructs ans6 to close $1 TCP connections to 10.53.0.5.
+close_connections() {
+	send_command "close" "${1}" || return 1
+}
+
+# Check TCP connections are working normally before opening
+# multiple connections
+n=$((n + 1))
+echo_i "checking TCP query repsonse ($n)"
+ret=0
+dig_with_opts +tcp @10.53.0.5 txt.example > dig.out.test$n
+grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+# Check TCP statistics after server startup before using them as a baseline for
+# subsequent checks.
+n=$((n + 1))
+echo_i "TCP high-water: check initial statistics ($n)"
+ret=0
+refresh_tcp_stats
+assert_int_equal "${TCP_CUR}" 0 "current TCP clients count" || ret=1
+# We compare initial tcp-highwater value with 1 because as part of the
+# system test startup, the script start.pl executes dig to check if target
+# named is running, and that increments tcp-quota by one.
+assert_int_equal "${TCP_HIGH}" 1 "tcp-highwater count" || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+# Ensure the TCP high-water statistic gets updated after some TCP connections
+# are established.
+n=$((n + 1))
+echo_i "TCP high-water: check value after some TCP connections are established ($n)"
+ret=0
+OLD_TCP_CUR="${TCP_CUR}"
+TCP_ADDED=9
+open_connections "${TCP_ADDED}" || ret=1
+check_stats_added() {
+	refresh_tcp_stats
+	assert_int_equal "${TCP_CUR}" $((OLD_TCP_CUR + TCP_ADDED)) "current TCP clients count" || return 1
+	assert_int_equal "${TCP_HIGH}" $((OLD_TCP_CUR + TCP_ADDED)) "TCP high-water value" || return 1
+}
+retry 2 check_stats_added || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+# Ensure the TCP high-water statistic remains unchanged after some TCP
+# connections are closed.
+n=$((n + 1))
+echo_i "TCP high-water: check value after some TCP connections are closed ($n)"
+ret=0
+OLD_TCP_CUR="${TCP_CUR}"
+OLD_TCP_HIGH="${TCP_HIGH}"
+TCP_REMOVED=5
+close_connections "${TCP_REMOVED}" || ret=1
+check_stats_removed() {
+	refresh_tcp_stats
+	assert_int_equal "${TCP_CUR}" $((OLD_TCP_CUR - TCP_REMOVED)) "current TCP clients count" || return 1
+	assert_int_equal "${TCP_HIGH}" "${OLD_TCP_HIGH}" "TCP high-water value" || return 1
+}
+retry 2 check_stats_removed || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+# Ensure the TCP high-water statistic never exceeds the configured TCP clients
+# limit.
+n=$((n + 1))
+echo_i "TCP high-water: ensure tcp-clients is an upper bound ($n)"
+ret=0
+open_connections $((TCP_LIMIT + 1)) || ret=1
+check_stats_limit() {
+	refresh_tcp_stats
+	assert_int_equal "${TCP_CUR}" "${TCP_LIMIT}" "current TCP clients count" || return 1
+	assert_int_equal "${TCP_HIGH}" "${TCP_LIMIT}" "TCP high-water value" || return 1
+}
+retry 2 check_stats_limit || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+# Check TCP connections are working normally before opening
+# multiple connections
+n=$((n + 1))
+echo_i "checking TCP response recovery ($n)"
+ret=0
+# "0" closes all connections
+close_connections 0 || ret=1
+dig_with_opts +tcp @10.53.0.5 txt.example > dig.out.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+####################################################
+# NOTE: The next test resets the debug level to 1. #
+####################################################
+
+n=$((n + 1))
+echo_i "checking that BIND 9 doesn't crash on long TCP messages ($n)"
+ret=0
+# Avoid logging useless information.
+rndccmd 10.53.0.1 trace 1 || ret=1
+{ $PERL ../packet.pl -a "10.53.0.1" -p "${PORT}" -t tcp -r 300000 1996-alloc_dnsbuf-crash-test.pkt || ret=1 ; } | cat_i
+dig_with_opts +tcp @10.53.0.1 txt.example > dig.out.test$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/tcp/tests_tcp.py b/bin/tests/system/tcp/tests_tcp.py
new file mode 100644
index 0000000..3a0a7ae
--- /dev/null
+++ b/bin/tests/system/tcp/tests_tcp.py
@@ -0,0 +1,70 @@
+#!/usr/bin/python3
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# pylint: disable=unused-variable
+
+import socket
+import time
+
+import pytest
+
+pytest.importorskip("dns", minversion="2.0.0")
+import dns.message
+import dns.query
+
+TIMEOUT = 10
+
+
+def create_msg(qname, qtype, edns=-1):
+    msg = dns.message.make_query(qname, qtype, use_edns=edns)
+    return msg
+
+
+def timeout():
+    return time.time() + TIMEOUT
+
+
+def create_socket(host, port):
+    sock = socket.create_connection((host, port), timeout=10)
+    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, True)
+    return sock
+
+
+# Regression test for CVE-2022-0396
+def test_close_wait(named_port):
+    with create_socket("10.53.0.7", named_port) as sock:
+        msg = create_msg("a.example.", "A")
+        (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout())
+        (response, rtime) = dns.query.receive_tcp(sock, timeout())
+
+        msg = dns.message.make_query("a.example.", "A", use_edns=0, payload=1232)
+        (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout())
+
+        # Shutdown the socket, but ignore the other side closing the socket
+        # first because we sent DNS message with EDNS0
+        try:
+            sock.shutdown(socket.SHUT_RDWR)
+        except ConnectionError:
+            pass
+        except OSError:
+            pass
+
+    # BIND allows one TCP client, the part above sends DNS messaage with EDNS0
+    # after the first query. BIND should react adequately because of
+    # ns7/named.dropedns and close the socket, making room for the next
+    # request. If it gets stuck in CLOSE_WAIT state, there is no connection
+    # available for the query below and it will time out.
+    with create_socket("10.53.0.7", named_port) as sock:
+        msg = create_msg("a.example.", "A")
+        (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout())
+        (response, rtime) = dns.query.receive_tcp(sock, timeout())
diff --git a/bin/tests/system/testcrypto.sh b/bin/tests/system/testcrypto.sh
new file mode 100755
index 0000000..020aa9a
--- /dev/null
+++ b/bin/tests/system/testcrypto.sh
@@ -0,0 +1,98 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=${SYSTEMTESTTOP:=..}
+prog=$0
+args=""
+quiet=0
+dir=""
+msg="cryptography"
+
+if test -z "$KEYGEN"; then
+    . $SYSTEMTESTTOP/conf.sh
+    alg="-a $DEFAULT_ALGORITHM -b $DEFAULT_BITS"
+else
+    alg=""
+    quiet=1
+    args="-q"
+fi
+
+while test "$#" -gt 0; do
+    case $1 in
+    -q)
+        if test $quiet -eq 0; then
+            args="$args -q"
+            quiet=1
+        fi
+        ;;
+    rsa|RSA|rsasha1|RSASHA1)
+        alg="-a RSASHA1"
+        msg="RSA cryptography"
+        ;;
+    rsasha256|RSASHA256)
+        alg="-a RSASHA256"
+        msg="RSA cryptography"
+        ;;
+    rsasha512|RSASHA512)
+        alg="-a RSASHA512"
+        msg="RSA cryptography"
+        ;;
+    ecdsa|ECDSA|ecdsap256sha256|ECDSAP256SHA256)
+        alg="-a ECDSAP256SHA256"
+        msg="ECDSA cryptography"
+        ;;
+    ecdsap384sha384|ECDSAP384SHA384)
+        alg="-a ECDSAP384SHA384"
+        msg="ECDSA cryptography"
+        ;;
+    eddsa|EDDSA|ed25519|ED25519)
+        alg="-a ED25519"
+        msg="EDDSA cryptography"
+        ;;
+    ed448|ED448)
+        alg="-a ED448"
+        msg="EDDSA cryptography"
+        ;;
+    *)
+        echo "${prog}: unknown argument"
+        exit 1
+        ;;
+    esac
+    shift
+done
+
+if test -z "$alg"; then
+    echo "${prog}: no algorithm selected"
+    exit 1
+fi
+
+if test -n "$TMPDIR"; then
+    dir=$(mktemp -d "$TMPDIR/XXXXXX")
+    args="$args -K $dir"
+fi
+
+if $KEYGEN $args $alg foo > /dev/null 2>&1
+then
+    if test -z "$dir"; then
+        rm -f Kfoo*
+    else
+        rm -rf "$dir"
+    fi
+else
+    if test $quiet -eq 0; then
+        echo_i "This test requires support for $msg" >&2
+        echo_i "configure with --with-openssl, or --enable-native-pkcs11" \
+            "--with-pkcs11" >&2
+    fi
+    exit 255
+fi
diff --git a/bin/tests/system/testsock.pl b/bin/tests/system/testsock.pl
new file mode 100755
index 0000000..e9448ed
--- /dev/null
+++ b/bin/tests/system/testsock.pl
@@ -0,0 +1,44 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# Test whether the interfaces on 10.53.0.* are up.
+
+require 5.001;
+
+use Socket;
+use Getopt::Long;
+
+my $port = 0;
+my $id = 0;
+GetOptions("p=i" => \$port,
+           "i=i" => \$id);
+
+my @ids;
+if ($id != 0) {
+	@ids = ($id);
+} else {
+	@ids = (1..8);
+}
+
+foreach $id (@ids) {
+        my $addr = pack("C4", 10, 53, 0, $id);
+	my $sa = pack_sockaddr_in($port, $addr);
+	socket(SOCK, PF_INET, SOCK_STREAM, getprotobyname("tcp"))
+      		or die "$0: socket: $!\n";
+	setsockopt(SOCK, SOL_SOCKET, SO_REUSEADDR, pack("l", 1));
+
+	bind(SOCK, $sa)
+	    	or die sprintf("$0: bind(%s, %d): $!\n",
+			       inet_ntoa($addr), $port);
+	close(SOCK);
+}
diff --git a/bin/tests/system/testsock6.pl b/bin/tests/system/testsock6.pl
new file mode 100644
index 0000000..5903684
--- /dev/null
+++ b/bin/tests/system/testsock6.pl
@@ -0,0 +1,25 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+require 5.001;
+
+use IO::Socket::INET6;
+
+foreach $addr (@ARGV) {
+	my $sock;
+	$sock = IO::Socket::INET6->new(LocalAddr => $addr,
+                                       LocalPort => 0,
+                                       Proto     => tcp)
+                             or die "Can't bind : $@\n";
+	close($sock);
+}
diff --git a/bin/tests/system/testsummary.sh b/bin/tests/system/testsummary.sh
new file mode 100644
index 0000000..97b2716
--- /dev/null
+++ b/bin/tests/system/testsummary.sh
@@ -0,0 +1,86 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# Creates the system tests output file from the various test.output.* files.  It
+# then searches that file and prints the number of tests passed, failed, not
+# run.  It also checks whether the IP addresses 10.53.0.[1-8] were set up and,
+# if not, prints a warning.
+#
+# Usage:
+#    testsummary.sh [-n]
+#
+# -n	Do NOT delete the individual test.output.* files after concatenating
+#	them into systests.output.
+#
+# Status return:
+# 0 - no tests failed
+# 1 - one or more tests failed
+
+SYSTEMTESTTOP=.
+. $SYSTEMTESTTOP/conf.sh
+
+keepfile=0
+
+while getopts "n" flag; do
+    case $flag in
+	n) keepfile=1 ;;
+    esac
+done
+
+if [ `ls test.output.* 2> /dev/null | wc -l` -eq 0 ]; then
+    echowarn "I:No 'test.output.*' files were found."
+    echowarn "I:Printing summary from pre-existing 'systests.output'."
+else
+    cat test.output.* > systests.output
+    if [ $keepfile -eq 0 ]; then
+        rm -f test.output.*
+    fi
+fi
+
+status=0
+echoinfo "I:System test result summary:"
+echoinfo "`grep 'R:[a-z0-9_-][a-z0-9_-]*:[A-Z][A-Z]*' systests.output | cut -d':' -f3 | sort | uniq -c | sed -e 's/^/I:/'`"
+
+FAILED_TESTS=`grep 'R:[a-z0-9_-][a-z0-9_-]*:FAIL' systests.output | cut -d':' -f2 | sort | sed -e 's/^/I:      /'`
+if [ -n "${FAILED_TESTS}" ]; then
+	echoinfo "I:The following system tests failed:"
+	echoinfo "${FAILED_TESTS}"
+	status=1
+fi
+
+CRASHED_TESTS=$(find . \( -name 'core' -or -name 'core.*' -or -name '*.core' \) ! -name '*.txt' | cut -d'/' -f2 | sort -u | sed -e 's/^/I:      /')
+if [ -n "${CRASHED_TESTS}" ]; then
+	echoinfo "I:Core dumps were found for the following system tests:"
+	echoinfo "${CRASHED_TESTS}"
+fi
+
+ASSERTION_FAILED_TESTS=`find . -name named.run | xargs grep "assertion failure" | cut -d'/' -f2 | sort -u | sed -e 's/^/I:      /'`
+if [ -n "${ASSERTION_FAILED_TESTS}" ]; then
+	echoinfo "I:Assertion failures were detected for the following system tests:"
+	echoinfo "${ASSERTION_FAILED_TESTS}"
+fi
+
+TSAN_REPORT_TESTS=`find . -name 'tsan.*' | cut -d'/' -f2 | sort -u | sed -e 's/^/I:      /'`
+if [ -n "${TSAN_REPORT_TESTS}" ]; then
+	echoinfo "I:ThreadSanitizer reported issues for the following system tests:"
+	echoinfo "${TSAN_REPORT_TESTS}"
+fi
+
+RESULTS_FOUND=`grep -c 'R:[a-z0-9_-][a-z0-9_-]*:[A-Z][A-Z]*' systests.output`
+TESTS_RUN=`echo "${SUBDIRS}" | wc -w`
+if [ "${RESULTS_FOUND}" -ne "${TESTS_RUN}" ]; then
+	echofail "I:Found ${RESULTS_FOUND} test results, but ${TESTS_RUN} tests were run"
+	status=1
+fi
+
+exit $status
diff --git a/bin/tests/system/timeouts/clean.sh b/bin/tests/system/timeouts/clean.sh
new file mode 100644
index 0000000..0da8a9c
--- /dev/null
+++ b/bin/tests/system/timeouts/clean.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f ./ns*/managed-keys.bind*
+rm -f ./ns*/named.conf
+rm -f ./ns*/named.lock
+rm -f ./ns*/named.memstats
+rm -f ./ns*/named.run*
+rm -f ./ns*/named.stats
+rm -rf ./__pycache__
+rm -f ./ns*/large.db
diff --git a/bin/tests/system/timeouts/ns1/example.db b/bin/tests/system/timeouts/ns1/example.db
new file mode 100644
index 0000000..cb321ff
--- /dev/null
+++ b/bin/tests/system/timeouts/ns1/example.db
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			SOA	mname1. . (
+				2000062101 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns1
+ns1			A	10.53.0.1
+@			A	10.53.0.1
+a			A	10.53.0.1
+b			A	10.53.0.1
+$INCLUDE large.db
diff --git a/bin/tests/system/timeouts/ns1/named.args b/bin/tests/system/timeouts/ns1/named.args
new file mode 100644
index 0000000..2df2be2
--- /dev/null
+++ b/bin/tests/system/timeouts/ns1/named.args
@@ -0,0 +1 @@
+-m record,size,mctx -c named.conf -d 1 -D timeouts-ns1 -X named.lock -g -T maxcachesize=2097152
diff --git a/bin/tests/system/timeouts/ns1/named.conf.in b/bin/tests/system/timeouts/ns1/named.conf.in
new file mode 100644
index 0000000..4b422e2
--- /dev/null
+++ b/bin/tests/system/timeouts/ns1/named.conf.in
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify no;
+	tcp-initial-timeout 20;
+	tcp-idle-timeout 50;
+	tcp-keepalive-timeout 70;
+	max-transfer-time-out 5; /* minutes */
+	max-transfer-idle-out 1; /* minutes */
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
+
+zone "example." {
+	type primary;
+	file "example.db";
+	check-integrity no;
+};
diff --git a/bin/tests/system/timeouts/ns1/root.db b/bin/tests/system/timeouts/ns1/root.db
new file mode 100644
index 0000000..cb48acd
--- /dev/null
+++ b/bin/tests/system/timeouts/ns1/root.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+.			IN SOA	gson.isc.org. a.root.servers.nil. (
+				2000042100   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+
+example.		NS	ns1.example.
+ns1.example.		A	10.53.0.1
diff --git a/bin/tests/system/timeouts/prereq.sh b/bin/tests/system/timeouts/prereq.sh
new file mode 100644
index 0000000..2204695
--- /dev/null
+++ b/bin/tests/system/timeouts/prereq.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if test -n "$PYTHON"
+then
+    if [ "$($PYTHON -c "import dns.version; print(dns.version.MAJOR)" 2> /dev/null)" -ge 2 ]
+    then
+        :
+    else
+        echo_i "This test requires the dnspython >= 2.0.0 module." >&2
+        exit 1
+    fi
+else
+    echo_i "This test requires Python and the dnspython module." >&2
+    exit 1
+fi
+
+exit 0
diff --git a/bin/tests/system/timeouts/setup.sh b/bin/tests/system/timeouts/setup.sh
new file mode 100644
index 0000000..65bb057
--- /dev/null
+++ b/bin/tests/system/timeouts/setup.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+
+#
+# Generate a large enough zone, so the transfer takes longer than
+# tcp-initial-timeout interval
+#
+$PYTHON -c "
+from __future__ import print_function
+print('large IN TXT', end=' ')
+for a in range(128):
+    print('\"%s\"' % ('A' * 240), end=' ')
+print('')
+
+for a in range(150000):
+    print('%s IN NS a' % (a))
+    print('%s IN NS b' % (a))" > ns1/large.db
diff --git a/bin/tests/system/timeouts/tests_tcp_timeouts.py b/bin/tests/system/timeouts/tests_tcp_timeouts.py
new file mode 100644
index 0000000..d3ee357
--- /dev/null
+++ b/bin/tests/system/timeouts/tests_tcp_timeouts.py
@@ -0,0 +1,284 @@
+#!/usr/bin/python3
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# pylint: disable=unused-variable
+
+import socket
+import time
+
+import pytest
+
+pytest.importorskip("dns", minversion="2.0.0")
+import dns.edns
+import dns.message
+import dns.name
+import dns.query
+import dns.rdataclass
+import dns.rdatatype
+
+import pytest_custom_markers  # pylint: disable=import-error
+
+
+TIMEOUT = 10
+
+
+def create_msg(qname, qtype):
+    msg = dns.message.make_query(
+        qname, qtype, want_dnssec=True, use_edns=0, payload=4096
+    )
+    return msg
+
+
+def timeout():
+    return time.time() + TIMEOUT
+
+
+def test_initial_timeout(named_port):
+    #
+    # The initial timeout is 2.5 seconds, so this should timeout
+    #
+    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
+        sock.connect(("10.53.0.1", named_port))
+
+        time.sleep(3)
+
+        msg = create_msg("example.", "A")
+
+        with pytest.raises(EOFError):
+            try:
+                (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout())
+                (response, rtime) = dns.query.receive_tcp(sock, timeout())
+            except ConnectionError as e:
+                raise EOFError from e
+
+
+def test_idle_timeout(named_port):
+    #
+    # The idle timeout is 5 seconds, so the third message should fail
+    #
+    msg = create_msg("example.", "A")
+    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
+        sock.connect(("10.53.0.1", named_port))
+
+        time.sleep(1)
+
+        (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout())
+        (response, rtime) = dns.query.receive_tcp(sock, timeout())
+
+        time.sleep(2)
+
+        (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout())
+        (response, rtime) = dns.query.receive_tcp(sock, timeout())
+
+        time.sleep(6)
+
+        with pytest.raises(EOFError):
+            try:
+                (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout())
+                (response, rtime) = dns.query.receive_tcp(sock, timeout())
+            except ConnectionError as e:
+                raise EOFError from e
+
+
+def test_keepalive_timeout(named_port):
+    #
+    # Keepalive is 7 seconds, so the third message should succeed.
+    #
+    msg = create_msg("example.", "A")
+    kopt = dns.edns.GenericOption(11, b"\x00")
+    msg.use_edns(edns=True, payload=4096, options=[kopt])
+
+    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
+        sock.connect(("10.53.0.1", named_port))
+
+        time.sleep(1)
+
+        (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout())
+        (response, rtime) = dns.query.receive_tcp(sock, timeout())
+
+        time.sleep(2)
+
+        (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout())
+        (response, rtime) = dns.query.receive_tcp(sock, timeout())
+
+        time.sleep(6)
+
+        (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout())
+        (response, rtime) = dns.query.receive_tcp(sock, timeout())
+
+
+def test_pipelining_timeout(named_port):
+    #
+    # The pipelining should only timeout after the last message is received
+    #
+    msg = create_msg("example.", "A")
+    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
+        sock.connect(("10.53.0.1", named_port))
+
+        time.sleep(1)
+
+        # Send and receive 25 DNS queries
+        for n in range(25):
+            (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout())
+        for n in range(25):
+            (response, rtime) = dns.query.receive_tcp(sock, timeout())
+
+        time.sleep(3)
+
+        # Send and receive 25 DNS queries
+        for n in range(25):
+            (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout())
+        for n in range(25):
+            (response, rtime) = dns.query.receive_tcp(sock, timeout())
+
+        time.sleep(6)
+
+        with pytest.raises(EOFError):
+            try:
+                (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout())
+                (response, rtime) = dns.query.receive_tcp(sock, timeout())
+            except ConnectionError as e:
+                raise EOFError from e
+
+
+def test_long_axfr(named_port):
+    #
+    # The timers should not fire during AXFR, thus the connection should not
+    # close abruptly
+    #
+    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
+        sock.connect(("10.53.0.1", named_port))
+
+        name = dns.name.from_text("example.")
+        msg = create_msg("example.", "AXFR")
+        (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout())
+
+        # Receive the initial DNS message with SOA
+        (response, rtime) = dns.query.receive_tcp(
+            sock, timeout(), one_rr_per_rrset=True
+        )
+        soa = response.get_rrset(
+            dns.message.ANSWER, name, dns.rdataclass.IN, dns.rdatatype.SOA
+        )
+        assert soa is not None
+
+        # Pull DNS message from wire until the second SOA is received
+        while True:
+            (response, rtime) = dns.query.receive_tcp(
+                sock, timeout(), one_rr_per_rrset=True
+            )
+            soa = response.get_rrset(
+                dns.message.ANSWER, name, dns.rdataclass.IN, dns.rdatatype.SOA
+            )
+            if soa is not None:
+                break
+        assert soa is not None
+
+
+# This test relies on the maximum socket send buffer size (wmem_max) being set
+# to 212992 bytes (the typical default value on Linux systems).  Environments
+# that use a different value for this setting (for example, FreeBSD defaults to
+# 32768 bytes) may need their system-level settings to be tweaked in order for
+# this test to pass.
+@pytest_custom_markers.flaky(max_runs=3)
+def test_send_timeout(named_port):
+    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
+        sock.connect(("10.53.0.1", named_port))
+
+        # Send and receive single large RDATA over TCP
+        msg = create_msg("large.example.", "TXT")
+        (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout())
+        (response, rtime) = dns.query.receive_tcp(sock, timeout())
+
+        # Send and receive 28 large (~32k) DNS queries that should
+        # fill the default maximum 208k TCP send buffer
+        for n in range(28):
+            (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout())
+
+        # configure idle interval is 5 seconds, sleep 6 to make sure we are
+        # above the interval
+        time.sleep(6)
+
+        with pytest.raises(EOFError):
+            try:
+                (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout())
+                (response, rtime) = dns.query.receive_tcp(sock, timeout())
+            except ConnectionError as e:
+                raise EOFError from e
+
+
+@pytest_custom_markers.long_test
+def test_max_transfer_idle_out(named_port):
+    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
+        sock.connect(("10.53.0.1", named_port))
+
+        name = dns.name.from_text("example.")
+        msg = create_msg("example.", "AXFR")
+        (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout())
+
+        # Receive the initial DNS message with SOA
+        (response, rtime) = dns.query.receive_tcp(
+            sock, timeout(), one_rr_per_rrset=True
+        )
+        soa = response.get_rrset(
+            dns.message.ANSWER, name, dns.rdataclass.IN, dns.rdatatype.SOA
+        )
+        assert soa is not None
+
+        time.sleep(61)  # max-transfer-idle-out is 1 minute
+
+        with pytest.raises(ConnectionResetError):
+            # Process queued TCP messages
+            while True:
+                (response, rtime) = dns.query.receive_tcp(
+                    sock, timeout(), one_rr_per_rrset=True
+                )
+                soa = response.get_rrset(
+                    dns.message.ANSWER, name, dns.rdataclass.IN, dns.rdatatype.SOA
+                )
+                if soa is not None:
+                    break
+            assert soa is None
+
+
+@pytest_custom_markers.long_test
+def test_max_transfer_time_out(named_port):
+    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
+        sock.connect(("10.53.0.1", named_port))
+
+        name = dns.name.from_text("example.")
+        msg = create_msg("example.", "AXFR")
+        (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout())
+
+        # Receive the initial DNS message with SOA
+        (response, rtime) = dns.query.receive_tcp(
+            sock, timeout(), one_rr_per_rrset=True
+        )
+        soa = response.get_rrset(
+            dns.message.ANSWER, name, dns.rdataclass.IN, dns.rdatatype.SOA
+        )
+        assert soa is not None
+
+        # The loop should timeout at the 5 minutes (max-transfer-time-out)
+        with pytest.raises(EOFError):
+            while True:
+                time.sleep(1)
+                (response, rtime) = dns.query.receive_tcp(
+                    sock, timeout(), one_rr_per_rrset=True
+                )
+                soa = response.get_rrset(
+                    dns.message.ANSWER, name, dns.rdataclass.IN, dns.rdatatype.SOA
+                )
+                if soa is not None:
+                    break
+        assert soa is None
diff --git a/bin/tests/system/tkey/Makefile.in b/bin/tests/system/tkey/Makefile.in
new file mode 100644
index 0000000..1e62132
--- /dev/null
+++ b/bin/tests/system/tkey/Makefile.in
@@ -0,0 +1,55 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES} \
+		${OPENSSL_CFLAGS}
+
+CDEFINES =
+CWARNINGS =
+
+DNSLIBS =	../../../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+ISCLIBS =	../../../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+
+DNSDEPLIBS =	../../../../lib/dns/libdns.@A@
+ISCDEPLIBS =	../../../../lib/isc/libisc.@A@
+
+DEPLIBS =	${DNSDEPLIBS} ${ISCDEPLIBS}
+
+LIBS =		${DNSLIBS} ${ISCLIBS} @LIBS@
+
+TARGETS =	keycreate@EXEEXT@ keydelete@EXEEXT@
+
+CREATEOBJS =	keycreate.@O@
+DELETEOBJS =	keydelete.@O@
+
+SRCS =		keycreate.c keydelete.c
+
+@BIND9_MAKE_RULES@
+
+all: keycreate@EXEEXT@ keydelete@EXEEXT@
+
+keycreate@EXEEXT@: ${CREATEOBJS} ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ ${CREATEOBJS} ${LIBS}
+
+keydelete@EXEEXT@: ${DELETEOBJS} ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ ${DELETEOBJS} ${LIBS}
+
+clean distclean::
+	rm -f ${TARGETS}
+
diff --git a/bin/tests/system/tkey/clean.sh b/bin/tests/system/tkey/clean.sh
new file mode 100644
index 0000000..ac54e79
--- /dev/null
+++ b/bin/tests/system/tkey/clean.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f dig.out.* rndc.out.* ns1/named.conf
+rm -f K* ns1/K*
+rm -f */named.memstats
+rm -f */named.run
+rm -f ns1/_default.tsigkeys
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c
new file mode 100644
index 0000000..c62fec1
--- /dev/null
+++ b/bin/tests/system/tkey/keycreate.c
@@ -0,0 +1,301 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/app.h>
+#include <isc/base64.h>
+#include <isc/hash.h>
+#include <isc/log.h>
+#include <isc/managers.h>
+#include <isc/mem.h>
+#include <isc/nonce.h>
+#include <isc/print.h>
+#include <isc/random.h>
+#include <isc/sockaddr.h>
+#include <isc/socket.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <pk11/site.h>
+
+#include <dns/dispatch.h>
+#include <dns/fixedname.h>
+#include <dns/keyvalues.h>
+#include <dns/message.h>
+#include <dns/name.h>
+#include <dns/request.h>
+#include <dns/result.h>
+#include <dns/tkey.h>
+#include <dns/tsig.h>
+#include <dns/view.h>
+
+#include <dst/result.h>
+
+#define CHECK(str, x)                                        \
+	{                                                    \
+		if ((x) != ISC_R_SUCCESS) {                  \
+			fprintf(stderr, "I:%s: %s\n", (str), \
+				isc_result_totext(x));       \
+			exit(-1);                            \
+		}                                            \
+	}
+
+#define RUNCHECK(x) RUNTIME_CHECK((x) == ISC_R_SUCCESS)
+
+#define PORT	5300
+#define TIMEOUT 30
+
+static dst_key_t *ourkey = NULL;
+static isc_mem_t *mctx = NULL;
+static dns_tsigkey_t *tsigkey = NULL, *initialkey = NULL;
+static dns_tsig_keyring_t *ring = NULL;
+static unsigned char noncedata[16];
+static isc_buffer_t nonce;
+static dns_requestmgr_t *requestmgr = NULL;
+static const char *ownername_str = ".";
+
+static void
+recvquery(isc_task_t *task, isc_event_t *event) {
+	dns_requestevent_t *reqev = (dns_requestevent_t *)event;
+	isc_result_t result;
+	dns_message_t *query = NULL, *response = NULL;
+	char keyname[256];
+	isc_buffer_t keynamebuf;
+	int type;
+
+	UNUSED(task);
+
+	REQUIRE(reqev != NULL);
+
+	if (reqev->result != ISC_R_SUCCESS) {
+		fprintf(stderr, "I:request event result: %s\n",
+			isc_result_totext(reqev->result));
+		exit(-1);
+	}
+
+	query = reqev->ev_arg;
+
+	dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &response);
+
+	result = dns_request_getresponse(reqev->request, response,
+					 DNS_MESSAGEPARSE_PRESERVEORDER);
+	CHECK("dns_request_getresponse", result);
+
+	if (response->rcode != dns_rcode_noerror) {
+		result = ISC_RESULTCLASS_DNSRCODE + response->rcode;
+		fprintf(stderr, "I:response rcode: %s\n",
+			isc_result_totext(result));
+		exit(-1);
+	}
+
+	result = dns_tkey_processdhresponse(query, response, ourkey, &nonce,
+					    &tsigkey, ring);
+	CHECK("dns_tkey_processdhresponse", result);
+
+	/*
+	 * Yes, this is a hack.
+	 */
+	isc_buffer_init(&keynamebuf, keyname, sizeof(keyname));
+	result = dst_key_buildfilename(tsigkey->key, 0, "", &keynamebuf);
+	CHECK("dst_key_buildfilename", result);
+	printf("%.*s\n", (int)isc_buffer_usedlength(&keynamebuf),
+	       (char *)isc_buffer_base(&keynamebuf));
+	type = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC | DST_TYPE_KEY;
+	result = dst_key_tofile(tsigkey->key, type, "");
+	CHECK("dst_key_tofile", result);
+
+	dns_message_detach(&query);
+	dns_message_detach(&response);
+	dns_request_destroy(&reqev->request);
+	isc_event_free(&event);
+	isc_app_shutdown();
+	return;
+}
+
+static void
+sendquery(isc_task_t *task, isc_event_t *event) {
+	struct in_addr inaddr;
+	isc_sockaddr_t address;
+	isc_region_t r;
+	isc_result_t result;
+	dns_fixedname_t keyname;
+	dns_fixedname_t ownername;
+	isc_buffer_t namestr, keybuf;
+	unsigned char keydata[9];
+	dns_message_t *query = NULL;
+	dns_request_t *request = NULL;
+	static char keystr[] = "0123456789ab";
+
+	isc_event_free(&event);
+
+	result = ISC_R_FAILURE;
+	if (inet_pton(AF_INET, "10.53.0.1", &inaddr) != 1) {
+		CHECK("inet_pton", result);
+	}
+	isc_sockaddr_fromin(&address, &inaddr, PORT);
+
+	dns_fixedname_init(&keyname);
+	isc_buffer_constinit(&namestr, "tkeytest.", 9);
+	isc_buffer_add(&namestr, 9);
+	result = dns_name_fromtext(dns_fixedname_name(&keyname), &namestr, NULL,
+				   0, NULL);
+	CHECK("dns_name_fromtext", result);
+
+	dns_fixedname_init(&ownername);
+	isc_buffer_constinit(&namestr, ownername_str, strlen(ownername_str));
+	isc_buffer_add(&namestr, strlen(ownername_str));
+	result = dns_name_fromtext(dns_fixedname_name(&ownername), &namestr,
+				   NULL, 0, NULL);
+	CHECK("dns_name_fromtext", result);
+
+	isc_buffer_init(&keybuf, keydata, 9);
+	result = isc_base64_decodestring(keystr, &keybuf);
+	CHECK("isc_base64_decodestring", result);
+
+	isc_buffer_usedregion(&keybuf, &r);
+
+	result = dns_tsigkey_create(
+		dns_fixedname_name(&keyname), DNS_TSIG_HMACMD5_NAME,
+		isc_buffer_base(&keybuf), isc_buffer_usedlength(&keybuf), false,
+		NULL, 0, 0, mctx, ring, &initialkey);
+	CHECK("dns_tsigkey_create", result);
+
+	dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &query);
+
+	result = dns_tkey_builddhquery(query, ourkey,
+				       dns_fixedname_name(&ownername),
+				       DNS_TSIG_HMACMD5_NAME, &nonce, 3600);
+	CHECK("dns_tkey_builddhquery", result);
+
+	result = dns_request_create(requestmgr, query, &address,
+				    DNS_REQUESTOPT_TCP, initialkey, TIMEOUT,
+				    task, recvquery, query, &request);
+	CHECK("dns_request_create", result);
+}
+
+int
+main(int argc, char *argv[]) {
+	char *ourkeyname = NULL;
+	isc_nm_t *netmgr = NULL;
+	isc_taskmgr_t *taskmgr = NULL;
+	isc_timermgr_t *timermgr = NULL;
+	isc_socketmgr_t *socketmgr = NULL;
+	isc_socket_t *sock = NULL;
+	unsigned int attrs, attrmask;
+	isc_sockaddr_t bind_any;
+	dns_dispatchmgr_t *dispatchmgr = NULL;
+	dns_dispatch_t *dispatchv4 = NULL;
+	dns_view_t *view = NULL;
+	dns_tkeyctx_t *tctx = NULL;
+	isc_log_t *log = NULL;
+	isc_logconfig_t *logconfig = NULL;
+	isc_task_t *task = NULL;
+	isc_result_t result;
+	int type;
+
+	RUNCHECK(isc_app_start());
+
+	if (argc < 2) {
+		fprintf(stderr, "I:no DH key provided\n");
+		exit(-1);
+	}
+	if (strcmp(argv[1], "-r") == 0) {
+		fprintf(stderr, "I:the -r option has been deprecated\n");
+		exit(-1);
+	}
+	ourkeyname = argv[1];
+
+	if (argc >= 3) {
+		ownername_str = argv[2];
+	}
+
+	dns_result_register();
+
+	isc_mem_debugging = ISC_MEM_DEBUGRECORD;
+	isc_mem_create(&mctx);
+
+	isc_log_create(mctx, &log, &logconfig);
+
+	RUNCHECK(dst_lib_init(mctx, NULL));
+
+	RUNCHECK(isc_managers_create(mctx, 1, 0, &netmgr, &taskmgr));
+	RUNCHECK(isc_task_create(taskmgr, 0, &task));
+	RUNCHECK(isc_timermgr_create(mctx, &timermgr));
+	RUNCHECK(isc_socketmgr_create(mctx, &socketmgr));
+	RUNCHECK(dns_dispatchmgr_create(mctx, &dispatchmgr));
+	isc_sockaddr_any(&bind_any);
+	attrs = DNS_DISPATCHATTR_UDP | DNS_DISPATCHATTR_MAKEQUERY |
+		DNS_DISPATCHATTR_IPV4;
+	attrmask = DNS_DISPATCHATTR_UDP | DNS_DISPATCHATTR_TCP |
+		   DNS_DISPATCHATTR_IPV4 | DNS_DISPATCHATTR_IPV6;
+	RUNCHECK(dns_dispatch_getudp(dispatchmgr, socketmgr, taskmgr, &bind_any,
+				     4096, 4, 2, 3, 5, attrs, attrmask,
+				     &dispatchv4));
+	RUNCHECK(dns_requestmgr_create(mctx, timermgr, socketmgr, taskmgr,
+				       dispatchmgr, dispatchv4, NULL,
+				       &requestmgr));
+
+	RUNCHECK(dns_tsigkeyring_create(mctx, &ring));
+	RUNCHECK(dns_tkeyctx_create(mctx, &tctx));
+
+	RUNCHECK(dns_view_create(mctx, 0, "_test", &view));
+	dns_view_setkeyring(view, ring);
+	dns_tsigkeyring_detach(&ring);
+
+	RUNCHECK(isc_socket_create(socketmgr, PF_INET, isc_sockettype_udp,
+				   &sock));
+
+	RUNCHECK(isc_app_onrun(mctx, task, sendquery, NULL));
+
+	type = DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY;
+	result = dst_key_fromnamedfile(ourkeyname, NULL, type, mctx, &ourkey);
+	CHECK("dst_key_fromnamedfile", result);
+
+	isc_buffer_init(&nonce, noncedata, sizeof(noncedata));
+	isc_nonce_buf(noncedata, sizeof(noncedata));
+	isc_buffer_add(&nonce, sizeof(noncedata));
+
+	(void)isc_app_run();
+
+	dns_requestmgr_shutdown(requestmgr);
+	dns_requestmgr_detach(&requestmgr);
+	dns_dispatch_detach(&dispatchv4);
+	dns_dispatchmgr_destroy(&dispatchmgr);
+	isc_task_shutdown(task);
+	isc_task_detach(&task);
+	isc_managers_destroy(&netmgr, &taskmgr);
+	isc_socket_detach(&sock);
+	isc_socketmgr_destroy(&socketmgr);
+	isc_timermgr_destroy(&timermgr);
+
+	dst_key_free(&ourkey);
+	dns_tsigkey_detach(&initialkey);
+	dns_tsigkey_detach(&tsigkey);
+
+	dns_tkeyctx_destroy(&tctx);
+
+	dns_view_detach(&view);
+
+	isc_log_destroy(&log);
+
+	dst_lib_destroy();
+
+	isc_mem_destroy(&mctx);
+
+	isc_app_finish();
+
+	return (0);
+}
diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c
new file mode 100644
index 0000000..bd67d39
--- /dev/null
+++ b/bin/tests/system/tkey/keydelete.c
@@ -0,0 +1,242 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/app.h>
+#include <isc/base64.h>
+#include <isc/hash.h>
+#include <isc/log.h>
+#include <isc/managers.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/random.h>
+#include <isc/sockaddr.h>
+#include <isc/socket.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <pk11/site.h>
+
+#include <dns/dispatch.h>
+#include <dns/fixedname.h>
+#include <dns/keyvalues.h>
+#include <dns/message.h>
+#include <dns/name.h>
+#include <dns/request.h>
+#include <dns/result.h>
+#include <dns/tkey.h>
+#include <dns/tsig.h>
+#include <dns/view.h>
+
+#include <dst/result.h>
+
+#define CHECK(str, x)                                        \
+	{                                                    \
+		if ((x) != ISC_R_SUCCESS) {                  \
+			fprintf(stderr, "I:%s: %s\n", (str), \
+				isc_result_totext(x));       \
+			exit(-1);                            \
+		}                                            \
+	}
+
+#define RUNCHECK(x) RUNTIME_CHECK((x) == ISC_R_SUCCESS)
+
+#define PORT	5300
+#define TIMEOUT 30
+
+static isc_mem_t *mctx = NULL;
+static dns_tsigkey_t *tsigkey = NULL;
+static dns_tsig_keyring_t *ring = NULL;
+static dns_requestmgr_t *requestmgr = NULL;
+
+static void
+recvquery(isc_task_t *task, isc_event_t *event) {
+	dns_requestevent_t *reqev = (dns_requestevent_t *)event;
+	isc_result_t result;
+	dns_message_t *query = NULL, *response = NULL;
+
+	UNUSED(task);
+
+	REQUIRE(reqev != NULL);
+
+	if (reqev->result != ISC_R_SUCCESS) {
+		fprintf(stderr, "I:request event result: %s\n",
+			isc_result_totext(reqev->result));
+		exit(-1);
+	}
+
+	query = reqev->ev_arg;
+
+	dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &response);
+
+	result = dns_request_getresponse(reqev->request, response,
+					 DNS_MESSAGEPARSE_PRESERVEORDER);
+	CHECK("dns_request_getresponse", result);
+
+	if (response->rcode != dns_rcode_noerror) {
+		result = ISC_RESULTCLASS_DNSRCODE + response->rcode;
+		fprintf(stderr, "I:response rcode: %s\n",
+			isc_result_totext(result));
+		exit(-1);
+	}
+
+	result = dns_tkey_processdeleteresponse(query, response, ring);
+	CHECK("dns_tkey_processdhresponse", result);
+
+	dns_message_detach(&query);
+	dns_message_detach(&response);
+	dns_request_destroy(&reqev->request);
+	isc_event_free(&event);
+	isc_app_shutdown();
+	return;
+}
+
+static void
+sendquery(isc_task_t *task, isc_event_t *event) {
+	struct in_addr inaddr;
+	isc_sockaddr_t address;
+	isc_result_t result;
+	dns_message_t *query = NULL;
+	dns_request_t *request = NULL;
+
+	isc_event_free(&event);
+
+	result = ISC_R_FAILURE;
+	if (inet_pton(AF_INET, "10.53.0.1", &inaddr) != 1) {
+		CHECK("inet_pton", result);
+	}
+	isc_sockaddr_fromin(&address, &inaddr, PORT);
+
+	dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &query);
+
+	result = dns_tkey_builddeletequery(query, tsigkey);
+	CHECK("dns_tkey_builddeletequery", result);
+
+	result = dns_request_create(requestmgr, query, &address,
+				    DNS_REQUESTOPT_TCP, tsigkey, TIMEOUT, task,
+				    recvquery, query, &request);
+	CHECK("dns_request_create", result);
+}
+
+int
+main(int argc, char **argv) {
+	char *keyname = NULL;
+	isc_nm_t *netmgr = NULL;
+	isc_taskmgr_t *taskmgr = NULL;
+	isc_timermgr_t *timermgr = NULL;
+	isc_socketmgr_t *socketmgr = NULL;
+	isc_socket_t *sock = NULL;
+	unsigned int attrs, attrmask;
+	isc_sockaddr_t bind_any;
+	dns_dispatchmgr_t *dispatchmgr = NULL;
+	dns_dispatch_t *dispatchv4 = NULL;
+	dns_view_t *view = NULL;
+	dns_tkeyctx_t *tctx = NULL;
+	dst_key_t *dstkey = NULL;
+	isc_log_t *log = NULL;
+	isc_logconfig_t *logconfig = NULL;
+	isc_task_t *task = NULL;
+	isc_result_t result;
+	int type;
+
+	RUNCHECK(isc_app_start());
+
+	if (argc < 2) {
+		fprintf(stderr, "I:no key to delete\n");
+		exit(-1);
+	}
+	if (strcmp(argv[1], "-r") == 0) {
+		fprintf(stderr, "I:The -r options has been deprecated\n");
+		exit(-1);
+	}
+	keyname = argv[1];
+
+	dns_result_register();
+
+	isc_mem_create(&mctx);
+
+	isc_log_create(mctx, &log, &logconfig);
+
+	RUNCHECK(dst_lib_init(mctx, NULL));
+
+	RUNCHECK(isc_managers_create(mctx, 1, 0, &netmgr, &taskmgr));
+	RUNCHECK(isc_task_create(taskmgr, 0, &task));
+	RUNCHECK(isc_timermgr_create(mctx, &timermgr));
+	RUNCHECK(isc_socketmgr_create(mctx, &socketmgr));
+	RUNCHECK(dns_dispatchmgr_create(mctx, &dispatchmgr));
+	isc_sockaddr_any(&bind_any);
+	attrs = DNS_DISPATCHATTR_UDP | DNS_DISPATCHATTR_MAKEQUERY |
+		DNS_DISPATCHATTR_IPV4;
+	attrmask = DNS_DISPATCHATTR_UDP | DNS_DISPATCHATTR_TCP |
+		   DNS_DISPATCHATTR_IPV4 | DNS_DISPATCHATTR_IPV6;
+	RUNCHECK(dns_dispatch_getudp(dispatchmgr, socketmgr, taskmgr, &bind_any,
+				     4096, 4, 2, 3, 5, attrs, attrmask,
+				     &dispatchv4));
+	RUNCHECK(dns_requestmgr_create(mctx, timermgr, socketmgr, taskmgr,
+				       dispatchmgr, dispatchv4, NULL,
+				       &requestmgr));
+
+	RUNCHECK(dns_tsigkeyring_create(mctx, &ring));
+	RUNCHECK(dns_tkeyctx_create(mctx, &tctx));
+
+	RUNCHECK(dns_view_create(mctx, 0, "_test", &view));
+	dns_view_setkeyring(view, ring);
+
+	RUNCHECK(isc_socket_create(socketmgr, PF_INET, isc_sockettype_udp,
+				   &sock));
+
+	RUNCHECK(isc_app_onrun(mctx, task, sendquery, NULL));
+
+	type = DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY;
+	result = dst_key_fromnamedfile(keyname, NULL, type, mctx, &dstkey);
+	CHECK("dst_key_fromnamedfile", result);
+	result = dns_tsigkey_createfromkey(dst_key_name(dstkey),
+					   DNS_TSIG_HMACMD5_NAME, dstkey, true,
+					   NULL, 0, 0, mctx, ring, &tsigkey);
+	dst_key_free(&dstkey);
+	CHECK("dns_tsigkey_createfromkey", result);
+
+	(void)isc_app_run();
+
+	dns_requestmgr_shutdown(requestmgr);
+	dns_requestmgr_detach(&requestmgr);
+	dns_dispatch_detach(&dispatchv4);
+	dns_dispatchmgr_destroy(&dispatchmgr);
+	isc_task_shutdown(task);
+	isc_task_detach(&task);
+	isc_managers_destroy(&netmgr, &taskmgr);
+	isc_socket_detach(&sock);
+	isc_socketmgr_destroy(&socketmgr);
+	isc_timermgr_destroy(&timermgr);
+
+	dns_tsigkeyring_detach(&ring);
+
+	dns_tsigkey_detach(&tsigkey);
+
+	dns_tkeyctx_destroy(&tctx);
+
+	dns_view_detach(&view);
+
+	isc_log_destroy(&log);
+
+	dst_lib_destroy();
+
+	isc_mem_destroy(&mctx);
+
+	isc_app_finish();
+
+	return (0);
+}
diff --git a/bin/tests/system/tkey/ns1/example.db b/bin/tests/system/tkey/ns1/example.db
new file mode 100644
index 0000000..a847946
--- /dev/null
+++ b/bin/tests/system/tkey/ns1/example.db
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 1D
+
+@			IN SOA	ns hostmaster (
+				1
+				3600
+				1800
+				1814400
+				3
+				)
+			NS	ns
+ns			A	10.53.0.1
+mx			MX	10 mail
+a			A	10.53.0.1
+			A	10.53.0.2
+txt			TXT	"this is text"
+
diff --git a/bin/tests/system/tkey/ns1/named.conf.in b/bin/tests/system/tkey/ns1/named.conf.in
new file mode 100644
index 0000000..c183880
--- /dev/null
+++ b/bin/tests/system/tkey/ns1/named.conf.in
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port 5300;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify no;
+	tkey-domain "server";
+	tkey-dhkey "server" KEYID;
+	allow-query-cache { any; };
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.1 port 9953 allow { any; } keys { rndc_key; };
+};
+
+key "tkeytest." {
+	algorithm hmac-md5;
+	secret "0123456789ab";
+};
+
+zone example {
+	type primary;
+	file "example.db";
+	allow-query { key tkeytest.; none; };
+};
diff --git a/bin/tests/system/tkey/ns1/setup.sh b/bin/tests/system/tkey/ns1/setup.sh
new file mode 100644
index 0000000..6471905
--- /dev/null
+++ b/bin/tests/system/tkey/ns1/setup.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+keyname=`$KEYGEN -T KEY -a DH -b 768 -n host server`
+keyid=$(keyfile_to_key_id $keyname)
+rm -f named.conf
+sed -e "s;KEYID;$keyid;" < named.conf.in > named.conf
diff --git a/bin/tests/system/tkey/setup.sh b/bin/tests/system/tkey/setup.sh
new file mode 100644
index 0000000..68a50ad
--- /dev/null
+++ b/bin/tests/system/tkey/setup.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+cd ns1 && $SHELL setup.sh
diff --git a/bin/tests/system/tkey/tests.sh b/bin/tests/system/tkey/tests.sh
new file mode 100644
index 0000000..ca466e4
--- /dev/null
+++ b/bin/tests/system/tkey/tests.sh
@@ -0,0 +1,160 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="@10.53.0.1 -p 5300"
+
+status=0
+n=1
+
+echo_i "generating new DH key ($n)"
+ret=0
+dhkeyname=`$KEYGEN -T KEY -a DH -b 768 -n host client` || ret=1
+if [ $ret != 0 ]; then
+	echo_i "failed"
+	status=$((status+ret))
+	echo_i "exit status: $status"
+	exit $status
+fi
+status=`expr $status + $ret`
+n=$((n+1))
+
+for owner in . foo.example.
+do
+	echo_i "creating new key using owner name \"$owner\" ($n)"
+	ret=0
+	keyname=`$KEYCREATE $dhkeyname $owner` || ret=1
+	if [ $ret != 0 ]; then
+		echo_i "failed"
+		status=$((status+ret))
+		echo_i "exit status: $status"
+		exit $status
+	fi
+	status=`expr $status + $ret`
+	n=$((n+1))
+
+	echo_i "checking the new key ($n)"
+	ret=0
+	$DIG $DIGOPTS txt txt.example -k $keyname > dig.out.1 || ret=1
+	grep "status: NOERROR" dig.out.1 > /dev/null || ret=1
+	grep "TSIG.*hmac-md5.*NOERROR" dig.out.1 > /dev/null || ret=1
+	grep "Some TSIG could not be validated" dig.out.1 > /dev/null && ret=1
+	if [ $ret != 0 ]; then
+		echo_i "failed"
+	fi
+	status=`expr $status + $ret`
+	n=$((n+1))
+
+	echo_i "deleting new key ($n)"
+	ret=0
+	$KEYDELETE $keyname || ret=1
+	if [ $ret != 0 ]; then
+		echo_i "failed"
+	fi
+	status=`expr $status + $ret`
+	n=$((n+1))
+
+	echo_i "checking that new key has been deleted ($n)"
+	ret=0
+	$DIG $DIGOPTS txt txt.example -k $keyname > dig.out.2 || ret=1
+	grep "status: NOERROR" dig.out.2 > /dev/null && ret=1
+	grep "TSIG.*hmac-md5.*NOERROR" dig.out.2 > /dev/null && ret=1
+	grep "Some TSIG could not be validated" dig.out.2 > /dev/null || ret=1
+	if [ $ret != 0 ]; then
+		echo_i "failed"
+	fi
+	status=`expr $status + $ret`
+	n=$((n+1))
+done
+
+echo_i "creating new key using owner name bar.example. ($n)"
+ret=0
+keyname=`$KEYCREATE $dhkeyname bar.example.` || ret=1
+if [ $ret != 0 ]; then
+        echo_i "failed"
+	status=$((status+ret))
+        echo_i "exit status: $status"
+        exit $status
+fi
+status=`expr $status + $ret`
+n=$((n+1))
+
+echo_i "checking the key with 'rndc tsig-list' ($n)"
+ret=0
+$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 tsig-list > rndc.out.1
+grep "key \"bar.example.server" rndc.out.1 > /dev/null || ret=1
+if [ $ret != 0 ]; then
+        echo_i "failed"
+fi
+status=`expr $status + $ret`
+n=$((n+1))
+
+echo_i "using key in a request ($n)"
+ret=0
+$DIG $DIGOPTS -k $keyname txt.example txt > dig.out.3 || ret=1
+grep "status: NOERROR" dig.out.3 > /dev/null || ret=1
+if [ $ret != 0 ]; then
+        echo_i "failed"
+fi
+status=`expr $status + $ret`
+n=$((n+1))
+
+echo_i "deleting the key with 'rndc tsig-delete' ($n)"
+ret=0
+$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 tsig-delete bar.example.server > /dev/null || ret=1
+$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 tsig-list > rndc.out.2
+grep "key \"bar.example.server" rndc.out.2 > /dev/null && ret=1
+$DIG $DIGOPTS -k $keyname txt.example txt > dig.out.4 || ret=1
+grep "TSIG could not be validated" dig.out.4 > /dev/null || ret=1
+if [ $ret != 0 ]; then
+        echo_i "failed"
+fi
+status=`expr $status + $ret`
+n=$((n+1))
+
+echo_i "recreating the bar.example. key ($n)"
+ret=0
+keyname=`$KEYCREATE $dhkeyname bar.example.` || ret=1
+if [ $ret != 0 ]; then
+        echo_i "failed"
+	status=$((status+ret))
+        echo_i "exit status: $status"
+        exit $status
+fi
+status=`expr $status + $ret`
+n=$((n+1))
+
+echo_i "checking the new key with 'rndc tsig-list' ($n)"
+ret=0
+$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 tsig-list > rndc.out.3
+grep "key \"bar.example.server" rndc.out.3 > /dev/null || ret=1
+if [ $ret != 0 ]; then
+        echo_i "failed"
+fi
+status=`expr $status + $ret`
+n=$((n+1))
+
+echo_i "using the new key in a request ($n)"
+ret=0
+$DIG $DIGOPTS -k $keyname txt.example txt > dig.out.5 || ret=1
+grep "status: NOERROR" dig.out.5 > /dev/null || ret=1
+if [ $ret != 0 ]; then
+        echo_i "failed"
+fi
+status=`expr $status + $ret`
+n=$((n+1))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/tools/clean.sh b/bin/tests/system/tools/clean.sh
new file mode 100644
index 0000000..32a8e97
--- /dev/null
+++ b/bin/tests/system/tools/clean.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f NSEC3
+rm -f nsec3hash
+rm -f nsec3param
+rm -f testcases
diff --git a/bin/tests/system/tools/setup.sh b/bin/tests/system/tools/setup.sh
new file mode 100644
index 0000000..913e217
--- /dev/null
+++ b/bin/tests/system/tools/setup.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+$SHELL clean.sh
diff --git a/bin/tests/system/tools/tests.sh b/bin/tests/system/tools/tests.sh
new file mode 100644
index 0000000..4ce73e1
--- /dev/null
+++ b/bin/tests/system/tools/tests.sh
@@ -0,0 +1,105 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+
+checkout() {
+	case $? in
+	0) : ok ;;
+	*) echo_i "failed"
+	   status=`expr $status + 1`
+	   return 1 ;;
+	esac
+	case $out in
+	*$hash*) : ok ;;
+	*) echo_i "expect $hash"
+	   echo_i "output $out"
+	   echo_i "failed"
+	   status=`expr $status + 1` ;;
+	esac
+}
+
+# test cases taken from RFC 5155 appendix A
+algo=1 flags=0 iters=12 salt="aabbccdd"
+while	read name hash
+do
+	echo_i "checking $NSEC3HASH $name"
+	out=`$NSEC3HASH $salt $algo $iters $name`
+	checkout
+
+	echo_i "checking $NSEC3HASH -r $name"
+	out=`$NSEC3HASH -r $algo $flags $iters $salt $name`
+	checkout
+
+done <<EOF
+*.w.example R53BQ7CC2UVMUBFU5OCMM6PERS9TK9EN
+2t7b4g4vsa5smi47k61mv5bv1a22bojr.example KOHAR7MBB8DC2CE8A9QVL8HON4K53UHI
+a.example 35MTHGPGCU1QG68FAB165KLNSNK3DPVL
+ai.example GJEQE526PLBF1G8MKLP59ENFD789NJGI
+example 0P9MHAVEQVM6T7VBL5LOP2U3T2RP3TOM
+ns1.example 2T7B4G4VSA5SMI47K61MV5BV1A22BOJR
+ns2.example Q04JKCEVQVMU85R014C7DKBA38O0JI5R
+w.example K8UDEMVP1J2F7EG6JEBPS17VP3N8I58H
+x.w.example B4UM86EGHHDS6NEA196SMVMLO4ORS995
+x.y.w.example 2VPTU5TIMAMQTTGL4LUU9KG21E0AOR3S
+xx.example T644EBQK9BIBCNA874GIVR6JOJ62MLHV
+y.w.example JI6NEOAEPV8B5O6K4EV33ABHA8HT9FGC
+EOF
+
+# test empty salt
+checkempty() {
+	hash=CK0POJMG874LJREF7EFN8430QVIT8BSM checkout &&
+	hash=- checkout
+}
+name=com algo=1 flags=1 iters=0
+echo_i "checking $NSEC3HASH '' $name"
+out=`$NSEC3HASH '' $algo $iters $name`
+checkempty
+echo_i "checking $NSEC3HASH - $name"
+out=`$NSEC3HASH - $algo $iters $name`
+checkempty
+echo_i "checking $NSEC3HASH -- '' $name"
+out=`$NSEC3HASH -- '' $algo $iters $name`
+checkempty
+echo_i "checking $NSEC3HASH -- - $name"
+out=`$NSEC3HASH -- - $algo $iters $name`
+checkempty
+echo_i "checking $NSEC3HASH -r '' $name"
+out=`$NSEC3HASH -r $algo $flags $iters '' $name`
+checkempty
+echo_i "checking $NSEC3HASH -r - $name"
+out=`$NSEC3HASH -r $algo $flags $iters - $name`
+checkempty
+
+checkfail() {
+	case $? in
+	0) echo_i "failed to fail"
+	   status=`expr $status + 1`
+	   return 1 ;;
+	esac
+}
+echo_i "checking $NSEC3HASH missing args"
+out=`$NSEC3HASH 00 1 0 2>&1`
+checkfail
+echo_i "checking $NSEC3HASH extra args"
+out=`$NSEC3HASH 00 1 0 two names 2>&1`
+checkfail
+echo_i "checking $NSEC3HASH bad option"
+out=`$NSEC3HASH -? 2>&1`
+checkfail
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/tsig/ans2/ans.pl b/bin/tests/system/tsig/ans2/ans.pl
new file mode 100644
index 0000000..09ab29b
--- /dev/null
+++ b/bin/tests/system/tsig/ans2/ans.pl
@@ -0,0 +1,52 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# An adhoc server that returns a TC=1 response with the final byte
+# removed to generate UNEXPECTEDEND form dns_message_parse.
+#
+
+use IO::File;
+use IO::Socket;
+
+my $localport = int($ENV{'PORT'});
+if (!$localport) { $localport = 5300; }
+printf "localport %u\n", $localport;
+
+my $sock = IO::Socket::INET->new(LocalAddr => "10.53.0.2",
+   LocalPort => $localport, Proto => "udp") or die "$!";
+
+my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
+print $pidf "$$\n" or die "cannot write pid file: $!";
+$pidf->close or die "cannot close pid file: $!";
+sub rmpid { unlink "ans.pid"; exit 1; };
+
+$SIG{INT} = \&rmpid;
+$SIG{TERM} = \&rmpid;
+
+sub arraystring {
+    my $string = join("", @_);
+    return $string;
+}
+
+for (;;) {
+	$from = $sock->recv($buf, 512);
+	($port, $ip_address) = unpack_sockaddr_in($from);
+	$l = length($buf);
+	printf "received %u bytes from %s#%u\n", $l, inet_ntoa($ip_address), $port;
+	@up = unpack("C[$l]", $buf);
+	$up[2] |= 0x80; # QR
+	$up[2] |= 0x02; # TC
+	$up[3] |= 0x80; # RA
+	$l -= 1;	# truncate the response 1 byte
+	$replydata = pack("C[$l]", @up);
+	printf "sent %u bytes\n", $sock->send($replydata);
+}
diff --git a/bin/tests/system/tsig/badlocation b/bin/tests/system/tsig/badlocation
new file mode 100644
index 0000000..4477423
--- /dev/null
+++ b/bin/tests/system/tsig/badlocation
@@ -0,0 +1,37 @@
+# Transaction ID
+1122
+# Standard query
+0000
+# Questions: 1, Additional: 1
+0001 0000 0001 0000
+# QNAME: isc.org
+03 69 73 63 03 6F 72 67 00
+# Type: A (Host Address)
+0001
+# Class: IN
+0001
+# Specially crafted TSIG Resource Record
+# Name: "sha256"
+06 73 68 61 32 35 36 00
+# Type: TSIG (Transaction Signature)
+00fa
+# Class: ANY
+00ff
+# TTL: 0
+00000000
+# RdLen: 29
+001d
+# Algorithm Name: hmac-sha256
+0b 68 6D 61 63 2D 73 68 61 32 35 36 00
+# Time Signed: Jan 1, 1970 01:00:00.000000000 CET
+00 00 00 00 00 00
+# Fudge: 300
+012c
+# MAC Size: 0; MAC: empty
+0000
+# Original ID: 0
+0000
+# Error: no error
+0000
+# Other Data Length: 0
+0000
diff --git a/bin/tests/system/tsig/badtime b/bin/tests/system/tsig/badtime
new file mode 100644
index 0000000..7926404
--- /dev/null
+++ b/bin/tests/system/tsig/badtime
@@ -0,0 +1,37 @@
+# Transaction ID
+1122
+# Standard query
+0000
+# Questions: 1, Additional: 1
+0001 0000 0000 0001
+# QNAME: isc.org
+03 69 73 63 03 6F 72 67 00
+# Type: A (Host Address)
+0001
+# Class: IN
+0001
+# Specially crafted TSIG Resource Record
+# Name: "sha256"
+06 73 68 61 32 35 36 00
+# Type: TSIG (Transaction Signature)
+00fa
+# Class: ANY
+00ff
+# TTL: 0
+00000000
+# RdLen: 29
+001d
+# Algorithm Name: hmac-sha256
+0b 68 6D 61 63 2D 73 68 61 32 35 36 00
+# Time Signed: Jan 1, 1970 01:00:00.000000000 CET
+00 00 00 00 00 00
+# Fudge: 300
+012c
+# MAC Size: 0; MAC: empty
+0000
+# Original ID: 0
+0000
+# Error: BADSIG
+0010
+# Other Data Length: 0
+0000
diff --git a/bin/tests/system/tsig/clean.sh b/bin/tests/system/tsig/clean.sh
new file mode 100644
index 0000000..b173ffe
--- /dev/null
+++ b/bin/tests/system/tsig/clean.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Clean up after tsig tests.
+#
+
+rm -f dig.out.*
+rm -f */named.memstats
+rm -f */named.conf
+rm -f */named.run
+rm -f ns*/named.lock
+rm -f Kexample.net.*
+rm -f keygen.out?
+rm -f ns*/managed-keys.bind*
+rm -f packet.out
diff --git a/bin/tests/system/tsig/ns1/example.db b/bin/tests/system/tsig/ns1/example.db
new file mode 100644
index 0000000..7854613
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/example.db
@@ -0,0 +1,163 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300	; 5 minutes
+example.nil		IN SOA	ns1.example.nil. hostmaster.example.nil. (
+				1	   ; serial
+				2000       ; refresh (2000 seconds)
+				2000       ; retry (2000 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+example.nil.		NS	ns1.example.nil.
+ns1.example.nil.	A	10.53.0.1
+example.nil.		NS	ns2.example.nil.
+ns2.example.nil.	A	10.53.0.2
+
+$ORIGIN example.nil.
+*			MX	10 mail
+a			TXT	"foo foo foo"
+			PTR	foo.net.
+$TTL 3600	; 1 hour
+a01			A	0.0.0.0
+a02			A	255.255.255.255
+a601			AAAA	ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+afsdb01			AFSDB	0 hostname
+afsdb02			AFSDB	65535 .
+$TTL 300	; 5 minutes
+b			CNAME	foo.net.
+c			A	73.80.65.49
+$TTL 3600	; 1 hour
+cert01			CERT	65534 65535 PRIVATEOID (
+				MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi
+				WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl
+				d80jEeC8aTrO+KKmCaY= )
+cname01			CNAME	cname-target.
+cname02			CNAME	cname-target
+cname03			CNAME	.
+$TTL 300	; 5 minutes
+d			A	73.80.65.49
+$TTL 3600	; 1 hour
+dname01			DNAME	dname-target.
+dname02			DNAME	dname-target
+dname03			DNAME	.
+$TTL 300	; 5 minutes
+e			MX	10 mail
+			TXT	"one"
+			TXT	"three"
+			TXT	"two"
+			A	73.80.65.49
+			A	73.80.65.50
+			A	73.80.65.52
+			A	73.80.65.51
+f			A	73.80.65.52
+$TTL 3600	; 1 hour
+gpos01			GPOS	"-22.6882" "116.8652" "250.0"
+gpos02			GPOS	"" "" ""
+hinfo01			HINFO	"Generic PC clone" "NetBSD-1.4"
+hinfo02			HINFO	"PC" "NetBSD"
+isdn01			ISDN	"isdn-address"
+isdn02			ISDN	"isdn-address" "subaddress"
+isdn03			ISDN	"isdn-address"
+isdn04			ISDN	"isdn-address" "subaddress"
+key01			KEY	512 255 1 (
+				AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aR
+				yzWZriO6i2odGWWQVucZqKVsENW91IOW4vqudngPZsY3
+				GvQ/xVA8/7pyFj6b7Esga60zyGW6LFe9r8n6paHrlG5o
+				jqf0BaqHT+8= )
+kx01			KX	10 kdc
+kx02			KX	10 .
+loc01			LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+loc02			LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+mb01			MG	madname
+mb02			MG	.
+mg01			MG	mgmname
+mg02			MG	.
+minfo01			MINFO	rmailbx emailbx
+minfo02			MINFO	. .
+mr01			MR	mrname
+mr02			MR	.
+mx01			MX	10 mail
+mx02			MX	10 .
+naptr01			NAPTR	0 0 "" "" "" .
+naptr02			NAPTR	65535 65535 "blurgh" "blorf" ":(.*):\\1:" foo.
+nsap-ptr01		NSAP-PTR foo.
+			NSAP-PTR .
+nsap01			NSAP	0x47000580005a0000000001e133ffffff00016100
+nsap02			NSAP	0x47000580005a0000000001e133ffffff00016100
+nxt01			NXT	a.secure ( NS SOA MX SIG KEY LOC NXT )
+nxt02			NXT	. ( NSAP-PTR NXT )
+nxt03			NXT	. ( A )
+nxt04			NXT	. ( 127 )
+ptr01			PTR	example.nil.
+px01			PX	65535 foo. bar.
+px02			PX	65535 . .
+rp01			RP	mbox-dname txt-dname
+rp02			RP	. .
+rt01			RT	0 intermediate-host
+rt02			RT	65535 .
+$TTL 300	; 5 minutes
+s			NS	ns.s
+$ORIGIN s.example.nil.
+ns			A	73.80.65.49
+$ORIGIN example.nil.
+$TTL 3600	; 1 hour
+sig01			SIG	NXT 1 3 3600 20000102030405 (
+				19961211100908 2143 foo
+				MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi
+				WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl
+				d80jEeC8aTrO+KKmCaY= )
+srv01			SRV	0 0 0 .
+srv02			SRV	65535 65535 65535 old-slow-box.example.com.
+$TTL 301	; 5 minutes 1 second
+t			A	73.80.65.49
+$TTL 3600	; 1 hour
+txt01			TXT	"foo"
+txt02			TXT	"foo" "bar"
+txt03			TXT	"foo"
+txt04			TXT	"foo" "bar"
+txt05			TXT	"foo bar"
+txt06			TXT	"foo bar"
+txt07			TXT	"foo bar"
+txt08			TXT	"foo\010bar"
+txt09			TXT	"foo\010bar"
+txt10			TXT	"foo bar"
+txt11			TXT	"\"foo\""
+txt12			TXT	"\"foo\""
+$TTL 300	; 5 minutes
+u			TXT	"txt-not-in-nxt"
+$ORIGIN u.example.nil.
+a			A	73.80.65.49
+b			A	73.80.65.49
+$ORIGIN example.nil.
+$TTL 3600	; 1 hour
+wks01			WKS	10.0.0.1 6 ( 0 1 2 21 23 )
+wks02			WKS	10.0.0.1 17 ( 0 1 2 53 )
+wks03			WKS	10.0.0.2 6 ( 65535 )
+x2501			X25	"123456789"
+large			TXT	( 1234567890 1234567890 1234567890 1234567890
+				  1234567890 1234567890 1234567890 1234567890
+				  1234567890 1234567890 1234567890 1234567890
+				  1234567890 1234567890 1234567890 1234567890
+				  1234567890 1234567890 1234567890 1234567890
+				  1234567890 1234567890 1234567890 1234567890
+				  1234567890 1234567890 1234567890 1234567890
+				  1234567890 1234567890 1234567890 1234567890
+				  1234567890 1234567890 1234567890 1234567890
+				  1234567890 1234567890 1234567890 1234567890
+				  1234567890 1234567890 1234567890 1234567890
+				  1234567890 1234567890 1234567890 1234567890
+				  1234567890 1234567890 1234567890 1234567890
+				  1234567890 1234567890 1234567890 1234567890
+				  1234567890 1234567890 1234567890 1234567890
+				  1234567890 1234567890 1234567890 1234567890
+				  1234567890 1234567890 1234567890 1234567890 )
diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in
new file mode 100644
index 0000000..22637af
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/named.conf.in
@@ -0,0 +1,93 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify no;
+};
+
+# md5 key appended by setup.sh at the end
+
+key "sha1" {
+	secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
+	algorithm hmac-sha1;
+};
+
+key "sha224" {
+	secret "hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA==";
+	algorithm hmac-sha224;
+};
+
+key "sha256" {
+	secret "R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY=";
+	algorithm hmac-sha256;
+};
+
+key "sha384" {
+	secret "OaDdoAk2LAcLtYeUnsT7A9XHjsb6ZEma7OCvUpMraQIJX6HetGrlKmF7yglO1G2h";
+	algorithm hmac-sha384;
+};
+
+key "sha512" {
+	secret "jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4fe6Uasc0ckctEmg==";
+	algorithm hmac-sha512;
+};
+
+# md5-trunc key appended by setup.sh at the end
+
+key "sha1-trunc" {
+	secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
+	algorithm hmac-sha1-80;
+};
+
+key "sha224-trunc" {
+	secret "hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA==";
+	algorithm hmac-sha224-112;
+};
+
+key "sha256-trunc" {
+	secret "R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY=";
+	algorithm hmac-sha256-128;
+};
+
+key "sha384-trunc" {
+	secret "OaDdoAk2LAcLtYeUnsT7A9XHjsb6ZEma7OCvUpMraQIJX6HetGrlKmF7yglO1G2h";
+	algorithm hmac-sha384-192;
+};
+
+key "sha512-trunc" {
+	secret "jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4fe6Uasc0ckctEmg==";
+	algorithm hmac-sha512-256;
+};
+
+zone "example.nil" {
+	type primary;
+	file "example.db";
+};
+
+server 10.53.0.2 {
+	keys sha256;
+};
+
+zone "bad-tsig" {
+	type forward;
+	forwarders { 10.53.0.2; };
+	forward only;
+};
diff --git a/bin/tests/system/tsig/prereq.sh b/bin/tests/system/tsig/prereq.sh
new file mode 100644
index 0000000..a663cfe
--- /dev/null
+++ b/bin/tests/system/tsig/prereq.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+if test -z "$PERL"; then
+    echo_i "This test requires Perl." >&2
+    exit 1
+fi
+
+exit 0
diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
new file mode 100644
index 0000000..420e513
--- /dev/null
+++ b/bin/tests/system/tsig/setup.sh
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+
+if $FEATURETEST --md5
+then
+	cat >> ns1/named.conf << EOF
+# Conditionally included when support for MD5 is available
+key "md5" {
+        secret "97rnFx24Tfna4mHPfgnerA==";
+        algorithm hmac-md5;
+};
+
+key "md5-trunc" {
+        secret "97rnFx24Tfna4mHPfgnerA==";
+        algorithm hmac-md5-80;
+};
+EOF
+fi
diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
new file mode 100644
index 0000000..affc6d0
--- /dev/null
+++ b/bin/tests/system/tsig/tests.sh
@@ -0,0 +1,262 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="+tcp +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}"
+
+#
+# Shared secrets.
+#
+md5="97rnFx24Tfna4mHPfgnerA=="
+sha1="FrSt77yPTFx6hTs4i2tKLB9LmE0="
+sha224="hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA=="
+sha256="R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY="
+sha384="OaDdoAk2LAcLtYeUnsT7A9XHjsb6ZEma7OCvUpMraQIJX6HetGrlKmF7yglO1G2h"
+sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4fe6Uasc0ckctEmg=="
+
+status=0
+
+if $FEATURETEST --md5
+then
+	echo_i "fetching using hmac-md5 (old form)"
+	ret=0
+	$DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1
+	grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
+	if [ $ret -eq 1 ] ; then
+		echo_i "failed"; status=1
+	fi
+
+	echo_i "fetching using hmac-md5 (new form)"
+	ret=0
+	$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
+	grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
+	if [ $ret -eq 1 ] ; then
+		echo_i "failed"; status=1
+	fi
+else
+	echo_i "skipping using hmac-md5"
+fi
+
+echo_i "fetching using hmac-sha1"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha1:sha1:$sha1" @10.53.0.1 soa > dig.out.sha1 || ret=1
+grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+	echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha224"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha224:sha224:$sha224" @10.53.0.1 soa > dig.out.sha224 || ret=1
+grep -i "sha224.*TSIG.*NOERROR" dig.out.sha224 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+	echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha256"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha256:sha256:$sha256" @10.53.0.1 soa > dig.out.sha256 || ret=1
+grep -i "sha256.*TSIG.*NOERROR" dig.out.sha256 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+	echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha384"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha384:sha384:$sha384" @10.53.0.1 soa > dig.out.sha384 || ret=1
+grep -i "sha384.*TSIG.*NOERROR" dig.out.sha384 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+	echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha512"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha512:sha512:$sha512" @10.53.0.1 soa > dig.out.sha512 || ret=1
+grep -i "sha512.*TSIG.*NOERROR" dig.out.sha512 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+	echo_i "failed"; status=1
+fi
+
+#
+#
+#	Truncated TSIG
+#
+#
+if $FEATURETEST --md5
+then
+	echo_i "fetching using hmac-md5 (trunc)"
+	ret=0
+	$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1
+	grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
+	if [ $ret -eq 1 ] ; then
+		echo_i "failed"; status=1
+	fi
+else
+	echo_i "skipping using hmac-md5 (trunc)"
+fi
+
+echo_i "fetching using hmac-sha1 (trunc)"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha1-80:sha1-trunc:$sha1" @10.53.0.1 soa > dig.out.sha1.trunc || ret=1
+grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1.trunc > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+	echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha224 (trunc)"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha224-112:sha224-trunc:$sha224" @10.53.0.1 soa > dig.out.sha224.trunc || ret=1
+grep -i "sha224-trunc.*TSIG.*NOERROR" dig.out.sha224.trunc > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+	echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha256 (trunc)"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha256-128:sha256-trunc:$sha256" @10.53.0.1 soa > dig.out.sha256.trunc || ret=1
+grep -i "sha256-trunc.*TSIG.*NOERROR" dig.out.sha256.trunc > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+	echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha384 (trunc)"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha384-192:sha384-trunc:$sha384" @10.53.0.1 soa > dig.out.sha384.trunc || ret=1
+grep -i "sha384-trunc.*TSIG.*NOERROR" dig.out.sha384.trunc > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+	echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha512-256 (trunc)"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha512-256:sha512-trunc:$sha512" @10.53.0.1 soa > dig.out.sha512.trunc || ret=1
+grep -i "sha512-trunc.*TSIG.*NOERROR" dig.out.sha512.trunc > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+	echo_i "failed"; status=1
+fi
+
+
+#
+#
+#	Check for bad truncation.
+#
+#
+if $FEATURETEST --md5
+then
+	echo_i "fetching using hmac-md5-80 (BADTRUNC)"
+	ret=0
+	$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1
+	grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
+	if [ $ret -eq 1 ] ; then
+		echo_i "failed"; status=1
+	fi
+else
+	echo_i "skipping using hmac-md5-80 (BADTRUNC)"
+fi
+
+echo_i "fetching using hmac-sha1-80 (BADTRUNC)"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha1-80:sha1:$sha1" @10.53.0.1 soa > dig.out.sha1-80 || ret=1
+grep -i "sha1.*TSIG.*BADTRUNC" dig.out.sha1-80 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+	echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha224-112 (BADTRUNC)"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha224-112:sha224:$sha224" @10.53.0.1 soa > dig.out.sha224-112 || ret=1
+grep -i "sha224.*TSIG.*BADTRUNC" dig.out.sha224-112 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+	echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha256-128 (BADTRUNC)"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha256-128:sha256:$sha256" @10.53.0.1 soa > dig.out.sha256-128 || ret=1
+grep -i "sha256.*TSIG.*BADTRUNC" dig.out.sha256-128 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+	echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha384-192 (BADTRUNC)"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha384-192:sha384:$sha384" @10.53.0.1 soa > dig.out.sha384-192 || ret=1
+grep -i "sha384.*TSIG.*BADTRUNC" dig.out.sha384-192 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+	echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha512-256 (BADTRUNC)"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha512-256:sha512:$sha512" @10.53.0.1 soa > dig.out.sha512-256 || ret=1
+grep -i "sha512.*TSIG.*BADTRUNC" dig.out.sha512-256 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+	echo_i "failed"; status=1
+fi
+
+echo_i "attempting fetch with bad tsig algorithm"
+ret=0
+$DIG $DIGOPTS example.nil. -y "badalgo:invalid:$sha512" @10.53.0.1 soa > dig.out.badalgo 2>&1 || ret=1
+grep -i "Couldn't create key invalid: algorithm is unsupported" dig.out.badalgo > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+	echo_i "failed"; status=1
+fi
+
+echo_i "checking both OPT and TSIG records are returned when TC=1"
+ret=0
+$DIG -p ${PORT} +ignore +bufsize=512 large.example.nil -y "hmac-sha1:sha1:$sha1" @10.53.0.1 txt > dig.out.large 2>&1 || ret=1
+grep "flags:.* tc[ ;]" dig.out.large > /dev/null || ret=1
+grep "status: NOERROR" dig.out.large > /dev/null || ret=1
+grep "EDNS:" dig.out.large > /dev/null || ret=1
+grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+	echo_i "failed"; status=1
+fi
+
+echo_i "check that dnssec-keygen won't generate TSIG keys"
+ret=0
+$KEYGEN -a hmac-sha256 -b 128 -n host example.net > keygen.out3 2>&1 && ret=1
+grep "unknown algorithm" keygen.out3 > /dev/null || ret=1
+
+echo_i "check that a 'BADTIME' response with 'QR=0' is handled as a request"
+ret=0
+$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp < badtime > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.1 version.bind txt ch > dig.out.verify || ret=1
+grep "status: NOERROR" dig.out.verify > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+    echo_i "failed"; status=1
+fi
+
+if "$PERL" -e 'use Net::DNS; use Net::DNS::Packet;' > /dev/null 2>&1
+then
+  echo_i "check that TSIG in the wrong place returns FORMERR"
+  ret=0
+  $PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t udp -d < badlocation > packet.out
+  grep "rcode  = FORMERR" packet.out > /dev/null || ret=1
+  if [ $ret -eq 1 ] ; then
+    echo_i "failed"; status=1
+  fi
+fi
+
+echo_i "check that a malformed truncated response to a TSIG query is handled"
+ret=0
+$DIG -p $PORT @10.53.0.1 bad-tsig > dig.out.bad-tsig || ret=1
+grep "status: SERVFAIL" dig.out.bad-tsig > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+    echo_i "failed"; status=1
+fi
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/tsiggss/authsock.pl b/bin/tests/system/tsiggss/authsock.pl
new file mode 100644
index 0000000..d629c65
--- /dev/null
+++ b/bin/tests/system/tsiggss/authsock.pl
@@ -0,0 +1,96 @@
+#!/usr/bin/env perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# test the update-policy external protocol
+
+require 5.6.0;
+
+use IO::Socket::UNIX;
+use Getopt::Long;
+
+my $path;
+my $typeallowed = "A";
+my $pidfile = "authsock.pid";
+my $timeout = 0;
+
+GetOptions("path=s" => \$path,
+	   "type=s" => \$typeallowed,
+	   "pidfile=s" => \$pidfile,
+	   "timeout=i" => \$timeout);
+
+if (!defined($path)) {
+	print("Usage: authsock.pl --path=<sockpath> --type=type --pidfile=pidfile\n");
+	exit(1);
+}
+
+unlink($path);
+my $server = IO::Socket::UNIX->new(Local => $path, Type => SOCK_STREAM, Listen => 8) or
+    die "unable to create socket $path";
+chmod 0777, $path;
+
+# setup our pidfile
+open(my $pid,">",$pidfile)
+    or die "unable to open pidfile $pidfile";
+print $pid "$$\n";
+close($pid);
+
+# close gracefully
+sub rmpid { unlink "$pidfile"; exit 1; };
+$SIG{INT} = \&rmpid;
+$SIG{TERM} = \&rmpid;
+
+if ($timeout != 0) {
+    # die after the given timeout
+    alarm($timeout);
+}
+
+while (my $client = $server->accept()) {
+	$client->recv(my $buf, 8, 0);
+	my ($version, $req_len) = unpack('N N', $buf);
+
+	if ($version != 1 || $req_len < 17) {
+		printf("Badly formatted request\n");
+		$client->send(pack('N', 2));
+		next;
+	}
+
+	$client->recv(my $buf, $req_len - 8, 0);
+
+	my ($signer,
+	    $name,
+	    $addr,
+	    $type,
+	    $key,
+	    $key_data) = unpack('Z* Z* Z* Z* Z* N/a', $buf);
+
+	if ($req_len != length($buf)+8) {
+		printf("Length mismatch %u %u\n", $req_len, length($buf)+8);
+		$client->send(pack('N', 2));
+		next;
+	}
+
+	printf("version=%u signer=%s name=%s addr=%s type=%s key=%s key_data_len=%u\n",
+	       $version, $signer, $name, $addr, $type, $key, length($key_data));
+
+	my $result;
+	if ($typeallowed eq $type) {
+		$result = 1;
+		printf("allowed type %s == %s\n", $type, $typeallowed);
+	} else {
+		printf("disallowed type %s != %s\n", $type, $typeallowed);
+		$result = 0;
+	}
+
+	$reply = pack('N', $result);
+	$client->send($reply);
+}
diff --git a/bin/tests/system/tsiggss/clean.sh b/bin/tests/system/tsiggss/clean.sh
new file mode 100644
index 0000000..0ace209
--- /dev/null
+++ b/bin/tests/system/tsiggss/clean.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Clean up after tsiggss tests.
+#
+
+rm -f ns1/*.jnl ns1/update.txt ns1/auth.sock
+rm -f ns1/*.db ns1/K*.key ns1/K*.private
+rm -f ns1/_default.tsigkeys
+rm -f */named.memstats
+rm -f */named.conf
+rm -f */named.run
+rm -f authsock.pid
+rm -f ns1/core
+rm -f nsupdate.out*
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/tsiggss/ns1/administrator.ccache b/bin/tests/system/tsiggss/ns1/administrator.ccache
new file mode 100644
index 0000000..e6c2e74
--- /dev/null
+++ b/bin/tests/system/tsiggss/ns1/administrator.ccache
diff --git a/bin/tests/system/tsiggss/ns1/dns.keytab b/bin/tests/system/tsiggss/ns1/dns.keytab
new file mode 100644
index 0000000..dcb863b
--- /dev/null
+++ b/bin/tests/system/tsiggss/ns1/dns.keytab
diff --git a/bin/tests/system/tsiggss/ns1/example.nil.db.in b/bin/tests/system/tsiggss/ns1/example.nil.db.in
new file mode 100644
index 0000000..536ef29
--- /dev/null
+++ b/bin/tests/system/tsiggss/ns1/example.nil.db.in
@@ -0,0 +1,62 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; -*- zone -*-
+; this was generated by a Samba4 provision, and is typical 
+; of a AD DNS zone
+$ORIGIN example.nil.
+$TTL 1W
+@               IN SOA  blu   hostmaster (
+                                2010113027   ; serial
+                                2D              ; refresh
+                                4H              ; retry
+                                6W              ; expiry
+                                1W )            ; minimum
+			IN NS	blu
+
+            IN A    10.53.0.1
+;
+
+blu        IN A    10.53.0.1
+gc._msdcs               IN A    10.53.0.1
+
+fb33eb58-5d58-4100-a114-256e0a97ffc1._msdcs	IN CNAME	blu
+;
+; global catalog servers
+_gc._tcp		IN SRV 0 100 3268	blu
+_gc._tcp.Default-First-Site-Name._sites	IN SRV 0 100 3268	blu
+_ldap._tcp.gc._msdcs	IN SRV 0 100 3268	blu
+_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs	IN SRV 0 100 3268 blu
+;
+; ldap servers
+_ldap._tcp		IN SRV 0 100 389	blu
+_ldap._tcp.dc._msdcs	IN SRV 0 100 389	blu
+_ldap._tcp.pdc._msdcs	IN SRV 0 100 389	blu
+_ldap._tcp.d86745b4-f3e0-4af3-be03-2130d1534be8.domains._msdcs		IN SRV 0 100 389 blu
+_ldap._tcp.Default-First-Site-Name._sites		IN SRV 0 100 389 blu
+_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs	IN SRV 0 100 389 blu
+;
+; krb5 servers
+_kerberos._tcp		IN SRV 0 100 88		blu
+_kerberos._tcp.dc._msdcs	IN SRV 0 100 88	blu
+_kerberos._tcp.Default-First-Site-Name._sites	IN SRV 0 100 88	blu
+_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs	IN SRV 0 100 88 blu
+_kerberos._udp		IN SRV 0 100 88		blu
+; MIT kpasswd likes to lookup this name on password change
+_kerberos-master._tcp		IN SRV 0 100 88		blu
+_kerberos-master._udp		IN SRV 0 100 88		blu
+;
+; kpasswd
+_kpasswd._tcp		IN SRV 0 100 464	blu
+_kpasswd._udp		IN SRV 0 100 464 	blu
+;
+; heimdal 'find realm for host' hack
+_kerberos		IN TXT	EXAMPLE.NIL
diff --git a/bin/tests/system/tsiggss/ns1/named.conf.in b/bin/tests/system/tsiggss/ns1/named.conf.in
new file mode 100644
index 0000000..1dfa49a
--- /dev/null
+++ b/bin/tests/system/tsiggss/ns1/named.conf.in
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	session-keyfile "session.key";
+	listen-on { 10.53.0.1; 127.0.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	tkey-gssapi-keytab "dns.keytab";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "example.nil." IN {
+	type primary;
+	file "example.nil.db";
+
+	update-policy {
+		grant Administrator@EXAMPLE.NIL wildcard * A AAAA SRV CNAME;
+		grant testdenied@EXAMPLE.NIL wildcard * TXT;
+		grant "local:auth.sock" external * CNAME;
+	};
+
+	/* we need to use check-names ignore so _msdcs A records can be created */
+	check-names ignore;
+};
diff --git a/bin/tests/system/tsiggss/ns1/testdenied.ccache b/bin/tests/system/tsiggss/ns1/testdenied.ccache
new file mode 100644
index 0000000..070e85b
--- /dev/null
+++ b/bin/tests/system/tsiggss/ns1/testdenied.ccache
diff --git a/bin/tests/system/tsiggss/prereq.sh b/bin/tests/system/tsiggss/prereq.sh
new file mode 100644
index 0000000..20ae6b6
--- /dev/null
+++ b/bin/tests/system/tsiggss/prereq.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+# enable the tsiggss test only if gssapi was enabled
+$FEATURETEST --gssapi ||  {
+        echo_i "gssapi and krb5 not supported - skipping tsiggss test"
+        exit 255
+}
+
+exit 0
diff --git a/bin/tests/system/tsiggss/setup.sh b/bin/tests/system/tsiggss/setup.sh
new file mode 100644
index 0000000..3b07647
--- /dev/null
+++ b/bin/tests/system/tsiggss/setup.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+
+key=`$KEYGEN -Cq -K ns1 -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n HOST -T KEY key.example.nil.`
+cat ns1/example.nil.db.in ns1/${key}.key > ns1/example.nil.db
diff --git a/bin/tests/system/tsiggss/tests.sh b/bin/tests/system/tsiggss/tests.sh
new file mode 100644
index 0000000..2d5dc8e
--- /dev/null
+++ b/bin/tests/system/tsiggss/tests.sh
@@ -0,0 +1,177 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# tests for TSIG-GSS updates
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=1
+
+DIGOPTS="@10.53.0.1 -p ${PORT}"
+
+test_update () {
+    num="$1"
+    host="$2"
+    type="$3"
+    cmd="$4"
+    digout="$5"
+
+    cat <<EOF > ns1/update.txt
+server 10.53.0.1 ${PORT}
+update add $host $cmd
+send
+answer
+EOF
+    echo_i "testing update for $host $type $cmd"
+    $NSUPDATE -g -d ns1/update.txt > nsupdate.out${num} 2>&1 || {
+	echo_i "update failed for $host $type $cmd"
+	sed "s/^/I:/" nsupdate.out${num}
+	return 1
+    }
+
+    # Verify that TKEY response is signed.
+    tkeyout=`awk '/recvmsg reply from GSS-TSIG query/,/Sending update to/' nsupdate.out${num}`
+    pattern="recvmsg reply from GSS-TSIG query .* opcode: QUERY, status: NOERROR, id: .* flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; QUESTION SECTION: ;.* ANY TKEY ;; ANSWER SECTION: .* 0 ANY TKEY gss-tsig\. .* ;; TSIG PSEUDOSECTION: .* 0 ANY TSIG gss-tsig\. .* NOERROR 0"
+    echo $tkeyout | grep "$pattern" > /dev/null || {
+	echo_i "bad tkey response (not tsig signed)"
+	return 1
+    }
+
+    # Weak verification that TKEY response is signed.
+    grep -q "flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" nsupdate.out${num} || {
+	echo_i "bad tkey response (not tsig signed)"
+	return 1
+    }
+
+    out=`$DIG $DIGOPTS -t $type -q $host | grep -E "^${host}"`
+    lines=`echo "$out" | grep "$digout" | wc -l`
+    [ $lines -eq 1 ] || {
+	echo_i "dig output incorrect for $host $type $cmd: $out"
+	return 1
+    }
+    return 0
+}
+
+
+# Testing updates with good credentials.
+KRB5CCNAME="FILE:"`pwd`/ns1/administrator.ccache
+export KRB5CCNAME
+
+echo_i "testing updates to testdc1 as administrator ($n)"
+ret=0
+test_update $n testdc1.example.nil. A "86400 A 10.53.0.10" "10.53.0.10" || ret=1
+n=$((n+1))
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "testing updates to testdc2 as administrator ($n)"
+ret=0
+test_update $n testdc2.example.nil. A "86400 A 10.53.0.11" "10.53.0.11" || ret=1
+n=$((n+1))
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "testing updates to denied as administrator ($n)"
+ret=0
+test_update $n denied.example.nil. TXT "86400 TXT helloworld" "helloworld" > /dev/null && ret=1
+n=$((n+1))
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+
+# Testing denied updates.
+KRB5CCNAME="FILE:"`pwd`/ns1/testdenied.ccache
+export KRB5CCNAME
+
+echo_i "testing updates to denied (A) as a user ($n)"
+ret=0
+test_update $n testdenied.example.nil. A "86400 A 10.53.0.12" "10.53.0.12" > /dev/null && ret=1
+n=$((n+1))
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "testing updates to denied (TXT) as a user ($n)"
+ret=0
+test_update $n testdenied.example.nil. TXT "86400 TXT helloworld" "helloworld" || ret=1
+n=$((n+1))
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "testing external update policy (CNAME) ($n)"
+ret=0
+test_update $n testcname.example.nil. CNAME "86400 CNAME testdenied.example.nil" "testdenied" > /dev/null && ret=1
+n=$((n+1))
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "testing external update policy (CNAME) with auth sock ($n)"
+ret=0
+$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 > /dev/null 2>&1 &
+sleep 1
+test_update $n testcname.example.nil. CNAME "86400 CNAME testdenied.example.nil" "testdenied" || ret=1
+n=$((n+1))
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "testing external update policy (A) ($n)"
+ret=0
+test_update $n testcname.example.nil. A "86400 A 10.53.0.13" "10.53.0.13" > /dev/null && ret=1
+n=$((n+1))
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "testing external policy with SIG(0) key ($n)"
+ret=0
+$NSUPDATE -k ns1/Kkey.example.nil.*.private <<END > /dev/null 2>&1 || ret=1
+server 10.53.0.1 ${PORT}
+zone example.nil
+update add fred.example.nil 120 cname foo.bar.
+send
+END
+output=`$DIG $DIGOPTS +short cname fred.example.nil.`
+[ -n "$output" ] || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+n=$((n+1))
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "ensure too long realm name is fatal in non-interactive mode ($n)"
+ret=0
+$NSUPDATE <<END > nsupdate.out${n} 2>&1 && ret=1
+    realm namenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamename
+END
+grep "realm is too long" nsupdate.out${n} > /dev/null || ret=1
+grep "syntax error" nsupdate.out${n} > /dev/null || ret=1
+n=$((n+1))
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "ensure too long realm name is not fatal in interactive mode ($n)"
+ret=0
+$NSUPDATE -i <<END > nsupdate.out${n} 2>&1 || ret=1
+    realm namenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamename
+END
+grep "realm is too long" nsupdate.out${n} > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+n=$((n+1))
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+[ $status -eq 0 ] && echo_i "tsiggss tests all OK"
+
+kill `cat authsock.pid`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/tsiggss/tests_isc_spnego_flaws.py b/bin/tests/system/tsiggss/tests_isc_spnego_flaws.py
new file mode 100755
index 0000000..6340b5a
--- /dev/null
+++ b/bin/tests/system/tsiggss/tests_isc_spnego_flaws.py
@@ -0,0 +1,219 @@
+#!/usr/bin/python
+############################################################################
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+############################################################################
+
+"""
+A tool for reproducing ISC SPNEGO vulnerabilities
+"""
+
+import argparse
+import datetime
+import struct
+import time
+
+import pytest
+
+pytest.importorskip("dns")
+import dns.message
+import dns.name
+import dns.query
+import dns.rdata
+import dns.rdataclass
+import dns.rdatatype
+import dns.rrset
+
+
+class CraftedTKEYQuery:
+    # pylint: disable=too-few-public-methods
+
+    """
+    A class for preparing crafted TKEY queries
+    """
+
+    def __init__(self, opts: argparse.Namespace) -> None:
+        # Prepare crafted key data
+        tkey_data = ASN1Encoder(opts).get_tkey_data()
+        # Prepare TKEY RDATA containing crafted key data
+        rdata = dns.rdata.GenericRdata(
+            dns.rdataclass.ANY, dns.rdatatype.TKEY, self._get_tkey_rdata(tkey_data)
+        )
+        # Prepare TKEY RRset with crafted RDATA (for the ADDITIONAL section)
+        rrset = dns.rrset.from_rdata(dns.name.root, dns.rdatatype.TKEY, rdata)
+
+        # Prepare complete TKEY query to send
+        self.msg = dns.message.make_query(
+            dns.name.root, dns.rdatatype.TKEY, dns.rdataclass.ANY
+        )
+        self.msg.additional.append(rrset)
+
+    def _get_tkey_rdata(self, tkey_data: bytes) -> bytes:
+        """
+        Return the RDATA to be used for the TKEY RRset sent in the ADDITIONAL
+        section
+        """
+        tkey_rdata = dns.name.from_text("gss-tsig.").to_wire()  # domain
+        if not tkey_rdata:
+            return b""
+        tkey_rdata += struct.pack(">I", int(time.time()) - 3600)  # inception
+        tkey_rdata += struct.pack(">I", int(time.time()) + 86400)  # expiration
+        tkey_rdata += struct.pack(">H", 3)  # mode
+        tkey_rdata += struct.pack(">H", 0)  # error
+        tkey_rdata += self._with_len(tkey_data)  # key
+        tkey_rdata += struct.pack(">H", 0)  # other size
+        return tkey_rdata
+
+    def _with_len(self, data: bytes) -> bytes:
+        """
+        Return 'data' with its length prepended as a 16-bit big-endian integer
+        """
+        return struct.pack(">H", len(data)) + data
+
+
+class ASN1Encoder:
+    # pylint: disable=too-few-public-methods
+
+    """
+    A custom ASN1 encoder which allows preparing malformed GSSAPI tokens
+    """
+
+    SPNEGO_OID = b"\x06\x06\x2b\x06\x01\x05\x05\x02"
+
+    def __init__(self, opts: argparse.Namespace) -> None:
+        self._real_oid_length = opts.real_oid_length
+        self._extra_oid_length = opts.extra_oid_length
+
+    # The TKEY RR being sent contains an encoded negTokenInit SPNEGO message.
+    # RFC 4178 section 4.2 specifies how such a message is constructed.
+
+    def get_tkey_data(self) -> bytes:
+        """
+        Return the key data field of the TKEY RR to be sent
+        """
+        return self._asn1(
+            data_id=b"\x60", data=self.SPNEGO_OID + self._get_negtokeninit()
+        )
+
+    def _get_negtokeninit(self) -> bytes:
+        """
+        Return the ASN.1 DER-encoded form of the negTokenInit message to send
+        """
+        return self._asn1(
+            data_id=b"\xa0",
+            data=self._asn1(
+                data_id=b"\x30",
+                data=self._get_mechtypelist(),
+                extra_length=self._extra_oid_length,
+            ),
+            extra_length=self._extra_oid_length,
+        )
+
+    def _get_mechtypelist(self) -> bytes:
+        """
+        Return the ASN.1 DER-encoded form of the MechTypeList to send
+        """
+        return self._asn1(
+            data_id=b"\xa0",
+            data=self._asn1(
+                data_id=b"\x30",
+                data=self._get_mechtype(),
+                extra_length=self._extra_oid_length,
+            ),
+            extra_length=self._extra_oid_length,
+        )
+
+    def _get_mechtype(self) -> bytes:
+        """
+        Return the ASN.1 DER-encoded form of a bogus security mechanism OID
+        which consists of 'self._real_oid_length' 0x01 bytes
+        """
+        return self._asn1(
+            data_id=b"\x06",
+            data=b"\x01" * self._real_oid_length,
+            extra_length=self._extra_oid_length,
+        )
+
+    def _asn1(self, data_id: bytes, data: bytes, extra_length: int = 0) -> bytes:
+        """
+        Return the ASN.1 DER-encoded form of 'data' to be included in GSSAPI
+        key data, designated with 'data_id' as the content identifier.  Setting
+        'extra_length' to a positive integer allows data length indicated in
+        the ASN.1 DER representation of 'data' to be increased beyond its
+        actual size.
+        """
+        data_len = struct.pack(">I", len(data) + extra_length)
+        return data_id + b"\x84" + data_len + data
+
+
+def parse_options() -> argparse.Namespace:
+    """
+    Parse command line options
+    """
+    parser = argparse.ArgumentParser()
+    parser.add_argument("--server-ip", required=True)
+    parser.add_argument("--server-port", type=int, default=53)
+    parser.add_argument("--real-oid-length", type=int, default=1)
+    parser.add_argument("--extra-oid-length", type=int, default=0)
+
+    return parser.parse_args()
+
+
+def send_crafted_tkey_query(opts: argparse.Namespace) -> None:
+    """
+    Script entry point
+    """
+
+    query = CraftedTKEYQuery(opts).msg
+    print("# > " + str(datetime.datetime.now()))
+    print(query.to_text())
+    print()
+
+    response = dns.query.tcp(query, opts.server_ip, timeout=2, port=opts.server_port)
+    print("# < " + str(datetime.datetime.now()))
+    print(response.to_text())
+    print()
+
+
+def test_cve_2020_8625(named_port):
+    """
+    Reproducer for CVE-2020-8625.  When run for an affected BIND 9 version,
+    send_crafted_tkey_query() will raise a network-related exception due to
+    named (ns1) becoming unavailable after crashing.
+    """
+    for i in range(0, 50):
+        opts = argparse.Namespace(
+            server_ip="10.53.0.1",
+            server_port=named_port,
+            real_oid_length=i,
+            extra_oid_length=0,
+        )
+        send_crafted_tkey_query(opts)
+
+
+def test_cve_2021_25216(named_port):
+    """
+    Reproducer for CVE-2021-25216.  When run for an affected BIND 9 version,
+    send_crafted_tkey_query() will raise a network-related exception due to
+    named (ns1) becoming unavailable after crashing.
+    """
+    opts = argparse.Namespace(
+        server_ip="10.53.0.1",
+        server_port=named_port,
+        real_oid_length=1,
+        extra_oid_length=1073741824,
+    )
+    send_crafted_tkey_query(opts)
+
+
+if __name__ == "__main__":
+    cli_opts = parse_options()
+    send_crafted_tkey_query(cli_opts)
diff --git a/bin/tests/system/ttl/clean.sh b/bin/tests/system/ttl/clean.sh
new file mode 100644
index 0000000..3bb41d9
--- /dev/null
+++ b/bin/tests/system/ttl/clean.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f ./*/named.conf
+rm -f ./*/named.memstats
+rm -f ./*/named.run
+rm -f ./ns*/managed-keys.bind*
diff --git a/bin/tests/system/ttl/ns1/max-example.db b/bin/tests/system/ttl/ns1/max-example.db
new file mode 100644
index 0000000..aeaafc7
--- /dev/null
+++ b/bin/tests/system/ttl/ns1/max-example.db
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+max-example.	1209600	IN SOA	ns root (
+				2000082401 ; serial
+				1800       ; refresh (30 minutes)
+				1800       ; retry (30 minutes)
+				1814400    ; expire (3 weeks)
+				1209600    ; minimum (2 weeks)
+				)
+max-example.	1209600	IN NS	ns.max-example.
+ns.max-example.	1209600	IN A	10.53.0.1
diff --git a/bin/tests/system/ttl/ns1/min-example.db b/bin/tests/system/ttl/ns1/min-example.db
new file mode 100644
index 0000000..87d6e7e
--- /dev/null
+++ b/bin/tests/system/ttl/ns1/min-example.db
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+min-example.	0	IN SOA	ns root (
+				2000082401 ; serial
+				1800       ; refresh (30 minutes)
+				1800       ; retry (30 minutes)
+				1814400    ; expire (3 weeks)
+				0          ; minimum (0 seconds)
+				)
+min-example.	0	IN NS	ns.min-example.
+ns.min-example.	0	IN A	10.53.0.1
diff --git a/bin/tests/system/ttl/ns1/named.conf.in b/bin/tests/system/ttl/ns1/named.conf.in
new file mode 100644
index 0000000..4c771c9
--- /dev/null
+++ b/bin/tests/system/ttl/ns1/named.conf.in
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	check-integrity no;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "min-example" {
+	type primary;
+	file "min-example.db";
+};
+
+zone "max-example" {
+	type primary;
+	file "max-example.db";
+};
diff --git a/bin/tests/system/ttl/ns2/hints.db b/bin/tests/system/ttl/ns2/hints.db
new file mode 100644
index 0000000..c9264bf
--- /dev/null
+++ b/bin/tests/system/ttl/ns2/hints.db
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. 60 IN NS ns.nil.
+ns.nil. 60 IN A 10.53.0.1
diff --git a/bin/tests/system/ttl/ns2/named.conf.in b/bin/tests/system/ttl/ns2/named.conf.in
new file mode 100644
index 0000000..d1c56ac
--- /dev/null
+++ b/bin/tests/system/ttl/ns2/named.conf.in
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	directory ".";
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	servfail-ttl 0;
+	max-recursion-depth 12;
+	recursion yes;
+	dnssec-validation no;
+	min-cache-ttl 60;
+	min-ncache-ttl 30;
+	max-cache-ttl 120;
+	max-ncache-ttl 60;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." { type hint; file "hints.db"; };
diff --git a/bin/tests/system/ttl/prereq.sh b/bin/tests/system/ttl/prereq.sh
new file mode 100644
index 0000000..aa97ae2
--- /dev/null
+++ b/bin/tests/system/ttl/prereq.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if test -n "$PYTHON"
+then
+    if $PYTHON -c "import dns" 2> /dev/null
+    then
+        :
+    else
+        echo_i "This test requires the dnspython module." >&2
+        exit 1
+    fi
+else
+    echo_i "This test requires Python and the dnspython module." >&2
+    exit 1
+fi
+
+exit 0
diff --git a/bin/tests/system/ttl/setup.sh b/bin/tests/system/ttl/setup.sh
new file mode 100644
index 0000000..87c524f
--- /dev/null
+++ b/bin/tests/system/ttl/setup.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
diff --git a/bin/tests/system/ttl/tests_cache_ttl.py b/bin/tests/system/ttl/tests_cache_ttl.py
new file mode 100644
index 0000000..9025283
--- /dev/null
+++ b/bin/tests/system/ttl/tests_cache_ttl.py
@@ -0,0 +1,32 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import pytest
+
+pytest.importorskip("dns")
+import dns.message
+import dns.query
+
+
+@pytest.mark.parametrize(
+    "qname,rdtype,expected_ttl",
+    [
+        ("min-example.", "SOA", 60),
+        ("min-example.", "MX", 30),
+        ("max-example.", "SOA", 120),
+        ("max-example.", "MX", 60),
+    ],
+)
+def test_cache_ttl(qname, rdtype, expected_ttl, named_port):
+    msg = dns.message.make_query(qname, rdtype)
+    response = dns.query.udp(msg, "10.53.0.2", timeout=10, port=named_port)
+    for rr in response.answer + response.authority:
+        assert rr.ttl == expected_ttl
diff --git a/bin/tests/system/unknown/clean.sh b/bin/tests/system/unknown/clean.sh
new file mode 100644
index 0000000..1d73edd
--- /dev/null
+++ b/bin/tests/system/unknown/clean.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f dig.out* check.out
+rm -f */named.memstats
+rm -f */named.conf
+rm -f */named.run
+rm -f */*.bk
+rm -f */*.bk.*
+rm -f ns3/Kexample.*
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind* ns*/*.mkeys*
diff --git a/bin/tests/system/unknown/large.out b/bin/tests/system/unknown/large.out
new file mode 100644
index 0000000..812bde5
--- /dev/null
+++ b/bin/tests/system/unknown/large.out
@@ -0,0 +1 @@
+\# 48000 45841674994E4F5E4BA43AADA754D631DFB7E12155E7F10C551032B3 E56ED5BA5136C15CDA201E7E5E54FB60A99388B61A565C1CF74CD8AA E1AEE7FBEB54CEBEE065CF2B1B317F67277AE733183C668BA81A7EFE C322D36FB5CC6293AD7F7AE3544A7C64D404C4EEB1B889E9780A213B D548A018BE2E1B6A3B8840D714DDB8C0A66BEAA4C2A1471D216AD0EB 8D2C884960D30FD3FAD058C47EACE42AAB0F0D40A690CA3BAF9616B7 373B889788E891757AE0EEACCD291D87D05DAED8631D1EBF9202F816 59754CA11221E902A69C7BF0039310EDF5305ACE5404DDD02163BE0A 22334879A27BFA7702E13D06F15887261A12ABFD0C01966FA67F97ED 38C521DBCFF8A2AA8DAF53F1EAA7991B6767DA0E68B2EBB38BEB8F1A ADAA30C1185870DAD0091E7AF0BBED453CE081BA5DC87CA5A764592E D7312C6A26F7E358EF35182A49763A61C9A0C5DBDDCF199251381215 51EB3C3CED9F529F03A85429F42F75503EFA6E1301AA7AD9B29C5AAA A1EF6EE5BBE9E2639D65BAF98A6B06243483A2453969F65F9A0DAD3D 8630522079B8C1079E28057D63696739B71F57EE85AB20A596865D77 EF70412C7A4BE7D9D5A4EB13709F0EC1AF6A4CF962364761EBD62EFB 4F16EE843C1B214944EFF2C81563C4AC4C854C32972DF761F17FDCAC 3E40E02757FDF1FA57F77E1C86C3D488B02D4634501801BE4F929FFD E0ED07112093D9018D59CEE1733BFDC8A968A831D42B95C087A578E3 C6EEFACFA1C9089072AB490D631B2D00CB75CB33586917F103842856 CA2F5CCD449465B4A86A37F8147D626969F02DAFACD4BA81B680E5DC 288037ADA3BE902E2EF9C129710200AC93F5D3BF1C1418B65D98BDF1 01D38D9B2C5F25A3D09A4638DCC2C0D0CF411F3ED747E6745AC7A8BE 03EA2EE990979CF3B8398C4BFB058012DE25FBF0E1081C4205AFC54D 3BDA63565BC0BC3F6AF91F083ABC26AC7047E2759F28525498AE6461 A1F66B900FDE5D8CD6C842C587F28620444AD5BD3B522F0294C14E22 79B5C577F3F41C15A723A20259805AA18360F6B954B75D98BEECD0C0 A0AD151B0027CCA891932ADFCA9B7ECA33FD585031C188F8D851E3BB C8552F340E1319553BFE776975BAEE6ACF025B8C4849C0A430049734 114B75345228D19846B39580F1C328068A4B36C43EF13380BE7E5406 0ACD9494EE99908F57E779A4C20728135D509B52D5066CC7BAC77F1C 4FCF81E9F0C7CF621593E90F398C56B14FDDC74F62A4854655CB27B1 DC94A83F9A4A52055EA74EA3129F88CB8D01870BFD5157CB966CFA41 21E018C2DD72F363DFA5011D1072FD9350DDE79BEC213520CD68CCEA 356EE24B2C3E84871540C410353E9514188A46771B07B2B0E261287D 353A8D55A71077B4B509FB99C80D7D07F6739CBC9ED82A5A40E624C0 860A42049585C0ABC164B6E5E726DA58B6FAF8384E0C8E9A03BAE074 415335BAC4E72AAD561CB77A8D7AAD25C67F3D74F38B62F43A2012FB E62C0DEF6BE948098DBCBB0F06769663B8E6A7C0D88AC914DBB8BAA7 85F4509B2DECAD57F85516D2AEF23A24202B4123F4CE41E97653B5F3 8E7E092C8EBFDC36A46D204237AE71484F4249740C2ECA7BEACE1699 CCAAC0DAA6AD8C1A0C5AEB59086C2179A235085D0C68942C8FBD67EC 7FCF627049DF4790757F40D7D027FBEAE4A358EDD5867C7F56710460 38E3086D76D3E22F868DBE60C64EB123BBF15358FD7D5B6511CEDECF A701494B143F77F7463D8E3099B811E8AB53092B3EF6E995A655086B CF61EB773900D425132A04530BEFC404F5BC27D98DD2367BB815580F 8BB7CBEF4793680648959A44A6CD216196A4BD61D1CC44326869877E 2BE943C6C7BB95B854117B1A0B00D33083AFE54461024BD791B2724B ED82EDD289F9376C7E0502627E1E3672345DC53F1F25AFB60568CA28 C84B9214D32FB5D805CDD31324640519C3DD0B6519FA93AB15D734FC 0C5ABBFA90C910C90C3F38B0688B584B6285427F760414C9445B415F E433908035081F5CA081AB53CC7C2701F65A18A5E64EBA887BAD3343 2735C1E62AD2B35F0A258892D919835DFA523E2BAC6DDEBDC0C57640 1F21D937711D774153A7EC42125D24D115240FADB90FE0061D9EC041 EF2905E4AA3E81C453572DF0F72A43D070492261DCAD28174F8B1697 9DB03C2F96D9E53CBFEF510A1BB5D6CFBC4F92A9E94C0C018738E2A9 30922603083124284B076FC1F93AFB20878CCF756C8DE07DC6D01C27 3FF2608136A8DCE64BA4287CC19E35B72B40A32B435F3BFBE94A97F0 972AEBB4C54D95F4993EB831307D22647A1EB7C525FD470FB9CA13D3 404CA5ECFF99E87B73C5B88FD4A905220DB8D183C325E7D27A4D70F7 1469ED347AB68A9F7F1A5EA235BCD9F9BBBEF91A9DF227109D715941 F54EA464C9F8A9D0724BD4C9772023B086BD521C516449C780500CB3 3630AE28CF02C19C0958FAEE545B953CA46217B7AD600679ACD85DCF ECCF4012AA9D5A7E1A1B1A43C7D9A91F8766ED3A5EF61A7A0840BEE2 B8EECCD5932CB1438A7AA271CE6906BDC3D9230AB8D0B095BE53869B 37455D0BAC413F518E39767F23FC669AA0742B8B5196FEDD1284C27D 05372F4653618962468AE24A6C575DAEA152D036619ADB965487D063 1B6182A0EBDD5AAC519ABBC1CBE766283788E8FCE8CE91760EDB4CDA C1636DE694364FED377B9DD5512BB258FF28533CA454EE161E69A58F 7964A88AFAFE768340ED78896D02FCC6D00090728C86C3C21CF4B89E EB975E2A674B64DA5BC5D05F6D647252E7B3394031BC9B4565C466E5 D9B8D9C2DD96A9950AE0D879BFD8C343709968F0D4A885D9C0A4AD22 B08FA3CB093DCD583AFD49966CB842F3E739FC665AE78550914896A2 D8F660726E02B7847AFAF327990A3478362C091F2B0BF7DD8AFD4F93 5141E63C7C4A680BB02BF84BA0E2FBCE5FCACF1CD51C7732E97A358D BFF58DC07AE2CFC5F66EF5A8532F31BFCFA86886751ECFE4D3234C3E C84EABCB9DE56BD72847E894AC95103FEB7DE2C89780E7377ED61A1B D813F64957419BD798632AA7B5A43D5E90463FE5DB8373A91487E71A B990C0B68C4F86305A3CB78216C98188D9C4FF715D7CC72BD4B64253 B4A894B2B9A3F7AA6C41A1ED2A7CC3553C3716C6D3CA42E4746A1801 93FF49E0B8063412EF9DF6217C97D30FB7ECC5ABACF22E08105B0B09 807B3F3CDF66A695F46F5ACE7FFF41208859CA38610F6A91368685C9 EF8E68958ACAB3C7F198A484ACD6592CDD0F1507AF662A61E9FE8EB4 0EFEEBED64888802978952DD21C9D903B2BE0845C3611A138C2750B1 35D0D55FAE5AE23A8274DA034E28D2B7760F82AB2F83AB1CD34D9C45 F7FB63527845704A4E68CF578C8604F269F70DB8F4462980EEAAA40A C20076FDDDFA2F2F31AE7E031388ED6BCBF0DA39FD210351C956151C 5A69B8DB3ECBA80B6DA822A858E8D5ABC24D3AFBADE4B8FAC50CD36F 3926AF3CC6917D2A54A83540BBC96ECADBCDBA189849B07B865538B3 B4FE142D2DFC0DEC688DA44B3C0B8C4605A00CC826BD5826A8E43F22 5E75D246DE2C896394AC9169746689010F2E958029F874A084813663 BF14A38111685457842BE8566C634FE7BD34A0846B82929DC357F06B A186A3A6917521881A1B84473B9D6BE8C10DDA27655BCEF81AC6E717 CCA29E9E0F6A02578B7A6F97CEC7B600785C4ACE6EAFE9F7F604F754 0538F96501467456BF132D1F52555DE292C21E3AA5FC24CD57E2A65E 742E2FEC311F3CBD19B9B4F8E9C5A66191F4C19B8F641D9C7FA58338 F179B533DCBF6A88849E4BD01B094B5B8B09BBF3095F683029DFA61A 4C91A582DF0380AA4A0ABC97A7BA9735BC7C2894AE6883B42CDCA772 626C31088C1684F64DEA810199C2D48A5467DB001BA4E274C0F7A5E7 62CC615A91FE537B356C7D76D24D310EF4D6D1E19F1788FED740686E 9BCE08E6B06B99A3BB7100477563992420FC70BB75B783820DF34C3F 7595E7EFC3E225EA5F2B33C05F515E1D3B4DA67B0DD461E1A82260B6 D2B7A0A43265A8003A5FD13F57CF05878211C6E1EB8C635A2C8D1533 F0260FAD1DF4FA41CE398E0974A5EA54AEBECF6E9AE57562BAA826C9 831C56CAB61565E2697E96F563D55B75B48A4FB6F32C02EBC2BFEC9F D519C396FFF42F1C4953DCD2EDE87F62EA90CDB1ACBAC2B187EF7104 7DE4477514612593FD7F849E4190A59BC147EA07B794E0880EA37F5F 27AA5FA78905F6495668253890699E319F14D54996E36E1F6DDED0C9 552605AD9D20F8F4E6DD26FDB7FC681415F15D47E4997995A671F85F 56E54A146D1E16C7909B0EFD42CAFB92F12B9F4F88157A68CCF8DCF3 295AE65D26DD53233CD414F73881A5FED934C577B7C66F484965E1EA 507F2FDB20141A9C6458F22265E26CE6AC906B4BD43F178331328BEA 55C61E737F2F130E51F0ED343A9E9709036ABE6338446B8CA7B9CD83 1F4C63908FCB6EB134626F89DF0A134F9F7CD196BC96A5DDD2B2CC55 30220D4708D5D2FC55EB64ECC1B668970E7DF11FAEB3782630A37920 89E2A0443631AEC02CF8078C8CACB3BBFFF7304670B391690AE1A29B 445A46CF78B84D26E830B8D072C2F0A2292CF29AE11F509855C1972D 5F86A13773FE91954B2EB5C8E75B9554C082FE65EA01D0D6794D621B 231DB56DD59EEEBE4D71144B966C19B402DBAA25D051F9DCAB7F0631 42D35123D9CA28A89A4CF3E771095F794F6A7D495870AC9F47D1E024 B5341C931590225B76931999C9D341D8CDEA4D0443D719E09ED22758 4243480B618246A318ADDF475A70F3BE57C3278E23D48874E2682486 4ABE829CA2318DDEC436D182040F014D4FBCB1FBDBF2AB82B613B7DD B45DC7635796A6AB203F8D9A6A04C08B40BE8452B4058EB6199FF68C A8A570F1A179ED662E4FBC1DDB8364CCABDB7D25EB9BFA6844D4D379 FFF7161F13D287AF0B6B9EF3D2C164BC63D412F04CC3DDBEDA6D9738 38B329108388EF700E42E232009782D380127200412E27671DF2B17D 5D7FA517CE12C66D6B84B11365611CB11E0BF27B06F3B86C4B4572E6 3702DAD0A3F9784656D16F7B731951FAEFD190B4F7E0322871A2733C 30670C311DB6F8C24E51C747525D04E551DFE1EC6A20E796D0B7F4BE 73896895FD6BF922B02BDC0C1412317AC0975D0CBC8C5A01F17F842C 9CDEF7CDB02055425BB1EE0FBE46BAB2FB6C3D3E3D86EB066EDD23B5 7F18C3B9FEC9C6C3D8D41B77DADA06F08890490354F95E97FECEE7F6 BDE50325F659971D8940C6B299531EC9E07413CDB92EA26DB7AE21A1 51CD59BFE72B8A19998384EE8985CC47544EDC79F5F266F0887664DB 09136792E75DFBC306DB725E5D1089DE94E3305A3DB61B799A22EBEA 3A72C52A9EAA89A2983F47FD0C685445D30C6023C855613F33E023E1 A73120762816B70CA46FE2BF0C14B9706DA2F993FE00053AC6828033 7B92FE344695DA64CAE061541164BCADAEFAECEE529AEF20F0530104 26633AAD07A98D8D6453AD0164951D85C5DB7965F6B845C01EE4B13D A933CB152151E8052BD6052B22CED3F3CE96040A23B6661AE0789309 70CD342D2464C0638C7988D06A5DDF9130FD4148A8221FEBF8200323 C42890E57AD3C60AE443C72F60388F755BD0F8D8082BC7CC7C26B280 B6C186FEE3E7161793BE25C8373D7714E1DB51F9AF53809CDE5C1141 A183A84643B4D8CD3D1777E9F5C70F0822C115F2C663D2C02315EB18 3CAA4122703E24792756FFA86077FEB7E4FDE2304CCB5A8AE1B2BB50 6699EBFF1067C50E835F8CACB46E0FC93216764F999687F6BC9F9351 6B777391D03CB2C74DCAB8F5A3CD2F0C2715548F8EB36B1B138D0D95 9513884CE3B6A4F7A835943687C92D9E95C9BD30AEECE528C9965C4C 927F21F584F37B42075188D24E2EDE898E55A6E33B7357792BA7FABE F7CB09E1814D6F2DD1D5C8D029D2421EE6FD905B393D9D47AD6B9F28 05EC387154E88251C2E066A9EB378E00C7EE4E52872DCD718C67308C 6388BF175EC90FF818F49C4F80633DBA8351D0F162A5FFCD9642E553 E6763DFB97B52899FFBD4614568EB13A730B1ADBA54A41445E70BC6F 1BC5723FD236B133B966EE67D9604EFCBC828EAEE587598DAFC81F0C 71EFE2D5D07C41959DF2636B3B3054903534D678E436382EA38D8D24 041B7A254DDDB783FFA19AA7C128D5A932BC8AC3E04DF72305CEE704 33D4920C35D22B21D2DCFA2A4640B7AFA4134C1530CA677D175DE1BE 666B24408CA698AAC57A5D9DD41B9737CE9CF73C3027AD2C50D80AE4 B3966B00459EF11505297E096B86933EFA71830B010FBC41D7832DE0 DA01E9EDDDB1AEA400F535CC4B601E80F95E17E0FA104BCF16A3C451 4A8F2F6AFC59669B1F2DE45895A6CE3800823F3AFAB29E44077F5B46 89240D10E62C1282B6F8E15F922E02CC2D9CBB40F2722FB6EFD6C8E9 21575DF9A46D3FA7E014B0E91E1204F4081052D93A0871C35CE92B92 FF3C49F90FC42727D5C9405540DC8406499FE053FD146423A888E1A3 E0728C69381E0A2221ADC4D0BF9B51F7DDD4A8EA74BFDF20054B9359 98DE4CC852FAF08907F5C2A33686EFF3572D55E6227A3CB9C463D0CF 6A2A617516ED7F5993F4530B46D2791902E12DAF36A73C6CA7B6D486 592C2E85B2FE942492240E3B6012A8D1F28D37F1F2B43CD94D7B93AA 56DE82D4135A84190272CCB9A6AB606D5A929F0BC2B0D0485429F2B8 066307E0404FF7EBFD02EFF231838D43BFE1D8ECB77372ABCE6DAA1A 48B37C9D30D94C12E81388B10845B62BB311325929A21712930C5D61 D058F5F8ABCE4C198DDC482034407B7F360BA1A65B2E3B3037C06C3C AD7C706CDB45AB39C9317BE281BDF524C2FFDB29C6B3BE40B91B62CB 7735A463829C4CB8BAD28CEDA3D8B955791E75B8405A6C039615DBD9 DEE3BA95F922BCA586A39119FEC0F510FCC5C5CE70C9D6B09CB0A47F 314C09C3735C7E7C74784EF20953111F3EB067547167A78827072356 DF64C101F536A075A2ACA016E13A9F8695E2E7C09E56BE291A75958C 3DE58351E50124DCB4846C97B58427C344B773B27F5D49F4B781A13C 87ADACA9FAE45BF53A8E9F6A8485D476297DD31AD7C635DC4BF775D2 F869E79E3E92F0AF0AB2F0C9C610E76B8A83998EEE7EAB21D3B6F428 0754F1653D076DF87FD2C41FB744F41D20F540631DFA55ADAD22879A BE3498A425C035E624BD8032FC55F131319152DA21A415ECFDFBDE3A 847F86EE4221D7C84D76F56ADA0D8895F2545BB4B3F4176934A4C07E 22921B23934B7E08993102D33094042AFA053C95AB0254A0F8DCD930 5569C270CEC22E49DB90462320CFD05642EE9FBCA1A9F28D0AD119CD FE19B7A7902F039FFC484795A0379FE0C83743B9158638811BE89CFA A14A10F3ED22249D5A57C4AFE42314F71445B7146CB4698BBD4D65C7 F399481E131990245EB34495E490D74750CF9CA38AD44C767AD2B653 EA5017277D688CF40E036717E46B379D004B4F705DFB93CB10A821D8 B3D02DF61F3B3E7125C3464BB30CBE4D41E8203A6FF270059E2C32DF B7B9084D23182C98334ED88F7494D5F4415E9FFCB5C282F6EE8C43D2 5EB4BF38B855DA2E956F215616E66A215BD62E834B150BDD0A9C16DA 61FE88FD5EA186F9543BF71D3A7BED4BA24B4B91DCD1736D71B926F6 42A8BDA5C891873795E19865D13D41640293C6F04D6300EC7594630E 8F4B962EE4FD9A19A19F5EA9D0BDF87306A580A6CCDC995EBAC0D9A6 FEFC145F3C1254679D61B2550DB75B3E05EC44BB7B7E1DB2EDDCE797 88EE430C9F394401127A6925CD8686A6EB48DF587B3D97C5A1A093D0 A510FFCDFD99C243A84DA3B2EBDF1F9AC84B19D2385777AA74F4D990 69628E9B0300035816906B45FF35C4E255C6CAE2131CBAADDFF7EE88 D8DF8A70B4DFA16B4EE08B95725B34301C5760422B395CFC6FF2E8BC ACA5D3368B184C25BD1D1F9E3EEF8ACF67ECEE3B3A2848AD8F930A54 474016512B5EED312A0A6E1E4130B430BFC602CA6CADCA9538A60EC4 E797B0F7D72FCA7F4E63D32C7226B0E5DEC95595B648DF8682769DEB CEEBC0451F562CBC4954753DA83DECD988C045B44558AA69B0DAACD2 0507DE0E1D17FD0E81AA483364956C285D6D75DE2E85C7291D70F17E F44D85444B44F7348D9F2BF3B8778D0E75FF2A45E815BE9B82C8FB97 E26575FEA32D8D458F7776E18406F60A2F0BE74921272C095BE2E3A1 108B2E1B598A1B1B9440197363EF48E123279157F233141C90E127AA D98CE05042318765C6FD3625F8D20D6BC269B78F1489EC5DD8747ABD 96631F85FAC2537AF9E4DED1CF292262A59A9ABEAA4644AAE2EF5F1E 78C332A2A7ECA12FFAB4DB02EFE11C5E008D1831BC9F31EF392D9FAB A7C2311E362649FDE64EA9DDE3DBE9556B8C534835681665E7440B62 4D7F43BFAA01F4A911654AAA28728AEBB7EB433C753E2CF25B7B4229 1454E3E0010FF9D62BDD0E2B211CB53963A4C477AF23C452862200BF F51F233E036526F51F6AEF66E923F58AE7611BADBF47C4E13EB509A7 BED7371BA0E1C86ADB8C120006DBCB345F8F2B47CB48D0B905CDF3E3 23E5B63F48E3D8D9D4143744EF2598EBC3343A3CB86AFE9DE6D14611 797E1CDEE2E753259002796BB75378705105E4CEA49F77F3FC4BEB16 AA8524FBB12B9E5D65E4057807E689AE0CF73AFB5C391ADAF34C37BF CD230195CB4FD80FE5A959464339926636670EE65B1FA05EC1B11CD5 9439E0B1C0F903519CB63012B04F2EEB8FD0628B30CD19AAA5AFB965 565CDDEA0DF6828E4729FB154F20D15A071922AE6036A423150302AE 477C6234B53A5189BC0B031409CEBE716E6B63F5AC51618C00422FDB 410C322AFF0D16AD43E1744CB84E2E8C73B997B0C6EEC3276B83A9A7 CD61A2C25F07684AA602251B5CE4A5B1D04580E38EE3F84B57918508 2A24DE6E0F341891A1DD9DEC8D13FBC99BD27393762504AC7FF22F4C ACDFC24F60E86AFA9F5EEEA3260FA150A6E9E5582F9A38E8C5FD1BBA E91149E86EE9C923CA3BBD9C9197AA777EDC9881E48BDC7797D78EA7 AB0F2653D01A5B6575EA262D6B9F8446F12C8829AFF4D0AB393386C3 4A4B7C76B561279B1853541F108C5BCFCBFA409B11BA8F073E5609A1 75BB5D721239DE7C62C0F7D2623F3AA685DBE9A68D46FC1C44C97E91 77034DE301246E605000F780C37A8C3C5D2DEE05AB24A14AE99EF970 3E46C1846BF4E0943D69CC6E26DBF2E6D8520199BC8722BBA0A04D7E 0BE38E5426E6321E87196B60827C152DF6C3FEE15390807E29DFDF95 C167EBE1C798AD241E0CF628C124390EC99A12D2787534E8A7F465D6 0ED174DDE1A549A6048F967E02BBD38507433F1767C62AEA91BADE80 5FBF81DC1016429B1781F5709830765152140780EA7AFCAEBC050105 577002752EBC5FADF6A480C39A400F2A4B4E4D3177AC56F977A834B6 1EC159E3E418B13C593BDA9D1D8ADF700A6E56666DCEE95F0D78EEF5 E7B376F3CC271FD509D6CAF1AAD7F8F39692FC9F089A0B602DA1F673 8F3DFE724AB46043196FF29A05438CFD3E8CCC758B3CBCA2359691E9 6B8BDA93456D8478FBAF17FBEE09F8B92F73DEB36686CD00F1C56D2C 0E8A622761467008E5561CED20783C8CFE58C0BD2F0D2D37D95758B8 F384D1CB53C0C78743F6F592CC12222E40CC3439FF88BC4FCE1F3F86 4490347717DB9CD92188282D71EFD9AF49A24AF48613CCD21E37FE70 3DC9EDDF154FB4F6E5A9AA1A7CF9EFAD397DB7D37FE5B5EEE0ED05D5 2A2B8A9BE809B08BF9E37BA24C112CA7FFB04EB8A5EBF84C8FCBB11B 3CCF5A74B315678843FEDAFF528B2819ED53DF3956BDCFDD430F4F17 FAE4F5DA66381F01BDB4173835C20FB5A53A56CFA9C2E7F9DFF8AFB1 51B99C87E4E664794463076F0ED01E753DC83F59E20D43F687794B73 C87943A83044D7A6DDA34F5E59FDFD08F8DA7F50F849EE986473B3E4 BBA7FB04E059FF72C0182D2D79B5130822E270317F17FBE2275F50A2 F267C0AF86262C93C08C70F40789FBA2F163680AAE1C441A5B473DA6 10D97CB77978FD260C02533D59A25B941D0EB332BB831128EE68C4C8 D132E35B19EA4CB70028611F9C94252323537E24DA9548E2CA8C753D 5325E9412EE2145DACC6E39D75D481FC06E21257FAD4EED7B6945D89 C4512BDA4CA60CC509551DCD36D9E8B43D3100AEE532848A82CA9A30 D280CB08445AC3703AECF12F2F5D386A3B530F7BEC78BDA5B8660C12 31E798170E7FC85E3731D95202588D386F7A95AC980318DD66204B10 CCAC46E3018485F06B99D315D9D00767CCF6BE2DCF76BA07A36AD7FE 8D4BEBCFFBF0E3F0F1E4019911D55E256D97899D2E2AE17047D0AE8B 33B87466DDAE25D509C118D843AC99DE2DCBB4BF65B5CB473DC64E77 03618D19518420A5508F2905D9C3E460F7A564DEB07735CB97B8CA7D 25EE81DA547B24B328AD02477C436050CEE4AA368EBBB8F6AF1E18DF 725BA14F75F0ED274BBDFD33CB70284902352BCC20FD778F261AB0B8 E95773CBD0C885DAB1B5B04C5B030B52740FB178984257519ECE427D 3E3B5CE6EC9D2BF2E3BA311BCF81F2F68FF2C60F18A7D2328C9BDAD1 6BA1804267DEC7594A0A202CDBE6B75A3D01B851322AB4B271DF7633 6DA7558E1B86E50B488D72C65BDEC1C8C91BEFEBB18A7E792645298E 0492842BDE70F404D70321191A05E7E18E88DE01A4FAF66533DC61F1 7B3E5C09BED484CCB11E4E9986247D417B7957ACCA5D52D8A54667B5 2D5FB7F86A498533B5DABA6DE302E3EFFA384BB1A7DC3D655DB991AD 96675C0E211A43AB076494AC22328B7AC6AF9F68B5D1B61E411E832E 20963A59AC3381F0F7B0220E9D0B7644C13B4F342F3D913C0CD40C16 6C8F205552BA0D40AA3CE7536A73F0E37C56F6CF6EC05AD23F4514A0 42456DA61A93C4FEEE283DEE4D06459219FD5B9CC646564599A8374D 118CF50126EE5750334EB053ED02F165D2088E931C448D01B019E99B C6278D28AD51707AF1FDCED96868DB164023B620360980F41B799DFE 5128743D9E846A93CC7E90AAB95FE6CC11C19A7DD63479A64DE91792 93BF80146B3843E4BF4CDD5862DFDDC1C08A7606D2F9581697154CB6 2776FAB5635162EF47E8243D82C42167E3A2D36CE13DC37DCE1D6013 B8A909DF50110A503BC53784EC0790A24CEE85349D94C8DCA95B5471 271A1BDDF96C9CEA5DDFF0E497F3D0E13B4EABEA8663ED398CE1B093 F734E6739B9B2A580BB207B29B8CEF0DFEEC03338F6DED40FC15302D 52CB3F9F0F0655461FF2CA6B478F11FBF5B818B5D7793E6D4395855F 14F8A9F1614EBE7C01653F784A5AFC96DE462284F3D6953785BDD41D 3DBDC1EA583B12A61AB17AC8827313B01248778F76F2B8B8FC6CF3B8 8BEB8D177531348A0AC0543BEEDD87DB164B6E8D791AA04B2133306A 93535726967986EE6701EF923C6C31B38076AC568EB86ACA9C9612DE E1B106E882BB11A46E7021EF694A16DA53CFFBD5D4D2FA9F010C6535 1BACF8B0DEF5A64EE32004FAE90F4E9F37809344E1BC7E695403B844 7C15B5366D1D267B7A21651E0DCCCA745CF75570AB1D8A57B2BB6851 FDD41904BE0200CBA44536E370E923F76BFDA60601E2E841FF09A689 BB648C39A2CEC056B221F33EF0C21178FEBF4E59AE1A1019918AB6B0 A2B491B94794F8FF121D6FCFEE902526F5386360CA48EF37FAC49161 8E7416AD1CEA19358BF23A0808D17F4C8526E524B02F76EC858D7F58 C081D84915CF7F289E3A5AEA019A4536122A50B21AF468FA23E709BB A3752D3592819F174A77BD95330F1734A60303F8C04B17C97E5451E3 B500F9706D53643A6877FA704172A2B04C0EF3CD5E8276184AFB11EF 47892C1FFDFD796D183DA535A983A76334E611D01EF57633C7C8AB9A 7E6194C5E5190D47053CE62DE7872FE24A536E10C7D9F4700F1793ED C71EAC3A4E885D7D34943B3E158B69378C2AE1DB1022D1F76167CDD6 6CEAA97E1000975DDAA3D8293AA9CC2122C9CE145974EB4C39B68273 06AB4631D12534497B8C10DBC0C3B75800A4F7E31F096FF1E3C3E6EC 6007B8BD82271E412E4894320025A7F2C37C555EEED34B433132B93D 780FB5CC7AAD11728E53017565BACD1FD26D078A1454A50BFF4D55D2 BCBFB9FC3AAA810BD848FC0C29CDA6A112162686CE96517AA43C0B99 4A2E95FB603EFEEDB25EBAFFA57764374E51D1CAA9B792AB922A55A0 889B48751F5E2BAF8644CFBD3C78AAE5C705CB8B8ECD507D79B14955 807565988F8DB697DBDD28AEBC2BAAF4B1FF54154F44AAF2F478548A E693230B82712790F3BCB0DC0913D4EFA562582C55D97B4000819777 23487B46B56860FC090AE27A01B5506AD351C283AE7908714528FDB7 D23653B710DC093567892214F2C9FCB716A3DE1DB734B49578407904 3F86984C7BF28DF2A21DD7CF926E8812611888674DE191CD2ECEE86F 2CDA1A5EA144F0BB7B76202D21566507EB386B0DE37CED06898E93B3 A69D7F5E8ACBD89F9E106B5519BE4DB863E4E332CAD22B5B9465F9A8 3AD5CDAF9ED1921338601DC36EFD67A481C145A64E417D122B2577D5 A4821B0E95C5E22704FB390B2DE004B880E885898321BD5696353A9E 221C9AB694797054ACC98787678188007ED2F52C649809234F5C8968 08703C5320DADB6D09B7ED83D955A3139BDB3DE6CF343D77BCB0C993 97EC26660AADC1B01BC00D005A5AB832259D00F6A28B5E62DA422D37 868237C75604E483BD5D977A87ED6095FC4604E498938B123C9EFE9E 93F8A2B19F0780DB7F75454BCDD36285CC994B516191645B81F99041 2A950FC7E6FAE28EFED0DAD9FB749EC7B82BF450283A76D627F911DB 39EA0B5AAB29256E23556A41629D5C39F721B13232A60B52581AB4E6 584141792C7CAF432E1DA87DA74FE9F4BBBAAC01B83D2EE2BD29D6FE DE81A2C2E894B993402C8DBFAA35228FA5F37C8B462DDA4001009E00 D06B10B2694D9099496C9D2F51146EEB2158A14068AFB818C1E28629 337D3DC50DAFBDAD00FF4C8AE6D3391911C255628B7B94E2BE41EC71 54E25208687E305E94A102BC83CF8156C3E460F21CC6877DEC8B7A86 8C374AE5DB60A902086055948B52AA6167CE257F5590BB7F1B38BD43 4F3B28278A4DA0DBC249E22987B7C86E491B222CC60431571B9D6129 322ABE7F0BBDC63E48FAA0C6F595CE02D93799861FFA16EE7C4E7E6D 70DB222CC7122ED2A567E596E20731D5DF7342CC8A69184C0B7DB62A 9D95D2EB893A3B262D03694492452340D18B8FA36D2EB728A13B13A7 CF48D3C7E13040BD20D006EC57E779DFF9AC004DB4A4408EE8640549 6CE288177422B222C186A3845C0C1E218D2CCB570FE29478DA4CD071 E7ADF135EB1762F5C66AE15DCA6EFBF93385236B82C84454ECF904A1 21119ADD36C5FB70549F2BCE09633094C61368F5DE53B22FB772C38E EF77A74FBBE1246CAD6E4EF3245172991C45D7DEAAB0C0E1C0A33CA2 297EB507A3C6833AFBC7B0A6AF1E101F19FABE274C2271C5FA9A4674 094418D5897D570F95B2483979E904ACA9EB76D80263CD639C93E6AB D84D0340CC3553735F0C068D653A274686A33264E85CE37336A8DD88 DA61BE72AFF9775E44D043B75D11BC8C7D7BA9C4934548446156BF92 7E8E070AF4085FE8A832E6BDB8C1A0361ECD792D8059B4F2FD3EB9C9 C1342B444F219F44068E3D2649536EFDD72EAB8B2BA7A3EE20D0E951 67DD263F2E4D3134A0A9D7ED987DCF6AA3C3AE8F295ACC75C2F3200F 5ED5ECB87E34D3BE0A052BED44089128AD60D4F00B637D5C1CA9DB23 67067F3FFE616CE6E9209BDAAEB3EB8F57C63EFC63186BE7E4E097C4 354E3C8E94B91B61166B3BC3D3978E720818BE12B4944B00F4A37986 73E644953256DC41FA44BC0824859493D54B3DF7DD9218BF5A0D5BE9 50093ED39F63832A82484B4ECCB02E1BEADFF1390A8D78037B565CB7 5F1373C9B03AAD7805A9E3D79CF2877127BA9E1FF84D66F76D4926CF FB1791910F52393DD1CA3B2DE172014C08DBAF02F16BFEE6F2A1F67C D69BFE6EF9AEC8DF4D725EFB693CAA2A7B744D749F545F8BFBCF3757 BC39047499829B319748D2949A72938FF0071AE3336334A981BE8DAC ACEDF5B3C4AC2563CC8991F7E5DB47E433646369F9D6E7318226E2EE F40C0D392F202AC52EE1B23C058206FF826CDD85BFF1D8CA63205121 47C3E41BDE7AB06D38A55648590F5AE5389ECC643172130E458826BE D9E11FCF376C019B7B9B662DD7A84F2CC8B06AD6AAC5353EBA572C4F 53D29381CFE8B8815D8889D9DA82118FEB52DD4A369848396418F955 C71ED2F568CB98D24C4C2EED1C47993CE6E03D2DDC4F6AB07F05E37A 01014CAD1AB3E225EAE6DA4A8CF665E60B0D45872DAF193A5FF85177 7426541AE4E0A6756DF40E89A34977DDB976C577366E38B922308E92 6DA7EFF93FB32CB6483F347F2CF97DA028A7973E29A324BE87A2D0A8 7F2133C9E49A7FA9543B2A8D0B1214E0560CC5D25DA0B843172D31D0 8D21D17AF073008B555E3DB7753B9ED413446733756CE47548109B5F 5AB39A586A9DDD008084CCECEE5E7A347489336AB3B5816E8993E228 8F8C2567F7D4288D7228CCE48C091965B45FEE766217CC45B7D61BEF F7941098196507F1EE8AA526A42873070111DE21053A22664B79066E 6318A8AD2B28A5790641130CF641BAC1E25496E33F3665CD317BDBFA 06794E97BCFA6C7F802DFE399A2C442D58EDCD7F9DB7E51E68E74291 0A0039B308B1DAA24B0091920C2F96AF5F1B893B145E833D05E51387 56D2B00262CB7DA3F29A345CC11ADB647D3A5BF300A14139D8D736EE DA87E390FB6107275F4F759DB864B61F2690A7C4CE05F8CCAC507F64 A494F1C2D13F5D22AF2A93B1ECE5BCA3DE764919F6D3D6DFCEFDA9F4 AB99821B5D1F2AA26EFE5F4EBD1E6448FD1E1809F68E48A44B12C5A9 1718A297DA0745A39F4C4B188C81A1112217C8F401D2C1A791942FF2 170B658A762A3E6AE768A209E38D2E150968460789CE3998708884E0 15A09D95B9CEA3D02E2D79D79AF00B90D5C261E4F558246F68CFF10A 8D84495040FF507CB9E5B9FA3E2E730371B667DE3311F441AB53A6AE 38A7FDC6D123F236320EADF7D9855204098A26602163A3747E8F23CD D3C140F4AE01DEB412E59F7F60157F5AB58BBD3147206B96D449F0DD D14C0D5F135E8DA55B451FB330B42B5CB2B4259E0EC123C3111843F5 ADE3873A89A2286D5B59B3897B49595962869F5DE3A5057CF15775F0 558DE9C1E039810239B9E2CA65FA6B435C1C6A972C12C74C5E467B2E 1FA78C5A7A45EA1687E7F4C5B8B6B2337B11E1B7DA0E3B03DE83FA0C 110F25624D75FB6154A1325228C82D54F001792B0EFF004D698F37FB 14B824063DF051969E409447D4990AFEC6DE3AD77E582C84DDD8F44F 6DBA17C79B4CEAB11B7189DB90B2DD571BE84557E52053BB7BF5482F E3DC1348D7F9581687195D8D0F9C834DB3C1F9BBBD53132E7BB48ACC 27B2982E1DDE1C5B82D5705D0CCCD02F8E17C2CB0B27FDD6346FBE90 B3D1DB5D8DBFC48CC3BD59CC8593B30A1FD2A23E0D27AB3F654471FA 980D2E923749EA3A10447D920B8A9CA77C4376DD00CE035E486590FF F276E3073CCFD0D45C548C746BB986CD091E82F4E649AC614C52E87F D8A8B8F86948E5DAA2DD56E3E45C7ABFC4B69A38ECD60596C21E8EA1 861FAF0DA12E7D99DA1F84F379CC686F0E3B32B9801F4562CFB0CBCC A656FCD6954AA720CF1995B58314F974BA9984CA982666629431028C E709EDCDA13DE3E7929E4587D0ACB7A4B55D99DEE00CB98DECF73F6A 1F1FC1992BBB0C3115B02B0033926B89A83FE3189F51390D0D5434EF E43096F6C287A0A06051F918BB48B5161F8C76286896F4577D76B385 61FC750972978CF1D5EE1D6433A97D9E709BE8FA658DF0E58E7BAEC3 4FBFCBF93DC6B7A1D1CBA86F77F169F9A9B60ECEB2EE503694B57D8A 35D491424190A6CF7660F6A4D9607EA70B4F0EE1583B5EF898DCDC82 6F0E9BAFB5BA8F5968DE14D0C961FE4A47C327BB14C573DD9051CC01 688D541EE78CAE8C3396CF35D8E7536A3027F4DBFF12E078B98FA11F D2545005D0288B5C57A854A3F8FE4D08DFAC51EF84D165B9EECF7108 C69DA8B9B0DDC294F651BCC08F28FCE68982394E92FD6E3ECFD242E8 D26CD69F898A21A6F476EEC6196074A4A401E57C1E123373D2C60387 78101FCBF6DD6024314EAC1A3AC562F5B756BB124925426E1152BFDC 6BDB18359FE3620BA2438034E4246572127B287F16059FA0C0F7D378 BF07AC9956138BEDB33D261F393368232EA60CAF6261FD3B4F4BF8B6 42540320AC98D3114AA11D1094B70778F0F889E09421009B0EEA4D36 B7FE90A23CF6C5ABC4078311F3C9BF3A3A38BF093A4B5E913B96922B 54AB0CB8658F73AFBCD2CD4368CE25742460E70F59D1AD49100561F5 32DD0B2DD8F88B4FBBAE7F3AF495A0AFC0B1FF9119F8BA3F982756C2 B13E970BA7A22DA1A80E05B5D5F836DE4319D5541C9DD84A50FC0049 207F35D3D470DC0D5FD84F2FE286DE12839399CEEF4FD9922734D5CA C4A5464A61FC21E9B1C5D48F7247E209DBEFA6EF4ED9743CFC8FE4D0 46F949B82B2AE4CDA5640D8D7C4D10735CA83AF3B6E592E4189CA6A1 39CF59D84E29044993D030824D59396514FCCE071980086FDD311A07 0154C042D55F63AA2B53B045458E619FDC692FF7DF5B150240BEB5D9 A94859D0429DDC7E63E7E77334783DE6F7CD2AE69DFFEF85AB5FF5C5 DEBD0073734A6045BC13A339596C19FAEEFE2F2DF20A44A7AEAA7E99 5A2E5666D23D06D06DC7C4D2315C889F6E5B0A3B8F9EDD732063FA68 5FBA9566BD7893BC75FF75DB360DA205AA1A474A5419F63E2983AE20 1AFFA9362910BA1792B573887A83497BB06C166D6A70775E07B21494 9003F9A017414BB67119294B3960AE2E1B8218112669F43907FCB364 A0FF799BC6C3F51431CC52BD96EBBD2E2762617AEC18A39CB47CDD49 2625ED46CE56F7EEA2238AFE29C27B269C77975733C1D037BA89B601 C02C6F47A62921F0921FB98C0B0D785297E67431132C3DA0B6DFF585 2F00E7E5563B90CF7F1EC86E193CE64F1634E9DCFF5DA7E677D9F518 3554B210BA9FFE473AE1157F05F0D830695FF56D646EEEEBCEC0A946 488797E934DDA791D6ECA75770633CD6F70CFDE8A65DCC0678124477 94E2F641989EDEBADA8811582E935C61B7C1F2C6E6D37CA561D64423 F6582B0DC20CD0A77401566AFAC743B6AC237DA980ED723B96ECD778 57523A5FAB5B078E9B9C5AB801E924F2A7F55E3A0EB3FCF54348E33E BFDC9D1B5AB96630C5F64AEC15A0F8033CD87E398A5B4088E10BD024 EA739495330980853245CF5F6CCDFC90F154972857B03A7BAA03EB4C 513F267A00565E3A7E61734511B3F38CD4858349B61C6F24B34F7332 3F02C57AB456DF142728D6A0FB7378E6B1BEE9E0F79E9AE3A4B9BAEB C7FF3BCC5BDD6C0B59A6971A3EEBB3271DD2053B2CEED6A4C6AC3FFB D20390064D48126BD7459AA31F5C576B82B93EF6C7A7484F556D2415 8B6F061EE683C71CE1F7F0D39F3EAD7BD230BE59A8F5AA38C1B6BDB2 A6341D02444DA8E010B2CD52F857FC7F1824F70A10CE6687410F6B33 E5A30BB2344D32A5644B694054E27ACF2FA6416E80694E355B829B0C 2EE2B2CA9EC24908D2D3F1C1C199844178767DE8CEF61482FF6D6077 5D9DF3648D3BD784D4378AF83E0D10746B64D2B5445EB38F80FA2103 A246F5F953A90C9779EEDC77E036420DAA0BC94A8542EAD9B3996945 0299C95A873732AA0A52FFAA8E726E11E7120E2805B40698A6B06A0A 05312FCCCA61CA85DD506C109E19BE7B57AE8CB67033FE2C2D13AFA1 1759C8BAF5FFF5F8FBA7D58089E9BC5C3C2BC37E4D9C4A47D41CC11F DF2ECB99652C81DCC099A1E977E7C71F3B0099A44D4BD5E6A479C3F7 D7DB6DABCAB0886980A74675592A1EB8BFB6DBC33CE0B7EC358CFDC7 7C00DFC14744E069B29AC7B91EAB4B1A07A281A9CB1AB90D98322797 FB64B1516A257627AB1C87D09E7F56ED5E216A879999EF857AA1C1B4 577D981147832186A7CCECC9E0C1686741304B7864F6F69135B0212C C44CF061EA743AD7F1DDB6124C095A7984D0CE10F64366008D27A2EB 9A480DF823094BE00D83F2E38B043D003B79F576FE8B84A0EA144BAE 9BACF73A9CF5E591B53517CF9AFFFDB100CCDEB7A0823FBAB165FBEB D986A9605BD82699E2E7022F96980944CCFC4AF88D55D75794F96B2B 8D6D036CC0690BF51D8D8D78F6C1BC2A520515A6F4BAFBFD9ACD3CBA 166804A7B80253F24503D9BAE6A774C5BE16E7DB0F84DED4A2347FD4 3A94F747A85C1FC487B9C8FEA43C39B58049FD2E54F1E046321E6947 55CBEC4B1F987C5470E47068C8EC5A81E08D495F8FFC8A8954CC1F23 6BFFC730E92D359E987B68FBDFF3EECB88473BEFA193F8FA3F975ED6 23BE3600C39713F6CF3CC7D55CF38A6DD333CE76D15E4898A874FBB0 50DD0358FCC315D3847BC136280A91720C259DEAF74293BA82690111 33302EF6A5AE3D640B00CEAD988E71805D5714E6903681AFE422572A 93490B20B9ABBF2A581F82A9E8F13D5D89BF2B3A4EB4E05F72A66AD8 79B590A38C2121602270555EE32E0845F1DD6DB4AF24DE314971A6BB 12B50F371D833DFF51193F5536206903F77CD091A76B551A2F0CFA8A DB9922FD782FDAFA235DA37DF81EEE601CF96A98FD60AED68F57421C B5B4C5AC0E628D00AB047874AB021E8B3577DC05D5F10F000019018F 3D1673751A1AA220756E5FF5202E192EB560E331E41471A47A42C5B7 4BE579B849C59CA91BF3E0A2F1EFA9362AA08E8D3008895892896643 434329DFCFDE3EC2D1430EFDBA50316B59E38779C7BBFBBE07CB5A04 A540C646F5101CEC51219B1E07A09872B2463A29F524072207CACD40 7E14901BEB9FBAECDDEA72CF683D04CA4E7EEE27F1F3258C108E6270 D3DF012065259540BCB9B4A030A0BC5874037AFEF6CA161EB235749D 7759521B4CE2E8B1F154BDFD74688B61762EE06C7456D132AF20B3F3 CEC654D43FA9E95346D977C733FAE94EDBC22C9B62D642723DCDDF02 2AD58A8BEB77126C1AF8DF6C7DEAD320A8EBE2FFD3AE76F6AD07B046 44447855E301A094750DC73788B6C51E2D46801ED40558E66AED0BFA 732A381BF019F1255EF7C5E2C247C68596D06E760145433A64D9A3EE E2F541CDCB0647061B17F061401D49D54438D6C53381A50435DD0038 5DEAE225E6D2365EFEE8164B729BD567B3435605C2752469C1824B2C 4995C7078086746A1B5CCAD4CF9862EA315049FB561C236F360070C6 C89FB15DE38BC5B012C8CCB250BC28F28FF9E2B7E2BB02761F8C8FB7 F3E170AE06593493AABD931E6E673128685EC38ACE2C7A61968581F6 B09EEF0AB22F054CBC41186B8EE853465EE31EB7BAF8D725CE1AD62E BF64C3FB4FA361DD4DD0A1DB75DE295C195968B1D4DD700BE5724721 B60013B5CB4664094C6137D7DEAD7AED2F6B3949864A80F4E443F8E8 F6DF2DD3DCD98D87474EFC2AEC2E9ADEB2D7E1CEE0870A04D4494F08 4B844432533475B3522B3709B51A9494BE94285C2A60A7AFBD570FAD 313BEB1971FB009C2E32F5D89AD2019F369AEE7C63CC50DDF1604C3F 604490D792AB81776570D1915801A1C4557B3D5604FE60FEC7B2D74B 907FC55385B0D92F736F02857F0CD36262B4CFC1EC3CF1CC696C3BD1 8D7D6FB54EC07F9AD64EF8F4205EE64633764C86200C97DD48AD5F8C 4346A9D434B5DC494362A16A034E4F4400F20E6AD6D3F79B532A8C2B 696852105C30FEB90BB018170F2F778B0610EB5B0D59E6E6C4F2B50F D96587E9F73B46A4ECF57607BF52CD7C05F790A76FE5713734BDB54A 37645FD5A22114010FDAADC9013932E4AADF0BDADD09193D2014E96E 1BC0137B382819D2941A8FCD34EA252CF4D863B33A8EE186F43A2259 5FD84E47E8F3D23BA60B719F92A4D122C445673AE08703A968F0145D E30F626F6CCBC81A361178E464ED170654A179A2FF84560D97FFD373 0E49837EA71C0290DFBD2D3BB959DFC0A8B2BA1AC7A9404E3D25BCF4 EDE38919323561122C295754666471B32F0A110C01802776C354DCF3 CE8D25A520375A58DE14A8B119B1DFC3E5AD19B33997FCFAB2C8D12D 64CBF62337B37C8CCCFCF529ADF7935977DE3AEF6F2341CCC5F95545 630FFA14603D16F9782ACEAB73E582D85F9ED590CF7DA278857BC1C0 F90BCF5A9D136E2363DA9C6DE091EA25EA4759A80C9D704AF410896C 909FC2625AB5EC578527320FC5AC3408D2881000B84A9F15C3166B34 C0C5193962F70C260B4B90B71860057B2BE4B00C26C21442DD155F6A 1B74F6BBC123FED8D806E0D3488844F1E3F937296C4D110F75C653B2 DB2978DD56C6A849443D623454465BF1CD37B7ABC683AB97689EEF35 B147C1C5BF01714579F1374646455C90CD04CCB40FB6EEA80586B58F 49D5A8A072D9F803AEC8A744EC570D64EB3A8F65D7A9484ABE50A240 6E0A87345FB415CA1C63FE082B3412EF0345BA0B1DB9230FA701AAF4 5C9B2B05933ACD316084BDD3F59BEFDA9B7A3E8B8C40ED537A041E78 C31DE1B104B3FEE5800BC8E8C5EFA07813DCB06E920ED7FD99008337 E1B8E3C9F789F81A430BCBC1AAF6C341FF56BF588992873068441BE9 662C5CF0B3BBAAA0F391921E792D44D0092D6217CF5141EBA59AA0BB E42A15A84D73465C0AA2B4B22A4ABEC7C8C4EEB4176BFB7A2E240DCB A57C2F8D4416FCCC11363767EEB8333340126ED94A3367E0D9926CDF 95340A7BAB9EB145920656FE1C89D70FBF3B918A8905C8AAC45141FB CB88296A286DF74F9C6163616FA2C502222F0F6B46FAAFA66366BF35 27451270FB0F93E70218844644FE8703CF367FD492B5B9470D4A3B52 97538F4E6928513656F960D41B59578E5B5071109D7C7CE6D9FAD1F2 F83B4E6DD187F362CB66212A0C4EEE8C4AC72BC9C65E4C5D812D320B FB6F717C791FE71B0C79BF3801EA097AAC1F4FF7CF8A2B30A7662C7D 65934201C6B103304795E918618ECC2D22C3F53DC1EE88738B175615 38B0B1BD3D0A3F7CD8CB7A0AE79E25E225EE38F00AC7A058653C2099 574B1724C6A3270BE506ED154AFB4F6F040FAA3C48701CD4E12FA1EE FAACBCA94AB0626C210D5D7EDD088FC4D4FDA8F655F9C1B8363E437C A688953AF2926644F1E8CDB71F7D69D34598B6BEEA3F671A1C970D5F 85F56C06CC72C9CD218D6EBFE5478F2F45A187353404C8484BC6A8A2 FC5476272657369AB0361000BB1A92DA51EDEC76653004393C2A2775 73F05ED450E6708E3A5758202D6DC8EB004D733BB1B4353C7B179FBD 3098FE467539C7414D6A7ED11EC35FB46B57A73F45B90A5042B44A51 83ACF28FAA4DAC84611EB07FB59700B14CE74205C63EDF329DEAC51A 22348AFF3FB7509619E87828B3CB4F036A6BD2213E32C0C9DE472593 2763B76F8CD20884E28B0C63446625C29F0ADA0821EBB988B45E6BE8 92228A97A5725D1DF726442FBAE48EA949FFFEF89B71279D1EAB17D6 0AFCC221D4E1F576ADEB025D0A41033CC97ECF711AC17FF3057D8838 2420EC045F81013AB9BD441606B282C6F3B94FC1427C18D947DCD875 364193C551E667CDC9E17F8487DED8A99A419DBD1798C5DE16035835 A78BA5A03810686A9D3197205AE34E1A01A6038E0C834D1104A151D4 9FB25851B74750785862A17188631E1F3D26EAF3B596414299A0B2B1 5E313D2F109684554A07406601BF3E578DFC26F10551AA6F6BE4409C C137640A37F5C5D664FA54C43CE9A2D89E00500A8CAC417F0DF0AE17 6E602ECB3033774F73A12FF5CD6DDF272C121C4D5DB01E14AAF14C53 60F6A9660189B7C3371A59B9F4CE1AAB0E926A05C60FAD09755DE43B 56FF268B93C030D4904B2F0F5351B9DB07A72511D004623488BA7A9D D9AF3BE9F1718F473E6BDA562F5A593CCA040D61B05D23EC05593AE8 F97A285766F99A6FB7636C8DB9C6BDFAEAEE5305E1541F4733CA6B58 5031AF83E139C38F0289A03AD13B15DB21EA0EB94A89C0684AA656EB C9C8DF0FCCE8E2B60F7A7CDB6D03BB0525FFD979DEAC326F26A22AD3 4FD324155E57920A6F8EFF15C4C9E88022E0C00F0919A10827E52AB8 FE8791793BC010B6C97A2083E59AD33AE602ACADDC49CE67FAE1E96F B5D472D87CEA78857C185FF052DBD4D6EDEC0AF6CE8AE267E99002AF 16E8AF1F85A7D9A040A0112EEF52D76A1620B4487349786676F94439 7020C071EDD06B1BE2B149C1D600DC4EC2491988F2961B5B3C54D29F 534F31B227BDBD4622C2ADE53F75D03AE038B39EABA343D169CE8CD0 47302305198C288A1A70317D107D10226B0EAAD2732E109BCF9347A7 B3B7C26B3E0A00D872745DB72F48A708B4D7350F8244AB91D5D68E30 96C629278F1B70B6CB09B55144039BB90F099C32924E19A062D66BC7 DDD1F1411274E59E7C0A965BCC87CD107A96525FE31A1F4D2FFE636C E5621A55E3496411A08DC86D9E05D197733B463AE2E0F096CBD0A26E C13AE6EFB5BA693848CBF327E40C3EE9658A79E46035397FB34AC4C2 1209EBAAC96EA35EDB264173AE3A99A9F1F6FA1A4395BD181F8186B4 70A1115CB3EF224D6C31653247B49EBBD009B596B92C09CB6EA002D2 5C9AED4FEE593BBB0F16C04E80A5816EDEE194985B3E92D9A0CA307E 86413501278DBE46B959317B27FB041CCD960138333181F404C346BF 706C4C6BBFFD712E62E60FCB5AA4671632909AA91BA4CF34CF335D01 311B050FE6F1A97D986FDD787591D97944E33A7ED5C70E0C224621DE 30DE8AFDFDD4AB2D715931BEE9A14AFFE00911D7C2A18C8A7C144109 4C316CC43CC3E46DCFD2D9A75760A347CB4BAEDE5E5FAD6B86A5B484 53ECA73F5AB138CB16925FC3E5F4A9D641E7B15D0040B68D5558969A 441CD7AD54586D42D5E083B3457C96B78F75276619876D45E9505274 F6C0014FA872DB6DD7CDB2D3A4F3FA2CC9F0AF9AD9059019CFF3ABE2 FD87E003861C53BE5F2C60F4A2B070F77C2E577995A521447F326FC5 2D80137BD1C37E9C8EBEBC5C535D313F8AD4E15346D858629B759BB0 E3D32E6EB0830971324B66767C3D0A536813F6899B0C4AC4CB05B17A 93C239D46379E3AE660BD771543CBE9CE43096B3E46D30816E620A54 29DA6B0C3F07A6DBC409B32C976AEC55199C856F2DF6B076457F10E7 CC358D07241AEE41DBD5EA496FDBE74478FD85FF4648631BBDDEBEEE 5B5A5BFA7FC67F7CC60EA08424C43F6BEBD8D3A9F84CD654F71B159F 0029367F4F13DFEE75A0DE78DC9C09A81CD5F1545C526D99D245AB00 380C961DEB2A31EAD63333FCD5799FC409EF7F879F361036ABD2F905 05AA485D39AFDA3D70850CA05B829080B9F509BBE4C9DB2F1648D0AB 7D313CA424248E869C22B43735642616B45292A01CE7DB1F9E9604F7 1A627559DE4E91600B3772E83EC4783DCF5EFAFF69754F0B8C048729 E63CB5723FBFD75CE026F2308C71F813CDB1A846ACA4E2E412B00366 049351512D6C4D69E266F2044E1638C8C2287B46A1F02A82FC6821D5 8031D8D93FA1E879787428B8655446F54E42F8438D3163E7784E5AB7 356EEE6E330B43CBE86892C5683B6383BC5F316DBCC1BA062A3E805B 2DA091AAA4B75A59116151038E46DF5467EF80B7C047F9C8A565DA2E 831279136A5B86B71AEA6DB19437D4B3D366653671605D6244B2BE7D 0CABB0D2B7516FCBED8E11D50E5BF0227BD5C90F53D4E6B154460323 A1CA5739D18DD50EED67FCE861399586FE0EC142E6BB5D426517A869 740AE6208A75B196EB61C75EFEB2BED0736BE74A4BEF3E9DF6C6AD97 904C42AE1A2A344B3C6D9301620DD86D00552FD2026D70AFE443C43C 7AB5AC247972AEECCA551186CF11D7AACEDAAB0809D5C7A3FC90CD6F EFCA458FDEBF338F239B2DF628FBAF0C39C742E7941E960FAAAAD857 50955F0E3D5A29D9415CB1D5F018A665B691AE95E9CF90A6BEB6000B 88CC5FF886D56F81F0F38535502E5D7AF269FB988D05AE1CC92BA397 D485404DE4BFEE81361A1355EB5393580CA7BB5E7D8B7FC97B93DAAF D65B6AC699FD61B071C0152777B89B8FFE8B0413D2846004794BA822 6673F67AF131708F6D3818C32D2410E2C7C5A2E53C3FBDEA32D5ACB5 5BA78C464147120E3B4BD25AEC1AC207D1D50BC18251DB79C44492C0 022E6A709B6A1E500F3CF207B1BB185A17FE29E49457467F9966B959 0C9D8F06D1A91489000887CE35EFECE384F60D42E5DF79BA4BCB3C52 6C9D9F00D18EF37A3C86377F3DC23F8E4183023E1F3A499508FAA998 B316DFDF25052C434096DB419DA17E1C9AAFB767A25F4C4098D369FA 1205B459C63D568985C959E2774C413E3F07A0DD295674C3561B7D63 6AB8C5252D57813FA17475FFA44C29799C146E6DD7472278728A7108 C6949A583412B6AB04C61A71C4D20D549312D280C90015CC4F0DA2A8 1CCFFB2C996EB3B2D3E61BA3FB2543A7D290F637F8714149C2C2BEF2 473B00AE18B2105937112B35DF78372DFD81555034C642DB14EBD87F C191E5C4CE134C94BE62BCEFC2E7F489525FE2ED229A1D67FD4A97EE DCAFD219DAC1266FD546DAAE56E0D46FC0712E48C1000423FA65D835 A95BFEB5963C6F9D4FF3245271C08443A1796767746B31CCCD75FF27 FF99B440F7D995CA43DFC9397E889A025A1DA79040903FB840C08A42 70EAC3AA3800B4A76C2F5DACB46A723667C289478A14BF83B9922691 FD34463DCBCB3D181609927BF831B415A9C7DAC9D9FDDD3029D51B46 81F1933138ED10ACE174AB3AE848BCFB545DB6EB201543C8E02E39C6 250E2088DF30E1F1CE534A43B71F88869CD657A2AD469D501E2AAB32 35509E2B14DAC47A34A518A7464E8F3C48362A17CD29C84638B6699C E87FD070D6DD5871654834F1D3C5F3FAA6ADF480858816AD5E076109 C5A38C78762E9043D981E794F429EF4F1A1FD9DE0EE383AC0BCE9F1D E7A2526BB140DE68643FC2A167FE19D637C5C5133C08141691AB24A2 D62324EFA1901F933DAE04BC0CD9FD35ED515C206D84D465FD6F8EEE D765E5DF1B1AB951B079E470F06AD449996BF3A2E1DB3710C852588B 8517717C7C1B471A7246E2597A3B9AE45B0D91140429C0CD3BE63E3A 02846C57443D64CD97EF7BAC41DEBC1F01D20529E50BBAED79D03ECF E2ABC34820DCA71C0318952B02DAFD08CFCF9895E3B0D27BE12F7C58 BBF4744808DF115D182592A855EA10E2EE226BD16896CD06E3B8DD5F 8225CCB90796BFA15E1EFA92697E19A8A887D208C725086C2C99F576 E60CC9DC9627736894C24D61DE8FFE7559801CFE1FA0A9333C796ED2 51B323BE792348DBF7B76AF08DD1B9EFD65BCE33DC03003449390158 3B0C03F2345E089F413C9AF5B7F6177D7816451D67AB7C06E97EDDFA 1BDC8498CAC4C914D56949EDDBC80FEDD3CA6A0E040CB0028FB98D8D EE20D6DE9574D28C60F262C920C07351C7CA300492B198FA880AF738 F5709C02C28694D97DD36AEC78EAA0008118C333BD2D87BF5C2E990A 37E74A18FBC9854A4E84F7E7EA11D724F44B67CCC618FB8EB65DDF3B 6464C38536A181D502EF617AE7CD74286848353031AEC28487FE8868 74A952623E8828FD6E457F54D82D6E42B8185B9BF0B194080AE5AEB7 E5CB4528818D6E7E8120F6192124CD3EB37F16D5C703F4404F23E475 17AA63BE0F3F690EF9CF742030C78C49574D749BCE2A11B683C70FE2 303B1DE06187B68AA5051B0594A35FBFA937532830755326F66AF7A0 A85DA7A6ED52DA2D9DFE3BDAA640F9CCDAD017A692C54C94B36354CC D3B982D3172E0049D2A08EAED97B665DA9AB2B1C7AC4F35D56842C23 82DD8E7FA6034528D22DC6CB353163C4ACFE65FB9D6D1AE9EC0D195C B3DC6E69541EB2A2FD2AAFF2C898480F56F3FDB6DA1536316E3558BE 99DABBDFF3AC094851B231AC5C38DA0BE56759445C9457DEF0919162 358D40D2459A1C171C97CA15EA33995EA13D59ACA27CE038596A7CF8 B6894B68D41741A16A6283CAA365383D005829D4C7EEB9993C45AD42 39A47C77D2D13A6968B0E7D7A98050703DEE5CA2130CAA5657945504 7FAA2B40CA0BD6F3A52BC609192E4718DE98AAC908EAD2186923A4A0 0A30430C811CDA380612AE0F7BFFC188EEC94B0D8042C5B404C636F3 65CB67927AA3E34A88731ABCCB5CBDAB1F0ED06A58AE06B696471B49 73A69F7D617325D2AF132C531D09F391047FE45A847165755D777AD4 C52659BEBEBA01C68B18246BEBBFED5F2AB0A9F6AAC6EAE83A6FB3EF E20FA2C5372932AE7986205ECE9CC68187ADABAE272C5435EBB0C938 3DA2C42128D5440DDE2EE847DDDD247FB2EEBA35479D96FE24D9AC3B 8D761B76DD77FE7F7A6A57170B17F79D6EB338CB45C3959DD1F98CB3 511E22CF57F13A3A08EAF7C5A08BC4CE364CB9BF9CDBF10C43BBD00A 8C992DEC55813D23B43937CE195CD48D33490A9C513263C3273D0F34 3BAE0494E23FA0D164D17E8FB65FE37423D5D5A63F7946169B7BCDA5 5D8CD4E25BCB09EC34A23D67419FE5D36E27992887A9B53CC0BF8439 6122934FE1597E0EF2CEA9CE8538D8FB0D7C47AAB6299222778C971A 6C9DE945F0F9EAEB3DE40FCFA5578D0EA917F5D38DA1AC99D411323F EF23D9088126DD6E9DE32AEAEBEE1D24581EC433C3E22EE1202A789B C0A447B71A92442FDF8FE581952FEA7383046526719A0B52F2210B37 20AE25C08AA8CDADF1A8CAF9D480851D615310E4AFF0CCF25D2F4400 BC0B32E9DF26B0528F995F44EF7959B61EEAFE90271F7BADC53C8B0A CF7484336F88FDD708F5D51FEBB18EE1EC608CEE42F556B7EEADE7B4 C3519F2B2C74259E41A9D2725E9528890AC11ACB73925180B5B72921 4BFEBBB73BA3E4B6CEB1E9F9BF092D20BC4642DCA9876400F433CF48 B0A22CE413F773791ABFE6DD3563F4FA2C90BC20275F1B3C6E460F20 3CFB17FF6C729036A96EE4037AFA701DC0CCDC05120167FB3926EE61 8D13F07BDDFC44D0E1ED392D082CEE181683C66AE1838339722B9C2F 6B3A8C4B66E49C27133B3C1A24B26064974ED97513281ADB98DE2091 58F9ECFAEF6BEE9BC2FA310A8C4FE947E4D3E5A1E69FB3117FC7CEA9 B34EF02D337DD72337D6831BC73DB7E97E0EEC37C2DE6DE41E9CB8C1 B470CF38D074DB911DFDD5988F9816266526B9C0C857B0C70BDD2FEB FA46C3740696976BB93E3323BB288334988777BF1472667AEB25951D 4BAEE4055C996EA9BB50B1987E52EE4A8FAB2280DD1679E037D77CB3 A6C82B0D195F0E9DC13257966D29336E5D11DD9B584BE0AECCC0F9E0 1C680126D630618DCC4FC42BE574470ECFC9A68E9D18A2B0148C40FD EC0C11D0E4141E1590C23BBF315FB411BB445920EF5DB6CB38ED2CC5 392F75040291A06A1AFB131C580E481ABD844482E3A53EB416215E54 548635766723A1BAC7246C02C342FD25CF680D5CFE2472816DAB546D C9CFA192C3B1C2E602FE87B7E6B64F288E62FBAC4A5EFB9496300C39 95ED7B80105B76BF7522CE26605B87F0DF6B098435A71EAAF1CC52AE AFB0B74BF6787500976BE3265BF4D44403C55ED28979A7A9770AA921 451528769E2BB344698B410A6D66FD9B6932E3E2D74D073D0D5DE770 4C38D5480C24FDAB10C9388CFD262DFC02D6D945D4C1CB13ABE06FC2 DD3273910B1ADDE85C982D0D3ED9E93D7694479B818591C267B9CCB0 CC4F7D973476AE8D622FAF2A837759D1C0BA9771707CC22ED5E7A609 6EEFEE61ED7C8545405DA40CACC403983C17EA620C6AA2E7E9E4395C 84CBD83A506126BE9CCE711B2BD83F806277DE4F6CE7C73BB4CF34E2 6ABCFE9B07EBD7E0EFBEBE91365A5C66446CC4CED906706D43F1556C A9A92804E7AC0C777AC349B0E093778CF278E191CC60475BFEB83781 9E33644635F5D422D0A6CA871E1C784E1902195EA4C16D21F268186D 35CC02B60D8C4FB8BB764B7A220101401A6FB1C46AEFF1C9777A6BEF B252A19D41543E4DF2F6E5021DB40CD6EB98FB2F788061F7CFA33DF6 7F3871D1CD3DEA5DFA9998946EC250F89EF090932B850450874D8A52 7E4D7131F4403783A1D814461AAB61AEC75904793FBA241CA0B04723 67CAF44FF2AAE947C33FCE5B9B0ED7D5304FFA5B35CE371FA5CD4847 B03629F31014BD48CBC32FA8847EC32690B5123F5C94EC0AA601E63B 4981BC4D2C6C0BACCF670C10B420A61DF84A8307DDED712D1D58E3A7 201E849A1EFDE6D9E0608A0D545F0AD897B5DDF1D6051E4552116604 602C51D7F3109A0128C3A6439A8365CC44BD1EE3AD461B36B2FC6392 2CC623D13D4F9397906E3D63D467FAA593765CDB77190ABC1A10C393 F9DCDF28E930538B7758AD608305C1215980143128138857DB62CCC0 BCB132DF5E1CD9DF969704AB715F23407E3FC13698A3CE520D3E861B 37B4E5B75657E49AE98E11561D94A5841D91AB0589063A09F7E5667C FDE1B7102592722CBD48B7053C6F379300D166FC2C415FD87BB0BF00 0B382E0DAEEA49E208CAA99BBFE93413113103F2D699389DF89AC43A E184DE78FC873BF78E8B5D7784304860E3D4BBB34AF21A5C075963ED 405E1B3C641A908A65394A11741B35DBC419C1A74E95662E769D8967 896A88F8637B15A946DB082543F06458D56F69361E913C907B9FCF4C E8B71A825AF82A05D654A642EFA96264C7CDD3116271D4EFF4771104 FB52D28E0A189B129C8112E2DDAEC629D46C392BE39345408163FC98 EA57539BFE5F634C06CB123F60F59216E0FC9884BAE5B81C2BCA5809 65571374417DE68D49774CBD0EB24AA7EC136B4E638BFD2F4B383083 0BE6182732B98C345FD7FCE1C023CDF804456E6F833DDCAAC126DFB8 E1F3A3BF294DDFBF9119AF1F9FAA2FBDD3751A17F1F6D5FDF003F8F8 D9A4EDB06ADCE6EC5C905EA4E0843814B2095E35D8531D33664BC720 0E01C0D193BC46EEA908D0BE537882BD1D448B49A04325CCCFD49E66 AB3283134861280C0F5AFFAB381B216A3E009CAA1BBED05E8AC76384 39FC904C24E1B518D66C1180F428032C65646D94150AACA07C3A33E7 A5D5201C01AAD171BCDCE2CA91C630E4080257FFEBA9089A0CC1E43B EF8C479E2B593789A56F5B95DF4F9E947C31BF01D85FC148A38F469A 022C1021105340199D37DE15026B849A263F0D88E895594901A00AE8 0EFC3C421D60B5872B6A9704D5503BBB8CE868A4381009BE99E6095A 13290159E2AF932FB465931984E3D4E24F210919A5497EEFBF5DA850 3BB8C4B2A0D99E424FDB4A0C716B694171D3C3D91F519F89B0761D42 D5F2FEC884C13350740F35DD8B3CE72BF006BDB1846753965D479863 899381E8ED53A63DF2382503E52BE6F676766F610FEB898574D70196 B4C8CDD8BC0E07146DA50F8BF3A2526D73DC3A5B21AA6E9F9536B4EB AFE0D4576F21B6EBF7ECE5E7A4088E5FB1D954C769F2C6109E8026E8 2161C144F217F028A0ED2678DFEB772FD0A04B0082FA8DEB751981AE 7A093988C4249B41420340375CA7C7C7F6D448F7DF237AF13C201E0C EBEE4914EC6A70D519BCDDDEBD35C38E37FBDD2C0E27E188DF01C34E EE39AD4E5462B3A99BE16037B050B18DA11DDC8B13A1EA1E2DC4CAC5 139F166CC9834B60BAE7C86FDD22C8FE7642C99A70971EC1D69BDAF2 31A1298CE119E220592824E13B798AFB582A742D0A7EFBDE3C24F93A 5182CEA371B3C87FAFCF6E1B1AFEB8945F4B410CBFDF96596890CFD7 1B1455E99821BE651A23E7FD0C20A98EDEA39ADDFF2576B01CC0965C 5A9CE4E69A62BB9BAF812B33D0CA0BCAFC46D95F6D8C574F492F7A7A 064FB98245D13D875F120FD9087623E837434032D086C32F64DB0CFF 06F50C0AD9C42B5A1125152E79E349CB69DD3D34359063EDDB7836AF 513FFF225C2153E088215CF07DDA9B72DC40D08C46AFCF99EE7CF76E 2EEA6DE403FF5067A18B49404E2879AE524E9DC5860524328B3CDA5A 847181C48C6E99849C1C237E53CFFC7762CD9C42D56E8F7D5F6660FD 33E3F610E1B06590EFD9A7049A8ED27EE52E5E03BAEF4AC0433CA441 7BA36DEB9EFF5F697F7E9123F02139BC2BBA0420162AA91D73C943F5 557F8F7FC499FBFB31906A59F147BA8D43C969CE9AA3733C5FCB3913 347292A6960B48524445D579B57F428AED99D4A04756FF7710EE6266 975DC4A160ABA4D9F1B605639415CDB1A877331F58A4093044A32D48 219BBF62F9F0FA1C4D7852C56344898D62EF07BC23939EEA10BA4419 B3253003079ACBD1A647276ABC929F3655B8B5CCD2824D3F3187C22E E0E052DA18BF12552EE6E0F2D3BDF834C3961FB679DB9EAE21CB2A9A 0446543FB2055B455117D6926948F64318E65406E9F3B641DCA9757A 6B1D9264C8B05947786A45FD3071B8149C984235E32315717997DEC5 FBD23D96A889035D419E534DD5950AE8D127C3A5EDB8AEE4F55B4B19 93C42BB071B51622F91570CC5E85E21FFB09EEDCC141A10C7D422B12 52D0E4D2670435F40BBD6E170DED4E9CC9DFA23456303838AE2180E8 F77D3C1B0A4C24D30B8BC0F1C325D9C7AD8D422904C2ADE453B3857E A1392A489AD0AB255259FD102D31AA48379A7F39CBFD3CC9C37F914A 998CF99562CF6B332C10462BCB36734FFFF19BEBAF0F3C5B153CA2CD C9FBB3615D8BEB36794F6EB17631BE53558120C121431D47CCDF594C 40941600200106D02DF2EB4962D1E1EFC34040AD301E7942A7AE6475 742037049E63580033FEA82A0AC72757542DB2B057F5358B35626918 56369AE66DFB1711FF957342ACEA44C76EC40EE5F1339BDD85794D37 4E7B31489A0338DE87FF1E40B2CA5906EA91EF1ADB7C1C5AE7B08CF4 1911FA9B70C6321C931484FFA9B5058905437F4E0234991A404A10D1 13361E9DCB5367B9B916A034A43DF172C82665541F04D4C5F00BFDA4 5AC07F39054682E295A1D9D3A0D31295CB86EEA198F1E41B4B0314F8 B87D2A80450AB5079AD1B05C35FF1473D5A91BA7293597661FA20AEA DAFFCAE57AB2EF23865884ADC629918E070E197EFC89CE5E5B7DCCE6 D49B8EBD227078C28C70238A5FFC011BD5452DF7581E88099DD72037 D52C2B76614CD160789B735A366E14893D0CE00C396471A902836AA4 7418F47B067B0B20B059B36F79A2A58D24FFC02E59E699B9B9A6ABA5 6980048CD7FCCCF1ACA6D54C11D8791293ADC2B8D434088FBD57B288 59BADF097A51296E695FFB2CBB5B7A63C84581A0D7259E8AB5582517 BD0441D1AC9821485444EE4B96F59EBD2229191B70F3FD0E93A9865E D6010F423C4A7CDEF90F82147062202A639C9DEB1BB88DBD32445584 1FFE4BB22E8F4641C2CB76F511257834B6780AE2661C39AA77322D4B D5C42F4257005517170AC9184BD49A6E9005D090260B0DA6020B45B0 905F12670666C59E0A9C90F6AD5AD5D9D8E11C419B07AC90D0A4229A 01932262E6DCD386EFC5E0F722E1D943727D1055B7EB8458F0D807B1 90471AFFC226C88676E8DD42D1C04B007BC8F686DA9C2C8F7CC5243D EE76136ECA5F488FF7F41F0470B17181ABD0E844E5758478D00A43F0 3B5E44F864C730A95C59A485AF034FD76A416CFC23FCD2D0FE90465B C5CDAC67673FC638C4C805297D84D2499CD43F668DB50A3FB1F138F3 8B77B60DD0F2E9E273FA2C3B5EDA2F5465C6ECEE1183C446343A6E1F 7FE96CFCF32E1D5A7DBC57BB78A3957C3B5CE9937F22D30357D12692 085ED0F67B8CBD2348371A5ED34CEF4E0AAF3E8CC67FDE4D9D791590 9232843D989CA2C276125D72C1EAED4A82EB9BF96D74690609C5FBAA DDDB9E7F3069AA0A3C2B9C61008B916BF1C864323BD174B0B71EB35E C9390ED1FDF3065DA917981435D1DB5135D7E3EB2458AB541CB0853E 208140238D6C41D0B56935BBDE440E30DDDA7EB955E7EB07F45AEB80 E28AC4C6B2E9E3E369003730CEB00102D3C8579ED03CE514B3B14CDE FA5128992DAF363DDE067A1DEAAEBFBD2C813F4C3B5537A59583D196 7742E7F0AD62735422C5E81AFF0E07912A210ED85F79E061273AA7AE 5E32689EC9C87A3BCC0E8F5D825F25C4919420C47A4535630F8871D0 A76B526BFF22A3978FF61FC75F9C0FF9CD7CF840D4C1F0F37E643D16 E62E7500A29344D69817AF3C839E722F32252AE14F93353734BA946F B7985FA96F459EA65C9EC94442EB6F405F1097919FB892E0BD7DF0DC A04C41C59759F62380E5BF439CC05C3EEB11628431C44027F494D541 39BFD38934C8A08B724EDF3606D6B6359098325A2799F554FE8599A6 B74D81EB2CC70ED7035B878246FA7128652175AB8775F07294A83676 587037ACACF5F5C83028AF110188D19824C0EC1948D7A6CE803FDDE3 0C11A760ACE49DF1E8C138160004095A6E8A8F20B3139CAE9E1968A2 6D70C34AB01C05B26F1757B22BB1B13AB16A73EF7CD495571D436F71 5E20B66124CB5DAAC27CA33898F7E24B5B349A40C1886584E31699BD C3C67FD07D3100DF15EB9E35D168B72681B74A8A40BDB8EB8E62D1E3 0A7179B7B755245F4F9C72E3676E0C5122C0AC9EA955702E90451070 281257B040943ADA79F84023414AC82A074809B43D0EFD0B7A30E25B 1300D898548735EF3C1D2EB412F7520C1B06291AC7333DE55080BF6A 541AF3D4EE50C1FC507DA9052ACDB7DE663094BD53FEA7743CF10A80 BD8BF14269D2D2994F13DE0C810AE6C47B5D6A4CC05DE86695A9984A CC560225BD62DF0DFCA5C6C29DD1A67352F6AE590896B8FDB6C1A710 7F19A0C2821D3D99C2D1F0F47F36A313F2317E38A8FCCFFCBF53DEE0 2867D05CF0E061DF2E15BFA0F048230208434035CBCA81FE29AD9E4E F0503A7BD987467017E1860EC56FE01BE07F3B617288CD6FC7D83874 7EEF297C2A1B451D9A6412182FDAE162DD959541DA3F3025CD05897D FC00D0FF54040F107CA5FBBBA7F6D891AEE880347D7CD5DC8C4A4DB5 0B838B4A60ACF965B2A9E669A024B2886FAA5CD3161B24E228E6181F 553B12814C45815B42763664538D9E5B24092F36F972F7AF849A2B92 C75A31A9B9A8EE9D520F22AFF3986CFFC7DF7B1959B313EB8346E336 B612264D9884632336ACD303BC2A3772BA3FED7C3388984FE4B10CE3 A6E8CF0000E4C7657B989735C62A0389B395DD39075781DF21505A2E ECAD6782940C2B2534D602BBF09BED5033DF4F797E9A41821CBB9FB0 785E41F6D59652C96C39FEF091DDE2DB2F4F656C4F125FAEFE2811CE 658BCD1FD6F3A4FE90898BC7456B05A94B74FD97BFD00414425B9387 5BF4ACD3FBA06008E77DE01142D737B9AB1142A8CCBEDA8686F18E2E 3F11741A7A1B66BA934D5C737D13BB2804AC7D6EFE8EBD2C24EEEE2A 309DCA022FC8CB847B21F6D8FE0647B3022EE76264788BFBD609D396 61F59C0219764372E19B3DC316A99A988786553D48C2AC8E56F4EDE5 A7044E9A286A417150DBE9CE80A34C703E3568FDDD2D00DD499C3219 15C77BB1D21A8119403F65A53486D7FD6630CF54DBC5B37FC9F9F610 C707A573B7282C829A63E8458883A959E00B054DB2D16FC8FEC6E87B 0DCC37666E796704B1FC7CCB348364F103EA04ECEF12179C8EF9F0FD F0AAADB8D19B425587C3A49250456610CD123EE01C2270A45E1DD7C4 B11738C02C394E5A879A5B919803856B95D7A2543D200F3949CCCF2E 078A11F186934F059E664C4031B27DD42280D90116FD64A3EA6A0A8C FC8623CFEBABE8F9B827E72042F1F4B1C21345F4B63294D764E14F12 003A8A8A48A80DC1D4700696899D042475F4C1947EEEF5B7539B9DCC 334B3D63EA1C6019BD27586F8E9A216D960599738E35E0273E051939 ED91253B108ABC058F8C7C8EA9104214E5EFFEA4B0C82E116AB82CB3 9C0B5FE8D3C291B5ACD370849FB787DCBA0E274E5473ECC9FABD1BA4 52DF90FFF45344844ED5FECFDB1FC48470BC88F3FC7A41AFB030F4C0 9159C5BE9452FACFA507B619013D52241AEC38AE14AD4B7BBCE34696 892850A5F3C84EE901912F6154FB4EE62EFF8C336FEF6D51CFAAB514 9DAEE26A235B8039C3EB5C295735270E98AAEE1FB981772586968E5F B50F535EB75B37C044DF1117F40CEBECE416FC5E6FBE8CC7C0BDE053 73D63D65B7C7D54F10B0421D3195CE2886945003086697F837475078 8BB2A4B741ED5B159166B27A98F80ECEE8A3FDEB5F8C3F18294877D7 5295268E8233F7B406BA230AD904F06C0A586AD8725E9C5B70EA59DC 91F0A74D9D54509B9A419BBA2A27BE35A6736B9B677AEF1C030A0D4C 50C93C0D6E7C823975C087DA2B45172B6D1268C9ABBFC2590E1DB3B7 563617856526015EB926CD99F1A7CAA16833AD364996156C5514B79A F5E49825203826E7CECA020E628F6434689BD64D99007F5A80B79D33 5FA48FCE4D30341E06D27AF4A23C62C611AFDB0136B687828E03A4E0 0303F1CBE91E83094E837B58A8A77888B522964AD29748DD451A464F 6998D08674B447A9F5F371D12D197F6B3B650AB17DF4D2A66B6838EB 918FF353DA90C8E8E40A717825BEBFB5182ABB212C0C6C637D06E5CE 588ECED411FF0BE5427995C2AC8B3AFA8C09B453A576998A97BB1142 B0553E617E6F8064F5A7A6993C8021DF7ADF633D138D865A5B31D610 F333DCD85ED7EC98F3EC0AC23A4929DE69822C6A618994946E90A8F2 E40D51937B8A224BC52261ACC2F52332121991141279F7F3B3F8F6EF 74B780A259E7D67E6768A163683892D5A1D580C92E152A0E74268896 256EF5B8780DF3C6407DA5D962431D2531C24F17C079D27663380A81 9E7F34DC7805367E9BD7DE7DD10B03B6AEC312A16155E3C30307CB2B 4CAA567CFAE5B5233A7F2068A160A3CD618758AC107C839EB0090ED6 C95C037F20A8FA474A3370F83F6D6FFC90345D6E667B4AB3BDD77DDF AA8919C41AC03323D6FD8A20FCF8767BAE66F32F34820BD3E221B09E F542881EFB953076D2731EDA05ED1D98BEFF5D5E65BF60DA4633058F 029AAAA24838F500DB30401E8364DBDE335B50FC2858116FBF432CD2 94FA90B2606D4341CB27A1ADA1A9155A3DE83CA42C296C7A63C71D9F 19E0FBACDB814CFFDD13F39817B26776A2CE6F16D9F42D4D9548E8AF C89C69A89E993A0EE84DB1770601370532BAD928414BBBA386A9841C F5E4014212FDA34B2A8655BEF5695FE90846089E03201B75AAD11D06 5157D5DE991587A2608F780F7572B890C7A625727F1ACA828015E8FA 993A69DA47C04DC5D4D0996C33D3D7CC71640F8D68DCE4F18BE91D1E A2B6216C9A6409A633CD1EC7EBC6A9ABA9EDA8461DD9BF84DD6A1501 65FEE2A177948D523815F6E59D14789ADB89D3F66D383E8A76CB5EBC 5ADAAEDC5CFA373D8343434F05774DEFCE89935F52E00E7728022F4C C0993B56C3F1E295DED438B94937DC889B6EF5BF766853C3B1DF3377 A767E8FC823A7FBBA0B10388CADA8B2EB8B95E3F0DE6C82954801F5C B186086F2B8509A0855981D729E6D30DB04CD14816D49719E2632A17 FC4347B9223F2F8CC53B30D5100D44B73A3334A6D09B26768A8BBBE8 944E3102AD02E03BFE383811EA33DF134D49BD468D0CAB8C5CBFC6E9 FAE490CBDE48DACFA1EB50ABC990FF18A27A547D1A0CA01047092B5A E65B261D302D08DCDC68B950E862EC5387F14F93787F92C6BD83A0FD 71E68F5B52A1FAB2B3AA24D140417820C6AEAB4E47E377C6F1C1BFD8 B026CAD25C9A85257C1CD506DC1B64B6EEBF9FB43BF5F2BFAF064AB6 B2F7B88BF47F33DC910B58F70DF314886FBAC6DF0001D07290EF00CF AEBBB85F6EADFFC37195A56E591021238830D13C8D3D15D6F0D907FF A75AC3550E9579FCF1468267B39CF88071444AA4760AE81272622229 B101E641DAF041B03AD672773C2AA190150D82A36751AD479BD0664B A3A24BB7F512B4C381C1139227086EFFD89E2BEDE2D6A4B773D4CF80 FD47C8653E82C4E815B263D9CBCA16A73BB26CC0110EB27FFF14D484 3F4F220CD4275CA4DB009D0E84B88F099FF620E4366F236FA4B901E8 0FD0F0BA1644441492781FB7D0CED88824E89BAF97371D2E2628C023 209AA34FF0BF775A631C0A4EFA797EEE95C056BC5D8A777F23D1CED3 0DAEA27D7FC1AEA65AEF9D9FE614608F2C10136A5898B6062D8E67EA 4A990C6051D35FD493B61DB67B8CBFF577D02385DE5474DAFC7A77F9 94A4A202BB8231147BC48428422B0C83DD812DDA0A734860DA56FB2B 33118FE4761DD77991FFB5EEC959359A1173863475523751C814765F CC34999D896B661AC2C4255A739DA44ED2930DB07C3205E5F9DEADA0 D03A844300B029E83FC09B54001D2DF2C7B429D75BDEF94E8B742932 CE08BDD43F995481EC91ACD2E6329CB4D52AF3C0104A2D75AD8A48CF 078AC58C34C68545B3705EEDBBF07106692087ECF206DA308F0D380A 083FE85C00668D2D24CFD46B1E649AAE5CD8BACC15561D73E2A70DFF 2A8991D501A632EC0BECA18D4AAED1CAE8698C448E265E30D4A2D5FE D417FAE8BE697F806A1B6C7343B1F27842F0C6AAFF1E57FE911E22E9 C140E95BAD02AE3932CB67755CBAAE80B04F51F16CDE511D4746D003 B8E32F08ED60BBF2B23D470CA8887100484C7035B166046BDF37EFB9 EE219CC279AFD2D67FAB6B513E939F8AF616DA4352C0D41FA58542F3 E2DEE21045503EB27CF2ABFEDC38A0E1E0D16A736262B49C62BC00C6 99D9828DA30A39226509B0A8EE7B49D8041776A4DEA7E2176080C2F8 45FA73505693B4043545A949276A9C10ABF5326C1C3A715B407054A2 FC1E4CDB0BEAF16B0321B3ACF88F403C36FFCC00FF6B3B7250A6AD16 51720E923E25A7F74AE64D3D1BE80BDF917BF26103D72514362C2F33 CB3E053A704BC84AB472B72875DA0F9ED556CCCC4A631D6FD3F69535 8F6882AC54EBB7E5A3E6254DE5764AC671CDE8AA32393C7E8537D446 905347E723E322230781AB9CA9E4BBE0CA57F769CF9D081592F5F1BA F4636D8AC9D4C6D799189B42A1FFA321FFDF40F3EF366F858565E9DF C6E7B4F24CAEBB851E9B9262A0C15E9D762A5FB810E7EDB02A84607B 3C4163CC6C6073EC86F6059FB8D99438AEDEBE72C2E9C610C61FB4D3 F3A7D8267B3896BC71C66EAAA62E5BF4B8E08BF9AEA839362030BBF9 8381EE0EF98C659EA4702CDA5CFD09E4119FBE6411D7277ED2A19D52 8B5599D63E655508D2F30B9F4B1AEA1EBCD02FB6674A46F1041F69B9 9A914C828692FD69556DB3430CFDC927AD6B54D36AC7846CA6300C9F 9C67E94360C122CDDC65D58DD6E5918FB01739EA99414A71A27E1635 05B38141BFFEEED087C7F4F7736305CB1CF2FD867C0C5BD6CAE0B0B8 5096768FDB5F5A589ACAD5A6F32AF707C1B3F13D199FA3CAFB6166CE 6BDCDF9B8E32E1B654F28721CBFBA93EBC1FF077899D43F1B94FA04B B19858321825B1749CBB3A14FC0EEC06CF47EB8482065C393F940964 35174E8FDE959ADE68F4706793D264E0F395500E5D5498D49970EE0B 7CC9FA65E0EEDF8D149EAB53EB39DA143896F63E74ADE5D25E680AC0 40931BE13CFCEFAD7B2EC72B6A600CEADCB964BE5B8F4855578CE89E 549B0BE175655EFD6BDD65B609F4BE6D0F50FC1E8C9570BFD40634FF 3C048F9AE41F035A9C6104962B612BA966A42036468165D6F36FEEB1 CCAAEC8B6F875AF7A25A756DFCCA73A7D3005CB5CDAEA38932C6D2D0 8E2F9F994F242AF5C008E2602FA3A899EE9017E03FC785B14B3EEF94 7D052A420C08F3CB4C38982581F9C648A9A10782E08DA4D2273E7E58 FC62F58EDB673599DA1B2623076EB1717DD43C37C6B7BD264C8D8BF7 6622EA962DC883845265731D8F52E350107EB2A99DC5902878A4C927 D62D735DB14F7A64BFDE3CD3EBE1069F119BF042263CCF3FEA4E8532 2AB0B2BBE85F422947542FA19C5F6DADF21224E8CB1857616133518A 7A9EA51F2CE7CEB5FE34D21C906E8CAEDA6683F24648714C16B10743 65811D3BA273FE9C6DC1F5EEB4A4D054F8AE4F3DC5BA11DB27CDE3E4 3AA711FB5826773A798CAA3F4C89C68BAEA03086B33BE4B309155147 D0A041BA2D167E5214F98B1DFD615869906EB7121FD87A006E915C08 44E6429C0D33CF38AB6DD15D65DE8791DE57CFCF44CB72168458B579 4D269722F3B5E62EF70CA375A47A02608767EC866C76DF92BAE24693 69A708D8751AC546AEB83B96A25A05910786314C1F4B70D386563D35 76DD76F36AE6DB2EB1C6C689470D22BE69A2D8E5A555302DE90C95D0 1B60E4280842D5244442428FEA4E66C379B66833B1C33A78E82A1D3E 7C58F85507E74D9BEB799A6C82DA54C42B61B457737D515A6451B061 3E5E9F211A8BAAD0521E744D1BF162823ADA566CF838DA5B9E24BF53 7427036ED1DA1E22A592884BE2212B599F374FE89DB77561A9D1E962 180D1A399B30E2A0CB587BE0A89913EF46F8497AC202BCA8279DF44B 00C790F9D8F960F6DC8FFB68C55DA5BF5EA94CE5978AB72F42C7A598 34CE133B3954448E4CF35580272405377B8C7D8E4DDF8C2940FF9969 75BE0086D659DF8F80C06A4872BF7243ADE2AA7CB4B8C7682861ACDF 7DB34133E75F54312905FAA6DEE3090B18AC993525C8D73B3E03F4DD 6C56DA112DE976E7BC66D0674E907EAE9A87B48B3ECFF34A28F72224 E5C40723CD68B8D29EE9E8FAC513987394A7D352C3593063DD2C9738 F581F9B2D9DA62BCAAC80AEF3887B50C1FF452757AE4C3359CE43BF0 6E9A2E8472C11049D28B8F192413E1D71EDCA372076E17E25BBD0CF7 785198DFB693DA5C0934B38FA8914FE39459ADAE99063D7A032FE057 259C59B4529CB9123EC4F722BAE2EECE3CDB935B1988C5AF5ABD60D6 C81BBCBA2C6A95508C1A326B373E1076722A169FA0CD7E61FCE7251E 3C3F23B0E3A8319D094EA5F3826983D37278A8D4C8B55E53D72C13D9 9EAB19B4E4A73A134854FDA9A7846A341379C7F45087F19372EDCB5C 56A22145AC925B530B94A98E3FE8E0264543FDFBFD5882DD3D0EC7E1 68261F6752D303203BD02F618C7E0ECDD0B547E6A7A14B0712721FD3 23DB9B4446B29843F2B48555DD79ACFE9FA9B99F5FD2CA5D0A7DFB6A 67942E8AB05A399E1B453B0F044D2823C29AEEF6D1D41E573814535B 02BD11A664F1A99B8B6A8F2A27C46997B087E006ECBDEA939EBD7569 A7607227832F9D2C71C750061EF132BCC8957FF61C2ED16130475272 D92A27F9A8B2D2973532AD7AD2735DF45B8D00F138B7066ED8B35702 52732317BB95960CE831B7A241B6F24B417D6CBC4A646AE3C9BC9761 DB05C88727979F305F506E42D02D2E260FF074E0F6470FB2B59F5195 F631AD49EA2D99CB4F9F1B61741DD1CA696A11FB1233FF672B99114B 9ECBF0463B0AD9E23AD6F5CC478725F377C540B5E22A28FA9E97904D C470AA808E7561A051E14954C9332E955D5BD699C2AD7A81014D67F1 8C040FDCBFEEA1BB54965680FDDE66D87ECDBE20978171B8FBAD8825 010B9EF8C35DB3D238370F8E71ACE3AB9084FED24B3D5A640962944B 086709E28B08569036EDCFFC0146551E3563035A3451DB13729EB19B 7FC4CF759356C985B4E0B201FDF9D38BB515F7C097991A402ED75B30 82F3D008C28C9787F7AAC141A86C2F5496B7BEF71C97BB2F7B83EF46 61E938151F671DEAF116C8EA2ED81E7EAC34F08ECADACA87303207AC 889699328D38BB3216670F7131B2FD271D45DA62A29E8ABC019453B9 CB78C7F8F9551C842E562BCD120BDEB148B662E64AC469786721608E CC6E4A060D762FD45866E4680C1F79F9F0E9865ED6874D1099DB9DD4 B4287AE38DD74AAA414D1A9B096C771A34D85AD47A6F81A2DF990BEB 9B60D9D0F756BCD4677C65B0E44AF76EBAAFC8432D163344D3E90786 DEF2D86203FCB4AF72C383257B0353E75FDEDF6090A9714FEB34EB93 AF5CA7B6F535AACE6ABF802154747F4A6E60C062386CCD3C265CAD4B 573D7167F30C8F981D605A55EA2C961F2499AF83E66796058A184D6A 4626DEBBCE8F9BB7905C2E4836AB874F3E13FBF9E42EE9A7BE38A4F5 AF9047602A753F85D767C266E5050E26C59D8ED651029E80C1954C05 50C2DF9C1A8FE1BEA4AC26FDFB53A9EB04111D1CAE0AAB623EC16FF6 B858E6AAFF69129931E4827D4A347E49A6DA79E8B9BF6EFBF534954B 17D2373027EBD43FEC24B15D62432CBC1E02A666E371BA6C45B6EDDC 31B1F9D49C0591371BD1083242487379CE8C5825C246A5BB703BC694 F452640C015C313A35FAE0EF721746827B59A825A179145FD7B0A3FE 2764A21FC2962F705CAFA1A4BA334BF23E158A06DF43290EF7250B50 DD0DEECCEAC2E87E0FC964AA4F917CD16A1D9B752D7635B4D6E10A59 34C080F2937FE884068D99BB0E19CF20F23EF214217DD94A7837A108 5F528BF97E41629651BAB980A7CA3619B0105FD4CC944D37CBD261B9 BAC5B8C8FC21423F259EC3E32392C315ED607182A4A33C6C5278938E 534F570084EE95497BBBF15AAB9759C1BB2E4D67E9F5F8112EC75627 C47A78D27E84AACDB4072FE1F419EB4795BD0D400CE2BFC84A5F9621 A3C5765FB5C078BF8F663559F60812D99FB66A9C0F3A7D0A7FCC1FD6 FC3D4FD233E447F883F9A94645368271605BD679A47DDE00560C7C9A 1FB228047C4E153BE666D5E851C1D24F039E2D59A90E6AE9F9B355AC 8789679061B875FEF53A11456B664F0D311D7334454D5C1F8EC7695F 6F1563671AA29EFB2655C85E263AB1BD71B631834BD87553501E14C5 9B8144CF20EE7804031AEB1AEA1255BA64E9510A2ECFAC608882751E D574E6C21228B9B54CAA4442A3C58D723F97445A296F98D788171FC4 E516CBBD6F8F5055ED36E59558ABDE1FF07D8A9134409A38E35AC02F 80F71FD7B7B0FF3CD89EB4E595D2A6509C2EA0F9A4F1037AA19CA7E8 E6A73A1B2058B9E265951B7E911762933727F083463E4E5668AF8DFD 49FA6D52BB556788D28B004346597E76F5CBCDFB26CEC90D1A60D84B A0E8898F8E41D20FDED761EF62F42247A8B055DF9819719E8CD6335B 8E4F37923A250347057E1DD7A680E205B5BF3D3069E8C9766A18EB7C 78F7FCFB8FA80949A4BB08AE1B9C5D510E14A2B5289CD975981BA5F5 DB009C1638646F75BA53F969394ED5CFB9DA72AC0B01FDB9CE377AEB AEC33B88ED052D67BD5D2BC60D3F6B19C408B661150FBC7335D17A7C DC955079C13B88C59F68C594BAA601E4D8996ED317FD900F28280261 CF74ED5DF089961F8A2EDA457DE8A99BDF34E4D587FD1571306CC78D 44C8D6493B7717B1384997DEDB7FD787BEFC843054EEE75E21590A30 63797DEF0CB04D63DFF36E7CA8B9E983DA41006F0BCD2C6FBC79B638 DA293DFBF73EB5B1C85EE8981A84FD25BC65649FBE8F8BDE55661CE4 66B8CD2A4DD1F4C4C9753E6C8513ACBC6A1B42C3D98A01667D4EAD79 AF8C6F8E3CF159FA77E8399D7AC470E0F83F9600321D1CBC9B03C4D3 CCADD54183A24ABAB381A5A651BAC93624F9AABBF2C9B823D6828D7F ACB4155423B9FBC17145352CCBA30B8B409D25FC6617072F369D58D4 BF543806E81204D8162A4B612F4428667BBA350924457BE6CB0BBC6C 3A47C60255158CF58A17CA4B9878BF9D63D474611DA7F9677C2F2857 07B90EB1576D799BE450DAF73ACF59BAE5B08D0FD3AE1594A4F41621 55D5064BF76C11F0823A37986039C3C71D822142AADD2ABA828AB63A 839ABF5465761006A8099D9A9303E129C9474C273DC721BBF5DAF9FF ABBF2AE22344D46DAA398AAF736E78F82CD072BE69D1129C8CD75ECB 3D9AAAA28202B6EE2F2FDE58359BA2F67DA7E35E8BBB3EEE3FD84A96 FF9A746AE8D28163F86C5E1D875F4D14F6965AC7E193D4B620731772 A29AB5C4A43F78184CF21C59ADDB1A3EF559579D94C5890C5FF2812C 4CE552A6B657EBAD60DF9D721804A0AB68633DD0D5036670128D6853 CC5FC13E64D37BD6DB01177F916D108BC7996DB91E9D2592A8AB1CEB D7E20C904E4EEA1B6A94A1E33CEE5FC3F36B89E3541C66A8CFE79948 0E134F86010170CF81F4659A3DB698B1405135A2EA171FC04104D27A D12D2917C2E82C81D0A3A2682F2D4B812203DC4230A8EA950502B2DC 983DCC1AF813854306B1F148DFF156FEA2FA8F3DCE4DBED065049D4E B7A08F550832D5C08294645B093499D384F0D3F1ED15811D958C47FD 4377EDC7E6B742969802E17A92EF8D02E0F421F5E03181DEAB5F4B78 FC5A6F42478FC2C1A197017078493F57EAFAD29F2B3B1B7F5CC7E77C F28974AC9CA06FF329B73F5F856DD6C0D9F10643AC7865FD045FA861 B09B6E0FE10F280B5A270D8099904301C5964E0A6D8197700438F2CC 67AE69D2D2A168C3CA11564C7D0A9A2975B068683275C05AD633381F 7905940B2A9862065498C4D900FF82A1B453AC584196DEC3ADC1C79F 3ADAFE12C0AC943AE215A5D43A6723B26D50E9FC116761CA497E23C1 11A58543D971CFF43EC16C72ED9B075F2B9076D7644E8BA30A0AC3AF 89557DEC6B22AB5BC084620223376F5904E138B9C5C3E5F40021E2E0 2DF7755E7EFA268F8C7AD5F21381ED940C0879F16B22DC27461D742A F570348222E912D56342DB6F9FB0270492B67486DE15142839817F2C A7551E518576A3725863B2A64244664BA8A3D5EBFDD5A116EFB6E155 7C5DE44D5D24EB9FB7DA6C9470EA52D22343D5D483D1A43BBCA1D87D E2D4F9FE1921BEAEC00349E6165D009D6D7B94290C4B496586E251F0 EBE3A9279F2142F064F1194C744A491E60D5FDC748E7FDAC3E26FC9B 467536AD4B52F079E0A5EEA8E8118B6F7A4E468A8BAB55ADE9F58675 341C24A311A4900033D67CEE0313B42C50745F8F904480CB1C902B2B 323629A35E848A794863ED560DBC9640C4883F823EB60671D3BDEE51 B7B055800442B4D671A77D9EDA588534C13D4D008CDE28F41E73EBF7 A7BADE42A535DC5FAD570D376F3BA7972E3AEA75F0240120F96E3494 25FB2E91F83EBB789E394EFDB5EE5F4FDBC16222891A10C1360450B1 0DE27ABCF890DBAC751C6E7FE5B15655CB9FA1F56CECF70B5367FD8D DF3DA647CA99F1F5B6B31E75EFC048BBD2217A0540F3A2D8DA122870 49E9813646D1CA97F0632F237F667A19C566D33FDBC0C9DF6B3EF98A 95A9763C045772F5D6F027E251BCDACC89647236F00FDC39976CB33D 184D8AA6517E3A1C32E3E0AE4D5BDDBCA3C1558266F4F6DF3E3D0F31 40AB4E853D8EE049DA7E0FAA01436AF7303412A050C52DF06A44ACD9 67FCCA0FF2C17BA1A19954852A87044B3580E873B2052731538DB055 DCE460BC360E9F0CE9E2586C08E656E35889DAAD8D3908E1A9E453E3 DD9091ED58A34A68B03E7FD0A4187F62E2019D03570101DDA3254957 8649D4F03E6EDE20E5AC2128F3C22C1EEFF0949A02A22ED2F1AF71BC 665ACB7DA162193A80C2A54376B8031A39FAF4A775FD67106BB0C6C3 BCF53429EE5C7A4CB4A26BA915CD8B4E5F2294480E5AE7869D15698F 5F7D17E8B202BB5233409A94B4BACB49180DCB9BAC6E481D8373C949 C301C777926043F7E7EA1B1EBE7108DCEBDE026AF9640AE1C327C8DC 078C77B212974359142850D46CD909A1FB3F75A2554FB850AF532930 1E9614D9ACC9FFD1878E3042B433A312FA905D315E1238425E6518A1 C58E589A8BD98765BD66B8B6E7CFCBAF15A2C55551F5C8D7D8FB28D8 AEDD5BE8E7F11E3AE40AD4A4096E932189076C76A03A70CDDE79F077 15747563F02097638C51C46EBED7B009DB9501440B3180FB663C600B 3882334AE8F072667DEA45245C9F7379A06B6B50CA49488E18CE4FB6 5E1C9A212FB325F5B9276FABB2213AB09B19868544B4C67088290060 17553BEE76C43E9CC6BB0863256FFF9549648C1E8A955D819AA1BFFE 33429DA7B38F484B3054D980730D79BD09DB98B5984FC1F42C30F8D4 5AD5E590BFF6919847C829F0C475C06FE529536F2EB414D3B59217F5 3407068F5BD06A3D53063D49F5B7D573DEDD6754BADB32ED2717560E 485F22CE57DDA485267738550753AF539487355F2B34F498831D9DBA 3B8DA5A856B80905E2BFD9CE7C56A588356E61DFCAD0506C21F1149D 23B660C999BCD3BB351FEFAED9A018900290796B1513F92666B78214 AA5201EEBD2DE23AEC103D41E059D8145CC0434138B1D9A53CBD6385 9139B67B0BC7759C7C0CB068FE09A5C30894158705DC14295F8B38DE AA4403115B7BAD9D334252F4EB5B1DBBC05092939D7519DD0D4782BE 10DB23A0F545854FEE6C98B87448010F0339EDA13C2A3983AD9B299E 33CD2DEC279889A8718D881B43D3F02F1707CF0841D302D9B83EC2B6 1B667C8B9937925DFE24E102E33E4C8FAC736BD708774FB52C57DD0C 5E1DB648CCE6D62D02F2EB184C624EA821B2C07D02E4C9DE1FBB9AE8 2D93EC4BCA6F025AAEEC532618592ED2C0383BCAC2EBF9029B14BA09 9AFBDF4DCAD63B1FEFFFE0850E54D4B55173D3289B1BAEAA45904773 65B42BF7688FE4269653702C6D212F9DBE304A421A28B3804B86244F E0FF9B33CDC4A51C2E8C79179A807ACC2BB31B048323722ACAB36DCC B835B57F653C3E0CAE7C0DBE61E799923B1447ACE41B35FFC3958E42 4E28C7A2FB01F3311065D0AE69E4846132E4AE170BA493E478444465 2EFE40ADB2B6D007D2291CBE3456D373112A7ACAC4B666FC4A63EA4D 956A36EFA4A1CCBBA22FD9F239D26AC63DDE4C7730CF3EA43FDD8B78 3C92DC3BA69F8BD07C1B712C7A156DEEDE7EAF1433FFF654A9B05BEF 9A8563DE6F1AA4CEC9FA05A953B70A404F42EC7620FC75AC88A5B775 35C4C4198AD2B6B9283C6EE76DD3E891CD0B036E7BEC726BB7CAB22C C5F4B236A43A9E32042D88F35EACAEFE750B1E8AEF0A84683804F54F F9D047DDD81B84902D79D1FC9228F43229289B9EF2E4EC606A4C4010 B7558545873BFDDAADA8B68F82C8FC5BA39416ABB87FDF4C46828037 D7E72E93475866FDCC0799D3A655504055CD6C1598CBA627BF38651A 1476A794E10B99428C9C142767DB30606CE64E94450A5B9628F86E7E 8539B8506716B13410AD9A55A31AFA4AC8B6F75229764151AD85EAE0 1BE4F26B1200E3B5E33B5BDF05DC1B5EF8C52ABE7A48D9708F910F52 E4B80696713ED53ACC929334933B98E37351AAEA6C55F8B95900A713 9CE569946D5FAD0FEDF1B41F79ADC82B9C59A163DED1DBBEFD939357 E65A1EF5951F44754937A75A1690B8FD775E9C71FB1A2A7F436D6874 7A86CA7845EC52B666CD4FB95D429D049628BECC224A9F6C32247CE0 591B2A47ED979A0CE60E9344B74EB25252E8B0C23AD7B23398CCC46F F807522B1FA091B990B585BC53FFA68E7431E486BA118204246F2CF9 F274AB6DF21274FED4F717DCFE9FCFE4917351458529444392B87E29 E93FF4C09C02549242726DDFC6FD78071F10566FD5E2C95970E9C918 FF77521A4F7A7611CCD02E3BBDF47E61F4D560BC81A58CA5A1AF4F44 FE03E2F4A2C69321FC36C74D1430F475336EBC2FD630410073F8FBC0 059CB233D9FBEC770E8D13FAA60E3D595F95B57E1902A2A30EDFA5BF 6BB260F51C129558D90AD6977065B4AF30351A3AEAC19B211F7A293B 1D65502D9276117474C45649A5465C7FCBB6A42F5D32F0AB4AFB1760 B3A0A8AB37585E39C82BAE87D244D12CB4C4B1BF6C5A80A221A01E6E 0DD7546B2CAB0AFE248D4D25D3A4745A41E711BD4DBC2B8A9D35BF6A B1BE4A18C8867ED036291F70137D392F4F899EE8779117205FD7A38F A6DE5343FBD9A7D4827684F3E1A098E89E05FC75AF6AAF0A09D6808C 5D03B07213EDCEE5C4F6FB88E01BF2E7D3E05E01EF3EA6544349F95C F44250DCEC069931CBBA04EC85F7E1C076AB5633C5ECB80F27DFFCE2 87D1DAF86A20DC42FFB6B5AF9E68D7BE433AD875C27465EED2EC83B1 D04A338BE17E545A95E29F1A449A46A7EFAF78683897600CA9716BBA C5C4891C84EF7509CB125DEA633533F85680D3F0A166DA6F7C3C1212 D1AAC387EDA156A94329704804B271A10D1F10FB04CE39A393755838 9463DFEF3ED005CC13A4EBD17B0BA4196D5B6ABCB0DB7A3C14E2D2AF E3F32E192B464973D9A18F8663E757FF0E9452D5562650122E874B92 EF2A18A2A4713EE13976CF6FB3A058310C506C2AE9F332C19672F9D4 E3A3F5024E3A1FF20F5D41AADDBD8CA359F873F51443DB1866B41A99 661F621FCC3D3C8EE093B8B0A7CAE480E622B4F4F6EAB7C0C6EEFEB0 BF9D50FBFC92CCF194C94320130DC684CEEFF99C84D72CD78574467C 992C4B3427ED49CFAD72D89D9C774820A73A631D7AFE42DE41F14270 EA4D8B8E5EAFA6CBC142103386B1F7DA86D931AFCB2D0ACCCBEF2192 FFB1305E953C169B9F905EC48F2B3DE5C34A3E1E5CA738B159789F41 E6E7737557952DE547EA39F9840AE12A8576167E83856040C28A2712 10890723C44D87E0CB26E3E839BB2E6E02B9E8ED31C4B6A31006916C 79CF8EDCDB711D7A47662405A80F891B2A668D0060308B91F8E80132 70437C6D4F6F0812EB3B32B458C929C39FF0FBBB805CD5D0D7959EDA B74AD3A7454E7E61BD78894C895A42ED3791B13E0B191770A46E72A4 F51F44698269753086E67F45A248232066A9A4BA472F4041198A1D8C C10E79E63713E614C7297938504CAFC69CAA6EAB6A5E2935AF8C9DF0 DA863897AD5E1D3BB76ACCBAC7B1CCC06A049106BAFA10352C61193A BC577BBFE44B9022FEFD6606247F4F4F9048AA990D72E1A50AF93153 459E0B94422B8F68E12FBCC6AF7434A71C6A335C814B6E9FE15D82E9 46F600E269BB0A4030D06C96F3ECEB502A26B8ABF68911E279C19CD6 7CF450C80DF60B854C32BDCF7A50E8EE76B7352D3428AC4BC99A656B 3026258EA0ED27FF22E0734EC1C2BB9ACA0041819D055928F5F7DA7F 924120F763D7511E8DEF8A793C01E804335A26B972F39DFAC9D14F2C 48861D13E699FAC9B8FB6168415F22DEED1060CEFF7D57FA8DEE3BD1 B0B3A76273B5167AAF10582FA0E060DD351B51349045981E9FE9B1AB 707DA5B2E9F428FAE3DFC6059BEC1AA3D62A51D0357A34D098528FEE B7DE58F2B5EDDF4AD6D1EACD5402017485724E9D0E3C97D04B1B6C89 82AA6C772E5397AF42A9695579BC9D3A046A90022BEE564CC514A90F 86C576EB55553C2B8479B61F5A419C182F21A923D23C2D134EFC59FE ACF5BA4DD70140973C3A9676A3C609541C6658AEB7708A589C38155D 5B1663D2DE1EC37CC21A9F457FB1BA129D457E60E4B53D0B616E2044 2DE58539E152051FC692DC03503C8B7D9B692D677F4307FA4320C70F 30B58462521DD14377A93CBD4DF48DB3D4B760749AE4CD1483EC01E2 99CE9BAA8F2EED6FCE78A4F7AAEC915DF289A330F6CA522FB43DDB69 7223F2196ADE088C674B7C9F3B35732FAE629DF23B30B406BE180E27 6F281C017410D45EB7113B9916747FD7F219F9BE0E56F96C42BD81FC F4227B874A9880760F078175267E1B277BD8207C28A442AA3F8469B3 72337A770EDB7191391FE68EB7BA7BF1D226071DE3472F27D99A10E0 CA2C286607B9C40AE6409F8B0730A778835C2A8753F98C34C9E2E17D 48973826A2E834502544A2BC5AA5B291BD62CB7A7801FBC3DDCF209E EDB7CFE29582CC34C19B270DD99ED9522C9CC24DA86BD0D78656DE42 15F96C29C3A54913B1174F0941E92493166E0A403ABF332C932BA48F 86E45011409C4896E0C232ACE0CEB73DC4A0EE5D1C04C08A8B0270DD BEB4B6A289D25691575E56B3CF540D19E264226C56A371C6EF9F3AA7 28B7645249C056AAEE478209F14D149DC7BEC272F2C54BD4CCE1C740 2D4C7398443DF26ADB28E6604E471509C3153C8FCA1FCE5009EF6816 E4B910790741B0FCCE6A9ED97351A80D9B25F368B295800DCE909253 E4EF9D1CB5A95E62995AC52B01336E4386E97E83EA8B3B739A2789A1 E868A2143E4700B852F5DA11B315DC87E97A930806E5800D14FA6766 31861F1A599BB4A3DBBEF0E1C13B9950021D5CA4C627376C461EFF35 93A6879D2195861A18FF58B7DDC9CF4571048B0D186378D8E5C8CFDE FFDC61E58BF65018BCDBAC16A8094B1027FC4C06DBA77D1E0546FBEB 6E774F165FEA1DE55E431E7484B3BA7E5CB87335064523AF3F963E35 4579DE41AC03EF1E0E17BE23A828616AFA2A5592646C77D3AE58D206 B43441515E68FE8565269EBCA7A49F917B9B4A2DD763B42B40CC6FE8 EB50AA1D1549E59505FE642E6E1CE4B01F6C4030890B0BC5A9DEFD7F AE92701B75F27A40CC2604837F484FD10B43258390197CAB581EC283 FFB5EC62D9C5C76E8E2EF345D6DDA73C22C204FEF8B409EF760106C7 33EFE17DE5A3BD05BE0CA58DCC3936D73D08DAEBCEC605EA46EBA48D 12B975C0B0A0F0BE7CA5FA80FBD5A4BFDD0BB29CF66E67046F27C54D 317F39DA01D1EFB0C8CE55C2940652084105E1CA58792B59ECD8F40B 20032B296CC6A2F7E0C43FB22FEBD76B86114035D2448CB8A75A6F7D 86A6046C75A1D78436A02365400599D186C5430D9BE1136122E99598 223B35331759FAD347878D0AA1CF09E3286BCEF66456FE5E7AC1497C FCE78D9ED8CE0834D4B1CA51C9283E949703AB45BD68ECB4A8AC8D4D 41C4003624EF72CFFB191EE229DD36108D6FC7F9AD9165FDA7515C71 76EE90384F2E7A64590167227A7DD7E8B4B14533B439AF85B5C37561 923F68793C50E9CADCC18502AD7C97A1F5F657DCD89A2D6804B29DC0 0F7DA2FFA71754067057AE28977890F97A8318BD1A17D9973F7A7A67 56120B75E5394ECA829E0CB07EEBD914F168B9A529DD6E9974A37455 8A11FA847271673BFC5CB1BA235F76B232F9B5318FB12D9A2923D426 A38CFDDBA2102622793DB7324342018372CDE495AE7398F78CDC02CB 493415B45AB6AD7286B946CEC69C12160E9B818AE32712A89183B159 F5684F666B96699F30A12B1C08D47078E22B2EA0D353384E7F436188 C170CC558675339796871C1ABCC826B8B4CE4E8F4F30623BDB564F5D D5FF813A072F7605D93E9E5751B10ADA68DFECDC18DE63DBCBE91A22 0913995BE1DEA18B9F29FCC648F34AF6A842B4DE6543F1269796AD55 E950F40626876356C6764CEEA1CA4EDEAC30DEE6F7B9ADEAC0A2D31D 81F9E508163B88F1525022F1EDD91184132E37D33232BFDFB52E5C21 4B3A64EF91727910A09E9B67D8B6A2B365FD1DB5A8479243FE9BAC4E 8EEE2C374907DCA0614CB91D0E57D0CCAD93E1A8FA87E7A33AFDD5A7 6973BB79F175CCC021D9F8CF54064E8C3ECBDF9A05078AF1B377F47D 4EF8B4974B70E60B2138CB4A5DFDC283437C3BBF867B8F685B270E45 D848E765D77A2F75B4DBA216B9B069F546A1BC4A9532A1FC3BCFEF83 C27017D15CDB60CF679F6655E12E4056CF73BD529675D0DA67EB6EB4 F176584970E38093B69761206BAA0AADA82F54B40B247F726CB45AF8 F9F78A5E024D8B4EAABE5A94E7E916803AF9A3A394C005CA752B8F15 AF811CBA87FC7C9573083F01F3158A36BAA0F74021AF11582955006E 1AE2AF18152C1B56A936BC28CA6FB688F8452E92E21458A07FA19617 34EB3BDEE276533C3A0C6F63F107198758C85E201B9234EA8BBA5B19 086709EF903AD6AFA1095B184A0F9222C31670CB7AA942D8A6EEFD29 DAE378C6726A2BC655172BB2B54DC9F657AB074C41C7E55F133DFD8F 34F41D33BA199879CCB9D30D85CD9896F1E38E850864E596F1F544BF 541EE35BE669D934847F639C2A4F63F233B3AA954DCFE747F4EF9144 1E131BFB422EFC900557A06E505E97C814F4E6B479114702DE14AA83 F2C47136BBAB260177EB5236F2229A9715B0F776A851BBAA815E41E3 6BB1495127B117A4D1FD5535FADD38397A7530D6986DC93AB3D600CA C4A8FF163A38C4A9A0C1CCDBAED7CE4EBA7E7383943A40DD79B125DB EB9F3D395406A4686CB6D65BE1B570FD036FD33350544582D0DBE1CC 1E34B9FA284887C2D1A30315B960C3A49924D6FD2EA7B8D945376D23 43FDA5E4CE43518A89DD7FB206172DE267B4C44E48060937E70AF5AB 2D5BDCCC0307C73DA42944986F63965777688C0F95A3292C3880C33E F116BF1A66A54DC7F2A16A1EF19B1054B816A5877CEFD469D62E8FEA AD2501E8085693FDB8E932316FDA51F22025C91539D062D7B4C68444 5D43293164710173392CB06069D154EEDA76750E40B9F6706F5EF42E 07A61BEA2326F0321DBD937037F7B64C9605E70A18BD208AF6C1A785 7BEADD2014B5250DA344673BB3B9B49F31BBD5D485FAE2F6440446FD AB895B14E9F0B50412C7EBEBF5FA0894B2AE507C5E20730E26C442A3 7DC9E19C6743ECED3C34F8DE97350358F7F7F913C18739D8BA42C968 214F593A75EA1207489A9EBE13968C9144E3ABB57BF5192FEDC358AF B15568FE93F44F8567D3791C9C8B0C87002BB87B57327258079465F7 5DCBB2E51183E501B22C1F3913D390681DA4C42802141F4074BC6C9B 1A67151B7D3417C02DF7981CC56F9EE9E41A88CC6EEDEC05BE86CF98 606238799D07F6B49C3A642D9596837588C04AED9C71E28C2AC29A30 A2F0CD9B7086AC9EE0A7E5D5B608B39D420943C608E2D98C56DAA31D 5A4CFA13271B0908FC940DB2384C96364DEE50BE3E2109667164A274 13D21076AC449688305F92E20B616753CBDF6C798B82728BF08806A7 97243E66AD698A794800BA9C2FCE1C7BE98536CE31B9D3A758335838 A0A866BE9E7704758891EC67C40202D32AAC05C8FF1CDBD7264B95CC 6BD1915DD4E8449904484ED252CB601329D543C003166222F215EC34 94DDAFDD8AB1A951BF490D708DF98A390ABF303B55D1EDD918F450DA 38BCF9464A719281768DC0970067C3FC7FCE33D821EBE8B10834E9B0 B03B1768DE41FC060DCADC47CE15CD39CEE8D5BD40E61E20F7145491 04994816E060F444C245486D2C40E9C8DC7C6945E1AD680B7691062B 8AA75B33B564EA721A61113E7D01643D444536A32CB2B4CEBE5A67A9 B72913904FDB87534DB3EF35A912FA0F7F6A82737C390F0EC79EC77A E386499A2F533A160D187E570A072B96E70226C7A48CB1386AD6A28C 9D8801227554B1F7F2DD800A992A772CE50E90A317F810D89BC73C7C 3E1BC8A0CC8E5648B29634A225F9FEE3C828CD03B76B72025D7C3D64 C48066501D19F340D5F3A03A52DFEB7BF65E3E1F14371F3F2E985D71 7D17F7F21BED39E6B54B0157A9134925C61FD0FFC82691F336AFA1A6 1196A6090B75AAC567A00146500587587CE2910F00E1103A701B2DB7 5436417C21B58AF4706F03827F6D7513BC1B2B689467372678BF5F2B 695762D632D7C4ED4754B96A0C36E0142E54FDF3502C0BBDA611309F D9A58FF6005DB674933B903188644724E76A277001ECAFCFE896CE41 74A22A5A2C74237421E1B699FBE8ED4CD7483C608E07737249D89402 082619DB1E25DD8E67940591D7891433278928E39DB1C2276FA27839 3AA4A6A70E703F7FE91775D1686A2D4ADC155325625DB56BC58621B5 4C00F2F02324160DBCF54909C06CCB68DF9DED544A887960617D6878 3A79747C405276FADE0416A978EBA6DE0CA107F4A6308AC04210092A F44E186687102F0E9D6E67B305F8E12814B6F5886208BBFC6F9B930E 631939310A00D5AF89117545AED7750C70029D04043F3A6FB4AF2AC0 FAEFA5E04AD5DF52EFC079366C0DDD722341E8CF9B818A6EC4D0DEAB 785B6BCDE5295289F593B589D42F42C519F4E76A41381AE96CE6DD55 6C8542C631DC2E7BFBCA030B0CE40A9A8287FA5D0A54199324F7B62F 54752351761EDAE30F5FB9F6E4FFC7967E5D97AE10B42A2B4134215D 0D5ECF2A322E54E0B5384DB19B7C02C73895DC4B9E501D67AE4A97A8 8F4EF6B80D40DAD748925D00C7B012E7E1243D1881B5C5C8C2D498B5 EDF194F79CB7EEC75888B732B1A90A10AB005F7A8ACB9BFD3277FC66 FD9EA207AC7333C8CECF32CAC49313CFF854E118EFA62123B130D9BD 5E25175BDAA70593E7967B3B8BA69E6E2931E865C8B02931B68B1275 07FF1C1CB5C9003735FF40EC8E14F5749B0BF8CC2C9BF44A3B3C20B9 D0443986E148C6E0DF05E01BA061B693607D46ED3611DA718BCC060F A93FD15E71671A473E68050D07C99A39A1D49716F0F9FCA49F100569 7F61B37531EBEACE897C7D091A2531A00970BBF02D0059A2847B6612 27387A036B7F0C0896370DEEB75F2A4A818ABC644BFB1F489D404842 30E4C7CACA7D42E8C460CD52062390087852FD9C86BD798562D85E59 FC56D6C3E2805060DDA7474677E651B9FD9985E787CF7CE47CB6479B 05FB243D3883E006240B96F477BA40074928A85395D99B3959306F3C 4A5CD2AB3C3C933A804F3D76B5C4B00CD06929EAFBAEBDD5DE8FDDAD 126B74557C341F9C4B6FCCA925CE81867193157D6F926FA9123D9395 EB2EE2F89FF78C5237B0666070576CA90D329802C4099175605FEEDD D5E292351174101A8FC32487B58243485598D38494544A77DE056DEB D1157C4F908D3AB4327F3E9E8817ECE2F03B5AB10F1DCBDA9CAFDA6D 048FA78404B65DABA32C276982B16D3DB545AD0D190926C097376758 3651B468F205988B86EC95D0AC4AAC7F7785A7D5AF1B81E1295C5EBC 8E45DE27205477D7640EEDB312B113EC52B4145A008F33FF771553FC E0816B989AD8A413BEF0EF37243BA0DD410113CCCA14C4D8F1EC2549 C2CDABD69D64D6D6832565AFA7EEA21A22817BD4511F32185000EB4F E42928ED2D5409C3C9B119CE31B9775AD9D827A7EA14B2D523D1F4CA 581CB0D01B1F9BC27D73526325945BE49EDE71FD6CBCB5EA2050607A F8B1A21323B930CE47A74B3E61C0485AD29C28F440639650465BB325 07C6DB63E7ED32102AEC8B1DA1625458BF605085E5960C0AF9E0C5FC A29BC4D13E8CFC888DD599B0C1A9879441757FF845FAE462ABA8A6DE 8D6608FD29EF9347A3E7130486D3ED5E2D0D175DDA1D150F36AA1028 193B8AC4EE5D4996D4DD2053B8F1DA595E597B4CCEC71CD9D62CCC2A 67B0F290BCA0D02294C3C41D16CA801746ACAB24891EC531211E6104 9C8CC041D85DB2D138654370480E6A1D85CF1DD5B30FFA43DD7E2B7E 4BF556C650B87D4C23AE83F6A74874D3FE7F57FC1E5D2B044A9E5865 F70522545E8E96E581EF01689CCC10DA5896F4EE05DB3A7DD50BCD37 3D322CEF906EFEDFEDB8D8D14F45FE3BEABCCB1FF2105594EAAB3169 6E1EC571855E57084B53C6618ADC0790BABE725A8D263927ABC32864 FCBA5BACC591EB4A165C95223F23C0F0ED46C9D841E7AB66AE4214B2 AFDF5CA80537D60DFF114DE78AE94D32557A1088F45D01060921D6FD 801330E1E3FF1AD0E974B91765B082358BE77CC4C5445DC47A56DAC0 9B4875F9043F5E6156E39DEAF3D44A752DDBD33397A7B42A52A70FAA DA56B32D90BDF808550E4FD51DFDD21B52477F1B776F4CF8C438C1AC 87ABAFF92AD95DFE91D71290F3FB55B9AE26F56CBC0E114CC4DBF728 0977DEB850826FE37CD28FD3BC7BC4096ABC02AC2288D45E746BDE2B BEB93A2AE256F350787A435327D48AE4AC669B4DE56D6CE7B7AFFA7B 65330BAEFA7B88B4754BE553B805674E6CBA41EA64866A26DD15EEF2 9B9D20AEDFE4A5351CEC523950CF031215F0221C5267EDD8482913C2 4122E59D5DA63D2900EBDDA36011998383BC7F098A5FC03E2B00CF4C A1096AE6D12A728154629B488481B5F14724301AF4DAE2B0B042C01C DCEBEB157C99F0104315F2DBDB7E778D8A5D13D3E8EA38115827D3EB B063384AA5D78AB644DCF525488ABA367A987F355FE5D097CC650BFE 8DACEF6D44837D21C691815AF3C7DD9B859483E0C1CA7D0F93F86038 E90C90B6EB28E2114073741B7D08E4A2461E41BCB5CAF526EEA7E225 233DFB74F4ED35B526B026814401D41CD9557BC49104A5DAED3E6020 2C0AA20ABE8C3FA72B32AFA3ED7903E0DAB7770235CC0CF5278785D0 807615F94622291280F231995BF31D923A99C8C88E5780F3D2B699AE DEB371B726C4307E9A2EBEFB08C69660A8522C4158F68A4E4CBECDC7 E7CFA75F2B43C59A79AB62DB3694A93CBC7DC316719D7F510C863421 7726E8CEBCA5E34EECD0732F6557BB602278BC2F38F7DCC35CB55B5E A732C93C996D6F3946C42B8D69937D8B0DE6D5265FDB301AD88507BE 97E2A1C3778526B063AEE095493C1597F4A70206121CFC5E3D8E3DC3 F0B8483A89267C22715EB78AEEEB3BA051CFB9229532ABE0ACBAFAB9 80EA8F9152564CBFC27A0EEF1235C7C3E7B31A0C4A58351898CF5EDF B0E83D3D2BA69A9B31F85C2340F7CFEC40561785A4EDC427AB784A9B 10628AA433E9DB78C8A927D76F3BF55ED5E77233DA80AA72BA63884B F588C25DE63D20DD208A1B2CF5B9B6A2262250DA09AFBEA29745575E FD08BE41566B9A410134D2FFE716AD1E15E6FE5782FDCD0DE6AB8CA6 99C80DA41D77273ED1D1E1119D271E14D607ABA17BD00904C81A850D 537BC63BE50705E1D445713CD869F781D2B9E49EB0F15E6C2D493B8C D62C34B92FC1170D7D9C988B2F637A3406025893BF4254C9A29C5ABA 31BE7E0A230CFAE88C26CDF166119FCF45A556D96FAAE67DDB5C8531 5374398A4B40708DD8B02580F7E0E1F7C25CA4BD0D8B2D09C9683F13 E2479708A65E6CF48DE2B613E7809A8B480EFD915F0900C9B56921DF C54CBA5CD8CD3FE2F7A6FD3BED5294180D6583D6450F6032A0689B90 35BC4FD1D267704E83915D7484EEE88EC1F05E3B0A10557FA4DCB2BA 23B768D4023032D686A4BC2BBFFD10C23A371FE7231B39F8C252FAD8 B1456CFBFA83EE4CDB9186057809ABF067AAB8DA36EBC07F8E14F75B 74D4F3D29207FF4351ADC4603CC0717EA6CA061FFD682293EAC803DE CFB64604EA830700C4C8AA7350E18DB6BCB61D92CC27DE15BC80CDED A44615A3CDA1466A10A641F6E75487BE6DCD3A1552DDB74FD12F926D 7CAD9F0D61C46290933AEC59022D924C42F0C809813C78189124276C D3A40B7A9D71AE793E635F809B198DC11D6B58B320F37058406FAA18 1A6C82CF99EF4820634A2A11731B7DF9AEAD2240CB70F66C978B6A46 0E7FA7A3225916C66935FD7B75505436DED0C4D7138B240578811EEA E0B58221F9526A9749F83C56855380972C0231979168CC0ECCBF6189 F6688A8A4FE3E64EC3B68AFB42261E9CCB3B28931CD56CD8216FC6A7 4D967220640455C31F9F1B85D11BEB593BD1CB1720CA0C99E4342F3F 7CF627ACCEAFC9DDDDF48AAA6BEB59BE6F351B2C59030EE461FE1BAA B532D326EDD5E8E3EF1AC266A8420252996A4348CD51DA8B0D478A51 E9D4C187D8F22DFDBF917119029B9876037A97AF6ADD6C5AD9031941 700E69ACEC93810DA968945606840FFF4C4150C18B95AFD0B3C349D3 03448F8B66723C06866E2512A5F1E9A1A47BFDBCEBED8FCE69C00A74 C3B5D5C4F348A102040763CCB0038FB8535670C24FCC1A6810806443 941E02D6F76DCC070FB1314D209E8B98F932E703AA5371F962D9B17D 622A72E3C4FDFEB247359DA41E6123799D58F2C1FE4E2E3E0037FD6E 85B652E1DA41719B9D14526D9EB990526757DE1EB64E22D4D20284CD E61CE186212D7E0D5B9CCA32651342C26500DC018B92B98934273308 1CCBA272671A251232C953FCA368DA319915D2694855EEF15B476DFB FD8295176C966550589A2974D9581BFF36A471588FD305D1D0FA7042 5323BE771B7AB965FFC4533CEDBBA10740D0E61DA4E121B10CCED3B3 061C17FDE0D225E9BA9D2E144DA8A1258C588E5A2906B84EA306CD35 26752CBD977970B021C96ADF28D76A40BDCA678BC76160FF20CE1FB3 C0DB80E6FDBF0CFCCD9445225E93059AC708514EDF91B75563A78C43 740D59D79702E3ADD3284A5A4853F3D4F8134AB7487C8AC8BBE1FAB1 AE90AFF36CD4CD80605D737D12321AA4971B3DC9047F582AAD5D31CE 27767D7207EBFEEC89794C54FCD3F3D686F9ACF563264151DEC93E08 3CF0AA32FDD65FFB2C77511E882A40FD8BF2BD330319F7F8F32A96D4 F00638527AB2DEBBBD4F605DE0E272A45EEB0B1B7ADD8E9B9888EFA1 CC4F6D9D70E120A3A49878232141EB0B4651DB7C22525D35B4A4E861 93612EECD4AED19CE22B4CE5261549CC0ACD2F3BB53BBAA1C86E8527 22148D4F70D67ED095FFDB4502348D9FE6B0C0947901806939747BF0 F6442EE8F6A15220C18386FEE0B96DCE544C999F297F6770D0E7CE70 1CB0671D52703B3515A0B06E0677FEF304DBB931A0193E9E3FDE242D 3323F70F455E63C3C62077EB1B98275B954D7E9B6BCF63FC8DD21C8C 5F1675FC2CDAD0622F0907828B0B4A9DA5AE29F9114B6AB2D174D228 D6DB1802D9940F9603C9A5D9BA6C039EC3C268911BB4CEDFD292F476 8902416E62FE498E94DA5453FA26A54DE35DB5A8A6BC78BDD2465521 352678553B5D34839F6F406F752BE2AD1900B40C32F8BC2F6916E41B DEE04C7468EBCCC9512224536AB00B56B9A3D05E26898B068CA08F81 E5F0FEA43EDFBBB5D5B8F2FA4DA62CB2B1679120EEF305ADDEC0E059 D5CF7914FE9016E8AB9456AE6AB9AAF8ED676950EAE9553F3149203A 5FA85A9D1123FB24A1082B88F78F32756396A4535F71848D114F71C7 6A6CA881032DFA961A3294D1E1E6450B786C061344411A7CCB4B729C 7428A1EE4FB0748317D5B286C6B5E2C810BDDC6B641472D95FD9E078 EEE54B18F171F0D39398F0146468D89190D3E68BEEA430EE60F3DB8B 9785E020E9446F5370F6B08E458E96458AB2B5B235E20159B4CA8AD8 8D95C46BA933B4CB26219F8D47EE769478A0A2534D3C2F23793A2D14 857394E32BBCDB24683B2FDA15A5AA61A35B60585F11F07609481E5C 5EE2EDC11E9904A9F71D351FE4A3D96870F591001F1B2FE0732CA1B4 8C5D27570D946B469817B63C2EDF55C468B9132CEC0CCA2492D77126 41178491FCA52EEDD6AB8B0B718DBF9B4BF42F7594026165A7B0B373 4697A3042BEA76EA2A7F1CE622FE9CC678F25F9A0781DBAE9CEA0E57 EB3B6709C49243731731FD72AD96B1FC0806402B84452A3F19740FE4 4C906A5DA93DB8C7F94AC62E0B28EE59F7C565FC8B2104A26513DBB2 BE75397D30ECE1E1A95A052ED6FE74FD3DF7151F81A1372A1D9E46C3 917C658FB090B16F417D23B89694A4AC3CA3F84F13DC2CB03A823612 8F1F078F4D7FA7338B59D89A139F858D0FFF7EA5C3258ED71D60BB39 0859137DDBE2980F5BEC8F9199462688F104B31B528F38873B133345 10F7093945904D9067424E276B2BF49D50A2F9423C1C439B6A2C8A1B 28FC1266A0662BDE76B45CF05DC5A4FF161362A2D2CA43096587E274 06905F9FB4EB121B6C664AA9A30A06A139359DBD0D1DEC4AD960C434 DB5D5C0EDEE56A187194B4A32ADD3C60203B99E60D2436FE785BAFF7 89250DDD5957598C6587C128A173CE8AD632F24083384C00D3FD47F1 C871C61E1499EB5496F24CF3136762B32B167FC59C1B0FA0F2EA4677 68FA763F3321A271D57802BB1D6B939C80E21E1610FF92045B7EAFDB 32D340BE7ED9B6AACD6FC0E08A361072C2A4B38B1B4ED8A89EFABE98 AFA5E7996B89977B347421D1690CB7BDF44A183AD003EAF2CE01786B 4378C97D98260E20B46C6C546EAB906677A6AB8651F167AC459093BC FB23F9526490D4112830D5A65224043A4E5B05F8268DB23752BF4F86 57A21FE92036D96DAD7399BE6984C4F79456A477FB0BDB71EE005658 14E721BD4E029D7F6D944C60ED9AF3851DB74AE5686438974C6DC8A7 802E9E77BC2411EF3B38FE979BB9E095DF9EA1C0D40D67DFD91D74A2 D710224A5B45C41CB31E4C9D5A060500F3D12F42D0196B5B80AB1125 3DC5A4A5D03AEB6465B10988E147628695FCCA43D7EC2E0A1E826234 BF4824C56BFFE3098EEA53DB2DF0C5A8DACA79026F2491B84257D7A5 2BF54192DB6556A8AEC8F6279CE2228361A331936BBEFE96D0C26904 47AFE5B9FE503C06AF0B4F39408EF34B077D5DFCF3CD939D01CDDA9B 1DAA9F3D03EC36502931458255DC7AA21316204170701AED92E3B34C 9EE5559578F5032500060D4B6498561BA57204CBFDD89C7A680EF087 A7A7F8A64B8A6BBF209B5412F57FF65B89EE8268F1799DD05CAF2E91 36CA70C3388A679B7B63B3CF4E57073FD09C73188944870A77788326 0A393D64FFB9408DF70E6E750C83DB8EA21B73CF988EE723D83762B6 BD05319725A0F66E321B5B2F8936392063E9654F9D2900C8D9002115 2F0BBBFFF50557AE78427FE065DCF4FE2EBD2052AD5F693131EE1A0D D630FE5739745813E96FDF07688BA86EA00660876F75ACB35544D336 E6909F1B892259246CBA5E1ECD9527CD73849DA318CE566220EF7510 20DC952E8B06EEB64A2F37C5F2D56158DFED4BD9ACD8B93DF7BD665C F2A46C49E0CC23961E2AF74553298D21F12516C2655777EAC267F02A EF794DD329B242A3445B107466CCA029F061A4C49DC9F6F9F0071C0C A17CD3F7BFA41CAB168723E10C2C5003D1B480FD765E3DA8E956C5DC 309C1C2FCA0024117A1C8F819D46B3E1F253C209ED735B9542895637 31B6846E6A7BE8AF802BDB6B27104EF6BE8B743E32FA95FDA605A094 1650CDF22C424D9E78B499C981058EA5E0AF0892B2BC3DBB85835A6D 71E382E1E48CED52F9D3F03A87129B0EE4D436DE062AB9AA6A1A4006 DAA7AE0777A62EA822E3AE64E759E51D15958807F64B3504B1B6BA34 A712E1CCB0AB8D0DAAAD5A2B8529C77B7A5BE1C65C34AFFF6AD15B5E 5B5AA92153EF83D9437FFED05DB0C2C94F95E3C2A7DC959E458999E6 0288D2CB0838DA67450B9D441BC74FC4DD9EC10CDA172D381721C03C 8458EF33D16A915D098EF47D8E6F7EB9FFD03E93310836AA04B2ABE8 1A24A35142B056FF2AA4022948B1A8E9F75974107091F7222CB87D31 C8F0C30528A6E05B83F7A5CD84DE98CA779E97FE1030E1C4F7AC3150 A8E1D51B94BFE9DA9B79885B7A91E7B5810BAC58F2EE96181193AB07 98B20013C82CC538FBC9AB780807EBD9ECCD3390D356514618E89F54 BCFD858CF524C3D8D23A71B08388BA389D02508CE402B6B2EB752B22 E5BB4121FB278299C4FE418D6F46AE17FBD53032F40F9961FB30FA6A 22833B1BD555CA39BDF5B8620B337D2A33A27D2E7674E781CF430028 42FEB5B0C52FBB1C3329023A79C826D7598118CE2AF4AC2EFB1DC998 00CD58523C027C76C8C54D938D7817219B93B8B6E529756903C7BD93 C5DAC1A0557677B11714DAE7CCDFA35630F0969F90F8F1DEDBA31091 8C969775A2C41B7FF75EA219C3380E5F987BC88DAEFCB43C1A6E3ECB 9CC5C2F23FF11633B2413A462785A59098681677156798D5D3C418F5 46BBCA6CD301DF97A1214C57BFCFF791E1317651AE8DB9A53BF80863 10A8D596A73C406E0393E3F50213213E794700635ED2FB683B44A15F 234A626AD7CDF828F76B5892FE107FF2FE81C672AA74FB906B713104 70E42D61A1B10F73FE95BF92F5D8C14F7B106952A8482707A14E74D2 36DA9FC6DB8EC56C267816C04205D265863BBAFD5FE274DEC567505E 418AC3A835D3005B170C8EB83C7D52D4717175D464E11ADCE0B713E4 7058A43E3F7ED261F4EAB44BBD46F66CB23B485A885222884F4A9F01 81B362D7ADAF1F8B3E5EA25B35BD2C35DEA1261BD90BFAD6AC6DFD00 05E7770A6A7104923A17C62331EA9203EB445F04750D8570573A0D1E 33776887E8954456B69701C08CB0D5718E7D4A952AE0366FF86D342D D377A242EB2D63C700C70846BB57A2C84FB302C812286A1A1173FE16 7BA14490883C0F24BF9A355C6FB85EBB7D041E7EDB809EE920F6C815 60A42D6326F380DDBDAEB8E5639E30E6CECDC88009F10AD9ADC010BA DABB231137DAE2D9FF2C6C06D7EFA835C83DF828C26E73737D1C3E9B 36EF80D13B159674884A6E7D805A4D3ABE061084CFCAE2BF413E3C6C F471E45FCF8B4C6D4DE5A374239B0146CDFC535FFA5959F83403D2B6 B145904DD649D2F4CBE5A42947897443C6390392822E452C198130C2 EE38B1F8FBDAAB0789EF7F578E669ED58152266B18F4C1287AB7D6CF 7D3E5C4D65B96DCA9092F3B1158684AD5872E4DA8935B16A5E35D2EE F99FE06B11B222CBAD282820B51F62D562A57E63D37BCE7A33DF0706 ABAA826370A3B71ACEF42B59C54A1610D8232DBC9A6A9F002614185E 9AF14433454867F743175565E0D267CF17B7A4F10C097849776E17D1 A655876A7FFE75F0E8D120D1097811D5A63E3B717D7149342CEE643E 6C8E3C2F2E3E4340D1788CFB463109C7DE0AB94A0D7A2F3B30383ACE B9F18DABB95B4AD59ED2EE79AB232F259122B91C8FB49094EFF359ED F1ABF842FF8E8E135C427B4CE0AB68715758C45DEC71DDD0A5ED3023 A0592B38B6CDFDA92340B3446F08DD4497E142AB4E5EABD02226806A 8BBC375ABD13EF6FB1A0A56461F1BAB4DD13985B40F89BD14A165E5B DD4CCC7B1AD70E743FFC13ED28F918973B704E070DC2842F0CDB9D1B 2E3858FD8E6B1DCDB20F4D85446EAE55E53E28D698F8F6EF0B279D8D F7F58E00AC91E8CF7BC6E445E4B555385F42D9ED06ED83A0DCB6ADCF F66ABB5FB4918DFDC05F83C8D1CA22E44C1E1041F7D37553CB15E310 DBDC2724DB893B3327DCACEAB11585E156CB0686D279FD9D4C8FC274 6A7EF20C32A7F1444881A99BF68C7311D724EA4E867F9F34381C00C5 7E4390A2DE0FB699031715460A577C514036803654A5D13C3E6F44FB 088B3C2E63B8BDEB214223562DB00914ACE5818EE2ED2482F66DD375 66B6C33CB1A93A15FA2103BCC0BD0AD7A53132A36B8CBCE5211C04D2 95697033D0F9BE0D93F912A3883C92DC621A37740BE53575376786DA B8227CD62A74B28C85ACDCD65FC93EF4FD6B3EB1E5AEB392242F116C 7EBF1DBE74638F3A0E0737576171AF5BB9909C1E4564A5849F462B3F FE580E117D2E8277C0A201003A6139BF5AB125BF8B442E12E693FACB 53D5E3BDCD2582295AD5B6179CFC1E429AEE28735D4FE882AE83C747 6EF56B547F501D2234A77A2077BF3F61360899295840482CA0647D4C 0053E658083419F4CBBD2BAE777F4B7A00AB98735C31456D0EE3FE6D 6012ED3FA2E7E3554BBFD431A6DC447B5E07AF00DEB631B17463E568 B7ABB9DDDCF6C9E7BA1F74BC561B036C573A183313E591AE32ADD1FF A01CC909145154924E1C05D4439D718603B96707ACFA1E17349B8D27 C35CDBEB4F529A5B6BCC46938A74622740616E0C82E71CA6F03A3A6E A89AE11EB4D138A55EE22B439F502A4DF61651093E5D04BD28BE75BF 478FB5334D09734E4B48F9513B9ED8C1FA8E106C6B7E94320180D2C6 54B980AB947196031767F8025FF010A7250F67A8D93DC7F63C6AB6B6 60CE02510BF2BA6941659908B652893E815FB6FA2C72D8EF3A904060 D42C1F9EFF2AE64419C27DCA97ECF0C5B010CE43D52F8C31834B31F3 34F94A0D518094863818BAEAB173BB6C9127F71A4A9AF53D2ADE3909 EC0ED6288E4ECD27CC3311310641BE7CB70F9B6FFAD9C7357A62B083 41405956EBA3993FA674E27EF91629BA13B6274AC0DBCB3DED211049 F3AB6E9ECE59D25447EDF778E58139A53A2504B0B6FB533EA8A7BE6E AF359931824C34FBF6CD37BEFAB71E08FC1258D1052799A61AAD78EE 35BBAA678CD9BE1BDCB9FD33F0858E184801E0E4E3E83D1B27306C2A B83BAF84AE69F658CA1BB27D9DA9B4E7AE629904F2E0EEFFE412BEF2 6835F0187EE5FB4304FDDDA0C1E8A21D8F75C37ACD5653D38C3E8627 9B87B44D22FB02B94308E0A1C9E92531EAE8AFCE9D514DD9969393B2 DCC52FE19F63D084162BA59FED448967C7E29006C0B1C9BD64D2E8C5 99F2F1A349B9F307C7EF9B220E63DE6AD31146D375BC074F12CC2E6E 6B611245C646D2CB2EF942D35CE8531DB705C55ABCFCB643E5D7B292 E8A332046064C08D05907016BFADE7333C0B5A9FEBD89691DCCB5096 8F464E8C965A4FEDCD5EC65C3D3625D31D7B414DAA07C4F5A38DAEEF C3F8FE066437B3DED8B7CBE2C15A5CD206B49FC82C34FDC18DAC0CCB D1057C7CF48827D588436BFD052E3067B6AC107B38DC267C25337072 6B0DB7ADEDE25F020C67AE7F16456C7A2AF72DC04A9D3FF9E4EBE252 3A1A788124391C6A7E3CAEC8C73EB68A7B5AFA01C3A2E38822B7BD1F 13C1B7EC236507596B10DA999748F66083C6870B14FA6B241805E16A B6516C52D0F411FAD563ED69B57A063D77936ED323372A1207F7524E 568F6CDBB71091010FB5383E998D3880177096C61EB1A23E16FA2BA9 D6DCC4C7D1765A3121301A7B2D68760BF90FA28C9962B8E35DAB7F54 FC5FA641E6C7C07805F811F6DF136E4842CF7D4AE0335C8C6930CBDE 32BBF68C4C05A75FC4548CC51FDBD977523EEA8D69A80D7120790E59 FFB6396A8A6DB4878B4E3E3FE2190159B50E2EF57028EC77360BE8FD 0325CE6AF2A0A664FBBE8EC64B90774A61E259F753B053ECD2E3F9CE 4F195CDEE748A7D56B7245A2CA7B7998FE7C9B36BDE4DCBB616A7796 8455F11F042D6D9E5912638F53534AF82568A6BE645B37A5D00A0EEF 9723908344B2796E5260BEAC9187D5003AAFC09A22FAEF40DD64C889 361D1869DFA590FD4A067E1B34C88130CCDDF3FEEE45C4152BE43609 1E3280D2DF5BF218E1A19C6258999B0EAB850674EC5EBAD5EEE1D93B 691E7CEFCD5194D5534BA2EF91D9556219F5A08A07903B3F165707A9 87C13C4C673B28044D1C76647643C0D9EE4EA5A9CA661E783C3CD109 5E407171F4F71E40C14BCFBA4FDD990A31B1109E242DF74A20A89567 3A59F17E205D889AF060CCF5850AD21AD777FE8E25DB82F189CDA7F4 383085A35E95E4A97249DA56D87B7F54757D785437207C5469784CE2 C5A4EAECF0CDB56AF6A8952CD3118436B794182B0ACBE17A89A5B6B0 CB7D0CB848CFFE629FA3A6A55FFB9E8822725F89CA7A868545EB6B56 88137188786D631D06ADA4BB04AD456680CB6BD0215E5BD9AA06CEF9 DECF71BD1F4837DE157A0E7AC0C46BD8C1D48FD75B48456B45EEEE62 9C74DEBF39FBB251C578AF9FAC00C2A966398037DF7C580EB3F8A00B 46C4FDD3B28DC259DE09199805E15F7C822677FCAD0891DDF9A292D4 18F92FEBB18D5EF999CAA77AF84A47A5F4A3EE4B1065E627FD6A0545 3E0FB914E33118D34CA9B1E25D0182561DB7A7C8F3B1C7DDA03CE434 2298629955C91095E6925E467C8567F4520FDBC986E64F62D7C154C6 D3BD0444141F0EC5A872D6D7190E1171C476C80B2E3B9FADE59C4152 01C284D73548C1F099F25A43FB4E14834C75D71AAD5038C8C2448ECE E85E535405374ACCEC5B2871276E064A73702DE4916D7B784906AF99 6757285CBB4AEECC25C9438787342DF987F16727069C72218C84E2C9 A1CE2C5F2BB46E340AEBB265EBEFACFC1A99450E3474F8D2CC14A561 7985CFC1C70ABA028E347BD7BE0C5403675310263AFD2AB8CC006FEB 487FD77FF73BF03B84E962D4E9E0C24F6EFB6B045423F129E0525C54 AA0663C34524008F3A2F06BA6DEA62CC763523241FA5FD9390047327 327FBE08F8F2D0E89E1083BB44973AD5C05AC887DA1F635111B00113 76BCCD217EEB2DC3BC569F735134502B9ED72086DFBBB91EE58A102F 8568BF10110D447C5C68771385BB14A56B7865B1626DAC4B8C60C17B F147A85759E4873FDC0256F6564E160C9225CAF60DC187EA2AE2D400 1C12015F714740421221C79C10E56CDA4B98D7B721D15E545E78F663 714EF95A021758AAFA31C53E6EA9AB928ACF55E3A0BF9B49D1F991E6 AC876DDEA607AC91B632EEF4840C34CE7777A8B73883B6864AB51D8C 9A800187E9B12FBE393EF861577E0BE5EA12403DDD202A7D2E080AC6 D24867636BC7106B01AF7829306CBC3A636F83DA0D5782F038D194E7 96A892B1B07519B4833E3FCC62188098BD7B3F9F797F1A716EFA8208 AB2A034CC2F247D957F17FCAD307A3E907C6284B9FF894D1A960CF63 5605D78FE922BB989FCBF105C93CC5914D4348475A55C8410B1DD68B 071983957FAE7B23C8566DE5DE0C79F50BCB172430640355935E8545 1507F0CED1BAF985BE8E87EFA7ADD72CEC928E089A4A6BA917991FA5 40F4B68B66BD12F298FF9F15998747077E83CEFAAED6E9ED08A334C8 0DBECEDAE9AD779163391F7AAD751BA7B502DE9A29F6390E1C05B829 D707263FD876D1A5D6B8052FE5661049143F6CCD6BA0868803C5D3F0 0B94D205FDBF1FB0E52B492EAA2DAC0C14F891D4CA89D16CAA89D7AA 3355BB4E94CD8379C0BE5E471CD95806E0B6D546B3816043D3B3808F AC478B385AFD3E3A74A50D38EFA321FA284C43510CA8C10C8A846305 ED11AB5A17C182054BBA8ADBFC2DF6F17C519A48E51006BAFAC393EA F639CA163B250EF7DF36ACD69FC99EE7B1954E9D489C445F0C7393CC ABBE4ED82CFE017354FF2F69C60C9C50DE37BD436B9E4D04FC49096B 00425741F9F9361F5A5C89D3864AC5D3C8334689E8E317BDADD81BE8 72F1A8EF614AE5745375E29EC1A0E2E28787AC2A2A1786AC320C66D5 791BD00CFAEF79198EE1B405F5EB918939C63FB459488827E2990995 9E573389AB21F4A02065A3BC0ECFA0032A298039DD0F21E1951358BA 8D655732FC940E1354B1C9735D79DD788180ED99CC2238297A780267 A5BF4DB254B72F03FFDD87B1E1876B956C118194B207BF273FC6D99C 8631D598FB39903CAE7E90B617ED8CD9FB3C27D73FE5376340FE7C01 218C2A15A5FA4D430F877E005D07C9BC69D162A7B0276F770DB00F06 2ADC72F329A82A5E6BB170499FDB50161EC4E8CEB8FB2A0320721DB0 D210A1F72CD1C6AD9FA8FFB5C85066808D7C88500B30EFF0E05409DE 770839F628EB52AAE627AA8E9A549EBB577C2BD90288769CA026B379 0FD2048AA97FC32B5D14D528EA90CEB4518E54ED54985CA47804BF17 337FECE08B14F4BE3456D74546386D894AA471EA164CAB9B3261D92E 5ED63C61C106545CA8247F0FCB2B01284305DFE546EDD070DBFEF2CF 4DB93E508D8802DB86557AE42FC48FDC914B4A0D9483B4880BAEFFC6 1C34A5D48322CFDFCAE7AC726DCF55724750D033517AD00CE13D19A0 39418DF8A23A05283336B598B84E7D131D9E51ECF00FACA8398DE34E B8422F18F149FEA650C07FF3E95D33C4774936C56906003D8CB1EF75 52A0B27723A77EACB1F1A6D0E5B9AD3327BE8E168FAEA2B438BE2062 BC182E74A6117E703E98D9AA2A0D771000A241B065D03A1E2630D557 879928A7B68B8A287FADEC4FCF8CCD091DC034657E08FFCABA224D72 0B2929EA5A8A84966E4C4A2CB322F8A9D5378914C9400178ED00B79C 4A53ADF4FC5EDFB66E6E61E1A3277A0D92914A16AF328585F360216C 6D3514D2EFA1A710F68B442FA035ED78F57BB3949A4D159DBBCBEE5C C734B4F1F17E04E70674F192F079D5270F1F19B53EF2CFED9DE81D6B 7D1AA9F8E3ED8800B45ED4A3A110DF60BF6D0C26891BE05378F214DE F3FB68C937977A8E91DFF2AF6C33D5264514A9401ED00D47D8B2173F 7FE12BE2433359E9C1E455B69405F84D397CE89ECF41598C34EC2D2C 15326FCA242F48EDB6741E8A9AEE351F449C05697B8005AEEA6679CD EEF281CA22A32CEA717A769AF48FF7E3A46A9796B86C5C5FFD71449D 42A46D890AB3696005C0132EFDC24D97E6C78AF550A3E0C475E8F4EC C69C9E8DA9BA494A0EADDF1ADAA5606287400772BB205EE5216E8125 02993DE510A88DB1B12884BB83020DC5372097E1E9C323AD2EE0D811 E4C6161E086F471D1CD0E5DAD9657145C620F78EDF98DC4EDABAF82A CDD472FB7251F17FC354C824882AC8529AEE91836A80B89EFD006D23 4F5CFA9E486317CA6433457937EC50B6C1EFDF55B0776D29B8C36F70 67ECEA41D62B7E57D7C2C12FEAFF83380CB96423AFA0BA51DA333FEE DF3969F7E6095893E99714D55409F266D85EDDA8A6677F319EED020F 20CE41A03337D42A1C1FCE7C26C951A6C8B128343375E3BF99969188 E0AAA485749DD92FE14CE8882B3B4CDA3C7E7FBC08702407F057C9C2 AE0EC540E553ADC118D9AFD51AEF7303C3A128D01E432D292FB1510A 29979E4028A7F02869397C73B571FA3F84A09A9CB70CC52C36CEC79D 3D5331113594F1C842E75C87C0A79A745AD2B26F7B673CB57790B0B0 734E399AA0A835F3FF711F45BFF3CF6B97CDB74A5A1B53F9CDC0547F 04C5076D20B178AB4D01465D9B96E23C28A269A4786FA7C33FFFCFCD AB07B8CD88E7AA3CB670D9301D535FB42ECF9B85B0D8A7431A2CB123 7F2899AF67E1CF09819E01E1CBB2EDAB0CD1AE2FC6E07E7B194EE18F 8821D144DCCC49D0550E6AFE464FDC7ED36903AB42A2BFDAEE5FAF95 B909742E3F30D567D09B928A61E23B30970E8AEF268FD27CC1A76BAE 51E95EBA7A04CC574DB34127F41F48AD0F60F3CB522DE070B533C0B0 060275E300D767B7F767C4AA3FA465DC24B84F2CFD8AD4A61038D225 CA4DC038201C8D094EA1B9443338A351D9BC43FA73059EB3C2C173A5 647046441DC3AD6F71FE1A37E90095B6D1799E5D749E1953417477B0 70A2465EFBED1A5267A9AA4EC2FD10B609039690FBCF9EA57E875803 1BCE78B8ADF94C539753E35DE5E8E300A527E7EC9C04E3B6E7E56F86 F32400B25895C90AD3E03CA49226548F6808A70081CD75D99BB561DA 5390F2D3418C4079311549F89E7E4E6539AC904756A7557DE633C817 9DF1B9B98C8AC5763C3854EE0743EF600BBB4F698FAC7982B5944E81 DE5B84903DE5D692E00A390291A4FD85E6080CEE16B5AC1DC70348F4 F037F7C3A87E003AF3ECBB184AD9E8F0802E66748E3CBAA73D286424 2278A7C12F5A741FA4A2BDD65302DDB14DC2F466FF960082E4281593 22115FDAE1F8022CBB1F58DF88CC724FCE517512F87BCF4DD7EB1BD5 DDA30BAAE2CDDFE95059F19680C51089F4EFFB3C6B8BC66CBB5B9157 4D352DB346C260BA58BBD6C1EA29EBE4D03335B3E7B34B2DA5AE1C69 CEBC4DB7822752AC827AF8934C9EFF227B72844626BB97ADCFE1DD7A 4407320C3D81C136759F5DF02FB50719B5D7078F15CBD37D25A2F9C3 88E98EA4D33CDA3977A886B97D607B2FF1D564E2B9D6A044B40FB5EB F0B46ED087287F9FA0A9D4382C98965004011815EFCC28ECD159D68A D96932A35FDEA0EFE3CEB317CC537A55E7464B066A6FDA767F872EA0 2C12FF8C89686236273BA562E4EC6FCF0E166190814DBC08DD30654A 84DB902FCBFBDA00C09BB4EF56A3A54139FB230618426675D6661866 EF870E26DAA0F275E5C680EA4B8AA5CC048D1F4C93CE3A28ED6D2B67 5336CB20A00FF06AD6CF40ED779B93E3BCB71227BFB374F58C96D69A 874008D82295316EBD6394DAFC393922DE1719DAE26A1A309CC42065 35C88A55DA7C4A0F7CFA29A9D0F21BB9DC4D8448FCB5D807D3700276 9FD786525FC5F365E2EC2DACEA3287F0D203B3DF87A3CB09562FCB8B 45BB6AC955FF94C4B72F3B18F0DF78648B5A339A0BCCBEB35D8E5BD9 CF58D1D77E957790F18E2BF6018E32080BCA6BD34EFEC9760518C9E6 5416DBD9EC0E7D9F242892FC45B66E862298FBAB0D1855B762D1C505 072D06FAB0FA99CC518D8830E6FA0AEF5977E116606874DFEF1756ED 555798DAAA3FE8078A19E892B94DB166BA6A99C63C79F1F62AF6A319 601CC304CA52A8883ECFC3647C069B832169D91BCE1145995B514CA7 3D70EDC34A3887E5217279251946241447B7AAC95DDE21FAF82AC2C0 44B0013E7577877A8ED5320F8E874058D96EAAC621566A0994D762EA 58C9A3A9029645273D27AF538215B3CF672FAB49838D87CAAB2A91C9 B80E8E80306F73143A00D6AF61037D196E593D585892835BF6B87ECE 1EF5D439780BEB20CB674F5B885CC368EBAFF8D4BA43BCA4962A09D6 DCB771BAEF7E3DF9
diff --git a/bin/tests/system/unknown/ns1/broken1.db b/bin/tests/system/unknown/ns1/broken1.db
new file mode 100644
index 0000000..cee3832
--- /dev/null
+++ b/bin/tests/system/unknown/ns1/broken1.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			SOA	mname1. . (
+				2000062101 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.1
+
+a			A	\# 5 0A000001
diff --git a/bin/tests/system/unknown/ns1/broken2.db b/bin/tests/system/unknown/ns1/broken2.db
new file mode 100644
index 0000000..b06ce83
--- /dev/null
+++ b/bin/tests/system/unknown/ns1/broken2.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			SOA	mname1. . (
+				2000062101 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.1
+
+a			A	\# 4 0A00000100
diff --git a/bin/tests/system/unknown/ns1/broken3.db b/bin/tests/system/unknown/ns1/broken3.db
new file mode 100644
index 0000000..24c0aed
--- /dev/null
+++ b/bin/tests/system/unknown/ns1/broken3.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			SOA	mname1. . (
+				2000062101 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.1
+
+a			A	\# 5 0A00000100
diff --git a/bin/tests/system/unknown/ns1/broken4.db b/bin/tests/system/unknown/ns1/broken4.db
new file mode 100644
index 0000000..448bc4b
--- /dev/null
+++ b/bin/tests/system/unknown/ns1/broken4.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			SOA	mname1. . (
+				2000062101 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.1
+
+soa			SOA	\# 32 026E73013300 04726F6F74C4 00000001 00000001 00000001 00000001 00000001
diff --git a/bin/tests/system/unknown/ns1/broken5.db b/bin/tests/system/unknown/ns1/broken5.db
new file mode 100644
index 0000000..b868a6c
--- /dev/null
+++ b/bin/tests/system/unknown/ns1/broken5.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			SOA	mname1. . (
+				2000062101 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.1
+
+any			TYPE255	\# 2 AB CD
diff --git a/bin/tests/system/unknown/ns1/class10.hints b/bin/tests/system/unknown/ns1/class10.hints
new file mode 100644
index 0000000..cf78245
--- /dev/null
+++ b/bin/tests/system/unknown/ns1/class10.hints
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+.	NS	ns.
diff --git a/bin/tests/system/unknown/ns1/example-class10.db b/bin/tests/system/unknown/ns1/example-class10.db
new file mode 100644
index 0000000..ba69aad
--- /dev/null
+++ b/bin/tests/system/unknown/ns1/example-class10.db
@@ -0,0 +1,31 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			SOA	mname1. . (
+				2000062101 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+
+a1			A	\# 4 0A000001
+a2		CLASS10	A	\# 4 0A000001
+
+txt1			TXT	\# 6 0568656C6C6F
+txt2			TXT	"hello"
+txt3		CLASS10	TXT	\# 6 0568656C6C6F
+txt4		CLASS10	TXT	"hello"
+
+unk1                    TYPE123 \# 1 00
+unk2            CLASS10 TYPE123 \# 1 00
diff --git a/bin/tests/system/unknown/ns1/example-in.db b/bin/tests/system/unknown/ns1/example-in.db
new file mode 100644
index 0000000..9b4b8ec
--- /dev/null
+++ b/bin/tests/system/unknown/ns1/example-in.db
@@ -0,0 +1,56 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			SOA	mname1. . (
+				2000062101 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.1
+
+a1			A	\# 4 0A000001
+a2			A	\# 4 0A 00 00 01
+a3		CLASS1	A	10.0.0.1
+a4		CLASS1	A	\# 4 0A000001
+a5			TYPE1	10.0.0.1
+a6			TYPE1	\# 4 0A000001
+a7		CLASS1	TYPE1	10.0.0.1
+a8		CLASS1	TYPE1	\# 4 0A000001
+a9		IN	TYPE1	10.0.0.1
+a10		IN	TYPE1	\# 4 0A000001
+a11		IN	TYPE1	\# 4 0a000001
+a12		IN	A	\# 4 0A000001
+
+null		IN	NULL	\# 1 00
+empty		IN	NULL	\# 0
+empty		IN	TYPE124	\# 0
+
+emptyplus	IN	TYPE125 \# 0
+emptyplus	IN	TYPE125 \# 1 11
+
+txt1		IN	TXT	"hello"
+txt2		CLASS1	TXT	"hello"
+txt3		IN	TYPE16	"hello"
+txt4		CLASS1	TYPE16	"hello"
+txt5			TXT	\# 6 0568656C6C6F
+txt6			TYPE16	\# 6 0568656C6C6F
+txt7		IN	TXT	\# 6 0568656C6C6F
+txt8		IN	TXT	"\#" 2 0145
+txt9		IN	TXT	\# text
+
+unk1			TYPE123	\# 1 00
+unk2		CLASS1	TYPE123	\# 1 00
+unk3		IN	TYPE123	\# 1 00
+$INCLUDE large.db
diff --git a/bin/tests/system/unknown/ns1/large.db b/bin/tests/system/unknown/ns1/large.db
new file mode 100644
index 0000000..ada9930
--- /dev/null
+++ b/bin/tests/system/unknown/ns1/large.db
@@ -0,0 +1,3011 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+large	IN TYPE45234	\# 48000 ( 45841674994e4f5e4ba43aada754d631
+			dfb7e12155e7f10c551032b3e56ed5ba
+			5136c15cda201e7e5e54fb60a99388b6
+			1a565c1cf74cd8aae1aee7fbeb54cebe
+			e065cf2b1b317f67277ae733183c668b
+			a81a7efec322d36fb5cc6293ad7f7ae3
+			544a7c64d404c4eeb1b889e9780a213b
+			d548a018be2e1b6a3b8840d714ddb8c0
+			a66beaa4c2a1471d216ad0eb8d2c8849
+			60d30fd3fad058c47eace42aab0f0d40
+			a690ca3baf9616b7373b889788e89175
+			7ae0eeaccd291d87d05daed8631d1ebf
+			9202f81659754ca11221e902a69c7bf0
+			039310edf5305ace5404ddd02163be0a
+			22334879a27bfa7702e13d06f1588726
+			1a12abfd0c01966fa67f97ed38c521db
+			cff8a2aa8daf53f1eaa7991b6767da0e
+			68b2ebb38beb8f1aadaa30c1185870da
+			d0091e7af0bbed453ce081ba5dc87ca5
+			a764592ed7312c6a26f7e358ef35182a
+			49763a61c9a0c5dbddcf199251381215
+			51eb3c3ced9f529f03a85429f42f7550
+			3efa6e1301aa7ad9b29c5aaaa1ef6ee5
+			bbe9e2639d65baf98a6b06243483a245
+			3969f65f9a0dad3d8630522079b8c107
+			9e28057d63696739b71f57ee85ab20a5
+			96865d77ef70412c7a4be7d9d5a4eb13
+			709f0ec1af6a4cf962364761ebd62efb
+			4f16ee843c1b214944eff2c81563c4ac
+			4c854c32972df761f17fdcac3e40e027
+			57fdf1fa57f77e1c86c3d488b02d4634
+			501801be4f929ffde0ed07112093d901
+			8d59cee1733bfdc8a968a831d42b95c0
+			87a578e3c6eefacfa1c9089072ab490d
+			631b2d00cb75cb33586917f103842856
+			ca2f5ccd449465b4a86a37f8147d6269
+			69f02dafacd4ba81b680e5dc288037ad
+			a3be902e2ef9c129710200ac93f5d3bf
+			1c1418b65d98bdf101d38d9b2c5f25a3
+			d09a4638dcc2c0d0cf411f3ed747e674
+			5ac7a8be03ea2ee990979cf3b8398c4b
+			fb058012de25fbf0e1081c4205afc54d
+			3bda63565bc0bc3f6af91f083abc26ac
+			7047e2759f28525498ae6461a1f66b90
+			0fde5d8cd6c842c587f28620444ad5bd
+			3b522f0294c14e2279b5c577f3f41c15
+			a723a20259805aa18360f6b954b75d98
+			beecd0c0a0ad151b0027cca891932adf
+			ca9b7eca33fd585031c188f8d851e3bb
+			c8552f340e1319553bfe776975baee6a
+			cf025b8c4849c0a430049734114b7534
+			5228d19846b39580f1c328068a4b36c4
+			3ef13380be7e54060acd9494ee99908f
+			57e779a4c20728135d509b52d5066cc7
+			bac77f1c4fcf81e9f0c7cf621593e90f
+			398c56b14fddc74f62a4854655cb27b1
+			dc94a83f9a4a52055ea74ea3129f88cb
+			8d01870bfd5157cb966cfa4121e018c2
+			dd72f363dfa5011d1072fd9350dde79b
+			ec213520cd68ccea356ee24b2c3e8487
+			1540c410353e9514188a46771b07b2b0
+			e261287d353a8d55a71077b4b509fb99
+			c80d7d07f6739cbc9ed82a5a40e624c0
+			860a42049585c0abc164b6e5e726da58
+			b6faf8384e0c8e9a03bae074415335ba
+			c4e72aad561cb77a8d7aad25c67f3d74
+			f38b62f43a2012fbe62c0def6be94809
+			8dbcbb0f06769663b8e6a7c0d88ac914
+			dbb8baa785f4509b2decad57f85516d2
+			aef23a24202b4123f4ce41e97653b5f3
+			8e7e092c8ebfdc36a46d204237ae7148
+			4f4249740c2eca7beace1699ccaac0da
+			a6ad8c1a0c5aeb59086c2179a235085d
+			0c68942c8fbd67ec7fcf627049df4790
+			757f40d7d027fbeae4a358edd5867c7f
+			5671046038e3086d76d3e22f868dbe60
+			c64eb123bbf15358fd7d5b6511cedecf
+			a701494b143f77f7463d8e3099b811e8
+			ab53092b3ef6e995a655086bcf61eb77
+			3900d425132a04530befc404f5bc27d9
+			8dd2367bb815580f8bb7cbef47936806
+			48959a44a6cd216196a4bd61d1cc4432
+			6869877e2be943c6c7bb95b854117b1a
+			0b00d33083afe54461024bd791b2724b
+			ed82edd289f9376c7e0502627e1e3672
+			345dc53f1f25afb60568ca28c84b9214
+			d32fb5d805cdd31324640519c3dd0b65
+			19fa93ab15d734fc0c5abbfa90c910c9
+			0c3f38b0688b584b6285427f760414c9
+			445b415fe433908035081f5ca081ab53
+			cc7c2701f65a18a5e64eba887bad3343
+			2735c1e62ad2b35f0a258892d919835d
+			fa523e2bac6ddebdc0c576401f21d937
+			711d774153a7ec42125d24d115240fad
+			b90fe0061d9ec041ef2905e4aa3e81c4
+			53572df0f72a43d070492261dcad2817
+			4f8b16979db03c2f96d9e53cbfef510a
+			1bb5d6cfbc4f92a9e94c0c018738e2a9
+			30922603083124284b076fc1f93afb20
+			878ccf756c8de07dc6d01c273ff26081
+			36a8dce64ba4287cc19e35b72b40a32b
+			435f3bfbe94a97f0972aebb4c54d95f4
+			993eb831307d22647a1eb7c525fd470f
+			b9ca13d3404ca5ecff99e87b73c5b88f
+			d4a905220db8d183c325e7d27a4d70f7
+			1469ed347ab68a9f7f1a5ea235bcd9f9
+			bbbef91a9df227109d715941f54ea464
+			c9f8a9d0724bd4c9772023b086bd521c
+			516449c780500cb33630ae28cf02c19c
+			0958faee545b953ca46217b7ad600679
+			acd85dcfeccf4012aa9d5a7e1a1b1a43
+			c7d9a91f8766ed3a5ef61a7a0840bee2
+			b8eeccd5932cb1438a7aa271ce6906bd
+			c3d9230ab8d0b095be53869b37455d0b
+			ac413f518e39767f23fc669aa0742b8b
+			5196fedd1284c27d05372f4653618962
+			468ae24a6c575daea152d036619adb96
+			5487d0631b6182a0ebdd5aac519abbc1
+			cbe766283788e8fce8ce91760edb4cda
+			c1636de694364fed377b9dd5512bb258
+			ff28533ca454ee161e69a58f7964a88a
+			fafe768340ed78896d02fcc6d0009072
+			8c86c3c21cf4b89eeb975e2a674b64da
+			5bc5d05f6d647252e7b3394031bc9b45
+			65c466e5d9b8d9c2dd96a9950ae0d879
+			bfd8c343709968f0d4a885d9c0a4ad22
+			b08fa3cb093dcd583afd49966cb842f3
+			e739fc665ae78550914896a2d8f66072
+			6e02b7847afaf327990a3478362c091f
+			2b0bf7dd8afd4f935141e63c7c4a680b
+			b02bf84ba0e2fbce5fcacf1cd51c7732
+			e97a358dbff58dc07ae2cfc5f66ef5a8
+			532f31bfcfa86886751ecfe4d3234c3e
+			c84eabcb9de56bd72847e894ac95103f
+			eb7de2c89780e7377ed61a1bd813f649
+			57419bd798632aa7b5a43d5e90463fe5
+			db8373a91487e71ab990c0b68c4f8630
+			5a3cb78216c98188d9c4ff715d7cc72b
+			d4b64253b4a894b2b9a3f7aa6c41a1ed
+			2a7cc3553c3716c6d3ca42e4746a1801
+			93ff49e0b8063412ef9df6217c97d30f
+			b7ecc5abacf22e08105b0b09807b3f3c
+			df66a695f46f5ace7fff41208859ca38
+			610f6a91368685c9ef8e68958acab3c7
+			f198a484acd6592cdd0f1507af662a61
+			e9fe8eb40efeebed64888802978952dd
+			21c9d903b2be0845c3611a138c2750b1
+			35d0d55fae5ae23a8274da034e28d2b7
+			760f82ab2f83ab1cd34d9c45f7fb6352
+			7845704a4e68cf578c8604f269f70db8
+			f4462980eeaaa40ac20076fdddfa2f2f
+			31ae7e031388ed6bcbf0da39fd210351
+			c956151c5a69b8db3ecba80b6da822a8
+			58e8d5abc24d3afbade4b8fac50cd36f
+			3926af3cc6917d2a54a83540bbc96eca
+			dbcdba189849b07b865538b3b4fe142d
+			2dfc0dec688da44b3c0b8c4605a00cc8
+			26bd5826a8e43f225e75d246de2c8963
+			94ac9169746689010f2e958029f874a0
+			84813663bf14a38111685457842be856
+			6c634fe7bd34a0846b82929dc357f06b
+			a186a3a6917521881a1b84473b9d6be8
+			c10dda27655bcef81ac6e717cca29e9e
+			0f6a02578b7a6f97cec7b600785c4ace
+			6eafe9f7f604f7540538f96501467456
+			bf132d1f52555de292c21e3aa5fc24cd
+			57e2a65e742e2fec311f3cbd19b9b4f8
+			e9c5a66191f4c19b8f641d9c7fa58338
+			f179b533dcbf6a88849e4bd01b094b5b
+			8b09bbf3095f683029dfa61a4c91a582
+			df0380aa4a0abc97a7ba9735bc7c2894
+			ae6883b42cdca772626c31088c1684f6
+			4dea810199c2d48a5467db001ba4e274
+			c0f7a5e762cc615a91fe537b356c7d76
+			d24d310ef4d6d1e19f1788fed740686e
+			9bce08e6b06b99a3bb71004775639924
+			20fc70bb75b783820df34c3f7595e7ef
+			c3e225ea5f2b33c05f515e1d3b4da67b
+			0dd461e1a82260b6d2b7a0a43265a800
+			3a5fd13f57cf05878211c6e1eb8c635a
+			2c8d1533f0260fad1df4fa41ce398e09
+			74a5ea54aebecf6e9ae57562baa826c9
+			831c56cab61565e2697e96f563d55b75
+			b48a4fb6f32c02ebc2bfec9fd519c396
+			fff42f1c4953dcd2ede87f62ea90cdb1
+			acbac2b187ef71047de4477514612593
+			fd7f849e4190a59bc147ea07b794e088
+			0ea37f5f27aa5fa78905f64956682538
+			90699e319f14d54996e36e1f6dded0c9
+			552605ad9d20f8f4e6dd26fdb7fc6814
+			15f15d47e4997995a671f85f56e54a14
+			6d1e16c7909b0efd42cafb92f12b9f4f
+			88157a68ccf8dcf3295ae65d26dd5323
+			3cd414f73881a5fed934c577b7c66f48
+			4965e1ea507f2fdb20141a9c6458f222
+			65e26ce6ac906b4bd43f178331328bea
+			55c61e737f2f130e51f0ed343a9e9709
+			036abe6338446b8ca7b9cd831f4c6390
+			8fcb6eb134626f89df0a134f9f7cd196
+			bc96a5ddd2b2cc5530220d4708d5d2fc
+			55eb64ecc1b668970e7df11faeb37826
+			30a3792089e2a0443631aec02cf8078c
+			8cacb3bbfff7304670b391690ae1a29b
+			445a46cf78b84d26e830b8d072c2f0a2
+			292cf29ae11f509855c1972d5f86a137
+			73fe91954b2eb5c8e75b9554c082fe65
+			ea01d0d6794d621b231db56dd59eeebe
+			4d71144b966c19b402dbaa25d051f9dc
+			ab7f063142d35123d9ca28a89a4cf3e7
+			71095f794f6a7d495870ac9f47d1e024
+			b5341c931590225b76931999c9d341d8
+			cdea4d0443d719e09ed227584243480b
+			618246a318addf475a70f3be57c3278e
+			23d48874e26824864abe829ca2318dde
+			c436d182040f014d4fbcb1fbdbf2ab82
+			b613b7ddb45dc7635796a6ab203f8d9a
+			6a04c08b40be8452b4058eb6199ff68c
+			a8a570f1a179ed662e4fbc1ddb8364cc
+			abdb7d25eb9bfa6844d4d379fff7161f
+			13d287af0b6b9ef3d2c164bc63d412f0
+			4cc3ddbeda6d973838b329108388ef70
+			0e42e232009782d380127200412e2767
+			1df2b17d5d7fa517ce12c66d6b84b113
+			65611cb11e0bf27b06f3b86c4b4572e6
+			3702dad0a3f9784656d16f7b731951fa
+			efd190b4f7e0322871a2733c30670c31
+			1db6f8c24e51c747525d04e551dfe1ec
+			6a20e796d0b7f4be73896895fd6bf922
+			b02bdc0c1412317ac0975d0cbc8c5a01
+			f17f842c9cdef7cdb02055425bb1ee0f
+			be46bab2fb6c3d3e3d86eb066edd23b5
+			7f18c3b9fec9c6c3d8d41b77dada06f0
+			8890490354f95e97fecee7f6bde50325
+			f659971d8940c6b299531ec9e07413cd
+			b92ea26db7ae21a151cd59bfe72b8a19
+			998384ee8985cc47544edc79f5f266f0
+			887664db09136792e75dfbc306db725e
+			5d1089de94e3305a3db61b799a22ebea
+			3a72c52a9eaa89a2983f47fd0c685445
+			d30c6023c855613f33e023e1a7312076
+			2816b70ca46fe2bf0c14b9706da2f993
+			fe00053ac68280337b92fe344695da64
+			cae061541164bcadaefaecee529aef20
+			f053010426633aad07a98d8d6453ad01
+			64951d85c5db7965f6b845c01ee4b13d
+			a933cb152151e8052bd6052b22ced3f3
+			ce96040a23b6661ae078930970cd342d
+			2464c0638c7988d06a5ddf9130fd4148
+			a8221febf8200323c42890e57ad3c60a
+			e443c72f60388f755bd0f8d8082bc7cc
+			7c26b280b6c186fee3e7161793be25c8
+			373d7714e1db51f9af53809cde5c1141
+			a183a84643b4d8cd3d1777e9f5c70f08
+			22c115f2c663d2c02315eb183caa4122
+			703e24792756ffa86077feb7e4fde230
+			4ccb5a8ae1b2bb506699ebff1067c50e
+			835f8cacb46e0fc93216764f999687f6
+			bc9f93516b777391d03cb2c74dcab8f5
+			a3cd2f0c2715548f8eb36b1b138d0d95
+			9513884ce3b6a4f7a835943687c92d9e
+			95c9bd30aeece528c9965c4c927f21f5
+			84f37b42075188d24e2ede898e55a6e3
+			3b7357792ba7fabef7cb09e1814d6f2d
+			d1d5c8d029d2421ee6fd905b393d9d47
+			ad6b9f2805ec387154e88251c2e066a9
+			eb378e00c7ee4e52872dcd718c67308c
+			6388bf175ec90ff818f49c4f80633dba
+			8351d0f162a5ffcd9642e553e6763dfb
+			97b52899ffbd4614568eb13a730b1adb
+			a54a41445e70bc6f1bc5723fd236b133
+			b966ee67d9604efcbc828eaee587598d
+			afc81f0c71efe2d5d07c41959df2636b
+			3b3054903534d678e436382ea38d8d24
+			041b7a254dddb783ffa19aa7c128d5a9
+			32bc8ac3e04df72305cee70433d4920c
+			35d22b21d2dcfa2a4640b7afa4134c15
+			30ca677d175de1be666b24408ca698aa
+			c57a5d9dd41b9737ce9cf73c3027ad2c
+			50d80ae4b3966b00459ef11505297e09
+			6b86933efa71830b010fbc41d7832de0
+			da01e9edddb1aea400f535cc4b601e80
+			f95e17e0fa104bcf16a3c4514a8f2f6a
+			fc59669b1f2de45895a6ce3800823f3a
+			fab29e44077f5b4689240d10e62c1282
+			b6f8e15f922e02cc2d9cbb40f2722fb6
+			efd6c8e921575df9a46d3fa7e014b0e9
+			1e1204f4081052d93a0871c35ce92b92
+			ff3c49f90fc42727d5c9405540dc8406
+			499fe053fd146423a888e1a3e0728c69
+			381e0a2221adc4d0bf9b51f7ddd4a8ea
+			74bfdf20054b935998de4cc852faf089
+			07f5c2a33686eff3572d55e6227a3cb9
+			c463d0cf6a2a617516ed7f5993f4530b
+			46d2791902e12daf36a73c6ca7b6d486
+			592c2e85b2fe942492240e3b6012a8d1
+			f28d37f1f2b43cd94d7b93aa56de82d4
+			135a84190272ccb9a6ab606d5a929f0b
+			c2b0d0485429f2b8066307e0404ff7eb
+			fd02eff231838d43bfe1d8ecb77372ab
+			ce6daa1a48b37c9d30d94c12e81388b1
+			0845b62bb311325929a21712930c5d61
+			d058f5f8abce4c198ddc482034407b7f
+			360ba1a65b2e3b3037c06c3cad7c706c
+			db45ab39c9317be281bdf524c2ffdb29
+			c6b3be40b91b62cb7735a463829c4cb8
+			bad28ceda3d8b955791e75b8405a6c03
+			9615dbd9dee3ba95f922bca586a39119
+			fec0f510fcc5c5ce70c9d6b09cb0a47f
+			314c09c3735c7e7c74784ef20953111f
+			3eb067547167a78827072356df64c101
+			f536a075a2aca016e13a9f8695e2e7c0
+			9e56be291a75958c3de58351e50124dc
+			b4846c97b58427c344b773b27f5d49f4
+			b781a13c87adaca9fae45bf53a8e9f6a
+			8485d476297dd31ad7c635dc4bf775d2
+			f869e79e3e92f0af0ab2f0c9c610e76b
+			8a83998eee7eab21d3b6f4280754f165
+			3d076df87fd2c41fb744f41d20f54063
+			1dfa55adad22879abe3498a425c035e6
+			24bd8032fc55f131319152da21a415ec
+			fdfbde3a847f86ee4221d7c84d76f56a
+			da0d8895f2545bb4b3f4176934a4c07e
+			22921b23934b7e08993102d33094042a
+			fa053c95ab0254a0f8dcd9305569c270
+			cec22e49db90462320cfd05642ee9fbc
+			a1a9f28d0ad119cdfe19b7a7902f039f
+			fc484795a0379fe0c83743b915863881
+			1be89cfaa14a10f3ed22249d5a57c4af
+			e42314f71445b7146cb4698bbd4d65c7
+			f399481e131990245eb34495e490d747
+			50cf9ca38ad44c767ad2b653ea501727
+			7d688cf40e036717e46b379d004b4f70
+			5dfb93cb10a821d8b3d02df61f3b3e71
+			25c3464bb30cbe4d41e8203a6ff27005
+			9e2c32dfb7b9084d23182c98334ed88f
+			7494d5f4415e9ffcb5c282f6ee8c43d2
+			5eb4bf38b855da2e956f215616e66a21
+			5bd62e834b150bdd0a9c16da61fe88fd
+			5ea186f9543bf71d3a7bed4ba24b4b91
+			dcd1736d71b926f642a8bda5c8918737
+			95e19865d13d41640293c6f04d6300ec
+			7594630e8f4b962ee4fd9a19a19f5ea9
+			d0bdf87306a580a6ccdc995ebac0d9a6
+			fefc145f3c1254679d61b2550db75b3e
+			05ec44bb7b7e1db2eddce79788ee430c
+			9f394401127a6925cd8686a6eb48df58
+			7b3d97c5a1a093d0a510ffcdfd99c243
+			a84da3b2ebdf1f9ac84b19d2385777aa
+			74f4d99069628e9b0300035816906b45
+			ff35c4e255c6cae2131cbaaddff7ee88
+			d8df8a70b4dfa16b4ee08b95725b3430
+			1c5760422b395cfc6ff2e8bcaca5d336
+			8b184c25bd1d1f9e3eef8acf67ecee3b
+			3a2848ad8f930a54474016512b5eed31
+			2a0a6e1e4130b430bfc602ca6cadca95
+			38a60ec4e797b0f7d72fca7f4e63d32c
+			7226b0e5dec95595b648df8682769deb
+			ceebc0451f562cbc4954753da83decd9
+			88c045b44558aa69b0daacd20507de0e
+			1d17fd0e81aa483364956c285d6d75de
+			2e85c7291d70f17ef44d85444b44f734
+			8d9f2bf3b8778d0e75ff2a45e815be9b
+			82c8fb97e26575fea32d8d458f7776e1
+			8406f60a2f0be74921272c095be2e3a1
+			108b2e1b598a1b1b9440197363ef48e1
+			23279157f233141c90e127aad98ce050
+			42318765c6fd3625f8d20d6bc269b78f
+			1489ec5dd8747abd96631f85fac2537a
+			f9e4ded1cf292262a59a9abeaa4644aa
+			e2ef5f1e78c332a2a7eca12ffab4db02
+			efe11c5e008d1831bc9f31ef392d9fab
+			a7c2311e362649fde64ea9dde3dbe955
+			6b8c534835681665e7440b624d7f43bf
+			aa01f4a911654aaa28728aebb7eb433c
+			753e2cf25b7b42291454e3e0010ff9d6
+			2bdd0e2b211cb53963a4c477af23c452
+			862200bff51f233e036526f51f6aef66
+			e923f58ae7611badbf47c4e13eb509a7
+			bed7371ba0e1c86adb8c120006dbcb34
+			5f8f2b47cb48d0b905cdf3e323e5b63f
+			48e3d8d9d4143744ef2598ebc3343a3c
+			b86afe9de6d14611797e1cdee2e75325
+			9002796bb75378705105e4cea49f77f3
+			fc4beb16aa8524fbb12b9e5d65e40578
+			07e689ae0cf73afb5c391adaf34c37bf
+			cd230195cb4fd80fe5a9594643399266
+			36670ee65b1fa05ec1b11cd59439e0b1
+			c0f903519cb63012b04f2eeb8fd0628b
+			30cd19aaa5afb965565cddea0df6828e
+			4729fb154f20d15a071922ae6036a423
+			150302ae477c6234b53a5189bc0b0314
+			09cebe716e6b63f5ac51618c00422fdb
+			410c322aff0d16ad43e1744cb84e2e8c
+			73b997b0c6eec3276b83a9a7cd61a2c2
+			5f07684aa602251b5ce4a5b1d04580e3
+			8ee3f84b579185082a24de6e0f341891
+			a1dd9dec8d13fbc99bd27393762504ac
+			7ff22f4cacdfc24f60e86afa9f5eeea3
+			260fa150a6e9e5582f9a38e8c5fd1bba
+			e91149e86ee9c923ca3bbd9c9197aa77
+			7edc9881e48bdc7797d78ea7ab0f2653
+			d01a5b6575ea262d6b9f8446f12c8829
+			aff4d0ab393386c34a4b7c76b561279b
+			1853541f108c5bcfcbfa409b11ba8f07
+			3e5609a175bb5d721239de7c62c0f7d2
+			623f3aa685dbe9a68d46fc1c44c97e91
+			77034de301246e605000f780c37a8c3c
+			5d2dee05ab24a14ae99ef9703e46c184
+			6bf4e0943d69cc6e26dbf2e6d8520199
+			bc8722bba0a04d7e0be38e5426e6321e
+			87196b60827c152df6c3fee15390807e
+			29dfdf95c167ebe1c798ad241e0cf628
+			c124390ec99a12d2787534e8a7f465d6
+			0ed174dde1a549a6048f967e02bbd385
+			07433f1767c62aea91bade805fbf81dc
+			1016429b1781f5709830765152140780
+			ea7afcaebc050105577002752ebc5fad
+			f6a480c39a400f2a4b4e4d3177ac56f9
+			77a834b61ec159e3e418b13c593bda9d
+			1d8adf700a6e56666dcee95f0d78eef5
+			e7b376f3cc271fd509d6caf1aad7f8f3
+			9692fc9f089a0b602da1f6738f3dfe72
+			4ab46043196ff29a05438cfd3e8ccc75
+			8b3cbca2359691e96b8bda93456d8478
+			fbaf17fbee09f8b92f73deb36686cd00
+			f1c56d2c0e8a622761467008e5561ced
+			20783c8cfe58c0bd2f0d2d37d95758b8
+			f384d1cb53c0c78743f6f592cc12222e
+			40cc3439ff88bc4fce1f3f8644903477
+			17db9cd92188282d71efd9af49a24af4
+			8613ccd21e37fe703dc9eddf154fb4f6
+			e5a9aa1a7cf9efad397db7d37fe5b5ee
+			e0ed05d52a2b8a9be809b08bf9e37ba2
+			4c112ca7ffb04eb8a5ebf84c8fcbb11b
+			3ccf5a74b315678843fedaff528b2819
+			ed53df3956bdcfdd430f4f17fae4f5da
+			66381f01bdb4173835c20fb5a53a56cf
+			a9c2e7f9dff8afb151b99c87e4e66479
+			4463076f0ed01e753dc83f59e20d43f6
+			87794b73c87943a83044d7a6dda34f5e
+			59fdfd08f8da7f50f849ee986473b3e4
+			bba7fb04e059ff72c0182d2d79b51308
+			22e270317f17fbe2275f50a2f267c0af
+			86262c93c08c70f40789fba2f163680a
+			ae1c441a5b473da610d97cb77978fd26
+			0c02533d59a25b941d0eb332bb831128
+			ee68c4c8d132e35b19ea4cb70028611f
+			9c94252323537e24da9548e2ca8c753d
+			5325e9412ee2145dacc6e39d75d481fc
+			06e21257fad4eed7b6945d89c4512bda
+			4ca60cc509551dcd36d9e8b43d3100ae
+			e532848a82ca9a30d280cb08445ac370
+			3aecf12f2f5d386a3b530f7bec78bda5
+			b8660c1231e798170e7fc85e3731d952
+			02588d386f7a95ac980318dd66204b10
+			ccac46e3018485f06b99d315d9d00767
+			ccf6be2dcf76ba07a36ad7fe8d4bebcf
+			fbf0e3f0f1e4019911d55e256d97899d
+			2e2ae17047d0ae8b33b87466ddae25d5
+			09c118d843ac99de2dcbb4bf65b5cb47
+			3dc64e7703618d19518420a5508f2905
+			d9c3e460f7a564deb07735cb97b8ca7d
+			25ee81da547b24b328ad02477c436050
+			cee4aa368ebbb8f6af1e18df725ba14f
+			75f0ed274bbdfd33cb70284902352bcc
+			20fd778f261ab0b8e95773cbd0c885da
+			b1b5b04c5b030b52740fb17898425751
+			9ece427d3e3b5ce6ec9d2bf2e3ba311b
+			cf81f2f68ff2c60f18a7d2328c9bdad1
+			6ba1804267dec7594a0a202cdbe6b75a
+			3d01b851322ab4b271df76336da7558e
+			1b86e50b488d72c65bdec1c8c91befeb
+			b18a7e792645298e0492842bde70f404
+			d70321191a05e7e18e88de01a4faf665
+			33dc61f17b3e5c09bed484ccb11e4e99
+			86247d417b7957acca5d52d8a54667b5
+			2d5fb7f86a498533b5daba6de302e3ef
+			fa384bb1a7dc3d655db991ad96675c0e
+			211a43ab076494ac22328b7ac6af9f68
+			b5d1b61e411e832e20963a59ac3381f0
+			f7b0220e9d0b7644c13b4f342f3d913c
+			0cd40c166c8f205552ba0d40aa3ce753
+			6a73f0e37c56f6cf6ec05ad23f4514a0
+			42456da61a93c4feee283dee4d064592
+			19fd5b9cc646564599a8374d118cf501
+			26ee5750334eb053ed02f165d2088e93
+			1c448d01b019e99bc6278d28ad51707a
+			f1fdced96868db164023b620360980f4
+			1b799dfe5128743d9e846a93cc7e90aa
+			b95fe6cc11c19a7dd63479a64de91792
+			93bf80146b3843e4bf4cdd5862dfddc1
+			c08a7606d2f9581697154cb62776fab5
+			635162ef47e8243d82c42167e3a2d36c
+			e13dc37dce1d6013b8a909df50110a50
+			3bc53784ec0790a24cee85349d94c8dc
+			a95b5471271a1bddf96c9cea5ddff0e4
+			97f3d0e13b4eabea8663ed398ce1b093
+			f734e6739b9b2a580bb207b29b8cef0d
+			feec03338f6ded40fc15302d52cb3f9f
+			0f0655461ff2ca6b478f11fbf5b818b5
+			d7793e6d4395855f14f8a9f1614ebe7c
+			01653f784a5afc96de462284f3d69537
+			85bdd41d3dbdc1ea583b12a61ab17ac8
+			827313b01248778f76f2b8b8fc6cf3b8
+			8beb8d177531348a0ac0543beedd87db
+			164b6e8d791aa04b2133306a93535726
+			967986ee6701ef923c6c31b38076ac56
+			8eb86aca9c9612dee1b106e882bb11a4
+			6e7021ef694a16da53cffbd5d4d2fa9f
+			010c65351bacf8b0def5a64ee32004fa
+			e90f4e9f37809344e1bc7e695403b844
+			7c15b5366d1d267b7a21651e0dccca74
+			5cf75570ab1d8a57b2bb6851fdd41904
+			be0200cba44536e370e923f76bfda606
+			01e2e841ff09a689bb648c39a2cec056
+			b221f33ef0c21178febf4e59ae1a1019
+			918ab6b0a2b491b94794f8ff121d6fcf
+			ee902526f5386360ca48ef37fac49161
+			8e7416ad1cea19358bf23a0808d17f4c
+			8526e524b02f76ec858d7f58c081d849
+			15cf7f289e3a5aea019a4536122a50b2
+			1af468fa23e709bba3752d3592819f17
+			4a77bd95330f1734a60303f8c04b17c9
+			7e5451e3b500f9706d53643a6877fa70
+			4172a2b04c0ef3cd5e8276184afb11ef
+			47892c1ffdfd796d183da535a983a763
+			34e611d01ef57633c7c8ab9a7e6194c5
+			e5190d47053ce62de7872fe24a536e10
+			c7d9f4700f1793edc71eac3a4e885d7d
+			34943b3e158b69378c2ae1db1022d1f7
+			6167cdd66ceaa97e1000975ddaa3d829
+			3aa9cc2122c9ce145974eb4c39b68273
+			06ab4631d12534497b8c10dbc0c3b758
+			00a4f7e31f096ff1e3c3e6ec6007b8bd
+			82271e412e4894320025a7f2c37c555e
+			eed34b433132b93d780fb5cc7aad1172
+			8e53017565bacd1fd26d078a1454a50b
+			ff4d55d2bcbfb9fc3aaa810bd848fc0c
+			29cda6a112162686ce96517aa43c0b99
+			4a2e95fb603efeedb25ebaffa5776437
+			4e51d1caa9b792ab922a55a0889b4875
+			1f5e2baf8644cfbd3c78aae5c705cb8b
+			8ecd507d79b14955807565988f8db697
+			dbdd28aebc2baaf4b1ff54154f44aaf2
+			f478548ae693230b82712790f3bcb0dc
+			0913d4efa562582c55d97b4000819777
+			23487b46b56860fc090ae27a01b5506a
+			d351c283ae7908714528fdb7d23653b7
+			10dc093567892214f2c9fcb716a3de1d
+			b734b495784079043f86984c7bf28df2
+			a21dd7cf926e8812611888674de191cd
+			2ecee86f2cda1a5ea144f0bb7b76202d
+			21566507eb386b0de37ced06898e93b3
+			a69d7f5e8acbd89f9e106b5519be4db8
+			63e4e332cad22b5b9465f9a83ad5cdaf
+			9ed1921338601dc36efd67a481c145a6
+			4e417d122b2577d5a4821b0e95c5e227
+			04fb390b2de004b880e885898321bd56
+			96353a9e221c9ab694797054acc98787
+			678188007ed2f52c649809234f5c8968
+			08703c5320dadb6d09b7ed83d955a313
+			9bdb3de6cf343d77bcb0c99397ec2666
+			0aadc1b01bc00d005a5ab832259d00f6
+			a28b5e62da422d37868237c75604e483
+			bd5d977a87ed6095fc4604e498938b12
+			3c9efe9e93f8a2b19f0780db7f75454b
+			cdd36285cc994b516191645b81f99041
+			2a950fc7e6fae28efed0dad9fb749ec7
+			b82bf450283a76d627f911db39ea0b5a
+			ab29256e23556a41629d5c39f721b132
+			32a60b52581ab4e6584141792c7caf43
+			2e1da87da74fe9f4bbbaac01b83d2ee2
+			bd29d6fede81a2c2e894b993402c8dbf
+			aa35228fa5f37c8b462dda4001009e00
+			d06b10b2694d9099496c9d2f51146eeb
+			2158a14068afb818c1e28629337d3dc5
+			0dafbdad00ff4c8ae6d3391911c25562
+			8b7b94e2be41ec7154e25208687e305e
+			94a102bc83cf8156c3e460f21cc6877d
+			ec8b7a868c374ae5db60a90208605594
+			8b52aa6167ce257f5590bb7f1b38bd43
+			4f3b28278a4da0dbc249e22987b7c86e
+			491b222cc60431571b9d6129322abe7f
+			0bbdc63e48faa0c6f595ce02d9379986
+			1ffa16ee7c4e7e6d70db222cc7122ed2
+			a567e596e20731d5df7342cc8a69184c
+			0b7db62a9d95d2eb893a3b262d036944
+			92452340d18b8fa36d2eb728a13b13a7
+			cf48d3c7e13040bd20d006ec57e779df
+			f9ac004db4a4408ee86405496ce28817
+			7422b222c186a3845c0c1e218d2ccb57
+			0fe29478da4cd071e7adf135eb1762f5
+			c66ae15dca6efbf93385236b82c84454
+			ecf904a121119add36c5fb70549f2bce
+			09633094c61368f5de53b22fb772c38e
+			ef77a74fbbe1246cad6e4ef324517299
+			1c45d7deaab0c0e1c0a33ca2297eb507
+			a3c6833afbc7b0a6af1e101f19fabe27
+			4c2271c5fa9a4674094418d5897d570f
+			95b2483979e904aca9eb76d80263cd63
+			9c93e6abd84d0340cc3553735f0c068d
+			653a274686a33264e85ce37336a8dd88
+			da61be72aff9775e44d043b75d11bc8c
+			7d7ba9c4934548446156bf927e8e070a
+			f4085fe8a832e6bdb8c1a0361ecd792d
+			8059b4f2fd3eb9c9c1342b444f219f44
+			068e3d2649536efdd72eab8b2ba7a3ee
+			20d0e95167dd263f2e4d3134a0a9d7ed
+			987dcf6aa3c3ae8f295acc75c2f3200f
+			5ed5ecb87e34d3be0a052bed44089128
+			ad60d4f00b637d5c1ca9db2367067f3f
+			fe616ce6e9209bdaaeb3eb8f57c63efc
+			63186be7e4e097c4354e3c8e94b91b61
+			166b3bc3d3978e720818be12b4944b00
+			f4a3798673e644953256dc41fa44bc08
+			24859493d54b3df7dd9218bf5a0d5be9
+			50093ed39f63832a82484b4eccb02e1b
+			eadff1390a8d78037b565cb75f1373c9
+			b03aad7805a9e3d79cf2877127ba9e1f
+			f84d66f76d4926cffb1791910f52393d
+			d1ca3b2de172014c08dbaf02f16bfee6
+			f2a1f67cd69bfe6ef9aec8df4d725efb
+			693caa2a7b744d749f545f8bfbcf3757
+			bc39047499829b319748d2949a72938f
+			f0071ae3336334a981be8dacacedf5b3
+			c4ac2563cc8991f7e5db47e433646369
+			f9d6e7318226e2eef40c0d392f202ac5
+			2ee1b23c058206ff826cdd85bff1d8ca
+			6320512147c3e41bde7ab06d38a55648
+			590f5ae5389ecc643172130e458826be
+			d9e11fcf376c019b7b9b662dd7a84f2c
+			c8b06ad6aac5353eba572c4f53d29381
+			cfe8b8815d8889d9da82118feb52dd4a
+			369848396418f955c71ed2f568cb98d2
+			4c4c2eed1c47993ce6e03d2ddc4f6ab0
+			7f05e37a01014cad1ab3e225eae6da4a
+			8cf665e60b0d45872daf193a5ff85177
+			7426541ae4e0a6756df40e89a34977dd
+			b976c577366e38b922308e926da7eff9
+			3fb32cb6483f347f2cf97da028a7973e
+			29a324be87a2d0a87f2133c9e49a7fa9
+			543b2a8d0b1214e0560cc5d25da0b843
+			172d31d08d21d17af073008b555e3db7
+			753b9ed413446733756ce47548109b5f
+			5ab39a586a9ddd008084ccecee5e7a34
+			7489336ab3b5816e8993e2288f8c2567
+			f7d4288d7228cce48c091965b45fee76
+			6217cc45b7d61beff7941098196507f1
+			ee8aa526a42873070111de21053a2266
+			4b79066e6318a8ad2b28a5790641130c
+			f641bac1e25496e33f3665cd317bdbfa
+			06794e97bcfa6c7f802dfe399a2c442d
+			58edcd7f9db7e51e68e742910a0039b3
+			08b1daa24b0091920c2f96af5f1b893b
+			145e833d05e5138756d2b00262cb7da3
+			f29a345cc11adb647d3a5bf300a14139
+			d8d736eeda87e390fb6107275f4f759d
+			b864b61f2690a7c4ce05f8ccac507f64
+			a494f1c2d13f5d22af2a93b1ece5bca3
+			de764919f6d3d6dfcefda9f4ab99821b
+			5d1f2aa26efe5f4ebd1e6448fd1e1809
+			f68e48a44b12c5a91718a297da0745a3
+			9f4c4b188c81a1112217c8f401d2c1a7
+			91942ff2170b658a762a3e6ae768a209
+			e38d2e150968460789ce3998708884e0
+			15a09d95b9cea3d02e2d79d79af00b90
+			d5c261e4f558246f68cff10a8d844950
+			40ff507cb9e5b9fa3e2e730371b667de
+			3311f441ab53a6ae38a7fdc6d123f236
+			320eadf7d9855204098a26602163a374
+			7e8f23cdd3c140f4ae01deb412e59f7f
+			60157f5ab58bbd3147206b96d449f0dd
+			d14c0d5f135e8da55b451fb330b42b5c
+			b2b4259e0ec123c3111843f5ade3873a
+			89a2286d5b59b3897b49595962869f5d
+			e3a5057cf15775f0558de9c1e0398102
+			39b9e2ca65fa6b435c1c6a972c12c74c
+			5e467b2e1fa78c5a7a45ea1687e7f4c5
+			b8b6b2337b11e1b7da0e3b03de83fa0c
+			110f25624d75fb6154a1325228c82d54
+			f001792b0eff004d698f37fb14b82406
+			3df051969e409447d4990afec6de3ad7
+			7e582c84ddd8f44f6dba17c79b4ceab1
+			1b7189db90b2dd571be84557e52053bb
+			7bf5482fe3dc1348d7f9581687195d8d
+			0f9c834db3c1f9bbbd53132e7bb48acc
+			27b2982e1dde1c5b82d5705d0cccd02f
+			8e17c2cb0b27fdd6346fbe90b3d1db5d
+			8dbfc48cc3bd59cc8593b30a1fd2a23e
+			0d27ab3f654471fa980d2e923749ea3a
+			10447d920b8a9ca77c4376dd00ce035e
+			486590fff276e3073ccfd0d45c548c74
+			6bb986cd091e82f4e649ac614c52e87f
+			d8a8b8f86948e5daa2dd56e3e45c7abf
+			c4b69a38ecd60596c21e8ea1861faf0d
+			a12e7d99da1f84f379cc686f0e3b32b9
+			801f4562cfb0cbcca656fcd6954aa720
+			cf1995b58314f974ba9984ca98266662
+			9431028ce709edcda13de3e7929e4587
+			d0acb7a4b55d99dee00cb98decf73f6a
+			1f1fc1992bbb0c3115b02b0033926b89
+			a83fe3189f51390d0d5434efe43096f6
+			c287a0a06051f918bb48b5161f8c7628
+			6896f4577d76b38561fc750972978cf1
+			d5ee1d6433a97d9e709be8fa658df0e5
+			8e7baec34fbfcbf93dc6b7a1d1cba86f
+			77f169f9a9b60eceb2ee503694b57d8a
+			35d491424190a6cf7660f6a4d9607ea7
+			0b4f0ee1583b5ef898dcdc826f0e9baf
+			b5ba8f5968de14d0c961fe4a47c327bb
+			14c573dd9051cc01688d541ee78cae8c
+			3396cf35d8e7536a3027f4dbff12e078
+			b98fa11fd2545005d0288b5c57a854a3
+			f8fe4d08dfac51ef84d165b9eecf7108
+			c69da8b9b0ddc294f651bcc08f28fce6
+			8982394e92fd6e3ecfd242e8d26cd69f
+			898a21a6f476eec6196074a4a401e57c
+			1e123373d2c6038778101fcbf6dd6024
+			314eac1a3ac562f5b756bb124925426e
+			1152bfdc6bdb18359fe3620ba2438034
+			e4246572127b287f16059fa0c0f7d378
+			bf07ac9956138bedb33d261f39336823
+			2ea60caf6261fd3b4f4bf8b642540320
+			ac98d3114aa11d1094b70778f0f889e0
+			9421009b0eea4d36b7fe90a23cf6c5ab
+			c4078311f3c9bf3a3a38bf093a4b5e91
+			3b96922b54ab0cb8658f73afbcd2cd43
+			68ce25742460e70f59d1ad49100561f5
+			32dd0b2dd8f88b4fbbae7f3af495a0af
+			c0b1ff9119f8ba3f982756c2b13e970b
+			a7a22da1a80e05b5d5f836de4319d554
+			1c9dd84a50fc0049207f35d3d470dc0d
+			5fd84f2fe286de12839399ceef4fd992
+			2734d5cac4a5464a61fc21e9b1c5d48f
+			7247e209dbefa6ef4ed9743cfc8fe4d0
+			46f949b82b2ae4cda5640d8d7c4d1073
+			5ca83af3b6e592e4189ca6a139cf59d8
+			4e29044993d030824d59396514fcce07
+			1980086fdd311a070154c042d55f63aa
+			2b53b045458e619fdc692ff7df5b1502
+			40beb5d9a94859d0429ddc7e63e7e773
+			34783de6f7cd2ae69dffef85ab5ff5c5
+			debd0073734a6045bc13a339596c19fa
+			eefe2f2df20a44a7aeaa7e995a2e5666
+			d23d06d06dc7c4d2315c889f6e5b0a3b
+			8f9edd732063fa685fba9566bd7893bc
+			75ff75db360da205aa1a474a5419f63e
+			2983ae201affa9362910ba1792b57388
+			7a83497bb06c166d6a70775e07b21494
+			9003f9a017414bb67119294b3960ae2e
+			1b8218112669f43907fcb364a0ff799b
+			c6c3f51431cc52bd96ebbd2e2762617a
+			ec18a39cb47cdd492625ed46ce56f7ee
+			a2238afe29c27b269c77975733c1d037
+			ba89b601c02c6f47a62921f0921fb98c
+			0b0d785297e67431132c3da0b6dff585
+			2f00e7e5563b90cf7f1ec86e193ce64f
+			1634e9dcff5da7e677d9f5183554b210
+			ba9ffe473ae1157f05f0d830695ff56d
+			646eeeebcec0a946488797e934dda791
+			d6eca75770633cd6f70cfde8a65dcc06
+			7812447794e2f641989edebada881158
+			2e935c61b7c1f2c6e6d37ca561d64423
+			f6582b0dc20cd0a77401566afac743b6
+			ac237da980ed723b96ecd77857523a5f
+			ab5b078e9b9c5ab801e924f2a7f55e3a
+			0eb3fcf54348e33ebfdc9d1b5ab96630
+			c5f64aec15a0f8033cd87e398a5b4088
+			e10bd024ea739495330980853245cf5f
+			6ccdfc90f154972857b03a7baa03eb4c
+			513f267a00565e3a7e61734511b3f38c
+			d4858349b61c6f24b34f73323f02c57a
+			b456df142728d6a0fb7378e6b1bee9e0
+			f79e9ae3a4b9baebc7ff3bcc5bdd6c0b
+			59a6971a3eebb3271dd2053b2ceed6a4
+			c6ac3ffbd20390064d48126bd7459aa3
+			1f5c576b82b93ef6c7a7484f556d2415
+			8b6f061ee683c71ce1f7f0d39f3ead7b
+			d230be59a8f5aa38c1b6bdb2a6341d02
+			444da8e010b2cd52f857fc7f1824f70a
+			10ce6687410f6b33e5a30bb2344d32a5
+			644b694054e27acf2fa6416e80694e35
+			5b829b0c2ee2b2ca9ec24908d2d3f1c1
+			c199844178767de8cef61482ff6d6077
+			5d9df3648d3bd784d4378af83e0d1074
+			6b64d2b5445eb38f80fa2103a246f5f9
+			53a90c9779eedc77e036420daa0bc94a
+			8542ead9b39969450299c95a873732aa
+			0a52ffaa8e726e11e7120e2805b40698
+			a6b06a0a05312fccca61ca85dd506c10
+			9e19be7b57ae8cb67033fe2c2d13afa1
+			1759c8baf5fff5f8fba7d58089e9bc5c
+			3c2bc37e4d9c4a47d41cc11fdf2ecb99
+			652c81dcc099a1e977e7c71f3b0099a4
+			4d4bd5e6a479c3f7d7db6dabcab08869
+			80a74675592a1eb8bfb6dbc33ce0b7ec
+			358cfdc77c00dfc14744e069b29ac7b9
+			1eab4b1a07a281a9cb1ab90d98322797
+			fb64b1516a257627ab1c87d09e7f56ed
+			5e216a879999ef857aa1c1b4577d9811
+			47832186a7ccecc9e0c1686741304b78
+			64f6f69135b0212cc44cf061ea743ad7
+			f1ddb6124c095a7984d0ce10f6436600
+			8d27a2eb9a480df823094be00d83f2e3
+			8b043d003b79f576fe8b84a0ea144bae
+			9bacf73a9cf5e591b53517cf9afffdb1
+			00ccdeb7a0823fbab165fbebd986a960
+			5bd82699e2e7022f96980944ccfc4af8
+			8d55d75794f96b2b8d6d036cc0690bf5
+			1d8d8d78f6c1bc2a520515a6f4bafbfd
+			9acd3cba166804a7b80253f24503d9ba
+			e6a774c5be16e7db0f84ded4a2347fd4
+			3a94f747a85c1fc487b9c8fea43c39b5
+			8049fd2e54f1e046321e694755cbec4b
+			1f987c5470e47068c8ec5a81e08d495f
+			8ffc8a8954cc1f236bffc730e92d359e
+			987b68fbdff3eecb88473befa193f8fa
+			3f975ed623be3600c39713f6cf3cc7d5
+			5cf38a6dd333ce76d15e4898a874fbb0
+			50dd0358fcc315d3847bc136280a9172
+			0c259deaf74293ba8269011133302ef6
+			a5ae3d640b00cead988e71805d5714e6
+			903681afe422572a93490b20b9abbf2a
+			581f82a9e8f13d5d89bf2b3a4eb4e05f
+			72a66ad879b590a38c2121602270555e
+			e32e0845f1dd6db4af24de314971a6bb
+			12b50f371d833dff51193f5536206903
+			f77cd091a76b551a2f0cfa8adb9922fd
+			782fdafa235da37df81eee601cf96a98
+			fd60aed68f57421cb5b4c5ac0e628d00
+			ab047874ab021e8b3577dc05d5f10f00
+			0019018f3d1673751a1aa220756e5ff5
+			202e192eb560e331e41471a47a42c5b7
+			4be579b849c59ca91bf3e0a2f1efa936
+			2aa08e8d3008895892896643434329df
+			cfde3ec2d1430efdba50316b59e38779
+			c7bbfbbe07cb5a04a540c646f5101cec
+			51219b1e07a09872b2463a29f5240722
+			07cacd407e14901beb9fbaecddea72cf
+			683d04ca4e7eee27f1f3258c108e6270
+			d3df012065259540bcb9b4a030a0bc58
+			74037afef6ca161eb235749d7759521b
+			4ce2e8b1f154bdfd74688b61762ee06c
+			7456d132af20b3f3cec654d43fa9e953
+			46d977c733fae94edbc22c9b62d64272
+			3dcddf022ad58a8beb77126c1af8df6c
+			7dead320a8ebe2ffd3ae76f6ad07b046
+			44447855e301a094750dc73788b6c51e
+			2d46801ed40558e66aed0bfa732a381b
+			f019f1255ef7c5e2c247c68596d06e76
+			0145433a64d9a3eee2f541cdcb064706
+			1b17f061401d49d54438d6c53381a504
+			35dd00385deae225e6d2365efee8164b
+			729bd567b3435605c2752469c1824b2c
+			4995c7078086746a1b5ccad4cf9862ea
+			315049fb561c236f360070c6c89fb15d
+			e38bc5b012c8ccb250bc28f28ff9e2b7
+			e2bb02761f8c8fb7f3e170ae06593493
+			aabd931e6e673128685ec38ace2c7a61
+			968581f6b09eef0ab22f054cbc41186b
+			8ee853465ee31eb7baf8d725ce1ad62e
+			bf64c3fb4fa361dd4dd0a1db75de295c
+			195968b1d4dd700be5724721b60013b5
+			cb4664094c6137d7dead7aed2f6b3949
+			864a80f4e443f8e8f6df2dd3dcd98d87
+			474efc2aec2e9adeb2d7e1cee0870a04
+			d4494f084b844432533475b3522b3709
+			b51a9494be94285c2a60a7afbd570fad
+			313beb1971fb009c2e32f5d89ad2019f
+			369aee7c63cc50ddf1604c3f604490d7
+			92ab81776570d1915801a1c4557b3d56
+			04fe60fec7b2d74b907fc55385b0d92f
+			736f02857f0cd36262b4cfc1ec3cf1cc
+			696c3bd18d7d6fb54ec07f9ad64ef8f4
+			205ee64633764c86200c97dd48ad5f8c
+			4346a9d434b5dc494362a16a034e4f44
+			00f20e6ad6d3f79b532a8c2b69685210
+			5c30feb90bb018170f2f778b0610eb5b
+			0d59e6e6c4f2b50fd96587e9f73b46a4
+			ecf57607bf52cd7c05f790a76fe57137
+			34bdb54a37645fd5a22114010fdaadc9
+			013932e4aadf0bdadd09193d2014e96e
+			1bc0137b382819d2941a8fcd34ea252c
+			f4d863b33a8ee186f43a22595fd84e47
+			e8f3d23ba60b719f92a4d122c445673a
+			e08703a968f0145de30f626f6ccbc81a
+			361178e464ed170654a179a2ff84560d
+			97ffd3730e49837ea71c0290dfbd2d3b
+			b959dfc0a8b2ba1ac7a9404e3d25bcf4
+			ede38919323561122c295754666471b3
+			2f0a110c01802776c354dcf3ce8d25a5
+			20375a58de14a8b119b1dfc3e5ad19b3
+			3997fcfab2c8d12d64cbf62337b37c8c
+			ccfcf529adf7935977de3aef6f2341cc
+			c5f95545630ffa14603d16f9782aceab
+			73e582d85f9ed590cf7da278857bc1c0
+			f90bcf5a9d136e2363da9c6de091ea25
+			ea4759a80c9d704af410896c909fc262
+			5ab5ec578527320fc5ac3408d2881000
+			b84a9f15c3166b34c0c5193962f70c26
+			0b4b90b71860057b2be4b00c26c21442
+			dd155f6a1b74f6bbc123fed8d806e0d3
+			488844f1e3f937296c4d110f75c653b2
+			db2978dd56c6a849443d623454465bf1
+			cd37b7abc683ab97689eef35b147c1c5
+			bf01714579f1374646455c90cd04ccb4
+			0fb6eea80586b58f49d5a8a072d9f803
+			aec8a744ec570d64eb3a8f65d7a9484a
+			be50a2406e0a87345fb415ca1c63fe08
+			2b3412ef0345ba0b1db9230fa701aaf4
+			5c9b2b05933acd316084bdd3f59befda
+			9b7a3e8b8c40ed537a041e78c31de1b1
+			04b3fee5800bc8e8c5efa07813dcb06e
+			920ed7fd99008337e1b8e3c9f789f81a
+			430bcbc1aaf6c341ff56bf5889928730
+			68441be9662c5cf0b3bbaaa0f391921e
+			792d44d0092d6217cf5141eba59aa0bb
+			e42a15a84d73465c0aa2b4b22a4abec7
+			c8c4eeb4176bfb7a2e240dcba57c2f8d
+			4416fccc11363767eeb8333340126ed9
+			4a3367e0d9926cdf95340a7bab9eb145
+			920656fe1c89d70fbf3b918a8905c8aa
+			c45141fbcb88296a286df74f9c616361
+			6fa2c502222f0f6b46faafa66366bf35
+			27451270fb0f93e70218844644fe8703
+			cf367fd492b5b9470d4a3b5297538f4e
+			6928513656f960d41b59578e5b507110
+			9d7c7ce6d9fad1f2f83b4e6dd187f362
+			cb66212a0c4eee8c4ac72bc9c65e4c5d
+			812d320bfb6f717c791fe71b0c79bf38
+			01ea097aac1f4ff7cf8a2b30a7662c7d
+			65934201c6b103304795e918618ecc2d
+			22c3f53dc1ee88738b17561538b0b1bd
+			3d0a3f7cd8cb7a0ae79e25e225ee38f0
+			0ac7a058653c2099574b1724c6a3270b
+			e506ed154afb4f6f040faa3c48701cd4
+			e12fa1eefaacbca94ab0626c210d5d7e
+			dd088fc4d4fda8f655f9c1b8363e437c
+			a688953af2926644f1e8cdb71f7d69d3
+			4598b6beea3f671a1c970d5f85f56c06
+			cc72c9cd218d6ebfe5478f2f45a18735
+			3404c8484bc6a8a2fc5476272657369a
+			b0361000bb1a92da51edec7665300439
+			3c2a277573f05ed450e6708e3a575820
+			2d6dc8eb004d733bb1b4353c7b179fbd
+			3098fe467539c7414d6a7ed11ec35fb4
+			6b57a73f45b90a5042b44a5183acf28f
+			aa4dac84611eb07fb59700b14ce74205
+			c63edf329deac51a22348aff3fb75096
+			19e87828b3cb4f036a6bd2213e32c0c9
+			de4725932763b76f8cd20884e28b0c63
+			446625c29f0ada0821ebb988b45e6be8
+			92228a97a5725d1df726442fbae48ea9
+			49fffef89b71279d1eab17d60afcc221
+			d4e1f576adeb025d0a41033cc97ecf71
+			1ac17ff3057d88382420ec045f81013a
+			b9bd441606b282c6f3b94fc1427c18d9
+			47dcd875364193c551e667cdc9e17f84
+			87ded8a99a419dbd1798c5de16035835
+			a78ba5a03810686a9d3197205ae34e1a
+			01a6038e0c834d1104a151d49fb25851
+			b74750785862a17188631e1f3d26eaf3
+			b596414299a0b2b15e313d2f10968455
+			4a07406601bf3e578dfc26f10551aa6f
+			6be4409cc137640a37f5c5d664fa54c4
+			3ce9a2d89e00500a8cac417f0df0ae17
+			6e602ecb3033774f73a12ff5cd6ddf27
+			2c121c4d5db01e14aaf14c5360f6a966
+			0189b7c3371a59b9f4ce1aab0e926a05
+			c60fad09755de43b56ff268b93c030d4
+			904b2f0f5351b9db07a72511d0046234
+			88ba7a9dd9af3be9f1718f473e6bda56
+			2f5a593cca040d61b05d23ec05593ae8
+			f97a285766f99a6fb7636c8db9c6bdfa
+			eaee5305e1541f4733ca6b585031af83
+			e139c38f0289a03ad13b15db21ea0eb9
+			4a89c0684aa656ebc9c8df0fcce8e2b6
+			0f7a7cdb6d03bb0525ffd979deac326f
+			26a22ad34fd324155e57920a6f8eff15
+			c4c9e88022e0c00f0919a10827e52ab8
+			fe8791793bc010b6c97a2083e59ad33a
+			e602acaddc49ce67fae1e96fb5d472d8
+			7cea78857c185ff052dbd4d6edec0af6
+			ce8ae267e99002af16e8af1f85a7d9a0
+			40a0112eef52d76a1620b44873497866
+			76f944397020c071edd06b1be2b149c1
+			d600dc4ec2491988f2961b5b3c54d29f
+			534f31b227bdbd4622c2ade53f75d03a
+			e038b39eaba343d169ce8cd047302305
+			198c288a1a70317d107d10226b0eaad2
+			732e109bcf9347a7b3b7c26b3e0a00d8
+			72745db72f48a708b4d7350f8244ab91
+			d5d68e3096c629278f1b70b6cb09b551
+			44039bb90f099c32924e19a062d66bc7
+			ddd1f1411274e59e7c0a965bcc87cd10
+			7a96525fe31a1f4d2ffe636ce5621a55
+			e3496411a08dc86d9e05d197733b463a
+			e2e0f096cbd0a26ec13ae6efb5ba6938
+			48cbf327e40c3ee9658a79e46035397f
+			b34ac4c21209ebaac96ea35edb264173
+			ae3a99a9f1f6fa1a4395bd181f8186b4
+			70a1115cb3ef224d6c31653247b49ebb
+			d009b596b92c09cb6ea002d25c9aed4f
+			ee593bbb0f16c04e80a5816edee19498
+			5b3e92d9a0ca307e86413501278dbe46
+			b959317b27fb041ccd960138333181f4
+			04c346bf706c4c6bbffd712e62e60fcb
+			5aa4671632909aa91ba4cf34cf335d01
+			311b050fe6f1a97d986fdd787591d979
+			44e33a7ed5c70e0c224621de30de8afd
+			fdd4ab2d715931bee9a14affe00911d7
+			c2a18c8a7c1441094c316cc43cc3e46d
+			cfd2d9a75760a347cb4baede5e5fad6b
+			86a5b48453eca73f5ab138cb16925fc3
+			e5f4a9d641e7b15d0040b68d5558969a
+			441cd7ad54586d42d5e083b3457c96b7
+			8f75276619876d45e9505274f6c0014f
+			a872db6dd7cdb2d3a4f3fa2cc9f0af9a
+			d9059019cff3abe2fd87e003861c53be
+			5f2c60f4a2b070f77c2e577995a52144
+			7f326fc52d80137bd1c37e9c8ebebc5c
+			535d313f8ad4e15346d858629b759bb0
+			e3d32e6eb0830971324b66767c3d0a53
+			6813f6899b0c4ac4cb05b17a93c239d4
+			6379e3ae660bd771543cbe9ce43096b3
+			e46d30816e620a5429da6b0c3f07a6db
+			c409b32c976aec55199c856f2df6b076
+			457f10e7cc358d07241aee41dbd5ea49
+			6fdbe74478fd85ff4648631bbddebeee
+			5b5a5bfa7fc67f7cc60ea08424c43f6b
+			ebd8d3a9f84cd654f71b159f0029367f
+			4f13dfee75a0de78dc9c09a81cd5f154
+			5c526d99d245ab00380c961deb2a31ea
+			d63333fcd5799fc409ef7f879f361036
+			abd2f90505aa485d39afda3d70850ca0
+			5b829080b9f509bbe4c9db2f1648d0ab
+			7d313ca424248e869c22b43735642616
+			b45292a01ce7db1f9e9604f71a627559
+			de4e91600b3772e83ec4783dcf5efaff
+			69754f0b8c048729e63cb5723fbfd75c
+			e026f2308c71f813cdb1a846aca4e2e4
+			12b00366049351512d6c4d69e266f204
+			4e1638c8c2287b46a1f02a82fc6821d5
+			8031d8d93fa1e879787428b8655446f5
+			4e42f8438d3163e7784e5ab7356eee6e
+			330b43cbe86892c5683b6383bc5f316d
+			bcc1ba062a3e805b2da091aaa4b75a59
+			116151038e46df5467ef80b7c047f9c8
+			a565da2e831279136a5b86b71aea6db1
+			9437d4b3d366653671605d6244b2be7d
+			0cabb0d2b7516fcbed8e11d50e5bf022
+			7bd5c90f53d4e6b154460323a1ca5739
+			d18dd50eed67fce861399586fe0ec142
+			e6bb5d426517a869740ae6208a75b196
+			eb61c75efeb2bed0736be74a4bef3e9d
+			f6c6ad97904c42ae1a2a344b3c6d9301
+			620dd86d00552fd2026d70afe443c43c
+			7ab5ac247972aeecca551186cf11d7aa
+			cedaab0809d5c7a3fc90cd6fefca458f
+			debf338f239b2df628fbaf0c39c742e7
+			941e960faaaad85750955f0e3d5a29d9
+			415cb1d5f018a665b691ae95e9cf90a6
+			beb6000b88cc5ff886d56f81f0f38535
+			502e5d7af269fb988d05ae1cc92ba397
+			d485404de4bfee81361a1355eb539358
+			0ca7bb5e7d8b7fc97b93daafd65b6ac6
+			99fd61b071c0152777b89b8ffe8b0413
+			d2846004794ba8226673f67af131708f
+			6d3818c32d2410e2c7c5a2e53c3fbdea
+			32d5acb55ba78c464147120e3b4bd25a
+			ec1ac207d1d50bc18251db79c44492c0
+			022e6a709b6a1e500f3cf207b1bb185a
+			17fe29e49457467f9966b9590c9d8f06
+			d1a91489000887ce35efece384f60d42
+			e5df79ba4bcb3c526c9d9f00d18ef37a
+			3c86377f3dc23f8e4183023e1f3a4995
+			08faa998b316dfdf25052c434096db41
+			9da17e1c9aafb767a25f4c4098d369fa
+			1205b459c63d568985c959e2774c413e
+			3f07a0dd295674c3561b7d636ab8c525
+			2d57813fa17475ffa44c29799c146e6d
+			d7472278728a7108c6949a583412b6ab
+			04c61a71c4d20d549312d280c90015cc
+			4f0da2a81ccffb2c996eb3b2d3e61ba3
+			fb2543a7d290f637f8714149c2c2bef2
+			473b00ae18b2105937112b35df78372d
+			fd81555034c642db14ebd87fc191e5c4
+			ce134c94be62bcefc2e7f489525fe2ed
+			229a1d67fd4a97eedcafd219dac1266f
+			d546daae56e0d46fc0712e48c1000423
+			fa65d835a95bfeb5963c6f9d4ff32452
+			71c08443a1796767746b31cccd75ff27
+			ff99b440f7d995ca43dfc9397e889a02
+			5a1da79040903fb840c08a4270eac3aa
+			3800b4a76c2f5dacb46a723667c28947
+			8a14bf83b9922691fd34463dcbcb3d18
+			1609927bf831b415a9c7dac9d9fddd30
+			29d51b4681f1933138ed10ace174ab3a
+			e848bcfb545db6eb201543c8e02e39c6
+			250e2088df30e1f1ce534a43b71f8886
+			9cd657a2ad469d501e2aab3235509e2b
+			14dac47a34a518a7464e8f3c48362a17
+			cd29c84638b6699ce87fd070d6dd5871
+			654834f1d3c5f3faa6adf480858816ad
+			5e076109c5a38c78762e9043d981e794
+			f429ef4f1a1fd9de0ee383ac0bce9f1d
+			e7a2526bb140de68643fc2a167fe19d6
+			37c5c5133c08141691ab24a2d62324ef
+			a1901f933dae04bc0cd9fd35ed515c20
+			6d84d465fd6f8eeed765e5df1b1ab951
+			b079e470f06ad449996bf3a2e1db3710
+			c852588b8517717c7c1b471a7246e259
+			7a3b9ae45b0d91140429c0cd3be63e3a
+			02846c57443d64cd97ef7bac41debc1f
+			01d20529e50bbaed79d03ecfe2abc348
+			20dca71c0318952b02dafd08cfcf9895
+			e3b0d27be12f7c58bbf4744808df115d
+			182592a855ea10e2ee226bd16896cd06
+			e3b8dd5f8225ccb90796bfa15e1efa92
+			697e19a8a887d208c725086c2c99f576
+			e60cc9dc9627736894c24d61de8ffe75
+			59801cfe1fa0a9333c796ed251b323be
+			792348dbf7b76af08dd1b9efd65bce33
+			dc030034493901583b0c03f2345e089f
+			413c9af5b7f6177d7816451d67ab7c06
+			e97eddfa1bdc8498cac4c914d56949ed
+			dbc80fedd3ca6a0e040cb0028fb98d8d
+			ee20d6de9574d28c60f262c920c07351
+			c7ca300492b198fa880af738f5709c02
+			c28694d97dd36aec78eaa0008118c333
+			bd2d87bf5c2e990a37e74a18fbc9854a
+			4e84f7e7ea11d724f44b67ccc618fb8e
+			b65ddf3b6464c38536a181d502ef617a
+			e7cd74286848353031aec28487fe8868
+			74a952623e8828fd6e457f54d82d6e42
+			b8185b9bf0b194080ae5aeb7e5cb4528
+			818d6e7e8120f6192124cd3eb37f16d5
+			c703f4404f23e47517aa63be0f3f690e
+			f9cf742030c78c49574d749bce2a11b6
+			83c70fe2303b1de06187b68aa5051b05
+			94a35fbfa937532830755326f66af7a0
+			a85da7a6ed52da2d9dfe3bdaa640f9cc
+			dad017a692c54c94b36354ccd3b982d3
+			172e0049d2a08eaed97b665da9ab2b1c
+			7ac4f35d56842c2382dd8e7fa6034528
+			d22dc6cb353163c4acfe65fb9d6d1ae9
+			ec0d195cb3dc6e69541eb2a2fd2aaff2
+			c898480f56f3fdb6da1536316e3558be
+			99dabbdff3ac094851b231ac5c38da0b
+			e56759445c9457def0919162358d40d2
+			459a1c171c97ca15ea33995ea13d59ac
+			a27ce038596a7cf8b6894b68d41741a1
+			6a6283caa365383d005829d4c7eeb999
+			3c45ad4239a47c77d2d13a6968b0e7d7
+			a98050703dee5ca2130caa5657945504
+			7faa2b40ca0bd6f3a52bc609192e4718
+			de98aac908ead2186923a4a00a30430c
+			811cda380612ae0f7bffc188eec94b0d
+			8042c5b404c636f365cb67927aa3e34a
+			88731abccb5cbdab1f0ed06a58ae06b6
+			96471b4973a69f7d617325d2af132c53
+			1d09f391047fe45a847165755d777ad4
+			c52659bebeba01c68b18246bebbfed5f
+			2ab0a9f6aac6eae83a6fb3efe20fa2c5
+			372932ae7986205ece9cc68187adabae
+			272c5435ebb0c9383da2c42128d5440d
+			de2ee847dddd247fb2eeba35479d96fe
+			24d9ac3b8d761b76dd77fe7f7a6a5717
+			0b17f79d6eb338cb45c3959dd1f98cb3
+			511e22cf57f13a3a08eaf7c5a08bc4ce
+			364cb9bf9cdbf10c43bbd00a8c992dec
+			55813d23b43937ce195cd48d33490a9c
+			513263c3273d0f343bae0494e23fa0d1
+			64d17e8fb65fe37423d5d5a63f794616
+			9b7bcda55d8cd4e25bcb09ec34a23d67
+			419fe5d36e27992887a9b53cc0bf8439
+			6122934fe1597e0ef2cea9ce8538d8fb
+			0d7c47aab6299222778c971a6c9de945
+			f0f9eaeb3de40fcfa5578d0ea917f5d3
+			8da1ac99d411323fef23d9088126dd6e
+			9de32aeaebee1d24581ec433c3e22ee1
+			202a789bc0a447b71a92442fdf8fe581
+			952fea7383046526719a0b52f2210b37
+			20ae25c08aa8cdadf1a8caf9d480851d
+			615310e4aff0ccf25d2f4400bc0b32e9
+			df26b0528f995f44ef7959b61eeafe90
+			271f7badc53c8b0acf7484336f88fdd7
+			08f5d51febb18ee1ec608cee42f556b7
+			eeade7b4c3519f2b2c74259e41a9d272
+			5e9528890ac11acb73925180b5b72921
+			4bfebbb73ba3e4b6ceb1e9f9bf092d20
+			bc4642dca9876400f433cf48b0a22ce4
+			13f773791abfe6dd3563f4fa2c90bc20
+			275f1b3c6e460f203cfb17ff6c729036
+			a96ee4037afa701dc0ccdc05120167fb
+			3926ee618d13f07bddfc44d0e1ed392d
+			082cee181683c66ae1838339722b9c2f
+			6b3a8c4b66e49c27133b3c1a24b26064
+			974ed97513281adb98de209158f9ecfa
+			ef6bee9bc2fa310a8c4fe947e4d3e5a1
+			e69fb3117fc7cea9b34ef02d337dd723
+			37d6831bc73db7e97e0eec37c2de6de4
+			1e9cb8c1b470cf38d074db911dfdd598
+			8f9816266526b9c0c857b0c70bdd2feb
+			fa46c3740696976bb93e3323bb288334
+			988777bf1472667aeb25951d4baee405
+			5c996ea9bb50b1987e52ee4a8fab2280
+			dd1679e037d77cb3a6c82b0d195f0e9d
+			c13257966d29336e5d11dd9b584be0ae
+			ccc0f9e01c680126d630618dcc4fc42b
+			e574470ecfc9a68e9d18a2b0148c40fd
+			ec0c11d0e4141e1590c23bbf315fb411
+			bb445920ef5db6cb38ed2cc5392f7504
+			0291a06a1afb131c580e481abd844482
+			e3a53eb416215e54548635766723a1ba
+			c7246c02c342fd25cf680d5cfe247281
+			6dab546dc9cfa192c3b1c2e602fe87b7
+			e6b64f288e62fbac4a5efb9496300c39
+			95ed7b80105b76bf7522ce26605b87f0
+			df6b098435a71eaaf1cc52aeafb0b74b
+			f6787500976be3265bf4d44403c55ed2
+			8979a7a9770aa921451528769e2bb344
+			698b410a6d66fd9b6932e3e2d74d073d
+			0d5de7704c38d5480c24fdab10c9388c
+			fd262dfc02d6d945d4c1cb13abe06fc2
+			dd3273910b1adde85c982d0d3ed9e93d
+			7694479b818591c267b9ccb0cc4f7d97
+			3476ae8d622faf2a837759d1c0ba9771
+			707cc22ed5e7a6096eefee61ed7c8545
+			405da40cacc403983c17ea620c6aa2e7
+			e9e4395c84cbd83a506126be9cce711b
+			2bd83f806277de4f6ce7c73bb4cf34e2
+			6abcfe9b07ebd7e0efbebe91365a5c66
+			446cc4ced906706d43f1556ca9a92804
+			e7ac0c777ac349b0e093778cf278e191
+			cc60475bfeb837819e33644635f5d422
+			d0a6ca871e1c784e1902195ea4c16d21
+			f268186d35cc02b60d8c4fb8bb764b7a
+			220101401a6fb1c46aeff1c9777a6bef
+			b252a19d41543e4df2f6e5021db40cd6
+			eb98fb2f788061f7cfa33df67f3871d1
+			cd3dea5dfa9998946ec250f89ef09093
+			2b850450874d8a527e4d7131f4403783
+			a1d814461aab61aec75904793fba241c
+			a0b0472367caf44ff2aae947c33fce5b
+			9b0ed7d5304ffa5b35ce371fa5cd4847
+			b03629f31014bd48cbc32fa8847ec326
+			90b5123f5c94ec0aa601e63b4981bc4d
+			2c6c0baccf670c10b420a61df84a8307
+			dded712d1d58e3a7201e849a1efde6d9
+			e0608a0d545f0ad897b5ddf1d6051e45
+			52116604602c51d7f3109a0128c3a643
+			9a8365cc44bd1ee3ad461b36b2fc6392
+			2cc623d13d4f9397906e3d63d467faa5
+			93765cdb77190abc1a10c393f9dcdf28
+			e930538b7758ad608305c12159801431
+			28138857db62ccc0bcb132df5e1cd9df
+			969704ab715f23407e3fc13698a3ce52
+			0d3e861b37b4e5b75657e49ae98e1156
+			1d94a5841d91ab0589063a09f7e5667c
+			fde1b7102592722cbd48b7053c6f3793
+			00d166fc2c415fd87bb0bf000b382e0d
+			aeea49e208caa99bbfe93413113103f2
+			d699389df89ac43ae184de78fc873bf7
+			8e8b5d7784304860e3d4bbb34af21a5c
+			075963ed405e1b3c641a908a65394a11
+			741b35dbc419c1a74e95662e769d8967
+			896a88f8637b15a946db082543f06458
+			d56f69361e913c907b9fcf4ce8b71a82
+			5af82a05d654a642efa96264c7cdd311
+			6271d4eff4771104fb52d28e0a189b12
+			9c8112e2ddaec629d46c392be3934540
+			8163fc98ea57539bfe5f634c06cb123f
+			60f59216e0fc9884bae5b81c2bca5809
+			65571374417de68d49774cbd0eb24aa7
+			ec136b4e638bfd2f4b3830830be61827
+			32b98c345fd7fce1c023cdf804456e6f
+			833ddcaac126dfb8e1f3a3bf294ddfbf
+			9119af1f9faa2fbdd3751a17f1f6d5fd
+			f003f8f8d9a4edb06adce6ec5c905ea4
+			e0843814b2095e35d8531d33664bc720
+			0e01c0d193bc46eea908d0be537882bd
+			1d448b49a04325cccfd49e66ab328313
+			4861280c0f5affab381b216a3e009caa
+			1bbed05e8ac7638439fc904c24e1b518
+			d66c1180f428032c65646d94150aaca0
+			7c3a33e7a5d5201c01aad171bcdce2ca
+			91c630e4080257ffeba9089a0cc1e43b
+			ef8c479e2b593789a56f5b95df4f9e94
+			7c31bf01d85fc148a38f469a022c1021
+			105340199d37de15026b849a263f0d88
+			e895594901a00ae80efc3c421d60b587
+			2b6a9704d5503bbb8ce868a4381009be
+			99e6095a13290159e2af932fb4659319
+			84e3d4e24f210919a5497eefbf5da850
+			3bb8c4b2a0d99e424fdb4a0c716b6941
+			71d3c3d91f519f89b0761d42d5f2fec8
+			84c13350740f35dd8b3ce72bf006bdb1
+			846753965d479863899381e8ed53a63d
+			f2382503e52be6f676766f610feb8985
+			74d70196b4c8cdd8bc0e07146da50f8b
+			f3a2526d73dc3a5b21aa6e9f9536b4eb
+			afe0d4576f21b6ebf7ece5e7a4088e5f
+			b1d954c769f2c6109e8026e82161c144
+			f217f028a0ed2678dfeb772fd0a04b00
+			82fa8deb751981ae7a093988c4249b41
+			420340375ca7c7c7f6d448f7df237af1
+			3c201e0cebee4914ec6a70d519bcddde
+			bd35c38e37fbdd2c0e27e188df01c34e
+			ee39ad4e5462b3a99be16037b050b18d
+			a11ddc8b13a1ea1e2dc4cac5139f166c
+			c9834b60bae7c86fdd22c8fe7642c99a
+			70971ec1d69bdaf231a1298ce119e220
+			592824e13b798afb582a742d0a7efbde
+			3c24f93a5182cea371b3c87fafcf6e1b
+			1afeb8945f4b410cbfdf96596890cfd7
+			1b1455e99821be651a23e7fd0c20a98e
+			dea39addff2576b01cc0965c5a9ce4e6
+			9a62bb9baf812b33d0ca0bcafc46d95f
+			6d8c574f492f7a7a064fb98245d13d87
+			5f120fd9087623e837434032d086c32f
+			64db0cff06f50c0ad9c42b5a1125152e
+			79e349cb69dd3d34359063eddb7836af
+			513fff225c2153e088215cf07dda9b72
+			dc40d08c46afcf99ee7cf76e2eea6de4
+			03ff5067a18b49404e2879ae524e9dc5
+			860524328b3cda5a847181c48c6e9984
+			9c1c237e53cffc7762cd9c42d56e8f7d
+			5f6660fd33e3f610e1b06590efd9a704
+			9a8ed27ee52e5e03baef4ac0433ca441
+			7ba36deb9eff5f697f7e9123f02139bc
+			2bba0420162aa91d73c943f5557f8f7f
+			c499fbfb31906a59f147ba8d43c969ce
+			9aa3733c5fcb3913347292a6960b4852
+			4445d579b57f428aed99d4a04756ff77
+			10ee6266975dc4a160aba4d9f1b60563
+			9415cdb1a877331f58a4093044a32d48
+			219bbf62f9f0fa1c4d7852c56344898d
+			62ef07bc23939eea10ba4419b3253003
+			079acbd1a647276abc929f3655b8b5cc
+			d2824d3f3187c22ee0e052da18bf1255
+			2ee6e0f2d3bdf834c3961fb679db9eae
+			21cb2a9a0446543fb2055b455117d692
+			6948f64318e65406e9f3b641dca9757a
+			6b1d9264c8b05947786a45fd3071b814
+			9c984235e32315717997dec5fbd23d96
+			a889035d419e534dd5950ae8d127c3a5
+			edb8aee4f55b4b1993c42bb071b51622
+			f91570cc5e85e21ffb09eedcc141a10c
+			7d422b1252d0e4d2670435f40bbd6e17
+			0ded4e9cc9dfa23456303838ae2180e8
+			f77d3c1b0a4c24d30b8bc0f1c325d9c7
+			ad8d422904c2ade453b3857ea1392a48
+			9ad0ab255259fd102d31aa48379a7f39
+			cbfd3cc9c37f914a998cf99562cf6b33
+			2c10462bcb36734ffff19bebaf0f3c5b
+			153ca2cdc9fbb3615d8beb36794f6eb1
+			7631be53558120c121431d47ccdf594c
+			40941600200106d02df2eb4962d1e1ef
+			c34040ad301e7942a7ae647574203704
+			9e63580033fea82a0ac72757542db2b0
+			57f5358b3562691856369ae66dfb1711
+			ff957342acea44c76ec40ee5f1339bdd
+			85794d374e7b31489a0338de87ff1e40
+			b2ca5906ea91ef1adb7c1c5ae7b08cf4
+			1911fa9b70c6321c931484ffa9b50589
+			05437f4e0234991a404a10d113361e9d
+			cb5367b9b916a034a43df172c8266554
+			1f04d4c5f00bfda45ac07f39054682e2
+			95a1d9d3a0d31295cb86eea198f1e41b
+			4b0314f8b87d2a80450ab5079ad1b05c
+			35ff1473d5a91ba7293597661fa20aea
+			daffcae57ab2ef23865884adc629918e
+			070e197efc89ce5e5b7dcce6d49b8ebd
+			227078c28c70238a5ffc011bd5452df7
+			581e88099dd72037d52c2b76614cd160
+			789b735a366e14893d0ce00c396471a9
+			02836aa47418f47b067b0b20b059b36f
+			79a2a58d24ffc02e59e699b9b9a6aba5
+			6980048cd7fcccf1aca6d54c11d87912
+			93adc2b8d434088fbd57b28859badf09
+			7a51296e695ffb2cbb5b7a63c84581a0
+			d7259e8ab5582517bd0441d1ac982148
+			5444ee4b96f59ebd2229191b70f3fd0e
+			93a9865ed6010f423c4a7cdef90f8214
+			7062202a639c9deb1bb88dbd32445584
+			1ffe4bb22e8f4641c2cb76f511257834
+			b6780ae2661c39aa77322d4bd5c42f42
+			57005517170ac9184bd49a6e9005d090
+			260b0da6020b45b0905f12670666c59e
+			0a9c90f6ad5ad5d9d8e11c419b07ac90
+			d0a4229a01932262e6dcd386efc5e0f7
+			22e1d943727d1055b7eb8458f0d807b1
+			90471affc226c88676e8dd42d1c04b00
+			7bc8f686da9c2c8f7cc5243dee76136e
+			ca5f488ff7f41f0470b17181abd0e844
+			e5758478d00a43f03b5e44f864c730a9
+			5c59a485af034fd76a416cfc23fcd2d0
+			fe90465bc5cdac67673fc638c4c80529
+			7d84d2499cd43f668db50a3fb1f138f3
+			8b77b60dd0f2e9e273fa2c3b5eda2f54
+			65c6ecee1183c446343a6e1f7fe96cfc
+			f32e1d5a7dbc57bb78a3957c3b5ce993
+			7f22d30357d12692085ed0f67b8cbd23
+			48371a5ed34cef4e0aaf3e8cc67fde4d
+			9d7915909232843d989ca2c276125d72
+			c1eaed4a82eb9bf96d74690609c5fbaa
+			dddb9e7f3069aa0a3c2b9c61008b916b
+			f1c864323bd174b0b71eb35ec9390ed1
+			fdf3065da917981435d1db5135d7e3eb
+			2458ab541cb0853e208140238d6c41d0
+			b56935bbde440e30ddda7eb955e7eb07
+			f45aeb80e28ac4c6b2e9e3e369003730
+			ceb00102d3c8579ed03ce514b3b14cde
+			fa5128992daf363dde067a1deaaebfbd
+			2c813f4c3b5537a59583d1967742e7f0
+			ad62735422c5e81aff0e07912a210ed8
+			5f79e061273aa7ae5e32689ec9c87a3b
+			cc0e8f5d825f25c4919420c47a453563
+			0f8871d0a76b526bff22a3978ff61fc7
+			5f9c0ff9cd7cf840d4c1f0f37e643d16
+			e62e7500a29344d69817af3c839e722f
+			32252ae14f93353734ba946fb7985fa9
+			6f459ea65c9ec94442eb6f405f109791
+			9fb892e0bd7df0dca04c41c59759f623
+			80e5bf439cc05c3eeb11628431c44027
+			f494d54139bfd38934c8a08b724edf36
+			06d6b6359098325a2799f554fe8599a6
+			b74d81eb2cc70ed7035b878246fa7128
+			652175ab8775f07294a83676587037ac
+			acf5f5c83028af110188d19824c0ec19
+			48d7a6ce803fdde30c11a760ace49df1
+			e8c138160004095a6e8a8f20b3139cae
+			9e1968a26d70c34ab01c05b26f1757b2
+			2bb1b13ab16a73ef7cd495571d436f71
+			5e20b66124cb5daac27ca33898f7e24b
+			5b349a40c1886584e31699bdc3c67fd0
+			7d3100df15eb9e35d168b72681b74a8a
+			40bdb8eb8e62d1e30a7179b7b755245f
+			4f9c72e3676e0c5122c0ac9ea955702e
+			90451070281257b040943ada79f84023
+			414ac82a074809b43d0efd0b7a30e25b
+			1300d898548735ef3c1d2eb412f7520c
+			1b06291ac7333de55080bf6a541af3d4
+			ee50c1fc507da9052acdb7de663094bd
+			53fea7743cf10a80bd8bf14269d2d299
+			4f13de0c810ae6c47b5d6a4cc05de866
+			95a9984acc560225bd62df0dfca5c6c2
+			9dd1a67352f6ae590896b8fdb6c1a710
+			7f19a0c2821d3d99c2d1f0f47f36a313
+			f2317e38a8fccffcbf53dee02867d05c
+			f0e061df2e15bfa0f048230208434035
+			cbca81fe29ad9e4ef0503a7bd9874670
+			17e1860ec56fe01be07f3b617288cd6f
+			c7d838747eef297c2a1b451d9a641218
+			2fdae162dd959541da3f3025cd05897d
+			fc00d0ff54040f107ca5fbbba7f6d891
+			aee880347d7cd5dc8c4a4db50b838b4a
+			60acf965b2a9e669a024b2886faa5cd3
+			161b24e228e6181f553b12814c45815b
+			42763664538d9e5b24092f36f972f7af
+			849a2b92c75a31a9b9a8ee9d520f22af
+			f3986cffc7df7b1959b313eb8346e336
+			b612264d9884632336acd303bc2a3772
+			ba3fed7c3388984fe4b10ce3a6e8cf00
+			00e4c7657b989735c62a0389b395dd39
+			075781df21505a2eecad6782940c2b25
+			34d602bbf09bed5033df4f797e9a4182
+			1cbb9fb0785e41f6d59652c96c39fef0
+			91dde2db2f4f656c4f125faefe2811ce
+			658bcd1fd6f3a4fe90898bc7456b05a9
+			4b74fd97bfd00414425b93875bf4acd3
+			fba06008e77de01142d737b9ab1142a8
+			ccbeda8686f18e2e3f11741a7a1b66ba
+			934d5c737d13bb2804ac7d6efe8ebd2c
+			24eeee2a309dca022fc8cb847b21f6d8
+			fe0647b3022ee76264788bfbd609d396
+			61f59c0219764372e19b3dc316a99a98
+			8786553d48c2ac8e56f4ede5a7044e9a
+			286a417150dbe9ce80a34c703e3568fd
+			dd2d00dd499c321915c77bb1d21a8119
+			403f65a53486d7fd6630cf54dbc5b37f
+			c9f9f610c707a573b7282c829a63e845
+			8883a959e00b054db2d16fc8fec6e87b
+			0dcc37666e796704b1fc7ccb348364f1
+			03ea04ecef12179c8ef9f0fdf0aaadb8
+			d19b425587c3a49250456610cd123ee0
+			1c2270a45e1dd7c4b11738c02c394e5a
+			879a5b919803856b95d7a2543d200f39
+			49cccf2e078a11f186934f059e664c40
+			31b27dd42280d90116fd64a3ea6a0a8c
+			fc8623cfebabe8f9b827e72042f1f4b1
+			c21345f4b63294d764e14f12003a8a8a
+			48a80dc1d4700696899d042475f4c194
+			7eeef5b7539b9dcc334b3d63ea1c6019
+			bd27586f8e9a216d960599738e35e027
+			3e051939ed91253b108abc058f8c7c8e
+			a9104214e5effea4b0c82e116ab82cb3
+			9c0b5fe8d3c291b5acd370849fb787dc
+			ba0e274e5473ecc9fabd1ba452df90ff
+			f45344844ed5fecfdb1fc48470bc88f3
+			fc7a41afb030f4c09159c5be9452facf
+			a507b619013d52241aec38ae14ad4b7b
+			bce34696892850a5f3c84ee901912f61
+			54fb4ee62eff8c336fef6d51cfaab514
+			9daee26a235b8039c3eb5c295735270e
+			98aaee1fb981772586968e5fb50f535e
+			b75b37c044df1117f40cebece416fc5e
+			6fbe8cc7c0bde05373d63d65b7c7d54f
+			10b0421d3195ce2886945003086697f8
+			374750788bb2a4b741ed5b159166b27a
+			98f80ecee8a3fdeb5f8c3f18294877d7
+			5295268e8233f7b406ba230ad904f06c
+			0a586ad8725e9c5b70ea59dc91f0a74d
+			9d54509b9a419bba2a27be35a6736b9b
+			677aef1c030a0d4c50c93c0d6e7c8239
+			75c087da2b45172b6d1268c9abbfc259
+			0e1db3b7563617856526015eb926cd99
+			f1a7caa16833ad364996156c5514b79a
+			f5e49825203826e7ceca020e628f6434
+			689bd64d99007f5a80b79d335fa48fce
+			4d30341e06d27af4a23c62c611afdb01
+			36b687828e03a4e00303f1cbe91e8309
+			4e837b58a8a77888b522964ad29748dd
+			451a464f6998d08674b447a9f5f371d1
+			2d197f6b3b650ab17df4d2a66b6838eb
+			918ff353da90c8e8e40a717825bebfb5
+			182abb212c0c6c637d06e5ce588eced4
+			11ff0be5427995c2ac8b3afa8c09b453
+			a576998a97bb1142b0553e617e6f8064
+			f5a7a6993c8021df7adf633d138d865a
+			5b31d610f333dcd85ed7ec98f3ec0ac2
+			3a4929de69822c6a618994946e90a8f2
+			e40d51937b8a224bc52261acc2f52332
+			121991141279f7f3b3f8f6ef74b780a2
+			59e7d67e6768a163683892d5a1d580c9
+			2e152a0e74268896256ef5b8780df3c6
+			407da5d962431d2531c24f17c079d276
+			63380a819e7f34dc7805367e9bd7de7d
+			d10b03b6aec312a16155e3c30307cb2b
+			4caa567cfae5b5233a7f2068a160a3cd
+			618758ac107c839eb0090ed6c95c037f
+			20a8fa474a3370f83f6d6ffc90345d6e
+			667b4ab3bdd77ddfaa8919c41ac03323
+			d6fd8a20fcf8767bae66f32f34820bd3
+			e221b09ef542881efb953076d2731eda
+			05ed1d98beff5d5e65bf60da4633058f
+			029aaaa24838f500db30401e8364dbde
+			335b50fc2858116fbf432cd294fa90b2
+			606d4341cb27a1ada1a9155a3de83ca4
+			2c296c7a63c71d9f19e0fbacdb814cff
+			dd13f39817b26776a2ce6f16d9f42d4d
+			9548e8afc89c69a89e993a0ee84db177
+			0601370532bad928414bbba386a9841c
+			f5e4014212fda34b2a8655bef5695fe9
+			0846089e03201b75aad11d065157d5de
+			991587a2608f780f7572b890c7a62572
+			7f1aca828015e8fa993a69da47c04dc5
+			d4d0996c33d3d7cc71640f8d68dce4f1
+			8be91d1ea2b6216c9a6409a633cd1ec7
+			ebc6a9aba9eda8461dd9bf84dd6a1501
+			65fee2a177948d523815f6e59d14789a
+			db89d3f66d383e8a76cb5ebc5adaaedc
+			5cfa373d8343434f05774defce89935f
+			52e00e7728022f4cc0993b56c3f1e295
+			ded438b94937dc889b6ef5bf766853c3
+			b1df3377a767e8fc823a7fbba0b10388
+			cada8b2eb8b95e3f0de6c82954801f5c
+			b186086f2b8509a0855981d729e6d30d
+			b04cd14816d49719e2632a17fc4347b9
+			223f2f8cc53b30d5100d44b73a3334a6
+			d09b26768a8bbbe8944e3102ad02e03b
+			fe383811ea33df134d49bd468d0cab8c
+			5cbfc6e9fae490cbde48dacfa1eb50ab
+			c990ff18a27a547d1a0ca01047092b5a
+			e65b261d302d08dcdc68b950e862ec53
+			87f14f93787f92c6bd83a0fd71e68f5b
+			52a1fab2b3aa24d140417820c6aeab4e
+			47e377c6f1c1bfd8b026cad25c9a8525
+			7c1cd506dc1b64b6eebf9fb43bf5f2bf
+			af064ab6b2f7b88bf47f33dc910b58f7
+			0df314886fbac6df0001d07290ef00cf
+			aebbb85f6eadffc37195a56e59102123
+			8830d13c8d3d15d6f0d907ffa75ac355
+			0e9579fcf1468267b39cf88071444aa4
+			760ae81272622229b101e641daf041b0
+			3ad672773c2aa190150d82a36751ad47
+			9bd0664ba3a24bb7f512b4c381c11392
+			27086effd89e2bede2d6a4b773d4cf80
+			fd47c8653e82c4e815b263d9cbca16a7
+			3bb26cc0110eb27fff14d4843f4f220c
+			d4275ca4db009d0e84b88f099ff620e4
+			366f236fa4b901e80fd0f0ba16444414
+			92781fb7d0ced88824e89baf97371d2e
+			2628c023209aa34ff0bf775a631c0a4e
+			fa797eee95c056bc5d8a777f23d1ced3
+			0daea27d7fc1aea65aef9d9fe614608f
+			2c10136a5898b6062d8e67ea4a990c60
+			51d35fd493b61db67b8cbff577d02385
+			de5474dafc7a77f994a4a202bb823114
+			7bc48428422b0c83dd812dda0a734860
+			da56fb2b33118fe4761dd77991ffb5ee
+			c959359a1173863475523751c814765f
+			cc34999d896b661ac2c4255a739da44e
+			d2930db07c3205e5f9deada0d03a8443
+			00b029e83fc09b54001d2df2c7b429d7
+			5bdef94e8b742932ce08bdd43f995481
+			ec91acd2e6329cb4d52af3c0104a2d75
+			ad8a48cf078ac58c34c68545b3705eed
+			bbf07106692087ecf206da308f0d380a
+			083fe85c00668d2d24cfd46b1e649aae
+			5cd8bacc15561d73e2a70dff2a8991d5
+			01a632ec0beca18d4aaed1cae8698c44
+			8e265e30d4a2d5fed417fae8be697f80
+			6a1b6c7343b1f27842f0c6aaff1e57fe
+			911e22e9c140e95bad02ae3932cb6775
+			5cbaae80b04f51f16cde511d4746d003
+			b8e32f08ed60bbf2b23d470ca8887100
+			484c7035b166046bdf37efb9ee219cc2
+			79afd2d67fab6b513e939f8af616da43
+			52c0d41fa58542f3e2dee21045503eb2
+			7cf2abfedc38a0e1e0d16a736262b49c
+			62bc00c699d9828da30a39226509b0a8
+			ee7b49d8041776a4dea7e2176080c2f8
+			45fa73505693b4043545a949276a9c10
+			abf5326c1c3a715b407054a2fc1e4cdb
+			0beaf16b0321b3acf88f403c36ffcc00
+			ff6b3b7250a6ad1651720e923e25a7f7
+			4ae64d3d1be80bdf917bf26103d72514
+			362c2f33cb3e053a704bc84ab472b728
+			75da0f9ed556cccc4a631d6fd3f69535
+			8f6882ac54ebb7e5a3e6254de5764ac6
+			71cde8aa32393c7e8537d446905347e7
+			23e322230781ab9ca9e4bbe0ca57f769
+			cf9d081592f5f1baf4636d8ac9d4c6d7
+			99189b42a1ffa321ffdf40f3ef366f85
+			8565e9dfc6e7b4f24caebb851e9b9262
+			a0c15e9d762a5fb810e7edb02a84607b
+			3c4163cc6c6073ec86f6059fb8d99438
+			aedebe72c2e9c610c61fb4d3f3a7d826
+			7b3896bc71c66eaaa62e5bf4b8e08bf9
+			aea839362030bbf98381ee0ef98c659e
+			a4702cda5cfd09e4119fbe6411d7277e
+			d2a19d528b5599d63e655508d2f30b9f
+			4b1aea1ebcd02fb6674a46f1041f69b9
+			9a914c828692fd69556db3430cfdc927
+			ad6b54d36ac7846ca6300c9f9c67e943
+			60c122cddc65d58dd6e5918fb01739ea
+			99414a71a27e163505b38141bffeeed0
+			87c7f4f7736305cb1cf2fd867c0c5bd6
+			cae0b0b85096768fdb5f5a589acad5a6
+			f32af707c1b3f13d199fa3cafb6166ce
+			6bdcdf9b8e32e1b654f28721cbfba93e
+			bc1ff077899d43f1b94fa04bb1985832
+			1825b1749cbb3a14fc0eec06cf47eb84
+			82065c393f94096435174e8fde959ade
+			68f4706793d264e0f395500e5d5498d4
+			9970ee0b7cc9fa65e0eedf8d149eab53
+			eb39da143896f63e74ade5d25e680ac0
+			40931be13cfcefad7b2ec72b6a600cea
+			dcb964be5b8f4855578ce89e549b0be1
+			75655efd6bdd65b609f4be6d0f50fc1e
+			8c9570bfd40634ff3c048f9ae41f035a
+			9c6104962b612ba966a42036468165d6
+			f36feeb1ccaaec8b6f875af7a25a756d
+			fcca73a7d3005cb5cdaea38932c6d2d0
+			8e2f9f994f242af5c008e2602fa3a899
+			ee9017e03fc785b14b3eef947d052a42
+			0c08f3cb4c38982581f9c648a9a10782
+			e08da4d2273e7e58fc62f58edb673599
+			da1b2623076eb1717dd43c37c6b7bd26
+			4c8d8bf76622ea962dc883845265731d
+			8f52e350107eb2a99dc5902878a4c927
+			d62d735db14f7a64bfde3cd3ebe1069f
+			119bf042263ccf3fea4e85322ab0b2bb
+			e85f422947542fa19c5f6dadf21224e8
+			cb1857616133518a7a9ea51f2ce7ceb5
+			fe34d21c906e8caeda6683f24648714c
+			16b1074365811d3ba273fe9c6dc1f5ee
+			b4a4d054f8ae4f3dc5ba11db27cde3e4
+			3aa711fb5826773a798caa3f4c89c68b
+			aea03086b33be4b309155147d0a041ba
+			2d167e5214f98b1dfd615869906eb712
+			1fd87a006e915c0844e6429c0d33cf38
+			ab6dd15d65de8791de57cfcf44cb7216
+			8458b5794d269722f3b5e62ef70ca375
+			a47a02608767ec866c76df92bae24693
+			69a708d8751ac546aeb83b96a25a0591
+			0786314c1f4b70d386563d3576dd76f3
+			6ae6db2eb1c6c689470d22be69a2d8e5
+			a555302de90c95d01b60e4280842d524
+			4442428fea4e66c379b66833b1c33a78
+			e82a1d3e7c58f85507e74d9beb799a6c
+			82da54c42b61b457737d515a6451b061
+			3e5e9f211a8baad0521e744d1bf16282
+			3ada566cf838da5b9e24bf537427036e
+			d1da1e22a592884be2212b599f374fe8
+			9db77561a9d1e962180d1a399b30e2a0
+			cb587be0a89913ef46f8497ac202bca8
+			279df44b00c790f9d8f960f6dc8ffb68
+			c55da5bf5ea94ce5978ab72f42c7a598
+			34ce133b3954448e4cf3558027240537
+			7b8c7d8e4ddf8c2940ff996975be0086
+			d659df8f80c06a4872bf7243ade2aa7c
+			b4b8c7682861acdf7db34133e75f5431
+			2905faa6dee3090b18ac993525c8d73b
+			3e03f4dd6c56da112de976e7bc66d067
+			4e907eae9a87b48b3ecff34a28f72224
+			e5c40723cd68b8d29ee9e8fac5139873
+			94a7d352c3593063dd2c9738f581f9b2
+			d9da62bcaac80aef3887b50c1ff45275
+			7ae4c3359ce43bf06e9a2e8472c11049
+			d28b8f192413e1d71edca372076e17e2
+			5bbd0cf7785198dfb693da5c0934b38f
+			a8914fe39459adae99063d7a032fe057
+			259c59b4529cb9123ec4f722bae2eece
+			3cdb935b1988c5af5abd60d6c81bbcba
+			2c6a95508c1a326b373e1076722a169f
+			a0cd7e61fce7251e3c3f23b0e3a8319d
+			094ea5f3826983d37278a8d4c8b55e53
+			d72c13d99eab19b4e4a73a134854fda9
+			a7846a341379c7f45087f19372edcb5c
+			56a22145ac925b530b94a98e3fe8e026
+			4543fdfbfd5882dd3d0ec7e168261f67
+			52d303203bd02f618c7e0ecdd0b547e6
+			a7a14b0712721fd323db9b4446b29843
+			f2b48555dd79acfe9fa9b99f5fd2ca5d
+			0a7dfb6a67942e8ab05a399e1b453b0f
+			044d2823c29aeef6d1d41e573814535b
+			02bd11a664f1a99b8b6a8f2a27c46997
+			b087e006ecbdea939ebd7569a7607227
+			832f9d2c71c750061ef132bcc8957ff6
+			1c2ed16130475272d92a27f9a8b2d297
+			3532ad7ad2735df45b8d00f138b7066e
+			d8b3570252732317bb95960ce831b7a2
+			41b6f24b417d6cbc4a646ae3c9bc9761
+			db05c88727979f305f506e42d02d2e26
+			0ff074e0f6470fb2b59f5195f631ad49
+			ea2d99cb4f9f1b61741dd1ca696a11fb
+			1233ff672b99114b9ecbf0463b0ad9e2
+			3ad6f5cc478725f377c540b5e22a28fa
+			9e97904dc470aa808e7561a051e14954
+			c9332e955d5bd699c2ad7a81014d67f1
+			8c040fdcbfeea1bb54965680fdde66d8
+			7ecdbe20978171b8fbad8825010b9ef8
+			c35db3d238370f8e71ace3ab9084fed2
+			4b3d5a640962944b086709e28b085690
+			36edcffc0146551e3563035a3451db13
+			729eb19b7fc4cf759356c985b4e0b201
+			fdf9d38bb515f7c097991a402ed75b30
+			82f3d008c28c9787f7aac141a86c2f54
+			96b7bef71c97bb2f7b83ef4661e93815
+			1f671deaf116c8ea2ed81e7eac34f08e
+			cadaca87303207ac889699328d38bb32
+			16670f7131b2fd271d45da62a29e8abc
+			019453b9cb78c7f8f9551c842e562bcd
+			120bdeb148b662e64ac469786721608e
+			cc6e4a060d762fd45866e4680c1f79f9
+			f0e9865ed6874d1099db9dd4b4287ae3
+			8dd74aaa414d1a9b096c771a34d85ad4
+			7a6f81a2df990beb9b60d9d0f756bcd4
+			677c65b0e44af76ebaafc8432d163344
+			d3e90786def2d86203fcb4af72c38325
+			7b0353e75fdedf6090a9714feb34eb93
+			af5ca7b6f535aace6abf802154747f4a
+			6e60c062386ccd3c265cad4b573d7167
+			f30c8f981d605a55ea2c961f2499af83
+			e66796058a184d6a4626debbce8f9bb7
+			905c2e4836ab874f3e13fbf9e42ee9a7
+			be38a4f5af9047602a753f85d767c266
+			e5050e26c59d8ed651029e80c1954c05
+			50c2df9c1a8fe1bea4ac26fdfb53a9eb
+			04111d1cae0aab623ec16ff6b858e6aa
+			ff69129931e4827d4a347e49a6da79e8
+			b9bf6efbf534954b17d2373027ebd43f
+			ec24b15d62432cbc1e02a666e371ba6c
+			45b6eddc31b1f9d49c0591371bd10832
+			42487379ce8c5825c246a5bb703bc694
+			f452640c015c313a35fae0ef72174682
+			7b59a825a179145fd7b0a3fe2764a21f
+			c2962f705cafa1a4ba334bf23e158a06
+			df43290ef7250b50dd0deecceac2e87e
+			0fc964aa4f917cd16a1d9b752d7635b4
+			d6e10a5934c080f2937fe884068d99bb
+			0e19cf20f23ef214217dd94a7837a108
+			5f528bf97e41629651bab980a7ca3619
+			b0105fd4cc944d37cbd261b9bac5b8c8
+			fc21423f259ec3e32392c315ed607182
+			a4a33c6c5278938e534f570084ee9549
+			7bbbf15aab9759c1bb2e4d67e9f5f811
+			2ec75627c47a78d27e84aacdb4072fe1
+			f419eb4795bd0d400ce2bfc84a5f9621
+			a3c5765fb5c078bf8f663559f60812d9
+			9fb66a9c0f3a7d0a7fcc1fd6fc3d4fd2
+			33e447f883f9a94645368271605bd679
+			a47dde00560c7c9a1fb228047c4e153b
+			e666d5e851c1d24f039e2d59a90e6ae9
+			f9b355ac8789679061b875fef53a1145
+			6b664f0d311d7334454d5c1f8ec7695f
+			6f1563671aa29efb2655c85e263ab1bd
+			71b631834bd87553501e14c59b8144cf
+			20ee7804031aeb1aea1255ba64e9510a
+			2ecfac608882751ed574e6c21228b9b5
+			4caa4442a3c58d723f97445a296f98d7
+			88171fc4e516cbbd6f8f5055ed36e595
+			58abde1ff07d8a9134409a38e35ac02f
+			80f71fd7b7b0ff3cd89eb4e595d2a650
+			9c2ea0f9a4f1037aa19ca7e8e6a73a1b
+			2058b9e265951b7e911762933727f083
+			463e4e5668af8dfd49fa6d52bb556788
+			d28b004346597e76f5cbcdfb26cec90d
+			1a60d84ba0e8898f8e41d20fded761ef
+			62f42247a8b055df9819719e8cd6335b
+			8e4f37923a250347057e1dd7a680e205
+			b5bf3d3069e8c9766a18eb7c78f7fcfb
+			8fa80949a4bb08ae1b9c5d510e14a2b5
+			289cd975981ba5f5db009c1638646f75
+			ba53f969394ed5cfb9da72ac0b01fdb9
+			ce377aebaec33b88ed052d67bd5d2bc6
+			0d3f6b19c408b661150fbc7335d17a7c
+			dc955079c13b88c59f68c594baa601e4
+			d8996ed317fd900f28280261cf74ed5d
+			f089961f8a2eda457de8a99bdf34e4d5
+			87fd1571306cc78d44c8d6493b7717b1
+			384997dedb7fd787befc843054eee75e
+			21590a3063797def0cb04d63dff36e7c
+			a8b9e983da41006f0bcd2c6fbc79b638
+			da293dfbf73eb5b1c85ee8981a84fd25
+			bc65649fbe8f8bde55661ce466b8cd2a
+			4dd1f4c4c9753e6c8513acbc6a1b42c3
+			d98a01667d4ead79af8c6f8e3cf159fa
+			77e8399d7ac470e0f83f9600321d1cbc
+			9b03c4d3ccadd54183a24abab381a5a6
+			51bac93624f9aabbf2c9b823d6828d7f
+			acb4155423b9fbc17145352ccba30b8b
+			409d25fc6617072f369d58d4bf543806
+			e81204d8162a4b612f4428667bba3509
+			24457be6cb0bbc6c3a47c60255158cf5
+			8a17ca4b9878bf9d63d474611da7f967
+			7c2f285707b90eb1576d799be450daf7
+			3acf59bae5b08d0fd3ae1594a4f41621
+			55d5064bf76c11f0823a37986039c3c7
+			1d822142aadd2aba828ab63a839abf54
+			65761006a8099d9a9303e129c9474c27
+			3dc721bbf5daf9ffabbf2ae22344d46d
+			aa398aaf736e78f82cd072be69d1129c
+			8cd75ecb3d9aaaa28202b6ee2f2fde58
+			359ba2f67da7e35e8bbb3eee3fd84a96
+			ff9a746ae8d28163f86c5e1d875f4d14
+			f6965ac7e193d4b620731772a29ab5c4
+			a43f78184cf21c59addb1a3ef559579d
+			94c5890c5ff2812c4ce552a6b657ebad
+			60df9d721804a0ab68633dd0d5036670
+			128d6853cc5fc13e64d37bd6db01177f
+			916d108bc7996db91e9d2592a8ab1ceb
+			d7e20c904e4eea1b6a94a1e33cee5fc3
+			f36b89e3541c66a8cfe799480e134f86
+			010170cf81f4659a3db698b1405135a2
+			ea171fc04104d27ad12d2917c2e82c81
+			d0a3a2682f2d4b812203dc4230a8ea95
+			0502b2dc983dcc1af813854306b1f148
+			dff156fea2fa8f3dce4dbed065049d4e
+			b7a08f550832d5c08294645b093499d3
+			84f0d3f1ed15811d958c47fd4377edc7
+			e6b742969802e17a92ef8d02e0f421f5
+			e03181deab5f4b78fc5a6f42478fc2c1
+			a197017078493f57eafad29f2b3b1b7f
+			5cc7e77cf28974ac9ca06ff329b73f5f
+			856dd6c0d9f10643ac7865fd045fa861
+			b09b6e0fe10f280b5a270d8099904301
+			c5964e0a6d8197700438f2cc67ae69d2
+			d2a168c3ca11564c7d0a9a2975b06868
+			3275c05ad633381f7905940b2a986206
+			5498c4d900ff82a1b453ac584196dec3
+			adc1c79f3adafe12c0ac943ae215a5d4
+			3a6723b26d50e9fc116761ca497e23c1
+			11a58543d971cff43ec16c72ed9b075f
+			2b9076d7644e8ba30a0ac3af89557dec
+			6b22ab5bc084620223376f5904e138b9
+			c5c3e5f40021e2e02df7755e7efa268f
+			8c7ad5f21381ed940c0879f16b22dc27
+			461d742af570348222e912d56342db6f
+			9fb0270492b67486de15142839817f2c
+			a7551e518576a3725863b2a64244664b
+			a8a3d5ebfdd5a116efb6e1557c5de44d
+			5d24eb9fb7da6c9470ea52d22343d5d4
+			83d1a43bbca1d87de2d4f9fe1921beae
+			c00349e6165d009d6d7b94290c4b4965
+			86e251f0ebe3a9279f2142f064f1194c
+			744a491e60d5fdc748e7fdac3e26fc9b
+			467536ad4b52f079e0a5eea8e8118b6f
+			7a4e468a8bab55ade9f58675341c24a3
+			11a4900033d67cee0313b42c50745f8f
+			904480cb1c902b2b323629a35e848a79
+			4863ed560dbc9640c4883f823eb60671
+			d3bdee51b7b055800442b4d671a77d9e
+			da588534c13d4d008cde28f41e73ebf7
+			a7bade42a535dc5fad570d376f3ba797
+			2e3aea75f0240120f96e349425fb2e91
+			f83ebb789e394efdb5ee5f4fdbc16222
+			891a10c1360450b10de27abcf890dbac
+			751c6e7fe5b15655cb9fa1f56cecf70b
+			5367fd8ddf3da647ca99f1f5b6b31e75
+			efc048bbd2217a0540f3a2d8da122870
+			49e9813646d1ca97f0632f237f667a19
+			c566d33fdbc0c9df6b3ef98a95a9763c
+			045772f5d6f027e251bcdacc89647236
+			f00fdc39976cb33d184d8aa6517e3a1c
+			32e3e0ae4d5bddbca3c1558266f4f6df
+			3e3d0f3140ab4e853d8ee049da7e0faa
+			01436af7303412a050c52df06a44acd9
+			67fcca0ff2c17ba1a19954852a87044b
+			3580e873b2052731538db055dce460bc
+			360e9f0ce9e2586c08e656e35889daad
+			8d3908e1a9e453e3dd9091ed58a34a68
+			b03e7fd0a4187f62e2019d03570101dd
+			a32549578649d4f03e6ede20e5ac2128
+			f3c22c1eeff0949a02a22ed2f1af71bc
+			665acb7da162193a80c2a54376b8031a
+			39faf4a775fd67106bb0c6c3bcf53429
+			ee5c7a4cb4a26ba915cd8b4e5f229448
+			0e5ae7869d15698f5f7d17e8b202bb52
+			33409a94b4bacb49180dcb9bac6e481d
+			8373c949c301c777926043f7e7ea1b1e
+			be7108dcebde026af9640ae1c327c8dc
+			078c77b212974359142850d46cd909a1
+			fb3f75a2554fb850af5329301e9614d9
+			acc9ffd1878e3042b433a312fa905d31
+			5e1238425e6518a1c58e589a8bd98765
+			bd66b8b6e7cfcbaf15a2c55551f5c8d7
+			d8fb28d8aedd5be8e7f11e3ae40ad4a4
+			096e932189076c76a03a70cdde79f077
+			15747563f02097638c51c46ebed7b009
+			db9501440b3180fb663c600b3882334a
+			e8f072667dea45245c9f7379a06b6b50
+			ca49488e18ce4fb65e1c9a212fb325f5
+			b9276fabb2213ab09b19868544b4c670
+			8829006017553bee76c43e9cc6bb0863
+			256fff9549648c1e8a955d819aa1bffe
+			33429da7b38f484b3054d980730d79bd
+			09db98b5984fc1f42c30f8d45ad5e590
+			bff6919847c829f0c475c06fe529536f
+			2eb414d3b59217f53407068f5bd06a3d
+			53063d49f5b7d573dedd6754badb32ed
+			2717560e485f22ce57dda48526773855
+			0753af539487355f2b34f498831d9dba
+			3b8da5a856b80905e2bfd9ce7c56a588
+			356e61dfcad0506c21f1149d23b660c9
+			99bcd3bb351fefaed9a018900290796b
+			1513f92666b78214aa5201eebd2de23a
+			ec103d41e059d8145cc0434138b1d9a5
+			3cbd63859139b67b0bc7759c7c0cb068
+			fe09a5c30894158705dc14295f8b38de
+			aa4403115b7bad9d334252f4eb5b1dbb
+			c05092939d7519dd0d4782be10db23a0
+			f545854fee6c98b87448010f0339eda1
+			3c2a3983ad9b299e33cd2dec279889a8
+			718d881b43d3f02f1707cf0841d302d9
+			b83ec2b61b667c8b9937925dfe24e102
+			e33e4c8fac736bd708774fb52c57dd0c
+			5e1db648cce6d62d02f2eb184c624ea8
+			21b2c07d02e4c9de1fbb9ae82d93ec4b
+			ca6f025aaeec532618592ed2c0383bca
+			c2ebf9029b14ba099afbdf4dcad63b1f
+			efffe0850e54d4b55173d3289b1baeaa
+			4590477365b42bf7688fe4269653702c
+			6d212f9dbe304a421a28b3804b86244f
+			e0ff9b33cdc4a51c2e8c79179a807acc
+			2bb31b048323722acab36dccb835b57f
+			653c3e0cae7c0dbe61e799923b1447ac
+			e41b35ffc3958e424e28c7a2fb01f331
+			1065d0ae69e4846132e4ae170ba493e4
+			784444652efe40adb2b6d007d2291cbe
+			3456d373112a7acac4b666fc4a63ea4d
+			956a36efa4a1ccbba22fd9f239d26ac6
+			3dde4c7730cf3ea43fdd8b783c92dc3b
+			a69f8bd07c1b712c7a156deede7eaf14
+			33fff654a9b05bef9a8563de6f1aa4ce
+			c9fa05a953b70a404f42ec7620fc75ac
+			88a5b77535c4c4198ad2b6b9283c6ee7
+			6dd3e891cd0b036e7bec726bb7cab22c
+			c5f4b236a43a9e32042d88f35eacaefe
+			750b1e8aef0a84683804f54ff9d047dd
+			d81b84902d79d1fc9228f43229289b9e
+			f2e4ec606a4c4010b7558545873bfdda
+			ada8b68f82c8fc5ba39416abb87fdf4c
+			46828037d7e72e93475866fdcc0799d3
+			a655504055cd6c1598cba627bf38651a
+			1476a794e10b99428c9c142767db3060
+			6ce64e94450a5b9628f86e7e8539b850
+			6716b13410ad9a55a31afa4ac8b6f752
+			29764151ad85eae01be4f26b1200e3b5
+			e33b5bdf05dc1b5ef8c52abe7a48d970
+			8f910f52e4b80696713ed53acc929334
+			933b98e37351aaea6c55f8b95900a713
+			9ce569946d5fad0fedf1b41f79adc82b
+			9c59a163ded1dbbefd939357e65a1ef5
+			951f44754937a75a1690b8fd775e9c71
+			fb1a2a7f436d68747a86ca7845ec52b6
+			66cd4fb95d429d049628becc224a9f6c
+			32247ce0591b2a47ed979a0ce60e9344
+			b74eb25252e8b0c23ad7b23398ccc46f
+			f807522b1fa091b990b585bc53ffa68e
+			7431e486ba118204246f2cf9f274ab6d
+			f21274fed4f717dcfe9fcfe491735145
+			8529444392b87e29e93ff4c09c025492
+			42726ddfc6fd78071f10566fd5e2c959
+			70e9c918ff77521a4f7a7611ccd02e3b
+			bdf47e61f4d560bc81a58ca5a1af4f44
+			fe03e2f4a2c69321fc36c74d1430f475
+			336ebc2fd630410073f8fbc0059cb233
+			d9fbec770e8d13faa60e3d595f95b57e
+			1902a2a30edfa5bf6bb260f51c129558
+			d90ad6977065b4af30351a3aeac19b21
+			1f7a293b1d65502d9276117474c45649
+			a5465c7fcbb6a42f5d32f0ab4afb1760
+			b3a0a8ab37585e39c82bae87d244d12c
+			b4c4b1bf6c5a80a221a01e6e0dd7546b
+			2cab0afe248d4d25d3a4745a41e711bd
+			4dbc2b8a9d35bf6ab1be4a18c8867ed0
+			36291f70137d392f4f899ee877911720
+			5fd7a38fa6de5343fbd9a7d4827684f3
+			e1a098e89e05fc75af6aaf0a09d6808c
+			5d03b07213edcee5c4f6fb88e01bf2e7
+			d3e05e01ef3ea6544349f95cf44250dc
+			ec069931cbba04ec85f7e1c076ab5633
+			c5ecb80f27dffce287d1daf86a20dc42
+			ffb6b5af9e68d7be433ad875c27465ee
+			d2ec83b1d04a338be17e545a95e29f1a
+			449a46a7efaf78683897600ca9716bba
+			c5c4891c84ef7509cb125dea633533f8
+			5680d3f0a166da6f7c3c1212d1aac387
+			eda156a94329704804b271a10d1f10fb
+			04ce39a3937558389463dfef3ed005cc
+			13a4ebd17b0ba4196d5b6abcb0db7a3c
+			14e2d2afe3f32e192b464973d9a18f86
+			63e757ff0e9452d5562650122e874b92
+			ef2a18a2a4713ee13976cf6fb3a05831
+			0c506c2ae9f332c19672f9d4e3a3f502
+			4e3a1ff20f5d41aaddbd8ca359f873f5
+			1443db1866b41a99661f621fcc3d3c8e
+			e093b8b0a7cae480e622b4f4f6eab7c0
+			c6eefeb0bf9d50fbfc92ccf194c94320
+			130dc684ceeff99c84d72cd78574467c
+			992c4b3427ed49cfad72d89d9c774820
+			a73a631d7afe42de41f14270ea4d8b8e
+			5eafa6cbc142103386b1f7da86d931af
+			cb2d0acccbef2192ffb1305e953c169b
+			9f905ec48f2b3de5c34a3e1e5ca738b1
+			59789f41e6e7737557952de547ea39f9
+			840ae12a8576167e83856040c28a2712
+			10890723c44d87e0cb26e3e839bb2e6e
+			02b9e8ed31c4b6a31006916c79cf8edc
+			db711d7a47662405a80f891b2a668d00
+			60308b91f8e8013270437c6d4f6f0812
+			eb3b32b458c929c39ff0fbbb805cd5d0
+			d7959edab74ad3a7454e7e61bd78894c
+			895a42ed3791b13e0b191770a46e72a4
+			f51f44698269753086e67f45a2482320
+			66a9a4ba472f4041198a1d8cc10e79e6
+			3713e614c7297938504cafc69caa6eab
+			6a5e2935af8c9df0da863897ad5e1d3b
+			b76accbac7b1ccc06a049106bafa1035
+			2c61193abc577bbfe44b9022fefd6606
+			247f4f4f9048aa990d72e1a50af93153
+			459e0b94422b8f68e12fbcc6af7434a7
+			1c6a335c814b6e9fe15d82e946f600e2
+			69bb0a4030d06c96f3eceb502a26b8ab
+			f68911e279c19cd67cf450c80df60b85
+			4c32bdcf7a50e8ee76b7352d3428ac4b
+			c99a656b3026258ea0ed27ff22e0734e
+			c1c2bb9aca0041819d055928f5f7da7f
+			924120f763d7511e8def8a793c01e804
+			335a26b972f39dfac9d14f2c48861d13
+			e699fac9b8fb6168415f22deed1060ce
+			ff7d57fa8dee3bd1b0b3a76273b5167a
+			af10582fa0e060dd351b51349045981e
+			9fe9b1ab707da5b2e9f428fae3dfc605
+			9bec1aa3d62a51d0357a34d098528fee
+			b7de58f2b5eddf4ad6d1eacd54020174
+			85724e9d0e3c97d04b1b6c8982aa6c77
+			2e5397af42a9695579bc9d3a046a9002
+			2bee564cc514a90f86c576eb55553c2b
+			8479b61f5a419c182f21a923d23c2d13
+			4efc59feacf5ba4dd70140973c3a9676
+			a3c609541c6658aeb7708a589c38155d
+			5b1663d2de1ec37cc21a9f457fb1ba12
+			9d457e60e4b53d0b616e20442de58539
+			e152051fc692dc03503c8b7d9b692d67
+			7f4307fa4320c70f30b58462521dd143
+			77a93cbd4df48db3d4b760749ae4cd14
+			83ec01e299ce9baa8f2eed6fce78a4f7
+			aaec915df289a330f6ca522fb43ddb69
+			7223f2196ade088c674b7c9f3b35732f
+			ae629df23b30b406be180e276f281c01
+			7410d45eb7113b9916747fd7f219f9be
+			0e56f96c42bd81fcf4227b874a988076
+			0f078175267e1b277bd8207c28a442aa
+			3f8469b372337a770edb7191391fe68e
+			b7ba7bf1d226071de3472f27d99a10e0
+			ca2c286607b9c40ae6409f8b0730a778
+			835c2a8753f98c34c9e2e17d48973826
+			a2e834502544a2bc5aa5b291bd62cb7a
+			7801fbc3ddcf209eedb7cfe29582cc34
+			c19b270dd99ed9522c9cc24da86bd0d7
+			8656de4215f96c29c3a54913b1174f09
+			41e92493166e0a403abf332c932ba48f
+			86e45011409c4896e0c232ace0ceb73d
+			c4a0ee5d1c04c08a8b0270ddbeb4b6a2
+			89d25691575e56b3cf540d19e264226c
+			56a371c6ef9f3aa728b7645249c056aa
+			ee478209f14d149dc7bec272f2c54bd4
+			cce1c7402d4c7398443df26adb28e660
+			4e471509c3153c8fca1fce5009ef6816
+			e4b910790741b0fcce6a9ed97351a80d
+			9b25f368b295800dce909253e4ef9d1c
+			b5a95e62995ac52b01336e4386e97e83
+			ea8b3b739a2789a1e868a2143e4700b8
+			52f5da11b315dc87e97a930806e5800d
+			14fa676631861f1a599bb4a3dbbef0e1
+			c13b9950021d5ca4c627376c461eff35
+			93a6879d2195861a18ff58b7ddc9cf45
+			71048b0d186378d8e5c8cfdeffdc61e5
+			8bf65018bcdbac16a8094b1027fc4c06
+			dba77d1e0546fbeb6e774f165fea1de5
+			5e431e7484b3ba7e5cb87335064523af
+			3f963e354579de41ac03ef1e0e17be23
+			a828616afa2a5592646c77d3ae58d206
+			b43441515e68fe8565269ebca7a49f91
+			7b9b4a2dd763b42b40cc6fe8eb50aa1d
+			1549e59505fe642e6e1ce4b01f6c4030
+			890b0bc5a9defd7fae92701b75f27a40
+			cc2604837f484fd10b43258390197cab
+			581ec283ffb5ec62d9c5c76e8e2ef345
+			d6dda73c22c204fef8b409ef760106c7
+			33efe17de5a3bd05be0ca58dcc3936d7
+			3d08daebcec605ea46eba48d12b975c0
+			b0a0f0be7ca5fa80fbd5a4bfdd0bb29c
+			f66e67046f27c54d317f39da01d1efb0
+			c8ce55c2940652084105e1ca58792b59
+			ecd8f40b20032b296cc6a2f7e0c43fb2
+			2febd76b86114035d2448cb8a75a6f7d
+			86a6046c75a1d78436a02365400599d1
+			86c5430d9be1136122e99598223b3533
+			1759fad347878d0aa1cf09e3286bcef6
+			6456fe5e7ac1497cfce78d9ed8ce0834
+			d4b1ca51c9283e949703ab45bd68ecb4
+			a8ac8d4d41c4003624ef72cffb191ee2
+			29dd36108d6fc7f9ad9165fda7515c71
+			76ee90384f2e7a64590167227a7dd7e8
+			b4b14533b439af85b5c37561923f6879
+			3c50e9cadcc18502ad7c97a1f5f657dc
+			d89a2d6804b29dc00f7da2ffa7175406
+			7057ae28977890f97a8318bd1a17d997
+			3f7a7a6756120b75e5394eca829e0cb0
+			7eebd914f168b9a529dd6e9974a37455
+			8a11fa847271673bfc5cb1ba235f76b2
+			32f9b5318fb12d9a2923d426a38cfddb
+			a2102622793db7324342018372cde495
+			ae7398f78cdc02cb493415b45ab6ad72
+			86b946cec69c12160e9b818ae32712a8
+			9183b159f5684f666b96699f30a12b1c
+			08d47078e22b2ea0d353384e7f436188
+			c170cc558675339796871c1abcc826b8
+			b4ce4e8f4f30623bdb564f5dd5ff813a
+			072f7605d93e9e5751b10ada68dfecdc
+			18de63dbcbe91a220913995be1dea18b
+			9f29fcc648f34af6a842b4de6543f126
+			9796ad55e950f40626876356c6764cee
+			a1ca4edeac30dee6f7b9adeac0a2d31d
+			81f9e508163b88f1525022f1edd91184
+			132e37d33232bfdfb52e5c214b3a64ef
+			91727910a09e9b67d8b6a2b365fd1db5
+			a8479243fe9bac4e8eee2c374907dca0
+			614cb91d0e57d0ccad93e1a8fa87e7a3
+			3afdd5a76973bb79f175ccc021d9f8cf
+			54064e8c3ecbdf9a05078af1b377f47d
+			4ef8b4974b70e60b2138cb4a5dfdc283
+			437c3bbf867b8f685b270e45d848e765
+			d77a2f75b4dba216b9b069f546a1bc4a
+			9532a1fc3bcfef83c27017d15cdb60cf
+			679f6655e12e4056cf73bd529675d0da
+			67eb6eb4f176584970e38093b6976120
+			6baa0aada82f54b40b247f726cb45af8
+			f9f78a5e024d8b4eaabe5a94e7e91680
+			3af9a3a394c005ca752b8f15af811cba
+			87fc7c9573083f01f3158a36baa0f740
+			21af11582955006e1ae2af18152c1b56
+			a936bc28ca6fb688f8452e92e21458a0
+			7fa1961734eb3bdee276533c3a0c6f63
+			f107198758c85e201b9234ea8bba5b19
+			086709ef903ad6afa1095b184a0f9222
+			c31670cb7aa942d8a6eefd29dae378c6
+			726a2bc655172bb2b54dc9f657ab074c
+			41c7e55f133dfd8f34f41d33ba199879
+			ccb9d30d85cd9896f1e38e850864e596
+			f1f544bf541ee35be669d934847f639c
+			2a4f63f233b3aa954dcfe747f4ef9144
+			1e131bfb422efc900557a06e505e97c8
+			14f4e6b479114702de14aa83f2c47136
+			bbab260177eb5236f2229a9715b0f776
+			a851bbaa815e41e36bb1495127b117a4
+			d1fd5535fadd38397a7530d6986dc93a
+			b3d600cac4a8ff163a38c4a9a0c1ccdb
+			aed7ce4eba7e7383943a40dd79b125db
+			eb9f3d395406a4686cb6d65be1b570fd
+			036fd33350544582d0dbe1cc1e34b9fa
+			284887c2d1a30315b960c3a49924d6fd
+			2ea7b8d945376d2343fda5e4ce43518a
+			89dd7fb206172de267b4c44e48060937
+			e70af5ab2d5bdccc0307c73da4294498
+			6f63965777688c0f95a3292c3880c33e
+			f116bf1a66a54dc7f2a16a1ef19b1054
+			b816a5877cefd469d62e8feaad2501e8
+			085693fdb8e932316fda51f22025c915
+			39d062d7b4c684445d43293164710173
+			392cb06069d154eeda76750e40b9f670
+			6f5ef42e07a61bea2326f0321dbd9370
+			37f7b64c9605e70a18bd208af6c1a785
+			7beadd2014b5250da344673bb3b9b49f
+			31bbd5d485fae2f6440446fdab895b14
+			e9f0b50412c7ebebf5fa0894b2ae507c
+			5e20730e26c442a37dc9e19c6743eced
+			3c34f8de97350358f7f7f913c18739d8
+			ba42c968214f593a75ea1207489a9ebe
+			13968c9144e3abb57bf5192fedc358af
+			b15568fe93f44f8567d3791c9c8b0c87
+			002bb87b57327258079465f75dcbb2e5
+			1183e501b22c1f3913d390681da4c428
+			02141f4074bc6c9b1a67151b7d3417c0
+			2df7981cc56f9ee9e41a88cc6eedec05
+			be86cf98606238799d07f6b49c3a642d
+			9596837588c04aed9c71e28c2ac29a30
+			a2f0cd9b7086ac9ee0a7e5d5b608b39d
+			420943c608e2d98c56daa31d5a4cfa13
+			271b0908fc940db2384c96364dee50be
+			3e2109667164a27413d21076ac449688
+			305f92e20b616753cbdf6c798b82728b
+			f08806a797243e66ad698a794800ba9c
+			2fce1c7be98536ce31b9d3a758335838
+			a0a866be9e7704758891ec67c40202d3
+			2aac05c8ff1cdbd7264b95cc6bd1915d
+			d4e8449904484ed252cb601329d543c0
+			03166222f215ec3494ddafdd8ab1a951
+			bf490d708df98a390abf303b55d1edd9
+			18f450da38bcf9464a719281768dc097
+			0067c3fc7fce33d821ebe8b10834e9b0
+			b03b1768de41fc060dcadc47ce15cd39
+			cee8d5bd40e61e20f714549104994816
+			e060f444c245486d2c40e9c8dc7c6945
+			e1ad680b7691062b8aa75b33b564ea72
+			1a61113e7d01643d444536a32cb2b4ce
+			be5a67a9b72913904fdb87534db3ef35
+			a912fa0f7f6a82737c390f0ec79ec77a
+			e386499a2f533a160d187e570a072b96
+			e70226c7a48cb1386ad6a28c9d880122
+			7554b1f7f2dd800a992a772ce50e90a3
+			17f810d89bc73c7c3e1bc8a0cc8e5648
+			b29634a225f9fee3c828cd03b76b7202
+			5d7c3d64c48066501d19f340d5f3a03a
+			52dfeb7bf65e3e1f14371f3f2e985d71
+			7d17f7f21bed39e6b54b0157a9134925
+			c61fd0ffc82691f336afa1a61196a609
+			0b75aac567a00146500587587ce2910f
+			00e1103a701b2db75436417c21b58af4
+			706f03827f6d7513bc1b2b6894673726
+			78bf5f2b695762d632d7c4ed4754b96a
+			0c36e0142e54fdf3502c0bbda611309f
+			d9a58ff6005db674933b903188644724
+			e76a277001ecafcfe896ce4174a22a5a
+			2c74237421e1b699fbe8ed4cd7483c60
+			8e07737249d89402082619db1e25dd8e
+			67940591d7891433278928e39db1c227
+			6fa278393aa4a6a70e703f7fe91775d1
+			686a2d4adc155325625db56bc58621b5
+			4c00f2f02324160dbcf54909c06ccb68
+			df9ded544a887960617d68783a79747c
+			405276fade0416a978eba6de0ca107f4
+			a6308ac04210092af44e186687102f0e
+			9d6e67b305f8e12814b6f5886208bbfc
+			6f9b930e631939310a00d5af89117545
+			aed7750c70029d04043f3a6fb4af2ac0
+			faefa5e04ad5df52efc079366c0ddd72
+			2341e8cf9b818a6ec4d0deab785b6bcd
+			e5295289f593b589d42f42c519f4e76a
+			41381ae96ce6dd556c8542c631dc2e7b
+			fbca030b0ce40a9a8287fa5d0a541993
+			24f7b62f54752351761edae30f5fb9f6
+			e4ffc7967e5d97ae10b42a2b4134215d
+			0d5ecf2a322e54e0b5384db19b7c02c7
+			3895dc4b9e501d67ae4a97a88f4ef6b8
+			0d40dad748925d00c7b012e7e1243d18
+			81b5c5c8c2d498b5edf194f79cb7eec7
+			5888b732b1a90a10ab005f7a8acb9bfd
+			3277fc66fd9ea207ac7333c8cecf32ca
+			c49313cff854e118efa62123b130d9bd
+			5e25175bdaa70593e7967b3b8ba69e6e
+			2931e865c8b02931b68b127507ff1c1c
+			b5c9003735ff40ec8e14f5749b0bf8cc
+			2c9bf44a3b3c20b9d0443986e148c6e0
+			df05e01ba061b693607d46ed3611da71
+			8bcc060fa93fd15e71671a473e68050d
+			07c99a39a1d49716f0f9fca49f100569
+			7f61b37531ebeace897c7d091a2531a0
+			0970bbf02d0059a2847b661227387a03
+			6b7f0c0896370deeb75f2a4a818abc64
+			4bfb1f489d40484230e4c7caca7d42e8
+			c460cd52062390087852fd9c86bd7985
+			62d85e59fc56d6c3e2805060dda74746
+			77e651b9fd9985e787cf7ce47cb6479b
+			05fb243d3883e006240b96f477ba4007
+			4928a85395d99b3959306f3c4a5cd2ab
+			3c3c933a804f3d76b5c4b00cd06929ea
+			fbaebdd5de8fddad126b74557c341f9c
+			4b6fcca925ce81867193157d6f926fa9
+			123d9395eb2ee2f89ff78c5237b06660
+			70576ca90d329802c4099175605feedd
+			d5e292351174101a8fc32487b5824348
+			5598d38494544a77de056debd1157c4f
+			908d3ab4327f3e9e8817ece2f03b5ab1
+			0f1dcbda9cafda6d048fa78404b65dab
+			a32c276982b16d3db545ad0d190926c0
+			973767583651b468f205988b86ec95d0
+			ac4aac7f7785a7d5af1b81e1295c5ebc
+			8e45de27205477d7640eedb312b113ec
+			52b4145a008f33ff771553fce0816b98
+			9ad8a413bef0ef37243ba0dd410113cc
+			ca14c4d8f1ec2549c2cdabd69d64d6d6
+			832565afa7eea21a22817bd4511f3218
+			5000eb4fe42928ed2d5409c3c9b119ce
+			31b9775ad9d827a7ea14b2d523d1f4ca
+			581cb0d01b1f9bc27d73526325945be4
+			9ede71fd6cbcb5ea2050607af8b1a213
+			23b930ce47a74b3e61c0485ad29c28f4
+			40639650465bb32507c6db63e7ed3210
+			2aec8b1da1625458bf605085e5960c0a
+			f9e0c5fca29bc4d13e8cfc888dd599b0
+			c1a9879441757ff845fae462aba8a6de
+			8d6608fd29ef9347a3e7130486d3ed5e
+			2d0d175dda1d150f36aa1028193b8ac4
+			ee5d4996d4dd2053b8f1da595e597b4c
+			cec71cd9d62ccc2a67b0f290bca0d022
+			94c3c41d16ca801746acab24891ec531
+			211e61049c8cc041d85db2d138654370
+			480e6a1d85cf1dd5b30ffa43dd7e2b7e
+			4bf556c650b87d4c23ae83f6a74874d3
+			fe7f57fc1e5d2b044a9e5865f7052254
+			5e8e96e581ef01689ccc10da5896f4ee
+			05db3a7dd50bcd373d322cef906efedf
+			edb8d8d14f45fe3beabccb1ff2105594
+			eaab31696e1ec571855e57084b53c661
+			8adc0790babe725a8d263927abc32864
+			fcba5bacc591eb4a165c95223f23c0f0
+			ed46c9d841e7ab66ae4214b2afdf5ca8
+			0537d60dff114de78ae94d32557a1088
+			f45d01060921d6fd801330e1e3ff1ad0
+			e974b91765b082358be77cc4c5445dc4
+			7a56dac09b4875f9043f5e6156e39dea
+			f3d44a752ddbd33397a7b42a52a70faa
+			da56b32d90bdf808550e4fd51dfdd21b
+			52477f1b776f4cf8c438c1ac87abaff9
+			2ad95dfe91d71290f3fb55b9ae26f56c
+			bc0e114cc4dbf7280977deb850826fe3
+			7cd28fd3bc7bc4096abc02ac2288d45e
+			746bde2bbeb93a2ae256f350787a4353
+			27d48ae4ac669b4de56d6ce7b7affa7b
+			65330baefa7b88b4754be553b805674e
+			6cba41ea64866a26dd15eef29b9d20ae
+			dfe4a5351cec523950cf031215f0221c
+			5267edd8482913c24122e59d5da63d29
+			00ebdda36011998383bc7f098a5fc03e
+			2b00cf4ca1096ae6d12a728154629b48
+			8481b5f14724301af4dae2b0b042c01c
+			dcebeb157c99f0104315f2dbdb7e778d
+			8a5d13d3e8ea38115827d3ebb063384a
+			a5d78ab644dcf525488aba367a987f35
+			5fe5d097cc650bfe8dacef6d44837d21
+			c691815af3c7dd9b859483e0c1ca7d0f
+			93f86038e90c90b6eb28e2114073741b
+			7d08e4a2461e41bcb5caf526eea7e225
+			233dfb74f4ed35b526b026814401d41c
+			d9557bc49104a5daed3e60202c0aa20a
+			be8c3fa72b32afa3ed7903e0dab77702
+			35cc0cf5278785d0807615f946222912
+			80f231995bf31d923a99c8c88e5780f3
+			d2b699aedeb371b726c4307e9a2ebefb
+			08c69660a8522c4158f68a4e4cbecdc7
+			e7cfa75f2b43c59a79ab62db3694a93c
+			bc7dc316719d7f510c8634217726e8ce
+			bca5e34eecd0732f6557bb602278bc2f
+			38f7dcc35cb55b5ea732c93c996d6f39
+			46c42b8d69937d8b0de6d5265fdb301a
+			d88507be97e2a1c3778526b063aee095
+			493c1597f4a70206121cfc5e3d8e3dc3
+			f0b8483a89267c22715eb78aeeeb3ba0
+			51cfb9229532abe0acbafab980ea8f91
+			52564cbfc27a0eef1235c7c3e7b31a0c
+			4a58351898cf5edfb0e83d3d2ba69a9b
+			31f85c2340f7cfec40561785a4edc427
+			ab784a9b10628aa433e9db78c8a927d7
+			6f3bf55ed5e77233da80aa72ba63884b
+			f588c25de63d20dd208a1b2cf5b9b6a2
+			262250da09afbea29745575efd08be41
+			566b9a410134d2ffe716ad1e15e6fe57
+			82fdcd0de6ab8ca699c80da41d77273e
+			d1d1e1119d271e14d607aba17bd00904
+			c81a850d537bc63be50705e1d445713c
+			d869f781d2b9e49eb0f15e6c2d493b8c
+			d62c34b92fc1170d7d9c988b2f637a34
+			06025893bf4254c9a29c5aba31be7e0a
+			230cfae88c26cdf166119fcf45a556d9
+			6faae67ddb5c85315374398a4b40708d
+			d8b02580f7e0e1f7c25ca4bd0d8b2d09
+			c9683f13e2479708a65e6cf48de2b613
+			e7809a8b480efd915f0900c9b56921df
+			c54cba5cd8cd3fe2f7a6fd3bed529418
+			0d6583d6450f6032a0689b9035bc4fd1
+			d267704e83915d7484eee88ec1f05e3b
+			0a10557fa4dcb2ba23b768d4023032d6
+			86a4bc2bbffd10c23a371fe7231b39f8
+			c252fad8b1456cfbfa83ee4cdb918605
+			7809abf067aab8da36ebc07f8e14f75b
+			74d4f3d29207ff4351adc4603cc0717e
+			a6ca061ffd682293eac803decfb64604
+			ea830700c4c8aa7350e18db6bcb61d92
+			cc27de15bc80cdeda44615a3cda1466a
+			10a641f6e75487be6dcd3a1552ddb74f
+			d12f926d7cad9f0d61c46290933aec59
+			022d924c42f0c809813c78189124276c
+			d3a40b7a9d71ae793e635f809b198dc1
+			1d6b58b320f37058406faa181a6c82cf
+			99ef4820634a2a11731b7df9aead2240
+			cb70f66c978b6a460e7fa7a3225916c6
+			6935fd7b75505436ded0c4d7138b2405
+			78811eeae0b58221f9526a9749f83c56
+			855380972c0231979168cc0eccbf6189
+			f6688a8a4fe3e64ec3b68afb42261e9c
+			cb3b28931cd56cd8216fc6a74d967220
+			640455c31f9f1b85d11beb593bd1cb17
+			20ca0c99e4342f3f7cf627acceafc9dd
+			ddf48aaa6beb59be6f351b2c59030ee4
+			61fe1baab532d326edd5e8e3ef1ac266
+			a8420252996a4348cd51da8b0d478a51
+			e9d4c187d8f22dfdbf917119029b9876
+			037a97af6add6c5ad9031941700e69ac
+			ec93810da968945606840fff4c4150c1
+			8b95afd0b3c349d303448f8b66723c06
+			866e2512a5f1e9a1a47bfdbcebed8fce
+			69c00a74c3b5d5c4f348a102040763cc
+			b0038fb8535670c24fcc1a6810806443
+			941e02d6f76dcc070fb1314d209e8b98
+			f932e703aa5371f962d9b17d622a72e3
+			c4fdfeb247359da41e6123799d58f2c1
+			fe4e2e3e0037fd6e85b652e1da41719b
+			9d14526d9eb990526757de1eb64e22d4
+			d20284cde61ce186212d7e0d5b9cca32
+			651342c26500dc018b92b98934273308
+			1ccba272671a251232c953fca368da31
+			9915d2694855eef15b476dfbfd829517
+			6c966550589a2974d9581bff36a47158
+			8fd305d1d0fa70425323be771b7ab965
+			ffc4533cedbba10740d0e61da4e121b1
+			0cced3b3061c17fde0d225e9ba9d2e14
+			4da8a1258c588e5a2906b84ea306cd35
+			26752cbd977970b021c96adf28d76a40
+			bdca678bc76160ff20ce1fb3c0db80e6
+			fdbf0cfccd9445225e93059ac708514e
+			df91b75563a78c43740d59d79702e3ad
+			d3284a5a4853f3d4f8134ab7487c8ac8
+			bbe1fab1ae90aff36cd4cd80605d737d
+			12321aa4971b3dc9047f582aad5d31ce
+			27767d7207ebfeec89794c54fcd3f3d6
+			86f9acf563264151dec93e083cf0aa32
+			fdd65ffb2c77511e882a40fd8bf2bd33
+			0319f7f8f32a96d4f00638527ab2debb
+			bd4f605de0e272a45eeb0b1b7add8e9b
+			9888efa1cc4f6d9d70e120a3a4987823
+			2141eb0b4651db7c22525d35b4a4e861
+			93612eecd4aed19ce22b4ce5261549cc
+			0acd2f3bb53bbaa1c86e852722148d4f
+			70d67ed095ffdb4502348d9fe6b0c094
+			7901806939747bf0f6442ee8f6a15220
+			c18386fee0b96dce544c999f297f6770
+			d0e7ce701cb0671d52703b3515a0b06e
+			0677fef304dbb931a0193e9e3fde242d
+			3323f70f455e63c3c62077eb1b98275b
+			954d7e9b6bcf63fc8dd21c8c5f1675fc
+			2cdad0622f0907828b0b4a9da5ae29f9
+			114b6ab2d174d228d6db1802d9940f96
+			03c9a5d9ba6c039ec3c268911bb4cedf
+			d292f4768902416e62fe498e94da5453
+			fa26a54de35db5a8a6bc78bdd2465521
+			352678553b5d34839f6f406f752be2ad
+			1900b40c32f8bc2f6916e41bdee04c74
+			68ebccc9512224536ab00b56b9a3d05e
+			26898b068ca08f81e5f0fea43edfbbb5
+			d5b8f2fa4da62cb2b1679120eef305ad
+			dec0e059d5cf7914fe9016e8ab9456ae
+			6ab9aaf8ed676950eae9553f3149203a
+			5fa85a9d1123fb24a1082b88f78f3275
+			6396a4535f71848d114f71c76a6ca881
+			032dfa961a3294d1e1e6450b786c0613
+			44411a7ccb4b729c7428a1ee4fb07483
+			17d5b286c6b5e2c810bddc6b641472d9
+			5fd9e078eee54b18f171f0d39398f014
+			6468d89190d3e68beea430ee60f3db8b
+			9785e020e9446f5370f6b08e458e9645
+			8ab2b5b235e20159b4ca8ad88d95c46b
+			a933b4cb26219f8d47ee769478a0a253
+			4d3c2f23793a2d14857394e32bbcdb24
+			683b2fda15a5aa61a35b60585f11f076
+			09481e5c5ee2edc11e9904a9f71d351f
+			e4a3d96870f591001f1b2fe0732ca1b4
+			8c5d27570d946b469817b63c2edf55c4
+			68b9132cec0cca2492d7712641178491
+			fca52eedd6ab8b0b718dbf9b4bf42f75
+			94026165a7b0b3734697a3042bea76ea
+			2a7f1ce622fe9cc678f25f9a0781dbae
+			9cea0e57eb3b6709c49243731731fd72
+			ad96b1fc0806402b84452a3f19740fe4
+			4c906a5da93db8c7f94ac62e0b28ee59
+			f7c565fc8b2104a26513dbb2be75397d
+			30ece1e1a95a052ed6fe74fd3df7151f
+			81a1372a1d9e46c3917c658fb090b16f
+			417d23b89694a4ac3ca3f84f13dc2cb0
+			3a8236128f1f078f4d7fa7338b59d89a
+			139f858d0fff7ea5c3258ed71d60bb39
+			0859137ddbe2980f5bec8f9199462688
+			f104b31b528f38873b13334510f70939
+			45904d9067424e276b2bf49d50a2f942
+			3c1c439b6a2c8a1b28fc1266a0662bde
+			76b45cf05dc5a4ff161362a2d2ca4309
+			6587e27406905f9fb4eb121b6c664aa9
+			a30a06a139359dbd0d1dec4ad960c434
+			db5d5c0edee56a187194b4a32add3c60
+			203b99e60d2436fe785baff789250ddd
+			5957598c6587c128a173ce8ad632f240
+			83384c00d3fd47f1c871c61e1499eb54
+			96f24cf3136762b32b167fc59c1b0fa0
+			f2ea467768fa763f3321a271d57802bb
+			1d6b939c80e21e1610ff92045b7eafdb
+			32d340be7ed9b6aacd6fc0e08a361072
+			c2a4b38b1b4ed8a89efabe98afa5e799
+			6b89977b347421d1690cb7bdf44a183a
+			d003eaf2ce01786b4378c97d98260e20
+			b46c6c546eab906677a6ab8651f167ac
+			459093bcfb23f9526490d4112830d5a6
+			5224043a4e5b05f8268db23752bf4f86
+			57a21fe92036d96dad7399be6984c4f7
+			9456a477fb0bdb71ee00565814e721bd
+			4e029d7f6d944c60ed9af3851db74ae5
+			686438974c6dc8a7802e9e77bc2411ef
+			3b38fe979bb9e095df9ea1c0d40d67df
+			d91d74a2d710224a5b45c41cb31e4c9d
+			5a060500f3d12f42d0196b5b80ab1125
+			3dc5a4a5d03aeb6465b10988e1476286
+			95fcca43d7ec2e0a1e826234bf4824c5
+			6bffe3098eea53db2df0c5a8daca7902
+			6f2491b84257d7a52bf54192db6556a8
+			aec8f6279ce2228361a331936bbefe96
+			d0c2690447afe5b9fe503c06af0b4f39
+			408ef34b077d5dfcf3cd939d01cdda9b
+			1daa9f3d03ec36502931458255dc7aa2
+			1316204170701aed92e3b34c9ee55595
+			78f5032500060d4b6498561ba57204cb
+			fdd89c7a680ef087a7a7f8a64b8a6bbf
+			209b5412f57ff65b89ee8268f1799dd0
+			5caf2e9136ca70c3388a679b7b63b3cf
+			4e57073fd09c73188944870a77788326
+			0a393d64ffb9408df70e6e750c83db8e
+			a21b73cf988ee723d83762b6bd053197
+			25a0f66e321b5b2f8936392063e9654f
+			9d2900c8d90021152f0bbbfff50557ae
+			78427fe065dcf4fe2ebd2052ad5f6931
+			31ee1a0dd630fe5739745813e96fdf07
+			688ba86ea00660876f75acb35544d336
+			e6909f1b892259246cba5e1ecd9527cd
+			73849da318ce566220ef751020dc952e
+			8b06eeb64a2f37c5f2d56158dfed4bd9
+			acd8b93df7bd665cf2a46c49e0cc2396
+			1e2af74553298d21f12516c2655777ea
+			c267f02aef794dd329b242a3445b1074
+			66cca029f061a4c49dc9f6f9f0071c0c
+			a17cd3f7bfa41cab168723e10c2c5003
+			d1b480fd765e3da8e956c5dc309c1c2f
+			ca0024117a1c8f819d46b3e1f253c209
+			ed735b954289563731b6846e6a7be8af
+			802bdb6b27104ef6be8b743e32fa95fd
+			a605a0941650cdf22c424d9e78b499c9
+			81058ea5e0af0892b2bc3dbb85835a6d
+			71e382e1e48ced52f9d3f03a87129b0e
+			e4d436de062ab9aa6a1a4006daa7ae07
+			77a62ea822e3ae64e759e51d15958807
+			f64b3504b1b6ba34a712e1ccb0ab8d0d
+			aaad5a2b8529c77b7a5be1c65c34afff
+			6ad15b5e5b5aa92153ef83d9437ffed0
+			5db0c2c94f95e3c2a7dc959e458999e6
+			0288d2cb0838da67450b9d441bc74fc4
+			dd9ec10cda172d381721c03c8458ef33
+			d16a915d098ef47d8e6f7eb9ffd03e93
+			310836aa04b2abe81a24a35142b056ff
+			2aa4022948b1a8e9f75974107091f722
+			2cb87d31c8f0c30528a6e05b83f7a5cd
+			84de98ca779e97fe1030e1c4f7ac3150
+			a8e1d51b94bfe9da9b79885b7a91e7b5
+			810bac58f2ee96181193ab0798b20013
+			c82cc538fbc9ab780807ebd9eccd3390
+			d356514618e89f54bcfd858cf524c3d8
+			d23a71b08388ba389d02508ce402b6b2
+			eb752b22e5bb4121fb278299c4fe418d
+			6f46ae17fbd53032f40f9961fb30fa6a
+			22833b1bd555ca39bdf5b8620b337d2a
+			33a27d2e7674e781cf43002842feb5b0
+			c52fbb1c3329023a79c826d7598118ce
+			2af4ac2efb1dc99800cd58523c027c76
+			c8c54d938d7817219b93b8b6e5297569
+			03c7bd93c5dac1a0557677b11714dae7
+			ccdfa35630f0969f90f8f1dedba31091
+			8c969775a2c41b7ff75ea219c3380e5f
+			987bc88daefcb43c1a6e3ecb9cc5c2f2
+			3ff11633b2413a462785a59098681677
+			156798d5d3c418f546bbca6cd301df97
+			a1214c57bfcff791e1317651ae8db9a5
+			3bf8086310a8d596a73c406e0393e3f5
+			0213213e794700635ed2fb683b44a15f
+			234a626ad7cdf828f76b5892fe107ff2
+			fe81c672aa74fb906b71310470e42d61
+			a1b10f73fe95bf92f5d8c14f7b106952
+			a8482707a14e74d236da9fc6db8ec56c
+			267816c04205d265863bbafd5fe274de
+			c567505e418ac3a835d3005b170c8eb8
+			3c7d52d4717175d464e11adce0b713e4
+			7058a43e3f7ed261f4eab44bbd46f66c
+			b23b485a885222884f4a9f0181b362d7
+			adaf1f8b3e5ea25b35bd2c35dea1261b
+			d90bfad6ac6dfd0005e7770a6a710492
+			3a17c62331ea9203eb445f04750d8570
+			573a0d1e33776887e8954456b69701c0
+			8cb0d5718e7d4a952ae0366ff86d342d
+			d377a242eb2d63c700c70846bb57a2c8
+			4fb302c812286a1a1173fe167ba14490
+			883c0f24bf9a355c6fb85ebb7d041e7e
+			db809ee920f6c81560a42d6326f380dd
+			bdaeb8e5639e30e6cecdc88009f10ad9
+			adc010badabb231137dae2d9ff2c6c06
+			d7efa835c83df828c26e73737d1c3e9b
+			36ef80d13b159674884a6e7d805a4d3a
+			be061084cfcae2bf413e3c6cf471e45f
+			cf8b4c6d4de5a374239b0146cdfc535f
+			fa5959f83403d2b6b145904dd649d2f4
+			cbe5a42947897443c6390392822e452c
+			198130c2ee38b1f8fbdaab0789ef7f57
+			8e669ed58152266b18f4c1287ab7d6cf
+			7d3e5c4d65b96dca9092f3b1158684ad
+			5872e4da8935b16a5e35d2eef99fe06b
+			11b222cbad282820b51f62d562a57e63
+			d37bce7a33df0706abaa826370a3b71a
+			cef42b59c54a1610d8232dbc9a6a9f00
+			2614185e9af14433454867f743175565
+			e0d267cf17b7a4f10c097849776e17d1
+			a655876a7ffe75f0e8d120d1097811d5
+			a63e3b717d7149342cee643e6c8e3c2f
+			2e3e4340d1788cfb463109c7de0ab94a
+			0d7a2f3b30383aceb9f18dabb95b4ad5
+			9ed2ee79ab232f259122b91c8fb49094
+			eff359edf1abf842ff8e8e135c427b4c
+			e0ab68715758c45dec71ddd0a5ed3023
+			a0592b38b6cdfda92340b3446f08dd44
+			97e142ab4e5eabd02226806a8bbc375a
+			bd13ef6fb1a0a56461f1bab4dd13985b
+			40f89bd14a165e5bdd4ccc7b1ad70e74
+			3ffc13ed28f918973b704e070dc2842f
+			0cdb9d1b2e3858fd8e6b1dcdb20f4d85
+			446eae55e53e28d698f8f6ef0b279d8d
+			f7f58e00ac91e8cf7bc6e445e4b55538
+			5f42d9ed06ed83a0dcb6adcff66abb5f
+			b4918dfdc05f83c8d1ca22e44c1e1041
+			f7d37553cb15e310dbdc2724db893b33
+			27dcaceab11585e156cb0686d279fd9d
+			4c8fc2746a7ef20c32a7f1444881a99b
+			f68c7311d724ea4e867f9f34381c00c5
+			7e4390a2de0fb699031715460a577c51
+			4036803654a5d13c3e6f44fb088b3c2e
+			63b8bdeb214223562db00914ace5818e
+			e2ed2482f66dd37566b6c33cb1a93a15
+			fa2103bcc0bd0ad7a53132a36b8cbce5
+			211c04d295697033d0f9be0d93f912a3
+			883c92dc621a37740be53575376786da
+			b8227cd62a74b28c85acdcd65fc93ef4
+			fd6b3eb1e5aeb392242f116c7ebf1dbe
+			74638f3a0e0737576171af5bb9909c1e
+			4564a5849f462b3ffe580e117d2e8277
+			c0a201003a6139bf5ab125bf8b442e12
+			e693facb53d5e3bdcd2582295ad5b617
+			9cfc1e429aee28735d4fe882ae83c747
+			6ef56b547f501d2234a77a2077bf3f61
+			360899295840482ca0647d4c0053e658
+			083419f4cbbd2bae777f4b7a00ab9873
+			5c31456d0ee3fe6d6012ed3fa2e7e355
+			4bbfd431a6dc447b5e07af00deb631b1
+			7463e568b7abb9dddcf6c9e7ba1f74bc
+			561b036c573a183313e591ae32add1ff
+			a01cc909145154924e1c05d4439d7186
+			03b96707acfa1e17349b8d27c35cdbeb
+			4f529a5b6bcc46938a74622740616e0c
+			82e71ca6f03a3a6ea89ae11eb4d138a5
+			5ee22b439f502a4df61651093e5d04bd
+			28be75bf478fb5334d09734e4b48f951
+			3b9ed8c1fa8e106c6b7e94320180d2c6
+			54b980ab947196031767f8025ff010a7
+			250f67a8d93dc7f63c6ab6b660ce0251
+			0bf2ba6941659908b652893e815fb6fa
+			2c72d8ef3a904060d42c1f9eff2ae644
+			19c27dca97ecf0c5b010ce43d52f8c31
+			834b31f334f94a0d518094863818baea
+			b173bb6c9127f71a4a9af53d2ade3909
+			ec0ed6288e4ecd27cc3311310641be7c
+			b70f9b6ffad9c7357a62b08341405956
+			eba3993fa674e27ef91629ba13b6274a
+			c0dbcb3ded211049f3ab6e9ece59d254
+			47edf778e58139a53a2504b0b6fb533e
+			a8a7be6eaf359931824c34fbf6cd37be
+			fab71e08fc1258d1052799a61aad78ee
+			35bbaa678cd9be1bdcb9fd33f0858e18
+			4801e0e4e3e83d1b27306c2ab83baf84
+			ae69f658ca1bb27d9da9b4e7ae629904
+			f2e0eeffe412bef26835f0187ee5fb43
+			04fddda0c1e8a21d8f75c37acd5653d3
+			8c3e86279b87b44d22fb02b94308e0a1
+			c9e92531eae8afce9d514dd9969393b2
+			dcc52fe19f63d084162ba59fed448967
+			c7e29006c0b1c9bd64d2e8c599f2f1a3
+			49b9f307c7ef9b220e63de6ad31146d3
+			75bc074f12cc2e6e6b611245c646d2cb
+			2ef942d35ce8531db705c55abcfcb643
+			e5d7b292e8a332046064c08d05907016
+			bfade7333c0b5a9febd89691dccb5096
+			8f464e8c965a4fedcd5ec65c3d3625d3
+			1d7b414daa07c4f5a38daeefc3f8fe06
+			6437b3ded8b7cbe2c15a5cd206b49fc8
+			2c34fdc18dac0ccbd1057c7cf48827d5
+			88436bfd052e3067b6ac107b38dc267c
+			253370726b0db7adede25f020c67ae7f
+			16456c7a2af72dc04a9d3ff9e4ebe252
+			3a1a788124391c6a7e3caec8c73eb68a
+			7b5afa01c3a2e38822b7bd1f13c1b7ec
+			236507596b10da999748f66083c6870b
+			14fa6b241805e16ab6516c52d0f411fa
+			d563ed69b57a063d77936ed323372a12
+			07f7524e568f6cdbb71091010fb5383e
+			998d3880177096c61eb1a23e16fa2ba9
+			d6dcc4c7d1765a3121301a7b2d68760b
+			f90fa28c9962b8e35dab7f54fc5fa641
+			e6c7c07805f811f6df136e4842cf7d4a
+			e0335c8c6930cbde32bbf68c4c05a75f
+			c4548cc51fdbd977523eea8d69a80d71
+			20790e59ffb6396a8a6db4878b4e3e3f
+			e2190159b50e2ef57028ec77360be8fd
+			0325ce6af2a0a664fbbe8ec64b90774a
+			61e259f753b053ecd2e3f9ce4f195cde
+			e748a7d56b7245a2ca7b7998fe7c9b36
+			bde4dcbb616a77968455f11f042d6d9e
+			5912638f53534af82568a6be645b37a5
+			d00a0eef9723908344b2796e5260beac
+			9187d5003aafc09a22faef40dd64c889
+			361d1869dfa590fd4a067e1b34c88130
+			ccddf3feee45c4152be436091e3280d2
+			df5bf218e1a19c6258999b0eab850674
+			ec5ebad5eee1d93b691e7cefcd5194d5
+			534ba2ef91d9556219f5a08a07903b3f
+			165707a987c13c4c673b28044d1c7664
+			7643c0d9ee4ea5a9ca661e783c3cd109
+			5e407171f4f71e40c14bcfba4fdd990a
+			31b1109e242df74a20a895673a59f17e
+			205d889af060ccf5850ad21ad777fe8e
+			25db82f189cda7f4383085a35e95e4a9
+			7249da56d87b7f54757d785437207c54
+			69784ce2c5a4eaecf0cdb56af6a8952c
+			d3118436b794182b0acbe17a89a5b6b0
+			cb7d0cb848cffe629fa3a6a55ffb9e88
+			22725f89ca7a868545eb6b5688137188
+			786d631d06ada4bb04ad456680cb6bd0
+			215e5bd9aa06cef9decf71bd1f4837de
+			157a0e7ac0c46bd8c1d48fd75b48456b
+			45eeee629c74debf39fbb251c578af9f
+			ac00c2a966398037df7c580eb3f8a00b
+			46c4fdd3b28dc259de09199805e15f7c
+			822677fcad0891ddf9a292d418f92feb
+			b18d5ef999caa77af84a47a5f4a3ee4b
+			1065e627fd6a05453e0fb914e33118d3
+			4ca9b1e25d0182561db7a7c8f3b1c7dd
+			a03ce4342298629955c91095e6925e46
+			7c8567f4520fdbc986e64f62d7c154c6
+			d3bd0444141f0ec5a872d6d7190e1171
+			c476c80b2e3b9fade59c415201c284d7
+			3548c1f099f25a43fb4e14834c75d71a
+			ad5038c8c2448ecee85e535405374acc
+			ec5b2871276e064a73702de4916d7b78
+			4906af996757285cbb4aeecc25c94387
+			87342df987f16727069c72218c84e2c9
+			a1ce2c5f2bb46e340aebb265ebefacfc
+			1a99450e3474f8d2cc14a5617985cfc1
+			c70aba028e347bd7be0c540367531026
+			3afd2ab8cc006feb487fd77ff73bf03b
+			84e962d4e9e0c24f6efb6b045423f129
+			e0525c54aa0663c34524008f3a2f06ba
+			6dea62cc763523241fa5fd9390047327
+			327fbe08f8f2d0e89e1083bb44973ad5
+			c05ac887da1f635111b0011376bccd21
+			7eeb2dc3bc569f735134502b9ed72086
+			dfbbb91ee58a102f8568bf10110d447c
+			5c68771385bb14a56b7865b1626dac4b
+			8c60c17bf147a85759e4873fdc0256f6
+			564e160c9225caf60dc187ea2ae2d400
+			1c12015f714740421221c79c10e56cda
+			4b98d7b721d15e545e78f663714ef95a
+			021758aafa31c53e6ea9ab928acf55e3
+			a0bf9b49d1f991e6ac876ddea607ac91
+			b632eef4840c34ce7777a8b73883b686
+			4ab51d8c9a800187e9b12fbe393ef861
+			577e0be5ea12403ddd202a7d2e080ac6
+			d24867636bc7106b01af7829306cbc3a
+			636f83da0d5782f038d194e796a892b1
+			b07519b4833e3fcc62188098bd7b3f9f
+			797f1a716efa8208ab2a034cc2f247d9
+			57f17fcad307a3e907c6284b9ff894d1
+			a960cf635605d78fe922bb989fcbf105
+			c93cc5914d4348475a55c8410b1dd68b
+			071983957fae7b23c8566de5de0c79f5
+			0bcb172430640355935e85451507f0ce
+			d1baf985be8e87efa7add72cec928e08
+			9a4a6ba917991fa540f4b68b66bd12f2
+			98ff9f15998747077e83cefaaed6e9ed
+			08a334c80dbecedae9ad779163391f7a
+			ad751ba7b502de9a29f6390e1c05b829
+			d707263fd876d1a5d6b8052fe5661049
+			143f6ccd6ba0868803c5d3f00b94d205
+			fdbf1fb0e52b492eaa2dac0c14f891d4
+			ca89d16caa89d7aa3355bb4e94cd8379
+			c0be5e471cd95806e0b6d546b3816043
+			d3b3808fac478b385afd3e3a74a50d38
+			efa321fa284c43510ca8c10c8a846305
+			ed11ab5a17c182054bba8adbfc2df6f1
+			7c519a48e51006bafac393eaf639ca16
+			3b250ef7df36acd69fc99ee7b1954e9d
+			489c445f0c7393ccabbe4ed82cfe0173
+			54ff2f69c60c9c50de37bd436b9e4d04
+			fc49096b00425741f9f9361f5a5c89d3
+			864ac5d3c8334689e8e317bdadd81be8
+			72f1a8ef614ae5745375e29ec1a0e2e2
+			8787ac2a2a1786ac320c66d5791bd00c
+			faef79198ee1b405f5eb918939c63fb4
+			59488827e29909959e573389ab21f4a0
+			2065a3bc0ecfa0032a298039dd0f21e1
+			951358ba8d655732fc940e1354b1c973
+			5d79dd788180ed99cc2238297a780267
+			a5bf4db254b72f03ffdd87b1e1876b95
+			6c118194b207bf273fc6d99c8631d598
+			fb39903cae7e90b617ed8cd9fb3c27d7
+			3fe5376340fe7c01218c2a15a5fa4d43
+			0f877e005d07c9bc69d162a7b0276f77
+			0db00f062adc72f329a82a5e6bb17049
+			9fdb50161ec4e8ceb8fb2a0320721db0
+			d210a1f72cd1c6ad9fa8ffb5c8506680
+			8d7c88500b30eff0e05409de770839f6
+			28eb52aae627aa8e9a549ebb577c2bd9
+			0288769ca026b3790fd2048aa97fc32b
+			5d14d528ea90ceb4518e54ed54985ca4
+			7804bf17337fece08b14f4be3456d745
+			46386d894aa471ea164cab9b3261d92e
+			5ed63c61c106545ca8247f0fcb2b0128
+			4305dfe546edd070dbfef2cf4db93e50
+			8d8802db86557ae42fc48fdc914b4a0d
+			9483b4880baeffc61c34a5d48322cfdf
+			cae7ac726dcf55724750d033517ad00c
+			e13d19a039418df8a23a05283336b598
+			b84e7d131d9e51ecf00faca8398de34e
+			b8422f18f149fea650c07ff3e95d33c4
+			774936c56906003d8cb1ef7552a0b277
+			23a77eacb1f1a6d0e5b9ad3327be8e16
+			8faea2b438be2062bc182e74a6117e70
+			3e98d9aa2a0d771000a241b065d03a1e
+			2630d557879928a7b68b8a287fadec4f
+			cf8ccd091dc034657e08ffcaba224d72
+			0b2929ea5a8a84966e4c4a2cb322f8a9
+			d5378914c9400178ed00b79c4a53adf4
+			fc5edfb66e6e61e1a3277a0d92914a16
+			af328585f360216c6d3514d2efa1a710
+			f68b442fa035ed78f57bb3949a4d159d
+			bbcbee5cc734b4f1f17e04e70674f192
+			f079d5270f1f19b53ef2cfed9de81d6b
+			7d1aa9f8e3ed8800b45ed4a3a110df60
+			bf6d0c26891be05378f214def3fb68c9
+			37977a8e91dff2af6c33d5264514a940
+			1ed00d47d8b2173f7fe12be2433359e9
+			c1e455b69405f84d397ce89ecf41598c
+			34ec2d2c15326fca242f48edb6741e8a
+			9aee351f449c05697b8005aeea6679cd
+			eef281ca22a32cea717a769af48ff7e3
+			a46a9796b86c5c5ffd71449d42a46d89
+			0ab3696005c0132efdc24d97e6c78af5
+			50a3e0c475e8f4ecc69c9e8da9ba494a
+			0eaddf1adaa5606287400772bb205ee5
+			216e812502993de510a88db1b12884bb
+			83020dc5372097e1e9c323ad2ee0d811
+			e4c6161e086f471d1cd0e5dad9657145
+			c620f78edf98dc4edabaf82acdd472fb
+			7251f17fc354c824882ac8529aee9183
+			6a80b89efd006d234f5cfa9e486317ca
+			6433457937ec50b6c1efdf55b0776d29
+			b8c36f7067ecea41d62b7e57d7c2c12f
+			eaff83380cb96423afa0ba51da333fee
+			df3969f7e6095893e99714d55409f266
+			d85edda8a6677f319eed020f20ce41a0
+			3337d42a1c1fce7c26c951a6c8b12834
+			3375e3bf99969188e0aaa485749dd92f
+			e14ce8882b3b4cda3c7e7fbc08702407
+			f057c9c2ae0ec540e553adc118d9afd5
+			1aef7303c3a128d01e432d292fb1510a
+			29979e4028a7f02869397c73b571fa3f
+			84a09a9cb70cc52c36cec79d3d533111
+			3594f1c842e75c87c0a79a745ad2b26f
+			7b673cb57790b0b0734e399aa0a835f3
+			ff711f45bff3cf6b97cdb74a5a1b53f9
+			cdc0547f04c5076d20b178ab4d01465d
+			9b96e23c28a269a4786fa7c33fffcfcd
+			ab07b8cd88e7aa3cb670d9301d535fb4
+			2ecf9b85b0d8a7431a2cb1237f2899af
+			67e1cf09819e01e1cbb2edab0cd1ae2f
+			c6e07e7b194ee18f8821d144dccc49d0
+			550e6afe464fdc7ed36903ab42a2bfda
+			ee5faf95b909742e3f30d567d09b928a
+			61e23b30970e8aef268fd27cc1a76bae
+			51e95eba7a04cc574db34127f41f48ad
+			0f60f3cb522de070b533c0b0060275e3
+			00d767b7f767c4aa3fa465dc24b84f2c
+			fd8ad4a61038d225ca4dc038201c8d09
+			4ea1b9443338a351d9bc43fa73059eb3
+			c2c173a5647046441dc3ad6f71fe1a37
+			e90095b6d1799e5d749e1953417477b0
+			70a2465efbed1a5267a9aa4ec2fd10b6
+			09039690fbcf9ea57e8758031bce78b8
+			adf94c539753e35de5e8e300a527e7ec
+			9c04e3b6e7e56f86f32400b25895c90a
+			d3e03ca49226548f6808a70081cd75d9
+			9bb561da5390f2d3418c4079311549f8
+			9e7e4e6539ac904756a7557de633c817
+			9df1b9b98c8ac5763c3854ee0743ef60
+			0bbb4f698fac7982b5944e81de5b8490
+			3de5d692e00a390291a4fd85e6080cee
+			16b5ac1dc70348f4f037f7c3a87e003a
+			f3ecbb184ad9e8f0802e66748e3cbaa7
+			3d2864242278a7c12f5a741fa4a2bdd6
+			5302ddb14dc2f466ff960082e4281593
+			22115fdae1f8022cbb1f58df88cc724f
+			ce517512f87bcf4dd7eb1bd5dda30baa
+			e2cddfe95059f19680c51089f4effb3c
+			6b8bc66cbb5b91574d352db346c260ba
+			58bbd6c1ea29ebe4d03335b3e7b34b2d
+			a5ae1c69cebc4db7822752ac827af893
+			4c9eff227b72844626bb97adcfe1dd7a
+			4407320c3d81c136759f5df02fb50719
+			b5d7078f15cbd37d25a2f9c388e98ea4
+			d33cda3977a886b97d607b2ff1d564e2
+			b9d6a044b40fb5ebf0b46ed087287f9f
+			a0a9d4382c98965004011815efcc28ec
+			d159d68ad96932a35fdea0efe3ceb317
+			cc537a55e7464b066a6fda767f872ea0
+			2c12ff8c89686236273ba562e4ec6fcf
+			0e166190814dbc08dd30654a84db902f
+			cbfbda00c09bb4ef56a3a54139fb2306
+			18426675d6661866ef870e26daa0f275
+			e5c680ea4b8aa5cc048d1f4c93ce3a28
+			ed6d2b675336cb20a00ff06ad6cf40ed
+			779b93e3bcb71227bfb374f58c96d69a
+			874008d82295316ebd6394dafc393922
+			de1719dae26a1a309cc4206535c88a55
+			da7c4a0f7cfa29a9d0f21bb9dc4d8448
+			fcb5d807d37002769fd786525fc5f365
+			e2ec2dacea3287f0d203b3df87a3cb09
+			562fcb8b45bb6ac955ff94c4b72f3b18
+			f0df78648b5a339a0bccbeb35d8e5bd9
+			cf58d1d77e957790f18e2bf6018e3208
+			0bca6bd34efec9760518c9e65416dbd9
+			ec0e7d9f242892fc45b66e862298fbab
+			0d1855b762d1c505072d06fab0fa99cc
+			518d8830e6fa0aef5977e116606874df
+			ef1756ed555798daaa3fe8078a19e892
+			b94db166ba6a99c63c79f1f62af6a319
+			601cc304ca52a8883ecfc3647c069b83
+			2169d91bce1145995b514ca73d70edc3
+			4a3887e5217279251946241447b7aac9
+			5dde21faf82ac2c044b0013e7577877a
+			8ed5320f8e874058d96eaac621566a09
+			94d762ea58c9a3a9029645273d27af53
+			8215b3cf672fab49838d87caab2a91c9
+			b80e8e80306f73143a00d6af61037d19
+			6e593d585892835bf6b87ece1ef5d439
+			780beb20cb674f5b885cc368ebaff8d4
+			ba43bca4962a09d6dcb771baef7e3df9 )
diff --git a/bin/tests/system/unknown/ns1/named.conf.in b/bin/tests/system/unknown/ns1/named.conf.in
new file mode 100644
index 0000000..a240cbe
--- /dev/null
+++ b/bin/tests/system/unknown/ns1/named.conf.in
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify no;
+};
+
+view "in" {
+	zone "example." {
+		type primary;
+		file "example-in.db";
+	};
+
+	zone "broken1." {
+		type primary;
+		file "broken1.db";
+	};
+
+	zone "broken2." {
+		type primary;
+		file "broken2.db";
+	};
+
+	zone "broken3." {
+		type primary;
+		file "broken3.db";
+	};
+
+	zone "broken4." {
+		type primary;
+		file "broken4.db";
+	};
+
+	zone "broken5." {
+		type primary;
+		file "broken5.db";
+	};
+};
+
+view "class10" class10 {
+	zone "." class10 {
+		type hint;
+		file "class10.hints";
+	};
+
+	zone "example." class10 {
+		type primary;
+		file "example-class10.db";
+	};
+};
diff --git a/bin/tests/system/unknown/ns2/named.conf.in b/bin/tests/system/unknown/ns2/named.conf.in
new file mode 100644
index 0000000..01361c7
--- /dev/null
+++ b/bin/tests/system/unknown/ns2/named.conf.in
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify no;
+};
+
+view "in" {
+	zone "example." {
+		type secondary;
+		primaries { 10.53.0.1; };
+		file "example-in.bk";
+	};
+};
diff --git a/bin/tests/system/unknown/ns3/named.conf.in b/bin/tests/system/unknown/ns3/named.conf.in
new file mode 100644
index 0000000..828d667
--- /dev/null
+++ b/bin/tests/system/unknown/ns3/named.conf.in
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify no;
+};
+
+view "in" {
+	zone "example." {
+		type secondary;
+		primaries { 10.53.0.1; };
+		inline-signing yes;
+		auto-dnssec maintain;
+		file "example-in.bk";
+	};
+};
diff --git a/bin/tests/system/unknown/ns3/sign.sh b/bin/tests/system/unknown/ns3/sign.sh
new file mode 100644
index 0000000..76063a7
--- /dev/null
+++ b/bin/tests/system/unknown/ns3/sign.sh
@@ -0,0 +1,21 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=example
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
diff --git a/bin/tests/system/unknown/setup.sh b/bin/tests/system/unknown/setup.sh
new file mode 100644
index 0000000..9b65d05
--- /dev/null
+++ b/bin/tests/system/unknown/setup.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+
+(cd ns3; $SHELL -e sign.sh)
diff --git a/bin/tests/system/unknown/tests.sh b/bin/tests/system/unknown/tests.sh
new file mode 100644
index 0000000..e324fae
--- /dev/null
+++ b/bin/tests/system/unknown/tests.sh
@@ -0,0 +1,229 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=0
+
+DIGOPTS="-p ${PORT}"
+
+n=$((n+1))
+echo_i "querying for various representations of an IN A record ($n)"
+for i in 1 2 3 4 5 6 7 8 9 10 11 12
+do
+	ret=0
+	$DIG +short $DIGOPTS @10.53.0.1 a$i.example a in > dig.out.$i.test$n || ret=1
+	echo 10.0.0.1 | $DIFF - dig.out.$i.test$n || ret=1
+	if [ $ret != 0 ]
+	then
+		echo_i "#$i failed"
+	fi
+	status=`expr $status + $ret`
+done
+
+n=$((n+1))
+echo_i "querying for various representations of an IN TXT record ($n)"
+for i in 1 2 3 4 5 6 7
+do
+	ret=0
+	$DIG +short $DIGOPTS @10.53.0.1 txt$i.example txt in > dig.out.$i.test$n || ret=1
+	echo '"hello"' | $DIFF - dig.out.$i.test$n || ret=1
+	if [ $ret != 0 ]
+	then
+		echo_i "#$i failed"
+	fi
+	status=`expr $status + $ret`
+done
+
+n=$((n+1))
+echo_i "querying for various representations of an IN TYPE123 record ($n)"
+for i in 1 2 3
+do
+	ret=0
+	$DIG +short $DIGOPTS @10.53.0.1 unk$i.example type123 in > dig.out.$i.test$n || ret=1
+	echo '\# 1 00' | $DIFF - dig.out.$i.test$n || ret=1
+	if [ $ret != 0 ]
+	then
+		echo_i "#$i failed"
+	fi
+	status=`expr $status + $ret`
+done
+
+n=$((n+1))
+echo_i "querying for NULL record ($n)"
+ret=0
+$DIG +short $DIGOPTS @10.53.0.1 null.example null in > dig.out.test$n || ret=1
+echo '\# 1 00' | $DIFF - dig.out.test$n || ret=1
+[ $ret = 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=$((n+1))
+echo_i "querying for empty NULL record ($n)"
+ret=0
+$DIG +short $DIGOPTS @10.53.0.1 empty.example null in > dig.out.test$n || ret=1
+echo '\# 0' | $DIFF - dig.out.test$n || ret=1
+[ $ret = 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=$((n+1))
+echo_i "querying for various representations of a CLASS10 TYPE1 record ($n)"
+for i in 1 2
+do
+	ret=0
+	$DIG +short $DIGOPTS @10.53.0.1 a$i.example a class10 > dig.out.$i.test$n || ret=1
+	echo '\# 4 0A000001' | $DIFF - dig.out.$i.test$n || ret=1
+	if [ $ret != 0 ]
+	then
+		echo_i "#$i failed"
+	fi
+	status=`expr $status + $ret`
+done
+
+n=$((n+1))
+echo_i "querying for various representations of a CLASS10 TXT record ($n)"
+for i in 1 2 3 4
+do
+	ret=0
+	$DIG +short $DIGOPTS @10.53.0.1 txt$i.example txt class10 > dig.out.$i.test$n || ret=1
+	echo '"hello"' | $DIFF - dig.out.$i.test$n || ret=1
+	if [ $ret != 0 ]
+	then
+		echo_i "#$i failed"
+	fi
+	status=`expr $status + $ret`
+done
+
+n=$((n+1))
+echo_i "querying for various representations of a CLASS10 TYPE123 record ($n)"
+for i in 1 2
+do
+	ret=0
+	$DIG +short $DIGOPTS @10.53.0.1 unk$i.example type123 class10 > dig.out.$i.test$n || ret=1
+	echo '\# 1 00' | $DIFF - dig.out.$i.test$n || ret=1
+	if [ $ret != 0 ]
+	then
+		echo_i "#$i failed"
+	fi
+	status=`expr $status + $ret`
+done
+
+n=$((n+1))
+echo_i "querying for SOAs of zone that should have failed to load ($n)"
+for i in 1 2 3 4
+do
+	ret=0
+	$DIG $DIGOPTS @10.53.0.1 broken$i. soa in > dig.out.$i.test$n || ret=1
+	grep "SERVFAIL" dig.out.$i.test$n > /dev/null || ret=1
+	if [ $ret != 0 ]
+	then
+		echo_i "#$i failed"
+	fi
+	status=`expr $status + $ret`
+done
+
+n=$((n+1))
+echo_i "checking large unknown record loading on primary ($n)"
+for try in 0 1 2 3 4 5 6 7 8 9; do
+    ret=0
+    $DIG $DIGOPTS @10.53.0.1 +tcp +short large.example TYPE45234 > dig.out.$i.test$n || { ret=1 ; echo_i "dig failed" ; }
+    $DIFF -s large.out dig.out.$i.test$n > /dev/null || { ret=1 ; echo_i "$DIFF failed"; }
+    [ "$ret" -eq 0 ] && break
+    sleep 1
+done
+[ $ret = 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=$((n+1))
+echo_i "checking large unknown record loading on secondary ($n)"
+for try in 0 1 2 3 4 5 6 7 8 9; do
+    ret=0
+    $DIG $DIGOPTS @10.53.0.2 +tcp +short large.example TYPE45234 > dig.out.$i.test$n || { ret=1 ; echo_i "dig failed" ; }
+    $DIFF -s large.out dig.out.$i.test$n > /dev/null || { ret=1 ; echo_i "$DIFF failed"; }
+    [ "$ret" -eq 0 ] && break
+    sleep 1
+done
+[ $ret = 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+echo_i "stop and restart secondary"
+stop_server ns2
+start_server --noclean --restart --port ${PORT} ns2
+
+# server may be answering queries before zones are loaded,
+# so retry a few times if this query fails
+n=$((n+1))
+echo_i "checking large unknown record loading on secondary ($n)"
+for try in 0 1 2 3 4 5 6 7 8 9; do
+    ret=0
+    $DIG $DIGOPTS @10.53.0.2 +tcp +short large.example TYPE45234 > dig.out.$i.test$n || { ret=1 ; echo_i "dig failed" ; }
+    $DIFF -s large.out dig.out.$i.test$n > /dev/null || { ret=1 ; echo_i "$DIFF failed"; }
+    [ "$ret" -eq 0 ] && break
+    sleep 1
+done
+[ $ret = 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=$((n+1))
+echo_i "checking large unknown record loading on inline secondary ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 +tcp +short large.example TYPE45234 > dig.out.test$n || { ret=1 ; echo_i "dig failed" ; }
+$DIFF large.out dig.out.test$n > /dev/null || { ret=1 ; echo_i "$DIFF failed"; }
+[ $ret = 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+echo_i "stop and restart inline secondary"
+stop_server ns3
+start_server --noclean --restart --port ${PORT} ns3
+
+# server may be answering queries before zones are loaded,
+# so retry a few times if this query fails
+n=$((n+1))
+echo_i "checking large unknown record loading on inline secondary ($n)"
+for try in 0 1 2 3 4 5 6 7 8 9; do
+    ret=0
+    $DIG $DIGOPTS @10.53.0.3 +tcp +short large.example TYPE45234 > dig.out.$i.test$n || { ret=1 ; echo_i "dig failed" ; }
+    $DIFF large.out dig.out.$i.test$n > /dev/null || { ret=1 ; echo_i "$DIFF failed"; }
+    [ "$ret" -eq 0 ] && break
+    sleep 1
+done
+[ $ret = 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=$((n+1))
+echo_i "check that '"'"\\#"'"' is not treated as the unknown escape sequence ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 +tcp +short txt8.example txt > dig.out.test$n
+echo '"#" "2" "0145"' | $DIFF - dig.out.test$n || ret=1
+[ $ret = 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=$((n+1))
+echo_i "check that 'TXT \# text' is not treated as the unknown escape sequence ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 +tcp +short txt9.example txt > dig.out.test$n
+echo '"#" "text"' | $DIFF - dig.out.test$n || ret=1
+[ $ret = 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+n=$((n+1))
+echo_i "check that 'TYPE353 \# cat' produces 'not a valid number' ($n)"
+ret=0
+$CHECKZONE nan.bad zones/nan.bad > check.out 2>&1
+grep "not a valid number" check.out > /dev/null || ret=1
+[ $ret = 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/unknown/zones/nan.bad b/bin/tests/system/unknown/zones/nan.bad
new file mode 100644
index 0000000..4381f88
--- /dev/null
+++ b/bin/tests/system/unknown/zones/nan.bad
@@ -0,0 +1,12 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 0 IN TYPE353 \# cat 010101010101010101
diff --git a/bin/tests/system/upforwd/ans4/ans.pl b/bin/tests/system/upforwd/ans4/ans.pl
new file mode 100644
index 0000000..75ab3ed
--- /dev/null
+++ b/bin/tests/system/upforwd/ans4/ans.pl
@@ -0,0 +1,363 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# This is the name server from hell.  It provides canned
+# responses based on pattern matching the queries, and
+# can be reprogrammed on-the-fly over a TCP connection.
+#
+# The server listens for control connections on port 5301.
+# A control connection is a TCP stream of lines like
+#
+#  /pattern/
+#  name ttl type rdata
+#  name ttl type rdata
+#  ...
+#  /pattern/
+#  name ttl type rdata
+#  name ttl type rdata
+#  ...
+#
+# There can be any number of patterns, each associated
+# with any number of response RRs.  Each pattern is a
+# Perl regular expression.
+#
+# Each incoming query is converted into a string of the form
+# "qname qtype" (the printable query domain name, space,
+# printable query type) and matched against each pattern.
+#
+# The first pattern matching the query is selected, and
+# the RR following the pattern line are sent in the
+# answer section of the response.
+#
+# Each new control connection causes the current set of
+# patterns and responses to be cleared before adding new
+# ones.
+#
+# The server handles UDP and TCP queries.  Zone transfer
+# responses work, but must fit in a single 64 k message.
+#
+# Now you can add TSIG, just specify key/key data with:
+#
+#  /pattern <key> <key_data>/
+#  name ttl type rdata
+#  name ttl type rdata
+#
+#  Note that this data will still be sent with any request for
+#  pattern, only this data will be signed. Currently, this is only
+#  done for TCP.
+
+
+use IO::File;
+use IO::Socket;
+use Data::Dumper;
+use Net::DNS;
+use Net::DNS::Packet;
+use strict;
+
+# Ignore SIGPIPE so we won't fail if peer closes a TCP socket early
+local $SIG{PIPE} = 'IGNORE';
+
+# Flush logged output after every line
+local $| = 1;
+
+my $server_addr = "10.53.0.4";
+
+my $localport = int($ENV{'PORT'});
+if (!$localport) { $localport = 5300; }
+
+my $udpsock = IO::Socket::INET->new(LocalAddr => "$server_addr",
+   LocalPort => $localport, Proto => "udp", Reuse => 1) or die "$!";
+
+my $tcpsock = IO::Socket::INET->new(LocalAddr => "$server_addr",
+   LocalPort => $localport, Proto => "tcp", Listen => 5, Reuse => 1) or die "$!";
+
+print "listening on $server_addr:$localport.\n";
+
+my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
+print $pidf "$$\n" or die "cannot write pid file: $!";
+$pidf->close or die "cannot close pid file: $!";;
+sub rmpid { unlink "ans.pid"; exit 1; };
+
+$SIG{INT} = \&rmpid;
+$SIG{TERM} = \&rmpid;
+
+#my @answers = ();
+my @rules;
+sub handleUDP {
+        my ($buf) = @_;
+	my $packet;
+
+	if ($Net::DNS::VERSION > 0.68) {
+		$packet = new Net::DNS::Packet(\$buf, 0);
+		$@ and die $@;
+	} else {
+		my $err;
+		($packet, $err) = new Net::DNS::Packet(\$buf, 0);
+		$err and die $err;
+	}
+
+        $packet->header->qr(1);
+        $packet->header->aa(1);
+
+        my @questions = $packet->question;
+        my $qname = $questions[0]->qname;
+        my $qtype = $questions[0]->qtype;
+
+        # get the existing signature if any, and clear the additional section
+        my $prev_tsig;
+        while (my $rr = $packet->pop("additional")) {
+                if ($rr->type eq "TSIG") {
+                        $prev_tsig = $rr;
+                }
+        }
+
+        my $r;
+        foreach $r (@rules) {
+                my $pattern = $r->{pattern};
+		my($dbtype, $key_name, $key_data) = split(/ /,$pattern);
+		print "[handleUDP] $dbtype, $key_name, $key_data \n";
+                if ("$qname $qtype" =~ /$dbtype/) {
+                        my $a;
+                        foreach $a (@{$r->{answer}}) {
+                                $packet->push("answer", $a);
+                        }
+			if(defined($key_name) && defined($key_data)) {
+				# Sign the packet
+				print "  Signing the response with " .
+                                      "$key_name/$key_data\n";
+                                my $tsig = Net::DNS::RR->
+                                        new("$key_name TSIG $key_data");
+
+                                # These kluges are necessary because Net::DNS
+                                # doesn't know how to sign responses.  We
+                                # clear compnames so that the TSIG key and
+                                # algorithm name won't be compressed, and
+                                # add one to arcount because the signing
+                                # function will attempt to decrement it,
+                                # which is incorrect in a response. Finally
+                                # we set request_mac to the previous digest.
+                                $packet->{"compnames"} = {};
+                                $packet->{"header"}{"arcount"} += 1;
+                                if (defined($prev_tsig)) {
+                                        my $rmac = pack('n H*',
+                                                $prev_tsig->mac_size,
+                                                $prev_tsig->mac);
+                                        $tsig->{"request_mac"} =
+                                                unpack("H*", $rmac);
+                                }
+                                
+				$packet->sign_tsig($tsig);
+			}
+                        last;
+                }
+        }
+        #$packet->print;
+
+        return $packet->data;
+}
+
+# namelen:
+# given a stream of data, reads a DNS-formatted name and returns its
+# total length, thus making it possible to skip past it.
+sub namelen {
+        my ($data) = @_;
+        my $len = 0;
+        my $label_len = 0;
+        do {
+                $label_len = unpack("c", $data);
+                $data = substr($data, $label_len + 1);
+                $len += $label_len + 1;
+        } while ($label_len != 0);
+        return ($len);
+}
+
+# packetlen:
+# given a stream of data, reads a DNS wire-format packet and returns
+# its total length, making it possible to skip past it.
+sub packetlen {
+        my ($data) = @_;
+        my $q;
+        my $rr;
+
+        my ($header, $offset) = Net::DNS::Header->parse(\$data);
+        for (1 .. $header->qdcount) {
+                ($q, $offset) = Net::DNS::Question->parse(\$data, $offset);
+        }
+        for (1 .. $header->ancount) {
+                ($rr, $offset) = Net::DNS::RR->parse(\$data, $offset);
+        }
+        for (1 .. $header->nscount) {
+                ($rr, $offset) = Net::DNS::RR->parse(\$data, $offset);
+        }
+        for (1 .. $header->arcount) {
+                ($rr, $offset) = Net::DNS::RR->parse(\$data, $offset);
+        }
+        return $offset;
+}
+
+# sign_tcp_continuation:
+# This is a hack to correct the problem that Net::DNS has no idea how
+# to sign multiple-message TCP responses.  Several data that are included
+# in the digest when signing a query or the first message of a response are
+# omitted when signing subsequent messages in a TCP stream.
+#
+# Net::DNS::Packet->sign_tsig() has the ability to use a custom signing
+# function (specified by calling Packet->sign_func()).  We use this
+# function as the signing function for TCP continuations, and it removes
+# the unwanted data from the digest before calling the default sign_hmac
+# function.
+sub sign_tcp_continuation {
+        my ($key, $data) = @_;
+
+        # copy out first two bytes: size of the previous MAC
+        my $rmacsize = unpack("n", $data);
+        $data = substr($data, 2);
+
+        # copy out previous MAC
+        my $rmac = substr($data, 0, $rmacsize);
+        $data = substr($data, $rmacsize);
+
+        # try parsing out the packet information
+        my $plen = packetlen($data);
+        my $pdata = substr($data, 0, $plen);
+        $data = substr($data, $plen);
+
+        # remove the keyname, ttl, class, and algorithm name
+        $data = substr($data, namelen($data));
+        $data = substr($data, 6);
+        $data = substr($data, namelen($data));
+
+        # preserve the TSIG data
+        my $tdata = substr($data, 0, 8);
+
+        # prepare a new digest and sign with it
+        $data = pack("n", $rmacsize) . $rmac . $pdata . $tdata;
+        return Net::DNS::RR::TSIG::sign_hmac($key, $data);
+}
+
+sub handleTCP {
+	my ($buf) = @_;
+	my $packet;
+
+	if ($Net::DNS::VERSION > 0.68) {
+		$packet = new Net::DNS::Packet(\$buf, 0);
+		$@ and die $@;
+	} else {
+		my $err;
+		($packet, $err) = new Net::DNS::Packet(\$buf, 0);
+		$err and die $err;
+	}
+	
+	$packet->header->qr(1);
+	$packet->header->aa(1);
+	
+	my @questions = $packet->question;
+	my $qname = $questions[0]->qname;
+	my $qtype = $questions[0]->qtype;
+
+        # get the existing signature if any, and clear the additional section
+        my $prev_tsig;
+        my $signer;
+        while (my $rr = $packet->pop("additional")) {
+                if ($rr->type eq "TSIG") {
+                        $prev_tsig = $rr;
+                }
+        }
+
+	my @results = ();
+	my $count_these = 0;
+
+	my $r;
+	foreach $r (@rules) {
+		my $pattern = $r->{pattern};
+		my($dbtype, $key_name, $key_data) = split(/ /,$pattern);
+		print "[handleTCP] $dbtype, $key_name, $key_data \n";
+		if ("$qname $qtype" =~ /$dbtype/) {
+			$count_these++;
+			my $a;
+			foreach $a (@{$r->{answer}}) {
+				$packet->push("answer", $a);
+			}
+			if(defined($key_name) && defined($key_data)) {
+				# sign the packet
+				print "  Signing the data with " . 
+                                      "$key_name/$key_data\n";
+
+                                my $tsig = Net::DNS::RR->
+                                        new("$key_name TSIG $key_data");
+
+                                # These kluges are necessary because Net::DNS
+                                # doesn't know how to sign responses.  We
+                                # clear compnames so that the TSIG key and
+                                # algorithm name won't be compressed, and
+                                # add one to arcount because the signing
+                                # function will attempt to decrement it,
+                                # which is incorrect in a response. Finally
+                                # we set request_mac to the previous digest.
+                                $packet->{"compnames"} = {};
+                                $packet->{"header"}{"arcount"} += 1;
+                                if (defined($prev_tsig)) {
+                                        my $rmac = pack('n H*',
+                                                $prev_tsig->mac_size,
+                                                $prev_tsig->mac);
+                                        $tsig->{"request_mac"} =
+                                                unpack("H*", $rmac);
+                                }
+                                
+                                $tsig->sign_func($signer) if defined($signer);
+				$packet->sign_tsig($tsig);
+                                $signer = \&sign_tcp_continuation;
+
+                                my $copy =
+                                        Net::DNS::Packet->new(\($packet->data));
+                                $prev_tsig = $copy->pop("additional");
+			}
+			#$packet->print;
+			push(@results,$packet->data);
+			$packet = new Net::DNS::Packet(\$buf, 0);
+			$packet->header->qr(1);
+			$packet->header->aa(1);
+		}
+	}
+	print " A total of $count_these patterns matched\n";
+	return \@results;
+}
+
+# Main
+my $rin;
+my $rout;
+for (;;) {
+	$rin = '';
+	vec($rin, fileno($tcpsock), 1) = 1;
+	vec($rin, fileno($udpsock), 1) = 1;
+
+	select($rout = $rin, undef, undef, undef);
+
+	if (vec($rout, fileno($udpsock), 1)) {
+		printf "UDP request\n";
+		my $buf;
+		$udpsock->recv($buf, 512);
+	} elsif (vec($rout, fileno($tcpsock), 1)) {
+		my $conn = $tcpsock->accept;
+		my $buf;
+		for (;;) {
+			my $lenbuf;
+			my $n = $conn->sysread($lenbuf, 2);
+			last unless $n == 2;
+			my $len = unpack("n", $lenbuf);
+			$n = $conn->sysread($buf, $len);
+		}
+		sleep(1);
+	}
+}
diff --git a/bin/tests/system/upforwd/clean.sh b/bin/tests/system/upforwd/clean.sh
new file mode 100644
index 0000000..14a7d29
--- /dev/null
+++ b/bin/tests/system/upforwd/clean.sh
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Clean up after zone transfer tests.
+#
+
+rm -f dig.out.ns1* dig.out.ns2 dig.out.ns1 dig.out.ns3 dig.out.ns1.after
+rm -f ns1/*.jnl ns2/*.jnl ns3/*.jnl ns1/example.db ns2/*.bk ns3/*.bk
+rm -f ns3/nomaster1.db
+rm -f ns3/dnstap.out*
+rm -f ns3/dnstap.conf
+rm -f dnstap.out*
+rm -f dnstapread.out*
+rm -f */named.memstats
+rm -f */named.run
+rm -f */named.conf
+rm -f */ans.run
+rm -f Ksig0.example2.*
+rm -f keyname keyname.err
+rm -f ns*/named.lock
+rm -f ns1/example2.db
+rm -f ns*/managed-keys.bind*
+rm -f nsupdate.out.*
+rm -f ns*/named.run.prev
diff --git a/bin/tests/system/upforwd/knowngood.after1 b/bin/tests/system/upforwd/knowngood.after1
new file mode 100644
index 0000000..7fc424c
--- /dev/null
+++ b/bin/tests/system/upforwd/knowngood.after1
@@ -0,0 +1,10 @@
+example.		3600	IN	SOA	n1.example. hostmaster.ns1.example. 2 3600 1200 604800 7200
+example.		3600	IN	NS	ns2.example.
+example.		3600	IN	NS	ns3.example.
+ns1.example.		3600	IN	A	10.53.0.1
+ns2.example.		3600	IN	A	10.53.0.2
+ns3.example.		3600	IN	A	10.53.0.3
+updated.example.	600	IN	TXT	"Foo"
+updated.example.	600	IN	A	10.10.10.1
+example.		3600	IN	SOA	n1.example. hostmaster.ns1.example. 2 3600 1200 604800 7200
+
diff --git a/bin/tests/system/upforwd/knowngood.after2 b/bin/tests/system/upforwd/knowngood.after2
new file mode 100644
index 0000000..eab7a2c
--- /dev/null
+++ b/bin/tests/system/upforwd/knowngood.after2
@@ -0,0 +1,11 @@
+example.		3600	IN	SOA	n1.example. hostmaster.ns1.example. 3 3600 1200 604800 7200
+example.		3600	IN	NS	ns2.example.
+example.		3600	IN	NS	ns3.example.
+ns1.example.		3600	IN	A	10.53.0.1
+ns2.example.		3600	IN	A	10.53.0.2
+ns3.example.		3600	IN	A	10.53.0.3
+unsigned.example.	600	IN	TXT	"Foo"
+unsigned.example.	600	IN	A	10.10.10.1
+updated.example.	600	IN	TXT	"Foo"
+updated.example.	600	IN	A	10.10.10.1
+example.		3600	IN	SOA	n1.example. hostmaster.ns1.example. 3 3600 1200 604800 7200
diff --git a/bin/tests/system/upforwd/knowngood.before b/bin/tests/system/upforwd/knowngood.before
new file mode 100644
index 0000000..4bde819
--- /dev/null
+++ b/bin/tests/system/upforwd/knowngood.before
@@ -0,0 +1,8 @@
+example.		3600	IN	SOA	n1.example. hostmaster.ns1.example. 1 3600 1200 604800 7200
+example.		3600	IN	NS	ns2.example.
+example.		3600	IN	NS	ns3.example.
+ns1.example.		3600	IN	A	10.53.0.1
+ns2.example.		3600	IN	A	10.53.0.2
+ns3.example.		3600	IN	A	10.53.0.3
+example.		3600	IN	SOA	n1.example. hostmaster.ns1.example. 1 3600 1200 604800 7200
+
diff --git a/bin/tests/system/upforwd/knowngood.ns2.before b/bin/tests/system/upforwd/knowngood.ns2.before
new file mode 100644
index 0000000..bb3c355
--- /dev/null
+++ b/bin/tests/system/upforwd/knowngood.ns2.before
@@ -0,0 +1,6 @@
+example.		3600	IN	SOA	n1.example. hostmaster.ns1.example. 1 3600 1200 604800 7200
+example.		3600	IN	NS	ns2.example.
+ns1.example.		3600	IN	A	10.53.0.1
+ns2.example.		3600	IN	A	10.53.0.2
+example.		3600	IN	SOA	n1.example. hostmaster.ns1.example. 1 3600 1200 604800 7200
+
diff --git a/bin/tests/system/upforwd/ns1/example1.db b/bin/tests/system/upforwd/ns1/example1.db
new file mode 100644
index 0000000..04c47f2
--- /dev/null
+++ b/bin/tests/system/upforwd/ns1/example1.db
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@	3600	SOA	n1.example. hostmaster.ns1.example. (
+			1 3600 1200 604800 7200 )
+		NS	ns2.example.
+		NS	ns3.example.
+ns1		A	10.53.0.1
+ns2		A	10.53.0.2
+ns3		A	10.53.0.3
diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in
new file mode 100644
index 0000000..c2b57dd
--- /dev/null
+++ b/bin/tests/system/upforwd/ns1/named.conf.in
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key "update.example." {
+	algorithm "hmac-md5";
+	secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
+};
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+	allow-update { key update.example.; 10.53.0.3; };
+};
+
+zone "example2" {
+	type primary;
+	file "example2.db";
+	allow-update { key sig0.example2.; };
+};
diff --git a/bin/tests/system/upforwd/ns2/named.conf.in b/bin/tests/system/upforwd/ns2/named.conf.in
new file mode 100644
index 0000000..dd2de8b
--- /dev/null
+++ b/bin/tests/system/upforwd/ns2/named.conf.in
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+};
+
+zone "example" {
+	type secondary;
+	file "example.bk";
+	primaries { 10.53.0.1; };
+};
+
+zone "example2" {
+	type secondary;
+	file "example2.bk";
+	primaries { 10.53.0.1; };
+};
diff --git a/bin/tests/system/upforwd/ns3/named1.conf.in b/bin/tests/system/upforwd/ns3/named1.conf.in
new file mode 100644
index 0000000..61d42c8
--- /dev/null
+++ b/bin/tests/system/upforwd/ns3/named1.conf.in
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	include "dnstap.conf";
+};
+
+key rndc_key {
+        secret "1234abcd8765";
+        algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "example" {
+	type secondary;
+	file "example.bk";
+	allow-update-forwarding { 10.53.0.1; };
+	primaries { 10.53.0.1; };
+};
+
+zone "example2" {
+	type secondary;
+	file "example2.bk";
+	allow-update-forwarding { 10.53.0.1; };
+	primaries { 10.53.0.1; };
+};
+
+zone "example3" {
+	type secondary;
+	file "example3.bk";
+	allow-update-forwarding { 10.53.0.1; };
+	primaries { 10.53.0.1; };
+};
+
+zone "nomaster" {
+	type secondary;
+	file "nomaster1.db";
+	allow-update-forwarding { any; };
+	masterfile-format text;
+	primaries { 10.53.0.4; };
+};
diff --git a/bin/tests/system/upforwd/ns3/named2.conf.in b/bin/tests/system/upforwd/ns3/named2.conf.in
new file mode 100644
index 0000000..86d7469
--- /dev/null
+++ b/bin/tests/system/upforwd/ns3/named2.conf.in
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	update-quota 1;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "example" {
+	type secondary;
+	file "example.bk";
+	allow-update-forwarding { any; };
+	primaries { 10.53.0.1; };
+};
diff --git a/bin/tests/system/upforwd/ns3/nomaster.db b/bin/tests/system/upforwd/ns3/nomaster.db
new file mode 100644
index 0000000..c27e154
--- /dev/null
+++ b/bin/tests/system/upforwd/ns3/nomaster.db
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 0 SOA	. . 141235 3600 1200 86400 1200
+@ 0 NS ns4
+ns4 0 A 10.53.0.4
diff --git a/bin/tests/system/upforwd/prereq.sh b/bin/tests/system/upforwd/prereq.sh
new file mode 100644
index 0000000..ec369f8
--- /dev/null
+++ b/bin/tests/system/upforwd/prereq.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if $PERL -e 'use Net::DNS;' 2>/dev/null
+then
+    :
+else
+    echo_i "This test requires the Net::DNS library." >&2
+    exit 1
+fi
diff --git a/bin/tests/system/upforwd/setup.sh b/bin/tests/system/upforwd/setup.sh
new file mode 100644
index 0000000..c7c9afc
--- /dev/null
+++ b/bin/tests/system/upforwd/setup.sh
@@ -0,0 +1,48 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+cp -f ns1/example1.db ns1/example.db
+cp -f ns3/nomaster.db ns3/nomaster1.db
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named1.conf.in ns3/named.conf
+
+if $FEATURETEST --enable-dnstap
+then
+	cat <<'EOF' > ns3/dnstap.conf
+	dnstap-identity "ns3";
+	dnstap-version "xxx";
+	dnstap-output file "dnstap.out";
+	dnstap { all; };
+EOF
+else
+	echo "/* DNSTAP NOT ENABLED */" >ns3/dnstap.conf
+fi
+
+
+#
+# SIG(0) required cryptographic support which may not be configured.
+#
+keyname=$($KEYGEN  -q -n HOST -a ${DEFAULT_ALGORITHM} -b 1024 -T KEY sig0.example2 2>keyname.err)
+if test -n "$keyname"
+then
+	cat ns1/example1.db $keyname.key > ns1/example2.db
+	echo $keyname > keyname
+else
+	cat ns1/example1.db > ns1/example2.db
+fi
+cat_i < keyname.err
diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
new file mode 100644
index 0000000..35c5588
--- /dev/null
+++ b/bin/tests/system/upforwd/tests.sh
@@ -0,0 +1,294 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# ns1 = stealth primary
+# ns2 = secondary with update forwarding disabled; not currently used
+# ns3 = secondary with update forwarding enabled
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}"
+RNDCCMD="$RNDC -p ${CONTROLPORT} -c ../common/rndc.conf"
+
+status=0
+n=1
+capture_dnstap() {
+	retry_quiet 20 test -f ns3/dnstap.out && mv ns3/dnstap.out dnstap.out.$n
+	$RNDCCMD -s 10.53.0.3 dnstap -reopen
+}
+
+uq_equals_ur() {
+	"$DNSTAPREAD" dnstap.out.$n |
+        awk '$3 == "UQ" { UQ+=1 } $3 == "UR" { UR += 1 } END { print UQ+0, UR+0 }' > dnstapread.out$n
+        read UQ UR < dnstapread.out$n
+	echo_i "UQ=$UQ UR=$UR"
+        test $UQ -eq $UR || return 1
+}
+
+echo_i "waiting for servers to be ready for testing ($n)"
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+	ret=0
+	$DIG +tcp -p ${PORT} example. @10.53.0.1 soa > dig.out.ns1 || ret=1
+	grep "status: NOERROR" dig.out.ns1 > /dev/null ||  ret=1
+	$DIG +tcp -p ${PORT} example. @10.53.0.2 soa > dig.out.ns2 || ret=1
+	grep "status: NOERROR" dig.out.ns2 > /dev/null ||  ret=1
+	$DIG +tcp -p ${PORT} example. @10.53.0.3 soa > dig.out.ns3 || ret=1
+	grep "status: NOERROR" dig.out.ns3 > /dev/null ||  ret=1
+	test $ret = 0 && break
+	sleep 1
+done
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+n=`expr $n + 1`
+
+echo_i "fetching primary copy of zone before update ($n)"
+ret=0
+$DIG $DIGOPTS example.\
+	@10.53.0.1 axfr > dig.out.ns1 || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+n=`expr $n + 1`
+
+echo_i "fetching secondary 1 copy of zone before update ($n)"
+$DIG $DIGOPTS example.\
+	@10.53.0.2 axfr > dig.out.ns2 || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+n=`expr $n + 1`
+
+echo_i "fetching secondary 2 copy of zone before update ($n)"
+ret=0
+$DIG $DIGOPTS example.\
+	@10.53.0.3 axfr > dig.out.ns3 || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+n=`expr $n + 1`
+
+echo_i "comparing pre-update copies to known good data ($n)"
+ret=0
+digcomp knowngood.before dig.out.ns1 || ret=1
+digcomp knowngood.before dig.out.ns2 || ret=1
+digcomp knowngood.before dig.out.ns3 || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+
+echo_i "updating zone (signed) ($n)"
+ret=0
+$NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1
+local 10.53.0.1
+server 10.53.0.3 ${PORT}
+update add updated.example. 600 A 10.10.10.1
+update add updated.example. 600 TXT Foo
+send
+EOF
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+n=`expr $n + 1`
+
+echo_i "sleeping 15 seconds for server to incorporate changes"
+sleep 15
+
+echo_i "fetching primary copy of zone after update ($n)"
+ret=0
+$DIG $DIGOPTS example.\
+	@10.53.0.1 axfr > dig.out.ns1 || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+n=`expr $n + 1`
+
+echo_i "fetching secondary 1 copy of zone after update ($n)"
+ret=0
+$DIG $DIGOPTS example.\
+	@10.53.0.2 axfr > dig.out.ns2 || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+
+echo_i "fetching secondary 2 copy of zone after update ($n)"
+ret=0
+$DIG $DIGOPTS example.\
+	@10.53.0.3 axfr > dig.out.ns3 || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+n=`expr $n + 1`
+
+echo_i "comparing post-update copies to known good data ($n)"
+ret=0
+digcomp knowngood.after1 dig.out.ns1 || ret=1
+digcomp knowngood.after1 dig.out.ns2 || ret=1
+digcomp knowngood.after1 dig.out.ns3 || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+
+echo_i "checking 'forwarding update for zone' is logged ($n)"
+ret=0
+grep "forwarding update for zone 'example/IN'" ns3/named.run > /dev/null || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+n=`expr $n + 1`
+
+if $FEATURETEST --enable-dnstap
+then
+	echo_i "checking DNSTAP logging of UPDATE forwarded update replies ($n)"
+	ret=0
+	capture_dnstap
+	uq_equals_ur || ret=1
+	if [ $ret != 0 ] ; then echo_i "failed"; fi
+	status=`expr $status + $ret`
+	n=`expr $n + 1`
+fi
+
+echo_i "updating zone (unsigned) ($n)"
+ret=0
+$NSUPDATE -- - <<EOF || ret=1
+local 10.53.0.1
+server 10.53.0.3 ${PORT}
+update add unsigned.example. 600 A 10.10.10.1
+update add unsigned.example. 600 TXT Foo
+send
+EOF
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+n=`expr $n + 1`
+
+echo_i "sleeping 15 seconds for server to incorporate changes"
+sleep 15
+
+echo_i "fetching primary copy of zone after update ($n)"
+ret=0
+$DIG $DIGOPTS example.\
+	@10.53.0.1 axfr > dig.out.ns1 || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+
+echo_i "fetching secondary 1 copy of zone after update ($n)"
+ret=0
+$DIG $DIGOPTS example.\
+	@10.53.0.2 axfr > dig.out.ns2 || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+n=`expr $n + 1`
+
+echo_i "fetching secondary 2 copy of zone after update ($n)"
+ret=0
+$DIG $DIGOPTS example.\
+	@10.53.0.3 axfr > dig.out.ns3 || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+
+echo_i "comparing post-update copies to known good data ($n)"
+ret=0
+digcomp knowngood.after2 dig.out.ns1 || ret=1
+digcomp knowngood.after2 dig.out.ns2 || ret=1
+digcomp knowngood.after2 dig.out.ns3 || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+
+if $FEATURETEST --enable-dnstap
+then
+	echo_i "checking DNSTAP logging of UPDATE forwarded update replies ($n)"
+	ret=0
+	capture_dnstap
+	uq_equals_ur || ret=1
+	if [ $ret != 0 ] ; then echo_i "failed"; fi
+	status=`expr $status + $ret`
+	n=`expr $n + 1`
+fi
+n=`expr $n + 1`
+
+echo_i "checking update forwarding to dead primary ($n)"
+count=0
+ret=0
+while [ $count -lt 5 -a $ret -eq 0 ]
+do
+(
+$NSUPDATE -- - <<EOF 
+local 10.53.0.1
+server 10.53.0.3 ${PORT}
+zone nomaster
+update add unsigned.nomaster. 600 A 10.10.10.1
+update add unsigned.nomaster. 600 TXT Foo
+send
+EOF
+) > /dev/null 2>&1 &
+	$DIG -p ${PORT} +noadd +notcp +noauth nomaster. @10.53.0.3 soa > dig.out.ns3 || ret=1
+	grep "status: NOERROR" dig.out.ns3 > /dev/null || ret=1
+	count=`expr $count + 1`
+done
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+n=`expr $n + 1`
+
+if $FEATURETEST --enable-dnstap
+then
+	echo_i "checking DNSTAP logging of UPDATE forwarded update replies ($n)"
+	ret=0
+	capture_dnstap
+	uq_equals_ur && ret=1
+	if [ $ret != 0 ] ; then echo_i "failed"; fi
+	status=`expr $status + $ret`
+	n=`expr $n + 1`
+fi
+
+if test -f keyname
+then
+	echo_i "checking update forwarding to with sig0 ($n)"
+	ret=0
+	keyname=`cat keyname`
+	$NSUPDATE -k $keyname.private -- - <<EOF
+	local 10.53.0.1
+	server 10.53.0.3 ${PORT}
+	zone example2
+	update add unsigned.example2. 600 A 10.10.10.1
+	update add unsigned.example2. 600 TXT Foo
+	send
+EOF
+	$DIG -p ${PORT} unsigned.example2 A @10.53.0.1 > dig.out.ns1.test$n
+	grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+	if [ $ret != 0 ] ; then echo_i "failed"; fi
+	status=`expr $status + $ret`
+	n=`expr $n + 1`
+
+	if $FEATURETEST --enable-dnstap
+	then
+		echo_i "checking DNSTAP logging of UPDATE forwarded update replies ($n)"
+		ret=0
+		capture_dnstap
+		uq_equals_ur || ret=1
+		if [ $ret != 0 ] ; then echo_i "failed"; fi
+		status=`expr $status + $ret`
+		n=`expr $n + 1`
+	fi
+fi
+
+echo_i "attempting an update that should be rejected by ACL ($n)"
+ret=0
+{
+        $NSUPDATE -- - << EOF
+        local 10.53.0.2
+        server 10.53.0.3 ${PORT}
+        update add another.unsigned.example. 600 A 10.10.10.2
+        update add another.unsigned.example. 600 TXT Bar
+        send
+EOF
+} > nsupdate.out.$n 2>&1
+grep REFUSED nsupdate.out.$n > /dev/null || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+n=`expr $n + 1`
+
+n=$((n + 1))
+ret=0
+echo_i "attempting updates that should exceed quota ($n)"
+# lower the update quota to 1.
+copy_setports ns3/named2.conf.in ns3/named.conf
+rndc_reconfig ns3 10.53.0.3
+nextpart ns3/named.run > /dev/null
+for loop in 1 2 3 4 5 6 7 8 9 10; do
+{
+  $NSUPDATE -- - > /dev/null 2>&1 <<END
+  local 10.53.0.1
+  server 10.53.0.3 ${PORT}
+  update add txt-$loop.unsigned.example 300 IN TXT Whatever
+  send
+END
+} &
+done
+wait_for_log 10 "too many DNS UPDATEs queued" ns3/named.run || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/verify/clean.sh b/bin/tests/system/verify/clean.sh
new file mode 100644
index 0000000..767ca77
--- /dev/null
+++ b/bin/tests/system/verify/clean.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f ns*/named.lock
+rm -f verify.out*
+rm -f zones/*.bad
+rm -f zones/*.good
+rm -f zones/*.out*
+rm -f zones/*.tmp
+rm -f zones/K*
+rm -f zones/dsset-*
diff --git a/bin/tests/system/verify/setup.sh b/bin/tests/system/verify/setup.sh
new file mode 100644
index 0000000..55022b9
--- /dev/null
+++ b/bin/tests/system/verify/setup.sh
@@ -0,0 +1,17 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+(cd zones && $SHELL genzones.sh)
diff --git a/bin/tests/system/verify/tests.sh b/bin/tests/system/verify/tests.sh
new file mode 100644
index 0000000..cda891a
--- /dev/null
+++ b/bin/tests/system/verify/tests.sh
@@ -0,0 +1,112 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+failed () {
+	cat verify.out.$n | sed 's/^/D:/';
+	echo_i "failed";
+	status=1;
+}
+
+n=0
+status=0
+
+for file in zones/*.good
+do
+	n=`expr $n + 1`
+	zone=`expr "$file" : 'zones/\(.*\).good'`
+	echo_i "checking supposedly good zone: $zone ($n)"
+	ret=0
+	case $zone in
+	zsk-only.*) only=-z;;
+	ksk-only.*) only=-z;;
+	*) only=;;
+	esac
+	$VERIFY ${only} -o $zone $file > verify.out.$n 2>&1 || ret=1
+	[ $ret = 0 ] || failed
+done
+
+for file in zones/*.bad
+do
+	n=`expr $n + 1`
+	zone=`expr "$file" : 'zones/\(.*\).bad'`
+	echo_i "checking supposedly bad zone: $zone ($n)"
+	ret=0
+	dumpit=0
+	case $zone in
+	zsk-only.*) only=-z;;
+	ksk-only.*) only=-z;;
+	*) only=;;
+	esac
+	expect1= expect2=
+	case $zone in
+	*.dnskeyonly)
+		expect1="DNSKEY is not signed"
+		;;
+	*.expired)
+		expect1="signature has expired"
+		expect2="No self-signed .*DNSKEY found"
+		;;
+	*.ksk-expired)
+		expect1="signature has expired"
+		expect2="No self-signed .*DNSKEY found"
+		;;
+	*.out-of-zone-nsec|*.below-bottom-of-zone-nsec|*.below-dname-nsec)
+		expect1="unexpected NSEC RRset at"
+		;;
+	*.nsec.broken-chain)
+		expect1="Bad NSEC record for.*, next name mismatch"
+		;;
+	*.bad-bitmap)
+		expect1="bit map mismatch"
+		;;
+	*.missing-empty)
+		expect1="Missing NSEC3 record for";
+		;;
+	unsigned)
+		expect1="Zone contains no DNSSEC keys"
+		;;
+	*.extra-nsec3)
+		expect1="Expected and found NSEC3 chains not equal";
+		;;
+	*)
+		dumpit=1
+		;;
+	esac
+	$VERIFY ${only} -o $zone $file > verify.out.$n 2>&1 && ret=1
+	grep "${expect1:-.}" verify.out.$n > /dev/null || ret=1
+	grep "${expect2:-.}" verify.out.$n > /dev/null || ret=1
+	[ $ret = 0 ] || failed
+	[ $dumpit = 1 ] && cat verify.out.$n
+done
+
+n=`expr $n + 1`
+echo_i "checking error message when -o is not used and a SOA record not at top of zone is found ($n)"
+ret=0
+# When -o is not used, origin is set to zone file name, which should cause an error in this case
+$VERIFY zones/ksk+zsk.nsec.good > verify.out.$n 2>&1 && ret=1
+grep "not at top of zone" verify.out.$n > /dev/null || ret=1
+grep "use -o to specify a different zone origin" verify.out.$n > /dev/null || ret=1
+[ $ret = 0 ] || failed
+
+n=`expr $n + 1`
+echo_i "checking error message when an invalid -o is specified and a SOA record not at top of zone is found ($n)"
+ret=0
+$VERIFY -o invalid.origin zones/ksk+zsk.nsec.good > verify.out.$n 2>&1 && ret=1
+grep "not at top of zone" verify.out.$n > /dev/null || ret=1
+grep "use -o to specify a different zone origin" verify.out.$n > /dev/null && ret=1
+[ $ret = 0 ] || failed
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/verify/zones/genzones.sh b/bin/tests/system/verify/zones/genzones.sh
new file mode 100644
index 0000000..d0ab4e5
--- /dev/null
+++ b/bin/tests/system/verify/zones/genzones.sh
@@ -0,0 +1,248 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+SYSTESTDIR=verify
+
+dumpit () {
+	echo_d "${debug}: dumping ${1}"
+	cat "${1}" | cat_d
+}
+
+setup () {
+	echo_i "setting up $2 zone: $1"
+	debug="$1"
+	zone="$1"
+	file="$1.$2"
+	n=$((${n:-0} + 1))
+}
+
+# A unsigned zone should fail validation.
+setup unsigned bad
+cp unsigned.db unsigned.bad
+
+# A set of nsec zones.
+setup zsk-only.nsec good
+$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
+$SIGNER -SP -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n
+
+setup ksk-only.nsec good
+$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
+$SIGNER -SPz -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n
+
+setup ksk+zsk.nsec good
+$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
+$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
+$SIGNER -SPx -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n
+
+setup ksk+zsk.nsec.apex-dname good
+zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg1.out$n) || dumpit kg1.out$n
+ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n
+cp unsigned.db ${file}.tmp
+echo "@ DNAME data" >> ${file}.tmp
+$SIGNER -SP -o ${zone} -f ${file} ${file}.tmp > s.out$n || dumpit s.out$n
+
+# A set of nsec3 zones.
+setup zsk-only.nsec3 good
+$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
+$SIGNER -3 - -SP -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n
+
+setup ksk-only.nsec3 good
+$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
+$SIGNER -3 - -SPz -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n
+
+setup ksk+zsk.nsec3 good
+$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
+$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
+$SIGNER -3 - -SPx -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n
+
+setup ksk+zsk.optout good
+$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
+$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
+$SIGNER -3 - -A -SPx -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n
+
+setup ksk+zsk.nsec3.apex-dname good
+zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg1.out$n) || dumpit kg1.out$n
+ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n
+cp unsigned.db ${file}.tmp
+echo "@ DNAME data" >> ${file}.tmp
+$SIGNER -3 - -SP -o ${zone} -f ${file} ${file}.tmp > s.out$n || dumpit s.out$n
+
+#
+# generate an NSEC record like
+#	aba NSEC FOO ...
+# then downcase all the FOO records so the next name in the database
+# becomes foo when the zone is loaded.
+#
+setup nsec-next-name-case-mismatch good
+ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n
+zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg2.out$n) || dumpit kg2.out$n
+cat << EOF > ${zone}.tmp
+\$TTL 0
+@ IN SOA  foo . ( 1 28800 7200 604800 1800 )
+@ NS foo
+\$include $ksk.key
+\$include $zsk.key
+FOO AAAA ::1
+FOO A 127.0.0.2
+aba CNAME FOO
+EOF
+$SIGNER -zP -o ${zone} -f ${file}.tmp ${zone}.tmp > s.out$n || dumpit s.out$n
+sed 's/^FOO\./foo\./' < ${file}.tmp > ${file}
+
+# A set of zones with only DNSKEY records.
+setup zsk-only.dnskeyonly bad
+key1=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2>kg.out) || dumpit kg.out$n
+cat unsigned.db $key1.key > ${file}
+
+setup ksk-only.dnskeyonly bad
+key1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2>kg.out) || dumpit kg.out$n
+cat unsigned.db $key1.key > ${file}
+
+setup ksk+zsk.dnskeyonly bad
+key1=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2>kg.out) || dumpit kg.out$n
+key2=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2>kg.out) || dumpit kg.out$n
+cat unsigned.db $key1.key $key2.key > ${file}
+
+# A set of zones with expired records
+s="-s -2678400"
+setup zsk-only.nsec.expired bad
+$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
+$SIGNER -SP ${s} -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n
+
+setup ksk-only.nsec.expired bad
+$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
+$SIGNER -SPz ${s} -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n
+
+setup ksk+zsk.nsec.expired bad
+$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
+$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
+$SIGNER -SP ${s} -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n
+
+setup zsk-only.nsec3.expired bad
+$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
+$SIGNER -3 - ${s} -SP -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n
+
+setup ksk-only.nsec3.expired bad
+$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
+$SIGNER -3 - ${s} -SPz -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n
+
+setup ksk+zsk.nsec3.expired bad
+$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
+$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
+$SIGNER -3 - ${s} -SPx -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n
+
+# ksk expired
+setup ksk+zsk.nsec.ksk-expired bad
+zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg1.out$n) || dumpit kg1.out$n
+ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n
+cat unsigned.db $ksk.key $zsk.key > $file
+$SIGNER -Px -o ${zone} -f ${file} ${file} $zsk > s.out$n || dumpit s.out$n
+$SIGNER ${s} -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n
+now=$(date -u +%Y%m%d%H%M%S)
+exp=$(awk '$4 == "RRSIG" && $5 == "DNSKEY" { print $9;}' ${file})
+[ "${exp:-40001231246060}" -lt ${now:-0} ] || dumpit $file
+
+setup ksk+zsk.nsec3.ksk-expired bad
+zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg1.out$n) || dumpit kg1.out$n
+ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n
+cat unsigned.db $ksk.key $zsk.key > $file
+$SIGNER -3 - -Px -o ${zone} -f ${file} ${file} $zsk > s.out$n || dumpit s.out$n
+$SIGNER -3 - ${s} -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n
+now=$(date -u +%Y%m%d%H%M%S)
+exp=$(awk '$4 == "RRSIG" && $5 == "DNSKEY" { print $9;}' ${file})
+[ "${exp:-40001231246060}" -lt ${now:-0} ] || dumpit $file
+
+# broken nsec chain
+setup ksk+zsk.nsec.broken-chain bad
+zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg1.out$n) || dumpit kg1.out$n
+ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n
+cat unsigned.db $ksk.key $zsk.key > $file
+$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n
+awk '$4 == "NSEC" { $5 = "'$zone'."; print } { print }' ${file} > ${file}.tmp
+$SIGNER -Px -Z nonsecify -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n || dumpit s.out$n
+
+# bad nsec bitmap
+setup ksk+zsk.nsec.bad-bitmap bad
+zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg1.out$n) || dumpit kg1.out$n
+ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n
+cat unsigned.db $ksk.key $zsk.key > $file
+$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n
+awk '$4 == "NSEC" && /SOA/ { $6=""; print } { print }' ${file} > ${file}.tmp
+$SIGNER -Px -Z nonsecify -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n || dumpit s.out$n
+
+# extra NSEC record out side of zone
+setup ksk+zsk.nsec.out-of-zone-nsec bad
+zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg1.out$n) || dumpit kg1.out$n
+ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n
+cat unsigned.db $ksk.key $zsk.key > $file
+$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n
+echo "out-of-zone. 3600 IN NSEC ${zone}. A" >> ${file}
+$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n || dumpit s.out$n
+
+# extra NSEC record below bottom of zone
+setup ksk+zsk.nsec.below-bottom-of-zone-nsec bad
+zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg1.out$n) || dumpit kg1.out$n
+ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n
+cat unsigned.db $ksk.key $zsk.key > $file
+$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n
+echo "ns.sub.${zone}. 3600 IN NSEC ${zone}. A AAAA" >> ${file}
+$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file}.tmp ${file} $zsk > s.out$n || dumpit s.out$n
+# dnssec-signzone signs any node with a NSEC record.
+awk '$1 ~ /^ns.sub/ && $4 == "RRSIG" && $5 != "NSEC" { next; } { print; }' ${file}.tmp > ${file}
+
+# extra NSEC record below DNAME
+setup ksk+zsk.nsec.below-dname-nsec bad
+zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg1.out$n) || dumpit kg1.out$n
+ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n
+cat unsigned.db $ksk.key $zsk.key > $file
+$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n
+echo "sub.dname.${zone}. 3600 IN NSEC ${zone}. TXT" >> ${file}
+$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n || dumpit s.out$n
+
+# missing NSEC3 record at empty node
+# extract the hash fields from the empty node's NSEC 3 record then fix up
+# the NSEC3 chain to remove it
+setup ksk+zsk.nsec3.missing-empty bad
+zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg1.out$n) || dumpit kg1.out$n
+ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n
+cat unsigned.db $ksk.key $zsk.key > $file
+$SIGNER -3 - -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n
+a=$(awk '$4 == "NSEC3" && NF == 9 { split($1, a, "."); print a[1]; }' ${file})
+b=$(awk '$4 == "NSEC3" && NF == 9 { print $9; }' ${file})
+awk '
+$4 == "NSEC3" && $9 == "'$a'" { $9 = "'$b'"; print; next; }
+$4 == "NSEC3" && NF == 9 { next; }
+{ print; }' ${file} > ${file}.tmp
+$SIGNER -3 - -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n || dumpit s.out$n
+
+# extra NSEC3 record
+setup ksk+zsk.nsec3.extra-nsec3 bad
+zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg1.out$n) || dumpit kg1.out$n
+ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n
+cat unsigned.db $ksk.key $zsk.key > $file
+$SIGNER -3 - -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n
+awk '
+BEGIN {
+	ZONE="'${zone}'.";
+}
+$4 == "NSEC3" && NF == 9 {
+	$1 = "H9P7U7TR2U91D0V0LJS9L1GIDNP90U3H." ZONE;
+	$9 = "H9P7U7TR2U91D0V0LJS9L1GIDNP90U3I";
+	print;
+}' ${file} > ${file}.tmp
+cat ${file}.tmp >> ${file}
+rm -f ${file}.tmp
+$SIGNER -3 - -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n || dumpit s.out$n
diff --git a/bin/tests/system/verify/zones/unsigned.db b/bin/tests/system/verify/zones/unsigned.db
new file mode 100644
index 0000000..1e7cd2b
--- /dev/null
+++ b/bin/tests/system/verify/zones/unsigned.db
@@ -0,0 +1,29 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@		SOA	. . 0 0 0 2419200 3600	; 28 day expire
+@		NS	.
+data		A	1.2.3.4
+dname		DNAME	data
+longttl 2419200 A	1.2.3.4
+sub.dname	TXT	sub.dname
+sub.empty	TXT	sub.empty
+sub		NS	ns.sub
+ns.sub  	A	1.2.3.4
+ns.sub  	AAAA	2002::1.2.3.4
+ns.sub		WKS	1.2.3.4 udp domain
+other.sub	TXT	other.sub
+secure		NS	secure
+secure		DS	1312 50 100 96EEB2FFD9B00CD4694E78278B5EFDAB0A80446567B69F634DA078F0
+secure  	A	1.2.3.4
+secure  	AAAA	2002::1.2.3.4
+out-of-zone.	A	1.2.3.4
diff --git a/bin/tests/system/views/clean.sh b/bin/tests/system/views/clean.sh
new file mode 100644
index 0000000..d644c2a
--- /dev/null
+++ b/bin/tests/system/views/clean.sh
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+#
+# Clean up after zone transfer tests.
+#
+
+rm -f ns*/named.conf
+rm -f ns3/example.bk dig.out.ns?.?
+rm -f ns2/example.db ns3/internal.bk
+rm -f -- */*.jnl
+rm -f -- */named.memstats
+rm -f -- */named.run */named.run.prev
+rm -f ns2/external/K*
+rm -f ns2/external/inline.db.jbk
+rm -f ns2/external/inline.db.signed
+rm -f ns2/external/inline.db.signed.jnl
+rm -f ns2/internal/K*
+rm -f ns2/internal/inline.db.jbk
+rm -f ns2/internal/inline.db.signed
+rm -f ns2/internal/inline.db.signed.jnl
+rm -f ns2/zones.conf
+rm -f ns2/db.* ns2/K*
+rm -f dig.out.external dig.out.internal
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind* ns*/*.mkeys*
diff --git a/bin/tests/system/views/ns1/named.conf.in b/bin/tests/system/views/ns1/named.conf.in
new file mode 100644
index 0000000..eb079c9
--- /dev/null
+++ b/bin/tests/system/views/ns1/named.conf.in
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
diff --git a/bin/tests/system/views/ns1/root.db b/bin/tests/system/views/ns1/root.db
new file mode 100644
index 0000000..17780d1
--- /dev/null
+++ b/bin/tests/system/views/ns1/root.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. 			IN SOA	gson.nominum.com. a.root.servers.nil. (
+				2000042100   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+
+example.		NS	ns2.example.
+ns2.example.		A	10.53.0.2
diff --git a/bin/tests/system/views/ns2/1.10.in-addr.arpa.db b/bin/tests/system/views/ns2/1.10.in-addr.arpa.db
new file mode 100644
index 0000000..7ca723d
--- /dev/null
+++ b/bin/tests/system/views/ns2/1.10.in-addr.arpa.db
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@	IN	SOA	. . 0 0 0 0 0
+@	IN	NS 	.
diff --git a/bin/tests/system/views/ns2/clone.db b/bin/tests/system/views/ns2/clone.db
new file mode 100644
index 0000000..0f2de76
--- /dev/null
+++ b/bin/tests/system/views/ns2/clone.db
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL	600
+@		IN SOA	mname1. . (
+			2          ; serial
+			20         ; refresh (20 seconds)
+			20         ; retry (20 seconds)
+			1814400    ; expire (3 weeks)
+			3600       ; minimum (1 hour)
+			)
+@		IN	NS		ns2
+ns2		IN	A	10.53.0.2
+
+a		IN	A	10.1.0.1
+child		IN	NS	ns3.child
+ns3.child	IN	A	10.53.0.3
diff --git a/bin/tests/system/views/ns2/example1.db b/bin/tests/system/views/ns2/example1.db
new file mode 100644
index 0000000..4d60ce3
--- /dev/null
+++ b/bin/tests/system/views/ns2/example1.db
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300	; 5 minutes
+example			IN SOA	mname1. . (
+				1          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+example.		NS	ns2.example.
+ns2.example.		A	10.53.0.2
+
+$ORIGIN example.
+a			A	10.0.0.1
+			MX	10 mail.example.
+
+mail			A	10.0.0.2
diff --git a/bin/tests/system/views/ns2/example2.db b/bin/tests/system/views/ns2/example2.db
new file mode 100644
index 0000000..966240e
--- /dev/null
+++ b/bin/tests/system/views/ns2/example2.db
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300	; 5 minutes
+example			IN SOA	mname1. . (
+				2          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+example.		NS	ns2.example.
+ns2.example.		A	10.53.0.4
+
+$ORIGIN example.
+a			A	10.0.0.1
+			MX	10 mail.example.
+
+mail			A	10.0.0.2
diff --git a/bin/tests/system/views/ns2/external/inline.db b/bin/tests/system/views/ns2/external/inline.db
new file mode 100644
index 0000000..16d53b9
--- /dev/null
+++ b/bin/tests/system/views/ns2/external/inline.db
@@ -0,0 +1,29 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+inline.			IN SOA	mname1. . (
+				2          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+inline.			NS	ns2.inline.
+ns2.inline.		A	10.53.0.2
+inline.			NS	ns3.inline.
+ns3.inline.		A	10.53.0.3
+
+$ORIGIN inline.
+a			A	10.1.0.1
+			MX	10 extmail.inline.
+
+extmail			A	10.1.0.2
diff --git a/bin/tests/system/views/ns2/internal.db b/bin/tests/system/views/ns2/internal.db
new file mode 100644
index 0000000..4f1014f
--- /dev/null
+++ b/bin/tests/system/views/ns2/internal.db
@@ -0,0 +1,30 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300	; 5 minutes
+example			IN SOA	mname1. . (
+				2          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+example.		NS	ns2.example.
+ns2.example.		A	10.53.0.2
+example.		NS	ns3.example.
+ns3.example.		A	10.53.0.3
+
+$ORIGIN example.
+a			A	10.1.0.1
+			MX	10 intmail.example.
+
+intmail			A	10.1.0.2
diff --git a/bin/tests/system/views/ns2/internal/inline.db b/bin/tests/system/views/ns2/internal/inline.db
new file mode 100644
index 0000000..7a30873
--- /dev/null
+++ b/bin/tests/system/views/ns2/internal/inline.db
@@ -0,0 +1,29 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+inline.			IN SOA	mname1. . (
+				2          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+inline.			NS	ns2.inline.
+ns2.inline.		A	10.53.0.2
+inline.			NS	ns3.inline.
+ns3.inline.		A	10.53.0.3
+
+$ORIGIN inline.
+a			A	10.1.0.1
+			MX	10 intmail.inline.
+
+intmail			A	10.1.0.2
diff --git a/bin/tests/system/views/ns2/named1.conf.in b/bin/tests/system/views/ns2/named1.conf.in
new file mode 100644
index 0000000..857235d
--- /dev/null
+++ b/bin/tests/system/views/ns2/named1.conf.in
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+	allow-update { any; };
+};
+
+zone "inline" {
+	type primary;
+	file "external/inline.db";
+	key-directory "external";
+	auto-dnssec maintain;
+	inline-signing yes;
+};
diff --git a/bin/tests/system/views/ns2/named2.conf.in b/bin/tests/system/views/ns2/named2.conf.in
new file mode 100644
index 0000000..f8759fb
--- /dev/null
+++ b/bin/tests/system/views/ns2/named2.conf.in
@@ -0,0 +1,100 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; 10.53.0.4; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+view "internal" {
+	match-clients { 10.53.0.2;
+			10.53.0.3; };
+
+	zone "." {
+		type hint;
+		file "../../common/root.hint";
+	};
+
+	zone "example" {
+		type primary;
+		file "internal.db";
+		allow-update { any; };
+	};
+
+	zone "clone" {
+		type primary;
+		file "clone.db";
+		allow-update { any; };
+	};
+
+	zone "1.10.in-addr.arpa" {
+		type primary;
+		file "1.10.in-addr.arpa.db";
+	};
+
+	zone "inline" {
+		type primary;
+		file "internal/inline.db";
+		key-directory "internal";
+		auto-dnssec maintain;
+		inline-signing yes;
+	};
+};
+
+view "external" {
+	match-clients { any; };
+
+	zone "." {
+		type hint;
+		file "../../common/root.hint";
+	};
+
+	zone "example" {
+		type primary;
+		file "example.db";
+	};
+
+	zone "clone" {
+		in-view internal;
+		forward only;
+		forwarders { 10.53.0.5; };
+	};
+
+	zone "1.10.in-addr.arpa" {
+		in-view internal;
+	};
+
+	zone "inline" {
+		type primary;
+		file "external/inline.db";
+		key-directory "external";
+		auto-dnssec maintain;
+		inline-signing yes;
+	};
+};
diff --git a/bin/tests/system/views/ns2/named3.conf.in b/bin/tests/system/views/ns2/named3.conf.in
new file mode 100644
index 0000000..838cfb8
--- /dev/null
+++ b/bin/tests/system/views/ns2/named3.conf.in
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+include "zones.conf";
diff --git a/bin/tests/system/views/ns3/child.clone.db b/bin/tests/system/views/ns3/child.clone.db
new file mode 100644
index 0000000..9b90023
--- /dev/null
+++ b/bin/tests/system/views/ns3/child.clone.db
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@		IN SOA	ns3. . (
+			1          ; serial
+			20         ; refresh (20 seconds)
+			20         ; retry (20 seconds)
+			1814400    ; expire (3 weeks)
+			3600       ; minimum (1 hour)
+			)
+@		NS	ns3
+@		TXT	This is NS3.
+ns3		A	10.53.0.3
diff --git a/bin/tests/system/views/ns3/internal.db b/bin/tests/system/views/ns3/internal.db
new file mode 100644
index 0000000..c93c2b0
--- /dev/null
+++ b/bin/tests/system/views/ns3/internal.db
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300	; 5 minutes
+example			IN SOA	mname1. . (
+				1          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+example.		NS	ns3.example.
+ns3.example.		A	10.53.0.3
+
+$ORIGIN example.
+a			A	10.1.0.1
+			MX	10 intmail.example.
+
+intmail			A	10.1.0.2
diff --git a/bin/tests/system/views/ns3/named1.conf.in b/bin/tests/system/views/ns3/named1.conf.in
new file mode 100644
index 0000000..bec49f5
--- /dev/null
+++ b/bin/tests/system/views/ns3/named1.conf.in
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	directory ".";
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "example" {
+	type primary;
+	allow-update { any; };
+	file "internal.db";
+};
+
+zone "child.clone" {
+	type primary;
+	file "child.clone.db";
+};
diff --git a/bin/tests/system/views/ns3/named2.conf.in b/bin/tests/system/views/ns3/named2.conf.in
new file mode 100644
index 0000000..3becdd6
--- /dev/null
+++ b/bin/tests/system/views/ns3/named2.conf.in
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	directory ".";
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "example" {
+	type secondary;
+	primaries { 10.53.0.2; };
+	file "internal.bk";
+};
+
+zone "child.clone" {
+	type primary;
+	file "child.clone.db";
+};
diff --git a/bin/tests/system/views/ns5/child.clone.db b/bin/tests/system/views/ns5/child.clone.db
new file mode 100644
index 0000000..e29143b
--- /dev/null
+++ b/bin/tests/system/views/ns5/child.clone.db
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@		IN SOA	ns3. . (
+			1          ; serial
+			20         ; refresh (20 seconds)
+			20         ; retry (20 seconds)
+			1814400    ; expire (3 weeks)
+			3600       ; minimum (1 hour)
+			)
+@		NS	ns3
+@		TXT	This is NS5.
+ns3		A	10.53.0.3
diff --git a/bin/tests/system/views/ns5/named.conf.in b/bin/tests/system/views/ns5/named.conf.in
new file mode 100644
index 0000000..4b9e236
--- /dev/null
+++ b/bin/tests/system/views/ns5/named.conf.in
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.5;
+	notify-source 10.53.0.5;
+	transfer-source 10.53.0.5;
+	port @PORT@;
+	directory ".";
+	pid-file "named.pid";
+	listen-on { 10.53.0.5; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "child.clone" {
+	type primary;
+	file "child.clone.db";
+};
diff --git a/bin/tests/system/views/setup.sh b/bin/tests/system/views/setup.sh
new file mode 100644
index 0000000..278cb4d
--- /dev/null
+++ b/bin/tests/system/views/setup.sh
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+SYSTEMTESTTOP=..
+# shellcheck source=conf.sh
+. $SYSTEMTESTTOP/conf.sh
+
+cp -f ns2/example1.db ns2/example.db
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named1.conf.in ns2/named.conf
+copy_setports ns3/named1.conf.in ns3/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+
+#
+# We remove k1 and k2 as KEYGEN is deterministic when given the
+# same source of "random" data and we want different keys for
+# internal and external instances of inline.
+#
+$KEYGEN -K ns2/internal -a ${DEFAULT_ALGORITHM} -q inline > /dev/null 2>&1
+$KEYGEN -K ns2/internal -a ${DEFAULT_ALGORITHM} -qfk inline > /dev/null 2>&1
+k1=$($KEYGEN -K ns2/external -a ${DEFAULT_ALGORITHM} -q inline 2> /dev/null)
+k2=$($KEYGEN -K ns2/external -a ${DEFAULT_ALGORITHM} -qfk inline 2> /dev/null)
+$KEYGEN -K ns2/external -a ${DEFAULT_ALGORITHM} -q inline > /dev/null 2>&1
+$KEYGEN -K ns2/external -a ${DEFAULT_ALGORITHM} -qfk inline > /dev/null 2>&1
+test -n "$k1" && rm -f ns2/external/"$k1".*
+test -n "$k2" && rm -f ns2/external/"$k2".*
diff --git a/bin/tests/system/views/tests.sh b/bin/tests/system/views/tests.sh
new file mode 100644
index 0000000..5f5daad
--- /dev/null
+++ b/bin/tests/system/views/tests.sh
@@ -0,0 +1,190 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+SYSTEMTESTTOP=..
+# shellcheck source=conf.sh
+. $SYSTEMTESTTOP/conf.sh
+
+dig_with_opts() {
+	"$DIG" +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd +noauth -p "${PORT}" "$@"
+}
+
+dig_with_shortopts() {
+	"$DIG" +tcp +short -p "${PORT}" "$@"
+}
+
+RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
+
+status=0
+
+echo_i "fetching a.example from ns2's initial configuration"
+dig_with_opts a.example. @10.53.0.2 any > dig.out.ns2.1 || status=1
+
+echo_i "fetching a.example from ns3's initial configuration"
+dig_with_opts a.example. @10.53.0.3 any > dig.out.ns3.1 || status=1
+
+echo_i "copying in new configurations for ns2 and ns3"
+rm -f ns2/named.conf ns3/named.conf ns2/example.db
+cp -f ns2/example2.db ns2/example.db
+copy_setports ns2/named2.conf.in ns2/named.conf
+copy_setports ns3/named2.conf.in ns3/named.conf
+
+echo_i "reloading ns2 and ns3 with rndc"
+nextpart ns2/named.run > /dev/null
+nextpart ns3/named.run > /dev/null
+rndc_reload ns2 10.53.0.2
+rndc_reload ns3 10.53.0.3
+
+echo_i "wait for reload to complete"
+ret=0
+_check_reload() (
+  nextpartpeek ns2/named.run | grep "all zones loaded" > /dev/null && \
+  nextpartpeek ns3/named.run | grep "all zones loaded" > /dev/null && \
+  nextpartpeek ns3/named.run | grep "zone_dump: zone example/IN: enter" > /dev/null
+)
+retry_quiet 10 _check_reload || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "fetching a.example from ns2's 10.53.0.4, source address 10.53.0.4"
+dig_with_opts -b 10.53.0.4 a.example. @10.53.0.4 any > dig.out.ns4.2 || status=1
+
+echo_i "fetching a.example from ns2's 10.53.0.2, source address 10.53.0.2"
+dig_with_opts -b 10.53.0.2 a.example. @10.53.0.2 any > dig.out.ns2.2 || status=1
+
+echo_i "fetching a.example from ns3's 10.53.0.3, source address defaulted"
+dig_with_opts @10.53.0.3 a.example. any > dig.out.ns3.2 || status=1
+
+echo_i "comparing ns3's initial a.example to one from reconfigured 10.53.0.2"
+digcomp dig.out.ns3.1 dig.out.ns2.2 || status=1
+
+echo_i "comparing ns3's initial a.example to one from reconfigured 10.53.0.3"
+digcomp dig.out.ns3.1 dig.out.ns3.2 || status=1
+
+echo_i "comparing ns2's initial a.example to one from reconfigured 10.53.0.4"
+digcomp dig.out.ns2.1 dig.out.ns4.2 || status=1
+
+echo_i "comparing ns2's initial a.example to one from reconfigured 10.53.0.3"
+echo_i "(should be different)"
+if $PERL ../digcomp.pl dig.out.ns2.1 dig.out.ns3.2 >/dev/null
+then
+	echo_i "no differences found.  something's wrong."
+	status=1
+fi
+
+echo_i "updating cloned zone in internal view"
+$NSUPDATE << EOF
+server 10.53.0.2 ${PORT}
+zone clone
+update add b.clone. 300 in a 10.1.0.3
+send
+EOF
+echo_i "sleeping to allow update to take effect"
+sleep 5
+
+echo_i "verifying update affected both views"
+ret=0
+one=$(dig_with_shortopts -b 10.53.0.2 @10.53.0.2 b.clone a)
+two=$(dig_with_shortopts -b 10.53.0.4 @10.53.0.2 b.clone a)
+if [ "$one" != "$two" ]; then
+        echo_i "'$one' does not match '$two'"
+        ret=1
+fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "verifying forwarder in cloned zone works"
+ret=0
+one=$(dig_with_shortopts -b 10.53.0.2 @10.53.0.2 child.clone txt)
+two=$(dig_with_shortopts -b 10.53.0.4 @10.53.0.2 child.clone txt)
+three=$(dig_with_shortopts @10.53.0.3 child.clone txt)
+four=$(dig_with_shortopts @10.53.0.5 child.clone txt)
+echo "$three" | grep NS3 > /dev/null || { ret=1; echo_i "expected response from NS3 got '$three'"; }
+echo "$four" | grep NS5 > /dev/null || { ret=1; echo_i "expected response from NS5 got '$four'"; }
+if [ "$one" = "$two" ]; then
+        echo_i "'$one' matches '$two'"
+        ret=1
+fi
+if [ "$one" != "$three" ]; then
+        echo_i "'$one' does not match '$three'"
+        ret=1
+fi
+if [ "$two" != "$four" ]; then
+        echo_i "'$two' does not match '$four'"
+        ret=1
+fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "verifying inline zones work with views"
+ret=0
+wait_for_signed() {
+    "$DIG" -p "${PORT}" @10.53.0.2 -b 10.53.0.2 +dnssec DNSKEY inline > dig.out.internal
+    "$DIG" -p "${PORT}" @10.53.0.2 -b 10.53.0.5 +dnssec DNSKEY inline > dig.out.external
+    grep "ANSWER: 4," dig.out.internal > /dev/null || return 1
+    grep "ANSWER: 4," dig.out.external > /dev/null || return 1
+    return 0
+}
+retry_quiet 10 wait_for_signed || ret=1
+int=$(awk '$4 == "DNSKEY" { print $8 }' dig.out.internal | sort)
+ext=$(awk '$4 == "DNSKEY" { print $8 }' dig.out.external | sort)
+test "$int" != "$ext" || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "verifying adding of multiple inline zones followed by reconfiguration works"
+
+[ ! -f ns2/zones.conf ] && touch ns2/zones.conf
+copy_setports ns2/named3.conf.in ns2/named.conf
+
+i=1
+while [ $i -lt 50 ]; do
+	ret=0
+	zone_name=$(printf "example%03d.com" $i)
+
+	# Add a new zone to the configuration.
+	cat >> ns2/zones.conf <<-EOF
+	zone "${zone_name}" {
+	    type master;
+	    file "db.${zone_name}";
+	    dnssec-dnskey-kskonly yes;
+	    auto-dnssec maintain;
+	    inline-signing yes;
+	};
+	EOF
+
+	# Create a master file for the zone.
+	cat > "ns2/db.${zone_name}" <<-EOF
+	\$TTL 86400
+	@		IN	SOA	localhost. hostmaster.localhost (
+						1612542642 ; serial
+						12H ; refresh
+						1H  ; retry
+						2w  ; expiry
+						1h  ; minimum
+					)
+	@		IN      NS      localhost
+	localhost       IN      A       127.0.0.1
+	EOF
+
+	$KEYGEN -q -Kns2 -fk -aecdsa256 "${zone_name}" > /dev/null
+	$RNDCCMD 10.53.0.2 reconfig || ret=1
+	if [ $ret != 0 ]; then echo_i "failed"; break; fi
+	i=$((i + 1))
+done
+status=$((status + ret))
+
+echo_i "exit status: $status"
+[ "$status" -eq 0 ] || exit 1
diff --git a/bin/tests/system/wildcard/clean.sh b/bin/tests/system/wildcard/clean.sh
new file mode 100644
index 0000000..c690ade
--- /dev/null
+++ b/bin/tests/system/wildcard/clean.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f ns*/named.run
+rm -f ns*/named.conf
+rm -f ns1/K*
+rm -f ns1/*.db
+rm -f ns1/*.signed
+rm -f ns1/dsset-*
+rm -f ns1/keyset-*
+rm -f ns1/trusted.conf
+rm -f ns1/private.nsec.conf
+rm -f ns1/private.nsec3.conf
+rm -f ns1/signer.err
+rm -f */named.memstats
+rm -f dig.out.ns*.test*
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/wildcard/ns1/allwild.db.in b/bin/tests/system/wildcard/ns1/allwild.db.in
new file mode 100644
index 0000000..71575c3
--- /dev/null
+++ b/bin/tests/system/wildcard/ns1/allwild.db.in
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN allwild.test.
+allwild.test.                 3600 IN  SOA   . . 0 0 0 0 0
+allwild.test.                 3600     NS    ns.example.test.
+*.allwild.test.           3600     A     192.0.2.1
diff --git a/bin/tests/system/wildcard/ns1/dlv.db.in b/bin/tests/system/wildcard/ns1/dlv.db.in
new file mode 100644
index 0000000..6156de6
--- /dev/null
+++ b/bin/tests/system/wildcard/ns1/dlv.db.in
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 120
+@	SOA a.root-servers.nil. hostmaster.root-servers.nil. 1 1800 900 604800 86400
+@	NS  a.root-servers.nil.
diff --git a/bin/tests/system/wildcard/ns1/example.db.in b/bin/tests/system/wildcard/ns1/example.db.in
new file mode 100644
index 0000000..f23a2cb
--- /dev/null
+++ b/bin/tests/system/wildcard/ns1/example.db.in
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN example.
+example.                 3600 IN  SOA   . . 0 0 0 0 0
+example.                 3600     NS    ns.example.com.
+example.                 3600     NS    ns.example.net.
+*.example.               3600     TXT   "this is a wildcard"
+*.example.               3600     MX    10 host1.example.
+sub.*.example.           3600     TXT   "this is not a wildcard"
+host1.example.           3600     A     192.0.2.1
+_ssh._tcp.host1.example. 3600     SRV   0 0 22 host1.example.
+_ssh._tcp.host2.example. 3600     SRV   0 0 22 host2.example.
+subdel.example.          3600     NS    ns.example.com.
+subdel.example.          3600     NS    ns.example.net.
diff --git a/bin/tests/system/wildcard/ns1/named.conf.in b/bin/tests/system/wildcard/ns1/named.conf.in
new file mode 100644
index 0000000..ac02abf
--- /dev/null
+++ b/bin/tests/system/wildcard/ns1/named.conf.in
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+	notify yes;
+};
+
+zone "." { type primary; file "root.db.signed"; };
+
+/*
+ * RFC 4592 example zone.
+ */
+zone "allwild.test" { type primary; file "allwild.db"; };
+zone "example" { type primary; file "example.db"; };
+zone "nsec" { type primary; file "nsec.db.signed"; };
+zone "private.nsec" { type primary; file "private.nsec.db.signed"; };
+
+/*
+ * The contents of nsec3 and private.nsec3 are specially chosen to
+ * have separate NSEC3 records for the "no qname proof" and the
+ * "closest encloser proof".
+ */
+zone "nsec3" { type primary; file "nsec3.db.signed"; };
+zone "private.nsec3" { type primary; file "private.nsec3.db.signed"; };
diff --git a/bin/tests/system/wildcard/ns1/nsec.db.in b/bin/tests/system/wildcard/ns1/nsec.db.in
new file mode 100644
index 0000000..8869ab9
--- /dev/null
+++ b/bin/tests/system/wildcard/ns1/nsec.db.in
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 120
+@	SOA a.root-servers.nil. hostmaster.root-servers.nil. 1 1800 900 604800 86400
+@	NS  a.root-servers.nil.
+private NS  a.root-servers.nil.
+*.wild	CNAME a.
+a.wild	A   1.2.3.5
diff --git a/bin/tests/system/wildcard/ns1/nsec3.db.in b/bin/tests/system/wildcard/ns1/nsec3.db.in
new file mode 100644
index 0000000..8869ab9
--- /dev/null
+++ b/bin/tests/system/wildcard/ns1/nsec3.db.in
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 120
+@	SOA a.root-servers.nil. hostmaster.root-servers.nil. 1 1800 900 604800 86400
+@	NS  a.root-servers.nil.
+private NS  a.root-servers.nil.
+*.wild	CNAME a.
+a.wild	A   1.2.3.5
diff --git a/bin/tests/system/wildcard/ns1/private.nsec.db.in b/bin/tests/system/wildcard/ns1/private.nsec.db.in
new file mode 100644
index 0000000..b7cc222
--- /dev/null
+++ b/bin/tests/system/wildcard/ns1/private.nsec.db.in
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 120
+@	SOA a.root-servers.nil. hostmaster.root-servers.nil. 1 1800 900 604800 86400
+@	NS  a.root-servers.nil.
+*.wild	CNAME a.
+a.wild	A   1.2.3.5
diff --git a/bin/tests/system/wildcard/ns1/private.nsec3.db.in b/bin/tests/system/wildcard/ns1/private.nsec3.db.in
new file mode 100644
index 0000000..566b3f8
--- /dev/null
+++ b/bin/tests/system/wildcard/ns1/private.nsec3.db.in
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 120
+@	SOA a.root-servers.nil. hostmaster.root-servers.nil. 1 1800 900 604800 86400
+@	NS  a.root-servers.nil.
+b	A   1.2.3.4
+*.wild	CNAME a.
+a.wild	A   1.2.3.5
diff --git a/bin/tests/system/wildcard/ns1/root.db.in b/bin/tests/system/wildcard/ns1/root.db.in
new file mode 100644
index 0000000..ffeb0a6
--- /dev/null
+++ b/bin/tests/system/wildcard/ns1/root.db.in
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 120
+@	SOA a.root-servers.nil hostmaster.root-servers.nil 1 1800 900 604800 86400
+@	NS  a.root-servers.nil
+a.root-servers.nil A 10.53.0.1
+nsec	NS  a.root-servers.nil
+nsec3	NS  a.root-servers.nil
diff --git a/bin/tests/system/wildcard/ns1/sign.sh b/bin/tests/system/wildcard/ns1/sign.sh
new file mode 100755
index 0000000..493b057
--- /dev/null
+++ b/bin/tests/system/wildcard/ns1/sign.sh
@@ -0,0 +1,96 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+SYSTESTDIR=wildcard
+
+dssets=
+
+# RFC 4592 example zone.
+cp allwild.db.in allwild.db
+cp example.db.in example.db
+
+zone=nsec
+infile=nsec.db.in
+zonefile=nsec.db
+outfile=nsec.db.signed
+dssets="$dssets dsset-${zone}${TP}"
+
+keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null)
+keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null)
+
+cat $infile $keyname1.key $keyname2.key > $zonefile
+
+$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo_i "signed $zone"
+
+zone=private.nsec
+infile=private.nsec.db.in
+zonefile=private.nsec.db
+outfile=private.nsec.db.signed
+
+keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null)
+keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null)
+
+cat $infile $keyname1.key $keyname2.key > $zonefile
+
+$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo_i "signed $zone"
+
+keyfile_to_static_ds $keyname2 > private.nsec.conf
+
+zone=nsec3
+infile=nsec3.db.in
+zonefile=nsec3.db
+outfile=nsec3.db.signed
+dssets="$dssets dsset-${zone}${TP}"
+
+keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null)
+keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null)
+
+cat $infile $keyname1.key $keyname2.key > $zonefile
+
+$SIGNER -3 - -H 10 -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo_i "signed $zone"
+
+zone=private.nsec3
+infile=private.nsec3.db.in
+zonefile=private.nsec3.db
+outfile=private.nsec3.db.signed
+
+keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null)
+keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null)
+
+cat $infile $keyname1.key $keyname2.key > $zonefile
+
+$SIGNER -3 - -H 10 -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo_i "signed $zone"
+
+keyfile_to_static_ds $keyname2 > private.nsec3.conf
+
+zone=.
+infile=root.db.in
+zonefile=root.db
+outfile=root.db.signed
+
+keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null)
+keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null)
+
+cat $infile $keyname1.key $keyname2.key $dssets >$zonefile
+
+$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo_i "signed $zone"
+
+keyfile_to_static_ds $keyname2 > trusted.conf
diff --git a/bin/tests/system/wildcard/ns2/named.conf.in b/bin/tests/system/wildcard/ns2/named.conf.in
new file mode 100644
index 0000000..a9a2a70
--- /dev/null
+++ b/bin/tests/system/wildcard/ns2/named.conf.in
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation no;
+	notify yes;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
diff --git a/bin/tests/system/wildcard/ns3/named.conf.in b/bin/tests/system/wildcard/ns3/named.conf.in
new file mode 100644
index 0000000..0b958fa
--- /dev/null
+++ b/bin/tests/system/wildcard/ns3/named.conf.in
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	notify yes;
+};
+
+include "../ns1/trusted.conf";
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
diff --git a/bin/tests/system/wildcard/ns4/named.conf.in b/bin/tests/system/wildcard/ns4/named.conf.in
new file mode 100644
index 0000000..b125fa7
--- /dev/null
+++ b/bin/tests/system/wildcard/ns4/named.conf.in
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	notify yes;
+	forward only;
+	forwarders { 10.53.0.2; };
+};
+
+include "../ns1/trusted.conf";
+include "../ns1/private.nsec.conf";
+include "../ns1/private.nsec3.conf";
diff --git a/bin/tests/system/wildcard/ns5/named.conf.in b/bin/tests/system/wildcard/ns5/named.conf.in
new file mode 100644
index 0000000..1cd358d
--- /dev/null
+++ b/bin/tests/system/wildcard/ns5/named.conf.in
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.5;
+	notify-source 10.53.0.5;
+	transfer-source 10.53.0.5;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.5; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	notify yes;
+};
+
+include "../ns1/trusted.conf";
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
diff --git a/bin/tests/system/wildcard/setup.sh b/bin/tests/system/wildcard/setup.sh
new file mode 100644
index 0000000..3d20b48
--- /dev/null
+++ b/bin/tests/system/wildcard/setup.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+
+(cd ns1 && $SHELL -e sign.sh)
diff --git a/bin/tests/system/wildcard/tests.sh b/bin/tests/system/wildcard/tests.sh
new file mode 100644
index 0000000..f93150c
--- /dev/null
+++ b/bin/tests/system/wildcard/tests.sh
@@ -0,0 +1,272 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=0
+
+rm -f dig.out.*
+
+DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}"
+
+n=`expr $n + 1`
+echo_i "checking that NSEC wildcard non-existence proof is returned auth ($n)"
+ret=0
+$DIG $DIGOPTS a b.wild.nsec +norec @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC'  dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NSEC wildcard non-existence proof is returned non-validating ($n)"
+ret=0
+$DIG $DIGOPTS a b.wild.nsec @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC'  dig.out.ns2.test$n > /dev/null || ret=1
+grep -i 'flags:.* ad[ ;]'  dig.out.ns2.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NSEC wildcard non-existence proof is returned validating ($n)"
+ret=0
+$DIG $DIGOPTS a b.wild.nsec @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC'  dig.out.ns3.test$n > /dev/null || ret=1
+grep -i 'flags:.* ad[ ;]'  dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NSEC wildcard non-existence proof is returned validating + CD ($n)"
+ret=0
+$DIG $DIGOPTS +cd a b.wild.nsec @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC'  dig.out.ns5.test$n > /dev/null || ret=1
+grep -i 'flags:.* ad[ ;]'  dig.out.ns5.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+echo_i "checking that returned NSEC wildcard non-existence proof validates ($n)"
+ret=0
+$DIG $DIGOPTS a b.wild.nsec @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC'  dig.out.ns4.test$n > /dev/null || ret=1
+grep -i 'flags:.* ad[ ;]'  dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NSEC wildcard non-existence proof is returned private, validating ($n)"
+ret=0
+$DIG $DIGOPTS a b.wild.private.nsec @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep -i 'a\.wild\.private\.nsec\..*NSEC.*private\.nsec\..*NSEC'  dig.out.ns3.test$n > /dev/null || ret=1
+grep -i 'flags:.* ad[ ;]'  dig.out.ns3.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that returned NSEC wildcard non-existence proof for private zone validates ($n)"
+ret=0
+$DIG $DIGOPTS a b.wild.private.nsec @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep -i 'a\.wild\.private\.nsec\..*NSEC.*private\.nsec\..*NSEC'  dig.out.ns4.test$n > /dev/null || ret=1
+grep -i 'flags:.* ad[ ;]'  dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NSEC3 wildcard non-existence proof is returned auth ($n)"
+ret=0
+$DIG $DIGOPTS a b.wild.nsec3 +norec @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A'  dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NSEC3 wildcard non-existence proof is returned non-validating ($n)"
+ret=0
+$DIG $DIGOPTS a b.wild.nsec3 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A'  dig.out.ns2.test$n > /dev/null || ret=1
+grep -i 'flags:.* ad[ ;]'  dig.out.ns2.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NSEC3 wildcard non-existence proof is returned validating ($n)"
+ret=0
+$DIG $DIGOPTS a b.wild.nsec3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A'  dig.out.ns3.test$n > /dev/null || ret=1
+grep -i 'flags:.* ad[ ;]'  dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NSEC3 wildcard non-existence proof is returned validating + CD ($n)"
+ret=0
+$DIG $DIGOPTS +cd a b.wild.nsec3 @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A'  dig.out.ns5.test$n > /dev/null || ret=1
+grep -i 'flags:.* ad[ ;]'  dig.out.ns5.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that returned NSEC3 wildcard non-existence proof validates ($n)"
+ret=0
+$DIG $DIGOPTS a b.wild.nsec3 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A'  dig.out.ns4.test$n > /dev/null || ret=1
+grep -i 'flags:.* ad[ ;]'  dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NSEC3 wildcard non-existence proof is returned private, validating ($n)"
+ret=0
+$DIG $DIGOPTS a b.wild.private.nsec3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep -i 'UDBSP4R8OUOT6HSO39VD8B5LMOSHRD5N\.private\.nsec3\..*NSEC3.*ASDRUIB7GO00OR92S5OUGI404LT27RNU' dig.out.ns3.test$n > /dev/null || ret=1
+grep -i 'flags:.* ad[ ;]'  dig.out.ns3.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that returned NSEC3 wildcard non-existence proof for private zone validates ($n)"
+ret=0
+$DIG $DIGOPTS a b.wild.private.nsec3 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep -i 'UDBSP4R8OUOT6HSO39VD8B5LMOSHRD5N\.private\.nsec3\..*NSEC3.*ASDRUIB7GO00OR92S5OUGI404LT27RNU' dig.out.ns4.test$n > /dev/null || ret=1
+grep -i 'flags:.* ad[ ;]'  dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking RFC 4592 responses ..."
+
+n=`expr $n + 1`
+echo_i "checking RFC 4592: host3.example. QTYPE=MX, QCLASS=IN ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 host3.example. MX IN > dig.out.ns1.test$n || ret=1
+grep '^host3.example..*IN.MX.10 host1.example.' dig.out.ns1.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking RFC 4592: host3.example. QTYPE=A, QCLASS=IN ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 host3.example. A IN > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking RFC 4592: foo.bar.example. QTYPE=TXT, QCLASS=IN ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 foo.bar.example TXT IN > dig.out.ns1.test$n || ret=1
+grep '^foo.bar.example..*IN.TXT."this is a wildcard"' dig.out.ns1.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking RFC 4592: host1.example. QTYPE=MX, QCLASS=IN ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 host1.example MX IN > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking RFC 4592: host1.example. QTYPE=MX, QCLASS=IN ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 host1.example MX IN > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking RFC 4592: sub.*.example. QTYPE=MX, QCLASS=IN ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 "sub.*.example." MX IN > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking RFC 4592: _telnet._tcp.host1.example. QTYPE=SRV, QCLASS=IN ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 _telnet._tcp.host1.example. SRV IN > dig.out.ns1.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking RFC 4592: host.subdel.example. QTYPE=A, QCLASS=IN ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 host.subdel.example A IN > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1
+grep "AUTHORITY: 2," dig.out.ns1.test$n > /dev/null || ret=1
+grep "subdel.example..*IN.NS.ns.example.com." dig.out.ns1.test$n > /dev/null || ret=1
+grep "subdel.example..*IN.NS.ns.example.net." dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking RFC 4592: ghost.*.example. QTYPE=MX, QCLASS=IN ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 "ghost.*.example" MX IN > dig.out.ns1.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check wild card expansions by code point ($n)"
+ret=0
+i=0
+while test $i -lt 256
+do
+	x=`expr 00$i : '.*\(...\)$'`
+	$DIG $DIGOPTS @10.53.0.1 "\\$x.example" TXT > dig.out.ns1.$x.test$n
+	if test $i -le 32 -o $i -ge 127
+	then
+		grep '^\\'"$x"'\.example\..*TXT.*"this is a wildcard"$' dig.out.ns1.$x.test$n > /dev/null || { echo_i "code point $x failed" ; ret=1; }
+        # "=34 $=36 (=40 )=41 .=46 ;=59 \=92 @=64
+	elif test $i -eq 34 -o $i -eq 36 -o $i -eq 40 -o $i -eq 41 -o \
+                  $i -eq 46 -o $i -eq 59 -o $i -eq 64 -o $i -eq 92
+	then
+		case $i in
+		34) a='"';;
+		36) a='$';;
+		40) a='(';;
+		41) a=')';;
+		46) a='\.';;
+		59) a=';';;
+		64) a='@';;
+		92) a='\\';;
+		*) a=''; echo_i "code point $x failed" ; ret=1 ;;
+		esac
+		grep '^\\'"$a"'\.example.*.*TXT.*"this is a wildcard"$' dig.out.ns1.$x.test$n > /dev/null || { echo_i "code point $x failed" ; ret=1; }
+	else
+		grep '^\\' dig.out.ns1.$x.test$n && { echo_i "code point $x failed" ; ret=1; }
+	fi
+	i=`expr $i + 1`
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/wildcard/tests_wildcard.py b/bin/tests/system/wildcard/tests_wildcard.py
new file mode 100755
index 0000000..66166f2
--- /dev/null
+++ b/bin/tests/system/wildcard/tests_wildcard.py
@@ -0,0 +1,112 @@
+#!/usr/bin/python3
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+"""
+Example property-based test for wildcard synthesis.
+Verifies that otherwise-empty zone with single wildcard record * A 192.0.2.1
+produces synthesized answers for <random_label>.test. A, and returns NODATA for
+<random_label>.test. when rdtype is not A.
+
+Limitations - untested properties:
+    - expansion works with multiple labels
+    - asterisk in qname does not cause expansion
+    - empty non-terminals prevent expansion
+    - or more generally any existing node prevents expansion
+    - DNSSEC record inclusion
+    - possibly others, see RFC 4592 and company
+    - content of authority & additional sections
+    - flags beyond RCODE
+    - special behavior of rdtypes like CNAME
+"""
+import pytest
+
+pytest.importorskip("dns")
+import dns.message
+import dns.name
+import dns.query
+import dns.rcode
+import dns.rdataclass
+import dns.rdatatype
+import dns.rrset
+
+pytest.importorskip("hypothesis")
+from hypothesis import given
+from hypothesis.strategies import binary, integers
+
+
+# labels of a zone with * A 192.0.2.1 wildcard
+WILDCARD_ZONE = ("allwild", "test", "")
+WILDCARD_RDTYPE = dns.rdatatype.A
+WILDCARD_RDATA = "192.0.2.1"
+IPADDR = "10.53.0.1"
+TIMEOUT = 5  # seconds, just a sanity check
+
+
+# Helpers
+def is_nonexpanding_rdtype(rdtype):
+    """skip meta types to avoid weird rcodes caused by AXFR etc.; RFC 6895"""
+    return not (
+        rdtype == WILDCARD_RDTYPE
+        or dns.rdatatype.is_metatype(rdtype)  # known metatypes: OPT ...
+        or 128 <= rdtype <= 255
+    )  # unknown meta types
+
+
+def tcp_query(where, port, qname, qtype):
+    querymsg = dns.message.make_query(qname, qtype)
+    assert len(querymsg.question) == 1
+    return querymsg, dns.query.tcp(querymsg, where, port=port, timeout=TIMEOUT)
+
+
+def query(where, port, label, rdtype):
+    labels = (label,) + WILDCARD_ZONE
+    qname = dns.name.Name(labels)
+    return tcp_query(where, port, qname, rdtype)
+
+
+# Tests
+@given(
+    label=binary(min_size=1, max_size=63),
+    rdtype=integers(min_value=0, max_value=65535).filter(is_nonexpanding_rdtype),
+)
+def test_wildcard_rdtype_mismatch(label, rdtype, named_port):
+    """any label non-matching rdtype must result in to NODATA"""
+    check_answer_nodata(*query(IPADDR, named_port, label, rdtype))
+
+
+def check_answer_nodata(querymsg, answer):
+    assert querymsg.is_response(answer), str(answer)
+    assert answer.rcode() == dns.rcode.NOERROR, str(answer)
+    assert answer.answer == [], str(answer)
+
+
+@given(label=binary(min_size=1, max_size=63))
+def test_wildcard_match(label, named_port):
+    """any label with maching rdtype must result in wildcard data in answer"""
+    check_answer_noerror(*query(IPADDR, named_port, label, WILDCARD_RDTYPE))
+
+
+def check_answer_noerror(querymsg, answer):
+    assert querymsg.is_response(answer), str(answer)
+    assert answer.rcode() == dns.rcode.NOERROR, str(answer)
+    assert len(querymsg.question) == 1, str(answer)
+    expected_answer = [
+        dns.rrset.from_text(
+            querymsg.question[0].name,
+            300,  # TTL, ignored by dnspython comparison
+            dns.rdataclass.IN,
+            WILDCARD_RDTYPE,
+            WILDCARD_RDATA,
+        )
+    ]
+    assert answer.answer == expected_answer, str(answer)
diff --git a/bin/tests/system/win32/bigkey.vcxproj.filters.in b/bin/tests/system/win32/bigkey.vcxproj.filters.in
new file mode 100644
index 0000000..1b592a6
--- /dev/null
+++ b/bin/tests/system/win32/bigkey.vcxproj.filters.in
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\rsabigexponent\bigkey.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/tests/system/win32/bigkey.vcxproj.in b/bin/tests/system/win32/bigkey.vcxproj.in
new file mode 100644
index 0000000..7b4d59b
--- /dev/null
+++ b/bin/tests/system/win32/bigkey.vcxproj.in
@@ -0,0 +1,119 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{61F9D673-EB5C-47A5-8907-24E034C75EF8}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>bigkey</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\..\lib\isc\win32;..\..\..\..\lib\isc\win32\include;..\..\..\..\lib\isc\include;..\..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>..\..\..\..\lib\isc\win32\$(Configuration);..\..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@@LIBXML2_LIB@libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\..\lib\isc\win32;..\..\..\..\lib\isc\win32\include;..\..\..\..\lib\isc\include;..\..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>..\..\..\..\lib\isc\win32\$(Configuration);..\..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@@LIBXML2_LIB@libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\rsabigexponent\bigkey.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/tests/system/win32/bigkey.vcxproj.user b/bin/tests/system/win32/bigkey.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/tests/system/win32/bigkey.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/tests/system/win32/feature-test.vcxproj.filters.in b/bin/tests/system/win32/feature-test.vcxproj.filters.in
new file mode 100644
index 0000000..0e4fe58
--- /dev/null
+++ b/bin/tests/system/win32/feature-test.vcxproj.filters.in
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\feature-test.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/tests/system/win32/feature-test.vcxproj.in b/bin/tests/system/win32/feature-test.vcxproj.in
new file mode 100644
index 0000000..92311c9
--- /dev/null
+++ b/bin/tests/system/win32/feature-test.vcxproj.in
@@ -0,0 +1,119 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{63A921F6-1200-4723-828A-98960127B73D}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>feature-test</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\..\lib\isc\win32;..\..\..\..\lib\isc\win32\include;..\..\..\..\lib\isc\include;..\..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>..\..\..\..\lib\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@@LIBXML2_LIB@libisc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\..\lib\isc\win32;..\..\..\..\lib\isc\win32\include;..\..\..\..\lib\isc\include;..\..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>..\..\..\..\lib\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@@LIBXML2_LIB@libisc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\feature-test.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/tests/system/win32/feature-test.vcxproj.user b/bin/tests/system/win32/feature-test.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/tests/system/win32/feature-test.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/tests/system/win32/gencheck.vcxproj.filters.in b/bin/tests/system/win32/gencheck.vcxproj.filters.in
new file mode 100644
index 0000000..33431cf
--- /dev/null
+++ b/bin/tests/system/win32/gencheck.vcxproj.filters.in
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\rndc\gencheck.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/tests/system/win32/gencheck.vcxproj.in b/bin/tests/system/win32/gencheck.vcxproj.in
new file mode 100644
index 0000000..12b51d1
--- /dev/null
+++ b/bin/tests/system/win32/gencheck.vcxproj.in
@@ -0,0 +1,119 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{764DBE24-C8B3-46E8-BE73-196431353A5D}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>gencheck</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\..\;@LIBXML2_INC@..\..\..\..\lib\isc\win32;..\..\..\..\lib\isc\win32\include;..\..\..\..\lib\isc\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>..\..\..\..\lib\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@@LIBXML2_LIB@libisc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\..\;@LIBXML2_INC@..\..\..\..\lib\isc\win32;..\..\..\..\lib\isc\win32\include;..\..\..\..\lib\isc\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>..\..\..\..\lib\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@@LIBXML2_LIB@libisc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\rndc\gencheck.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/tests/system/win32/gencheck.vcxproj.user b/bin/tests/system/win32/gencheck.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/tests/system/win32/gencheck.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/tests/system/win32/keycreate.vcxproj.filters.in b/bin/tests/system/win32/keycreate.vcxproj.filters.in
new file mode 100644
index 0000000..09f4c3a
--- /dev/null
+++ b/bin/tests/system/win32/keycreate.vcxproj.filters.in
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\tkey\keycreate.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/tests/system/win32/keycreate.vcxproj.in b/bin/tests/system/win32/keycreate.vcxproj.in
new file mode 100644
index 0000000..e4313e9
--- /dev/null
+++ b/bin/tests/system/win32/keycreate.vcxproj.in
@@ -0,0 +1,119 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{4F9A0F6F-366D-4483-B131-793832840508}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>keycreate</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\..\lib\isc\win32;..\..\..\..\lib\isc\win32\include;..\..\..\..\lib\isc\include;..\..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>..\..\..\..\lib\isc\win32\$(Configuration);..\..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@@LIBXML2_LIB@libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\..\lib\isc\win32;..\..\..\..\lib\isc\win32\include;..\..\..\..\lib\isc\include;..\..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>..\..\..\..\lib\isc\win32\$(Configuration);..\..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@@LIBXML2_LIB@libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\tkey\keycreate.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/tests/system/win32/keycreate.vcxproj.user b/bin/tests/system/win32/keycreate.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/tests/system/win32/keycreate.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/tests/system/win32/keydelete.vcxproj.filters.in b/bin/tests/system/win32/keydelete.vcxproj.filters.in
new file mode 100644
index 0000000..1e8cb3d
--- /dev/null
+++ b/bin/tests/system/win32/keydelete.vcxproj.filters.in
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\tkey\keydelete.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/tests/system/win32/keydelete.vcxproj.in b/bin/tests/system/win32/keydelete.vcxproj.in
new file mode 100644
index 0000000..6c77f65
--- /dev/null
+++ b/bin/tests/system/win32/keydelete.vcxproj.in
@@ -0,0 +1,119 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{85ADFF2A-BE31-4B8D-9089-9AD56CE78D7E}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>keydelete</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\..\lib\isc\win32;..\..\..\..\lib\isc\win32\include;..\..\..\..\lib\isc\include;..\..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>..\..\..\..\lib\isc\win32\$(Configuration);..\..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@@LIBXML2_LIB@libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\..\lib\isc\win32;..\..\..\..\lib\isc\win32\include;..\..\..\..\lib\isc\include;..\..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>..\..\..\..\lib\isc\win32\$(Configuration);..\..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@@LIBXML2_LIB@libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\tkey\keydelete.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/tests/system/win32/keydelete.vcxproj.user b/bin/tests/system/win32/keydelete.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/tests/system/win32/keydelete.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/tests/system/win32/pipequeries.vcxproj.filters.in b/bin/tests/system/win32/pipequeries.vcxproj.filters.in
new file mode 100644
index 0000000..62374cd
--- /dev/null
+++ b/bin/tests/system/win32/pipequeries.vcxproj.filters.in
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\pipelined\pipequeries.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/tests/system/win32/pipequeries.vcxproj.in b/bin/tests/system/win32/pipequeries.vcxproj.in
new file mode 100644
index 0000000..1ce5b0a
--- /dev/null
+++ b/bin/tests/system/win32/pipequeries.vcxproj.in
@@ -0,0 +1,119 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{E1478F40-786C-4738-8E99-E7A71DD98661}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>pipequeries</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\..\lib\isc\win32;..\..\..\..\lib\isc\win32\include;..\..\..\..\lib\isc\include;..\..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>..\..\..\..\lib\isc\win32\$(Configuration);..\..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@@LIBXML2_LIB@libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\..\lib\isc\win32;..\..\..\..\lib\isc\win32\include;..\..\..\..\lib\isc\include;..\..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>..\..\..\..\lib\isc\win32\$(Configuration);..\..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@@LIBXML2_LIB@libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\pipelined\pipequeries.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/tests/system/win32/pipequeries.vcxproj.user b/bin/tests/system/win32/pipequeries.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/tests/system/win32/pipequeries.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/tests/system/win32/resolve.vcxproj.filters.in b/bin/tests/system/win32/resolve.vcxproj.filters.in
new file mode 100644
index 0000000..882e23f
--- /dev/null
+++ b/bin/tests/system/win32/resolve.vcxproj.filters.in
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\resolve.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/tests/system/win32/resolve.vcxproj.in b/bin/tests/system/win32/resolve.vcxproj.in
new file mode 100644
index 0000000..36bd283
--- /dev/null
+++ b/bin/tests/system/win32/resolve.vcxproj.in
@@ -0,0 +1,119 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{F66D8B7E-721D-4602-99AD-820D19AD1313}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>resolve</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\..\lib\isc\win32;..\..\..\..\lib\isc\win32\include;..\..\..\..\lib\isc\include;..\..\..\..\lib\dns\include;..\..\..\..\lib\irs\win32\include;..\..\..\..\lib\irs\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>..\..\..\..\lib\isc\win32\$(Configuration);..\..\..\..\lib\dns\win32\$(Configuration);..\..\..\..\lib\irs\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@@LIBXML2_LIB@libisc.lib;libdns.lib;libirs.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\..\lib\isc\win32;..\..\..\..\lib\isc\win32\include;..\..\..\..\lib\isc\include;..\..\..\..\lib\dns\include;..\..\..\..\lib\irs\win32\include;..\..\..\..\lib\irs\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>..\..\..\..\lib\isc\win32\$(Configuration);..\..\..\..\lib\dns\win32\$(Configuration);..\..\..\..\lib\irs\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@@LIBXML2_LIB@libisc.lib;libdns.lib;libirs.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\resolve.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/tests/system/win32/resolve.vcxproj.user b/bin/tests/system/win32/resolve.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/tests/system/win32/resolve.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/tests/system/xfer/ans5/badkeydata b/bin/tests/system/xfer/ans5/badkeydata
new file mode 100644
index 0000000..8dc80fb
--- /dev/null
+++ b/bin/tests/system/xfer/ans5/badkeydata
@@ -0,0 +1,10 @@
+/SOA tsig_key LSAnCU+Z/
+nil.      	300	SOA	ns.nil. root.nil. 3 300 300 604800 300
+/AXFR tsig_key abcd1234ffff/
+nil.      	300	SOA	ns.nil. root.nil. 3 300 300 604800 300
+/AXFR tsig_key abcd1234ffff/
+nil.      	300	NS	ns.nil.
+nil.		300	TXT	"bad keydata AXFR"
+a.nil.		60	A	10.0.0.61
+/AXFR tsig_key abcd1234ffff/
+nil.      	300	SOA	ns.nil. root.nil. 3 300 300 604800 300
diff --git a/bin/tests/system/xfer/ans5/badmessageid b/bin/tests/system/xfer/ans5/badmessageid
new file mode 100644
index 0000000..e0dc041
--- /dev/null
+++ b/bin/tests/system/xfer/ans5/badmessageid
@@ -0,0 +1,10 @@
+/SOA tsig_key LSAnCU+Z/
+nil.      	300	SOA	ns.nil. root.nil. 1 300 300 604800 300
+/AXFR tsig_key LSAnCU+Z/
+nil.      	300	SOA	ns.nil. root.nil. 1 300 300 604800 300
+/AXFR bad-id tsig_key LSAnCU+Z/
+nil.      	300	NS	ns.nil.
+nil.		300	TXT	"bad message id"
+a.nil.		60	A	10.0.0.61
+/AXFR bad-id tsig_key LSAnCU+Z/
+nil.      	300	SOA	ns.nil. root.nil. 1 300 300 604800 300
diff --git a/bin/tests/system/xfer/ans5/goodaxfr b/bin/tests/system/xfer/ans5/goodaxfr
new file mode 100644
index 0000000..e5ccd43
--- /dev/null
+++ b/bin/tests/system/xfer/ans5/goodaxfr
@@ -0,0 +1,10 @@
+/SOA tsig_key LSAnCU+Z/
+nil.      	300	SOA	ns.nil. root.nil. 1 300 300 604800 300
+/AXFR tsig_key LSAnCU+Z/
+nil.      	300	SOA	ns.nil. root.nil. 1 300 300 604800 300
+/AXFR tsig_key LSAnCU+Z/
+nil.      	300	NS	ns.nil.
+nil.		300	TXT	"initial AXFR"
+a.nil.		60	A	10.0.0.61
+/AXFR tsig_key LSAnCU+Z/
+nil.      	300	SOA	ns.nil. root.nil. 1 300 300 604800 300
diff --git a/bin/tests/system/xfer/ans5/partial b/bin/tests/system/xfer/ans5/partial
new file mode 100644
index 0000000..e7eff8e
--- /dev/null
+++ b/bin/tests/system/xfer/ans5/partial
@@ -0,0 +1,11 @@
+/SOA tsig_key LSAnCU+Z/
+nil.      	300	SOA	ns.nil. root.nil. 4 300 300 604800 300
+/AXFR tsig_key LSAnCU+Z/
+nil.      	300	SOA	ns.nil. root.nil. 4 300 300 604800 300
+/AXFR/
+nil.      	300	NS	ns.nil.
+nil.		300	TXT	"partially signed AXFR"
+a.nil.		60	A	10.0.0.61
+b.nil.		60	A	10.0.0.62
+/AXFR/
+nil.      	300	SOA	ns.nil. root.nil. 4 300 300 604800 300
diff --git a/bin/tests/system/xfer/ans5/soamismatch b/bin/tests/system/xfer/ans5/soamismatch
new file mode 100644
index 0000000..14cfa41
--- /dev/null
+++ b/bin/tests/system/xfer/ans5/soamismatch
@@ -0,0 +1,10 @@
+/SOA tsig_key LSAnCU+Z/
+nil.      	300	SOA	ns.nil. root.nil. 1 300 300 604800 300
+/AXFR tsig_key LSAnCU+Z/
+nil.      	300	SOA	ns.nil. root.nil. 1 300 300 604800 300
+/AXFR tsig_key LSAnCU+Z/
+nil.      	300	NS	ns.nil.
+nil.		300	TXT	"SOA mismatch AXFR"
+a.nil.		60	A	10.0.0.61
+/AXFR tsig_key LSAnCU+Z/
+nil.      	300	SOA	whatever. other. 1 300 300 604800 300
diff --git a/bin/tests/system/xfer/ans5/unknownkey b/bin/tests/system/xfer/ans5/unknownkey
new file mode 100644
index 0000000..da7889b
--- /dev/null
+++ b/bin/tests/system/xfer/ans5/unknownkey
@@ -0,0 +1,11 @@
+/SOA bad_key LSAnCU+Z/
+nil.      	300	SOA	ns.nil. root.nil. 5 300 300 604800 300
+/AXFR bad_key LSAnCU+Z/
+nil.      	300	SOA	ns.nil. root.nil. 5 300 300 604800 300
+/AXFR bad_key LSAnCU+Z/
+nil.      	300	NS	ns.nil.
+nil.		300	TXT	"unknown key AXFR"
+a.nil.		60	A	10.0.0.61
+b.nil.		60	A	10.0.0.62
+/AXFR bad_key LSAnCU+Z/
+nil.      	300	SOA	ns.nil. root.nil. 5 300 300 604800 300
diff --git a/bin/tests/system/xfer/ans5/unsigned b/bin/tests/system/xfer/ans5/unsigned
new file mode 100644
index 0000000..3fe04db
--- /dev/null
+++ b/bin/tests/system/xfer/ans5/unsigned
@@ -0,0 +1,11 @@
+/SOA tsig_key LSAnCU+Z/
+nil.      	300	SOA	ns.nil. root.nil. 2 300 300 604800 300
+/AXFR/
+nil.      	300	SOA	ns.nil. root.nil. 2 300 300 604800 300
+/AXFR/
+nil.      	300	NS	ns.nil.
+nil.		300	TXT	"unsigned AXFR"
+a.nil.		60	A	10.0.0.61
+b.nil.		60	A	10.0.0.62
+/AXFR/
+nil.      	300	SOA	ns.nil. root.nil. 2 300 300 604800 300
diff --git a/bin/tests/system/xfer/ans5/wrongkey b/bin/tests/system/xfer/ans5/wrongkey
new file mode 100644
index 0000000..af120b0
--- /dev/null
+++ b/bin/tests/system/xfer/ans5/wrongkey
@@ -0,0 +1,11 @@
+/SOA unused_key LSAnCU+Z/
+nil.      	300	SOA	ns.nil. root.nil. 6 300 300 604800 300
+/AXFR unused_key LSAnCU+Z/
+nil.      	300	SOA	ns.nil. root.nil. 6 300 300 604800 300
+/AXFR unused_key LSAnCU+Z/
+nil.      	300	NS	ns.nil.
+nil.		300	TXT	"incorrect key AXFR"
+a.nil.		60	A	10.0.0.61
+b.nil.		60	A	10.0.0.62
+/AXFR unused_key LSAnCU+Z/
+nil.      	300	SOA	ns.nil. root.nil. 6 300 300 604800 300
diff --git a/bin/tests/system/xfer/axfr-stats.good b/bin/tests/system/xfer/axfr-stats.good
new file mode 100644
index 0000000..264af09
--- /dev/null
+++ b/bin/tests/system/xfer/axfr-stats.good
@@ -0,0 +1,3 @@
+messages=16
+records=10003
+bytes=218227
diff --git a/bin/tests/system/xfer/clean.sh b/bin/tests/system/xfer/clean.sh
new file mode 100644
index 0000000..2851553
--- /dev/null
+++ b/bin/tests/system/xfer/clean.sh
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Clean up after zone transfer tests.
+#
+
+rm -f */ans.run
+rm -f */named.conf
+rm -f */named.memstats
+rm -f */named.run
+rm -f */named.run.prev
+rm -f axfr.out
+rm -f dig.out.*
+rm -f ns*/managed-keys.bind*
+rm -f ns*/named.lock
+rm -f ns1/edns-expire.db
+rm -f ns1/ixfr-too-big.db ns1/ixfr-too-big.db.jnl
+rm -f ns1/sec.db ns2/sec.db
+rm -f ns2/example.db ns2/tsigzone.db ns2/example.db.jnl
+rm -f ns2/mapped.db
+rm -f ns3/example.bk ns3/xfer-stats.bk ns3/tsigzone.bk ns3/example.bk.jnl
+rm -f ns3/mapped.bk
+rm -f ns3/primary.bk ns3/primary.bk.jnl
+rm -f ns4/*.db ns4/*.jnl
+rm -f ns6/*.db ns6/*.bk ns6/*.jnl
+rm -f ns7/*.db ns7/*.bk ns7/*.jnl
+rm -f ns8/large.db ns8/small.db
+rm -f stats.*
diff --git a/bin/tests/system/xfer/dig1.good b/bin/tests/system/xfer/dig1.good
new file mode 100644
index 0000000..9fa5437
--- /dev/null
+++ b/bin/tests/system/xfer/dig1.good
@@ -0,0 +1,178 @@
+example.		86400	IN	SOA	ns2.example. hostmaster.example. 1397051952 5 5 1814400 3600
+example.		3600	IN	NS	ns2.example.
+example.		3600	IN	NS	ns3.example.
+a01.example.		3600	IN	A	0.0.0.0
+a02.example.		3600	IN	A	255.255.255.255
+a601.example.		3600	IN	A6	0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+a601.example.		3600	IN	A6	64 ::ffff:ffff:ffff:ffff foo.
+a601.example.		3600	IN	A6	127 ::1 foo.
+a601.example.		3600	IN	A6	128  .
+aaaa01.example.		3600	IN	AAAA	::1
+aaaa02.example.		3600	IN	AAAA	fd92:7065:b8e:ffff::5
+afsdb01.example.	3600	IN	AFSDB	0 hostname.example.
+afsdb02.example.	3600	IN	AFSDB	65535 .
+amtrelay01.example.	3600	IN	AMTRELAY 0 0 0
+amtrelay02.example.	3600	IN	AMTRELAY 0 1 0
+amtrelay03.example.	3600	IN	AMTRELAY 0 0 1 0.0.0.0
+amtrelay04.example.	3600	IN	AMTRELAY 0 0 2 ::
+amtrelay05.example.	3600	IN	AMTRELAY 0 0 3 example.net.
+amtrelay06.example.	3600	IN	AMTRELAY \# 2 0004
+apl01.example.		3600	IN	APL	!1:10.0.0.1/32 1:10.0.0.0/24
+apl02.example.		3600	IN	APL
+atma01.example.		3600	IN	ATMA	+61200000000
+atma02.example.		3600	IN	ATMA	+61200000000
+atma03.example.		3600	IN	ATMA	1234567890abcdef
+atma04.example.		3600	IN	ATMA	fedcba0987654321
+avc.example.		3600	IN	AVC	"foo:bar"
+caa01.example.		3600	IN	CAA	0 issue "ca.example.net; policy=ev"
+caa02.example.		3600	IN	CAA	128 tbs "Unknown"
+caa03.example.		3600	IN	CAA	128 tbs ""
+cdnskey01.example.	3600	IN	CDNSKEY	512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8=
+cds01.example.		3600	IN	CDS	30795 1 1 310D27F4D82C1FC2400704EA9939FE6E1CEAA3B9
+cert01.example.		3600	IN	CERT	65534 65535 PRIVATEOID MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgiWCn/GxHhai6V AuHAoNUz4YoU1tVfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY=
+cname01.example.	3600	IN	CNAME	cname-target.
+cname02.example.	3600	IN	CNAME	cname-target.example.
+cname03.example.	3600	IN	CNAME	.
+csync01.example.	3600	IN	CSYNC	0 0 A NS AAAA
+csync02.example.	3600	IN	CSYNC	0 0
+dhcid01.example.	3600	IN	DHCID	AAIBY2/AuCccgoJbsaxcQc9TUapptP69lOjxfNuVAA2kjEA=
+dhcid02.example.	3600	IN	DHCID	AAEBOSD+XR3Os/0LozeXVqcNc7FwCfQdWL3b/NaiUDlW2No=
+dhcid03.example.	3600	IN	DHCID	AAABxLmlskllE0MVjd57zHcWmEH3pCQ6VytcKD//7es/deY=
+dlv.example.		3600	IN	DLV	30795 1 1 310D27F4D82C1FC2400704EA9939FE6E1CEAA3B9
+dname01.example.	3600	IN	DNAME	dname-target.
+dname02.example.	3600	IN	DNAME	dname-target.example.
+dname03.example.	3600	IN	DNAME	.
+doa01.example.		3600	IN	DOA	1234567890 1234567890 1 "image/gif" R0lGODlhKAAZAOMCAGZmZgBmmf///zOZzMz//5nM/zNmmWbM/5nMzMzMzACZ/////////////////////yH5BAEKAA8ALAAAAAAoABkAAATH8IFJK5U2a4337F5ogRkpnoCJrly7PrCKyh8c3HgAhzT35MDbbtO7/IJIHbGiOiaTxVTpSVWWLqNq1UVyapNS1wd3OAxug0LhnCubcVhsxysQnOt4ATpvvzHlFzl1AwODhWeFAgRpen5/UhheAYMFdUB4SFcpGEGGdQeCAqBBLTuSk30EeXd9pEsAbKGxjHqDSE0Sp6ixN4N1BJmbc7lIhmsBich1awPAjkY1SZR8bJWrz382SGqIBQQFQd4IsUTaX+ceuudPEQA7
+doa02.example.		3600	IN	DOA	0 1 2 "" aHR0cHM6Ly93d3cuaXNjLm9yZy8=
+ds01.example.		3600	IN	NS	ns42.example.
+ds01.example.		3600	IN	DS	12892 5 2 26584835CA80C81C91999F31CFAF2A0E89D4FF1C8FAFD0DDB31A85C7 19277C13
+ds02.example.		3600	IN	NS	ns43.example.
+ds02.example.		3600	IN	DS	12892 5 1 7AA4A3F416C2F2391FB7AB0D434F762CD62D1390
+eid01.example.		3600	IN	EID	1289AB
+eui48.example.		3600	IN	EUI48	01-23-45-67-89-ab
+eui64.example.		3600	IN	EUI64	01-23-45-67-89-ab-cd-ef
+gid01.example.		3600	IN	GID	\# 1 03
+unspec01.example.	3600	IN	UNSPEC	\# 1 04
+gpos01.example.		3600	IN	GPOS	"-22.6882" "116.8652" "250.0"
+gpos02.example.		3600	IN	GPOS	"" "" ""
+hinfo01.example.	3600	IN	HINFO	"Generic PC clone" "NetBSD-1.4"
+hinfo02.example.	3600	IN	HINFO	"PC" "NetBSD"
+hip1.example.		3600	IN	HIP	2 200100107B1A74DF365639CC39F1D578 AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D
+hip2.example.		3600	IN	HIP	2 200100107B1A74DF365639CC39F1D578 AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D rvs.example.com.
+https0.example.		3600	IN	HTTPS 0 example.net.
+https1.example.		3600	IN	HTTPS 1 . port=60
+ipseckey01.example.	3600	IN	IPSECKEY  10 1 2 192.0.2.38 AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
+ipseckey02.example.	3600	IN	IPSECKEY  10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
+ipseckey03.example.	3600	IN	IPSECKEY  10 1 2 192.0.2.3 AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
+ipseckey04.example.	3600	IN	IPSECKEY  10 3 2 mygateway.example.com. AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
+ipseckey05.example.	3600	IN	IPSECKEY  10 2 2 2001:db8:0:8002::2000:1 AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
+isdn01.example.		3600	IN	ISDN	"isdn-address"
+isdn02.example.		3600	IN	ISDN	"isdn-address" "subaddress"
+isdn03.example.		3600	IN	ISDN	"isdn-address"
+isdn04.example.		3600	IN	ISDN	"isdn-address" "subaddress"
+dnskey01.example.	3600	IN	DNSKEY	512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8=
+keydata.example.	3600	IN	TYPE65533 \# 0
+keydata.example.	3600	IN	TYPE65533 \# 6 010203040506
+keydata.example.	3600	IN	TYPE65533 \# 18 010203040506010203040506010203040506
+kx01.example.		3600	IN	KX	10 kdc.example.
+kx02.example.		3600	IN	KX	10 .
+loc01.example.		3600	IN	LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+loc02.example.		3600	IN	LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+l32.example.		3600	IN	L32	10 1.2.3.4
+l64.example.		3600	IN	L64	10 14:4fff:ff20:ee64
+lp.example.		3600	IN	LP	10 example.net.
+nid.example.		3600	IN	NID	10 14:4fff:ff20:ee64
+mb01.example.		3600	IN	MG	madname.example.
+mb02.example.		3600	IN	MG	.
+mg01.example.		3600	IN	MG	mgmname.example.
+mg02.example.		3600	IN	MG	.
+minfo01.example.	3600	IN	MINFO	rmailbx.example. emailbx.example.
+minfo02.example.	3600	IN	MINFO	. .
+mr01.example.		3600	IN	MR	mrname.example.
+mr02.example.		3600	IN	MR	.
+mx01.example.		3600	IN	MX	10 mail.example.
+mx02.example.		3600	IN	MX	10 .
+naptr01.example.	3600	IN	NAPTR	0 0 "" "" "" .
+naptr02.example.	3600	IN	NAPTR	65535 65535 "blurgh" "blorf" "blllbb" foo.
+nimloc01.example.	3600	IN	NIMLOC	1289AB
+ninfo01.example.	3600	IN	NINFO	"foo"
+ninfo02.example.	3600	IN	NINFO	"foo" "bar"
+ninfo03.example.	3600	IN	NINFO	"foo"
+ninfo04.example.	3600	IN	NINFO	"foo" "bar"
+ninfo05.example.	3600	IN	NINFO	"foo bar"
+ninfo06.example.	3600	IN	NINFO	"foo bar"
+ninfo07.example.	3600	IN	NINFO	"foo bar"
+ninfo08.example.	3600	IN	NINFO	"foo\010bar"
+ninfo09.example.	3600	IN	NINFO	"foo\010bar"
+ninfo10.example.	3600	IN	NINFO	"foo bar"
+ninfo11.example.	3600	IN	NINFO	"\"foo\""
+ninfo12.example.	3600	IN	NINFO	"\"foo\""
+ninfo13.example.	3600	IN	NINFO	"foo;"
+ninfo14.example.	3600	IN	NINFO	"foo;"
+ninfo15.example.	3600	IN	NINFO	"bar\\;"
+ns2.example.		3600	IN	A	10.53.0.2
+ns3.example.		3600	IN	A	10.53.0.3
+nsap-ptr01.example.	3600	IN	NSAP-PTR .
+nsap-ptr01.example.	3600	IN	NSAP-PTR foo.
+nsap01.example.		3600	IN	NSAP	0x47000580005a0000000001e133ffffff00016100
+nsap02.example.		3600	IN	NSAP	0x47000580005a0000000001e133ffffff00016100
+nsec01.example.		3600	IN	NSEC	a.secure.nil. NS SOA MX LOC RRSIG NSEC DNSKEY
+nsec02.example.		3600	IN	NSEC	. NSAP-PTR NSEC
+nsec03.example.		3600	IN	NSEC	. A
+nsec04.example.		3600	IN	NSEC	. TYPE127
+openpgpkey.example.	3600	IN	OPENPGPKEY  AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8=
+ptr01.example.		3600	IN	PTR	example.
+px01.example.		3600	IN	PX	65535 foo. bar.
+px02.example.		3600	IN	PX	65535 . .
+rkey01.example.		3600	IN	RKEY	0 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8=
+rp01.example.		3600	IN	RP	mbox-dname.example. txt-dname.example.
+rp02.example.		3600	IN	RP	. .
+rt01.example.		3600	IN	RT	0 intermediate-host.example.
+rt02.example.		3600	IN	RT	65535 .
+rrsig01.example.		3600	IN	RRSIG	NSEC 1 3 3600 20000102030405 19961211100908 2143 foo.nil. MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgiWCn/GxHhai6V AuHAoNUz4YoU1tVfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY=
+spf01.example.		3600	IN	SPF	"v=spf1 -all"
+spf02.example.		3600	IN	SPF	"v=spf1" " -all"
+sshfp01.example.	3600	IN	SSHFP	4 2 C76D8329954DA2835751E371544E963EFDA099080D6C58DD2BFD9A31 6E162C83
+sshfp02.example.	3600	IN	SSHFP	1 2 BF29468C83AC58CCF8C85AB7B3BEB054ECF1E38512B8353AB36471FA 88961DCC
+sink01.example.		3600	IN	SINK	1 0 0
+sink02.example.		3600	IN	SINK	8 0 2 l4ik
+smimea.example.		3600	IN	SMIMEA	1 1 2 92003BA34942DC74152E2F2C408D29ECA5A520E7F2E06BB944F4DCA3 46BAF63C1B177615D466F6C4B71C216A50292BD58C9EBDD2F74E38FE 51FFD48C43326CBC
+srv01.example.		3600	IN	SRV	0 0 0 .
+srv02.example.		3600	IN	SRV	65535 65535 65535 old-slow-box.example.
+svcb0.example.		3600	IN	SVCB	0 example.net.
+svcb1.example.		3600	IN	SVCB	1 . port=60
+ta.example.		3600	IN	TA	30795 1 1 310D27F4D82C1FC2400704EA9939FE6E1CEAA3B9
+talink0.example.	3600	IN	TALINK	. talink1.example.
+talink1.example.	3600	IN	TALINK	talink0.example. talink2.example.
+talink2.example.	3600	IN	TALINK	talink2.example. .
+tlsa.example.		3600	IN	TLSA	1 1 2 92003BA34942DC74152E2F2C408D29ECA5A520E7F2E06BB944F4DCA3 46BAF63C1B177615D466F6C4B71C216A50292BD58C9EBDD2F74E38FE 51FFD48C43326CBC
+txt01.example.		3600	IN	TXT	"foo"
+txt02.example.		3600	IN	TXT	"foo" "bar"
+txt03.example.		3600	IN	TXT	"foo"
+txt04.example.		3600	IN	TXT	"foo" "bar"
+txt05.example.		3600	IN	TXT	"foo bar"
+txt06.example.		3600	IN	TXT	"foo bar"
+txt07.example.		3600	IN	TXT	"foo bar"
+txt08.example.		3600	IN	TXT	"foo\010bar"
+txt09.example.		3600	IN	TXT	"foo\010bar"
+txt10.example.		3600	IN	TXT	"foo bar"
+txt11.example.		3600	IN	TXT	"\"foo\""
+txt12.example.		3600	IN	TXT	"\"foo\""
+txt13.example.		3600	IN	TXT	"foo;"
+txt14.example.		3600	IN	TXT	"foo;"
+txt15.example.		3600	IN	TXT	"bar\\;"
+uid01.example.		3600	IN	UID	\# 1 02
+uinfo01.example.	3600	IN	UINFO	\# 1 01
+uri01.example.		3600	IN	URI	10 20 "https://www.isc.org/"
+uri02.example.		3600	IN	URI	30 40 "https://www.isc.org/HolyCowThisSureIsAVeryLongURIRecordIDontEvenKnowWhatSomeoneWouldEverWantWithSuchAThingButTheSpecificationRequiresThatWesupportItSoHereWeGoTestingItLaLaLaLaLaLaLaSeriouslyThoughWhyWouldYouEvenConsiderUsingAURIThisLongItSeemsLikeASillyIdeaButEnhWhatAreYouGonnaDo/"
+uri03.example.		3600	IN	URI	30 40 ""
+wks01.example.		3600	IN	WKS	10.0.0.1 6 0 1 2 21 23
+wks02.example.		3600	IN	WKS	10.0.0.1 17 0 1 2 53
+wks03.example.		3600	IN	WKS	10.0.0.2 6 65535
+x2501.example.		3600	IN	X25	"123456789"
+zonemd01.example.	3600    IN	ZONEMD	2019020700 1 1 C220B8A6ED5728A971902F7E3D4FD93ADEEA88B0453C2E8E8C863D46 5AB06CF34EB95B266398C98B59124FA239CB7EEB
+zonemd02.example.	3600	IN	ZONEMD	2019020700 1 2 08CFA1115C7B948C4163A901270395EA226A930CD2CBCF2FA9A5E6EB 85F37C8A4E114D884E66F176EAB121CB02DB7D652E0CC4827E7A3204 F166B47E5613FD27
+8f1tmio9avcom2k0frp92lgcumak0cad.example. 3600 IN NSEC3 1 0 10 D2CF0294C020CE6C 8FPNS2UCT7FBS643THP2B77PEQ77K6IU A NS SOA MX AAAA RRSIG DNSKEY NSEC3PARAM
+kcd3juae64f9c5csl1kif1htaui7un0g.example. 3600 IN NSEC3 1 0 10 D2CF0294C020CE6C KD5MN2M20340DGO0BL7NTSB8JP4BSC7E
+mr5ukvsk1l37btu4q7b1dfevft4hkqdk.example. 3600 IN NSEC3 1 0 10 D2CF0294C020CE6C MT38J6VG7S0SN5G17MCUF6IQIKFUAJ05 A AAAA RRSIG
+example.		86400	IN	SOA	ns2.example. hostmaster.example. 1397051952 5 5 1814400 3600
diff --git a/bin/tests/system/xfer/dig2.good b/bin/tests/system/xfer/dig2.good
new file mode 100644
index 0000000..2229f9c
--- /dev/null
+++ b/bin/tests/system/xfer/dig2.good
@@ -0,0 +1,178 @@
+example.		86400	IN	SOA	ns2.example. hostmaster.example. 1397051953 5 5 1814400 3600
+example.		3600	IN	NS	ns2.example.
+example.		3600	IN	NS	ns3.example.
+a01.example.		3600	IN	A	0.0.0.1
+a02.example.		3600	IN	A	255.255.255.255
+a601.example.		3600	IN	A6	0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+a601.example.		3600	IN	A6	64 ::ffff:ffff:ffff:ffff foo.
+a601.example.		3600	IN	A6	127 ::1 foo.
+a601.example.		3600	IN	A6	128  .
+aaaa01.example.		3600	IN	AAAA	::1
+aaaa02.example.		3600	IN	AAAA	fd92:7065:b8e:ffff::5
+afsdb01.example.	3600	IN	AFSDB	0 hostname.example.
+afsdb02.example.	3600	IN	AFSDB	65535 .
+amtrelay01.example.	3600	IN	AMTRELAY 0 0 0
+amtrelay02.example.	3600	IN	AMTRELAY 0 1 0
+amtrelay03.example.	3600	IN	AMTRELAY 0 0 1 0.0.0.1
+amtrelay04.example.	3600	IN	AMTRELAY 0 0 2 ::
+amtrelay05.example.	3600	IN	AMTRELAY 0 0 3 example.net.
+amtrelay06.example.	3600	IN	AMTRELAY \# 2 0004
+apl01.example.		3600	IN	APL	!1:10.0.0.1/32 1:10.0.0.1/24
+apl02.example.		3600	IN	APL
+atma01.example.		3600	IN	ATMA	+61200000000
+atma02.example.		3600	IN	ATMA	+61200000000
+atma03.example.		3600	IN	ATMA	1234567890abcdef
+atma04.example.		3600	IN	ATMA	fedcba0987654321
+avc.example.		3600	IN	AVC	"foo:bar"
+caa01.example.		3600	IN	CAA	0 issue "ca.example.net; policy=ev"
+caa02.example.		3600	IN	CAA	128 tbs "Unknown"
+caa03.example.		3600	IN	CAA	128 tbs ""
+cdnskey01.example.	3600	IN	CDNSKEY	512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8=
+cds01.example.		3600	IN	CDS	30795 1 1 310D27F4D82C1FC2400704EA9939FE6E1CEAA3B9
+cert01.example.		3600	IN	CERT	65534 65535 PRIVATEOID MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgiWCn/GxHhai6V AuHAoNUz4YoU1tVfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY=
+cname01.example.	3600	IN	CNAME	cname-target.
+cname02.example.	3600	IN	CNAME	cname-target.example.
+cname03.example.	3600	IN	CNAME	.
+csync01.example.	3600	IN	CSYNC	0 0 A NS AAAA
+csync02.example.	3600	IN	CSYNC	0 0
+dhcid01.example.	3600	IN	DHCID	AAIBY2/AuCccgoJbsaxcQc9TUapptP69lOjxfNuVAA2kjEA=
+dhcid02.example.	3600	IN	DHCID	AAEBOSD+XR3Os/0LozeXVqcNc7FwCfQdWL3b/NaiUDlW2No=
+dhcid03.example.	3600	IN	DHCID	AAABxLmlskllE0MVjd57zHcWmEH3pCQ6VytcKD//7es/deY=
+dlv.example.		3600	IN	DLV	30795 1 1 310D27F4D82C1FC2400704EA9939FE6E1CEAA3B9
+dname01.example.	3600	IN	DNAME	dname-target.
+dname02.example.	3600	IN	DNAME	dname-target.example.
+dname03.example.	3600	IN	DNAME	.
+doa01.example.		3600	IN	DOA	1234567890 1234567890 1 "image/gif" R0lGODlhKAAZAOMCAGZmZgBmmf///zOZzMz//5nM/zNmmWbM/5nMzMzMzACZ/////////////////////yH5BAEKAA8ALAAAAAAoABkAAATH8IFJK5U2a4337F5ogRkpnoCJrly7PrCKyh8c3HgAhzT35MDbbtO7/IJIHbGiOiaTxVTpSVWWLqNq1UVyapNS1wd3OAxug0LhnCubcVhsxysQnOt4ATpvvzHlFzl1AwODhWeFAgRpen5/UhheAYMFdUB4SFcpGEGGdQeCAqBBLTuSk30EeXd9pEsAbKGxjHqDSE0Sp6ixN4N1BJmbc7lIhmsBich1awPAjkY1SZR8bJWrz382SGqIBQQFQd4IsUTaX+ceuudPEQA7
+doa02.example.		3600	IN	DOA	0 1 2 "" aHR0cHM6Ly93d3cuaXNjLm9yZy8=
+ds01.example.		3600	IN	NS	ns42.example.
+ds01.example.		3600	IN	DS	12892 5 2 26584835CA80C81C91999F31CFAF2A0E89D4FF1C8FAFD0DDB31A85C7 19277C13
+ds02.example.		3600	IN	NS	ns43.example.
+ds02.example.		3600	IN	DS	12892 5 1 7AA4A3F416C2F2391FB7AB0D434F762CD62D1390
+eid01.example.		3600	IN	EID	1289AB
+eui48.example.		3600	IN	EUI48   01-23-45-67-89-ab
+eui64.example.		3600	IN	EUI64	01-23-45-67-89-ab-cd-ef
+gid01.example.		3600	IN	GID	\# 1 03
+unspec01.example.	3600	IN	UNSPEC	\# 1 04
+gpos01.example.		3600	IN	GPOS	"-22.6882" "116.8652" "250.0"
+gpos02.example.		3600	IN	GPOS	"" "" ""
+hinfo01.example.	3600	IN	HINFO	"Generic PC clone" "NetBSD-1.4"
+hinfo02.example.	3600	IN	HINFO	"PC" "NetBSD"
+ipseckey01.example.	3600	IN	IPSECKEY  10 1 2 192.0.2.38 AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
+ipseckey02.example.	3600	IN	IPSECKEY  10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
+ipseckey03.example.	3600	IN	IPSECKEY  10 1 2 192.0.2.3 AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
+ipseckey04.example.	3600	IN	IPSECKEY  10 3 2 mygateway.example.com. AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
+ipseckey05.example.	3600	IN	IPSECKEY  10 2 2 2001:db8:0:8002::2000:1 AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
+isdn01.example.		3600	IN	ISDN	"isdn-address"
+isdn02.example.		3600	IN	ISDN	"isdn-address" "subaddress"
+isdn03.example.		3600	IN	ISDN	"isdn-address"
+isdn04.example.		3600	IN	ISDN	"isdn-address" "subaddress"
+hip1.example.		3600	IN	HIP	2 200100107B1A74DF365639CC39F1D578 AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D
+hip2.example.		3600	IN 	HIP	2 200100107B1A74DF365639CC39F1D578 AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D rvs.example.com.
+dnskey01.example.	3600	IN	DNSKEY	512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8=
+https0.example.		3600	IN	HTTPS 0 example.net.
+https1.example.		3600	IN	HTTPS 1 . port=60
+keydata.example.	3600	IN	TYPE65533 \# 0
+keydata.example.	3600	IN	TYPE65533 \# 6 010203040506
+keydata.example.	3600	IN	TYPE65533 \# 18 010203040506010203040506010203040506
+kx01.example.		3600	IN	KX	10 kdc.example.
+kx02.example.		3600	IN	KX	10 .
+loc01.example.		3600	IN	LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+loc02.example.		3600	IN	LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+l32.example.		3600	IN	L32	10 1.2.3.4
+l64.example.		3600	IN	L64	10 14:4fff:ff20:ee64
+lp.example.		3600	IN	LP	10 example.net.
+nid.example.		3600	IN	NID	10 14:4fff:ff20:ee64
+mb01.example.		3600	IN	MG	madname.example.
+mb02.example.		3600	IN	MG	.
+mg01.example.		3600	IN	MG	mgmname.example.
+mg02.example.		3600	IN	MG	.
+minfo01.example.	3600	IN	MINFO	rmailbx.example. emailbx.example.
+minfo02.example.	3600	IN	MINFO	. .
+mr01.example.		3600	IN	MR	mrname.example.
+mr02.example.		3600	IN	MR	.
+mx01.example.		3600	IN	MX	10 mail.example.
+mx02.example.		3600	IN	MX	10 .
+naptr01.example.	3600	IN	NAPTR	0 0 "" "" "" .
+naptr02.example.	3600	IN	NAPTR	65535 65535 "blurgh" "blorf" "blllbb" foo.
+nimloc01.example.	3600	IN	NIMLOC	1289AB
+ninfo01.example.	3600	IN	NINFO	"foo"
+ninfo02.example.	3600	IN	NINFO	"foo" "bar"
+ninfo03.example.	3600	IN	NINFO	"foo"
+ninfo04.example.	3600	IN	NINFO	"foo" "bar"
+ninfo05.example.	3600	IN	NINFO	"foo bar"
+ninfo06.example.	3600	IN	NINFO	"foo bar"
+ninfo07.example.	3600	IN	NINFO	"foo bar"
+ninfo08.example.	3600	IN	NINFO	"foo\010bar"
+ninfo09.example.	3600	IN	NINFO	"foo\010bar"
+ninfo10.example.	3600	IN	NINFO	"foo bar"
+ninfo11.example.	3600	IN	NINFO	"\"foo\""
+ninfo12.example.	3600	IN	NINFO	"\"foo\""
+ninfo13.example.	3600	IN	NINFO	"foo;"
+ninfo14.example.	3600	IN	NINFO	"foo;"
+ninfo15.example.	3600	IN	NINFO	"bar\\;"
+ns2.example.		3600	IN	A	10.53.0.2
+ns3.example.		3600	IN	A	10.53.0.3
+nsap-ptr01.example.	3600	IN	NSAP-PTR .
+nsap-ptr01.example.	3600	IN	NSAP-PTR foo.
+nsap01.example.		3600	IN	NSAP	0x47000580005a0000000001e133ffffff00016100
+nsap02.example.		3600	IN	NSAP	0x47000580005a0000000001e133ffffff00016100
+nsec01.example.		3600	IN	NSEC	a.secure.nil. NS SOA MX LOC RRSIG NSEC DNSKEY
+nsec02.example.		3600	IN	NSEC	. NSAP-PTR NSEC
+nsec03.example.		3600	IN	NSEC	. A
+nsec04.example.		3600	IN	NSEC	. TYPE127
+openpgpkey.example.	3600	IN	OPENPGPKEY  AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8=
+ptr01.example.		3600	IN	PTR	example.
+px01.example.		3600	IN	PX	65535 foo. bar.
+px02.example.		3600	IN	PX	65535 . .
+rkey01.example.		3600	IN	RKEY	0 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8=
+rp01.example.		3600	IN	RP	mbox-dname.example. txt-dname.example.
+rp02.example.		3600	IN	RP	. .
+rt01.example.		3600	IN	RT	0 intermediate-host.example.
+rt02.example.		3600	IN	RT	65535 .
+rrsig01.example.	3600	IN	RRSIG	NSEC 1 3 3600 20000102030405 19961211100908 2143 foo.nil. MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgiWCn/GxHhai6V AuHAoNUz4YoU1tVfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY=
+sink01.example.		3600	IN	SINK	1 0 0
+sink02.example.		3600	IN	SINK	8 0 2 l4ik
+smimea.example.		3600	IN	SMIMEA	1 1 2 92003BA34942DC74152E2F2C408D29ECA5A520E7F2E06BB944F4DCA3 46BAF63C1B177615D466F6C4B71C216A50292BD58C9EBDD2F74E38FE 51FFD48C43326CBC
+spf01.example.		3600	IN	SPF	"v=spf1 -all"
+spf02.example.		3600	IN	SPF	"v=spf1" " -all"
+srv01.example.		3600	IN	SRV	0 0 0 .
+srv02.example.		3600	IN	SRV	65535 65535 65535 old-slow-box.example.
+sshfp01.example.	3600	IN	SSHFP	4 2 C76D8329954DA2835751E371544E963EFDA099080D6C58DD2BFD9A31 6E162C83
+sshfp02.example.	3600	IN	SSHFP	1 2 BF29468C83AC58CCF8C85AB7B3BEB054ECF1E38512B8353AB36471FA 88961DCC
+svcb0.example.		3600	IN	SVCB	0 example.net.
+svcb1.example.		3600	IN	SVCB	1 . port=60
+ta.example.		3600	IN	TA	30795 1 1 310D27F4D82C1FC2400704EA9939FE6E1CEAA3B9
+talink0.example.	3600	IN	TALINK	. talink1.example.
+talink1.example.	3600	IN	TALINK	talink0.example. talink2.example.
+talink2.example.	3600	IN	TALINK	talink2.example. .
+tlsa.example.		3600	IN	TLSA	1 1 2 92003BA34942DC74152E2F2C408D29ECA5A520E7F2E06BB944F4DCA3 46BAF63C1B177615D466F6C4B71C216A50292BD58C9EBDD2F74E38FE 51FFD48C43326CBC
+txt01.example.		3600	IN	TXT	"foo"
+txt02.example.		3600	IN	TXT	"foo" "bar"
+txt03.example.		3600	IN	TXT	"foo"
+txt04.example.		3600	IN	TXT	"foo" "bar"
+txt05.example.		3600	IN	TXT	"foo bar"
+txt06.example.		3600	IN	TXT	"foo bar"
+txt07.example.		3600	IN	TXT	"foo bar"
+txt08.example.		3600	IN	TXT	"foo\010bar"
+txt09.example.		3600	IN	TXT	"foo\010bar"
+txt10.example.		3600	IN	TXT	"foo bar"
+txt11.example.		3600	IN	TXT	"\"foo\""
+txt12.example.		3600	IN	TXT	"\"foo\""
+txt13.example.		3600	IN	TXT	"foo;"
+txt14.example.		3600	IN	TXT	"foo;"
+txt15.example.		3600	IN	TXT	"bar\\;"
+uid01.example.		3600	IN	UID	\# 1 02
+uinfo01.example.	3600	IN	UINFO	\# 1 01
+uri01.example.		3600	IN	URI	10 20 "https://www.isc.org/"
+uri02.example.		3600	IN	URI	30 40 "https://www.isc.org/HolyCowThisSureIsAVeryLongURIRecordIDontEvenKnowWhatSomeoneWouldEverWantWithSuchAThingButTheSpecificationRequiresThatWesupportItSoHereWeGoTestingItLaLaLaLaLaLaLaSeriouslyThoughWhyWouldYouEvenConsiderUsingAURIThisLongItSeemsLikeASillyIdeaButEnhWhatAreYouGonnaDo/"
+uri03.example.		3600	IN	URI	30 40 ""
+wks01.example.		3600	IN	WKS	10.0.0.1 6 0 1 2 21 23
+wks02.example.		3600	IN	WKS	10.0.0.1 17 0 1 2 53
+wks03.example.		3600	IN	WKS	10.0.0.2 6 65535
+x2501.example.		3600	IN	X25	"123456789"
+zonemd01.example.	3600    IN	ZONEMD	2019020700 1 1 C220B8A6ED5728A971902F7E3D4FD93ADEEA88B0453C2E8E8C863D46 5AB06CF34EB95B266398C98B59124FA239CB7EEB
+zonemd02.example.	3600	IN	ZONEMD	2019020700 1 2 08CFA1115C7B948C4163A901270395EA226A930CD2CBCF2FA9A5E6EB 85F37C8A4E114D884E66F176EAB121CB02DB7D652E0CC4827E7A3204 F166B47E5613FD27
+8f1tmio9avcom2k0frp92lgcumak0cad.example. 3600 IN NSEC3 1 0 10 D2CF0294C020CE6C 8FPNS2UCT7FBS643THP2B77PEQ77K6IU A NS SOA MX AAAA RRSIG DNSKEY NSEC3PARAM
+kcd3juae64f9c5csl1kif1htaui7un0g.example. 3600 IN NSEC3 1 0 10 D2CF0294C020CE6C KD5MN2M20340DGO0BL7NTSB8JP4BSC7E
+mr5ukvsk1l37btu4q7b1dfevft4hkqdk.example. 3600 IN NSEC3 1 0 10 D2CF0294C020CE6C MT38J6VG7S0SN5G17MCUF6IQIKFUAJ05 A AAAA RRSIG
+example.		86400	IN	SOA	ns2.example. hostmaster.example. 1397051953 5 5 1814400 3600
diff --git a/bin/tests/system/xfer/knowngood.mapped b/bin/tests/system/xfer/knowngood.mapped
new file mode 100644
index 0000000..5fcd00b
--- /dev/null
+++ b/bin/tests/system/xfer/knowngood.mapped
@@ -0,0 +1,26 @@
+
+; <<>> DiG 9.10.2-P3 <<>> -p 5300 axfr mapped @10.53.0.3
+;; global options: +cmd
+mapped.			3600	IN	SOA	. . 0 0 0 2147483647 0
+example.aa.		3600	IN	A	1.2.3.4
+example1.aa.		3600	IN	A	1.2.3.4
+example.bb.		3600	IN	A	1.2.3.4
+example1.bb.		3600	IN	A	1.2.3.4
+example.com.		3600	IN	A	1.2.3.4
+example1.com.		3600	IN	A	1.2.3.4
+bar.dd.			3600	IN	A	1.2.3.4
+foo.ee.			3600	IN	A	1.2.3.4
+foo.ff.			3600	IN	A	1.2.3.4
+foo.gg.			3600	IN	A	1.2.3.4
+foo.hh.			3600	IN	A	1.2.3.4
+foo.ii.			3600	IN	A	1.2.3.4
+foo.jj.			3600	IN	A	1.2.3.4
+foo.kk.			3600	IN	A	1.2.3.4
+foo.ll.			3600	IN	A	1.2.3.4
+mapped.			3600	IN	NS	.
+mapped.			3600	IN	SOA	. . 0 0 0 2147483647 0
+;; Query time: 4 msec
+;; SERVER: 10.53.0.3#5300(10.53.0.3)
+;; WHEN: Tue Feb 16 14:38:25 EST 2016
+;; XFR size: 18 records (messages 1, bytes 468)
+
diff --git a/bin/tests/system/xfer/ns1/axfr-too-big.db b/bin/tests/system/xfer/ns1/axfr-too-big.db
new file mode 100644
index 0000000..37987a6
--- /dev/null
+++ b/bin/tests/system/xfer/ns1/axfr-too-big.db
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL	3600
+@	IN	SOA	. . 0 0 0 0 0
+@	IN	NS	.
+$GENERATE 1-29	host$	A	1.2.3.$
diff --git a/bin/tests/system/xfer/ns1/ixfr-too-big.db.in b/bin/tests/system/xfer/ns1/ixfr-too-big.db.in
new file mode 100644
index 0000000..c192316
--- /dev/null
+++ b/bin/tests/system/xfer/ns1/ixfr-too-big.db.in
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL	3600
+@	IN	SOA	. . 0 0 0 0 0
+@	IN	NS	ns1
+@	IN	NS	ns6
+ns1	IN	A	10.53.0.1
+ns6	IN	A	10.53.0.6
+$GENERATE 1-25	host$	A	1.2.3.$
diff --git a/bin/tests/system/xfer/ns1/named.conf.in b/bin/tests/system/xfer/ns1/named.conf.in
new file mode 100644
index 0000000..3ff6cdf
--- /dev/null
+++ b/bin/tests/system/xfer/ns1/named.conf.in
@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
+
+zone "secondary" {
+	type primary;
+	file "sec.db";
+};
+
+zone "edns-expire" {
+	type primary;
+	file "edns-expire.db";
+};
+
+zone "axfr-too-big" {
+	type primary;
+	file "axfr-too-big.db";
+};
+
+zone "ixfr-too-big" {
+	type primary;
+	allow-update { any; };
+	file "ixfr-too-big.db";
+};
+
+zone "xfer-stats" {
+	type primary;
+	file "xfer-stats.db";
+};
diff --git a/bin/tests/system/xfer/ns1/root.db b/bin/tests/system/xfer/ns1/root.db
new file mode 100644
index 0000000..58a675c
--- /dev/null
+++ b/bin/tests/system/xfer/ns1/root.db
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. 			IN SOA	gson.nominum.com. a.root.servers.nil. (
+				2000042100   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+
+example.		NS	ns2.example.
+ns2.example.		A	10.53.0.2
+
+tsigzone.		NS	ns2.tsigzone.
+ns2.tsigzone.		A	10.53.0.2
diff --git a/bin/tests/system/xfer/ns1/xfer-stats.db b/bin/tests/system/xfer/ns1/xfer-stats.db
new file mode 100644
index 0000000..42e1c9c
--- /dev/null
+++ b/bin/tests/system/xfer/ns1/xfer-stats.db
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@				SOA	. . 0 0 0 0 0
+@				NS	.
+$GENERATE 1-10000	$	TXT	$
diff --git a/bin/tests/system/xfer/ns2/mapped.db.in b/bin/tests/system/xfer/ns2/mapped.db.in
new file mode 100644
index 0000000..d928d69
--- /dev/null
+++ b/bin/tests/system/xfer/ns2/mapped.db.in
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+mapped.                 3600    IN      SOA     . . 0 0 0 2147483647 0
+example.aa.             3600    IN      A       1.2.3.4
+example1.aa.            3600    IN      A       1.2.3.4
+example.bb.             3600    IN      A       1.2.3.4
+example1.bb.            3600    IN      A       1.2.3.4
+example.com.            3600    IN      A       1.2.3.4
+example1.com.           3600    IN      A       1.2.3.4
+bar.dd.                 3600    IN      A       1.2.3.4
+foo.ee.                 3600    IN      A       1.2.3.4
+foo.ff.                 3600    IN      A       1.2.3.4
+foo.gg.                 3600    IN      A       1.2.3.4
+foo.hh.                 3600    IN      A       1.2.3.4
+foo.ii.                 3600    IN      A       1.2.3.4
+foo.jj.                 3600    IN      A       1.2.3.4
+foo.kk.                 3600    IN      A       1.2.3.4
+foo.ll.                 3600    IN      A       1.2.3.4
+mapped.                 3600    IN      NS      .
diff --git a/bin/tests/system/xfer/ns2/named.conf.in b/bin/tests/system/xfer/ns2/named.conf.in
new file mode 100644
index 0000000..fbde9c1
--- /dev/null
+++ b/bin/tests/system/xfer/ns2/named.conf.in
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	ixfr-from-differences yes;
+	check-integrity no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+key tsigzone. {
+	algorithm hmac-md5;
+	secret "1234abcd8765";
+};
+
+acl tzkey {
+	key tsigzone.;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+};
+
+zone "tsigzone" {
+	type primary;
+	file "tsigzone.db";
+	allow-transfer { tzkey; };
+};
+
+zone "secondary" {
+	type secondary;
+	file "sec.db";
+	primaries { 10.53.0.1; };
+	masterfile-format text;
+};
+
+zone "mapped" {
+	type secondary;
+	file "mapped.db";
+	masterfile-format text;
+	primaries { 10.53.0.100; };
+};
diff --git a/bin/tests/system/xfer/ns2/sec.db.in b/bin/tests/system/xfer/ns2/sec.db.in
new file mode 100644
index 0000000..7978598
--- /dev/null
+++ b/bin/tests/system/xfer/ns2/sec.db.in
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 5
+
+@			IN SOA	ns1 hostmaster 1 5 5 5 5
+@			NS	ns1
+ns1			A	10.53.0.1
+a01			A	1.1.1.1
+a02			A	255.255.255.255
+
diff --git a/bin/tests/system/xfer/ns3/named.conf.in b/bin/tests/system/xfer/ns3/named.conf.in
new file mode 100644
index 0000000..5fc0183
--- /dev/null
+++ b/bin/tests/system/xfer/ns3/named.conf.in
@@ -0,0 +1,79 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+key tsigzone. {
+	algorithm hmac-md5;
+	secret "1234abcd8765";
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "example" {
+	type secondary;
+	primaries { 10.53.0.2; };
+	file "example.bk";
+};
+
+zone "primary" {
+	type secondary;
+	primaries { 10.53.0.6; };
+	file "primary.bk";
+};
+
+server 10.53.0.2 {
+	keys { tsigzone.; };
+};
+
+zone "tsigzone" {
+	type secondary;
+	primaries { 10.53.0.2; };
+	file "tsigzone.bk";
+	allow-transfer { key tsigzone.; };
+};
+
+zone "mapped" {
+	type secondary;
+	primaries { 10.53.0.2; };
+	masterfile-format map;
+	file "mapped.bk";
+};
+
+zone "xfer-stats" {
+	type secondary;
+	primaries { 10.53.0.1; };
+	file "xfer-stats.bk";
+};
diff --git a/bin/tests/system/xfer/ns4/named.conf.base b/bin/tests/system/xfer/ns4/named.conf.base
new file mode 100644
index 0000000..8e77d0c
--- /dev/null
+++ b/bin/tests/system/xfer/ns4/named.conf.base
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	blackhole { none; };
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+key unused_key. {
+	secret "1234abcd8765";
+	algorithm hmac-md5;
+};
+
+key tsig_key. {
+	secret "LSAnCU+Z";
+	algorithm hmac-md5;
+};
+
+controls {
+	inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
diff --git a/bin/tests/system/xfer/ns4/root.db.in b/bin/tests/system/xfer/ns4/root.db.in
new file mode 100644
index 0000000..29ee0ec
--- /dev/null
+++ b/bin/tests/system/xfer/ns4/root.db.in
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 0 SOA . . 0 0 0 0 0
+@ 0 NS .
+@ 0 A 10.53.0.4
diff --git a/bin/tests/system/xfer/ns6/named.conf.in b/bin/tests/system/xfer/ns6/named.conf.in
new file mode 100644
index 0000000..636400c
--- /dev/null
+++ b/bin/tests/system/xfer/ns6/named.conf.in
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+	inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.6;
+	notify-source 10.53.0.6;
+	transfer-source 10.53.0.6;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.6; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	ixfr-from-differences primary;
+	check-integrity no;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "primary" {
+	type primary;
+	file "primary.db";
+};
+
+zone "secondary" {
+	type secondary;
+	notify no;
+	primaries { 10.53.0.1; };
+	file "sec.bk";
+};
+
+zone "edns-expire" {
+	type secondary;
+	primaries { 10.53.0.1; };
+	file "edns-expire.bk";
+};
+
+zone "axfr-too-big" {
+	type secondary;
+	max-records 30;
+	primaries { 10.53.0.1; };
+	file "axfr-too-big.bk";
+};
+
+zone "ixfr-too-big" {
+	type secondary;
+	max-records 30;
+	primaries { 10.53.0.1; };
+	file "ixfr-too-big.bk";
+};
diff --git a/bin/tests/system/xfer/ns7/named.conf.in b/bin/tests/system/xfer/ns7/named.conf.in
new file mode 100644
index 0000000..9bd92b3
--- /dev/null
+++ b/bin/tests/system/xfer/ns7/named.conf.in
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+	inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.7;
+	notify-source 10.53.0.7;
+	transfer-source 10.53.0.7;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.7; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	ixfr-from-differences secondary;
+	check-integrity no;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "primary2" {
+	type primary;
+	file "primary2.db";
+};
+
+zone "secondary" {
+	type secondary;
+	primaries { 10.53.0.1; };
+	file "sec.bk";
+};
+
+zone "edns-expire" {
+	type secondary;
+	primaries { 10.53.0.6; };
+	file "edns-expire.bk";
+};
diff --git a/bin/tests/system/xfer/ns8/example.db b/bin/tests/system/xfer/ns8/example.db
new file mode 100644
index 0000000..8e8ccb9
--- /dev/null
+++ b/bin/tests/system/xfer/ns8/example.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			SOA	mname1. . (
+				2000062101 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.1
+
+$INCLUDE large.db
+$INCLUDE small.db
diff --git a/bin/tests/system/xfer/ns8/named.conf.in b/bin/tests/system/xfer/ns8/named.conf.in
new file mode 100644
index 0000000..22b3272
--- /dev/null
+++ b/bin/tests/system/xfer/ns8/named.conf.in
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+	inet 10.53.0.8 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.8;
+	notify-source 10.53.0.8;
+	transfer-source 10.53.0.8;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.8; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify no;
+	transfer-message-size 1024;
+};
+
+key key1. {
+	algorithm hmac-md5;
+	secret "1234abcd8765";
+};
+
+acl tzkey {
+	key key1.;
+};
+
+zone "example." {
+	type primary;
+	file "example.db";
+	allow-transfer { tzkey; };
+};
diff --git a/bin/tests/system/xfer/prereq.sh b/bin/tests/system/xfer/prereq.sh
new file mode 100644
index 0000000..b262501
--- /dev/null
+++ b/bin/tests/system/xfer/prereq.sh
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if $PERL -e 'use Net::DNS;' 2>/dev/null
+then
+    if $PERL -e 'use Net::DNS; die if ($Net::DNS::VERSION >= 0.69 && $Net::DNS::VERSION <= 0.74);' 2>/dev/null
+    then
+        :
+    else
+        echo_i "Net::DNS versions 0.69 to 0.74 have bugs that cause this test to fail: please update." >&2
+        exit 1
+    fi
+else
+    echo_i "This test requires the Net::DNS library." >&2
+    exit 1
+fi
+
+if ! $PERL -e 'use Digest::HMAC;' 2>/dev/null
+then
+    echo_i "This test requires the Digest::HMAC Perl module." >&2
+    exit 1
+fi
diff --git a/bin/tests/system/xfer/setup.sh b/bin/tests/system/xfer/setup.sh
new file mode 100644
index 0000000..3180a7f
--- /dev/null
+++ b/bin/tests/system/xfer/setup.sh
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL ../genzone.sh 1 6 7 >ns1/sec.db
+$SHELL ../genzone.sh 1 6 7 >ns1/edns-expire.db
+$SHELL ../genzone.sh 2 3 >ns2/example.db
+$SHELL ../genzone.sh 2 3 >ns2/tsigzone.db
+$SHELL ../genzone.sh 6 3 >ns6/primary.db
+$SHELL ../genzone.sh 7 >ns7/primary2.db
+
+cp -f ns4/root.db.in ns4/root.db
+$PERL -e 'for ($i=0;$i<10000;$i++){ printf("x%u 0 in a 10.53.0.1\n", $i);}' >> ns4/root.db
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns6/named.conf.in ns6/named.conf
+copy_setports ns7/named.conf.in ns7/named.conf
+copy_setports ns8/named.conf.in ns8/named.conf
+
+copy_setports ns4/named.conf.base ns4/named.conf
+
+cp ns2/sec.db.in ns2/sec.db
+touch -t 200101010000 ns2/sec.db
+
+cp ns2/mapped.db.in ns2/mapped.db
+
+$PERL -e 'for ($i=0;$i<4096;$i++){ printf("name%u 259200 A 1.2.3.4\nname%u 259200 TXT \"Hello World %u\"\n", $i, $i, $i);}' > ns8/small.db
+$PERL -e 'printf("large IN TYPE45234 \\# 48000 "); for ($i=0;$i<16*3000;$i++) { printf("%02x", $i % 256); } printf("\n");' > ns8/large.db
+
+cp -f ns1/ixfr-too-big.db.in ns1/ixfr-too-big.db
diff --git a/bin/tests/system/xfer/tests.sh b/bin/tests/system/xfer/tests.sh
new file mode 100755
index 0000000..607d68a
--- /dev/null
+++ b/bin/tests/system/xfer/tests.sh
@@ -0,0 +1,547 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}"
+RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
+
+status=0
+n=0
+
+n=$((n+1))
+echo_i "testing basic zone transfer functionality (from primary) ($n)"
+tmp=0
+$DIG $DIGOPTS example. @10.53.0.2 axfr > dig.out.ns2.test$n || tmp=1
+grep "^;" dig.out.ns2.test$n | cat_i
+digcomp dig1.good dig.out.ns2.test$n || tmp=1
+if test $tmp != 0 ; then echo_i "failed"; fi
+status=$((status+tmp))
+
+n=$((n+1))
+echo_i "testing basic zone transfer functionality (from secondary) ($n)"
+tmp=0
+#
+# Spin to allow the zone to transfer.
+#
+wait_for_xfer () {
+	$DIG $DIGOPTS example. @10.53.0.3 axfr > dig.out.ns3.test$n || return 1
+	grep "^;" dig.out.ns3.test$n > /dev/null && return 1
+	return 0
+}
+retry_quiet 25 wait_for_xfer || tmp=1
+grep "^;" dig.out.ns3.test$n | cat_i
+digcomp dig1.good dig.out.ns3.test$n || tmp=1
+if test $tmp != 0 ; then echo_i "failed"; fi
+status=$((status+tmp))
+
+n=$((n+1))
+echo_i "testing TSIG signed zone transfers ($n)"
+tmp=0
+$DIG $DIGOPTS tsigzone. @10.53.0.2 axfr -y tsigzone.:1234abcd8765 > dig.out.ns2.test$n || tmp=1
+grep "^;" dig.out.ns2.test$n | cat_i
+
+#
+# Spin to allow the zone to transfer.
+#
+wait_for_xfer_tsig () {
+	$DIG $DIGOPTS tsigzone. @10.53.0.3 axfr -y tsigzone.:1234abcd8765 > dig.out.ns3.test$n || return 1
+	grep "^;" dig.out.ns3.test$n > /dev/null && return 1
+	return 0
+}
+retry_quiet 25 wait_for_xfer_tsig || tmp=1
+grep "^;" dig.out.ns3.test$n | cat_i
+digcomp dig.out.ns2.test$n dig.out.ns3.test$n || tmp=1
+if test $tmp != 0 ; then echo_i "failed"; fi
+status=$((status+tmp))
+
+echo_i "reload servers for in preparation for ixfr-from-differences tests"
+
+rndc_reload ns1 10.53.0.1
+rndc_reload ns2 10.53.0.2
+rndc_reload ns3 10.53.0.3
+rndc_reload ns6 10.53.0.6
+rndc_reload ns7 10.53.0.7
+
+sleep 2
+
+echo_i "updating primary zones for ixfr-from-differences tests"
+
+$PERL -i -p -e '
+	s/0\.0\.0\.0/0.0.0.1/;
+	s/1397051952/1397051953/
+' ns1/sec.db
+
+rndc_reload ns1 10.53.0.1
+
+$PERL -i -p -e '
+	s/0\.0\.0\.0/0.0.0.1/;
+	s/1397051952/1397051953/
+' ns2/example.db
+
+rndc_reload ns2 10.53.0.2
+
+$PERL -i -p -e '
+	s/0\.0\.0\.0/0.0.0.1/;
+	s/1397051952/1397051953/
+' ns6/primary.db
+
+rndc_reload ns6 10.53.0.6
+
+$PERL -i -p -e '
+	s/0\.0\.0\.0/0.0.0.1/;
+	s/1397051952/1397051953/
+' ns7/primary2.db
+
+rndc_reload ns7 10.53.0.7
+
+sleep 3
+
+n=$((n+1))
+echo_i "testing zone is dumped after successful transfer ($n)"
+tmp=0
+$DIG $DIGOPTS +noall +answer +multi @10.53.0.2 \
+	secondary. soa > dig.out.ns2.test$n || tmp=1
+grep "1397051952 ; serial" dig.out.ns2.test$n > /dev/null 2>&1 || tmp=1
+grep "1397051952 ; serial" ns2/sec.db > /dev/null 2>&1 || tmp=1
+if test $tmp != 0 ; then echo_i "failed"; fi
+status=$((status+tmp))
+
+n=$((n+1))
+echo_i "testing ixfr-from-differences yes; ($n)"
+tmp=0
+
+echo_i "wait for reloads..."
+wait_for_reloads() (
+	$DIG $DIGOPTS @10.53.0.6 +noall +answer soa primary > dig.out.soa1.ns6.test$n
+	grep "1397051953" dig.out.soa1.ns6.test$n > /dev/null || return 1
+	$DIG $DIGOPTS @10.53.0.1 +noall +answer soa secondary  > dig.out.soa2.ns1.test$n
+	grep "1397051953" dig.out.soa2.ns1.test$n > /dev/null || return 1
+	$DIG $DIGOPTS @10.53.0.2 +noall +answer soa example > dig.out.soa3.ns2.test$n
+	grep "1397051953" dig.out.soa3.ns2.test$n > /dev/null || return 1
+	return 0
+)
+retry_quiet 20 wait_for_reloads || tmp=1
+
+echo_i "wait for transfers..."
+wait_for_transfers() (
+	a=0 b=0 c=0 d=0
+	$DIG $DIGOPTS @10.53.0.3 +noall +answer soa example > dig.out.soa1.ns3.test$n
+	grep "1397051953" dig.out.soa1.ns3.test$n > /dev/null && a=1
+	$DIG $DIGOPTS @10.53.0.3 +noall +answer soa primary > dig.out.soa2.ns3.test$n
+	grep "1397051953" dig.out.soa2.ns3.test$n > /dev/null && b=1
+	$DIG $DIGOPTS @10.53.0.6 +noall +answer soa secondary > dig.out.soa3.ns6.test$n
+	grep "1397051953" dig.out.soa3.ns6.test$n > /dev/null && c=1
+	[ $a -eq 1 -a $b -eq 1 -a $c -eq 1 ] && return 0
+
+	# re-notify if necessary
+	$RNDCCMD 10.53.0.6 notify primary 2>&1 | sed 's/^/ns6 /' | cat_i
+	$RNDCCMD 10.53.0.1 notify secondary 2>&1 | sed 's/^/ns1 /' | cat_i
+	$RNDCCMD 10.53.0.2 notify example 2>&1 | sed 's/^/ns2 /' | cat_i
+	return 1
+)
+retry_quiet 20 wait_for_transfers || tmp=1
+
+$DIG $DIGOPTS example. \
+	@10.53.0.3 axfr > dig.out.ns3.test$n || tmp=1
+grep "^;" dig.out.ns3.test$n | cat_i
+
+digcomp dig2.good dig.out.ns3.test$n || tmp=1
+
+# ns3 has a journal iff it received an IXFR.
+test -f ns3/example.bk || tmp=1
+test -f ns3/example.bk.jnl || tmp=1
+
+if test $tmp != 0 ; then echo_i "failed"; fi
+status=$((status+tmp))
+
+n=$((n+1))
+echo_i "testing ixfr-from-differences primary; (primary zone) ($n)"
+tmp=0
+
+$DIG $DIGOPTS primary. \
+	@10.53.0.6 axfr > dig.out.ns6.test$n || tmp=1
+grep "^;" dig.out.ns6.test$n | cat_i
+
+$DIG $DIGOPTS primary. \
+	@10.53.0.3 axfr > dig.out.ns3.test$n || tmp=1
+grep "^;" dig.out.ns3.test$n > /dev/null && cat_i dig.out.ns3.test$n
+
+digcomp dig.out.ns6.test$n dig.out.ns3.test$n || tmp=1
+
+# ns3 has a journal iff it received an IXFR.
+test -f ns3/primary.bk || tmp=1
+test -f ns3/primary.bk.jnl || tmp=1
+
+if test $tmp != 0 ; then echo_i "failed"; fi
+status=$((status+tmp))
+
+n=$((n+1))
+echo_i "testing ixfr-from-differences primary; (secondary zone) ($n)"
+tmp=0
+
+$DIG $DIGOPTS secondary. \
+	@10.53.0.6 axfr > dig.out.ns6.test$n || tmp=1
+grep "^;" dig.out.ns6.test$n | cat_i
+
+$DIG $DIGOPTS secondary. \
+	@10.53.0.1 axfr > dig.out.ns1.test$n || tmp=1
+grep "^;" dig.out.ns1.test$n | cat_i
+
+digcomp dig.out.ns6.test$n dig.out.ns1.test$n || tmp=1
+
+# ns6 has a journal iff it received an IXFR.
+test -f ns6/sec.bk || tmp=1
+test -f ns6/sec.bk.jnl && tmp=1
+
+if test $tmp != 0 ; then echo_i "failed"; fi
+status=$((status+tmp))
+
+n=$((n+1))
+echo_i "testing ixfr-from-differences secondary; (secondary zone) ($n)"
+tmp=0
+
+# ns7 has a journal iff it generates an IXFR.
+test -f ns7/primary2.db || tmp=1
+test -f ns7/primary2.db.jnl && tmp=1
+
+if test $tmp != 0 ; then echo_i "failed"; fi
+status=$((status+tmp))
+
+n=$((n+1))
+echo_i "testing ixfr-from-differences secondary; (secondary zone) ($n)"
+tmp=0
+
+$DIG $DIGOPTS secondary. \
+	@10.53.0.1 axfr > dig.out.ns1.test$n || tmp=1
+grep "^;" dig.out.ns1.test$n | cat_i
+
+$DIG $DIGOPTS secondary. \
+	@10.53.0.7 axfr > dig.out.ns7.test$n || tmp=1
+grep "^;" dig.out.ns7.test$n | cat_i
+
+digcomp dig.out.ns7.test$n dig.out.ns1.test$n || tmp=1
+
+# ns7 has a journal iff it generates an IXFR.
+test -f ns7/sec.bk || tmp=1
+test -f ns7/sec.bk.jnl || tmp=1
+
+if test $tmp != 0 ; then echo_i "failed"; fi
+status=$((status+tmp))
+
+n=$((n+1))
+echo_i "check that a multi-message uncompressable zone transfers ($n)"
+$DIG axfr . -p ${PORT} @10.53.0.4 | grep SOA > axfr.out
+if test `wc -l < axfr.out` != 2
+then
+	 echo_i "failed"
+         status=$((status+1))
+fi
+
+# now we test transfers with assorted TSIG glitches
+DIGCMD="$DIG $DIGOPTS @10.53.0.4"
+SENDCMD="$PERL ../send.pl 10.53.0.5 $EXTRAPORT1"
+
+echo_i "testing that incorrectly signed transfers will fail..."
+n=$((n+1))
+echo_i "initial correctly-signed transfer should succeed ($n)"
+
+$SENDCMD < ans5/goodaxfr
+
+# Initially, ns4 is not authoritative for anything.
+# Now that ans is up and running with the right data, we make ns4
+# a secondary for nil.
+
+cat <<EOF >>ns4/named.conf
+zone "nil" {
+	type secondary;
+	file "nil.db";
+	primaries { 10.53.0.5 key tsig_key; };
+};
+EOF
+
+nextpart ns4/named.run >/dev/null
+
+rndc_reload ns4 10.53.0.4
+
+wait_for_soa() (
+	$DIGCMD nil. SOA > dig.out.ns4.test$n
+	grep SOA dig.out.ns4.test$n > /dev/null
+)
+retry_quiet 10 wait_for_soa
+
+nextpart ns4/named.run | grep "Transfer status: success" > /dev/null || {
+    echo_i "failed: expected status was not logged"
+    status=$((status+1))
+}
+
+$DIGCMD nil. TXT | grep 'initial AXFR' >/dev/null || {
+    echo_i "failed"
+    status=$((status+1))
+}
+
+n=$((n+1))
+echo_i "unsigned transfer ($n)"
+
+$SENDCMD < ans5/unsigned
+
+$RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i
+
+sleep 2
+
+nextpart ns4/named.run | grep "Transfer status: expected a TSIG or SIG(0)" > /dev/null || {
+    echo_i "failed: expected status was not logged"
+    status=$((status+1))
+}
+
+$DIGCMD nil. TXT | grep 'unsigned AXFR' >/dev/null && {
+    echo_i "failed"
+    status=$((status+1))
+}
+
+n=$((n+1))
+echo_i "bad keydata ($n)"
+
+$SENDCMD < ans5/badkeydata
+
+$RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i
+
+sleep 2
+
+nextpart ns4/named.run | grep "Transfer status: tsig verify failure" > /dev/null || {
+    echo_i "failed: expected status was not logged"
+    status=$((status+1))
+}
+
+$DIGCMD nil. TXT | grep 'bad keydata AXFR' >/dev/null && {
+    echo_i "failed"
+    status=$((status+1))
+}
+
+n=$((n+1))
+echo_i "partially-signed transfer ($n)"
+
+$SENDCMD < ans5/partial
+
+$RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i
+
+sleep 2
+
+nextpart ns4/named.run | grep "Transfer status: expected a TSIG or SIG(0)" > /dev/null || {
+    echo_i "failed: expected status was not logged"
+    status=$((status+1))
+}
+
+$DIGCMD nil. TXT | grep 'partially signed AXFR' >/dev/null && {
+    echo_i "failed"
+    status=$((status+1))
+}
+
+n=$((n+1))
+echo_i "unknown key ($n)"
+
+$SENDCMD < ans5/unknownkey
+
+$RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i
+
+sleep 2
+
+nextpart ns4/named.run | grep "tsig key 'tsig_key': key name and algorithm do not match" > /dev/null || {
+    echo_i "failed: expected status was not logged"
+    status=$((status+1))
+}
+
+$DIGCMD nil. TXT | grep 'unknown key AXFR' >/dev/null && {
+    echo_i "failed"
+    status=$((status+1))
+}
+
+n=$((n+1))
+echo_i "incorrect key ($n)"
+
+$SENDCMD < ans5/wrongkey
+
+$RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i
+
+sleep 2
+
+nextpart ns4/named.run | grep "tsig key 'tsig_key': key name and algorithm do not match" > /dev/null || {
+    echo_i "failed: expected status was not logged"
+    status=$((status+1))
+}
+
+$DIGCMD nil. TXT | grep 'incorrect key AXFR' >/dev/null && {
+    echo_i "failed"
+    status=$((status+1))
+}
+
+n=$((n+1))
+echo_i "bad message id ($n)"
+
+$SENDCMD < ans5/badmessageid
+
+# Uncomment to see AXFR stream with mismatching IDs.
+# $DIG $DIGOPTS @10.53.0.5 -y tsig_key:LSAnCU+Z nil. AXFR +all
+
+$RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i
+
+sleep 2
+
+msg="detected message ID mismatch on incoming AXFR stream, transfer will fail in BIND 9.17.2 and later if AXFR source is not fixed"
+nextpart ns4/named.run | grep "$msg" > /dev/null || {
+    echo_i "failed: expected status was not logged"
+    status=$((status+1))
+}
+
+$DIGCMD nil. TXT | grep 'bad message id' >/dev/null || {
+    echo_i "failed"
+    status=$((status+1))
+}
+
+n=$((n+1))
+echo_i "mismatched SOA ($n)"
+
+${SENDCMD} < ans5/soamismatch
+
+$RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i
+
+sleep 2
+
+nextpart ns4/named.run | grep "Transfer status: FORMERR" > /dev/null || {
+    echo_i "failed: expected status was not logged"
+    status=$((status+1))
+}
+
+$DIGCMD nil. TXT | grep 'SOA mismatch AXFR' >/dev/null && {
+    echo_i "failed"
+    status=$((status+1))
+}
+
+n=$((n+1))
+echo_i "check that we ask for and get a EDNS EXPIRE response ($n)"
+# force a refresh query
+$RNDCCMD 10.53.0.7 refresh edns-expire 2>&1 | sed 's/^/ns7 /' | cat_i
+sleep 10
+
+# there may be multiple log entries so get the last one.
+expire=`awk '/edns-expire\/IN: got EDNS EXPIRE of/ { x=$9 } END { print x }' ns7/named.run`
+test ${expire:-0} -gt 0 -a ${expire:-0} -lt 1814400 || {
+    echo_i "failed (expire=${expire:-0})"
+    status=$((status+1))
+}
+
+n=$((n+1))
+echo_i "test smaller transfer TCP message size ($n)"
+$DIG $DIGOPTS example. @10.53.0.8 axfr \
+	-y key1.:1234abcd8765 > dig.out.msgsize.test$n || status=1
+
+$DOS2UNIX dig.out.msgsize.test$n >/dev/null 2>&1
+
+bytes=`wc -c < dig.out.msgsize.test$n`
+if [ $bytes -ne 459357 ]; then
+	echo_i "failed axfr size check"
+        status=$((status+1))
+fi
+
+num_messages=`cat ns8/named.run | grep "sending TCP message of" | wc -l`
+if [ $num_messages -le 300 ]; then
+	echo_i "failed transfer message count check"
+        status=$((status+1))
+fi
+
+n=$((n+1))
+echo_i "test mapped zone with out of zone data ($n)"
+tmp=0
+$DIG -p ${PORT} txt mapped @10.53.0.3 > dig.out.1.test$n
+grep "status: NOERROR," dig.out.1.test$n > /dev/null || tmp=1
+stop_server ns3
+start_server --noclean --restart --port ${PORT} ns3
+check_mapped () {
+	$DIG -p ${PORT} txt mapped @10.53.0.3 > dig.out.2.test$n
+	grep "status: NOERROR," dig.out.2.test$n > /dev/null || return 1
+	$DIG -p ${PORT} axfr mapped @10.53.0.3 > dig.out.3.test$n
+	digcomp knowngood.mapped dig.out.3.test$n || return 1
+	return 0
+}
+retry_quiet 10 check_mapped || tmp=1
+[ "$tmp" -ne 0 ] && echo_i "failed"
+status=$((status+tmp))
+
+n=$((n+1))
+echo_i "test that a zone with too many records is rejected (AXFR) ($n)"
+tmp=0
+grep "'axfr-too-big/IN'.*: too many records" ns6/named.run >/dev/null || tmp=1
+if test $tmp != 0 ; then echo_i "failed"; fi
+status=$((status+tmp))
+
+n=$((n+1))
+echo_i "test that a zone with too many records is rejected (IXFR) ($n)"
+tmp=0
+nextpart ns6/named.run > /dev/null
+$NSUPDATE << EOF
+zone ixfr-too-big
+server 10.53.0.1 ${PORT}
+update add the-31st-record.ixfr-too-big 0 TXT this is it
+send
+EOF
+msg="'ixfr-too-big/IN' from 10.53.0.1#${PORT}: Transfer status: too many records"
+wait_for_log 10 "$msg" ns6/named.run || tmp=1
+if test $tmp != 0 ; then echo_i "failed"; fi
+status=$((status+tmp))
+
+n=$((n+1))
+echo_i "checking whether dig calculates AXFR statistics correctly ($n)"
+tmp=0
+# Loop until the secondary server manages to transfer the "xfer-stats" zone so
+# that we can both check dig output and immediately proceed with the next test.
+# Use -b so that we can discern between incoming and outgoing transfers in ns3
+# logs later on.
+wait_for_xfer() (
+	$DIG $DIGOPTS +noedns +stat -b 10.53.0.2 @10.53.0.3 xfer-stats. AXFR > dig.out.ns3.test$n
+	grep "; Transfer failed" dig.out.ns3.test$n > /dev/null || return 0
+	return 1
+)
+if retry_quiet 10 wait_for_xfer; then
+	get_dig_xfer_stats dig.out.ns3.test$n > stats.dig
+	diff axfr-stats.good stats.dig || tmp=1
+else
+	echo_i "timed out waiting for zone transfer"
+fi
+if test $tmp != 0 ; then echo_i "failed"; fi
+status=$((status+tmp))
+
+# Note: in the next two tests, we use ns3 logs for checking both incoming and
+# outgoing transfer statistics as ns3 is both a secondary server (for ns1) and a
+# primary server (for dig queries from the previous test) for "xfer-stats".
+n=$((n+1))
+echo_i "checking whether named calculates incoming AXFR statistics correctly ($n)"
+tmp=0
+get_named_xfer_stats ns3/named.run 10.53.0.1 xfer-stats "Transfer completed" > stats.incoming
+diff axfr-stats.good stats.incoming || tmp=1
+if test $tmp != 0 ; then echo_i "failed"; fi
+status=$((status+tmp))
+
+n=$((n+1))
+echo_i "checking whether named calculates outgoing AXFR statistics correctly ($n)"
+tmp=0
+check_xfer_stats() {
+	get_named_xfer_stats ns3/named.run 10.53.0.2 xfer-stats "AXFR ended" > stats.outgoing
+	diff axfr-stats.good stats.outgoing > /dev/null
+}
+retry_quiet 10 check_xfer_stats || tmp=1
+if test $tmp != 0 ; then echo_i "failed"; fi
+status=$((status+tmp))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/xferquota/clean.sh b/bin/tests/system/xferquota/clean.sh
new file mode 100644
index 0000000..9cc4057
--- /dev/null
+++ b/bin/tests/system/xferquota/clean.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Clean up after zone transfer quota tests.
+#
+
+rm -f ns1/zone*.example.db ns1/zones.conf
+rm -f ns2/zone*.example.bk ns2/zones.conf
+rm -f dig.out.* ns2/changing.bk
+rm -f ns1/changing.db
+rm -f */named.memstats
+rm -f */named.conf
+rm -f */named.run
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/xferquota/ns1/changing1.db b/bin/tests/system/xferquota/ns1/changing1.db
new file mode 100644
index 0000000..0b5e893
--- /dev/null
+++ b/bin/tests/system/xferquota/ns1/changing1.db
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL	600
+
+@               IN      SOA     dns1.changing. postmaster.changing. (
+                        1               ;; serial
+                        3600            ;; refresh period
+                        1800            ;; retry interval
+                        604800          ;; expire time
+                        600 )           ;; default TTL
+
+		IN	NS		dns1.changing.
+			NS		dns2.changing.
+
+dns1		IN	A		10.53.0.1
+dns2		IN	A		10.53.0.2
+
+a		IN	A		10.0.0.1
diff --git a/bin/tests/system/xferquota/ns1/changing2.db b/bin/tests/system/xferquota/ns1/changing2.db
new file mode 100644
index 0000000..33dd7f4
--- /dev/null
+++ b/bin/tests/system/xferquota/ns1/changing2.db
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL	600
+
+@               IN      SOA     dns1.changing. postmaster.changing. (
+                        2               ;; serial
+                        3600            ;; refresh period
+                        1800            ;; retry interval
+                        604800          ;; expire time
+                        600 )           ;; default TTL
+
+		IN	NS		dns1.changing.
+			NS		dns2.changing.
+
+dns1		IN	A		10.53.0.1
+dns2		IN	A		10.53.0.2
+
+a		IN	A		10.0.0.2
diff --git a/bin/tests/system/xferquota/ns1/named.conf.in b/bin/tests/system/xferquota/ns1/named.conf.in
new file mode 100644
index 0000000..c9f19f9
--- /dev/null
+++ b/bin/tests/system/xferquota/ns1/named.conf.in
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
+
+zone "changing." {
+	type primary;
+	file "changing.db";
+};
+
+include "zones.conf";
diff --git a/bin/tests/system/xferquota/ns1/root.db b/bin/tests/system/xferquota/ns1/root.db
new file mode 100644
index 0000000..c5049f4
--- /dev/null
+++ b/bin/tests/system/xferquota/ns1/root.db
@@ -0,0 +1,29 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. 			IN SOA	gson.nominum.com. a.root.servers.nil. (
+				2000042100   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+
+example.		NS	ns2.example.
+ns2.example.		A	10.53.0.2
+
+changing.		NS	dns1.changing.
+			A	10.53.0.1
+			NS	dns2.changing.
+			A	10.53.0.2
diff --git a/bin/tests/system/xferquota/ns2/example.db b/bin/tests/system/xferquota/ns2/example.db
new file mode 100644
index 0000000..e1d2b82
--- /dev/null
+++ b/bin/tests/system/xferquota/ns2/example.db
@@ -0,0 +1,146 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300	; 5 minutes
+example			IN SOA	mname1. . (
+				2000042795 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+example.		NS	ns2.example.
+ns2.example.		A	10.53.0.2
+example.		NS	ns3.example.
+ns3.example.		A	10.53.0.3
+
+$ORIGIN example.
+*			MX	10 mail
+a			TXT	"foo foo foo"
+			PTR	foo.net.
+$TTL 3600	; 1 hour
+a01			A	0.0.0.0
+a02			A	255.255.255.255
+a601			AAAA	ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+afsdb01			AFSDB	0 hostname
+afsdb02			AFSDB	65535 .
+$TTL 300	; 5 minutes
+b			CNAME	foo.net.
+c			A	73.80.65.49
+$TTL 3600	; 1 hour
+cert01			CERT	65534 65535 PRIVATEOID (
+				MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi
+				WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl
+				d80jEeC8aTrO+KKmCaY= )
+cname01			CNAME	cname-target.
+cname02			CNAME	cname-target
+cname03			CNAME	.
+$TTL 300	; 5 minutes
+d			A	73.80.65.49
+$TTL 3600	; 1 hour
+dname01			DNAME	dname-target.
+dname02			DNAME	dname-target
+dname03			DNAME	.
+$TTL 300	; 5 minutes
+e			MX	10 mail
+			TXT	"one"
+			TXT	"three"
+			TXT	"two"
+			A	73.80.65.49
+			A	73.80.65.50
+			A	73.80.65.52
+			A	73.80.65.51
+f			A	73.80.65.52
+$TTL 3600	; 1 hour
+gpos01			GPOS	"-22.6882" "116.8652" "250.0"
+gpos02			GPOS	"" "" ""
+hinfo01			HINFO	"Generic PC clone" "NetBSD-1.4"
+hinfo02			HINFO	"PC" "NetBSD"
+isdn01			ISDN	"isdn-address"
+isdn02			ISDN	"isdn-address" "subaddress"
+isdn03			ISDN	"isdn-address"
+isdn04			ISDN	"isdn-address" "subaddress"
+dnskey01		DNSKEY	512 255 1 (
+				AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aR
+				yzWZriO6i2odGWWQVucZqKVsENW91IOW4vqudngPZsY3
+				GvQ/xVA8/7pyFj6b7Esga60zyGW6LFe9r8n6paHrlG5o
+				jqf0BaqHT+8= )
+kx01			KX	10 kdc
+kx02			KX	10 .
+loc01			LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+loc02			LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+mb01			MG	madname
+mb02			MG	.
+mg01			MG	mgmname
+mg02			MG	.
+minfo01			MINFO	rmailbx emailbx
+minfo02			MINFO	. .
+mr01			MR	mrname
+mr02			MR	.
+mx01			MX	10 mail
+mx02			MX	10 .
+naptr01			NAPTR	0 0 "" "" "" .
+naptr02			NAPTR	65535 65535 "blurgh" "blorf" ":(.*):\\1:" foo.
+nsap-ptr01		NSAP-PTR foo.
+			NSAP-PTR .
+nsap01			NSAP	0x47000580005a0000000001e133ffffff00016100
+nsap02			NSAP	0x47000580005a0000000001e133ffffff00016100
+nsec01			NSEC	a.secure ( NS SOA MX RRSIG DNSKEY LOC NSEC )
+nsec02			NSEC	. ( NSAP-PTR NSEC )
+nsec03			NSEC	. ( A )
+nsec04			NSEC	. ( 127 )
+ptr01			PTR	example.
+px01			PX	65535 foo. bar.
+px02			PX	65535 . .
+rp01			RP	mbox-dname txt-dname
+rp02			RP	. .
+rt01			RT	0 intermediate-host
+rt02			RT	65535 .
+$TTL 300	; 5 minutes
+s			NS	ns.s
+$ORIGIN s.example.
+ns			A	73.80.65.49
+$ORIGIN example.
+$TTL 3600	; 1 hour
+rrsig01			RRSIG	NSEC 1 3 3600 20000102030405 (
+				19961211100908 2143 foo
+				MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi
+				WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl
+				d80jEeC8aTrO+KKmCaY= )
+srv01			SRV	0 0 0 .
+srv02			SRV	65535 65535 65535 old-slow-box.example.com.
+$TTL 301	; 5 minutes 1 second
+t			A	73.80.65.49
+$TTL 3600	; 1 hour
+txt01			TXT	"foo"
+txt02			TXT	"foo" "bar"
+txt03			TXT	"foo"
+txt04			TXT	"foo" "bar"
+txt05			TXT	"foo bar"
+txt06			TXT	"foo bar"
+txt07			TXT	"foo bar"
+txt08			TXT	"foo\010bar"
+txt09			TXT	"foo\010bar"
+txt10			TXT	"foo bar"
+txt11			TXT	"\"foo\""
+txt12			TXT	"\"foo\""
+$TTL 300	; 5 minutes
+u			TXT	"txt-not-in-nsec"
+$ORIGIN u.example.
+a			A	73.80.65.49
+b			A	73.80.65.49
+$ORIGIN example.
+$TTL 3600	; 1 hour
+wks01			WKS	10.0.0.1 6 ( 0 1 2 21 23 )
+wks02			WKS	10.0.0.1 17 ( 0 1 2 53 )
+wks03			WKS	10.0.0.2 6 ( 65535 )
+x2501			X25	"123456789"
diff --git a/bin/tests/system/xferquota/ns2/named.conf.in b/bin/tests/system/xferquota/ns2/named.conf.in
new file mode 100644
index 0000000..ef55dc6
--- /dev/null
+++ b/bin/tests/system/xferquota/ns2/named.conf.in
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify no;
+
+	transfers-in 5;
+	transfers-per-ns 5;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "changing." {
+	type secondary;
+	primaries { 10.53.0.1; };
+	file "changing.bk";
+};
+
+include "zones.conf";
diff --git a/bin/tests/system/xferquota/setup.pl b/bin/tests/system/xferquota/setup.pl
new file mode 100644
index 0000000..ab5450c
--- /dev/null
+++ b/bin/tests/system/xferquota/setup.pl
@@ -0,0 +1,40 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Set up test data for zone transfer quota tests.
+#
+use FileHandle;
+
+my $priconf = new FileHandle("ns1/zones.conf", "w") or die;
+my $secconf  = new FileHandle("ns2/zones.conf", "w") or die;
+
+for ($z = 0; $z < 300; $z++) {
+    my $zn = sprintf("zone%06d.example", $z);
+    print $priconf "zone \"$zn\" { type primary; file \"$zn.db\"; };\n";
+    print $secconf  "zone \"$zn\" { type secondary; file \"$zn.bk\"; masterfile-format text; primaries { 10.53.0.1; }; };\n";
+    my $fn = "ns1/$zn.db";
+    my $f = new FileHandle($fn, "w") or die "open: $fn: $!";
+    print $f "\$TTL 300
+\@	IN SOA 	ns1 . 1 300 120 3600 86400
+	NS	ns1
+	NS	ns2
+ns1	A	10.53.0.1
+ns2	A	10.53.0.2
+	MX	10 mail1.isp.example.
+	MX	20 mail2.isp.example.
+www	A	10.0.0.1
+xyzzy   A       10.0.0.2
+";
+    $f->close;
+}
diff --git a/bin/tests/system/xferquota/setup.sh b/bin/tests/system/xferquota/setup.sh
new file mode 100644
index 0000000..c8c488d
--- /dev/null
+++ b/bin/tests/system/xferquota/setup.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Set up test data for zone transfer quota tests.
+#
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$PERL setup.pl
+
+cp -f ns1/changing1.db ns1/changing.db
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
diff --git a/bin/tests/system/xferquota/tests.sh b/bin/tests/system/xferquota/tests.sh
new file mode 100755
index 0000000..d6e0544
--- /dev/null
+++ b/bin/tests/system/xferquota/tests.sh
@@ -0,0 +1,64 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}"
+RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
+
+#
+# Perform tests
+#
+
+count=0
+ticks=0
+while [ $count != 300 ]; do
+        if [ $ticks = 1 ]; then
+	        echo_i "Changing test zone..."
+		cp -f ns1/changing2.db ns1/changing.db
+		if [ ! "$CYGWIN" ]; then
+			$KILL -HUP `cat ns1/named.pid`
+		else
+			rndc_reload ns1 10.53.0.1
+		fi
+	fi
+	sleep 1
+	ticks=`expr $ticks + 1`
+	seconds=`expr $ticks \* 1`
+	if [ $ticks = 360 ]; then
+		echo_i "Took too long to load zones"
+		exit 1
+	fi
+	count=`cat ns2/zone*.bk | grep xyzzy | wc -l`
+	echo_i "Have $count zones up in $seconds seconds"
+done
+
+status=0
+
+$DIG $DIGOPTS zone000099.example. @10.53.0.1 axfr > dig.out.ns1 || status=1
+
+$DIG $DIGOPTS zone000099.example. @10.53.0.2 axfr > dig.out.ns2 || status=1
+
+digcomp dig.out.ns1 dig.out.ns2 || status=1
+
+sleep 15
+
+$DIG $DIGOPTS a.changing. @10.53.0.1 a > dig.out.ns1 || status=1
+
+$DIG $DIGOPTS a.changing. @10.53.0.2 a > dig.out.ns2 || status=1
+
+digcomp dig.out.ns1 dig.out.ns2 || status=1
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/zero/ans5/ans.pl b/bin/tests/system/zero/ans5/ans.pl
new file mode 100644
index 0000000..3ca1083
--- /dev/null
+++ b/bin/tests/system/zero/ans5/ans.pl
@@ -0,0 +1,81 @@
+#!/usr/bin/perl -w
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Don't respond if the "norespond" file exists; otherwise respond to
+# any A or AAAA query.
+#
+
+use IO::File;
+use IO::Socket;
+use Net::DNS;
+use Net::DNS::Packet;
+
+my $localport = int($ENV{'PORT'});
+if (!$localport) { $localport = 5300; }
+
+my $sock = IO::Socket::INET->new(LocalAddr => "10.53.0.5",
+   LocalPort => $localport, Proto => "udp") or die "$!";
+
+my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
+print $pidf "$$\n" or die "cannot write pid file: $!";
+$pidf->close or die "cannot close pid file: $!";
+sub rmpid { unlink "ans.pid"; exit 1; };
+
+$SIG{INT} = \&rmpid;
+$SIG{TERM} = \&rmpid;
+
+my $octet = 0;
+
+for (;;) {
+	$sock->recv($buf, 512);
+
+	print "**** request from " , $sock->peerhost, " port ", $sock->peerport, "\n";
+
+	my $packet;
+
+	if ($Net::DNS::VERSION > 0.68) {
+		$packet = new Net::DNS::Packet(\$buf, 0);
+		$@ and die $@;
+	} else {
+		my $err;
+		($packet, $err) = new Net::DNS::Packet(\$buf, 0);
+		$err and die $err;
+	}
+
+	print "REQUEST:\n";
+	$packet->print;
+
+	$packet->header->qr(1);
+
+	my @questions = $packet->question;
+	my $qname = $questions[0]->qname;
+	my $qtype = $questions[0]->qtype;
+
+	$packet->header->aa(1);
+	if ($qtype eq "A") {
+		$packet->push("answer",
+			      new Net::DNS::RR($qname .
+					       " 0 A 192.0.2." . $octet));
+		$octet = $octet + 1;
+	} elsif ($qtype eq "AAAA") {
+		$packet->push("answer",
+			      new Net::DNS::RR($qname .
+						" 300 AAAA 2001:db8:beef::1"));
+	}
+
+	$sock->send($packet->data);
+	print "RESPONSE:\n";
+	$packet->print;
+	print "\n";
+}
diff --git a/bin/tests/system/zero/clean.sh b/bin/tests/system/zero/clean.sh
new file mode 100644
index 0000000..2ef5727
--- /dev/null
+++ b/bin/tests/system/zero/clean.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f */named.conf
+rm -f */named.run
+rm -f */named.memstats
+rm -f ns2/example.db
+rm -f ns4/example.bk
+rm -f dig.out*
+rm -f query.list
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/zero/ns1/named.conf.in b/bin/tests/system/zero/ns1/named.conf.in
new file mode 100644
index 0000000..1334c85
--- /dev/null
+++ b/bin/tests/system/zero/ns1/named.conf.in
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
diff --git a/bin/tests/system/zero/ns1/root.db b/bin/tests/system/zero/ns1/root.db
new file mode 100644
index 0000000..fbcb3e2
--- /dev/null
+++ b/bin/tests/system/zero/ns1/root.db
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@	SOA ns1. hostmaster.warn.example. (
+	    1 3600 1200 604800 3600 )
+	NS  ns1.
+ns1. A 10.53.0.1
+;
+example. NS ns2.example.
+ns2.example. A 10.53.0.2
+example. NS ns4.example.
+ns4.example. A 10.53.0.4
+increment. NS incrementns.
+incrementns. A 10.53.0.5
+tld. NS ns2.tld.
+ns2.tld. A 10.53.0.2
+
diff --git a/bin/tests/system/zero/ns2/named.args b/bin/tests/system/zero/ns2/named.args
new file mode 100644
index 0000000..b20594e
--- /dev/null
+++ b/bin/tests/system/zero/ns2/named.args
@@ -0,0 +1 @@
+-m record,size,mctx -c named.conf -d 1 -D zero-ns2 -X named.lock -g -T maxcachesize=2097152
diff --git a/bin/tests/system/zero/ns2/named.conf.in b/bin/tests/system/zero/ns2/named.conf.in
new file mode 100644
index 0000000..751eafd
--- /dev/null
+++ b/bin/tests/system/zero/ns2/named.conf.in
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+};
+
+zone "tld" {
+	type primary;
+	file "tld.db";
+};
diff --git a/bin/tests/system/zero/ns2/tld.db b/bin/tests/system/zero/ns2/tld.db
new file mode 100644
index 0000000..0ffeb05
--- /dev/null
+++ b/bin/tests/system/zero/ns2/tld.db
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 1
+@	300	SOA	ns2.tld. hostmaster.ns2.tld. 0 1 1 1 1
+@	300	NS 	ns2.tld.
+ns2	300	A 	10.53.0.2
+;
+;	The TTL of these delegation records needs to 1.
+;
+one	1	NS 	ns4.one.tld.
+ns4.one	1	A	10.53.0.4
diff --git a/bin/tests/system/zero/ns3/named.args b/bin/tests/system/zero/ns3/named.args
new file mode 100644
index 0000000..9d89bd6
--- /dev/null
+++ b/bin/tests/system/zero/ns3/named.args
@@ -0,0 +1 @@
+-m record,size,mctx -c named.conf -d 1 -D zero-ns3 -X named.lock -g -T maxcachesize=2097152
diff --git a/bin/tests/system/zero/ns3/named.conf.in b/bin/tests/system/zero/ns3/named.conf.in
new file mode 100644
index 0000000..3492b9f
--- /dev/null
+++ b/bin/tests/system/zero/ns3/named.conf.in
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+};
+
+zone "." {
+	type hint;
+	file "root.hint";
+};
diff --git a/bin/tests/system/zero/ns3/root.hint b/bin/tests/system/zero/ns3/root.hint
new file mode 100644
index 0000000..206e952
--- /dev/null
+++ b/bin/tests/system/zero/ns3/root.hint
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. NS ns1.
+ns1. A 10.53.0.1
diff --git a/bin/tests/system/zero/ns4/named.args b/bin/tests/system/zero/ns4/named.args
new file mode 100644
index 0000000..09d1fe0
--- /dev/null
+++ b/bin/tests/system/zero/ns4/named.args
@@ -0,0 +1 @@
+-m record,size,mctx -c named.conf -d 1 -D zero-ns4 -X named.lock -g -T maxcachesize=2097152
diff --git a/bin/tests/system/zero/ns4/named.conf.in b/bin/tests/system/zero/ns4/named.conf.in
new file mode 100644
index 0000000..fc8fec6
--- /dev/null
+++ b/bin/tests/system/zero/ns4/named.conf.in
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation yes;
+};
+
+zone "example" {
+	type secondary;
+	primaries { 10.53.0.2; };
+	file "example.bk";
+};
+
+zone "one.tld" {
+	type primary;
+	file "one.tld.db";
+};
diff --git a/bin/tests/system/zero/ns4/one.tld.db b/bin/tests/system/zero/ns4/one.tld.db
new file mode 100644
index 0000000..491ba87
--- /dev/null
+++ b/bin/tests/system/zero/ns4/one.tld.db
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 1
+;	The TTL of all these records needs to be 1.
+@	1	SOA	ns4.one.tld. hostmaster.ns4.tld. 0 1 1 1 1
+@	1	NS 	ns4.one.tld.
+ns4	1	A	10.53.0.4
+www	1	A	10.53.0.4
diff --git a/bin/tests/system/zero/prereq.sh b/bin/tests/system/zero/prereq.sh
new file mode 100644
index 0000000..ec369f8
--- /dev/null
+++ b/bin/tests/system/zero/prereq.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if $PERL -e 'use Net::DNS;' 2>/dev/null
+then
+    :
+else
+    echo_i "This test requires the Net::DNS library." >&2
+    exit 1
+fi
diff --git a/bin/tests/system/zero/setup.sh b/bin/tests/system/zero/setup.sh
new file mode 100644
index 0000000..592034c
--- /dev/null
+++ b/bin/tests/system/zero/setup.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+
+$SHELL ../genzone.sh 2 4 | sed -e 's/^$TTL 3600$/$TTL 0 ; force TTL to zero/' -e 's/86400.IN SOA/0 SOA/' > ns2/example.db
diff --git a/bin/tests/system/zero/tests.sh b/bin/tests/system/zero/tests.sh
new file mode 100644
index 0000000..0449552
--- /dev/null
+++ b/bin/tests/system/zero/tests.sh
@@ -0,0 +1,122 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#shellcheck source=conf.sh
+SYSTEMTESTTOP=..
+. "$SYSTEMTESTTOP/conf.sh"
+
+dig_with_opts() {
+	"$DIG" -p "${PORT}" "$@"
+}
+
+wait_for_pid() (
+	for pid in "$@"; do
+		kill -0 "$pid" 2>/dev/null && return 1
+	done
+	return 0
+)
+
+status=0
+n=0
+
+n=$((n+1))
+echo_i "check lookups against TTL=0 records ($n)"
+i=0
+ret=0
+passes=10
+dig_with_opts @10.53.0.2 axfr example | grep -v "^ds0" | \
+awk '$2 == "0" { print "-q", $1, $4; print "-q", "zzz"$1, $4;}' > query.list
+
+# add 1/5 second per query
+timeout=$(($(wc -l < query.list) / 5))
+while [ $i -lt $passes ]
+do
+	(dig_with_opts @10.53.0.3 -f query.list > "dig.out$i.1.test$n") & pid1="$!"
+	(dig_with_opts @10.53.0.3 -f query.list > "dig.out$i.2.test$n") & pid2="$!"
+	(dig_with_opts @10.53.0.3 -f query.list > "dig.out$i.3.test$n") & pid3="$!"
+	(dig_with_opts @10.53.0.3 -f query.list > "dig.out$i.4.test$n") & pid4="$!"
+	(dig_with_opts @10.53.0.3 -f query.list > "dig.out$i.5.test$n") & pid5="$!"
+	(dig_with_opts @10.53.0.3 -f query.list > "dig.out$i.6.test$n") & pid6="$!"
+
+	retry_quiet "$timeout" wait_for_pid "$pid1" "$pid2" "$pid3" "$pid4" "$pid5" "$pid6" || ret=1
+	kill -TERM "$pid1" "$pid2" "$pid3" "$pid4" "$pid5" "$pid6" 2>/dev/null
+
+	wait "$pid1" || ret=1
+	wait "$pid2" || ret=1
+	wait "$pid3" || ret=1
+	wait "$pid4" || ret=1
+	wait "$pid5" || ret=1
+	wait "$pid6" || ret=1
+
+	grep "status: SERVFAIL" "dig.out$i.1.test$n" > /dev/null && ret=1
+	grep "status: SERVFAIL" "dig.out$i.2.test$n" > /dev/null && ret=1
+	grep "status: SERVFAIL" "dig.out$i.3.test$n" > /dev/null && ret=1
+	grep "status: SERVFAIL" "dig.out$i.4.test$n" > /dev/null && ret=1
+	grep "status: SERVFAIL" "dig.out$i.5.test$n" > /dev/null && ret=1
+	grep "status: SERVFAIL" "dig.out$i.6.test$n" > /dev/null && ret=1
+	[ $ret = 1 ] && break
+	i=$((i+1))
+	echo_i "successfully completed pass $i of $passes"
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+repeat_query() (
+	i=0
+	while [ "$i" -lt "$1" ]; do
+		dig_with_opts +short "@$2" "$3" | tee "dig.out$i.test$n" || return 1
+		i=$((i+1))
+	done
+)
+
+count_unique() (
+	repeat_query "$@" | sort -u | wc -l
+)
+
+n=$((n+1))
+echo_i "check repeated recursive lookups of non recurring TTL=0 responses get new values ($n)"
+ret=0
+repeats=9
+count=$(count_unique "$repeats" 10.53.0.3 foo.increment)
+if [ "$count" -ne "$repeats" ] ; then echo_i "failed (count=$count, repeats=$repeats)"; ret=1; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check lookups against TTL=1 records ($n)"
+i=0
+passes=10
+ret=0
+while [ $i -lt $passes ]
+do
+	dig_with_opts @10.53.0.3 www.one.tld > "dig.out$i.1.test$n" || ret=1
+	dig_with_opts @10.53.0.3 www.one.tld > "dig.out$i.2.test$n" || ret=1
+	dig_with_opts @10.53.0.3 www.one.tld > "dig.out$i.3.test$n" || ret=1
+	dig_with_opts @10.53.0.3 www.one.tld > "dig.out$i.4.test$n" || ret=1
+	dig_with_opts @10.53.0.3 www.one.tld > "dig.out$i.5.test$n" || ret=1
+	dig_with_opts @10.53.0.3 www.one.tld > "dig.out$i.6.test$n" || ret=1
+	grep "status: SERVFAIL" "dig.out$i.1.test$n" > /dev/null && ret=1
+	grep "status: SERVFAIL" "dig.out$i.2.test$n" > /dev/null && ret=1
+	grep "status: SERVFAIL" "dig.out$i.3.test$n" > /dev/null && ret=1
+	grep "status: SERVFAIL" "dig.out$i.4.test$n" > /dev/null && ret=1
+	grep "status: SERVFAIL" "dig.out$i.5.test$n" > /dev/null && ret=1
+	grep "status: SERVFAIL" "dig.out$i.6.test$n" > /dev/null && ret=1
+	[ $ret = 1 ] && break
+	i=$((i+1))
+	echo_i "successfully completed pass $i of $passes"
+	sleep 1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "exit status: $status"
+[ "$status" -eq 0 ] || exit 1
diff --git a/bin/tests/system/zonechecks/a.db b/bin/tests/system/zonechecks/a.db
new file mode 100644
index 0000000..62d1ee7
--- /dev/null
+++ b/bin/tests/system/zonechecks/a.db
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@	3600	IN SOA	ns hostmaster 1 3600 1200 604800 3600
+@	3600	IN NS	127.0.0.1
+127.0.0.1 3600	IN A	127.0.0.1
diff --git a/bin/tests/system/zonechecks/aaaa.db b/bin/tests/system/zonechecks/aaaa.db
new file mode 100644
index 0000000..75724d6
--- /dev/null
+++ b/bin/tests/system/zonechecks/aaaa.db
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@	3600	IN SOA	ns hostmaster 1 3600 1200 604800 3600
+@	3600	IN NS	::1
+::1	3600	IN AAAA	::1
diff --git a/bin/tests/system/zonechecks/bigserial.db b/bin/tests/system/zonechecks/bigserial.db
new file mode 100644
index 0000000..200573a
--- /dev/null
+++ b/bin/tests/system/zonechecks/bigserial.db
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@	3600	IN SOA	ns hostmaster 3003113544 3600 1200 604800 3600
+@	3600	IN NS	ns
+ns	3600	IN A	10.53.0.1
diff --git a/bin/tests/system/zonechecks/clean.sh b/bin/tests/system/zonechecks/clean.sh
new file mode 100644
index 0000000..ed4012a
--- /dev/null
+++ b/bin/tests/system/zonechecks/clean.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f *.out
+rm -f */named.memstats
+rm -f */named.conf
+rm -f */named.run
+rm -f */*.db */*.db.signed */K*.key */K*.private */*.jnl */dsset-*
+rm -f */signer.err
+rm -f rndc.out.*
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind* ns*/*.mkeys*
diff --git a/bin/tests/system/zonechecks/cname.db b/bin/tests/system/zonechecks/cname.db
new file mode 100644
index 0000000..2e8a123
--- /dev/null
+++ b/bin/tests/system/zonechecks/cname.db
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@	3600	IN SOA	ns hostmaster 1 3600 1200 604800 3600
+@	3600	IN NS	ns
+ns	3600	IN CNAME @
diff --git a/bin/tests/system/zonechecks/dname.db b/bin/tests/system/zonechecks/dname.db
new file mode 100644
index 0000000..b2859d1
--- /dev/null
+++ b/bin/tests/system/zonechecks/dname.db
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@	3600	IN SOA	ns hostmaster 1 3600 1200 604800 3600
+@	3600	IN NS	ns
+@	3600	IN DNAME .
diff --git a/bin/tests/system/zonechecks/noaddress.db b/bin/tests/system/zonechecks/noaddress.db
new file mode 100644
index 0000000..f656197
--- /dev/null
+++ b/bin/tests/system/zonechecks/noaddress.db
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@	3600	IN SOA	ns hostmaster 1 3600 1200 604800 3600
+@	3600	IN NS	ns
+ns	3600	IN TXT	this name has no address records
diff --git a/bin/tests/system/zonechecks/ns1/named.conf.in b/bin/tests/system/zonechecks/ns1/named.conf.in
new file mode 100644
index 0000000..78f087d
--- /dev/null
+++ b/bin/tests/system/zonechecks/ns1/named.conf.in
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	dnssec-validation yes;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+view unused {
+	match-clients { none; };
+
+	zone "duplicate.example" {
+		type primary;
+		file "duplicate.db";
+	};
+};
+
+view primary {
+	match-clients { any; };
+
+	zone "primary.example" {
+		type primary;
+		file "primary.db";
+		allow-update { any; };
+		allow-transfer { any; };
+		auto-dnssec maintain;
+	};
+
+	zone "bigserial.example" {
+		type primary;
+		file "bigserial.db";
+	};
+
+	zone "reload.example" {
+		type primary;
+		file "reload.db";
+	};
+
+	zone "duplicate.example" {
+		type primary;
+		file "duplicate.db";
+	};
+};
diff --git a/bin/tests/system/zonechecks/ns2/named.conf.in b/bin/tests/system/zonechecks/ns2/named.conf.in
new file mode 100644
index 0000000..79e7c18
--- /dev/null
+++ b/bin/tests/system/zonechecks/ns2/named.conf.in
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	dnssec-validation yes;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "primary.example" {
+	type secondary;
+	primaries { 10.53.0.1; };
+	file "sec.db";
+};
diff --git a/bin/tests/system/zonechecks/nxdomain.db b/bin/tests/system/zonechecks/nxdomain.db
new file mode 100644
index 0000000..853325d
--- /dev/null
+++ b/bin/tests/system/zonechecks/nxdomain.db
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@	3600	IN SOA	ns hostmaster 1 3600 1200 604800 3600
+@	3600	IN NS	ns
+; There are no records at all with the ownername of "ns".
diff --git a/bin/tests/system/zonechecks/setup.sh b/bin/tests/system/zonechecks/setup.sh
new file mode 100644
index 0000000..a6cbb6f
--- /dev/null
+++ b/bin/tests/system/zonechecks/setup.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+
+$SHELL ../genzone.sh 1 > ns1/primary.db
+$SHELL ../genzone.sh 1 > ns1/duplicate.db
+cp bigserial.db ns1/
+cd ns1
+touch primary.db.signed
+echo '$INCLUDE "primary.db.signed"' >> primary.db
+$KEYGEN -a ${DEFAULT_ALGORITHM} -q primary.example > /dev/null 2>&1
+$KEYGEN -a ${DEFAULT_ALGORITHM} -qfk primary.example > /dev/null 2>&1
+$SIGNER -SD -o primary.example primary.db > /dev/null \
+    2> signer.err || cat signer.err
+echo '$INCLUDE "soa.db"' > reload.db
+echo '@ 0 NS .' >> reload.db
+echo '@ 0 SOA . . 1 0 0 0 0' > soa.db
diff --git a/bin/tests/system/zonechecks/tests.sh b/bin/tests/system/zonechecks/tests.sh
new file mode 100644
index 0000000..e2a6879
--- /dev/null
+++ b/bin/tests/system/zonechecks/tests.sh
@@ -0,0 +1,257 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="-p ${PORT}"
+RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
+
+status=0
+
+#
+echo_i "checking that we detect a NS which refers to a CNAME"
+if $CHECKZONE . cname.db > cname.out 2>&1
+then
+	echo_i "failed (status)"; status=`expr $status + 1`
+else
+	if grep "is a CNAME" cname.out > /dev/null
+	then
+		:
+	else
+		echo_i "failed (message)"; status=`expr $status + 1`
+	fi
+fi
+
+#
+echo_i "checking that we detect a NS which is below a DNAME"
+if $CHECKZONE . dname.db > dname.out 2>&1
+then
+	echo_i "failed (status)"; status=`expr $status + 1`
+else
+	if grep "is below a DNAME" dname.out > /dev/null
+	then
+		:
+	else
+		echo_i "failed (message)"; status=`expr $status + 1`
+	fi
+fi
+
+#
+echo_i "checking that we detect a NS which has no address records (A/AAAA)"
+if $CHECKZONE . noaddress.db > noaddress.out
+then
+	echo_i "failed (status)"; status=`expr $status + 1`
+else
+	if grep "has no address records" noaddress.out > /dev/null
+	then
+		:
+	else
+		echo_i "failed (message)"; status=`expr $status + 1`
+	fi
+fi
+
+#
+echo_i "checking that we detect a NS which has no records"
+if $CHECKZONE . nxdomain.db > nxdomain.out
+then
+	echo_i "failed (status)"; status=`expr $status + 1`
+else
+	if grep "has no address records" noaddress.out > /dev/null
+	then
+		:
+	else
+		echo_i "failed (message)"; status=`expr $status + 1`
+	fi
+fi
+
+#
+echo_i "checking that we detect a NS which looks like a A record (fail)"
+if $CHECKZONE -n fail . a.db > a.out 2>&1
+then
+	echo_i "failed (status)"; status=`expr $status + 1`
+else
+	if grep "appears to be an address" a.out > /dev/null
+	then
+		:
+	else
+		echo_i "failed (message)"; status=`expr $status + 1`
+	fi
+fi
+
+#
+echo_i "checking that we detect a NS which looks like a A record (warn=default)"
+if $CHECKZONE . a.db > a.out 2>&1
+then
+	if grep "appears to be an address" a.out > /dev/null
+	then
+		:
+	else
+		echo_i "failed (message)"; status=`expr $status + 1`
+	fi
+else
+	echo_i "failed (status)"; status=`expr $status + 1`
+fi
+
+#
+echo_i "checking that we detect a NS which looks like a A record (ignore)"
+if $CHECKZONE -n ignore . a.db > a.out 2>&1
+then
+	if grep "appears to be an address" a.out > /dev/null
+	then
+		echo_i "failed (message)"; status=`expr $status + 1`
+	else
+		:
+	fi
+else
+	echo_i "failed (status)"; status=`expr $status + 1`
+fi
+
+#
+echo_i "checking that we detect a NS which looks like a AAAA record (fail)"
+if $CHECKZONE -n fail . aaaa.db > aaaa.out 2>&1
+then
+	echo_i "failed (status)"; status=`expr $status + 1`
+else
+	if grep "appears to be an address" aaaa.out > /dev/null
+	then
+		:
+	else
+		echo_i "failed (message)"; status=`expr $status + 1`
+	fi
+fi
+
+#
+echo_i "checking that we detect a NS which looks like a AAAA record (warn=default)"
+if $CHECKZONE . aaaa.db > aaaa.out 2>&1
+then
+	if grep "appears to be an address" aaaa.out > /dev/null
+	then
+		:
+	else
+		echo_i "failed (message)"; status=`expr $status + 1`
+	fi
+else
+	echo_i "failed (status)"; status=`expr $status + 1`
+fi
+
+#
+echo_i "checking that we detect a NS which looks like a AAAA record (ignore)"
+if $CHECKZONE -n ignore . aaaa.db > aaaa.out 2>&1
+then
+	if grep "appears to be an address" aaaa.out > /dev/null
+	then
+		echo_i "failed (message)"; status=`expr $status + 1`
+	else
+		:
+	fi
+else
+	echo_i "failed (status)"; status=`expr $status + 1`
+fi
+
+#
+echo_i "checking 'rdnc zonestatus' output"
+ret=0 
+for i in 0 1 2 3 4 5 6 7 8 9
+do
+	$RNDCCMD 10.53.0.1 zonestatus primary.example > rndc.out.pri 2>&1
+	grep "zone not loaded" rndc.out.pri > /dev/null || break
+	sleep 1
+done
+checkfor() {
+	grep "$1" $2 > /dev/null || {
+		ret=1;
+		echo_i "missing string '$1' from '$2'"
+	}
+}
+checkfor "name: primary.example" rndc.out.pri
+checkfor "type: primary" rndc.out.pri
+checkfor "files: primary.db, primary.db.signed" rndc.out.pri
+checkfor "serial: " rndc.out.pri
+checkfor "nodes: " rndc.out.pri
+checkfor "last loaded: " rndc.out.pri
+checkfor "secure: yes" rndc.out.pri
+checkfor "inline signing: no" rndc.out.pri
+checkfor "key maintenance: automatic" rndc.out.pri
+checkfor "next key event: " rndc.out.pri
+checkfor "next resign node: " rndc.out.pri
+checkfor "next resign time: " rndc.out.pri
+checkfor "dynamic: yes" rndc.out.pri
+checkfor "frozen: no" rndc.out.pri
+for i in 0 1 2 3 4 5 6 7 8 9
+do
+	$RNDCCMD 10.53.0.2 zonestatus primary.example > rndc.out.sec 2>&1
+	grep "zone not loaded" rndc.out.sec > /dev/null || break
+	sleep 1
+done
+checkfor "name: primary.example" rndc.out.sec
+checkfor "type: secondary" rndc.out.sec
+checkfor "files: sec.db" rndc.out.sec
+checkfor "serial: " rndc.out.sec
+checkfor "nodes: " rndc.out.sec
+checkfor "next refresh: " rndc.out.sec
+checkfor "expires: " rndc.out.sec
+checkfor "secure: yes" rndc.out.sec
+for i in 0 1 2 3 4 5 6 7 8 9
+do
+	$RNDCCMD 10.53.0.1 zonestatus reload.example > rndc.out.prereload 2>&1
+	grep "zone not loaded" rndc.out.prereload > /dev/null || break
+	sleep 1
+done
+checkfor "files: reload.db, soa.db$" rndc.out.prereload
+echo "@ 0 SOA . . 2 0 0 0 0" > ns1/soa.db
+$RNDCCMD 10.53.0.1 reload reload.example | sed 's/^/ns1 /' | cat_i
+for i in 0 1 2 3 4 5 6 7 8 9
+do
+	$DIG $DIGOPTS reload.example SOA @10.53.0.1 > dig.out
+	grep " 2 0 0 0 0" dig.out >/dev/null && break
+	sleep 1
+done
+$RNDCCMD 10.53.0.1 zonestatus reload.example > rndc.out.postreload 2>&1
+checkfor "files: reload.db, soa.db$" rndc.out.postreload
+sleep 1
+echo "@ 0 SOA . . 3 0 0 0 0" > ns1/reload.db
+echo "@ 0 NS ." >> ns1/reload.db
+rndc_reload ns1 10.53.0.1 reload.example
+for i in 0 1 2 3 4 5 6 7 8 9
+do
+	$DIG $DIGOPTS reload.example SOA @10.53.0.1 > dig.out
+	grep " 3 0 0 0 0" dig.out >/dev/null && break
+	sleep 1
+done
+$RNDCCMD 10.53.0.1 zonestatus reload.example > rndc.out.removeinclude 2>&1
+checkfor "files: reload.db$" rndc.out.removeinclude
+
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking 'rdnc zonestatus' with duplicated zone name"
+ret=0 
+$RNDCCMD 10.53.0.1 zonestatus duplicate.example > rndc.out.duplicate 2>&1
+checkfor "zone 'duplicate.example' was found in multiple views" rndc.out.duplicate
+$RNDCCMD 10.53.0.1 zonestatus duplicate.example in primary > rndc.out.duplicate 2>&1
+checkfor "name: duplicate.example" rndc.out.duplicate
+$RNDCCMD 10.53.0.1 zonestatus nosuchzone.example > rndc.out.duplicate 2>&1
+checkfor "no matching zone 'nosuchzone.example' in any view" rndc.out.duplicate
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking 'rdnc zonestatus' with big serial value"
+ret=0
+$RNDCCMD 10.53.0.1 zonestatus bigserial.example > rndc.out.bigserial 2>&1
+checkfor "serial: 3003113544" rndc.out.bigserial
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/testdata/wire/wire_test.data b/bin/tests/testdata/wire/wire_test.data
new file mode 100644
index 0000000..cbda586
--- /dev/null
+++ b/bin/tests/testdata/wire/wire_test.data
@@ -0,0 +1,9 @@
+000a 8580 0001 0003 0000 0003	# message header
+0376697803636f6d00 0002 0001 	# question section: vix.com IN NS
+c00c 0002 0001 00000e10 	# vix.com IN NS 3600
+000b 056973727631027061c00c 	# rdlen=0xb  isrv1.pa.vix.com
+c00c 0002 0001 00000e10 0009 066e732d657874c00c
+c00c 0002 0001 00000e10 000e 036e733104676e616303636f6d00
+c025 0001 0001 00000e10 0004 cc98b886
+c03c 0001 0001 00000e10 0004 cc98b840
+c051 0001 0001 0002a14a 0004 c697f8f6
diff --git a/bin/tests/testdata/wire/wire_test.data2 b/bin/tests/testdata/wire/wire_test.data2
new file mode 100644
index 0000000..503eac7
--- /dev/null
+++ b/bin/tests/testdata/wire/wire_test.data2
@@ -0,0 +1,14 @@
+1707 8180
+                         0001 0005 0002 0002 027a 6202 6d78 0361
+                         6f6c 0363 6f6d 0000 0100 01c0 0c00 0100
+                         0100 000b a100 04c6 5110 21c0 0c00 0100
+                         0100 000b a100 04c6 5110 22c0 0c00 0100
+                         0100 000b a100 04c6 5110 23c0 0c00 0100
+                         0100 000b a100 04c6 5110 24c0 0c00 0100
+                         0100 000b a100 04c6 5110 2502 6d78 0341
+                         4f4c 0363 6f6d 0000 0200 0100 000d 9900
+                         0c06 646e 732d 3031 026e 73c0 72c0 6f00
+                         0200 0100 000d 9900 0906 646e 732d 3032
+                         c08c c085 0001 0001 0000 0d99 0004 c651
+                         11e8 c09d 0001 0001 0000 0d99 0004 cdbc
+                         9de8
diff --git a/bin/tests/testdata/wire/wire_test.data3 b/bin/tests/testdata/wire/wire_test.data3
new file mode 100644
index 0000000..86a80ab
--- /dev/null
+++ b/bin/tests/testdata/wire/wire_test.data3
@@ -0,0 +1,14 @@
+1706 8180
+                         0001 0005 0002 0002 027a 6102 6d78 0361
+                         6f6c 0363 6f6d 0000 0100 01c0 0c00 0100
+                         0100 000b a100 04c6 5110 05c0 0c00 0100
+                         0100 000b a100 04c6 5110 01c0 0c00 0100
+                         0100 000b a100 04c6 5110 02c0 0c00 0100
+                         0100 000b a100 04c6 5110 03c0 0c00 0100
+                         0100 000b a100 04c6 5110 0402 6d78 0341
+                         4f4c 0363 6f6d 0000 0200 0100 000d 9900
+                         0c06 646e 732d 3031 026e 73c0 72c0 6f00
+                         0200 0100 000d 9900 0906 646e 732d 3032
+                         c08c c085 0001 0001 0000 0d99 0004 c651
+                         11e8 c09d 0001 0001 0000 0d99 0004 cdbc
+                         9de8
diff --git a/bin/tests/testdata/wire/wire_test.data4 b/bin/tests/testdata/wire/wire_test.data4
new file mode 100644
index 0000000..b934a60
--- /dev/null
+++ b/bin/tests/testdata/wire/wire_test.data4
@@ -0,0 +1,31 @@
+00068180
+000100070002001103616f6c03636f6d
+00000f0001c00c000f000100000d1b00
+0a000f027a64026d78c00cc00c000f00
+0100000d1b0007000f027962c02ac00c
+000f000100000d1b0007000f027963c0
+2ac00c000f000100000d1b0007000f02
+7964c02ac00c000f000100000d1b0007
+000f027a61c02ac00c000f000100000d
+1b0007000f027a62c02ac00c000f0001
+00000d1b0007000f027a63c02ac00c00
+02000100000d1b000c06444e532d3031
+024e53c00cc00c0002000100000d1b00
+0906444e532d3032c0b4c02700010001
+00000d1c0004c6511062c02700010001
+00000d1c0004c6511063c02700010001
+00000d1c0004c6511064c02700010001
+00000d1c0004c6511065c02700010001
+00000d1c0004c6511061c03d00010001
+00000d1c0004cdbc9c63c03d00010001
+00000d1c0004cdbc9c64c03d00010001
+00000d1c0004cdbc9c65c03d00010001
+00000d1c0004cdbc9c61c03d00010001
+00000d1c0004cdbc9c62c05000010001
+00000d1c0004cdbc9c83c05000010001
+00000d1c0004cdbc9c84c05000010001
+00000d1c0004cdbc9c85c05000010001
+00000d1c0004cdbc9c81c05000010001
+00000d1c0004cdbc9c82c0ad00010001
+00000d1c0004c65111e8c0c500010001
+00000d1c0004cdbc9de8
diff --git a/bin/tests/win32/backtrace_test.vcxproj.filters.in b/bin/tests/win32/backtrace_test.vcxproj.filters.in
new file mode 100644
index 0000000..307a6ec
--- /dev/null
+++ b/bin/tests/win32/backtrace_test.vcxproj.filters.in
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\backtrace_test.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/tests/win32/backtrace_test.vcxproj.in b/bin/tests/win32/backtrace_test.vcxproj.in
new file mode 100644
index 0000000..b23e221
--- /dev/null
+++ b/bin/tests/win32/backtrace_test.vcxproj.in
@@ -0,0 +1,119 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{14751171-C40E-40EE-A2F0-37FFC3CCD4A2}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>backtrace_test</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\backtrace_test.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/tests/win32/backtrace_test.vcxproj.user b/bin/tests/win32/backtrace_test.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/tests/win32/backtrace_test.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/tests/win32/inter_test.vcxproj.filters.in b/bin/tests/win32/inter_test.vcxproj.filters.in
new file mode 100644
index 0000000..2797475
--- /dev/null
+++ b/bin/tests/win32/inter_test.vcxproj.filters.in
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\inter_test.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/tests/win32/inter_test.vcxproj.in b/bin/tests/win32/inter_test.vcxproj.in
new file mode 100644
index 0000000..af755aa
--- /dev/null
+++ b/bin/tests/win32/inter_test.vcxproj.in
@@ -0,0 +1,119 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{06AA5F16-7121-4C3A-91EF-AFC3BF3B8CE1}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>inter_test</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\inter_test.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/tests/win32/inter_test.vcxproj.user b/bin/tests/win32/inter_test.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/tests/win32/inter_test.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/tests/win32/makejournal.vcxproj.filters.in b/bin/tests/win32/makejournal.vcxproj.filters.in
new file mode 100644
index 0000000..44aa47b
--- /dev/null
+++ b/bin/tests/win32/makejournal.vcxproj.filters.in
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\makejournal.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/tests/win32/makejournal.vcxproj.in b/bin/tests/win32/makejournal.vcxproj.in
new file mode 100644
index 0000000..167d49d
--- /dev/null
+++ b/bin/tests/win32/makejournal.vcxproj.in
@@ -0,0 +1,119 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{31715139-2C27-47D2-8394-71B71A8AC3D5}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>makejournal</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;libdns.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;libdns.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\makejournal.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/tests/win32/makejournal.vcxproj.user b/bin/tests/win32/makejournal.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/tests/win32/makejournal.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/tests/win32/rwlock_test.vcxproj.filters.in b/bin/tests/win32/rwlock_test.vcxproj.filters.in
new file mode 100644
index 0000000..99ad567
--- /dev/null
+++ b/bin/tests/win32/rwlock_test.vcxproj.filters.in
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\rwlock_test.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/tests/win32/rwlock_test.vcxproj.in b/bin/tests/win32/rwlock_test.vcxproj.in
new file mode 100644
index 0000000..96af4dc
--- /dev/null
+++ b/bin/tests/win32/rwlock_test.vcxproj.in
@@ -0,0 +1,119 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{7705EEF6-6980-48F9-A045-699DAFE860C9}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>rwlock_test</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\rwlock_test.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/tests/win32/rwlock_test.vcxproj.user b/bin/tests/win32/rwlock_test.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/tests/win32/rwlock_test.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/tests/win32/shutdown_test.vcxproj.filters.in b/bin/tests/win32/shutdown_test.vcxproj.filters.in
new file mode 100644
index 0000000..64f052c
--- /dev/null
+++ b/bin/tests/win32/shutdown_test.vcxproj.filters.in
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\shutdown_test.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/tests/win32/shutdown_test.vcxproj.in b/bin/tests/win32/shutdown_test.vcxproj.in
new file mode 100644
index 0000000..cbd8c49
--- /dev/null
+++ b/bin/tests/win32/shutdown_test.vcxproj.in
@@ -0,0 +1,119 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{551561F6-4A2A-4824-8A34-A4AF0EB7C179}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>shutdown_test</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\shutdown_test.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/tests/win32/shutdown_test.vcxproj.user b/bin/tests/win32/shutdown_test.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/tests/win32/shutdown_test.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/tests/win32/sock_test.vcxproj.filters.in b/bin/tests/win32/sock_test.vcxproj.filters.in
new file mode 100644
index 0000000..bbe2ff8
--- /dev/null
+++ b/bin/tests/win32/sock_test.vcxproj.filters.in
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\sock_test.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/tests/win32/sock_test.vcxproj.in b/bin/tests/win32/sock_test.vcxproj.in
new file mode 100644
index 0000000..b5552d0
--- /dev/null
+++ b/bin/tests/win32/sock_test.vcxproj.in
@@ -0,0 +1,119 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{6200ED9D-CAB1-4C00-8D79-478F64A19B8F}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>sock_test</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\sock_test.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/tests/win32/sock_test.vcxproj.user b/bin/tests/win32/sock_test.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/tests/win32/sock_test.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/tests/win32/task_test.vcxproj.filters.in b/bin/tests/win32/task_test.vcxproj.filters.in
new file mode 100644
index 0000000..b229ca1
--- /dev/null
+++ b/bin/tests/win32/task_test.vcxproj.filters.in
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\task_test.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/tests/win32/task_test.vcxproj.in b/bin/tests/win32/task_test.vcxproj.in
new file mode 100644
index 0000000..e0d2f66
--- /dev/null
+++ b/bin/tests/win32/task_test.vcxproj.in
@@ -0,0 +1,119 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{CC7340C1-CBAF-4145-969A-73AE960401D6}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>task_test</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\task_test.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/tests/win32/task_test.vcxproj.user b/bin/tests/win32/task_test.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/tests/win32/task_test.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/tests/win32/timer_test.vcxproj.filters.in b/bin/tests/win32/timer_test.vcxproj.filters.in
new file mode 100644
index 0000000..40a5b36
--- /dev/null
+++ b/bin/tests/win32/timer_test.vcxproj.filters.in
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\timer_test.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/tests/win32/timer_test.vcxproj.in b/bin/tests/win32/timer_test.vcxproj.in
new file mode 100644
index 0000000..e996717
--- /dev/null
+++ b/bin/tests/win32/timer_test.vcxproj.in
@@ -0,0 +1,119 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{E55653C8-5501-4871-A97C-C926631F40F9}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>timer_test</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\timer_test.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/tests/win32/timer_test.vcxproj.user b/bin/tests/win32/timer_test.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/tests/win32/timer_test.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/tests/wire_test.c b/bin/tests/wire_test.c
new file mode 100644
index 0000000..f3ba949
--- /dev/null
+++ b/bin/tests/wire_test.c
@@ -0,0 +1,359 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/file.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/message.h>
+#include <dns/result.h>
+
+int parseflags = 0;
+isc_mem_t *mctx = NULL;
+bool printmemstats = false;
+bool dorender = false;
+
+static void
+process_message(isc_buffer_t *source);
+
+static isc_result_t
+printmessage(dns_message_t *msg);
+
+static void
+CHECKRESULT(isc_result_t result, const char *msg) {
+	if (result != ISC_R_SUCCESS) {
+		printf("%s: %s\n", msg, dns_result_totext(result));
+
+		exit(1);
+	}
+}
+
+static int
+fromhex(char c) {
+	if (c >= '0' && c <= '9') {
+		return (c - '0');
+	} else if (c >= 'a' && c <= 'f') {
+		return (c - 'a' + 10);
+	} else if (c >= 'A' && c <= 'F') {
+		return (c - 'A' + 10);
+	}
+
+	fprintf(stderr, "bad input format: %02x\n", c);
+	exit(3);
+}
+
+static void
+usage(void) {
+	fprintf(stderr, "wire_test [-b] [-d] [-p] [-r] [-s]\n");
+	fprintf(stderr, "          [-m {usage|trace|record|size|mctx}]\n");
+	fprintf(stderr, "          [filename]\n\n");
+	fprintf(stderr, "\t-b\tBest-effort parsing (ignore some errors)\n");
+	fprintf(stderr, "\t-d\tRead input as raw binary data\n");
+	fprintf(stderr, "\t-p\tPreserve order of the records in messages\n");
+	fprintf(stderr, "\t-r\tAfter parsing, re-render the message\n");
+	fprintf(stderr, "\t-s\tPrint memory statistics\n");
+	fprintf(stderr, "\t-t\tTCP mode - ignore the first 2 bytes\n");
+}
+
+static isc_result_t
+printmessage(dns_message_t *msg) {
+	isc_buffer_t b;
+	char *buf = NULL;
+	int len = 1024;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	do {
+		buf = isc_mem_get(mctx, len);
+
+		isc_buffer_init(&b, buf, len);
+		result = dns_message_totext(msg, &dns_master_style_debug, 0,
+					    &b);
+		if (result == ISC_R_NOSPACE) {
+			isc_mem_put(mctx, buf, len);
+			len *= 2;
+		} else if (result == ISC_R_SUCCESS) {
+			printf("%.*s\n", (int)isc_buffer_usedlength(&b), buf);
+		}
+	} while (result == ISC_R_NOSPACE);
+
+	if (buf != NULL) {
+		isc_mem_put(mctx, buf, len);
+	}
+
+	return (result);
+}
+
+int
+main(int argc, char *argv[]) {
+	isc_buffer_t *input = NULL;
+	bool need_close = false;
+	bool tcp = false;
+	bool rawdata = false;
+	isc_result_t result;
+	uint8_t c;
+	FILE *f;
+	int ch;
+
+#define CMDLINE_FLAGS "bdm:prst"
+	/*
+	 * Process memory debugging argument first.
+	 */
+	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
+		switch (ch) {
+		case 'm':
+			if (strcasecmp(isc_commandline_argument, "record") == 0)
+			{
+				isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
+			}
+			if (strcasecmp(isc_commandline_argument, "trace") == 0)
+			{
+				isc_mem_debugging |= ISC_MEM_DEBUGTRACE;
+			}
+			if (strcasecmp(isc_commandline_argument, "usage") == 0)
+			{
+				isc_mem_debugging |= ISC_MEM_DEBUGUSAGE;
+			}
+			if (strcasecmp(isc_commandline_argument, "size") == 0) {
+				isc_mem_debugging |= ISC_MEM_DEBUGSIZE;
+			}
+			if (strcasecmp(isc_commandline_argument, "mctx") == 0) {
+				isc_mem_debugging |= ISC_MEM_DEBUGCTX;
+			}
+			break;
+		default:
+			break;
+		}
+	}
+	isc_commandline_reset = true;
+
+	isc_mem_create(&mctx);
+
+	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
+		switch (ch) {
+		case 'b':
+			parseflags |= DNS_MESSAGEPARSE_BESTEFFORT;
+			break;
+		case 'd':
+			rawdata = true;
+			break;
+		case 'm':
+			break;
+		case 'p':
+			parseflags |= DNS_MESSAGEPARSE_PRESERVEORDER;
+			break;
+		case 'r':
+			dorender = true;
+			break;
+		case 's':
+			printmemstats = true;
+			break;
+		case 't':
+			tcp = true;
+			break;
+		default:
+			usage();
+			exit(1);
+		}
+	}
+
+	argc -= isc_commandline_index;
+	argv += isc_commandline_index;
+
+	if (argc >= 1) {
+		f = fopen(argv[0], "r");
+		if (f == NULL) {
+			fprintf(stderr, "%s: fopen failed\n", argv[0]);
+			exit(1);
+		}
+		need_close = true;
+	} else {
+		f = stdin;
+	}
+
+	isc_buffer_allocate(mctx, &input, 64 * 1024);
+
+	if (rawdata) {
+		while (fread(&c, 1, 1, f) != 0) {
+			result = isc_buffer_reserve(&input, 1);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			isc_buffer_putuint8(input, (uint8_t)c);
+		}
+	} else {
+		char s[BUFSIZ];
+
+		while (fgets(s, sizeof(s), f) != NULL) {
+			char *rp = s, *wp = s;
+			size_t i, len = 0;
+
+			while (*rp != '\0') {
+				if (*rp == '#') {
+					break;
+				}
+				if (*rp != ' ' && *rp != '\t' && *rp != '\r' &&
+				    *rp != '\n')
+				{
+					*wp++ = *rp;
+					len++;
+				}
+				rp++;
+			}
+			if (len == 0U) {
+				continue;
+			}
+			if (len % 2 != 0U) {
+				fprintf(stderr, "bad input format: %lu\n",
+					(unsigned long)len);
+				exit(1);
+			}
+
+			rp = s;
+			for (i = 0; i < len; i += 2) {
+				c = fromhex(*rp++);
+				c *= 16;
+				c += fromhex(*rp++);
+				result = isc_buffer_reserve(&input, 1);
+				RUNTIME_CHECK(result == ISC_R_SUCCESS);
+				isc_buffer_putuint8(input, (uint8_t)c);
+			}
+		}
+	}
+
+	if (need_close) {
+		fclose(f);
+	}
+
+	if (tcp) {
+		while (isc_buffer_remaininglength(input) != 0) {
+			unsigned int tcplen;
+
+			if (isc_buffer_remaininglength(input) < 2) {
+				fprintf(stderr, "premature end of packet\n");
+				exit(1);
+			}
+			tcplen = isc_buffer_getuint16(input);
+
+			if (isc_buffer_remaininglength(input) < tcplen) {
+				fprintf(stderr, "premature end of packet\n");
+				exit(1);
+			}
+			process_message(input);
+		}
+	} else {
+		process_message(input);
+	}
+
+	isc_buffer_free(&input);
+
+	if (printmemstats) {
+		isc_mem_stats(mctx, stdout);
+	}
+	isc_mem_destroy(&mctx);
+
+	return (0);
+}
+
+static void
+process_message(isc_buffer_t *source) {
+	dns_message_t *message;
+	isc_result_t result;
+	int i;
+
+	message = NULL;
+	dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &message);
+
+	result = dns_message_parse(message, source, parseflags);
+	if (result == DNS_R_RECOVERABLE) {
+		result = ISC_R_SUCCESS;
+	}
+	CHECKRESULT(result, "dns_message_parse failed");
+
+	result = printmessage(message);
+	CHECKRESULT(result, "printmessage() failed");
+
+	if (printmemstats) {
+		isc_mem_stats(mctx, stdout);
+	}
+
+	if (dorender) {
+		unsigned char b2[64 * 1024];
+		isc_buffer_t buffer;
+		dns_compress_t cctx;
+
+		isc_buffer_init(&buffer, b2, sizeof(b2));
+
+		/*
+		 * XXXMLG
+		 * Changing this here is a hack, and should not be done in
+		 * reasonable application code, ever.
+		 */
+		message->from_to_wire = DNS_MESSAGE_INTENTRENDER;
+
+		for (i = 0; i < DNS_SECTION_MAX; i++) {
+			message->counts[i] = 0; /* Another hack XXX */
+		}
+
+		result = dns_compress_init(&cctx, -1, mctx);
+		CHECKRESULT(result, "dns_compress_init() failed");
+
+		result = dns_message_renderbegin(message, &cctx, &buffer);
+		CHECKRESULT(result, "dns_message_renderbegin() failed");
+
+		result = dns_message_rendersection(message,
+						   DNS_SECTION_QUESTION, 0);
+		CHECKRESULT(result, "dns_message_rendersection(QUESTION) "
+				    "failed");
+
+		result = dns_message_rendersection(message, DNS_SECTION_ANSWER,
+						   0);
+		CHECKRESULT(result, "dns_message_rendersection(ANSWER) failed");
+
+		result = dns_message_rendersection(message,
+						   DNS_SECTION_AUTHORITY, 0);
+		CHECKRESULT(result, "dns_message_rendersection(AUTHORITY) "
+				    "failed");
+
+		result = dns_message_rendersection(message,
+						   DNS_SECTION_ADDITIONAL, 0);
+		CHECKRESULT(result, "dns_message_rendersection(ADDITIONAL) "
+				    "failed");
+
+		dns_message_renderend(message);
+
+		dns_compress_invalidate(&cctx);
+
+		message->from_to_wire = DNS_MESSAGE_INTENTPARSE;
+		dns_message_detach(&message);
+
+		printf("Message rendered.\n");
+		if (printmemstats) {
+			isc_mem_stats(mctx, stdout);
+		}
+
+		dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &message);
+
+		result = dns_message_parse(message, &buffer, parseflags);
+		CHECKRESULT(result, "dns_message_parse failed");
+
+		result = printmessage(message);
+		CHECKRESULT(result, "printmessage() failed");
+	}
+	dns_message_detach(&message);
+}
diff --git a/bin/tools/Makefile.in b/bin/tools/Makefile.in
new file mode 100644
index 0000000..8c22340
--- /dev/null
+++ b/bin/tools/Makefile.in
@@ -0,0 +1,136 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
+		${BIND9_INCLUDES} \
+		${LMDB_CFLAGS} ${OPENSSL_CFLAGS} \
+		${PROTOBUF_C_CFLAGS} \
+		${MAXMINDDB_CFLAGS} \
+		${LMDB_CFLAGS}
+
+CDEFINES =	-DVERSION=\"${VERSION}\"
+CWARNINGS =
+
+DNSLIBS =	../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+BIND9LIBS =	../../lib/bind9/libbind9.@A@
+ISCLIBS =	../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@
+ISCCFGLIBS = 	../../lib/isccfg/libisccfg.@A@
+
+DNSDEPLIBS =	../../lib/dns/libdns.@A@
+BIND9DEPLIBS =	../../lib/bind9/libbind9.@A@
+ISCDEPLIBS =	../../lib/isc/libisc.@A@
+ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
+
+LIBS =		${ISCLIBS} @LIBS@
+NOSYMLIBS =	${ISCNOSYMLIBS} @LIBS@
+
+SUBDIRS =
+
+DNSTAPTARGETS =	dnstap-read@EXEEXT@
+NZDTARGETS =	named-nzd2nzf@EXEEXT@
+TARGETS =	arpaname@EXEEXT@ named-journalprint@EXEEXT@ \
+		named-rrchecker@EXEEXT@ nsec3hash@EXEEXT@ \
+		mdig@EXEEXT@ \
+		@DNSTAPTARGETS@ @NZDTARGETS@
+
+DNSTAPSRCS  =	dnstap-read.c
+NZDSRCS  =	named-nzd2nzf.c
+SRCS =		arpaname.c named-journalprint.c named-rrchecker.c \
+		nsec3hash.c mdig.c \
+		@DNSTAPSRCS@ @NZDSRCS@
+
+@BIND9_MAKE_RULES@
+
+arpaname@EXEEXT@: arpaname.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
+		-o $@ arpaname.@O@ ${ISCLIBS} ${LIBS}
+
+named-journalprint@EXEEXT@: named-journalprint.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	export BASEOBJS="named-journalprint.@O@"; \
+	export LIBS0="${DNSLIBS}"; \
+	${FINALBUILDCMD}
+
+named-rrchecker@EXEEXT@: named-rrchecker.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	export BASEOBJS="named-rrchecker.@O@"; \
+	export LIBS0="${DNSLIBS}"; \
+	${FINALBUILDCMD}
+
+nsec3hash@EXEEXT@: nsec3hash.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	export BASEOBJS="nsec3hash.@O@"; \
+	export LIBS0="${DNSLIBS}"; \
+	${FINALBUILDCMD}
+
+mdig@EXEEXT@: mdig.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCCFGDEPLIBS}
+	export BASEOBJS="mdig.@O@"; \
+	export LIBS0="${BIND9LIBS} ${ISCCFGLIBS} ${DNSLIBS}"; \
+	${FINALBUILDCMD}
+
+dnstap-read@EXEEXT@: dnstap-read.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	export BASEOBJS="dnstap-read.@O@"; \
+	export LIBS0="${DNSLIBS} ${PROTOBUF_C_LIBS}"; \
+	${FINALBUILDCMD}
+
+named-nzd2nzf@EXEEXT@: named-nzd2nzf.@O@ ${ISCDEPLIBS}
+	export BASEOBJS="named-nzd2nzf.@O@"; \
+	export LIBS0="${LMDB_LIBS}"; \
+	${FINALBUILDCMD}
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir}
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
+
+nzd:
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-nzd2nzf@EXEEXT@ \
+		${DESTDIR}${sbindir}
+
+dnstap:
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} dnstap-read@EXEEXT@ \
+		${DESTDIR}${bindir}
+
+install:: ${TARGETS} installdirs @DNSTAP@ @NZD_TOOLS@
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} arpaname@EXEEXT@ \
+		${DESTDIR}${bindir}
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-journalprint@EXEEXT@ \
+		${DESTDIR}${sbindir}
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-rrchecker@EXEEXT@ \
+		${DESTDIR}${bindir}
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} nsec3hash@EXEEXT@ \
+		${DESTDIR}${sbindir}
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} mdig@EXEEXT@ \
+		${DESTDIR}${bindir}
+
+uninstall::
+	${LIBTOOL_MODE_UNINSTALL} rm -f \
+		${DESTDIR}${bindir}/mdig@EXEEXT@
+	${LIBTOOL_MODE_UNINSTALL} rm -f \
+		${DESTDIR}${sbindir}/nsec3hash@EXEEXT@
+	${LIBTOOL_MODE_UNINSTALL} rm -f \
+		${DESTDIR}${bindir}/named-rrchecker@EXEEXT@
+	${LIBTOOL_MODE_UNINSTALL} rm -f \
+		${DESTDIR}${sbindir}/named-journalprint@EXEEXT@
+	${LIBTOOL_MODE_UNINSTALL} rm -f \
+		${DESTDIR}${bindir}/arpaname@EXEEXT@
+	${LIBTOOL_MODE_UNINSTALL} rm -f \
+		${DESTDIR}${bindir}/dnstap-read@EXEEXT@
+	${LIBTOOL_MODE_UNINSTALL} rm -f \
+		${DESTDIR}${sbindir}/named-nzd2nzf@EXEEXT@
+
+clean distclean::
+	rm -f ${TARGETS}
diff --git a/bin/tools/arpaname.c b/bin/tools/arpaname.c
new file mode 100644
index 0000000..cfbe187
--- /dev/null
+++ b/bin/tools/arpaname.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stdio.h>
+
+#include <isc/net.h>
+#include <isc/print.h>
+
+#define UNUSED(x) (void)(x)
+
+int
+main(int argc, char *argv[]) {
+	unsigned char buf[16];
+	int i;
+
+	UNUSED(argc);
+
+	while (argv[1]) {
+		if (inet_pton(AF_INET6, argv[1], buf) == 1) {
+			for (i = 15; i >= 0; i--) {
+				fprintf(stdout, "%X.%X.", buf[i] & 0xf,
+					(buf[i] >> 4) & 0xf);
+			}
+			fprintf(stdout, "IP6.ARPA\n");
+			argv++;
+			continue;
+		}
+		if (inet_pton(AF_INET, argv[1], buf) == 1) {
+			fprintf(stdout, "%u.%u.%u.%u.IN-ADDR.ARPA\n", buf[3],
+				buf[2], buf[1], buf[0]);
+			argv++;
+			continue;
+		}
+		return (1);
+	}
+	fflush(stdout);
+	return (ferror(stdout));
+}
diff --git a/bin/tools/arpaname.rst b/bin/tools/arpaname.rst
new file mode 100644
index 0000000..c932f6e
--- /dev/null
+++ b/bin/tools/arpaname.rst
@@ -0,0 +1,33 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. highlight: console
+
+.. _man_arpaname:
+
+arpaname - translate IP addresses to the corresponding ARPA names
+-----------------------------------------------------------------
+
+Synopsis
+~~~~~~~~
+
+:program:`arpaname` {*ipaddress* ...}
+
+Description
+~~~~~~~~~~~
+
+``arpaname`` translates IP addresses (IPv4 and IPv6) to the
+corresponding IN-ADDR.ARPA or IP6.ARPA names.
+
+See Also
+~~~~~~~~
+
+BIND 9 Administrator Reference Manual.
diff --git a/bin/tools/dnstap-read.c b/bin/tools/dnstap-read.c
new file mode 100644
index 0000000..50985d4
--- /dev/null
+++ b/bin/tools/dnstap-read.c
@@ -0,0 +1,429 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Portions of this code were adapted from dnstap-ldns:
+ *
+ * Copyright (c) 2014 by Farsight Security, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <protobuf-c/protobuf-c.h>
+
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/hex.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/dnstap.h>
+#include <dns/fixedname.h>
+#include <dns/masterdump.h>
+#include <dns/message.h>
+#include <dns/name.h>
+#include <dns/result.h>
+
+#include "lib/dns/dnstap.pb-c.h"
+
+isc_mem_t *mctx = NULL;
+bool memrecord = false;
+bool printmessage = false;
+bool hexmessage = false;
+bool yaml = false;
+
+const char *program = "dnstap-read";
+
+#define CHECKM(op, msg)                                               \
+	do {                                                          \
+		result = (op);                                        \
+		if (result != ISC_R_SUCCESS) {                        \
+			fprintf(stderr, "%s: %s: %s\n", program, msg, \
+				isc_result_totext(result));           \
+			goto cleanup;                                 \
+		}                                                     \
+	} while (0)
+
+ISC_PLATFORM_NORETURN_PRE static void
+fatal(const char *format, ...) ISC_PLATFORM_NORETURN_POST;
+
+static void
+fatal(const char *format, ...) {
+	va_list args;
+
+	fprintf(stderr, "%s: fatal: ", program);
+	va_start(args, format);
+	vfprintf(stderr, format, args);
+	va_end(args);
+	fprintf(stderr, "\n");
+	exit(1);
+}
+
+static void
+usage(void) {
+	fprintf(stderr, "dnstap-read [-mpxy] [filename]\n");
+	fprintf(stderr, "\t-m\ttrace memory allocations\n");
+	fprintf(stderr, "\t-p\tprint the full DNS message\n");
+	fprintf(stderr, "\t-x\tuse hex format to print DNS message\n");
+	fprintf(stderr, "\t-y\tprint YAML format (implies -p)\n");
+}
+
+static void
+print_dtdata(dns_dtdata_t *dt) {
+	isc_result_t result;
+	isc_buffer_t *b = NULL;
+
+	isc_buffer_allocate(mctx, &b, 2048);
+	if (b == NULL) {
+		fatal("out of memory");
+	}
+
+	CHECKM(dns_dt_datatotext(dt, &b), "dns_dt_datatotext");
+	printf("%.*s\n", (int)isc_buffer_usedlength(b),
+	       (char *)isc_buffer_base(b));
+
+cleanup:
+	if (b != NULL) {
+		isc_buffer_free(&b);
+	}
+}
+
+static void
+print_hex(dns_dtdata_t *dt) {
+	isc_buffer_t *b = NULL;
+	isc_result_t result;
+	size_t textlen;
+
+	if (dt->msg == NULL) {
+		return;
+	}
+
+	textlen = (dt->msgdata.length * 2) + 1;
+	isc_buffer_allocate(mctx, &b, textlen);
+	if (b == NULL) {
+		fatal("out of memory");
+	}
+
+	result = isc_hex_totext(&dt->msgdata, 0, "", b);
+	CHECKM(result, "isc_hex_totext");
+
+	printf("%.*s\n", (int)isc_buffer_usedlength(b),
+	       (char *)isc_buffer_base(b));
+
+cleanup:
+	if (b != NULL) {
+		isc_buffer_free(&b);
+	}
+}
+
+static void
+print_packet(dns_dtdata_t *dt, const dns_master_style_t *style) {
+	isc_buffer_t *b = NULL;
+	isc_result_t result;
+
+	if (dt->msg != NULL) {
+		size_t textlen = 2048;
+
+		isc_buffer_allocate(mctx, &b, textlen);
+		if (b == NULL) {
+			fatal("out of memory");
+		}
+
+		for (;;) {
+			isc_buffer_reserve(&b, textlen);
+			if (b == NULL) {
+				fatal("out of memory");
+			}
+
+			result = dns_message_totext(dt->msg, style, 0, b);
+			if (result == ISC_R_NOSPACE) {
+				isc_buffer_clear(b);
+				textlen *= 2;
+				continue;
+			} else if (result == ISC_R_SUCCESS) {
+				printf("%.*s", (int)isc_buffer_usedlength(b),
+				       (char *)isc_buffer_base(b));
+				isc_buffer_free(&b);
+			} else {
+				isc_buffer_free(&b);
+				CHECKM(result, "dns_message_totext");
+			}
+			break;
+		}
+	}
+
+cleanup:
+	if (b != NULL) {
+		isc_buffer_free(&b);
+	}
+}
+
+static void
+print_yaml(dns_dtdata_t *dt) {
+	Dnstap__Dnstap *frame = dt->frame;
+	Dnstap__Message *m = frame->message;
+	const ProtobufCEnumValue *ftype, *mtype;
+	static bool first = true;
+
+	ftype = protobuf_c_enum_descriptor_get_value(
+		&dnstap__dnstap__type__descriptor, frame->type);
+	if (ftype == NULL) {
+		return;
+	}
+
+	if (!first) {
+		printf("---\n");
+	} else {
+		first = false;
+	}
+
+	printf("type: %s\n", ftype->name);
+
+	if (frame->has_identity) {
+		printf("identity: %.*s\n", (int)frame->identity.len,
+		       frame->identity.data);
+	}
+
+	if (frame->has_version) {
+		printf("version: %.*s\n", (int)frame->version.len,
+		       frame->version.data);
+	}
+
+	if (frame->type != DNSTAP__DNSTAP__TYPE__MESSAGE) {
+		return;
+	}
+
+	printf("message:\n");
+
+	mtype = protobuf_c_enum_descriptor_get_value(
+		&dnstap__message__type__descriptor, m->type);
+	if (mtype == NULL) {
+		return;
+	}
+
+	printf("  type: %s\n", mtype->name);
+
+	if (!isc_time_isepoch(&dt->qtime)) {
+		char buf[100];
+		isc_time_formatISO8601(&dt->qtime, buf, sizeof(buf));
+		printf("  query_time: !!timestamp %s\n", buf);
+	}
+
+	if (!isc_time_isepoch(&dt->rtime)) {
+		char buf[100];
+		isc_time_formatISO8601(&dt->rtime, buf, sizeof(buf));
+		printf("  response_time: !!timestamp %s\n", buf);
+	}
+
+	if (dt->msgdata.base != NULL) {
+		printf("  message_size: %zub\n", (size_t)dt->msgdata.length);
+	} else {
+		printf("  message_size: 0b\n");
+	}
+
+	if (m->has_socket_family) {
+		const ProtobufCEnumValue *type =
+			protobuf_c_enum_descriptor_get_value(
+				&dnstap__socket_family__descriptor,
+				m->socket_family);
+		if (type != NULL) {
+			printf("  socket_family: %s\n", type->name);
+		}
+	}
+
+	printf("  socket_protocol: %s\n", dt->tcp ? "TCP" : "UDP");
+
+	if (m->has_query_address) {
+		ProtobufCBinaryData *ip = &m->query_address;
+		char buf[100];
+
+		(void)inet_ntop(ip->len == 4 ? AF_INET : AF_INET6, ip->data,
+				buf, sizeof(buf));
+		printf("  query_address: \"%s\"\n", buf);
+	}
+
+	if (m->has_response_address) {
+		ProtobufCBinaryData *ip = &m->response_address;
+		char buf[100];
+
+		(void)inet_ntop(ip->len == 4 ? AF_INET : AF_INET6, ip->data,
+				buf, sizeof(buf));
+		printf("  response_address: \"%s\"\n", buf);
+	}
+
+	if (m->has_query_port) {
+		printf("  query_port: %u\n", m->query_port);
+	}
+
+	if (m->has_response_port) {
+		printf("  response_port: %u\n", m->response_port);
+	}
+
+	if (m->has_query_zone) {
+		isc_result_t result;
+		dns_fixedname_t fn;
+		dns_name_t *name;
+		isc_buffer_t b;
+		dns_decompress_t dctx;
+
+		name = dns_fixedname_initname(&fn);
+
+		isc_buffer_init(&b, m->query_zone.data, m->query_zone.len);
+		isc_buffer_add(&b, m->query_zone.len);
+
+		dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_NONE);
+		result = dns_name_fromwire(name, &b, &dctx, 0, NULL);
+		if (result == ISC_R_SUCCESS) {
+			printf("  query_zone: ");
+			dns_name_print(name, stdout);
+			printf("\n");
+		}
+	}
+
+	if (dt->msg != NULL) {
+		dt->msg->indent.count = 2;
+		dt->msg->indent.string = "  ";
+		printf("  %s:\n", ((dt->type & DNS_DTTYPE_QUERY) != 0)
+					  ? "query_message_data"
+					  : "response_message_data");
+
+		print_packet(dt, &dns_master_style_yaml);
+
+		printf("  %s: |\n", ((dt->type & DNS_DTTYPE_QUERY) != 0)
+					    ? "query_message"
+					    : "response_message");
+		print_packet(dt, &dns_master_style_indent);
+	}
+}
+
+int
+main(int argc, char *argv[]) {
+	isc_result_t result;
+	dns_message_t *message = NULL;
+	isc_buffer_t *b = NULL;
+	dns_dtdata_t *dt = NULL;
+	dns_dthandle_t *handle = NULL;
+	int rv = 0, ch;
+
+	while ((ch = isc_commandline_parse(argc, argv, "mpxy")) != -1) {
+		switch (ch) {
+		case 'm':
+			isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
+			memrecord = true;
+			break;
+		case 'p':
+			printmessage = true;
+			break;
+		case 'x':
+			hexmessage = true;
+			break;
+		case 'y':
+			yaml = true;
+			break;
+		default:
+			usage();
+			exit(1);
+		}
+	}
+
+	argc -= isc_commandline_index;
+	argv += isc_commandline_index;
+
+	if (argc < 1) {
+		fatal("no file specified");
+	}
+
+	isc_mem_create(&mctx);
+
+	dns_result_register();
+
+	CHECKM(dns_dt_open(argv[0], dns_dtmode_file, mctx, &handle),
+	       "dns_dt_openfile");
+
+	for (;;) {
+		isc_region_t input;
+		uint8_t *data;
+		size_t datalen;
+
+		result = dns_dt_getframe(handle, &data, &datalen);
+		if (result == ISC_R_NOMORE) {
+			break;
+		} else {
+			CHECKM(result, "dns_dt_getframe");
+		}
+
+		input.base = data;
+		input.length = datalen;
+
+		if (b != NULL) {
+			isc_buffer_free(&b);
+		}
+		isc_buffer_allocate(mctx, &b, 2048);
+		if (b == NULL) {
+			fatal("out of memory");
+		}
+
+		result = dns_dt_parse(mctx, &input, &dt);
+		if (result != ISC_R_SUCCESS) {
+			isc_buffer_free(&b);
+			continue;
+		}
+
+		if (yaml) {
+			print_yaml(dt);
+		} else if (hexmessage) {
+			print_dtdata(dt);
+			print_hex(dt);
+		} else if (printmessage) {
+			print_dtdata(dt);
+			print_packet(dt, &dns_master_style_debug);
+		} else {
+			print_dtdata(dt);
+		}
+
+		dns_dtdata_free(&dt);
+	}
+
+cleanup:
+	if (dt != NULL) {
+		dns_dtdata_free(&dt);
+	}
+	if (handle != NULL) {
+		dns_dt_close(&handle);
+	}
+	if (message != NULL) {
+		dns_message_detach(&message);
+	}
+	if (b != NULL) {
+		isc_buffer_free(&b);
+	}
+	isc_mem_destroy(&mctx);
+
+	exit(rv);
+}
diff --git a/bin/tools/dnstap-read.rst b/bin/tools/dnstap-read.rst
new file mode 100644
index 0000000..104c05f
--- /dev/null
+++ b/bin/tools/dnstap-read.rst
@@ -0,0 +1,52 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. highlight: console
+
+.. _man_dnstap-read:
+
+dnstap-read - print dnstap data in human-readable form
+------------------------------------------------------
+
+Synopsis
+~~~~~~~~
+
+:program:`dnstap-read` [**-m**] [**-p**] [**-x**] [**-y**] {file}
+
+Description
+~~~~~~~~~~~
+
+``dnstap-read`` reads ``dnstap`` data from a specified file and prints
+it in a human-readable format. By default, ``dnstap`` data is printed in
+a short summary format, but if the ``-y`` option is specified, a
+longer and more detailed YAML format is used.
+
+Options
+~~~~~~~
+
+``-m``
+   This option indicates trace memory allocations, and is used for debugging memory leaks.
+
+``-p``
+   This option prints the text form of the DNS
+   message that was encapsulated in the ``dnstap`` frame, after printing the ``dnstap`` data.
+
+``-x``
+   This option prints a hex dump of the wire form
+   of the DNS message that was encapsulated in the ``dnstap`` frame, after printing the ``dnstap`` data.
+
+``-y``
+   This option prints ``dnstap`` data in a detailed YAML format.
+
+See Also
+~~~~~~~~
+
+:manpage:`named(8)`, :manpage:`rndc(8)`, BIND 9 Administrator Reference Manual.
diff --git a/bin/tools/mdig.c b/bin/tools/mdig.c
new file mode 100644
index 0000000..5da9d89
--- /dev/null
+++ b/bin/tools/mdig.c
@@ -0,0 +1,2285 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <isc/app.h>
+#include <isc/base64.h>
+#include <isc/hash.h>
+#include <isc/hex.h>
+#include <isc/log.h>
+#include <isc/managers.h>
+#include <isc/mem.h>
+#include <isc/net.h>
+#include <isc/nonce.h>
+#include <isc/parseint.h>
+#include <isc/portset.h>
+#include <isc/print.h>
+#include <isc/random.h>
+#include <isc/sockaddr.h>
+#include <isc/socket.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/byaddr.h>
+#include <dns/dispatch.h>
+#include <dns/events.h>
+#include <dns/fixedname.h>
+#include <dns/message.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdataset.h>
+#include <dns/rdatatype.h>
+#include <dns/request.h>
+#include <dns/resolver.h>
+#include <dns/result.h>
+#include <dns/types.h>
+#include <dns/view.h>
+
+#include <dst/result.h>
+
+#include <bind9/getaddresses.h>
+
+#define CHECK(str, x)                                                       \
+	{                                                                   \
+		if ((x) != ISC_R_SUCCESS) {                                 \
+			fprintf(stderr, "mdig: %s failed with %s\n", (str), \
+				isc_result_totext(x));                      \
+			exit(-1);                                           \
+		}                                                           \
+	}
+
+#define RUNCHECK(x) RUNTIME_CHECK((x) == ISC_R_SUCCESS)
+
+#define ADD_STRING(b, s)                                        \
+	{                                                       \
+		if (strlen(s) >= isc_buffer_availablelength(b)) \
+			return ((ISC_R_NOSPACE));               \
+		else                                            \
+			isc_buffer_putstr(b, s);                \
+	}
+
+#define MXNAME	   (DNS_NAME_MAXTEXT + 1)
+#define COMMSIZE   0xffff
+#define OUTPUTBUF  32767
+#define MAXPORT	   0xffff
+#define PORT	   53
+#define MAXTIMEOUT 0xffff
+#define TCPTIMEOUT 10
+#define UDPTIMEOUT 5
+#define MAXTRIES   0xffffffff
+
+#define NS_PER_US  1000	   /*%< Nanoseconds per microsecond. */
+#define US_PER_SEC 1000000 /*%< Microseconds per second. */
+#define US_PER_MS  1000	   /*%< Microseconds per millisecond. */
+
+static isc_mem_t *mctx = NULL;
+static dns_requestmgr_t *requestmgr = NULL;
+static const char *batchname = NULL;
+static FILE *batchfp = NULL;
+static bool burst = false;
+static bool have_ipv4 = false;
+static bool have_ipv6 = false;
+static bool have_src = false;
+static bool tcp_mode = false;
+static bool besteffort = true;
+static bool display_short_form = false;
+static bool display_headers = true;
+static bool display_comments = true;
+static int display_rrcomments = 0;
+static bool display_ttlunits = true;
+static bool display_ttl = true;
+static bool display_class = true;
+static bool display_crypto = true;
+static bool display_multiline = false;
+static bool display_question = true;
+static bool display_answer = true;
+static bool display_authority = true;
+static bool display_additional = true;
+static bool display_unknown_format = false;
+static bool yaml = false;
+static bool continue_on_error = false;
+static uint32_t display_splitwidth = 0xffffffff;
+static isc_sockaddr_t srcaddr;
+static char *server = NULL;
+static isc_sockaddr_t dstaddr;
+static in_port_t port = 53;
+static isc_dscp_t dscp = -1;
+static unsigned char cookie_secret[33];
+static int onfly = 0;
+static char hexcookie[81];
+
+struct query {
+	char textname[MXNAME]; /*% Name we're going to be
+				* looking up */
+	bool recurse;
+	bool have_aaonly;
+	bool have_adflag;
+	bool have_cdflag;
+	bool have_zflag;
+	bool dnssec;
+	bool expire;
+	bool send_cookie;
+	char *cookie;
+	bool nsid;
+	dns_rdatatype_t rdtype;
+	dns_rdataclass_t rdclass;
+	uint16_t udpsize;
+	int16_t edns;
+	dns_ednsopt_t *ednsopts;
+	unsigned int ednsoptscnt;
+	unsigned int ednsflags;
+	isc_sockaddr_t *ecs_addr;
+	unsigned int timeout;
+	unsigned int udptimeout;
+	unsigned int udpretries;
+	ISC_LINK(struct query) link;
+};
+static struct query default_query;
+static ISC_LIST(struct query) queries;
+
+#define EDNSOPTS 100U
+/*% opcode text */
+static const char *const opcodetext[] = {
+	"QUERY",      "IQUERY",	    "STATUS",	  "RESERVED3",
+	"NOTIFY",     "UPDATE",	    "RESERVED6",  "RESERVED7",
+	"RESERVED8",  "RESERVED9",  "RESERVED10", "RESERVED11",
+	"RESERVED12", "RESERVED13", "RESERVED14", "RESERVED15"
+};
+
+/*% return code text */
+static const char *const rcodetext[] = {
+	"NOERROR",    "FORMERR",    "SERVFAIL",	  "NXDOMAIN",	"NOTIMP",
+	"REFUSED",    "YXDOMAIN",   "YXRRSET",	  "NXRRSET",	"NOTAUTH",
+	"NOTZONE",    "RESERVED11", "RESERVED12", "RESERVED13", "RESERVED14",
+	"RESERVED15", "BADVERS"
+};
+
+/*% safe rcodetext[] */
+static char *
+rcode_totext(dns_rcode_t rcode) {
+	static char buf[sizeof("?65535")];
+	union {
+		const char *consttext;
+		char *deconsttext;
+	} totext;
+
+	if (rcode >= (sizeof(rcodetext) / sizeof(rcodetext[0]))) {
+		snprintf(buf, sizeof(buf), "?%u", rcode);
+		totext.deconsttext = buf;
+	} else {
+		totext.consttext = rcodetext[rcode];
+	}
+	return (totext.deconsttext);
+}
+
+/* receive response event handler */
+static void
+recvresponse(isc_task_t *task, isc_event_t *event) {
+	dns_requestevent_t *reqev = (dns_requestevent_t *)event;
+	isc_result_t result;
+	dns_message_t *query = NULL, *response = NULL;
+	unsigned int parseflags = 0;
+	isc_buffer_t *msgbuf = NULL, *buf = NULL;
+	unsigned int len = OUTPUTBUF;
+	dns_master_style_t *style = NULL;
+	unsigned int styleflags = 0;
+	dns_messagetextflag_t flags;
+
+	UNUSED(task);
+
+	REQUIRE(reqev != NULL);
+	query = reqev->ev_arg;
+
+	if (reqev->result != ISC_R_SUCCESS) {
+		fprintf(stderr, "response failed with %s\n",
+			isc_result_totext(reqev->result));
+		if (continue_on_error) {
+			goto cleanup;
+		} else {
+			exit(-1);
+		}
+	}
+
+	dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &response);
+
+	parseflags |= DNS_MESSAGEPARSE_PRESERVEORDER;
+	if (besteffort) {
+		parseflags |= DNS_MESSAGEPARSE_BESTEFFORT;
+		parseflags |= DNS_MESSAGEPARSE_IGNORETRUNCATION;
+	}
+
+	msgbuf = dns_request_getanswer(reqev->request);
+	result = dns_request_getresponse(reqev->request, response, parseflags);
+	CHECK("dns_request_getresponse", result);
+
+	styleflags |= DNS_STYLEFLAG_REL_OWNER;
+	if (yaml) {
+		styleflags |= DNS_STYLEFLAG_YAML;
+		response->indent.string = "  ";
+		response->indent.count = 3;
+	} else {
+		if (display_comments) {
+			styleflags |= DNS_STYLEFLAG_COMMENT;
+		}
+		if (display_unknown_format) {
+			styleflags |= DNS_STYLEFLAG_UNKNOWNFORMAT;
+		}
+		if (display_rrcomments > 0) {
+			styleflags |= DNS_STYLEFLAG_RRCOMMENT;
+		}
+		if (display_ttlunits) {
+			styleflags |= DNS_STYLEFLAG_TTL_UNITS;
+		}
+		if (!display_ttl) {
+			styleflags |= DNS_STYLEFLAG_NO_TTL;
+		}
+		if (!display_class) {
+			styleflags |= DNS_STYLEFLAG_NO_CLASS;
+		}
+		if (!display_crypto) {
+			styleflags |= DNS_STYLEFLAG_NOCRYPTO;
+		}
+		if (display_multiline) {
+			styleflags |= DNS_STYLEFLAG_OMIT_OWNER;
+			styleflags |= DNS_STYLEFLAG_OMIT_CLASS;
+			styleflags |= DNS_STYLEFLAG_REL_DATA;
+			styleflags |= DNS_STYLEFLAG_OMIT_TTL;
+			styleflags |= DNS_STYLEFLAG_TTL;
+			styleflags |= DNS_STYLEFLAG_MULTILINE;
+			styleflags |= DNS_STYLEFLAG_COMMENT;
+			/* Turn on rrcomments unless explicitly disabled */
+			if (display_rrcomments >= 0) {
+				styleflags |= DNS_STYLEFLAG_RRCOMMENT;
+			}
+		}
+	}
+	if (display_multiline || (!display_ttl && !display_class)) {
+		result = dns_master_stylecreate(&style, styleflags, 24, 24, 24,
+						32, 80, 8, display_splitwidth,
+						mctx);
+	} else if (!display_ttl || !display_class) {
+		result = dns_master_stylecreate(&style, styleflags, 24, 24, 32,
+						40, 80, 8, display_splitwidth,
+						mctx);
+	} else {
+		result = dns_master_stylecreate(&style, styleflags, 24, 32, 40,
+						48, 80, 8, display_splitwidth,
+						mctx);
+	}
+	CHECK("dns_master_stylecreate2", result);
+
+	flags = 0;
+	if (!display_headers) {
+		flags |= DNS_MESSAGETEXTFLAG_NOHEADERS;
+		flags |= DNS_MESSAGETEXTFLAG_NOCOMMENTS;
+	}
+	if (!display_comments) {
+		flags |= DNS_MESSAGETEXTFLAG_NOCOMMENTS;
+	}
+
+	isc_buffer_allocate(mctx, &buf, len);
+
+	if (yaml) {
+		char sockstr[ISC_SOCKADDR_FORMATSIZE];
+		uint16_t sport;
+		char *hash;
+		int pf;
+
+		printf("-\n");
+		printf("  type: MESSAGE\n");
+		printf("  message:\n");
+
+		if (((response->flags & DNS_MESSAGEFLAG_RD) != 0) &&
+		    ((response->flags & DNS_MESSAGEFLAG_RA) != 0))
+		{
+			printf("    type: RECURSIVE_RESPONSE\n");
+		} else {
+			printf("    type: AUTH_RESPONSE\n");
+		}
+
+		printf("    message_size: %ub\n",
+		       isc_buffer_usedlength(msgbuf));
+
+		pf = isc_sockaddr_pf(&dstaddr);
+		if (pf == PF_INET || pf == PF_INET6) {
+			printf("    socket_family: %s\n",
+			       pf == PF_INET ? "INET" : "INET6");
+
+			printf("    socket_protocol: %s\n",
+			       tcp_mode ? "TCP" : "UDP");
+
+			sport = isc_sockaddr_getport(&dstaddr);
+			isc_sockaddr_format(&dstaddr, sockstr, sizeof(sockstr));
+			hash = strchr(sockstr, '#');
+			if (hash != NULL) {
+				*hash = '\0';
+			}
+			printf("    response_address: \"%s\"\n", sockstr);
+			printf("    response_port: %u\n", sport);
+		}
+
+		if (have_src) {
+			sport = isc_sockaddr_getport(&srcaddr);
+			isc_sockaddr_format(&srcaddr, sockstr, sizeof(sockstr));
+			hash = strchr(sockstr, '#');
+			if (hash != NULL) {
+				*hash = '\0';
+			}
+			printf("    query_address: \"%s\"\n", sockstr);
+			printf("    query_port: %u\n", sport);
+		}
+
+		printf("    %s:\n", "response_message_data");
+		result = dns_message_headertotext(response, style, flags, buf);
+		CHECK("dns_message_headertotext", result);
+	} else if (display_comments && !display_short_form) {
+		printf(";; Got answer:\n");
+
+		if (display_headers) {
+			printf(";; ->>HEADER<<- opcode: %s, status: %s, "
+			       "id: %u\n",
+			       opcodetext[response->opcode],
+			       rcode_totext(response->rcode), response->id);
+			printf(";; flags:");
+			if ((response->flags & DNS_MESSAGEFLAG_QR) != 0) {
+				printf(" qr");
+			}
+			if ((response->flags & DNS_MESSAGEFLAG_AA) != 0) {
+				printf(" aa");
+			}
+			if ((response->flags & DNS_MESSAGEFLAG_TC) != 0) {
+				printf(" tc");
+			}
+			if ((response->flags & DNS_MESSAGEFLAG_RD) != 0) {
+				printf(" rd");
+			}
+			if ((response->flags & DNS_MESSAGEFLAG_RA) != 0) {
+				printf(" ra");
+			}
+			if ((response->flags & DNS_MESSAGEFLAG_AD) != 0) {
+				printf(" ad");
+			}
+			if ((response->flags & DNS_MESSAGEFLAG_CD) != 0) {
+				printf(" cd");
+			}
+			if ((response->flags & 0x0040U) != 0) {
+				printf("; MBZ: 0x4");
+			}
+
+			printf("; QUERY: %u, ANSWER: %u, "
+			       "AUTHORITY: %u, ADDITIONAL: %u\n",
+			       response->counts[DNS_SECTION_QUESTION],
+			       response->counts[DNS_SECTION_ANSWER],
+			       response->counts[DNS_SECTION_AUTHORITY],
+			       response->counts[DNS_SECTION_ADDITIONAL]);
+
+			if ((response->flags & DNS_MESSAGEFLAG_RD) != 0 &&
+			    (response->flags & DNS_MESSAGEFLAG_RA) == 0)
+			{
+				printf(";; WARNING: recursion requested "
+				       "but not available\n");
+			}
+		}
+	}
+
+repopulate_buffer:
+
+	if (display_comments && display_headers && !display_short_form) {
+		result = dns_message_pseudosectiontotext(
+			response, DNS_PSEUDOSECTION_OPT, style, flags, buf);
+		if (result == ISC_R_NOSPACE) {
+		buftoosmall:
+			len += OUTPUTBUF;
+			isc_buffer_free(&buf);
+			isc_buffer_allocate(mctx, &buf, len);
+			goto repopulate_buffer;
+		}
+		CHECK("dns_message_pseudosectiontotext", result);
+	}
+
+	if (display_question && display_headers && !display_short_form) {
+		result = dns_message_sectiontotext(
+			response, DNS_SECTION_QUESTION, style, flags, buf);
+		if (result == ISC_R_NOSPACE) {
+			goto buftoosmall;
+		}
+		CHECK("dns_message_sectiontotext", result);
+	}
+
+	if (display_answer && !display_short_form) {
+		result = dns_message_sectiontotext(response, DNS_SECTION_ANSWER,
+						   style, flags, buf);
+		if (result == ISC_R_NOSPACE) {
+			goto buftoosmall;
+		}
+		CHECK("dns_message_sectiontotext", result);
+	} else if (display_answer) {
+		dns_name_t *name;
+		dns_rdataset_t *rdataset;
+		isc_result_t loopresult;
+		dns_name_t empty_name;
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		unsigned int answerstyleflags = 0;
+
+		if (!display_crypto) {
+			answerstyleflags |= DNS_STYLEFLAG_NOCRYPTO;
+		}
+		if (display_unknown_format) {
+			answerstyleflags |= DNS_STYLEFLAG_UNKNOWNFORMAT;
+		}
+
+		dns_name_init(&empty_name, NULL);
+		result = dns_message_firstname(response, DNS_SECTION_ANSWER);
+		if (result != ISC_R_NOMORE) {
+			CHECK("dns_message_firstname", result);
+		}
+
+		for (;;) {
+			if (result == ISC_R_NOMORE) {
+				break;
+			}
+			CHECK("dns_message_nextname", result);
+			name = NULL;
+			dns_message_currentname(response, DNS_SECTION_ANSWER,
+						&name);
+
+			for (rdataset = ISC_LIST_HEAD(name->list);
+			     rdataset != NULL;
+			     rdataset = ISC_LIST_NEXT(rdataset, link))
+			{
+				loopresult = dns_rdataset_first(rdataset);
+				while (loopresult == ISC_R_SUCCESS) {
+					dns_rdataset_current(rdataset, &rdata);
+					result = dns_rdata_tofmttext(
+						&rdata, NULL, answerstyleflags,
+						0, 60, " ", buf);
+					if (result == ISC_R_NOSPACE) {
+						goto buftoosmall;
+					}
+					CHECK("dns_rdata_tofmttext", result);
+					loopresult =
+						dns_rdataset_next(rdataset);
+					dns_rdata_reset(&rdata);
+					if (strlen("\n") >=
+					    isc_buffer_availablelength(buf))
+					{
+						goto buftoosmall;
+					}
+					isc_buffer_putstr(buf, "\n");
+				}
+			}
+			result = dns_message_nextname(response,
+						      DNS_SECTION_ANSWER);
+		}
+	}
+
+	if (display_authority && !display_short_form) {
+		result = dns_message_sectiontotext(
+			response, DNS_SECTION_AUTHORITY, style, flags, buf);
+		if (result == ISC_R_NOSPACE) {
+			goto buftoosmall;
+		}
+		CHECK("dns_message_sectiontotext", result);
+	}
+
+	if (display_additional && !display_short_form) {
+		result = dns_message_sectiontotext(
+			response, DNS_SECTION_ADDITIONAL, style, flags, buf);
+		if (result == ISC_R_NOSPACE) {
+			goto buftoosmall;
+		}
+		CHECK("dns_message_sectiontotext", result);
+	}
+
+	if (display_additional && !display_short_form && display_headers) {
+		/*
+		 * Only print the signature on the first record.
+		 */
+		result = dns_message_pseudosectiontotext(
+			response, DNS_PSEUDOSECTION_TSIG, style, flags, buf);
+		if (result == ISC_R_NOSPACE) {
+			goto buftoosmall;
+		}
+		CHECK("dns_message_pseudosectiontotext", result);
+		result = dns_message_pseudosectiontotext(
+			response, DNS_PSEUDOSECTION_SIG0, style, flags, buf);
+		if (result == ISC_R_NOSPACE) {
+			goto buftoosmall;
+		}
+		CHECK("dns_message_pseudosectiontotext", result);
+	}
+
+	if (display_headers && display_comments && !display_short_form && !yaml)
+	{
+		printf("\n");
+	}
+
+	printf("%.*s", (int)isc_buffer_usedlength(buf),
+	       (char *)isc_buffer_base(buf));
+	isc_buffer_free(&buf);
+
+cleanup:
+	fflush(stdout);
+	if (style != NULL) {
+		dns_master_styledestroy(&style, mctx);
+	}
+	if (query != NULL) {
+		dns_message_detach(&query);
+	}
+	if (response != NULL) {
+		dns_message_detach(&response);
+	}
+	dns_request_destroy(&reqev->request);
+	isc_event_free(&event);
+
+	if (--onfly == 0) {
+		isc_app_shutdown();
+	}
+	return;
+}
+
+/*%
+ * Add EDNS0 option record to a message.  Currently, the only supported
+ * options are UDP buffer size, the DO bit, and EDNS options
+ * (e.g., NSID, COOKIE, client-subnet)
+ */
+static void
+add_opt(dns_message_t *msg, uint16_t udpsize, uint16_t edns, unsigned int flags,
+	dns_ednsopt_t *opts, size_t count) {
+	dns_rdataset_t *rdataset = NULL;
+	isc_result_t result;
+
+	result = dns_message_buildopt(msg, &rdataset, edns, udpsize, flags,
+				      opts, count);
+	CHECK("dns_message_buildopt", result);
+	result = dns_message_setopt(msg, rdataset);
+	CHECK("dns_message_setopt", result);
+}
+
+static void
+compute_cookie(unsigned char *cookie, size_t len) {
+	/* XXXMPA need to fix, should be per server. */
+	INSIST(len >= 8U);
+	memmove(cookie, cookie_secret, 8);
+}
+
+static isc_result_t
+sendquery(struct query *query, isc_task_t *task) {
+	dns_request_t *request = NULL;
+	dns_message_t *message = NULL;
+	dns_name_t *qname = NULL;
+	dns_rdataset_t *qrdataset = NULL;
+	isc_result_t result;
+	dns_fixedname_t queryname;
+	isc_buffer_t buf;
+	unsigned int options;
+
+	onfly++;
+
+	dns_fixedname_init(&queryname);
+	isc_buffer_init(&buf, query->textname, strlen(query->textname));
+	isc_buffer_add(&buf, strlen(query->textname));
+	result = dns_name_fromtext(dns_fixedname_name(&queryname), &buf,
+				   dns_rootname, 0, NULL);
+	CHECK("dns_name_fromtext", result);
+
+	dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &message);
+
+	message->opcode = dns_opcode_query;
+	if (query->recurse) {
+		message->flags |= DNS_MESSAGEFLAG_RD;
+	}
+	if (query->have_aaonly) {
+		message->flags |= DNS_MESSAGEFLAG_AA;
+	}
+	if (query->have_adflag) {
+		message->flags |= DNS_MESSAGEFLAG_AD;
+	}
+	if (query->have_cdflag) {
+		message->flags |= DNS_MESSAGEFLAG_CD;
+	}
+	if (query->have_zflag) {
+		message->flags |= 0x0040U;
+	}
+	message->rdclass = query->rdclass;
+	message->id = (unsigned short)(random() & 0xFFFF);
+
+	result = dns_message_gettempname(message, &qname);
+	CHECK("dns_message_gettempname", result);
+
+	result = dns_message_gettemprdataset(message, &qrdataset);
+	CHECK("dns_message_gettemprdataset", result);
+
+	dns_name_clone(dns_fixedname_name(&queryname), qname);
+	dns_rdataset_makequestion(qrdataset, query->rdclass, query->rdtype);
+	ISC_LIST_APPEND(qname->list, qrdataset, link);
+	dns_message_addname(message, qname, DNS_SECTION_QUESTION);
+
+	if (query->udpsize > 0 || query->dnssec || query->edns > -1 ||
+	    query->ecs_addr != NULL)
+	{
+		dns_ednsopt_t opts[EDNSOPTS + DNS_EDNSOPTIONS];
+		unsigned int flags;
+		int i = 0;
+		char ecsbuf[20];
+		unsigned char cookie[40];
+
+		if (query->udpsize == 0) {
+			query->udpsize = 4096;
+		}
+		if (query->edns < 0) {
+			query->edns = 0;
+		}
+
+		if (query->nsid) {
+			INSIST(i < DNS_EDNSOPTIONS);
+			opts[i].code = DNS_OPT_NSID;
+			opts[i].length = 0;
+			opts[i].value = NULL;
+			i++;
+		}
+
+		if (query->ecs_addr != NULL) {
+			uint8_t addr[16], family;
+			uint32_t plen;
+			struct sockaddr *sa;
+			struct sockaddr_in *sin;
+			struct sockaddr_in6 *sin6;
+			size_t addrl;
+			isc_buffer_t b;
+
+			sa = &query->ecs_addr->type.sa;
+			plen = query->ecs_addr->length;
+
+			/* Round up prefix len to a multiple of 8 */
+			addrl = (plen + 7) / 8;
+
+			INSIST(i < DNS_EDNSOPTIONS);
+			opts[i].code = DNS_OPT_CLIENT_SUBNET;
+			opts[i].length = (uint16_t)addrl + 4;
+			CHECK("isc_buffer_allocate", result);
+			isc_buffer_init(&b, ecsbuf, sizeof(ecsbuf));
+			if (sa->sa_family == AF_INET) {
+				family = 1;
+				sin = (struct sockaddr_in *)sa;
+				memmove(addr, &sin->sin_addr, 4);
+				if ((plen % 8) != 0) {
+					addr[addrl - 1] &= ~0U
+							   << (8 - (plen % 8));
+				}
+			} else {
+				family = 2;
+				sin6 = (struct sockaddr_in6 *)sa;
+				memmove(addr, &sin6->sin6_addr, 16);
+			}
+
+			/* Mask off last address byte */
+			if (addrl > 0 && (plen % 8) != 0) {
+				addr[addrl - 1] &= ~0U << (8 - (plen % 8));
+			}
+
+			/* family */
+			isc_buffer_putuint16(&b, family);
+			/* source prefix-length */
+			isc_buffer_putuint8(&b, plen);
+			/* scope prefix-length */
+			isc_buffer_putuint8(&b, 0);
+			/* address */
+			if (addrl > 0) {
+				isc_buffer_putmem(&b, addr, (unsigned)addrl);
+			}
+
+			opts[i].value = (uint8_t *)ecsbuf;
+			i++;
+		}
+
+		if (query->send_cookie) {
+			INSIST(i < DNS_EDNSOPTIONS);
+			opts[i].code = DNS_OPT_COOKIE;
+			if (query->cookie != NULL) {
+				isc_buffer_t b;
+
+				isc_buffer_init(&b, cookie, sizeof(cookie));
+				result = isc_hex_decodestring(query->cookie,
+							      &b);
+				CHECK("isc_hex_decodestring", result);
+				opts[i].value = isc_buffer_base(&b);
+				opts[i].length = isc_buffer_usedlength(&b);
+			} else {
+				compute_cookie(cookie, 8);
+				opts[i].length = 8;
+				opts[i].value = cookie;
+			}
+			i++;
+		}
+
+		if (query->expire) {
+			INSIST(i < DNS_EDNSOPTIONS);
+			opts[i].code = DNS_OPT_EXPIRE;
+			opts[i].length = 0;
+			opts[i].value = NULL;
+			i++;
+		}
+
+		if (query->ednsoptscnt != 0) {
+			memmove(&opts[i], query->ednsopts,
+				sizeof(dns_ednsopt_t) * query->ednsoptscnt);
+			i += query->ednsoptscnt;
+		}
+
+		flags = query->ednsflags;
+		flags &= ~DNS_MESSAGEEXTFLAG_DO;
+		if (query->dnssec) {
+			flags |= DNS_MESSAGEEXTFLAG_DO;
+		}
+		add_opt(message, query->udpsize, query->edns, flags, opts, i);
+	}
+
+	options = 0;
+	if (tcp_mode) {
+		options |= DNS_REQUESTOPT_TCP | DNS_REQUESTOPT_SHARE;
+	}
+	request = NULL;
+	result = dns_request_createvia(
+		requestmgr, message, have_src ? &srcaddr : NULL, &dstaddr, dscp,
+		options, NULL, query->timeout, query->udptimeout,
+		query->udpretries, task, recvresponse, message, &request);
+	CHECK("dns_request_createvia4", result);
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+sendqueries(isc_task_t *task, isc_event_t *event) {
+	struct query *query = (struct query *)event->ev_arg;
+
+	isc_event_free(&event);
+
+	while (query != NULL) {
+		struct query *next = ISC_LIST_NEXT(query, link);
+
+		sendquery(query, task);
+		query = next;
+	}
+
+	if (onfly == 0) {
+		isc_app_shutdown();
+	}
+	return;
+}
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(void) {
+	fputs("Usage: mdig @server {global-opt} host\n"
+	      "           {local-opt} [ host {local-opt} [...]]\n",
+	      stderr);
+	fputs("\nUse \"mdig -h\" (or \"mdig -h | more\") "
+	      "for complete list of options\n",
+	      stderr);
+	exit(1);
+}
+
+/*% help */
+static void
+help(void) {
+	fputs("Usage: mdig @server {global-opt} host\n"
+	      "           {local-opt} [ host {local-opt} [...]]\n",
+	      stdout);
+	fputs("Where:\n"
+	      " anywhere opt    is one of:\n"
+	      "                 -f filename         (batch mode)\n"
+	      "                 -h                  (print help and exit)\n"
+	      "                 -v                  (print version and exit)\n"
+	      " global opt      is one of:\n"
+	      "                 -4                  (use IPv4 query transport "
+	      "only)\n"
+	      "                 -6                  (use IPv6 query transport "
+	      "only)\n"
+	      "                 -b address[#port]   (bind to source "
+	      "address/port)\n"
+	      "                 -p port             (specify port number)\n"
+	      "                 -m                  (enable memory usage "
+	      "debugging)\n"
+	      "                 +[no]dscp[=###]     (Set the DSCP value to ### "
+	      "[0..63])\n"
+	      "                 +[no]vc             (TCP mode)\n"
+	      "                 +[no]tcp            (TCP mode, alternate "
+	      "syntax)\n"
+	      "                 +[no]besteffort     (Try to parse even illegal "
+	      "messages)\n"
+	      "                 +[no]cl             (Control display of class "
+	      "in records)\n"
+	      "                 +[no]comments       (Control display of "
+	      "comment lines)\n"
+	      "                 +[no]rrcomments     (Control display of "
+	      "per-record "
+	      "comments)\n"
+	      "                 +[no]crypto         (Control display of "
+	      "cryptographic "
+	      "fields in records)\n"
+	      "                 +[no]question       (Control display of "
+	      "question)\n"
+	      "                 +[no]answer         (Control display of "
+	      "answer)\n"
+	      "                 +[no]authority      (Control display of "
+	      "authority)\n"
+	      "                 +[no]additional     (Control display of "
+	      "additional)\n"
+	      "                 +[no]short          (Disable everything except "
+	      "short\n"
+	      "                                      form of answer)\n"
+	      "                 +[no]ttlid          (Control display of ttls "
+	      "in records)\n"
+	      "                 +[no]ttlunits       (Display TTLs in "
+	      "human-readable units)\n"
+	      "                 +[no]unknownformat  (Print RDATA in RFC 3597 "
+	      "\"unknown\" format)\n"
+	      "                 +[no]all            (Set or clear all display "
+	      "flags)\n"
+	      "                 +[no]multiline      (Print records in an "
+	      "expanded format)\n"
+	      "                 +[no]split=##       (Split hex/base64 fields "
+	      "into chunks)\n"
+	      " local opt       is one of:\n"
+	      "                 -c class            (specify query class)\n"
+	      "                 -t type             (specify query type)\n"
+	      "                 -x dot-notation     (shortcut for reverse "
+	      "lookups)\n"
+	      "                 +timeout=###        (Set query timeout) "
+	      "[UDP=5,TCP=10]\n"
+	      "                 +udptimeout=###     (Set timeout before UDP "
+	      "retry)\n"
+	      "                 +tries=###          (Set number of UDP "
+	      "attempts) [3]\n"
+	      "                 +retry=###          (Set number of UDP "
+	      "retries) [2]\n"
+	      "                 +bufsize=###        (Set EDNS0 Max UDP packet "
+	      "size)\n"
+	      "                 +subnet=addr        (Set edns-client-subnet "
+	      "option)\n"
+	      "                 +[no]edns[=###]     (Set EDNS version) [0]\n"
+	      "                 +ednsflags=###      (Set EDNS flag bits)\n"
+	      "                 +ednsopt=###[:value] (Send specified EDNS "
+	      "option)\n"
+	      "                 +noednsopt          (Clear list of +ednsopt "
+	      "options)\n"
+	      "                 +[no]recurse        (Recursive mode)\n"
+	      "                 +[no]aaonly         (Set AA flag in query "
+	      "(+[no]aaflag))\n"
+	      "                 +[no]adflag         (Set AD flag in query)\n"
+	      "                 +[no]cdflag         (Set CD flag in query)\n"
+	      "                 +[no]zflag          (Set Z flag in query)\n"
+	      "                 +[no]dnssec         (Request DNSSEC records)\n"
+	      "                 +[no]expire         (Request time to expire)\n"
+	      "                 +[no]cookie[=###]   (Send a COOKIE option)\n"
+	      "                 +[no]nsid           (Request Name Server ID)\n",
+	      stdout);
+}
+
+ISC_PLATFORM_NORETURN_PRE static void
+fatal(const char *format, ...)
+	ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
+
+static void
+fatal(const char *format, ...) {
+	va_list args;
+
+	fflush(stdout);
+	fprintf(stderr, "mdig: ");
+	va_start(args, format);
+	vfprintf(stderr, format, args);
+	va_end(args);
+	fprintf(stderr, "\n");
+	exit(-2);
+}
+
+static isc_result_t
+parse_uint_helper(uint32_t *uip, const char *value, uint32_t max,
+		  const char *desc, int base) {
+	uint32_t n;
+	isc_result_t result = isc_parse_uint32(&n, value, base);
+	if (result == ISC_R_SUCCESS && n > max) {
+		result = ISC_R_RANGE;
+	}
+	if (result != ISC_R_SUCCESS) {
+		printf("invalid %s '%s': %s\n", desc, value,
+		       isc_result_totext(result));
+		return (result);
+	}
+	*uip = n;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+parse_uint(uint32_t *uip, const char *value, uint32_t max, const char *desc) {
+	return (parse_uint_helper(uip, value, max, desc, 10));
+}
+
+static isc_result_t
+parse_xint(uint32_t *uip, const char *value, uint32_t max, const char *desc) {
+	return (parse_uint_helper(uip, value, max, desc, 0));
+}
+
+static void
+newopts(struct query *query) {
+	size_t len = sizeof(query->ednsopts[0]) * EDNSOPTS;
+	size_t i;
+
+	query->ednsopts = isc_mem_allocate(mctx, len);
+
+	for (i = 0; i < EDNSOPTS; i++) {
+		query->ednsopts[i].code = 0;
+		query->ednsopts[i].length = 0;
+		query->ednsopts[i].value = NULL;
+	}
+}
+
+static void
+save_opt(struct query *query, char *code, char *value) {
+	uint32_t num;
+	isc_buffer_t b;
+	isc_result_t result;
+
+	if (query->ednsopts == NULL) {
+		newopts(query);
+	}
+
+	if (query->ednsoptscnt == EDNSOPTS) {
+		fatal("too many ednsopts");
+	}
+
+	result = parse_uint(&num, code, 65535, "ednsopt");
+	if (result != ISC_R_SUCCESS) {
+		fatal("bad edns code point: %s", code);
+	}
+
+	query->ednsopts[query->ednsoptscnt].code = num;
+	query->ednsopts[query->ednsoptscnt].length = 0;
+	query->ednsopts[query->ednsoptscnt].value = NULL;
+
+	if (value != NULL) {
+		char *buf;
+		buf = isc_mem_allocate(mctx, strlen(value) / 2 + 1);
+		isc_buffer_init(&b, buf, strlen(value) / 2 + 1);
+		result = isc_hex_decodestring(value, &b);
+		CHECK("isc_hex_decodestring", result);
+		query->ednsopts[query->ednsoptscnt].value = isc_buffer_base(&b);
+		query->ednsopts[query->ednsoptscnt].length =
+			isc_buffer_usedlength(&b);
+	}
+
+	query->ednsoptscnt++;
+}
+
+static isc_result_t
+parse_netprefix(isc_sockaddr_t **sap, const char *value) {
+	isc_sockaddr_t *sa = NULL;
+	struct in_addr in4;
+	struct in6_addr in6;
+	uint32_t netmask = 0xffffffff;
+	char *slash = NULL;
+	bool parsed = false;
+	char buf[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:XXX.XXX.XXX.XXX/128")];
+
+	if (strlcpy(buf, value, sizeof(buf)) >= sizeof(buf)) {
+		fatal("invalid prefix '%s'\n", value);
+	}
+
+	slash = strchr(buf, '/');
+	if (slash != NULL) {
+		isc_result_t result;
+		*slash = '\0';
+		result = isc_parse_uint32(&netmask, slash + 1, 10);
+		if (result != ISC_R_SUCCESS) {
+			fatal("invalid prefix length in '%s': %s\n", value,
+			      isc_result_totext(result));
+		}
+	} else if (strcmp(value, "0") == 0) {
+		netmask = 0;
+	}
+
+	sa = isc_mem_allocate(mctx, sizeof(*sa));
+	if (inet_pton(AF_INET6, buf, &in6) == 1) {
+		parsed = true;
+		isc_sockaddr_fromin6(sa, &in6, 0);
+		if (netmask > 128) {
+			netmask = 128;
+		}
+	} else if (inet_pton(AF_INET, buf, &in4) == 1) {
+		parsed = true;
+		isc_sockaddr_fromin(sa, &in4, 0);
+		if (netmask > 32) {
+			netmask = 32;
+		}
+	} else if (netmask != 0xffffffff) {
+		int i;
+
+		for (i = 0; i < 3 && strlen(buf) < sizeof(buf) - 2; i++) {
+			strlcat(buf, ".0", sizeof(buf));
+			if (inet_pton(AF_INET, buf, &in4) == 1) {
+				parsed = true;
+				isc_sockaddr_fromin(sa, &in4, 0);
+				break;
+			}
+		}
+
+		if (netmask > 32) {
+			netmask = 32;
+		}
+	}
+
+	if (!parsed) {
+		fatal("invalid address '%s'", value);
+	}
+
+	sa->length = netmask;
+	*sap = sa;
+
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Append 'len' bytes of 'text' at '*p', failing with
+ * ISC_R_NOSPACE if that would advance p past 'end'.
+ */
+static isc_result_t
+append(const char *text, int len, char **p, char *end) {
+	if (len > end - *p) {
+		return (ISC_R_NOSPACE);
+	}
+	memmove(*p, text, len);
+	*p += len;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+reverse_octets(const char *in, char **p, char *end) {
+	const char *dot = strchr(in, '.');
+	int len;
+	if (dot != NULL) {
+		isc_result_t result;
+		result = reverse_octets(dot + 1, p, end);
+		CHECK("reverse_octets", result);
+		result = append(".", 1, p, end);
+		CHECK("append", result);
+		len = (int)(dot - in);
+	} else {
+		len = strlen(in);
+	}
+	return (append(in, len, p, end));
+}
+
+static void
+get_reverse(char *reverse, size_t len, const char *value) {
+	int r;
+	isc_result_t result;
+	isc_netaddr_t addr;
+
+	addr.family = AF_INET6;
+	r = inet_pton(AF_INET6, value, &addr.type.in6);
+	if (r > 0) {
+		/* This is a valid IPv6 address. */
+		dns_fixedname_t fname;
+		dns_name_t *name;
+		unsigned int options = 0;
+
+		name = dns_fixedname_initname(&fname);
+		result = dns_byaddr_createptrname(&addr, options, name);
+		CHECK("dns_byaddr_createptrname2", result);
+		dns_name_format(name, reverse, (unsigned int)len);
+		return;
+	} else {
+		/*
+		 * Not a valid IPv6 address.  Assume IPv4.
+		 * Construct the in-addr.arpa name by blindly
+		 * reversing octets whether or not they look like
+		 * integers, so that this can be used for RFC2317
+		 * names and such.
+		 */
+		char *p = reverse;
+		char *end = reverse + len;
+		result = reverse_octets(value, &p, end);
+		CHECK("reverse_octets", result);
+		/* Append .in-addr.arpa. and a terminating NUL. */
+		result = append(".in-addr.arpa.", 15, &p, end);
+		CHECK("append", result);
+		return;
+	}
+}
+
+/*%
+ * We're not using isc_commandline_parse() here since the command line
+ * syntax of mdig is quite a bit different from that which can be described
+ * by that routine.
+ * XXX doc options
+ */
+
+static void
+plus_option(char *option, struct query *query, bool global) {
+	isc_result_t result;
+	char *cmd, *value, *last = NULL, *code;
+	uint32_t num;
+	bool state = true;
+	size_t n;
+
+	INSIST(option != NULL);
+
+	if ((cmd = strtok_r(option, "=", &last)) == NULL) {
+		printf(";; Invalid option %s\n", option);
+		return;
+	}
+	if (strncasecmp(cmd, "no", 2) == 0) {
+		cmd += 2;
+		state = false;
+	}
+	/* parse the rest of the string */
+	value = strtok_r(NULL, "", &last);
+
+#define FULLCHECK(A)                                                 \
+	do {                                                         \
+		size_t _l = strlen(cmd);                             \
+		if (_l >= sizeof(A) || strncasecmp(cmd, A, _l) != 0) \
+			goto invalid_option;                         \
+	} while (0)
+#define FULLCHECK2(A, B)                                                 \
+	do {                                                             \
+		size_t _l = strlen(cmd);                                 \
+		if ((_l >= sizeof(A) || strncasecmp(cmd, A, _l) != 0) && \
+		    (_l >= sizeof(B) || strncasecmp(cmd, B, _l) != 0))   \
+			goto invalid_option;                             \
+	} while (0)
+#define GLOBAL()                            \
+	do {                                \
+		if (!global)                \
+			goto global_option; \
+	} while (0)
+
+	switch (cmd[0]) {
+	case 'a':
+		switch (cmd[1]) {
+		case 'a': /* aaonly / aaflag */
+			FULLCHECK2("aaonly", "aaflag");
+			query->have_aaonly = state;
+			break;
+		case 'd':
+			switch (cmd[2]) {
+			case 'd': /* additional */
+				FULLCHECK("additional");
+				display_additional = state;
+				break;
+			case 'f':  /* adflag */
+			case '\0': /* +ad is a synonym for +adflag */
+				FULLCHECK("adflag");
+				query->have_adflag = state;
+				break;
+			default:
+				goto invalid_option;
+			}
+			break;
+		case 'l': /* all */
+			FULLCHECK("all");
+			GLOBAL();
+			display_question = state;
+			display_answer = state;
+			display_authority = state;
+			display_additional = state;
+			display_comments = state;
+			display_rrcomments = state ? 1 : -1;
+			break;
+		case 'n': /* answer */
+			FULLCHECK("answer");
+			GLOBAL();
+			display_answer = state;
+			break;
+		case 'u': /* authority */
+			FULLCHECK("authority");
+			GLOBAL();
+			display_authority = state;
+			break;
+		default:
+			goto invalid_option;
+		}
+		break;
+	case 'b':
+		switch (cmd[1]) {
+		case 'e': /* besteffort */
+			FULLCHECK("besteffort");
+			GLOBAL();
+			besteffort = state;
+			break;
+		case 'u':
+			switch (cmd[2]) {
+			case 'f': /* bufsize */
+				FULLCHECK("bufsize");
+				if (value == NULL) {
+					goto need_value;
+				}
+				if (!state) {
+					goto invalid_option;
+				}
+				result = parse_uint(&num, value, COMMSIZE,
+						    "buffer size");
+				CHECK("parse_uint(buffer size)", result);
+				query->udpsize = num;
+				break;
+			case 'r': /* burst */
+				FULLCHECK("burst");
+				GLOBAL();
+				burst = state;
+				break;
+			default:
+				goto invalid_option;
+			}
+			break;
+		default:
+			goto invalid_option;
+		}
+		break;
+	case 'c':
+		switch (cmd[1]) {
+		case 'd': /* cdflag */
+			switch (cmd[2]) {
+			case 'f':  /* cdflag */
+			case '\0': /* +cd is a synonym for +cdflag */
+				FULLCHECK("cdflag");
+				query->have_cdflag = state;
+				break;
+			default:
+				goto invalid_option;
+			}
+			break;
+		case 'l': /* cl */
+			FULLCHECK("cl");
+			GLOBAL();
+			display_class = state;
+			break;
+		case 'o': /* comments */
+			switch (cmd[2]) {
+			case 'm':
+				FULLCHECK("comments");
+				GLOBAL();
+				display_comments = state;
+				break;
+			case 'n':
+				FULLCHECK("continue");
+				GLOBAL();
+				continue_on_error = state;
+				break;
+			case 'o':
+				FULLCHECK("cookie");
+				if (state && query->edns == -1) {
+					query->edns = 0;
+				}
+				query->send_cookie = state;
+				if (value != NULL) {
+					n = strlcpy(hexcookie, value,
+						    sizeof(hexcookie));
+					if (n >= sizeof(hexcookie)) {
+						fatal("COOKIE data too large");
+					}
+					query->cookie = hexcookie;
+				} else {
+					query->cookie = NULL;
+				}
+				break;
+			default:
+				goto invalid_option;
+			}
+			break;
+		case 'r':
+			FULLCHECK("crypto");
+			GLOBAL();
+			display_crypto = state;
+			break;
+		default:
+			goto invalid_option;
+		}
+		break;
+	case 'd':
+		switch (cmd[1]) {
+		case 'n': /* dnssec */
+			FULLCHECK("dnssec");
+			if (state && query->edns == -1) {
+				query->edns = 0;
+			}
+			query->dnssec = state;
+			break;
+		case 's': /* dscp */
+			FULLCHECK("dscp");
+			GLOBAL();
+			if (!state) {
+				dscp = -1;
+				break;
+			}
+			if (value == NULL) {
+				goto need_value;
+			}
+			result = parse_uint(&num, value, 0x3f, "DSCP");
+			CHECK("parse_uint(DSCP)", result);
+			dscp = num;
+			break;
+		default:
+			goto invalid_option;
+		}
+		break;
+	case 'e':
+		switch (cmd[1]) {
+		case 'd':
+			switch (cmd[2]) {
+			case 'n':
+				switch (cmd[3]) {
+				case 's':
+					switch (cmd[4]) {
+					case 0:
+						FULLCHECK("edns");
+						if (!state) {
+							query->edns = -1;
+							break;
+						}
+						if (value == NULL) {
+							query->edns = 0;
+							break;
+						}
+						result = parse_uint(&num, value,
+								    255,
+								    "edns");
+						CHECK("parse_uint(edns)",
+						      result);
+						query->edns = num;
+						break;
+					case 'f':
+						FULLCHECK("ednsflags");
+						if (!state) {
+							query->ednsflags = 0;
+							break;
+						}
+						if (value == NULL) {
+							query->ednsflags = 0;
+							break;
+						}
+						result = parse_xint(
+							&num, value, 0xffff,
+							"ednsflags");
+						CHECK("parse_xint(ednsflags)",
+						      result);
+						query->ednsflags = num;
+						break;
+					case 'o':
+						FULLCHECK("ednsopt");
+						if (!state) {
+							query->ednsoptscnt = 0;
+							break;
+						}
+						code = NULL;
+						if (value != NULL) {
+							code = strtok_r(value,
+									":",
+									&last);
+						}
+						if (code == NULL) {
+							fatal("ednsopt no "
+							      "code point "
+							      "specified");
+						}
+						value = strtok_r(NULL, "\0",
+								 &last);
+						save_opt(query, code, value);
+						break;
+					default:
+						goto invalid_option;
+					}
+					break;
+				default:
+					goto invalid_option;
+				}
+				break;
+			default:
+				goto invalid_option;
+			}
+			break;
+		case 'x':
+			FULLCHECK("expire");
+			query->expire = state;
+			break;
+		default:
+			goto invalid_option;
+		}
+		break;
+	case 'm': /* multiline */
+		FULLCHECK("multiline");
+		GLOBAL();
+		display_multiline = state;
+		break;
+	case 'n':
+		FULLCHECK("nsid");
+		if (state && query->edns == -1) {
+			query->edns = 0;
+		}
+		query->nsid = state;
+		break;
+	case 'q':
+		FULLCHECK("question");
+		GLOBAL();
+		display_question = state;
+		break;
+	case 'r':
+		switch (cmd[1]) {
+		case 'e':
+			switch (cmd[2]) {
+			case 'c': /* recurse */
+				FULLCHECK("recurse");
+				query->recurse = state;
+				break;
+			case 't': /* retry / retries */
+				FULLCHECK2("retry", "retries");
+				if (value == NULL) {
+					goto need_value;
+				}
+				if (!state) {
+					goto invalid_option;
+				}
+				result = parse_uint(&query->udpretries, value,
+						    MAXTRIES - 1, "udpretries");
+				CHECK("parse_uint(udpretries)", result);
+				query->udpretries++;
+				break;
+			default:
+				goto invalid_option;
+			}
+			break;
+		case 'r':
+			FULLCHECK("rrcomments");
+			GLOBAL();
+			display_rrcomments = state ? 1 : -1;
+			break;
+		default:
+			goto invalid_option;
+		}
+		break;
+	case 's':
+		switch (cmd[1]) {
+		case 'h':
+			FULLCHECK("short");
+			GLOBAL();
+			display_short_form = state;
+			if (state) {
+				display_question = false;
+				display_answer = true;
+				display_authority = false;
+				display_additional = false;
+				display_comments = false;
+				display_rrcomments = -1;
+			}
+			break;
+		case 'p': /* split */
+			FULLCHECK("split");
+			GLOBAL();
+			if (value != NULL && !state) {
+				goto invalid_option;
+			}
+			if (!state) {
+				display_splitwidth = 0;
+				break;
+			} else if (value == NULL) {
+				break;
+			}
+
+			result = parse_uint(&display_splitwidth, value, 1023,
+					    "split");
+			if ((display_splitwidth % 4) != 0) {
+				display_splitwidth =
+					((display_splitwidth + 3) / 4) * 4;
+				fprintf(stderr,
+					";; Warning, split must be "
+					"a multiple of 4; adjusting "
+					"to %u\n",
+					display_splitwidth);
+			}
+			/*
+			 * There is an adjustment done in the
+			 * totext_<rrtype>() functions which causes
+			 * splitwidth to shrink.  This is okay when we're
+			 * using the default width but incorrect in this
+			 * case, so we correct for it
+			 */
+			if (display_splitwidth) {
+				display_splitwidth += 3;
+			}
+			CHECK("parse_uint(split)", result);
+			break;
+		case 'u': /* subnet */
+			FULLCHECK("subnet");
+			if (state && value == NULL) {
+				goto need_value;
+			}
+			if (!state) {
+				if (query->ecs_addr != NULL) {
+					isc_mem_free(mctx, query->ecs_addr);
+					query->ecs_addr = NULL;
+				}
+				break;
+			}
+			if (query->edns == -1) {
+				query->edns = 0;
+			}
+			result = parse_netprefix(&query->ecs_addr, value);
+			CHECK("parse_netprefix", result);
+			break;
+		default:
+			goto invalid_option;
+		}
+		break;
+	case 't':
+		switch (cmd[1]) {
+		case 'c': /* tcp */
+			FULLCHECK("tcp");
+			GLOBAL();
+			tcp_mode = state;
+			break;
+		case 'i': /* timeout */
+			FULLCHECK("timeout");
+			if (value == NULL) {
+				goto need_value;
+			}
+			if (!state) {
+				goto invalid_option;
+			}
+			result = parse_uint(&query->timeout, value, MAXTIMEOUT,
+					    "timeout");
+			CHECK("parse_uint(timeout)", result);
+			if (query->timeout == 0) {
+				query->timeout = 1;
+			}
+			break;
+		case 'r':
+			FULLCHECK("tries");
+			if (value == NULL) {
+				goto need_value;
+			}
+			if (!state) {
+				goto invalid_option;
+			}
+			result = parse_uint(&query->udpretries, value, MAXTRIES,
+					    "udpretries");
+			CHECK("parse_uint(udpretries)", result);
+			if (query->udpretries == 0) {
+				query->udpretries = 1;
+			}
+			break;
+		case 't':
+			switch (cmd[2]) {
+			case 'l':
+				switch (cmd[3]) {
+				case 0:
+				case 'i': /* ttlid */
+					FULLCHECK2("ttl", "ttlid");
+					GLOBAL();
+					display_ttl = state;
+					break;
+				case 'u': /* ttlunits */
+					FULLCHECK("ttlunits");
+					GLOBAL();
+					display_ttl = true;
+					display_ttlunits = state;
+					break;
+				default:
+					goto invalid_option;
+				}
+				break;
+			default:
+				goto invalid_option;
+			}
+			break;
+		default:
+			goto invalid_option;
+		}
+		break;
+	case 'u':
+		switch (cmd[1]) {
+		case 'd':
+			FULLCHECK("udptimeout");
+			if (value == NULL) {
+				goto need_value;
+			}
+			if (!state) {
+				goto invalid_option;
+			}
+			result = parse_uint(&query->udptimeout, value,
+					    MAXTIMEOUT, "udptimeout");
+			CHECK("parse_uint(udptimeout)", result);
+			break;
+		case 'n':
+			FULLCHECK("unknownformat");
+			display_unknown_format = state;
+			break;
+		default:
+			goto invalid_option;
+		}
+		break;
+	case 'v':
+		FULLCHECK("vc");
+		GLOBAL();
+		tcp_mode = state;
+		break;
+	case 'y': /* yaml */
+		FULLCHECK("yaml");
+		yaml = state;
+		if (state) {
+			display_rrcomments = state;
+		}
+		break;
+	case 'z': /* zflag */
+		FULLCHECK("zflag");
+		query->have_zflag = state;
+		break;
+	global_option:
+		fprintf(stderr, "Ignored late global option: +%s\n", option);
+		break;
+	default:
+	invalid_option:
+	need_value:
+		fprintf(stderr, "Invalid option: +%s\n", option);
+		usage();
+	}
+	return;
+}
+
+/*%
+ * #true returned if value was used
+ */
+static const char *single_dash_opts = "46himv";
+static const char *dash_opts = "46bcfhiptvx";
+static bool
+dash_option(const char *option, char *next, struct query *query, bool global,
+	    bool *setname) {
+	char opt;
+	const char *value;
+	isc_result_t result;
+	bool value_from_next;
+	isc_consttextregion_t tr;
+	dns_rdatatype_t rdtype;
+	dns_rdataclass_t rdclass;
+	char textname[MXNAME];
+	struct in_addr in4;
+	struct in6_addr in6;
+	in_port_t srcport;
+	char *hash;
+	uint32_t num;
+
+	while (strpbrk(option, single_dash_opts) == &option[0]) {
+		/*
+		 * Since the -[46hiv] options do not take an argument,
+		 * account for them (in any number and/or combination)
+		 * if they appear as the first character(s) of an opt.
+		 */
+		opt = option[0];
+		switch (opt) {
+		case '4':
+			GLOBAL();
+			if (have_ipv4) {
+				isc_net_disableipv6();
+				have_ipv6 = false;
+			} else {
+				fatal("can't find IPv4 networking");
+				UNREACHABLE();
+				return (false);
+			}
+			break;
+		case '6':
+			GLOBAL();
+			if (have_ipv6) {
+				isc_net_disableipv4();
+				have_ipv4 = false;
+			} else {
+				fatal("can't find IPv6 networking");
+				UNREACHABLE();
+				return (false);
+			}
+			break;
+		case 'h':
+			help();
+			exit(0);
+			break;
+		case 'i':
+			/* deprecated */
+			break;
+		case 'm':
+			/*
+			 * handled by preparse_args()
+			 */
+			break;
+		case 'v':
+			fputs("mDiG " VERSION "\n", stderr);
+			exit(0);
+			break;
+		}
+		if (strlen(option) > 1U) {
+			option = &option[1];
+		} else {
+			return (false);
+		}
+	}
+	opt = option[0];
+	if (strlen(option) > 1U) {
+		value_from_next = false;
+		value = &option[1];
+	} else {
+		value_from_next = true;
+		value = next;
+	}
+	if (value == NULL) {
+		goto invalid_option;
+	}
+	switch (opt) {
+	case 'b':
+		GLOBAL();
+		hash = strchr(value, '#');
+		if (hash != NULL) {
+			result = parse_uint(&num, hash + 1, MAXPORT,
+					    "port number");
+			CHECK("parse_uint(srcport)", result);
+			srcport = num;
+			*hash = '\0';
+		} else {
+			srcport = 0;
+		}
+		if (have_ipv6 && inet_pton(AF_INET6, value, &in6) == 1) {
+			isc_sockaddr_fromin6(&srcaddr, &in6, srcport);
+			isc_net_disableipv4();
+		} else if (have_ipv4 && inet_pton(AF_INET, value, &in4) == 1) {
+			isc_sockaddr_fromin(&srcaddr, &in4, srcport);
+			isc_net_disableipv6();
+		} else {
+			if (hash != NULL) {
+				*hash = '#';
+			}
+			fatal("invalid address %s", value);
+		}
+		if (hash != NULL) {
+			*hash = '#';
+		}
+		have_src = true;
+		return (value_from_next);
+	case 'c':
+		tr.base = value;
+		tr.length = strlen(value);
+		result = dns_rdataclass_fromtext(&rdclass,
+						 (isc_textregion_t *)&tr);
+		CHECK("dns_rdataclass_fromtext", result);
+		query->rdclass = rdclass;
+		return (value_from_next);
+	case 'f':
+		batchname = value;
+		return (value_from_next);
+	case 'p':
+		GLOBAL();
+		result = parse_uint(&num, value, MAXPORT, "port number");
+		CHECK("parse_uint(port)", result);
+		port = num;
+		return (value_from_next);
+	case 't':
+		tr.base = value;
+		tr.length = strlen(value);
+		result = dns_rdatatype_fromtext(&rdtype,
+						(isc_textregion_t *)&tr);
+		CHECK("dns_rdatatype_fromtext", result);
+		query->rdtype = rdtype;
+		return (value_from_next);
+	case 'x':
+		get_reverse(textname, sizeof(textname), value);
+		strlcpy(query->textname, textname, sizeof(query->textname));
+		query->rdtype = dns_rdatatype_ptr;
+		query->rdclass = dns_rdataclass_in;
+		*setname = true;
+		return (value_from_next);
+	global_option:
+		fprintf(stderr, "Ignored late global option: -%s\n", option);
+		usage();
+	default:
+	invalid_option:
+		fprintf(stderr, "Invalid option: -%s\n", option);
+		usage();
+	}
+	UNREACHABLE();
+	return (false);
+}
+
+static struct query *
+clone_default_query() {
+	struct query *query;
+
+	query = isc_mem_allocate(mctx, sizeof(struct query));
+	memmove(query, &default_query, sizeof(struct query));
+	if (default_query.ecs_addr != NULL) {
+		size_t len = sizeof(isc_sockaddr_t);
+
+		query->ecs_addr = isc_mem_allocate(mctx, len);
+		memmove(query->ecs_addr, default_query.ecs_addr, len);
+	}
+
+	if (query->timeout == 0) {
+		query->timeout = tcp_mode ? TCPTIMEOUT : UDPTIMEOUT;
+	}
+
+	return (query);
+}
+
+/*%
+ * Because we may be trying to do memory allocation recording, we're going
+ * to need to parse the arguments for the -m *before* we start the main
+ * argument parsing routine.
+ *
+ * I'd prefer not to have to do this, but I am not quite sure how else to
+ * fix the problem.  Argument parsing in mdig involves memory allocation
+ * by its nature, so it can't be done in the main argument parser.
+ */
+static void
+preparse_args(int argc, char **argv) {
+	int rc;
+	char **rv;
+	char *option;
+	bool ipv4only = false, ipv6only = false;
+
+	rc = argc;
+	rv = argv;
+	for (rc--, rv++; rc > 0; rc--, rv++) {
+		if (rv[0][0] != '-') {
+			continue;
+		}
+		option = &rv[0][1];
+		while (strpbrk(option, single_dash_opts) == &option[0]) {
+			switch (option[0]) {
+			case 'm':
+				isc_mem_debugging = ISC_MEM_DEBUGTRACE |
+						    ISC_MEM_DEBUGRECORD;
+				break;
+			case '4':
+				if (ipv6only) {
+					fatal("only one of -4 and -6 allowed");
+				}
+				ipv4only = true;
+				break;
+			case '6':
+				if (ipv4only) {
+					fatal("only one of -4 and -6 allowed");
+				}
+				ipv6only = true;
+				break;
+			}
+			option = &option[1];
+		}
+		if (strlen(option) == 0U) {
+			continue;
+		}
+		/* Look for dash value option. */
+		if (strpbrk(option, dash_opts) != &option[0] ||
+		    strlen(option) > 1U)
+		{
+			/* Error or value in option. */
+			continue;
+		}
+		/* Dash value is next argument so we need to skip it. */
+		rc--, rv++;
+		/* Handle missing argument */
+		if (rc == 0) {
+			break;
+		}
+	}
+}
+
+static void
+parse_args(bool is_batchfile, int argc, char **argv) {
+	struct query *query = NULL;
+	char batchline[MXNAME];
+	int bargc;
+	char *bargv[64];
+	int rc;
+	char **rv;
+	bool global = true;
+	char *last;
+
+	/*
+	 * The semantics for parsing the args is a bit complex; if
+	 * we don't have a host yet, make the arg apply globally,
+	 * otherwise make it apply to the latest host.  This is
+	 * a bit different than the previous versions, but should
+	 * form a consistent user interface.
+	 *
+	 * First, create a "default query" which won't actually be used
+	 * anywhere, except for cloning into new queries
+	 */
+
+	if (!is_batchfile) {
+		default_query.textname[0] = 0;
+		default_query.recurse = true;
+		default_query.have_aaonly = false;
+		default_query.have_adflag = true; /*XXX*/
+		default_query.have_cdflag = false;
+		default_query.have_zflag = false;
+		default_query.dnssec = false;
+		default_query.expire = false;
+		default_query.send_cookie = false;
+		default_query.cookie = NULL;
+		default_query.nsid = false;
+		default_query.rdtype = dns_rdatatype_a;
+		default_query.rdclass = dns_rdataclass_in;
+		default_query.udpsize = 0;
+		default_query.edns = 0; /*XXX*/
+		default_query.ednsopts = NULL;
+		default_query.ednsoptscnt = 0;
+		default_query.ednsflags = 0;
+		default_query.ecs_addr = NULL;
+		default_query.timeout = 0;
+		default_query.udptimeout = 0;
+		default_query.udpretries = 3;
+		ISC_LINK_INIT(&default_query, link);
+	}
+
+	if (is_batchfile) {
+		/* Processing '-f batchfile'. */
+		query = clone_default_query();
+		global = false;
+	} else {
+		query = &default_query;
+	}
+
+	rc = argc;
+	rv = argv;
+	for (rc--, rv++; rc > 0; rc--, rv++) {
+		if (strncmp(rv[0], "%", 1) == 0) {
+			break;
+		}
+		if (rv[0][0] == '@') {
+			if (server != NULL) {
+				fatal("server already set to @%s", server);
+			}
+			server = &rv[0][1];
+		} else if (rv[0][0] == '+') {
+			plus_option(&rv[0][1], query, global);
+		} else if (rv[0][0] == '-') {
+			bool setname = false;
+
+			if (rc <= 1) {
+				if (dash_option(&rv[0][1], NULL, query, global,
+						&setname))
+				{
+					rc--;
+					rv++;
+				}
+			} else {
+				if (dash_option(&rv[0][1], rv[1], query, global,
+						&setname))
+				{
+					rc--;
+					rv++;
+				}
+			}
+			if (setname) {
+				if (query == &default_query) {
+					query = clone_default_query();
+				}
+				ISC_LIST_APPEND(queries, query, link);
+
+				default_query.textname[0] = 0;
+				query = clone_default_query();
+				global = false;
+			}
+		} else {
+			/*
+			 * Anything which isn't an option
+			 */
+			if (query == &default_query) {
+				query = clone_default_query();
+			}
+			strlcpy(query->textname, rv[0],
+				sizeof(query->textname));
+			ISC_LIST_APPEND(queries, query, link);
+
+			query = clone_default_query();
+			global = false;
+			/* XXX Error message */
+		}
+	}
+
+	/*
+	 * If we have a batchfile, read the query list from it.
+	 */
+	if ((batchname != NULL) && !is_batchfile) {
+		if (strcmp(batchname, "-") == 0) {
+			batchfp = stdin;
+		} else {
+			batchfp = fopen(batchname, "r");
+		}
+		if (batchfp == NULL) {
+			perror(batchname);
+			fatal("couldn't open batch file '%s'", batchname);
+		}
+		while (fgets(batchline, sizeof(batchline), batchfp) != 0) {
+			if (batchline[0] == '\r' || batchline[0] == '\n' ||
+			    batchline[0] == '#' || batchline[0] == ';')
+			{
+				continue;
+			}
+			for (bargc = 1, bargv[bargc] = strtok_r(
+						batchline, " \t\r\n", &last);
+			     (bargc < 14) && bargv[bargc]; bargc++,
+			    bargv[bargc] = strtok_r(NULL, " \t\r\n", &last))
+			{
+				/* empty body */
+			}
+
+			bargv[0] = argv[0];
+			parse_args(true, bargc, (char **)bargv);
+		}
+		if (batchfp != stdin) {
+			fclose(batchfp);
+		}
+	}
+	if (query != &default_query) {
+		if (query->ecs_addr != NULL) {
+			isc_mem_free(mctx, query->ecs_addr);
+		}
+		isc_mem_free(mctx, query);
+	}
+}
+
+/*
+ * Try honoring the operating system's preferred ephemeral port range.
+ */
+static void
+set_source_ports(dns_dispatchmgr_t *manager) {
+	isc_portset_t *v4portset = NULL, *v6portset = NULL;
+	in_port_t udpport_low, udpport_high;
+	isc_result_t result;
+
+	result = isc_portset_create(mctx, &v4portset);
+	if (result != ISC_R_SUCCESS) {
+		fatal("isc_portset_create (v4) failed");
+	}
+
+	result = isc_net_getudpportrange(AF_INET, &udpport_low, &udpport_high);
+	if (result != ISC_R_SUCCESS) {
+		fatal("isc_net_getudpportrange (v4) failed");
+	}
+
+	isc_portset_addrange(v4portset, udpport_low, udpport_high);
+
+	result = isc_portset_create(mctx, &v6portset);
+	if (result != ISC_R_SUCCESS) {
+		fatal("isc_portset_create (v6) failed");
+	}
+	result = isc_net_getudpportrange(AF_INET6, &udpport_low, &udpport_high);
+	if (result != ISC_R_SUCCESS) {
+		fatal("isc_net_getudpportrange (v6) failed");
+	}
+
+	isc_portset_addrange(v6portset, udpport_low, udpport_high);
+
+	result = dns_dispatchmgr_setavailports(manager, v4portset, v6portset);
+	if (result != ISC_R_SUCCESS) {
+		fatal("dns_dispatchmgr_setavailports failed");
+	}
+
+	isc_portset_destroy(mctx, &v4portset);
+	isc_portset_destroy(mctx, &v6portset);
+}
+
+/*% Main processing routine for mdig */
+int
+main(int argc, char *argv[]) {
+	struct query *query = NULL;
+	isc_result_t result;
+	isc_sockaddr_t bind_any;
+	isc_log_t *lctx = NULL;
+	isc_logconfig_t *lcfg = NULL;
+	isc_nm_t *netmgr = NULL;
+	isc_taskmgr_t *taskmgr = NULL;
+	isc_task_t *task = NULL;
+	isc_timermgr_t *timermgr = NULL;
+	isc_socketmgr_t *socketmgr = NULL;
+	dns_dispatchmgr_t *dispatchmgr = NULL;
+	unsigned int attrs, attrmask;
+	dns_dispatch_t *dispatchvx = NULL;
+	dns_view_t *view = NULL;
+	int ns;
+	unsigned int i;
+
+	RUNCHECK(isc_app_start());
+
+	dns_result_register();
+
+	if (isc_net_probeipv4() == ISC_R_SUCCESS) {
+		have_ipv4 = true;
+	}
+	if (isc_net_probeipv6() == ISC_R_SUCCESS) {
+		have_ipv6 = true;
+	}
+	if (!have_ipv4 && !have_ipv6) {
+		fatal("could not find either IPv4 or IPv6");
+	}
+
+	preparse_args(argc, argv);
+
+	isc_mem_create(&mctx);
+
+	isc_log_create(mctx, &lctx, &lcfg);
+
+	RUNCHECK(dst_lib_init(mctx, NULL));
+	isc_nonce_buf(cookie_secret, sizeof(cookie_secret));
+
+	ISC_LIST_INIT(queries);
+	parse_args(false, argc, argv);
+	if (server == NULL) {
+		fatal("a server '@xxx' is required");
+	}
+
+	ns = 0;
+	result = bind9_getaddresses(server, port, &dstaddr, 1, &ns);
+	if (result != ISC_R_SUCCESS) {
+		fatal("couldn't get address for '%s': %s", server,
+		      isc_result_totext(result));
+	}
+
+	if (isc_sockaddr_pf(&dstaddr) == PF_INET && have_ipv6) {
+		isc_net_disableipv6();
+		have_ipv6 = false;
+	} else if (isc_sockaddr_pf(&dstaddr) == PF_INET6 && have_ipv4) {
+		isc_net_disableipv4();
+		have_ipv4 = false;
+	}
+	if (have_ipv4 && have_ipv6) {
+		fatal("can't choose between IPv4 and IPv6");
+	}
+
+	RUNCHECK(isc_managers_create(mctx, 1, 0, &netmgr, &taskmgr));
+	RUNCHECK(isc_task_create(taskmgr, 0, &task));
+	RUNCHECK(isc_timermgr_create(mctx, &timermgr));
+	RUNCHECK(isc_socketmgr_create(mctx, &socketmgr));
+	RUNCHECK(dns_dispatchmgr_create(mctx, &dispatchmgr));
+
+	set_source_ports(dispatchmgr);
+
+	attrs = DNS_DISPATCHATTR_UDP | DNS_DISPATCHATTR_MAKEQUERY;
+
+	if (have_ipv4) {
+		isc_sockaddr_any(&bind_any);
+		attrs |= DNS_DISPATCHATTR_IPV4;
+	} else {
+		isc_sockaddr_any6(&bind_any);
+		attrs |= DNS_DISPATCHATTR_IPV6;
+	}
+	attrmask = DNS_DISPATCHATTR_UDP | DNS_DISPATCHATTR_TCP |
+		   DNS_DISPATCHATTR_IPV4 | DNS_DISPATCHATTR_IPV6;
+	RUNCHECK(dns_dispatch_getudp(dispatchmgr, socketmgr, taskmgr,
+				     have_src ? &srcaddr : &bind_any, 4096, 100,
+				     100, 17, 19, attrs, attrmask,
+				     &dispatchvx));
+	RUNCHECK(dns_requestmgr_create(
+		mctx, timermgr, socketmgr, taskmgr, dispatchmgr,
+		have_ipv4 ? dispatchvx : NULL, have_ipv6 ? dispatchvx : NULL,
+		&requestmgr));
+
+	RUNCHECK(dns_view_create(mctx, 0, "_test", &view));
+
+	query = ISC_LIST_HEAD(queries);
+	RUNCHECK(isc_app_onrun(mctx, task, sendqueries, query));
+
+	/*
+	 * Stall to the start of a new second.
+	 */
+	if (burst) {
+		isc_time_t start, now;
+		RUNCHECK(isc_time_now(&start));
+		/*
+		 * Sleep to 1ms of the end of the second then run a busy loop
+		 * until the second changes.
+		 */
+		do {
+			RUNCHECK(isc_time_now(&now));
+			if (isc_time_seconds(&start) == isc_time_seconds(&now))
+			{
+				int us = US_PER_SEC -
+					 (isc_time_nanoseconds(&now) /
+					  NS_PER_US);
+				if (us > US_PER_MS) {
+					usleep(us - US_PER_MS);
+				}
+			} else {
+				break;
+			}
+		} while (1);
+	}
+
+	(void)isc_app_run();
+
+	dns_view_detach(&view);
+
+	dns_requestmgr_shutdown(requestmgr);
+	dns_requestmgr_detach(&requestmgr);
+
+	dns_dispatch_detach(&dispatchvx);
+	dns_dispatchmgr_destroy(&dispatchmgr);
+
+	isc_socketmgr_destroy(&socketmgr);
+	isc_timermgr_destroy(&timermgr);
+
+	isc_task_shutdown(task);
+	isc_task_detach(&task);
+	isc_managers_destroy(&netmgr, &taskmgr);
+
+	dst_lib_destroy();
+
+	isc_log_destroy(&lctx);
+
+	query = ISC_LIST_HEAD(queries);
+	while (query != NULL) {
+		struct query *next = ISC_LIST_NEXT(query, link);
+
+		if (query->ednsopts != NULL) {
+			for (i = 0; i < EDNSOPTS; i++) {
+				if (query->ednsopts[i].value != NULL) {
+					isc_mem_free(mctx,
+						     query->ednsopts[i].value);
+				}
+			}
+			isc_mem_free(mctx, query->ednsopts);
+		}
+		if (query->ecs_addr != NULL) {
+			isc_mem_free(mctx, query->ecs_addr);
+			query->ecs_addr = NULL;
+		}
+		isc_mem_free(mctx, query);
+		query = next;
+	}
+
+	if (default_query.ecs_addr != NULL) {
+		isc_mem_free(mctx, default_query.ecs_addr);
+	}
+
+	isc_mem_destroy(&mctx);
+
+	isc_app_finish();
+
+	return (0);
+}
diff --git a/bin/tools/mdig.rst b/bin/tools/mdig.rst
new file mode 100644
index 0000000..50aa588
--- /dev/null
+++ b/bin/tools/mdig.rst
@@ -0,0 +1,322 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. highlight: console
+
+.. _man_mdig:
+
+mdig - DNS pipelined lookup utility
+-----------------------------------
+
+Synopsis
+~~~~~~~~
+
+:program:`mdig` {@server} [**-f** filename] [**-h**] [**-v**] [ [**-4**] | [**-6**] ] [**-m**] [**-b** address] [**-p** port#] [**-c** class] [**-t** type] [**-i**] [**-x** addr] [plusopt...]
+
+:program:`mdig` {**-h**}
+
+:program:`mdig` [@server] {global-opt...} { {local-opt...} {query} ...}
+
+Description
+~~~~~~~~~~~
+
+``mdig`` is a multiple/pipelined query version of ``dig``: instead of
+waiting for a response after sending each query, it begins by sending
+all queries. Responses are displayed in the order in which they are
+received, not in the order the corresponding queries were sent.
+
+``mdig`` options are a subset of the ``dig`` options, and are divided
+into "anywhere options," which can occur anywhere, "global options," which
+must occur before the query name (or they are ignored with a warning),
+and "local options," which apply to the next query on the command line.
+
+The ``@server`` option is a mandatory global option. It is the name or IP
+address of the name server to query. (Unlike ``dig``, this value is not
+retrieved from ``/etc/resolv.conf``.) It can be an IPv4 address in
+dotted-decimal notation, an IPv6 address in colon-delimited notation, or
+a hostname. When the supplied ``server`` argument is a hostname,
+``mdig`` resolves that name before querying the name server.
+
+``mdig`` provides a number of query options which affect the way in
+which lookups are made and the results displayed. Some of these set or
+reset flag bits in the query header, some determine which sections of
+the answer get printed, and others determine the timeout and retry
+strategies.
+
+Each query option is identified by a keyword preceded by a plus sign
+(``+``). Some keywords set or reset an option. These may be preceded by
+the string ``no`` to negate the meaning of that keyword. Other keywords
+assign values to options like the timeout interval. They have the form
+``+keyword=value``.
+
+Anywhere Options
+~~~~~~~~~~~~~~~~
+
+``-f``
+   This option makes ``mdig`` operate in batch mode by reading a list
+   of lookup requests to process from the file ``filename``. The file
+   contains a number of queries, one per line. Each entry in the file
+   should be organized in the same way they would be presented as queries
+   to ``mdig`` using the command-line interface.
+
+``-h``
+   This option causes ``mdig`` to print detailed help information, with the full list
+   of options, and exit.
+
+``-v``
+   This option causes ``mdig`` to print the version number and exit.
+
+Global Options
+~~~~~~~~~~~~~~
+
+``-4``
+   This option forces ``mdig`` to only use IPv4 query transport.
+
+``-6``
+   This option forces ``mdig`` to only use IPv6 query transport.
+
+``-b address``
+   This option sets the source IP address of the query to
+   ``address``. This must be a valid address on one of the host's network
+   interfaces or "0.0.0.0" or "::". An optional port may be specified by
+   appending "#<port>"
+
+``-m``
+   This option enables memory usage debugging.
+
+``-p port#``
+   This option is used when a non-standard port number is to be
+   queried. ``port#`` is the port number that ``mdig`` sends its
+   queries to, instead of the standard DNS port number 53. This option is
+   used to test a name server that has been configured to listen for
+   queries on a non-standard port number.
+
+The global query options are:
+
+``+[no]additional``
+   This option displays [or does not display] the additional section of a reply. The
+   default is to display it.
+
+``+[no]all``
+   This option sets or clears all display flags.
+
+``+[no]answer``
+   This option displays [or does not display] the answer section of a reply. The default
+   is to display it.
+
+``+[no]authority``
+   This option displays [or does not display] the authority section of a reply. The
+   default is to display it.
+
+``+[no]besteffort``
+   This option attempts to display [or does not display] the contents of messages which are malformed. The
+   default is to not display malformed answers.
+
+``+burst``
+   This option delays queries until the start of the next second.
+
+``+[no]cl``
+   This option displays [or does not display] the CLASS when printing the record.
+
+``+[no]comments``
+   This option toggles the display of comment lines in the output. The default is to
+   print comments.
+
+``+[no]continue``
+   This option toggles continuation on errors (e.g. timeouts).
+
+``+[no]crypto``
+   This option toggles the display of cryptographic fields in DNSSEC records. The
+   contents of these fields are unnecessary to debug most DNSSEC
+   validation failures and removing them makes it easier to see the
+   common failures. The default is to display the fields. When omitted,
+   they are replaced by the string "[omitted]"; in the DNSKEY case, the
+   key ID is displayed as the replacement, e.g., ``[ key id = value ]``.
+
+``+dscp[=value]``
+   This option sets the DSCP code point to be used when sending the query. Valid DSCP
+   code points are in the range [0...63]. By default no code point is
+   explicitly set.
+
+``+[no]multiline``
+   This option toggles printing of records, like the SOA records, in a verbose multi-line format
+   with human-readable comments. The default is to print each record on
+   a single line, to facilitate machine parsing of the ``mdig`` output.
+
+``+[no]question``
+   This option prints [or does not print] the question section of a query when an answer
+   is returned. The default is to print the question section as a
+   comment.
+
+``+[no]rrcomments``
+   This option toggles the display of per-record comments in the output (for example,
+   human-readable key information about DNSKEY records). The default is
+   not to print record comments unless multiline mode is active.
+
+``+[no]short``
+   This option provides [or does not provide] a terse answer. The default is to print the answer in a
+   verbose form.
+
+``+split=W``
+   This option splits long hex- or base64-formatted fields in resource records into
+   chunks of ``W`` characters (where ``W`` is rounded up to the nearest
+   multiple of 4). ``+nosplit`` or ``+split=0`` causes fields not to be
+   split. The default is 56 characters, or 44 characters when
+   multiline mode is active.
+
+``+[no]tcp``
+   This option uses [or does not use] TCP when querying name servers. The default behavior
+   is to use UDP.
+
+``+[no]ttlid``
+   This option displays [or does not display] the TTL when printing the record.
+
+``+[no]ttlunits``
+   This option displays [or does not display] the TTL in friendly human-readable time
+   units of "s", "m", "h", "d", and "w", representing seconds, minutes,
+   hours, days, and weeks. This implies +ttlid.
+
+``+[no]vc``
+   This option uses [or does not use] TCP when querying name servers. This alternate
+   syntax to ``+[no]tcp`` is provided for backwards compatibility. The
+   ``vc`` stands for "virtual circuit".
+
+Local Options
+~~~~~~~~~~~~~
+
+``-c class``
+   This option sets the query class to ``class``. It can be any valid
+   query class which is supported in BIND 9. The default query class is
+   "IN".
+
+``-t type``
+   This option sets the query type to ``type``. It can be any valid
+   query type which is supported in BIND 9. The default query type is "A",
+   unless the ``-x`` option is supplied to indicate a reverse lookup with
+   the "PTR" query type.
+
+``-x addr``
+   Reverse lookups - mapping addresses to names - are simplified by
+   this option. ``addr`` is an IPv4 address in dotted-decimal
+   notation, or a colon-delimited IPv6 address. ``mdig`` automatically
+   performs a lookup for a query name like ``11.12.13.10.in-addr.arpa`` and
+   sets the query type and class to PTR and IN respectively. By default,
+   IPv6 addresses are looked up using nibble format under the IP6.ARPA
+   domain.
+
+The local query options are:
+
+``+[no]aaflag``
+   This is a synonym for ``+[no]aaonly``.
+
+``+[no]aaonly``
+   This sets the ``aa`` flag in the query.
+
+``+[no]adflag``
+   This sets [or does not set] the AD (authentic data) bit in the query. This
+   requests the server to return whether all of the answer and authority
+   sections have all been validated as secure, according to the security
+   policy of the server. AD=1 indicates that all records have been
+   validated as secure and the answer is not from a OPT-OUT range. AD=0
+   indicates that some part of the answer was insecure or not validated.
+   This bit is set by default.
+
+``+bufsize=B``
+   This sets the UDP message buffer size advertised using EDNS0 to ``B``
+   bytes. The maximum and minimum sizes of this buffer are 65535 and 0
+   respectively. Values outside this range are rounded up or down
+   appropriately. Values other than zero cause a EDNS query to be
+   sent.
+
+``+[no]cdflag``
+   This sets [or does not set] the CD (checking disabled) bit in the query. This
+   requests the server to not perform DNSSEC validation of responses.
+
+``+[no]cookie=####``
+   This sends [or does not send] a COOKIE EDNS option, with an optional value. Replaying a COOKIE
+   from a previous response allows the server to identify a previous
+   client. The default is ``+nocookie``.
+
+``+[no]dnssec``
+   This requests that DNSSEC records be sent by setting the DNSSEC OK (DO) bit in
+   the OPT record in the additional section of the query.
+
+``+[no]edns[=#]``
+   This specifies [or does not specify] the EDNS version to query with. Valid values are 0 to 255.
+   Setting the EDNS version causes an EDNS query to be sent.
+   ``+noedns`` clears the remembered EDNS version. EDNS is set to 0 by
+   default.
+
+``+[no]ednsflags[=#]``
+   This sets the must-be-zero EDNS flag bits (Z bits) to the specified value.
+   Decimal, hex, and octal encodings are accepted. Setting a named flag
+   (e.g. DO) is silently ignored. By default, no Z bits are set.
+
+``+[no]ednsopt[=code[:value]]``
+   This specifies [or does not specify] an EDNS option with code point ``code`` and an optional payload
+   of ``value`` as a hexadecimal string. ``+noednsopt`` clears the EDNS
+   options to be sent.
+
+``+[no]expire``
+   This toggles sending of an EDNS Expire option.
+
+``+[no]nsid``
+   This toggles inclusion of an EDNS name server ID request when sending a query.
+
+``+[no]recurse``
+   This toggles the setting of the RD (recursion desired) bit in the query.
+   This bit is set by default, which means ``mdig`` normally sends
+   recursive queries.
+
+``+retry=T``
+   This sets the number of times to retry UDP queries to server to ``T``
+   instead of the default, 2. Unlike ``+tries``, this does not include
+   the initial query.
+
+``+[no]subnet=addr[/prefix-length]``
+   This sends [or does not send] an EDNS Client Subnet option with the specified IP
+   address or network prefix.
+
+``mdig +subnet=0.0.0.0/0``, or simply ``mdig +subnet=0``
+   This sends an EDNS client-subnet option with an empty address and a source
+   prefix-length of zero, which signals a resolver that the client's
+   address information must *not* be used when resolving this query.
+
+``+timeout=T``
+   This sets the timeout for a query to ``T`` seconds. The default timeout is
+   5 seconds for UDP transport and 10 for TCP. An attempt to set ``T``
+   to less than 1 results in a query timeout of 1 second being
+   applied.
+
+``+tries=T``
+   This sets the number of times to try UDP queries to server to ``T``
+   instead of the default, 3. If ``T`` is less than or equal to zero,
+   the number of tries is silently rounded up to 1.
+
+``+udptimeout=T``
+   This sets the timeout between UDP query retries to ``T``.
+
+``+[no]unknownformat``
+   This prints [or does not print] all RDATA in unknown RR-type presentation format (see :rfc:`3597`).
+   The default is to print RDATA for known types in the type's
+   presentation format.
+
+``+[no]yaml``
+   This toggles printing of the responses in a detailed YAML format.
+
+``+[no]zflag``
+   This sets [or does not set] the last unassigned DNS header flag in a DNS query.
+   This flag is off by default.
+
+See Also
+~~~~~~~~
+
+:manpage:`dig(1)`, :rfc:`1035`.
diff --git a/bin/tools/named-journalprint.c b/bin/tools/named-journalprint.c
new file mode 100644
index 0000000..61df022
--- /dev/null
+++ b/bin/tools/named-journalprint.c
@@ -0,0 +1,134 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <stdlib.h>
+
+#include <isc/commandline.h>
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/util.h>
+
+#include <dns/journal.h>
+#include <dns/log.h>
+#include <dns/result.h>
+#include <dns/types.h>
+
+const char *progname = NULL;
+
+static void
+usage(void) {
+	fprintf(stderr, "Usage: %s [-dux] journal\n", progname);
+	exit(1);
+}
+
+/*
+ * Setup logging to use stderr.
+ */
+static isc_result_t
+setup_logging(isc_mem_t *mctx, FILE *errout, isc_log_t **logp) {
+	isc_logdestination_t destination;
+	isc_logconfig_t *logconfig = NULL;
+	isc_log_t *log = NULL;
+
+	isc_log_create(mctx, &log, &logconfig);
+	isc_log_setcontext(log);
+	dns_log_init(log);
+	dns_log_setcontext(log);
+
+	destination.file.stream = errout;
+	destination.file.name = NULL;
+	destination.file.versions = ISC_LOG_ROLLNEVER;
+	destination.file.maximum_size = 0;
+	isc_log_createchannel(logconfig, "stderr", ISC_LOG_TOFILEDESC,
+			      ISC_LOG_DYNAMIC, &destination, 0);
+
+	RUNTIME_CHECK(isc_log_usechannel(logconfig, "stderr", NULL, NULL) ==
+		      ISC_R_SUCCESS);
+
+	*logp = log;
+	return (ISC_R_SUCCESS);
+}
+
+int
+main(int argc, char **argv) {
+	char *file;
+	isc_mem_t *mctx = NULL;
+	isc_result_t result;
+	isc_log_t *lctx = NULL;
+	uint32_t flags = 0U;
+	int ch;
+	bool compact = false;
+	bool downgrade = false;
+	bool upgrade = false;
+	unsigned int serial = 0;
+	char *endp = NULL;
+
+	progname = argv[0];
+	while ((ch = isc_commandline_parse(argc, argv, "c:dux")) != -1) {
+		switch (ch) {
+		case 'c':
+			compact = true;
+			serial = strtoul(isc_commandline_argument, &endp, 0);
+			if (endp == isc_commandline_argument || *endp != 0) {
+				fprintf(stderr, "invalid serial: %s\n",
+					isc_commandline_argument);
+				exit(1);
+			}
+			break;
+		case 'd':
+			downgrade = true;
+			break;
+		case 'u':
+			upgrade = true;
+			break;
+		case 'x':
+			flags |= DNS_JOURNAL_PRINTXHDR;
+			break;
+		default:
+			usage();
+		}
+	}
+
+	argc -= isc_commandline_index;
+	argv += isc_commandline_index;
+
+	if (argc != 1) {
+		usage();
+	}
+	file = argv[0];
+
+	isc_mem_create(&mctx);
+	RUNTIME_CHECK(setup_logging(mctx, stderr, &lctx) == ISC_R_SUCCESS);
+
+	if (upgrade) {
+		flags = DNS_JOURNAL_COMPACTALL;
+		result = dns_journal_compact(mctx, file, 0, flags, 0);
+	} else if (downgrade) {
+		flags = DNS_JOURNAL_COMPACTALL | DNS_JOURNAL_VERSION1;
+		result = dns_journal_compact(mctx, file, 0, flags, 0);
+	} else if (compact) {
+		flags = 0;
+		result = dns_journal_compact(mctx, file, serial, flags, 0);
+	} else {
+		result = dns_journal_print(mctx, flags, file, stdout);
+		if (result == DNS_R_NOJOURNAL) {
+			fprintf(stderr, "%s\n", dns_result_totext(result));
+		}
+	}
+	isc_log_destroy(&lctx);
+	isc_mem_detach(&mctx);
+	return (result != ISC_R_SUCCESS ? 1 : 0);
+}
diff --git a/bin/tools/named-journalprint.rst b/bin/tools/named-journalprint.rst
new file mode 100644
index 0000000..1b9b057
--- /dev/null
+++ b/bin/tools/named-journalprint.rst
@@ -0,0 +1,64 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. highlight: console
+
+.. _man_named-journalprint:
+
+named-journalprint - print zone journal in human-readable form
+--------------------------------------------------------------
+
+Synopsis
+~~~~~~~~
+
+:program:`named-journalprint` [-c serial] [**-dux**] {journal}
+
+Description
+~~~~~~~~~~~
+
+``named-journalprint`` scans the contents of a zone journal file,
+printing it in a human-readable form, or, optionally, converting it
+to a different journal file format.
+
+Journal files are automatically created by ``named`` when changes are
+made to dynamic zones (e.g., by ``nsupdate``). They record each addition
+or deletion of a resource record, in binary format, allowing the changes
+to be re-applied to the zone when the server is restarted after a
+shutdown or crash. By default, the name of the journal file is formed by
+appending the extension ``.jnl`` to the name of the corresponding zone
+file.
+
+``named-journalprint`` converts the contents of a given journal file
+into a human-readable text format. Each line begins with ``add`` or ``del``,
+to indicate whether the record was added or deleted, and continues with
+the resource record in master-file format.
+
+The ``-c`` (compact) option provides a mechanism to reduce the size of
+a journal by removing (most/all) transactions prior to the specified
+serial number. Note: this option *must not* be used while ``named`` is
+running, and can cause data loss if the zone file has not been updated
+to contain the data being removed from the journal. Use with extreme caution.
+
+The ``-x`` option causes additional data about the journal file to be
+printed at the beginning of the output and before each group of changes.
+
+The ``-u`` (upgrade) and ``-d`` (downgrade) options recreate the journal
+file with a modified format version.  The existing journal file is
+replaced.  ``-d`` writes out the journal in the format used by
+versions of BIND up to 9.16.11; ``-u`` writes it out in the format used
+by versions since 9.16.13. (9.16.12 is omitted due to a journal-formatting
+bug in that release.) Note that these options *must not* be used while
+``named`` is running.
+
+See Also
+~~~~~~~~
+
+:manpage:`named(8)`, :manpage:`nsupdate(1)`, BIND 9 Administrator Reference Manual.
diff --git a/bin/tools/named-nzd2nzf.c b/bin/tools/named-nzd2nzf.c
new file mode 100644
index 0000000..519f6fd
--- /dev/null
+++ b/bin/tools/named-nzd2nzf.c
@@ -0,0 +1,103 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef HAVE_LMDB
+#error This program requires the LMDB library.
+#endif /* ifndef HAVE_LMDB */
+
+#include <lmdb.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <isc/print.h>
+
+#include <dns/lmdb.h>
+#include <dns/view.h>
+
+int
+main(int argc, char *argv[]) {
+	int status;
+	const char *path;
+	MDB_env *env = NULL;
+	MDB_txn *txn = NULL;
+	MDB_cursor *cursor = NULL;
+	MDB_dbi dbi;
+	MDB_val key, data;
+
+	if (argc != 2) {
+		fprintf(stderr, "Usage: named-nzd2nzf <nzd-path>\n");
+		exit(1);
+	}
+
+	path = argv[1];
+
+	status = mdb_env_create(&env);
+	if (status != MDB_SUCCESS) {
+		fprintf(stderr, "named-nzd2nzf: mdb_env_create: %s",
+			mdb_strerror(status));
+		exit(1);
+	}
+
+	status = mdb_env_open(env, path, DNS_LMDB_FLAGS, 0600);
+	if (status != MDB_SUCCESS) {
+		fprintf(stderr, "named-nzd2nzf: mdb_env_open: %s",
+			mdb_strerror(status));
+		exit(1);
+	}
+
+	status = mdb_txn_begin(env, 0, MDB_RDONLY, &txn);
+	if (status != MDB_SUCCESS) {
+		fprintf(stderr, "named-nzd2nzf: mdb_txn_begin: %s",
+			mdb_strerror(status));
+		exit(1);
+	}
+
+	status = mdb_dbi_open(txn, NULL, 0, &dbi);
+	if (status != MDB_SUCCESS) {
+		fprintf(stderr, "named-nzd2nzf: mdb_dbi_open: %s",
+			mdb_strerror(status));
+		exit(1);
+	}
+
+	status = mdb_cursor_open(txn, dbi, &cursor);
+	if (status != MDB_SUCCESS) {
+		fprintf(stderr, "named-nzd2nzf: mdb_cursor_open: %s",
+			mdb_strerror(status));
+		exit(1);
+	}
+
+	for (status = mdb_cursor_get(cursor, &key, &data, MDB_FIRST);
+	     status == MDB_SUCCESS;
+	     status = mdb_cursor_get(cursor, &key, &data, MDB_NEXT))
+	{
+		if (key.mv_data == NULL || key.mv_size == 0 ||
+		    data.mv_data == NULL || data.mv_size == 0)
+		{
+			fprintf(stderr,
+				"named-nzd2nzf: empty column found in "
+				"database '%s'",
+				path);
+			exit(1);
+		}
+
+		/* zone zonename { config; }; */
+		printf("zone \"%.*s\" %.*s;\n", (int)key.mv_size,
+		       (char *)key.mv_data, (int)data.mv_size,
+		       (char *)data.mv_data);
+	}
+
+	mdb_cursor_close(cursor);
+	mdb_txn_abort(txn);
+	mdb_env_close(env);
+	exit(0);
+}
diff --git a/bin/tools/named-nzd2nzf.rst b/bin/tools/named-nzd2nzf.rst
new file mode 100644
index 0000000..d20fc36
--- /dev/null
+++ b/bin/tools/named-nzd2nzf.rst
@@ -0,0 +1,42 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. highlight: console
+
+.. _man_named-nzd2nzf:
+
+named-nzd2nzf - convert an NZD database to NZF text format
+----------------------------------------------------------
+
+Synopsis
+~~~~~~~~
+
+:program:`named-nzd2nzf` {filename}
+
+Description
+~~~~~~~~~~~
+
+``named-nzd2nzf`` converts an NZD database to NZF format and prints it
+to standard output. This can be used to review the configuration of
+zones that were added to ``named`` via ``rndc addzone``. It can also be
+used to restore the old file format when rolling back from a newer
+version of BIND to an older version.
+
+Arguments
+~~~~~~~~~
+
+``filename``
+   This is the name of the ``.nzd`` file whose contents should be printed.
+
+See Also
+~~~~~~~~
+
+BIND 9 Administrator Reference Manual.
diff --git a/bin/tools/named-rrchecker.c b/bin/tools/named-rrchecker.c
new file mode 100644
index 0000000..d0081ca
--- /dev/null
+++ b/bin/tools/named-rrchecker.c
@@ -0,0 +1,335 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/lex.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+
+static isc_mem_t *mctx;
+static isc_lex_t *lex;
+
+static isc_lexspecials_t specials;
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(void) {
+	fprintf(stderr, "usage: named-rrchecker [-o origin] [-hpCPTu]\n");
+	fprintf(stderr, "\t-h: print this help message\n");
+	fprintf(stderr, "\t-o origin: set origin to be used when "
+			"interpreting the record\n");
+	fprintf(stderr, "\t-p: print the record in canonical format\n");
+	fprintf(stderr, "\t-C: list the supported class names\n");
+	fprintf(stderr, "\t-P: list the supported private type names\n");
+	fprintf(stderr, "\t-T: list the supported standard type names\n");
+	fprintf(stderr, "\t-u: print the record in unknown record format\n");
+	exit(0);
+}
+
+ISC_PLATFORM_NORETURN_PRE static void
+fatal(const char *format, ...) ISC_PLATFORM_NORETURN_POST;
+
+static void
+fatal(const char *format, ...) {
+	va_list args;
+
+	fprintf(stderr, "named-rrchecker: ");
+	va_start(args, format);
+	vfprintf(stderr, format, args);
+	va_end(args);
+	fputc('\n', stderr);
+	exit(1);
+}
+
+int
+main(int argc, char *argv[]) {
+	isc_token_t token;
+	isc_result_t result;
+	int c;
+	unsigned int options = 0;
+	dns_rdatatype_t rdtype;
+	dns_rdataclass_t rdclass;
+	char text[256 * 1024];
+	char data[64 * 1024];
+	isc_buffer_t tbuf;
+	isc_buffer_t dbuf;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	bool doexit = false;
+	bool once = false;
+	bool print = false;
+	bool unknown = false;
+	unsigned int t;
+	char *origin = NULL;
+	dns_fixedname_t fixed;
+	dns_name_t *name = NULL;
+
+	while ((c = isc_commandline_parse(argc, argv, "ho:puCPT")) != -1) {
+		switch (c) {
+		case 'o':
+			origin = isc_commandline_argument;
+			break;
+
+		case 'p':
+			print = true;
+			break;
+
+		case 'u':
+			unknown = true;
+			break;
+
+		case 'C':
+			for (t = 1; t <= 0xfeffu; t++) {
+				if (dns_rdataclass_ismeta(t)) {
+					continue;
+				}
+				dns_rdataclass_format(t, text, sizeof(text));
+				if (strncmp(text, "CLASS", 4) != 0) {
+					fprintf(stdout, "%s\n", text);
+				}
+			}
+			exit(0);
+
+		case 'P':
+			for (t = 0xff00; t <= 0xfffeu; t++) {
+				if (dns_rdatatype_ismeta(t)) {
+					continue;
+				}
+				dns_rdatatype_format(t, text, sizeof(text));
+				if (strncmp(text, "TYPE", 4) != 0) {
+					fprintf(stdout, "%s\n", text);
+				}
+			}
+			doexit = true;
+			break;
+
+		case 'T':
+			for (t = 1; t <= 0xfeffu; t++) {
+				if (dns_rdatatype_ismeta(t)) {
+					continue;
+				}
+				dns_rdatatype_format(t, text, sizeof(text));
+				if (strncmp(text, "TYPE", 4) != 0) {
+					fprintf(stdout, "%s\n", text);
+				}
+			}
+			doexit = true;
+			break;
+
+		case '?':
+		case 'h':
+			/* Does not return. */
+			usage();
+
+		default:
+			fprintf(stderr, "%s: unhandled option -%c\n", argv[0],
+				isc_commandline_option);
+			exit(1);
+		}
+	}
+	if (doexit) {
+		exit(0);
+	}
+
+	isc_mem_create(&mctx);
+	RUNTIME_CHECK(isc_lex_create(mctx, 256, &lex) == ISC_R_SUCCESS);
+
+	/*
+	 * Set up to lex DNS master file.
+	 */
+
+	specials['('] = 1;
+	specials[')'] = 1;
+	specials['"'] = 1;
+	isc_lex_setspecials(lex, specials);
+	options = ISC_LEXOPT_EOL;
+	isc_lex_setcomments(lex, ISC_LEXCOMMENT_DNSMASTERFILE);
+
+	RUNTIME_CHECK(isc_lex_openstream(lex, stdin) == ISC_R_SUCCESS);
+
+	if (origin != NULL) {
+		name = dns_fixedname_initname(&fixed);
+		result = dns_name_fromstring(name, origin, 0, NULL);
+		if (result != ISC_R_SUCCESS) {
+			fatal("dns_name_fromstring: %s",
+			      dns_result_totext(result));
+		}
+	}
+
+	while ((result = isc_lex_gettoken(lex, options | ISC_LEXOPT_NUMBER,
+					  &token)) == ISC_R_SUCCESS)
+	{
+		if (token.type == isc_tokentype_eof) {
+			break;
+		}
+		if (token.type == isc_tokentype_eol) {
+			continue;
+		}
+		if (once) {
+			fatal("extra data");
+		}
+		/*
+		 * Get class.
+		 */
+		if (token.type == isc_tokentype_number) {
+			rdclass = (dns_rdataclass_t)token.value.as_ulong;
+			if (token.value.as_ulong > 0xffffu) {
+				fatal("class value too big %lu",
+				      token.value.as_ulong);
+			}
+			if (dns_rdataclass_ismeta(rdclass)) {
+				fatal("class %lu is a meta value",
+				      token.value.as_ulong);
+			}
+		} else if (token.type == isc_tokentype_string) {
+			result = dns_rdataclass_fromtext(
+				&rdclass, &token.value.as_textregion);
+			if (result != ISC_R_SUCCESS) {
+				fatal("dns_rdataclass_fromtext: %s",
+				      dns_result_totext(result));
+			}
+			if (dns_rdataclass_ismeta(rdclass)) {
+				fatal("class %.*s(%d) is a meta value",
+				      (int)token.value.as_textregion.length,
+				      token.value.as_textregion.base, rdclass);
+			}
+		} else {
+			fatal("unexpected token %u", token.type);
+		}
+
+		result = isc_lex_gettoken(lex, options | ISC_LEXOPT_NUMBER,
+					  &token);
+		if (result != ISC_R_SUCCESS) {
+			break;
+		}
+		if (token.type == isc_tokentype_eol) {
+			continue;
+		}
+		if (token.type == isc_tokentype_eof) {
+			break;
+		}
+
+		/*
+		 * Get type.
+		 */
+		if (token.type == isc_tokentype_number) {
+			rdtype = (dns_rdatatype_t)token.value.as_ulong;
+			if (token.value.as_ulong > 0xffffu) {
+				fatal("type value too big %lu",
+				      token.value.as_ulong);
+			}
+			if (dns_rdatatype_ismeta(rdtype)) {
+				fatal("type %lu is a meta value",
+				      token.value.as_ulong);
+			}
+		} else if (token.type == isc_tokentype_string) {
+			result = dns_rdatatype_fromtext(
+				&rdtype, &token.value.as_textregion);
+			if (result != ISC_R_SUCCESS) {
+				fatal("dns_rdatatype_fromtext: %s",
+				      dns_result_totext(result));
+			}
+			if (dns_rdatatype_ismeta(rdtype)) {
+				fatal("type %.*s(%d) is a meta value",
+				      (int)token.value.as_textregion.length,
+				      token.value.as_textregion.base, rdtype);
+			}
+		} else {
+			fatal("unexpected token %u", token.type);
+		}
+
+		isc_buffer_init(&dbuf, data, sizeof(data));
+		result = dns_rdata_fromtext(&rdata, rdclass, rdtype, lex, name,
+					    0, mctx, &dbuf, NULL);
+		if (result != ISC_R_SUCCESS) {
+			fatal("dns_rdata_fromtext: %s",
+			      dns_result_totext(result));
+		}
+		once = true;
+	}
+	if (result != ISC_R_EOF) {
+		fatal("eof not found");
+	}
+	if (!once) {
+		fatal("no records found");
+	}
+
+	if (print) {
+		isc_buffer_init(&tbuf, text, sizeof(text));
+		result = dns_rdataclass_totext(rdclass, &tbuf);
+		if (result != ISC_R_SUCCESS) {
+			fatal("dns_rdataclass_totext: %s",
+			      dns_result_totext(result));
+		}
+		isc_buffer_putstr(&tbuf, "\t");
+		result = dns_rdatatype_totext(rdtype, &tbuf);
+		if (result != ISC_R_SUCCESS) {
+			fatal("dns_rdatatype_totext: %s",
+			      dns_result_totext(result));
+		}
+		isc_buffer_putstr(&tbuf, "\t");
+		result = dns_rdata_totext(&rdata, NULL, &tbuf);
+		if (result != ISC_R_SUCCESS) {
+			fatal("dns_rdata_totext: %s",
+			      dns_result_totext(result));
+		}
+
+		printf("%.*s\n", (int)tbuf.used, (char *)tbuf.base);
+		fflush(stdout);
+	}
+
+	if (unknown) {
+		isc_buffer_init(&tbuf, text, sizeof(text));
+		result = dns_rdataclass_tounknowntext(rdclass, &tbuf);
+		if (result != ISC_R_SUCCESS) {
+			fatal("dns_rdataclass_tounknowntext: %s",
+			      dns_result_totext(result));
+		}
+		isc_buffer_putstr(&tbuf, "\t");
+		result = dns_rdatatype_tounknowntext(rdtype, &tbuf);
+		if (result != ISC_R_SUCCESS) {
+			fatal("dns_rdatatype_tounknowntext: %s",
+			      dns_result_totext(result));
+		}
+		isc_buffer_putstr(&tbuf, "\t");
+		result = dns_rdata_tofmttext(&rdata, NULL,
+					     DNS_STYLEFLAG_UNKNOWNFORMAT, 0, 0,
+					     "", &tbuf);
+		if (result != ISC_R_SUCCESS) {
+			fatal("dns_rdata_tofmttext: %sn",
+			      dns_result_totext(result));
+		}
+
+		printf("%.*s\n", (int)tbuf.used, (char *)tbuf.base);
+		fflush(stdout);
+	}
+
+	isc_lex_close(lex);
+	isc_lex_destroy(&lex);
+	isc_mem_destroy(&mctx);
+	return (0);
+}
diff --git a/bin/tools/named-rrchecker.rst b/bin/tools/named-rrchecker.rst
new file mode 100644
index 0000000..191f229
--- /dev/null
+++ b/bin/tools/named-rrchecker.rst
@@ -0,0 +1,55 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. highlight: console
+
+.. _man_named-rrchecker:
+
+named-rrchecker - syntax checker for individual DNS resource records
+--------------------------------------------------------------------
+
+Synopsis
+~~~~~~~~
+
+:program:`named-rrchecker` [**-h**] [**-o** origin] [**-p**] [**-u**] [**-C**] [**-T**] [**-P**]
+
+Description
+~~~~~~~~~~~
+
+``named-rrchecker`` reads a individual DNS resource record from standard
+input and checks whether it is syntactically correct.
+
+Options
+~~~~~~~
+
+``-h``
+   This option prints out the help menu.
+
+``-o origin``
+   This option specifies the origin to be used when interpreting
+   the record.
+
+``-p``
+   This option prints out the resulting record in canonical form. If there
+   is no canonical form defined, the record is printed in unknown
+   record format.
+
+``-u``
+   This option prints out the resulting record in unknown record form.
+
+``-C``, ``-T``, and ``-P``
+   These options print out the known class, standard type,
+   and private type mnemonics, respectively.
+
+See Also
+~~~~~~~~
+
+:rfc:`1034`, :rfc:`1035`, :manpage:`named(8)`.
diff --git a/bin/tools/nsec3hash.c b/bin/tools/nsec3hash.c
new file mode 100644
index 0000000..2441bf1
--- /dev/null
+++ b/bin/tools/nsec3hash.c
@@ -0,0 +1,193 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/base32.h>
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/file.h>
+#include <isc/hex.h>
+#include <isc/iterated_hash.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/nsec3.h>
+#include <dns/types.h>
+
+const char *program = "nsec3hash";
+
+ISC_PLATFORM_NORETURN_PRE static void
+fatal(const char *format, ...) ISC_PLATFORM_NORETURN_POST;
+
+static void
+fatal(const char *format, ...) {
+	va_list args;
+
+	fprintf(stderr, "%s: ", program);
+	va_start(args, format);
+	vfprintf(stderr, format, args);
+	va_end(args);
+	fprintf(stderr, "\n");
+	exit(1);
+}
+
+static void
+check_result(isc_result_t result, const char *message) {
+	if (result != ISC_R_SUCCESS) {
+		fatal("%s: %s", message, isc_result_totext(result));
+	}
+}
+
+static void
+usage() {
+	fprintf(stderr, "Usage: %s salt algorithm iterations domain\n",
+		program);
+	fprintf(stderr, "       %s -r algorithm flags iterations salt domain\n",
+		program);
+	exit(1);
+}
+
+typedef void
+nsec3printer(unsigned algo, unsigned flags, unsigned iters, const char *saltstr,
+	     const char *domain, const char *digest);
+
+static void
+nsec3hash(nsec3printer *nsec3print, const char *algostr, const char *flagstr,
+	  const char *iterstr, const char *saltstr, const char *domain) {
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	isc_buffer_t buffer;
+	isc_region_t region;
+	isc_result_t result;
+	unsigned char hash[NSEC3_MAX_HASH_LENGTH];
+	unsigned char salt[DNS_NSEC3_SALTSIZE];
+	unsigned char text[1024];
+	unsigned int hash_alg;
+	unsigned int flags;
+	unsigned int length;
+	unsigned int iterations;
+	unsigned int salt_length;
+	const char dash[] = "-";
+
+	if (strcmp(saltstr, "-") == 0) {
+		salt_length = 0;
+		salt[0] = 0;
+	} else {
+		isc_buffer_init(&buffer, salt, sizeof(salt));
+		result = isc_hex_decodestring(saltstr, &buffer);
+		check_result(result, "isc_hex_decodestring(salt)");
+		salt_length = isc_buffer_usedlength(&buffer);
+		if (salt_length > DNS_NSEC3_SALTSIZE) {
+			fatal("salt too long");
+		}
+		if (salt_length == 0) {
+			saltstr = dash;
+		}
+	}
+	hash_alg = atoi(algostr);
+	if (hash_alg > 255U) {
+		fatal("hash algorithm too large");
+	}
+	flags = flagstr == NULL ? 0 : atoi(flagstr);
+	if (flags > 255U) {
+		fatal("flags too large");
+	}
+	iterations = atoi(iterstr);
+	if (iterations > 0xffffU) {
+		fatal("iterations to large");
+	}
+
+	name = dns_fixedname_initname(&fixed);
+	isc_buffer_constinit(&buffer, domain, strlen(domain));
+	isc_buffer_add(&buffer, strlen(domain));
+	result = dns_name_fromtext(name, &buffer, dns_rootname, 0, NULL);
+	check_result(result, "dns_name_fromtext() failed");
+
+	dns_name_downcase(name, name, NULL);
+	length = isc_iterated_hash(hash, hash_alg, iterations, salt,
+				   salt_length, name->ndata, name->length);
+	if (length == 0) {
+		fatal("isc_iterated_hash failed");
+	}
+	region.base = hash;
+	region.length = length;
+	isc_buffer_init(&buffer, text, sizeof(text));
+	isc_base32hexnp_totext(&region, 1, "", &buffer);
+	isc_buffer_putuint8(&buffer, '\0');
+
+	nsec3print(hash_alg, flags, iterations, saltstr, domain, (char *)text);
+}
+
+static void
+nsec3hash_print(unsigned algo, unsigned flags, unsigned iters,
+		const char *saltstr, const char *domain, const char *digest) {
+	UNUSED(flags);
+	UNUSED(domain);
+
+	fprintf(stdout, "%s (salt=%s, hash=%u, iterations=%u)\n", digest,
+		saltstr, algo, iters);
+}
+
+static void
+nsec3hash_rdata_print(unsigned algo, unsigned flags, unsigned iters,
+		      const char *saltstr, const char *domain,
+		      const char *digest) {
+	fprintf(stdout, "%s NSEC3 %u %u %u %s %s\n", domain, algo, flags, iters,
+		saltstr, digest);
+}
+
+int
+main(int argc, char *argv[]) {
+	bool rdata_format = false;
+	int ch;
+
+	while ((ch = isc_commandline_parse(argc, argv, "-r")) != -1) {
+		switch (ch) {
+		case 'r':
+			rdata_format = true;
+			break;
+		case '-':
+			isc_commandline_index -= 1;
+			goto skip;
+		default:
+			break;
+		}
+	}
+
+skip:
+	argc -= isc_commandline_index;
+	argv += isc_commandline_index;
+
+	if (rdata_format) {
+		if (argc != 5) {
+			usage();
+		}
+		nsec3hash(nsec3hash_rdata_print, argv[0], argv[1], argv[2],
+			  argv[3], argv[4]);
+	} else {
+		if (argc != 4) {
+			usage();
+		}
+		nsec3hash(nsec3hash_print, argv[1], NULL, argv[2], argv[0],
+			  argv[3]);
+	}
+	return (0);
+}
diff --git a/bin/tools/nsec3hash.rst b/bin/tools/nsec3hash.rst
new file mode 100644
index 0000000..9b174ce
--- /dev/null
+++ b/bin/tools/nsec3hash.rst
@@ -0,0 +1,63 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. highlight: console
+
+.. _man_nsec3hash:
+
+nsec3hash - generate NSEC3 hash
+-------------------------------
+
+Synopsis
+~~~~~~~~
+
+:program:`nsec3hash` {salt} {algorithm} {iterations} {domain}
+
+:program:`nsec3hash` **-r** {algorithm} {flags} {iterations} {salt} {domain}
+
+Description
+~~~~~~~~~~~
+
+``nsec3hash`` generates an NSEC3 hash based on a set of NSEC3
+parameters. This can be used to check the validity of NSEC3 records in a
+signed zone.
+
+If this command is invoked as ``nsec3hash -r``, it takes arguments in
+order, matching the first four fields of an NSEC3 record followed by the
+domain name: ``algorithm``, ``flags``, ``iterations``, ``salt``, ``domain``. This makes it
+convenient to copy and paste a portion of an NSEC3 or NSEC3PARAM record
+into a command line to confirm the correctness of an NSEC3 hash.
+
+Arguments
+~~~~~~~~~
+
+``salt``
+   This is the salt provided to the hash algorithm.
+
+``algorithm``
+   This is a number indicating the hash algorithm. Currently the only supported
+   hash algorithm for NSEC3 is SHA-1, which is indicated by the number
+   1; consequently "1" is the only useful value for this argument.
+
+``flags``
+   This is provided for compatibility with NSEC3 record presentation format, but
+   is ignored since the flags do not affect the hash.
+
+``iterations``
+   This is the number of additional times the hash should be performed.
+
+``domain``
+   This is the domain name to be hashed.
+
+See Also
+~~~~~~~~
+
+BIND 9 Administrator Reference Manual, :rfc:`5155`.
diff --git a/bin/tools/win32/arpaname.vcxproj.filters.in b/bin/tools/win32/arpaname.vcxproj.filters.in
new file mode 100644
index 0000000..129b93e
--- /dev/null
+++ b/bin/tools/win32/arpaname.vcxproj.filters.in
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\arpaname.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/tools/win32/arpaname.vcxproj.in b/bin/tools/win32/arpaname.vcxproj.in
new file mode 100644
index 0000000..45772b2
--- /dev/null
+++ b/bin/tools/win32/arpaname.vcxproj.in
@@ -0,0 +1,119 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{91E60FDA-E48C-4DA0-92A2-97F963348E00}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>arpaname</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <BrowseInformation>true</BrowseInformation>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\arpaname.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/tools/win32/arpaname.vcxproj.user b/bin/tools/win32/arpaname.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/tools/win32/arpaname.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/tools/win32/journalprint.vcxproj.filters.in b/bin/tools/win32/journalprint.vcxproj.filters.in
new file mode 100644
index 0000000..cb89470
--- /dev/null
+++ b/bin/tools/win32/journalprint.vcxproj.filters.in
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\named-journalprint.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/tools/win32/journalprint.vcxproj.in b/bin/tools/win32/journalprint.vcxproj.in
new file mode 100644
index 0000000..dc610b5
--- /dev/null
+++ b/bin/tools/win32/journalprint.vcxproj.in
@@ -0,0 +1,121 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{B19042CE-D3D9-469B-BCD2-C3140150939A}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>journalprint</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+    <TargetName>named-$(ProjectName)</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+    <TargetName>named-$(ProjectName)</TargetName>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;libdns.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;libdns.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\named-journalprint.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/tools/win32/journalprint.vcxproj.user b/bin/tools/win32/journalprint.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/tools/win32/journalprint.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/tools/win32/mdig.vcxproj.filters.in b/bin/tools/win32/mdig.vcxproj.filters.in
new file mode 100644
index 0000000..fbb8ba4
--- /dev/null
+++ b/bin/tools/win32/mdig.vcxproj.filters.in
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\mdig.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
diff --git a/bin/tools/win32/mdig.vcxproj.in b/bin/tools/win32/mdig.vcxproj.in
new file mode 100644
index 0000000..abbf682
--- /dev/null
+++ b/bin/tools/win32/mdig.vcxproj.in
@@ -0,0 +1,119 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{3115091C-8135-481F-9757-F013A26255E0}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>mdig</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;libdns.lib;libbind9.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;libdns.lib;libbind9.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\mdig.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/tools/win32/mdig.vcxproj.user b/bin/tools/win32/mdig.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/tools/win32/mdig.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/tools/win32/nsec3hash.vcxproj.filters.in b/bin/tools/win32/nsec3hash.vcxproj.filters.in
new file mode 100644
index 0000000..009e970
--- /dev/null
+++ b/bin/tools/win32/nsec3hash.vcxproj.filters.in
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\nsec3hash.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/tools/win32/nsec3hash.vcxproj.in b/bin/tools/win32/nsec3hash.vcxproj.in
new file mode 100644
index 0000000..04b7b6a
--- /dev/null
+++ b/bin/tools/win32/nsec3hash.vcxproj.in
@@ -0,0 +1,119 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{4EE91023-94C3-48C0-B71C-5333B726C2EE}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>nsec3hash</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;libdns.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;libdns.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\nsec3hash.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/tools/win32/nsec3hash.vcxproj.user b/bin/tools/win32/nsec3hash.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/tools/win32/nsec3hash.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/tools/win32/rrchecker.vcxproj.filters.in b/bin/tools/win32/rrchecker.vcxproj.filters.in
new file mode 100644
index 0000000..d7f077d
--- /dev/null
+++ b/bin/tools/win32/rrchecker.vcxproj.filters.in
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\named-rrchecker.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
diff --git a/bin/tools/win32/rrchecker.vcxproj.in b/bin/tools/win32/rrchecker.vcxproj.in
new file mode 100644
index 0000000..b878dd7
--- /dev/null
+++ b/bin/tools/win32/rrchecker.vcxproj.in
@@ -0,0 +1,121 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{98743A7C-6AF8-467f-9911-FA69C451AF2B}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>rrchecker</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+    <TargetName>named-$(ProjectName)</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+    <TargetName>named-$(ProjectName)</TargetName>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;libdns.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;libdns.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\named-rrchecker.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/tools/win32/rrchecker.vcxproj.user b/bin/tools/win32/rrchecker.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/tools/win32/rrchecker.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/win32/BINDInstall/AccountInfo.cpp b/bin/win32/BINDInstall/AccountInfo.cpp
new file mode 100644
index 0000000..0aa2601
--- /dev/null
+++ b/bin/win32/BINDInstall/AccountInfo.cpp
@@ -0,0 +1,465 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* Compiled with UNICODE */
+
+#include "stdafx.h"
+
+#include <windows.h>
+#include <lm.h>
+#include <ntsecapi.h>
+
+#include <isc/ntgroups.h>
+#include <isc/result.h>
+#include "AccountInfo.h"
+
+#define MAX_NAME_LENGTH 256
+
+NTSTATUS
+OpenPolicy(
+    LPWSTR ServerName,		/* machine to open policy on (Unicode) */
+    DWORD DesiredAccess,	/* desired access to policy */
+    PLSA_HANDLE PolicyHandle	/* resultant policy handle */
+    );
+
+BOOL
+GetAccountSid(
+    LPTSTR SystemName,		/* where to lookup account */
+    LPTSTR AccountName,		/* account of interest */
+    PSID *Sid			/* resultant buffer containing SID */
+    );
+
+NTSTATUS
+SetPrivilegeOnAccount(
+    LSA_HANDLE PolicyHandle,	/* open policy handle */
+    PSID AccountSid,		/* SID to grant privilege to */
+    LPWSTR PrivilegeName,	/* privilege to grant (Unicode) */
+    BOOL bEnable		/* enable or disable */
+    );
+
+NTSTATUS
+GetPrivilegesOnAccount(
+    LSA_HANDLE PolicyHandle,	/* open policy handle */
+    PSID AccountSid,		/* SID to grant privilege to */
+    wchar_t **PrivList,		/* Ptr to List of Privileges found */
+    unsigned int *PrivCount	/* total number of Privileges in list */
+    );
+
+NTSTATUS
+AddPrivilegeToAcccount(
+    LPTSTR AccountName,		/* Name of the account */
+    LPWSTR PrivilegeName	/* Privilege to Add */
+    );
+
+void
+InitLsaString(
+    PLSA_UNICODE_STRING LsaString,	/* destination */
+    LPWSTR String			/* source (Unicode) */
+    );
+
+void
+DisplayNtStatus(
+    LPSTR szAPI,		/* pointer to function name (ANSI) */
+    NTSTATUS Status		/* NTSTATUS error value */
+    );
+
+void
+DisplayWinError(
+    LPSTR szAPI,		/* pointer to function name (ANSI) */
+    DWORD WinError		/* DWORD WinError */
+    );
+
+#ifndef STATUS_SUCCESS
+#define STATUS_SUCCESS  ((NTSTATUS)0x00000000L)
+#endif
+
+/*
+ * Note that this code only retrieves the list of privileges of the
+ * requested account or group. However, all accounts belong to the
+ * Everyone group even though that group is not returned by the
+ * calls to get the groups to which that account belongs.
+ * The Everyone group has two privileges associated with it:
+ * SeChangeNotifyPrivilege and SeNetworkLogonRight
+ * It is not advisable to disable or remove these privileges
+ * from the group nor can the account be removed from the Everyone
+ * group
+ * The None group has no privileges associated with it and is the group
+ * to which an account belongs if it is associated with no group.
+ */
+
+int
+GetAccountPrivileges(char *name, wchar_t **PrivList, unsigned int *PrivCount,
+		     char **Accounts, unsigned int *totalAccounts,
+		     int maxAccounts)
+{
+	LSA_HANDLE PolicyHandle;
+	TCHAR AccountName[256];		/* static account name buffer */
+	PSID pSid;
+	unsigned int i;
+	NTSTATUS Status;
+	isc_result_t istatus;
+	int iRetVal = RTN_ERROR;	/* assume error from main */
+	int n;
+
+	/*
+	 * Open the policy on the target machine.
+	 */
+	if ((Status = OpenPolicy(NULL,
+				 POLICY_LOOKUP_NAMES,
+				 &PolicyHandle)) != STATUS_SUCCESS)
+		return (RTN_ERROR);
+
+	/*
+	 * Let's see if the account exists. Return if not
+	 */
+	n = wnsprintf(AccountName, sizeof(AccountName), TEXT("%hS"), name);
+	if (n < 0 || (size_t)n >= sizeof(AccountName)) {
+		LsaClose(PolicyHandle);
+		return (RTN_ERROR);
+	}
+
+	if (!GetAccountSid(NULL, AccountName, &pSid)) {
+		LsaClose(PolicyHandle);
+		return (RTN_NOACCOUNT);
+	}
+
+	/*
+	 * Find out what groups the account belongs to
+	 */
+	istatus = isc_ntsecurity_getaccountgroups(name, Accounts, maxAccounts,
+						  totalAccounts);
+	if (istatus == ISC_R_NOMEMORY) {
+		LsaClose(PolicyHandle);
+		return (RTN_NOMEMORY);
+	} else if (istatus != ISC_R_SUCCESS) {
+		LsaClose(PolicyHandle);
+		return (RTN_ERROR);
+	}
+
+	Accounts[*totalAccounts] = name; /* Add the account to the list */
+	(*totalAccounts)++;
+
+	/*
+	 * Loop through each Account to get the list of privileges
+	 */
+	for (i = 0; i < *totalAccounts; i++) {
+		n = wnsprintf(AccountName, sizeof(AccountName), TEXT("%hS"),
+			      Accounts[i]);
+		if (n < 0 || (size_t)n >= sizeof(AccountName)) {
+			continue;
+		}
+
+		/* Obtain the SID of the user/group. */
+		if (!GetAccountSid(NULL, AccountName, &pSid)) {
+			continue;	/* Try the next one */
+		}
+
+		/* Get the Privileges allocated to this SID */
+		if ((Status = GetPrivilegesOnAccount(PolicyHandle, pSid,
+			PrivList, PrivCount)) == STATUS_SUCCESS)
+		{
+			iRetVal=RTN_OK;
+			if (pSid != NULL)
+				HeapFree(GetProcessHeap(), 0, pSid);
+		} else {
+			if (pSid != NULL)
+				HeapFree(GetProcessHeap(), 0, pSid);
+			continue;	/* Try the next one */
+		}
+	}
+
+	/*
+	 * Close the policy handle.
+	 */
+	LsaClose(PolicyHandle);
+
+	(*totalAccounts)--;	/* Correct for the number of groups */
+	return iRetVal;
+}
+
+BOOL
+CreateServiceAccount(char *name, char *password) {
+	NTSTATUS retstat;
+	USER_INFO_1 ui;
+	DWORD dwLevel = 1;
+	DWORD dwError = 0;
+	NET_API_STATUS nStatus;
+
+	size_t namelen = strlen(name);
+	size_t passwdlen = strlen(password);
+	wchar_t AccountName[MAX_NAME_LENGTH];
+	wchar_t AccountPassword[MAX_NAME_LENGTH];
+
+	mbstowcs(AccountName, name, namelen + 1);
+	mbstowcs(AccountPassword, password, passwdlen + 1);
+
+	/*
+	 * Set up the USER_INFO_1 structure.
+	 * USER_PRIV_USER: name is required here when creating an account
+	 * rather than an administrator or a guest.
+	 */
+
+	ui.usri1_name = (LPWSTR) &AccountName;
+	ui.usri1_password = (LPWSTR) &AccountPassword;
+	ui.usri1_priv = USER_PRIV_USER;
+	ui.usri1_home_dir = NULL;
+	ui.usri1_comment = L"ISC BIND Service Account";
+	ui.usri1_flags = UF_PASSWD_CANT_CHANGE | UF_DONT_EXPIRE_PASSWD |
+			 UF_SCRIPT;
+	ui.usri1_script_path = NULL;
+
+	/*
+	 * Call the NetUserAdd function, specifying level 1.
+	 */
+	nStatus = NetUserAdd(NULL, dwLevel, (LPBYTE)&ui, &dwError);
+	if (nStatus != NERR_Success) {
+		return (FALSE);
+	}
+
+	retstat = AddPrivilegeToAcccount(name, SE_SERVICE_LOGON_PRIV);
+	if (retstat != RTN_OK) {
+		return (FALSE);
+	}
+
+	return (TRUE);
+}
+
+NTSTATUS
+AddPrivilegeToAcccount(LPTSTR name, LPWSTR PrivilegeName) {
+	LSA_HANDLE PolicyHandle;
+	TCHAR AccountName[256];		/* static account name buffer */
+	PSID pSid;
+	NTSTATUS Status;
+	unsigned long err;
+	int n;
+
+	/*
+	 * Open the policy on the target machine.
+	 */
+	Status = OpenPolicy(NULL, POLICY_ALL_ACCESS, &PolicyHandle);
+	if (Status != STATUS_SUCCESS) {
+		return (RTN_ERROR);
+	}
+
+	/*
+	 * Let's see if the account exists. Return if not
+	 */
+	n = wnsprintf(AccountName, sizeof(AccountName), TEXT("%hS"), name);
+	if (n < 0 || (size_t)n >= sizeof(AccountName)) {
+		LsaClose(PolicyHandle);
+		return (RTN_ERROR);
+	}
+
+	if (!GetAccountSid(NULL, AccountName, &pSid)) {
+		LsaClose(PolicyHandle);
+		return (RTN_NOACCOUNT);
+	}
+
+	err = LsaNtStatusToWinError(SetPrivilegeOnAccount(PolicyHandle,
+				    pSid, PrivilegeName, TRUE));
+
+	LsaClose(PolicyHandle);
+	if (err == ERROR_SUCCESS) {
+		return (RTN_OK);
+	} else {
+		return (err);
+	}
+}
+
+void
+InitLsaString(PLSA_UNICODE_STRING LsaString, LPWSTR String){
+	size_t StringLength;
+
+	if (String == NULL) {
+		LsaString->Buffer = NULL;
+		LsaString->Length = 0;
+		LsaString->MaximumLength = 0;
+		return;
+	}
+
+	StringLength = wcslen(String);
+	LsaString->Buffer = String;
+	LsaString->Length = (USHORT) StringLength * sizeof(WCHAR);
+	LsaString->MaximumLength = (USHORT)(StringLength+1) * sizeof(WCHAR);
+}
+
+NTSTATUS
+OpenPolicy(LPWSTR ServerName, DWORD DesiredAccess, PLSA_HANDLE PolicyHandle){
+	LSA_OBJECT_ATTRIBUTES ObjectAttributes;
+	LSA_UNICODE_STRING ServerString;
+	PLSA_UNICODE_STRING Server = NULL;
+
+	/*
+	 * Always initialize the object attributes to all zeroes.
+	 */
+	ZeroMemory(&ObjectAttributes, sizeof(ObjectAttributes));
+
+	if (ServerName != NULL) {
+		/*
+		 * Make a LSA_UNICODE_STRING out of the LPWSTR passed in
+		 */
+		InitLsaString(&ServerString, ServerName);
+		Server = &ServerString;
+	}
+
+	/*
+	 * Attempt to open the policy.
+	 */
+	return (LsaOpenPolicy(Server, &ObjectAttributes, DesiredAccess,
+		PolicyHandle));
+}
+
+BOOL
+GetAccountSid(LPTSTR SystemName, LPTSTR AccountName, PSID *Sid) {
+	LPTSTR ReferencedDomain = NULL;
+	DWORD cbSid = 128;    /* initial allocation attempt */
+	DWORD cbReferencedDomain = 16; /* initial allocation size */
+	SID_NAME_USE peUse;
+	BOOL bSuccess = FALSE; /* assume this function will fail */
+
+	__try {
+		/*
+		 * initial memory allocations
+		 */
+		if ((*Sid = HeapAlloc(GetProcessHeap(), 0, cbSid)) == NULL)
+			__leave;
+
+		if ((ReferencedDomain = (LPTSTR) HeapAlloc(GetProcessHeap(), 0,
+				       cbReferencedDomain)) == NULL) __leave;
+
+		/*
+		 * Obtain the SID of the specified account on the specified system.
+		 */
+		while (!LookupAccountName(SystemName, AccountName, *Sid, &cbSid,
+					  ReferencedDomain, &cbReferencedDomain,
+					  &peUse))
+		{
+			if (GetLastError() == ERROR_INSUFFICIENT_BUFFER) {
+				/* reallocate memory */
+				if ((*Sid = HeapReAlloc(GetProcessHeap(), 0,
+					*Sid, cbSid)) == NULL) __leave;
+
+				if ((ReferencedDomain= (LPTSTR) HeapReAlloc(
+					GetProcessHeap(), 0, ReferencedDomain,
+					cbReferencedDomain)) == NULL)
+				__leave;
+			}
+			else
+				__leave;
+		}
+		bSuccess = TRUE;
+	} /* finally */
+	__finally {
+
+		/* Cleanup and indicate failure, if appropriate. */
+
+		HeapFree(GetProcessHeap(), 0, ReferencedDomain);
+
+		if (!bSuccess) {
+			if (*Sid != NULL) {
+				HeapFree(GetProcessHeap(), 0, *Sid);
+				*Sid = NULL;
+			}
+		}
+
+	}
+
+	return (bSuccess);
+}
+
+NTSTATUS
+SetPrivilegeOnAccount(LSA_HANDLE PolicyHandle, PSID AccountSid,
+		      LPWSTR PrivilegeName, BOOL bEnable)
+{
+	LSA_UNICODE_STRING PrivilegeString;
+
+	/* Create a LSA_UNICODE_STRING for the privilege name. */
+	InitLsaString(&PrivilegeString, PrivilegeName);
+
+	/* grant or revoke the privilege, accordingly */
+	if (bEnable)
+		return (LsaAddAccountRights(PolicyHandle, AccountSid,
+			&PrivilegeString, 1));
+	else
+		return (LsaRemoveAccountRights(PolicyHandle, AccountSid,
+			FALSE, &PrivilegeString, 1));
+}
+
+NTSTATUS
+GetPrivilegesOnAccount(LSA_HANDLE PolicyHandle, PSID AccountSid,
+		       wchar_t **PrivList, unsigned int *PrivCount)
+{
+	NTSTATUS Status;
+	LSA_UNICODE_STRING *UserRights;
+	ULONG CountOfRights;
+	DWORD i, j;
+	int found;
+
+	Status = LsaEnumerateAccountRights(PolicyHandle, AccountSid,
+		&UserRights, &CountOfRights);
+	/* Only continue if there is something */
+	if (UserRights == NULL || Status != STATUS_SUCCESS)
+		return (Status);
+
+	for (i = 0; i < CountOfRights; i++) {
+		unsigned int retlen;
+		found = -1;
+		retlen = UserRights[i].Length/sizeof(wchar_t);
+		for (j = 0; j < *PrivCount; j++) {
+			found = wcsncmp(PrivList[j], UserRights[i].Buffer,
+					retlen);
+			if (found == 0)
+				break;
+		}
+		if (found != 0) {
+			PrivList[*PrivCount] =
+			    (wchar_t *)malloc(UserRights[i].MaximumLength);
+			if (PrivList[*PrivCount] == NULL)
+				return (RTN_NOMEMORY);
+
+			wcsncpy(PrivList[*PrivCount], UserRights[i].Buffer,
+				retlen);
+			PrivList[*PrivCount][retlen] = L'\0';
+			(*PrivCount)++;
+		}
+
+	}
+
+	return (Status);
+}
+
+void
+DisplayNtStatus(LPSTR szAPI, NTSTATUS Status) {
+	/* Convert the NTSTATUS to Winerror. Then call DisplayWinError(). */
+	DisplayWinError(szAPI, LsaNtStatusToWinError(Status));
+}
+
+void
+DisplayWinError(LPSTR szAPI, DWORD WinError) {
+	LPSTR MessageBuffer;
+	DWORD dwBufferLength;
+
+	if (dwBufferLength=FormatMessageA(
+		FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
+		NULL, WinError, GetUserDefaultLangID(),
+		(LPSTR) &MessageBuffer, 0, NULL)){
+		DWORD dwBytesWritten; /* unused */
+
+		/* Output message string on stderr. */
+		WriteFile(GetStdHandle(STD_ERROR_HANDLE), MessageBuffer,
+			  dwBufferLength, &dwBytesWritten, NULL);
+
+		/* Free the buffer allocated by the system. */
+		LocalFree(MessageBuffer);
+	}
+}
diff --git a/bin/win32/BINDInstall/AccountInfo.h b/bin/win32/BINDInstall/AccountInfo.h
new file mode 100644
index 0000000..68b949e
--- /dev/null
+++ b/bin/win32/BINDInstall/AccountInfo.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#define RTN_OK	      0
+#define RTN_NOACCOUNT 1
+#define RTN_NOMEMORY  2
+#define RTN_ERROR     10
+
+#define SE_SERVICE_LOGON_PRIV L"SeServiceLogonRight"
+
+/*
+ * This routine retrieves the list of all Privileges associated with
+ * a given account as well as the groups to which it beongs
+ */
+int
+GetAccountPrivileges(char *name,	      /* Name of Account */
+		     wchar_t **PrivList,      /* List of Privileges returned */
+		     unsigned int *PrivCount, /* Count of Privileges
+						 returned */
+		     char **Groups,	      /* List of Groups to which account
+					       * belongs
+					       */
+		     unsigned int *totalGroups, /* Count of Groups returned
+						 */
+		     int maxGroups /* Maximum number of Groups to return */
+);
+
+/*
+ * This routine creates an account with the given name which has just
+ * the logon service privilege and no membership of any groups,
+ * i.e. it's part of the None group.
+ */
+BOOL
+CreateServiceAccount(char *name, char *password);
diff --git a/bin/win32/BINDInstall/BINDInstall.cpp b/bin/win32/BINDInstall/BINDInstall.cpp
new file mode 100644
index 0000000..4cfe28f
--- /dev/null
+++ b/bin/win32/BINDInstall/BINDInstall.cpp
@@ -0,0 +1,100 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (c) 1999-2000 by Nortel Networks Corporation
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND NORTEL NETWORKS DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL NORTEL NETWORKS
+ * BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES
+ * OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
+ * WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
+ * ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#include "stdafx.h"
+#include "BINDInstall.h"
+#include "BINDInstallDlg.h"
+
+#ifdef _DEBUG
+#define new DEBUG_NEW
+#undef THIS_FILE
+static char THIS_FILE[] = __FILE__;
+#endif
+
+/////////////////////////////////////////////////////////////////////////////
+// CBINDInstallApp
+
+BEGIN_MESSAGE_MAP(CBINDInstallApp, CWinApp)
+	//{{AFX_MSG_MAP(CBINDInstallApp)
+		// NOTE - the ClassWizard will add and remove mapping macros here.
+		//    DO NOT EDIT what you see in these blocks of generated code!
+	//}}AFX_MSG
+	ON_COMMAND(ID_HELP, CWinApp::OnHelp)
+END_MESSAGE_MAP()
+
+/////////////////////////////////////////////////////////////////////////////
+// CBINDInstallApp construction
+
+CBINDInstallApp::CBINDInstallApp()
+{
+	// TODO: add construction code here,
+	// Place all significant initialization in InitInstance
+}
+
+/////////////////////////////////////////////////////////////////////////////
+// The one and only CBINDInstallApp object
+
+CBINDInstallApp theApp;
+
+/////////////////////////////////////////////////////////////////////////////
+// CBINDInstallApp initialization
+
+BOOL CBINDInstallApp::InitInstance()
+{
+	// Standard initialization
+	// If you are not using these features and wish to reduce the size
+	//  of your final executable, you should remove from the following
+	//  the specific initialization routines you do not need.
+#if _MSC_VER < 1300
+#ifdef _AFXDLL
+	Enable3dControls();			// Call this when using MFC in a shared DLL
+#else
+	Enable3dControlsStatic();	// Call this when linking to MFC statically
+#endif
+#endif
+
+	CBINDInstallDlg dlg;
+	m_pMainWnd = &dlg;
+	INT_PTR nResponse = dlg.DoModal();
+	if (nResponse == IDOK)
+	{
+		// TODO: Place code here to handle when the dialog is
+		//  dismissed with OK
+	}
+	else if (nResponse == IDCANCEL)
+	{
+		// TODO: Place code here to handle when the dialog is
+		//  dismissed with Cancel
+	}
+
+	// Since the dialog has been closed, return FALSE so that we exit the
+	//  application, rather than start the application's message pump.
+	return FALSE;
+}
diff --git a/bin/win32/BINDInstall/BINDInstall.h b/bin/win32/BINDInstall/BINDInstall.h
new file mode 100644
index 0000000..c5a97eb
--- /dev/null
+++ b/bin/win32/BINDInstall/BINDInstall.h
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (c) 1999-2000 by Nortel Networks Corporation
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND NORTEL NETWORKS DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL NORTEL NETWORKS
+ * BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES
+ * OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
+ * WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
+ * ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef BINDINSTALL_H
+#define BINDINSTALL_H
+
+#ifndef __AFXWIN_H__
+#error include 'stdafx.h' before including this file for PCH
+#endif /* ifndef __AFXWIN_H__ */
+
+#include "resource.h" /* main symbols */
+
+class CBINDInstallApp : public CWinApp {
+      public:
+	CBINDInstallApp();
+
+	/* ClassWizard generated virtual function overrides */
+	/*{{AFX_VIRTUAL(CBINDInstallApp) */
+      public:
+	virtual BOOL
+	InitInstance();
+	/*}}AFX_VIRTUAL */
+
+	/*{{AFX_MSG(CBINDInstallApp) */
+	/* NOTE - the ClassWizard will add and remove member functions here. */
+	/*    DO NOT EDIT what you see in these blocks of generated code ! */
+	/*}}AFX_MSG */
+	DECLARE_MESSAGE_MAP()
+};
+
+#endif /* ifndef BINDINSTALL_H */
diff --git a/bin/win32/BINDInstall/BINDInstall.rc b/bin/win32/BINDInstall/BINDInstall.rc
new file mode 100644
index 0000000..5c7dd80
--- /dev/null
+++ b/bin/win32/BINDInstall/BINDInstall.rc
@@ -0,0 +1,325 @@
+// Microsoft Visual C++ generated resource script.
+//
+#include "resource.h"
+
+#define APSTUDIO_READONLY_SYMBOLS
+/////////////////////////////////////////////////////////////////////////////
+//
+// Generated from the TEXTINCLUDE 2 resource.
+//
+#include "afxres.h"
+
+/////////////////////////////////////////////////////////////////////////////
+#undef APSTUDIO_READONLY_SYMBOLS
+
+/////////////////////////////////////////////////////////////////////////////
+// English (U.S.) resources
+
+#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENU)
+#ifdef _WIN32
+LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
+#pragma code_page(1252)
+#endif //_WIN32
+
+#ifdef APSTUDIO_INVOKED
+/////////////////////////////////////////////////////////////////////////////
+//
+// TEXTINCLUDE
+//
+
+1 TEXTINCLUDE 
+BEGIN
+    "resource.h\0"
+END
+
+2 TEXTINCLUDE 
+BEGIN
+    "#include ""afxres.h""\r\n"
+    "\0"
+END
+
+3 TEXTINCLUDE 
+BEGIN
+    "#define _AFX_NO_SPLITTER_RESOURCES\r\n"
+    "#define _AFX_NO_OLE_RESOURCES\r\n"
+    "#define _AFX_NO_TRACKER_RESOURCES\r\n"
+    "#define _AFX_NO_PROPERTY_RESOURCES\r\n"
+    "\r\n"
+    "#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENU)\r\n"
+    "#ifdef _WIN32\r\n"
+    "LANGUAGE 9, 1\r\n"
+    "#pragma code_page(1252)\r\n"
+    "#endif //_WIN32\r\n"
+    "#include ""res\\BINDInstall.rc2""  // non-Microsoft Visual C++ edited resources\r\n"
+    "#include ""afxres.rc""         // Standard components\r\n"
+    "#endif\r\n"
+    "\0"
+END
+
+#endif    // APSTUDIO_INVOKED
+
+
+/////////////////////////////////////////////////////////////////////////////
+//
+// Icon
+//
+
+// Icon with lowest ID value placed first to ensure application icon
+// remains consistent on all systems.
+IDR_MAINFRAME           ICON                    "res\\BINDInstall.ico"
+
+/////////////////////////////////////////////////////////////////////////////
+//
+// Dialog
+//
+
+IDD_BINDINSTALL_DIALOG DIALOGEX 0, 0, 210, 311
+STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_POPUP | WS_VISIBLE | WS_CAPTION | WS_SYSMENU
+EXSTYLE WS_EX_APPWINDOW
+CAPTION "BIND 9 Installer"
+FONT 8, "MS Sans Serif", 0, 0, 0x1
+BEGIN
+    EDITTEXT        IDC_TARGETDIR,7,62,196,14,ES_AUTOHSCROLL
+    EDITTEXT        IDC_ACCOUNT_NAME,7,94,196,14,ES_AUTOHSCROLL
+    EDITTEXT        IDC_ACCOUNT_PASSWORD,7,122,196,14,ES_PASSWORD | ES_AUTOHSCROLL
+    EDITTEXT        IDC_ACCOUNT_PASSWORD_CONFIRM,7,151,196,14,ES_PASSWORD | ES_AUTOHSCROLL
+    DEFPUSHBUTTON   "&Install",IDC_INSTALL,153,7,50,14
+    PUSHBUTTON      "E&xit",IDC_EXIT,153,39,50,14
+    CONTROL         "&Tools Only",IDC_TOOLS_ONLY,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,14,185,72,10
+    CONTROL         "&Automatic Startup",IDC_AUTO_START,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,14,195,72,10
+    CONTROL         "&Keep Config Files After Uninstall",IDC_KEEP_FILES,
+                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,14,205,116,10
+    CONTROL         "&Start BIND Service After Install",IDC_START,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,14,215,113,10
+    PUSHBUTTON      "&Uninstall",IDC_UNINSTALL,153,23,50,14
+    PUSHBUTTON      "Browse",IDC_BROWSE,7,22,50,14
+    LTEXT           "Target Directory:",IDC_STATIC,7,53,54,8
+    GROUPBOX        "Progress",IDC_STATIC,7,234,196,70
+    RTEXT           "",IDC_COPY_TAG,14,271,78,8
+    LTEXT           "",IDC_COPY_FILE,105,271,90,8
+    RTEXT           "",IDC_SERVICE_TAG,15,281,77,8
+    LTEXT           "",IDC_REG_SERVICE,105,281,89,8
+    RTEXT           "",IDC_MESSAGE_TAG,15,291,77,8
+    LTEXT           "",IDC_REG_MESSAGE,105,291,88,8
+    RTEXT           "",IDC_DIR_TAG,15,261,77,8
+    GROUPBOX        "Options",IDC_STATIC,7,172,196,60
+    CTEXT           "Version Unknown",IDC_VERSION,7,7,61,10,SS_CENTERIMAGE | SS_SUNKEN
+    RTEXT           "Current Operation:",IDC_CURRENT_TAG,34,245,58,8
+    LTEXT           "",IDC_CURRENT,105,245,90,8
+    LTEXT           "",IDC_CREATE_DIR,105,261,88,8
+    LTEXT           "Service Account Name",IDC_STATIC,7,84,74,8
+    LTEXT           "Service Account Password",IDC_STATIC,7,112,86,8
+    LTEXT           "Confirm Service Account Password",IDC_STATIC,7,140,112,8
+END
+
+IDD_BROWSE DIALOG  0, 0, 227, 117
+STYLE DS_SETFONT | DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU
+CAPTION "Select Directory"
+FONT 8, "MS Sans Serif"
+BEGIN
+    DEFPUSHBUTTON   "OK",IDOK,170,7,50,14
+    PUSHBUTTON      "Cancel",IDCANCEL,170,24,50,14
+    LISTBOX         IDC_DIRLIST,7,28,155,82,LBS_SORT | LBS_NOINTEGRALHEIGHT | WS_VSCROLL | WS_TABSTOP
+    EDITTEXT        IDC_CURDIR,7,7,155,14,ES_AUTOHSCROLL
+    COMBOBOX        IDC_DRIVES,170,98,50,74,CBS_DROPDOWNLIST | CBS_SORT | WS_VSCROLL | WS_TABSTOP
+END
+
+IDD_DIALOG1 DIALOG  0, 0, 186, 95
+STYLE DS_SETFONT | DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU
+CAPTION "Dialog"
+FONT 8, "MS Sans Serif"
+BEGIN
+    DEFPUSHBUTTON   "OK",IDOK,129,7,50,14
+    PUSHBUTTON      "Cancel",IDCANCEL,129,24,50,14
+END
+
+
+/////////////////////////////////////////////////////////////////////////////
+//
+// Version
+//
+
+VS_VERSION_INFO VERSIONINFO
+ FILEVERSION 3,0,0,0
+ PRODUCTVERSION 3,0,0,0
+ FILEFLAGSMASK 0x3fL
+#ifdef _DEBUG
+ FILEFLAGS 0x1L
+#else
+ FILEFLAGS 0x0L
+#endif
+ FILEOS 0x4L
+ FILETYPE 0x1L
+ FILESUBTYPE 0x0L
+BEGIN
+    BLOCK "StringFileInfo"
+    BEGIN
+        BLOCK "040904b0"
+        BEGIN
+            VALUE "CompanyName", "Internet Systems Consortium"
+            VALUE "FileDescription", "ISC BIND 9 Install Utility"
+            VALUE "FileVersion", "3.0.0"
+            VALUE "InternalName", "BINDInstall"
+            VALUE "LegalCopyright", "Copyright © 2000,2014"
+            VALUE "OriginalFilename", "BINDInstall.EXE"
+            VALUE "ProductName", "ISC BIND 9"
+            VALUE "ProductVersion", "9.10.0"
+        END
+    END
+    BLOCK "VarFileInfo"
+    BEGIN
+        VALUE "Translation", 0x409, 1200
+    END
+END
+
+
+/////////////////////////////////////////////////////////////////////////////
+//
+// DESIGNINFO
+//
+
+#ifdef APSTUDIO_INVOKED
+GUIDELINES DESIGNINFO 
+BEGIN
+    IDD_BINDINSTALL_DIALOG, DIALOG
+    BEGIN
+        LEFTMARGIN, 7
+        RIGHTMARGIN, 203
+        VERTGUIDE, 14
+        VERTGUIDE, 92
+        VERTGUIDE, 105
+        TOPMARGIN, 7
+        BOTTOMMARGIN, 294
+        HORZGUIDE, 195
+        HORZGUIDE, 205
+        HORZGUIDE, 215
+        HORZGUIDE, 239
+        HORZGUIDE, 255
+        HORZGUIDE, 265
+        HORZGUIDE, 275
+        HORZGUIDE, 285
+        HORZGUIDE, 295
+    END
+
+    IDD_BROWSE, DIALOG
+    BEGIN
+        LEFTMARGIN, 7
+        RIGHTMARGIN, 220
+        TOPMARGIN, 7
+        BOTTOMMARGIN, 110
+    END
+
+    IDD_DIALOG1, DIALOG
+    BEGIN
+        LEFTMARGIN, 7
+        RIGHTMARGIN, 179
+        TOPMARGIN, 7
+        BOTTOMMARGIN, 88
+    END
+END
+#endif    // APSTUDIO_INVOKED
+
+
+/////////////////////////////////////////////////////////////////////////////
+//
+// String Table
+//
+
+STRINGTABLE 
+BEGIN
+    IDS_MAINFRAME           "BIND 9 Installer"
+    IDS_CREATEDIR           "Directory %s does not exist.\nDo you wish to create it?"
+    IDS_SUCCESS             "BIND installation completed successfully"
+    IDS_FAIL                "BIND installation failed"
+    IDS_DIREXIST            "Directory %s exists.\n Install here anyway?"
+    IDS_INSTALL_DIR         "Create Directories..."
+    IDS_INSTALL_FILE        "Copy Files..."
+    IDS_INSTALL_SERVICE     "Register Service..."
+    IDS_INSTALL_MESSAGE     "Register Messages..."
+    IDS_UNINSTALL           "Do you wish to uninstall BIND?"
+    IDS_UNINSTALL_DONE      "BIND Uninstall Completed"
+END
+
+STRINGTABLE 
+BEGIN
+    IDS_CREATE_KEY          "Creating BIND registry key"
+    IDS_ADD_REMOVE          "Setting up Add/Remove Programs entry"
+    IDS_CLEANUP             "Cleaning up"
+    IDS_INSTALL_DONE        "Finished Installing"
+    IDS_CREATE_DIR          "Creating directory %s"
+    IDS_REMOVE_DIR          "Removing directory %s"
+    IDS_COPY_FILE           "Copying file %s"
+    IDS_DELETE_FILE         "Deleting file %s"
+    IDS_OPEN_SCM            "Opening Service Control Manager"
+    IDS_CREATE_SERVICE      "Creating BIND service"
+    IDS_OPEN_SERVICE        "Opening BIND service"
+    IDS_REMOVE_SERVICE      "Removing BIND service"
+    IDS_REGISTER_MESSAGES   "Registering BIND message source"
+    IDS_UNREGISTER_MESSAGES "Unregistering BIND message source"
+    IDS_STOP_SERVICE        "Stopping BIND service"
+    IDS_START_SERVICE       "Starting BIND service"
+END
+
+STRINGTABLE 
+BEGIN
+    IDS_UNINSTALL_DIR       "Remove Directories..."
+    IDS_UNINSTALL_FILES     "Delete Files..."
+    IDS_UNINSTALL_SERVICE   "Unregister Service..."
+    IDS_UNINSTALL_MESSAGE   "Unregister Messages..."
+    IDS_ERR_OPEN_SCM        "Could not open Service Control Manager\n(%s)"
+    IDS_ERR_OPEN_SERVICE    "Could not open BIND Service\n(%s)"
+    IDS_ERR_START_SERVICE   "Could not start BIND Service\n(%s)"
+    IDS_ERR_STOP_SERVICE    "Could not stop BIND Service\n(%s)"
+    IDS_ERR_NONCRIT_FILE    "An error occurred while copying non-critical file %s\n(%s)\nDo you wish to continue?"
+    IDS_ERR_COPY_FILE       "An error occurred while copying file %s\n(%s)\nInstallation will be terminated"
+    IDS_ERR_CREATE_SERVICE  "Error creating service\n(%s)"
+    IDS_ERR_REMOVE_SERVICE  "Error removing service\n(%s)"
+    IDS_REBOOT              "BINDInstall needs to restart Windows.\nDo you wish to restart now?"
+    IDS_BAD_PRIVILEGES      "This user cannot acquire the privileges necessary to install BIND.  Please ensure you are logged on as a member of the Administrators group."
+    IDS_ERR_CREATE_DIR      "An error occurred while creating directory %s\n(%s)"
+    IDS_VERSION             "Version %s"
+    IDS_ERR_CREATE_KEY      "An error occurred while creating registry keys\n(%s)"
+END
+
+STRINGTABLE 
+BEGIN
+    IDS_ERR_SET_VALUE       "An error occurred while setting registry key values\n(%s)"
+    IDS_NO_VERSION          "Version Unknown"
+    IDS_EXISTING_NEWER      "%s\nThe existing version of this file is newer than the version being installed.\nDo you wish to overwrite the existing file?"
+    IDS_FILE_BAD            "Could not retrieve version info for file %s.  Do you wish to continue?\n(Continuing may overwrite a newer version of the file) "
+    IDS_ERR_TOOPRIVED       "Chosen account has too many privileges. Do you wish to choose a different account name?"
+    IDS_ERR_BADACCOUNT      "Error Validating Account. Unable to install service using this account."
+    IDS_ERR_WRONGPRIV       "The wrong privilege: %s was detected.  Only the Service Logon Right privilege should be enabled for this account."
+    IDS_CREATEACCOUNT_FAILED "Unable to Create Account for the Service."
+    IDS_ERR_PASSWORD        "Passwords entered did not match. Please reenter password."
+    IDS_ERR_UPDATE_SERVICE  "Error updating service\n(%s)"
+    IDS_ERR_NULLPASSWORD    "Service account password cannot be null"
+    IDS_ERR_WHITESPACE      "Service account password has leading/trailing whitespace"
+END
+
+#endif    // English (U.S.) resources
+/////////////////////////////////////////////////////////////////////////////
+
+
+
+#ifndef APSTUDIO_INVOKED
+/////////////////////////////////////////////////////////////////////////////
+//
+// Generated from the TEXTINCLUDE 3 resource.
+//
+#define _AFX_NO_SPLITTER_RESOURCES
+#define _AFX_NO_OLE_RESOURCES
+#define _AFX_NO_TRACKER_RESOURCES
+#define _AFX_NO_PROPERTY_RESOURCES
+
+#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENU)
+#ifdef _WIN32
+LANGUAGE 9, 1
+#pragma code_page(1252)
+#endif //_WIN32
+#include "res\BINDInstall.rc2"  // non-Microsoft Visual C++ edited resources
+#include "afxres.rc"         // Standard components
+#endif
+
+/////////////////////////////////////////////////////////////////////////////
+#endif    // not APSTUDIO_INVOKED
+
diff --git a/bin/win32/BINDInstall/BINDInstall.vcxproj.filters.in b/bin/win32/BINDInstall/BINDInstall.vcxproj.filters.in
new file mode 100644
index 0000000..0cb0eb4
--- /dev/null
+++ b/bin/win32/BINDInstall/BINDInstall.vcxproj.filters.in
@@ -0,0 +1,79 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\..\..\lib\isc\win32\include\isc\ntgroups.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="AccountInfo.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="BINDInstall.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="BINDInstallDlg.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="DirBrowse.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="resource.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="StdAfx.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="VersionInfo.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="AccountInfo.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="BINDInstall.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="BINDInstallDlg.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="DirBrowse.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="StdAfx.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="VersionInfo.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\lib\isc\win32\ntgroups.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="res\BINDInstall.ico">
+      <Filter>Resource Files</Filter>
+    </None>
+    <None Include="res\BINDInstall.rc2">
+      <Filter>Resource Files</Filter>
+    </None>
+  </ItemGroup>
+  <ItemGroup>
+    <ResourceCompile Include="BINDInstall.rc">
+      <Filter>Resource Files</Filter>
+    </ResourceCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/win32/BINDInstall/BINDInstall.vcxproj.in b/bin/win32/BINDInstall/BINDInstall.vcxproj.in
new file mode 100644
index 0000000..d677bd3
--- /dev/null
+++ b/bin/win32/BINDInstall/BINDInstall.vcxproj.in
@@ -0,0 +1,155 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{190CC424-E8CC-46F2-9013-3152D6905118}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>BINDInstall</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+    <UseOfMfc>Static</UseOfMfc>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+    <UseOfMfc>Static</UseOfMfc>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;@USE_GSSAPI@@USE_PYTHON@_DEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalIncludeDirectories>..\..\..;..\include;..\..\..\include;..\..\named\win32\include;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <StringPooling>
+      </StringPooling>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <PrecompiledHeaderFile>stdafx.h</PrecompiledHeaderFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <CompileAs>CompileAsCpp</CompileAs>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@nafxcwd.lib;version.lib;netapi32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <EnableUAC>false</EnableUAC>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>false</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;@USE_GSSAPI@@USE_PYTHON@NDEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalIncludeDirectories>..\..\..;..\include;..\..\..\include;..\..\named\win32\include;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <PrecompiledHeaderFile>stdafx.h</PrecompiledHeaderFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <CompileAs>CompileAsCpp</CompileAs>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@nafxcw.lib;version.lib;netapi32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <EnableUAC>false</EnableUAC>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClInclude Include="..\..\..\lib\isc\win32\include\isc\ntgroups.h" />
+    <ClInclude Include="AccountInfo.h" />
+    <ClInclude Include="BINDInstall.h" />
+    <ClInclude Include="BINDInstallDlg.h" />
+    <ClInclude Include="DirBrowse.h" />
+    <ClInclude Include="resource.h" />
+    <ClInclude Include="StdAfx.h" />
+    <ClInclude Include="VersionInfo.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\..\lib\isc\win32\ntgroups.c">
+      <PrecompiledHeader>NotUsing</PrecompiledHeader>
+    </ClCompile>
+    <ClCompile Include="AccountInfo.cpp">
+      <PreprocessorDefinitions Condition="'$(Configuration)|$(Platform)'=='Release|x64'">UNICODE;WIN32;@USE_GSSAPI@@USE_PYTHON@NDEBUG;_WINDOWS;_MBCS</PreprocessorDefinitions>
+      <PreprocessorDefinitions Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">UNICODE;WIN32;@USE_GSSAPI@@USE_PYTHON@_DEBUG;_WINDOWS;_MBCS</PreprocessorDefinitions>
+    </ClCompile>
+    <ClCompile Include="BINDInstall.cpp" />
+    <ClCompile Include="BINDInstallDlg.cpp" />
+    <ClCompile Include="DirBrowse.cpp" />
+    <ClCompile Include="StdAfx.cpp">
+      <PrecompiledHeader>Create</PrecompiledHeader>
+      <PrecompiledHeaderFile>stdafx.h</PrecompiledHeaderFile>
+    </ClCompile>
+    <ClCompile Include="VersionInfo.cpp" />
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="res\BINDInstall.ico" />
+    <None Include="res\BINDInstall.rc2" />
+  </ItemGroup>
+  <ItemGroup>
+    <ResourceCompile Include="BINDInstall.rc" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/bin/win32/BINDInstall/BINDInstall.vcxproj.user b/bin/win32/BINDInstall/BINDInstall.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/win32/BINDInstall/BINDInstall.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/win32/BINDInstall/BINDInstallDlg.cpp b/bin/win32/BINDInstall/BINDInstallDlg.cpp
new file mode 100644
index 0000000..a123c4a
--- /dev/null
+++ b/bin/win32/BINDInstall/BINDInstallDlg.cpp
@@ -0,0 +1,1601 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (c) 1999-2000 by Nortel Networks Corporation
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND NORTEL NETWORKS DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL NORTEL NETWORKS
+ * BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES
+ * OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
+ * WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
+ * ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+/*
+ * Define this to make a standalone installer that will copy msvcrt.dll
+ * and/or msvcrtd.dll during the install
+ */
+// #define BINARIES_INSTALL
+
+/*
+ * msvcrt.dll is the release c-runtime library for MSVC.  msvcrtd.dll
+ * is the debug c-runtime library for MSVC.  If you have debug
+ * binaries you want to have DEBUG_BINARIES defined.  If you have
+ * release binaries you want to have RELEASE_BINARIES defined.
+ * If you have both, then define them both.
+ * Of course, you need msvcrt[d].dll present to install it!
+ */
+#ifdef BINARIES_INSTALL
+// #  define DEBUG_BINARIES
+// #  define RELEASE_BINARIES
+#endif
+
+#include "stdafx.h"
+#include "BINDInstall.h"
+#include "BINDInstallDlg.h"
+#include "DirBrowse.h"
+#include <winsvc.h>
+#include <shlobj.h>
+#include <shlwapi.h>
+#include <named/ntservice.h>
+#include <isc/bind_registry.h>
+#include <isc/ntgroups.h>
+#include <direct.h>
+#include "AccountInfo.h"
+#include "versioninfo.h"
+
+#include <fstream>
+#include <iostream>
+#include <string>
+#include <vector>
+
+#include <config.h>
+
+#undef open
+
+#define MAX_GROUPS	100
+#define MAX_PRIVS	 50
+
+#define LOCAL_SERVICE "NT AUTHORITY\\LocalService"
+
+#ifdef _DEBUG
+#define new DEBUG_NEW
+#undef THIS_FILE
+static char THIS_FILE[] = __FILE__;
+#endif
+
+typedef struct _xexception
+{
+	_xexception(UINT string, ...);
+
+	CString resString;
+} Exception;
+
+_xexception::_xexception(UINT string, ...)
+{
+	CString format;
+	va_list va;
+
+	format.LoadString(string);
+
+	va_start(va, string);
+	resString.FormatV(format, va);
+	va_end(va);
+}
+
+typedef struct _filedata {
+	enum FileDestinations {TargetDir, BinDir, EtcDir, WinSystem};
+	enum FileImportance {Trivial, Normal, Critical};
+
+	char filename[128];
+	int destination;
+	int importance;
+	BOOL checkVer;
+	BOOL withTools;
+} FileData;
+
+#if no_longer_used
+
+const FileData installFiles[] =
+{
+#ifdef BINARIES_INSTALL
+#  ifdef DEBUG_BINARIES
+	{"msvcrtd.dll", FileData::WinSystem, FileData::Critical, TRUE, TRUE},
+#  endif
+#  ifdef RELEASE_BINARIES
+	{"msvcrt.dll", FileData::WinSystem, FileData::Critical, TRUE, TRUE},
+#  endif
+#endif
+#if _MSC_VER < 1400
+#if _MSC_VER >= 1310
+	{"mfc71.dll", FileData::WinSystem, FileData::Critical, TRUE, TRUE},
+	{"msvcr71.dll", FileData::WinSystem, FileData::Critical, TRUE, TRUE},
+#elif _MSC_VER > 1200 && _MSC_VER < 1310
+	{"mfc70.dll", FileData::WinSystem, FileData::Critical, TRUE, TRUE},
+	{"msvcr70.dll", FileData::WinSystem, FileData::Critical, TRUE, TRUE},
+#endif
+#endif
+	{"bindevt.dll", FileData::BinDir, FileData::Normal, FALSE, TRUE},
+	{"libbind9.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE},
+	{"libisc.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE},
+	{"libisccfg.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE},
+	{"libisccc.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE},
+	{"libdns.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE},
+	{"libirs.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE},
+	{"libeay32.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE},
+	{"libuv.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE},
+#ifdef HAVE_LIBXML2
+	{"libxml2.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE},
+#endif
+#ifdef USE_GSSAPI
+#ifndef _WIN64
+	{"gssapi32.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE},
+	{"krb5_32.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE},
+#else
+	{"gssapi64.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE},
+	{"krb5_64.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE},
+#endif
+#endif
+#ifdef HAVE_GEOIP
+	{"libgeoip.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE},
+#endif
+#ifdef WITH_IDN
+	{"idnkit.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE},
+	{"iconv.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE},
+#endif
+	{"named.exe", FileData::BinDir, FileData::Critical, FALSE, FALSE},
+	{"nsupdate.exe", FileData::BinDir, FileData::Normal, FALSE, TRUE},
+	{"BINDInstall.exe", FileData::BinDir, FileData::Normal, FALSE, TRUE},
+	{"rndc.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
+	{"dig.exe", FileData::BinDir, FileData::Normal, FALSE, TRUE},
+	{"host.exe", FileData::BinDir, FileData::Normal, FALSE, TRUE},
+	{"mdig.exe", FileData::BinDir, FileData::Normal, FALSE, TRUE},
+	{"nslookup.exe", FileData::BinDir, FileData::Normal, FALSE, TRUE},
+	{"delv.exe", FileData::BinDir, FileData::Normal, FALSE, TRUE},
+	{"arpaname.exe", FileData::BinDir, FileData::Normal, FALSE, TRUE},
+	{"nsec3hash.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
+	{"rndc-confgen.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
+	{"ddns-confgen.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
+	{"tsig-keygen.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
+	{"dnssec-keygen.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
+	{"dnssec-signzone.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
+	{"dnssec-dsfromkey.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
+	{"dnssec-importkey.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
+	{"dnssec-keyfromlabel.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
+	{"dnssec-revoke.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
+	{"dnssec-settime.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
+	{"dnssec-verify.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
+	{"named-checkconf.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
+	{"named-checkzone.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
+	{"named-compilezone.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
+	{"named-journalprint.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
+	{"named-rrchecker.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
+#ifdef USE_PKCS11
+	{"pkcs11-destroy.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
+	{"pkcs11-keygen.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
+	{"pkcs11-list.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
+	{"pkcs11-tokens.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
+#endif
+#ifdef USE_PYTHON
+	{"dnssec-checkds.py", FileData::BinDir, FileData::Normal, FALSE, FALSE},
+	{"dnssec-coverage.py", FileData::BinDir, FileData::Normal, FALSE, FALSE},
+#endif
+	{"readme1st.txt", FileData::BinDir, FileData::Trivial, FALSE, TRUE},
+	{NULL, -1, -1}
+};
+
+#else
+
+typedef std::vector<FileData> FileDatas;
+FileDatas installFiles;
+BOOL forwin64 = FALSE;
+BOOL runvcredist = FALSE;
+
+#endif
+
+/////////////////////////////////////////////////////////////////////////////
+// CBINDInstallDlg dialog
+
+CBINDInstallDlg::CBINDInstallDlg(CWnd* pParent /*=NULL*/)
+	: CDialog(CBINDInstallDlg::IDD, pParent) {
+	char winsys[MAX_PATH];
+
+	//{{AFX_DATA_INIT(CBINDInstallDlg)
+	/* cppcheck-suppress useInitializationList */
+	m_targetDir = _T("");
+	m_version = _T("");
+	m_toolsOnly = FALSE;
+	m_autoStart = FALSE;
+	m_keepFiles = FALSE;
+	m_current = _T("");
+	m_startOnInstall = FALSE;
+	m_accountName = _T("");
+	m_accountPassword = _T("");
+	//}}AFX_DATA_INIT
+	// Note that LoadIcon does not require a subsequent
+	// DestroyIcon in Win32
+	m_hIcon = AfxGetApp()->LoadIcon(IDR_MAINFRAME);
+
+	GetSystemDirectory(winsys, MAX_PATH);
+	m_winSysDir = winsys;
+
+	m_defaultDir = "notyetknown";
+
+	m_installed = FALSE;
+	m_accountExists = FALSE;
+	m_accountUsed = FALSE;
+	m_serviceExists = TRUE;
+	GetCurrentServiceAccountName();
+	m_currentAccount = m_accountName;
+	if (m_accountName == "") {
+		m_accountName = "named";
+	}
+}
+
+void CBINDInstallDlg::DoDataExchange(CDataExchange* pDX) {
+	CDialog::DoDataExchange(pDX);
+	//{{AFX_DATA_MAP(CBINDInstallDlg)
+	DDX_Text(pDX, IDC_TARGETDIR, m_targetDir);
+	DDX_Text(pDX, IDC_VERSION, m_version);
+	DDX_Text(pDX, IDC_ACCOUNT_NAME, m_accountName);
+	DDX_Text(pDX, IDC_ACCOUNT_PASSWORD, m_accountPassword);
+	DDX_Text(pDX, IDC_ACCOUNT_PASSWORD_CONFIRM, m_accountPasswordConfirm);
+	DDX_Check(pDX, IDC_TOOLS_ONLY, m_toolsOnly);
+	DDX_Check(pDX, IDC_AUTO_START, m_autoStart);
+	DDX_Check(pDX, IDC_KEEP_FILES, m_keepFiles);
+	DDX_Text(pDX, IDC_CURRENT, m_current);
+	DDX_Check(pDX, IDC_START, m_startOnInstall);
+	//}}AFX_DATA_MAP
+}
+
+BEGIN_MESSAGE_MAP(CBINDInstallDlg, CDialog)
+	//{{AFX_MSG_MAP(CBINDInstallDlg)
+	ON_WM_PAINT()
+	ON_WM_QUERYDRAGICON()
+	ON_BN_CLICKED(IDC_BROWSE, OnBrowse)
+	ON_BN_CLICKED(IDC_INSTALL, OnInstall)
+	ON_BN_CLICKED(IDC_EXIT, OnExit)
+	ON_BN_CLICKED(IDC_UNINSTALL, OnUninstall)
+	//}}AFX_MSG_MAP
+END_MESSAGE_MAP()
+
+/////////////////////////////////////////////////////////////////////////////
+// CBINDInstallDlg message handlers
+
+BOOL CBINDInstallDlg::OnInitDialog() {
+	CDialog::OnInitDialog();
+
+	// Set the icon for this dialog.  The framework does this automatically
+	//  when the application's main window is not a dialog
+	SetIcon(m_hIcon, TRUE);			// Set big icon
+	SetIcon(m_hIcon, FALSE);		// Set small icon
+
+	char filename[MAX_PATH];
+	char dirname[MAX_PATH];
+	char *fptr = &filename[0];
+	GetModuleFileName(NULL, filename, MAX_PATH);
+	char *dptr = strrchr(filename,'\\');
+	size_t index = dptr - fptr;
+	strncpy(dirname, filename, index);
+	dirname[index] = '\0';
+	CString Dirname(dirname);
+	m_currentDir = Dirname;
+
+	ReadInstallFlags();
+	char progfiles[MAX_PATH];
+	int id_program_files;
+	if (forwin64)
+		id_program_files = CSIDL_PROGRAM_FILES;
+	else
+		id_program_files = CSIDL_PROGRAM_FILESX86;
+	SHGetFolderPath(NULL, CSIDL_FLAG_CREATE|id_program_files,
+			NULL, SHGFP_TYPE_CURRENT, progfiles);
+
+	m_defaultDir = progfiles;
+	m_defaultDir += "\\ISC BIND 9";
+
+	CVersionInfo bindInst(filename);
+	if(bindInst.IsValid())
+		m_version.Format(IDS_VERSION, bindInst.GetFileVersionString());
+	else
+		m_version.LoadString(IDS_NO_VERSION);
+
+	DWORD dwBufLen = MAX_PATH;
+	char buf[MAX_PATH];
+	HKEY hKey;
+
+	m_startOnInstall = CheckBINDService();
+
+	/* See if we are installed already */
+	if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, BIND_SUBKEY, 0, KEY_READ, &hKey)
+			== ERROR_SUCCESS) {
+		m_installed = TRUE;
+		memset(buf, 0, MAX_PATH);
+		// Get the install directory
+		if (RegQueryValueEx(hKey, "InstallDir", NULL, NULL, (LPBYTE)buf,
+			&dwBufLen) == ERROR_SUCCESS)
+			if (strcmp(buf, ""))
+				m_defaultDir = buf;
+
+		RegCloseKey(hKey);
+	}
+	m_targetDir = m_defaultDir;
+
+	// Set checkbox defaults
+	m_autoStart = TRUE;
+	m_keepFiles = TRUE;
+
+	UpdateData(FALSE);
+
+	return (TRUE); /* return(TRUE) unless you set the focus to a control */
+}
+
+/*
+ *  If you add a minimize button to your dialog, you will need the code below
+ *  to draw the icon.  For MFC applications using the document/view model,
+ *  this is automatically done for you by the framework.
+ */
+
+void CBINDInstallDlg::OnPaint() {
+	if (IsIconic())	{
+		CPaintDC dc(this); // device context for painting
+
+		SendMessage(WM_ICONERASEBKGND, (WPARAM) dc.GetSafeHdc(), 0);
+
+		// Center icon in client rectangle
+		int cxIcon = GetSystemMetrics(SM_CXICON);
+		int cyIcon = GetSystemMetrics(SM_CYICON);
+		CRect rect;
+		GetClientRect(&rect);
+		int x = (rect.Width() - cxIcon + 1) / 2;
+		int y = (rect.Height() - cyIcon + 1) / 2;
+
+		// Draw the icon
+		dc.DrawIcon(x, y, m_hIcon);
+	}
+	else {
+		CDialog::OnPaint();
+	}
+}
+
+// The system calls this to obtain the cursor to display while the user drags
+//  the minimized window.
+HCURSOR CBINDInstallDlg::OnQueryDragIcon() {
+	return((HCURSOR)m_hIcon);
+}
+
+void CBINDInstallDlg::OnBrowse() {
+
+	CDirBrowse browse;
+
+	if (browse.DoModal() == IDOK) 	{
+		//m_targetDir = browse.m_selectedDir;
+		UpdateData(FALSE);
+	}
+}
+
+/*
+ * User pressed the exit button
+ */
+void CBINDInstallDlg::OnExit() {
+	EndDialog(0);
+}
+
+/*
+ * User pressed the uninstall button.  Make it go.
+ */
+void CBINDInstallDlg::OnUninstall() {
+	UpdateData();
+
+	if (MsgBox(IDS_UNINSTALL, MB_YESNO) == IDYES) {
+		if (CheckBINDService())
+			StopBINDService();
+
+		SC_HANDLE hSCManager = OpenSCManager(NULL, NULL,
+					SC_MANAGER_ALL_ACCESS);
+		if (!hSCManager) {
+			MsgBox(IDS_ERR_OPEN_SCM, GetErrMessage());
+			return;
+		}
+
+		SC_HANDLE hService = OpenService(hSCManager, BIND_SERVICE_NAME,
+					      SERVICE_ALL_ACCESS);
+		if (!hService && GetLastError() != ERROR_SERVICE_DOES_NOT_EXIST){
+			MsgBox(IDS_ERR_OPEN_SERVICE, GetErrMessage());
+			return;
+		}
+
+		SERVICE_STATUS ss;
+		QueryServiceStatus(hService, &ss);
+		if (ss.dwCurrentState == SERVICE_RUNNING) {
+			BOOL rc = ControlService(hService,
+						 SERVICE_CONTROL_STOP, &ss);
+			if (rc == FALSE || ss.dwCurrentState != SERVICE_STOPPED) {
+				MsgBox(IDS_ERR_STOP_SERVICE, GetErrMessage());
+				return;
+			}
+
+		}
+		CloseServiceHandle(hService);
+		CloseServiceHandle(hSCManager);
+
+		// Directories
+		m_etcDir = m_targetDir + "\\etc";
+		m_binDir = m_targetDir + "\\bin";
+
+		UninstallTags();
+		UnregisterMessages(TRUE);
+		UnregisterService(TRUE);
+		ReadInstallFileList();
+		DeleteFiles(TRUE);
+		if (m_keepFiles == FALSE)
+			RemoveDirs(TRUE);
+		else
+			GetDlgItem(IDC_CREATE_DIR)->SetWindowText("Not Removed");
+
+
+		// Delete registry keys for named
+		RegDeleteKey(HKEY_LOCAL_MACHINE, BIND_SESSION_SUBKEY);
+		RegDeleteKey(HKEY_LOCAL_MACHINE, BIND_SUBKEY);
+		RegDeleteKey(HKEY_LOCAL_MACHINE, BIND_UNINSTALL_SUBKEY);
+
+		ProgramGroup(FALSE);
+
+		SetCurrent(IDS_UNINSTALL_DONE);
+		MsgBox(IDS_UNINSTALL_DONE);
+	}
+}
+
+/*
+ * User pressed the install button.  Make it go.
+ */
+void CBINDInstallDlg::OnInstall() {
+	BOOL success = FALSE;
+	int oldlen;
+	int n;
+
+	if (CheckBINDService())
+		StopBINDService();
+
+	InstallTags();
+
+	UpdateData();
+
+	if (!m_toolsOnly && m_accountName != LOCAL_SERVICE) {
+		/*
+		 * Check that the Passwords entered match.
+		 */
+		if (m_accountPassword != m_accountPasswordConfirm) {
+			MsgBox(IDS_ERR_PASSWORD);
+			return;
+		}
+
+		/*
+		 * Check that there is not leading / trailing whitespace.
+		 * This is for compatibility with the standard password dialog.
+		 * Passwords really should be treated as opaque blobs.
+		 */
+		oldlen = m_accountPassword.GetLength();
+		m_accountPassword.TrimLeft();
+		m_accountPassword.TrimRight();
+		if (m_accountPassword.GetLength() != oldlen) {
+			MsgBox(IDS_ERR_WHITESPACE);
+			return;
+		}
+
+		/*
+		 * Check the entered account name.
+		 */
+		if (ValidateServiceAccount() == FALSE)
+			return;
+
+		/*
+		 * For Registration we need to know if account was changed.
+		 */
+		if (m_accountName != m_currentAccount)
+			m_accountUsed = FALSE;
+
+		if (m_accountUsed == FALSE && m_serviceExists == FALSE)
+		{
+		/*
+		 * Check that the Password is not null.
+		 */
+			if (m_accountPassword.GetLength() == 0) {
+				MsgBox(IDS_ERR_NULLPASSWORD);
+				return;
+			}
+		}
+	} else if (m_accountName == LOCAL_SERVICE) {
+		/* The LocalService always exists. */
+		m_accountExists = TRUE;
+		if (m_accountName != m_currentAccount)
+			m_accountUsed = FALSE;
+	}
+
+	/* Directories */
+	m_etcDir = m_targetDir + "\\etc";
+	m_binDir = m_targetDir + "\\bin";
+
+	if (m_defaultDir != m_targetDir) {
+		if (GetFileAttributes(m_targetDir) != 0xFFFFFFFF)
+		{
+			int install = MsgBox(IDS_DIREXIST,
+					MB_YESNO | MB_ICONQUESTION, m_targetDir);
+			if (install == IDNO)
+				return;
+		}
+		else {
+			int createDir = MsgBox(IDS_CREATEDIR,
+					MB_YESNO | MB_ICONQUESTION, m_targetDir);
+			if (createDir == IDNO)
+				return;
+		}
+	}
+
+	if (!m_toolsOnly) {
+		if (m_accountExists == FALSE) {
+			success = CreateServiceAccount(m_accountName.GetBuffer(30),
+						       m_accountPassword.GetBuffer(30));
+			if (success == FALSE) {
+				MsgBox(IDS_CREATEACCOUNT_FAILED);
+				return;
+			}
+			m_accountExists = TRUE;
+		}
+	}
+
+	ProgramGroup(FALSE);
+
+	/*
+	 * Install Visual Studio libraries.  As per:
+	 * http://blogs.msdn.com/astebner/archive/2006/08/23/715755.aspx
+	 *
+	 * Vcredist_x86.exe /q:a /c:"msiexec /i vcredist.msi /qn /l*v %temp%\vcredist_x86.log"
+	 */
+	/*system(".\\Vcredist_x86.exe /q:a /c:\"msiexec /i vcredist.msi /qn /l*v %temp%\vcredist_x86.log\"");*/
+
+	/*
+	 * Enclose full path to Vcredist_x86.exe in quotes as
+	 * m_currentDir may contain spaces.
+	 */
+	if (runvcredist) {
+		char Vcredist_x86[MAX_PATH];
+		if (forwin64)
+			n = snprintf(Vcredist_x86, sizeof(Vcredist_x86),
+				     "\"%s\\Vcredist_x64.exe\"",
+				     (LPCTSTR) m_currentDir);
+		else
+			n = snprintf(Vcredist_x86, sizeof(Vcredist_x86),
+				     "\"%s\\Vcredist_x86.exe\"",
+				     (LPCTSTR) m_currentDir);
+		if (n >= 0 && (size_t)n < sizeof(Vcredist_x86))
+			system(Vcredist_x86);
+	}
+	try {
+		CreateDirs();
+		ReadInstallFileList();
+		CopyFiles();
+		if (!m_toolsOnly)
+			RegisterService();
+		RegisterMessages();
+
+		HKEY hKey;
+
+		/* Create a new key for named */
+		SetCurrent(IDS_CREATE_KEY);
+		if (RegCreateKey(HKEY_LOCAL_MACHINE, BIND_SUBKEY,
+			&hKey) == ERROR_SUCCESS) {
+			// Get the install directory
+			RegSetValueEx(hKey, "InstallDir", 0, REG_SZ,
+					(LPBYTE)(LPCTSTR)m_targetDir,
+					m_targetDir.GetLength());
+			RegCloseKey(hKey);
+		}
+
+
+		SetCurrent(IDS_ADD_REMOVE);
+		if (RegCreateKey(HKEY_LOCAL_MACHINE, BIND_UNINSTALL_SUBKEY,
+				 &hKey) == ERROR_SUCCESS) {
+			CString buf(BIND_DISPLAY_NAME);
+
+			RegSetValueEx(hKey, "DisplayName", 0, REG_SZ,
+					(LPBYTE)(LPCTSTR)buf, buf.GetLength());
+
+			buf.Format("%s\\BINDInstall.exe", m_binDir);
+
+			CStringA installLocA(buf);
+			const char *str = (const char *) installLocA;
+			char pathBuffer[2 * MAX_PATH];
+			strncpy(pathBuffer, str, sizeof(pathBuffer) - 1);
+			pathBuffer[sizeof(pathBuffer) - 1] = 0;
+			PathQuoteSpaces(pathBuffer);
+
+			RegSetValueEx(hKey, "UninstallString", 0, REG_SZ,
+				      (LPBYTE)(LPCTSTR)pathBuffer, strlen(pathBuffer));
+			RegCloseKey(hKey);
+		}
+
+		ProgramGroup(FALSE);
+
+		if (m_startOnInstall)
+			StartBINDService();
+	}
+	catch(Exception e) {
+		MessageBox(e.resString);
+		SetCurrent(IDS_CLEANUP);
+		FailedInstall();
+		MsgBox(IDS_FAIL);
+		return;
+	}
+	catch(DWORD dw)	{
+		CString msg;
+		msg.Format("A fatal error occurred\n(%s)", GetErrMessage(dw));
+		MessageBox(msg);
+		SetCurrent(IDS_CLEANUP);
+		FailedInstall();
+		MsgBox(IDS_FAIL);
+		return;
+	}
+
+	SetCurrent(IDS_INSTALL_DONE);
+	MsgBox(IDS_SUCCESS);
+}
+
+/*
+ * Methods to do the work
+ */
+void CBINDInstallDlg::CreateDirs() {
+	/* s'OK if the directories already exist */
+	SetCurrent(IDS_CREATE_DIR, m_targetDir);
+	if (!CreateDirectory(m_targetDir, NULL) && GetLastError() != ERROR_ALREADY_EXISTS)
+		throw(Exception(IDS_ERR_CREATE_DIR, m_targetDir, GetErrMessage()));
+
+	SetCurrent(IDS_CREATE_DIR, m_etcDir);
+	if (!CreateDirectory(m_etcDir, NULL) && GetLastError() != ERROR_ALREADY_EXISTS)
+		throw(Exception(IDS_ERR_CREATE_DIR, m_etcDir, GetErrMessage()));
+
+	SetCurrent(IDS_CREATE_DIR, m_binDir);
+	if (!CreateDirectory(m_binDir, NULL) && GetLastError() != ERROR_ALREADY_EXISTS)
+		throw(Exception(IDS_ERR_CREATE_DIR, m_binDir, GetErrMessage()));
+
+	SetItemStatus(IDC_CREATE_DIR);
+}
+
+void CBINDInstallDlg::RemoveDirs(BOOL uninstall) {
+	if (!m_keepFiles) {
+		SetCurrent(IDS_REMOVE_DIR, m_binDir);
+		// Check for existence then remove if present
+		if (GetFileAttributes(m_binDir) != 0xFFFFFFFF)
+			RemoveDirectory(m_binDir);
+
+		SetCurrent(IDS_REMOVE_DIR, m_etcDir);
+		if (GetFileAttributes(m_etcDir) != 0xFFFFFFFF)
+			RemoveDirectory(m_etcDir);
+
+		SetCurrent(IDS_REMOVE_DIR, m_targetDir);
+		if (GetFileAttributes(m_targetDir) != 0xFFFFFFFF)
+			RemoveDirectory(m_targetDir);
+	}
+
+	if (uninstall)
+		SetItemStatus(IDC_CREATE_DIR, TRUE);
+}
+
+// InstallFlags: runvcredist and forwin64 options
+void CBINDInstallDlg::ReadInstallFlags() {
+	std::ifstream ff(m_currentDir + "\\InstallFlags");
+	if (!ff) {
+		throw(Exception(IDS_FILE_BAD, "InstallFlags", "can't open"));
+	}
+	while (!ff.eof()) {
+		std::string line;
+		getline(ff, line);
+		if (line.compare("runvcredist") == 0)
+			runvcredist = TRUE;
+		else if (line.compare("forwin64") == 0)
+			forwin64 = TRUE;
+	}
+}
+
+// InstallFiles: {filename-divt}*
+//   destination: TBEW
+//   importance: TNC
+//   checkVer and withTools: TF (boolean)
+void CBINDInstallDlg::ReadInstallFileList() {
+	std::ifstream fl(m_currentDir + "\\InstallFiles");
+	if (!fl) {
+		throw(Exception(IDS_FILE_BAD, "InstallFiles", "can't open"));
+	}
+	while (!fl.eof()) {
+		std::string line;
+		getline(fl, line);
+		if (line.empty())
+			continue;
+		if (line[0] == '#')
+			continue;
+		// zip -l adds spurious \r: remove trailing space chars
+		size_t finish = line.find_last_not_of(" \t\r\n\t\v");
+		if ((finish != std::string::npos) &&
+		    (finish + 1 != line.size())) {
+			line.erase(finish + 1);
+		}
+		size_t flags = line.find_last_of('-');
+		if ((flags == std::string::npos) ||
+		    (flags + 5 != line.size()))
+			goto bad;
+		std::string file = line.substr(0, flags);
+		if (file.empty() || (file.size() > 127))
+			goto bad;
+		FileData entry;
+		memmove(entry.filename, file.c_str(), file.size() + 1);
+		switch (line[flags + 1]) {
+		case 'T':
+			entry.destination = FileData::TargetDir;
+			break;
+		case 'B':
+			entry.destination = FileData::BinDir;
+			break;
+		case 'E':
+			entry.destination = FileData::EtcDir;
+			break;
+		case 'W':
+			entry.destination = FileData::WinSystem;
+			break;
+		default:
+			goto bad;
+		}
+		switch (line[flags + 2]) {
+		case 'T':
+			entry.importance = FileData::Trivial;
+			break;
+		case 'N':
+			entry.importance = FileData::Normal;
+			break;
+		case 'C':
+			entry.importance = FileData::Critical;
+			break;
+		default:
+			goto bad;
+		}
+		switch (line[flags + 3]) {
+		case 'T':
+			entry.checkVer = TRUE;
+			break;
+		case 'F':
+			entry.checkVer = FALSE;
+			break;
+		default:
+			goto bad;
+		}
+		switch (line[flags + 4]) {
+		case 'T':
+			entry.withTools = TRUE;
+			break;
+		case 'F':
+			entry.withTools = FALSE;
+			break;
+		default:
+			goto bad;
+		}
+		installFiles.push_back(entry);
+	}
+	return;
+
+bad:
+	throw(Exception(IDS_FILE_BAD, "InstallFiles", "syntax error"));
+}
+
+void CBINDInstallDlg::CopyFiles() {
+	CString destFile;
+
+	for (FileDatas::iterator fd = installFiles.begin();
+	     fd != installFiles.end(); ++fd) {
+		if (m_toolsOnly && !fd->withTools)
+			continue;
+		SetCurrent(IDS_COPY_FILE, fd->filename);
+
+		destFile = DestDir(fd->destination) + "\\" + fd->filename;
+		CString filespec = m_currentDir + "\\" + fd->filename;
+		CVersionInfo bindFile(destFile);
+
+		CVersionInfo origFile(filespec);
+		if (!origFile.IsValid() && fd->checkVer) {
+			if (MsgBox(IDS_FILE_BAD, MB_YESNO,
+				   fd->filename) == IDNO)
+				throw(Exception(IDS_ERR_COPY_FILE,
+						fd->filename,
+						GetErrMessage()));
+		}
+
+		try {
+/*
+ * Ignore Version checking.  We need to make sure that all files get
+ * copied regardless of whether or not they are earlier or later
+ * versions since we cannot guarantee that we have either backward or
+ * forward compatibility between versions.
+ */
+			bindFile.CopyFileNoVersion(origFile);
+		}
+		catch(...) {
+			if (fd->importance != FileData::Trivial) {
+				if (fd->importance == FileData::Critical ||
+				    MsgBox(IDS_ERR_NONCRIT_FILE, MB_YESNO,
+					   fd->filename,
+					   GetErrMessage()) == IDNO)
+				{
+					SetItemStatus(IDC_COPY_FILE, FALSE);
+					throw(Exception(IDS_ERR_COPY_FILE,
+							fd->filename,
+							GetErrMessage()));
+				}
+			}
+		}
+	}
+
+	SetItemStatus(IDC_COPY_FILE);
+}
+
+void CBINDInstallDlg::DeleteFiles(BOOL uninstall) {
+	CString destFile;
+
+	for (FileDatas::iterator fd = installFiles.begin();
+	     fd != installFiles.end(); ++fd) {
+		if (fd->checkVer)
+			continue;
+
+		destFile = DestDir(fd->destination) + "\\" + fd->filename;
+
+		if (uninstall)
+			SetCurrent(IDS_DELETE_FILE, fd->filename);
+
+		DeleteFile(destFile);
+	}
+
+	if (!m_keepFiles) {
+		WIN32_FIND_DATA findData;
+		CString file = m_etcDir + "\\*.*";
+		BOOL rc;
+		HANDLE hFile;
+
+		hFile = FindFirstFile(file, &findData);
+		rc = hFile != INVALID_HANDLE_VALUE;
+
+		while (rc == TRUE) {
+			if (strcmp(findData.cFileName, ".") &&
+			    strcmp(findData.cFileName, "..")) {
+				file = m_etcDir + "\\" + findData.cFileName;
+				SetCurrent(IDS_DELETE_FILE, file);
+				DeleteFile(file);
+			}
+			rc = FindNextFile(hFile, &findData);
+		}
+		FindClose(hFile);
+	}
+
+	if (uninstall)
+		SetItemStatus(IDC_COPY_FILE, TRUE);
+}
+
+/*
+ * Get the service account name out of the registry, if any
+ */
+void
+CBINDInstallDlg::GetCurrentServiceAccountName() {
+	HKEY hKey;
+	BOOL keyFound = FALSE;
+	char accountName[MAX_PATH];
+	DWORD nameLen = MAX_PATH;
+	CString Tmp;
+	m_accountUsed = FALSE;
+
+	memset(accountName, 0, nameLen);
+	if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, BIND_SERVICE_SUBKEY, 0, KEY_READ,
+		&hKey) == ERROR_SUCCESS) {
+		keyFound = TRUE;
+	}
+	else {
+		m_serviceExists = FALSE;
+	}
+
+	if (keyFound == TRUE) {
+		/* Get the named service account, if one was specified */
+		if (RegQueryValueEx(hKey, "ObjectName", NULL, NULL,
+			(LPBYTE)accountName, &nameLen) != ERROR_SUCCESS)
+			keyFound = FALSE;
+	}
+
+	RegCloseKey(hKey);
+	if (keyFound == FALSE)
+		m_accountName = "";
+	else if (!strcmp(accountName, LOCAL_SERVICE)) {
+		m_accountName = LOCAL_SERVICE;
+		m_accountUsed = TRUE;
+	} else {
+		/*
+		 * LocalSystem is not a regular account and is equivalent
+		 * to no account but with lots of privileges
+		 */
+		Tmp = accountName;
+		if (Tmp == ".\\LocalSystem")
+			m_accountName = "";
+		/* Found account strip any ".\" from it */
+		if (Tmp.Left(2) == ".\\") {
+			m_accountName = Tmp.Mid(2);
+			m_accountUsed = TRUE;
+		}
+	}
+}
+
+BOOL
+CBINDInstallDlg::ValidateServiceAccount() {
+	wchar_t *PrivList[MAX_PRIVS];
+	unsigned int PrivCount = 0;
+	char *Groups[MAX_GROUPS];
+	unsigned int totalGroups = 0;
+	int status;
+	char *name;
+
+	name = m_accountName.GetBuffer(30);
+
+	status = GetAccountPrivileges(name, PrivList, &PrivCount,
+		 Groups, &totalGroups, MAX_GROUPS);
+	if (status == RTN_NOACCOUNT) {
+		m_accountExists = FALSE;
+		/* We need to do this in case an account was previously used */
+		m_accountUsed = FALSE;
+		return (TRUE);
+	}
+	if (status != RTN_OK) {
+		MsgBox(IDS_ERR_BADACCOUNT);
+		return (FALSE);
+	}
+
+	m_accountExists = TRUE;
+	if (PrivCount > 1) {
+		if (MsgBox(IDS_ERR_TOOPRIVED, MB_YESNO) == IDYES)
+			return (FALSE);
+		else
+			return (TRUE);
+	}
+
+	/* See if we have the correct privilege */
+	if (wcscmp(PrivList[0], SE_SERVICE_LOGON_PRIV) != 0) {
+		MsgBox(IDS_ERR_WRONGPRIV, PrivList[0]);
+		return (FALSE);
+	}
+	return (TRUE);
+}
+
+void
+CBINDInstallDlg::RegisterService() {
+	SC_HANDLE hSCManager;
+	SC_HANDLE hService;
+	CString StartName;
+
+	if (m_accountName == LOCAL_SERVICE)
+		StartName = LOCAL_SERVICE;
+	else
+		StartName = ".\\" + m_accountName;
+	/*
+	 * We need to change the service rather than create it
+	 * if the service already exists. Do nothing if we are already
+	 * using that account
+	 */
+	if (m_serviceExists == TRUE) {
+		if (m_accountUsed == FALSE) {
+			UpdateService(StartName);
+			SetItemStatus(IDC_REG_SERVICE);
+			return;
+		} else {
+			SetItemStatus(IDC_REG_SERVICE);
+			return;
+		}
+	}
+
+	SetCurrent(IDS_OPEN_SCM);
+	hSCManager= OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
+	if (!hSCManager)
+		throw(Exception(IDS_ERR_OPEN_SCM, GetErrMessage()));
+
+	DWORD dwStart = SERVICE_DEMAND_START;
+	if (m_autoStart)
+		dwStart = SERVICE_AUTO_START;
+
+	DWORD dwServiceType = SERVICE_WIN32_OWN_PROCESS;
+
+	CString namedLoc;
+	namedLoc.Format("%s\\bin\\named.exe", m_targetDir);
+
+	CStringA namedLocA(namedLoc);
+	const char *str = (const char *) namedLocA;
+	char pathBuffer[2 * MAX_PATH];
+	strncpy(pathBuffer, str, sizeof(pathBuffer) - 1);
+	pathBuffer[sizeof(pathBuffer) - 1] = 0;
+	PathQuoteSpaces(pathBuffer);
+
+	SetCurrent(IDS_CREATE_SERVICE);
+	hService = CreateService(hSCManager, BIND_SERVICE_NAME,
+		BIND_DISPLAY_NAME, SERVICE_ALL_ACCESS, dwServiceType, dwStart,
+		SERVICE_ERROR_NORMAL, pathBuffer, NULL, NULL, NULL, StartName,
+		m_accountPassword);
+
+	if (!hService && GetLastError() != ERROR_SERVICE_EXISTS)
+		throw(Exception(IDS_ERR_CREATE_SERVICE, GetErrMessage()));
+
+	if (hService)
+		CloseServiceHandle(hService);
+
+	if (hSCManager)
+		CloseServiceHandle(hSCManager);
+
+	SetItemStatus(IDC_REG_SERVICE);
+}
+
+void
+CBINDInstallDlg::UpdateService(CString StartName) {
+	SC_HANDLE hSCManager;
+	SC_HANDLE hService;
+
+	if(m_toolsOnly)
+		return;
+
+	SetCurrent(IDS_OPEN_SCM);
+	hSCManager= OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
+	if (!hSCManager) {
+		MsgBox(IDS_ERR_OPEN_SCM, GetErrMessage());
+		return;
+	}
+
+	DWORD dwStart = SERVICE_DEMAND_START;
+	if (m_autoStart)
+		dwStart = SERVICE_AUTO_START;
+
+	DWORD dwServiceType = SERVICE_WIN32_OWN_PROCESS;
+
+	CString namedLoc;
+	namedLoc.Format("%s\\bin\\named.exe", m_targetDir);
+
+	CStringA namedLocA(namedLoc);
+	const char *str = (const char *) namedLocA;
+	char pathBuffer[2 * MAX_PATH];
+	strncpy(pathBuffer, str, sizeof(pathBuffer) - 1);
+	pathBuffer[sizeof(pathBuffer) - 1] = 0;
+	PathQuoteSpaces(pathBuffer);
+
+	SetCurrent(IDS_OPEN_SERVICE);
+	hService = OpenService(hSCManager, BIND_SERVICE_NAME,
+			       SERVICE_CHANGE_CONFIG);
+	if (!hService)
+	{
+		MsgBox(IDS_ERR_OPEN_SERVICE, GetErrMessage());
+		if (hSCManager)
+			CloseServiceHandle(hSCManager);
+		return;
+	} else {
+		if (ChangeServiceConfig(hService, dwServiceType, dwStart,
+			SERVICE_ERROR_NORMAL, pathBuffer, NULL, NULL, NULL,
+			StartName, m_accountPassword, BIND_DISPLAY_NAME)
+			!= TRUE) {
+			MsgBox(IDS_ERR_UPDATE_SERVICE, GetErrMessage());
+		}
+	}
+
+	if (hService)
+		CloseServiceHandle(hService);
+
+	if (hSCManager)
+		CloseServiceHandle(hSCManager);
+
+	SetItemStatus(IDC_REG_SERVICE);
+}
+
+void CBINDInstallDlg::UnregisterService(BOOL uninstall) {
+	BOOL rc = FALSE;
+	SC_HANDLE hSCManager;
+	SC_HANDLE hService;
+
+	while(1) {
+		SetCurrent(IDS_OPEN_SCM);
+		hSCManager= OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
+		if (!hSCManager && uninstall == TRUE) {
+			MsgBox(IDS_ERR_OPEN_SCM, GetErrMessage());
+			break;
+		}
+
+		SetCurrent(IDS_OPEN_SERVICE);
+		hService = OpenService(hSCManager, BIND_SERVICE_NAME,
+				       STANDARD_RIGHTS_REQUIRED);
+		if (!hService && uninstall == TRUE)
+		{
+			if (GetLastError() != ERROR_SERVICE_DOES_NOT_EXIST) {
+				MsgBox(IDS_ERR_OPEN_SERVICE, GetErrMessage());
+				break;
+			}
+		}
+		else {
+			SetCurrent(IDS_REMOVE_SERVICE);
+			if (!DeleteService(hService) && uninstall == TRUE) {
+				DWORD err = GetLastError();
+				if (err != ERROR_SERVICE_MARKED_FOR_DELETE &&
+				   err != ERROR_SERVICE_DOES_NOT_EXIST) {
+					MsgBox(IDS_ERR_REMOVE_SERVICE,
+					       GetErrMessage());
+					break;
+				}
+			}
+		}
+
+		rc = TRUE;
+		break;
+	}
+
+	if (hService)
+		CloseServiceHandle(hService);
+
+	if (hSCManager)
+		CloseServiceHandle(hSCManager);
+
+	if (uninstall)
+		SetItemStatus(IDC_REG_SERVICE, rc);
+}
+
+void CBINDInstallDlg::RegisterMessages() {
+	HKEY hKey;
+	DWORD dwData;
+	char pszMsgDLL[MAX_PATH];
+	int n;
+
+	n = snprintf(pszMsgDLL, sizeof(pszMsgDLL), "%s\\%s",
+		     (LPCTSTR)m_binDir, "bindevt.dll");
+	if (n < 0 || (size_t)n >= sizeof(pszMsgDLL))
+		throw(Exception(IDS_ERR_CREATE_KEY,
+				"<m_binDir>\\bindevt.dll too long"));
+
+	SetCurrent(IDS_REGISTER_MESSAGES);
+	/* Create a new key for named */
+	if (RegCreateKey(HKEY_LOCAL_MACHINE, BIND_MESSAGE_SUBKEY, &hKey)
+		!= ERROR_SUCCESS)
+		throw(Exception(IDS_ERR_CREATE_KEY, GetErrMessage()));
+
+	/* Add the Event-ID message-file name to the subkey. */
+	if (RegSetValueEx(hKey, "EventMessageFile", 0, REG_EXPAND_SZ,
+		(LPBYTE)pszMsgDLL, (DWORD)(strlen(pszMsgDLL) + 1)) != ERROR_SUCCESS)
+		throw(Exception(IDS_ERR_SET_VALUE, GetErrMessage()));
+
+	/* Set the supported types flags and addit to the subkey. */
+	dwData = EVENTLOG_ERROR_TYPE | EVENTLOG_WARNING_TYPE | EVENTLOG_INFORMATION_TYPE;
+	if (RegSetValueEx(hKey, "TypesSupported", 0, REG_DWORD,
+		(LPBYTE)&dwData, sizeof(DWORD)) != ERROR_SUCCESS)
+		throw(Exception(IDS_ERR_SET_VALUE, GetErrMessage()));
+
+	RegCloseKey(hKey);
+
+	SetItemStatus(IDC_REG_MESSAGE);
+}
+
+void CBINDInstallDlg::UnregisterMessages(BOOL uninstall) {
+	BOOL rc = FALSE;
+	HKEY hKey = NULL;
+
+	while(1) {
+		SetCurrent(IDS_UNREGISTER_MESSAGES);
+		/* Open key for Application Event Log */
+		if (RegOpenKey(HKEY_LOCAL_MACHINE, EVENTLOG_APP_SUBKEY, &hKey)
+			!= ERROR_SUCCESS)
+			break;
+
+		/* Remove named from the list of messages sources */
+		if (RegDeleteKey(hKey, BIND_MESSAGE_NAME) != ERROR_SUCCESS)
+			break;
+
+		rc = TRUE;
+		break;
+	}
+
+	if (hKey)
+		RegCloseKey(hKey);
+
+	if (uninstall)
+		SetItemStatus(IDC_REG_MESSAGE, rc);
+}
+
+/*
+ * Install failed - clean up quietly
+ */
+void CBINDInstallDlg::FailedInstall() {
+	UnregisterMessages(FALSE);
+	UnregisterService(FALSE);
+	DeleteFiles(FALSE);
+	RemoveDirs(FALSE);
+}
+
+/*
+ * Set the checklist tags for install
+ */
+void CBINDInstallDlg::InstallTags() {
+	CString tag;
+
+	tag.LoadString(IDS_INSTALL_FILE);
+	GetDlgItem(IDC_COPY_TAG)->SetWindowText(tag);
+	GetDlgItem(IDC_COPY_FILE)->SetWindowText("");
+
+	tag.LoadString(IDS_INSTALL_DIR);
+	GetDlgItem(IDC_DIR_TAG)->SetWindowText(tag);
+	GetDlgItem(IDC_CREATE_DIR)->SetWindowText("");
+	GetDlgItem(IDC_REG_SERVICE)->SetWindowText("");
+
+	tag.LoadString(IDS_INSTALL_SERVICE);
+	GetDlgItem(IDC_SERVICE_TAG)->SetWindowText(tag);
+
+	tag.LoadString(IDS_INSTALL_MESSAGE);
+	GetDlgItem(IDC_MESSAGE_TAG)->SetWindowText(tag);
+	GetDlgItem(IDC_REG_MESSAGE)->SetWindowText("");
+}
+
+/*
+ * Set the checklist tags for uninstall
+ */
+void CBINDInstallDlg::UninstallTags() {
+	CString tag;
+
+	tag.LoadString(IDS_UNINSTALL_FILES);
+	GetDlgItem(IDC_COPY_TAG)->SetWindowText(tag);
+	GetDlgItem(IDC_COPY_FILE)->SetWindowText("");
+
+	tag.LoadString(IDS_UNINSTALL_DIR);
+	GetDlgItem(IDC_DIR_TAG)->SetWindowText(tag);
+	GetDlgItem(IDC_CREATE_DIR)->SetWindowText("");
+
+	tag.LoadString(IDS_UNINSTALL_SERVICE);
+	GetDlgItem(IDC_SERVICE_TAG)->SetWindowText(tag);
+	GetDlgItem(IDC_REG_SERVICE)->SetWindowText("");
+
+	tag.LoadString(IDS_UNINSTALL_MESSAGE);
+	GetDlgItem(IDC_MESSAGE_TAG)->SetWindowText(tag);
+	GetDlgItem(IDC_REG_MESSAGE)->SetWindowText("");
+}
+
+void CBINDInstallDlg::SetItemStatus(UINT nID, BOOL bSuccess) {
+	GetDlgItem(nID)->SetWindowText(bSuccess == TRUE ? "Done" : "Failed");
+}
+
+
+/*
+ * Set the text in the current operation field - use a string table string
+ */
+void CBINDInstallDlg::SetCurrent(int id, ...) {
+	CString format;
+	va_list va;
+	char buf[128];
+
+	format.LoadString(id);
+	memset(buf, 0, 128);
+
+	va_start(va, id);
+	(void)vsnprintf(buf, sizeof(buf), format, va);
+	buf[sizeof(buf) - 1] = 0;
+	va_end(va);
+
+	m_current.Format("%s", buf);
+	UpdateData(FALSE);
+}
+
+/*
+ * Stop the BIND service
+ */
+void CBINDInstallDlg::StopBINDService() {
+	SERVICE_STATUS svcStatus;
+
+	SetCurrent(IDS_STOP_SERVICE);
+
+	SC_HANDLE hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
+	if (!hSCManager) {
+		MsgBox(IDS_ERR_OPEN_SCM, GetErrMessage());
+	}
+
+	SC_HANDLE hBINDSvc = OpenService(hSCManager, BIND_SERVICE_NAME,
+				      SERVICE_ALL_ACCESS);
+	if (!hBINDSvc) {
+		MsgBox(IDS_ERR_OPEN_SERVICE, GetErrMessage());
+	}
+
+	BOOL rc = ControlService(hBINDSvc, SERVICE_CONTROL_STOP, &svcStatus);
+	if (!rc) {
+		MsgBox(IDS_ERR_STOP_SERVICE, GetErrMessage());
+	}
+}
+
+/*
+ * Start the BIND service
+ */
+void CBINDInstallDlg::StartBINDService() {
+	SetCurrent(IDS_START_SERVICE);
+
+	SC_HANDLE hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
+	if (!hSCManager) {
+		MsgBox(IDS_ERR_OPEN_SCM, GetErrMessage());
+	}
+
+	SC_HANDLE hBINDSvc = OpenService(hSCManager, BIND_SERVICE_NAME,
+					 SERVICE_ALL_ACCESS);
+	if (!hBINDSvc) {
+		MsgBox(IDS_ERR_OPEN_SERVICE, GetErrMessage());
+	}
+	BOOL rc = StartService(hBINDSvc, 0, NULL);
+	if (!rc) {
+		MsgBox(IDS_ERR_START_SERVICE, GetErrMessage());
+	}
+}
+
+/*
+ * Check to see if the BIND service is running or not
+ */
+BOOL
+CBINDInstallDlg::CheckBINDService() {
+	SERVICE_STATUS svcStatus;
+
+	SC_HANDLE hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
+	if (hSCManager) {
+		SC_HANDLE hBINDSvc = OpenService(hSCManager, BIND_SERVICE_NAME,
+						 SERVICE_ALL_ACCESS);
+		if (hBINDSvc) {
+			BOOL rc = ControlService(hBINDSvc,
+						 SERVICE_CONTROL_INTERROGATE,
+						 &svcStatus);
+			if (!rc) {
+				/* cppcheck-suppress unreadVariable */
+				DWORD err = GetLastError();
+			}
+
+			return (rc &&
+				svcStatus.dwCurrentState == SERVICE_RUNNING);
+		}
+	}
+	return (FALSE);
+}
+
+/*
+ * Display message boxes with variable args, using string table strings
+ * for the format specifiers
+ */
+int CBINDInstallDlg::MsgBox(int id, ...) {
+	CString format;
+	va_list va;
+	char buf[BUFSIZ];
+
+	format.LoadString(id);
+	memset(buf, 0, BUFSIZ);
+
+	va_start(va, id);
+	(void)vsnprintf(buf, sizeof(buf), format, va);
+	buf[sizeof(buf) - 1] = 0;
+	va_end(va);
+
+	return (MessageBox(buf));
+}
+
+int CBINDInstallDlg::MsgBox(int id, UINT type, ...) {
+	CString format;
+	va_list va;
+	char buf[BUFSIZ];
+
+	format.LoadString(id);
+	memset(buf, 0, BUFSIZ);
+
+	va_start(va, type);
+	(void)vsnprintf(buf, sizeof(buf), format, va);
+	buf[sizeof(buf) - 1] = 0;
+	va_end(va);
+
+	return(MessageBox(buf, NULL, type));
+}
+
+/*
+ * Call GetLastError(), retrieve the message associated with the error
+ */
+CString CBINDInstallDlg::GetErrMessage(DWORD err) {
+	LPVOID msgBuf;
+	static char buf[BUFSIZ];
+
+	DWORD len = FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
+		NULL, err == -1 ? GetLastError() : err, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), (LPTSTR) &msgBuf, 0, NULL );
+
+
+	strcpy(buf, (LPTSTR)msgBuf);
+	LocalFree(msgBuf);
+	/* Strip off the period and the \n */
+	buf[len - 3] = 0;
+	return(buf);
+}
+
+void CBINDInstallDlg::ProgramGroupCreate(TCHAR *commonPath) {
+	HRESULT hres;
+	IShellLink *psl = NULL;
+	ITEMIDLIST *itemList = NULL;
+	TCHAR fileloc[MAX_PATH];
+	TCHAR linkpath[MAX_PATH];
+	TCHAR path[MAX_PATH];
+	int n;
+
+	n = snprintf(path, sizeof(path), "%s\\ISC", commonPath);
+	if (n < 0 || (size_t)n >= sizeof(path))
+		return;
+	CreateDirectory(path, NULL);
+
+	n = snprintf(path, sizeof(path), "%s\\ISC\\BIND", commonPath);
+	if (n < 0 || (size_t)n >= sizeof(path))
+		return;
+	CreateDirectory(path, NULL);
+
+	hres = CoInitialize(NULL);
+	if (!SUCCEEDED(hres))
+		return;
+
+	// Get a pointer to the IShellLink interface.
+	hres = CoCreateInstance(CLSID_ShellLink, NULL, CLSCTX_INPROC_SERVER,
+				IID_IShellLink, (LPVOID *)&psl);
+	if (!SUCCEEDED(hres)) {
+		goto cleanup;
+	}
+
+	IPersistFile* ppf;
+	n = snprintf(linkpath, sizeof(linkpath), "%s\\BINDCtrl.lnk", path);
+	if (n < 0 || (size_t)n >= sizeof(path)) {
+		goto cleanup;
+	}
+
+	n = snprintf(fileloc, sizeof(fileloc), "%s\\BINDCtrl.exe",
+		     (LPCTSTR) m_binDir);
+	if (n < 0 || (size_t)n >= sizeof(path)) {
+		goto cleanup;
+	}
+
+	psl->SetPath(fileloc);
+	psl->SetDescription("BIND Control Panel");
+
+	hres = psl->QueryInterface(IID_IPersistFile, (void **)&ppf);
+	if (SUCCEEDED(hres)) {
+		WCHAR wsz[MAX_PATH];
+
+		MultiByteToWideChar(CP_ACP, 0, linkpath, -1, wsz, MAX_PATH);
+		hres = ppf->Save(wsz, TRUE);
+		ppf->Release();
+	}
+
+	if (GetFileAttributes("readme.txt") == -1) {
+		goto cleanup;
+	}
+
+	n = snprintf(fileloc, sizeof(fileloc), "%s\\Readme.txt",
+		     (LPCTSTR) m_targetDir);
+	if (n < 0 || (size_t)n >= sizeof(fileloc)) {
+		goto cleanup;
+	}
+
+	n = snprintf(linkpath, sizeof(linkpath), "%s\\Readme.lnk", path);
+	if (n < 0 || (size_t)n >= sizeof(linkpath)) {
+		goto cleanup;
+	}
+
+	psl->SetPath(fileloc);
+	psl->SetDescription("BIND Readme");
+
+	hres = psl->QueryInterface(IID_IPersistFile, (void **)&ppf);
+	if (SUCCEEDED(hres)) {
+		WCHAR wsz[MAX_PATH];
+
+		MultiByteToWideChar(CP_ACP, 0, linkpath, -1, wsz, MAX_PATH);
+		hres = ppf->Save(wsz, TRUE);
+		ppf->Release();
+	}
+
+ cleanup:
+	if (psl)
+		psl->Release();
+	CoUninitialize();
+}
+
+void CBINDInstallDlg::ProgramGroupRemove(TCHAR *commonPath) {
+	HANDLE hFind;
+	TCHAR filename[MAX_PATH];
+	TCHAR path[MAX_PATH];
+	WIN32_FIND_DATA fd;
+	int n;
+
+	n = snprintf(path, sizeof(path), "%s\\ISC\\BIND", commonPath);
+	if (n < 0 || (size_t)n >= sizeof(path))
+		goto remove_isc;
+
+	n = snprintf(filename, sizeof(filename), "%s\\*.*", path);
+	if (n < 0 || (size_t)n >= sizeof(path))
+		goto remove_isc_bind;
+
+	hFind = FindFirstFile(filename, &fd);
+	if (hFind != INVALID_HANDLE_VALUE) {
+		do {
+			if (strcmp(fd.cFileName, ".") == 0 ||
+			    strcmp(fd.cFileName, "..") == 0)
+				continue;
+			n = snprintf(filename, sizeof(filename), "%s\\%s",
+				     path, fd.cFileName);
+			if (n >= 0 && (size_t)n < sizeof(filename)) {
+				DeleteFile(filename);
+			}
+		} while (FindNextFile(hFind, &fd));
+		FindClose(hFind);
+	}
+
+ remove_isc_bind:
+	RemoveDirectory(path);
+
+ remove_isc:
+	n = snprintf(path, sizeof(path), "%s\\ISC", commonPath);
+	if (n >= 0 && (size_t)n < sizeof(path))
+		RemoveDirectory(path);
+}
+
+void CBINDInstallDlg::ProgramGroup(BOOL create) {
+	HRESULT hr;
+	ITEMIDLIST *itemList = NULL;
+	LPMALLOC pMalloc = NULL;
+	TCHAR commonPath[MAX_PATH];
+
+	hr = SHGetMalloc(&pMalloc);
+	if (hr != NOERROR) {
+		MessageBox("Could not get a handle to Shell memory object");
+		return;
+	}
+
+	hr = SHGetSpecialFolderLocation(m_hWnd, CSIDL_COMMON_PROGRAMS,
+					&itemList);
+	if (hr != NOERROR) {
+		MessageBox("Could not get a handle to the Common Programs "
+			   "folder");
+		if (itemList) {
+			pMalloc->Free(itemList);
+		}
+		return;
+	}
+
+	if (SHGetPathFromIDList(itemList, commonPath)) {
+		if (create) {
+			ProgramGroupCreate(commonPath);
+		} else {
+			ProgramGroupRemove(commonPath);
+		}
+	} else {
+		MessageBox("SHGetPathFromIDList failed");
+	}
+	pMalloc->Free(itemList);
+}
+
+CString CBINDInstallDlg::DestDir(int destination) {
+	switch(destination) {
+		case FileData::TargetDir:
+			return m_targetDir;
+		case FileData::BinDir:
+			return m_binDir;
+		case FileData::EtcDir:
+			return m_etcDir;
+		case FileData::WinSystem:
+			return m_winSysDir;
+	}
+	return("");
+}
diff --git a/bin/win32/BINDInstall/BINDInstallDlg.h b/bin/win32/BINDInstall/BINDInstallDlg.h
new file mode 100644
index 0000000..27ed216
--- /dev/null
+++ b/bin/win32/BINDInstall/BINDInstallDlg.h
@@ -0,0 +1,167 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (c) 1999-2000 by Nortel Networks Corporation
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND NORTEL NETWORKS DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL NORTEL NETWORKS
+ * BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES
+ * OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
+ * WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
+ * ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef BINDINSTALLDLG_H
+#define BINDINSTALLDLG_H
+
+class CBINDInstallDlg : public CDialog {
+      public:
+	CBINDInstallDlg(CWnd *pParent = NULL); /* standard constructor */
+
+	/*{{AFX_DATA(CBINDInstallDlg) */
+	enum { IDD = IDD_BINDINSTALL_DIALOG };
+	CString m_targetDir;
+	CString m_version;
+	BOOL m_autoStart;
+	BOOL m_keepFiles;
+	BOOL m_toolsOnly;
+	CString m_current;
+	BOOL m_startOnInstall;
+	/*}}AFX_DATA */
+
+	/* ClassWizard generated virtual function overrides */
+	/*{{AFX_VIRTUAL(CBINDInstallDlg) */
+      protected:
+	virtual void
+	DoDataExchange(CDataExchange *pDX); /* DDX/DDV support */
+					    /*}}AFX_VIRTUAL */
+
+      protected:
+	void
+	StartBINDService();
+	void
+	StopBINDService();
+
+	void
+	InstallTags();
+	void
+	UninstallTags();
+
+	void
+	CreateDirs();
+	void
+	RemoveDirs(BOOL uninstall);
+
+	void
+	ReadInstallFlags();
+	void
+	ReadInstallFileList();
+
+	void
+	CopyFiles();
+	void
+	DeleteFiles(BOOL uninstall);
+
+	void
+	RegisterService();
+	void
+	UpdateService(CString StartName);
+	void
+	UnregisterService(BOOL uninstall);
+
+	void
+	RegisterMessages();
+	void
+	UnregisterMessages(BOOL uninstall);
+
+	void
+	FailedInstall();
+	void
+	SetItemStatus(UINT nID, BOOL bSuccess = TRUE);
+
+	void
+	GetCurrentServiceAccountName();
+	BOOL
+	ValidateServiceAccount();
+
+      protected:
+	CString
+	DestDir(int destination);
+	int
+	MsgBox(int id, ...);
+	int
+	MsgBox(int id, UINT type, ...);
+	CString
+	GetErrMessage(DWORD err = -1);
+	BOOL
+	CheckBINDService();
+	void
+	SetCurrent(int id, ...);
+	void
+	ProgramGroup(BOOL create = TRUE);
+	void
+	ProgramGroupCreate(TCHAR *commonPath);
+	void
+	ProgramGroupRemove(TCHAR *commonPath);
+
+	HICON m_hIcon;
+	CString m_defaultDir;
+	CString m_etcDir;
+	CString m_binDir;
+	CString m_winSysDir;
+	BOOL m_installed;
+	CString m_currentDir;
+	BOOL m_accountExists;
+	BOOL m_accountUsed;
+	CString m_currentAccount;
+	CString m_accountName;
+	CString m_accountPasswordConfirm;
+	CString m_accountPassword;
+	BOOL m_serviceExists;
+
+	/* Generated message map functions */
+	/*{{AFX_MSG(CBINDInstallDlg) */
+	virtual BOOL
+	OnInitDialog();
+	afx_msg void
+	OnPaint();
+	afx_msg HCURSOR
+	OnQueryDragIcon();
+	afx_msg void
+	OnBrowse();
+	afx_msg void
+	OnChangeTargetdir();
+	afx_msg void
+	OnInstall();
+	afx_msg void
+	OnExit();
+	afx_msg void
+	OnUninstall();
+	afx_msg void
+	OnAutoStart();
+	afx_msg void
+	OnKeepFiles();
+	afx_msg void
+	OnStartOnInstall();
+	/*}}AFX_MSG */
+	DECLARE_MESSAGE_MAP()
+};
+
+#endif /* ifndef BINDINSTALLDLG_H */
diff --git a/bin/win32/BINDInstall/DirBrowse.cpp b/bin/win32/BINDInstall/DirBrowse.cpp
new file mode 100644
index 0000000..f09e841
--- /dev/null
+++ b/bin/win32/BINDInstall/DirBrowse.cpp
@@ -0,0 +1,98 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (c) 1999-2000 by Nortel Networks Corporation
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND NORTEL NETWORKS DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL NORTEL NETWORKS
+ * BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES
+ * OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
+ * WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
+ * ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#include "stdafx.h"
+#include "BINDInstall.h"
+#include "DirBrowse.h"
+
+#ifdef _DEBUG
+#define new DEBUG_NEW
+#undef THIS_FILE
+static char THIS_FILE[] = __FILE__;
+#endif
+
+/////////////////////////////////////////////////////////////////////////////
+// CDirBrowse dialog
+
+
+CDirBrowse::CDirBrowse(CString initialDir, CWnd* pParent /*=NULL*/)
+	: CDialog(CDirBrowse::IDD, pParent)
+{
+	//{{AFX_DATA_INIT(CDirBrowse)
+		// NOTE: the ClassWizard will add member initialization here
+	//}}AFX_DATA_INIT
+	/* cppcheck-suppress useInitializationList */
+	m_selectedDir = initialDir;
+}
+
+
+void CDirBrowse::DoDataExchange(CDataExchange* pDX)
+{
+	CDialog::DoDataExchange(pDX);
+	//{{AFX_DATA_MAP(CDirBrowse)
+		// NOTE: the ClassWizard will add DDX and DDV calls here
+	//}}AFX_DATA_MAP
+}
+
+
+BEGIN_MESSAGE_MAP(CDirBrowse, CDialog)
+	//{{AFX_MSG_MAP(CDirBrowse)
+	ON_LBN_DBLCLK(IDC_DIRLIST, OnDblclkDirlist)
+	ON_LBN_SELCHANGE(IDC_DIRLIST, OnSelchangeDirlist)
+	//}}AFX_MSG_MAP
+END_MESSAGE_MAP()
+
+/////////////////////////////////////////////////////////////////////////////
+// CDirBrowse message handlers
+
+BOOL CDirBrowse::OnInitDialog()
+{
+	CDialog::OnInitDialog();
+
+	DlgDirList((LPTSTR)(LPCTSTR)m_selectedDir, IDC_DIRLIST, IDC_CURDIR, DDL_DIRECTORY);
+
+	return TRUE;  // return TRUE unless you set the focus to a control
+		      // EXCEPTION: OCX Property Pages should return FALSE
+}
+
+void CDirBrowse::OnDblclkDirlist()
+{
+	CListBox *lb = (CListBox *)GetDlgItem(IDC_DIRLIST);
+	CString curSel;
+
+	lb->GetText(lb->GetCurSel(), curSel);
+	DlgDirList((LPTSTR)(LPCTSTR)curSel, IDC_DIRLIST, IDC_CURDIR, DDL_DIRECTORY);
+}
+
+void CDirBrowse::OnSelchangeDirlist()
+{
+	// TODO: Add your control notification handler code here
+
+}
diff --git a/bin/win32/BINDInstall/DirBrowse.h b/bin/win32/BINDInstall/DirBrowse.h
new file mode 100644
index 0000000..0aa2ea0
--- /dev/null
+++ b/bin/win32/BINDInstall/DirBrowse.h
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (c) 1999-2000 by Nortel Networks Corporation
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND NORTEL NETWORKS DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL NORTEL NETWORKS
+ * BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES
+ * OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
+ * WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
+ * ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DIRBROWSE_H
+#define DIRBROWSE_H
+
+class CDirBrowse : public CDialog {
+	/* Construction */
+      public:
+	CDirBrowse(CString initialDir = "\\",
+		   CWnd *pParent = NULL); /* standard
+					   * constructor
+					   */
+	CString
+	GetSelectedDir() {
+		return (m_selectedDir);
+	}
+
+	/*{{AFX_DATA(CDirBrowse) */
+	enum { IDD = IDD_BROWSE };
+	/* NOTE: the ClassWizard will add data members here */
+	/*}}AFX_DATA */
+
+	/* ClassWizard generated virtual function overrides */
+	/*{{AFX_VIRTUAL(CDirBrowse) */
+      protected:
+	virtual void
+	DoDataExchange(CDataExchange *pDX); /* DDX/DDV support */
+					    /*}}AFX_VIRTUAL */
+
+      protected:
+	/* Generated message map functions */
+	/*{{AFX_MSG(CDirBrowse) */
+	virtual BOOL
+	OnInitDialog();
+	afx_msg void
+	OnDblclkDirlist();
+	afx_msg void
+	OnSelchangeDirlist();
+	/*}}AFX_MSG */
+	DECLARE_MESSAGE_MAP()
+
+      private:
+	CString m_selectedDir;
+};
+
+#endif /* ifndef DIRBROWSE_H */
diff --git a/bin/win32/BINDInstall/StdAfx.cpp b/bin/win32/BINDInstall/StdAfx.cpp
new file mode 100644
index 0000000..10c307b
--- /dev/null
+++ b/bin/win32/BINDInstall/StdAfx.cpp
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// stdafx.cpp : source file that includes just the standard includes
+//	BINDInstall.pch will be the pre-compiled header
+//	stdafx.obj will contain the pre-compiled type information
+
+#include "stdafx.h"
+
+
+
diff --git a/bin/win32/BINDInstall/StdAfx.h b/bin/win32/BINDInstall/StdAfx.h
new file mode 100644
index 0000000..00a2ec1
--- /dev/null
+++ b/bin/win32/BINDInstall/StdAfx.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* stdafx.h : include file for standard system include files, */
+/*  or project specific include files that are used frequently, but */
+/*      are changed infrequently */
+/* */
+
+/*
+ * Minimum version is Windows 8 and Windows Server 2012
+ */
+#define _WIN32_WINNT  0x0602
+#define NTDDI_VERSION 0x06020000
+
+#ifndef _CRT_SECURE_NO_DEPRECATE
+#define _CRT_SECURE_NO_DEPRECATE 1
+#endif /* ifndef _CRT_SECURE_NO_DEPRECATE */
+
+#if !defined(AFX_STDAFX_H__61537819_39FC_11D3_A97A_00105A12BD65__INCLUDED_)
+#define AFX_STDAFX_H__61537819_39FC_11D3_A97A_00105A12BD65__INCLUDED_
+
+#if _MSC_VER > 1000
+#pragma once
+#endif /* _MSC_VER > 1000 */
+
+#define VC_EXTRALEAN /* Exclude rarely-used stuff from Windows headers */
+
+#include <afxdtctl.h> /* MFC support for Internet Explorer 4 Common Controls */
+#include <afxext.h>   /* MFC extensions */
+#include <afxwin.h>   /* MFC core and standard components */
+#ifndef _AFX_NO_AFXCMN_SUPPORT
+#include <afxcmn.h> /* MFC support for Windows Common Controls */
+#endif		    /* _AFX_NO_AFXCMN_SUPPORT */
+
+/*{{AFX_INSERT_LOCATION}} */
+/* Microsoft Visual C++ will insert additional declarations immediately before
+ */
+/* the previous line. */
+
+#endif /* !defined(AFX_STDAFX_H__61537819_39FC_11D3_A97A_00105A12BD65__INCLUDED_) \
+	*/
diff --git a/bin/win32/BINDInstall/VersionInfo.cpp b/bin/win32/BINDInstall/VersionInfo.cpp
new file mode 100644
index 0000000..b87c30f
--- /dev/null
+++ b/bin/win32/BINDInstall/VersionInfo.cpp
@@ -0,0 +1,304 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// VersionInfo.cpp: implementation of the CVersionInfo class.
+//
+//////////////////////////////////////////////////////////////////////
+
+#include "stdafx.h"
+#include "bindinstall.h"
+#include "VersionInfo.h"
+#include <winver.h>
+
+#include <config.h>
+
+#ifdef _DEBUG
+#undef THIS_FILE
+static char THIS_FILE[]=__FILE__;
+#define new DEBUG_NEW
+#endif
+
+//////////////////////////////////////////////////////////////////////
+// Construction/Destruction
+//////////////////////////////////////////////////////////////////////
+
+CVersionInfo::CVersionInfo(CString filename)
+{
+	HANDLE hFile;
+	WIN32_FIND_DATA fd;
+	memset(&fd, 0, sizeof(WIN32_FIND_DATA));
+
+	m_status = ERROR_SUCCESS;
+	m_isValid = FALSE;
+	m_filename = filename;
+
+	// See if the given file exists
+	hFile = FindFirstFile(filename, &fd);
+	if(hFile == INVALID_HANDLE_VALUE)
+	{
+		m_status = ERROR_FILE_NOT_FOUND;
+		m_versionInfo = NULL;
+		return;
+	}
+	FindClose(hFile);
+
+	// Extract the file info 
+	DWORD handle;
+	DWORD viSize = GetFileVersionInfoSize((LPTSTR)(LPCTSTR)filename, &handle);
+	m_versionInfo = NULL;
+
+	if(viSize == 0)
+	{
+		m_status = GetLastError();
+	}
+	else
+	{
+		m_versionInfo = new char[viSize];
+
+		// Get the block of version info from the file
+		if(!GetFileVersionInfo((LPTSTR)(LPCTSTR)filename, handle, viSize, m_versionInfo))
+		{
+			if(m_versionInfo)
+			{
+				delete [] m_versionInfo;
+				m_versionInfo = NULL;
+			}
+			return;
+		}
+
+		// Now extract the sub block we are interested in
+		UINT versionLen = 0;
+		LPVOID viBlob = NULL;
+		if(!VerQueryValue(m_versionInfo, "\\", &viBlob, &versionLen))
+		{
+			if(m_versionInfo)
+			{
+				delete [] m_versionInfo;
+				m_versionInfo = NULL;
+			}
+			return;
+		}
+
+		// And finally the version info is ours
+		m_fixedInfo = (VS_FIXEDFILEINFO *)viBlob;
+
+		// If we got here, all is good
+	}
+	m_isValid = TRUE;
+}
+
+CVersionInfo::~CVersionInfo()
+{
+	m_fixedInfo = NULL;
+	if(m_versionInfo)
+	{
+		delete [] m_versionInfo;
+		m_versionInfo = NULL;
+	}
+}
+
+CString CVersionInfo::GetFileVersionString()
+{
+	return(QueryStringValue("FileVersion"));
+}
+
+CString CVersionInfo::GetProductVersionString()
+{
+	return(QueryStringValue("ProductVersion"));
+}
+
+CString CVersionInfo::GetComments()
+{
+	return(QueryStringValue("Comments"));
+}
+
+CString CVersionInfo::GetFileDescription()
+{
+	return(QueryStringValue("FileDescription"));
+}
+
+CString CVersionInfo::GetInternalName()
+{
+	return(QueryStringValue("InternalName"));
+}
+
+CString CVersionInfo::GetLegalCopyright()
+{
+	return(QueryStringValue("LegalCopyright"));
+}
+
+CString CVersionInfo::GetLegalTrademarks()
+{
+	return(QueryStringValue("LegalTrademarks"));
+}
+
+CString CVersionInfo::GetOriginalFileName()
+{
+	return(QueryStringValue("OriginalFilename"));
+}
+
+CString CVersionInfo::GetProductName()
+{
+	return(QueryStringValue("ProductName"));
+}
+
+CString CVersionInfo::GetSpecialBuildString()
+{
+	return(QueryStringValue("SpecialBuild"));
+}
+
+CString CVersionInfo::GetPrivateBuildString()
+{
+	return(QueryStringValue("PrivateBuild"));
+}
+
+CString CVersionInfo::GetCompanyName()
+{
+	return(QueryStringValue("CompanyName"));
+}
+
+#ifdef NOTUSED
+BOOL CVersionInfo::CopyFileCheckVersion(CVersionInfo &originalFile)
+{
+	_int64 myVer = GetFileVersion();
+	_int64 origVer = originalFile.GetFileVersion();
+
+	if(origVer > myVer)
+	{
+		CString msg;
+		msg.Format(IDS_EXISTING_NEWER, m_filename);
+		DWORD query = AfxMessageBox(msg, MB_YESNO);
+		if(query == IDNO)
+			return(TRUE);
+	}
+	
+	return(CopyFileNoVersion(originalFile));
+}
+#endif
+
+BOOL CVersionInfo::CopyFileNoVersion(CVersionInfo &originalFile)
+{
+	return(CopyFile(originalFile.GetFilename(), m_filename, FALSE));
+}
+
+
+_int64 CVersionInfo::GetFileVersion()
+{
+	_int64 ver = 0;
+	
+	if(m_versionInfo)
+	{
+		ver = m_fixedInfo->dwFileVersionMS;
+		ver <<= 32;
+		ver += m_fixedInfo->dwFileVersionLS;
+	}
+	return(ver);
+}
+
+_int64 CVersionInfo::GetProductVersion()
+{
+	_int64 ver = 0;
+
+	if(m_versionInfo)
+	{
+		ver = m_fixedInfo->dwProductVersionMS;
+		ver <<= 32;
+		ver += m_fixedInfo->dwProductVersionLS;
+	}
+	return(ver);
+}
+
+_int64 CVersionInfo::GetFileDate()
+{
+	_int64 fDate = 0;
+
+	if(m_versionInfo)
+	{
+		fDate = m_fixedInfo->dwFileDateMS;
+		fDate <<= 32;
+		fDate += m_fixedInfo->dwFileDateLS;
+	}
+	return(fDate);
+}
+
+DWORD CVersionInfo::GetFileFlagMask()
+{
+	if(m_versionInfo)
+	{
+		return(m_fixedInfo->dwFileFlagsMask);
+	}
+	return(0);
+}
+
+DWORD CVersionInfo::GetFileFlags()
+{
+	if(m_versionInfo)
+	{
+		return(m_fixedInfo->dwFileFlags);
+	}
+	return(0);
+}
+
+DWORD CVersionInfo::GetFileOS()
+{
+	if(m_versionInfo)
+	{
+		return(m_fixedInfo->dwFileOS);
+	}
+	return(VOS_UNKNOWN);
+}
+
+DWORD CVersionInfo::GetFileType()
+{
+	if(m_versionInfo)
+	{
+		return(m_fixedInfo->dwFileType);
+	}
+	return(VFT_UNKNOWN);
+}
+
+DWORD CVersionInfo::GetFileSubType()
+{
+	if(m_versionInfo)
+	{
+		return(m_fixedInfo->dwFileSubtype);
+	}
+	return(VFT2_UNKNOWN);
+}
+
+CString CVersionInfo::QueryStringValue(CString value)
+{
+	UINT blobLen = 0;
+	LPVOID viBlob = NULL;
+	int n;
+
+	if(m_versionInfo)
+	{
+		char queryString[256];
+
+		// This code page value is for American English.
+		// If you change the resources to be other than that
+		// You probably should change this to match it.
+		DWORD codePage = 0x040904B0;
+
+		n = snprintf(queryString, sizeof(queryString),
+			     "\\StringFileInfo\\%08X\\%s",
+			     codePage, (LPCTSTR) value);
+		if (n >= 0 && (size_t)n < sizeof(queryString)) {
+			if(VerQueryValue(m_versionInfo, queryString,
+					 &viBlob, &blobLen))
+				return((char *)viBlob);
+		}
+	}	
+	return("Not Available");
+}
diff --git a/bin/win32/BINDInstall/VersionInfo.h b/bin/win32/BINDInstall/VersionInfo.h
new file mode 100644
index 0000000..7e10c39
--- /dev/null
+++ b/bin/win32/BINDInstall/VersionInfo.h
@@ -0,0 +1,104 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* VersionInfo.h: interface for the CVersionInfo class. */
+/* */
+/*//////////////////////////////////////////////////////////////////// */
+
+#if !defined(AFX_VERSIONINFO_H__F82E9FF3_5298_11D4_AB87_00C04F789BA0__INCLUDED_)
+#define AFX_VERSIONINFO_H__F82E9FF3_5298_11D4_AB87_00C04F789BA0__INCLUDED_
+
+#if _MSC_VER > 1000
+#pragma once
+#endif /* _MSC_VER > 1000 */
+
+class CVersionInfo {
+      public:
+	CVersionInfo(CString filename);
+	virtual ~CVersionInfo();
+	BOOL
+	IsValid() {
+		return (m_isValid);
+	}
+	DWORD
+	GetStatus() { return (m_status); }
+
+	BOOL
+	CopyFileCheckVersion(CVersionInfo &originalFile);
+	BOOL
+	CopyFileNoVersion(CVersionInfo &originalFile);
+
+	const CString &
+	GetFilename() {
+		return (m_filename);
+	}
+
+	/* Extract the elements of the file's string info block */
+	CString
+	GetFileVersionString();
+	CString
+	GetProductVersionString();
+	CString
+	GetComments();
+	CString
+	GetFileDescription();
+	CString
+	GetInternalName();
+	CString
+	GetLegalCopyright();
+	CString
+	GetLegalTrademarks();
+	CString
+	GetOriginalFileName();
+	CString
+	GetProductName();
+	CString
+	GetSpecialBuildString();
+	CString
+	GetPrivateBuildString();
+	CString
+	GetCompanyName();
+
+	/* Extract the elements of the file's VS_FIXEDFILEINFO block */
+	_int64
+	GetFileVersion();
+	_int64
+	GetProductVersion();
+	_int64
+	GetFileDate();
+
+	DWORD
+	GetFileFlagMask();
+	DWORD
+	GetFileFlags();
+	DWORD
+	GetFileOS();
+	DWORD
+	GetFileType();
+	DWORD
+	GetFileSubType();
+
+      private:
+	CString m_filename;
+	BOOL m_isValid;
+	LPVOID m_versionInfo;
+	VS_FIXEDFILEINFO *m_fixedInfo;
+	DWORD m_codePage;
+	DWORD m_status;
+
+	CString
+	QueryStringValue(CString value);
+};
+
+#endif /* !defined(AFX_VERSIONINFO_H__F82E9FF3_5298_11D4_AB87_00C04F789BA0__INCLUDED_) \
+	*/
diff --git a/bin/win32/BINDInstall/res/BINDInstall.ico b/bin/win32/BINDInstall/res/BINDInstall.ico
new file mode 100644
index 0000000..2cf25fe
--- /dev/null
+++ b/bin/win32/BINDInstall/res/BINDInstall.ico
diff --git a/bin/win32/BINDInstall/res/BINDInstall.rc2 b/bin/win32/BINDInstall/res/BINDInstall.rc2
new file mode 100644
index 0000000..4fc93bb
--- /dev/null
+++ b/bin/win32/BINDInstall/res/BINDInstall.rc2
@@ -0,0 +1,13 @@
+//
+// BINDINSTALL.RC2 - resources Microsoft Visual C++ does not edit directly
+//
+
+#ifdef APSTUDIO_INVOKED
+	#error this file is not editable by Microsoft Visual C++
+#endif //APSTUDIO_INVOKED
+
+
+/////////////////////////////////////////////////////////////////////////////
+// Add manually edited resources here...
+
+/////////////////////////////////////////////////////////////////////////////
diff --git a/bin/win32/BINDInstall/resource.h b/bin/win32/BINDInstall/resource.h
new file mode 100644
index 0000000..9aba102
--- /dev/null
+++ b/bin/win32/BINDInstall/resource.h
@@ -0,0 +1,118 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*{{NO_DEPENDENCIES}} */
+/* Microsoft Developer Studio generated include file. */
+/* Used by BINDInstall.rc */
+/* */
+#define IDS_MAINFRAME		     1
+#define IDS_CREATEDIR		     2
+#define IDS_SUCCESS		     3
+#define IDS_FAIL		     4
+#define IDS_DIREXIST		     5
+#define IDS_INSTALL_DIR		     6
+#define IDS_INSTALL_FILE	     7
+#define IDS_INSTALL_SERVICE	     8
+#define IDS_INSTALL_MESSAGE	     9
+#define IDS_UNINSTALL		     14
+#define IDS_UNINSTALL_DONE	     15
+#define IDS_CREATE_KEY		     16
+#define IDS_ADD_REMOVE		     17
+#define IDS_CLEANUP		     18
+#define IDS_INSTALL_DONE	     19
+#define IDS_CREATE_DIR		     20
+#define IDS_REMOVE_DIR		     21
+#define IDS_COPY_FILE		     22
+#define IDS_DELETE_FILE		     23
+#define IDS_OPEN_SCM		     24
+#define IDS_CREATE_SERVICE	     25
+#define IDS_OPEN_SERVICE	     26
+#define IDS_REMOVE_SERVICE	     27
+#define IDS_REGISTER_MESSAGES	     28
+#define IDS_UNREGISTER_MESSAGES	     29
+#define IDS_STOP_SERVICE	     30
+#define IDS_START_SERVICE	     31
+#define IDS_UNINSTALL_DIR	     32
+#define IDS_UNINSTALL_FILES	     33
+#define IDS_UNINSTALL_SERVICE	     34
+#define IDS_UNINSTALL_MESSAGE	     35
+#define IDS_ERR_OPEN_SCM	     36
+#define IDS_ERR_OPEN_SERVICE	     37
+#define IDS_ERR_STOP_SERVICE	     38
+#define IDS_ERR_NONCRIT_FILE	     39
+#define IDS_ERR_CRITICAL_FILE	     40
+#define IDS_ERR_COPY_FILE	     40
+#define IDS_ERR_CREATE_SERVICE	     41
+#define IDS_ERR_REMOVE_SERVICE	     42
+#define IDS_REBOOT		     43
+#define IDS_BAD_PRIVILEGES	     44
+#define IDS_ERR_CREATE_DIR	     45
+#define IDS_VERSION		     46
+#define IDS_ERR_CREATE_KEY	     47
+#define IDS_ERR_SET_VALUE	     48
+#define IDS_NO_VERSION		     49
+#define IDS_EXISTING_NEWER	     50
+#define IDS_FILE_BAD		     51
+#define IDS_ERR_TOOPRIVED	     52
+#define IDS_ERR_BADACCOUNT	     53
+#define IDS_ERR_WRONGPRIV	     54
+#define IDS_CREATEACCOUNT_FAILED     55
+#define IDS_ERR_PASSWORD	     56
+#define IDS_ERR_UPDATE_SERVICE	     57
+#define IDS_ERR_NULLPASSWORD	     58
+#define IDS_ERR_WHITESPACE	     59
+#define IDD_BINDINSTALL_DIALOG	     102
+#define IDR_MAINFRAME		     128
+#define IDD_BROWSE		     129
+#define IDI_CHECK		     130
+#define IDI_X			     132
+#define IDC_CURSOR1		     142
+#define IDD_DIALOG1		     143
+#define IDC_TARGETDIR		     1001
+#define IDC_BROWSE		     1002
+#define IDC_DIRLIST		     1004
+#define IDC_CURDIR		     1005
+#define IDC_INSTALL		     1006
+#define IDC_COPY_FILE		     1007
+#define IDC_REG_SERVICE		     1008
+#define IDC_REG_MESSAGE		     1009
+#define IDC_CREATE_DIR		     1010
+#define IDC_EXIT		     1011
+#define IDC_DIR_TAG		     1012
+#define IDC_COPY_TAG		     1013
+#define IDC_SERVICE_TAG		     1014
+#define IDC_MESSAGE_TAG		     1015
+#define IDC_AUTO_START		     1016
+#define IDC_UNINSTALL		     1017
+#define IDC_VERSION		     1018
+#define IDC_KEEP_FILES		     1019
+#define IDC_CURRENT_TAG		     1020
+#define IDC_DRIVES		     1021
+#define IDC_CURRENT		     1021
+#define IDC_START		     1022
+#define IDC_ACCOUNT_NAME	     1030
+#define IDC_ACCOUNT_PASSWORD	     1031
+#define IDC_ACCOUNT_PASSWORD_CONFIRM 1032
+#define IDC_TOOLS_ONLY		     1033
+#define IDS_ERR_START_SERVICE	     1034
+
+/* Next default values for new objects */
+/* */
+#ifdef APSTUDIO_INVOKED
+#ifndef APSTUDIO_READONLY_SYMBOLS
+#define _APS_NEXT_RESOURCE_VALUE 144
+#define _APS_NEXT_COMMAND_VALUE	 32771
+#define _APS_NEXT_CONTROL_VALUE	 1027
+#define _APS_NEXT_SYMED_VALUE	 104
+#endif /* ifndef APSTUDIO_READONLY_SYMBOLS */
+#endif /* ifdef APSTUDIO_INVOKED */
diff --git a/bind.keys b/bind.keys
new file mode 100644
index 0000000..6d4217f
--- /dev/null
+++ b/bind.keys
@@ -0,0 +1,38 @@
+# The bind.keys file is used to override the built-in DNSSEC trust anchors
+# which are included as part of BIND 9.  The only trust anchors it contains
+# are for the DNS root zone (".").  Trust anchors for any other zones MUST
+# be configured elsewhere; if they are configured here, they will not be
+# recognized or used by named.
+#
+# To use the built-in root key, set "dnssec-validation auto;" in the
+# named.conf options, or else leave "dnssec-validation" unset.  If
+# "dnssec-validation" is set to "yes", then the keys in this file are
+# ignored; keys will need to be explicitly configured in named.conf for
+# validation to work.  "auto" is the default setting, unless named is
+# built with "configure --disable-auto-validation", in which case the
+# default is "yes".
+#
+# This file is NOT expected to be user-configured.
+#
+# Servers being set up for the first time can use the contents of this file
+# as initializing keys; thereafter, the keys in the managed key database
+# will be trusted and maintained automatically.
+#
+# These keys are current as of Mar 2019.  If any key fails to initialize
+# correctly, it may have expired.  In that event you should replace this
+# file with a current version.  The latest version of bind.keys can always
+# be obtained from ISC at https://www.isc.org/bind-keys.
+#
+# See https://data.iana.org/root-anchors/root-anchors.xml for current trust
+# anchor information for the root zone.
+
+trust-anchors {
+        # This key (20326) was published in the root zone in 2017.
+        . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+                +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+                ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+                0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+                oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+                RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+                R1AkUTV74bU=";
+};
diff --git a/bind.keys.h b/bind.keys.h
new file mode 100644
index 0000000..13cfc42
--- /dev/null
+++ b/bind.keys.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef BIND_KEYS_H
+#define BIND_KEYS_H 1
+#define TRUST_ANCHORS \
+	"\
+# The bind.keys file is used to override the built-in DNSSEC trust anchors\n\
+# which are included as part of BIND 9.  The only trust anchors it contains\n\
+# are for the DNS root zone (\".\").  Trust anchors for any other zones MUST\n\
+# be configured elsewhere; if they are configured here, they will not be\n\
+# recognized or used by named.\n\
+#\n\
+# To use the built-in root key, set \"dnssec-validation auto;\" in the\n\
+# named.conf options, or else leave \"dnssec-validation\" unset.  If\n\
+# \"dnssec-validation\" is set to \"yes\", then the keys in this file are\n\
+# ignored; keys will need to be explicitly configured in named.conf for\n\
+# validation to work.  \"auto\" is the default setting, unless named is\n\
+# built with \"configure --disable-auto-validation\", in which case the\n\
+# default is \"yes\".\n\
+#\n\
+# This file is NOT expected to be user-configured.\n\
+#\n\
+# Servers being set up for the first time can use the contents of this file\n\
+# as initializing keys; thereafter, the keys in the managed key database\n\
+# will be trusted and maintained automatically.\n\
+#\n\
+# These keys are current as of Mar 2019.  If any key fails to initialize\n\
+# correctly, it may have expired.  In that event you should replace this\n\
+# file with a current version.  The latest version of bind.keys can always\n\
+# be obtained from ISC at https://www.isc.org/bind-keys.\n\
+#\n\
+# See https://data.iana.org/root-anchors/root-anchors.xml for current trust\n\
+# anchor information for the root zone.\n\
+\n\
+trust-anchors {\n\
+        # This key (20326) was published in the root zone in 2017.\n\
+        . initial-key 257 3 8 \"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3\n\
+                +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv\n\
+                ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF\n\
+                0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e\n\
+                oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd\n\
+                RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN\n\
+                R1AkUTV74bU=\";\n\
+};\n\
+"
+#endif /* BIND_KEYS_H */
diff --git a/cocci/UV_RUNTIME_CHECK.spatch b/cocci/UV_RUNTIME_CHECK.spatch
new file mode 100644
index 0000000..6a50195
--- /dev/null
+++ b/cocci/UV_RUNTIME_CHECK.spatch
@@ -0,0 +1,8 @@
+@@
+expression E;
+int R;
+@@
+
+  R = E(...);
+- UV_RUNTIME_CHECK(...);
++ UV_RUNTIME_CHECK(E, R);
diff --git a/cocci/config-h.spatch b/cocci/config-h.spatch
new file mode 100644
index 0000000..82ef3e8
--- /dev/null
+++ b/cocci/config-h.spatch
@@ -0,0 +1,4 @@
+@@
+@@
+
+- #include <config.h>
diff --git a/cocci/dns_message_create.spatch b/cocci/dns_message_create.spatch
new file mode 100644
index 0000000..bab6d58
--- /dev/null
+++ b/cocci/dns_message_create.spatch
@@ -0,0 +1,84 @@
+@@
+statement S;
+expression V;
+@@
+
+- V =
+  dns_message_create(...);
+- if (V != ISC_R_SUCCESS) S
+
+@@
+statement S1, S2;
+expression V;
+@@
+
+- V =
+  dns_message_create(...);
+- if (V == ISC_R_SUCCESS)
+  S1
+- else S2
+
+@@
+expression V;
+@@
+
+- V =
+  dns_message_create(...);
+- check_result(V, ...);
+
+@@
+@@
+
+- CHECK(
+  dns_message_create(...)
+- )
+  ;
+
+@@
+@@
+
+- DO(...,
+  dns_message_create(...)
+- )
+  ;
+
+@@
+@@
+
+- RETERR(
+  dns_message_create(...)
+- )
+  ;
+
+@@
+expression V;
+@@
+
+- V =
+  dns_message_create(...);
+- assert_int_equal(V, ISC_R_SUCCESS);
+
+@@
+expression V;
+@@
+
+- V =
+  dns_message_create(...);
+- CHECK(..., V);
+
+@@
+expression V;
+statement S;
+@@
+
+- V =
+  dns_message_create(...);
+- if (ISC_UNLIKELY(V != ISC_R_SUCCESS)) S
+
+@@
+expression V;
+@@
+
+- V =
+  dns_message_create(...);
+- RUNTIME_CHECK(V == ISC_R_SUCCESS);
diff --git a/cocci/dns_message_destroy.spatch b/cocci/dns_message_destroy.spatch
new file mode 100644
index 0000000..4043525
--- /dev/null
+++ b/cocci/dns_message_destroy.spatch
@@ -0,0 +1,6 @@
+@@
+expression M;
+@@
+
+- dns_message_destroy(M);
++ dns_message_detach(M);
diff --git a/cocci/dns_name_copy-with-result.spatch b/cocci/dns_name_copy-with-result.spatch
new file mode 100644
index 0000000..c4555c3
--- /dev/null
+++ b/cocci/dns_name_copy-with-result.spatch
@@ -0,0 +1,30 @@
+@@
+expression V, E1, E2;
+statement S;
+@@
+
+- V = dns_name_copy(E1, E2, NULL);
+- if (V != ISC_R_SUCCESS) S
++ RUNTIME_CHECK(dns_name_copy(E1, E2, NULL) == ISC_R_SUCCESS);
+
+@@
+expression V, E1, E2;
+statement S1, S2;
+@@
+
+- V = dns_name_copy(E1, E2, NULL);
+- if (V == ISC_R_SUCCESS) S1 else S2;
++ RUNTIME_CHECK(dns_name_copy(E1, E2, NULL) == ISC_R_SUCCESS);
++ S2
+
+@@
+expression V, E1, E2;
+statement S1, S2;
+@@
+
+- V = dns_name_copy(E1, E2, NULL);
+- S1
+- if (V == ISC_R_SUCCESS) S2
++ RUNTIME_CHECK(dns_name_copy(E1, E2, NULL) == ISC_R_SUCCESS);
++ S1
++ S2
diff --git a/cocci/dns_name_copy.spatch b/cocci/dns_name_copy.spatch
new file mode 100644
index 0000000..89e340c
--- /dev/null
+++ b/cocci/dns_name_copy.spatch
@@ -0,0 +1,30 @@
+@@
+expression E1, E2;
+@@
+
+- dns_name_copy(E1, E2, NULL);
++ RUNTIME_CHECK(dns_name_copy(E1, E2, NULL) == ISC_R_SUCCESS);
+
+@@
+expression E1, E2;
+@@
+
+- (void)dns_name_copy(E1, E2, NULL);
++ RUNTIME_CHECK(dns_name_copy(E1, E2, NULL) == ISC_R_SUCCESS);
+
+@@
+expression E1, E2;
+@@
+
+- return (dns_name_copy(E1, E2, NULL));
++ RUNTIME_CHECK(dns_name_copy(E1, E2, NULL) == ISC_R_SUCCESS);
++ return (ISC_R_SUCCESS);
+
+// ./bin/named/query.c processing broken with this rule, fix manually
+// @@
+// expression V, E1, E2;
+// @@
+//
+// - V = dns_name_copy(E1, E2, NULL);
+// - RUNTIME_CHECK(V == ISC_R_SUCCESS);
+// + RUNTIME_CHECK(dns_name_copy(E1, E2, NULL) == ISC_R_SUCCESS);
diff --git a/cocci/dns_name_copynf.spatch b/cocci/dns_name_copynf.spatch
new file mode 100644
index 0000000..7853b67
--- /dev/null
+++ b/cocci/dns_name_copynf.spatch
@@ -0,0 +1,6 @@
+@@
+expression E1, E2;
+@@
+
+- RUNTIME_CHECK(dns_name_copy(E1, E2, NULL) == ISC_R_SUCCESS);
++ dns_name_copynf(E1, E2);
diff --git a/cocci/dns_name_dup.disabled b/cocci/dns_name_dup.disabled
new file mode 100644
index 0000000..42eddce
--- /dev/null
+++ b/cocci/dns_name_dup.disabled
@@ -0,0 +1,40 @@
+@@
+expression E1, E2, E3;
+statement S;
+expression V;
+@@
+
+- V = dns_name_dup(E1, E2, E3);
++ dns_name_dup(E1, E2, E3);
+- if (V != ISC_R_SUCCESS) S
+
+@@
+expression E1, E2, E3;
+statement S1, S2;
+expression V;
+@@
+
+- V = dns_name_dup(E1, E2, E3);
+- if (V != ISC_R_SUCCESS) S1 else { S2 }
++ dns_name_dup(E1, E2, E3);
++ S2
+
+@@
+expression E1, E2, E3;
+expression V;
+@@
+
+- V = dns_name_dup(E1, E2, E3);
+- RUNTIME_CHECK(V == ISC_R_SUCCESS);
++ dns_name_dup(E1, E2, E3);
+
+@@
+expression E1, E2, E3;
+statement S1, S2;
+expression V;
+@@
+
+- V = dns_name_dup(E1, E2, E3);
++ dns_name_dup(E1, E2, E3);
+S1
+- if (V != ISC_R_SUCCESS) S2
diff --git a/cocci/dns_rbtnodechain_init.disabled b/cocci/dns_rbtnodechain_init.disabled
new file mode 100644
index 0000000..1c02a83
--- /dev/null
+++ b/cocci/dns_rbtnodechain_init.disabled
@@ -0,0 +1,7 @@
+@@
+expression C;
+expression M;
+@@
+
+- dns_rbtnodechain_init(C, M);
++ dns_rbtnodechain_init(C);
diff --git a/cocci/isc_buffer_allocate_never_fail.spatch b/cocci/isc_buffer_allocate_never_fail.spatch
new file mode 100644
index 0000000..b632e4e
--- /dev/null
+++ b/cocci/isc_buffer_allocate_never_fail.spatch
@@ -0,0 +1,84 @@
+@@
+statement S;
+expression V;
+@@
+
+- V =
+  isc_buffer_allocate(...);
+- if (V != ISC_R_SUCCESS) S
+
+@@
+statement S1, S2;
+expression V;
+@@
+
+- V =
+  isc_buffer_allocate(...);
+- if (V == ISC_R_SUCCESS)
+  S1
+- else S2
+
+@@
+expression V;
+@@
+
+- V =
+  isc_buffer_allocate(...);
+- check_result(V, ...);
+
+@@
+@@
+
+- CHECK(
+  isc_buffer_allocate(...)
+- )
+  ;
+
+@@
+@@
+
+- DO(...,
+  isc_buffer_allocate(...)
+- )
+  ;
+
+@@
+@@
+
+- RETERR(
+  isc_buffer_allocate(...)
+- )
+  ;
+
+@@
+expression V;
+@@
+
+- V =
+  isc_buffer_allocate(...);
+- assert_int_equal(V, ISC_R_SUCCESS);
+
+@@
+expression V;
+@@
+
+- V =
+  isc_buffer_allocate(...);
+- CHECK(..., V);
+
+@@
+expression V;
+statement S;
+@@
+
+- V =
+  isc_buffer_allocate(...);
+- if (ISC_UNLIKELY(V != ISC_R_SUCCESS)) S
+
+@@
+expression V;
+@@
+
+- V =
+  isc_buffer_allocate(...);
+- RUNTIME_CHECK(V == ISC_R_SUCCESS);
diff --git a/cocci/isc_event_allocat_never_fail.spatch b/cocci/isc_event_allocat_never_fail.spatch
new file mode 100644
index 0000000..eab2265
--- /dev/null
+++ b/cocci/isc_event_allocat_never_fail.spatch
@@ -0,0 +1,33 @@
+@@
+statement S;
+expression V;
+@@
+
+V = isc_event_allocate(...);
+- if (V == NULL) S
+
+@@
+type T;
+statement S;
+expression V;
+@@
+
+V = (T *)isc_event_allocate(...);
+- if (V == NULL) S
+
+@@
+statement S;
+expression V;
+@@
+
+if (V == NULL) V = isc_event_allocate(...);
+- if (V == NULL) S
+
+@@
+statement S1, S2;
+expression V;
+@@
+
+V = isc_event_allocate(...);
+- if (V == NULL) S1 else { S2 }
++ S2
diff --git a/cocci/isc_mem_allocate_never_fail.spatch b/cocci/isc_mem_allocate_never_fail.spatch
new file mode 100644
index 0000000..c7e6069
--- /dev/null
+++ b/cocci/isc_mem_allocate_never_fail.spatch
@@ -0,0 +1,41 @@
+@@
+statement S;
+expression V;
+@@
+
+V = isc_mem_allocate(...);
+- if (V == NULL) S
+
+@@
+type T;
+statement S;
+expression V;
+@@
+
+V = (T *)isc_mem_allocate(...);
+- if (V == NULL) S
+
+@@
+statement S;
+expression V;
+@@
+
+if (V == NULL) V = isc_mem_allocate(...);
+- if (V == NULL) S
+
+@@
+statement S1, S2;
+expression V;
+@@
+
+V = isc_mem_allocate(...);
+- if (V == NULL) S1 else { S2 }
++ S2
+
+@@
+type T;
+expression V, E1, E2;
+@@
+
+- V = (T)isc_mem_allocate(E1, E2);
++ V = isc_mem_allocate(E1, E2);
diff --git a/cocci/isc_mem_create_never_fail.disabled b/cocci/isc_mem_create_never_fail.disabled
new file mode 100644
index 0000000..e526506
--- /dev/null
+++ b/cocci/isc_mem_create_never_fail.disabled
@@ -0,0 +1,95 @@
+@@
+statement S;
+expression E;
+@@
+
+- if (isc_mem_create(0, 0, E) != ISC_R_SUCCESS) S;
++ isc_mem_create(E);
+
+@@
+statement S;
+expression V, E;
+@@
+
+- V = isc_mem_create(0, 0, E);
+- if (V == ISC_R_SUCCESS) S
++ isc_mem_create(E);
++ S
+
+
+@@
+statement S;
+expression V, E;
+@@
+
+- V = isc_mem_create(0, 0, E);
+- if (V != ISC_R_SUCCESS) S
++ isc_mem_create(E);
+
+@@
+expression V, E;
+@@
+
+- V = isc_mem_create(0, 0, E);
+- check_result(V, ...);
++ isc_mem_create(E);
+
+@@
+statement S;
+expression V, E, C;
+@@
+
+- if (C) { V = isc_mem_create(0, 0, E); }
+- if (V != ISC_R_SUCCESS) S
++ if (C) { isc_mem_create(E); }
+
+@@
+expression E;
+@@
+
+- RUNTIME_CHECK(isc_mem_create(0, 0, E) == ISC_R_SUCCESS);
++ isc_mem_create(E);
+
+@@
+expression E;
+@@
+
+- RUNCHECK(isc_mem_create(0, 0, E));
++ isc_mem_create(E);
+
+@@
+expression E;
+@@
+
+- CHECK(isc_mem_create(0, 0, E), ...);
++ isc_mem_create(E);
+
+@@
+expression E;
+@@
+
+- CHECK(isc_mem_create(0, 0, E));
++ isc_mem_create(E);
+
+@@
+expression V, E;
+@@
+
+- V = isc_mem_create(0, 0, E);
+- assert_int_equal(V, ISC_R_SUCCESS);
++ isc_mem_create(E);
+
+@@
+expression E;
+statement S;
+@@
+
+- if (isc_mem_create(0, 0, E) != ISC_R_SUCCESS) S
++ isc_mem_create(E);
+
+@@
+expression E;
+@@
+
+- DO(..., isc_mem_create(0, 0, E));
++ isc_mem_create(E);
diff --git a/cocci/isc_mem_get_never_fail.spatch b/cocci/isc_mem_get_never_fail.spatch
new file mode 100644
index 0000000..e79a040
--- /dev/null
+++ b/cocci/isc_mem_get_never_fail.spatch
@@ -0,0 +1,41 @@
+@@
+statement S;
+expression V;
+@@
+
+V = isc_mem_get(...);
+- if (V == NULL) S
+
+@@
+type T;
+statement S;
+expression V;
+@@
+
+V = (T *)isc_mem_get(...);
+- if (V == NULL) S
+
+@@
+statement S;
+expression V;
+@@
+
+if (V == NULL) V = isc_mem_get(...);
+- if (V == NULL) S
+
+@@
+statement S1, S2;
+expression V;
+@@
+
+V = isc_mem_get(...);
+- if (V == NULL) S1 else { S2 }
++ S2
+
+@@
+type T;
+expression V, E1, E2;
+@@
+
+- V = (T)isc_mem_get(E1, E2);
++ V = isc_mem_get(E1, E2);
diff --git a/cocci/isc_mem_putanddetach.spatch b/cocci/isc_mem_putanddetach.spatch
new file mode 100644
index 0000000..0f29779
--- /dev/null
+++ b/cocci/isc_mem_putanddetach.spatch
@@ -0,0 +1,8 @@
+@@
+expression M;
+expression E1, E2;
+@@
+
+- isc_mem_put(M, E1, E2);
+- isc_mem_detach(&M);
++ isc_mem_putanddetach(&M, E1, E2);
diff --git a/cocci/isc_mem_strdup_never_fail.spatch b/cocci/isc_mem_strdup_never_fail.spatch
new file mode 100644
index 0000000..41cccdb
--- /dev/null
+++ b/cocci/isc_mem_strdup_never_fail.spatch
@@ -0,0 +1,33 @@
+@@
+statement S;
+expression V;
+@@
+
+V = isc_mem_strdup(...);
+- if (V == NULL) S
+
+@@
+type T;
+statement S;
+expression V;
+@@
+
+V = (T *)isc_mem_strdup(...);
+- if (V == NULL) S
+
+@@
+statement S;
+expression V;
+@@
+
+if (V == NULL) V = isc_mem_strdup(...);
+- if (V == NULL) S
+
+@@
+statement S1, S2;
+expression V;
+@@
+
+V = isc_mem_strdup(...);
+- if (V == NULL) S1 else { S2 }
++ S2
diff --git a/cocci/isc_mempool_create_cannot_fail.cocci b/cocci/isc_mempool_create_cannot_fail.cocci
new file mode 100644
index 0000000..f3509d2
--- /dev/null
+++ b/cocci/isc_mempool_create_cannot_fail.cocci
@@ -0,0 +1,49 @@
+@@
+expression V;
+@@
+
+- V =
+  isc_mempool_create(...);
+- assert_int_equal(V, ISC_R_SUCCESS);
+
+@@
+expression V;
+@@
+
+- V =
+  isc_mempool_create(...);
+- check_result(V, ...);
+
+@@
+@@
+
+- CHECK(
+  isc_mempool_create(...)
+- )
+  ;
+
+@@
+@@
+
+- RUNTIME_CHECK(
+  isc_mempool_create(...)
+- == ISC_R_SUCCESS)
+  ;
+
+@@
+expression V;
+statement S;
+@@
+
+- V =
+  isc_mempool_create(...);
+- if (V != ISC_R_SUCCESS) S
+
+@@
+statement S;
+@@
+
+- if (
+  isc_mempool_create(...)
+- != ISC_R_SUCCESS) S
++ ;
diff --git a/cocci/memcpy.spatch b/cocci/memcpy.spatch
new file mode 100644
index 0000000..f5e50e7
--- /dev/null
+++ b/cocci/memcpy.spatch
@@ -0,0 +1,14 @@
+@has_string_h@
+@@
+
+#include <string.h>
+
+@depends on has_string_h@
+
+expression D;
+expression S;
+expression N;
+@@
+
+- memcpy(D, S, N);
++ memmove(D, S, N);
diff --git a/cocci/null-the-pointer-early.disabled b/cocci/null-the-pointer-early.disabled
new file mode 100644
index 0000000..46fdffc
--- /dev/null
+++ b/cocci/null-the-pointer-early.disabled
@@ -0,0 +1,21 @@
+@@
+type T;
+T **PP;
+T *P;
+@@
+
+  P = *PP;
++ *PP = NULL;
+  ...
+- *PP = NULL;
+
+@@
+type T;
+identifier PP;
+identifier P;
+@@
+
+  T *P = *PP;
++ *PP = NULL;
+  ...
+- *PP = NULL;
diff --git a/cocci/return-void-from-void.spatch b/cocci/return-void-from-void.spatch
new file mode 100644
index 0000000..fcc639f
--- /dev/null
+++ b/cocci/return-void-from-void.spatch
@@ -0,0 +1,19 @@
+@ rule1 @
+identifier f1;
+@@
+
+void f1(...)
+{
+...
+}
+
+@ rule2 @
+identifier rule1.f1;
+identifier f2;
+@@
+
+void f2(...) {
+...
+* return(f1(...));
+...
+}
diff --git a/cocci/unreachable.spatch b/cocci/unreachable.spatch
new file mode 100644
index 0000000..84c0c34
--- /dev/null
+++ b/cocci/unreachable.spatch
@@ -0,0 +1,19 @@
+@@
+@@
+
+-   INSIST(0);
++   UNREACHABLE();
+    ... when != UNREACHABLE();
+
+@@
+@@
+
+-   INSIST(0);
+-   ISC_UNREACHABLE();
++   UNREACHABLE();
+
+@@
+@@
+
+- UNREACHABLE();
+  UNREACHABLE();
diff --git a/config.guess b/config.guess
new file mode 100755
index 0000000..dbfb978
--- /dev/null
+++ b/config.guess
@@ -0,0 +1,1421 @@
+#! /bin/sh
+# Attempt to guess a canonical system name.
+#   Copyright 1992-2015 Free Software Foundation, Inc.
+
+timestamp='2015-01-01'
+
+# This file is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that
+# program.  This Exception is an additional permission under section 7
+# of the GNU General Public License, version 3 ("GPLv3").
+#
+# Originally written by Per Bothner; maintained since 2000 by Ben Elliston.
+#
+# You can get the latest version of this script from:
+# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD
+#
+# Please send patches to <config-patches@gnu.org>.
+
+
+me=`echo "$0" | sed -e 's,.*/,,'`
+
+usage="\
+Usage: $0 [OPTION]
+
+Output the configuration name of the system \`$me' is run on.
+
+Operation modes:
+  -h, --help         print this help, then exit
+  -t, --time-stamp   print date of last modification, then exit
+  -v, --version      print version number, then exit
+
+Report bugs and patches to <config-patches@gnu.org>."
+
+version="\
+GNU config.guess ($timestamp)
+
+Originally written by Per Bothner.
+Copyright 1992-2015 Free Software Foundation, Inc.
+
+This is free software; see the source for copying conditions.  There is NO
+warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
+
+help="
+Try \`$me --help' for more information."
+
+# Parse command line
+while test $# -gt 0 ; do
+  case $1 in
+    --time-stamp | --time* | -t )
+       echo "$timestamp" ; exit ;;
+    --version | -v )
+       echo "$version" ; exit ;;
+    --help | --h* | -h )
+       echo "$usage"; exit ;;
+    -- )     # Stop option processing
+       shift; break ;;
+    - )	# Use stdin as input.
+       break ;;
+    -* )
+       echo "$me: invalid option $1$help" >&2
+       exit 1 ;;
+    * )
+       break ;;
+  esac
+done
+
+if test $# != 0; then
+  echo "$me: too many arguments$help" >&2
+  exit 1
+fi
+
+trap 'exit 1' 1 2 15
+
+# CC_FOR_BUILD -- compiler used by this script. Note that the use of a
+# compiler to aid in system detection is discouraged as it requires
+# temporary files to be created and, as you can see below, it is a
+# headache to deal with in a portable fashion.
+
+# Historically, `CC_FOR_BUILD' used to be named `HOST_CC'. We still
+# use `HOST_CC' if defined, but it is deprecated.
+
+# Portable tmp directory creation inspired by the Autoconf team.
+
+set_cc_for_build='
+trap "exitcode=\$?; (rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null) && exit \$exitcode" 0 ;
+trap "rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null; exit 1" 1 2 13 15 ;
+: ${TMPDIR=/tmp} ;
+ { tmp=`(umask 077 && mktemp -d "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } ||
+ { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir $tmp) ; } ||
+ { tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir $tmp) && echo "Warning: creating insecure temp directory" >&2 ; } ||
+ { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } ;
+dummy=$tmp/dummy ;
+tmpfiles="$dummy.c $dummy.o $dummy.rel $dummy" ;
+case $CC_FOR_BUILD,$HOST_CC,$CC in
+ ,,)    echo "int x;" > $dummy.c ;
+	for c in cc gcc c89 c99 ; do
+	  if ($c -c -o $dummy.o $dummy.c) >/dev/null 2>&1 ; then
+	     CC_FOR_BUILD="$c"; break ;
+	  fi ;
+	done ;
+	if test x"$CC_FOR_BUILD" = x ; then
+	  CC_FOR_BUILD=no_compiler_found ;
+	fi
+	;;
+ ,,*)   CC_FOR_BUILD=$CC ;;
+ ,*,*)  CC_FOR_BUILD=$HOST_CC ;;
+esac ; set_cc_for_build= ;'
+
+# This is needed to find uname on a Pyramid OSx when run in the BSD universe.
+# (ghazi@noc.rutgers.edu 1994-08-24)
+if (test -f /.attbin/uname) >/dev/null 2>&1 ; then
+	PATH=$PATH:/.attbin ; export PATH
+fi
+
+UNAME_MACHINE=`(uname -m) 2>/dev/null` || UNAME_MACHINE=unknown
+UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown
+UNAME_SYSTEM=`(uname -s) 2>/dev/null`  || UNAME_SYSTEM=unknown
+UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown
+
+case "${UNAME_SYSTEM}" in
+Linux|GNU|GNU/*)
+	# If the system lacks a compiler, then just pick glibc.
+	# We could probably try harder.
+	LIBC=gnu
+
+	eval $set_cc_for_build
+	cat <<-EOF > $dummy.c
+	#include <features.h>
+	#if defined(__UCLIBC__)
+	LIBC=uclibc
+	#elif defined(__dietlibc__)
+	LIBC=dietlibc
+	#else
+	LIBC=gnu
+	#endif
+	EOF
+	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC' | sed 's, ,,g'`
+	;;
+esac
+
+# Note: order is significant - the case branches are not exclusive.
+
+case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
+    *:NetBSD:*:*)
+	# NetBSD (nbsd) targets should (where applicable) match one or
+	# more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*,
+	# *-*-netbsdecoff* and *-*-netbsd*.  For targets that recently
+	# switched to ELF, *-*-netbsd* would select the old
+	# object file format.  This provides both forward
+	# compatibility and a consistent mechanism for selecting the
+	# object file format.
+	#
+	# Note: NetBSD doesn't particularly care about the vendor
+	# portion of the name.  We always set it to "unknown".
+	sysctl="sysctl -n hw.machine_arch"
+	UNAME_MACHINE_ARCH=`(/sbin/$sysctl 2>/dev/null || \
+	    /usr/sbin/$sysctl 2>/dev/null || echo unknown)`
+	case "${UNAME_MACHINE_ARCH}" in
+	    armeb) machine=armeb-unknown ;;
+	    arm*) machine=arm-unknown ;;
+	    sh3el) machine=shl-unknown ;;
+	    sh3eb) machine=sh-unknown ;;
+	    sh5el) machine=sh5le-unknown ;;
+	    *) machine=${UNAME_MACHINE_ARCH}-unknown ;;
+	esac
+	# The Operating System including object format, if it has switched
+	# to ELF recently, or will in the future.
+	case "${UNAME_MACHINE_ARCH}" in
+	    arm*|i386|m68k|ns32k|sh3*|sparc|vax)
+		eval $set_cc_for_build
+		if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \
+			| grep -q __ELF__
+		then
+		    # Once all utilities can be ECOFF (netbsdecoff) or a.out (netbsdaout).
+		    # Return netbsd for either.  FIX?
+		    os=netbsd
+		else
+		    os=netbsdelf
+		fi
+		;;
+	    *)
+		os=netbsd
+		;;
+	esac
+	# The OS release
+	# Debian GNU/NetBSD machines have a different userland, and
+	# thus, need a distinct triplet. However, they do not need
+	# kernel version information, so it can be replaced with a
+	# suitable tag, in the style of linux-gnu.
+	case "${UNAME_VERSION}" in
+	    Debian*)
+		release='-gnu'
+		;;
+	    *)
+		release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'`
+		;;
+	esac
+	# Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM:
+	# contains redundant information, the shorter form:
+	# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used.
+	echo "${machine}-${os}${release}"
+	exit ;;
+    *:Bitrig:*:*)
+	UNAME_MACHINE_ARCH=`arch | sed 's/Bitrig.//'`
+	echo ${UNAME_MACHINE_ARCH}-unknown-bitrig${UNAME_RELEASE}
+	exit ;;
+    *:OpenBSD:*:*)
+	UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'`
+	echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE}
+	exit ;;
+    *:ekkoBSD:*:*)
+	echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE}
+	exit ;;
+    *:SolidBSD:*:*)
+	echo ${UNAME_MACHINE}-unknown-solidbsd${UNAME_RELEASE}
+	exit ;;
+    macppc:MirBSD:*:*)
+	echo powerpc-unknown-mirbsd${UNAME_RELEASE}
+	exit ;;
+    *:MirBSD:*:*)
+	echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE}
+	exit ;;
+    alpha:OSF1:*:*)
+	case $UNAME_RELEASE in
+	*4.0)
+		UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'`
+		;;
+	*5.*)
+		UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'`
+		;;
+	esac
+	# According to Compaq, /usr/sbin/psrinfo has been available on
+	# OSF/1 and Tru64 systems produced since 1995.  I hope that
+	# covers most systems running today.  This code pipes the CPU
+	# types through head -n 1, so we only detect the type of CPU 0.
+	ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^  The alpha \(.*\) processor.*$/\1/p' | head -n 1`
+	case "$ALPHA_CPU_TYPE" in
+	    "EV4 (21064)")
+		UNAME_MACHINE="alpha" ;;
+	    "EV4.5 (21064)")
+		UNAME_MACHINE="alpha" ;;
+	    "LCA4 (21066/21068)")
+		UNAME_MACHINE="alpha" ;;
+	    "EV5 (21164)")
+		UNAME_MACHINE="alphaev5" ;;
+	    "EV5.6 (21164A)")
+		UNAME_MACHINE="alphaev56" ;;
+	    "EV5.6 (21164PC)")
+		UNAME_MACHINE="alphapca56" ;;
+	    "EV5.7 (21164PC)")
+		UNAME_MACHINE="alphapca57" ;;
+	    "EV6 (21264)")
+		UNAME_MACHINE="alphaev6" ;;
+	    "EV6.7 (21264A)")
+		UNAME_MACHINE="alphaev67" ;;
+	    "EV6.8CB (21264C)")
+		UNAME_MACHINE="alphaev68" ;;
+	    "EV6.8AL (21264B)")
+		UNAME_MACHINE="alphaev68" ;;
+	    "EV6.8CX (21264D)")
+		UNAME_MACHINE="alphaev68" ;;
+	    "EV6.9A (21264/EV69A)")
+		UNAME_MACHINE="alphaev69" ;;
+	    "EV7 (21364)")
+		UNAME_MACHINE="alphaev7" ;;
+	    "EV7.9 (21364A)")
+		UNAME_MACHINE="alphaev79" ;;
+	esac
+	# A Pn.n version is a patched version.
+	# A Vn.n version is a released version.
+	# A Tn.n version is a released field test version.
+	# A Xn.n version is an unreleased experimental baselevel.
+	# 1.2 uses "1.2" for uname -r.
+	echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
+	# Reset EXIT trap before exiting to avoid spurious non-zero exit code.
+	exitcode=$?
+	trap '' 0
+	exit $exitcode ;;
+    Alpha\ *:Windows_NT*:*)
+	# How do we know it's Interix rather than the generic POSIX subsystem?
+	# Should we change UNAME_MACHINE based on the output of uname instead
+	# of the specific Alpha model?
+	echo alpha-pc-interix
+	exit ;;
+    21064:Windows_NT:50:3)
+	echo alpha-dec-winnt3.5
+	exit ;;
+    Amiga*:UNIX_System_V:4.0:*)
+	echo m68k-unknown-sysv4
+	exit ;;
+    *:[Aa]miga[Oo][Ss]:*:*)
+	echo ${UNAME_MACHINE}-unknown-amigaos
+	exit ;;
+    *:[Mm]orph[Oo][Ss]:*:*)
+	echo ${UNAME_MACHINE}-unknown-morphos
+	exit ;;
+    *:OS/390:*:*)
+	echo i370-ibm-openedition
+	exit ;;
+    *:z/VM:*:*)
+	echo s390-ibm-zvmoe
+	exit ;;
+    *:OS400:*:*)
+	echo powerpc-ibm-os400
+	exit ;;
+    arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*)
+	echo arm-acorn-riscix${UNAME_RELEASE}
+	exit ;;
+    arm*:riscos:*:*|arm*:RISCOS:*:*)
+	echo arm-unknown-riscos
+	exit ;;
+    SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*)
+	echo hppa1.1-hitachi-hiuxmpp
+	exit ;;
+    Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*)
+	# akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE.
+	if test "`(/bin/universe) 2>/dev/null`" = att ; then
+		echo pyramid-pyramid-sysv3
+	else
+		echo pyramid-pyramid-bsd
+	fi
+	exit ;;
+    NILE*:*:*:dcosx)
+	echo pyramid-pyramid-svr4
+	exit ;;
+    DRS?6000:unix:4.0:6*)
+	echo sparc-icl-nx6
+	exit ;;
+    DRS?6000:UNIX_SV:4.2*:7* | DRS?6000:isis:4.2*:7*)
+	case `/usr/bin/uname -p` in
+	    sparc) echo sparc-icl-nx7; exit ;;
+	esac ;;
+    s390x:SunOS:*:*)
+	echo ${UNAME_MACHINE}-ibm-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit ;;
+    sun4H:SunOS:5.*:*)
+	echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit ;;
+    sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*)
+	echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit ;;
+    i86pc:AuroraUX:5.*:* | i86xen:AuroraUX:5.*:*)
+	echo i386-pc-auroraux${UNAME_RELEASE}
+	exit ;;
+    i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*)
+	eval $set_cc_for_build
+	SUN_ARCH="i386"
+	# If there is a compiler, see if it is configured for 64-bit objects.
+	# Note that the Sun cc does not turn __LP64__ into 1 like gcc does.
+	# This test works for both compilers.
+	if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then
+	    if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \
+		(CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \
+		grep IS_64BIT_ARCH >/dev/null
+	    then
+		SUN_ARCH="x86_64"
+	    fi
+	fi
+	echo ${SUN_ARCH}-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit ;;
+    sun4*:SunOS:6*:*)
+	# According to config.sub, this is the proper way to canonicalize
+	# SunOS6.  Hard to guess exactly what SunOS6 will be like, but
+	# it's likely to be more like Solaris than SunOS4.
+	echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit ;;
+    sun4*:SunOS:*:*)
+	case "`/usr/bin/arch -k`" in
+	    Series*|S4*)
+		UNAME_RELEASE=`uname -v`
+		;;
+	esac
+	# Japanese Language versions have a version number like `4.1.3-JL'.
+	echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'`
+	exit ;;
+    sun3*:SunOS:*:*)
+	echo m68k-sun-sunos${UNAME_RELEASE}
+	exit ;;
+    sun*:*:4.2BSD:*)
+	UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null`
+	test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3
+	case "`/bin/arch`" in
+	    sun3)
+		echo m68k-sun-sunos${UNAME_RELEASE}
+		;;
+	    sun4)
+		echo sparc-sun-sunos${UNAME_RELEASE}
+		;;
+	esac
+	exit ;;
+    aushp:SunOS:*:*)
+	echo sparc-auspex-sunos${UNAME_RELEASE}
+	exit ;;
+    # The situation for MiNT is a little confusing.  The machine name
+    # can be virtually everything (everything which is not
+    # "atarist" or "atariste" at least should have a processor
+    # > m68000).  The system name ranges from "MiNT" over "FreeMiNT"
+    # to the lowercase version "mint" (or "freemint").  Finally
+    # the system name "TOS" denotes a system which is actually not
+    # MiNT.  But MiNT is downward compatible to TOS, so this should
+    # be no problem.
+    atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*)
+	echo m68k-atari-mint${UNAME_RELEASE}
+	exit ;;
+    atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*)
+	echo m68k-atari-mint${UNAME_RELEASE}
+	exit ;;
+    *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*)
+	echo m68k-atari-mint${UNAME_RELEASE}
+	exit ;;
+    milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*)
+	echo m68k-milan-mint${UNAME_RELEASE}
+	exit ;;
+    hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*)
+	echo m68k-hades-mint${UNAME_RELEASE}
+	exit ;;
+    *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*)
+	echo m68k-unknown-mint${UNAME_RELEASE}
+	exit ;;
+    m68k:machten:*:*)
+	echo m68k-apple-machten${UNAME_RELEASE}
+	exit ;;
+    powerpc:machten:*:*)
+	echo powerpc-apple-machten${UNAME_RELEASE}
+	exit ;;
+    RISC*:Mach:*:*)
+	echo mips-dec-mach_bsd4.3
+	exit ;;
+    RISC*:ULTRIX:*:*)
+	echo mips-dec-ultrix${UNAME_RELEASE}
+	exit ;;
+    VAX*:ULTRIX*:*:*)
+	echo vax-dec-ultrix${UNAME_RELEASE}
+	exit ;;
+    2020:CLIX:*:* | 2430:CLIX:*:*)
+	echo clipper-intergraph-clix${UNAME_RELEASE}
+	exit ;;
+    mips:*:*:UMIPS | mips:*:*:RISCos)
+	eval $set_cc_for_build
+	sed 's/^	//' << EOF >$dummy.c
+#ifdef __cplusplus
+#include <stdio.h>  /* for printf() prototype */
+	int main (int argc, char *argv[]) {
+#else
+	int main (argc, argv) int argc; char *argv[]; {
+#endif
+	#if defined (host_mips) && defined (MIPSEB)
+	#if defined (SYSTYPE_SYSV)
+	  printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0);
+	#endif
+	#if defined (SYSTYPE_SVR4)
+	  printf ("mips-mips-riscos%ssvr4\n", argv[1]); exit (0);
+	#endif
+	#if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD)
+	  printf ("mips-mips-riscos%sbsd\n", argv[1]); exit (0);
+	#endif
+	#endif
+	  exit (-1);
+	}
+EOF
+	$CC_FOR_BUILD -o $dummy $dummy.c &&
+	  dummyarg=`echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` &&
+	  SYSTEM_NAME=`$dummy $dummyarg` &&
+	    { echo "$SYSTEM_NAME"; exit; }
+	echo mips-mips-riscos${UNAME_RELEASE}
+	exit ;;
+    Motorola:PowerMAX_OS:*:*)
+	echo powerpc-motorola-powermax
+	exit ;;
+    Motorola:*:4.3:PL8-*)
+	echo powerpc-harris-powermax
+	exit ;;
+    Night_Hawk:*:*:PowerMAX_OS | Synergy:PowerMAX_OS:*:*)
+	echo powerpc-harris-powermax
+	exit ;;
+    Night_Hawk:Power_UNIX:*:*)
+	echo powerpc-harris-powerunix
+	exit ;;
+    m88k:CX/UX:7*:*)
+	echo m88k-harris-cxux7
+	exit ;;
+    m88k:*:4*:R4*)
+	echo m88k-motorola-sysv4
+	exit ;;
+    m88k:*:3*:R3*)
+	echo m88k-motorola-sysv3
+	exit ;;
+    AViiON:dgux:*:*)
+	# DG/UX returns AViiON for all architectures
+	UNAME_PROCESSOR=`/usr/bin/uname -p`
+	if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ]
+	then
+	    if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \
+	       [ ${TARGET_BINARY_INTERFACE}x = x ]
+	    then
+		echo m88k-dg-dgux${UNAME_RELEASE}
+	    else
+		echo m88k-dg-dguxbcs${UNAME_RELEASE}
+	    fi
+	else
+	    echo i586-dg-dgux${UNAME_RELEASE}
+	fi
+	exit ;;
+    M88*:DolphinOS:*:*)	# DolphinOS (SVR3)
+	echo m88k-dolphin-sysv3
+	exit ;;
+    M88*:*:R3*:*)
+	# Delta 88k system running SVR3
+	echo m88k-motorola-sysv3
+	exit ;;
+    XD88*:*:*:*) # Tektronix XD88 system running UTekV (SVR3)
+	echo m88k-tektronix-sysv3
+	exit ;;
+    Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD)
+	echo m68k-tektronix-bsd
+	exit ;;
+    *:IRIX*:*:*)
+	echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'`
+	exit ;;
+    ????????:AIX?:[12].1:2)   # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX.
+	echo romp-ibm-aix     # uname -m gives an 8 hex-code CPU id
+	exit ;;               # Note that: echo "'`uname -s`'" gives 'AIX '
+    i*86:AIX:*:*)
+	echo i386-ibm-aix
+	exit ;;
+    ia64:AIX:*:*)
+	if [ -x /usr/bin/oslevel ] ; then
+		IBM_REV=`/usr/bin/oslevel`
+	else
+		IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
+	fi
+	echo ${UNAME_MACHINE}-ibm-aix${IBM_REV}
+	exit ;;
+    *:AIX:2:3)
+	if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then
+		eval $set_cc_for_build
+		sed 's/^		//' << EOF >$dummy.c
+		#include <sys/systemcfg.h>
+
+		main()
+			{
+			if (!__power_pc())
+				exit(1);
+			puts("powerpc-ibm-aix3.2.5");
+			exit(0);
+			}
+EOF
+		if $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy`
+		then
+			echo "$SYSTEM_NAME"
+		else
+			echo rs6000-ibm-aix3.2.5
+		fi
+	elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then
+		echo rs6000-ibm-aix3.2.4
+	else
+		echo rs6000-ibm-aix3.2
+	fi
+	exit ;;
+    *:AIX:*:[4567])
+	IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'`
+	if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then
+		IBM_ARCH=rs6000
+	else
+		IBM_ARCH=powerpc
+	fi
+	if [ -x /usr/bin/lslpp ] ; then
+		IBM_REV=`/usr/bin/lslpp -Lqc bos.rte.libc |
+			   awk -F: '{ print $3 }' | sed s/[0-9]*$/0/`
+	else
+		IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
+	fi
+	echo ${IBM_ARCH}-ibm-aix${IBM_REV}
+	exit ;;
+    *:AIX:*:*)
+	echo rs6000-ibm-aix
+	exit ;;
+    ibmrt:4.4BSD:*|romp-ibm:BSD:*)
+	echo romp-ibm-bsd4.4
+	exit ;;
+    ibmrt:*BSD:*|romp-ibm:BSD:*)            # covers RT/PC BSD and
+	echo romp-ibm-bsd${UNAME_RELEASE}   # 4.3 with uname added to
+	exit ;;                             # report: romp-ibm BSD 4.3
+    *:BOSX:*:*)
+	echo rs6000-bull-bosx
+	exit ;;
+    DPX/2?00:B.O.S.:*:*)
+	echo m68k-bull-sysv3
+	exit ;;
+    9000/[34]??:4.3bsd:1.*:*)
+	echo m68k-hp-bsd
+	exit ;;
+    hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*)
+	echo m68k-hp-bsd4.4
+	exit ;;
+    9000/[34678]??:HP-UX:*:*)
+	HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
+	case "${UNAME_MACHINE}" in
+	    9000/31? )            HP_ARCH=m68000 ;;
+	    9000/[34]?? )         HP_ARCH=m68k ;;
+	    9000/[678][0-9][0-9])
+		if [ -x /usr/bin/getconf ]; then
+		    sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null`
+		    sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null`
+		    case "${sc_cpu_version}" in
+		      523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0
+		      528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1
+		      532)                      # CPU_PA_RISC2_0
+			case "${sc_kernel_bits}" in
+			  32) HP_ARCH="hppa2.0n" ;;
+			  64) HP_ARCH="hppa2.0w" ;;
+			  '') HP_ARCH="hppa2.0" ;;   # HP-UX 10.20
+			esac ;;
+		    esac
+		fi
+		if [ "${HP_ARCH}" = "" ]; then
+		    eval $set_cc_for_build
+		    sed 's/^		//' << EOF >$dummy.c
+
+		#define _HPUX_SOURCE
+		#include <stdlib.h>
+		#include <unistd.h>
+
+		int main ()
+		{
+		#if defined(_SC_KERNEL_BITS)
+		    long bits = sysconf(_SC_KERNEL_BITS);
+		#endif
+		    long cpu  = sysconf (_SC_CPU_VERSION);
+
+		    switch (cpu)
+			{
+			case CPU_PA_RISC1_0: puts ("hppa1.0"); break;
+			case CPU_PA_RISC1_1: puts ("hppa1.1"); break;
+			case CPU_PA_RISC2_0:
+		#if defined(_SC_KERNEL_BITS)
+			    switch (bits)
+				{
+				case 64: puts ("hppa2.0w"); break;
+				case 32: puts ("hppa2.0n"); break;
+				default: puts ("hppa2.0"); break;
+				} break;
+		#else  /* !defined(_SC_KERNEL_BITS) */
+			    puts ("hppa2.0"); break;
+		#endif
+			default: puts ("hppa1.0"); break;
+			}
+		    exit (0);
+		}
+EOF
+		    (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy`
+		    test -z "$HP_ARCH" && HP_ARCH=hppa
+		fi ;;
+	esac
+	if [ ${HP_ARCH} = "hppa2.0w" ]
+	then
+	    eval $set_cc_for_build
+
+	    # hppa2.0w-hp-hpux* has a 64-bit kernel and a compiler generating
+	    # 32-bit code.  hppa64-hp-hpux* has the same kernel and a compiler
+	    # generating 64-bit code.  GNU and HP use different nomenclature:
+	    #
+	    # $ CC_FOR_BUILD=cc ./config.guess
+	    # => hppa2.0w-hp-hpux11.23
+	    # $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess
+	    # => hppa64-hp-hpux11.23
+
+	    if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) |
+		grep -q __LP64__
+	    then
+		HP_ARCH="hppa2.0w"
+	    else
+		HP_ARCH="hppa64"
+	    fi
+	fi
+	echo ${HP_ARCH}-hp-hpux${HPUX_REV}
+	exit ;;
+    ia64:HP-UX:*:*)
+	HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
+	echo ia64-hp-hpux${HPUX_REV}
+	exit ;;
+    3050*:HI-UX:*:*)
+	eval $set_cc_for_build
+	sed 's/^	//' << EOF >$dummy.c
+	#include <unistd.h>
+	int
+	main ()
+	{
+	  long cpu = sysconf (_SC_CPU_VERSION);
+	  /* The order matters, because CPU_IS_HP_MC68K erroneously returns
+	     true for CPU_PA_RISC1_0.  CPU_IS_PA_RISC returns correct
+	     results, however.  */
+	  if (CPU_IS_PA_RISC (cpu))
+	    {
+	      switch (cpu)
+		{
+		  case CPU_PA_RISC1_0: puts ("hppa1.0-hitachi-hiuxwe2"); break;
+		  case CPU_PA_RISC1_1: puts ("hppa1.1-hitachi-hiuxwe2"); break;
+		  case CPU_PA_RISC2_0: puts ("hppa2.0-hitachi-hiuxwe2"); break;
+		  default: puts ("hppa-hitachi-hiuxwe2"); break;
+		}
+	    }
+	  else if (CPU_IS_HP_MC68K (cpu))
+	    puts ("m68k-hitachi-hiuxwe2");
+	  else puts ("unknown-hitachi-hiuxwe2");
+	  exit (0);
+	}
+EOF
+	$CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy` &&
+		{ echo "$SYSTEM_NAME"; exit; }
+	echo unknown-hitachi-hiuxwe2
+	exit ;;
+    9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* )
+	echo hppa1.1-hp-bsd
+	exit ;;
+    9000/8??:4.3bsd:*:*)
+	echo hppa1.0-hp-bsd
+	exit ;;
+    *9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*)
+	echo hppa1.0-hp-mpeix
+	exit ;;
+    hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* )
+	echo hppa1.1-hp-osf
+	exit ;;
+    hp8??:OSF1:*:*)
+	echo hppa1.0-hp-osf
+	exit ;;
+    i*86:OSF1:*:*)
+	if [ -x /usr/sbin/sysversion ] ; then
+	    echo ${UNAME_MACHINE}-unknown-osf1mk
+	else
+	    echo ${UNAME_MACHINE}-unknown-osf1
+	fi
+	exit ;;
+    parisc*:Lites*:*:*)
+	echo hppa1.1-hp-lites
+	exit ;;
+    C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*)
+	echo c1-convex-bsd
+	exit ;;
+    C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*)
+	if getsysinfo -f scalar_acc
+	then echo c32-convex-bsd
+	else echo c2-convex-bsd
+	fi
+	exit ;;
+    C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*)
+	echo c34-convex-bsd
+	exit ;;
+    C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*)
+	echo c38-convex-bsd
+	exit ;;
+    C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*)
+	echo c4-convex-bsd
+	exit ;;
+    CRAY*Y-MP:*:*:*)
+	echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	exit ;;
+    CRAY*[A-Z]90:*:*:*)
+	echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \
+	| sed -e 's/CRAY.*\([A-Z]90\)/\1/' \
+	      -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ \
+	      -e 's/\.[^.]*$/.X/'
+	exit ;;
+    CRAY*TS:*:*:*)
+	echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	exit ;;
+    CRAY*T3E:*:*:*)
+	echo alphaev5-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	exit ;;
+    CRAY*SV1:*:*:*)
+	echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	exit ;;
+    *:UNICOS/mp:*:*)
+	echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	exit ;;
+    F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*)
+	FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
+	FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
+	FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
+	echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
+	exit ;;
+    5000:UNIX_System_V:4.*:*)
+	FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
+	FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'`
+	echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
+	exit ;;
+    i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*)
+	echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE}
+	exit ;;
+    sparc*:BSD/OS:*:*)
+	echo sparc-unknown-bsdi${UNAME_RELEASE}
+	exit ;;
+    *:BSD/OS:*:*)
+	echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE}
+	exit ;;
+    *:FreeBSD:*:*)
+	UNAME_PROCESSOR=`/usr/bin/uname -p`
+	case ${UNAME_PROCESSOR} in
+	    amd64)
+		echo x86_64-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
+	    *)
+		echo ${UNAME_PROCESSOR}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
+	esac
+	exit ;;
+    i*:CYGWIN*:*)
+	echo ${UNAME_MACHINE}-pc-cygwin
+	exit ;;
+    *:MINGW64*:*)
+	echo ${UNAME_MACHINE}-pc-mingw64
+	exit ;;
+    *:MINGW*:*)
+	echo ${UNAME_MACHINE}-pc-mingw32
+	exit ;;
+    *:MSYS*:*)
+	echo ${UNAME_MACHINE}-pc-msys
+	exit ;;
+    i*:windows32*:*)
+	# uname -m includes "-pc" on this system.
+	echo ${UNAME_MACHINE}-mingw32
+	exit ;;
+    i*:PW*:*)
+	echo ${UNAME_MACHINE}-pc-pw32
+	exit ;;
+    *:Interix*:*)
+	case ${UNAME_MACHINE} in
+	    x86)
+		echo i586-pc-interix${UNAME_RELEASE}
+		exit ;;
+	    authenticamd | genuineintel | EM64T)
+		echo x86_64-unknown-interix${UNAME_RELEASE}
+		exit ;;
+	    IA64)
+		echo ia64-unknown-interix${UNAME_RELEASE}
+		exit ;;
+	esac ;;
+    [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*)
+	echo i${UNAME_MACHINE}-pc-mks
+	exit ;;
+    8664:Windows_NT:*)
+	echo x86_64-pc-mks
+	exit ;;
+    i*:Windows_NT*:* | Pentium*:Windows_NT*:*)
+	# How do we know it's Interix rather than the generic POSIX subsystem?
+	# It also conflicts with pre-2.0 versions of AT&T UWIN. Should we
+	# UNAME_MACHINE based on the output of uname instead of i386?
+	echo i586-pc-interix
+	exit ;;
+    i*:UWIN*:*)
+	echo ${UNAME_MACHINE}-pc-uwin
+	exit ;;
+    amd64:CYGWIN*:*:* | x86_64:CYGWIN*:*:*)
+	echo x86_64-unknown-cygwin
+	exit ;;
+    p*:CYGWIN*:*)
+	echo powerpcle-unknown-cygwin
+	exit ;;
+    prep*:SunOS:5.*:*)
+	echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit ;;
+    *:GNU:*:*)
+	# the GNU system
+	echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-${LIBC}`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'`
+	exit ;;
+    *:GNU/*:*:*)
+	# other systems with GNU libc and userland
+	echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC}
+	exit ;;
+    i*86:Minix:*:*)
+	echo ${UNAME_MACHINE}-pc-minix
+	exit ;;
+    aarch64:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	exit ;;
+    aarch64_be:Linux:*:*)
+	UNAME_MACHINE=aarch64_be
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	exit ;;
+    alpha:Linux:*:*)
+	case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
+	  EV5)   UNAME_MACHINE=alphaev5 ;;
+	  EV56)  UNAME_MACHINE=alphaev56 ;;
+	  PCA56) UNAME_MACHINE=alphapca56 ;;
+	  PCA57) UNAME_MACHINE=alphapca56 ;;
+	  EV6)   UNAME_MACHINE=alphaev6 ;;
+	  EV67)  UNAME_MACHINE=alphaev67 ;;
+	  EV68*) UNAME_MACHINE=alphaev68 ;;
+	esac
+	objdump --private-headers /bin/sh | grep -q ld.so.1
+	if test "$?" = 0 ; then LIBC="gnulibc1" ; fi
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	exit ;;
+    arc:Linux:*:* | arceb:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	exit ;;
+    arm*:Linux:*:*)
+	eval $set_cc_for_build
+	if echo __ARM_EABI__ | $CC_FOR_BUILD -E - 2>/dev/null \
+	    | grep -q __ARM_EABI__
+	then
+	    echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	else
+	    if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \
+		| grep -q __ARM_PCS_VFP
+	    then
+		echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabi
+	    else
+		echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabihf
+	    fi
+	fi
+	exit ;;
+    avr32*:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	exit ;;
+    cris:Linux:*:*)
+	echo ${UNAME_MACHINE}-axis-linux-${LIBC}
+	exit ;;
+    crisv32:Linux:*:*)
+	echo ${UNAME_MACHINE}-axis-linux-${LIBC}
+	exit ;;
+    frv:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	exit ;;
+    hexagon:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	exit ;;
+    i*86:Linux:*:*)
+	echo ${UNAME_MACHINE}-pc-linux-${LIBC}
+	exit ;;
+    ia64:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	exit ;;
+    m32r*:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	exit ;;
+    m68*:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	exit ;;
+    mips:Linux:*:* | mips64:Linux:*:*)
+	eval $set_cc_for_build
+	sed 's/^	//' << EOF >$dummy.c
+	#undef CPU
+	#undef ${UNAME_MACHINE}
+	#undef ${UNAME_MACHINE}el
+	#if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL)
+	CPU=${UNAME_MACHINE}el
+	#else
+	#if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB)
+	CPU=${UNAME_MACHINE}
+	#else
+	CPU=
+	#endif
+	#endif
+EOF
+	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'`
+	test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; }
+	;;
+    openrisc*:Linux:*:*)
+	echo or1k-unknown-linux-${LIBC}
+	exit ;;
+    or32:Linux:*:* | or1k*:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	exit ;;
+    padre:Linux:*:*)
+	echo sparc-unknown-linux-${LIBC}
+	exit ;;
+    parisc64:Linux:*:* | hppa64:Linux:*:*)
+	echo hppa64-unknown-linux-${LIBC}
+	exit ;;
+    parisc:Linux:*:* | hppa:Linux:*:*)
+	# Look for CPU level
+	case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in
+	  PA7*) echo hppa1.1-unknown-linux-${LIBC} ;;
+	  PA8*) echo hppa2.0-unknown-linux-${LIBC} ;;
+	  *)    echo hppa-unknown-linux-${LIBC} ;;
+	esac
+	exit ;;
+    ppc64:Linux:*:*)
+	echo powerpc64-unknown-linux-${LIBC}
+	exit ;;
+    ppc:Linux:*:*)
+	echo powerpc-unknown-linux-${LIBC}
+	exit ;;
+    ppc64le:Linux:*:*)
+	echo powerpc64le-unknown-linux-${LIBC}
+	exit ;;
+    ppcle:Linux:*:*)
+	echo powerpcle-unknown-linux-${LIBC}
+	exit ;;
+    s390:Linux:*:* | s390x:Linux:*:*)
+	echo ${UNAME_MACHINE}-ibm-linux-${LIBC}
+	exit ;;
+    sh64*:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	exit ;;
+    sh*:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	exit ;;
+    sparc:Linux:*:* | sparc64:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	exit ;;
+    tile*:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	exit ;;
+    vax:Linux:*:*)
+	echo ${UNAME_MACHINE}-dec-linux-${LIBC}
+	exit ;;
+    x86_64:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	exit ;;
+    xtensa*:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	exit ;;
+    i*86:DYNIX/ptx:4*:*)
+	# ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.
+	# earlier versions are messed up and put the nodename in both
+	# sysname and nodename.
+	echo i386-sequent-sysv4
+	exit ;;
+    i*86:UNIX_SV:4.2MP:2.*)
+	# Unixware is an offshoot of SVR4, but it has its own version
+	# number series starting with 2...
+	# I am not positive that other SVR4 systems won't match this,
+	# I just have to hope.  -- rms.
+	# Use sysv4.2uw... so that sysv4* matches it.
+	echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION}
+	exit ;;
+    i*86:OS/2:*:*)
+	# If we were able to find `uname', then EMX Unix compatibility
+	# is probably installed.
+	echo ${UNAME_MACHINE}-pc-os2-emx
+	exit ;;
+    i*86:XTS-300:*:STOP)
+	echo ${UNAME_MACHINE}-unknown-stop
+	exit ;;
+    i*86:atheos:*:*)
+	echo ${UNAME_MACHINE}-unknown-atheos
+	exit ;;
+    i*86:syllable:*:*)
+	echo ${UNAME_MACHINE}-pc-syllable
+	exit ;;
+    i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.[02]*:*)
+	echo i386-unknown-lynxos${UNAME_RELEASE}
+	exit ;;
+    i*86:*DOS:*:*)
+	echo ${UNAME_MACHINE}-pc-msdosdjgpp
+	exit ;;
+    i*86:*:4.*:* | i*86:SYSTEM_V:4.*:*)
+	UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'`
+	if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then
+		echo ${UNAME_MACHINE}-univel-sysv${UNAME_REL}
+	else
+		echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL}
+	fi
+	exit ;;
+    i*86:*:5:[678]*)
+	# UnixWare 7.x, OpenUNIX and OpenServer 6.
+	case `/bin/uname -X | grep "^Machine"` in
+	    *486*)	     UNAME_MACHINE=i486 ;;
+	    *Pentium)	     UNAME_MACHINE=i586 ;;
+	    *Pent*|*Celeron) UNAME_MACHINE=i686 ;;
+	esac
+	echo ${UNAME_MACHINE}-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION}
+	exit ;;
+    i*86:*:3.2:*)
+	if test -f /usr/options/cb.name; then
+		UNAME_REL=`sed -n 's/.*Version //p' </usr/options/cb.name`
+		echo ${UNAME_MACHINE}-pc-isc$UNAME_REL
+	elif /bin/uname -X 2>/dev/null >/dev/null ; then
+		UNAME_REL=`(/bin/uname -X|grep Release|sed -e 's/.*= //')`
+		(/bin/uname -X|grep i80486 >/dev/null) && UNAME_MACHINE=i486
+		(/bin/uname -X|grep '^Machine.*Pentium' >/dev/null) \
+			&& UNAME_MACHINE=i586
+		(/bin/uname -X|grep '^Machine.*Pent *II' >/dev/null) \
+			&& UNAME_MACHINE=i686
+		(/bin/uname -X|grep '^Machine.*Pentium Pro' >/dev/null) \
+			&& UNAME_MACHINE=i686
+		echo ${UNAME_MACHINE}-pc-sco$UNAME_REL
+	else
+		echo ${UNAME_MACHINE}-pc-sysv32
+	fi
+	exit ;;
+    pc:*:*:*)
+	# Left here for compatibility:
+	# uname -m prints for DJGPP always 'pc', but it prints nothing about
+	# the processor, so we play safe by assuming i586.
+	# Note: whatever this is, it MUST be the same as what config.sub
+	# prints for the "djgpp" host, or else GDB configury will decide that
+	# this is a cross-build.
+	echo i586-pc-msdosdjgpp
+	exit ;;
+    Intel:Mach:3*:*)
+	echo i386-pc-mach3
+	exit ;;
+    paragon:*:*:*)
+	echo i860-intel-osf1
+	exit ;;
+    i860:*:4.*:*) # i860-SVR4
+	if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then
+	  echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4
+	else # Add other i860-SVR4 vendors below as they are discovered.
+	  echo i860-unknown-sysv${UNAME_RELEASE}  # Unknown i860-SVR4
+	fi
+	exit ;;
+    mini*:CTIX:SYS*5:*)
+	# "miniframe"
+	echo m68010-convergent-sysv
+	exit ;;
+    mc68k:UNIX:SYSTEM5:3.51m)
+	echo m68k-convergent-sysv
+	exit ;;
+    M680?0:D-NIX:5.3:*)
+	echo m68k-diab-dnix
+	exit ;;
+    M68*:*:R3V[5678]*:*)
+	test -r /sysV68 && { echo 'm68k-motorola-sysv'; exit; } ;;
+    3[345]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0 | S7501*:*:4.0:3.0)
+	OS_REL=''
+	test -r /etc/.relid \
+	&& OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid`
+	/bin/uname -p 2>/dev/null | grep 86 >/dev/null \
+	  && { echo i486-ncr-sysv4.3${OS_REL}; exit; }
+	/bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \
+	  && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;;
+    3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*)
+	/bin/uname -p 2>/dev/null | grep 86 >/dev/null \
+	  && { echo i486-ncr-sysv4; exit; } ;;
+    NCR*:*:4.2:* | MPRAS*:*:4.2:*)
+	OS_REL='.3'
+	test -r /etc/.relid \
+	    && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid`
+	/bin/uname -p 2>/dev/null | grep 86 >/dev/null \
+	    && { echo i486-ncr-sysv4.3${OS_REL}; exit; }
+	/bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \
+	    && { echo i586-ncr-sysv4.3${OS_REL}; exit; }
+	/bin/uname -p 2>/dev/null | /bin/grep pteron >/dev/null \
+	    && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;;
+    m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*)
+	echo m68k-unknown-lynxos${UNAME_RELEASE}
+	exit ;;
+    mc68030:UNIX_System_V:4.*:*)
+	echo m68k-atari-sysv4
+	exit ;;
+    TSUNAMI:LynxOS:2.*:*)
+	echo sparc-unknown-lynxos${UNAME_RELEASE}
+	exit ;;
+    rs6000:LynxOS:2.*:*)
+	echo rs6000-unknown-lynxos${UNAME_RELEASE}
+	exit ;;
+    PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.[02]*:*)
+	echo powerpc-unknown-lynxos${UNAME_RELEASE}
+	exit ;;
+    SM[BE]S:UNIX_SV:*:*)
+	echo mips-dde-sysv${UNAME_RELEASE}
+	exit ;;
+    RM*:ReliantUNIX-*:*:*)
+	echo mips-sni-sysv4
+	exit ;;
+    RM*:SINIX-*:*:*)
+	echo mips-sni-sysv4
+	exit ;;
+    *:SINIX-*:*:*)
+	if uname -p 2>/dev/null >/dev/null ; then
+		UNAME_MACHINE=`(uname -p) 2>/dev/null`
+		echo ${UNAME_MACHINE}-sni-sysv4
+	else
+		echo ns32k-sni-sysv
+	fi
+	exit ;;
+    PENTIUM:*:4.0*:*)	# Unisys `ClearPath HMP IX 4000' SVR4/MP effort
+			# says <Richard.M.Bartel@ccMail.Census.GOV>
+	echo i586-unisys-sysv4
+	exit ;;
+    *:UNIX_System_V:4*:FTX*)
+	# From Gerald Hewes <hewes@openmarket.com>.
+	# How about differentiating between stratus architectures? -djm
+	echo hppa1.1-stratus-sysv4
+	exit ;;
+    *:*:*:FTX*)
+	# From seanf@swdc.stratus.com.
+	echo i860-stratus-sysv4
+	exit ;;
+    i*86:VOS:*:*)
+	# From Paul.Green@stratus.com.
+	echo ${UNAME_MACHINE}-stratus-vos
+	exit ;;
+    *:VOS:*:*)
+	# From Paul.Green@stratus.com.
+	echo hppa1.1-stratus-vos
+	exit ;;
+    mc68*:A/UX:*:*)
+	echo m68k-apple-aux${UNAME_RELEASE}
+	exit ;;
+    news*:NEWS-OS:6*:*)
+	echo mips-sony-newsos6
+	exit ;;
+    R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*)
+	if [ -d /usr/nec ]; then
+		echo mips-nec-sysv${UNAME_RELEASE}
+	else
+		echo mips-unknown-sysv${UNAME_RELEASE}
+	fi
+	exit ;;
+    BeBox:BeOS:*:*)	# BeOS running on hardware made by Be, PPC only.
+	echo powerpc-be-beos
+	exit ;;
+    BeMac:BeOS:*:*)	# BeOS running on Mac or Mac clone, PPC only.
+	echo powerpc-apple-beos
+	exit ;;
+    BePC:BeOS:*:*)	# BeOS running on Intel PC compatible.
+	echo i586-pc-beos
+	exit ;;
+    BePC:Haiku:*:*)	# Haiku running on Intel PC compatible.
+	echo i586-pc-haiku
+	exit ;;
+    x86_64:Haiku:*:*)
+	echo x86_64-unknown-haiku
+	exit ;;
+    SX-4:SUPER-UX:*:*)
+	echo sx4-nec-superux${UNAME_RELEASE}
+	exit ;;
+    SX-5:SUPER-UX:*:*)
+	echo sx5-nec-superux${UNAME_RELEASE}
+	exit ;;
+    SX-6:SUPER-UX:*:*)
+	echo sx6-nec-superux${UNAME_RELEASE}
+	exit ;;
+    SX-7:SUPER-UX:*:*)
+	echo sx7-nec-superux${UNAME_RELEASE}
+	exit ;;
+    SX-8:SUPER-UX:*:*)
+	echo sx8-nec-superux${UNAME_RELEASE}
+	exit ;;
+    SX-8R:SUPER-UX:*:*)
+	echo sx8r-nec-superux${UNAME_RELEASE}
+	exit ;;
+    Power*:Rhapsody:*:*)
+	echo powerpc-apple-rhapsody${UNAME_RELEASE}
+	exit ;;
+    *:Rhapsody:*:*)
+	echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE}
+	exit ;;
+    *:Darwin:*:*)
+	UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown
+	eval $set_cc_for_build
+	if test "$UNAME_PROCESSOR" = unknown ; then
+	    UNAME_PROCESSOR=powerpc
+	fi
+	if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then
+	    if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then
+		if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \
+		    (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \
+		    grep IS_64BIT_ARCH >/dev/null
+		then
+		    case $UNAME_PROCESSOR in
+			i386) UNAME_PROCESSOR=x86_64 ;;
+			powerpc) UNAME_PROCESSOR=powerpc64 ;;
+		    esac
+		fi
+	    fi
+	elif test "$UNAME_PROCESSOR" = i386 ; then
+	    # Avoid executing cc on OS X 10.9, as it ships with a stub
+	    # that puts up a graphical alert prompting to install
+	    # developer tools.  Any system running Mac OS X 10.7 or
+	    # later (Darwin 11 and later) is required to have a 64-bit
+	    # processor. This is not true of the ARM version of Darwin
+	    # that Apple uses in portable devices.
+	    UNAME_PROCESSOR=x86_64
+	fi
+	echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE}
+	exit ;;
+    *:procnto*:*:* | *:QNX:[0123456789]*:*)
+	UNAME_PROCESSOR=`uname -p`
+	if test "$UNAME_PROCESSOR" = "x86"; then
+		UNAME_PROCESSOR=i386
+		UNAME_MACHINE=pc
+	fi
+	echo ${UNAME_PROCESSOR}-${UNAME_MACHINE}-nto-qnx${UNAME_RELEASE}
+	exit ;;
+    *:QNX:*:4*)
+	echo i386-pc-qnx
+	exit ;;
+    NEO-?:NONSTOP_KERNEL:*:*)
+	echo neo-tandem-nsk${UNAME_RELEASE}
+	exit ;;
+    NSE-*:NONSTOP_KERNEL:*:*)
+	echo nse-tandem-nsk${UNAME_RELEASE}
+	exit ;;
+    NSR-?:NONSTOP_KERNEL:*:*)
+	echo nsr-tandem-nsk${UNAME_RELEASE}
+	exit ;;
+    *:NonStop-UX:*:*)
+	echo mips-compaq-nonstopux
+	exit ;;
+    BS2000:POSIX*:*:*)
+	echo bs2000-siemens-sysv
+	exit ;;
+    DS/*:UNIX_System_V:*:*)
+	echo ${UNAME_MACHINE}-${UNAME_SYSTEM}-${UNAME_RELEASE}
+	exit ;;
+    *:Plan9:*:*)
+	# "uname -m" is not consistent, so use $cputype instead. 386
+	# is converted to i386 for consistency with other x86
+	# operating systems.
+	if test "$cputype" = "386"; then
+	    UNAME_MACHINE=i386
+	else
+	    UNAME_MACHINE="$cputype"
+	fi
+	echo ${UNAME_MACHINE}-unknown-plan9
+	exit ;;
+    *:TOPS-10:*:*)
+	echo pdp10-unknown-tops10
+	exit ;;
+    *:TENEX:*:*)
+	echo pdp10-unknown-tenex
+	exit ;;
+    KS10:TOPS-20:*:* | KL10:TOPS-20:*:* | TYPE4:TOPS-20:*:*)
+	echo pdp10-dec-tops20
+	exit ;;
+    XKL-1:TOPS-20:*:* | TYPE5:TOPS-20:*:*)
+	echo pdp10-xkl-tops20
+	exit ;;
+    *:TOPS-20:*:*)
+	echo pdp10-unknown-tops20
+	exit ;;
+    *:ITS:*:*)
+	echo pdp10-unknown-its
+	exit ;;
+    SEI:*:*:SEIUX)
+	echo mips-sei-seiux${UNAME_RELEASE}
+	exit ;;
+    *:DragonFly:*:*)
+	echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
+	exit ;;
+    *:*VMS:*:*)
+	UNAME_MACHINE=`(uname -p) 2>/dev/null`
+	case "${UNAME_MACHINE}" in
+	    A*) echo alpha-dec-vms ; exit ;;
+	    I*) echo ia64-dec-vms ; exit ;;
+	    V*) echo vax-dec-vms ; exit ;;
+	esac ;;
+    *:XENIX:*:SysV)
+	echo i386-pc-xenix
+	exit ;;
+    i*86:skyos:*:*)
+	echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE}` | sed -e 's/ .*$//'
+	exit ;;
+    i*86:rdos:*:*)
+	echo ${UNAME_MACHINE}-pc-rdos
+	exit ;;
+    i*86:AROS:*:*)
+	echo ${UNAME_MACHINE}-pc-aros
+	exit ;;
+    x86_64:VMkernel:*:*)
+	echo ${UNAME_MACHINE}-unknown-esx
+	exit ;;
+esac
+
+cat >&2 <<EOF
+$0: unable to guess system type
+
+This script, last modified $timestamp, has failed to recognize
+the operating system you are using. It is advised that you
+download the most up to date version of the config scripts from
+
+  http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD
+and
+  http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD
+
+If the version you run ($0) is already up to date, please
+send the following data and any information you think might be
+pertinent to <config-patches@gnu.org> in order to provide the needed
+information to handle your system.
+
+config.guess timestamp = $timestamp
+
+uname -m = `(uname -m) 2>/dev/null || echo unknown`
+uname -r = `(uname -r) 2>/dev/null || echo unknown`
+uname -s = `(uname -s) 2>/dev/null || echo unknown`
+uname -v = `(uname -v) 2>/dev/null || echo unknown`
+
+/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null`
+/bin/uname -X     = `(/bin/uname -X) 2>/dev/null`
+
+hostinfo               = `(hostinfo) 2>/dev/null`
+/bin/universe          = `(/bin/universe) 2>/dev/null`
+/usr/bin/arch -k       = `(/usr/bin/arch -k) 2>/dev/null`
+/bin/arch              = `(/bin/arch) 2>/dev/null`
+/usr/bin/oslevel       = `(/usr/bin/oslevel) 2>/dev/null`
+/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null`
+
+UNAME_MACHINE = ${UNAME_MACHINE}
+UNAME_RELEASE = ${UNAME_RELEASE}
+UNAME_SYSTEM  = ${UNAME_SYSTEM}
+UNAME_VERSION = ${UNAME_VERSION}
+EOF
+
+exit 1
+
+# Local variables:
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "timestamp='"
+# time-stamp-format: "%:y-%02m-%02d"
+# time-stamp-end: "'"
+# End:
diff --git a/config.h.in b/config.h.in
new file mode 100644
index 0000000..7806015
--- /dev/null
+++ b/config.h.in
@@ -0,0 +1,692 @@
+/* config.h.in.  Generated from configure.ac by autoheader.  */
+
+/* Define if building universal (internal helper macro) */
+#undef AC_APPLE_UNIVERSAL_BUILD
+
+/* Define if you cannot bind() before connect() for TCP sockets. */
+#undef BROKEN_TCP_BIND_BEFORE_CONNECT
+
+/* dnsrps $librpz_name */
+#undef DNSRPS_LIBRPZ_PATH
+
+/* 0=no DNSRPS 1=static link 2=dlopen() */
+#undef DNSRPS_LIB_OPEN
+
+/* Define to enable "rrset-order fixed" syntax. */
+#undef DNS_RDATASET_FIXED
+
+/* Define to enable American Fuzzy Lop test harness */
+#undef ENABLE_AFL
+
+/* define if you want TCP_FASTOPEN enabled if available */
+#undef ENABLE_TCP_FASTOPEN
+
+/* Solaris hack to get select_large_fdset. */
+#undef FD_SETSIZE
+
+/* Define to nothing if C supports flexible array members, and to 1 if it does
+   not. That way, with a declaration like `struct s { int n; double
+   d[FLEXIBLE_ARRAY_MEMBER]; };', the struct hack can be used with pre-C99
+   compilers. When computing the size of such an object, don't use 'sizeof
+   (struct s)' as it overestimates the size. Use 'offsetof (struct s, d)'
+   instead. Don't use 'offsetof (struct s, d[0])', as this doesn't work with
+   MSVC and with C++ compilers. */
+#undef FLEXIBLE_ARRAY_MEMBER
+
+/* Define to 1 if you have the `arc4random' function. */
+#undef HAVE_ARC4RANDOM
+
+/* Define to 1 if you have the `arc4random_buf' function. */
+#undef HAVE_ARC4RANDOM_BUF
+
+/* Define to 1 if you have the `arc4random_uniform' function. */
+#undef HAVE_ARC4RANDOM_UNIFORM
+
+/* define if the ARM yield instruction is available */
+#undef HAVE_ARM_YIELD
+
+/* Define to 1 if you have the `BIO_read_ex' function. */
+#undef HAVE_BIO_READ_EX
+
+/* Define to 1 if you have the `BIO_write_ex' function. */
+#undef HAVE_BIO_WRITE_EX
+
+/* Define to 1 if you have the `BN_GENCB_new' function. */
+#undef HAVE_BN_GENCB_NEW
+
+/* Define to 1 if the compiler supports __builtin_clz. */
+#undef HAVE_BUILTIN_CLZ
+
+/* Define to 1 if the compiler supports __builtin_expect. */
+#undef HAVE_BUILTIN_EXPECT
+
+/* define if the compiler supports __builtin_unreachable(). */
+#undef HAVE_BUILTIN_UNREACHABLE
+
+/* Define to 1 if you have the `chroot' function. */
+#undef HAVE_CHROOT
+
+/* Define if clock_gettime is available. */
+#undef HAVE_CLOCK_GETTIME
+
+/* Use CMocka */
+#undef HAVE_CMOCKA
+
+/* Define to 1 if you have the `CRYPTO_zalloc' function. */
+#undef HAVE_CRYPTO_ZALLOC
+
+/* Define to 1 if you have the declaration of `UV_UDP_MMSG_CHUNK', and to 0 if
+   you don't. */
+#undef HAVE_DECL_UV_UDP_MMSG_CHUNK
+
+/* Define to 1 if you have the declaration of `UV_UDP_MMSG_FREE', and to 0 if
+   you don't. */
+#undef HAVE_DECL_UV_UDP_MMSG_FREE
+
+/* Define to 1 if you have the declaration of `UV_UDP_RECVMMSG', and to 0 if
+   you don't. */
+#undef HAVE_DECL_UV_UDP_RECVMMSG
+
+/* Define to 1 if you have the <devpoll.h> header file. */
+#undef HAVE_DEVPOLL_H
+
+/* Define to 1 if you have the `DH_get0_key' function. */
+#undef HAVE_DH_GET0_KEY
+
+/* Define to 1 if you have the `dlclose' function. */
+#undef HAVE_DLCLOSE
+
+/* Define to 1 if you have the <dlfcn.h> header file. */
+#undef HAVE_DLFCN_H
+
+/* Define to 1 if you have the `dlopen' function. */
+#undef HAVE_DLOPEN
+
+/* Define to 1 if you have the `dlsym' function. */
+#undef HAVE_DLSYM
+
+/* Define to 1 to enable dnstap support */
+#undef HAVE_DNSTAP
+
+/* Define to 1 if you have the `ECDSA_sign' function. */
+#undef HAVE_ECDSA_SIGN
+
+/* Define to 1 if you have the `ECDSA_SIG_get0' function. */
+#undef HAVE_ECDSA_SIG_GET0
+
+/* Define to 1 if you have the `ECDSA_verify' function. */
+#undef HAVE_ECDSA_VERIFY
+
+/* Define to 1 if you have the <editline/readline.h> header file. */
+#undef HAVE_EDITLINE_READLINE_H
+
+/* Define to 1 if you have the <edit/readline/history.h> header file. */
+#undef HAVE_EDIT_READLINE_HISTORY_H
+
+/* Define to 1 if you have the <edit/readline/readline.h> header file. */
+#undef HAVE_EDIT_READLINE_READLINE_H
+
+/* Define to 1 if you have the `epoll_create1' function. */
+#undef HAVE_EPOLL_CREATE1
+
+/* Define to 1 if you have the `EVP_aes_128_ecb' function. */
+#undef HAVE_EVP_AES_128_ECB
+
+/* Define to 1 if you have the `EVP_aes_192_ecb' function. */
+#undef HAVE_EVP_AES_192_ECB
+
+/* Define to 1 if you have the `EVP_aes_256_ecb' function. */
+#undef HAVE_EVP_AES_256_ECB
+
+/* Define to 1 if you have the `EVP_CIPHER_CTX_free' function. */
+#undef HAVE_EVP_CIPHER_CTX_FREE
+
+/* Define to 1 if you have the `EVP_CIPHER_CTX_new' function. */
+#undef HAVE_EVP_CIPHER_CTX_NEW
+
+/* Define to 1 if you have the `EVP_MD_CTX_free' function. */
+#undef HAVE_EVP_MD_CTX_FREE
+
+/* Define to 1 if you have the `EVP_MD_CTX_new' function. */
+#undef HAVE_EVP_MD_CTX_NEW
+
+/* Define to 1 if you have the `EVP_MD_CTX_reset' function. */
+#undef HAVE_EVP_MD_CTX_RESET
+
+/* Define to 1 if you have the `EVP_sha1' function. */
+#undef HAVE_EVP_SHA1
+
+/* Define to 1 if you have the `EVP_sha224' function. */
+#undef HAVE_EVP_SHA224
+
+/* Define to 1 if you have the `EVP_sha256' function. */
+#undef HAVE_EVP_SHA256
+
+/* Define to 1 if you have the `EVP_sha384' function. */
+#undef HAVE_EVP_SHA384
+
+/* Define to 1 if you have the `EVP_sha512' function. */
+#undef HAVE_EVP_SHA512
+
+/* Define to 1 if you have the <fcntl.h> header file. */
+#undef HAVE_FCNTL_H
+
+/* Define to 1 if you have the `FIPS_mode' function. */
+#undef HAVE_FIPS_MODE
+
+/* Define to 1 if you have the `flockfile' function. */
+#undef HAVE_FLOCKFILE
+
+/* Define to 1 if fseeko (and presumably ftello) exists and is declared. */
+#undef HAVE_FSEEKO
+
+/* Define to 1 if the system has the `constructor' function attribute */
+#undef HAVE_FUNC_ATTRIBUTE_CONSTRUCTOR
+
+/* Define to 1 if the system has the `destructor' function attribute */
+#undef HAVE_FUNC_ATTRIBUTE_DESTRUCTOR
+
+/* Define to 1 if the system has the `malloc' function attribute */
+#undef HAVE_FUNC_ATTRIBUTE_MALLOC
+
+/* Define to 1 if the system has the `returns_nonnull' function attribute */
+#undef HAVE_FUNC_ATTRIBUTE_RETURNS_NONNULL
+
+/* Build with GeoIP2 support */
+#undef HAVE_GEOIP2
+
+/* Define to 1 if you have the `getc_unlocked' function. */
+#undef HAVE_GETC_UNLOCKED
+
+/* Define to 1 if you have the `getpassphrase' function. */
+#undef HAVE_GETPASSPHRASE
+
+/* Define to 1 if you have the `getrandom' function. */
+#undef HAVE_GETRANDOM
+
+/* Define to use gperftools CPU profiler. */
+#undef HAVE_GPERFTOOLS_PROFILER
+
+/* Define to 1 if you have the <gssapi/gssapi.h> header file. */
+#undef HAVE_GSSAPI_GSSAPI_H
+
+/* Define to 1 if you have the <gssapi/gssapi_krb5.h> header file. */
+#undef HAVE_GSSAPI_GSSAPI_KRB5_H
+
+/* Define to 1 if you have the <gssapi.h> header file. */
+#undef HAVE_GSSAPI_H
+
+/* Define to 1 if you have the <gssapi_krb5.h> header file. */
+#undef HAVE_GSSAPI_KRB5_H
+
+/* Define to 1 if you have the `HMAC_CTX_free' function. */
+#undef HAVE_HMAC_CTX_FREE
+
+/* Define to 1 if you have the `HMAC_CTX_get_md' function. */
+#undef HAVE_HMAC_CTX_GET_MD
+
+/* Define to 1 if you have the `HMAC_CTX_new' function. */
+#undef HAVE_HMAC_CTX_NEW
+
+/* Define to 1 if you have the `HMAC_CTX_reset' function. */
+#undef HAVE_HMAC_CTX_RESET
+
+/* Define to 1 if you have the <idn2.h> header file. */
+#undef HAVE_IDN2_H
+
+/* Define to 1 if you have the `if_nametoindex' function. */
+#undef HAVE_IF_NAMETOINDEX
+
+/* Define to 1 if you have the <inttypes.h> header file. */
+#undef HAVE_INTTYPES_H
+
+/* Use json-c library */
+#undef HAVE_JSON_C
+
+/* Define to 1 if you have the <kerberosv5/krb5.h> header file. */
+#undef HAVE_KERBEROSV5_KRB5_H
+
+/* Define to 1 if you have the `kqueue' function. */
+#undef HAVE_KQUEUE
+
+/* Define to 1 if you have the <krb5.h> header file. */
+#undef HAVE_KRB5_H
+
+/* Define to 1 if you have the <krb5/krb5.h> header file. */
+#undef HAVE_KRB5_KRB5_H
+
+/* define if system have backtrace function */
+#undef HAVE_LIBCTRACE
+
+/* Define if libidn2 was found */
+#undef HAVE_LIBIDN2
+
+/* Define to 1 if you have the `nsl' library (-lnsl). */
+#undef HAVE_LIBNSL
+
+/* Define to 1 if you have the `scf' library (-lscf). */
+#undef HAVE_LIBSCF
+
+/* Define to 1 if you have the `socket' library (-lsocket). */
+#undef HAVE_LIBSOCKET
+
+/* Use libxml2 library */
+#undef HAVE_LIBXML2
+
+/* Define to 1 if you have the <linux/netlink.h> header file. */
+#undef HAVE_LINUX_NETLINK_H
+
+/* Define to 1 if you have the <linux/rtnetlink.h> header file. */
+#undef HAVE_LINUX_RTNETLINK_H
+
+/* Define if lmdb was found */
+#undef HAVE_LMDB
+
+/* Define to 1 if you have the <locale.h> header file. */
+#undef HAVE_LOCALE_H
+
+/* define if extended attributes for malloc are available */
+#undef HAVE_MALLOC_EXT_ATTR
+
+/* Define to 1 if you have the <memory.h> header file. */
+#undef HAVE_MEMORY_H
+
+/* Define to 1 if you have the `mmap' function. */
+#undef HAVE_MMAP
+
+/* Define to 1 if you have the <net/if6.h> header file. */
+#undef HAVE_NET_IF6_H
+
+/* Define to 1 if you have the <net/route.h> header file. */
+#undef HAVE_NET_ROUTE_H
+
+/* Define to 1 if you have the `OPENSSL_cleanup' function. */
+#undef HAVE_OPENSSL_CLEANUP
+
+/* define if OpenSSL supports Ed25519 */
+#undef HAVE_OPENSSL_ED25519
+
+/* define if OpenSSL supports Ed448 */
+#undef HAVE_OPENSSL_ED448
+
+/* Define to 1 if you have the `OPENSSL_init_crypto' function. */
+#undef HAVE_OPENSSL_INIT_CRYPTO
+
+/* Define to 1 if you have the `OPENSSL_init_ssl' function. */
+#undef HAVE_OPENSSL_INIT_SSL
+
+/* Define if you have POSIX threads libraries and header files. */
+#undef HAVE_PTHREAD
+
+/* Define to 1 if you have the `pthread_attr_getstacksize' function. */
+#undef HAVE_PTHREAD_ATTR_GETSTACKSIZE
+
+/* Define to 1 if you have the `pthread_attr_setstacksize' function. */
+#undef HAVE_PTHREAD_ATTR_SETSTACKSIZE
+
+/* Support for PTHREAD_MUTEX_ADAPTIVE_NP */
+#undef HAVE_PTHREAD_MUTEX_ADAPTIVE_NP
+
+/* Define to 1 if you have the <pthread_np.h> header file. */
+#undef HAVE_PTHREAD_NP_H
+
+/* Have PTHREAD_PRIO_INHERIT. */
+#undef HAVE_PTHREAD_PRIO_INHERIT
+
+/* Define to 1 if you have the `pthread_rwlock_rdlock' function. */
+#undef HAVE_PTHREAD_RWLOCK_RDLOCK
+
+/* Define to 1 if you have the `pthread_setname_np' function. */
+#undef HAVE_PTHREAD_SETNAME_NP
+
+/* Define to 1 if you have the `pthread_set_name_np' function. */
+#undef HAVE_PTHREAD_SET_NAME_NP
+
+/* Define to 1 if you have the `pthread_yield' function. */
+#undef HAVE_PTHREAD_YIELD
+
+/* Define to 1 if you have the `pthread_yield_np' function. */
+#undef HAVE_PTHREAD_YIELD_NP
+
+/* Define to 1 if you have the `readline' function. */
+#undef HAVE_READLINE
+
+/* Define to 1 if you have the <readline/history.h> header file. */
+#undef HAVE_READLINE_HISTORY_H
+
+/* Define to 1 if you have the <readline/readline.h> header file. */
+#undef HAVE_READLINE_READLINE_H
+
+/* Define to 1 if you have the <regex.h> header file. */
+#undef HAVE_REGEX_H
+
+/* Define to 1 if you have the `RSA_set0_key' function. */
+#undef HAVE_RSA_SET0_KEY
+
+/* Define to 1 if you have the <sched.h> header file. */
+#undef HAVE_SCHED_H
+
+/* Define to 1 if you have the `sched_yield' function. */
+#undef HAVE_SCHED_YIELD
+
+/* Define to 1 if you have the `setegid' function. */
+#undef HAVE_SETEGID
+
+/* Define to 1 if you have the `seteuid' function. */
+#undef HAVE_SETEUID
+
+/* Define to 1 if you have the `setlocale' function. */
+#undef HAVE_SETLOCALE
+
+/* Define to 1 if you have the `setresgid' function. */
+#undef HAVE_SETRESGID
+
+/* Define to 1 if you have the `setresuid' function. */
+#undef HAVE_SETRESUID
+
+/* define if the SPARC pause instruction is available */
+#undef HAVE_SPARC_PAUSE
+
+/* Define to 1 if you have the `SSL_CTX_set_min_proto_version' function. */
+#undef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
+
+/* Define to 1 if you have the `SSL_CTX_up_ref' function. */
+#undef HAVE_SSL_CTX_UP_REF
+
+/* Define to 1 if you have the `SSL_peek_ex' function. */
+#undef HAVE_SSL_PEEK_EX
+
+/* Define to 1 if you have the `SSL_read_ex' function. */
+#undef HAVE_SSL_READ_EX
+
+/* Define to 1 if you have the `SSL_write_ex' function. */
+#undef HAVE_SSL_WRITE_EX
+
+/* define if struct stat has st_mtim.tv_nsec field */
+#undef HAVE_STAT_NSEC
+
+/* Define to 1 if you have the <stdalign.h> header file. */
+#undef HAVE_STDALIGN_H
+
+/* Define to 1 if you have the <stdatomic.h> header file. */
+#undef HAVE_STDATOMIC_H
+
+/* Define to 1 if you have the <stdint.h> header file. */
+#undef HAVE_STDINT_H
+
+/* Define to 1 if you have the <stdlib.h> header file. */
+#undef HAVE_STDLIB_H
+
+/* Define to 1 if you have the <strings.h> header file. */
+#undef HAVE_STRINGS_H
+
+/* Define to 1 if you have the <string.h> header file. */
+#undef HAVE_STRING_H
+
+/* Define to 1 if you have the `strlcat' function. */
+#undef HAVE_STRLCAT
+
+/* Define to 1 if you have the `strlcpy' function. */
+#undef HAVE_STRLCPY
+
+/* Define to 1 if you have the `strnstr' function. */
+#undef HAVE_STRNSTR
+
+/* Define to 1 if you have the `sysconf' function. */
+#undef HAVE_SYSCONF
+
+/* Define to 1 if you have the `sysctlbyname' function. */
+#undef HAVE_SYSCTLBYNAME
+
+/* Define to 1 if you have the <sys/capability.h> header file. */
+#undef HAVE_SYS_CAPABILITY_H
+
+/* Define to 1 if you have the <sys/devpoll.h> header file. */
+#undef HAVE_SYS_DEVPOLL_H
+
+/* Define to 1 if you have the <sys/mman.h> header file. */
+#undef HAVE_SYS_MMAN_H
+
+/* Define to 1 if you have the <sys/param.h> header file. */
+#undef HAVE_SYS_PARAM_H
+
+/* Define to 1 if you have the <sys/select.h> header file. */
+#undef HAVE_SYS_SELECT_H
+
+/* Define to 1 if you have the <sys/socket.h> header file. */
+#undef HAVE_SYS_SOCKET_H
+
+/* Define to 1 if you have the <sys/sockio.h> header file. */
+#undef HAVE_SYS_SOCKIO_H
+
+/* Define to 1 if you have the <sys/stat.h> header file. */
+#undef HAVE_SYS_STAT_H
+
+/* Define to 1 if you have the <sys/sysctl.h> header file. */
+#undef HAVE_SYS_SYSCTL_H
+
+/* Define to 1 if you have the <sys/time.h> header file. */
+#undef HAVE_SYS_TIME_H
+
+/* Define to 1 if you have the <sys/types.h> header file. */
+#undef HAVE_SYS_TYPES_H
+
+/* Define to 1 if you have the <sys/un.h> header file. */
+#undef HAVE_SYS_UN_H
+
+/* Define to 1 if you have the <threads.h> header file. */
+#undef HAVE_THREADS_H
+
+/* Define if thread_local keyword is available */
+#undef HAVE_THREAD_LOCAL
+
+/* Define if Thread-Local Storage is available */
+#undef HAVE_TLS
+
+/* Define to 1 if you have the `TLS_client_method' function. */
+#undef HAVE_TLS_CLIENT_METHOD
+
+/* Define to 1 if you have the `TLS_server_method' function. */
+#undef HAVE_TLS_SERVER_METHOD
+
+/* Define to 1 if you have the `tzset' function. */
+#undef HAVE_TZSET
+
+/* Define to 1 if you have the <uchar.h> header file. */
+#undef HAVE_UCHAR_H
+
+/* Define to 1 if the system has the type `uintptr_t'. */
+#undef HAVE_UINTPTR_T
+
+/* define if uname is available */
+#undef HAVE_UNAME
+
+/* Define to 1 if you have the <unistd.h> header file. */
+#undef HAVE_UNISTD_H
+
+/* define if the compiler supports _Unwind_Backtrace() */
+#undef HAVE_UNWIND_BACKTRACE
+
+/* Use zlib library */
+#undef HAVE_ZLIB
+
+/* define if __atomic builtins are not available */
+#undef HAVE___ATOMIC
+
+/* Define if __thread keyword is available */
+#undef HAVE___THREAD
+
+/* Define if you want to use inline buffers */
+#undef ISC_BUFFER_USEINLINE
+
+/* Define to allow building of objects for dlopen(). */
+#undef ISC_DLZ_DLOPEN
+
+/* define if the linker supports --wrap option */
+#undef LD_WRAP
+
+/* have __attribute__s used in librpz.h */
+#undef LIBRPZ_HAVE_ATTR
+
+/* Define to the sub-directory where libtool stores uninstalled libraries. */
+#undef LT_OBJDIR
+
+/* Defined if extern char *optarg is not declared. */
+#undef NEED_OPTARG
+
+/* Define if connect does not honour the permission on the UNIX domain socket.
+   */
+#undef NEED_SECURE_DIRECTORY
+
+/* Define to the address where bug reports for this package should be sent. */
+#undef PACKAGE_BUGREPORT
+
+/* Define to the full name of this package. */
+#undef PACKAGE_NAME
+
+/* Define to the full name and version of this package. */
+#undef PACKAGE_STRING
+
+/* Define to the one symbol short name of this package. */
+#undef PACKAGE_TARNAME
+
+/* Define to the home page for this package. */
+#undef PACKAGE_URL
+
+/* Define to the version of this package. */
+#undef PACKAGE_VERSION
+
+/* define the default PKCS11 library path */
+#undef PK11_LIB_LOCATION
+
+/* Sets which flag to pass to open/fcntl to make non-blocking
+   (O_NDELAY/O_NONBLOCK). */
+#undef PORT_NONBLOCK
+
+/* Define to necessary symbol if this constant uses a non-standard name on
+   your system. */
+#undef PTHREAD_CREATE_JOINABLE
+
+/* Exit code for skipped tests */
+#undef SKIPPED_TEST_EXIT_CODE
+
+/* Define to 1 if you have the ANSI C header files. */
+#undef STDC_HEADERS
+
+/* Define to 1 if you can safely include both <sys/time.h> and <time.h>. */
+#undef TIME_WITH_SYS_TIME
+
+/* Define to use default system tuning. */
+#undef TUNE_LARGE
+
+/* define if we can use backtrace */
+#undef USE_BACKTRACE
+
+/* Enable DNS Response Policy Service API */
+#undef USE_DNSRPS
+
+/* Defined if you need to use ioctl(FIONBIO) instead a fcntl call to make
+   non-blocking. */
+#undef USE_FIONBIO_IOCTL
+
+/* Define if libtool is used for compilation */
+#undef USE_LIBTOOL
+
+/* define if OpenSSL is used for Public-Key Cryptography */
+#undef USE_OPENSSL
+
+/* define if PKCS11 is used for Public-Key Cryptography */
+#undef USE_PKCS11
+
+/* Define if you want to use pthread rwlock implementation */
+#undef USE_PTHREAD_RWLOCK
+
+/* Enable extensions on AIX 3, Interix.  */
+#ifndef _ALL_SOURCE
+# undef _ALL_SOURCE
+#endif
+/* Enable GNU extensions on systems that have them.  */
+#ifndef _GNU_SOURCE
+# undef _GNU_SOURCE
+#endif
+/* Enable threading extensions on Solaris.  */
+#ifndef _POSIX_PTHREAD_SEMANTICS
+# undef _POSIX_PTHREAD_SEMANTICS
+#endif
+/* Enable extensions on HP NonStop.  */
+#ifndef _TANDEM_SOURCE
+# undef _TANDEM_SOURCE
+#endif
+/* Enable general extensions on Solaris.  */
+#ifndef __EXTENSIONS__
+# undef __EXTENSIONS__
+#endif
+
+
+/* the default value of dnssec-validation option */
+#undef VALIDATION_DEFAULT
+
+/* Define to enable very verbose query trace logging. */
+#undef WANT_QUERYTRACE
+
+/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
+   significant byte first (like Motorola and SPARC, unlike Intel). */
+#if defined AC_APPLE_UNIVERSAL_BUILD
+# if defined __BIG_ENDIAN__
+#  define WORDS_BIGENDIAN 1
+# endif
+#else
+# ifndef WORDS_BIGENDIAN
+#  undef WORDS_BIGENDIAN
+# endif
+#endif
+
+/* Enable large inode numbers on Mac OS X 10.5.  */
+#ifndef _DARWIN_USE_64_BIT_INODE
+# define _DARWIN_USE_64_BIT_INODE 1
+#endif
+
+/* Number of bits in a file offset, on hosts where this is settable. */
+#undef _FILE_OFFSET_BITS
+
+/* Define to 1 to make fseeko visible on some hosts (e.g. glibc 2.2). */
+#undef _LARGEFILE_SOURCE
+
+/* Define for large files, on AIX-style hosts. */
+#undef _LARGE_FILES
+
+/* Define to 1 if on MINIX. */
+#undef _MINIX
+
+/* Define to 2 if the system does not provide POSIX.1 features except with
+   this defined. */
+#undef _POSIX_1_SOURCE
+
+/* Define to 1 if you need to in order for `stat' and other things to work. */
+#undef _POSIX_SOURCE
+
+/* Select RFC3542 IPv6 API on macOS */
+#undef __APPLE_USE_RFC_3542
+
+/* Define to empty if `const' does not conform to ANSI C. */
+#undef const
+
+/* Define to `__inline__' or `__inline' if that's what the C compiler
+   calls it, or to nothing if 'inline' is not supported under any name.  */
+#ifndef __cplusplus
+#undef inline
+#endif
+
+/* Define to `unsigned int' if <sys/types.h> does not define. */
+#undef size_t
+
+/* Define to `int' if <sys/types.h> does not define. */
+#undef ssize_t
+
+/* Define to the type of an unsigned integer type wide enough to hold a
+   pointer, if such a type exists, and if the system does not define it. */
+#undef uintptr_t
+
+/* Define to empty if the keyword `volatile' does not work. Warning: valid
+   code using `volatile' can become incorrect without. Disable with care. */
+#undef volatile
diff --git a/config.h.win32 b/config.h.win32
new file mode 100644
index 0000000..a297627
--- /dev/null
+++ b/config.h.win32
@@ -0,0 +1,417 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * win32 configuration file
+ * All definitions, declarations, macros and includes are
+ * specific to the requirements of the Windows NT and Windows 2000
+ * platforms
+ */
+
+/* Define to empty if the keyword does not work.  */
+/* #undef const */
+
+/* Define as __inline if that's what the C compiler calls it.  */
+#define inline __inline
+
+/* Define to `unsigned int/__int64' if <sys/types.h> doesn't define.  */
+/* #undef size_t */
+
+/*
+ * ANSI C compliance enabled
+ */
+#define __STDC__ 1
+
+/*
+ * Silence compiler warnings about using strcpy and friends.
+ */
+#define _CRT_SECURE_NO_DEPRECATE 1
+
+/*
+ * Use 32 bit time.
+ */
+#ifndef _WIN64
+#define _USE_32BIT_TIME_T 1
+#endif
+
+/*
+ * Minimum version is Windows 8 and Windows Server 2012
+ */
+#ifndef _WIN32_WINNT
+#define _WIN32_WINNT 0x0602
+#endif
+#if _WIN32_WINNT < 0x0602
+#error Minimum Target environment is Windows 8 and Windows Server 2012
+#endif
+#ifndef NTDDI_VERSION
+#define NTDDI_VERSION 0x06020000
+#endif
+#if NTDDI_VERSION < 0x06020000
+#error Minimum Target environment is Windows 8 and Windows Server 2012
+#endif
+
+/* Define if you have the ANSI C header files.  */
+#define STDC_HEADERS 1
+
+/* Define if you can safely include both <sys/time.h> and <time.h>.  */
+#define TIME_WITH_SYS_TIME 1
+
+/* define on DEC OSF to enable 4.4BSD style sa_len support */
+/* #undef _SOCKADDR_LEN */
+
+/* define if your system has sigwait() */
+/* #undef HAVE_SIGWAIT */
+
+/* define on Solaris to get sigwait() to work using pthreads semantics */
+/* #undef _POSIX_PTHREAD_SEMANTICS */
+
+/* define if you need to #define _XPG4_2 before including sys/socket.h */
+/* #undef NEED_XPG4_2_BEFORE_SOCKET_H */
+
+/* define if you need to #define _XOPEN_SOURCE_ENTENDED before including
+ * sys/socket.h
+ */
+/* #undef NEED_XSE_BEFORE_SOCKET_H */
+
+/* Define if you have the <fcntl.h> header file.  */
+#define HAVE_FCNTL_H 1
+
+/* Define if you have the <sys/sockio.h> header file.  */
+#define HAVE_SYS_SOCKIO_H 1
+
+/* Define if you have the <sys/time.h> header file.  */
+#define HAVE_SYS_TIME_H 1
+
+/* Define if you have the <unistd.h> header file.  */
+#define HAVE_UNISTD_H 1
+
+/* Define if you have the c_r library (-lc_r).  */
+/* #undef HAVE_LIBC_R */
+
+/* Define if you have the nsl library (-lnsl).  */
+/* #undef HAVE_LIBNSL */
+
+/* Define if you have the pthread library (-lpthread).  */
+/* #undef HAVE_LIBPTHREAD */
+
+/* Define if you have the socket library (-lsocket).  */
+/* #undef HAVE_LIBSOCKET */
+
+/* Define if you have h_errno */
+#define HAVE_H_ERRNO
+
+/* Define if you have getpassphrase in the C library. */
+#define HAVE_GETPASSPHRASE
+
+char *getpassphrase(const char *);
+
+/*
+ * Define to 1 if you want to use the DLZ "dlopen" driver
+ * (which has the same name on windows even though it uses
+ * LoadLibrary() instead of dlopen()).
+ */
+#define ISC_DLZ_DLOPEN 1
+
+#define S_IFMT   _S_IFMT         /* file type mask */
+#define S_IFDIR  _S_IFDIR        /* directory */
+#define S_IFCHR  _S_IFCHR        /* character special */
+#define S_IFIFO  _S_IFIFO        /* pipe */
+#define S_IFREG  _S_IFREG        /* regular */
+#define S_IREAD  _S_IREAD        /* read permission, owner */
+#define S_IWRITE _S_IWRITE       /* write permission, owner */
+#define S_IEXEC  _S_IEXEC        /* execute/search permission, owner */
+
+#define O_RDONLY        _O_RDONLY
+#define O_WRONLY        _O_WRONLY
+#define O_RDWR          _O_RDWR
+#define O_APPEND        _O_APPEND
+#define O_CREAT         _O_CREAT
+#define O_TRUNC         _O_TRUNC
+#define O_EXCL          _O_EXCL
+
+/* open() under unix allows setting of read/write permissions
+ * at the owner, group and other levels.  These don't exist in NT
+ * We'll just map them all to the NT equivalent
+ */
+
+#define S_IRUSR _S_IREAD	/* Owner read permission */
+#define S_IWUSR _S_IWRITE	/* Owner write permission */
+#define S_IRGRP _S_IREAD	/* Group read permission */
+#define S_IWGRP _S_IWRITE	/* Group write permission */
+#define S_IROTH _S_IREAD	/* Other read permission */
+#define S_IWOTH _S_IWRITE	/* Other write permission */
+
+
+/*
+ * WIN32 specials until some other way of dealing with these is decided.
+ */
+
+#if _MSC_VER < 1900
+#define snprintf _snprintf
+#endif
+#if _MSC_VER < 1800
+#error Use Visual Studio 2013 or later for %zu support.
+#endif
+#if _MSC_VER <= 1400
+#define vsnprintf _vsnprintf
+#endif
+#define strcasecmp  _stricmp
+#define strncasecmp _strnicmp
+#define strdup _strdup
+#define sopen _sopen
+#define isascii __isascii
+#ifndef _WIN64
+#define stat _stat
+#define fstat _fstat
+#else
+#define stat _stat64
+#define fstat _fstat64
+#endif
+#define fileno _fileno
+#define unlink _unlink
+#define chdir _chdir
+#define mkdir _mkdir
+#define rmdir _rmdir
+#define getcwd _getcwd
+#define utime _utime
+#define utimbuf _utimbuf
+#ifndef _WIN64
+#define lseek _lseek
+#else
+#define lseek _lseeki64
+#endif
+
+/* #define EAFNOSUPPORT EINVAL */
+#define chmod _chmod
+#define getpid _getpid
+#define getppid _getpid	/* WARNING!!! For now this gets the same pid */
+#define random rand	/* Random number generator */
+#define srandom srand	/* Random number generator seeding */
+/* for the config file */
+typedef unsigned int    uid_t;          /* user id */
+typedef unsigned int    gid_t;          /* group id */
+typedef long pid_t;			/* PID */
+#ifndef _WIN64
+typedef int ssize_t;
+typedef long off_t;
+#else
+typedef __int64 ssize_t;
+#ifndef _AFX
+/* BINDInstall defines it with another type but doesn't use it */
+typedef __int64 off_t;
+#endif
+#endif
+
+/*
+ * Set up the Version Information
+ */
+#include <versions.h>
+
+#include <stddef.h>
+#include <stdio.h>
+#include <stdarg.h>
+
+/*
+ * Applications may need to get the configuration path
+ */
+#ifndef _USRDLL
+#include <isc/ntpaths.h>
+#endif
+
+#define fdopen	_fdopen
+#define read	_read
+#define open	_open
+#define close	_close
+#define write	_write
+#include <io.h>
+#define isatty	_isatty
+
+#ifndef _WINSOCKAPI_
+#define _WINSOCKAPI_   /* Prevent inclusion of winsock.h in windows.h */
+#endif
+
+/*
+ * Make the number of available sockets large
+ * The number of sockets needed can get large and memory's cheap
+ * This must be defined before winsock2.h gets included as the
+ * macro is used there.
+ */
+
+#ifndef FD_SETSIZE
+#define FD_SETSIZE 16384
+#endif
+#include <windows.h>
+
+/*
+ * main() is hooked
+ */
+#define ISC_MAIN_HOOK 1
+
+/*
+ * Configure sensible arguments
+ */
+@CONFIGARGS@
+
+/*
+ * Define if libxml2 is present
+ */
+@HAVE_LIBXML2@
+
+/* Define to enable "rrset-order fixed" syntax. */
+@DNS_RDATASET_FIXED@
+
+/* Define if OpenSSL includes Ed25519 support */
+#define HAVE_OPENSSL_ED25519 1
+
+/* Define if OpenSSL includes Ed448 support */
+#define HAVE_OPENSSL_ED448 1
+
+/* Define if your OpenSSL version supports DH functions. */
+#define HAVE_DH_GET0_KEY 1
+
+/* Define if your OpenSSL version supports ECDSA functions. */
+#define HAVE_ECDSA_SIG_GET0 1
+
+/* Define if your OpenSSL version supports RSA functions. */
+#define HAVE_RSA_SET0_KEY 1
+
+/* define if OpenSSL is used for Public-Key Cryptography */
+@USE_OPENSSL@
+
+/* Define if native PKCS#11 is used as cryptographic library provider */
+@USE_PKCS11@
+
+/* Define to 1 if you have the `readline' function. */
+@HAVE_READLINE@
+
+/* Build with GeoIP2 support */
+@HAVE_GEOIP2@
+
+/* define if idnkit support is to be included. */
+@WITH_IDN@
+
+/* Define if zlib was found */
+@HAVE_ZLIB@
+
+/* From enable developer */
+@ISC_LIST_CHECKINIT@
+
+/* Large system tuning */
+@TUNE_LARGE@
+
+/* define if we can use backtrace */
+@USE_BACKTRACE@
+
+/* the default value of dnssec-validation option */
+@VALIDATION_DEFAULT@
+
+/* Verbose query trace logging */
+@WANT_QUERYTRACE@
+
+/* Define to 1 if you have the `CRYPTO_zalloc' function. */
+#define HAVE_CRYPTO_ZALLOC 1
+
+/* Define to 1 if you have the declaration of `UV_UDP_MMSG_CHUNK', and to 0 if
+   you don't. */
+#define HAVE_DECL_UV_UDP_MMSG_CHUNK 0
+
+/* Define to 1 if you have the declaration of `UV_UDP_MMSG_FREE', and to 0 if
+   you don't. */
+#define HAVE_DECL_UV_UDP_MMSG_FREE 0
+
+/* Define to 1 if you have the declaration of `UV_UDP_RECVMMSG', and to 0 if
+   you don't. */
+#define HAVE_DECL_UV_UDP_RECVMMSG 0
+
+/* Define to 1 if you have the `EVP_CIPHER_CTX_free' function. */
+#define HAVE_EVP_CIPHER_CTX_FREE 1
+
+/* Define to 1 if you have the `EVP_CIPHER_CTX_new' function. */
+#define HAVE_EVP_CIPHER_CTX_NEW 1
+
+/* Define to 1 if you have the `EVP_MD_CTX_free' function. */
+#define HAVE_EVP_MD_CTX_FREE 1
+
+/* Define to 1 if you have the `EVP_MD_CTX_new' function. */
+#define HAVE_EVP_MD_CTX_NEW 1
+
+/* Define to 1 if you have the `EVP_MD_CTX_reset' function. */
+#define HAVE_EVP_MD_CTX_RESET 1
+
+/* Define to 1 if you have the `HMAC_CTX_free' function. */
+#define HAVE_HMAC_CTX_FREE 1
+
+/* Define to 1 if you have the `HMAC_CTX_get_md' function. */
+#define HAVE_HMAC_CTX_GET_MD 1
+
+/* Define to 1 if you have the `HMAC_CTX_new' function. */
+#define HAVE_HMAC_CTX_NEW 1
+
+/* Define to 1 if you have the `HMAC_CTX_reset' function. */
+#define HAVE_HMAC_CTX_RESET 1
+
+/* Define to 1 if you have the `SSL_read_ex' function. */
+#define HAVE_SSL_READ_EX 1
+
+/* Define to 1 if you have the `SSL_peek_ex' function. */
+#define HAVE_SSL_PEEK_EX 1
+
+/* Define to 1 if you have the `SSL_write_ex' function. */
+#define HAVE_SSL_WRITE_EX 1
+
+/* Define to 1 if you have the `BIO_read_ex' function. */
+#define HAVE_BIO_READ_EX 1
+
+/* Define to 1 if you have the `BIO_write_ex' function. */
+#define HAVE_BIO_WRITE_EX 1
+
+/* Define to 1 if you have the `BN_GENCB_new' function. */
+#define HAVE_BN_GENCB_NEW 1
+
+/* Define to 1 if you have the `OPENSSL_init_crypto' function. */
+#define HAVE_OPENSSL_INIT_CRYPTO 1
+
+/* Define to 1 if you have the `OPENSSL_init_ssl' function. */
+#define HAVE_OPENSSL_INIT_SSL 1
+
+/* Define to 1 if you have the `TLS_client_method' function. */
+#define HAVE_TLS_CLIENT_METHOD 1
+
+/* Define to 1 if you have the `TLS_server_method' function. */
+#define HAVE_TLS_SERVER_METHOD 1
+
+/* Define to 1 if you have the `SSL_CTX_up_ref' function. */
+#define SSL_CTX_UP_REF 1
+
+/* Define to 1 if you have the `setlocale' function. */
+#define HAVE_SETLOCALE 1
+
+/* Define to 1 if you have the <locale.h> header file. */
+#define HAVE_LOCALE_H 1
+
+/*
+ * Define to nothing if C supports flexible array members, and to 1 if it does
+ * not. That way, with a declaration like `struct s { int n; double
+ * d[FLEXIBLE_ARRAY_MEMBER]; };', the struct hack can be used with pre-C99
+ * compilers. When computing the size of such an object, don't use 'sizeof
+ * (struct s)' as it overestimates the size. Use 'offsetof (struct s, d)'
+ * instead. Don't use 'offsetof (struct s, d[0])', as this doesn't work with
+ * MSVC and with C++ compilers.
+ */
+#define FLEXIBLE_ARRAY_MEMBER /**/
+
+/* Avoid warnings with strlen() */
+#ifdef _WIN64
+#define strlen(x)	(unsigned int) strlen(x)
+#endif
+
+/* Get SRCID */
+#include "srcid.h"
diff --git a/config.sub b/config.sub
new file mode 100755
index 0000000..6d2e94c
--- /dev/null
+++ b/config.sub
@@ -0,0 +1,1807 @@
+#! /bin/sh
+# Configuration validation subroutine script.
+#   Copyright 1992-2015 Free Software Foundation, Inc.
+
+timestamp='2015-01-01'
+
+# This file is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that
+# program.  This Exception is an additional permission under section 7
+# of the GNU General Public License, version 3 ("GPLv3").
+
+
+# Please send patches to <config-patches@gnu.org>.
+#
+# Configuration subroutine to validate and canonicalize a configuration type.
+# Supply the specified configuration type as an argument.
+# If it is invalid, we print an error message on stderr and exit with code 1.
+# Otherwise, we print the canonical config type on stdout and succeed.
+
+# You can get the latest version of this script from:
+# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD
+
+# This file is supposed to be the same for all GNU packages
+# and recognize all the CPU types, system types and aliases
+# that are meaningful with *any* GNU software.
+# Each package is responsible for reporting which valid configurations
+# it does not support.  The user should be able to distinguish
+# a failure to support a valid configuration from a meaningless
+# configuration.
+
+# The goal of this file is to map all the various variations of a given
+# machine specification into a single specification in the form:
+#	CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM
+# or in some cases, the newer four-part form:
+#	CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM
+# It is wrong to echo any other type of specification.
+
+me=`echo "$0" | sed -e 's,.*/,,'`
+
+usage="\
+Usage: $0 [OPTION] CPU-MFR-OPSYS
+       $0 [OPTION] ALIAS
+
+Canonicalize a configuration name.
+
+Operation modes:
+  -h, --help         print this help, then exit
+  -t, --time-stamp   print date of last modification, then exit
+  -v, --version      print version number, then exit
+
+Report bugs and patches to <config-patches@gnu.org>."
+
+version="\
+GNU config.sub ($timestamp)
+
+Copyright 1992-2015 Free Software Foundation, Inc.
+
+This is free software; see the source for copying conditions.  There is NO
+warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
+
+help="
+Try \`$me --help' for more information."
+
+# Parse command line
+while test $# -gt 0 ; do
+  case $1 in
+    --time-stamp | --time* | -t )
+       echo "$timestamp" ; exit ;;
+    --version | -v )
+       echo "$version" ; exit ;;
+    --help | --h* | -h )
+       echo "$usage"; exit ;;
+    -- )     # Stop option processing
+       shift; break ;;
+    - )	# Use stdin as input.
+       break ;;
+    -* )
+       echo "$me: invalid option $1$help"
+       exit 1 ;;
+
+    *local*)
+       # First pass through any local machine types.
+       echo $1
+       exit ;;
+
+    * )
+       break ;;
+  esac
+done
+
+case $# in
+ 0) echo "$me: missing argument$help" >&2
+    exit 1;;
+ 1) ;;
+ *) echo "$me: too many arguments$help" >&2
+    exit 1;;
+esac
+
+# Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any).
+# Here we must recognize all the valid KERNEL-OS combinations.
+maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
+case $maybe_os in
+  nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \
+  linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \
+  knetbsd*-gnu* | netbsd*-gnu* | \
+  kopensolaris*-gnu* | \
+  storm-chaos* | os2-emx* | rtmk-nova*)
+    os=-$maybe_os
+    basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
+    ;;
+  android-linux)
+    os=-linux-android
+    basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`-unknown
+    ;;
+  *)
+    basic_machine=`echo $1 | sed 's/-[^-]*$//'`
+    if [ $basic_machine != $1 ]
+    then os=`echo $1 | sed 's/.*-/-/'`
+    else os=; fi
+    ;;
+esac
+
+### Let's recognize common machines as not being operating systems so
+### that things like config.sub decstation-3100 work.  We also
+### recognize some manufacturers as not being operating systems, so we
+### can provide default operating systems below.
+case $os in
+	-sun*os*)
+		# Prevent following clause from handling this invalid input.
+		;;
+	-dec* | -mips* | -sequent* | -encore* | -pc532* | -sgi* | -sony* | \
+	-att* | -7300* | -3300* | -delta* | -motorola* | -sun[234]* | \
+	-unicom* | -ibm* | -next | -hp | -isi* | -apollo | -altos* | \
+	-convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\
+	-c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \
+	-harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \
+	-apple | -axis | -knuth | -cray | -microblaze*)
+		os=
+		basic_machine=$1
+		;;
+	-bluegene*)
+		os=-cnk
+		;;
+	-sim | -cisco | -oki | -wec | -winbond)
+		os=
+		basic_machine=$1
+		;;
+	-scout)
+		;;
+	-wrs)
+		os=-vxworks
+		basic_machine=$1
+		;;
+	-chorusos*)
+		os=-chorusos
+		basic_machine=$1
+		;;
+	-chorusrdb)
+		os=-chorusrdb
+		basic_machine=$1
+		;;
+	-hiux*)
+		os=-hiuxwe2
+		;;
+	-sco6)
+		os=-sco5v6
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-sco5)
+		os=-sco3.2v5
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-sco4)
+		os=-sco3.2v4
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-sco3.2.[4-9]*)
+		os=`echo $os | sed -e 's/sco3.2./sco3.2v/'`
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-sco3.2v[4-9]*)
+		# Don't forget version if it is 3.2v4 or newer.
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-sco5v6*)
+		# Don't forget version if it is 3.2v4 or newer.
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-sco*)
+		os=-sco3.2v2
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-udk*)
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-isc)
+		os=-isc2.2
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-clix*)
+		basic_machine=clipper-intergraph
+		;;
+	-isc*)
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-lynx*178)
+		os=-lynxos178
+		;;
+	-lynx*5)
+		os=-lynxos5
+		;;
+	-lynx*)
+		os=-lynxos
+		;;
+	-ptx*)
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-sequent/'`
+		;;
+	-windowsnt*)
+		os=`echo $os | sed -e 's/windowsnt/winnt/'`
+		;;
+	-psos*)
+		os=-psos
+		;;
+	-mint | -mint[0-9]*)
+		basic_machine=m68k-atari
+		os=-mint
+		;;
+esac
+
+# Decode aliases for certain CPU-COMPANY combinations.
+case $basic_machine in
+	# Recognize the basic CPU types without company name.
+	# Some are omitted here because they have special meanings below.
+	1750a | 580 \
+	| a29k \
+	| aarch64 | aarch64_be \
+	| alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \
+	| alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \
+	| am33_2.0 \
+	| arc | arceb \
+	| arm | arm[bl]e | arme[lb] | armv[2-8] | armv[3-8][lb] | armv7[arm] \
+	| avr | avr32 \
+	| be32 | be64 \
+	| bfin \
+	| c4x | c8051 | clipper \
+	| d10v | d30v | dlx | dsp16xx \
+	| epiphany \
+	| fido | fr30 | frv | ft32 \
+	| h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
+	| hexagon \
+	| i370 | i860 | i960 | ia64 \
+	| ip2k | iq2000 \
+	| k1om \
+	| le32 | le64 \
+	| lm32 \
+	| m32c | m32r | m32rle | m68000 | m68k | m88k \
+	| maxq | mb | microblaze | microblazeel | mcore | mep | metag \
+	| mips | mipsbe | mipseb | mipsel | mipsle \
+	| mips16 \
+	| mips64 | mips64el \
+	| mips64octeon | mips64octeonel \
+	| mips64orion | mips64orionel \
+	| mips64r5900 | mips64r5900el \
+	| mips64vr | mips64vrel \
+	| mips64vr4100 | mips64vr4100el \
+	| mips64vr4300 | mips64vr4300el \
+	| mips64vr5000 | mips64vr5000el \
+	| mips64vr5900 | mips64vr5900el \
+	| mipsisa32 | mipsisa32el \
+	| mipsisa32r2 | mipsisa32r2el \
+	| mipsisa32r6 | mipsisa32r6el \
+	| mipsisa64 | mipsisa64el \
+	| mipsisa64r2 | mipsisa64r2el \
+	| mipsisa64r6 | mipsisa64r6el \
+	| mipsisa64sb1 | mipsisa64sb1el \
+	| mipsisa64sr71k | mipsisa64sr71kel \
+	| mipsr5900 | mipsr5900el \
+	| mipstx39 | mipstx39el \
+	| mn10200 | mn10300 \
+	| moxie \
+	| mt \
+	| msp430 \
+	| nds32 | nds32le | nds32be \
+	| nios | nios2 | nios2eb | nios2el \
+	| ns16k | ns32k \
+	| open8 | or1k | or1knd | or32 \
+	| pdp10 | pdp11 | pj | pjl \
+	| powerpc | powerpc64 | powerpc64le | powerpcle \
+	| pyramid \
+	| riscv32 | riscv64 \
+	| rl78 | rx \
+	| score \
+	| sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
+	| sh64 | sh64le \
+	| sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \
+	| sparcv8 | sparcv9 | sparcv9b | sparcv9v \
+	| spu \
+	| tahoe | tic4x | tic54x | tic55x | tic6x | tic80 | tron \
+	| ubicom32 \
+	| v850 | v850e | v850e1 | v850e2 | v850es | v850e2v3 \
+	| visium \
+	| we32k \
+	| x86 | xc16x | xstormy16 | xtensa \
+	| z8k | z80)
+		basic_machine=$basic_machine-unknown
+		;;
+	c54x)
+		basic_machine=tic54x-unknown
+		;;
+	c55x)
+		basic_machine=tic55x-unknown
+		;;
+	c6x)
+		basic_machine=tic6x-unknown
+		;;
+	leon|leon[3-9])
+		basic_machine=sparc-$basic_machine
+		;;
+	m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | nvptx | picochip)
+		basic_machine=$basic_machine-unknown
+		os=-none
+		;;
+	m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | v70 | w65 | z8k)
+		;;
+	ms1)
+		basic_machine=mt-unknown
+		;;
+
+	strongarm | thumb | xscale)
+		basic_machine=arm-unknown
+		;;
+	xgate)
+		basic_machine=$basic_machine-unknown
+		os=-none
+		;;
+	xscaleeb)
+		basic_machine=armeb-unknown
+		;;
+
+	xscaleel)
+		basic_machine=armel-unknown
+		;;
+
+	# We use `pc' rather than `unknown'
+	# because (1) that's what they normally are, and
+	# (2) the word "unknown" tends to confuse beginning users.
+	i*86 | x86_64)
+	  basic_machine=$basic_machine-pc
+	  ;;
+	# Object if more than one company name word.
+	*-*-*)
+		echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
+		exit 1
+		;;
+	# Recognize the basic CPU types with company name.
+	580-* \
+	| a29k-* \
+	| aarch64-* | aarch64_be-* \
+	| alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \
+	| alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \
+	| alphapca5[67]-* | alpha64pca5[67]-* | arc-* | arceb-* \
+	| arm-*  | armbe-* | armle-* | armeb-* | armv*-* \
+	| avr-* | avr32-* \
+	| be32-* | be64-* \
+	| bfin-* | bs2000-* \
+	| c[123]* | c30-* | [cjt]90-* | c4x-* \
+	| c8051-* | clipper-* | craynv-* | cydra-* \
+	| d10v-* | d30v-* | dlx-* \
+	| elxsi-* \
+	| f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \
+	| h8300-* | h8500-* \
+	| hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
+	| hexagon-* \
+	| i*86-* | i860-* | i960-* | ia64-* \
+	| ip2k-* | iq2000-* \
+	| k1om-* \
+	| le32-* | le64-* \
+	| lm32-* \
+	| m32c-* | m32r-* | m32rle-* \
+	| m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
+	| m88110-* | m88k-* | maxq-* | mcore-* | metag-* \
+	| microblaze-* | microblazeel-* \
+	| mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \
+	| mips16-* \
+	| mips64-* | mips64el-* \
+	| mips64octeon-* | mips64octeonel-* \
+	| mips64orion-* | mips64orionel-* \
+	| mips64r5900-* | mips64r5900el-* \
+	| mips64vr-* | mips64vrel-* \
+	| mips64vr4100-* | mips64vr4100el-* \
+	| mips64vr4300-* | mips64vr4300el-* \
+	| mips64vr5000-* | mips64vr5000el-* \
+	| mips64vr5900-* | mips64vr5900el-* \
+	| mipsisa32-* | mipsisa32el-* \
+	| mipsisa32r2-* | mipsisa32r2el-* \
+	| mipsisa32r6-* | mipsisa32r6el-* \
+	| mipsisa64-* | mipsisa64el-* \
+	| mipsisa64r2-* | mipsisa64r2el-* \
+	| mipsisa64r6-* | mipsisa64r6el-* \
+	| mipsisa64sb1-* | mipsisa64sb1el-* \
+	| mipsisa64sr71k-* | mipsisa64sr71kel-* \
+	| mipsr5900-* | mipsr5900el-* \
+	| mipstx39-* | mipstx39el-* \
+	| mmix-* \
+	| mt-* \
+	| msp430-* \
+	| nds32-* | nds32le-* | nds32be-* \
+	| nios-* | nios2-* | nios2eb-* | nios2el-* \
+	| none-* | np1-* | ns16k-* | ns32k-* \
+	| open8-* \
+	| or1k*-* \
+	| orion-* \
+	| pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
+	| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \
+	| pyramid-* \
+	| rl78-* | romp-* | rs6000-* | rx-* \
+	| sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \
+	| shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
+	| sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \
+	| sparclite-* \
+	| sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx?-* \
+	| tahoe-* \
+	| tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \
+	| tile*-* \
+	| tron-* \
+	| ubicom32-* \
+	| v850-* | v850e-* | v850e1-* | v850es-* | v850e2-* | v850e2v3-* \
+	| vax-* \
+	| visium-* \
+	| we32k-* \
+	| x86-* | x86_64-* | xc16x-* | xps100-* \
+	| xstormy16-* | xtensa*-* \
+	| ymp-* \
+	| z8k-* | z80-*)
+		;;
+	# Recognize the basic CPU types without company name, with glob match.
+	xtensa*)
+		basic_machine=$basic_machine-unknown
+		;;
+	# Recognize the various machine names and aliases which stand
+	# for a CPU type and a company and sometimes even an OS.
+	386bsd)
+		basic_machine=i386-unknown
+		os=-bsd
+		;;
+	3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc)
+		basic_machine=m68000-att
+		;;
+	3b*)
+		basic_machine=we32k-att
+		;;
+	a29khif)
+		basic_machine=a29k-amd
+		os=-udi
+		;;
+	abacus)
+		basic_machine=abacus-unknown
+		;;
+	adobe68k)
+		basic_machine=m68010-adobe
+		os=-scout
+		;;
+	alliant | fx80)
+		basic_machine=fx80-alliant
+		;;
+	altos | altos3068)
+		basic_machine=m68k-altos
+		;;
+	am29k)
+		basic_machine=a29k-none
+		os=-bsd
+		;;
+	amd64)
+		basic_machine=x86_64-pc
+		;;
+	amd64-*)
+		basic_machine=x86_64-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	amdahl)
+		basic_machine=580-amdahl
+		os=-sysv
+		;;
+	amiga | amiga-*)
+		basic_machine=m68k-unknown
+		;;
+	amigaos | amigados)
+		basic_machine=m68k-unknown
+		os=-amigaos
+		;;
+	amigaunix | amix)
+		basic_machine=m68k-unknown
+		os=-sysv4
+		;;
+	apollo68)
+		basic_machine=m68k-apollo
+		os=-sysv
+		;;
+	apollo68bsd)
+		basic_machine=m68k-apollo
+		os=-bsd
+		;;
+	aros)
+		basic_machine=i386-pc
+		os=-aros
+		;;
+	aux)
+		basic_machine=m68k-apple
+		os=-aux
+		;;
+	balance)
+		basic_machine=ns32k-sequent
+		os=-dynix
+		;;
+	blackfin)
+		basic_machine=bfin-unknown
+		os=-linux
+		;;
+	blackfin-*)
+		basic_machine=bfin-`echo $basic_machine | sed 's/^[^-]*-//'`
+		os=-linux
+		;;
+	bluegene*)
+		basic_machine=powerpc-ibm
+		os=-cnk
+		;;
+	c54x-*)
+		basic_machine=tic54x-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	c55x-*)
+		basic_machine=tic55x-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	c6x-*)
+		basic_machine=tic6x-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	c90)
+		basic_machine=c90-cray
+		os=-unicos
+		;;
+	cegcc)
+		basic_machine=arm-unknown
+		os=-cegcc
+		;;
+	convex-c1)
+		basic_machine=c1-convex
+		os=-bsd
+		;;
+	convex-c2)
+		basic_machine=c2-convex
+		os=-bsd
+		;;
+	convex-c32)
+		basic_machine=c32-convex
+		os=-bsd
+		;;
+	convex-c34)
+		basic_machine=c34-convex
+		os=-bsd
+		;;
+	convex-c38)
+		basic_machine=c38-convex
+		os=-bsd
+		;;
+	cray | j90)
+		basic_machine=j90-cray
+		os=-unicos
+		;;
+	craynv)
+		basic_machine=craynv-cray
+		os=-unicosmp
+		;;
+	cr16 | cr16-*)
+		basic_machine=cr16-unknown
+		os=-elf
+		;;
+	crds | unos)
+		basic_machine=m68k-crds
+		;;
+	crisv32 | crisv32-* | etraxfs*)
+		basic_machine=crisv32-axis
+		;;
+	cris | cris-* | etrax*)
+		basic_machine=cris-axis
+		;;
+	crx)
+		basic_machine=crx-unknown
+		os=-elf
+		;;
+	da30 | da30-*)
+		basic_machine=m68k-da30
+		;;
+	decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn)
+		basic_machine=mips-dec
+		;;
+	decsystem10* | dec10*)
+		basic_machine=pdp10-dec
+		os=-tops10
+		;;
+	decsystem20* | dec20*)
+		basic_machine=pdp10-dec
+		os=-tops20
+		;;
+	delta | 3300 | motorola-3300 | motorola-delta \
+	      | 3300-motorola | delta-motorola)
+		basic_machine=m68k-motorola
+		;;
+	delta88)
+		basic_machine=m88k-motorola
+		os=-sysv3
+		;;
+	dicos)
+		basic_machine=i686-pc
+		os=-dicos
+		;;
+	djgpp)
+		basic_machine=i586-pc
+		os=-msdosdjgpp
+		;;
+	dpx20 | dpx20-*)
+		basic_machine=rs6000-bull
+		os=-bosx
+		;;
+	dpx2* | dpx2*-bull)
+		basic_machine=m68k-bull
+		os=-sysv3
+		;;
+	ebmon29k)
+		basic_machine=a29k-amd
+		os=-ebmon
+		;;
+	elxsi)
+		basic_machine=elxsi-elxsi
+		os=-bsd
+		;;
+	encore | umax | mmax)
+		basic_machine=ns32k-encore
+		;;
+	es1800 | OSE68k | ose68k | ose | OSE)
+		basic_machine=m68k-ericsson
+		os=-ose
+		;;
+	fx2800)
+		basic_machine=i860-alliant
+		;;
+	genix)
+		basic_machine=ns32k-ns
+		;;
+	gmicro)
+		basic_machine=tron-gmicro
+		os=-sysv
+		;;
+	go32)
+		basic_machine=i386-pc
+		os=-go32
+		;;
+	h3050r* | hiux*)
+		basic_machine=hppa1.1-hitachi
+		os=-hiuxwe2
+		;;
+	h8300hms)
+		basic_machine=h8300-hitachi
+		os=-hms
+		;;
+	h8300xray)
+		basic_machine=h8300-hitachi
+		os=-xray
+		;;
+	h8500hms)
+		basic_machine=h8500-hitachi
+		os=-hms
+		;;
+	harris)
+		basic_machine=m88k-harris
+		os=-sysv3
+		;;
+	hp300-*)
+		basic_machine=m68k-hp
+		;;
+	hp300bsd)
+		basic_machine=m68k-hp
+		os=-bsd
+		;;
+	hp300hpux)
+		basic_machine=m68k-hp
+		os=-hpux
+		;;
+	hp3k9[0-9][0-9] | hp9[0-9][0-9])
+		basic_machine=hppa1.0-hp
+		;;
+	hp9k2[0-9][0-9] | hp9k31[0-9])
+		basic_machine=m68000-hp
+		;;
+	hp9k3[2-9][0-9])
+		basic_machine=m68k-hp
+		;;
+	hp9k6[0-9][0-9] | hp6[0-9][0-9])
+		basic_machine=hppa1.0-hp
+		;;
+	hp9k7[0-79][0-9] | hp7[0-79][0-9])
+		basic_machine=hppa1.1-hp
+		;;
+	hp9k78[0-9] | hp78[0-9])
+		# FIXME: really hppa2.0-hp
+		basic_machine=hppa1.1-hp
+		;;
+	hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893)
+		# FIXME: really hppa2.0-hp
+		basic_machine=hppa1.1-hp
+		;;
+	hp9k8[0-9][13679] | hp8[0-9][13679])
+		basic_machine=hppa1.1-hp
+		;;
+	hp9k8[0-9][0-9] | hp8[0-9][0-9])
+		basic_machine=hppa1.0-hp
+		;;
+	hppa-next)
+		os=-nextstep3
+		;;
+	hppaosf)
+		basic_machine=hppa1.1-hp
+		os=-osf
+		;;
+	hppro)
+		basic_machine=hppa1.1-hp
+		os=-proelf
+		;;
+	i370-ibm* | ibm*)
+		basic_machine=i370-ibm
+		;;
+	i*86v32)
+		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		os=-sysv32
+		;;
+	i*86v4*)
+		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		os=-sysv4
+		;;
+	i*86v)
+		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		os=-sysv
+		;;
+	i*86sol2)
+		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		os=-solaris2
+		;;
+	i386mach)
+		basic_machine=i386-mach
+		os=-mach
+		;;
+	i386-vsta | vsta)
+		basic_machine=i386-unknown
+		os=-vsta
+		;;
+	iris | iris4d)
+		basic_machine=mips-sgi
+		case $os in
+		    -irix*)
+			;;
+		    *)
+			os=-irix4
+			;;
+		esac
+		;;
+	isi68 | isi)
+		basic_machine=m68k-isi
+		os=-sysv
+		;;
+	leon-*|leon[3-9]-*)
+		basic_machine=sparc-`echo $basic_machine | sed 's/-.*//'`
+		;;
+	m68knommu)
+		basic_machine=m68k-unknown
+		os=-linux
+		;;
+	m68knommu-*)
+		basic_machine=m68k-`echo $basic_machine | sed 's/^[^-]*-//'`
+		os=-linux
+		;;
+	m88k-omron*)
+		basic_machine=m88k-omron
+		;;
+	magnum | m3230)
+		basic_machine=mips-mips
+		os=-sysv
+		;;
+	merlin)
+		basic_machine=ns32k-utek
+		os=-sysv
+		;;
+	microblaze*)
+		basic_machine=microblaze-xilinx
+		;;
+	mingw64)
+		basic_machine=x86_64-pc
+		os=-mingw64
+		;;
+	mingw32)
+		basic_machine=i686-pc
+		os=-mingw32
+		;;
+	mingw32ce)
+		basic_machine=arm-unknown
+		os=-mingw32ce
+		;;
+	miniframe)
+		basic_machine=m68000-convergent
+		;;
+	*mint | -mint[0-9]* | *MiNT | *MiNT[0-9]*)
+		basic_machine=m68k-atari
+		os=-mint
+		;;
+	mips3*-*)
+		basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`
+		;;
+	mips3*)
+		basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown
+		;;
+	monitor)
+		basic_machine=m68k-rom68k
+		os=-coff
+		;;
+	morphos)
+		basic_machine=powerpc-unknown
+		os=-morphos
+		;;
+	moxiebox)
+		basic_machine=moxie-unknown
+		os=-moxiebox
+		;;
+	msdos)
+		basic_machine=i386-pc
+		os=-msdos
+		;;
+	ms1-*)
+		basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'`
+		;;
+	msys)
+		basic_machine=i686-pc
+		os=-msys
+		;;
+	mvs)
+		basic_machine=i370-ibm
+		os=-mvs
+		;;
+	nacl)
+		basic_machine=le32-unknown
+		os=-nacl
+		;;
+	ncr3000)
+		basic_machine=i486-ncr
+		os=-sysv4
+		;;
+	netbsd386)
+		basic_machine=i386-unknown
+		os=-netbsd
+		;;
+	netwinder)
+		basic_machine=armv4l-rebel
+		os=-linux
+		;;
+	news | news700 | news800 | news900)
+		basic_machine=m68k-sony
+		os=-newsos
+		;;
+	news1000)
+		basic_machine=m68030-sony
+		os=-newsos
+		;;
+	news-3600 | risc-news)
+		basic_machine=mips-sony
+		os=-newsos
+		;;
+	necv70)
+		basic_machine=v70-nec
+		os=-sysv
+		;;
+	next | m*-next )
+		basic_machine=m68k-next
+		case $os in
+		    -nextstep* )
+			;;
+		    -ns2*)
+		      os=-nextstep2
+			;;
+		    *)
+		      os=-nextstep3
+			;;
+		esac
+		;;
+	nh3000)
+		basic_machine=m68k-harris
+		os=-cxux
+		;;
+	nh[45]000)
+		basic_machine=m88k-harris
+		os=-cxux
+		;;
+	nindy960)
+		basic_machine=i960-intel
+		os=-nindy
+		;;
+	mon960)
+		basic_machine=i960-intel
+		os=-mon960
+		;;
+	nonstopux)
+		basic_machine=mips-compaq
+		os=-nonstopux
+		;;
+	np1)
+		basic_machine=np1-gould
+		;;
+	neo-tandem)
+		basic_machine=neo-tandem
+		;;
+	nse-tandem)
+		basic_machine=nse-tandem
+		;;
+	nsr-tandem)
+		basic_machine=nsr-tandem
+		;;
+	op50n-* | op60c-*)
+		basic_machine=hppa1.1-oki
+		os=-proelf
+		;;
+	openrisc | openrisc-*)
+		basic_machine=or32-unknown
+		;;
+	os400)
+		basic_machine=powerpc-ibm
+		os=-os400
+		;;
+	OSE68000 | ose68000)
+		basic_machine=m68000-ericsson
+		os=-ose
+		;;
+	os68k)
+		basic_machine=m68k-none
+		os=-os68k
+		;;
+	pa-hitachi)
+		basic_machine=hppa1.1-hitachi
+		os=-hiuxwe2
+		;;
+	paragon)
+		basic_machine=i860-intel
+		os=-osf
+		;;
+	parisc)
+		basic_machine=hppa-unknown
+		os=-linux
+		;;
+	parisc-*)
+		basic_machine=hppa-`echo $basic_machine | sed 's/^[^-]*-//'`
+		os=-linux
+		;;
+	pbd)
+		basic_machine=sparc-tti
+		;;
+	pbb)
+		basic_machine=m68k-tti
+		;;
+	pc532 | pc532-*)
+		basic_machine=ns32k-pc532
+		;;
+	pc98)
+		basic_machine=i386-pc
+		;;
+	pc98-*)
+		basic_machine=i386-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	pentium | p5 | k5 | k6 | nexgen | viac3)
+		basic_machine=i586-pc
+		;;
+	pentiumpro | p6 | 6x86 | athlon | athlon_*)
+		basic_machine=i686-pc
+		;;
+	pentiumii | pentium2 | pentiumiii | pentium3)
+		basic_machine=i686-pc
+		;;
+	pentium4)
+		basic_machine=i786-pc
+		;;
+	pentium-* | p5-* | k5-* | k6-* | nexgen-* | viac3-*)
+		basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	pentiumpro-* | p6-* | 6x86-* | athlon-*)
+		basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	pentiumii-* | pentium2-* | pentiumiii-* | pentium3-*)
+		basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	pentium4-*)
+		basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	pn)
+		basic_machine=pn-gould
+		;;
+	power)	basic_machine=power-ibm
+		;;
+	ppc | ppcbe)	basic_machine=powerpc-unknown
+		;;
+	ppc-* | ppcbe-*)
+		basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	ppcle | powerpclittle | ppc-le | powerpc-little)
+		basic_machine=powerpcle-unknown
+		;;
+	ppcle-* | powerpclittle-*)
+		basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	ppc64)	basic_machine=powerpc64-unknown
+		;;
+	ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	ppc64le | powerpc64little | ppc64-le | powerpc64-little)
+		basic_machine=powerpc64le-unknown
+		;;
+	ppc64le-* | powerpc64little-*)
+		basic_machine=powerpc64le-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	ps2)
+		basic_machine=i386-ibm
+		;;
+	pw32)
+		basic_machine=i586-unknown
+		os=-pw32
+		;;
+	rdos | rdos64)
+		basic_machine=x86_64-pc
+		os=-rdos
+		;;
+	rdos32)
+		basic_machine=i386-pc
+		os=-rdos
+		;;
+	rom68k)
+		basic_machine=m68k-rom68k
+		os=-coff
+		;;
+	rm[46]00)
+		basic_machine=mips-siemens
+		;;
+	rtpc | rtpc-*)
+		basic_machine=romp-ibm
+		;;
+	s390 | s390-*)
+		basic_machine=s390-ibm
+		;;
+	s390x | s390x-*)
+		basic_machine=s390x-ibm
+		;;
+	sa29200)
+		basic_machine=a29k-amd
+		os=-udi
+		;;
+	sb1)
+		basic_machine=mipsisa64sb1-unknown
+		;;
+	sb1el)
+		basic_machine=mipsisa64sb1el-unknown
+		;;
+	sde)
+		basic_machine=mipsisa32-sde
+		os=-elf
+		;;
+	sei)
+		basic_machine=mips-sei
+		os=-seiux
+		;;
+	sequent)
+		basic_machine=i386-sequent
+		;;
+	sh)
+		basic_machine=sh-hitachi
+		os=-hms
+		;;
+	sh5el)
+		basic_machine=sh5le-unknown
+		;;
+	sh64)
+		basic_machine=sh64-unknown
+		;;
+	sparclite-wrs | simso-wrs)
+		basic_machine=sparclite-wrs
+		os=-vxworks
+		;;
+	sps7)
+		basic_machine=m68k-bull
+		os=-sysv2
+		;;
+	spur)
+		basic_machine=spur-unknown
+		;;
+	st2000)
+		basic_machine=m68k-tandem
+		;;
+	stratus)
+		basic_machine=i860-stratus
+		os=-sysv4
+		;;
+	strongarm-* | thumb-*)
+		basic_machine=arm-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	sun2)
+		basic_machine=m68000-sun
+		;;
+	sun2os3)
+		basic_machine=m68000-sun
+		os=-sunos3
+		;;
+	sun2os4)
+		basic_machine=m68000-sun
+		os=-sunos4
+		;;
+	sun3os3)
+		basic_machine=m68k-sun
+		os=-sunos3
+		;;
+	sun3os4)
+		basic_machine=m68k-sun
+		os=-sunos4
+		;;
+	sun4os3)
+		basic_machine=sparc-sun
+		os=-sunos3
+		;;
+	sun4os4)
+		basic_machine=sparc-sun
+		os=-sunos4
+		;;
+	sun4sol2)
+		basic_machine=sparc-sun
+		os=-solaris2
+		;;
+	sun3 | sun3-*)
+		basic_machine=m68k-sun
+		;;
+	sun4)
+		basic_machine=sparc-sun
+		;;
+	sun386 | sun386i | roadrunner)
+		basic_machine=i386-sun
+		;;
+	sv1)
+		basic_machine=sv1-cray
+		os=-unicos
+		;;
+	symmetry)
+		basic_machine=i386-sequent
+		os=-dynix
+		;;
+	t3e)
+		basic_machine=alphaev5-cray
+		os=-unicos
+		;;
+	t90)
+		basic_machine=t90-cray
+		os=-unicos
+		;;
+	tile*)
+		basic_machine=$basic_machine-unknown
+		os=-linux-gnu
+		;;
+	tx39)
+		basic_machine=mipstx39-unknown
+		;;
+	tx39el)
+		basic_machine=mipstx39el-unknown
+		;;
+	toad1)
+		basic_machine=pdp10-xkl
+		os=-tops20
+		;;
+	tower | tower-32)
+		basic_machine=m68k-ncr
+		;;
+	tpf)
+		basic_machine=s390x-ibm
+		os=-tpf
+		;;
+	udi29k)
+		basic_machine=a29k-amd
+		os=-udi
+		;;
+	ultra3)
+		basic_machine=a29k-nyu
+		os=-sym1
+		;;
+	v810 | necv810)
+		basic_machine=v810-nec
+		os=-none
+		;;
+	vaxv)
+		basic_machine=vax-dec
+		os=-sysv
+		;;
+	vms)
+		basic_machine=vax-dec
+		os=-vms
+		;;
+	vpp*|vx|vx-*)
+		basic_machine=f301-fujitsu
+		;;
+	vxworks960)
+		basic_machine=i960-wrs
+		os=-vxworks
+		;;
+	vxworks68)
+		basic_machine=m68k-wrs
+		os=-vxworks
+		;;
+	vxworks29k)
+		basic_machine=a29k-wrs
+		os=-vxworks
+		;;
+	w65*)
+		basic_machine=w65-wdc
+		os=-none
+		;;
+	w89k-*)
+		basic_machine=hppa1.1-winbond
+		os=-proelf
+		;;
+	xbox)
+		basic_machine=i686-pc
+		os=-mingw32
+		;;
+	xps | xps100)
+		basic_machine=xps100-honeywell
+		;;
+	xscale-* | xscalee[bl]-*)
+		basic_machine=`echo $basic_machine | sed 's/^xscale/arm/'`
+		;;
+	ymp)
+		basic_machine=ymp-cray
+		os=-unicos
+		;;
+	z8k-*-coff)
+		basic_machine=z8k-unknown
+		os=-sim
+		;;
+	z80-*-coff)
+		basic_machine=z80-unknown
+		os=-sim
+		;;
+	none)
+		basic_machine=none-none
+		os=-none
+		;;
+
+# Here we handle the default manufacturer of certain CPU types.  It is in
+# some cases the only manufacturer, in others, it is the most popular.
+	w89k)
+		basic_machine=hppa1.1-winbond
+		;;
+	op50n)
+		basic_machine=hppa1.1-oki
+		;;
+	op60c)
+		basic_machine=hppa1.1-oki
+		;;
+	romp)
+		basic_machine=romp-ibm
+		;;
+	mmix)
+		basic_machine=mmix-knuth
+		;;
+	rs6000)
+		basic_machine=rs6000-ibm
+		;;
+	vax)
+		basic_machine=vax-dec
+		;;
+	pdp10)
+		# there are many clones, so DEC is not a safe bet
+		basic_machine=pdp10-unknown
+		;;
+	pdp11)
+		basic_machine=pdp11-dec
+		;;
+	we32k)
+		basic_machine=we32k-att
+		;;
+	sh[1234] | sh[24]a | sh[24]aeb | sh[34]eb | sh[1234]le | sh[23]ele)
+		basic_machine=sh-unknown
+		;;
+	sparc | sparcv8 | sparcv9 | sparcv9b | sparcv9v)
+		basic_machine=sparc-sun
+		;;
+	cydra)
+		basic_machine=cydra-cydrome
+		;;
+	orion)
+		basic_machine=orion-highlevel
+		;;
+	orion105)
+		basic_machine=clipper-highlevel
+		;;
+	mac | mpw | mac-mpw)
+		basic_machine=m68k-apple
+		;;
+	pmac | pmac-mpw)
+		basic_machine=powerpc-apple
+		;;
+	*-unknown)
+		# Make sure to match an already-canonicalized machine name.
+		;;
+	*)
+		echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
+		exit 1
+		;;
+esac
+
+# Here we canonicalize certain aliases for manufacturers.
+case $basic_machine in
+	*-digital*)
+		basic_machine=`echo $basic_machine | sed 's/digital.*/dec/'`
+		;;
+	*-commodore*)
+		basic_machine=`echo $basic_machine | sed 's/commodore.*/cbm/'`
+		;;
+	*)
+		;;
+esac
+
+# Decode manufacturer-specific aliases for certain operating systems.
+
+if [ x"$os" != x"" ]
+then
+case $os in
+	# First match some system type aliases
+	# that might get confused with valid system types.
+	# -solaris* is a basic system type, with this one exception.
+	-auroraux)
+		os=-auroraux
+		;;
+	-solaris1 | -solaris1.*)
+		os=`echo $os | sed -e 's|solaris1|sunos4|'`
+		;;
+	-solaris)
+		os=-solaris2
+		;;
+	-svr4*)
+		os=-sysv4
+		;;
+	-unixware*)
+		os=-sysv4.2uw
+		;;
+	-gnu/linux*)
+		os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'`
+		;;
+	# First accept the basic system types.
+	# The portable systems comes first.
+	# Each alternative MUST END IN A *, to match a version number.
+	# -sysv* is not here because it comes later, after sysvr4.
+	-gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \
+	      | -*vms* | -sco* | -esix* | -isc* | -aix* | -cnk* | -sunos | -sunos[34]*\
+	      | -hpux* | -unos* | -osf* | -luna* | -dgux* | -auroraux* | -solaris* \
+	      | -sym* | -kopensolaris* | -plan9* \
+	      | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \
+	      | -aos* | -aros* \
+	      | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
+	      | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
+	      | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \
+	      | -bitrig* | -openbsd* | -solidbsd* \
+	      | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \
+	      | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
+	      | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
+	      | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
+	      | -chorusos* | -chorusrdb* | -cegcc* \
+	      | -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
+	      | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \
+	      | -linux-newlib* | -linux-musl* | -linux-uclibc* \
+	      | -uxpv* | -beos* | -mpeix* | -udk* | -moxiebox* \
+	      | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
+	      | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
+	      | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \
+	      | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
+	      | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
+	      | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \
+	      | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* | -tirtos*)
+	# Remember, each alternative MUST END IN *, to match a version number.
+		;;
+	-qnx*)
+		case $basic_machine in
+		    x86-* | i*86-*)
+			;;
+		    *)
+			os=-nto$os
+			;;
+		esac
+		;;
+	-nto-qnx*)
+		;;
+	-nto*)
+		os=`echo $os | sed -e 's|nto|nto-qnx|'`
+		;;
+	-sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \
+	      | -windows* | -osx | -abug | -netware* | -os9* | -beos* | -haiku* \
+	      | -macos* | -mpw* | -magic* | -mmixware* | -mon960* | -lnews*)
+		;;
+	-mac*)
+		os=`echo $os | sed -e 's|mac|macos|'`
+		;;
+	-linux-dietlibc)
+		os=-linux-dietlibc
+		;;
+	-linux*)
+		os=`echo $os | sed -e 's|linux|linux-gnu|'`
+		;;
+	-sunos5*)
+		os=`echo $os | sed -e 's|sunos5|solaris2|'`
+		;;
+	-sunos6*)
+		os=`echo $os | sed -e 's|sunos6|solaris3|'`
+		;;
+	-opened*)
+		os=-openedition
+		;;
+	-os400*)
+		os=-os400
+		;;
+	-wince*)
+		os=-wince
+		;;
+	-osfrose*)
+		os=-osfrose
+		;;
+	-osf*)
+		os=-osf
+		;;
+	-utek*)
+		os=-bsd
+		;;
+	-dynix*)
+		os=-bsd
+		;;
+	-acis*)
+		os=-aos
+		;;
+	-atheos*)
+		os=-atheos
+		;;
+	-syllable*)
+		os=-syllable
+		;;
+	-386bsd)
+		os=-bsd
+		;;
+	-ctix* | -uts*)
+		os=-sysv
+		;;
+	-nova*)
+		os=-rtmk-nova
+		;;
+	-ns2 )
+		os=-nextstep2
+		;;
+	-nsk*)
+		os=-nsk
+		;;
+	# Preserve the version number of sinix5.
+	-sinix5.*)
+		os=`echo $os | sed -e 's|sinix|sysv|'`
+		;;
+	-sinix*)
+		os=-sysv4
+		;;
+	-tpf*)
+		os=-tpf
+		;;
+	-triton*)
+		os=-sysv3
+		;;
+	-oss*)
+		os=-sysv3
+		;;
+	-svr4)
+		os=-sysv4
+		;;
+	-svr3)
+		os=-sysv3
+		;;
+	-sysvr4)
+		os=-sysv4
+		;;
+	# This must come after -sysvr4.
+	-sysv*)
+		;;
+	-ose*)
+		os=-ose
+		;;
+	-es1800*)
+		os=-ose
+		;;
+	-xenix)
+		os=-xenix
+		;;
+	-*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
+		os=-mint
+		;;
+	-aros*)
+		os=-aros
+		;;
+	-zvmoe)
+		os=-zvmoe
+		;;
+	-dicos*)
+		os=-dicos
+		;;
+	-nacl*)
+		;;
+	-none)
+		;;
+	*)
+		# Get rid of the `-' at the beginning of $os.
+		os=`echo $os | sed 's/[^-]*-//'`
+		echo Invalid configuration \`$1\': system \`$os\' not recognized 1>&2
+		exit 1
+		;;
+esac
+else
+
+# Here we handle the default operating systems that come with various machines.
+# The value should be what the vendor currently ships out the door with their
+# machine or put another way, the most popular os provided with the machine.
+
+# Note that if you're going to try to match "-MANUFACTURER" here (say,
+# "-sun"), then you have to tell the case statement up towards the top
+# that MANUFACTURER isn't an operating system.  Otherwise, code above
+# will signal an error saying that MANUFACTURER isn't an operating
+# system, and we'll never get to this point.
+
+case $basic_machine in
+	score-*)
+		os=-elf
+		;;
+	spu-*)
+		os=-elf
+		;;
+	*-acorn)
+		os=-riscix1.2
+		;;
+	arm*-rebel)
+		os=-linux
+		;;
+	arm*-semi)
+		os=-aout
+		;;
+	c4x-* | tic4x-*)
+		os=-coff
+		;;
+	c8051-*)
+		os=-elf
+		;;
+	hexagon-*)
+		os=-elf
+		;;
+	tic54x-*)
+		os=-coff
+		;;
+	tic55x-*)
+		os=-coff
+		;;
+	tic6x-*)
+		os=-coff
+		;;
+	# This must come before the *-dec entry.
+	pdp10-*)
+		os=-tops20
+		;;
+	pdp11-*)
+		os=-none
+		;;
+	*-dec | vax-*)
+		os=-ultrix4.2
+		;;
+	m68*-apollo)
+		os=-domain
+		;;
+	i386-sun)
+		os=-sunos4.0.2
+		;;
+	m68000-sun)
+		os=-sunos3
+		;;
+	m68*-cisco)
+		os=-aout
+		;;
+	mep-*)
+		os=-elf
+		;;
+	mips*-cisco)
+		os=-elf
+		;;
+	mips*-*)
+		os=-elf
+		;;
+	or32-*)
+		os=-coff
+		;;
+	*-tti)	# must be before sparc entry or we get the wrong os.
+		os=-sysv3
+		;;
+	sparc-* | *-sun)
+		os=-sunos4.1.1
+		;;
+	*-be)
+		os=-beos
+		;;
+	*-haiku)
+		os=-haiku
+		;;
+	*-ibm)
+		os=-aix
+		;;
+	*-knuth)
+		os=-mmixware
+		;;
+	*-wec)
+		os=-proelf
+		;;
+	*-winbond)
+		os=-proelf
+		;;
+	*-oki)
+		os=-proelf
+		;;
+	*-hp)
+		os=-hpux
+		;;
+	*-hitachi)
+		os=-hiux
+		;;
+	i860-* | *-att | *-ncr | *-altos | *-motorola | *-convergent)
+		os=-sysv
+		;;
+	*-cbm)
+		os=-amigaos
+		;;
+	*-dg)
+		os=-dgux
+		;;
+	*-dolphin)
+		os=-sysv3
+		;;
+	m68k-ccur)
+		os=-rtu
+		;;
+	m88k-omron*)
+		os=-luna
+		;;
+	*-next )
+		os=-nextstep
+		;;
+	*-sequent)
+		os=-ptx
+		;;
+	*-crds)
+		os=-unos
+		;;
+	*-ns)
+		os=-genix
+		;;
+	i370-*)
+		os=-mvs
+		;;
+	*-next)
+		os=-nextstep3
+		;;
+	*-gould)
+		os=-sysv
+		;;
+	*-highlevel)
+		os=-bsd
+		;;
+	*-encore)
+		os=-bsd
+		;;
+	*-sgi)
+		os=-irix
+		;;
+	*-siemens)
+		os=-sysv4
+		;;
+	*-masscomp)
+		os=-rtu
+		;;
+	f30[01]-fujitsu | f700-fujitsu)
+		os=-uxpv
+		;;
+	*-rom68k)
+		os=-coff
+		;;
+	*-*bug)
+		os=-coff
+		;;
+	*-apple)
+		os=-macos
+		;;
+	*-atari*)
+		os=-mint
+		;;
+	*)
+		os=-none
+		;;
+esac
+fi
+
+# Here we handle the case where we know the os, and the CPU type, but not the
+# manufacturer.  We pick the logical manufacturer.
+vendor=unknown
+case $basic_machine in
+	*-unknown)
+		case $os in
+			-riscix*)
+				vendor=acorn
+				;;
+			-sunos*)
+				vendor=sun
+				;;
+			-cnk*|-aix*)
+				vendor=ibm
+				;;
+			-beos*)
+				vendor=be
+				;;
+			-hpux*)
+				vendor=hp
+				;;
+			-mpeix*)
+				vendor=hp
+				;;
+			-hiux*)
+				vendor=hitachi
+				;;
+			-unos*)
+				vendor=crds
+				;;
+			-dgux*)
+				vendor=dg
+				;;
+			-luna*)
+				vendor=omron
+				;;
+			-genix*)
+				vendor=ns
+				;;
+			-mvs* | -opened*)
+				vendor=ibm
+				;;
+			-os400*)
+				vendor=ibm
+				;;
+			-ptx*)
+				vendor=sequent
+				;;
+			-tpf*)
+				vendor=ibm
+				;;
+			-vxsim* | -vxworks* | -windiss*)
+				vendor=wrs
+				;;
+			-aux*)
+				vendor=apple
+				;;
+			-hms*)
+				vendor=hitachi
+				;;
+			-mpw* | -macos*)
+				vendor=apple
+				;;
+			-*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
+				vendor=atari
+				;;
+			-vos*)
+				vendor=stratus
+				;;
+		esac
+		basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"`
+		;;
+esac
+
+echo $basic_machine$os
+exit
+
+# Local variables:
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "timestamp='"
+# time-stamp-format: "%:y-%02m-%02d"
+# time-stamp-end: "'"
+# End:
diff --git a/config.threads.in b/config.threads.in
new file mode 100644
index 0000000..2c007ec
--- /dev/null
+++ b/config.threads.in
@@ -0,0 +1,125 @@
+#
+# Begin pthreads checking.
+#
+# First, decide whether to use multithreading or not.
+#
+# Enable multithreading by default on systems where it is known
+# to work well, and where debugging of multithreaded programs
+# is supported.
+#
+
+AC_MSG_CHECKING(whether to build with thread support)
+
+case $host in
+*-dec-osf*)
+	use_threads=true ;;
+[*-solaris2.[0-6]])
+	# Thread signals are broken on Solaris 2.6; they are sometimes
+	# delivered to the wrong thread.
+	use_threads=false ;;
+*-solaris*)
+	use_threads=true ;;
+*-hp-hpux10*)
+	use_threads=false ;;
+*-hp-hpux11*)
+	use_threads=true ;;
+*-sgi-irix*)
+	use_threads=true ;;
+*-sco-sysv*uw*|*-*-sysv*UnixWare*)
+        # UnixWare
+	use_threads=false ;;
+*-*-sysv*OpenUNIX*)
+        # UnixWare
+	use_threads=true ;;
+[*-netbsd[1234].*])
+	# NetBSD earlier than NetBSD 5.0 has poor pthreads.
+	#  Don't use it by default.
+	use_threads=false ;;
+*-netbsd*)
+	use_threads=true ;;
+*-openbsd*)
+	# OpenBSD users have reported that named dumps core on
+	# startup when built with threads.
+	use_threads=false ;;
+[*-freebsd[1234567].*])
+	# Threads are broken at least up to FreeBSD 4.11.
+	# FreeBSD 5, 6 and 7 we have never officially supported threads
+	# on. YMMV
+	use_threads=false ;;
+*-freebsd*)
+	use_threads=true ;;
+*-linux*)
+	use_threads=true ;;
+*-darwin[[123456789]].*)
+	use_threads=false ;;
+*-darwin*.*)
+	use_threads=true ;;
+*)
+	use_threads=true ;;
+esac
+
+AC_ARG_ENABLE(threads,
+	[  --enable-threads        enable multithreading])
+case "$enable_threads" in
+	yes)
+		use_threads=true
+		;;
+	no)
+		use_threads=false
+		;;
+	'')
+		# Use system-dependent default
+		;;
+	*)
+	    	AC_MSG_ERROR([--enable-threads takes yes or no])
+		;;
+esac
+
+if $use_threads
+then
+	AC_MSG_RESULT(yes)
+else
+	AC_MSG_RESULT(no)
+fi
+
+if $use_threads
+then
+	#
+	# Search for / configure pthreads in a system-dependent fashion.
+	#
+	case "$host" in
+		*-freebsd*)
+			# We don't want to set -lpthread as that break
+			# the ability to choose threads library at final
+			# link time and is not valid for all architectures.
+
+			PTHREAD=
+			if test "X$GCC" = "Xyes"; then
+				saved_cc="$CC"
+				CC="$CC -pthread"
+				AC_MSG_CHECKING(for gcc -pthread support);
+				AC_TRY_LINK([#include <pthread.h>],
+					    [printf("%x\n", pthread_create);],
+					    PTHREAD="yes"
+					    AC_MSG_RESULT(yes),
+					    AC_MSG_RESULT(no))
+				CC="$saved_cc"
+			fi
+			if test "X$PTHREAD" != "Xyes"; then
+				AC_CHECK_LIB(pthread, pthread_create,,
+				AC_CHECK_LIB(thr, thread_create,,
+				AC_CHECK_LIB(c_r, pthread_create,,
+				AC_CHECK_LIB(c, pthread_create,,
+				AC_MSG_ERROR("could not find thread libraries")))))
+			fi
+			;;
+		*)
+			AC_CHECK_LIB(pthread, pthread_create,,
+				AC_CHECK_LIB(pthread, __pthread_create,,
+				AC_CHECK_LIB(pthread, __pthread_create_system,,
+				AC_CHECK_LIB(c_r, pthread_create,,
+				AC_CHECK_LIB(c, pthread_create,,
+				AC_MSG_ERROR("could not find thread libraries"))))))
+		;;
+	esac
+fi
diff --git a/configure b/configure
new file mode 100755
index 0000000..1b436d6
--- /dev/null
+++ b/configure
@@ -0,0 +1,26911 @@
+#! /bin/sh
+# Guess values for system-dependent variables and create Makefiles.
+# Generated by GNU Autoconf 2.69 for BIND 9.16.
+#
+# Report bugs to <https://gitlab.isc.org/isc-projects/bind9/-/issues/new?issuable_template=Bug>.
+#
+#
+# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
+#
+#
+# This configure script is free software; the Free Software Foundation
+# gives unlimited permission to copy, distribute and modify it.
+## -------------------- ##
+## M4sh Initialization. ##
+## -------------------- ##
+
+# Be more Bourne compatible
+DUALCASE=1; export DUALCASE # for MKS sh
+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then :
+  emulate sh
+  NULLCMD=:
+  # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which
+  # is contrary to our usage.  Disable this feature.
+  alias -g '${1+"$@"}'='"$@"'
+  setopt NO_GLOB_SUBST
+else
+  case `(set -o) 2>/dev/null` in #(
+  *posix*) :
+    set -o posix ;; #(
+  *) :
+     ;;
+esac
+fi
+
+
+as_nl='
+'
+export as_nl
+# Printing a long string crashes Solaris 7 /usr/bin/printf.
+as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
+as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo
+as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo
+# Prefer a ksh shell builtin over an external printf program on Solaris,
+# but without wasting forks for bash or zsh.
+if test -z "$BASH_VERSION$ZSH_VERSION" \
+    && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then
+  as_echo='print -r --'
+  as_echo_n='print -rn --'
+elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then
+  as_echo='printf %s\n'
+  as_echo_n='printf %s'
+else
+  if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then
+    as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"'
+    as_echo_n='/usr/ucb/echo -n'
+  else
+    as_echo_body='eval expr "X$1" : "X\\(.*\\)"'
+    as_echo_n_body='eval
+      arg=$1;
+      case $arg in #(
+      *"$as_nl"*)
+	expr "X$arg" : "X\\(.*\\)$as_nl";
+	arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;;
+      esac;
+      expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl"
+    '
+    export as_echo_n_body
+    as_echo_n='sh -c $as_echo_n_body as_echo'
+  fi
+  export as_echo_body
+  as_echo='sh -c $as_echo_body as_echo'
+fi
+
+# The user is always right.
+if test "${PATH_SEPARATOR+set}" != set; then
+  PATH_SEPARATOR=:
+  (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && {
+    (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 ||
+      PATH_SEPARATOR=';'
+  }
+fi
+
+
+# IFS
+# We need space, tab and new line, in precisely that order.  Quoting is
+# there to prevent editors from complaining about space-tab.
+# (If _AS_PATH_WALK were called with IFS unset, it would disable word
+# splitting by setting IFS to empty value.)
+IFS=" ""	$as_nl"
+
+# Find who we are.  Look in the path if we contain no directory separator.
+as_myself=
+case $0 in #((
+  *[\\/]* ) as_myself=$0 ;;
+  *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
+  done
+IFS=$as_save_IFS
+
+     ;;
+esac
+# We did not find ourselves, most probably we were run as `sh COMMAND'
+# in which case we are not to be found in the path.
+if test "x$as_myself" = x; then
+  as_myself=$0
+fi
+if test ! -f "$as_myself"; then
+  $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
+  exit 1
+fi
+
+# Unset variables that we do not need and which cause bugs (e.g. in
+# pre-3.0 UWIN ksh).  But do not cause bugs in bash 2.01; the "|| exit 1"
+# suppresses any "Segmentation fault" message there.  '((' could
+# trigger a bug in pdksh 5.2.14.
+for as_var in BASH_ENV ENV MAIL MAILPATH
+do eval test x\${$as_var+set} = xset \
+  && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || :
+done
+PS1='$ '
+PS2='> '
+PS4='+ '
+
+# NLS nuisances.
+LC_ALL=C
+export LC_ALL
+LANGUAGE=C
+export LANGUAGE
+
+# CDPATH.
+(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
+
+# Use a proper internal environment variable to ensure we don't fall
+  # into an infinite loop, continuously re-executing ourselves.
+  if test x"${_as_can_reexec}" != xno && test "x$CONFIG_SHELL" != x; then
+    _as_can_reexec=no; export _as_can_reexec;
+    # We cannot yet assume a decent shell, so we have to provide a
+# neutralization value for shells without unset; and this also
+# works around shells that cannot unset nonexistent variables.
+# Preserve -v and -x to the replacement shell.
+BASH_ENV=/dev/null
+ENV=/dev/null
+(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
+case $- in # ((((
+  *v*x* | *x*v* ) as_opts=-vx ;;
+  *v* ) as_opts=-v ;;
+  *x* ) as_opts=-x ;;
+  * ) as_opts= ;;
+esac
+exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"}
+# Admittedly, this is quite paranoid, since all the known shells bail
+# out after a failed `exec'.
+$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2
+as_fn_exit 255
+  fi
+  # We don't want this to propagate to other subprocesses.
+          { _as_can_reexec=; unset _as_can_reexec;}
+if test "x$CONFIG_SHELL" = x; then
+  as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then :
+  emulate sh
+  NULLCMD=:
+  # Pre-4.2 versions of Zsh do word splitting on \${1+\"\$@\"}, which
+  # is contrary to our usage.  Disable this feature.
+  alias -g '\${1+\"\$@\"}'='\"\$@\"'
+  setopt NO_GLOB_SUBST
+else
+  case \`(set -o) 2>/dev/null\` in #(
+  *posix*) :
+    set -o posix ;; #(
+  *) :
+     ;;
+esac
+fi
+"
+  as_required="as_fn_return () { (exit \$1); }
+as_fn_success () { as_fn_return 0; }
+as_fn_failure () { as_fn_return 1; }
+as_fn_ret_success () { return 0; }
+as_fn_ret_failure () { return 1; }
+
+exitcode=0
+as_fn_success || { exitcode=1; echo as_fn_success failed.; }
+as_fn_failure && { exitcode=1; echo as_fn_failure succeeded.; }
+as_fn_ret_success || { exitcode=1; echo as_fn_ret_success failed.; }
+as_fn_ret_failure && { exitcode=1; echo as_fn_ret_failure succeeded.; }
+if ( set x; as_fn_ret_success y && test x = \"\$1\" ); then :
+
+else
+  exitcode=1; echo positional parameters were not saved.
+fi
+test x\$exitcode = x0 || exit 1
+test -x / || exit 1"
+  as_suggested="  as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO
+  as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO
+  eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" &&
+  test \"x\`expr \$as_lineno_1'\$as_run' + 1\`\" = \"x\$as_lineno_2'\$as_run'\"' || exit 1
+test \$(( 1 + 1 )) = 2 || exit 1
+
+  test -n \"\${ZSH_VERSION+set}\${BASH_VERSION+set}\" || (
+    ECHO='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
+    ECHO=\$ECHO\$ECHO\$ECHO\$ECHO\$ECHO
+    ECHO=\$ECHO\$ECHO\$ECHO\$ECHO\$ECHO\$ECHO
+    PATH=/empty FPATH=/empty; export PATH FPATH
+    test \"X\`printf %s \$ECHO\`\" = \"X\$ECHO\" \\
+      || test \"X\`print -r -- \$ECHO\`\" = \"X\$ECHO\" ) || exit 1"
+  if (eval "$as_required") 2>/dev/null; then :
+  as_have_required=yes
+else
+  as_have_required=no
+fi
+  if test x$as_have_required = xyes && (eval "$as_suggested") 2>/dev/null; then :
+
+else
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+as_found=false
+for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  as_found=:
+  case $as_dir in #(
+	 /*)
+	   for as_base in sh bash ksh sh5; do
+	     # Try only shells that exist, to save several forks.
+	     as_shell=$as_dir/$as_base
+	     if { test -f "$as_shell" || test -f "$as_shell.exe"; } &&
+		    { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$as_shell"; } 2>/dev/null; then :
+  CONFIG_SHELL=$as_shell as_have_required=yes
+		   if { $as_echo "$as_bourne_compatible""$as_suggested" | as_run=a "$as_shell"; } 2>/dev/null; then :
+  break 2
+fi
+fi
+	   done;;
+       esac
+  as_found=false
+done
+$as_found || { if { test -f "$SHELL" || test -f "$SHELL.exe"; } &&
+	      { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$SHELL"; } 2>/dev/null; then :
+  CONFIG_SHELL=$SHELL as_have_required=yes
+fi; }
+IFS=$as_save_IFS
+
+
+      if test "x$CONFIG_SHELL" != x; then :
+  export CONFIG_SHELL
+             # We cannot yet assume a decent shell, so we have to provide a
+# neutralization value for shells without unset; and this also
+# works around shells that cannot unset nonexistent variables.
+# Preserve -v and -x to the replacement shell.
+BASH_ENV=/dev/null
+ENV=/dev/null
+(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
+case $- in # ((((
+  *v*x* | *x*v* ) as_opts=-vx ;;
+  *v* ) as_opts=-v ;;
+  *x* ) as_opts=-x ;;
+  * ) as_opts= ;;
+esac
+exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"}
+# Admittedly, this is quite paranoid, since all the known shells bail
+# out after a failed `exec'.
+$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2
+exit 255
+fi
+
+    if test x$as_have_required = xno; then :
+  $as_echo "$0: This script requires a shell more modern than all"
+  $as_echo "$0: the shells that I found on your system."
+  if test x${ZSH_VERSION+set} = xset ; then
+    $as_echo "$0: In particular, zsh $ZSH_VERSION has bugs and should"
+    $as_echo "$0: be upgraded to zsh 4.3.4 or later."
+  else
+    $as_echo "$0: Please tell bug-autoconf@gnu.org and
+$0: https://gitlab.isc.org/isc-projects/bind9/-/issues/new?issuable_template=Bug
+$0: about your system, including any error possibly output
+$0: before this message. Then install a modern shell, or
+$0: manually run the script under such a shell if you do
+$0: have one."
+  fi
+  exit 1
+fi
+fi
+fi
+SHELL=${CONFIG_SHELL-/bin/sh}
+export SHELL
+# Unset more variables known to interfere with behavior of common tools.
+CLICOLOR_FORCE= GREP_OPTIONS=
+unset CLICOLOR_FORCE GREP_OPTIONS
+
+## --------------------- ##
+## M4sh Shell Functions. ##
+## --------------------- ##
+# as_fn_unset VAR
+# ---------------
+# Portably unset VAR.
+as_fn_unset ()
+{
+  { eval $1=; unset $1;}
+}
+as_unset=as_fn_unset
+
+# as_fn_set_status STATUS
+# -----------------------
+# Set $? to STATUS, without forking.
+as_fn_set_status ()
+{
+  return $1
+} # as_fn_set_status
+
+# as_fn_exit STATUS
+# -----------------
+# Exit the shell with STATUS, even in a "trap 0" or "set -e" context.
+as_fn_exit ()
+{
+  set +e
+  as_fn_set_status $1
+  exit $1
+} # as_fn_exit
+
+# as_fn_mkdir_p
+# -------------
+# Create "$as_dir" as a directory, including parents if necessary.
+as_fn_mkdir_p ()
+{
+
+  case $as_dir in #(
+  -*) as_dir=./$as_dir;;
+  esac
+  test -d "$as_dir" || eval $as_mkdir_p || {
+    as_dirs=
+    while :; do
+      case $as_dir in #(
+      *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'(
+      *) as_qdir=$as_dir;;
+      esac
+      as_dirs="'$as_qdir' $as_dirs"
+      as_dir=`$as_dirname -- "$as_dir" ||
+$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+	 X"$as_dir" : 'X\(//\)[^/]' \| \
+	 X"$as_dir" : 'X\(//\)$' \| \
+	 X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
+$as_echo X"$as_dir" |
+    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)[^/].*/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\).*/{
+	    s//\1/
+	    q
+	  }
+	  s/.*/./; q'`
+      test -d "$as_dir" && break
+    done
+    test -z "$as_dirs" || eval "mkdir $as_dirs"
+  } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir"
+
+
+} # as_fn_mkdir_p
+
+# as_fn_executable_p FILE
+# -----------------------
+# Test if FILE is an executable regular file.
+as_fn_executable_p ()
+{
+  test -f "$1" && test -x "$1"
+} # as_fn_executable_p
+# as_fn_append VAR VALUE
+# ----------------------
+# Append the text in VALUE to the end of the definition contained in VAR. Take
+# advantage of any shell optimizations that allow amortized linear growth over
+# repeated appends, instead of the typical quadratic growth present in naive
+# implementations.
+if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then :
+  eval 'as_fn_append ()
+  {
+    eval $1+=\$2
+  }'
+else
+  as_fn_append ()
+  {
+    eval $1=\$$1\$2
+  }
+fi # as_fn_append
+
+# as_fn_arith ARG...
+# ------------------
+# Perform arithmetic evaluation on the ARGs, and store the result in the
+# global $as_val. Take advantage of shells that can avoid forks. The arguments
+# must be portable across $(()) and expr.
+if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then :
+  eval 'as_fn_arith ()
+  {
+    as_val=$(( $* ))
+  }'
+else
+  as_fn_arith ()
+  {
+    as_val=`expr "$@" || test $? -eq 1`
+  }
+fi # as_fn_arith
+
+
+# as_fn_error STATUS ERROR [LINENO LOG_FD]
+# ----------------------------------------
+# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are
+# provided, also output the error to LOG_FD, referencing LINENO. Then exit the
+# script with STATUS, using 1 if that was 0.
+as_fn_error ()
+{
+  as_status=$1; test $as_status -eq 0 && as_status=1
+  if test "$4"; then
+    as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+    $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4
+  fi
+  $as_echo "$as_me: error: $2" >&2
+  as_fn_exit $as_status
+} # as_fn_error
+
+if expr a : '\(a\)' >/dev/null 2>&1 &&
+   test "X`expr 00001 : '.*\(...\)'`" = X001; then
+  as_expr=expr
+else
+  as_expr=false
+fi
+
+if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then
+  as_basename=basename
+else
+  as_basename=false
+fi
+
+if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
+  as_dirname=dirname
+else
+  as_dirname=false
+fi
+
+as_me=`$as_basename -- "$0" ||
+$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
+	 X"$0" : 'X\(//\)$' \| \
+	 X"$0" : 'X\(/\)' \| . 2>/dev/null ||
+$as_echo X/"$0" |
+    sed '/^.*\/\([^/][^/]*\)\/*$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\/\(\/\/\)$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\/\(\/\).*/{
+	    s//\1/
+	    q
+	  }
+	  s/.*/./; q'`
+
+# Avoid depending upon Character Ranges.
+as_cr_letters='abcdefghijklmnopqrstuvwxyz'
+as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+as_cr_Letters=$as_cr_letters$as_cr_LETTERS
+as_cr_digits='0123456789'
+as_cr_alnum=$as_cr_Letters$as_cr_digits
+
+
+  as_lineno_1=$LINENO as_lineno_1a=$LINENO
+  as_lineno_2=$LINENO as_lineno_2a=$LINENO
+  eval 'test "x$as_lineno_1'$as_run'" != "x$as_lineno_2'$as_run'" &&
+  test "x`expr $as_lineno_1'$as_run' + 1`" = "x$as_lineno_2'$as_run'"' || {
+  # Blame Lee E. McMahon (1931-1989) for sed's syntax.  :-)
+  sed -n '
+    p
+    /[$]LINENO/=
+  ' <$as_myself |
+    sed '
+      s/[$]LINENO.*/&-/
+      t lineno
+      b
+      :lineno
+      N
+      :loop
+      s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/
+      t loop
+      s/-\n.*//
+    ' >$as_me.lineno &&
+  chmod +x "$as_me.lineno" ||
+    { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; }
+
+  # If we had to re-execute with $CONFIG_SHELL, we're ensured to have
+  # already done that, so ensure we don't try to do so again and fall
+  # in an infinite loop.  This has already happened in practice.
+  _as_can_reexec=no; export _as_can_reexec
+  # Don't try to exec as it changes $[0], causing all sort of problems
+  # (the dirname of $[0] is not the place where we might find the
+  # original and so on.  Autoconf is especially sensitive to this).
+  . "./$as_me.lineno"
+  # Exit status is that of the last command.
+  exit
+}
+
+ECHO_C= ECHO_N= ECHO_T=
+case `echo -n x` in #(((((
+-n*)
+  case `echo 'xy\c'` in
+  *c*) ECHO_T='	';;	# ECHO_T is single tab character.
+  xy)  ECHO_C='\c';;
+  *)   echo `echo ksh88 bug on AIX 6.1` > /dev/null
+       ECHO_T='	';;
+  esac;;
+*)
+  ECHO_N='-n';;
+esac
+
+rm -f conf$$ conf$$.exe conf$$.file
+if test -d conf$$.dir; then
+  rm -f conf$$.dir/conf$$.file
+else
+  rm -f conf$$.dir
+  mkdir conf$$.dir 2>/dev/null
+fi
+if (echo >conf$$.file) 2>/dev/null; then
+  if ln -s conf$$.file conf$$ 2>/dev/null; then
+    as_ln_s='ln -s'
+    # ... but there are two gotchas:
+    # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
+    # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
+    # In both cases, we have to default to `cp -pR'.
+    ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
+      as_ln_s='cp -pR'
+  elif ln conf$$.file conf$$ 2>/dev/null; then
+    as_ln_s=ln
+  else
+    as_ln_s='cp -pR'
+  fi
+else
+  as_ln_s='cp -pR'
+fi
+rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
+rmdir conf$$.dir 2>/dev/null
+
+if mkdir -p . 2>/dev/null; then
+  as_mkdir_p='mkdir -p "$as_dir"'
+else
+  test -d ./-p && rmdir ./-p
+  as_mkdir_p=false
+fi
+
+as_test_x='test -x'
+as_executable_p=as_fn_executable_p
+
+# Sed expression to map a string onto a valid CPP name.
+as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
+
+# Sed expression to map a string onto a valid variable name.
+as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"
+
+SHELL=${CONFIG_SHELL-/bin/sh}
+
+
+test -n "$DJDIR" || exec 7<&0 </dev/null
+exec 6>&1
+
+# Name of the host.
+# hostname on some systems (SVR3.2, old GNU/Linux) returns a bogus exit status,
+# so uname gets run too.
+ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q`
+
+#
+# Initializations.
+#
+ac_default_prefix=/usr/local
+ac_clean_files=
+ac_config_libobj_dir=.
+LIBOBJS=
+cross_compiling=no
+subdirs=
+MFLAGS=
+MAKEFLAGS=
+
+# Identity of this package.
+PACKAGE_NAME='BIND'
+PACKAGE_TARNAME='bind'
+PACKAGE_VERSION='9.16'
+PACKAGE_STRING='BIND 9.16'
+PACKAGE_BUGREPORT='https://gitlab.isc.org/isc-projects/bind9/-/issues/new?issuable_template=Bug'
+PACKAGE_URL='https://www.isc.org/downloads/'
+
+# Factoring default headers for most tests.
+ac_includes_default="\
+#include <stdio.h>
+#ifdef HAVE_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_STAT_H
+# include <sys/stat.h>
+#endif
+#ifdef STDC_HEADERS
+# include <stdlib.h>
+# include <stddef.h>
+#else
+# ifdef HAVE_STDLIB_H
+#  include <stdlib.h>
+# endif
+#endif
+#ifdef HAVE_STRING_H
+# if !defined STDC_HEADERS && defined HAVE_MEMORY_H
+#  include <memory.h>
+# endif
+# include <string.h>
+#endif
+#ifdef HAVE_STRINGS_H
+# include <strings.h>
+#endif
+#ifdef HAVE_INTTYPES_H
+# include <inttypes.h>
+#endif
+#ifdef HAVE_STDINT_H
+# include <stdint.h>
+#endif
+#ifdef HAVE_UNISTD_H
+# include <unistd.h>
+#endif"
+
+ac_subst_vars='LTLIBOBJS
+LIBOBJS
+BUILD_LIBS
+BUILD_LDFLAGS
+BUILD_CPPFLAGS
+BUILD_CFLAGS
+BUILD_CC
+DLZ_DRIVER_MYSQL_LIBS
+DLZ_DRIVER_MYSQL_INCLUDES
+DLZ_SYSTEM_TEST
+DLZ_DRIVER_OBJS
+DLZ_DRIVER_SRCS
+DLZ_DRIVER_LIBS
+DLZ_DRIVER_INCLUDES
+CONTRIB_DLZ
+MYSQL_CONFIG
+PG_CONFIG
+SO_TARGETS
+SO_STRIP
+SO_LD
+SO_LDFLAGS
+SO_CFLAGS
+SO
+BIND9_CONFIGARGS
+BIND9_SRCID
+BIND9_VERSIONSTRING
+BIND9_MAJOR
+BIND9_VERSION
+BIND9_DESCRIPTION
+BIND9_PRODUCT
+BIND9_IRS_BUILDINCLUDE
+BIND9_BIND9_BUILDINCLUDE
+BIND9_NS_BUILDINCLUDE
+BIND9_DNS_BUILDINCLUDE
+BIND9_ISCCFG_BUILDINCLUDE
+BIND9_ISCCC_BUILDINCLUDE
+BIND9_ISC_BUILDINCLUDE
+BIND9_TOP_BUILDDIR
+LD_WRAP_TESTS
+UNITTESTS
+KYUA
+CMOCKA_LIBS
+CMOCKA_CFLAGS
+LIBIDN2_LDFLAGS
+LIBIDN2_LIBS
+LIBIDN2_CFLAGS
+XSLTPROC
+CURL
+DOXYGEN
+MANSRCS
+PDFTARGET
+HTMLTARGET
+PDFLATEX
+RELEASE_DATE
+BUILD_MANPAGES
+HAVE_XELATEX_FALSE
+HAVE_XELATEX_TRUE
+LATEXMK
+XELATEX
+HAVE_SPHINX_BUILD_FALSE
+HAVE_SPHINX_BUILD_TRUE
+SPHINX_BUILD
+FSTRM_LIBS
+FSTRM_CFLAGS
+PROTOBUF_C_LIBS
+PROTOBUF_C_CFLAGS
+DNSTAP_MANS
+DNSTAPTARGETS
+DNSTAPOBJS
+DNSTAPSRCS
+DNSTAP
+FSTRM_CAPTURE
+PROTOC_C
+ISC_PLATFORM_HAVESYSUNH
+LIBCAP_LIBS
+DST_EXTRA_SRCS
+DST_EXTRA_OBJS
+READLINE_LIB
+BIND9_CO_RULE
+LIBTOOL_MODE_UNINSTALL
+LIBTOOL_MODE_LINK
+LIBTOOL_MODE_INSTALL
+LIBTOOL_MODE_COMPILE
+LIBTOOL_MKDEP_SED
+SA
+A
+O
+ALWAYS_MAKE_SYMTABLE
+MKSYMTBL_PROGRAM
+PURIFY
+purify_path
+MKDEPPROG
+MKDEPCFLAGS
+MKDEPCC
+ZLIB_LIBS
+ZLIB_CFLAGS
+JSON_C_LIBS
+JSON_C_CFLAGS
+LIBXML2_LIBS
+LIBXML2_CFLAGS
+NZD_MANS
+NZDTARGETS
+NZDSRCS
+NZD_TOOLS
+LMDB_LIBS
+LMDB_CFLAGS
+DNS_CRYPTO_LIBS
+DNS_GSSAPI_LIBS
+DST_GSSAPI_INC
+USE_GSSAPI
+ISC_PLATFORM_KRB5HEADER
+ISC_PLATFORM_GSSAPI_KRB5_HEADER
+ISC_PLATFORM_GSSAPIHEADER
+KRB5_CONFIG
+CRYPTO
+PKCS11_MANS
+PKCS11_TOOLS
+PKCS11_TEST
+OPENSSL_LIBS
+OPENSSL_CFLAGS
+NO_LIBTOOL_DNSLIBS
+NO_LIBTOOL_ISCLIBS
+INSTALL_LIBRARY
+ALWAYS_DEFINES
+LIBUV_LIBS
+LIBUV_CFLAGS
+PTHREAD_CFLAGS
+PTHREAD_LIBS
+PTHREAD_CC
+ax_pthread_config
+GEOIP2LINKOBJS
+GEOIP2LINKSRCS
+MAXMINDDB_PREFIX
+MAXMINDDB_LIBS
+MAXMINDDB_CFLAGS
+ISC_PLATFORM_NORETURN_POST
+ISC_PLATFORM_NORETURN_PRE
+PYTEST
+expanded_sysconfdir
+PYTHON_INSTALL_LIB
+PYTHON_INSTALL_DIR
+PYTHON_TOOLS
+KEYMGR
+COVERAGE
+CHECKDS
+PYTHON
+PERL
+PANDOC
+W3M
+LN
+ARFLAGS
+XTARGETS
+PKG_CONFIG_LIBDIR
+PKG_CONFIG_PATH
+PKG_CONFIG
+BACKTRACECFLAGS
+CCNOOPT
+CCOPT
+STD_CWARNINGS
+STD_CDEFINES
+STD_CINCLUDES
+MKDIR_P
+INSTALL_DATA
+INSTALL_SCRIPT
+INSTALL_PROGRAM
+LT_SYS_LIBRARY_PATH
+OTOOL64
+OTOOL
+LIPO
+NMEDIT
+DSYMUTIL
+MANIFEST_TOOL
+AWK
+RANLIB
+STRIP
+ac_ct_AR
+AR
+DLLTOOL
+OBJDUMP
+LN_S
+NM
+ac_ct_DUMPBIN
+DUMPBIN
+LD
+FGREP
+SED
+LIBTOOL
+SET_MAKE
+LFS_LIBS
+LFS_LDFLAGS
+LFS_CFLAGS
+EGREP
+GREP
+CPP
+OBJEXT
+EXEEXT
+ac_ct_CC
+CPPFLAGS
+LDFLAGS
+CFLAGS
+CC
+host_os
+host_vendor
+host_cpu
+host
+build_os
+build_vendor
+build_cpu
+build
+MAINT
+MAINTAINER_MODE_FALSE
+MAINTAINER_MODE_TRUE
+target_alias
+host_alias
+build_alias
+LIBS
+ECHO_T
+ECHO_N
+ECHO_C
+DEFS
+mandir
+localedir
+libdir
+psdir
+pdfdir
+dvidir
+htmldir
+infodir
+docdir
+oldincludedir
+includedir
+localstatedir
+sharedstatedir
+sysconfdir
+datadir
+datarootdir
+libexecdir
+sbindir
+bindir
+program_transform_name
+prefix
+exec_prefix
+PACKAGE_URL
+PACKAGE_BUGREPORT
+PACKAGE_STRING
+PACKAGE_VERSION
+PACKAGE_TARNAME
+PACKAGE_NAME
+PATH_SEPARATOR
+SHELL'
+ac_subst_files='BIND9_MAKE_INCLUDES
+BIND9_MAKE_RULES
+LIBDNS_MAPAPI
+DLZ_DRIVER_RULES'
+ac_user_opts='
+enable_option_checking
+enable_maintainer_mode
+enable_largefile
+enable_shared
+enable_static
+with_pic
+enable_fast_install
+with_aix_soname
+with_gnu_ld
+with_sysroot
+enable_libtool_lock
+enable_buffer_useinline
+enable_warn_shadow
+enable_warn_error
+enable_developer
+enable_fuzzing
+with_python
+with_python_install_dir
+enable_kqueue
+enable_epoll
+enable_devpoll
+with_geoip2
+enable_geoip
+with_maxminddb
+with_locktype
+with_libtool
+enable_pthread_rwlock
+with_openssl
+enable_fips_mode
+enable_native_pkcs11
+with_pkcs11
+with_gssapi
+with_lmdb
+with_libxml2
+with_libjson
+with_json_c
+with_zlib
+with_purify
+with_gperftools_profiler
+enable_backtrace
+enable_symtable
+enable_tcp_fastopen
+with_readline
+enable_chroot
+enable_linux_caps
+enable_fixed_rrset
+enable_dnstap
+with_protobuf_c
+with_libfstrm
+with_libidn2
+with_cmocka
+with_tuning
+enable_querytrace
+enable_auto_validation
+with_dlopen
+enable_dnsrps_dl
+with_dnsrps_libname
+with_dnsrps_dir
+enable_dnsrps
+with_dlz_postgres
+with_dlz_mysql
+with_dlz_bdb
+with_dlz_filesystem
+with_dlz_ldap
+with_dlz_odbc
+with_dlz_stub
+with_make_clean
+enable_full_report
+'
+      ac_precious_vars='build_alias
+host_alias
+target_alias
+CC
+CFLAGS
+LDFLAGS
+LIBS
+CPPFLAGS
+CPP
+LT_SYS_LIBRARY_PATH
+PKG_CONFIG
+PKG_CONFIG_PATH
+PKG_CONFIG_LIBDIR
+PYTHON
+MAXMINDDB_CFLAGS
+MAXMINDDB_LIBS
+MAXMINDDB_PREFIX
+LIBUV_CFLAGS
+LIBUV_LIBS
+OPENSSL_CFLAGS
+OPENSSL_LIBS
+LIBXML2_CFLAGS
+LIBXML2_LIBS
+JSON_C_CFLAGS
+JSON_C_LIBS
+ZLIB_CFLAGS
+ZLIB_LIBS
+SPHINX_BUILD
+LIBIDN2_CFLAGS
+LIBIDN2_LIBS
+CMOCKA_CFLAGS
+CMOCKA_LIBS
+KYUA'
+
+
+# Initialize some variables set by options.
+ac_init_help=
+ac_init_version=false
+ac_unrecognized_opts=
+ac_unrecognized_sep=
+# The variables have the same names as the options, with
+# dashes changed to underlines.
+cache_file=/dev/null
+exec_prefix=NONE
+no_create=
+no_recursion=
+prefix=NONE
+program_prefix=NONE
+program_suffix=NONE
+program_transform_name=s,x,x,
+silent=
+site=
+srcdir=
+verbose=
+x_includes=NONE
+x_libraries=NONE
+
+# Installation directory options.
+# These are left unexpanded so users can "make install exec_prefix=/foo"
+# and all the variables that are supposed to be based on exec_prefix
+# by default will actually change.
+# Use braces instead of parens because sh, perl, etc. also accept them.
+# (The list follows the same order as the GNU Coding Standards.)
+bindir='${exec_prefix}/bin'
+sbindir='${exec_prefix}/sbin'
+libexecdir='${exec_prefix}/libexec'
+datarootdir='${prefix}/share'
+datadir='${datarootdir}'
+sysconfdir='${prefix}/etc'
+sharedstatedir='${prefix}/com'
+localstatedir='${prefix}/var'
+includedir='${prefix}/include'
+oldincludedir='/usr/include'
+docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
+infodir='${datarootdir}/info'
+htmldir='${docdir}'
+dvidir='${docdir}'
+pdfdir='${docdir}'
+psdir='${docdir}'
+libdir='${exec_prefix}/lib'
+localedir='${datarootdir}/locale'
+mandir='${datarootdir}/man'
+
+ac_prev=
+ac_dashdash=
+for ac_option
+do
+  # If the previous option needs an argument, assign it.
+  if test -n "$ac_prev"; then
+    eval $ac_prev=\$ac_option
+    ac_prev=
+    continue
+  fi
+
+  case $ac_option in
+  *=?*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;;
+  *=)   ac_optarg= ;;
+  *)    ac_optarg=yes ;;
+  esac
+
+  # Accept the important Cygnus configure options, so we can diagnose typos.
+
+  case $ac_dashdash$ac_option in
+  --)
+    ac_dashdash=yes ;;
+
+  -bindir | --bindir | --bindi | --bind | --bin | --bi)
+    ac_prev=bindir ;;
+  -bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*)
+    bindir=$ac_optarg ;;
+
+  -build | --build | --buil | --bui | --bu)
+    ac_prev=build_alias ;;
+  -build=* | --build=* | --buil=* | --bui=* | --bu=*)
+    build_alias=$ac_optarg ;;
+
+  -cache-file | --cache-file | --cache-fil | --cache-fi \
+  | --cache-f | --cache- | --cache | --cach | --cac | --ca | --c)
+    ac_prev=cache_file ;;
+  -cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \
+  | --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*)
+    cache_file=$ac_optarg ;;
+
+  --config-cache | -C)
+    cache_file=config.cache ;;
+
+  -datadir | --datadir | --datadi | --datad)
+    ac_prev=datadir ;;
+  -datadir=* | --datadir=* | --datadi=* | --datad=*)
+    datadir=$ac_optarg ;;
+
+  -datarootdir | --datarootdir | --datarootdi | --datarootd | --dataroot \
+  | --dataroo | --dataro | --datar)
+    ac_prev=datarootdir ;;
+  -datarootdir=* | --datarootdir=* | --datarootdi=* | --datarootd=* \
+  | --dataroot=* | --dataroo=* | --dataro=* | --datar=*)
+    datarootdir=$ac_optarg ;;
+
+  -disable-* | --disable-*)
+    ac_useropt=`expr "x$ac_option" : 'x-*disable-\(.*\)'`
+    # Reject names that are not valid shell variable names.
+    expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
+      as_fn_error $? "invalid feature name: $ac_useropt"
+    ac_useropt_orig=$ac_useropt
+    ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
+    case $ac_user_opts in
+      *"
+"enable_$ac_useropt"
+"*) ;;
+      *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--disable-$ac_useropt_orig"
+	 ac_unrecognized_sep=', ';;
+    esac
+    eval enable_$ac_useropt=no ;;
+
+  -docdir | --docdir | --docdi | --doc | --do)
+    ac_prev=docdir ;;
+  -docdir=* | --docdir=* | --docdi=* | --doc=* | --do=*)
+    docdir=$ac_optarg ;;
+
+  -dvidir | --dvidir | --dvidi | --dvid | --dvi | --dv)
+    ac_prev=dvidir ;;
+  -dvidir=* | --dvidir=* | --dvidi=* | --dvid=* | --dvi=* | --dv=*)
+    dvidir=$ac_optarg ;;
+
+  -enable-* | --enable-*)
+    ac_useropt=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'`
+    # Reject names that are not valid shell variable names.
+    expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
+      as_fn_error $? "invalid feature name: $ac_useropt"
+    ac_useropt_orig=$ac_useropt
+    ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
+    case $ac_user_opts in
+      *"
+"enable_$ac_useropt"
+"*) ;;
+      *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--enable-$ac_useropt_orig"
+	 ac_unrecognized_sep=', ';;
+    esac
+    eval enable_$ac_useropt=\$ac_optarg ;;
+
+  -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \
+  | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \
+  | --exec | --exe | --ex)
+    ac_prev=exec_prefix ;;
+  -exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \
+  | --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \
+  | --exec=* | --exe=* | --ex=*)
+    exec_prefix=$ac_optarg ;;
+
+  -gas | --gas | --ga | --g)
+    # Obsolete; use --with-gas.
+    with_gas=yes ;;
+
+  -help | --help | --hel | --he | -h)
+    ac_init_help=long ;;
+  -help=r* | --help=r* | --hel=r* | --he=r* | -hr*)
+    ac_init_help=recursive ;;
+  -help=s* | --help=s* | --hel=s* | --he=s* | -hs*)
+    ac_init_help=short ;;
+
+  -host | --host | --hos | --ho)
+    ac_prev=host_alias ;;
+  -host=* | --host=* | --hos=* | --ho=*)
+    host_alias=$ac_optarg ;;
+
+  -htmldir | --htmldir | --htmldi | --htmld | --html | --htm | --ht)
+    ac_prev=htmldir ;;
+  -htmldir=* | --htmldir=* | --htmldi=* | --htmld=* | --html=* | --htm=* \
+  | --ht=*)
+    htmldir=$ac_optarg ;;
+
+  -includedir | --includedir | --includedi | --included | --include \
+  | --includ | --inclu | --incl | --inc)
+    ac_prev=includedir ;;
+  -includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \
+  | --includ=* | --inclu=* | --incl=* | --inc=*)
+    includedir=$ac_optarg ;;
+
+  -infodir | --infodir | --infodi | --infod | --info | --inf)
+    ac_prev=infodir ;;
+  -infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*)
+    infodir=$ac_optarg ;;
+
+  -libdir | --libdir | --libdi | --libd)
+    ac_prev=libdir ;;
+  -libdir=* | --libdir=* | --libdi=* | --libd=*)
+    libdir=$ac_optarg ;;
+
+  -libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \
+  | --libexe | --libex | --libe)
+    ac_prev=libexecdir ;;
+  -libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \
+  | --libexe=* | --libex=* | --libe=*)
+    libexecdir=$ac_optarg ;;
+
+  -localedir | --localedir | --localedi | --localed | --locale)
+    ac_prev=localedir ;;
+  -localedir=* | --localedir=* | --localedi=* | --localed=* | --locale=*)
+    localedir=$ac_optarg ;;
+
+  -localstatedir | --localstatedir | --localstatedi | --localstated \
+  | --localstate | --localstat | --localsta | --localst | --locals)
+    ac_prev=localstatedir ;;
+  -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \
+  | --localstate=* | --localstat=* | --localsta=* | --localst=* | --locals=*)
+    localstatedir=$ac_optarg ;;
+
+  -mandir | --mandir | --mandi | --mand | --man | --ma | --m)
+    ac_prev=mandir ;;
+  -mandir=* | --mandir=* | --mandi=* | --mand=* | --man=* | --ma=* | --m=*)
+    mandir=$ac_optarg ;;
+
+  -nfp | --nfp | --nf)
+    # Obsolete; use --without-fp.
+    with_fp=no ;;
+
+  -no-create | --no-create | --no-creat | --no-crea | --no-cre \
+  | --no-cr | --no-c | -n)
+    no_create=yes ;;
+
+  -no-recursion | --no-recursion | --no-recursio | --no-recursi \
+  | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r)
+    no_recursion=yes ;;
+
+  -oldincludedir | --oldincludedir | --oldincludedi | --oldincluded \
+  | --oldinclude | --oldinclud | --oldinclu | --oldincl | --oldinc \
+  | --oldin | --oldi | --old | --ol | --o)
+    ac_prev=oldincludedir ;;
+  -oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \
+  | --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \
+  | --oldin=* | --oldi=* | --old=* | --ol=* | --o=*)
+    oldincludedir=$ac_optarg ;;
+
+  -prefix | --prefix | --prefi | --pref | --pre | --pr | --p)
+    ac_prev=prefix ;;
+  -prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*)
+    prefix=$ac_optarg ;;
+
+  -program-prefix | --program-prefix | --program-prefi | --program-pref \
+  | --program-pre | --program-pr | --program-p)
+    ac_prev=program_prefix ;;
+  -program-prefix=* | --program-prefix=* | --program-prefi=* \
+  | --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*)
+    program_prefix=$ac_optarg ;;
+
+  -program-suffix | --program-suffix | --program-suffi | --program-suff \
+  | --program-suf | --program-su | --program-s)
+    ac_prev=program_suffix ;;
+  -program-suffix=* | --program-suffix=* | --program-suffi=* \
+  | --program-suff=* | --program-suf=* | --program-su=* | --program-s=*)
+    program_suffix=$ac_optarg ;;
+
+  -program-transform-name | --program-transform-name \
+  | --program-transform-nam | --program-transform-na \
+  | --program-transform-n | --program-transform- \
+  | --program-transform | --program-transfor \
+  | --program-transfo | --program-transf \
+  | --program-trans | --program-tran \
+  | --progr-tra | --program-tr | --program-t)
+    ac_prev=program_transform_name ;;
+  -program-transform-name=* | --program-transform-name=* \
+  | --program-transform-nam=* | --program-transform-na=* \
+  | --program-transform-n=* | --program-transform-=* \
+  | --program-transform=* | --program-transfor=* \
+  | --program-transfo=* | --program-transf=* \
+  | --program-trans=* | --program-tran=* \
+  | --progr-tra=* | --program-tr=* | --program-t=*)
+    program_transform_name=$ac_optarg ;;
+
+  -pdfdir | --pdfdir | --pdfdi | --pdfd | --pdf | --pd)
+    ac_prev=pdfdir ;;
+  -pdfdir=* | --pdfdir=* | --pdfdi=* | --pdfd=* | --pdf=* | --pd=*)
+    pdfdir=$ac_optarg ;;
+
+  -psdir | --psdir | --psdi | --psd | --ps)
+    ac_prev=psdir ;;
+  -psdir=* | --psdir=* | --psdi=* | --psd=* | --ps=*)
+    psdir=$ac_optarg ;;
+
+  -q | -quiet | --quiet | --quie | --qui | --qu | --q \
+  | -silent | --silent | --silen | --sile | --sil)
+    silent=yes ;;
+
+  -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
+    ac_prev=sbindir ;;
+  -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
+  | --sbi=* | --sb=*)
+    sbindir=$ac_optarg ;;
+
+  -sharedstatedir | --sharedstatedir | --sharedstatedi \
+  | --sharedstated | --sharedstate | --sharedstat | --sharedsta \
+  | --sharedst | --shareds | --shared | --share | --shar \
+  | --sha | --sh)
+    ac_prev=sharedstatedir ;;
+  -sharedstatedir=* | --sharedstatedir=* | --sharedstatedi=* \
+  | --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \
+  | --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \
+  | --sha=* | --sh=*)
+    sharedstatedir=$ac_optarg ;;
+
+  -site | --site | --sit)
+    ac_prev=site ;;
+  -site=* | --site=* | --sit=*)
+    site=$ac_optarg ;;
+
+  -srcdir | --srcdir | --srcdi | --srcd | --src | --sr)
+    ac_prev=srcdir ;;
+  -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*)
+    srcdir=$ac_optarg ;;
+
+  -sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \
+  | --syscon | --sysco | --sysc | --sys | --sy)
+    ac_prev=sysconfdir ;;
+  -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \
+  | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*)
+    sysconfdir=$ac_optarg ;;
+
+  -target | --target | --targe | --targ | --tar | --ta | --t)
+    ac_prev=target_alias ;;
+  -target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*)
+    target_alias=$ac_optarg ;;
+
+  -v | -verbose | --verbose | --verbos | --verbo | --verb)
+    verbose=yes ;;
+
+  -version | --version | --versio | --versi | --vers | -V)
+    ac_init_version=: ;;
+
+  -with-* | --with-*)
+    ac_useropt=`expr "x$ac_option" : 'x-*with-\([^=]*\)'`
+    # Reject names that are not valid shell variable names.
+    expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
+      as_fn_error $? "invalid package name: $ac_useropt"
+    ac_useropt_orig=$ac_useropt
+    ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
+    case $ac_user_opts in
+      *"
+"with_$ac_useropt"
+"*) ;;
+      *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--with-$ac_useropt_orig"
+	 ac_unrecognized_sep=', ';;
+    esac
+    eval with_$ac_useropt=\$ac_optarg ;;
+
+  -without-* | --without-*)
+    ac_useropt=`expr "x$ac_option" : 'x-*without-\(.*\)'`
+    # Reject names that are not valid shell variable names.
+    expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
+      as_fn_error $? "invalid package name: $ac_useropt"
+    ac_useropt_orig=$ac_useropt
+    ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
+    case $ac_user_opts in
+      *"
+"with_$ac_useropt"
+"*) ;;
+      *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--without-$ac_useropt_orig"
+	 ac_unrecognized_sep=', ';;
+    esac
+    eval with_$ac_useropt=no ;;
+
+  --x)
+    # Obsolete; use --with-x.
+    with_x=yes ;;
+
+  -x-includes | --x-includes | --x-include | --x-includ | --x-inclu \
+  | --x-incl | --x-inc | --x-in | --x-i)
+    ac_prev=x_includes ;;
+  -x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \
+  | --x-incl=* | --x-inc=* | --x-in=* | --x-i=*)
+    x_includes=$ac_optarg ;;
+
+  -x-libraries | --x-libraries | --x-librarie | --x-librari \
+  | --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l)
+    ac_prev=x_libraries ;;
+  -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \
+  | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*)
+    x_libraries=$ac_optarg ;;
+
+  -*) as_fn_error $? "unrecognized option: \`$ac_option'
+Try \`$0 --help' for more information"
+    ;;
+
+  *=*)
+    ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='`
+    # Reject names that are not valid shell variable names.
+    case $ac_envvar in #(
+      '' | [0-9]* | *[!_$as_cr_alnum]* )
+      as_fn_error $? "invalid variable name: \`$ac_envvar'" ;;
+    esac
+    eval $ac_envvar=\$ac_optarg
+    export $ac_envvar ;;
+
+  *)
+    # FIXME: should be removed in autoconf 3.0.
+    $as_echo "$as_me: WARNING: you should use --build, --host, --target" >&2
+    expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null &&
+      $as_echo "$as_me: WARNING: invalid host type: $ac_option" >&2
+    : "${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}"
+    ;;
+
+  esac
+done
+
+if test -n "$ac_prev"; then
+  ac_option=--`echo $ac_prev | sed 's/_/-/g'`
+  as_fn_error $? "missing argument to $ac_option"
+fi
+
+if test -n "$ac_unrecognized_opts"; then
+  case $enable_option_checking in
+    no) ;;
+    fatal) as_fn_error $? "unrecognized options: $ac_unrecognized_opts" ;;
+    *)     $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2 ;;
+  esac
+fi
+
+# Check all directory arguments for consistency.
+for ac_var in	exec_prefix prefix bindir sbindir libexecdir datarootdir \
+		datadir sysconfdir sharedstatedir localstatedir includedir \
+		oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
+		libdir localedir mandir
+do
+  eval ac_val=\$$ac_var
+  # Remove trailing slashes.
+  case $ac_val in
+    */ )
+      ac_val=`expr "X$ac_val" : 'X\(.*[^/]\)' \| "X$ac_val" : 'X\(.*\)'`
+      eval $ac_var=\$ac_val;;
+  esac
+  # Be sure to have absolute directory names.
+  case $ac_val in
+    [\\/$]* | ?:[\\/]* )  continue;;
+    NONE | '' ) case $ac_var in *prefix ) continue;; esac;;
+  esac
+  as_fn_error $? "expected an absolute directory name for --$ac_var: $ac_val"
+done
+
+# There might be people who depend on the old broken behavior: `$host'
+# used to hold the argument of --host etc.
+# FIXME: To remove some day.
+build=$build_alias
+host=$host_alias
+target=$target_alias
+
+# FIXME: To remove some day.
+if test "x$host_alias" != x; then
+  if test "x$build_alias" = x; then
+    cross_compiling=maybe
+  elif test "x$build_alias" != "x$host_alias"; then
+    cross_compiling=yes
+  fi
+fi
+
+ac_tool_prefix=
+test -n "$host_alias" && ac_tool_prefix=$host_alias-
+
+test "$silent" = yes && exec 6>/dev/null
+
+
+ac_pwd=`pwd` && test -n "$ac_pwd" &&
+ac_ls_di=`ls -di .` &&
+ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` ||
+  as_fn_error $? "working directory cannot be determined"
+test "X$ac_ls_di" = "X$ac_pwd_ls_di" ||
+  as_fn_error $? "pwd does not report name of working directory"
+
+
+# Find the source files, if location was not specified.
+if test -z "$srcdir"; then
+  ac_srcdir_defaulted=yes
+  # Try the directory containing this script, then the parent directory.
+  ac_confdir=`$as_dirname -- "$as_myself" ||
+$as_expr X"$as_myself" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+	 X"$as_myself" : 'X\(//\)[^/]' \| \
+	 X"$as_myself" : 'X\(//\)$' \| \
+	 X"$as_myself" : 'X\(/\)' \| . 2>/dev/null ||
+$as_echo X"$as_myself" |
+    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)[^/].*/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\).*/{
+	    s//\1/
+	    q
+	  }
+	  s/.*/./; q'`
+  srcdir=$ac_confdir
+  if test ! -r "$srcdir/$ac_unique_file"; then
+    srcdir=..
+  fi
+else
+  ac_srcdir_defaulted=no
+fi
+if test ! -r "$srcdir/$ac_unique_file"; then
+  test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .."
+  as_fn_error $? "cannot find sources ($ac_unique_file) in $srcdir"
+fi
+ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work"
+ac_abs_confdir=`(
+	cd "$srcdir" && test -r "./$ac_unique_file" || as_fn_error $? "$ac_msg"
+	pwd)`
+# When building in place, set srcdir=.
+if test "$ac_abs_confdir" = "$ac_pwd"; then
+  srcdir=.
+fi
+# Remove unnecessary trailing slashes from srcdir.
+# Double slashes in file names in object file debugging info
+# mess up M-x gdb in Emacs.
+case $srcdir in
+*/) srcdir=`expr "X$srcdir" : 'X\(.*[^/]\)' \| "X$srcdir" : 'X\(.*\)'`;;
+esac
+for ac_var in $ac_precious_vars; do
+  eval ac_env_${ac_var}_set=\${${ac_var}+set}
+  eval ac_env_${ac_var}_value=\$${ac_var}
+  eval ac_cv_env_${ac_var}_set=\${${ac_var}+set}
+  eval ac_cv_env_${ac_var}_value=\$${ac_var}
+done
+
+#
+# Report the --help message.
+#
+if test "$ac_init_help" = "long"; then
+  # Omit some internal or obsolete options to make the list less imposing.
+  # This message is too long to be a string in the A/UX 3.1 sh.
+  cat <<_ACEOF
+\`configure' configures BIND 9.16 to adapt to many kinds of systems.
+
+Usage: $0 [OPTION]... [VAR=VALUE]...
+
+To assign environment variables (e.g., CC, CFLAGS...), specify them as
+VAR=VALUE.  See below for descriptions of some of the useful variables.
+
+Defaults for the options are specified in brackets.
+
+Configuration:
+  -h, --help              display this help and exit
+      --help=short        display options specific to this package
+      --help=recursive    display the short help of all the included packages
+  -V, --version           display version information and exit
+  -q, --quiet, --silent   do not print \`checking ...' messages
+      --cache-file=FILE   cache test results in FILE [disabled]
+  -C, --config-cache      alias for \`--cache-file=config.cache'
+  -n, --no-create         do not create output files
+      --srcdir=DIR        find the sources in DIR [configure dir or \`..']
+
+Installation directories:
+  --prefix=PREFIX         install architecture-independent files in PREFIX
+                          [$ac_default_prefix]
+  --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX
+                          [PREFIX]
+
+By default, \`make install' will install all the files in
+\`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc.  You can specify
+an installation prefix other than \`$ac_default_prefix' using \`--prefix',
+for instance \`--prefix=\$HOME'.
+
+For better control, use the options below.
+
+Fine tuning of the installation directories:
+  --bindir=DIR            user executables [EPREFIX/bin]
+  --sbindir=DIR           system admin executables [EPREFIX/sbin]
+  --libexecdir=DIR        program executables [EPREFIX/libexec]
+  --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
+  --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
+  --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
+  --libdir=DIR            object code libraries [EPREFIX/lib]
+  --includedir=DIR        C header files [PREFIX/include]
+  --oldincludedir=DIR     C header files for non-gcc [/usr/include]
+  --datarootdir=DIR       read-only arch.-independent data root [PREFIX/share]
+  --datadir=DIR           read-only architecture-independent data [DATAROOTDIR]
+  --infodir=DIR           info documentation [DATAROOTDIR/info]
+  --localedir=DIR         locale-dependent data [DATAROOTDIR/locale]
+  --mandir=DIR            man documentation [DATAROOTDIR/man]
+  --docdir=DIR            documentation root [DATAROOTDIR/doc/bind]
+  --htmldir=DIR           html documentation [DOCDIR]
+  --dvidir=DIR            dvi documentation [DOCDIR]
+  --pdfdir=DIR            pdf documentation [DOCDIR]
+  --psdir=DIR             ps documentation [DOCDIR]
+_ACEOF
+
+  cat <<\_ACEOF
+
+System types:
+  --build=BUILD     configure for building on BUILD [guessed]
+  --host=HOST       cross-compile to build programs to run on HOST [BUILD]
+_ACEOF
+fi
+
+if test -n "$ac_init_help"; then
+  case $ac_init_help in
+     short | recursive ) echo "Configuration of BIND 9.16:";;
+   esac
+  cat <<\_ACEOF
+
+Optional Features:
+  --disable-option-checking  ignore unrecognized --enable/--with options
+  --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
+  --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
+  --disable-maintainer-mode
+                          disable make rules and dependencies not useful (and
+                          sometimes confusing) to the casual installer
+  --disable-largefile     omit support for large files
+  --enable-shared[=PKGS]  build shared libraries [default=yes]
+  --enable-static[=PKGS]  build static libraries [default=yes]
+  --enable-fast-install[=PKGS]
+                          optimize for fast installation [default=yes]
+  --disable-libtool-lock  avoid locking (might break parallel builds)
+  --enable-buffer-useinline
+                          define ISC_BUFFER_USEINLINE when compiling
+                          [default=yes]
+  --enable-warn-shadow    turn on -Wshadow when compiling
+  --enable-warn-error     turn on -Werror when compiling
+  --enable-developer      enable developer build settings
+  --enable-fuzzing=<afl|libfuzzer>
+                          Enable fuzzing using American Fuzzy Lop or libFuzzer
+                          (default=no)
+  --enable-kqueue         use BSD kqueue when available [default=yes]
+  --enable-epoll          use Linux epoll when available [default=auto]
+  --enable-devpoll        use /dev/poll when available [default=yes]
+  --disable-geoip         support GeoIP2 geolocation ACLs if available
+                          [default=yes]
+  --enable-pthread-rwlock use pthread rwlock instead of internal rwlock
+                          implementation
+  --enable-fips-mode      enable FIPS mode in OpenSSL library [default=no]
+  --enable-native-pkcs11  use native PKCS11 for public-key crypto [default=no]
+  --enable-backtrace      log stack backtrace on abort [default=yes]
+  --enable-symtable       use internal symbol table for backtrace
+                          [all|minimal(default)|none]
+  --disable-tcp-fastopen  disable TCP Fast Open support [default=yes]
+  --disable-chroot        disable chroot
+  --disable-linux-caps    disable Linux capabilities
+  --enable-fixed-rrset    enable fixed rrset ordering [default=no]
+  --enable-dnstap         enable dnstap support (requires fstrm, protobuf-c)
+  --enable-querytrace     enable very verbose query trace logging [default=no]
+  --enable-auto-validation
+                          turn on DNSSEC validation by default, using the IANA
+                          root key [default=yes]
+  --enable-dnsrps-dl      DNS Response Policy Service delayed link
+                          [default=$librpz_dl]
+  --enable-dnsrps         enable DNS Response Policy Service API
+  --enable-full-report    report values of all configure options
+
+Optional Packages:
+  --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
+  --without-PACKAGE       do not use PACKAGE (same as --with-PACKAGE=no)
+  --with-pic[=PKGS]       try to use only PIC/non-PIC objects [default=use
+                          both]
+  --with-aix-soname=aix|svr4|both
+                          shared library versioning (aka "SONAME") variant to
+                          provide on AIX, [default=aix].
+  --with-gnu-ld           assume the C compiler uses GNU ld [default=no]
+  --with-sysroot[=DIR]    Search for dependent libraries within DIR (or the
+                          compiler's sysroot if not specified).
+  --with-python=PATH      specify path to Python interpreter
+  --with-python-install-dir=PATH
+                          installation directory for Python modules
+  --with-geoip2           deprecated, use --with-maxminddb
+  --with-maxminddb=PATH   Build with MaxMind GeoIP2 support (auto|yes|no|path)
+                          [default=auto]
+  --with-locktype=ARG     Specify mutex lock type (adaptive or standard)
+  --with-libtool          use GNU libtool
+  --with-openssl=DIR      root of the OpenSSL directory
+  --with-pkcs11=PATH      Build with PKCS11 support [no|path] (PATH is for the
+                          PKCS11 provider)
+  --with-gssapi=PATH|/path/krb5-config
+                          Specify path for system-supplied GSSAPI
+                          [default=auto]
+  --with-lmdb=PATH        build with LMDB library [yes|no|path]
+  --with-libxml2          build with libxml2 library [yes|no|auto] (default is
+                          auto)
+  --with-libjson          deprecated, use --with-json-c
+  --with-json-c           build with json-c library [yes|no|detect] (default
+                          is detect)
+  --with-zlib             build with zlib for HTTP compression [default=yes]
+  --with-purify=PATH      use Rational purify
+  --with-gperftools-profiler
+                          use gperftools CPU profiler
+  --with-readline=LIBSPEC specify readline library [default auto]
+  --with-protobuf-c=path  Path where protobuf-c is installed, for dnstap
+  --with-libfstrm=path    Path where libfstrm is installed, for dnstap
+  --with-libidn2=PATH     enable IDN support using GNU libidn2
+                          [yes|no(default)|path]
+  --with-cmocka=detect    enable CMocka based tests (default is detect)
+  --with-tuning=ARG       Specify server tuning (default or small)
+  --with-dlopen=ARG       support dynamically loadable DLZ and DYNDB drivers
+  --with-dnsrps-libname   DNSRPS provider library name (librpz.so)
+  --with-dnsrps-dir       path to DNSRPS provider library
+  --with-dlz-postgres=PATH
+                          Build with Postgres DLZ driver [yes|no|path].
+                          (Required to use Postgres with DLZ)
+  --with-dlz-mysql=PATH   Build with MySQL DLZ driver [yes|no|path]. (Required
+                          to use MySQL with DLZ)
+  --with-dlz-bdb=PATH     Build with Berkeley DB DLZ driver [yes|no|path].
+                          (Required to use Berkeley DB with DLZ)
+  --with-dlz-filesystem=ARG
+                          Build with filesystem DLZ driver [yes|no]. (Required
+                          to use file system driver with DLZ)
+  --with-dlz-ldap=PATH    Build with LDAP DLZ driver [yes|no|path]. (Required
+                          to use LDAP with DLZ)
+  --with-dlz-odbc=PATH    Build with ODBC DLZ driver [yes|no|path]. (Required
+                          to use ODBC with DLZ)
+  --with-dlz-stub=ARG     Build with stub DLZ driver [yes|no]. (Required to
+                          use stub driver with DLZ)
+  --with-make-clean       run "make clean" at end of configure [yes|no]
+
+Some influential environment variables:
+  CC          C compiler command
+  CFLAGS      C compiler flags
+  LDFLAGS     linker flags, e.g. -L<lib dir> if you have libraries in a
+              nonstandard directory <lib dir>
+  LIBS        libraries to pass to the linker, e.g. -l<library>
+  CPPFLAGS    (Objective) C/C++ preprocessor flags, e.g. -I<include dir> if
+              you have headers in a nonstandard directory <include dir>
+  CPP         C preprocessor
+  LT_SYS_LIBRARY_PATH
+              User-defined run-time library search path.
+  PKG_CONFIG  path to pkg-config utility
+  PKG_CONFIG_PATH
+              directories to add to pkg-config's search path
+  PKG_CONFIG_LIBDIR
+              path overriding pkg-config's built-in search path
+  PYTHON      path to python executable
+  MAXMINDDB_CFLAGS
+              C compiler flags for MAXMINDDB, overriding pkg-config
+  MAXMINDDB_LIBS
+              linker flags for MAXMINDDB, overriding pkg-config
+  MAXMINDDB_PREFIX
+              value of prefix for libmaxminddb, overriding pkg-config
+  LIBUV_CFLAGS
+              C compiler flags for LIBUV, overriding pkg-config
+  LIBUV_LIBS  linker flags for LIBUV, overriding pkg-config
+  OPENSSL_CFLAGS
+              C compiler flags for OPENSSL, overriding pkg-config
+  OPENSSL_LIBS
+              linker flags for OPENSSL, overriding pkg-config
+  LIBXML2_CFLAGS
+              C compiler flags for LIBXML2, overriding pkg-config
+  LIBXML2_LIBS
+              linker flags for LIBXML2, overriding pkg-config
+  JSON_C_CFLAGS
+              C compiler flags for JSON_C, overriding pkg-config
+  JSON_C_LIBS linker flags for JSON_C, overriding pkg-config
+  ZLIB_CFLAGS C compiler flags for ZLIB, overriding pkg-config
+  ZLIB_LIBS   linker flags for ZLIB, overriding pkg-config
+  SPHINX_BUILD
+              path to sphinx-build binary used to build the documentation
+  LIBIDN2_CFLAGS
+              C compiler flags for LIBIDN2, overriding pkg-config
+  LIBIDN2_LIBS
+              linker flags for LIBIDN2, overriding pkg-config
+  CMOCKA_CFLAGS
+              C compiler flags for CMOCKA, overriding pkg-config
+  CMOCKA_LIBS linker flags for CMOCKA, overriding pkg-config
+  KYUA        path to kyua execution engine
+
+Use these variables to override the choices made by `configure' or to help
+it to find libraries and programs with nonstandard names/locations.
+
+Report bugs to <https://gitlab.isc.org/isc-projects/bind9/-/issues/new?issuable_template=Bug>.
+BIND home page: <https://www.isc.org/downloads/>.
+_ACEOF
+ac_status=$?
+fi
+
+if test "$ac_init_help" = "recursive"; then
+  # If there are subdirs, report their specific --help.
+  for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue
+    test -d "$ac_dir" ||
+      { cd "$srcdir" && ac_pwd=`pwd` && srcdir=. && test -d "$ac_dir"; } ||
+      continue
+    ac_builddir=.
+
+case "$ac_dir" in
+.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;;
+*)
+  ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'`
+  # A ".." for each directory in $ac_dir_suffix.
+  ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'`
+  case $ac_top_builddir_sub in
+  "") ac_top_builddir_sub=. ac_top_build_prefix= ;;
+  *)  ac_top_build_prefix=$ac_top_builddir_sub/ ;;
+  esac ;;
+esac
+ac_abs_top_builddir=$ac_pwd
+ac_abs_builddir=$ac_pwd$ac_dir_suffix
+# for backward compatibility:
+ac_top_builddir=$ac_top_build_prefix
+
+case $srcdir in
+  .)  # We are building in place.
+    ac_srcdir=.
+    ac_top_srcdir=$ac_top_builddir_sub
+    ac_abs_top_srcdir=$ac_pwd ;;
+  [\\/]* | ?:[\\/]* )  # Absolute name.
+    ac_srcdir=$srcdir$ac_dir_suffix;
+    ac_top_srcdir=$srcdir
+    ac_abs_top_srcdir=$srcdir ;;
+  *) # Relative name.
+    ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix
+    ac_top_srcdir=$ac_top_build_prefix$srcdir
+    ac_abs_top_srcdir=$ac_pwd/$srcdir ;;
+esac
+ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix
+
+    cd "$ac_dir" || { ac_status=$?; continue; }
+    # Check for guested configure.
+    if test -f "$ac_srcdir/configure.gnu"; then
+      echo &&
+      $SHELL "$ac_srcdir/configure.gnu" --help=recursive
+    elif test -f "$ac_srcdir/configure"; then
+      echo &&
+      $SHELL "$ac_srcdir/configure" --help=recursive
+    else
+      $as_echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2
+    fi || ac_status=$?
+    cd "$ac_pwd" || { ac_status=$?; break; }
+  done
+fi
+
+test -n "$ac_init_help" && exit $ac_status
+if $ac_init_version; then
+  cat <<\_ACEOF
+BIND configure 9.16
+generated by GNU Autoconf 2.69
+
+Copyright (C) 2012 Free Software Foundation, Inc.
+This configure script is free software; the Free Software Foundation
+gives unlimited permission to copy, distribute and modify it.
+_ACEOF
+  exit
+fi
+
+## ------------------------ ##
+## Autoconf initialization. ##
+## ------------------------ ##
+
+# ac_fn_c_try_compile LINENO
+# --------------------------
+# Try to compile conftest.$ac_ext, and return whether this succeeded.
+ac_fn_c_try_compile ()
+{
+  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+  rm -f conftest.$ac_objext
+  if { { ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+  (eval "$ac_compile") 2>conftest.err
+  ac_status=$?
+  if test -s conftest.err; then
+    grep -v '^ *+' conftest.err >conftest.er1
+    cat conftest.er1 >&5
+    mv -f conftest.er1 conftest.err
+  fi
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then :
+  ac_retval=0
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_retval=1
+fi
+  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
+  as_fn_set_status $ac_retval
+
+} # ac_fn_c_try_compile
+
+# ac_fn_c_try_cpp LINENO
+# ----------------------
+# Try to preprocess conftest.$ac_ext, and return whether this succeeded.
+ac_fn_c_try_cpp ()
+{
+  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+  if { { ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.err
+  ac_status=$?
+  if test -s conftest.err; then
+    grep -v '^ *+' conftest.err >conftest.er1
+    cat conftest.er1 >&5
+    mv -f conftest.er1 conftest.err
+  fi
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } > conftest.i && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then :
+  ac_retval=0
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+    ac_retval=1
+fi
+  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
+  as_fn_set_status $ac_retval
+
+} # ac_fn_c_try_cpp
+
+# ac_fn_c_check_header_mongrel LINENO HEADER VAR INCLUDES
+# -------------------------------------------------------
+# Tests whether HEADER exists, giving a warning if it cannot be compiled using
+# the include files in INCLUDES and setting the cache variable VAR
+# accordingly.
+ac_fn_c_check_header_mongrel ()
+{
+  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+  if eval \${$3+:} false; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
+$as_echo_n "checking for $2... " >&6; }
+if eval \${$3+:} false; then :
+  $as_echo_n "(cached) " >&6
+fi
+eval ac_res=\$$3
+	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+else
+  # Is the header compilable?
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking $2 usability" >&5
+$as_echo_n "checking $2 usability... " >&6; }
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+$4
+#include <$2>
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  ac_header_compiler=yes
+else
+  ac_header_compiler=no
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_header_compiler" >&5
+$as_echo "$ac_header_compiler" >&6; }
+
+# Is the header present?
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking $2 presence" >&5
+$as_echo_n "checking $2 presence... " >&6; }
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <$2>
+_ACEOF
+if ac_fn_c_try_cpp "$LINENO"; then :
+  ac_header_preproc=yes
+else
+  ac_header_preproc=no
+fi
+rm -f conftest.err conftest.i conftest.$ac_ext
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_header_preproc" >&5
+$as_echo "$ac_header_preproc" >&6; }
+
+# So?  What about this header?
+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in #((
+  yes:no: )
+    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: accepted by the compiler, rejected by the preprocessor!" >&5
+$as_echo "$as_me: WARNING: $2: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5
+$as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;}
+    ;;
+  no:yes:* )
+    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: present but cannot be compiled" >&5
+$as_echo "$as_me: WARNING: $2: present but cannot be compiled" >&2;}
+    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2:     check for missing prerequisite headers?" >&5
+$as_echo "$as_me: WARNING: $2:     check for missing prerequisite headers?" >&2;}
+    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: see the Autoconf documentation" >&5
+$as_echo "$as_me: WARNING: $2: see the Autoconf documentation" >&2;}
+    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2:     section \"Present But Cannot Be Compiled\"" >&5
+$as_echo "$as_me: WARNING: $2:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5
+$as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;}
+( $as_echo "## ------------------------------------------------------------------------------------------- ##
+## Report this to https://gitlab.isc.org/isc-projects/bind9/-/issues/new?issuable_template=Bug ##
+## ------------------------------------------------------------------------------------------- ##"
+     ) | sed "s/^/$as_me: WARNING:     /" >&2
+    ;;
+esac
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
+$as_echo_n "checking for $2... " >&6; }
+if eval \${$3+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  eval "$3=\$ac_header_compiler"
+fi
+eval ac_res=\$$3
+	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+fi
+  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
+
+} # ac_fn_c_check_header_mongrel
+
+# ac_fn_c_try_run LINENO
+# ----------------------
+# Try to link conftest.$ac_ext, and return whether this succeeded. Assumes
+# that executables *can* be run.
+ac_fn_c_try_run ()
+{
+  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+  if { { ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+  (eval "$ac_link") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } && { ac_try='./conftest$ac_exeext'
+  { { case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; }; then :
+  ac_retval=0
+else
+  $as_echo "$as_me: program exited with status $ac_status" >&5
+       $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+       ac_retval=$ac_status
+fi
+  rm -rf conftest.dSYM conftest_ipa8_conftest.oo
+  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
+  as_fn_set_status $ac_retval
+
+} # ac_fn_c_try_run
+
+# ac_fn_c_check_header_compile LINENO HEADER VAR INCLUDES
+# -------------------------------------------------------
+# Tests whether HEADER exists and can be compiled using the include files in
+# INCLUDES, setting the cache variable VAR accordingly.
+ac_fn_c_check_header_compile ()
+{
+  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
+$as_echo_n "checking for $2... " >&6; }
+if eval \${$3+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+$4
+#include <$2>
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  eval "$3=yes"
+else
+  eval "$3=no"
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+eval ac_res=\$$3
+	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
+
+} # ac_fn_c_check_header_compile
+
+# ac_fn_c_try_link LINENO
+# -----------------------
+# Try to link conftest.$ac_ext, and return whether this succeeded.
+ac_fn_c_try_link ()
+{
+  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+  rm -f conftest.$ac_objext conftest$ac_exeext
+  if { { ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+  (eval "$ac_link") 2>conftest.err
+  ac_status=$?
+  if test -s conftest.err; then
+    grep -v '^ *+' conftest.err >conftest.er1
+    cat conftest.er1 >&5
+    mv -f conftest.er1 conftest.err
+  fi
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 test -x conftest$ac_exeext
+       }; then :
+  ac_retval=0
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_retval=1
+fi
+  # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information
+  # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would
+  # interfere with the next link command; also delete a directory that is
+  # left behind by Apple's compiler.  We do this before executing the actions.
+  rm -rf conftest.dSYM conftest_ipa8_conftest.oo
+  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
+  as_fn_set_status $ac_retval
+
+} # ac_fn_c_try_link
+
+# ac_fn_c_check_func LINENO FUNC VAR
+# ----------------------------------
+# Tests whether FUNC exists, setting the cache variable VAR accordingly
+ac_fn_c_check_func ()
+{
+  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
+$as_echo_n "checking for $2... " >&6; }
+if eval \${$3+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+/* Define $2 to an innocuous variant, in case <limits.h> declares $2.
+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
+#define $2 innocuous_$2
+
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $2 (); below.
+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+    <limits.h> exists even on freestanding compilers.  */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef $2
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char $2 ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined __stub_$2 || defined __stub___$2
+choke me
+#endif
+
+int
+main ()
+{
+return $2 ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  eval "$3=yes"
+else
+  eval "$3=no"
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+fi
+eval ac_res=\$$3
+	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
+
+} # ac_fn_c_check_func
+
+# ac_fn_c_check_type LINENO TYPE VAR INCLUDES
+# -------------------------------------------
+# Tests whether TYPE exists after having included INCLUDES, setting cache
+# variable VAR accordingly.
+ac_fn_c_check_type ()
+{
+  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
+$as_echo_n "checking for $2... " >&6; }
+if eval \${$3+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  eval "$3=no"
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+$4
+int
+main ()
+{
+if (sizeof ($2))
+	 return 0;
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+$4
+int
+main ()
+{
+if (sizeof (($2)))
+	    return 0;
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+
+else
+  eval "$3=yes"
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+eval ac_res=\$$3
+	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
+
+} # ac_fn_c_check_type
+
+# ac_fn_c_check_decl LINENO SYMBOL VAR INCLUDES
+# ---------------------------------------------
+# Tests whether SYMBOL is declared in INCLUDES, setting cache variable VAR
+# accordingly.
+ac_fn_c_check_decl ()
+{
+  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+  as_decl_name=`echo $2|sed 's/ *(.*//'`
+  as_decl_use=`echo $2|sed -e 's/(/((/' -e 's/)/) 0&/' -e 's/,/) 0& (/g'`
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $as_decl_name is declared" >&5
+$as_echo_n "checking whether $as_decl_name is declared... " >&6; }
+if eval \${$3+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+$4
+int
+main ()
+{
+#ifndef $as_decl_name
+#ifdef __cplusplus
+  (void) $as_decl_use;
+#else
+  (void) $as_decl_name;
+#endif
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  eval "$3=yes"
+else
+  eval "$3=no"
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+eval ac_res=\$$3
+	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
+
+} # ac_fn_c_check_decl
+cat >config.log <<_ACEOF
+This file contains any messages produced by compilers while
+running configure, to aid debugging if configure makes a mistake.
+
+It was created by BIND $as_me 9.16, which was
+generated by GNU Autoconf 2.69.  Invocation command line was
+
+  $ $0 $@
+
+_ACEOF
+exec 5>>config.log
+{
+cat <<_ASUNAME
+## --------- ##
+## Platform. ##
+## --------- ##
+
+hostname = `(hostname || uname -n) 2>/dev/null | sed 1q`
+uname -m = `(uname -m) 2>/dev/null || echo unknown`
+uname -r = `(uname -r) 2>/dev/null || echo unknown`
+uname -s = `(uname -s) 2>/dev/null || echo unknown`
+uname -v = `(uname -v) 2>/dev/null || echo unknown`
+
+/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null || echo unknown`
+/bin/uname -X     = `(/bin/uname -X) 2>/dev/null     || echo unknown`
+
+/bin/arch              = `(/bin/arch) 2>/dev/null              || echo unknown`
+/usr/bin/arch -k       = `(/usr/bin/arch -k) 2>/dev/null       || echo unknown`
+/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null || echo unknown`
+/usr/bin/hostinfo      = `(/usr/bin/hostinfo) 2>/dev/null      || echo unknown`
+/bin/machine           = `(/bin/machine) 2>/dev/null           || echo unknown`
+/usr/bin/oslevel       = `(/usr/bin/oslevel) 2>/dev/null       || echo unknown`
+/bin/universe          = `(/bin/universe) 2>/dev/null          || echo unknown`
+
+_ASUNAME
+
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    $as_echo "PATH: $as_dir"
+  done
+IFS=$as_save_IFS
+
+} >&5
+
+cat >&5 <<_ACEOF
+
+
+## ----------- ##
+## Core tests. ##
+## ----------- ##
+
+_ACEOF
+
+
+# Keep a trace of the command line.
+# Strip out --no-create and --no-recursion so they do not pile up.
+# Strip out --silent because we don't want to record it for future runs.
+# Also quote any args containing shell meta-characters.
+# Make two passes to allow for proper duplicate-argument suppression.
+ac_configure_args=
+ac_configure_args0=
+ac_configure_args1=
+ac_must_keep_next=false
+for ac_pass in 1 2
+do
+  for ac_arg
+  do
+    case $ac_arg in
+    -no-create | --no-c* | -n | -no-recursion | --no-r*) continue ;;
+    -q | -quiet | --quiet | --quie | --qui | --qu | --q \
+    | -silent | --silent | --silen | --sile | --sil)
+      continue ;;
+    *\'*)
+      ac_arg=`$as_echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;;
+    esac
+    case $ac_pass in
+    1) as_fn_append ac_configure_args0 " '$ac_arg'" ;;
+    2)
+      as_fn_append ac_configure_args1 " '$ac_arg'"
+      if test $ac_must_keep_next = true; then
+	ac_must_keep_next=false # Got value, back to normal.
+      else
+	case $ac_arg in
+	  *=* | --config-cache | -C | -disable-* | --disable-* \
+	  | -enable-* | --enable-* | -gas | --g* | -nfp | --nf* \
+	  | -q | -quiet | --q* | -silent | --sil* | -v | -verb* \
+	  | -with-* | --with-* | -without-* | --without-* | --x)
+	    case "$ac_configure_args0 " in
+	      "$ac_configure_args1"*" '$ac_arg' "* ) continue ;;
+	    esac
+	    ;;
+	  -* ) ac_must_keep_next=true ;;
+	esac
+      fi
+      as_fn_append ac_configure_args " '$ac_arg'"
+      ;;
+    esac
+  done
+done
+{ ac_configure_args0=; unset ac_configure_args0;}
+{ ac_configure_args1=; unset ac_configure_args1;}
+
+# When interrupted or exit'd, cleanup temporary files, and complete
+# config.log.  We remove comments because anyway the quotes in there
+# would cause problems or look ugly.
+# WARNING: Use '\'' to represent an apostrophe within the trap.
+# WARNING: Do not start the trap code with a newline, due to a FreeBSD 4.0 bug.
+trap 'exit_status=$?
+  # Save into config.log some information that might help in debugging.
+  {
+    echo
+
+    $as_echo "## ---------------- ##
+## Cache variables. ##
+## ---------------- ##"
+    echo
+    # The following way of writing the cache mishandles newlines in values,
+(
+  for ac_var in `(set) 2>&1 | sed -n '\''s/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'\''`; do
+    eval ac_val=\$$ac_var
+    case $ac_val in #(
+    *${as_nl}*)
+      case $ac_var in #(
+      *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5
+$as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;;
+      esac
+      case $ac_var in #(
+      _ | IFS | as_nl) ;; #(
+      BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #(
+      *) { eval $ac_var=; unset $ac_var;} ;;
+      esac ;;
+    esac
+  done
+  (set) 2>&1 |
+    case $as_nl`(ac_space='\'' '\''; set) 2>&1` in #(
+    *${as_nl}ac_space=\ *)
+      sed -n \
+	"s/'\''/'\''\\\\'\'''\''/g;
+	  s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\''\\2'\''/p"
+      ;; #(
+    *)
+      sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p"
+      ;;
+    esac |
+    sort
+)
+    echo
+
+    $as_echo "## ----------------- ##
+## Output variables. ##
+## ----------------- ##"
+    echo
+    for ac_var in $ac_subst_vars
+    do
+      eval ac_val=\$$ac_var
+      case $ac_val in
+      *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
+      esac
+      $as_echo "$ac_var='\''$ac_val'\''"
+    done | sort
+    echo
+
+    if test -n "$ac_subst_files"; then
+      $as_echo "## ------------------- ##
+## File substitutions. ##
+## ------------------- ##"
+      echo
+      for ac_var in $ac_subst_files
+      do
+	eval ac_val=\$$ac_var
+	case $ac_val in
+	*\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
+	esac
+	$as_echo "$ac_var='\''$ac_val'\''"
+      done | sort
+      echo
+    fi
+
+    if test -s confdefs.h; then
+      $as_echo "## ----------- ##
+## confdefs.h. ##
+## ----------- ##"
+      echo
+      cat confdefs.h
+      echo
+    fi
+    test "$ac_signal" != 0 &&
+      $as_echo "$as_me: caught signal $ac_signal"
+    $as_echo "$as_me: exit $exit_status"
+  } >&5
+  rm -f core *.core core.conftest.* &&
+    rm -f -r conftest* confdefs* conf$$* $ac_clean_files &&
+    exit $exit_status
+' 0
+for ac_signal in 1 2 13 15; do
+  trap 'ac_signal='$ac_signal'; as_fn_exit 1' $ac_signal
+done
+ac_signal=0
+
+# confdefs.h avoids OS command line length limits that DEFS can exceed.
+rm -f -r conftest* confdefs.h
+
+$as_echo "/* confdefs.h */" > confdefs.h
+
+# Predefined preprocessor variables.
+
+cat >>confdefs.h <<_ACEOF
+#define PACKAGE_NAME "$PACKAGE_NAME"
+_ACEOF
+
+cat >>confdefs.h <<_ACEOF
+#define PACKAGE_TARNAME "$PACKAGE_TARNAME"
+_ACEOF
+
+cat >>confdefs.h <<_ACEOF
+#define PACKAGE_VERSION "$PACKAGE_VERSION"
+_ACEOF
+
+cat >>confdefs.h <<_ACEOF
+#define PACKAGE_STRING "$PACKAGE_STRING"
+_ACEOF
+
+cat >>confdefs.h <<_ACEOF
+#define PACKAGE_BUGREPORT "$PACKAGE_BUGREPORT"
+_ACEOF
+
+cat >>confdefs.h <<_ACEOF
+#define PACKAGE_URL "$PACKAGE_URL"
+_ACEOF
+
+
+# Let the site file select an alternate cache file if it wants to.
+# Prefer an explicitly selected file to automatically selected ones.
+ac_site_file1=NONE
+ac_site_file2=NONE
+if test -n "$CONFIG_SITE"; then
+  # We do not want a PATH search for config.site.
+  case $CONFIG_SITE in #((
+    -*)  ac_site_file1=./$CONFIG_SITE;;
+    */*) ac_site_file1=$CONFIG_SITE;;
+    *)   ac_site_file1=./$CONFIG_SITE;;
+  esac
+elif test "x$prefix" != xNONE; then
+  ac_site_file1=$prefix/share/config.site
+  ac_site_file2=$prefix/etc/config.site
+else
+  ac_site_file1=$ac_default_prefix/share/config.site
+  ac_site_file2=$ac_default_prefix/etc/config.site
+fi
+for ac_site_file in "$ac_site_file1" "$ac_site_file2"
+do
+  test "x$ac_site_file" = xNONE && continue
+  if test /dev/null != "$ac_site_file" && test -r "$ac_site_file"; then
+    { $as_echo "$as_me:${as_lineno-$LINENO}: loading site script $ac_site_file" >&5
+$as_echo "$as_me: loading site script $ac_site_file" >&6;}
+    sed 's/^/| /' "$ac_site_file" >&5
+    . "$ac_site_file" \
+      || { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "failed to load site script $ac_site_file
+See \`config.log' for more details" "$LINENO" 5; }
+  fi
+done
+
+if test -r "$cache_file"; then
+  # Some versions of bash will fail to source /dev/null (special files
+  # actually), so we avoid doing that.  DJGPP emulates it as a regular file.
+  if test /dev/null != "$cache_file" && test -f "$cache_file"; then
+    { $as_echo "$as_me:${as_lineno-$LINENO}: loading cache $cache_file" >&5
+$as_echo "$as_me: loading cache $cache_file" >&6;}
+    case $cache_file in
+      [\\/]* | ?:[\\/]* ) . "$cache_file";;
+      *)                      . "./$cache_file";;
+    esac
+  fi
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: creating cache $cache_file" >&5
+$as_echo "$as_me: creating cache $cache_file" >&6;}
+  >$cache_file
+fi
+
+# Check that the precious variables saved in the cache have kept the same
+# value.
+ac_cache_corrupted=false
+for ac_var in $ac_precious_vars; do
+  eval ac_old_set=\$ac_cv_env_${ac_var}_set
+  eval ac_new_set=\$ac_env_${ac_var}_set
+  eval ac_old_val=\$ac_cv_env_${ac_var}_value
+  eval ac_new_val=\$ac_env_${ac_var}_value
+  case $ac_old_set,$ac_new_set in
+    set,)
+      { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5
+$as_echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;}
+      ac_cache_corrupted=: ;;
+    ,set)
+      { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was not set in the previous run" >&5
+$as_echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;}
+      ac_cache_corrupted=: ;;
+    ,);;
+    *)
+      if test "x$ac_old_val" != "x$ac_new_val"; then
+	# differences in whitespace do not lead to failure.
+	ac_old_val_w=`echo x $ac_old_val`
+	ac_new_val_w=`echo x $ac_new_val`
+	if test "$ac_old_val_w" != "$ac_new_val_w"; then
+	  { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' has changed since the previous run:" >&5
+$as_echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;}
+	  ac_cache_corrupted=:
+	else
+	  { $as_echo "$as_me:${as_lineno-$LINENO}: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&5
+$as_echo "$as_me: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&2;}
+	  eval $ac_var=\$ac_old_val
+	fi
+	{ $as_echo "$as_me:${as_lineno-$LINENO}:   former value:  \`$ac_old_val'" >&5
+$as_echo "$as_me:   former value:  \`$ac_old_val'" >&2;}
+	{ $as_echo "$as_me:${as_lineno-$LINENO}:   current value: \`$ac_new_val'" >&5
+$as_echo "$as_me:   current value: \`$ac_new_val'" >&2;}
+      fi;;
+  esac
+  # Pass precious variables to config.status.
+  if test "$ac_new_set" = set; then
+    case $ac_new_val in
+    *\'*) ac_arg=$ac_var=`$as_echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;;
+    *) ac_arg=$ac_var=$ac_new_val ;;
+    esac
+    case " $ac_configure_args " in
+      *" '$ac_arg' "*) ;; # Avoid dups.  Use of quotes ensures accuracy.
+      *) as_fn_append ac_configure_args " '$ac_arg'" ;;
+    esac
+  fi
+done
+if $ac_cache_corrupted; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+  { $as_echo "$as_me:${as_lineno-$LINENO}: error: changes in the environment can compromise the build" >&5
+$as_echo "$as_me: error: changes in the environment can compromise the build" >&2;}
+  as_fn_error $? "run \`make distclean' and/or \`rm $cache_file' and start over" "$LINENO" 5
+fi
+## -------------------- ##
+## Main body of script. ##
+## -------------------- ##
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+
+
+
+#
+# Enable maintainer mode by default, but allow to disable it in the CI
+#
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to enable maintainer-specific portions of Makefiles" >&5
+$as_echo_n "checking whether to enable maintainer-specific portions of Makefiles... " >&6; }
+    # Check whether --enable-maintainer-mode was given.
+if test "${enable_maintainer_mode+set}" = set; then :
+  enableval=$enable_maintainer_mode; USE_MAINTAINER_MODE=$enableval
+else
+  USE_MAINTAINER_MODE=yes
+fi
+
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $USE_MAINTAINER_MODE" >&5
+$as_echo "$USE_MAINTAINER_MODE" >&6; }
+   if test $USE_MAINTAINER_MODE = yes; then
+  MAINTAINER_MODE_TRUE=
+  MAINTAINER_MODE_FALSE='#'
+else
+  MAINTAINER_MODE_TRUE='#'
+  MAINTAINER_MODE_FALSE=
+fi
+
+  MAINT=$MAINTAINER_MODE_TRUE
+
+
+
+ac_config_headers="$ac_config_headers config.h"
+
+
+
+ac_aux_dir=
+for ac_dir in "$srcdir" "$srcdir/.." "$srcdir/../.."; do
+  if test -f "$ac_dir/install-sh"; then
+    ac_aux_dir=$ac_dir
+    ac_install_sh="$ac_aux_dir/install-sh -c"
+    break
+  elif test -f "$ac_dir/install.sh"; then
+    ac_aux_dir=$ac_dir
+    ac_install_sh="$ac_aux_dir/install.sh -c"
+    break
+  elif test -f "$ac_dir/shtool"; then
+    ac_aux_dir=$ac_dir
+    ac_install_sh="$ac_aux_dir/shtool install -c"
+    break
+  fi
+done
+if test -z "$ac_aux_dir"; then
+  as_fn_error $? "cannot find install-sh, install.sh, or shtool in \"$srcdir\" \"$srcdir/..\" \"$srcdir/../..\"" "$LINENO" 5
+fi
+
+# These three variables are undocumented and unsupported,
+# and are intended to be withdrawn in a future Autoconf release.
+# They can cause serious problems if a builder's source tree is in a directory
+# whose full name contains unusual characters.
+ac_config_guess="$SHELL $ac_aux_dir/config.guess"  # Please don't use this var.
+ac_config_sub="$SHELL $ac_aux_dir/config.sub"  # Please don't use this var.
+ac_configure="$SHELL $ac_aux_dir/configure"  # Please don't use this var.
+
+
+# Make sure we can run config.sub.
+$SHELL "$ac_aux_dir/config.sub" sun4 >/dev/null 2>&1 ||
+  as_fn_error $? "cannot run $SHELL $ac_aux_dir/config.sub" "$LINENO" 5
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking build system type" >&5
+$as_echo_n "checking build system type... " >&6; }
+if ${ac_cv_build+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_build_alias=$build_alias
+test "x$ac_build_alias" = x &&
+  ac_build_alias=`$SHELL "$ac_aux_dir/config.guess"`
+test "x$ac_build_alias" = x &&
+  as_fn_error $? "cannot guess build type; you must specify one" "$LINENO" 5
+ac_cv_build=`$SHELL "$ac_aux_dir/config.sub" $ac_build_alias` ||
+  as_fn_error $? "$SHELL $ac_aux_dir/config.sub $ac_build_alias failed" "$LINENO" 5
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_build" >&5
+$as_echo "$ac_cv_build" >&6; }
+case $ac_cv_build in
+*-*-*) ;;
+*) as_fn_error $? "invalid value of canonical build" "$LINENO" 5;;
+esac
+build=$ac_cv_build
+ac_save_IFS=$IFS; IFS='-'
+set x $ac_cv_build
+shift
+build_cpu=$1
+build_vendor=$2
+shift; shift
+# Remember, the first character of IFS is used to create $*,
+# except with old shells:
+build_os=$*
+IFS=$ac_save_IFS
+case $build_os in *\ *) build_os=`echo "$build_os" | sed 's/ /-/g'`;; esac
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking host system type" >&5
+$as_echo_n "checking host system type... " >&6; }
+if ${ac_cv_host+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test "x$host_alias" = x; then
+  ac_cv_host=$ac_cv_build
+else
+  ac_cv_host=`$SHELL "$ac_aux_dir/config.sub" $host_alias` ||
+    as_fn_error $? "$SHELL $ac_aux_dir/config.sub $host_alias failed" "$LINENO" 5
+fi
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_host" >&5
+$as_echo "$ac_cv_host" >&6; }
+case $ac_cv_host in
+*-*-*) ;;
+*) as_fn_error $? "invalid value of canonical host" "$LINENO" 5;;
+esac
+host=$ac_cv_host
+ac_save_IFS=$IFS; IFS='-'
+set x $ac_cv_host
+shift
+host_cpu=$1
+host_vendor=$2
+shift; shift
+# Remember, the first character of IFS is used to create $*,
+# except with old shells:
+host_os=$*
+IFS=$ac_save_IFS
+case $host_os in *\ *) host_os=`echo "$host_os" | sed 's/ /-/g'`;; esac
+
+
+
+#
+# Enable system extensions to C and POSIX
+#
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args.
+set dummy ${ac_tool_prefix}gcc; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_CC+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$CC"; then
+  ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_CC="${ac_tool_prefix}gcc"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
+$as_echo "$CC" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_prog_CC"; then
+  ac_ct_CC=$CC
+  # Extract the first word of "gcc", so it can be a program name with args.
+set dummy gcc; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_ac_ct_CC+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$ac_ct_CC"; then
+  ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_ac_ct_CC="gcc"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_CC=$ac_cv_prog_ac_ct_CC
+if test -n "$ac_ct_CC"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5
+$as_echo "$ac_ct_CC" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+  if test "x$ac_ct_CC" = x; then
+    CC=""
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
+ac_tool_warned=yes ;;
+esac
+    CC=$ac_ct_CC
+  fi
+else
+  CC="$ac_cv_prog_CC"
+fi
+
+if test -z "$CC"; then
+          if test -n "$ac_tool_prefix"; then
+    # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args.
+set dummy ${ac_tool_prefix}cc; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_CC+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$CC"; then
+  ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_CC="${ac_tool_prefix}cc"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
+$as_echo "$CC" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+  fi
+fi
+if test -z "$CC"; then
+  # Extract the first word of "cc", so it can be a program name with args.
+set dummy cc; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_CC+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$CC"; then
+  ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+  ac_prog_rejected=no
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
+       ac_prog_rejected=yes
+       continue
+     fi
+    ac_cv_prog_CC="cc"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+if test $ac_prog_rejected = yes; then
+  # We found a bogon in the path, so make sure we never use it.
+  set dummy $ac_cv_prog_CC
+  shift
+  if test $# != 0; then
+    # We chose a different compiler from the bogus one.
+    # However, it has the same basename, so the bogon will be chosen
+    # first if we set CC to just the basename; use the full file name.
+    shift
+    ac_cv_prog_CC="$as_dir/$ac_word${1+' '}$@"
+  fi
+fi
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
+$as_echo "$CC" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+fi
+if test -z "$CC"; then
+  if test -n "$ac_tool_prefix"; then
+  for ac_prog in cl.exe
+  do
+    # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
+set dummy $ac_tool_prefix$ac_prog; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_CC+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$CC"; then
+  ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
+$as_echo "$CC" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+    test -n "$CC" && break
+  done
+fi
+if test -z "$CC"; then
+  ac_ct_CC=$CC
+  for ac_prog in cl.exe
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_ac_ct_CC+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$ac_ct_CC"; then
+  ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_ac_ct_CC="$ac_prog"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_CC=$ac_cv_prog_ac_ct_CC
+if test -n "$ac_ct_CC"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5
+$as_echo "$ac_ct_CC" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+  test -n "$ac_ct_CC" && break
+done
+
+  if test "x$ac_ct_CC" = x; then
+    CC=""
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
+ac_tool_warned=yes ;;
+esac
+    CC=$ac_ct_CC
+  fi
+fi
+
+fi
+
+
+test -z "$CC" && { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "no acceptable C compiler found in \$PATH
+See \`config.log' for more details" "$LINENO" 5; }
+
+# Provide some information about the compiler.
+$as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler version" >&5
+set X $ac_compile
+ac_compiler=$2
+for ac_option in --version -v -V -qversion; do
+  { { ac_try="$ac_compiler $ac_option >&5"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+  (eval "$ac_compiler $ac_option >&5") 2>conftest.err
+  ac_status=$?
+  if test -s conftest.err; then
+    sed '10a\
+... rest of stderr output deleted ...
+         10q' conftest.err >conftest.er1
+    cat conftest.er1 >&5
+  fi
+  rm -f conftest.er1 conftest.err
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+done
+
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+ac_clean_files_save=$ac_clean_files
+ac_clean_files="$ac_clean_files a.out a.out.dSYM a.exe b.out"
+# Try to create an executable without -o first, disregard a.out.
+# It will help us diagnose broken compilers, and finding out an intuition
+# of exeext.
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the C compiler works" >&5
+$as_echo_n "checking whether the C compiler works... " >&6; }
+ac_link_default=`$as_echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'`
+
+# The possible output files:
+ac_files="a.out conftest.exe conftest a.exe a_out.exe b.out conftest.*"
+
+ac_rmfiles=
+for ac_file in $ac_files
+do
+  case $ac_file in
+    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;;
+    * ) ac_rmfiles="$ac_rmfiles $ac_file";;
+  esac
+done
+rm -f $ac_rmfiles
+
+if { { ac_try="$ac_link_default"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+  (eval "$ac_link_default") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then :
+  # Autoconf-2.13 could set the ac_cv_exeext variable to `no'.
+# So ignore a value of `no', otherwise this would lead to `EXEEXT = no'
+# in a Makefile.  We should not override ac_cv_exeext if it was cached,
+# so that the user can short-circuit this test for compilers unknown to
+# Autoconf.
+for ac_file in $ac_files ''
+do
+  test -f "$ac_file" || continue
+  case $ac_file in
+    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj )
+	;;
+    [ab].out )
+	# We found the default executable, but exeext='' is most
+	# certainly right.
+	break;;
+    *.* )
+	if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no;
+	then :; else
+	   ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
+	fi
+	# We set ac_cv_exeext here because the later test for it is not
+	# safe: cross compilers may not add the suffix if given an `-o'
+	# argument, so we may need to know it at that point already.
+	# Even if this section looks crufty: it has the advantage of
+	# actually working.
+	break;;
+    * )
+	break;;
+  esac
+done
+test "$ac_cv_exeext" = no && ac_cv_exeext=
+
+else
+  ac_file=''
+fi
+if test -z "$ac_file"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+$as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error 77 "C compiler cannot create executables
+See \`config.log' for more details" "$LINENO" 5; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler default output file name" >&5
+$as_echo_n "checking for C compiler default output file name... " >&6; }
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_file" >&5
+$as_echo "$ac_file" >&6; }
+ac_exeext=$ac_cv_exeext
+
+rm -f -r a.out a.out.dSYM a.exe conftest$ac_cv_exeext b.out
+ac_clean_files=$ac_clean_files_save
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of executables" >&5
+$as_echo_n "checking for suffix of executables... " >&6; }
+if { { ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+  (eval "$ac_link") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then :
+  # If both `conftest.exe' and `conftest' are `present' (well, observable)
+# catch `conftest.exe'.  For instance with Cygwin, `ls conftest' will
+# work properly (i.e., refer to `conftest.exe'), while it won't with
+# `rm'.
+for ac_file in conftest.exe conftest conftest.*; do
+  test -f "$ac_file" || continue
+  case $ac_file in
+    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;;
+    *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
+	  break;;
+    * ) break;;
+  esac
+done
+else
+  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "cannot compute suffix of executables: cannot compile and link
+See \`config.log' for more details" "$LINENO" 5; }
+fi
+rm -f conftest conftest$ac_cv_exeext
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_exeext" >&5
+$as_echo "$ac_cv_exeext" >&6; }
+
+rm -f conftest.$ac_ext
+EXEEXT=$ac_cv_exeext
+ac_exeext=$EXEEXT
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <stdio.h>
+int
+main ()
+{
+FILE *f = fopen ("conftest.out", "w");
+ return ferror (f) || fclose (f) != 0;
+
+  ;
+  return 0;
+}
+_ACEOF
+ac_clean_files="$ac_clean_files conftest.out"
+# Check that the compiler produces executables we can run.  If not, either
+# the compiler is broken, or we cross compile.
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are cross compiling" >&5
+$as_echo_n "checking whether we are cross compiling... " >&6; }
+if test "$cross_compiling" != yes; then
+  { { ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+  (eval "$ac_link") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+  if { ac_try='./conftest$ac_cv_exeext'
+  { { case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; }; then
+    cross_compiling=no
+  else
+    if test "$cross_compiling" = maybe; then
+	cross_compiling=yes
+    else
+	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "cannot run C compiled programs.
+If you meant to cross compile, use \`--host'.
+See \`config.log' for more details" "$LINENO" 5; }
+    fi
+  fi
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $cross_compiling" >&5
+$as_echo "$cross_compiling" >&6; }
+
+rm -f conftest.$ac_ext conftest$ac_cv_exeext conftest.out
+ac_clean_files=$ac_clean_files_save
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of object files" >&5
+$as_echo_n "checking for suffix of object files... " >&6; }
+if ${ac_cv_objext+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.o conftest.obj
+if { { ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+  (eval "$ac_compile") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then :
+  for ac_file in conftest.o conftest.obj conftest.*; do
+  test -f "$ac_file" || continue;
+  case $ac_file in
+    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM ) ;;
+    *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'`
+       break;;
+  esac
+done
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "cannot compute suffix of object files: cannot compile
+See \`config.log' for more details" "$LINENO" 5; }
+fi
+rm -f conftest.$ac_cv_objext conftest.$ac_ext
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_objext" >&5
+$as_echo "$ac_cv_objext" >&6; }
+OBJEXT=$ac_cv_objext
+ac_objext=$OBJEXT
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using the GNU C compiler" >&5
+$as_echo_n "checking whether we are using the GNU C compiler... " >&6; }
+if ${ac_cv_c_compiler_gnu+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+#ifndef __GNUC__
+       choke me
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  ac_compiler_gnu=yes
+else
+  ac_compiler_gnu=no
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ac_cv_c_compiler_gnu=$ac_compiler_gnu
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_compiler_gnu" >&5
+$as_echo "$ac_cv_c_compiler_gnu" >&6; }
+if test $ac_compiler_gnu = yes; then
+  GCC=yes
+else
+  GCC=
+fi
+ac_test_CFLAGS=${CFLAGS+set}
+ac_save_CFLAGS=$CFLAGS
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -g" >&5
+$as_echo_n "checking whether $CC accepts -g... " >&6; }
+if ${ac_cv_prog_cc_g+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_save_c_werror_flag=$ac_c_werror_flag
+   ac_c_werror_flag=yes
+   ac_cv_prog_cc_g=no
+   CFLAGS="-g"
+   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  ac_cv_prog_cc_g=yes
+else
+  CFLAGS=""
+      cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+
+else
+  ac_c_werror_flag=$ac_save_c_werror_flag
+	 CFLAGS="-g"
+	 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  ac_cv_prog_cc_g=yes
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+   ac_c_werror_flag=$ac_save_c_werror_flag
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_g" >&5
+$as_echo "$ac_cv_prog_cc_g" >&6; }
+if test "$ac_test_CFLAGS" = set; then
+  CFLAGS=$ac_save_CFLAGS
+elif test $ac_cv_prog_cc_g = yes; then
+  if test "$GCC" = yes; then
+    CFLAGS="-g -O2"
+  else
+    CFLAGS="-g"
+  fi
+else
+  if test "$GCC" = yes; then
+    CFLAGS="-O2"
+  else
+    CFLAGS=
+  fi
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $CC option to accept ISO C89" >&5
+$as_echo_n "checking for $CC option to accept ISO C89... " >&6; }
+if ${ac_cv_prog_cc_c89+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_cv_prog_cc_c89=no
+ac_save_CC=$CC
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <stdarg.h>
+#include <stdio.h>
+struct stat;
+/* Most of the following tests are stolen from RCS 5.7's src/conf.sh.  */
+struct buf { int x; };
+FILE * (*rcsopen) (struct buf *, struct stat *, int);
+static char *e (p, i)
+     char **p;
+     int i;
+{
+  return p[i];
+}
+static char *f (char * (*g) (char **, int), char **p, ...)
+{
+  char *s;
+  va_list v;
+  va_start (v,p);
+  s = g (p, va_arg (v,int));
+  va_end (v);
+  return s;
+}
+
+/* OSF 4.0 Compaq cc is some sort of almost-ANSI by default.  It has
+   function prototypes and stuff, but not '\xHH' hex character constants.
+   These don't provoke an error unfortunately, instead are silently treated
+   as 'x'.  The following induces an error, until -std is added to get
+   proper ANSI mode.  Curiously '\x00'!='x' always comes out true, for an
+   array size at least.  It's necessary to write '\x00'==0 to get something
+   that's true only with -std.  */
+int osf4_cc_array ['\x00' == 0 ? 1 : -1];
+
+/* IBM C 6 for AIX is almost-ANSI by default, but it replaces macro parameters
+   inside strings and character constants.  */
+#define FOO(x) 'x'
+int xlc6_cc_array[FOO(a) == 'x' ? 1 : -1];
+
+int test (int i, double x);
+struct s1 {int (*f) (int a);};
+struct s2 {int (*f) (double a);};
+int pairnames (int, char **, FILE *(*)(struct buf *, struct stat *, int), int, int);
+int argc;
+char **argv;
+int
+main ()
+{
+return f (e, argv, 0) != argv[0]  ||  f (e, argv, 1) != argv[1];
+  ;
+  return 0;
+}
+_ACEOF
+for ac_arg in '' -qlanglvl=extc89 -qlanglvl=ansi -std \
+	-Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__"
+do
+  CC="$ac_save_CC $ac_arg"
+  if ac_fn_c_try_compile "$LINENO"; then :
+  ac_cv_prog_cc_c89=$ac_arg
+fi
+rm -f core conftest.err conftest.$ac_objext
+  test "x$ac_cv_prog_cc_c89" != "xno" && break
+done
+rm -f conftest.$ac_ext
+CC=$ac_save_CC
+
+fi
+# AC_CACHE_VAL
+case "x$ac_cv_prog_cc_c89" in
+  x)
+    { $as_echo "$as_me:${as_lineno-$LINENO}: result: none needed" >&5
+$as_echo "none needed" >&6; } ;;
+  xno)
+    { $as_echo "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5
+$as_echo "unsupported" >&6; } ;;
+  *)
+    CC="$CC $ac_cv_prog_cc_c89"
+    { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c89" >&5
+$as_echo "$ac_cv_prog_cc_c89" >&6; } ;;
+esac
+if test "x$ac_cv_prog_cc_c89" != xno; then :
+
+fi
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to run the C preprocessor" >&5
+$as_echo_n "checking how to run the C preprocessor... " >&6; }
+# On Suns, sometimes $CPP names a directory.
+if test -n "$CPP" && test -d "$CPP"; then
+  CPP=
+fi
+if test -z "$CPP"; then
+  if ${ac_cv_prog_CPP+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+      # Double quotes because CPP needs to be expanded
+    for CPP in "$CC -E" "$CC -E -traditional-cpp" "/lib/cpp"
+    do
+      ac_preproc_ok=false
+for ac_c_preproc_warn_flag in '' yes
+do
+  # Use a header file that comes with gcc, so configuring glibc
+  # with a fresh cross-compiler works.
+  # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+  # <limits.h> exists even on freestanding compilers.
+  # On the NeXT, cc -E runs the code through the compiler's parser,
+  # not just through cpp. "Syntax error" is here to catch this case.
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+		     Syntax error
+_ACEOF
+if ac_fn_c_try_cpp "$LINENO"; then :
+
+else
+  # Broken: fails on valid input.
+continue
+fi
+rm -f conftest.err conftest.i conftest.$ac_ext
+
+  # OK, works on sane cases.  Now check whether nonexistent headers
+  # can be detected and how.
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <ac_nonexistent.h>
+_ACEOF
+if ac_fn_c_try_cpp "$LINENO"; then :
+  # Broken: success on invalid input.
+continue
+else
+  # Passes both tests.
+ac_preproc_ok=:
+break
+fi
+rm -f conftest.err conftest.i conftest.$ac_ext
+
+done
+# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
+rm -f conftest.i conftest.err conftest.$ac_ext
+if $ac_preproc_ok; then :
+  break
+fi
+
+    done
+    ac_cv_prog_CPP=$CPP
+
+fi
+  CPP=$ac_cv_prog_CPP
+else
+  ac_cv_prog_CPP=$CPP
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $CPP" >&5
+$as_echo "$CPP" >&6; }
+ac_preproc_ok=false
+for ac_c_preproc_warn_flag in '' yes
+do
+  # Use a header file that comes with gcc, so configuring glibc
+  # with a fresh cross-compiler works.
+  # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+  # <limits.h> exists even on freestanding compilers.
+  # On the NeXT, cc -E runs the code through the compiler's parser,
+  # not just through cpp. "Syntax error" is here to catch this case.
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+		     Syntax error
+_ACEOF
+if ac_fn_c_try_cpp "$LINENO"; then :
+
+else
+  # Broken: fails on valid input.
+continue
+fi
+rm -f conftest.err conftest.i conftest.$ac_ext
+
+  # OK, works on sane cases.  Now check whether nonexistent headers
+  # can be detected and how.
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <ac_nonexistent.h>
+_ACEOF
+if ac_fn_c_try_cpp "$LINENO"; then :
+  # Broken: success on invalid input.
+continue
+else
+  # Passes both tests.
+ac_preproc_ok=:
+break
+fi
+rm -f conftest.err conftest.i conftest.$ac_ext
+
+done
+# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
+rm -f conftest.i conftest.err conftest.$ac_ext
+if $ac_preproc_ok; then :
+
+else
+  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "C preprocessor \"$CPP\" fails sanity check
+See \`config.log' for more details" "$LINENO" 5; }
+fi
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for grep that handles long lines and -e" >&5
+$as_echo_n "checking for grep that handles long lines and -e... " >&6; }
+if ${ac_cv_path_GREP+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -z "$GREP"; then
+  ac_path_GREP_found=false
+  # Loop through the user's path and test for each of PROGNAME-LIST
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_prog in grep ggrep; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
+      ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext"
+      as_fn_executable_p "$ac_path_GREP" || continue
+# Check for GNU ac_path_GREP and select it if it is found.
+  # Check for GNU $ac_path_GREP
+case `"$ac_path_GREP" --version 2>&1` in
+*GNU*)
+  ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_found=:;;
+*)
+  ac_count=0
+  $as_echo_n 0123456789 >"conftest.in"
+  while :
+  do
+    cat "conftest.in" "conftest.in" >"conftest.tmp"
+    mv "conftest.tmp" "conftest.in"
+    cp "conftest.in" "conftest.nl"
+    $as_echo 'GREP' >> "conftest.nl"
+    "$ac_path_GREP" -e 'GREP$' -e '-(cannot match)-' < "conftest.nl" >"conftest.out" 2>/dev/null || break
+    diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
+    as_fn_arith $ac_count + 1 && ac_count=$as_val
+    if test $ac_count -gt ${ac_path_GREP_max-0}; then
+      # Best one so far, save it but keep looking for a better one
+      ac_cv_path_GREP="$ac_path_GREP"
+      ac_path_GREP_max=$ac_count
+    fi
+    # 10*(2^10) chars as input seems more than enough
+    test $ac_count -gt 10 && break
+  done
+  rm -f conftest.in conftest.tmp conftest.nl conftest.out;;
+esac
+
+      $ac_path_GREP_found && break 3
+    done
+  done
+  done
+IFS=$as_save_IFS
+  if test -z "$ac_cv_path_GREP"; then
+    as_fn_error $? "no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5
+  fi
+else
+  ac_cv_path_GREP=$GREP
+fi
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_GREP" >&5
+$as_echo "$ac_cv_path_GREP" >&6; }
+ GREP="$ac_cv_path_GREP"
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for egrep" >&5
+$as_echo_n "checking for egrep... " >&6; }
+if ${ac_cv_path_EGREP+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if echo a | $GREP -E '(a|b)' >/dev/null 2>&1
+   then ac_cv_path_EGREP="$GREP -E"
+   else
+     if test -z "$EGREP"; then
+  ac_path_EGREP_found=false
+  # Loop through the user's path and test for each of PROGNAME-LIST
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_prog in egrep; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
+      ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext"
+      as_fn_executable_p "$ac_path_EGREP" || continue
+# Check for GNU ac_path_EGREP and select it if it is found.
+  # Check for GNU $ac_path_EGREP
+case `"$ac_path_EGREP" --version 2>&1` in
+*GNU*)
+  ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_found=:;;
+*)
+  ac_count=0
+  $as_echo_n 0123456789 >"conftest.in"
+  while :
+  do
+    cat "conftest.in" "conftest.in" >"conftest.tmp"
+    mv "conftest.tmp" "conftest.in"
+    cp "conftest.in" "conftest.nl"
+    $as_echo 'EGREP' >> "conftest.nl"
+    "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break
+    diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
+    as_fn_arith $ac_count + 1 && ac_count=$as_val
+    if test $ac_count -gt ${ac_path_EGREP_max-0}; then
+      # Best one so far, save it but keep looking for a better one
+      ac_cv_path_EGREP="$ac_path_EGREP"
+      ac_path_EGREP_max=$ac_count
+    fi
+    # 10*(2^10) chars as input seems more than enough
+    test $ac_count -gt 10 && break
+  done
+  rm -f conftest.in conftest.tmp conftest.nl conftest.out;;
+esac
+
+      $ac_path_EGREP_found && break 3
+    done
+  done
+  done
+IFS=$as_save_IFS
+  if test -z "$ac_cv_path_EGREP"; then
+    as_fn_error $? "no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5
+  fi
+else
+  ac_cv_path_EGREP=$EGREP
+fi
+
+   fi
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_EGREP" >&5
+$as_echo "$ac_cv_path_EGREP" >&6; }
+ EGREP="$ac_cv_path_EGREP"
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ANSI C header files" >&5
+$as_echo_n "checking for ANSI C header files... " >&6; }
+if ${ac_cv_header_stdc+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include <float.h>
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  ac_cv_header_stdc=yes
+else
+  ac_cv_header_stdc=no
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
+if test $ac_cv_header_stdc = yes; then
+  # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <string.h>
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  $EGREP "memchr" >/dev/null 2>&1; then :
+
+else
+  ac_cv_header_stdc=no
+fi
+rm -f conftest*
+
+fi
+
+if test $ac_cv_header_stdc = yes; then
+  # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <stdlib.h>
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  $EGREP "free" >/dev/null 2>&1; then :
+
+else
+  ac_cv_header_stdc=no
+fi
+rm -f conftest*
+
+fi
+
+if test $ac_cv_header_stdc = yes; then
+  # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi.
+  if test "$cross_compiling" = yes; then :
+  :
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <ctype.h>
+#include <stdlib.h>
+#if ((' ' & 0x0FF) == 0x020)
+# define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
+# define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
+#else
+# define ISLOWER(c) \
+		   (('a' <= (c) && (c) <= 'i') \
+		     || ('j' <= (c) && (c) <= 'r') \
+		     || ('s' <= (c) && (c) <= 'z'))
+# define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c))
+#endif
+
+#define XOR(e, f) (((e) && !(f)) || (!(e) && (f)))
+int
+main ()
+{
+  int i;
+  for (i = 0; i < 256; i++)
+    if (XOR (islower (i), ISLOWER (i))
+	|| toupper (i) != TOUPPER (i))
+      return 2;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_run "$LINENO"; then :
+
+else
+  ac_cv_header_stdc=no
+fi
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+  conftest.$ac_objext conftest.beam conftest.$ac_ext
+fi
+
+fi
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdc" >&5
+$as_echo "$ac_cv_header_stdc" >&6; }
+if test $ac_cv_header_stdc = yes; then
+
+$as_echo "#define STDC_HEADERS 1" >>confdefs.h
+
+fi
+
+# On IRIX 5.3, sys/types and inttypes.h are conflicting.
+for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \
+		  inttypes.h stdint.h unistd.h
+do :
+  as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default
+"
+if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+
+done
+
+
+
+  ac_fn_c_check_header_mongrel "$LINENO" "minix/config.h" "ac_cv_header_minix_config_h" "$ac_includes_default"
+if test "x$ac_cv_header_minix_config_h" = xyes; then :
+  MINIX=yes
+else
+  MINIX=
+fi
+
+
+  if test "$MINIX" = yes; then
+
+$as_echo "#define _POSIX_SOURCE 1" >>confdefs.h
+
+
+$as_echo "#define _POSIX_1_SOURCE 2" >>confdefs.h
+
+
+$as_echo "#define _MINIX 1" >>confdefs.h
+
+  fi
+
+
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether it is safe to define __EXTENSIONS__" >&5
+$as_echo_n "checking whether it is safe to define __EXTENSIONS__... " >&6; }
+if ${ac_cv_safe_to_define___extensions__+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+#         define __EXTENSIONS__ 1
+          $ac_includes_default
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  ac_cv_safe_to_define___extensions__=yes
+else
+  ac_cv_safe_to_define___extensions__=no
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_safe_to_define___extensions__" >&5
+$as_echo "$ac_cv_safe_to_define___extensions__" >&6; }
+  test $ac_cv_safe_to_define___extensions__ = yes &&
+    $as_echo "#define __EXTENSIONS__ 1" >>confdefs.h
+
+  $as_echo "#define _ALL_SOURCE 1" >>confdefs.h
+
+  $as_echo "#define _GNU_SOURCE 1" >>confdefs.h
+
+  $as_echo "#define _POSIX_PTHREAD_SEMANTICS 1" >>confdefs.h
+
+  $as_echo "#define _TANDEM_SOURCE 1" >>confdefs.h
+
+
+
+#
+# Enable large file support
+#
+# Check whether --enable-largefile was given.
+if test "${enable_largefile+set}" = set; then :
+  enableval=$enable_largefile;
+fi
+
+if test "$enable_largefile" != no; then
+
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for special C compiler options needed for large files" >&5
+$as_echo_n "checking for special C compiler options needed for large files... " >&6; }
+if ${ac_cv_sys_largefile_CC+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_cv_sys_largefile_CC=no
+     if test "$GCC" != yes; then
+       ac_save_CC=$CC
+       while :; do
+	 # IRIX 6.2 and later do not support large files by default,
+	 # so use the C compiler's -n32 option if that helps.
+	 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <sys/types.h>
+ /* Check that off_t can represent 2**63 - 1 correctly.
+    We can't simply define LARGE_OFF_T to be 9223372036854775807,
+    since some C++ compilers masquerading as C compilers
+    incorrectly reject 9223372036854775807.  */
+#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
+  int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
+		       && LARGE_OFF_T % 2147483647 == 1)
+		      ? 1 : -1];
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+	 if ac_fn_c_try_compile "$LINENO"; then :
+  break
+fi
+rm -f core conftest.err conftest.$ac_objext
+	 CC="$CC -n32"
+	 if ac_fn_c_try_compile "$LINENO"; then :
+  ac_cv_sys_largefile_CC=' -n32'; break
+fi
+rm -f core conftest.err conftest.$ac_objext
+	 break
+       done
+       CC=$ac_save_CC
+       rm -f conftest.$ac_ext
+    fi
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sys_largefile_CC" >&5
+$as_echo "$ac_cv_sys_largefile_CC" >&6; }
+  if test "$ac_cv_sys_largefile_CC" != no; then
+    CC=$CC$ac_cv_sys_largefile_CC
+  fi
+
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for _FILE_OFFSET_BITS value needed for large files" >&5
+$as_echo_n "checking for _FILE_OFFSET_BITS value needed for large files... " >&6; }
+if ${ac_cv_sys_file_offset_bits+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  while :; do
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <sys/types.h>
+ /* Check that off_t can represent 2**63 - 1 correctly.
+    We can't simply define LARGE_OFF_T to be 9223372036854775807,
+    since some C++ compilers masquerading as C compilers
+    incorrectly reject 9223372036854775807.  */
+#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
+  int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
+		       && LARGE_OFF_T % 2147483647 == 1)
+		      ? 1 : -1];
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  ac_cv_sys_file_offset_bits=no; break
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#define _FILE_OFFSET_BITS 64
+#include <sys/types.h>
+ /* Check that off_t can represent 2**63 - 1 correctly.
+    We can't simply define LARGE_OFF_T to be 9223372036854775807,
+    since some C++ compilers masquerading as C compilers
+    incorrectly reject 9223372036854775807.  */
+#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
+  int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
+		       && LARGE_OFF_T % 2147483647 == 1)
+		      ? 1 : -1];
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  ac_cv_sys_file_offset_bits=64; break
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+  ac_cv_sys_file_offset_bits=unknown
+  break
+done
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sys_file_offset_bits" >&5
+$as_echo "$ac_cv_sys_file_offset_bits" >&6; }
+case $ac_cv_sys_file_offset_bits in #(
+  no | unknown) ;;
+  *)
+cat >>confdefs.h <<_ACEOF
+#define _FILE_OFFSET_BITS $ac_cv_sys_file_offset_bits
+_ACEOF
+;;
+esac
+rm -rf conftest*
+  if test $ac_cv_sys_file_offset_bits = unknown; then
+    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for _LARGE_FILES value needed for large files" >&5
+$as_echo_n "checking for _LARGE_FILES value needed for large files... " >&6; }
+if ${ac_cv_sys_large_files+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  while :; do
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <sys/types.h>
+ /* Check that off_t can represent 2**63 - 1 correctly.
+    We can't simply define LARGE_OFF_T to be 9223372036854775807,
+    since some C++ compilers masquerading as C compilers
+    incorrectly reject 9223372036854775807.  */
+#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
+  int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
+		       && LARGE_OFF_T % 2147483647 == 1)
+		      ? 1 : -1];
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  ac_cv_sys_large_files=no; break
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#define _LARGE_FILES 1
+#include <sys/types.h>
+ /* Check that off_t can represent 2**63 - 1 correctly.
+    We can't simply define LARGE_OFF_T to be 9223372036854775807,
+    since some C++ compilers masquerading as C compilers
+    incorrectly reject 9223372036854775807.  */
+#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
+  int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
+		       && LARGE_OFF_T % 2147483647 == 1)
+		      ? 1 : -1];
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  ac_cv_sys_large_files=1; break
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+  ac_cv_sys_large_files=unknown
+  break
+done
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sys_large_files" >&5
+$as_echo "$ac_cv_sys_large_files" >&6; }
+case $ac_cv_sys_large_files in #(
+  no | unknown) ;;
+  *)
+cat >>confdefs.h <<_ACEOF
+#define _LARGE_FILES $ac_cv_sys_large_files
+_ACEOF
+;;
+esac
+rm -rf conftest*
+  fi
+
+
+fi
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for _LARGEFILE_SOURCE value needed for large files" >&5
+$as_echo_n "checking for _LARGEFILE_SOURCE value needed for large files... " >&6; }
+if ${ac_cv_sys_largefile_source+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  while :; do
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <sys/types.h> /* for off_t */
+     #include <stdio.h>
+int
+main ()
+{
+int (*fp) (FILE *, off_t, int) = fseeko;
+     return fseeko (stdin, 0, 0) && fp (stdin, 0, 0);
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_sys_largefile_source=no; break
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#define _LARGEFILE_SOURCE 1
+#include <sys/types.h> /* for off_t */
+     #include <stdio.h>
+int
+main ()
+{
+int (*fp) (FILE *, off_t, int) = fseeko;
+     return fseeko (stdin, 0, 0) && fp (stdin, 0, 0);
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_sys_largefile_source=1; break
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+  ac_cv_sys_largefile_source=unknown
+  break
+done
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sys_largefile_source" >&5
+$as_echo "$ac_cv_sys_largefile_source" >&6; }
+case $ac_cv_sys_largefile_source in #(
+  no | unknown) ;;
+  *)
+cat >>confdefs.h <<_ACEOF
+#define _LARGEFILE_SOURCE $ac_cv_sys_largefile_source
+_ACEOF
+;;
+esac
+rm -rf conftest*
+
+# We used to try defining _XOPEN_SOURCE=500 too, to work around a bug
+# in glibc 2.1.3, but that breaks too many other things.
+# If you want fseeko and ftello with glibc, upgrade to a fixed glibc.
+if test $ac_cv_sys_largefile_source != unknown; then
+
+$as_echo "#define HAVE_FSEEKO 1" >>confdefs.h
+
+fi
+
+
+LFS_CFLAGS=`getconf LFS_CFLAGS 2>/dev/null`
+LFS_LDFLAGS=`getconf LFS_LDFLAGS 2>/dev/null`
+LFS_LIBS=`getconf LFS_LIBS 2>/dev/null`
+
+
+
+
+
+# Enable RFC 3542 APIs on macOS
+
+$as_echo "#define __APPLE_USE_RFC_3542 1" >>confdefs.h
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ${MAKE-make} sets \$(MAKE)" >&5
+$as_echo_n "checking whether ${MAKE-make} sets \$(MAKE)... " >&6; }
+set x ${MAKE-make}
+ac_make=`$as_echo "$2" | sed 's/+/p/g; s/[^a-zA-Z0-9_]/_/g'`
+if eval \${ac_cv_prog_make_${ac_make}_set+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  cat >conftest.make <<\_ACEOF
+SHELL = /bin/sh
+all:
+	@echo '@@@%%%=$(MAKE)=@@@%%%'
+_ACEOF
+# GNU make sometimes prints "make[1]: Entering ...", which would confuse us.
+case `${MAKE-make} -f conftest.make 2>/dev/null` in
+  *@@@%%%=?*=@@@%%%*)
+    eval ac_cv_prog_make_${ac_make}_set=yes;;
+  *)
+    eval ac_cv_prog_make_${ac_make}_set=no;;
+esac
+rm -f conftest.make
+fi
+if eval test \$ac_cv_prog_make_${ac_make}_set = yes; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+  SET_MAKE=
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+  SET_MAKE="MAKE=${MAKE-make}"
+fi
+
+
+case `pwd` in
+  *\ * | *\	*)
+    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Libtool does not cope well with whitespace in \`pwd\`" >&5
+$as_echo "$as_me: WARNING: Libtool does not cope well with whitespace in \`pwd\`" >&2;} ;;
+esac
+
+
+
+macro_version='2.4.6'
+macro_revision='2.4.6'
+
+
+
+
+
+
+
+
+
+
+
+
+
+ltmain=$ac_aux_dir/ltmain.sh
+
+# Backslashify metacharacters that are still active within
+# double-quoted strings.
+sed_quote_subst='s/\(["`$\\]\)/\\\1/g'
+
+# Same as above, but do not quote variable references.
+double_quote_subst='s/\(["`\\]\)/\\\1/g'
+
+# Sed substitution to delay expansion of an escaped shell variable in a
+# double_quote_subst'ed string.
+delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g'
+
+# Sed substitution to delay expansion of an escaped single quote.
+delay_single_quote_subst='s/'\''/'\'\\\\\\\'\''/g'
+
+# Sed substitution to avoid accidental globbing in evaled expressions
+no_glob_subst='s/\*/\\\*/g'
+
+ECHO='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
+ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO
+ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO$ECHO
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to print strings" >&5
+$as_echo_n "checking how to print strings... " >&6; }
+# Test print first, because it will be a builtin if present.
+if test "X`( print -r -- -n ) 2>/dev/null`" = X-n && \
+   test "X`print -r -- $ECHO 2>/dev/null`" = "X$ECHO"; then
+  ECHO='print -r --'
+elif test "X`printf %s $ECHO 2>/dev/null`" = "X$ECHO"; then
+  ECHO='printf %s\n'
+else
+  # Use this function as a fallback that always works.
+  func_fallback_echo ()
+  {
+    eval 'cat <<_LTECHO_EOF
+$1
+_LTECHO_EOF'
+  }
+  ECHO='func_fallback_echo'
+fi
+
+# func_echo_all arg...
+# Invoke $ECHO with all args, space-separated.
+func_echo_all ()
+{
+    $ECHO ""
+}
+
+case $ECHO in
+  printf*) { $as_echo "$as_me:${as_lineno-$LINENO}: result: printf" >&5
+$as_echo "printf" >&6; } ;;
+  print*) { $as_echo "$as_me:${as_lineno-$LINENO}: result: print -r" >&5
+$as_echo "print -r" >&6; } ;;
+  *) { $as_echo "$as_me:${as_lineno-$LINENO}: result: cat" >&5
+$as_echo "cat" >&6; } ;;
+esac
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for a sed that does not truncate output" >&5
+$as_echo_n "checking for a sed that does not truncate output... " >&6; }
+if ${ac_cv_path_SED+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+            ac_script=s/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/
+     for ac_i in 1 2 3 4 5 6 7; do
+       ac_script="$ac_script$as_nl$ac_script"
+     done
+     echo "$ac_script" 2>/dev/null | sed 99q >conftest.sed
+     { ac_script=; unset ac_script;}
+     if test -z "$SED"; then
+  ac_path_SED_found=false
+  # Loop through the user's path and test for each of PROGNAME-LIST
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_prog in sed gsed; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
+      ac_path_SED="$as_dir/$ac_prog$ac_exec_ext"
+      as_fn_executable_p "$ac_path_SED" || continue
+# Check for GNU ac_path_SED and select it if it is found.
+  # Check for GNU $ac_path_SED
+case `"$ac_path_SED" --version 2>&1` in
+*GNU*)
+  ac_cv_path_SED="$ac_path_SED" ac_path_SED_found=:;;
+*)
+  ac_count=0
+  $as_echo_n 0123456789 >"conftest.in"
+  while :
+  do
+    cat "conftest.in" "conftest.in" >"conftest.tmp"
+    mv "conftest.tmp" "conftest.in"
+    cp "conftest.in" "conftest.nl"
+    $as_echo '' >> "conftest.nl"
+    "$ac_path_SED" -f conftest.sed < "conftest.nl" >"conftest.out" 2>/dev/null || break
+    diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
+    as_fn_arith $ac_count + 1 && ac_count=$as_val
+    if test $ac_count -gt ${ac_path_SED_max-0}; then
+      # Best one so far, save it but keep looking for a better one
+      ac_cv_path_SED="$ac_path_SED"
+      ac_path_SED_max=$ac_count
+    fi
+    # 10*(2^10) chars as input seems more than enough
+    test $ac_count -gt 10 && break
+  done
+  rm -f conftest.in conftest.tmp conftest.nl conftest.out;;
+esac
+
+      $ac_path_SED_found && break 3
+    done
+  done
+  done
+IFS=$as_save_IFS
+  if test -z "$ac_cv_path_SED"; then
+    as_fn_error $? "no acceptable sed could be found in \$PATH" "$LINENO" 5
+  fi
+else
+  ac_cv_path_SED=$SED
+fi
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_SED" >&5
+$as_echo "$ac_cv_path_SED" >&6; }
+ SED="$ac_cv_path_SED"
+  rm -f conftest.sed
+
+test -z "$SED" && SED=sed
+Xsed="$SED -e 1s/^X//"
+
+
+
+
+
+
+
+
+
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for fgrep" >&5
+$as_echo_n "checking for fgrep... " >&6; }
+if ${ac_cv_path_FGREP+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if echo 'ab*c' | $GREP -F 'ab*c' >/dev/null 2>&1
+   then ac_cv_path_FGREP="$GREP -F"
+   else
+     if test -z "$FGREP"; then
+  ac_path_FGREP_found=false
+  # Loop through the user's path and test for each of PROGNAME-LIST
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_prog in fgrep; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
+      ac_path_FGREP="$as_dir/$ac_prog$ac_exec_ext"
+      as_fn_executable_p "$ac_path_FGREP" || continue
+# Check for GNU ac_path_FGREP and select it if it is found.
+  # Check for GNU $ac_path_FGREP
+case `"$ac_path_FGREP" --version 2>&1` in
+*GNU*)
+  ac_cv_path_FGREP="$ac_path_FGREP" ac_path_FGREP_found=:;;
+*)
+  ac_count=0
+  $as_echo_n 0123456789 >"conftest.in"
+  while :
+  do
+    cat "conftest.in" "conftest.in" >"conftest.tmp"
+    mv "conftest.tmp" "conftest.in"
+    cp "conftest.in" "conftest.nl"
+    $as_echo 'FGREP' >> "conftest.nl"
+    "$ac_path_FGREP" FGREP < "conftest.nl" >"conftest.out" 2>/dev/null || break
+    diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
+    as_fn_arith $ac_count + 1 && ac_count=$as_val
+    if test $ac_count -gt ${ac_path_FGREP_max-0}; then
+      # Best one so far, save it but keep looking for a better one
+      ac_cv_path_FGREP="$ac_path_FGREP"
+      ac_path_FGREP_max=$ac_count
+    fi
+    # 10*(2^10) chars as input seems more than enough
+    test $ac_count -gt 10 && break
+  done
+  rm -f conftest.in conftest.tmp conftest.nl conftest.out;;
+esac
+
+      $ac_path_FGREP_found && break 3
+    done
+  done
+  done
+IFS=$as_save_IFS
+  if test -z "$ac_cv_path_FGREP"; then
+    as_fn_error $? "no acceptable fgrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5
+  fi
+else
+  ac_cv_path_FGREP=$FGREP
+fi
+
+   fi
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_FGREP" >&5
+$as_echo "$ac_cv_path_FGREP" >&6; }
+ FGREP="$ac_cv_path_FGREP"
+
+
+test -z "$GREP" && GREP=grep
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+# Check whether --with-gnu-ld was given.
+if test "${with_gnu_ld+set}" = set; then :
+  withval=$with_gnu_ld; test no = "$withval" || with_gnu_ld=yes
+else
+  with_gnu_ld=no
+fi
+
+ac_prog=ld
+if test yes = "$GCC"; then
+  # Check if gcc -print-prog-name=ld gives a path.
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ld used by $CC" >&5
+$as_echo_n "checking for ld used by $CC... " >&6; }
+  case $host in
+  *-*-mingw*)
+    # gcc leaves a trailing carriage return, which upsets mingw
+    ac_prog=`($CC -print-prog-name=ld) 2>&5 | tr -d '\015'` ;;
+  *)
+    ac_prog=`($CC -print-prog-name=ld) 2>&5` ;;
+  esac
+  case $ac_prog in
+    # Accept absolute paths.
+    [\\/]* | ?:[\\/]*)
+      re_direlt='/[^/][^/]*/\.\./'
+      # Canonicalize the pathname of ld
+      ac_prog=`$ECHO "$ac_prog"| $SED 's%\\\\%/%g'`
+      while $ECHO "$ac_prog" | $GREP "$re_direlt" > /dev/null 2>&1; do
+	ac_prog=`$ECHO $ac_prog| $SED "s%$re_direlt%/%"`
+      done
+      test -z "$LD" && LD=$ac_prog
+      ;;
+  "")
+    # If it fails, then pretend we aren't using GCC.
+    ac_prog=ld
+    ;;
+  *)
+    # If it is relative, then search for the first ld in PATH.
+    with_gnu_ld=unknown
+    ;;
+  esac
+elif test yes = "$with_gnu_ld"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GNU ld" >&5
+$as_echo_n "checking for GNU ld... " >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for non-GNU ld" >&5
+$as_echo_n "checking for non-GNU ld... " >&6; }
+fi
+if ${lt_cv_path_LD+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -z "$LD"; then
+  lt_save_ifs=$IFS; IFS=$PATH_SEPARATOR
+  for ac_dir in $PATH; do
+    IFS=$lt_save_ifs
+    test -z "$ac_dir" && ac_dir=.
+    if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then
+      lt_cv_path_LD=$ac_dir/$ac_prog
+      # Check to see if the program is GNU ld.  I'd rather use --version,
+      # but apparently some variants of GNU ld only accept -v.
+      # Break only if it was the GNU/non-GNU ld that we prefer.
+      case `"$lt_cv_path_LD" -v 2>&1 </dev/null` in
+      *GNU* | *'with BFD'*)
+	test no != "$with_gnu_ld" && break
+	;;
+      *)
+	test yes != "$with_gnu_ld" && break
+	;;
+      esac
+    fi
+  done
+  IFS=$lt_save_ifs
+else
+  lt_cv_path_LD=$LD # Let the user override the test with a path.
+fi
+fi
+
+LD=$lt_cv_path_LD
+if test -n "$LD"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $LD" >&5
+$as_echo "$LD" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+test -z "$LD" && as_fn_error $? "no acceptable ld found in \$PATH" "$LINENO" 5
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if the linker ($LD) is GNU ld" >&5
+$as_echo_n "checking if the linker ($LD) is GNU ld... " >&6; }
+if ${lt_cv_prog_gnu_ld+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  # I'd rather use --version here, but apparently some GNU lds only accept -v.
+case `$LD -v 2>&1 </dev/null` in
+*GNU* | *'with BFD'*)
+  lt_cv_prog_gnu_ld=yes
+  ;;
+*)
+  lt_cv_prog_gnu_ld=no
+  ;;
+esac
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_gnu_ld" >&5
+$as_echo "$lt_cv_prog_gnu_ld" >&6; }
+with_gnu_ld=$lt_cv_prog_gnu_ld
+
+
+
+
+
+
+
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for BSD- or MS-compatible name lister (nm)" >&5
+$as_echo_n "checking for BSD- or MS-compatible name lister (nm)... " >&6; }
+if ${lt_cv_path_NM+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$NM"; then
+  # Let the user override the test.
+  lt_cv_path_NM=$NM
+else
+  lt_nm_to_check=${ac_tool_prefix}nm
+  if test -n "$ac_tool_prefix" && test "$build" = "$host"; then
+    lt_nm_to_check="$lt_nm_to_check nm"
+  fi
+  for lt_tmp_nm in $lt_nm_to_check; do
+    lt_save_ifs=$IFS; IFS=$PATH_SEPARATOR
+    for ac_dir in $PATH /usr/ccs/bin/elf /usr/ccs/bin /usr/ucb /bin; do
+      IFS=$lt_save_ifs
+      test -z "$ac_dir" && ac_dir=.
+      tmp_nm=$ac_dir/$lt_tmp_nm
+      if test -f "$tmp_nm" || test -f "$tmp_nm$ac_exeext"; then
+	# Check to see if the nm accepts a BSD-compat flag.
+	# Adding the 'sed 1q' prevents false positives on HP-UX, which says:
+	#   nm: unknown option "B" ignored
+	# Tru64's nm complains that /dev/null is an invalid object file
+	# MSYS converts /dev/null to NUL, MinGW nm treats NUL as empty
+	case $build_os in
+	mingw*) lt_bad_file=conftest.nm/nofile ;;
+	*) lt_bad_file=/dev/null ;;
+	esac
+	case `"$tmp_nm" -B $lt_bad_file 2>&1 | sed '1q'` in
+	*$lt_bad_file* | *'Invalid file or object type'*)
+	  lt_cv_path_NM="$tmp_nm -B"
+	  break 2
+	  ;;
+	*)
+	  case `"$tmp_nm" -p /dev/null 2>&1 | sed '1q'` in
+	  */dev/null*)
+	    lt_cv_path_NM="$tmp_nm -p"
+	    break 2
+	    ;;
+	  *)
+	    lt_cv_path_NM=${lt_cv_path_NM="$tmp_nm"} # keep the first match, but
+	    continue # so that we can try to find one that supports BSD flags
+	    ;;
+	  esac
+	  ;;
+	esac
+      fi
+    done
+    IFS=$lt_save_ifs
+  done
+  : ${lt_cv_path_NM=no}
+fi
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_path_NM" >&5
+$as_echo "$lt_cv_path_NM" >&6; }
+if test no != "$lt_cv_path_NM"; then
+  NM=$lt_cv_path_NM
+else
+  # Didn't find any BSD compatible name lister, look for dumpbin.
+  if test -n "$DUMPBIN"; then :
+    # Let the user override the test.
+  else
+    if test -n "$ac_tool_prefix"; then
+  for ac_prog in dumpbin "link -dump"
+  do
+    # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
+set dummy $ac_tool_prefix$ac_prog; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_DUMPBIN+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$DUMPBIN"; then
+  ac_cv_prog_DUMPBIN="$DUMPBIN" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_DUMPBIN="$ac_tool_prefix$ac_prog"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+DUMPBIN=$ac_cv_prog_DUMPBIN
+if test -n "$DUMPBIN"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $DUMPBIN" >&5
+$as_echo "$DUMPBIN" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+    test -n "$DUMPBIN" && break
+  done
+fi
+if test -z "$DUMPBIN"; then
+  ac_ct_DUMPBIN=$DUMPBIN
+  for ac_prog in dumpbin "link -dump"
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_ac_ct_DUMPBIN+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$ac_ct_DUMPBIN"; then
+  ac_cv_prog_ac_ct_DUMPBIN="$ac_ct_DUMPBIN" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_ac_ct_DUMPBIN="$ac_prog"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_DUMPBIN=$ac_cv_prog_ac_ct_DUMPBIN
+if test -n "$ac_ct_DUMPBIN"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_DUMPBIN" >&5
+$as_echo "$ac_ct_DUMPBIN" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+  test -n "$ac_ct_DUMPBIN" && break
+done
+
+  if test "x$ac_ct_DUMPBIN" = x; then
+    DUMPBIN=":"
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
+ac_tool_warned=yes ;;
+esac
+    DUMPBIN=$ac_ct_DUMPBIN
+  fi
+fi
+
+    case `$DUMPBIN -symbols -headers /dev/null 2>&1 | sed '1q'` in
+    *COFF*)
+      DUMPBIN="$DUMPBIN -symbols -headers"
+      ;;
+    *)
+      DUMPBIN=:
+      ;;
+    esac
+  fi
+
+  if test : != "$DUMPBIN"; then
+    NM=$DUMPBIN
+  fi
+fi
+test -z "$NM" && NM=nm
+
+
+
+
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking the name lister ($NM) interface" >&5
+$as_echo_n "checking the name lister ($NM) interface... " >&6; }
+if ${lt_cv_nm_interface+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  lt_cv_nm_interface="BSD nm"
+  echo "int some_variable = 0;" > conftest.$ac_ext
+  (eval echo "\"\$as_me:$LINENO: $ac_compile\"" >&5)
+  (eval "$ac_compile" 2>conftest.err)
+  cat conftest.err >&5
+  (eval echo "\"\$as_me:$LINENO: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
+  (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)
+  cat conftest.err >&5
+  (eval echo "\"\$as_me:$LINENO: output\"" >&5)
+  cat conftest.out >&5
+  if $GREP 'External.*some_variable' conftest.out > /dev/null; then
+    lt_cv_nm_interface="MS dumpbin"
+  fi
+  rm -f conftest*
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_nm_interface" >&5
+$as_echo "$lt_cv_nm_interface" >&6; }
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ln -s works" >&5
+$as_echo_n "checking whether ln -s works... " >&6; }
+LN_S=$as_ln_s
+if test "$LN_S" = "ln -s"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no, using $LN_S" >&5
+$as_echo "no, using $LN_S" >&6; }
+fi
+
+# find the maximum length of command line arguments
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking the maximum length of command line arguments" >&5
+$as_echo_n "checking the maximum length of command line arguments... " >&6; }
+if ${lt_cv_sys_max_cmd_len+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+    i=0
+  teststring=ABCD
+
+  case $build_os in
+  msdosdjgpp*)
+    # On DJGPP, this test can blow up pretty badly due to problems in libc
+    # (any single argument exceeding 2000 bytes causes a buffer overrun
+    # during glob expansion).  Even if it were fixed, the result of this
+    # check would be larger than it should be.
+    lt_cv_sys_max_cmd_len=12288;    # 12K is about right
+    ;;
+
+  gnu*)
+    # Under GNU Hurd, this test is not required because there is
+    # no limit to the length of command line arguments.
+    # Libtool will interpret -1 as no limit whatsoever
+    lt_cv_sys_max_cmd_len=-1;
+    ;;
+
+  cygwin* | mingw* | cegcc*)
+    # On Win9x/ME, this test blows up -- it succeeds, but takes
+    # about 5 minutes as the teststring grows exponentially.
+    # Worse, since 9x/ME are not pre-emptively multitasking,
+    # you end up with a "frozen" computer, even though with patience
+    # the test eventually succeeds (with a max line length of 256k).
+    # Instead, let's just punt: use the minimum linelength reported by
+    # all of the supported platforms: 8192 (on NT/2K/XP).
+    lt_cv_sys_max_cmd_len=8192;
+    ;;
+
+  mint*)
+    # On MiNT this can take a long time and run out of memory.
+    lt_cv_sys_max_cmd_len=8192;
+    ;;
+
+  amigaos*)
+    # On AmigaOS with pdksh, this test takes hours, literally.
+    # So we just punt and use a minimum line length of 8192.
+    lt_cv_sys_max_cmd_len=8192;
+    ;;
+
+  bitrig* | darwin* | dragonfly* | freebsd* | netbsd* | openbsd*)
+    # This has been around since 386BSD, at least.  Likely further.
+    if test -x /sbin/sysctl; then
+      lt_cv_sys_max_cmd_len=`/sbin/sysctl -n kern.argmax`
+    elif test -x /usr/sbin/sysctl; then
+      lt_cv_sys_max_cmd_len=`/usr/sbin/sysctl -n kern.argmax`
+    else
+      lt_cv_sys_max_cmd_len=65536	# usable default for all BSDs
+    fi
+    # And add a safety zone
+    lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4`
+    lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3`
+    ;;
+
+  interix*)
+    # We know the value 262144 and hardcode it with a safety zone (like BSD)
+    lt_cv_sys_max_cmd_len=196608
+    ;;
+
+  os2*)
+    # The test takes a long time on OS/2.
+    lt_cv_sys_max_cmd_len=8192
+    ;;
+
+  osf*)
+    # Dr. Hans Ekkehard Plesser reports seeing a kernel panic running configure
+    # due to this test when exec_disable_arg_limit is 1 on Tru64. It is not
+    # nice to cause kernel panics so lets avoid the loop below.
+    # First set a reasonable default.
+    lt_cv_sys_max_cmd_len=16384
+    #
+    if test -x /sbin/sysconfig; then
+      case `/sbin/sysconfig -q proc exec_disable_arg_limit` in
+        *1*) lt_cv_sys_max_cmd_len=-1 ;;
+      esac
+    fi
+    ;;
+  sco3.2v5*)
+    lt_cv_sys_max_cmd_len=102400
+    ;;
+  sysv5* | sco5v6* | sysv4.2uw2*)
+    kargmax=`grep ARG_MAX /etc/conf/cf.d/stune 2>/dev/null`
+    if test -n "$kargmax"; then
+      lt_cv_sys_max_cmd_len=`echo $kargmax | sed 's/.*[	 ]//'`
+    else
+      lt_cv_sys_max_cmd_len=32768
+    fi
+    ;;
+  *)
+    lt_cv_sys_max_cmd_len=`(getconf ARG_MAX) 2> /dev/null`
+    if test -n "$lt_cv_sys_max_cmd_len" && \
+       test undefined != "$lt_cv_sys_max_cmd_len"; then
+      lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4`
+      lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3`
+    else
+      # Make teststring a little bigger before we do anything with it.
+      # a 1K string should be a reasonable start.
+      for i in 1 2 3 4 5 6 7 8; do
+        teststring=$teststring$teststring
+      done
+      SHELL=${SHELL-${CONFIG_SHELL-/bin/sh}}
+      # If test is not a shell built-in, we'll probably end up computing a
+      # maximum length that is only half of the actual maximum length, but
+      # we can't tell.
+      while { test X`env echo "$teststring$teststring" 2>/dev/null` \
+	         = "X$teststring$teststring"; } >/dev/null 2>&1 &&
+	      test 17 != "$i" # 1/2 MB should be enough
+      do
+        i=`expr $i + 1`
+        teststring=$teststring$teststring
+      done
+      # Only check the string length outside the loop.
+      lt_cv_sys_max_cmd_len=`expr "X$teststring" : ".*" 2>&1`
+      teststring=
+      # Add a significant safety factor because C++ compilers can tack on
+      # massive amounts of additional arguments before passing them to the
+      # linker.  It appears as though 1/2 is a usable value.
+      lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 2`
+    fi
+    ;;
+  esac
+
+fi
+
+if test -n "$lt_cv_sys_max_cmd_len"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_sys_max_cmd_len" >&5
+$as_echo "$lt_cv_sys_max_cmd_len" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: none" >&5
+$as_echo "none" >&6; }
+fi
+max_cmd_len=$lt_cv_sys_max_cmd_len
+
+
+
+
+
+
+: ${CP="cp -f"}
+: ${MV="mv -f"}
+: ${RM="rm -f"}
+
+if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
+  lt_unset=unset
+else
+  lt_unset=false
+fi
+
+
+
+
+
+# test EBCDIC or ASCII
+case `echo X|tr X '\101'` in
+ A) # ASCII based system
+    # \n is not interpreted correctly by Solaris 8 /usr/ucb/tr
+  lt_SP2NL='tr \040 \012'
+  lt_NL2SP='tr \015\012 \040\040'
+  ;;
+ *) # EBCDIC based system
+  lt_SP2NL='tr \100 \n'
+  lt_NL2SP='tr \r\n \100\100'
+  ;;
+esac
+
+
+
+
+
+
+
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to convert $build file names to $host format" >&5
+$as_echo_n "checking how to convert $build file names to $host format... " >&6; }
+if ${lt_cv_to_host_file_cmd+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $host in
+  *-*-mingw* )
+    case $build in
+      *-*-mingw* ) # actually msys
+        lt_cv_to_host_file_cmd=func_convert_file_msys_to_w32
+        ;;
+      *-*-cygwin* )
+        lt_cv_to_host_file_cmd=func_convert_file_cygwin_to_w32
+        ;;
+      * ) # otherwise, assume *nix
+        lt_cv_to_host_file_cmd=func_convert_file_nix_to_w32
+        ;;
+    esac
+    ;;
+  *-*-cygwin* )
+    case $build in
+      *-*-mingw* ) # actually msys
+        lt_cv_to_host_file_cmd=func_convert_file_msys_to_cygwin
+        ;;
+      *-*-cygwin* )
+        lt_cv_to_host_file_cmd=func_convert_file_noop
+        ;;
+      * ) # otherwise, assume *nix
+        lt_cv_to_host_file_cmd=func_convert_file_nix_to_cygwin
+        ;;
+    esac
+    ;;
+  * ) # unhandled hosts (and "normal" native builds)
+    lt_cv_to_host_file_cmd=func_convert_file_noop
+    ;;
+esac
+
+fi
+
+to_host_file_cmd=$lt_cv_to_host_file_cmd
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_to_host_file_cmd" >&5
+$as_echo "$lt_cv_to_host_file_cmd" >&6; }
+
+
+
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to convert $build file names to toolchain format" >&5
+$as_echo_n "checking how to convert $build file names to toolchain format... " >&6; }
+if ${lt_cv_to_tool_file_cmd+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  #assume ordinary cross tools, or native build.
+lt_cv_to_tool_file_cmd=func_convert_file_noop
+case $host in
+  *-*-mingw* )
+    case $build in
+      *-*-mingw* ) # actually msys
+        lt_cv_to_tool_file_cmd=func_convert_file_msys_to_w32
+        ;;
+    esac
+    ;;
+esac
+
+fi
+
+to_tool_file_cmd=$lt_cv_to_tool_file_cmd
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_to_tool_file_cmd" >&5
+$as_echo "$lt_cv_to_tool_file_cmd" >&6; }
+
+
+
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $LD option to reload object files" >&5
+$as_echo_n "checking for $LD option to reload object files... " >&6; }
+if ${lt_cv_ld_reload_flag+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  lt_cv_ld_reload_flag='-r'
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_ld_reload_flag" >&5
+$as_echo "$lt_cv_ld_reload_flag" >&6; }
+reload_flag=$lt_cv_ld_reload_flag
+case $reload_flag in
+"" | " "*) ;;
+*) reload_flag=" $reload_flag" ;;
+esac
+reload_cmds='$LD$reload_flag -o $output$reload_objs'
+case $host_os in
+  cygwin* | mingw* | pw32* | cegcc*)
+    if test yes != "$GCC"; then
+      reload_cmds=false
+    fi
+    ;;
+  darwin*)
+    if test yes = "$GCC"; then
+      reload_cmds='$LTCC $LTCFLAGS -nostdlib $wl-r -o $output$reload_objs'
+    else
+      reload_cmds='$LD$reload_flag -o $output$reload_objs'
+    fi
+    ;;
+esac
+
+
+
+
+
+
+
+
+
+if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}objdump", so it can be a program name with args.
+set dummy ${ac_tool_prefix}objdump; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_OBJDUMP+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$OBJDUMP"; then
+  ac_cv_prog_OBJDUMP="$OBJDUMP" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_OBJDUMP="${ac_tool_prefix}objdump"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+OBJDUMP=$ac_cv_prog_OBJDUMP
+if test -n "$OBJDUMP"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OBJDUMP" >&5
+$as_echo "$OBJDUMP" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_prog_OBJDUMP"; then
+  ac_ct_OBJDUMP=$OBJDUMP
+  # Extract the first word of "objdump", so it can be a program name with args.
+set dummy objdump; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_ac_ct_OBJDUMP+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$ac_ct_OBJDUMP"; then
+  ac_cv_prog_ac_ct_OBJDUMP="$ac_ct_OBJDUMP" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_ac_ct_OBJDUMP="objdump"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_OBJDUMP=$ac_cv_prog_ac_ct_OBJDUMP
+if test -n "$ac_ct_OBJDUMP"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_OBJDUMP" >&5
+$as_echo "$ac_ct_OBJDUMP" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+  if test "x$ac_ct_OBJDUMP" = x; then
+    OBJDUMP="false"
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
+ac_tool_warned=yes ;;
+esac
+    OBJDUMP=$ac_ct_OBJDUMP
+  fi
+else
+  OBJDUMP="$ac_cv_prog_OBJDUMP"
+fi
+
+test -z "$OBJDUMP" && OBJDUMP=objdump
+
+
+
+
+
+
+
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to recognize dependent libraries" >&5
+$as_echo_n "checking how to recognize dependent libraries... " >&6; }
+if ${lt_cv_deplibs_check_method+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  lt_cv_file_magic_cmd='$MAGIC_CMD'
+lt_cv_file_magic_test_file=
+lt_cv_deplibs_check_method='unknown'
+# Need to set the preceding variable on all platforms that support
+# interlibrary dependencies.
+# 'none' -- dependencies not supported.
+# 'unknown' -- same as none, but documents that we really don't know.
+# 'pass_all' -- all dependencies passed with no checks.
+# 'test_compile' -- check by making test program.
+# 'file_magic [[regex]]' -- check by looking for files in library path
+# that responds to the $file_magic_cmd with a given extended regex.
+# If you have 'file' or equivalent on your system and you're not sure
+# whether 'pass_all' will *always* work, you probably want this one.
+
+case $host_os in
+aix[4-9]*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+beos*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+bsdi[45]*)
+  lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (shared object|dynamic lib)'
+  lt_cv_file_magic_cmd='/usr/bin/file -L'
+  lt_cv_file_magic_test_file=/shlib/libc.so
+  ;;
+
+cygwin*)
+  # func_win32_libid is a shell function defined in ltmain.sh
+  lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL'
+  lt_cv_file_magic_cmd='func_win32_libid'
+  ;;
+
+mingw* | pw32*)
+  # Base MSYS/MinGW do not provide the 'file' command needed by
+  # func_win32_libid shell function, so use a weaker test based on 'objdump',
+  # unless we find 'file', for example because we are cross-compiling.
+  if ( file / ) >/dev/null 2>&1; then
+    lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL'
+    lt_cv_file_magic_cmd='func_win32_libid'
+  else
+    # Keep this pattern in sync with the one in func_win32_libid.
+    lt_cv_deplibs_check_method='file_magic file format (pei*-i386(.*architecture: i386)?|pe-arm-wince|pe-x86-64)'
+    lt_cv_file_magic_cmd='$OBJDUMP -f'
+  fi
+  ;;
+
+cegcc*)
+  # use the weaker test based on 'objdump'. See mingw*.
+  lt_cv_deplibs_check_method='file_magic file format pe-arm-.*little(.*architecture: arm)?'
+  lt_cv_file_magic_cmd='$OBJDUMP -f'
+  ;;
+
+darwin* | rhapsody*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+freebsd* | dragonfly*)
+  if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then
+    case $host_cpu in
+    i*86 )
+      # Not sure whether the presence of OpenBSD here was a mistake.
+      # Let's accept both of them until this is cleared up.
+      lt_cv_deplibs_check_method='file_magic (FreeBSD|OpenBSD|DragonFly)/i[3-9]86 (compact )?demand paged shared library'
+      lt_cv_file_magic_cmd=/usr/bin/file
+      lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*`
+      ;;
+    esac
+  else
+    lt_cv_deplibs_check_method=pass_all
+  fi
+  ;;
+
+haiku*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+hpux10.20* | hpux11*)
+  lt_cv_file_magic_cmd=/usr/bin/file
+  case $host_cpu in
+  ia64*)
+    lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF-[0-9][0-9]) shared object file - IA64'
+    lt_cv_file_magic_test_file=/usr/lib/hpux32/libc.so
+    ;;
+  hppa*64*)
+    lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF[ -][0-9][0-9])(-bit)?( [LM]SB)? shared object( file)?[, -]* PA-RISC [0-9]\.[0-9]'
+    lt_cv_file_magic_test_file=/usr/lib/pa20_64/libc.sl
+    ;;
+  *)
+    lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|PA-RISC[0-9]\.[0-9]) shared library'
+    lt_cv_file_magic_test_file=/usr/lib/libc.sl
+    ;;
+  esac
+  ;;
+
+interix[3-9]*)
+  # PIC code is broken on Interix 3.x, that's why |\.a not |_pic\.a here
+  lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so|\.a)$'
+  ;;
+
+irix5* | irix6* | nonstopux*)
+  case $LD in
+  *-32|*"-32 ") libmagic=32-bit;;
+  *-n32|*"-n32 ") libmagic=N32;;
+  *-64|*"-64 ") libmagic=64-bit;;
+  *) libmagic=never-match;;
+  esac
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+# This must be glibc/ELF.
+linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+netbsd*)
+  if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then
+    lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|_pic\.a)$'
+  else
+    lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so|_pic\.a)$'
+  fi
+  ;;
+
+newos6*)
+  lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (executable|dynamic lib)'
+  lt_cv_file_magic_cmd=/usr/bin/file
+  lt_cv_file_magic_test_file=/usr/lib/libnls.so
+  ;;
+
+*nto* | *qnx*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+openbsd* | bitrig*)
+  if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`"; then
+    lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|\.so|_pic\.a)$'
+  else
+    lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|_pic\.a)$'
+  fi
+  ;;
+
+osf3* | osf4* | osf5*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+rdos*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+solaris*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+sysv4 | sysv4.3*)
+  case $host_vendor in
+  motorola)
+    lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (shared object|dynamic lib) M[0-9][0-9]* Version [0-9]'
+    lt_cv_file_magic_test_file=`echo /usr/lib/libc.so*`
+    ;;
+  ncr)
+    lt_cv_deplibs_check_method=pass_all
+    ;;
+  sequent)
+    lt_cv_file_magic_cmd='/bin/file'
+    lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [LM]SB (shared object|dynamic lib )'
+    ;;
+  sni)
+    lt_cv_file_magic_cmd='/bin/file'
+    lt_cv_deplibs_check_method="file_magic ELF [0-9][0-9]*-bit [LM]SB dynamic lib"
+    lt_cv_file_magic_test_file=/lib/libc.so
+    ;;
+  siemens)
+    lt_cv_deplibs_check_method=pass_all
+    ;;
+  pc)
+    lt_cv_deplibs_check_method=pass_all
+    ;;
+  esac
+  ;;
+
+tpf*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+os2*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+esac
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_deplibs_check_method" >&5
+$as_echo "$lt_cv_deplibs_check_method" >&6; }
+
+file_magic_glob=
+want_nocaseglob=no
+if test "$build" = "$host"; then
+  case $host_os in
+  mingw* | pw32*)
+    if ( shopt | grep nocaseglob ) >/dev/null 2>&1; then
+      want_nocaseglob=yes
+    else
+      file_magic_glob=`echo aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ | $SED -e "s/\(..\)/s\/[\1]\/[\1]\/g;/g"`
+    fi
+    ;;
+  esac
+fi
+
+file_magic_cmd=$lt_cv_file_magic_cmd
+deplibs_check_method=$lt_cv_deplibs_check_method
+test -z "$deplibs_check_method" && deplibs_check_method=unknown
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}dlltool", so it can be a program name with args.
+set dummy ${ac_tool_prefix}dlltool; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_DLLTOOL+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$DLLTOOL"; then
+  ac_cv_prog_DLLTOOL="$DLLTOOL" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_DLLTOOL="${ac_tool_prefix}dlltool"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+DLLTOOL=$ac_cv_prog_DLLTOOL
+if test -n "$DLLTOOL"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $DLLTOOL" >&5
+$as_echo "$DLLTOOL" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_prog_DLLTOOL"; then
+  ac_ct_DLLTOOL=$DLLTOOL
+  # Extract the first word of "dlltool", so it can be a program name with args.
+set dummy dlltool; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_ac_ct_DLLTOOL+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$ac_ct_DLLTOOL"; then
+  ac_cv_prog_ac_ct_DLLTOOL="$ac_ct_DLLTOOL" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_ac_ct_DLLTOOL="dlltool"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_DLLTOOL=$ac_cv_prog_ac_ct_DLLTOOL
+if test -n "$ac_ct_DLLTOOL"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_DLLTOOL" >&5
+$as_echo "$ac_ct_DLLTOOL" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+  if test "x$ac_ct_DLLTOOL" = x; then
+    DLLTOOL="false"
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
+ac_tool_warned=yes ;;
+esac
+    DLLTOOL=$ac_ct_DLLTOOL
+  fi
+else
+  DLLTOOL="$ac_cv_prog_DLLTOOL"
+fi
+
+test -z "$DLLTOOL" && DLLTOOL=dlltool
+
+
+
+
+
+
+
+
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to associate runtime and link libraries" >&5
+$as_echo_n "checking how to associate runtime and link libraries... " >&6; }
+if ${lt_cv_sharedlib_from_linklib_cmd+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  lt_cv_sharedlib_from_linklib_cmd='unknown'
+
+case $host_os in
+cygwin* | mingw* | pw32* | cegcc*)
+  # two different shell functions defined in ltmain.sh;
+  # decide which one to use based on capabilities of $DLLTOOL
+  case `$DLLTOOL --help 2>&1` in
+  *--identify-strict*)
+    lt_cv_sharedlib_from_linklib_cmd=func_cygming_dll_for_implib
+    ;;
+  *)
+    lt_cv_sharedlib_from_linklib_cmd=func_cygming_dll_for_implib_fallback
+    ;;
+  esac
+  ;;
+*)
+  # fallback: assume linklib IS sharedlib
+  lt_cv_sharedlib_from_linklib_cmd=$ECHO
+  ;;
+esac
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_sharedlib_from_linklib_cmd" >&5
+$as_echo "$lt_cv_sharedlib_from_linklib_cmd" >&6; }
+sharedlib_from_linklib_cmd=$lt_cv_sharedlib_from_linklib_cmd
+test -z "$sharedlib_from_linklib_cmd" && sharedlib_from_linklib_cmd=$ECHO
+
+
+
+
+
+
+
+if test -n "$ac_tool_prefix"; then
+  for ac_prog in ar
+  do
+    # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
+set dummy $ac_tool_prefix$ac_prog; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_AR+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$AR"; then
+  ac_cv_prog_AR="$AR" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_AR="$ac_tool_prefix$ac_prog"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+AR=$ac_cv_prog_AR
+if test -n "$AR"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $AR" >&5
+$as_echo "$AR" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+    test -n "$AR" && break
+  done
+fi
+if test -z "$AR"; then
+  ac_ct_AR=$AR
+  for ac_prog in ar
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_ac_ct_AR+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$ac_ct_AR"; then
+  ac_cv_prog_ac_ct_AR="$ac_ct_AR" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_ac_ct_AR="$ac_prog"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_AR=$ac_cv_prog_ac_ct_AR
+if test -n "$ac_ct_AR"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_AR" >&5
+$as_echo "$ac_ct_AR" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+  test -n "$ac_ct_AR" && break
+done
+
+  if test "x$ac_ct_AR" = x; then
+    AR="false"
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
+ac_tool_warned=yes ;;
+esac
+    AR=$ac_ct_AR
+  fi
+fi
+
+: ${AR=ar}
+: ${AR_FLAGS=cru}
+
+
+
+
+
+
+
+
+
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for archiver @FILE support" >&5
+$as_echo_n "checking for archiver @FILE support... " >&6; }
+if ${lt_cv_ar_at_file+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  lt_cv_ar_at_file=no
+   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  echo conftest.$ac_objext > conftest.lst
+      lt_ar_try='$AR $AR_FLAGS libconftest.a @conftest.lst >&5'
+      { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$lt_ar_try\""; } >&5
+  (eval $lt_ar_try) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+      if test 0 -eq "$ac_status"; then
+	# Ensure the archiver fails upon bogus file names.
+	rm -f conftest.$ac_objext libconftest.a
+	{ { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$lt_ar_try\""; } >&5
+  (eval $lt_ar_try) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+	if test 0 -ne "$ac_status"; then
+          lt_cv_ar_at_file=@
+        fi
+      fi
+      rm -f conftest.* libconftest.a
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_ar_at_file" >&5
+$as_echo "$lt_cv_ar_at_file" >&6; }
+
+if test no = "$lt_cv_ar_at_file"; then
+  archiver_list_spec=
+else
+  archiver_list_spec=$lt_cv_ar_at_file
+fi
+
+
+
+
+
+
+
+if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args.
+set dummy ${ac_tool_prefix}strip; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_STRIP+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$STRIP"; then
+  ac_cv_prog_STRIP="$STRIP" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_STRIP="${ac_tool_prefix}strip"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+STRIP=$ac_cv_prog_STRIP
+if test -n "$STRIP"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $STRIP" >&5
+$as_echo "$STRIP" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_prog_STRIP"; then
+  ac_ct_STRIP=$STRIP
+  # Extract the first word of "strip", so it can be a program name with args.
+set dummy strip; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_ac_ct_STRIP+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$ac_ct_STRIP"; then
+  ac_cv_prog_ac_ct_STRIP="$ac_ct_STRIP" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_ac_ct_STRIP="strip"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_STRIP=$ac_cv_prog_ac_ct_STRIP
+if test -n "$ac_ct_STRIP"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_STRIP" >&5
+$as_echo "$ac_ct_STRIP" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+  if test "x$ac_ct_STRIP" = x; then
+    STRIP=":"
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
+ac_tool_warned=yes ;;
+esac
+    STRIP=$ac_ct_STRIP
+  fi
+else
+  STRIP="$ac_cv_prog_STRIP"
+fi
+
+test -z "$STRIP" && STRIP=:
+
+
+
+
+
+
+if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args.
+set dummy ${ac_tool_prefix}ranlib; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_RANLIB+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$RANLIB"; then
+  ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+RANLIB=$ac_cv_prog_RANLIB
+if test -n "$RANLIB"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $RANLIB" >&5
+$as_echo "$RANLIB" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_prog_RANLIB"; then
+  ac_ct_RANLIB=$RANLIB
+  # Extract the first word of "ranlib", so it can be a program name with args.
+set dummy ranlib; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_ac_ct_RANLIB+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$ac_ct_RANLIB"; then
+  ac_cv_prog_ac_ct_RANLIB="$ac_ct_RANLIB" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_ac_ct_RANLIB="ranlib"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_RANLIB=$ac_cv_prog_ac_ct_RANLIB
+if test -n "$ac_ct_RANLIB"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_RANLIB" >&5
+$as_echo "$ac_ct_RANLIB" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+  if test "x$ac_ct_RANLIB" = x; then
+    RANLIB=":"
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
+ac_tool_warned=yes ;;
+esac
+    RANLIB=$ac_ct_RANLIB
+  fi
+else
+  RANLIB="$ac_cv_prog_RANLIB"
+fi
+
+test -z "$RANLIB" && RANLIB=:
+
+
+
+
+
+
+# Determine commands to create old-style static archives.
+old_archive_cmds='$AR $AR_FLAGS $oldlib$oldobjs'
+old_postinstall_cmds='chmod 644 $oldlib'
+old_postuninstall_cmds=
+
+if test -n "$RANLIB"; then
+  case $host_os in
+  bitrig* | openbsd*)
+    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$tool_oldlib"
+    ;;
+  *)
+    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$tool_oldlib"
+    ;;
+  esac
+  old_archive_cmds="$old_archive_cmds~\$RANLIB \$tool_oldlib"
+fi
+
+case $host_os in
+  darwin*)
+    lock_old_archive_extraction=yes ;;
+  *)
+    lock_old_archive_extraction=no ;;
+esac
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+for ac_prog in gawk mawk nawk awk
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_AWK+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$AWK"; then
+  ac_cv_prog_AWK="$AWK" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_AWK="$ac_prog"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+AWK=$ac_cv_prog_AWK
+if test -n "$AWK"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $AWK" >&5
+$as_echo "$AWK" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+  test -n "$AWK" && break
+done
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+# If no C compiler was specified, use CC.
+LTCC=${LTCC-"$CC"}
+
+# If no C compiler flags were specified, use CFLAGS.
+LTCFLAGS=${LTCFLAGS-"$CFLAGS"}
+
+# Allow CC to be a program name with arguments.
+compiler=$CC
+
+
+# Check for command to grab the raw symbol name followed by C symbol from nm.
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking command to parse $NM output from $compiler object" >&5
+$as_echo_n "checking command to parse $NM output from $compiler object... " >&6; }
+if ${lt_cv_sys_global_symbol_pipe+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+
+# These are sane defaults that work on at least a few old systems.
+# [They come from Ultrix.  What could be older than Ultrix?!! ;)]
+
+# Character class describing NM global symbol codes.
+symcode='[BCDEGRST]'
+
+# Regexp to match symbols that can be accessed directly from C.
+sympat='\([_A-Za-z][_A-Za-z0-9]*\)'
+
+# Define system-specific variables.
+case $host_os in
+aix*)
+  symcode='[BCDT]'
+  ;;
+cygwin* | mingw* | pw32* | cegcc*)
+  symcode='[ABCDGISTW]'
+  ;;
+hpux*)
+  if test ia64 = "$host_cpu"; then
+    symcode='[ABCDEGRST]'
+  fi
+  ;;
+irix* | nonstopux*)
+  symcode='[BCDEGRST]'
+  ;;
+osf*)
+  symcode='[BCDEGQRST]'
+  ;;
+solaris*)
+  symcode='[BDRT]'
+  ;;
+sco3.2v5*)
+  symcode='[DT]'
+  ;;
+sysv4.2uw2*)
+  symcode='[DT]'
+  ;;
+sysv5* | sco5v6* | unixware* | OpenUNIX*)
+  symcode='[ABDT]'
+  ;;
+sysv4)
+  symcode='[DFNSTU]'
+  ;;
+esac
+
+# If we're using GNU nm, then use its standard symbol codes.
+case `$NM -V 2>&1` in
+*GNU* | *'with BFD'*)
+  symcode='[ABCDGIRSTW]' ;;
+esac
+
+if test "$lt_cv_nm_interface" = "MS dumpbin"; then
+  # Gets list of data symbols to import.
+  lt_cv_sys_global_symbol_to_import="sed -n -e 's/^I .* \(.*\)$/\1/p'"
+  # Adjust the below global symbol transforms to fixup imported variables.
+  lt_cdecl_hook=" -e 's/^I .* \(.*\)$/extern __declspec(dllimport) char \1;/p'"
+  lt_c_name_hook=" -e 's/^I .* \(.*\)$/  {\"\1\", (void *) 0},/p'"
+  lt_c_name_lib_hook="\
+  -e 's/^I .* \(lib.*\)$/  {\"\1\", (void *) 0},/p'\
+  -e 's/^I .* \(.*\)$/  {\"lib\1\", (void *) 0},/p'"
+else
+  # Disable hooks by default.
+  lt_cv_sys_global_symbol_to_import=
+  lt_cdecl_hook=
+  lt_c_name_hook=
+  lt_c_name_lib_hook=
+fi
+
+# Transform an extracted symbol line into a proper C declaration.
+# Some systems (esp. on ia64) link data and code symbols differently,
+# so use this general approach.
+lt_cv_sys_global_symbol_to_cdecl="sed -n"\
+$lt_cdecl_hook\
+" -e 's/^T .* \(.*\)$/extern int \1();/p'"\
+" -e 's/^$symcode$symcode* .* \(.*\)$/extern char \1;/p'"
+
+# Transform an extracted symbol line into symbol name and symbol address
+lt_cv_sys_global_symbol_to_c_name_address="sed -n"\
+$lt_c_name_hook\
+" -e 's/^: \(.*\) .*$/  {\"\1\", (void *) 0},/p'"\
+" -e 's/^$symcode$symcode* .* \(.*\)$/  {\"\1\", (void *) \&\1},/p'"
+
+# Transform an extracted symbol line into symbol name with lib prefix and
+# symbol address.
+lt_cv_sys_global_symbol_to_c_name_address_lib_prefix="sed -n"\
+$lt_c_name_lib_hook\
+" -e 's/^: \(.*\) .*$/  {\"\1\", (void *) 0},/p'"\
+" -e 's/^$symcode$symcode* .* \(lib.*\)$/  {\"\1\", (void *) \&\1},/p'"\
+" -e 's/^$symcode$symcode* .* \(.*\)$/  {\"lib\1\", (void *) \&\1},/p'"
+
+# Handle CRLF in mingw tool chain
+opt_cr=
+case $build_os in
+mingw*)
+  opt_cr=`$ECHO 'x\{0,1\}' | tr x '\015'` # option cr in regexp
+  ;;
+esac
+
+# Try without a prefix underscore, then with it.
+for ac_symprfx in "" "_"; do
+
+  # Transform symcode, sympat, and symprfx into a raw symbol and a C symbol.
+  symxfrm="\\1 $ac_symprfx\\2 \\2"
+
+  # Write the raw and C identifiers.
+  if test "$lt_cv_nm_interface" = "MS dumpbin"; then
+    # Fake it for dumpbin and say T for any non-static function,
+    # D for any global variable and I for any imported variable.
+    # Also find C++ and __fastcall symbols from MSVC++,
+    # which start with @ or ?.
+    lt_cv_sys_global_symbol_pipe="$AWK '"\
+"     {last_section=section; section=\$ 3};"\
+"     /^COFF SYMBOL TABLE/{for(i in hide) delete hide[i]};"\
+"     /Section length .*#relocs.*(pick any)/{hide[last_section]=1};"\
+"     /^ *Symbol name *: /{split(\$ 0,sn,\":\"); si=substr(sn[2],2)};"\
+"     /^ *Type *: code/{print \"T\",si,substr(si,length(prfx))};"\
+"     /^ *Type *: data/{print \"I\",si,substr(si,length(prfx))};"\
+"     \$ 0!~/External *\|/{next};"\
+"     / 0+ UNDEF /{next}; / UNDEF \([^|]\)*()/{next};"\
+"     {if(hide[section]) next};"\
+"     {f=\"D\"}; \$ 0~/\(\).*\|/{f=\"T\"};"\
+"     {split(\$ 0,a,/\||\r/); split(a[2],s)};"\
+"     s[1]~/^[@?]/{print f,s[1],s[1]; next};"\
+"     s[1]~prfx {split(s[1],t,\"@\"); print f,t[1],substr(t[1],length(prfx))}"\
+"     ' prfx=^$ac_symprfx"
+  else
+    lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[	 ]\($symcode$symcode*\)[	 ][	 ]*$ac_symprfx$sympat$opt_cr$/$symxfrm/p'"
+  fi
+  lt_cv_sys_global_symbol_pipe="$lt_cv_sys_global_symbol_pipe | sed '/ __gnu_lto/d'"
+
+  # Check to see that the pipe works correctly.
+  pipe_works=no
+
+  rm -f conftest*
+  cat > conftest.$ac_ext <<_LT_EOF
+#ifdef __cplusplus
+extern "C" {
+#endif
+char nm_test_var;
+void nm_test_func(void);
+void nm_test_func(void){}
+#ifdef __cplusplus
+}
+#endif
+int main(){nm_test_var='a';nm_test_func();return(0);}
+_LT_EOF
+
+  if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+    # Now try to grab the symbols.
+    nlist=conftest.nm
+    if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist\""; } >&5
+  (eval $NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } && test -s "$nlist"; then
+      # Try sorting and uniquifying the output.
+      if sort "$nlist" | uniq > "$nlist"T; then
+	mv -f "$nlist"T "$nlist"
+      else
+	rm -f "$nlist"T
+      fi
+
+      # Make sure that we snagged all the symbols we need.
+      if $GREP ' nm_test_var$' "$nlist" >/dev/null; then
+	if $GREP ' nm_test_func$' "$nlist" >/dev/null; then
+	  cat <<_LT_EOF > conftest.$ac_ext
+/* Keep this code in sync between libtool.m4, ltmain, lt_system.h, and tests.  */
+#if defined _WIN32 || defined __CYGWIN__ || defined _WIN32_WCE
+/* DATA imports from DLLs on WIN32 can't be const, because runtime
+   relocations are performed -- see ld's documentation on pseudo-relocs.  */
+# define LT_DLSYM_CONST
+#elif defined __osf__
+/* This system does not cope well with relocations in const data.  */
+# define LT_DLSYM_CONST
+#else
+# define LT_DLSYM_CONST const
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+_LT_EOF
+	  # Now generate the symbol file.
+	  eval "$lt_cv_sys_global_symbol_to_cdecl"' < "$nlist" | $GREP -v main >> conftest.$ac_ext'
+
+	  cat <<_LT_EOF >> conftest.$ac_ext
+
+/* The mapping between symbol names and symbols.  */
+LT_DLSYM_CONST struct {
+  const char *name;
+  void       *address;
+}
+lt__PROGRAM__LTX_preloaded_symbols[] =
+{
+  { "@PROGRAM@", (void *) 0 },
+_LT_EOF
+	  $SED "s/^$symcode$symcode* .* \(.*\)$/  {\"\1\", (void *) \&\1},/" < "$nlist" | $GREP -v main >> conftest.$ac_ext
+	  cat <<\_LT_EOF >> conftest.$ac_ext
+  {0, (void *) 0}
+};
+
+/* This works around a problem in FreeBSD linker */
+#ifdef FREEBSD_WORKAROUND
+static const void *lt_preloaded_setup() {
+  return lt__PROGRAM__LTX_preloaded_symbols;
+}
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+_LT_EOF
+	  # Now try linking the two files.
+	  mv conftest.$ac_objext conftstm.$ac_objext
+	  lt_globsym_save_LIBS=$LIBS
+	  lt_globsym_save_CFLAGS=$CFLAGS
+	  LIBS=conftstm.$ac_objext
+	  CFLAGS="$CFLAGS$lt_prog_compiler_no_builtin_flag"
+	  if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_link\""; } >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } && test -s conftest$ac_exeext; then
+	    pipe_works=yes
+	  fi
+	  LIBS=$lt_globsym_save_LIBS
+	  CFLAGS=$lt_globsym_save_CFLAGS
+	else
+	  echo "cannot find nm_test_func in $nlist" >&5
+	fi
+      else
+	echo "cannot find nm_test_var in $nlist" >&5
+      fi
+    else
+      echo "cannot run $lt_cv_sys_global_symbol_pipe" >&5
+    fi
+  else
+    echo "$progname: failed program was:" >&5
+    cat conftest.$ac_ext >&5
+  fi
+  rm -rf conftest* conftst*
+
+  # Do not use the global_symbol_pipe unless it works.
+  if test yes = "$pipe_works"; then
+    break
+  else
+    lt_cv_sys_global_symbol_pipe=
+  fi
+done
+
+fi
+
+if test -z "$lt_cv_sys_global_symbol_pipe"; then
+  lt_cv_sys_global_symbol_to_cdecl=
+fi
+if test -z "$lt_cv_sys_global_symbol_pipe$lt_cv_sys_global_symbol_to_cdecl"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: failed" >&5
+$as_echo "failed" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: ok" >&5
+$as_echo "ok" >&6; }
+fi
+
+# Response file support.
+if test "$lt_cv_nm_interface" = "MS dumpbin"; then
+  nm_file_list_spec='@'
+elif $NM --help 2>/dev/null | grep '[@]FILE' >/dev/null; then
+  nm_file_list_spec='@'
+fi
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for sysroot" >&5
+$as_echo_n "checking for sysroot... " >&6; }
+
+# Check whether --with-sysroot was given.
+if test "${with_sysroot+set}" = set; then :
+  withval=$with_sysroot;
+else
+  with_sysroot=no
+fi
+
+
+lt_sysroot=
+case $with_sysroot in #(
+ yes)
+   if test yes = "$GCC"; then
+     lt_sysroot=`$CC --print-sysroot 2>/dev/null`
+   fi
+   ;; #(
+ /*)
+   lt_sysroot=`echo "$with_sysroot" | sed -e "$sed_quote_subst"`
+   ;; #(
+ no|'')
+   ;; #(
+ *)
+   { $as_echo "$as_me:${as_lineno-$LINENO}: result: $with_sysroot" >&5
+$as_echo "$with_sysroot" >&6; }
+   as_fn_error $? "The sysroot must be an absolute path." "$LINENO" 5
+   ;;
+esac
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: ${lt_sysroot:-no}" >&5
+$as_echo "${lt_sysroot:-no}" >&6; }
+
+
+
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for a working dd" >&5
+$as_echo_n "checking for a working dd... " >&6; }
+if ${ac_cv_path_lt_DD+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  printf 0123456789abcdef0123456789abcdef >conftest.i
+cat conftest.i conftest.i >conftest2.i
+: ${lt_DD:=$DD}
+if test -z "$lt_DD"; then
+  ac_path_lt_DD_found=false
+  # Loop through the user's path and test for each of PROGNAME-LIST
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_prog in dd; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
+      ac_path_lt_DD="$as_dir/$ac_prog$ac_exec_ext"
+      as_fn_executable_p "$ac_path_lt_DD" || continue
+if "$ac_path_lt_DD" bs=32 count=1 <conftest2.i >conftest.out 2>/dev/null; then
+  cmp -s conftest.i conftest.out \
+  && ac_cv_path_lt_DD="$ac_path_lt_DD" ac_path_lt_DD_found=:
+fi
+      $ac_path_lt_DD_found && break 3
+    done
+  done
+  done
+IFS=$as_save_IFS
+  if test -z "$ac_cv_path_lt_DD"; then
+    :
+  fi
+else
+  ac_cv_path_lt_DD=$lt_DD
+fi
+
+rm -f conftest.i conftest2.i conftest.out
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_lt_DD" >&5
+$as_echo "$ac_cv_path_lt_DD" >&6; }
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to truncate binary pipes" >&5
+$as_echo_n "checking how to truncate binary pipes... " >&6; }
+if ${lt_cv_truncate_bin+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  printf 0123456789abcdef0123456789abcdef >conftest.i
+cat conftest.i conftest.i >conftest2.i
+lt_cv_truncate_bin=
+if "$ac_cv_path_lt_DD" bs=32 count=1 <conftest2.i >conftest.out 2>/dev/null; then
+  cmp -s conftest.i conftest.out \
+  && lt_cv_truncate_bin="$ac_cv_path_lt_DD bs=4096 count=1"
+fi
+rm -f conftest.i conftest2.i conftest.out
+test -z "$lt_cv_truncate_bin" && lt_cv_truncate_bin="$SED -e 4q"
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_truncate_bin" >&5
+$as_echo "$lt_cv_truncate_bin" >&6; }
+
+
+
+
+
+
+
+# Calculate cc_basename.  Skip known compiler wrappers and cross-prefix.
+func_cc_basename ()
+{
+    for cc_temp in $*""; do
+      case $cc_temp in
+        compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
+        distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
+        \-*) ;;
+        *) break;;
+      esac
+    done
+    func_cc_basename_result=`$ECHO "$cc_temp" | $SED "s%.*/%%; s%^$host_alias-%%"`
+}
+
+# Check whether --enable-libtool-lock was given.
+if test "${enable_libtool_lock+set}" = set; then :
+  enableval=$enable_libtool_lock;
+fi
+
+test no = "$enable_libtool_lock" || enable_libtool_lock=yes
+
+# Some flags need to be propagated to the compiler or linker for good
+# libtool support.
+case $host in
+ia64-*-hpux*)
+  # Find out what ABI is being produced by ac_compile, and set mode
+  # options accordingly.
+  echo 'int i;' > conftest.$ac_ext
+  if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+    case `/usr/bin/file conftest.$ac_objext` in
+      *ELF-32*)
+	HPUX_IA64_MODE=32
+	;;
+      *ELF-64*)
+	HPUX_IA64_MODE=64
+	;;
+    esac
+  fi
+  rm -rf conftest*
+  ;;
+*-*-irix6*)
+  # Find out what ABI is being produced by ac_compile, and set linker
+  # options accordingly.
+  echo '#line '$LINENO' "configure"' > conftest.$ac_ext
+  if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+    if test yes = "$lt_cv_prog_gnu_ld"; then
+      case `/usr/bin/file conftest.$ac_objext` in
+	*32-bit*)
+	  LD="${LD-ld} -melf32bsmip"
+	  ;;
+	*N32*)
+	  LD="${LD-ld} -melf32bmipn32"
+	  ;;
+	*64-bit*)
+	  LD="${LD-ld} -melf64bmip"
+	;;
+      esac
+    else
+      case `/usr/bin/file conftest.$ac_objext` in
+	*32-bit*)
+	  LD="${LD-ld} -32"
+	  ;;
+	*N32*)
+	  LD="${LD-ld} -n32"
+	  ;;
+	*64-bit*)
+	  LD="${LD-ld} -64"
+	  ;;
+      esac
+    fi
+  fi
+  rm -rf conftest*
+  ;;
+
+mips64*-*linux*)
+  # Find out what ABI is being produced by ac_compile, and set linker
+  # options accordingly.
+  echo '#line '$LINENO' "configure"' > conftest.$ac_ext
+  if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+    emul=elf
+    case `/usr/bin/file conftest.$ac_objext` in
+      *32-bit*)
+	emul="${emul}32"
+	;;
+      *64-bit*)
+	emul="${emul}64"
+	;;
+    esac
+    case `/usr/bin/file conftest.$ac_objext` in
+      *MSB*)
+	emul="${emul}btsmip"
+	;;
+      *LSB*)
+	emul="${emul}ltsmip"
+	;;
+    esac
+    case `/usr/bin/file conftest.$ac_objext` in
+      *N32*)
+	emul="${emul}n32"
+	;;
+    esac
+    LD="${LD-ld} -m $emul"
+  fi
+  rm -rf conftest*
+  ;;
+
+x86_64-*kfreebsd*-gnu|x86_64-*linux*|powerpc*-*linux*| \
+s390*-*linux*|s390*-*tpf*|sparc*-*linux*)
+  # Find out what ABI is being produced by ac_compile, and set linker
+  # options accordingly.  Note that the listed cases only cover the
+  # situations where additional linker options are needed (such as when
+  # doing 32-bit compilation for a host where ld defaults to 64-bit, or
+  # vice versa); the common cases where no linker options are needed do
+  # not appear in the list.
+  echo 'int i;' > conftest.$ac_ext
+  if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+    case `/usr/bin/file conftest.o` in
+      *32-bit*)
+	case $host in
+	  x86_64-*kfreebsd*-gnu)
+	    LD="${LD-ld} -m elf_i386_fbsd"
+	    ;;
+	  x86_64-*linux*)
+	    case `/usr/bin/file conftest.o` in
+	      *x86-64*)
+		LD="${LD-ld} -m elf32_x86_64"
+		;;
+	      *)
+		LD="${LD-ld} -m elf_i386"
+		;;
+	    esac
+	    ;;
+	  powerpc64le-*linux*)
+	    LD="${LD-ld} -m elf32lppclinux"
+	    ;;
+	  powerpc64-*linux*)
+	    LD="${LD-ld} -m elf32ppclinux"
+	    ;;
+	  s390x-*linux*)
+	    LD="${LD-ld} -m elf_s390"
+	    ;;
+	  sparc64-*linux*)
+	    LD="${LD-ld} -m elf32_sparc"
+	    ;;
+	esac
+	;;
+      *64-bit*)
+	case $host in
+	  x86_64-*kfreebsd*-gnu)
+	    LD="${LD-ld} -m elf_x86_64_fbsd"
+	    ;;
+	  x86_64-*linux*)
+	    LD="${LD-ld} -m elf_x86_64"
+	    ;;
+	  powerpcle-*linux*)
+	    LD="${LD-ld} -m elf64lppc"
+	    ;;
+	  powerpc-*linux*)
+	    LD="${LD-ld} -m elf64ppc"
+	    ;;
+	  s390*-*linux*|s390*-*tpf*)
+	    LD="${LD-ld} -m elf64_s390"
+	    ;;
+	  sparc*-*linux*)
+	    LD="${LD-ld} -m elf64_sparc"
+	    ;;
+	esac
+	;;
+    esac
+  fi
+  rm -rf conftest*
+  ;;
+
+*-*-sco3.2v5*)
+  # On SCO OpenServer 5, we need -belf to get full-featured binaries.
+  SAVE_CFLAGS=$CFLAGS
+  CFLAGS="$CFLAGS -belf"
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the C compiler needs -belf" >&5
+$as_echo_n "checking whether the C compiler needs -belf... " >&6; }
+if ${lt_cv_cc_needs_belf+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+     cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  lt_cv_cc_needs_belf=yes
+else
+  lt_cv_cc_needs_belf=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+     ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_cc_needs_belf" >&5
+$as_echo "$lt_cv_cc_needs_belf" >&6; }
+  if test yes != "$lt_cv_cc_needs_belf"; then
+    # this is probably gcc 2.8.0, egcs 1.0 or newer; no need for -belf
+    CFLAGS=$SAVE_CFLAGS
+  fi
+  ;;
+*-*solaris*)
+  # Find out what ABI is being produced by ac_compile, and set linker
+  # options accordingly.
+  echo 'int i;' > conftest.$ac_ext
+  if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+    case `/usr/bin/file conftest.o` in
+    *64-bit*)
+      case $lt_cv_prog_gnu_ld in
+      yes*)
+        case $host in
+        i?86-*-solaris*|x86_64-*-solaris*)
+          LD="${LD-ld} -m elf_x86_64"
+          ;;
+        sparc*-*-solaris*)
+          LD="${LD-ld} -m elf64_sparc"
+          ;;
+        esac
+        # GNU ld 2.21 introduced _sol2 emulations.  Use them if available.
+        if ${LD-ld} -V | grep _sol2 >/dev/null 2>&1; then
+          LD=${LD-ld}_sol2
+        fi
+        ;;
+      *)
+	if ${LD-ld} -64 -r -o conftest2.o conftest.o >/dev/null 2>&1; then
+	  LD="${LD-ld} -64"
+	fi
+	;;
+      esac
+      ;;
+    esac
+  fi
+  rm -rf conftest*
+  ;;
+esac
+
+need_locks=$enable_libtool_lock
+
+if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}mt", so it can be a program name with args.
+set dummy ${ac_tool_prefix}mt; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_MANIFEST_TOOL+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$MANIFEST_TOOL"; then
+  ac_cv_prog_MANIFEST_TOOL="$MANIFEST_TOOL" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_MANIFEST_TOOL="${ac_tool_prefix}mt"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+MANIFEST_TOOL=$ac_cv_prog_MANIFEST_TOOL
+if test -n "$MANIFEST_TOOL"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $MANIFEST_TOOL" >&5
+$as_echo "$MANIFEST_TOOL" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_prog_MANIFEST_TOOL"; then
+  ac_ct_MANIFEST_TOOL=$MANIFEST_TOOL
+  # Extract the first word of "mt", so it can be a program name with args.
+set dummy mt; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_ac_ct_MANIFEST_TOOL+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$ac_ct_MANIFEST_TOOL"; then
+  ac_cv_prog_ac_ct_MANIFEST_TOOL="$ac_ct_MANIFEST_TOOL" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_ac_ct_MANIFEST_TOOL="mt"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_MANIFEST_TOOL=$ac_cv_prog_ac_ct_MANIFEST_TOOL
+if test -n "$ac_ct_MANIFEST_TOOL"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_MANIFEST_TOOL" >&5
+$as_echo "$ac_ct_MANIFEST_TOOL" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+  if test "x$ac_ct_MANIFEST_TOOL" = x; then
+    MANIFEST_TOOL=":"
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
+ac_tool_warned=yes ;;
+esac
+    MANIFEST_TOOL=$ac_ct_MANIFEST_TOOL
+  fi
+else
+  MANIFEST_TOOL="$ac_cv_prog_MANIFEST_TOOL"
+fi
+
+test -z "$MANIFEST_TOOL" && MANIFEST_TOOL=mt
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if $MANIFEST_TOOL is a manifest tool" >&5
+$as_echo_n "checking if $MANIFEST_TOOL is a manifest tool... " >&6; }
+if ${lt_cv_path_mainfest_tool+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  lt_cv_path_mainfest_tool=no
+  echo "$as_me:$LINENO: $MANIFEST_TOOL '-?'" >&5
+  $MANIFEST_TOOL '-?' 2>conftest.err > conftest.out
+  cat conftest.err >&5
+  if $GREP 'Manifest Tool' conftest.out > /dev/null; then
+    lt_cv_path_mainfest_tool=yes
+  fi
+  rm -f conftest*
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_path_mainfest_tool" >&5
+$as_echo "$lt_cv_path_mainfest_tool" >&6; }
+if test yes != "$lt_cv_path_mainfest_tool"; then
+  MANIFEST_TOOL=:
+fi
+
+
+
+
+
+
+  case $host_os in
+    rhapsody* | darwin*)
+    if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}dsymutil", so it can be a program name with args.
+set dummy ${ac_tool_prefix}dsymutil; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_DSYMUTIL+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$DSYMUTIL"; then
+  ac_cv_prog_DSYMUTIL="$DSYMUTIL" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_DSYMUTIL="${ac_tool_prefix}dsymutil"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+DSYMUTIL=$ac_cv_prog_DSYMUTIL
+if test -n "$DSYMUTIL"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $DSYMUTIL" >&5
+$as_echo "$DSYMUTIL" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_prog_DSYMUTIL"; then
+  ac_ct_DSYMUTIL=$DSYMUTIL
+  # Extract the first word of "dsymutil", so it can be a program name with args.
+set dummy dsymutil; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_ac_ct_DSYMUTIL+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$ac_ct_DSYMUTIL"; then
+  ac_cv_prog_ac_ct_DSYMUTIL="$ac_ct_DSYMUTIL" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_ac_ct_DSYMUTIL="dsymutil"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_DSYMUTIL=$ac_cv_prog_ac_ct_DSYMUTIL
+if test -n "$ac_ct_DSYMUTIL"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_DSYMUTIL" >&5
+$as_echo "$ac_ct_DSYMUTIL" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+  if test "x$ac_ct_DSYMUTIL" = x; then
+    DSYMUTIL=":"
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
+ac_tool_warned=yes ;;
+esac
+    DSYMUTIL=$ac_ct_DSYMUTIL
+  fi
+else
+  DSYMUTIL="$ac_cv_prog_DSYMUTIL"
+fi
+
+    if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}nmedit", so it can be a program name with args.
+set dummy ${ac_tool_prefix}nmedit; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_NMEDIT+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$NMEDIT"; then
+  ac_cv_prog_NMEDIT="$NMEDIT" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_NMEDIT="${ac_tool_prefix}nmedit"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+NMEDIT=$ac_cv_prog_NMEDIT
+if test -n "$NMEDIT"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $NMEDIT" >&5
+$as_echo "$NMEDIT" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_prog_NMEDIT"; then
+  ac_ct_NMEDIT=$NMEDIT
+  # Extract the first word of "nmedit", so it can be a program name with args.
+set dummy nmedit; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_ac_ct_NMEDIT+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$ac_ct_NMEDIT"; then
+  ac_cv_prog_ac_ct_NMEDIT="$ac_ct_NMEDIT" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_ac_ct_NMEDIT="nmedit"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_NMEDIT=$ac_cv_prog_ac_ct_NMEDIT
+if test -n "$ac_ct_NMEDIT"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_NMEDIT" >&5
+$as_echo "$ac_ct_NMEDIT" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+  if test "x$ac_ct_NMEDIT" = x; then
+    NMEDIT=":"
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
+ac_tool_warned=yes ;;
+esac
+    NMEDIT=$ac_ct_NMEDIT
+  fi
+else
+  NMEDIT="$ac_cv_prog_NMEDIT"
+fi
+
+    if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}lipo", so it can be a program name with args.
+set dummy ${ac_tool_prefix}lipo; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_LIPO+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$LIPO"; then
+  ac_cv_prog_LIPO="$LIPO" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_LIPO="${ac_tool_prefix}lipo"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+LIPO=$ac_cv_prog_LIPO
+if test -n "$LIPO"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $LIPO" >&5
+$as_echo "$LIPO" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_prog_LIPO"; then
+  ac_ct_LIPO=$LIPO
+  # Extract the first word of "lipo", so it can be a program name with args.
+set dummy lipo; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_ac_ct_LIPO+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$ac_ct_LIPO"; then
+  ac_cv_prog_ac_ct_LIPO="$ac_ct_LIPO" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_ac_ct_LIPO="lipo"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_LIPO=$ac_cv_prog_ac_ct_LIPO
+if test -n "$ac_ct_LIPO"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_LIPO" >&5
+$as_echo "$ac_ct_LIPO" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+  if test "x$ac_ct_LIPO" = x; then
+    LIPO=":"
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
+ac_tool_warned=yes ;;
+esac
+    LIPO=$ac_ct_LIPO
+  fi
+else
+  LIPO="$ac_cv_prog_LIPO"
+fi
+
+    if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}otool", so it can be a program name with args.
+set dummy ${ac_tool_prefix}otool; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_OTOOL+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$OTOOL"; then
+  ac_cv_prog_OTOOL="$OTOOL" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_OTOOL="${ac_tool_prefix}otool"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+OTOOL=$ac_cv_prog_OTOOL
+if test -n "$OTOOL"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OTOOL" >&5
+$as_echo "$OTOOL" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_prog_OTOOL"; then
+  ac_ct_OTOOL=$OTOOL
+  # Extract the first word of "otool", so it can be a program name with args.
+set dummy otool; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_ac_ct_OTOOL+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$ac_ct_OTOOL"; then
+  ac_cv_prog_ac_ct_OTOOL="$ac_ct_OTOOL" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_ac_ct_OTOOL="otool"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_OTOOL=$ac_cv_prog_ac_ct_OTOOL
+if test -n "$ac_ct_OTOOL"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_OTOOL" >&5
+$as_echo "$ac_ct_OTOOL" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+  if test "x$ac_ct_OTOOL" = x; then
+    OTOOL=":"
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
+ac_tool_warned=yes ;;
+esac
+    OTOOL=$ac_ct_OTOOL
+  fi
+else
+  OTOOL="$ac_cv_prog_OTOOL"
+fi
+
+    if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}otool64", so it can be a program name with args.
+set dummy ${ac_tool_prefix}otool64; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_OTOOL64+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$OTOOL64"; then
+  ac_cv_prog_OTOOL64="$OTOOL64" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_OTOOL64="${ac_tool_prefix}otool64"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+OTOOL64=$ac_cv_prog_OTOOL64
+if test -n "$OTOOL64"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OTOOL64" >&5
+$as_echo "$OTOOL64" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_prog_OTOOL64"; then
+  ac_ct_OTOOL64=$OTOOL64
+  # Extract the first word of "otool64", so it can be a program name with args.
+set dummy otool64; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_ac_ct_OTOOL64+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$ac_ct_OTOOL64"; then
+  ac_cv_prog_ac_ct_OTOOL64="$ac_ct_OTOOL64" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_ac_ct_OTOOL64="otool64"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_OTOOL64=$ac_cv_prog_ac_ct_OTOOL64
+if test -n "$ac_ct_OTOOL64"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_OTOOL64" >&5
+$as_echo "$ac_ct_OTOOL64" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+  if test "x$ac_ct_OTOOL64" = x; then
+    OTOOL64=":"
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
+ac_tool_warned=yes ;;
+esac
+    OTOOL64=$ac_ct_OTOOL64
+  fi
+else
+  OTOOL64="$ac_cv_prog_OTOOL64"
+fi
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for -single_module linker flag" >&5
+$as_echo_n "checking for -single_module linker flag... " >&6; }
+if ${lt_cv_apple_cc_single_mod+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  lt_cv_apple_cc_single_mod=no
+      if test -z "$LT_MULTI_MODULE"; then
+	# By default we will add the -single_module flag. You can override
+	# by either setting the environment variable LT_MULTI_MODULE
+	# non-empty at configure time, or by adding -multi_module to the
+	# link flags.
+	rm -rf libconftest.dylib*
+	echo "int foo(void){return 1;}" > conftest.c
+	echo "$LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \
+-dynamiclib -Wl,-single_module conftest.c" >&5
+	$LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \
+	  -dynamiclib -Wl,-single_module conftest.c 2>conftest.err
+        _lt_result=$?
+	# If there is a non-empty error log, and "single_module"
+	# appears in it, assume the flag caused a linker warning
+        if test -s conftest.err && $GREP single_module conftest.err; then
+	  cat conftest.err >&5
+	# Otherwise, if the output was created with a 0 exit code from
+	# the compiler, it worked.
+	elif test -f libconftest.dylib && test 0 = "$_lt_result"; then
+	  lt_cv_apple_cc_single_mod=yes
+	else
+	  cat conftest.err >&5
+	fi
+	rm -rf libconftest.dylib*
+	rm -f conftest.*
+      fi
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_apple_cc_single_mod" >&5
+$as_echo "$lt_cv_apple_cc_single_mod" >&6; }
+
+    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for -exported_symbols_list linker flag" >&5
+$as_echo_n "checking for -exported_symbols_list linker flag... " >&6; }
+if ${lt_cv_ld_exported_symbols_list+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  lt_cv_ld_exported_symbols_list=no
+      save_LDFLAGS=$LDFLAGS
+      echo "_main" > conftest.sym
+      LDFLAGS="$LDFLAGS -Wl,-exported_symbols_list,conftest.sym"
+      cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  lt_cv_ld_exported_symbols_list=yes
+else
+  lt_cv_ld_exported_symbols_list=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+	LDFLAGS=$save_LDFLAGS
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_ld_exported_symbols_list" >&5
+$as_echo "$lt_cv_ld_exported_symbols_list" >&6; }
+
+    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for -force_load linker flag" >&5
+$as_echo_n "checking for -force_load linker flag... " >&6; }
+if ${lt_cv_ld_force_load+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  lt_cv_ld_force_load=no
+      cat > conftest.c << _LT_EOF
+int forced_loaded() { return 2;}
+_LT_EOF
+      echo "$LTCC $LTCFLAGS -c -o conftest.o conftest.c" >&5
+      $LTCC $LTCFLAGS -c -o conftest.o conftest.c 2>&5
+      echo "$AR cru libconftest.a conftest.o" >&5
+      $AR cru libconftest.a conftest.o 2>&5
+      echo "$RANLIB libconftest.a" >&5
+      $RANLIB libconftest.a 2>&5
+      cat > conftest.c << _LT_EOF
+int main() { return 0;}
+_LT_EOF
+      echo "$LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a" >&5
+      $LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a 2>conftest.err
+      _lt_result=$?
+      if test -s conftest.err && $GREP force_load conftest.err; then
+	cat conftest.err >&5
+      elif test -f conftest && test 0 = "$_lt_result" && $GREP forced_load conftest >/dev/null 2>&1; then
+	lt_cv_ld_force_load=yes
+      else
+	cat conftest.err >&5
+      fi
+        rm -f conftest.err libconftest.a conftest conftest.c
+        rm -rf conftest.dSYM
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_ld_force_load" >&5
+$as_echo "$lt_cv_ld_force_load" >&6; }
+    case $host_os in
+    rhapsody* | darwin1.[012])
+      _lt_dar_allow_undefined='$wl-undefined ${wl}suppress' ;;
+    darwin1.*)
+      _lt_dar_allow_undefined='$wl-flat_namespace $wl-undefined ${wl}suppress' ;;
+    darwin*)
+      case ${MACOSX_DEPLOYMENT_TARGET},$host in
+	10.[012],*|,*powerpc*)
+	  _lt_dar_allow_undefined='$wl-flat_namespace $wl-undefined ${wl}suppress' ;;
+	*)
+	  _lt_dar_allow_undefined='$wl-undefined ${wl}dynamic_lookup' ;;
+      esac
+    ;;
+  esac
+    if test yes = "$lt_cv_apple_cc_single_mod"; then
+      _lt_dar_single_mod='$single_module'
+    fi
+    if test yes = "$lt_cv_ld_exported_symbols_list"; then
+      _lt_dar_export_syms=' $wl-exported_symbols_list,$output_objdir/$libname-symbols.expsym'
+    else
+      _lt_dar_export_syms='~$NMEDIT -s $output_objdir/$libname-symbols.expsym $lib'
+    fi
+    if test : != "$DSYMUTIL" && test no = "$lt_cv_ld_force_load"; then
+      _lt_dsymutil='~$DSYMUTIL $lib || :'
+    else
+      _lt_dsymutil=
+    fi
+    ;;
+  esac
+
+# func_munge_path_list VARIABLE PATH
+# -----------------------------------
+# VARIABLE is name of variable containing _space_ separated list of
+# directories to be munged by the contents of PATH, which is string
+# having a format:
+# "DIR[:DIR]:"
+#       string "DIR[ DIR]" will be prepended to VARIABLE
+# ":DIR[:DIR]"
+#       string "DIR[ DIR]" will be appended to VARIABLE
+# "DIRP[:DIRP]::[DIRA:]DIRA"
+#       string "DIRP[ DIRP]" will be prepended to VARIABLE and string
+#       "DIRA[ DIRA]" will be appended to VARIABLE
+# "DIR[:DIR]"
+#       VARIABLE will be replaced by "DIR[ DIR]"
+func_munge_path_list ()
+{
+    case x$2 in
+    x)
+        ;;
+    *:)
+        eval $1=\"`$ECHO $2 | $SED 's/:/ /g'` \$$1\"
+        ;;
+    x:*)
+        eval $1=\"\$$1 `$ECHO $2 | $SED 's/:/ /g'`\"
+        ;;
+    *::*)
+        eval $1=\"\$$1\ `$ECHO $2 | $SED -e 's/.*:://' -e 's/:/ /g'`\"
+        eval $1=\"`$ECHO $2 | $SED -e 's/::.*//' -e 's/:/ /g'`\ \$$1\"
+        ;;
+    *)
+        eval $1=\"`$ECHO $2 | $SED 's/:/ /g'`\"
+        ;;
+    esac
+}
+
+for ac_header in dlfcn.h
+do :
+  ac_fn_c_check_header_compile "$LINENO" "dlfcn.h" "ac_cv_header_dlfcn_h" "$ac_includes_default
+"
+if test "x$ac_cv_header_dlfcn_h" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_DLFCN_H 1
+_ACEOF
+
+fi
+
+done
+
+
+
+
+
+# Set options
+
+
+
+        enable_dlopen=no
+
+
+  enable_win32_dll=no
+
+
+            # Check whether --enable-shared was given.
+if test "${enable_shared+set}" = set; then :
+  enableval=$enable_shared; p=${PACKAGE-default}
+    case $enableval in
+    yes) enable_shared=yes ;;
+    no) enable_shared=no ;;
+    *)
+      enable_shared=no
+      # Look at the argument we got.  We use all the common list separators.
+      lt_save_ifs=$IFS; IFS=$IFS$PATH_SEPARATOR,
+      for pkg in $enableval; do
+	IFS=$lt_save_ifs
+	if test "X$pkg" = "X$p"; then
+	  enable_shared=yes
+	fi
+      done
+      IFS=$lt_save_ifs
+      ;;
+    esac
+else
+  enable_shared=yes
+fi
+
+
+
+
+
+
+
+
+
+  # Check whether --enable-static was given.
+if test "${enable_static+set}" = set; then :
+  enableval=$enable_static; p=${PACKAGE-default}
+    case $enableval in
+    yes) enable_static=yes ;;
+    no) enable_static=no ;;
+    *)
+     enable_static=no
+      # Look at the argument we got.  We use all the common list separators.
+      lt_save_ifs=$IFS; IFS=$IFS$PATH_SEPARATOR,
+      for pkg in $enableval; do
+	IFS=$lt_save_ifs
+	if test "X$pkg" = "X$p"; then
+	  enable_static=yes
+	fi
+      done
+      IFS=$lt_save_ifs
+      ;;
+    esac
+else
+  enable_static=yes
+fi
+
+
+
+
+
+
+
+
+
+
+# Check whether --with-pic was given.
+if test "${with_pic+set}" = set; then :
+  withval=$with_pic; lt_p=${PACKAGE-default}
+    case $withval in
+    yes|no) pic_mode=$withval ;;
+    *)
+      pic_mode=default
+      # Look at the argument we got.  We use all the common list separators.
+      lt_save_ifs=$IFS; IFS=$IFS$PATH_SEPARATOR,
+      for lt_pkg in $withval; do
+	IFS=$lt_save_ifs
+	if test "X$lt_pkg" = "X$lt_p"; then
+	  pic_mode=yes
+	fi
+      done
+      IFS=$lt_save_ifs
+      ;;
+    esac
+else
+  pic_mode=default
+fi
+
+
+
+
+
+
+
+
+  # Check whether --enable-fast-install was given.
+if test "${enable_fast_install+set}" = set; then :
+  enableval=$enable_fast_install; p=${PACKAGE-default}
+    case $enableval in
+    yes) enable_fast_install=yes ;;
+    no) enable_fast_install=no ;;
+    *)
+      enable_fast_install=no
+      # Look at the argument we got.  We use all the common list separators.
+      lt_save_ifs=$IFS; IFS=$IFS$PATH_SEPARATOR,
+      for pkg in $enableval; do
+	IFS=$lt_save_ifs
+	if test "X$pkg" = "X$p"; then
+	  enable_fast_install=yes
+	fi
+      done
+      IFS=$lt_save_ifs
+      ;;
+    esac
+else
+  enable_fast_install=yes
+fi
+
+
+
+
+
+
+
+
+  shared_archive_member_spec=
+case $host,$enable_shared in
+power*-*-aix[5-9]*,yes)
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking which variant of shared library versioning to provide" >&5
+$as_echo_n "checking which variant of shared library versioning to provide... " >&6; }
+
+# Check whether --with-aix-soname was given.
+if test "${with_aix_soname+set}" = set; then :
+  withval=$with_aix_soname; case $withval in
+    aix|svr4|both)
+      ;;
+    *)
+      as_fn_error $? "Unknown argument to --with-aix-soname" "$LINENO" 5
+      ;;
+    esac
+    lt_cv_with_aix_soname=$with_aix_soname
+else
+  if ${lt_cv_with_aix_soname+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  lt_cv_with_aix_soname=aix
+fi
+
+    with_aix_soname=$lt_cv_with_aix_soname
+fi
+
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $with_aix_soname" >&5
+$as_echo "$with_aix_soname" >&6; }
+  if test aix != "$with_aix_soname"; then
+    # For the AIX way of multilib, we name the shared archive member
+    # based on the bitwidth used, traditionally 'shr.o' or 'shr_64.o',
+    # and 'shr.imp' or 'shr_64.imp', respectively, for the Import File.
+    # Even when GNU compilers ignore OBJECT_MODE but need '-maix64' flag,
+    # the AIX toolchain works better with OBJECT_MODE set (default 32).
+    if test 64 = "${OBJECT_MODE-32}"; then
+      shared_archive_member_spec=shr_64
+    else
+      shared_archive_member_spec=shr
+    fi
+  fi
+  ;;
+*)
+  with_aix_soname=aix
+  ;;
+esac
+
+
+
+
+
+
+
+
+
+
+# This can be used to rebuild libtool when needed
+LIBTOOL_DEPS=$ltmain
+
+# Always use our own libtool.
+LIBTOOL='$(SHELL) $(top_builddir)/libtool'
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+test -z "$LN_S" && LN_S="ln -s"
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+if test -n "${ZSH_VERSION+set}"; then
+   setopt NO_GLOB_SUBST
+fi
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for objdir" >&5
+$as_echo_n "checking for objdir... " >&6; }
+if ${lt_cv_objdir+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  rm -f .libs 2>/dev/null
+mkdir .libs 2>/dev/null
+if test -d .libs; then
+  lt_cv_objdir=.libs
+else
+  # MS-DOS does not allow filenames that begin with a dot.
+  lt_cv_objdir=_libs
+fi
+rmdir .libs 2>/dev/null
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_objdir" >&5
+$as_echo "$lt_cv_objdir" >&6; }
+objdir=$lt_cv_objdir
+
+
+
+
+
+cat >>confdefs.h <<_ACEOF
+#define LT_OBJDIR "$lt_cv_objdir/"
+_ACEOF
+
+
+
+
+case $host_os in
+aix3*)
+  # AIX sometimes has problems with the GCC collect2 program.  For some
+  # reason, if we set the COLLECT_NAMES environment variable, the problems
+  # vanish in a puff of smoke.
+  if test set != "${COLLECT_NAMES+set}"; then
+    COLLECT_NAMES=
+    export COLLECT_NAMES
+  fi
+  ;;
+esac
+
+# Global variables:
+ofile=libtool
+can_build_shared=yes
+
+# All known linkers require a '.a' archive for static linking (except MSVC,
+# which needs '.lib').
+libext=a
+
+with_gnu_ld=$lt_cv_prog_gnu_ld
+
+old_CC=$CC
+old_CFLAGS=$CFLAGS
+
+# Set sane defaults for various variables
+test -z "$CC" && CC=cc
+test -z "$LTCC" && LTCC=$CC
+test -z "$LTCFLAGS" && LTCFLAGS=$CFLAGS
+test -z "$LD" && LD=ld
+test -z "$ac_objext" && ac_objext=o
+
+func_cc_basename $compiler
+cc_basename=$func_cc_basename_result
+
+
+# Only perform the check for file, if the check method requires it
+test -z "$MAGIC_CMD" && MAGIC_CMD=file
+case $deplibs_check_method in
+file_magic*)
+  if test "$file_magic_cmd" = '$MAGIC_CMD'; then
+    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ${ac_tool_prefix}file" >&5
+$as_echo_n "checking for ${ac_tool_prefix}file... " >&6; }
+if ${lt_cv_path_MAGIC_CMD+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $MAGIC_CMD in
+[\\/*] |  ?:[\\/]*)
+  lt_cv_path_MAGIC_CMD=$MAGIC_CMD # Let the user override the test with a path.
+  ;;
+*)
+  lt_save_MAGIC_CMD=$MAGIC_CMD
+  lt_save_ifs=$IFS; IFS=$PATH_SEPARATOR
+  ac_dummy="/usr/bin$PATH_SEPARATOR$PATH"
+  for ac_dir in $ac_dummy; do
+    IFS=$lt_save_ifs
+    test -z "$ac_dir" && ac_dir=.
+    if test -f "$ac_dir/${ac_tool_prefix}file"; then
+      lt_cv_path_MAGIC_CMD=$ac_dir/"${ac_tool_prefix}file"
+      if test -n "$file_magic_test_file"; then
+	case $deplibs_check_method in
+	"file_magic "*)
+	  file_magic_regex=`expr "$deplibs_check_method" : "file_magic \(.*\)"`
+	  MAGIC_CMD=$lt_cv_path_MAGIC_CMD
+	  if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null |
+	    $EGREP "$file_magic_regex" > /dev/null; then
+	    :
+	  else
+	    cat <<_LT_EOF 1>&2
+
+*** Warning: the command libtool uses to detect shared libraries,
+*** $file_magic_cmd, produces output that libtool cannot recognize.
+*** The result is that libtool may fail to recognize shared libraries
+*** as such.  This will affect the creation of libtool libraries that
+*** depend on shared libraries, but programs linked with such libtool
+*** libraries will work regardless of this problem.  Nevertheless, you
+*** may want to report the problem to your system manager and/or to
+*** bug-libtool@gnu.org
+
+_LT_EOF
+	  fi ;;
+	esac
+      fi
+      break
+    fi
+  done
+  IFS=$lt_save_ifs
+  MAGIC_CMD=$lt_save_MAGIC_CMD
+  ;;
+esac
+fi
+
+MAGIC_CMD=$lt_cv_path_MAGIC_CMD
+if test -n "$MAGIC_CMD"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $MAGIC_CMD" >&5
+$as_echo "$MAGIC_CMD" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+
+
+
+if test -z "$lt_cv_path_MAGIC_CMD"; then
+  if test -n "$ac_tool_prefix"; then
+    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for file" >&5
+$as_echo_n "checking for file... " >&6; }
+if ${lt_cv_path_MAGIC_CMD+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $MAGIC_CMD in
+[\\/*] |  ?:[\\/]*)
+  lt_cv_path_MAGIC_CMD=$MAGIC_CMD # Let the user override the test with a path.
+  ;;
+*)
+  lt_save_MAGIC_CMD=$MAGIC_CMD
+  lt_save_ifs=$IFS; IFS=$PATH_SEPARATOR
+  ac_dummy="/usr/bin$PATH_SEPARATOR$PATH"
+  for ac_dir in $ac_dummy; do
+    IFS=$lt_save_ifs
+    test -z "$ac_dir" && ac_dir=.
+    if test -f "$ac_dir/file"; then
+      lt_cv_path_MAGIC_CMD=$ac_dir/"file"
+      if test -n "$file_magic_test_file"; then
+	case $deplibs_check_method in
+	"file_magic "*)
+	  file_magic_regex=`expr "$deplibs_check_method" : "file_magic \(.*\)"`
+	  MAGIC_CMD=$lt_cv_path_MAGIC_CMD
+	  if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null |
+	    $EGREP "$file_magic_regex" > /dev/null; then
+	    :
+	  else
+	    cat <<_LT_EOF 1>&2
+
+*** Warning: the command libtool uses to detect shared libraries,
+*** $file_magic_cmd, produces output that libtool cannot recognize.
+*** The result is that libtool may fail to recognize shared libraries
+*** as such.  This will affect the creation of libtool libraries that
+*** depend on shared libraries, but programs linked with such libtool
+*** libraries will work regardless of this problem.  Nevertheless, you
+*** may want to report the problem to your system manager and/or to
+*** bug-libtool@gnu.org
+
+_LT_EOF
+	  fi ;;
+	esac
+      fi
+      break
+    fi
+  done
+  IFS=$lt_save_ifs
+  MAGIC_CMD=$lt_save_MAGIC_CMD
+  ;;
+esac
+fi
+
+MAGIC_CMD=$lt_cv_path_MAGIC_CMD
+if test -n "$MAGIC_CMD"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $MAGIC_CMD" >&5
+$as_echo "$MAGIC_CMD" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+  else
+    MAGIC_CMD=:
+  fi
+fi
+
+  fi
+  ;;
+esac
+
+# Use C for the default configuration in the libtool script
+
+lt_save_CC=$CC
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+
+# Source file extension for C test sources.
+ac_ext=c
+
+# Object file extension for compiled C test sources.
+objext=o
+objext=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code="int some_variable = 0;"
+
+# Code to be used in simple link tests
+lt_simple_link_test_code='int main(){return(0);}'
+
+
+
+
+
+
+
+# If no C compiler was specified, use CC.
+LTCC=${LTCC-"$CC"}
+
+# If no C compiler flags were specified, use CFLAGS.
+LTCFLAGS=${LTCFLAGS-"$CFLAGS"}
+
+# Allow CC to be a program name with arguments.
+compiler=$CC
+
+# Save the default compiler, since it gets overwritten when the other
+# tags are being tested, and _LT_TAGVAR(compiler, []) is a NOP.
+compiler_DEFAULT=$CC
+
+# save warnings/boilerplate of simple test code
+ac_outfile=conftest.$ac_objext
+echo "$lt_simple_compile_test_code" >conftest.$ac_ext
+eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_compiler_boilerplate=`cat conftest.err`
+$RM conftest*
+
+ac_outfile=conftest.$ac_objext
+echo "$lt_simple_link_test_code" >conftest.$ac_ext
+eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_linker_boilerplate=`cat conftest.err`
+$RM -r conftest*
+
+
+## CAVEAT EMPTOR:
+## There is no encapsulation within the following macros, do not change
+## the running order or otherwise move them around unless you know exactly
+## what you are doing...
+if test -n "$compiler"; then
+
+lt_prog_compiler_no_builtin_flag=
+
+if test yes = "$GCC"; then
+  case $cc_basename in
+  nvcc*)
+    lt_prog_compiler_no_builtin_flag=' -Xcompiler -fno-builtin' ;;
+  *)
+    lt_prog_compiler_no_builtin_flag=' -fno-builtin' ;;
+  esac
+
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler supports -fno-rtti -fno-exceptions" >&5
+$as_echo_n "checking if $compiler supports -fno-rtti -fno-exceptions... " >&6; }
+if ${lt_cv_prog_compiler_rtti_exceptions+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  lt_cv_prog_compiler_rtti_exceptions=no
+   ac_outfile=conftest.$ac_objext
+   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
+   lt_compiler_flag="-fno-rtti -fno-exceptions"  ## exclude from sc_useless_quotes_in_assignment
+   # Insert the option either (1) after the last *FLAGS variable, or
+   # (2) before a word containing "conftest.", or (3) at the end.
+   # Note that $ac_compile itself does not contain backslashes and begins
+   # with a dollar sign (not a hyphen), so the echo should work correctly.
+   # The option is referenced via a variable to avoid confusing sed.
+   lt_compile=`echo "$ac_compile" | $SED \
+   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
+   -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+   -e 's:$: $lt_compiler_flag:'`
+   (eval echo "\"\$as_me:$LINENO: $lt_compile\"" >&5)
+   (eval "$lt_compile" 2>conftest.err)
+   ac_status=$?
+   cat conftest.err >&5
+   echo "$as_me:$LINENO: \$? = $ac_status" >&5
+   if (exit $ac_status) && test -s "$ac_outfile"; then
+     # The compiler can only warn and ignore the option if not recognized
+     # So say no if there are warnings other than the usual output.
+     $ECHO "$_lt_compiler_boilerplate" | $SED '/^$/d' >conftest.exp
+     $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+     if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
+       lt_cv_prog_compiler_rtti_exceptions=yes
+     fi
+   fi
+   $RM conftest*
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_compiler_rtti_exceptions" >&5
+$as_echo "$lt_cv_prog_compiler_rtti_exceptions" >&6; }
+
+if test yes = "$lt_cv_prog_compiler_rtti_exceptions"; then
+    lt_prog_compiler_no_builtin_flag="$lt_prog_compiler_no_builtin_flag -fno-rtti -fno-exceptions"
+else
+    :
+fi
+
+fi
+
+
+
+
+
+
+  lt_prog_compiler_wl=
+lt_prog_compiler_pic=
+lt_prog_compiler_static=
+
+
+  if test yes = "$GCC"; then
+    lt_prog_compiler_wl='-Wl,'
+    lt_prog_compiler_static='-static'
+
+    case $host_os in
+      aix*)
+      # All AIX code is PIC.
+      if test ia64 = "$host_cpu"; then
+	# AIX 5 now supports IA64 processor
+	lt_prog_compiler_static='-Bstatic'
+      fi
+      lt_prog_compiler_pic='-fPIC'
+      ;;
+
+    amigaos*)
+      case $host_cpu in
+      powerpc)
+            # see comment about AmigaOS4 .so support
+            lt_prog_compiler_pic='-fPIC'
+        ;;
+      m68k)
+            # FIXME: we need at least 68020 code to build shared libraries, but
+            # adding the '-m68020' flag to GCC prevents building anything better,
+            # like '-m68040'.
+            lt_prog_compiler_pic='-m68020 -resident32 -malways-restore-a4'
+        ;;
+      esac
+      ;;
+
+    beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
+      # PIC is the default for these OSes.
+      ;;
+
+    mingw* | cygwin* | pw32* | os2* | cegcc*)
+      # This hack is so that the source file can tell whether it is being
+      # built for inclusion in a dll (and should export symbols for example).
+      # Although the cygwin gcc ignores -fPIC, still need this for old-style
+      # (--disable-auto-import) libraries
+      lt_prog_compiler_pic='-DDLL_EXPORT'
+      case $host_os in
+      os2*)
+	lt_prog_compiler_static='$wl-static'
+	;;
+      esac
+      ;;
+
+    darwin* | rhapsody*)
+      # PIC is the default on this platform
+      # Common symbols not allowed in MH_DYLIB files
+      lt_prog_compiler_pic='-fno-common'
+      ;;
+
+    haiku*)
+      # PIC is the default for Haiku.
+      # The "-static" flag exists, but is broken.
+      lt_prog_compiler_static=
+      ;;
+
+    hpux*)
+      # PIC is the default for 64-bit PA HP-UX, but not for 32-bit
+      # PA HP-UX.  On IA64 HP-UX, PIC is the default but the pic flag
+      # sets the default TLS model and affects inlining.
+      case $host_cpu in
+      hppa*64*)
+	# +Z the default
+	;;
+      *)
+	lt_prog_compiler_pic='-fPIC'
+	;;
+      esac
+      ;;
+
+    interix[3-9]*)
+      # Interix 3.x gcc -fpic/-fPIC options generate broken code.
+      # Instead, we relocate shared libraries at runtime.
+      ;;
+
+    msdosdjgpp*)
+      # Just because we use GCC doesn't mean we suddenly get shared libraries
+      # on systems that don't support them.
+      lt_prog_compiler_can_build_shared=no
+      enable_shared=no
+      ;;
+
+    *nto* | *qnx*)
+      # QNX uses GNU C++, but need to define -shared option too, otherwise
+      # it will coredump.
+      lt_prog_compiler_pic='-fPIC -shared'
+      ;;
+
+    sysv4*MP*)
+      if test -d /usr/nec; then
+	lt_prog_compiler_pic=-Kconform_pic
+      fi
+      ;;
+
+    *)
+      lt_prog_compiler_pic='-fPIC'
+      ;;
+    esac
+
+    case $cc_basename in
+    nvcc*) # Cuda Compiler Driver 2.2
+      lt_prog_compiler_wl='-Xlinker '
+      if test -n "$lt_prog_compiler_pic"; then
+        lt_prog_compiler_pic="-Xcompiler $lt_prog_compiler_pic"
+      fi
+      ;;
+    esac
+  else
+    # PORTME Check for flag to pass linker flags through the system compiler.
+    case $host_os in
+    aix*)
+      lt_prog_compiler_wl='-Wl,'
+      if test ia64 = "$host_cpu"; then
+	# AIX 5 now supports IA64 processor
+	lt_prog_compiler_static='-Bstatic'
+      else
+	lt_prog_compiler_static='-bnso -bI:/lib/syscalls.exp'
+      fi
+      ;;
+
+    darwin* | rhapsody*)
+      # PIC is the default on this platform
+      # Common symbols not allowed in MH_DYLIB files
+      lt_prog_compiler_pic='-fno-common'
+      case $cc_basename in
+      nagfor*)
+        # NAG Fortran compiler
+        lt_prog_compiler_wl='-Wl,-Wl,,'
+        lt_prog_compiler_pic='-PIC'
+        lt_prog_compiler_static='-Bstatic'
+        ;;
+      esac
+      ;;
+
+    mingw* | cygwin* | pw32* | os2* | cegcc*)
+      # This hack is so that the source file can tell whether it is being
+      # built for inclusion in a dll (and should export symbols for example).
+      lt_prog_compiler_pic='-DDLL_EXPORT'
+      case $host_os in
+      os2*)
+	lt_prog_compiler_static='$wl-static'
+	;;
+      esac
+      ;;
+
+    hpux9* | hpux10* | hpux11*)
+      lt_prog_compiler_wl='-Wl,'
+      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
+      # not for PA HP-UX.
+      case $host_cpu in
+      hppa*64*|ia64*)
+	# +Z the default
+	;;
+      *)
+	lt_prog_compiler_pic='+Z'
+	;;
+      esac
+      # Is there a better lt_prog_compiler_static that works with the bundled CC?
+      lt_prog_compiler_static='$wl-a ${wl}archive'
+      ;;
+
+    irix5* | irix6* | nonstopux*)
+      lt_prog_compiler_wl='-Wl,'
+      # PIC (with -KPIC) is the default.
+      lt_prog_compiler_static='-non_shared'
+      ;;
+
+    linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
+      case $cc_basename in
+      # old Intel for x86_64, which still supported -KPIC.
+      ecc*)
+	lt_prog_compiler_wl='-Wl,'
+	lt_prog_compiler_pic='-KPIC'
+	lt_prog_compiler_static='-static'
+        ;;
+      # icc used to be incompatible with GCC.
+      # ICC 10 doesn't accept -KPIC any more.
+      icc* | ifort*)
+	lt_prog_compiler_wl='-Wl,'
+	lt_prog_compiler_pic='-fPIC'
+	lt_prog_compiler_static='-static'
+        ;;
+      # Lahey Fortran 8.1.
+      lf95*)
+	lt_prog_compiler_wl='-Wl,'
+	lt_prog_compiler_pic='--shared'
+	lt_prog_compiler_static='--static'
+	;;
+      nagfor*)
+	# NAG Fortran compiler
+	lt_prog_compiler_wl='-Wl,-Wl,,'
+	lt_prog_compiler_pic='-PIC'
+	lt_prog_compiler_static='-Bstatic'
+	;;
+      tcc*)
+	# Fabrice Bellard et al's Tiny C Compiler
+	lt_prog_compiler_wl='-Wl,'
+	lt_prog_compiler_pic='-fPIC'
+	lt_prog_compiler_static='-static'
+	;;
+      pgcc* | pgf77* | pgf90* | pgf95* | pgfortran*)
+        # Portland Group compilers (*not* the Pentium gcc compiler,
+	# which looks to be a dead project)
+	lt_prog_compiler_wl='-Wl,'
+	lt_prog_compiler_pic='-fpic'
+	lt_prog_compiler_static='-Bstatic'
+        ;;
+      ccc*)
+        lt_prog_compiler_wl='-Wl,'
+        # All Alpha code is PIC.
+        lt_prog_compiler_static='-non_shared'
+        ;;
+      xl* | bgxl* | bgf* | mpixl*)
+	# IBM XL C 8.0/Fortran 10.1, 11.1 on PPC and BlueGene
+	lt_prog_compiler_wl='-Wl,'
+	lt_prog_compiler_pic='-qpic'
+	lt_prog_compiler_static='-qstaticlink'
+	;;
+      *)
+	case `$CC -V 2>&1 | sed 5q` in
+	*Sun\ Ceres\ Fortran* | *Sun*Fortran*\ [1-7].* | *Sun*Fortran*\ 8.[0-3]*)
+	  # Sun Fortran 8.3 passes all unrecognized flags to the linker
+	  lt_prog_compiler_pic='-KPIC'
+	  lt_prog_compiler_static='-Bstatic'
+	  lt_prog_compiler_wl=''
+	  ;;
+	*Sun\ F* | *Sun*Fortran*)
+	  lt_prog_compiler_pic='-KPIC'
+	  lt_prog_compiler_static='-Bstatic'
+	  lt_prog_compiler_wl='-Qoption ld '
+	  ;;
+	*Sun\ C*)
+	  # Sun C 5.9
+	  lt_prog_compiler_pic='-KPIC'
+	  lt_prog_compiler_static='-Bstatic'
+	  lt_prog_compiler_wl='-Wl,'
+	  ;;
+        *Intel*\ [CF]*Compiler*)
+	  lt_prog_compiler_wl='-Wl,'
+	  lt_prog_compiler_pic='-fPIC'
+	  lt_prog_compiler_static='-static'
+	  ;;
+	*Portland\ Group*)
+	  lt_prog_compiler_wl='-Wl,'
+	  lt_prog_compiler_pic='-fpic'
+	  lt_prog_compiler_static='-Bstatic'
+	  ;;
+	esac
+	;;
+      esac
+      ;;
+
+    newsos6)
+      lt_prog_compiler_pic='-KPIC'
+      lt_prog_compiler_static='-Bstatic'
+      ;;
+
+    *nto* | *qnx*)
+      # QNX uses GNU C++, but need to define -shared option too, otherwise
+      # it will coredump.
+      lt_prog_compiler_pic='-fPIC -shared'
+      ;;
+
+    osf3* | osf4* | osf5*)
+      lt_prog_compiler_wl='-Wl,'
+      # All OSF/1 code is PIC.
+      lt_prog_compiler_static='-non_shared'
+      ;;
+
+    rdos*)
+      lt_prog_compiler_static='-non_shared'
+      ;;
+
+    solaris*)
+      lt_prog_compiler_pic='-KPIC'
+      lt_prog_compiler_static='-Bstatic'
+      case $cc_basename in
+      f77* | f90* | f95* | sunf77* | sunf90* | sunf95*)
+	lt_prog_compiler_wl='-Qoption ld ';;
+      *)
+	lt_prog_compiler_wl='-Wl,';;
+      esac
+      ;;
+
+    sunos4*)
+      lt_prog_compiler_wl='-Qoption ld '
+      lt_prog_compiler_pic='-PIC'
+      lt_prog_compiler_static='-Bstatic'
+      ;;
+
+    sysv4 | sysv4.2uw2* | sysv4.3*)
+      lt_prog_compiler_wl='-Wl,'
+      lt_prog_compiler_pic='-KPIC'
+      lt_prog_compiler_static='-Bstatic'
+      ;;
+
+    sysv4*MP*)
+      if test -d /usr/nec; then
+	lt_prog_compiler_pic='-Kconform_pic'
+	lt_prog_compiler_static='-Bstatic'
+      fi
+      ;;
+
+    sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
+      lt_prog_compiler_wl='-Wl,'
+      lt_prog_compiler_pic='-KPIC'
+      lt_prog_compiler_static='-Bstatic'
+      ;;
+
+    unicos*)
+      lt_prog_compiler_wl='-Wl,'
+      lt_prog_compiler_can_build_shared=no
+      ;;
+
+    uts4*)
+      lt_prog_compiler_pic='-pic'
+      lt_prog_compiler_static='-Bstatic'
+      ;;
+
+    *)
+      lt_prog_compiler_can_build_shared=no
+      ;;
+    esac
+  fi
+
+case $host_os in
+  # For platforms that do not support PIC, -DPIC is meaningless:
+  *djgpp*)
+    lt_prog_compiler_pic=
+    ;;
+  *)
+    lt_prog_compiler_pic="$lt_prog_compiler_pic -DPIC"
+    ;;
+esac
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $compiler option to produce PIC" >&5
+$as_echo_n "checking for $compiler option to produce PIC... " >&6; }
+if ${lt_cv_prog_compiler_pic+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  lt_cv_prog_compiler_pic=$lt_prog_compiler_pic
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_compiler_pic" >&5
+$as_echo "$lt_cv_prog_compiler_pic" >&6; }
+lt_prog_compiler_pic=$lt_cv_prog_compiler_pic
+
+#
+# Check to make sure the PIC flag actually works.
+#
+if test -n "$lt_prog_compiler_pic"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler PIC flag $lt_prog_compiler_pic works" >&5
+$as_echo_n "checking if $compiler PIC flag $lt_prog_compiler_pic works... " >&6; }
+if ${lt_cv_prog_compiler_pic_works+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  lt_cv_prog_compiler_pic_works=no
+   ac_outfile=conftest.$ac_objext
+   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
+   lt_compiler_flag="$lt_prog_compiler_pic -DPIC"  ## exclude from sc_useless_quotes_in_assignment
+   # Insert the option either (1) after the last *FLAGS variable, or
+   # (2) before a word containing "conftest.", or (3) at the end.
+   # Note that $ac_compile itself does not contain backslashes and begins
+   # with a dollar sign (not a hyphen), so the echo should work correctly.
+   # The option is referenced via a variable to avoid confusing sed.
+   lt_compile=`echo "$ac_compile" | $SED \
+   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
+   -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+   -e 's:$: $lt_compiler_flag:'`
+   (eval echo "\"\$as_me:$LINENO: $lt_compile\"" >&5)
+   (eval "$lt_compile" 2>conftest.err)
+   ac_status=$?
+   cat conftest.err >&5
+   echo "$as_me:$LINENO: \$? = $ac_status" >&5
+   if (exit $ac_status) && test -s "$ac_outfile"; then
+     # The compiler can only warn and ignore the option if not recognized
+     # So say no if there are warnings other than the usual output.
+     $ECHO "$_lt_compiler_boilerplate" | $SED '/^$/d' >conftest.exp
+     $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+     if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
+       lt_cv_prog_compiler_pic_works=yes
+     fi
+   fi
+   $RM conftest*
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_compiler_pic_works" >&5
+$as_echo "$lt_cv_prog_compiler_pic_works" >&6; }
+
+if test yes = "$lt_cv_prog_compiler_pic_works"; then
+    case $lt_prog_compiler_pic in
+     "" | " "*) ;;
+     *) lt_prog_compiler_pic=" $lt_prog_compiler_pic" ;;
+     esac
+else
+    lt_prog_compiler_pic=
+     lt_prog_compiler_can_build_shared=no
+fi
+
+fi
+
+
+
+
+
+
+
+
+
+
+
+#
+# Check to make sure the static flag actually works.
+#
+wl=$lt_prog_compiler_wl eval lt_tmp_static_flag=\"$lt_prog_compiler_static\"
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler static flag $lt_tmp_static_flag works" >&5
+$as_echo_n "checking if $compiler static flag $lt_tmp_static_flag works... " >&6; }
+if ${lt_cv_prog_compiler_static_works+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  lt_cv_prog_compiler_static_works=no
+   save_LDFLAGS=$LDFLAGS
+   LDFLAGS="$LDFLAGS $lt_tmp_static_flag"
+   echo "$lt_simple_link_test_code" > conftest.$ac_ext
+   if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
+     # The linker can only warn and ignore the option if not recognized
+     # So say no if there are warnings
+     if test -s conftest.err; then
+       # Append any errors to the config.log.
+       cat conftest.err 1>&5
+       $ECHO "$_lt_linker_boilerplate" | $SED '/^$/d' > conftest.exp
+       $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+       if diff conftest.exp conftest.er2 >/dev/null; then
+         lt_cv_prog_compiler_static_works=yes
+       fi
+     else
+       lt_cv_prog_compiler_static_works=yes
+     fi
+   fi
+   $RM -r conftest*
+   LDFLAGS=$save_LDFLAGS
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_compiler_static_works" >&5
+$as_echo "$lt_cv_prog_compiler_static_works" >&6; }
+
+if test yes = "$lt_cv_prog_compiler_static_works"; then
+    :
+else
+    lt_prog_compiler_static=
+fi
+
+
+
+
+
+
+
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler supports -c -o file.$ac_objext" >&5
+$as_echo_n "checking if $compiler supports -c -o file.$ac_objext... " >&6; }
+if ${lt_cv_prog_compiler_c_o+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  lt_cv_prog_compiler_c_o=no
+   $RM -r conftest 2>/dev/null
+   mkdir conftest
+   cd conftest
+   mkdir out
+   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+   lt_compiler_flag="-o out/conftest2.$ac_objext"
+   # Insert the option either (1) after the last *FLAGS variable, or
+   # (2) before a word containing "conftest.", or (3) at the end.
+   # Note that $ac_compile itself does not contain backslashes and begins
+   # with a dollar sign (not a hyphen), so the echo should work correctly.
+   lt_compile=`echo "$ac_compile" | $SED \
+   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
+   -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+   -e 's:$: $lt_compiler_flag:'`
+   (eval echo "\"\$as_me:$LINENO: $lt_compile\"" >&5)
+   (eval "$lt_compile" 2>out/conftest.err)
+   ac_status=$?
+   cat out/conftest.err >&5
+   echo "$as_me:$LINENO: \$? = $ac_status" >&5
+   if (exit $ac_status) && test -s out/conftest2.$ac_objext
+   then
+     # The compiler can only warn and ignore the option if not recognized
+     # So say no if there are warnings
+     $ECHO "$_lt_compiler_boilerplate" | $SED '/^$/d' > out/conftest.exp
+     $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2
+     if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then
+       lt_cv_prog_compiler_c_o=yes
+     fi
+   fi
+   chmod u+w . 2>&5
+   $RM conftest*
+   # SGI C++ compiler will create directory out/ii_files/ for
+   # template instantiation
+   test -d out/ii_files && $RM out/ii_files/* && rmdir out/ii_files
+   $RM out/* && rmdir out
+   cd ..
+   $RM -r conftest
+   $RM conftest*
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_compiler_c_o" >&5
+$as_echo "$lt_cv_prog_compiler_c_o" >&6; }
+
+
+
+
+
+
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler supports -c -o file.$ac_objext" >&5
+$as_echo_n "checking if $compiler supports -c -o file.$ac_objext... " >&6; }
+if ${lt_cv_prog_compiler_c_o+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  lt_cv_prog_compiler_c_o=no
+   $RM -r conftest 2>/dev/null
+   mkdir conftest
+   cd conftest
+   mkdir out
+   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+   lt_compiler_flag="-o out/conftest2.$ac_objext"
+   # Insert the option either (1) after the last *FLAGS variable, or
+   # (2) before a word containing "conftest.", or (3) at the end.
+   # Note that $ac_compile itself does not contain backslashes and begins
+   # with a dollar sign (not a hyphen), so the echo should work correctly.
+   lt_compile=`echo "$ac_compile" | $SED \
+   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
+   -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+   -e 's:$: $lt_compiler_flag:'`
+   (eval echo "\"\$as_me:$LINENO: $lt_compile\"" >&5)
+   (eval "$lt_compile" 2>out/conftest.err)
+   ac_status=$?
+   cat out/conftest.err >&5
+   echo "$as_me:$LINENO: \$? = $ac_status" >&5
+   if (exit $ac_status) && test -s out/conftest2.$ac_objext
+   then
+     # The compiler can only warn and ignore the option if not recognized
+     # So say no if there are warnings
+     $ECHO "$_lt_compiler_boilerplate" | $SED '/^$/d' > out/conftest.exp
+     $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2
+     if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then
+       lt_cv_prog_compiler_c_o=yes
+     fi
+   fi
+   chmod u+w . 2>&5
+   $RM conftest*
+   # SGI C++ compiler will create directory out/ii_files/ for
+   # template instantiation
+   test -d out/ii_files && $RM out/ii_files/* && rmdir out/ii_files
+   $RM out/* && rmdir out
+   cd ..
+   $RM -r conftest
+   $RM conftest*
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_compiler_c_o" >&5
+$as_echo "$lt_cv_prog_compiler_c_o" >&6; }
+
+
+
+
+hard_links=nottested
+if test no = "$lt_cv_prog_compiler_c_o" && test no != "$need_locks"; then
+  # do not overwrite the value of need_locks provided by the user
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking if we can lock with hard links" >&5
+$as_echo_n "checking if we can lock with hard links... " >&6; }
+  hard_links=yes
+  $RM conftest*
+  ln conftest.a conftest.b 2>/dev/null && hard_links=no
+  touch conftest.a
+  ln conftest.a conftest.b 2>&5 || hard_links=no
+  ln conftest.a conftest.b 2>/dev/null && hard_links=no
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $hard_links" >&5
+$as_echo "$hard_links" >&6; }
+  if test no = "$hard_links"; then
+    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: '$CC' does not support '-c -o', so 'make -j' may be unsafe" >&5
+$as_echo "$as_me: WARNING: '$CC' does not support '-c -o', so 'make -j' may be unsafe" >&2;}
+    need_locks=warn
+  fi
+else
+  need_locks=no
+fi
+
+
+
+
+
+
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the $compiler linker ($LD) supports shared libraries" >&5
+$as_echo_n "checking whether the $compiler linker ($LD) supports shared libraries... " >&6; }
+
+  runpath_var=
+  allow_undefined_flag=
+  always_export_symbols=no
+  archive_cmds=
+  archive_expsym_cmds=
+  compiler_needs_object=no
+  enable_shared_with_static_runtimes=no
+  export_dynamic_flag_spec=
+  export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
+  hardcode_automatic=no
+  hardcode_direct=no
+  hardcode_direct_absolute=no
+  hardcode_libdir_flag_spec=
+  hardcode_libdir_separator=
+  hardcode_minus_L=no
+  hardcode_shlibpath_var=unsupported
+  inherit_rpath=no
+  link_all_deplibs=unknown
+  module_cmds=
+  module_expsym_cmds=
+  old_archive_from_new_cmds=
+  old_archive_from_expsyms_cmds=
+  thread_safe_flag_spec=
+  whole_archive_flag_spec=
+  # include_expsyms should be a list of space-separated symbols to be *always*
+  # included in the symbol list
+  include_expsyms=
+  # exclude_expsyms can be an extended regexp of symbols to exclude
+  # it will be wrapped by ' (' and ')$', so one must not match beginning or
+  # end of line.  Example: 'a|bc|.*d.*' will exclude the symbols 'a' and 'bc',
+  # as well as any symbol that contains 'd'.
+  exclude_expsyms='_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*'
+  # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out
+  # platforms (ab)use it in PIC code, but their linkers get confused if
+  # the symbol is explicitly referenced.  Since portable code cannot
+  # rely on this symbol name, it's probably fine to never include it in
+  # preloaded symbol tables.
+  # Exclude shared library initialization/finalization symbols.
+  extract_expsyms_cmds=
+
+  case $host_os in
+  cygwin* | mingw* | pw32* | cegcc*)
+    # FIXME: the MSVC++ port hasn't been tested in a loooong time
+    # When not using gcc, we currently assume that we are using
+    # Microsoft Visual C++.
+    if test yes != "$GCC"; then
+      with_gnu_ld=no
+    fi
+    ;;
+  interix*)
+    # we just hope/assume this is gcc and not c89 (= MSVC++)
+    with_gnu_ld=yes
+    ;;
+  openbsd* | bitrig*)
+    with_gnu_ld=no
+    ;;
+  esac
+
+  ld_shlibs=yes
+
+  # On some targets, GNU ld is compatible enough with the native linker
+  # that we're better off using the native interface for both.
+  lt_use_gnu_ld_interface=no
+  if test yes = "$with_gnu_ld"; then
+    case $host_os in
+      aix*)
+	# The AIX port of GNU ld has always aspired to compatibility
+	# with the native linker.  However, as the warning in the GNU ld
+	# block says, versions before 2.19.5* couldn't really create working
+	# shared libraries, regardless of the interface used.
+	case `$LD -v 2>&1` in
+	  *\ \(GNU\ Binutils\)\ 2.19.5*) ;;
+	  *\ \(GNU\ Binutils\)\ 2.[2-9]*) ;;
+	  *\ \(GNU\ Binutils\)\ [3-9]*) ;;
+	  *)
+	    lt_use_gnu_ld_interface=yes
+	    ;;
+	esac
+	;;
+      *)
+	lt_use_gnu_ld_interface=yes
+	;;
+    esac
+  fi
+
+  if test yes = "$lt_use_gnu_ld_interface"; then
+    # If archive_cmds runs LD, not CC, wlarc should be empty
+    wlarc='$wl'
+
+    # Set some defaults for GNU ld with shared library support. These
+    # are reset later if shared libraries are not supported. Putting them
+    # here allows them to be overridden if necessary.
+    runpath_var=LD_RUN_PATH
+    hardcode_libdir_flag_spec='$wl-rpath $wl$libdir'
+    export_dynamic_flag_spec='$wl--export-dynamic'
+    # ancient GNU ld didn't support --whole-archive et. al.
+    if $LD --help 2>&1 | $GREP 'no-whole-archive' > /dev/null; then
+      whole_archive_flag_spec=$wlarc'--whole-archive$convenience '$wlarc'--no-whole-archive'
+    else
+      whole_archive_flag_spec=
+    fi
+    supports_anon_versioning=no
+    case `$LD -v | $SED -e 's/(^)\+)\s\+//' 2>&1` in
+      *GNU\ gold*) supports_anon_versioning=yes ;;
+      *\ [01].* | *\ 2.[0-9].* | *\ 2.10.*) ;; # catch versions < 2.11
+      *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
+      *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
+      *\ 2.11.*) ;; # other 2.11 versions
+      *) supports_anon_versioning=yes ;;
+    esac
+
+    # See if GNU ld supports shared libraries.
+    case $host_os in
+    aix[3-9]*)
+      # On AIX/PPC, the GNU linker is very broken
+      if test ia64 != "$host_cpu"; then
+	ld_shlibs=no
+	cat <<_LT_EOF 1>&2
+
+*** Warning: the GNU linker, at least up to release 2.19, is reported
+*** to be unable to reliably create shared libraries on AIX.
+*** Therefore, libtool is disabling shared libraries support.  If you
+*** really care for shared libraries, you may want to install binutils
+*** 2.20 or above, or modify your PATH so that a non-GNU linker is found.
+*** You will then need to restart the configuration process.
+
+_LT_EOF
+      fi
+      ;;
+
+    amigaos*)
+      case $host_cpu in
+      powerpc)
+            # see comment about AmigaOS4 .so support
+            archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib'
+            archive_expsym_cmds=''
+        ;;
+      m68k)
+            archive_cmds='$RM $output_objdir/a2ixlibrary.data~$ECHO "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$ECHO "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$ECHO "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$ECHO "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
+            hardcode_libdir_flag_spec='-L$libdir'
+            hardcode_minus_L=yes
+        ;;
+      esac
+      ;;
+
+    beos*)
+      if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
+	allow_undefined_flag=unsupported
+	# Joseph Beckenbach <jrb3@best.com> says some releases of gcc
+	# support --undefined.  This deserves some investigation.  FIXME
+	archive_cmds='$CC -nostart $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib'
+      else
+	ld_shlibs=no
+      fi
+      ;;
+
+    cygwin* | mingw* | pw32* | cegcc*)
+      # _LT_TAGVAR(hardcode_libdir_flag_spec, ) is actually meaningless,
+      # as there is no search path for DLLs.
+      hardcode_libdir_flag_spec='-L$libdir'
+      export_dynamic_flag_spec='$wl--export-all-symbols'
+      allow_undefined_flag=unsupported
+      always_export_symbols=no
+      enable_shared_with_static_runtimes=yes
+      export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1 DATA/;s/^.*[ ]__nm__\([^ ]*\)[ ][^ ]*/\1 DATA/;/^I[ ]/d;/^[AITW][ ]/s/.* //'\'' | sort | uniq > $export_symbols'
+      exclude_expsyms='[_]+GLOBAL_OFFSET_TABLE_|[_]+GLOBAL__[FID]_.*|[_]+head_[A-Za-z0-9_]+_dll|[A-Za-z0-9_]+_dll_iname'
+
+      if $LD --help 2>&1 | $GREP 'auto-import' > /dev/null; then
+        archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname $wl--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+	# If the export-symbols file already is a .def file, use it as
+	# is; otherwise, prepend EXPORTS...
+	archive_expsym_cmds='if   test DEF = "`$SED -n     -e '\''s/^[	 ]*//'\''     -e '\''/^\(;.*\)*$/d'\''     -e '\''s/^\(EXPORTS\|LIBRARY\)\([	 ].*\)*$/DEF/p'\''     -e q     $export_symbols`" ; then
+          cp $export_symbols $output_objdir/$soname.def;
+        else
+          echo EXPORTS > $output_objdir/$soname.def;
+          cat $export_symbols >> $output_objdir/$soname.def;
+        fi~
+        $CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname $wl--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+      else
+	ld_shlibs=no
+      fi
+      ;;
+
+    haiku*)
+      archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib'
+      link_all_deplibs=yes
+      ;;
+
+    os2*)
+      hardcode_libdir_flag_spec='-L$libdir'
+      hardcode_minus_L=yes
+      allow_undefined_flag=unsupported
+      shrext_cmds=.dll
+      archive_cmds='$ECHO "LIBRARY ${soname%$shared_ext} INITINSTANCE TERMINSTANCE" > $output_objdir/$libname.def~
+	$ECHO "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~
+	$ECHO "DATA MULTIPLE NONSHARED" >> $output_objdir/$libname.def~
+	$ECHO EXPORTS >> $output_objdir/$libname.def~
+	emxexp $libobjs | $SED /"_DLL_InitTerm"/d >> $output_objdir/$libname.def~
+	$CC -Zdll -Zcrtdll -o $output_objdir/$soname $libobjs $deplibs $compiler_flags $output_objdir/$libname.def~
+	emximp -o $lib $output_objdir/$libname.def'
+      archive_expsym_cmds='$ECHO "LIBRARY ${soname%$shared_ext} INITINSTANCE TERMINSTANCE" > $output_objdir/$libname.def~
+	$ECHO "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~
+	$ECHO "DATA MULTIPLE NONSHARED" >> $output_objdir/$libname.def~
+	$ECHO EXPORTS >> $output_objdir/$libname.def~
+	prefix_cmds="$SED"~
+	if test EXPORTS = "`$SED 1q $export_symbols`"; then
+	  prefix_cmds="$prefix_cmds -e 1d";
+	fi~
+	prefix_cmds="$prefix_cmds -e \"s/^\(.*\)$/_\1/g\""~
+	cat $export_symbols | $prefix_cmds >> $output_objdir/$libname.def~
+	$CC -Zdll -Zcrtdll -o $output_objdir/$soname $libobjs $deplibs $compiler_flags $output_objdir/$libname.def~
+	emximp -o $lib $output_objdir/$libname.def'
+      old_archive_From_new_cmds='emximp -o $output_objdir/${libname}_dll.a $output_objdir/$libname.def'
+      enable_shared_with_static_runtimes=yes
+      ;;
+
+    interix[3-9]*)
+      hardcode_direct=no
+      hardcode_shlibpath_var=no
+      hardcode_libdir_flag_spec='$wl-rpath,$libdir'
+      export_dynamic_flag_spec='$wl-E'
+      # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
+      # Instead, shared libraries are loaded at an image base (0x10000000 by
+      # default) and relocated if they conflict, which is a slow very memory
+      # consuming and fragmenting process.  To avoid this, we pick a random,
+      # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
+      # time.  Moving up from 0x10000000 also allows more sbrk(2) space.
+      archive_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-h,$soname $wl--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+      archive_expsym_cmds='sed "s|^|_|" $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-h,$soname $wl--retain-symbols-file,$output_objdir/$soname.expsym $wl--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+      ;;
+
+    gnu* | linux* | tpf* | k*bsd*-gnu | kopensolaris*-gnu)
+      tmp_diet=no
+      if test linux-dietlibc = "$host_os"; then
+	case $cc_basename in
+	  diet\ *) tmp_diet=yes;;	# linux-dietlibc with static linking (!diet-dyn)
+	esac
+      fi
+      if $LD --help 2>&1 | $EGREP ': supported targets:.* elf' > /dev/null \
+	 && test no = "$tmp_diet"
+      then
+	tmp_addflag=' $pic_flag'
+	tmp_sharedflag='-shared'
+	case $cc_basename,$host_cpu in
+        pgcc*)				# Portland Group C compiler
+	  whole_archive_flag_spec='$wl--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` $wl--no-whole-archive'
+	  tmp_addflag=' $pic_flag'
+	  ;;
+	pgf77* | pgf90* | pgf95* | pgfortran*)
+					# Portland Group f77 and f90 compilers
+	  whole_archive_flag_spec='$wl--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` $wl--no-whole-archive'
+	  tmp_addflag=' $pic_flag -Mnomain' ;;
+	ecc*,ia64* | icc*,ia64*)	# Intel C compiler on ia64
+	  tmp_addflag=' -i_dynamic' ;;
+	efc*,ia64* | ifort*,ia64*)	# Intel Fortran compiler on ia64
+	  tmp_addflag=' -i_dynamic -nofor_main' ;;
+	ifc* | ifort*)			# Intel Fortran compiler
+	  tmp_addflag=' -nofor_main' ;;
+	lf95*)				# Lahey Fortran 8.1
+	  whole_archive_flag_spec=
+	  tmp_sharedflag='--shared' ;;
+        nagfor*)                        # NAGFOR 5.3
+          tmp_sharedflag='-Wl,-shared' ;;
+	xl[cC]* | bgxl[cC]* | mpixl[cC]*) # IBM XL C 8.0 on PPC (deal with xlf below)
+	  tmp_sharedflag='-qmkshrobj'
+	  tmp_addflag= ;;
+	nvcc*)	# Cuda Compiler Driver 2.2
+	  whole_archive_flag_spec='$wl--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` $wl--no-whole-archive'
+	  compiler_needs_object=yes
+	  ;;
+	esac
+	case `$CC -V 2>&1 | sed 5q` in
+	*Sun\ C*)			# Sun C 5.9
+	  whole_archive_flag_spec='$wl--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` $wl--no-whole-archive'
+	  compiler_needs_object=yes
+	  tmp_sharedflag='-G' ;;
+	*Sun\ F*)			# Sun Fortran 8.3
+	  tmp_sharedflag='-G' ;;
+	esac
+	archive_cmds='$CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib'
+
+        if test yes = "$supports_anon_versioning"; then
+          archive_expsym_cmds='echo "{ global:" > $output_objdir/$libname.ver~
+            cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
+            echo "local: *; };" >> $output_objdir/$libname.ver~
+            $CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags $wl-soname $wl$soname $wl-version-script $wl$output_objdir/$libname.ver -o $lib'
+        fi
+
+	case $cc_basename in
+	tcc*)
+	  export_dynamic_flag_spec='-rdynamic'
+	  ;;
+	xlf* | bgf* | bgxlf* | mpixlf*)
+	  # IBM XL Fortran 10.1 on PPC cannot create shared libs itself
+	  whole_archive_flag_spec='--whole-archive$convenience --no-whole-archive'
+	  hardcode_libdir_flag_spec='$wl-rpath $wl$libdir'
+	  archive_cmds='$LD -shared $libobjs $deplibs $linker_flags -soname $soname -o $lib'
+	  if test yes = "$supports_anon_versioning"; then
+	    archive_expsym_cmds='echo "{ global:" > $output_objdir/$libname.ver~
+              cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
+              echo "local: *; };" >> $output_objdir/$libname.ver~
+              $LD -shared $libobjs $deplibs $linker_flags -soname $soname -version-script $output_objdir/$libname.ver -o $lib'
+	  fi
+	  ;;
+	esac
+      else
+        ld_shlibs=no
+      fi
+      ;;
+
+    netbsd*)
+      if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
+	archive_cmds='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
+	wlarc=
+      else
+	archive_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib'
+	archive_expsym_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname $wl-retain-symbols-file $wl$export_symbols -o $lib'
+      fi
+      ;;
+
+    solaris*)
+      if $LD -v 2>&1 | $GREP 'BFD 2\.8' > /dev/null; then
+	ld_shlibs=no
+	cat <<_LT_EOF 1>&2
+
+*** Warning: The releases 2.8.* of the GNU linker cannot reliably
+*** create shared libraries on Solaris systems.  Therefore, libtool
+*** is disabling shared libraries support.  We urge you to upgrade GNU
+*** binutils to release 2.9.1 or newer.  Another option is to modify
+*** your PATH or compiler configuration so that the native linker is
+*** used, and then restart.
+
+_LT_EOF
+      elif $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
+	archive_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib'
+	archive_expsym_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname $wl-retain-symbols-file $wl$export_symbols -o $lib'
+      else
+	ld_shlibs=no
+      fi
+      ;;
+
+    sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*)
+      case `$LD -v 2>&1` in
+        *\ [01].* | *\ 2.[0-9].* | *\ 2.1[0-5].*)
+	ld_shlibs=no
+	cat <<_LT_EOF 1>&2
+
+*** Warning: Releases of the GNU linker prior to 2.16.91.0.3 cannot
+*** reliably create shared libraries on SCO systems.  Therefore, libtool
+*** is disabling shared libraries support.  We urge you to upgrade GNU
+*** binutils to release 2.16.91.0.3 or newer.  Another option is to modify
+*** your PATH or compiler configuration so that the native linker is
+*** used, and then restart.
+
+_LT_EOF
+	;;
+	*)
+	  # For security reasons, it is highly recommended that you always
+	  # use absolute paths for naming shared libraries, and exclude the
+	  # DT_RUNPATH tag from executables and libraries.  But doing so
+	  # requires that you compile everything twice, which is a pain.
+	  if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
+	    hardcode_libdir_flag_spec='$wl-rpath $wl$libdir'
+	    archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib'
+	    archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags $wl-soname $wl$soname $wl-retain-symbols-file $wl$export_symbols -o $lib'
+	  else
+	    ld_shlibs=no
+	  fi
+	;;
+      esac
+      ;;
+
+    sunos4*)
+      archive_cmds='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+      wlarc=
+      hardcode_direct=yes
+      hardcode_shlibpath_var=no
+      ;;
+
+    *)
+      if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
+	archive_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib'
+	archive_expsym_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname $wl-retain-symbols-file $wl$export_symbols -o $lib'
+      else
+	ld_shlibs=no
+      fi
+      ;;
+    esac
+
+    if test no = "$ld_shlibs"; then
+      runpath_var=
+      hardcode_libdir_flag_spec=
+      export_dynamic_flag_spec=
+      whole_archive_flag_spec=
+    fi
+  else
+    # PORTME fill in a description of your system's linker (not GNU ld)
+    case $host_os in
+    aix3*)
+      allow_undefined_flag=unsupported
+      always_export_symbols=yes
+      archive_expsym_cmds='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname'
+      # Note: this linker hardcodes the directories in LIBPATH if there
+      # are no directories specified by -L.
+      hardcode_minus_L=yes
+      if test yes = "$GCC" && test -z "$lt_prog_compiler_static"; then
+	# Neither direct hardcoding nor static linking is supported with a
+	# broken collect2.
+	hardcode_direct=unsupported
+      fi
+      ;;
+
+    aix[4-9]*)
+      if test ia64 = "$host_cpu"; then
+	# On IA64, the linker does run time linking by default, so we don't
+	# have to do anything special.
+	aix_use_runtimelinking=no
+	exp_sym_flag='-Bexport'
+	no_entry_flag=
+      else
+	# If we're using GNU nm, then we don't want the "-C" option.
+	# -C means demangle to GNU nm, but means don't demangle to AIX nm.
+	# Without the "-l" option, or with the "-B" option, AIX nm treats
+	# weak defined symbols like other global defined symbols, whereas
+	# GNU nm marks them as "W".
+	# While the 'weak' keyword is ignored in the Export File, we need
+	# it in the Import File for the 'aix-soname' feature, so we have
+	# to replace the "-B" option with "-P" for AIX nm.
+	if $NM -V 2>&1 | $GREP 'GNU' > /dev/null; then
+	  export_symbols_cmds='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B") || (\$ 2 == "W")) && (substr(\$ 3,1,1) != ".")) { if (\$ 2 == "W") { print \$ 3 " weak" } else { print \$ 3 } } }'\'' | sort -u > $export_symbols'
+	else
+	  export_symbols_cmds='`func_echo_all $NM | $SED -e '\''s/B\([^B]*\)$/P\1/'\''` -PCpgl $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B") || (\$ 2 == "W") || (\$ 2 == "V") || (\$ 2 == "Z")) && (substr(\$ 1,1,1) != ".")) { if ((\$ 2 == "W") || (\$ 2 == "V") || (\$ 2 == "Z")) { print \$ 1 " weak" } else { print \$ 1 } } }'\'' | sort -u > $export_symbols'
+	fi
+	aix_use_runtimelinking=no
+
+	# Test if we are trying to use run time linking or normal
+	# AIX style linking. If -brtl is somewhere in LDFLAGS, we
+	# have runtime linking enabled, and use it for executables.
+	# For shared libraries, we enable/disable runtime linking
+	# depending on the kind of the shared library created -
+	# when "with_aix_soname,aix_use_runtimelinking" is:
+	# "aix,no"   lib.a(lib.so.V) shared, rtl:no,  for executables
+	# "aix,yes"  lib.so          shared, rtl:yes, for executables
+	#            lib.a           static archive
+	# "both,no"  lib.so.V(shr.o) shared, rtl:yes
+	#            lib.a(lib.so.V) shared, rtl:no,  for executables
+	# "both,yes" lib.so.V(shr.o) shared, rtl:yes, for executables
+	#            lib.a(lib.so.V) shared, rtl:no
+	# "svr4,*"   lib.so.V(shr.o) shared, rtl:yes, for executables
+	#            lib.a           static archive
+	case $host_os in aix4.[23]|aix4.[23].*|aix[5-9]*)
+	  for ld_flag in $LDFLAGS; do
+	  if (test x-brtl = "x$ld_flag" || test x-Wl,-brtl = "x$ld_flag"); then
+	    aix_use_runtimelinking=yes
+	    break
+	  fi
+	  done
+	  if test svr4,no = "$with_aix_soname,$aix_use_runtimelinking"; then
+	    # With aix-soname=svr4, we create the lib.so.V shared archives only,
+	    # so we don't have lib.a shared libs to link our executables.
+	    # We have to force runtime linking in this case.
+	    aix_use_runtimelinking=yes
+	    LDFLAGS="$LDFLAGS -Wl,-brtl"
+	  fi
+	  ;;
+	esac
+
+	exp_sym_flag='-bexport'
+	no_entry_flag='-bnoentry'
+      fi
+
+      # When large executables or shared objects are built, AIX ld can
+      # have problems creating the table of contents.  If linking a library
+      # or program results in "error TOC overflow" add -mminimal-toc to
+      # CXXFLAGS/CFLAGS for g++/gcc.  In the cases where that is not
+      # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
+
+      archive_cmds=''
+      hardcode_direct=yes
+      hardcode_direct_absolute=yes
+      hardcode_libdir_separator=':'
+      link_all_deplibs=yes
+      file_list_spec='$wl-f,'
+      case $with_aix_soname,$aix_use_runtimelinking in
+      aix,*) ;; # traditional, no import file
+      svr4,* | *,yes) # use import file
+	# The Import File defines what to hardcode.
+	hardcode_direct=no
+	hardcode_direct_absolute=no
+	;;
+      esac
+
+      if test yes = "$GCC"; then
+	case $host_os in aix4.[012]|aix4.[012].*)
+	# We only want to do this on AIX 4.2 and lower, the check
+	# below for broken collect2 doesn't work under 4.3+
+	  collect2name=`$CC -print-prog-name=collect2`
+	  if test -f "$collect2name" &&
+	   strings "$collect2name" | $GREP resolve_lib_name >/dev/null
+	  then
+	  # We have reworked collect2
+	  :
+	  else
+	  # We have old collect2
+	  hardcode_direct=unsupported
+	  # It fails to find uninstalled libraries when the uninstalled
+	  # path is not listed in the libpath.  Setting hardcode_minus_L
+	  # to unsupported forces relinking
+	  hardcode_minus_L=yes
+	  hardcode_libdir_flag_spec='-L$libdir'
+	  hardcode_libdir_separator=
+	  fi
+	  ;;
+	esac
+	shared_flag='-shared'
+	if test yes = "$aix_use_runtimelinking"; then
+	  shared_flag="$shared_flag "'$wl-G'
+	fi
+	# Need to ensure runtime linking is disabled for the traditional
+	# shared library, or the linker may eventually find shared libraries
+	# /with/ Import File - we do not want to mix them.
+	shared_flag_aix='-shared'
+	shared_flag_svr4='-shared $wl-G'
+      else
+	# not using gcc
+	if test ia64 = "$host_cpu"; then
+	# VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
+	# chokes on -Wl,-G. The following line is correct:
+	  shared_flag='-G'
+	else
+	  if test yes = "$aix_use_runtimelinking"; then
+	    shared_flag='$wl-G'
+	  else
+	    shared_flag='$wl-bM:SRE'
+	  fi
+	  shared_flag_aix='$wl-bM:SRE'
+	  shared_flag_svr4='$wl-G'
+	fi
+      fi
+
+      export_dynamic_flag_spec='$wl-bexpall'
+      # It seems that -bexpall does not export symbols beginning with
+      # underscore (_), so it is better to generate a list of symbols to export.
+      always_export_symbols=yes
+      if test aix,yes = "$with_aix_soname,$aix_use_runtimelinking"; then
+	# Warning - without using the other runtime loading flags (-brtl),
+	# -berok will link without error, but may produce a broken library.
+	allow_undefined_flag='-berok'
+        # Determine the default libpath from the value encoded in an
+        # empty executable.
+        if test set = "${lt_cv_aix_libpath+set}"; then
+  aix_libpath=$lt_cv_aix_libpath
+else
+  if ${lt_cv_aix_libpath_+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+
+  lt_aix_libpath_sed='
+      /Import File Strings/,/^$/ {
+	  /^0/ {
+	      s/^0  *\([^ ]*\) *$/\1/
+	      p
+	  }
+      }'
+  lt_cv_aix_libpath_=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+  # Check for a 64-bit object if we didn't find anything.
+  if test -z "$lt_cv_aix_libpath_"; then
+    lt_cv_aix_libpath_=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+  fi
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+  if test -z "$lt_cv_aix_libpath_"; then
+    lt_cv_aix_libpath_=/usr/lib:/lib
+  fi
+
+fi
+
+  aix_libpath=$lt_cv_aix_libpath_
+fi
+
+        hardcode_libdir_flag_spec='$wl-blibpath:$libdir:'"$aix_libpath"
+        archive_expsym_cmds='$CC -o $output_objdir/$soname $libobjs $deplibs $wl'$no_entry_flag' $compiler_flags `if test -n "$allow_undefined_flag"; then func_echo_all "$wl$allow_undefined_flag"; else :; fi` $wl'$exp_sym_flag:\$export_symbols' '$shared_flag
+      else
+	if test ia64 = "$host_cpu"; then
+	  hardcode_libdir_flag_spec='$wl-R $libdir:/usr/lib:/lib'
+	  allow_undefined_flag="-z nodefs"
+	  archive_expsym_cmds="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\$wl$no_entry_flag"' $compiler_flags $wl$allow_undefined_flag '"\$wl$exp_sym_flag:\$export_symbols"
+	else
+	 # Determine the default libpath from the value encoded in an
+	 # empty executable.
+	 if test set = "${lt_cv_aix_libpath+set}"; then
+  aix_libpath=$lt_cv_aix_libpath
+else
+  if ${lt_cv_aix_libpath_+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+
+  lt_aix_libpath_sed='
+      /Import File Strings/,/^$/ {
+	  /^0/ {
+	      s/^0  *\([^ ]*\) *$/\1/
+	      p
+	  }
+      }'
+  lt_cv_aix_libpath_=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+  # Check for a 64-bit object if we didn't find anything.
+  if test -z "$lt_cv_aix_libpath_"; then
+    lt_cv_aix_libpath_=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+  fi
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+  if test -z "$lt_cv_aix_libpath_"; then
+    lt_cv_aix_libpath_=/usr/lib:/lib
+  fi
+
+fi
+
+  aix_libpath=$lt_cv_aix_libpath_
+fi
+
+	 hardcode_libdir_flag_spec='$wl-blibpath:$libdir:'"$aix_libpath"
+	  # Warning - without using the other run time loading flags,
+	  # -berok will link without error, but may produce a broken library.
+	  no_undefined_flag=' $wl-bernotok'
+	  allow_undefined_flag=' $wl-berok'
+	  if test yes = "$with_gnu_ld"; then
+	    # We only use this code for GNU lds that support --whole-archive.
+	    whole_archive_flag_spec='$wl--whole-archive$convenience $wl--no-whole-archive'
+	  else
+	    # Exported symbols can be pulled into shared objects from archives
+	    whole_archive_flag_spec='$convenience'
+	  fi
+	  archive_cmds_need_lc=yes
+	  archive_expsym_cmds='$RM -r $output_objdir/$realname.d~$MKDIR $output_objdir/$realname.d'
+	  # -brtl affects multiple linker settings, -berok does not and is overridden later
+	  compiler_flags_filtered='`func_echo_all "$compiler_flags " | $SED -e "s%-brtl\\([, ]\\)%-berok\\1%g"`'
+	  if test svr4 != "$with_aix_soname"; then
+	    # This is similar to how AIX traditionally builds its shared libraries.
+	    archive_expsym_cmds="$archive_expsym_cmds"'~$CC '$shared_flag_aix' -o $output_objdir/$realname.d/$soname $libobjs $deplibs $wl-bnoentry '$compiler_flags_filtered'$wl-bE:$export_symbols$allow_undefined_flag~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$realname.d/$soname'
+	  fi
+	  if test aix != "$with_aix_soname"; then
+	    archive_expsym_cmds="$archive_expsym_cmds"'~$CC '$shared_flag_svr4' -o $output_objdir/$realname.d/$shared_archive_member_spec.o $libobjs $deplibs $wl-bnoentry '$compiler_flags_filtered'$wl-bE:$export_symbols$allow_undefined_flag~$STRIP -e $output_objdir/$realname.d/$shared_archive_member_spec.o~( func_echo_all "#! $soname($shared_archive_member_spec.o)"; if test shr_64 = "$shared_archive_member_spec"; then func_echo_all "# 64"; else func_echo_all "# 32"; fi; cat $export_symbols ) > $output_objdir/$realname.d/$shared_archive_member_spec.imp~$AR $AR_FLAGS $output_objdir/$soname $output_objdir/$realname.d/$shared_archive_member_spec.o $output_objdir/$realname.d/$shared_archive_member_spec.imp'
+	  else
+	    # used by -dlpreopen to get the symbols
+	    archive_expsym_cmds="$archive_expsym_cmds"'~$MV  $output_objdir/$realname.d/$soname $output_objdir'
+	  fi
+	  archive_expsym_cmds="$archive_expsym_cmds"'~$RM -r $output_objdir/$realname.d'
+	fi
+      fi
+      ;;
+
+    amigaos*)
+      case $host_cpu in
+      powerpc)
+            # see comment about AmigaOS4 .so support
+            archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib'
+            archive_expsym_cmds=''
+        ;;
+      m68k)
+            archive_cmds='$RM $output_objdir/a2ixlibrary.data~$ECHO "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$ECHO "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$ECHO "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$ECHO "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
+            hardcode_libdir_flag_spec='-L$libdir'
+            hardcode_minus_L=yes
+        ;;
+      esac
+      ;;
+
+    bsdi[45]*)
+      export_dynamic_flag_spec=-rdynamic
+      ;;
+
+    cygwin* | mingw* | pw32* | cegcc*)
+      # When not using gcc, we currently assume that we are using
+      # Microsoft Visual C++.
+      # hardcode_libdir_flag_spec is actually meaningless, as there is
+      # no search path for DLLs.
+      case $cc_basename in
+      cl*)
+	# Native MSVC
+	hardcode_libdir_flag_spec=' '
+	allow_undefined_flag=unsupported
+	always_export_symbols=yes
+	file_list_spec='@'
+	# Tell ltmain to make .lib files, not .a files.
+	libext=lib
+	# Tell ltmain to make .dll files, not .so files.
+	shrext_cmds=.dll
+	# FIXME: Setting linknames here is a bad hack.
+	archive_cmds='$CC -o $output_objdir/$soname $libobjs $compiler_flags $deplibs -Wl,-DLL,-IMPLIB:"$tool_output_objdir$libname.dll.lib"~linknames='
+	archive_expsym_cmds='if   test DEF = "`$SED -n     -e '\''s/^[	 ]*//'\''     -e '\''/^\(;.*\)*$/d'\''     -e '\''s/^\(EXPORTS\|LIBRARY\)\([	 ].*\)*$/DEF/p'\''     -e q     $export_symbols`" ; then
+            cp "$export_symbols" "$output_objdir/$soname.def";
+            echo "$tool_output_objdir$soname.def" > "$output_objdir/$soname.exp";
+          else
+            $SED -e '\''s/^/-link -EXPORT:/'\'' < $export_symbols > $output_objdir/$soname.exp;
+          fi~
+          $CC -o $tool_output_objdir$soname $libobjs $compiler_flags $deplibs "@$tool_output_objdir$soname.exp" -Wl,-DLL,-IMPLIB:"$tool_output_objdir$libname.dll.lib"~
+          linknames='
+	# The linker will not automatically build a static lib if we build a DLL.
+	# _LT_TAGVAR(old_archive_from_new_cmds, )='true'
+	enable_shared_with_static_runtimes=yes
+	exclude_expsyms='_NULL_IMPORT_DESCRIPTOR|_IMPORT_DESCRIPTOR_.*'
+	export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1,DATA/'\'' | $SED -e '\''/^[AITW][ ]/s/.*[ ]//'\'' | sort | uniq > $export_symbols'
+	# Don't use ranlib
+	old_postinstall_cmds='chmod 644 $oldlib'
+	postlink_cmds='lt_outputfile="@OUTPUT@"~
+          lt_tool_outputfile="@TOOL_OUTPUT@"~
+          case $lt_outputfile in
+            *.exe|*.EXE) ;;
+            *)
+              lt_outputfile=$lt_outputfile.exe
+              lt_tool_outputfile=$lt_tool_outputfile.exe
+              ;;
+          esac~
+          if test : != "$MANIFEST_TOOL" && test -f "$lt_outputfile.manifest"; then
+            $MANIFEST_TOOL -manifest "$lt_tool_outputfile.manifest" -outputresource:"$lt_tool_outputfile" || exit 1;
+            $RM "$lt_outputfile.manifest";
+          fi'
+	;;
+      *)
+	# Assume MSVC wrapper
+	hardcode_libdir_flag_spec=' '
+	allow_undefined_flag=unsupported
+	# Tell ltmain to make .lib files, not .a files.
+	libext=lib
+	# Tell ltmain to make .dll files, not .so files.
+	shrext_cmds=.dll
+	# FIXME: Setting linknames here is a bad hack.
+	archive_cmds='$CC -o $lib $libobjs $compiler_flags `func_echo_all "$deplibs" | $SED '\''s/ -lc$//'\''` -link -dll~linknames='
+	# The linker will automatically build a .lib file if we build a DLL.
+	old_archive_from_new_cmds='true'
+	# FIXME: Should let the user specify the lib program.
+	old_archive_cmds='lib -OUT:$oldlib$oldobjs$old_deplibs'
+	enable_shared_with_static_runtimes=yes
+	;;
+      esac
+      ;;
+
+    darwin* | rhapsody*)
+
+
+  archive_cmds_need_lc=no
+  hardcode_direct=no
+  hardcode_automatic=yes
+  hardcode_shlibpath_var=unsupported
+  if test yes = "$lt_cv_ld_force_load"; then
+    whole_archive_flag_spec='`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience $wl-force_load,$conv\"; done; func_echo_all \"$new_convenience\"`'
+
+  else
+    whole_archive_flag_spec=''
+  fi
+  link_all_deplibs=yes
+  allow_undefined_flag=$_lt_dar_allow_undefined
+  case $cc_basename in
+     ifort*|nagfor*) _lt_dar_can_shared=yes ;;
+     *) _lt_dar_can_shared=$GCC ;;
+  esac
+  if test yes = "$_lt_dar_can_shared"; then
+    output_verbose_link_cmd=func_echo_all
+    archive_cmds="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod$_lt_dsymutil"
+    module_cmds="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags$_lt_dsymutil"
+    archive_expsym_cmds="sed 's|^|_|' < \$export_symbols > \$output_objdir/\$libname-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod$_lt_dar_export_syms$_lt_dsymutil"
+    module_expsym_cmds="sed -e 's|^|_|' < \$export_symbols > \$output_objdir/\$libname-symbols.expsym~\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags$_lt_dar_export_syms$_lt_dsymutil"
+
+  else
+  ld_shlibs=no
+  fi
+
+      ;;
+
+    dgux*)
+      archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+      hardcode_libdir_flag_spec='-L$libdir'
+      hardcode_shlibpath_var=no
+      ;;
+
+    # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor
+    # support.  Future versions do this automatically, but an explicit c++rt0.o
+    # does not break anything, and helps significantly (at the cost of a little
+    # extra space).
+    freebsd2.2*)
+      archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o'
+      hardcode_libdir_flag_spec='-R$libdir'
+      hardcode_direct=yes
+      hardcode_shlibpath_var=no
+      ;;
+
+    # Unfortunately, older versions of FreeBSD 2 do not have this feature.
+    freebsd2.*)
+      archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+      hardcode_direct=yes
+      hardcode_minus_L=yes
+      hardcode_shlibpath_var=no
+      ;;
+
+    # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
+    freebsd* | dragonfly*)
+      archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+      hardcode_libdir_flag_spec='-R$libdir'
+      hardcode_direct=yes
+      hardcode_shlibpath_var=no
+      ;;
+
+    hpux9*)
+      if test yes = "$GCC"; then
+	archive_cmds='$RM $output_objdir/$soname~$CC -shared $pic_flag $wl+b $wl$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test "x$output_objdir/$soname" = "x$lib" || mv $output_objdir/$soname $lib'
+      else
+	archive_cmds='$RM $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test "x$output_objdir/$soname" = "x$lib" || mv $output_objdir/$soname $lib'
+      fi
+      hardcode_libdir_flag_spec='$wl+b $wl$libdir'
+      hardcode_libdir_separator=:
+      hardcode_direct=yes
+
+      # hardcode_minus_L: Not really in the search PATH,
+      # but as the default location of the library.
+      hardcode_minus_L=yes
+      export_dynamic_flag_spec='$wl-E'
+      ;;
+
+    hpux10*)
+      if test yes,no = "$GCC,$with_gnu_ld"; then
+	archive_cmds='$CC -shared $pic_flag $wl+h $wl$soname $wl+b $wl$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	archive_cmds='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
+      fi
+      if test no = "$with_gnu_ld"; then
+	hardcode_libdir_flag_spec='$wl+b $wl$libdir'
+	hardcode_libdir_separator=:
+	hardcode_direct=yes
+	hardcode_direct_absolute=yes
+	export_dynamic_flag_spec='$wl-E'
+	# hardcode_minus_L: Not really in the search PATH,
+	# but as the default location of the library.
+	hardcode_minus_L=yes
+      fi
+      ;;
+
+    hpux11*)
+      if test yes,no = "$GCC,$with_gnu_ld"; then
+	case $host_cpu in
+	hppa*64*)
+	  archive_cmds='$CC -shared $wl+h $wl$soname -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	ia64*)
+	  archive_cmds='$CC -shared $pic_flag $wl+h $wl$soname $wl+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	*)
+	  archive_cmds='$CC -shared $pic_flag $wl+h $wl$soname $wl+b $wl$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	esac
+      else
+	case $host_cpu in
+	hppa*64*)
+	  archive_cmds='$CC -b $wl+h $wl$soname -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	ia64*)
+	  archive_cmds='$CC -b $wl+h $wl$soname $wl+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	*)
+
+	  # Older versions of the 11.00 compiler do not understand -b yet
+	  # (HP92453-01 A.11.01.20 doesn't, HP92453-01 B.11.X.35175-35176.GP does)
+	  { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC understands -b" >&5
+$as_echo_n "checking if $CC understands -b... " >&6; }
+if ${lt_cv_prog_compiler__b+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  lt_cv_prog_compiler__b=no
+   save_LDFLAGS=$LDFLAGS
+   LDFLAGS="$LDFLAGS -b"
+   echo "$lt_simple_link_test_code" > conftest.$ac_ext
+   if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
+     # The linker can only warn and ignore the option if not recognized
+     # So say no if there are warnings
+     if test -s conftest.err; then
+       # Append any errors to the config.log.
+       cat conftest.err 1>&5
+       $ECHO "$_lt_linker_boilerplate" | $SED '/^$/d' > conftest.exp
+       $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+       if diff conftest.exp conftest.er2 >/dev/null; then
+         lt_cv_prog_compiler__b=yes
+       fi
+     else
+       lt_cv_prog_compiler__b=yes
+     fi
+   fi
+   $RM -r conftest*
+   LDFLAGS=$save_LDFLAGS
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_compiler__b" >&5
+$as_echo "$lt_cv_prog_compiler__b" >&6; }
+
+if test yes = "$lt_cv_prog_compiler__b"; then
+    archive_cmds='$CC -b $wl+h $wl$soname $wl+b $wl$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+else
+    archive_cmds='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
+fi
+
+	  ;;
+	esac
+      fi
+      if test no = "$with_gnu_ld"; then
+	hardcode_libdir_flag_spec='$wl+b $wl$libdir'
+	hardcode_libdir_separator=:
+
+	case $host_cpu in
+	hppa*64*|ia64*)
+	  hardcode_direct=no
+	  hardcode_shlibpath_var=no
+	  ;;
+	*)
+	  hardcode_direct=yes
+	  hardcode_direct_absolute=yes
+	  export_dynamic_flag_spec='$wl-E'
+
+	  # hardcode_minus_L: Not really in the search PATH,
+	  # but as the default location of the library.
+	  hardcode_minus_L=yes
+	  ;;
+	esac
+      fi
+      ;;
+
+    irix5* | irix6* | nonstopux*)
+      if test yes = "$GCC"; then
+	archive_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` $wl-update_registry $wl$output_objdir/so_locations -o $lib'
+	# Try to use the -exported_symbol ld option, if it does not
+	# work, assume that -exports_file does not work either and
+	# implicitly export all symbols.
+	# This should be the same for all languages, so no per-tag cache variable.
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the $host_os linker accepts -exported_symbol" >&5
+$as_echo_n "checking whether the $host_os linker accepts -exported_symbol... " >&6; }
+if ${lt_cv_irix_exported_symbol+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  save_LDFLAGS=$LDFLAGS
+	   LDFLAGS="$LDFLAGS -shared $wl-exported_symbol ${wl}foo $wl-update_registry $wl/dev/null"
+	   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+int foo (void) { return 0; }
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  lt_cv_irix_exported_symbol=yes
+else
+  lt_cv_irix_exported_symbol=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+           LDFLAGS=$save_LDFLAGS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_irix_exported_symbol" >&5
+$as_echo "$lt_cv_irix_exported_symbol" >&6; }
+	if test yes = "$lt_cv_irix_exported_symbol"; then
+          archive_expsym_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` $wl-update_registry $wl$output_objdir/so_locations $wl-exports_file $wl$export_symbols -o $lib'
+	fi
+      else
+	archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib'
+	archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -exports_file $export_symbols -o $lib'
+      fi
+      archive_cmds_need_lc='no'
+      hardcode_libdir_flag_spec='$wl-rpath $wl$libdir'
+      hardcode_libdir_separator=:
+      inherit_rpath=yes
+      link_all_deplibs=yes
+      ;;
+
+    linux*)
+      case $cc_basename in
+      tcc*)
+	# Fabrice Bellard et al's Tiny C Compiler
+	ld_shlibs=yes
+	archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+	;;
+      esac
+      ;;
+
+    netbsd*)
+      if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
+	archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'  # a.out
+      else
+	archive_cmds='$LD -shared -o $lib $libobjs $deplibs $linker_flags'      # ELF
+      fi
+      hardcode_libdir_flag_spec='-R$libdir'
+      hardcode_direct=yes
+      hardcode_shlibpath_var=no
+      ;;
+
+    newsos6)
+      archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+      hardcode_direct=yes
+      hardcode_libdir_flag_spec='$wl-rpath $wl$libdir'
+      hardcode_libdir_separator=:
+      hardcode_shlibpath_var=no
+      ;;
+
+    *nto* | *qnx*)
+      ;;
+
+    openbsd* | bitrig*)
+      if test -f /usr/libexec/ld.so; then
+	hardcode_direct=yes
+	hardcode_shlibpath_var=no
+	hardcode_direct_absolute=yes
+	if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`"; then
+	  archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+	  archive_expsym_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags $wl-retain-symbols-file,$export_symbols'
+	  hardcode_libdir_flag_spec='$wl-rpath,$libdir'
+	  export_dynamic_flag_spec='$wl-E'
+	else
+	  archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+	  hardcode_libdir_flag_spec='$wl-rpath,$libdir'
+	fi
+      else
+	ld_shlibs=no
+      fi
+      ;;
+
+    os2*)
+      hardcode_libdir_flag_spec='-L$libdir'
+      hardcode_minus_L=yes
+      allow_undefined_flag=unsupported
+      shrext_cmds=.dll
+      archive_cmds='$ECHO "LIBRARY ${soname%$shared_ext} INITINSTANCE TERMINSTANCE" > $output_objdir/$libname.def~
+	$ECHO "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~
+	$ECHO "DATA MULTIPLE NONSHARED" >> $output_objdir/$libname.def~
+	$ECHO EXPORTS >> $output_objdir/$libname.def~
+	emxexp $libobjs | $SED /"_DLL_InitTerm"/d >> $output_objdir/$libname.def~
+	$CC -Zdll -Zcrtdll -o $output_objdir/$soname $libobjs $deplibs $compiler_flags $output_objdir/$libname.def~
+	emximp -o $lib $output_objdir/$libname.def'
+      archive_expsym_cmds='$ECHO "LIBRARY ${soname%$shared_ext} INITINSTANCE TERMINSTANCE" > $output_objdir/$libname.def~
+	$ECHO "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~
+	$ECHO "DATA MULTIPLE NONSHARED" >> $output_objdir/$libname.def~
+	$ECHO EXPORTS >> $output_objdir/$libname.def~
+	prefix_cmds="$SED"~
+	if test EXPORTS = "`$SED 1q $export_symbols`"; then
+	  prefix_cmds="$prefix_cmds -e 1d";
+	fi~
+	prefix_cmds="$prefix_cmds -e \"s/^\(.*\)$/_\1/g\""~
+	cat $export_symbols | $prefix_cmds >> $output_objdir/$libname.def~
+	$CC -Zdll -Zcrtdll -o $output_objdir/$soname $libobjs $deplibs $compiler_flags $output_objdir/$libname.def~
+	emximp -o $lib $output_objdir/$libname.def'
+      old_archive_From_new_cmds='emximp -o $output_objdir/${libname}_dll.a $output_objdir/$libname.def'
+      enable_shared_with_static_runtimes=yes
+      ;;
+
+    osf3*)
+      if test yes = "$GCC"; then
+	allow_undefined_flag=' $wl-expect_unresolved $wl\*'
+	archive_cmds='$CC -shared$allow_undefined_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` $wl-update_registry $wl$output_objdir/so_locations -o $lib'
+      else
+	allow_undefined_flag=' -expect_unresolved \*'
+	archive_cmds='$CC -shared$allow_undefined_flag $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib'
+      fi
+      archive_cmds_need_lc='no'
+      hardcode_libdir_flag_spec='$wl-rpath $wl$libdir'
+      hardcode_libdir_separator=:
+      ;;
+
+    osf4* | osf5*)	# as osf3* with the addition of -msym flag
+      if test yes = "$GCC"; then
+	allow_undefined_flag=' $wl-expect_unresolved $wl\*'
+	archive_cmds='$CC -shared$allow_undefined_flag $pic_flag $libobjs $deplibs $compiler_flags $wl-msym $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` $wl-update_registry $wl$output_objdir/so_locations -o $lib'
+	hardcode_libdir_flag_spec='$wl-rpath $wl$libdir'
+      else
+	allow_undefined_flag=' -expect_unresolved \*'
+	archive_cmds='$CC -shared$allow_undefined_flag $libobjs $deplibs $compiler_flags -msym -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib'
+	archive_expsym_cmds='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; printf "%s\\n" "-hidden">> $lib.exp~
+          $CC -shared$allow_undefined_flag $wl-input $wl$lib.exp $compiler_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && $ECHO "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib~$RM $lib.exp'
+
+	# Both c and cxx compiler support -rpath directly
+	hardcode_libdir_flag_spec='-rpath $libdir'
+      fi
+      archive_cmds_need_lc='no'
+      hardcode_libdir_separator=:
+      ;;
+
+    solaris*)
+      no_undefined_flag=' -z defs'
+      if test yes = "$GCC"; then
+	wlarc='$wl'
+	archive_cmds='$CC -shared $pic_flag $wl-z ${wl}text $wl-h $wl$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
+          $CC -shared $pic_flag $wl-z ${wl}text $wl-M $wl$lib.exp $wl-h $wl$soname -o $lib $libobjs $deplibs $compiler_flags~$RM $lib.exp'
+      else
+	case `$CC -V 2>&1` in
+	*"Compilers 5.0"*)
+	  wlarc=''
+	  archive_cmds='$LD -G$allow_undefined_flag -h $soname -o $lib $libobjs $deplibs $linker_flags'
+	  archive_expsym_cmds='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
+            $LD -G$allow_undefined_flag -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$RM $lib.exp'
+	  ;;
+	*)
+	  wlarc='$wl'
+	  archive_cmds='$CC -G$allow_undefined_flag -h $soname -o $lib $libobjs $deplibs $compiler_flags'
+	  archive_expsym_cmds='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
+            $CC -G$allow_undefined_flag -M $lib.exp -h $soname -o $lib $libobjs $deplibs $compiler_flags~$RM $lib.exp'
+	  ;;
+	esac
+      fi
+      hardcode_libdir_flag_spec='-R$libdir'
+      hardcode_shlibpath_var=no
+      case $host_os in
+      solaris2.[0-5] | solaris2.[0-5].*) ;;
+      *)
+	# The compiler driver will combine and reorder linker options,
+	# but understands '-z linker_flag'.  GCC discards it without '$wl',
+	# but is careful enough not to reorder.
+	# Supported since Solaris 2.6 (maybe 2.5.1?)
+	if test yes = "$GCC"; then
+	  whole_archive_flag_spec='$wl-z ${wl}allextract$convenience $wl-z ${wl}defaultextract'
+	else
+	  whole_archive_flag_spec='-z allextract$convenience -z defaultextract'
+	fi
+	;;
+      esac
+      link_all_deplibs=yes
+      ;;
+
+    sunos4*)
+      if test sequent = "$host_vendor"; then
+	# Use $CC to link under sequent, because it throws in some extra .o
+	# files that make .init and .fini sections work.
+	archive_cmds='$CC -G $wl-h $soname -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	archive_cmds='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags'
+      fi
+      hardcode_libdir_flag_spec='-L$libdir'
+      hardcode_direct=yes
+      hardcode_minus_L=yes
+      hardcode_shlibpath_var=no
+      ;;
+
+    sysv4)
+      case $host_vendor in
+	sni)
+	  archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+	  hardcode_direct=yes # is this really true???
+	;;
+	siemens)
+	  ## LD is ld it makes a PLAMLIB
+	  ## CC just makes a GrossModule.
+	  archive_cmds='$LD -G -o $lib $libobjs $deplibs $linker_flags'
+	  reload_cmds='$CC -r -o $output$reload_objs'
+	  hardcode_direct=no
+        ;;
+	motorola)
+	  archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+	  hardcode_direct=no #Motorola manual says yes, but my tests say they lie
+	;;
+      esac
+      runpath_var='LD_RUN_PATH'
+      hardcode_shlibpath_var=no
+      ;;
+
+    sysv4.3*)
+      archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+      hardcode_shlibpath_var=no
+      export_dynamic_flag_spec='-Bexport'
+      ;;
+
+    sysv4*MP*)
+      if test -d /usr/nec; then
+	archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+	hardcode_shlibpath_var=no
+	runpath_var=LD_RUN_PATH
+	hardcode_runpath_var=yes
+	ld_shlibs=yes
+      fi
+      ;;
+
+    sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7* | sco3.2v5.0.[024]*)
+      no_undefined_flag='$wl-z,text'
+      archive_cmds_need_lc=no
+      hardcode_shlibpath_var=no
+      runpath_var='LD_RUN_PATH'
+
+      if test yes = "$GCC"; then
+	archive_cmds='$CC -shared $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds='$CC -shared $wl-Bexport:$export_symbols $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	archive_cmds='$CC -G $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds='$CC -G $wl-Bexport:$export_symbols $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+      fi
+      ;;
+
+    sysv5* | sco3.2v5* | sco5v6*)
+      # Note: We CANNOT use -z defs as we might desire, because we do not
+      # link with -lc, and that would cause any symbols used from libc to
+      # always be unresolved, which means just about no library would
+      # ever link correctly.  If we're not using GNU ld we use -z text
+      # though, which does catch some bad symbols but isn't as heavy-handed
+      # as -z defs.
+      no_undefined_flag='$wl-z,text'
+      allow_undefined_flag='$wl-z,nodefs'
+      archive_cmds_need_lc=no
+      hardcode_shlibpath_var=no
+      hardcode_libdir_flag_spec='$wl-R,$libdir'
+      hardcode_libdir_separator=':'
+      link_all_deplibs=yes
+      export_dynamic_flag_spec='$wl-Bexport'
+      runpath_var='LD_RUN_PATH'
+
+      if test yes = "$GCC"; then
+	archive_cmds='$CC -shared $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds='$CC -shared $wl-Bexport:$export_symbols $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	archive_cmds='$CC -G $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds='$CC -G $wl-Bexport:$export_symbols $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+      fi
+      ;;
+
+    uts4*)
+      archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+      hardcode_libdir_flag_spec='-L$libdir'
+      hardcode_shlibpath_var=no
+      ;;
+
+    *)
+      ld_shlibs=no
+      ;;
+    esac
+
+    if test sni = "$host_vendor"; then
+      case $host in
+      sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+	export_dynamic_flag_spec='$wl-Blargedynsym'
+	;;
+      esac
+    fi
+  fi
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ld_shlibs" >&5
+$as_echo "$ld_shlibs" >&6; }
+test no = "$ld_shlibs" && can_build_shared=no
+
+with_gnu_ld=$with_gnu_ld
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+#
+# Do we need to explicitly link libc?
+#
+case "x$archive_cmds_need_lc" in
+x|xyes)
+  # Assume -lc should be added
+  archive_cmds_need_lc=yes
+
+  if test yes,yes = "$GCC,$enable_shared"; then
+    case $archive_cmds in
+    *'~'*)
+      # FIXME: we may have to deal with multi-command sequences.
+      ;;
+    '$CC '*)
+      # Test whether the compiler implicitly links with -lc since on some
+      # systems, -lgcc has to come before -lc. If gcc already passes -lc
+      # to ld, don't add -lc before -lgcc.
+      { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether -lc should be explicitly linked in" >&5
+$as_echo_n "checking whether -lc should be explicitly linked in... " >&6; }
+if ${lt_cv_archive_cmds_need_lc+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  $RM conftest*
+	echo "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+	if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } 2>conftest.err; then
+	  soname=conftest
+	  lib=conftest
+	  libobjs=conftest.$ac_objext
+	  deplibs=
+	  wl=$lt_prog_compiler_wl
+	  pic_flag=$lt_prog_compiler_pic
+	  compiler_flags=-v
+	  linker_flags=-v
+	  verstring=
+	  output_objdir=.
+	  libname=conftest
+	  lt_save_allow_undefined_flag=$allow_undefined_flag
+	  allow_undefined_flag=
+	  if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$archive_cmds 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1\""; } >&5
+  (eval $archive_cmds 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+	  then
+	    lt_cv_archive_cmds_need_lc=no
+	  else
+	    lt_cv_archive_cmds_need_lc=yes
+	  fi
+	  allow_undefined_flag=$lt_save_allow_undefined_flag
+	else
+	  cat conftest.err 1>&5
+	fi
+	$RM conftest*
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_archive_cmds_need_lc" >&5
+$as_echo "$lt_cv_archive_cmds_need_lc" >&6; }
+      archive_cmds_need_lc=$lt_cv_archive_cmds_need_lc
+      ;;
+    esac
+  fi
+  ;;
+esac
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking dynamic linker characteristics" >&5
+$as_echo_n "checking dynamic linker characteristics... " >&6; }
+
+if test yes = "$GCC"; then
+  case $host_os in
+    darwin*) lt_awk_arg='/^libraries:/,/LR/' ;;
+    *) lt_awk_arg='/^libraries:/' ;;
+  esac
+  case $host_os in
+    mingw* | cegcc*) lt_sed_strip_eq='s|=\([A-Za-z]:\)|\1|g' ;;
+    *) lt_sed_strip_eq='s|=/|/|g' ;;
+  esac
+  lt_search_path_spec=`$CC -print-search-dirs | awk $lt_awk_arg | $SED -e "s/^libraries://" -e $lt_sed_strip_eq`
+  case $lt_search_path_spec in
+  *\;*)
+    # if the path contains ";" then we assume it to be the separator
+    # otherwise default to the standard path separator (i.e. ":") - it is
+    # assumed that no part of a normal pathname contains ";" but that should
+    # okay in the real world where ";" in dirpaths is itself problematic.
+    lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED 's/;/ /g'`
+    ;;
+  *)
+    lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED "s/$PATH_SEPARATOR/ /g"`
+    ;;
+  esac
+  # Ok, now we have the path, separated by spaces, we can step through it
+  # and add multilib dir if necessary...
+  lt_tmp_lt_search_path_spec=
+  lt_multi_os_dir=/`$CC $CPPFLAGS $CFLAGS $LDFLAGS -print-multi-os-directory 2>/dev/null`
+  # ...but if some path component already ends with the multilib dir we assume
+  # that all is fine and trust -print-search-dirs as is (GCC 4.2? or newer).
+  case "$lt_multi_os_dir; $lt_search_path_spec " in
+  "/; "* | "/.; "* | "/./; "* | *"$lt_multi_os_dir "* | *"$lt_multi_os_dir/ "*)
+    lt_multi_os_dir=
+    ;;
+  esac
+  for lt_sys_path in $lt_search_path_spec; do
+    if test -d "$lt_sys_path$lt_multi_os_dir"; then
+      lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path$lt_multi_os_dir"
+    elif test -n "$lt_multi_os_dir"; then
+      test -d "$lt_sys_path" && \
+	lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path"
+    fi
+  done
+  lt_search_path_spec=`$ECHO "$lt_tmp_lt_search_path_spec" | awk '
+BEGIN {RS = " "; FS = "/|\n";} {
+  lt_foo = "";
+  lt_count = 0;
+  for (lt_i = NF; lt_i > 0; lt_i--) {
+    if ($lt_i != "" && $lt_i != ".") {
+      if ($lt_i == "..") {
+        lt_count++;
+      } else {
+        if (lt_count == 0) {
+          lt_foo = "/" $lt_i lt_foo;
+        } else {
+          lt_count--;
+        }
+      }
+    }
+  }
+  if (lt_foo != "") { lt_freq[lt_foo]++; }
+  if (lt_freq[lt_foo] == 1) { print lt_foo; }
+}'`
+  # AWK program above erroneously prepends '/' to C:/dos/paths
+  # for these hosts.
+  case $host_os in
+    mingw* | cegcc*) lt_search_path_spec=`$ECHO "$lt_search_path_spec" |\
+      $SED 's|/\([A-Za-z]:\)|\1|g'` ;;
+  esac
+  sys_lib_search_path_spec=`$ECHO "$lt_search_path_spec" | $lt_NL2SP`
+else
+  sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
+fi
+library_names_spec=
+libname_spec='lib$name'
+soname_spec=
+shrext_cmds=.so
+postinstall_cmds=
+postuninstall_cmds=
+finish_cmds=
+finish_eval=
+shlibpath_var=
+shlibpath_overrides_runpath=unknown
+version_type=none
+dynamic_linker="$host_os ld.so"
+sys_lib_dlsearch_path_spec="/lib /usr/lib"
+need_lib_prefix=unknown
+hardcode_into_libs=no
+
+# when you set need_version to no, make sure it does not cause -set_version
+# flags to be left without arguments
+need_version=unknown
+
+
+
+case $host_os in
+aix3*)
+  version_type=linux # correct to gnu/linux during the next big refactor
+  library_names_spec='$libname$release$shared_ext$versuffix $libname.a'
+  shlibpath_var=LIBPATH
+
+  # AIX 3 has no versioning support, so we append a major version to the name.
+  soname_spec='$libname$release$shared_ext$major'
+  ;;
+
+aix[4-9]*)
+  version_type=linux # correct to gnu/linux during the next big refactor
+  need_lib_prefix=no
+  need_version=no
+  hardcode_into_libs=yes
+  if test ia64 = "$host_cpu"; then
+    # AIX 5 supports IA64
+    library_names_spec='$libname$release$shared_ext$major $libname$release$shared_ext$versuffix $libname$shared_ext'
+    shlibpath_var=LD_LIBRARY_PATH
+  else
+    # With GCC up to 2.95.x, collect2 would create an import file
+    # for dependence libraries.  The import file would start with
+    # the line '#! .'.  This would cause the generated library to
+    # depend on '.', always an invalid library.  This was fixed in
+    # development snapshots of GCC prior to 3.0.
+    case $host_os in
+      aix4 | aix4.[01] | aix4.[01].*)
+      if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)'
+	   echo ' yes '
+	   echo '#endif'; } | $CC -E - | $GREP yes > /dev/null; then
+	:
+      else
+	can_build_shared=no
+      fi
+      ;;
+    esac
+    # Using Import Files as archive members, it is possible to support
+    # filename-based versioning of shared library archives on AIX. While
+    # this would work for both with and without runtime linking, it will
+    # prevent static linking of such archives. So we do filename-based
+    # shared library versioning with .so extension only, which is used
+    # when both runtime linking and shared linking is enabled.
+    # Unfortunately, runtime linking may impact performance, so we do
+    # not want this to be the default eventually. Also, we use the
+    # versioned .so libs for executables only if there is the -brtl
+    # linker flag in LDFLAGS as well, or --with-aix-soname=svr4 only.
+    # To allow for filename-based versioning support, we need to create
+    # libNAME.so.V as an archive file, containing:
+    # *) an Import File, referring to the versioned filename of the
+    #    archive as well as the shared archive member, telling the
+    #    bitwidth (32 or 64) of that shared object, and providing the
+    #    list of exported symbols of that shared object, eventually
+    #    decorated with the 'weak' keyword
+    # *) the shared object with the F_LOADONLY flag set, to really avoid
+    #    it being seen by the linker.
+    # At run time we better use the real file rather than another symlink,
+    # but for link time we create the symlink libNAME.so -> libNAME.so.V
+
+    case $with_aix_soname,$aix_use_runtimelinking in
+    # AIX (on Power*) has no versioning support, so currently we cannot hardcode correct
+    # soname into executable. Probably we can add versioning support to
+    # collect2, so additional links can be useful in future.
+    aix,yes) # traditional libtool
+      dynamic_linker='AIX unversionable lib.so'
+      # If using run time linking (on AIX 4.2 or later) use lib<name>.so
+      # instead of lib<name>.a to let people know that these are not
+      # typical AIX shared libraries.
+      library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
+      ;;
+    aix,no) # traditional AIX only
+      dynamic_linker='AIX lib.a(lib.so.V)'
+      # We preserve .a as extension for shared libraries through AIX4.2
+      # and later when we are not doing run time linking.
+      library_names_spec='$libname$release.a $libname.a'
+      soname_spec='$libname$release$shared_ext$major'
+      ;;
+    svr4,*) # full svr4 only
+      dynamic_linker="AIX lib.so.V($shared_archive_member_spec.o)"
+      library_names_spec='$libname$release$shared_ext$major $libname$shared_ext'
+      # We do not specify a path in Import Files, so LIBPATH fires.
+      shlibpath_overrides_runpath=yes
+      ;;
+    *,yes) # both, prefer svr4
+      dynamic_linker="AIX lib.so.V($shared_archive_member_spec.o), lib.a(lib.so.V)"
+      library_names_spec='$libname$release$shared_ext$major $libname$shared_ext'
+      # unpreferred sharedlib libNAME.a needs extra handling
+      postinstall_cmds='test -n "$linkname" || linkname="$realname"~func_stripname "" ".so" "$linkname"~$install_shared_prog "$dir/$func_stripname_result.$libext" "$destdir/$func_stripname_result.$libext"~test -z "$tstripme" || test -z "$striplib" || $striplib "$destdir/$func_stripname_result.$libext"'
+      postuninstall_cmds='for n in $library_names $old_library; do :; done~func_stripname "" ".so" "$n"~test "$func_stripname_result" = "$n" || func_append rmfiles " $odir/$func_stripname_result.$libext"'
+      # We do not specify a path in Import Files, so LIBPATH fires.
+      shlibpath_overrides_runpath=yes
+      ;;
+    *,no) # both, prefer aix
+      dynamic_linker="AIX lib.a(lib.so.V), lib.so.V($shared_archive_member_spec.o)"
+      library_names_spec='$libname$release.a $libname.a'
+      soname_spec='$libname$release$shared_ext$major'
+      # unpreferred sharedlib libNAME.so.V and symlink libNAME.so need extra handling
+      postinstall_cmds='test -z "$dlname" || $install_shared_prog $dir/$dlname $destdir/$dlname~test -z "$tstripme" || test -z "$striplib" || $striplib $destdir/$dlname~test -n "$linkname" || linkname=$realname~func_stripname "" ".a" "$linkname"~(cd "$destdir" && $LN_S -f $dlname $func_stripname_result.so)'
+      postuninstall_cmds='test -z "$dlname" || func_append rmfiles " $odir/$dlname"~for n in $old_library $library_names; do :; done~func_stripname "" ".a" "$n"~func_append rmfiles " $odir/$func_stripname_result.so"'
+      ;;
+    esac
+    shlibpath_var=LIBPATH
+  fi
+  ;;
+
+amigaos*)
+  case $host_cpu in
+  powerpc)
+    # Since July 2007 AmigaOS4 officially supports .so libraries.
+    # When compiling the executable, add -use-dynld -Lsobjs: to the compileline.
+    library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
+    ;;
+  m68k)
+    library_names_spec='$libname.ixlibrary $libname.a'
+    # Create ${libname}_ixlibrary.a entries in /sys/libs.
+    finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`func_echo_all "$lib" | $SED '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; $RM /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
+    ;;
+  esac
+  ;;
+
+beos*)
+  library_names_spec='$libname$shared_ext'
+  dynamic_linker="$host_os ld.so"
+  shlibpath_var=LIBRARY_PATH
+  ;;
+
+bsdi[45]*)
+  version_type=linux # correct to gnu/linux during the next big refactor
+  need_version=no
+  library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
+  soname_spec='$libname$release$shared_ext$major'
+  finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib"
+  sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib"
+  # the default ld.so.conf also contains /usr/contrib/lib and
+  # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow
+  # libtool to hard-code these into programs
+  ;;
+
+cygwin* | mingw* | pw32* | cegcc*)
+  version_type=windows
+  shrext_cmds=.dll
+  need_version=no
+  need_lib_prefix=no
+
+  case $GCC,$cc_basename in
+  yes,*)
+    # gcc
+    library_names_spec='$libname.dll.a'
+    # DLL is installed to $(libdir)/../bin by postinstall_cmds
+    postinstall_cmds='base_file=`basename \$file`~
+      dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\$base_file'\''i; echo \$dlname'\''`~
+      dldir=$destdir/`dirname \$dlpath`~
+      test -d \$dldir || mkdir -p \$dldir~
+      $install_prog $dir/$dlname \$dldir/$dlname~
+      chmod a+x \$dldir/$dlname~
+      if test -n '\''$stripme'\'' && test -n '\''$striplib'\''; then
+        eval '\''$striplib \$dldir/$dlname'\'' || exit \$?;
+      fi'
+    postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
+      dlpath=$dir/\$dldll~
+       $RM \$dlpath'
+    shlibpath_overrides_runpath=yes
+
+    case $host_os in
+    cygwin*)
+      # Cygwin DLLs use 'cyg' prefix rather than 'lib'
+      soname_spec='`echo $libname | sed -e 's/^lib/cyg/'``echo $release | $SED -e 's/[.]/-/g'`$versuffix$shared_ext'
+
+      sys_lib_search_path_spec="$sys_lib_search_path_spec /usr/lib/w32api"
+      ;;
+    mingw* | cegcc*)
+      # MinGW DLLs use traditional 'lib' prefix
+      soname_spec='$libname`echo $release | $SED -e 's/[.]/-/g'`$versuffix$shared_ext'
+      ;;
+    pw32*)
+      # pw32 DLLs use 'pw' prefix rather than 'lib'
+      library_names_spec='`echo $libname | sed -e 's/^lib/pw/'``echo $release | $SED -e 's/[.]/-/g'`$versuffix$shared_ext'
+      ;;
+    esac
+    dynamic_linker='Win32 ld.exe'
+    ;;
+
+  *,cl*)
+    # Native MSVC
+    libname_spec='$name'
+    soname_spec='$libname`echo $release | $SED -e 's/[.]/-/g'`$versuffix$shared_ext'
+    library_names_spec='$libname.dll.lib'
+
+    case $build_os in
+    mingw*)
+      sys_lib_search_path_spec=
+      lt_save_ifs=$IFS
+      IFS=';'
+      for lt_path in $LIB
+      do
+        IFS=$lt_save_ifs
+        # Let DOS variable expansion print the short 8.3 style file name.
+        lt_path=`cd "$lt_path" 2>/dev/null && cmd //C "for %i in (".") do @echo %~si"`
+        sys_lib_search_path_spec="$sys_lib_search_path_spec $lt_path"
+      done
+      IFS=$lt_save_ifs
+      # Convert to MSYS style.
+      sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | sed -e 's|\\\\|/|g' -e 's| \\([a-zA-Z]\\):| /\\1|g' -e 's|^ ||'`
+      ;;
+    cygwin*)
+      # Convert to unix form, then to dos form, then back to unix form
+      # but this time dos style (no spaces!) so that the unix form looks
+      # like /cygdrive/c/PROGRA~1:/cygdr...
+      sys_lib_search_path_spec=`cygpath --path --unix "$LIB"`
+      sys_lib_search_path_spec=`cygpath --path --dos "$sys_lib_search_path_spec" 2>/dev/null`
+      sys_lib_search_path_spec=`cygpath --path --unix "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
+      ;;
+    *)
+      sys_lib_search_path_spec=$LIB
+      if $ECHO "$sys_lib_search_path_spec" | $GREP ';[c-zC-Z]:/' >/dev/null; then
+        # It is most probably a Windows format PATH.
+        sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
+      else
+        sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
+      fi
+      # FIXME: find the short name or the path components, as spaces are
+      # common. (e.g. "Program Files" -> "PROGRA~1")
+      ;;
+    esac
+
+    # DLL is installed to $(libdir)/../bin by postinstall_cmds
+    postinstall_cmds='base_file=`basename \$file`~
+      dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\$base_file'\''i; echo \$dlname'\''`~
+      dldir=$destdir/`dirname \$dlpath`~
+      test -d \$dldir || mkdir -p \$dldir~
+      $install_prog $dir/$dlname \$dldir/$dlname'
+    postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
+      dlpath=$dir/\$dldll~
+       $RM \$dlpath'
+    shlibpath_overrides_runpath=yes
+    dynamic_linker='Win32 link.exe'
+    ;;
+
+  *)
+    # Assume MSVC wrapper
+    library_names_spec='$libname`echo $release | $SED -e 's/[.]/-/g'`$versuffix$shared_ext $libname.lib'
+    dynamic_linker='Win32 ld.exe'
+    ;;
+  esac
+  # FIXME: first we should search . and the directory the executable is in
+  shlibpath_var=PATH
+  ;;
+
+darwin* | rhapsody*)
+  dynamic_linker="$host_os dyld"
+  version_type=darwin
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='$libname$release$major$shared_ext $libname$shared_ext'
+  soname_spec='$libname$release$major$shared_ext'
+  shlibpath_overrides_runpath=yes
+  shlibpath_var=DYLD_LIBRARY_PATH
+  shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`'
+
+  sys_lib_search_path_spec="$sys_lib_search_path_spec /usr/local/lib"
+  sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib'
+  ;;
+
+dgux*)
+  version_type=linux # correct to gnu/linux during the next big refactor
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
+  soname_spec='$libname$release$shared_ext$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  ;;
+
+freebsd* | dragonfly*)
+  # DragonFly does not have aout.  When/if they implement a new
+  # versioning mechanism, adjust this.
+  if test -x /usr/bin/objformat; then
+    objformat=`/usr/bin/objformat`
+  else
+    case $host_os in
+    freebsd[23].*) objformat=aout ;;
+    *) objformat=elf ;;
+    esac
+  fi
+  version_type=freebsd-$objformat
+  case $version_type in
+    freebsd-elf*)
+      library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
+      soname_spec='$libname$release$shared_ext$major'
+      need_version=no
+      need_lib_prefix=no
+      ;;
+    freebsd-*)
+      library_names_spec='$libname$release$shared_ext$versuffix $libname$shared_ext$versuffix'
+      need_version=yes
+      ;;
+  esac
+  shlibpath_var=LD_LIBRARY_PATH
+  case $host_os in
+  freebsd2.*)
+    shlibpath_overrides_runpath=yes
+    ;;
+  freebsd3.[01]* | freebsdelf3.[01]*)
+    shlibpath_overrides_runpath=yes
+    hardcode_into_libs=yes
+    ;;
+  freebsd3.[2-9]* | freebsdelf3.[2-9]* | \
+  freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1)
+    shlibpath_overrides_runpath=no
+    hardcode_into_libs=yes
+    ;;
+  *) # from 4.6 on, and DragonFly
+    shlibpath_overrides_runpath=yes
+    hardcode_into_libs=yes
+    ;;
+  esac
+  ;;
+
+haiku*)
+  version_type=linux # correct to gnu/linux during the next big refactor
+  need_lib_prefix=no
+  need_version=no
+  dynamic_linker="$host_os runtime_loader"
+  library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
+  soname_spec='$libname$release$shared_ext$major'
+  shlibpath_var=LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib'
+  hardcode_into_libs=yes
+  ;;
+
+hpux9* | hpux10* | hpux11*)
+  # Give a soname corresponding to the major version so that dld.sl refuses to
+  # link against other versions.
+  version_type=sunos
+  need_lib_prefix=no
+  need_version=no
+  case $host_cpu in
+  ia64*)
+    shrext_cmds='.so'
+    hardcode_into_libs=yes
+    dynamic_linker="$host_os dld.so"
+    shlibpath_var=LD_LIBRARY_PATH
+    shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
+    library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
+    soname_spec='$libname$release$shared_ext$major'
+    if test 32 = "$HPUX_IA64_MODE"; then
+      sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib"
+      sys_lib_dlsearch_path_spec=/usr/lib/hpux32
+    else
+      sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64"
+      sys_lib_dlsearch_path_spec=/usr/lib/hpux64
+    fi
+    ;;
+  hppa*64*)
+    shrext_cmds='.sl'
+    hardcode_into_libs=yes
+    dynamic_linker="$host_os dld.sl"
+    shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
+    shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
+    library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
+    soname_spec='$libname$release$shared_ext$major'
+    sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64"
+    sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
+    ;;
+  *)
+    shrext_cmds='.sl'
+    dynamic_linker="$host_os dld.sl"
+    shlibpath_var=SHLIB_PATH
+    shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
+    library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
+    soname_spec='$libname$release$shared_ext$major'
+    ;;
+  esac
+  # HP-UX runs *really* slowly unless shared libraries are mode 555, ...
+  postinstall_cmds='chmod 555 $lib'
+  # or fails outright, so override atomically:
+  install_override_mode=555
+  ;;
+
+interix[3-9]*)
+  version_type=linux # correct to gnu/linux during the next big refactor
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
+  soname_spec='$libname$release$shared_ext$major'
+  dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  hardcode_into_libs=yes
+  ;;
+
+irix5* | irix6* | nonstopux*)
+  case $host_os in
+    nonstopux*) version_type=nonstopux ;;
+    *)
+	if test yes = "$lt_cv_prog_gnu_ld"; then
+		version_type=linux # correct to gnu/linux during the next big refactor
+	else
+		version_type=irix
+	fi ;;
+  esac
+  need_lib_prefix=no
+  need_version=no
+  soname_spec='$libname$release$shared_ext$major'
+  library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$release$shared_ext $libname$shared_ext'
+  case $host_os in
+  irix5* | nonstopux*)
+    libsuff= shlibsuff=
+    ;;
+  *)
+    case $LD in # libtool.m4 will add one of these switches to LD
+    *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ")
+      libsuff= shlibsuff= libmagic=32-bit;;
+    *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ")
+      libsuff=32 shlibsuff=N32 libmagic=N32;;
+    *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ")
+      libsuff=64 shlibsuff=64 libmagic=64-bit;;
+    *) libsuff= shlibsuff= libmagic=never-match;;
+    esac
+    ;;
+  esac
+  shlibpath_var=LD_LIBRARY${shlibsuff}_PATH
+  shlibpath_overrides_runpath=no
+  sys_lib_search_path_spec="/usr/lib$libsuff /lib$libsuff /usr/local/lib$libsuff"
+  sys_lib_dlsearch_path_spec="/usr/lib$libsuff /lib$libsuff"
+  hardcode_into_libs=yes
+  ;;
+
+# No shared lib support for Linux oldld, aout, or coff.
+linux*oldld* | linux*aout* | linux*coff*)
+  dynamic_linker=no
+  ;;
+
+linux*android*)
+  version_type=none # Android doesn't support versioned libraries.
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='$libname$release$shared_ext'
+  soname_spec='$libname$release$shared_ext'
+  finish_cmds=
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+
+  # This implies no fast_install, which is unacceptable.
+  # Some rework will be needed to allow for fast_install
+  # before this can be enabled.
+  hardcode_into_libs=yes
+
+  dynamic_linker='Android linker'
+  # Don't embed -rpath directories since the linker doesn't support them.
+  hardcode_libdir_flag_spec='-L$libdir'
+  ;;
+
+# This must be glibc/ELF.
+linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
+  version_type=linux # correct to gnu/linux during the next big refactor
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
+  soname_spec='$libname$release$shared_ext$major'
+  finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+
+  # Some binutils ld are patched to set DT_RUNPATH
+  if ${lt_cv_shlibpath_overrides_runpath+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  lt_cv_shlibpath_overrides_runpath=no
+    save_LDFLAGS=$LDFLAGS
+    save_libdir=$libdir
+    eval "libdir=/foo; wl=\"$lt_prog_compiler_wl\"; \
+	 LDFLAGS=\"\$LDFLAGS $hardcode_libdir_flag_spec\""
+    cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  if  ($OBJDUMP -p conftest$ac_exeext) 2>/dev/null | grep "RUNPATH.*$libdir" >/dev/null; then :
+  lt_cv_shlibpath_overrides_runpath=yes
+fi
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+    LDFLAGS=$save_LDFLAGS
+    libdir=$save_libdir
+
+fi
+
+  shlibpath_overrides_runpath=$lt_cv_shlibpath_overrides_runpath
+
+  # This implies no fast_install, which is unacceptable.
+  # Some rework will be needed to allow for fast_install
+  # before this can be enabled.
+  hardcode_into_libs=yes
+
+  # Ideally, we could use ldconfig to report *all* directores which are
+  # searched for libraries, however this is still not possible.  Aside from not
+  # being certain /sbin/ldconfig is available, command
+  # 'ldconfig -N -X -v | grep ^/' on 64bit Fedora does not report /usr/lib64,
+  # even though it is searched at run-time.  Try to do the best guess by
+  # appending ld.so.conf contents (and includes) to the search path.
+  if test -f /etc/ld.so.conf; then
+    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[	 ]*hwcap[	 ]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
+    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
+  fi
+
+  # We used to test for /lib/ld.so.1 and disable shared libraries on
+  # powerpc, because MkLinux only supported shared libraries with the
+  # GNU dynamic linker.  Since this was broken with cross compilers,
+  # most powerpc-linux boxes support dynamic linking these days and
+  # people can always --disable-shared, the test was removed, and we
+  # assume the GNU/Linux dynamic linker is in use.
+  dynamic_linker='GNU/Linux ld.so'
+  ;;
+
+netbsd*)
+  version_type=sunos
+  need_lib_prefix=no
+  need_version=no
+  if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
+    library_names_spec='$libname$release$shared_ext$versuffix $libname$shared_ext$versuffix'
+    finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+    dynamic_linker='NetBSD (a.out) ld.so'
+  else
+    library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
+    soname_spec='$libname$release$shared_ext$major'
+    dynamic_linker='NetBSD ld.elf_so'
+  fi
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  hardcode_into_libs=yes
+  ;;
+
+newsos6)
+  version_type=linux # correct to gnu/linux during the next big refactor
+  library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  ;;
+
+*nto* | *qnx*)
+  version_type=qnx
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
+  soname_spec='$libname$release$shared_ext$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  hardcode_into_libs=yes
+  dynamic_linker='ldqnx.so'
+  ;;
+
+openbsd* | bitrig*)
+  version_type=sunos
+  sys_lib_dlsearch_path_spec=/usr/lib
+  need_lib_prefix=no
+  if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`"; then
+    need_version=no
+  else
+    need_version=yes
+  fi
+  library_names_spec='$libname$release$shared_ext$versuffix $libname$shared_ext$versuffix'
+  finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  ;;
+
+os2*)
+  libname_spec='$name'
+  version_type=windows
+  shrext_cmds=.dll
+  need_version=no
+  need_lib_prefix=no
+  # OS/2 can only load a DLL with a base name of 8 characters or less.
+  soname_spec='`test -n "$os2dllname" && libname="$os2dllname";
+    v=$($ECHO $release$versuffix | tr -d .-);
+    n=$($ECHO $libname | cut -b -$((8 - ${#v})) | tr . _);
+    $ECHO $n$v`$shared_ext'
+  library_names_spec='${libname}_dll.$libext'
+  dynamic_linker='OS/2 ld.exe'
+  shlibpath_var=BEGINLIBPATH
+  sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
+  sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
+  postinstall_cmds='base_file=`basename \$file`~
+    dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\$base_file'\''i; $ECHO \$dlname'\''`~
+    dldir=$destdir/`dirname \$dlpath`~
+    test -d \$dldir || mkdir -p \$dldir~
+    $install_prog $dir/$dlname \$dldir/$dlname~
+    chmod a+x \$dldir/$dlname~
+    if test -n '\''$stripme'\'' && test -n '\''$striplib'\''; then
+      eval '\''$striplib \$dldir/$dlname'\'' || exit \$?;
+    fi'
+  postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; $ECHO \$dlname'\''`~
+    dlpath=$dir/\$dldll~
+    $RM \$dlpath'
+  ;;
+
+osf3* | osf4* | osf5*)
+  version_type=osf
+  need_lib_prefix=no
+  need_version=no
+  soname_spec='$libname$release$shared_ext$major'
+  library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
+  shlibpath_var=LD_LIBRARY_PATH
+  sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib"
+  sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
+  ;;
+
+rdos*)
+  dynamic_linker=no
+  ;;
+
+solaris*)
+  version_type=linux # correct to gnu/linux during the next big refactor
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
+  soname_spec='$libname$release$shared_ext$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  hardcode_into_libs=yes
+  # ldd complains unless libraries are executable
+  postinstall_cmds='chmod +x $lib'
+  ;;
+
+sunos4*)
+  version_type=sunos
+  library_names_spec='$libname$release$shared_ext$versuffix $libname$shared_ext$versuffix'
+  finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  if test yes = "$with_gnu_ld"; then
+    need_lib_prefix=no
+  fi
+  need_version=yes
+  ;;
+
+sysv4 | sysv4.3*)
+  version_type=linux # correct to gnu/linux during the next big refactor
+  library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
+  soname_spec='$libname$release$shared_ext$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  case $host_vendor in
+    sni)
+      shlibpath_overrides_runpath=no
+      need_lib_prefix=no
+      runpath_var=LD_RUN_PATH
+      ;;
+    siemens)
+      need_lib_prefix=no
+      ;;
+    motorola)
+      need_lib_prefix=no
+      need_version=no
+      shlibpath_overrides_runpath=no
+      sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib'
+      ;;
+  esac
+  ;;
+
+sysv4*MP*)
+  if test -d /usr/nec; then
+    version_type=linux # correct to gnu/linux during the next big refactor
+    library_names_spec='$libname$shared_ext.$versuffix $libname$shared_ext.$major $libname$shared_ext'
+    soname_spec='$libname$shared_ext.$major'
+    shlibpath_var=LD_LIBRARY_PATH
+  fi
+  ;;
+
+sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
+  version_type=sco
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext $libname$shared_ext'
+  soname_spec='$libname$release$shared_ext$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  hardcode_into_libs=yes
+  if test yes = "$with_gnu_ld"; then
+    sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
+  else
+    sys_lib_search_path_spec='/usr/ccs/lib /usr/lib'
+    case $host_os in
+      sco3.2v5*)
+        sys_lib_search_path_spec="$sys_lib_search_path_spec /lib"
+	;;
+    esac
+  fi
+  sys_lib_dlsearch_path_spec='/usr/lib'
+  ;;
+
+tpf*)
+  # TPF is a cross-target only.  Preferred cross-host = GNU/Linux.
+  version_type=linux # correct to gnu/linux during the next big refactor
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  hardcode_into_libs=yes
+  ;;
+
+uts4*)
+  version_type=linux # correct to gnu/linux during the next big refactor
+  library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
+  soname_spec='$libname$release$shared_ext$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  ;;
+
+*)
+  dynamic_linker=no
+  ;;
+esac
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $dynamic_linker" >&5
+$as_echo "$dynamic_linker" >&6; }
+test no = "$dynamic_linker" && can_build_shared=no
+
+variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
+if test yes = "$GCC"; then
+  variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
+fi
+
+if test set = "${lt_cv_sys_lib_search_path_spec+set}"; then
+  sys_lib_search_path_spec=$lt_cv_sys_lib_search_path_spec
+fi
+
+if test set = "${lt_cv_sys_lib_dlsearch_path_spec+set}"; then
+  sys_lib_dlsearch_path_spec=$lt_cv_sys_lib_dlsearch_path_spec
+fi
+
+# remember unaugmented sys_lib_dlsearch_path content for libtool script decls...
+configure_time_dlsearch_path=$sys_lib_dlsearch_path_spec
+
+# ... but it needs LT_SYS_LIBRARY_PATH munging for other configure-time code
+func_munge_path_list sys_lib_dlsearch_path_spec "$LT_SYS_LIBRARY_PATH"
+
+# to be used as default LT_SYS_LIBRARY_PATH value in generated libtool
+configure_time_lt_sys_library_path=$LT_SYS_LIBRARY_PATH
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking how to hardcode library paths into programs" >&5
+$as_echo_n "checking how to hardcode library paths into programs... " >&6; }
+hardcode_action=
+if test -n "$hardcode_libdir_flag_spec" ||
+   test -n "$runpath_var" ||
+   test yes = "$hardcode_automatic"; then
+
+  # We can hardcode non-existent directories.
+  if test no != "$hardcode_direct" &&
+     # If the only mechanism to avoid hardcoding is shlibpath_var, we
+     # have to relink, otherwise we might link with an installed library
+     # when we should be linking with a yet-to-be-installed one
+     ## test no != "$_LT_TAGVAR(hardcode_shlibpath_var, )" &&
+     test no != "$hardcode_minus_L"; then
+    # Linking always hardcodes the temporary library directory.
+    hardcode_action=relink
+  else
+    # We can link without hardcoding, and we can hardcode nonexisting dirs.
+    hardcode_action=immediate
+  fi
+else
+  # We cannot hardcode anything, or else we can only hardcode existing
+  # directories.
+  hardcode_action=unsupported
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $hardcode_action" >&5
+$as_echo "$hardcode_action" >&6; }
+
+if test relink = "$hardcode_action" ||
+   test yes = "$inherit_rpath"; then
+  # Fast installation is not supported
+  enable_fast_install=no
+elif test yes = "$shlibpath_overrides_runpath" ||
+     test no = "$enable_shared"; then
+  # Fast installation is not necessary
+  enable_fast_install=needless
+fi
+
+
+
+
+
+
+  if test yes != "$enable_dlopen"; then
+  enable_dlopen=unknown
+  enable_dlopen_self=unknown
+  enable_dlopen_self_static=unknown
+else
+  lt_cv_dlopen=no
+  lt_cv_dlopen_libs=
+
+  case $host_os in
+  beos*)
+    lt_cv_dlopen=load_add_on
+    lt_cv_dlopen_libs=
+    lt_cv_dlopen_self=yes
+    ;;
+
+  mingw* | pw32* | cegcc*)
+    lt_cv_dlopen=LoadLibrary
+    lt_cv_dlopen_libs=
+    ;;
+
+  cygwin*)
+    lt_cv_dlopen=dlopen
+    lt_cv_dlopen_libs=
+    ;;
+
+  darwin*)
+    # if libdl is installed we need to link against it
+    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dlopen in -ldl" >&5
+$as_echo_n "checking for dlopen in -ldl... " >&6; }
+if ${ac_cv_lib_dl_dlopen+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-ldl  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char dlopen ();
+int
+main ()
+{
+return dlopen ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_dl_dlopen=yes
+else
+  ac_cv_lib_dl_dlopen=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dl_dlopen" >&5
+$as_echo "$ac_cv_lib_dl_dlopen" >&6; }
+if test "x$ac_cv_lib_dl_dlopen" = xyes; then :
+  lt_cv_dlopen=dlopen lt_cv_dlopen_libs=-ldl
+else
+
+    lt_cv_dlopen=dyld
+    lt_cv_dlopen_libs=
+    lt_cv_dlopen_self=yes
+
+fi
+
+    ;;
+
+  tpf*)
+    # Don't try to run any link tests for TPF.  We know it's impossible
+    # because TPF is a cross-compiler, and we know how we open DSOs.
+    lt_cv_dlopen=dlopen
+    lt_cv_dlopen_libs=
+    lt_cv_dlopen_self=no
+    ;;
+
+  *)
+    ac_fn_c_check_func "$LINENO" "shl_load" "ac_cv_func_shl_load"
+if test "x$ac_cv_func_shl_load" = xyes; then :
+  lt_cv_dlopen=shl_load
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for shl_load in -ldld" >&5
+$as_echo_n "checking for shl_load in -ldld... " >&6; }
+if ${ac_cv_lib_dld_shl_load+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-ldld  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char shl_load ();
+int
+main ()
+{
+return shl_load ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_dld_shl_load=yes
+else
+  ac_cv_lib_dld_shl_load=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dld_shl_load" >&5
+$as_echo "$ac_cv_lib_dld_shl_load" >&6; }
+if test "x$ac_cv_lib_dld_shl_load" = xyes; then :
+  lt_cv_dlopen=shl_load lt_cv_dlopen_libs=-ldld
+else
+  ac_fn_c_check_func "$LINENO" "dlopen" "ac_cv_func_dlopen"
+if test "x$ac_cv_func_dlopen" = xyes; then :
+  lt_cv_dlopen=dlopen
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dlopen in -ldl" >&5
+$as_echo_n "checking for dlopen in -ldl... " >&6; }
+if ${ac_cv_lib_dl_dlopen+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-ldl  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char dlopen ();
+int
+main ()
+{
+return dlopen ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_dl_dlopen=yes
+else
+  ac_cv_lib_dl_dlopen=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dl_dlopen" >&5
+$as_echo "$ac_cv_lib_dl_dlopen" >&6; }
+if test "x$ac_cv_lib_dl_dlopen" = xyes; then :
+  lt_cv_dlopen=dlopen lt_cv_dlopen_libs=-ldl
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dlopen in -lsvld" >&5
+$as_echo_n "checking for dlopen in -lsvld... " >&6; }
+if ${ac_cv_lib_svld_dlopen+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lsvld  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char dlopen ();
+int
+main ()
+{
+return dlopen ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_svld_dlopen=yes
+else
+  ac_cv_lib_svld_dlopen=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_svld_dlopen" >&5
+$as_echo "$ac_cv_lib_svld_dlopen" >&6; }
+if test "x$ac_cv_lib_svld_dlopen" = xyes; then :
+  lt_cv_dlopen=dlopen lt_cv_dlopen_libs=-lsvld
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dld_link in -ldld" >&5
+$as_echo_n "checking for dld_link in -ldld... " >&6; }
+if ${ac_cv_lib_dld_dld_link+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-ldld  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char dld_link ();
+int
+main ()
+{
+return dld_link ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_dld_dld_link=yes
+else
+  ac_cv_lib_dld_dld_link=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dld_dld_link" >&5
+$as_echo "$ac_cv_lib_dld_dld_link" >&6; }
+if test "x$ac_cv_lib_dld_dld_link" = xyes; then :
+  lt_cv_dlopen=dld_link lt_cv_dlopen_libs=-ldld
+fi
+
+
+fi
+
+
+fi
+
+
+fi
+
+
+fi
+
+
+fi
+
+    ;;
+  esac
+
+  if test no = "$lt_cv_dlopen"; then
+    enable_dlopen=no
+  else
+    enable_dlopen=yes
+  fi
+
+  case $lt_cv_dlopen in
+  dlopen)
+    save_CPPFLAGS=$CPPFLAGS
+    test yes = "$ac_cv_header_dlfcn_h" && CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H"
+
+    save_LDFLAGS=$LDFLAGS
+    wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\"
+
+    save_LIBS=$LIBS
+    LIBS="$lt_cv_dlopen_libs $LIBS"
+
+    { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether a program can dlopen itself" >&5
+$as_echo_n "checking whether a program can dlopen itself... " >&6; }
+if ${lt_cv_dlopen_self+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  	  if test yes = "$cross_compiling"; then :
+  lt_cv_dlopen_self=cross
+else
+  lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
+  lt_status=$lt_dlunknown
+  cat > conftest.$ac_ext <<_LT_EOF
+#line $LINENO "configure"
+#include "confdefs.h"
+
+#if HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
+
+#include <stdio.h>
+
+#ifdef RTLD_GLOBAL
+#  define LT_DLGLOBAL		RTLD_GLOBAL
+#else
+#  ifdef DL_GLOBAL
+#    define LT_DLGLOBAL		DL_GLOBAL
+#  else
+#    define LT_DLGLOBAL		0
+#  endif
+#endif
+
+/* We may have to define LT_DLLAZY_OR_NOW in the command line if we
+   find out it does not work in some platform. */
+#ifndef LT_DLLAZY_OR_NOW
+#  ifdef RTLD_LAZY
+#    define LT_DLLAZY_OR_NOW		RTLD_LAZY
+#  else
+#    ifdef DL_LAZY
+#      define LT_DLLAZY_OR_NOW		DL_LAZY
+#    else
+#      ifdef RTLD_NOW
+#        define LT_DLLAZY_OR_NOW	RTLD_NOW
+#      else
+#        ifdef DL_NOW
+#          define LT_DLLAZY_OR_NOW	DL_NOW
+#        else
+#          define LT_DLLAZY_OR_NOW	0
+#        endif
+#      endif
+#    endif
+#  endif
+#endif
+
+/* When -fvisibility=hidden is used, assume the code has been annotated
+   correspondingly for the symbols needed.  */
+#if defined __GNUC__ && (((__GNUC__ == 3) && (__GNUC_MINOR__ >= 3)) || (__GNUC__ > 3))
+int fnord () __attribute__((visibility("default")));
+#endif
+
+int fnord () { return 42; }
+int main ()
+{
+  void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
+  int status = $lt_dlunknown;
+
+  if (self)
+    {
+      if (dlsym (self,"fnord"))       status = $lt_dlno_uscore;
+      else
+        {
+	  if (dlsym( self,"_fnord"))  status = $lt_dlneed_uscore;
+          else puts (dlerror ());
+	}
+      /* dlclose (self); */
+    }
+  else
+    puts (dlerror ());
+
+  return status;
+}
+_LT_EOF
+  if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_link\""; } >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } && test -s "conftest$ac_exeext" 2>/dev/null; then
+    (./conftest; exit; ) >&5 2>/dev/null
+    lt_status=$?
+    case x$lt_status in
+      x$lt_dlno_uscore) lt_cv_dlopen_self=yes ;;
+      x$lt_dlneed_uscore) lt_cv_dlopen_self=yes ;;
+      x$lt_dlunknown|x*) lt_cv_dlopen_self=no ;;
+    esac
+  else :
+    # compilation failed
+    lt_cv_dlopen_self=no
+  fi
+fi
+rm -fr conftest*
+
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_dlopen_self" >&5
+$as_echo "$lt_cv_dlopen_self" >&6; }
+
+    if test yes = "$lt_cv_dlopen_self"; then
+      wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $lt_prog_compiler_static\"
+      { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether a statically linked program can dlopen itself" >&5
+$as_echo_n "checking whether a statically linked program can dlopen itself... " >&6; }
+if ${lt_cv_dlopen_self_static+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  	  if test yes = "$cross_compiling"; then :
+  lt_cv_dlopen_self_static=cross
+else
+  lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
+  lt_status=$lt_dlunknown
+  cat > conftest.$ac_ext <<_LT_EOF
+#line $LINENO "configure"
+#include "confdefs.h"
+
+#if HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
+
+#include <stdio.h>
+
+#ifdef RTLD_GLOBAL
+#  define LT_DLGLOBAL		RTLD_GLOBAL
+#else
+#  ifdef DL_GLOBAL
+#    define LT_DLGLOBAL		DL_GLOBAL
+#  else
+#    define LT_DLGLOBAL		0
+#  endif
+#endif
+
+/* We may have to define LT_DLLAZY_OR_NOW in the command line if we
+   find out it does not work in some platform. */
+#ifndef LT_DLLAZY_OR_NOW
+#  ifdef RTLD_LAZY
+#    define LT_DLLAZY_OR_NOW		RTLD_LAZY
+#  else
+#    ifdef DL_LAZY
+#      define LT_DLLAZY_OR_NOW		DL_LAZY
+#    else
+#      ifdef RTLD_NOW
+#        define LT_DLLAZY_OR_NOW	RTLD_NOW
+#      else
+#        ifdef DL_NOW
+#          define LT_DLLAZY_OR_NOW	DL_NOW
+#        else
+#          define LT_DLLAZY_OR_NOW	0
+#        endif
+#      endif
+#    endif
+#  endif
+#endif
+
+/* When -fvisibility=hidden is used, assume the code has been annotated
+   correspondingly for the symbols needed.  */
+#if defined __GNUC__ && (((__GNUC__ == 3) && (__GNUC_MINOR__ >= 3)) || (__GNUC__ > 3))
+int fnord () __attribute__((visibility("default")));
+#endif
+
+int fnord () { return 42; }
+int main ()
+{
+  void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
+  int status = $lt_dlunknown;
+
+  if (self)
+    {
+      if (dlsym (self,"fnord"))       status = $lt_dlno_uscore;
+      else
+        {
+	  if (dlsym( self,"_fnord"))  status = $lt_dlneed_uscore;
+          else puts (dlerror ());
+	}
+      /* dlclose (self); */
+    }
+  else
+    puts (dlerror ());
+
+  return status;
+}
+_LT_EOF
+  if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_link\""; } >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } && test -s "conftest$ac_exeext" 2>/dev/null; then
+    (./conftest; exit; ) >&5 2>/dev/null
+    lt_status=$?
+    case x$lt_status in
+      x$lt_dlno_uscore) lt_cv_dlopen_self_static=yes ;;
+      x$lt_dlneed_uscore) lt_cv_dlopen_self_static=yes ;;
+      x$lt_dlunknown|x*) lt_cv_dlopen_self_static=no ;;
+    esac
+  else :
+    # compilation failed
+    lt_cv_dlopen_self_static=no
+  fi
+fi
+rm -fr conftest*
+
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_dlopen_self_static" >&5
+$as_echo "$lt_cv_dlopen_self_static" >&6; }
+    fi
+
+    CPPFLAGS=$save_CPPFLAGS
+    LDFLAGS=$save_LDFLAGS
+    LIBS=$save_LIBS
+    ;;
+  esac
+
+  case $lt_cv_dlopen_self in
+  yes|no) enable_dlopen_self=$lt_cv_dlopen_self ;;
+  *) enable_dlopen_self=unknown ;;
+  esac
+
+  case $lt_cv_dlopen_self_static in
+  yes|no) enable_dlopen_self_static=$lt_cv_dlopen_self_static ;;
+  *) enable_dlopen_self_static=unknown ;;
+  esac
+fi
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+striplib=
+old_striplib=
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether stripping libraries is possible" >&5
+$as_echo_n "checking whether stripping libraries is possible... " >&6; }
+if test -n "$STRIP" && $STRIP -V 2>&1 | $GREP "GNU strip" >/dev/null; then
+  test -z "$old_striplib" && old_striplib="$STRIP --strip-debug"
+  test -z "$striplib" && striplib="$STRIP --strip-unneeded"
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+# FIXME - insert some real tests, host_os isn't really good enough
+  case $host_os in
+  darwin*)
+    if test -n "$STRIP"; then
+      striplib="$STRIP -x"
+      old_striplib="$STRIP -S"
+      { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+    else
+      { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+    fi
+    ;;
+  *)
+    { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+    ;;
+  esac
+fi
+
+
+
+
+
+
+
+
+
+
+
+
+  # Report what library types will actually be built
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking if libtool supports shared libraries" >&5
+$as_echo_n "checking if libtool supports shared libraries... " >&6; }
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $can_build_shared" >&5
+$as_echo "$can_build_shared" >&6; }
+
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build shared libraries" >&5
+$as_echo_n "checking whether to build shared libraries... " >&6; }
+  test no = "$can_build_shared" && enable_shared=no
+
+  # On AIX, shared libraries and static libraries use the same namespace, and
+  # are all built from PIC.
+  case $host_os in
+  aix3*)
+    test yes = "$enable_shared" && enable_static=no
+    if test -n "$RANLIB"; then
+      archive_cmds="$archive_cmds~\$RANLIB \$lib"
+      postinstall_cmds='$RANLIB $lib'
+    fi
+    ;;
+
+  aix[4-9]*)
+    if test ia64 != "$host_cpu"; then
+      case $enable_shared,$with_aix_soname,$aix_use_runtimelinking in
+      yes,aix,yes) ;;			# shared object as lib.so file only
+      yes,svr4,*) ;;			# shared object as lib.so archive member only
+      yes,*) enable_static=no ;;	# shared object in lib.a archive as well
+      esac
+    fi
+    ;;
+  esac
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $enable_shared" >&5
+$as_echo "$enable_shared" >&6; }
+
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build static libraries" >&5
+$as_echo_n "checking whether to build static libraries... " >&6; }
+  # Make sure either enable_shared or enable_static is yes.
+  test yes = "$enable_shared" || enable_static=yes
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $enable_static" >&5
+$as_echo "$enable_static" >&6; }
+
+
+
+
+fi
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+CC=$lt_save_CC
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+        ac_config_commands="$ac_config_commands libtool"
+
+
+
+
+# Only expand once:
+
+
+# Find a good install program.  We prefer a C program (faster),
+# so one script is as good as another.  But avoid the broken or
+# incompatible versions:
+# SysV /etc/install, /usr/sbin/install
+# SunOS /usr/etc/install
+# IRIX /sbin/install
+# AIX /bin/install
+# AmigaOS /C/install, which installs bootblocks on floppy discs
+# AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag
+# AFS /usr/afsws/bin/install, which mishandles nonexistent args
+# SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff"
+# OS/2's system install, which has a completely different semantic
+# ./install, which can be erroneously created by make from ./install.sh.
+# Reject install programs that cannot install multiple files.
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for a BSD-compatible install" >&5
+$as_echo_n "checking for a BSD-compatible install... " >&6; }
+if test -z "$INSTALL"; then
+if ${ac_cv_path_install+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    # Account for people who put trailing slashes in PATH elements.
+case $as_dir/ in #((
+  ./ | .// | /[cC]/* | \
+  /etc/* | /usr/sbin/* | /usr/etc/* | /sbin/* | /usr/afsws/bin/* | \
+  ?:[\\/]os2[\\/]install[\\/]* | ?:[\\/]OS2[\\/]INSTALL[\\/]* | \
+  /usr/ucb/* ) ;;
+  *)
+    # OSF1 and SCO ODT 3.0 have their own names for install.
+    # Don't use installbsd from OSF since it installs stuff as root
+    # by default.
+    for ac_prog in ginstall scoinst install; do
+      for ac_exec_ext in '' $ac_executable_extensions; do
+	if as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext"; then
+	  if test $ac_prog = install &&
+	    grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then
+	    # AIX install.  It has an incompatible calling convention.
+	    :
+	  elif test $ac_prog = install &&
+	    grep pwplus "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then
+	    # program-specific install script used by HP pwplus--don't use.
+	    :
+	  else
+	    rm -rf conftest.one conftest.two conftest.dir
+	    echo one > conftest.one
+	    echo two > conftest.two
+	    mkdir conftest.dir
+	    if "$as_dir/$ac_prog$ac_exec_ext" -c conftest.one conftest.two "`pwd`/conftest.dir" &&
+	      test -s conftest.one && test -s conftest.two &&
+	      test -s conftest.dir/conftest.one &&
+	      test -s conftest.dir/conftest.two
+	    then
+	      ac_cv_path_install="$as_dir/$ac_prog$ac_exec_ext -c"
+	      break 3
+	    fi
+	  fi
+	fi
+      done
+    done
+    ;;
+esac
+
+  done
+IFS=$as_save_IFS
+
+rm -rf conftest.one conftest.two conftest.dir
+
+fi
+  if test "${ac_cv_path_install+set}" = set; then
+    INSTALL=$ac_cv_path_install
+  else
+    # As a last resort, use the slow shell script.  Don't cache a
+    # value for INSTALL within a source directory, because that will
+    # break other packages using the cache if that directory is
+    # removed, or if the value is a relative name.
+    INSTALL=$ac_install_sh
+  fi
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $INSTALL" >&5
+$as_echo "$INSTALL" >&6; }
+
+# Use test -z because SunOS4 sh mishandles braces in ${var-val}.
+# It thinks the first close brace ends the variable substitution.
+test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}'
+
+test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL}'
+
+test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644'
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ln -s works" >&5
+$as_echo_n "checking whether ln -s works... " >&6; }
+LN_S=$as_ln_s
+if test "$LN_S" = "ln -s"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no, using $LN_S" >&5
+$as_echo "no, using $LN_S" >&6; }
+fi
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for a POSIX-compatible shell" >&5
+$as_echo_n "checking for a POSIX-compatible shell... " >&6; }
+if ${ac_cv_prog_shell+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_test_shell_script='
+			  test "$(expr 1 + 1)" = "2" &&
+			  test "$(( 1 + 1 ))" = "2"
+			  '
+
+			  for ac_cv_prog_shell in \
+			    "$CONFIG_SHELL" "$SHELL" /bin/sh /bin/bash /bin/ksh /bin/sh5 no; do
+			    case $ac_cv_prog_shell in #(
+  /*) :
+
+				      if "$ac_cv_prog_shell" -c "$ac_test_shell_script" 2>/dev/null; then :
+  break
+fi
+				     ;; #(
+  *) :
+     ;;
+esac
+			  done
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_shell" >&5
+$as_echo "$ac_cv_prog_shell" >&6; }
+	  if test "$ac_cv_prog_shell" = "no"; then :
+  SHELL=/bin/sh
+		 { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using $SHELL, even though it does not conform to POSIX" >&5
+$as_echo "$as_me: WARNING: using $SHELL, even though it does not conform to POSIX" >&2;}
+
+else
+  SHELL="$ac_cv_prog_shell"
+
+fi
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for a thread-safe mkdir -p" >&5
+$as_echo_n "checking for a thread-safe mkdir -p... " >&6; }
+if test -z "$MKDIR_P"; then
+  if ${ac_cv_path_mkdir+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH$PATH_SEPARATOR/opt/sfw/bin
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_prog in mkdir gmkdir; do
+	 for ac_exec_ext in '' $ac_executable_extensions; do
+	   as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext" || continue
+	   case `"$as_dir/$ac_prog$ac_exec_ext" --version 2>&1` in #(
+	     'mkdir (GNU coreutils) '* | \
+	     'mkdir (coreutils) '* | \
+	     'mkdir (fileutils) '4.1*)
+	       ac_cv_path_mkdir=$as_dir/$ac_prog$ac_exec_ext
+	       break 3;;
+	   esac
+	 done
+       done
+  done
+IFS=$as_save_IFS
+
+fi
+
+  test -d ./--version && rmdir ./--version
+  if test "${ac_cv_path_mkdir+set}" = set; then
+    MKDIR_P="$ac_cv_path_mkdir -p"
+  else
+    # As a last resort, use the slow shell script.  Don't cache a
+    # value for MKDIR_P within a source directory, because that will
+    # break other packages using the cache if that directory is
+    # removed, or if the value is a relative name.
+    MKDIR_P="$ac_install_sh -d"
+  fi
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $MKDIR_P" >&5
+$as_echo "$MKDIR_P" >&6; }
+
+
+
+
+
+
+
+
+
+#
+# Use pkg-config
+#
+
+
+
+
+
+
+
+
+if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then
+	if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args.
+set dummy ${ac_tool_prefix}pkg-config; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_PKG_CONFIG+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $PKG_CONFIG in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_PKG_CONFIG="$PKG_CONFIG" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+PKG_CONFIG=$ac_cv_path_PKG_CONFIG
+if test -n "$PKG_CONFIG"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PKG_CONFIG" >&5
+$as_echo "$PKG_CONFIG" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_path_PKG_CONFIG"; then
+  ac_pt_PKG_CONFIG=$PKG_CONFIG
+  # Extract the first word of "pkg-config", so it can be a program name with args.
+set dummy pkg-config; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_ac_pt_PKG_CONFIG+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $ac_pt_PKG_CONFIG in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_ac_pt_PKG_CONFIG="$ac_pt_PKG_CONFIG" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_ac_pt_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+ac_pt_PKG_CONFIG=$ac_cv_path_ac_pt_PKG_CONFIG
+if test -n "$ac_pt_PKG_CONFIG"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_pt_PKG_CONFIG" >&5
+$as_echo "$ac_pt_PKG_CONFIG" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+  if test "x$ac_pt_PKG_CONFIG" = x; then
+    PKG_CONFIG=""
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
+ac_tool_warned=yes ;;
+esac
+    PKG_CONFIG=$ac_pt_PKG_CONFIG
+  fi
+else
+  PKG_CONFIG="$ac_cv_path_PKG_CONFIG"
+fi
+
+fi
+if test -n "$PKG_CONFIG"; then
+	_pkg_min_version=0.9.0
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking pkg-config is at least version $_pkg_min_version" >&5
+$as_echo_n "checking pkg-config is at least version $_pkg_min_version... " >&6; }
+	if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+	else
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+		PKG_CONFIG=""
+	fi
+fi
+if test -z "$PKG_CONFIG"; then :
+  as_fn_error $? "The pkg-config script could not be found or is too old." "$LINENO" 5
+fi
+
+# [pairwise: --enable-buffer-useinline, --disable-buffer-useinline]
+# Check whether --enable-buffer_useinline was given.
+if test "${enable_buffer_useinline+set}" = set; then :
+  enableval=$enable_buffer_useinline; if test yes = "${enable}"
+	      then
+
+$as_echo "#define ISC_BUFFER_USEINLINE 1" >>confdefs.h
+
+	      fi
+else
+  $as_echo "#define ISC_BUFFER_USEINLINE 1" >>confdefs.h
+
+fi
+
+
+# [pairwise: --enable-warn-shadow, --disable-warn-shadow]
+# Check whether --enable-warn_shadow was given.
+if test "${enable_warn_shadow+set}" = set; then :
+  enableval=$enable_warn_shadow;
+fi
+
+
+# [pairwise: --enable-warn-error, --disable-warn-error]
+# Check whether --enable-warn_error was given.
+if test "${enable_warn_error+set}" = set; then :
+  enableval=$enable_warn_error;
+fi
+
+
+# [pairwise: --enable-developer, --disable-developer]
+# Check whether --enable-developer was given.
+if test "${enable_developer+set}" = set; then :
+  enableval=$enable_developer;
+fi
+
+
+XTARGETS=
+if test "$enable_developer" = "yes"; then :
+  STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1"
+       test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
+       test "${enable_querytrace+set}" = set || enable_querytrace=yes
+       test "${with_cmocka+set}" = set || with_cmocka=yes
+       test "${with_dlz_filesystem+set}" = set || with_dlz_filesystem=yes
+       test "${enable_symtable+set}" = set || enable_symtable=all
+       test "${enable_warn_error+set}" = set || enable_warn_error=yes
+       test "${enable_warn_shadow+set}" = set || enable_warn_shadow=yes
+       test "${with_zlib+set}" = set || with_zlib=yes
+       XTARGETS='${XTARGETS}'
+
+fi
+
+
+# Fuzzing is not included in pairwise testing as fuzzing tools are
+# not present in the relevant Docker image.
+#
+# [pairwise: skip]
+# Check whether --enable-fuzzing was given.
+if test "${enable_fuzzing+set}" = set; then :
+  enableval=$enable_fuzzing;
+else
+  enable_fuzzing=no
+fi
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to enable fuzzing mode" >&5
+$as_echo_n "checking whether to enable fuzzing mode... " >&6; }
+case $enable_fuzzing in #(
+  no) :
+    { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; } ;; #(
+  afl) :
+
+	  { $as_echo "$as_me:${as_lineno-$LINENO}: result: using AFL" >&5
+$as_echo "using AFL" >&6; }
+
+$as_echo "#define ENABLE_AFL 1" >>confdefs.h
+
+	  CFLAGS="$CFLAGS -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1"
+	  LIBS="$LIBS -lpthread" ;; #(
+  libfuzzer) :
+
+	  { $as_echo "$as_me:${as_lineno-$LINENO}: result: using libFuzzer" >&5
+$as_echo "using libFuzzer" >&6; }
+	  CFLAGS="$CFLAGS -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1 -fsanitize=fuzzer,address,undefined"
+	  LDFLAGS="$LDFLAGS -fsanitize=fuzzer,address,undefined" ;; #(
+  *) :
+    as_fn_error $? "You need to explicitly select the fuzzer" "$LINENO" 5 ;; #(
+  *) :
+     ;;
+esac
+
+if test "$enable_fuzzing" = "afl"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking \"for AFL enabled compiler\"" >&5
+$as_echo_n "checking \"for AFL enabled compiler\"... " >&6; }
+       cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+#ifndef __AFL_COMPILER
+					   #error AFL compiler required
+					   #endif
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+  as_fn_error $? "set CC=afl-<gcc|clang> when --enable-fuzzing=afl is used" "$LINENO" 5
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
+fi
+
+#
+# Make very sure that these are the first files processed by
+# config.status, since we use the processed output as the input for
+# AC_SUBST_FILE() substitutions in other files.
+#
+ac_config_files="$ac_config_files make/rules make/includes"
+
+
+# Extract the first word of "ar", so it can be a program name with args.
+set dummy ar; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_AR+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $AR in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_AR="$AR" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_AR="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+AR=$ac_cv_path_AR
+if test -n "$AR"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $AR" >&5
+$as_echo "$AR" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+ARFLAGS="cruv"
+
+
+
+# The POSIX ln(1) program.  Non-POSIX systems may substitute
+# "copy" or something.
+LN=ln
+
+
+case "$AR" in
+	"")
+		as_fn_error $? "
+ar program not found.  Please fix your PATH to include the directory in
+which ar resides, or set AR in the environment with the full path to ar.
+" "$LINENO" 5
+
+		;;
+esac
+
+#
+# Look for w3m
+#
+for ac_prog in w3m
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_W3M+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $W3M in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_W3M="$W3M" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_W3M="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+W3M=$ac_cv_path_W3M
+if test -n "$W3M"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $W3M" >&5
+$as_echo "$W3M" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+  test -n "$W3M" && break
+done
+test -n "$W3M" || W3M="w3m"
+
+
+
+#
+# Look for pandoc
+#
+# Extract the first word of "pandoc", so it can be a program name with args.
+set dummy pandoc; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_PANDOC+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $PANDOC in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_PANDOC="$PANDOC" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_PANDOC="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  test -z "$ac_cv_path_PANDOC" && ac_cv_path_PANDOC="pandoc"
+  ;;
+esac
+fi
+PANDOC=$ac_cv_path_PANDOC
+if test -n "$PANDOC"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PANDOC" >&5
+$as_echo "$PANDOC" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+
+
+#
+# Perl is optional; it is used only by some of the system test scripts.
+# Note: the backtrace feature (see below) uses perl to build the symbol table,
+# but it still compiles without perl, in which case an empty table will be used.
+#
+for ac_prog in perl5 perl
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_PERL+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $PERL in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_PERL="$PERL" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_PERL="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+PERL=$ac_cv_path_PERL
+if test -n "$PERL"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PERL" >&5
+$as_echo "$PERL" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+  test -n "$PERL" && break
+done
+
+
+
+#
+# Python is also optional but required by default so that dnssec-keymgr gets
+# installed unless explicitly prevented by the user using --without-python.
+#
+testminvers='import sys
+if (sys.version_info < (2,7)) or (sys.version_info < (3,2) and sys.version_info >= (3,0)):
+   exit(1)'
+
+testargparse='try: import argparse
+except: exit(1)'
+
+testply='try: import ply
+except: exit(1)'
+
+testsetuptools='try: from setuptools import setup
+except: exit(1)'
+
+testdistutils='try: from distutils.core import setup
+except: exit(1)'
+
+default_with_python="python python3 python3.11 python3.10 python3.9 python3.8 python3.7 python3.6 python3.5 python3.4 python3.3 python3.2 python2 python2.7"
+
+
+
+# [pairwise: --with-python, --without-python]
+
+# Check whether --with-python was given.
+if test "${with_python+set}" = set; then :
+  withval=$with_python;
+else
+  with_python=$default_with_python
+fi
+
+
+# [pairwise: skip]
+
+# Check whether --with-python-install-dir was given.
+if test "${with_python_install_dir+set}" = set; then :
+  withval=$with_python_install_dir;
+else
+  with_python_install_dir=""
+fi
+
+
+if test "$with_python" = "yes"; then :
+  with_python=$default_with_python
+fi
+
+if test "$with_python" = "no"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Python support" >&5
+$as_echo_n "checking for Python support... " >&6; }
+       unset PYTHON
+       { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
+$as_echo "disabled" >&6; }
+else
+  for p in $with_python
+       do
+	 case $p in #(
+  /*) :
+    PYTHON="$p" ;; #(
+  *) :
+     ;;
+esac
+
+	 # Extract the first word of "$p", so it can be a program name with args.
+set dummy $p; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_PYTHON+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $PYTHON in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_PYTHON="$PYTHON" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_PYTHON="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+PYTHON=$ac_cv_path_PYTHON
+if test -n "$PYTHON"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PYTHON" >&5
+$as_echo "$PYTHON" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+	 # Do not cache the result of the check from the previous line.  If the
+	 # first found Python interpreter has missing module dependencies and
+	 # the result of the above check is cached, subsequent module checks
+	 # will erroneously keep on using the cached path to the first found
+	 # Python interpreter instead of different ones.
+	 unset ac_cv_path_PYTHON
+
+	 if test -z "$PYTHON"; then :
+  continue
+fi
+
+	 { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $PYTHON is python2 version >= 2.7 or python3 version >= 3.2" >&5
+$as_echo_n "checking if $PYTHON is python2 version >= 2.7 or python3 version >= 3.2... " >&6; }
+	 if "$PYTHON" -c "$testminvers" 2>/dev/null; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+		unset PYTHON
+		continue
+fi
+
+	 { $as_echo "$as_me:${as_lineno-$LINENO}: checking Python module 'argparse'" >&5
+$as_echo_n "checking Python module 'argparse'... " >&6; }
+	 if "$PYTHON" -c "$testargparse" 2>/dev/null; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+		unset PYTHON
+		continue
+fi
+
+	 { $as_echo "$as_me:${as_lineno-$LINENO}: checking Python module 'ply'" >&5
+$as_echo_n "checking Python module 'ply'... " >&6; }
+	 if "$PYTHON" -c "$testply" 2>/dev/null; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+		unset PYTHON
+		continue
+fi
+
+	 { $as_echo "$as_me:${as_lineno-$LINENO}: checking Python module 'setuptools'" >&5
+$as_echo_n "checking Python module 'setuptools'... " >&6; }
+	 if "$PYTHON" -c "$testsetuptools" 2>/dev/null; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking Python module 'distutils'" >&5
+$as_echo_n "checking Python module 'distutils'... " >&6; }
+		if "$PYTHON" -c "$testdistutils" 2>/dev/null; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+		       unset PYTHON
+		       continue
+fi
+fi
+
+	 # Stop looking any further once we find a Python interpreter
+	 # satisfying all requirements.
+	 break
+       done
+
+       if test "X$PYTHON" = "X"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Python support" >&5
+$as_echo_n "checking for Python support... " >&6; }
+	      { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+	      as_fn_error $? "Python >= 2.7 or >= 3.2 and the PLY package are required for dnssec-keymgr and other Python-based tools. PLY may be available from your OS package manager as python-ply or python3-ply; it can also be installed via pip. To build without Python/PLY, use --without-python." "$LINENO" 5
+fi
+fi
+
+PYTHON_TOOLS=''
+CHECKDS=''
+COVERAGE=''
+KEYMGR=''
+if test "X$PYTHON" != "X"; then :
+  PYTHON_TOOLS=python
+       CHECKDS=checkdstool
+       COVERAGE=coverage
+       KEYMGR=keymgr
+       PYTHON_INSTALL_DIR="$with_python_install_dir"
+       if test -n "$with_python_install_dir"; then :
+  PYTHON_INSTALL_LIB="--install-lib=$with_python_install_dir"
+fi
+fi
+
+
+
+
+
+
+
+#
+# expanded_sysconfdir is needed for replacement in the python utilities
+#
+expanded_sysconfdir=`eval echo $sysconfdir`
+
+
+#
+# Make sure INSTALL uses an absolute path, else it will be wrong in all
+# Makefiles, since they use make/rules.in and INSTALL will be adjusted by
+# configure based on the location of the file where it is substituted.
+# Since in BIND9 INSTALL is only substituted into make/rules.in, an immediate
+# subdirectory of install-sh, This relative path will be wrong for all
+# directories more than one level down from install-sh.
+#
+case "$INSTALL" in
+	/*)
+		;;
+	*)
+		#
+		# Not all systems have dirname.
+		#
+
+		ac_dir="`echo $INSTALL | sed 's%/[^/]*$%%'`"
+
+
+		ac_prog="`echo $INSTALL | sed 's%.*/%%'`"
+		test "X$ac_dir" = "X$ac_prog" && ac_dir=.
+		test -d "$ac_dir" && ac_dir="`(cd \"$ac_dir\" && pwd)`"
+		INSTALL="$ac_dir/$ac_prog"
+		;;
+esac
+
+for ac_prog in pytest-3 py.test-3 pytest py.test pytest-pypy
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_PYTEST+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $PYTEST in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_PYTEST="$PYTEST" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_PYTEST="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+PYTEST=$ac_cv_path_PYTEST
+if test -n "$PYTEST"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PYTEST" >&5
+$as_echo "$PYTEST" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+  test -n "$PYTEST" && break
+done
+
+if test -z "$PYTEST"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: pytest not found, some system tests will be skipped" >&5
+$as_echo "$as_me: WARNING: pytest not found, some system tests will be skipped" >&2;}
+fi
+
+
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args.
+set dummy ${ac_tool_prefix}gcc; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_CC+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$CC"; then
+  ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_CC="${ac_tool_prefix}gcc"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
+$as_echo "$CC" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_prog_CC"; then
+  ac_ct_CC=$CC
+  # Extract the first word of "gcc", so it can be a program name with args.
+set dummy gcc; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_ac_ct_CC+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$ac_ct_CC"; then
+  ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_ac_ct_CC="gcc"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_CC=$ac_cv_prog_ac_ct_CC
+if test -n "$ac_ct_CC"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5
+$as_echo "$ac_ct_CC" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+  if test "x$ac_ct_CC" = x; then
+    CC=""
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
+ac_tool_warned=yes ;;
+esac
+    CC=$ac_ct_CC
+  fi
+else
+  CC="$ac_cv_prog_CC"
+fi
+
+if test -z "$CC"; then
+          if test -n "$ac_tool_prefix"; then
+    # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args.
+set dummy ${ac_tool_prefix}cc; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_CC+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$CC"; then
+  ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_CC="${ac_tool_prefix}cc"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
+$as_echo "$CC" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+  fi
+fi
+if test -z "$CC"; then
+  # Extract the first word of "cc", so it can be a program name with args.
+set dummy cc; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_CC+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$CC"; then
+  ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+  ac_prog_rejected=no
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
+       ac_prog_rejected=yes
+       continue
+     fi
+    ac_cv_prog_CC="cc"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+if test $ac_prog_rejected = yes; then
+  # We found a bogon in the path, so make sure we never use it.
+  set dummy $ac_cv_prog_CC
+  shift
+  if test $# != 0; then
+    # We chose a different compiler from the bogus one.
+    # However, it has the same basename, so the bogon will be chosen
+    # first if we set CC to just the basename; use the full file name.
+    shift
+    ac_cv_prog_CC="$as_dir/$ac_word${1+' '}$@"
+  fi
+fi
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
+$as_echo "$CC" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+fi
+if test -z "$CC"; then
+  if test -n "$ac_tool_prefix"; then
+  for ac_prog in cl.exe
+  do
+    # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
+set dummy $ac_tool_prefix$ac_prog; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_CC+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$CC"; then
+  ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
+$as_echo "$CC" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+    test -n "$CC" && break
+  done
+fi
+if test -z "$CC"; then
+  ac_ct_CC=$CC
+  for ac_prog in cl.exe
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_ac_ct_CC+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$ac_ct_CC"; then
+  ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_ac_ct_CC="$ac_prog"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_CC=$ac_cv_prog_ac_ct_CC
+if test -n "$ac_ct_CC"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5
+$as_echo "$ac_ct_CC" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+  test -n "$ac_ct_CC" && break
+done
+
+  if test "x$ac_ct_CC" = x; then
+    CC=""
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
+ac_tool_warned=yes ;;
+esac
+    CC=$ac_ct_CC
+  fi
+fi
+
+fi
+
+
+test -z "$CC" && { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "no acceptable C compiler found in \$PATH
+See \`config.log' for more details" "$LINENO" 5; }
+
+# Provide some information about the compiler.
+$as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler version" >&5
+set X $ac_compile
+ac_compiler=$2
+for ac_option in --version -v -V -qversion; do
+  { { ac_try="$ac_compiler $ac_option >&5"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+  (eval "$ac_compiler $ac_option >&5") 2>conftest.err
+  ac_status=$?
+  if test -s conftest.err; then
+    sed '10a\
+... rest of stderr output deleted ...
+         10q' conftest.err >conftest.er1
+    cat conftest.er1 >&5
+  fi
+  rm -f conftest.er1 conftest.err
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+done
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using the GNU C compiler" >&5
+$as_echo_n "checking whether we are using the GNU C compiler... " >&6; }
+if ${ac_cv_c_compiler_gnu+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+#ifndef __GNUC__
+       choke me
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  ac_compiler_gnu=yes
+else
+  ac_compiler_gnu=no
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ac_cv_c_compiler_gnu=$ac_compiler_gnu
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_compiler_gnu" >&5
+$as_echo "$ac_cv_c_compiler_gnu" >&6; }
+if test $ac_compiler_gnu = yes; then
+  GCC=yes
+else
+  GCC=
+fi
+ac_test_CFLAGS=${CFLAGS+set}
+ac_save_CFLAGS=$CFLAGS
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -g" >&5
+$as_echo_n "checking whether $CC accepts -g... " >&6; }
+if ${ac_cv_prog_cc_g+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_save_c_werror_flag=$ac_c_werror_flag
+   ac_c_werror_flag=yes
+   ac_cv_prog_cc_g=no
+   CFLAGS="-g"
+   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  ac_cv_prog_cc_g=yes
+else
+  CFLAGS=""
+      cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+
+else
+  ac_c_werror_flag=$ac_save_c_werror_flag
+	 CFLAGS="-g"
+	 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  ac_cv_prog_cc_g=yes
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+   ac_c_werror_flag=$ac_save_c_werror_flag
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_g" >&5
+$as_echo "$ac_cv_prog_cc_g" >&6; }
+if test "$ac_test_CFLAGS" = set; then
+  CFLAGS=$ac_save_CFLAGS
+elif test $ac_cv_prog_cc_g = yes; then
+  if test "$GCC" = yes; then
+    CFLAGS="-g -O2"
+  else
+    CFLAGS="-g"
+  fi
+else
+  if test "$GCC" = yes; then
+    CFLAGS="-O2"
+  else
+    CFLAGS=
+  fi
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $CC option to accept ISO C89" >&5
+$as_echo_n "checking for $CC option to accept ISO C89... " >&6; }
+if ${ac_cv_prog_cc_c89+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_cv_prog_cc_c89=no
+ac_save_CC=$CC
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <stdarg.h>
+#include <stdio.h>
+struct stat;
+/* Most of the following tests are stolen from RCS 5.7's src/conf.sh.  */
+struct buf { int x; };
+FILE * (*rcsopen) (struct buf *, struct stat *, int);
+static char *e (p, i)
+     char **p;
+     int i;
+{
+  return p[i];
+}
+static char *f (char * (*g) (char **, int), char **p, ...)
+{
+  char *s;
+  va_list v;
+  va_start (v,p);
+  s = g (p, va_arg (v,int));
+  va_end (v);
+  return s;
+}
+
+/* OSF 4.0 Compaq cc is some sort of almost-ANSI by default.  It has
+   function prototypes and stuff, but not '\xHH' hex character constants.
+   These don't provoke an error unfortunately, instead are silently treated
+   as 'x'.  The following induces an error, until -std is added to get
+   proper ANSI mode.  Curiously '\x00'!='x' always comes out true, for an
+   array size at least.  It's necessary to write '\x00'==0 to get something
+   that's true only with -std.  */
+int osf4_cc_array ['\x00' == 0 ? 1 : -1];
+
+/* IBM C 6 for AIX is almost-ANSI by default, but it replaces macro parameters
+   inside strings and character constants.  */
+#define FOO(x) 'x'
+int xlc6_cc_array[FOO(a) == 'x' ? 1 : -1];
+
+int test (int i, double x);
+struct s1 {int (*f) (int a);};
+struct s2 {int (*f) (double a);};
+int pairnames (int, char **, FILE *(*)(struct buf *, struct stat *, int), int, int);
+int argc;
+char **argv;
+int
+main ()
+{
+return f (e, argv, 0) != argv[0]  ||  f (e, argv, 1) != argv[1];
+  ;
+  return 0;
+}
+_ACEOF
+for ac_arg in '' -qlanglvl=extc89 -qlanglvl=ansi -std \
+	-Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__"
+do
+  CC="$ac_save_CC $ac_arg"
+  if ac_fn_c_try_compile "$LINENO"; then :
+  ac_cv_prog_cc_c89=$ac_arg
+fi
+rm -f core conftest.err conftest.$ac_objext
+  test "x$ac_cv_prog_cc_c89" != "xno" && break
+done
+rm -f conftest.$ac_ext
+CC=$ac_save_CC
+
+fi
+# AC_CACHE_VAL
+case "x$ac_cv_prog_cc_c89" in
+  x)
+    { $as_echo "$as_me:${as_lineno-$LINENO}: result: none needed" >&5
+$as_echo "none needed" >&6; } ;;
+  xno)
+    { $as_echo "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5
+$as_echo "unsupported" >&6; } ;;
+  *)
+    CC="$CC $ac_cv_prog_cc_c89"
+    { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c89" >&5
+$as_echo "$ac_cv_prog_cc_c89" >&6; } ;;
+esac
+if test "x$ac_cv_prog_cc_c89" != xno; then :
+
+fi
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $CC option to accept ISO C99" >&5
+$as_echo_n "checking for $CC option to accept ISO C99... " >&6; }
+if ${ac_cv_prog_cc_c99+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_cv_prog_cc_c99=no
+ac_save_CC=$CC
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <wchar.h>
+#include <stdio.h>
+
+// Check varargs macros.  These examples are taken from C99 6.10.3.5.
+#define debug(...) fprintf (stderr, __VA_ARGS__)
+#define showlist(...) puts (#__VA_ARGS__)
+#define report(test,...) ((test) ? puts (#test) : printf (__VA_ARGS__))
+static void
+test_varargs_macros (void)
+{
+  int x = 1234;
+  int y = 5678;
+  debug ("Flag");
+  debug ("X = %d\n", x);
+  showlist (The first, second, and third items.);
+  report (x>y, "x is %d but y is %d", x, y);
+}
+
+// Check long long types.
+#define BIG64 18446744073709551615ull
+#define BIG32 4294967295ul
+#define BIG_OK (BIG64 / BIG32 == 4294967297ull && BIG64 % BIG32 == 0)
+#if !BIG_OK
+  your preprocessor is broken;
+#endif
+#if BIG_OK
+#else
+  your preprocessor is broken;
+#endif
+static long long int bignum = -9223372036854775807LL;
+static unsigned long long int ubignum = BIG64;
+
+struct incomplete_array
+{
+  int datasize;
+  double data[];
+};
+
+struct named_init {
+  int number;
+  const wchar_t *name;
+  double average;
+};
+
+typedef const char *ccp;
+
+static inline int
+test_restrict (ccp restrict text)
+{
+  // See if C++-style comments work.
+  // Iterate through items via the restricted pointer.
+  // Also check for declarations in for loops.
+  for (unsigned int i = 0; *(text+i) != '\0'; ++i)
+    continue;
+  return 0;
+}
+
+// Check varargs and va_copy.
+static void
+test_varargs (const char *format, ...)
+{
+  va_list args;
+  va_start (args, format);
+  va_list args_copy;
+  va_copy (args_copy, args);
+
+  const char *str;
+  int number;
+  float fnumber;
+
+  while (*format)
+    {
+      switch (*format++)
+	{
+	case 's': // string
+	  str = va_arg (args_copy, const char *);
+	  break;
+	case 'd': // int
+	  number = va_arg (args_copy, int);
+	  break;
+	case 'f': // float
+	  fnumber = va_arg (args_copy, double);
+	  break;
+	default:
+	  break;
+	}
+    }
+  va_end (args_copy);
+  va_end (args);
+}
+
+int
+main ()
+{
+
+  // Check bool.
+  _Bool success = false;
+
+  // Check restrict.
+  if (test_restrict ("String literal") == 0)
+    success = true;
+  char *restrict newvar = "Another string";
+
+  // Check varargs.
+  test_varargs ("s, d' f .", "string", 65, 34.234);
+  test_varargs_macros ();
+
+  // Check flexible array members.
+  struct incomplete_array *ia =
+    malloc (sizeof (struct incomplete_array) + (sizeof (double) * 10));
+  ia->datasize = 10;
+  for (int i = 0; i < ia->datasize; ++i)
+    ia->data[i] = i * 1.234;
+
+  // Check named initializers.
+  struct named_init ni = {
+    .number = 34,
+    .name = L"Test wide string",
+    .average = 543.34343,
+  };
+
+  ni.number = 58;
+
+  int dynamic_array[ni.number];
+  dynamic_array[ni.number - 1] = 543;
+
+  // work around unused variable warnings
+  return (!success || bignum == 0LL || ubignum == 0uLL || newvar[0] == 'x'
+	  || dynamic_array[ni.number - 1] != 543);
+
+  ;
+  return 0;
+}
+_ACEOF
+for ac_arg in '' -std=gnu99 -std=c99 -c99 -AC99 -D_STDC_C99= -qlanglvl=extc99
+do
+  CC="$ac_save_CC $ac_arg"
+  if ac_fn_c_try_compile "$LINENO"; then :
+  ac_cv_prog_cc_c99=$ac_arg
+fi
+rm -f core conftest.err conftest.$ac_objext
+  test "x$ac_cv_prog_cc_c99" != "xno" && break
+done
+rm -f conftest.$ac_ext
+CC=$ac_save_CC
+
+fi
+# AC_CACHE_VAL
+case "x$ac_cv_prog_cc_c99" in
+  x)
+    { $as_echo "$as_me:${as_lineno-$LINENO}: result: none needed" >&5
+$as_echo "none needed" >&6; } ;;
+  xno)
+    { $as_echo "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5
+$as_echo "unsupported" >&6; } ;;
+  *)
+    CC="$CC $ac_cv_prog_cc_c99"
+    { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c99" >&5
+$as_echo "$ac_cv_prog_cc_c99" >&6; } ;;
+esac
+if test "x$ac_cv_prog_cc_c99" != xno; then :
+
+fi
+
+
+
+#
+# Using Solaris linker with gcc on Solaris breaks Thread Local Storage
+#
+case $host in #(
+  *-solaris*) :
+
+	    if test "$GCC" = "yes"; then :
+  LDFLAGS="$LDFLAGS -zrelax=transtls"
+		   { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: When using GNU C Compiler on Solaris, -zrelax=transtls linker flag is used to fix bug in Thread Local Storage" >&5
+$as_echo "$as_me: WARNING: When using GNU C Compiler on Solaris, -zrelax=transtls linker flag is used to fix bug in Thread Local Storage" >&2;}
+
+fi
+	 ;; #(
+  *-darwin*) :
+    LDFLAGS="$LDFLAGS -Wl,-flat_namespace" ;; #(
+  *) :
+     ;;
+esac
+
+#
+# CCNOOPT defaults to -O0 on gcc and disables optimization when is last
+#
+if test "X$CCNOOPT" = "X" -a "X$GCC" = "Xyes"; then
+	CCNOOPT="-O0"
+fi
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ANSI C header files" >&5
+$as_echo_n "checking for ANSI C header files... " >&6; }
+if ${ac_cv_header_stdc+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include <float.h>
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  ac_cv_header_stdc=yes
+else
+  ac_cv_header_stdc=no
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
+if test $ac_cv_header_stdc = yes; then
+  # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <string.h>
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  $EGREP "memchr" >/dev/null 2>&1; then :
+
+else
+  ac_cv_header_stdc=no
+fi
+rm -f conftest*
+
+fi
+
+if test $ac_cv_header_stdc = yes; then
+  # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <stdlib.h>
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  $EGREP "free" >/dev/null 2>&1; then :
+
+else
+  ac_cv_header_stdc=no
+fi
+rm -f conftest*
+
+fi
+
+if test $ac_cv_header_stdc = yes; then
+  # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi.
+  if test "$cross_compiling" = yes; then :
+  :
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <ctype.h>
+#include <stdlib.h>
+#if ((' ' & 0x0FF) == 0x020)
+# define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
+# define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
+#else
+# define ISLOWER(c) \
+		   (('a' <= (c) && (c) <= 'i') \
+		     || ('j' <= (c) && (c) <= 'r') \
+		     || ('s' <= (c) && (c) <= 'z'))
+# define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c))
+#endif
+
+#define XOR(e, f) (((e) && !(f)) || (!(e) && (f)))
+int
+main ()
+{
+  int i;
+  for (i = 0; i < 256; i++)
+    if (XOR (islower (i), ISLOWER (i))
+	|| toupper (i) != TOUPPER (i))
+      return 2;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_run "$LINENO"; then :
+
+else
+  ac_cv_header_stdc=no
+fi
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+  conftest.$ac_objext conftest.beam conftest.$ac_ext
+fi
+
+fi
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdc" >&5
+$as_echo "$ac_cv_header_stdc" >&6; }
+if test $ac_cv_header_stdc = yes; then
+
+$as_echo "#define STDC_HEADERS 1" >>confdefs.h
+
+fi
+
+
+for ac_header in fcntl.h regex.h sys/time.h unistd.h sys/mman.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h sys/socket.h net/route.h linux/netlink.h linux/rtnetlink.h
+do :
+  as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default
+#ifdef HAVE_SYS_PARAM_H
+# include <sys/param.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+# include <sys/socket.h>
+#endif
+
+"
+if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+
+done
+
+
+#
+# Check for thread local storage
+#
+for ac_header in threads.h
+do :
+  ac_fn_c_check_header_mongrel "$LINENO" "threads.h" "ac_cv_header_threads_h" "$ac_includes_default"
+if test "x$ac_cv_header_threads_h" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_THREADS_H 1
+_ACEOF
+
+		     { $as_echo "$as_me:${as_lineno-$LINENO}: checking for C11 Thread-Local Storage using thread_local" >&5
+$as_echo_n "checking for C11 Thread-Local Storage using thread_local... " >&6; }
+		     cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+				  #include <threads.h>
+
+int
+main ()
+{
+
+				  static thread_local int tls = 0;
+				  return (tls);
+
+  ;
+  return 0;
+}
+
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+
+			     { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+$as_echo "#define HAVE_THREAD_LOCAL 1" >>confdefs.h
+
+
+$as_echo "#define HAVE_TLS 1" >>confdefs.h
+
+
+else
+
+			     as_fn_error $? "Thread Local Storage support required, update your toolchain to build BIND 9" "$LINENO" 5
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
+else
+
+		     { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Thread-Local Storage using __thread" >&5
+$as_echo_n "checking for Thread-Local Storage using __thread... " >&6; }
+		     cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+
+int
+main ()
+{
+
+				  static __thread int tls = 0;
+				  return (tls);
+
+  ;
+  return 0;
+}
+
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+
+			     { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+$as_echo "#define HAVE___THREAD 1" >>confdefs.h
+
+
+$as_echo "#define HAVE_TLS 1" >>confdefs.h
+
+
+else
+
+			     as_fn_error $? "Thread Local Storage support required, update your toolchain to build BIND 9" "$LINENO" 5
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
+fi
+
+done
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for an ANSI C-conforming const" >&5
+$as_echo_n "checking for an ANSI C-conforming const... " >&6; }
+if ${ac_cv_c_const+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+#ifndef __cplusplus
+  /* Ultrix mips cc rejects this sort of thing.  */
+  typedef int charset[2];
+  const charset cs = { 0, 0 };
+  /* SunOS 4.1.1 cc rejects this.  */
+  char const *const *pcpcc;
+  char **ppc;
+  /* NEC SVR4.0.2 mips cc rejects this.  */
+  struct point {int x, y;};
+  static struct point const zero = {0,0};
+  /* AIX XL C 1.02.0.0 rejects this.
+     It does not let you subtract one const X* pointer from another in
+     an arm of an if-expression whose if-part is not a constant
+     expression */
+  const char *g = "string";
+  pcpcc = &g + (g ? g-g : 0);
+  /* HPUX 7.0 cc rejects these. */
+  ++pcpcc;
+  ppc = (char**) pcpcc;
+  pcpcc = (char const *const *) ppc;
+  { /* SCO 3.2v4 cc rejects this sort of thing.  */
+    char tx;
+    char *t = &tx;
+    char const *s = 0 ? (char *) 0 : (char const *) 0;
+
+    *t++ = 0;
+    if (s) return 0;
+  }
+  { /* Someone thinks the Sun supposedly-ANSI compiler will reject this.  */
+    int x[] = {25, 17};
+    const int *foo = &x[0];
+    ++foo;
+  }
+  { /* Sun SC1.0 ANSI compiler rejects this -- but not the above. */
+    typedef const int *iptr;
+    iptr p = 0;
+    ++p;
+  }
+  { /* AIX XL C 1.02.0.0 rejects this sort of thing, saying
+       "k.c", line 2.27: 1506-025 (S) Operand must be a modifiable lvalue. */
+    struct s { int j; const int *ap[3]; } bx;
+    struct s *b = &bx; b->j = 5;
+  }
+  { /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */
+    const int foo = 10;
+    if (!foo) return 0;
+  }
+  return !cs[0] && !zero.x;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  ac_cv_c_const=yes
+else
+  ac_cv_c_const=no
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_const" >&5
+$as_echo "$ac_cv_c_const" >&6; }
+if test $ac_cv_c_const = no; then
+
+$as_echo "#define const /**/" >>confdefs.h
+
+fi
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for inline" >&5
+$as_echo_n "checking for inline... " >&6; }
+if ${ac_cv_c_inline+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_cv_c_inline=no
+for ac_kw in inline __inline__ __inline; do
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#ifndef __cplusplus
+typedef int foo_t;
+static $ac_kw foo_t static_foo () {return 0; }
+$ac_kw foo_t foo () {return 0; }
+#endif
+
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  ac_cv_c_inline=$ac_kw
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+  test "$ac_cv_c_inline" != no && break
+done
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_inline" >&5
+$as_echo "$ac_cv_c_inline" >&6; }
+
+case $ac_cv_c_inline in
+  inline | yes) ;;
+  *)
+    case $ac_cv_c_inline in
+      no) ac_val=;;
+      *) ac_val=$ac_cv_c_inline;;
+    esac
+    cat >>confdefs.h <<_ACEOF
+#ifndef __cplusplus
+#define inline $ac_val
+#endif
+_ACEOF
+    ;;
+esac
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for working volatile" >&5
+$as_echo_n "checking for working volatile... " >&6; }
+if ${ac_cv_c_volatile+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+volatile int x;
+int * volatile y = (int *) 0;
+return !x && !y;
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  ac_cv_c_volatile=yes
+else
+  ac_cv_c_volatile=no
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_volatile" >&5
+$as_echo "$ac_cv_c_volatile" >&6; }
+if test $ac_cv_c_volatile = no; then
+
+$as_echo "#define volatile /**/" >>confdefs.h
+
+fi
+
+
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for flexible array members" >&5
+$as_echo_n "checking for flexible array members... " >&6; }
+if ${ac_cv_c_flexmember+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <stdlib.h>
+	    #include <stdio.h>
+	    #include <stddef.h>
+	    struct s { int n; double d[]; };
+int
+main ()
+{
+int m = getchar ();
+	    struct s *p = malloc (offsetof (struct s, d)
+				  + m * sizeof (double));
+	    p->d[0] = 0.0;
+	    return p->d != (double *) NULL;
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  ac_cv_c_flexmember=yes
+else
+  ac_cv_c_flexmember=no
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_flexmember" >&5
+$as_echo "$ac_cv_c_flexmember" >&6; }
+  if test $ac_cv_c_flexmember = yes; then
+
+$as_echo "#define FLEXIBLE_ARRAY_MEMBER /**/" >>confdefs.h
+
+  else
+    $as_echo "#define FLEXIBLE_ARRAY_MEMBER 1" >>confdefs.h
+
+  fi
+
+
+#
+# Check for yield support on ARM processors
+#
+case $host in #(
+  arm*) :
+    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for yield instruction support" >&5
+$as_echo_n "checking for yield instruction support... " >&6; }
+	 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+__asm__ __volatile__ ("yield")
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+$as_echo "#define HAVE_ARM_YIELD 1" >>confdefs.h
+
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ;; #(
+  *) :
+     ;;
+esac
+
+#
+# Check for pause support on SPARC processors
+#
+case $host in #(
+  sparc*) :
+    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pause instruction support" >&5
+$as_echo_n "checking for pause instruction support... " >&6; }
+	 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+__asm__ __volatile__ ("pause")
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+$as_echo "#define HAVE_SPARC_PAUSE 1" >>confdefs.h
+
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ;; #(
+  *) :
+     ;;
+esac
+
+for ac_func in sysctlbyname
+do :
+  ac_fn_c_check_func "$LINENO" "sysctlbyname" "ac_cv_func_sysctlbyname"
+if test "x$ac_cv_func_sysctlbyname" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_SYSCTLBYNAME 1
+_ACEOF
+
+fi
+done
+
+
+#
+# Check for the existence of mmap to enable the fast format zones
+#
+for ac_func in mmap
+do :
+  ac_fn_c_check_func "$LINENO" "mmap" "ac_cv_func_mmap"
+if test "x$ac_cv_func_mmap" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_MMAP 1
+_ACEOF
+
+fi
+done
+
+
+#
+# Older versions of HP/UX don't define seteuid() and setegid()
+#
+for ac_func in seteuid setresuid
+do :
+  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+done
+
+for ac_func in setegid setresgid
+do :
+  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+done
+
+
+ac_fn_c_check_type "$LINENO" "size_t" "ac_cv_type_size_t" "$ac_includes_default"
+if test "x$ac_cv_type_size_t" = xyes; then :
+
+else
+
+cat >>confdefs.h <<_ACEOF
+#define size_t unsigned int
+_ACEOF
+
+fi
+
+ac_fn_c_check_type "$LINENO" "ssize_t" "ac_cv_type_ssize_t" "$ac_includes_default"
+if test "x$ac_cv_type_ssize_t" = xyes; then :
+
+else
+
+cat >>confdefs.h <<_ACEOF
+#define ssize_t int
+_ACEOF
+
+fi
+
+
+  ac_fn_c_check_type "$LINENO" "uintptr_t" "ac_cv_type_uintptr_t" "$ac_includes_default"
+if test "x$ac_cv_type_uintptr_t" = xyes; then :
+
+$as_echo "#define HAVE_UINTPTR_T 1" >>confdefs.h
+
+else
+  for ac_type in 'unsigned int' 'unsigned long int' \
+	'unsigned long long int'; do
+       cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+$ac_includes_default
+int
+main ()
+{
+static int test_array [1 - 2 * !(sizeof (void *) <= sizeof ($ac_type))];
+test_array [0] = 0;
+return test_array [0];
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+
+cat >>confdefs.h <<_ACEOF
+#define uintptr_t $ac_type
+_ACEOF
+
+	  ac_type=
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+       test -z "$ac_type" && break
+     done
+fi
+
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether time.h and sys/time.h may both be included" >&5
+$as_echo_n "checking whether time.h and sys/time.h may both be included... " >&6; }
+if ${ac_cv_header_time+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <sys/types.h>
+#include <sys/time.h>
+#include <time.h>
+
+int
+main ()
+{
+if ((struct tm *) 0)
+return 0;
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  ac_cv_header_time=yes
+else
+  ac_cv_header_time=no
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_time" >&5
+$as_echo "$ac_cv_header_time" >&6; }
+if test $ac_cv_header_time = yes; then
+
+$as_echo "#define TIME_WITH_SYS_TIME 1" >>confdefs.h
+
+fi
+
+
+#
+# check for uname library routine
+#
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for uname" >&5
+$as_echo_n "checking for uname... " >&6; }
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <sys/utsname.h>
+       #include <stdio.h>
+
+int
+main ()
+{
+
+       struct utsname uts;
+       uname(&uts);
+       printf("running on %s %s %s for %s\n",
+	      uts.sysname, uts.release, uts.version, uts.machine);
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+$as_echo "#define HAVE_UNAME 1" >>confdefs.h
+
+
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+   { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: uname is not correctly supported" >&5
+$as_echo "$as_me: WARNING: uname is not correctly supported" >&2;}
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
+#
+# check for GCC noreturn attribute
+#
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for GCC noreturn attribute" >&5
+$as_echo_n "checking for GCC noreturn attribute... " >&6; }
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+void foo() __attribute__((noreturn));
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+		ISC_PLATFORM_NORETURN_PRE="#define ISC_PLATFORM_NORETURN_PRE"
+		ISC_PLATFORM_NORETURN_POST="#define ISC_PLATFORM_NORETURN_POST __attribute__((noreturn))"
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+		ISC_PLATFORM_NORETURN_PRE="#define ISC_PLATFORM_NORETURN_PRE"
+		ISC_PLATFORM_NORETURN_POST="#define ISC_PLATFORM_NORETURN_POST"
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
+
+
+#
+# check for GCC malloc attribute
+#
+
+
+
+    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for __attribute__((malloc))" >&5
+$as_echo_n "checking for __attribute__((malloc))... " >&6; }
+if ${ax_cv_have_func_attribute_malloc+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+
+        cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+
+                    void *foo( void ) __attribute__((malloc));
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+                                      if test -s conftest.err; then :
+  ax_cv_have_func_attribute_malloc=no
+else
+  ax_cv_have_func_attribute_malloc=yes
+fi
+else
+  ax_cv_have_func_attribute_malloc=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_have_func_attribute_malloc" >&5
+$as_echo "$ax_cv_have_func_attribute_malloc" >&6; }
+
+    if test yes = $ax_cv_have_func_attribute_malloc; then :
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_FUNC_ATTRIBUTE_MALLOC 1
+_ACEOF
+
+fi
+
+
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for extended malloc attributes" >&5
+$as_echo_n "checking for extended malloc attributes... " >&6; }
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+       #include <stddef.h>
+       #include <stdlib.h>
+       __attribute__ ((malloc, malloc (free, 1))
+       void * xmalloc(size_t sz) { return malloc(sz); }
+
+int
+main ()
+{
+
+       void *p = xmalloc(8);
+       free(p);
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+$as_echo "#define HAVE_MALLOC_EXT_ATTR 1" >>confdefs.h
+
+
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
+#
+# check for GCC returns_nonnull attribute
+#
+
+
+
+    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for __attribute__((returns_nonnull))" >&5
+$as_echo_n "checking for __attribute__((returns_nonnull))... " >&6; }
+if ${ax_cv_have_func_attribute_returns_nonnull+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+
+        cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+
+                    void *foo( void ) __attribute__((returns_nonnull));
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+                                      if test -s conftest.err; then :
+  ax_cv_have_func_attribute_returns_nonnull=no
+else
+  ax_cv_have_func_attribute_returns_nonnull=yes
+fi
+else
+  ax_cv_have_func_attribute_returns_nonnull=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_have_func_attribute_returns_nonnull" >&5
+$as_echo "$ax_cv_have_func_attribute_returns_nonnull" >&6; }
+
+    if test yes = $ax_cv_have_func_attribute_returns_nonnull; then :
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_FUNC_ATTRIBUTE_RETURNS_NONNULL 1
+_ACEOF
+
+fi
+
+
+
+
+#
+# check if we have kqueue
+#
+# [pairwise: --enable-kqueue, --disable-kqueue]
+# Check whether --enable-kqueue was given.
+if test "${enable_kqueue+set}" = set; then :
+  enableval=$enable_kqueue;
+else
+  enable_kqueue="yes"
+fi
+
+
+if test "$enable_kqueue" = "yes"; then :
+  for ac_func in kqueue
+do :
+  ac_fn_c_check_func "$LINENO" "kqueue" "ac_cv_func_kqueue"
+if test "x$ac_cv_func_kqueue" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_KQUEUE 1
+_ACEOF
+
+fi
+done
+
+fi
+
+#
+# check if we have epoll.  Linux kernel 2.4 has epoll_create() which fails,
+# so we need to try running the code, not just test its existence.
+#
+# [pairwise: --enable-epoll, --disable-epoll]
+# Check whether --enable-epoll was given.
+if test "${enable_epoll+set}" = set; then :
+  enableval=$enable_epoll;
+else
+  enable_epoll="yes"
+fi
+
+
+if test "$enable_epoll" = "yes"; then :
+  for ac_func in epoll_create1
+do :
+  ac_fn_c_check_func "$LINENO" "epoll_create1" "ac_cv_func_epoll_create1"
+if test "x$ac_cv_func_epoll_create1" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_EPOLL_CREATE1 1
+_ACEOF
+
+fi
+done
+
+fi
+
+#
+# check if we support /dev/poll
+#
+# [pairwise: --enable-devpoll, --disable-devpoll]
+# Check whether --enable-devpoll was given.
+if test "${enable_devpoll+set}" = set; then :
+  enableval=$enable_devpoll;
+else
+  enable_devpoll="yes"
+fi
+
+if test "$enable_devpoll" = "yes"; then :
+  for ac_header in sys/devpoll.h devpoll.h
+do :
+  as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
+if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+
+done
+
+fi
+
+#
+# Find the machine's endian flavor.
+#
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether byte ordering is bigendian" >&5
+$as_echo_n "checking whether byte ordering is bigendian... " >&6; }
+if ${ac_cv_c_bigendian+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_cv_c_bigendian=unknown
+    # See if we're dealing with a universal compiler.
+    cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#ifndef __APPLE_CC__
+	       not a universal capable compiler
+	     #endif
+	     typedef int dummy;
+
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+
+	# Check for potential -arch flags.  It is not universal unless
+	# there are at least two -arch flags with different values.
+	ac_arch=
+	ac_prev=
+	for ac_word in $CC $CFLAGS $CPPFLAGS $LDFLAGS; do
+	 if test -n "$ac_prev"; then
+	   case $ac_word in
+	     i?86 | x86_64 | ppc | ppc64)
+	       if test -z "$ac_arch" || test "$ac_arch" = "$ac_word"; then
+		 ac_arch=$ac_word
+	       else
+		 ac_cv_c_bigendian=universal
+		 break
+	       fi
+	       ;;
+	   esac
+	   ac_prev=
+	 elif test "x$ac_word" = "x-arch"; then
+	   ac_prev=arch
+	 fi
+       done
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+    if test $ac_cv_c_bigendian = unknown; then
+      # See if sys/param.h defines the BYTE_ORDER macro.
+      cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <sys/types.h>
+	     #include <sys/param.h>
+
+int
+main ()
+{
+#if ! (defined BYTE_ORDER && defined BIG_ENDIAN \
+		     && defined LITTLE_ENDIAN && BYTE_ORDER && BIG_ENDIAN \
+		     && LITTLE_ENDIAN)
+	      bogus endian macros
+	     #endif
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  # It does; now see whether it defined to BIG_ENDIAN or not.
+	 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <sys/types.h>
+		#include <sys/param.h>
+
+int
+main ()
+{
+#if BYTE_ORDER != BIG_ENDIAN
+		 not big endian
+		#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  ac_cv_c_bigendian=yes
+else
+  ac_cv_c_bigendian=no
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+    fi
+    if test $ac_cv_c_bigendian = unknown; then
+      # See if <limits.h> defines _LITTLE_ENDIAN or _BIG_ENDIAN (e.g., Solaris).
+      cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <limits.h>
+
+int
+main ()
+{
+#if ! (defined _LITTLE_ENDIAN || defined _BIG_ENDIAN)
+	      bogus endian macros
+	     #endif
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  # It does; now see whether it defined to _BIG_ENDIAN or not.
+	 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <limits.h>
+
+int
+main ()
+{
+#ifndef _BIG_ENDIAN
+		 not big endian
+		#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  ac_cv_c_bigendian=yes
+else
+  ac_cv_c_bigendian=no
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+    fi
+    if test $ac_cv_c_bigendian = unknown; then
+      # Compile a test program.
+      if test "$cross_compiling" = yes; then :
+  # Try to guess by grepping values from an object file.
+	 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+short int ascii_mm[] =
+		  { 0x4249, 0x4765, 0x6E44, 0x6961, 0x6E53, 0x7953, 0 };
+		short int ascii_ii[] =
+		  { 0x694C, 0x5454, 0x656C, 0x6E45, 0x6944, 0x6E61, 0 };
+		int use_ascii (int i) {
+		  return ascii_mm[i] + ascii_ii[i];
+		}
+		short int ebcdic_ii[] =
+		  { 0x89D3, 0xE3E3, 0x8593, 0x95C5, 0x89C4, 0x9581, 0 };
+		short int ebcdic_mm[] =
+		  { 0xC2C9, 0xC785, 0x95C4, 0x8981, 0x95E2, 0xA8E2, 0 };
+		int use_ebcdic (int i) {
+		  return ebcdic_mm[i] + ebcdic_ii[i];
+		}
+		extern int foo;
+
+int
+main ()
+{
+return use_ascii (foo) == use_ebcdic (foo);
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  if grep BIGenDianSyS conftest.$ac_objext >/dev/null; then
+	      ac_cv_c_bigendian=yes
+	    fi
+	    if grep LiTTleEnDian conftest.$ac_objext >/dev/null ; then
+	      if test "$ac_cv_c_bigendian" = unknown; then
+		ac_cv_c_bigendian=no
+	      else
+		# finding both strings is unlikely to happen, but who knows?
+		ac_cv_c_bigendian=unknown
+	      fi
+	    fi
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+$ac_includes_default
+int
+main ()
+{
+
+	     /* Are we little or big endian?  From Harbison&Steele.  */
+	     union
+	     {
+	       long int l;
+	       char c[sizeof (long int)];
+	     } u;
+	     u.l = 1;
+	     return u.c[sizeof (long int) - 1] == 1;
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_run "$LINENO"; then :
+  ac_cv_c_bigendian=no
+else
+  ac_cv_c_bigendian=yes
+fi
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+  conftest.$ac_objext conftest.beam conftest.$ac_ext
+fi
+
+    fi
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_bigendian" >&5
+$as_echo "$ac_cv_c_bigendian" >&6; }
+ case $ac_cv_c_bigendian in #(
+   yes)
+     $as_echo "#define WORDS_BIGENDIAN 1" >>confdefs.h
+;; #(
+   no)
+      ;; #(
+   universal)
+
+$as_echo "#define AC_APPLE_UNIVERSAL_BUILD 1" >>confdefs.h
+
+     ;; #(
+   *)
+     as_fn_error $? "unknown endianness
+ presetting ac_cv_c_bigendian=no (or yes) will help" "$LINENO" 5 ;;
+ esac
+
+
+#
+# GeoIP support?
+#
+# Should be on by default if libmaxminddb exists.
+#
+# [pairwise: skip]
+
+# Check whether --with-geoip2 was given.
+if test "${with_geoip2+set}" = set; then :
+  withval=$with_geoip2; { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: --with-geoip2 is DEPRECATED and will be removed in a future release, use --with-maxminddb instead" >&5
+$as_echo "$as_me: WARNING: --with-geoip2 is DEPRECATED and will be removed in a future release, use --with-maxminddb instead" >&2;}
+else
+  with_geoip2="auto"
+fi
+
+
+# [pairwise: --enable-geoip --with-maxminddb=auto, --enable-geoip --with-maxminddb=yes, --disable-geoip]
+# Check whether --enable-geoip was given.
+if test "${enable_geoip+set}" = set; then :
+  enableval=$enable_geoip;
+else
+  enable_geoip="yes"
+fi
+
+
+# [pairwise: skip]
+
+# Check whether --with-maxminddb was given.
+if test "${with_maxminddb+set}" = set; then :
+  withval=$with_maxminddb;
+else
+  with_maxminddb="$with_geoip2"
+fi
+
+
+GEOIP2LINKSRCS=
+GEOIP2LINKOBJS=
+if test "$enable_geoip" = "yes"; then :
+  case $with_maxminddb in #(
+  no) :
+    as_fn_error $? "Use '--disable-geoip' to disable the GeoIP" "$LINENO" 5 ;; #(
+  auto) :
+
+pkg_failed=no
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libmaxminddb" >&5
+$as_echo_n "checking for libmaxminddb... " >&6; }
+
+if test -n "$MAXMINDDB_CFLAGS"; then
+    pkg_cv_MAXMINDDB_CFLAGS="$MAXMINDDB_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libmaxminddb\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "libmaxminddb") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_MAXMINDDB_CFLAGS=`$PKG_CONFIG --cflags "libmaxminddb" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+if test -n "$MAXMINDDB_LIBS"; then
+    pkg_cv_MAXMINDDB_LIBS="$MAXMINDDB_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libmaxminddb\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "libmaxminddb") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_MAXMINDDB_LIBS=`$PKG_CONFIG --libs "libmaxminddb" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi
+        if test $_pkg_short_errors_supported = yes; then
+	        MAXMINDDB_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libmaxminddb" 2>&1`
+        else
+	        MAXMINDDB_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libmaxminddb" 2>&1`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$MAXMINDDB_PKG_ERRORS" >&5
+
+	:
+elif test $pkg_failed = untried; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+	:
+else
+	MAXMINDDB_CFLAGS=$pkg_cv_MAXMINDDB_CFLAGS
+	MAXMINDDB_LIBS=$pkg_cv_MAXMINDDB_LIBS
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+$as_echo "#define HAVE_GEOIP2 1" >>confdefs.h
+
+
+if test -n "$MAXMINDDB_PREFIX"; then
+    pkg_cv_MAXMINDDB_PREFIX="$MAXMINDDB_PREFIX"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libmaxminddb\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "libmaxminddb") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_MAXMINDDB_PREFIX=`$PKG_CONFIG --variable="prefix" "libmaxminddb" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+MAXMINDDB_PREFIX=$pkg_cv_MAXMINDDB_PREFIX
+
+if test "x$MAXMINDDB_PREFIX" = x""; then :
+  as_fn_error $? "libmaxminddb prefix not found in pkg-config; set MAXMINDDB_PREFIX in the environment" "$LINENO" 5
+fi
+					  GEOIP2LINKSRCS='${GEOIP2LINKSRCS}'
+					  GEOIP2LINKOBJS='${GEOIP2LINKOBJS}'
+
+fi ;; #(
+  yes) :
+
+pkg_failed=no
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libmaxminddb" >&5
+$as_echo_n "checking for libmaxminddb... " >&6; }
+
+if test -n "$MAXMINDDB_CFLAGS"; then
+    pkg_cv_MAXMINDDB_CFLAGS="$MAXMINDDB_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libmaxminddb\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "libmaxminddb") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_MAXMINDDB_CFLAGS=`$PKG_CONFIG --cflags "libmaxminddb" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+if test -n "$MAXMINDDB_LIBS"; then
+    pkg_cv_MAXMINDDB_LIBS="$MAXMINDDB_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libmaxminddb\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "libmaxminddb") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_MAXMINDDB_LIBS=`$PKG_CONFIG --libs "libmaxminddb" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi
+        if test $_pkg_short_errors_supported = yes; then
+	        MAXMINDDB_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libmaxminddb" 2>&1`
+        else
+	        MAXMINDDB_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libmaxminddb" 2>&1`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$MAXMINDDB_PKG_ERRORS" >&5
+
+	as_fn_error $? "Package requirements (libmaxminddb) were not met:
+
+$MAXMINDDB_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+Alternatively, you may set the environment variables MAXMINDDB_CFLAGS
+and MAXMINDDB_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details." "$LINENO" 5
+elif test $pkg_failed = untried; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+Alternatively, you may set the environment variables MAXMINDDB_CFLAGS
+and MAXMINDDB_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details" "$LINENO" 5; }
+else
+	MAXMINDDB_CFLAGS=$pkg_cv_MAXMINDDB_CFLAGS
+	MAXMINDDB_LIBS=$pkg_cv_MAXMINDDB_LIBS
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+$as_echo "#define HAVE_GEOIP2 1" >>confdefs.h
+
+
+if test -n "$MAXMINDDB_PREFIX"; then
+    pkg_cv_MAXMINDDB_PREFIX="$MAXMINDDB_PREFIX"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libmaxminddb\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "libmaxminddb") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_MAXMINDDB_PREFIX=`$PKG_CONFIG --variable="prefix" "libmaxminddb" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+MAXMINDDB_PREFIX=$pkg_cv_MAXMINDDB_PREFIX
+
+if test "x$MAXMINDDB_PREFIX" = x""; then :
+  as_fn_error $? "libmaxminddb prefix not found in pkg-config; set MAXMINDDB_PREFIX in the environment" "$LINENO" 5
+fi
+					 GEOIP2LINKSRCS='${GEOIP2LINKSRCS}'
+					 GEOIP2LINKOBJS='${GEOIP2LINKOBJS}'
+
+fi ;; #(
+  *) :
+     # default
+
+
+  CCASFLAGS_maxminddb_ax_save_flags=$CCASFLAGS
+
+
+
+  CFLAGS_maxminddb_ax_save_flags=$CFLAGS
+
+
+
+  CPPFLAGS_maxminddb_ax_save_flags=$CPPFLAGS
+
+
+
+  CXXFLAGS_maxminddb_ax_save_flags=$CXXFLAGS
+
+
+
+  ERLCFLAGS_maxminddb_ax_save_flags=$ERLCFLAGS
+
+
+
+  FCFLAGS_maxminddb_ax_save_flags=$FCFLAGS
+
+
+
+  FCLIBS_maxminddb_ax_save_flags=$FCLIBS
+
+
+
+  FFLAGS_maxminddb_ax_save_flags=$FFLAGS
+
+
+
+  FLIBS_maxminddb_ax_save_flags=$FLIBS
+
+
+
+  GCJFLAGS_maxminddb_ax_save_flags=$GCJFLAGS
+
+
+
+  JAVACFLAGS_maxminddb_ax_save_flags=$JAVACFLAGS
+
+
+
+  LDFLAGS_maxminddb_ax_save_flags=$LDFLAGS
+
+
+
+  LIBS_maxminddb_ax_save_flags=$LIBS
+
+
+
+  OBJCFLAGS_maxminddb_ax_save_flags=$OBJCFLAGS
+
+
+
+  OBJCXXFLAGS_maxminddb_ax_save_flags=$OBJCXXFLAGS
+
+
+
+  UPCFLAGS_maxminddb_ax_save_flags=$UPCFLAGS
+
+
+
+  VALAFLAGS_maxminddb_ax_save_flags=$VALAFLAGS
+
+
+
+		   MAXMINDDB_CFLAGS="-I$with_maxminddb/include"
+		   MAXMINDDB_LIBS="-L$with_maxminddb/lib"
+		   CFLAGS="$CFLAGS $MAXMINDDB_CFLAGS"
+		   LDFLAGS="$LDFLAGS $MAXMINDDB_LIBS"
+		   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing MMDB_open" >&5
+$as_echo_n "checking for library containing MMDB_open... " >&6; }
+if ${ac_cv_search_MMDB_open+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_func_search_save_LIBS=$LIBS
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char MMDB_open ();
+int
+main ()
+{
+return MMDB_open ();
+  ;
+  return 0;
+}
+_ACEOF
+for ac_lib in '' maxminddb; do
+  if test -z "$ac_lib"; then
+    ac_res="none required"
+  else
+    ac_res=-l$ac_lib
+    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
+  fi
+  if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_search_MMDB_open=$ac_res
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext
+  if ${ac_cv_search_MMDB_open+:} false; then :
+  break
+fi
+done
+if ${ac_cv_search_MMDB_open+:} false; then :
+
+else
+  ac_cv_search_MMDB_open=no
+fi
+rm conftest.$ac_ext
+LIBS=$ac_func_search_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_MMDB_open" >&5
+$as_echo "$ac_cv_search_MMDB_open" >&6; }
+ac_res=$ac_cv_search_MMDB_open
+if test "$ac_res" != no; then :
+  test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
+
+$as_echo "#define HAVE_GEOIP2 1" >>confdefs.h
+
+				   GEOIP2LINKSRCS='${GEOIP2LINKSRCS}'
+				   GEOIP2LINKOBJS='${GEOIP2LINKOBJS}'
+				   MAXMINDDB_LIBS="$MAXMINDDB_LIBS $ac_cv_search_MMDB_open"
+				   { $as_echo "$as_me:${as_lineno-$LINENO}: GeoIP2 default database path set to $with_maxminddb/share/GeoIP" >&5
+$as_echo "$as_me: GeoIP2 default database path set to $with_maxminddb/share/GeoIP" >&6;}
+				   MAXMINDDB_PREFIX=$with_maxminddb
+
+else
+  as_fn_error $? "GeoIP2 requested, but libmaxminddb not found" "$LINENO" 5
+fi
+
+
+  CCASFLAGS=$CCASFLAGS_maxminddb_ax_save_flags
+
+
+  CFLAGS=$CFLAGS_maxminddb_ax_save_flags
+
+
+  CPPFLAGS=$CPPFLAGS_maxminddb_ax_save_flags
+
+
+  CXXFLAGS=$CXXFLAGS_maxminddb_ax_save_flags
+
+
+  ERLCFLAGS=$ERLCFLAGS_maxminddb_ax_save_flags
+
+
+  FCFLAGS=$FCFLAGS_maxminddb_ax_save_flags
+
+
+  FCLIBS=$FCLIBS_maxminddb_ax_save_flags
+
+
+  FFLAGS=$FFLAGS_maxminddb_ax_save_flags
+
+
+  FLIBS=$FLIBS_maxminddb_ax_save_flags
+
+
+  GCJFLAGS=$GCJFLAGS_maxminddb_ax_save_flags
+
+
+  JAVACFLAGS=$JAVACFLAGS_maxminddb_ax_save_flags
+
+
+  LDFLAGS=$LDFLAGS_maxminddb_ax_save_flags
+
+
+  LIBS=$LIBS_maxminddb_ax_save_flags
+
+
+  OBJCFLAGS=$OBJCFLAGS_maxminddb_ax_save_flags
+
+
+  OBJCXXFLAGS=$OBJCXXFLAGS_maxminddb_ax_save_flags
+
+
+  UPCFLAGS=$UPCFLAGS_maxminddb_ax_save_flags
+
+
+  VALAFLAGS=$VALAFLAGS_maxminddb_ax_save_flags
+
+
+
+	        ;;
+esac
+
+
+fi
+
+
+
+
+
+
+#
+# Do we have arc4random(), etc ?
+#
+for ac_func in arc4random arc4random_buf arc4random_uniform getrandom
+do :
+  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+done
+
+
+
+
+
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+ax_pthread_ok=no
+
+# We used to check for pthread.h first, but this fails if pthread.h
+# requires special compiler flags (e.g. on Tru64 or Sequent).
+# It gets checked for in the link test anyway.
+
+# First of all, check if the user has set any of the PTHREAD_LIBS,
+# etcetera environment variables, and if threads linking works using
+# them:
+if test "x$PTHREAD_CFLAGS$PTHREAD_LIBS" != "x"; then
+        ax_pthread_save_CC="$CC"
+        ax_pthread_save_CFLAGS="$CFLAGS"
+        ax_pthread_save_LIBS="$LIBS"
+        if test "x$PTHREAD_CC" != "x"; then :
+  CC="$PTHREAD_CC"
+fi
+        CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
+        LIBS="$PTHREAD_LIBS $LIBS"
+        { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_join using $CC $PTHREAD_CFLAGS $PTHREAD_LIBS" >&5
+$as_echo_n "checking for pthread_join using $CC $PTHREAD_CFLAGS $PTHREAD_LIBS... " >&6; }
+        cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char pthread_join ();
+int
+main ()
+{
+return pthread_join ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ax_pthread_ok=yes
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_pthread_ok" >&5
+$as_echo "$ax_pthread_ok" >&6; }
+        if test "x$ax_pthread_ok" = "xno"; then
+                PTHREAD_LIBS=""
+                PTHREAD_CFLAGS=""
+        fi
+        CC="$ax_pthread_save_CC"
+        CFLAGS="$ax_pthread_save_CFLAGS"
+        LIBS="$ax_pthread_save_LIBS"
+fi
+
+# We must check for the threads library under a number of different
+# names; the ordering is very important because some systems
+# (e.g. DEC) have both -lpthread and -lpthreads, where one of the
+# libraries is broken (non-POSIX).
+
+# Create a list of thread flags to try.  Items starting with a "-" are
+# C compiler flags, and other items are library names, except for "none"
+# which indicates that we try without any flags at all, and "pthread-config"
+# which is a program returning the flags for the Pth emulation library.
+
+ax_pthread_flags="pthreads none -Kthread -pthread -pthreads -mthreads pthread --thread-safe -mt pthread-config"
+
+# The ordering *is* (sometimes) important.  Some notes on the
+# individual items follow:
+
+# pthreads: AIX (must check this before -lpthread)
+# none: in case threads are in libc; should be tried before -Kthread and
+#       other compiler flags to prevent continual compiler warnings
+# -Kthread: Sequent (threads in libc, but -Kthread needed for pthread.h)
+# -pthread: Linux/gcc (kernel threads), BSD/gcc (userland threads), Tru64
+#           (Note: HP C rejects this with "bad form for `-t' option")
+# -pthreads: Solaris/gcc (Note: HP C also rejects)
+# -mt: Sun Workshop C (may only link SunOS threads [-lthread], but it
+#      doesn't hurt to check since this sometimes defines pthreads and
+#      -D_REENTRANT too), HP C (must be checked before -lpthread, which
+#      is present but should not be used directly; and before -mthreads,
+#      because the compiler interprets this as "-mt" + "-hreads")
+# -mthreads: Mingw32/gcc, Lynx/gcc
+# pthread: Linux, etcetera
+# --thread-safe: KAI C++
+# pthread-config: use pthread-config program (for GNU Pth library)
+
+case $host_os in
+
+        freebsd*)
+
+        # -kthread: FreeBSD kernel threads (preferred to -pthread since SMP-able)
+        # lthread: LinuxThreads port on FreeBSD (also preferred to -pthread)
+
+        ax_pthread_flags="-kthread lthread $ax_pthread_flags"
+        ;;
+
+        hpux*)
+
+        # From the cc(1) man page: "[-mt] Sets various -D flags to enable
+        # multi-threading and also sets -lpthread."
+
+        ax_pthread_flags="-mt -pthread pthread $ax_pthread_flags"
+        ;;
+
+        openedition*)
+
+        # IBM z/OS requires a feature-test macro to be defined in order to
+        # enable POSIX threads at all, so give the user a hint if this is
+        # not set. (We don't define these ourselves, as they can affect
+        # other portions of the system API in unpredictable ways.)
+
+        cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+#            if !defined(_OPEN_THREADS) && !defined(_UNIX03_THREADS)
+             AX_PTHREAD_ZOS_MISSING
+#            endif
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  $EGREP "AX_PTHREAD_ZOS_MISSING" >/dev/null 2>&1; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: IBM z/OS requires -D_OPEN_THREADS or -D_UNIX03_THREADS to enable pthreads support." >&5
+$as_echo "$as_me: WARNING: IBM z/OS requires -D_OPEN_THREADS or -D_UNIX03_THREADS to enable pthreads support." >&2;}
+fi
+rm -f conftest*
+
+        ;;
+
+        solaris*)
+
+        # On Solaris (at least, for some versions), libc contains stubbed
+        # (non-functional) versions of the pthreads routines, so link-based
+        # tests will erroneously succeed. (N.B.: The stubs are missing
+        # pthread_cleanup_push, or rather a function called by this macro,
+        # so we could check for that, but who knows whether they'll stub
+        # that too in a future libc.)  So we'll check first for the
+        # standard Solaris way of linking pthreads (-mt -lpthread).
+
+        ax_pthread_flags="-mt,pthread pthread $ax_pthread_flags"
+        ;;
+esac
+
+# GCC generally uses -pthread, or -pthreads on some platforms (e.g. SPARC)
+
+if test "x$GCC" = "xyes"; then :
+  ax_pthread_flags="-pthread -pthreads $ax_pthread_flags"
+fi
+
+# The presence of a feature test macro requesting re-entrant function
+# definitions is, on some systems, a strong hint that pthreads support is
+# correctly enabled
+
+case $host_os in
+        darwin* | hpux* | linux* | osf* | solaris*)
+        ax_pthread_check_macro="_REENTRANT"
+        ;;
+
+        aix*)
+        ax_pthread_check_macro="_THREAD_SAFE"
+        ;;
+
+        *)
+        ax_pthread_check_macro="--"
+        ;;
+esac
+if test "x$ax_pthread_check_macro" = "x--"; then :
+  ax_pthread_check_cond=0
+else
+  ax_pthread_check_cond="!defined($ax_pthread_check_macro)"
+fi
+
+# Are we compiling with Clang?
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC is Clang" >&5
+$as_echo_n "checking whether $CC is Clang... " >&6; }
+if ${ax_cv_PTHREAD_CLANG+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ax_cv_PTHREAD_CLANG=no
+     # Note that Autoconf sets GCC=yes for Clang as well as GCC
+     if test "x$GCC" = "xyes"; then
+        cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+/* Note: Clang 2.7 lacks __clang_[a-z]+__ */
+#            if defined(__clang__) && defined(__llvm__)
+             AX_PTHREAD_CC_IS_CLANG
+#            endif
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  $EGREP "AX_PTHREAD_CC_IS_CLANG" >/dev/null 2>&1; then :
+  ax_cv_PTHREAD_CLANG=yes
+fi
+rm -f conftest*
+
+     fi
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_PTHREAD_CLANG" >&5
+$as_echo "$ax_cv_PTHREAD_CLANG" >&6; }
+ax_pthread_clang="$ax_cv_PTHREAD_CLANG"
+
+ax_pthread_clang_warning=no
+
+# Clang needs special handling, because older versions handle the -pthread
+# option in a rather... idiosyncratic way
+
+if test "x$ax_pthread_clang" = "xyes"; then
+
+        # Clang takes -pthread; it has never supported any other flag
+
+        # (Note 1: This will need to be revisited if a system that Clang
+        # supports has POSIX threads in a separate library.  This tends not
+        # to be the way of modern systems, but it's conceivable.)
+
+        # (Note 2: On some systems, notably Darwin, -pthread is not needed
+        # to get POSIX threads support; the API is always present and
+        # active.  We could reasonably leave PTHREAD_CFLAGS empty.  But
+        # -pthread does define _REENTRANT, and while the Darwin headers
+        # ignore this macro, third-party headers might not.)
+
+        PTHREAD_CFLAGS="-pthread"
+        PTHREAD_LIBS=
+
+        ax_pthread_ok=yes
+
+        # However, older versions of Clang make a point of warning the user
+        # that, in an invocation where only linking and no compilation is
+        # taking place, the -pthread option has no effect ("argument unused
+        # during compilation").  They expect -pthread to be passed in only
+        # when source code is being compiled.
+        #
+        # Problem is, this is at odds with the way Automake and most other
+        # C build frameworks function, which is that the same flags used in
+        # compilation (CFLAGS) are also used in linking.  Many systems
+        # supported by AX_PTHREAD require exactly this for POSIX threads
+        # support, and in fact it is often not straightforward to specify a
+        # flag that is used only in the compilation phase and not in
+        # linking.  Such a scenario is extremely rare in practice.
+        #
+        # Even though use of the -pthread flag in linking would only print
+        # a warning, this can be a nuisance for well-run software projects
+        # that build with -Werror.  So if the active version of Clang has
+        # this misfeature, we search for an option to squash it.
+
+        { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether Clang needs flag to prevent \"argument unused\" warning when linking with -pthread" >&5
+$as_echo_n "checking whether Clang needs flag to prevent \"argument unused\" warning when linking with -pthread... " >&6; }
+if ${ax_cv_PTHREAD_CLANG_NO_WARN_FLAG+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ax_cv_PTHREAD_CLANG_NO_WARN_FLAG=unknown
+             # Create an alternate version of $ac_link that compiles and
+             # links in two steps (.c -> .o, .o -> exe) instead of one
+             # (.c -> exe), because the warning occurs only in the second
+             # step
+             ax_pthread_save_ac_link="$ac_link"
+             ax_pthread_sed='s/conftest\.\$ac_ext/conftest.$ac_objext/g'
+             ax_pthread_link_step=`$as_echo "$ac_link" | sed "$ax_pthread_sed"`
+             ax_pthread_2step_ac_link="($ac_compile) && (echo ==== >&5) && ($ax_pthread_link_step)"
+             ax_pthread_save_CFLAGS="$CFLAGS"
+             for ax_pthread_try in '' -Qunused-arguments -Wno-unused-command-line-argument unknown; do
+                if test "x$ax_pthread_try" = "xunknown"; then :
+  break
+fi
+                CFLAGS="-Werror -Wunknown-warning-option $ax_pthread_try -pthread $ax_pthread_save_CFLAGS"
+                ac_link="$ax_pthread_save_ac_link"
+                cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+int main(void){return 0;}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_link="$ax_pthread_2step_ac_link"
+                     cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+int main(void){return 0;}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  break
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+             done
+             ac_link="$ax_pthread_save_ac_link"
+             CFLAGS="$ax_pthread_save_CFLAGS"
+             if test "x$ax_pthread_try" = "x"; then :
+  ax_pthread_try=no
+fi
+             ax_cv_PTHREAD_CLANG_NO_WARN_FLAG="$ax_pthread_try"
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_PTHREAD_CLANG_NO_WARN_FLAG" >&5
+$as_echo "$ax_cv_PTHREAD_CLANG_NO_WARN_FLAG" >&6; }
+
+        case "$ax_cv_PTHREAD_CLANG_NO_WARN_FLAG" in
+                no | unknown) ;;
+                *) PTHREAD_CFLAGS="$ax_cv_PTHREAD_CLANG_NO_WARN_FLAG $PTHREAD_CFLAGS" ;;
+        esac
+
+fi # $ax_pthread_clang = yes
+
+if test "x$ax_pthread_ok" = "xno"; then
+for ax_pthread_try_flag in $ax_pthread_flags; do
+
+        case $ax_pthread_try_flag in
+                none)
+                { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether pthreads work without any flags" >&5
+$as_echo_n "checking whether pthreads work without any flags... " >&6; }
+                ;;
+
+                -mt,pthread)
+                { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether pthreads work with -mt -lpthread" >&5
+$as_echo_n "checking whether pthreads work with -mt -lpthread... " >&6; }
+                PTHREAD_CFLAGS="-mt"
+                PTHREAD_LIBS="-lpthread"
+                ;;
+
+                -*)
+                { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether pthreads work with $ax_pthread_try_flag" >&5
+$as_echo_n "checking whether pthreads work with $ax_pthread_try_flag... " >&6; }
+                PTHREAD_CFLAGS="$ax_pthread_try_flag"
+                ;;
+
+                pthread-config)
+                # Extract the first word of "pthread-config", so it can be a program name with args.
+set dummy pthread-config; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_ax_pthread_config+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$ax_pthread_config"; then
+  ac_cv_prog_ax_pthread_config="$ax_pthread_config" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_ax_pthread_config="yes"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  test -z "$ac_cv_prog_ax_pthread_config" && ac_cv_prog_ax_pthread_config="no"
+fi
+fi
+ax_pthread_config=$ac_cv_prog_ax_pthread_config
+if test -n "$ax_pthread_config"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_pthread_config" >&5
+$as_echo "$ax_pthread_config" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+                if test "x$ax_pthread_config" = "xno"; then :
+  continue
+fi
+                PTHREAD_CFLAGS="`pthread-config --cflags`"
+                PTHREAD_LIBS="`pthread-config --ldflags` `pthread-config --libs`"
+                ;;
+
+                *)
+                { $as_echo "$as_me:${as_lineno-$LINENO}: checking for the pthreads library -l$ax_pthread_try_flag" >&5
+$as_echo_n "checking for the pthreads library -l$ax_pthread_try_flag... " >&6; }
+                PTHREAD_LIBS="-l$ax_pthread_try_flag"
+                ;;
+        esac
+
+        ax_pthread_save_CFLAGS="$CFLAGS"
+        ax_pthread_save_LIBS="$LIBS"
+        CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
+        LIBS="$PTHREAD_LIBS $LIBS"
+
+        # Check for various functions.  We must include pthread.h,
+        # since some functions may be macros.  (On the Sequent, we
+        # need a special flag -Kthread to make this header compile.)
+        # We check for pthread_join because it is in -lpthread on IRIX
+        # while pthread_create is in libc.  We check for pthread_attr_init
+        # due to DEC craziness with -lpthreads.  We check for
+        # pthread_cleanup_push because it is one of the few pthread
+        # functions on Solaris that doesn't have a non-functional libc stub.
+        # We try pthread_create on general principles.
+
+        cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <pthread.h>
+#                       if $ax_pthread_check_cond
+#                        error "$ax_pthread_check_macro must be defined"
+#                       endif
+                        static void routine(void *a) { a = 0; }
+                        static void *start_routine(void *a) { return a; }
+int
+main ()
+{
+pthread_t th; pthread_attr_t attr;
+                        pthread_create(&th, 0, start_routine, 0);
+                        pthread_join(th, 0);
+                        pthread_attr_init(&attr);
+                        pthread_cleanup_push(routine, 0);
+                        pthread_cleanup_pop(0) /* ; */
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ax_pthread_ok=yes
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+
+        CFLAGS="$ax_pthread_save_CFLAGS"
+        LIBS="$ax_pthread_save_LIBS"
+
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_pthread_ok" >&5
+$as_echo "$ax_pthread_ok" >&6; }
+        if test "x$ax_pthread_ok" = "xyes"; then :
+  break
+fi
+
+        PTHREAD_LIBS=""
+        PTHREAD_CFLAGS=""
+done
+fi
+
+# Various other checks:
+if test "x$ax_pthread_ok" = "xyes"; then
+        ax_pthread_save_CFLAGS="$CFLAGS"
+        ax_pthread_save_LIBS="$LIBS"
+        CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
+        LIBS="$PTHREAD_LIBS $LIBS"
+
+        # Detect AIX lossage: JOINABLE attribute is called UNDETACHED.
+        { $as_echo "$as_me:${as_lineno-$LINENO}: checking for joinable pthread attribute" >&5
+$as_echo_n "checking for joinable pthread attribute... " >&6; }
+if ${ax_cv_PTHREAD_JOINABLE_ATTR+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ax_cv_PTHREAD_JOINABLE_ATTR=unknown
+             for ax_pthread_attr in PTHREAD_CREATE_JOINABLE PTHREAD_CREATE_UNDETACHED; do
+                 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <pthread.h>
+int
+main ()
+{
+int attr = $ax_pthread_attr; return attr /* ; */
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ax_cv_PTHREAD_JOINABLE_ATTR=$ax_pthread_attr; break
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+             done
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_PTHREAD_JOINABLE_ATTR" >&5
+$as_echo "$ax_cv_PTHREAD_JOINABLE_ATTR" >&6; }
+        if test "x$ax_cv_PTHREAD_JOINABLE_ATTR" != "xunknown" && \
+               test "x$ax_cv_PTHREAD_JOINABLE_ATTR" != "xPTHREAD_CREATE_JOINABLE" && \
+               test "x$ax_pthread_joinable_attr_defined" != "xyes"; then :
+
+cat >>confdefs.h <<_ACEOF
+#define PTHREAD_CREATE_JOINABLE $ax_cv_PTHREAD_JOINABLE_ATTR
+_ACEOF
+
+               ax_pthread_joinable_attr_defined=yes
+
+fi
+
+        { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether more special flags are required for pthreads" >&5
+$as_echo_n "checking whether more special flags are required for pthreads... " >&6; }
+if ${ax_cv_PTHREAD_SPECIAL_FLAGS+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ax_cv_PTHREAD_SPECIAL_FLAGS=no
+             case $host_os in
+             solaris*)
+             ax_cv_PTHREAD_SPECIAL_FLAGS="-D_POSIX_PTHREAD_SEMANTICS"
+             ;;
+             esac
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_PTHREAD_SPECIAL_FLAGS" >&5
+$as_echo "$ax_cv_PTHREAD_SPECIAL_FLAGS" >&6; }
+        if test "x$ax_cv_PTHREAD_SPECIAL_FLAGS" != "xno" && \
+               test "x$ax_pthread_special_flags_added" != "xyes"; then :
+  PTHREAD_CFLAGS="$ax_cv_PTHREAD_SPECIAL_FLAGS $PTHREAD_CFLAGS"
+               ax_pthread_special_flags_added=yes
+fi
+
+        { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PTHREAD_PRIO_INHERIT" >&5
+$as_echo_n "checking for PTHREAD_PRIO_INHERIT... " >&6; }
+if ${ax_cv_PTHREAD_PRIO_INHERIT+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <pthread.h>
+int
+main ()
+{
+int i = PTHREAD_PRIO_INHERIT;
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ax_cv_PTHREAD_PRIO_INHERIT=yes
+else
+  ax_cv_PTHREAD_PRIO_INHERIT=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_PTHREAD_PRIO_INHERIT" >&5
+$as_echo "$ax_cv_PTHREAD_PRIO_INHERIT" >&6; }
+        if test "x$ax_cv_PTHREAD_PRIO_INHERIT" = "xyes" && \
+               test "x$ax_pthread_prio_inherit_defined" != "xyes"; then :
+
+$as_echo "#define HAVE_PTHREAD_PRIO_INHERIT 1" >>confdefs.h
+
+               ax_pthread_prio_inherit_defined=yes
+
+fi
+
+        CFLAGS="$ax_pthread_save_CFLAGS"
+        LIBS="$ax_pthread_save_LIBS"
+
+        # More AIX lossage: compile with *_r variant
+        if test "x$GCC" != "xyes"; then
+            case $host_os in
+                aix*)
+                case "x/$CC" in #(
+  x*/c89|x*/c89_128|x*/c99|x*/c99_128|x*/cc|x*/cc128|x*/xlc|x*/xlc_v6|x*/xlc128|x*/xlc128_v6) :
+    #handle absolute path differently from PATH based program lookup
+                     case "x$CC" in #(
+  x/*) :
+    if as_fn_executable_p ${CC}_r; then :
+  PTHREAD_CC="${CC}_r"
+fi ;; #(
+  *) :
+    for ac_prog in ${CC}_r
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_PTHREAD_CC+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$PTHREAD_CC"; then
+  ac_cv_prog_PTHREAD_CC="$PTHREAD_CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_PTHREAD_CC="$ac_prog"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+PTHREAD_CC=$ac_cv_prog_PTHREAD_CC
+if test -n "$PTHREAD_CC"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PTHREAD_CC" >&5
+$as_echo "$PTHREAD_CC" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+  test -n "$PTHREAD_CC" && break
+done
+test -n "$PTHREAD_CC" || PTHREAD_CC="$CC"
+ ;;
+esac ;; #(
+  *) :
+     ;;
+esac
+                ;;
+            esac
+        fi
+fi
+
+test -n "$PTHREAD_CC" || PTHREAD_CC="$CC"
+
+
+
+
+
+# Finally, execute ACTION-IF-FOUND/ACTION-IF-NOT-FOUND:
+if test "x$ax_pthread_ok" = "xyes"; then
+
+$as_echo "#define HAVE_PTHREAD 1" >>confdefs.h
+
+        :
+else
+        ax_pthread_ok=no
+
+fi
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+
+
+LIBS="$PTHREAD_LIBS $LIBS"
+CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
+CC="$PTHREAD_CC"
+
+for ac_func in pthread_attr_getstacksize pthread_attr_setstacksize
+do :
+  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+done
+
+
+# [pairwise: --with-locktype=adaptive, --with-locktype=standard]
+
+# Check whether --with-locktype was given.
+if test "${with_locktype+set}" = set; then :
+  withval=$with_locktype;
+else
+  with_locktype="adaptive"
+fi
+
+
+case $with_locktype in #(
+  adaptive) :
+
+	  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PTHREAD_MUTEX_ADAPTIVE_NP" >&5
+$as_echo_n "checking for PTHREAD_MUTEX_ADAPTIVE_NP... " >&6; }
+	  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+		 #ifndef _GNU_SOURCE
+		 #define _GNU_SOURCE
+		 #endif
+		 #include <pthread.h>
+
+int
+main ()
+{
+
+		 return (PTHREAD_MUTEX_ADAPTIVE_NP);
+
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: using adaptive lock type" >&5
+$as_echo "using adaptive lock type" >&6; }
+
+$as_echo "#define HAVE_PTHREAD_MUTEX_ADAPTIVE_NP 1" >>confdefs.h
+
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: using standard lock type" >&5
+$as_echo "using standard lock type" >&6; }
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ;; #(
+  standard) :
+    { $as_echo "$as_me:${as_lineno-$LINENO}: result: using standard lock type" >&5
+$as_echo "using standard lock type" >&6; } ;; #(
+  *) :
+    as_fn_error $? "You must specify \"adaptive\" or \"standard\" for --with-locktype." "$LINENO" 5
+        ;;
+esac
+
+for ac_header in sched.h
+do :
+  ac_fn_c_check_header_mongrel "$LINENO" "sched.h" "ac_cv_header_sched_h" "$ac_includes_default"
+if test "x$ac_cv_header_sched_h" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_SCHED_H 1
+_ACEOF
+
+fi
+
+done
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing sched_yield" >&5
+$as_echo_n "checking for library containing sched_yield... " >&6; }
+if ${ac_cv_search_sched_yield+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_func_search_save_LIBS=$LIBS
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char sched_yield ();
+int
+main ()
+{
+return sched_yield ();
+  ;
+  return 0;
+}
+_ACEOF
+for ac_lib in '' rt; do
+  if test -z "$ac_lib"; then
+    ac_res="none required"
+  else
+    ac_res=-l$ac_lib
+    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
+  fi
+  if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_search_sched_yield=$ac_res
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext
+  if ${ac_cv_search_sched_yield+:} false; then :
+  break
+fi
+done
+if ${ac_cv_search_sched_yield+:} false; then :
+
+else
+  ac_cv_search_sched_yield=no
+fi
+rm conftest.$ac_ext
+LIBS=$ac_func_search_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_sched_yield" >&5
+$as_echo "$ac_cv_search_sched_yield" >&6; }
+ac_res=$ac_cv_search_sched_yield
+if test "$ac_res" != no; then :
+  test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
+
+fi
+
+for ac_func in sched_yield pthread_yield pthread_yield_np
+do :
+  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+done
+
+
+# Look for functions relating to thread naming
+for ac_func in pthread_setname_np pthread_set_name_np
+do :
+  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+done
+
+for ac_header in pthread_np.h
+do :
+  ac_fn_c_check_header_compile "$LINENO" "pthread_np.h" "ac_cv_header_pthread_np_h" "#include <pthread.h>
+"
+if test "x$ac_cv_header_pthread_np_h" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_PTHREAD_NP_H 1
+_ACEOF
+
+fi
+
+done
+
+
+# libuv
+
+pkg_failed=no
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for libuv >= 1.37.0" >&5
+printf %s "checking for libuv >= 1.37.0... " >&6; }
+
+if test -n "$LIBUV_CFLAGS"; then
+    pkg_cv_LIBUV_CFLAGS="$LIBUV_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libuv >= 1.37.0\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "libuv >= 1.37.0") 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_LIBUV_CFLAGS=`$PKG_CONFIG --cflags "libuv >= 1.37.0" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+if test -n "$LIBUV_LIBS"; then
+    pkg_cv_LIBUV_LIBS="$LIBUV_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libuv >= 1.37.0\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "libuv >= 1.37.0") 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_LIBUV_LIBS=`$PKG_CONFIG --libs "libuv >= 1.37.0" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+        { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
+printf "%s\n" "no" >&6; }
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi
+        if test $_pkg_short_errors_supported = yes; then
+	        LIBUV_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libuv >= 1.37.0" 2>&1`
+        else
+	        LIBUV_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libuv >= 1.37.0" 2>&1`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$LIBUV_PKG_ERRORS" >&5
+
+
+pkg_failed=no
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for libuv >= 1.0.0 libuv < 1.35.0" >&5
+printf %s "checking for libuv >= 1.0.0 libuv < 1.35.0... " >&6; }
+
+if test -n "$LIBUV_CFLAGS"; then
+    pkg_cv_LIBUV_CFLAGS="$LIBUV_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libuv >= 1.0.0 libuv < 1.35.0\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "libuv >= 1.0.0 libuv < 1.35.0") 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_LIBUV_CFLAGS=`$PKG_CONFIG --cflags "libuv >= 1.0.0 libuv < 1.35.0" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+if test -n "$LIBUV_LIBS"; then
+    pkg_cv_LIBUV_LIBS="$LIBUV_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libuv >= 1.0.0 libuv < 1.35.0\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "libuv >= 1.0.0 libuv < 1.35.0") 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_LIBUV_LIBS=`$PKG_CONFIG --libs "libuv >= 1.0.0 libuv < 1.35.0" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+        { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
+printf "%s\n" "no" >&6; }
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi
+        if test $_pkg_short_errors_supported = yes; then
+	        LIBUV_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libuv >= 1.0.0 libuv < 1.35.0" 2>&1`
+        else
+	        LIBUV_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libuv >= 1.0.0 libuv < 1.35.0" 2>&1`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$LIBUV_PKG_ERRORS" >&5
+
+	as_fn_error $? "libuv >= 1.0.0 (except 1.35.0 and 1.36.0) not found" "$LINENO" 5
+elif test $pkg_failed = untried; then
+        { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
+printf "%s\n" "no" >&6; }
+	as_fn_error $? "libuv >= 1.0.0 (except 1.35.0 and 1.36.0) not found" "$LINENO" 5
+else
+	LIBUV_CFLAGS=$pkg_cv_LIBUV_CFLAGS
+	LIBUV_LIBS=$pkg_cv_LIBUV_LIBS
+        { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+printf "%s\n" "yes" >&6; }
+
+fi
+elif test $pkg_failed = untried; then
+        { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
+printf "%s\n" "no" >&6; }
+
+pkg_failed=no
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for libuv >= 1.0.0 libuv < 1.35.0" >&5
+printf %s "checking for libuv >= 1.0.0 libuv < 1.35.0... " >&6; }
+
+if test -n "$LIBUV_CFLAGS"; then
+    pkg_cv_LIBUV_CFLAGS="$LIBUV_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libuv >= 1.0.0 libuv < 1.35.0\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "libuv >= 1.0.0 libuv < 1.35.0") 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_LIBUV_CFLAGS=`$PKG_CONFIG --cflags "libuv >= 1.0.0 libuv < 1.35.0" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+if test -n "$LIBUV_LIBS"; then
+    pkg_cv_LIBUV_LIBS="$LIBUV_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libuv >= 1.0.0 libuv < 1.35.0\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "libuv >= 1.0.0 libuv < 1.35.0") 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_LIBUV_LIBS=`$PKG_CONFIG --libs "libuv >= 1.0.0 libuv < 1.35.0" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+        { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
+printf "%s\n" "no" >&6; }
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi
+        if test $_pkg_short_errors_supported = yes; then
+	        LIBUV_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libuv >= 1.0.0 libuv < 1.35.0" 2>&1`
+        else
+	        LIBUV_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libuv >= 1.0.0 libuv < 1.35.0" 2>&1`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$LIBUV_PKG_ERRORS" >&5
+
+	as_fn_error $? "libuv >= 1.0.0 (except 1.35.0 and 1.36.0) not found" "$LINENO" 5
+elif test $pkg_failed = untried; then
+        { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
+printf "%s\n" "no" >&6; }
+	as_fn_error $? "libuv >= 1.0.0 (except 1.35.0 and 1.36.0) not found" "$LINENO" 5
+else
+	LIBUV_CFLAGS=$pkg_cv_LIBUV_CFLAGS
+	LIBUV_LIBS=$pkg_cv_LIBUV_LIBS
+        { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+printf "%s\n" "yes" >&6; }
+
+fi
+else
+	LIBUV_CFLAGS=$pkg_cv_LIBUV_CFLAGS
+	LIBUV_LIBS=$pkg_cv_LIBUV_LIBS
+        { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+printf "%s\n" "yes" >&6; }
+
+fi
+
+
+
+  CCASFLAGS_libuv_ax_save_flags=$CCASFLAGS
+
+
+
+  CFLAGS_libuv_ax_save_flags=$CFLAGS
+
+
+
+  CPPFLAGS_libuv_ax_save_flags=$CPPFLAGS
+
+
+
+  CXXFLAGS_libuv_ax_save_flags=$CXXFLAGS
+
+
+
+  ERLCFLAGS_libuv_ax_save_flags=$ERLCFLAGS
+
+
+
+  FCFLAGS_libuv_ax_save_flags=$FCFLAGS
+
+
+
+  FCLIBS_libuv_ax_save_flags=$FCLIBS
+
+
+
+  FFLAGS_libuv_ax_save_flags=$FFLAGS
+
+
+
+  FLIBS_libuv_ax_save_flags=$FLIBS
+
+
+
+  GCJFLAGS_libuv_ax_save_flags=$GCJFLAGS
+
+
+
+  JAVACFLAGS_libuv_ax_save_flags=$JAVACFLAGS
+
+
+
+  LDFLAGS_libuv_ax_save_flags=$LDFLAGS
+
+
+
+  LIBS_libuv_ax_save_flags=$LIBS
+
+
+
+  OBJCFLAGS_libuv_ax_save_flags=$OBJCFLAGS
+
+
+
+  OBJCXXFLAGS_libuv_ax_save_flags=$OBJCXXFLAGS
+
+
+
+  UPCFLAGS_libuv_ax_save_flags=$UPCFLAGS
+
+
+
+  VALAFLAGS_libuv_ax_save_flags=$VALAFLAGS
+
+
+
+CFLAGS="$CFLAGS $LIBUV_CFLAGS"
+LIBS="$LIBS $LIBUV_LIBS"
+
+# libuv recvmmsg support
+ac_fn_c_check_decl "$LINENO" "UV_UDP_MMSG_FREE" "ac_cv_have_decl_UV_UDP_MMSG_FREE" "#include <uv.h>
+"
+if test "x$ac_cv_have_decl_UV_UDP_MMSG_FREE" = xyes; then :
+  ac_have_decl=1
+else
+  ac_have_decl=0
+fi
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_UV_UDP_MMSG_FREE $ac_have_decl
+_ACEOF
+ac_fn_c_check_decl "$LINENO" "UV_UDP_MMSG_CHUNK" "ac_cv_have_decl_UV_UDP_MMSG_CHUNK" "#include <uv.h>
+"
+if test "x$ac_cv_have_decl_UV_UDP_MMSG_CHUNK" = xyes; then :
+  ac_have_decl=1
+else
+  ac_have_decl=0
+fi
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_UV_UDP_MMSG_CHUNK $ac_have_decl
+_ACEOF
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether struct msghdr uses padding for alignment" >&5
+$as_echo_n "checking whether struct msghdr uses padding for alignment... " >&6; }
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <sys/socket.h>
+int
+main ()
+{
+const struct msghdr h = { .__pad1 = 0, .__pad2 = 0 };
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+$as_echo "#define HAVE_DECL_UV_UDP_RECVMMSG 0" >>confdefs.h
+
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+		   ac_fn_c_check_decl "$LINENO" "UV_UDP_RECVMMSG" "ac_cv_have_decl_UV_UDP_RECVMMSG" "#include <uv.h>
+"
+if test "x$ac_cv_have_decl_UV_UDP_RECVMMSG" = xyes; then :
+  ac_have_decl=1
+else
+  ac_have_decl=0
+fi
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_UV_UDP_RECVMMSG $ac_have_decl
+_ACEOF
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
+
+  CCASFLAGS=$CCASFLAGS_libuv_ax_save_flags
+
+
+  CFLAGS=$CFLAGS_libuv_ax_save_flags
+
+
+  CPPFLAGS=$CPPFLAGS_libuv_ax_save_flags
+
+
+  CXXFLAGS=$CXXFLAGS_libuv_ax_save_flags
+
+
+  ERLCFLAGS=$ERLCFLAGS_libuv_ax_save_flags
+
+
+  FCFLAGS=$FCFLAGS_libuv_ax_save_flags
+
+
+  FCLIBS=$FCLIBS_libuv_ax_save_flags
+
+
+  FFLAGS=$FFLAGS_libuv_ax_save_flags
+
+
+  FLIBS=$FLIBS_libuv_ax_save_flags
+
+
+  GCJFLAGS=$GCJFLAGS_libuv_ax_save_flags
+
+
+  JAVACFLAGS=$JAVACFLAGS_libuv_ax_save_flags
+
+
+  LDFLAGS=$LDFLAGS_libuv_ax_save_flags
+
+
+  LIBS=$LIBS_libuv_ax_save_flags
+
+
+  OBJCFLAGS=$OBJCFLAGS_libuv_ax_save_flags
+
+
+  OBJCXXFLAGS=$OBJCXXFLAGS_libuv_ax_save_flags
+
+
+  UPCFLAGS=$UPCFLAGS_libuv_ax_save_flags
+
+
+  VALAFLAGS=$VALAFLAGS_libuv_ax_save_flags
+
+
+
+
+#
+# flockfile is usually provided by pthreads
+#
+for ac_func in flockfile getc_unlocked
+do :
+  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+done
+
+
+#
+# Look for sysconf to allow detection of the number of processors.
+#
+for ac_func in sysconf
+do :
+  ac_fn_c_check_func "$LINENO" "sysconf" "ac_cv_func_sysconf"
+if test "x$ac_cv_func_sysconf" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_SYSCONF 1
+_ACEOF
+
+fi
+done
+
+
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libtool" >&5
+$as_echo_n "checking for libtool... " >&6; }
+
+# [pairwise: --with-libtool, --without-libtool]
+
+# Check whether --with-libtool was given.
+if test "${with_libtool+set}" = set; then :
+  withval=$with_libtool; use_libtool="$withval"
+else
+  use_libtool="no"
+fi
+
+NO_LIBTOOL_ISCLIBS=
+NO_LIBTOOL_DNSLIBS=
+case $use_libtool in
+	yes)
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+		O=lo
+		A=la
+		LIBTOOL_MKDEP_SED='s;\.o;\.lo;'
+		LIBTOOL_MODE_COMPILE='--mode=compile'
+		LIBTOOL_MODE_INSTALL='--mode=install'
+		LIBTOOL_MODE_LINK='--mode=link'
+		LIBTOOL_MODE_UNINSTALL='--mode=uninstall'
+		INSTALL_LIBRARY='${INSTALL_PROGRAM}'
+
+$as_echo "#define USE_LIBTOOL 1" >>confdefs.h
+
+		;;
+	*)
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+		O=o
+		A=a
+		LIBTOOL=
+
+		LIBTOOL_MKDEP_SED=
+		LIBTOOL_MODE_COMPILE=
+		LIBTOOL_MODE_INSTALL=
+		LIBTOOL_MODE_LINK=
+		LIBTOOL_MODE_UNINSTALL=
+		INSTALL_LIBRARY='${INSTALL_DATA}'
+		NO_LIBTOOL_ISCLIBS='${NO_LIBTOOL_ISCLIBS}'
+		NO_LIBTOOL_DNSLIBS='${NO_LIBTOOL_DNSLIBS}'
+		;;
+esac
+
+
+
+
+#
+# Do we want to use pthread rwlock?
+#
+# [pairwise: --enable-pthread-rwlock, --disable-pthread-rwlock]
+# Check whether --enable-pthread_rwlock was given.
+if test "${enable_pthread_rwlock+set}" = set; then :
+  enableval=$enable_pthread_rwlock;
+else
+  enable_pthread_rwlock=no
+fi
+
+
+if test "$enable_pthread_rwlock" = "yes"; then :
+  for ac_func in pthread_rwlock_rdlock
+do :
+  ac_fn_c_check_func "$LINENO" "pthread_rwlock_rdlock" "ac_cv_func_pthread_rwlock_rdlock"
+if test "x$ac_cv_func_pthread_rwlock_rdlock" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_PTHREAD_RWLOCK_RDLOCK 1
+_ACEOF
+
+else
+  as_fn_error $? "pthread_rwlock_rdlock requested but not found" "$LINENO" 5
+fi
+done
+
+
+$as_echo "#define USE_PTHREAD_RWLOCK 1" >>confdefs.h
+
+
+fi
+
+CRYPTO=OpenSSL
+
+#
+# OpenSSL/LibreSSL is mandatory
+#
+
+pkg_failed=no
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libssl libcrypto" >&5
+$as_echo_n "checking for libssl libcrypto... " >&6; }
+
+if test -n "$OPENSSL_CFLAGS"; then
+    pkg_cv_OPENSSL_CFLAGS="$OPENSSL_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libssl libcrypto\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "libssl libcrypto") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_OPENSSL_CFLAGS=`$PKG_CONFIG --cflags "libssl libcrypto" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+if test -n "$OPENSSL_LIBS"; then
+    pkg_cv_OPENSSL_LIBS="$OPENSSL_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libssl libcrypto\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "libssl libcrypto") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_OPENSSL_LIBS=`$PKG_CONFIG --libs "libssl libcrypto" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi
+        if test $_pkg_short_errors_supported = yes; then
+	        OPENSSL_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libssl libcrypto" 2>&1`
+        else
+	        OPENSSL_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libssl libcrypto" 2>&1`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$OPENSSL_PKG_ERRORS" >&5
+
+
+    found=false
+    default_ssldirs="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/local/opt/openssl /usr/local/opt/libressl /usr"
+
+# Check whether --with-openssl was given.
+if test "${with_openssl+set}" = set; then :
+  withval=$with_openssl;
+	    case $with_openssl in #(
+  ""|y|ye|yes) :
+    ssldirs="$default_ssldirs" ;; #(
+  n|no) :
+    as_fn_error $? "Invalid --with-openssl value" "$LINENO" 5 ;; #(
+  *) :
+    ssldirs="$withval" ;; #(
+  *) :
+    ssldirs="$default_ssldirs"
+	     ;;
+esac
+
+else
+
+            # if pkg-config is installed and openssl has installed a .pc file,
+            # then use that information and don't search ssldirs
+
+pkg_failed=no
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for crypto" >&5
+$as_echo_n "checking for crypto... " >&6; }
+
+if test -n "$OPENSSL_CFLAGS"; then
+    pkg_cv_OPENSSL_CFLAGS="$OPENSSL_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"crypto\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "crypto") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_OPENSSL_CFLAGS=`$PKG_CONFIG --cflags "crypto" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+if test -n "$OPENSSL_LIBS"; then
+    pkg_cv_OPENSSL_LIBS="$OPENSSL_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"crypto\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "crypto") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_OPENSSL_LIBS=`$PKG_CONFIG --libs "crypto" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi
+        if test $_pkg_short_errors_supported = yes; then
+	        OPENSSL_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "crypto" 2>&1`
+        else
+	        OPENSSL_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "crypto" 2>&1`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$OPENSSL_PKG_ERRORS" >&5
+
+	ssldirs="$default_ssldirs"
+elif test $pkg_failed = untried; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+	ssldirs="$default_ssldirs"
+else
+	OPENSSL_CFLAGS=$pkg_cv_OPENSSL_CFLAGS
+	OPENSSL_LIBS=$pkg_cv_OPENSSL_LIBS
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+	found=true
+fi
+
+
+
+fi
+
+
+
+    # note that we #include <openssl/foo.h>, so the OpenSSL headers have to be in
+    # an 'openssl' subdirectory
+
+    if ! $found; then :
+
+        OPENSSL_CFLAGS=
+        for ssldir in $ssldirs; do
+            { $as_echo "$as_me:${as_lineno-$LINENO}: checking for openssl/ssl.h in $ssldir" >&5
+$as_echo_n "checking for openssl/ssl.h in $ssldir... " >&6; }
+	    if test -f "$ssldir/include/openssl/ssl.h"; then :
+
+		    OPENSSL_CFLAGS="-I$ssldir/include"
+                    OPENSSL_LIBS="-L$ssldir/lib -lssl -lcrypto"
+                    found=true
+                    { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+                    break
+
+else
+
+		    { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+fi
+        done
+
+        # if the file wasn't found, well, go ahead and try the link anyway -- maybe
+        # it will just work!
+
+fi
+
+    # try the preprocessor and linker with our new flags,
+    # being careful not to pollute the global LIBS, LDFLAGS, and CPPFLAGS
+
+    { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether compiling and linking against OpenSSL works" >&5
+$as_echo_n "checking whether compiling and linking against OpenSSL works... " >&6; }
+    # AC_MSG_NOTICE([Trying link with OPENSSL_LIBS=$OPENSSL_LIBS; OPENSSL_CFLAGS=$OPENSSL_CFLAGS])
+
+    save_LIBS="$LIBS"
+    save_CPPFLAGS="$CPPFLAGS"
+    LIBS="$OPENSSL_LIBS $LIBS"
+    CPPFLAGS="$OPENSSL_CFLAGS $CPPFLAGS"
+    cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+                #include <openssl/crypto.h>
+
+int
+main ()
+{
+
+	        OPENSSL_free(NULL);
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+
+            { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+            :
+
+else
+
+            { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+            { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "OpenSSL/LibreSSL not found
+See \`config.log' for more details" "$LINENO" 5; }
+
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+    CPPFLAGS="$save_CPPFLAGS"
+    LIBS="$save_LIBS"
+
+
+
+
+elif test $pkg_failed = untried; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+    found=false
+    default_ssldirs="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/local/opt/openssl /usr/local/opt/libressl /usr"
+
+# Check whether --with-openssl was given.
+if test "${with_openssl+set}" = set; then :
+  withval=$with_openssl;
+	    case $with_openssl in #(
+  ""|y|ye|yes) :
+    ssldirs="$default_ssldirs" ;; #(
+  n|no) :
+    as_fn_error $? "Invalid --with-openssl value" "$LINENO" 5 ;; #(
+  *) :
+    ssldirs="$withval" ;; #(
+  *) :
+    ssldirs="$default_ssldirs"
+	     ;;
+esac
+
+else
+
+            # if pkg-config is installed and openssl has installed a .pc file,
+            # then use that information and don't search ssldirs
+
+pkg_failed=no
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for crypto" >&5
+$as_echo_n "checking for crypto... " >&6; }
+
+if test -n "$OPENSSL_CFLAGS"; then
+    pkg_cv_OPENSSL_CFLAGS="$OPENSSL_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"crypto\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "crypto") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_OPENSSL_CFLAGS=`$PKG_CONFIG --cflags "crypto" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+if test -n "$OPENSSL_LIBS"; then
+    pkg_cv_OPENSSL_LIBS="$OPENSSL_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"crypto\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "crypto") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_OPENSSL_LIBS=`$PKG_CONFIG --libs "crypto" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi
+        if test $_pkg_short_errors_supported = yes; then
+	        OPENSSL_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "crypto" 2>&1`
+        else
+	        OPENSSL_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "crypto" 2>&1`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$OPENSSL_PKG_ERRORS" >&5
+
+	ssldirs="$default_ssldirs"
+elif test $pkg_failed = untried; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+	ssldirs="$default_ssldirs"
+else
+	OPENSSL_CFLAGS=$pkg_cv_OPENSSL_CFLAGS
+	OPENSSL_LIBS=$pkg_cv_OPENSSL_LIBS
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+	found=true
+fi
+
+
+
+fi
+
+
+
+    # note that we #include <openssl/foo.h>, so the OpenSSL headers have to be in
+    # an 'openssl' subdirectory
+
+    if ! $found; then :
+
+        OPENSSL_CFLAGS=
+        for ssldir in $ssldirs; do
+            { $as_echo "$as_me:${as_lineno-$LINENO}: checking for openssl/ssl.h in $ssldir" >&5
+$as_echo_n "checking for openssl/ssl.h in $ssldir... " >&6; }
+	    if test -f "$ssldir/include/openssl/ssl.h"; then :
+
+		    OPENSSL_CFLAGS="-I$ssldir/include"
+                    OPENSSL_LIBS="-L$ssldir/lib -lssl -lcrypto"
+                    found=true
+                    { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+                    break
+
+else
+
+		    { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+fi
+        done
+
+        # if the file wasn't found, well, go ahead and try the link anyway -- maybe
+        # it will just work!
+
+fi
+
+    # try the preprocessor and linker with our new flags,
+    # being careful not to pollute the global LIBS, LDFLAGS, and CPPFLAGS
+
+    { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether compiling and linking against OpenSSL works" >&5
+$as_echo_n "checking whether compiling and linking against OpenSSL works... " >&6; }
+    # AC_MSG_NOTICE([Trying link with OPENSSL_LIBS=$OPENSSL_LIBS; OPENSSL_CFLAGS=$OPENSSL_CFLAGS])
+
+    save_LIBS="$LIBS"
+    save_CPPFLAGS="$CPPFLAGS"
+    LIBS="$OPENSSL_LIBS $LIBS"
+    CPPFLAGS="$OPENSSL_CFLAGS $CPPFLAGS"
+    cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+                #include <openssl/crypto.h>
+
+int
+main ()
+{
+
+	        OPENSSL_free(NULL);
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+
+            { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+            :
+
+else
+
+            { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+            { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "OpenSSL/LibreSSL not found
+See \`config.log' for more details" "$LINENO" 5; }
+
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+    CPPFLAGS="$save_CPPFLAGS"
+    LIBS="$save_LIBS"
+
+
+
+
+else
+	OPENSSL_CFLAGS=$pkg_cv_OPENSSL_CFLAGS
+	OPENSSL_LIBS=$pkg_cv_OPENSSL_LIBS
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+fi
+
+
+
+  CCASFLAGS_openssl_ax_save_flags=$CCASFLAGS
+
+
+
+  CFLAGS_openssl_ax_save_flags=$CFLAGS
+
+
+
+  CPPFLAGS_openssl_ax_save_flags=$CPPFLAGS
+
+
+
+  CXXFLAGS_openssl_ax_save_flags=$CXXFLAGS
+
+
+
+  ERLCFLAGS_openssl_ax_save_flags=$ERLCFLAGS
+
+
+
+  FCFLAGS_openssl_ax_save_flags=$FCFLAGS
+
+
+
+  FCLIBS_openssl_ax_save_flags=$FCLIBS
+
+
+
+  FFLAGS_openssl_ax_save_flags=$FFLAGS
+
+
+
+  FLIBS_openssl_ax_save_flags=$FLIBS
+
+
+
+  GCJFLAGS_openssl_ax_save_flags=$GCJFLAGS
+
+
+
+  JAVACFLAGS_openssl_ax_save_flags=$JAVACFLAGS
+
+
+
+  LDFLAGS_openssl_ax_save_flags=$LDFLAGS
+
+
+
+  LIBS_openssl_ax_save_flags=$LIBS
+
+
+
+  OBJCFLAGS_openssl_ax_save_flags=$OBJCFLAGS
+
+
+
+  OBJCXXFLAGS_openssl_ax_save_flags=$OBJCXXFLAGS
+
+
+
+  UPCFLAGS_openssl_ax_save_flags=$UPCFLAGS
+
+
+
+  VALAFLAGS_openssl_ax_save_flags=$VALAFLAGS
+
+
+
+
+#
+# This maintenance branch of BIND 9 does not support new OpenSSL APIs
+# introduced in version 3.0.0.  Suppress compiler warnings about using
+# functions deprecated in newer OpenSSL versions as they will not be
+# addressed in BIND 9.16.
+#
+OPENSSL_CFLAGS="$OPENSSL_CFLAGS -DOPENSSL_SUPPRESS_DEPRECATED"
+
+CFLAGS="$CFLAGS $OPENSSL_CFLAGS"
+LIBS="$LIBS $OPENSSL_LIBS"
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL >= 1.0.0 or LibreSSL >= 2.7.0" >&5
+$as_echo_n "checking for OpenSSL >= 1.0.0 or LibreSSL >= 2.7.0... " >&6; }
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <openssl/opensslv.h>
+int
+main ()
+{
+#if (!defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER < 0x1000000fL)) || \\
+			   (defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER < 0x02070000fL))
+		       #error OpenSSL >= 1.0.0 or LibreSSL >= 2.7.0 required
+		       #endif
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "not found
+See \`config.log' for more details" "$LINENO" 5; }
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
+#
+# Check for functions added in OpenSSL or LibreSSL
+#
+
+for ac_func in OPENSSL_init_ssl OPENSSL_init_crypto OPENSSL_cleanup
+do :
+  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+done
+
+for ac_func in CRYPTO_zalloc
+do :
+  ac_fn_c_check_func "$LINENO" "CRYPTO_zalloc" "ac_cv_func_CRYPTO_zalloc"
+if test "x$ac_cv_func_CRYPTO_zalloc" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_CRYPTO_ZALLOC 1
+_ACEOF
+
+fi
+done
+
+for ac_func in EVP_CIPHER_CTX_new EVP_CIPHER_CTX_free
+do :
+  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+done
+
+for ac_func in EVP_MD_CTX_new EVP_MD_CTX_free EVP_MD_CTX_reset
+do :
+  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+done
+
+for ac_func in HMAC_CTX_new HMAC_CTX_free HMAC_CTX_reset HMAC_CTX_get_md
+do :
+  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+done
+
+for ac_func in SSL_read_ex SSL_peek_ex SSL_write_ex
+do :
+  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+done
+
+for ac_func in BIO_read_ex BIO_write_ex
+do :
+  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+done
+
+for ac_func in BN_GENCB_new
+do :
+  ac_fn_c_check_func "$LINENO" "BN_GENCB_new" "ac_cv_func_BN_GENCB_new"
+if test "x$ac_cv_func_BN_GENCB_new" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_BN_GENCB_NEW 1
+_ACEOF
+
+fi
+done
+
+for ac_func in SSL_CTX_up_ref
+do :
+  ac_fn_c_check_func "$LINENO" "SSL_CTX_up_ref" "ac_cv_func_SSL_CTX_up_ref"
+if test "x$ac_cv_func_SSL_CTX_up_ref" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_SSL_CTX_UP_REF 1
+_ACEOF
+
+fi
+done
+
+for ac_func in SSL_CTX_set_min_proto_version
+do :
+  ac_fn_c_check_func "$LINENO" "SSL_CTX_set_min_proto_version" "ac_cv_func_SSL_CTX_set_min_proto_version"
+if test "x$ac_cv_func_SSL_CTX_set_min_proto_version" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_SSL_CTX_SET_MIN_PROTO_VERSION 1
+_ACEOF
+
+fi
+done
+
+
+#
+# Check for algorithm support in OpenSSL
+#
+
+for ac_func in ECDSA_sign ECDSA_verify
+do :
+  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+ :
+else
+  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "ECDSA support in OpenSSL is mandatory.
+See \`config.log' for more details" "$LINENO" 5; }
+fi
+done
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ECDSA P-256 support" >&5
+$as_echo_n "checking for ECDSA P-256 support... " >&6; }
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <openssl/evp.h>
+		       #include <openssl/ec.h>
+int
+main ()
+{
+EC_KEY *key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "not found.  ECDSA P-256 support in OpenSSL is mandatory.
+See \`config.log' for more details" "$LINENO" 5; }
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ECDSA P-384 support" >&5
+$as_echo_n "checking for ECDSA P-384 support... " >&6; }
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <openssl/evp.h>
+		       #include <openssl/ec.h>
+int
+main ()
+{
+EC_KEY *key = EC_KEY_new_by_curve_name(NID_secp384r1);
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "not found.  ECDSA P-384 support in OpenSSL is mandatory.
+See \`config.log' for more details" "$LINENO" 5; }
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for Ed25519 support" >&5
+$as_echo_n "checking for Ed25519 support... " >&6; }
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <openssl/evp.h>
+		       #include <openssl/ec.h>
+int
+main ()
+{
+EC_KEY *key = EC_KEY_new_by_curve_name(NID_ED25519);
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+
+$as_echo "#define HAVE_OPENSSL_ED25519 1" >>confdefs.h
+
+     { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for Ed448 support" >&5
+$as_echo_n "checking for Ed448 support... " >&6; }
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <openssl/evp.h>
+		       #include <openssl/ec.h>
+int
+main ()
+{
+EC_KEY *key = EC_KEY_new_by_curve_name(NID_ED448);
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+
+$as_echo "#define HAVE_OPENSSL_ED448 1" >>confdefs.h
+
+     { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
+#
+# Check for OpenSSL SHA-1 support
+#
+for ac_func in EVP_sha1
+do :
+  ac_fn_c_check_func "$LINENO" "EVP_sha1" "ac_cv_func_EVP_sha1"
+if test "x$ac_cv_func_EVP_sha1" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_EVP_SHA1 1
+_ACEOF
+ :
+else
+  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "SHA-1 support in OpenSSL is mandatory.
+See \`config.log' for more details" "$LINENO" 5; }
+fi
+done
+
+
+#
+# Check for OpenSSL SHA-2 support
+#
+for ac_func in EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512
+do :
+  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+ :
+else
+  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "SHA-2 support in OpenSSL is mandatory.
+See \`config.log' for more details" "$LINENO" 5; }
+fi
+done
+
+
+#
+# Check for OpenSSL AES support
+#
+for ac_func in EVP_aes_128_ecb EVP_aes_192_ecb EVP_aes_256_ecb
+do :
+  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+ :
+else
+  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "AES support in OpenSSL is mandatory.
+See \`config.log' for more details" "$LINENO" 5; }
+fi
+done
+
+
+#
+# Check for OpenSSL 1.1.x/LibreSSL functions
+#
+for ac_func in DH_get0_key ECDSA_SIG_get0 RSA_set0_key
+do :
+  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+done
+
+
+for ac_func in TLS_server_method TLS_client_method
+do :
+  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+done
+
+
+#
+# Check whether FIPS mode is available and whether we should enable it
+#
+# FIPS is not included in pairwise testing as the relevant Docker image
+# does not support FIPS mode.
+#
+# [pairwise: skip]
+# Check whether --enable-fips-mode was given.
+if test "${enable_fips_mode+set}" = set; then :
+  enableval=$enable_fips_mode;
+else
+  enable_fips_mode="no"
+fi
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to enable FIPS mode in OpenSSL library" >&5
+$as_echo_n "checking whether to enable FIPS mode in OpenSSL library... " >&6; }
+case $enable_fips_mode in #(
+  yes) :
+    { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+		for ac_func in FIPS_mode
+do :
+  ac_fn_c_check_func "$LINENO" "FIPS_mode" "ac_cv_func_FIPS_mode"
+if test "x$ac_cv_func_FIPS_mode" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_FIPS_MODE 1
+_ACEOF
+
+else
+  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "OpenSSL FIPS mode requested but not available.
+See \`config.log' for more details" "$LINENO" 5; }
+fi
+done
+ ;; #(
+  no) :
+    { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; } ;; #(
+  *) :
+     ;;
+esac
+
+
+  CCASFLAGS=$CCASFLAGS_openssl_ax_save_flags
+
+
+  CFLAGS=$CFLAGS_openssl_ax_save_flags
+
+
+  CPPFLAGS=$CPPFLAGS_openssl_ax_save_flags
+
+
+  CXXFLAGS=$CXXFLAGS_openssl_ax_save_flags
+
+
+  ERLCFLAGS=$ERLCFLAGS_openssl_ax_save_flags
+
+
+  FCFLAGS=$FCFLAGS_openssl_ax_save_flags
+
+
+  FCLIBS=$FCLIBS_openssl_ax_save_flags
+
+
+  FFLAGS=$FFLAGS_openssl_ax_save_flags
+
+
+  FLIBS=$FLIBS_openssl_ax_save_flags
+
+
+  GCJFLAGS=$GCJFLAGS_openssl_ax_save_flags
+
+
+  JAVACFLAGS=$JAVACFLAGS_openssl_ax_save_flags
+
+
+  LDFLAGS=$LDFLAGS_openssl_ax_save_flags
+
+
+  LIBS=$LIBS_openssl_ax_save_flags
+
+
+  OBJCFLAGS=$OBJCFLAGS_openssl_ax_save_flags
+
+
+  OBJCXXFLAGS=$OBJCXXFLAGS_openssl_ax_save_flags
+
+
+  UPCFLAGS=$UPCFLAGS_openssl_ax_save_flags
+
+
+  VALAFLAGS=$VALAFLAGS_openssl_ax_save_flags
+
+
+
+
+
+
+
+PKCS11_TOOLS=
+PKCS11_TEST=
+PKCS11_MANS=
+#
+# was --enable-native-pkcs11 specified?
+#
+# DNSRPS builds are included in pairwise testing here and not later because both
+# --enable-native-pkcs11 and --enable-dnsrps-dl require --with-dlopen and the
+# ordering of the set of ./configure arguments generated during pairwise testing
+# is random.
+#
+# [pairwise: --enable-native-pkcs11 --enable-dnsrps --enable-dnsrps-dl --with-dlopen, --disable-native-pkcs11 --enable-dnsrps --enable-dnsrps-dl --with-dlopen, --disable-native-pkcs11 --enable-dnsrps --enable-dnsrps-dl --with-dlopen, --disable-native-pkcs11 --disable-dnsrps --without-dlopen]
+# Check whether --enable-native-pkcs11 was given.
+if test "${enable_native_pkcs11+set}" = set; then :
+  enableval=$enable_native_pkcs11; :
+else
+  enable_native_pkcs11="no"
+fi
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 for Public-Key Cryptography" >&5
+$as_echo_n "checking for PKCS11 for Public-Key Cryptography... " >&6; }
+case $enable_native_pkcs11 in #(
+  no) :
+    { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; } ;; #(
+  yes) :
+    PKCS11_TOOLS=pkcs11
+	       PKCS11_TEST=pkcs11
+	       PKCS11_MANS='${pkcs11_man8_MANS}'
+	       CRYPTO=pkcs11
+	       if $use_threads; then :
+  :
+else
+  as_fn_error $? "PKCS11 requires threading support" "$LINENO" 5
+fi
+	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+	       for ac_func in getpassphrase
+do :
+  ac_fn_c_check_func "$LINENO" "getpassphrase" "ac_cv_func_getpassphrase"
+if test "x$ac_cv_func_getpassphrase" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_GETPASSPHRASE 1
+_ACEOF
+
+fi
+done
+
+	       ;; #(
+  *) :
+     ;;
+esac
+
+
+
+
+
+case $CRYPTO in #(
+  pkcs11) :
+
+$as_echo "#define USE_PKCS11 1" >>confdefs.h
+ ;; #(
+  *) :
+
+$as_echo "#define USE_OPENSSL 1" >>confdefs.h
+ ;;
+esac
+
+# preparation for automake
+# AM_CONDITIONAL([PKCS11_TOOLS], [test "$with_native_pkcs11" = "yes"])
+
+#
+# was --with-pkcs11 specified?
+#
+# [pairwise: skip]
+
+# Check whether --with-pkcs11 was given.
+if test "${with_pkcs11+set}" = set; then :
+  withval=$with_pkcs11; :
+else
+  with_pkcs11="undefined"
+fi
+
+
+case $with_pkcs11 in #(
+  yes|auto) :
+    as_fn_error $? "--with-pkcs11 needs explicit path to the PKCS11 library" "$LINENO" 5 ;; #(
+  no|undefined) :
+    with_pkcs11="undefined" ;; #(
+  *) :
+     ;;
+esac
+
+cat >>confdefs.h <<_ACEOF
+#define PK11_LIB_LOCATION "$with_pkcs11"
+_ACEOF
+
+
+# for PKCS11 benchmarks
+
+have_clock_gt=no
+ac_fn_c_check_func "$LINENO" "clock_gettime" "ac_cv_func_clock_gettime"
+if test "x$ac_cv_func_clock_gettime" = xyes; then :
+  have_clock_gt=yes
+fi
+
+if test "no" = "$have_clock_gt"; then
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for clock_gettime in -lrt" >&5
+$as_echo_n "checking for clock_gettime in -lrt... " >&6; }
+if ${ac_cv_lib_rt_clock_gettime+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lrt  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char clock_gettime ();
+int
+main ()
+{
+return clock_gettime ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_rt_clock_gettime=yes
+else
+  ac_cv_lib_rt_clock_gettime=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_rt_clock_gettime" >&5
+$as_echo "$ac_cv_lib_rt_clock_gettime" >&6; }
+if test "x$ac_cv_lib_rt_clock_gettime" = xyes; then :
+  have_clock_gt=rt
+fi
+
+fi
+
+if test "no" != "$have_clock_gt"; then
+
+$as_echo "#define HAVE_CLOCK_GETTIME 1" >>confdefs.h
+
+fi
+
+if test "rt" = "$have_clock_gt"; then
+	LIBS="-lrt $LIBS"
+fi
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for GSSAPI library" >&5
+$as_echo_n "checking for GSSAPI library... " >&6; }
+
+# [pairwise: --with-gssapi=yes, --with-gssapi=auto, --without-gssapi]
+
+# Check whether --with-gssapi was given.
+if test "${with_gssapi+set}" = set; then :
+  withval=$with_gssapi; use_gssapi="$withval"
+else
+  use_gssapi="auto"
+fi
+
+
+# first try using krb5-config, if that does not work then fall back to "yes" method.
+
+case "$use_gssapi" in
+*/krb5-config|krb5-config)
+    { $as_echo "$as_me:${as_lineno-$LINENO}: result: trying $use_gssapi" >&5
+$as_echo "trying $use_gssapi" >&6; }
+    if test krb5-config = "$use_gssapi"
+    then
+	# Extract the first word of "$use_gssapi", so it can be a program name with args.
+set dummy $use_gssapi; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_KRB5_CONFIG+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $KRB5_CONFIG in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_KRB5_CONFIG="$KRB5_CONFIG" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_KRB5_CONFIG="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+KRB5_CONFIG=$ac_cv_path_KRB5_CONFIG
+if test -n "$KRB5_CONFIG"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $KRB5_CONFIG" >&5
+$as_echo "$KRB5_CONFIG" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+    else
+	KRB5_CONFIG="$use_gssapi"
+    fi
+    gssapi_cflags=`$KRB5_CONFIG --cflags gssapi`
+    gssapi_libs=`$KRB5_CONFIG --libs gssapi`
+    krb5_cflags=`$KRB5_CONFIG --cflags krb5`
+    krb5_libs=`$KRB5_CONFIG --libs krb5`
+    saved_cppflags="$CPPFLAGS"
+    CPPFLAGS="$gssapi_cflags $krb5_cflags $CPPFLAGS"
+    for ac_header in gssapi.h gssapi/gssapi.h
+do :
+  as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
+if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+ ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER <$ac_header>"
+fi
+
+done
+
+    if test "" = "$ISC_PLATFORM_GSSAPIHEADER"; then
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: krb5-config: gssapi.h not found" >&5
+$as_echo "krb5-config: gssapi.h not found" >&6; }
+	CPPFLAGS="$saved_cppflags"
+	use_gssapi="yes"
+    else
+	for ac_header in krb5/krb5.h krb5.h
+do :
+  as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
+if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+ ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER <$ac_header>"
+fi
+
+done
+
+	if test "" = "$ISC_PLATFORM_KRB5HEADER"; then
+	    { $as_echo "$as_me:${as_lineno-$LINENO}: result: krb5-config: krb5.h not found" >&5
+$as_echo "krb5-config: krb5.h not found" >&6; }
+	    CPPFLAGS="$saved_cppflags"
+	    use_gssapi="yes"
+	else
+	    CPPFLAGS="$saved_cppflags"
+	    saved_libs="$LIBS"
+	    LIBS="$gssapi_libs $krb5_libs $LIBS"
+	    { $as_echo "$as_me:${as_lineno-$LINENO}: checking krb5-config linking as $LIBS" >&5
+$as_echo_n "checking krb5-config linking as $LIBS... " >&6; }
+	    cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+gss_acquire_cred();krb5_init_context()
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  gssapi_linked=yes
+else
+  gssapi_linked=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+	    case $gssapi_linked in
+		yes) { $as_echo "$as_me:${as_lineno-$LINENO}: result: krb5-config: linked" >&5
+$as_echo "krb5-config: linked" >&6; };;
+		no)  { $as_echo "$as_me:${as_lineno-$LINENO}: result: krb5-config: could not determine proper GSSAPI linkage" >&5
+$as_echo "krb5-config: could not determine proper GSSAPI linkage" >&6; }
+		    use_gssapi="yes"
+		    ;;
+	    esac
+	    LIBS=$saved_libs
+	fi
+    fi
+    if test "yes" = "$use_gssapi"; then
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for GSSAPI library, non krb5-config method" >&5
+$as_echo_n "checking for GSSAPI library, non krb5-config method... " >&6; }
+    fi
+    ;;
+esac
+
+case "$host" in
+*darwin*)
+	if test "yes" = "$use_gssapi" -o "auto" = "$use_gssapi"
+	then
+		use_gssapi=framework
+	fi
+	;;
+esac
+
+# gssapi is just the framework, we really require kerberos v5, so
+# look for those headers (the gssapi headers must be there, too)
+# The problem with this implementation is that it doesn't allow
+# for the specification of gssapi and krb5 headers in different locations,
+# which probably ought to be fixed although fixing might raise the issue of
+# trying to build with incompatible versions of gssapi and krb5.
+if test "yes" = "$use_gssapi" -o "auto" = "$use_gssapi"
+then
+	# first, deal with the obvious
+	if test \( -f /usr/include/kerberosv5/krb5.h -o \
+		   -f /usr/include/krb5/krb5.h -o \
+		   -f /usr/include/krb5.h \)   -a \
+		\( -f /usr/include/gssapi.h -o \
+		   -f /usr/include/gssapi/gssapi.h \)
+	then
+		use_gssapi=/usr
+	else
+	    krb5dirs="/usr/local /usr/local/krb5 /usr/local/kerberosv5 /usr/local/kerberos /usr/pkg /usr/krb5 /usr/kerberosv5 /usr/kerberos /usr"
+	    for d in $krb5dirs
+	    do
+		if test -f $d/include/gssapi/gssapi_krb5.h -o \
+			-f $d/include/krb5.h
+		then
+			if test -f $d/include/gssapi/gssapi.h -o \
+				-f $d/include/gssapi.h
+			then
+				use_gssapi=$d
+				break
+			fi
+		fi
+	    done
+	    if test "auto" = "$use_gssapi"
+	    then
+		use_gssapi="no"
+	    fi
+	fi
+fi
+
+case "$use_gssapi" in
+	no)
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
+$as_echo "disabled" >&6; }
+		USE_GSSAPI=''
+		;;
+	yes)
+		as_fn_error $? "--with-gssapi must specify a path" "$LINENO" 5
+		;;
+	*/krb5-config|krb5-config)
+		USE_GSSAPI='-DGSSAPI'
+		DST_GSSAPI_INC="$gssapi_cflags $krb5_cflags"
+		DNS_GSSAPI_LIBS="$gssapi_libs $krb5_libs"
+		;;
+	framework)
+		USE_GSSAPI='-DGSSAPI'
+		ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER <Kerberos/Kerberos.h>"
+		ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER <Kerberos/Kerberos.h>"
+		DNS_GSSAPI_LIBS="-framework Kerberos"
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: framework" >&5
+$as_echo "framework" >&6; }
+		;;
+
+	*)
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: looking in $use_gssapi/lib" >&5
+$as_echo "looking in $use_gssapi/lib" >&6; }
+		USE_GSSAPI='-DGSSAPI'
+		saved_cppflags="$CPPFLAGS"
+		CPPFLAGS="-I$use_gssapi/include $CPPFLAGS"
+		for ac_header in gssapi.h gssapi/gssapi.h
+do :
+  as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
+if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+ ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER <$ac_header>"
+		     gssapi_hack="#include <$ac_header>"
+fi
+
+done
+
+
+		if test "" = "$ISC_PLATFORM_GSSAPIHEADER"; then
+		    as_fn_error $? "gssapi.h not found" "$LINENO" 5
+		fi
+
+		for ac_header in gssapi_krb5.h gssapi/gssapi_krb5.h
+do :
+  as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
+if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+ ISC_PLATFORM_GSSAPI_KRB5_HEADER="#define ISC_PLATFORM_GSSAPI_KRB5_HEADER <$ac_header>"
+		     gssapi_krb5_hack="#include <$ac_header>"
+fi
+
+done
+
+
+		for ac_header in krb5.h krb5/krb5.h kerberosv5/krb5.h
+do :
+  as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
+if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+ ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER <$ac_header>"
+		    krb5_hack="#include <$ac_header>"
+fi
+
+done
+
+
+		if test "" = "$ISC_PLATFORM_KRB5HEADER"; then
+		    as_fn_error $? "krb5.h not found" "$LINENO" 5
+		fi
+
+		#
+		# XXXDCL This probably doesn't work right on all systems.
+		# It will need to be worked on as problems become evident.
+		#
+		# Essentially the problems here relate to two different
+		# areas.  The first area is building with either KTH
+		# or MIT Kerberos, particularly when both are present on
+		# the machine.  The other is static versus dynamic linking.
+		#
+		# On the KTH vs MIT issue, Both have libkrb5 that can mess
+		# up the works if one implementation ends up trying to
+		# use the other's krb.  This is unfortunately a situation
+		# that very easily arises.
+		#
+		# Dynamic linking when the dependency information is built
+		# into MIT's libgssapi_krb5 or KTH's libgssapi magically makes
+		# all such problems go away, but when that setup is not
+		# present, because either the dynamic libraries lack
+		# dependencies or static linking is being done, then the
+		# problems start to show up.
+		saved_libs="$LIBS"
+		for TRY_LIBS in \
+		    "-lgssapi_krb5" \
+		    "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err" \
+		    "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lresolv" \
+		    "-lgssapi" \
+		    "-lgssapi -lkrb5 -ldes -lcrypt -lasn1 -lroken -lcom_err" \
+		    "-lgssapi -lkrb5 -lcrypt -lasn1 -lroken -lcom_err" \
+		    "-lgssapi -lkrb5 -lgssapi_krb5 -lcrypt -lasn1 -lroken -lcom_err" \
+		    "-lgssapi -lkrb5 -lhx509 -lcrypt -lasn1 -lroken -lcom_err" \
+		    "-lgss -lkrb5"
+		do
+		    # Note that this does not include $saved_libs, because
+		    # on FreeBSD machines this configure script has added
+		    # -L/usr/local/lib to LIBS, which can make the
+		    # -lgssapi_krb5 test succeed with shared libraries even
+		    # when you are trying to build with KTH in /usr/lib.
+		    if test "/usr" = "$use_gssapi"
+		    then
+			    LIBS="$TRY_LIBS $ISC_OPENSSL_LIBS"
+		    else
+			    LIBS="-L$use_gssapi/lib $TRY_LIBS $ISC_OPENSSL_LIBS"
+		    fi
+		    { $as_echo "$as_me:${as_lineno-$LINENO}: checking linking as $TRY_LIBS" >&5
+$as_echo_n "checking linking as $TRY_LIBS... " >&6; }
+		    cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+#include <sys/types.h>
+$gssapi_hack
+$gssapi_krb5_hack
+$krb5_hack
+
+int
+main ()
+{
+gss_acquire_cred(NULL, NULL, 0, NULL, 0, NULL, NULL, NULL);krb5_init_context(NULL);
+#if defined(HAVE_GSSAPI_KRB5_H) || defined(HAVE_GSSAPI_GSSAPI_KRB5_H)
+gsskrb5_register_acceptor_identity(NULL);
+#endif
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  gssapi_linked=yes
+else
+  gssapi_linked=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+		    case $gssapi_linked in
+		    yes) { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }; break ;;
+		    no)  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; } ;;
+		    esac
+		done
+
+		CPPFLAGS="$saved_cppflags"
+
+		case $gssapi_linked in
+		no) as_fn_error $? "could not determine proper GSSAPI linkage" "$LINENO" 5 ;;
+		esac
+
+		#
+		# XXXDCL Major kludge.  Tries to cope with KTH in /usr/lib
+		# but MIT in /usr/local/lib and trying to build with KTH.
+		# /usr/local/lib can end up earlier on the link lines.
+		# Like most kludges, this one is not only inelegant it
+		# is also likely to be the wrong thing to do at least as
+		# many times as it is the right thing.  Something better
+		# needs to be done.
+		#
+		if test "/usr" = "$use_gssapi" -a \
+			-f /usr/local/lib/libkrb5.a; then
+		    FIX_KTH_VS_MIT=yes
+		fi
+
+		case "$FIX_KTH_VS_MIT" in
+		yes)
+		    case "$enable_static_linking" in
+		    yes) gssapi_lib_suffix=".a"  ;;
+		    *)   gssapi_lib_suffix=".so" ;;
+		    esac
+
+		    for lib in $LIBS; do
+			case $lib in
+			-L*)
+			    ;;
+			-l*)
+			    new_lib=`echo $lib |
+				     sed -e s%^-l%$use_gssapi/lib/lib% \
+					 -e s%$%$gssapi_lib_suffix%`
+			    NEW_LIBS="$NEW_LIBS $new_lib"
+			    ;;
+			*)
+			   as_fn_error $? "KTH vs MIT Kerberos confusion!" "$LINENO" 5
+			    ;;
+			esac
+		    done
+		    LIBS="$NEW_LIBS"
+		    ;;
+		esac
+
+		DST_GSSAPI_INC="-I$use_gssapi/include"
+		DNS_GSSAPI_LIBS="$LIBS"
+
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: using GSSAPI from $use_gssapi/lib and $use_gssapi/include" >&5
+$as_echo "using GSSAPI from $use_gssapi/lib and $use_gssapi/include" >&6; }
+		LIBS="$saved_libs"
+		;;
+esac
+
+
+
+
+
+
+
+
+DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS"
+
+#
+# Applications linking with libdns also need to link with these libraries.
+#
+
+
+
+#
+# was --with-lmdb specified?
+#
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for lmdb library" >&5
+$as_echo_n "checking for lmdb library... " >&6; }
+
+# [pairwise: --with-lmdb=auto, --with-lmdb=yes, --without-lmdb]
+
+# Check whether --with-lmdb was given.
+if test "${with_lmdb+set}" = set; then :
+  withval=$with_lmdb; use_lmdb="$withval"
+else
+  use_lmdb="auto"
+fi
+
+
+have_lmdb=""
+case "$use_lmdb" in
+	no)
+		LMDB_LIBS=""
+		;;
+	auto|yes)
+		for d in /usr /usr/local /opt/local
+		do
+			if test -f "${d}/include/lmdb.h"
+			then
+				if test ${d} != /usr
+				then
+					LMDB_CFLAGS="-I ${d}/include"
+					LMDB_LIBS="-L${d}/lib"
+				fi
+				have_lmdb="yes"
+			fi
+		done
+		;;
+	*)
+		if test -f "${use_lmdb}/include/lmdb.h"
+		then
+			LMDB_CFLAGS="-I${use_lmdb}/include"
+			LMDB_LIBS="-L${use_lmdb}/lib"
+			have_lmdb="yes"
+		else
+			as_fn_error $? "$use_lmdb/include/lmdb.h not found." "$LINENO" 5
+		fi
+		;;
+esac
+
+if test "X${have_lmdb}" != "X"
+then
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+
+  CCASFLAGS_lmdb_ax_save_flags=$CCASFLAGS
+
+
+
+  CFLAGS_lmdb_ax_save_flags=$CFLAGS
+
+
+
+  CPPFLAGS_lmdb_ax_save_flags=$CPPFLAGS
+
+
+
+  CXXFLAGS_lmdb_ax_save_flags=$CXXFLAGS
+
+
+
+  ERLCFLAGS_lmdb_ax_save_flags=$ERLCFLAGS
+
+
+
+  FCFLAGS_lmdb_ax_save_flags=$FCFLAGS
+
+
+
+  FCLIBS_lmdb_ax_save_flags=$FCLIBS
+
+
+
+  FFLAGS_lmdb_ax_save_flags=$FFLAGS
+
+
+
+  FLIBS_lmdb_ax_save_flags=$FLIBS
+
+
+
+  GCJFLAGS_lmdb_ax_save_flags=$GCJFLAGS
+
+
+
+  JAVACFLAGS_lmdb_ax_save_flags=$JAVACFLAGS
+
+
+
+  LDFLAGS_lmdb_ax_save_flags=$LDFLAGS
+
+
+
+  LIBS_lmdb_ax_save_flags=$LIBS
+
+
+
+  OBJCFLAGS_lmdb_ax_save_flags=$OBJCFLAGS
+
+
+
+  OBJCXXFLAGS_lmdb_ax_save_flags=$OBJCXXFLAGS
+
+
+
+  UPCFLAGS_lmdb_ax_save_flags=$UPCFLAGS
+
+
+
+  VALAFLAGS_lmdb_ax_save_flags=$VALAFLAGS
+
+
+
+	CFLAGS="$CFLAGS $LMDB_CFLAGS"
+	LIBS="$LIBS $LMDB_LIBS"
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing mdb_env_create" >&5
+$as_echo_n "checking for library containing mdb_env_create... " >&6; }
+if ${ac_cv_search_mdb_env_create+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_func_search_save_LIBS=$LIBS
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char mdb_env_create ();
+int
+main ()
+{
+return mdb_env_create ();
+  ;
+  return 0;
+}
+_ACEOF
+for ac_lib in '' lmdb; do
+  if test -z "$ac_lib"; then
+    ac_res="none required"
+  else
+    ac_res=-l$ac_lib
+    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
+  fi
+  if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_search_mdb_env_create=$ac_res
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext
+  if ${ac_cv_search_mdb_env_create+:} false; then :
+  break
+fi
+done
+if ${ac_cv_search_mdb_env_create+:} false; then :
+
+else
+  ac_cv_search_mdb_env_create=no
+fi
+rm conftest.$ac_ext
+LIBS=$ac_func_search_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_mdb_env_create" >&5
+$as_echo "$ac_cv_search_mdb_env_create" >&6; }
+ac_res=$ac_cv_search_mdb_env_create
+if test "$ac_res" != no; then :
+  test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
+
+else
+  as_fn_error $? "found lmdb include but not library." "$LINENO" 5
+			have_lmdb=""
+fi
+
+	LMDB_LIBS="$LMDB_LIBS $ac_cv_search_mdb_env_create"
+
+  CCASFLAGS=$CCASFLAGS_lmdb_ax_save_flags
+
+
+  CFLAGS=$CFLAGS_lmdb_ax_save_flags
+
+
+  CPPFLAGS=$CPPFLAGS_lmdb_ax_save_flags
+
+
+  CXXFLAGS=$CXXFLAGS_lmdb_ax_save_flags
+
+
+  ERLCFLAGS=$ERLCFLAGS_lmdb_ax_save_flags
+
+
+  FCFLAGS=$FCFLAGS_lmdb_ax_save_flags
+
+
+  FCLIBS=$FCLIBS_lmdb_ax_save_flags
+
+
+  FFLAGS=$FFLAGS_lmdb_ax_save_flags
+
+
+  FLIBS=$FLIBS_lmdb_ax_save_flags
+
+
+  GCJFLAGS=$GCJFLAGS_lmdb_ax_save_flags
+
+
+  JAVACFLAGS=$JAVACFLAGS_lmdb_ax_save_flags
+
+
+  LDFLAGS=$LDFLAGS_lmdb_ax_save_flags
+
+
+  LIBS=$LIBS_lmdb_ax_save_flags
+
+
+  OBJCFLAGS=$OBJCFLAGS_lmdb_ax_save_flags
+
+
+  OBJCXXFLAGS=$OBJCXXFLAGS_lmdb_ax_save_flags
+
+
+  UPCFLAGS=$UPCFLAGS_lmdb_ax_save_flags
+
+
+  VALAFLAGS=$VALAFLAGS_lmdb_ax_save_flags
+
+
+
+elif test "X$use_lmdb" = Xyes
+then
+	as_fn_error $? "include/lmdb.h not found." "$LINENO" 5
+else
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+
+NZD_TOOLS=""
+NZDSRCS=
+NZDTARGETS=
+if test "X${have_lmdb}" != "X"
+then
+
+$as_echo "#define HAVE_LMDB 1" >>confdefs.h
+
+	NZD_TOOLS="nzd"
+	NZDSRCS='${NZDSRCS}'
+	NZDTARGETS='${NZDTARGETS}'
+	NZD_MANS='${nzd_man8_MANS}'
+fi
+
+
+
+
+
+#
+# was --with-libxml2 specified?
+#
+# [pairwise: --with-libxml2=auto, --with-libxml2=yes, --without-libxml2]
+
+# Check whether --with-libxml2 was given.
+if test "${with_libxml2+set}" = set; then :
+  withval=$with_libxml2;
+else
+  with_libxml2="auto"
+fi
+
+
+case $with_libxml2 in #(
+  no) :
+     ;; #(
+  auto) :
+
+pkg_failed=no
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libxml-2.0 >= 2.6.0" >&5
+$as_echo_n "checking for libxml-2.0 >= 2.6.0... " >&6; }
+
+if test -n "$LIBXML2_CFLAGS"; then
+    pkg_cv_LIBXML2_CFLAGS="$LIBXML2_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libxml-2.0 >= 2.6.0\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "libxml-2.0 >= 2.6.0") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_LIBXML2_CFLAGS=`$PKG_CONFIG --cflags "libxml-2.0 >= 2.6.0" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+if test -n "$LIBXML2_LIBS"; then
+    pkg_cv_LIBXML2_LIBS="$LIBXML2_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libxml-2.0 >= 2.6.0\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "libxml-2.0 >= 2.6.0") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_LIBXML2_LIBS=`$PKG_CONFIG --libs "libxml-2.0 >= 2.6.0" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi
+        if test $_pkg_short_errors_supported = yes; then
+	        LIBXML2_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libxml-2.0 >= 2.6.0" 2>&1`
+        else
+	        LIBXML2_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libxml-2.0 >= 2.6.0" 2>&1`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$LIBXML2_PKG_ERRORS" >&5
+
+	:
+elif test $pkg_failed = untried; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+	:
+else
+	LIBXML2_CFLAGS=$pkg_cv_LIBXML2_CFLAGS
+	LIBXML2_LIBS=$pkg_cv_LIBXML2_LIBS
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+$as_echo "#define HAVE_LIBXML2 1" >>confdefs.h
+
+fi ;; #(
+  yes) :
+
+pkg_failed=no
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libxml-2.0 >= 2.6.0" >&5
+$as_echo_n "checking for libxml-2.0 >= 2.6.0... " >&6; }
+
+if test -n "$LIBXML2_CFLAGS"; then
+    pkg_cv_LIBXML2_CFLAGS="$LIBXML2_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libxml-2.0 >= 2.6.0\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "libxml-2.0 >= 2.6.0") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_LIBXML2_CFLAGS=`$PKG_CONFIG --cflags "libxml-2.0 >= 2.6.0" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+if test -n "$LIBXML2_LIBS"; then
+    pkg_cv_LIBXML2_LIBS="$LIBXML2_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libxml-2.0 >= 2.6.0\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "libxml-2.0 >= 2.6.0") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_LIBXML2_LIBS=`$PKG_CONFIG --libs "libxml-2.0 >= 2.6.0" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi
+        if test $_pkg_short_errors_supported = yes; then
+	        LIBXML2_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libxml-2.0 >= 2.6.0" 2>&1`
+        else
+	        LIBXML2_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libxml-2.0 >= 2.6.0" 2>&1`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$LIBXML2_PKG_ERRORS" >&5
+
+	as_fn_error $? "Package requirements (libxml-2.0 >= 2.6.0) were not met:
+
+$LIBXML2_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+Alternatively, you may set the environment variables LIBXML2_CFLAGS
+and LIBXML2_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details." "$LINENO" 5
+elif test $pkg_failed = untried; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+Alternatively, you may set the environment variables LIBXML2_CFLAGS
+and LIBXML2_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details" "$LINENO" 5; }
+else
+	LIBXML2_CFLAGS=$pkg_cv_LIBXML2_CFLAGS
+	LIBXML2_LIBS=$pkg_cv_LIBXML2_LIBS
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+$as_echo "#define HAVE_LIBXML2 1" >>confdefs.h
+
+fi ;; #(
+  *) :
+    as_fn_error $? "Specifying libxml2 installation path is not supported, adjust PKG_CONFIG_PATH instead" "$LINENO" 5 ;;
+esac
+
+#
+# DEPRECATED
+#
+# [pairwise: skip]
+
+# Check whether --with-libjson was given.
+if test "${with_libjson+set}" = set; then :
+  withval=$with_libjson; { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: --with-libjson is DEPRECATED and will be removed in a future release, use --with-json-c instead" >&5
+$as_echo "$as_me: WARNING: --with-libjson is DEPRECATED and will be removed in a future release, use --with-json-c instead" >&2;}
+else
+  with_libjson="detect"
+fi
+
+
+#
+# was --with-json-c specified?
+#
+# [pairwise: --with-json-c=detect, --with-json-c=yes, --without-json-c]
+
+# Check whether --with-json-c was given.
+if test "${with_json_c+set}" = set; then :
+  withval=$with_json_c;
+else
+  with_json_c="$with_libjson"
+fi
+
+
+case $with_json_c in #(
+  no) :
+     ;; #(
+  detect) :
+
+pkg_failed=no
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for json-c >= 0.11" >&5
+$as_echo_n "checking for json-c >= 0.11... " >&6; }
+
+if test -n "$JSON_C_CFLAGS"; then
+    pkg_cv_JSON_C_CFLAGS="$JSON_C_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"json-c >= 0.11\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "json-c >= 0.11") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_JSON_C_CFLAGS=`$PKG_CONFIG --cflags "json-c >= 0.11" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+if test -n "$JSON_C_LIBS"; then
+    pkg_cv_JSON_C_LIBS="$JSON_C_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"json-c >= 0.11\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "json-c >= 0.11") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_JSON_C_LIBS=`$PKG_CONFIG --libs "json-c >= 0.11" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi
+        if test $_pkg_short_errors_supported = yes; then
+	        JSON_C_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "json-c >= 0.11" 2>&1`
+        else
+	        JSON_C_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "json-c >= 0.11" 2>&1`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$JSON_C_PKG_ERRORS" >&5
+
+	:
+elif test $pkg_failed = untried; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+	:
+else
+	JSON_C_CFLAGS=$pkg_cv_JSON_C_CFLAGS
+	JSON_C_LIBS=$pkg_cv_JSON_C_LIBS
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+$as_echo "#define HAVE_JSON_C 1" >>confdefs.h
+
+fi ;; #(
+  yes) :
+
+pkg_failed=no
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for json-c >= 0.11" >&5
+$as_echo_n "checking for json-c >= 0.11... " >&6; }
+
+if test -n "$JSON_C_CFLAGS"; then
+    pkg_cv_JSON_C_CFLAGS="$JSON_C_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"json-c >= 0.11\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "json-c >= 0.11") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_JSON_C_CFLAGS=`$PKG_CONFIG --cflags "json-c >= 0.11" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+if test -n "$JSON_C_LIBS"; then
+    pkg_cv_JSON_C_LIBS="$JSON_C_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"json-c >= 0.11\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "json-c >= 0.11") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_JSON_C_LIBS=`$PKG_CONFIG --libs "json-c >= 0.11" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi
+        if test $_pkg_short_errors_supported = yes; then
+	        JSON_C_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "json-c >= 0.11" 2>&1`
+        else
+	        JSON_C_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "json-c >= 0.11" 2>&1`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$JSON_C_PKG_ERRORS" >&5
+
+	as_fn_error $? "Package requirements (json-c >= 0.11) were not met:
+
+$JSON_C_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+Alternatively, you may set the environment variables JSON_C_CFLAGS
+and JSON_C_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details." "$LINENO" 5
+elif test $pkg_failed = untried; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+Alternatively, you may set the environment variables JSON_C_CFLAGS
+and JSON_C_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details" "$LINENO" 5; }
+else
+	JSON_C_CFLAGS=$pkg_cv_JSON_C_CFLAGS
+	JSON_C_LIBS=$pkg_cv_JSON_C_LIBS
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+$as_echo "#define HAVE_JSON_C 1" >>confdefs.h
+
+fi ;; #(
+  *) :
+    as_fn_error $? "Specifying json-c installation path is not supported, adjust PKG_CONFIG_PATH instead" "$LINENO" 5
+        ;;
+esac
+
+
+
+
+# [pairwise: --with-zlib=auto, --with-zlib=yes, --without-zlib]
+
+# Check whether --with-zlib was given.
+if test "${with_zlib+set}" = set; then :
+  withval=$with_zlib;
+else
+  with_zlib="auto"
+fi
+
+
+case $with_zlib in #(
+  no) :
+     ;; #(
+  auto) :
+
+pkg_failed=no
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for zlib" >&5
+$as_echo_n "checking for zlib... " >&6; }
+
+if test -n "$ZLIB_CFLAGS"; then
+    pkg_cv_ZLIB_CFLAGS="$ZLIB_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"zlib\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "zlib") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_ZLIB_CFLAGS=`$PKG_CONFIG --cflags "zlib" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+if test -n "$ZLIB_LIBS"; then
+    pkg_cv_ZLIB_LIBS="$ZLIB_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"zlib\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "zlib") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_ZLIB_LIBS=`$PKG_CONFIG --libs "zlib" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi
+        if test $_pkg_short_errors_supported = yes; then
+	        ZLIB_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "zlib" 2>&1`
+        else
+	        ZLIB_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "zlib" 2>&1`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$ZLIB_PKG_ERRORS" >&5
+
+	:
+elif test $pkg_failed = untried; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+	:
+else
+	ZLIB_CFLAGS=$pkg_cv_ZLIB_CFLAGS
+	ZLIB_LIBS=$pkg_cv_ZLIB_LIBS
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+$as_echo "#define HAVE_ZLIB 1" >>confdefs.h
+
+fi ;; #(
+  yes) :
+
+pkg_failed=no
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for zlib" >&5
+$as_echo_n "checking for zlib... " >&6; }
+
+if test -n "$ZLIB_CFLAGS"; then
+    pkg_cv_ZLIB_CFLAGS="$ZLIB_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"zlib\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "zlib") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_ZLIB_CFLAGS=`$PKG_CONFIG --cflags "zlib" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+if test -n "$ZLIB_LIBS"; then
+    pkg_cv_ZLIB_LIBS="$ZLIB_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"zlib\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "zlib") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_ZLIB_LIBS=`$PKG_CONFIG --libs "zlib" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi
+        if test $_pkg_short_errors_supported = yes; then
+	        ZLIB_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "zlib" 2>&1`
+        else
+	        ZLIB_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "zlib" 2>&1`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$ZLIB_PKG_ERRORS" >&5
+
+	as_fn_error $? "Package requirements (zlib) were not met:
+
+$ZLIB_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+Alternatively, you may set the environment variables ZLIB_CFLAGS
+and ZLIB_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details." "$LINENO" 5
+elif test $pkg_failed = untried; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+Alternatively, you may set the environment variables ZLIB_CFLAGS
+and ZLIB_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details" "$LINENO" 5; }
+else
+	ZLIB_CFLAGS=$pkg_cv_ZLIB_CFLAGS
+	ZLIB_LIBS=$pkg_cv_ZLIB_LIBS
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+$as_echo "#define HAVE_ZLIB 1" >>confdefs.h
+
+fi ;; #(
+  *) :
+    as_fn_error $? "Specifying zlib installation path is not supported, adjust PKG_CONFIG_PATH instead" "$LINENO" 5 ;;
+esac
+
+
+
+#
+# In solaris 10, SMF can manage named service
+#
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for smf_enable_instance in -lscf" >&5
+$as_echo_n "checking for smf_enable_instance in -lscf... " >&6; }
+if ${ac_cv_lib_scf_smf_enable_instance+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lscf  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char smf_enable_instance ();
+int
+main ()
+{
+return smf_enable_instance ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_scf_smf_enable_instance=yes
+else
+  ac_cv_lib_scf_smf_enable_instance=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_scf_smf_enable_instance" >&5
+$as_echo "$ac_cv_lib_scf_smf_enable_instance" >&6; }
+if test "x$ac_cv_lib_scf_smf_enable_instance" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBSCF 1
+_ACEOF
+
+  LIBS="-lscf $LIBS"
+
+fi
+
+
+#
+# Additional compiler settings.
+#
+MKDEPCC="$CC"
+
+MKDEPCFLAGS="-M"
+case $host in #(
+  *-solaris*) :
+
+	    if test "$GCC" != "yes"; then :
+  MKDEPCFLAGS="-xM"
+fi ;; #(
+  *) :
+     ;;
+esac
+
+if test "$GCC" = "yes"; then :
+  STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -Wno-missing-field-initializers"
+
+fi
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fno-strict-aliasing" >&5
+$as_echo_n "checking whether C compiler accepts -fno-strict-aliasing... " >&6; }
+if ${ax_cv_check_cflags___fno_strict_aliasing+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+
+  ax_check_save_flags=$CFLAGS
+  CFLAGS="$CFLAGS  -fno-strict-aliasing"
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  ax_cv_check_cflags___fno_strict_aliasing=yes
+else
+  ax_cv_check_cflags___fno_strict_aliasing=no
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+  CFLAGS=$ax_check_save_flags
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fno_strict_aliasing" >&5
+$as_echo "$ax_cv_check_cflags___fno_strict_aliasing" >&6; }
+if test "x$ax_cv_check_cflags___fno_strict_aliasing" = xyes; then :
+  STD_CWARNINGS="$STD_CWARNINGS -fno-strict-aliasing"
+else
+  :
+fi
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -Werror -fno-delete-null-pointer-checks" >&5
+$as_echo_n "checking whether C compiler accepts -Werror -fno-delete-null-pointer-checks... " >&6; }
+if ${ax_cv_check_cflags___Werror__fno_delete_null_pointer_checks+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+
+  ax_check_save_flags=$CFLAGS
+  CFLAGS="$CFLAGS  -Werror -fno-delete-null-pointer-checks"
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  ax_cv_check_cflags___Werror__fno_delete_null_pointer_checks=yes
+else
+  ax_cv_check_cflags___Werror__fno_delete_null_pointer_checks=no
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+  CFLAGS=$ax_check_save_flags
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___Werror__fno_delete_null_pointer_checks" >&5
+$as_echo "$ax_cv_check_cflags___Werror__fno_delete_null_pointer_checks" >&6; }
+if test "x$ax_cv_check_cflags___Werror__fno_delete_null_pointer_checks" = xyes; then :
+  STC_CWARNINGS="$STD_CWARNINGS -fno-delete-null-pointer-checks"
+else
+  :
+fi
+
+if test "$enable_warn_shadow" = "yes"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -Wshadow" >&5
+$as_echo_n "checking whether C compiler accepts -Wshadow... " >&6; }
+if ${ax_cv_check_cflags___Wshadow+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+
+  ax_check_save_flags=$CFLAGS
+  CFLAGS="$CFLAGS  -Wshadow"
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  ax_cv_check_cflags___Wshadow=yes
+else
+  ax_cv_check_cflags___Wshadow=no
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+  CFLAGS=$ax_check_save_flags
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___Wshadow" >&5
+$as_echo "$ax_cv_check_cflags___Wshadow" >&6; }
+if test "x$ax_cv_check_cflags___Wshadow" = xyes; then :
+  STD_CWARNINGS="$STD_CWARNINGS -Wshadow"
+else
+  :
+fi
+
+fi
+if test "$enable_warn_error" = "yes"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -Werror" >&5
+$as_echo_n "checking whether C compiler accepts -Werror... " >&6; }
+if ${ax_cv_check_cflags___Werror+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+
+  ax_check_save_flags=$CFLAGS
+  CFLAGS="$CFLAGS  -Werror"
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  ax_cv_check_cflags___Werror=yes
+else
+  ax_cv_check_cflags___Werror=no
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+  CFLAGS=$ax_check_save_flags
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___Werror" >&5
+$as_echo "$ax_cv_check_cflags___Werror" >&6; }
+if test "x$ax_cv_check_cflags___Werror" = xyes; then :
+  STD_CWARNINGS="$STD_CWARNINGS -Werror"
+else
+  :
+fi
+
+fi
+
+
+
+
+
+#
+# -lxnet buys us one big porting headache...  standards, gotta love 'em.
+#
+# AC_CHECK_LIB(xnet, socket, ,
+#    AC_CHECK_LIB(socket, socket)
+# )
+#
+# Use this for now, instead:
+#
+case "$host" in
+	*-linux*)
+		;;
+	*)
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for socket in -lsocket" >&5
+$as_echo_n "checking for socket in -lsocket... " >&6; }
+if ${ac_cv_lib_socket_socket+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lsocket  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char socket ();
+int
+main ()
+{
+return socket ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_socket_socket=yes
+else
+  ac_cv_lib_socket_socket=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_socket_socket" >&5
+$as_echo "$ac_cv_lib_socket_socket" >&6; }
+if test "x$ac_cv_lib_socket_socket" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBSOCKET 1
+_ACEOF
+
+  LIBS="-lsocket $LIBS"
+
+fi
+
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for inet_addr in -lnsl" >&5
+$as_echo_n "checking for inet_addr in -lnsl... " >&6; }
+if ${ac_cv_lib_nsl_inet_addr+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lnsl  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char inet_addr ();
+int
+main ()
+{
+return inet_addr ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_nsl_inet_addr=yes
+else
+  ac_cv_lib_nsl_inet_addr=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nsl_inet_addr" >&5
+$as_echo "$ac_cv_lib_nsl_inet_addr" >&6; }
+if test "x$ac_cv_lib_nsl_inet_addr" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBNSL 1
+_ACEOF
+
+  LIBS="-lnsl $LIBS"
+
+fi
+
+		;;
+esac
+
+#
+# Work around Solaris's select() limitations.
+#
+case "$host" in
+	*-solaris2.[89]|*-solaris2.1?)
+
+$as_echo "#define FD_SETSIZE 65536" >>confdefs.h
+
+	;;
+esac
+
+#
+# Purify support
+#
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to use purify" >&5
+$as_echo_n "checking whether to use purify... " >&6; }
+
+# Purify is not included in pairwise testing as that tool is not present
+# in the relevant Docker image.
+#
+# [pairwise: skip]
+
+# Check whether --with-purify was given.
+if test "${with_purify+set}" = set; then :
+  withval=$with_purify; use_purify="$withval"
+else
+  use_purify="no"
+fi
+
+
+case "$use_purify" in
+	no)
+		;;
+	yes)
+		# Extract the first word of "purify", so it can be a program name with args.
+set dummy purify; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_purify_path+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $purify_path in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_purify_path="$purify_path" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_purify_path="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  test -z "$ac_cv_path_purify_path" && ac_cv_path_purify_path="purify"
+  ;;
+esac
+fi
+purify_path=$ac_cv_path_purify_path
+if test -n "$purify_path"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $purify_path" >&5
+$as_echo "$purify_path" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+		;;
+	*)
+		purify_path="$use_purify"
+		;;
+esac
+
+case "$use_purify" in
+	no)
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+		PURIFY=""
+		;;
+	*)
+		if test -f "$purify_path" || test purify = "$purify_path"; then
+			{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $purify_path" >&5
+$as_echo "$purify_path" >&6; }
+			PURIFYFLAGS="`echo $PURIFYOPTIONS`"
+			PURIFY="$purify_path $PURIFYFLAGS"
+		else
+			as_fn_error $? "$purify_path not found.
+
+Please choose the proper path with the following command:
+
+    configure --with-purify=PATH
+" "$LINENO" 5
+		fi
+		;;
+esac
+
+
+
+#
+# Google/Great Performance Tools CPU Profiler
+#
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to use gperftools profiler" >&5
+$as_echo_n "checking whether to use gperftools profiler... " >&6; }
+
+# Google/Great Performance Tools CPU Profiler is not included in
+# pairwise testing as that tool is not present in the relevant Docker
+# image.
+#
+# [pairwise: skip]
+
+# Check whether --with-gperftools-profiler was given.
+if test "${with_gperftools_profiler+set}" = set; then :
+  withval=$with_gperftools_profiler; use_profiler="$withval"
+else
+  use_profiler="no"
+fi
+
+
+case $use_profiler in
+	yes)
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+$as_echo "#define HAVE_GPERFTOOLS_PROFILER 1" >>confdefs.h
+
+		LIBS="$LIBS -lprofiler"
+		;;
+	*)
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+		;;
+esac
+
+#
+# enable/disable dumping stack backtrace.  Also check if the system supports
+# glibc-compatible backtrace() function.
+#
+# [pairwise: --enable-backtrace, --disable-backtrace]
+# Check whether --enable-backtrace was given.
+if test "${enable_backtrace+set}" = set; then :
+  enableval=$enable_backtrace;
+else
+  enable_backtrace="yes"
+fi
+
+
+if test "$enable_backtrace" = "yes"; then :
+
+$as_echo "#define USE_BACKTRACE 1" >>confdefs.h
+
+       { $as_echo "$as_me:${as_lineno-$LINENO}: checking for backtrace in -lexecinfo" >&5
+$as_echo_n "checking for backtrace in -lexecinfo... " >&6; }
+if ${ac_cv_lib_execinfo_backtrace+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lexecinfo  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char backtrace ();
+int
+main ()
+{
+return backtrace ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_execinfo_backtrace=yes
+else
+  ac_cv_lib_execinfo_backtrace=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_execinfo_backtrace" >&5
+$as_echo "$ac_cv_lib_execinfo_backtrace" >&6; }
+if test "x$ac_cv_lib_execinfo_backtrace" = xyes; then :
+  EXILIBS=-lexecinfo
+else
+  EXILIBS=
+fi
+
+       LIBS="$LIBS $EXILIBS"
+       cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <execinfo.h>
+int
+main ()
+{
+return (backtrace((void **)0, 0));
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+
+$as_echo "#define HAVE_LIBCTRACE 1" >>confdefs.h
+
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <stddef.h>
+int
+main ()
+{
+return _Unwind_Backtrace(NULL, NULL);
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+
+$as_echo "#define HAVE_UNWIND_BACKTRACE 1" >>confdefs.h
+
+
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+fi
+
+# [pairwise: --enable-symtable, --disable-symtable]
+# Check whether --enable-symtable was given.
+if test "${enable_symtable+set}" = set; then :
+  enableval=$enable_symtable; want_symtable="$enableval"
+else
+  want_symtable="minimal"
+fi
+
+case $want_symtable in
+yes|all|minimal)     # "yes" is a hidden value equivalent to "minimal"
+	if test "" = "$PERL"
+	then
+		as_fn_error $? "Internal symbol table requires perl but no perl is found.
+Install perl or explicitly disable the feature by --disable-symtable." "$LINENO" 5
+	fi
+	if test "yes" = "$use_libtool"; then
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Internal symbol table does not work with libtool.  Disabling symbol table." >&5
+$as_echo "$as_me: WARNING: Internal symbol table does not work with libtool.  Disabling symbol table." >&2;}
+	else
+		# we generate the internal symbol table only for those systems
+		# known to work to avoid unexpected build failure.  Also, warn
+		# about unsupported systems when the feature is enabled
+		#  manually.
+		case $host_os in
+		freebsd*|netbsd*|openbsd*|linux*|solaris*|darwin*)
+			MKSYMTBL_PROGRAM="$PERL"
+			if test "all" = "$want_symtable"; then
+				ALWAYS_MAKE_SYMTABLE="yes"
+			fi
+			;;
+		*)
+			if test "yes" = "$want_symtable" -o "all" = "$want_symtable"
+			then
+				{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: this system is not known to generate internal symbol table safely; disabling it" >&5
+$as_echo "$as_me: WARNING: this system is not known to generate internal symbol table safely; disabling it" >&2;}
+			fi
+		esac
+	fi
+	;;
+*)
+	;;
+esac
+
+
+
+#
+# File name extension for static archive files, for those few places
+# where they are treated differently from dynamic ones.
+#
+SA=a
+
+
+
+
+
+
+
+
+
+
+BIND9_CO_RULE=".c.$O:"
+
+
+#
+# Here begins a very long section to determine the system's networking
+# capabilities.  The order of the tests is significant.
+#
+
+#
+# We do the IPv6 compilation checking after libtool so that we can put
+# the right suffix on the files.
+#
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for IPv6 structures" >&5
+$as_echo_n "checking for IPv6 structures... " >&6; }
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+       #include <sys/types.h>
+       #include <sys/socket.h>
+       #include <netinet/in.h>
+
+int
+main ()
+{
+
+       struct sockaddr_in6 sin6;
+       struct in6_addr in6;
+       struct in6_pktinfo in6_pi;
+       struct sockaddr_storage storage;
+       in6 = in6addr_any;
+       in6 = in6addr_loopback;
+       sin6.sin6_scope_id = 0;
+       return (0);
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "IPv6 support is mandatory
+See \`config.log' for more details" "$LINENO" 5; }
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
+#
+# Allow forcibly disabling TCP Fast Open support as autodetection might yield
+# confusing results on some systems (e.g. FreeBSD; see set_tcp_fastopen()
+# comment in lib/isc/unix/socket.c).
+#
+# [pairwise: --enable-tcp-fastopen, --disable-tcp-fastopen]
+# Check whether --enable-tcp_fastopen was given.
+if test "${enable_tcp_fastopen+set}" = set; then :
+  enableval=$enable_tcp_fastopen;
+else
+  enable_tcp_fastopen="yes"
+fi
+
+
+if test "$enable_tcp_fastopen" = "yes"; then :
+
+$as_echo "#define ENABLE_TCP_FASTOPEN 1" >>confdefs.h
+
+fi
+
+#
+# Check for some other useful functions that are not ever-present.
+#
+for ac_func in strlcpy strlcat strnstr
+do :
+  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+done
+
+
+
+
+# [pairwise: --with-readline=auto, --with-readline=yes, --without-readline]
+
+# Check whether --with-readline was given.
+if test "${with_readline+set}" = set; then :
+  withval=$with_readline; use_readline="$withval"
+else
+  use_readline="auto"
+fi
+
+case "$use_readline" in
+no)	;;
+*)
+	saved_LIBS="$LIBS"
+	case "$use_readline" in
+	yes|auto) try_readline="-ledit"; or_readline="-lreadline" ;;
+	*) try_readline="$use_readline"
+	esac
+	for readline in "$try_readline" $or_readline
+	do
+		LIBS="$readline"
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for readline with $readline" >&5
+$as_echo "$as_me: checking for readline with $readline" >&6;}
+		for ac_func in readline
+do :
+  ac_fn_c_check_func "$LINENO" "readline" "ac_cv_func_readline"
+if test "x$ac_cv_func_readline" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_READLINE 1
+_ACEOF
+
+fi
+done
+
+		if test "yes" = "$ac_cv_func_readline"
+		then
+			READLINE_LIB="$readline"
+			break
+		fi
+		for lib in -lterminfo -ltermcap -lncurses -lcurses
+		do
+			{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for readline with $readline $lib" >&5
+$as_echo "$as_me: checking for readline with $readline $lib" >&6;}
+			unset ac_cv_func_readline
+			LIBS="$readline $lib"
+			for ac_func in readline
+do :
+  ac_fn_c_check_func "$LINENO" "readline" "ac_cv_func_readline"
+if test "x$ac_cv_func_readline" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_READLINE 1
+_ACEOF
+
+fi
+done
+
+			if test "yes" = "$ac_cv_func_readline"
+			then
+				READLINE_LIB="$readline $lib"
+				break
+			fi
+		done
+		if test "yes" = "$ac_cv_func_readline"
+		then
+			break
+		fi
+	done
+	if test "auto" != "$use_readline" &&
+	   test "X$READLINE_LIB" = "X"
+	then
+		as_fn_error $? "The readline library was not found." "$LINENO" 5
+	fi
+	LIBS="$saved_LIBS"
+	;;
+esac
+if test "yes" = "$ac_cv_func_readline"
+then
+	case "$READLINE_LIB" in
+	*edit*)
+		for ac_header in editline/readline.h
+do :
+  ac_fn_c_check_header_mongrel "$LINENO" "editline/readline.h" "ac_cv_header_editline_readline_h" "$ac_includes_default"
+if test "x$ac_cv_header_editline_readline_h" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_EDITLINE_READLINE_H 1
+_ACEOF
+
+fi
+
+done
+
+		for ac_header in edit/readline/readline.h
+do :
+  ac_fn_c_check_header_mongrel "$LINENO" "edit/readline/readline.h" "ac_cv_header_edit_readline_readline_h" "$ac_includes_default"
+if test "x$ac_cv_header_edit_readline_readline_h" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_EDIT_READLINE_READLINE_H 1
+_ACEOF
+
+fi
+
+done
+
+		for ac_header in edit/readline/history.h
+do :
+  ac_fn_c_check_header_mongrel "$LINENO" "edit/readline/history.h" "ac_cv_header_edit_readline_history_h" "$ac_includes_default"
+if test "x$ac_cv_header_edit_readline_history_h" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_EDIT_READLINE_HISTORY_H 1
+_ACEOF
+
+fi
+
+done
+
+		;;
+	esac
+	for ac_header in readline/readline.h
+do :
+  ac_fn_c_check_header_mongrel "$LINENO" "readline/readline.h" "ac_cv_header_readline_readline_h" "$ac_includes_default"
+if test "x$ac_cv_header_readline_readline_h" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_READLINE_READLINE_H 1
+_ACEOF
+
+fi
+
+done
+
+	for ac_header in readline/history.h
+do :
+  ac_fn_c_check_header_mongrel "$LINENO" "readline/history.h" "ac_cv_header_readline_history_h" "$ac_includes_default"
+if test "x$ac_cv_header_readline_history_h" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_READLINE_HISTORY_H 1
+_ACEOF
+
+fi
+
+done
+
+fi
+
+
+
+
+#
+# Security Stuff
+#
+# Note it is very recommended to *not* disable chroot(),
+# this is only because chroot() was made obsolete by Posix.
+#
+# [pairwise: --enable-chroot, --disable-chroot]
+# Check whether --enable-chroot was given.
+if test "${enable_chroot+set}" = set; then :
+  enableval=$enable_chroot;
+fi
+
+case "$enable_chroot" in
+	yes|'')
+		for ac_func in chroot
+do :
+  ac_fn_c_check_func "$LINENO" "chroot" "ac_cv_func_chroot"
+if test "x$ac_cv_func_chroot" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_CHROOT 1
+_ACEOF
+
+fi
+done
+
+		;;
+	no)
+		;;
+esac
+
+LIBCAP_LIBS=""
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to enable Linux capabilities" >&5
+$as_echo_n "checking whether to enable Linux capabilities... " >&6; }
+
+# [pairwise: --enable-linux-caps, --disable-linux-caps]
+# Check whether --enable-linux-caps was given.
+if test "${enable_linux_caps+set}" = set; then :
+  enableval=$enable_linux_caps;
+else
+  case $host in #(
+  *-linux*) :
+    enable_linux_caps=yes ;; #(
+  *) :
+    enable_linux_caps=no ;;
+esac
+fi
+
+
+if test "$enable_linux_caps" = "yes"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+       for ac_header in sys/capability.h
+do :
+  ac_fn_c_check_header_mongrel "$LINENO" "sys/capability.h" "ac_cv_header_sys_capability_h" "$ac_includes_default"
+if test "x$ac_cv_header_sys_capability_h" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_SYS_CAPABILITY_H 1
+_ACEOF
+
+else
+  as_fn_error $? "sys/capability.h header is required for Linux capabilities support. Either install libcap or use --disable-linux-caps." "$LINENO" 5
+fi
+
+done
+
+
+
+  CCASFLAGS_cap_ax_save_flags=$CCASFLAGS
+
+
+
+  CFLAGS_cap_ax_save_flags=$CFLAGS
+
+
+
+  CPPFLAGS_cap_ax_save_flags=$CPPFLAGS
+
+
+
+  CXXFLAGS_cap_ax_save_flags=$CXXFLAGS
+
+
+
+  ERLCFLAGS_cap_ax_save_flags=$ERLCFLAGS
+
+
+
+  FCFLAGS_cap_ax_save_flags=$FCFLAGS
+
+
+
+  FCLIBS_cap_ax_save_flags=$FCLIBS
+
+
+
+  FFLAGS_cap_ax_save_flags=$FFLAGS
+
+
+
+  FLIBS_cap_ax_save_flags=$FLIBS
+
+
+
+  GCJFLAGS_cap_ax_save_flags=$GCJFLAGS
+
+
+
+  JAVACFLAGS_cap_ax_save_flags=$JAVACFLAGS
+
+
+
+  LDFLAGS_cap_ax_save_flags=$LDFLAGS
+
+
+
+  LIBS_cap_ax_save_flags=$LIBS
+
+
+
+  OBJCFLAGS_cap_ax_save_flags=$OBJCFLAGS
+
+
+
+  OBJCXXFLAGS_cap_ax_save_flags=$OBJCXXFLAGS
+
+
+
+  UPCFLAGS_cap_ax_save_flags=$UPCFLAGS
+
+
+
+  VALAFLAGS_cap_ax_save_flags=$VALAFLAGS
+
+
+
+       { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing cap_set_proc" >&5
+$as_echo_n "checking for library containing cap_set_proc... " >&6; }
+if ${ac_cv_search_cap_set_proc+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_func_search_save_LIBS=$LIBS
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char cap_set_proc ();
+int
+main ()
+{
+return cap_set_proc ();
+  ;
+  return 0;
+}
+_ACEOF
+for ac_lib in '' cap; do
+  if test -z "$ac_lib"; then
+    ac_res="none required"
+  else
+    ac_res=-l$ac_lib
+    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
+  fi
+  if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_search_cap_set_proc=$ac_res
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext
+  if ${ac_cv_search_cap_set_proc+:} false; then :
+  break
+fi
+done
+if ${ac_cv_search_cap_set_proc+:} false; then :
+
+else
+  ac_cv_search_cap_set_proc=no
+fi
+rm conftest.$ac_ext
+LIBS=$ac_func_search_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_cap_set_proc" >&5
+$as_echo "$ac_cv_search_cap_set_proc" >&6; }
+ac_res=$ac_cv_search_cap_set_proc
+if test "$ac_res" != no; then :
+  test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
+  LIBCAP_LIBS="$ac_cv_search_cap_set_proc"
+else
+  as_fn_error $? "libcap is required for Linux capabilities support. Either install libcap or use --disable-linux-caps." "$LINENO" 5
+fi
+
+
+  CCASFLAGS=$CCASFLAGS_cap_ax_save_flags
+
+
+  CFLAGS=$CFLAGS_cap_ax_save_flags
+
+
+  CPPFLAGS=$CPPFLAGS_cap_ax_save_flags
+
+
+  CXXFLAGS=$CXXFLAGS_cap_ax_save_flags
+
+
+  ERLCFLAGS=$ERLCFLAGS_cap_ax_save_flags
+
+
+  FCFLAGS=$FCFLAGS_cap_ax_save_flags
+
+
+  FCLIBS=$FCLIBS_cap_ax_save_flags
+
+
+  FFLAGS=$FFLAGS_cap_ax_save_flags
+
+
+  FLIBS=$FLIBS_cap_ax_save_flags
+
+
+  GCJFLAGS=$GCJFLAGS_cap_ax_save_flags
+
+
+  JAVACFLAGS=$JAVACFLAGS_cap_ax_save_flags
+
+
+  LDFLAGS=$LDFLAGS_cap_ax_save_flags
+
+
+  LIBS=$LIBS_cap_ax_save_flags
+
+
+  OBJCFLAGS=$OBJCFLAGS_cap_ax_save_flags
+
+
+  OBJCXXFLAGS=$OBJCXXFLAGS_cap_ax_save_flags
+
+
+  UPCFLAGS=$UPCFLAGS_cap_ax_save_flags
+
+
+  VALAFLAGS=$VALAFLAGS_cap_ax_save_flags
+
+
+
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+for ac_header in sys/un.h
+do :
+  ac_fn_c_check_header_mongrel "$LINENO" "sys/un.h" "ac_cv_header_sys_un_h" "$ac_includes_default"
+if test "x$ac_cv_header_sys_un_h" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_SYS_UN_H 1
+_ACEOF
+ ISC_PLATFORM_HAVESYSUNH="#define ISC_PLATFORM_HAVESYSUNH 1"
+
+else
+  ISC_PLATFORM_HAVESYSUNH="#undef ISC_PLATFORM_HAVESYSUNH"
+
+fi
+
+done
+
+
+
+case "$host" in
+*-solaris*)
+
+$as_echo "#define NEED_SECURE_DIRECTORY 1" >>confdefs.h
+
+	;;
+esac
+
+#
+# Time Zone Stuff
+#
+for ac_func in tzset
+do :
+  ac_fn_c_check_func "$LINENO" "tzset" "ac_cv_func_tzset"
+if test "x$ac_cv_func_tzset" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_TZSET 1
+_ACEOF
+
+fi
+done
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for optarg declaration" >&5
+$as_echo_n "checking for optarg declaration... " >&6; }
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+#include <unistd.h>
+
+int
+main ()
+{
+optarg = 0;
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+GEN_NEED_OPTARG="-DNEED_OPTARG=1"
+
+$as_echo "#define NEED_OPTARG 1" >>confdefs.h
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
+#
+# Check for nanoseconds in file stats
+#
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for st_mtim.tv_nsec" >&5
+$as_echo_n "checking for st_mtim.tv_nsec... " >&6; }
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <sys/fcntl.h>
+int
+main ()
+{
+struct stat s;
+       return(s.st_mtim.tv_nsec);
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+
+$as_echo "#define HAVE_STAT_NSEC 1" >>confdefs.h
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
+#
+# Check for if_nametoindex() for IPv6 scoped addresses support
+#
+for ac_func in if_nametoindex
+do :
+  ac_fn_c_check_func "$LINENO" "if_nametoindex" "ac_cv_func_if_nametoindex"
+if test "x$ac_cv_func_if_nametoindex" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_IF_NAMETOINDEX 1
+_ACEOF
+
+fi
+done
+
+
+ISC_ATOMIC_LIBS=""
+for ac_header in stdatomic.h
+do :
+  ac_fn_c_check_header_mongrel "$LINENO" "stdatomic.h" "ac_cv_header_stdatomic_h" "$ac_includes_default"
+if test "x$ac_cv_header_stdatomic_h" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_STDATOMIC_H 1
+_ACEOF
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for memory model aware atomic operations" >&5
+$as_echo_n "checking for memory model aware atomic operations... " >&6; }
+   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <stdatomic.h>
+int
+main ()
+{
+atomic_int_fast32_t val = 0; atomic_fetch_add_explicit(&val, 1, memory_order_relaxed);
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: stdatomic.h" >&5
+$as_echo "stdatomic.h" >&6; }
+      { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether -latomic is needed for 64-bit stdatomic.h functions" >&5
+$as_echo_n "checking whether -latomic is needed for 64-bit stdatomic.h functions... " >&6; }
+      cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <stdatomic.h>
+int
+main ()
+{
+atomic_int_fast64_t val = 0; atomic_fetch_add_explicit(&val, 1, memory_order_relaxed);
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+else
+  ISC_ATOMIC_LIBS="-latomic"
+
+
+  CCASFLAGS_atomic_ax_save_flags=$CCASFLAGS
+
+
+
+  CFLAGS_atomic_ax_save_flags=$CFLAGS
+
+
+
+  CPPFLAGS_atomic_ax_save_flags=$CPPFLAGS
+
+
+
+  CXXFLAGS_atomic_ax_save_flags=$CXXFLAGS
+
+
+
+  ERLCFLAGS_atomic_ax_save_flags=$ERLCFLAGS
+
+
+
+  FCFLAGS_atomic_ax_save_flags=$FCFLAGS
+
+
+
+  FCLIBS_atomic_ax_save_flags=$FCLIBS
+
+
+
+  FFLAGS_atomic_ax_save_flags=$FFLAGS
+
+
+
+  FLIBS_atomic_ax_save_flags=$FLIBS
+
+
+
+  GCJFLAGS_atomic_ax_save_flags=$GCJFLAGS
+
+
+
+  JAVACFLAGS_atomic_ax_save_flags=$JAVACFLAGS
+
+
+
+  LDFLAGS_atomic_ax_save_flags=$LDFLAGS
+
+
+
+  LIBS_atomic_ax_save_flags=$LIBS
+
+
+
+  OBJCFLAGS_atomic_ax_save_flags=$OBJCFLAGS
+
+
+
+  OBJCXXFLAGS_atomic_ax_save_flags=$OBJCXXFLAGS
+
+
+
+  UPCFLAGS_atomic_ax_save_flags=$UPCFLAGS
+
+
+
+  VALAFLAGS_atomic_ax_save_flags=$VALAFLAGS
+
+
+
+	 LIBS="$LIBS $ISC_ATOMIC_LIBS"
+	 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <stdatomic.h>
+int
+main ()
+{
+atomic_int_fast64_t val = 0; atomic_fetch_add_explicit(&val, 1, memory_order_relaxed);
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "libatomic needed, but linking with -latomic failed, please fix your toolchain.
+See \`config.log' for more details" "$LINENO" 5; }
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+
+  CCASFLAGS=$CCASFLAGS_atomic_ax_save_flags
+
+
+  CFLAGS=$CFLAGS_atomic_ax_save_flags
+
+
+  CPPFLAGS=$CPPFLAGS_atomic_ax_save_flags
+
+
+  CXXFLAGS=$CXXFLAGS_atomic_ax_save_flags
+
+
+  ERLCFLAGS=$ERLCFLAGS_atomic_ax_save_flags
+
+
+  FCFLAGS=$FCFLAGS_atomic_ax_save_flags
+
+
+  FCLIBS=$FCLIBS_atomic_ax_save_flags
+
+
+  FFLAGS=$FFLAGS_atomic_ax_save_flags
+
+
+  FLIBS=$FLIBS_atomic_ax_save_flags
+
+
+  GCJFLAGS=$GCJFLAGS_atomic_ax_save_flags
+
+
+  JAVACFLAGS=$JAVACFLAGS_atomic_ax_save_flags
+
+
+  LDFLAGS=$LDFLAGS_atomic_ax_save_flags
+
+
+  LIBS=$LIBS_atomic_ax_save_flags
+
+
+  OBJCFLAGS=$OBJCFLAGS_atomic_ax_save_flags
+
+
+  OBJCXXFLAGS=$OBJCXXFLAGS_atomic_ax_save_flags
+
+
+  UPCFLAGS=$UPCFLAGS_atomic_ax_save_flags
+
+
+  VALAFLAGS=$VALAFLAGS_atomic_ax_save_flags
+
+
+
+
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+
+else
+  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "stdatomic.h header found, but compilation failed, please fix your toolchain.
+See \`config.log' for more details" "$LINENO" 5; }
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for memory model aware atomic operations" >&5
+$as_echo_n "checking for memory model aware atomic operations... " >&6; }
+   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <inttypes.h>
+int
+main ()
+{
+int32_t val = 0; __atomic_fetch_add(&val, 1, __ATOMIC_RELAXED);
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: __atomic builtins" >&5
+$as_echo "__atomic builtins" >&6; }
+
+$as_echo "#define HAVE___ATOMIC 1" >>confdefs.h
+
+      { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether -latomic is needed for 64-bit __atomic builtins" >&5
+$as_echo_n "checking whether -latomic is needed for 64-bit __atomic builtins... " >&6; }
+      cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <inttypes.h>
+int
+main ()
+{
+int64_t val = 0; __atomic_fetch_add(&val, 1, __ATOMIC_RELAXED);
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+else
+  ISC_ATOMIC_LIBS="-latomic"
+
+
+  CCASFLAGS_atomic_ax_save_flags=$CCASFLAGS
+
+
+
+  CFLAGS_atomic_ax_save_flags=$CFLAGS
+
+
+
+  CPPFLAGS_atomic_ax_save_flags=$CPPFLAGS
+
+
+
+  CXXFLAGS_atomic_ax_save_flags=$CXXFLAGS
+
+
+
+  ERLCFLAGS_atomic_ax_save_flags=$ERLCFLAGS
+
+
+
+  FCFLAGS_atomic_ax_save_flags=$FCFLAGS
+
+
+
+  FCLIBS_atomic_ax_save_flags=$FCLIBS
+
+
+
+  FFLAGS_atomic_ax_save_flags=$FFLAGS
+
+
+
+  FLIBS_atomic_ax_save_flags=$FLIBS
+
+
+
+  GCJFLAGS_atomic_ax_save_flags=$GCJFLAGS
+
+
+
+  JAVACFLAGS_atomic_ax_save_flags=$JAVACFLAGS
+
+
+
+  LDFLAGS_atomic_ax_save_flags=$LDFLAGS
+
+
+
+  LIBS_atomic_ax_save_flags=$LIBS
+
+
+
+  OBJCFLAGS_atomic_ax_save_flags=$OBJCFLAGS
+
+
+
+  OBJCXXFLAGS_atomic_ax_save_flags=$OBJCXXFLAGS
+
+
+
+  UPCFLAGS_atomic_ax_save_flags=$UPCFLAGS
+
+
+
+  VALAFLAGS_atomic_ax_save_flags=$VALAFLAGS
+
+
+
+	 LIBS="$LIBS $ISC_ATOMIC_LIBS"
+	 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <inttypes.h>
+int
+main ()
+{
+int64_t val = 0; __atomic_fetch_add(&val, 1, __ATOMIC_RELAXED);
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "libatomic needed, but linking with -latomic failed, please fix your toolchain.
+See \`config.log' for more details" "$LINENO" 5; }
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+
+  CCASFLAGS=$CCASFLAGS_atomic_ax_save_flags
+
+
+  CFLAGS=$CFLAGS_atomic_ax_save_flags
+
+
+  CPPFLAGS=$CPPFLAGS_atomic_ax_save_flags
+
+
+  CXXFLAGS=$CXXFLAGS_atomic_ax_save_flags
+
+
+  ERLCFLAGS=$ERLCFLAGS_atomic_ax_save_flags
+
+
+  FCFLAGS=$FCFLAGS_atomic_ax_save_flags
+
+
+  FCLIBS=$FCLIBS_atomic_ax_save_flags
+
+
+  FFLAGS=$FFLAGS_atomic_ax_save_flags
+
+
+  FLIBS=$FLIBS_atomic_ax_save_flags
+
+
+  GCJFLAGS=$GCJFLAGS_atomic_ax_save_flags
+
+
+  JAVACFLAGS=$JAVACFLAGS_atomic_ax_save_flags
+
+
+  LDFLAGS=$LDFLAGS_atomic_ax_save_flags
+
+
+  LIBS=$LIBS_atomic_ax_save_flags
+
+
+  OBJCFLAGS=$OBJCFLAGS_atomic_ax_save_flags
+
+
+  OBJCXXFLAGS=$OBJCXXFLAGS_atomic_ax_save_flags
+
+
+  UPCFLAGS=$UPCFLAGS_atomic_ax_save_flags
+
+
+  VALAFLAGS=$VALAFLAGS_atomic_ax_save_flags
+
+
+
+
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: __sync builtins" >&5
+$as_echo "__sync builtins" >&6; }
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
+fi
+
+done
+
+LIBS="$LIBS $ISC_ATOMIC_LIBS"
+
+for ac_header in stdalign.h
+do :
+  ac_fn_c_check_header_mongrel "$LINENO" "stdalign.h" "ac_cv_header_stdalign_h" "$ac_includes_default"
+if test "x$ac_cv_header_stdalign_h" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_STDALIGN_H 1
+_ACEOF
+
+fi
+
+done
+
+
+for ac_header in uchar.h
+do :
+  ac_fn_c_check_header_mongrel "$LINENO" "uchar.h" "ac_cv_header_uchar_h" "$ac_includes_default"
+if test "x$ac_cv_header_uchar_h" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_UCHAR_H 1
+_ACEOF
+
+fi
+
+done
+
+
+#
+# Check for __builtin_unreachable
+#
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking compiler support for __builtin_unreachable()" >&5
+$as_echo_n "checking compiler support for __builtin_unreachable()... " >&6; }
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+__builtin_unreachable();
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+$as_echo "#define HAVE_BUILTIN_UNREACHABLE 1" >>confdefs.h
+
+
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+
+#
+# Check for __builtin_expect
+#
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking compiler support for __builtin_expect" >&5
+$as_echo_n "checking compiler support for __builtin_expect... " >&6; }
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+	return (__builtin_expect(1, 1) ? 1 : 0);
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+
+	have_builtin_expect=yes
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+else
+
+	have_builtin_expect=no
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+if test "yes" = "$have_builtin_expect"; then
+
+$as_echo "#define HAVE_BUILTIN_EXPECT 1" >>confdefs.h
+
+fi
+
+#
+# Check for __builtin_clz
+#
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking compiler support for __builtin_clz" >&5
+$as_echo_n "checking compiler support for __builtin_clz... " >&6; }
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+	return (__builtin_clz(0xff) == 24 ? 1 : 0);
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+
+	have_builtin_clz=yes
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+else
+
+	have_builtin_clz=no
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+if test "yes" = "$have_builtin_clz"; then
+
+$as_echo "#define HAVE_BUILTIN_CLZ 1" >>confdefs.h
+
+fi
+
+#
+# Activate "rrset-order fixed" or not?
+#
+# [pairwise: --enable-fixed-rrset, --disable-fixed-rrset]
+# Check whether --enable-fixed-rrset was given.
+if test "${enable_fixed_rrset+set}" = set; then :
+  enableval=$enable_fixed_rrset; enable_fixed="$enableval"
+else
+  enable_fixed="no"
+fi
+
+case "$enable_fixed" in
+	yes)
+
+$as_echo "#define DNS_RDATASET_FIXED 1" >>confdefs.h
+
+		;;
+	no)
+		;;
+	*)
+		;;
+esac
+
+#
+# Activate dnstap?
+#
+# [pairwise: --enable-dnstap, --disable-dnstap]
+# Check whether --enable-dnstap was given.
+if test "${enable_dnstap+set}" = set; then :
+  enableval=$enable_dnstap; use_dnstap=$enableval
+else
+  use_dnstap=no
+fi
+
+
+DNSTAP=
+DNSTAPSRCS=
+DNSTAPOBJS=
+DNSTAPTARGETS=
+if test "x$use_dnstap" != "xno"; then
+
+	# [pairwise: skip]
+
+# Check whether --with-protobuf-c was given.
+if test "${with_protobuf_c+set}" = set; then :
+  withval=$with_protobuf_c;
+	    # workaround for protobuf-c includes at old dir
+	    # before protobuf-c-1.0.0
+	    if test -f $withval/include/google/protobuf-c/protobuf-c.h
+	    then
+		PROTOBUF_C_CFLAGS="-I$withval/include/google"
+	    else
+		PROTOBUF_C_CFLAGS="-I$withval/include"
+	    fi
+	    PROTOBUF_C_LIBS="-L$withval/lib"
+	    # Extract the first word of "protoc-c", so it can be a program name with args.
+set dummy protoc-c; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_PROTOC_C+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $PROTOC_C in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_PROTOC_C="$PROTOC_C" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH$PATH_SEPARATOR$withval/bin
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_PROTOC_C="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+PROTOC_C=$ac_cv_path_PROTOC_C
+if test -n "$PROTOC_C"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PROTOC_C" >&5
+$as_echo "$PROTOC_C" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+
+else
+
+	    # workaround for protobuf-c includes at old dir
+	    # before protobuf-c-1.0.0
+	    if test -f /usr/include/google/protobuf-c/protobuf-c.h
+	    then
+		PROTOBUF_C_CFLAGS="-I/usr/include/google"
+	    else
+		if test -f /usr/local/include/google/protobuf-c/protobuf-c.h
+		then
+		    PROTOBUF_C_CFLAGS="-I/usr/local/include/google"
+		    PROTOBUF_C_LIBS="-L/usr/local/lib"
+		elif test -f /opt/local/include/google/protobuf-c/protobuf-c.h
+		then
+		    PROTOBUF_C_CFLAGS="-I/opt/local/include/google"
+		    PROTOBUF_C_LIBS="-L/opt/local/lib"
+		fi
+	    fi
+	    # Extract the first word of "protoc-c", so it can be a program name with args.
+set dummy protoc-c; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_PROTOC_C+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $PROTOC_C in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_PROTOC_C="$PROTOC_C" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_PROTOC_C="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+PROTOC_C=$ac_cv_path_PROTOC_C
+if test -n "$PROTOC_C"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PROTOC_C" >&5
+$as_echo "$PROTOC_C" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+
+fi
+
+	if test -z "$PROTOC_C"; then
+		as_fn_error $? "The protoc-c program was not found." "$LINENO" 5
+	fi
+
+	# [pairwise: skip]
+
+# Check whether --with-libfstrm was given.
+if test "${with_libfstrm+set}" = set; then :
+  withval=$with_libfstrm;
+	    FSTRM_CFLAGS="-I$withval/include"
+	    FSTRM_LIBS="-L$withval/lib"
+	    # Extract the first word of "fstrm_capture", so it can be a program name with args.
+set dummy fstrm_capture; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_FSTRM_CAPTURE+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $FSTRM_CAPTURE in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_FSTRM_CAPTURE="$FSTRM_CAPTURE" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH$PATH_SEPARATOR$withval/bin
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_FSTRM_CAPTURE="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+FSTRM_CAPTURE=$ac_cv_path_FSTRM_CAPTURE
+if test -n "$FSTRM_CAPTURE"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $FSTRM_CAPTURE" >&5
+$as_echo "$FSTRM_CAPTURE" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+
+else
+
+	    for d in /usr /usr/local /opt/local
+	    do
+		if test -f "${d}/include/fstrm.h"
+		then
+		    if test ${d} != /usr
+		    then
+			FSTRM_CFLAGS="-I${d}/include"
+			FSTRM_LIBS="-L${d}/lib"
+		    fi
+		    have_fstrm="$d"
+		    break
+		fi
+	    done
+	    if test -z "$have_fstrm"; then
+		# Extract the first word of "fstrm_capture", so it can be a program name with args.
+set dummy fstrm_capture; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_FSTRM_CAPTURE+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $FSTRM_CAPTURE in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_FSTRM_CAPTURE="$FSTRM_CAPTURE" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_FSTRM_CAPTURE="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+FSTRM_CAPTURE=$ac_cv_path_FSTRM_CAPTURE
+if test -n "$FSTRM_CAPTURE"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $FSTRM_CAPTURE" >&5
+$as_echo "$FSTRM_CAPTURE" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+	    else
+		# Extract the first word of "fstrm_capture", so it can be a program name with args.
+set dummy fstrm_capture; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_FSTRM_CAPTURE+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $FSTRM_CAPTURE in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_FSTRM_CAPTURE="$FSTRM_CAPTURE" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH$PATH_SEPARATOR$have_fstrm/bin
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_FSTRM_CAPTURE="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+FSTRM_CAPTURE=$ac_cv_path_FSTRM_CAPTURE
+if test -n "$FSTRM_CAPTURE"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $FSTRM_CAPTURE" >&5
+$as_echo "$FSTRM_CAPTURE" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+	    fi
+
+fi
+
+
+
+  CCASFLAGS_dnstap_ax_save_flags=$CCASFLAGS
+
+
+
+  CFLAGS_dnstap_ax_save_flags=$CFLAGS
+
+
+
+  CPPFLAGS_dnstap_ax_save_flags=$CPPFLAGS
+
+
+
+  CXXFLAGS_dnstap_ax_save_flags=$CXXFLAGS
+
+
+
+  ERLCFLAGS_dnstap_ax_save_flags=$ERLCFLAGS
+
+
+
+  FCFLAGS_dnstap_ax_save_flags=$FCFLAGS
+
+
+
+  FCLIBS_dnstap_ax_save_flags=$FCLIBS
+
+
+
+  FFLAGS_dnstap_ax_save_flags=$FFLAGS
+
+
+
+  FLIBS_dnstap_ax_save_flags=$FLIBS
+
+
+
+  GCJFLAGS_dnstap_ax_save_flags=$GCJFLAGS
+
+
+
+  JAVACFLAGS_dnstap_ax_save_flags=$JAVACFLAGS
+
+
+
+  LDFLAGS_dnstap_ax_save_flags=$LDFLAGS
+
+
+
+  LIBS_dnstap_ax_save_flags=$LIBS
+
+
+
+  OBJCFLAGS_dnstap_ax_save_flags=$OBJCFLAGS
+
+
+
+  OBJCXXFLAGS_dnstap_ax_save_flags=$OBJCXXFLAGS
+
+
+
+  UPCFLAGS_dnstap_ax_save_flags=$UPCFLAGS
+
+
+
+  VALAFLAGS_dnstap_ax_save_flags=$VALAFLAGS
+
+
+
+	CFLAGS="$CFLAGS $PROTOBUF_C_CFLAGS $FSTRM_CFLAGS"
+	LIBS="$LDFLAGS $PROTOBUF_C_LIBS $FSTRM_LIBS"
+
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing fstrm_iothr_init" >&5
+$as_echo_n "checking for library containing fstrm_iothr_init... " >&6; }
+if ${ac_cv_search_fstrm_iothr_init+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_func_search_save_LIBS=$LIBS
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char fstrm_iothr_init ();
+int
+main ()
+{
+return fstrm_iothr_init ();
+  ;
+  return 0;
+}
+_ACEOF
+for ac_lib in '' fstrm; do
+  if test -z "$ac_lib"; then
+    ac_res="none required"
+  else
+    ac_res=-l$ac_lib
+    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
+  fi
+  if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_search_fstrm_iothr_init=$ac_res
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext
+  if ${ac_cv_search_fstrm_iothr_init+:} false; then :
+  break
+fi
+done
+if ${ac_cv_search_fstrm_iothr_init+:} false; then :
+
+else
+  ac_cv_search_fstrm_iothr_init=no
+fi
+rm conftest.$ac_ext
+LIBS=$ac_func_search_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_fstrm_iothr_init" >&5
+$as_echo "$ac_cv_search_fstrm_iothr_init" >&6; }
+ac_res=$ac_cv_search_fstrm_iothr_init
+if test "$ac_res" != no; then :
+  test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
+
+else
+  as_fn_error $? "The fstrm library was not found. Please install fstrm!" "$LINENO" 5
+fi
+
+	FSTRM_LIBS="$FSTRM_LIBS $ac_cv_search_fstrm_iothr_init"
+
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing protobuf_c_message_pack" >&5
+$as_echo_n "checking for library containing protobuf_c_message_pack... " >&6; }
+if ${ac_cv_search_protobuf_c_message_pack+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_func_search_save_LIBS=$LIBS
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char protobuf_c_message_pack ();
+int
+main ()
+{
+return protobuf_c_message_pack ();
+  ;
+  return 0;
+}
+_ACEOF
+for ac_lib in '' protobuf-c; do
+  if test -z "$ac_lib"; then
+    ac_res="none required"
+  else
+    ac_res=-l$ac_lib
+    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
+  fi
+  if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_search_protobuf_c_message_pack=$ac_res
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext
+  if ${ac_cv_search_protobuf_c_message_pack+:} false; then :
+  break
+fi
+done
+if ${ac_cv_search_protobuf_c_message_pack+:} false; then :
+
+else
+  ac_cv_search_protobuf_c_message_pack=no
+fi
+rm conftest.$ac_ext
+LIBS=$ac_func_search_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_protobuf_c_message_pack" >&5
+$as_echo "$ac_cv_search_protobuf_c_message_pack" >&6; }
+ac_res=$ac_cv_search_protobuf_c_message_pack
+if test "$ac_res" != no; then :
+  test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
+
+else
+  as_fn_error $? "The protobuf-c library was not found. Please install protobuf-c!" "$LINENO" 5
+fi
+
+	PROTOBUF_C_LIBS="$PROTOBUF_C_LIBS $ac_cv_search_protobuf_c_message_pack"
+
+
+  CCASFLAGS=$CCASFLAGS_dnstap_ax_save_flags
+
+
+  CFLAGS=$CFLAGS_dnstap_ax_save_flags
+
+
+  CPPFLAGS=$CPPFLAGS_dnstap_ax_save_flags
+
+
+  CXXFLAGS=$CXXFLAGS_dnstap_ax_save_flags
+
+
+  ERLCFLAGS=$ERLCFLAGS_dnstap_ax_save_flags
+
+
+  FCFLAGS=$FCFLAGS_dnstap_ax_save_flags
+
+
+  FCLIBS=$FCLIBS_dnstap_ax_save_flags
+
+
+  FFLAGS=$FFLAGS_dnstap_ax_save_flags
+
+
+  FLIBS=$FLIBS_dnstap_ax_save_flags
+
+
+  GCJFLAGS=$GCJFLAGS_dnstap_ax_save_flags
+
+
+  JAVACFLAGS=$JAVACFLAGS_dnstap_ax_save_flags
+
+
+  LDFLAGS=$LDFLAGS_dnstap_ax_save_flags
+
+
+  LIBS=$LIBS_dnstap_ax_save_flags
+
+
+  OBJCFLAGS=$OBJCFLAGS_dnstap_ax_save_flags
+
+
+  OBJCXXFLAGS=$OBJCXXFLAGS_dnstap_ax_save_flags
+
+
+  UPCFLAGS=$UPCFLAGS_dnstap_ax_save_flags
+
+
+  VALAFLAGS=$VALAFLAGS_dnstap_ax_save_flags
+
+
+
+
+$as_echo "#define HAVE_DNSTAP 1" >>confdefs.h
+
+	DNSTAP=dnstap
+	DNSTAPSRCS='${DNSTAPSRCS}'
+	DNSTAPOBJS='${DNSTAPOBJS}'
+	DNSTAPTARGETS='${DNSTAPTARGETS}'
+	DNSTAP_MANS='${dnstap_man1_MANS}'
+fi
+
+
+
+
+
+
+
+
+
+
+#
+#  The following sets up how non-blocking i/o is established.
+#  cygwin and solaris 2.x (x<5) require special handling.
+#
+case "$host" in
+*-cygwin*) $as_echo "#define PORT_NONBLOCK O_NDELAY" >>confdefs.h
+;;
+*-solaris2.[01234])
+	$as_echo "#define PORT_NONBLOCK O_NONBLOCK" >>confdefs.h
+
+
+$as_echo "#define USE_FIONBIO_IOCTL 1" >>confdefs.h
+
+	;;
+*)
+$as_echo "#define PORT_NONBLOCK O_NONBLOCK" >>confdefs.h
+
+	;;
+esac
+#
+# Solaris 2.5.1 and earlier cannot bind() then connect() a TCP socket.
+# This prevents the source address being set.
+#
+case "$host" in
+*-solaris2.[012345]|*-solaris2.5.1)
+
+$as_echo "#define BROKEN_TCP_BIND_BEFORE_CONNECT 1" >>confdefs.h
+
+	;;
+esac
+#
+# The following sections deal with tools used for formatting
+# the documentation.  They are all optional, unless you are
+# a developer editing the documentation source.
+#
+
+#
+# The following sections deal with tools used for formatting
+# the documentation.  They are all optional, unless you are
+# a developer editing the documentation source.
+#
+
+#
+# Look for sphinx-build
+#
+
+# Extract the first word of "sphinx-build", so it can be a program name with args.
+set dummy sphinx-build; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_SPHINX_BUILD+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $SPHINX_BUILD in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_SPHINX_BUILD="$SPHINX_BUILD" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_SPHINX_BUILD="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  test -z "$ac_cv_path_SPHINX_BUILD" && ac_cv_path_SPHINX_BUILD=":"
+  ;;
+esac
+fi
+SPHINX_BUILD=$ac_cv_path_SPHINX_BUILD
+if test -n "$SPHINX_BUILD"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $SPHINX_BUILD" >&5
+$as_echo "$SPHINX_BUILD" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+ if test "$SPHINX_BUILD" != ":"; then
+  HAVE_SPHINX_BUILD_TRUE=
+  HAVE_SPHINX_BUILD_FALSE='#'
+else
+  HAVE_SPHINX_BUILD_TRUE='#'
+  HAVE_SPHINX_BUILD_FALSE=
+fi
+
+
+# Extract the first word of "xelatex", so it can be a program name with args.
+set dummy xelatex; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_XELATEX+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $XELATEX in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_XELATEX="$XELATEX" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_XELATEX="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  test -z "$ac_cv_path_XELATEX" && ac_cv_path_XELATEX=":"
+  ;;
+esac
+fi
+XELATEX=$ac_cv_path_XELATEX
+if test -n "$XELATEX"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $XELATEX" >&5
+$as_echo "$XELATEX" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+# Extract the first word of "latexmk", so it can be a program name with args.
+set dummy latexmk; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_LATEXMK+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $LATEXMK in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_LATEXMK="$LATEXMK" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_LATEXMK="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  test -z "$ac_cv_path_LATEXMK" && ac_cv_path_LATEXMK=":"
+  ;;
+esac
+fi
+LATEXMK=$ac_cv_path_LATEXMK
+if test -n "$LATEXMK"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $LATEXMK" >&5
+$as_echo "$LATEXMK" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+ if test "$XELATEX" != ":" && test "$LATEXMK" != ":"; then
+  HAVE_XELATEX_TRUE=
+  HAVE_XELATEX_FALSE='#'
+else
+  HAVE_XELATEX_TRUE='#'
+  HAVE_XELATEX_FALSE=
+fi
+
+
+#
+# Build the man pages only if we have prebuilt manpages or we can build them from RST sources
+#
+BUILD_MANPAGES=
+if test -e doc/man/named.conf.5in || test "$SPHINX_BUILD" != ":"
+then :
+  BUILD_MANPAGES=man
+fi
+
+
+#
+# Pull release date from CHANGES file last modification date
+# for reproducible builds
+#
+release_date=`date -u -r CHANGES +%Y-%m-%d`
+RELEASE_DATE=$release_date
+
+
+# Don't build the documentation if the sphinx-build is not present
+PDFTARGET=
+HTMLTARGET=
+MANSRCS=
+if test -n "$SPHINX_BUILD"; then :
+
+	  MANSRCS='$(MANPAGES_IN)'
+	  HTMLTARGET='html dirhtml'
+	  for ac_prog in pdflatex
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_PDFLATEX+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $PDFLATEX in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_PDFLATEX="$PDFLATEX" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_PDFLATEX="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+PDFLATEX=$ac_cv_path_PDFLATEX
+if test -n "$PDFLATEX"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PDFLATEX" >&5
+$as_echo "$PDFLATEX" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+  test -n "$PDFLATEX" && break
+done
+
+	  for ac_prog in latexmk
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_LATEXMK+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $LATEXMK in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_LATEXMK="$LATEXMK" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_LATEXMK="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+LATEXMK=$ac_cv_path_LATEXMK
+if test -n "$LATEXMK"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $LATEXMK" >&5
+$as_echo "$LATEXMK" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+  test -n "$LATEXMK" && break
+done
+
+	  if test -n "$PDFLATEX" && test -n "$LATEXMK"; then :
+
+		    PDFTARGET='pdf'
+
+fi
+
+fi
+
+
+
+
+#
+# Look for Doxygen
+#
+for ac_prog in doxygen
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_DOXYGEN+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $DOXYGEN in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_DOXYGEN="$DOXYGEN" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_DOXYGEN="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+DOXYGEN=$ac_cv_path_DOXYGEN
+if test -n "$DOXYGEN"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $DOXYGEN" >&5
+$as_echo "$DOXYGEN" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+  test -n "$DOXYGEN" && break
+done
+
+
+
+#
+# Look for curl
+#
+
+# Extract the first word of "curl", so it can be a program name with args.
+set dummy curl; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_CURL+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $CURL in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_CURL="$CURL" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_CURL="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  test -z "$ac_cv_path_CURL" && ac_cv_path_CURL="curl"
+  ;;
+esac
+fi
+CURL=$ac_cv_path_CURL
+if test -n "$CURL"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CURL" >&5
+$as_echo "$CURL" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+
+
+#
+# Look for xsltproc
+#
+
+# Extract the first word of "xsltproc", so it can be a program name with args.
+set dummy xsltproc; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_XSLTPROC+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $XSLTPROC in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_XSLTPROC="$XSLTPROC" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_XSLTPROC="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  test -z "$ac_cv_path_XSLTPROC" && ac_cv_path_XSLTPROC="xsltproc"
+  ;;
+esac
+fi
+XSLTPROC=$ac_cv_path_XSLTPROC
+if test -n "$XSLTPROC"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $XSLTPROC" >&5
+$as_echo "$XSLTPROC" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+
+
+#
+# IDN support using libidn2
+#
+
+LIBIDN2_CFLAGS=
+LIBIDN2_LDFLAGS=
+LIBIDN2_LIBS=
+
+# [pairwise: --with-libidn2=yes, --without-libidn2]
+
+# Check whether --with-libidn2 was given.
+if test "${with_libidn2+set}" = set; then :
+  withval=$with_libidn2; with_libidn2="$withval"
+else
+  with_libidn2="no"
+fi
+
+case $with_libidn2 in #(
+  yes) :
+
+pkg_failed=no
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libidn2" >&5
+$as_echo_n "checking for libidn2... " >&6; }
+
+if test -n "$LIBIDN2_CFLAGS"; then
+    pkg_cv_LIBIDN2_CFLAGS="$LIBIDN2_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libidn2\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "libidn2") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_LIBIDN2_CFLAGS=`$PKG_CONFIG --cflags "libidn2" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+if test -n "$LIBIDN2_LIBS"; then
+    pkg_cv_LIBIDN2_LIBS="$LIBIDN2_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libidn2\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "libidn2") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_LIBIDN2_LIBS=`$PKG_CONFIG --libs "libidn2" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi
+        if test $_pkg_short_errors_supported = yes; then
+	        LIBIDN2_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libidn2" 2>&1`
+        else
+	        LIBIDN2_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libidn2" 2>&1`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$LIBIDN2_PKG_ERRORS" >&5
+
+	as_fn_error $? "Package requirements (libidn2) were not met:
+
+$LIBIDN2_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+Alternatively, you may set the environment variables LIBIDN2_CFLAGS
+and LIBIDN2_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details." "$LINENO" 5
+elif test $pkg_failed = untried; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+Alternatively, you may set the environment variables LIBIDN2_CFLAGS
+and LIBIDN2_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details" "$LINENO" 5; }
+else
+	LIBIDN2_CFLAGS=$pkg_cv_LIBIDN2_CFLAGS
+	LIBIDN2_LIBS=$pkg_cv_LIBIDN2_LIBS
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+$as_echo "#define HAVE_LIBIDN2 1" >>confdefs.h
+
+fi ;; #(
+  no) :
+     ;; #(
+  *) :
+
+
+  CCASFLAGS_libidn2_ax_save_flags=$CCASFLAGS
+
+
+
+  CFLAGS_libidn2_ax_save_flags=$CFLAGS
+
+
+
+  CPPFLAGS_libidn2_ax_save_flags=$CPPFLAGS
+
+
+
+  CXXFLAGS_libidn2_ax_save_flags=$CXXFLAGS
+
+
+
+  ERLCFLAGS_libidn2_ax_save_flags=$ERLCFLAGS
+
+
+
+  FCFLAGS_libidn2_ax_save_flags=$FCFLAGS
+
+
+
+  FCLIBS_libidn2_ax_save_flags=$FCLIBS
+
+
+
+  FFLAGS_libidn2_ax_save_flags=$FFLAGS
+
+
+
+  FLIBS_libidn2_ax_save_flags=$FLIBS
+
+
+
+  GCJFLAGS_libidn2_ax_save_flags=$GCJFLAGS
+
+
+
+  JAVACFLAGS_libidn2_ax_save_flags=$JAVACFLAGS
+
+
+
+  LDFLAGS_libidn2_ax_save_flags=$LDFLAGS
+
+
+
+  LIBS_libidn2_ax_save_flags=$LIBS
+
+
+
+  OBJCFLAGS_libidn2_ax_save_flags=$OBJCFLAGS
+
+
+
+  OBJCXXFLAGS_libidn2_ax_save_flags=$OBJCXXFLAGS
+
+
+
+  UPCFLAGS_libidn2_ax_save_flags=$UPCFLAGS
+
+
+
+  VALAFLAGS_libidn2_ax_save_flags=$VALAFLAGS
+
+
+
+		 LIBIDN2_CFLAGS="-I$with_libidn2/include"
+		 LIBIDN2_LDFLAGS="-L$with_libidn2/lib"
+		 CFLAGS="$LIBIDN2_CFLAGS $CFLAGS"
+		 CPPFLAGS="$LIBIDN2_CFLAGS $CPPFLAGS"
+		 LDFLAGS="$LIBIDN2_LDFLAGS $LDFLAGS"
+		 for ac_header in idn2.h
+do :
+  ac_fn_c_check_header_mongrel "$LINENO" "idn2.h" "ac_cv_header_idn2_h" "$ac_includes_default"
+if test "x$ac_cv_header_idn2_h" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_IDN2_H 1
+_ACEOF
+
+else
+  as_fn_error $? "idn2.h not found" "$LINENO" 5
+fi
+
+done
+
+		 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing idn2_to_ascii_lz" >&5
+$as_echo_n "checking for library containing idn2_to_ascii_lz... " >&6; }
+if ${ac_cv_search_idn2_to_ascii_lz+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_func_search_save_LIBS=$LIBS
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char idn2_to_ascii_lz ();
+int
+main ()
+{
+return idn2_to_ascii_lz ();
+  ;
+  return 0;
+}
+_ACEOF
+for ac_lib in '' idn2; do
+  if test -z "$ac_lib"; then
+    ac_res="none required"
+  else
+    ac_res=-l$ac_lib
+    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
+  fi
+  if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_search_idn2_to_ascii_lz=$ac_res
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext
+  if ${ac_cv_search_idn2_to_ascii_lz+:} false; then :
+  break
+fi
+done
+if ${ac_cv_search_idn2_to_ascii_lz+:} false; then :
+
+else
+  ac_cv_search_idn2_to_ascii_lz=no
+fi
+rm conftest.$ac_ext
+LIBS=$ac_func_search_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_idn2_to_ascii_lz" >&5
+$as_echo "$ac_cv_search_idn2_to_ascii_lz" >&6; }
+ac_res=$ac_cv_search_idn2_to_ascii_lz
+if test "$ac_res" != no; then :
+  test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
+  LIBIDN2_LIBS="$ac_cv_search_idn2_to_ascii_lz"
+
+$as_echo "#define HAVE_LIBIDN2 1" >>confdefs.h
+
+else
+  as_fn_error $? "libidn2 requested, but not found" "$LINENO" 5
+fi
+
+
+  CCASFLAGS=$CCASFLAGS_libidn2_ax_save_flags
+
+
+  CFLAGS=$CFLAGS_libidn2_ax_save_flags
+
+
+  CPPFLAGS=$CPPFLAGS_libidn2_ax_save_flags
+
+
+  CXXFLAGS=$CXXFLAGS_libidn2_ax_save_flags
+
+
+  ERLCFLAGS=$ERLCFLAGS_libidn2_ax_save_flags
+
+
+  FCFLAGS=$FCFLAGS_libidn2_ax_save_flags
+
+
+  FCLIBS=$FCLIBS_libidn2_ax_save_flags
+
+
+  FFLAGS=$FFLAGS_libidn2_ax_save_flags
+
+
+  FLIBS=$FLIBS_libidn2_ax_save_flags
+
+
+  GCJFLAGS=$GCJFLAGS_libidn2_ax_save_flags
+
+
+  JAVACFLAGS=$JAVACFLAGS_libidn2_ax_save_flags
+
+
+  LDFLAGS=$LDFLAGS_libidn2_ax_save_flags
+
+
+  LIBS=$LIBS_libidn2_ax_save_flags
+
+
+  OBJCFLAGS=$OBJCFLAGS_libidn2_ax_save_flags
+
+
+  OBJCXXFLAGS=$OBJCXXFLAGS_libidn2_ax_save_flags
+
+
+  UPCFLAGS=$UPCFLAGS_libidn2_ax_save_flags
+
+
+  VALAFLAGS=$VALAFLAGS_libidn2_ax_save_flags
+
+
+ ;; #(
+  *) :
+     ;;
+esac
+
+
+
+
+#
+# Check whether to build with cmocka unit testing framework
+#
+# [pairwise: --with-cmocka=detect, --with-cmocka=yes, --without-cmocka]
+
+# Check whether --with-cmocka was given.
+if test "${with_cmocka+set}" = set; then :
+  withval=$with_cmocka;
+else
+  with_cmocka=detect
+fi
+
+
+case $with_cmocka in #(
+  no) :
+     ;; #(
+  detect) :
+
+pkg_failed=no
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for cmocka >= 1.1.3" >&5
+$as_echo_n "checking for cmocka >= 1.1.3... " >&6; }
+
+if test -n "$CMOCKA_CFLAGS"; then
+    pkg_cv_CMOCKA_CFLAGS="$CMOCKA_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"cmocka >= 1.1.3\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "cmocka >= 1.1.3") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_CMOCKA_CFLAGS=`$PKG_CONFIG --cflags "cmocka >= 1.1.3" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+if test -n "$CMOCKA_LIBS"; then
+    pkg_cv_CMOCKA_LIBS="$CMOCKA_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"cmocka >= 1.1.3\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "cmocka >= 1.1.3") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_CMOCKA_LIBS=`$PKG_CONFIG --libs "cmocka >= 1.1.3" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi
+        if test $_pkg_short_errors_supported = yes; then
+	        CMOCKA_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "cmocka >= 1.1.3" 2>&1`
+        else
+	        CMOCKA_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "cmocka >= 1.1.3" 2>&1`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$CMOCKA_PKG_ERRORS" >&5
+
+	with_cmocka=no
+elif test $pkg_failed = untried; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+	with_cmocka=no
+else
+	CMOCKA_CFLAGS=$pkg_cv_CMOCKA_CFLAGS
+	CMOCKA_LIBS=$pkg_cv_CMOCKA_LIBS
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+$as_echo "#define HAVE_CMOCKA 1" >>confdefs.h
+
+				     with_cmocka=yes
+fi ;; #(
+  yes) :
+
+pkg_failed=no
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for cmocka >= 1.1.3" >&5
+$as_echo_n "checking for cmocka >= 1.1.3... " >&6; }
+
+if test -n "$CMOCKA_CFLAGS"; then
+    pkg_cv_CMOCKA_CFLAGS="$CMOCKA_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"cmocka >= 1.1.3\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "cmocka >= 1.1.3") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_CMOCKA_CFLAGS=`$PKG_CONFIG --cflags "cmocka >= 1.1.3" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+if test -n "$CMOCKA_LIBS"; then
+    pkg_cv_CMOCKA_LIBS="$CMOCKA_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"cmocka >= 1.1.3\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "cmocka >= 1.1.3") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_CMOCKA_LIBS=`$PKG_CONFIG --libs "cmocka >= 1.1.3" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi
+        if test $_pkg_short_errors_supported = yes; then
+	        CMOCKA_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "cmocka >= 1.1.3" 2>&1`
+        else
+	        CMOCKA_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "cmocka >= 1.1.3" 2>&1`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$CMOCKA_PKG_ERRORS" >&5
+
+	as_fn_error $? "Package requirements (cmocka >= 1.1.3) were not met:
+
+$CMOCKA_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+Alternatively, you may set the environment variables CMOCKA_CFLAGS
+and CMOCKA_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details." "$LINENO" 5
+elif test $pkg_failed = untried; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+Alternatively, you may set the environment variables CMOCKA_CFLAGS
+and CMOCKA_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details" "$LINENO" 5; }
+else
+	CMOCKA_CFLAGS=$pkg_cv_CMOCKA_CFLAGS
+	CMOCKA_LIBS=$pkg_cv_CMOCKA_LIBS
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+$as_echo "#define HAVE_CMOCKA 1" >>confdefs.h
+
+fi ;; #(
+  *) :
+    as_fn_error $? "Use PKG_CONFIG_PATH to specify path to CMocka library" "$LINENO" 5
+        ;;
+esac
+
+
+
+
+$as_echo "#define SKIPPED_TEST_EXIT_CODE 0" >>confdefs.h
+
+
+#
+# Check for kyua execution engine if CMocka was requested
+# and bail out if execution engine was not found
+#
+
+if test "$with_cmocka" != "no"; then :
+  for ac_prog in kyua
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_KYUA+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $KYUA in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_KYUA="$KYUA" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_KYUA="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+KYUA=$ac_cv_path_KYUA
+if test -n "$KYUA"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $KYUA" >&5
+$as_echo "$KYUA" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+  test -n "$KYUA" && break
+done
+
+       if test -z "$KYUA"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: kyua test execution engine not found" >&5
+$as_echo "$as_me: WARNING: kyua test execution engine not found" >&2;}
+else
+  UNITTESTS=tests
+fi
+fi
+
+
+
+#
+# Check for -Wl,--wrap= support
+#
+
+LD_WRAP_TESTS=false
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for linker support for --wrap option" >&5
+$as_echo_n "checking for linker support for --wrap option... " >&6; }
+
+
+  CCASFLAGS_wrap_ax_save_flags=$CCASFLAGS
+
+
+
+  CFLAGS_wrap_ax_save_flags=$CFLAGS
+
+
+
+  CPPFLAGS_wrap_ax_save_flags=$CPPFLAGS
+
+
+
+  CXXFLAGS_wrap_ax_save_flags=$CXXFLAGS
+
+
+
+  ERLCFLAGS_wrap_ax_save_flags=$ERLCFLAGS
+
+
+
+  FCFLAGS_wrap_ax_save_flags=$FCFLAGS
+
+
+
+  FCLIBS_wrap_ax_save_flags=$FCLIBS
+
+
+
+  FFLAGS_wrap_ax_save_flags=$FFLAGS
+
+
+
+  FLIBS_wrap_ax_save_flags=$FLIBS
+
+
+
+  GCJFLAGS_wrap_ax_save_flags=$GCJFLAGS
+
+
+
+  JAVACFLAGS_wrap_ax_save_flags=$JAVACFLAGS
+
+
+
+  LDFLAGS_wrap_ax_save_flags=$LDFLAGS
+
+
+
+  LIBS_wrap_ax_save_flags=$LIBS
+
+
+
+  OBJCFLAGS_wrap_ax_save_flags=$OBJCFLAGS
+
+
+
+  OBJCXXFLAGS_wrap_ax_save_flags=$OBJCXXFLAGS
+
+
+
+  UPCFLAGS_wrap_ax_save_flags=$UPCFLAGS
+
+
+
+  VALAFLAGS_wrap_ax_save_flags=$VALAFLAGS
+
+
+
+LDFLAGS="-Wl,--wrap,exit"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <stdlib.h>
+		       void __real_exit (int status);
+		       void __wrap_exit (int status) { __real_exit (0); }
+
+int
+main ()
+{
+exit (1);
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  LD_WRAP_TESTS=true
+
+$as_echo "#define LD_WRAP 1" >>confdefs.h
+
+     { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+
+  CCASFLAGS=$CCASFLAGS_wrap_ax_save_flags
+
+
+  CFLAGS=$CFLAGS_wrap_ax_save_flags
+
+
+  CPPFLAGS=$CPPFLAGS_wrap_ax_save_flags
+
+
+  CXXFLAGS=$CXXFLAGS_wrap_ax_save_flags
+
+
+  ERLCFLAGS=$ERLCFLAGS_wrap_ax_save_flags
+
+
+  FCFLAGS=$FCFLAGS_wrap_ax_save_flags
+
+
+  FCLIBS=$FCLIBS_wrap_ax_save_flags
+
+
+  FFLAGS=$FFLAGS_wrap_ax_save_flags
+
+
+  FLIBS=$FLIBS_wrap_ax_save_flags
+
+
+  GCJFLAGS=$GCJFLAGS_wrap_ax_save_flags
+
+
+  JAVACFLAGS=$JAVACFLAGS_wrap_ax_save_flags
+
+
+  LDFLAGS=$LDFLAGS_wrap_ax_save_flags
+
+
+  LIBS=$LIBS_wrap_ax_save_flags
+
+
+  OBJCFLAGS=$OBJCFLAGS_wrap_ax_save_flags
+
+
+  OBJCXXFLAGS=$OBJCXXFLAGS_wrap_ax_save_flags
+
+
+  UPCFLAGS=$UPCFLAGS_wrap_ax_save_flags
+
+
+  VALAFLAGS=$VALAFLAGS_wrap_ax_save_flags
+
+
+
+
+
+
+#
+# Check for i18n
+#
+for ac_header in locale.h
+do :
+  ac_fn_c_check_header_mongrel "$LINENO" "locale.h" "ac_cv_header_locale_h" "$ac_includes_default"
+if test "x$ac_cv_header_locale_h" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_LOCALE_H 1
+_ACEOF
+
+fi
+
+done
+
+for ac_func in setlocale
+do :
+  ac_fn_c_check_func "$LINENO" "setlocale" "ac_cv_func_setlocale"
+if test "x$ac_cv_func_setlocale" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_SETLOCALE 1
+_ACEOF
+
+fi
+done
+
+
+#
+# was --with-tuning specified?
+#
+# [pairwise: --with-tuning=small, --without-tuning]
+
+# Check whether --with-tuning was given.
+if test "${with_tuning+set}" = set; then :
+  withval=$with_tuning;
+else
+  with_tuning=no
+fi
+
+
+case $with_tuning in #(
+  small) :
+    { $as_echo "$as_me:${as_lineno-$LINENO}: using small system tuning" >&5
+$as_echo "$as_me: using small system tuning" >&6;} ;; #(
+  *) :
+
+$as_echo "#define TUNE_LARGE 1" >>confdefs.h
+
+	 { $as_echo "$as_me:${as_lineno-$LINENO}: using default system tuning" >&5
+$as_echo "$as_me: using default system tuning" >&6;} ;;
+esac
+
+#
+# was --enable-querytrace specified?
+#
+# [pairwise: --enable-querytrace, --disable-querytrace]
+# Check whether --enable-querytrace was given.
+if test "${enable_querytrace+set}" = set; then :
+  enableval=$enable_querytrace; want_querytrace="$enableval"
+else
+  want_querytrace="no"
+fi
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to enable query trace logging" >&5
+$as_echo_n "checking whether to enable query trace logging... " >&6; }
+case "$want_querytrace" in
+yes)
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+$as_echo "#define WANT_QUERYTRACE 1" >>confdefs.h
+
+	;;
+no)
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+	;;
+*)
+	as_fn_error $? "\"--enable-querytrace requires yes or no\"" "$LINENO" 5
+	;;
+esac
+
+#
+# Was --disable-auto-validation specified?
+#
+
+validation_default=auto
+
+# [pairwise: --enable-auto-validation, --disable-auto-validation]
+# Check whether --enable-auto-validation was given.
+if test "${enable_auto_validation+set}" = set; then :
+  enableval=$enable_auto_validation; :
+else
+  enable_auto_validation=yes
+fi
+
+if test "$enable_auto_validation" = "no"; then :
+  validation_default=yes
+fi
+
+cat >>confdefs.h <<_ACEOF
+#define VALIDATION_DEFAULT "$validation_default"
+_ACEOF
+
+
+#
+# Substitutions
+#
+
+BIND9_TOP_BUILDDIR=`pwd`
+
+
+
+
+
+
+
+
+if test "X$srcdir" != "X"; then
+	BIND9_ISC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isc/include"
+	BIND9_ISCCC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccc/include"
+	BIND9_ISCCFG_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccfg/include"
+	BIND9_DNS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/dns/include"
+	BIND9_NS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/ns/include"
+	BIND9_BIND9_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/bind9/include"
+	BIND9_IRS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/irs/include"
+else
+	BIND9_ISC_BUILDINCLUDE=""
+	BIND9_ISCCC_BUILDINCLUDE=""
+	BIND9_ISCCFG_BUILDINCLUDE=""
+	BIND9_DNS_BUILDINCLUDE=""
+	BIND9_NS_BUILDINCLUDE=""
+	BIND9_BIND9_BUILDINCLUDE=""
+	BIND9_IRS_BUILDINCLUDE=""
+fi
+
+
+BIND9_MAKE_INCLUDES=$BIND9_TOP_BUILDDIR/make/includes
+
+
+BIND9_MAKE_RULES=$BIND9_TOP_BUILDDIR/make/rules
+
+. "$srcdir/version"
+BIND9_PRODUCT="PRODUCT=\"${PRODUCT}\""
+
+BIND9_DESCRIPTION="DESCRIPTION=\"${DESCRIPTION}\""
+
+BIND9_VERSION="${MAJORVER}.${MINORVER}${PATCHVER:+.}${PATCHVER}${RELEASETYPE}${RELEASEVER}${EXTENSIONS}"
+
+BIND9_MAJOR="MAJOR=${MAJORVER}.${MINORVER}"
+
+BIND9_VERSIONSTRING="${PRODUCT} ${MAJORVER}.${MINORVER}${PATCHVER:+.}${PATCHVER}${RELEASETYPE}${RELEASEVER}${EXTENSIONS}${DESCRIPTION:+ }${DESCRIPTION}"
+
+
+BIND9_SRCID="SRCID=unset_id"
+if test -f "${srcdir}/srcid"; then
+	. "${srcdir}/srcid"
+	BIND9_SRCID="SRCID=$SRCID"
+elif test -d "${srcdir}/.git"; then
+	BIND9_SRCID="SRCID="`(cd "${srcdir}";git rev-parse --short HEAD)`
+fi
+
+
+
+if test -z "$ac_configure_args"; then
+	BIND9_CONFIGARGS="defaults"
+else
+	for a in $ac_configure_args
+	do
+		BIND9_CONFIGARGS="$BIND9_CONFIGARGS $a"
+	done
+fi
+BIND9_CONFIGARGS="`echo $BIND9_CONFIGARGS | sed 's/^ //'`"
+BIND9_CONFIGARGS="CONFIGARGS=${BIND9_CONFIGARGS}"
+
+
+
+LIBDNS_MAPAPI="$srcdir/lib/dns/mapapi"
+
+#
+# Configure any DLZ drivers.
+#
+# If config.dlz.in selects one or more DLZ drivers, it will set
+# CONTRIB_DLZ to a non-empty value, which will be our clue to
+# build DLZ drivers in contrib.
+#
+# This section has to come after the libtool stuff because it needs to
+# know how to name the driver object files.
+#
+
+CONTRIB_DLZ=""
+DLZ_DRIVER_INCLUDES=""
+DLZ_DRIVER_LIBS=""
+DLZ_DRIVER_SRCS=""
+DLZ_DRIVER_OBJS=""
+DLZ_SYSTEM_TEST=""
+DLZ_DRIVER_MYSQL_INCLUDES=""
+DLZ_DRIVER_MYSQL_LIBS=""
+
+#
+# Configure support for building a shared library object
+#
+# Even when libtool is available it can't always be relied upon
+# to build an object that can be dlopen()'ed, but this is necessary
+# for building the dlzexternal system test, so we'll try it the
+# old-fashioned way.
+#
+SO="so"
+SO_CFLAGS=""
+SO_LDFLAGS=""
+SO_LD=""
+SO_TARGETS=""
+SO_STRIP="cat"
+
+# [pairwise: skip]
+
+# Check whether --with-dlopen was given.
+if test "${with_dlopen+set}" = set; then :
+  withval=$with_dlopen;
+else
+  with_dlopen="auto"
+fi
+
+
+
+#
+# If PIC is disabled, dlopen must also be
+#
+if test "$pic_mode" = "no"; then :
+  case $with_dlopen in #(
+  auto) :
+    with_dlopen="no" ;; #(
+  yes) :
+    as_fn_error $? "--with-dlopen requires PIC" "$LINENO" 5 ;; #(
+  *) :
+     ;;
+esac
+fi
+
+case $with_dlopen in #(
+  auto|yes) :
+
+	  # -fsanitize=thread hijacks dlopen and dlclose so use dlsym.
+	  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing dlsym" >&5
+$as_echo_n "checking for library containing dlsym... " >&6; }
+if ${ac_cv_search_dlsym+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_func_search_save_LIBS=$LIBS
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char dlsym ();
+int
+main ()
+{
+return dlsym ();
+  ;
+  return 0;
+}
+_ACEOF
+for ac_lib in '' dl; do
+  if test -z "$ac_lib"; then
+    ac_res="none required"
+  else
+    ac_res=-l$ac_lib
+    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
+  fi
+  if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_search_dlsym=$ac_res
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext
+  if ${ac_cv_search_dlsym+:} false; then :
+  break
+fi
+done
+if ${ac_cv_search_dlsym+:} false; then :
+
+else
+  ac_cv_search_dlsym=no
+fi
+rm conftest.$ac_ext
+LIBS=$ac_func_search_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_dlsym" >&5
+$as_echo "$ac_cv_search_dlsym" >&6; }
+ac_res=$ac_cv_search_dlsym
+if test "$ac_res" != no; then :
+  test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
+
+fi
+
+	  for ac_func in dlopen dlclose dlsym
+do :
+  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+ with_dlopen="yes"
+else
+  with_dlopen="no"
+fi
+done
+
+	 ;; #(
+  *) :
+     ;;
+esac
+
+if test "$with_dlopen" = "yes"; then :
+  case $host in #(
+  *-linux*|*-gnu*) :
+
+		 LDFLAGS="${LDFLAGS} -Wl,--export-dynamic"
+		 SO_CFLAGS="-fPIC"
+		 SO_LDFLAGS=""
+		 if test "$use_libtool" = "yes"; then :
+
+			 SO_LDFLAGS="-Xcompiler -shared"
+			 SO_LD="${CC}"
+
+else
+
+			 SO_LDFLAGS="-shared"
+			 SO_LD="${CC}"
+
+fi
+	        ;; #(
+  *-freebsd*|*-openbsd*|*-netbsd*) :
+
+		 LDFLAGS="${LDFLAGS} -Wl,-E"
+		 SO_CFLAGS="-fpic"
+		 if test "$use_libtool" = "yes"; then :
+
+			 SO_LDFLAGS="-Xcompiler -shared"
+			 SO_LD="${CC}"
+
+else
+
+			 SO_LDFLAGS="-shared"
+			 SO_LD="${CC}"
+
+fi
+	        ;; #(
+  *-darwin*) :
+
+		 SO_CFLAGS="-fPIC"
+                 SO_LD="${CC}"
+		 if test "$use_libtool" = "yes"; then :
+
+			 SO_LDFLAGS="-Xcompiler -dynamiclib -undefined dynamic_lookup"
+
+else
+
+			 SO_LDFLAGS="-dynamiclib -undefined dynamic_lookup"
+
+fi
+	        ;; #(
+  *-solaris*) :
+
+		 SO_CFLAGS="-KPIC"
+		 SO_LDFLAGS="-G -z text"
+		 SO_LD="ld"
+	        ;; #(
+  ia64-hp-hpux*) :
+
+		 SO_CFLAGS="+z"
+	         SO_LDFLAGS="-b"
+		 SO_LD="${CC}"
+	        ;; #(
+  *) :
+
+		 SO_CFLAGS="-fPIC"
+	        ;;
+esac
+       if test "$GCC" = "yes"; then :
+
+	       SO_CFLAGS="-fPIC"
+	       if test -z "$SO_LD"; then :
+  if test "$use_libtool" = "yes"; then :
+
+			      SO_LDFLAGS="-Xcompiler -shared"
+			      SO_LD="${CC}"
+
+else
+
+			      SO_LDFLAGS="-shared"
+			      SO_LD="${CC}"
+
+fi
+
+fi
+
+fi
+       # If we still don't know how to make shared objects, don't make any.
+       if test -n "$SO_LD"; then :
+  SO_TARGETS="\${SO_TARGETS}"
+
+$as_echo "#define ISC_DLZ_DLOPEN 1" >>confdefs.h
+
+
+fi
+
+fi
+
+if test "$with_dlopen" = "no" -a "$enable_native_pkcs11" = "yes"; then :
+  as_fn_error $? "PKCS11 requires dlopen() support" "$LINENO" 5
+fi
+
+CFLAGS="$CFLAGS $SO_CFLAGS"
+
+
+
+
+
+
+
+
+#
+# Response policy rewriting using DNS Response Policy Service (DNSRPS)
+# interface.
+#
+# DNSRPS can be compiled into BIND everywhere with a reasonably
+# modern C compiler.  It is enabled on systems with dlopen() and librpz.so.
+#
+dnsrps_avail=yes
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for librpz __attribute__s" >&5
+$as_echo_n "checking for librpz __attribute__s... " >&6; }
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+       extern void f(char *p __attribute__((unused)), ...)
+       __attribute__((format(printf,1,2))) __attribute__((__noreturn__));
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+
+    librpz_have_attr=yes
+
+$as_echo "#define LIBRPZ_HAVE_ATTR 1" >>confdefs.h
+
+    { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+else
+
+    librpz_have_attr=no
+    { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
+# DNSRPS builds are included in pairwise testing along --enable-native-pkcs11
+# tests above as both of these features require --with-dlopen (see also the
+# relevant comment there).
+#
+# [pairwise: skip]
+# Check whether --enable-dnsrps-dl was given.
+if test "${enable_dnsrps_dl+set}" = set; then :
+  enableval=$enable_dnsrps_dl; enable_librpz_dl="$enableval"
+else
+  enable_librpz_dl="$with_dlopen"
+fi
+
+
+if test "$enable_librpz_dl" = "yes" -a "$with_dlopen" = "no"; then :
+  as_fn_error $? "DNS Response Policy Service delayed link requires dlopen to be enabled" "$LINENO" 5
+fi
+
+# [pairwise: skip]
+
+# Check whether --with-dnsrps-libname was given.
+if test "${with_dnsrps_libname+set}" = set; then :
+  withval=$with_dnsrps_libname; librpz_name="$withval"
+else
+  librpz_name="librpz.so"
+fi
+
+
+# [pairwise: skip]
+
+# Check whether --with-dnsrps-dir was given.
+if test "${with_dnsrps_dir+set}" = set; then :
+  withval=$with_dnsrps_dir; librpz_path="$withval/$librpz_name"
+else
+  librpz_path="$librpz_name"
+fi
+
+
+cat >>confdefs.h <<_ACEOF
+#define DNSRPS_LIBRPZ_PATH "$librpz_path"
+_ACEOF
+
+if test "$enable_librpz_dl" = "yes"; then :
+
+	dnsrps_lib_open=2
+
+else
+
+	dnsrps_lib_open=1
+	# Add librpz.so to linked libraries if we are not using dlopen()
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing librpz_client_create" >&5
+$as_echo_n "checking for library containing librpz_client_create... " >&6; }
+if ${ac_cv_search_librpz_client_create+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_func_search_save_LIBS=$LIBS
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char librpz_client_create ();
+int
+main ()
+{
+return librpz_client_create ();
+  ;
+  return 0;
+}
+_ACEOF
+for ac_lib in '' rpz; do
+  if test -z "$ac_lib"; then
+    ac_res="none required"
+  else
+    ac_res=-l$ac_lib
+    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
+  fi
+  if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_search_librpz_client_create=$ac_res
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext
+  if ${ac_cv_search_librpz_client_create+:} false; then :
+  break
+fi
+done
+if ${ac_cv_search_librpz_client_create+:} false; then :
+
+else
+  ac_cv_search_librpz_client_create=no
+fi
+rm conftest.$ac_ext
+LIBS=$ac_func_search_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_librpz_client_create" >&5
+$as_echo "$ac_cv_search_librpz_client_create" >&6; }
+ac_res=$ac_cv_search_librpz_client_create
+if test "$ac_res" != no; then :
+  test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
+
+else
+  dnsrps_lib_open=0
+		 dnsrps_avail=no
+fi
+
+
+fi
+
+cat >>confdefs.h <<_ACEOF
+#define DNSRPS_LIB_OPEN $dnsrps_lib_open
+_ACEOF
+
+
+# [pairwise: skip]
+# Check whether --enable-dnsrps was given.
+if test "${enable_dnsrps+set}" = set; then :
+  enableval=$enable_dnsrps; enable_dnsrps=$enableval
+else
+  enable_dnsrps=no
+fi
+
+
+if test "$enable_dnsrps" != "no"; then :
+
+	if test "$dnsrps_avail" != "yes"; then :
+  as_fn_error $? "dlopen and librpz.so needed for DNSRPS" "$LINENO" 5
+fi
+	if test "$dnsrps_lib_open" = "0"; then :
+  as_fn_error $? "dlopen and librpz.so needed for DNSRPS" "$LINENO" 5
+fi
+
+$as_echo "#define USE_DNSRPS 1" >>confdefs.h
+
+
+fi
+
+# Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+#
+# Shorthand.  Note quoting: DLZ_DRIVER_DIR expanded in Makefile, not here.
+#
+dlzdir='${DLZ_DRIVER_DIR}'
+
+#
+# Private autoconf macro to simplify configuring drivers:
+#
+#   DLZ_ADD_DRIVER(DEFINE, DRIVER, INCLUDES, LIBS)
+#
+# where:
+#   DEFINE is FOO (to define -DDLZ_FOO)
+#   DRIVER is dlz_foo_driver (sources without the .c)
+#   INCLUDES is any necessary include definitions
+#   LIBS is any necessary library definitions
+#
+
+
+#
+# Check for the various DLZ drivers
+#
+
+#
+# Was --with-dlz-postgres specified?
+#
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for Postgres DLZ driver" >&5
+$as_echo_n "checking for Postgres DLZ driver... " >&6; }
+
+# Check whether --with-dlz_postgres was given.
+if test "${with_dlz_postgres+set}" = set; then :
+  withval=$with_dlz_postgres; use_dlz_postgres="$withval"
+else
+  use_dlz_postgres="no"
+fi
+
+
+if test "$use_dlz_postgres" != "no"
+then
+	if test "$use_dlz_postgres" != "yes"
+        then
+                for ac_prog in pg_config
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_PG_CONFIG+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $PG_CONFIG in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_PG_CONFIG="$PG_CONFIG" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $use_dlz_postgres/bin
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_PG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+PG_CONFIG=$ac_cv_path_PG_CONFIG
+if test -n "$PG_CONFIG"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PG_CONFIG" >&5
+$as_echo "$PG_CONFIG" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+  test -n "$PG_CONFIG" && break
+done
+test -n "$PG_CONFIG" || PG_CONFIG="not found"
+
+	else
+                for ac_prog in pg_config
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_PG_CONFIG+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $PG_CONFIG in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_PG_CONFIG="$PG_CONFIG" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_PG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+PG_CONFIG=$ac_cv_path_PG_CONFIG
+if test -n "$PG_CONFIG"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PG_CONFIG" >&5
+$as_echo "$PG_CONFIG" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+  test -n "$PG_CONFIG" && break
+done
+test -n "$PG_CONFIG" || PG_CONFIG="not found"
+
+	fi
+
+	if test "$PG_CONFIG" != "not found"
+	then
+		use_dlz_postgres=`$PG_CONFIG --includedir`
+		use_dlz_postgres_lib=`$PG_CONFIG --libdir`
+	else
+		pgprefix="$use_dlz_postgres"
+		use_dlz_postgres="$pgprefix/include"
+		use_dlz_postgres_lib="$pgprefix/lib"
+	fi
+fi
+
+if test "$use_dlz_postgres" = "yes/include"
+then
+	# User did not specify path and Postgres didn't say - guess it
+	pgdirs="/usr /usr/local /usr/local/pgsql /usr/pkg"
+	for d in $pgdirs
+	do
+		if test -f $d/include/libpq-fe.h
+		then
+			use_dlz_postgres=$d/include
+			use_dlz_postgres_lib=$d/lib
+			break
+		fi
+	done
+fi
+
+if test "$use_dlz_postgres" = "yes/include"
+then
+	# Still no joy, give up
+
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: not found" >&5
+$as_echo "not found" >&6; }
+	as_fn_error $? "No pg_config and PostgreSQL was not found in any of $pgdirs; use --with-dlz-postgres=/path or put pg_config in your path" "$LINENO" 5
+fi
+
+case "$use_dlz_postgres" in
+	no)
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+		;;
+	*)
+
+	CONTRIB_DLZ="$CONTRIB_DLZ -DDLZ_POSTGRES"
+	for i in dlz_postgres_driver
+	do
+		DLZ_DRIVER_SRCS="$DLZ_DRIVER_SRCS $dlzdir/$i.c"
+		DLZ_DRIVER_OBJS="$DLZ_DRIVER_OBJS $i.$O"
+	done
+	if test -n "-I$use_dlz_postgres"
+	then
+		DLZ_DRIVER_INCLUDES="$DLZ_DRIVER_INCLUDES -I$use_dlz_postgres"
+		DLZ_DRIVER_POSTGRES_INCLUDES="-I$use_dlz_postgres"
+	fi
+	if test -n "-L$use_dlz_postgres_lib -lpq"
+	then
+		DLZ_DRIVER_LIBS="$DLZ_DRIVER_LIBS -L$use_dlz_postgres_lib -lpq"
+		DLZ_DRIVER_POSTGRES_LIBS="-L$use_dlz_postgres_lib -lpq"
+	fi
+
+
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: using PostgreSQL from $use_dlz_postgres_lib and $use_dlz_postgres" >&5
+$as_echo "using PostgreSQL from $use_dlz_postgres_lib and $use_dlz_postgres" >&6; }
+		;;
+esac
+
+
+#
+# Was --with-dlz-mysql specified?
+#
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for MySQL DLZ driver" >&5
+$as_echo_n "checking for MySQL DLZ driver... " >&6; }
+
+# Check whether --with-dlz_mysql was given.
+if test "${with_dlz_mysql+set}" = set; then :
+  withval=$with_dlz_mysql; use_dlz_mysql="$withval"
+else
+  use_dlz_mysql="no"
+fi
+
+
+mysql_include=""
+mysql_lib=""
+if test "$use_dlz_mysql" = "yes"
+then
+	for ac_prog in mysql_config
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_MYSQL_CONFIG+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$MYSQL_CONFIG"; then
+  ac_cv_prog_MYSQL_CONFIG="$MYSQL_CONFIG" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_MYSQL_CONFIG="$ac_prog"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+MYSQL_CONFIG=$ac_cv_prog_MYSQL_CONFIG
+if test -n "$MYSQL_CONFIG"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $MYSQL_CONFIG" >&5
+$as_echo "$MYSQL_CONFIG" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+  test -n "$MYSQL_CONFIG" && break
+done
+
+	if test -n "$MYSQL_CONFIG"
+	then
+		mysql_include=`${MYSQL_CONFIG} --include`
+		mysql_lib=`${MYSQL_CONFIG} --libs`
+		use_dlz_mysql="config"
+
+	else
+		# User did not specify a path - guess it
+		mysqldirs="/usr /usr/local /usr/local/mysql /usr/pkg"
+		for d in $mysqldirs
+		do
+			if test -f $d/include/mysql/mysql.h
+			then
+				use_dlz_mysql=$d
+				mysql_include=$d/include/mysql
+				break
+			elif test -f $d/include/mysql.h
+			then
+				use_dlz_mysql=$d
+				mysql_include=$d/include
+				break
+			fi
+		done
+	fi
+elif test "$use_dlz_mysql" != "no"
+then
+	d=$use_dlz_mysql
+	if test -f $d/include/mysql/mysql.h
+	then
+		mysql_include=$d/include/mysql
+	elif test -f $d/include/mysql.h
+	then
+		mysql_include=$d/include
+	fi
+fi
+
+if test "$use_dlz_mysql" = "yes"
+then
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: not found" >&5
+$as_echo "not found" >&6; }
+	as_fn_error $? "MySQL was not found in any of $mysqldirs; use --with-dlz-mysql=/path" "$LINENO" 5
+fi
+
+case "$use_dlz_mysql" in
+	no)
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+		;;
+	config)
+
+	CONTRIB_DLZ="$CONTRIB_DLZ -DDLZ_MYSQL"
+	for i in dlz_mysql_driver
+	do
+		DLZ_DRIVER_SRCS="$DLZ_DRIVER_SRCS $dlzdir/$i.c"
+		DLZ_DRIVER_OBJS="$DLZ_DRIVER_OBJS $i.$O"
+	done
+	if test -n "${mysql_include}"
+	then
+		DLZ_DRIVER_INCLUDES="$DLZ_DRIVER_INCLUDES ${mysql_include}"
+		DLZ_DRIVER_MYSQL_INCLUDES="${mysql_include}"
+	fi
+	if test -n "${mysql_lib}"
+	then
+		DLZ_DRIVER_LIBS="$DLZ_DRIVER_LIBS ${mysql_lib}"
+		DLZ_DRIVER_MYSQL_LIBS="${mysql_lib}"
+	fi
+
+
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: using mysql with libs ${mysql_lib} and includes ${mysql_include}" >&5
+$as_echo "using mysql with libs ${mysql_lib} and includes ${mysql_include}" >&6; }
+		;;
+	*)
+		if test -d "$use_dlz_mysql/lib/mysql"
+		then
+			mysql_lib="$use_dlz_mysql/lib/mysql"
+		else
+			mysql_lib="$use_dlz_mysql/lib"
+		fi
+
+	CONTRIB_DLZ="$CONTRIB_DLZ -DDLZ_MYSQL"
+	for i in dlz_mysql_driver
+	do
+		DLZ_DRIVER_SRCS="$DLZ_DRIVER_SRCS $dlzdir/$i.c"
+		DLZ_DRIVER_OBJS="$DLZ_DRIVER_OBJS $i.$O"
+	done
+	if test -n "-I${mysql_include}"
+	then
+		DLZ_DRIVER_INCLUDES="$DLZ_DRIVER_INCLUDES -I${mysql_include}"
+		DLZ_DRIVER_MYSQL_INCLUDES="-I${mysql_include}"
+	fi
+	if test -n "-L${mysql_lib} -lmysqlclient -lz -lcrypt -lm"
+	then
+		DLZ_DRIVER_LIBS="$DLZ_DRIVER_LIBS -L${mysql_lib} -lmysqlclient -lz -lcrypt -lm"
+		DLZ_DRIVER_MYSQL_LIBS="-L${mysql_lib} -lmysqlclient -lz -lcrypt -lm"
+	fi
+
+
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: using mysql from ${mysql_lib} and ${mysql_include}" >&5
+$as_echo "using mysql from ${mysql_lib} and ${mysql_include}" >&6; }
+		;;
+esac
+
+
+#
+# Was --with-dlz-bdb specified?
+#
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for Berkeley DB DLZ driver..." >&5
+$as_echo_n "checking for Berkeley DB DLZ driver...... " >&6; }
+
+# Check whether --with-dlz_bdb was given.
+if test "${with_dlz_bdb+set}" = set; then :
+  withval=$with_dlz_bdb; use_dlz_bdb="$withval"
+else
+  use_dlz_bdb="no"
+fi
+
+
+case "$use_dlz_bdb" in
+	no)
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+		;;
+	*)
+		if test "$use_dlz_bdb" = "yes"
+		then
+			# User did not specify a path - guess directories
+			bdbdirs="/usr/local /usr/pkg /usr"
+		elif test -d "$use_dlz_bdb"
+		then
+			# User specified directory and it exists
+			bdbdirs="$use_dlz_bdb"
+		else
+			{ $as_echo "$as_me:${as_lineno-$LINENO}: result: not found" >&5
+$as_echo "not found" >&6; }
+			as_fn_error $? "path $use_dlz_bdb does not exist" "$LINENO" 5
+			bdbdirs=""
+		fi
+
+		# Use path we were given or guessed.  This is insanely
+		# complicated because we have to search for a bunch of
+		# platform-specific variations and have to check
+		# separately for include and library directories.
+
+		# Set both to yes, so we can check them later
+		dlz_bdb_inc="yes"
+		dlz_bdb_libs="yes"
+
+                { $as_echo "$as_me:${as_lineno-$LINENO}: result: " >&5
+$as_echo "" >&6; }
+		for dd in $bdbdirs
+		do
+			# Skip nonexistent directories
+			if test ! -d "$dd"
+			then
+				continue
+			fi
+
+			# Check other locations for includes.
+			# Order is important (sigh).
+
+			bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /db"
+			# include a blank element first
+			for d in "" $bdb_incdirs
+			do
+				if test -f "$dd/include${d}/db.h"
+				then
+					dlz_bdb_inc="-I$dd/include${d}"
+					break
+				fi
+			done
+
+			# Give up on this directory if we couldn't
+			# find the include subdir
+
+			if test "$dlz_bdb_inc" = "yes"
+			then
+				continue
+			fi
+
+			# Look for libname other than libdb.so.
+			# Order is important (sigh).
+
+			bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db"
+			for d in $bdb_libnames
+			do
+				if test "$dd" = "/usr"
+				then
+					as_ac_Lib=`$as_echo "ac_cv_lib_$d''_db_create" | $as_tr_sh`
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for db_create in -l$d" >&5
+$as_echo_n "checking for db_create in -l$d... " >&6; }
+if eval \${$as_ac_Lib+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-l$d  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char db_create ();
+int
+main ()
+{
+return db_create ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  eval "$as_ac_Lib=yes"
+else
+  eval "$as_ac_Lib=no"
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+eval ac_res=\$$as_ac_Lib
+	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+if eval test \"x\$"$as_ac_Lib"\" = x"yes"; then :
+  dlz_bdb_libs="-l${d}"
+fi
+
+					if test $dlz_bdb_libs != "yes"
+					then
+						break
+					fi
+				elif test -f "$dd/lib/lib${d}.so"
+				then
+					dlz_bdb_libs="-L${dd}/lib -l${d}"
+					break
+				fi
+			done
+
+			# If we found both incdir and lib, we're done
+			if test "$dlz_bdb_libs" != "yes"
+			then
+				break
+			fi
+
+			# Otherwise, we're starting over
+
+			dlz_bdb_inc="yes"
+			dlz_bdb_libs="yes"
+		done
+
+		# Done searching, now make sure we got everything.
+
+		if test "$dlz_bdb_inc" = "yes"
+		then
+			as_fn_error $? "could not find Berkeley DB include directory" "$LINENO" 5
+		fi
+
+		if test "$dlz_bdb_libs" = "yes"
+		then
+			{ $as_echo "$as_me:${as_lineno-$LINENO}: result: not found" >&5
+$as_echo "not found" >&6; }
+			as_fn_error $? "could not find Berkeley DB library" "$LINENO" 5
+		fi
+
+
+	CONTRIB_DLZ="$CONTRIB_DLZ -DDLZ_BDB"
+	for i in dlz_bdb_driver dlz_bdbhpt_driver
+	do
+		DLZ_DRIVER_SRCS="$DLZ_DRIVER_SRCS $dlzdir/$i.c"
+		DLZ_DRIVER_OBJS="$DLZ_DRIVER_OBJS $i.$O"
+	done
+	if test -n "$dlz_bdb_inc"
+	then
+		DLZ_DRIVER_INCLUDES="$DLZ_DRIVER_INCLUDES $dlz_bdb_inc"
+		DLZ_DRIVER_BDB_INCLUDES="$dlz_bdb_inc"
+	fi
+	if test -n "$dlz_bdb_libs"
+	then
+		DLZ_DRIVER_LIBS="$DLZ_DRIVER_LIBS $dlz_bdb_libs"
+		DLZ_DRIVER_BDB_LIBS="$dlz_bdb_libs"
+	fi
+
+
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: using Berkeley DB: $dlz_bdb_inc $dlz_bdb_libs" >&5
+$as_echo "using Berkeley DB: $dlz_bdb_inc $dlz_bdb_libs" >&6; }
+
+		ac_config_files="$ac_config_files contrib/dlz/bin/dlzbdb/Makefile"
+
+		;;
+esac
+
+
+#
+# Was --with-dlz-filesystem specified?
+#
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for file system DLZ driver" >&5
+$as_echo_n "checking for file system DLZ driver... " >&6; }
+
+# Check whether --with-dlz_filesystem was given.
+if test "${with_dlz_filesystem+set}" = set; then :
+  withval=$with_dlz_filesystem; use_dlz_filesystem="$withval"
+else
+  use_dlz_filesystem="no"
+fi
+
+
+case "$use_dlz_filesystem" in
+	no)
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+		;;
+	*)
+
+	CONTRIB_DLZ="$CONTRIB_DLZ -DDLZ_FILESYSTEM"
+	for i in dlz_filesystem_driver
+	do
+		DLZ_DRIVER_SRCS="$DLZ_DRIVER_SRCS $dlzdir/$i.c"
+		DLZ_DRIVER_OBJS="$DLZ_DRIVER_OBJS $i.$O"
+	done
+	if test -n ""
+	then
+		DLZ_DRIVER_INCLUDES="$DLZ_DRIVER_INCLUDES "
+		DLZ_DRIVER_FILESYSTEM_INCLUDES=""
+	fi
+	if test -n ""
+	then
+		DLZ_DRIVER_LIBS="$DLZ_DRIVER_LIBS "
+		DLZ_DRIVER_FILESYSTEM_LIBS=""
+	fi
+
+		DLZ_SYSTEM_TEST=filesystem
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+		;;
+esac
+
+
+#
+# Was --with-dlz-ldap specified?
+#
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for LDAP DLZ driver" >&5
+$as_echo_n "checking for LDAP DLZ driver... " >&6; }
+
+# Check whether --with-dlz_ldap was given.
+if test "${with_dlz_ldap+set}" = set; then :
+  withval=$with_dlz_ldap; use_dlz_ldap="$withval"
+else
+  use_dlz_ldap="no"
+fi
+
+
+if test "$use_dlz_ldap" = "yes"
+then
+	# User did not specify a path - guess it
+	ldapdirs="/usr /usr/local /usr/pkg"
+	for d in $ldapdirs
+	do
+		if test -f $d/include/ldap.h
+		then
+			use_dlz_ldap=$d
+			break
+		fi
+	done
+fi
+
+if test "$use_dlz_ldap" = "yes"
+then
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: not found" >&5
+$as_echo "not found" >&6; }
+	as_fn_error $? "LDAP headers were not found in any of $ldapdirs; use --with-dlz-ldap=/path" "$LINENO" 5
+fi
+
+case "$use_dlz_ldap" in
+	no)
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+		;;
+	*)
+
+	CONTRIB_DLZ="$CONTRIB_DLZ -DDLZ_LDAP"
+	for i in dlz_ldap_driver
+	do
+		DLZ_DRIVER_SRCS="$DLZ_DRIVER_SRCS $dlzdir/$i.c"
+		DLZ_DRIVER_OBJS="$DLZ_DRIVER_OBJS $i.$O"
+	done
+	if test -n "-I$use_dlz_ldap/include"
+	then
+		DLZ_DRIVER_INCLUDES="$DLZ_DRIVER_INCLUDES -I$use_dlz_ldap/include"
+		DLZ_DRIVER_LDAP_INCLUDES="-I$use_dlz_ldap/include"
+	fi
+	if test -n "-L$use_dlz_ldap/lib -lldap -llber"
+	then
+		DLZ_DRIVER_LIBS="$DLZ_DRIVER_LIBS -L$use_dlz_ldap/lib -lldap -llber"
+		DLZ_DRIVER_LDAP_LIBS="-L$use_dlz_ldap/lib -lldap -llber"
+	fi
+
+
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: using LDAP from $use_dlz_ldap/lib and $use_dlz_ldap/include" >&5
+$as_echo "using LDAP from $use_dlz_ldap/lib and $use_dlz_ldap/include" >&6; }
+		;;
+esac
+
+
+#
+# Was --with-dlz-odbc specified?
+#
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ODBC DLZ driver" >&5
+$as_echo_n "checking for ODBC DLZ driver... " >&6; }
+
+# Check whether --with-dlz_odbc was given.
+if test "${with_dlz_odbc+set}" = set; then :
+  withval=$with_dlz_odbc; use_dlz_odbc="$withval"
+else
+  use_dlz_odbc="no"
+fi
+
+
+if test "$use_dlz_odbc" = "yes"
+then
+	# User did not specify a path - guess it
+	libodbc_found=no
+	sql_h_found=no
+	ac_fn_c_check_header_mongrel "$LINENO" "sql.h" "ac_cv_header_sql_h" "$ac_includes_default"
+if test "x$ac_cv_header_sql_h" = xyes; then :
+  sql_h_found=yes
+fi
+
+
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SQLConnect in -lodbc" >&5
+$as_echo_n "checking for SQLConnect in -lodbc... " >&6; }
+if ${ac_cv_lib_odbc_SQLConnect+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lodbc  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char SQLConnect ();
+int
+main ()
+{
+return SQLConnect ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_odbc_SQLConnect=yes
+else
+  ac_cv_lib_odbc_SQLConnect=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_odbc_SQLConnect" >&5
+$as_echo "$ac_cv_lib_odbc_SQLConnect" >&6; }
+if test "x$ac_cv_lib_odbc_SQLConnect" = xyes; then :
+  libodbc_found=yes
+fi
+
+
+	if test $libodbc_found = "yes" -o $sql_h_found = "yes"
+	then
+		use_dlz_odbc=system
+		dlz_odbc_include=""
+		dlz_odbc_libs="-lodbc"
+	else
+		odbcdirs="/usr /usr/local /usr/pkg"
+		for d in $odbcdirs
+		do
+			if test -f $d/include/sql.h -a -f $d/lib/libodbc.a
+			then
+				use_dlz_odbc=$d
+				dlz_odbc_include="-I$use_dlz_odbc/include"
+				dlz_odbc_libs="-L$use_dlz_odbc/lib -lodbc"
+				break
+			fi
+		done
+	fi
+fi
+
+case "$use_dlz_odbc" in
+	no)
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+		;;
+	yes)
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: not found" >&5
+$as_echo "not found" >&6; }
+		as_fn_error $? "ODBC headers were not found in any of $odbcdirs; use --with-dlz-odbc=/path" "$LINENO" 5
+		;;
+	*)
+
+	CONTRIB_DLZ="$CONTRIB_DLZ -DDLZ_ODBC"
+	for i in dlz_odbc_driver
+	do
+		DLZ_DRIVER_SRCS="$DLZ_DRIVER_SRCS $dlzdir/$i.c"
+		DLZ_DRIVER_OBJS="$DLZ_DRIVER_OBJS $i.$O"
+	done
+	if test -n "$dlz_odbc_include"
+	then
+		DLZ_DRIVER_INCLUDES="$DLZ_DRIVER_INCLUDES $dlz_odbc_include"
+		DLZ_DRIVER_ODBC_INCLUDES="$dlz_odbc_include"
+	fi
+	if test -n "$dlz_odbc_libs"
+	then
+		DLZ_DRIVER_LIBS="$DLZ_DRIVER_LIBS $dlz_odbc_libs"
+		DLZ_DRIVER_ODBC_LIBS="$dlz_odbc_libs"
+	fi
+
+
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: using ODBC from $use_dlz_odbc" >&5
+$as_echo "using ODBC from $use_dlz_odbc" >&6; }
+		;;
+esac
+
+
+#
+# Was --with-dlz-stub specified?
+#
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for stub DLZ driver" >&5
+$as_echo_n "checking for stub DLZ driver... " >&6; }
+
+# Check whether --with-dlz_stub was given.
+if test "${with_dlz_stub+set}" = set; then :
+  withval=$with_dlz_stub; use_dlz_stub="$withval"
+else
+  use_dlz_stub="no"
+fi
+
+
+case "$use_dlz_stub" in
+	no)
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+		;;
+	*)
+
+
+	CONTRIB_DLZ="$CONTRIB_DLZ -DDLZ_STUB"
+	for i in dlz_stub_driver
+	do
+		DLZ_DRIVER_SRCS="$DLZ_DRIVER_SRCS $dlzdir/$i.c"
+		DLZ_DRIVER_OBJS="$DLZ_DRIVER_OBJS $i.$O"
+	done
+	if test -n ""
+	then
+		DLZ_DRIVER_INCLUDES="$DLZ_DRIVER_INCLUDES "
+		DLZ_DRIVER_STUB_INCLUDES=""
+	fi
+	if test -n ""
+	then
+		DLZ_DRIVER_LIBS="$DLZ_DRIVER_LIBS "
+		DLZ_DRIVER_STUB_LIBS=""
+	fi
+
+
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+		;;
+esac
+
+# Add any additional DLZ drivers here.
+
+#
+# Finally, some generic stuff that applies to all drivers, assuming
+# we're compiling contrib DLZ drivers at all.
+#
+if test -n "$CONTRIB_DLZ"
+then
+	CONTRIB_DLZ="-DCONTRIB_DLZ $CONTRIB_DLZ"
+
+	#
+	# Where to find DLZ driver header files.
+	#
+	DLZ_DRIVER_INCLUDES="-I$dlzdir/include $DLZ_DRIVER_INCLUDES"
+
+	#
+	# Initialization and shutdown wrappers, helper functions.
+	#
+	DLZ_DRIVER_SRCS="$dlzdir/dlz_drivers.c $dlzdir/sdlz_helper.c $DLZ_DRIVER_SRCS"
+	DLZ_DRIVER_OBJS="dlz_drivers.$O sdlz_helper.$O $DLZ_DRIVER_OBJS"
+fi
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking contributed DLZ drivers" >&5
+$as_echo_n "checking contributed DLZ drivers... " >&6; }
+
+#
+# Support for constructor and destructor attributes
+#
+
+
+
+    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for __attribute__((constructor))" >&5
+$as_echo_n "checking for __attribute__((constructor))... " >&6; }
+if ${ax_cv_have_func_attribute_constructor+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+
+        cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+
+                    int foo( void ) __attribute__((constructor));
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+                                      if test -s conftest.err; then :
+  ax_cv_have_func_attribute_constructor=no
+else
+  ax_cv_have_func_attribute_constructor=yes
+fi
+else
+  ax_cv_have_func_attribute_constructor=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_have_func_attribute_constructor" >&5
+$as_echo "$ax_cv_have_func_attribute_constructor" >&6; }
+
+    if test yes = $ax_cv_have_func_attribute_constructor; then :
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_FUNC_ATTRIBUTE_CONSTRUCTOR 1
+_ACEOF
+
+fi
+
+
+
+
+
+
+    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for __attribute__((destructor))" >&5
+$as_echo_n "checking for __attribute__((destructor))... " >&6; }
+if ${ax_cv_have_func_attribute_destructor+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+
+        cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+
+                    int foo( void ) __attribute__((destructor));
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+                                      if test -s conftest.err; then :
+  ax_cv_have_func_attribute_destructor=no
+else
+  ax_cv_have_func_attribute_destructor=yes
+fi
+else
+  ax_cv_have_func_attribute_destructor=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_have_func_attribute_destructor" >&5
+$as_echo "$ax_cv_have_func_attribute_destructor" >&6; }
+
+    if test yes = $ax_cv_have_func_attribute_destructor; then :
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_FUNC_ATTRIBUTE_DESTRUCTOR 1
+_ACEOF
+
+fi
+
+
+
+
+if test -n "$CONTRIB_DLZ"
+then
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+	DLZ_DRIVER_RULES=contrib/dlz/drivers/rules
+	ac_config_files="$ac_config_files $DLZ_DRIVER_RULES contrib/dlz/modules/mysql/Makefile contrib/dlz/modules/mysqldyn/Makefile"
+
+else
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+	DLZ_DRIVER_RULES=/dev/null
+fi
+
+
+
+
+
+
+
+
+
+
+
+if test "yes" = "$cross_compiling"; then
+	if test -z "$BUILD_CC"; then
+		as_fn_error $? "BUILD_CC not set" "$LINENO" 5
+	fi
+	BUILD_CFLAGS="$BUILD_CFLAGS"
+	BUILD_CPPFLAGS="$BUILD_CPPFLAGS"
+	BUILD_LDFLAGS="$BUILD_LDFLAGS"
+	BUILD_LIBS="$BUILD_LIBS"
+else
+	BUILD_CC="$CC"
+	BUILD_CFLAGS="$CFLAGS"
+	BUILD_CPPFLAGS="$CPPFLAGS $GEN_NEED_OPTARG"
+	BUILD_LDFLAGS="$LDFLAGS"
+	BUILD_LIBS="$LIBS"
+fi
+
+NEWFLAGS=""
+for e in $BUILD_LDFLAGS ; do
+    case $e in
+	-L*)
+	    case $host_os in
+		netbsd*)
+		    ee=`echo $e | sed -e 's%^-L%-Wl,-rpath,%'`
+		    NEWFLAGS="$NEWFLAGS $e $ee"
+		    ;;
+		freebsd*)
+		    ee=`echo $e | sed -e 's%^-L%-Wl,-rpath,%'`
+		    NEWFLAGS="$NEWFLAGS $e $ee"
+		    ;;
+		solaris*)
+		    ee=`echo $e | sed -e 's%^-L%-R%'`
+		    NEWFLAGS="$NEWFLAGS $e $ee"
+		    ;;
+		*)
+		    NEWFLAGS="$NEWFLAGS $e"
+		    ;;
+		esac
+	    ;;
+	*)
+	    NEWFLAGS="$NEWFLAGS $e"
+	    ;;
+    esac
+done
+BUILD_LDFLAGS="$NEWFLAGS"
+
+NEWFLAGS=""
+for e in $DNS_GSSAPI_LIBS ; do
+    case $e in
+	-L*)
+	    case $host_os in
+		netbsd*)
+		    ee=`echo $e | sed -e 's%^-L%-Wl,-rpath,%'`
+		    NEWFLAGS="$NEWFLAGS $e $ee"
+		    ;;
+		freebsd*)
+		    ee=`echo $e | sed -e 's%^-L%-Wl,-rpath,%'`
+		    NEWFLAGS="$NEWFLAGS $e $ee"
+		    ;;
+		solaris*)
+		    ee=`echo $e | sed -e 's%^-L%-R%'`
+		    NEWFLAGS="$NEWFLAGS $e $ee"
+		    ;;
+		*)
+		    NEWFLAGS="$NEWFLAGS $e"
+		    ;;
+		esac
+	    ;;
+	*)
+	    NEWFLAGS="$NEWFLAGS $e"
+	    ;;
+    esac
+done
+DNS_GSSAPI_LIBS="$NEWFLAGS"
+
+NEWFLAGS=""
+for e in $ISC_OPENSSL_LIBS ; do
+    case $e in
+	-L*)
+	    case $host_os in
+		netbsd*)
+		    ee=`echo $e | sed -e 's%^-L%-Wl,-rpath,%'`
+		    NEWFLAGS="$NEWFLAGS $e $ee"
+		    ;;
+		freebsd*)
+		    ee=`echo $e | sed -e 's%^-L%-Wl,-rpath,%'`
+		    NEWFLAGS="$NEWFLAGS $e $ee"
+		    ;;
+		solaris*)
+		    ee=`echo $e | sed -e 's%^-L%-R%'`
+		    NEWFLAGS="$NEWFLAGS $e $ee"
+		    ;;
+		*)
+		    NEWFLAGS="$NEWFLAGS $e"
+		    ;;
+		esac
+	    ;;
+	*)
+	    NEWFLAGS="$NEWFLAGS $e"
+	    ;;
+    esac
+done
+ISC_OPENSSL_LIBS="$NEWFLAGS"
+
+NEWFLAGS=""
+for e in $DNS_CRYPTO_LIBS ; do
+    case $e in
+	-L*)
+	    case $host_os in
+		netbsd*)
+		    ee=`echo $e | sed -e 's%^-L%-Wl,-rpath,%'`
+		    NEWFLAGS="$NEWFLAGS $e $ee"
+		    ;;
+		freebsd*)
+		    ee=`echo $e | sed -e 's%^-L%-Wl,-rpath,%'`
+		    NEWFLAGS="$NEWFLAGS $e $ee"
+		    ;;
+		solaris*)
+		    ee=`echo $e | sed -e 's%^-L%-R%'`
+		    NEWFLAGS="$NEWFLAGS $e $ee"
+		    ;;
+		*)
+		    NEWFLAGS="$NEWFLAGS $e"
+		    ;;
+		esac
+	    ;;
+	*)
+	    NEWFLAGS="$NEWFLAGS $e"
+	    ;;
+    esac
+done
+DNS_CRYPTO_LIBS="$NEWFLAGS"
+
+
+
+
+
+
+
+#
+# Commands to run at the end of config.status.
+# Don't just put these into configure, it won't work right if somebody
+# runs config.status directly (which autoconf allows).
+#
+
+ac_config_commands="$ac_config_commands chmod"
+
+
+#
+# Files to configure.  These are listed here because we used to
+# specify them as arguments to AC_OUTPUT.  It's (now) ok to move these
+# elsewhere if there's a good reason for doing so.
+#
+
+ac_config_files="$ac_config_files Makefile bin/Makefile bin/check/Makefile bin/confgen/Makefile bin/confgen/unix/Makefile bin/delv/Makefile bin/dig/Makefile bin/dnssec/Makefile bin/named/Makefile bin/named/unix/Makefile bin/nsupdate/Makefile bin/pkcs11/Makefile bin/plugins/Makefile bin/python/Makefile bin/python/dnssec-checkds.py bin/python/dnssec-coverage.py bin/python/dnssec-keymgr.py bin/python/isc/Makefile bin/python/isc/__init__.py bin/python/isc/checkds.py bin/python/isc/coverage.py bin/python/isc/dnskey.py bin/python/isc/eventlist.py bin/python/isc/keydict.py bin/python/isc/keyevent.py bin/python/isc/keymgr.py bin/python/isc/keyseries.py bin/python/isc/keyzone.py bin/python/isc/policy.py bin/python/isc/rndc.py bin/python/isc/tests/Makefile bin/python/isc/tests/dnskey_test.py bin/python/isc/tests/policy_test.py bin/python/isc/utils.py bin/rndc/Makefile bin/tests/Makefile bin/tests/headerdep_test.sh bin/tests/optional/Makefile bin/tests/pkcs11/Makefile bin/tests/pkcs11/benchmarks/Makefile bin/tests/system/Makefile bin/tests/system/conf.sh bin/tests/system/dlzexternal/Makefile bin/tests/system/dlzexternal/ns1/dlzs.conf bin/tests/system/dyndb/Makefile bin/tests/system/dyndb/driver/Makefile bin/tests/system/pipelined/Makefile bin/tests/system/rndc/Makefile bin/tests/system/rpz/Makefile bin/tests/system/rsabigexponent/Makefile bin/tests/system/tkey/Makefile bin/tools/Makefile contrib/scripts/check-secure-delegation.pl contrib/scripts/zone-edit.sh doc/Makefile doc/arm/Makefile doc/doxygen/Doxyfile doc/doxygen/Makefile doc/doxygen/doxygen-input-filter doc/man/Makefile doc/misc/Makefile fuzz/Makefile lib/Makefile lib/bind9/Makefile lib/bind9/include/Makefile lib/bind9/include/bind9/Makefile lib/dns/Makefile lib/dns/include/Makefile lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/dns/tests/Makefile lib/irs/Makefile lib/irs/include/Makefile lib/irs/include/irs/Makefile lib/irs/include/irs/netdb.h lib/irs/include/irs/platform.h lib/irs/tests/Makefile lib/isc/Makefile lib/isc/include/Makefile lib/isc/include/isc/Makefile lib/isc/include/isc/platform.h lib/isc/include/pk11/Makefile lib/isc/include/pkcs11/Makefile lib/isc/netmgr/Makefile lib/isc/pthreads/Makefile lib/isc/pthreads/include/Makefile lib/isc/pthreads/include/isc/Makefile lib/isc/tests/Makefile lib/isc/unix/Makefile lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isccc/Makefile lib/isccc/include/Makefile lib/isccc/include/isccc/Makefile lib/isccc/tests/Makefile lib/isccfg/Makefile lib/isccfg/include/Makefile lib/isccfg/include/isccfg/Makefile lib/isccfg/tests/Makefile lib/ns/Makefile lib/ns/include/Makefile lib/ns/include/ns/Makefile lib/ns/tests/Makefile make/Makefile make/mkdep unit/unittest.sh util/check-make-install"
+
+
+#
+# Do it
+#
+
+cat >confcache <<\_ACEOF
+# This file is a shell script that caches the results of configure
+# tests run on this system so they can be shared between configure
+# scripts and configure runs, see configure's option --config-cache.
+# It is not useful on other systems.  If it contains results you don't
+# want to keep, you may remove or edit it.
+#
+# config.status only pays attention to the cache file if you give it
+# the --recheck option to rerun configure.
+#
+# `ac_cv_env_foo' variables (set or unset) will be overridden when
+# loading this file, other *unset* `ac_cv_foo' will be assigned the
+# following values.
+
+_ACEOF
+
+# The following way of writing the cache mishandles newlines in values,
+# but we know of no workaround that is simple, portable, and efficient.
+# So, we kill variables containing newlines.
+# Ultrix sh set writes to stderr and can't be redirected directly,
+# and sets the high bit in the cache file unless we assign to the vars.
+(
+  for ac_var in `(set) 2>&1 | sed -n 's/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'`; do
+    eval ac_val=\$$ac_var
+    case $ac_val in #(
+    *${as_nl}*)
+      case $ac_var in #(
+      *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5
+$as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;;
+      esac
+      case $ac_var in #(
+      _ | IFS | as_nl) ;; #(
+      BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #(
+      *) { eval $ac_var=; unset $ac_var;} ;;
+      esac ;;
+    esac
+  done
+
+  (set) 2>&1 |
+    case $as_nl`(ac_space=' '; set) 2>&1` in #(
+    *${as_nl}ac_space=\ *)
+      # `set' does not quote correctly, so add quotes: double-quote
+      # substitution turns \\\\ into \\, and sed turns \\ into \.
+      sed -n \
+	"s/'/'\\\\''/g;
+	  s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p"
+      ;; #(
+    *)
+      # `set' quotes correctly as required by POSIX, so do not add quotes.
+      sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p"
+      ;;
+    esac |
+    sort
+) |
+  sed '
+     /^ac_cv_env_/b end
+     t clear
+     :clear
+     s/^\([^=]*\)=\(.*[{}].*\)$/test "${\1+set}" = set || &/
+     t end
+     s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/
+     :end' >>confcache
+if diff "$cache_file" confcache >/dev/null 2>&1; then :; else
+  if test -w "$cache_file"; then
+    if test "x$cache_file" != "x/dev/null"; then
+      { $as_echo "$as_me:${as_lineno-$LINENO}: updating cache $cache_file" >&5
+$as_echo "$as_me: updating cache $cache_file" >&6;}
+      if test ! -f "$cache_file" || test -h "$cache_file"; then
+	cat confcache >"$cache_file"
+      else
+        case $cache_file in #(
+        */* | ?:*)
+	  mv -f confcache "$cache_file"$$ &&
+	  mv -f "$cache_file"$$ "$cache_file" ;; #(
+        *)
+	  mv -f confcache "$cache_file" ;;
+	esac
+      fi
+    fi
+  else
+    { $as_echo "$as_me:${as_lineno-$LINENO}: not updating unwritable cache $cache_file" >&5
+$as_echo "$as_me: not updating unwritable cache $cache_file" >&6;}
+  fi
+fi
+rm -f confcache
+
+test "x$prefix" = xNONE && prefix=$ac_default_prefix
+# Let make expand exec_prefix.
+test "x$exec_prefix" = xNONE && exec_prefix='${prefix}'
+
+DEFS=-DHAVE_CONFIG_H
+
+ac_libobjs=
+ac_ltlibobjs=
+U=
+for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue
+  # 1. Remove the extension, and $U if already installed.
+  ac_script='s/\$U\././;s/\.o$//;s/\.obj$//'
+  ac_i=`$as_echo "$ac_i" | sed "$ac_script"`
+  # 2. Prepend LIBOBJDIR.  When used with automake>=1.10 LIBOBJDIR
+  #    will be set to the directory where LIBOBJS objects are built.
+  as_fn_append ac_libobjs " \${LIBOBJDIR}$ac_i\$U.$ac_objext"
+  as_fn_append ac_ltlibobjs " \${LIBOBJDIR}$ac_i"'$U.lo'
+done
+LIBOBJS=$ac_libobjs
+
+LTLIBOBJS=$ac_ltlibobjs
+
+
+if test -z "${MAINTAINER_MODE_TRUE}" && test -z "${MAINTAINER_MODE_FALSE}"; then
+  as_fn_error $? "conditional \"MAINTAINER_MODE\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+
+if test -z "${HAVE_SPHINX_BUILD_TRUE}" && test -z "${HAVE_SPHINX_BUILD_FALSE}"; then
+  as_fn_error $? "conditional \"HAVE_SPHINX_BUILD\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${HAVE_XELATEX_TRUE}" && test -z "${HAVE_XELATEX_FALSE}"; then
+  as_fn_error $? "conditional \"HAVE_XELATEX\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+
+: "${CONFIG_STATUS=./config.status}"
+ac_write_fail=0
+ac_clean_files_save=$ac_clean_files
+ac_clean_files="$ac_clean_files $CONFIG_STATUS"
+{ $as_echo "$as_me:${as_lineno-$LINENO}: creating $CONFIG_STATUS" >&5
+$as_echo "$as_me: creating $CONFIG_STATUS" >&6;}
+as_write_fail=0
+cat >$CONFIG_STATUS <<_ASEOF || as_write_fail=1
+#! $SHELL
+# Generated by $as_me.
+# Run this file to recreate the current configuration.
+# Compiler output produced by configure, useful for debugging
+# configure, is in config.log if it exists.
+
+debug=false
+ac_cs_recheck=false
+ac_cs_silent=false
+
+SHELL=\${CONFIG_SHELL-$SHELL}
+export SHELL
+_ASEOF
+cat >>$CONFIG_STATUS <<\_ASEOF || as_write_fail=1
+## -------------------- ##
+## M4sh Initialization. ##
+## -------------------- ##
+
+# Be more Bourne compatible
+DUALCASE=1; export DUALCASE # for MKS sh
+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then :
+  emulate sh
+  NULLCMD=:
+  # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which
+  # is contrary to our usage.  Disable this feature.
+  alias -g '${1+"$@"}'='"$@"'
+  setopt NO_GLOB_SUBST
+else
+  case `(set -o) 2>/dev/null` in #(
+  *posix*) :
+    set -o posix ;; #(
+  *) :
+     ;;
+esac
+fi
+
+
+as_nl='
+'
+export as_nl
+# Printing a long string crashes Solaris 7 /usr/bin/printf.
+as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
+as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo
+as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo
+# Prefer a ksh shell builtin over an external printf program on Solaris,
+# but without wasting forks for bash or zsh.
+if test -z "$BASH_VERSION$ZSH_VERSION" \
+    && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then
+  as_echo='print -r --'
+  as_echo_n='print -rn --'
+elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then
+  as_echo='printf %s\n'
+  as_echo_n='printf %s'
+else
+  if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then
+    as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"'
+    as_echo_n='/usr/ucb/echo -n'
+  else
+    as_echo_body='eval expr "X$1" : "X\\(.*\\)"'
+    as_echo_n_body='eval
+      arg=$1;
+      case $arg in #(
+      *"$as_nl"*)
+	expr "X$arg" : "X\\(.*\\)$as_nl";
+	arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;;
+      esac;
+      expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl"
+    '
+    export as_echo_n_body
+    as_echo_n='sh -c $as_echo_n_body as_echo'
+  fi
+  export as_echo_body
+  as_echo='sh -c $as_echo_body as_echo'
+fi
+
+# The user is always right.
+if test "${PATH_SEPARATOR+set}" != set; then
+  PATH_SEPARATOR=:
+  (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && {
+    (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 ||
+      PATH_SEPARATOR=';'
+  }
+fi
+
+
+# IFS
+# We need space, tab and new line, in precisely that order.  Quoting is
+# there to prevent editors from complaining about space-tab.
+# (If _AS_PATH_WALK were called with IFS unset, it would disable word
+# splitting by setting IFS to empty value.)
+IFS=" ""	$as_nl"
+
+# Find who we are.  Look in the path if we contain no directory separator.
+as_myself=
+case $0 in #((
+  *[\\/]* ) as_myself=$0 ;;
+  *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
+  done
+IFS=$as_save_IFS
+
+     ;;
+esac
+# We did not find ourselves, most probably we were run as `sh COMMAND'
+# in which case we are not to be found in the path.
+if test "x$as_myself" = x; then
+  as_myself=$0
+fi
+if test ! -f "$as_myself"; then
+  $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
+  exit 1
+fi
+
+# Unset variables that we do not need and which cause bugs (e.g. in
+# pre-3.0 UWIN ksh).  But do not cause bugs in bash 2.01; the "|| exit 1"
+# suppresses any "Segmentation fault" message there.  '((' could
+# trigger a bug in pdksh 5.2.14.
+for as_var in BASH_ENV ENV MAIL MAILPATH
+do eval test x\${$as_var+set} = xset \
+  && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || :
+done
+PS1='$ '
+PS2='> '
+PS4='+ '
+
+# NLS nuisances.
+LC_ALL=C
+export LC_ALL
+LANGUAGE=C
+export LANGUAGE
+
+# CDPATH.
+(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
+
+
+# as_fn_error STATUS ERROR [LINENO LOG_FD]
+# ----------------------------------------
+# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are
+# provided, also output the error to LOG_FD, referencing LINENO. Then exit the
+# script with STATUS, using 1 if that was 0.
+as_fn_error ()
+{
+  as_status=$1; test $as_status -eq 0 && as_status=1
+  if test "$4"; then
+    as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+    $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4
+  fi
+  $as_echo "$as_me: error: $2" >&2
+  as_fn_exit $as_status
+} # as_fn_error
+
+
+# as_fn_set_status STATUS
+# -----------------------
+# Set $? to STATUS, without forking.
+as_fn_set_status ()
+{
+  return $1
+} # as_fn_set_status
+
+# as_fn_exit STATUS
+# -----------------
+# Exit the shell with STATUS, even in a "trap 0" or "set -e" context.
+as_fn_exit ()
+{
+  set +e
+  as_fn_set_status $1
+  exit $1
+} # as_fn_exit
+
+# as_fn_unset VAR
+# ---------------
+# Portably unset VAR.
+as_fn_unset ()
+{
+  { eval $1=; unset $1;}
+}
+as_unset=as_fn_unset
+# as_fn_append VAR VALUE
+# ----------------------
+# Append the text in VALUE to the end of the definition contained in VAR. Take
+# advantage of any shell optimizations that allow amortized linear growth over
+# repeated appends, instead of the typical quadratic growth present in naive
+# implementations.
+if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then :
+  eval 'as_fn_append ()
+  {
+    eval $1+=\$2
+  }'
+else
+  as_fn_append ()
+  {
+    eval $1=\$$1\$2
+  }
+fi # as_fn_append
+
+# as_fn_arith ARG...
+# ------------------
+# Perform arithmetic evaluation on the ARGs, and store the result in the
+# global $as_val. Take advantage of shells that can avoid forks. The arguments
+# must be portable across $(()) and expr.
+if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then :
+  eval 'as_fn_arith ()
+  {
+    as_val=$(( $* ))
+  }'
+else
+  as_fn_arith ()
+  {
+    as_val=`expr "$@" || test $? -eq 1`
+  }
+fi # as_fn_arith
+
+
+if expr a : '\(a\)' >/dev/null 2>&1 &&
+   test "X`expr 00001 : '.*\(...\)'`" = X001; then
+  as_expr=expr
+else
+  as_expr=false
+fi
+
+if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then
+  as_basename=basename
+else
+  as_basename=false
+fi
+
+if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
+  as_dirname=dirname
+else
+  as_dirname=false
+fi
+
+as_me=`$as_basename -- "$0" ||
+$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
+	 X"$0" : 'X\(//\)$' \| \
+	 X"$0" : 'X\(/\)' \| . 2>/dev/null ||
+$as_echo X/"$0" |
+    sed '/^.*\/\([^/][^/]*\)\/*$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\/\(\/\/\)$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\/\(\/\).*/{
+	    s//\1/
+	    q
+	  }
+	  s/.*/./; q'`
+
+# Avoid depending upon Character Ranges.
+as_cr_letters='abcdefghijklmnopqrstuvwxyz'
+as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+as_cr_Letters=$as_cr_letters$as_cr_LETTERS
+as_cr_digits='0123456789'
+as_cr_alnum=$as_cr_Letters$as_cr_digits
+
+ECHO_C= ECHO_N= ECHO_T=
+case `echo -n x` in #(((((
+-n*)
+  case `echo 'xy\c'` in
+  *c*) ECHO_T='	';;	# ECHO_T is single tab character.
+  xy)  ECHO_C='\c';;
+  *)   echo `echo ksh88 bug on AIX 6.1` > /dev/null
+       ECHO_T='	';;
+  esac;;
+*)
+  ECHO_N='-n';;
+esac
+
+rm -f conf$$ conf$$.exe conf$$.file
+if test -d conf$$.dir; then
+  rm -f conf$$.dir/conf$$.file
+else
+  rm -f conf$$.dir
+  mkdir conf$$.dir 2>/dev/null
+fi
+if (echo >conf$$.file) 2>/dev/null; then
+  if ln -s conf$$.file conf$$ 2>/dev/null; then
+    as_ln_s='ln -s'
+    # ... but there are two gotchas:
+    # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
+    # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
+    # In both cases, we have to default to `cp -pR'.
+    ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
+      as_ln_s='cp -pR'
+  elif ln conf$$.file conf$$ 2>/dev/null; then
+    as_ln_s=ln
+  else
+    as_ln_s='cp -pR'
+  fi
+else
+  as_ln_s='cp -pR'
+fi
+rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
+rmdir conf$$.dir 2>/dev/null
+
+
+# as_fn_mkdir_p
+# -------------
+# Create "$as_dir" as a directory, including parents if necessary.
+as_fn_mkdir_p ()
+{
+
+  case $as_dir in #(
+  -*) as_dir=./$as_dir;;
+  esac
+  test -d "$as_dir" || eval $as_mkdir_p || {
+    as_dirs=
+    while :; do
+      case $as_dir in #(
+      *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'(
+      *) as_qdir=$as_dir;;
+      esac
+      as_dirs="'$as_qdir' $as_dirs"
+      as_dir=`$as_dirname -- "$as_dir" ||
+$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+	 X"$as_dir" : 'X\(//\)[^/]' \| \
+	 X"$as_dir" : 'X\(//\)$' \| \
+	 X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
+$as_echo X"$as_dir" |
+    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)[^/].*/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\).*/{
+	    s//\1/
+	    q
+	  }
+	  s/.*/./; q'`
+      test -d "$as_dir" && break
+    done
+    test -z "$as_dirs" || eval "mkdir $as_dirs"
+  } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir"
+
+
+} # as_fn_mkdir_p
+if mkdir -p . 2>/dev/null; then
+  as_mkdir_p='mkdir -p "$as_dir"'
+else
+  test -d ./-p && rmdir ./-p
+  as_mkdir_p=false
+fi
+
+
+# as_fn_executable_p FILE
+# -----------------------
+# Test if FILE is an executable regular file.
+as_fn_executable_p ()
+{
+  test -f "$1" && test -x "$1"
+} # as_fn_executable_p
+as_test_x='test -x'
+as_executable_p=as_fn_executable_p
+
+# Sed expression to map a string onto a valid CPP name.
+as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
+
+# Sed expression to map a string onto a valid variable name.
+as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"
+
+
+exec 6>&1
+## ----------------------------------- ##
+## Main body of $CONFIG_STATUS script. ##
+## ----------------------------------- ##
+_ASEOF
+test $as_write_fail = 0 && chmod +x $CONFIG_STATUS || ac_write_fail=1
+
+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+# Save the log message, to keep $0 and so on meaningful, and to
+# report actual input values of CONFIG_FILES etc. instead of their
+# values after options handling.
+ac_log="
+This file was extended by BIND $as_me 9.16, which was
+generated by GNU Autoconf 2.69.  Invocation command line was
+
+  CONFIG_FILES    = $CONFIG_FILES
+  CONFIG_HEADERS  = $CONFIG_HEADERS
+  CONFIG_LINKS    = $CONFIG_LINKS
+  CONFIG_COMMANDS = $CONFIG_COMMANDS
+  $ $0 $@
+
+on `(hostname || uname -n) 2>/dev/null | sed 1q`
+"
+
+_ACEOF
+
+case $ac_config_files in *"
+"*) set x $ac_config_files; shift; ac_config_files=$*;;
+esac
+
+case $ac_config_headers in *"
+"*) set x $ac_config_headers; shift; ac_config_headers=$*;;
+esac
+
+
+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+# Files that config.status was made for.
+config_files="$ac_config_files"
+config_headers="$ac_config_headers"
+config_commands="$ac_config_commands"
+
+_ACEOF
+
+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+ac_cs_usage="\
+\`$as_me' instantiates files and other configuration actions
+from templates according to the current configuration.  Unless the files
+and actions are specified as TAGs, all are instantiated by default.
+
+Usage: $0 [OPTION]... [TAG]...
+
+  -h, --help       print this help, then exit
+  -V, --version    print version number and configuration settings, then exit
+      --config     print configuration, then exit
+  -q, --quiet, --silent
+                   do not print progress messages
+  -d, --debug      don't remove temporary files
+      --recheck    update $as_me by reconfiguring in the same conditions
+      --file=FILE[:TEMPLATE]
+                   instantiate the configuration file FILE
+      --header=FILE[:TEMPLATE]
+                   instantiate the configuration header FILE
+
+Configuration files:
+$config_files
+
+Configuration headers:
+$config_headers
+
+Configuration commands:
+$config_commands
+
+Report bugs to <https://gitlab.isc.org/isc-projects/bind9/-/issues/new?issuable_template=Bug>.
+BIND home page: <https://www.isc.org/downloads/>."
+
+_ACEOF
+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
+ac_cs_version="\\
+BIND config.status 9.16
+configured by $0, generated by GNU Autoconf 2.69,
+  with options \\"\$ac_cs_config\\"
+
+Copyright (C) 2012 Free Software Foundation, Inc.
+This config.status script is free software; the Free Software Foundation
+gives unlimited permission to copy, distribute and modify it."
+
+ac_pwd='$ac_pwd'
+srcdir='$srcdir'
+INSTALL='$INSTALL'
+MKDIR_P='$MKDIR_P'
+AWK='$AWK'
+test -n "\$AWK" || AWK=awk
+_ACEOF
+
+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+# The default lists apply if the user does not specify any file.
+ac_need_defaults=:
+while test $# != 0
+do
+  case $1 in
+  --*=?*)
+    ac_option=`expr "X$1" : 'X\([^=]*\)='`
+    ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'`
+    ac_shift=:
+    ;;
+  --*=)
+    ac_option=`expr "X$1" : 'X\([^=]*\)='`
+    ac_optarg=
+    ac_shift=:
+    ;;
+  *)
+    ac_option=$1
+    ac_optarg=$2
+    ac_shift=shift
+    ;;
+  esac
+
+  case $ac_option in
+  # Handling of the options.
+  -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r)
+    ac_cs_recheck=: ;;
+  --version | --versio | --versi | --vers | --ver | --ve | --v | -V )
+    $as_echo "$ac_cs_version"; exit ;;
+  --config | --confi | --conf | --con | --co | --c )
+    $as_echo "$ac_cs_config"; exit ;;
+  --debug | --debu | --deb | --de | --d | -d )
+    debug=: ;;
+  --file | --fil | --fi | --f )
+    $ac_shift
+    case $ac_optarg in
+    *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;;
+    '') as_fn_error $? "missing file argument" ;;
+    esac
+    as_fn_append CONFIG_FILES " '$ac_optarg'"
+    ac_need_defaults=false;;
+  --header | --heade | --head | --hea )
+    $ac_shift
+    case $ac_optarg in
+    *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;;
+    esac
+    as_fn_append CONFIG_HEADERS " '$ac_optarg'"
+    ac_need_defaults=false;;
+  --he | --h)
+    # Conflict between --help and --header
+    as_fn_error $? "ambiguous option: \`$1'
+Try \`$0 --help' for more information.";;
+  --help | --hel | -h )
+    $as_echo "$ac_cs_usage"; exit ;;
+  -q | -quiet | --quiet | --quie | --qui | --qu | --q \
+  | -silent | --silent | --silen | --sile | --sil | --si | --s)
+    ac_cs_silent=: ;;
+
+  # This is an error.
+  -*) as_fn_error $? "unrecognized option: \`$1'
+Try \`$0 --help' for more information." ;;
+
+  *) as_fn_append ac_config_targets " $1"
+     ac_need_defaults=false ;;
+
+  esac
+  shift
+done
+
+ac_configure_extra_args=
+
+if $ac_cs_silent; then
+  exec 6>/dev/null
+  ac_configure_extra_args="$ac_configure_extra_args --silent"
+fi
+
+_ACEOF
+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+if \$ac_cs_recheck; then
+  set X $SHELL '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
+  shift
+  \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6
+  CONFIG_SHELL='$SHELL'
+  export CONFIG_SHELL
+  exec "\$@"
+fi
+
+_ACEOF
+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+exec 5>>config.log
+{
+  echo
+  sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX
+## Running $as_me. ##
+_ASBOX
+  $as_echo "$ac_log"
+} >&5
+
+_ACEOF
+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+#
+# INIT-COMMANDS
+#
+
+
+# The HP-UX ksh and POSIX shell print the target directory to stdout
+# if CDPATH is set.
+(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
+
+sed_quote_subst='$sed_quote_subst'
+double_quote_subst='$double_quote_subst'
+delay_variable_subst='$delay_variable_subst'
+macro_version='`$ECHO "$macro_version" | $SED "$delay_single_quote_subst"`'
+macro_revision='`$ECHO "$macro_revision" | $SED "$delay_single_quote_subst"`'
+enable_shared='`$ECHO "$enable_shared" | $SED "$delay_single_quote_subst"`'
+enable_static='`$ECHO "$enable_static" | $SED "$delay_single_quote_subst"`'
+pic_mode='`$ECHO "$pic_mode" | $SED "$delay_single_quote_subst"`'
+enable_fast_install='`$ECHO "$enable_fast_install" | $SED "$delay_single_quote_subst"`'
+shared_archive_member_spec='`$ECHO "$shared_archive_member_spec" | $SED "$delay_single_quote_subst"`'
+SHELL='`$ECHO "$SHELL" | $SED "$delay_single_quote_subst"`'
+ECHO='`$ECHO "$ECHO" | $SED "$delay_single_quote_subst"`'
+PATH_SEPARATOR='`$ECHO "$PATH_SEPARATOR" | $SED "$delay_single_quote_subst"`'
+host_alias='`$ECHO "$host_alias" | $SED "$delay_single_quote_subst"`'
+host='`$ECHO "$host" | $SED "$delay_single_quote_subst"`'
+host_os='`$ECHO "$host_os" | $SED "$delay_single_quote_subst"`'
+build_alias='`$ECHO "$build_alias" | $SED "$delay_single_quote_subst"`'
+build='`$ECHO "$build" | $SED "$delay_single_quote_subst"`'
+build_os='`$ECHO "$build_os" | $SED "$delay_single_quote_subst"`'
+SED='`$ECHO "$SED" | $SED "$delay_single_quote_subst"`'
+Xsed='`$ECHO "$Xsed" | $SED "$delay_single_quote_subst"`'
+GREP='`$ECHO "$GREP" | $SED "$delay_single_quote_subst"`'
+EGREP='`$ECHO "$EGREP" | $SED "$delay_single_quote_subst"`'
+FGREP='`$ECHO "$FGREP" | $SED "$delay_single_quote_subst"`'
+LD='`$ECHO "$LD" | $SED "$delay_single_quote_subst"`'
+NM='`$ECHO "$NM" | $SED "$delay_single_quote_subst"`'
+LN_S='`$ECHO "$LN_S" | $SED "$delay_single_quote_subst"`'
+max_cmd_len='`$ECHO "$max_cmd_len" | $SED "$delay_single_quote_subst"`'
+ac_objext='`$ECHO "$ac_objext" | $SED "$delay_single_quote_subst"`'
+exeext='`$ECHO "$exeext" | $SED "$delay_single_quote_subst"`'
+lt_unset='`$ECHO "$lt_unset" | $SED "$delay_single_quote_subst"`'
+lt_SP2NL='`$ECHO "$lt_SP2NL" | $SED "$delay_single_quote_subst"`'
+lt_NL2SP='`$ECHO "$lt_NL2SP" | $SED "$delay_single_quote_subst"`'
+lt_cv_to_host_file_cmd='`$ECHO "$lt_cv_to_host_file_cmd" | $SED "$delay_single_quote_subst"`'
+lt_cv_to_tool_file_cmd='`$ECHO "$lt_cv_to_tool_file_cmd" | $SED "$delay_single_quote_subst"`'
+reload_flag='`$ECHO "$reload_flag" | $SED "$delay_single_quote_subst"`'
+reload_cmds='`$ECHO "$reload_cmds" | $SED "$delay_single_quote_subst"`'
+OBJDUMP='`$ECHO "$OBJDUMP" | $SED "$delay_single_quote_subst"`'
+deplibs_check_method='`$ECHO "$deplibs_check_method" | $SED "$delay_single_quote_subst"`'
+file_magic_cmd='`$ECHO "$file_magic_cmd" | $SED "$delay_single_quote_subst"`'
+file_magic_glob='`$ECHO "$file_magic_glob" | $SED "$delay_single_quote_subst"`'
+want_nocaseglob='`$ECHO "$want_nocaseglob" | $SED "$delay_single_quote_subst"`'
+DLLTOOL='`$ECHO "$DLLTOOL" | $SED "$delay_single_quote_subst"`'
+sharedlib_from_linklib_cmd='`$ECHO "$sharedlib_from_linklib_cmd" | $SED "$delay_single_quote_subst"`'
+AR='`$ECHO "$AR" | $SED "$delay_single_quote_subst"`'
+AR_FLAGS='`$ECHO "$AR_FLAGS" | $SED "$delay_single_quote_subst"`'
+archiver_list_spec='`$ECHO "$archiver_list_spec" | $SED "$delay_single_quote_subst"`'
+STRIP='`$ECHO "$STRIP" | $SED "$delay_single_quote_subst"`'
+RANLIB='`$ECHO "$RANLIB" | $SED "$delay_single_quote_subst"`'
+old_postinstall_cmds='`$ECHO "$old_postinstall_cmds" | $SED "$delay_single_quote_subst"`'
+old_postuninstall_cmds='`$ECHO "$old_postuninstall_cmds" | $SED "$delay_single_quote_subst"`'
+old_archive_cmds='`$ECHO "$old_archive_cmds" | $SED "$delay_single_quote_subst"`'
+lock_old_archive_extraction='`$ECHO "$lock_old_archive_extraction" | $SED "$delay_single_quote_subst"`'
+CC='`$ECHO "$CC" | $SED "$delay_single_quote_subst"`'
+CFLAGS='`$ECHO "$CFLAGS" | $SED "$delay_single_quote_subst"`'
+compiler='`$ECHO "$compiler" | $SED "$delay_single_quote_subst"`'
+GCC='`$ECHO "$GCC" | $SED "$delay_single_quote_subst"`'
+lt_cv_sys_global_symbol_pipe='`$ECHO "$lt_cv_sys_global_symbol_pipe" | $SED "$delay_single_quote_subst"`'
+lt_cv_sys_global_symbol_to_cdecl='`$ECHO "$lt_cv_sys_global_symbol_to_cdecl" | $SED "$delay_single_quote_subst"`'
+lt_cv_sys_global_symbol_to_import='`$ECHO "$lt_cv_sys_global_symbol_to_import" | $SED "$delay_single_quote_subst"`'
+lt_cv_sys_global_symbol_to_c_name_address='`$ECHO "$lt_cv_sys_global_symbol_to_c_name_address" | $SED "$delay_single_quote_subst"`'
+lt_cv_sys_global_symbol_to_c_name_address_lib_prefix='`$ECHO "$lt_cv_sys_global_symbol_to_c_name_address_lib_prefix" | $SED "$delay_single_quote_subst"`'
+lt_cv_nm_interface='`$ECHO "$lt_cv_nm_interface" | $SED "$delay_single_quote_subst"`'
+nm_file_list_spec='`$ECHO "$nm_file_list_spec" | $SED "$delay_single_quote_subst"`'
+lt_sysroot='`$ECHO "$lt_sysroot" | $SED "$delay_single_quote_subst"`'
+lt_cv_truncate_bin='`$ECHO "$lt_cv_truncate_bin" | $SED "$delay_single_quote_subst"`'
+objdir='`$ECHO "$objdir" | $SED "$delay_single_quote_subst"`'
+MAGIC_CMD='`$ECHO "$MAGIC_CMD" | $SED "$delay_single_quote_subst"`'
+lt_prog_compiler_no_builtin_flag='`$ECHO "$lt_prog_compiler_no_builtin_flag" | $SED "$delay_single_quote_subst"`'
+lt_prog_compiler_pic='`$ECHO "$lt_prog_compiler_pic" | $SED "$delay_single_quote_subst"`'
+lt_prog_compiler_wl='`$ECHO "$lt_prog_compiler_wl" | $SED "$delay_single_quote_subst"`'
+lt_prog_compiler_static='`$ECHO "$lt_prog_compiler_static" | $SED "$delay_single_quote_subst"`'
+lt_cv_prog_compiler_c_o='`$ECHO "$lt_cv_prog_compiler_c_o" | $SED "$delay_single_quote_subst"`'
+need_locks='`$ECHO "$need_locks" | $SED "$delay_single_quote_subst"`'
+MANIFEST_TOOL='`$ECHO "$MANIFEST_TOOL" | $SED "$delay_single_quote_subst"`'
+DSYMUTIL='`$ECHO "$DSYMUTIL" | $SED "$delay_single_quote_subst"`'
+NMEDIT='`$ECHO "$NMEDIT" | $SED "$delay_single_quote_subst"`'
+LIPO='`$ECHO "$LIPO" | $SED "$delay_single_quote_subst"`'
+OTOOL='`$ECHO "$OTOOL" | $SED "$delay_single_quote_subst"`'
+OTOOL64='`$ECHO "$OTOOL64" | $SED "$delay_single_quote_subst"`'
+libext='`$ECHO "$libext" | $SED "$delay_single_quote_subst"`'
+shrext_cmds='`$ECHO "$shrext_cmds" | $SED "$delay_single_quote_subst"`'
+extract_expsyms_cmds='`$ECHO "$extract_expsyms_cmds" | $SED "$delay_single_quote_subst"`'
+archive_cmds_need_lc='`$ECHO "$archive_cmds_need_lc" | $SED "$delay_single_quote_subst"`'
+enable_shared_with_static_runtimes='`$ECHO "$enable_shared_with_static_runtimes" | $SED "$delay_single_quote_subst"`'
+export_dynamic_flag_spec='`$ECHO "$export_dynamic_flag_spec" | $SED "$delay_single_quote_subst"`'
+whole_archive_flag_spec='`$ECHO "$whole_archive_flag_spec" | $SED "$delay_single_quote_subst"`'
+compiler_needs_object='`$ECHO "$compiler_needs_object" | $SED "$delay_single_quote_subst"`'
+old_archive_from_new_cmds='`$ECHO "$old_archive_from_new_cmds" | $SED "$delay_single_quote_subst"`'
+old_archive_from_expsyms_cmds='`$ECHO "$old_archive_from_expsyms_cmds" | $SED "$delay_single_quote_subst"`'
+archive_cmds='`$ECHO "$archive_cmds" | $SED "$delay_single_quote_subst"`'
+archive_expsym_cmds='`$ECHO "$archive_expsym_cmds" | $SED "$delay_single_quote_subst"`'
+module_cmds='`$ECHO "$module_cmds" | $SED "$delay_single_quote_subst"`'
+module_expsym_cmds='`$ECHO "$module_expsym_cmds" | $SED "$delay_single_quote_subst"`'
+with_gnu_ld='`$ECHO "$with_gnu_ld" | $SED "$delay_single_quote_subst"`'
+allow_undefined_flag='`$ECHO "$allow_undefined_flag" | $SED "$delay_single_quote_subst"`'
+no_undefined_flag='`$ECHO "$no_undefined_flag" | $SED "$delay_single_quote_subst"`'
+hardcode_libdir_flag_spec='`$ECHO "$hardcode_libdir_flag_spec" | $SED "$delay_single_quote_subst"`'
+hardcode_libdir_separator='`$ECHO "$hardcode_libdir_separator" | $SED "$delay_single_quote_subst"`'
+hardcode_direct='`$ECHO "$hardcode_direct" | $SED "$delay_single_quote_subst"`'
+hardcode_direct_absolute='`$ECHO "$hardcode_direct_absolute" | $SED "$delay_single_quote_subst"`'
+hardcode_minus_L='`$ECHO "$hardcode_minus_L" | $SED "$delay_single_quote_subst"`'
+hardcode_shlibpath_var='`$ECHO "$hardcode_shlibpath_var" | $SED "$delay_single_quote_subst"`'
+hardcode_automatic='`$ECHO "$hardcode_automatic" | $SED "$delay_single_quote_subst"`'
+inherit_rpath='`$ECHO "$inherit_rpath" | $SED "$delay_single_quote_subst"`'
+link_all_deplibs='`$ECHO "$link_all_deplibs" | $SED "$delay_single_quote_subst"`'
+always_export_symbols='`$ECHO "$always_export_symbols" | $SED "$delay_single_quote_subst"`'
+export_symbols_cmds='`$ECHO "$export_symbols_cmds" | $SED "$delay_single_quote_subst"`'
+exclude_expsyms='`$ECHO "$exclude_expsyms" | $SED "$delay_single_quote_subst"`'
+include_expsyms='`$ECHO "$include_expsyms" | $SED "$delay_single_quote_subst"`'
+prelink_cmds='`$ECHO "$prelink_cmds" | $SED "$delay_single_quote_subst"`'
+postlink_cmds='`$ECHO "$postlink_cmds" | $SED "$delay_single_quote_subst"`'
+file_list_spec='`$ECHO "$file_list_spec" | $SED "$delay_single_quote_subst"`'
+variables_saved_for_relink='`$ECHO "$variables_saved_for_relink" | $SED "$delay_single_quote_subst"`'
+need_lib_prefix='`$ECHO "$need_lib_prefix" | $SED "$delay_single_quote_subst"`'
+need_version='`$ECHO "$need_version" | $SED "$delay_single_quote_subst"`'
+version_type='`$ECHO "$version_type" | $SED "$delay_single_quote_subst"`'
+runpath_var='`$ECHO "$runpath_var" | $SED "$delay_single_quote_subst"`'
+shlibpath_var='`$ECHO "$shlibpath_var" | $SED "$delay_single_quote_subst"`'
+shlibpath_overrides_runpath='`$ECHO "$shlibpath_overrides_runpath" | $SED "$delay_single_quote_subst"`'
+libname_spec='`$ECHO "$libname_spec" | $SED "$delay_single_quote_subst"`'
+library_names_spec='`$ECHO "$library_names_spec" | $SED "$delay_single_quote_subst"`'
+soname_spec='`$ECHO "$soname_spec" | $SED "$delay_single_quote_subst"`'
+install_override_mode='`$ECHO "$install_override_mode" | $SED "$delay_single_quote_subst"`'
+postinstall_cmds='`$ECHO "$postinstall_cmds" | $SED "$delay_single_quote_subst"`'
+postuninstall_cmds='`$ECHO "$postuninstall_cmds" | $SED "$delay_single_quote_subst"`'
+finish_cmds='`$ECHO "$finish_cmds" | $SED "$delay_single_quote_subst"`'
+finish_eval='`$ECHO "$finish_eval" | $SED "$delay_single_quote_subst"`'
+hardcode_into_libs='`$ECHO "$hardcode_into_libs" | $SED "$delay_single_quote_subst"`'
+sys_lib_search_path_spec='`$ECHO "$sys_lib_search_path_spec" | $SED "$delay_single_quote_subst"`'
+configure_time_dlsearch_path='`$ECHO "$configure_time_dlsearch_path" | $SED "$delay_single_quote_subst"`'
+configure_time_lt_sys_library_path='`$ECHO "$configure_time_lt_sys_library_path" | $SED "$delay_single_quote_subst"`'
+hardcode_action='`$ECHO "$hardcode_action" | $SED "$delay_single_quote_subst"`'
+enable_dlopen='`$ECHO "$enable_dlopen" | $SED "$delay_single_quote_subst"`'
+enable_dlopen_self='`$ECHO "$enable_dlopen_self" | $SED "$delay_single_quote_subst"`'
+enable_dlopen_self_static='`$ECHO "$enable_dlopen_self_static" | $SED "$delay_single_quote_subst"`'
+old_striplib='`$ECHO "$old_striplib" | $SED "$delay_single_quote_subst"`'
+striplib='`$ECHO "$striplib" | $SED "$delay_single_quote_subst"`'
+
+LTCC='$LTCC'
+LTCFLAGS='$LTCFLAGS'
+compiler='$compiler_DEFAULT'
+
+# A function that is used when there is no print builtin or printf.
+func_fallback_echo ()
+{
+  eval 'cat <<_LTECHO_EOF
+\$1
+_LTECHO_EOF'
+}
+
+# Quote evaled strings.
+for var in SHELL \
+ECHO \
+PATH_SEPARATOR \
+SED \
+GREP \
+EGREP \
+FGREP \
+LD \
+NM \
+LN_S \
+lt_SP2NL \
+lt_NL2SP \
+reload_flag \
+OBJDUMP \
+deplibs_check_method \
+file_magic_cmd \
+file_magic_glob \
+want_nocaseglob \
+DLLTOOL \
+sharedlib_from_linklib_cmd \
+AR \
+AR_FLAGS \
+archiver_list_spec \
+STRIP \
+RANLIB \
+CC \
+CFLAGS \
+compiler \
+lt_cv_sys_global_symbol_pipe \
+lt_cv_sys_global_symbol_to_cdecl \
+lt_cv_sys_global_symbol_to_import \
+lt_cv_sys_global_symbol_to_c_name_address \
+lt_cv_sys_global_symbol_to_c_name_address_lib_prefix \
+lt_cv_nm_interface \
+nm_file_list_spec \
+lt_cv_truncate_bin \
+lt_prog_compiler_no_builtin_flag \
+lt_prog_compiler_pic \
+lt_prog_compiler_wl \
+lt_prog_compiler_static \
+lt_cv_prog_compiler_c_o \
+need_locks \
+MANIFEST_TOOL \
+DSYMUTIL \
+NMEDIT \
+LIPO \
+OTOOL \
+OTOOL64 \
+shrext_cmds \
+export_dynamic_flag_spec \
+whole_archive_flag_spec \
+compiler_needs_object \
+with_gnu_ld \
+allow_undefined_flag \
+no_undefined_flag \
+hardcode_libdir_flag_spec \
+hardcode_libdir_separator \
+exclude_expsyms \
+include_expsyms \
+file_list_spec \
+variables_saved_for_relink \
+libname_spec \
+library_names_spec \
+soname_spec \
+install_override_mode \
+finish_eval \
+old_striplib \
+striplib; do
+    case \`eval \\\\\$ECHO \\\\""\\\\\$\$var"\\\\"\` in
+    *[\\\\\\\`\\"\\\$]*)
+      eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"\\\$\$var\\" | \\\$SED \\"\\\$sed_quote_subst\\"\\\`\\\\\\"" ## exclude from sc_prohibit_nested_quotes
+      ;;
+    *)
+      eval "lt_\$var=\\\\\\"\\\$\$var\\\\\\""
+      ;;
+    esac
+done
+
+# Double-quote double-evaled strings.
+for var in reload_cmds \
+old_postinstall_cmds \
+old_postuninstall_cmds \
+old_archive_cmds \
+extract_expsyms_cmds \
+old_archive_from_new_cmds \
+old_archive_from_expsyms_cmds \
+archive_cmds \
+archive_expsym_cmds \
+module_cmds \
+module_expsym_cmds \
+export_symbols_cmds \
+prelink_cmds \
+postlink_cmds \
+postinstall_cmds \
+postuninstall_cmds \
+finish_cmds \
+sys_lib_search_path_spec \
+configure_time_dlsearch_path \
+configure_time_lt_sys_library_path; do
+    case \`eval \\\\\$ECHO \\\\""\\\\\$\$var"\\\\"\` in
+    *[\\\\\\\`\\"\\\$]*)
+      eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"\\\$\$var\\" | \\\$SED -e \\"\\\$double_quote_subst\\" -e \\"\\\$sed_quote_subst\\" -e \\"\\\$delay_variable_subst\\"\\\`\\\\\\"" ## exclude from sc_prohibit_nested_quotes
+      ;;
+    *)
+      eval "lt_\$var=\\\\\\"\\\$\$var\\\\\\""
+      ;;
+    esac
+done
+
+ac_aux_dir='$ac_aux_dir'
+
+# See if we are running on zsh, and set the options that allow our
+# commands through without removal of \ escapes INIT.
+if test -n "\${ZSH_VERSION+set}"; then
+   setopt NO_GLOB_SUBST
+fi
+
+
+    PACKAGE='$PACKAGE'
+    VERSION='$VERSION'
+    RM='$RM'
+    ofile='$ofile'
+
+
+
+
+_ACEOF
+
+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+
+# Handling of arguments.
+for ac_config_target in $ac_config_targets
+do
+  case $ac_config_target in
+    "config.h") CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;;
+    "libtool") CONFIG_COMMANDS="$CONFIG_COMMANDS libtool" ;;
+    "make/rules") CONFIG_FILES="$CONFIG_FILES make/rules" ;;
+    "make/includes") CONFIG_FILES="$CONFIG_FILES make/includes" ;;
+    "contrib/dlz/bin/dlzbdb/Makefile") CONFIG_FILES="$CONFIG_FILES contrib/dlz/bin/dlzbdb/Makefile" ;;
+    "$DLZ_DRIVER_RULES") CONFIG_FILES="$CONFIG_FILES $DLZ_DRIVER_RULES" ;;
+    "contrib/dlz/modules/mysql/Makefile") CONFIG_FILES="$CONFIG_FILES contrib/dlz/modules/mysql/Makefile" ;;
+    "contrib/dlz/modules/mysqldyn/Makefile") CONFIG_FILES="$CONFIG_FILES contrib/dlz/modules/mysqldyn/Makefile" ;;
+    "chmod") CONFIG_COMMANDS="$CONFIG_COMMANDS chmod" ;;
+    "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
+    "bin/Makefile") CONFIG_FILES="$CONFIG_FILES bin/Makefile" ;;
+    "bin/check/Makefile") CONFIG_FILES="$CONFIG_FILES bin/check/Makefile" ;;
+    "bin/confgen/Makefile") CONFIG_FILES="$CONFIG_FILES bin/confgen/Makefile" ;;
+    "bin/confgen/unix/Makefile") CONFIG_FILES="$CONFIG_FILES bin/confgen/unix/Makefile" ;;
+    "bin/delv/Makefile") CONFIG_FILES="$CONFIG_FILES bin/delv/Makefile" ;;
+    "bin/dig/Makefile") CONFIG_FILES="$CONFIG_FILES bin/dig/Makefile" ;;
+    "bin/dnssec/Makefile") CONFIG_FILES="$CONFIG_FILES bin/dnssec/Makefile" ;;
+    "bin/named/Makefile") CONFIG_FILES="$CONFIG_FILES bin/named/Makefile" ;;
+    "bin/named/unix/Makefile") CONFIG_FILES="$CONFIG_FILES bin/named/unix/Makefile" ;;
+    "bin/nsupdate/Makefile") CONFIG_FILES="$CONFIG_FILES bin/nsupdate/Makefile" ;;
+    "bin/pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES bin/pkcs11/Makefile" ;;
+    "bin/plugins/Makefile") CONFIG_FILES="$CONFIG_FILES bin/plugins/Makefile" ;;
+    "bin/python/Makefile") CONFIG_FILES="$CONFIG_FILES bin/python/Makefile" ;;
+    "bin/python/dnssec-checkds.py") CONFIG_FILES="$CONFIG_FILES bin/python/dnssec-checkds.py" ;;
+    "bin/python/dnssec-coverage.py") CONFIG_FILES="$CONFIG_FILES bin/python/dnssec-coverage.py" ;;
+    "bin/python/dnssec-keymgr.py") CONFIG_FILES="$CONFIG_FILES bin/python/dnssec-keymgr.py" ;;
+    "bin/python/isc/Makefile") CONFIG_FILES="$CONFIG_FILES bin/python/isc/Makefile" ;;
+    "bin/python/isc/__init__.py") CONFIG_FILES="$CONFIG_FILES bin/python/isc/__init__.py" ;;
+    "bin/python/isc/checkds.py") CONFIG_FILES="$CONFIG_FILES bin/python/isc/checkds.py" ;;
+    "bin/python/isc/coverage.py") CONFIG_FILES="$CONFIG_FILES bin/python/isc/coverage.py" ;;
+    "bin/python/isc/dnskey.py") CONFIG_FILES="$CONFIG_FILES bin/python/isc/dnskey.py" ;;
+    "bin/python/isc/eventlist.py") CONFIG_FILES="$CONFIG_FILES bin/python/isc/eventlist.py" ;;
+    "bin/python/isc/keydict.py") CONFIG_FILES="$CONFIG_FILES bin/python/isc/keydict.py" ;;
+    "bin/python/isc/keyevent.py") CONFIG_FILES="$CONFIG_FILES bin/python/isc/keyevent.py" ;;
+    "bin/python/isc/keymgr.py") CONFIG_FILES="$CONFIG_FILES bin/python/isc/keymgr.py" ;;
+    "bin/python/isc/keyseries.py") CONFIG_FILES="$CONFIG_FILES bin/python/isc/keyseries.py" ;;
+    "bin/python/isc/keyzone.py") CONFIG_FILES="$CONFIG_FILES bin/python/isc/keyzone.py" ;;
+    "bin/python/isc/policy.py") CONFIG_FILES="$CONFIG_FILES bin/python/isc/policy.py" ;;
+    "bin/python/isc/rndc.py") CONFIG_FILES="$CONFIG_FILES bin/python/isc/rndc.py" ;;
+    "bin/python/isc/tests/Makefile") CONFIG_FILES="$CONFIG_FILES bin/python/isc/tests/Makefile" ;;
+    "bin/python/isc/tests/dnskey_test.py") CONFIG_FILES="$CONFIG_FILES bin/python/isc/tests/dnskey_test.py" ;;
+    "bin/python/isc/tests/policy_test.py") CONFIG_FILES="$CONFIG_FILES bin/python/isc/tests/policy_test.py" ;;
+    "bin/python/isc/utils.py") CONFIG_FILES="$CONFIG_FILES bin/python/isc/utils.py" ;;
+    "bin/rndc/Makefile") CONFIG_FILES="$CONFIG_FILES bin/rndc/Makefile" ;;
+    "bin/tests/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/Makefile" ;;
+    "bin/tests/headerdep_test.sh") CONFIG_FILES="$CONFIG_FILES bin/tests/headerdep_test.sh" ;;
+    "bin/tests/optional/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/optional/Makefile" ;;
+    "bin/tests/pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/pkcs11/Makefile" ;;
+    "bin/tests/pkcs11/benchmarks/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/pkcs11/benchmarks/Makefile" ;;
+    "bin/tests/system/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/system/Makefile" ;;
+    "bin/tests/system/conf.sh") CONFIG_FILES="$CONFIG_FILES bin/tests/system/conf.sh" ;;
+    "bin/tests/system/dlzexternal/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/system/dlzexternal/Makefile" ;;
+    "bin/tests/system/dlzexternal/ns1/dlzs.conf") CONFIG_FILES="$CONFIG_FILES bin/tests/system/dlzexternal/ns1/dlzs.conf" ;;
+    "bin/tests/system/dyndb/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/system/dyndb/Makefile" ;;
+    "bin/tests/system/dyndb/driver/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/system/dyndb/driver/Makefile" ;;
+    "bin/tests/system/pipelined/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/system/pipelined/Makefile" ;;
+    "bin/tests/system/rndc/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/system/rndc/Makefile" ;;
+    "bin/tests/system/rpz/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/system/rpz/Makefile" ;;
+    "bin/tests/system/rsabigexponent/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/system/rsabigexponent/Makefile" ;;
+    "bin/tests/system/tkey/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/system/tkey/Makefile" ;;
+    "bin/tools/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tools/Makefile" ;;
+    "contrib/scripts/check-secure-delegation.pl") CONFIG_FILES="$CONFIG_FILES contrib/scripts/check-secure-delegation.pl" ;;
+    "contrib/scripts/zone-edit.sh") CONFIG_FILES="$CONFIG_FILES contrib/scripts/zone-edit.sh" ;;
+    "doc/Makefile") CONFIG_FILES="$CONFIG_FILES doc/Makefile" ;;
+    "doc/arm/Makefile") CONFIG_FILES="$CONFIG_FILES doc/arm/Makefile" ;;
+    "doc/doxygen/Doxyfile") CONFIG_FILES="$CONFIG_FILES doc/doxygen/Doxyfile" ;;
+    "doc/doxygen/Makefile") CONFIG_FILES="$CONFIG_FILES doc/doxygen/Makefile" ;;
+    "doc/doxygen/doxygen-input-filter") CONFIG_FILES="$CONFIG_FILES doc/doxygen/doxygen-input-filter" ;;
+    "doc/man/Makefile") CONFIG_FILES="$CONFIG_FILES doc/man/Makefile" ;;
+    "doc/misc/Makefile") CONFIG_FILES="$CONFIG_FILES doc/misc/Makefile" ;;
+    "fuzz/Makefile") CONFIG_FILES="$CONFIG_FILES fuzz/Makefile" ;;
+    "lib/Makefile") CONFIG_FILES="$CONFIG_FILES lib/Makefile" ;;
+    "lib/bind9/Makefile") CONFIG_FILES="$CONFIG_FILES lib/bind9/Makefile" ;;
+    "lib/bind9/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/bind9/include/Makefile" ;;
+    "lib/bind9/include/bind9/Makefile") CONFIG_FILES="$CONFIG_FILES lib/bind9/include/bind9/Makefile" ;;
+    "lib/dns/Makefile") CONFIG_FILES="$CONFIG_FILES lib/dns/Makefile" ;;
+    "lib/dns/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/dns/include/Makefile" ;;
+    "lib/dns/include/dns/Makefile") CONFIG_FILES="$CONFIG_FILES lib/dns/include/dns/Makefile" ;;
+    "lib/dns/include/dst/Makefile") CONFIG_FILES="$CONFIG_FILES lib/dns/include/dst/Makefile" ;;
+    "lib/dns/tests/Makefile") CONFIG_FILES="$CONFIG_FILES lib/dns/tests/Makefile" ;;
+    "lib/irs/Makefile") CONFIG_FILES="$CONFIG_FILES lib/irs/Makefile" ;;
+    "lib/irs/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/irs/include/Makefile" ;;
+    "lib/irs/include/irs/Makefile") CONFIG_FILES="$CONFIG_FILES lib/irs/include/irs/Makefile" ;;
+    "lib/irs/include/irs/netdb.h") CONFIG_FILES="$CONFIG_FILES lib/irs/include/irs/netdb.h" ;;
+    "lib/irs/include/irs/platform.h") CONFIG_FILES="$CONFIG_FILES lib/irs/include/irs/platform.h" ;;
+    "lib/irs/tests/Makefile") CONFIG_FILES="$CONFIG_FILES lib/irs/tests/Makefile" ;;
+    "lib/isc/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc/Makefile" ;;
+    "lib/isc/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc/include/Makefile" ;;
+    "lib/isc/include/isc/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc/include/isc/Makefile" ;;
+    "lib/isc/include/isc/platform.h") CONFIG_FILES="$CONFIG_FILES lib/isc/include/isc/platform.h" ;;
+    "lib/isc/include/pk11/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc/include/pk11/Makefile" ;;
+    "lib/isc/include/pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc/include/pkcs11/Makefile" ;;
+    "lib/isc/netmgr/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc/netmgr/Makefile" ;;
+    "lib/isc/pthreads/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc/pthreads/Makefile" ;;
+    "lib/isc/pthreads/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc/pthreads/include/Makefile" ;;
+    "lib/isc/pthreads/include/isc/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc/pthreads/include/isc/Makefile" ;;
+    "lib/isc/tests/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc/tests/Makefile" ;;
+    "lib/isc/unix/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc/unix/Makefile" ;;
+    "lib/isc/unix/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc/unix/include/Makefile" ;;
+    "lib/isc/unix/include/isc/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc/unix/include/isc/Makefile" ;;
+    "lib/isccc/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isccc/Makefile" ;;
+    "lib/isccc/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isccc/include/Makefile" ;;
+    "lib/isccc/include/isccc/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isccc/include/isccc/Makefile" ;;
+    "lib/isccc/tests/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isccc/tests/Makefile" ;;
+    "lib/isccfg/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isccfg/Makefile" ;;
+    "lib/isccfg/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isccfg/include/Makefile" ;;
+    "lib/isccfg/include/isccfg/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isccfg/include/isccfg/Makefile" ;;
+    "lib/isccfg/tests/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isccfg/tests/Makefile" ;;
+    "lib/ns/Makefile") CONFIG_FILES="$CONFIG_FILES lib/ns/Makefile" ;;
+    "lib/ns/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/ns/include/Makefile" ;;
+    "lib/ns/include/ns/Makefile") CONFIG_FILES="$CONFIG_FILES lib/ns/include/ns/Makefile" ;;
+    "lib/ns/tests/Makefile") CONFIG_FILES="$CONFIG_FILES lib/ns/tests/Makefile" ;;
+    "make/Makefile") CONFIG_FILES="$CONFIG_FILES make/Makefile" ;;
+    "make/mkdep") CONFIG_FILES="$CONFIG_FILES make/mkdep" ;;
+    "unit/unittest.sh") CONFIG_FILES="$CONFIG_FILES unit/unittest.sh" ;;
+    "util/check-make-install") CONFIG_FILES="$CONFIG_FILES util/check-make-install" ;;
+
+  *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
+  esac
+done
+
+
+# If the user did not use the arguments to specify the items to instantiate,
+# then the envvar interface is used.  Set only those that are not.
+# We use the long form for the default assignment because of an extremely
+# bizarre bug on SunOS 4.1.3.
+if $ac_need_defaults; then
+  test "${CONFIG_FILES+set}" = set || CONFIG_FILES=$config_files
+  test "${CONFIG_HEADERS+set}" = set || CONFIG_HEADERS=$config_headers
+  test "${CONFIG_COMMANDS+set}" = set || CONFIG_COMMANDS=$config_commands
+fi
+
+# Have a temporary directory for convenience.  Make it in the build tree
+# simply because there is no reason against having it here, and in addition,
+# creating and moving files from /tmp can sometimes cause problems.
+# Hook for its removal unless debugging.
+# Note that there is a small window in which the directory will not be cleaned:
+# after its creation but before its name has been assigned to `$tmp'.
+$debug ||
+{
+  tmp= ac_tmp=
+  trap 'exit_status=$?
+  : "${ac_tmp:=$tmp}"
+  { test ! -d "$ac_tmp" || rm -fr "$ac_tmp"; } && exit $exit_status
+' 0
+  trap 'as_fn_exit 1' 1 2 13 15
+}
+# Create a (secure) tmp directory for tmp files.
+
+{
+  tmp=`(umask 077 && mktemp -d "./confXXXXXX") 2>/dev/null` &&
+  test -d "$tmp"
+}  ||
+{
+  tmp=./conf$$-$RANDOM
+  (umask 077 && mkdir "$tmp")
+} || as_fn_error $? "cannot create a temporary directory in ." "$LINENO" 5
+ac_tmp=$tmp
+
+# Set up the scripts for CONFIG_FILES section.
+# No need to generate them if there are no CONFIG_FILES.
+# This happens for instance with `./config.status config.h'.
+if test -n "$CONFIG_FILES"; then
+
+if $AWK 'BEGIN { getline <"/dev/null" }' </dev/null 2>/dev/null; then
+  ac_cs_awk_getline=:
+  ac_cs_awk_pipe_init=
+  ac_cs_awk_read_file='
+      while ((getline aline < (F[key])) > 0)
+	print(aline)
+      close(F[key])'
+  ac_cs_awk_pipe_fini=
+else
+  ac_cs_awk_getline=false
+  ac_cs_awk_pipe_init="print \"cat <<'|#_!!_#|' &&\""
+  ac_cs_awk_read_file='
+      print "|#_!!_#|"
+      print "cat " F[key] " &&"
+      '$ac_cs_awk_pipe_init
+  # The final `:' finishes the AND list.
+  ac_cs_awk_pipe_fini='END { print "|#_!!_#|"; print ":" }'
+fi
+ac_cr=`echo X | tr X '\015'`
+# On cygwin, bash can eat \r inside `` if the user requested igncr.
+# But we know of no other shell where ac_cr would be empty at this
+# point, so we can use a bashism as a fallback.
+if test "x$ac_cr" = x; then
+  eval ac_cr=\$\'\\r\'
+fi
+ac_cs_awk_cr=`$AWK 'BEGIN { print "a\rb" }' </dev/null 2>/dev/null`
+if test "$ac_cs_awk_cr" = "a${ac_cr}b"; then
+  ac_cs_awk_cr='\\r'
+else
+  ac_cs_awk_cr=$ac_cr
+fi
+
+echo 'BEGIN {' >"$ac_tmp/subs1.awk" &&
+_ACEOF
+
+# Create commands to substitute file output variables.
+{
+  echo "cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1" &&
+  echo 'cat >>"\$ac_tmp/subs1.awk" <<\\_ACAWK &&' &&
+  echo "$ac_subst_files" | sed 's/.*/F["&"]="$&"/' &&
+  echo "_ACAWK" &&
+  echo "_ACEOF"
+} >conf$$files.sh &&
+. ./conf$$files.sh ||
+  as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5
+rm -f conf$$files.sh
+
+{
+  echo "cat >conf$$subs.awk <<_ACEOF" &&
+  echo "$ac_subst_vars" | sed 's/.*/&!$&$ac_delim/' &&
+  echo "_ACEOF"
+} >conf$$subs.sh ||
+  as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5
+ac_delim_num=`echo "$ac_subst_vars" | grep -c '^'`
+ac_delim='%!_!# '
+for ac_last_try in false false false false false :; do
+  . ./conf$$subs.sh ||
+    as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5
+
+  ac_delim_n=`sed -n "s/.*$ac_delim\$/X/p" conf$$subs.awk | grep -c X`
+  if test $ac_delim_n = $ac_delim_num; then
+    break
+  elif $ac_last_try; then
+    as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5
+  else
+    ac_delim="$ac_delim!$ac_delim _$ac_delim!! "
+  fi
+done
+rm -f conf$$subs.sh
+
+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+cat >>"\$ac_tmp/subs1.awk" <<\\_ACAWK &&
+_ACEOF
+sed -n '
+h
+s/^/S["/; s/!.*/"]=/
+p
+g
+s/^[^!]*!//
+:repl
+t repl
+s/'"$ac_delim"'$//
+t delim
+:nl
+h
+s/\(.\{148\}\)..*/\1/
+t more1
+s/["\\]/\\&/g; s/^/"/; s/$/\\n"\\/
+p
+n
+b repl
+:more1
+s/["\\]/\\&/g; s/^/"/; s/$/"\\/
+p
+g
+s/.\{148\}//
+t nl
+:delim
+h
+s/\(.\{148\}\)..*/\1/
+t more2
+s/["\\]/\\&/g; s/^/"/; s/$/"/
+p
+b
+:more2
+s/["\\]/\\&/g; s/^/"/; s/$/"\\/
+p
+g
+s/.\{148\}//
+t delim
+' <conf$$subs.awk | sed '
+/^[^""]/{
+  N
+  s/\n//
+}
+' >>$CONFIG_STATUS || ac_write_fail=1
+rm -f conf$$subs.awk
+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+_ACAWK
+cat >>"\$ac_tmp/subs1.awk" <<_ACAWK &&
+  for (key in S) S_is_set[key] = 1
+  FS = ""
+  \$ac_cs_awk_pipe_init
+}
+{
+  line = $ 0
+  nfields = split(line, field, "@")
+  substed = 0
+  len = length(field[1])
+  for (i = 2; i < nfields; i++) {
+    key = field[i]
+    keylen = length(key)
+    if (S_is_set[key]) {
+      value = S[key]
+      line = substr(line, 1, len) "" value "" substr(line, len + keylen + 3)
+      len += length(value) + length(field[++i])
+      substed = 1
+    } else
+      len += 1 + keylen
+  }
+  if (nfields == 3 && !substed) {
+    key = field[2]
+    if (F[key] != "" && line ~ /^[	 ]*@.*@[	 ]*$/) {
+      \$ac_cs_awk_read_file
+      next
+    }
+  }
+  print line
+}
+\$ac_cs_awk_pipe_fini
+_ACAWK
+_ACEOF
+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+if sed "s/$ac_cr//" < /dev/null > /dev/null 2>&1; then
+  sed "s/$ac_cr\$//; s/$ac_cr/$ac_cs_awk_cr/g"
+else
+  cat
+fi < "$ac_tmp/subs1.awk" > "$ac_tmp/subs.awk" \
+  || as_fn_error $? "could not setup config files machinery" "$LINENO" 5
+_ACEOF
+
+# VPATH may cause trouble with some makes, so we remove sole $(srcdir),
+# ${srcdir} and @srcdir@ entries from VPATH if srcdir is ".", strip leading and
+# trailing colons and then remove the whole line if VPATH becomes empty
+# (actually we leave an empty line to preserve line numbers).
+if test "x$srcdir" = x.; then
+  ac_vpsub='/^[	 ]*VPATH[	 ]*=[	 ]*/{
+h
+s///
+s/^/:/
+s/[	 ]*$/:/
+s/:\$(srcdir):/:/g
+s/:\${srcdir}:/:/g
+s/:@srcdir@:/:/g
+s/^:*//
+s/:*$//
+x
+s/\(=[	 ]*\).*/\1/
+G
+s/\n//
+s/^[^=]*=[	 ]*$//
+}'
+fi
+
+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+fi # test -n "$CONFIG_FILES"
+
+# Set up the scripts for CONFIG_HEADERS section.
+# No need to generate them if there are no CONFIG_HEADERS.
+# This happens for instance with `./config.status Makefile'.
+if test -n "$CONFIG_HEADERS"; then
+cat >"$ac_tmp/defines.awk" <<\_ACAWK ||
+BEGIN {
+_ACEOF
+
+# Transform confdefs.h into an awk script `defines.awk', embedded as
+# here-document in config.status, that substitutes the proper values into
+# config.h.in to produce config.h.
+
+# Create a delimiter string that does not exist in confdefs.h, to ease
+# handling of long lines.
+ac_delim='%!_!# '
+for ac_last_try in false false :; do
+  ac_tt=`sed -n "/$ac_delim/p" confdefs.h`
+  if test -z "$ac_tt"; then
+    break
+  elif $ac_last_try; then
+    as_fn_error $? "could not make $CONFIG_HEADERS" "$LINENO" 5
+  else
+    ac_delim="$ac_delim!$ac_delim _$ac_delim!! "
+  fi
+done
+
+# For the awk script, D is an array of macro values keyed by name,
+# likewise P contains macro parameters if any.  Preserve backslash
+# newline sequences.
+
+ac_word_re=[_$as_cr_Letters][_$as_cr_alnum]*
+sed -n '
+s/.\{148\}/&'"$ac_delim"'/g
+t rset
+:rset
+s/^[	 ]*#[	 ]*define[	 ][	 ]*/ /
+t def
+d
+:def
+s/\\$//
+t bsnl
+s/["\\]/\\&/g
+s/^ \('"$ac_word_re"'\)\(([^()]*)\)[	 ]*\(.*\)/P["\1"]="\2"\
+D["\1"]=" \3"/p
+s/^ \('"$ac_word_re"'\)[	 ]*\(.*\)/D["\1"]=" \2"/p
+d
+:bsnl
+s/["\\]/\\&/g
+s/^ \('"$ac_word_re"'\)\(([^()]*)\)[	 ]*\(.*\)/P["\1"]="\2"\
+D["\1"]=" \3\\\\\\n"\\/p
+t cont
+s/^ \('"$ac_word_re"'\)[	 ]*\(.*\)/D["\1"]=" \2\\\\\\n"\\/p
+t cont
+d
+:cont
+n
+s/.\{148\}/&'"$ac_delim"'/g
+t clear
+:clear
+s/\\$//
+t bsnlc
+s/["\\]/\\&/g; s/^/"/; s/$/"/p
+d
+:bsnlc
+s/["\\]/\\&/g; s/^/"/; s/$/\\\\\\n"\\/p
+b cont
+' <confdefs.h | sed '
+s/'"$ac_delim"'/"\\\
+"/g' >>$CONFIG_STATUS || ac_write_fail=1
+
+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+  for (key in D) D_is_set[key] = 1
+  FS = ""
+}
+/^[\t ]*#[\t ]*(define|undef)[\t ]+$ac_word_re([\t (]|\$)/ {
+  line = \$ 0
+  split(line, arg, " ")
+  if (arg[1] == "#") {
+    defundef = arg[2]
+    mac1 = arg[3]
+  } else {
+    defundef = substr(arg[1], 2)
+    mac1 = arg[2]
+  }
+  split(mac1, mac2, "(") #)
+  macro = mac2[1]
+  prefix = substr(line, 1, index(line, defundef) - 1)
+  if (D_is_set[macro]) {
+    # Preserve the white space surrounding the "#".
+    print prefix "define", macro P[macro] D[macro]
+    next
+  } else {
+    # Replace #undef with comments.  This is necessary, for example,
+    # in the case of _POSIX_SOURCE, which is predefined and required
+    # on some systems where configure will not decide to define it.
+    if (defundef == "undef") {
+      print "/*", prefix defundef, macro, "*/"
+      next
+    }
+  }
+}
+{ print }
+_ACAWK
+_ACEOF
+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+  as_fn_error $? "could not setup config headers machinery" "$LINENO" 5
+fi # test -n "$CONFIG_HEADERS"
+
+
+eval set X "  :F $CONFIG_FILES  :H $CONFIG_HEADERS    :C $CONFIG_COMMANDS"
+shift
+for ac_tag
+do
+  case $ac_tag in
+  :[FHLC]) ac_mode=$ac_tag; continue;;
+  esac
+  case $ac_mode$ac_tag in
+  :[FHL]*:*);;
+  :L* | :C*:*) as_fn_error $? "invalid tag \`$ac_tag'" "$LINENO" 5;;
+  :[FH]-) ac_tag=-:-;;
+  :[FH]*) ac_tag=$ac_tag:$ac_tag.in;;
+  esac
+  ac_save_IFS=$IFS
+  IFS=:
+  set x $ac_tag
+  IFS=$ac_save_IFS
+  shift
+  ac_file=$1
+  shift
+
+  case $ac_mode in
+  :L) ac_source=$1;;
+  :[FH])
+    ac_file_inputs=
+    for ac_f
+    do
+      case $ac_f in
+      -) ac_f="$ac_tmp/stdin";;
+      *) # Look for the file first in the build tree, then in the source tree
+	 # (if the path is not absolute).  The absolute path cannot be DOS-style,
+	 # because $ac_f cannot contain `:'.
+	 test -f "$ac_f" ||
+	   case $ac_f in
+	   [\\/$]*) false;;
+	   *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";;
+	   esac ||
+	   as_fn_error 1 "cannot find input file: \`$ac_f'" "$LINENO" 5;;
+      esac
+      case $ac_f in *\'*) ac_f=`$as_echo "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac
+      as_fn_append ac_file_inputs " '$ac_f'"
+    done
+
+    # Let's still pretend it is `configure' which instantiates (i.e., don't
+    # use $as_me), people would be surprised to read:
+    #    /* config.h.  Generated by config.status.  */
+    configure_input='Generated from '`
+	  $as_echo "$*" | sed 's|^[^:]*/||;s|:[^:]*/|, |g'
+	`' by configure.'
+    if test x"$ac_file" != x-; then
+      configure_input="$ac_file.  $configure_input"
+      { $as_echo "$as_me:${as_lineno-$LINENO}: creating $ac_file" >&5
+$as_echo "$as_me: creating $ac_file" >&6;}
+    fi
+    # Neutralize special characters interpreted by sed in replacement strings.
+    case $configure_input in #(
+    *\&* | *\|* | *\\* )
+       ac_sed_conf_input=`$as_echo "$configure_input" |
+       sed 's/[\\\\&|]/\\\\&/g'`;; #(
+    *) ac_sed_conf_input=$configure_input;;
+    esac
+
+    case $ac_tag in
+    *:-:* | *:-) cat >"$ac_tmp/stdin" \
+      || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;;
+    esac
+    ;;
+  esac
+
+  ac_dir=`$as_dirname -- "$ac_file" ||
+$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+	 X"$ac_file" : 'X\(//\)[^/]' \| \
+	 X"$ac_file" : 'X\(//\)$' \| \
+	 X"$ac_file" : 'X\(/\)' \| . 2>/dev/null ||
+$as_echo X"$ac_file" |
+    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)[^/].*/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\).*/{
+	    s//\1/
+	    q
+	  }
+	  s/.*/./; q'`
+  as_dir="$ac_dir"; as_fn_mkdir_p
+  ac_builddir=.
+
+case "$ac_dir" in
+.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;;
+*)
+  ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'`
+  # A ".." for each directory in $ac_dir_suffix.
+  ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'`
+  case $ac_top_builddir_sub in
+  "") ac_top_builddir_sub=. ac_top_build_prefix= ;;
+  *)  ac_top_build_prefix=$ac_top_builddir_sub/ ;;
+  esac ;;
+esac
+ac_abs_top_builddir=$ac_pwd
+ac_abs_builddir=$ac_pwd$ac_dir_suffix
+# for backward compatibility:
+ac_top_builddir=$ac_top_build_prefix
+
+case $srcdir in
+  .)  # We are building in place.
+    ac_srcdir=.
+    ac_top_srcdir=$ac_top_builddir_sub
+    ac_abs_top_srcdir=$ac_pwd ;;
+  [\\/]* | ?:[\\/]* )  # Absolute name.
+    ac_srcdir=$srcdir$ac_dir_suffix;
+    ac_top_srcdir=$srcdir
+    ac_abs_top_srcdir=$srcdir ;;
+  *) # Relative name.
+    ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix
+    ac_top_srcdir=$ac_top_build_prefix$srcdir
+    ac_abs_top_srcdir=$ac_pwd/$srcdir ;;
+esac
+ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix
+
+
+  case $ac_mode in
+  :F)
+  #
+  # CONFIG_FILE
+  #
+
+  case $INSTALL in
+  [\\/$]* | ?:[\\/]* ) ac_INSTALL=$INSTALL ;;
+  *) ac_INSTALL=$ac_top_build_prefix$INSTALL ;;
+  esac
+  ac_MKDIR_P=$MKDIR_P
+  case $MKDIR_P in
+  [\\/$]* | ?:[\\/]* ) ;;
+  */*) ac_MKDIR_P=$ac_top_build_prefix$MKDIR_P ;;
+  esac
+_ACEOF
+
+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+# If the template does not know about datarootdir, expand it.
+# FIXME: This hack should be removed a few years after 2.60.
+ac_datarootdir_hack=; ac_datarootdir_seen=
+ac_sed_dataroot='
+/datarootdir/ {
+  p
+  q
+}
+/@datadir@/p
+/@docdir@/p
+/@infodir@/p
+/@localedir@/p
+/@mandir@/p'
+case `eval "sed -n \"\$ac_sed_dataroot\" $ac_file_inputs"` in
+*datarootdir*) ac_datarootdir_seen=yes;;
+*@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*)
+  { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5
+$as_echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;}
+_ACEOF
+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+  ac_datarootdir_hack='
+  s&@datadir@&$datadir&g
+  s&@docdir@&$docdir&g
+  s&@infodir@&$infodir&g
+  s&@localedir@&$localedir&g
+  s&@mandir@&$mandir&g
+  s&\\\${datarootdir}&$datarootdir&g' ;;
+esac
+_ACEOF
+
+# Neutralize VPATH when `$srcdir' = `.'.
+# Shell code in configure.ac might set extrasub.
+# FIXME: do we really want to maintain this feature?
+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+ac_sed_extra="$ac_vpsub
+$extrasub
+_ACEOF
+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+:t
+/@[a-zA-Z_][a-zA-Z_0-9]*@/!b
+s|@configure_input@|$ac_sed_conf_input|;t t
+s&@top_builddir@&$ac_top_builddir_sub&;t t
+s&@top_build_prefix@&$ac_top_build_prefix&;t t
+s&@srcdir@&$ac_srcdir&;t t
+s&@abs_srcdir@&$ac_abs_srcdir&;t t
+s&@top_srcdir@&$ac_top_srcdir&;t t
+s&@abs_top_srcdir@&$ac_abs_top_srcdir&;t t
+s&@builddir@&$ac_builddir&;t t
+s&@abs_builddir@&$ac_abs_builddir&;t t
+s&@abs_top_builddir@&$ac_abs_top_builddir&;t t
+s&@INSTALL@&$ac_INSTALL&;t t
+s&@MKDIR_P@&$ac_MKDIR_P&;t t
+$ac_datarootdir_hack
+"
+eval sed \"\$ac_sed_extra\" "$ac_file_inputs" |
+if $ac_cs_awk_getline; then
+  $AWK -f "$ac_tmp/subs.awk"
+else
+  $AWK -f "$ac_tmp/subs.awk" | $SHELL
+fi \
+  >$ac_tmp/out || as_fn_error $? "could not create $ac_file" "$LINENO" 5
+
+test -z "$ac_datarootdir_hack$ac_datarootdir_seen" &&
+  { ac_out=`sed -n '/\${datarootdir}/p' "$ac_tmp/out"`; test -n "$ac_out"; } &&
+  { ac_out=`sed -n '/^[	 ]*datarootdir[	 ]*:*=/p' \
+      "$ac_tmp/out"`; test -z "$ac_out"; } &&
+  { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file contains a reference to the variable \`datarootdir'
+which seems to be undefined.  Please make sure it is defined" >&5
+$as_echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir'
+which seems to be undefined.  Please make sure it is defined" >&2;}
+
+  rm -f "$ac_tmp/stdin"
+  case $ac_file in
+  -) cat "$ac_tmp/out" && rm -f "$ac_tmp/out";;
+  *) rm -f "$ac_file" && mv "$ac_tmp/out" "$ac_file";;
+  esac \
+  || as_fn_error $? "could not create $ac_file" "$LINENO" 5
+ ;;
+  :H)
+  #
+  # CONFIG_HEADER
+  #
+  if test x"$ac_file" != x-; then
+    {
+      $as_echo "/* $configure_input  */" \
+      && eval '$AWK -f "$ac_tmp/defines.awk"' "$ac_file_inputs"
+    } >"$ac_tmp/config.h" \
+      || as_fn_error $? "could not create $ac_file" "$LINENO" 5
+    if diff "$ac_file" "$ac_tmp/config.h" >/dev/null 2>&1; then
+      { $as_echo "$as_me:${as_lineno-$LINENO}: $ac_file is unchanged" >&5
+$as_echo "$as_me: $ac_file is unchanged" >&6;}
+    else
+      rm -f "$ac_file"
+      mv "$ac_tmp/config.h" "$ac_file" \
+	|| as_fn_error $? "could not create $ac_file" "$LINENO" 5
+    fi
+  else
+    $as_echo "/* $configure_input  */" \
+      && eval '$AWK -f "$ac_tmp/defines.awk"' "$ac_file_inputs" \
+      || as_fn_error $? "could not create -" "$LINENO" 5
+  fi
+ ;;
+
+  :C)  { $as_echo "$as_me:${as_lineno-$LINENO}: executing $ac_file commands" >&5
+$as_echo "$as_me: executing $ac_file commands" >&6;}
+ ;;
+  esac
+
+
+  case $ac_file$ac_mode in
+    "libtool":C)
+
+    # See if we are running on zsh, and set the options that allow our
+    # commands through without removal of \ escapes.
+    if test -n "${ZSH_VERSION+set}"; then
+      setopt NO_GLOB_SUBST
+    fi
+
+    cfgfile=${ofile}T
+    trap "$RM \"$cfgfile\"; exit 1" 1 2 15
+    $RM "$cfgfile"
+
+    cat <<_LT_EOF >> "$cfgfile"
+#! $SHELL
+# Generated automatically by $as_me ($PACKAGE) $VERSION
+# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
+# NOTE: Changes made to this file will be lost: look at ltmain.sh.
+
+# Provide generalized library-building support services.
+# Written by Gordon Matzigkeit, 1996
+
+# Copyright (C) 2014 Free Software Foundation, Inc.
+# This is free software; see the source for copying conditions.  There is NO
+# warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+# GNU Libtool is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of of the License, or
+# (at your option) any later version.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program or library that is built
+# using GNU Libtool, you may include this file under the  same
+# distribution terms that you use for the rest of that program.
+#
+# GNU Libtool is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+
+# The names of the tagged configurations supported by this script.
+available_tags=''
+
+# Configured defaults for sys_lib_dlsearch_path munging.
+: \${LT_SYS_LIBRARY_PATH="$configure_time_lt_sys_library_path"}
+
+# ### BEGIN LIBTOOL CONFIG
+
+# Which release of libtool.m4 was used?
+macro_version=$macro_version
+macro_revision=$macro_revision
+
+# Whether or not to build shared libraries.
+build_libtool_libs=$enable_shared
+
+# Whether or not to build static libraries.
+build_old_libs=$enable_static
+
+# What type of objects to build.
+pic_mode=$pic_mode
+
+# Whether or not to optimize for fast installation.
+fast_install=$enable_fast_install
+
+# Shared archive member basename,for filename based shared library versioning on AIX.
+shared_archive_member_spec=$shared_archive_member_spec
+
+# Shell to use when invoking shell scripts.
+SHELL=$lt_SHELL
+
+# An echo program that protects backslashes.
+ECHO=$lt_ECHO
+
+# The PATH separator for the build system.
+PATH_SEPARATOR=$lt_PATH_SEPARATOR
+
+# The host system.
+host_alias=$host_alias
+host=$host
+host_os=$host_os
+
+# The build system.
+build_alias=$build_alias
+build=$build
+build_os=$build_os
+
+# A sed program that does not truncate output.
+SED=$lt_SED
+
+# Sed that helps us avoid accidentally triggering echo(1) options like -n.
+Xsed="\$SED -e 1s/^X//"
+
+# A grep program that handles long lines.
+GREP=$lt_GREP
+
+# An ERE matcher.
+EGREP=$lt_EGREP
+
+# A literal string matcher.
+FGREP=$lt_FGREP
+
+# A BSD- or MS-compatible name lister.
+NM=$lt_NM
+
+# Whether we need soft or hard links.
+LN_S=$lt_LN_S
+
+# What is the maximum length of a command?
+max_cmd_len=$max_cmd_len
+
+# Object file suffix (normally "o").
+objext=$ac_objext
+
+# Executable file suffix (normally "").
+exeext=$exeext
+
+# whether the shell understands "unset".
+lt_unset=$lt_unset
+
+# turn spaces into newlines.
+SP2NL=$lt_lt_SP2NL
+
+# turn newlines into spaces.
+NL2SP=$lt_lt_NL2SP
+
+# convert \$build file names to \$host format.
+to_host_file_cmd=$lt_cv_to_host_file_cmd
+
+# convert \$build files to toolchain format.
+to_tool_file_cmd=$lt_cv_to_tool_file_cmd
+
+# An object symbol dumper.
+OBJDUMP=$lt_OBJDUMP
+
+# Method to check whether dependent libraries are shared objects.
+deplibs_check_method=$lt_deplibs_check_method
+
+# Command to use when deplibs_check_method = "file_magic".
+file_magic_cmd=$lt_file_magic_cmd
+
+# How to find potential files when deplibs_check_method = "file_magic".
+file_magic_glob=$lt_file_magic_glob
+
+# Find potential files using nocaseglob when deplibs_check_method = "file_magic".
+want_nocaseglob=$lt_want_nocaseglob
+
+# DLL creation program.
+DLLTOOL=$lt_DLLTOOL
+
+# Command to associate shared and link libraries.
+sharedlib_from_linklib_cmd=$lt_sharedlib_from_linklib_cmd
+
+# The archiver.
+AR=$lt_AR
+
+# Flags to create an archive.
+AR_FLAGS=$lt_AR_FLAGS
+
+# How to feed a file listing to the archiver.
+archiver_list_spec=$lt_archiver_list_spec
+
+# A symbol stripping program.
+STRIP=$lt_STRIP
+
+# Commands used to install an old-style archive.
+RANLIB=$lt_RANLIB
+old_postinstall_cmds=$lt_old_postinstall_cmds
+old_postuninstall_cmds=$lt_old_postuninstall_cmds
+
+# Whether to use a lock for old archive extraction.
+lock_old_archive_extraction=$lock_old_archive_extraction
+
+# A C compiler.
+LTCC=$lt_CC
+
+# LTCC compiler flags.
+LTCFLAGS=$lt_CFLAGS
+
+# Take the output of nm and produce a listing of raw symbols and C names.
+global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe
+
+# Transform the output of nm in a proper C declaration.
+global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl
+
+# Transform the output of nm into a list of symbols to manually relocate.
+global_symbol_to_import=$lt_lt_cv_sys_global_symbol_to_import
+
+# Transform the output of nm in a C name address pair.
+global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address
+
+# Transform the output of nm in a C name address pair when lib prefix is needed.
+global_symbol_to_c_name_address_lib_prefix=$lt_lt_cv_sys_global_symbol_to_c_name_address_lib_prefix
+
+# The name lister interface.
+nm_interface=$lt_lt_cv_nm_interface
+
+# Specify filename containing input files for \$NM.
+nm_file_list_spec=$lt_nm_file_list_spec
+
+# The root where to search for dependent libraries,and where our libraries should be installed.
+lt_sysroot=$lt_sysroot
+
+# Command to truncate a binary pipe.
+lt_truncate_bin=$lt_lt_cv_truncate_bin
+
+# The name of the directory that contains temporary libtool files.
+objdir=$objdir
+
+# Used to examine libraries when file_magic_cmd begins with "file".
+MAGIC_CMD=$MAGIC_CMD
+
+# Must we lock files when doing compilation?
+need_locks=$lt_need_locks
+
+# Manifest tool.
+MANIFEST_TOOL=$lt_MANIFEST_TOOL
+
+# Tool to manipulate archived DWARF debug symbol files on Mac OS X.
+DSYMUTIL=$lt_DSYMUTIL
+
+# Tool to change global to local symbols on Mac OS X.
+NMEDIT=$lt_NMEDIT
+
+# Tool to manipulate fat objects and archives on Mac OS X.
+LIPO=$lt_LIPO
+
+# ldd/readelf like tool for Mach-O binaries on Mac OS X.
+OTOOL=$lt_OTOOL
+
+# ldd/readelf like tool for 64 bit Mach-O binaries on Mac OS X 10.4.
+OTOOL64=$lt_OTOOL64
+
+# Old archive suffix (normally "a").
+libext=$libext
+
+# Shared library suffix (normally ".so").
+shrext_cmds=$lt_shrext_cmds
+
+# The commands to extract the exported symbol list from a shared archive.
+extract_expsyms_cmds=$lt_extract_expsyms_cmds
+
+# Variables whose values should be saved in libtool wrapper scripts and
+# restored at link time.
+variables_saved_for_relink=$lt_variables_saved_for_relink
+
+# Do we need the "lib" prefix for modules?
+need_lib_prefix=$need_lib_prefix
+
+# Do we need a version for libraries?
+need_version=$need_version
+
+# Library versioning type.
+version_type=$version_type
+
+# Shared library runtime path variable.
+runpath_var=$runpath_var
+
+# Shared library path variable.
+shlibpath_var=$shlibpath_var
+
+# Is shlibpath searched before the hard-coded library search path?
+shlibpath_overrides_runpath=$shlibpath_overrides_runpath
+
+# Format of library name prefix.
+libname_spec=$lt_libname_spec
+
+# List of archive names.  First name is the real one, the rest are links.
+# The last name is the one that the linker finds with -lNAME
+library_names_spec=$lt_library_names_spec
+
+# The coded name of the library, if different from the real name.
+soname_spec=$lt_soname_spec
+
+# Permission mode override for installation of shared libraries.
+install_override_mode=$lt_install_override_mode
+
+# Command to use after installation of a shared archive.
+postinstall_cmds=$lt_postinstall_cmds
+
+# Command to use after uninstallation of a shared archive.
+postuninstall_cmds=$lt_postuninstall_cmds
+
+# Commands used to finish a libtool library installation in a directory.
+finish_cmds=$lt_finish_cmds
+
+# As "finish_cmds", except a single script fragment to be evaled but
+# not shown.
+finish_eval=$lt_finish_eval
+
+# Whether we should hardcode library paths into libraries.
+hardcode_into_libs=$hardcode_into_libs
+
+# Compile-time system search path for libraries.
+sys_lib_search_path_spec=$lt_sys_lib_search_path_spec
+
+# Detected run-time system search path for libraries.
+sys_lib_dlsearch_path_spec=$lt_configure_time_dlsearch_path
+
+# Explicit LT_SYS_LIBRARY_PATH set during ./configure time.
+configure_time_lt_sys_library_path=$lt_configure_time_lt_sys_library_path
+
+# Whether dlopen is supported.
+dlopen_support=$enable_dlopen
+
+# Whether dlopen of programs is supported.
+dlopen_self=$enable_dlopen_self
+
+# Whether dlopen of statically linked programs is supported.
+dlopen_self_static=$enable_dlopen_self_static
+
+# Commands to strip libraries.
+old_striplib=$lt_old_striplib
+striplib=$lt_striplib
+
+
+# The linker used to build libraries.
+LD=$lt_LD
+
+# How to create reloadable object files.
+reload_flag=$lt_reload_flag
+reload_cmds=$lt_reload_cmds
+
+# Commands used to build an old-style archive.
+old_archive_cmds=$lt_old_archive_cmds
+
+# A language specific compiler.
+CC=$lt_compiler
+
+# Is the compiler the GNU compiler?
+with_gcc=$GCC
+
+# Compiler flag to turn off builtin functions.
+no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag
+
+# Additional compiler flags for building library objects.
+pic_flag=$lt_lt_prog_compiler_pic
+
+# How to pass a linker flag through the compiler.
+wl=$lt_lt_prog_compiler_wl
+
+# Compiler flag to prevent dynamic linking.
+link_static_flag=$lt_lt_prog_compiler_static
+
+# Does compiler simultaneously support -c and -o options?
+compiler_c_o=$lt_lt_cv_prog_compiler_c_o
+
+# Whether or not to add -lc for building shared libraries.
+build_libtool_need_lc=$archive_cmds_need_lc
+
+# Whether or not to disallow shared libs when runtime libs are static.
+allow_libtool_libs_with_static_runtimes=$enable_shared_with_static_runtimes
+
+# Compiler flag to allow reflexive dlopens.
+export_dynamic_flag_spec=$lt_export_dynamic_flag_spec
+
+# Compiler flag to generate shared objects directly from archives.
+whole_archive_flag_spec=$lt_whole_archive_flag_spec
+
+# Whether the compiler copes with passing no objects directly.
+compiler_needs_object=$lt_compiler_needs_object
+
+# Create an old-style archive from a shared archive.
+old_archive_from_new_cmds=$lt_old_archive_from_new_cmds
+
+# Create a temporary old-style archive to link instead of a shared archive.
+old_archive_from_expsyms_cmds=$lt_old_archive_from_expsyms_cmds
+
+# Commands used to build a shared archive.
+archive_cmds=$lt_archive_cmds
+archive_expsym_cmds=$lt_archive_expsym_cmds
+
+# Commands used to build a loadable module if different from building
+# a shared archive.
+module_cmds=$lt_module_cmds
+module_expsym_cmds=$lt_module_expsym_cmds
+
+# Whether we are building with GNU ld or not.
+with_gnu_ld=$lt_with_gnu_ld
+
+# Flag that allows shared libraries with undefined symbols to be built.
+allow_undefined_flag=$lt_allow_undefined_flag
+
+# Flag that enforces no undefined symbols.
+no_undefined_flag=$lt_no_undefined_flag
+
+# Flag to hardcode \$libdir into a binary during linking.
+# This must work even if \$libdir does not exist
+hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec
+
+# Whether we need a single "-rpath" flag with a separated argument.
+hardcode_libdir_separator=$lt_hardcode_libdir_separator
+
+# Set to "yes" if using DIR/libNAME\$shared_ext during linking hardcodes
+# DIR into the resulting binary.
+hardcode_direct=$hardcode_direct
+
+# Set to "yes" if using DIR/libNAME\$shared_ext during linking hardcodes
+# DIR into the resulting binary and the resulting library dependency is
+# "absolute",i.e impossible to change by setting \$shlibpath_var if the
+# library is relocated.
+hardcode_direct_absolute=$hardcode_direct_absolute
+
+# Set to "yes" if using the -LDIR flag during linking hardcodes DIR
+# into the resulting binary.
+hardcode_minus_L=$hardcode_minus_L
+
+# Set to "yes" if using SHLIBPATH_VAR=DIR during linking hardcodes DIR
+# into the resulting binary.
+hardcode_shlibpath_var=$hardcode_shlibpath_var
+
+# Set to "yes" if building a shared library automatically hardcodes DIR
+# into the library and all subsequent libraries and executables linked
+# against it.
+hardcode_automatic=$hardcode_automatic
+
+# Set to yes if linker adds runtime paths of dependent libraries
+# to runtime path list.
+inherit_rpath=$inherit_rpath
+
+# Whether libtool must link a program against all its dependency libraries.
+link_all_deplibs=$link_all_deplibs
+
+# Set to "yes" if exported symbols are required.
+always_export_symbols=$always_export_symbols
+
+# The commands to list exported symbols.
+export_symbols_cmds=$lt_export_symbols_cmds
+
+# Symbols that should not be listed in the preloaded symbols.
+exclude_expsyms=$lt_exclude_expsyms
+
+# Symbols that must always be exported.
+include_expsyms=$lt_include_expsyms
+
+# Commands necessary for linking programs (against libraries) with templates.
+prelink_cmds=$lt_prelink_cmds
+
+# Commands necessary for finishing linking programs.
+postlink_cmds=$lt_postlink_cmds
+
+# Specify filename containing input files.
+file_list_spec=$lt_file_list_spec
+
+# How to hardcode a shared library path into an executable.
+hardcode_action=$hardcode_action
+
+# ### END LIBTOOL CONFIG
+
+_LT_EOF
+
+    cat <<'_LT_EOF' >> "$cfgfile"
+
+# ### BEGIN FUNCTIONS SHARED WITH CONFIGURE
+
+# func_munge_path_list VARIABLE PATH
+# -----------------------------------
+# VARIABLE is name of variable containing _space_ separated list of
+# directories to be munged by the contents of PATH, which is string
+# having a format:
+# "DIR[:DIR]:"
+#       string "DIR[ DIR]" will be prepended to VARIABLE
+# ":DIR[:DIR]"
+#       string "DIR[ DIR]" will be appended to VARIABLE
+# "DIRP[:DIRP]::[DIRA:]DIRA"
+#       string "DIRP[ DIRP]" will be prepended to VARIABLE and string
+#       "DIRA[ DIRA]" will be appended to VARIABLE
+# "DIR[:DIR]"
+#       VARIABLE will be replaced by "DIR[ DIR]"
+func_munge_path_list ()
+{
+    case x$2 in
+    x)
+        ;;
+    *:)
+        eval $1=\"`$ECHO $2 | $SED 's/:/ /g'` \$$1\"
+        ;;
+    x:*)
+        eval $1=\"\$$1 `$ECHO $2 | $SED 's/:/ /g'`\"
+        ;;
+    *::*)
+        eval $1=\"\$$1\ `$ECHO $2 | $SED -e 's/.*:://' -e 's/:/ /g'`\"
+        eval $1=\"`$ECHO $2 | $SED -e 's/::.*//' -e 's/:/ /g'`\ \$$1\"
+        ;;
+    *)
+        eval $1=\"`$ECHO $2 | $SED 's/:/ /g'`\"
+        ;;
+    esac
+}
+
+
+# Calculate cc_basename.  Skip known compiler wrappers and cross-prefix.
+func_cc_basename ()
+{
+    for cc_temp in $*""; do
+      case $cc_temp in
+        compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
+        distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
+        \-*) ;;
+        *) break;;
+      esac
+    done
+    func_cc_basename_result=`$ECHO "$cc_temp" | $SED "s%.*/%%; s%^$host_alias-%%"`
+}
+
+
+# ### END FUNCTIONS SHARED WITH CONFIGURE
+
+_LT_EOF
+
+  case $host_os in
+  aix3*)
+    cat <<\_LT_EOF >> "$cfgfile"
+# AIX sometimes has problems with the GCC collect2 program.  For some
+# reason, if we set the COLLECT_NAMES environment variable, the problems
+# vanish in a puff of smoke.
+if test set != "${COLLECT_NAMES+set}"; then
+  COLLECT_NAMES=
+  export COLLECT_NAMES
+fi
+_LT_EOF
+    ;;
+  esac
+
+
+ltmain=$ac_aux_dir/ltmain.sh
+
+
+  # We use sed instead of cat because bash on DJGPP gets confused if
+  # if finds mixed CR/LF and LF-only lines.  Since sed operates in
+  # text mode, it properly converts lines to CR/LF.  This bash problem
+  # is reportedly fixed, but why not run on old versions too?
+  sed '$q' "$ltmain" >> "$cfgfile" \
+     || (rm -f "$cfgfile"; exit 1)
+
+   mv -f "$cfgfile" "$ofile" ||
+    (rm -f "$ofile" && cp "$cfgfile" "$ofile" && rm -f "$cfgfile")
+  chmod +x "$ofile"
+
+ ;;
+    "chmod":C) chmod a+x doc/doxygen/doxygen-input-filter ;;
+
+  esac
+done # for ac_tag
+
+
+as_fn_exit 0
+_ACEOF
+ac_clean_files=$ac_clean_files_save
+
+test $ac_write_fail = 0 ||
+  as_fn_error $? "write failure creating $CONFIG_STATUS" "$LINENO" 5
+
+
+# configure is writing to config.log, and then calls config.status.
+# config.status does its own redirection, appending to config.log.
+# Unfortunately, on DOS this fails, as config.log is still kept open
+# by configure, so config.status won't be able to write to it; its
+# output is simply discarded.  So we exec the FD to /dev/null,
+# effectively closing config.log, so it can be properly (re)opened and
+# appended to by config.status.  When coming back to configure, we
+# need to make the FD available again.
+if test "$no_create" != yes; then
+  ac_cs_success=:
+  ac_config_status_args=
+  test "$silent" = yes &&
+    ac_config_status_args="$ac_config_status_args --quiet"
+  exec 5>/dev/null
+  $SHELL $CONFIG_STATUS $ac_config_status_args || ac_cs_success=false
+  exec 5>>config.log
+  # Use ||, not &&, to avoid exiting from the if with $? = 1, which
+  # would make configure fail if this is the last instruction.
+  $ac_cs_success || as_fn_exit 1
+fi
+if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: unrecognized options: $ac_unrecognized_opts" >&5
+$as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;}
+fi
+
+
+#
+# Now that the Makefiles exist we can ensure that everything is rebuilt.
+#
+# [pairwise: --with-make-clean, --without-make-clean]
+
+# Check whether --with-make-clean was given.
+if test "${with_make_clean+set}" = set; then :
+  withval=$with_make_clean; make_clean="$withval"
+else
+  make_clean="yes"
+fi
+
+case "$make_clean" in
+yes)
+	if test "yes" != "$no_create"
+	then
+		if test "yes" = "$silent"
+		then
+			make clean > /dev/null
+		else
+			make clean
+		fi
+	fi
+	;;
+esac
+
+# [pairwise: --enable-full-report, --disable-full-report]
+# Check whether --enable-full-report was given.
+if test "${enable_full_report+set}" = set; then :
+  enableval=$enable_full_report;
+fi
+
+
+report() {
+    echo "==============================================================================="
+    echo "Configuration summary:"
+    echo "-------------------------------------------------------------------------------"
+    echo "Optional features enabled:"
+    if test "yes" = "$enable_full_report" -o "standard" = "$with_locktype"; then
+	echo "    Mutex lock type: $with_locktype"
+    fi
+    test "small" = "$with_tuning" && echo "    Small-system tuning (--with-tuning)"
+    test "no" = "$use_dnstap" || \
+	    echo "    Allow 'dnstap' packet logging (--enable-dnstap)"
+    test -z "$MAXMINDDB_LIBS" || echo "    GeoIP2 access control (--enable-geoip)"
+    test "no" = "$use_gssapi" || echo "    GSS-API (--with-gssapi)"
+
+    # these lines are only printed if run with --enable-full-report
+    if test "yes" = "$enable_full_report"; then
+	test "no" = "$found_ipv6" || echo "    IPv6 support (--enable-ipv6)"
+	test "X$PYTHON" = "X" || echo "    Python tools (--with-python)"
+	test "X$LIBXML2_LIBS" = "X" || echo "    XML statistics (--with-libxml2)"
+	test "X$JSON_C_LIBS" = "X" || echo "    JSON statistics (--with-json-c): $JSON_C_CFLAGS $JSON_C_LIBS"
+	test "X$ZLIB_LIBS" = "X" || echo "    HTTP zlib compression (--with-zlib)"
+	test "X$NZD_TOOLS" = "X" || echo "    LMDB database to store configuration for 'addzone' zones (--with-lmdb)"
+	test "no" = "$with_libidn2" || echo "    IDN support (--with-libidn2)"
+    fi
+
+    test "yes" = "$enable_dnsrps" && \
+	echo "    DNS Response Policy Service interface (--enable-dnsrps)"
+    test "yes" = "$enable_fixed" && \
+	echo "    Allow 'fixed' rrset-order (--enable-fixed-rrset)"
+    test "yes" = "$enable_backtrace" && \
+	echo "    Print backtrace on crash (--enable-backtrace)"
+    test "minimal" = "$want_symtable" && \
+	echo "    Use symbol table for backtrace, named only (--enable-symtable)"
+    test "yes" = "$want_symtable" -o "all" = "$want_symtable" && \
+	echo "    Use symbol table for backtrace, all binaries (--enable-symtable=all)"
+    test "no" = "$use_libtool" || echo "    Use GNU libtool (--with-libtool)"
+    test "yes" = "$want_querytrace" && \
+	echo "    Very verbose query trace logging (--enable-querytrace)"
+    test "no" = "$with_cmocka" || echo "    CMocka Unit Testing Framework (--with-cmocka)"
+
+    test "auto" = "$validation_default" && echo "    DNSSEC validation active by default (--enable-auto-validation)"
+
+    test "$CRYPTO" = "pkcs11" && (
+	echo "    Using PKCS#11 for Public-Key Cryptography (--with-native-pkcs11)"
+	echo "    PKCS#11 module (--with-pkcs11): $with_pkcs11"
+	echo "    +--------------------------------------------+"
+	echo "    |             ==== WARNING ====              |"
+	echo "    |                                            |"
+	echo "    | The use of native PKCS#11 for Public-Key   |"
+	echo "    | Cryptography in BIND 9 has been deprecated |"
+	echo "    | in favor of OpenSSL engine_pkcs11 from the |"
+	echo "    | OpenSC project. The --with-native-pkcs11   |"
+	echo "    | configuration option will be removed from  |"
+	echo "    | the next major BIND 9 release. The option  |"
+	echo "    | to use the engine_pkcs11 OpenSSL engine is |"
+	echo "    | already available in BIND 9; please see    |"
+	echo "    | the ARM section on PKCS#11 for details.    |"
+	echo "    +--------------------------------------------+"
+    )
+
+    dlz_enabled=no
+
+    echo "    Dynamically loadable zone (DLZ) drivers:"
+    if test "$use_dlz_bdb" != "no"; then :
+  $as_echo "        Berkeley DB (--with-dlz-bdb)"
+	   dlz_enabled=yes
+fi
+    if test "$use_dlz_ldap" != "no"; then :
+  $as_echo "        LDAP (--with-dlz-ldap)"
+	   dlz_enabled=yes
+fi
+    if test "$use_dlz_mysql" != "no"; then :
+  $as_echo "        MySQL (--with-dlz-mysql)"
+	   dlz_enabled=yes
+fi
+    if test "$use_dlz_odbc" != "no"; then :
+  $as_echo "        ODBC (--with-dlz-odbc)"
+	   dlz_enabled=yes
+fi
+    if test "$use_dlz_postgres" != "no"; then :
+  $as_echo "        Postgres (--with-dlz-postgres)"
+	   dlz_enabled=yes
+fi
+    if test "$use_dlz_filesystem" != "no"; then :
+  $as_echo "        Filesystem (--with-dlz-filesystem)"
+	   dlz_enabled=yes
+fi
+    if test "$use_dlz_stub" != "no"; then :
+  $as_echo "        Stub (--with-dlz-stub)"
+	   dlz_enabled=yes
+fi
+
+    if test "$dlz_enabled" = "no"; then :
+  $as_echo "        None"
+else
+  $as_echo "    +--------------------------------------------------------+"
+	   $as_echo "    |             ==== DEPRECATION WARNING ====              |"
+	   $as_echo "    +--------------------------------------------------------+"
+	   $as_echo "    | Old-style DLZ drivers have been deprecated in favor of |"
+	   $as_echo "    | DLZ modules. The DLZ drivers configuration option will |"
+	   $as_echo "    | be removed from the next major BIND 9 release.         |"
+	   $as_echo "    |                                                        |"
+	   $as_echo "    | The option to use the DLZ modules is already available |"
+	   $as_echo "    | in BIND 9; please see the ARM section on DLZ modules.  |"
+	   $as_echo "    +--------------------------------------------------------+"
+
+fi
+
+    echo "-------------------------------------------------------------------------------"
+
+    echo "Features disabled or unavailable on this platform:"
+    test "no" = "$found_ipv6" && echo "    IPv6 support (--enable-ipv6)"
+    test "small" = "$with_tuning" || echo "    Small-system tuning (--with-tuning)"
+
+    test "no" = "$use_dnstap" && \
+	    echo "    Allow 'dnstap' packet logging (--enable-dnstap)"
+    test -z "$MAXMINDDB_LIBS" && echo "    GeoIP2 access control (--enable-geoip)"
+    test "no" = "$use_gssapi" && echo "    GSS-API (--with-gssapi)"
+
+    test "no" = "$enable_dnsrps" && \
+	echo "    DNS Response Policy Service interface (--enable-dnsrps)"
+
+    test "yes" = "$enable_fixed" || \
+	echo "    Allow 'fixed' rrset-order (--enable-fixed-rrset)"
+
+    test "yes" = "$validation_default" && echo "    DNSSEC validation requires configuration (--enablee-auto-validation)"
+
+    test "$CRYPTO" = "pkcs11" || (
+	echo "    Using PKCS#11 for Public-Key Cryptography (--with-native-pkcs11)"
+    )
+
+    test "yes" = "$enable_backtrace" || \
+	echo "    Print backtrace on crash (--enable-backtrace)"
+    test "yes" = "$want_querytrace" || \
+	echo "    Very verbose query trace logging (--enable-querytrace)"
+
+    test "yes" = "$use_libtool" || echo "    Use GNU libtool (--with-libtool)"
+    test "no" = "$with_cmocka" && echo "    CMocka Unit Testing Framework (--with-cmocka)"
+
+    test "X$PYTHON" = "X" && echo "    Python tools (--with-python)"
+    test "X$LIBXML2_LIBS" = "X" && echo "    XML statistics (--with-libxml2)"
+    test "X$JSON_C_LIBS" = "X" && echo "    JSON statistics (--with-json-c)"
+    test "X$ZLIB_LIBS" = "X" && echo "    HTTP zlib compression (--with-zlib)"
+    test "X$NZD_TOOLS" = "X" && echo "    LMDB database to store configuration for 'addzone' zones (--with-lmdb)"
+    test "no" = "$with_libidn2" && echo "    IDN support (--with-libidn2)"
+
+    echo "-------------------------------------------------------------------------------"
+    echo "Configured paths:"
+    echo "    prefix: $prefix"
+    echo "    sysconfdir: $sysconfdir"
+    echo "    localstatedir: $localstatedir"
+    echo "-------------------------------------------------------------------------------"
+    echo "Compiler: $CC"
+    if test "$GCC" = "yes"; then :
+  $CC --version 2>&1 | sed 's/^/    /'
+else
+  case $host in #(
+  *-solaris*) :
+    $CC -V 2>&1 | sed 's/^/    /' ;; #(
+  *) :
+    $CC --version 2>&1 | sed 's/^/    /' ;;
+esac
+fi
+
+    if test "X$ac_unrecognized_opts" != "X"; then
+	echo "Unrecognized options:"
+	echo "    $ac_unrecognized_opts"
+    fi
+
+    if test "yes" != "$enable_full_report"; then
+	echo "-------------------------------------------------------------------------------"
+	echo "For more detail, use --enable-full-report."
+    fi
+    echo "==============================================================================="
+}
+
+if test "yes" != "$silent"; then
+	report
+fi
+
+# Tell Emacs to edit this file in shell mode.
+# Local Variables:
+# mode: sh
+# End:
diff --git a/configure.ac b/configure.ac
new file mode 100644
index 0000000..fb6f172
--- /dev/null
+++ b/configure.ac
@@ -0,0 +1,3150 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+AC_INIT(BIND, [9.16], [https://gitlab.isc.org/isc-projects/bind9/-/issues/new?issuable_template=Bug], [], [https://www.isc.org/downloads/])
+AC_PREREQ([2.60])
+
+#
+# Enable maintainer mode by default, but allow to disable it in the CI
+#
+AM_MAINTAINER_MODE([enable])
+
+AC_CONFIG_HEADER(config.h)
+AC_CONFIG_MACRO_DIR([m4])
+
+AC_CANONICAL_HOST
+
+#
+# Enable system extensions to C and POSIX
+#
+AC_USE_SYSTEM_EXTENSIONS
+
+#
+# Enable large file support
+#
+AC_SYS_LARGEFILE
+AC_FUNC_FSEEKO
+
+LFS_CFLAGS=`getconf LFS_CFLAGS 2>/dev/null`
+LFS_LDFLAGS=`getconf LFS_LDFLAGS 2>/dev/null`
+LFS_LIBS=`getconf LFS_LIBS 2>/dev/null`
+
+AC_SUBST([LFS_CFLAGS])
+AC_SUBST([LFS_LDFLAGS])
+AC_SUBST([LFS_LIBS])
+
+# Enable RFC 3542 APIs on macOS
+AC_DEFINE([__APPLE_USE_RFC_3542], [1], [Select RFC3542 IPv6 API on macOS])
+
+AC_PROG_MAKE_SET
+
+AC_PROG_LIBTOOL
+AC_PROG_INSTALL
+AC_PROG_LN_S
+AX_POSIX_SHELL
+AC_PROG_MKDIR_P
+
+AC_SUBST(STD_CINCLUDES)
+AC_SUBST(STD_CDEFINES)
+AC_SUBST(STD_CWARNINGS)
+AC_SUBST(CCOPT)
+AC_SUBST(CCNOOPT)
+AC_SUBST(BACKTRACECFLAGS)
+
+#
+# Use pkg-config
+#
+
+PKG_PROG_PKG_CONFIG
+AS_IF([test -z "$PKG_CONFIG"],
+      [AC_MSG_ERROR([The pkg-config script could not be found or is too old.])])
+
+# [pairwise: --enable-buffer-useinline, --disable-buffer-useinline]
+AC_ARG_ENABLE(buffer_useinline,
+	      AS_HELP_STRING([--enable-buffer-useinline],
+		             [define ISC_BUFFER_USEINLINE when compiling
+				[default=yes]]),
+	      if test yes = "${enable}"
+	      then
+		      AC_DEFINE([ISC_BUFFER_USEINLINE], [1],
+			        [Define if you want to use inline buffers])
+	      fi,
+	      AC_DEFINE([ISC_BUFFER_USEINLINE], [1]))
+
+# [pairwise: --enable-warn-shadow, --disable-warn-shadow]
+AC_ARG_ENABLE([warn_shadow],
+	      [AS_HELP_STRING([--enable-warn-shadow],
+			      [turn on -Wshadow when compiling])])
+
+# [pairwise: --enable-warn-error, --disable-warn-error]
+AC_ARG_ENABLE([warn_error],
+	      [AS_HELP_STRING([--enable-warn-error],
+			      [turn on -Werror when compiling])])
+
+# [pairwise: --enable-developer, --disable-developer]
+AC_ARG_ENABLE([developer],
+	      [AS_HELP_STRING([--enable-developer],
+			      [enable developer build settings])])
+
+XTARGETS=
+AS_IF([test "$enable_developer" = "yes"],
+      [STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1"
+       test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
+       test "${enable_querytrace+set}" = set || enable_querytrace=yes
+       test "${with_cmocka+set}" = set || with_cmocka=yes
+       test "${with_dlz_filesystem+set}" = set || with_dlz_filesystem=yes
+       test "${enable_symtable+set}" = set || enable_symtable=all
+       test "${enable_warn_error+set}" = set || enable_warn_error=yes
+       test "${enable_warn_shadow+set}" = set || enable_warn_shadow=yes
+       test "${with_zlib+set}" = set || with_zlib=yes
+       XTARGETS='${XTARGETS}'
+       ])
+AC_SUBST([XTARGETS])
+
+# Fuzzing is not included in pairwise testing as fuzzing tools are
+# not present in the relevant Docker image.
+#
+# [pairwise: skip]
+AC_ARG_ENABLE([fuzzing],
+	      [AS_HELP_STRING([--enable-fuzzing=<afl|libfuzzer>],
+			      [Enable fuzzing using American Fuzzy Lop or libFuzzer (default=no)])],
+	      [],
+	      [enable_fuzzing=no])
+
+AC_MSG_CHECKING([whether to enable fuzzing mode])
+AS_CASE([$enable_fuzzing],
+	[no],[AC_MSG_RESULT([no])],
+	[afl],[
+	  AC_MSG_RESULT([using AFL])
+	  AC_DEFINE([ENABLE_AFL], [1],
+		    [Define to enable American Fuzzy Lop test harness])
+	  CFLAGS="$CFLAGS -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1"
+	  LIBS="$LIBS -lpthread"],
+	[libfuzzer],[
+	  AC_MSG_RESULT([using libFuzzer])
+	  CFLAGS="$CFLAGS -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1 -fsanitize=fuzzer,address,undefined"
+	  LDFLAGS="$LDFLAGS -fsanitize=fuzzer,address,undefined"],
+	[*],[AC_MSG_ERROR([You need to explicitly select the fuzzer])])
+
+AS_IF([test "$enable_fuzzing" = "afl"],
+      [AC_MSG_CHECKING("for AFL enabled compiler")
+       AC_COMPILE_IFELSE([AC_LANG_PROGRAM([],
+					  [#ifndef __AFL_COMPILER
+					   #error AFL compiler required
+					   #endif
+					  ])],
+			 [AC_MSG_RESULT([yes])],
+			 [AC_MSG_ERROR([set CC=afl-<gcc|clang> when --enable-fuzzing=afl is used])])
+      ])
+
+#
+# Make very sure that these are the first files processed by
+# config.status, since we use the processed output as the input for
+# AC_SUBST_FILE() substitutions in other files.
+#
+AC_CONFIG_FILES([make/rules make/includes])
+
+AC_PATH_PROG(AR, ar)
+ARFLAGS="cruv"
+AC_SUBST(AR)
+AC_SUBST(ARFLAGS)
+
+# The POSIX ln(1) program.  Non-POSIX systems may substitute
+# "copy" or something.
+LN=ln
+AC_SUBST(LN)
+
+case "$AR" in
+	"")
+		AC_MSG_ERROR([
+ar program not found.  Please fix your PATH to include the directory in
+which ar resides, or set AR in the environment with the full path to ar.
+])
+
+		;;
+esac
+
+#
+# Look for w3m
+#
+AC_PATH_PROGS(W3M, w3m, w3m)
+AC_SUBST(W3M)
+
+#
+# Look for pandoc
+#
+AC_PATH_PROG(PANDOC, pandoc, pandoc)
+AC_SUBST(PANDOC)
+
+#
+# Perl is optional; it is used only by some of the system test scripts.
+# Note: the backtrace feature (see below) uses perl to build the symbol table,
+# but it still compiles without perl, in which case an empty table will be used.
+#
+AC_PATH_PROGS(PERL, perl5 perl)
+AC_SUBST(PERL)
+
+#
+# Python is also optional but required by default so that dnssec-keymgr gets
+# installed unless explicitly prevented by the user using --without-python.
+#
+testminvers='import sys
+if (sys.version_info < (2,7)) or (sys.version_info < (3,2) and sys.version_info >= (3,0)):
+   exit(1)'
+
+testargparse='try: import argparse
+except: exit(1)'
+
+testply='try: import ply
+except: exit(1)'
+
+testsetuptools='try: from setuptools import setup
+except: exit(1)'
+
+testdistutils='try: from distutils.core import setup
+except: exit(1)'
+
+default_with_python="python python3 python3.11 python3.10 python3.9 python3.8 python3.7 python3.6 python3.5 python3.4 python3.3 python3.2 python2 python2.7"
+
+AC_ARG_VAR([PYTHON], [path to python executable])
+
+# [pairwise: --with-python, --without-python]
+AC_ARG_WITH([python],
+	    AS_HELP_STRING([--with-python=PATH],
+			   [specify path to Python interpreter]),
+	    [], [with_python=$default_with_python])
+
+# [pairwise: skip]
+AC_ARG_WITH([python-install-dir],
+	    AS_HELP_STRING([--with-python-install-dir=PATH],
+			   [installation directory for Python modules]),
+	    [], with_python_install_dir="")
+
+AS_IF([test "$with_python" = "yes"],
+      [with_python=$default_with_python])
+
+AS_IF([test "$with_python" = "no"],
+      [AC_MSG_CHECKING([for Python support])
+       unset PYTHON
+       AC_MSG_RESULT([disabled])],
+      [for p in $with_python
+       do
+	 AS_CASE([$p],
+		 [/*],[PYTHON="$p"])
+
+	 AC_PATH_PROG([PYTHON], [$p])
+	 # Do not cache the result of the check from the previous line.  If the
+	 # first found Python interpreter has missing module dependencies and
+	 # the result of the above check is cached, subsequent module checks
+	 # will erroneously keep on using the cached path to the first found
+	 # Python interpreter instead of different ones.
+	 unset ac_cv_path_PYTHON
+
+	 AS_IF([test -z "$PYTHON"], [continue])
+
+	 AC_MSG_CHECKING([if $PYTHON is python2 version >= 2.7 or python3 version >= 3.2])
+	 AS_IF(["$PYTHON" -c "$testminvers" 2>/dev/null],
+	       [AC_MSG_RESULT([yes])],
+	       [AC_MSG_RESULT([no])
+		unset PYTHON
+		continue])
+
+	 AC_MSG_CHECKING([Python module 'argparse'])
+	 AS_IF(["$PYTHON" -c "$testargparse" 2>/dev/null],
+	       [AC_MSG_RESULT([yes])],
+	       [AC_MSG_RESULT([no])
+		unset PYTHON
+		continue])
+
+	 AC_MSG_CHECKING([Python module 'ply'])
+	 AS_IF(["$PYTHON" -c "$testply" 2>/dev/null],
+	       [AC_MSG_RESULT([yes])],
+	       [AC_MSG_RESULT([no])
+		unset PYTHON
+		continue])
+
+	 AC_MSG_CHECKING([Python module 'setuptools'])
+	 AS_IF(["$PYTHON" -c "$testsetuptools" 2>/dev/null],
+	       [AC_MSG_RESULT([yes])],
+	       [AC_MSG_RESULT([no])
+		AC_MSG_CHECKING([Python module 'distutils'])
+		AS_IF(["$PYTHON" -c "$testdistutils" 2>/dev/null],
+		      [AC_MSG_RESULT([yes])],
+		      [AC_MSG_RESULT([no])
+		       unset PYTHON
+		       continue])])
+
+	 # Stop looking any further once we find a Python interpreter
+	 # satisfying all requirements.
+	 break
+       done
+
+       AS_IF([test "X$PYTHON" = "X"],
+	     [AC_MSG_CHECKING([for Python support])
+	      AC_MSG_RESULT([no])
+	      AC_MSG_ERROR([m4_normalize(
+				[Python >= 2.7 or >= 3.2 and the PLY package
+                                 are required for dnssec-keymgr and other
+                                 Python-based tools. PLY may be
+                                 available from your OS package manager
+                                 as python-ply or python3-ply; it can also
+                                 be installed via pip. To build without
+                                 Python/PLY, use --without-python.]
+			    )])])])
+
+PYTHON_TOOLS=''
+CHECKDS=''
+COVERAGE=''
+KEYMGR=''
+AS_IF([test "X$PYTHON" != "X"],
+      [PYTHON_TOOLS=python
+       CHECKDS=checkdstool
+       COVERAGE=coverage
+       KEYMGR=keymgr
+       PYTHON_INSTALL_DIR="$with_python_install_dir"
+       AS_IF([test -n "$with_python_install_dir"],
+	     [PYTHON_INSTALL_LIB="--install-lib=$with_python_install_dir"])])
+AC_SUBST(CHECKDS)
+AC_SUBST(COVERAGE)
+AC_SUBST(KEYMGR)
+AC_SUBST(PYTHON_TOOLS)
+AC_SUBST(PYTHON_INSTALL_DIR)
+AC_SUBST(PYTHON_INSTALL_LIB)
+
+#
+# expanded_sysconfdir is needed for replacement in the python utilities
+#
+expanded_sysconfdir=`eval echo $sysconfdir`
+AC_SUBST(expanded_sysconfdir)
+
+#
+# Make sure INSTALL uses an absolute path, else it will be wrong in all
+# Makefiles, since they use make/rules.in and INSTALL will be adjusted by
+# configure based on the location of the file where it is substituted.
+# Since in BIND9 INSTALL is only substituted into make/rules.in, an immediate
+# subdirectory of install-sh, This relative path will be wrong for all
+# directories more than one level down from install-sh.
+#
+case "$INSTALL" in
+	/*)
+		;;
+	*)
+		#
+		# Not all systems have dirname.
+		#
+		changequote({, })
+		ac_dir="`echo $INSTALL | sed 's%/[^/]*$%%'`"
+		changequote([, ])
+
+		ac_prog="`echo $INSTALL | sed 's%.*/%%'`"
+		test "X$ac_dir" = "X$ac_prog" && ac_dir=.
+		test -d "$ac_dir" && ac_dir="`(cd \"$ac_dir\" && pwd)`"
+		INSTALL="$ac_dir/$ac_prog"
+		;;
+esac
+
+AC_PATH_PROGS([PYTEST], [pytest-3 py.test-3 pytest py.test pytest-pypy], [])
+AS_IF([test -z "$PYTEST"],
+      [AC_MSG_WARN([pytest not found, some system tests will be skipped])])
+AC_SUBST([PYTEST])
+
+
+AC_PROG_CC
+AC_PROG_CC_C99
+
+#
+# Using Solaris linker with gcc on Solaris breaks Thread Local Storage
+#
+AS_CASE([$host],
+	[*-solaris*],[
+	    AS_IF([test "$GCC" = "yes"],
+		  [LDFLAGS="$LDFLAGS -zrelax=transtls"
+		   AC_MSG_WARN([When using GNU C Compiler on Solaris, -zrelax=transtls linker flag is used to fix bug in Thread Local Storage])
+		  ])
+	],
+	[*-darwin*],[LDFLAGS="$LDFLAGS -Wl,-flat_namespace"])
+
+#
+# CCNOOPT defaults to -O0 on gcc and disables optimization when is last
+#
+if test "X$CCNOOPT" = "X" -a "X$GCC" = "Xyes"; then
+	CCNOOPT="-O0"
+fi
+
+AC_HEADER_STDC
+
+AC_CHECK_HEADERS(fcntl.h regex.h sys/time.h unistd.h sys/mman.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h sys/socket.h net/route.h linux/netlink.h linux/rtnetlink.h,,,
+[$ac_includes_default
+#ifdef HAVE_SYS_PARAM_H
+# include <sys/param.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+# include <sys/socket.h>
+#endif
+])
+
+#
+# Check for thread local storage
+#
+AC_CHECK_HEADERS([threads.h],
+		 [
+		     AC_MSG_CHECKING([for C11 Thread-Local Storage using thread_local])
+		     AC_COMPILE_IFELSE(
+			 [AC_LANG_PROGRAM(
+			      [
+				  #include <threads.h>
+			      ],[
+				  static thread_local int tls = 0;
+				  return (tls);
+			      ])
+			 ],[
+			     AC_MSG_RESULT([yes])
+			     AC_DEFINE([HAVE_THREAD_LOCAL],[1],[Define if thread_local keyword is available])
+			     AC_DEFINE([HAVE_TLS],[1],[Define if Thread-Local Storage is available])
+			 ],[
+			     AC_MSG_ERROR([Thread Local Storage support required, update your toolchain to build BIND 9])
+			 ])
+		 ],[
+		     AC_MSG_CHECKING([for Thread-Local Storage using __thread])
+		     AC_COMPILE_IFELSE(
+			 [AC_LANG_PROGRAM(
+			      [
+			      ],[
+				  static __thread int tls = 0;
+				  return (tls);
+			      ])
+			 ],[
+			     AC_MSG_RESULT([yes])
+			     AC_DEFINE([HAVE___THREAD],[1],[Define if __thread keyword is available])
+			     AC_DEFINE([HAVE_TLS],[1],[Define if Thread-Local Storage is available])
+			 ],[
+			     AC_MSG_ERROR([Thread Local Storage support required, update your toolchain to build BIND 9])
+			 ])
+		 ])
+
+AC_C_CONST
+AC_C_INLINE
+AC_C_VOLATILE
+AC_C_FLEXIBLE_ARRAY_MEMBER
+
+#
+# Check for yield support on ARM processors
+#
+AS_CASE([$host],
+	[arm*],
+	[AC_MSG_CHECKING([for yield instruction support])
+	 AC_COMPILE_IFELSE(
+	     [AC_LANG_PROGRAM([[]],
+			     [[__asm__ __volatile__ ("yield")]])],
+	     [AC_MSG_RESULT([yes])
+	      AC_DEFINE([HAVE_ARM_YIELD], [1],
+			[define if the ARM yield instruction is available])],
+	     [AC_MSG_RESULT([no])])])
+
+#
+# Check for pause support on SPARC processors
+#
+AS_CASE([$host],
+	[sparc*],
+	[AC_MSG_CHECKING([for pause instruction support])
+	 AC_COMPILE_IFELSE(
+	     [AC_LANG_PROGRAM([[]],
+			     [[__asm__ __volatile__ ("pause")]])],
+	     [AC_MSG_RESULT([yes])
+	      AC_DEFINE([HAVE_SPARC_PAUSE], [1],
+			[define if the SPARC pause instruction is available])],
+	     [AC_MSG_RESULT([no])])])
+
+AC_CHECK_FUNCS([sysctlbyname])
+
+#
+# Check for the existence of mmap to enable the fast format zones
+#
+AC_CHECK_FUNCS(mmap)
+
+#
+# Older versions of HP/UX don't define seteuid() and setegid()
+#
+AC_CHECK_FUNCS(seteuid setresuid)
+AC_CHECK_FUNCS(setegid setresgid)
+
+AC_TYPE_SIZE_T
+AC_TYPE_SSIZE_T
+AC_TYPE_UINTPTR_T
+
+AC_HEADER_TIME
+
+#
+# check for uname library routine
+#
+AC_MSG_CHECKING([for uname])
+AC_COMPILE_IFELSE(
+  [AC_LANG_PROGRAM(
+     [[#include <sys/utsname.h>
+       #include <stdio.h>
+      ]],
+     [[
+       struct utsname uts;
+       uname(&uts);
+       printf("running on %s %s %s for %s\n",
+	      uts.sysname, uts.release, uts.version, uts.machine);
+     ]])],
+  [AC_MSG_RESULT(yes)
+   AC_DEFINE([HAVE_UNAME], [1], [define if uname is available])
+  ],
+  [AC_MSG_RESULT(no)
+   AC_MSG_WARN([uname is not correctly supported])
+  ])
+
+#
+# check for GCC noreturn attribute
+#
+AC_MSG_CHECKING(for GCC noreturn attribute)
+AC_TRY_COMPILE([],[void foo() __attribute__((noreturn));],
+	[AC_MSG_RESULT(yes)
+		ISC_PLATFORM_NORETURN_PRE="#define ISC_PLATFORM_NORETURN_PRE"
+		ISC_PLATFORM_NORETURN_POST="#define ISC_PLATFORM_NORETURN_POST __attribute__((noreturn))"],
+	[AC_MSG_RESULT(no)
+		ISC_PLATFORM_NORETURN_PRE="#define ISC_PLATFORM_NORETURN_PRE"
+		ISC_PLATFORM_NORETURN_POST="#define ISC_PLATFORM_NORETURN_POST"])
+AC_SUBST(ISC_PLATFORM_NORETURN_PRE)
+AC_SUBST(ISC_PLATFORM_NORETURN_POST)
+
+#
+# check for GCC malloc attribute
+#
+AX_GCC_FUNC_ATTRIBUTE([malloc])
+
+AC_MSG_CHECKING([for extended malloc attributes])
+AC_COMPILE_IFELSE(
+  [AC_LANG_PROGRAM(
+     [[
+       #include <stddef.h>
+       #include <stdlib.h>
+       __attribute__ ((malloc, malloc (free, 1))
+       void * xmalloc(size_t sz) { return malloc(sz); }
+     ]],
+     [[
+       void *p = xmalloc(8);
+       free(p);
+     ]])],
+  [AC_MSG_RESULT(yes)
+   AC_DEFINE([HAVE_MALLOC_EXT_ATTR], [1], [define if extended attributes for malloc are available])
+  ],
+  [AC_MSG_RESULT(no)])
+
+#
+# check for GCC returns_nonnull attribute
+#
+AX_GCC_FUNC_ATTRIBUTE([returns_nonnull])
+
+#
+# check if we have kqueue
+#
+# [pairwise: --enable-kqueue, --disable-kqueue]
+AC_ARG_ENABLE([kqueue],
+	      [AS_HELP_STRING([--enable-kqueue],
+			      [use BSD kqueue when available [default=yes]])],
+	      [], enable_kqueue="yes")
+
+AS_IF([test "$enable_kqueue" = "yes"],
+      [AC_CHECK_FUNCS([kqueue])])
+
+#
+# check if we have epoll.  Linux kernel 2.4 has epoll_create() which fails,
+# so we need to try running the code, not just test its existence.
+#
+# [pairwise: --enable-epoll, --disable-epoll]
+AC_ARG_ENABLE([epoll],
+	      [AS_HELP_STRING([--enable-epoll],
+			      [use Linux epoll when available [default=auto]])],
+	      [], [enable_epoll="yes"])
+
+AS_IF([test "$enable_epoll" = "yes"],
+      [AC_CHECK_FUNCS([epoll_create1])])
+
+#
+# check if we support /dev/poll
+#
+# [pairwise: --enable-devpoll, --disable-devpoll]
+AC_ARG_ENABLE([devpoll],
+	      [AS_HELP_STRING([--enable-devpoll],
+			      [use /dev/poll when available [default=yes]])],
+	      [], [enable_devpoll="yes"])
+AS_IF([test "$enable_devpoll" = "yes"],
+      [AC_CHECK_HEADERS([sys/devpoll.h devpoll.h])])
+
+#
+# Find the machine's endian flavor.
+#
+AC_C_BIGENDIAN
+
+#
+# GeoIP support?
+#
+# Should be on by default if libmaxminddb exists.
+#
+# [pairwise: skip]
+AC_ARG_WITH([geoip2],
+	    [AS_HELP_STRING([--with-geoip2],
+			    [deprecated, use --with-maxminddb])],
+	    [AC_MSG_WARN([--with-geoip2 is DEPRECATED and will be removed in a future release, use --with-maxminddb instead])],
+	    [with_geoip2="auto"])
+
+# [pairwise: --enable-geoip --with-maxminddb=auto, --enable-geoip --with-maxminddb=yes, --disable-geoip]
+AC_ARG_ENABLE([geoip],
+	      [AS_HELP_STRING([--disable-geoip],
+			      [support GeoIP2 geolocation ACLs if available [default=yes]])],
+	      [], [enable_geoip="yes"])
+
+# [pairwise: skip]
+AC_ARG_WITH([maxminddb],
+	    [AS_HELP_STRING([--with-maxminddb=PATH],
+			    [Build with MaxMind GeoIP2 support (auto|yes|no|path) [default=auto]])],
+	    [], [with_maxminddb="$with_geoip2"])
+
+GEOIP2LINKSRCS=
+GEOIP2LINKOBJS=
+AS_IF([test "$enable_geoip" = "yes"],
+      [AS_CASE([$with_maxminddb],
+	       [no],[AC_MSG_ERROR([Use '--disable-geoip' to disable the GeoIP])],
+	       [auto],[PKG_CHECK_MODULES([MAXMINDDB], [libmaxminddb],
+					 [AC_DEFINE([HAVE_GEOIP2], [1], [Build with GeoIP2 support])
+					  PKG_CHECK_VAR([MAXMINDDB_PREFIX], [libmaxminddb], [prefix], [], [AC_MSG_ERROR([libmaxminddb prefix not found in pkg-config; set MAXMINDDB_PREFIX in the environment])])
+					  GEOIP2LINKSRCS='${GEOIP2LINKSRCS}'
+					  GEOIP2LINKOBJS='${GEOIP2LINKOBJS}'
+					 ],[:])],
+	       [yes],[PKG_CHECK_MODULES([MAXMINDDB], [libmaxminddb],
+					[AC_DEFINE([HAVE_GEOIP2], [1], [Build with GeoIP2 support])
+					 PKG_CHECK_VAR([MAXMINDDB_PREFIX], [libmaxminddb], [prefix], [], [AC_MSG_ERROR([libmaxminddb prefix not found in pkg-config; set MAXMINDDB_PREFIX in the environment])])
+					 GEOIP2LINKSRCS='${GEOIP2LINKSRCS}'
+					 GEOIP2LINKOBJS='${GEOIP2LINKOBJS}'
+					])],
+	       [ # default
+		   AX_SAVE_FLAGS([maxminddb])
+		   MAXMINDDB_CFLAGS="-I$with_maxminddb/include"
+		   MAXMINDDB_LIBS="-L$with_maxminddb/lib"
+		   CFLAGS="$CFLAGS $MAXMINDDB_CFLAGS"
+		   LDFLAGS="$LDFLAGS $MAXMINDDB_LIBS"
+		   AC_SEARCH_LIBS([MMDB_open], [maxminddb],
+				  [AC_DEFINE([HAVE_GEOIP2], [1], [Build with GeoIP2 support])
+				   GEOIP2LINKSRCS='${GEOIP2LINKSRCS}'
+				   GEOIP2LINKOBJS='${GEOIP2LINKOBJS}'
+				   MAXMINDDB_LIBS="$MAXMINDDB_LIBS $ac_cv_search_MMDB_open"
+				   AC_MSG_NOTICE([GeoIP2 default database path set to $with_maxminddb/share/GeoIP])
+				   AS_VAR_COPY([MAXMINDDB_PREFIX], [with_maxminddb])
+				  ],
+				  [AC_MSG_ERROR([GeoIP2 requested, but libmaxminddb not found])])
+		   AX_RESTORE_FLAGS([maxminddb])
+	       ])
+       AC_ARG_VAR([MAXMINDDB_PREFIX], [value of prefix for MAXMINDDB, overriding pkg-config])
+])
+
+AC_SUBST([MAXMINDDB_CFLAGS])
+AC_SUBST([MAXMINDDB_LIBS])
+AC_SUBST([GEOIP2LINKSRCS])
+AC_SUBST([GEOIP2LINKOBJS])
+
+#
+# Do we have arc4random(), etc ?
+#
+AC_CHECK_FUNCS(arc4random arc4random_buf arc4random_uniform getrandom)
+
+AX_PTHREAD
+
+LIBS="$PTHREAD_LIBS $LIBS"
+CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
+CC="$PTHREAD_CC"
+
+AC_CHECK_FUNCS([pthread_attr_getstacksize pthread_attr_setstacksize])
+
+# [pairwise: --with-locktype=adaptive, --with-locktype=standard]
+AC_ARG_WITH([locktype],
+	    AS_HELP_STRING([--with-locktype=ARG],
+			   [Specify mutex lock type
+			    (adaptive or standard)]),
+	    [], [with_locktype="adaptive"])
+
+AS_CASE([$with_locktype],
+	[adaptive],[
+	  AC_MSG_CHECKING([for PTHREAD_MUTEX_ADAPTIVE_NP])
+	  AC_COMPILE_IFELSE(
+	    [AC_LANG_PROGRAM(
+	       [[
+		 #ifndef _GNU_SOURCE
+		 #define _GNU_SOURCE
+		 #endif
+		 #include <pthread.h>
+	       ]],
+	       [[
+		 return (PTHREAD_MUTEX_ADAPTIVE_NP);
+	       ]]
+	     )],
+	    [AC_MSG_RESULT([using adaptive lock type])
+	     AC_DEFINE([HAVE_PTHREAD_MUTEX_ADAPTIVE_NP], 1,
+		       [Support for PTHREAD_MUTEX_ADAPTIVE_NP]) ],
+	    [AC_MSG_RESULT([using standard lock type])]
+	  )],
+	[standard],[AC_MSG_RESULT([using standard lock type])],
+	[AC_MSG_ERROR([You must specify "adaptive" or "standard" for --with-locktype.])]
+       )
+
+AC_CHECK_HEADERS([sched.h])
+
+AC_SEARCH_LIBS([sched_yield],[rt])
+AC_CHECK_FUNCS([sched_yield pthread_yield pthread_yield_np])
+
+# Look for functions relating to thread naming
+AC_CHECK_FUNCS([pthread_setname_np pthread_set_name_np])
+AC_CHECK_HEADERS([pthread_np.h], [], [], [#include <pthread.h>])
+
+# libuv
+PKG_CHECK_MODULES([LIBUV], [libuv >= 1.37.0], [],
+		  [PKG_CHECK_MODULES([LIBUV], [libuv >= 1.0.0 libuv < 1.35.0], [],
+				     [AC_MSG_ERROR([libuv >= 1.0.0 (except 1.35.0 and 1.36.0) not found])])])
+
+AX_SAVE_FLAGS([libuv])
+CFLAGS="$CFLAGS $LIBUV_CFLAGS"
+LIBS="$LIBS $LIBUV_LIBS"
+
+# libuv recvmmsg support
+AC_CHECK_DECLS([UV_UDP_MMSG_FREE, UV_UDP_MMSG_CHUNK], [], [], [[#include <uv.h>]])
+AC_MSG_CHECKING([whether struct msghdr uses padding for alignment])
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([#include <sys/socket.h>],
+				   [const struct msghdr h = { .__pad1 = 0, .__pad2 = 0 };])],
+		  [AC_MSG_RESULT([yes])
+		   AC_DEFINE([HAVE_DECL_UV_UDP_RECVMMSG],
+			     [0], [Disable recvmmsg support on systems with MUSL glibc])],
+		  [AC_MSG_RESULT([no])
+		   AC_CHECK_DECLS([UV_UDP_RECVMMSG], [], [], [[#include <uv.h>]])])
+
+AX_RESTORE_FLAGS([libuv])
+
+#
+# flockfile is usually provided by pthreads
+#
+AC_CHECK_FUNCS([flockfile getc_unlocked])
+
+#
+# Look for sysconf to allow detection of the number of processors.
+#
+AC_CHECK_FUNCS([sysconf])
+
+AC_SUBST(ALWAYS_DEFINES)
+
+AC_MSG_CHECKING(for libtool)
+
+# [pairwise: --with-libtool, --without-libtool]
+AC_ARG_WITH(libtool, AS_HELP_STRING([--with-libtool], [use GNU libtool]),
+	    use_libtool="$withval", use_libtool="no")
+NO_LIBTOOL_ISCLIBS=
+NO_LIBTOOL_DNSLIBS=
+case $use_libtool in
+	yes)
+		AC_MSG_RESULT(yes)
+		AM_PROG_LIBTOOL
+		O=lo
+		A=la
+		LIBTOOL_MKDEP_SED='s;\.o;\.lo;'
+		LIBTOOL_MODE_COMPILE='--mode=compile'
+		LIBTOOL_MODE_INSTALL='--mode=install'
+		LIBTOOL_MODE_LINK='--mode=link'
+		LIBTOOL_MODE_UNINSTALL='--mode=uninstall'
+		INSTALL_LIBRARY='${INSTALL_PROGRAM}'
+		AC_DEFINE([USE_LIBTOOL],[1],[Define if libtool is used for compilation])
+		;;
+	*)
+		AC_MSG_RESULT(no)
+		O=o
+		A=a
+		LIBTOOL=
+		AC_SUBST(LIBTOOL)
+		LIBTOOL_MKDEP_SED=
+		LIBTOOL_MODE_COMPILE=
+		LIBTOOL_MODE_INSTALL=
+		LIBTOOL_MODE_LINK=
+		LIBTOOL_MODE_UNINSTALL=
+		INSTALL_LIBRARY='${INSTALL_DATA}'
+		NO_LIBTOOL_ISCLIBS='${NO_LIBTOOL_ISCLIBS}'
+		NO_LIBTOOL_DNSLIBS='${NO_LIBTOOL_DNSLIBS}'
+		;;
+esac
+AC_SUBST(INSTALL_LIBRARY)
+AC_SUBST(NO_LIBTOOL_ISCLIBS)
+AC_SUBST(NO_LIBTOOL_DNSLIBS)
+
+#
+# Do we want to use pthread rwlock?
+#
+# [pairwise: --enable-pthread-rwlock, --disable-pthread-rwlock]
+AC_ARG_ENABLE([pthread_rwlock],
+	      [AS_HELP_STRING([--enable-pthread-rwlock],
+			      [use pthread rwlock instead of internal rwlock implementation])],
+	      [], [enable_pthread_rwlock=no])
+
+AS_IF([test "$enable_pthread_rwlock" = "yes"],
+      [AC_CHECK_FUNCS([pthread_rwlock_rdlock], [],
+		      [AC_MSG_ERROR([pthread_rwlock_rdlock requested but not found])])
+       AC_DEFINE([USE_PTHREAD_RWLOCK],[1],[Define if you want to use pthread rwlock implementation])
+      ])
+
+CRYPTO=OpenSSL
+
+#
+# OpenSSL/LibreSSL is mandatory
+#
+PKG_CHECK_MODULES([OPENSSL], [libssl libcrypto], [],
+		  [AX_CHECK_OPENSSL([:],[AC_MSG_FAILURE([OpenSSL/LibreSSL not found])])])
+
+AX_SAVE_FLAGS([openssl])
+
+#
+# This maintenance branch of BIND 9 does not support new OpenSSL APIs
+# introduced in version 3.0.0.  Suppress compiler warnings about using
+# functions deprecated in newer OpenSSL versions as they will not be
+# addressed in BIND 9.16.
+#
+OPENSSL_CFLAGS="$OPENSSL_CFLAGS -DOPENSSL_SUPPRESS_DEPRECATED"
+
+CFLAGS="$CFLAGS $OPENSSL_CFLAGS"
+LIBS="$LIBS $OPENSSL_LIBS"
+
+AC_MSG_CHECKING([for OpenSSL >= 1.0.0 or LibreSSL >= 2.7.0])
+AC_COMPILE_IFELSE(
+    [AC_LANG_PROGRAM([[#include <openssl/opensslv.h>]],
+		     [[#if (!defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER < 0x1000000fL)) || \\
+			   (defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER < 0x02070000fL))
+		       #error OpenSSL >= 1.0.0 or LibreSSL >= 2.7.0 required
+		       #endif
+		      ]])],
+    [AC_MSG_RESULT([yes])],
+    [AC_MSG_FAILURE([not found])])
+
+#
+# Check for functions added in OpenSSL or LibreSSL
+#
+
+AC_CHECK_FUNCS([OPENSSL_init_ssl OPENSSL_init_crypto OPENSSL_cleanup])
+AC_CHECK_FUNCS([CRYPTO_zalloc])
+AC_CHECK_FUNCS([EVP_CIPHER_CTX_new EVP_CIPHER_CTX_free])
+AC_CHECK_FUNCS([EVP_MD_CTX_new EVP_MD_CTX_free EVP_MD_CTX_reset])
+AC_CHECK_FUNCS([HMAC_CTX_new HMAC_CTX_free HMAC_CTX_reset HMAC_CTX_get_md])
+AC_CHECK_FUNCS([SSL_read_ex SSL_peek_ex SSL_write_ex])
+AC_CHECK_FUNCS([BIO_read_ex BIO_write_ex])
+AC_CHECK_FUNCS([BN_GENCB_new])
+AC_CHECK_FUNCS([SSL_CTX_up_ref])
+AC_CHECK_FUNCS([SSL_CTX_set_min_proto_version])
+
+#
+# Check for algorithm support in OpenSSL
+#
+
+AC_CHECK_FUNCS([ECDSA_sign ECDSA_verify], [:],
+	       [AC_MSG_FAILURE([ECDSA support in OpenSSL is mandatory.])])
+
+AC_MSG_CHECKING([for ECDSA P-256 support])
+AC_COMPILE_IFELSE(
+    [AC_LANG_PROGRAM([[#include <openssl/evp.h>
+		       #include <openssl/ec.h>]],
+		     [[EC_KEY *key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);]])],
+    [AC_MSG_RESULT([yes])],
+    [AC_MSG_FAILURE([not found.  ECDSA P-256 support in OpenSSL is mandatory.])])
+
+AC_MSG_CHECKING([for ECDSA P-384 support])
+AC_COMPILE_IFELSE(
+    [AC_LANG_PROGRAM([[#include <openssl/evp.h>
+		       #include <openssl/ec.h>]],
+		     [[EC_KEY *key = EC_KEY_new_by_curve_name(NID_secp384r1);]])],
+    [AC_MSG_RESULT([yes])],
+    [AC_MSG_FAILURE([not found.  ECDSA P-384 support in OpenSSL is mandatory.])])
+
+AC_MSG_CHECKING([for Ed25519 support])
+AC_COMPILE_IFELSE(
+    [AC_LANG_PROGRAM([[#include <openssl/evp.h>
+		       #include <openssl/ec.h>]],
+		     [[EC_KEY *key = EC_KEY_new_by_curve_name(NID_ED25519);]])],
+    [AC_DEFINE([HAVE_OPENSSL_ED25519], [1], [define if OpenSSL supports Ed25519])
+     AC_MSG_RESULT([yes])],
+    [AC_MSG_RESULT([no])])
+
+AC_MSG_CHECKING([for Ed448 support])
+AC_COMPILE_IFELSE(
+    [AC_LANG_PROGRAM([[#include <openssl/evp.h>
+		       #include <openssl/ec.h>]],
+		     [[EC_KEY *key = EC_KEY_new_by_curve_name(NID_ED448);]])],
+    [AC_DEFINE([HAVE_OPENSSL_ED448], [1], [define if OpenSSL supports Ed448])
+     AC_MSG_RESULT([yes])],
+    [AC_MSG_RESULT([no])])
+
+#
+# Check for OpenSSL SHA-1 support
+#
+AC_CHECK_FUNCS([EVP_sha1], [:],
+	       [AC_MSG_FAILURE([SHA-1 support in OpenSSL is mandatory.])])
+
+#
+# Check for OpenSSL SHA-2 support
+#
+AC_CHECK_FUNCS([EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512], [:],
+	       [AC_MSG_FAILURE([SHA-2 support in OpenSSL is mandatory.])])
+
+#
+# Check for OpenSSL AES support
+#
+AC_CHECK_FUNCS([EVP_aes_128_ecb EVP_aes_192_ecb EVP_aes_256_ecb], [:],
+	       [AC_MSG_FAILURE([AES support in OpenSSL is mandatory.])])
+
+#
+# Check for OpenSSL 1.1.x/LibreSSL functions
+#
+AC_CHECK_FUNCS([DH_get0_key ECDSA_SIG_get0 RSA_set0_key])
+
+AC_CHECK_FUNCS([TLS_server_method TLS_client_method])
+
+#
+# Check whether FIPS mode is available and whether we should enable it
+#
+# FIPS is not included in pairwise testing as the relevant Docker image
+# does not support FIPS mode.
+#
+# [pairwise: skip]
+AC_ARG_ENABLE([fips-mode],
+	      [AS_HELP_STRING([--enable-fips-mode],
+			      [enable FIPS mode in OpenSSL library [default=no]])],
+	      [], [enable_fips_mode="no"])
+
+AC_MSG_CHECKING([whether to enable FIPS mode in OpenSSL library])
+AS_CASE([$enable_fips_mode],
+	[yes], [AC_MSG_RESULT([yes])
+		AC_CHECK_FUNCS([FIPS_mode],
+			       [], [AC_MSG_FAILURE([OpenSSL FIPS mode requested but not available.])])],
+	[no], [AC_MSG_RESULT([no])])
+
+AX_RESTORE_FLAGS([openssl])
+
+AC_SUBST([OPENSSL_CFLAGS])
+AC_SUBST([OPENSSL_LIBS])
+
+PKCS11_TOOLS=
+PKCS11_TEST=
+PKCS11_MANS=
+#
+# was --enable-native-pkcs11 specified?
+#
+# DNSRPS builds are included in pairwise testing here and not later because both
+# --enable-native-pkcs11 and --enable-dnsrps-dl require --with-dlopen and the
+# ordering of the set of ./configure arguments generated during pairwise testing
+# is random.
+#
+# [pairwise: --enable-native-pkcs11 --enable-dnsrps --enable-dnsrps-dl --with-dlopen, --disable-native-pkcs11 --enable-dnsrps --enable-dnsrps-dl --with-dlopen, --disable-native-pkcs11 --enable-dnsrps --enable-dnsrps-dl --with-dlopen, --disable-native-pkcs11 --disable-dnsrps --without-dlopen]
+AC_ARG_ENABLE(native-pkcs11,
+	      AS_HELP_STRING([--enable-native-pkcs11],
+			     [use native PKCS11 for public-key crypto [default=no]]),
+	      [:], [enable_native_pkcs11="no"])
+
+AC_MSG_CHECKING([for PKCS11 for Public-Key Cryptography])
+AS_CASE([$enable_native_pkcs11],
+	[no],[AC_MSG_RESULT([no])],
+	[yes],[PKCS11_TOOLS=pkcs11
+	       PKCS11_TEST=pkcs11
+	       PKCS11_MANS='${pkcs11_man8_MANS}'
+	       CRYPTO=pkcs11
+	       AS_IF([$use_threads],
+		     [:],
+		     [AC_MSG_ERROR([PKCS11 requires threading support])])
+	       AC_MSG_RESULT([yes])
+	       AC_CHECK_FUNCS([getpassphrase])
+	      ])
+AC_SUBST([PKCS11_TEST])
+AC_SUBST([PKCS11_TOOLS])
+AC_SUBST([PKCS11_MANS])
+
+AC_SUBST([CRYPTO])
+AS_CASE([$CRYPTO],
+	[pkcs11],[AC_DEFINE([USE_PKCS11], [1], [define if PKCS11 is used for Public-Key Cryptography])],
+	[AC_DEFINE([USE_OPENSSL], [1], [define if OpenSSL is used for Public-Key Cryptography])])
+
+# preparation for automake
+# AM_CONDITIONAL([PKCS11_TOOLS], [test "$with_native_pkcs11" = "yes"])
+
+#
+# was --with-pkcs11 specified?
+#
+# [pairwise: skip]
+AC_ARG_WITH([pkcs11],
+	    [AS_HELP_STRING([--with-pkcs11[=PATH]],
+			    [Build with PKCS11 support [no|path] (PATH is for the PKCS11 provider)])],
+	    [:], [with_pkcs11="undefined"])
+
+AS_CASE([$with_pkcs11],
+	[yes|auto],[AC_MSG_ERROR([--with-pkcs11 needs explicit path to the PKCS11 library])],
+	[no|undefined],[with_pkcs11="undefined"])
+AC_DEFINE_UNQUOTED([PK11_LIB_LOCATION], ["$with_pkcs11"], [define the default PKCS11 library path])
+
+# for PKCS11 benchmarks
+
+have_clock_gt=no
+AC_CHECK_FUNC(clock_gettime,have_clock_gt=yes,)
+if test "no" = "$have_clock_gt"; then
+	AC_CHECK_LIB(rt,clock_gettime,have_clock_gt=rt,)
+fi
+
+if test "no" != "$have_clock_gt"; then
+	AC_DEFINE(HAVE_CLOCK_GETTIME, 1, [Define if clock_gettime is available.])
+fi
+
+if test "rt" = "$have_clock_gt"; then
+	LIBS="-lrt $LIBS"
+fi
+
+AC_MSG_CHECKING(for GSSAPI library)
+
+# [pairwise: --with-gssapi=yes, --with-gssapi=auto, --without-gssapi]
+AC_ARG_WITH(gssapi,
+	    AS_HELP_STRING([--with-gssapi=[PATH|[/path/]krb5-config]],
+			   [Specify path for system-supplied GSSAPI
+				[default=auto]]),
+	    use_gssapi="$withval", use_gssapi="auto")
+
+# first try using krb5-config, if that does not work then fall back to "yes" method.
+
+case "$use_gssapi" in
+*/krb5-config|krb5-config)
+    AC_MSG_RESULT(trying $use_gssapi)
+    if test krb5-config = "$use_gssapi"
+    then
+	AC_PATH_PROG(KRB5_CONFIG, $use_gssapi)
+    else
+	KRB5_CONFIG="$use_gssapi"
+    fi
+    gssapi_cflags=`$KRB5_CONFIG --cflags gssapi`
+    gssapi_libs=`$KRB5_CONFIG --libs gssapi`
+    krb5_cflags=`$KRB5_CONFIG --cflags krb5`
+    krb5_libs=`$KRB5_CONFIG --libs krb5`
+    saved_cppflags="$CPPFLAGS"
+    CPPFLAGS="$gssapi_cflags $krb5_cflags $CPPFLAGS"
+    AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h,
+	[ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER <$ac_header>"])
+    if test "" = "$ISC_PLATFORM_GSSAPIHEADER"; then
+	AC_MSG_RESULT([krb5-config: gssapi.h not found])
+	CPPFLAGS="$saved_cppflags"
+	use_gssapi="yes"
+    else
+	AC_CHECK_HEADERS(krb5/krb5.h krb5.h,
+	    [ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER <$ac_header>"])
+	if test "" = "$ISC_PLATFORM_KRB5HEADER"; then
+	    AC_MSG_RESULT([krb5-config: krb5.h not found])
+	    CPPFLAGS="$saved_cppflags"
+	    use_gssapi="yes"
+	else
+	    CPPFLAGS="$saved_cppflags"
+	    saved_libs="$LIBS"
+	    LIBS="$gssapi_libs $krb5_libs $LIBS"
+	    AC_MSG_CHECKING([krb5-config linking as $LIBS])
+	    AC_TRY_LINK( , [gss_acquire_cred();krb5_init_context()],
+		gssapi_linked=yes, gssapi_linked=no)
+	    case $gssapi_linked in
+		yes) AC_MSG_RESULT([krb5-config: linked]);;
+		no)  AC_MSG_RESULT([krb5-config: could not determine proper GSSAPI linkage])
+		    use_gssapi="yes"
+		    ;;
+	    esac
+	    LIBS=$saved_libs
+	fi
+    fi
+    if test "yes" = "$use_gssapi"; then
+	AC_MSG_CHECKING([for GSSAPI library, non krb5-config method])
+    fi
+    ;;
+esac
+
+case "$host" in
+*darwin*)
+	if test "yes" = "$use_gssapi" -o "auto" = "$use_gssapi"
+	then
+		use_gssapi=framework
+	fi
+	;;
+esac
+
+# gssapi is just the framework, we really require kerberos v5, so
+# look for those headers (the gssapi headers must be there, too)
+# The problem with this implementation is that it doesn't allow
+# for the specification of gssapi and krb5 headers in different locations,
+# which probably ought to be fixed although fixing might raise the issue of
+# trying to build with incompatible versions of gssapi and krb5.
+if test "yes" = "$use_gssapi" -o "auto" = "$use_gssapi"
+then
+	# first, deal with the obvious
+	if test \( -f /usr/include/kerberosv5/krb5.h -o \
+		   -f /usr/include/krb5/krb5.h -o \
+		   -f /usr/include/krb5.h \)   -a \
+		\( -f /usr/include/gssapi.h -o \
+		   -f /usr/include/gssapi/gssapi.h \)
+	then
+		use_gssapi=/usr
+	else
+	    krb5dirs="/usr/local /usr/local/krb5 /usr/local/kerberosv5 /usr/local/kerberos /usr/pkg /usr/krb5 /usr/kerberosv5 /usr/kerberos /usr"
+	    for d in $krb5dirs
+	    do
+		if test -f $d/include/gssapi/gssapi_krb5.h -o \
+			-f $d/include/krb5.h
+		then
+			if test -f $d/include/gssapi/gssapi.h -o \
+				-f $d/include/gssapi.h
+			then
+				use_gssapi=$d
+				break
+			fi
+		fi
+	    done
+	    if test "auto" = "$use_gssapi"
+	    then
+		use_gssapi="no"
+	    fi
+	fi
+fi
+
+case "$use_gssapi" in
+	no)
+		AC_MSG_RESULT(disabled)
+		USE_GSSAPI=''
+		;;
+	yes)
+		AC_MSG_ERROR([--with-gssapi must specify a path])
+		;;
+	*/krb5-config|krb5-config)
+		USE_GSSAPI='-DGSSAPI'
+		DST_GSSAPI_INC="$gssapi_cflags $krb5_cflags"
+		DNS_GSSAPI_LIBS="$gssapi_libs $krb5_libs"
+		;;
+	framework)
+		USE_GSSAPI='-DGSSAPI'
+		ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER <Kerberos/Kerberos.h>"
+		ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER <Kerberos/Kerberos.h>"
+		DNS_GSSAPI_LIBS="-framework Kerberos"
+		AC_MSG_RESULT(framework)
+		;;
+
+	*)
+		AC_MSG_RESULT(looking in $use_gssapi/lib)
+		USE_GSSAPI='-DGSSAPI'
+		saved_cppflags="$CPPFLAGS"
+		CPPFLAGS="-I$use_gssapi/include $CPPFLAGS"
+		AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h,
+		    [ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER <$ac_header>"
+		     gssapi_hack="#include <$ac_header>"])
+
+		if test "" = "$ISC_PLATFORM_GSSAPIHEADER"; then
+		    AC_MSG_ERROR([gssapi.h not found])
+		fi
+
+		AC_CHECK_HEADERS(gssapi_krb5.h gssapi/gssapi_krb5.h,
+		    [ISC_PLATFORM_GSSAPI_KRB5_HEADER="#define ISC_PLATFORM_GSSAPI_KRB5_HEADER <$ac_header>"
+		     gssapi_krb5_hack="#include <$ac_header>"])
+
+		AC_CHECK_HEADERS(krb5.h krb5/krb5.h kerberosv5/krb5.h,
+		    [ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER <$ac_header>"
+		    krb5_hack="#include <$ac_header>"])
+
+		if test "" = "$ISC_PLATFORM_KRB5HEADER"; then
+		    AC_MSG_ERROR([krb5.h not found])
+		fi
+
+		#
+		# XXXDCL This probably doesn't work right on all systems.
+		# It will need to be worked on as problems become evident.
+		#
+		# Essentially the problems here relate to two different
+		# areas.  The first area is building with either KTH
+		# or MIT Kerberos, particularly when both are present on
+		# the machine.  The other is static versus dynamic linking.
+		#
+		# On the KTH vs MIT issue, Both have libkrb5 that can mess
+		# up the works if one implementation ends up trying to
+		# use the other's krb.  This is unfortunately a situation
+		# that very easily arises.
+		#
+		# Dynamic linking when the dependency information is built
+		# into MIT's libgssapi_krb5 or KTH's libgssapi magically makes
+		# all such problems go away, but when that setup is not
+		# present, because either the dynamic libraries lack
+		# dependencies or static linking is being done, then the
+		# problems start to show up.
+		saved_libs="$LIBS"
+		for TRY_LIBS in \
+		    "-lgssapi_krb5" \
+		    "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err" \
+		    "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lresolv" \
+		    "-lgssapi" \
+		    "-lgssapi -lkrb5 -ldes -lcrypt -lasn1 -lroken -lcom_err" \
+		    "-lgssapi -lkrb5 -lcrypt -lasn1 -lroken -lcom_err" \
+		    "-lgssapi -lkrb5 -lgssapi_krb5 -lcrypt -lasn1 -lroken -lcom_err" \
+		    "-lgssapi -lkrb5 -lhx509 -lcrypt -lasn1 -lroken -lcom_err" \
+		    "-lgss -lkrb5"
+		do
+		    # Note that this does not include $saved_libs, because
+		    # on FreeBSD machines this configure script has added
+		    # -L/usr/local/lib to LIBS, which can make the
+		    # -lgssapi_krb5 test succeed with shared libraries even
+		    # when you are trying to build with KTH in /usr/lib.
+		    if test "/usr" = "$use_gssapi"
+		    then
+			    LIBS="$TRY_LIBS $ISC_OPENSSL_LIBS"
+		    else
+			    LIBS="-L$use_gssapi/lib $TRY_LIBS $ISC_OPENSSL_LIBS"
+		    fi
+		    AC_MSG_CHECKING(linking as $TRY_LIBS)
+		    AC_TRY_LINK([
+#include <sys/types.h>
+$gssapi_hack
+$gssapi_krb5_hack
+$krb5_hack
+				] , [gss_acquire_cred(NULL, NULL, 0, NULL, 0, NULL, NULL, NULL);krb5_init_context(NULL);
+#if defined(HAVE_GSSAPI_KRB5_H) || defined(HAVE_GSSAPI_GSSAPI_KRB5_H)
+gsskrb5_register_acceptor_identity(NULL);
+#endif],
+				gssapi_linked=yes, gssapi_linked=no)
+		    case $gssapi_linked in
+		    yes) AC_MSG_RESULT(yes); break ;;
+		    no)  AC_MSG_RESULT(no) ;;
+		    esac
+		done
+
+		CPPFLAGS="$saved_cppflags"
+
+		case $gssapi_linked in
+		no) AC_MSG_ERROR(could not determine proper GSSAPI linkage) ;;
+		esac
+
+		#
+		# XXXDCL Major kludge.  Tries to cope with KTH in /usr/lib
+		# but MIT in /usr/local/lib and trying to build with KTH.
+		# /usr/local/lib can end up earlier on the link lines.
+		# Like most kludges, this one is not only inelegant it
+		# is also likely to be the wrong thing to do at least as
+		# many times as it is the right thing.  Something better
+		# needs to be done.
+		#
+		if test "/usr" = "$use_gssapi" -a \
+			-f /usr/local/lib/libkrb5.a; then
+		    FIX_KTH_VS_MIT=yes
+		fi
+
+		case "$FIX_KTH_VS_MIT" in
+		yes)
+		    case "$enable_static_linking" in
+		    yes) gssapi_lib_suffix=".a"  ;;
+		    *)   gssapi_lib_suffix=".so" ;;
+		    esac
+
+		    for lib in $LIBS; do
+			case $lib in
+			-L*)
+			    ;;
+			-l*)
+			    new_lib=`echo $lib |
+				     sed -e s%^-l%$use_gssapi/lib/lib% \
+					 -e s%$%$gssapi_lib_suffix%`
+			    NEW_LIBS="$NEW_LIBS $new_lib"
+			    ;;
+			*)
+			   AC_MSG_ERROR([KTH vs MIT Kerberos confusion!])
+			    ;;
+			esac
+		    done
+		    LIBS="$NEW_LIBS"
+		    ;;
+		esac
+
+		DST_GSSAPI_INC="-I$use_gssapi/include"
+		DNS_GSSAPI_LIBS="$LIBS"
+
+		AC_MSG_RESULT(using GSSAPI from $use_gssapi/lib and $use_gssapi/include)
+		LIBS="$saved_libs"
+		;;
+esac
+
+AC_SUBST(ISC_PLATFORM_GSSAPIHEADER)
+AC_SUBST(ISC_PLATFORM_GSSAPI_KRB5_HEADER)
+AC_SUBST(ISC_PLATFORM_KRB5HEADER)
+
+AC_SUBST(USE_GSSAPI)
+AC_SUBST(DST_GSSAPI_INC)
+AC_SUBST(DNS_GSSAPI_LIBS)
+DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS"
+
+#
+# Applications linking with libdns also need to link with these libraries.
+#
+
+AC_SUBST(DNS_CRYPTO_LIBS)
+
+#
+# was --with-lmdb specified?
+#
+AC_MSG_CHECKING(for lmdb library)
+
+# [pairwise: --with-lmdb=auto, --with-lmdb=yes, --without-lmdb]
+AC_ARG_WITH(lmdb,
+	    AS_HELP_STRING([--with-lmdb[=PATH]],
+			   [build with LMDB library [yes|no|path]]),
+    use_lmdb="$withval", use_lmdb="auto")
+
+have_lmdb=""
+case "$use_lmdb" in
+	no)
+		LMDB_LIBS=""
+		;;
+	auto|yes)
+		for d in /usr /usr/local /opt/local
+		do
+			if test -f "${d}/include/lmdb.h"
+			then
+				if test ${d} != /usr
+				then
+					LMDB_CFLAGS="-I ${d}/include"
+					LMDB_LIBS="-L${d}/lib"
+				fi
+				have_lmdb="yes"
+			fi
+		done
+		;;
+	*)
+		if test -f "${use_lmdb}/include/lmdb.h"
+		then
+			LMDB_CFLAGS="-I${use_lmdb}/include"
+			LMDB_LIBS="-L${use_lmdb}/lib"
+			have_lmdb="yes"
+		else
+			AC_MSG_ERROR([$use_lmdb/include/lmdb.h not found.])
+		fi
+		;;
+esac
+
+if test "X${have_lmdb}" != "X"
+then
+	AC_MSG_RESULT(yes)
+	AX_SAVE_FLAGS([lmdb])
+	CFLAGS="$CFLAGS $LMDB_CFLAGS"
+	LIBS="$LIBS $LMDB_LIBS"
+	AC_SEARCH_LIBS([mdb_env_create], [lmdb], [],
+		       [AC_MSG_ERROR([found lmdb include but not library.])
+			have_lmdb=""])
+	LMDB_LIBS="$LMDB_LIBS $ac_cv_search_mdb_env_create"
+	AX_RESTORE_FLAGS([lmdb])
+elif test "X$use_lmdb" = Xyes
+then
+	AC_MSG_ERROR([include/lmdb.h not found.])
+else
+	AC_MSG_RESULT(no)
+fi
+AC_SUBST([LMDB_CFLAGS])
+AC_SUBST([LMDB_LIBS])
+
+NZD_TOOLS=""
+NZDSRCS=
+NZDTARGETS=
+if test "X${have_lmdb}" != "X"
+then
+	AC_DEFINE(HAVE_LMDB, 1, [Define if lmdb was found])
+	NZD_TOOLS="nzd"
+	NZDSRCS='${NZDSRCS}'
+	NZDTARGETS='${NZDTARGETS}'
+	NZD_MANS='${nzd_man8_MANS}'
+fi
+AC_SUBST(NZD_TOOLS)
+AC_SUBST(NZDSRCS)
+AC_SUBST(NZDTARGETS)
+AC_SUBST(NZD_MANS)
+
+#
+# was --with-libxml2 specified?
+#
+# [pairwise: --with-libxml2=auto, --with-libxml2=yes, --without-libxml2]
+AC_ARG_WITH([libxml2],
+	    [AS_HELP_STRING([--with-libxml2],
+			    [build with libxml2 library [yes|no|auto] (default is auto)])],
+	    [], [with_libxml2="auto"])
+
+AS_CASE([$with_libxml2],
+	[no],[],
+	[auto],[PKG_CHECK_MODULES([LIBXML2], [libxml-2.0 >= 2.6.0],
+				  [AC_DEFINE([HAVE_LIBXML2], [1], [Use libxml2 library])],
+				  [:])],
+	[yes],[PKG_CHECK_MODULES([LIBXML2], [libxml-2.0 >= 2.6.0],
+				 [AC_DEFINE([HAVE_LIBXML2], [1], [Use libxml2 library])])],
+	[AC_MSG_ERROR([Specifying libxml2 installation path is not supported, adjust PKG_CONFIG_PATH instead])])
+
+#
+# DEPRECATED
+#
+# [pairwise: skip]
+AC_ARG_WITH([libjson],
+	    [AS_HELP_STRING([--with-libjson],
+			    [deprecated, use --with-json-c])],
+	    [AC_MSG_WARN([--with-libjson is DEPRECATED and will be removed in a future release, use --with-json-c instead])],
+	    [with_libjson="detect"])
+
+#
+# was --with-json-c specified?
+#
+# [pairwise: --with-json-c=detect, --with-json-c=yes, --without-json-c]
+AC_ARG_WITH([json-c],
+	    [AS_HELP_STRING([--with-json-c],
+			    [build with json-c library [yes|no|detect] (default is detect)])],
+	    [], [with_json_c="$with_libjson"])
+
+AS_CASE([$with_json_c],
+	[no],[],
+	[detect],[PKG_CHECK_MODULES([JSON_C], [json-c >= 0.11],
+				    [AC_DEFINE([HAVE_JSON_C], [1], [Use json-c library])],
+				    [:])],
+	[yes],[PKG_CHECK_MODULES([JSON_C], [json-c >= 0.11],
+				 [AC_DEFINE([HAVE_JSON_C], [1], [Use json-c library])])],
+	[AC_MSG_ERROR([Specifying json-c installation path is not supported, adjust PKG_CONFIG_PATH instead])]
+       )
+
+AC_SUBST([JSON_C_CFLAGS])
+AC_SUBST([JSON_C_LIBS])
+
+# [pairwise: --with-zlib=auto, --with-zlib=yes, --without-zlib]
+AC_ARG_WITH([zlib],
+           [AS_HELP_STRING([--with-zlib],
+                           [build with zlib for HTTP compression
+                            [default=yes]])],
+	   [], with_zlib="auto")
+
+AS_CASE([$with_zlib],
+       [no],[],
+       [auto],[PKG_CHECK_MODULES([ZLIB], [zlib],
+                                 [AC_DEFINE([HAVE_ZLIB], [1], [Use zlib library])],
+                                 [:])],
+       [yes],[PKG_CHECK_MODULES([ZLIB], [zlib],
+                                [AC_DEFINE([HAVE_ZLIB], [1], [Use zlib library])])],
+       [AC_MSG_ERROR([Specifying zlib installation path is not supported, adjust PKG_CONFIG_PATH instead])])
+AC_SUBST([ZLIB_CFLAGS])
+AC_SUBST([ZLIB_LIBS])
+
+#
+# In solaris 10, SMF can manage named service
+#
+AC_CHECK_LIB(scf, smf_enable_instance)
+
+#
+# Additional compiler settings.
+#
+MKDEPCC="$CC"
+
+MKDEPCFLAGS="-M"
+AS_CASE([$host],
+	[*-solaris*],[
+	    AS_IF([test "$GCC" != "yes"],
+		  [MKDEPCFLAGS="-xM"])])
+
+AS_IF([test "$GCC" = "yes"],
+      [STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -Wno-missing-field-initializers"]
+      )
+
+AX_CHECK_COMPILE_FLAG([-fno-strict-aliasing],
+		      [STD_CWARNINGS="$STD_CWARNINGS -fno-strict-aliasing"])
+AX_CHECK_COMPILE_FLAG([-Werror -fno-delete-null-pointer-checks],
+		      [STC_CWARNINGS="$STD_CWARNINGS -fno-delete-null-pointer-checks"])
+AS_IF([test "$enable_warn_shadow" = "yes"],
+      [AX_CHECK_COMPILE_FLAG([-Wshadow],
+			     [STD_CWARNINGS="$STD_CWARNINGS -Wshadow"])])
+AS_IF([test "$enable_warn_error" = "yes"],
+      [AX_CHECK_COMPILE_FLAG([-Werror],
+			     [STD_CWARNINGS="$STD_CWARNINGS -Werror"])])
+
+AC_SUBST([MKDEPCC])
+AC_SUBST([MKDEPCFLAGS])
+AC_SUBST([MKDEPPROG])
+
+#
+# -lxnet buys us one big porting headache...  standards, gotta love 'em.
+#
+# AC_CHECK_LIB(xnet, socket, ,
+#    AC_CHECK_LIB(socket, socket)
+# )
+#
+# Use this for now, instead:
+#
+case "$host" in
+	*-linux*)
+		;;
+	*)
+		AC_CHECK_LIB(socket, socket)
+		AC_CHECK_LIB(nsl, inet_addr)
+		;;
+esac
+
+#
+# Work around Solaris's select() limitations.
+#
+case "$host" in
+	*-solaris2.[[89]]|*-solaris2.1?)
+	AC_DEFINE(FD_SETSIZE, 65536,
+		  [Solaris hack to get select_large_fdset.])
+	;;
+esac
+
+#
+# Purify support
+#
+AC_MSG_CHECKING(whether to use purify)
+
+# Purify is not included in pairwise testing as that tool is not present
+# in the relevant Docker image.
+#
+# [pairwise: skip]
+AC_ARG_WITH(purify,
+	    AS_HELP_STRING([--with-purify[=PATH]],[use Rational purify]),
+	    use_purify="$withval", use_purify="no")
+
+case "$use_purify" in
+	no)
+		;;
+	yes)
+		AC_PATH_PROG(purify_path, purify, purify)
+		;;
+	*)
+		purify_path="$use_purify"
+		;;
+esac
+
+case "$use_purify" in
+	no)
+		AC_MSG_RESULT(no)
+		PURIFY=""
+		;;
+	*)
+		if test -f "$purify_path" || test purify = "$purify_path"; then
+			AC_MSG_RESULT($purify_path)
+			PURIFYFLAGS="`echo $PURIFYOPTIONS`"
+			PURIFY="$purify_path $PURIFYFLAGS"
+		else
+			AC_MSG_ERROR([$purify_path not found.
+
+Please choose the proper path with the following command:
+
+    configure --with-purify=PATH
+])
+		fi
+		;;
+esac
+
+AC_SUBST(PURIFY)
+
+#
+# Google/Great Performance Tools CPU Profiler
+#
+AC_MSG_CHECKING(whether to use gperftools profiler)
+
+# Google/Great Performance Tools CPU Profiler is not included in
+# pairwise testing as that tool is not present in the relevant Docker
+# image.
+#
+# [pairwise: skip]
+AC_ARG_WITH(gperftools-profiler,
+	    AS_HELP_STRING([--with-gperftools-profiler],
+			   [use gperftools CPU profiler]),
+	    use_profiler="$withval", use_profiler="no")
+
+case $use_profiler in
+	yes)
+		AC_MSG_RESULT(yes)
+		AC_DEFINE([HAVE_GPERFTOOLS_PROFILER], 1,
+		[Define to use gperftools CPU profiler.])
+		LIBS="$LIBS -lprofiler"
+		;;
+	*)
+		AC_MSG_RESULT(no)
+		;;
+esac
+
+#
+# enable/disable dumping stack backtrace.  Also check if the system supports
+# glibc-compatible backtrace() function.
+#
+# [pairwise: --enable-backtrace, --disable-backtrace]
+AC_ARG_ENABLE([backtrace],
+	      [AS_HELP_STRING([--enable-backtrace],
+			      [log stack backtrace on abort [default=yes]])],
+	      [], [enable_backtrace="yes"])
+
+AS_IF([test "$enable_backtrace" = "yes"],
+      [AC_DEFINE([USE_BACKTRACE], [1], [define if we can use backtrace])
+       AC_CHECK_LIB(execinfo,backtrace,EXILIBS=-lexecinfo,EXILIBS=)
+       LIBS="$LIBS $EXILIBS"
+       AC_LINK_IFELSE(
+	 [AC_LANG_PROGRAM(
+	    [[#include <execinfo.h>]],
+	    [[return (backtrace((void **)0, 0));]]
+	  )],
+	 [AC_DEFINE([HAVE_LIBCTRACE], [1], [define if system have backtrace function])],
+	 [AC_LINK_IFELSE(
+	    [AC_LANG_PROGRAM(
+	       [[#include <stddef.h>]],
+	       [[return _Unwind_Backtrace(NULL, NULL);]]
+	     )],
+	    [AC_DEFINE([HAVE_UNWIND_BACKTRACE], [1], [define if the compiler supports _Unwind_Backtrace()])]
+	  )]
+       )])
+
+# [pairwise: --enable-symtable, --disable-symtable]
+AC_ARG_ENABLE(symtable,
+	      AS_HELP_STRING([--enable-symtable],
+			     [use internal symbol table for backtrace
+			      [all|minimal(default)|none]]),
+		want_symtable="$enableval",  want_symtable="minimal")
+case $want_symtable in
+yes|all|minimal)     # "yes" is a hidden value equivalent to "minimal"
+	if test "" = "$PERL"
+	then
+		AC_MSG_ERROR([Internal symbol table requires perl but no perl is found.
+Install perl or explicitly disable the feature by --disable-symtable.])
+	fi
+	if test "yes" = "$use_libtool"; then
+		AC_MSG_WARN([Internal symbol table does not work with libtool.  Disabling symbol table.])
+	else
+		# we generate the internal symbol table only for those systems
+		# known to work to avoid unexpected build failure.  Also, warn
+		# about unsupported systems when the feature is enabled
+		#  manually.
+		case $host_os in
+		freebsd*|netbsd*|openbsd*|linux*|solaris*|darwin*)
+			MKSYMTBL_PROGRAM="$PERL"
+			if test "all" = "$want_symtable"; then
+				ALWAYS_MAKE_SYMTABLE="yes"
+			fi
+			;;
+		*)
+			if test "yes" = "$want_symtable" -o "all" = "$want_symtable"
+			then
+				AC_MSG_WARN([this system is not known to generate internal symbol table safely; disabling it])
+			fi
+		esac
+	fi
+	;;
+*)
+	;;
+esac
+AC_SUBST(MKSYMTBL_PROGRAM)
+AC_SUBST(ALWAYS_MAKE_SYMTABLE)
+
+#
+# File name extension for static archive files, for those few places
+# where they are treated differently from dynamic ones.
+#
+SA=a
+
+AC_SUBST(O)
+AC_SUBST(A)
+AC_SUBST(SA)
+AC_SUBST(LIBTOOL_MKDEP_SED)
+AC_SUBST(LIBTOOL_MODE_COMPILE)
+AC_SUBST(LIBTOOL_MODE_INSTALL)
+AC_SUBST(LIBTOOL_MODE_LINK)
+AC_SUBST(LIBTOOL_MODE_UNINSTALL)
+
+BIND9_CO_RULE=".c.$O:"
+AC_SUBST(BIND9_CO_RULE)
+
+#
+# Here begins a very long section to determine the system's networking
+# capabilities.  The order of the tests is significant.
+#
+
+#
+# We do the IPv6 compilation checking after libtool so that we can put
+# the right suffix on the files.
+#
+AC_MSG_CHECKING([for IPv6 structures])
+AC_COMPILE_IFELSE(
+  [AC_LANG_PROGRAM(
+     [[
+       #include <sys/types.h>
+       #include <sys/socket.h>
+       #include <netinet/in.h>
+     ]],
+     [[
+       struct sockaddr_in6 sin6;
+       struct in6_addr in6;
+       struct in6_pktinfo in6_pi;
+       struct sockaddr_storage storage;
+       in6 = in6addr_any;
+       in6 = in6addr_loopback;
+       sin6.sin6_scope_id = 0;
+       return (0);
+     ]])],
+  [AC_MSG_RESULT([yes])],
+  [AC_MSG_FAILURE([IPv6 support is mandatory])])
+
+#
+# Allow forcibly disabling TCP Fast Open support as autodetection might yield
+# confusing results on some systems (e.g. FreeBSD; see set_tcp_fastopen()
+# comment in lib/isc/unix/socket.c).
+#
+# [pairwise: --enable-tcp-fastopen, --disable-tcp-fastopen]
+AC_ARG_ENABLE([tcp_fastopen],
+	      [AS_HELP_STRING([--disable-tcp-fastopen],
+			      [disable TCP Fast Open support [default=yes]])],
+	     [], [enable_tcp_fastopen="yes"])
+
+AS_IF([test "$enable_tcp_fastopen" = "yes"],
+      [AC_DEFINE([ENABLE_TCP_FASTOPEN], [1], [define if you want TCP_FASTOPEN enabled if available])])
+
+#
+# Check for some other useful functions that are not ever-present.
+#
+AC_CHECK_FUNCS([strlcpy strlcat strnstr])
+
+AC_SUBST(READLINE_LIB)
+
+# [pairwise: --with-readline=auto, --with-readline=yes, --without-readline]
+AC_ARG_WITH(readline,
+	    AS_HELP_STRING([--with-readline[=LIBSPEC]],
+			   [specify readline library [default auto]]),
+	    use_readline="$withval", use_readline="auto")
+case "$use_readline" in
+no)	;;
+*)
+	saved_LIBS="$LIBS"
+	case "$use_readline" in
+	yes|auto) try_readline="-ledit"; or_readline="-lreadline" ;;
+	*) try_readline="$use_readline"
+	esac
+	for readline in "$try_readline" $or_readline
+	do
+		LIBS="$readline"
+		AC_MSG_NOTICE(checking for readline with $readline)
+		AC_CHECK_FUNCS(readline)
+		if test "yes" = "$ac_cv_func_readline"
+		then
+			READLINE_LIB="$readline"
+			break
+		fi
+		for lib in -lterminfo -ltermcap -lncurses -lcurses
+		do
+			AC_MSG_NOTICE(checking for readline with $readline $lib)
+			unset ac_cv_func_readline
+			LIBS="$readline $lib"
+			AC_CHECK_FUNCS(readline)
+			if test "yes" = "$ac_cv_func_readline"
+			then
+				READLINE_LIB="$readline $lib"
+				break
+			fi
+		done
+		if test "yes" = "$ac_cv_func_readline"
+		then
+			break
+		fi
+	done
+	if test "auto" != "$use_readline" &&
+	   test "X$READLINE_LIB" = "X"
+	then
+		AC_MSG_ERROR([The readline library was not found.])
+	fi
+	LIBS="$saved_LIBS"
+	;;
+esac
+if test "yes" = "$ac_cv_func_readline"
+then
+	case "$READLINE_LIB" in
+	*edit*)
+		AC_CHECK_HEADERS(editline/readline.h)
+		AC_CHECK_HEADERS(edit/readline/readline.h)
+		AC_CHECK_HEADERS(edit/readline/history.h)
+		;;
+	esac
+	AC_CHECK_HEADERS(readline/readline.h)
+	AC_CHECK_HEADERS(readline/history.h)
+fi
+
+AC_SUBST(DST_EXTRA_OBJS)
+AC_SUBST(DST_EXTRA_SRCS)
+
+#
+# Security Stuff
+#
+# Note it is very recommended to *not* disable chroot(),
+# this is only because chroot() was made obsolete by Posix.
+#
+# [pairwise: --enable-chroot, --disable-chroot]
+AC_ARG_ENABLE(chroot, AS_HELP_STRING([--disable-chroot], [disable chroot]))
+case "$enable_chroot" in
+	yes|'')
+		AC_CHECK_FUNCS(chroot)
+		;;
+	no)
+		;;
+esac
+
+LIBCAP_LIBS=""
+AC_MSG_CHECKING([whether to enable Linux capabilities])
+
+# [pairwise: --enable-linux-caps, --disable-linux-caps]
+AC_ARG_ENABLE([linux-caps],
+	      [AS_HELP_STRING([--disable-linux-caps],
+			      [disable Linux capabilities])],
+	      [],
+	      [AS_CASE([$host],
+		       [*-linux*],[enable_linux_caps=yes],
+		       [enable_linux_caps=no])])
+
+AS_IF([test "$enable_linux_caps" = "yes"],
+      [AC_MSG_RESULT([yes])
+       AC_CHECK_HEADERS([sys/capability.h],
+			[],
+			[AC_MSG_ERROR(m4_normalize([sys/capability.h header is required for Linux capabilities support.
+						    Either install libcap or use --disable-linux-caps.]))])
+       AX_SAVE_FLAGS([cap])
+       AC_SEARCH_LIBS([cap_set_proc], [cap],
+		      [LIBCAP_LIBS="$ac_cv_search_cap_set_proc"],
+		      [AC_MSG_ERROR(m4_normalize([libcap is required for Linux capabilities support.
+						  Either install libcap or use --disable-linux-caps.]))])
+       AX_RESTORE_FLAGS([cap])],
+      [AC_MSG_RESULT([no])])
+AC_SUBST([LIBCAP_LIBS])
+
+AC_CHECK_HEADERS(sys/un.h,
+ISC_PLATFORM_HAVESYSUNH="#define ISC_PLATFORM_HAVESYSUNH 1"
+,
+ISC_PLATFORM_HAVESYSUNH="#undef ISC_PLATFORM_HAVESYSUNH"
+)
+AC_SUBST(ISC_PLATFORM_HAVESYSUNH)
+
+case "$host" in
+*-solaris*)
+	AC_DEFINE(NEED_SECURE_DIRECTORY, 1,
+		  [Define if connect does not honour the permission on the UNIX domain socket.])
+	;;
+esac
+
+#
+# Time Zone Stuff
+#
+AC_CHECK_FUNCS([tzset])
+
+AC_MSG_CHECKING(for optarg declaration)
+AC_TRY_COMPILE([
+#include <unistd.h>
+],
+[optarg = 0;],
+[AC_MSG_RESULT(yes)],
+[AC_MSG_RESULT(no)
+GEN_NEED_OPTARG="-DNEED_OPTARG=1"
+AC_DEFINE(NEED_OPTARG, 1, [Defined if extern char *optarg is not declared.])])
+
+#
+# Check for nanoseconds in file stats
+#
+AC_MSG_CHECKING([for st_mtim.tv_nsec])
+AC_COMPILE_IFELSE(
+  [AC_LANG_PROGRAM(
+     [[#include <sys/fcntl.h>]],
+     [[struct stat s;
+       return(s.st_mtim.tv_nsec);
+      ]])],
+   [AC_DEFINE([HAVE_STAT_NSEC], [1], [define if struct stat has st_mtim.tv_nsec field])])
+
+#
+# Check for if_nametoindex() for IPv6 scoped addresses support
+#
+AC_CHECK_FUNCS([if_nametoindex])
+
+ISC_ATOMIC_LIBS=""
+AC_CHECK_HEADERS(
+  [stdatomic.h],
+  [AC_MSG_CHECKING([for memory model aware atomic operations])
+   AC_COMPILE_IFELSE(
+     [AC_LANG_PROGRAM(
+	[[#include <stdatomic.h>]],
+	[[atomic_int_fast32_t val = 0; atomic_fetch_add_explicit(&val, 1, memory_order_relaxed);]]
+      )],
+     [AC_MSG_RESULT([stdatomic.h])
+      AC_MSG_CHECKING([whether -latomic is needed for 64-bit stdatomic.h functions])
+      AC_LINK_IFELSE(
+	[AC_LANG_PROGRAM(
+	   [[#include <stdatomic.h>]],
+	   [[atomic_int_fast64_t val = 0; atomic_fetch_add_explicit(&val, 1, memory_order_relaxed);]]
+	 )],
+	[AC_MSG_RESULT([no])],
+	[ISC_ATOMIC_LIBS="-latomic"
+	 AX_SAVE_FLAGS([atomic])
+	 LIBS="$LIBS $ISC_ATOMIC_LIBS"
+	 AC_LINK_IFELSE(
+	   [AC_LANG_PROGRAM(
+	      [[#include <stdatomic.h>]],
+	      [[atomic_int_fast64_t val = 0; atomic_fetch_add_explicit(&val, 1, memory_order_relaxed);]]
+	    )],
+	   [AC_MSG_RESULT([yes])],
+	   [AC_MSG_FAILURE([libatomic needed, but linking with -latomic failed, please fix your toolchain.])])
+	 AX_RESTORE_FLAGS([atomic])
+	])
+     ],
+     [AC_MSG_FAILURE([stdatomic.h header found, but compilation failed, please fix your toolchain.])]
+   )],
+  [AC_MSG_CHECKING([for memory model aware atomic operations])
+   AC_COMPILE_IFELSE(
+     [AC_LANG_PROGRAM(
+	[[#include <inttypes.h>]],
+	[[int32_t val = 0; __atomic_fetch_add(&val, 1, __ATOMIC_RELAXED);]]
+      )],
+     [AC_MSG_RESULT([__atomic builtins])
+      AC_DEFINE([HAVE___ATOMIC], [1], [define if __atomic builtins are not available])
+      AC_MSG_CHECKING([whether -latomic is needed for 64-bit __atomic builtins])
+      AC_LINK_IFELSE(
+	[AC_LANG_PROGRAM(
+	   [[#include <inttypes.h>]],
+	   [[int64_t val = 0; __atomic_fetch_add(&val, 1, __ATOMIC_RELAXED);]]
+	 )],
+	[AC_MSG_RESULT([no])],
+	[ISC_ATOMIC_LIBS="-latomic"
+	 AX_SAVE_FLAGS([atomic])
+	 LIBS="$LIBS $ISC_ATOMIC_LIBS"
+	 AC_LINK_IFELSE(
+	   [AC_LANG_PROGRAM(
+	      [[#include <inttypes.h>]],
+	      [[int64_t val = 0; __atomic_fetch_add(&val, 1, __ATOMIC_RELAXED);]]
+	    )],
+	   [AC_MSG_RESULT([yes])],
+	   [AC_MSG_FAILURE([libatomic needed, but linking with -latomic failed, please fix your toolchain.])])
+	 AX_RESTORE_FLAGS([atomic])
+	])
+     ],
+     [AC_MSG_RESULT([__sync builtins])
+     ])
+  ])
+LIBS="$LIBS $ISC_ATOMIC_LIBS"
+
+AC_CHECK_HEADERS([stdalign.h])
+
+AC_CHECK_HEADERS([uchar.h])
+
+#
+# Check for __builtin_unreachable
+#
+AC_MSG_CHECKING([compiler support for __builtin_unreachable()])
+AC_LINK_IFELSE(
+  [AC_LANG_PROGRAM(
+     [[]],
+     [[__builtin_unreachable();]]
+   )],
+  [AC_MSG_RESULT([yes])
+   AC_DEFINE([HAVE_BUILTIN_UNREACHABLE], [1], [define if the compiler supports __builtin_unreachable().])
+  ],
+  [AC_MSG_RESULT([no])
+  ])
+
+#
+# Check for __builtin_expect
+#
+AC_MSG_CHECKING([compiler support for __builtin_expect])
+AC_TRY_LINK(, [
+	return (__builtin_expect(1, 1) ? 1 : 0);
+], [
+	have_builtin_expect=yes
+	AC_MSG_RESULT(yes)
+], [
+	have_builtin_expect=no
+	AC_MSG_RESULT(no)
+])
+if test "yes" = "$have_builtin_expect"; then
+	AC_DEFINE(HAVE_BUILTIN_EXPECT, 1, [Define to 1 if the compiler supports __builtin_expect.])
+fi
+
+#
+# Check for __builtin_clz
+#
+AC_MSG_CHECKING([compiler support for __builtin_clz])
+AC_TRY_LINK(, [
+	return (__builtin_clz(0xff) == 24 ? 1 : 0);
+], [
+	have_builtin_clz=yes
+	AC_MSG_RESULT(yes)
+], [
+	have_builtin_clz=no
+	AC_MSG_RESULT(no)
+])
+if test "yes" = "$have_builtin_clz"; then
+	AC_DEFINE(HAVE_BUILTIN_CLZ, 1, [Define to 1 if the compiler supports __builtin_clz.])
+fi
+
+#
+# Activate "rrset-order fixed" or not?
+#
+# [pairwise: --enable-fixed-rrset, --disable-fixed-rrset]
+AC_ARG_ENABLE(fixed-rrset,
+	      AS_HELP_STRING([--enable-fixed-rrset],
+			     [enable fixed rrset ordering [default=no]]),
+	      enable_fixed="$enableval", enable_fixed="no")
+case "$enable_fixed" in
+	yes)
+		AC_DEFINE(DNS_RDATASET_FIXED, 1,
+			  [Define to enable "rrset-order fixed" syntax.])
+		;;
+	no)
+		;;
+	*)
+		;;
+esac
+
+#
+# Activate dnstap?
+#
+# [pairwise: --enable-dnstap, --disable-dnstap]
+AC_ARG_ENABLE(dnstap,
+	      AS_HELP_STRING([--enable-dnstap],
+			     [enable dnstap support
+				(requires fstrm, protobuf-c)]),
+	      use_dnstap=$enableval, use_dnstap=no)
+
+DNSTAP=
+DNSTAPSRCS=
+DNSTAPOBJS=
+DNSTAPTARGETS=
+if test "x$use_dnstap" != "xno"; then
+
+	# [pairwise: skip]
+	AC_ARG_WITH([protobuf-c],
+		    AS_HELP_STRING([--with-protobuf-c=path],
+				   [Path where protobuf-c is installed, for dnstap]), [
+	    # workaround for protobuf-c includes at old dir
+	    # before protobuf-c-1.0.0
+	    if test -f $withval/include/google/protobuf-c/protobuf-c.h
+	    then
+		PROTOBUF_C_CFLAGS="-I$withval/include/google"
+	    else
+		PROTOBUF_C_CFLAGS="-I$withval/include"
+	    fi
+	    PROTOBUF_C_LIBS="-L$withval/lib"
+	    AC_PATH_PROG([PROTOC_C], [protoc-c], [],
+			 [$PATH$PATH_SEPARATOR$withval/bin])
+	], [
+	    # workaround for protobuf-c includes at old dir
+	    # before protobuf-c-1.0.0
+	    if test -f /usr/include/google/protobuf-c/protobuf-c.h
+	    then
+		PROTOBUF_C_CFLAGS="-I/usr/include/google"
+	    else
+		if test -f /usr/local/include/google/protobuf-c/protobuf-c.h
+		then
+		    PROTOBUF_C_CFLAGS="-I/usr/local/include/google"
+		    PROTOBUF_C_LIBS="-L/usr/local/lib"
+		elif test -f /opt/local/include/google/protobuf-c/protobuf-c.h
+		then
+		    PROTOBUF_C_CFLAGS="-I/opt/local/include/google"
+		    PROTOBUF_C_LIBS="-L/opt/local/lib"
+		fi
+	    fi
+	    AC_PATH_PROG([PROTOC_C],[protoc-c])
+	])
+	if test -z "$PROTOC_C"; then
+		AC_MSG_ERROR([The protoc-c program was not found.])
+	fi
+
+	# [pairwise: skip]
+	AC_ARG_WITH([libfstrm], AS_HELP_STRING([--with-libfstrm=path],
+		    [Path where libfstrm is installed, for dnstap]), [
+	    FSTRM_CFLAGS="-I$withval/include"
+	    FSTRM_LIBS="-L$withval/lib"
+	    AC_PATH_PROG([FSTRM_CAPTURE], [fstrm_capture], [], [$PATH$PATH_SEPARATOR$withval/bin])
+	],[
+	    for d in /usr /usr/local /opt/local
+	    do
+		if test -f "${d}/include/fstrm.h"
+		then
+		    if test ${d} != /usr
+		    then
+			FSTRM_CFLAGS="-I${d}/include"
+			FSTRM_LIBS="-L${d}/lib"
+		    fi
+		    have_fstrm="$d"
+		    break
+		fi
+	    done
+	    if test -z "$have_fstrm"; then
+		AC_PATH_PROG([FSTRM_CAPTURE], [fstrm_capture])
+	    else
+		AC_PATH_PROG([FSTRM_CAPTURE], [fstrm_capture], [], [$PATH$PATH_SEPARATOR$have_fstrm/bin])
+	    fi
+	])
+	AX_SAVE_FLAGS([dnstap])
+	CFLAGS="$CFLAGS $PROTOBUF_C_CFLAGS $FSTRM_CFLAGS"
+	LIBS="$LDFLAGS $PROTOBUF_C_LIBS $FSTRM_LIBS"
+
+	AC_SEARCH_LIBS([fstrm_iothr_init], [fstrm], [],
+		       AC_MSG_ERROR([The fstrm library was not found. Please install fstrm!]))
+	FSTRM_LIBS="$FSTRM_LIBS $ac_cv_search_fstrm_iothr_init"
+
+	AC_SEARCH_LIBS([protobuf_c_message_pack], [protobuf-c], [],
+		       AC_MSG_ERROR([The protobuf-c library was not found. Please install protobuf-c!]))
+	PROTOBUF_C_LIBS="$PROTOBUF_C_LIBS $ac_cv_search_protobuf_c_message_pack"
+
+	AX_RESTORE_FLAGS([dnstap])
+	AC_DEFINE(HAVE_DNSTAP, 1, [Define to 1 to enable dnstap support])
+	DNSTAP=dnstap
+	DNSTAPSRCS='${DNSTAPSRCS}'
+	DNSTAPOBJS='${DNSTAPOBJS}'
+	DNSTAPTARGETS='${DNSTAPTARGETS}'
+	DNSTAP_MANS='${dnstap_man1_MANS}'
+fi
+AC_SUBST(DNSTAP)
+AC_SUBST(DNSTAPSRCS)
+AC_SUBST(DNSTAPOBJS)
+AC_SUBST(DNSTAPTARGETS)
+AC_SUBST(DNSTAP_MANS)
+AC_SUBST([PROTOBUF_C_CFLAGS])
+AC_SUBST([PROTOBUF_C_LIBS])
+AC_SUBST([FSTRM_CFLAGS])
+AC_SUBST([FSTRM_LIBS])
+
+#
+#  The following sets up how non-blocking i/o is established.
+#  cygwin and solaris 2.x (x<5) require special handling.
+#
+case "$host" in
+*-cygwin*) AC_DEFINE(PORT_NONBLOCK, O_NDELAY);;
+*-solaris2.[[01234]])
+	AC_DEFINE(PORT_NONBLOCK, O_NONBLOCK)
+	AC_DEFINE(USE_FIONBIO_IOCTL, 1,
+		  [Defined if you need to use ioctl(FIONBIO) instead a fcntl call to make non-blocking.])
+	;;
+*) AC_DEFINE(PORT_NONBLOCK, O_NONBLOCK,
+	     [Sets which flag to pass to open/fcntl to make non-blocking (O_NDELAY/O_NONBLOCK).])
+	;;
+esac
+#
+# Solaris 2.5.1 and earlier cannot bind() then connect() a TCP socket.
+# This prevents the source address being set.
+#
+case "$host" in
+*-solaris2.[[012345]]|*-solaris2.5.1)
+	AC_DEFINE(BROKEN_TCP_BIND_BEFORE_CONNECT, 1,
+		  [Define if you cannot bind() before connect() for TCP sockets.])
+	;;
+esac
+#
+# The following sections deal with tools used for formatting
+# the documentation.  They are all optional, unless you are
+# a developer editing the documentation source.
+#
+
+#
+# The following sections deal with tools used for formatting
+# the documentation.  They are all optional, unless you are
+# a developer editing the documentation source.
+#
+
+#
+# Look for sphinx-build
+#
+AC_ARG_VAR([SPHINX_BUILD], [path to sphinx-build binary used to build the documentation])
+AC_PATH_PROG([SPHINX_BUILD], [sphinx-build], [:])
+AM_CONDITIONAL([HAVE_SPHINX_BUILD], [test "$SPHINX_BUILD" != ":"])
+
+AC_PATH_PROG([XELATEX], [xelatex], [:])
+AC_PATH_PROG([LATEXMK], [latexmk], [:])
+AM_CONDITIONAL([HAVE_XELATEX], [test "$XELATEX" != ":" && test "$LATEXMK" != ":"])
+
+#
+# Build the man pages only if we have prebuilt manpages or we can build them from RST sources
+#
+BUILD_MANPAGES=
+AS_IF([test -e doc/man/named.conf.5in || test "$SPHINX_BUILD" != ":"],
+      [BUILD_MANPAGES=man])
+AC_SUBST([BUILD_MANPAGES])
+
+#
+# Pull release date from CHANGES file last modification date
+# for reproducible builds
+#
+release_date=`date -u -r CHANGES +%Y-%m-%d`
+AC_SUBST([RELEASE_DATE], $release_date)
+
+# Don't build the documentation if the sphinx-build is not present
+PDFTARGET=
+HTMLTARGET=
+MANSRCS=
+AS_IF([test -n "$SPHINX_BUILD"],[
+	  MANSRCS='$(MANPAGES_IN)'
+	  HTMLTARGET='html dirhtml'
+	  AC_PATH_PROGS([PDFLATEX], [pdflatex], [])
+	  AC_PATH_PROGS([LATEXMK], [latexmk], [])
+	  AS_IF([test -n "$PDFLATEX" && test -n "$LATEXMK"],[
+		    PDFTARGET='pdf'
+		])
+      ])
+AC_SUBST([HTMLTARGET])
+AC_SUBST([PDFTARGET])
+AC_SUBST([MANSRCS])
+
+#
+# Look for Doxygen
+#
+AC_PATH_PROGS([DOXYGEN], [doxygen])
+AC_SUBST(DOXYGEN)
+
+#
+# Look for curl
+#
+
+AC_PATH_PROG(CURL, curl, curl)
+AC_SUBST(CURL)
+
+#
+# Look for xsltproc
+#
+
+AC_PATH_PROG(XSLTPROC, xsltproc, xsltproc)
+AC_SUBST(XSLTPROC)
+
+#
+# IDN support using libidn2
+#
+
+LIBIDN2_CFLAGS=
+LIBIDN2_LDFLAGS=
+LIBIDN2_LIBS=
+
+# [pairwise: --with-libidn2=yes, --without-libidn2]
+AC_ARG_WITH([libidn2],
+	    [AS_HELP_STRING([--with-libidn2[=PATH]], [enable IDN support using GNU libidn2 [yes|no(default)|path]])],
+	    [with_libidn2="$withval"], [with_libidn2="no"])
+AS_CASE([$with_libidn2],
+	[yes],	[PKG_CHECK_MODULES([LIBIDN2], [libidn2],
+				   [AC_DEFINE([HAVE_LIBIDN2], [1], [Define if libidn2 was found])])],
+	[no],	[],
+	[*],	[AX_SAVE_FLAGS([libidn2])
+		 LIBIDN2_CFLAGS="-I$with_libidn2/include"
+		 LIBIDN2_LDFLAGS="-L$with_libidn2/lib"
+		 CFLAGS="$LIBIDN2_CFLAGS $CFLAGS"
+		 CPPFLAGS="$LIBIDN2_CFLAGS $CPPFLAGS"
+		 LDFLAGS="$LIBIDN2_LDFLAGS $LDFLAGS"
+		 AC_CHECK_HEADERS([idn2.h],
+				  [],
+				  [AC_MSG_ERROR([idn2.h not found])])
+		 AC_SEARCH_LIBS([idn2_to_ascii_lz], [idn2],
+				[LIBIDN2_LIBS="$ac_cv_search_idn2_to_ascii_lz"
+				 AC_DEFINE([HAVE_LIBIDN2], [1], [Define if libidn2 was found])],
+				[AC_MSG_ERROR([libidn2 requested, but not found])])
+		AX_RESTORE_FLAGS([libidn2])])
+AC_SUBST([LIBIDN2_CFLAGS])
+AC_SUBST([LIBIDN2_LDFLAGS])
+AC_SUBST([LIBIDN2_LIBS])
+
+#
+# Check whether to build with cmocka unit testing framework
+#
+# [pairwise: --with-cmocka=detect, --with-cmocka=yes, --without-cmocka]
+AC_ARG_WITH([cmocka],
+	    [AS_HELP_STRING([--with-cmocka=detect],[enable CMocka based tests (default is detect)])],
+	    [],[with_cmocka=detect])
+
+AS_CASE([$with_cmocka],
+	[no],[],
+	[detect],[PKG_CHECK_MODULES([CMOCKA], [cmocka >= 1.1.3],
+				    [AC_DEFINE([HAVE_CMOCKA], [1], [Use CMocka])
+				     with_cmocka=yes],[with_cmocka=no])],
+	[yes],[PKG_CHECK_MODULES([CMOCKA], [cmocka >= 1.1.3],
+				 [AC_DEFINE([HAVE_CMOCKA], [1], [Use CMocka])])],
+	[AC_MSG_ERROR([Use PKG_CONFIG_PATH to specify path to CMocka library])]
+       )
+AC_SUBST([CMOCKA_CFLAGS])
+AC_SUBST([CMOCKA_LIBS])
+
+AC_DEFINE([SKIPPED_TEST_EXIT_CODE], [0], [Exit code for skipped tests])
+
+#
+# Check for kyua execution engine if CMocka was requested
+# and bail out if execution engine was not found
+#
+AC_ARG_VAR([KYUA], [path to kyua execution engine])
+AS_IF([test "$with_cmocka" != "no"],
+      [AC_PATH_PROGS([KYUA], [kyua], [])
+       AS_IF([test -z "$KYUA"],
+             [AC_MSG_WARN([kyua test execution engine not found])],
+             [UNITTESTS=tests])])
+AC_SUBST([KYUA])
+AC_SUBST([UNITTESTS])
+
+#
+# Check for -Wl,--wrap= support
+#
+
+LD_WRAP_TESTS=false
+AC_MSG_CHECKING([for linker support for --wrap option])
+AX_SAVE_FLAGS([wrap])
+LDFLAGS="-Wl,--wrap,exit"
+AC_LINK_IFELSE(
+    [AC_LANG_PROGRAM([[#include <stdlib.h>
+		       void __real_exit (int status);
+		       void __wrap_exit (int status) { __real_exit (0); }
+		      ]],
+		     [[exit (1);]])],
+    [LD_WRAP_TESTS=true
+     AC_DEFINE([LD_WRAP], [1], [define if the linker supports --wrap option])
+     AC_MSG_RESULT([yes])],
+    [AC_MSG_RESULT([no])])
+AX_RESTORE_FLAGS([wrap])
+
+AC_SUBST([LD_WRAP_TESTS])
+
+#
+# Check for i18n
+#
+AC_CHECK_HEADERS(locale.h)
+AC_CHECK_FUNCS(setlocale)
+
+#
+# was --with-tuning specified?
+#
+# [pairwise: --with-tuning=small, --without-tuning]
+AC_ARG_WITH([tuning],
+	    AS_HELP_STRING([--with-tuning=ARG],
+			   [Specify server tuning (default or small)]),
+	    [],[with_tuning=no])
+
+AS_CASE([$with_tuning],
+	[small],[AC_MSG_NOTICE(using small system tuning)],
+	[AC_DEFINE(TUNE_LARGE, 1, [Define to use default system tuning.])
+	 AC_MSG_NOTICE(using default system tuning)])
+
+#
+# was --enable-querytrace specified?
+#
+# [pairwise: --enable-querytrace, --disable-querytrace]
+AC_ARG_ENABLE(querytrace,
+	      AS_HELP_STRING([--enable-querytrace],
+			     [enable very verbose query trace logging
+				[default=no]]),
+	      want_querytrace="$enableval", want_querytrace="no")
+
+AC_MSG_CHECKING([whether to enable query trace logging])
+case "$want_querytrace" in
+yes)
+	AC_MSG_RESULT(yes)
+	AC_DEFINE(WANT_QUERYTRACE, 1, [Define to enable very verbose query trace logging.])
+	;;
+no)
+	AC_MSG_RESULT(no)
+	;;
+*)
+	AC_MSG_ERROR("--enable-querytrace requires yes or no")
+	;;
+esac
+
+#
+# Was --disable-auto-validation specified?
+#
+
+validation_default=auto
+
+# [pairwise: --enable-auto-validation, --disable-auto-validation]
+AC_ARG_ENABLE(auto-validation,
+	      AS_HELP_STRING([--enable-auto-validation],
+			     [turn on DNSSEC validation by default, using the IANA root key [default=yes]]),
+	      [:],[enable_auto_validation=yes])
+AS_IF([test "$enable_auto_validation" = "no"],[validation_default=yes])
+AC_DEFINE_UNQUOTED([VALIDATION_DEFAULT], ["$validation_default"], [the default value of dnssec-validation option])
+
+#
+# Substitutions
+#
+AC_SUBST(BIND9_TOP_BUILDDIR)
+BIND9_TOP_BUILDDIR=`pwd`
+
+AC_SUBST(BIND9_ISC_BUILDINCLUDE)
+AC_SUBST(BIND9_ISCCC_BUILDINCLUDE)
+AC_SUBST(BIND9_ISCCFG_BUILDINCLUDE)
+AC_SUBST(BIND9_DNS_BUILDINCLUDE)
+AC_SUBST(BIND9_NS_BUILDINCLUDE)
+AC_SUBST(BIND9_BIND9_BUILDINCLUDE)
+AC_SUBST(BIND9_IRS_BUILDINCLUDE)
+if test "X$srcdir" != "X"; then
+	BIND9_ISC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isc/include"
+	BIND9_ISCCC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccc/include"
+	BIND9_ISCCFG_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccfg/include"
+	BIND9_DNS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/dns/include"
+	BIND9_NS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/ns/include"
+	BIND9_BIND9_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/bind9/include"
+	BIND9_IRS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/irs/include"
+else
+	BIND9_ISC_BUILDINCLUDE=""
+	BIND9_ISCCC_BUILDINCLUDE=""
+	BIND9_ISCCFG_BUILDINCLUDE=""
+	BIND9_DNS_BUILDINCLUDE=""
+	BIND9_NS_BUILDINCLUDE=""
+	BIND9_BIND9_BUILDINCLUDE=""
+	BIND9_IRS_BUILDINCLUDE=""
+fi
+
+AC_SUBST_FILE(BIND9_MAKE_INCLUDES)
+BIND9_MAKE_INCLUDES=$BIND9_TOP_BUILDDIR/make/includes
+
+AC_SUBST_FILE(BIND9_MAKE_RULES)
+BIND9_MAKE_RULES=$BIND9_TOP_BUILDDIR/make/rules
+
+. "$srcdir/version"
+BIND9_PRODUCT="PRODUCT=\"${PRODUCT}\""
+AC_SUBST(BIND9_PRODUCT)
+BIND9_DESCRIPTION="DESCRIPTION=\"${DESCRIPTION}\""
+AC_SUBST(BIND9_DESCRIPTION)
+BIND9_VERSION="${MAJORVER}.${MINORVER}${PATCHVER:+.}${PATCHVER}${RELEASETYPE}${RELEASEVER}${EXTENSIONS}"
+AC_SUBST(BIND9_VERSION)
+BIND9_MAJOR="MAJOR=${MAJORVER}.${MINORVER}"
+AC_SUBST(BIND9_MAJOR)
+BIND9_VERSIONSTRING="${PRODUCT} ${MAJORVER}.${MINORVER}${PATCHVER:+.}${PATCHVER}${RELEASETYPE}${RELEASEVER}${EXTENSIONS}${DESCRIPTION:+ }${DESCRIPTION}"
+AC_SUBST(BIND9_VERSIONSTRING)
+
+BIND9_SRCID="SRCID=unset_id"
+if test -f "${srcdir}/srcid"; then
+	. "${srcdir}/srcid"
+	BIND9_SRCID="SRCID=$SRCID"
+elif test -d "${srcdir}/.git"; then
+	BIND9_SRCID="SRCID="`(cd "${srcdir}";git rev-parse --short HEAD)`
+fi
+
+AC_SUBST(BIND9_SRCID)
+
+if test -z "$ac_configure_args"; then
+	BIND9_CONFIGARGS="defaults"
+else
+	for a in $ac_configure_args
+	do
+		BIND9_CONFIGARGS="$BIND9_CONFIGARGS $a"
+	done
+fi
+BIND9_CONFIGARGS="`echo $BIND9_CONFIGARGS | sed 's/^ //'`"
+BIND9_CONFIGARGS="CONFIGARGS=${BIND9_CONFIGARGS}"
+AC_SUBST(BIND9_CONFIGARGS)
+
+AC_SUBST_FILE(LIBDNS_MAPAPI)
+LIBDNS_MAPAPI="$srcdir/lib/dns/mapapi"
+
+#
+# Configure any DLZ drivers.
+#
+# If config.dlz.in selects one or more DLZ drivers, it will set
+# CONTRIB_DLZ to a non-empty value, which will be our clue to
+# build DLZ drivers in contrib.
+#
+# This section has to come after the libtool stuff because it needs to
+# know how to name the driver object files.
+#
+
+CONTRIB_DLZ=""
+DLZ_DRIVER_INCLUDES=""
+DLZ_DRIVER_LIBS=""
+DLZ_DRIVER_SRCS=""
+DLZ_DRIVER_OBJS=""
+DLZ_SYSTEM_TEST=""
+DLZ_DRIVER_MYSQL_INCLUDES=""
+DLZ_DRIVER_MYSQL_LIBS=""
+
+#
+# Configure support for building a shared library object
+#
+# Even when libtool is available it can't always be relied upon
+# to build an object that can be dlopen()'ed, but this is necessary
+# for building the dlzexternal system test, so we'll try it the
+# old-fashioned way.
+#
+SO="so"
+SO_CFLAGS=""
+SO_LDFLAGS=""
+SO_LD=""
+SO_TARGETS=""
+SO_STRIP="cat"
+
+# [pairwise: skip]
+AC_ARG_WITH([dlopen],
+	    AS_HELP_STRING([--with-dlopen=ARG],
+			   [support dynamically loadable DLZ and DYNDB drivers]),
+	    [], [with_dlopen="auto"])
+
+
+#
+# If PIC is disabled, dlopen must also be
+#
+AS_IF([test "$pic_mode" = "no"],
+      [AS_CASE([$with_dlopen],
+	       [auto],[with_dlopen="no"],
+	       [yes],[AC_MSG_ERROR([--with-dlopen requires PIC])])])
+
+AS_CASE([$with_dlopen],
+	[auto|yes],[
+	  # -fsanitize=thread hijacks dlopen and dlclose so use dlsym.
+	  AC_SEARCH_LIBS([dlsym],[dl])
+	  AC_CHECK_FUNCS([dlopen dlclose dlsym],
+			 [with_dlopen="yes"],
+			 [with_dlopen="no"])
+	])
+
+AS_IF([test "$with_dlopen" = "yes"],
+      [AS_CASE([$host],
+	       [*-linux*|*-gnu*],[
+		 LDFLAGS="${LDFLAGS} -Wl,--export-dynamic"
+		 SO_CFLAGS="-fPIC"
+		 SO_LDFLAGS=""
+		 AS_IF([test "$use_libtool" = "yes"],[
+			 SO_LDFLAGS="-Xcompiler -shared"
+			 SO_LD="${CC}"
+		       ],[
+			 SO_LDFLAGS="-shared"
+			 SO_LD="${CC}"
+		       ])
+	       ],
+	       [*-freebsd*|*-openbsd*|*-netbsd*],[
+		 LDFLAGS="${LDFLAGS} -Wl,-E"
+		 SO_CFLAGS="-fpic"
+		 AS_IF([test "$use_libtool" = "yes"],[
+			 SO_LDFLAGS="-Xcompiler -shared"
+			 SO_LD="${CC}"
+		       ],[
+			 SO_LDFLAGS="-shared"
+			 SO_LD="${CC}"
+		       ])
+	       ],
+	       [*-darwin*],[
+		 SO_CFLAGS="-fPIC"
+                 SO_LD="${CC}"
+		 AS_IF([test "$use_libtool" = "yes"],[
+			 SO_LDFLAGS="-Xcompiler -dynamiclib -undefined dynamic_lookup"
+		       ],[
+			 SO_LDFLAGS="-dynamiclib -undefined dynamic_lookup"
+		       ])
+	       ],
+	       [*-solaris*],[
+		 SO_CFLAGS="-KPIC"
+		 SO_LDFLAGS="-G -z text"
+		 SO_LD="ld"
+	       ],
+	       [ia64-hp-hpux*],[
+		 SO_CFLAGS="+z"
+	         SO_LDFLAGS="-b"
+		 SO_LD="${CC}"
+	       ],
+	       [
+		 SO_CFLAGS="-fPIC"
+	       ])
+       AS_IF([test "$GCC" = "yes"],[
+	       SO_CFLAGS="-fPIC"
+	       AS_IF([test -z "$SO_LD"],
+		     [AS_IF([test "$use_libtool" = "yes"],[
+			      SO_LDFLAGS="-Xcompiler -shared"
+			      SO_LD="${CC}"
+			    ],[
+			      SO_LDFLAGS="-shared"
+			      SO_LD="${CC}"
+			    ])
+		     ])
+	     ])
+       # If we still don't know how to make shared objects, don't make any.
+       AS_IF([test -n "$SO_LD"],
+	     [SO_TARGETS="\${SO_TARGETS}"
+	      AC_DEFINE([ISC_DLZ_DLOPEN], [1],
+			[Define to allow building of objects for dlopen().])
+	     ])
+      ])
+
+AS_IF([test "$with_dlopen" = "no" -a "$enable_native_pkcs11" = "yes"],
+      [AC_MSG_ERROR([PKCS11 requires dlopen() support])])
+
+CFLAGS="$CFLAGS $SO_CFLAGS"
+
+AC_SUBST(SO)
+AC_SUBST(SO_CFLAGS)
+AC_SUBST(SO_LDFLAGS)
+AC_SUBST(SO_LD)
+AC_SUBST(SO_STRIP)
+AC_SUBST(SO_TARGETS)
+
+#
+# Response policy rewriting using DNS Response Policy Service (DNSRPS)
+# interface.
+#
+# DNSRPS can be compiled into BIND everywhere with a reasonably
+# modern C compiler.  It is enabled on systems with dlopen() and librpz.so.
+#
+dnsrps_avail=yes
+AC_MSG_CHECKING([for librpz __attribute__s])
+AC_COMPILE_IFELSE(
+  [AC_LANG_PROGRAM(
+     [[]],
+     [[
+       extern void f(char *p __attribute__((unused)), ...)
+       __attribute__((format(printf,1,2))) __attribute__((__noreturn__));
+     ]])],
+  [
+    librpz_have_attr=yes
+    AC_DEFINE([LIBRPZ_HAVE_ATTR], [1], [have __attribute__s used in librpz.h])
+    AC_MSG_RESULT([yes])
+  ],[
+    librpz_have_attr=no
+    AC_MSG_RESULT([no])
+  ])
+
+# DNSRPS builds are included in pairwise testing along --enable-native-pkcs11
+# tests above as both of these features require --with-dlopen (see also the
+# relevant comment there).
+#
+# [pairwise: skip]
+AC_ARG_ENABLE([dnsrps-dl],
+	      [AS_HELP_STRING([--enable-dnsrps-dl],
+			      [DNS Response Policy Service delayed link
+			       [default=$librpz_dl]])],
+	      [enable_librpz_dl="$enableval"], [enable_librpz_dl="$with_dlopen"])
+
+AS_IF([test "$enable_librpz_dl" = "yes" -a "$with_dlopen" = "no"],
+      [AC_MSG_ERROR([DNS Response Policy Service delayed link requires dlopen to be enabled])])
+
+# [pairwise: skip]
+AC_ARG_WITH([dnsrps-libname],
+	    [AS_HELP_STRING([--with-dnsrps-libname],
+			    [DNSRPS provider library name (librpz.so)])],
+	    [librpz_name="$withval"], [librpz_name="librpz.so"])
+
+# [pairwise: skip]
+AC_ARG_WITH([dnsrps-dir],
+	    [AS_HELP_STRING([--with-dnsrps-dir],
+			    [path to DNSRPS provider library])],
+	    [librpz_path="$withval/$librpz_name"], [librpz_path="$librpz_name"])
+AC_DEFINE_UNQUOTED([DNSRPS_LIBRPZ_PATH], ["$librpz_path"],
+		   [dnsrps $librpz_name])
+AS_IF([test "$enable_librpz_dl" = "yes"],
+      [
+	dnsrps_lib_open=2
+      ],[
+	dnsrps_lib_open=1
+	# Add librpz.so to linked libraries if we are not using dlopen()
+	AC_SEARCH_LIBS([librpz_client_create], [rpz], [],
+		[dnsrps_lib_open=0
+		 dnsrps_avail=no])
+      ])
+AC_DEFINE_UNQUOTED([DNSRPS_LIB_OPEN], [$dnsrps_lib_open],
+		   [0=no DNSRPS  1=static link  2=dlopen()])
+
+# [pairwise: skip]
+AC_ARG_ENABLE([dnsrps],
+	      AS_HELP_STRING([--enable-dnsrps],
+			     [enable DNS Response Policy Service API]),
+	      [enable_dnsrps=$enableval], [enable_dnsrps=no])
+
+AS_IF([test "$enable_dnsrps" != "no"],[
+	AS_IF([test "$dnsrps_avail" != "yes"],
+	      [AC_MSG_ERROR([dlopen and librpz.so needed for DNSRPS])])
+	AS_IF([test "$dnsrps_lib_open" = "0"],
+	      [AC_MSG_ERROR([dlopen and librpz.so needed for DNSRPS])])
+	AC_DEFINE([USE_DNSRPS], [1], [Enable DNS Response Policy Service API])
+      ])
+
+sinclude(contrib/dlz/config.dlz.in)
+AC_MSG_CHECKING(contributed DLZ drivers)
+
+#
+# Support for constructor and destructor attributes
+#
+AX_GCC_FUNC_ATTRIBUTE([constructor])
+AX_GCC_FUNC_ATTRIBUTE([destructor])
+
+if test -n "$CONTRIB_DLZ"
+then
+	AC_MSG_RESULT(yes)
+	DLZ_DRIVER_RULES=contrib/dlz/drivers/rules
+	AC_CONFIG_FILES([$DLZ_DRIVER_RULES
+		contrib/dlz/modules/mysql/Makefile
+		contrib/dlz/modules/mysqldyn/Makefile])
+else
+	AC_MSG_RESULT(no)
+	DLZ_DRIVER_RULES=/dev/null
+fi
+
+AC_SUBST(CONTRIB_DLZ)
+AC_SUBST(DLZ_DRIVER_INCLUDES)
+AC_SUBST(DLZ_DRIVER_LIBS)
+AC_SUBST(DLZ_DRIVER_SRCS)
+AC_SUBST(DLZ_DRIVER_OBJS)
+AC_SUBST(DLZ_SYSTEM_TEST)
+AC_SUBST(DLZ_DRIVER_MYSQL_INCLUDES)
+AC_SUBST(DLZ_DRIVER_MYSQL_LIBS)
+AC_SUBST_FILE(DLZ_DRIVER_RULES)
+
+if test "yes" = "$cross_compiling"; then
+	if test -z "$BUILD_CC"; then
+		AC_MSG_ERROR([BUILD_CC not set])
+	fi
+	BUILD_CFLAGS="$BUILD_CFLAGS"
+	BUILD_CPPFLAGS="$BUILD_CPPFLAGS"
+	BUILD_LDFLAGS="$BUILD_LDFLAGS"
+	BUILD_LIBS="$BUILD_LIBS"
+else
+	BUILD_CC="$CC"
+	BUILD_CFLAGS="$CFLAGS"
+	BUILD_CPPFLAGS="$CPPFLAGS $GEN_NEED_OPTARG"
+	BUILD_LDFLAGS="$LDFLAGS"
+	BUILD_LIBS="$LIBS"
+fi
+
+NEWFLAGS=""
+for e in $BUILD_LDFLAGS ; do
+    case $e in
+	-L*)
+	    case $host_os in
+		netbsd*)
+		    ee=`echo $e | sed -e 's%^-L%-Wl,-rpath,%'`
+		    NEWFLAGS="$NEWFLAGS $e $ee"
+		    ;;
+		freebsd*)
+		    ee=`echo $e | sed -e 's%^-L%-Wl,-rpath,%'`
+		    NEWFLAGS="$NEWFLAGS $e $ee"
+		    ;;
+		solaris*)
+		    ee=`echo $e | sed -e 's%^-L%-R%'`
+		    NEWFLAGS="$NEWFLAGS $e $ee"
+		    ;;
+		*)
+		    NEWFLAGS="$NEWFLAGS $e"
+		    ;;
+		esac
+	    ;;
+	*)
+	    NEWFLAGS="$NEWFLAGS $e"
+	    ;;
+    esac
+done
+BUILD_LDFLAGS="$NEWFLAGS"
+
+NEWFLAGS=""
+for e in $DNS_GSSAPI_LIBS ; do
+    case $e in
+	-L*)
+	    case $host_os in
+		netbsd*)
+		    ee=`echo $e | sed -e 's%^-L%-Wl,-rpath,%'`
+		    NEWFLAGS="$NEWFLAGS $e $ee"
+		    ;;
+		freebsd*)
+		    ee=`echo $e | sed -e 's%^-L%-Wl,-rpath,%'`
+		    NEWFLAGS="$NEWFLAGS $e $ee"
+		    ;;
+		solaris*)
+		    ee=`echo $e | sed -e 's%^-L%-R%'`
+		    NEWFLAGS="$NEWFLAGS $e $ee"
+		    ;;
+		*)
+		    NEWFLAGS="$NEWFLAGS $e"
+		    ;;
+		esac
+	    ;;
+	*)
+	    NEWFLAGS="$NEWFLAGS $e"
+	    ;;
+    esac
+done
+DNS_GSSAPI_LIBS="$NEWFLAGS"
+
+NEWFLAGS=""
+for e in $ISC_OPENSSL_LIBS ; do
+    case $e in
+	-L*)
+	    case $host_os in
+		netbsd*)
+		    ee=`echo $e | sed -e 's%^-L%-Wl,-rpath,%'`
+		    NEWFLAGS="$NEWFLAGS $e $ee"
+		    ;;
+		freebsd*)
+		    ee=`echo $e | sed -e 's%^-L%-Wl,-rpath,%'`
+		    NEWFLAGS="$NEWFLAGS $e $ee"
+		    ;;
+		solaris*)
+		    ee=`echo $e | sed -e 's%^-L%-R%'`
+		    NEWFLAGS="$NEWFLAGS $e $ee"
+		    ;;
+		*)
+		    NEWFLAGS="$NEWFLAGS $e"
+		    ;;
+		esac
+	    ;;
+	*)
+	    NEWFLAGS="$NEWFLAGS $e"
+	    ;;
+    esac
+done
+ISC_OPENSSL_LIBS="$NEWFLAGS"
+
+NEWFLAGS=""
+for e in $DNS_CRYPTO_LIBS ; do
+    case $e in
+	-L*)
+	    case $host_os in
+		netbsd*)
+		    ee=`echo $e | sed -e 's%^-L%-Wl,-rpath,%'`
+		    NEWFLAGS="$NEWFLAGS $e $ee"
+		    ;;
+		freebsd*)
+		    ee=`echo $e | sed -e 's%^-L%-Wl,-rpath,%'`
+		    NEWFLAGS="$NEWFLAGS $e $ee"
+		    ;;
+		solaris*)
+		    ee=`echo $e | sed -e 's%^-L%-R%'`
+		    NEWFLAGS="$NEWFLAGS $e $ee"
+		    ;;
+		*)
+		    NEWFLAGS="$NEWFLAGS $e"
+		    ;;
+		esac
+	    ;;
+	*)
+	    NEWFLAGS="$NEWFLAGS $e"
+	    ;;
+    esac
+done
+DNS_CRYPTO_LIBS="$NEWFLAGS"
+
+AC_SUBST(BUILD_CC)
+AC_SUBST(BUILD_CFLAGS)
+AC_SUBST(BUILD_CPPFLAGS)
+AC_SUBST(BUILD_LDFLAGS)
+AC_SUBST(BUILD_LIBS)
+
+#
+# Commands to run at the end of config.status.
+# Don't just put these into configure, it won't work right if somebody
+# runs config.status directly (which autoconf allows).
+#
+
+AC_CONFIG_COMMANDS(
+	[chmod],
+	[chmod a+x doc/doxygen/doxygen-input-filter])
+
+#
+# Files to configure.  These are listed here because we used to
+# specify them as arguments to AC_OUTPUT.  It's (now) ok to move these
+# elsewhere if there's a good reason for doing so.
+#
+
+AC_CONFIG_FILES([
+	Makefile
+	bin/Makefile
+	bin/check/Makefile
+	bin/confgen/Makefile
+	bin/confgen/unix/Makefile
+	bin/delv/Makefile
+	bin/dig/Makefile
+	bin/dnssec/Makefile
+	bin/named/Makefile
+	bin/named/unix/Makefile
+	bin/nsupdate/Makefile
+	bin/pkcs11/Makefile
+	bin/plugins/Makefile
+	bin/python/Makefile
+	bin/python/dnssec-checkds.py
+	bin/python/dnssec-coverage.py
+	bin/python/dnssec-keymgr.py
+	bin/python/isc/Makefile
+	bin/python/isc/__init__.py
+	bin/python/isc/checkds.py
+	bin/python/isc/coverage.py
+	bin/python/isc/dnskey.py
+	bin/python/isc/eventlist.py
+	bin/python/isc/keydict.py
+	bin/python/isc/keyevent.py
+	bin/python/isc/keymgr.py
+	bin/python/isc/keyseries.py
+	bin/python/isc/keyzone.py
+	bin/python/isc/policy.py
+	bin/python/isc/rndc.py
+	bin/python/isc/tests/Makefile
+	bin/python/isc/tests/dnskey_test.py
+	bin/python/isc/tests/policy_test.py
+	bin/python/isc/utils.py
+	bin/rndc/Makefile
+	bin/tests/Makefile
+	bin/tests/headerdep_test.sh
+	bin/tests/optional/Makefile
+	bin/tests/pkcs11/Makefile
+	bin/tests/pkcs11/benchmarks/Makefile
+	bin/tests/system/Makefile
+	bin/tests/system/conf.sh
+	bin/tests/system/dlzexternal/Makefile
+	bin/tests/system/dlzexternal/ns1/dlzs.conf
+	bin/tests/system/dyndb/Makefile
+	bin/tests/system/dyndb/driver/Makefile
+	bin/tests/system/pipelined/Makefile
+	bin/tests/system/rndc/Makefile
+	bin/tests/system/rpz/Makefile
+	bin/tests/system/rsabigexponent/Makefile
+	bin/tests/system/tkey/Makefile
+	bin/tools/Makefile
+	contrib/scripts/check-secure-delegation.pl
+	contrib/scripts/zone-edit.sh
+	doc/Makefile
+	doc/arm/Makefile
+	doc/doxygen/Doxyfile
+	doc/doxygen/Makefile
+	doc/doxygen/doxygen-input-filter
+	doc/man/Makefile
+	doc/misc/Makefile
+	fuzz/Makefile
+	lib/Makefile
+	lib/bind9/Makefile
+	lib/bind9/include/Makefile
+	lib/bind9/include/bind9/Makefile
+	lib/dns/Makefile
+	lib/dns/include/Makefile
+	lib/dns/include/dns/Makefile
+	lib/dns/include/dst/Makefile
+	lib/dns/tests/Makefile
+	lib/irs/Makefile
+	lib/irs/include/Makefile
+	lib/irs/include/irs/Makefile
+	lib/irs/include/irs/netdb.h
+	lib/irs/include/irs/platform.h
+	lib/irs/tests/Makefile
+	lib/isc/Makefile
+	lib/isc/include/Makefile
+	lib/isc/include/isc/Makefile
+	lib/isc/include/isc/platform.h
+	lib/isc/include/pk11/Makefile
+	lib/isc/include/pkcs11/Makefile
+	lib/isc/netmgr/Makefile
+	lib/isc/pthreads/Makefile
+	lib/isc/pthreads/include/Makefile
+	lib/isc/pthreads/include/isc/Makefile
+	lib/isc/tests/Makefile
+	lib/isc/unix/Makefile
+	lib/isc/unix/include/Makefile
+	lib/isc/unix/include/isc/Makefile
+	lib/isccc/Makefile
+	lib/isccc/include/Makefile
+	lib/isccc/include/isccc/Makefile
+	lib/isccc/tests/Makefile
+	lib/isccfg/Makefile
+	lib/isccfg/include/Makefile
+	lib/isccfg/include/isccfg/Makefile
+	lib/isccfg/tests/Makefile
+	lib/ns/Makefile
+	lib/ns/include/Makefile
+	lib/ns/include/ns/Makefile
+	lib/ns/tests/Makefile
+	make/Makefile
+	make/mkdep
+	unit/unittest.sh
+	util/check-make-install
+])
+
+#
+# Do it
+#
+
+AC_OUTPUT
+
+#
+# Now that the Makefiles exist we can ensure that everything is rebuilt.
+#
+# [pairwise: --with-make-clean, --without-make-clean]
+AC_ARG_WITH(make-clean,
+	    AS_HELP_STRING([--with-make-clean],
+			   [run "make clean" at end of configure [yes|no]]),
+    make_clean="$withval", make_clean="yes")
+case "$make_clean" in
+yes)
+	if test "yes" != "$no_create"
+	then
+		if test "yes" = "$silent"
+		then
+			make clean > /dev/null
+		else
+			make clean
+		fi
+	fi
+	;;
+esac
+
+# [pairwise: --enable-full-report, --disable-full-report]
+AC_ARG_ENABLE(full-report,
+	      AS_HELP_STRING([--enable-full-report],
+			     [report values of all configure options]))
+
+report() {
+    echo "==============================================================================="
+    echo "Configuration summary:"
+    echo "-------------------------------------------------------------------------------"
+    echo "Optional features enabled:"
+    if test "yes" = "$enable_full_report" -o "standard" = "$with_locktype"; then
+	echo "    Mutex lock type: $with_locktype"
+    fi
+    test "small" = "$with_tuning" && echo "    Small-system tuning (--with-tuning)"
+    test "no" = "$use_dnstap" || \
+	    echo "    Allow 'dnstap' packet logging (--enable-dnstap)"
+    test -z "$MAXMINDDB_LIBS" || echo "    GeoIP2 access control (--enable-geoip)"
+    test "no" = "$use_gssapi" || echo "    GSS-API (--with-gssapi)"
+
+    # these lines are only printed if run with --enable-full-report
+    if test "yes" = "$enable_full_report"; then
+	test "no" = "$found_ipv6" || echo "    IPv6 support (--enable-ipv6)"
+	test "X$PYTHON" = "X" || echo "    Python tools (--with-python)"
+	test "X$LIBXML2_LIBS" = "X" || echo "    XML statistics (--with-libxml2)"
+	test "X$JSON_C_LIBS" = "X" || echo "    JSON statistics (--with-json-c): $JSON_C_CFLAGS $JSON_C_LIBS"
+	test "X$ZLIB_LIBS" = "X" || echo "    HTTP zlib compression (--with-zlib)"
+	test "X$NZD_TOOLS" = "X" || echo "    LMDB database to store configuration for 'addzone' zones (--with-lmdb)"
+	test "no" = "$with_libidn2" || echo "    IDN support (--with-libidn2)"
+    fi
+
+    test "yes" = "$enable_dnsrps" && \
+	echo "    DNS Response Policy Service interface (--enable-dnsrps)"
+    test "yes" = "$enable_fixed" && \
+	echo "    Allow 'fixed' rrset-order (--enable-fixed-rrset)"
+    test "yes" = "$enable_backtrace" && \
+	echo "    Print backtrace on crash (--enable-backtrace)"
+    test "minimal" = "$want_symtable" && \
+	echo "    Use symbol table for backtrace, named only (--enable-symtable)"
+    test "yes" = "$want_symtable" -o "all" = "$want_symtable" && \
+	echo "    Use symbol table for backtrace, all binaries (--enable-symtable=all)"
+    test "no" = "$use_libtool" || echo "    Use GNU libtool (--with-libtool)"
+    test "yes" = "$want_querytrace" && \
+	echo "    Very verbose query trace logging (--enable-querytrace)"
+    test "no" = "$with_cmocka" || echo "    CMocka Unit Testing Framework (--with-cmocka)"
+
+    test "auto" = "$validation_default" && echo "    DNSSEC validation active by default (--enable-auto-validation)"
+
+    test "$CRYPTO" = "pkcs11" && (
+	echo "    Using PKCS#11 for Public-Key Cryptography (--with-native-pkcs11)"
+	echo "    PKCS#11 module (--with-pkcs11): $with_pkcs11"
+	echo "    +--------------------------------------------+"
+	echo "    |             ==== WARNING ====              |"
+	echo "    |                                            |"
+	echo "    | The use of native PKCS#11 for Public-Key   |"
+	echo "    | Cryptography in BIND 9 has been deprecated |"
+	echo "    | in favor of OpenSSL engine_pkcs11 from the |"
+	echo "    | OpenSC project. The --with-native-pkcs11   |"
+	echo "    | configuration option will be removed from  |"
+	echo "    | the next major BIND 9 release. The option  |"
+	echo "    | to use the engine_pkcs11 OpenSSL engine is |"
+	echo "    | already available in BIND 9; please see    |"
+	echo "    | the ARM section on PKCS#11 for details.    |"
+	echo "    +--------------------------------------------+"
+    )
+
+    dlz_enabled=no
+
+    echo "    Dynamically loadable zone (DLZ) drivers:"
+    AS_IF([test "$use_dlz_bdb" != "no"],
+	  [AS_ECHO(["        Berkeley DB (--with-dlz-bdb)"])
+	   dlz_enabled=yes])
+    AS_IF([test "$use_dlz_ldap" != "no"],
+	  [AS_ECHO(["        LDAP (--with-dlz-ldap)"])
+	   dlz_enabled=yes])
+    AS_IF([test "$use_dlz_mysql" != "no"],
+	  [AS_ECHO(["        MySQL (--with-dlz-mysql)"])
+	   dlz_enabled=yes])
+    AS_IF([test "$use_dlz_odbc" != "no"],
+	  [AS_ECHO(["        ODBC (--with-dlz-odbc)"])
+	   dlz_enabled=yes])
+    AS_IF([test "$use_dlz_postgres" != "no"],
+	  [AS_ECHO(["        Postgres (--with-dlz-postgres)"])
+	   dlz_enabled=yes])
+    AS_IF([test "$use_dlz_filesystem" != "no"],
+	  [AS_ECHO(["        Filesystem (--with-dlz-filesystem)"])
+	   dlz_enabled=yes])
+    AS_IF([test "$use_dlz_stub" != "no"],
+	  [AS_ECHO(["        Stub (--with-dlz-stub)"])
+	   dlz_enabled=yes])
+
+    AS_IF([test "$dlz_enabled" = "no"],
+	  [AS_ECHO(["        None"])],
+	  [AS_ECHO(["    +--------------------------------------------------------+"])
+	   AS_ECHO(["    |             ==== DEPRECATION WARNING ====              |"])
+	   AS_ECHO(["    +--------------------------------------------------------+"])
+	   AS_ECHO(["    | Old-style DLZ drivers have been deprecated in favor of |"])
+	   AS_ECHO(["    | DLZ modules. The DLZ drivers configuration option will |"])
+	   AS_ECHO(["    | be removed from the next major BIND 9 release.         |"])
+	   AS_ECHO(["    |                                                        |"])
+	   AS_ECHO(["    | The option to use the DLZ modules is already available |"])
+	   AS_ECHO(["    | in BIND 9; please see the ARM section on DLZ modules.  |"])
+	   AS_ECHO(["    +--------------------------------------------------------+"])
+	  ])
+
+    echo "-------------------------------------------------------------------------------"
+
+    echo "Features disabled or unavailable on this platform:"
+    test "no" = "$found_ipv6" && echo "    IPv6 support (--enable-ipv6)"
+    test "small" = "$with_tuning" || echo "    Small-system tuning (--with-tuning)"
+
+    test "no" = "$use_dnstap" && \
+	    echo "    Allow 'dnstap' packet logging (--enable-dnstap)"
+    test -z "$MAXMINDDB_LIBS" && echo "    GeoIP2 access control (--enable-geoip)"
+    test "no" = "$use_gssapi" && echo "    GSS-API (--with-gssapi)"
+
+    test "no" = "$enable_dnsrps" && \
+	echo "    DNS Response Policy Service interface (--enable-dnsrps)"
+
+    test "yes" = "$enable_fixed" || \
+	echo "    Allow 'fixed' rrset-order (--enable-fixed-rrset)"
+
+    test "yes" = "$validation_default" && echo "    DNSSEC validation requires configuration (--enablee-auto-validation)"
+
+    test "$CRYPTO" = "pkcs11" || (
+	echo "    Using PKCS#11 for Public-Key Cryptography (--with-native-pkcs11)"
+    )
+
+    test "yes" = "$enable_backtrace" || \
+	echo "    Print backtrace on crash (--enable-backtrace)"
+    test "yes" = "$want_querytrace" || \
+	echo "    Very verbose query trace logging (--enable-querytrace)"
+
+    test "yes" = "$use_libtool" || echo "    Use GNU libtool (--with-libtool)"
+    test "no" = "$with_cmocka" && echo "    CMocka Unit Testing Framework (--with-cmocka)"
+
+    test "X$PYTHON" = "X" && echo "    Python tools (--with-python)"
+    test "X$LIBXML2_LIBS" = "X" && echo "    XML statistics (--with-libxml2)"
+    test "X$JSON_C_LIBS" = "X" && echo "    JSON statistics (--with-json-c)"
+    test "X$ZLIB_LIBS" = "X" && echo "    HTTP zlib compression (--with-zlib)"
+    test "X$NZD_TOOLS" = "X" && echo "    LMDB database to store configuration for 'addzone' zones (--with-lmdb)"
+    test "no" = "$with_libidn2" && echo "    IDN support (--with-libidn2)"
+
+    echo "-------------------------------------------------------------------------------"
+    echo "Configured paths:"
+    echo "    prefix: $prefix"
+    echo "    sysconfdir: $sysconfdir"
+    echo "    localstatedir: $localstatedir"
+    echo "-------------------------------------------------------------------------------"
+    echo "Compiler: $CC"
+    AS_IF([test "$GCC" = "yes"],
+	  [$CC --version 2>&1 | sed 's/^/    /'],
+	  [AS_CASE([$host],
+		   [*-solaris*],[$CC -V 2>&1 | sed 's/^/    /'],
+		   [$CC --version 2>&1 | sed 's/^/    /'])])
+
+    if test "X$ac_unrecognized_opts" != "X"; then
+	echo "Unrecognized options:"
+	echo "    $ac_unrecognized_opts"
+    fi
+
+    if test "yes" != "$enable_full_report"; then
+	echo "-------------------------------------------------------------------------------"
+	echo "For more detail, use --enable-full-report."
+    fi
+    echo "==============================================================================="
+}
+
+if test "yes" != "$silent"; then
+	report
+fi
+
+# Tell Emacs to edit this file in shell mode.
+# Local Variables:
+# mode: sh
+# End:
diff --git a/contrib/README b/contrib/README
new file mode 100644
index 0000000..f8fc639
--- /dev/null
+++ b/contrib/README
@@ -0,0 +1,52 @@
+<!--
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0.  If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+-->
+
+This directory contains scripts, tools, and other useful accessories to
+BIND 9.  Contrib software is not supported by ISC, but reported bugs will
+be fixed as time permits.
+
+    - scripts/
+
+      Assorted useful scripts, including 'nanny' which monitors 
+      named and restarts it in the event of a crash, 'zone-edit'
+      which enables editing of a dynamic zone, and others.
+
+    - dane/
+
+      mkdane.sh generates TLSA records for use with DNS-based
+      Authentication of Named Entities (DANE).
+
+    - dnspriv/
+
+      Sample configuration for setting up a DNS-over-TLS server
+      using BIND with Nginx as a TLS proxy.
+
+    - kasp/
+
+      Scripts for converting key and signature policies from OpenDNSSEC
+      KASP format to the policy.conf format used by dnssec-keymgr.
+
+    - dlz/modules
+
+      Dynamically linkable DLZ modules that can be configured into
+      named at runtime, enabling access to external data sources including
+      LDAP, MySQL, Berkeley DB, perl scripts, etc.
+
+    - dlz/drivers
+
+      Old-style DLZ drivers that can be linked into named at compile
+      time. (These are no longer actively maintained and are expected
+      to be removed eventually.)
+
+Some links to useful software and other resources related to BIND 9 and
+DNS can be found at https://www.isc.org/dns-tools-and-resources.
diff --git a/contrib/dane/mkdane.sh b/contrib/dane/mkdane.sh
new file mode 100755
index 0000000..7c33b7c
--- /dev/null
+++ b/contrib/dane/mkdane.sh
@@ -0,0 +1,130 @@
+#!/bin/sh
+
+# Copyright (C) 2010, 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+USAGE="$BASENAME [options] <filename>
+Options:
+        -f <input format>: PEM | DLR
+        -n <name>: record name (default: _443._tcp)
+        -o <origin>: zone origin (default: none; name will be relative)
+        -m <matching type>: NONE (0) | SHA256 (1) | SHA512 (2)
+        -r <RR type>: TLSA
+        -s <selector>: FULL (0) | PK (1)
+        -t <ttl>: TTL of the TLSA record (default: none)
+        -u <certificate usage>: CA (0) | SERVICE (1) | TA (2) | DOMAIN (3)"
+
+NM="_443._tcp"
+CU=2
+SELECTOR=0
+MTYPE=1
+IN=
+FORM=PEM
+TTL=
+RRTYPE=TLSA
+BASENAME=`basename $0`;
+
+while getopts "xn:o:u:s:t:m:i:f:r:" c; do
+    case $c in
+	x) set -x; DEBUG=-x;;
+	m) MTYPE="$OPTARG";;
+        n) NM="$OPTARG";;
+        o) ORIGIN="$OPTARG";;
+        r) RRTYPE="$OPTARG";;
+	s) SELECTOR="$OPTARG";;
+        t) TTL="$OPTARG";;
+	u) CU="$OPTARG";;
+	*) echo "$USAGE" 1>&2; exit 1;;
+    esac
+done
+shift `expr $OPTIND - 1 || true`
+
+if test "$#" -eq 1; then
+    IN=$1
+else
+    echo "$USAGE" 1>&2; exit 1
+fi
+
+ORIGIN=`echo $ORIGIN | sed 's/\([^.]$\)/\1./'`
+if [ -n "$ORIGIN" ]; then
+    NM=`echo $NM | sed 's/\.$//'`
+    NM="$NM.$ORIGIN"
+fi
+
+case "$CU" in
+    [Cc][Aa]) CU=0;;
+    [Ss][Ee][Rr][Vv]*) CU=1;;
+    [Tt][Aa]) CU=2;;
+    [Dd][Oo][Mm]*) CU=3;;
+    [0123]) ;;
+    *) echo "bad certificate usage -u \"$CU\"" 1>&2; exit 1;;
+esac
+
+case "$SELECTOR" in
+    [Ff][Uu][Ll][Ll]) SELECTOR=0;;
+    [Pp][Kk]) SELECTOR=1;;
+    [01]) ;;
+    *) echo "bad selector -s \"$SELECTOR\"" 1>&2; exit 1;;
+esac
+
+case "$MTYPE" in
+    0|[Nn][Oo][Nn][Ee]) HASH='od -A n -v -t xC';;
+    1|[Ss][Hh][Aa]256) HASH='openssl dgst -sha256';;
+    2|[Ss][Hh][Aa]512) HASH='openssl dgst -sha512';;
+    *) echo "bad matching type -m \"$MTYPE\"" 1>&2; exit 1;;
+esac
+
+case "$FORM" in
+    [Pp][Ee][Mm]) FORM=PEM;;
+    [Dd][Ll][Rr]) FORM=DLR;;
+    *) echo "bad input file format -f \"$FORM\"" 1>&2; exit 1
+esac
+
+case "$RRTYPE" in
+    [Tt][Ll][Ss][Aa]) RRTYPE=TLSA;;
+    *) echo "invalid RR type" 1>&2; exit 1
+esac
+
+if test -z "$IN" -o ! -s "$IN"; then
+    echo "bad input file -i \"$IN\"" 1>&2; exit 1
+fi
+
+echo "; $BASENAME -o$NM -u$CU -s$SELECTOR -m$MTYPE -f$FORM $IN"
+
+(if test "$SELECTOR" = 0; then
+    openssl x509 -in "$IN" -inform "$FORM" -outform DER
+else
+    openssl x509 -in "$IN" -inform "$FORM" -noout -pubkey		\
+	| sed -e '/PUBLIC KEY/d'					\
+	| openssl base64 -d 
+fi)									\
+    | $HASH								\
+    | awk '
+	# format Association Data as in Appendix C of the DANE RFC
+	BEGIN {
+		print "'"$NM\t\t$TTL\tIN TLSA\t$CU $SELECTOR $MTYPE"' ("; 
+		leader = "\t\t\t\t\t"; 
+	}
+	/.+/ {
+	    gsub(/ +/, "", $0);
+	    buf = buf $0;
+	    while (length(buf) >= 36) {
+		print leader substr(buf, 1, 36);
+		buf = substr(buf, 37);
+	    }
+	}
+	END {
+            if (length(buf) > 34)
+                print leader buf "\n" leader ")";
+            else
+                print leader buf " )";
+        }'
diff --git a/contrib/dane/tlsa6698.pem b/contrib/dane/tlsa6698.pem
new file mode 100644
index 0000000..9b9c1ee
--- /dev/null
+++ b/contrib/dane/tlsa6698.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEVDCCArwCCQCrWNJOd60q9jANBgkqhkiG9w0BAQUFADBsMQswCQYDVQQGEwJO
+TDEWMBQGA1UECBMNTm9vcmQtSG9sbGFuZDESMBAGA1UEBxMJQW1zdGVyZGFtMQww
+CgYDVQQKEwNPUzMxIzAhBgNVBAMTGmRhbmUua2lldi5wcmFjdGljdW0ub3MzLm5s
+MB4XDTEyMDExNjE2NTcwM1oXDTIyMDExMzE2NTcwM1owbDELMAkGA1UEBhMCTkwx
+FjAUBgNVBAgTDU5vb3JkLUhvbGxhbmQxEjAQBgNVBAcTCUFtc3RlcmRhbTEMMAoG
+A1UEChMDT1MzMSMwIQYDVQQDExpkYW5lLmtpZXYucHJhY3RpY3VtLm9zMy5ubDCC
+AaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAOYshKWv5Z8KKmslDe5oesjF
+xgT1fSbOshGRQP+sOMS5y76JIwguf4Fia2rV3qDIdxx048qn9hMFSu+jZz5I/+R7
+P3r5h94oGmgjCyS52hqY3L5RGVtg5C/XUXwyjZg+JqgnyHerkU7kwb/erUi9Jb5f
+LEc7qcHLvd2gw3TQ1Yw4nMPW2MIGYuGc92jzJEG399FK6olmznwyoXIqs4Yj0AgC
+mp5HAog/i5d6Gh5Skr+K1yI51AOTN7hqOsYPoAEpBFIXe/F5hgmgWhMPAzRXpSEm
+KfvduOcOKp5lVoc8T3ykauSosXjwX7MZAF4cHH1L1336NANVY8EmqiwzKLkA55kK
+yXh/AdqC90w9S2Z0zOzh/Uxu+eZkT0Y17e2jnYsOL3yOBtrndWITvT1ggxF1vikE
+QrSvxa5vRrdphVoGfBCX5heWJSnhZvIq7hDduYG4zW/xfT1wcjFpA42/vBpEnI0N
+MbxoPF884mFI5C7Ju9TZ8mFWmyW1PB1/wt3/a0ysBQIDAQABMA0GCSqGSIb3DQEB
+BQUAA4IBgQArKr4GPpyGrEofeDU3IJEHnIJ2qcLF0exXZN5SP92r3qs/005v5sug
+VFgKZ4WmY1ldkBMrk9Rzkp6B+giH0v/3ioHH0BS5d3irasnl5pD29anpK7X7q3G4
+V65ptuGL3MsLpvzZ1LCEo082NRSMSV1I/mNZA7iI7B3rJhBUjt1I1j+GUTpFYkaY
+MUjA1duC1zpMNQpCu2YddjQw/GyOX50T6ht2qlKkw1jl6gQAD3lGGDA6ts7qTpqO
+nHTXPBsLe68W3t52lrXi8gb3dxAPVyfhaE1BMvXmkvR69nVuqLQhAAvgMbXY8CIO
+Q2tR+xVP6VlTM8E6JAP53gjl3cWiL9YYLjOVk+JjdEUCILwU8+QP8z8IRSawnDQl
+BwLoo1KzMszLD53izysziCO5KvxhwLa4q9ta9xjtjdqXwpjka4KgGxSBSGjPpPLD
+Ymi//0pZH0Jli/dZGJAtPkJt/h1f8PxqISBx9tqL2DP+LlYNh3dejukzPAW2+461
+ZYnZENteqQM=
+-----END CERTIFICATE-----
diff --git a/contrib/dlz/bin/dlzbdb/Makefile.in b/contrib/dlz/bin/dlzbdb/Makefile.in
new file mode 100644
index 0000000..345c54b
--- /dev/null
+++ b/contrib/dlz/bin/dlzbdb/Makefile.in
@@ -0,0 +1,56 @@
+# Copyright (C) 1998-2001, 2016  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+DLZINCLUDES =	@DLZ_DRIVER_INCLUDES@
+
+CINCLUDES =	-I${srcdir}/include -I${srcdir}/unix/include \
+                ${ISC_INCLUDES} ${DLZINCLUDES}
+
+CDEFINES =      @CONTRIB_DLZ@
+CWARNINGS =
+
+DLZLIBS = 	@DLZ_DRIVER_LIBS@
+ISCLIBS =	../../../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+
+DEPLIBS =	${ISCDEPLIBS}
+
+LIBS =		${ISCLIBS} ${DLZLIBS} @LIBS@
+
+TARGETS =	dlzbdb
+
+SRCS =		dlzbdb.c
+
+@BIND9_MAKE_RULES@
+
+dlzbdb.@O@: dlzbdb.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
+		-c ${srcdir}/dlzbdb.c
+
+dlzbdb: dlzbdb.@O@ ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ dlzbdb.@O@ ${LIBS}
+
+clean distclean maintainer-clean::
+	rm -f ${TARGETS}
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
+
+install:: dlzbdb installdirs
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} dlzbdb ${DESTDIR}${sbindir}
diff --git a/contrib/dlz/bin/dlzbdb/dlzbdb.c b/contrib/dlz/bin/dlzbdb/dlzbdb.c
new file mode 100644
index 0000000..122d496
--- /dev/null
+++ b/contrib/dlz/bin/dlzbdb/dlzbdb.c
@@ -0,0 +1,1277 @@
+/*
+ * Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) 1999-2001, 2016  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+#ifdef DLZ_BDB
+
+/*
+ * exit codes
+ * 0 everything ok
+ * 1 error parsing command line
+ * 2 Missing, too many or invalid combination of command line parameters
+ * 3 Unable to open BDB database.
+ * 4 Unable to allocate memory for, or create lexer.
+ * 5 unable to perform BDB cursor operation
+ */
+#include <db.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/formatcheck.h>
+#include <isc/lex.h>
+#include <isc/mem.h>
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+/* shut up compiler warnings about no previous prototype */
+
+static void
+show_usage(void);
+
+int
+getzone(DB *dbp, const DBT *pkey, const DBT *pdata, DBT *skey);
+
+int
+gethost(DB *dbp, const DBT *pkey, const DBT *pdata, DBT *skey);
+
+void
+bdb_cleanup(void);
+
+isc_result_t
+bdb_opendb(DBTYPE db_type, DB **db_out, const char *db_name, int flags);
+
+void
+put_data(bool dns_data, char *input_key, char *input_data);
+
+void
+insert_data(void);
+
+isc_result_t
+openBDB(void);
+
+isc_result_t
+open_lexer(void);
+
+void
+close_lexer(void);
+
+isc_result_t
+bulk_write(char type, DB *database, DBC *dbcursor, DBT *bdbkey, DBT *bdbdata);
+
+void
+operation_add(void);
+
+void
+operation_bulk(void);
+
+void
+operation_listOrDelete(bool dlt);
+
+/*%
+ * Maximum length of a single data line that
+ * may be inserted into database by this program.
+ * If you need to insert a line of data that is more
+ * than 10,000 characters change this definition.
+ */
+
+#define max_data_len 10000
+
+/*%
+ * BDB database names.  If you want to use different
+ * database names change them here.
+ */
+
+#define dlz_data   "dns_data"
+#define dlz_zone   "dns_zone"
+#define dlz_host   "dns_host"
+#define dlz_client "dns_client"
+
+/*%
+ * Error code returned by BDB secondary index callback functions.
+ * This error is returned if the callback function could not create
+ * the secondary index for any reason.
+ */
+
+#define BDBparseErr 1
+
+/* A struct to hold all the relevant info about the database */
+
+typedef struct bdb_instance {
+	DB_ENV *dbenv; /* BDB environment */
+	DB *data;      /* dns_data database handle */
+	DBC *cursor;   /* database cursor */
+	DBC *cursor2;  /* second cursor used during list operation. */
+	DBC *cursor3;  /* third cursor used during list operation */
+	DBC *cursor4;  /* fourth cursor used during list operation */
+	DB *zone;      /* zone database handle */
+	DB *host;      /* host database handle */
+	DB *client;    /* client database handle */
+} bdb_instance_t;
+
+/* Possible operations */
+
+#define list 1 /* list data */
+#define dele 2 /* delete data */
+#define add  3 /* add a single piece of data */
+#define bulk 4 /* bulk load data */
+
+/*%
+ * quit macro is used instead of exit.  quit always tries to close the lexer
+ * and the BDB database before exiting.
+ */
+
+#define quit(i)        \
+	close_lexer(); \
+	bdb_cleanup(); \
+	exit(i);
+
+/*%
+ * checkOp is used to verify that only one operation (list, del, add,
+ * bulk from file, bulk from stdin) is specified on the command line.
+ * This prevents a user from specifying two operations on the command
+ * line, which would make no sense anyway.
+ */
+
+#define checkOp(x)                                                   \
+	if (x != 0) {                                                \
+		fprintf(stderr, "\nonly one operation "              \
+				"(l e d a f s) may be specified\n"); \
+		quit(2);                                             \
+	}
+
+/*%
+ * checkParam is used to only allow a parameter to be specified once.
+ * I.E. the parameter key can only be used on the command line once.
+ * any attempt to use it twice causes an error.
+ */
+
+#define checkParam(x, y)                       \
+	if (x != NULL) {                       \
+		fprintf(stderr,                \
+			"\n%s may only "       \
+			"be specified once\n", \
+			y);                    \
+		quit(2);                       \
+	}
+
+/*%
+ * checkInvalidParam is used to only allow parameters which make sense for
+ * the operation selected.  I.E. passing the key parameter makes no sense
+ * for the add operation, and thus it isn't allowed.
+ */
+
+#define checkInvalidParam(x, y, z)                   \
+	if (x != NULL) {                             \
+		fprintf(stderr,                      \
+			"\n%s "                      \
+			"may not be specified %s\n", \
+			y, z);                       \
+		quit(2);                             \
+	}
+
+/*%
+ * checkInvalidOption is used to only allow parameters which make sense for
+ * the operation selected - but checks boolean options.
+ * I.E. passing the "b" bare_list parameter makes no sense for the add
+ * operation, and thus it isn't allowed.
+ * if w == x then output error message "flag", "message"
+ */
+
+#define checkInvalidOption(w, x, y, z)               \
+	if (w == x) {                                \
+		fprintf(stderr,                      \
+			"\n%s "                      \
+			"may not be specified %s\n", \
+			y, z);                       \
+		quit(2);                             \
+	}
+
+/* Global Variables */
+
+int operation = 0; /*%< operation to perform. */
+/*% allow new lock files or DB to be created. */
+bool create_allowed = false;
+char *key = NULL; /*%< key to use in list & del operations */
+
+/*% dump DB in DLZBDB bulk format */
+bool list_everything = false;
+unsigned int key_val; /*%< key as unsigned int used in list & del operations */
+char *zone = NULL;    /*%< zone to use in list operations */
+char *host = NULL;    /*%< host to use in list operations */
+char *c_zone = NULL;  /*%< client zone to use in list operations */
+char *c_ip = NULL;    /*%< client IP to use in list operations */
+char *a_data = NULL;  /*%< data in add operation */
+char *bulk_file = NULL;		 /*%< bulk data file to load */
+char *db_envdir = NULL;		 /*%< BDB environment location  */
+char *db_file = NULL;		 /*%< BDB database file location. */
+bdb_instance_t db;		 /* BDB instance we are operating on */
+isc_lex_t *lexer = NULL;	 /*%< lexer for use to use in parsing input */
+isc_mem_t *lex_mctx = NULL;	 /*%< memory context for lexer */
+char lex_data_buf[max_data_len]; /*%< data array to use for lex_buffer below */
+isc_buffer_t lex_buffer;	 /*%< buffer for lexer during add operation */
+
+/*%
+ * Displays usage message
+ */
+
+static void
+show_usage(void) {
+	fprintf(stderr, "\n\n\
+---Usage:---------------------------------------------------------------------\
+\n\n\
+   List data:\n\
+      dlzbdb -l [-k key] [-z zone] [-h host] [-c client_zone] [-i client_ip]\n\
+               BDB_environment BDB_database\n\n\
+   Delete data:\n\
+      dlzbdb -d [-k key] [-c client_zone] [-i client_ip]\n\
+               BDB_environment BDB_database\n\n\
+   Bulk load data from file:\n\
+      dlzbdb -f file_to_load BDB_environment BDB_database\n\n\
+   Bulk load data from stdin\n\
+      dlzbdb -s BDB_environment BDB_database\n\n\
+   Add data:\n\
+      dlzbdb -a \"dns data to be added\" BDB_environment BDB_database\n\n\
+   Export data:\n\
+      dlzbdb -e BDB_environment BDB_database\n\n\
+   Normally operations can only be performed on an existing database files.\n\
+   Use the -n flag with any operation to allow files to be created.\n\
+   Existing files will NOT be truncated by using the -n flag.\n\
+   The -n flag will allow a new database to be created, or allow new\n\
+   environment files to be created for an existing database.\n\n\
+---Format for -f & -a options:------------------------------------------------\
+\n\n\
+db_type zone host dns_type ttl ip\n\
+db_type zone host dns_type ttl mx_priority mail_host\n\
+db_type zone host dns_type ttl nm_svr resp_psn serial refresh retry expire min\
+\n\
+db_type zone client_ip\n\n\
+---Examples:------------------------------------------------------------------\
+\n\n\
+d mynm.com www A 10 127.0.0.1\n\
+d mynm.com @ MX 10 5 mail\n\
+d mynm.com @ SOA 10 ns1.mynm.com. root.mynm.com. 2 28800 7200 604800 86400\n\
+c mynm.com 127.0.0.1\n\
+c mynm.com 192.168.0.10\n\
+");
+	quit(1);
+}
+
+/*% BDB callback to create zone secondary index */
+
+int
+getzone(DB *dbp, const DBT *pkey, const DBT *pdata, DBT *skey) {
+	char *token, *last;
+
+	UNUSED(dbp);
+	UNUSED(pkey);
+
+	if ((token = strtok_r(pdata->data, " ", &last)) == NULL) {
+		return (BDBparseErr);
+	}
+
+	/* copy string for "zone" secondary index */
+	if ((skey->data = strdup(token)) == NULL) {
+		return (BDBparseErr);
+	}
+	/* set required values for BDB */
+	skey->size = strlen(skey->data);
+	skey->flags = DB_DBT_APPMALLOC;
+
+	return (0);
+}
+
+/*%
+ * BDB callback to create host secondary index
+ */
+
+int
+gethost(DB *dbp, const DBT *pkey, const DBT *pdata, DBT *skey) {
+	char *token, *last;
+
+	UNUSED(dbp);
+	UNUSED(pkey);
+
+	/* we don't care about first token. */
+	if ((token = strtok_r(right, " ", &last)) == NULL) {
+		return (BDBparseErr);
+	}
+
+	/* get "host" from data string */
+	if ((token = strtok_r(NULL, " ", &last)) == NULL) {
+		return (BDBparseErr);
+	}
+
+	/* copy string for "host" secondary index */
+	if ((skey->data = strdup(token)) == NULL) {
+		return (BDBparseErr);
+	}
+	/* set required values for BDB */
+	skey->size = strlen(skey->data);
+	skey->flags = DB_DBT_APPMALLOC;
+
+	return (0);
+}
+
+/*%
+ * Performs BDB cleanup. Close each database that we opened.
+ * Close environment.  Set each var to NULL so we know they
+ * were closed and don't accidentally try to close them twice.
+ */
+
+void
+bdb_cleanup(void) {
+	/* close cursors */
+	if (db.cursor4 != NULL) {
+		db.cursor4->c_close(db.cursor4);
+		db.cursor4 = NULL;
+	}
+
+	if (db.cursor3 != NULL) {
+		db.cursor3->c_close(db.cursor3);
+		db.cursor3 = NULL;
+	}
+
+	if (db.cursor2 != NULL) {
+		db.cursor2->c_close(db.cursor2);
+		db.cursor2 = NULL;
+	}
+
+	if (db.cursor != NULL) {
+		db.cursor->c_close(db.cursor);
+		db.cursor = NULL;
+	}
+
+	/* close databases */
+	if (db.data != NULL) {
+		db.data->close(db.data, 0);
+		db.data = NULL;
+	}
+	if (db.host != NULL) {
+		db.host->close(db.host, 0);
+		db.host = NULL;
+	}
+	if (db.zone != NULL) {
+		db.zone->close(db.zone, 0);
+		db.zone = NULL;
+	}
+	if (db.client != NULL) {
+		db.client->close(db.client, 0);
+		db.client = NULL;
+	}
+
+	/* close environment */
+	if (db.dbenv != NULL) {
+		db.dbenv->close(db.dbenv, 0);
+		db.dbenv = NULL;
+	}
+}
+
+/*% Initializes, sets flags and then opens Berkeley databases. */
+
+isc_result_t
+bdb_opendb(DBTYPE db_type, DB **db_out, const char *db_name, int flags) {
+	int result;
+	int createFlag = 0;
+
+	/* Initialize the database. */
+	if ((result = db_create(db_out, db.dbenv, 0)) != 0) {
+		fprintf(stderr,
+			"BDB could not initialize %s database. BDB error: %s",
+			db_name, db_strerror(result));
+		return (ISC_R_FAILURE);
+	}
+
+	/* set database flags. */
+	if ((result = (*db_out)->set_flags(*db_out, flags)) != 0) {
+		fprintf(stderr,
+			"BDB could not set flags for %s database. BDB error: "
+			"%s",
+			db_name, db_strerror(result));
+		return (ISC_R_FAILURE);
+	}
+
+	if (create_allowed) {
+		createFlag = DB_CREATE;
+	}
+	/* open the database. */
+	if ((result = (*db_out)->open(*db_out, NULL, db_file, db_name, db_type,
+				      createFlag, 0)) != 0)
+	{
+		fprintf(stderr,
+			"BDB could not open %s database in %s. BDB error: %s",
+			db_name, db_file, db_strerror(result));
+		return (ISC_R_FAILURE);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * parses input and adds it to the BDB database
+ * Lexer should be instantiated, and either a file or buffer opened for it.
+ * The insert_data function is used by both the add, and bulk insert
+ * operations
+ */
+
+void
+put_data(bool dns_data, char *input_key, char *input_data) {
+	int bdbres;
+	DBT key, data;
+
+	/* make sure key & data are completely empty */
+	memset(&key, 0, sizeof(key));
+	memset(&data, 0, sizeof(data));
+
+	/* if client data, setup key for insertion */
+	if (!dns_data && input_key != NULL) {
+		key.data = input_key;
+		key.size = strlen(input_key);
+		key.flags = 0;
+	}
+	/* always setup data for insertion */
+	data.data = input_data;
+	data.size = strlen(input_data);
+	data.flags = 0;
+
+	/* execute insert against appropriate database. */
+	if (dns_data) {
+		bdbres = db.data->put(db.data, NULL, &key, &data, DB_APPEND);
+	} else {
+		bdbres = db.client->put(db.client, NULL, &key, &data, 0);
+	}
+
+	/* if something went wrong, log error and quit */
+	if (bdbres != 0) {
+		fprintf(stderr, "BDB could not insert data.  Error: %s",
+			db_strerror(bdbres));
+		quit(5);
+	}
+}
+
+void
+insert_data(void) {
+	unsigned int opt = ISC_LEXOPT_EOL |	/* Want end-of-line token. */
+			   ISC_LEXOPT_EOF |	/* Want end-of-file token. */
+			   ISC_LEXOPT_QSTRING | /* Recognize qstrings. */
+			   ISC_LEXOPT_QSTRINGMULTILINE; /* Allow multiline ""
+							 * strings */
+
+	isc_result_t result;
+	isc_token_t token; /* token from lexer */
+	bool loop = true;
+	bool have_czone = false;
+	char data_arr[max_data_len];
+	isc_buffer_t buf;
+	char data_arr2[max_data_len];
+	isc_buffer_t buf2;
+	char data_type = 'u'; /* u =unknown, b =bad token, d/D =DNS, c/C =client
+			       * IP */
+
+	/* Initialize buffers */
+	isc_buffer_init(&buf, &data_arr, max_data_len);
+	isc_buffer_init(&buf2, &data_arr2, max_data_len);
+
+	while (loop) {
+		result = isc_lex_gettoken(lexer, opt, &token);
+		if (result != ISC_R_SUCCESS) {
+			goto data_cleanup;
+		}
+
+		switch (token.type) {
+		case isc_tokentype_string:
+			if (data_type == 'u') {
+				/* store data_type */
+				strncpy(&data_type, token.value.as_pointer, 1);
+				/* verify data_type was specified correctly on
+				 * input */
+				if (strlen(token.value.as_pointer) > 1 ||
+				    (data_type != 'd' && data_type != 'D' &&
+				     data_type != 'c' && data_type != 'C'))
+				{
+					/* if not, set to 'b' so this line is
+					 * ignored. */
+					data_type = 'b';
+				}
+			} else if (data_type == 'c' || data_type == 'C') {
+				if (have_czone) {
+					isc_buffer_putstr(
+						&buf2, token.value.as_pointer);
+					/* add string terminator to buffer */
+					isc_buffer_putmem(&buf2, "\0", 1);
+				} else {
+					isc_buffer_putstr(
+						&buf, token.value.as_pointer);
+					/* add string terminator to buffer */
+					isc_buffer_putmem(&buf, "\0", 1);
+					have_czone = true;
+				}
+			} else {
+				isc_buffer_putstr(&buf, token.value.as_pointer);
+				isc_buffer_putstr(&buf, " ");
+			}
+			break;
+		case isc_tokentype_qstring:
+			isc_buffer_putstr(&buf, "\"");
+			isc_buffer_putstr(&buf, token.value.as_pointer);
+			isc_buffer_putstr(&buf, "\" ");
+			break;
+		case isc_tokentype_eol:
+		case isc_tokentype_eof:
+
+			if ((data_type != 'u' &&
+			     isc_buffer_usedlength(&buf) > 0) ||
+			    data_type == 'b')
+			{
+				/* perform insert operation */
+				if (data_type == 'd' || data_type == 'D') {
+					/* add string terminator to buffer */
+					isc_buffer_putmem(&buf, "\0", 1);
+					put_data(true, NULL, (char *)&data_arr);
+				} else if (data_type == 'c' || data_type == 'C')
+				{
+					put_data(false, (char *)&data_arr,
+						 (char *)&data_arr2);
+				} else if (data_type == 'b') {
+					fprintf(stderr,
+						"Bad / unknown token "
+						"encountered on line %lu."
+						"  Skipping line.",
+						isc_lex_getsourceline(lexer) -
+							1);
+				} else {
+					fprintf(stderr,
+						"Bad / unknown db data type "
+						"encountered on "
+						"line %lu.  Skipping line\n",
+						isc_lex_getsourceline(lexer) -
+							1);
+				}
+			}
+
+			if (token.type == isc_tokentype_eof) {
+				loop = false;
+			}
+
+			/* reset buffer for next insert */
+			isc_buffer_clear(&buf);
+			isc_buffer_clear(&buf2);
+			have_czone = false;
+			data_type = 'u';
+			break;
+		default:
+			data_type = 'b';
+			break;
+		}
+	}
+
+	return;
+
+data_cleanup:
+	/* let user know we had problems */
+	fprintf(stderr,
+		"Unknown error processing tokens during \"add\" or "
+		"\"bulk\" operation.\nStoped processing on line %lu.",
+		isc_lex_getsourceline(lexer));
+}
+
+isc_result_t
+openBDB(void) {
+	int bdbres;
+	isc_result_t result;
+
+	/* create BDB environment  */
+	/* Basically BDB allocates and assigns memory to db->dbenv */
+	bdbres = db_env_create(&db.dbenv, 0);
+	if (bdbres != 0) {
+		fprintf(stderr,
+			"BDB environment could not be created. BDB error: %s",
+			db_strerror(bdbres));
+		result = ISC_R_FAILURE;
+		goto openBDB_cleanup;
+	}
+
+	/* open BDB environment */
+	if (create_allowed) {
+		/* allowed to create new files */
+		bdbres = db.dbenv->open(db.dbenv, db_envdir,
+					DB_INIT_CDB | DB_INIT_MPOOL | DB_CREATE,
+					0);
+	} else { /* not allowed to create new files. */
+		bdbres = db.dbenv->open(db.dbenv, db_envdir,
+					DB_INIT_CDB | DB_INIT_MPOOL, 0);
+	}
+	if (bdbres != 0) {
+		fprintf(stderr,
+			"BDB environment at '%s' could not be opened. BDB "
+			"error: %s",
+			db_envdir, db_strerror(bdbres));
+		result = ISC_R_FAILURE;
+		goto openBDB_cleanup;
+	}
+
+	/* open dlz_data database. */
+
+	result = bdb_opendb(DB_RECNO, &db.data, dlz_data, 0);
+	if (result != ISC_R_SUCCESS) {
+		goto openBDB_cleanup;
+	}
+
+	/* open dlz_host database */
+	result = bdb_opendb(DB_BTREE, &db.host, dlz_host, DB_DUP | DB_DUPSORT);
+	if (result != ISC_R_SUCCESS) {
+		goto openBDB_cleanup;
+	}
+
+	/* open dlz_zone database. */
+	result = bdb_opendb(DB_BTREE, &db.zone, dlz_zone, DB_DUP | DB_DUPSORT);
+	if (result != ISC_R_SUCCESS) {
+		goto openBDB_cleanup;
+	}
+
+	/* open dlz_client database. */
+	result = bdb_opendb(DB_BTREE, &db.client, dlz_client,
+			    DB_DUP | DB_DUPSORT);
+	if (result != ISC_R_SUCCESS) {
+		goto openBDB_cleanup;
+	}
+
+	/* associate the host secondary database with the primary database */
+	bdbres = db.data->associate(db.data, NULL, db.host, gethost, 0);
+	if (bdbres != 0) {
+		fprintf(stderr,
+			"BDB could not associate %s database with %s. BDB "
+			"error: %s",
+			dlz_host, dlz_data, db_strerror(bdbres));
+		result = ISC_R_FAILURE;
+		goto openBDB_cleanup;
+	}
+
+	/* associate the zone secondary database with the primary database */
+	bdbres = db.data->associate(db.data, NULL, db.zone, getzone, 0);
+	if (bdbres != 0) {
+		fprintf(stderr,
+			"BDB could not associate %s database with %s. BDB "
+			"error: %s",
+			dlz_zone, dlz_data, db_strerror(bdbres));
+		result = ISC_R_FAILURE;
+		goto openBDB_cleanup;
+	}
+
+	return (result);
+
+openBDB_cleanup:
+
+	bdb_cleanup();
+	return (result);
+}
+
+/*% Create & open lexer to parse input data */
+
+isc_result_t
+open_lexer(void) {
+	isc_result_t result;
+
+	/* check if we already opened the lexer, if we did, return success */
+	if (lexer != NULL) {
+		return (ISC_R_SUCCESS);
+	}
+
+	/* allocate memory for lexer, and verify it was allocated */
+	isc_mem_create(&lex_mctx);
+
+	/* create lexer */
+	result = isc_lex_create(lex_mctx, 1500, &lexer);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "unexpected error creating lexer\n");
+	}
+
+	/* set allowed commenting style */
+	isc_lex_setcomments(lexer,
+			    ISC_LEXCOMMENT_C | /* Allow C comments */
+				    ISC_LEXCOMMENT_CPLUSPLUS | /* Allow
+								* C++
+								* comments
+								*/
+				    ISC_LEXCOMMENT_SHELL);     /* Allow
+								* shellcomments
+								*/
+
+	isc_buffer_init(&lex_buffer, &lex_data_buf, max_data_len);
+
+	return (result);
+}
+
+/*% Close the lexer, and cleanup memory */
+
+void
+close_lexer(void) {
+	/* If lexer is still open, close it & destroy it. */
+	if (lexer != NULL) {
+		isc_lex_close(lexer);
+		isc_lex_destroy(&lexer);
+	}
+
+	/* if lexer memory is still allocated, destroy it. */
+	if (lex_mctx != NULL) {
+		isc_mem_destroy(&lex_mctx);
+	}
+}
+
+/*% Perform add operation */
+
+void
+operation_add(void) {
+	/* check for any parameters that are not allowed during add */
+	checkInvalidParam(key, "k", "for add operation");
+	checkInvalidParam(zone, "z", "for add operation");
+	checkInvalidParam(host, "h", "for add operation");
+	checkInvalidParam(c_zone, "c", "for add operation");
+	checkInvalidParam(c_ip, "i", "for add operation");
+	checkInvalidOption(list_everything, true, "e", "for add operation");
+
+	/* if open lexer fails it already prints error messages. */
+	if (open_lexer() != ISC_R_SUCCESS) {
+		quit(4);
+	}
+
+	/* copy input data to buffer */
+	isc_buffer_putstr(&lex_buffer, a_data);
+
+	/* tell lexer to use buffer as input  */
+	if (isc_lex_openbuffer(lexer, &lex_buffer) != ISC_R_SUCCESS) {
+		fprintf(stderr, "unexpected error opening lexer buffer");
+		quit(4);
+	}
+
+	/*common logic for "add" & "bulk" operations are handled by insert_data
+	 */
+	insert_data();
+}
+
+/*% Perform bulk insert operation */
+
+void
+operation_bulk(void) {
+	/* check for any parameters that are not allowed during bulk */
+	checkInvalidParam(key, "k", "for bulk load operation");
+	checkInvalidParam(zone, "z", "for bulk load operation");
+	checkInvalidParam(host, "h", "for bulk load operation");
+	checkInvalidParam(c_zone, "c", "for bulk load operation");
+	checkInvalidParam(c_ip, "i", "for bulk load operation");
+	checkInvalidOption(list_everything, true, "e",
+			   "for bulk load operation");
+
+	/* if open lexer fails it already prints error messages. */
+	if (open_lexer() != ISC_R_SUCCESS) {
+		quit(4);
+	}
+
+	if (bulk_file == NULL) {
+		if (isc_lex_openstream(lexer, stdin) != ISC_R_SUCCESS) {
+			fprintf(stderr, "unexpected error opening stdin by "
+					"lexer.");
+			quit(4);
+		}
+	} else if (isc_lex_openfile(lexer, bulk_file) != ISC_R_SUCCESS) {
+		fprintf(stderr, "unexpected error opening %s by lexer.",
+			bulk_file);
+		quit(4);
+	}
+
+	/* common logic for "add" & "bulk" operations are handled by insert_data
+	 */
+	insert_data();
+}
+
+isc_result_t
+bulk_write(char type, DB *database, DBC *dbcursor, DBT *bdbkey, DBT *bdbdata) {
+	int bdbres;
+	db_recno_t recNum;
+	char *retkey = NULL, *retdata;
+	size_t retklen = 0, retdlen;
+	void *p;
+
+	/* use a 5MB buffer for the bulk dump */
+	int buffer_size = 5 * 1024 * 1024;
+
+	/* try to allocate a 5 MB buffer, if we fail write err msg, die. */
+	bdbdata->data = malloc(buffer_size);
+	if (bdbdata->data == NULL) {
+		fprintf(stderr, "Unable to allocate 5 MB buffer for bulk "
+				"database dump\n");
+		return (ISC_R_FAILURE);
+	}
+	bdbdata->ulen = buffer_size;
+	bdbdata->flags = DB_DBT_USERMEM;
+
+	/* get a cursor, make sure it worked. */
+	bdbres = database->cursor(database, NULL, &dbcursor, 0);
+	if (bdbres != 0) {
+		fprintf(stderr, "Unexpected error. BDB Error: %s\n",
+			db_strerror(bdbres));
+		free(bdbdata->data);
+		return (ISC_R_FAILURE);
+	}
+
+	/* loop and dump all data */
+	for (;;) {
+		/* loop through data until DB_NOTFOUND is returned */
+		bdbres = dbcursor->c_get(dbcursor, bdbkey, bdbdata,
+					 DB_MULTIPLE_KEY | DB_NEXT);
+		/* if not successful did we encounter DB_NOTFOUND, or */
+		/* have  a different problem. */
+		if (bdbres != 0) {
+			if (bdbres != DB_NOTFOUND) {
+				fprintf(stderr,
+					"Unexpected error. BDB Error: %s\n",
+					db_strerror(bdbres));
+				free(bdbdata->data);
+				return (ISC_R_FAILURE);
+			}
+			/* Hit DB_NOTFOUND which means end of data. */
+			break;
+		} /* end of if (bdbres !=0) */
+
+		for (DB_MULTIPLE_INIT(p, bdbdata);;) {
+			if (type == 'c') {
+				DB_MULTIPLE_KEY_NEXT(p, bdbdata, retkey,
+						     retklen, retdata, retdlen);
+			} else {
+				DB_MULTIPLE_RECNO_NEXT(p, bdbdata, recNum,
+						       retdata, retdlen);
+			}
+
+			if (p == NULL) {
+				break;
+			}
+			if (type == 'c') {
+				printf("c %.*s %.*s\n", (int)retklen, retkey,
+				       (int)retdlen, retdata);
+			} else {
+				printf("d %.*s\n", (int)retdlen, retdata);
+			}
+		} /* end of for (DB_MULTIPLE_INIT....) */
+	}	  /* end of for (;;) */
+
+	/* free the buffer we created earlier */
+	free(bdbdata->data);
+
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Perform listOrDelete operation
+ * if dlt == true, delete data
+ * else list data
+ */
+
+void
+operation_listOrDelete(bool dlt) {
+	int bdbres = 0;
+	DBC *curList[3];
+	DBT bdbkey, bdbdata;
+	db_recno_t recno;
+	int curIndex = 0;
+
+	/* verify that only allowed parameters were passed. */
+	if (dlt) {
+		checkInvalidParam(zone, "z", "for delete operation");
+		checkInvalidParam(host, "h", "for delete operation");
+		checkInvalidOption(list_everything, true, "e",
+				   "for delete operation");
+		checkInvalidOption(create_allowed, true, "n",
+				   "for delete operation");
+	} else if (key != NULL || zone != NULL || host != NULL) {
+		checkInvalidParam(c_zone, "c",
+				  "for list when k, z or h are specified");
+		checkInvalidParam(c_ip, "i",
+				  "for list when k, z, or h are specified");
+		checkInvalidOption(list_everything, true, "e",
+				   "for list when k, z, or h are specified");
+		checkInvalidOption(create_allowed, true, "n",
+				   "for list operation");
+	} else if (c_ip != NULL || c_zone != NULL) {
+		checkInvalidOption(list_everything, true, "e",
+				   "for list when c or i are specified");
+		checkInvalidOption(create_allowed, true, "n",
+				   "for list operation");
+	}
+
+	memset(&bdbkey, 0, sizeof(bdbkey));
+	memset(&bdbdata, 0, sizeof(bdbdata));
+
+	/* Dump database in "dlzbdb" bulk format */
+	if (list_everything) {
+		if (bulk_write('c', db.client, db.cursor, &bdbkey, &bdbdata) !=
+		    ISC_R_SUCCESS)
+		{
+			return;
+		}
+		memset(&bdbkey, 0, sizeof(bdbkey));
+		memset(&bdbdata, 0, sizeof(bdbdata));
+		bulk_write('d', db.data, db.cursor2, &bdbkey, &bdbdata);
+		return;
+	} /* end if (list_everything) */
+
+	/* set NULL the 2nd and 3rd positions in curList. */
+	/* that way later when add cursors to the join list */
+	/* it is already null terminated. */
+	curList[1] = curList[2] = NULL;
+
+	if (key != NULL) {
+		/* make sure other parameters weren't */
+		checkInvalidParam(zone, "z", "when k is specified");
+		checkInvalidParam(host, "h", "when k is specified");
+
+		recno = key_val;
+		bdbkey.data = &recno;
+		bdbkey.size = sizeof(recno);
+
+		if (dlt) {
+			bdbres = db.data->del(db.data, NULL, &bdbkey, 0);
+		} else {
+			bdbdata.flags = DB_DBT_REALLOC;
+			bdbres = db.data->get(db.data, NULL, &bdbkey, &bdbdata,
+					      0);
+
+			if (bdbres == 0) {
+				printf("KEY | DATA\n");
+				printf("%lu | %.*s\n", *(u_long *)bdbkey.data,
+				       (int)bdbdata.size, (char *)bdbdata.data);
+			}
+		} /* closes else of if (dlt == true) */
+		if (bdbres == DB_NOTFOUND) {
+			printf("Key not found in database");
+		}
+	} /* closes if (key != NULL) */
+
+	/* if zone is passed */
+	if (zone != NULL) {
+		/* create a cursor and make sure it worked */
+		bdbres = db.zone->cursor(db.zone, NULL, &db.cursor2, 0);
+		if (bdbres != 0) {
+			fprintf(stderr, "Unexpected error. BDB Error: %s\n",
+				db_strerror(bdbres));
+			return;
+		}
+
+		bdbkey.data = zone;
+		bdbkey.size = strlen(zone);
+		bdbres = db.cursor2->c_get(db.cursor2, &bdbkey, &bdbdata,
+					   DB_SET);
+		if (bdbres != 0) {
+			if (bdbres != DB_NOTFOUND) {
+				fprintf(stderr,
+					"Unexpected error. BDB Error: %s\n",
+					db_strerror(bdbres));
+			} else {
+				printf("Zone not found in database");
+			}
+			return;
+		}
+
+		/* add cursor to cursor list for later use in join */
+		curList[curIndex++] = db.cursor2;
+	}
+
+	/* if host is passed */
+	if (host != NULL) {
+		/* create a cursor and make sure it worked. */
+		bdbres = db.host->cursor(db.host, NULL, &db.cursor3, 0);
+		if (bdbres != 0) {
+			fprintf(stderr, "Unexpected error. BDB Error: %s\n",
+				db_strerror(bdbres));
+			return;
+		}
+		bdbkey.data = host;
+		bdbkey.size = strlen(host);
+		bdbres = db.cursor3->c_get(db.cursor3, &bdbkey, &bdbdata,
+					   DB_SET);
+		if (bdbres != 0) {
+			if (bdbres != DB_NOTFOUND) {
+				fprintf(stderr,
+					"Unexpected error. BDB Error: %s\n",
+					db_strerror(bdbres));
+			} else {
+				printf("Host not found in database");
+			}
+			return;
+		}
+
+		/* add cursor to cursor list for later use in join */
+		curList[curIndex++] = db.cursor3;
+	}
+
+	if (zone != NULL || host != NULL) {
+		/* join any cursors */
+		bdbres = db.data->join(db.data, curList, &db.cursor4, 0);
+		if (bdbres != 0) {
+			fprintf(stderr, "Unexpected error. BDB Error: %s\n",
+				db_strerror(bdbres));
+			return;
+		}
+
+		memset(&bdbkey, 0, sizeof(bdbkey));
+		bdbkey.flags = DB_DBT_REALLOC;
+		memset(&bdbdata, 0, sizeof(bdbdata));
+		bdbdata.flags = DB_DBT_REALLOC;
+
+		/* print a header to explain the output */
+		printf("KEY | DATA\n");
+		/* loop and list all results. */
+		while (bdbres == 0) {
+			/* get data */
+			bdbres = db.cursor4->c_get(db.cursor4, &bdbkey,
+						   &bdbdata, 0);
+			/* verify call had no errors */
+			if (bdbres != 0) {
+				break;
+			}
+			printf("%lu | %.*s\n", *(u_long *)bdbkey.data,
+			       (int)bdbdata.size, (char *)bdbdata.data);
+		} /* closes while loop */
+	}
+
+	if (c_ip != NULL && c_zone == NULL) {
+		fprintf(stderr, "i may only be specified when c is also "
+				"specified\n");
+		quit(2);
+	}
+	/* if client_zone was passed */
+	if (c_zone != NULL) {
+		/* create a cursor and make sure it worked. */
+		if (dlt) {
+			/* open read-write cursor */
+			bdbres = db.client->cursor(db.client, NULL, &db.cursor,
+						   DB_WRITECURSOR);
+		} else {
+			/* open read only cursor */
+			bdbres = db.client->cursor(db.client, NULL, &db.cursor,
+						   0);
+			/* print a header to explain the output */
+			printf("CLIENT_ZONE | CLIENT_IP\n");
+		}
+
+		bdbkey.data = c_zone;
+		bdbkey.size = strlen(c_zone);
+
+		if (c_ip != NULL) {
+			bdbdata.data = c_ip;
+			bdbdata.size = strlen(c_ip);
+			bdbres = db.cursor->c_get(db.cursor, &bdbkey, &bdbdata,
+						  DB_GET_BOTH);
+			if (bdbres == DB_NOTFOUND) {
+				printf("Client zone & IP not found in "
+				       "database");
+			}
+		} else {
+			bdbdata.flags = DB_DBT_REALLOC;
+			bdbres = db.cursor->c_get(db.cursor, &bdbkey, &bdbdata,
+						  DB_SET);
+			if (bdbres == DB_NOTFOUND) {
+				printf("Client zone not found in database");
+			}
+		}
+
+		while (bdbres == 0) {
+			if (!dlt) {
+				printf("%.*s | %.*s\n", (int)bdbkey.size,
+				       (char *)bdbkey.data, (int)bdbdata.size,
+				       (char *)bdbdata.data);
+			} else {
+				/* delete record. */
+				bdbres = db.cursor->c_del(db.cursor, 0);
+				if (bdbres != 0) {
+					fprintf(stderr,
+						"Unexpected error. BDB Error: "
+						"%s\n",
+						db_strerror(bdbres));
+					break;
+				}
+			}
+			if (c_ip != NULL) {
+				break;
+			}
+			bdbres = db.cursor->c_get(db.cursor, &bdbkey, &bdbdata,
+						  DB_NEXT_DUP);
+			if (bdbres != 0) {
+				break;
+			}
+		} /* end while loop */
+	}
+
+	if (bdbres != 0 && bdbres != DB_NOTFOUND) {
+		fprintf(stderr,
+			"Unexpected error during list operation "
+			"BDB error: %s",
+			db_strerror(bdbres));
+	}
+
+	if (bdbkey.flags == DB_DBT_REALLOC && bdbkey.data != NULL) {
+		free(bdbkey.data);
+	}
+	if (bdbdata.flags == DB_DBT_REALLOC && bdbdata.data != NULL) {
+		free(bdbdata.data);
+	}
+}
+
+int
+main(int argc, char **argv) {
+	int ch;
+	char *endp;
+
+	/* there has to be at least 2 args, some operations require more */
+	if (argc < 2) {
+		show_usage();
+	}
+
+	/* use the ISC commandline parser to get all the program arguments */
+	while ((ch = isc_commandline_parse(argc, argv,
+					   "ldesna:f:k:z:h:c:i:")) != -1)
+	{
+		switch (ch) {
+		case 'n':
+			create_allowed = true;
+			break;
+		case 'l':
+			checkOp(operation);
+			operation = list;
+			break;
+		case 'd':
+			checkOp(operation);
+			operation = dele;
+			break;
+		case 'a':
+			checkOp(operation);
+			operation = add;
+			a_data = isc_commandline_argument;
+			break;
+		case 'f':
+			checkOp(operation);
+			operation = bulk;
+			bulk_file = isc_commandline_argument;
+			break;
+		case 's':
+			checkOp(operation);
+			operation = bulk;
+			break;
+		case 'k':
+			checkParam(key, "k");
+			key = isc_commandline_argument;
+			key_val = strtoul(key, &endp, 10);
+			if (*endp != '\0' || key_val < 1) {
+				fprintf(stderr, "Error converting key to "
+						"integer");
+			}
+			break;
+		case 'z':
+			checkParam(zone, "z");
+			zone = isc_commandline_argument;
+			break;
+		case 'h':
+			checkParam(host, "h");
+			host = isc_commandline_argument;
+			break;
+		case 'c':
+			checkParam(c_zone, "c");
+			c_zone = isc_commandline_argument;
+			break;
+		case 'i':
+			checkParam(c_ip, "i");
+			c_ip = isc_commandline_argument;
+			break;
+		case 'e':
+			checkOp(operation);
+			operation = list;
+			list_everything = true;
+			break;
+		case '?':
+			show_usage();
+			break;
+		default:
+			/* should never reach this point */
+			fprintf(stderr, "unexpected error parsing command "
+					"arguments\n");
+			quit(1);
+			break;
+		}
+	}
+
+	argc -= isc_commandline_index;
+	argv += isc_commandline_index;
+
+	/* argc & argv have been modified, so now only "extra" parameters are */
+	/* left in argc & argv.  "Extra" parameters are any parameters that were
+	 */
+	/* not passed using a command line flag.  Exactly 2 args should be left.
+	 */
+	/* The first should be the BDB environment path, the second should be
+	 * the */
+	/* BDB database.  The BDB database path can be either relative to the */
+	/* BDB environment path, or absolute. */
+	if (argc < 2) {
+		fprintf(stderr, "Both a Berkeley DB environment and file "
+				"must be specified");
+		quit(2);
+	} else if (argc > 2) {
+		fprintf(stderr, "Too many parameters. Check command line for "
+				"errors.");
+		quit(2);
+	}
+
+	/* get db_file to operate on */
+	db_envdir = argv[0];
+	db_file = argv[1];
+
+	if (openBDB() != ISC_R_SUCCESS) {
+		/* openBDB already prints error messages, don't do it here. */
+		bdb_cleanup();
+		quit(3);
+	}
+
+	switch (operation) {
+	case list:
+		operation_listOrDelete(false);
+		break;
+	case dele:
+		operation_listOrDelete(true);
+		break;
+	case add:
+		operation_add();
+		break;
+	case bulk:
+		operation_bulk();
+		break;
+	default:
+		fprintf(stderr, "\nNo operation was selected. "
+				"Select an operation (l d a f)");
+		quit(2);
+		break;
+	}
+
+	quit(0);
+}
+#endif /* ifdef DLZ_BDB */
diff --git a/contrib/dlz/config.dlz.in b/contrib/dlz/config.dlz.in
new file mode 100644
index 0000000..696fd96
--- /dev/null
+++ b/contrib/dlz/config.dlz.in
@@ -0,0 +1,510 @@
+# Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+#
+# Shorthand.  Note quoting: DLZ_DRIVER_DIR expanded in Makefile, not here.
+#
+dlzdir='${DLZ_DRIVER_DIR}'
+
+#
+# Private autoconf macro to simplify configuring drivers:
+#
+#   DLZ_ADD_DRIVER(DEFINE, DRIVER, INCLUDES, LIBS)
+#
+# where:
+#   DEFINE is FOO (to define -DDLZ_FOO)
+#   DRIVER is dlz_foo_driver (sources without the .c)
+#   INCLUDES is any necessary include definitions
+#   LIBS is any necessary library definitions
+#
+AC_DEFUN([DLZ_ADD_DRIVER], [
+	CONTRIB_DLZ="$CONTRIB_DLZ -DDLZ_$1"
+	for i in $2
+	do
+		DLZ_DRIVER_SRCS="$DLZ_DRIVER_SRCS $dlzdir/$i.c"
+		DLZ_DRIVER_OBJS="$DLZ_DRIVER_OBJS $i.$O"
+	done
+	if test -n "$3"
+	then
+		DLZ_DRIVER_INCLUDES="$DLZ_DRIVER_INCLUDES $3"
+		DLZ_DRIVER_$1_INCLUDES="$3"
+	fi
+	if test -n "$4"
+	then
+		DLZ_DRIVER_LIBS="$DLZ_DRIVER_LIBS $4"
+		DLZ_DRIVER_$1_LIBS="$4"
+	fi
+])
+
+#
+# Check for the various DLZ drivers
+#
+
+#
+# Was --with-dlz-postgres specified?
+#
+
+AC_MSG_CHECKING(for Postgres DLZ driver)
+AC_ARG_WITH(dlz_postgres,
+	    AS_HELP_STRING([--with-dlz-postgres[=PATH]],
+			   [Build with Postgres DLZ driver [yes|no|path].
+			       (Required to use Postgres with DLZ)]),
+    use_dlz_postgres="$withval", use_dlz_postgres="no")
+
+if test "$use_dlz_postgres" != "no"
+then
+	if test "$use_dlz_postgres" != "yes"
+        then
+                AC_PATH_PROGS(PG_CONFIG, pg_config, [not found], $use_dlz_postgres/bin)
+	else
+                AC_PATH_PROGS(PG_CONFIG, pg_config, [not found])
+	fi
+
+	if test "$PG_CONFIG" != "not found"
+	then
+		use_dlz_postgres=`$PG_CONFIG --includedir`
+		use_dlz_postgres_lib=`$PG_CONFIG --libdir`
+	else
+		pgprefix="$use_dlz_postgres"
+		use_dlz_postgres="$pgprefix/include"
+		use_dlz_postgres_lib="$pgprefix/lib"
+	fi
+fi
+
+if test "$use_dlz_postgres" = "yes/include"
+then
+	# User did not specify path and Postgres didn't say - guess it
+	pgdirs="/usr /usr/local /usr/local/pgsql /usr/pkg"
+	for d in $pgdirs
+	do
+		if test -f $d/include/libpq-fe.h
+		then
+			use_dlz_postgres=$d/include
+			use_dlz_postgres_lib=$d/lib
+			break
+		fi
+	done
+fi
+
+if test "$use_dlz_postgres" = "yes/include"
+then
+	# Still no joy, give up
+
+	AC_MSG_RESULT(not found)
+	AC_MSG_ERROR(
+[No pg_config and PostgreSQL was not found in any of $pgdirs; use --with-dlz-postgres=/path or put pg_config in your path])
+fi
+
+case "$use_dlz_postgres" in
+	no)
+		AC_MSG_RESULT(no)
+		;;
+	*)
+		DLZ_ADD_DRIVER(POSTGRES, dlz_postgres_driver,
+				[-I$use_dlz_postgres],
+				[-L$use_dlz_postgres_lib -lpq])
+
+		AC_MSG_RESULT(
+[using PostgreSQL from $use_dlz_postgres_lib and $use_dlz_postgres])
+		;;
+esac
+
+
+#
+# Was --with-dlz-mysql specified?
+#
+
+AC_MSG_CHECKING(for MySQL DLZ driver)
+AC_ARG_WITH(dlz_mysql,
+	    AS_HELP_STRING([--with-dlz-mysql[=PATH]],
+		           [Build with MySQL DLZ driver [yes|no|path].
+			       (Required to use MySQL with DLZ)]),
+    use_dlz_mysql="$withval", use_dlz_mysql="no")
+
+mysql_include=""
+mysql_lib=""
+if test "$use_dlz_mysql" = "yes"
+then
+	AC_CHECK_PROGS(MYSQL_CONFIG, mysql_config)
+	if test -n "$MYSQL_CONFIG"
+	then
+		mysql_include=`${MYSQL_CONFIG} --include`
+		mysql_lib=`${MYSQL_CONFIG} --libs`
+		use_dlz_mysql="config"
+
+	else
+		# User did not specify a path - guess it
+		mysqldirs="/usr /usr/local /usr/local/mysql /usr/pkg"
+		for d in $mysqldirs
+		do
+			if test -f $d/include/mysql/mysql.h
+			then
+				use_dlz_mysql=$d
+				mysql_include=$d/include/mysql
+				break
+			elif test -f $d/include/mysql.h
+			then
+				use_dlz_mysql=$d
+				mysql_include=$d/include
+				break
+			fi
+		done
+	fi
+elif test "$use_dlz_mysql" != "no"
+then
+	d=$use_dlz_mysql
+	if test -f $d/include/mysql/mysql.h
+	then
+		mysql_include=$d/include/mysql
+	elif test -f $d/include/mysql.h
+	then
+		mysql_include=$d/include
+	fi
+fi
+
+if test "$use_dlz_mysql" = "yes"
+then
+	AC_MSG_RESULT(not found)
+	AC_MSG_ERROR(
+[MySQL was not found in any of $mysqldirs; use --with-dlz-mysql=/path])
+fi
+
+case "$use_dlz_mysql" in
+	no)
+		AC_MSG_RESULT(no)
+		;;
+	config)
+		DLZ_ADD_DRIVER(MYSQL, dlz_mysql_driver,
+				[${mysql_include}],
+				[${mysql_lib}])
+
+		AC_MSG_RESULT(
+[using mysql with libs ${mysql_lib} and includes ${mysql_include}])
+		;;
+	*)
+		if test -d "$use_dlz_mysql/lib/mysql"
+		then
+			mysql_lib="$use_dlz_mysql/lib/mysql"
+		else
+			mysql_lib="$use_dlz_mysql/lib"
+		fi
+		DLZ_ADD_DRIVER(MYSQL, dlz_mysql_driver,
+				[-I${mysql_include}],
+				[-L${mysql_lib} -lmysqlclient -lz -lcrypt -lm])
+
+		AC_MSG_RESULT(
+[using mysql from ${mysql_lib} and ${mysql_include}])
+		;;
+esac
+
+
+#
+# Was --with-dlz-bdb specified?
+#
+
+AC_MSG_CHECKING(for Berkeley DB DLZ driver...)
+AC_ARG_WITH(dlz_bdb,
+	    AS_HELP_STRING([--with-dlz-bdb[=PATH]],
+			   [Build with Berkeley DB DLZ driver [yes|no|path].
+			       (Required to use Berkeley DB with DLZ)]),
+    use_dlz_bdb="$withval", use_dlz_bdb="no")
+
+case "$use_dlz_bdb" in
+	no)
+		AC_MSG_RESULT(no)
+		;;
+	*)
+		if test "$use_dlz_bdb" = "yes"
+		then
+			# User did not specify a path - guess directories
+			bdbdirs="/usr/local /usr/pkg /usr"
+		elif test -d "$use_dlz_bdb"
+		then
+			# User specified directory and it exists
+			bdbdirs="$use_dlz_bdb"
+		else
+			AC_MSG_RESULT(not found)
+			AC_MSG_ERROR([path $use_dlz_bdb does not exist])
+			bdbdirs=""
+		fi
+
+		# Use path we were given or guessed.  This is insanely
+		# complicated because we have to search for a bunch of
+		# platform-specific variations and have to check
+		# separately for include and library directories.
+
+		# Set both to yes, so we can check them later
+		dlz_bdb_inc="yes"
+		dlz_bdb_libs="yes"
+
+                AC_MSG_RESULT( )
+		for dd in $bdbdirs
+		do
+			# Skip nonexistent directories
+			if test ! -d "$dd"
+			then
+				continue
+			fi
+
+			# Check other locations for includes.
+			# Order is important (sigh).
+
+			bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /db"
+			# include a blank element first
+			for d in "" $bdb_incdirs
+			do
+				if test -f "$dd/include${d}/db.h"
+				then
+					dlz_bdb_inc="-I$dd/include${d}"
+					break
+				fi
+			done
+
+			# Give up on this directory if we couldn't
+			# find the include subdir
+
+			if test "$dlz_bdb_inc" = "yes"
+			then
+				continue
+			fi
+
+			# Look for libname other than libdb.so.
+			# Order is important (sigh).
+
+			bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db"
+			for d in $bdb_libnames
+			do
+				if test "$dd" = "/usr"
+				then
+					AC_CHECK_LIB($d, db_create, dlz_bdb_libs="-l${d}")
+					if test $dlz_bdb_libs != "yes"
+					then
+						break
+					fi
+				elif test -f "$dd/lib/lib${d}.so"
+				then
+					dlz_bdb_libs="-L${dd}/lib -l${d}"
+					break
+				fi
+			done
+
+			# If we found both incdir and lib, we're done
+			if test "$dlz_bdb_libs" != "yes"
+			then
+				break
+			fi
+
+			# Otherwise, we're starting over
+
+			dlz_bdb_inc="yes"
+			dlz_bdb_libs="yes"
+		done
+		
+		# Done searching, now make sure we got everything.
+
+		if test "$dlz_bdb_inc" = "yes"
+		then
+			AC_MSG_ERROR([could not find Berkeley DB include directory])
+		fi
+
+		if test "$dlz_bdb_libs" = "yes"
+		then
+			AC_MSG_RESULT(not found)
+			AC_MSG_ERROR([could not find Berkeley DB library])
+		fi
+
+		DLZ_ADD_DRIVER(BDB, dlz_bdb_driver dlz_bdbhpt_driver,
+			       [$dlz_bdb_inc], [$dlz_bdb_libs])
+
+		AC_MSG_RESULT([using Berkeley DB: $dlz_bdb_inc $dlz_bdb_libs])
+
+		AC_CONFIG_FILES([contrib/dlz/bin/dlzbdb/Makefile])
+		;;
+esac
+
+
+#
+# Was --with-dlz-filesystem specified?
+#
+
+AC_MSG_CHECKING(for file system DLZ driver)
+AC_ARG_WITH(dlz_filesystem,
+	    AS_HELP_STRING([--with-dlz-filesystem[=ARG]],
+			   [Build with filesystem DLZ driver [yes|no].
+			       (Required to use file system driver with DLZ)]),
+    use_dlz_filesystem="$withval", use_dlz_filesystem="no")
+
+case "$use_dlz_filesystem" in
+	no)
+		AC_MSG_RESULT(no)
+		;;
+	*)
+		DLZ_ADD_DRIVER(FILESYSTEM, dlz_filesystem_driver)
+		DLZ_SYSTEM_TEST=filesystem
+		AC_MSG_RESULT(yes)
+		;;
+esac
+
+
+#
+# Was --with-dlz-ldap specified?
+#
+
+AC_MSG_CHECKING(for LDAP DLZ driver)
+AC_ARG_WITH(dlz_ldap,
+	    AS_HELP_STRING([--with-dlz-ldap[=PATH]],
+			   [Build with LDAP DLZ driver [yes|no|path].
+			       (Required to use LDAP with DLZ)]),
+    use_dlz_ldap="$withval", use_dlz_ldap="no")
+
+if test "$use_dlz_ldap" = "yes"
+then
+	# User did not specify a path - guess it
+	ldapdirs="/usr /usr/local /usr/pkg"
+	for d in $ldapdirs
+	do
+		if test -f $d/include/ldap.h
+		then
+			use_dlz_ldap=$d
+			break
+		fi
+	done
+fi
+
+if test "$use_dlz_ldap" = "yes"
+then
+	AC_MSG_RESULT(not found)
+	AC_MSG_ERROR(
+[LDAP headers were not found in any of $ldapdirs; use --with-dlz-ldap=/path])
+fi
+
+case "$use_dlz_ldap" in
+	no)
+		AC_MSG_RESULT(no)
+		;;
+	*)
+		DLZ_ADD_DRIVER(LDAP, dlz_ldap_driver,
+				[-I$use_dlz_ldap/include],
+				[-L$use_dlz_ldap/lib -lldap -llber])
+
+		AC_MSG_RESULT(
+[using LDAP from $use_dlz_ldap/lib and $use_dlz_ldap/include])
+		;;
+esac
+
+
+#
+# Was --with-dlz-odbc specified?
+#
+
+AC_MSG_CHECKING(for ODBC DLZ driver)
+AC_ARG_WITH(dlz_odbc,
+	    AS_HELP_STRING([--with-dlz-odbc[=PATH]],
+			   [Build with ODBC DLZ driver [yes|no|path].
+			       (Required to use ODBC with DLZ)]),
+    use_dlz_odbc="$withval", use_dlz_odbc="no")
+
+if test "$use_dlz_odbc" = "yes"
+then
+	# User did not specify a path - guess it
+	libodbc_found=no
+	sql_h_found=no
+	AC_CHECK_HEADER(sql.h, sql_h_found=yes)
+	AC_CHECK_LIB(odbc, SQLConnect, libodbc_found=yes)
+
+	if test $libodbc_found = "yes" -o $sql_h_found = "yes"
+	then
+		use_dlz_odbc=system
+		dlz_odbc_include=""
+		dlz_odbc_libs="-lodbc"
+	else
+		odbcdirs="/usr /usr/local /usr/pkg"
+		for d in $odbcdirs
+		do
+			if test -f $d/include/sql.h -a -f $d/lib/libodbc.a
+			then
+				use_dlz_odbc=$d
+				dlz_odbc_include="-I$use_dlz_odbc/include"
+				dlz_odbc_libs="-L$use_dlz_odbc/lib -lodbc"
+				break
+			fi
+		done
+	fi
+fi
+
+case "$use_dlz_odbc" in
+	no)
+		AC_MSG_RESULT(no)
+		;;
+	yes)
+		AC_MSG_RESULT(not found)
+		AC_MSG_ERROR(
+[ODBC headers were not found in any of $odbcdirs; use --with-dlz-odbc=/path])
+		;;
+	*)
+		DLZ_ADD_DRIVER(ODBC, dlz_odbc_driver,
+				[$dlz_odbc_include],
+				[$dlz_odbc_libs])
+
+		AC_MSG_RESULT([using ODBC from $use_dlz_odbc])
+		;;
+esac
+
+
+#
+# Was --with-dlz-stub specified?
+#
+
+AC_MSG_CHECKING(for stub DLZ driver)
+AC_ARG_WITH(dlz_stub,
+	    AS_HELP_STRING([--with-dlz-stub[=ARG]],
+			   [Build with stub DLZ driver [yes|no].
+			       (Required to use stub driver with DLZ)]),
+    use_dlz_stub="$withval", use_dlz_stub="no")
+
+case "$use_dlz_stub" in
+	no)
+		AC_MSG_RESULT(no)
+		;;
+	*)
+
+		DLZ_ADD_DRIVER(STUB, dlz_stub_driver)
+
+		AC_MSG_RESULT(yes)
+		;;
+esac
+
+# Add any additional DLZ drivers here.
+
+#
+# Finally, some generic stuff that applies to all drivers, assuming
+# we're compiling contrib DLZ drivers at all.
+#
+if test -n "$CONTRIB_DLZ"
+then
+	CONTRIB_DLZ="-DCONTRIB_DLZ $CONTRIB_DLZ"
+
+	#
+	# Where to find DLZ driver header files.
+	#
+	DLZ_DRIVER_INCLUDES="-I$dlzdir/include $DLZ_DRIVER_INCLUDES"
+
+	#
+	# Initialization and shutdown wrappers, helper functions.
+	#
+	DLZ_DRIVER_SRCS="$dlzdir/dlz_drivers.c $dlzdir/sdlz_helper.c $DLZ_DRIVER_SRCS"
+	DLZ_DRIVER_OBJS="dlz_drivers.$O sdlz_helper.$O $DLZ_DRIVER_OBJS"
+fi
diff --git a/contrib/dlz/drivers/dlz_bdb_driver.c b/contrib/dlz/drivers/dlz_bdb_driver.c
new file mode 100644
index 0000000..5cce7ce
--- /dev/null
+++ b/contrib/dlz/drivers/dlz_bdb_driver.c
@@ -0,0 +1,780 @@
+/*
+ * Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) 1999-2001, 2016  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+#ifdef DLZ_BDB
+#include <db.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/util.h>
+
+#include <dns/log.h>
+#include <dns/result.h>
+#include <dns/sdlz.h>
+
+#include <dlz/dlz_bdb_driver.h>
+#include <named/globals.h>
+
+static dns_sdlzimplementation_t *dlz_bdb = NULL;
+
+/* should the bdb driver use threads. */
+#define bdb_threads DB_THREAD
+
+/* BDB database names */
+#define dlz_data   "dns_data"
+#define dlz_zone   "dns_zone"
+#define dlz_host   "dns_host"
+#define dlz_client "dns_client"
+
+/*%
+ * This structure contains all the Berkeley DB handles
+ * for this instance of the BDB driver.
+ */
+
+typedef struct bdb_instance {
+	DB_ENV *dbenv;	 /*%< BDB environment */
+	DB *data;	 /*%< dns_data database handle */
+	DB *zone;	 /*%< zone database handle */
+	DB *host;	 /*%< host database handle */
+	DB *client;	 /*%< client database handle */
+	isc_mem_t *mctx; /*%< memory context */
+} bdb_instance_t;
+
+typedef struct parsed_data {
+	char *zone;
+	char *host;
+	char *type;
+	int ttl;
+	char *data;
+} parsed_data_t;
+
+/* forward reference */
+
+static isc_result_t
+bdb_findzone(void *driverarg, void *dbdata, const char *name,
+	     dns_clientinfomethods_t *methods, dns_clientinfo_t *clientinfo);
+
+/*%
+ * Parses the DBT from the Berkeley DB into a parsed_data record
+ * The parsed_data record should be allocated before and passed into the
+ * bdb_parse_data function.  The char (type & data) fields should not
+ * be "free"d as that memory is part of the DBT data field.  It will be
+ * "free"d when the DBT is freed.
+ */
+
+static isc_result_t
+bdb_parse_data(char *in, parsed_data_t *pd) {
+	char *endp, *ttlStr;
+	char *tmp = in;
+	char *lastchar = (char *)&tmp[strlen(tmp) + 1];
+
+	/*%
+	 * String should be formatted as:
+	 * zone(a space)host(a space)ttl(a space)type(a space)remaining data
+	 * examples:
+	 * example.com www 10 A 127.0.0.1
+	 * example.com mail 10 A 127.0.0.2
+	 * example.com @ 10 MX 20 mail.example.com
+	 */
+
+	/* save pointer to zone */
+	pd->zone = tmp;
+
+	/* find space after zone and change it to a '\0' */
+	tmp = strchr(tmp, ' ');
+	/* verify we found a space */
+	if (tmp == NULL) {
+		return (ISC_R_FAILURE);
+	}
+	/* change the space to a null (string terminator) */
+	tmp[0] = '\0';
+	/* make sure it is safe to increment pointer */
+	if (++tmp > lastchar) {
+		return (ISC_R_FAILURE);
+	}
+
+	/* save pointer to host */
+	pd->host = tmp;
+
+	/* find space after type and change it to a '\0' */
+	tmp = strchr(tmp, ' ');
+	/* verify we found a space */
+	if (tmp == NULL) {
+		return (ISC_R_FAILURE);
+	}
+	/* change the space to a null (string terminator) */
+	tmp[0] = '\0';
+	/* make sure it is safe to increment pointer */
+	if (++tmp > lastchar) {
+		return (ISC_R_FAILURE);
+	}
+
+	/* save pointer to dns type */
+	pd->type = tmp;
+
+	/* find space after type and change it to a '\0' */
+	tmp = strchr(tmp, ' ');
+	/* verify we found a space */
+	if (tmp == NULL) {
+		return (ISC_R_FAILURE);
+	}
+	/* change the space to a null (string terminator) */
+	tmp[0] = '\0';
+	/* make sure it is safe to increment pointer */
+	if (++tmp > lastchar) {
+		return (ISC_R_FAILURE);
+	}
+
+	/* save pointer to dns ttl */
+	ttlStr = tmp;
+
+	/* find space after ttl and change it to a '\0' */
+	tmp = strchr(tmp, ' ');
+	/* verify we found a space */
+	if (tmp == NULL) {
+		return (ISC_R_FAILURE);
+	}
+	/* change the space to a null (string terminator) */
+	tmp[0] = '\0';
+	/* make sure it is safe to increment pointer */
+	if (++tmp > lastchar) {
+		return (ISC_R_FAILURE);
+	}
+
+	/* save pointer to remainder of DNS data */
+	pd->data = tmp;
+
+	/* convert ttl string to integer */
+	pd->ttl = strtol(ttlStr, &endp, 10);
+	if (*endp != '\0' || pd->ttl < 0) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "BDB driver ttl must be a positive number");
+		return (ISC_R_FAILURE);
+	}
+
+	/* if we get this far everything should have worked. */
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * DLZ methods
+ */
+
+static isc_result_t
+bdb_allowzonexfr(void *driverarg, void *dbdata, const char *name,
+		 const char *client) {
+	isc_result_t result;
+	bdb_instance_t *db = (bdb_instance_t *)dbdata;
+	DBC *client_cursor = NULL;
+	DBT key, data;
+
+	/* check to see if we are authoritative for the zone first. */
+	result = bdb_findzone(driverarg, dbdata, name, NULL, NULL);
+	if (result != ISC_R_SUCCESS) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	memset(&key, 0, sizeof(DBT));
+	key.flags = DB_DBT_MALLOC;
+	key.data = strdup(name);
+	if (key.data == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto xfr_cleanup;
+	}
+	key.size = strlen(key.data);
+
+	memset(&data, 0, sizeof(DBT));
+	data.flags = DB_DBT_MALLOC;
+	data.data = strdup(client);
+	if (data.data == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto xfr_cleanup;
+	}
+	data.size = strlen(data.data);
+
+	/* get a cursor to loop through zone data */
+	if (db->client->cursor(db->client, NULL, &client_cursor, 0) != 0) {
+		result = ISC_R_FAILURE;
+		goto xfr_cleanup;
+	}
+
+	switch (client_cursor->c_get(client_cursor, &key, &data, DB_GET_BOTH)) {
+	case DB_NOTFOUND:
+	case DB_SECONDARY_BAD:
+		result = ISC_R_NOTFOUND;
+		break;
+	case 0:
+		result = ISC_R_SUCCESS;
+		break;
+	default:
+		result = ISC_R_FAILURE;
+	}
+
+xfr_cleanup:
+
+	/* free any memory duplicate string in the key field */
+	if (key.data != NULL) {
+		free(key.data);
+	}
+
+	/* free any memory allocated to the data field. */
+	if (data.data != NULL) {
+		free(data.data);
+	}
+
+	/* get rid of zone_cursor */
+	if (client_cursor != NULL) {
+		client_cursor->c_close(client_cursor);
+	}
+
+	return (result);
+}
+
+static isc_result_t
+bdb_allnodes(const char *zone, void *driverarg, void *dbdata,
+	     dns_sdlzallnodes_t *allnodes) {
+	isc_result_t result = ISC_R_NOTFOUND;
+	bdb_instance_t *db = (bdb_instance_t *)dbdata;
+	DBC *zone_cursor = NULL;
+	DBT key, data;
+	int flags;
+	int bdbres;
+	parsed_data_t pd;
+	char *tmp = NULL, *tmp_zone;
+
+	UNUSED(driverarg);
+
+	memset(&key, 0, sizeof(DBT));
+	memset(&data, 0, sizeof(DBT));
+
+	key.data = tmp_zone = strdup(zone);
+
+	if (key.data == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	key.size = strlen(key.data);
+
+	/* get a cursor to loop through zone data */
+	if (db->zone->cursor(db->zone, NULL, &zone_cursor, 0) != 0) {
+		result = ISC_R_FAILURE;
+		goto allnodes_cleanup;
+	}
+
+	flags = DB_SET;
+
+	while ((bdbres = zone_cursor->c_get(zone_cursor, &key, &data, flags)) ==
+	       0)
+	{
+		flags = DB_NEXT_DUP;
+
+		tmp = realloc(tmp, data.size + 1);
+		if (tmp == NULL) {
+			goto allnodes_cleanup;
+		}
+
+		strncpy(tmp, data.data, data.size);
+		tmp[data.size] = '\0';
+
+		if (bdb_parse_data(tmp, &pd) != ISC_R_SUCCESS) {
+			goto allnodes_cleanup;
+		}
+
+		result = dns_sdlz_putnamedrr(allnodes, pd.host, pd.type, pd.ttl,
+					     pd.data);
+		if (result != ISC_R_SUCCESS) {
+			goto allnodes_cleanup;
+		}
+	} /* end while loop */
+
+allnodes_cleanup:
+
+	if (tmp != NULL) {
+		free(tmp);
+	}
+
+	/* free any memory duplicate string in the key field */
+	if (tmp_zone != NULL) {
+		free(tmp_zone);
+	}
+
+	/* get rid of zone_cursor */
+	if (zone_cursor != NULL) {
+		zone_cursor->c_close(zone_cursor);
+	}
+
+	return (result);
+}
+
+/*%
+ * Performs BDB cleanup.
+ * Used by bdb_create if there is an error starting up.
+ * Used by bdb_destroy when the driver is shutting down.
+ */
+
+static void
+bdb_cleanup(bdb_instance_t *db) {
+	isc_mem_t *mctx;
+
+	/* close databases */
+	if (db->data != NULL) {
+		db->data->close(db->data, 0);
+	}
+	if (db->host != NULL) {
+		db->host->close(db->host, 0);
+	}
+	if (db->zone != NULL) {
+		db->zone->close(db->zone, 0);
+	}
+	if (db->client != NULL) {
+		db->client->close(db->client, 0);
+	}
+
+	/* close environment */
+	if (db->dbenv != NULL) {
+		db->dbenv->close(db->dbenv, 0);
+	}
+
+	/* cleanup memory */
+	if (db->mctx != NULL) {
+		/* save mctx for later */
+		mctx = db->mctx;
+		/* return, and detach the memory */
+		isc_mem_putanddetach(&mctx, db, sizeof(bdb_instance_t));
+	}
+}
+
+static isc_result_t
+bdb_findzone(void *driverarg, void *dbdata, const char *name,
+	     dns_clientinfomethods_t *methods, dns_clientinfo_t *clientinfo) {
+	isc_result_t result;
+	bdb_instance_t *db = (bdb_instance_t *)dbdata;
+	DBC *zone_cursor = NULL;
+	DBT key, data;
+
+	UNUSED(driverarg);
+	UNUSED(methods);
+	UNUSED(clientinfo);
+
+	memset(&key, 0, sizeof(DBT));
+	memset(&data, 0, sizeof(DBT));
+	data.flags = DB_DBT_MALLOC;
+
+	key.data = strdup(name);
+
+	if (key.data == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	key.size = strlen(key.data);
+
+	/* get a cursor to loop through zone data */
+	if (db->zone->cursor(db->zone, NULL, &zone_cursor, 0) != 0) {
+		result = ISC_R_NOTFOUND;
+		goto findzone_cleanup;
+	}
+
+	switch (zone_cursor->c_get(zone_cursor, &key, &data, DB_SET)) {
+	case DB_NOTFOUND:
+	case DB_SECONDARY_BAD:
+		result = ISC_R_NOTFOUND;
+		break;
+	case 0:
+		result = ISC_R_SUCCESS;
+		break;
+	default:
+		result = ISC_R_FAILURE;
+	}
+
+findzone_cleanup:
+
+	/* free any memory duplicate string in the key field */
+	if (key.data != NULL) {
+		free(key.data);
+	}
+
+	/* free any memory allocated to the data field. */
+	if (data.data != NULL) {
+		free(data.data);
+	}
+
+	/* get rid of zone_cursor */
+	if (zone_cursor != NULL) {
+		zone_cursor->c_close(zone_cursor);
+	}
+
+	return (result);
+}
+
+static isc_result_t
+bdb_lookup(const char *zone, const char *name, void *driverarg, void *dbdata,
+	   dns_sdlzlookup_t *lookup, dns_clientinfomethods_t *methods,
+	   dns_clientinfo_t *clientinfo) {
+	isc_result_t result = ISC_R_NOTFOUND;
+	bdb_instance_t *db = (bdb_instance_t *)dbdata;
+	DBC *zone_cursor = NULL;
+	DBC *host_cursor = NULL;
+	DBC *join_cursor = NULL;
+	DBT key, data;
+	DBC *cur_arr[3];
+	int bdbres;
+	parsed_data_t pd;
+	char *tmp_zone, *tmp_host = NULL;
+	char *tmp = NULL;
+
+	UNUSED(driverarg);
+	UNUSED(methods);
+	UNUSED(clientinfo);
+
+	memset(&key, 0, sizeof(DBT));
+	memset(&data, 0, sizeof(DBT));
+
+	/* set zone key */
+	key.data = tmp_zone = strdup(zone);
+	if (key.data == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto lookup_cleanup;
+	}
+	key.size = strlen(key.data);
+
+	/* get a cursor to loop through zone data */
+	if (db->zone->cursor(db->zone, NULL, &zone_cursor, 0) != 0) {
+		result = ISC_R_FAILURE;
+		goto lookup_cleanup;
+	}
+
+	/* initialize zone_cursor with zone_key */
+	if (zone_cursor->c_get(zone_cursor, &key, &data, DB_SET) != 0) {
+		result = ISC_R_NOTFOUND;
+		goto lookup_cleanup;
+	}
+
+	/* set host key */
+	key.data = tmp_host = strdup(name);
+	if (key.data == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto lookup_cleanup;
+	}
+	key.size = strlen(key.data);
+
+	/* get a cursor to loop through host data */
+	if (db->host->cursor(db->host, NULL, &host_cursor, 0) != 0) {
+		result = ISC_R_FAILURE;
+		goto lookup_cleanup;
+	}
+
+	/* initialize host_cursor with host_key */
+	if (host_cursor->c_get(host_cursor, &key, &data, DB_SET) != 0) {
+		result = ISC_R_NOTFOUND;
+		goto lookup_cleanup;
+	}
+
+	cur_arr[0] = zone_cursor;
+	cur_arr[1] = host_cursor;
+	cur_arr[2] = NULL;
+
+	db->data->join(db->data, cur_arr, &join_cursor, 0);
+
+	while ((bdbres = join_cursor->c_get(join_cursor, &key, &data, 0)) == 0)
+	{
+		tmp = realloc(tmp, data.size + 1);
+		if (tmp == NULL) {
+			goto lookup_cleanup;
+		}
+
+		strncpy(tmp, data.data, data.size);
+		tmp[data.size] = '\0';
+
+		if (bdb_parse_data(tmp, &pd) != ISC_R_SUCCESS) {
+			goto lookup_cleanup;
+		}
+
+		result = dns_sdlz_putrr(lookup, pd.type, pd.ttl, pd.data);
+
+		if (result != ISC_R_SUCCESS) {
+			goto lookup_cleanup;
+		}
+	} /* end while loop */
+
+lookup_cleanup:
+
+	if (tmp != NULL) {
+		free(tmp);
+	}
+	if (tmp_zone != NULL) {
+		free(tmp_zone);
+	}
+	if (tmp_host != NULL) {
+		free(tmp_host);
+	}
+
+	/* get rid of the joined cusor */
+	if (join_cursor != NULL) {
+		join_cursor->c_close(join_cursor);
+	}
+
+	/* get rid of zone_cursor */
+	if (zone_cursor != NULL) {
+		zone_cursor->c_close(zone_cursor);
+	}
+
+	/* get rid of host_cursor */
+	if (host_cursor != NULL) {
+		host_cursor->c_close(host_cursor);
+	}
+
+	return (result);
+}
+
+/*% Initializes, sets flags and then opens Berkeley databases. */
+
+static isc_result_t
+bdb_opendb(DB_ENV *db_env, DBTYPE db_type, DB **db, const char *db_name,
+	   char *db_file, int flags) {
+	int result;
+
+	/* Initialize the database. */
+	if ((result = db_create(db, db_env, 0)) != 0) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "BDB could not initialize %s database. "
+			      "BDB error: %s",
+			      db_name, db_strerror(result));
+		return (ISC_R_FAILURE);
+	}
+
+	/* set database flags. */
+	if ((result = (*db)->set_flags(*db, flags)) != 0) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "BDB could not set flags for %s database. "
+			      "BDB error: %s",
+			      db_name, db_strerror(result));
+		return (ISC_R_FAILURE);
+	}
+
+	/* open the database. */
+	if ((result = (*db)->open(*db, NULL, db_file, db_name, db_type,
+				  DB_RDONLY | bdb_threads, 0)) != 0)
+	{
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "BDB could not open %s database in %s. "
+			      "BDB error: %s",
+			      db_name, db_file, db_strerror(result));
+		return (ISC_R_FAILURE);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+bdb_create(const char *dlzname, unsigned int argc, char *argv[],
+	   void *driverarg, void **dbdata) {
+	isc_result_t result;
+	int bdbres;
+	bdb_instance_t *db = NULL;
+
+	UNUSED(dlzname);
+	UNUSED(driverarg);
+
+	/* verify we have 3 arg's passed to the driver */
+	if (argc != 3) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "Berkeley DB driver requires at least "
+			      "2 command line args.");
+		return (ISC_R_FAILURE);
+	}
+
+	/* allocate and zero memory for driver structure */
+	db = isc_mem_get(named_g_mctx, sizeof(bdb_instance_t));
+	memset(db, 0, sizeof(bdb_instance_t));
+
+	/* attach to the memory context */
+	isc_mem_attach(named_g_mctx, &db->mctx);
+
+	/* create BDB environment
+	 * Basically BDB allocates and assigns memory to db->dbenv
+	 */
+	bdbres = db_env_create(&db->dbenv, 0);
+	if (bdbres != 0) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "BDB environment could not be created. "
+			      "BDB error: %s",
+			      db_strerror(bdbres));
+		result = ISC_R_FAILURE;
+		goto init_cleanup;
+	}
+
+	/* open BDB environment */
+	bdbres = db->dbenv->open(
+		db->dbenv, argv[1],
+		DB_INIT_CDB | DB_INIT_MPOOL | bdb_threads | DB_CREATE, 0);
+	if (bdbres != 0) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "BDB environment at '%s' could not be opened. "
+			      "BDB error: %s",
+			      argv[1], db_strerror(bdbres));
+		result = ISC_R_FAILURE;
+		goto init_cleanup;
+	}
+
+	/* open dlz_data database. */
+	result = bdb_opendb(db->dbenv, DB_UNKNOWN, &db->data, dlz_data, argv[2],
+			    0);
+	if (result != ISC_R_SUCCESS) {
+		goto init_cleanup;
+	}
+
+	/* open dlz_host database. */
+	result = bdb_opendb(db->dbenv, DB_UNKNOWN, &db->host, dlz_host, argv[2],
+			    DB_DUP | DB_DUPSORT);
+	if (result != ISC_R_SUCCESS) {
+		goto init_cleanup;
+	}
+
+	/* open dlz_zone database. */
+	result = bdb_opendb(db->dbenv, DB_UNKNOWN, &db->zone, dlz_zone, argv[2],
+			    DB_DUP | DB_DUPSORT);
+	if (result != ISC_R_SUCCESS) {
+		goto init_cleanup;
+	}
+
+	/* open dlz_client database. */
+	result = bdb_opendb(db->dbenv, DB_UNKNOWN, &db->client, dlz_client,
+			    argv[2], DB_DUP | DB_DUPSORT);
+	if (result != ISC_R_SUCCESS) {
+		goto init_cleanup;
+	}
+
+	/* associate the host secondary database with the primary database */
+	bdbres = db->data->associate(db->data, NULL, db->host, NULL, 0);
+	if (bdbres != 0) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "BDB could not associate %s database with %s. "
+			      "BDB error: %s",
+			      dlz_host, dlz_data, db_strerror(bdbres));
+		result = ISC_R_FAILURE;
+		goto init_cleanup;
+	}
+
+	/* associate the zone secondary database with the primary database */
+	bdbres = db->data->associate(db->data, NULL, db->zone, NULL, 0);
+	if (bdbres != 0) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "BDB could not associate %s database with %s. "
+			      "BDB error: %s",
+			      dlz_zone, dlz_data, db_strerror(bdbres));
+		result = ISC_R_FAILURE;
+		goto init_cleanup;
+	}
+
+	*dbdata = db;
+
+	return (ISC_R_SUCCESS);
+
+init_cleanup:
+
+	bdb_cleanup(db);
+	return (result);
+}
+
+static void
+bdb_destroy(void *driverarg, void *dbdata) {
+	UNUSED(driverarg);
+
+	bdb_cleanup((bdb_instance_t *)dbdata);
+}
+
+/* bdb_authority not needed as authority data is returned by lookup */
+static dns_sdlzmethods_t dlz_bdb_methods = {
+	bdb_create,
+	bdb_destroy,
+	bdb_findzone,
+	bdb_lookup,
+	NULL,
+	bdb_allnodes,
+	bdb_allowzonexfr,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+};
+
+/*%
+ * Wrapper around dns_sdlzregister().
+ */
+isc_result_t
+dlz_bdb_init(void) {
+	isc_result_t result;
+
+	/*
+	 * Write debugging message to log
+	 */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ,
+		      ISC_LOG_DEBUG(2), "Registering DLZ bdb driver.");
+
+	result = dns_sdlzregister("bdb", &dlz_bdb_methods, NULL,
+				  DNS_SDLZFLAG_RELATIVEOWNER |
+					  DNS_SDLZFLAG_RELATIVERDATA |
+					  DNS_SDLZFLAG_THREADSAFE,
+				  named_g_mctx, &dlz_bdb);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "dns_sdlzregister() failed: %s",
+				 isc_result_totext(result));
+		result = ISC_R_UNEXPECTED;
+	}
+
+	return (result);
+}
+
+/*%
+ * Wrapper around dns_sdlzunregister().
+ */
+void
+dlz_bdb_clear(void) {
+	/*
+	 * Write debugging message to log
+	 */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ,
+		      ISC_LOG_DEBUG(2), "Unregistering DLZ bdb driver.");
+
+	if (dlz_bdb != NULL) {
+		dns_sdlzunregister(&dlz_bdb);
+	}
+}
+
+#endif /* ifdef DLZ_BDB */
diff --git a/contrib/dlz/drivers/dlz_bdbhpt_driver.c b/contrib/dlz/drivers/dlz_bdbhpt_driver.c
new file mode 100644
index 0000000..fefe99d
--- /dev/null
+++ b/contrib/dlz/drivers/dlz_bdbhpt_driver.c
@@ -0,0 +1,849 @@
+/*
+ * Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) 1999-2001, 2016  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+#ifdef DLZ_BDB
+#include <db.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/util.h>
+
+#include <dns/log.h>
+#include <dns/result.h>
+#include <dns/sdlz.h>
+
+#include <dlz/dlz_bdbhpt_driver.h>
+#include <named/globals.h>
+
+static dns_sdlzimplementation_t *dlz_bdbhpt = NULL;
+
+/* should the bdb driver use threads. */
+#define bdbhpt_threads DB_THREAD
+
+/* bdbhpt database names */
+#define dlz_data   "dns_data"
+#define dlz_zone   "dns_zone"
+#define dlz_xfr	   "dns_xfr"
+#define dlz_client "dns_client"
+
+/* This structure contains all the Berkeley DB handles
+ * for this instance of the bdbhpt driver.
+ */
+
+typedef struct bdbhpt_instance {
+	DB_ENV *dbenv;	 /*%< bdbhpt environment */
+	DB *data;	 /*%< dns_data database handle */
+	DB *zone;	 /*%< zone database handle */
+	DB *xfr;	 /*%< zone xfr database handle */
+	DB *client;	 /*%< client database handle */
+	isc_mem_t *mctx; /*%< memory context */
+} bdbhpt_instance_t;
+
+typedef struct bdbhpt_parsed_data {
+	char *host;
+	char *type;
+	int ttl;
+	char *data;
+} bdbhpt_parsed_data_t;
+
+/* forward reference */
+
+static isc_result_t
+bdbhpt_findzone(void *driverarg, void *dbdata, const char *name,
+		dns_clientinfomethods_t *methods, dns_clientinfo_t *clientinfo);
+
+/*%
+ * Reverses a string in place.
+ */
+
+static char *
+bdbhpt_strrev(char *str) {
+	char *p1, *p2;
+
+	if (!str || !*str) {
+		return (str);
+	}
+	for (p1 = str, p2 = str + strlen(str) - 1; p2 > p1; ++p1, --p2) {
+		*p1 ^= *p2;
+		*p2 ^= *p1;
+		*p1 ^= *p2;
+	}
+	return (str);
+}
+
+/*%
+ * Parses the DBT from the Berkeley DB into a parsed_data record
+ * The parsed_data record should be allocated before and passed into the
+ * bdbhpt_parse_data function.  The char (type & data) fields should not
+ * be "free"d as that memory is part of the DBT data field.  It will be
+ * "free"d when the DBT is freed.
+ */
+
+static isc_result_t
+bdbhpt_parse_data(char *in, bdbhpt_parsed_data_t *pd) {
+	char *endp, *ttlStr;
+	char *tmp = in;
+	char *lastchar = (char *)&tmp[strlen(tmp)];
+
+	/*%
+	 * String should be formatted as:
+	 *   replication_id
+	 *   (a space)
+	 *   host_name
+	 *   (a space)
+	 *   ttl
+	 *   (a space)
+	 *   type
+	 *   (a space)
+	 *   remaining data
+	 *
+	 * examples:
+	 *
+	 * 9191 host 10 A 127.0.0.1
+	 * server1_212 host 10 A 127.0.0.2
+	 * {xxxx-xxxx-xxxx-xxxx-xxxx} host 10 MX 20 mail.example.com
+	 */
+
+	/*
+	 * we don't need the replication id, so don't
+	 * bother saving a pointer to it.
+	 */
+
+	/* find space after replication id */
+	tmp = strchr(tmp, ' ');
+	/* verify we found a space */
+	if (tmp == NULL) {
+		return (ISC_R_FAILURE);
+	}
+	/* make sure it is safe to increment pointer */
+	if (++tmp > lastchar) {
+		return (ISC_R_FAILURE);
+	}
+
+	/* save pointer to host */
+	pd->host = tmp;
+
+	/* find space after host and change it to a '\0' */
+	tmp = strchr(tmp, ' ');
+	/* verify we found a space */
+	if (tmp == NULL) {
+		return (ISC_R_FAILURE);
+	}
+	/* change the space to a null (string terminator) */
+	tmp[0] = '\0';
+	/* make sure it is safe to increment pointer */
+	if (++tmp > lastchar) {
+		return (ISC_R_FAILURE);
+	}
+
+	/* save pointer to ttl string */
+	ttlStr = tmp;
+
+	/* find space after ttl and change it to a '\0' */
+	tmp = strchr(tmp, ' ');
+	/* verify we found a space */
+	if (tmp == NULL) {
+		return (ISC_R_FAILURE);
+	}
+	/* change the space to a null (string terminator) */
+	tmp[0] = '\0';
+	/* make sure it is safe to increment pointer */
+	if (++tmp > lastchar) {
+		return (ISC_R_FAILURE);
+	}
+
+	/* save pointer to dns type */
+	pd->type = tmp;
+
+	/* find space after type and change it to a '\0' */
+	tmp = strchr(tmp, ' ');
+	/* verify we found a space */
+	if (tmp == NULL) {
+		return (ISC_R_FAILURE);
+	}
+	/* change the space to a null (string terminator) */
+	tmp[0] = '\0';
+	/* make sure it is safe to increment pointer */
+	if (++tmp > lastchar) {
+		return (ISC_R_FAILURE);
+	}
+
+	/* save pointer to remainder of DNS data */
+	pd->data = tmp;
+
+	/* convert ttl string to integer */
+	pd->ttl = strtol(ttlStr, &endp, 10);
+	if (*endp != '\0' || pd->ttl < 0) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "bdbhpt driver ttl must be a positive number");
+		return (ISC_R_FAILURE);
+	}
+
+	/* if we get this far everything should have worked. */
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * DLZ methods
+ */
+
+static isc_result_t
+bdbhpt_allowzonexfr(void *driverarg, void *dbdata, const char *name,
+		    const char *client) {
+	isc_result_t result;
+	bdbhpt_instance_t *db = (bdbhpt_instance_t *)dbdata;
+	DBT key, data;
+
+	/* check to see if we are authoritative for the zone first. */
+	result = bdbhpt_findzone(driverarg, dbdata, name, NULL, NULL);
+	if (result != ISC_R_SUCCESS) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	memset(&key, 0, sizeof(DBT));
+	key.flags = DB_DBT_MALLOC;
+	key.data = strdup(name);
+	if (key.data == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto xfr_cleanup;
+	}
+	key.size = strlen(key.data);
+
+	memset(&data, 0, sizeof(DBT));
+	data.flags = DB_DBT_MALLOC;
+	data.data = strdup(client);
+	if (data.data == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto xfr_cleanup;
+	}
+	data.size = strlen(data.data);
+
+	switch (db->client->get(db->client, NULL, &key, &data, DB_GET_BOTH)) {
+	case DB_NOTFOUND:
+		result = ISC_R_NOTFOUND;
+		break;
+	case 0:
+		result = ISC_R_SUCCESS;
+		break;
+	default:
+		result = ISC_R_FAILURE;
+	}
+
+xfr_cleanup:
+
+	/* free any memory duplicate string in the key field */
+	if (key.data != NULL) {
+		free(key.data);
+	}
+
+	/* free any memory allocated to the data field. */
+	if (data.data != NULL) {
+		free(data.data);
+	}
+
+	return (result);
+}
+
+/*%
+ * BDB does not allow a secondary index on a database that allows
+ * duplicates.  We have a few options:
+ *
+ * 1) kill speed by having lookup method use a secondary db which
+ * is associated to the primary DB with the DNS data.  Then have
+ * another secondary db for zone transfer which also points to
+ * the dns_data primary.  NO - The  point of this driver is
+ * lookup performance.
+ *
+ * 2) Blow up database size by storing DNS data twice.  Once for
+ * the lookup (dns_data) database, and a second time for the zone
+ * transfer (dns_xfr) database. NO - That would probably require
+ * a larger cache to provide good performance.  Also, that would
+ * make the DB larger on disk potentially slowing it as well.
+ *
+ * 3) Loop through the dns_xfr database with a cursor to get
+ * all the different hosts in a zone.  Then use the zone & host
+ * together to lookup the data in the dns_data database. YES -
+ * This may slow down zone xfr's a little, but that's ok they
+ * don't happen as often and don't need to be as fast. We can
+ * also use this table when deleting a zone (The BDB driver
+ * is read only - the delete would be used during replication
+ * updates by a separate process).
+ */
+
+static isc_result_t
+bdbhpt_allnodes(const char *zone, void *driverarg, void *dbdata,
+		dns_sdlzallnodes_t *allnodes) {
+	isc_result_t result = ISC_R_NOTFOUND;
+	bdbhpt_instance_t *db = (bdbhpt_instance_t *)dbdata;
+	DBC *xfr_cursor = NULL;
+	DBC *dns_cursor = NULL;
+	DBT xfr_key, xfr_data, dns_key, dns_data;
+	int xfr_flags;
+	int dns_flags;
+	int bdbhptres;
+	bdbhpt_parsed_data_t pd;
+	char *tmp = NULL, *tmp_zone, *tmp_zone_host = NULL;
+
+	UNUSED(driverarg);
+
+	memset(&xfr_key, 0, sizeof(DBT));
+	memset(&xfr_data, 0, sizeof(DBT));
+	memset(&dns_key, 0, sizeof(DBT));
+	memset(&dns_data, 0, sizeof(DBT));
+
+	xfr_key.data = tmp_zone = strdup(zone);
+	if (xfr_key.data == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	xfr_key.size = strlen(xfr_key.data);
+
+	/* get a cursor to loop through dns_xfr table */
+	if (db->xfr->cursor(db->xfr, NULL, &xfr_cursor, 0) != 0) {
+		result = ISC_R_FAILURE;
+		goto allnodes_cleanup;
+	}
+
+	/* get a cursor to loop through dns_data table */
+	if (db->data->cursor(db->data, NULL, &dns_cursor, 0) != 0) {
+		result = ISC_R_FAILURE;
+		goto allnodes_cleanup;
+	}
+
+	xfr_flags = DB_SET;
+
+	/* loop through xfr table for specified zone. */
+	while ((bdbhptres = xfr_cursor->c_get(xfr_cursor, &xfr_key, &xfr_data,
+					      xfr_flags)) == 0)
+	{
+		xfr_flags = DB_NEXT_DUP;
+
+		/* +1 to allow for space between zone and host names */
+		dns_key.size = xfr_data.size + xfr_key.size + 1;
+
+		/* +1 to allow for null term at end of string. */
+		dns_key.data = tmp_zone_host = malloc(dns_key.size + 1);
+		if (dns_key.data == NULL) {
+			goto allnodes_cleanup;
+		}
+
+		/*
+		 * construct search key for dns_data.
+		 * zone_name(a space)host_name
+		 */
+		strcpy(dns_key.data, zone);
+		strcat(dns_key.data, " ");
+		strncat(dns_key.data, xfr_data.data, xfr_data.size);
+
+		dns_flags = DB_SET;
+
+		while ((bdbhptres = dns_cursor->c_get(dns_cursor, &dns_key,
+						      &dns_data, dns_flags)) ==
+		       0)
+		{
+			dns_flags = DB_NEXT_DUP;
+
+			/* +1 to allow for null term at end of string. */
+			tmp = realloc(tmp, dns_data.size + 1);
+			if (tmp == NULL) {
+				goto allnodes_cleanup;
+			}
+
+			/* copy data to tmp string, and append null term. */
+			strncpy(tmp, dns_data.data, dns_data.size);
+			tmp[dns_data.size] = '\0';
+
+			/* split string into dns data parts. */
+			if (bdbhpt_parse_data(tmp, &pd) != ISC_R_SUCCESS) {
+				goto allnodes_cleanup;
+			}
+
+			result = dns_sdlz_putnamedrr(allnodes, pd.host, pd.type,
+						     pd.ttl, pd.data);
+			if (result != ISC_R_SUCCESS) {
+				goto allnodes_cleanup;
+			}
+		} /* end inner while loop */
+
+		/* clean up memory */
+		if (tmp_zone_host != NULL) {
+			free(tmp_zone_host);
+			tmp_zone_host = NULL;
+		}
+	} /* end outer while loop */
+
+allnodes_cleanup:
+
+	/* free any memory */
+	if (tmp != NULL) {
+		free(tmp);
+	}
+
+	if (tmp_zone_host != NULL) {
+		free(tmp_zone_host);
+	}
+
+	if (tmp_zone != NULL) {
+		free(tmp_zone);
+	}
+
+	/* get rid of cursors */
+	if (xfr_cursor != NULL) {
+		xfr_cursor->c_close(xfr_cursor);
+	}
+
+	if (dns_cursor != NULL) {
+		dns_cursor->c_close(dns_cursor);
+	}
+
+	return (result);
+}
+
+/*%
+ * Performs bdbhpt cleanup.
+ * Used by bdbhpt_create if there is an error starting up.
+ * Used by bdbhpt_destroy when the driver is shutting down.
+ */
+
+static void
+bdbhpt_cleanup(bdbhpt_instance_t *db) {
+	isc_mem_t *mctx;
+
+	/* close databases */
+	if (db->data != NULL) {
+		db->data->close(db->data, 0);
+	}
+	if (db->xfr != NULL) {
+		db->xfr->close(db->xfr, 0);
+	}
+	if (db->zone != NULL) {
+		db->zone->close(db->zone, 0);
+	}
+	if (db->client != NULL) {
+		db->client->close(db->client, 0);
+	}
+
+	/* close environment */
+	if (db->dbenv != NULL) {
+		db->dbenv->close(db->dbenv, 0);
+	}
+
+	/* cleanup memory */
+	if (db->mctx != NULL) {
+		/* save mctx for later */
+		mctx = db->mctx;
+		/* return, and detach the memory */
+		isc_mem_putanddetach(&mctx, db, sizeof(bdbhpt_instance_t));
+	}
+}
+
+static isc_result_t
+bdbhpt_findzone(void *driverarg, void *dbdata, const char *name,
+		dns_clientinfomethods_t *methods,
+		dns_clientinfo_t *clientinfo) {
+	isc_result_t result;
+	bdbhpt_instance_t *db = (bdbhpt_instance_t *)dbdata;
+	DBT key, data;
+
+	UNUSED(driverarg);
+	UNUSED(methods);
+	UNUSED(clientinfo);
+
+	memset(&key, 0, sizeof(DBT));
+	memset(&data, 0, sizeof(DBT));
+	data.flags = DB_DBT_MALLOC;
+
+	key.data = strdup(name);
+
+	if (key.data == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	/*
+	 * reverse string to take advantage of BDB locality of reference
+	 * if we need further lookups because the zone doesn't match the
+	 * first time.
+	 */
+	key.data = bdbhpt_strrev(key.data);
+	key.size = strlen(key.data);
+
+	switch (db->zone->get(db->zone, NULL, &key, &data, 0)) {
+	case DB_NOTFOUND:
+		result = ISC_R_NOTFOUND;
+		break;
+	case 0:
+		result = ISC_R_SUCCESS;
+		break;
+	default:
+		result = ISC_R_FAILURE;
+	}
+
+	/* free any memory duplicate string in the key field */
+	if (key.data != NULL) {
+		free(key.data);
+	}
+
+	/* free any memory allocated to the data field. */
+	if (data.data != NULL) {
+		free(data.data);
+	}
+
+	return (result);
+}
+
+static isc_result_t
+bdbhpt_lookup(const char *zone, const char *name, void *driverarg, void *dbdata,
+	      dns_sdlzlookup_t *lookup, dns_clientinfomethods_t *methods,
+	      dns_clientinfo_t *clientinfo) {
+	isc_result_t result = ISC_R_NOTFOUND;
+	bdbhpt_instance_t *db = (bdbhpt_instance_t *)dbdata;
+	DBC *data_cursor = NULL;
+	DBT key, data;
+	int bdbhptres;
+	int flags;
+
+	bdbhpt_parsed_data_t pd;
+	char *tmp = NULL;
+	char *keyStr = NULL;
+
+	UNUSED(driverarg);
+	UNUSED(methods);
+	UNUSED(clientinfo);
+
+	memset(&key, 0, sizeof(DBT));
+	memset(&data, 0, sizeof(DBT));
+
+	key.size = strlen(zone) + strlen(name) + 1;
+
+	/* allocate mem for key */
+	key.data = keyStr = malloc((key.size + 1) * sizeof(char));
+
+	if (keyStr == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	strcpy(keyStr, zone);
+	strcat(keyStr, " ");
+	strcat(keyStr, name);
+
+	/* get a cursor to loop through data */
+	if (db->data->cursor(db->data, NULL, &data_cursor, 0) != 0) {
+		result = ISC_R_FAILURE;
+		goto lookup_cleanup;
+	}
+
+	result = ISC_R_NOTFOUND;
+
+	flags = DB_SET;
+	while ((bdbhptres = data_cursor->c_get(data_cursor, &key, &data,
+					       flags)) == 0)
+	{
+		flags = DB_NEXT_DUP;
+		tmp = realloc(tmp, data.size + 1);
+		if (tmp == NULL) {
+			goto lookup_cleanup;
+		}
+
+		strncpy(tmp, data.data, data.size);
+		tmp[data.size] = '\0';
+
+		if (bdbhpt_parse_data(tmp, &pd) != ISC_R_SUCCESS) {
+			goto lookup_cleanup;
+		}
+
+		result = dns_sdlz_putrr(lookup, pd.type, pd.ttl, pd.data);
+
+		if (result != ISC_R_SUCCESS) {
+			goto lookup_cleanup;
+		}
+	} /* end while loop */
+
+lookup_cleanup:
+
+	/* get rid of cursor */
+	if (data_cursor != NULL) {
+		data_cursor->c_close(data_cursor);
+	}
+
+	free(keyStr);
+	if (tmp != NULL) {
+		free(tmp);
+	}
+
+	return (result);
+}
+
+/*% Initializes, sets flags and then opens Berkeley databases. */
+
+static isc_result_t
+bdbhpt_opendb(DB_ENV *db_env, DBTYPE db_type, DB **db, const char *db_name,
+	      char *db_file, int flags) {
+	int result;
+
+	/* Initialize the database. */
+	if ((result = db_create(db, db_env, 0)) != 0) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "bdbhpt could not initialize %s database. "
+			      "bdbhpt error: %s",
+			      db_name, db_strerror(result));
+		return (ISC_R_FAILURE);
+	}
+
+	/* set database flags. */
+	if ((result = (*db)->set_flags(*db, flags)) != 0) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "bdbhpt could not set flags for %s database. "
+			      "bdbhpt error: %s",
+			      db_name, db_strerror(result));
+		return (ISC_R_FAILURE);
+	}
+
+	/* open the database. */
+	if ((result = (*db)->open(*db, NULL, db_file, db_name, db_type,
+				  DB_RDONLY | bdbhpt_threads, 0)) != 0)
+	{
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "bdbhpt could not open %s database in %s. "
+			      "bdbhpt error: %s",
+			      db_name, db_file, db_strerror(result));
+		return (ISC_R_FAILURE);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+bdbhpt_create(const char *dlzname, unsigned int argc, char *argv[],
+	      void *driverarg, void **dbdata) {
+	isc_result_t result;
+	int bdbhptres;
+	int bdbFlags = 0;
+	bdbhpt_instance_t *db = NULL;
+
+	UNUSED(dlzname);
+	UNUSED(driverarg);
+
+	/* verify we have 4 arg's passed to the driver */
+	if (argc != 4) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "bdbhpt driver requires at least "
+			      "3 command line args.");
+		return (ISC_R_FAILURE);
+	}
+
+	switch ((char)*argv[1]) {
+	/*
+	 * Transactional mode.  Highest safety - lowest speed.
+	 */
+	case 'T':
+	case 't':
+		bdbFlags = DB_INIT_MPOOL | DB_INIT_LOCK | DB_INIT_LOG |
+			   DB_INIT_TXN;
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(1),
+			      "bdbhpt driver using transactional mode.");
+		break;
+	/*
+	 * Concurrent mode.  Lower safety (no rollback) -
+	 * higher speed.
+	 */
+	case 'C':
+	case 'c':
+		bdbFlags = DB_INIT_CDB | DB_INIT_MPOOL;
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(1),
+			      "bdbhpt driver using concurrent mode.");
+		break;
+	/*
+	 * Private mode. No inter-process communication & no locking.
+	 * Lowest safety - highest speed.
+	 */
+	case 'P':
+	case 'p':
+		bdbFlags = DB_PRIVATE | DB_INIT_MPOOL;
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(1),
+			      "bdbhpt driver using private mode.");
+		break;
+	default:
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "bdbhpt driver requires the operating mode "
+			      "be set to P or C or T.  You specified '%s'",
+			      argv[1]);
+		return (ISC_R_FAILURE);
+	}
+
+	/* allocate and zero memory for driver structure */
+	db = isc_mem_get(named_g_mctx, sizeof(bdbhpt_instance_t));
+	memset(db, 0, sizeof(bdbhpt_instance_t));
+
+	/* attach to the memory context */
+	isc_mem_attach(named_g_mctx, &db->mctx);
+
+	/*
+	 * create bdbhpt environment
+	 * Basically bdbhpt allocates and assigns memory to db->dbenv
+	 */
+	bdbhptres = db_env_create(&db->dbenv, 0);
+	if (bdbhptres != 0) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "bdbhpt environment could not be created. "
+			      "bdbhpt error: %s",
+			      db_strerror(bdbhptres));
+		result = ISC_R_FAILURE;
+		goto init_cleanup;
+	}
+
+	/* open bdbhpt environment */
+	bdbhptres = db->dbenv->open(db->dbenv, argv[2],
+				    bdbFlags | bdbhpt_threads | DB_CREATE, 0);
+	if (bdbhptres != 0) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "bdbhpt environment at '%s' could not be opened."
+			      " bdbhpt error: %s",
+			      argv[2], db_strerror(bdbhptres));
+		result = ISC_R_FAILURE;
+		goto init_cleanup;
+	}
+
+	/* open dlz_data database. */
+	result = bdbhpt_opendb(db->dbenv, DB_UNKNOWN, &db->data, dlz_data,
+			       argv[3], DB_DUP | DB_DUPSORT);
+	if (result != ISC_R_SUCCESS) {
+		goto init_cleanup;
+	}
+
+	/* open dlz_xfr database. */
+	result = bdbhpt_opendb(db->dbenv, DB_UNKNOWN, &db->xfr, dlz_xfr,
+			       argv[3], DB_DUP | DB_DUPSORT);
+	if (result != ISC_R_SUCCESS) {
+		goto init_cleanup;
+	}
+
+	/* open dlz_zone database. */
+	result = bdbhpt_opendb(db->dbenv, DB_UNKNOWN, &db->zone, dlz_zone,
+			       argv[3], 0);
+	if (result != ISC_R_SUCCESS) {
+		goto init_cleanup;
+	}
+
+	/* open dlz_client database. */
+	result = bdbhpt_opendb(db->dbenv, DB_UNKNOWN, &db->client, dlz_client,
+			       argv[3], DB_DUP | DB_DUPSORT);
+	if (result != ISC_R_SUCCESS) {
+		goto init_cleanup;
+	}
+
+	*dbdata = db;
+
+	return (ISC_R_SUCCESS);
+
+init_cleanup:
+
+	bdbhpt_cleanup(db);
+	return (result);
+}
+
+static void
+bdbhpt_destroy(void *driverarg, void *dbdata) {
+	UNUSED(driverarg);
+
+	bdbhpt_cleanup((bdbhpt_instance_t *)dbdata);
+}
+
+/*
+ * bdbhpt_authority not needed as authority data is returned by lookup
+ */
+static dns_sdlzmethods_t dlz_bdbhpt_methods = {
+	bdbhpt_create,
+	bdbhpt_destroy,
+	bdbhpt_findzone,
+	bdbhpt_lookup,
+	NULL,
+	bdbhpt_allnodes,
+	bdbhpt_allowzonexfr,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+};
+
+/*%
+ * Wrapper around dns_sdlzregister().
+ */
+isc_result_t
+dlz_bdbhpt_init(void) {
+	isc_result_t result;
+
+	/*
+	 * Write debugging message to log
+	 */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ,
+		      ISC_LOG_DEBUG(2), "Registering DLZ bdbhpt driver.");
+
+	result = dns_sdlzregister("bdbhpt", &dlz_bdbhpt_methods, NULL,
+				  DNS_SDLZFLAG_RELATIVEOWNER |
+					  DNS_SDLZFLAG_RELATIVERDATA |
+					  DNS_SDLZFLAG_THREADSAFE,
+				  named_g_mctx, &dlz_bdbhpt);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "dns_sdlzregister() failed: %s",
+				 isc_result_totext(result));
+		result = ISC_R_UNEXPECTED;
+	}
+
+	return (result);
+}
+
+/*%
+ * Wrapper around dns_sdlzunregister().
+ */
+void
+dlz_bdbhpt_clear(void) {
+	/*
+	 * Write debugging message to log
+	 */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ,
+		      ISC_LOG_DEBUG(2), "Unregistering DLZ bdbhpt driver.");
+
+	if (dlz_bdbhpt != NULL) {
+		dns_sdlzunregister(&dlz_bdbhpt);
+	}
+}
+
+#endif /* ifdef DLZ_BDB */
diff --git a/contrib/dlz/drivers/dlz_dlopen_driver.c b/contrib/dlz/drivers/dlz_dlopen_driver.c
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/contrib/dlz/drivers/dlz_dlopen_driver.c
diff --git a/contrib/dlz/drivers/dlz_drivers.c b/contrib/dlz/drivers/dlz_drivers.c
new file mode 100644
index 0000000..8320bf8
--- /dev/null
+++ b/contrib/dlz/drivers/dlz_drivers.c
@@ -0,0 +1,156 @@
+/*
+ * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <isc/result.h>
+
+/*
+ * Pull in declarations for this module's functions.
+ */
+
+#include <dlz/dlz_drivers.h>
+
+/*
+ * Pull in driver-specific stuff.
+ */
+
+#ifdef DLZ_STUB
+#include <dlz/dlz_stub_driver.h>
+#endif /* ifdef DLZ_STUB */
+
+#ifdef DLZ_POSTGRES
+#include <dlz/dlz_postgres_driver.h>
+#endif /* ifdef DLZ_POSTGRES */
+
+#ifdef DLZ_MYSQL
+#include <dlz/dlz_mysql_driver.h>
+#endif /* ifdef DLZ_MYSQL */
+
+#ifdef DLZ_FILESYSTEM
+#include <dlz/dlz_filesystem_driver.h>
+#endif /* ifdef DLZ_FILESYSTEM */
+
+#ifdef DLZ_BDB
+#include <dlz/dlz_bdb_driver.h>
+#include <dlz/dlz_bdbhpt_driver.h>
+#endif /* ifdef DLZ_BDB */
+
+#ifdef DLZ_LDAP
+#include <dlz/dlz_ldap_driver.h>
+#endif /* ifdef DLZ_LDAP */
+
+#ifdef DLZ_ODBC
+#include <dlz/dlz_odbc_driver.h>
+#endif /* ifdef DLZ_ODBC */
+
+/*%
+ * Call init functions for all relevant DLZ drivers.
+ */
+
+isc_result_t
+dlz_drivers_init(void) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+#ifdef DLZ_STUB
+	result = dlz_stub_init();
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+#endif /* ifdef DLZ_STUB */
+
+#ifdef DLZ_POSTGRES
+	result = dlz_postgres_init();
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+#endif /* ifdef DLZ_POSTGRES */
+
+#ifdef DLZ_MYSQL
+	result = dlz_mysql_init();
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+#endif /* ifdef DLZ_MYSQL */
+
+#ifdef DLZ_FILESYSTEM
+	result = dlz_fs_init();
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+#endif /* ifdef DLZ_FILESYSTEM */
+
+#ifdef DLZ_BDB
+	result = dlz_bdb_init();
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	result = dlz_bdbhpt_init();
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+#endif /* ifdef DLZ_BDB */
+
+#ifdef DLZ_LDAP
+	result = dlz_ldap_init();
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+#endif /* ifdef DLZ_LDAP */
+
+#ifdef DLZ_ODBC
+	result = dlz_odbc_init();
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+#endif /* ifdef DLZ_ODBC */
+
+	return (result);
+}
+
+/*%
+ * Call shutdown functions for all relevant DLZ drivers.
+ */
+
+void
+dlz_drivers_clear(void) {
+#ifdef DLZ_STUB
+	dlz_stub_clear();
+#endif /* ifdef DLZ_STUB */
+
+#ifdef DLZ_POSTGRES
+	dlz_postgres_clear();
+#endif /* ifdef DLZ_POSTGRES */
+
+#ifdef DLZ_MYSQL
+	dlz_mysql_clear();
+#endif /* ifdef DLZ_MYSQL */
+
+#ifdef DLZ_FILESYSTEM
+	dlz_fs_clear();
+#endif /* ifdef DLZ_FILESYSTEM */
+
+#ifdef DLZ_BDB
+	dlz_bdb_clear();
+	dlz_bdbhpt_clear();
+#endif /* ifdef DLZ_BDB */
+
+#ifdef DLZ_LDAP
+	dlz_ldap_clear();
+#endif /* ifdef DLZ_LDAP */
+
+#ifdef DLZ_ODBC
+	dlz_odbc_clear();
+#endif /* ifdef DLZ_ODBC */
+}
diff --git a/contrib/dlz/drivers/dlz_filesystem_driver.c b/contrib/dlz/drivers/dlz_filesystem_driver.c
new file mode 100644
index 0000000..c097411
--- /dev/null
+++ b/contrib/dlz/drivers/dlz_filesystem_driver.c
@@ -0,0 +1,1000 @@
+/*
+ * Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) 1999-2001, 2016  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+#ifdef DLZ_FILESYSTEM
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+
+#include <isc/dir.h>
+#include <isc/mem.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/log.h>
+#include <dns/result.h>
+#include <dns/sdlz.h>
+
+#include <dlz/dlz_filesystem_driver.h>
+#include <named/globals.h>
+
+static dns_sdlzimplementation_t *dlz_fs = NULL;
+
+typedef struct config_data {
+	char *basedir;
+	int basedirsize;
+	char *datadir;
+	int datadirsize;
+	char *xfrdir;
+	int xfrdirsize;
+	int splitcnt;
+	char separator;
+	char pathsep;
+	isc_mem_t *mctx;
+} config_data_t;
+
+typedef struct dir_entry dir_entry_t;
+
+struct dir_entry {
+	char dirpath[PATH_MAX];
+	ISC_LINK(dir_entry_t) link;
+};
+
+typedef ISC_LIST(dir_entry_t) dlist_t;
+
+/* forward reference */
+
+static void
+fs_destroy(void *driverarg, void *dbdata);
+
+/*
+ * Private methods
+ */
+
+static bool
+is_safe(const char *input) {
+	unsigned int i;
+	unsigned int len = strlen(input);
+
+	/* check that only allowed characters  are in the domain name */
+	for (i = 0; i < len; i++) {
+		/* '.' is allowed, but has special requirements */
+		if (input[i] == '.') {
+			/* '.' is not allowed as first char */
+			if (i == 0) {
+				return (false);
+			}
+			/* '..', two dots together is not allowed. */
+			if (input[i - 1] == '.') {
+				return (false);
+			}
+			/* '.' is not allowed as last char */
+			if (i == len - 1) {
+				return (false);
+			}
+			/* only 1 dot in ok location, continue at next char */
+			continue;
+		}
+		/* '-' is allowed, continue at next char */
+		if (input[i] == '-') {
+			continue;
+		}
+		/* 0-9 is allowed, continue at next char */
+		if (input[i] >= '0' && input[i] <= '9') {
+			continue;
+		}
+		/* A-Z uppercase is allowed, continue at next char */
+		if (input[i] >= 'A' && input[i] <= 'Z') {
+			continue;
+		}
+		/* a-z lowercase is allowed, continue at next char */
+		if (input[i] >= 'a' && input[i] <= 'z') {
+			continue;
+		}
+
+		/*
+		 * colon needs to be allowed for IPV6 client
+		 * addresses.  Not dangerous in domain names, as not a
+		 * special char.
+		 */
+		if (input[i] == ':') {
+			continue;
+		}
+
+		/*
+		 * '@' needs to be allowed for in zone data.  Not
+		 * dangerous in domain names, as not a special char.
+		 */
+		if (input[i] == '@') {
+			continue;
+		}
+
+		/*
+		 * if we reach this point we have encountered a
+		 * disallowed char!
+		 */
+		return (false);
+	}
+	/* everything ok. */
+	return (true);
+}
+
+static void
+create_path_helper(char *out, const char *in, config_data_t *cd) {
+	char *tmpString;
+	char *tmpPtr;
+	int i;
+
+	tmpString = isc_mem_strdup(named_g_mctx, in);
+
+	/*
+	 * don't forget is_safe guarantees '.' will NOT be the
+	 * first/last char
+	 */
+	while ((tmpPtr = strrchr(tmpString, '.')) != NULL) {
+		i = 0;
+		while (tmpPtr[i + 1] != '\0') {
+			if (cd->splitcnt < 1) {
+				strcat(out, (char *)&tmpPtr[i + 1]);
+			} else {
+				strncat(out, (char *)&tmpPtr[i + 1],
+					cd->splitcnt);
+			}
+			strncat(out, (char *)&cd->pathsep, 1);
+			if (cd->splitcnt == 0) {
+				break;
+			}
+			if (strlen((char *)&tmpPtr[i + 1]) <=
+			    (unsigned int)cd->splitcnt)
+			{
+				break;
+			}
+			i += cd->splitcnt;
+		}
+		tmpPtr[0] = '\0';
+	}
+
+	/* handle the "first" label properly */
+	i = 0;
+	tmpPtr = tmpString;
+	while (tmpPtr[i] != '\0') {
+		if (cd->splitcnt < 1) {
+			strcat(out, (char *)&tmpPtr[i]);
+		} else {
+			strncat(out, (char *)&tmpPtr[i], cd->splitcnt);
+		}
+		strncat(out, (char *)&cd->pathsep, 1);
+		if (cd->splitcnt == 0) {
+			break;
+		}
+		if (strlen((char *)&tmpPtr[i]) <= (unsigned int)cd->splitcnt) {
+			break;
+		}
+		i += cd->splitcnt;
+	}
+
+	isc_mem_free(named_g_mctx, tmpString);
+}
+
+/*%
+ * Checks to make sure zone and host are safe.  If safe, then
+ * hashes zone and host strings to build a path.  If zone / host
+ * are not safe an error is returned.
+ */
+
+static isc_result_t
+create_path(const char *zone, const char *host, const char *client,
+	    config_data_t *cd, char **path) {
+	char *tmpPath;
+	int pathsize;
+	int len;
+	bool isroot = false;
+
+	/* we require a zone & cd parameter */
+	REQUIRE(zone != NULL);
+	REQUIRE(cd != NULL);
+	/* require path to be a pointer to NULL */
+	REQUIRE(path != NULL && *path == NULL);
+	/*
+	 * client and host may both be NULL, but they can't both be
+	 * NON-NULL
+	 */
+	REQUIRE((host == NULL && client == NULL) ||
+		(host != NULL && client == NULL) ||
+		(host == NULL && client != NULL));
+
+	/* special case for root zone */
+	if (strcmp(zone, ".") == 0) {
+		isroot = true;
+	}
+
+	/* if the requested zone is "unsafe", return error */
+	if (!isroot && !is_safe(zone)) {
+		return (ISC_R_FAILURE);
+	}
+
+	/* if host was passed, verify that it is safe */
+	if (host != NULL && !is_safe(host)) {
+		return (ISC_R_FAILURE);
+	}
+
+	/* if client was passed, verify that it is safe */
+	if (client != NULL && !is_safe(client)) {
+		return (ISC_R_FAILURE);
+	}
+
+	/* Determine how much memory the split up string will require */
+	if (host != NULL) {
+		len = strlen(zone) + strlen(host);
+	} else if (client != NULL) {
+		len = strlen(zone) + strlen(client);
+	} else {
+		len = strlen(zone);
+	}
+
+	/*
+	 * even though datadir and xfrdir will never be in the same
+	 * string we only waste a few bytes by allocating for both,
+	 * and then we are safe from buffer overruns.
+	 */
+	pathsize = len + cd->basedirsize + cd->datadirsize + cd->xfrdirsize + 4;
+
+	/* if we are splitting names, we will need extra space. */
+	if (cd->splitcnt > 0) {
+		pathsize += len / cd->splitcnt;
+	}
+
+	tmpPath = isc_mem_allocate(named_g_mctx, pathsize * sizeof(char));
+
+	/*
+	 * build path string.
+	 * start out with base directory.
+	 */
+	strcpy(tmpPath, cd->basedir);
+
+	/* add zone name - parsed properly */
+	if (!isroot) {
+		create_path_helper(tmpPath, zone, cd);
+	}
+
+	/*
+	 * When neither client or host is passed we are building a
+	 * path to see if a zone is supported.  We require that a zone
+	 * path have the "data dir" directory contained within it so
+	 * that we know this zone is really supported.  Otherwise,
+	 * this zone may not really be supported because we are
+	 * supporting a delagated sub zone.
+	 *
+	 * Example:
+	 *
+	 * We are supporting long.domain.com and using a splitcnt of
+	 * 0.  the base dir is "/base-dir/" and the data dir is
+	 * "/.datadir" We want to see if we are authoritative for
+	 * domain.com.  Path /base-dir/com/domain/.datadir since
+	 * /base-dir/com/domain/.datadir does not exist, we are not
+	 * authoritative for the domain "domain.com".  However we are
+	 * authoritative for the domain "long.domain.com" because the
+	 * path /base-dir/com/domain/long/.datadir does exist!
+	 */
+
+	/* if client is passed append xfr dir, otherwise append data dir */
+	if (client != NULL) {
+		strcat(tmpPath, cd->xfrdir);
+		strncat(tmpPath, (char *)&cd->pathsep, 1);
+		strcat(tmpPath, client);
+	} else {
+		strcat(tmpPath, cd->datadir);
+	}
+
+	/* if host not null, add it. */
+	if (host != NULL) {
+		strncat(tmpPath, (char *)&cd->pathsep, 1);
+		create_path_helper(tmpPath, host, cd);
+	}
+
+	/* return the path we built. */
+	*path = tmpPath;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+process_dir(isc_dir_t *dir, void *passback, config_data_t *cd,
+	    dlist_t *dir_list, unsigned int basedirlen) {
+	char tmp[PATH_MAX + NAME_MAX];
+	int astPos;
+	struct stat sb;
+	isc_result_t result = ISC_R_FAILURE;
+	char *endp;
+	char *type;
+	char *ttlStr;
+	char *data;
+	char host[NAME_MAX];
+	char *tmpString;
+	char *tmpPtr;
+	int ttl;
+	int i;
+	int len;
+	dir_entry_t *direntry;
+	bool foundHost;
+
+	tmp[0] = '\0'; /* set 1st byte to '\0' so strcpy works right. */
+	host[0] = '\0';
+	foundHost = false;
+
+	/* copy base directory name to tmp. */
+	strcpy(tmp, dir->dirname);
+
+	/* dir->dirname will always have '*' as the last char. */
+	astPos = strlen(dir->dirname) - 1;
+
+	/* if dir_list != NULL, were are performing a zone xfr */
+	if (dir_list != NULL) {
+		/* if splitcnt == 0, determine host from path. */
+		if (cd->splitcnt == 0) {
+			if (strlen(tmp) - 3 > basedirlen) {
+				tmp[astPos - 1] = '\0';
+				tmpString = (char *)&tmp[basedirlen + 1];
+				/* handle filesystem's special wildcard "-"  */
+				if (strcmp(tmpString, "-") == 0) {
+					strcpy(host, "*");
+				} else {
+					/*
+					 * not special wildcard -- normal name
+					 */
+					while ((tmpPtr = strrchr(
+							tmpString,
+							cd->pathsep)) != NULL)
+					{
+						if ((strlen(host) +
+						     strlen(tmpPtr + 1) + 2) >
+						    NAME_MAX)
+						{
+							continue;
+						}
+						strcat(host, tmpPtr + 1);
+						strcat(host, ".");
+						tmpPtr[0] = '\0';
+					}
+					if ((strlen(host) + strlen(tmpString) +
+					     1) <= NAME_MAX)
+					{
+						strcat(host, tmpString);
+					}
+				}
+
+				foundHost = true;
+				/* set tmp again for use later */
+				strcpy(tmp, dir->dirname);
+			}
+		} else {
+			/*
+			 * if splitcnt != 0 determine host from
+			 * ".host" directory entry
+			 */
+			while (isc_dir_read(dir) == ISC_R_SUCCESS) {
+				if (strncasecmp(".host", dir->entry.name, 5) ==
+				    0)
+				{
+					/*
+					 * handle filesystem's special
+					 * wildcard "-"
+					 */
+					if (strcmp((char *)&dir->entry.name[6],
+						   "-") == 0)
+					{
+						strlcpy(host, "*",
+							sizeof(host));
+					} else {
+						strlcpy(host,
+							(char *)&dir->entry
+								.name[6],
+							sizeof(host));
+					}
+					foundHost = true;
+					break;
+				}
+			}
+			/* reset dir list for use later */
+			isc_dir_reset(dir);
+		} /* end of else */
+	}
+
+	while (isc_dir_read(dir) == ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(1),
+			      "Filesystem driver Dir name:"
+			      " '%s' Dir entry: '%s'\n",
+			      dir->dirname, dir->entry.name);
+
+		/* skip any entries starting with "." */
+		if (dir->entry.name[0] == '.') {
+			continue;
+		}
+
+		/*
+		 * get rid of '*', set to NULL.  Effectively trims
+		 * string from previous loop to base directory only
+		 * while still leaving memory for concat to be
+		 * performed next.
+		 */
+
+		tmp[astPos] = '\0';
+
+		/* add name to base directory name. */
+		strcat(tmp, dir->entry.name);
+
+		/* make sure we can stat entry */
+		if (stat(tmp, &sb) == 0) {
+			/* if entry is a directory */
+			if ((sb.st_mode & S_IFDIR) != 0) {
+				/*
+				 * if dir list is NOT NULL, add dir to
+				 * dir list
+				 */
+				if (dir_list != NULL) {
+					direntry = isc_mem_get(
+						named_g_mctx,
+						sizeof(dir_entry_t));
+					strcpy(direntry->dirpath, tmp);
+					ISC_LINK_INIT(direntry, link);
+					ISC_LIST_APPEND(*dir_list, direntry,
+							link);
+					result = ISC_R_SUCCESS;
+				}
+				continue;
+
+				/*
+				 * if entry is a file be sure we do
+				 * not add entry to DNS results if we
+				 * are performing a zone xfr and we
+				 * could not find a host entry.
+				 */
+			} else if (dir_list != NULL && !foundHost) {
+				continue;
+			}
+		} else { /* if we cannot stat entry, skip it. */
+			continue;
+		}
+
+		type = dir->entry.name;
+		ttlStr = strchr(type, cd->separator);
+		if (ttlStr == NULL) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+				      "Filesystem driver: "
+				      "%s could not be parsed properly",
+				      tmp);
+			return (ISC_R_FAILURE);
+		}
+
+		/* replace separator char with NULL to split string */
+		ttlStr[0] = '\0';
+		/* start string after NULL of previous string */
+		ttlStr = (char *)&ttlStr[1];
+
+		data = strchr(ttlStr, cd->separator);
+		if (data == NULL) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+				      "Filesystem driver: "
+				      "%s could not be parsed properly",
+				      tmp);
+			return (ISC_R_FAILURE);
+		}
+
+		/* replace separator char with NULL to split string */
+		data[0] = '\0';
+
+		/* start string after NULL of previous string */
+		data = (char *)&data[1];
+
+		/* replace all cd->separator chars with a space. */
+		len = strlen(data);
+
+		for (i = 0; i < len; i++) {
+			if (data[i] == cd->separator) {
+				data[i] = ' ';
+			}
+		}
+
+		/* convert text to int, make sure it worked right */
+		ttl = strtol(ttlStr, &endp, 10);
+		if (*endp != '\0' || ttl < 0) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+				      "Filesystem driver "
+				      "ttl must be a positive number");
+		}
+
+		/* pass data back to Bind */
+		if (dir_list == NULL) {
+			result = dns_sdlz_putrr((dns_sdlzlookup_t *)passback,
+						type, ttl, data);
+		} else {
+			result = dns_sdlz_putnamedrr(
+				(dns_sdlzallnodes_t *)passback, (char *)host,
+				type, ttl, data);
+		}
+
+		/* if error, return error right away */
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	} /* end of while loop */
+
+	return (result);
+}
+
+/*
+ * SDLZ interface methods
+ */
+
+static isc_result_t
+fs_allowzonexfr(void *driverarg, void *dbdata, const char *name,
+		const char *client) {
+	isc_result_t result;
+	char *path;
+	struct stat sb;
+	config_data_t *cd;
+	path = NULL;
+
+	UNUSED(driverarg);
+
+	cd = (config_data_t *)dbdata;
+
+	if (create_path(name, NULL, client, cd, &path) != ISC_R_SUCCESS) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	if (stat(path, &sb) != 0) {
+		result = ISC_R_NOTFOUND;
+		goto complete_AXFR;
+	}
+
+	if ((sb.st_mode & S_IFREG) != 0) {
+		result = ISC_R_SUCCESS;
+		goto complete_AXFR;
+	}
+
+	result = ISC_R_NOTFOUND;
+
+complete_AXFR:
+	isc_mem_free(named_g_mctx, path);
+	return (result);
+}
+
+static isc_result_t
+fs_allnodes(const char *zone, void *driverarg, void *dbdata,
+	    dns_sdlzallnodes_t *allnodes) {
+	isc_result_t result;
+	dlist_t *dir_list;
+	config_data_t *cd;
+	char *basepath;
+	unsigned int basepathlen;
+	struct stat sb;
+	isc_dir_t dir;
+	dir_entry_t *dir_entry;
+	dir_entry_t *next_de;
+
+	basepath = NULL;
+	dir_list = NULL;
+
+	UNUSED(driverarg);
+	UNUSED(allnodes);
+
+	cd = (config_data_t *)dbdata;
+
+	/* allocate memory for list */
+	dir_list = isc_mem_get(named_g_mctx, sizeof(dlist_t));
+
+	/* initialize list */
+	ISC_LIST_INIT(*dir_list);
+
+	if (create_path(zone, NULL, NULL, cd, &basepath) != ISC_R_SUCCESS) {
+		result = ISC_R_NOTFOUND;
+		goto complete_allnds;
+	}
+
+	/* remove path separator at end of path so stat works properly */
+	basepathlen = strlen(basepath);
+
+	if (stat(basepath, &sb) != 0) {
+		result = ISC_R_NOTFOUND;
+		goto complete_allnds;
+	}
+
+	if ((sb.st_mode & S_IFDIR) == 0) {
+		result = ISC_R_NOTFOUND;
+		goto complete_allnds;
+	}
+
+	/* initialize and open directory */
+	isc_dir_init(&dir);
+	result = isc_dir_open(&dir, basepath);
+
+	/* if directory open failed, return error. */
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "Unable to open %s directory to read entries.",
+			      basepath);
+		result = ISC_R_FAILURE;
+		goto complete_allnds;
+	}
+
+	/* process the directory */
+	result = process_dir(&dir, allnodes, cd, dir_list, basepathlen);
+
+	/* close the directory */
+	isc_dir_close(&dir);
+
+	if (result != ISC_R_SUCCESS) {
+		goto complete_allnds;
+	}
+
+	/* get first dir entry from list. */
+	dir_entry = ISC_LIST_HEAD(*dir_list);
+	while (dir_entry != NULL) {
+		result = isc_dir_open(&dir, dir_entry->dirpath);
+		/* if directory open failed, return error. */
+		if (result != ISC_R_SUCCESS) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+				      "Unable to open %s "
+				      "directory to read entries.",
+				      basepath);
+			result = ISC_R_FAILURE;
+			goto complete_allnds;
+		}
+
+		/* process the directory */
+		result = process_dir(&dir, allnodes, cd, dir_list, basepathlen);
+
+		/* close the directory */
+		isc_dir_close(&dir);
+
+		if (result != ISC_R_SUCCESS) {
+			goto complete_allnds;
+		}
+
+		dir_entry = ISC_LIST_NEXT(dir_entry, link);
+	} /* end while */
+
+complete_allnds:
+	/* clean up entries from list. */
+	dir_entry = ISC_LIST_HEAD(*dir_list);
+	while (dir_entry != NULL) {
+		next_de = ISC_LIST_NEXT(dir_entry, link);
+		isc_mem_put(named_g_mctx, dir_entry, sizeof(dir_entry_t));
+		dir_entry = next_de;
+	} /* end while */
+	isc_mem_put(named_g_mctx, dir_list, sizeof(dlist_t));
+
+	if (basepath != NULL) {
+		isc_mem_free(named_g_mctx, basepath);
+	}
+
+	return (result);
+}
+
+static isc_result_t
+fs_findzone(void *driverarg, void *dbdata, const char *name,
+	    dns_clientinfomethods_t *methods, dns_clientinfo_t *clientinfo) {
+	isc_result_t result;
+	char *path;
+	struct stat sb;
+	path = NULL;
+
+	UNUSED(driverarg);
+	UNUSED(methods);
+	UNUSED(clientinfo);
+
+	if (create_path(name, NULL, NULL, (config_data_t *)dbdata, &path) !=
+	    ISC_R_SUCCESS)
+	{
+		return (ISC_R_NOTFOUND);
+	}
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ,
+		      ISC_LOG_DEBUG(1),
+		      "Filesystem driver Findzone() Checking for path: '%s'\n",
+		      path);
+
+	if (stat(path, &sb) != 0) {
+		result = ISC_R_NOTFOUND;
+		goto complete_FZ;
+	}
+
+	if ((sb.st_mode & S_IFDIR) != 0) {
+		result = ISC_R_SUCCESS;
+		goto complete_FZ;
+	}
+
+	result = ISC_R_NOTFOUND;
+
+complete_FZ:
+
+	isc_mem_free(named_g_mctx, path);
+	return (result);
+}
+
+static isc_result_t
+fs_lookup(const char *zone, const char *name, void *driverarg, void *dbdata,
+	  dns_sdlzlookup_t *lookup, dns_clientinfomethods_t *methods,
+	  dns_clientinfo_t *clientinfo) {
+	isc_result_t result;
+	char *path;
+	struct stat sb;
+	isc_dir_t dir;
+	path = NULL;
+
+	UNUSED(driverarg);
+	UNUSED(lookup);
+	UNUSED(methods);
+	UNUSED(clientinfo);
+
+	if (strcmp(name, "*") == 0) {
+		/*
+		 * handle filesystem's special wildcard "-"
+		 */
+		result = create_path(zone, "-", NULL, (config_data_t *)dbdata,
+				     &path);
+	} else {
+		result = create_path(zone, name, NULL, (config_data_t *)dbdata,
+				     &path);
+	}
+
+	if (result != ISC_R_SUCCESS) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	/* remove path separator at end of path so stat works properly */
+	path[strlen(path) - 1] = '\0';
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ,
+		      ISC_LOG_DEBUG(1),
+		      "Filesystem driver lookup() Checking for path: '%s'\n",
+		      path);
+
+	if (stat(path, &sb) != 0) {
+		result = ISC_R_NOTFOUND;
+		goto complete_lkup;
+	}
+
+	if ((sb.st_mode & S_IFDIR) == 0) {
+		result = ISC_R_NOTFOUND;
+		goto complete_lkup;
+	}
+
+	/* initialize and open directory */
+	isc_dir_init(&dir);
+	result = isc_dir_open(&dir, path);
+
+	/* if directory open failed, return error. */
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "Unable to open %s directory to read entries.",
+			      path);
+		result = ISC_R_FAILURE;
+		goto complete_lkup;
+	}
+
+	/* process any records in the directory */
+	result = process_dir(&dir, lookup, (config_data_t *)dbdata, NULL, 0);
+
+	/* close the directory */
+	isc_dir_close(&dir);
+
+complete_lkup:
+
+	isc_mem_free(named_g_mctx, path);
+	return (result);
+}
+
+static isc_result_t
+fs_create(const char *dlzname, unsigned int argc, char *argv[], void *driverarg,
+	  void **dbdata) {
+	config_data_t *cd;
+	char *endp;
+	int len;
+	char pathsep;
+
+	UNUSED(driverarg);
+	UNUSED(dlzname);
+
+	/* we require 5 command line args. */
+	if (argc != 6) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "Filesystem driver requires "
+			      "6 command line args.");
+		return (ISC_R_FAILURE);
+	}
+
+	if (strlen(argv[5]) > 1) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "Filesystem driver can only "
+			      "accept a single character for separator.");
+		return (ISC_R_FAILURE);
+	}
+
+	/* verify base dir ends with '/' or '\' */
+	len = strlen(argv[1]);
+	if (argv[1][len - 1] != '\\' && argv[1][len - 1] != '/') {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "Base dir parameter for filesystem driver "
+			      "should end with %s",
+			      "either '/' or '\\' ");
+		return (ISC_R_FAILURE);
+	}
+
+	/* determine and save path separator for later */
+	if (argv[1][len - 1] == '\\') {
+		pathsep = '\\';
+	} else {
+		pathsep = '/';
+	}
+
+	/* allocate memory for our config data */
+	cd = isc_mem_get(named_g_mctx, sizeof(config_data_t));
+
+	/* zero the memory */
+	memset(cd, 0, sizeof(config_data_t));
+
+	cd->pathsep = pathsep;
+
+	/* get and store our base directory */
+	cd->basedir = isc_mem_strdup(named_g_mctx, argv[1]);
+	cd->basedirsize = strlen(cd->basedir);
+
+	/* get and store our data sub-dir */
+	cd->datadir = isc_mem_strdup(named_g_mctx, argv[2]);
+	cd->datadirsize = strlen(cd->datadir);
+
+	/* get and store our zone xfr sub-dir */
+	cd->xfrdir = isc_mem_strdup(named_g_mctx, argv[3]);
+	cd->xfrdirsize = strlen(cd->xfrdir);
+
+	/* get and store our directory split count */
+	cd->splitcnt = strtol(argv[4], &endp, 10);
+	if (*endp != '\0' || cd->splitcnt < 0) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "Directory split count must be zero (0) "
+			      "or a positive number");
+	}
+
+	/* get and store our separator character */
+	cd->separator = *argv[5];
+
+	/* attach config data to memory context */
+	isc_mem_attach(named_g_mctx, &cd->mctx);
+
+	/* pass back config data */
+	*dbdata = cd;
+
+	/* return success */
+	return (ISC_R_SUCCESS);
+}
+
+static void
+fs_destroy(void *driverarg, void *dbdata) {
+	isc_mem_t *mctx;
+	config_data_t *cd;
+
+	UNUSED(driverarg);
+
+	cd = (config_data_t *)dbdata;
+
+	/*
+	 * free memory for each section of config data that was
+	 * allocated
+	 */
+	if (cd->basedir != NULL) {
+		isc_mem_free(named_g_mctx, cd->basedir);
+	}
+
+	if (cd->datadir != NULL) {
+		isc_mem_free(named_g_mctx, cd->datadir);
+	}
+
+	if (cd->xfrdir != NULL) {
+		isc_mem_free(named_g_mctx, cd->xfrdir);
+	}
+
+	/* hold memory context to use later */
+	mctx = cd->mctx;
+
+	/* free config data memory */
+	isc_mem_putanddetach(&mctx, cd, sizeof(config_data_t));
+}
+
+static dns_sdlzmethods_t dlz_fs_methods = {
+	fs_create,
+	fs_destroy,
+	fs_findzone,
+	fs_lookup,
+	NULL,
+	fs_allnodes,
+	fs_allowzonexfr,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+};
+
+/*%
+ * Wrapper around dns_sdlzregister().
+ */
+isc_result_t
+dlz_fs_init(void) {
+	isc_result_t result;
+
+	/*
+	 * Write debugging message to log
+	 */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ,
+		      ISC_LOG_DEBUG(2), "Registering DLZ filesystem driver.");
+
+	result = dns_sdlzregister("filesystem", &dlz_fs_methods, NULL,
+				  DNS_SDLZFLAG_RELATIVEOWNER |
+					  DNS_SDLZFLAG_RELATIVERDATA,
+				  named_g_mctx, &dlz_fs);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "dns_sdlzregister() failed: %s",
+				 isc_result_totext(result));
+		result = ISC_R_UNEXPECTED;
+	}
+
+	return (result);
+}
+
+/*%
+ * Wrapper around dns_sdlzunregister().
+ */
+void
+dlz_fs_clear(void) {
+	/*
+	 * Write debugging message to log
+	 */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ,
+		      ISC_LOG_DEBUG(2), "Unregistering DLZ filesystem driver.");
+
+	if (dlz_fs != NULL) {
+		dns_sdlzunregister(&dlz_fs);
+	}
+}
+
+#endif /* ifdef DLZ_FILESYSTEM */
diff --git a/contrib/dlz/drivers/dlz_ldap_driver.c b/contrib/dlz/drivers/dlz_ldap_driver.c
new file mode 100644
index 0000000..072d285
--- /dev/null
+++ b/contrib/dlz/drivers/dlz_ldap_driver.c
@@ -0,0 +1,1216 @@
+/*
+ * Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) 1999-2001, 2016  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+#ifdef DLZ_LDAP
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/mem.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/log.h>
+#include <dns/result.h>
+#include <dns/sdlz.h>
+
+#include <dlz/dlz_ldap_driver.h>
+#include <dlz/sdlz_helper.h>
+#include <named/globals.h>
+
+/*
+ * Need older API functions from ldap.h.
+ */
+#define LDAP_DEPRECATED 1
+
+#include <ldap.h>
+
+#define SIMPLE "simple"
+#define KRB41  "krb41"
+#define KRB42  "krb42"
+#define V2     "v2"
+#define V3     "v3"
+
+static dns_sdlzimplementation_t *dlz_ldap = NULL;
+
+#define dbc_search_limit 30
+#define ALLNODES	 1
+#define ALLOWXFR	 2
+#define AUTHORITY	 3
+#define FINDZONE	 4
+#define LOOKUP		 5
+
+/*%
+ * Structure to hold everything needed by this "instance" of the LDAP
+ * driver remember, the driver code is only loaded once, but may have
+ * many separate instances.
+ */
+
+typedef struct {
+	db_list_t *db; /*%< handle to a list of DB */
+	int method;    /*%< security authentication method */
+	char *user;    /*%< who is authenticating */
+	char *cred;    /*%< password for simple authentication method */
+	int protocol;  /*%< LDAP communication protocol version */
+	char *hosts;   /*%< LDAP server hosts */
+} ldap_instance_t;
+
+/* forward references */
+
+static isc_result_t
+dlz_ldap_findzone(void *driverarg, void *dbdata, const char *name,
+		  dns_clientinfomethods_t *methods,
+		  dns_clientinfo_t *clientinfo);
+
+static void
+dlz_ldap_destroy(void *driverarg, void *dbdata);
+
+/*
+ * Private methods
+ */
+
+/*% checks that the LDAP URL parameters make sense */
+static isc_result_t
+dlz_ldap_checkURL(char *URL, int attrCnt, const char *msg) {
+	isc_result_t result = ISC_R_SUCCESS;
+	int ldap_result;
+	LDAPURLDesc *ldap_url = NULL;
+
+	if (!ldap_is_ldap_url(URL)) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "%s query is not a valid LDAP URL", msg);
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+
+	ldap_result = ldap_url_parse(URL, &ldap_url);
+	if (ldap_result != LDAP_SUCCESS || ldap_url == NULL) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "parsing %s query failed", msg);
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+
+	if (ldap_count_values(ldap_url->lud_attrs) < attrCnt) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "%s query must specify at least "
+			      "%d attributes to return",
+			      msg, attrCnt);
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+
+	if (ldap_url->lud_host != NULL) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "%s query must not specify a host", msg);
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+
+	if (ldap_url->lud_port != 389) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "%s query must not specify a port", msg);
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+
+	if (ldap_url->lud_dn == NULL || strlen(ldap_url->lud_dn) < 1) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "%s query must specify a search base", msg);
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+
+	if (ldap_url->lud_exts != NULL || ldap_url->lud_crit_exts != 0) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "%s uses extensions. "
+			      "The driver does not support LDAP extensions.",
+			      msg);
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+
+cleanup:
+	if (ldap_url != NULL) {
+		ldap_free_urldesc(ldap_url);
+	}
+
+	return (result);
+}
+
+/*% Connects / reconnects to LDAP server */
+static isc_result_t
+dlz_ldap_connect(ldap_instance_t *dbi, dbinstance_t *dbc) {
+	isc_result_t result;
+	int ldap_result;
+
+	/* if we have a connection, get ride of it. */
+	if (dbc->dbconn != NULL) {
+		ldap_unbind_s((LDAP *)dbc->dbconn);
+		dbc->dbconn = NULL;
+	}
+
+	/* now connect / reconnect. */
+
+	/* initialize. */
+	dbc->dbconn = ldap_init(dbi->hosts, LDAP_PORT);
+	if (dbc->dbconn == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	/* set protocol version. */
+	ldap_result = ldap_set_option((LDAP *)dbc->dbconn,
+				      LDAP_OPT_PROTOCOL_VERSION,
+				      &(dbi->protocol));
+	if (ldap_result != LDAP_SUCCESS) {
+		result = ISC_R_NOPERM;
+		goto cleanup;
+	}
+
+	/* "bind" to server.  i.e. send username / pass */
+	ldap_result = ldap_bind_s((LDAP *)dbc->dbconn, dbi->user, dbi->cred,
+				  dbi->method);
+	if (ldap_result != LDAP_SUCCESS) {
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+
+	return (ISC_R_SUCCESS);
+
+cleanup:
+
+	/* cleanup if failure. */
+	if (dbc->dbconn != NULL) {
+		ldap_unbind_s((LDAP *)dbc->dbconn);
+		dbc->dbconn = NULL;
+	}
+
+	return (result);
+}
+
+/*%
+ * Properly cleans up a list of database instances.
+ * This function is only used when the driver is compiled for
+ * multithreaded operation.
+ */
+static void
+ldap_destroy_dblist(db_list_t *dblist) {
+	dbinstance_t *ndbi = NULL;
+	dbinstance_t *dbi = NULL;
+
+	/* get the first DBI in the list */
+	ndbi = ISC_LIST_HEAD(*dblist);
+
+	/* loop through the list */
+	while (ndbi != NULL) {
+		dbi = ndbi;
+		/* get the next DBI in the list */
+		ndbi = ISC_LIST_NEXT(dbi, link);
+		/* release DB connection */
+		if (dbi->dbconn != NULL) {
+			ldap_unbind_s((LDAP *)dbi->dbconn);
+		}
+		/* release all memory that comprised a DBI */
+		destroy_sqldbinstance(dbi);
+	}
+	/* release memory for the list structure */
+	isc_mem_put(named_g_mctx, dblist, sizeof(db_list_t));
+}
+
+/*%
+ * Loops through the list of DB instances, attempting to lock
+ * on the mutex.  If successful, the DBI is reserved for use
+ * and the thread can perform queries against the database.
+ * If the lock fails, the next one in the list is tried.
+ * looping continues until a lock is obtained, or until
+ * the list has been searched dbc_search_limit times.
+ * This function is only used when the driver is compiled for
+ * multithreaded operation.
+ */
+static dbinstance_t *
+ldap_find_avail_conn(db_list_t *dblist) {
+	dbinstance_t *dbi = NULL;
+	dbinstance_t *head;
+	int count = 0;
+
+	/* get top of list */
+	head = dbi = ISC_LIST_HEAD(*dblist);
+
+	/* loop through list */
+	while (count < dbc_search_limit) {
+		/* try to lock on the mutex */
+		if (isc_mutex_trylock(&dbi->instance_lock) == ISC_R_SUCCESS) {
+			return (dbi); /* success, return the DBI for use. */
+		}
+		/* not successful, keep trying */
+		dbi = ISC_LIST_NEXT(dbi, link);
+
+		/* check to see if we have gone to the top of the list. */
+		if (dbi == NULL) {
+			count++;
+			dbi = head;
+		}
+	}
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ,
+		      ISC_LOG_INFO,
+		      "LDAP driver unable to find available connection "
+		      "after searching %d times",
+		      count);
+	return (NULL);
+}
+
+static isc_result_t
+ldap_process_results(LDAP *dbc, LDAPMessage *msg, char **attrs, void *ptr,
+		     bool allnodes) {
+	isc_result_t result = ISC_R_SUCCESS;
+	int i = 0;
+	int j;
+	int len;
+	char *attribute = NULL;
+	LDAPMessage *entry;
+	char *endp = NULL;
+	char *host = NULL;
+	char *type = NULL;
+	char *data = NULL;
+	char **vals = NULL;
+	int ttl;
+
+	/* make sure there are at least some attributes to process. */
+	REQUIRE(attrs != NULL || attrs[0] != NULL);
+
+	/* get the first entry to process */
+	entry = ldap_first_entry(dbc, msg);
+	if (entry == NULL) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_INFO,
+			      "LDAP no entries to process.");
+		return (ISC_R_FAILURE);
+	}
+
+	/* loop through all entries returned */
+	while (entry != NULL) {
+		/* reset for this loop */
+		ttl = 0;
+		len = 0;
+		i = 0;
+		attribute = attrs[i];
+
+		/* determine how much space we need for data string */
+		for (j = 0; attrs[j] != NULL; j++) {
+			/* get the list of values for this attribute. */
+			vals = ldap_get_values(dbc, entry, attrs[j]);
+			/* skip empty attributes. */
+			if (vals == NULL || ldap_count_values(vals) < 1) {
+				continue;
+			}
+			/*
+			 * we only use the first value.  this driver
+			 * does not support multi-valued attributes.
+			 */
+			len = len + strlen(vals[0]) + 1;
+			/* free vals for next loop */
+			ldap_value_free(vals);
+		} /* end for (j = 0; attrs[j] != NULL, j++) loop */
+
+		/* allocate memory for data string */
+		data = isc_mem_allocate(named_g_mctx, len + 1);
+
+		/*
+		 * Make sure data is null termed at the beginning so
+		 * we can check if any data was stored to it later.
+		 */
+		data[0] = '\0';
+
+		/* reset j to re-use below */
+		j = 0;
+
+		/* loop through the attributes in the order specified. */
+		while (attribute != NULL) {
+			/* get the list of values for this attribute. */
+			vals = ldap_get_values(dbc, entry, attribute);
+
+			/* skip empty attributes. */
+			if (vals == NULL || vals[0] == NULL) {
+				/* increment attribute pointer */
+				attribute = attrs[++i];
+				/* start loop over */
+				continue;
+			}
+
+			/*
+			 * j initially = 0.  Increment j each time we
+			 * set a field that way next loop will set
+			 * next field.
+			 */
+			switch (j) {
+			case 0:
+				j++;
+				/*
+				 * convert text to int, make sure it
+				 * worked right
+				 */
+				ttl = strtol(vals[0], &endp, 10);
+				if (*endp != '\0' || ttl < 0) {
+					isc_log_write(dns_lctx,
+						      DNS_LOGCATEGORY_DATABASE,
+						      DNS_LOGMODULE_DLZ,
+						      ISC_LOG_ERROR,
+						      "LDAP driver ttl must "
+						      "be a positive number");
+					goto cleanup;
+				}
+				break;
+			case 1:
+				j++;
+				type = isc_mem_strdup(named_g_mctx, vals[0]);
+				break;
+			case 2:
+				j++;
+				if (allnodes) {
+					host = isc_mem_strdup(named_g_mctx,
+							      vals[0]);
+				} else {
+					strcpy(data, vals[0]);
+				}
+				break;
+			case 3:
+				j++;
+				if (allnodes) {
+					strcpy(data, vals[0]);
+				} else {
+					strcat(data, " ");
+					strcat(data, vals[0]);
+				}
+				break;
+			default:
+				strcat(data, " ");
+				strcat(data, vals[0]);
+				break;
+			} /* end switch(j) */
+
+			/* free values */
+			ldap_value_free(vals);
+			vals = NULL;
+
+			/* increment attribute pointer */
+			attribute = attrs[++i];
+		} /* end while (attribute != NULL) */
+
+		if (type == NULL) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+				      "LDAP driver unable "
+				      "to retrieve DNS type");
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+
+		if (strlen(data) < 1) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+				      "LDAP driver unable "
+				      "to retrieve DNS data");
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+
+		if (allnodes && host != NULL) {
+			if (strcasecmp(host, "~") == 0) {
+				result = dns_sdlz_putnamedrr(
+					(dns_sdlzallnodes_t *)ptr, "*", type,
+					ttl, data);
+			} else {
+				result = dns_sdlz_putnamedrr(
+					(dns_sdlzallnodes_t *)ptr, host, type,
+					ttl, data);
+			}
+			if (result != ISC_R_SUCCESS) {
+				isc_log_write(dns_lctx,
+					      DNS_LOGCATEGORY_DATABASE,
+					      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+					      "dlz-ldap: putnamedrr failed "
+					      "for \"%s %s %u %s\", %s",
+					      host, type, ttl, data,
+					      isc_result_totext(result));
+			}
+		} else {
+			result = dns_sdlz_putrr((dns_sdlzlookup_t *)ptr, type,
+						ttl, data);
+			if (result != ISC_R_SUCCESS) {
+				isc_log_write(dns_lctx,
+					      DNS_LOGCATEGORY_DATABASE,
+					      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+					      "dlz-ldap: putrr failed "
+					      "for \"%s %u %s\", %s",
+					      type, ttl, data,
+					      isc_result_totext(result));
+			}
+		}
+
+		if (result != ISC_R_SUCCESS) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+				      "LDAP driver failed "
+				      "while sending data to BIND.");
+			goto cleanup;
+		}
+
+		/* free memory for type, data and host for next loop */
+		isc_mem_free(named_g_mctx, type);
+		isc_mem_free(named_g_mctx, data);
+		if (host != NULL) {
+			isc_mem_free(named_g_mctx, host);
+		}
+
+		/* get the next entry to process */
+		entry = ldap_next_entry(dbc, entry);
+	} /* end while (entry != NULL) */
+
+cleanup:
+	/* de-allocate memory */
+	if (vals != NULL) {
+		ldap_value_free(vals);
+	}
+	if (host != NULL) {
+		isc_mem_free(named_g_mctx, host);
+	}
+	if (type != NULL) {
+		isc_mem_free(named_g_mctx, type);
+	}
+	if (data != NULL) {
+		isc_mem_free(named_g_mctx, data);
+	}
+
+	return (result);
+}
+
+/*%
+ * This function is the real core of the driver.   Zone, record
+ * and client strings are passed in (or NULL is passed if the
+ * string is not available).  The type of query we want to run
+ * is indicated by the query flag, and the dbdata object is passed
+ * passed in to.  dbdata really holds either:
+ *		1) a list of database instances (in multithreaded mode) OR
+ *		2) a single database instance (in single threaded mode)
+ * The function will construct the query and obtain an available
+ * database instance (DBI).  It will then run the query and hopefully
+ * obtain a result set.
+ */
+static isc_result_t
+ldap_get_results(const char *zone, const char *record, const char *client,
+		 unsigned int query, void *dbdata, void *ptr) {
+	isc_result_t result;
+	dbinstance_t *dbi = NULL;
+	char *querystring = NULL;
+	LDAPURLDesc *ldap_url = NULL;
+	int ldap_result = 0;
+	LDAPMessage *ldap_msg = NULL;
+	int i;
+	int entries;
+
+	/* get db instance / connection */
+	/* find an available DBI from the list */
+	dbi = ldap_find_avail_conn(
+		(db_list_t *)((ldap_instance_t *)dbdata)->db);
+
+	/* if DBI is null, can't do anything else */
+	if (dbi == NULL) {
+		return (ISC_R_FAILURE);
+	}
+
+	/* set fields */
+	if (zone != NULL) {
+		dbi->zone = isc_mem_strdup(named_g_mctx, zone);
+	} else {
+		dbi->zone = NULL;
+	}
+	if (record != NULL) {
+		dbi->record = isc_mem_strdup(named_g_mctx, record);
+	} else {
+		dbi->record = NULL;
+	}
+	if (client != NULL) {
+		dbi->client = isc_mem_strdup(named_g_mctx, client);
+	} else {
+		dbi->client = NULL;
+	}
+
+	/* what type of query are we going to run? */
+	switch (query) {
+	case ALLNODES:
+		/*
+		 * if the query was not passed in from the config file
+		 * then we can't run it.  return not_implemented, so
+		 * it's like the code for that operation was never
+		 * built into the driver.... AHHH flexibility!!!
+		 */
+		if (dbi->allnodes_q == NULL) {
+			result = ISC_R_NOTIMPLEMENTED;
+			goto cleanup;
+		} else {
+			querystring = build_querystring(named_g_mctx,
+							dbi->allnodes_q);
+		}
+		break;
+	case ALLOWXFR:
+		/* same as comments as ALLNODES */
+		if (dbi->allowxfr_q == NULL) {
+			result = ISC_R_NOTIMPLEMENTED;
+			goto cleanup;
+		} else {
+			querystring = build_querystring(named_g_mctx,
+							dbi->allowxfr_q);
+		}
+		break;
+	case AUTHORITY:
+		/* same as comments as ALLNODES */
+		if (dbi->authority_q == NULL) {
+			result = ISC_R_NOTIMPLEMENTED;
+			goto cleanup;
+		} else {
+			querystring = build_querystring(named_g_mctx,
+							dbi->authority_q);
+		}
+		break;
+	case FINDZONE:
+		/* this is required.  It's the whole point of DLZ! */
+		if (dbi->findzone_q == NULL) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(2),
+				      "No query specified for findzone.  "
+				      "Findzone requires a query");
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		} else {
+			querystring = build_querystring(named_g_mctx,
+							dbi->findzone_q);
+		}
+		break;
+	case LOOKUP:
+		/* this is required.  It's also a major point of DLZ! */
+		if (dbi->lookup_q == NULL) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(2),
+				      "No query specified for lookup.  "
+				      "Lookup requires a query");
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		} else {
+			querystring = build_querystring(named_g_mctx,
+							dbi->lookup_q);
+		}
+		break;
+	default:
+		/*
+		 * this should never happen.  If it does, the code is
+		 * screwed up!
+		 */
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "Incorrect query flag passed to "
+				 "ldap_get_results");
+		result = ISC_R_UNEXPECTED;
+		goto cleanup;
+	}
+
+	/* if the querystring is null, Bummer, outta RAM.  UPGRADE TIME!!!   */
+	if (querystring == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+
+	/*
+	 * output the full query string during debug so we can see
+	 * what lame error the query has.
+	 */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ,
+		      ISC_LOG_DEBUG(1), "\nQuery String: %s\n", querystring);
+
+	/* break URL down into it's component parts, if error cleanup */
+	ldap_result = ldap_url_parse(querystring, &ldap_url);
+	if (ldap_result != LDAP_SUCCESS || ldap_url == NULL) {
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+
+	for (i = 0; i < 3; i++) {
+		/*
+		 * dbi->dbconn may be null if trying to reconnect on a
+		 * previous query failed.
+		 */
+		if (dbi->dbconn == NULL) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_INFO,
+				      "LDAP driver attempting to re-connect");
+
+			result = dlz_ldap_connect((ldap_instance_t *)dbdata,
+						  dbi);
+			if (result != ISC_R_SUCCESS) {
+				result = ISC_R_FAILURE;
+				continue;
+			}
+		}
+
+		/* perform ldap search synchronously */
+		ldap_result =
+			ldap_search_s((LDAP *)dbi->dbconn, ldap_url->lud_dn,
+				      ldap_url->lud_scope, ldap_url->lud_filter,
+				      ldap_url->lud_attrs, 0, &ldap_msg);
+
+		/*
+		 * check return code.  No such object is ok, just
+		 * didn't find what we wanted
+		 */
+		switch (ldap_result) {
+		case LDAP_NO_SUCH_OBJECT:
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(1),
+				      "No object found matching "
+				      "query requirements");
+			result = ISC_R_NOTFOUND;
+			goto cleanup;
+			break;
+		case LDAP_SUCCESS: /* on success do nothing */
+			result = ISC_R_SUCCESS;
+			i = 3;
+			break;
+		case LDAP_SERVER_DOWN:
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_INFO,
+				      "LDAP driver attempting to re-connect");
+			result = dlz_ldap_connect((ldap_instance_t *)dbdata,
+						  dbi);
+			if (result != ISC_R_SUCCESS) {
+				result = ISC_R_FAILURE;
+			}
+			break;
+		default:
+			/*
+			 * other errors not ok.  Log error message and
+			 * get out
+			 */
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+				      "LDAP error: %s",
+				      ldap_err2string(ldap_result));
+			result = ISC_R_FAILURE;
+			goto cleanup;
+			break;
+		} /* close switch(ldap_result) */
+	}	  /* end for (int i = 0 i < 3; i++) */
+
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	switch (query) {
+	case ALLNODES:
+		result = ldap_process_results((LDAP *)dbi->dbconn, ldap_msg,
+					      ldap_url->lud_attrs, ptr, true);
+		break;
+	case AUTHORITY:
+	case LOOKUP:
+		result = ldap_process_results((LDAP *)dbi->dbconn, ldap_msg,
+					      ldap_url->lud_attrs, ptr, false);
+		break;
+	case ALLOWXFR:
+		entries = ldap_count_entries((LDAP *)dbi->dbconn, ldap_msg);
+		if (entries == 0) {
+			result = ISC_R_NOPERM;
+		} else if (entries > 0) {
+			result = ISC_R_SUCCESS;
+		} else {
+			result = ISC_R_FAILURE;
+		}
+		break;
+	case FINDZONE:
+		entries = ldap_count_entries((LDAP *)dbi->dbconn, ldap_msg);
+		if (entries == 0) {
+			result = ISC_R_NOTFOUND;
+		} else if (entries > 0) {
+			result = ISC_R_SUCCESS;
+		} else {
+			result = ISC_R_FAILURE;
+		}
+		break;
+	default:
+		/*
+		 * this should never happen.  If it does, the code is
+		 * screwed up!
+		 */
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "Incorrect query flag passed to "
+				 "ldap_get_results");
+		result = ISC_R_UNEXPECTED;
+	}
+
+cleanup:
+	/* it's always good to cleanup after yourself */
+
+	/* if we retrieved results, free them */
+	if (ldap_msg != NULL) {
+		ldap_msgfree(ldap_msg);
+	}
+
+	if (ldap_url != NULL) {
+		ldap_free_urldesc(ldap_url);
+	}
+
+	/* cleanup */
+	if (dbi->zone != NULL) {
+		isc_mem_free(named_g_mctx, dbi->zone);
+	}
+	if (dbi->record != NULL) {
+		isc_mem_free(named_g_mctx, dbi->record);
+	}
+	if (dbi->client != NULL) {
+		isc_mem_free(named_g_mctx, dbi->client);
+	}
+
+	/* release the lock so another thread can use this dbi */
+	isc_mutex_unlock(&dbi->instance_lock);
+
+	/* release query string */
+	if (querystring != NULL) {
+		isc_mem_free(named_g_mctx, querystring);
+	}
+
+	/* return result */
+	return (result);
+}
+
+/*
+ * DLZ methods
+ */
+static isc_result_t
+dlz_ldap_allowzonexfr(void *driverarg, void *dbdata, const char *name,
+		      const char *client) {
+	isc_result_t result;
+
+	UNUSED(driverarg);
+
+	/* check to see if we are authoritative for the zone first */
+	result = dlz_ldap_findzone(driverarg, dbdata, name, NULL, NULL);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	/* get all the zone data */
+	result = ldap_get_results(name, NULL, client, ALLOWXFR, dbdata, NULL);
+	return (result);
+}
+
+static isc_result_t
+dlz_ldap_allnodes(const char *zone, void *driverarg, void *dbdata,
+		  dns_sdlzallnodes_t *allnodes) {
+	UNUSED(driverarg);
+	return (ldap_get_results(zone, NULL, NULL, ALLNODES, dbdata, allnodes));
+}
+
+static isc_result_t
+dlz_ldap_authority(const char *zone, void *driverarg, void *dbdata,
+		   dns_sdlzlookup_t *lookup) {
+	UNUSED(driverarg);
+	return (ldap_get_results(zone, NULL, NULL, AUTHORITY, dbdata, lookup));
+}
+
+static isc_result_t
+dlz_ldap_findzone(void *driverarg, void *dbdata, const char *name,
+		  dns_clientinfomethods_t *methods,
+		  dns_clientinfo_t *clientinfo) {
+	UNUSED(driverarg);
+	UNUSED(methods);
+	UNUSED(clientinfo);
+	return (ldap_get_results(name, NULL, NULL, FINDZONE, dbdata, NULL));
+}
+
+static isc_result_t
+dlz_ldap_lookup(const char *zone, const char *name, void *driverarg,
+		void *dbdata, dns_sdlzlookup_t *lookup,
+		dns_clientinfomethods_t *methods,
+		dns_clientinfo_t *clientinfo) {
+	isc_result_t result;
+
+	UNUSED(driverarg);
+	UNUSED(methods);
+	UNUSED(clientinfo);
+
+	if (strcmp(name, "*") == 0) {
+		result = ldap_get_results(zone, "~", NULL, LOOKUP, dbdata,
+					  lookup);
+	} else {
+		result = ldap_get_results(zone, name, NULL, LOOKUP, dbdata,
+					  lookup);
+	}
+	return (result);
+}
+
+static isc_result_t
+dlz_ldap_create(const char *dlzname, unsigned int argc, char *argv[],
+		void *driverarg, void **dbdata) {
+	isc_result_t result;
+	ldap_instance_t *ldap_inst = NULL;
+	dbinstance_t *dbi = NULL;
+	int protocol;
+	int method;
+	int dbcount;
+	char *endp;
+	/* db_list_t *dblist = NULL; */
+	int i;
+
+	UNUSED(dlzname);
+	UNUSED(driverarg);
+
+	/* if debugging, let user know we are multithreaded. */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ,
+		      ISC_LOG_DEBUG(1), "LDAP driver running multithreaded");
+
+	if (argc < 9) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "LDAP driver requires at least "
+			      "8 command line args.");
+		return (ISC_R_FAILURE);
+	}
+
+	/* no more than 13 arg's should be passed to the driver */
+	if (argc > 12) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "LDAP driver cannot accept more than "
+			      "11 command line args.");
+		return (ISC_R_FAILURE);
+	}
+
+	/* determine protocol version. */
+	if (strncasecmp(argv[2], V2, strlen(V2)) == 0) {
+		protocol = 2;
+	} else if (strncasecmp(argv[2], V3, strlen(V3)) == 0) {
+		protocol = 3;
+	} else {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "LDAP driver protocol must be either %s or %s",
+			      V2, V3);
+		return (ISC_R_FAILURE);
+	}
+
+	/* determine connection method. */
+	if (strncasecmp(argv[3], SIMPLE, strlen(SIMPLE)) == 0) {
+		method = LDAP_AUTH_SIMPLE;
+	} else if (strncasecmp(argv[3], KRB41, strlen(KRB41)) == 0) {
+		method = LDAP_AUTH_KRBV41;
+	} else if (strncasecmp(argv[3], KRB42, strlen(KRB42)) == 0) {
+		method = LDAP_AUTH_KRBV42;
+	} else {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "LDAP driver authentication method must be "
+			      "one of %s, %s or %s",
+			      SIMPLE, KRB41, KRB42);
+		return (ISC_R_FAILURE);
+	}
+
+	/* check how many db connections we should create */
+	dbcount = strtol(argv[1], &endp, 10);
+	if (*endp != '\0' || dbcount < 0) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "LDAP driver database connection count "
+			      "must be positive.");
+		return (ISC_R_FAILURE);
+	}
+
+	/* check that LDAP URL parameters make sense */
+	switch (argc) {
+	case 12:
+		result = dlz_ldap_checkURL(argv[11], 0, "allow zone transfer");
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		FALLTHROUGH;
+	case 11:
+		result = dlz_ldap_checkURL(argv[10], 3, "all nodes");
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		FALLTHROUGH;
+	case 10:
+		if (strlen(argv[9]) > 0) {
+			result = dlz_ldap_checkURL(argv[9], 3, "authority");
+			if (result != ISC_R_SUCCESS) {
+				return (result);
+			}
+		}
+		FALLTHROUGH;
+	case 9:
+		result = dlz_ldap_checkURL(argv[8], 3, "lookup");
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		result = dlz_ldap_checkURL(argv[7], 0, "find zone");
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		break;
+	default:
+		/* not really needed, should shut up compiler. */
+		result = ISC_R_FAILURE;
+	}
+
+	/* allocate memory for LDAP instance */
+	ldap_inst = isc_mem_get(named_g_mctx, sizeof(ldap_instance_t));
+	memset(ldap_inst, 0, sizeof(ldap_instance_t));
+
+	/* store info needed to automatically re-connect. */
+	ldap_inst->protocol = protocol;
+	ldap_inst->method = method;
+	ldap_inst->hosts = isc_mem_strdup(named_g_mctx, argv[6]);
+	ldap_inst->user = isc_mem_strdup(named_g_mctx, argv[4]);
+	ldap_inst->cred = isc_mem_strdup(named_g_mctx, argv[5]);
+
+	/* allocate memory for database connection list */
+	ldap_inst->db = isc_mem_get(named_g_mctx, sizeof(db_list_t));
+
+	/* initialize DB connection list */
+	ISC_LIST_INIT(*(ldap_inst->db));
+
+	/*
+	 * create the appropriate number of database instances (DBI)
+	 * append each new DBI to the end of the list
+	 */
+	for (i = 0; i < dbcount; i++) {
+		/* how many queries were passed in from config file? */
+		switch (argc) {
+		case 9:
+			result = build_sqldbinstance(named_g_mctx, NULL, NULL,
+						     NULL, argv[7], argv[8],
+						     NULL, &dbi);
+			break;
+		case 10:
+			result = build_sqldbinstance(named_g_mctx, NULL, NULL,
+						     argv[9], argv[7], argv[8],
+						     NULL, &dbi);
+			break;
+		case 11:
+			result = build_sqldbinstance(named_g_mctx, argv[10],
+						     NULL, argv[9], argv[7],
+						     argv[8], NULL, &dbi);
+			break;
+		case 12:
+			result = build_sqldbinstance(named_g_mctx, argv[10],
+						     argv[11], argv[9], argv[7],
+						     argv[8], NULL, &dbi);
+			break;
+		default:
+			/* not really needed, should shut up compiler. */
+			result = ISC_R_FAILURE;
+		}
+
+		if (result == ISC_R_SUCCESS) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(2),
+				      "LDAP driver created "
+				      "database instance object.");
+		} else { /* unsuccessful?, log err msg and cleanup. */
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+				      "LDAP driver could not create "
+				      "database instance object.");
+			goto cleanup;
+		}
+
+		ISC_LINK_INIT(dbi, link);
+		ISC_LIST_APPEND(*(ldap_inst->db), dbi, link);
+
+		/* attempt to connect */
+		result = dlz_ldap_connect(ldap_inst, dbi);
+
+		/*
+		 * if db connection cannot be created, log err msg and
+		 * cleanup.
+		 */
+		switch (result) {
+		/* success, do nothing */
+		case ISC_R_SUCCESS:
+			break;
+		/*
+		 * no memory means ldap_init could not
+		 * allocate memory
+		 */
+		case ISC_R_NOMEMORY:
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+				      "LDAP driver could not allocate memory "
+				      "for connection number %u",
+				      i + 1);
+			goto cleanup;
+			break;
+		/*
+		 * no perm means ldap_set_option could not set
+		 * protocol version
+		 */
+		case ISC_R_NOPERM:
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+				      "LDAP driver could not "
+				      "set protocol version.");
+			result = ISC_R_FAILURE;
+			goto cleanup;
+			break;
+		/* failure means couldn't connect to ldap server */
+		case ISC_R_FAILURE:
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+				      "LDAP driver could not "
+				      "bind connection number %u to server.",
+				      i + 1);
+			goto cleanup;
+			break;
+		/*
+		 * default should never happen.  If it does,
+		 * major errors.
+		 */
+		default:
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "dlz_ldap_create() failed: %s",
+					 isc_result_totext(result));
+			result = ISC_R_UNEXPECTED;
+			goto cleanup;
+			break;
+		} /* end switch(result) */
+
+		/* set DBI = null for next loop through. */
+		dbi = NULL;
+	} /* end for loop */
+
+	/* set dbdata to the ldap_instance we created. */
+	*dbdata = ldap_inst;
+
+	/* hey, we got through all of that ok, return success. */
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	dlz_ldap_destroy(NULL, ldap_inst);
+
+	return (ISC_R_FAILURE);
+}
+
+void
+dlz_ldap_destroy(void *driverarg, void *dbdata) {
+	UNUSED(driverarg);
+
+	if (dbdata != NULL) {
+		/* cleanup the list of DBI's */
+		ldap_destroy_dblist(
+			(db_list_t *)((ldap_instance_t *)dbdata)->db);
+
+		if (((ldap_instance_t *)dbdata)->hosts != NULL) {
+			isc_mem_free(named_g_mctx,
+				     ((ldap_instance_t *)dbdata)->hosts);
+		}
+
+		if (((ldap_instance_t *)dbdata)->user != NULL) {
+			isc_mem_free(named_g_mctx,
+				     ((ldap_instance_t *)dbdata)->user);
+		}
+
+		if (((ldap_instance_t *)dbdata)->cred != NULL) {
+			isc_mem_free(named_g_mctx,
+				     ((ldap_instance_t *)dbdata)->cred);
+		}
+
+		isc_mem_put(named_g_mctx, dbdata, sizeof(ldap_instance_t));
+	}
+}
+
+static dns_sdlzmethods_t dlz_ldap_methods = {
+	dlz_ldap_create,
+	dlz_ldap_destroy,
+	dlz_ldap_findzone,
+	dlz_ldap_lookup,
+	dlz_ldap_authority,
+	dlz_ldap_allnodes,
+	dlz_ldap_allowzonexfr,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+};
+
+/*%
+ * Wrapper around dns_sdlzregister().
+ */
+isc_result_t
+dlz_ldap_init(void) {
+	isc_result_t result;
+
+	/*
+	 * Write debugging message to log
+	 */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ,
+		      ISC_LOG_DEBUG(2), "Registering DLZ ldap driver.");
+
+	result = dns_sdlzregister("ldap", &dlz_ldap_methods, NULL,
+				  DNS_SDLZFLAG_RELATIVEOWNER |
+					  DNS_SDLZFLAG_RELATIVERDATA,
+				  named_g_mctx, &dlz_ldap);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "dns_sdlzregister() failed: %s",
+				 isc_result_totext(result));
+		result = ISC_R_UNEXPECTED;
+	}
+
+	return (result);
+}
+
+/*%
+ * Wrapper around dns_sdlzunregister().
+ */
+void
+dlz_ldap_clear(void) {
+	/*
+	 * Write debugging message to log
+	 */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ,
+		      ISC_LOG_DEBUG(2), "Unregistering DLZ ldap driver.");
+
+	if (dlz_ldap != NULL) {
+		dns_sdlzunregister(&dlz_ldap);
+	}
+}
+
+#endif /* ifdef DLZ_LDAP */
diff --git a/contrib/dlz/drivers/dlz_mysql_driver.c b/contrib/dlz/drivers/dlz_mysql_driver.c
new file mode 100644
index 0000000..35c3fd9
--- /dev/null
+++ b/contrib/dlz/drivers/dlz_mysql_driver.c
@@ -0,0 +1,1037 @@
+/*
+ * Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) 1999-2001, 2016  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+#ifdef DLZ_MYSQL
+#include <mysql.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/mem.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/log.h>
+#include <dns/result.h>
+#include <dns/sdlz.h>
+
+#include <dlz/dlz_mysql_driver.h>
+#include <dlz/sdlz_helper.h>
+#include <named/globals.h>
+
+#if !defined(MARIADB_BASE_VERSION) && MYSQL_VERSION_ID >= 80000
+typedef bool my_bool;
+#endif /* !defined(MARIADB_BASE_VERSION) && MYSQL_VERSION_ID >= 80000 */
+
+static dns_sdlzimplementation_t *dlz_mysql = NULL;
+
+#define dbc_search_limit 30
+#define ALLNODES	 1
+#define ALLOWXFR	 2
+#define AUTHORITY	 3
+#define FINDZONE	 4
+#define COUNTZONE	 5
+#define LOOKUP		 6
+
+#define safeGet(in) in == NULL ? "" : in
+
+/*
+ * Private methods
+ */
+
+/*%
+ * Allocates memory for a new string, and then constructs the new
+ * string by "escaping" the input string.  The new string is
+ * safe to be used in queries.  This is necessary because we cannot
+ * be sure of what types of strings are passed to us, and we don't
+ * want special characters in the string causing problems.
+ */
+
+static char *
+mysqldrv_escape_string(MYSQL *mysql, const char *instr) {
+	char *outstr;
+	unsigned int len;
+
+	if (instr == NULL) {
+		return (NULL);
+	}
+
+	len = strlen(instr);
+
+	outstr = isc_mem_allocate(named_g_mctx, (2 * len * sizeof(char)) + 1);
+
+	mysql_real_escape_string(mysql, outstr, instr, len);
+
+	return (outstr);
+}
+
+/*%
+ * This function is the real core of the driver.   Zone, record
+ * and client strings are passed in (or NULL is passed if the
+ * string is not available).  The type of query we want to run
+ * is indicated by the query flag, and the dbdata object is passed
+ * passed in to.  dbdata really holds a single database instance.
+ * The function will construct and run the query, hopefully getting
+ * a result set.
+ */
+
+static isc_result_t
+mysql_get_resultset(const char *zone, const char *record, const char *client,
+		    unsigned int query, void *dbdata, MYSQL_RES **rs) {
+	isc_result_t result;
+	dbinstance_t *dbi = NULL;
+	char *querystring = NULL;
+	unsigned int i = 0;
+	unsigned int j = 0;
+	int qres = 0;
+
+	if (query != COUNTZONE) {
+		REQUIRE(*rs == NULL);
+	} else {
+		REQUIRE(rs == NULL);
+	}
+
+	/* get db instance / connection */
+	dbi = (dbinstance_t *)dbdata;
+
+	/* if DBI is null, can't do anything else */
+	if (dbi == NULL) {
+		return (ISC_R_FAILURE);
+	}
+
+	/* what type of query are we going to run? */
+	switch (query) {
+	case ALLNODES:
+		/*
+		 * if the query was not passed in from the config file
+		 * then we can't run it.  return not_implemented, so
+		 * it's like the code for that operation was never
+		 * built into the driver.... AHHH flexibility!!!
+		 */
+		if (dbi->allnodes_q == NULL) {
+			result = ISC_R_NOTIMPLEMENTED;
+			goto cleanup;
+		}
+		break;
+	case ALLOWXFR:
+		/* same as comments as ALLNODES */
+		if (dbi->allowxfr_q == NULL) {
+			result = ISC_R_NOTIMPLEMENTED;
+			goto cleanup;
+		}
+		break;
+	case AUTHORITY:
+		/* same as comments as ALLNODES */
+		if (dbi->authority_q == NULL) {
+			result = ISC_R_NOTIMPLEMENTED;
+			goto cleanup;
+		}
+		break;
+	case FINDZONE:
+		/* this is required.  It's the whole point of DLZ! */
+		if (dbi->findzone_q == NULL) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(2),
+				      "No query specified for findzone.  "
+				      "Findzone requires a query");
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+		break;
+	case COUNTZONE:
+		/* same as comments as ALLNODES */
+		if (dbi->countzone_q == NULL) {
+			result = ISC_R_NOTIMPLEMENTED;
+			goto cleanup;
+		}
+		break;
+	case LOOKUP:
+		/* this is required.  It's also a major point of DLZ! */
+		if (dbi->lookup_q == NULL) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(2),
+				      "No query specified for lookup.  "
+				      "Lookup requires a query");
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+		break;
+	default:
+		/*
+		 * this should never happen.  If it does, the code is
+		 * screwed up!
+		 */
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "Incorrect query flag passed to "
+				 "mysql_get_resultset");
+		result = ISC_R_UNEXPECTED;
+		goto cleanup;
+	}
+
+	/*
+	 * was a zone string passed?  If so, make it safe for use in
+	 * queries.
+	 */
+	if (zone != NULL) {
+		dbi->zone = mysqldrv_escape_string((MYSQL *)dbi->dbconn, zone);
+		if (dbi->zone == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+	} else { /* no string passed, set the string pointer to NULL */
+		dbi->zone = NULL;
+	}
+
+	/*
+	 * was a record string passed?  If so, make it safe for use in
+	 * queries.
+	 */
+	if (record != NULL) {
+		dbi->record = mysqldrv_escape_string((MYSQL *)dbi->dbconn,
+						     record);
+		if (dbi->record == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+	} else { /* no string passed, set the string pointer to NULL */
+		dbi->record = NULL;
+	}
+
+	/*
+	 * was a client string passed?  If so, make it safe for use in
+	 * queries.
+	 */
+	if (client != NULL) {
+		dbi->client = mysqldrv_escape_string((MYSQL *)dbi->dbconn,
+						     client);
+		if (dbi->client == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+	} else { /* no string passed, set the string pointer to NULL */
+		dbi->client = NULL;
+	}
+
+	/*
+	 * what type of query are we going to run?  this time we build
+	 * the actual query to run.
+	 */
+	switch (query) {
+	case ALLNODES:
+		querystring = build_querystring(named_g_mctx, dbi->allnodes_q);
+		break;
+	case ALLOWXFR:
+		querystring = build_querystring(named_g_mctx, dbi->allowxfr_q);
+		break;
+	case AUTHORITY:
+		querystring = build_querystring(named_g_mctx, dbi->authority_q);
+		break;
+	case FINDZONE:
+		querystring = build_querystring(named_g_mctx, dbi->findzone_q);
+		break;
+	case COUNTZONE:
+		querystring = build_querystring(named_g_mctx, dbi->countzone_q);
+		break;
+	case LOOKUP:
+		querystring = build_querystring(named_g_mctx, dbi->lookup_q);
+		break;
+	default:
+		/*
+		 * this should never happen.  If it does, the code is
+		 * screwed up!
+		 */
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "Incorrect query flag passed to "
+				 "mysql_get_resultset");
+		result = ISC_R_UNEXPECTED;
+		goto cleanup;
+	}
+
+	/* if the querystring is null, Bummer, outta RAM.  UPGRADE TIME!!!   */
+	if (querystring == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+
+	/*
+	 * output the full query string during debug so we can see
+	 * what lame error the query has.
+	 */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ,
+		      ISC_LOG_DEBUG(1), "\nQuery String: %s\n", querystring);
+
+	/* attempt query up to 3 times. */
+	for (i = 0; i < 3; i++) {
+		qres = mysql_query((MYSQL *)dbi->dbconn, querystring);
+		if (qres == 0) {
+			break;
+		}
+		for (j = 0; mysql_ping((MYSQL *)dbi->dbconn) != 0 && j < 4; j++)
+		{
+			;
+		}
+	}
+
+	if (qres == 0) {
+		result = ISC_R_SUCCESS;
+		if (query != COUNTZONE) {
+			*rs = mysql_store_result((MYSQL *)dbi->dbconn);
+			if (*rs == NULL) {
+				result = ISC_R_FAILURE;
+			}
+		}
+	} else {
+		result = ISC_R_FAILURE;
+	}
+
+cleanup:
+	/* it's always good to cleanup after yourself */
+
+	/* free dbi->zone string */
+	if (dbi->zone != NULL) {
+		isc_mem_free(named_g_mctx, dbi->zone);
+	}
+
+	/* free dbi->record string */
+	if (dbi->record != NULL) {
+		isc_mem_free(named_g_mctx, dbi->record);
+	}
+
+	/* free dbi->client string */
+	if (dbi->client != NULL) {
+		isc_mem_free(named_g_mctx, dbi->client);
+	}
+
+	/* release query string */
+	if (querystring != NULL) {
+		isc_mem_free(named_g_mctx, querystring);
+	}
+
+	/* return result */
+	return (result);
+}
+
+/*%
+ * The processing of result sets for lookup and authority are
+ * exactly the same.  So that functionality has been moved
+ * into this function to minimize code.
+ */
+
+static isc_result_t
+mysql_process_rs(dns_sdlzlookup_t *lookup, MYSQL_RES *rs) {
+	isc_result_t result = ISC_R_NOTFOUND;
+	MYSQL_ROW row;
+	unsigned int fields;
+	unsigned int j;
+	unsigned int len;
+	char *tmpString;
+	char *endp;
+	int ttl;
+
+	row = mysql_fetch_row(rs);     /* get a row from the result set */
+	fields = mysql_num_fields(rs); /* how many columns in result set */
+	while (row != NULL) {
+		switch (fields) {
+		case 1:
+			/*
+			 * one column in rs, it's the data field.  use
+			 * default type of A record, and default TTL
+			 * of 86400
+			 */
+			result = dns_sdlz_putrr(lookup, "a", 86400,
+						safeGet(row[0]));
+			break;
+		case 2:
+			/*
+			 * two columns, data field, and data type.
+			 * use default TTL of 86400.
+			 */
+			result = dns_sdlz_putrr(lookup, safeGet(row[0]), 86400,
+						safeGet(row[1]));
+			break;
+		case 3:
+			/*
+			 * three columns, all data no defaults.
+			 * convert text to int, make sure it worked
+			 * right.
+			 */
+			ttl = strtol(safeGet(row[0]), &endp, 10);
+			if (*endp != '\0' || ttl < 0) {
+				isc_log_write(dns_lctx,
+					      DNS_LOGCATEGORY_DATABASE,
+					      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+					      "mysql driver ttl must be "
+					      "a positive number");
+			}
+			result = dns_sdlz_putrr(lookup, safeGet(row[1]), ttl,
+						safeGet(row[2]));
+			break;
+		default:
+			/*
+			 * more than 3 fields, concatenate the last
+			 * ones together.  figure out how long to make
+			 * string.
+			 */
+			for (j = 2, len = 0; j < fields; j++) {
+				len += strlen(safeGet(row[j])) + 1;
+			}
+			/*
+			 * allocate string memory, allow for NULL to
+			 * term string
+			 */
+			tmpString = isc_mem_allocate(named_g_mctx, len + 1);
+			/* copy field to tmpString */
+			strcpy(tmpString, safeGet(row[2]));
+
+			/*
+			 * concat the rest of fields together, space
+			 * between each one.
+			 */
+			for (j = 3; j < fields; j++) {
+				strcat(tmpString, " ");
+				strcat(tmpString, safeGet(row[j]));
+			}
+			/* convert text to int, make sure it worked right */
+			ttl = strtol(safeGet(row[0]), &endp, 10);
+			if (*endp != '\0' || ttl < 0) {
+				isc_log_write(dns_lctx,
+					      DNS_LOGCATEGORY_DATABASE,
+					      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+					      "mysql driver ttl must be "
+					      "a positive number");
+			}
+			/* ok, now tell Bind about it. */
+			result = dns_sdlz_putrr(lookup, safeGet(row[1]), ttl,
+						tmpString);
+			/* done, get rid of this thing. */
+			isc_mem_free(named_g_mctx, tmpString);
+		}
+		/* I sure hope we were successful */
+		if (result != ISC_R_SUCCESS) {
+			/* nope, get rid of the Result set, and log a msg */
+			mysql_free_result(rs);
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+				      "dns_sdlz_putrr returned error. "
+				      "Error code was: %s",
+				      isc_result_totext(result));
+			return (ISC_R_FAILURE);
+		}
+		row = mysql_fetch_row(rs); /* get next row */
+	}
+
+	/* free result set memory */
+	mysql_free_result(rs);
+
+	/* return result code */
+	return (result);
+}
+
+/*
+ * SDLZ interface methods
+ */
+
+/*% determine if the zone is supported by (in) the database */
+
+static isc_result_t
+mysql_findzone(void *driverarg, void *dbdata, const char *name,
+	       dns_clientinfomethods_t *methods, dns_clientinfo_t *clientinfo) {
+	isc_result_t result;
+	MYSQL_RES *rs = NULL;
+	my_ulonglong rows;
+
+	UNUSED(driverarg);
+	UNUSED(methods);
+	UNUSED(clientinfo);
+
+	/* run the query and get the result set from the database. */
+	result = mysql_get_resultset(name, NULL, NULL, FINDZONE, dbdata, &rs);
+	/* if we didn't get a result set, log an err msg. */
+	if (result != ISC_R_SUCCESS || rs == NULL) {
+		if (rs != NULL) {
+			mysql_free_result(rs);
+		}
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "mysql driver unable to return "
+			      "result set for findzone query");
+		return (ISC_R_FAILURE);
+	}
+	/* count how many rows in result set */
+	rows = mysql_num_rows(rs);
+	/* get rid of result set, we are done with it. */
+	mysql_free_result(rs);
+
+	/* if we returned any rows, zone is supported. */
+	if (rows > 0) {
+		mysql_get_resultset(name, NULL, NULL, COUNTZONE, dbdata, NULL);
+		return (ISC_R_SUCCESS);
+	}
+
+	/* no rows returned, zone is not supported. */
+	return (ISC_R_NOTFOUND);
+}
+
+/*% Determine if the client is allowed to perform a zone transfer */
+static isc_result_t
+mysql_allowzonexfr(void *driverarg, void *dbdata, const char *name,
+		   const char *client) {
+	isc_result_t result;
+	MYSQL_RES *rs = NULL;
+	my_ulonglong rows;
+
+	UNUSED(driverarg);
+
+	/* first check if the zone is supported by the database. */
+	result = mysql_findzone(driverarg, dbdata, name, NULL, NULL);
+	if (result != ISC_R_SUCCESS) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	/*
+	 * if we get to this point we know the zone is supported by
+	 * the database the only questions now are is the zone
+	 * transfer is allowed for this client and did the config file
+	 * have an allow zone xfr query.
+	 *
+	 * Run our query, and get a result set from the database.
+	 */
+	result = mysql_get_resultset(name, NULL, client, ALLOWXFR, dbdata, &rs);
+	/* if we get "not implemented", send it along. */
+	if (result == ISC_R_NOTIMPLEMENTED) {
+		return (result);
+	}
+	/* if we didn't get a result set, log an err msg. */
+	if (result != ISC_R_SUCCESS || rs == NULL) {
+		if (rs != NULL) {
+			mysql_free_result(rs);
+		}
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "mysql driver unable to return "
+			      "result set for allow xfr query");
+		return (ISC_R_FAILURE);
+	}
+	/* count how many rows in result set */
+	rows = mysql_num_rows(rs);
+	/* get rid of result set, we are done with it. */
+	mysql_free_result(rs);
+
+	/* if we returned any rows, zone xfr is allowed. */
+	if (rows > 0) {
+		return (ISC_R_SUCCESS);
+	}
+
+	/* no rows returned, zone xfr not allowed */
+	return (ISC_R_NOPERM);
+}
+
+/*%
+ * If the client is allowed to perform a zone transfer, the next order of
+ * business is to get all the nodes in the zone, so bind can respond to the
+ * query.
+ */
+static isc_result_t
+mysql_allnodes(const char *zone, void *driverarg, void *dbdata,
+	       dns_sdlzallnodes_t *allnodes) {
+	isc_result_t result;
+	MYSQL_RES *rs = NULL;
+	MYSQL_ROW row;
+	unsigned int fields;
+	unsigned int j;
+	unsigned int len;
+	char *tmpString;
+	char *endp;
+	int ttl;
+
+	UNUSED(driverarg);
+
+	/* run the query and get the result set from the database. */
+	result = mysql_get_resultset(zone, NULL, NULL, ALLNODES, dbdata, &rs);
+	/* if we get "not implemented", send it along */
+	if (result == ISC_R_NOTIMPLEMENTED) {
+		return (result);
+	}
+	/* if we didn't get a result set, log an err msg. */
+	if (result != ISC_R_SUCCESS) {
+		if (rs != NULL) {
+			mysql_free_result(rs);
+		}
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "mysql driver unable to return "
+			      "result set for all nodes query");
+		return (ISC_R_FAILURE);
+	}
+
+	result = ISC_R_NOTFOUND;
+
+	row = mysql_fetch_row(rs);     /* get a row from the result set */
+	fields = mysql_num_fields(rs); /* how many columns in result set */
+	while (row != NULL) {
+		if (fields < 4) { /* gotta have at least 4 columns */
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+				      "mysql driver too few fields returned "
+				      "by all nodes query");
+		}
+		/* convert text to int, make sure it worked right  */
+		ttl = strtol(safeGet(row[0]), &endp, 10);
+		if (*endp != '\0' || ttl < 0) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+				      "mysql driver ttl must be "
+				      "a positive number");
+		}
+		if (fields == 4) {
+			/* tell Bind about it. */
+			result = dns_sdlz_putnamedrr(allnodes, safeGet(row[2]),
+						     safeGet(row[1]), ttl,
+						     safeGet(row[3]));
+		} else {
+			/*
+			 * more than 4 fields, concatenate the last
+			 * ones together.  figure out how long to make
+			 * string.
+			 */
+			for (j = 3, len = 0; j < fields; j++) {
+				len += strlen(safeGet(row[j])) + 1;
+			}
+			/* allocate memory, allow for NULL to term string */
+			tmpString = isc_mem_allocate(named_g_mctx, len + 1);
+			/* copy this field to tmpString */
+			strcpy(tmpString, safeGet(row[3]));
+			/* concatenate the rest, with spaces between */
+			for (j = 4; j < fields; j++) {
+				strcat(tmpString, " ");
+				strcat(tmpString, safeGet(row[j]));
+			}
+			/* tell Bind about it. */
+			result = dns_sdlz_putnamedrr(allnodes, safeGet(row[2]),
+						     safeGet(row[1]), ttl,
+						     tmpString);
+			isc_mem_free(named_g_mctx, tmpString);
+		}
+		/* if we weren't successful, log err msg */
+		if (result != ISC_R_SUCCESS) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+				      "dns_sdlz_putnamedrr returned error. "
+				      "Error code was: %s",
+				      isc_result_totext(result));
+			result = ISC_R_FAILURE;
+			break;
+		}
+		/* get next row from the result set */
+		row = mysql_fetch_row(rs);
+	}
+
+	/* free result set memory */
+	mysql_free_result(rs);
+
+	return (result);
+}
+
+/*% if the lookup function does not return SOA or NS records for the zone,
+ * use this function to get that information for Bind.
+ */
+
+static isc_result_t
+mysql_authority(const char *zone, void *driverarg, void *dbdata,
+		dns_sdlzlookup_t *lookup) {
+	isc_result_t result;
+	MYSQL_RES *rs = NULL;
+
+	UNUSED(driverarg);
+
+	/* run the query and get the result set from the database. */
+	result = mysql_get_resultset(zone, NULL, NULL, AUTHORITY, dbdata, &rs);
+	/* if we get "not implemented", send it along */
+	if (result == ISC_R_NOTIMPLEMENTED) {
+		return (result);
+	}
+	/* if we didn't get a result set, log an err msg. */
+	if (result != ISC_R_SUCCESS) {
+		if (rs != NULL) {
+			mysql_free_result(rs);
+		}
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "mysql driver unable to return "
+			      "result set for authority query");
+		return (ISC_R_FAILURE);
+	}
+	/*
+	 * lookup and authority result sets are processed in the same
+	 * manner mysql_process_rs does the job for both functions.
+	 */
+	return (mysql_process_rs(lookup, rs));
+}
+
+/*% if zone is supported, lookup up a (or multiple) record(s) in it */
+static isc_result_t
+mysql_lookup(const char *zone, const char *name, void *driverarg, void *dbdata,
+	     dns_sdlzlookup_t *lookup, dns_clientinfomethods_t *methods,
+	     dns_clientinfo_t *clientinfo) {
+	isc_result_t result;
+	MYSQL_RES *rs = NULL;
+
+	UNUSED(driverarg);
+	UNUSED(methods);
+	UNUSED(clientinfo);
+
+	/* run the query and get the result set from the database. */
+	result = mysql_get_resultset(zone, name, NULL, LOOKUP, dbdata, &rs);
+	/* if we didn't get a result set, log an err msg. */
+	if (result != ISC_R_SUCCESS) {
+		if (rs != NULL) {
+			mysql_free_result(rs);
+		}
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "mysql driver unable to return "
+			      "result set for lookup query");
+		return (ISC_R_FAILURE);
+	}
+	/*
+	 * lookup and authority result sets are processed in the same manner
+	 * mysql_process_rs does the job for both functions.
+	 */
+	return (mysql_process_rs(lookup, rs));
+}
+
+/*%
+ * create an instance of the driver.  Remember, only 1 copy of the driver's
+ * code is ever loaded, the driver has to remember which context it's
+ * operating in.  This is done via use of the dbdata argument which is
+ * passed into all query functions.
+ */
+static isc_result_t
+mysql_create(const char *dlzname, unsigned int argc, char *argv[],
+	     void *driverarg, void **dbdata) {
+	isc_result_t result;
+	dbinstance_t *dbi = NULL;
+	char *tmp = NULL;
+	char *dbname = NULL;
+	char *host = NULL;
+	char *user = NULL;
+	char *pass = NULL;
+	char *socket = NULL;
+	int port;
+	MYSQL *dbc;
+	char *endp;
+	int j;
+	unsigned int flags = 0;
+
+	UNUSED(driverarg);
+	UNUSED(dlzname);
+
+	/* verify we have at least 4 arg's passed to the driver */
+	if (argc < 4) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "mysql driver requires "
+			      "at least 4 command line args.");
+		return (ISC_R_FAILURE);
+	}
+
+	/* no more than 8 arg's should be passed to the driver */
+	if (argc > 8) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "mysql driver cannot accept "
+			      "more than 7 command line args.");
+		return (ISC_R_FAILURE);
+	}
+
+	/* parse connection string and get parameters. */
+
+	/* get db name - required */
+	dbname = getParameterValue(argv[1], "dbname=");
+	if (dbname == NULL) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "mysql driver requires a dbname parameter.");
+		result = ISC_R_FAILURE;
+		goto full_cleanup;
+	}
+
+	/* get db port.  Not required, but must be > 0 if specified */
+	tmp = getParameterValue(argv[1], "port=");
+	if (tmp == NULL) {
+		port = 0;
+	} else {
+		port = strtol(tmp, &endp, 10);
+		if (*endp != '\0' || port < 0) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+				      "Mysql driver port "
+				      "must be a positive number.");
+			isc_mem_free(named_g_mctx, tmp);
+			result = ISC_R_FAILURE;
+			goto full_cleanup;
+		}
+		isc_mem_free(named_g_mctx, tmp);
+	}
+
+	/* how many queries were passed in from config file? */
+	switch (argc) {
+	case 4:
+		result = build_sqldbinstance(named_g_mctx, NULL, NULL, NULL,
+					     argv[2], argv[3], NULL, &dbi);
+		break;
+	case 5:
+		result = build_sqldbinstance(named_g_mctx, NULL, NULL, argv[4],
+					     argv[2], argv[3], NULL, &dbi);
+		break;
+	case 6:
+		result = build_sqldbinstance(named_g_mctx, argv[5], NULL,
+					     argv[4], argv[2], argv[3], NULL,
+					     &dbi);
+		break;
+	case 7:
+		result = build_sqldbinstance(named_g_mctx, argv[5], argv[6],
+					     argv[4], argv[2], argv[3], NULL,
+					     &dbi);
+		break;
+	case 8:
+		result = build_sqldbinstance(named_g_mctx, argv[5], argv[6],
+					     argv[4], argv[2], argv[3], argv[7],
+					     &dbi);
+		break;
+	default:
+		/* not really needed, should shut up compiler. */
+		result = ISC_R_FAILURE;
+	}
+
+	/* unsuccessful?, log err msg and cleanup. */
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "mysql driver could not create "
+			      "database instance object.");
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+
+	/* create and set db connection */
+	dbi->dbconn = mysql_init(NULL);
+
+	/* if db connection cannot be created, log err msg and cleanup. */
+	if (dbi->dbconn == NULL) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "mysql driver could not allocate "
+			      "memory for database connection");
+		result = ISC_R_FAILURE;
+		goto full_cleanup;
+	}
+
+	tmp = getParameterValue(argv[1], "compress=");
+	if (tmp != NULL) {
+		if (strcasecmp(tmp, "true") == 0) {
+			flags = CLIENT_COMPRESS;
+		}
+		isc_mem_free(named_g_mctx, tmp);
+	}
+
+	tmp = getParameterValue(argv[1], "ssl=");
+	if (tmp != NULL) {
+		if (strcasecmp(tmp, "true") == 0) {
+			flags = flags | CLIENT_SSL;
+		}
+		isc_mem_free(named_g_mctx, tmp);
+	}
+
+	tmp = getParameterValue(argv[1], "space=");
+	if (tmp != NULL) {
+		if (strcasecmp(tmp, "ignore") == 0) {
+			flags = flags | CLIENT_IGNORE_SPACE;
+		}
+		isc_mem_free(named_g_mctx, tmp);
+	}
+
+	dbc = NULL;
+	host = getParameterValue(argv[1], "host=");
+	user = getParameterValue(argv[1], "user=");
+	pass = getParameterValue(argv[1], "pass=");
+	socket = getParameterValue(argv[1], "socket=");
+
+	/* enable automatic reconnection. */
+	if (mysql_options((MYSQL *)dbi->dbconn, MYSQL_OPT_RECONNECT,
+			  &(my_bool){ 1 }) != 0)
+	{
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_WARNING,
+			      "mysql driver failed to set "
+			      "MYSQL_OPT_RECONNECT option, "
+			      "continuing");
+	}
+
+	for (j = 0; dbc == NULL && j < 4; j++) {
+		dbc = mysql_real_connect((MYSQL *)dbi->dbconn, host, user, pass,
+					 dbname, port, socket, flags);
+	}
+
+	/* let user know if we couldn't connect. */
+	if (dbc == NULL) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "mysql driver failed to create "
+			      "database connection after 4 attempts");
+		result = ISC_R_FAILURE;
+		goto full_cleanup;
+	}
+
+	/* return db connection via dbdata */
+	*dbdata = dbi;
+
+	result = ISC_R_SUCCESS;
+	goto cleanup;
+
+full_cleanup:
+
+	if (dbi != NULL) {
+		destroy_sqldbinstance(dbi);
+	}
+
+cleanup:
+
+	if (dbname != NULL) {
+		isc_mem_free(named_g_mctx, dbname);
+	}
+	if (host != NULL) {
+		isc_mem_free(named_g_mctx, host);
+	}
+	if (user != NULL) {
+		isc_mem_free(named_g_mctx, user);
+	}
+	if (pass != NULL) {
+		isc_mem_free(named_g_mctx, pass);
+	}
+	if (socket != NULL) {
+		isc_mem_free(named_g_mctx, socket);
+	}
+
+	return (result);
+}
+
+/*%
+ * destroy the driver.  Remember, only 1 copy of the driver's
+ * code is ever loaded, the driver has to remember which context it's
+ * operating in.  This is done via use of the dbdata argument.
+ * so we really only need to clean it up since we are not using driverarg.
+ */
+
+static void
+mysql_destroy(void *driverarg, void *dbdata) {
+	dbinstance_t *dbi;
+
+	UNUSED(driverarg);
+
+	dbi = (dbinstance_t *)dbdata;
+
+	/* release DB connection */
+	if (dbi->dbconn != NULL) {
+		mysql_close((MYSQL *)dbi->dbconn);
+	}
+
+	/* destroy DB instance */
+	destroy_sqldbinstance(dbi);
+}
+
+/* pointers to all our runtime methods. */
+/* this is used during driver registration */
+/* i.e. in dlz_mysql_init below. */
+static dns_sdlzmethods_t dlz_mysql_methods = {
+	mysql_create,
+	mysql_destroy,
+	mysql_findzone,
+	mysql_lookup,
+	mysql_authority,
+	mysql_allnodes,
+	mysql_allowzonexfr,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+};
+
+/*%
+ * Wrapper around dns_sdlzregister().
+ */
+isc_result_t
+dlz_mysql_init(void) {
+	isc_result_t result;
+
+	/*
+	 * Write debugging message to log
+	 */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ,
+		      ISC_LOG_DEBUG(2), "Registering DLZ mysql driver.");
+
+	/* Driver is always threadsafe.  Because of the way MySQL handles
+	 * threads the MySQL driver can only be used when bind is run single
+	 * threaded.  Using MySQL with Bind running multi-threaded is not
+	 * allowed.  When using the MySQL driver "-n1" should always be
+	 * passed to Bind to guarantee single threaded operation.
+	 */
+	result = dns_sdlzregister("mysql", &dlz_mysql_methods, NULL,
+				  DNS_SDLZFLAG_RELATIVEOWNER |
+					  DNS_SDLZFLAG_RELATIVERDATA |
+					  DNS_SDLZFLAG_THREADSAFE,
+				  named_g_mctx, &dlz_mysql);
+	/* if we can't register the driver, there are big problems. */
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "dns_sdlzregister() failed: %s",
+				 isc_result_totext(result));
+		result = ISC_R_UNEXPECTED;
+	}
+
+	return (result);
+}
+
+/*%
+ * Wrapper around dns_sdlzunregister().
+ */
+void
+dlz_mysql_clear(void) {
+	/*
+	 * Write debugging message to log
+	 */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ,
+		      ISC_LOG_DEBUG(2), "Unregistering DLZ mysql driver.");
+
+	/* unregister the driver. */
+	if (dlz_mysql != NULL) {
+		dns_sdlzunregister(&dlz_mysql);
+	}
+}
+
+#endif /* ifdef DLZ_MYSQL */
diff --git a/contrib/dlz/drivers/dlz_odbc_driver.c b/contrib/dlz/drivers/dlz_odbc_driver.c
new file mode 100644
index 0000000..dae5510
--- /dev/null
+++ b/contrib/dlz/drivers/dlz_odbc_driver.c
@@ -0,0 +1,1406 @@
+/*
+ * Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) 1999-2001, 2016  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+#ifdef DLZ_ODBC
+#include <sql.h>
+#include <sqlext.h>
+#include <sqltypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/mem.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/log.h>
+#include <dns/result.h>
+#include <dns/sdlz.h>
+
+#include <dlz/dlz_odbc_driver.h>
+#include <dlz/sdlz_helper.h>
+#include <named/globals.h>
+
+static dns_sdlzimplementation_t *dlz_odbc = NULL;
+
+#define dbc_search_limit 30
+#define ALLNODES	 1
+#define ALLOWXFR	 2
+#define AUTHORITY	 3
+#define FINDZONE	 4
+#define LOOKUP		 5
+
+#define sqlOK(a) ((a == SQL_SUCCESS || a == SQL_SUCCESS_WITH_INFO) ? -1 : 0)
+
+/*
+ * Private Structures
+ */
+
+/*
+ * structure to hold ODBC connection & statement
+ */
+
+typedef struct {
+	SQLHDBC dbc;
+	SQLHSTMT stmnt;
+} odbc_db_t;
+
+/*
+ * Structure to hold everything needed by this "instance" of the odbc driver
+ * remember, the driver code is only loaded once, but may have many separate
+ * instances
+ */
+
+typedef struct {
+	db_list_t *db;	 /* handle to a list of DB */
+	SQLHENV sql_env; /* handle to SQL environment */
+	SQLCHAR *dsn;
+	SQLCHAR *user;
+	SQLCHAR *pass;
+} odbc_instance_t;
+
+/* forward reference */
+
+static size_t
+odbc_makesafe(char *to, const char *from, size_t length);
+
+/*
+ * Private methods
+ */
+
+static SQLSMALLINT
+safeLen(void *a) {
+	if (a == NULL) {
+		return (0);
+	}
+	return (strlen((char *)a));
+}
+
+/*% properly cleans up an odbc_instance_t */
+
+static void
+destroy_odbc_instance(odbc_instance_t *odbc_inst) {
+	dbinstance_t *ndbi = NULL;
+	dbinstance_t *dbi = NULL;
+
+	/* get the first DBI in the list */
+	ndbi = ISC_LIST_HEAD(*odbc_inst->db);
+
+	/* loop through the list */
+	while (ndbi != NULL) {
+		dbi = ndbi;
+		/* get the next DBI in the list */
+		ndbi = ISC_LIST_NEXT(dbi, link);
+
+		/* if we have a connection / statement object in memory */
+		if (dbi->dbconn != NULL) {
+			/* free statement handle */
+			if (((odbc_db_t *)(dbi->dbconn))->stmnt != NULL) {
+				SQLFreeHandle(
+					SQL_HANDLE_STMT,
+					((odbc_db_t *)(dbi->dbconn))->stmnt);
+				((odbc_db_t *)(dbi->dbconn))->stmnt = NULL;
+			}
+
+			/* disconnect from database & free connection handle */
+			if (((odbc_db_t *)(dbi->dbconn))->dbc != NULL) {
+				SQLDisconnect(((odbc_db_t *)dbi->dbconn)->dbc);
+				SQLFreeHandle(
+					SQL_HANDLE_DBC,
+					((odbc_db_t *)(dbi->dbconn))->dbc);
+				((odbc_db_t *)(dbi->dbconn))->dbc = NULL;
+			}
+
+			/* free memory that held connection & statement. */
+			isc_mem_free(named_g_mctx, dbi->dbconn);
+		}
+		/* release all memory that comprised a DBI */
+		destroy_sqldbinstance(dbi);
+	}
+	/* release memory for the list structure */
+	isc_mem_put(named_g_mctx, odbc_inst->db, sizeof(db_list_t));
+
+	/* free sql environment */
+	if (odbc_inst->sql_env != NULL) {
+		SQLFreeHandle(SQL_HANDLE_ENV, odbc_inst->sql_env);
+	}
+
+	/* free ODBC instance strings */
+	if (odbc_inst->dsn != NULL) {
+		isc_mem_free(named_g_mctx, odbc_inst->dsn);
+	}
+	if (odbc_inst->pass != NULL) {
+		isc_mem_free(named_g_mctx, odbc_inst->pass);
+	}
+	if (odbc_inst->user != NULL) {
+		isc_mem_free(named_g_mctx, odbc_inst->user);
+	}
+
+	/* free memory for odbc_inst */
+	if (odbc_inst != NULL) {
+		isc_mem_put(named_g_mctx, odbc_inst, sizeof(odbc_instance_t));
+	}
+}
+
+/*% Connects to database, and creates ODBC statements */
+
+static isc_result_t
+odbc_connect(odbc_instance_t *dbi, odbc_db_t **dbc) {
+	odbc_db_t *ndb = *dbc;
+	SQLRETURN sqlRes;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	if (ndb != NULL) {
+		/*
+		 * if db != null, we have to do some cleanup
+		 * if statement handle != null free it
+		 */
+		if (ndb->stmnt != NULL) {
+			SQLFreeHandle(SQL_HANDLE_STMT, ndb->stmnt);
+			ndb->stmnt = NULL;
+		}
+
+		/* if connection handle != null free it */
+		if (ndb->dbc != NULL) {
+			SQLFreeHandle(SQL_HANDLE_DBC, ndb->dbc);
+			ndb->dbc = NULL;
+		}
+	} else {
+		ndb = isc_mem_allocate(named_g_mctx, sizeof(odbc_db_t));
+		memset(ndb, 0, sizeof(odbc_db_t));
+	}
+
+	sqlRes = SQLAllocHandle(SQL_HANDLE_DBC, dbi->sql_env, &(ndb->dbc));
+	if (!sqlOK(sqlRes)) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "Odbc driver unable to allocate memory");
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+
+	sqlRes = SQLConnect(ndb->dbc, dbi->dsn, safeLen(dbi->dsn), dbi->user,
+			    safeLen(dbi->user), dbi->pass, safeLen(dbi->pass));
+	if (!sqlOK(sqlRes)) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "Odbc driver unable to connect");
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+
+	sqlRes = SQLAllocHandle(SQL_HANDLE_STMT, ndb->dbc, &(ndb->stmnt));
+	if (!sqlOK(sqlRes)) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "Odbc driver unable to allocate memory");
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+
+	*dbc = ndb;
+
+	return (ISC_R_SUCCESS);
+
+cleanup:
+
+	if (ndb != NULL) {
+		/* if statement handle != null free it */
+		if (ndb->stmnt != NULL) {
+			SQLFreeHandle(SQL_HANDLE_STMT, ndb->stmnt);
+			ndb->stmnt = NULL;
+		}
+
+		/* if connection handle != null free it */
+		if (ndb->dbc != NULL) {
+			SQLDisconnect(ndb->dbc);
+			SQLFreeHandle(SQL_HANDLE_DBC, ndb->dbc);
+			ndb->dbc = NULL;
+		}
+		/* free memory holding ndb */
+		isc_mem_free(named_g_mctx, ndb);
+	}
+
+	return (result);
+}
+
+/*%
+ * Loops through the list of DB instances, attempting to lock
+ * on the mutex.  If successful, the DBI is reserved for use
+ * and the thread can perform queries against the database.
+ * If the lock fails, the next one in the list is tried.
+ * looping continues until a lock is obtained, or until
+ * the list has been searched dbc_search_limit times.
+ * This function is only used when the driver is compiled for
+ * multithreaded operation.
+ */
+
+static dbinstance_t *
+odbc_find_avail_conn(db_list_t *dblist) {
+	dbinstance_t *dbi = NULL;
+	dbinstance_t *head;
+	int count = 0;
+
+	/* get top of list */
+	head = dbi = ISC_LIST_HEAD(*dblist);
+
+	/* loop through list */
+	while (count < dbc_search_limit) {
+		/* try to lock on the mutex */
+		if (isc_mutex_trylock(&dbi->instance_lock) == ISC_R_SUCCESS) {
+			return (dbi); /* success, return the DBI for use. */
+		}
+		/* not successful, keep trying */
+		dbi = ISC_LIST_NEXT(dbi, link);
+
+		/* check to see if we have gone to the top of the list. */
+		if (dbi == NULL) {
+			count++;
+			dbi = head;
+		}
+	}
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ,
+		      ISC_LOG_INFO,
+		      "Odbc driver unable to find available "
+		      "connection after searching %d times",
+		      count);
+	return (NULL);
+}
+
+/*% Allocates memory for a new string, and then constructs the new
+ * string by "escaping" the input string.  The new string is
+ * safe to be used in queries.  This is necessary because we cannot
+ * be sure of what types of strings are passed to us, and we don't
+ * want special characters in the string causing problems.
+ */
+
+static char *
+odbc_escape_string(const char *instr) {
+	char *outstr;
+	unsigned int len;
+
+	if (instr == NULL) {
+		return (NULL);
+	}
+
+	len = strlen(instr);
+
+	outstr = isc_mem_allocate(named_g_mctx, (2 * len * sizeof(char)) + 1);
+
+	odbc_makesafe(outstr, instr, len);
+
+	return (outstr);
+}
+
+/* ---------------
+ * Escaping arbitrary strings to get valid SQL strings/identifiers.
+ *
+ * Replaces "\\" with "\\\\" and "'" with "''".
+ * length is the length of the buffer pointed to by
+ * from.  The buffer at to must be at least 2*length + 1 characters
+ * long.  A terminating NUL character is written.
+ *
+ * NOTICE!!!
+ * This function was borrowed directly from PostgreSQL's libpq.
+ *
+ * The copyright statements from the original file containing this
+ * function are included below:
+ * Portions Copyright (c) 1996-2001, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1994, Regents of the University of California
+ * ---------------
+ */
+
+static size_t
+odbc_makesafe(char *to, const char *from, size_t length) {
+	const char *source = from;
+	char *target = to;
+	unsigned int remaining = length;
+
+	while (remaining > 0) {
+		switch (*source) {
+		case '\\':
+			*target = '\\';
+			target++;
+			*target = '\\';
+			/* target and remaining are updated below. */
+			break;
+
+		case '\'':
+			*target = '\'';
+			target++;
+			*target = '\'';
+			/* target and remaining are updated below. */
+			break;
+
+		default:
+			*target = *source;
+			/* target and remaining are updated below. */
+		}
+		source++;
+		target++;
+		remaining--;
+	}
+
+	/* Write the terminating NUL character. */
+	*target = '\0';
+
+	return (target - to);
+}
+
+/*%
+ * This function is the real core of the driver.   Zone, record
+ * and client strings are passed in (or NULL is passed if the
+ * string is not available).  The type of query we want to run
+ * is indicated by the query flag, and the dbdata object is passed
+ * passed in to.  dbdata really holds either:
+ *		1) a list of database instances (in multithreaded mode) OR
+ *		2) a single database instance (in single threaded mode)
+ * The function will construct the query and obtain an available
+ * database instance (DBI).  It will then run the query and hopefully
+ * obtain a result set.  The data base instance that is used is returned
+ * to the caller so they can get the data from the result set from it.
+ * If successful, it will be the responsibility of the caller to close
+ * the cursor, and unlock the mutex of the DBI when they are done with it.
+ * If not successful, this function will perform all the cleanup.
+ */
+
+static isc_result_t
+odbc_get_resultset(const char *zone, const char *record, const char *client,
+		   unsigned int query, void *dbdata, dbinstance_t **r_dbi) {
+	isc_result_t result;
+	dbinstance_t *dbi = NULL;
+	char *querystring = NULL;
+	unsigned int j = 0;
+	SQLRETURN sqlRes;
+
+	REQUIRE(*r_dbi == NULL);
+
+	/* get db instance / connection */
+
+	/* find an available DBI from the list */
+	dbi = odbc_find_avail_conn(((odbc_instance_t *)dbdata)->db);
+
+	/* if DBI is null, can't do anything else */
+	if (dbi == NULL) {
+		return (ISC_R_FAILURE);
+	}
+
+	/* what type of query are we going to run? */
+	switch (query) {
+	case ALLNODES:
+		/*
+		 * if the query was not passed in from the config file
+		 * then we can't run it.  return not_implemented, so
+		 * it's like the code for that operation was never
+		 * built into the driver.... AHHH flexibility!!!
+		 */
+		if (dbi->allnodes_q == NULL) {
+			result = ISC_R_NOTIMPLEMENTED;
+			goto cleanup;
+		}
+		break;
+	case ALLOWXFR:
+		/* same as comments as ALLNODES */
+		if (dbi->allowxfr_q == NULL) {
+			result = ISC_R_NOTIMPLEMENTED;
+			goto cleanup;
+		}
+		break;
+	case AUTHORITY:
+		/* same as comments as ALLNODES */
+		if (dbi->authority_q == NULL) {
+			result = ISC_R_NOTIMPLEMENTED;
+			goto cleanup;
+		}
+		break;
+	case FINDZONE:
+		/* this is required.  It's the whole point of DLZ! */
+		if (dbi->findzone_q == NULL) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(2),
+				      "No query specified for findzone.  "
+				      "Findzone requires a query");
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+		break;
+	case LOOKUP:
+		/* this is required.  It's also a major point of DLZ! */
+		if (dbi->lookup_q == NULL) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(2),
+				      "No query specified for lookup.  "
+				      "Lookup requires a query");
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+		break;
+	default:
+		/*
+		 * this should never happen.  If it does, the code is
+		 * screwed up!
+		 */
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "Incorrect query flag passed to "
+				 "odbc_get_resultset");
+		result = ISC_R_UNEXPECTED;
+		goto cleanup;
+	}
+
+	/*
+	 * was a zone string passed?  If so, make it safe for use in
+	 * queries.
+	 */
+	if (zone != NULL) {
+		dbi->zone = odbc_escape_string(zone);
+		if (dbi->zone == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+	} else { /* no string passed, set the string pointer to NULL */
+		dbi->zone = NULL;
+	}
+
+	/*
+	 * was a record string passed?  If so, make it safe for use in
+	 * queries.
+	 */
+	if (record != NULL) {
+		dbi->record = odbc_escape_string(record);
+		if (dbi->record == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+	} else { /* no string passed, set the string pointer to NULL */
+		dbi->record = NULL;
+	}
+
+	/*
+	 * was a client string passed?  If so, make it safe for use in
+	 * queries.
+	 */
+	if (client != NULL) {
+		dbi->client = odbc_escape_string(client);
+		if (dbi->client == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+	} else { /* no string passed, set the string pointer to NULL */
+		dbi->client = NULL;
+	}
+
+	/*
+	 * what type of query are we going to run?
+	 * this time we build the actual query to run.
+	 */
+	switch (query) {
+	case ALLNODES:
+		querystring = build_querystring(named_g_mctx, dbi->allnodes_q);
+		break;
+	case ALLOWXFR:
+		querystring = build_querystring(named_g_mctx, dbi->allowxfr_q);
+		break;
+	case AUTHORITY:
+		querystring = build_querystring(named_g_mctx, dbi->authority_q);
+		break;
+	case FINDZONE:
+		querystring = build_querystring(named_g_mctx, dbi->findzone_q);
+		break;
+	case LOOKUP:
+		querystring = build_querystring(named_g_mctx, dbi->lookup_q);
+		break;
+	default:
+		/*
+		 * this should never happen.  If it does, the code is
+		 * screwed up!
+		 */
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "Incorrect query flag passed to "
+				 "odbc_get_resultset");
+		result = ISC_R_UNEXPECTED;
+		goto cleanup;
+	}
+
+	/* if the querystring is null, Bummer, outta RAM.  UPGRADE TIME!!!   */
+	if (querystring == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+
+	/* output the full query string during debug so we can see */
+	/* what lame error the query has. */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ,
+		      ISC_LOG_DEBUG(1), "\nQuery String: %s\n", querystring);
+
+	/* attempt query up to 3 times. */
+	for (j = 0; j < 3; j++) {
+		/* try to get result set */
+		sqlRes = SQLExecDirect(((odbc_db_t *)dbi->dbconn)->stmnt,
+				       (SQLCHAR *)querystring,
+				       (SQLINTEGER)strlen(querystring));
+
+		/* if error, reset DB connection */
+		if (!sqlOK(sqlRes)) {
+			/* close cursor */
+			SQLCloseCursor(((odbc_db_t *)dbi->dbconn)->stmnt);
+			/* attempt to reconnect */
+			result = odbc_connect((odbc_instance_t *)dbdata,
+					      (odbc_db_t **)&(dbi->dbconn));
+			/* check if we reconnected */
+			if (result != ISC_R_SUCCESS) {
+				break;
+			}
+			/* in case this is the last time through the loop */
+			result = ISC_R_FAILURE;
+		} else {
+			result = ISC_R_SUCCESS;
+			/* return dbi */
+			*r_dbi = dbi;
+			/* result set ok, break loop */
+			break;
+		}
+	} /* end for loop */
+
+cleanup: /* it's always good to cleanup after yourself */
+
+	/* free dbi->zone string */
+	if (dbi->zone != NULL) {
+		isc_mem_free(named_g_mctx, dbi->zone);
+	}
+
+	/* free dbi->record string */
+	if (dbi->record != NULL) {
+		isc_mem_free(named_g_mctx, dbi->record);
+	}
+
+	/* free dbi->client string */
+	if (dbi->client != NULL) {
+		isc_mem_free(named_g_mctx, dbi->client);
+	}
+
+	/* if we are done using this dbi, release the lock */
+	if (result != ISC_R_SUCCESS) {
+		isc_mutex_unlock(&dbi->instance_lock);
+	}
+
+	/* release query string */
+	if (querystring != NULL) {
+		isc_mem_free(named_g_mctx, querystring);
+	}
+
+	/* return result */
+	return (result);
+}
+
+/*%
+ * Gets a single field from the ODBC statement.  The memory for the
+ * returned data is dynamically allocated.  If this method is successful
+ * it is the responsibility of the caller to free the memory using
+ * isc_mem_free(named_g_mctx, *ptr);
+ */
+
+static isc_result_t
+odbc_getField(SQLHSTMT *stmnt, SQLSMALLINT field, char **data) {
+	SQLLEN size;
+
+	REQUIRE(data != NULL && *data == NULL);
+
+	if (sqlOK(SQLColAttribute(stmnt, field, SQL_DESC_DISPLAY_SIZE, NULL, 0,
+				  NULL, &size)) &&
+	    size > 0)
+	{
+		*data = isc_mem_allocate(named_g_mctx, size + 1);
+		if (data != NULL) {
+			if (sqlOK(SQLGetData(stmnt, field, SQL_C_CHAR, *data,
+					     size + 1, &size)))
+			{
+				return (ISC_R_SUCCESS);
+			}
+			isc_mem_free(named_g_mctx, *data);
+		}
+	}
+	return (ISC_R_FAILURE);
+}
+
+/*%
+ * Gets multiple fields from the ODBC statement.  The memory for the
+ * returned data is dynamically allocated.  If this method is successful
+ * it is the responsibility of the caller to free the memory using
+ * isc_mem_free(named_g_mctx, *ptr);
+ */
+
+static isc_result_t
+odbc_getManyFields(SQLHSTMT *stmnt, SQLSMALLINT startField,
+		   SQLSMALLINT endField, char **retData) {
+	isc_result_t result;
+	SQLLEN size;
+	int totSize = 0;
+	SQLSMALLINT i;
+	int j = 0;
+	char *data;
+
+	REQUIRE(retData != NULL && *retData == NULL);
+	REQUIRE(startField > 0 && startField <= endField);
+
+	/* determine how large the data is */
+	for (i = startField; i <= endField; i++) {
+		if (sqlOK(SQLColAttribute(stmnt, i, SQL_DESC_DISPLAY_SIZE, NULL,
+					  0, NULL, &size)) &&
+		    size > 0)
+		{
+			{
+				/* always allow for a " " (space) character */
+				totSize += (size + 1);
+				/* after the data item */
+			}
+		}
+	}
+
+	if (totSize < 1) {
+		return (ISC_R_FAILURE);
+	}
+
+	/* allow for a "\n" at the end of the string/ */
+	data = isc_mem_allocate(named_g_mctx, ++totSize);
+
+	result = ISC_R_FAILURE;
+
+	/* get the data and concat all fields into a large string */
+	for (i = startField; i <= endField; i++) {
+		if (sqlOK(SQLGetData(stmnt, i, SQL_C_CHAR, &(data[j]),
+				     totSize - j, &size)))
+		{
+			if (size > 0) {
+				j += size;
+				data[j++] = ' ';
+				data[j] = '\0';
+				result = ISC_R_SUCCESS;
+			}
+		} else {
+			isc_mem_free(named_g_mctx, data);
+			return (ISC_R_FAILURE);
+		}
+	}
+
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_free(named_g_mctx, data);
+		return (result);
+	}
+
+	*retData = data;
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * The processing of result sets for lookup and authority are
+ * exactly the same.  So that functionality has been moved
+ * into this function to minimize code.
+ */
+
+static isc_result_t
+odbc_process_rs(dns_sdlzlookup_t *lookup, dbinstance_t *dbi) {
+	isc_result_t result;
+	SQLSMALLINT fields;
+	SQLHSTMT *stmnt;
+	char *ttl_s;
+	char *type;
+	char *data;
+	char *endp;
+	int ttl;
+
+	REQUIRE(dbi != NULL);
+
+	stmnt = ((odbc_db_t *)(dbi->dbconn))->stmnt;
+
+	/* get number of columns */
+	if (!sqlOK(SQLNumResultCols(stmnt, &fields))) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "Odbc driver unable to process result set");
+		result = ISC_R_FAILURE;
+		goto process_rs_cleanup;
+	}
+
+	/* get things ready for processing */
+	result = ISC_R_FAILURE;
+
+	while (sqlOK(SQLFetch(stmnt))) {
+		/* set to null for next pass through */
+		data = type = ttl_s = NULL;
+
+		switch (fields) {
+		case 1:
+			/*
+			 * one column in rs, it's the data field.  use
+			 * default type of A record, and default TTL
+			 * of 86400.  attempt to get data, & tell bind
+			 * about it.
+			 */
+			if ((result = odbc_getField(stmnt, 1, &data)) ==
+			    ISC_R_SUCCESS)
+			{
+				result = dns_sdlz_putrr(lookup, "a", 86400,
+							data);
+			}
+			break;
+		case 2:
+			/*
+			 * two columns, data field, and data type.
+			 * use default TTL of 86400.  attempt to get
+			 * DNS type & data, then tell bind about it.
+			 */
+			if ((result = odbc_getField(stmnt, 1, &type)) ==
+				    ISC_R_SUCCESS &&
+			    (result = odbc_getField(stmnt, 2, &data)) ==
+				    ISC_R_SUCCESS)
+			{
+				result = dns_sdlz_putrr(lookup, type, 86400,
+							data);
+			}
+			break;
+		default:
+			/*
+			 * 3 fields or more, concatenate the last ones
+			 * together.  attempt to get DNS ttl, type,
+			 * data then tell Bind about them.
+			 */
+			if ((result = odbc_getField(stmnt, 1, &ttl_s)) ==
+				    ISC_R_SUCCESS &&
+			    (result = odbc_getField(stmnt, 2, &type)) ==
+				    ISC_R_SUCCESS &&
+			    (result = odbc_getManyFields(
+				     stmnt, 3, fields, &data)) == ISC_R_SUCCESS)
+			{
+				/* try to convert ttl string to int */
+				ttl = strtol(ttl_s, &endp, 10);
+				/* failure converting ttl. */
+				if (*endp != '\0' || ttl < 0) {
+					isc_log_write(dns_lctx,
+						      DNS_LOGCATEGORY_DATABASE,
+						      DNS_LOGMODULE_DLZ,
+						      ISC_LOG_ERROR,
+						      "Odbc driver ttl must "
+						      "be a positive number");
+					result = ISC_R_FAILURE;
+				} else {
+					/*
+					 * successful converting TTL,
+					 * tell Bind everything
+					 */
+					result = dns_sdlz_putrr(lookup, type,
+								ttl, data);
+				}
+			} /* closes bid if () */
+		}	  /* closes switch(fields) */
+
+		/* clean up mem */
+		if (ttl_s != NULL) {
+			isc_mem_free(named_g_mctx, ttl_s);
+		}
+		if (type != NULL) {
+			isc_mem_free(named_g_mctx, type);
+		}
+		if (data != NULL) {
+			isc_mem_free(named_g_mctx, data);
+		}
+
+		/* I sure hope we were successful */
+		if (result != ISC_R_SUCCESS) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+				      "dns_sdlz_putrr returned error. "
+				      "Error code was: %s",
+				      isc_result_totext(result));
+			result = ISC_R_FAILURE;
+			goto process_rs_cleanup;
+		}
+	} /* closes while loop */
+
+process_rs_cleanup:
+
+	/* close cursor */
+	SQLCloseCursor(((odbc_db_t *)(dbi->dbconn))->stmnt);
+
+	/* free lock on dbi so someone else can use it. */
+	isc_mutex_unlock(&dbi->instance_lock);
+
+	return (result);
+}
+
+/*
+ * SDLZ interface methods
+ */
+
+/*% determine if the zone is supported by (in) the database */
+
+static isc_result_t
+odbc_findzone(void *driverarg, void *dbdata, const char *name,
+	      dns_clientinfomethods_t *methods, dns_clientinfo_t *clientinfo) {
+	isc_result_t result;
+	dbinstance_t *dbi = NULL;
+
+	UNUSED(driverarg);
+	UNUSED(methods);
+	UNUSED(clientinfo);
+
+	/* run the query and get the result set from the database. */
+	/* if result != ISC_R_SUCCESS cursor and mutex already cleaned up. */
+	/* so we don't have to do it here. */
+	result = odbc_get_resultset(name, NULL, NULL, FINDZONE, dbdata, &dbi);
+
+	/* Check that we got a result set with data */
+	if (result == ISC_R_SUCCESS &&
+	    !sqlOK(SQLFetch(((odbc_db_t *)(dbi->dbconn))->stmnt)))
+	{
+		result = ISC_R_NOTFOUND;
+	}
+
+	if (dbi != NULL) {
+		/* get rid of result set, we are done with it. */
+		SQLCloseCursor(((odbc_db_t *)(dbi->dbconn))->stmnt);
+
+		/* free lock on dbi so someone else can use it. */
+		isc_mutex_unlock(&dbi->instance_lock);
+	}
+
+	return (result);
+}
+
+/*% Determine if the client is allowed to perform a zone transfer */
+static isc_result_t
+odbc_allowzonexfr(void *driverarg, void *dbdata, const char *name,
+		  const char *client) {
+	isc_result_t result;
+	dbinstance_t *dbi = NULL;
+
+	UNUSED(driverarg);
+
+	/* first check if the zone is supported by the database. */
+	result = odbc_findzone(driverarg, dbdata, name, NULL, NULL);
+	if (result != ISC_R_SUCCESS) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	/*
+	 * if we get to this point we know the zone is supported by
+	 * the database.  the only questions now are is the zone
+	 * transfer is allowed for this client and did the config file
+	 * have an allow zone xfr query
+	 *
+	 * Run our query, and get a result set from the database.  if
+	 * result != ISC_R_SUCCESS cursor and mutex already cleaned
+	 * up, so we don't have to do it here.
+	 */
+	result = odbc_get_resultset(name, NULL, client, ALLOWXFR, dbdata, &dbi);
+
+	/* if we get "not implemented", send it along. */
+	if (result == ISC_R_NOTIMPLEMENTED) {
+		return (result);
+	}
+
+	/* Check that we got a result set with data */
+	if (result == ISC_R_SUCCESS &&
+	    !sqlOK(SQLFetch(((odbc_db_t *)(dbi->dbconn))->stmnt)))
+	{
+		result = ISC_R_NOPERM;
+	}
+
+	if (dbi != NULL) {
+		/* get rid of result set, we are done with it. */
+		SQLCloseCursor(((odbc_db_t *)(dbi->dbconn))->stmnt);
+
+		/* free lock on dbi so someone else can use it. */
+		isc_mutex_unlock(&dbi->instance_lock);
+	}
+
+	return (result);
+}
+
+/*%
+ * If the client is allowed to perform a zone transfer, the next order of
+ * business is to get all the nodes in the zone, so bind can respond to the
+ * query.
+ */
+
+static isc_result_t
+odbc_allnodes(const char *zone, void *driverarg, void *dbdata,
+	      dns_sdlzallnodes_t *allnodes) {
+	isc_result_t result;
+	dbinstance_t *dbi = NULL;
+	SQLHSTMT *stmnt;
+	SQLSMALLINT fields;
+	char *data;
+	char *type;
+	char *ttl_s;
+	int ttl;
+	char *host;
+	char *endp;
+
+	UNUSED(driverarg);
+
+	/* run the query and get the result set from the database. */
+	result = odbc_get_resultset(zone, NULL, NULL, ALLNODES, dbdata, &dbi);
+
+	/* if we get "not implemented", send it along */
+	if (result == ISC_R_NOTIMPLEMENTED) {
+		return (result);
+	}
+
+	/* if we didn't get a result set, log an err msg. */
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "Odbc driver unable to return "
+			      "result set for all nodes query");
+		return (ISC_R_FAILURE);
+	}
+
+	stmnt = ((odbc_db_t *)(dbi->dbconn))->stmnt;
+
+	/* get number of columns */
+	if (!sqlOK(SQLNumResultCols(stmnt, &fields))) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "Odbc driver unable to process result set");
+		result = ISC_R_FAILURE;
+		goto allnodes_cleanup;
+	}
+
+	if (fields < 4) { /* gotta have at least 4 columns */
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "Odbc driver too few fields returned by "
+			      "all nodes query");
+		result = ISC_R_FAILURE;
+		goto allnodes_cleanup;
+	}
+
+	/* get things ready for processing */
+	result = ISC_R_FAILURE;
+
+	while (sqlOK(SQLFetch(stmnt))) {
+		/* set to null for next pass through */
+		data = host = type = ttl_s = NULL;
+
+		/*
+		 * attempt to get DNS ttl, type, host, data then tell
+		 * Bind about them
+		 */
+		if ((result = odbc_getField(stmnt, 1, &ttl_s)) ==
+			    ISC_R_SUCCESS &&
+		    (result = odbc_getField(stmnt, 2, &type)) ==
+			    ISC_R_SUCCESS &&
+		    (result = odbc_getField(stmnt, 3, &host)) ==
+			    ISC_R_SUCCESS &&
+		    (result = odbc_getManyFields(stmnt, 4, fields, &data)) ==
+			    ISC_R_SUCCESS)
+		{
+			/* convert ttl string to int */
+			ttl = strtol(ttl_s, &endp, 10);
+			/* failure converting ttl. */
+			if (*endp != '\0' || ttl < 0) {
+				isc_log_write(dns_lctx,
+					      DNS_LOGCATEGORY_DATABASE,
+					      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+					      "Odbc driver ttl must be "
+					      "a positive number");
+				result = ISC_R_FAILURE;
+			} else {
+				/* successful converting TTL, tell Bind  */
+				result = dns_sdlz_putnamedrr(allnodes, host,
+							     type, ttl, data);
+			}
+		} /* closes big if () */
+
+		/* clean up mem */
+		if (ttl_s != NULL) {
+			isc_mem_free(named_g_mctx, ttl_s);
+		}
+		if (type != NULL) {
+			isc_mem_free(named_g_mctx, type);
+		}
+		if (host != NULL) {
+			isc_mem_free(named_g_mctx, host);
+		}
+		if (data != NULL) {
+			isc_mem_free(named_g_mctx, data);
+		}
+
+		/* if we weren't successful, log err msg */
+		if (result != ISC_R_SUCCESS) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+				      "dns_sdlz_putnamedrr returned error. "
+				      "Error code was: %s",
+				      isc_result_totext(result));
+			result = ISC_R_FAILURE;
+			goto allnodes_cleanup;
+		}
+	} /* closes while loop */
+
+allnodes_cleanup:
+
+	/* close cursor */
+	SQLCloseCursor(((odbc_db_t *)(dbi->dbconn))->stmnt);
+
+	/* free lock on dbi so someone else can use it. */
+	isc_mutex_unlock(&dbi->instance_lock);
+
+	return (result);
+}
+
+/*%
+ * if the lookup function does not return SOA or NS records for the zone,
+ * use this function to get that information for Bind.
+ */
+
+static isc_result_t
+odbc_authority(const char *zone, void *driverarg, void *dbdata,
+	       dns_sdlzlookup_t *lookup) {
+	isc_result_t result;
+	dbinstance_t *dbi = NULL;
+
+	UNUSED(driverarg);
+
+	/* run the query and get the result set from the database. */
+	result = odbc_get_resultset(zone, NULL, NULL, AUTHORITY, dbdata, &dbi);
+	/* if we get "not implemented", send it along */
+	if (result == ISC_R_NOTIMPLEMENTED) {
+		return (result);
+	}
+	/* if we didn't get a result set, log an err msg. */
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "Odbc driver unable to return "
+			      "result set for authority query");
+		return (ISC_R_FAILURE);
+	}
+	/* lookup and authority result sets are processed in the same manner */
+	/* odbc_process_rs does the job for both functions. */
+	return (odbc_process_rs(lookup, dbi));
+}
+
+/*% if zone is supported, lookup up a (or multiple) record(s) in it */
+
+static isc_result_t
+odbc_lookup(const char *zone, const char *name, void *driverarg, void *dbdata,
+	    dns_sdlzlookup_t *lookup, dns_clientinfomethods_t *methods,
+	    dns_clientinfo_t *clientinfo) {
+	isc_result_t result;
+	dbinstance_t *dbi = NULL;
+
+	UNUSED(driverarg);
+	UNUSED(methods);
+	UNUSED(clientinfo);
+
+	/* run the query and get the result set from the database. */
+	result = odbc_get_resultset(zone, name, NULL, LOOKUP, dbdata, &dbi);
+	/* if we didn't get a result set, log an err msg. */
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "Odbc driver unable to return "
+			      "result set for lookup query");
+		return (ISC_R_FAILURE);
+	}
+	/* lookup and authority result sets are processed in the same manner */
+	/* odbc_process_rs does the job for both functions. */
+	return (odbc_process_rs(lookup, dbi));
+}
+
+/*%
+ * create an instance of the driver.  Remember, only 1 copy of the driver's
+ * code is ever loaded, the driver has to remember which context it's
+ * operating in.  This is done via use of the dbdata argument which is
+ * passed into all query functions.
+ */
+static isc_result_t
+odbc_create(const char *dlzname, unsigned int argc, char *argv[],
+	    void *driverarg, void **dbdata) {
+	isc_result_t result;
+	odbc_instance_t *odbc_inst = NULL;
+	dbinstance_t *db = NULL;
+	SQLRETURN sqlRes;
+	int dbcount;
+	int i;
+	char *endp;
+
+	UNUSED(dlzname);
+	UNUSED(driverarg);
+
+	/* if debugging, let user know we are multithreaded. */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ,
+		      ISC_LOG_DEBUG(1), "Odbc driver running multithreaded");
+
+	/* verify we have at least 5 arg's passed to the driver */
+	if (argc < 5) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "Odbc driver requires at least "
+			      "4 command line args.");
+		return (ISC_R_FAILURE);
+	}
+
+	/* no more than 8 arg's should be passed to the driver */
+	if (argc > 8) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "Odbc driver cannot accept more than "
+			      "7 command line args.");
+		return (ISC_R_FAILURE);
+	}
+
+	/* multithreaded build can have multiple DB connections */
+	/* check how many db connections we should create */
+	dbcount = strtol(argv[1], &endp, 10);
+	if (*endp != '\0' || dbcount < 0) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "Odbc driver database connection count "
+			      "must be positive.");
+		return (ISC_R_FAILURE);
+	}
+
+	/* allocate memory for odbc instance */
+	odbc_inst = isc_mem_get(named_g_mctx, sizeof(odbc_instance_t));
+	memset(odbc_inst, 0, sizeof(odbc_instance_t));
+
+	/* parse connection string and get parameters. */
+
+	/* get odbc database dsn - required */
+	odbc_inst->dsn = (SQLCHAR *)getParameterValue(argv[2], "dsn=");
+	if (odbc_inst->dsn == NULL) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "odbc driver requires a dns parameter.");
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+	/* get odbc database username */
+	/* if no username was passed, set odbc_inst.user = NULL; */
+	odbc_inst->user = (SQLCHAR *)getParameterValue(argv[2], "user=");
+
+	/* get odbc database password */
+	/* if no password was passed, set odbc_inst.pass = NULL; */
+	odbc_inst->pass = (SQLCHAR *)getParameterValue(argv[2], "pass=");
+
+	/* create odbc environment & set environment to ODBC V3 */
+	if (odbc_inst->sql_env == NULL) {
+		/* create environment handle */
+		sqlRes = SQLAllocHandle(SQL_HANDLE_ENV, SQL_NULL_HANDLE,
+					&(odbc_inst->sql_env));
+		if (!sqlOK(sqlRes)) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_INFO,
+				      "Odbc driver unable to allocate memory");
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+		/*set ODBC version = 3 */
+		sqlRes = SQLSetEnvAttr(odbc_inst->sql_env,
+				       SQL_ATTR_ODBC_VERSION,
+				       (void *)SQL_OV_ODBC3, 0);
+		if (!sqlOK(sqlRes)) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_INFO,
+				      "Unable to configure ODBC environment");
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+	}
+
+	/* allocate memory for database connection list */
+	odbc_inst->db = isc_mem_get(named_g_mctx, sizeof(db_list_t));
+
+	/* initialize DB connection list */
+	ISC_LIST_INIT(*odbc_inst->db);
+
+	/* create the appropriate number of database instances (DBI) */
+	/* append each new DBI to the end of the list */
+	for (i = 0; i < dbcount; i++) {
+		/* how many queries were passed in from config file? */
+		switch (argc) {
+		case 5:
+			result = build_sqldbinstance(named_g_mctx, NULL, NULL,
+						     NULL, argv[3], argv[4],
+						     NULL, &db);
+			break;
+		case 6:
+			result = build_sqldbinstance(named_g_mctx, NULL, NULL,
+						     argv[5], argv[3], argv[4],
+						     NULL, &db);
+			break;
+		case 7:
+			result = build_sqldbinstance(named_g_mctx, argv[6],
+						     NULL, argv[5], argv[3],
+						     argv[4], NULL, &db);
+			break;
+		case 8:
+			result = build_sqldbinstance(named_g_mctx, argv[6],
+						     argv[7], argv[5], argv[3],
+						     argv[4], NULL, &db);
+			break;
+		default:
+			/* not really needed, should shut up compiler. */
+			result = ISC_R_FAILURE;
+		}
+
+		/* unsuccessful?, log err msg and cleanup. */
+		if (result != ISC_R_SUCCESS) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+				      "Odbc driver could not create "
+				      "database instance object.");
+			goto cleanup;
+		}
+
+		/* when multithreaded, build a list of DBI's */
+		ISC_LINK_INIT(db, link);
+		ISC_LIST_APPEND(*odbc_inst->db, db, link);
+
+		result = odbc_connect(odbc_inst, (odbc_db_t **)&(db->dbconn));
+
+		if (result != ISC_R_SUCCESS) {
+			/*
+			 * if multi threaded, let user know which
+			 * connection failed.  user could be
+			 * attempting to create 10 db connections and
+			 * for some reason the db backend only allows
+			 * 9.
+			 */
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+				      "Odbc driver failed to create database "
+				      "connection number %u after 3 attempts",
+				      i + 1);
+			goto cleanup;
+		}
+
+		/* set DB = null for next loop through. */
+		db = NULL;
+	} /* end for loop */
+
+	/* set dbdata to the odbc_instance we created. */
+	*dbdata = odbc_inst;
+
+	/* hey, we got through all of that ok, return success. */
+	return (ISC_R_SUCCESS);
+
+cleanup:
+
+	destroy_odbc_instance(odbc_inst);
+
+	return (result);
+}
+
+/*%
+ * destroy an instance of the driver.  Remember, only 1 copy of the driver's
+ * code is ever loaded, the driver has to remember which context it's
+ * operating in.  This is done via use of the dbdata argument.
+ * so we really only need to clean it up since we are not using driverarg.
+ */
+
+static void
+odbc_destroy(void *driverarg, void *dbdata) {
+	UNUSED(driverarg);
+
+	destroy_odbc_instance((odbc_instance_t *)dbdata);
+}
+
+/* pointers to all our runtime methods. */
+/* this is used during driver registration */
+/* i.e. in dlz_odbc_init below. */
+static dns_sdlzmethods_t dlz_odbc_methods = {
+	odbc_create,
+	odbc_destroy,
+	odbc_findzone,
+	odbc_lookup,
+	odbc_authority,
+	odbc_allnodes,
+	odbc_allowzonexfr,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+};
+
+/*%
+ * Wrapper around dns_sdlzregister().
+ */
+isc_result_t
+dlz_odbc_init(void) {
+	isc_result_t result;
+
+	/*
+	 * Write debugging message to log
+	 */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ,
+		      ISC_LOG_DEBUG(2), "Registering DLZ odbc driver.");
+
+	/*
+	 * Driver is always threadsafe.  When multithreaded all
+	 * functions use multithreaded code.  When not multithreaded,
+	 * all functions can only be entered once, but only 1 thread
+	 * of operation is available in Bind.  So everything is still
+	 * threadsafe.
+	 */
+	result = dns_sdlzregister("odbc", &dlz_odbc_methods, NULL,
+				  DNS_SDLZFLAG_RELATIVEOWNER |
+					  DNS_SDLZFLAG_RELATIVERDATA |
+					  DNS_SDLZFLAG_THREADSAFE,
+				  named_g_mctx, &dlz_odbc);
+	/* if we can't register the driver, there are big problems. */
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "dns_sdlzregister() failed: %s",
+				 isc_result_totext(result));
+		result = ISC_R_UNEXPECTED;
+	}
+
+	return (result);
+}
+
+/*%
+ * Wrapper around dns_sdlzunregister().
+ */
+void
+dlz_odbc_clear(void) {
+	/*
+	 * Write debugging message to log
+	 */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ,
+		      ISC_LOG_DEBUG(2), "Unregistering DLZ odbc driver.");
+
+	/* unregister the driver. */
+	if (dlz_odbc != NULL) {
+		dns_sdlzunregister(&dlz_odbc);
+	}
+}
+
+#endif /* ifdef DLZ_ODBC */
diff --git a/contrib/dlz/drivers/dlz_postgres_driver.c b/contrib/dlz/drivers/dlz_postgres_driver.c
new file mode 100644
index 0000000..d960c3f
--- /dev/null
+++ b/contrib/dlz/drivers/dlz_postgres_driver.c
@@ -0,0 +1,1240 @@
+/*
+ * Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) 1999-2001, 2016  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+#ifdef DLZ_POSTGRES
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/mem.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/log.h>
+#include <dns/result.h>
+#include <dns/sdlz.h>
+
+#include <dlz/dlz_postgres_driver.h>
+#include <dlz/sdlz_helper.h>
+#include <named/globals.h>
+
+/* temporarily include time. */
+#include <libpq-fe.h>
+#include <time.h>
+
+static dns_sdlzimplementation_t *dlz_postgres = NULL;
+
+#define dbc_search_limit 30
+#define ALLNODES	 1
+#define ALLOWXFR	 2
+#define AUTHORITY	 3
+#define FINDZONE	 4
+#define LOOKUP		 5
+
+/*
+ * Private methods
+ */
+
+/* ---------------
+ * Escaping arbitrary strings to get valid SQL strings/identifiers.
+ *
+ * Replaces "\\" with "\\\\" and "'" with "''".
+ * length is the length of the buffer pointed to by
+ * from.  The buffer at to must be at least 2*length + 1 characters
+ * long.  A terminating NUL character is written.
+ *
+ * NOTICE!!!
+ * This function was borrowed directly from PostgreSQL's libpq.
+ * The function was originally called PQescapeString and renamed
+ * to postgres_makesafe to avoid a naming collision.
+ * PQescapeString is a new function made available in Postgres 7.2.
+ * For some reason the function is not properly exported on Win32
+ * builds making the function unavailable on Windows.  Also, since
+ * this function is new it would require building this driver with
+ * the libpq 7.2.  By borrowing this function the Windows problem
+ * is solved, and the dependence on libpq 7.2 is removed.  Libpq is
+ * still required of course, but an older version should work now too.
+ *
+ * The copyright statements from the original file containing this
+ * function are included below:
+ * Portions Copyright (c) 1996-2001, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1994, Regents of the University of California
+ * ---------------
+ */
+
+static size_t
+postgres_makesafe(char *to, const char *from, size_t length) {
+	const char *source = from;
+	char *target = to;
+	unsigned int remaining = length;
+
+	while (remaining > 0) {
+		switch (*source) {
+		case '\\':
+			*target = '\\';
+			target++;
+			*target = '\\';
+			/* target and remaining are updated below. */
+			break;
+
+		case '\'':
+			*target = '\'';
+			target++;
+			*target = '\'';
+			/* target and remaining are updated below. */
+			break;
+
+		default:
+			*target = *source;
+			/* target and remaining are updated below. */
+		}
+		source++;
+		target++;
+		remaining--;
+	}
+
+	/* Write the terminating NUL character. */
+	*target = '\0';
+
+	return (target - to);
+}
+
+/*%
+ * Properly cleans up a list of database instances.
+ * This function is only used when the driver is compiled for
+ * multithreaded operation.
+ */
+static void
+postgres_destroy_dblist(db_list_t *dblist) {
+	dbinstance_t *ndbi = NULL;
+	dbinstance_t *dbi = NULL;
+
+	/* get the first DBI in the list */
+	ndbi = ISC_LIST_HEAD(*dblist);
+
+	/* loop through the list */
+	while (ndbi != NULL) {
+		dbi = ndbi;
+		/* get the next DBI in the list */
+		ndbi = ISC_LIST_NEXT(dbi, link);
+		/* release DB connection */
+		if (dbi->dbconn != NULL) {
+			PQfinish((PGconn *)dbi->dbconn);
+		}
+		/* release all memory that comprised a DBI */
+		destroy_sqldbinstance(dbi);
+	}
+	/* release memory for the list structure */
+	isc_mem_put(named_g_mctx, dblist, sizeof(db_list_t));
+}
+
+/*%
+ * Loops through the list of DB instances, attempting to lock
+ * on the mutex.  If successful, the DBI is reserved for use
+ * and the thread can perform queries against the database.
+ * If the lock fails, the next one in the list is tried.
+ * looping continues until a lock is obtained, or until
+ * the list has been searched dbc_search_limit times.
+ * This function is only used when the driver is compiled for
+ * multithreaded operation.
+ */
+
+static dbinstance_t *
+postgres_find_avail_conn(db_list_t *dblist) {
+	dbinstance_t *dbi = NULL;
+	dbinstance_t *head;
+	int count = 0;
+
+	/* get top of list */
+	head = dbi = ISC_LIST_HEAD(*dblist);
+
+	/* loop through list */
+	while (count < dbc_search_limit) {
+		/* try to lock on the mutex */
+		if (isc_mutex_trylock(&dbi->instance_lock) == ISC_R_SUCCESS) {
+			return (dbi); /* success, return the DBI for use. */
+		}
+		/* not successful, keep trying */
+		dbi = ISC_LIST_NEXT(dbi, link);
+
+		/* check to see if we have gone to the top of the list. */
+		if (dbi == NULL) {
+			count++;
+			dbi = head;
+		}
+	}
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ,
+		      ISC_LOG_INFO,
+		      "Postgres driver unable to find available connection "
+		      "after searching %d times",
+		      count);
+	return (NULL);
+}
+
+/*%
+ * Allocates memory for a new string, and then constructs the new
+ * string by "escaping" the input string.  The new string is
+ * safe to be used in queries.  This is necessary because we cannot
+ * be sure of what types of strings are passed to us, and we don't
+ * want special characters in the string causing problems.
+ */
+
+static char *
+postgres_escape_string(const char *instr) {
+	char *outstr;
+	unsigned int len;
+
+	if (instr == NULL) {
+		return (NULL);
+	}
+
+	len = strlen(instr);
+
+	outstr = isc_mem_allocate(named_g_mctx, (2 * len * sizeof(char)) + 1);
+
+	postgres_makesafe(outstr, instr, len);
+	/* PQescapeString(outstr, instr, len); */
+
+	return (outstr);
+}
+
+/*%
+ * This function is the real core of the driver.   Zone, record
+ * and client strings are passed in (or NULL is passed if the
+ * string is not available).  The type of query we want to run
+ * is indicated by the query flag, and the dbdata object is passed
+ * passed in to.  dbdata really holds either:
+ *		1) a list of database instances (in multithreaded mode) OR
+ *		2) a single database instance (in single threaded mode)
+ * The function will construct the query and obtain an available
+ * database instance (DBI).  It will then run the query and hopefully
+ * obtain a result set.  Postgres is nice, in that once the result
+ * set is returned, we can make the db connection available for another
+ * thread to use, while this thread continues on.  So, the DBI is made
+ * available ASAP by unlocking the instance_lock after we have cleaned
+ * it up properly.
+ */
+static isc_result_t
+postgres_get_resultset(const char *zone, const char *record, const char *client,
+		       unsigned int query, void *dbdata, PGresult **rs) {
+	isc_result_t result;
+	dbinstance_t *dbi = NULL;
+	char *querystring = NULL;
+	unsigned int i = 0;
+	unsigned int j = 0;
+
+#if 0
+	/* temporarily get a unique thread # */
+	unsigned int dlz_thread_num = 1 +
+				      (int) (1000.0 * rand() /
+					     (RAND_MAX + 1.0));
+#endif /* if 0 */
+
+	REQUIRE(*rs == NULL);
+
+#if 0
+	/* temporary logging message */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+		      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+		      "%d Getting DBI", dlz_thread_num);
+#endif /* if 0 */
+
+	/* get db instance / connection */
+
+	/* find an available DBI from the list */
+	dbi = postgres_find_avail_conn((db_list_t *)dbdata);
+
+#if 0
+	/* temporary logging message */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+		      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+		      "%d Got DBI - checking query", dlz_thread_num);
+#endif /* if 0 */
+
+	/* if DBI is null, can't do anything else */
+	if (dbi == NULL) {
+		return (ISC_R_FAILURE);
+	}
+
+	/* what type of query are we going to run? */
+	switch (query) {
+	case ALLNODES:
+		/*
+		 * if the query was not passed in from the config file
+		 * then we can't run it.  return not_implemented, so
+		 * it's like the code for that operation was never
+		 * built into the driver.... AHHH flexibility!!!
+		 */
+		if (dbi->allnodes_q == NULL) {
+			result = ISC_R_NOTIMPLEMENTED;
+			goto cleanup;
+		}
+		break;
+	case ALLOWXFR:
+		/* same as comments as ALLNODES */
+		if (dbi->allowxfr_q == NULL) {
+			result = ISC_R_NOTIMPLEMENTED;
+			goto cleanup;
+		}
+		break;
+	case AUTHORITY:
+		/* same as comments as ALLNODES */
+		if (dbi->authority_q == NULL) {
+			result = ISC_R_NOTIMPLEMENTED;
+			goto cleanup;
+		}
+		break;
+	case FINDZONE:
+		/* this is required.  It's the whole point of DLZ! */
+		if (dbi->findzone_q == NULL) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(2),
+				      "No query specified for findzone.  "
+				      "Findzone requires a query");
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+		break;
+	case LOOKUP:
+		/* this is required.  It's also a major point of DLZ! */
+		if (dbi->lookup_q == NULL) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(2),
+				      "No query specified for lookup.  "
+				      "Lookup requires a query");
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+		break;
+	default:
+		/*
+		 * this should never happen.  If it does, the code is
+		 * screwed up!
+		 */
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "Incorrect query flag passed to "
+				 "postgres_get_resultset");
+		result = ISC_R_UNEXPECTED;
+		goto cleanup;
+	}
+
+#if 0
+	/* temporary logging message */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+		      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+		      "%d checked query", dlz_thread_num);
+#endif /* if 0 */
+
+	/*
+	 * was a zone string passed?  If so, make it safe for use in
+	 * queries.
+	 */
+	if (zone != NULL) {
+		dbi->zone = postgres_escape_string(zone);
+		if (dbi->zone == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+	} else { /* no string passed, set the string pointer to NULL */
+		dbi->zone = NULL;
+	}
+
+#if 0
+	/* temporary logging message */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+		      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+		      "%d did zone", dlz_thread_num);
+#endif /* if 0 */
+
+	/*
+	 * was a record string passed?  If so, make it safe for use in
+	 * queries.
+	 */
+	if (record != NULL) {
+		dbi->record = postgres_escape_string(record);
+		if (dbi->record == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+	} else { /* no string passed, set the string pointer to NULL */
+		dbi->record = NULL;
+	}
+
+#if 0
+	/* temporary logging message */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+		      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+		      "%d did record", dlz_thread_num);
+#endif /* if 0 */
+
+	/*
+	 * was a client string passed?  If so, make it safe for use in
+	 * queries.
+	 */
+	if (client != NULL) {
+		dbi->client = postgres_escape_string(client);
+		if (dbi->client == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+	} else { /* no string passed, set the string pointer to NULL */
+		dbi->client = NULL;
+	}
+
+#if 0
+	/* temporary logging message */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+		      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+		      "%d did client", dlz_thread_num);
+#endif /* if 0 */
+
+	/*
+	 * what type of query are we going to run?
+	 * this time we build the actual query to run.
+	 */
+	switch (query) {
+	case ALLNODES:
+		querystring = build_querystring(named_g_mctx, dbi->allnodes_q);
+		break;
+	case ALLOWXFR:
+		querystring = build_querystring(named_g_mctx, dbi->allowxfr_q);
+		break;
+	case AUTHORITY:
+		querystring = build_querystring(named_g_mctx, dbi->authority_q);
+		break;
+	case FINDZONE:
+		querystring = build_querystring(named_g_mctx, dbi->findzone_q);
+		break;
+	case LOOKUP:
+		querystring = build_querystring(named_g_mctx, dbi->lookup_q);
+		break;
+	default:
+		/*
+		 * this should never happen.  If it does, the code is
+		 * screwed up!
+		 */
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "Incorrect query flag passed to "
+				 "postgres_get_resultset");
+		result = ISC_R_UNEXPECTED;
+		goto cleanup;
+	}
+
+#if 0
+	/* temporary logging message */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+		      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+		      "%d built query", dlz_thread_num);
+#endif /* if 0 */
+
+	/* if the querystring is null, Bummer, outta RAM.  UPGRADE TIME!!!   */
+	if (querystring == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+
+#if 0
+	/* temporary logging message */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+		      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+		      "%d query is '%s'", dlz_thread_num, querystring);
+#endif /* if 0 */
+
+	/*
+	 * output the full query string during debug so we can see
+	 * what lame error the query has.
+	 */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ,
+		      ISC_LOG_DEBUG(1), "\nQuery String: %s\n", querystring);
+
+	/* attempt query up to 3 times. */
+	for (j = 0; j < 3; j++) {
+#if 0
+		/* temporary logging message */
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "%d executing query for %d time",
+			      dlz_thread_num, j);
+#endif /* if 0 */
+		/* try to get result set */
+		*rs = PQexec((PGconn *)dbi->dbconn, querystring);
+		result = ISC_R_SUCCESS;
+		/*
+		 * if result set is null, reset DB connection, max 3
+		 * attempts.
+		 */
+		for (i = 0; *rs == NULL && i < 3; i++) {
+#if 0
+			/* temporary logging message */
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+				      "%d resetting connection",
+				      dlz_thread_num);
+#endif /* if 0 */
+			result = ISC_R_FAILURE;
+			PQreset((PGconn *)dbi->dbconn);
+			/* connection ok, break inner loop */
+			if (PQstatus((PGconn *)dbi->dbconn) == CONNECTION_OK) {
+				break;
+			}
+		}
+		/* result set ok, break outer loop */
+		if (PQresultStatus(*rs) == PGRES_TUPLES_OK) {
+#if 0
+			/* temporary logging message */
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+				      "%d rs ok", dlz_thread_num);
+#endif /* if 0 */
+			break;
+		} else {
+			/* we got a result set object, but it's not right. */
+#if 0
+			/* temporary logging message */
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+				      "%d clearing rs", dlz_thread_num);
+#endif				      /* if 0 */
+			PQclear(*rs); /* get rid of it */
+			/* in case this was the last attempt */
+			*rs = NULL;
+			result = ISC_R_FAILURE;
+		}
+	}
+
+cleanup:
+	/* it's always good to cleanup after yourself */
+
+#if 0
+	/* temporary logging message */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+		      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+		      "%d cleaning up", dlz_thread_num);
+#endif /* if 0 */
+
+	/* free dbi->zone string */
+	if (dbi->zone != NULL) {
+		isc_mem_free(named_g_mctx, dbi->zone);
+	}
+
+	/* free dbi->record string */
+	if (dbi->record != NULL) {
+		isc_mem_free(named_g_mctx, dbi->record);
+	}
+
+	/* free dbi->client string */
+	if (dbi->client != NULL) {
+		isc_mem_free(named_g_mctx, dbi->client);
+	}
+
+#if 0
+	/* temporary logging message */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+		      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+		      "%d unlocking mutex", dlz_thread_num);
+#endif /* if 0 */
+
+	/* release the lock so another thread can use this dbi */
+	isc_mutex_unlock(&dbi->instance_lock);
+
+	/* release query string */
+	if (querystring != NULL) {
+		isc_mem_free(named_g_mctx, querystring);
+	}
+
+#if 0
+	/* temporary logging message */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+		      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+		      "%d returning", dlz_thread_num);
+#endif /* if 0 */
+
+	/* return result */
+	return (result);
+}
+
+/*%
+ * The processing of result sets for lookup and authority are
+ * exactly the same.  So that functionality has been moved
+ * into this function to minimize code.
+ */
+
+static isc_result_t
+postgres_process_rs(dns_sdlzlookup_t *lookup, PGresult *rs) {
+	isc_result_t result;
+	unsigned int i;
+	unsigned int rows;
+	unsigned int fields;
+	unsigned int j;
+	unsigned int len;
+	char *tmpString;
+	char *endp;
+	int ttl;
+
+	rows = PQntuples(rs);	/* how many rows in result set */
+	fields = PQnfields(rs); /* how many columns in result set */
+	for (i = 0; i < rows; i++) {
+		switch (fields) {
+		case 1:
+			/*
+			 * one column in rs, it's the data field.  use
+			 * default type of A record, and default TTL
+			 * of 86400
+			 */
+			result = dns_sdlz_putrr(lookup, "a", 86400,
+						PQgetvalue(rs, i, 0));
+			break;
+		case 2:
+			/* two columns, data field, and data type.
+			 * use default TTL of 86400.
+			 */
+			result = dns_sdlz_putrr(lookup, PQgetvalue(rs, i, 0),
+						86400, PQgetvalue(rs, i, 1));
+			break;
+		case 3:
+			/* three columns, all data no defaults.
+			 * convert text to int, make sure it worked
+			 * right.
+			 */
+			ttl = strtol(PQgetvalue(rs, i, 0), &endp, 10);
+			if (*endp != '\0' || ttl < 0) {
+				isc_log_write(dns_lctx,
+					      DNS_LOGCATEGORY_DATABASE,
+					      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+					      "Postgres driver ttl must be "
+					      "a positive number");
+			}
+			result = dns_sdlz_putrr(lookup, PQgetvalue(rs, i, 1),
+						ttl, PQgetvalue(rs, i, 2));
+			break;
+		default:
+			/*
+			 * more than 3 fields, concatenate the last
+			 * ones together.  figure out how long to make
+			 * string
+			 */
+			for (j = 2, len = 0; j < fields; j++) {
+				len += strlen(PQgetvalue(rs, i, j)) + 1;
+			}
+			/*
+			 * allocate string memory, allow for NULL to
+			 * term string
+			 */
+			tmpString = isc_mem_allocate(named_g_mctx, len + 1);
+			/* copy field to tmpString */
+			strcpy(tmpString, PQgetvalue(rs, i, 2));
+			/*
+			 * concat the rest of fields together, space
+			 * between each one.
+			 */
+			for (j = 3; j < fields; j++) {
+				strcat(tmpString, " ");
+				strcat(tmpString, PQgetvalue(rs, i, j));
+			}
+			/* convert text to int, make sure it worked right */
+			ttl = strtol(PQgetvalue(rs, i, 0), &endp, 10);
+			if (*endp != '\0' || ttl < 0) {
+				isc_log_write(dns_lctx,
+					      DNS_LOGCATEGORY_DATABASE,
+					      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+					      "Postgres driver ttl must be "
+					      "a positive number");
+			}
+			/* ok, now tell Bind about it. */
+			result = dns_sdlz_putrr(lookup, PQgetvalue(rs, i, 1),
+						ttl, tmpString);
+			/* done, get rid of this thing. */
+			isc_mem_free(named_g_mctx, tmpString);
+		}
+		/* I sure hope we were successful */
+		if (result != ISC_R_SUCCESS) {
+			/* nope, get rid of the Result set, and log a msg */
+			PQclear(rs);
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+				      "dns_sdlz_putrr returned error. "
+				      "Error code was: %s",
+				      isc_result_totext(result));
+			return (ISC_R_FAILURE);
+		}
+	}
+
+	/* free result set memory */
+	PQclear(rs);
+
+	/* if we did return results, we are successful */
+	if (rows > 0) {
+		return (ISC_R_SUCCESS);
+	}
+
+	/* empty result set, no data found */
+	return (ISC_R_NOTFOUND);
+}
+
+/*
+ * SDLZ interface methods
+ */
+
+/*% determine if the zone is supported by (in) the database */
+
+static isc_result_t
+postgres_findzone(void *driverarg, void *dbdata, const char *name,
+		  dns_clientinfomethods_t *methods,
+		  dns_clientinfo_t *clientinfo) {
+	isc_result_t result;
+	PGresult *rs = NULL;
+	unsigned int rows;
+
+	UNUSED(driverarg);
+	UNUSED(methods);
+	UNUSED(clientinfo);
+
+	/* run the query and get the result set from the database. */
+	result = postgres_get_resultset(name, NULL, NULL, FINDZONE, dbdata,
+					&rs);
+	/* if we didn't get a result set, log an err msg. */
+	if (result != ISC_R_SUCCESS) {
+		if (rs != NULL) {
+			PQclear(rs);
+		}
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "Postgres driver unable to return "
+			      "result set for findzone query");
+		return (ISC_R_FAILURE);
+	}
+	/* count how many rows in result set */
+	rows = PQntuples(rs);
+	/* get rid of result set, we are done with it. */
+	PQclear(rs);
+
+	/* if we returned any rows, zone is supported. */
+	if (rows > 0) {
+		return (ISC_R_SUCCESS);
+	}
+
+	/* no rows returned, zone is not supported. */
+	return (ISC_R_NOTFOUND);
+}
+
+/*% Determine if the client is allowed to perform a zone transfer */
+static isc_result_t
+postgres_allowzonexfr(void *driverarg, void *dbdata, const char *name,
+		      const char *client) {
+	isc_result_t result;
+	PGresult *rs = NULL;
+	unsigned int rows;
+	UNUSED(driverarg);
+
+	/* first check if the zone is supported by the database. */
+	result = postgres_findzone(driverarg, dbdata, name, NULL, NULL);
+	if (result != ISC_R_SUCCESS) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	/*
+	 * if we get to this point we know the zone is supported by
+	 * the database the only questions now are is the zone
+	 * transfer is allowed for this client and did the config file
+	 * have an allow zone xfr query.
+	 *
+	 * Run our query, and get a result set from the database.
+	 */
+	result = postgres_get_resultset(name, NULL, client, ALLOWXFR, dbdata,
+					&rs);
+	/* if we get "not implemented", send it along. */
+	if (result == ISC_R_NOTIMPLEMENTED) {
+		return (result);
+	}
+	/* if we didn't get a result set, log an err msg. */
+	if (result != ISC_R_SUCCESS) {
+		if (rs != NULL) {
+			PQclear(rs);
+		}
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "Postgres driver unable to return "
+			      "result set for allow xfr query");
+		return (ISC_R_FAILURE);
+	}
+	/* count how many rows in result set */
+	rows = PQntuples(rs);
+	/* get rid of result set, we are done with it. */
+	PQclear(rs);
+
+	/* if we returned any rows, zone xfr is allowed. */
+	if (rows > 0) {
+		return (ISC_R_SUCCESS);
+	}
+
+	/* no rows returned, zone xfr not allowed */
+	return (ISC_R_NOPERM);
+}
+
+/*%
+ * If the client is allowed to perform a zone transfer, the next order of
+ * business is to get all the nodes in the zone, so bind can respond to the
+ * query.
+ */
+static isc_result_t
+postgres_allnodes(const char *zone, void *driverarg, void *dbdata,
+		  dns_sdlzallnodes_t *allnodes) {
+	isc_result_t result;
+	PGresult *rs = NULL;
+	unsigned int i;
+	unsigned int rows;
+	unsigned int fields;
+	unsigned int j;
+	unsigned int len;
+	char *tmpString;
+	char *endp;
+	int ttl;
+
+	UNUSED(driverarg);
+
+	/* run the query and get the result set from the database. */
+	result = postgres_get_resultset(zone, NULL, NULL, ALLNODES, dbdata,
+					&rs);
+	/* if we get "not implemented", send it along */
+	if (result == ISC_R_NOTIMPLEMENTED) {
+		return (result);
+	}
+	/* if we didn't get a result set, log an err msg. */
+	if (result != ISC_R_SUCCESS) {
+		if (rs != NULL) {
+			PQclear(rs);
+		}
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "Postgres driver unable to return "
+			      "result set for all nodes query");
+		return (ISC_R_FAILURE);
+	}
+
+	rows = PQntuples(rs);	/* how many rows in result set */
+	fields = PQnfields(rs); /* how many columns in result set */
+	for (i = 0; i < rows; i++) {
+		if (fields < 4) { /* gotta have at least 4 columns */
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+				      "Postgres driver too few fields "
+				      "returned by all nodes query");
+		}
+		/* convert text to int, make sure it worked right  */
+		ttl = strtol(PQgetvalue(rs, i, 0), &endp, 10);
+		if (*endp != '\0' || ttl < 0) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+				      "Postgres driver ttl must be "
+				      "a positive number");
+		}
+		if (fields == 4) {
+			/* tell Bind about it. */
+			result = dns_sdlz_putnamedrr(allnodes,
+						     PQgetvalue(rs, i, 2),
+						     PQgetvalue(rs, i, 1), ttl,
+						     PQgetvalue(rs, i, 3));
+		} else {
+			/*
+			 * more than 4 fields, concatonat the last
+			 * ones together.  figure out how long to make
+			 * string
+			 */
+			for (j = 3, len = 0; j < fields; j++) {
+				len += strlen(PQgetvalue(rs, i, j)) + 1;
+			}
+			/* allocate memory, allow for NULL to term string */
+			tmpString = isc_mem_allocate(named_g_mctx, len + 1);
+			/* copy this field to tmpString */
+			strcpy(tmpString, PQgetvalue(rs, i, 3));
+			/* concatenate the rest, with spaces between */
+			for (j = 4; j < fields; j++) {
+				strcat(tmpString, " ");
+				strcat(tmpString, PQgetvalue(rs, i, j));
+			}
+			/* tell Bind about it. */
+			result = dns_sdlz_putnamedrr(
+				allnodes, PQgetvalue(rs, i, 2),
+				PQgetvalue(rs, i, 1), ttl, tmpString);
+			isc_mem_free(named_g_mctx, tmpString);
+		}
+		/* if we weren't successful, log err msg */
+		if (result != ISC_R_SUCCESS) {
+			PQclear(rs);
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+				      "dns_sdlz_putnamedrr returned error. "
+				      "Error code was: %s",
+				      isc_result_totext(result));
+			return (ISC_R_FAILURE);
+		}
+	}
+
+	/* free result set memory */
+	PQclear(rs);
+
+	/* if we did return results, we are successful */
+	if (rows > 0) {
+		return (ISC_R_SUCCESS);
+	}
+
+	/* empty result set, no data found */
+	return (ISC_R_NOTFOUND);
+}
+
+/*%
+ * if the lookup function does not return SOA or NS records for the zone,
+ * use this function to get that information for Bind.
+ */
+
+static isc_result_t
+postgres_authority(const char *zone, void *driverarg, void *dbdata,
+		   dns_sdlzlookup_t *lookup) {
+	isc_result_t result;
+	PGresult *rs = NULL;
+
+	UNUSED(driverarg);
+
+	/* run the query and get the result set from the database. */
+	result = postgres_get_resultset(zone, NULL, NULL, AUTHORITY, dbdata,
+					&rs);
+	/* if we get "not implemented", send it along */
+	if (result == ISC_R_NOTIMPLEMENTED) {
+		return (result);
+	}
+	/* if we didn't get a result set, log an err msg. */
+	if (result != ISC_R_SUCCESS) {
+		if (rs != NULL) {
+			PQclear(rs);
+		}
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "Postgres driver unable to return "
+			      "result set for authority query");
+		return (ISC_R_FAILURE);
+	}
+	/*
+	 * lookup and authority result sets are processed in the same
+	 * manner postgres_process_rs does the job for both
+	 * functions.
+	 */
+	return (postgres_process_rs(lookup, rs));
+}
+
+/*% if zone is supported, lookup up a (or multiple) record(s) in it */
+static isc_result_t
+postgres_lookup(const char *zone, const char *name, void *driverarg,
+		void *dbdata, dns_sdlzlookup_t *lookup,
+		dns_clientinfomethods_t *methods,
+		dns_clientinfo_t *clientinfo) {
+	isc_result_t result;
+	PGresult *rs = NULL;
+
+	UNUSED(driverarg);
+	UNUSED(methods);
+	UNUSED(clientinfo);
+
+	/* run the query and get the result set from the database. */
+	result = postgres_get_resultset(zone, name, NULL, LOOKUP, dbdata, &rs);
+	/* if we didn't get a result set, log an err msg. */
+	if (result != ISC_R_SUCCESS) {
+		if (rs != NULL) {
+			PQclear(rs);
+		}
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "Postgres driver unable to "
+			      "return result set for lookup query");
+		return (ISC_R_FAILURE);
+	}
+	/*
+	 * lookup and authority result sets are processed in the same
+	 * manner postgres_process_rs does the job for both functions.
+	 */
+	return (postgres_process_rs(lookup, rs));
+}
+
+/*%
+ * create an instance of the driver.  Remember, only 1 copy of the driver's
+ * code is ever loaded, the driver has to remember which context it's
+ * operating in.  This is done via use of the dbdata argument which is
+ * passed into all query functions.
+ */
+static isc_result_t
+postgres_create(const char *dlzname, unsigned int argc, char *argv[],
+		void *driverarg, void **dbdata) {
+	isc_result_t result;
+	dbinstance_t *dbi = NULL;
+	unsigned int j;
+
+	/* if multi-threaded, we need a few extra variables. */
+	int dbcount;
+	db_list_t *dblist = NULL;
+	int i;
+	char *endp;
+
+	UNUSED(driverarg);
+	UNUSED(dlzname);
+
+	/* seed random # generator */
+	srand((unsigned)time(NULL));
+
+	/* if debugging, let user know we are multithreaded. */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ,
+		      ISC_LOG_DEBUG(1),
+		      "Postgres driver running multithreaded");
+
+	/* verify we have at least 5 arg's passed to the driver */
+	if (argc < 5) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "Postgres driver requires at least "
+			      "4 command line args.");
+		return (ISC_R_FAILURE);
+	}
+
+	/* no more than 8 arg's should be passed to the driver */
+	if (argc > 8) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "Postgres driver cannot accept more than "
+			      "7 command line args.");
+		return (ISC_R_FAILURE);
+	}
+
+	/* multithreaded build can have multiple DB connections */
+
+	/* check how many db connections we should create */
+	dbcount = strtol(argv[1], &endp, 10);
+	if (*endp != '\0' || dbcount < 0) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "Postgres driver database connection count "
+			      "must be positive.");
+		return (ISC_R_FAILURE);
+	}
+
+	/* allocate memory for database connection list */
+	dblist = isc_mem_get(named_g_mctx, sizeof(db_list_t));
+
+	/* initialize DB connection list */
+	ISC_LIST_INIT(*dblist);
+
+	/*
+	 * create the appropriate number of database instances (DBI)
+	 * append each new DBI to the end of the list
+	 */
+	for (i = 0; i < dbcount; i++) {
+		/* how many queries were passed in from config file? */
+		switch (argc) {
+		case 5:
+			result = build_sqldbinstance(named_g_mctx, NULL, NULL,
+						     NULL, argv[3], argv[4],
+						     NULL, &dbi);
+			break;
+		case 6:
+			result = build_sqldbinstance(named_g_mctx, NULL, NULL,
+						     argv[5], argv[3], argv[4],
+						     NULL, &dbi);
+			break;
+		case 7:
+			result = build_sqldbinstance(named_g_mctx, argv[6],
+						     NULL, argv[5], argv[3],
+						     argv[4], NULL, &dbi);
+			break;
+		case 8:
+			result = build_sqldbinstance(named_g_mctx, argv[6],
+						     argv[7], argv[5], argv[3],
+						     argv[4], NULL, &dbi);
+			break;
+		default:
+			/* not really needed, should shut up compiler. */
+			result = ISC_R_FAILURE;
+		}
+
+		if (result == ISC_R_SUCCESS) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(2),
+				      "Postgres driver created database "
+				      "instance object.");
+		} else { /* unsuccessful?, log err msg and cleanup. */
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+				      "Postgres driver could not create "
+				      "database instance object.");
+			goto cleanup;
+		}
+
+		/* when multithreaded, build a list of DBI's */
+		ISC_LINK_INIT(dbi, link);
+		ISC_LIST_APPEND(*dblist, dbi, link);
+
+		/* create and set db connection */
+		dbi->dbconn = PQconnectdb(argv[2]);
+		/*
+		 * if db connection cannot be created, log err msg and
+		 * cleanup.
+		 */
+		if (dbi->dbconn == NULL) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+				      "Postgres driver could not allocate "
+				      "memory for database connection");
+			goto cleanup;
+		}
+
+		/* if we cannot connect the first time, try 3 more times. */
+		for (j = 0;
+		     PQstatus((PGconn *)dbi->dbconn) != CONNECTION_OK && j < 3;
+		     j++)
+		{
+			PQreset((PGconn *)dbi->dbconn);
+		}
+
+		/*
+		 * if multi threaded, let user know which connection
+		 * failed.  user could be attempting to create 10 db
+		 * connections and for some reason the db backend only
+		 * allows 9
+		 */
+		if (PQstatus((PGconn *)dbi->dbconn) != CONNECTION_OK) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+				      "Postgres driver failed to create "
+				      "database connection number %u "
+				      "after 4 attempts",
+				      i + 1);
+			goto cleanup;
+		}
+
+		/* set DBI = null for next loop through. */
+		dbi = NULL;
+	} /* end for loop */
+
+	/* set dbdata to the list we created. */
+	*dbdata = dblist;
+
+	/* hey, we got through all of that ok, return success. */
+	return (ISC_R_SUCCESS);
+
+cleanup:
+
+	/*
+	 * if multithreaded, we could fail because only 1 connection
+	 * couldn't be made.  We should cleanup the other successful
+	 * connections properly.
+	 */
+	postgres_destroy_dblist(dblist);
+
+	return (ISC_R_FAILURE);
+}
+
+/*%
+ * destroy an instance of the driver.  Remember, only 1 copy of the driver's
+ * code is ever loaded, the driver has to remember which context it's
+ * operating in.  This is done via use of the dbdata argument.
+ * so we really only need to clean it up since we are not using driverarg.
+ */
+static void
+postgres_destroy(void *driverarg, void *dbdata) {
+	UNUSED(driverarg);
+	/* cleanup the list of DBI's */
+	postgres_destroy_dblist((db_list_t *)dbdata);
+}
+
+/* pointers to all our runtime methods. */
+/* this is used during driver registration */
+/* i.e. in dlz_postgres_init below. */
+static dns_sdlzmethods_t dlz_postgres_methods = {
+	postgres_create,
+	postgres_destroy,
+	postgres_findzone,
+	postgres_lookup,
+	postgres_authority,
+	postgres_allnodes,
+	postgres_allowzonexfr,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+};
+
+/*%
+ * Wrapper around dns_sdlzregister().
+ */
+isc_result_t
+dlz_postgres_init(void) {
+	isc_result_t result;
+
+	/*
+	 * Write debugging message to log
+	 */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ,
+		      ISC_LOG_DEBUG(2), "Registering DLZ postgres driver.");
+
+	/*
+	 * Driver is always threadsafe.  When multithreaded all
+	 * functions use multithreaded code.  When not multithreaded,
+	 * all functions can only be entered once, but only 1 thread
+	 * of operation is available in Bind.  So everything is still
+	 * threadsafe.
+	 */
+	result = dns_sdlzregister("postgres", &dlz_postgres_methods, NULL,
+				  DNS_SDLZFLAG_RELATIVEOWNER |
+					  DNS_SDLZFLAG_RELATIVERDATA |
+					  DNS_SDLZFLAG_THREADSAFE,
+				  named_g_mctx, &dlz_postgres);
+	/* if we can't register the driver, there are big problems. */
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "dns_sdlzregister() failed: %s",
+				 isc_result_totext(result));
+		result = ISC_R_UNEXPECTED;
+	}
+
+	return (result);
+}
+
+/*%
+ * Wrapper around dns_sdlzunregister().
+ */
+void
+dlz_postgres_clear(void) {
+	/*
+	 * Write debugging message to log
+	 */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ,
+		      ISC_LOG_DEBUG(2), "Unregistering DLZ postgres driver.");
+
+	/* unregister the driver. */
+	if (dlz_postgres != NULL) {
+		dns_sdlzunregister(&dlz_postgres);
+	}
+}
+
+#endif /* ifdef DLZ_POSTGRES */
diff --git a/contrib/dlz/drivers/dlz_stub_driver.c b/contrib/dlz/drivers/dlz_stub_driver.c
new file mode 100644
index 0000000..f2e6f5f
--- /dev/null
+++ b/contrib/dlz/drivers/dlz_stub_driver.c
@@ -0,0 +1,295 @@
+/*
+ * Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) 1999-2001, 2016  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+#ifdef DLZ_STUB
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/util.h>
+
+#include <dns/log.h>
+#include <dns/result.h>
+#include <dns/sdlz.h>
+
+#include <dlz/dlz_stub_driver.h>
+#include <named/globals.h>
+
+static dns_sdlzimplementation_t *dlz_stub = NULL;
+
+typedef struct config_data {
+	char *myzone;
+	char *myname;
+	char *myip;
+	isc_mem_t *mctx;
+} config_data_t;
+
+/*
+ * SDLZ methods
+ */
+
+static isc_result_t
+stub_dlz_allnodes(const char *zone, void *driverarg, void *dbdata,
+		  dns_sdlzallnodes_t *allnodes) {
+	config_data_t *cd;
+	isc_result_t result;
+
+	UNUSED(zone);
+	UNUSED(driverarg);
+
+	cd = (config_data_t *)dbdata;
+
+	result = dns_sdlz_putnamedrr(allnodes, cd->myname, "soa", 86400,
+				     "web root.localhost. "
+				     "0 28800 7200 604800 86400");
+	if (result != ISC_R_SUCCESS) {
+		return (ISC_R_FAILURE);
+	}
+	result = dns_sdlz_putnamedrr(allnodes, "ns", "ns", 86400, cd->myname);
+	if (result != ISC_R_SUCCESS) {
+		return (ISC_R_FAILURE);
+	}
+	result = dns_sdlz_putnamedrr(allnodes, cd->myname, "a", 1, cd->myip);
+	if (result != ISC_R_SUCCESS) {
+		return (ISC_R_FAILURE);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+stub_dlz_allowzonexfr(void *driverarg, void *dbdata, const char *name,
+		      const char *client) {
+	config_data_t *cd;
+
+	UNUSED(driverarg);
+	UNUSED(client);
+
+	cd = (config_data_t *)dbdata;
+
+	if (strcmp(name, cd->myname) == 0) {
+		return (ISC_R_SUCCESS);
+	}
+	return (ISC_R_NOTFOUND);
+}
+
+static isc_result_t
+stub_dlz_authority(const char *zone, void *driverarg, void *dbdata,
+		   dns_sdlzlookup_t *lookup) {
+	isc_result_t result;
+	config_data_t *cd;
+
+	UNUSED(driverarg);
+
+	cd = (config_data_t *)dbdata;
+
+	if (strcmp(zone, cd->myzone) == 0) {
+		result = dns_sdlz_putsoa(lookup, cd->myname, "root.localhost.",
+					 0);
+		if (result != ISC_R_SUCCESS) {
+			return (ISC_R_FAILURE);
+		}
+
+		result = dns_sdlz_putrr(lookup, "ns", 86400, cd->myname);
+		if (result != ISC_R_SUCCESS) {
+			return (ISC_R_FAILURE);
+		}
+
+		return (ISC_R_SUCCESS);
+	}
+	return (ISC_R_NOTFOUND);
+}
+
+static isc_result_t
+stub_dlz_findzonedb(void *driverarg, void *dbdata, const char *name,
+		    dns_clientinfomethods_t *methods,
+		    dns_clientinfo_t *clientinfo) {
+	config_data_t *cd;
+
+	UNUSED(driverarg);
+	UNUSED(methods);
+	UNUSED(clientinfo);
+
+	cd = (config_data_t *)dbdata;
+
+	/* Write info message to log */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ,
+		      ISC_LOG_DEBUG(2), "dlz_stub findzone looking for '%s'",
+		      name);
+
+	if (strcmp(cd->myzone, name) == 0) {
+		return (ISC_R_SUCCESS);
+	} else {
+		return (ISC_R_NOTFOUND);
+	}
+}
+
+static isc_result_t
+stub_dlz_lookup(const char *zone, const char *name, void *driverarg,
+		void *dbdata, dns_sdlzlookup_t *lookup,
+		dns_clientinfomethods_t *methods,
+		dns_clientinfo_t *clientinfo) {
+	isc_result_t result;
+	config_data_t *cd;
+
+	UNUSED(zone);
+	UNUSED(driverarg);
+	UNUSED(methods);
+	UNUSED(clientinfo);
+
+	cd = (config_data_t *)dbdata;
+
+	if (strcmp(name, cd->myname) == 0) {
+		result = dns_sdlz_putrr(lookup, "a", 1, cd->myip);
+		if (result != ISC_R_SUCCESS) {
+			return (ISC_R_FAILURE);
+		}
+
+		return (ISC_R_SUCCESS);
+	}
+	return (ISC_R_FAILURE);
+}
+
+static isc_result_t
+stub_dlz_create(const char *dlzname, unsigned int argc, char *argv[],
+		void *driverarg, void **dbdata) {
+	config_data_t *cd;
+
+	UNUSED(driverarg);
+
+	if (argc < 4) {
+		return (ISC_R_FAILURE);
+	}
+	/*
+	 * Write info message to log
+	 */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ,
+		      ISC_LOG_INFO,
+		      "Loading '%s' using DLZ_stub driver. "
+		      "Zone: %s, Name: %s IP: %s",
+		      dlzname, argv[1], argv[2], argv[3]);
+
+	cd = isc_mem_get(named_g_mctx, sizeof(config_data_t));
+	if ((cd) == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	memset(cd, 0, sizeof(config_data_t));
+
+	cd->myzone = isc_mem_strdup(named_g_mctx, argv[1]);
+
+	cd->myname = isc_mem_strdup(named_g_mctx, argv[2]);
+
+	cd->myip = isc_mem_strdup(named_g_mctx, argv[3]);
+
+	isc_mem_attach(named_g_mctx, &cd->mctx);
+
+	*dbdata = cd;
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+stub_dlz_destroy(void *driverarg, void *dbdata) {
+	config_data_t *cd;
+	isc_mem_t *mctx;
+
+	UNUSED(driverarg);
+
+	cd = (config_data_t *)dbdata;
+
+	/*
+	 * Write debugging message to log
+	 */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ,
+		      ISC_LOG_DEBUG(2), "Unloading DLZ_stub driver.");
+
+	isc_mem_free(named_g_mctx, cd->myzone);
+	isc_mem_free(named_g_mctx, cd->myname);
+	isc_mem_free(named_g_mctx, cd->myip);
+	mctx = cd->mctx;
+	isc_mem_putanddetach(&mctx, cd, sizeof(config_data_t));
+}
+
+static dns_sdlzmethods_t dlz_stub_methods = {
+	stub_dlz_create,
+	stub_dlz_destroy,
+	stub_dlz_findzonedb,
+	stub_dlz_lookup,
+	stub_dlz_authority,
+	stub_dlz_allnodes,
+	stub_dlz_allowzonexfr,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+};
+
+/*%
+ * Wrapper around dns_sdlzregister().
+ */
+isc_result_t
+dlz_stub_init(void) {
+	isc_result_t result;
+
+	/*
+	 * Write debugging message to log
+	 */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ,
+		      ISC_LOG_DEBUG(2), "Registering DLZ_stub driver.");
+
+	result = dns_sdlzregister("dlz_stub", &dlz_stub_methods, NULL,
+				  DNS_SDLZFLAG_RELATIVEOWNER |
+					  DNS_SDLZFLAG_RELATIVERDATA,
+				  named_g_mctx, &dlz_stub);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "dns_sdlzregister() failed: %s",
+				 isc_result_totext(result));
+		result = ISC_R_UNEXPECTED;
+	}
+
+	return (result);
+}
+
+/*
+ * Wrapper around dns_sdlzunregister().
+ */
+void
+dlz_stub_clear(void) {
+	/*
+	 * Write debugging message to log
+	 */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ,
+		      ISC_LOG_DEBUG(2), "Unregistering DLZ_stub driver.");
+
+	if (dlz_stub != NULL) {
+		dns_sdlzunregister(&dlz_stub);
+	}
+}
+
+#endif /* ifdef DLZ_STUB */
diff --git a/contrib/dlz/drivers/include/.clang-format b/contrib/dlz/drivers/include/.clang-format
new file mode 120000
index 0000000..e919bba
--- /dev/null
+++ b/contrib/dlz/drivers/include/.clang-format
@@ -0,0 +1 @@
+../../../../.clang-format.headers
\ No newline at end of file
diff --git a/contrib/dlz/drivers/include/dlz/dlz_bdb_driver.h b/contrib/dlz/drivers/include/dlz/dlz_bdb_driver.h
new file mode 100644
index 0000000..afe903d
--- /dev/null
+++ b/contrib/dlz/drivers/include/dlz/dlz_bdb_driver.h
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DLZ_BDB_DRIVER_H
+#define DLZ_BDB_DRIVER_H
+
+isc_result_t
+dlz_bdb_init(void);
+
+void
+dlz_bdb_clear(void);
+
+#endif /* ifndef DLZ_BDB_DRIVER_H */
diff --git a/contrib/dlz/drivers/include/dlz/dlz_bdbhpt_driver.h b/contrib/dlz/drivers/include/dlz/dlz_bdbhpt_driver.h
new file mode 100644
index 0000000..c4d151f
--- /dev/null
+++ b/contrib/dlz/drivers/include/dlz/dlz_bdbhpt_driver.h
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DLZ_BDBHPT_DRIVER_H
+#define DLZ_BDBHPT_DRIVER_H
+
+isc_result_t
+dlz_bdbhpt_init(void);
+
+void
+dlz_bdbhpt_clear(void);
+
+#endif /* ifndef DLZ_BDBHPT_DRIVER_H */
diff --git a/contrib/dlz/drivers/include/dlz/dlz_dlopen_driver.h b/contrib/dlz/drivers/include/dlz/dlz_dlopen_driver.h
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/contrib/dlz/drivers/include/dlz/dlz_dlopen_driver.h
diff --git a/contrib/dlz/drivers/include/dlz/dlz_drivers.h b/contrib/dlz/drivers/include/dlz/dlz_drivers.h
new file mode 100644
index 0000000..f3f66c5
--- /dev/null
+++ b/contrib/dlz/drivers/include/dlz/dlz_drivers.h
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DLZ_DRIVERS_H
+#define DLZ_DRIVERS_H 1
+
+/*! \file */
+
+isc_result_t
+dlz_drivers_init(void);
+
+void
+dlz_drivers_clear(void);
+
+#endif /* DLZ_DRIVERS_H */
diff --git a/contrib/dlz/drivers/include/dlz/dlz_filesystem_driver.h b/contrib/dlz/drivers/include/dlz/dlz_filesystem_driver.h
new file mode 100644
index 0000000..dc83582
--- /dev/null
+++ b/contrib/dlz/drivers/include/dlz/dlz_filesystem_driver.h
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DLZ_FILESYSTEM_DRIVER_H
+#define DLZ_FILESYSTEM_DRIVER_H
+
+isc_result_t
+dlz_fs_init(void);
+
+void
+dlz_fs_clear(void);
+
+#endif /* ifndef DLZ_FILESYSTEM_DRIVER_H */
diff --git a/contrib/dlz/drivers/include/dlz/dlz_ldap_driver.h b/contrib/dlz/drivers/include/dlz/dlz_ldap_driver.h
new file mode 100644
index 0000000..ec01d97
--- /dev/null
+++ b/contrib/dlz/drivers/include/dlz/dlz_ldap_driver.h
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DLZ_LDAP_DRIVER_H
+#define DLZ_LDAP_DRIVER_H
+
+isc_result_t
+dlz_ldap_init(void);
+
+void
+dlz_ldap_clear(void);
+
+#endif /* ifndef DLZ_LDAP_DRIVER_H */
diff --git a/contrib/dlz/drivers/include/dlz/dlz_mysql_driver.h b/contrib/dlz/drivers/include/dlz/dlz_mysql_driver.h
new file mode 100644
index 0000000..b419482
--- /dev/null
+++ b/contrib/dlz/drivers/include/dlz/dlz_mysql_driver.h
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DLZ_MYSQL_DRIVER_H
+#define DLZ_MYSQL_DRIVER_H
+
+isc_result_t
+dlz_mysql_init(void);
+
+void
+dlz_mysql_clear(void);
+
+#endif /* ifndef DLZ_MYSQL_DRIVER_H */
diff --git a/contrib/dlz/drivers/include/dlz/dlz_odbc_driver.h b/contrib/dlz/drivers/include/dlz/dlz_odbc_driver.h
new file mode 100644
index 0000000..023c746
--- /dev/null
+++ b/contrib/dlz/drivers/include/dlz/dlz_odbc_driver.h
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DLZ_ODBC_DRIVER_H
+#define DLZ_ODBC_DRIVER_H
+
+isc_result_t
+dlz_odbc_init(void);
+
+void
+dlz_odbc_clear(void);
+
+#endif /* ifndef DLZ_ODBC_DRIVER_H */
diff --git a/contrib/dlz/drivers/include/dlz/dlz_postgres_driver.h b/contrib/dlz/drivers/include/dlz/dlz_postgres_driver.h
new file mode 100644
index 0000000..f0692f1
--- /dev/null
+++ b/contrib/dlz/drivers/include/dlz/dlz_postgres_driver.h
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DLZ_POSTGRES_DRIVER_H
+#define DLZ_POSTGRES_DRIVER_H
+
+isc_result_t
+dlz_postgres_init(void);
+
+void
+dlz_postgres_clear(void);
+
+#endif /* ifndef DLZ_POSTGRES_DRIVER_H */
diff --git a/contrib/dlz/drivers/include/dlz/dlz_stub_driver.h b/contrib/dlz/drivers/include/dlz/dlz_stub_driver.h
new file mode 100644
index 0000000..bf9b90a
--- /dev/null
+++ b/contrib/dlz/drivers/include/dlz/dlz_stub_driver.h
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DLZ_STUB_DRIVER_H
+#define DLZ_STUB_DRIVER_H
+
+isc_result_t
+dlz_stub_init(void);
+
+void
+dlz_stub_clear(void);
+
+#endif /* ifndef DLZ_STUB_DRIVER_H */
diff --git a/contrib/dlz/drivers/include/dlz/sdlz_helper.h b/contrib/dlz/drivers/include/dlz/sdlz_helper.h
new file mode 100644
index 0000000..1ddf3b9
--- /dev/null
+++ b/contrib/dlz/drivers/include/dlz/sdlz_helper.h
@@ -0,0 +1,99 @@
+/*
+ * Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef SDLZHELPER_H
+#define SDLZHELPER_H
+
+#include <stdbool.h>
+
+/*
+ * Types
+ */
+#define SDLZH_REQUIRE_CLIENT 0x01
+#define SDLZH_REQUIRE_QUERY  0x02
+#define SDLZH_REQUIRE_RECORD 0x04
+#define SDLZH_REQUIRE_ZONE   0x08
+
+typedef struct query_segment query_segment_t;
+typedef ISC_LIST(query_segment_t) query_list_t;
+typedef struct dbinstance dbinstance_t;
+typedef ISC_LIST(dbinstance_t) db_list_t;
+typedef struct driverinstance driverinstance_t;
+
+/*%
+ * a query segment is all the text between our special tokens
+ * special tokens are %zone%, %record%, %client%
+ */
+struct query_segment {
+	void	    *sql;
+	unsigned int strlen;
+	bool	     direct;
+	ISC_LINK(query_segment_t) link;
+};
+
+/*%
+ * a database instance contains everything we need for running
+ * a query against the database.  Using it each separate thread
+ * can dynamically construct a query and execute it against the
+ * database.  The "instance_lock" and locking code in the driver's
+ * make sure no two threads try to use the same DBI at a time.
+ */
+struct dbinstance {
+	void	     *dbconn;
+	query_list_t *allnodes_q;
+	query_list_t *allowxfr_q;
+	query_list_t *authority_q;
+	query_list_t *findzone_q;
+	query_list_t *lookup_q;
+	query_list_t *countzone_q;
+	char	     *query_buf;
+	char	     *zone;
+	char	     *record;
+	char	     *client;
+	isc_mem_t    *mctx;
+	isc_mutex_t   instance_lock;
+	ISC_LINK(dbinstance_t) link;
+};
+
+/*
+ * Method declarations
+ */
+
+/* see the code in sdlz_helper.c for more information on these methods */
+
+char *
+sdlzh_build_querystring(isc_mem_t *mctx, query_list_t *querylist);
+
+isc_result_t
+sdlzh_build_sqldbinstance(isc_mem_t *mctx, const char *allnodes_str,
+			  const char *allowxfr_str, const char *authority_str,
+			  const char *findzone_str, const char *lookup_str,
+			  const char *countzone_str, dbinstance_t **dbi);
+
+void
+sdlzh_destroy_sqldbinstance(dbinstance_t *dbi);
+
+char *
+sdlzh_get_parameter_value(isc_mem_t *mctx, const char *input, const char *key);
+
+/* Compatibility with existing DLZ drivers */
+
+#define build_querystring     sdlzh_build_querystring
+#define build_sqldbinstance   sdlzh_build_sqldbinstance
+#define destroy_sqldbinstance sdlzh_destroy_sqldbinstance
+
+#define getParameterValue(x, y) \
+	sdlzh_get_parameter_value(named_g_mctx, (x), (y))
+
+#endif /* SDLZHELPER_H */
diff --git a/contrib/dlz/drivers/rules.in b/contrib/dlz/drivers/rules.in
new file mode 100644
index 0000000..560c200
--- /dev/null
+++ b/contrib/dlz/drivers/rules.in
@@ -0,0 +1,50 @@
+# Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+dlz_drivers.@O@: ${DLZ_DRIVER_DIR}/dlz_drivers.c ${DLZ_DRIVER_DIR}/include/dlz/dlz_drivers.h
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c ${DLZ_DRIVER_DIR}/dlz_drivers.c
+
+sdlz_helper.@O@: ${DLZ_DRIVER_DIR}/sdlz_helper.c ${DLZ_DRIVER_DIR}/include/dlz/sdlz_helper.h
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c ${DLZ_DRIVER_DIR}/sdlz_helper.c
+
+
+dlz_bdb_driver.@O@: ${DLZ_DRIVER_DIR}/dlz_bdb_driver.c ${DLZ_DRIVER_DIR}/include/dlz/dlz_bdb_driver.h
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c ${DLZ_DRIVER_DIR}/dlz_bdb_driver.c
+
+dlz_bdbhpt_driver.@O@: ${DLZ_DRIVER_DIR}/dlz_bdbhpt_driver.c ${DLZ_DRIVER_DIR}/include/dlz/dlz_bdbhpt_driver.h
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c ${DLZ_DRIVER_DIR}/dlz_bdbhpt_driver.c
+
+dlz_filesystem_driver.@O@: ${DLZ_DRIVER_DIR}/dlz_filesystem_driver.c ${DLZ_DRIVER_DIR}/include/dlz/dlz_filesystem_driver.h
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c ${DLZ_DRIVER_DIR}/dlz_filesystem_driver.c
+
+dlz_ldap_driver.@O@: ${DLZ_DRIVER_DIR}/dlz_ldap_driver.c ${DLZ_DRIVER_DIR}/include/dlz/dlz_ldap_driver.h
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c ${DLZ_DRIVER_DIR}/dlz_ldap_driver.c
+
+dlz_mysql_driver.@O@: ${DLZ_DRIVER_DIR}/dlz_mysql_driver.c ${DLZ_DRIVER_DIR}/include/dlz/dlz_mysql_driver.h
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c ${DLZ_DRIVER_DIR}/dlz_mysql_driver.c
+
+dlz_odbc_driver.@O@: ${DLZ_DRIVER_DIR}/dlz_odbc_driver.c ${DLZ_DRIVER_DIR}/include/dlz/dlz_odbc_driver.h
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c ${DLZ_DRIVER_DIR}/dlz_odbc_driver.c
+
+dlz_postgres_driver.@O@: ${DLZ_DRIVER_DIR}/dlz_postgres_driver.c ${DLZ_DRIVER_DIR}/include/dlz/dlz_postgres_driver.h
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c ${DLZ_DRIVER_DIR}/dlz_postgres_driver.c
+
+dlz_dlopen_driver.@O@: ${DLZ_DRIVER_DIR}/dlz_dlopen_driver.c ${DLZ_DRIVER_DIR}/include/dlz/dlz_dlopen_driver.h
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c ${DLZ_DRIVER_DIR}/dlz_dlopen_driver.c
+
+dlz_stub_driver.@O@: ${DLZ_DRIVER_DIR}/dlz_stub_driver.c ${DLZ_DRIVER_DIR}/include/dlz/dlz_stub_driver.h
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c ${DLZ_DRIVER_DIR}/dlz_stub_driver.c
+
diff --git a/contrib/dlz/drivers/sdlz_helper.c b/contrib/dlz/drivers/sdlz_helper.c
new file mode 100644
index 0000000..96c2be7
--- /dev/null
+++ b/contrib/dlz/drivers/sdlz_helper.c
@@ -0,0 +1,468 @@
+/*
+ * Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) 1999-2001, 2016  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+#include <stdbool.h>
+
+#include <isc/mem.h>
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/log.h>
+#include <dns/result.h>
+
+#include <dlz/sdlz_helper.h>
+
+/*
+ * sdlz helper methods
+ */
+
+/*%
+ * properly destroys a querylist by de-allocating the
+ * memory for each query segment, and then the list itself
+ */
+
+static void
+destroy_querylist(isc_mem_t *mctx, query_list_t **querylist) {
+	query_segment_t *tseg = NULL;
+	query_segment_t *nseg = NULL;
+
+	REQUIRE(mctx != NULL);
+
+	/* if query list is null, nothing to do */
+	if (*querylist == NULL) {
+		return;
+	}
+
+	/* start at the top of the list */
+	nseg = ISC_LIST_HEAD(**querylist);
+	while (nseg != NULL) { /* loop, until end of list */
+		tseg = nseg;
+		/*
+		 * free the query segment's text string but only if it
+		 * was really a query segment, and not a pointer to
+		 * %zone%, or %record%, or %client%
+		 */
+		if (tseg->sql != NULL && tseg->direct) {
+			isc_mem_free(mctx, tseg->sql);
+		}
+		/* get the next query segment, before we destroy this one. */
+		nseg = ISC_LIST_NEXT(nseg, link);
+		/* deallocate this query segment. */
+		isc_mem_put(mctx, tseg, sizeof(query_segment_t));
+	}
+	/* deallocate the query segment list */
+	isc_mem_put(mctx, *querylist, sizeof(query_list_t));
+}
+
+/*% constructs a query list by parsing a string into query segments */
+static isc_result_t
+build_querylist(isc_mem_t *mctx, const char *query_str, char **zone,
+		char **record, char **client, query_list_t **querylist,
+		unsigned int flags) {
+	isc_result_t result;
+	bool foundzone = false;
+	bool foundrecord = false;
+	bool foundclient = false;
+	char *free_me = NULL;
+	char *temp_str = NULL;
+	query_list_t *tql;
+	query_segment_t *tseg = NULL;
+	char *last = NULL;
+
+	REQUIRE(querylist != NULL && *querylist == NULL);
+	REQUIRE(mctx != NULL);
+
+	/* if query string is null, or zero length */
+	if (query_str == NULL || strlen(query_str) < 1) {
+		if ((flags & SDLZH_REQUIRE_QUERY) == 0) {
+			/* we don't need it were ok. */
+			return (ISC_R_SUCCESS);
+		} else {
+			/* we did need it, PROBLEM!!! */
+			return (ISC_R_FAILURE);
+		}
+	}
+
+	/* allocate memory for query list */
+	tql = isc_mem_get(mctx, sizeof(query_list_t));
+
+	/* initialize the query segment list */
+	ISC_LIST_INIT(*tql);
+
+	/* make a copy of query_str so we can chop it up */
+	free_me = temp_str = isc_mem_strdup(mctx, query_str);
+	/* couldn't make a copy, problem!! */
+	if (temp_str == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+
+	/* loop through the string and chop it up */
+	for (;;) {
+		/*
+		 * Split string into tokens at '$'.
+		 */
+		const char *sql = strtok_r(temp_str, "$", &last);
+		if (sql == NULL) {
+			break;
+		}
+		temp_str = NULL;
+
+		/* allocate memory for tseg */
+		tseg = isc_mem_get(mctx, sizeof(query_segment_t));
+		tseg->sql = NULL;
+		tseg->direct = false;
+		/* initialize the query segment link */
+		ISC_LINK_INIT(tseg, link);
+		/* append the query segment to the list */
+		ISC_LIST_APPEND(*tql, tseg, link);
+
+		tseg->sql = isc_mem_strdup(mctx, sql);
+		/* tseg->sql points directly to a string. */
+		tseg->direct = true;
+		tseg->strlen = strlen(tseg->sql);
+
+		/* check if we encountered "$zone$" token */
+		if (strcasecmp(tseg->sql, "zone") == 0) {
+			/*
+			 * we don't really need, or want the "zone"
+			 * text, so get rid of it.
+			 */
+			isc_mem_free(mctx, tseg->sql);
+			/* set tseg->sql to in-direct zone string */
+			tseg->sql = zone;
+			tseg->strlen = 0;
+			/* tseg->sql points in-directly to a string */
+			tseg->direct = false;
+			foundzone = true;
+			/* check if we encountered "$record$" token */
+		} else if (strcasecmp(tseg->sql, "record") == 0) {
+			/*
+			 * we don't really need, or want the "record"
+			 * text, so get rid of it.
+			 */
+			isc_mem_free(mctx, tseg->sql);
+			/* set tseg->sql to in-direct record string */
+			tseg->sql = record;
+			tseg->strlen = 0;
+			/* tseg->sql points in-directly points to a string */
+			tseg->direct = false;
+			foundrecord = true;
+			/* check if we encountered "$client$" token */
+		} else if (strcasecmp(tseg->sql, "client") == 0) {
+			/*
+			 * we don't really need, or want the "client"
+			 * text, so get rid of it.
+			 */
+			isc_mem_free(mctx, tseg->sql);
+			/* set tseg->sql to in-direct record string */
+			tseg->sql = client;
+			tseg->strlen = 0;
+			/* tseg->sql points in-directly points to a string */
+			tseg->direct = false;
+			foundclient = true;
+		}
+	}
+
+	/* we don't need temp_str any more */
+	isc_mem_free(mctx, free_me);
+	/*
+	 * add checks later to verify zone and record are found if
+	 * necessary.
+	 */
+
+	/* if this query requires %client%, make sure we found it */
+	if (((flags & SDLZH_REQUIRE_CLIENT) != 0) && (!foundclient)) {
+		/* Write error message to log */
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "Required token $client$ not found.");
+		result = ISC_R_FAILURE;
+		goto flag_fail;
+	}
+
+	/* if this query requires %record%, make sure we found it */
+	if (((flags & SDLZH_REQUIRE_RECORD) != 0) && (!foundrecord)) {
+		/* Write error message to log */
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "Required token $record$ not found.");
+		result = ISC_R_FAILURE;
+		goto flag_fail;
+	}
+
+	/* if this query requires %zone%, make sure we found it */
+	if (((flags & SDLZH_REQUIRE_ZONE) != 0) && (!foundzone)) {
+		/* Write error message to log */
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "Required token $zone$ not found.");
+		result = ISC_R_FAILURE;
+		goto flag_fail;
+	}
+
+	/* pass back the query list */
+	*querylist = (query_list_t *)tql;
+
+	/* return success */
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	/* get rid of free_me */
+	if (free_me != NULL) {
+		isc_mem_free(mctx, free_me);
+	}
+
+flag_fail:
+	/* get rid of what was build of the query list */
+	destroy_querylist(mctx, &tql);
+	return (result);
+}
+
+/*%
+ * build a query string from query segments, and dynamic segments
+ * dynamic segments replace where the tokens %zone%, %record%, %client%
+ * used to be in our queries from named.conf
+ */
+char *
+sdlzh_build_querystring(isc_mem_t *mctx, query_list_t *querylist) {
+	query_segment_t *tseg = NULL;
+	unsigned int length = 0;
+	char *qs = NULL;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(querylist != NULL);
+
+	/* start at the top of the list */
+	tseg = ISC_LIST_HEAD(*querylist);
+	while (tseg != NULL) {
+		/*
+		 * if this is a query segment, use the
+		 * precalculated string length
+		 */
+		if (tseg->direct) {
+			length += tseg->strlen;
+		} else { /* calculate string length for dynamic segments. */
+			length += strlen(*(char **)tseg->sql);
+		}
+		/* get the next segment */
+		tseg = ISC_LIST_NEXT(tseg, link);
+	}
+
+	/* allocate memory for the string */
+	qs = isc_mem_allocate(mctx, length + 1);
+
+	*qs = 0;
+	/* start at the top of the list again */
+	tseg = ISC_LIST_HEAD(*querylist);
+	while (tseg != NULL) {
+		if (tseg->direct) {
+			/* query segments */
+			strcat(qs, tseg->sql);
+		} else {
+			/* dynamic segments */
+			strcat(qs, *(char **)tseg->sql);
+		}
+		/* get the next segment */
+		tseg = ISC_LIST_NEXT(tseg, link);
+	}
+
+	return (qs);
+}
+
+/*% constructs a sql dbinstance (DBI) */
+isc_result_t
+sdlzh_build_sqldbinstance(isc_mem_t *mctx, const char *allnodes_str,
+			  const char *allowxfr_str, const char *authority_str,
+			  const char *findzone_str, const char *lookup_str,
+			  const char *countzone_str, dbinstance_t **dbi) {
+	isc_result_t result;
+	dbinstance_t *db = NULL;
+
+	REQUIRE(dbi != NULL && *dbi == NULL);
+	REQUIRE(mctx != NULL);
+
+	/* allocate and zero memory for driver structure */
+	db = isc_mem_get(mctx, sizeof(dbinstance_t));
+	memset(db, 0, sizeof(dbinstance_t));
+	db->dbconn = NULL;
+	db->client = NULL;
+	db->record = NULL;
+	db->zone = NULL;
+	db->mctx = NULL;
+	db->query_buf = NULL;
+	db->allnodes_q = NULL;
+	db->allowxfr_q = NULL;
+	db->authority_q = NULL;
+	db->findzone_q = NULL;
+	db->countzone_q = NULL;
+	db->lookup_q = NULL;
+
+	/* attach to the memory context */
+	isc_mem_attach(mctx, &db->mctx);
+
+	/* initialize the reference count mutex */
+	isc_mutex_init(&db->instance_lock);
+
+	/* build the all nodes query list */
+	result = build_querylist(mctx, allnodes_str, &db->zone, &db->record,
+				 &db->client, &db->allnodes_q,
+				 SDLZH_REQUIRE_ZONE);
+	/* if unsuccessful, log err msg and cleanup */
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "Could not build all nodes query list");
+		goto cleanup;
+	}
+
+	/* build the allow zone transfer query list */
+	result = build_querylist(mctx, allowxfr_str, &db->zone, &db->record,
+				 &db->client, &db->allowxfr_q,
+				 SDLZH_REQUIRE_ZONE | SDLZH_REQUIRE_CLIENT);
+	/* if unsuccessful, log err msg and cleanup */
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "Could not build allow xfr query list");
+		goto cleanup;
+	}
+
+	/* build the authority query, query list */
+	result = build_querylist(mctx, authority_str, &db->zone, &db->record,
+				 &db->client, &db->authority_q,
+				 SDLZH_REQUIRE_ZONE);
+	/* if unsuccessful, log err msg and cleanup */
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "Could not build authority query list");
+		goto cleanup;
+	}
+
+	/* build findzone query, query list */
+	result = build_querylist(mctx, findzone_str, &db->zone, &db->record,
+				 &db->client, &db->findzone_q,
+				 SDLZH_REQUIRE_ZONE);
+	/* if unsuccessful, log err msg and cleanup */
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "Could not build find zone query list");
+		goto cleanup;
+	}
+
+	/* build countzone query, query list */
+	result = build_querylist(mctx, countzone_str, &db->zone, &db->record,
+				 &db->client, &db->countzone_q,
+				 SDLZH_REQUIRE_ZONE);
+	/* if unsuccessful, log err msg and cleanup */
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "Could not build count zone query list");
+		goto cleanup;
+	}
+
+	/* build lookup query, query list */
+	result = build_querylist(mctx, lookup_str, &db->zone, &db->record,
+				 &db->client, &db->lookup_q,
+				 SDLZH_REQUIRE_RECORD);
+	/* if unsuccessful, log err msg and cleanup */
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "Could not build lookup query list");
+		goto cleanup;
+	}
+
+	/* pass back the db instance */
+	*dbi = (dbinstance_t *)db;
+
+	/* return success */
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	/* destroy whatever was build of the db instance */
+	destroy_sqldbinstance(db);
+	/* return failure */
+	return (ISC_R_FAILURE);
+}
+
+void
+sdlzh_destroy_sqldbinstance(dbinstance_t *dbi) {
+	isc_mem_t *mctx;
+
+	/* save mctx for later */
+	mctx = dbi->mctx;
+
+	/* destroy any query lists we created */
+	destroy_querylist(mctx, &dbi->allnodes_q);
+	destroy_querylist(mctx, &dbi->allowxfr_q);
+	destroy_querylist(mctx, &dbi->authority_q);
+	destroy_querylist(mctx, &dbi->findzone_q);
+	destroy_querylist(mctx, &dbi->countzone_q);
+	destroy_querylist(mctx, &dbi->lookup_q);
+
+	/* get rid of the mutex */
+	(void)isc_mutex_destroy(&dbi->instance_lock);
+
+	/* return, and detach the memory */
+	isc_mem_putanddetach(&mctx, dbi, sizeof(dbinstance_t));
+}
+
+char *
+sdlzh_get_parameter_value(isc_mem_t *mctx, const char *input, const char *key) {
+	int keylen;
+	char *keystart;
+	char value[255];
+	int i;
+
+	if (key == NULL || input == NULL || strlen(input) < 1) {
+		return (NULL);
+	}
+
+	keylen = strlen(key);
+
+	if (keylen < 1) {
+		return (NULL);
+	}
+
+	keystart = strstr(input, key);
+
+	if (keystart == NULL) {
+		return (NULL);
+	}
+
+	REQUIRE(mctx != NULL);
+
+	for (i = 0; i < 255; i++) {
+		value[i] = keystart[keylen + i];
+		if (value[i] == ' ' || value[i] == '\0') {
+			value[i] = '\0';
+			break;
+		}
+	}
+
+	return (isc_mem_strdup(mctx, value));
+}
diff --git a/contrib/dlz/example/Makefile b/contrib/dlz/example/Makefile
new file mode 100644
index 0000000..c447940
--- /dev/null
+++ b/contrib/dlz/example/Makefile
@@ -0,0 +1,27 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# for building the dlz_example driver we don't use
+# the bind9 build structure as the aim is to provide an
+# example that is separable from the bind9 source tree
+
+# this means this Makefile is not portable, so the testsuite
+# skips this test on platforms where it doesn't build
+
+CFLAGS=-Wall -fPIC -g
+
+all: dlz_example.so
+
+dlz_example.so: dlz_example.o
+	$(CC) $(CFLAGS) -shared -o dlz_example.so dlz_example.o
+
+clean:
+	rm -f dlz_example.o dlz_example.so
diff --git a/contrib/dlz/example/README b/contrib/dlz/example/README
new file mode 100644
index 0000000..d36fba4
--- /dev/null
+++ b/contrib/dlz/example/README
@@ -0,0 +1,256 @@
+<!--
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0.  If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+-->
+
+OVERVIEW:
+
+DLZ (Dynamically Loadable Zones) is an extension to BIND 9 that
+allows zone data to be retrieved directly from an external database.
+There is no required format or schema.  DLZ drivers exist for several
+different database backends including PostgreSQL, MySQL, and LDAP and
+can be written for any other.
+
+Historically, DLZ drivers had to be statically linked with the named
+binary and were turned on via a configure option at compile time (for
+example, "configure --with-dlz-ldap").  Currently, the drivers provided
+in the BIND 9 tarball in contrib/dlz/drivers are still linked this way.
+
+However, as of BIND 9.8, it is also possible to link some DLZ modules
+dynamically at runtime, via the DLZ "dlopen" driver, which acts as a
+generic wrapper around a shared object that implements the DLZ API.  The
+"dlopen" driver is linked into named by default, so configure options are
+no longer necessary unless using older DLZ drivers.
+
+When the DLZ module provides data to named, it does so in text format.
+The response is converted to DNS wire format by named.  This conversion,
+and the lack of any internal caching, places significant limits on the
+query performance of DLZ modules.  Consequently, DLZ is not recommended
+for use on high-volume servers.  However, it can be used in a hidden
+master configuration, with slaves retrieving zone updates via AXFR.
+(Note, however, that DLZ has no built-in support for DNS notify; slaves
+are not automatically informed of changes to the zones in the database.)
+
+CONFIGURING DLZ:
+
+A DLZ database is configured with a "dlz" statement in named.conf.
+
+    dlz example {
+        database "dlopen driver.so <args>";
+        search yes;
+    };
+
+This specifies a DLZ module to search when answering queries; the module
+is implemented in "driver.so" and is loaded at runtime by the dlopen DLZ
+driver.  Multiple "dlz" statements can be specified; when answering a
+query, all DLZ modules with the "search" option set to "yes" will be
+checked for an answer, and the best available answer will be returned
+to the client.
+
+The "search" option in this example can be omitted, as "yes" is the
+default value.  If it is set to "no", then this DLZ module is *not*
+searched for best-match when a query is received.  Instead, zones in
+this DLZ must be separately specified in a zone statement.  This can
+be useful when conventional zone semantics are desired but you wish
+to use a different back-end storage mechanism than the standard zone
+database.  For example, to use a DLZ module for an NXDOMAIN redirection
+zone:
+
+    dlz other {
+        database "dlopen driver.so <args>";
+        search no;
+    };
+
+    zone "." {
+        type redirect;
+        dlz other;
+    };
+
+EXAMPLE DRIVER:
+
+This directory contains an example of an externally-lodable DLZ module,
+dlz_example.c, which demonstrates the features of the DLZ API.  It sets up
+a single zone, whose name is configured in named.conf.  The zone can answer
+queries and AXFR requests, and accept DDNS updates.
+
+By default, at runtime, the zone implemented by this driver will contain
+an SOA, NS, and a single A record at the apex.  If configured in named.conf
+to use the name "example.nil", then, the zone will look like this:
+
+ example.nil.  3600    IN      SOA     example.nil. hostmaster.example.nil. (
+                                               123 900 600 86400 3600
+                                       )
+ example.nil.  3600    IN      NS      example.nil.
+ example.nil.  1800    IN      A       10.53.0.1
+
+The driver is also capable of retrieving information about the querying
+client, and altering its response on the basis of this information.  To
+demonstrate this feature, the example driver responds to queries for
+"source-addr.<zonename>/TXT" with the source address of the query.
+Note, however, that this record will *not* be included in AXFR or ANY
+responses.  (Normally, this feature would be used to alter responses in
+some other fashion, e.g., by providing different address records for
+a particular name depending on the network from which the query arrived.)
+
+DYNAMIC UPDATES AND TRANSACTIONS:
+
+If a DLZ module wants to implement dynamic DNS updates (DDNS), the
+normal calling sequence is
+ - dlz_newversion (start a 'transaction')
+ - dlz_addrdataset (add records)
+ - dlz_subrdataset (remove records)
+ - dlz_closeversion (end a 'transaction')
+
+However, BIND may also query the database during the transaction
+(e.g., to check prerequisites), and your DLZ might need to know whether
+the lookup is against the pre-existing data, or the new data.
+dlz_lookup() doesn't give you access to the 'versionp' pointer
+directly, so it must be passed via 'clientinfo' structure if
+it is needed.
+
+The dlz_example.c code has sample code to show how to get the 'versionp'
+pointer from within dlz_lookup(). If it's set to NULL, we query
+the standard database; if non-NULL, we query against the in-flight
+data within the appropriate uncommitted transaction.
+
+IMPLEMENTATION NOTES:
+
+The minimal set of type definitions, prototypes, and macros needed
+for implementing a DLZ driver is in ../modules/dlz_minimal.h.  Copy this
+header file into your source tree when creating an external DLZ module.
+
+The DLZ dlopen driver provides a set of callback functions:
+
+  - void log(int level, const char *fmt, ...);
+
+    Writes the specified string to the named log, at the specified
+    log level.  Uses printf() format semantics.
+
+  - isc_result_t putrr(dns_sdlzlookup_t *lookup, const char *type,
+                       dns_ttl_t ttl, const char *data);
+
+    Puts a DNS resource record into the query response, which
+    referenced by the opaque structure 'lookup' provided by named.
+
+  - isc_result_t putnamedrr(dns_sdlzallnotes_t *allnodes,
+                            const char *name, const char *type,
+                            dns_ttl_t ttl, const char *data);
+
+    Puts a DNS resource record into an AXFR response, which is
+    referenced by the opaque structure 'allnodes' provided by named.
+
+  - isc_result_t writeable_zone(dns_view_t *view, const char *zone_name);
+
+    Allows the DLZ module to inform named that a given zone can receive
+    DDNS updates.  (Note: This is not currently supported for DLZ
+    databases that are configured as 'search no;')
+
+The external DLZ module can define the following functions (some of these
+are mandatory, others optional).
+
+  - int dlz_version(unsigned int *flags);
+
+    Required for alL external DLZ modules, to indicate the version number
+    of the DLZ dlopen driver that this module supports.  It should return
+    the value DLZ_DLOPEN_VERSION, which is defined in the file
+    contrib/dlz/modules/dlz_minimal.h and is currently 3.  'flags' is
+    updated to indicate capabilities of the module.  In particular, if
+    the module is thread-safe then it sets 'flags' to include
+    DNS_SDLZFLAG_THREADSAFE.  (Other capability flags may be added in
+    the future.)
+
+  - isc_result_t dlz_create(const char *dlzname,
+                            unsigned int argc, char *argv[],
+                            void **dbdata, ...);
+
+    Required for all external DLZ modules; this call initializes the
+    module.
+
+  - void dlz_destroy(void *dbdata);
+
+    Optional.  If supplied, this will be called when the driver is
+    unloaded.
+
+  - isc_result_t dlz_findzonedb(void *dbdata, const char *name,
+                                dns_clientinfomethods_t *methods,
+                                dns_clientinfo_t *clientinfo);
+
+    Required for all external DLZ modules.  This indicates whether
+    the DLZ module can answer for the given name.  Returns ISC_R_SUCCESS
+    if so, and ISC_R_NOTFOUND if not.  As an optimization, it can
+    also return ISC_R_NOMORE: this indicates that the DLZ module has
+    no data for the given name or for any name above it in the DNS.
+    This prevents named from searching for a zone cut.
+
+   - isc_result_t dlz_lookup(const char *zone, const char *name, void *dbdata,
+                             dns_sdlzlookup_t *lookup,
+                             dns_clientinfomethods_t *methods,
+                             dns_clientinfo_t *clientinfo);
+
+    Required for all external DLZ modules.  This carries out the database
+    lookup for a query.
+
+  - isc_result_t dlz_allowzonexfr(void *dbdata, const char *name,
+                                  const char *client);
+
+    Optional.  Supply this if you want the module to support AXFR
+    for the specified zone and client.  A return value of ISC_R_SUCCESS
+    means AXFR is allowed, any other value means it isn't.
+
+  -  isc_result_t dlz_allnodes(const char *zone, void *dbdata,
+                               dns_sdlzallnodes_t *allnodes);
+
+     Optional, but must be supplied dlz_allowzonexfr() is.  This function
+     returns all nodes in the zone in order to perform a zone transfer.
+
+  - isc_result_t dlz_newversion(const char *zone, void *dbdata,
+                                void **versionp);
+
+    Optional.  Supply this if you want the module to support DDNS
+    updates.  This function starts a transaction in the database.
+
+
+  - void dlz_closeversion(const char *zone, bool commit,
+                          void *dbdata, void **versionp);
+
+    Optional, but must be supplied if dlz_newversion() is.  This function
+    closes a transaction.  'commit' indicates whether to commit the changes
+    to the database, or ignore them.
+
+  - isc_result_t dlz_configure(dns_view_t *view, void *dbdata);
+
+    Optional, but must be supplied in order to support DDNS updates.
+
+  - bool dlz_ssumatch(const char *signer, const char *name,
+                               const char *tcpaddr, const char *type,
+                               const char *key, uint32_t keydatalen,
+                               uint8_t *keydata, void *dbdata);
+
+    Optional, but must be supplied in order to support DDNS updates.
+
+  - isc_result_t dlz_addrdataset(const char *name, const char *rdatastr,
+                                 void *dbdata, void *version);
+
+    Optional, but must be supplied in order to support DDNS updates.
+    Adds the data in 'rdatastr' to a database node.
+
+  - isc_result_t dlz_subrdataset(const char *name, const char *rdatastr,
+                                 void *dbdata, void *version);
+
+    Optional, but must be supplied in order to support DDNS updates.
+    Removes the data in 'rdatastr' from a database node.
+
+  - isc_result_t dlz_delrdataset(const char *name, const char *rdatastr,
+                                 void *dbdata, void *version);
+
+    Optional, but must be supplied in order to support DDNS updates.
+    Deletes all data matching the type specified in 'rdatastr' from
+    the database.
diff --git a/contrib/dlz/example/dlz_example.c b/contrib/dlz/example/dlz_example.c
new file mode 100644
index 0000000..1a23be9
--- /dev/null
+++ b/contrib/dlz/example/dlz_example.c
@@ -0,0 +1,822 @@
+/*
+ * Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: ISC
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * This provides a very simple example of an external loadable DLZ
+ * driver, with update support.
+ */
+
+#include <inttypes.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "../modules/include/dlz_minimal.h"
+
+#define CHECK(x)                             \
+	do {                                 \
+		result = (x);                \
+		if (result != ISC_R_SUCCESS) \
+			goto failure;        \
+	} while (0)
+
+/* For this simple example, use fixed sized strings */
+struct record {
+	char name[100];
+	char type[10];
+	char data[200];
+	dns_ttl_t ttl;
+};
+
+#define MAX_RECORDS 100
+
+struct dlz_example_data {
+	char *zone_name;
+
+	/* An example driver doesn't need good memory management :-) */
+	struct record current[MAX_RECORDS];
+	struct record adds[MAX_RECORDS];
+	struct record deletes[MAX_RECORDS];
+
+	bool transaction_started;
+
+	/* Helper functions from the dlz_dlopen driver */
+	log_t *log;
+	dns_sdlz_putrr_t *putrr;
+	dns_sdlz_putnamedrr_t *putnamedrr;
+	dns_dlz_writeablezone_t *writeable_zone;
+};
+
+static bool
+single_valued(const char *type) {
+	const char *single[] = { "soa", "cname", NULL };
+	int i;
+
+	for (i = 0; single[i]; i++) {
+		if (strcasecmp(single[i], type) == 0) {
+			return (true);
+		}
+	}
+	return (false);
+}
+
+/*
+ * Add a record to a list
+ */
+static isc_result_t
+add_name(struct dlz_example_data *state, struct record *list, const char *name,
+	 const char *type, dns_ttl_t ttl, const char *data) {
+	int i;
+	bool single = single_valued(type);
+	int first_empty = -1;
+
+	for (i = 0; i < MAX_RECORDS; i++) {
+		if (first_empty == -1 && strlen(list[i].name) == 0U) {
+			first_empty = i;
+		}
+		if (strcasecmp(list[i].name, name) != 0) {
+			continue;
+		}
+		if (strcasecmp(list[i].type, type) != 0) {
+			continue;
+		}
+		if (!single && strcasecmp(list[i].data, data) != 0) {
+			continue;
+		}
+		break;
+	}
+	if (i == MAX_RECORDS && first_empty != -1) {
+		i = first_empty;
+	}
+	if (i == MAX_RECORDS) {
+		if (state->log != NULL) {
+			state->log(ISC_LOG_ERROR, "dlz_example: out of record "
+						  "space");
+		}
+		return (ISC_R_FAILURE);
+	}
+
+	if (strlen(name) >= sizeof(list[i].name) ||
+	    strlen(type) >= sizeof(list[i].type) ||
+	    strlen(data) >= sizeof(list[i].data))
+	{
+		return (ISC_R_NOSPACE);
+	}
+
+	strncpy(list[i].name, name, sizeof(list[i].name));
+	list[i].name[sizeof(list[i].name) - 1] = '\0';
+
+	strncpy(list[i].type, type, sizeof(list[i].type));
+	list[i].type[sizeof(list[i].type) - 1] = '\0';
+
+	strncpy(list[i].data, data, sizeof(list[i].data));
+	list[i].data[sizeof(list[i].data) - 1] = '\0';
+
+	list[i].ttl = ttl;
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Delete a record from a list
+ */
+static isc_result_t
+del_name(struct dlz_example_data *state, struct record *list, const char *name,
+	 const char *type, dns_ttl_t ttl, const char *data) {
+	int i;
+
+	UNUSED(state);
+
+	for (i = 0; i < MAX_RECORDS; i++) {
+		if (strcasecmp(name, list[i].name) == 0 &&
+		    strcasecmp(type, list[i].type) == 0 &&
+		    strcasecmp(data, list[i].data) == 0 && ttl == list[i].ttl)
+		{
+			break;
+		}
+	}
+	if (i == MAX_RECORDS) {
+		return (ISC_R_NOTFOUND);
+	}
+	memset(&list[i], 0, sizeof(struct record));
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+fmt_address(isc_sockaddr_t *addr, char *buffer, size_t size) {
+	char addr_buf[100];
+	const char *ret;
+	uint16_t port = 0;
+
+	switch (addr->type.sa.sa_family) {
+	case AF_INET:
+		port = ntohs(addr->type.sin.sin_port);
+		ret = inet_ntop(AF_INET, &addr->type.sin.sin_addr, addr_buf,
+				sizeof(addr_buf));
+		break;
+	case AF_INET6:
+		port = ntohs(addr->type.sin6.sin6_port);
+		ret = inet_ntop(AF_INET6, &addr->type.sin6.sin6_addr, addr_buf,
+				sizeof(addr_buf));
+		break;
+	default:
+		return (ISC_R_FAILURE);
+	}
+
+	if (ret == NULL) {
+		return (ISC_R_FAILURE);
+	}
+
+	snprintf(buffer, size, "%s#%u", addr_buf, port);
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Return the version of the API
+ */
+int
+dlz_version(unsigned int *flags) {
+	UNUSED(flags);
+	return (DLZ_DLOPEN_VERSION);
+}
+
+/*
+ * Remember a helper function from the bind9 dlz_dlopen driver
+ */
+static void
+b9_add_helper(struct dlz_example_data *state, const char *helper_name,
+	      void *ptr) {
+	if (strcmp(helper_name, "log") == 0) {
+		state->log = (log_t *)ptr;
+	}
+	if (strcmp(helper_name, "putrr") == 0) {
+		state->putrr = (dns_sdlz_putrr_t *)ptr;
+	}
+	if (strcmp(helper_name, "putnamedrr") == 0) {
+		state->putnamedrr = (dns_sdlz_putnamedrr_t *)ptr;
+	}
+	if (strcmp(helper_name, "writeable_zone") == 0) {
+		state->writeable_zone = (dns_dlz_writeablezone_t *)ptr;
+	}
+}
+
+/*
+ * Called to initialize the driver
+ */
+isc_result_t
+dlz_create(const char *dlzname, unsigned int argc, char *argv[], void **dbdata,
+	   ...) {
+	struct dlz_example_data *state;
+	const char *helper_name;
+	va_list ap;
+	char soa_data[200];
+	const char *extra;
+	isc_result_t result;
+	int n;
+
+	UNUSED(dlzname);
+
+	state = calloc(1, sizeof(struct dlz_example_data));
+	if (state == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	/* Fill in the helper functions */
+	va_start(ap, dbdata);
+	while ((helper_name = va_arg(ap, const char *)) != NULL) {
+		b9_add_helper(state, helper_name, va_arg(ap, void *));
+	}
+	va_end(ap);
+
+	if (argc < 2 || argv[1][0] == '\0') {
+		if (state->log != NULL) {
+			state->log(ISC_LOG_ERROR, "dlz_example: please specify "
+						  "a zone name");
+		}
+		dlz_destroy(state);
+		return (ISC_R_FAILURE);
+	}
+
+	/* Ensure zone name is absolute */
+	state->zone_name = malloc(strlen(argv[1]) + 2);
+	if (state->zone_name == NULL) {
+		free(state);
+		return (ISC_R_NOMEMORY);
+	}
+	if (argv[1][strlen(argv[1]) - 1] == '.') {
+		strcpy(state->zone_name, argv[1]);
+	} else {
+		sprintf(state->zone_name, "%s.", argv[1]);
+	}
+
+	if (strcmp(state->zone_name, ".") == 0) {
+		extra = ".root";
+	} else {
+		extra = ".";
+	}
+
+	n = sprintf(soa_data, "%s hostmaster%s%s 123 900 600 86400 3600",
+		    state->zone_name, extra, state->zone_name);
+
+	if (n < 0) {
+		CHECK(ISC_R_FAILURE);
+	}
+	if ((unsigned)n >= sizeof(soa_data)) {
+		CHECK(ISC_R_NOSPACE);
+	}
+
+	add_name(state, &state->current[0], state->zone_name, "soa", 3600,
+		 soa_data);
+	add_name(state, &state->current[0], state->zone_name, "ns", 3600,
+		 state->zone_name);
+	add_name(state, &state->current[0], state->zone_name, "a", 1800,
+		 "10.53.0.1");
+
+	if (state->log != NULL) {
+		state->log(ISC_LOG_INFO, "dlz_example: started for zone %s",
+			   state->zone_name);
+	}
+
+	*dbdata = state;
+	return (ISC_R_SUCCESS);
+
+failure:
+	free(state);
+	return (result);
+}
+
+/*
+ * Shut down the backend
+ */
+void
+dlz_destroy(void *dbdata) {
+	struct dlz_example_data *state = (struct dlz_example_data *)dbdata;
+
+	if (state->log != NULL) {
+		state->log(ISC_LOG_INFO, "dlz_example: shutting down zone %s",
+			   state->zone_name);
+	}
+	free(state->zone_name);
+	free(state);
+}
+
+/*
+ * See if we handle a given zone
+ */
+isc_result_t
+dlz_findzonedb(void *dbdata, const char *name, dns_clientinfomethods_t *methods,
+	       dns_clientinfo_t *clientinfo) {
+	struct dlz_example_data *state = (struct dlz_example_data *)dbdata;
+	isc_sockaddr_t *src;
+	char addrbuf[100];
+	char absolute[1024];
+
+	strcpy(addrbuf, "unknown");
+	if (methods != NULL && methods->sourceip != NULL &&
+	    methods->version - methods->age <= DNS_CLIENTINFOMETHODS_VERSION &&
+	    DNS_CLIENTINFOMETHODS_VERSION <= methods->version)
+	{
+		methods->sourceip(clientinfo, &src);
+		fmt_address(src, addrbuf, sizeof(addrbuf));
+	}
+	state->log(ISC_LOG_INFO, "dlz_example: findzonedb connection from: %s",
+		   addrbuf);
+
+	state->log(ISC_LOG_INFO,
+		   "dlz_example: dlz_findzonedb called with name '%s' "
+		   "in zone DB '%s'",
+		   name, state->zone_name);
+
+	/*
+	 * Returning ISC_R_NOTFOUND will cause the query logic to
+	 * check the database for parent names, looking for zone cuts.
+	 *
+	 * Returning ISC_R_NOMORE prevents the query logic from doing
+	 * this; it will move onto the next database after a single query.
+	 */
+	if (strcasecmp(name, "test.example.com") == 0) {
+		return (ISC_R_NOMORE);
+	}
+
+	/*
+	 * For example.net, only return ISC_R_NOMORE when queried
+	 * from 10.53.0.1.
+	 */
+	if (strcasecmp(name, "test.example.net") == 0 &&
+	    strncmp(addrbuf, "10.53.0.1", 9) == 0)
+	{
+		return (ISC_R_NOMORE);
+	}
+
+	if (strcasecmp(state->zone_name, name) == 0) {
+		return (ISC_R_SUCCESS);
+	}
+
+	snprintf(absolute, sizeof(absolute), "%s.", name);
+	if (strcasecmp(state->zone_name, absolute) == 0) {
+		return (ISC_R_SUCCESS);
+	}
+
+	return (ISC_R_NOTFOUND);
+}
+
+/*
+ * Look up one record in the sample database.
+ *
+ * If the queryname is "source-addr", send back a TXT record containing
+ * the address of the client; this demonstrates the use of 'methods'
+ * and 'clientinfo'.
+ *
+ * If the queryname is "too-long", send back a TXT record that's too long
+ * to process; this should result in a SERVFAIL when queried.
+ */
+isc_result_t
+dlz_lookup(const char *zone, const char *name, void *dbdata,
+	   dns_sdlzlookup_t *lookup, dns_clientinfomethods_t *methods,
+	   dns_clientinfo_t *clientinfo) {
+	isc_result_t result;
+	struct dlz_example_data *state = (struct dlz_example_data *)dbdata;
+	bool found = false;
+	void *dbversion = NULL;
+	isc_sockaddr_t *src;
+	char full_name[256];
+	char buf[512];
+	int i;
+
+	UNUSED(zone);
+
+	if (state->putrr == NULL) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	if (strcmp(name, "@") == 0) {
+		strncpy(full_name, state->zone_name, 255);
+		full_name[255] = '\0';
+	} else {
+		snprintf(full_name, 255, "%s.%s", name, state->zone_name);
+	}
+
+	/*
+	 * If we need to know the database version (as set in
+	 * the 'newversion' dlz function) we can pick it up from the
+	 * clientinfo.
+	 *
+	 * This allows a lookup to query the correct version of the DNS
+	 * data, if the DLZ can differentiate between versions.
+	 *
+	 * For example, if a new database transaction is created by
+	 * 'newversion', the lookup should query within the same
+	 * transaction scope if it can.
+	 *
+	 * If the DLZ only operates on 'live' data, then version
+	 * wouldn't necessarily be needed.
+	 */
+	if (clientinfo != NULL && clientinfo->version >= 2) {
+		dbversion = clientinfo->dbversion;
+		if (dbversion != NULL && *(bool *)dbversion) {
+			state->log(ISC_LOG_INFO, "dlz_example: lookup against "
+						 "live "
+						 "transaction\n");
+		}
+	}
+
+	if (strcmp(name, "source-addr") == 0) {
+		char ecsbuf[DNS_ECS_FORMATSIZE] = "not supported";
+		strncpy(buf, "unknown", sizeof(buf));
+		if (methods != NULL && methods->sourceip != NULL &&
+		    (methods->version - methods->age <=
+		     DNS_CLIENTINFOMETHODS_VERSION) &&
+		    DNS_CLIENTINFOMETHODS_VERSION <= methods->version)
+		{
+			methods->sourceip(clientinfo, &src);
+			fmt_address(src, buf, sizeof(buf));
+		}
+		if (clientinfo != NULL && clientinfo->version >= 3) {
+			if (clientinfo->ecs.addr.family != AF_UNSPEC) {
+				dns_ecs_format(&clientinfo->ecs, ecsbuf,
+					       sizeof(ecsbuf));
+			} else {
+				snprintf(ecsbuf, sizeof(ecsbuf), "%s",
+					 "not present");
+			}
+		}
+		i = strlen(buf);
+		snprintf(buf + i, sizeof(buf) - i - 1, " ECS %s", ecsbuf);
+
+		state->log(ISC_LOG_INFO,
+			   "dlz_example: lookup connection from: %s", buf);
+
+		found = true;
+		result = state->putrr(lookup, "TXT", 0, buf);
+		/* We could also generate a CNAME RR:
+		snprintf(buf, sizeof(buf), "%s.redirect.example.", ecsbuf);
+		result = state->putrr(lookup, "CNAME", 0, buf); */
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+
+	if (strcmp(name, "too-long") == 0) {
+		for (i = 0; i < 511; i++) {
+			buf[i] = 'x';
+		}
+		buf[i] = '\0';
+		found = true;
+		result = state->putrr(lookup, "TXT", 0, buf);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+
+	for (i = 0; i < MAX_RECORDS; i++) {
+		if (strcasecmp(state->current[i].name, full_name) == 0) {
+			found = true;
+			result = state->putrr(lookup, state->current[i].type,
+					      state->current[i].ttl,
+					      state->current[i].data);
+			if (result != ISC_R_SUCCESS) {
+				return (result);
+			}
+		}
+	}
+
+	if (!found) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * See if a zone transfer is allowed
+ */
+isc_result_t
+dlz_allowzonexfr(void *dbdata, const char *name, const char *client) {
+	UNUSED(client);
+
+	/* Just say yes for all our zones */
+	return (dlz_findzonedb(dbdata, name, NULL, NULL));
+}
+
+/*
+ * Perform a zone transfer
+ */
+isc_result_t
+dlz_allnodes(const char *zone, void *dbdata, dns_sdlzallnodes_t *allnodes) {
+	struct dlz_example_data *state = (struct dlz_example_data *)dbdata;
+	int i;
+
+	UNUSED(zone);
+
+	if (state->putnamedrr == NULL) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	for (i = 0; i < MAX_RECORDS; i++) {
+		isc_result_t result;
+		if (strlen(state->current[i].name) == 0U) {
+			continue;
+		}
+		result = state->putnamedrr(allnodes, state->current[i].name,
+					   state->current[i].type,
+					   state->current[i].ttl,
+					   state->current[i].data);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Start a transaction
+ */
+isc_result_t
+dlz_newversion(const char *zone, void *dbdata, void **versionp) {
+	struct dlz_example_data *state = (struct dlz_example_data *)dbdata;
+
+	if (state->transaction_started) {
+		if (state->log != NULL) {
+			state->log(ISC_LOG_INFO,
+				   "dlz_example: transaction already "
+				   "started for zone %s",
+				   zone);
+		}
+		return (ISC_R_FAILURE);
+	}
+
+	state->transaction_started = true;
+	*versionp = (void *)&state->transaction_started;
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * End a transaction
+ */
+void
+dlz_closeversion(const char *zone, bool commit, void *dbdata, void **versionp) {
+	struct dlz_example_data *state = (struct dlz_example_data *)dbdata;
+
+	if (!state->transaction_started) {
+		if (state->log != NULL) {
+			state->log(ISC_LOG_INFO,
+				   "dlz_example: transaction not "
+				   "started for zone %s",
+				   zone);
+		}
+		*versionp = NULL;
+		return;
+	}
+
+	state->transaction_started = false;
+
+	*versionp = NULL;
+
+	if (commit) {
+		int i;
+		if (state->log != NULL) {
+			state->log(ISC_LOG_INFO,
+				   "dlz_example: committing "
+				   "transaction on zone %s",
+				   zone);
+		}
+		for (i = 0; i < MAX_RECORDS; i++) {
+			if (strlen(state->deletes[i].name) > 0U) {
+				(void)del_name(state, &state->current[0],
+					       state->deletes[i].name,
+					       state->deletes[i].type,
+					       state->deletes[i].ttl,
+					       state->deletes[i].data);
+			}
+		}
+		for (i = 0; i < MAX_RECORDS; i++) {
+			if (strlen(state->adds[i].name) > 0U) {
+				(void)add_name(state, &state->current[0],
+					       state->adds[i].name,
+					       state->adds[i].type,
+					       state->adds[i].ttl,
+					       state->adds[i].data);
+			}
+		}
+	} else {
+		if (state->log != NULL) {
+			state->log(ISC_LOG_INFO,
+				   "dlz_example: cancelling "
+				   "transaction on zone %s",
+				   zone);
+		}
+	}
+	memset(state->adds, 0, sizeof(state->adds));
+	memset(state->deletes, 0, sizeof(state->deletes));
+}
+
+/*
+ * Configure a writeable zone
+ */
+isc_result_t
+dlz_configure(dns_view_t *view, dns_dlzdb_t *dlzdb, void *dbdata) {
+	struct dlz_example_data *state = (struct dlz_example_data *)dbdata;
+	isc_result_t result;
+
+	if (state->log != NULL) {
+		state->log(ISC_LOG_INFO, "dlz_example: starting configure");
+	}
+
+	if (state->writeable_zone == NULL) {
+		if (state->log != NULL) {
+			state->log(ISC_LOG_INFO, "dlz_example: no "
+						 "writeable_zone method "
+						 "available");
+		}
+		return (ISC_R_FAILURE);
+	}
+
+	result = state->writeable_zone(view, dlzdb, state->zone_name);
+	if (result != ISC_R_SUCCESS) {
+		if (state->log != NULL) {
+			state->log(ISC_LOG_ERROR,
+				   "dlz_example: failed to "
+				   "configure zone %s",
+				   state->zone_name);
+		}
+		return (result);
+	}
+
+	if (state->log != NULL) {
+		state->log(ISC_LOG_INFO,
+			   "dlz_example: configured writeable "
+			   "zone %s",
+			   state->zone_name);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Authorize a zone update
+ */
+bool
+dlz_ssumatch(const char *signer, const char *name, const char *tcpaddr,
+	     const char *type, const char *key, uint32_t keydatalen,
+	     unsigned char *keydata, void *dbdata) {
+	struct dlz_example_data *state = (struct dlz_example_data *)dbdata;
+
+	UNUSED(tcpaddr);
+	UNUSED(type);
+	UNUSED(key);
+	UNUSED(keydatalen);
+	UNUSED(keydata);
+
+	if (strncmp(name, "deny.", 5) == 0) {
+		if (state->log != NULL) {
+			state->log(ISC_LOG_INFO,
+				   "dlz_example: denying update "
+				   "of name=%s by %s",
+				   name, signer);
+		}
+		return (false);
+	}
+	if (state->log != NULL) {
+		state->log(ISC_LOG_INFO,
+			   "dlz_example: allowing update of "
+			   "name=%s by %s",
+			   name, signer);
+	}
+	return (true);
+}
+
+static isc_result_t
+modrdataset(struct dlz_example_data *state, const char *name,
+	    const char *rdatastr, struct record *list) {
+	char *full_name, *dclass, *type, *data, *ttlstr, *buf;
+	char absolute[1024];
+	isc_result_t result;
+#if defined(WIN32) || defined(_REENTRANT)
+	char *saveptr = NULL;
+#endif /* if defined(WIN32) || defined(_REENTRANT) */
+
+	buf = strdup(rdatastr);
+	if (buf == NULL) {
+		return (ISC_R_FAILURE);
+	}
+
+	/*
+	 * The format is:
+	 * FULLNAME\tTTL\tDCLASS\tTYPE\tDATA
+	 *
+	 * The DATA field is space separated, and is in the data format
+	 * for the type used by dig
+	 */
+
+	full_name = strtok_r(buf, "\t", &saveptr);
+	if (full_name == NULL) {
+		goto error;
+	}
+
+	ttlstr = strtok_r(NULL, "\t", &saveptr);
+	if (ttlstr == NULL) {
+		goto error;
+	}
+
+	dclass = strtok_r(NULL, "\t", &saveptr);
+	if (dclass == NULL) {
+		goto error;
+	}
+
+	type = strtok_r(NULL, "\t", &saveptr);
+	if (type == NULL) {
+		goto error;
+	}
+
+	data = strtok_r(NULL, "\t", &saveptr);
+	if (data == NULL) {
+		goto error;
+	}
+
+	if (name[strlen(name) - 1] != '.') {
+		snprintf(absolute, sizeof(absolute), "%s.", name);
+		name = absolute;
+	}
+
+	result = add_name(state, list, name, type, strtoul(ttlstr, NULL, 10),
+			  data);
+	free(buf);
+	return (result);
+
+error:
+	free(buf);
+	return (ISC_R_FAILURE);
+}
+
+isc_result_t
+dlz_addrdataset(const char *name, const char *rdatastr, void *dbdata,
+		void *version) {
+	struct dlz_example_data *state = (struct dlz_example_data *)dbdata;
+
+	if (version != (void *)&state->transaction_started) {
+		return (ISC_R_FAILURE);
+	}
+
+	if (state->log != NULL) {
+		state->log(ISC_LOG_INFO, "dlz_example: adding rdataset %s '%s'",
+			   name, rdatastr);
+	}
+
+	return (modrdataset(state, name, rdatastr, &state->adds[0]));
+}
+
+isc_result_t
+dlz_subrdataset(const char *name, const char *rdatastr, void *dbdata,
+		void *version) {
+	struct dlz_example_data *state = (struct dlz_example_data *)dbdata;
+
+	if (version != (void *)&state->transaction_started) {
+		return (ISC_R_FAILURE);
+	}
+
+	if (state->log != NULL) {
+		state->log(ISC_LOG_INFO,
+			   "dlz_example: subtracting rdataset "
+			   "%s '%s'",
+			   name, rdatastr);
+	}
+
+	return (modrdataset(state, name, rdatastr, &state->deletes[0]));
+}
+
+isc_result_t
+dlz_delrdataset(const char *name, const char *type, void *dbdata,
+		void *version) {
+	struct dlz_example_data *state = (struct dlz_example_data *)dbdata;
+
+	if (version != (void *)&state->transaction_started) {
+		return (ISC_R_FAILURE);
+	}
+
+	if (state->log != NULL) {
+		state->log(ISC_LOG_INFO,
+			   "dlz_example: deleting rdataset %s "
+			   "of type %s",
+			   name, type);
+	}
+
+	return (ISC_R_SUCCESS);
+}
diff --git a/contrib/dlz/example/named.conf b/contrib/dlz/example/named.conf
new file mode 100644
index 0000000..eba464c
--- /dev/null
+++ b/contrib/dlz/example/named.conf
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * This is a sample named.conf file that uses the DLZ module defined in
+ * dlz_example.c.  It sets up a zone 'example.nil' which can accept DDNS
+ * updates.
+ *
+ * By default, when run, the zone contains the following records:
+ *
+ * example.nil.  3600    IN      SOA     example.nil. hostmaster.example.nil. (
+ *                                               123 900 600 86400 3600
+ *                                       )
+ * example.nil.  3600    IN      NS      example.nil.
+ * example.nil.  1800    IN      A       10.53.0.1
+ *
+ * Additionally, a query for 'source-addr.example.nil/TXT' is always
+ * answered with the source address of the query.  This is used to
+ * demonstrate the code that retrieves client information from the
+ * caller.
+ *
+ * To use this driver, "dlz_external.so" must be moved into the working
+ * directory for named.
+ */
+
+options {
+        allow-transfer { any; };
+        allow-query { any; };
+        notify yes;
+	recursion no;
+};
+
+/*
+ * To test dynamic updates, create a DDNS key:
+ *
+ *   ddns-confgen -q -z example.nil > ddns.key
+ *
+ * Then uncomment the following line:
+ *
+ *   include "ddns.key";
+ *
+ * Use "nsupdate -k ddns.key" when sending updates. (NOTE: This driver does
+ * not check the key that's used: as long as the update is signed by a key
+ * known to named, the update will be accepted.  Only updates to names
+ * that begin with "deny." are rejected.)
+ */
+
+dlz "example" {
+	database "dlopen ./dlz_example.so example.nil";
+};
diff --git a/contrib/dlz/example/win32/DLLMain.c b/contrib/dlz/example/win32/DLLMain.c
new file mode 100644
index 0000000..ca76934
--- /dev/null
+++ b/contrib/dlz/example/win32/DLLMain.c
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2001, 2004, 2007, 2016  Internet Systems Consortium, Inc.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <signal.h>
+#include <windows.h>
+
+/*
+ * Called when we enter the DLL
+ */
+__declspec(dllexport) BOOL WINAPI
+	DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
+	switch (fdwReason) {
+	/*
+	 * The DLL is loading due to process
+	 * initialization or a call to LoadLibrary.
+	 */
+	case DLL_PROCESS_ATTACH:
+		break;
+
+	/* The attached process creates a new thread.  */
+	case DLL_THREAD_ATTACH:
+		break;
+
+	/* The thread of the attached process terminates. */
+	case DLL_THREAD_DETACH:
+		break;
+
+	/*
+	 * The DLL is unloading from a process due to
+	 * process termination or a call to FreeLibrary.
+	 */
+	case DLL_PROCESS_DETACH:
+		break;
+
+	default:
+		break;
+	}
+	return (TRUE);
+}
diff --git a/contrib/dlz/example/win32/dxdriver.def b/contrib/dlz/example/win32/dxdriver.def
new file mode 100644
index 0000000..6d97466
--- /dev/null
+++ b/contrib/dlz/example/win32/dxdriver.def
@@ -0,0 +1,20 @@
+LIBRARY dxdriver
+
+; Exported Functions
+EXPORTS
+dlz_addrdataset
+dlz_allnodes
+dlz_allowzonexfr
+dlz_closeversion
+dlz_configure
+dlz_create
+dlz_delrdataset
+dlz_destroy
+dlz_findzonedb
+dlz_lookup
+dlz_newversion
+dlz_ssumatch
+dlz_subrdataset
+dlz_version
+
+
diff --git a/contrib/dlz/example/win32/dxdriver.dsp b/contrib/dlz/example/win32/dxdriver.dsp
new file mode 100644
index 0000000..c096b08
--- /dev/null
+++ b/contrib/dlz/example/win32/dxdriver.dsp
@@ -0,0 +1,121 @@
+# Microsoft Developer Studio Project File - Name="dxdriver" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102
+
+CFG=dxdriver - Win32 Release
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "dxdriver.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "dxdriver.mak" CFG="dxdriver - Win32 Release"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "dxdriver - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE "dxdriver - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "dxdriver - Win32 Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /YX /FD /c
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "../" /I "../../../../../" /I "../../../../../lib/isc/win32" /I "../../../../../lib/isc/win32/include" /I "../../../../../lib/isc/include" /I "../../../../../lib/dns/include" /D "NDEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /YX /FD /c
+# SUBTRACT CPP /X
+# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib /nologo /dll /machine:I386 /out:"../../../../../Build/Release/dxdriver.dll"
+
+!ELSEIF  "$(CFG)" == "dxdriver - Win32 Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /YX /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "../" /I "../../../../../" /I "../../../../../lib/isc/win32" /I "../../../../../lib/isc/win32/include" /I "../../../../../lib/isc/include" /I "../../../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /FR /YX /FD /GZ /c
+# SUBTRACT CPP /X
+# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib /nologo /dll /debug /machine:I386 /out:"../../../../../Build/Debug/dxdriver.dll" /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "dxdriver - Win32 Release"
+# Name "dxdriver - Win32 Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# Begin Source File
+
+SOURCE=..\driver.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\DLLMain.c
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# Begin Source File
+
+SOURCE=..\driver.h
+# End Source File
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# Begin Source File
+
+SOURCE=.\dxdriver.def
+# End Source File
+# End Target
+# End Project
diff --git a/contrib/dlz/example/win32/dxdriver.dsw b/contrib/dlz/example/win32/dxdriver.dsw
new file mode 100644
index 0000000..b0212fe
--- /dev/null
+++ b/contrib/dlz/example/win32/dxdriver.dsw
@@ -0,0 +1,29 @@
+Microsoft Developer Studio Workspace File, Format Version 6.00
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
+
+###############################################################################
+
+Project: "dxdriver"=.\dxdriver.dsp - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Global:
+
+Package=<5>
+{{{
+}}}
+
+Package=<3>
+{{{
+}}}
+
+###############################################################################
+
diff --git a/contrib/dlz/example/win32/dxdriver.mak b/contrib/dlz/example/win32/dxdriver.mak
new file mode 100644
index 0000000..1d8506b
--- /dev/null
+++ b/contrib/dlz/example/win32/dxdriver.mak
@@ -0,0 +1,298 @@
+# Microsoft Developer Studio Generated NMAKE File, Based on dxdriver.dsp
+!IF "$(CFG)" == ""
+CFG=dxdriver - Win32 Release
+!MESSAGE No configuration specified. Defaulting to dxdriver - Win32 Release.
+!ENDIF 
+
+!IF "$(CFG)" != "dxdriver - Win32 Release" && "$(CFG)" != "dxdriver - Win32 Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "dxdriver.mak" CFG="dxdriver - Win32 Release"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "dxdriver - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE "dxdriver - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "dxdriver - Win32 Release"
+_VC_MANIFEST_INC=0
+_VC_MANIFEST_BASENAME=__VC80
+!ELSE
+_VC_MANIFEST_INC=1
+_VC_MANIFEST_BASENAME=__VC80.Debug
+!ENDIF
+
+####################################################
+# Specifying name of temporary resource file used only in incremental builds:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res
+!else
+_VC_MANIFEST_AUTO_RES=
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
+
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2
+
+!endif
+####################################################
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \
+    $(_VC_MANIFEST_BASENAME).auto.rc \
+    $(_VC_MANIFEST_BASENAME).auto.manifest
+
+!else
+
+_VC_MANIFEST_CLEAN=
+
+!endif
+
+!IF  "$(CFG)" == "dxdriver - Win32 Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+ALL : "..\..\..\..\..\Build\Release\dxdriver.dll"
+
+CLEAN :
+	-@erase "$(INTDIR)\DLLMain.obj"
+	-@erase "$(INTDIR)\driver.obj"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(OUTDIR)\dxdriver.exp"
+	-@erase "$(OUTDIR)\dxdriver.lib"
+	-@erase "..\..\..\..\..\Build\Release\dxdriver.dll"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "../" /I "../../../../../" /I "../../../../../lib/isc/win32" /I "../../../../../lib/isc/win32/include" /I "../../../../../lib/isc/include" /I "../../../../../lib/dns/include" /D "NDEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /Fp"$(INTDIR)\dxdriver.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\dxdriver.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib /nologo /dll /incremental:no /pdb:"$(OUTDIR)\dxdriver.pdb" /machine:I386 /def:".\dxdriver.def" /out:"../../../../../Build/Release/dxdriver.dll" /implib:"$(OUTDIR)\dxdriver.lib" 
+DEF_FILE= \
+	".\dxdriver.def"
+LINK32_OBJS= \
+	"$(INTDIR)\DLLMain.obj" \
+	"$(INTDIR)\driver.obj"
+
+"..\..\..\..\..\Build\Release\dxdriver.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+  $(_VC_MANIFEST_EMBED_DLL)
+
+!ELSEIF  "$(CFG)" == "dxdriver - Win32 Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+ALL : "..\..\..\..\..\Build\Debug\dxdriver.dll" "$(OUTDIR)\dxdriver.bsc"
+
+CLEAN :
+	-@erase "$(INTDIR)\DLLMain.obj"
+	-@erase "$(INTDIR)\DLLMain.sbr"
+	-@erase "$(INTDIR)\driver.obj"
+	-@erase "$(INTDIR)\driver.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(OUTDIR)\dxdriver.bsc"
+	-@erase "$(OUTDIR)\dxdriver.exp"
+	-@erase "$(OUTDIR)\dxdriver.lib"
+	-@erase "$(OUTDIR)\dxdriver.pdb"
+	-@erase "..\..\..\..\..\Build\Debug\dxdriver.dll"
+	-@erase "..\..\..\..\..\Build\Debug\dxdriver.ilk"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "../" /I "../../../../../" /I "../../../../../lib/isc/win32" /I "../../../../../lib/isc/win32/include" /I "../../../../../lib/isc/include" /I "../../../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\dxdriver.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\dxdriver.bsc" 
+BSC32_SBRS= \
+	"$(INTDIR)\DLLMain.sbr" \
+	"$(INTDIR)\driver.sbr"
+
+"$(OUTDIR)\dxdriver.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib /nologo /dll /incremental:yes /pdb:"$(OUTDIR)\dxdriver.pdb" /debug /machine:I386 /def:".\dxdriver.def" /out:"../../../../../Build/Debug/dxdriver.dll" /implib:"$(OUTDIR)\dxdriver.lib" /pdbtype:sept 
+DEF_FILE= \
+	".\dxdriver.def"
+LINK32_OBJS= \
+	"$(INTDIR)\DLLMain.obj" \
+	"$(INTDIR)\driver.obj"
+
+"..\..\..\..\..\Build\Debug\dxdriver.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+  $(_VC_MANIFEST_EMBED_DLL)
+
+!ENDIF 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("dxdriver.dep")
+!INCLUDE "dxdriver.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "dxdriver.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "dxdriver - Win32 Release" || "$(CFG)" == "dxdriver - Win32 Debug"
+SOURCE=.\DLLMain.c
+
+!IF  "$(CFG)" == "dxdriver - Win32 Release"
+
+
+"$(INTDIR)\DLLMain.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "dxdriver - Win32 Debug"
+
+
+"$(INTDIR)\DLLMain.obj"	"$(INTDIR)\DLLMain.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=..\driver.c
+
+!IF  "$(CFG)" == "dxdriver - Win32 Release"
+
+
+"$(INTDIR)\driver.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "dxdriver - Win32 Debug"
+
+
+"$(INTDIR)\driver.obj"	"$(INTDIR)\driver.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+
+!ENDIF
+
+####################################################
+# Commands to generate initial empty manifest file and the RC file
+# that references it, and for generating the .res file:
+
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc
+
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest
+    type <<$@
+#include <winuser.h>
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"
+<< KEEP
+
+$(_VC_MANIFEST_BASENAME).auto.manifest :
+    type <<$@
+<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
+<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
+</assembly>
+<< KEEP
diff --git a/contrib/dlz/modules/bdbhpt/Makefile b/contrib/dlz/modules/bdbhpt/Makefile
new file mode 100644
index 0000000..45080af
--- /dev/null
+++ b/contrib/dlz/modules/bdbhpt/Makefile
@@ -0,0 +1,43 @@
+# Copyright Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+# Copyright (C) Stichting NLnet, Netherlands, stichting@nlnet.nl.
+#
+# The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
+# conceived and contributed by Rob Butler.
+#
+# SPDX-License-Identifier: ISC and MPL-2.0
+#
+# Permission to use, copy, modify, and distribute this software for any purpose
+# with or without fee is hereby granted, provided that the above copyright
+# notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND STICHTING NLNET DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL STICHTING NLNET BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+# OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+# CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+prefix = /usr
+libdir = $(prefix)/lib/bind9
+
+CFLAGS=-fPIC -g -I../include
+BDB_LIBS=-ldb
+
+all: dlz_bdbhpt_dynamic.so
+
+dlz_bdbhpt_dynamic.so: dlz_bdbhpt_dynamic.c
+	$(CC) $(CFLAGS) -shared -o dlz_bdbhpt_dynamic.so \
+		dlz_bdbhpt_dynamic.c $(BDB_LIBS)
+
+clean:
+	rm -f dlz_bdbhpt_dynamic.so
+
+install: dlz_bdbhpt_dynamic.so
+	mkdir -p $(DESTDIR)$(libdir)
+	install dlz_bdbhpt_dynamic.so $(DESTDIR)$(libdir)
diff --git a/contrib/dlz/modules/bdbhpt/README.md b/contrib/dlz/modules/bdbhpt/README.md
new file mode 100644
index 0000000..3a9e7a7
--- /dev/null
+++ b/contrib/dlz/modules/bdbhpt/README.md
@@ -0,0 +1,113 @@
+<!--
+Copyright Internet Systems Consortium, Inc. ("ISC")
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+Copyright (C) Stichting NLnet, Netherlands, stichting@nlnet.nl.
+
+The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
+conceived and contributed by Rob Butler.
+
+SPDX-License-Identifier: ISC and MPL-2.0
+
+Permission to use, copy, modify, and distribute this software for any purpose
+with or without fee is hereby granted, provided that the above copyright
+notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND STICHTING NLNET DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL STICHTING NLNET BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+-->
+
+dlz-bdbhpt-dynamic
+==================
+
+A Bind 9 Dynamically Loadable BerkeleyDB High Performance Text Driver
+
+Summary
+-------
+
+This is an attempt to port the original Bind 9 DLZ bdbhpt_driver.c as
+found in the Bind 9 source tree into the new DLZ dlopen driver API.
+The goals of this project are as follows:
+
+* Provide DLZ facilities to OEM-supported Bind distributions
+* Support both v1 (Bind 9.8) and v2 (Bind 9.9) of the dlopen() DLZ API
+
+Requirements
+------------
+
+You will need the following:
+ * Bind 9.8 or higher with the DLZ dlopen driver enabled
+ * BerkeleyDB libraries and header files
+ * A C compiler
+
+This distribution have been successfully installed and tested on
+Ubuntu 12.04.
+
+Installation
+------------
+
+With the above requirements satisfied perform the following steps:
+
+1. Ensure the symlink for dlz_minimal.h points at the correct header
+   file matching your Bind version
+2. Run: make
+3. Run: sudo make install # this will install dlz_bdbhpt_dynamic.so
+   into /usr/lib/bind9/
+4. Add a DLZ statement similar to the example below into your
+   Bind configuration
+5. Ensure your BerkeleyDB home-directory exists and can be written to
+   by the bind user
+6. Use the included testing/bdbhpt-populate.pl script to provide some
+   data for initial testing
+
+Usage
+-----
+
+Example usage is as follows:
+
+```
+dlz "bdbhpt_dynamic" {
+        database "dlopen /usr/lib/bind9/dlz_bdbhpt_dynamic.so T /var/cache/bind/dlz dnsdata.db";
+};
+```
+
+The arguments for the "database" line above are as follows:
+
+1. dlopen - Use the dlopen DLZ driver to dynamically load our compiled
+   driver
+2. The full path to your built dlz_bdbhpt_dynamic.so
+3. Single character specifying the mode to open your BerkeleyDB
+   environment:
+   * T - Transactional Mode - Highest safety, lowest speed.
+   * C - Concurrent Mode - Lower safety (no rollback), higher speed.
+   * P - Private Mode - No interprocess communication & no locking.
+     Lowest safety, highest speed.
+4. Directory containing your BerkeleyDB - this is where the BerkeleyDB
+   environment will be created.
+5. Filename within this directory containing your BerkeleyDB tables.
+
+A copy of the above Bind configuration is included within
+example/dlz.conf.
+
+Author
+------
+
+The person responsible for this is:
+
+ Mark Goldfinch <g@g.org.nz>
+
+The code is maintained at:
+
+ https://github.com/goldie80/dlz-bdbhpt-dynamic
+
+There is very little in the way of original code in this work,
+however, original license conditions from both bdbhpt_driver.c and
+dlz_example.c are maintained in the dlz_bdbhpt_dynamic.c.
diff --git a/contrib/dlz/modules/bdbhpt/dlz_bdbhpt_dynamic.c b/contrib/dlz/modules/bdbhpt/dlz_bdbhpt_dynamic.c
new file mode 100644
index 0000000..e84f866
--- /dev/null
+++ b/contrib/dlz/modules/bdbhpt/dlz_bdbhpt_dynamic.c
@@ -0,0 +1,837 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 and ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+
+/*
+ * Copyright (C) Stichting NLnet, Netherlands, stichting@nlnet.nl.
+ *
+ * The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
+ * conceived and contributed by Rob Butler.
+ *
+ * Permission to use, copy, modify, and distribute this software for any purpose
+ * with or without fee is hereby granted, provided that the above copyright
+ * notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+ * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * This is simply a merge of Andrew Tridgell's dlz_example.c and the
+ * original bdb_bdbhpt_driver.c
+ *
+ * This provides the externally loadable bdbhpt DLZ driver, without
+ * update support
+ *
+ */
+
+#include <db.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "dlz_minimal.h"
+
+/* should the bdb driver use threads. */
+#define bdbhpt_threads DB_THREAD
+
+/* bdbhpt database names */
+#define dlz_data   "dns_data"
+#define dlz_zone   "dns_zone"
+#define dlz_xfr	   "dns_xfr"
+#define dlz_client "dns_client"
+
+#define dlz_bdbhpt_dynamic_version "0.1"
+
+/*
+ * This structure contains all our DB handles and helper functions we
+ * inherit from the dlz_dlopen driver
+ *
+ */
+typedef struct bdbhpt_instance {
+	DB_ENV *dbenv; /* bdbhpt environment */
+	DB *data;      /* dns_data database handle */
+	DB *zone;      /* zone database handle */
+	DB *xfr;       /* zone xfr database handle */
+	DB *client;    /* client database handle */
+
+	/* Helper functions from the dlz_dlopen driver */
+	log_t *log;
+	dns_sdlz_putrr_t *putrr;
+	dns_sdlz_putnamedrr_t *putnamedrr;
+	dns_dlz_writeablezone_t *writeable_zone;
+} bdbhpt_instance_t;
+
+typedef struct bdbhpt_parsed_data {
+	char *host;
+	char *type;
+	int ttl;
+	char *data;
+} bdbhpt_parsed_data_t;
+
+static void
+b9_add_helper(struct bdbhpt_instance *db, const char *helper_name, void *ptr);
+
+/*%
+ * Reverses a string in place.
+ */
+static char *
+bdbhpt_strrev(char *str) {
+	char *p1, *p2;
+
+	if (!str || !*str) {
+		return (str);
+	}
+	for (p1 = str, p2 = str + strlen(str) - 1; p2 > p1; ++p1, --p2) {
+		*p1 ^= *p2;
+		*p2 ^= *p1;
+		*p1 ^= *p2;
+	}
+	return (str);
+}
+
+/*%
+ * Parses the DBT from the Berkeley DB into a parsed_data record
+ * The parsed_data record should be allocated before and passed into the
+ * bdbhpt_parse_data function.  The char (type & data) fields should not
+ * be "free"d as that memory is part of the DBT data field.  It will be
+ * "free"d when the DBT is freed.
+ */
+
+static isc_result_t
+bdbhpt_parse_data(log_t *log, char *in, bdbhpt_parsed_data_t *pd) {
+	char *endp, *ttlStr;
+	char *tmp = in;
+	char *lastchar = (char *)&tmp[strlen(tmp)];
+
+	/*%
+	 * String should be formatted as:
+	 *   replication_id
+	 *   (a space)
+	 *   host_name
+	 *   (a space)
+	 *   ttl
+	 *   (a space)
+	 *   type
+	 *   (a space)
+	 *   remaining data
+	 *
+	 * examples:
+	 *
+	 * 9191 host 10 A 127.0.0.1
+	 * server1_212 host 10 A 127.0.0.2
+	 * {xxxx-xxxx-xxxx-xxxx-xxxx} host 10 MX 20 mail.example.com
+	 */
+
+	/*
+	 * we don't need the replication id, so don't
+	 * bother saving a pointer to it.
+	 */
+
+	/* find space after replication id */
+	tmp = strchr(tmp, ' ');
+	/* verify we found a space */
+	if (tmp == NULL) {
+		return (ISC_R_FAILURE);
+	}
+	/* make sure it is safe to increment pointer */
+	if (++tmp > lastchar) {
+		return (ISC_R_FAILURE);
+	}
+
+	/* save pointer to host */
+	pd->host = tmp;
+
+	/* find space after host and change it to a '\0' */
+	tmp = strchr(tmp, ' ');
+	/* verify we found a space */
+	if (tmp == NULL) {
+		return (ISC_R_FAILURE);
+	}
+	/* change the space to a null (string terminator) */
+	tmp[0] = '\0';
+	/* make sure it is safe to increment pointer */
+	if (++tmp > lastchar) {
+		return (ISC_R_FAILURE);
+	}
+
+	/* save pointer to ttl string */
+	ttlStr = tmp;
+
+	/* find space after ttl and change it to a '\0' */
+	tmp = strchr(tmp, ' ');
+	/* verify we found a space */
+	if (tmp == NULL) {
+		return (ISC_R_FAILURE);
+	}
+	/* change the space to a null (string terminator) */
+	tmp[0] = '\0';
+	/* make sure it is safe to increment pointer */
+	if (++tmp > lastchar) {
+		return (ISC_R_FAILURE);
+	}
+
+	/* save pointer to dns type */
+	pd->type = tmp;
+
+	/* find space after type and change it to a '\0' */
+	tmp = strchr(tmp, ' ');
+	/* verify we found a space */
+	if (tmp == NULL) {
+		return (ISC_R_FAILURE);
+	}
+	/* change the space to a null (string terminator) */
+	tmp[0] = '\0';
+	/* make sure it is safe to increment pointer */
+	if (++tmp > lastchar) {
+		return (ISC_R_FAILURE);
+	}
+
+	/* save pointer to remainder of DNS data */
+	pd->data = tmp;
+
+	/* convert ttl string to integer */
+	pd->ttl = strtol(ttlStr, &endp, 10);
+	if (*endp != '\0' || pd->ttl < 0) {
+		log(ISC_LOG_ERROR, "bdbhpt_dynamic: "
+				   "ttl must be a positive number");
+		return (ISC_R_FAILURE);
+	}
+
+	/* if we get this far everything should have worked. */
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * See if a zone transfer is allowed
+ */
+isc_result_t
+dlz_allowzonexfr(void *dbdata, const char *name, const char *client) {
+	isc_result_t result;
+	bdbhpt_instance_t *db = (bdbhpt_instance_t *)dbdata;
+	DBT key, data;
+
+	/* check to see if we are authoritative for the zone first. */
+#if DLZ_DLOPEN_VERSION >= 3
+	result = dlz_findzonedb(dbdata, name, NULL, NULL);
+#else  /* if DLZ_DLOPEN_VERSION >= 3 */
+	result = dlz_findzonedb(dbdata, name);
+#endif /* if DLZ_DLOPEN_VERSION >= 3 */
+	if (result != ISC_R_SUCCESS) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	memset(&key, 0, sizeof(DBT));
+	key.flags = DB_DBT_MALLOC;
+	key.data = strdup(name);
+	if (key.data == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto xfr_cleanup;
+	}
+	key.size = strlen(key.data);
+
+	memset(&data, 0, sizeof(DBT));
+	data.flags = DB_DBT_MALLOC;
+	data.data = strdup(client);
+	if (data.data == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto xfr_cleanup;
+	}
+	data.size = strlen(data.data);
+
+	switch (db->client->get(db->client, NULL, &key, &data, DB_GET_BOTH)) {
+	case DB_NOTFOUND:
+		result = ISC_R_NOTFOUND;
+		break;
+	case 0:
+		result = ISC_R_SUCCESS;
+		break;
+	default:
+		result = ISC_R_FAILURE;
+	}
+
+xfr_cleanup:
+	/* free any memory duplicate string in the key field */
+	if (key.data != NULL) {
+		free(key.data);
+	}
+
+	/* free any memory allocated to the data field. */
+	if (data.data != NULL) {
+		free(data.data);
+	}
+
+	return (result);
+}
+
+/*%
+ * Perform a zone transfer
+ *
+ * BDB does not allow a secondary index on a database that allows
+ * duplicates.	We have a few options:
+ *
+ * 1) kill speed by having lookup method use a secondary db which
+ * is associated to the primary DB with the DNS data.	 Then have
+ * another secondary db for zone transfer which also points to
+ * the dns_data primary.	NO - The	point of this driver is
+ * lookup performance.
+ *
+ * 2) Blow up database size by storing DNS data twice.	Once for
+ * the lookup (dns_data) database, and a second time for the zone
+ * transfer (dns_xfr) database. NO - That would probably require
+ * a larger cache to provide good performance.	Also, that would
+ * make the DB larger on disk potentially slowing it as well.
+ *
+ * 3) Loop through the dns_xfr database with a cursor to get
+ * all the different hosts in a zone.	 Then use the zone & host
+ * together to lookup the data in the dns_data database. YES -
+ * This may slow down zone xfr's a little, but that's ok they
+ * don't happen as often and don't need to be as fast. We can
+ * also use this table when deleting a zone (The BDB driver
+ * is read only - the delete would be used during replication
+ * updates by a separate process).
+ */
+isc_result_t
+dlz_allnodes(const char *zone, void *dbdata, dns_sdlzallnodes_t *allnodes) {
+	isc_result_t result = ISC_R_NOTFOUND;
+	bdbhpt_instance_t *db = (bdbhpt_instance_t *)dbdata;
+	DBC *xfr_cursor = NULL;
+	DBC *dns_cursor = NULL;
+	DBT xfr_key, xfr_data, dns_key, dns_data;
+	int xfr_flags;
+	int dns_flags;
+	int bdbhptres;
+	bdbhpt_parsed_data_t pd;
+	char *tmp = NULL, *tmp_zone, *tmp_zone_host = NULL;
+
+	memset(&xfr_key, 0, sizeof(DBT));
+	memset(&xfr_data, 0, sizeof(DBT));
+	memset(&dns_key, 0, sizeof(DBT));
+	memset(&dns_data, 0, sizeof(DBT));
+
+	xfr_key.data = tmp_zone = strdup(zone);
+	if (xfr_key.data == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	xfr_key.size = strlen(xfr_key.data);
+
+	/* get a cursor to loop through dns_xfr table */
+	if (db->xfr->cursor(db->xfr, NULL, &xfr_cursor, 0) != 0) {
+		result = ISC_R_FAILURE;
+		goto allnodes_cleanup;
+	}
+
+	/* get a cursor to loop through dns_data table */
+	if (db->data->cursor(db->data, NULL, &dns_cursor, 0) != 0) {
+		result = ISC_R_FAILURE;
+		goto allnodes_cleanup;
+	}
+
+	xfr_flags = DB_SET;
+
+	/* loop through xfr table for specified zone. */
+	while ((bdbhptres = xfr_cursor->c_get(xfr_cursor, &xfr_key, &xfr_data,
+					      xfr_flags)) == 0)
+	{
+		xfr_flags = DB_NEXT_DUP;
+
+		/* +1 to allow for space between zone and host names */
+		dns_key.size = xfr_data.size + xfr_key.size + 1;
+
+		/* +1 to allow for null term at end of string. */
+		dns_key.data = tmp_zone_host = malloc(dns_key.size + 1);
+		if (dns_key.data == NULL) {
+			goto allnodes_cleanup;
+		}
+
+		/*
+		 * construct search key for dns_data.
+		 * zone_name(a space)host_name
+		 */
+		strcpy(dns_key.data, zone);
+		strcat(dns_key.data, " ");
+		strncat(dns_key.data, xfr_data.data, xfr_data.size);
+
+		dns_flags = DB_SET;
+
+		while ((bdbhptres = dns_cursor->c_get(dns_cursor, &dns_key,
+						      &dns_data, dns_flags)) ==
+		       0)
+		{
+			dns_flags = DB_NEXT_DUP;
+
+			/* +1 to allow for null term at end of string. */
+			tmp = realloc(tmp, dns_data.size + 1);
+			if (tmp == NULL) {
+				goto allnodes_cleanup;
+			}
+
+			/* copy data to tmp string, and append null term. */
+			strncpy(tmp, dns_data.data, dns_data.size);
+			tmp[dns_data.size] = '\0';
+
+			/* split string into dns data parts. */
+			if (bdbhpt_parse_data(db->log, tmp, &pd) !=
+			    ISC_R_SUCCESS)
+			{
+				goto allnodes_cleanup;
+			}
+			result = db->putnamedrr(allnodes, pd.host, pd.type,
+						pd.ttl, pd.data);
+			if (result != ISC_R_SUCCESS) {
+				goto allnodes_cleanup;
+			}
+		} /* end inner while loop */
+
+		/* clean up memory */
+		if (tmp_zone_host != NULL) {
+			free(tmp_zone_host);
+			tmp_zone_host = NULL;
+		}
+	} /* end outer while loop */
+
+allnodes_cleanup:
+	/* free any memory */
+	if (tmp != NULL) {
+		free(tmp);
+	}
+
+	if (tmp_zone_host != NULL) {
+		free(tmp_zone_host);
+	}
+
+	if (tmp_zone != NULL) {
+		free(tmp_zone);
+	}
+
+	/* get rid of cursors */
+	if (xfr_cursor != NULL) {
+		xfr_cursor->c_close(xfr_cursor);
+	}
+
+	if (dns_cursor != NULL) {
+		dns_cursor->c_close(dns_cursor);
+	}
+
+	return (result);
+}
+
+/*%
+ * Performs bdbhpt cleanup.
+ * Used by bdbhpt_create if there is an error starting up.
+ * Used by bdbhpt_destroy when the driver is shutting down.
+ */
+static void
+bdbhpt_cleanup(bdbhpt_instance_t *db) {
+	/* close databases */
+	if (db->data != NULL) {
+		db->data->close(db->data, 0);
+	}
+	if (db->xfr != NULL) {
+		db->xfr->close(db->xfr, 0);
+	}
+	if (db->zone != NULL) {
+		db->zone->close(db->zone, 0);
+	}
+	if (db->client != NULL) {
+		db->client->close(db->client, 0);
+	}
+
+	/* close environment */
+	if (db->dbenv != NULL) {
+		db->dbenv->close(db->dbenv, 0);
+	}
+}
+
+/*
+ * See if we handle a given zone
+ */
+#if DLZ_DLOPEN_VERSION < 3
+isc_result_t
+dlz_findzonedb(void *dbdata, const char *name)
+#else  /* if DLZ_DLOPEN_VERSION < 3 */
+isc_result_t
+dlz_findzonedb(void *dbdata, const char *name, dns_clientinfomethods_t *methods,
+	       dns_clientinfo_t *clientinfo)
+#endif /* if DLZ_DLOPEN_VERSION < 3 */
+{
+	isc_result_t result;
+	bdbhpt_instance_t *db = (bdbhpt_instance_t *)dbdata;
+	DBT key, data;
+
+	memset(&key, 0, sizeof(DBT));
+	memset(&data, 0, sizeof(DBT));
+	data.flags = DB_DBT_MALLOC;
+
+#if DLZ_DLOPEN_VERSION >= 3
+	UNUSED(methods);
+	UNUSED(clientinfo);
+#endif /* if DLZ_DLOPEN_VERSION >= 3 */
+
+	key.data = strdup(name);
+
+	if (key.data == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	/*
+	 * reverse string to take advantage of BDB locality of reference
+	 * if we need further lookups because the zone doesn't match the
+	 * first time.
+	 */
+	key.data = bdbhpt_strrev(key.data);
+	key.size = strlen(key.data);
+
+	switch (db->zone->get(db->zone, NULL, &key, &data, 0)) {
+	case DB_NOTFOUND:
+		result = ISC_R_NOTFOUND;
+		break;
+	case 0:
+		result = ISC_R_SUCCESS;
+		break;
+	default:
+		result = ISC_R_FAILURE;
+	}
+
+	/* free any memory duplicate string in the key field */
+	if (key.data != NULL) {
+		free(key.data);
+	}
+
+	/* free any memory allocated to the data field. */
+	if (data.data != NULL) {
+		free(data.data);
+	}
+
+	return (result);
+}
+
+/*
+ * Look up one record in the database.
+ *
+ */
+#if DLZ_DLOPEN_VERSION == 1
+isc_result_t
+dlz_lookup(const char *zone, const char *name, void *dbdata,
+	   dns_sdlzlookup_t *lookup)
+#else  /* if DLZ_DLOPEN_VERSION == 1 */
+isc_result_t
+dlz_lookup(const char *zone, const char *name, void *dbdata,
+	   dns_sdlzlookup_t *lookup, dns_clientinfomethods_t *methods,
+	   dns_clientinfo_t *clientinfo)
+#endif /* if DLZ_DLOPEN_VERSION == 1 */
+{
+	isc_result_t result = ISC_R_NOTFOUND;
+	bdbhpt_instance_t *db = (bdbhpt_instance_t *)dbdata;
+	DBC *data_cursor = NULL;
+	DBT key, data;
+	int bdbhptres;
+	int flags;
+
+	bdbhpt_parsed_data_t pd;
+	char *tmp = NULL;
+	char *keyStr = NULL;
+
+#if DLZ_DLOPEN_VERSION >= 2
+	UNUSED(methods);
+	UNUSED(clientinfo);
+#endif /* if DLZ_DLOPEN_VERSION >= 2 */
+
+	memset(&key, 0, sizeof(DBT));
+	memset(&data, 0, sizeof(DBT));
+
+	key.size = strlen(zone) + strlen(name) + 1;
+
+	/* allocate mem for key */
+	key.data = keyStr = malloc((key.size + 1) * sizeof(char));
+
+	if (keyStr == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	strcpy(keyStr, zone);
+	strcat(keyStr, " ");
+	strcat(keyStr, name);
+
+	/* get a cursor to loop through data */
+	if (db->data->cursor(db->data, NULL, &data_cursor, 0) != 0) {
+		result = ISC_R_FAILURE;
+		goto lookup_cleanup;
+	}
+
+	result = ISC_R_NOTFOUND;
+
+	flags = DB_SET;
+	while ((bdbhptres = data_cursor->c_get(data_cursor, &key, &data,
+					       flags)) == 0)
+	{
+		flags = DB_NEXT_DUP;
+		tmp = realloc(tmp, data.size + 1);
+		if (tmp == NULL) {
+			goto lookup_cleanup;
+		}
+
+		strncpy(tmp, data.data, data.size);
+		tmp[data.size] = '\0';
+
+		if (bdbhpt_parse_data(db->log, tmp, &pd) != ISC_R_SUCCESS) {
+			goto lookup_cleanup;
+		}
+
+		result = db->putrr(lookup, pd.type, pd.ttl, pd.data);
+		if (result != ISC_R_SUCCESS) {
+			goto lookup_cleanup;
+		}
+	} /* end while loop */
+
+lookup_cleanup:
+	/* get rid of cursor */
+	if (data_cursor != NULL) {
+		data_cursor->c_close(data_cursor);
+	}
+
+	free(keyStr);
+	if (tmp != NULL) {
+		free(tmp);
+	}
+
+	return (result);
+}
+
+/*%
+ * Initialises, sets flags and then opens Berkeley databases.
+ */
+static isc_result_t
+bdbhpt_opendb(log_t *log, DB_ENV *db_env, DBTYPE db_type, DB **db,
+	      const char *db_name, char *db_file, int flags) {
+	int result;
+
+	/* Initialise the database. */
+	if ((result = db_create(db, db_env, 0)) != 0) {
+		log(ISC_LOG_ERROR,
+		    "bdbhpt_dynamic: could not initialize %s database. "
+		    "BerkeleyDB error: %s",
+		    db_name, db_strerror(result));
+		return (ISC_R_FAILURE);
+	}
+
+	/* set database flags. */
+	if ((result = (*db)->set_flags(*db, flags)) != 0) {
+		log(ISC_LOG_ERROR,
+		    "bdbhpt_dynamic: could not set flags for %s database. "
+		    "BerkeleyDB error: %s",
+		    db_name, db_strerror(result));
+		return (ISC_R_FAILURE);
+	}
+
+	/* open the database. */
+	if ((result = (*db)->open(*db, NULL, db_file, db_name, db_type,
+				  DB_RDONLY | bdbhpt_threads, 0)) != 0)
+	{
+		log(ISC_LOG_ERROR,
+		    "bdbhpt_dynamic: could not open %s database in %s. "
+		    "BerkeleyDB error: %s",
+		    db_name, db_file, db_strerror(result));
+		return (ISC_R_FAILURE);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Called to initialize the driver
+ */
+isc_result_t
+dlz_create(const char *dlzname, unsigned int argc, char *argv[], void **dbdata,
+	   ...) {
+	isc_result_t result;
+	int bdbhptres;
+	int bdbFlags = 0;
+	bdbhpt_instance_t *db = NULL;
+
+	const char *helper_name;
+	va_list ap;
+
+	UNUSED(dlzname);
+
+	/* Allocate memory for our db structures and helper functions */
+	db = calloc(1, sizeof(struct bdbhpt_instance));
+	if (db == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	/* Fill in the helper functions */
+	va_start(ap, dbdata);
+	while ((helper_name = va_arg(ap, const char *)) != NULL) {
+		b9_add_helper(db, helper_name, va_arg(ap, void *));
+	}
+	va_end(ap);
+
+	/* verify we have 4 arg's passed to the driver */
+	if (argc != 4) {
+		db->log(ISC_LOG_ERROR,
+			"bdbhpt_dynamic: please supply 3 command line args. "
+			"You supplied: %s",
+			argc);
+		return (ISC_R_FAILURE);
+	}
+
+	switch ((char)*argv[1]) {
+	/*
+	 * Transactional mode.	Highest safety - lowest speed.
+	 */
+	case 'T':
+	case 't':
+		bdbFlags = DB_INIT_MPOOL | DB_INIT_LOCK | DB_INIT_LOG |
+			   DB_INIT_TXN;
+		db->log(ISC_LOG_INFO, "bdbhpt_dynamic: using transactional "
+				      "mode.");
+		break;
+
+	/*
+	 * Concurrent mode.	 Lower safety (no rollback) -
+	 * higher speed.
+	 */
+	case 'C':
+	case 'c':
+		bdbFlags = DB_INIT_CDB | DB_INIT_MPOOL;
+		db->log(ISC_LOG_INFO, "bdbhpt_dynamic: using concurrent mode.");
+		break;
+
+	/*
+	 * Private mode. No inter-process communication & no locking.
+	 * Lowest safety - highest speed.
+	 */
+	case 'P':
+	case 'p':
+		bdbFlags = DB_PRIVATE | DB_INIT_MPOOL;
+		db->log(ISC_LOG_INFO, "bdbhpt_dynamic: using private mode.");
+		break;
+	default:
+		db->log(ISC_LOG_ERROR,
+			"bdbhpt_dynamic: "
+			"operating mode must be set to P or C or T. "
+			"You specified '%s'",
+			argv[1]);
+		return (ISC_R_FAILURE);
+	}
+
+	/*
+	 * create bdbhpt environment
+	 * Basically bdbhpt allocates and assigns memory to db->dbenv
+	 */
+	bdbhptres = db_env_create(&db->dbenv, 0);
+	if (bdbhptres != 0) {
+		db->log(ISC_LOG_ERROR,
+			"bdbhpt_dynamic: db environment could not be created. "
+			"BerkeleyDB error: %s",
+			db_strerror(bdbhptres));
+		result = ISC_R_FAILURE;
+		goto init_cleanup;
+	}
+
+	/* open bdbhpt environment */
+	bdbhptres = db->dbenv->open(db->dbenv, argv[2],
+				    bdbFlags | bdbhpt_threads | DB_CREATE, 0);
+	if (bdbhptres != 0) {
+		db->log(ISC_LOG_ERROR,
+			"bdbhpt_dynamic: "
+			"db environment at '%s' could not be opened. "
+			"BerkeleyDB error: %s",
+			argv[2], db_strerror(bdbhptres));
+		result = ISC_R_FAILURE;
+		goto init_cleanup;
+	}
+
+	/* open dlz_data database. */
+	result = bdbhpt_opendb(db->log, db->dbenv, DB_UNKNOWN, &db->data,
+			       dlz_data, argv[3], DB_DUP | DB_DUPSORT);
+	if (result != ISC_R_SUCCESS) {
+		goto init_cleanup;
+	}
+
+	/* open dlz_xfr database. */
+	result = bdbhpt_opendb(db->log, db->dbenv, DB_UNKNOWN, &db->xfr,
+			       dlz_xfr, argv[3], DB_DUP | DB_DUPSORT);
+	if (result != ISC_R_SUCCESS) {
+		goto init_cleanup;
+	}
+
+	/* open dlz_zone database. */
+	result = bdbhpt_opendb(db->log, db->dbenv, DB_UNKNOWN, &db->zone,
+			       dlz_zone, argv[3], 0);
+	if (result != ISC_R_SUCCESS) {
+		goto init_cleanup;
+	}
+
+	/* open dlz_client database. */
+	result = bdbhpt_opendb(db->log, db->dbenv, DB_UNKNOWN, &db->client,
+			       dlz_client, argv[3], DB_DUP | DB_DUPSORT);
+	if (result != ISC_R_SUCCESS) {
+		goto init_cleanup;
+	}
+
+	*dbdata = db;
+
+	db->log(ISC_LOG_INFO, "bdbhpt_dynamic: version %s, started",
+		dlz_bdbhpt_dynamic_version);
+	return (ISC_R_SUCCESS);
+
+init_cleanup:
+	bdbhpt_cleanup(db);
+	return (result);
+}
+
+/*
+ * Shut down the backend
+ */
+void
+dlz_destroy(void *dbdata) {
+	struct bdbhpt_instance *db = (struct bdbhpt_instance *)dbdata;
+
+	db->log(ISC_LOG_INFO, "dlz_bdbhpt_dynamic (%s): shutting down",
+		dlz_bdbhpt_dynamic_version);
+	bdbhpt_cleanup((bdbhpt_instance_t *)dbdata);
+	free(db);
+}
+
+/*
+ * Return the version of the API
+ */
+int
+dlz_version(unsigned int *flags) {
+	UNUSED(flags);
+	return (DLZ_DLOPEN_VERSION);
+}
+
+/*
+ * Register a helper function from the bind9 dlz_dlopen driver
+ */
+static void
+b9_add_helper(struct bdbhpt_instance *db, const char *helper_name, void *ptr) {
+	if (strcmp(helper_name, "log") == 0) {
+		db->log = (log_t *)ptr;
+	}
+	if (strcmp(helper_name, "putrr") == 0) {
+		db->putrr = (dns_sdlz_putrr_t *)ptr;
+	}
+	if (strcmp(helper_name, "putnamedrr") == 0) {
+		db->putnamedrr = (dns_sdlz_putnamedrr_t *)ptr;
+	}
+	if (strcmp(helper_name, "writeable_zone") == 0) {
+		db->writeable_zone = (dns_dlz_writeablezone_t *)ptr;
+	}
+}
diff --git a/contrib/dlz/modules/bdbhpt/testing/README b/contrib/dlz/modules/bdbhpt/testing/README
new file mode 100644
index 0000000..aec0935
--- /dev/null
+++ b/contrib/dlz/modules/bdbhpt/testing/README
@@ -0,0 +1,11 @@
+These files were used for testing on Ubuntu Linux using BDB 5.1 and
+BerkeleyDB 0.54 for perl.
+
+- Populate the database from dns-data.txt for zone example.com:
+
+      perl bdbhpt-populate.pl \
+          --bdb=test.db --input=dns-data.txt --zones=example.com
+
+- Run "named -g -c named.conf"
+
+BDB server is now loaded with example.com data from the file test.db
diff --git a/contrib/dlz/modules/bdbhpt/testing/bdbhpt-populate.pl b/contrib/dlz/modules/bdbhpt/testing/bdbhpt-populate.pl
new file mode 100755
index 0000000..b2bceba
--- /dev/null
+++ b/contrib/dlz/modules/bdbhpt/testing/bdbhpt-populate.pl
@@ -0,0 +1,244 @@
+#!/usr/bin/perl -w
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+use strict;
+use BerkeleyDB;
+use Getopt::Long;
+
+my $opt = {};
+if (!GetOptions($opt, qw/bdb|b:s input|i:s zones|z:s help|h/)) {
+    usage('GetOptions processing failed.');
+    exit 1;
+}
+
+if ($opt->{help}) {
+    usage();
+    exit 0;
+}
+
+my $db_file = $opt->{bdb};
+if (!defined $db_file || $db_file eq '') {
+    usage('Please specify an output BerkeleyDB filename.');
+    exit 1;
+}
+
+my $input_file = $opt->{input};
+if (!defined $input_file || $input_file eq '') {
+    usage('Please specify an input records file.');
+    exit 1;
+}
+
+my $zone_list = $opt->{zones};
+if (!defined $zone_list || $zone_list eq '') {
+    usage('Please specify a space separated list of zones');
+    exit 1;
+}
+
+my $records = [];
+my $unique_names = [];
+populate_records(records=>$records, input_file=>$input_file, unique_names=>$unique_names);
+
+my $flags =  DB_CREATE;
+
+my $dns_data = new BerkeleyDB::Hash
+    -Filename  => $db_file,
+    -Flags     => $flags,
+    -Property  => DB_DUP | DB_DUPSORT,
+    -Subname   => "dns_data"
+    ||    die "Cannot create dns_data: $BerkeleyDB::Error";
+
+my $replId = 0;
+my @zones = split(/\s+/, $zone_list);
+foreach my $zone (@zones) {
+    foreach my $r (@$records) {
+        my $name = $r->{name};
+        my $ttl = $r->{ttl};
+        my $type = $r->{type};
+        my $data = $r->{data};
+        
+        $data =~ s/\%zone\%/$zone/g;
+        $data =~ s/\%driver\%/bdbhpt-dynamic/g;
+        
+        my $row_name  = "$zone $name";
+        my $row_value = "$replId $name $ttl $type $data";
+        if ($dns_data->db_put($row_name, $row_value) != 0) {
+            die "Cannot add record '$row_name' -> '$row_value' to dns_data: $BerkeleyDB::Error";
+        }
+        $replId++;
+    }
+}
+
+$dns_data->db_close();
+
+my $dns_xfr = new BerkeleyDB::Hash
+    -Filename  => $db_file,
+    -Flags     => $flags,
+    -Property  => DB_DUP | DB_DUPSORT,
+    -Subname   => "dns_xfr"
+    or die "Cannot create dns_xfr: $BerkeleyDB::Error";
+
+foreach my $zone (@zones) {
+    foreach my $name (@$unique_names) {
+        if ($dns_xfr->db_put($zone, $name) != 0) {
+            die "Cannot add record '$zone' -> '$name' to dns_xfr: $BerkeleyDB::Error";
+        }
+    }
+}
+
+$dns_xfr->db_close();
+
+my $dns_client = new BerkeleyDB::Hash
+    -Filename  => $db_file,
+    -Flags     => $flags,
+    -Property  => DB_DUP | DB_DUPSORT,
+    -Subname   => "dns_client"
+    or die "Cannot create dns_client: $BerkeleyDB::Error";
+
+foreach my $zone (@zones) {
+    my $ip = '127.0.0.1';
+    if ($dns_client->db_put($zone, $ip) != 0) {
+        die "Cannot add record '$zone' -> '$ip' to dns_client: $BerkeleyDB::Error";
+    }
+}
+
+$dns_client->db_close();
+
+my $dns_zone = new BerkeleyDB::Btree
+    -Filename  => $db_file,
+    -Flags     => $flags,
+    -Property  => 0,
+    -Subname   => "dns_zone"
+    or die "Cannot create dns_zone: $BerkeleyDB::Error";
+
+foreach my $zone (@zones) {
+    my $reversed_zone = reverse($zone);
+    if ($dns_zone->db_put($reversed_zone, "1") != 0) {
+        die "Cannot add record '$reversed_zone' -> '1' to dns_zone: $BerkeleyDB::Error";
+    }
+};
+
+$dns_zone->db_close();
+
+exit 0;
+
+sub usage {
+    my ($message) = @_;
+    if (defined $message && $message ne '') {
+        print STDERR $message . "\n\n";
+    }
+
+    print STDERR "usage: $0 --bdb=<bdb-file> --input=<input-file> --zones=<zone-list>\n\n";
+    print STDERR "\tbdb-file: The output BerkeleyDB file you wish to create and use with bdbhpt-dynamic\n\n";
+    print STDERR "\tinput-file: The input text-file containing records to populate within your zones\n\n";
+    print STDERR "\tzone-list: The space-separated list of zones you wish to create\n\n";
+}
+
+sub populate_records {
+    my (%args) = @_;
+    my $records = $args{records};
+    my $input_file = $args{input_file};
+    my $unique_names = $args{unique_names};
+
+    my %unique;
+
+    open(RECORDS, $input_file) || die "unable to open $input_file: $!";
+    while (<RECORDS>) {
+        chomp;
+        s/\#.*$//;
+        s/^\s+//;
+        if ($_ eq '') {
+            next;
+        }
+        my ($name, $ttl, $type, $data) = split(/\s+/, $_, 4);
+        my $record = { name=>$name, ttl=>$ttl, type=>$type, data=>$data };
+        if (validate_record($record)) {
+            push @$records, $record;
+            $unique{$name} = 1;
+        }
+    }
+    close(RECORDS);
+
+    foreach my $name (sort keys %unique) {
+        push @$unique_names, $name;
+    }
+}
+
+# This could probably do more in-depth tests, but these tests are better than nothing!
+sub validate_record {
+    my ($r) = @_;
+
+    # http://en.wikipedia.org/wiki/List_of_DNS_record_types
+    my @TYPES = qw/A AAAA AFSDB APL CERT CNAME DHCID DLV DNAME DNSKEY DS HIP IPSECKEY KEY KX LOC MX NAPTR NS NSEC NSEC3 NSEC3PARAM PTR RRSIG RP SIG SOA SPF SRV SSHFP TA TKEY TLSA TSIG TXT/;
+    my $VALID_TYPE = {};
+    foreach my $t (@TYPES) {
+        $VALID_TYPE->{$t} = 1;
+    }
+    
+    if (!defined $r->{name} || $r->{name} eq '') {
+        die "Record name must be set";
+    }
+
+    if (!defined $r->{ttl} || $r->{ttl} eq '') {
+        die "Record TTL must be set";
+    }
+
+    if ($r->{ttl} =~ /\D/ || $r->{ttl} < 0) {
+        die "Record TTL must be an integer 0 or greater";
+    }
+
+    if (!defined $r->{type} || $r->{type} eq '') {
+        die "Record type must be set";
+    }
+
+    if (!$VALID_TYPE->{$r->{type}}) {
+        die "Unsupported record type: $r->{type}";
+    }
+
+    # Lets do some data validation for the records which will cause bind to crash if they're wrong
+    if ($r->{type} eq 'SOA') {
+        my $soa_error = "SOA records must take the form: 'server email refresh retry expire negative_cache_ttl'";
+        my ($server, $email, $version, $refresh, $retry, $expire, $negative_cache_ttl) = split(/\s+/, $r->{data});
+        if (!defined $server || $server eq '') {
+            die "$soa_error, missing server";
+        }
+        if (!defined $email || $email eq '') {
+            die "$soa_error, missing email";
+        }
+        if (!defined $refresh || $refresh eq '') {
+            die "$soa_error, missing refresh";
+        }
+        if ($refresh =~ /\D/ || $refresh <= 0) {
+            die "$soa_error, refresh must be an integer greater than 0";
+        }
+        if (!defined $retry || $retry eq '') {
+            die "$soa_error, missing retry";
+        }
+        if ($retry =~ /\D/ || $retry <= 0) {
+            die "$soa_error, retry must be an integer greater than 0";
+        }
+        if (!defined $expire || $expire eq '') {
+            die "$soa_error, missing expire";
+        }
+        if ($expire =~ /\D/ || $expire <= 0) {
+            die "$soa_error, expire must be an integer greater than 0";
+        }
+        if (!defined $negative_cache_ttl || $negative_cache_ttl eq '') {
+            die "$soa_error, missing negative cache ttl";
+        }
+        if ($negative_cache_ttl =~ /\D/ || $negative_cache_ttl <= 0) {
+            die "$soa_error, negative cache ttl must be an integer greater than 0";
+        }
+    }
+
+    return 1;
+}
diff --git a/contrib/dlz/modules/bdbhpt/testing/dns-data.txt b/contrib/dlz/modules/bdbhpt/testing/dns-data.txt
new file mode 100644
index 0000000..242cd3d
--- /dev/null
+++ b/contrib/dlz/modules/bdbhpt/testing/dns-data.txt
@@ -0,0 +1,19 @@
+# Name TTL Type Data
+@ 3600 SOA ns1.%zone%. root.%zone%. 2012071700 604800 86400 2419200 10800
+@ 3600 NS ns1.%zone%.
+@ 3600 MX 5 mx1.%zone%.
+@ 3600 MX 10 mx2.%zone%.
+@ 3600 TXT This zone brought to you by %driver%!
+jabber 3600 A 127.0.0.1
+mx1 3600 A 127.0.0.2
+mx2 3600 A 127.0.0.3
+jabber 3600 A 127.0.0.4
+ns1 3600 A 127.0.0.5
+ns1 3600 AAAA ::1
+voip 3600 A 127.0.0.6
+www 3600 CNAME www1.%zone%
+www1 3600 A 127.0.0.7
+_sip._udp 3600 SRV 5 0 5060 voip.%zone%.
+_jabber._tcp 3600 SRV 5 0 5269 jabber.%zone%.
+_xmpp-client._tcp 3600 SRV 5 0 5222 jabber.%zone%.
+_xmpp-server._tcp 3600 SRV 5 0 5269 jabber.%zone%.
diff --git a/contrib/dlz/modules/bdbhpt/testing/named.conf b/contrib/dlz/modules/bdbhpt/testing/named.conf
new file mode 100644
index 0000000..c8b5722
--- /dev/null
+++ b/contrib/dlz/modules/bdbhpt/testing/named.conf
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+controls { };
+
+options {
+	directory ".";
+	port 5300;
+	pid-file "named.pid";
+	session-keyfile "session.key";
+	listen-on { any; };
+	listen-on-v6 { none; };
+	recursion no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-md5;
+};
+
+controls {
+	inet 127.0.0.1 port 9953 allow { any; } keys { rndc_key; };
+};
+
+dlz "bdbhpt_dynamic" {
+        database "dlopen ../dlz_bdbhpt_dynamic.so T . test.db";
+};
diff --git a/contrib/dlz/modules/common/dlz_dbi.c b/contrib/dlz/modules/common/dlz_dbi.c
new file mode 100644
index 0000000..88ff632
--- /dev/null
+++ b/contrib/dlz/modules/common/dlz_dbi.c
@@ -0,0 +1,484 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 and ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+
+/*
+ * Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
+ *
+ * The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
+ * conceived and contributed by Rob Butler.
+ *
+ * Permission to use, copy, modify, and distribute this software for any purpose
+ * with or without fee is hereby granted, provided that the above copyright
+ * notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+ * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <ctype.h>
+#include <errno.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <dlz_dbi.h>
+#include <dlz_list.h>
+#include <dlz_minimal.h>
+#include <dlz_pthread.h>
+
+/*%
+ * properly destroys a querylist by de-allocating the
+ * memory for each query segment, and then the list itself
+ */
+
+void
+destroy_querylist(query_list_t **querylist) {
+	query_segment_t *tseg = NULL;
+	query_segment_t *nseg = NULL;
+
+	/* if query list is null, nothing to do */
+	if (*querylist == NULL) {
+		return;
+	}
+
+	/* start at the top of the list */
+	nseg = DLZ_LIST_HEAD(**querylist);
+	while (nseg != NULL) { /* loop, until end of list */
+		tseg = nseg;
+		/*
+		 * free the query segment's text string but only if it
+		 * was really a query segment, and not a pointer to
+		 * %zone%, or %record%, or %client%
+		 */
+		if (tseg->cmd != NULL && tseg->direct) {
+			free(tseg->cmd);
+		}
+		/* get the next query segment, before we destroy this one. */
+		nseg = DLZ_LIST_NEXT(nseg, link);
+		/* deallocate this query segment. */
+		free(tseg);
+	}
+	/* deallocate the query segment list */
+	free(*querylist);
+}
+
+/*% constructs a query list by parsing a string into query segments */
+isc_result_t
+build_querylist(const char *query_str, char **zone, char **record,
+		char **client, query_list_t **querylist, unsigned int flags,
+		log_t log) {
+	isc_result_t result;
+	bool foundzone = false;
+	bool foundrecord = false;
+	bool foundclient = false;
+	char *temp_str = NULL;
+	char *right_str = NULL;
+	char *token = NULL;
+	query_list_t *tql;
+	query_segment_t *tseg = NULL;
+
+	/* if query string is null, or zero length */
+	if (query_str == NULL || strlen(query_str) < 1) {
+		if ((flags & REQUIRE_QUERY) == 0) {
+			/* we don't need it were ok. */
+			return (ISC_R_SUCCESS);
+		} else {
+			/* we did need it, PROBLEM!!! */
+			return (ISC_R_FAILURE);
+		}
+	}
+
+	/* allocate memory for query list */
+	tql = calloc(1, sizeof(query_list_t));
+	/* couldn't allocate memory.  Problem!! */
+	if (tql == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	/* initialize the query segment list */
+	DLZ_LIST_INIT(*tql);
+
+	/* make a copy of query_str so we can chop it up */
+	temp_str = right_str = strdup(query_str);
+	/* couldn't make a copy, problem!! */
+	if (right_str == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+
+	/* loop through the string and chop it up */
+	for (token = strtok_r(right_str, "$", &temp_str); token;
+	     token = strtok_r(NULL, "$", &temp_str))
+	{
+		/* allocate memory for tseg */
+		tseg = calloc(1, sizeof(query_segment_t));
+		if (tseg == NULL) { /* no memory, clean everything up. */
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+		tseg->direct = false;
+		/* initialize the query segment link */
+		DLZ_LINK_INIT(tseg, link);
+		/* append the query segment to the list */
+		DLZ_LIST_APPEND(*tql, tseg, link);
+
+		/*
+		 * split string at the first "$". set query segment to
+		 * left portion
+		 */
+		tseg->cmd = strdup(token);
+		if (tseg->cmd == NULL) {
+			/* no memory, clean everything up. */
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+		/* tseg->cmd points directly to a string. */
+		tseg->direct = true;
+		tseg->strlen = strlen(tseg->cmd);
+
+		/* check if we encountered "$zone$" token */
+		if (strcasecmp(tseg->cmd, "zone") == 0) {
+			/*
+			 * we don't really need, or want the "zone"
+			 * text, so get rid of it.
+			 */
+			free(tseg->cmd);
+			/* set tseg->cmd to in-direct zone string */
+			tseg->cmd = (char **)zone;
+			tseg->strlen = 0;
+			/* tseg->cmd points in-directly to a string */
+			tseg->direct = false;
+			foundzone = true;
+			/* check if we encountered "$record$" token */
+		} else if (strcasecmp(tseg->cmd, "record") == 0) {
+			/*
+			 * we don't really need, or want the "record"
+			 * text, so get rid of it.
+			 */
+			free(tseg->cmd);
+			/* set tseg->cmd to in-direct record string */
+			tseg->cmd = (char **)record;
+			tseg->strlen = 0;
+			/* tseg->cmd points in-directly poinsts to a string */
+			tseg->direct = false;
+			foundrecord = true;
+			/* check if we encountered "$client$" token */
+		} else if (strcasecmp(tseg->cmd, "client") == 0) {
+			/*
+			 * we don't really need, or want the "client"
+			 * text, so get rid of it.
+			 */
+			free(tseg->cmd);
+			/* set tseg->cmd to in-direct record string */
+			tseg->cmd = (char **)client;
+			tseg->strlen = 0;
+			/* tseg->cmd points in-directly poinsts to a string */
+			tseg->direct = false;
+			foundclient = true;
+		}
+	}
+
+	/* we don't need temp_str any more */
+	free(right_str);
+	right_str = NULL;
+	/*
+	 * add checks later to verify zone and record are found if
+	 * necessary.
+	 */
+
+	/* if this query requires %client%, make sure we found it */
+	if (((flags & REQUIRE_CLIENT) != 0) && (!foundclient)) {
+		/* Write error message to log */
+		if (log != NULL) {
+			log(ISC_LOG_ERROR, "Required token $client$ not "
+					   "found.");
+		}
+		result = ISC_R_FAILURE;
+		goto flag_fail;
+	}
+
+	/* if this query requires %record%, make sure we found it */
+	if (((flags & REQUIRE_RECORD) != 0) && (!foundrecord)) {
+		/* Write error message to log */
+		if (log != NULL) {
+			log(ISC_LOG_ERROR, "Required token $record$ not "
+					   "found.");
+		}
+		result = ISC_R_FAILURE;
+		goto flag_fail;
+	}
+
+	/* if this query requires %zone%, make sure we found it */
+	if (((flags & REQUIRE_ZONE) != 0) && (!foundzone)) {
+		/* Write error message to log */
+		if (log != NULL) {
+			log(ISC_LOG_ERROR, "Required token $zone$ not found.");
+		}
+		result = ISC_R_FAILURE;
+		goto flag_fail;
+	}
+
+	/* pass back the query list */
+	*querylist = (query_list_t *)tql;
+
+	/* return success */
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	/* get rid of temp_str */
+	if (right_str != NULL) {
+		free(right_str);
+	}
+
+flag_fail:
+	/* get rid of what was build of the query list */
+	destroy_querylist(&tql);
+	return (result);
+}
+
+/*%
+ * build a query string from query segments, and dynamic segments
+ * dynamic segments replace where the tokens %zone%, %record%, %client%
+ * used to be in our queries from named.conf
+ */
+char *
+build_querystring(query_list_t *querylist) {
+	query_segment_t *tseg = NULL;
+	unsigned int length = 0;
+	char *qs = NULL;
+
+	/* start at the top of the list */
+	tseg = DLZ_LIST_HEAD(*querylist);
+	while (tseg != NULL) {
+		/*
+		 * if this is a query segment, use the
+		 * precalculated string length
+		 */
+		if (tseg->direct) {
+			length += tseg->strlen;
+		} else { /* calculate string length for dynamic segments. */
+			length += strlen(*(char **)tseg->cmd);
+		}
+		/* get the next segment */
+		tseg = DLZ_LIST_NEXT(tseg, link);
+	}
+
+	qs = malloc(length + 1);
+	if (qs == NULL) {
+		return (NULL);
+	}
+
+	*qs = '\0';
+	/* start at the top of the list again */
+	tseg = DLZ_LIST_HEAD(*querylist);
+	while (tseg != NULL) {
+		if (tseg->direct) {
+			/* query segments */
+			strcat(qs, tseg->cmd);
+		} else {
+			/* dynamic segments */
+			strcat(qs, *(char **)tseg->cmd);
+		}
+		/* get the next segment */
+		tseg = DLZ_LIST_NEXT(tseg, link);
+	}
+
+	return (qs);
+}
+
+/*% constructs a dbinstance (DBI) */
+isc_result_t
+build_dbinstance(const char *allnodes_str, const char *allowxfr_str,
+		 const char *authority_str, const char *findzone_str,
+		 const char *lookup_str, const char *countzone_str,
+		 dbinstance_t **dbi, log_t log) {
+	isc_result_t result;
+	dbinstance_t *db = NULL;
+	int err;
+
+	/* allocate and zero memory for driver structure */
+	db = calloc(1, sizeof(dbinstance_t));
+	if (db == NULL) {
+		if (log != NULL) {
+			log(ISC_LOG_ERROR, "Could not allocate memory for "
+					   "database instance object.");
+		}
+		return (ISC_R_NOMEMORY);
+	}
+	memset(db, 0, sizeof(dbinstance_t));
+	db->dbconn = NULL;
+	db->client = NULL;
+	db->record = NULL;
+	db->zone = NULL;
+	db->query_buf = NULL;
+	db->allnodes_q = NULL;
+	db->allowxfr_q = NULL;
+	db->authority_q = NULL;
+	db->findzone_q = NULL;
+	db->countzone_q = NULL;
+	db->lookup_q = NULL;
+
+	/* initialize the reference count mutex */
+	err = dlz_mutex_init(&db->lock, NULL);
+	if (err == ENOMEM) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	} else if (err != 0) {
+		result = ISC_R_UNEXPECTED;
+		goto cleanup;
+	}
+
+	/* build the all nodes query list */
+	result = build_querylist(allnodes_str, &db->zone, &db->record,
+				 &db->client, &db->allnodes_q, REQUIRE_ZONE,
+				 log);
+	/* if unsuccessful, log err msg and cleanup */
+	if (result != ISC_R_SUCCESS) {
+		if (log != NULL) {
+			log(ISC_LOG_ERROR, "Could not build all nodes query "
+					   "list");
+		}
+		goto cleanup;
+	}
+
+	/* build the allow zone transfer query list */
+	result = build_querylist(allowxfr_str, &db->zone, &db->record,
+				 &db->client, &db->allowxfr_q,
+				 REQUIRE_ZONE | REQUIRE_CLIENT, log);
+	/* if unsuccessful, log err msg and cleanup */
+	if (result != ISC_R_SUCCESS) {
+		if (log != NULL) {
+			log(ISC_LOG_ERROR, "Could not build allow xfr query "
+					   "list");
+		}
+		goto cleanup;
+	}
+
+	/* build the authority query, query list */
+	result = build_querylist(authority_str, &db->zone, &db->record,
+				 &db->client, &db->authority_q, REQUIRE_ZONE,
+				 log);
+	/* if unsuccessful, log err msg and cleanup */
+	if (result != ISC_R_SUCCESS) {
+		if (log != NULL) {
+			log(ISC_LOG_ERROR, "Could not build authority query "
+					   "list");
+		}
+		goto cleanup;
+	}
+
+	/* build findzone query, query list */
+	result = build_querylist(findzone_str, &db->zone, &db->record,
+				 &db->client, &db->findzone_q, REQUIRE_ZONE,
+				 log);
+	/* if unsuccessful, log err msg and cleanup */
+	if (result != ISC_R_SUCCESS) {
+		if (log != NULL) {
+			log(ISC_LOG_ERROR, "Could not build find zone query "
+					   "list");
+		}
+		goto cleanup;
+	}
+
+	/* build countzone query, query list */
+	result = build_querylist(countzone_str, &db->zone, &db->record,
+				 &db->client, &db->countzone_q, REQUIRE_ZONE,
+				 log);
+	/* if unsuccessful, log err msg and cleanup */
+	if (result != ISC_R_SUCCESS) {
+		if (log != NULL) {
+			log(ISC_LOG_ERROR, "Could not build count zone query "
+					   "list");
+		}
+		goto cleanup;
+	}
+
+	/* build lookup query, query list */
+	result = build_querylist(lookup_str, &db->zone, &db->record,
+				 &db->client, &db->lookup_q, REQUIRE_RECORD,
+				 log);
+	/* if unsuccessful, log err msg and cleanup */
+	if (result != ISC_R_SUCCESS) {
+		if (log != NULL) {
+			log(ISC_LOG_ERROR, "Could not build lookup query list");
+		}
+		goto cleanup;
+	}
+
+	/* pass back the db instance */
+	*dbi = (dbinstance_t *)db;
+
+	/* return success */
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	/* destroy whatever was build of the db instance */
+	destroy_dbinstance(db);
+	/* return failure */
+	return (ISC_R_FAILURE);
+}
+
+void
+destroy_dbinstance(dbinstance_t *dbi) {
+	/* destroy any query lists we created */
+	destroy_querylist(&dbi->allnodes_q);
+	destroy_querylist(&dbi->allowxfr_q);
+	destroy_querylist(&dbi->authority_q);
+	destroy_querylist(&dbi->findzone_q);
+	destroy_querylist(&dbi->countzone_q);
+	destroy_querylist(&dbi->lookup_q);
+
+	/* get rid of the mutex */
+	(void)dlz_mutex_destroy(&dbi->lock);
+
+	/* return, and detach the memory */
+	free(dbi);
+}
+
+char *
+get_parameter_value(const char *input, const char *key) {
+	int keylen;
+	char *keystart;
+	char value[255];
+	int i;
+
+	if (key == NULL || input == NULL || *input == '\0') {
+		return (NULL);
+	}
+
+	keylen = strlen(key);
+
+	if (keylen < 1) {
+		return (NULL);
+	}
+
+	keystart = strstr(input, key);
+
+	if (keystart == NULL) {
+		return (NULL);
+	}
+
+	for (i = 0; i < 255; i++) {
+		value[i] = keystart[keylen + i];
+		if (isspace(value[i]) || value[i] == '\0') {
+			value[i] = '\0';
+			break;
+		}
+	}
+
+	return (strdup(value));
+}
diff --git a/contrib/dlz/modules/filesystem/Makefile b/contrib/dlz/modules/filesystem/Makefile
new file mode 100644
index 0000000..40ecb79
--- /dev/null
+++ b/contrib/dlz/modules/filesystem/Makefile
@@ -0,0 +1,45 @@
+# Copyright Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+# Copyright (C) Stichting NLnet, Netherlands, stichting@nlnet.nl.
+#
+# The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
+# conceived and contributed by Rob Butler.
+#
+# SPDX-License-Identifier: ISC and MPL-2.0
+#
+# Permission to use, copy, modify, and distribute this software for any purpose
+# with or without fee is hereby granted, provided that the above copyright
+# notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND STICHTING NLNET DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL STICHTING NLNET BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+# OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+# CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+prefix = /usr
+libdir = $(prefix)/lib/bind9
+
+CFLAGS=-fPIC -g -I../include
+
+all: dlz_filesystem_dynamic.so
+
+dir.o: dir.c
+	$(CC) $(CFLAGS) -c dir.c
+
+dlz_filesystem_dynamic.so: dlz_filesystem_dynamic.c dir.o
+	$(CC) $(CFLAGS) -shared -o dlz_filesystem_dynamic.so \
+		dlz_filesystem_dynamic.c dir.o
+
+clean:
+	rm -f dlz_filesystem_dynamic.so *.o
+
+install: dlz_filesystem_dynamic.so
+	mkdir -p $(DESTDIR)$(libdir)
+	install dlz_filesystem_dynamic.so $(DESTDIR)$(libdir)
diff --git a/contrib/dlz/modules/filesystem/dir.c b/contrib/dlz/modules/filesystem/dir.c
new file mode 100644
index 0000000..f2b3a4e
--- /dev/null
+++ b/contrib/dlz/modules/filesystem/dir.c
@@ -0,0 +1,118 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+
+#include "dir.h"
+#include <ctype.h>
+#include <errno.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#include "dlz_minimal.h"
+
+void
+dir_init(dir_t *dir) {
+	dir->entry.name[0] = '\0';
+	dir->entry.length = 0;
+
+	dir->handle = NULL;
+}
+
+isc_result_t
+dir_open(dir_t *dir, const char *dirname) {
+	char *p;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	if (strlen(dirname) + 3 > sizeof(dir->dirname)) {
+		return (ISC_R_NOSPACE);
+	}
+	strcpy(dir->dirname, dirname);
+
+	p = dir->dirname + strlen(dir->dirname);
+	if (dir->dirname < p && *(p - 1) != '/') {
+		*p++ = '/';
+	}
+	*p++ = '*';
+	*p = '\0';
+
+	dir->handle = opendir(dirname);
+	if (dir->handle == NULL) {
+		switch (errno) {
+		case ENOTDIR:
+		case ELOOP:
+		case EINVAL:
+		case ENAMETOOLONG:
+		case EBADF:
+			result = ISC_R_INVALIDFILE;
+			break;
+		case ENOENT:
+			result = ISC_R_FILENOTFOUND;
+			break;
+		case EACCES:
+		case EPERM:
+			result = ISC_R_NOPERM;
+			break;
+		case ENOMEM:
+			result = ISC_R_NOMEMORY;
+			break;
+		default:
+			result = ISC_R_UNEXPECTED;
+			break;
+		}
+	}
+
+	return (result);
+}
+
+/*!
+ * \brief Return previously retrieved file or get next one.
+ *
+ * Unix's dirent has
+ * separate open and read functions, but the Win32 and DOS interfaces open
+ * the dir stream and reads the first file in one operation.
+ */
+isc_result_t
+dir_read(dir_t *dir) {
+	struct dirent *entry;
+
+	entry = readdir(dir->handle);
+	if (entry == NULL) {
+		return (ISC_R_NOMORE);
+	}
+
+	if (sizeof(dir->entry.name) <= strlen(entry->d_name)) {
+		return (ISC_R_UNEXPECTED);
+	}
+
+	strcpy(dir->entry.name, entry->d_name);
+
+	dir->entry.length = strlen(entry->d_name);
+	return (ISC_R_SUCCESS);
+}
+
+/*!
+ * \brief Close directory stream.
+ */
+void
+dir_close(dir_t *dir) {
+	(void)closedir(dir->handle);
+	dir->handle = NULL;
+}
+
+/*!
+ * \brief Reposition directory stream at start.
+ */
+isc_result_t
+dir_reset(dir_t *dir) {
+	rewinddir(dir->handle);
+
+	return (ISC_R_SUCCESS);
+}
diff --git a/contrib/dlz/modules/filesystem/dir.h b/contrib/dlz/modules/filesystem/dir.h
new file mode 100644
index 0000000..bf96e39
--- /dev/null
+++ b/contrib/dlz/modules/filesystem/dir.h
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+
+#include <dirent.h>
+#include <sys/types.h>
+
+#include <dlz_minimal.h>
+
+#define DIR_NAMEMAX 256
+#define DIR_PATHMAX 1024
+
+typedef struct direntry {
+	char name[DIR_NAMEMAX];
+	unsigned int length;
+} direntry_t;
+
+typedef struct dir {
+	char dirname[DIR_PATHMAX];
+	direntry_t entry;
+	DIR *handle;
+} dir_t;
+
+void
+dir_init(dir_t *dir);
+
+isc_result_t
+dir_open(dir_t *dir, const char *dirname);
+
+isc_result_t
+dir_read(dir_t *dir);
+
+isc_result_t
+dir_reset(dir_t *dir);
+
+void
+dir_close(dir_t *dir);
diff --git a/contrib/dlz/modules/filesystem/dlz_filesystem_dynamic.c b/contrib/dlz/modules/filesystem/dlz_filesystem_dynamic.c
new file mode 100644
index 0000000..3b8a8bb
--- /dev/null
+++ b/contrib/dlz/modules/filesystem/dlz_filesystem_dynamic.c
@@ -0,0 +1,1008 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 and ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+
+/*
+ * Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
+ *
+ * The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
+ * conceived and contributed by Rob Butler.
+ *
+ * Permission to use, copy, modify, and distribute this software for any purpose
+ * with or without fee is hereby granted, provided that the above copyright
+ * notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+ * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * This provides the externally loadable filesystem DLZ module, without
+ * update support
+ */
+
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+
+#include "dir.h"
+#include "dlz_list.h"
+#include "dlz_minimal.h"
+
+typedef struct config_data {
+	char *basedir;
+	int basedirsize;
+	char *datadir;
+	int datadirsize;
+	char *xfrdir;
+	int xfrdirsize;
+	int splitcnt;
+	char separator;
+	char pathsep;
+
+	/* Helper functions from the dlz_dlopen driver */
+	log_t *log;
+	dns_sdlz_putrr_t *putrr;
+	dns_sdlz_putnamedrr_t *putnamedrr;
+	dns_dlz_writeablezone_t *writeable_zone;
+} config_data_t;
+
+typedef struct dir_entry dir_entry_t;
+
+struct dir_entry {
+	char dirpath[DIR_PATHMAX];
+	DLZ_LINK(dir_entry_t) link;
+};
+
+typedef DLZ_LIST(dir_entry_t) dlist_t;
+
+/* forward reference */
+
+static void
+b9_add_helper(struct config_data *cd, const char *helper_name, void *ptr);
+
+/*
+ * Private methods
+ */
+static bool
+is_safe(const char *input) {
+	unsigned int i;
+	unsigned int len = strlen(input);
+
+	/* check that only allowed characters are in the domain name */
+	for (i = 0; i < len; i++) {
+		/* '.' is allowed, but has special requirements */
+		if (input[i] == '.') {
+			/* '.' is not allowed as first char */
+			if (i == 0) {
+				return (false);
+			}
+			/* '..', two dots together is not allowed. */
+			if (input[i - 1] == '.') {
+				return (false);
+			}
+			/* '.' is not allowed as last char */
+			if (i == len - 1) {
+				return (false);
+			}
+			/* only 1 dot in ok location, continue at next char */
+			continue;
+		}
+		/* '-' is allowed, continue at next char */
+		if (input[i] == '-') {
+			continue;
+		}
+		/* 0-9 is allowed, continue at next char */
+		if (input[i] >= '0' && input[i] <= '9') {
+			continue;
+		}
+		/* A-Z uppercase is allowed, continue at next char */
+		if (input[i] >= 'A' && input[i] <= 'Z') {
+			continue;
+		}
+		/* a-z lowercase is allowed, continue at next char */
+		if (input[i] >= 'a' && input[i] <= 'z') {
+			continue;
+		}
+
+		/*
+		 * colon needs to be allowed for IPV6 client
+		 * addresses.  Not dangerous in domain names, as not a
+		 * special char.
+		 */
+		if (input[i] == ':') {
+			continue;
+		}
+
+		/*
+		 * '@' needs to be allowed for in zone data.  Not
+		 * dangerous in domain names, as not a special char.
+		 */
+		if (input[i] == '@') {
+			continue;
+		}
+
+		/*
+		 * if we reach this point we have encountered a
+		 * disallowed char!
+		 */
+		return (false);
+	}
+	/* everything ok. */
+	return (true);
+}
+
+static isc_result_t
+create_path_helper(char *out, const char *in, config_data_t *cd) {
+	char *tmpString;
+	char *tmpPtr;
+	int i;
+
+	tmpString = strdup(in);
+	if (tmpString == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	/*
+	 * don't forget is_safe guarantees '.' will NOT be the
+	 * first/last char
+	 */
+	while ((tmpPtr = strrchr(tmpString, '.')) != NULL) {
+		i = 0;
+		while (tmpPtr[i + 1] != '\0') {
+			if (cd->splitcnt < 1) {
+				strcat(out, (char *)&tmpPtr[i + 1]);
+			} else {
+				strncat(out, (char *)&tmpPtr[i + 1],
+					cd->splitcnt);
+			}
+			strncat(out, (char *)&cd->pathsep, 1);
+			if (cd->splitcnt == 0) {
+				break;
+			}
+			if (strlen((char *)&tmpPtr[i + 1]) <=
+			    (unsigned int)cd->splitcnt)
+			{
+				break;
+			}
+			i += cd->splitcnt;
+		}
+		tmpPtr[0] = '\0';
+	}
+
+	/* handle the "first" label properly */
+	i = 0;
+	tmpPtr = tmpString;
+	while (tmpPtr[i] != '\0') {
+		if (cd->splitcnt < 1) {
+			strcat(out, (char *)&tmpPtr[i]);
+		} else {
+			strncat(out, (char *)&tmpPtr[i], cd->splitcnt);
+		}
+		strncat(out, (char *)&cd->pathsep, 1);
+		if (cd->splitcnt == 0) {
+			break;
+		}
+		if (strlen((char *)&tmpPtr[i]) <= (unsigned int)cd->splitcnt) {
+			break;
+		}
+		i += cd->splitcnt;
+	}
+
+	free(tmpString);
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Checks to make sure zone and host are safe.  If safe, then
+ * hashes zone and host strings to build a path.  If zone / host
+ * are not safe an error is returned.
+ */
+
+static isc_result_t
+create_path(const char *zone, const char *host, const char *client,
+	    config_data_t *cd, char **path) {
+	char *tmpPath;
+	int pathsize;
+	int len;
+	isc_result_t result;
+	bool isroot = false;
+
+	/* special case for root zone */
+	if (strcmp(zone, ".") == 0) {
+		isroot = true;
+	}
+
+	/* if the requested zone is "unsafe", return error */
+	if (!isroot && !is_safe(zone)) {
+		return (ISC_R_FAILURE);
+	}
+
+	/* if host was passed, verify that it is safe */
+	if (host != NULL && !is_safe(host)) {
+		return (ISC_R_FAILURE);
+	}
+
+	/* if client was passed, verify that it is safe */
+	if (client != NULL && !is_safe(client)) {
+		return (ISC_R_FAILURE);
+	}
+
+	/* Determine how much memory the split up string will require */
+	if (host != NULL) {
+		len = strlen(zone) + strlen(host);
+	} else if (client != NULL) {
+		len = strlen(zone) + strlen(client);
+	} else {
+		len = strlen(zone);
+	}
+
+	/*
+	 * even though datadir and xfrdir will never be in the same
+	 * string we only waste a few bytes by allocating for both,
+	 * and then we are safe from buffer overruns.
+	 */
+	pathsize = len + cd->basedirsize + cd->datadirsize + cd->xfrdirsize + 4;
+
+	/* if we are splitting names, we will need extra space. */
+	if (cd->splitcnt > 0) {
+		pathsize += len / cd->splitcnt;
+	}
+
+	tmpPath = malloc(pathsize * sizeof(char));
+	if (tmpPath == NULL) {
+		/* write error message */
+		cd->log(ISC_LOG_ERROR, "Filesystem driver unable to "
+				       "allocate memory in create_path().");
+		result = ISC_R_NOMEMORY;
+		goto cleanup_mem;
+	}
+
+	/*
+	 * build path string.
+	 * start out with base directory.
+	 */
+	strcpy(tmpPath, cd->basedir);
+
+	/* add zone name - parsed properly */
+	if (!isroot) {
+		result = create_path_helper(tmpPath, zone, cd);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup_mem;
+		}
+	}
+
+	/*
+	 * When neither client or host is passed we are building a
+	 * path to see if a zone is supported.  We require that a zone
+	 * path have the "data dir" directory contained within it so
+	 * that we know this zone is really supported.  Otherwise,
+	 * this zone may not really be supported because we are
+	 * supporting a delagated sub zone.
+	 *
+	 * Example:
+	 *
+	 * We are supporting long.domain.com and using a splitcnt of
+	 * 0.  the base dir is "/base-dir/" and the data dir is
+	 * "/.datadir" We want to see if we are authoritative for
+	 * domain.com.  Path /base-dir/com/domain/.datadir since
+	 * /base-dir/com/domain/.datadir does not exist, we are not
+	 * authoritative for the domain "domain.com".  However we are
+	 * authoritative for the domain "long.domain.com" because the
+	 * path /base-dir/com/domain/long/.datadir does exist!
+	 */
+
+	/* if client is passed append xfr dir, otherwise append data dir */
+	if (client != NULL) {
+		strcat(tmpPath, cd->xfrdir);
+		strncat(tmpPath, (char *)&cd->pathsep, 1);
+		strcat(tmpPath, client);
+	} else {
+		strcat(tmpPath, cd->datadir);
+	}
+
+	/* if host not null, add it. */
+	if (host != NULL) {
+		strncat(tmpPath, (char *)&cd->pathsep, 1);
+		result = create_path_helper(tmpPath, host, cd);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup_mem;
+		}
+	}
+
+	/* return the path we built. */
+	*path = tmpPath;
+
+	/* return success */
+	result = ISC_R_SUCCESS;
+
+cleanup_mem:
+	/* cleanup memory */
+
+	/* free tmpPath memory */
+	if (tmpPath != NULL && result != ISC_R_SUCCESS) {
+		free(tmpPath);
+	}
+
+	return (result);
+}
+
+static isc_result_t
+process_dir(dir_t *dir, void *passback, config_data_t *cd, dlist_t *dir_list,
+	    unsigned int basedirlen) {
+	char tmp[DIR_PATHMAX + DIR_NAMEMAX];
+	int astPos;
+	struct stat sb;
+	isc_result_t result = ISC_R_FAILURE;
+	char *endp;
+	char *type;
+	char *ttlStr;
+	char *data;
+	char host[DIR_NAMEMAX];
+	char *tmpString;
+	char *tmpPtr;
+	int ttl;
+	int i;
+	int len;
+	dir_entry_t *direntry;
+	bool foundHost;
+
+	tmp[0] = '\0'; /* set 1st byte to '\0' so strcpy works right. */
+	host[0] = '\0';
+	foundHost = false;
+
+	/* copy base directory name to tmp. */
+	strcpy(tmp, dir->dirname);
+
+	/* dir->dirname will always have '*' as the last char. */
+	astPos = strlen(dir->dirname) - 1;
+
+	/* if dir_list != NULL, were are performing a zone xfr */
+	if (dir_list != NULL) {
+		/* if splitcnt == 0, determine host from path. */
+		if (cd->splitcnt == 0) {
+			if (strlen(tmp) - 3 > basedirlen) {
+				tmp[astPos - 1] = '\0';
+				tmpString = (char *)&tmp[basedirlen + 1];
+				/* handle filesystem's special wildcard "-"  */
+				if (strcmp(tmpString, "-") == 0) {
+					strcpy(host, "*");
+				} else {
+					/*
+					 * not special wildcard -- normal name
+					 */
+					while ((tmpPtr = strrchr(
+							tmpString,
+							cd->pathsep)) != NULL)
+					{
+						if ((strlen(host) +
+						     strlen(tmpPtr + 1) + 2) >
+						    DIR_NAMEMAX)
+						{
+							continue;
+						}
+						strcat(host, tmpPtr + 1);
+						strcat(host, ".");
+						tmpPtr[0] = '\0';
+					}
+					if ((strlen(host) + strlen(tmpString) +
+					     1) <= DIR_NAMEMAX)
+					{
+						strcat(host, tmpString);
+					}
+				}
+
+				foundHost = true;
+				/* set tmp again for use later */
+				strcpy(tmp, dir->dirname);
+			}
+		} else {
+			/*
+			 * if splitcnt != 0 determine host from
+			 * ".host" directory entry
+			 */
+			while (dir_read(dir) == ISC_R_SUCCESS) {
+				if (strncasecmp(".host", dir->entry.name, 5) ==
+				    0)
+				{
+					/*
+					 * handle filesystem's special
+					 * wildcard "-"
+					 */
+					if (strcmp((char *)&dir->entry.name[6],
+						   "-") == 0)
+					{
+						strcpy(host, "*");
+					} else {
+						strncpy(host,
+							(char *)&dir->entry
+								.name[6],
+							sizeof(host) - 1);
+						host[255] = '\0';
+					}
+					foundHost = true;
+					break;
+				}
+			}
+			/* reset dir list for use later */
+			dir_reset(dir);
+		} /* end of else */
+	}
+
+	while (dir_read(dir) == ISC_R_SUCCESS) {
+		cd->log(ISC_LOG_DEBUG(1),
+			"Filesystem driver Dir name:"
+			" '%s' Dir entry: '%s'\n",
+			dir->dirname, dir->entry.name);
+
+		/* skip any entries starting with "." */
+		if (dir->entry.name[0] == '.') {
+			continue;
+		}
+
+		/*
+		 * get rid of '*', set to NULL.  Effectively trims
+		 * string from previous loop to base directory only
+		 * while still leaving memory for concat to be
+		 * performed next.
+		 */
+
+		tmp[astPos] = '\0';
+
+		/* add name to base directory name. */
+		strcat(tmp, dir->entry.name);
+
+		/* make sure we can stat entry */
+		if (stat(tmp, &sb) == 0) {
+			/* if entry is a directory */
+			if ((sb.st_mode & S_IFDIR) != 0) {
+				/*
+				 * if dir list is NOT NULL, add dir to
+				 * dir list
+				 */
+				if (dir_list != NULL) {
+					direntry = malloc(sizeof(dir_entry_t));
+					if (direntry == NULL) {
+						return (ISC_R_NOMEMORY);
+					}
+					strcpy(direntry->dirpath, tmp);
+					DLZ_LINK_INIT(direntry, link);
+					DLZ_LIST_APPEND(*dir_list, direntry,
+							link);
+					result = ISC_R_SUCCESS;
+				}
+				continue;
+
+				/*
+				 * if entry is a file be sure we do
+				 * not add entry to DNS results if we
+				 * are performing a zone xfr and we
+				 * could not find a host entry.
+				 */
+			} else if (dir_list != NULL && !foundHost) {
+				continue;
+			}
+		} else { /* if we cannot stat entry, skip it. */
+			continue;
+		}
+
+		type = dir->entry.name;
+		ttlStr = strchr(type, cd->separator);
+		if (ttlStr == NULL) {
+			cd->log(ISC_LOG_ERROR,
+				"Filesystem driver: "
+				"%s could not be parsed properly",
+				tmp);
+			return (ISC_R_FAILURE);
+		}
+
+		/* replace separator char with NULL to split string */
+		ttlStr[0] = '\0';
+		/* start string after NULL of previous string */
+		ttlStr = (char *)&ttlStr[1];
+
+		data = strchr(ttlStr, cd->separator);
+		if (data == NULL) {
+			cd->log(ISC_LOG_ERROR,
+				"Filesystem driver: "
+				"%s could not be parsed properly",
+				tmp);
+			return (ISC_R_FAILURE);
+		}
+
+		/* replace separator char with NULL to split string */
+		data[0] = '\0';
+
+		/* start string after NULL of previous string */
+		data = (char *)&data[1];
+
+		/* replace all cd->separator chars with a space. */
+		len = strlen(data);
+
+		for (i = 0; i < len; i++) {
+			if (data[i] == cd->separator) {
+				data[i] = ' ';
+			}
+		}
+
+		/* convert text to int, make sure it worked right */
+		ttl = strtol(ttlStr, &endp, 10);
+		if (*endp != '\0' || ttl < 0) {
+			cd->log(ISC_LOG_ERROR, "Filesystem driver "
+					       "ttl must be a positive number");
+		}
+
+		/* pass data back to Bind */
+		if (dir_list == NULL) {
+			result = cd->putrr((dns_sdlzlookup_t *)passback, type,
+					   ttl, data);
+		} else {
+			result = cd->putnamedrr((dns_sdlzallnodes_t *)passback,
+						(char *)host, type, ttl, data);
+		}
+
+		/* if error, return error right away */
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	} /* end of while loop */
+
+	return (result);
+}
+
+/*
+ * DLZ methods
+ */
+isc_result_t
+dlz_allowzonexfr(void *dbdata, const char *name, const char *client) {
+	isc_result_t result;
+	char *path;
+	struct stat sb;
+	config_data_t *cd;
+	path = NULL;
+
+	cd = (config_data_t *)dbdata;
+
+	if (create_path(name, NULL, client, cd, &path) != ISC_R_SUCCESS) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	if (stat(path, &sb) != 0) {
+		result = ISC_R_NOTFOUND;
+		goto complete_AXFR;
+	}
+
+	if ((sb.st_mode & S_IFREG) != 0) {
+		result = ISC_R_SUCCESS;
+		goto complete_AXFR;
+	}
+
+	result = ISC_R_NOTFOUND;
+
+complete_AXFR:
+	free(path);
+	return (result);
+}
+
+isc_result_t
+dlz_allnodes(const char *zone, void *dbdata, dns_sdlzallnodes_t *allnodes) {
+	isc_result_t result;
+	dlist_t *dir_list;
+	config_data_t *cd = (config_data_t *)dbdata;
+	char *basepath;
+	unsigned int basepathlen;
+	struct stat sb;
+	dir_t dir;
+	dir_entry_t *dir_entry;
+	dir_entry_t *next_de;
+
+	basepath = NULL;
+
+	/* allocate memory for list */
+	dir_list = malloc(sizeof(dlist_t));
+	if (dir_list == NULL) {
+		result = ISC_R_NOTFOUND;
+		goto complete_allnds;
+	}
+
+	/* initialize list */
+	DLZ_LIST_INIT(*dir_list);
+
+	if (create_path(zone, NULL, NULL, cd, &basepath) != ISC_R_SUCCESS) {
+		result = ISC_R_NOTFOUND;
+		goto complete_allnds;
+	}
+
+	/* remove path separator at end of path so stat works properly */
+	basepathlen = strlen(basepath);
+
+	if (stat(basepath, &sb) != 0) {
+		result = ISC_R_NOTFOUND;
+		goto complete_allnds;
+	}
+
+	if ((sb.st_mode & S_IFDIR) == 0) {
+		result = ISC_R_NOTFOUND;
+		goto complete_allnds;
+	}
+
+	/* initialize and open directory */
+	dir_init(&dir);
+	result = dir_open(&dir, basepath);
+
+	/* if directory open failed, return error. */
+	if (result != ISC_R_SUCCESS) {
+		cd->log(ISC_LOG_ERROR,
+			"Unable to open %s directory to read entries.",
+			basepath);
+		result = ISC_R_FAILURE;
+		goto complete_allnds;
+	}
+
+	/* process the directory */
+	result = process_dir(&dir, allnodes, cd, dir_list, basepathlen);
+
+	/* close the directory */
+	dir_close(&dir);
+
+	if (result != ISC_R_SUCCESS) {
+		goto complete_allnds;
+	}
+
+	/* get first dir entry from list. */
+	dir_entry = DLZ_LIST_HEAD(*dir_list);
+	while (dir_entry != NULL) {
+		result = dir_open(&dir, dir_entry->dirpath);
+		/* if directory open failed, return error. */
+		if (result != ISC_R_SUCCESS) {
+			cd->log(ISC_LOG_ERROR,
+				"Unable to open %s "
+				"directory to read entries.",
+				basepath);
+			result = ISC_R_FAILURE;
+			goto complete_allnds;
+		}
+
+		/* process the directory */
+		result = process_dir(&dir, allnodes, cd, dir_list, basepathlen);
+
+		/* close the directory */
+		dir_close(&dir);
+
+		if (result != ISC_R_SUCCESS) {
+			goto complete_allnds;
+		}
+
+		dir_entry = DLZ_LIST_NEXT(dir_entry, link);
+	} /* end while */
+
+complete_allnds:
+	if (dir_list != NULL) {
+		/* clean up entries from list. */
+		dir_entry = DLZ_LIST_HEAD(*dir_list);
+		while (dir_entry != NULL) {
+			next_de = DLZ_LIST_NEXT(dir_entry, link);
+			free(dir_entry);
+			dir_entry = next_de;
+		} /* end while */
+		free(dir_list);
+	}
+
+	if (basepath != NULL) {
+		free(basepath);
+	}
+
+	return (result);
+}
+
+#if DLZ_DLOPEN_VERSION < 3
+isc_result_t
+dlz_findzonedb(void *dbdata, const char *name)
+#else  /* if DLZ_DLOPEN_VERSION < 3 */
+isc_result_t
+dlz_findzonedb(void *dbdata, const char *name, dns_clientinfomethods_t *methods,
+	       dns_clientinfo_t *clientinfo)
+#endif /* if DLZ_DLOPEN_VERSION < 3 */
+{
+	isc_result_t result;
+	config_data_t *cd = (config_data_t *)dbdata;
+	char *path;
+	struct stat sb;
+	path = NULL;
+
+#if DLZ_DLOPEN_VERSION >= 3
+	UNUSED(methods);
+	UNUSED(clientinfo);
+#endif /* if DLZ_DLOPEN_VERSION >= 3 */
+
+	if (create_path(name, NULL, NULL, cd, &path) != ISC_R_SUCCESS) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	cd->log(ISC_LOG_DEBUG(1),
+		"Filesystem driver Findzone() Checking for path: '%s'\n", path);
+
+	if (stat(path, &sb) != 0) {
+		result = ISC_R_NOTFOUND;
+		goto complete_FZ;
+	}
+
+	if ((sb.st_mode & S_IFDIR) != 0) {
+		result = ISC_R_SUCCESS;
+		goto complete_FZ;
+	}
+
+	result = ISC_R_NOTFOUND;
+
+complete_FZ:
+
+	free(path);
+	return (result);
+}
+
+#if DLZ_DLOPEN_VERSION == 1
+isc_result_t
+dlz_lookup(const char *zone, const char *name, void *dbdata,
+	   dns_sdlzlookup_t *lookup)
+#else  /* if DLZ_DLOPEN_VERSION == 1 */
+isc_result_t
+dlz_lookup(const char *zone, const char *name, void *dbdata,
+	   dns_sdlzlookup_t *lookup, dns_clientinfomethods_t *methods,
+	   dns_clientinfo_t *clientinfo)
+#endif /* if DLZ_DLOPEN_VERSION == 1 */
+{
+	isc_result_t result = ISC_R_NOTFOUND;
+	config_data_t *cd = (config_data_t *)dbdata;
+	char *path;
+	struct stat sb;
+	dir_t dir;
+	path = NULL;
+
+	UNUSED(lookup);
+#if DLZ_DLOPEN_VERSION >= 2
+	UNUSED(methods);
+	UNUSED(clientinfo);
+#endif /* if DLZ_DLOPEN_VERSION >= 2 */
+
+	if (strcmp(name, "*") == 0) {
+		/*
+		 * handle filesystem's special wildcard "-"
+		 */
+		result = create_path(zone, "-", NULL, cd, &path);
+	} else {
+		result = create_path(zone, name, NULL, cd, &path);
+	}
+
+	if (result != ISC_R_SUCCESS) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	/* remove path separator at end of path so stat works properly */
+	path[strlen(path) - 1] = '\0';
+
+	cd->log(ISC_LOG_DEBUG(1),
+		"Filesystem driver lookup() Checking for path: '%s'\n", path);
+
+	if (stat(path, &sb) != 0) {
+		result = ISC_R_NOTFOUND;
+		goto complete_lkup;
+	}
+
+	if ((sb.st_mode & S_IFDIR) == 0) {
+		result = ISC_R_NOTFOUND;
+		goto complete_lkup;
+	}
+
+	/* initialize and open directory */
+	dir_init(&dir);
+	result = dir_open(&dir, path);
+
+	/* if directory open failed, return error. */
+	if (result != ISC_R_SUCCESS) {
+		cd->log(ISC_LOG_ERROR,
+			"Unable to open %s directory to read entries.", path);
+		result = ISC_R_FAILURE;
+		goto complete_lkup;
+	}
+
+	/* process any records in the directory */
+	result = process_dir(&dir, lookup, cd, NULL, 0);
+
+	/* close the directory */
+	dir_close(&dir);
+
+complete_lkup:
+
+	free(path);
+	return (result);
+}
+
+isc_result_t
+dlz_create(const char *dlzname, unsigned int argc, char *argv[], void **dbdata,
+	   ...) {
+	isc_result_t result = ISC_R_NOMEMORY;
+	config_data_t *cd;
+	char *endp;
+	int len;
+	char pathsep;
+	const char *helper_name;
+	va_list ap;
+
+	UNUSED(dlzname);
+
+	/* allocate memory for our config data and helper functions */
+	cd = calloc(1, sizeof(config_data_t));
+	if (cd == NULL) {
+		goto no_mem;
+	}
+
+	/* zero the memory */
+	memset(cd, 0, sizeof(config_data_t));
+
+	/* Fill in the helper functions */
+	va_start(ap, dbdata);
+	while ((helper_name = va_arg(ap, const char *)) != NULL) {
+		b9_add_helper(cd, helper_name, va_arg(ap, void *));
+	}
+	va_end(ap);
+
+	/* we require 5 command line args. */
+	if (argc != 6) {
+		cd->log(ISC_LOG_ERROR, "Filesystem driver requires "
+				       "6 command line args.");
+		result = ISC_R_FAILURE;
+		goto free_cd;
+	}
+
+	if (strlen(argv[5]) > 1) {
+		cd->log(ISC_LOG_ERROR, "Filesystem driver can only "
+				       "accept a single character for "
+				       "separator.");
+		result = ISC_R_FAILURE;
+		goto free_cd;
+	}
+
+	/* verify base dir ends with '/' or '\' */
+	len = strlen(argv[1]);
+	if (argv[1][len - 1] != '\\' && argv[1][len - 1] != '/') {
+		cd->log(ISC_LOG_ERROR,
+			"Base dir parameter for filesystem driver "
+			"should end with %s",
+			"either '/' or '\\' ");
+		result = ISC_R_FAILURE;
+		goto free_cd;
+	}
+
+	/* determine and save path separator for later */
+	if (argv[1][len - 1] == '\\') {
+		pathsep = '\\';
+	} else {
+		pathsep = '/';
+	}
+
+	cd->pathsep = pathsep;
+
+	/* get and store our base directory */
+	cd->basedir = strdup(argv[1]);
+	if (cd->basedir == NULL) {
+		goto no_mem;
+	}
+	cd->basedirsize = strlen(cd->basedir);
+
+	/* get and store our data sub-dir */
+	cd->datadir = strdup(argv[2]);
+	if (cd->datadir == NULL) {
+		goto no_mem;
+	}
+	cd->datadirsize = strlen(cd->datadir);
+
+	/* get and store our zone xfr sub-dir */
+	cd->xfrdir = strdup(argv[3]);
+	if (cd->xfrdir == NULL) {
+		goto no_mem;
+	}
+	cd->xfrdirsize = strlen(cd->xfrdir);
+
+	/* get and store our directory split count */
+	cd->splitcnt = strtol(argv[4], &endp, 10);
+	if (*endp != '\0' || cd->splitcnt < 0) {
+		cd->log(ISC_LOG_ERROR, "Directory split count must be zero (0) "
+				       "or a positive number");
+	}
+
+	/* get and store our separator character */
+	cd->separator = *argv[5];
+
+	/* pass back config data */
+	*dbdata = cd;
+
+	/* return success */
+	return (ISC_R_SUCCESS);
+
+	/* handle no memory error */
+no_mem:
+
+	/* write error message */
+	if (cd != NULL && cd->log != NULL) {
+		cd->log(ISC_LOG_ERROR, "filesystem_dynamic: Filesystem driver "
+				       "unable to "
+				       "allocate memory for config data.");
+	}
+
+free_cd:
+	/* if we allocated a config data object clean it up */
+	if (cd != NULL) {
+		dlz_destroy(cd);
+	}
+
+	/* return error */
+	return (result);
+}
+
+void
+dlz_destroy(void *dbdata) {
+	config_data_t *cd;
+
+	cd = (config_data_t *)dbdata;
+
+	/*
+	 * free memory for each section of config data that was
+	 * allocated
+	 */
+	if (cd->basedir != NULL) {
+		free(cd->basedir);
+	}
+
+	if (cd->datadir != NULL) {
+		free(cd->datadir);
+	}
+
+	if (cd->xfrdir != NULL) {
+		free(cd->xfrdir);
+	}
+
+	/* free config data memory */
+	free(cd);
+}
+
+/*
+ * Return the version of the API
+ */
+int
+dlz_version(unsigned int *flags) {
+	UNUSED(flags);
+	return (DLZ_DLOPEN_VERSION);
+}
+
+/*
+ * Register a helper function from the bind9 dlz_dlopen driver
+ */
+static void
+b9_add_helper(struct config_data *cd, const char *helper_name, void *ptr) {
+	if (strcmp(helper_name, "log") == 0) {
+		cd->log = (log_t *)ptr;
+	}
+	if (strcmp(helper_name, "putrr") == 0) {
+		cd->putrr = (dns_sdlz_putrr_t *)ptr;
+	}
+	if (strcmp(helper_name, "putnamedrr") == 0) {
+		cd->putnamedrr = (dns_sdlz_putnamedrr_t *)ptr;
+	}
+	if (strcmp(helper_name, "writeable_zone") == 0) {
+		cd->writeable_zone = (dns_dlz_writeablezone_t *)ptr;
+	}
+}
diff --git a/contrib/dlz/modules/include/.clang-format b/contrib/dlz/modules/include/.clang-format
new file mode 120000
index 0000000..e919bba
--- /dev/null
+++ b/contrib/dlz/modules/include/.clang-format
@@ -0,0 +1 @@
+../../../../.clang-format.headers
\ No newline at end of file
diff --git a/contrib/dlz/modules/include/dlz_dbi.h b/contrib/dlz/modules/include/dlz_dbi.h
new file mode 100644
index 0000000..8080570
--- /dev/null
+++ b/contrib/dlz/modules/include/dlz_dbi.h
@@ -0,0 +1,107 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Stichting NLnet, Netherlands, stichting@nlnet.nl.
+ *
+ * SPDX-License-Identifier: MPL-2.0 and ISC
+ *
+ * The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
+ * conceived and contributed by Rob Butler.
+ *
+ * Permission to use, copy, modify, and distribute this software for any purpose
+ * with or without fee is hereby granted, provided that the above copyright
+ * notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND STICHTING NLNET DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL STICHTING NLNET BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <stdbool.h>
+
+#include <dlz_list.h>
+#include <dlz_minimal.h>
+#include <dlz_pthread.h>
+
+#ifndef DLZ_DBI_H
+#define DLZ_DBI_H 1
+
+/*
+ * Types
+ */
+#define REQUIRE_CLIENT 0x01
+#define REQUIRE_QUERY  0x02
+#define REQUIRE_RECORD 0x04
+#define REQUIRE_ZONE   0x08
+
+typedef struct query_segment query_segment_t;
+typedef DLZ_LIST(query_segment_t) query_list_t;
+typedef struct dbinstance dbinstance_t;
+typedef DLZ_LIST(dbinstance_t) db_list_t;
+typedef struct driverinstance driverinstance_t;
+
+/*%
+ * a query segment is all the text between our special tokens
+ * special tokens are %zone%, %record%, %client%
+ */
+struct query_segment {
+	void	    *cmd;
+	unsigned int strlen;
+	bool	     direct;
+	DLZ_LINK(query_segment_t) link;
+};
+
+/*%
+ * a database instance contains everything we need for running
+ * a query against the database.  Using it each separate thread
+ * can dynamically construct a query and execute it against the
+ * database.  The "instance_lock" and locking code in the driver's
+ * make sure no two threads try to use the same DBI at a time.
+ */
+struct dbinstance {
+	void	     *dbconn;
+	query_list_t *allnodes_q;
+	query_list_t *allowxfr_q;
+	query_list_t *authority_q;
+	query_list_t *findzone_q;
+	query_list_t *lookup_q;
+	query_list_t *countzone_q;
+	char	     *query_buf;
+	char	     *zone;
+	char	     *record;
+	char	     *client;
+	dlz_mutex_t   lock;
+	DLZ_LINK(dbinstance_t) link;
+};
+
+/*
+ * Method declarations
+ */
+
+void
+destroy_querylist(query_list_t **querylist);
+
+isc_result_t
+build_querylist(const char *query_str, char **zone, char **record,
+		char **client, query_list_t **querylist, unsigned int flags,
+		log_t log);
+
+char *
+build_querystring(query_list_t *querylist);
+
+isc_result_t
+build_dbinstance(const char *allnodes_str, const char *allowxfr_str,
+		 const char *authority_str, const char *findzone_str,
+		 const char *lookup_str, const char *countzone_str,
+		 dbinstance_t **dbi, log_t log);
+
+void
+destroy_dbinstance(dbinstance_t *dbi);
+
+char *
+get_parameter_value(const char *input, const char *key);
+
+#endif /* DLZ_DBI_H */
diff --git a/contrib/dlz/modules/include/dlz_list.h b/contrib/dlz/modules/include/dlz_list.h
new file mode 100644
index 0000000..028e567
--- /dev/null
+++ b/contrib/dlz/modules/include/dlz_list.h
@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: ISC
+ *
+ * Permission to use, copy, modify, and distribute this software for any purpose
+ * with or without fee is hereby granted, provided that the above copyright
+ * notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+ * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef DLZ_LIST_H
+#define DLZ_LIST_H 1
+
+#define DLZ_LIST(type)             \
+	struct {                   \
+		type *head, *tail; \
+	}
+#define DLZ_LIST_INIT(list)         \
+	do {                        \
+		(list).head = NULL; \
+		(list).tail = NULL; \
+	} while (0)
+
+#define DLZ_LINK(type)             \
+	struct {                   \
+		type *prev, *next; \
+	}
+#define DLZ_LINK_INIT(elt, link)                 \
+	do {                                     \
+		(elt)->link.prev = (void *)(-1); \
+		(elt)->link.next = (void *)(-1); \
+	} while (0)
+
+#define DLZ_LIST_HEAD(list) ((list).head)
+#define DLZ_LIST_TAIL(list) ((list).tail)
+
+#define DLZ_LIST_APPEND(list, elt, link)                \
+	do {                                            \
+		if ((list).tail != NULL)                \
+			(list).tail->link.next = (elt); \
+		else                                    \
+			(list).head = (elt);            \
+		(elt)->link.prev = (list).tail;         \
+		(elt)->link.next = NULL;                \
+		(list).tail = (elt);                    \
+	} while (0)
+
+#define DLZ_LIST_PREV(elt, link) ((elt)->link.prev)
+#define DLZ_LIST_NEXT(elt, link) ((elt)->link.next)
+
+#define DLZ_LIST_UNLINK(list, elt, link)                                \
+	do {                                                            \
+		if ((elt)->link.next != NULL)                           \
+			(elt)->link.next->link.prev = (elt)->link.prev; \
+		else                                                    \
+			(list).tail = (elt)->link.prev;                 \
+		if ((elt)->link.prev != NULL)                           \
+			(elt)->link.prev->link.next = (elt)->link.next; \
+		else                                                    \
+			(list).head = (elt)->link.next;                 \
+		(elt)->link.prev = (void *)(-1);                        \
+		(elt)->link.next = (void *)(-1);                        \
+	} while (0)
+
+#endif /* DLZ_LIST_H */
diff --git a/contrib/dlz/modules/include/dlz_minimal.h b/contrib/dlz/modules/include/dlz_minimal.h
new file mode 100644
index 0000000..b6fa611
--- /dev/null
+++ b/contrib/dlz/modules/include/dlz_minimal.h
@@ -0,0 +1,336 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: ISC
+ *
+ * Permission to use, copy, modify, and distribute this software for any purpose
+ * with or without fee is hereby granted, provided that the above copyright
+ * notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+ * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * This header provides a minimal set of defines and typedefs needed
+ * for building an external DLZ module for bind9. When creating a new
+ * external DLZ driver, please copy this header into your own source
+ * tree.
+ */
+
+#ifndef DLZ_MINIMAL_H
+#define DLZ_MINIMAL_H 1
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <sys/socket.h>
+#include <sys/types.h>
+#ifdef ISC_PLATFORM_HAVESYSUNH
+#include <sys/un.h>
+#endif /* ifdef ISC_PLATFORM_HAVESYSUNH */
+#include <arpa/inet.h>
+#include <net/if.h>
+#include <netinet/in.h>
+
+typedef unsigned int isc_result_t;
+typedef uint32_t     dns_ttl_t;
+
+/*
+ * Define DLZ_DLOPEN_VERSION to different values to use older versions
+ * of the interface
+ */
+#ifndef DLZ_DLOPEN_VERSION
+#define DLZ_DLOPEN_VERSION 3
+#define DLZ_DLOPEN_AGE	   0
+#endif /* ifndef DLZ_DLOPEN_VERSION */
+
+/* return these in flags from dlz_version() */
+#define DNS_SDLZFLAG_THREADSAFE	   0x00000001U
+#define DNS_SDLZFLAG_RELATIVEOWNER 0x00000002U
+#define DNS_SDLZFLAG_RELATIVERDATA 0x00000004U
+
+/* result codes */
+#define ISC_R_SUCCESS	     0
+#define ISC_R_NOMEMORY	     1
+#define ISC_R_NOPERM	     6
+#define ISC_R_NOSPACE	     19
+#define ISC_R_NOTFOUND	     23
+#define ISC_R_FAILURE	     25
+#define ISC_R_NOTIMPLEMENTED 27
+#define ISC_R_NOMORE	     29
+#define ISC_R_INVALIDFILE    30
+#define ISC_R_UNEXPECTED     34
+#define ISC_R_FILENOTFOUND   38
+
+/* log levels */
+#define ISC_LOG_INFO	     (-1)
+#define ISC_LOG_NOTICE	     (-2)
+#define ISC_LOG_WARNING	     (-3)
+#define ISC_LOG_ERROR	     (-4)
+#define ISC_LOG_CRITICAL     (-5)
+#define ISC_LOG_DEBUG(level) (level)
+
+/* other useful definitions */
+#define UNUSED(x) (void)(x)
+#define DE_CONST(konst, var)           \
+	do {                           \
+		union {                \
+			const void *k; \
+			void	   *v; \
+		} _u;                  \
+		_u.k = konst;          \
+		var = _u.v;            \
+	} while (0)
+
+#if !defined(__has_attribute)
+#define __has_attribute(x) 0
+#endif /* if !defined(__has_attribute) */
+
+#if __GNUC__ >= 7 || __has_attribute(fallthrough)
+#define FALLTHROUGH __attribute__((fallthrough))
+#else
+/* clang-format off */
+#define FALLTHROUGH do {} while (0) /* FALLTHROUGH */
+/* clang-format on */
+#endif
+
+#ifdef __GNUC__
+#define UNREACHABLE() __builtin_unreachable()
+#else
+#define UNREACHABLE() abort()
+#endif
+
+/* opaque structures */
+typedef void *dns_sdlzlookup_t;
+typedef void *dns_sdlzallnodes_t;
+typedef void *dns_view_t;
+typedef void *dns_dlzdb_t;
+
+#if DLZ_DLOPEN_VERSION > 1
+/*
+ * Method and type definitions needed for retrieval of client info
+ * from the caller.
+ */
+typedef struct isc_sockaddr {
+	union {
+		struct sockaddr	    sa;
+		struct sockaddr_in  sin;
+		struct sockaddr_in6 sin6;
+#ifdef ISC_PLATFORM_HAVESYSUNH
+		struct sockaddr_un sunix;
+#endif /* ifdef ISC_PLATFORM_HAVESYSUNH */
+	} type;
+	unsigned int length;
+	void	    *link;
+} isc_sockaddr_t;
+
+typedef struct isc_netaddr {
+	unsigned int family;
+	union {
+		struct in_addr	in;
+		struct in6_addr in6;
+#ifdef ISC_PLATFORM_HAVESYSUNH
+		char un[sizeof(((struct sockaddr_un *)0)->sun_path)];
+#endif /* ifdef ISC_PLATFORM_HAVESYSUNH */
+	} type;
+	uint32_t zone;
+} isc_netaddr_t;
+
+typedef struct dns_ecs {
+	isc_netaddr_t addr;
+	uint8_t	      source;
+	uint8_t	      scope;
+} dns_ecs_t;
+
+#define DNS_CLIENTINFO_VERSION 3
+typedef struct dns_clientinfo {
+	uint16_t  version;
+	void	 *data;
+	void	 *dbversion;
+	dns_ecs_t ecs;
+} dns_clientinfo_t;
+
+typedef isc_result_t (*dns_clientinfo_sourceip_t)(dns_clientinfo_t *client,
+						  isc_sockaddr_t  **addrp);
+
+typedef isc_result_t (*dns_clientinfo_version_t)(dns_clientinfo_t *client,
+						 void		 **addrp);
+
+#define DNS_CLIENTINFOMETHODS_VERSION 2
+#define DNS_CLIENTINFOMETHODS_AGE     1
+typedef struct dns_clientinfomethods {
+	uint16_t		  version;
+	uint16_t		  age;
+	dns_clientinfo_sourceip_t sourceip;
+} dns_clientinfomethods_t;
+#endif /* DLZ_DLOPEN_VERSION > 1 */
+
+#define DNS_ECS_FORMATSIZE                                                \
+	sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:XXX.XXX.XXX.XXX%SSSSSSSSSS" \
+	       "/NNN/NNN")
+
+/*
+ * Method definitions for callbacks provided by the dlopen driver
+ */
+typedef void
+log_t(int level, const char *fmt, ...);
+
+typedef isc_result_t
+dns_sdlz_putrr_t(dns_sdlzlookup_t *lookup, const char *type, dns_ttl_t ttl,
+		 const char *data);
+
+typedef isc_result_t
+dns_sdlz_putnamedrr_t(dns_sdlzallnodes_t *allnodes, const char *name,
+		      const char *type, dns_ttl_t ttl, const char *data);
+
+#if DLZ_DLOPEN_VERSION < 3
+typedef isc_result_t
+dns_dlz_writeablezone_t(dns_view_t *view, const char *zone_name);
+#else  /* DLZ_DLOPEN_VERSION >= 3 */
+typedef isc_result_t
+dns_dlz_writeablezone_t(dns_view_t *view, dns_dlzdb_t *dlzdb,
+			const char *zone_name);
+#endif /* DLZ_DLOPEN_VERSION */
+
+/*
+ * prototypes for the functions you can include in your module
+ */
+
+/*
+ * dlz_version() is required for all DLZ external drivers. It should
+ * return DLZ_DLOPEN_VERSION.  'flags' is updated to indicate capabilities
+ * of the module.  In particular, if the module is thread-safe then it
+ * sets 'flags' to include DNS_SDLZFLAG_THREADSAFE.  Other capability
+ * flags may be added in the future.
+ */
+int
+dlz_version(unsigned int *flags);
+
+/*
+ * dlz_create() is required for all DLZ external drivers.
+ */
+isc_result_t
+dlz_create(const char *dlzname, unsigned int argc, char *argv[], void **dbdata,
+	   ...);
+
+/*
+ * dlz_destroy() is optional, and will be called when the driver is
+ * unloaded if supplied
+ */
+void
+dlz_destroy(void *dbdata);
+
+/*
+ * dlz_findzonedb is required for all DLZ external drivers
+ */
+#if DLZ_DLOPEN_VERSION < 3
+isc_result_t
+dlz_findzonedb(void *dbdata, const char *name);
+#else  /* DLZ_DLOPEN_VERSION >= 3 */
+isc_result_t
+dlz_findzonedb(void *dbdata, const char *name, dns_clientinfomethods_t *methods,
+	       dns_clientinfo_t *clientinfo);
+#endif /* DLZ_DLOPEN_VERSION */
+
+/*
+ * dlz_lookup is required for all DLZ external drivers
+ */
+#if DLZ_DLOPEN_VERSION == 1
+isc_result_t
+dlz_lookup(const char *zone, const char *name, void *dbdata,
+	   dns_sdlzlookup_t *lookup);
+#else  /* DLZ_DLOPEN_VERSION > 1 */
+isc_result_t
+dlz_lookup(const char *zone, const char *name, void *dbdata,
+	   dns_sdlzlookup_t *lookup, dns_clientinfomethods_t *methods,
+	   dns_clientinfo_t *clientinfo);
+#endif /* DLZ_DLOPEN_VERSION */
+
+/*
+ * dlz_authority() is optional if dlz_lookup() supplies
+ * authority information (i.e., SOA, NS) for the dns record
+ */
+isc_result_t
+dlz_authority(const char *zone, void *dbdata, dns_sdlzlookup_t *lookup);
+
+/*
+ * dlz_allowzonexfr() is optional, and should be supplied if you want to
+ * support zone transfers
+ */
+isc_result_t
+dlz_allowzonexfr(void *dbdata, const char *name, const char *client);
+
+/*
+ * dlz_allnodes() is optional, but must be supplied if supply a
+ * dlz_allowzonexfr() function
+ */
+isc_result_t
+dlz_allnodes(const char *zone, void *dbdata, dns_sdlzallnodes_t *allnodes);
+
+/*
+ * dlz_newversion() is optional. It should be supplied if you want to
+ * support dynamic updates.
+ */
+isc_result_t
+dlz_newversion(const char *zone, void *dbdata, void **versionp);
+
+/*
+ * dlz_closeversion() is optional, but must be supplied if you supply a
+ * dlz_newversion() function
+ */
+void
+dlz_closeversion(const char *zone, bool commit, void *dbdata, void **versionp);
+
+/*
+ * dlz_configure() is optional, but must be supplied if you want to support
+ * dynamic updates
+ */
+#if DLZ_DLOPEN_VERSION < 3
+isc_result_t
+dlz_configure(dns_view_t *view, void *dbdata);
+#else  /* DLZ_DLOPEN_VERSION >= 3 */
+isc_result_t
+dlz_configure(dns_view_t *view, dns_dlzdb_t *dlzdb, void *dbdata);
+#endif /* DLZ_DLOPEN_VERSION */
+
+/*
+ * dlz_ssumatch() is optional, but must be supplied if you want to support
+ * dynamic updates
+ */
+bool
+dlz_ssumatch(const char *signer, const char *name, const char *tcpaddr,
+	     const char *type, const char *key, uint32_t keydatalen,
+	     uint8_t *keydata, void *dbdata);
+
+/*
+ * dlz_addrdataset() is optional, but must be supplied if you want to
+ * support dynamic updates
+ */
+isc_result_t
+dlz_addrdataset(const char *name, const char *rdatastr, void *dbdata,
+		void *version);
+
+/*
+ * dlz_subrdataset() is optional, but must be supplied if you want to
+ * support dynamic updates
+ */
+isc_result_t
+dlz_subrdataset(const char *name, const char *rdatastr, void *dbdata,
+		void *version);
+
+/*
+ * dlz_delrdataset() is optional, but must be supplied if you want to
+ * support dynamic updates
+ */
+isc_result_t
+dlz_delrdataset(const char *name, const char *type, void *dbdata,
+		void *version);
+
+#endif /* DLZ_MINIMAL_H */
diff --git a/contrib/dlz/modules/include/dlz_pthread.h b/contrib/dlz/modules/include/dlz_pthread.h
new file mode 100644
index 0000000..4479f83
--- /dev/null
+++ b/contrib/dlz/modules/include/dlz_pthread.h
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: ISC
+ *
+ * Permission to use, copy, modify, and distribute this software for any purpose
+ * with or without fee is hereby granted, provided that the above copyright
+ * notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+ * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef DLZ_PTHREAD_H
+#define DLZ_PTHREAD_H 1
+
+#ifndef PTHREADS
+#define PTHREADS 1
+#endif /* ifndef PTHREADS */
+
+#ifdef PTHREADS
+#include <pthread.h>
+#define dlz_mutex_t	  pthread_mutex_t
+#define dlz_mutex_init	  pthread_mutex_init
+#define dlz_mutex_destroy pthread_mutex_destroy
+#define dlz_mutex_lock	  pthread_mutex_lock
+#define dlz_mutex_trylock pthread_mutex_trylock
+#define dlz_mutex_unlock  pthread_mutex_unlock
+#else /* !PTHREADS */
+#define dlz_mutex_t	     void
+#define dlz_mutex_init(a, b) (0)
+#define dlz_mutex_destroy(a) (0)
+#define dlz_mutex_lock(a)    (0)
+#define dlz_mutex_trylock(a) (0)
+#define dlz_mutex_unlock(a)  (0)
+#endif /* ifdef PTHREADS */
+
+#endif /* DLZ_PTHREAD_H */
diff --git a/contrib/dlz/modules/ldap/Makefile b/contrib/dlz/modules/ldap/Makefile
new file mode 100644
index 0000000..8e86e3e
--- /dev/null
+++ b/contrib/dlz/modules/ldap/Makefile
@@ -0,0 +1,46 @@
+# Copyright Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+# Copyright (C) Stichting NLnet, Netherlands, stichting@nlnet.nl.
+#
+# The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
+# conceived and contributed by Rob Butler.
+#
+# SPDX-License-Identifier: ISC and MPL-2.0
+#
+# Permission to use, copy, modify, and distribute this software for any purpose
+# with or without fee is hereby granted, provided that the above copyright
+# notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND STICHTING NLNET DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL STICHTING NLNET BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+# OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+# CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+prefix = /usr
+libdir = $(prefix)/lib/bind9
+
+CFLAGS=-fPIC -g -I../include
+LDAP_LIBS=-lldap
+
+all: dlz_ldap_dynamic.so
+
+dlz_dbi.o: ../common/dlz_dbi.c
+	$(CC) $(CFLAGS) -c ../common/dlz_dbi.c
+
+dlz_ldap_dynamic.so: dlz_ldap_dynamic.c dlz_dbi.o
+	$(CC) $(CFLAGS) -shared -o dlz_ldap_dynamic.so \
+		dlz_ldap_dynamic.c dlz_dbi.o $(LDAP_LIBS)
+
+clean:
+	rm -f dlz_ldap_dynamic.so *.o
+
+install: dlz_ldap_dynamic.so
+	mkdir -p $(DESTDIR)$(libdir)
+	install dlz_ldap_dynamic.so $(DESTDIR)$(libdir)
diff --git a/contrib/dlz/modules/ldap/dlz_ldap_dynamic.c b/contrib/dlz/modules/ldap/dlz_ldap_dynamic.c
new file mode 100644
index 0000000..eca49ff
--- /dev/null
+++ b/contrib/dlz/modules/ldap/dlz_ldap_dynamic.c
@@ -0,0 +1,1254 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 and ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+
+/*
+ * Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
+ *
+ * The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
+ * conceived and contributed by Rob Butler.
+ *
+ * Permission to use, copy, modify, and distribute this software for any purpose
+ * with or without fee is hereby granted, provided that the above copyright
+ * notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+ * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * This provides the externally loadable ldap DLZ module, without
+ * update support
+ */
+
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <dlz_dbi.h>
+#include <dlz_list.h>
+#include <dlz_minimal.h>
+#include <dlz_pthread.h>
+
+/*
+ * Need older API functions from ldap.h.
+ */
+#define LDAP_DEPRECATED 1
+
+#include <ldap.h>
+
+#define SIMPLE "simple"
+#define KRB41  "krb41"
+#define KRB42  "krb42"
+#define V2     "v2"
+#define V3     "v3"
+
+#define dbc_search_limit 30
+#define ALLNODES	 1
+#define ALLOWXFR	 2
+#define AUTHORITY	 3
+#define FINDZONE	 4
+#define LOOKUP		 5
+
+/*%
+ * Structure to hold everything needed by this "instance" of the LDAP
+ * driver remember, the driver code is only loaded once, but may have
+ * many separate instances.
+ */
+typedef struct {
+#if PTHREADS
+	db_list_t *db; /*%< handle to a list of DB */
+#else		       /* if PTHREADS */
+	dbinstance_t *db; /*%< handle to db */
+#endif		       /* if PTHREADS */
+	int method;    /*%< security authentication
+			* method */
+	char *user;    /*%< who is authenticating */
+	char *cred;    /*%< password for simple
+			* authentication method */
+	int protocol;  /*%< LDAP communication
+			* protocol version */
+	char *hosts;   /*%< LDAP server hosts */
+
+	/* Helper functions from the dlz_dlopen driver */
+	log_t *log;
+	dns_sdlz_putrr_t *putrr;
+	dns_sdlz_putnamedrr_t *putnamedrr;
+	dns_dlz_writeablezone_t *writeable_zone;
+} ldap_instance_t;
+
+/* forward references */
+
+#if DLZ_DLOPEN_VERSION < 3
+isc_result_t
+dlz_findzonedb(void *dbdata, const char *name);
+#else  /* if DLZ_DLOPEN_VERSION < 3 */
+isc_result_t
+dlz_findzonedb(void *dbdata, const char *name, dns_clientinfomethods_t *methods,
+	       dns_clientinfo_t *clientinfo);
+#endif /* if DLZ_DLOPEN_VERSION < 3 */
+
+void
+dlz_destroy(void *dbdata);
+
+static void
+b9_add_helper(ldap_instance_t *db, const char *helper_name, void *ptr);
+
+/*
+ * Private methods
+ */
+
+/*% checks that the LDAP URL parameters make sense */
+static isc_result_t
+dlz_ldap_checkURL(ldap_instance_t *db, char *URL, int attrCnt,
+		  const char *msg) {
+	isc_result_t result = ISC_R_SUCCESS;
+	int ldap_result;
+	LDAPURLDesc *ldap_url = NULL;
+
+	if (!ldap_is_ldap_url(URL)) {
+		db->log(ISC_LOG_ERROR, "%s query is not a valid LDAP URL", msg);
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+
+	ldap_result = ldap_url_parse(URL, &ldap_url);
+	if (ldap_result != LDAP_SUCCESS || ldap_url == NULL) {
+		db->log(ISC_LOG_ERROR, "parsing %s query failed", msg);
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+
+	if (ldap_count_values(ldap_url->lud_attrs) < attrCnt) {
+		db->log(ISC_LOG_ERROR,
+			"%s query must specify at least "
+			"%d attributes to return",
+			msg, attrCnt);
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+
+	if (ldap_url->lud_host != NULL) {
+		db->log(ISC_LOG_ERROR, "%s query must not specify a host", msg);
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+
+	if (ldap_url->lud_port != 389) {
+		db->log(ISC_LOG_ERROR, "%s query must not specify a port", msg);
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+
+	if (ldap_url->lud_dn == NULL || strlen(ldap_url->lud_dn) < 1) {
+		db->log(ISC_LOG_ERROR, "%s query must specify a search base",
+			msg);
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+
+	if (ldap_url->lud_exts != NULL || ldap_url->lud_crit_exts != 0) {
+		db->log(ISC_LOG_ERROR,
+			"%s uses extensions. "
+			"The driver does not support LDAP extensions.",
+			msg);
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+
+cleanup:
+	if (ldap_url != NULL) {
+		ldap_free_urldesc(ldap_url);
+	}
+
+	return (result);
+}
+
+/*% Connects / reconnects to LDAP server */
+static isc_result_t
+dlz_ldap_connect(ldap_instance_t *dbi, dbinstance_t *dbc) {
+	isc_result_t result;
+	int ldap_result;
+
+	/* if we have a connection, get ride of it. */
+	if (dbc->dbconn != NULL) {
+		ldap_unbind_s((LDAP *)dbc->dbconn);
+		dbc->dbconn = NULL;
+	}
+
+	/* now connect / reconnect. */
+
+	/* initialize. */
+	dbc->dbconn = ldap_init(dbi->hosts, LDAP_PORT);
+	if (dbc->dbconn == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	/* set protocol version. */
+	ldap_result = ldap_set_option((LDAP *)dbc->dbconn,
+				      LDAP_OPT_PROTOCOL_VERSION,
+				      &(dbi->protocol));
+	if (ldap_result != LDAP_SUCCESS) {
+		result = ISC_R_NOPERM;
+		goto cleanup;
+	}
+
+	/* "bind" to server.  i.e. send username / pass */
+	ldap_result = ldap_bind_s((LDAP *)dbc->dbconn, dbi->user, dbi->cred,
+				  dbi->method);
+	if (ldap_result != LDAP_SUCCESS) {
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+
+	return (ISC_R_SUCCESS);
+
+cleanup:
+
+	/* cleanup if failure. */
+	if (dbc->dbconn != NULL) {
+		ldap_unbind_s((LDAP *)dbc->dbconn);
+		dbc->dbconn = NULL;
+	}
+
+	return (result);
+}
+
+#if PTHREADS
+/*%
+ * Properly cleans up a list of database instances.
+ * This function is only used when the driver is compiled for
+ * multithreaded operation.
+ */
+static void
+dlz_ldap_destroy_dblist(db_list_t *dblist) {
+	dbinstance_t *ndbi = NULL;
+	dbinstance_t *dbi = NULL;
+
+	/* get the first DBI in the list */
+	ndbi = DLZ_LIST_HEAD(*dblist);
+
+	/* loop through the list */
+	while (ndbi != NULL) {
+		dbi = ndbi;
+		/* get the next DBI in the list */
+		ndbi = DLZ_LIST_NEXT(dbi, link);
+		/* release DB connection */
+		if (dbi->dbconn != NULL) {
+			ldap_unbind_s((LDAP *)dbi->dbconn);
+		}
+		/* release all memory that comprised a DBI */
+		destroy_dbinstance(dbi);
+	}
+	/* release memory for the list structure */
+	free(dblist);
+}
+
+/*%
+ * Loops through the list of DB instances, attempting to lock
+ * on the mutex.  If successful, the DBI is reserved for use
+ * and the thread can perform queries against the database.
+ * If the lock fails, the next one in the list is tried.
+ * looping continues until a lock is obtained, or until
+ * the list has been searched dbc_search_limit times.
+ * This function is only used when the driver is compiled for
+ * multithreaded operation.
+ */
+static dbinstance_t *
+dlz_ldap_find_avail_conn(ldap_instance_t *ldap) {
+	dbinstance_t *dbi = NULL;
+	dbinstance_t *head;
+	int count = 0;
+
+	/* get top of list */
+	head = dbi = DLZ_LIST_HEAD(*ldap->db);
+
+	/* loop through list */
+	while (count < dbc_search_limit) {
+		/* try to lock on the mutex */
+		if (dlz_mutex_trylock(&dbi->lock) == 0) {
+			return (dbi); /* success, return the DBI for use. */
+		}
+		/* not successful, keep trying */
+		dbi = DLZ_LIST_NEXT(dbi, link);
+
+		/* check to see if we have gone to the top of the list. */
+		if (dbi == NULL) {
+			count++;
+			dbi = head;
+		}
+	}
+
+	ldap->log(ISC_LOG_INFO,
+		  "LDAP driver unable to find available connection "
+		  "after searching %d times",
+		  count);
+	return (NULL);
+}
+#endif /* PTHREADS */
+
+static isc_result_t
+dlz_ldap_process_results(ldap_instance_t *db, LDAP *dbc, LDAPMessage *msg,
+			 char **attrs, void *ptr, bool allnodes) {
+	isc_result_t result = ISC_R_SUCCESS;
+	int i = 0;
+	int j;
+	int len;
+	char *attribute = NULL;
+	LDAPMessage *entry;
+	char *endp = NULL;
+	char *host = NULL;
+	char *type = NULL;
+	char *data = NULL;
+	char **vals = NULL;
+	int ttl;
+
+	/* get the first entry to process */
+	entry = ldap_first_entry(dbc, msg);
+	if (entry == NULL) {
+		db->log(ISC_LOG_INFO, "LDAP no entries to process.");
+		return (ISC_R_FAILURE);
+	}
+
+	/* loop through all entries returned */
+	while (entry != NULL) {
+		/* reset for this loop */
+		ttl = 0;
+		len = 0;
+		i = 0;
+		attribute = attrs[i];
+
+		/* determine how much space we need for data string */
+		for (j = 0; attrs[j] != NULL; j++) {
+			/* get the list of values for this attribute. */
+			vals = ldap_get_values(dbc, entry, attrs[j]);
+			/* skip empty attributes. */
+			if (vals == NULL || ldap_count_values(vals) < 1) {
+				continue;
+			}
+			/*
+			 * we only use the first value.  this driver
+			 * does not support multi-valued attributes.
+			 */
+			len = len + strlen(vals[0]) + 1;
+			/* free vals for next loop */
+			ldap_value_free(vals);
+		}
+
+		/* allocate memory for data string */
+		data = malloc(len + 1);
+		if (data == NULL) {
+			db->log(ISC_LOG_ERROR, "LDAP driver unable to allocate "
+					       "memory "
+					       "while processing results");
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+
+		/*
+		 * Make sure data is null termed at the beginning so
+		 * we can check if any data was stored to it later.
+		 */
+		data[0] = '\0';
+
+		/* reset j to re-use below */
+		j = 0;
+
+		/* loop through the attributes in the order specified. */
+		while (attribute != NULL) {
+			/* get the list of values for this attribute. */
+			vals = ldap_get_values(dbc, entry, attribute);
+
+			/* skip empty attributes. */
+			if (vals == NULL || vals[0] == NULL) {
+				/* increment attribute pointer */
+				attribute = attrs[++i];
+				/* start loop over */
+				continue;
+			}
+
+			/*
+			 * j initially = 0.  Increment j each time we
+			 * set a field that way next loop will set
+			 * next field.
+			 */
+			switch (j) {
+			case 0:
+				j++;
+				/*
+				 * convert text to int, make sure it
+				 * worked right
+				 */
+				ttl = strtol(vals[0], &endp, 10);
+				if (*endp != '\0' || ttl < 0) {
+					db->log(ISC_LOG_ERROR, "LDAP driver "
+							       "ttl must "
+							       "be a positive "
+							       "number");
+					goto cleanup;
+				}
+				break;
+			case 1:
+				j++;
+				type = strdup(vals[0]);
+				break;
+			case 2:
+				j++;
+				if (allnodes) {
+					host = strdup(vals[0]);
+				} else {
+					strcpy(data, vals[0]);
+				}
+				break;
+			case 3:
+				j++;
+				if (allnodes) {
+					strcpy(data, vals[0]);
+				} else {
+					strcat(data, " ");
+					strcat(data, vals[0]);
+				}
+				break;
+			default:
+				strcat(data, " ");
+				strcat(data, vals[0]);
+				break;
+			}
+
+			/* free values */
+			ldap_value_free(vals);
+			vals = NULL;
+
+			/* increment attribute pointer */
+			attribute = attrs[++i];
+		}
+
+		if (type == NULL) {
+			db->log(ISC_LOG_ERROR, "LDAP driver unable to retrieve "
+					       "DNS type");
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+
+		if (strlen(data) < 1) {
+			db->log(ISC_LOG_ERROR, "LDAP driver unable to retrieve "
+					       "DNS data");
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+
+		if (allnodes && host != NULL) {
+			dns_sdlzallnodes_t *an = (dns_sdlzallnodes_t *)ptr;
+			if (strcasecmp(host, "~") == 0) {
+				result = db->putnamedrr(an, "*", type, ttl,
+							data);
+			} else {
+				result = db->putnamedrr(an, host, type, ttl,
+							data);
+			}
+			if (result != ISC_R_SUCCESS) {
+				db->log(ISC_LOG_ERROR,
+					"ldap_dynamic: putnamedrr failed "
+					"for \"%s %s %u %s\" (%d)",
+					host, type, ttl, data, result);
+			}
+		} else {
+			dns_sdlzlookup_t *lookup = (dns_sdlzlookup_t *)ptr;
+			result = db->putrr(lookup, type, ttl, data);
+			if (result != ISC_R_SUCCESS) {
+				db->log(ISC_LOG_ERROR,
+					"ldap_dynamic: putrr failed "
+					"for \"%s %u %s\" (%s)",
+					type, ttl, data, result);
+			}
+		}
+
+		if (result != ISC_R_SUCCESS) {
+			db->log(ISC_LOG_ERROR, "LDAP driver failed "
+					       "while sending data to BIND.");
+			goto cleanup;
+		}
+
+		/* free memory for type, data and host for next loop */
+		free(type);
+		type = NULL;
+
+		free(data);
+		data = NULL;
+
+		if (host != NULL) {
+			free(host);
+			host = NULL;
+		}
+
+		/* get the next entry to process */
+		entry = ldap_next_entry(dbc, entry);
+	}
+
+cleanup:
+	/* de-allocate memory */
+	if (vals != NULL) {
+		ldap_value_free(vals);
+	}
+	if (host != NULL) {
+		free(host);
+	}
+	if (type != NULL) {
+		free(type);
+	}
+	if (data != NULL) {
+		free(data);
+	}
+
+	return (result);
+}
+
+/*%
+ * This function is the real core of the driver.   Zone, record
+ * and client strings are passed in (or NULL is passed if the
+ * string is not available).  The type of query we want to run
+ * is indicated by the query flag, and the dbdata object is passed
+ * passed in to.  dbdata really holds either:
+ *		1) a list of database instances (in multithreaded mode) OR
+ *		2) a single database instance (in single threaded mode)
+ * The function will construct the query and obtain an available
+ * database instance (DBI).  It will then run the query and hopefully
+ * obtain a result set.
+ */
+static isc_result_t
+dlz_ldap_get_results(const char *zone, const char *record, const char *client,
+		     unsigned int query, void *dbdata, void *ptr) {
+	isc_result_t result;
+	ldap_instance_t *db = (ldap_instance_t *)dbdata;
+	dbinstance_t *dbi = NULL;
+	char *querystring = NULL;
+	LDAPURLDesc *ldap_url = NULL;
+	int ldap_result = 0;
+	LDAPMessage *ldap_msg = NULL;
+	int i;
+	int entries;
+
+	/* get db instance / connection */
+#if PTHREADS
+	/* find an available DBI from the list */
+	dbi = dlz_ldap_find_avail_conn(db);
+#else  /* PTHREADS */
+	/*
+	 * only 1 DBI - no need to lock instance lock either
+	 * only 1 thread in the whole process, no possible contention.
+	 */
+	dbi = (dbinstance_t *)(db->db);
+#endif /* PTHREADS */
+
+	/* if DBI is null, can't do anything else */
+	if (dbi == NULL) {
+		return (ISC_R_FAILURE);
+	}
+
+	/* set fields */
+	if (zone != NULL) {
+		dbi->zone = strdup(zone);
+		if (dbi->zone == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+	} else {
+		dbi->zone = NULL;
+	}
+
+	if (record != NULL) {
+		dbi->record = strdup(record);
+		if (dbi->record == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+	} else {
+		dbi->record = NULL;
+	}
+
+	if (client != NULL) {
+		dbi->client = strdup(client);
+		if (dbi->client == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+	} else {
+		dbi->client = NULL;
+	}
+
+	/* what type of query are we going to run? */
+	switch (query) {
+	case ALLNODES:
+		/*
+		 * if the query was not passed in from the config file
+		 * then we can't run it.  return not_implemented, so
+		 * it's like the code for that operation was never
+		 * built into the driver.... AHHH flexibility!!!
+		 */
+		if (dbi->allnodes_q == NULL) {
+			result = ISC_R_NOTIMPLEMENTED;
+			goto cleanup;
+		} else {
+			querystring = build_querystring(dbi->allnodes_q);
+		}
+		break;
+	case ALLOWXFR:
+		/* same as comments as ALLNODES */
+		if (dbi->allowxfr_q == NULL) {
+			result = ISC_R_NOTIMPLEMENTED;
+			goto cleanup;
+		} else {
+			querystring = build_querystring(dbi->allowxfr_q);
+		}
+		break;
+	case AUTHORITY:
+		/* same as comments as ALLNODES */
+		if (dbi->authority_q == NULL) {
+			result = ISC_R_NOTIMPLEMENTED;
+			goto cleanup;
+		} else {
+			querystring = build_querystring(dbi->authority_q);
+		}
+		break;
+	case FINDZONE:
+		/* this is required.  It's the whole point of DLZ! */
+		if (dbi->findzone_q == NULL) {
+			db->log(ISC_LOG_DEBUG(2), "No query specified for "
+						  "findzone. "
+						  "Findzone requires a query");
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		} else {
+			querystring = build_querystring(dbi->findzone_q);
+		}
+		break;
+	case LOOKUP:
+		/* this is required.  It's also a major point of DLZ! */
+		if (dbi->lookup_q == NULL) {
+			db->log(ISC_LOG_DEBUG(2), "No query specified for "
+						  "lookup. "
+						  "Lookup requires a query");
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		} else {
+			querystring = build_querystring(dbi->lookup_q);
+		}
+		break;
+	default:
+		/*
+		 * this should never happen.  If it does, the code is
+		 * screwed up!
+		 */
+		db->log(ISC_LOG_ERROR, "Incorrect query flag passed to "
+				       "dlz_ldap_get_results");
+		result = ISC_R_UNEXPECTED;
+		goto cleanup;
+	}
+
+	/* if the querystring is null, Bummer, outta RAM.  UPGRADE TIME!!!   */
+	if (querystring == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+
+	/*
+	 * output the full query string during debug so we can see
+	 * what lame error the query has.
+	 */
+	db->log(ISC_LOG_DEBUG(1), "Query String: %s", querystring);
+
+	/* break URL down into it's component parts, if error cleanup */
+	ldap_result = ldap_url_parse(querystring, &ldap_url);
+	if (ldap_result != LDAP_SUCCESS || ldap_url == NULL) {
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+
+	for (i = 0; i < 3; i++) {
+		/*
+		 * dbi->dbconn may be null if trying to reconnect on a
+		 * previous query failed.
+		 */
+		if (dbi->dbconn == NULL) {
+			db->log(ISC_LOG_INFO, "LDAP driver attempting to "
+					      "re-connect");
+
+			result = dlz_ldap_connect((ldap_instance_t *)dbdata,
+						  dbi);
+			if (result != ISC_R_SUCCESS) {
+				result = ISC_R_FAILURE;
+				continue;
+			}
+		}
+
+		/* perform ldap search synchronously */
+		ldap_result =
+			ldap_search_s((LDAP *)dbi->dbconn, ldap_url->lud_dn,
+				      ldap_url->lud_scope, ldap_url->lud_filter,
+				      ldap_url->lud_attrs, 0, &ldap_msg);
+
+		/*
+		 * check return code.  No such object is ok, just
+		 * didn't find what we wanted
+		 */
+		switch (ldap_result) {
+		case LDAP_NO_SUCH_OBJECT:
+			db->log(ISC_LOG_DEBUG(1), "No object found matching "
+						  "query requirements");
+			result = ISC_R_NOTFOUND;
+			goto cleanup;
+			break;
+		case LDAP_SUCCESS: /* on success do nothing */
+			result = ISC_R_SUCCESS;
+			i = 3;
+			break;
+		case LDAP_SERVER_DOWN:
+			db->log(ISC_LOG_INFO, "LDAP driver attempting to "
+					      "re-connect");
+			result = dlz_ldap_connect((ldap_instance_t *)dbdata,
+						  dbi);
+			if (result != ISC_R_SUCCESS) {
+				result = ISC_R_FAILURE;
+			}
+			break;
+		default:
+			/*
+			 * other errors not ok.  Log error message and
+			 * get out
+			 */
+			db->log(ISC_LOG_ERROR, "LDAP error: %s",
+				ldap_err2string(ldap_result));
+			result = ISC_R_FAILURE;
+			goto cleanup;
+			break;
+		}
+	}
+
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	switch (query) {
+	case ALLNODES:
+		result = dlz_ldap_process_results(db, (LDAP *)dbi->dbconn,
+						  ldap_msg, ldap_url->lud_attrs,
+						  ptr, true);
+		break;
+	case AUTHORITY:
+	case LOOKUP:
+		result = dlz_ldap_process_results(db, (LDAP *)dbi->dbconn,
+						  ldap_msg, ldap_url->lud_attrs,
+						  ptr, false);
+		break;
+	case ALLOWXFR:
+		entries = ldap_count_entries((LDAP *)dbi->dbconn, ldap_msg);
+		if (entries == 0) {
+			result = ISC_R_NOPERM;
+		} else if (entries > 0) {
+			result = ISC_R_SUCCESS;
+		} else {
+			result = ISC_R_FAILURE;
+		}
+		break;
+	case FINDZONE:
+		entries = ldap_count_entries((LDAP *)dbi->dbconn, ldap_msg);
+		if (entries == 0) {
+			result = ISC_R_NOTFOUND;
+		} else if (entries > 0) {
+			result = ISC_R_SUCCESS;
+		} else {
+			result = ISC_R_FAILURE;
+		}
+		break;
+	default:
+		/*
+		 * this should never happen.  If it does, the code is
+		 * screwed up!
+		 */
+		db->log(ISC_LOG_ERROR, "Incorrect query flag passed to "
+				       "dlz_ldap_get_results");
+		result = ISC_R_UNEXPECTED;
+	}
+
+cleanup:
+	/* it's always good to cleanup after yourself */
+
+	/* if we retrieved results, free them */
+	if (ldap_msg != NULL) {
+		ldap_msgfree(ldap_msg);
+	}
+
+	if (ldap_url != NULL) {
+		ldap_free_urldesc(ldap_url);
+	}
+
+	/* cleanup */
+	if (dbi->zone != NULL) {
+		free(dbi->zone);
+	}
+	if (dbi->record != NULL) {
+		free(dbi->record);
+	}
+	if (dbi->client != NULL) {
+		free(dbi->client);
+	}
+	dbi->zone = dbi->record = dbi->client = NULL;
+
+	/* release the lock so another thread can use this dbi */
+	(void)dlz_mutex_unlock(&dbi->lock);
+
+	/* release query string */
+	if (querystring != NULL) {
+		free(querystring);
+	}
+
+	/* return result */
+	return (result);
+}
+
+/*
+ * DLZ methods
+ */
+isc_result_t
+dlz_allowzonexfr(void *dbdata, const char *name, const char *client) {
+	isc_result_t result;
+
+	/* check to see if we are authoritative for the zone first */
+#if DLZ_DLOPEN_VERSION < 3
+	result = dlz_findzonedb(dbdata, name);
+#else  /* if DLZ_DLOPEN_VERSION < 3 */
+	result = dlz_findzonedb(dbdata, name, NULL, NULL);
+#endif /* if DLZ_DLOPEN_VERSION < 3 */
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	/* get all the zone data */
+	result = dlz_ldap_get_results(name, NULL, client, ALLOWXFR, dbdata,
+				      NULL);
+	return (result);
+}
+
+isc_result_t
+dlz_allnodes(const char *zone, void *dbdata, dns_sdlzallnodes_t *allnodes) {
+	return (dlz_ldap_get_results(zone, NULL, NULL, ALLNODES, dbdata,
+				     allnodes));
+}
+
+isc_result_t
+dlz_authority(const char *zone, void *dbdata, dns_sdlzlookup_t *lookup) {
+	return (dlz_ldap_get_results(zone, NULL, NULL, AUTHORITY, dbdata,
+				     lookup));
+}
+
+#if DLZ_DLOPEN_VERSION < 3
+isc_result_t
+dlz_findzonedb(void *dbdata, const char *name)
+#else  /* if DLZ_DLOPEN_VERSION < 3 */
+isc_result_t
+dlz_findzonedb(void *dbdata, const char *name, dns_clientinfomethods_t *methods,
+	       dns_clientinfo_t *clientinfo)
+#endif /* if DLZ_DLOPEN_VERSION < 3 */
+{
+#if DLZ_DLOPEN_VERSION >= 3
+	UNUSED(methods);
+	UNUSED(clientinfo);
+#endif /* if DLZ_DLOPEN_VERSION >= 3 */
+	return (dlz_ldap_get_results(name, NULL, NULL, FINDZONE, dbdata, NULL));
+}
+
+#if DLZ_DLOPEN_VERSION == 1
+isc_result_t
+dlz_lookup(const char *zone, const char *name, void *dbdata,
+	   dns_sdlzlookup_t *lookup)
+#else  /* if DLZ_DLOPEN_VERSION == 1 */
+isc_result_t
+dlz_lookup(const char *zone, const char *name, void *dbdata,
+	   dns_sdlzlookup_t *lookup, dns_clientinfomethods_t *methods,
+	   dns_clientinfo_t *clientinfo)
+#endif /* if DLZ_DLOPEN_VERSION == 1 */
+{
+	isc_result_t result;
+
+#if DLZ_DLOPEN_VERSION >= 2
+	UNUSED(methods);
+	UNUSED(clientinfo);
+#endif /* if DLZ_DLOPEN_VERSION >= 2 */
+
+	if (strcmp(name, "*") == 0) {
+		result = dlz_ldap_get_results(zone, "~", NULL, LOOKUP, dbdata,
+					      lookup);
+	} else {
+		result = dlz_ldap_get_results(zone, name, NULL, LOOKUP, dbdata,
+					      lookup);
+	}
+	return (result);
+}
+
+isc_result_t
+dlz_create(const char *dlzname, unsigned int argc, char *argv[], void **dbdata,
+	   ...) {
+	isc_result_t result = ISC_R_FAILURE;
+	ldap_instance_t *ldap = NULL;
+	dbinstance_t *dbi = NULL;
+	const char *helper_name;
+	int protocol;
+	int method;
+#if PTHREADS
+	int dbcount;
+	char *endp;
+	int i;
+#endif /* PTHREADS */
+	va_list ap;
+
+	UNUSED(dlzname);
+
+	/* allocate memory for LDAP instance */
+	ldap = calloc(1, sizeof(ldap_instance_t));
+	if (ldap == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+	memset(ldap, 0, sizeof(ldap_instance_t));
+
+	/* Fill in the helper functions */
+	va_start(ap, dbdata);
+	while ((helper_name = va_arg(ap, const char *)) != NULL) {
+		b9_add_helper(ldap, helper_name, va_arg(ap, void *));
+	}
+	va_end(ap);
+
+#if PTHREADS
+	/* if debugging, let user know we are multithreaded. */
+	ldap->log(ISC_LOG_DEBUG(1), "LDAP driver running multithreaded");
+#else  /* PTHREADS */
+	/* if debugging, let user know we are single threaded. */
+	ldap->log(ISC_LOG_DEBUG(1), "LDAP driver running single threaded");
+#endif /* PTHREADS */
+
+	if (argc < 9) {
+		ldap->log(ISC_LOG_ERROR, "LDAP driver requires at least "
+					 "8 command line args.");
+		goto cleanup;
+	}
+
+	/* no more than 13 arg's should be passed to the driver */
+	if (argc > 12) {
+		ldap->log(ISC_LOG_ERROR, "LDAP driver cannot accept more than "
+					 "11 command line args.");
+		goto cleanup;
+	}
+
+	/* determine protocol version. */
+	if (strncasecmp(argv[2], V2, strlen(V2)) == 0) {
+		protocol = 2;
+	} else if (strncasecmp(argv[2], V3, strlen(V3)) == 0) {
+		protocol = 3;
+	} else {
+		ldap->log(ISC_LOG_ERROR,
+			  "LDAP driver protocol must be either %s or %s", V2,
+			  V3);
+		goto cleanup;
+	}
+
+	/* determine connection method. */
+	if (strncasecmp(argv[3], SIMPLE, strlen(SIMPLE)) == 0) {
+		method = LDAP_AUTH_SIMPLE;
+	} else if (strncasecmp(argv[3], KRB41, strlen(KRB41)) == 0) {
+		method = LDAP_AUTH_KRBV41;
+	} else if (strncasecmp(argv[3], KRB42, strlen(KRB42)) == 0) {
+		method = LDAP_AUTH_KRBV42;
+	} else {
+		ldap->log(ISC_LOG_ERROR,
+			  "LDAP driver authentication method must be "
+			  "one of %s, %s or %s",
+			  SIMPLE, KRB41, KRB42);
+		goto cleanup;
+	}
+
+	/* multithreaded build can have multiple DB connections */
+#if PTHREADS
+	/* check how many db connections we should create */
+	dbcount = strtol(argv[1], &endp, 10);
+	if (*endp != '\0' || dbcount < 0) {
+		ldap->log(ISC_LOG_ERROR, "LDAP driver database connection "
+					 "count "
+					 "must be positive.");
+		goto cleanup;
+	}
+#endif /* if PTHREADS */
+
+	/* check that LDAP URL parameters make sense */
+	switch (argc) {
+	case 12:
+		result = dlz_ldap_checkURL(ldap, argv[11], 0,
+					   "allow zone transfer");
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+		FALLTHROUGH;
+	case 11:
+		result = dlz_ldap_checkURL(ldap, argv[10], 3, "all nodes");
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+		FALLTHROUGH;
+	case 10:
+		if (strlen(argv[9]) > 0) {
+			result = dlz_ldap_checkURL(ldap, argv[9], 3,
+						   "authority");
+			if (result != ISC_R_SUCCESS) {
+				goto cleanup;
+			}
+		}
+		FALLTHROUGH;
+	case 9:
+		result = dlz_ldap_checkURL(ldap, argv[8], 3, "lookup");
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+		result = dlz_ldap_checkURL(ldap, argv[7], 0, "find zone");
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+		break;
+	default:
+		/* not really needed, should shut up compiler. */
+		result = ISC_R_FAILURE;
+	}
+
+	/* store info needed to automatically re-connect. */
+	ldap->protocol = protocol;
+	ldap->method = method;
+	ldap->hosts = strdup(argv[6]);
+	if (ldap->hosts == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+	ldap->user = strdup(argv[4]);
+	if (ldap->user == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+	ldap->cred = strdup(argv[5]);
+	if (ldap->cred == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+
+#if PTHREADS
+	/* allocate memory for database connection list */
+	ldap->db = calloc(1, sizeof(db_list_t));
+	if (ldap->db == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+
+	/* initialize DB connection list */
+	DLZ_LIST_INIT(*(ldap->db));
+
+	/*
+	 * create the appropriate number of database instances (DBI)
+	 * append each new DBI to the end of the list
+	 */
+	for (i = 0; i < dbcount; i++) {
+#endif /* PTHREADS */
+		/* how many queries were passed in from config file? */
+		switch (argc) {
+		case 9:
+			result = build_dbinstance(NULL, NULL, NULL, argv[7],
+						  argv[8], NULL, &dbi,
+						  ldap->log);
+			break;
+		case 10:
+			result = build_dbinstance(NULL, NULL, argv[9], argv[7],
+						  argv[8], NULL, &dbi,
+						  ldap->log);
+			break;
+		case 11:
+			result = build_dbinstance(argv[10], NULL, argv[9],
+						  argv[7], argv[8], NULL, &dbi,
+						  ldap->log);
+			break;
+		case 12:
+			result = build_dbinstance(argv[10], argv[11], argv[9],
+						  argv[7], argv[8], NULL, &dbi,
+						  ldap->log);
+			break;
+		default:
+			/* not really needed, should shut up compiler. */
+			result = ISC_R_FAILURE;
+		}
+
+		if (result == ISC_R_SUCCESS) {
+			ldap->log(ISC_LOG_DEBUG(2), "LDAP driver created "
+						    "database instance "
+						    "object.");
+		} else { /* unsuccessful?, log err msg and cleanup. */
+			ldap->log(ISC_LOG_ERROR, "LDAP driver could not create "
+						 "database instance object.");
+			goto cleanup;
+		}
+
+#if PTHREADS
+		/* when multithreaded, build a list of DBI's */
+		DLZ_LINK_INIT(dbi, link);
+		DLZ_LIST_APPEND(*(ldap->db), dbi, link);
+#else  /* if PTHREADS */
+	/*
+	 * when single threaded, hold onto the one connection
+	 * instance.
+	 */
+	ldap->db = dbi;
+#endif /* if PTHREADS */
+		/* attempt to connect */
+		result = dlz_ldap_connect(ldap, dbi);
+
+		/*
+		 * if db connection cannot be created, log err msg and
+		 * cleanup.
+		 */
+		switch (result) {
+		/* success, do nothing */
+		case ISC_R_SUCCESS:
+			break;
+		/*
+		 * no memory means ldap_init could not
+		 * allocate memory
+		 */
+		case ISC_R_NOMEMORY:
+#if PTHREADS
+			ldap->log(ISC_LOG_ERROR,
+				  "LDAP driver could not allocate memory "
+				  "for connection number %u",
+				  i + 1);
+#else  /* if PTHREADS */
+		ldap->log(ISC_LOG_ERROR, "LDAP driver could not allocate "
+					 "memory "
+					 "for connection");
+#endif /* if PTHREADS */
+			goto cleanup;
+		/*
+		 * no perm means ldap_set_option could not set
+		 * protocol version
+		 */
+		case ISC_R_NOPERM:
+			ldap->log(ISC_LOG_ERROR, "LDAP driver could not "
+						 "set protocol version.");
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		/* failure means couldn't connect to ldap server */
+		case ISC_R_FAILURE:
+#if PTHREADS
+			ldap->log(ISC_LOG_ERROR,
+				  "LDAP driver could not bind "
+				  "connection number %u to server.",
+				  i + 1);
+#else  /* if PTHREADS */
+		ldap->log(ISC_LOG_ERROR, "LDAP driver could not "
+					 "bind connection to server.");
+#endif /* if PTHREADS */
+			goto cleanup;
+		/*
+		 * default should never happen.  If it does,
+		 * major errors.
+		 */
+		default:
+			ldap->log(ISC_LOG_ERROR, "dlz_create() failed (%d)",
+				  result);
+			result = ISC_R_UNEXPECTED;
+			goto cleanup;
+		}
+
+#if PTHREADS
+		/* set DBI = null for next loop through. */
+		dbi = NULL;
+	}
+#endif /* PTHREADS */
+
+	/* set dbdata to the ldap_instance we created. */
+	*dbdata = ldap;
+
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	dlz_destroy(ldap);
+
+	return (result);
+}
+
+void
+dlz_destroy(void *dbdata) {
+	if (dbdata != NULL) {
+		ldap_instance_t *db = (ldap_instance_t *)dbdata;
+#if PTHREADS
+		/* cleanup the list of DBI's */
+		if (db->db != NULL) {
+			dlz_ldap_destroy_dblist((db_list_t *)(db->db));
+		}
+#else  /* PTHREADS */
+		if (db->db->dbconn != NULL) {
+			ldap_unbind_s((LDAP *)(db->db->dbconn));
+		}
+
+		/* destroy single DB instance */
+		destroy_dbinstance(db->db);
+#endif /* PTHREADS */
+
+		if (db->hosts != NULL) {
+			free(db->hosts);
+		}
+		if (db->user != NULL) {
+			free(db->user);
+		}
+		if (db->cred != NULL) {
+			free(db->cred);
+		}
+		free(dbdata);
+	}
+}
+
+/*
+ * Return the version of the API
+ */
+int
+dlz_version(unsigned int *flags) {
+	*flags |= DNS_SDLZFLAG_RELATIVERDATA;
+#if PTHREADS
+	*flags |= DNS_SDLZFLAG_THREADSAFE;
+#else  /* if PTHREADS */
+	*flags &= ~DNS_SDLZFLAG_THREADSAFE;
+#endif /* if PTHREADS */
+	return (DLZ_DLOPEN_VERSION);
+}
+
+/*
+ * Register a helper function from the bind9 dlz_dlopen driver
+ */
+static void
+b9_add_helper(ldap_instance_t *db, const char *helper_name, void *ptr) {
+	if (strcmp(helper_name, "log") == 0) {
+		db->log = (log_t *)ptr;
+	}
+	if (strcmp(helper_name, "putrr") == 0) {
+		db->putrr = (dns_sdlz_putrr_t *)ptr;
+	}
+	if (strcmp(helper_name, "putnamedrr") == 0) {
+		db->putnamedrr = (dns_sdlz_putnamedrr_t *)ptr;
+	}
+	if (strcmp(helper_name, "writeable_zone") == 0) {
+		db->writeable_zone = (dns_dlz_writeablezone_t *)ptr;
+	}
+}
diff --git a/contrib/dlz/modules/ldap/testing/README b/contrib/dlz/modules/ldap/testing/README
new file mode 100644
index 0000000..69b1381
--- /dev/null
+++ b/contrib/dlz/modules/ldap/testing/README
@@ -0,0 +1,10 @@
+These files were used for testing on Ubuntu Linux using OpenLDAP.
+
+- Move aside /etc/ldap/slapd.d
+- Move slapd.conf to /etc/ldap
+- Move dlz.schema to /etc/ldap/schema/dlz.schema
+- Run "/etc/init.d/slapd restart"
+- Run "ldapadd -x -f example.ldif -D 'cn=Manager,o=bind-dlz' -w secret"
+
+LDAP server is now loaded with example.com data from the file example.ldif
+
diff --git a/contrib/dlz/modules/ldap/testing/dlz.schema b/contrib/dlz/modules/ldap/testing/dlz.schema
new file mode 100644
index 0000000..d0f0086
--- /dev/null
+++ b/contrib/dlz/modules/ldap/testing/dlz.schema
@@ -0,0 +1,192 @@
+#
+#
+# 1.3.6.1.4.1.18420.1.1.X is reserved for attribute types declared by the DLZ project.
+# 1.3.6.1.4.1.18420.1.2.X is reserved for object classes declared by the DLZ project.
+# 1.3.6.1.4.1.18420.1.3.X is reserved for PRIVATE extensions to the DLZ attribute
+# types and object classes that may be needed by end users
+# to add security, etc.  Attributes and object classes using
+# this OID MUST NOT be published outside of an organization
+# except to offer them for consideration to become part of the
+# standard attributes and object classes published by the DLZ project.
+
+attributetype ( 1.3.6.1.4.1.18420.1.1.10
+	NAME 'dlzZoneName'
+	DESC 'DNS zone name - domain name not including host name'
+	SUP name
+	SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.18420.1.1.20
+	NAME 'dlzHostName'
+	DESC 'Host portion of a domain name'
+	SUP name
+	SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.18420.1.1.30
+	NAME 'dlzData'
+	DESC 'Data for the resource record'
+	SUP name
+	SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.18420.1.1.40
+	NAME 'dlzType'
+	DESC 'DNS record type - A, SOA, NS, MX, etc...'
+	SUP name
+	SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.18420.1.1.50
+	NAME 'dlzSerial'
+	DESC 'SOA record serial number'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+	SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.18420.1.1.60
+	NAME 'dlzRefresh'
+	DESC 'SOA record refresh time in seconds'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+	SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.18420.1.1.70
+	NAME 'dlzRetry'
+	DESC 'SOA retry time in seconds'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+	SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.18420.1.1.80
+	NAME 'dlzExpire'
+	DESC 'SOA expire time in seconds'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+	SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.18420.1.1.90
+	NAME 'dlzMinimum'
+	DESC 'SOA minimum time in seconds'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+	SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.18420.1.1.100
+	NAME 'dlzAdminEmail'
+	DESC 'E-mail address of person responsible for this zone - @ should be replaced with . (period)'
+	SUP name
+	SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.18420.1.1.110
+	NAME 'dlzPrimaryNS'
+	DESC 'Primary name server for this zone - should be host name not IP address'
+	SUP name
+	SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.18420.1.1.120
+	NAME 'dlzIPAddr'
+	DESC 'IP address - IPV4 should be in dot notation xxx.xxx.xxx.xxx IPV6 should be in colon notation xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx'
+	EQUALITY caseExactIA5Match
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{40}
+	SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.18420.1.1.130
+	NAME 'dlzCName'
+	DESC 'DNS cname'
+	SUP name
+	SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.18420.1.1.140
+	NAME 'dlzPreference'
+	DESC 'DNS MX record preference.  Lower numbers have higher preference'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+	SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.18420.1.1.150
+	NAME 'dlzTTL'
+	DESC 'DNS time to live - how long this record can be cached by caching DNS servers'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+	SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.18420.1.1.160
+	NAME 'dlzRecordID'
+	DESC 'Unique ID for each DLZ resource record'
+	SUP name
+	SINGLE-VALUE )
+
+#------------------------------------------------------------------------------
+# Object class definitions
+#------------------------------------------------------------------------------
+
+objectclass ( 1.3.6.1.4.1.18420.1.2.10
+	NAME 'dlzZone'
+	DESC 'Zone name portion of a domain name'
+	SUP top STRUCTURAL
+	MUST ( objectclass $ dlzZoneName ) )
+
+objectclass ( 1.3.6.1.4.1.18420.1.2.20
+	NAME 'dlzHost'
+	DESC 'Host name portion of a domain name'
+	SUP top STRUCTURAL
+	MUST ( objectclass $ dlzHostName ) MAY ( description ) )
+
+objectclass ( 1.3.6.1.4.1.18420.1.2.30
+	NAME 'dlzAbstractRecord'
+	DESC 'Data common to all DNS record types'
+	SUP top ABSTRACT
+	MUST ( objectclass $ dlzRecordID $ dlzHostName $ dlzType $ dlzTTL ) MAY ( description ) )
+
+objectclass ( 1.3.6.1.4.1.18420.1.2.40
+	NAME 'dlzGenericRecord'
+	DESC 'Generic DNS record - useful when a specific object class has not been defined for a DNS record'
+	SUP dlzAbstractRecord STRUCTURAL
+	MUST ( dlzData ) )
+
+objectclass ( 1.3.6.1.4.1.18420.1.2.50
+	NAME 'dlzARecord'
+	DESC 'DNS A record'
+	SUP dlzAbstractrecord STRUCTURAL
+	MUST ( dlzIPAddr ) )
+
+objectclass ( 1.3.6.1.4.1.18420.1.2.60
+	NAME 'dlzNSRecord'
+	DESC 'DNS NS record'
+	SUP dlzGenericRecord STRUCTURAL )
+
+objectclass ( 1.3.6.1.4.1.18420.1.2.70
+	NAME 'dlzMXRecord'
+	DESC 'DNS MX record'
+	SUP dlzGenericRecord STRUCTURAL
+	MUST ( dlzPreference ) )
+
+objectclass ( 1.3.6.1.4.1.18420.1.2.80
+	NAME 'dlzSOARecord'
+	DESC 'DNS SOA record'
+	SUP dlzAbstractRecord STRUCTURAL
+	MUST ( dlzSerial $ dlzRefresh $ dlzRetry
+	       $ dlzExpire $ dlzMinimum $ dlzAdminEmail $ dlzPrimaryNS ) )
+
+objectclass ( 1.3.6.1.4.1.18420.1.2.90
+	NAME 'dlzTextRecord'
+	DESC 'Text data with spaces should be wrapped in double quotes'
+	SUP dlzGenericRecord STRUCTURAL )
+
+objectclass ( 1.3.6.1.4.1.18420.1.2.100
+	NAME 'dlzPTRRecord'
+	DESC 'DNS PTR record'
+	SUP dlzGenericRecord STRUCTURAL )
+
+objectclass ( 1.3.6.1.4.1.18420.1.2.110
+	NAME 'dlzCNameRecord'
+	DESC 'DNS CName record'
+	SUP dlzGenericRecord STRUCTURAL )
+
+objectclass ( 1.3.6.1.4.1.18420.1.2.120
+	NAME 'dlzXFR'
+	DESC 'Host allowed to perform zone transfer'
+	SUP top STRUCTURAL
+	MUST ( objectclass $ dlzRecordID $ dlzIPAddr ) )
+
+objectclass ( 1.3.6.1.4.1.18420.1.2.130
+	NAME 'dlzDNameRecord'
+	DESC 'DNS DName record'
+	SUP dlzGenericRecord STRUCTURAL )
diff --git a/contrib/dlz/modules/ldap/testing/example.ldif b/contrib/dlz/modules/ldap/testing/example.ldif
new file mode 100644
index 0000000..fff1793
--- /dev/null
+++ b/contrib/dlz/modules/ldap/testing/example.ldif
@@ -0,0 +1,192 @@
+# server suffix - o=bind-dlz
+
+dn: o=bind-dlz
+objectclass: organization
+o: bind-dlz
+
+dn: ou=dns,o=bind-dlz
+objectclass: organizationalUnit
+ou: dns
+
+dn: dlzZoneName=example.com,ou=dns,o=bind-dlz
+objectclass: dlzZone
+dlzZoneName: example.com
+
+dn: dlzHostName=@,dlzZoneName=example.com,ou=dns,o=bind-dlz
+objectclass: dlzHost
+dlzHostName: @
+
+dn: dlzHostName=www,dlzZoneName=example.com,ou=dns,o=bind-dlz
+objectclass: dlzHost
+dlzHostName: www
+
+dn: dlzHostName=mail,dlzZoneName=example.com,ou=dns,o=bind-dlz
+objectclass: dlzHost
+dlzHostName: mail
+
+dn: dlzHostName=backup,dlzZoneName=example.com,ou=dns,o=bind-dlz
+objectclass: dlzHost
+dlzHostName: backup
+
+dn: dlzHostName=ns1,dlzZoneName=example.com,ou=dns,o=bind-dlz
+objectclass: dlzHost
+dlzHostName: ns1
+
+dn: dlzHostName=ns2,dlzZoneName=example.com,ou=dns,o=bind-dlz
+objectclass: dlzHost
+dlzHostName: ns2
+
+dn: dlzHostName=~,dlzZoneName=example.com,ou=dns,o=bind-dlz
+objectclass: dlzHost
+dlzHostName: ~
+
+dn: dlzHostName=cname,dlzZoneName=example.com,ou=dns,o=bind-dlz
+objectclass: dlzHost
+dlzHostName: cname
+
+dn: dlzHostName=dname,dlzZoneName=example.com,ou=dns,o=bind-dlz
+objectclass: dlzHost
+dlzHostName: dname
+
+dn: dlzRecordID=1,dlzHostName=@,dlzZoneName=example.com,ou=dns,o=bind-dlz
+objectclass: dlzGenericRecord
+dlzRecordID: 1
+dlzHostName: @
+dlzType: txt
+dlzData: "this is a text record"
+dlzTTL: 10
+
+dn: dlzRecordID=2,dlzHostName=www,dlzZoneName=example.com,ou=dns,o=bind-dlz
+objectclass: dlzARecord
+dlzRecordID: 2
+dlzHostName: www
+dlzType: a
+dlzIPAddr: 192.168.0.1
+dlzTTL: 10
+
+dn: dlzRecordID=3,dlzHostName=mail,dlzZoneName=example.com,ou=dns,o=bind-dlz
+objectclass: dlzARecord
+dlzRecordID: 3
+dlzHostName: mail
+dlzType: a
+dlzIPAddr: 192.168.0.2
+dlzTTL: 10
+
+dn: dlzRecordID=4,dlzHostName=backup,dlzZoneName=example.com,ou=dns,o=bind-dlz
+objectclass: dlzARecord
+dlzRecordID: 4
+dlzHostName: backup
+dlzType: a
+dlzIPAddr: 192.168.0.3
+dlzTTL: 10
+
+dn: dlzRecordID=5,dlzHostName=@,dlzZoneName=example.com,ou=dns,o=bind-dlz
+objectclass: dlzMXRecord
+dlzRecordID: 5
+dlzHostName: @
+dlzType: mx
+dlzData: mail
+dlzPreference: 20
+dlzTTL: 10
+
+dn: dlzRecordID=6,dlzHostName=@,dlzZoneName=example.com,ou=dns,o=bind-dlz
+objectclass: dlzMXRecord
+dlzRecordID: 6
+dlzHostName: @
+dlzType: mx
+dlzData: backup
+dlzPreference: 40
+dlzTTL: 10
+
+dn: dlzRecordID=7,dlzHostName=www,dlzZoneName=example.com,ou=dns,o=bind-dlz
+objectclass: dlzMXRecord
+dlzRecordID: 7
+dlzHostName: www
+dlzType: mx
+dlzData: backup
+dlzPreference: 40
+dlzTTL: 10
+
+dn: dlzRecordID=8,dlzHostName=www,dlzZoneName=example.com,ou=dns,o=bind-dlz
+objectclass: dlzMXRecord
+dlzRecordID: 8
+dlzHostName: www
+dlzType: mx
+dlzData: mail
+dlzPreference: 20
+dlzTTL: 10
+
+dn: dlzRecordID=9,dlzHostName=ns1,dlzZoneName=example.com,ou=dns,o=bind-dlz
+objectclass: dlzARecord
+dlzRecordID: 9
+dlzHostName: ns1
+dlzType: a
+dlzIPAddr: 192.168.0.4
+dlzTTL: 10
+
+dn: dlzRecordID=10,dlzHostName=ns2,dlzZoneName=example.com,ou=dns,o=bind-dlz
+objectclass: dlzARecord
+dlzRecordID: 10
+dlzHostName: ns2
+dlzType: a
+dlzIPAddr: 192.168.0.5
+dlzTTL: 10
+
+dn: dlzRecordID=11,dlzHostName=@,dlzZoneName=example.com,ou=dns,o=bind-dlz
+objectclass: dlzSOARecord
+dlzRecordID: 11
+dlzHostName: @
+dlzType: soa
+dlzSerial: 2
+dlzRefresh: 2800
+dlzRetry: 7200
+dlzExpire: 604800
+dlzMinimum: 86400
+dlzAdminEmail: root.example.com.
+dlzPrimaryns: ns1.example.com.
+dlzTTL: 10
+
+dn: dlzRecordID=12,dlzHostName=@,dlzZoneName=example.com,ou=dns,o=bind-dlz
+objectclass: dlzNSRecord
+dlzRecordID: 12
+dlzHostName: @
+dlzType: ns
+dlzData: ns1.example.com.
+dlzTTL: 10
+
+dn: dlzRecordID=13,dlzHostName=@,dlzZoneName=example.com,ou=dns,o=bind-dlz
+objectclass: dlzNSRecord
+dlzRecordID: 13
+dlzHostName: @
+dlzType: ns
+dlzData: ns2
+dlzTTL: 10
+
+dn: dlzRecordID=14,dlzHostName=~,dlzZoneName=example.com,ou=dns,o=bind-dlz
+objectclass: dlzARecord
+dlzRecordID: 14
+dlzHostName: ~
+dlzType: a
+dlzIPAddr: 192.168.0.250
+dlzTTL: 10
+
+dn: dlzRecordID=15,dlzZoneName=example.com,ou=dns,o=bind-dlz
+objectclass: dlzXFR
+dlzRecordID: 15
+dlzIPAddr: 127.0.0.1
+
+dn: dlzRecordID=16,dlzHostName=cname,dlzZoneName=example.com,ou=dns,o=bind-dlz
+objectclass: dlzCNameRecord
+dlzRecordID: 16
+dlzHostName: cname
+dlzType: cname
+dlzData: www
+dlzTTL: 10
+
+dn: dlzRecordID=17,dlzHostName=dname,dlzZoneName=example.com,ou=dns,o=bind-dlz
+objectclass: dlzDNameRecord
+dlzRecordID: 17
+dlzHostName: dname
+dlzType: dname
+dlzData: example.net.
+dlzTTL: 10
diff --git a/contrib/dlz/modules/ldap/testing/named.conf b/contrib/dlz/modules/ldap/testing/named.conf
new file mode 100644
index 0000000..3f8378b
--- /dev/null
+++ b/contrib/dlz/modules/ldap/testing/named.conf
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+controls { };
+
+options {
+	directory ".";
+	port 5300;
+	pid-file "named.pid";
+	session-keyfile "session.key";
+	listen-on { any; };
+	listen-on-v6 { none; };
+	recursion no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-md5;
+};
+
+controls {
+	inet 127.0.0.1 port 9953 allow { any; } keys { rndc_key; };
+};
+
+dlz "test" {
+	database "dlopen ../dlz_ldap_dynamic.so 2
+        v3 simple {cn=Manager,o=bind-dlz} {secret} {127.0.0.1}
+        ldap:///dlzZoneName=$zone$,ou=dns,o=bind-dlz???objectclass=dlzZone
+        ldap:///dlzHostName=$record$,dlzZoneName=$zone$,ou=dns,o=bind-dlz?dlzTTL,dlzType,dlzPreference,dlzData,dlzIPAddr?sub?(&(objectclass=dlzAbstractRecord)(!(dlzType=soa)))
+        ldap:///dlzHostName=@,dlzZoneName=$zone$,ou=dns,o=bind-dlz?dlzTTL,dlzType,dlzData,dlzPrimaryNS,dlzAdminEmail,dlzSerial,dlzRefresh,dlzRetry,dlzExpire,dlzMinimum?sub?(&(objectclass=dlzAbstractRecord)(dlzType=soa))
+        ldap:///dlzZoneName=$zone$,ou=dns,o=bind-dlz?dlzTTL,dlzType,dlzHostName,dlzPreference,dlzData,dlzIPAddr,dlzPrimaryNS,dlzAdminEmail,dlzSerial,dlzRefresh,dlzRetry,dlzExpire,dlzMinimum?sub?(&(objectclass=dlzAbstractRecord)(!(dlzType=soa)))
+        ldap:///dlzZoneName=$zone$,ou=dns,o=bind-dlz??sub?(&(objectclass=dlzXFR)(dlzIPAddr=$client$))";
+};
diff --git a/contrib/dlz/modules/ldap/testing/slapd.conf b/contrib/dlz/modules/ldap/testing/slapd.conf
new file mode 100644
index 0000000..14c8ffb
--- /dev/null
+++ b/contrib/dlz/modules/ldap/testing/slapd.conf
@@ -0,0 +1,44 @@
+# this is the full path to the core.schema
+include               /etc/ldap/schema/core.schema
+
+# this is the full path to the dlz.schema
+include               /etc/ldap/schema/dlz.schema
+
+# these files hold the slapd process ID and program args when
+# slapd is started.
+pidfile         /var/run/slapd/slapd.pid
+argsfile        /var/run/slapd/slapd.args
+
+modulepath      /usr/lib/ldap
+moduleload      back_hdb
+
+# this allows ldap version 2 connections.  You should comment
+# it out if you don't need ldap version 2.
+allow bind_v2
+
+# this sets up the Berkeley DB database backend for LDAP to use.
+database      hdb
+
+# This is the root of the LDAP server.  You still need to add
+# an entry to this location via a LDIF file, or you won't be
+# able to add anything else into the LDAP server. 
+suffix                "o=bind-dlz"
+
+# this is the "username" you have to use when connecting to the
+# ldap server to make updates.  Type the whole thing exactly
+# as you see it as a parameter to ldapadd. 
+rootdn                "cn=Manager,o=bind-dlz"
+
+# this is the "password" you have to use when connecting to the
+# ldap server to make updates.
+rootpw                secret
+
+# this is the directory that the LDAP server will create the
+# Berkeley DB backend in.
+directory     /var/lib/ldap
+
+# this just adds some indexing to the LDAP server.
+# probably should have more to better optimize DLZ LDAP searches.
+index cn,sn,uid pres,eq
+index objectClass     eq
+
diff --git a/contrib/dlz/modules/mysql/Makefile.in b/contrib/dlz/modules/mysql/Makefile.in
new file mode 100644
index 0000000..4aa199e
--- /dev/null
+++ b/contrib/dlz/modules/mysql/Makefile.in
@@ -0,0 +1,52 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+# Copyright Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# Copyright (C) Stichting NLnet, Netherlands, stichting@nlnet.nl.
+#
+# The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
+# conceived and contributed by Rob Butler.
+#
+# SPDX-License-Identifier: ISC and MPL-2.0
+#
+# Permission to use, copy, modify, and distribute this software for any purpose
+# with or without fee is hereby granted, provided that the above copyright
+# notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND STICHTING NLNET DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL STICHTING NLNET BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+# OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+# CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+prefix = /usr
+libdir = $(prefix)/lib/bind9
+
+CFLAGS=-fPIC -Wall -g -I../include @DLZ_DRIVER_MYSQL_INCLUDES@
+MYSQL_LIBS=@DLZ_DRIVER_MYSQL_LIBS@
+
+all: dlz_mysql_dynamic.so
+
+dlz_dbi.o: ../common/dlz_dbi.c
+	$(CC) $(CFLAGS) -c ../common/dlz_dbi.c
+
+dlz_mysql_dynamic.so: dlz_mysql_dynamic.c dlz_dbi.o
+	$(CC) $(CFLAGS) -shared -o dlz_mysql_dynamic.so \
+		dlz_mysql_dynamic.c dlz_dbi.o $(MYSQL_LIBS)
+
+clean:
+	rm -f dlz_mysql_dynamic.so *.o
+
+install: dlz_mysql_dynamic.so
+	mkdir -p $(DESTDIR)$(libdir)
+	install dlz_mysql_dynamic.so $(DESTDIR)$(libdir)
diff --git a/contrib/dlz/modules/mysql/dlz_mysql_dynamic.c b/contrib/dlz/modules/mysql/dlz_mysql_dynamic.c
new file mode 100644
index 0000000..a7b48c5
--- /dev/null
+++ b/contrib/dlz/modules/mysql/dlz_mysql_dynamic.c
@@ -0,0 +1,1109 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 and ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+
+/*
+ * Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
+ *
+ * The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
+ * conceived and contributed by Rob Butler.
+ *
+ * Permission to use, copy, modify, and distribute this software for any purpose
+ * with or without fee is hereby granted, provided that the above copyright
+ * notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+ * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * This provides the externally loadable MySQL DLZ module, without
+ * update support
+ */
+
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <mysql/mysql.h>
+
+#include <dlz_dbi.h>
+#include <dlz_list.h>
+#include <dlz_minimal.h>
+#include <dlz_pthread.h>
+
+#if !defined(MARIADB_BASE_VERSION) && MYSQL_VERSION_ID >= 80000
+typedef bool my_bool;
+#endif /* !defined(MARIADB_BASE_VERSION) && MYSQL_VERSION_ID >= 80000 */
+
+#define dbc_search_limit 30
+#define ALLNODES	 1
+#define ALLOWXFR	 2
+#define AUTHORITY	 3
+#define FINDZONE	 4
+#define COUNTZONE	 5
+#define LOOKUP		 6
+
+#define safeGet(in) in == NULL ? "" : in
+
+/*%
+ * Structure to hold everything needed by this "instance" of the MySQL
+ * module remember, the module code is only loaded once, but may have
+ * many separate instances.
+ */
+typedef struct {
+#if PTHREADS
+	db_list_t *db; /*%< handle to a list of DB */
+	int dbcount;
+#else  /* if PTHREADS */
+	dbinstance_t *db; /*%< handle to DB */
+#endif /* if PTHREADS */
+
+	unsigned int flags;
+	char *dbname;
+	char *host;
+	char *user;
+	char *pass;
+	char *socket;
+	int port;
+
+	/* Helper functions from the dlz_dlopen driver */
+	log_t *log;
+	dns_sdlz_putrr_t *putrr;
+	dns_sdlz_putnamedrr_t *putnamedrr;
+	dns_dlz_writeablezone_t *writeable_zone;
+} mysql_instance_t;
+
+/* forward references */
+isc_result_t
+dlz_findzonedb(void *dbdata, const char *name, dns_clientinfomethods_t *methods,
+	       dns_clientinfo_t *clientinfo);
+
+void
+dlz_destroy(void *dbdata);
+
+static void
+b9_add_helper(mysql_instance_t *db, const char *helper_name, void *ptr);
+
+/*
+ * Private methods
+ */
+
+void
+mysql_destroy(dbinstance_t *db) {
+	/* release DB connection */
+	if (db->dbconn != NULL) {
+		mysql_close((MYSQL *)db->dbconn);
+	}
+
+	/* destroy DB instance */
+	destroy_dbinstance(db);
+}
+
+#if PTHREADS
+/*%
+ * Properly cleans up a list of database instances.
+ * This function is only used when the module is compiled for
+ * multithreaded operation.
+ */
+static void
+mysql_destroy_dblist(db_list_t *dblist) {
+	dbinstance_t *ndbi = NULL;
+	dbinstance_t *dbi = NULL;
+
+	ndbi = DLZ_LIST_HEAD(*dblist);
+	while (ndbi != NULL) {
+		dbi = ndbi;
+		ndbi = DLZ_LIST_NEXT(dbi, link);
+
+		mysql_destroy(dbi);
+	}
+
+	/* release memory for the list structure */
+	free(dblist);
+}
+
+/*%
+ * Loops through the list of DB instances, attempting to lock
+ * on the mutex.  If successful, the DBI is reserved for use
+ * and the thread can perform queries against the database.
+ * If the lock fails, the next one in the list is tried.
+ * looping continues until a lock is obtained, or until
+ * the list has been searched dbc_search_limit times.
+ * This function is only used when the module is compiled for
+ * multithreaded operation.
+ */
+static dbinstance_t *
+mysql_find_avail_conn(mysql_instance_t *mysql) {
+	dbinstance_t *dbi = NULL, *head;
+	int count = 0;
+
+	/* get top of list */
+	head = dbi = DLZ_LIST_HEAD(*(mysql->db));
+
+	/* loop through list */
+	while (count < dbc_search_limit) {
+		/* try to lock on the mutex */
+		if (dlz_mutex_trylock(&dbi->lock) == 0) {
+			return (dbi); /* success, return the DBI for use. */
+		}
+		/* not successful, keep trying */
+		dbi = DLZ_LIST_NEXT(dbi, link);
+
+		/* check to see if we have gone to the top of the list. */
+		if (dbi == NULL) {
+			count++;
+			dbi = head;
+		}
+	}
+
+	mysql->log(ISC_LOG_INFO,
+		   "MySQL module unable to find available connection "
+		   "after searching %d times",
+		   count);
+	return (NULL);
+}
+#endif /* PTHREADS */
+
+/*%
+ * Allocates memory for a new string, and then constructs the new
+ * string by "escaping" the input string.  The new string is
+ * safe to be used in queries.  This is necessary because we cannot
+ * be sure of what types of strings are passed to us, and we don't
+ * want special characters in the string causing problems.
+ */
+static char *
+mysqldrv_escape_string(MYSQL *mysql, const char *instr) {
+	char *outstr;
+	unsigned int len;
+
+	if (instr == NULL) {
+		return (NULL);
+	}
+
+	len = strlen(instr);
+	outstr = malloc((2 * len * sizeof(char)) + 1);
+	if (outstr == NULL) {
+		return (NULL);
+	}
+
+	mysql_real_escape_string(mysql, outstr, instr, len);
+
+	return (outstr);
+}
+
+/*%
+ * This function is the real core of the module.   Zone, record
+ * and client strings are passed in (or NULL is passed if the
+ * string is not available).  The type of query we want to run
+ * is indicated by the query flag, and the dbdata object is passed
+ * passed in to.  dbdata really holds a single database instance.
+ * The function will construct and run the query, hopefully getting
+ * a result set.
+ */
+static isc_result_t
+mysql_get_resultset(const char *zone, const char *record, const char *client,
+		    unsigned int query, void *dbdata, MYSQL_RES **rs) {
+	isc_result_t result;
+	dbinstance_t *dbi = NULL;
+	mysql_instance_t *db = (mysql_instance_t *)dbdata;
+	char *querystring = NULL;
+	unsigned int i = 0;
+	unsigned int j = 0;
+	int qres = 0;
+
+#if PTHREADS
+	/* find an available DBI from the list */
+	dbi = mysql_find_avail_conn(db);
+#else  /* PTHREADS */
+	/*
+	 * only 1 DBI - no need to lock instance lock either
+	 * only 1 thread in the whole process, no possible contention.
+	 */
+	dbi = (dbinstance_t *)(db->db);
+#endif /* PTHREADS */
+
+	if (dbi == NULL) {
+		return (ISC_R_FAILURE);
+	}
+
+	/* what type of query are we going to run? */
+	switch (query) {
+	case ALLNODES:
+		if (dbi->allnodes_q == NULL) {
+			result = ISC_R_NOTIMPLEMENTED;
+			goto cleanup;
+		}
+		break;
+	case ALLOWXFR:
+		if (dbi->allowxfr_q == NULL) {
+			result = ISC_R_NOTIMPLEMENTED;
+			goto cleanup;
+		}
+		break;
+	case AUTHORITY:
+		if (dbi->authority_q == NULL) {
+			result = ISC_R_NOTIMPLEMENTED;
+			goto cleanup;
+		}
+		break;
+	case FINDZONE:
+		if (dbi->findzone_q == NULL) {
+			db->log(ISC_LOG_DEBUG(2), "No query specified for "
+						  "findzone.  "
+						  "Findzone requires a query");
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+		break;
+	case COUNTZONE:
+		if (dbi->countzone_q == NULL) {
+			result = ISC_R_NOTIMPLEMENTED;
+			goto cleanup;
+		}
+		break;
+	case LOOKUP:
+		if (dbi->lookup_q == NULL) {
+			db->log(ISC_LOG_DEBUG(2), "No query specified for "
+						  "lookup.  "
+						  "Lookup requires a query");
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+		break;
+	default:
+		db->log(ISC_LOG_ERROR, "Incorrect query flag passed to "
+				       "mysql_get_resultset");
+		result = ISC_R_UNEXPECTED;
+		goto cleanup;
+	}
+
+	if (zone != NULL) {
+		if (dbi->zone != NULL) {
+			free(dbi->zone);
+		}
+
+		dbi->zone = mysqldrv_escape_string((MYSQL *)dbi->dbconn, zone);
+		if (dbi->zone == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+	} else {
+		dbi->zone = NULL;
+	}
+
+	if (record != NULL) {
+		if (dbi->record != NULL) {
+			free(dbi->record);
+		}
+
+		dbi->record = mysqldrv_escape_string((MYSQL *)dbi->dbconn,
+						     record);
+		if (dbi->record == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+	} else {
+		dbi->record = NULL;
+	}
+
+	if (client != NULL) {
+		if (dbi->client != NULL) {
+			free(dbi->client);
+		}
+
+		dbi->client = mysqldrv_escape_string((MYSQL *)dbi->dbconn,
+						     client);
+		if (dbi->client == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+	} else {
+		dbi->client = NULL;
+	}
+
+	/*
+	 * what type of query are we going to run?  this time we build
+	 * the actual query to run.
+	 */
+	switch (query) {
+	case ALLNODES:
+		querystring = build_querystring(dbi->allnodes_q);
+		break;
+	case ALLOWXFR:
+		querystring = build_querystring(dbi->allowxfr_q);
+		break;
+	case AUTHORITY:
+		querystring = build_querystring(dbi->authority_q);
+		break;
+	case FINDZONE:
+		querystring = build_querystring(dbi->findzone_q);
+		break;
+	case COUNTZONE:
+		querystring = build_querystring(dbi->countzone_q);
+		break;
+	case LOOKUP:
+		querystring = build_querystring(dbi->lookup_q);
+		break;
+	default:
+		db->log(ISC_LOG_ERROR, "Incorrect query flag passed to "
+				       "mysql_get_resultset");
+		result = ISC_R_UNEXPECTED;
+		goto cleanup;
+	}
+
+	if (querystring == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+
+	/* output the full query string when debugging */
+	db->log(ISC_LOG_DEBUG(1), "\nQuery String: %s\n", querystring);
+
+	/* attempt query up to 3 times. */
+	for (i = 0; i < 3; i++) {
+		qres = mysql_query((MYSQL *)dbi->dbconn, querystring);
+		if (qres == 0) {
+			break;
+		}
+		for (j = 0; j < 4; j++) {
+			if (mysql_ping((MYSQL *)dbi->dbconn) == 0) {
+				break;
+			}
+		}
+	}
+
+	if (qres == 0) {
+		result = ISC_R_SUCCESS;
+		if (query != COUNTZONE) {
+			*rs = mysql_store_result((MYSQL *)dbi->dbconn);
+			if (*rs == NULL) {
+				result = ISC_R_FAILURE;
+			}
+		}
+	} else {
+		result = ISC_R_FAILURE;
+	}
+
+cleanup:
+	if (dbi->zone != NULL) {
+		free(dbi->zone);
+		dbi->zone = NULL;
+	}
+	if (dbi->record != NULL) {
+		free(dbi->record);
+		dbi->record = NULL;
+	}
+	if (dbi->client != NULL) {
+		free(dbi->client);
+		dbi->client = NULL;
+	}
+
+	/* release the lock so another thread can use this dbi */
+	(void)dlz_mutex_unlock(&dbi->lock);
+
+	if (querystring != NULL) {
+		free(querystring);
+	}
+
+	return (result);
+}
+
+/*%
+ * The processing of result sets for lookup and authority are
+ * exactly the same.  So that functionality has been moved
+ * into this function to minimize code.
+ */
+static isc_result_t
+mysql_process_rs(mysql_instance_t *db, dns_sdlzlookup_t *lookup,
+		 MYSQL_RES *rs) {
+	isc_result_t result = ISC_R_NOTFOUND;
+	MYSQL_ROW row;
+	unsigned int fields;
+	unsigned int j;
+	char *tmpString;
+	char *endp;
+	int ttl;
+
+	fields = mysql_num_fields(rs); /* how many columns in result set */
+	row = mysql_fetch_row(rs);     /* get a row from the result set */
+	while (row != NULL) {
+		unsigned int len = 0;
+
+		switch (fields) {
+		case 1:
+			/*
+			 * one column in rs, it's the data field.  use
+			 * default type of A record, and default TTL
+			 * of 86400
+			 */
+			result = db->putrr(lookup, "a", 86400, safeGet(row[0]));
+			break;
+		case 2:
+			/*
+			 * two columns, data field, and data type.
+			 * use default TTL of 86400.
+			 */
+			result = db->putrr(lookup, safeGet(row[0]), 86400,
+					   safeGet(row[1]));
+			break;
+		case 3:
+			/*
+			 * three columns, all data no defaults.
+			 * convert text to int, make sure it worked
+			 * right.
+			 */
+			ttl = strtol(safeGet(row[0]), &endp, 10);
+			if (*endp != '\0' || ttl < 0) {
+				db->log(ISC_LOG_ERROR, "MySQL module ttl must "
+						       "be "
+						       "a positive number");
+				return (ISC_R_FAILURE);
+			}
+
+			result = db->putrr(lookup, safeGet(row[1]), ttl,
+					   safeGet(row[2]));
+			break;
+		default:
+			/*
+			 * more than 3 fields, concatenate the last
+			 * ones together.  figure out how long to make
+			 * string.
+			 */
+			for (j = 2; j < fields; j++) {
+				len += strlen(safeGet(row[j])) + 1;
+			}
+
+			/*
+			 * allocate string memory, allow for NULL to
+			 * term string
+			 */
+			tmpString = malloc(len + 1);
+			if (tmpString == NULL) {
+				db->log(ISC_LOG_ERROR, "MySQL module unable to "
+						       "allocate "
+						       "memory for temporary "
+						       "string");
+				mysql_free_result(rs);
+				return (ISC_R_FAILURE);
+			}
+
+			strcpy(tmpString, safeGet(row[2]));
+			for (j = 3; j < fields; j++) {
+				strcat(tmpString, " ");
+				strcat(tmpString, safeGet(row[j]));
+			}
+
+			ttl = strtol(safeGet(row[0]), &endp, 10);
+			if (*endp != '\0' || ttl < 0) {
+				db->log(ISC_LOG_ERROR, "MySQL module ttl must "
+						       "be "
+						       "a positive number");
+				free(tmpString);
+				return (ISC_R_FAILURE);
+			}
+
+			result = db->putrr(lookup, safeGet(row[1]), ttl,
+					   tmpString);
+			free(tmpString);
+		}
+
+		if (result != ISC_R_SUCCESS) {
+			mysql_free_result(rs);
+			db->log(ISC_LOG_ERROR, "putrr returned error: %d",
+				result);
+			return (ISC_R_FAILURE);
+		}
+
+		row = mysql_fetch_row(rs);
+	}
+
+	mysql_free_result(rs);
+	return (result);
+}
+
+/*
+ * DLZ methods
+ */
+
+/*% determine if the zone is supported by (in) the database */
+isc_result_t
+dlz_findzonedb(void *dbdata, const char *name, dns_clientinfomethods_t *methods,
+	       dns_clientinfo_t *clientinfo) {
+	isc_result_t result;
+	MYSQL_RES *rs = NULL;
+	my_ulonglong rows;
+	mysql_instance_t *db = (mysql_instance_t *)dbdata;
+
+	UNUSED(methods);
+	UNUSED(clientinfo);
+
+	result = mysql_get_resultset(name, NULL, NULL, FINDZONE, dbdata, &rs);
+	if (result != ISC_R_SUCCESS || rs == NULL) {
+		if (rs != NULL) {
+			mysql_free_result(rs);
+		}
+
+		db->log(ISC_LOG_ERROR, "MySQL module unable to return "
+				       "result set for findzone query");
+
+		return (ISC_R_FAILURE);
+	}
+
+	/*
+	 * if we returned any rows, the zone is supported.
+	 */
+	rows = mysql_num_rows(rs);
+	mysql_free_result(rs);
+	if (rows > 0) {
+		mysql_get_resultset(name, NULL, NULL, COUNTZONE, dbdata, NULL);
+		return (ISC_R_SUCCESS);
+	}
+
+	return (ISC_R_NOTFOUND);
+}
+
+/*% Determine if the client is allowed to perform a zone transfer */
+isc_result_t
+dlz_allowzonexfr(void *dbdata, const char *name, const char *client) {
+	isc_result_t result;
+	mysql_instance_t *db = (mysql_instance_t *)dbdata;
+	MYSQL_RES *rs = NULL;
+	my_ulonglong rows;
+
+	/* first check if the zone is supported by the database. */
+	result = dlz_findzonedb(dbdata, name, NULL, NULL);
+	if (result != ISC_R_SUCCESS) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	/*
+	 * if we get to this point we know the zone is supported by
+	 * the database the only questions now are is the zone
+	 * transfer is allowed for this client and did the config file
+	 * have an allow zone xfr query.
+	 */
+	result = mysql_get_resultset(name, NULL, client, ALLOWXFR, dbdata, &rs);
+	if (result == ISC_R_NOTIMPLEMENTED) {
+		return (result);
+	}
+
+	if (result != ISC_R_SUCCESS || rs == NULL) {
+		if (rs != NULL) {
+			mysql_free_result(rs);
+		}
+		db->log(ISC_LOG_ERROR, "MySQL module unable to return "
+				       "result set for allow xfr query");
+		return (ISC_R_FAILURE);
+	}
+
+	/*
+	 * count how many rows in result set; if we returned any,
+	 * zone xfr is allowed.
+	 */
+	rows = mysql_num_rows(rs);
+	mysql_free_result(rs);
+	if (rows > 0) {
+		return (ISC_R_SUCCESS);
+	}
+
+	return (ISC_R_NOPERM);
+}
+
+/*%
+ * If the client is allowed to perform a zone transfer, the next order of
+ * business is to get all the nodes in the zone, so bind can respond to the
+ * query.
+ */
+isc_result_t
+dlz_allnodes(const char *zone, void *dbdata, dns_sdlzallnodes_t *allnodes) {
+	isc_result_t result;
+	mysql_instance_t *db = (mysql_instance_t *)dbdata;
+	MYSQL_RES *rs = NULL;
+	MYSQL_ROW row;
+	unsigned int fields;
+	unsigned int j;
+	char *tmpString;
+	char *endp;
+	int ttl;
+
+	result = mysql_get_resultset(zone, NULL, NULL, ALLNODES, dbdata, &rs);
+	if (result == ISC_R_NOTIMPLEMENTED) {
+		return (result);
+	}
+
+	/* if we didn't get a result set, log an err msg. */
+	if (result != ISC_R_SUCCESS) {
+		db->log(ISC_LOG_ERROR, "MySQL module unable to return "
+				       "result set for all nodes query");
+		goto cleanup;
+	}
+
+	result = ISC_R_NOTFOUND;
+
+	fields = mysql_num_fields(rs); /* how many columns in result set */
+	row = mysql_fetch_row(rs);     /* get a row from the result set */
+	while (row != NULL) {
+		if (fields < 4) {
+			db->log(ISC_LOG_ERROR, "MySQL module too few fields "
+					       "returned "
+					       "by all nodes query");
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+
+		ttl = strtol(safeGet(row[0]), &endp, 10);
+		if (*endp != '\0' || ttl < 0) {
+			db->log(ISC_LOG_ERROR, "MySQL module ttl must be "
+					       "a positive number");
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+
+		if (fields == 4) {
+			result = db->putnamedrr(allnodes, safeGet(row[2]),
+						safeGet(row[1]), ttl,
+						safeGet(row[3]));
+		} else {
+			unsigned int len = 0;
+
+			/*
+			 * more than 4 fields, concatenate the last
+			 * ones together.
+			 */
+			for (j = 3; j < fields; j++) {
+				len += strlen(safeGet(row[j])) + 1;
+			}
+
+			tmpString = malloc(len + 1);
+			if (tmpString == NULL) {
+				db->log(ISC_LOG_ERROR, "MySQL module unable to "
+						       "allocate "
+						       "memory for temporary "
+						       "string");
+				result = ISC_R_FAILURE;
+				goto cleanup;
+			}
+
+			strcpy(tmpString, safeGet(row[3]));
+			for (j = 4; j < fields; j++) {
+				strcat(tmpString, " ");
+				strcat(tmpString, safeGet(row[j]));
+			}
+
+			result = db->putnamedrr(allnodes, safeGet(row[2]),
+						safeGet(row[1]), ttl,
+						tmpString);
+			free(tmpString);
+		}
+
+		if (result != ISC_R_SUCCESS) {
+			db->log(ISC_LOG_ERROR, "putnamedrr returned error: %s",
+				result);
+			result = ISC_R_FAILURE;
+			break;
+		}
+
+		row = mysql_fetch_row(rs);
+	}
+
+cleanup:
+	if (rs != NULL) {
+		mysql_free_result(rs);
+	}
+
+	return (result);
+}
+
+/*%
+ * If the lookup function does not return SOA or NS records for the zone,
+ * use this function to get that information for named.
+ */
+isc_result_t
+dlz_authority(const char *zone, void *dbdata, dns_sdlzlookup_t *lookup) {
+	isc_result_t result;
+	MYSQL_RES *rs = NULL;
+	mysql_instance_t *db = (mysql_instance_t *)dbdata;
+
+	result = mysql_get_resultset(zone, NULL, NULL, AUTHORITY, dbdata, &rs);
+	if (result == ISC_R_NOTIMPLEMENTED) {
+		return (result);
+	}
+
+	if (result != ISC_R_SUCCESS) {
+		if (rs != NULL) {
+			mysql_free_result(rs);
+		}
+		db->log(ISC_LOG_ERROR, "MySQL module unable to return "
+				       "result set for authority query");
+		return (ISC_R_FAILURE);
+	}
+
+	/*
+	 * lookup and authority result sets are processed in the same
+	 * manner: mysql_process_rs does the job for both functions.
+	 */
+	return (mysql_process_rs(db, lookup, rs));
+}
+
+/*% If zone is supported, lookup up a (or multiple) record(s) in it */
+isc_result_t
+dlz_lookup(const char *zone, const char *name, void *dbdata,
+	   dns_sdlzlookup_t *lookup, dns_clientinfomethods_t *methods,
+	   dns_clientinfo_t *clientinfo) {
+	isc_result_t result;
+	MYSQL_RES *rs = NULL;
+	mysql_instance_t *db = (mysql_instance_t *)dbdata;
+
+	UNUSED(methods);
+	UNUSED(clientinfo);
+
+	result = mysql_get_resultset(zone, name, NULL, LOOKUP, dbdata, &rs);
+
+	/* if we didn't get a result set, log an err msg. */
+	if (result != ISC_R_SUCCESS) {
+		if (rs != NULL) {
+			mysql_free_result(rs);
+		}
+		db->log(ISC_LOG_ERROR, "MySQL module unable to return "
+				       "result set for lookup query");
+		return (ISC_R_FAILURE);
+	}
+
+	/*
+	 * lookup and authority result sets are processed in the same
+	 * manner: mysql_process_rs does the job for both functions.
+	 */
+	return (mysql_process_rs(db, lookup, rs));
+}
+
+/*%
+ * Create an instance of the module.
+ */
+isc_result_t
+dlz_create(const char *dlzname, unsigned int argc, char *argv[], void **dbdata,
+	   ...) {
+	isc_result_t result = ISC_R_FAILURE;
+	mysql_instance_t *mysql = NULL;
+	dbinstance_t *dbi = NULL;
+	MYSQL *dbc;
+	char *tmp = NULL;
+	char *endp;
+	int j;
+	const char *helper_name;
+#if PTHREADS
+	int dbcount;
+	int i;
+#endif /* PTHREADS */
+	va_list ap;
+
+	UNUSED(dlzname);
+
+	/* allocate memory for MySQL instance */
+	mysql = calloc(1, sizeof(mysql_instance_t));
+	if (mysql == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+	memset(mysql, 0, sizeof(mysql_instance_t));
+
+	/* Fill in the helper functions */
+	va_start(ap, dbdata);
+	while ((helper_name = va_arg(ap, const char *)) != NULL) {
+		b9_add_helper(mysql, helper_name, va_arg(ap, void *));
+	}
+	va_end(ap);
+
+#if PTHREADS
+	/* if debugging, let user know we are multithreaded. */
+	mysql->log(ISC_LOG_DEBUG(1), "MySQL module running multithreaded");
+#else  /* PTHREADS */
+	/* if debugging, let user know we are single threaded. */
+	mysql->log(ISC_LOG_DEBUG(1), "MySQL module running single threaded");
+#endif /* PTHREADS */
+
+	/* verify we have at least 4 arg's passed to the module */
+	if (argc < 4) {
+		mysql->log(ISC_LOG_ERROR, "MySQL module requires "
+					  "at least 4 command line args.");
+		return (ISC_R_FAILURE);
+	}
+
+	/* no more than 8 arg's should be passed to the module */
+	if (argc > 8) {
+		mysql->log(ISC_LOG_ERROR, "MySQL module cannot accept "
+					  "more than 7 command line args.");
+		return (ISC_R_FAILURE);
+	}
+
+	/* get db name - required */
+	mysql->dbname = get_parameter_value(argv[1], "dbname=");
+	if (mysql->dbname == NULL) {
+		mysql->log(ISC_LOG_ERROR, "MySQL module requires a dbname "
+					  "parameter.");
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+
+	/* get db port.  Not required, but must be > 0 if specified */
+	tmp = get_parameter_value(argv[1], "port=");
+	if (tmp == NULL) {
+		mysql->port = 0;
+	} else {
+		mysql->port = strtol(tmp, &endp, 10);
+		if (*endp != '\0' || mysql->port < 0) {
+			mysql->log(ISC_LOG_ERROR, "Mysql module: port "
+						  "must be a positive number.");
+			free(tmp);
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+		free(tmp);
+	}
+
+	mysql->host = get_parameter_value(argv[1], "host=");
+	mysql->user = get_parameter_value(argv[1], "user=");
+	mysql->pass = get_parameter_value(argv[1], "pass=");
+	mysql->socket = get_parameter_value(argv[1], "socket=");
+
+	mysql->flags = CLIENT_REMEMBER_OPTIONS;
+
+	tmp = get_parameter_value(argv[1], "compress=");
+	if (tmp != NULL) {
+		if (strcasecmp(tmp, "true") == 0) {
+			mysql->flags |= CLIENT_COMPRESS;
+		}
+		free(tmp);
+	}
+
+	tmp = get_parameter_value(argv[1], "ssl=");
+	if (tmp != NULL) {
+		if (strcasecmp(tmp, "true") == 0) {
+			mysql->flags |= CLIENT_SSL;
+		}
+		free(tmp);
+	}
+
+	tmp = get_parameter_value(argv[1], "space=");
+	if (tmp != NULL) {
+		if (strcasecmp(tmp, "ignore") == 0) {
+			mysql->flags |= CLIENT_IGNORE_SPACE;
+		}
+		free(tmp);
+	}
+
+#if PTHREADS
+	/* multithreaded build can have multiple DB connections */
+	tmp = get_parameter_value(argv[1], "threads=");
+	if (tmp == NULL) {
+		dbcount = 1;
+	} else {
+		dbcount = strtol(tmp, &endp, 10);
+		if (*endp != '\0' || dbcount < 1) {
+			mysql->log(ISC_LOG_ERROR, "MySQL database connection "
+						  "count "
+						  "must be positive.");
+			free(tmp);
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+		free(tmp);
+	}
+
+	/* allocate memory for database connection list */
+	mysql->db = calloc(1, sizeof(db_list_t));
+	if (mysql->db == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+
+	/* initialize DB connection list */
+	DLZ_LIST_INIT(*(mysql->db));
+
+	/*
+	 * create the appropriate number of database instances (DBI)
+	 * append each new DBI to the end of the list
+	 */
+	for (i = 0; i < dbcount; i++) {
+#endif /* PTHREADS */
+		switch (argc) {
+		case 4:
+			result = build_dbinstance(NULL, NULL, NULL, argv[2],
+						  argv[3], NULL, &dbi,
+						  mysql->log);
+			break;
+		case 5:
+			result = build_dbinstance(NULL, NULL, argv[4], argv[2],
+						  argv[3], NULL, &dbi,
+						  mysql->log);
+			break;
+		case 6:
+			result = build_dbinstance(argv[5], NULL, argv[4],
+						  argv[2], argv[3], NULL, &dbi,
+						  mysql->log);
+			break;
+		case 7:
+			result = build_dbinstance(argv[5], argv[6], argv[4],
+						  argv[2], argv[3], NULL, &dbi,
+						  mysql->log);
+			break;
+		case 8:
+			result = build_dbinstance(argv[5], argv[6], argv[4],
+						  argv[2], argv[3], argv[7],
+						  &dbi, mysql->log);
+			break;
+		default:
+			result = ISC_R_FAILURE;
+		}
+
+		if (result != ISC_R_SUCCESS) {
+			mysql->log(ISC_LOG_ERROR, "MySQL module could not "
+						  "create "
+						  "database instance object.");
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+
+#if PTHREADS
+		/* when multithreaded, build a list of DBI's */
+		DLZ_LINK_INIT(dbi, link);
+		DLZ_LIST_APPEND(*(mysql->db), dbi, link);
+#else  /* if PTHREADS */
+	/*
+	 * when single threaded, hold onto the one connection
+	 * instance.
+	 */
+	mysql->db = dbi;
+#endif /* if PTHREADS */
+
+		/* create and set db connection */
+		dbi->dbconn = mysql_init(NULL);
+		if (dbi->dbconn == NULL) {
+			mysql->log(ISC_LOG_ERROR, "MySQL module could not "
+						  "allocate "
+						  "memory for database "
+						  "connection");
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+
+		dbc = NULL;
+
+		/* enable automatic reconnection. */
+		if (mysql_options((MYSQL *)dbi->dbconn, MYSQL_OPT_RECONNECT,
+				  &(my_bool){ 1 }) != 0)
+		{
+			mysql->log(ISC_LOG_WARNING, "MySQL module failed to "
+						    "set "
+						    "MYSQL_OPT_RECONNECT "
+						    "option, continuing");
+		}
+
+		for (j = 0; dbc == NULL && j < 4; j++) {
+			dbc = mysql_real_connect(
+				(MYSQL *)dbi->dbconn, mysql->host, mysql->user,
+				mysql->pass, mysql->dbname, mysql->port,
+				mysql->socket, mysql->flags);
+			if (dbc == NULL) {
+				mysql->log(ISC_LOG_ERROR,
+					   "MySQL connection failed: %s",
+					   mysql_error((MYSQL *)dbi->dbconn));
+			}
+		}
+
+		if (dbc == NULL) {
+			mysql->log(ISC_LOG_ERROR, "MySQL module failed to "
+						  "create "
+						  "database connection after 4 "
+						  "attempts");
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+
+#if PTHREADS
+		/* set DBI = null for next loop through. */
+		dbi = NULL;
+	}
+#endif /* PTHREADS */
+
+	*dbdata = mysql;
+
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	dlz_destroy(mysql);
+
+	return (result);
+}
+
+/*%
+ * Destroy the module.
+ */
+void
+dlz_destroy(void *dbdata) {
+	mysql_instance_t *db = (mysql_instance_t *)dbdata;
+#if PTHREADS
+	/* cleanup the list of DBI's */
+	if (db->db != NULL) {
+		mysql_destroy_dblist((db_list_t *)(db->db));
+	}
+#else  /* PTHREADS */
+	mysql_destroy(db);
+#endif /* PTHREADS */
+
+	if (db->dbname != NULL) {
+		free(db->dbname);
+	}
+	if (db->host != NULL) {
+		free(db->host);
+	}
+	if (db->user != NULL) {
+		free(db->user);
+	}
+	if (db->pass != NULL) {
+		free(db->pass);
+	}
+	if (db->socket != NULL) {
+		free(db->socket);
+	}
+}
+
+/*
+ * Return the version of the API
+ */
+int
+dlz_version(unsigned int *flags) {
+	*flags |= (DNS_SDLZFLAG_RELATIVEOWNER | DNS_SDLZFLAG_RELATIVERDATA |
+		   DNS_SDLZFLAG_THREADSAFE);
+	return (DLZ_DLOPEN_VERSION);
+}
+
+/*
+ * Register a helper function from the bind9 dlz_dlopen driver
+ */
+static void
+b9_add_helper(mysql_instance_t *db, const char *helper_name, void *ptr) {
+	if (strcmp(helper_name, "log") == 0) {
+		db->log = (log_t *)ptr;
+	}
+	if (strcmp(helper_name, "putrr") == 0) {
+		db->putrr = (dns_sdlz_putrr_t *)ptr;
+	}
+	if (strcmp(helper_name, "putnamedrr") == 0) {
+		db->putnamedrr = (dns_sdlz_putnamedrr_t *)ptr;
+	}
+	if (strcmp(helper_name, "writeable_zone") == 0) {
+		db->writeable_zone = (dns_dlz_writeablezone_t *)ptr;
+	}
+}
diff --git a/contrib/dlz/modules/mysql/testing/README b/contrib/dlz/modules/mysql/testing/README
new file mode 100644
index 0000000..a4b87bb
--- /dev/null
+++ b/contrib/dlz/modules/mysql/testing/README
@@ -0,0 +1,7 @@
+These files were used for testing on Ubuntu Linux using MySQL
+
+- Install MySQL: sudo apt-get install mysql-server
+- Run "mysql --user=USER --password=PASSWORD < dlz.schema" to set up database
+- Run "mysql --user=USER --password=PASSWORD < dlz.data" to populate it
+- update named.conf with correct USER and PASSWORD
+
diff --git a/contrib/dlz/modules/mysql/testing/dlz.data b/contrib/dlz/modules/mysql/testing/dlz.data
new file mode 100644
index 0000000..cef3e13
--- /dev/null
+++ b/contrib/dlz/modules/mysql/testing/dlz.data
@@ -0,0 +1,12 @@
+use BindDB;
+INSERT INTO `records` (`id`, `zone`, `ttl`, `type`, `host`, `mx_priority`, `data`, `primary_ns`, `resp_contact`, `serial`, `refresh`, `retry`, `expire`, `minimum`) VALUES
+(1, 'example.com', 86400, 'SOA', '@', NULL, NULL, 'ns1.example.com.', 'info.example.com.', 2011043001, 10800, 7200, 604800, 86400),
+(2, 'example.com', 86400, 'NS', '@', NULL, 'ns1.example.com.', NULL, NULL, NULL, NULL, NULL, NULL, NULL),
+(3, 'example.com', 86400, 'NS', '@', NULL, 'ns2.example.com.', NULL, NULL, NULL, NULL, NULL, NULL, NULL),
+(4, 'example.com', 86400, 'MX', '@', 10, 'mail.example.com.', NULL, NULL, NULL, NULL, NULL, NULL, NULL),
+(5, 'example.com', 86400, 'A', '@', NULL, '192.168.0.2', NULL, NULL, NULL, NULL, NULL, NULL, NULL),
+(6, 'example.com', 86400, 'CNAME', 'www', NULL, '@', NULL, NULL, NULL, NULL, NULL, NULL, NULL),
+(7, 'example.com', 86400, 'A', 'ns1', NULL, '192.168.0.111', NULL, NULL, NULL, NULL, NULL, NULL, NULL),
+(8, 'example.com', 86400, 'A', 'ns2', NULL, '192.168.0.222', NULL, NULL, NULL, NULL, NULL, NULL, NULL),
+(9, 'example.com', 86400, 'A', 'mail', NULL, '192.168.0.3', NULL, NULL, NULL, NULL, NULL, NULL, NULL),
+(10, 'example.com', 86400, 'TXT', '@', NULL, 'v=spf1 ip:192.168.0.3 ~all', NULL, NULL, NULL, NULL, NULL, NULL, NULL)
diff --git a/contrib/dlz/modules/mysql/testing/dlz.schema b/contrib/dlz/modules/mysql/testing/dlz.schema
new file mode 100644
index 0000000..f20b59e
--- /dev/null
+++ b/contrib/dlz/modules/mysql/testing/dlz.schema
@@ -0,0 +1,30 @@
+CREATE DATABASE `BindDB` DEFAULT CHARACTER SET latin1;
+USE `BindDB`;
+
+CREATE TABLE IF NOT EXISTS `records` (
+    `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
+    `zone` varchar(255) NOT NULL,
+    `ttl` int(11) NOT NULL DEFAULT '86400',
+    `type` varchar(255) NOT NULL,
+    `host` varchar(255) NOT NULL DEFAULT '@',
+    `mx_priority` int(11) DEFAULT NULL,
+    `data` text,
+    `primary_ns` varchar(255) DEFAULT NULL,
+    `resp_contact` varchar(255) DEFAULT NULL,
+    `serial` bigint(20) DEFAULT NULL,
+    `refresh` int(11) DEFAULT NULL,
+    `retry` int(11) DEFAULT NULL,
+    `expire` int(11) DEFAULT NULL,
+    `minimum` int(11) DEFAULT NULL,
+    PRIMARY KEY (`id`),
+    KEY `type` (`type`),
+    KEY `host` (`host`),
+    KEY `zone` (`zone`)
+) ENGINE=InnoDB DEFAULT CHARSET=latin1;
+
+CREATE TABLE IF NOT EXISTS `xfr` (
+    `zone` varchar(255) NOT NULL,
+    `client` varchar(255) NOT NULL,
+    KEY `zone` (`zone`),
+    KEY `client` (`client`)
+) ENGINE=InnoDB DEFAULT CHARSET=latin1;
diff --git a/contrib/dlz/modules/mysql/testing/named.conf b/contrib/dlz/modules/mysql/testing/named.conf
new file mode 100644
index 0000000..1152143
--- /dev/null
+++ b/contrib/dlz/modules/mysql/testing/named.conf
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+controls { };
+
+options {
+	directory ".";
+	port 5300;
+	pid-file "named.pid";
+	session-keyfile "session.key";
+	listen-on { any; };
+	listen-on-v6 { none; };
+	recursion no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-md5;
+};
+
+controls {
+	inet 127.0.0.1 port 9953 allow { any; } keys { rndc_key; };
+};
+
+dlz "test" {
+	database "dlopen ../dlz_mysql_dynamic.so
+           {
+             host=127.0.0.1 port=3306 socket=/tmp/mysql.sock
+             dbname=BindDB user=USER pass=PASSWORD threads=2
+           }
+           {SELECT zone FROM records WHERE zone = '$zone$'}
+           {SELECT ttl, type, mx_priority, IF(type = 'TXT', CONCAT('\"',data,'\"'), data) AS data FROM records WHERE zone = '$zone$' AND host = '$record$' AND type <> 'SOA' AND type <> 'NS'}
+           {SELECT ttl, type, data, primary_ns, resp_contact, serial, refresh, retry, expire, minimum FROM records WHERE zone = '$zone$' AND (type = 'SOA' OR type='NS')}
+           {SELECT ttl, type, host, mx_priority, IF(type = 'TXT', CONCAT('\"',data,'\"'), data) AS data, resp_contact, serial, refresh, retry, expire, minimum FROM records WHERE zone = '$zone$' AND type <> 'SOA' AND type <> 'NS'}
+           {SELECT zone FROM xfr where zone='$zone$' AND client = '$client$'}";
+};
diff --git a/contrib/dlz/modules/mysqldyn/Makefile.in b/contrib/dlz/modules/mysqldyn/Makefile.in
new file mode 100644
index 0000000..a230e36
--- /dev/null
+++ b/contrib/dlz/modules/mysqldyn/Makefile.in
@@ -0,0 +1,52 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+# Copyright Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# Copyright (C) Stichting NLnet, Netherlands, stichting@nlnet.nl.
+#
+# The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
+# conceived and contributed by Rob Butler.
+#
+# SPDX-License-Identifier: ISC and MPL-2.0
+#
+# Permission to use, copy, modify, and distribute this software for any purpose
+# with or without fee is hereby granted, provided that the above copyright
+# notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND STICHTING NLNET DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL STICHTING NLNET BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+# OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+# CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+prefix = /usr
+libdir = $(prefix)/lib/bind9
+
+CFLAGS=-fPIC -Wall -g -I../include @DLZ_DRIVER_MYSQL_INCLUDES@
+MYSQL_LIBS=@DLZ_DRIVER_MYSQL_LIBS@
+
+all: dlz_mysqldyn_mod.so
+
+dlz_dbi.o: ../common/dlz_dbi.c
+	$(CC) $(CFLAGS) -c ../common/dlz_dbi.c
+
+dlz_mysqldyn_mod.so: dlz_mysqldyn_mod.c dlz_dbi.o
+	$(CC) $(CFLAGS) -shared -o dlz_mysqldyn_mod.so \
+		dlz_mysqldyn_mod.c dlz_dbi.o $(MYSQL_LIBS)
+
+clean:
+	rm -f dlz_mysqldyn_mod.so *.o
+
+install: dlz_mysqldyn_mod.so
+	mkdir -p $(DESTDIR)$(libdir)
+	install dlz_mysqldyn_mod.so $(DESTDIR)$(libdir)
diff --git a/contrib/dlz/modules/mysqldyn/README b/contrib/dlz/modules/mysqldyn/README
new file mode 100644
index 0000000..6faa35d
--- /dev/null
+++ b/contrib/dlz/modules/mysqldyn/README
@@ -0,0 +1,87 @@
+<!--
+Copyright Internet Systems Consortium, Inc. ("ISC")
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+Copyright (C) Stichting NLnet, Netherlands, stichting@nlnet.nl.
+
+The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
+conceived and contributed by Rob Butler.
+
+SPDX-License-Identifier: ISC and MPL-2.0
+
+Permission to use, copy, modify, and distribute this software for any purpose
+with or without fee is hereby granted, provided that the above copyright
+notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND STICHTING NLNET DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL STICHTING NLNET BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+-->
+
+BIND 9 DLZ MySQL module with support for dynamic DNS (DDNS)
+
+Adapted from code contributed by Marty Lee, Maui Systems Ltd.
+
+This is a dynamically loadable zone (DLZ) plugin that uses a fixed-
+schema MySQL database for back-end storage. It allows zone data
+to be updated via dynamic DNS updates, and sends DNS NOTIFY packets
+to other name servers when appropriate.
+
+The database for this module uses the following schema:
+
+    CREATE TABLE `Zones` (
+        `id` int(11) NOT NULL AUTO_INCREMENT,
+        `domain` varchar(128) NOT NULL DEFAULT '',
+        `host` varchar(128) NOT NULL DEFAULT '',
+        `admin` varchar(128) NOT NULL DEFAULT '',
+        `serial` int(11) NOT NULL DEFAULT '1',
+        `expire` int(11) NOT NULL DEFAULT '86400',
+        `refresh` int(11) NOT NULL DEFAULT '86400',
+        `retry` int(11) NOT NULL DEFAULT '86400',
+        `minimum` int(11) NOT NULL DEFAULT '86400',
+        `ttl` int(11) NOT NULL DEFAULT '86400',
+        `writeable` tinyint(1) NOT NULL DEFAULT '0',
+        PRIMARY KEY (`id`),
+        KEY `domain_idx` (`domain`)
+    );
+
+    CREATE TABLE `ZoneData` (
+        `id` int(11) NOT NULL AUTO_INCREMENT,
+        `zone_id` int(11) NOT NULL,
+        `name` varchar(128) NOT NULL DEFAULT '',
+        `type` varchar(16) NOT NULL DEFAULT '',
+        `ttl` int(11) NOT NULL DEFAULT '86400',
+        `data` varchar(128) NOT NULL DEFAULT '',
+        PRIMARY KEY (`id`),
+        KEY `zone_idx` (`zone_id`),
+        KEY `name_idx` (`zone_id`, `name`),
+        KEY `type_idx` (`type`)
+    );
+
+'Zones' contains information about specific zones:
+ - domain: the zone name
+ - admin: the zone administrator
+ - serial, expire, reresh, retry, minimum: values in the SOA record
+ - ttl: default zone TTL
+ - writeable: set to true if the zone can be updated via DDNS
+
+'ZoneData' contains the individual records within the zone:
+ - zone_id: the 'id' from the corresponding record in Zones 
+ - name: domain name, relative to the zone apex. (Data at the zone
+   apex itself may use a blank name or "@".)
+ - type: the RR type, expressed as text
+ - ttl: the record's TTL
+ - data: the records rdata, expressed as text.
+
+To configure this module in named.conf:
+
+dlz "mysqldlz" {
+    database "dlopen <path to>/dlz_mysqldyn_mod.so <dbname> [dbhost [dbuser [dbpass]]]";
+};
diff --git a/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c b/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c
new file mode 100644
index 0000000..bdd0bcc
--- /dev/null
+++ b/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c
@@ -0,0 +1,1800 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 and ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+
+/*
+ * Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
+ *
+ * The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
+ * conceived and contributed by Rob Butler.
+ *
+ * Permission to use, copy, modify, and distribute this software for any purpose
+ * with or without fee is hereby granted, provided that the above copyright
+ * notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+ * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * BIND 9 DLZ MySQL module with support for dynamic DNS (DDNS)
+ *
+ * Adapted from code contributed by Marty Lee, Maui Systems Ltd.
+ *
+ * See README for database schema and usage details.
+ */
+
+#include <ifaddrs.h>
+#include <inttypes.h>
+#include <netdb.h>
+#include <netinet/in.h>
+#include <pthread.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#include <mysql/errmsg.h>
+#include <mysql/mysql.h>
+
+#include <dlz_list.h>
+#include <dlz_minimal.h>
+#include <dlz_pthread.h>
+
+#if !defined(MARIADB_BASE_VERSION) && MYSQL_VERSION_ID >= 80000
+typedef bool my_bool;
+#endif /* !defined(MARIADB_BASE_VERSION) && MYSQL_VERSION_ID >= 80000 */
+
+/*
+ * The SQL queries that will be used for lookups and updates are defined
+ * here.  They will be processed into queries by the build_query()
+ * function.
+ *
+ * NOTE: Despite appearances, these do NOT use printf-style formatting.
+ * "%s", with no modifiers, is the only supported directive.
+ */
+
+/*
+ * Get the NS RRset for a zone
+ * Arguments: zone-name
+ */
+#define Q_GETNS                                                         \
+	"SELECT d.data FROM ZoneData d, Zones z "                       \
+	"WHERE UPPER(d.type) = 'NS' AND LOWER(z.domain) = LOWER('%s') " \
+	"AND z.id = d.zone_id"
+
+/*
+ * Get a list of zones (ignoring writable or not)
+ * Arguments: (none)
+ */
+#define Q_GETZONES "SELECT LOWER(domain), serial FROM Zones"
+
+/*
+ * Find a specific zone
+ * Arguments: zone-name
+ */
+#define Q_FINDZONE "SELECT id FROM Zones WHERE LOWER(domain) = LOWER('%s')"
+
+/*
+ * Get SOA data from zone apex
+ * Arguments: zone-name
+ */
+#define Q_GETSOA                                                            \
+	"SELECT host, admin, serial, refresh, retry, expire, minimum, ttl " \
+	"FROM Zones WHERE LOWER(domain) = LOWER('%s')"
+
+/*
+ * Get other data from zone apex
+ * Arguments: zone-name, zone-name (repeated)
+ */
+#define Q_GETAPEX                                                   \
+	"SELECT d.type, d.data, d.ttl FROM ZoneData d, Zones z "    \
+	"WHERE LOWER(z.domain) = LOWER('%s') AND z.id = d.zone_id " \
+	"AND LOWER(d.name) IN (LOWER('%s'), '', '@') "              \
+	"ORDER BY UPPER(d.type) ASC"
+
+/*
+ * Get data from non-apex nodes
+ * Arguments: zone-name, node-name (relative to zone name)
+ */
+#define Q_GETNODE                                                   \
+	"SELECT d.type, d.data, d.ttl FROM ZoneData d, Zones z "    \
+	"WHERE LOWER(z.domain) = LOWER('%s') AND z.id = d.zone_id " \
+	"AND LOWER(d.name) = LOWER('%s') "                          \
+	"ORDER BY UPPER(d.type) ASC"
+
+/*
+ * Get all data from a zone, for AXFR
+ * Arguments: zone-name
+ */
+#define Q_GETALL                                                         \
+	"SELECT d.name, d.type, d.data, d.ttl FROM ZoneData d, Zones z " \
+	"WHERE LOWER(z.domain) = LOWER('%s') AND z.id = d.zone_id"
+
+/*
+ * Get SOA serial number for a zone.
+ * Arguments: zone-name
+ */
+#define Q_GETSERIAL "SELECT serial FROM Zones WHERE domain = '%s'"
+
+/*
+ * Determine whether a zone is writeable, and if so, retrieve zone_id
+ * Arguments: zone-name
+ */
+#define Q_WRITEABLE                   \
+	"SELECT id FROM Zones WHERE " \
+	"LOWER(domain) = LOWER('%s') AND writeable = 1"
+
+/*
+ * Insert data into zone (other than SOA)
+ * Arguments: zone-id (from Q_WRITEABLE), node-name (relative to zone-name),
+ * 	      rrtype, rdata text, TTL (in text format)
+ */
+#define I_DATA                                                   \
+	"INSERT INTO ZoneData (zone_id, name, type, data, ttl) " \
+	"VALUES (%s, LOWER('%s'), UPPER('%s'), '%s', %s)"
+
+/*
+ * Update SOA serial number for a zone
+ * Arguments: new serial number (in text format), zone-id (from Q_WRITEABLE)
+ */
+#define U_SERIAL "UPDATE Zones SET serial = %s WHERE id = %s"
+
+/*
+ * Delete a specific record (non-SOA) from a zone
+ *
+ * Arguments: node-name (relative to zone-name), zone-id (from Q_WRITEABLE),
+ * 	      rrtype, rdata text, TTL (in text format).
+ */
+#define D_RECORD                                                       \
+	"DELETE FROM ZoneData WHERE zone_id = %s AND "                 \
+	"LOWER(name) = LOWER('%s') AND UPPER(type) = UPPER('%s') AND " \
+	"data = '%s' AND ttl = %s"
+
+/*
+ * Delete an entire rrset from a zone
+ * Arguments: node-name (relative to zone-name), zone-id (from Q_WRITEABLE),
+ * 	      rrtype.
+ */
+#define D_RRSET                                        \
+	"DELETE FROM ZoneData WHERE zone_id = %s AND " \
+	"LOWER(name) = LOWER('%s') AND UPPER(type) = UPPER('%s')"
+
+/*
+ * Number of concurrent database connections we support
+ * - equivalent to maxmium number of concurrent transactions
+ *   that can be 'in-flight' + 1
+ */
+#define MAX_DBI 16
+
+typedef struct mysql_record {
+	char zone[255];
+	char name[100];
+	char type[10];
+	char data[200];
+	char ttl[10];
+} mysql_record_t;
+
+typedef struct mysql_instance {
+	int id;
+	MYSQL *sock;
+	int connected;
+	dlz_mutex_t mutex;
+} mysql_instance_t;
+
+typedef struct mysql_transaction mysql_transaction_t;
+struct mysql_transaction {
+	char *zone;
+	char *zone_id;
+	mysql_instance_t *dbi;
+	mysql_transaction_t *next;
+};
+
+typedef struct mysql_data {
+	int debug;
+
+	/*
+	 * Database connection details
+	 */
+	char *db_name;
+	char *db_host;
+	char *db_user;
+	char *db_pass;
+
+	/*
+	 * Database structures
+	 */
+	mysql_instance_t db[MAX_DBI];
+
+	/*
+	 * Transactions
+	 */
+	mysql_transaction_t *transactions;
+
+	/*
+	 * Mutex for transactions
+	 */
+	dlz_mutex_t tx_mutex;
+
+	/* Helper functions from the dlz_dlopen driver */
+	log_t *log;
+	dns_sdlz_putrr_t *putrr;
+	dns_sdlz_putnamedrr_t *putnamedrr;
+	dns_dlz_writeablezone_t *writeable_zone;
+} mysql_data_t;
+
+typedef struct mysql_arg mysql_arg_t;
+typedef DLZ_LIST(mysql_arg_t) mysql_arglist_t;
+struct mysql_arg {
+	char *arg;
+	DLZ_LINK(mysql_arg_t) link;
+};
+
+static const char *modname = "dlz_mysqldyn";
+
+/*
+ * Local functions
+ */
+static bool
+db_connect(mysql_data_t *state, mysql_instance_t *dbi) {
+	MYSQL *conn;
+	/*
+	 * Make sure this thread has been through 'init'
+	 */
+	mysql_thread_init();
+
+	if (dbi->connected) {
+		return (true);
+	}
+
+	if (state->log != NULL) {
+		state->log(ISC_LOG_INFO, "%s: init connection %d ", modname,
+			   dbi->id);
+	}
+
+	conn = mysql_real_connect(dbi->sock, state->db_host, state->db_user,
+				  state->db_pass, state->db_name, 0, NULL,
+				  CLIENT_REMEMBER_OPTIONS);
+	if (conn == NULL) {
+		if (state->log != NULL) {
+			state->log(ISC_LOG_ERROR,
+				   "%s: database connection failed: %s",
+				   modname, mysql_error(dbi->sock));
+		}
+
+		dlz_mutex_unlock(&dbi->mutex);
+		return (false);
+	}
+
+	dbi->connected = 1;
+	return (true);
+}
+
+static mysql_instance_t *
+get_dbi(mysql_data_t *state) {
+	int i;
+
+	/*
+	 * Find an available dbi
+	 */
+	for (i = 0; i < MAX_DBI; i++) {
+		if (dlz_mutex_trylock(&state->db[i].mutex) == 0) {
+			break;
+		}
+	}
+
+	if (i == MAX_DBI) {
+		if (state->debug && state->log != NULL) {
+			state->log(ISC_LOG_ERROR,
+				   "%s: No available connections", modname);
+		}
+		return (NULL);
+	}
+	return (&state->db[i]);
+}
+
+/*
+ * Allocate memory and store an escaped, sanitized version
+ * of string 'original'
+ */
+static char *
+sanitize(mysql_instance_t *dbi, const char *original) {
+	char *s;
+
+	if (original == NULL) {
+		return (NULL);
+	}
+
+	s = (char *)malloc((strlen(original) * 2) + 1);
+	if (s != NULL) {
+		memset(s, 0, (strlen(original) * 2) + 1);
+
+		mysql_real_escape_string(dbi->sock, s, original,
+					 strlen(original));
+	}
+
+	return (s);
+}
+
+/*
+ * Append the string pointed to by 's' to the argument list 'arglist',
+ * and add the string length to the running total pointed to by 'len'.
+ */
+static isc_result_t
+additem(mysql_arglist_t *arglist, char **s, size_t *len) {
+	mysql_arg_t *item;
+
+	item = malloc(sizeof(*item));
+	if (item == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	DLZ_LINK_INIT(item, link);
+	item->arg = *s;
+	*len += strlen(*s);
+	DLZ_LIST_APPEND(*arglist, item, link);
+	*s = NULL;
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Construct a query string using a variable number of arguments, and
+ * save it into newly allocated memory.
+ *
+ * NOTE: 'command' resembles a printf-style format string, but ONLY
+ * supports the "%s" directive with no modifiers of any kind.
+ *
+ * If 'dbi' is NULL, we attempt to get a temporary database connection;
+ * otherwise we use the existing one.
+ */
+static char *
+build_query(mysql_data_t *state, mysql_instance_t *dbi, const char *command,
+	    ...) {
+	isc_result_t result;
+	bool localdbi = false;
+	mysql_arglist_t arglist;
+	mysql_arg_t *item;
+	char *p, *q, *tmp = NULL, *querystr = NULL;
+	char *query = NULL;
+	size_t len = 0;
+	va_list ap1;
+
+	/* Get a DB instance if needed */
+	if (dbi == NULL) {
+		dbi = get_dbi(state);
+		if (dbi == NULL) {
+			return (NULL);
+		}
+		localdbi = true;
+	}
+
+	/* Make sure this instance is connected */
+	if (!db_connect(state, dbi)) {
+		goto fail;
+	}
+
+	va_start(ap1, command);
+	DLZ_LIST_INIT(arglist);
+	q = querystr = strdup(command);
+	if (querystr == NULL) {
+		goto fail;
+	}
+
+	for (;;) {
+		if (*q == '\0') {
+			break;
+		}
+
+		p = strstr(q, "%s");
+		if (p != NULL) {
+			*p = '\0';
+			tmp = strdup(q);
+			if (tmp == NULL) {
+				goto fail;
+			}
+
+			result = additem(&arglist, &tmp, &len);
+			if (result != ISC_R_SUCCESS) {
+				goto fail;
+			}
+
+			tmp = sanitize(dbi, va_arg(ap1, const char *));
+			if (tmp == NULL) {
+				goto fail;
+			}
+
+			result = additem(&arglist, &tmp, &len);
+			if (result != ISC_R_SUCCESS) {
+				goto fail;
+			}
+
+			q = p + 2;
+		} else {
+			tmp = strdup(q);
+			if (tmp == NULL) {
+				goto fail;
+			}
+
+			result = additem(&arglist, &tmp, &len);
+			if (result != ISC_R_SUCCESS) {
+				goto fail;
+			}
+
+			break;
+		}
+	}
+
+	if (len == 0) {
+		goto fail;
+	}
+
+	query = malloc(len + 1);
+	if (query == NULL) {
+		goto fail;
+	}
+
+	*query = '\0';
+	for (item = DLZ_LIST_HEAD(arglist); item != NULL;
+	     item = DLZ_LIST_NEXT(item, link))
+	{
+		if (item->arg != NULL) {
+			strcat(query, item->arg);
+		}
+	}
+
+fail:
+	va_end(ap1);
+
+	while ((item = DLZ_LIST_HEAD(arglist)) != NULL) {
+		DLZ_LIST_UNLINK(arglist, item, link);
+		if (item->arg != NULL) {
+			free(item->arg);
+		}
+		free(item);
+	}
+
+	if (tmp != NULL) {
+		free(tmp);
+	}
+	if (querystr != NULL) {
+		free(querystr);
+	}
+
+	if (dbi != NULL && localdbi) {
+		dlz_mutex_unlock(&dbi->mutex);
+	}
+
+	return (query);
+}
+
+/* Does this name end in a dot? */
+static bool
+isrelative(const char *s) {
+	if (s == NULL || s[strlen(s) - 1] == '.') {
+		return (false);
+	}
+	return (true);
+}
+
+/* Return a dot if 's' doesn't already end with one */
+static const char *
+dot(const char *s) {
+	return (isrelative(s) ? "." : "");
+}
+
+/*
+ * Generate a full hostname from a (presumably relative) name 'name'
+ * and a zone name 'zone'; store the result in 'dest' (which must have
+ * enough space).
+ */
+static void
+fqhn(const char *name, const char *zone, char *dest) {
+	if (dest == NULL) {
+		return;
+	}
+
+	if (strlen(name) == 0 || strcmp(name, "@") == 0) {
+		sprintf(dest, "%s%s", zone, dot(zone));
+	} else {
+		if (isrelative(name)) {
+			sprintf(dest, "%s.%s%s", name, zone, dot(zone));
+		} else {
+			strcpy(dest, name);
+		}
+	}
+}
+
+/*
+ * Names are stored in relative form in ZoneData; this function
+ * removes labels matching 'zone' from the end of 'name'.
+ */
+static char *
+relname(const char *name, const char *zone) {
+	size_t nlen, zlen;
+	const char *p;
+	char *new;
+
+	new = (char *)malloc(strlen(name) + 1);
+	if (new == NULL) {
+		return (NULL);
+	}
+
+	nlen = strlen(name);
+	zlen = strlen(zone);
+
+	if (nlen < zlen) {
+		strcpy(new, name);
+		return (new);
+	} else if (nlen == zlen || strcasecmp(name, zone) == 0) {
+		strcpy(new, "@");
+		return (new);
+	}
+
+	p = name + nlen - zlen;
+	if (strcasecmp(p, zone) != 0 &&
+	    (zone[zlen - 1] != '.' || strncasecmp(p, zone, zlen - 1) != 0))
+	{
+		strcpy(new, name);
+		return (new);
+	}
+
+	strncpy(new, name, nlen - zlen);
+	new[nlen - zlen - 1] = '\0';
+	return (new);
+}
+
+static isc_result_t
+validate_txn(mysql_data_t *state, mysql_transaction_t *txn) {
+	isc_result_t result = ISC_R_FAILURE;
+	mysql_transaction_t *txp;
+
+	dlz_mutex_lock(&state->tx_mutex);
+	for (txp = state->transactions; txp != NULL; txp = txp->next) {
+		if (txn == txp) {
+			result = ISC_R_SUCCESS;
+			break;
+		}
+	}
+	dlz_mutex_unlock(&state->tx_mutex);
+
+	if (result != ISC_R_SUCCESS && state->log != NULL) {
+		state->log(ISC_LOG_ERROR, "%s: invalid txn %x", modname, txn);
+	}
+
+	return (result);
+}
+
+static isc_result_t
+db_execute(mysql_data_t *state, mysql_instance_t *dbi, const char *query) {
+	int ret;
+
+	/* Make sure this instance is connected.  */
+	if (!db_connect(state, dbi)) {
+		return (ISC_R_FAILURE);
+	}
+
+	ret = mysql_real_query(dbi->sock, query, strlen(query));
+	if (ret != 0) {
+		if (state->debug && state->log != NULL) {
+			state->log(ISC_LOG_ERROR, "%s: query '%s' failed: %s",
+				   modname, query, mysql_error(dbi->sock));
+		}
+		return (ISC_R_FAILURE);
+	}
+
+	if (state->debug && state->log != NULL) {
+		state->log(ISC_LOG_INFO, "%s: execute(%d) %s", modname, dbi->id,
+			   query);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static MYSQL_RES *
+db_query(mysql_data_t *state, mysql_instance_t *dbi, const char *query) {
+	isc_result_t result;
+	bool localdbi = false;
+	MYSQL_RES *res = NULL;
+
+	if (query == NULL) {
+		return (NULL);
+	}
+
+	/* Get a DB instance if needed */
+	if (dbi == NULL) {
+		dbi = get_dbi(state);
+		if (dbi == NULL) {
+			return (NULL);
+		}
+		localdbi = true;
+	}
+
+	/* Make sure this instance is connected */
+	if (!db_connect(state, dbi)) {
+		goto fail;
+	}
+
+	result = db_execute(state, dbi, query);
+	if (result != ISC_R_SUCCESS) {
+		goto fail;
+	}
+
+	res = mysql_store_result(dbi->sock);
+	if (res == NULL) {
+		if (state->log != NULL) {
+			state->log(ISC_LOG_ERROR,
+				   "%s: unable to store result: %s", modname,
+				   mysql_error(dbi->sock));
+		}
+		goto fail;
+	}
+
+	if (state->debug && state->log != NULL) {
+		state->log(ISC_LOG_INFO, "%s: query(%d) returned %d rows",
+			   modname, dbi->id, mysql_num_rows(res));
+	}
+
+fail:
+	if (dbi != NULL && localdbi) {
+		dlz_mutex_unlock(&dbi->mutex);
+	}
+	return (res);
+}
+
+/*
+ * Generate a DNS NOTIFY packet:
+ * 12 bytes header
+ * Question (1)
+ * 	strlen(zone) +2
+ *  2 bytes qtype
+ *  2 bytes qclass
+ *
+ * -> 18 bytes + strlen(zone)
+ *
+ * N.B. Need to be mindful of byte ordering; using htons to map 16bit
+ * values to the 'on the wire' packet values.
+ */
+static unsigned char *
+make_notify(const char *zone, int *packetlen) {
+	int i, j;
+	unsigned char *packet = (unsigned char *)malloc(strlen(zone) + 18);
+
+	if (packet == NULL) {
+		return (NULL);
+	}
+
+	*packetlen = strlen(zone) + 18;
+	memset(packet, 0, *packetlen);
+
+	/* Random query ID */
+	i = rand();
+	packet[0] = htons(i) & 0xff;
+	packet[1] = htons(i) >> 8;
+
+	/* Flags (OpCode '4' in bits 14-11), Auth Answer set in bit 10 */
+	i = 0x2400;
+	packet[2] = htons(i) & 0xff;
+	packet[3] = htons(i) >> 8;
+
+	/* QD Count */
+	i = 0x1;
+	packet[4] = htons(i) & 0xff;
+	packet[5] = htons(i) >> 8;
+
+	/* Question */
+	packet[12] = '.';
+	memmove(&packet[13], zone, strlen(zone));
+	packet[13 + strlen(zone)] = 0;
+
+	/* Make the question into labels */
+	j = 12;
+	while (packet[j]) {
+		for (i = j + 1; packet[i] != '\0' && packet[i] != '.'; i++) {
+			;
+		}
+		packet[j] = i - j - 1;
+		j = i;
+	}
+
+	/* Question type */
+	i = 6;
+	packet[j + 1] = htons(i) & 0xff;
+	packet[j + 2] = htons(i) >> 8;
+
+	/* Queston class */
+	i = 1;
+	packet[j + 3] = htons(i) & 0xff;
+	packet[j + 4] = htons(i) >> 8;
+
+	return (packet);
+}
+
+static void
+send_notify(struct sockaddr_in *addr, const unsigned char *p, const int plen) {
+	int s;
+
+	addr->sin_family = AF_INET;
+	addr->sin_port = htons(53);
+
+	if ((s = socket(PF_INET, SOCK_DGRAM, 0)) < 0) {
+		return;
+	}
+
+	sendto(s, p, plen, 0, (struct sockaddr *)addr, sizeof(*addr));
+	close(s);
+	return;
+}
+
+/*
+ * Generate and send a DNS NOTIFY packet
+ */
+static void
+notify(mysql_data_t *state, const char *zone, int sn) {
+	MYSQL_RES *res;
+	MYSQL_ROW row;
+	char *query;
+	unsigned char *packet;
+	int packetlen;
+	struct ifaddrs *ifap, *ifa;
+	char zaddr[INET_ADDRSTRLEN];
+	void *addrp = NULL;
+
+	/* Get the name servers from the NS rrset */
+	query = build_query(state, NULL, Q_GETNS, zone);
+	res = db_query(state, NULL, query);
+	free(query);
+	if (res == NULL) {
+		return;
+	}
+
+	/* Create a DNS NOTIFY packet */
+	packet = make_notify(zone, &packetlen);
+	if (packet == NULL) {
+		mysql_free_result(res);
+		return;
+	}
+
+	/* Get a list of our own addresses */
+	if (getifaddrs(&ifap) < 0) {
+		ifap = NULL;
+	}
+
+	/* Tell each nameserver of the update */
+	while ((row = mysql_fetch_row(res)) != NULL) {
+		bool local = false;
+		struct hostent *h;
+		struct sockaddr_in addr, *sin;
+
+		/*
+		 * Put nameserver rdata through gethostbyname as it
+		 * might be an IP address or a hostname. (XXX: switch
+		 * this to inet_pton/getaddrinfo.)
+		 */
+		h = gethostbyname(row[0]);
+		if (h == NULL) {
+			continue;
+		}
+
+		memmove(&addr.sin_addr, h->h_addr, h->h_length);
+		addrp = &addr.sin_addr;
+
+		/* Get the address for the nameserver into a string */
+		inet_ntop(AF_INET, addrp, zaddr, INET_ADDRSTRLEN);
+		for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next) {
+			char ifaddr[INET_ADDRSTRLEN];
+
+			if (ifa->ifa_addr->sa_family != AF_INET) {
+				continue;
+			}
+
+			/* Get local address into a string */
+			sin = (struct sockaddr_in *)ifa->ifa_addr;
+			addrp = &sin->sin_addr;
+			inet_ntop(AF_INET, addrp, ifaddr, INET_ADDRSTRLEN);
+
+			/* See if nameserver address matches this one */
+			if (strcmp(ifaddr, zaddr) == 0) {
+				local = true;
+			}
+		}
+
+		if (!local) {
+			if (state->log != NULL) {
+				state->log(ISC_LOG_INFO,
+					   "%s: notify %s zone %s serial %d",
+					   modname, row[0], zone, sn);
+			}
+			send_notify(&addr, packet, packetlen);
+		}
+	}
+
+	mysql_free_result(res);
+	free(packet);
+	if (ifap != NULL) {
+		freeifaddrs(ifap);
+	}
+}
+
+/*
+ * Constructs a mysql_record_t structure from 'rdatastr', to be
+ * used in the dlz_{add,sub,del}rdataset functions below.
+ */
+static mysql_record_t *
+makerecord(mysql_data_t *state, const char *name, const char *rdatastr) {
+	mysql_record_t *new_record;
+	char *real_name = NULL, *dclass = NULL, *type = NULL;
+	char *data = NULL, *ttlstr = NULL, *buf = NULL;
+	char *saveptr = NULL;
+	dns_ttl_t ttlvalue;
+
+	new_record = (mysql_record_t *)malloc(sizeof(mysql_record_t));
+
+	if (new_record == NULL) {
+		if (state->log != NULL) {
+			state->log(ISC_LOG_ERROR,
+				   "%s: makerecord - unable to malloc",
+				   modname);
+		}
+		return (NULL);
+	}
+
+	buf = strdup(rdatastr);
+	if (buf == NULL) {
+		if (state->log != NULL) {
+			state->log(ISC_LOG_ERROR,
+				   "%s: makerecord - unable to malloc",
+				   modname);
+		}
+		free(new_record);
+		return (NULL);
+	}
+
+	/*
+	 * The format is:
+	 * FULLNAME\tTTL\tDCLASS\tTYPE\tDATA
+	 *
+	 * The DATA field is space separated, and is in the data format
+	 * for the type used by dig
+	 */
+	real_name = strtok_r(buf, "\t", &saveptr);
+	if (real_name == NULL) {
+		goto error;
+	}
+
+	ttlstr = strtok_r(NULL, "\t", &saveptr);
+	if (ttlstr == NULL || sscanf(ttlstr, "%d", &ttlvalue) != 1) {
+		goto error;
+	}
+
+	dclass = strtok_r(NULL, "\t", &saveptr);
+	if (dclass == NULL) {
+		goto error;
+	}
+
+	type = strtok_r(NULL, "\t", &saveptr);
+	if (type == NULL) {
+		goto error;
+	}
+
+	data = strtok_r(NULL, "\t", &saveptr);
+	if (data == NULL) {
+		goto error;
+	}
+
+	strcpy(new_record->name, name);
+	strcpy(new_record->type, type);
+	strcpy(new_record->data, data);
+	sprintf(new_record->ttl, "%d", ttlvalue);
+
+	free(buf);
+	return (new_record);
+
+error:
+	free(buf);
+	free(new_record);
+	return (NULL);
+}
+
+/*
+ * Remember a helper function from the bind9 dlz_dlopen driver
+ */
+static void
+b9_add_helper(mysql_data_t *state, const char *helper_name, void *ptr) {
+	if (strcmp(helper_name, "log") == 0) {
+		state->log = (log_t *)ptr;
+	}
+	if (strcmp(helper_name, "putrr") == 0) {
+		state->putrr = (dns_sdlz_putrr_t *)ptr;
+	}
+	if (strcmp(helper_name, "putnamedrr") == 0) {
+		state->putnamedrr = (dns_sdlz_putnamedrr_t *)ptr;
+	}
+	if (strcmp(helper_name, "writeable_zone") == 0) {
+		state->writeable_zone = (dns_dlz_writeablezone_t *)ptr;
+	}
+}
+
+/*
+ * DLZ API functions
+ */
+
+/*
+ * Return the version of the API
+ */
+int
+dlz_version(unsigned int *flags) {
+	UNUSED(flags);
+	*flags |= DNS_SDLZFLAG_THREADSAFE;
+	return (DLZ_DLOPEN_VERSION);
+}
+
+/*
+ * Called to initialize the driver
+ */
+isc_result_t
+dlz_create(const char *dlzname, unsigned int argc, char *argv[], void **dbdata,
+	   ...) {
+	mysql_data_t *state;
+	const char *helper_name;
+	va_list ap;
+	int n;
+
+	UNUSED(dlzname);
+
+	state = calloc(1, sizeof(mysql_data_t));
+	if (state == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	dlz_mutex_init(&state->tx_mutex, NULL);
+	state->transactions = NULL;
+
+	/* Fill in the helper functions */
+	va_start(ap, dbdata);
+	while ((helper_name = va_arg(ap, const char *)) != NULL) {
+		b9_add_helper(state, helper_name, va_arg(ap, void *));
+	}
+	va_end(ap);
+
+	if (state->log != NULL) {
+		state->log(ISC_LOG_INFO, "loading %s module", modname);
+	}
+
+	if ((argc < 2) || (argc > 6)) {
+		if (state->log != NULL) {
+			state->log(ISC_LOG_ERROR,
+				   "%s: missing args <dbname> "
+				   "[<dbhost> [<user> <pass>]]",
+				   modname);
+		}
+		dlz_destroy(state);
+		return (ISC_R_FAILURE);
+	}
+
+	state->db_name = strdup(argv[1]);
+	if (argc > 2) {
+		state->db_host = strdup(argv[2]);
+		if (argc > 4) {
+			state->db_user = strdup(argv[3]);
+			state->db_pass = strdup(argv[4]);
+		} else {
+			state->db_user = strdup("bind");
+			state->db_pass = strdup("");
+		}
+	} else {
+		state->db_host = strdup("localhost");
+		state->db_user = strdup("bind");
+		state->db_pass = strdup("");
+	}
+
+	if (state->log != NULL) {
+		state->log(ISC_LOG_INFO, "%s: DB=%s, Host=%s, User=%s", modname,
+			   state->db_name, state->db_host, state->db_user);
+	}
+
+	/*
+	 * Assign the 'state' to dbdata so we get it in our callbacks
+	 */
+
+	dlz_mutex_lock(&state->tx_mutex);
+
+	/*
+	 * Populate DB instances
+	 */
+	if (mysql_thread_safe()) {
+		for (n = 0; n < MAX_DBI; n++) {
+			dlz_mutex_init(&state->db[n].mutex, NULL);
+			dlz_mutex_lock(&state->db[n].mutex);
+			state->db[n].id = n;
+			state->db[n].connected = 0;
+			state->db[n].sock = mysql_init(NULL);
+			mysql_options(state->db[n].sock,
+				      MYSQL_READ_DEFAULT_GROUP, modname);
+			mysql_options(state->db[n].sock, MYSQL_OPT_RECONNECT,
+				      &(my_bool){ 1 });
+			dlz_mutex_unlock(&state->db[n].mutex);
+		}
+
+		*dbdata = state;
+		dlz_mutex_unlock(&state->tx_mutex);
+		return (ISC_R_SUCCESS);
+	}
+
+	free(state->db_name);
+	free(state->db_host);
+	free(state->db_user);
+	free(state->db_pass);
+	dlz_mutex_destroy(&state->tx_mutex);
+	free(state);
+	return (ISC_R_FAILURE);
+}
+
+/*
+ * Shut down the backend
+ */
+void
+dlz_destroy(void *dbdata) {
+	mysql_data_t *state = (mysql_data_t *)dbdata;
+	int i;
+
+	if (state->debug && state->log != NULL) {
+		state->log(ISC_LOG_INFO, "%s: shutting down", modname);
+	}
+
+	for (i = 0; i < MAX_DBI; i++) {
+		if (state->db[i].sock) {
+			mysql_close(state->db[i].sock);
+			state->db[i].sock = NULL;
+		}
+	}
+	free(state->db_name);
+	free(state->db_host);
+	free(state->db_user);
+	free(state->db_pass);
+	dlz_mutex_destroy(&state->tx_mutex);
+	free(state);
+}
+
+/*
+ * See if we handle a given zone
+ */
+isc_result_t
+dlz_findzonedb(void *dbdata, const char *name, dns_clientinfomethods_t *methods,
+	       dns_clientinfo_t *clientinfo) {
+	UNUSED(methods);
+	UNUSED(clientinfo);
+	isc_result_t result = ISC_R_SUCCESS;
+	mysql_data_t *state = (mysql_data_t *)dbdata;
+	MYSQL_RES *res;
+	char *query;
+
+	/* Query the Zones table to see if this zone is present */
+	query = build_query(state, NULL, Q_FINDZONE, name);
+
+	if (query == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	res = db_query(state, NULL, query);
+	if (res == NULL) {
+		return (ISC_R_FAILURE);
+	}
+
+	if (mysql_num_rows(res) == 0) {
+		result = ISC_R_NOTFOUND;
+	}
+
+	mysql_free_result(res);
+	return (result);
+}
+
+/*
+ * Perform a database lookup
+ */
+isc_result_t
+dlz_lookup(const char *zone, const char *name, void *dbdata,
+	   dns_sdlzlookup_t *lookup, dns_clientinfomethods_t *methods,
+	   dns_clientinfo_t *clientinfo) {
+	UNUSED(methods);
+	UNUSED(clientinfo);
+	isc_result_t result;
+	mysql_data_t *state = (mysql_data_t *)dbdata;
+	bool found = false;
+	char *real_name;
+	MYSQL_RES *res;
+	MYSQL_ROW row;
+	char *query;
+	mysql_transaction_t *txn = NULL;
+	mysql_instance_t *dbi = NULL;
+
+	if (state->putrr == NULL) {
+		if (state->log != NULL) {
+			state->log(ISC_LOG_ERROR, "%s: dlz_lookup - no putrr",
+				   modname);
+		}
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	/* Are we okay to try to find the txn version?  */
+	if (clientinfo != NULL && clientinfo->version >= 2) {
+		txn = (mysql_transaction_t *)clientinfo->dbversion;
+		if (txn != NULL && validate_txn(state, txn) == ISC_R_SUCCESS) {
+			dbi = txn->dbi;
+		}
+		if (dbi != NULL) {
+			state->log(ISC_LOG_DEBUG(1),
+				   "%s: lookup in live transaction %p, DBI %p",
+				   modname, txn, dbi);
+		}
+	}
+
+	if (strcmp(name, "@") == 0) {
+		real_name = (char *)malloc(strlen(zone) + 1);
+		if (real_name == NULL) {
+			return (ISC_R_NOMEMORY);
+		}
+		strcpy(real_name, zone);
+	} else {
+		real_name = (char *)malloc(strlen(name) + 1);
+		if (real_name == NULL) {
+			return (ISC_R_NOMEMORY);
+		}
+		strcpy(real_name, name);
+	}
+
+	if (strcmp(real_name, zone) == 0) {
+		/*
+		 * Get the Zones table data for use in the SOA:
+		 * zone admin serial refresh retry expire min
+		 */
+		query = build_query(state, dbi, Q_GETSOA, zone);
+		if (query == NULL) {
+			free(real_name);
+			return (ISC_R_NOMEMORY);
+		}
+
+		res = db_query(state, dbi, query);
+		free(query);
+
+		if (res == NULL) {
+			free(real_name);
+			return (ISC_R_NOTFOUND);
+		}
+
+		while ((row = mysql_fetch_row(res)) != NULL) {
+			char host[1024], admin[1024], data[4096];
+			int ttl;
+
+			sscanf(row[7], "%d", &ttl);
+			fqhn(row[0], zone, host);
+			fqhn(row[1], zone, admin);
+
+			/* zone admin serial refresh retry expire min */
+			snprintf(data, sizeof(data), "%s%s %s%s %s %s %s %s %s",
+				 host, dot(host), admin, dot(admin), row[2],
+				 row[3], row[4], row[5], row[6]);
+
+			result = state->putrr(lookup, "soa", ttl, data);
+			if (result != ISC_R_SUCCESS) {
+				free(real_name);
+				mysql_free_result(res);
+				return (result);
+			}
+		}
+
+		mysql_free_result(res);
+
+		/*
+		 *  Now we'll get the rest of the apex data
+		 */
+		query = build_query(state, dbi, Q_GETAPEX, zone, real_name);
+	} else {
+		query = build_query(state, dbi, Q_GETNODE, zone, real_name);
+	}
+
+	res = db_query(state, dbi, query);
+	free(query);
+
+	if (res == NULL) {
+		free(real_name);
+		return (ISC_R_NOTFOUND);
+	}
+
+	while ((row = mysql_fetch_row(res)) != NULL) {
+		int ttl;
+		sscanf(row[2], "%d", &ttl);
+		result = state->putrr(lookup, row[0], ttl, row[1]);
+		if (result != ISC_R_SUCCESS) {
+			free(real_name);
+			mysql_free_result(res);
+			return (result);
+		}
+
+		found = true;
+	}
+
+	if (state->debug && state->log != NULL) {
+		state->log(ISC_LOG_INFO, "%s: dlz_lookup %s/%s/%s - (%d rows)",
+			   modname, name, real_name, zone, mysql_num_rows(res));
+	}
+
+	mysql_free_result(res);
+	free(real_name);
+
+	if (!found) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * See if a zone transfer is allowed
+ */
+isc_result_t
+dlz_allowzonexfr(void *dbdata, const char *name, const char *client) {
+	mysql_data_t *state = (mysql_data_t *)dbdata;
+
+	if (state->debug && state->log != NULL) {
+		state->log(ISC_LOG_INFO, "dlz_allowzonexfr: %s %s", name,
+			   client);
+	}
+
+	/* Just say yes for all our zones */
+	return (dlz_findzonedb(dbdata, name, NULL, NULL));
+}
+
+/*
+ * Perform a zone transfer
+ */
+isc_result_t
+dlz_allnodes(const char *zone, void *dbdata, dns_sdlzallnodes_t *allnodes) {
+	isc_result_t result = ISC_R_SUCCESS;
+	mysql_data_t *state = (mysql_data_t *)dbdata;
+	MYSQL_RES *res;
+	MYSQL_ROW row;
+	char *query;
+
+	UNUSED(zone);
+
+	if (state->debug && (state->log != NULL)) {
+		state->log(ISC_LOG_INFO, "dlz_allnodes: %s", zone);
+	}
+
+	if (state->putnamedrr == NULL) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	/*
+	 * Get all the ZoneData for this zone
+	 */
+	query = build_query(state, NULL, Q_GETALL, zone);
+	if (query == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	res = db_query(state, NULL, query);
+	free(query);
+	if (res == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	while ((row = mysql_fetch_row(res)) != NULL) {
+		char hostname[1024];
+		int ttl;
+
+		sscanf(row[3], "%d", &ttl);
+		fqhn(row[0], zone, hostname);
+		result = state->putnamedrr(allnodes, hostname, row[1], ttl,
+					   row[2]);
+		if (result != ISC_R_SUCCESS) {
+			break;
+		}
+	}
+
+	mysql_free_result(res);
+	return (result);
+}
+
+/*
+ * Start a transaction
+ */
+isc_result_t
+dlz_newversion(const char *zone, void *dbdata, void **versionp) {
+	isc_result_t result = ISC_R_FAILURE;
+	mysql_data_t *state = (mysql_data_t *)dbdata;
+	MYSQL_RES *res;
+	MYSQL_ROW row;
+	char *query;
+	char zone_id[16];
+	mysql_transaction_t *txn = NULL, *newtx = NULL;
+
+	/*
+	 * Check Zone is writable
+	 */
+	query = build_query(state, NULL, Q_WRITEABLE, zone);
+	if (query == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	res = db_query(state, NULL, query);
+	free(query);
+	if (res == NULL) {
+		return (ISC_R_FAILURE);
+	}
+
+	if ((row = mysql_fetch_row(res)) == NULL) {
+		mysql_free_result(res);
+		return (ISC_R_FAILURE);
+	}
+
+	strcpy(zone_id, row[0]);
+	mysql_free_result(res);
+
+	/*
+	 * See if we already have a transaction for this zone
+	 */
+	dlz_mutex_lock(&state->tx_mutex);
+	for (txn = state->transactions; txn != NULL; txn = txn->next) {
+		if (strcmp(txn->zone, zone) == 0) {
+			if (state->log != NULL) {
+				state->log(ISC_LOG_ERROR,
+					   "%s: transaction already "
+					   "started for zone %s",
+					   modname, zone);
+			}
+			dlz_mutex_unlock(&state->tx_mutex);
+			return (ISC_R_FAILURE);
+		}
+	}
+
+	/*
+	 * Create new transaction
+	 */
+	newtx = (mysql_transaction_t *)calloc(1, sizeof(mysql_transaction_t));
+	if (newtx == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+	newtx->zone = strdup(zone);
+	if (newtx->zone == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+	newtx->zone_id = strdup(zone_id);
+	if (newtx->zone_id == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+	newtx->dbi = get_dbi(state);
+	newtx->next = NULL;
+
+	if (newtx->dbi == NULL) {
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+
+	result = db_execute(state, newtx->dbi, "START TRANSACTION");
+	if (result != ISC_R_SUCCESS) {
+		dlz_mutex_unlock(&newtx->dbi->mutex);
+		goto cleanup;
+	}
+
+	/*
+	 * Add this tx to front of list
+	 */
+	newtx->next = state->transactions;
+	state->transactions = newtx;
+
+	if (state->debug && (state->log != NULL)) {
+		state->log(ISC_LOG_INFO, "%s: New tx %x", modname, newtx);
+	}
+
+cleanup:
+	dlz_mutex_unlock(&state->tx_mutex);
+	if (result == ISC_R_SUCCESS) {
+		*versionp = (void *)newtx;
+	} else {
+		dlz_mutex_unlock(&state->tx_mutex);
+		if (newtx != NULL) {
+			if (newtx->zone != NULL) {
+				free(newtx->zone);
+			}
+			if (newtx->zone != NULL) {
+				free(newtx->zone_id);
+			}
+			free(newtx);
+		}
+	}
+
+	return (result);
+}
+
+/*
+ * End a transaction
+ */
+void
+dlz_closeversion(const char *zone, bool commit, void *dbdata, void **versionp) {
+	isc_result_t result;
+	mysql_data_t *state = (mysql_data_t *)dbdata;
+	mysql_transaction_t *txn = (mysql_transaction_t *)*versionp;
+	mysql_transaction_t *txp;
+	char *query;
+	MYSQL_RES *res;
+	MYSQL_ROW row;
+
+	/*
+	 * Find the transaction
+	 */
+	dlz_mutex_lock(&state->tx_mutex);
+	if (state->transactions == txn) {
+		/* Tx is first in list; remove it. */
+		state->transactions = txn->next;
+	} else {
+		txp = state->transactions;
+		while (txp != NULL) {
+			if (txp->next != NULL) {
+				if (txp->next == txn) {
+					txp->next = txn->next;
+					break;
+				}
+			}
+			if (txp == txn) {
+				txp = txn->next;
+				break;
+			}
+			txp = txp->next;
+		}
+	}
+
+	/*
+	 * Tidy up
+	 */
+	dlz_mutex_unlock(&state->tx_mutex);
+	*versionp = NULL;
+
+	if (commit) {
+		int oldsn = 0, newsn = 0;
+
+		/*
+		 * Find out the serial number of the zone out with the
+		 * transaction so we can see if it has incremented or not
+		 */
+		query = build_query(state, txn->dbi, Q_GETSERIAL, zone);
+		if (query == NULL && state->log != NULL) {
+			state->log(ISC_LOG_ERROR,
+				   "%s: unable to commit transaction %x "
+				   "on zone %s: no memory",
+				   modname, txn, zone);
+			return;
+		}
+
+		res = db_query(state, txn->dbi, query);
+		if (res != NULL) {
+			while ((row = mysql_fetch_row(res)) != NULL) {
+				sscanf(row[0], "%d", &oldsn);
+			}
+			mysql_free_result(res);
+		}
+
+		/*
+		 * Commit the transaction to the database
+		 */
+		result = db_execute(state, txn->dbi, "COMMIT");
+		if (result != ISC_R_SUCCESS && state->log != NULL) {
+			state->log(ISC_LOG_INFO,
+				   "%s: (%x) commit transaction on zone %s",
+				   modname, txn, zone);
+			return;
+		}
+
+		if (state->debug && state->log != NULL) {
+			state->log(ISC_LOG_INFO,
+				   "%s: (%x) committing transaction "
+				   "on zone %s",
+				   modname, txn, zone);
+		}
+
+		/*
+		 * Now get the serial number again
+		 */
+		query = build_query(state, txn->dbi, Q_GETSERIAL, zone);
+		res = db_query(state, txn->dbi, query);
+		free(query);
+
+		if (res != NULL) {
+			while ((row = mysql_fetch_row(res)) != NULL) {
+				sscanf(row[0], "%d", &newsn);
+			}
+			mysql_free_result(res);
+		}
+
+		/*
+		 * Look to see if serial numbers have changed
+		 */
+		if (newsn > oldsn) {
+			notify(state, zone, newsn);
+		}
+	} else {
+		result = db_execute(state, txn->dbi, "ROLLBACK");
+		if (state->debug && (state->log != NULL)) {
+			state->log(ISC_LOG_INFO,
+				   "%s: (%x) roll back transaction on zone %s",
+				   modname, txn, zone);
+		}
+	}
+
+	/*
+	 * Unlock the mutex for this txn
+	 */
+	dlz_mutex_unlock(&txn->dbi->mutex);
+
+	/*
+	 * Free up other structures
+	 */
+	free(txn->zone);
+	free(txn->zone_id);
+	free(txn);
+}
+
+/*
+ * Configure a writeable zone
+ */
+#if DLZ_DLOPEN_VERSION < 3
+isc_result_t
+dlz_configure(dns_view_t *view, void *dbdata)
+#else  /* DLZ_DLOPEN_VERSION >= 3 */
+isc_result_t
+dlz_configure(dns_view_t *view, dns_dlzdb_t *dlzdb, void *dbdata)
+#endif /* DLZ_DLOPEN_VERSION */
+{
+	mysql_data_t *state = (mysql_data_t *)dbdata;
+	isc_result_t result;
+	MYSQL_RES *res;
+	MYSQL_ROW row;
+	int count;
+
+	/*
+	 * Seed PRNG (used by Notify code)
+	 */
+	srand(getpid());
+
+	if (state->debug && state->log != NULL) {
+		state->log(ISC_LOG_INFO, "%s: dlz_confgure", modname);
+	}
+
+	if (state->writeable_zone == NULL) {
+		if (state->log != NULL) {
+			state->log(ISC_LOG_ERROR,
+				   "%s: no writeable_zone method available",
+				   modname);
+		}
+		return (ISC_R_FAILURE);
+	}
+
+	/*
+	 * Get a list of Zones (ignore writeable column at this point)
+	 */
+	res = db_query(state, NULL, Q_GETZONES);
+	if (res == NULL) {
+		return (ISC_R_FAILURE);
+	}
+
+	count = 0;
+	while ((row = mysql_fetch_row(res)) != NULL) {
+		int sn;
+		sscanf(row[1], "%d", &sn);
+		notify(state, row[0], sn);
+		result = state->writeable_zone(view,
+#if DLZ_DLOPEN_VERSION >= 3
+					       dlzdb,
+#endif /* if DLZ_DLOPEN_VERSION >= 3 */
+					       row[0]);
+		if (result != ISC_R_SUCCESS) {
+			if (state->log != NULL) {
+				state->log(ISC_LOG_ERROR,
+					   "%s: failed to configure zone %s",
+					   modname, row[0]);
+			}
+			mysql_free_result(res);
+			return (result);
+		}
+		count++;
+	}
+	mysql_free_result(res);
+
+	if (state->debug && state->log != NULL) {
+		state->log(ISC_LOG_INFO, "%s: configured %d zones", modname,
+			   count);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Authorize a zone update
+ */
+bool
+dlz_ssumatch(const char *signer, const char *name, const char *tcpaddr,
+	     const char *type, const char *key, uint32_t keydatalen,
+	     unsigned char *keydata, void *dbdata) {
+	mysql_data_t *state = (mysql_data_t *)dbdata;
+
+	UNUSED(tcpaddr);
+	UNUSED(type);
+	UNUSED(keydatalen);
+	UNUSED(keydata);
+	UNUSED(key);
+
+	if (state->debug && state->log != NULL) {
+		state->log(ISC_LOG_INFO, "%s: allowing update of %s by key %s",
+			   modname, name, signer);
+	}
+	return (true);
+}
+
+isc_result_t
+dlz_addrdataset(const char *name, const char *rdatastr, void *dbdata,
+		void *version) {
+	mysql_data_t *state = (mysql_data_t *)dbdata;
+	mysql_transaction_t *txn = (mysql_transaction_t *)version;
+	char *new_name, *query;
+	mysql_record_t *record;
+	isc_result_t result;
+
+	if (txn == NULL) {
+		return (ISC_R_FAILURE);
+	}
+
+	new_name = relname(name, txn->zone);
+	if (new_name == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	if (state->debug && (state->log != NULL)) {
+		state->log(ISC_LOG_INFO, "%s: add (%x) %s (as %s) %s", modname,
+			   version, name, new_name, rdatastr);
+	}
+
+	record = makerecord(state, new_name, rdatastr);
+	free(new_name);
+	if (record == NULL) {
+		return (ISC_R_FAILURE);
+	}
+
+	/* Write out data to database */
+	if (strcasecmp(record->type, "SOA") != 0) {
+		query = build_query(state, txn->dbi, I_DATA, txn->zone_id,
+				    record->name, record->type, record->data,
+				    record->ttl);
+		if (query == NULL) {
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+		result = db_execute(state, txn->dbi, query);
+		free(query);
+	} else {
+		/*
+		 * This is an SOA record, so we update: it must exist,
+		 * or we wouldn't have gotten this far.
+		 * SOA: zone admin serial refresh retry expire min
+		 */
+		char sn[32];
+		sscanf(record->data, "%*s %*s %31s %*s %*s %*s %*s", sn);
+		query = build_query(state, txn->dbi, U_SERIAL, sn,
+				    txn->zone_id);
+		if (query == NULL) {
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+		result = db_execute(state, txn->dbi, query);
+		free(query);
+	}
+
+cleanup:
+	free(record);
+	return (result);
+}
+
+isc_result_t
+dlz_subrdataset(const char *name, const char *rdatastr, void *dbdata,
+		void *version) {
+	mysql_data_t *state = (mysql_data_t *)dbdata;
+	mysql_transaction_t *txn = (mysql_transaction_t *)version;
+	char *new_name, *query;
+	mysql_record_t *record;
+	isc_result_t result;
+
+	if (txn == NULL) {
+		return (ISC_R_FAILURE);
+	}
+
+	new_name = relname(name, txn->zone);
+	if (new_name == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	if (state->debug && (state->log != NULL)) {
+		state->log(ISC_LOG_INFO, "%s: sub (%x) %s %s", modname, version,
+			   name, rdatastr);
+	}
+
+	record = makerecord(state, new_name, rdatastr);
+	free(new_name);
+	if (record == NULL) {
+		return (ISC_R_FAILURE);
+	}
+	/*
+	 * If 'type' isn't 'SOA', delete the records
+	 */
+	if (strcasecmp(record->type, "SOA") == 0) {
+		result = ISC_R_SUCCESS;
+	} else {
+		query = build_query(state, txn->dbi, D_RECORD, txn->zone_id,
+				    record->name, record->type, record->data,
+				    record->ttl);
+		if (query == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+
+		result = db_execute(state, txn->dbi, query);
+		free(query);
+	}
+
+cleanup:
+	free(record);
+	return (result);
+}
+
+isc_result_t
+dlz_delrdataset(const char *name, const char *type, void *dbdata,
+		void *version) {
+	mysql_data_t *state = (mysql_data_t *)dbdata;
+	mysql_transaction_t *txn = (mysql_transaction_t *)version;
+	char *new_name, *query;
+	isc_result_t result;
+
+	if (txn == NULL) {
+		return (ISC_R_FAILURE);
+	}
+
+	new_name = relname(name, txn->zone);
+	if (new_name == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	if (state->debug && (state->log != NULL)) {
+		state->log(ISC_LOG_INFO, "%s: del (%x) %s %s", modname, version,
+			   name, type);
+	}
+
+	query = build_query(state, txn->dbi, D_RRSET, txn->zone_id, new_name,
+			    type);
+	if (query == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+
+	result = db_execute(state, txn->dbi, query);
+	free(query);
+
+cleanup:
+	free(new_name);
+	return (result);
+}
diff --git a/contrib/dlz/modules/mysqldyn/testing/README b/contrib/dlz/modules/mysqldyn/testing/README
new file mode 100644
index 0000000..862ec6f
--- /dev/null
+++ b/contrib/dlz/modules/mysqldyn/testing/README
@@ -0,0 +1,11 @@
+These files were used for testing on Ubuntu Linux using MySQL
+
+To set up a test server:
+- Install MySQL: sudo apt-get install mysql-server
+- Run "mysql --user=USER --password=PASSWORD < dlz.schema" to set up database
+- Run "mysql --user=USER --password=PASSWORD < dlz.data" to populate it
+- Update named.conf with correct USER and PASSWORD
+- Generate a TSIG key: "ddns-confgen -qz example.com"
+
+To query the database, use "dig -p 5300 @localhost"
+To send dynamic updates, use "nsupdate -p 5300 -k ddns.key"
diff --git a/contrib/dlz/modules/mysqldyn/testing/dlz.data b/contrib/dlz/modules/mysqldyn/testing/dlz.data
new file mode 100644
index 0000000..068ad7a
--- /dev/null
+++ b/contrib/dlz/modules/mysqldyn/testing/dlz.data
@@ -0,0 +1,18 @@
+use BindDB;
+insert into `Zones`
+    ( `id`, `domain`, `host`, `admin`, `serial`, `expire`,
+    `refresh`, `retry`, `minimum`, `ttl`, `writeable`) VALUES
+    (1, 'example.com', '@', 'info', 2014040100, 10800,
+    7200, 604800, 86400, 86400, 1);
+
+insert into `ZoneData`
+    (`id`, `zone_id`, `name`, `type`, `data`) VALUES
+    ('', 1, '@', 'NS', 'ns1.example.com.'),
+    ('', 1, '@', 'NS', 'ns2.example.com.'),
+    ('', 1, '@', 'MX', '10 mail.example.com.'),
+    ('', 1, '@', 'A', '192.168.0.2'),
+    ('', 1, '@', 'TXT', '"v=spf1 ip:192.168.0.3 ~all"'),
+    ('', 1, 'www', 'CNAME', 'example.com.'),
+    ('', 1, 'mail', 'A', '192.168.0.3'),
+    ('', 1, 'ns1', 'A', '192.168.1.111'),
+    ('', 1, 'ns2', 'A', '192.168.1.222');
diff --git a/contrib/dlz/modules/mysqldyn/testing/dlz.schema b/contrib/dlz/modules/mysqldyn/testing/dlz.schema
new file mode 100644
index 0000000..a28f912
--- /dev/null
+++ b/contrib/dlz/modules/mysqldyn/testing/dlz.schema
@@ -0,0 +1,31 @@
+CREATE DATABASE `BindDB` DEFAULT CHARACTER SET latin1;
+USE `BindDB`;
+
+CREATE TABLE `ZoneData` (
+    `id` int(11) NOT NULL AUTO_INCREMENT,
+    `zone_id` int(11) NOT NULL,
+    `name` varchar(128) NOT NULL DEFAULT '',
+    `type` varchar(16) NOT NULL DEFAULT '',
+    `data` varchar(128) NOT NULL DEFAULT '',
+    `ttl` int(11) NOT NULL DEFAULT '86400',
+    PRIMARY KEY (`id`),
+    KEY `zone_idx` (`zone_id`),
+    KEY `name_idx` (`zone_id`, `name`),
+    KEY `type_idx` (`type`)
+) ENGINE=InnoDB DEFAULT CHARSET=latin1;
+
+CREATE TABLE `Zones` (
+    `id` int(11) NOT NULL AUTO_INCREMENT,
+    `domain` varchar(128) NOT NULL DEFAULT '',
+    `host` varchar(128) NOT NULL DEFAULT '',
+    `admin` varchar(128) NOT NULL DEFAULT '',
+    `serial` int(11) NOT NULL DEFAULT '1',
+    `expire` int(11) NOT NULL DEFAULT '86400',
+    `refresh` int(11) NOT NULL DEFAULT '86400',
+    `retry` int(11) NOT NULL DEFAULT '86400',
+    `minimum` int(11) NOT NULL DEFAULT '86400',
+    `ttl` int(11) NOT NULL DEFAULT '86400',
+    `writeable` tinyint(1) NOT NULL DEFAULT '0',
+    PRIMARY KEY (`id`),
+    KEY `domain_idx` (`domain`)
+) ENGINE=InnoDB DEFAULT CHARSET=latin1;
diff --git a/contrib/dlz/modules/mysqldyn/testing/named.conf b/contrib/dlz/modules/mysqldyn/testing/named.conf
new file mode 100644
index 0000000..8131d9c
--- /dev/null
+++ b/contrib/dlz/modules/mysqldyn/testing/named.conf
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+controls { };
+
+options {
+	directory ".";
+	port 5300;
+	pid-file "named.pid";
+	session-keyfile "session.key";
+	listen-on { any; };
+	listen-on-v6 { none; };
+	recursion no;
+};
+
+include "ddns.key";
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-md5;
+};
+
+controls {
+	inet 127.0.0.1 port 9953 allow { any; } keys { rndc_key; };
+};
+
+dlz "test" {
+	database "dlopen ../dlz_mysqldyn_mod.so BindDB localhost root password";
+};
diff --git a/contrib/dlz/modules/perl/Makefile b/contrib/dlz/modules/perl/Makefile
new file mode 100644
index 0000000..ec99e00
--- /dev/null
+++ b/contrib/dlz/modules/perl/Makefile
@@ -0,0 +1,63 @@
+# Copyright Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+# Copyright (C) Stichting NLnet, Netherlands, stichting@nlnet.nl.
+# Copyright (C) John Eaglesham
+#
+# The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
+# conceived and contributed by Rob Butler.
+#
+# SPDX-License-Identifier: ISC and MPL-2.0
+#
+# Permission to use, copy, modify, and distribute this software for any purpose
+# with or without fee is hereby granted, provided that the above copyright
+# notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND STICHTING NLNET DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL STICHTING NLNET BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+# OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+# CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+# For building the dlz_perl_driver driver we don't use
+# the bind9 build structure as the aim is to provide an
+# perl_driver that is separable from the bind9 source tree
+
+CFLAGS += -fPIC -O2 -I../include
+FLAGS_PERL ?= perl
+LIBNAME = dlz_perl_driver.so
+
+all: $(LIBNAME)
+
+dlz_perl_driver.o: dlz_perl_driver.c
+	$(CC) $(CFLAGS) `${FLAGS_PERL} -MExtUtils::Embed -e ccopts` -c -o dlz_perl_driver.o dlz_perl_driver.c
+
+
+dlz_perl_callback_clientinfo.c: dlz_perl_callback_clientinfo.xs
+	${FLAGS_PERL} `${FLAGS_PERL} -MConfig -le 'print $$Config{privlibexp}'`/ExtUtils/xsubpp -prototypes -typemap `${FLAGS_PERL} -MConfig -le 'print $$Config{privlibexp}'`/ExtUtils/typemap dlz_perl_callback_clientinfo.xs > dlz_perl_callback_clientinfo.c
+
+dlz_perl_callback_clientinfo.o: dlz_perl_callback_clientinfo.c
+	$(CC) $(CFLAGS) `${FLAGS_PERL} -MExtUtils::Embed -e ccopts` -c -o dlz_perl_callback_clientinfo.o dlz_perl_callback_clientinfo.c
+
+
+dlz_perl_callback.c: dlz_perl_callback.xs
+	${FLAGS_PERL} `${FLAGS_PERL} -MConfig -le 'print $$Config{privlibexp}'`/ExtUtils/xsubpp -prototypes -typemap `${FLAGS_PERL} -MConfig -le 'print $$Config{privlibexp}'`/ExtUtils/typemap dlz_perl_callback.xs > dlz_perl_callback.c
+
+dlz_perl_callback.o: dlz_perl_callback.c
+	$(CC) $(CFLAGS) `${FLAGS_PERL} -MExtUtils::Embed -e ccopts` -c -o dlz_perl_callback.o dlz_perl_callback.c
+
+
+$(LIBNAME): dlz_perl_driver.o dlz_perl_callback_clientinfo.o dlz_perl_callback.o
+	$(CC) $(LDFLAGS) -shared -o $(LIBNAME) dlz_perl_driver.o dlz_perl_callback_clientinfo.o dlz_perl_callback.o `${FLAGS_PERL} -MExtUtils::Embed -e ldopts`
+
+clean:
+	rm -f dlz_perl_driver.o dlz_perl_driver.so dlz_perl_callback_clientinfo.c dlz_perl_callback_clientinfo.o dlz_perl_callback.c dlz_perl_callback.o
+
+install: dlz_perl_driver.so
+	mkdir -p $(DESTDIR)$(libdir)
+	install dlz_perl_driver.so $(DESTDIR)$(libdir)
diff --git a/contrib/dlz/modules/perl/README b/contrib/dlz/modules/perl/README
new file mode 100644
index 0000000..324054a
--- /dev/null
+++ b/contrib/dlz/modules/perl/README
@@ -0,0 +1,38 @@
+<!--
+Copyright Internet Systems Consortium, Inc. ("ISC")
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+Copyright (C) Stichting NLnet, Netherlands, stichting@nlnet.nl.
+Copyright (C) John Eaglesham
+
+The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
+conceived and contributed by Rob Butler.
+
+SPDX-License-Identifier: ISC and MPL-2.0
+
+Permission to use, copy, modify, and distribute this software for any purpose
+with or without fee is hereby granted, provided that the above copyright
+notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND STICHTING NLNET DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL STICHTING NLNET BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+-->
+
+
+BIND 9 DLZ Perl module (bind-dlz-tools)
+
+Written by John Eaglesham <dns@8192.net>
+
+A dynamically loadable zone (DLZ) plugin embedding a Perl
+interpreter in BIND, allowing Perl scripts to be written to
+integrate with BIND and serve DNS data.
+
+More information/updates at http://bind-dlz-tools.sourceforge.net/
diff --git a/contrib/dlz/modules/perl/dlz_perl_callback.xs b/contrib/dlz/modules/perl/dlz_perl_callback.xs
new file mode 100644
index 0000000..0b9f504
--- /dev/null
+++ b/contrib/dlz/modules/perl/dlz_perl_callback.xs
@@ -0,0 +1,88 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 and ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+
+/*
+ * Copyright (C) Stichting NLnet, Netherlands, stichting@nlnet.nl.
+ * Copyright (C) John Eaglesham
+ *
+ * The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
+ * conceived and contributed by Rob Butler.
+ *
+ * Permission to use, copy, modify, and distribute this software for any purpose
+ * with or without fee is hereby granted, provided that the above copyright
+ * notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+ * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "EXTERN.h"
+#include "perl.h"
+#include "XSUB.h"
+#include "dlz_perl_driver.h"
+
+#include <dlz_minimal.h>
+
+/* And some XS code. */
+MODULE = DLZ_Perl	   PACKAGE = DLZ_Perl
+
+int
+LOG_INFO()
+	CODE:
+		RETVAL = ISC_LOG_INFO;
+	OUTPUT:
+		RETVAL
+
+int
+LOG_NOTICE()
+	CODE:
+		RETVAL = ISC_LOG_NOTICE;
+	OUTPUT:
+		RETVAL
+
+int
+LOG_WARNING()
+	CODE:
+		RETVAL = ISC_LOG_WARNING;
+	OUTPUT:
+		RETVAL
+
+int
+LOG_ERROR()
+	CODE:
+		RETVAL = ISC_LOG_ERROR;
+	OUTPUT:
+		RETVAL
+
+int
+LOG_CRITICAL()
+	CODE:
+		RETVAL = ISC_LOG_CRITICAL;
+	OUTPUT:
+		RETVAL
+
+
+void
+log(opaque, level, msg)
+	IV opaque
+	int level
+	char *msg
+
+	PREINIT:
+		log_t *log = (log_t *) opaque;
+
+	CODE:
+		log( level, msg );
+
diff --git a/contrib/dlz/modules/perl/dlz_perl_callback_clientinfo.xs b/contrib/dlz/modules/perl/dlz_perl_callback_clientinfo.xs
new file mode 100644
index 0000000..22aec66
--- /dev/null
+++ b/contrib/dlz/modules/perl/dlz_perl_callback_clientinfo.xs
@@ -0,0 +1,94 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 and ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+
+/*
+ * Copyright (C) Stichting NLnet, Netherlands, stichting@nlnet.nl.
+ * Copyright (C) John Eaglesham
+ *
+ * The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
+ * conceived and contributed by Rob Butler.
+ *
+ * Permission to use, copy, modify, and distribute this software for any purpose
+ * with or without fee is hereby granted, provided that the above copyright
+ * notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+ * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#define ADDR_BUF_LEN INET6_ADDRSTRLEN
+
+#include "EXTERN.h"
+#include "perl.h"
+#include "XSUB.h"
+#include "dlz_perl_driver.h"
+
+#include <dlz_minimal.h>
+
+/* And some XS code. */
+MODULE = DLZ_Perl::clientinfo	   PACKAGE = DLZ_Perl::clientinfo
+
+PROTOTYPES: DISABLE
+
+void
+sourceip(opaque)
+	SV *opaque
+
+	PREINIT:
+		const char *ret;
+		char addr_buf[ADDR_BUF_LEN];
+		int port;
+		isc_sockaddr_t *src;
+		dlz_perl_clientinfo_opaque *ci;
+		I32 wantarray = GIMME_V;
+
+	PPCODE:
+		if (!SvTRUE(opaque) || !SvIOK(opaque)) XSRETURN_EMPTY;
+
+                /*
+                 * Safe, because Perl guarantees that an IV (the type we
+                 * pass into DLZ functions who pass it here) is able to
+                 * hold a pointer.
+                 */
+		ci = (dlz_perl_clientinfo_opaque *) SvIV(opaque);
+		if (wantarray == G_VOID || ci->methods == NULL ||
+			ci->methods->version - ci->methods->age <
+			DNS_CLIENTINFOMETHODS_VERSION)
+			XSRETURN_EMPTY;
+
+		ci->methods->sourceip(ci->clientinfo, &src);
+
+		switch (src->type.sa.sa_family) {
+			case AF_INET:
+				port = ntohs(src->type.sin.sin_port);
+				ret = inet_ntop(AF_INET,
+                                                &src->type.sin.sin_addr,
+                                                addr_buf, ADDR_BUF_LEN);
+				break;
+			case AF_INET6:
+				port = ntohs(src->type.sin6.sin6_port);
+				ret = inet_ntop(AF_INET6,
+                                                &src->type.sin6.sin6_addr,
+                                                addr_buf, ADDR_BUF_LEN);
+				break;
+			default:
+				ret = NULL;
+		}
+
+		if (ret == NULL) XSRETURN_EMPTY;
+
+		XPUSHs(sv_2mortal(newSVpv(addr_buf, strlen(addr_buf))));
+		if (wantarray == G_ARRAY) XPUSHs(sv_2mortal(newSViv(port)));
+
diff --git a/contrib/dlz/modules/perl/dlz_perl_driver.c b/contrib/dlz/modules/perl/dlz_perl_driver.c
new file mode 100644
index 0000000..b99b296
--- /dev/null
+++ b/contrib/dlz/modules/perl/dlz_perl_driver.c
@@ -0,0 +1,715 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 and ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+
+/*
+ * Copyright (C) Stichting NLnet, Netherlands, stichting@nlnet.nl.
+ * Copyright (C) John Eaglesham
+ *
+ * The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
+ * conceived and contributed by Rob Butler.
+ *
+ * Permission to use, copy, modify, and distribute this software for any purpose
+ * with or without fee is hereby granted, provided that the above copyright
+ * notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+ * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "dlz_perl_driver.h"
+#include <EXTERN.h>
+#include <perl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <dlz_minimal.h>
+
+#define BUF_LEN 64 /* Should be big enough, right? hah */
+
+/* Enable debug logging? */
+#if 0
+#define carp(...) cd->log(ISC_LOG_INFO, __VA_ARGS__);
+#else /* if 0 */
+#define carp(...)
+#endif /* if 0 */
+
+#ifndef MULTIPLICITY
+/* This is a pretty terrible work-around for handling HUP/rndc reconfig, but
+ * the way BIND/DLZ handles reloads causes it to create a second back end
+ * before removing the first. In the case of a single global interpreter,
+ * serious problems arise. We can hack around this, but it's much better to do
+ * it properly and link against a perl compiled with multiplicity. */
+static PerlInterpreter *global_perl = NULL;
+static int global_perl_dont_free = 0;
+#endif /* ifndef MULTIPLICITY */
+
+typedef struct config_data {
+	PerlInterpreter *perl;
+	char *perl_source;
+	SV *perl_class;
+
+	/* Functions given to us by bind9 */
+	log_t *log;
+	dns_sdlz_putrr_t *putrr;
+	dns_sdlz_putnamedrr_t *putnamedrr;
+	dns_dlz_writeablezone_t *writeable_zone;
+} config_data_t;
+
+/* Note, this code generates warnings due to lost type qualifiers.  This code
+ * is (almost) verbatim from perlembed, and is known to work correctly despite
+ * the warnings.
+ */
+EXTERN_C void xs_init(pTHX);
+EXTERN_C void
+boot_DynaLoader(pTHX_ CV *cv);
+EXTERN_C void
+boot_DLZ_Perl__clientinfo(pTHX_ CV *cv);
+EXTERN_C void
+boot_DLZ_Perl(pTHX_ CV *cv);
+EXTERN_C void
+xs_init(pTHX) {
+	const char *file = __FILE__;
+	dXSUB_SYS;
+
+	/* DynaLoader is a special case */
+	newXS("DynaLoader::boot_DynaLoader", boot_DynaLoader, file);
+	newXS("DLZ_Perl::clientinfo::bootstrap", boot_DLZ_Perl__clientinfo,
+	      file);
+	newXS("DLZ_Perl::bootstrap", boot_DLZ_Perl, file);
+}
+
+/*
+ * methods
+ */
+
+/*
+ * remember a helper function, from the bind9 dlz_dlopen driver
+ */
+static void
+b9_add_helper(config_data_t *state, const char *helper_name, void *ptr) {
+	if (strcmp(helper_name, "log") == 0) {
+		state->log = ptr;
+	}
+	if (strcmp(helper_name, "putrr") == 0) {
+		state->putrr = ptr;
+	}
+	if (strcmp(helper_name, "putnamedrr") == 0) {
+		state->putnamedrr = ptr;
+	}
+	if (strcmp(helper_name, "writeable_zone") == 0) {
+		state->writeable_zone = ptr;
+	}
+}
+
+int
+dlz_version(unsigned int *flags) {
+	UNUSED(flags);
+	return (DLZ_DLOPEN_VERSION);
+}
+
+isc_result_t
+dlz_allnodes(const char *zone, void *dbdata, dns_sdlzallnodes_t *allnodes) {
+	config_data_t *cd = (config_data_t *)dbdata;
+	isc_result_t retval;
+	int rrcount, r;
+	SV *record_ref;
+	SV **rr_name;
+	SV **rr_type;
+	SV **rr_ttl;
+	SV **rr_data;
+#ifdef MULTIPLICITY
+	PerlInterpreter *my_perl = cd->perl;
+#endif /* ifdef MULTIPLICITY */
+	dSP;
+
+	PERL_SET_CONTEXT(cd->perl);
+	ENTER;
+	SAVETMPS;
+
+	PUSHMARK(SP);
+	XPUSHs(cd->perl_class);
+	XPUSHs(sv_2mortal(newSVpv(zone, 0)));
+	PUTBACK;
+
+	carp("DLZ Perl: Calling allnodes for zone %s", zone);
+	rrcount = call_method("allnodes", G_ARRAY | G_EVAL);
+	carp("DLZ Perl: Call to allnodes returned rrcount of %i", rrcount);
+
+	SPAGAIN;
+
+	if (SvTRUE(ERRSV)) {
+		(void)POPs;
+		cd->log(ISC_LOG_ERROR,
+			"DLZ Perl: allnodes for zone %s died in eval: %s", zone,
+			SvPV_nolen(ERRSV));
+		retval = ISC_R_FAILURE;
+		goto CLEAN_UP_AND_RETURN;
+	}
+
+	if (!rrcount) {
+		retval = ISC_R_NOTFOUND;
+		goto CLEAN_UP_AND_RETURN;
+	}
+
+	retval = ISC_R_SUCCESS;
+	r = 0;
+	while (r++ < rrcount) {
+		record_ref = POPs;
+		if ((!SvROK(record_ref)) ||
+		    (SvTYPE(SvRV(record_ref)) != SVt_PVAV))
+		{
+			cd->log(ISC_LOG_ERROR,
+				"DLZ Perl: allnodes for zone %s "
+				"returned an invalid value "
+				"(expected array of arrayrefs)",
+				zone);
+			retval = ISC_R_FAILURE;
+			break;
+		}
+
+		record_ref = SvRV(record_ref);
+
+		rr_name = av_fetch((AV *)record_ref, 0, 0);
+		rr_type = av_fetch((AV *)record_ref, 1, 0);
+		rr_ttl = av_fetch((AV *)record_ref, 2, 0);
+		rr_data = av_fetch((AV *)record_ref, 3, 0);
+
+		if (rr_name == NULL || rr_type == NULL || rr_ttl == NULL ||
+		    rr_data == NULL)
+		{
+			cd->log(ISC_LOG_ERROR,
+				"DLZ Perl: allnodes for zone %s "
+				"returned an array that was missing data",
+				zone);
+			retval = ISC_R_FAILURE;
+			break;
+		}
+
+		carp("DLZ Perl: Got record %s/%s = %s", SvPV_nolen(*rr_name),
+		     SvPV_nolen(*rr_type), SvPV_nolen(*rr_data));
+		retval = cd->putnamedrr(allnodes, SvPV_nolen(*rr_name),
+					SvPV_nolen(*rr_type), SvIV(*rr_ttl),
+					SvPV_nolen(*rr_data));
+		if (retval != ISC_R_SUCCESS) {
+			cd->log(ISC_LOG_ERROR,
+				"DLZ Perl: putnamedrr in allnodes "
+				"for zone %s failed with code %i "
+				"(did lookup return invalid record data?)",
+				zone, retval);
+			break;
+		}
+	}
+
+CLEAN_UP_AND_RETURN:
+	PUTBACK;
+	FREETMPS;
+	LEAVE;
+
+	carp("DLZ Perl: Returning from allnodes, r = %i, retval = %i", r,
+	     retval);
+
+	return (retval);
+}
+
+isc_result_t
+dlz_allowzonexfr(void *dbdata, const char *name, const char *client) {
+	config_data_t *cd = (config_data_t *)dbdata;
+	int r;
+	isc_result_t retval;
+#ifdef MULTIPLICITY
+	PerlInterpreter *my_perl = cd->perl;
+#endif /* ifdef MULTIPLICITY */
+	dSP;
+
+	PERL_SET_CONTEXT(cd->perl);
+	ENTER;
+	SAVETMPS;
+
+	PUSHMARK(SP);
+	XPUSHs(cd->perl_class);
+	XPUSHs(sv_2mortal(newSVpv(name, 0)));
+	XPUSHs(sv_2mortal(newSVpv(client, 0)));
+	PUTBACK;
+
+	r = call_method("allowzonexfr", G_SCALAR | G_EVAL);
+	SPAGAIN;
+
+	if (SvTRUE(ERRSV)) {
+		/*
+		 * On error there's an undef at the top of the stack. Pop
+		 * it away so we don't leave junk on the stack for the next
+		 * caller.
+		 */
+		(void)POPs;
+		cd->log(ISC_LOG_ERROR,
+			"DLZ Perl: allowzonexfr died in eval: %s",
+			SvPV_nolen(ERRSV));
+		retval = ISC_R_FAILURE;
+	} else if (r == 0) {
+		/* Client returned nothing -- zone not found. */
+		retval = ISC_R_NOTFOUND;
+	} else if (r > 1) {
+		/* Once again, clean out the stack when possible. */
+		while (r--) {
+			POPi;
+		}
+		cd->log(ISC_LOG_ERROR, "DLZ Perl: allowzonexfr returned too "
+				       "many parameters!");
+		retval = ISC_R_FAILURE;
+	} else {
+		/*
+		 * Client returned true/false -- we're authoritative for
+		 * the zone.
+		 */
+		r = POPi;
+		if (r) {
+			retval = ISC_R_SUCCESS;
+		} else {
+			retval = ISC_R_NOPERM;
+		}
+	}
+
+	PUTBACK;
+	FREETMPS;
+	LEAVE;
+	return (retval);
+}
+
+#if DLZ_DLOPEN_VERSION < 3
+isc_result_t
+dlz_findzonedb(void *dbdata, const char *name)
+#else  /* if DLZ_DLOPEN_VERSION < 3 */
+isc_result_t
+dlz_findzonedb(void *dbdata, const char *name, dns_clientinfomethods_t *methods,
+	       dns_clientinfo_t *clientinfo)
+#endif /* if DLZ_DLOPEN_VERSION < 3 */
+{
+	config_data_t *cd = (config_data_t *)dbdata;
+	int r;
+	isc_result_t retval;
+#ifdef MULTIPLICITY
+	PerlInterpreter *my_perl = cd->perl;
+#endif /* ifdef MULTIPLICITY */
+
+#if DLZ_DLOPEN_VERSION >= 3
+	UNUSED(methods);
+	UNUSED(clientinfo);
+#endif /* if DLZ_DLOPEN_VERSION >= 3 */
+
+	dSP;
+	carp("DLZ Perl: findzone looking for '%s'", name);
+
+	PERL_SET_CONTEXT(cd->perl);
+	ENTER;
+	SAVETMPS;
+
+	PUSHMARK(SP);
+	XPUSHs(cd->perl_class);
+	XPUSHs(sv_2mortal(newSVpv(name, 0)));
+	PUTBACK;
+
+	r = call_method("findzone", G_SCALAR | G_EVAL);
+	SPAGAIN;
+
+	if (SvTRUE(ERRSV)) {
+		/*
+		 * On error there's an undef at the top of the stack. Pop
+		 * it away so we don't leave junk on the stack for the next
+		 * caller.
+		 */
+		(void)POPs;
+		cd->log(ISC_LOG_ERROR, "DLZ Perl: findzone died in eval: %s",
+			SvPV_nolen(ERRSV));
+		retval = ISC_R_FAILURE;
+	} else if (r == 0) {
+		retval = ISC_R_FAILURE;
+	} else if (r > 1) {
+		/* Once again, clean out the stack when possible. */
+		while (r--) {
+			POPi;
+		}
+		cd->log(ISC_LOG_ERROR, "DLZ Perl: findzone returned too many "
+				       "parameters!");
+		retval = ISC_R_FAILURE;
+	} else {
+		r = POPi;
+		if (r) {
+			retval = ISC_R_SUCCESS;
+		} else {
+			retval = ISC_R_NOTFOUND;
+		}
+	}
+
+	PUTBACK;
+	FREETMPS;
+	LEAVE;
+	return (retval);
+}
+
+#if DLZ_DLOPEN_VERSION == 1
+isc_result_t
+dlz_lookup(const char *zone, const char *name, void *dbdata,
+	   dns_sdlzlookup_t *lookup)
+#else  /* if DLZ_DLOPEN_VERSION == 1 */
+isc_result_t
+dlz_lookup(const char *zone, const char *name, void *dbdata,
+	   dns_sdlzlookup_t *lookup, dns_clientinfomethods_t *methods,
+	   dns_clientinfo_t *clientinfo)
+#endif /* if DLZ_DLOPEN_VERSION == 1 */
+{
+	isc_result_t retval;
+	config_data_t *cd = (config_data_t *)dbdata;
+	int rrcount, r;
+	dlz_perl_clientinfo_opaque opaque;
+	SV *record_ref;
+	SV **rr_type;
+	SV **rr_ttl;
+	SV **rr_data;
+#ifdef MULTIPLICITY
+	PerlInterpreter *my_perl = cd->perl;
+#endif /* ifdef MULTIPLICITY */
+
+#if DLZ_DLOPEN_VERSION >= 2
+	UNUSED(methods);
+	UNUSED(clientinfo);
+#endif /* if DLZ_DLOPEN_VERSION >= 2 */
+
+	dSP;
+	PERL_SET_CONTEXT(cd->perl);
+	ENTER;
+	SAVETMPS;
+
+	opaque.methods = methods;
+	opaque.clientinfo = clientinfo;
+
+	PUSHMARK(SP);
+	XPUSHs(cd->perl_class);
+	XPUSHs(sv_2mortal(newSVpv(name, 0)));
+	XPUSHs(sv_2mortal(newSVpv(zone, 0)));
+	XPUSHs(sv_2mortal(newSViv((IV)&opaque)));
+	PUTBACK;
+
+	carp("DLZ Perl: Searching for name %s in zone %s", name, zone);
+	rrcount = call_method("lookup", G_ARRAY | G_EVAL);
+	carp("DLZ Perl: Call to lookup returned %i", rrcount);
+
+	SPAGAIN;
+
+	if (SvTRUE(ERRSV)) {
+		(void)POPs;
+		cd->log(ISC_LOG_ERROR, "DLZ Perl: lookup died in eval: %s",
+			SvPV_nolen(ERRSV));
+		retval = ISC_R_FAILURE;
+		goto CLEAN_UP_AND_RETURN;
+	}
+
+	if (!rrcount) {
+		retval = ISC_R_NOTFOUND;
+		goto CLEAN_UP_AND_RETURN;
+	}
+
+	retval = ISC_R_SUCCESS;
+	r = 0;
+	while (r++ < rrcount) {
+		record_ref = POPs;
+		if ((!SvROK(record_ref)) ||
+		    (SvTYPE(SvRV(record_ref)) != SVt_PVAV))
+		{
+			cd->log(ISC_LOG_ERROR, "DLZ Perl: lookup returned an "
+					       "invalid value (expected array "
+					       "of arrayrefs)!");
+			retval = ISC_R_FAILURE;
+			break;
+		}
+
+		record_ref = SvRV(record_ref);
+
+		rr_type = av_fetch((AV *)record_ref, 0, 0);
+		rr_ttl = av_fetch((AV *)record_ref, 1, 0);
+		rr_data = av_fetch((AV *)record_ref, 2, 0);
+
+		if (rr_type == NULL || rr_ttl == NULL || rr_data == NULL) {
+			cd->log(ISC_LOG_ERROR,
+				"DLZ Perl: lookup for record %s in "
+				"zone %s returned an array that was "
+				"missing data",
+				name, zone);
+			retval = ISC_R_FAILURE;
+			break;
+		}
+
+		carp("DLZ Perl: Got record %s = %s", SvPV_nolen(*rr_type),
+		     SvPV_nolen(*rr_data));
+		retval = cd->putrr(lookup, SvPV_nolen(*rr_type), SvIV(*rr_ttl),
+				   SvPV_nolen(*rr_data));
+
+		if (retval != ISC_R_SUCCESS) {
+			cd->log(ISC_LOG_ERROR,
+				"DLZ Perl: putrr for lookup of %s in "
+				"zone %s failed with code %i "
+				"(did lookup return invalid record data?)",
+				name, zone, retval);
+			break;
+		}
+	}
+
+CLEAN_UP_AND_RETURN:
+	PUTBACK;
+	FREETMPS;
+	LEAVE;
+
+	carp("DLZ Perl: Returning from lookup, r = %i, retval = %i", r, retval);
+
+	return (retval);
+}
+
+static const char *
+#ifdef MULTIPLICITY
+missing_perl_method(const char *perl_class_name, PerlInterpreter *my_perl)
+#else  /* ifdef MULTIPLICITY */
+missing_perl_method(const char *perl_class_name)
+#endif /* ifdef MULTIPLICITY */
+{
+	char full_name[BUF_LEN];
+	const char *methods[] = { "new", "findzone", "lookup", NULL };
+	int i = 0;
+
+	while (methods[i] != NULL) {
+		snprintf(full_name, BUF_LEN, "%s::%s", perl_class_name,
+			 methods[i]);
+
+		if (get_cv(full_name, 0) == NULL) {
+			return (methods[i]);
+		}
+		i++;
+	}
+
+	return (NULL);
+}
+
+isc_result_t
+dlz_create(const char *dlzname, unsigned int argc, char *argv[], void **dbdata,
+	   ...) {
+	config_data_t *cd;
+	char *perlrun[] = { (char *)"", NULL, (char *)"dlz perl", NULL };
+	char *perl_class_name;
+	int r;
+	va_list ap;
+	const char *helper_name;
+	const char *missing_method_name;
+	char *call_argv_args = NULL;
+#ifdef MULTIPLICITY
+	PerlInterpreter *my_perl;
+#endif /* ifdef MULTIPLICITY */
+
+	cd = malloc(sizeof(config_data_t));
+	if (cd == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	memset(cd, 0, sizeof(config_data_t));
+
+	/* fill in the helper functions */
+	va_start(ap, dbdata);
+	while ((helper_name = va_arg(ap, const char *)) != NULL) {
+		b9_add_helper(cd, helper_name, va_arg(ap, void *));
+	}
+	va_end(ap);
+
+	if (argc < 2) {
+		cd->log(ISC_LOG_ERROR,
+			"DLZ Perl '%s': Missing script argument.", dlzname);
+		free(cd);
+		return (ISC_R_FAILURE);
+	}
+
+	if (argc < 3) {
+		cd->log(ISC_LOG_ERROR,
+			"DLZ Perl '%s': Missing class name argument.", dlzname);
+		free(cd);
+		return (ISC_R_FAILURE);
+	}
+	perl_class_name = argv[2];
+
+	cd->log(ISC_LOG_INFO, "DLZ Perl '%s': Loading '%s' from location '%s'",
+		dlzname, perl_class_name, argv[1], argc);
+
+#ifndef MULTIPLICITY
+	if (global_perl) {
+		/*
+		 * PERL_SET_CONTEXT not needed here as we're guaranteed to
+		 * have an implicit context thanks to an undefined
+		 * MULTIPLICITY.
+		 */
+		PL_perl_destruct_level = 1;
+		perl_destruct(global_perl);
+		perl_free(global_perl);
+		global_perl = NULL;
+		global_perl_dont_free = 1;
+	}
+#endif /* ifndef MULTIPLICITY */
+
+	cd->perl = perl_alloc();
+	if (cd->perl == NULL) {
+		free(cd);
+		return (ISC_R_FAILURE);
+	}
+#ifdef MULTIPLICITY
+	my_perl = cd->perl;
+#endif /* ifdef MULTIPLICITY */
+	PERL_SET_CONTEXT(cd->perl);
+
+	/*
+	 * We will re-create the interpreter during an rndc reconfig, so we
+	 * must set this variable per perlembed in order to insure we can
+	 * clean up Perl at a later time.
+	 */
+	PL_perl_destruct_level = 1;
+	perl_construct(cd->perl);
+	PL_exit_flags |= PERL_EXIT_DESTRUCT_END;
+	/* Prevent crashes from clients writing to $0 */
+	PL_origalen = 1;
+
+	cd->perl_source = strdup(argv[1]);
+	if (cd->perl_source == NULL) {
+		free(cd);
+		return (ISC_R_NOMEMORY);
+	}
+
+	perlrun[1] = cd->perl_source;
+	if (perl_parse(cd->perl, xs_init, 3, perlrun, (char **)NULL)) {
+		cd->log(ISC_LOG_ERROR,
+			"DLZ Perl '%s': Failed to parse Perl script, aborting",
+			dlzname);
+		goto CLEAN_UP_PERL_AND_FAIL;
+	}
+
+	/* Let Perl know about our callbacks. */
+	call_argv("DLZ_Perl::clientinfo::bootstrap", G_DISCARD | G_NOARGS,
+		  &call_argv_args);
+	call_argv("DLZ_Perl::bootstrap", G_DISCARD | G_NOARGS, &call_argv_args);
+
+	/*
+	 * Run the script. We don't really need to do this since we have
+	 * the init callback, but there's not really a downside either.
+	 */
+	if (perl_run(cd->perl)) {
+		cd->log(ISC_LOG_ERROR,
+			"DLZ Perl '%s': Script exited with an error, aborting",
+			dlzname);
+		goto CLEAN_UP_PERL_AND_FAIL;
+	}
+
+#ifdef MULTIPLICITY
+	if ((missing_method_name = missing_perl_method(perl_class_name,
+						       my_perl)))
+#else  /* ifdef MULTIPLICITY */
+	if ((missing_method_name = missing_perl_method(perl_class_name)))
+#endif /* ifdef MULTIPLICITY */
+	{
+		cd->log(ISC_LOG_ERROR,
+			"DLZ Perl '%s': Missing required function '%s', "
+			"aborting",
+			dlzname, missing_method_name);
+		goto CLEAN_UP_PERL_AND_FAIL;
+	}
+
+	dSP;
+	ENTER;
+	SAVETMPS;
+
+	PUSHMARK(SP);
+	XPUSHs(sv_2mortal(newSVpv(perl_class_name, 0)));
+
+	/* Build flattened hash of config info. */
+	XPUSHs(sv_2mortal(newSVpv("log_context", 0)));
+	XPUSHs(sv_2mortal(newSViv((IV)cd->log)));
+
+	/* Argument to pass to new? */
+	if (argc == 4) {
+		XPUSHs(sv_2mortal(newSVpv("argv", 0)));
+		XPUSHs(sv_2mortal(newSVpv(argv[3], 0)));
+	}
+
+	PUTBACK;
+
+	r = call_method("new", G_EVAL | G_SCALAR);
+
+	SPAGAIN;
+
+	if (r) {
+		cd->perl_class = SvREFCNT_inc(POPs);
+	}
+
+	PUTBACK;
+	FREETMPS;
+	LEAVE;
+
+	if (SvTRUE(ERRSV)) {
+		(void)POPs;
+		cd->log(ISC_LOG_ERROR, "DLZ Perl '%s': new died in eval: %s",
+			dlzname, SvPV_nolen(ERRSV));
+		goto CLEAN_UP_PERL_AND_FAIL;
+	}
+
+	if (!r || !sv_isobject(cd->perl_class)) {
+		cd->log(ISC_LOG_ERROR,
+			"DLZ Perl '%s': new failed to return a blessed object",
+			dlzname);
+		goto CLEAN_UP_PERL_AND_FAIL;
+	}
+
+	*dbdata = cd;
+
+#ifndef MULTIPLICITY
+	global_perl = cd->perl;
+#endif /* ifndef MULTIPLICITY */
+	return (ISC_R_SUCCESS);
+
+CLEAN_UP_PERL_AND_FAIL:
+	PL_perl_destruct_level = 1;
+	perl_destruct(cd->perl);
+	perl_free(cd->perl);
+	free(cd->perl_source);
+	free(cd);
+	return (ISC_R_FAILURE);
+}
+
+void
+dlz_destroy(void *dbdata) {
+	config_data_t *cd = (config_data_t *)dbdata;
+#ifdef MULTIPLICITY
+	PerlInterpreter *my_perl = cd->perl;
+#endif /* ifdef MULTIPLICITY */
+
+	cd->log(ISC_LOG_INFO, "DLZ Perl: Unloading driver.");
+
+#ifndef MULTIPLICITY
+	if (!global_perl_dont_free) {
+#endif /* ifndef MULTIPLICITY */
+		PERL_SET_CONTEXT(cd->perl);
+		PL_perl_destruct_level = 1;
+		perl_destruct(cd->perl);
+		perl_free(cd->perl);
+#ifndef MULTIPLICITY
+		global_perl_dont_free = 0;
+		global_perl = NULL;
+	}
+#endif /* ifndef MULTIPLICITY */
+
+	free(cd->perl_source);
+	free(cd);
+}
diff --git a/contrib/dlz/modules/perl/dlz_perl_driver.h b/contrib/dlz/modules/perl/dlz_perl_driver.h
new file mode 100644
index 0000000..2cfb24d
--- /dev/null
+++ b/contrib/dlz/modules/perl/dlz_perl_driver.h
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 and ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+
+/*
+ * Copyright (C) Stichting NLnet, Netherlands, stichting@nlnet.nl.
+ * Copyright (C) John Eaglesham
+ *
+ * The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
+ * conceived and contributed by Rob Butler.
+ *
+ * Permission to use, copy, modify, and distribute this software for any purpose
+ * with or without fee is hereby granted, provided that the above copyright
+ * notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+ * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <dlz_minimal.h>
+
+/* This is the only part that differs from dlz_minimal.h. */
+typedef struct dlz_perl_clientinfo_opaque {
+	dns_clientinfomethods_t *methods;
+	dns_clientinfo_t *clientinfo;
+} dlz_perl_clientinfo_opaque;
diff --git a/contrib/dlz/modules/perl/testing/dlz_perl_example.pm b/contrib/dlz/modules/perl/testing/dlz_perl_example.pm
new file mode 100644
index 0000000..eafa87c
--- /dev/null
+++ b/contrib/dlz/modules/perl/testing/dlz_perl_example.pm
@@ -0,0 +1,185 @@
+# Copyright Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+# Copyright (C) Stichting NLnet, Netherlands, stichting@nlnet.nl.
+# Copyright (C) John Eaglesham
+#
+# The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
+# conceived and contributed by Rob Butler.
+#
+# SPDX-License-Identifier: ISC and MPL-2.0
+#
+# Permission to use, copy, modify, and distribute this software for any purpose
+# with or without fee is hereby granted, provided that the above copyright
+# notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND STICHTING NLNET DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL STICHTING NLNET BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+# OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+# CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+package dlz_perl_example;
+
+use warnings;
+use strict;
+
+use Data::Dumper;
+$Data::Dumper::Sortkeys = 1;
+
+# Constructor. Everything after the class name can be folded into a hash of
+# various options and settings. Right now only log_context and argv are
+# available.
+sub new {
+    my ( $class, %config ) = @_;
+    my $self = {};
+    bless $self, $class;
+
+    $self->{log} = sub {
+        my ( $level, $msg ) = @_;
+        DLZ_Perl::log( $config{log_context}, $level, $msg );
+    };
+
+    if ( $config{argv} ) { warn "Got argv: $config{argv}\n"; }
+
+    $self->{zones} = {
+        'example.com' => {
+            '@' => [
+                {
+                    type => 'SOA',
+                    ttl  => 86400,
+                    data =>
+                     'ns1.example.com. hostmaster.example.com. 12345 172800 900 1209600 3600',
+                }
+            ],
+            perlrr => [
+                {
+                    type => 'A',
+                    ttl  => 444,
+                    data => '1.1.1.1',
+                },
+                {
+                    type => 'A',
+                    ttl  => 444,
+                    data => '1.1.1.2',
+                }
+            ],
+            perltime => [
+                {
+                    code => sub {
+                        return ['TXT', '1', time()];
+                    },
+                },
+            ],
+            sourceip => [
+                {
+                    code => sub {
+                        my ( $opaque ) = @_;
+                        # Passing anything other than the proper opaque value,
+                        # 0, or undef to this function will cause a crash (at
+                        # best!).
+                        my ( $addr, $port ) =
+                         DLZ_Perl::clientinfo::sourceip( $opaque );
+                        if ( !$addr ) { $addr = $port = 'unknown'; }
+                        return ['TXT', '1', $addr], ['TXT', '1', $port];
+                    },
+                },
+            ],
+        },
+    };
+
+    $self->{log}->(
+        DLZ_Perl::LOG_INFO(),
+        'DLZ Perl Script: Called init. Loaded zone data: '
+         . Dumper( $self->{zones} )
+    );
+    return $self;
+}
+
+# Do we have data for this zone? Expects a simple true or false return value.
+sub findzone {
+    my ( $self, $zone ) = @_;
+    $self->{log}->(
+        DLZ_Perl::LOG_INFO(),
+        "DLZ Perl Script: Called findzone, looking for zone $zone"
+    );
+
+    return exists $self->{zones}->{$zone};
+}
+
+# Return the data for a given record in a given zone. The final parameter is
+# an opaque value that can be passed to DLZ_Perl::clientinfo::sourceip to
+# retrieve the client source IP and port. Expected return value is an array
+# of array refs, with each array ref representing one record and containing
+# the type, ttl, and data in that order. Data is as it appears in a zone file.
+sub lookup {
+    my ( $self, $name, $zone, $client_info ) = @_;
+    $self->{log}->(
+        DLZ_Perl::LOG_INFO(),
+        "DLZ Perl Script: Called lookup, looking for record $name in zone $zone"
+    );
+    return unless $self->{zones}->{$zone}->{$name};
+
+    my @results;
+    foreach my $rr ( @{ $self->{zones}->{$zone}->{$name} } ) {
+        if ( $rr->{'code'} ) {
+            my @r = $rr->{'code'}->( $client_info );
+            if ( @r ) {
+                push @results, @r;
+            }
+        } else {
+            push @results, [$rr->{'type'}, $rr->{'ttl'}, $rr->{'data'}];
+        }
+    }
+
+    return @results;
+}
+
+# Will we allow zone transfer for this client? Expects a simple true or false
+# return value.
+sub allowzonexfr {
+    my ( $self, $zone, $client ) = @_;
+    $self->{log}->(
+        DLZ_Perl::LOG_INFO(),
+        "DLZ Perl Script: Called allowzonexfr, looking for zone $zone for " .
+        "client $client"
+    );
+    if ( $client eq '127.0.0.1' ) { return 1; }
+    return 0;
+}
+
+# Note the return AoA for this method differs from lookup in that it must
+# return the name of the record as well as the other data.
+sub allnodes {
+    my ( $self, $zone ) = @_;
+    my @results;
+    $self->{log}->(
+        DLZ_Perl::LOG_INFO(),
+        "DLZ Perl Script: Called allnodes, looking for zone $zone"
+    );
+
+    foreach my $name ( keys %{ $self->{zones}->{$zone} } ) {
+        foreach my $rr ( @{ $self->{zones}->{$zone}->{$name} } ) {
+            if ( $rr->{'code'} ) {
+                my @r = $rr->{'code'}->();
+                # The code returns an array of array refs without the name.
+                # This makes things easy for lookup but hard here. We must
+                # iterate over each array ref and inject the name into it.
+                foreach my $a ( @r ) {
+                    unshift @{$a}, $name;
+                }
+                push @results, @r;
+            } else {
+                push @results,
+                 [$name, $rr->{'type'}, $rr->{'ttl'}, $rr->{'data'}];
+            }
+        }
+    }
+    return @results;
+}
+
+1;
diff --git a/contrib/dlz/modules/perl/testing/named.conf b/contrib/dlz/modules/perl/testing/named.conf
new file mode 100644
index 0000000..293d655
--- /dev/null
+++ b/contrib/dlz/modules/perl/testing/named.conf
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+	pid-file "named.pid";
+	session-keyfile "session.key";
+	listen-on { 127.0.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify no;
+};
+
+dlz "perl zone" {
+	database "dlopen ../dlz_perl_driver.so dlz_perl_example.pm dlz_perl_example";
+};
diff --git a/contrib/dlz/modules/sqlite3/Makefile b/contrib/dlz/modules/sqlite3/Makefile
new file mode 100644
index 0000000..b7861de
--- /dev/null
+++ b/contrib/dlz/modules/sqlite3/Makefile
@@ -0,0 +1,46 @@
+# Copyright Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+# Copyright (C) Stichting NLnet, Netherlands, stichting@nlnet.nl.
+#
+# The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
+# conceived and contributed by Rob Butler.
+#
+# SPDX-License-Identifier: ISC and MPL-2.0
+#
+# Permission to use, copy, modify, and distribute this software for any purpose
+# with or without fee is hereby granted, provided that the above copyright
+# notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND STICHTING NLNET DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL STICHTING NLNET BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+# OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+# CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+prefix = /usr
+libdir = $(prefix)/lib/bind9
+
+CFLAGS=-fPIC -g -I../include
+SQLITE3_LIBS=-lsqlite3
+
+all: dlz_sqlite3_dynamic.so
+
+dlz_dbi.o: ../common/dlz_dbi.c
+	$(CC) $(CFLAGS) -c ../common/dlz_dbi.c
+
+dlz_sqlite3_dynamic.so: dlz_sqlite3_dynamic.c dlz_dbi.o
+	$(CC) $(CFLAGS) -shared -o dlz_sqlite3_dynamic.so \
+		dlz_sqlite3_dynamic.c dlz_dbi.o $(SQLITE3_LIBS)
+
+clean:
+	rm -f dlz_sqlite3_dynamic.so *.o
+
+install: dlz_sqlite3_dynamic.so
+	mkdir -p $(DESTDIR)$(libdir)
+	install dlz_sqlite3_dynamic.so $(DESTDIR)$(libdir)
diff --git a/contrib/dlz/modules/sqlite3/dlz_sqlite3_dynamic.c b/contrib/dlz/modules/sqlite3/dlz_sqlite3_dynamic.c
new file mode 100644
index 0000000..8a920ff
--- /dev/null
+++ b/contrib/dlz/modules/sqlite3/dlz_sqlite3_dynamic.c
@@ -0,0 +1,1093 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 and ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+
+/*
+ * Copyright (C) Stichting NLnet, Netherlands, stichting@nlnet.nl.
+ *
+ * The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
+ * conceived and contributed by Rob Butler.
+ *
+ * Permission to use, copy, modify, and distribute this software for any purpose
+ * with or without fee is hereby granted, provided that the above copyright
+ * notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+ * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * This provides the externally loadable SQLitee DLZ module, without
+ * update support. Based in part on SQLite code contributed by Tim Tessier.
+ */
+
+#include <sqlite3.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <dlz_dbi.h>
+#include <dlz_list.h>
+#include <dlz_minimal.h>
+#include <dlz_pthread.h>
+
+#define dbc_search_limit 30
+#define ALLNODES	 1
+#define ALLOWXFR	 2
+#define AUTHORITY	 3
+#define FINDZONE	 4
+#define COUNTZONE	 5
+#define LOOKUP		 6
+
+#define safeGet(in) in == NULL ? "" : in
+
+/*%
+ * Structure to hold everything needed by this "instance" of the SQLite3
+ * module remember, the module code is only loaded once, but may have
+ * many separate instances.
+ */
+typedef struct {
+#if PTHREADS
+	db_list_t *db; /*%< handle to a list of DB */
+	int dbcount;
+#else  /* if PTHREADS */
+	dbinstance_t *db; /*%< handle to DB */
+#endif /* if PTHREADS */
+
+	char *dbname;
+
+	/* Helper functions from the dlz_dlopen driver */
+	log_t *log;
+	dns_sdlz_putrr_t *putrr;
+	dns_sdlz_putnamedrr_t *putnamedrr;
+	dns_dlz_writeablezone_t *writeable_zone;
+} sqlite3_instance_t;
+
+/*
+ * SQLite3 result set
+ */
+typedef struct {
+	char **pazResult; /* Result of the query */
+	int pnRow;	  /* Number of result rows */
+	int pnColumn;	  /* Number of result columns */
+	int curRow;	  /* Current row */
+	char *pzErrmsg;	  /* Error message */
+} sqlite3_res_t;
+
+/* forward references */
+isc_result_t
+dlz_findzonedb(void *dbdata, const char *name, dns_clientinfomethods_t *methods,
+	       dns_clientinfo_t *clientinfo);
+
+void
+dlz_destroy(void *dbdata);
+
+static void
+b9_add_helper(sqlite3_instance_t *db, const char *helper_name, void *ptr);
+
+/*
+ * Private methods
+ */
+
+void
+sqlite3_destroy(dbinstance_t *db) {
+	/* release DB connection */
+	if (db->dbconn != NULL) {
+		sqlite3_close((sqlite3 *)db->dbconn);
+	}
+	sqlite3_shutdown();
+
+	/* destroy DB instance */
+	destroy_dbinstance(db);
+}
+
+#if PTHREADS
+/*%
+ * Properly cleans up a list of database instances.
+ * This function is only used when the module is compiled for
+ * multithreaded operation.
+ */
+static void
+sqlite3_destroy_dblist(db_list_t *dblist) {
+	dbinstance_t *ndbi = NULL;
+	dbinstance_t *dbi = NULL;
+
+	ndbi = DLZ_LIST_HEAD(*dblist);
+	while (ndbi != NULL) {
+		dbi = ndbi;
+		ndbi = DLZ_LIST_NEXT(dbi, link);
+
+		sqlite3_destroy(dbi);
+	}
+
+	/* release memory for the list structure */
+	free(dblist);
+}
+
+/*%
+ * Loops through the list of DB instances, attempting to lock
+ * on the mutex.  If successful, the DBI is reserved for use
+ * and the thread can perform queries against the database.
+ * If the lock fails, the next one in the list is tried.
+ * looping continues until a lock is obtained, or until
+ * the list has been searched dbc_search_limit times.
+ * This function is only used when the module is compiled for
+ * multithreaded operation.
+ */
+static dbinstance_t *
+sqlite3_find_avail(sqlite3_instance_t *sqlite3) {
+	dbinstance_t *dbi = NULL, *head;
+	int count = 0;
+
+	/* get top of list */
+	head = dbi = DLZ_LIST_HEAD(*(sqlite3->db));
+
+	/* loop through list */
+	while (count < dbc_search_limit) {
+		/* try to lock on the mutex */
+		if (dlz_mutex_trylock(&dbi->lock) == 0) {
+			return (dbi); /* success, return the DBI for use. */
+		}
+		/* not successful, keep trying */
+		dbi = DLZ_LIST_NEXT(dbi, link);
+
+		/* check to see if we have gone to the top of the list. */
+		if (dbi == NULL) {
+			count++;
+			dbi = head;
+		}
+	}
+
+	sqlite3->log(ISC_LOG_INFO,
+		     "SQLite3 module: unable to find available connection "
+		     "after searching %d times",
+		     count);
+	return (NULL);
+}
+#endif /* PTHREADS */
+
+/*%
+ * Allocates memory for a new string, and then constructs the new
+ * string by "escaping" the input string.  The new string is
+ * safe to be used in queries.  This is necessary because we cannot
+ * be sure of what types of strings are passed to us, and we don't
+ * want special characters in the string causing problems.
+ */
+static char *
+escape_string(const char *instr) {
+	char *outstr;
+	char *ptr;
+	unsigned int len;
+	unsigned int tlen = 0;
+	unsigned int atlen = 0;
+	unsigned int i;
+
+	if (instr == NULL) {
+		return (NULL);
+	}
+	len = strlen(instr);
+	atlen = (2 * len * sizeof(char)) + 1;
+	outstr = malloc(atlen);
+	if (outstr == NULL) {
+		return (NULL);
+	}
+
+	ptr = outstr;
+	for (i = 0; i < len; i++) {
+		if (tlen > atlen || instr[i] == '\0') {
+			break;
+		}
+
+		if (instr[i] == '\'') {
+			*ptr++ = '\'';
+			tlen++;
+		}
+
+		*ptr++ = instr[i];
+		tlen++;
+	}
+	*ptr = '\0';
+
+	return (outstr);
+}
+
+/*%
+ * This function is the real core of the module.   Zone, record
+ * and client strings are passed in (or NULL is passed if the
+ * string is not available).  The type of query we want to run
+ * is indicated by the query flag, and the dbdata object is passed
+ * passed in too.  dbdata really holds a single database instance.
+ * The function will construct and run the query, hopefully getting
+ * a result set.
+ */
+static isc_result_t
+sqlite3_get_resultset(const char *zone, const char *record, const char *client,
+		      unsigned int query, void *dbdata, sqlite3_res_t **rsp) {
+	isc_result_t result;
+	dbinstance_t *dbi = NULL;
+	sqlite3_instance_t *db = (sqlite3_instance_t *)dbdata;
+	char *querystring = NULL;
+	sqlite3_res_t *rs = NULL;
+	int qres = 0;
+
+	if ((query == COUNTZONE && rsp != NULL) ||
+	    (query != COUNTZONE && (rsp == NULL || *rsp != NULL)))
+	{
+		db->log(ISC_LOG_DEBUG(2), "Invalid result set pointer.");
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+
+#if PTHREADS
+	/* find an available DBI from the list */
+	dbi = sqlite3_find_avail(db);
+#else  /* PTHREADS */
+	/*
+	 * only 1 DBI - no need to lock instance lock either
+	 * only 1 thread in the whole process, no possible contention.
+	 */
+	dbi = (dbinstance_t *)(db->db);
+#endif /* PTHREADS */
+
+	if (dbi == NULL) {
+		return (ISC_R_FAILURE);
+	}
+
+	/* what type of query are we going to run? */
+	switch (query) {
+	case ALLNODES:
+		if (dbi->allnodes_q == NULL) {
+			result = ISC_R_NOTIMPLEMENTED;
+			goto cleanup;
+		}
+		break;
+	case ALLOWXFR:
+		if (dbi->allowxfr_q == NULL) {
+			result = ISC_R_NOTIMPLEMENTED;
+			goto cleanup;
+		}
+		break;
+	case AUTHORITY:
+		if (dbi->authority_q == NULL) {
+			result = ISC_R_NOTIMPLEMENTED;
+			goto cleanup;
+		}
+		break;
+	case FINDZONE:
+		if (dbi->findzone_q == NULL) {
+			db->log(ISC_LOG_DEBUG(2), "No query specified for "
+						  "findzone.  "
+						  "Findzone requires a query");
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+		break;
+	case COUNTZONE:
+		if (dbi->countzone_q == NULL) {
+			result = ISC_R_NOTIMPLEMENTED;
+			goto cleanup;
+		}
+		break;
+	case LOOKUP:
+		if (dbi->lookup_q == NULL) {
+			db->log(ISC_LOG_DEBUG(2), "No query specified for "
+						  "lookup.  "
+						  "Lookup requires a query");
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+		break;
+	default:
+		db->log(ISC_LOG_ERROR, "Incorrect query flag passed to "
+				       "sqlite3_get_resultset");
+		result = ISC_R_UNEXPECTED;
+		goto cleanup;
+	}
+
+	if (zone != NULL) {
+		if (dbi->zone != NULL) {
+			free(dbi->zone);
+		}
+
+		dbi->zone = escape_string(zone);
+		if (dbi->zone == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+	} else {
+		dbi->zone = NULL;
+	}
+
+	if (record != NULL) {
+		if (dbi->record != NULL) {
+			free(dbi->record);
+		}
+
+		dbi->record = escape_string(record);
+		if (dbi->record == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+	} else {
+		dbi->record = NULL;
+	}
+
+	if (client != NULL) {
+		if (dbi->client != NULL) {
+			free(dbi->client);
+		}
+
+		dbi->client = escape_string(client);
+		if (dbi->client == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+	} else {
+		dbi->client = NULL;
+	}
+
+	/*
+	 * what type of query are we going to run?  this time we build
+	 * the actual query to run.
+	 */
+	switch (query) {
+	case ALLNODES:
+		querystring = build_querystring(dbi->allnodes_q);
+		break;
+	case ALLOWXFR:
+		querystring = build_querystring(dbi->allowxfr_q);
+		break;
+	case AUTHORITY:
+		querystring = build_querystring(dbi->authority_q);
+		break;
+	case FINDZONE:
+		querystring = build_querystring(dbi->findzone_q);
+		break;
+	case COUNTZONE:
+		querystring = build_querystring(dbi->countzone_q);
+		break;
+	case LOOKUP:
+		querystring = build_querystring(dbi->lookup_q);
+		break;
+	default:
+		db->log(ISC_LOG_ERROR, "Incorrect query flag passed to "
+				       "sqlite3_get_resultset");
+		result = ISC_R_UNEXPECTED;
+		goto cleanup;
+	}
+
+	if (querystring == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+
+	/* output the full query string when debugging */
+	db->log(ISC_LOG_DEBUG(1), "\nQuery String: %s\n", querystring);
+
+	rs = malloc(sizeof(sqlite3_res_t));
+	if (rs == NULL) {
+		db->log(ISC_LOG_ERROR, "Failed to allocate result set");
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+	memset(rs, 0, sizeof(sqlite3_res_t));
+
+	qres = sqlite3_get_table(dbi->dbconn, querystring, &rs->pazResult,
+				 &rs->pnRow, &rs->pnColumn, &rs->pzErrmsg);
+	if (qres != SQLITE_OK) {
+		db->log(ISC_LOG_DEBUG(1), "SQLite3 query failed; %s",
+			rs->pzErrmsg != NULL ? rs->pzErrmsg : "unknown error");
+		sqlite3_free(rs->pzErrmsg);
+		rs->pzErrmsg = NULL;
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+
+	result = ISC_R_SUCCESS;
+	if (query == COUNTZONE) {
+		sqlite3_free_table(rs->pazResult);
+	}
+
+	if (rsp != NULL) {
+		*rsp = rs;
+	}
+
+cleanup:
+	if (dbi->zone != NULL) {
+		free(dbi->zone);
+		dbi->zone = NULL;
+	}
+	if (dbi->record != NULL) {
+		free(dbi->record);
+		dbi->record = NULL;
+	}
+	if (dbi->client != NULL) {
+		free(dbi->client);
+		dbi->client = NULL;
+	}
+
+	/* release the lock so another thread can use this dbi */
+	(void)dlz_mutex_unlock(&dbi->lock);
+
+	if (querystring != NULL) {
+		free(querystring);
+	}
+
+	return (result);
+}
+
+/*%
+ * The processing of result sets for lookup and authority are
+ * exactly the same.  So that functionality has been moved
+ * into this function to minimize code.
+ */
+
+char **
+sqlite3_fetch_row(sqlite3_res_t *rs) {
+	char **retval = NULL;
+	if (rs != NULL) {
+		if (rs->pnRow > 0 && rs->curRow < rs->pnRow) {
+			int index = (rs->curRow + 1) * rs->pnColumn;
+			retval = &rs->pazResult[index];
+			rs->curRow++;
+		}
+	}
+	return (retval);
+}
+
+unsigned int
+sqlite3_num_fields(sqlite3_res_t *rs) {
+	unsigned int retval = 0;
+	if (rs != NULL) {
+		retval = rs->pnColumn;
+	}
+	return (retval);
+}
+
+unsigned int
+sqlite3_num_rows(sqlite3_res_t *rs) {
+	unsigned int retval = 0;
+	if (rs != NULL) {
+		retval = rs->pnRow;
+	}
+	return (retval);
+}
+
+void
+sqlite3_free_result(sqlite3_res_t *rs) {
+	if (rs != NULL) {
+		sqlite3_free_table(rs->pazResult);
+		free(rs);
+	}
+}
+
+static isc_result_t
+sqlite3_process_rs(sqlite3_instance_t *db, dns_sdlzlookup_t *lookup,
+		   sqlite3_res_t *rs) {
+	isc_result_t result = ISC_R_NOTFOUND;
+	char **row;
+	unsigned int fields;
+	unsigned int j;
+	char *tmpString;
+	char *endp;
+	int ttl;
+
+	row = sqlite3_fetch_row(rs);	 /* get a row from the result set */
+	fields = sqlite3_num_fields(rs); /* how many columns in result set */
+	while (row != NULL) {
+		unsigned int len = 0;
+
+		switch (fields) {
+		case 1:
+			/*
+			 * one column in rs, it's the data field.  use
+			 * default type of A record, and default TTL
+			 * of 86400
+			 */
+			result = db->putrr(lookup, "a", 86400, safeGet(row[0]));
+			break;
+		case 2:
+			/*
+			 * two columns, data field, and data type.
+			 * use default TTL of 86400.
+			 */
+			result = db->putrr(lookup, safeGet(row[0]), 86400,
+					   safeGet(row[1]));
+			break;
+		case 3:
+			/*
+			 * three columns, all data no defaults.
+			 * convert text to int, make sure it worked
+			 * right.
+			 */
+			ttl = strtol(safeGet(row[0]), &endp, 10);
+			if (*endp != '\0' || ttl < 0) {
+				db->log(ISC_LOG_ERROR, "SQLite3 module: TTL "
+						       "must be "
+						       "a positive number");
+				return (ISC_R_FAILURE);
+			}
+
+			result = db->putrr(lookup, safeGet(row[1]), ttl,
+					   safeGet(row[2]));
+			break;
+		default:
+			/*
+			 * more than 3 fields, concatenate the last
+			 * ones together.  figure out how long to make
+			 * string.
+			 */
+			for (j = 2; j < fields; j++) {
+				len += strlen(safeGet(row[j])) + 1;
+			}
+
+			/*
+			 * allocate string memory, allow for NULL to
+			 * term string
+			 */
+			tmpString = malloc(len + 1);
+			if (tmpString == NULL) {
+				db->log(ISC_LOG_ERROR, "SQLite3 module: unable "
+						       "to allocate "
+						       "memory for temporary "
+						       "string");
+				sqlite3_free_result(rs);
+				return (ISC_R_FAILURE);
+			}
+
+			strcpy(tmpString, safeGet(row[2]));
+			for (j = 3; j < fields; j++) {
+				strcat(tmpString, " ");
+				strcat(tmpString, safeGet(row[j]));
+			}
+
+			ttl = strtol(safeGet(row[0]), &endp, 10);
+			if (*endp != '\0' || ttl < 0) {
+				db->log(ISC_LOG_ERROR, "SQLite3 module: TTL "
+						       "must be "
+						       "a positive number");
+				free(tmpString);
+				return (ISC_R_FAILURE);
+			}
+
+			result = db->putrr(lookup, safeGet(row[1]), ttl,
+					   tmpString);
+			free(tmpString);
+		}
+
+		if (result != ISC_R_SUCCESS) {
+			sqlite3_free_result(rs);
+			db->log(ISC_LOG_ERROR, "putrr returned error: %d",
+				result);
+			return (ISC_R_FAILURE);
+		}
+
+		row = sqlite3_fetch_row(rs);
+	}
+
+	sqlite3_free_result(rs);
+	return (result);
+}
+
+/*
+ * DLZ methods
+ */
+
+/*% determine if the zone is supported by (in) the database */
+isc_result_t
+dlz_findzonedb(void *dbdata, const char *name, dns_clientinfomethods_t *methods,
+	       dns_clientinfo_t *clientinfo) {
+	isc_result_t result;
+	sqlite3_res_t *rs = NULL;
+	sqlite3_uint64 rows;
+	sqlite3_instance_t *db = (sqlite3_instance_t *)dbdata;
+
+	UNUSED(methods);
+	UNUSED(clientinfo);
+
+	result = sqlite3_get_resultset(name, NULL, NULL, FINDZONE, dbdata, &rs);
+	if (result != ISC_R_SUCCESS || rs == NULL) {
+		if (rs != NULL) {
+			sqlite3_free_result(rs);
+		}
+
+		db->log(ISC_LOG_ERROR, "SQLite3 module: unable to return "
+				       "result set for FINDZONE query");
+
+		return (ISC_R_FAILURE);
+	}
+
+	/*
+	 * if we returned any rows, the zone is supported.
+	 */
+	rows = sqlite3_num_rows(rs);
+	sqlite3_free_result(rs);
+	if (rows > 0) {
+		sqlite3_get_resultset(name, NULL, NULL, COUNTZONE, dbdata,
+				      NULL);
+		return (ISC_R_SUCCESS);
+	}
+
+	return (ISC_R_NOTFOUND);
+}
+
+/*% Determine if the client is allowed to perform a zone transfer */
+isc_result_t
+dlz_allowzonexfr(void *dbdata, const char *name, const char *client) {
+	isc_result_t result;
+	sqlite3_instance_t *db = (sqlite3_instance_t *)dbdata;
+	sqlite3_res_t *rs = NULL;
+	sqlite3_uint64 rows;
+
+	/* first check if the zone is supported by the database. */
+	result = dlz_findzonedb(dbdata, name, NULL, NULL);
+	if (result != ISC_R_SUCCESS) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	/*
+	 * if we get to this point we know the zone is supported by
+	 * the database the only questions now are is the zone
+	 * transfer is allowed for this client and did the config file
+	 * have an allow zone xfr query.
+	 */
+	result = sqlite3_get_resultset(name, NULL, client, ALLOWXFR, dbdata,
+				       &rs);
+	if (result == ISC_R_NOTIMPLEMENTED) {
+		return (result);
+	}
+
+	if (result != ISC_R_SUCCESS || rs == NULL) {
+		if (rs != NULL) {
+			sqlite3_free_result(rs);
+		}
+		db->log(ISC_LOG_ERROR, "SQLite3 module: unable to return "
+				       "result set for ALLOWXFR query");
+		return (ISC_R_FAILURE);
+	}
+
+	/*
+	 * count how many rows in result set; if we returned any,
+	 * zone xfr is allowed.
+	 */
+	rows = sqlite3_num_rows(rs);
+	sqlite3_free_result(rs);
+	if (rows > 0) {
+		return (ISC_R_SUCCESS);
+	}
+
+	return (ISC_R_NOPERM);
+}
+
+/*%
+ * If the client is allowed to perform a zone transfer, the next order of
+ * business is to get all the nodes in the zone, so bind can respond to the
+ * query.
+ */
+isc_result_t
+dlz_allnodes(const char *zone, void *dbdata, dns_sdlzallnodes_t *allnodes) {
+	isc_result_t result;
+	sqlite3_instance_t *db = (sqlite3_instance_t *)dbdata;
+	sqlite3_res_t *rs = NULL;
+	char **row;
+	unsigned int fields;
+	unsigned int j;
+	char *tmpString;
+	char *endp;
+	int ttl;
+
+	result = sqlite3_get_resultset(zone, NULL, NULL, ALLNODES, dbdata, &rs);
+	if (result == ISC_R_NOTIMPLEMENTED) {
+		return (result);
+	}
+
+	/* if we didn't get a result set, log an err msg. */
+	if (result != ISC_R_SUCCESS) {
+		db->log(ISC_LOG_ERROR, "SQLite3 module: unable to return "
+				       "result set for all nodes query");
+		goto cleanup;
+	}
+
+	result = ISC_R_NOTFOUND;
+
+	fields = sqlite3_num_fields(rs);
+	row = sqlite3_fetch_row(rs);
+	while (row != NULL) {
+		if (fields < 4) {
+			db->log(ISC_LOG_ERROR, "SQLite3 module: too few fields "
+					       "returned "
+					       "by ALLNODES query");
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+
+		ttl = strtol(safeGet(row[0]), &endp, 10);
+		if (*endp != '\0' || ttl < 0) {
+			db->log(ISC_LOG_ERROR, "SQLite3 module: TTL must be "
+					       "a positive number");
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+
+		if (fields == 4) {
+			result = db->putnamedrr(allnodes, safeGet(row[2]),
+						safeGet(row[1]), ttl,
+						safeGet(row[3]));
+		} else {
+			unsigned int len = 0;
+
+			/*
+			 * more than 4 fields, concatenate the last
+			 * ones together.
+			 */
+			for (j = 3; j < fields; j++) {
+				len += strlen(safeGet(row[j])) + 1;
+			}
+
+			tmpString = malloc(len + 1);
+			if (tmpString == NULL) {
+				db->log(ISC_LOG_ERROR, "SQLite3 module: unable "
+						       "to allocate "
+						       "memory for temporary "
+						       "string");
+				result = ISC_R_FAILURE;
+				goto cleanup;
+			}
+
+			strcpy(tmpString, safeGet(row[3]));
+			for (j = 4; j < fields; j++) {
+				strcat(tmpString, " ");
+				strcat(tmpString, safeGet(row[j]));
+			}
+
+			result = db->putnamedrr(allnodes, safeGet(row[2]),
+						safeGet(row[1]), ttl,
+						tmpString);
+			free(tmpString);
+		}
+
+		if (result != ISC_R_SUCCESS) {
+			db->log(ISC_LOG_ERROR, "putnamedrr returned error: %s",
+				result);
+			result = ISC_R_FAILURE;
+			break;
+		}
+
+		row = sqlite3_fetch_row(rs);
+	}
+
+cleanup:
+	if (rs != NULL) {
+		sqlite3_free_result(rs);
+	}
+
+	return (result);
+}
+
+/*%
+ * If the lookup function does not return SOA or NS records for the zone,
+ * use this function to get that information for named.
+ */
+isc_result_t
+dlz_authority(const char *zone, void *dbdata, dns_sdlzlookup_t *lookup) {
+	isc_result_t result;
+	sqlite3_res_t *rs = NULL;
+	sqlite3_instance_t *db = (sqlite3_instance_t *)dbdata;
+
+	result = sqlite3_get_resultset(zone, NULL, NULL, AUTHORITY, dbdata,
+				       &rs);
+	if (result == ISC_R_NOTIMPLEMENTED) {
+		return (result);
+	}
+
+	if (result != ISC_R_SUCCESS) {
+		if (rs != NULL) {
+			sqlite3_free_result(rs);
+		}
+		db->log(ISC_LOG_ERROR, "SQLite3 module: unable to return "
+				       "result set for AUTHORITY query");
+		return (ISC_R_FAILURE);
+	}
+
+	/*
+	 * lookup and authority result sets are processed in the same
+	 * manner: sqlite3_process_rs does the job for both functions.
+	 */
+	return (sqlite3_process_rs(db, lookup, rs));
+}
+
+/*% If zone is supported, lookup up a (or multiple) record(s) in it */
+isc_result_t
+dlz_lookup(const char *zone, const char *name, void *dbdata,
+	   dns_sdlzlookup_t *lookup, dns_clientinfomethods_t *methods,
+	   dns_clientinfo_t *clientinfo) {
+	isc_result_t result;
+	sqlite3_res_t *rs = NULL;
+	sqlite3_instance_t *db = (sqlite3_instance_t *)dbdata;
+
+	UNUSED(methods);
+	UNUSED(clientinfo);
+
+	result = sqlite3_get_resultset(zone, name, NULL, LOOKUP, dbdata, &rs);
+
+	/* if we didn't get a result set, log an err msg. */
+	if (result != ISC_R_SUCCESS) {
+		if (rs != NULL) {
+			sqlite3_free_result(rs);
+		}
+		db->log(ISC_LOG_ERROR, "SQLite3 module: unable to return "
+				       "result set for LOOKUP query");
+		return (ISC_R_FAILURE);
+	}
+
+	/*
+	 * lookup and authority result sets are processed in the same
+	 * manner: sqlite3_process_rs does the job for both functions.
+	 */
+	return (sqlite3_process_rs(db, lookup, rs));
+}
+
+/*%
+ * Create an instance of the module.
+ */
+isc_result_t
+dlz_create(const char *dlzname, unsigned int argc, char *argv[], void **dbdata,
+	   ...) {
+	isc_result_t result = ISC_R_FAILURE;
+	sqlite3_instance_t *s3 = NULL;
+	dbinstance_t *dbi = NULL;
+	sqlite3 *dbc = NULL;
+	char *tmp = NULL;
+	char *endp;
+	const char *helper_name;
+#if PTHREADS
+	int dbcount;
+	int i, ret;
+#endif /* PTHREADS */
+	va_list ap;
+
+	UNUSED(dlzname);
+
+	/* allocate memory for SQLite3 instance */
+	s3 = calloc(1, sizeof(sqlite3_instance_t));
+	if (s3 == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+	memset(s3, 0, sizeof(sqlite3_instance_t));
+
+	/* Fill in the helper functions */
+	va_start(ap, dbdata);
+	while ((helper_name = va_arg(ap, const char *)) != NULL) {
+		b9_add_helper(s3, helper_name, va_arg(ap, void *));
+	}
+	va_end(ap);
+
+#if PTHREADS
+	/* if debugging, let user know we are multithreaded. */
+	s3->log(ISC_LOG_DEBUG(1), "SQLite3 module: running multithreaded");
+#else  /* PTHREADS */
+	/* if debugging, let user know we are single threaded. */
+	s3->log(ISC_LOG_DEBUG(1), "SQLite3 module: running single threaded");
+#endif /* PTHREADS */
+
+	/* verify we have at least 4 arg's passed to the module */
+	if (argc < 4) {
+		s3->log(ISC_LOG_ERROR, "SQLite3 module requires "
+				       "at least 4 command line args.");
+		return (ISC_R_FAILURE);
+	}
+
+	/* no more than 8 arg's should be passed to the module */
+	if (argc > 8) {
+		s3->log(ISC_LOG_ERROR, "SQLite3 module cannot accept "
+				       "more than 8 command line args.");
+		return (ISC_R_FAILURE);
+	}
+
+	/* get db name - required */
+	s3->dbname = get_parameter_value(argv[1], "dbname=");
+	if (s3->dbname == NULL) {
+		s3->log(ISC_LOG_ERROR, "SQLite3 module requires a dbname "
+				       "parameter.");
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+
+#if PTHREADS
+	/* multithreaded build can have multiple DB connections */
+	tmp = get_parameter_value(argv[1], "threads=");
+	if (tmp == NULL) {
+		dbcount = 1;
+	} else {
+		dbcount = strtol(tmp, &endp, 10);
+		if (*endp != '\0' || dbcount < 1) {
+			s3->log(ISC_LOG_ERROR, "SQLite3 module: database "
+					       "connection count "
+					       "must be positive.");
+			free(tmp);
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+		free(tmp);
+	}
+
+	/* allocate memory for database connection list */
+	s3->db = calloc(1, sizeof(db_list_t));
+	if (s3->db == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+
+	/* initialize DB connection list */
+	DLZ_LIST_INIT(*(s3->db));
+
+	/*
+	 * create the appropriate number of database instances (DBI)
+	 * append each new DBI to the end of the list
+	 */
+	for (i = 0; i < dbcount; i++) {
+#endif /* PTHREADS */
+		switch (argc) {
+		case 4:
+			result = build_dbinstance(NULL, NULL, NULL, argv[2],
+						  argv[3], NULL, &dbi, s3->log);
+			break;
+		case 5:
+			result = build_dbinstance(NULL, NULL, argv[4], argv[2],
+						  argv[3], NULL, &dbi, s3->log);
+			break;
+		case 6:
+			result = build_dbinstance(argv[5], NULL, argv[4],
+						  argv[2], argv[3], NULL, &dbi,
+						  s3->log);
+			break;
+		case 7:
+			result = build_dbinstance(argv[5], argv[6], argv[4],
+						  argv[2], argv[3], NULL, &dbi,
+						  s3->log);
+			break;
+		case 8:
+			result = build_dbinstance(argv[5], argv[6], argv[4],
+						  argv[2], argv[3], argv[7],
+						  &dbi, s3->log);
+			break;
+		default:
+			result = ISC_R_FAILURE;
+		}
+
+		if (result != ISC_R_SUCCESS) {
+			s3->log(ISC_LOG_ERROR, "SQLite3 module: could not "
+					       "create "
+					       "database instance object.");
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+
+		/* create and set db connection */
+		ret = sqlite3_initialize();
+		if (ret != SQLITE_OK) {
+			s3->log(ISC_LOG_ERROR, "SQLite3 module: could not "
+					       "initialize database object.");
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+
+		ret = sqlite3_open(s3->dbname, &dbc);
+		if (ret != SQLITE_OK) {
+			s3->log(ISC_LOG_ERROR,
+				"SQLite3 module: could not "
+				"open '%s'.",
+				s3->dbname);
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+
+#if PTHREADS
+		/* when multithreaded, build a list of DBI's */
+		DLZ_LINK_INIT(dbi, link);
+		DLZ_LIST_APPEND(*(s3->db), dbi, link);
+#else  /* if PTHREADS */
+	/*
+	 * when single threaded, hold onto the one connection
+	 * instance.
+	 */
+	s3->db = dbi;
+#endif /* if PTHREADS */
+
+		dbi->dbconn = dbc;
+		dbc = NULL;
+#if PTHREADS
+		/* set DBI = null for next loop through. */
+		dbi = NULL;
+	}
+#endif /* PTHREADS */
+
+	*dbdata = s3;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	dlz_destroy(s3);
+
+	return (result);
+}
+
+/*%
+ * Destroy the module.
+ */
+void
+dlz_destroy(void *dbdata) {
+	sqlite3_instance_t *db = (sqlite3_instance_t *)dbdata;
+#if PTHREADS
+	/* cleanup the list of DBI's */
+	if (db->db != NULL) {
+		sqlite3_destroy_dblist((db_list_t *)(db->db));
+	}
+#else  /* PTHREADS */
+	sqlite3_destroy(db);
+#endif /* PTHREADS */
+
+	if (db->dbname != NULL) {
+		free(db->dbname);
+	}
+}
+
+/*
+ * Return the version of the API
+ */
+int
+dlz_version(unsigned int *flags) {
+	*flags |= (DNS_SDLZFLAG_RELATIVEOWNER | DNS_SDLZFLAG_RELATIVERDATA |
+		   DNS_SDLZFLAG_THREADSAFE);
+	return (DLZ_DLOPEN_VERSION);
+}
+
+/*
+ * Register a helper function from the bind9 dlz_dlopen driver
+ */
+static void
+b9_add_helper(sqlite3_instance_t *db, const char *helper_name, void *ptr) {
+	if (strcmp(helper_name, "log") == 0) {
+		db->log = (log_t *)ptr;
+	}
+	if (strcmp(helper_name, "putrr") == 0) {
+		db->putrr = (dns_sdlz_putrr_t *)ptr;
+	}
+	if (strcmp(helper_name, "putnamedrr") == 0) {
+		db->putnamedrr = (dns_sdlz_putnamedrr_t *)ptr;
+	}
+	if (strcmp(helper_name, "writeable_zone") == 0) {
+		db->writeable_zone = (dns_dlz_writeablezone_t *)ptr;
+	}
+}
diff --git a/contrib/dlz/modules/sqlite3/testing/README b/contrib/dlz/modules/sqlite3/testing/README
new file mode 100644
index 0000000..c7af001
--- /dev/null
+++ b/contrib/dlz/modules/sqlite3/testing/README
@@ -0,0 +1,10 @@
+These files were used for testing on Ubuntu Linux using SQLite3
+
+- Install SQLite3: sudo apt-get install sqlite3 libsqlite3-dev
+- Build sqlite3 DLZ module
+- Run "sqlite3 BindDB < dlz.schema" to set up database
+- Run "sqlite3 BindDB < dlz.data" to populate it
+- Run "named -gc named.conf"
+- Send test queries, e.g "dig @localhost -p 5300 example.com",
+   "dig @localhost -p 5300 axfr example.com" (AXFR should be
+   allowed from 127.0.0.1 only).
diff --git a/contrib/dlz/modules/sqlite3/testing/dlz.data b/contrib/dlz/modules/sqlite3/testing/dlz.data
new file mode 100644
index 0000000..015607f
--- /dev/null
+++ b/contrib/dlz/modules/sqlite3/testing/dlz.data
@@ -0,0 +1,18 @@
+INSERT INTO `records`
+(`zone`, `ttl`, `type`, `host`, `mx_priority`, `data`, `primary_ns`, `resp_contact`, `serial`, `refresh`, `retry`, `expire`, `minimum`)
+VALUES
+('example.com', 86400, 'SOA', '@', NULL, NULL, 'ns1.example.com.', 'info.example.com.', 2011043001, 10800, 7200, 604800, 86400),
+('example.com', 86400, 'NS', '@', NULL, 'ns1.example.com.', NULL, NULL, NULL, NULL, NULL, NULL, NULL),
+('example.com', 86400, 'NS', '@', NULL, 'ns2.example.com.', NULL, NULL, NULL, NULL, NULL, NULL, NULL),
+('example.com', 86400, 'MX', '@', 10, 'mail.example.com.', NULL, NULL, NULL, NULL, NULL, NULL, NULL),
+('example.com', 86400, 'A', '@', NULL, '192.168.0.2', NULL, NULL, NULL, NULL, NULL, NULL, NULL),
+('example.com', 86400, 'CNAME', 'www', NULL, '@', NULL, NULL, NULL, NULL, NULL, NULL, NULL),
+('example.com', 86400, 'A', 'ns1', NULL, '192.168.0.111', NULL, NULL, NULL, NULL, NULL, NULL, NULL),
+('example.com', 86400, 'A', 'ns2', NULL, '192.168.0.222', NULL, NULL, NULL, NULL, NULL, NULL, NULL),
+('example.com', 86400, 'A', 'mail', NULL, '192.168.0.3', NULL, NULL, NULL, NULL, NULL, NULL, NULL),
+('example.com', 86400, 'TXT', '@', NULL, 'v=spf1 ip:192.168.0.3 ~all', NULL, NULL, NULL, NULL, NULL, NULL, NULL);
+
+INSERT INTO `xfr`
+(`zone`, `client`)
+VALUES
+('example.com', '127.0.0.1');
diff --git a/contrib/dlz/modules/sqlite3/testing/dlz.schema b/contrib/dlz/modules/sqlite3/testing/dlz.schema
new file mode 100644
index 0000000..4cbcb34
--- /dev/null
+++ b/contrib/dlz/modules/sqlite3/testing/dlz.schema
@@ -0,0 +1,28 @@
+CREATE TABLE IF NOT EXISTS `records` (
+    `id` INTEGER PRIMARY KEY AUTOINCREMENT,
+    `zone` CHAR(255) NOT NULL,
+    `ttl` INT NOT NULL DEFAULT '86400',
+    `type` CHAR(255) NOT NULL,
+    `host` CHAR(255) NOT NULL DEFAULT '@',
+    `mx_priority` INT DEFAULT NULL,
+    `data` text,
+    `primary_ns` CHAR(255) DEFAULT NULL,
+    `resp_contact` CHAR(255) DEFAULT NULL,
+    `serial` bigint DEFAULT NULL,
+    `refresh` INT DEFAULT NULL,
+    `retry` INT DEFAULT NULL,
+    `expire` INT DEFAULT NULL,
+    `minimum` INT DEFAULT NULL
+);
+
+CREATE INDEX IF NOT EXISTS record_type on records (type);
+CREATE INDEX IF NOT EXISTS record_host on records (host);
+CREATE INDEX IF NOT EXISTS record_zone on records (zone);
+
+CREATE TABLE IF NOT EXISTS `xfr` (
+    `zone` CHAR(255) NOT NULL,
+    `client` CHAR(255) NOT NULL
+);
+
+CREATE INDEX IF NOT EXISTS xfr_zone on xfr (zone);
+CREATE INDEX IF NOT EXISTS xfr_client on xfr (client);
diff --git a/contrib/dlz/modules/sqlite3/testing/named.conf b/contrib/dlz/modules/sqlite3/testing/named.conf
new file mode 100644
index 0000000..d5ce0bb
--- /dev/null
+++ b/contrib/dlz/modules/sqlite3/testing/named.conf
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+controls { };
+
+options {
+	directory ".";
+	port 5300;
+	pid-file "named.pid";
+	session-keyfile "session.key";
+	listen-on { any; };
+	listen-on-v6 { none; };
+	recursion no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-md5;
+};
+
+controls {
+	inet 127.0.0.1 port 9953 allow { any; } keys { rndc_key; };
+};
+
+dlz "test" {
+	database "dlopen ../dlz_sqlite3_dynamic.so
+           {
+             dbname=BindDB threads=2
+           }
+           {SELECT zone FROM records WHERE zone = '$zone$'}
+           {SELECT ttl, type, mx_priority, CASE WHEN type = 'TXT' THEN '\"' || data || '\"' ELSE data END AS data FROM records WHERE zone = '$zone$' AND host = '$record$' AND type <> 'SOA' AND type <> 'NS'}
+           {SELECT ttl, type, data, primary_ns, resp_contact, serial, refresh, retry, expire, minimum FROM records WHERE zone = '$zone$' AND (type = 'SOA' OR type='NS')}
+           {SELECT ttl, type, host, mx_priority, CASE WHEN type = 'TXT' THEN '\"' || data || '\"' ELSE data END AS data, resp_contact, serial, refresh, retry, expire, minimum FROM records WHERE zone = '$zone$' AND type <> 'SOA' AND type <> 'NS'}
+           {SELECT zone FROM xfr where zone='$zone$' AND client = '$client$'}";
+};
diff --git a/contrib/dlz/modules/wildcard/Makefile b/contrib/dlz/modules/wildcard/Makefile
new file mode 100644
index 0000000..d09a83a
--- /dev/null
+++ b/contrib/dlz/modules/wildcard/Makefile
@@ -0,0 +1,46 @@
+# Copyright Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+# Copyright (C) Stichting NLnet, Netherlands, stichting@nlnet.nl.
+# Copyright (C) Vadim Goncharov, Russia, vadim_nuclight@mail.ru.
+#
+# The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
+# conceived and contributed by Rob Butler.
+#
+# SPDX-License-Identifier: ISC and MPL-2.0
+#
+# Permission to use, copy, modify, and distribute this software for any purpose
+# with or without fee is hereby granted, provided that the above copyright
+# notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND STICHTING NLNET DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL STICHTING NLNET BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+# OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+# CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+prefix = /usr
+libdir = $(prefix)/lib/bind9
+
+CFLAGS=-fPIC -g -I../include
+
+all: dlz_wildcard_dynamic.so
+
+dlz_dbi.o: ../common/dlz_dbi.c
+	$(CC) $(CFLAGS) -c ../common/dlz_dbi.c
+
+dlz_wildcard_dynamic.so: dlz_wildcard_dynamic.c dlz_dbi.o
+	$(CC) $(CFLAGS) -shared -o dlz_wildcard_dynamic.so \
+		dlz_wildcard_dynamic.c dlz_dbi.o
+
+clean:
+	rm -f dlz_wildcard_dynamic.so *.o
+
+install: dlz_wildcard_dynamic.so
+	mkdir -p $(DESTDIR)$(libdir)
+	install dlz_wildcard_dynamic.so $(DESTDIR)$(libdir)
diff --git a/contrib/dlz/modules/wildcard/README b/contrib/dlz/modules/wildcard/README
new file mode 100644
index 0000000..2ec6852
--- /dev/null
+++ b/contrib/dlz/modules/wildcard/README
@@ -0,0 +1,59 @@
+<!--
+Copyright Internet Systems Consortium, Inc. ("ISC")
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+Copyright (C) Stichting NLnet, Netherlands, stichting@nlnet.nl.
+Copyright (C) Vadim Goncharov, Russia, vadim_nuclight@mail.ru.
+
+The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
+conceived and contributed by Rob Butler.
+
+SPDX-License-Identifier: ISC and MPL-2.0
+
+Permission to use, copy, modify, and distribute this software for any purpose
+with or without fee is hereby granted, provided that the above copyright
+notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND STICHTING NLNET DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL STICHTING NLNET BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+-->
+
+The "wildcard" DLZ module provides a "template" zone for domains matching
+a wildcard name.  For example, the following DLZ configuration would match
+any zone name containing the string "example" and ending with .com, such
+as "thisexample.com", "exampleofthat.com", or "anexampleoftheotherthing.com".
+
+    dlz "test" {
+	database "dlopen ../dlz_wildcard_dynamic.so
+        *example*.com 10.53.* 1800
+        @      3600    SOA   {ns3.example.nil. support.example.nil. 42 14400 7200 2592000 600}
+        @      3600    NS     ns3.example.nil.
+        @      3600    NS     ns4.example.nil.
+        @      3600    NS     ns8.example.nil.
+        @      3600    MX     {5 mail.example.nil.}
+        ftp    86400   A      192.0.0.1
+        sql    86400   A      192.0.0.2
+        tmp    {}      A      192.0.0.3
+        www    86400   A      192.0.0.3
+        www    86400   AAAA   ::1
+        txt    300     TXT    {\"you requested $record$ in $zone$\"}
+        *      86400   A      192.0.0.100";
+    };
+
+For any zone name matching the wildcard, it would return the data from
+the template.  "$zone$" is replaced with zone name: i.e., the shortest
+possible string of labels in the query name that matches the wildcard.
+"$record$" is replaced with the remainder of the query name.  In the
+example above, a query for "txt.thisexample.com/TXT" would return the
+string "you requested txt in thisexample.com".
+
+Any client whose source address matches the second wildcard ("10.53.*")
+is allowed to request a zone transfer.
diff --git a/contrib/dlz/modules/wildcard/dlz_wildcard_dynamic.c b/contrib/dlz/modules/wildcard/dlz_wildcard_dynamic.c
new file mode 100644
index 0000000..95221a1
--- /dev/null
+++ b/contrib/dlz/modules/wildcard/dlz_wildcard_dynamic.c
@@ -0,0 +1,773 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 and ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+
+/*
+ * Copyright (C) Stichting NLnet, Netherlands, stichting@nlnet.nl.
+ * Copyright (C) Vadim Goncharov, Russia, vadim_nuclight@mail.ru.
+ *
+ * The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
+ * conceived and contributed by Rob Butler.
+ *
+ * Permission to use, copy, modify, and distribute this software for any purpose
+ * with or without fee is hereby granted, provided that the above copyright
+ * notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND STICHTING NLNET DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL STICHTING NLNET BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * This provides the externally loadable wildcard DLZ module.
+ */
+
+#include <ctype.h>
+#include <inttypes.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <dlz_dbi.h>
+#include <dlz_list.h>
+#include <dlz_minimal.h>
+
+#define DE_CONST(konst, var)           \
+	do {                           \
+		union {                \
+			const void *k; \
+			void *v;       \
+		} _u;                  \
+		_u.k = konst;          \
+		var = _u.v;            \
+	} while (0)
+
+/* fnmatch() return values. */
+#define FNM_NOMATCH 1 /* Match failed. */
+
+/* fnmatch() flags. */
+#define FNM_NOESCAPE	0x01 /* Disable backslash escaping. */
+#define FNM_PATHNAME	0x02 /* Slash must be matched by slash. */
+#define FNM_PERIOD	0x04 /* Period must be matched by period. */
+#define FNM_LEADING_DIR 0x08 /* Ignore /<tail> after Imatch. */
+#define FNM_CASEFOLD	0x10 /* Case insensitive search. */
+#define FNM_IGNORECASE	FNM_CASEFOLD
+#define FNM_FILE_NAME	FNM_PATHNAME
+
+/*
+ * Our data structures.
+ */
+
+typedef struct named_rr nrr_t;
+typedef DLZ_LIST(nrr_t) rr_list_t;
+
+typedef struct config_data {
+	char *zone_pattern;
+	char *axfr_pattern;
+	rr_list_t rrs_list;
+	char *zone;
+	char *record;
+	char *client;
+
+	/* Helper functions from the dlz_dlopen driver */
+	log_t *log;
+	dns_sdlz_putrr_t *putrr;
+	dns_sdlz_putnamedrr_t *putnamedrr;
+	dns_dlz_writeablezone_t *writeable_zone;
+} config_data_t;
+
+struct named_rr {
+	char *name;
+	char *type;
+	int ttl;
+	query_list_t *data;
+	DLZ_LINK(nrr_t) link;
+};
+
+/*
+ * Forward references
+ */
+static int
+rangematch(const char *, char, int, char **);
+
+static int
+fnmatch(const char *pattern, const char *string, int flags);
+
+static void
+b9_add_helper(struct config_data *cd, const char *helper_name, void *ptr);
+
+static const char *
+shortest_match(const char *pattern, const char *string);
+
+isc_result_t
+dlz_allnodes(const char *zone, void *dbdata, dns_sdlzallnodes_t *allnodes) {
+	config_data_t *cd = (config_data_t *)dbdata;
+	isc_result_t result;
+	char *querystring = NULL;
+	nrr_t *nrec;
+	int i = 0;
+
+	DE_CONST(zone, cd->zone);
+
+	/* Write info message to log */
+	cd->log(ISC_LOG_DEBUG(1), "dlz_wildcard allnodes called for zone '%s'",
+		zone);
+
+	result = ISC_R_FAILURE;
+
+	nrec = DLZ_LIST_HEAD(cd->rrs_list);
+	while (nrec != NULL) {
+		cd->record = nrec->name;
+
+		querystring = build_querystring(nrec->data);
+
+		if (querystring == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto done;
+		}
+
+		cd->log(ISC_LOG_DEBUG(2),
+			"dlz_wildcard allnodes entry num %d: calling "
+			"putnamedrr(name=%s type=%s ttl=%d qs=%s)",
+			i++, nrec->name, nrec->type, nrec->ttl, querystring);
+
+		result = cd->putnamedrr(allnodes, nrec->name, nrec->type,
+					nrec->ttl, querystring);
+		if (result != ISC_R_SUCCESS) {
+			goto done;
+		}
+
+		nrec = DLZ_LIST_NEXT(nrec, link);
+	}
+
+done:
+	cd->zone = NULL;
+
+	if (querystring != NULL) {
+		free(querystring);
+	}
+
+	return (result);
+}
+
+isc_result_t
+dlz_allowzonexfr(void *dbdata, const char *name, const char *client) {
+	config_data_t *cd = (config_data_t *)dbdata;
+
+	UNUSED(name);
+
+	/* Write info message to log */
+	cd->log(ISC_LOG_DEBUG(1),
+		"dlz_wildcard allowzonexfr called for client '%s'", client);
+
+	if (fnmatch(cd->axfr_pattern, client, FNM_CASEFOLD) == 0) {
+		return (ISC_R_SUCCESS);
+	} else {
+		return (ISC_R_NOTFOUND);
+	}
+}
+
+#if DLZ_DLOPEN_VERSION < 3
+isc_result_t
+dlz_findzonedb(void *dbdata, const char *name)
+#else  /* if DLZ_DLOPEN_VERSION < 3 */
+isc_result_t
+dlz_findzonedb(void *dbdata, const char *name, dns_clientinfomethods_t *methods,
+	       dns_clientinfo_t *clientinfo)
+#endif /* if DLZ_DLOPEN_VERSION < 3 */
+{
+	config_data_t *cd = (config_data_t *)dbdata;
+	const char *p;
+
+#if DLZ_DLOPEN_VERSION >= 3
+	UNUSED(methods);
+	UNUSED(clientinfo);
+#endif /* if DLZ_DLOPEN_VERSION >= 3 */
+
+	p = shortest_match(cd->zone_pattern, name);
+	if (p == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	/* Write info message to log */
+	cd->log(ISC_LOG_DEBUG(1), "dlz_wildcard findzonedb matched '%s'", p);
+
+	return (ISC_R_SUCCESS);
+}
+
+#if DLZ_DLOPEN_VERSION == 1
+isc_result_t
+dlz_lookup(const char *zone, const char *name, void *dbdata,
+	   dns_sdlzlookup_t *lookup)
+#else  /* if DLZ_DLOPEN_VERSION == 1 */
+isc_result_t
+dlz_lookup(const char *zone, const char *name, void *dbdata,
+	   dns_sdlzlookup_t *lookup, dns_clientinfomethods_t *methods,
+	   dns_clientinfo_t *clientinfo)
+#endif /* if DLZ_DLOPEN_VERSION == 1 */
+{
+	isc_result_t result;
+	config_data_t *cd = (config_data_t *)dbdata;
+	char *querystring = NULL;
+	const char *p;
+	char *namebuf;
+	nrr_t *nrec;
+
+#if DLZ_DLOPEN_VERSION >= 2
+	UNUSED(methods);
+	UNUSED(clientinfo);
+#endif /* if DLZ_DLOPEN_VERSION >= 2 */
+
+	p = shortest_match(cd->zone_pattern, zone);
+	if (p == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	DE_CONST(name, cd->record);
+	DE_CONST(p, cd->zone);
+
+	if ((p != zone) && (strcmp(name, "@") == 0 || strcmp(name, zone) == 0))
+	{
+		size_t len = p - zone;
+		namebuf = malloc(len);
+		if (namebuf == NULL) {
+			return (ISC_R_NOMEMORY);
+		}
+		strncpy(namebuf, zone, len - 1);
+		namebuf[len - 1] = '\0';
+		cd->record = namebuf;
+	} else if (p == zone) {
+		cd->record = (char *)"@";
+	}
+
+	/* Write info message to log */
+	cd->log(ISC_LOG_DEBUG(1),
+		"dlz_wildcard_dynamic: lookup for '%s' in '%s': "
+		"trying '%s' in '%s'",
+		name, zone, cd->record, cd->zone);
+
+	result = ISC_R_NOTFOUND;
+	nrec = DLZ_LIST_HEAD(cd->rrs_list);
+	while (nrec != NULL) {
+		nrr_t *next = DLZ_LIST_NEXT(nrec, link);
+		if (strcmp(cd->record, nrec->name) == 0) {
+			/* We handle authority data in dlz_authority() */
+			if (strcmp(nrec->type, "SOA") == 0 ||
+			    strcmp(nrec->type, "NS") == 0)
+			{
+				nrec = next;
+				continue;
+			}
+
+			querystring = build_querystring(nrec->data);
+			if (querystring == NULL) {
+				result = ISC_R_NOMEMORY;
+				goto done;
+			}
+
+			result = cd->putrr(lookup, nrec->type, nrec->ttl,
+					   querystring);
+			if (result != ISC_R_SUCCESS) {
+				goto done;
+			}
+
+			result = ISC_R_SUCCESS;
+
+			free(querystring);
+			querystring = NULL;
+		}
+		nrec = next;
+	}
+
+done:
+	cd->zone = NULL;
+	cd->record = NULL;
+
+	if (querystring != NULL) {
+		free(querystring);
+	}
+
+	return (result);
+}
+
+isc_result_t
+dlz_authority(const char *zone, void *dbdata, dns_sdlzlookup_t *lookup) {
+	isc_result_t result;
+	config_data_t *cd = (config_data_t *)dbdata;
+	char *querystring = NULL;
+	nrr_t *nrec;
+	const char *p;
+
+	p = shortest_match(cd->zone_pattern, zone);
+	if (p == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	DE_CONST(p, cd->zone);
+
+	/* Write info message to log */
+	cd->log(ISC_LOG_DEBUG(1), "dlz_wildcard_dynamic: authority for '%s'",
+		zone);
+
+	result = ISC_R_NOTFOUND;
+	nrec = DLZ_LIST_HEAD(cd->rrs_list);
+	while (nrec != NULL) {
+		if (strcmp("@", nrec->name) == 0) {
+			isc_result_t presult;
+
+			querystring = build_querystring(nrec->data);
+			if (querystring == NULL) {
+				result = ISC_R_NOMEMORY;
+				goto done;
+			}
+
+			presult = cd->putrr(lookup, nrec->type, nrec->ttl,
+					    querystring);
+			if (presult != ISC_R_SUCCESS) {
+				result = presult;
+				goto done;
+			}
+
+			result = ISC_R_SUCCESS;
+
+			free(querystring);
+			querystring = NULL;
+		}
+		nrec = DLZ_LIST_NEXT(nrec, link);
+	}
+
+done:
+	cd->zone = NULL;
+
+	if (querystring != NULL) {
+		free(querystring);
+	}
+
+	return (result);
+}
+
+static void
+destroy_rrlist(config_data_t *cd) {
+	nrr_t *trec, *nrec;
+
+	nrec = DLZ_LIST_HEAD(cd->rrs_list);
+
+	while (nrec != NULL) {
+		trec = nrec;
+
+		destroy_querylist(&trec->data);
+
+		if (trec->name != NULL) {
+			free(trec->name);
+		}
+		if (trec->type != NULL) {
+			free(trec->type);
+		}
+		trec->name = trec->type = NULL;
+
+		/* Get the next record, before we destroy this one. */
+		nrec = DLZ_LIST_NEXT(nrec, link);
+
+		free(trec);
+	}
+}
+
+isc_result_t
+dlz_create(const char *dlzname, unsigned int argc, char *argv[], void **dbdata,
+	   ...) {
+	config_data_t *cd;
+	char *endp;
+	unsigned int i;
+	int def_ttl;
+	nrr_t *trec = NULL;
+	isc_result_t result;
+	const char *helper_name;
+	va_list ap;
+
+	if (argc < 8 || argc % 4 != 0) {
+		return (ISC_R_FAILURE);
+	}
+
+	cd = calloc(1, sizeof(config_data_t));
+	if (cd == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+	memset(cd, 0, sizeof(config_data_t));
+
+	/* Fill in the helper functions */
+	va_start(ap, dbdata);
+	while ((helper_name = va_arg(ap, const char *)) != NULL) {
+		b9_add_helper(cd, helper_name, va_arg(ap, void *));
+	}
+	va_end(ap);
+
+	/*
+	 * Write info message to log
+	 */
+	cd->log(ISC_LOG_INFO,
+		"Loading '%s' using DLZ_wildcard driver. "
+		"Zone: %s, AXFR allowed for: %s, $TTL: %s",
+		dlzname, argv[1], argv[2], argv[3]);
+
+	/* initialize the records list here to simplify cleanup */
+	DLZ_LIST_INIT(cd->rrs_list);
+
+	cd->zone_pattern = strdup(argv[1]);
+	cd->axfr_pattern = strdup(argv[2]);
+	if (cd->zone_pattern == NULL || cd->axfr_pattern == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+
+	def_ttl = strtol(argv[3], &endp, 10);
+	if (*endp != '\0' || def_ttl < 0) {
+		def_ttl = 3600;
+		cd->log(ISC_LOG_ERROR, "default TTL invalid, using 3600");
+	}
+
+	for (i = 4; i < argc; i += 4) {
+		result = ISC_R_NOMEMORY;
+
+		trec = malloc(sizeof(nrr_t));
+		if (trec == NULL) {
+			goto full_cleanup;
+		}
+
+		memset(trec, 0, sizeof(nrr_t));
+
+		/* Initialize the record link */
+		DLZ_LINK_INIT(trec, link);
+		/* Append the record to the list */
+		DLZ_LIST_APPEND(cd->rrs_list, trec, link);
+
+		trec->name = strdup(argv[i]);
+		if (trec->name == NULL) {
+			goto full_cleanup;
+		}
+
+		trec->type = strdup(argv[i + 2]);
+		if (trec->type == NULL) {
+			goto full_cleanup;
+		}
+
+		trec->ttl = strtol(argv[i + 1], &endp, 10);
+		if (argv[i + 1][0] == '\0' || *endp != '\0' || trec->ttl < 0) {
+			trec->ttl = def_ttl;
+		}
+
+		result = build_querylist(argv[i + 3], &cd->zone, &cd->record,
+					 &cd->client, &trec->data, 0, cd->log);
+		/* If unsuccessful, log err msg and cleanup */
+		if (result != ISC_R_SUCCESS) {
+			cd->log(ISC_LOG_ERROR,
+				"Could not build RR data list at argv[%d]",
+				i + 3);
+			goto full_cleanup;
+		}
+	}
+
+	*dbdata = cd;
+
+	return (ISC_R_SUCCESS);
+
+full_cleanup:
+	destroy_rrlist(cd);
+
+cleanup:
+	if (cd->zone_pattern != NULL) {
+		free(cd->zone_pattern);
+	}
+	if (cd->axfr_pattern != NULL) {
+		free(cd->axfr_pattern);
+	}
+	free(cd);
+
+	return (result);
+}
+
+void
+dlz_destroy(void *dbdata) {
+	config_data_t *cd = (config_data_t *)dbdata;
+
+	/*
+	 * Write debugging message to log
+	 */
+	cd->log(ISC_LOG_DEBUG(2), "Unloading DLZ_wildcard driver.");
+
+	destroy_rrlist(cd);
+
+	free(cd->zone_pattern);
+	free(cd->axfr_pattern);
+	free(cd);
+}
+
+/*
+ * Return the version of the API
+ */
+int
+dlz_version(unsigned int *flags) {
+	UNUSED(flags);
+	/* XXX: ok to set DNS_SDLZFLAG_THREADSAFE here? */
+	return (DLZ_DLOPEN_VERSION);
+}
+
+/*
+ * Register a helper function from the bind9 dlz_dlopen driver
+ */
+static void
+b9_add_helper(struct config_data *cd, const char *helper_name, void *ptr) {
+	if (strcmp(helper_name, "log") == 0) {
+		cd->log = (log_t *)ptr;
+	}
+	if (strcmp(helper_name, "putrr") == 0) {
+		cd->putrr = (dns_sdlz_putrr_t *)ptr;
+	}
+	if (strcmp(helper_name, "putnamedrr") == 0) {
+		cd->putnamedrr = (dns_sdlz_putnamedrr_t *)ptr;
+	}
+	if (strcmp(helper_name, "writeable_zone") == 0) {
+		cd->writeable_zone = (dns_dlz_writeablezone_t *)ptr;
+	}
+}
+
+static const char *
+shortest_match(const char *pattern, const char *string) {
+	const char *p = string;
+	if (pattern == NULL || p == NULL || *p == '\0') {
+		return (NULL);
+	}
+
+	p += strlen(p);
+	while (p-- > string) {
+		if (*p == '.') {
+			if (fnmatch(pattern, p + 1, FNM_CASEFOLD) == 0) {
+				return (p + 1);
+			}
+		}
+	}
+	if (fnmatch(pattern, string, FNM_CASEFOLD) == 0) {
+		return (string);
+	}
+
+	return (NULL);
+}
+
+/*
+ * The helper functions stolen from the FreeBSD kernel (sys/libkern/fnmatch.c).
+ *
+ * Why don't we use fnmatch(3) from libc? Because it is not thread-safe, and
+ * it is not thread-safe because it supports multibyte characters. But here,
+ * in BIND, we want to be thread-safe and don't need multibyte - DNS names are
+ * always ASCII.
+ */
+#define EOS '\0'
+
+#define RANGE_MATCH   1
+#define RANGE_NOMATCH 0
+#define RANGE_ERROR   (-1)
+
+static int
+fnmatch(const char *pattern, const char *string, int flags) {
+	const char *stringstart;
+	char *newp;
+	char c, test;
+
+	for (stringstart = string;;) {
+		switch (c = *pattern++) {
+		case EOS:
+			if ((flags & FNM_LEADING_DIR) && *string == '/') {
+				return (0);
+			}
+			return (*string == EOS ? 0 : FNM_NOMATCH);
+		case '?':
+			if (*string == EOS) {
+				return (FNM_NOMATCH);
+			}
+			if (*string == '/' && (flags & FNM_PATHNAME)) {
+				return (FNM_NOMATCH);
+			}
+			if (*string == '.' && (flags & FNM_PERIOD) &&
+			    (string == stringstart ||
+			     ((flags & FNM_PATHNAME) && *(string - 1) == '/')))
+			{
+				return (FNM_NOMATCH);
+			}
+			++string;
+			break;
+		case '*':
+			c = *pattern;
+			/* Collapse multiple stars. */
+			while (c == '*') {
+				c = *++pattern;
+			}
+
+			if (*string == '.' && (flags & FNM_PERIOD) &&
+			    (string == stringstart ||
+			     ((flags & FNM_PATHNAME) && *(string - 1) == '/')))
+			{
+				return (FNM_NOMATCH);
+			}
+
+			/* Optimize for pattern with * at end or before /. */
+			if (c == EOS) {
+				if (flags & FNM_PATHNAME) {
+					return ((flags & FNM_LEADING_DIR) ||
+								index(string,
+								      '/') ==
+									NULL
+							? 0
+							: FNM_NOMATCH);
+				} else {
+					return (0);
+				}
+			} else if (c == '/' && flags & FNM_PATHNAME) {
+				if ((string = index(string, '/')) == NULL) {
+					return (FNM_NOMATCH);
+				}
+				break;
+			}
+
+			/* General case, use recursion. */
+			while ((test = *string) != EOS) {
+				if (!fnmatch(pattern, string,
+					     flags & ~FNM_PERIOD))
+				{
+					return (0);
+				}
+				if (test == '/' && flags & FNM_PATHNAME) {
+					break;
+				}
+				++string;
+			}
+			return (FNM_NOMATCH);
+		case '[':
+			if (*string == EOS) {
+				return (FNM_NOMATCH);
+			}
+			if (*string == '/' && (flags & FNM_PATHNAME)) {
+				return (FNM_NOMATCH);
+			}
+			if (*string == '.' && (flags & FNM_PERIOD) &&
+			    (string == stringstart ||
+			     ((flags & FNM_PATHNAME) && *(string - 1) == '/')))
+			{
+				return (FNM_NOMATCH);
+			}
+
+			switch (rangematch(pattern, *string, flags, &newp)) {
+			case RANGE_ERROR:
+				goto norm;
+			case RANGE_MATCH:
+				pattern = newp;
+				break;
+			case RANGE_NOMATCH:
+				return (FNM_NOMATCH);
+			}
+			++string;
+			break;
+		case '\\':
+			if (!(flags & FNM_NOESCAPE)) {
+				if ((c = *pattern++) == EOS) {
+					c = '\\';
+					--pattern;
+				}
+			}
+			FALLTHROUGH;
+		default:
+		norm:
+			if (c == *string) {
+			} else if ((flags & FNM_CASEFOLD) &&
+				   (tolower((unsigned char)c) ==
+				    tolower((unsigned char)*string)))
+			{
+			} else {
+				return (FNM_NOMATCH);
+			}
+			string++;
+			break;
+		}
+	}
+	UNREACHABLE();
+}
+
+static int
+rangematch(const char *pattern, char test, int flags, char **newp) {
+	int negate, ok;
+	char c, c2;
+
+	/*
+	 * A bracket expression starting with an unquoted circumflex
+	 * character produces unspecified results (IEEE 1003.2-1992,
+	 * 3.13.2).  This implementation treats it like '!', for
+	 * consistency with the regular expression syntax.
+	 * J.T. Conklin (conklin@ngai.kaleida.com)
+	 */
+	if ((negate = (*pattern == '!' || *pattern == '^'))) {
+		++pattern;
+	}
+
+	if (flags & FNM_CASEFOLD) {
+		test = tolower((unsigned char)test);
+	}
+
+	/*
+	 * A right bracket shall lose its special meaning and represent
+	 * itself in a bracket expression if it occurs first in the list.
+	 * -- POSIX.2 2.8.3.2
+	 */
+	ok = 0;
+	c = *pattern++;
+	do {
+		if (c == '\\' && !(flags & FNM_NOESCAPE)) {
+			c = *pattern++;
+		}
+		if (c == EOS) {
+			return (RANGE_ERROR);
+		}
+
+		if (c == '/' && (flags & FNM_PATHNAME)) {
+			return (RANGE_NOMATCH);
+		}
+
+		if (flags & FNM_CASEFOLD) {
+			c = tolower((unsigned char)c);
+		}
+
+		if (*pattern == '-' && (c2 = *(pattern + 1)) != EOS &&
+		    c2 != ']')
+		{
+			pattern += 2;
+			if (c2 == '\\' && !(flags & FNM_NOESCAPE)) {
+				c2 = *pattern++;
+			}
+			if (c2 == EOS) {
+				return (RANGE_ERROR);
+			}
+
+			if (flags & FNM_CASEFOLD) {
+				c2 = tolower((unsigned char)c2);
+			}
+
+			if (c <= test && test <= c2) {
+				ok = 1;
+			}
+		} else if (c == test) {
+			ok = 1;
+		}
+	} while ((c = *pattern++) != ']');
+
+	*newp = (char *)(uintptr_t)pattern;
+	return (ok == negate ? RANGE_NOMATCH : RANGE_MATCH);
+}
diff --git a/contrib/dlz/modules/wildcard/testing/named.conf b/contrib/dlz/modules/wildcard/testing/named.conf
new file mode 100644
index 0000000..cd46706
--- /dev/null
+++ b/contrib/dlz/modules/wildcard/testing/named.conf
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+controls { };
+
+options {
+	directory ".";
+	port 5300;
+	pid-file "named.pid";
+	session-keyfile "session.key";
+	listen-on { any; };
+	listen-on-v6 { none; };
+	recursion no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-md5;
+};
+
+controls {
+	inet 127.0.0.1 port 9953 allow { any; } keys { rndc_key; };
+};
+
+/*
+ * This will match any zone name containing the string "example" and
+ * ending with .com, such as "thisexample.com", "exampleofthat.com",
+ * or "anexampleoftheotherthing.com".
+ */
+dlz "test" {
+	database "dlopen ../dlz_wildcard_dynamic.so
+        *example*.com 10.53.* 1800
+        @      3600    SOA   {ns3.example.nil. support.example.nil. 42 14400 7200 2592000 600}
+        @      3600    NS     ns3.example.nil.
+        @      3600    NS     ns4.example.nil.
+        @      3600    NS     ns8.example.nil.
+        @      3600    MX     {5 mail.example.nil.}
+        ftp    86400   A      192.0.0.1
+        sql    86400   A      192.0.0.2
+        tmp    {}      A      192.0.0.3
+        www    86400   A      192.0.0.3
+        www    86400   AAAA   ::1
+        txt    300     TXT    {\"you requested $record$ in $zone$\"}
+        *      86400   A      192.0.0.100";
+};
diff --git a/contrib/dnspriv/README.md b/contrib/dnspriv/README.md
new file mode 100644
index 0000000..8fa6795
--- /dev/null
+++ b/contrib/dnspriv/README.md
@@ -0,0 +1,23 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+### DNS Privacy in BIND
+
+This directory contains sample configuration files to enable BIND,
+with Nginx as a TLS proxy, to provide DNS over TLS.
+
+`named.conf` configures a validating recursive name server to listen
+on the localhost address at port 8853.
+
+`nginx.conf` configures a TLS proxy to listen on port 853 and
+forward queries and responses to `named`.
+
+For more information, please see
+[https://dnsprivacy.org/wiki/](https://dnsprivacy.org/wiki/)
diff --git a/contrib/dnspriv/named.conf b/contrib/dnspriv/named.conf
new file mode 100644
index 0000000..e5ab3cd
--- /dev/null
+++ b/contrib/dnspriv/named.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	listen-on port 8853 { 127.0.0.1; };
+	allow-query { localhost; };
+	recursion yes;
+	dnssec-validation auto;
+	tcp-clients 1024;
+};
diff --git a/contrib/dnspriv/nginx.conf b/contrib/dnspriv/nginx.conf
new file mode 100644
index 0000000..83f2a88
--- /dev/null
+++ b/contrib/dnspriv/nginx.conf
@@ -0,0 +1,43 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# uncomment to choose an appropriate UID/GID; default is 'nobody'
+# user bind bind;
+
+worker_processes auto;
+pid /var/run/nginx.pid;
+
+events {
+    worker_connections 1024;
+    multi_accept on;
+}
+
+stream {
+    upstream dns_tcp_servers {
+	server 127.0.0.1:8853;
+    }
+
+    server {
+	listen 853 ssl;
+	proxy_pass dns_tcp_servers;
+
+	# update to a suitable SSL certificate (e.g. from LetsEncrypt),
+	# and uncomment the following lines:
+	# ssl_certificate       /etc/nginx/lego/certificates/<cert>.crt;
+	# ssl_certificate_key   /etc/nginx/lego/certificates/<cert>.key;
+
+	ssl_protocols         TLSv1.2;
+	ssl_ciphers           ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+	ssl_session_tickets   on;
+	ssl_session_timeout   4h;
+	ssl_handshake_timeout 30s;
+    }
+}
diff --git a/contrib/kasp/README b/contrib/kasp/README
new file mode 100644
index 0000000..fb897f1
--- /dev/null
+++ b/contrib/kasp/README
@@ -0,0 +1,11 @@
+This directory is for tools and scripts related to the OpenDNSSEC KASP
+("key and signature policy") format. Currently it only contains
+"kasp2policy.py", a python script for converting KASP key policy
+to the "dnssec.policy" format that is used by dnssec-keymgr.
+
+This depends on PLY (python lex/yacc) and on the "isc.dnskey" module in
+bin/python/isc.
+
+Basic test:
+$ python kasp2policy.py kasp.xml > policy.out
+$ diff policy.out policy.good 
diff --git a/contrib/kasp/kasp.xml b/contrib/kasp/kasp.xml
new file mode 100644
index 0000000..a92d096
--- /dev/null
+++ b/contrib/kasp/kasp.xml
@@ -0,0 +1,146 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0.  If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+-->
+
+<!-- Sample KASP file to use for testing kasp2policy.py. -->
+<KASP>
+	<Policy name="Policy1">
+	  <Description>A default policy that will
+		amaze you and your friends</Description>
+		<Signatures>
+			<Resign>PT5M</Resign>
+			<Refresh>PT5M</Refresh>
+			<Validity>
+					<Default>PT15M</Default>
+					<Denial>PT15M</Denial>
+			</Validity>
+			<Jitter>PT2M</Jitter>
+			<InceptionOffset>PT1M</InceptionOffset>
+		</Signatures>
+
+		<Denial>
+			<NSEC>
+			</NSEC>
+		</Denial>
+
+		<Keys>
+			<!-- Parameters for both KSK and ZSK -->
+			<TTL>PT1M</TTL>
+			<RetireSafety>PT0S</RetireSafety>
+			<PublishSafety>PT0S</PublishSafety>
+
+			<!-- Parameters for KSK only -->
+			<KSK>
+				<Algorithm length="2048">5</Algorithm>
+				<Lifetime>PT40M</Lifetime>
+				<Repository>softHSM</Repository>
+				<Standby>1</Standby>
+			</KSK>
+
+			<!-- Parameters for ZSK only -->
+			<ZSK>
+				<Algorithm length="2048">5</Algorithm>
+				<Lifetime>PT25M</Lifetime>
+				<Repository>softHSM</Repository>
+				<Standby>1</Standby>
+			</ZSK>
+		</Keys>
+
+		<Zone>
+			<PropagationDelay>PT0S</PropagationDelay>
+			<SOA>
+				<TTL>PT0S</TTL>
+				<Minimum>PT0S</Minimum>
+				<Serial>unixtime</Serial>
+			</SOA>
+		</Zone>
+
+		<Parent>
+			<PropagationDelay>PT8M</PropagationDelay>
+			<DS>
+				<TTL>PT0S</TTL>
+			</DS>
+			<SOA>
+				<TTL>PT0S</TTL>
+				<Minimum>PT0S</Minimum>
+			</SOA>
+		</Parent>
+	</Policy>
+	<Policy name="Policy2">
+		<Description>A default policy that will amaze you and your friends</Description>
+		<Signatures>
+			<Resign>PT7M</Resign>
+			<Refresh>PT7M</Refresh>
+			<Validity>
+					<Default>PT15M</Default>
+					<Denial>PT16M</Denial>
+			</Validity>
+			<Jitter>PT2M</Jitter>
+			<InceptionOffset>PT1M</InceptionOffset>
+		</Signatures>
+
+		<Denial>
+			<NSEC3>
+				<Resalt>P120D</Resalt>
+				<Hash>
+					<Algorithm>1</Algorithm>
+					<Iterations>5</Iterations>
+					<Salt length="8"/>
+				</Hash>
+			</NSEC3>
+		</Denial>
+
+		<Keys>
+			<!-- Parameters for both KSK and ZSK -->
+			<TTL>PT15M</TTL>
+			<RetireSafety>PT0S</RetireSafety>
+			<PublishSafety>PT0S</PublishSafety>
+
+			<!-- Parameters for KSK only -->
+			<KSK>
+				<Algorithm length="2048">7</Algorithm>
+				<Lifetime>PT45M</Lifetime>
+				<Repository>softHSM</Repository>
+				<Standby>1</Standby>
+			</KSK>
+
+			<!-- Parameters for ZSK only -->
+			<ZSK>
+				<Algorithm length="2048">7</Algorithm>
+				<Lifetime>PT25M</Lifetime>
+				<Repository>softHSM</Repository>
+				<Standby>1</Standby>
+			</ZSK>
+		</Keys>
+
+		<Zone>
+			<PropagationDelay>PT0S</PropagationDelay>
+			<SOA>
+				<TTL>PT0S</TTL>
+				<Minimum>PT0S</Minimum>
+				<Serial>unixtime</Serial>
+			</SOA>
+		</Zone>
+
+		<Parent>
+			<PropagationDelay>PT12M</PropagationDelay>
+			<DS>
+				<TTL>PT0S</TTL>
+			</DS>
+			<SOA>
+				<TTL>PT0S</TTL>
+				<Minimum>PT0S</Minimum>
+			</SOA>
+		</Parent>
+	</Policy>
+</KASP>
diff --git a/contrib/kasp/kasp2policy.py b/contrib/kasp/kasp2policy.py
new file mode 100644
index 0000000..a2536a7
--- /dev/null
+++ b/contrib/kasp/kasp2policy.py
@@ -0,0 +1,223 @@
+#!/usr/bin/python
+
+# Copyright (C) 2015  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+from xml.etree import cElementTree as ET
+from collections import defaultdict
+import re
+from ply import yacc
+from ply import lex
+from isc import dnskey
+
+
+############################################################################
+# Translate KASP duration values into seconds
+############################################################################
+class KaspTime:
+    # pylint: disable=invalid-name
+    class KTLex:
+        # pylint: disable=invalid-name
+
+        tokens = ("P", "T", "Y", "M", "D", "H", "S", "NUM")
+
+        t_P = r"(?i)P"
+        t_T = r"(?i)T"
+        t_Y = r"(?i)Y"
+        t_M = r"(?i)M"
+        t_D = r"(?i)D"
+        t_H = r"(?i)H"
+        t_S = r"(?i)S"
+
+        @staticmethod
+        def t_NUM(t):
+            r"\d+"
+            t.value = int(t.value)
+            return t
+
+        @staticmethod
+        def t_error(t):
+            print("Illegal character '%s'" % t.value[0])
+            t.lexer.skip(1)
+
+        def __init__(self):
+            self.lexer = lex.lex(object=self)
+
+    def __init__(self):
+        self.lexer = self.KTLex()
+        self.tokens = self.lexer.tokens
+        self.parser = yacc.yacc(debug=False, write_tables=False, module=self)
+
+    def parse(self, text):
+        self.lexer.lexer.lineno = 0
+        return self.parser.parse(text)
+
+    @staticmethod
+    def p_ktime_4(p):
+        "ktime : P periods T times"
+        p[0] = p[2] + p[4]
+
+    @staticmethod
+    def p_ktime_3(p):
+        "ktime : P T times"
+        p[0] = p[3]
+
+    @staticmethod
+    def p_ktime_2(p):
+        "ktime : P periods"
+        p[0] = p[2]
+
+    @staticmethod
+    def p_periods_1(p):
+        "periods : period"
+        p[0] = p[1]
+
+    @staticmethod
+    def p_periods_2(p):
+        "periods : periods period"
+        p[0] = p[1] + p[2]
+
+    @staticmethod
+    def p_times_1(p):
+        "times : time"
+        p[0] = p[1]
+
+    @staticmethod
+    def p_times_2(p):
+        "times : times time"
+        p[0] = p[1] + p[2]
+
+    @staticmethod
+    def p_period(p):
+        """period : NUM Y
+        | NUM M
+        | NUM D"""
+        if p[2].lower() == "y":
+            p[0] = int(p[1]) * 31536000
+        elif p[2].lower() == "m":
+            p[0] = int(p[1]) * 2592000
+        elif p[2].lower() == "d":
+            p[0] += int(p[1]) * 86400
+
+    @staticmethod
+    def p_time(p):
+        """time : NUM H
+        | NUM M
+        | NUM S"""
+        if p[2].lower() == "h":
+            p[0] = int(p[1]) * 3600
+        elif p[2].lower() == "m":
+            p[0] = int(p[1]) * 60
+        elif p[2].lower() == "s":
+            p[0] = int(p[1])
+
+    @staticmethod
+    def p_error():
+        print("Syntax error")
+
+
+############################################################################
+# Load the contents of a KASP XML file as a python dictionary
+############################################################################
+class Kasp:
+    # pylint: disable=invalid-name
+
+    @staticmethod
+    def _todict(t):
+        d = {t.tag: {} if t.attrib else None}
+        children = list(t)
+        if children:
+            dd = defaultdict(list)
+            for dc in map(Kasp._todict, children):
+                for k, v in dc.iteritems():
+                    dd[k].append(v)
+            k = {k: v[0] if len(v) == 1 else v for k, v in dd.items()}
+            d = {t.tag: k}
+        if t.attrib:
+            d[t.tag].update(("@" + k, v) for k, v in t.attrib.iteritems())
+        if t.text:
+            text = t.text.strip()
+            if children or t.attrib:
+                if text:
+                    d[t.tag]["#text"] = text
+            else:
+                d[t.tag] = text
+        return d
+
+    def __init__(self, filename):
+        self._dict = Kasp._todict(ET.parse(filename).getroot())
+
+    def __getitem__(self, key):
+        return self._dict[key]
+
+    def __len__(self):
+        return len(self._dict)
+
+    def __iter__(self):
+        return self._dict.__iter__()
+
+    def __repr__(self):
+        return repr(self._dict)
+
+
+############################################################################
+# Load the contents of a KASP XML file as a python dictionary
+############################################################################
+if __name__ == "__main__":
+    import sys
+
+    if len(sys.argv) < 2:
+        print("Usage: kasp2policy <filename>")
+        sys.exit(1)
+
+    KINFO = Kasp(sys.argv[1])
+    try:
+        KINFO = Kasp(sys.argv[1])
+    except FileNotFoundError:
+        print("%s: unable to load KASP file '%s'" % (sys.argv[0], sys.argv[1]))
+        sys.exit(1)
+
+    KT = KaspTime()
+    FIRST = True
+
+    for policy in KINFO["KASP"]["Policy"]:
+        if not policy["@name"] or not policy["Keys"]:
+            continue
+        if not FIRST:
+            print("")
+        FIRST = False
+        if policy["Description"]:
+            desc = policy["Description"].strip()
+            print("# %s" % re.sub(r"\n\s*", "\n# ", desc))
+        print("policy %s {" % policy["@name"])
+        ksk = policy["Keys"]["KSK"]
+        zsk = policy["Keys"]["ZSK"]
+        kalg = ksk["Algorithm"]
+        zalg = zsk["Algorithm"]
+        algnum = kalg["#text"] or zalg["#text"]
+        if algnum:
+            print("\talgorithm %s;" % dnskey.algstr(int(algnum)))
+        if policy["Keys"]["TTL"]:
+            print("\tkeyttl %d;" % KT.parse(policy["Keys"]["TTL"]))
+        if kalg["@length"]:
+            print("\tkey-size ksk %d;" % int(kalg["@length"]))
+        if zalg["@length"]:
+            print("\tkey-size zsk %d;" % int(zalg["@length"]))
+        if ksk["Lifetime"]:
+            print("\troll-period ksk %d;" % KT.parse(ksk["Lifetime"]))
+        if zsk["Lifetime"]:
+            print("\troll-period zsk %d;" % KT.parse(zsk["Lifetime"]))
+        if ksk["Standby"]:
+            print("\tstandby ksk %d;" % int(ksk["Standby"]))
+        if zsk["Standby"]:
+            print("\tstandby zsk %d;" % int(zsk["Standby"]))
+        print("};")
diff --git a/contrib/kasp/policy.good b/contrib/kasp/policy.good
new file mode 100644
index 0000000..18c6360
--- /dev/null
+++ b/contrib/kasp/policy.good
@@ -0,0 +1,24 @@
+# A default policy that will
+# amaze you and your friends
+policy Policy1 {
+	algorithm RSASHA1;
+	keyttl 60;
+	key-size ksk 2048;
+	key-size zsk 2048;
+	roll-period ksk 2400;
+	roll-period zsk 1500;
+	standby ksk 1;
+	standby zsk 1;
+};
+
+# A default policy that will amaze you and your friends
+policy Policy2 {
+	algorithm NSEC3RSASHA1;
+	keyttl 900;
+	key-size ksk 2048;
+	key-size zsk 2048;
+	roll-period ksk 2700;
+	roll-period zsk 1500;
+	standby ksk 1;
+	standby zsk 1;
+};
diff --git a/contrib/scripts/catzhash.py b/contrib/scripts/catzhash.py
new file mode 100644
index 0000000..98f6c9e
--- /dev/null
+++ b/contrib/scripts/catzhash.py
@@ -0,0 +1,35 @@
+#!/usr/bin/python
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# catzhash.py: generate the SHA-1 hash of a domain name in wire format.
+#
+# This can be used to determine the label to use in a catalog zone to
+# represent the specified zone. For example, the zone
+# "domain.example" can be represented in a catalog zone called
+# "catalog.example" by adding the following record:
+#
+# 5960775ba382e7a4e09263fc06e7c00569b6a05c.zones.catalog.example. \
+#    IN PTR domain.example.
+#
+# The label "5960775ba382e7a4e09263fc06e7c00569b6a05c" is the output of
+# this script when run with the argument "domain.example".
+
+import sys
+import hashlib
+import dns.name
+
+if len(sys.argv) < 2:
+    print("Usage: %s name" % sys.argv[0])
+
+NAME = dns.name.from_text(sys.argv[1]).to_wire()
+print(hashlib.sha1(NAME).hexdigest())
diff --git a/contrib/scripts/check-secure-delegation.pl.in b/contrib/scripts/check-secure-delegation.pl.in
new file mode 100644
index 0000000..f2a3a19
--- /dev/null
+++ b/contrib/scripts/check-secure-delegation.pl.in
@@ -0,0 +1,116 @@
+#!@PERL@
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+use warnings;
+use FileHandle;
+use IPC::Open2;
+use POSIX qw/strftime/;
+
+#
+# We only compare keyid / DNSSEC algorithm pairs.  If this succeeds then
+# the crypto will likely succeed.  If it fails then the crypto will definitely
+# fail.
+#
+$prefix = "@prefix@";
+$dig = "$prefix/bin/dig +cd +dnssec +noall +answer";
+$dsfromkey = "$prefix/sbin/dnssec-dsfromkey -1 -A -f /dev/stdin";
+
+# Get "now" in a RRSIG datestamp format.
+$now = strftime "%Y%m%d%H%M%S", gmtime;
+
+foreach $zone (@ARGV) {
+	my %algorithms = ();
+	my %dnskeygood = ();
+	my %dnskeyalg = ();
+	my %dnskey = ();
+	my %dsgood = ();
+	my %ds = ();
+
+	# Read the DS records and extract the key id, algorithm pairs
+	open(DS, "$dig -t DS -q $zone|") || die("dig DS failed");
+	while(<DS>) {
+		@words = split;
+		if ($words[3] eq "RRSIG" && $words[4] eq "DS") {
+			next if ($words[8] >= $now && $words[9] <= $now);
+			print "BAD SIG DATES: $_";
+		}
+		next if ($words[3] ne "DS");
+		$ds{"$words[4] $words[5]"} = 1;
+		$algorithms{"$words[5]"} = 1;
+	}
+	close(DS);
+
+	# Read the RRSIG(DNSKEY) records and extract the key id,
+	# algorithm pairs.  Set good if we have a match against the DS
+	# records.  DNSKEY records should be before the RRSIG records.
+	open(DNSKEY, "$dig -t DNSKEY -q $zone|") || die("dig DNSKEY failed");
+	while (<DNSKEY>) {
+		@words = split;
+		if ($words[3] eq "DNSKEY") {
+			$dnskeyalg{"$words[6]"} = 1;
+			next if (! -e "/dev/stdin");
+			# get the key id ($dswords[3]).
+			$pid = open2(*Reader, *Writer, "$dsfromkey $zone");
+			die("dsfromkey failed") if ($pid == -1);
+			print Writer "$_";
+			close(Writer);
+			$line = <Reader>;
+			close(Reader);
+			@dswords = split /\s/, $line;
+			$dnskey{"$dswords[3] $dswords[4]"} = 1;
+			next;
+		}
+		next if ($words[3] ne "RRSIG" || $words[4] ne "DNSKEY");
+		if ($words[8] >= $now && $words[9] <= $now) {
+			# If we don't have /dev/stdin then just check for the
+			# RRSIG otherwise check for both the DNSKEY and
+			# RRSIG.
+			$dsgood{"$words[5]"} = 1
+				if (! -e "/dev/stdin" &&
+				    exists($ds{"$words[10] $words[5]"}));
+			$dsgood{"$words[5]"} = 1
+				if (exists($ds{"$words[10] $words[5]"}) &&
+				    exists($dnskey{"$words[10] $words[5]"}));
+			$dnskeygood{"$words[5]"} = 1
+				if (! -e "/dev/stdin");
+			$dnskeygood{"$words[5]"} = 1
+				if (exists($dnskey{"$words[10] $words[5]"}));
+		} else {
+			$dnskeygood{"$words[5]"} = 1;
+			print "BAD SIG DATES: $_";
+		}
+	}
+	close(DNSKEY);
+
+	# Do we have signatures for all DNSKEY algorithms?
+	foreach $alg ( keys %dnskeyalg ) {
+		print "Missing $zone DNSKEY RRSIG for algorithm $alg\n"
+			if (!exists($dnskeygood{$alg}));
+	}
+
+	# Do we have a matching self signed DNSKEY for all DNSSEC algorithms
+	# in the DS records.
+	$count = 0;
+	foreach $alg ( keys %algorithms ) {
+		if (exists($dsgood{$alg})) {
+			print "$zone algorithm $alg good " .
+			      "(found DS / self signed DNSKEY pair)\n";
+		} else {
+			print "$zone algorithm $alg bad " .
+			      "(no DS / self signed DNSKEY pair found)\n";
+		}
+		$count++;
+	}
+	print "$zone has no secure delegation records\n"
+		if (! $count);
+}
diff --git a/contrib/scripts/check5011.pl b/contrib/scripts/check5011.pl
new file mode 100644
index 0000000..814295a
--- /dev/null
+++ b/contrib/scripts/check5011.pl
@@ -0,0 +1,210 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+use warnings;
+use strict;
+
+use POSIX qw(strftime);
+my $now = strftime "%Y%m%d%H%M%S", gmtime;
+
+sub ext8601 ($) {
+	my $d = shift;
+	$d =~ s{(....)(..)(..)(..)(..)(..)}
+	       {$1-$2-$3.$4:$5:$6+0000};
+	return $d;
+}
+
+sub getkey ($$) {
+	my $h = shift;
+	my $k = shift;
+	m{\s+(\d+)\s+(\d+)\s+(\d+)\s+[(]\s*$};
+	$k->{flags}     = $1;
+	$k->{protocol}  = $2;
+	$k->{algorithm} = $3;
+	my $data = "(";
+	while (<$h>) {
+		s{^\s+}{};
+		s{\s+$}{};
+		last if m{^[)]};
+		$data .= $_;
+	}
+	m{ alg = (\S+)\s*; key id = (\d+)};
+	$k->{alg}  = $1;
+	$k->{id}   = $2;
+	$k->{data} = $data;
+	return $k;
+}
+
+sub fmtkey ($) {
+	my $k = shift;
+	return sprintf "%16s tag %s", $k->{name}, $k->{id};
+}
+
+sub printstatus ($) {
+	my $a = shift;
+	if ($a->{removehd} ne "19700101000000") {
+		printf " untrusted and to be removed at %s\n", ext8601 $a->{removehd};
+	} elsif ($a->{addhd} le $now) {
+		printf " trusted\n";
+	} else {
+		printf " waiting for %s\n", ext8601 $a->{addhd};
+	}
+}
+
+sub digkeys ($) {
+	my $name = shift;
+	my $keys;
+	open my $d, "-|", qw{dig +multiline DNSKEY}, $name;
+	while (<$d>) {
+		next unless m{^([a-z0-9.-]*)\s+\d+\s+IN\s+DNSKEY\s+};
+		next unless $name eq $1;
+		push @$keys, getkey $d, { name => $name };
+	}
+	return $keys;
+}
+
+my $anchor;
+my $owner = ".";
+while (<>) {
+	next unless m{^([a-z0-9.-]*)\s+KEYDATA\s+(\d+)\s+(\d+)\s+(\d+)\s+};
+	my $k = getkey *ARGV, {
+		name     => $1,
+		refresh  => $2,
+		addhd    => $3,
+		removehd => $4,
+	};
+	if ($k->{name} eq "") {
+		$k->{name} = $owner;
+	} else {
+		$owner = $k->{name};
+	}
+	$k->{name} =~ s{[.]*$}{.};
+	push @{$anchor->{$k->{name}}}, $k;
+}
+
+for my $name (keys %$anchor) {
+	my $keys = digkeys $name;
+	my $anchors = $anchor->{$name};
+	for my $k (@$keys) {
+		if ($k->{flags} & 1) {
+			printf "%s %s", fmtkey $k, $k->{alg};
+		} else {
+			# ZSK - skipping
+			next;
+		}
+		if ($k->{flags} & 512) {
+			print " revoked;";
+		}
+		my $a;
+		for my $t (@$anchors) {
+			if ($t->{data} eq $k->{data} and
+			    $t->{protocol} eq $k->{protocol} and
+			    $t->{algorithm} eq $k->{algorithm}) {
+				$t->{matched} = 1;
+				$a = $t;
+				last;
+			}
+		}
+		if (not defined $a) {
+			print " no trust anchor\n";
+			next;
+		}
+		printstatus $a;
+	}
+	for my $a (@$anchors) {
+		next if $a->{matched};
+		printf "%s %s missing;", fmtkey $a, $a->{alg};
+		printstatus $a;
+	}
+}
+
+exit;
+
+__END__
+
+=head1 NAME
+
+check5011 - summarize DNSSEC trust anchor status
+
+=head1 SYNOPSIS
+
+check5011 <I<managed-keys.bind>>
+
+=head1 DESCRIPTION
+
+The BIND managed-keys file contains DNSSEC trust anchors
+that can be automatically updated according to RFC 5011. The
+B<check5011> program reads this file and prints a summary of the
+status of the trust anchors. It fetches the corresponding
+DNSKEY records using B<dig> and compares them to the trust anchors.
+
+Each key is printed on a line with its name, its tag, and its
+algorithm, followed by a summary of its status.
+
+=over
+
+=item C<trusted>
+
+The key is currently trusted.
+
+=item C<waiting for ...>
+
+The key is new, and B<named> is waiting for the "add hold-down" period
+to pass before the key will be trusted.
+
+=item C<untrusted and to be removed at ...>
+
+The key was revoked and will be removed at the stated time.
+
+=item C<no trust anchor>
+
+The key is present in the DNS but not in the managed-keys file.
+
+=item C<revoked>
+
+The key has its revoked flag set. This is printed before the key's
+trust anchor status which should normally be C<untrusted...> if
+B<named> has observed the revocation.
+
+=item C<missing>
+
+There is no DNSKEY record for this trust anchor. This is printed
+before the key's trust anchor status.
+
+=back
+
+By default the managed keys are stored in a file called
+F<managed-keys.bind> in B<named>'s working directory. This location
+can be changed with B<named>'s B<managed-keys-directory> option. If
+you are using views the file may be named with the SHA256 hash of a
+view name with a F<.mkeys> extension added.
+
+=head1 AUTHOR
+
+=over
+
+=item Written by Tony Finch <fanf2@cam.ac.uk> <dot@dotat.at>
+
+=item at the University of Cambridge Computing Service.
+
+=item You may do anything with this. It has no warranty.
+
+=item L<http://creativecommons.org/publicdomain/zero/1.0/>
+
+=back
+
+=head1 SEE ALSO
+
+dig(1), named(8)
+
+=cut
diff --git a/contrib/scripts/dnssec-keyset.sh b/contrib/scripts/dnssec-keyset.sh
new file mode 100644
index 0000000..9bf02c6
--- /dev/null
+++ b/contrib/scripts/dnssec-keyset.sh
@@ -0,0 +1,207 @@
+#!/bin/sh
+
+# Copyright (C) 2015  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+HELP="
+Generates a set of <count> successive DNSSEC keys for <zone>
+Key timings are based on a pre-publication rollover strategy
+
+ <life>  (lifetime) is the key active lifetime in days [default 180]
+ <intro> (introduction time) is the number of days from publication
+         to activation of a key [default 30]
+ <ret>   (retirement time) is the number of days from inactivation
+         to deletion of a key [default 30]
+
+Options:
+ -a <alg>    Cryptographic algorithm. See man dnssec-keygen for defaults.
+ -b <bits>   Number of bits in the key. See man dnssec-keygen for defaults.
+ -k          if present, generate Key Signing Keys (KSKs). Otherwise,
+             generate Zone Signing Keys (ZSKs).
+ -3          If present and if -a is not specified, use an NSEC3-
+             capable algorithm. See man dnssec-keygen for defaults.
+ -i <date>   Inception date of the set of keys, in 'mm/dd/yyyy' format.
+             The first two keys will be published by this date, and the
+             first one will be activated. Default is today.
+ -f <index>  Index of first key generated. Defaults to 0.
+ -K <dir>    Key repository: write keys to this directory. Defaults to CWD. 
+ -d          Dry run. No actual keys generated if present."
+
+USAGE="Usage:
+`basename $0` [-a <alg>] [-b <bits>] [-k] [-3] [-i <date>]
+              [-f <index>] [-d] <zone> <count> [<life>] [<intro>] [<ret>]"
+
+ALGFLAG=''
+BITSFLAG=''
+KSKFLAG=''
+NSEC3FLAG=''
+KEYREPO=''
+DRYRUN=false
+OPTKSK=false
+K=0
+INCEP=`date +%m/%d/%Y`
+
+# Parse command line options
+while getopts ":a:b:df:hkK:3i:" thisOpt
+do
+    case $thisOpt in
+        a)
+            ALGFLAG=" -a $OPTARG"
+            ;;
+        b)
+            BITSFLAG=" -b $OPTARG"
+            ;;
+        d)
+            DRYRUN=true
+            ;;
+        f)
+            OPTKSK=true
+            K=$OPTARG
+            ;;
+        h)
+            echo "$USAGE"
+            echo "$HELP"
+            exit 0
+            ;;
+        k)
+            KSKFLAG=" -f KSK"
+            ;;
+        K)
+            KEYREPO=$OPTARG
+            ;;
+        3)
+            NSEC3FLAG=" -3"
+            ;;
+        i)
+            INCEP=$OPTARG
+            ;;
+        *)
+            echo 'Unrecognized option.'
+            echo "$USAGE"
+            exit 1
+            ;;
+    esac
+done
+shift `expr $OPTIND - 1`
+
+# Check that required arguments are present
+if [ $# -gt 5 -o $# -lt 2 ]; then
+    echo "$USAGE"
+    exit 1
+fi
+
+# Remaining arguments:
+# DNS zone name
+ZONE=$1
+shift
+
+# Number of keys to be generated
+COUNT=$1
+shift
+
+# Key active lifetime
+LIFE=${1:-180}
+[ $# -ne 0 ] && shift
+
+# Key introduction time (publication to activation)
+INTRO=${1:-30}
+[ $# -ne 0 ] && shift
+
+# Key retirement time (inactivation to deletion)
+RET=${1:-30}
+
+# Today's date in dnssec-keygen format (YYYYMMDD)
+TODAY=`date +%Y%m%d`
+
+# Key repository defaults to CWD
+if [ -z "$KEYREPO" ]; then
+    KEYREPO="."
+fi
+
+if $DRYRUN; then
+    echo 'Dry Run (no key files generated)'
+elif [ ! -d "$KEYREPO" ]; then
+    # Create the key repository if it does not currently exist
+    mkdir -p "$KEYREPO"
+fi
+
+# Iterate through the key set. K is the index, zero-based.
+KLAST=`expr $K + $COUNT`
+while [ $K -lt $KLAST ]; do
+    KEYLABEL="Key `printf \"%02d\" $K`:"
+    # Epoch of the current key
+    # (zero for the first key, increments of key lifetime)
+    # The epoch is in days relative to the inception date of the key set
+    EPOCH=`expr $LIFE \* $K`
+    # Activation date in days is the same as the epoch
+    ACTIVATE=$EPOCH
+    # Publication date in days relative to the key epoch
+    PUBLISH=`expr $EPOCH - $LIFE - $INTRO`
+    # Inactivation date in days relative to the key epoch
+    INACTIVE=`expr $EPOCH + $LIFE`
+    # Deletion date in days relative to the key epoch
+    DELETE=`expr $EPOCH + $LIFE + $RET`
+
+    # ... these values should not precede the key epoch
+    [ $ACTIVATE -lt 0 ] && ACTIVATE=0
+    [ $PUBLISH -lt 0 ] && PUBLISH=0
+    [ $INACTIVE -lt 0 ] && INACTIVE=0
+    [ $DELETE -lt 0 ] && DELETE=0
+
+    # Key timing dates in dnssec-keygen format (YYYYMMDD):
+    # publication, activation, inactivation, deletion
+    PDATE=`date -d "$INCEP +$PUBLISH day" +%Y%m%d`
+    ADATE=`date -d "$INCEP +$ACTIVATE day" +%Y%m%d`
+    IDATE=`date -d "$INCEP +$INACTIVE day" +%Y%m%d`
+    DDATE=`date -d "$INCEP +$DELETE day" +%Y%m%d`
+
+    # Construct the dnssec-keygen command including all the specified options.
+    # Suppress key generation progress information, and save the key in
+    # the $KEYREPO directory.
+    KEYGENCMD="dnssec-keygen -q$ALGFLAG$BITSFLAG$NSEC3FLAG$KSKFLAG -P $PDATE -A $ADATE -I $IDATE -D $DDATE -K $KEYREPO $ZONE"
+    echo "$KEYLABEL $KEYGENCMD"
+
+    # Generate the key and retrieve its name
+    if $DRYRUN; then
+        KEYNAME="DryRunKey-`printf \"%02d\" $K`"
+    else
+        KEYNAME=`$KEYGENCMD`
+    fi
+
+    # Indicate the key status based on key timing dates relative to today
+    if [ $TODAY -ge $DDATE ]; then
+        echo "$KEYLABEL $KEYNAME is obsolete post deletion date."
+    elif [ $TODAY -ge $IDATE ]; then
+        echo "$KEYLABEL $KEYNAME is published and inactive prior to deletion date."
+    elif [ $TODAY -ge $ADATE ]; then
+        echo "$KEYLABEL $KEYNAME is published and active."
+    elif [ $TODAY -ge $PDATE ]; then
+        echo "$KEYLABEL $KEYNAME is published prior to activation date."
+    else
+        echo "$KEYLABEL $KEYNAME is pending publication."
+    fi
+
+    # For published KSKs, generate the required DS records,
+    # saving them to the file $KEYREPO/DS-$KEYNAME
+    if $OPTKSK && [ $TODAY -ge $PDATE -a $TODAY -lt $DDATE ]; then
+        echo "$KEYLABEL $KEYNAME (KSK) requires the publication of DS records in the parent zone."
+        if $DRYRUN; then
+            echo "$KEYLABEL No DS-$KEYNAME file created."
+        else
+            dnssec-dsfromkey "$KEYREPO/$KEYNAME" > "$KEYREPO/DS-$KEYNAME"
+            echo "$KEYLABEL See $KEYREPO/DS-$KEYNAME."
+        fi
+    fi
+    K=`expr $K + 1`
+done
+
+exit 0
diff --git a/contrib/scripts/named-bootconf.sh b/contrib/scripts/named-bootconf.sh
new file mode 100644
index 0000000..273588d
--- /dev/null
+++ b/contrib/scripts/named-bootconf.sh
@@ -0,0 +1,301 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# $NetBSD: named-bootconf.sh,v 1.5 1998/12/15 01:00:53 tron Exp $
+#
+# Copyright (c) 1995, 1998 The NetBSD Foundation, Inc.
+# All rights reserved.
+#
+# This code is derived from software contributed to The NetBSD Foundation
+# by Matthias Scheler.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+
+if [ ${OPTIONFILE-X} = X ]; then
+	WORKDIR=/tmp/`date +%s`.$$
+	( umask 077 ; mkdir $WORKDIR ) || {
+		echo "unable to create work directory '$WORKDIR'" >&2 
+		exit 1
+	}
+	OPTIONFILE=$WORKDIR/options
+	ZONEFILE=$WORKDIR/zones
+	COMMENTFILE=$WORKDIR/comments
+	export OPTIONFILE ZONEFILE COMMENTFILE
+	touch $OPTIONFILE $ZONEFILE $COMMENTFILE
+	DUMP=1
+else
+	DUMP=0
+fi
+
+while read CMD ARGS; do
+	class=
+	CMD=`echo "${CMD}" | tr '[A-Z]' '[a-z]'`
+	case $CMD in
+	\; )
+		echo \# $ARGS >>$COMMENTFILE
+		;;
+	cache )
+		set - X $ARGS
+		shift
+		if [ $# -eq 2 ]; then
+			(echo ""
+			cat $COMMENTFILE
+			echo "zone \"$1\" {"
+			echo "	type hint;"
+			echo "	file \"$2\";"
+			echo "};") >>$ZONEFILE
+			rm -f $COMMENTFILE
+			touch $COMMENTFILE
+		fi
+		;;
+	directory )
+		set - X $ARGS
+		shift
+		if [ $# -eq 1 ]; then
+			(cat $COMMENTFILE
+			echo "	directory \"$1\";") >>$OPTIONFILE
+			rm -f $COMMENTFILE
+			touch $COMMENTFILE
+
+			DIRECTORY=$1
+			export DIRECTORY
+		fi
+		;;
+	forwarders )
+		(cat $COMMENTFILE
+		echo "	forwarders {"
+		for ARG in $ARGS; do
+			echo "		$ARG;"
+		done
+		echo "	};") >>$OPTIONFILE
+		rm -f $COMMENTFILE
+		touch $COMMENTFILE
+		;;
+	include )
+		if [ "$ARGS" != "" ]; then
+			(cd ${DIRECTORY-.}; cat $ARGS) | $0
+		fi
+		;;
+	limit )
+		ARGS=`echo "${ARGS}" | tr '[A-Z]' '[a-z]'`
+		set - X $ARGS
+		shift
+		if [ $# -eq 2 ]; then
+			cat $COMMENTFILE >>$OPTIONFILE
+			case $1 in
+			datasize | files | transfers-in | transfers-per-ns )
+				echo "	$1 $2;" >>$OPTIONFILE
+				;;
+			esac
+			rm -f $COMMENTFILE
+			touch $COMMENTFILE
+		fi
+		;;
+	options )
+		ARGS=`echo "${ARGS}" | tr '[A-Z]' '[a-z]'`
+		cat $COMMENTFILE >>$OPTIONFILE
+		for ARG in $ARGS; do
+			case $ARG in
+			fake-iquery )
+				echo "	fake-iquery yes;" >>$OPTIONFILE
+				;;
+			forward-only )
+				echo "	forward only;" >>$OPTIONFILE
+				;;
+			no-fetch-glue )
+				echo "	fetch-glue no;" >>$OPTIONFILE
+				;;
+			no-recursion )
+				echo "	recursion no;" >>$OPTIONFILE
+				;;
+			esac
+		done
+		rm -f $COMMENTFILE
+		touch $COMMENTFILE
+		;;
+	primary|primary/* )
+		case $CMD in
+		primary/chaos )
+			class="chaos "
+			;;
+		primary/hs )
+			class="hesiod "
+			;;
+		esac
+		set - X $ARGS
+		shift
+		if [ $# -eq 2 ]; then
+			(echo ""
+			cat $COMMENTFILE
+			echo "zone \"$1\" ${class}{"
+			echo "	type master;"
+			echo "	file \"$2\";"
+			echo "};") >>$ZONEFILE
+			rm -f $COMMENTFILE
+			touch $COMMENTFILE
+		fi
+		;;
+	secondary|secondary/* )
+		case $CMD in
+		secondary/chaos )
+			class="chaos "
+			;;
+		secondary/hs )
+			class="hesiod "
+			;;
+		esac
+		set - X $ARGS
+		shift
+		if [ $# -gt 2 ]; then
+			ZONE=$1
+			shift
+			PRIMARIES=$1
+			while [ $# -gt 2 ]; do
+				shift
+				PRIMARIES="$PRIMARIES $1"
+			done
+			(echo ""
+			cat $COMMENTFILE
+			echo "zone \"$ZONE\" ${class}{"
+			echo "	type slave;"
+			echo "	file \"$2\";"
+			echo "	masters {"
+			for PRIMARY in $PRIMARIES; do
+				echo "		$PRIMARY;"
+			done
+			echo "	};"
+			echo "};") >>$ZONEFILE
+			rm -f $COMMENTFILE
+			touch $COMMENTFILE
+		fi
+		;;
+	stub|stub/* )
+		case $CMD in
+		stub/chaos )
+			class="chaos "
+			;;
+		stub/hs )
+			class="hesiod "
+			;;
+		esac
+		set - X $ARGS
+		shift
+		if [ $# -gt 2 ]; then
+			ZONE=$1
+			shift
+			PRIMARIES=$1
+			while [ $# -gt 2 ]; do
+				shift
+				PRIMARIES="$PRIMARIES $1"
+			done
+			(echo ""
+			cat $COMMENTFILE
+			echo "zone \"$ZONE\" ${class}{"
+			echo "	type stub;"
+			echo "	file \"$2\";"
+			echo "	masters {"
+			for PRIMARY in $PRIMARIES; do
+				echo "		$PRIMARY;"
+			done
+			echo "	};"
+			echo "};") >>$ZONEFILE
+			rm -f $COMMENTFILE
+			touch $COMMENTFILE
+		fi
+		;;
+	slave )
+		cat $COMMENTFILE >>$OPTIONFILE
+		echo "	forward only;" >>$OPTIONFILE
+		rm -f $COMMENTFILE
+		touch $COMMENTFILE
+		;;
+	sortlist )
+		(cat $COMMENTFILE
+		echo "	topology {"
+		for ARG in $ARGS; do
+			case $ARG in
+			*.0.0.0 )
+				echo "		$ARG/8;"
+				;;
+			*.0.0 )
+				echo "		$ARG/16;"
+				;;
+			*.0 )
+				echo "		$ARG/24;"
+				;;
+			* )
+				echo "		$ARG;"
+				;;
+			esac
+		done
+		echo "	};") >>$OPTIONFILE
+		rm -f $COMMENTFILE
+		touch $COMMENTFILE
+		;;
+	tcplist | xfrnets )
+		(cat $COMMENTFILE
+		echo "	allow-transfer {"
+		for ARG in $ARGS; do
+			case $ARG in
+			*.0.0.0 )
+				echo "		$ARG/8;"
+				;;
+			*.0.0 )
+				echo "		$ARG/16;"
+				;;
+			*.0 )
+				echo "		$ARG/24;"
+				;;
+			* )
+				echo "		$ARG;"
+				;;
+			esac
+		done
+		echo "	};") >>$OPTIONFILE
+		rm -f $COMMENTFILE
+		touch $COMMENTFILE
+		;;
+	esac
+done
+
+if [ $DUMP -eq 1 ]; then
+	echo ""
+	echo "options {"
+	cat $OPTIONFILE
+	echo "};"
+	cat $ZONEFILE $COMMENTFILE
+
+	rm -f $OPTIONFILE $ZONEFILE $COMMENTFILE
+	rmdir $WORKDIR
+fi
+
+exit 0
diff --git a/contrib/scripts/nanny.pl b/contrib/scripts/nanny.pl
new file mode 100644
index 0000000..27a159e
--- /dev/null
+++ b/contrib/scripts/nanny.pl
@@ -0,0 +1,49 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# A simple nanny to make sure named stays running.
+
+$pid_file_location = '/var/run/named.pid';
+$nameserver_location = 'localhost';
+$dig_program = 'dig';
+$named_program =  'named';
+
+fork() && exit();
+
+for (;;) {
+	$pid = 0;
+	open(FILE, $pid_file_location) || goto restart;
+	$pid = <FILE>;
+	close(FILE);
+	chomp($pid);
+
+	$res = kill 0, $pid;
+
+	goto restart if ($res == 0);
+
+	$dig_command =
+	       "$dig_program +short . \@$nameserver_location > /dev/null";
+	$return = system($dig_command);
+	goto restart if ($return == 9);
+
+	sleep 30;
+	next;
+
+ restart:
+	if ($pid != 0) {
+		kill 15, $pid;
+		sleep 30;
+	}
+	system ($named_program);
+	sleep 120;
+}
diff --git a/contrib/scripts/zone-edit.sh.in b/contrib/scripts/zone-edit.sh.in
new file mode 100644
index 0000000..a4e076d
--- /dev/null
+++ b/contrib/scripts/zone-edit.sh.in
@@ -0,0 +1,153 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+dir=/tmp/zone-edit.$$
+mkdir ${dir} || exit 1
+trap "/bin/rm -rf ${dir}" 0
+
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+bindir=@bindir@
+sbindir=@sbindir@
+
+dig=${bindir}/dig
+checkzone=${sbindir}/named-checkzone
+nsupdate=${bindir}/nsupdate
+
+case $# in
+0) echo "Usage: zone-edit <zone> [dig options] [ -- nsupdate options ]"; exit 0 ;;
+esac
+
+# What kind of echo are we using?
+try=`echo -n ""`
+if test "X$try" = "X-n "
+then
+    echo_arg=""
+    bsc="\\c"
+else
+    echo_arg="-n"
+    bsc=""
+fi
+
+zone="${1}"
+shift
+digopts=
+while test $# -ne 0
+do
+    case "${1}" in
+    --)
+	shift
+	break
+	;;
+    *)
+	digopts="$digopts $1"
+	shift
+	;;
+    esac
+done
+
+${dig} axfr "$zone" $digopts |
+awk '$4 == "RRSIG" || $4 == "NSEC" || $4 == "NSEC3" || $4 == "NSEC3PARAM" { next; } { print; }' > ${dir}/old
+
+if test -s ${dir}/old
+then
+    ${checkzone} -q -D "$zone" ${dir}/old > ${dir}/ooo
+fi
+
+if test -s ${dir}/ooo
+then
+    cp ${dir}/ooo ${dir}/new
+    while :
+    do
+        if ${VISUAL:-${EDITOR:-/bin/ed}} ${dir}/new
+        then
+	    if ${checkzone} -q -D "$zone" ${dir}/new > ${dir}/nnn
+	    then
+	        sort ${dir}/ooo > ${dir}/s1 
+	        sort ${dir}/nnn > ${dir}/s2 
+	        comm -23 ${dir}/s1 ${dir}/s2 |
+		sed 's/^/update delete /' > ${dir}/ccc
+	        comm -13 ${dir}/s1 ${dir}/s2 |
+		sed 's/^/update add /' >> ${dir}/ccc
+	        if test -s ${dir}/ccc
+	        then
+		    cat ${dir}/ccc | more
+		    while :
+		    do
+		        echo ${echo_arg} "Update (u), Abort (a), Redo (r), Modify (m), Display (d) : $bsc"
+			read ans
+			case "$ans" in
+		        u)
+			    (
+			    echo zone "$zone"
+			    cat ${dir}/ccc
+			    echo send
+			    ) | ${nsupdate} "$@"
+			    break 2
+			    ;;
+			a)
+			    break 2
+			    ;;
+			d)
+			    cat ${dir}/ccc | more
+			    ;;
+			r)
+			    cp ${dir}/ooo ${dir}/new
+			    break
+			    ;;
+			m)
+			    break
+			    ;;
+		        esac
+		    done
+		else
+		    while :
+		    do 
+		        echo ${echo_arg} "Abort (a), Redo (r), Modify (m) : $bsc"
+		        read ans
+		        case "$ans" in
+		        a)
+		            break 2
+		            ;;
+		        r)
+		            cp ${dir}/ooo ${dir}/new
+		    	    break
+		            ;;
+		        m)
+			    break
+		            ;;
+		        esac
+		    done
+	        fi
+	    else
+		while :
+		do 
+		    echo ${echo_arg} "Abort (a), Redo (r), Modify (m) : $bsc"
+		    read ans
+		    case "$ans" in
+		    a)
+		        break 2
+		        ;;
+		    r)
+		        cp ${dir}/ooo ${dir}/new
+		    	break
+		        ;;
+		    m)
+			break
+		        ;;
+		    esac
+		done
+	    fi
+        fi
+    done
+fi
diff --git a/dangerfile.py b/dangerfile.py
new file mode 100644
index 0000000..d6a32e5
--- /dev/null
+++ b/dangerfile.py
@@ -0,0 +1,434 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import os
+import re
+
+import gitlab
+
+# Helper functions and variables
+
+
+def added_lines(target_branch, paths):
+    import subprocess
+
+    subprocess.check_output(
+        ["/usr/bin/git", "fetch", "--depth", "1", "origin", target_branch]
+    )
+    diff = subprocess.check_output(
+        ["/usr/bin/git", "diff", "FETCH_HEAD..", "--"] + paths
+    )
+    added_lines = []
+    for line in diff.splitlines():
+        if line.startswith(b"+") and not line.startswith(b"+++"):
+            added_lines.append(line)
+    return added_lines
+
+
+def lines_containing(lines, string):
+    return [l for l in lines if bytes(string, "utf-8") in l]
+
+
+changes_issue_or_mr_id_regex = re.compile(rb"\[(GL [#!]|RT #)[0-9]+\]")
+relnotes_issue_or_mr_id_regex = re.compile(rb":gl:`[#!][0-9]+`")
+release_notes_regex = re.compile(r"doc/(arm|notes)/notes-.*\.(rst|xml)")
+
+modified_files = danger.git.modified_files
+mr_labels = danger.gitlab.mr.labels
+target_branch = danger.gitlab.mr.target_branch
+is_backport = "Backport" in mr_labels or "Backport::Partial" in mr_labels
+is_full_backport = is_backport and "Backport::Partial" not in mr_labels
+
+gl = gitlab.Gitlab(
+    url=f"https://{os.environ['CI_SERVER_HOST']}",
+    private_token=os.environ["DANGER_GITLAB_API_TOKEN"],
+)
+proj = gl.projects.get(os.environ["CI_PROJECT_ID"])
+mr = proj.mergerequests.get(os.environ["CI_MERGE_REQUEST_IID"])
+
+###############################################################################
+# COMMIT MESSAGES
+###############################################################################
+#
+# - FAIL if any of the following is true for any commit on the MR branch:
+#
+#     * The subject line starts with "fixup!", "amend!" or "Apply suggestion".
+#
+#     * The subject line starts with a prohibited word indicating a work in
+#       progress commit (e.g. "WIP").
+#
+#     * The subject line contains a trailing dot.
+#
+#     * There is no empty line between the subject line and the log message.
+#
+# - WARN if any of the following is true for any commit on the MR branch:
+#
+#     * The length of the subject line for a non-merge commit exceeds 72
+#       characters.
+#
+#     * There is no log message present (i.e. commit only has a subject) and
+#       the subject line does not contain any of the following strings:
+#       "fixup!", " CHANGES ", " release note".
+#
+#     * Any line of the log message is longer than 72 characters.  This rule is
+#       not evaluated for:
+#
+#         - lines starting with four spaces, which allows long lines to be
+#           included in the commit log message by prefixing them with four
+#           spaces (useful for pasting compiler warnings, static analyzer
+#           messages, log lines, etc.),
+#
+#         - lines which contain references (i.e. those starting with "[1]",
+#           "[2]", etc.) which allows e.g. long URLs to be included in the
+#           commit log message.
+
+PROHIBITED_WORDS_RE = re.compile(
+    "^(WIP|wip|DROP|drop|DROPME|checkpoint|experiment|TODO|todo)[^a-zA-Z]"
+)
+fixup_error_logged = False
+for commit in danger.git.commits:
+    message_lines = commit.message.splitlines()
+    subject = message_lines[0]
+    if not fixup_error_logged and (
+        subject.startswith("fixup!")
+        or subject.startswith("amend!")
+        or subject.startswith("Apply suggestion")
+    ):
+        fail(
+            "Fixup commits are still present in this merge request. "
+            "Please squash them before merging."
+        )
+        fixup_error_logged = True
+    match = PROHIBITED_WORDS_RE.search(subject)
+    if match:
+        fail(
+            f"Prohibited keyword `{match.groups()[0]}` detected "
+            f"at the start of a subject line in commit {commit.sha}."
+        )
+    if len(subject) > 72 and not subject.startswith("Merge branch "):
+        warn(
+            f"Subject line for commit {commit.sha} is too long: "
+            f"```{subject}``` ({len(subject)} > 72 characters)."
+        )
+    if subject[-1] == ".":
+        fail(f"Trailing dot found in the subject of commit {commit.sha}.")
+    if len(message_lines) > 1 and message_lines[1]:
+        fail(f"No empty line after subject for commit {commit.sha}.")
+    if (
+        len(message_lines) < 3
+        and "fixup! " not in subject
+        and "CHANGES " not in subject
+        and "release note" not in subject.lower()
+        and "GL #" not in subject
+    ):
+        warn(f"Please write a log message for commit {commit.sha}.")
+    for line in message_lines[2:]:
+        if (
+            len(line) > 72
+            and not line.startswith("    ")
+            and not re.match(r"\[[0-9]+\]", line)
+        ):
+            warn(
+                f"Line too long in log message for commit {commit.sha}: "
+                f"```{line}``` ({len(line)} > 72 characters)."
+            )
+
+###############################################################################
+# MILESTONE
+###############################################################################
+#
+# FAIL if the merge request is not assigned to any milestone.
+
+if not danger.gitlab.mr.milestone:
+    fail("Please assign this merge request to a milestone.")
+
+###############################################################################
+# BACKPORT & VERSION LABELS
+###############################################################################
+#
+# FAIL if any of the following is true for the merge request:
+#
+# * The MR is marked as Backport and the number of version labels set is
+#   different than 1.  (For backports, the version label is used for indicating
+#   its target branch.  This is a rather ugly attempt to address a UI
+#   deficiency - the target branch for each MR is not visible on milestone
+#   dashboards.)
+#
+# * The MR is not marked as "Backport" nor any version label is set.  (If the
+#   merge request is not a backport, version labels are used for indicating
+#   backporting preferences.)
+#
+# * The Backport MR doesn't have target branch in the merge request title.
+#
+# * The Backport MR doesn't link to the original MR is its description.
+#
+# * The original MR linked to from Backport MR hasn't been merged.
+
+BACKPORT_OF_RE = re.compile(
+    r"Backport\s+of.*(merge_requests/|!)([0-9]+)", flags=re.IGNORECASE
+)
+VERSION_LABEL_RE = re.compile(r"v9.([0-9]+)(-S)?")
+backport_desc = BACKPORT_OF_RE.search(danger.gitlab.mr.description)
+version_labels = [l for l in mr_labels if l.startswith("v9.")]
+affects_labels = [l for l in mr_labels if l.startswith("Affects v9.")]
+if is_backport:
+    if len(version_labels) != 1:
+        fail(
+            "This MR was marked as *Backport*. "
+            "Please also set exactly one version label (*v9.x*)."
+        )
+    else:
+        minor_ver, edition = VERSION_LABEL_RE.search(version_labels[0]).groups()
+        edition = "" if edition is None else edition
+        title_re = f"^\\[9.{minor_ver}{edition}\\]"
+        match = re.search(title_re, danger.gitlab.mr.title)
+        if match is None:
+            fail(
+                "Backport MRs must have their target version in the title. "
+                f"Please put `[9.{minor_ver}{edition}]` at the start of the MR title."
+            )
+    if backport_desc is None:
+        fail(
+            "Backport MRs must link to the original MR. Please put "
+            "`Backport of MR !XXXX` in the MR description."
+        )
+    else:  # backport MR is linked to original MR
+        original_mr_id = backport_desc.groups()[1]
+        original_mr = proj.mergerequests.get(original_mr_id)
+        if original_mr.state != "merged":
+            fail(
+                f"Original MR !{original_mr_id} has not been merged. "
+                "Please re-run `danger` check once it's merged."
+            )
+        else:  # check for commit IDs once original MR is merged
+            original_mr_commits = list(original_mr.commits(all=True))
+            backport_mr_commits = list(mr.commits(all=True))
+            for orig_commit in original_mr_commits:
+                for backport_commit in backport_mr_commits:
+                    if orig_commit.id in backport_commit.message:
+                        break
+                else:
+                    msg = (
+                        f"Commit {orig_commit.id} from original MR !{original_mr_id} "
+                        "is not referenced in any of the backport commits."
+                    )
+                    if not is_full_backport:
+                        message(msg)
+                    else:
+                        msg += (
+                            " Please use `-x` when cherry-picking to include "
+                            "the full original commit ID. Alternately, use the "
+                            "`Backport::Partial` label if not all original "
+                            "commits are meant to be backported."
+                        )
+                        fail(msg)
+else:
+    if not version_labels:
+        fail(
+            "If this merge request is a backport, set the *Backport* label and "
+            "a single version label (*v9.x*) indicating the target branch. "
+            "If not, set version labels for all targeted backport branches."
+        )
+    if not affects_labels:
+        warn(
+            "Set `Affects v9.` label(s) for all versions that are affected by "
+            "the issue which this MR addresses."
+        )
+
+###############################################################################
+# OTHER LABELS
+###############################################################################
+#
+# WARN if any of the following is true for the merge request:
+#
+# * The "Review" label is not set.  (It may be intentional, but rarely is.)
+#
+# * The "Review" label is set, but the "LGTM" label is not set.  (This aims to
+#   remind developers about the need to set the latter on merge requests which
+#   passed review.)
+
+approved = mr.approvals.get().approved
+if "Review" not in mr_labels:
+    warn(
+        "This merge request does not have the *Review* label set. "
+        "Please set it if you would like the merge request to be reviewed."
+    )
+elif not approved:
+    warn(
+        "This merge request is currently in review. "
+        "It should not be merged until it is approved."
+    )
+
+###############################################################################
+# 'CHANGES' FILE
+###############################################################################
+#
+# FAIL if any of the following is true:
+#
+# * The merge request does not update the CHANGES file, but it does not have
+#   the "No CHANGES" label set.  (This attempts to ensure that the author of
+#   the MR did not forget about adding a CHANGES entry.)
+#
+# * The merge request updates the CHANGES file, but it has the "No CHANGES"
+#   label set.  (This attempts to ensure that the "No CHANGES" label is used in
+#   a sane way.)
+#
+# * The merge request adds any placeholder entries to the CHANGES file, but it
+#   does not target the "main" branch.
+#
+# * The merge request adds a new CHANGES entry that is not a placeholder and
+#   does not contain any GitLab/RT issue/MR identifiers.
+
+changes_modified = "CHANGES" in modified_files or "CHANGES.SE" in modified_files
+no_changes_label_set = "No CHANGES" in mr_labels
+if not changes_modified and not no_changes_label_set:
+    fail(
+        "This merge request does not modify `CHANGES`. "
+        "Add a `CHANGES` entry or set the *No CHANGES* label."
+    )
+if changes_modified and no_changes_label_set:
+    fail(
+        "This merge request modifies `CHANGES`. "
+        "Revert `CHANGES` modifications or unset the *No Changes* label."
+    )
+
+changes_added_lines = added_lines(target_branch, ["CHANGES", "CHANGES.SE"])
+placeholders_added = lines_containing(changes_added_lines, "[placeholder]")
+identifiers_found = filter(changes_issue_or_mr_id_regex.search, changes_added_lines)
+if changes_added_lines:
+    if placeholders_added:
+        if target_branch != "main":
+            fail(
+                "This MR adds at least one placeholder entry to `CHANGES`. "
+                "It should be targeting the `main` branch."
+            )
+    elif not any(identifiers_found):
+        fail("No valid issue/MR identifiers found in added `CHANGES` entries.")
+
+###############################################################################
+# RELEASE NOTES
+###############################################################################
+#
+# - FAIL if any of the following is true:
+#
+#     * The merge request does not update release notes and has the "Release
+#       Notes" label set.  (This attempts to point out missing release notes.)
+#
+#     * The merge request updates release notes but does not have the "Release
+#       Notes" label set.  (This ensures that merge requests updating release
+#       notes can be easily found using the "Release Notes" label.)
+#
+# - WARN if any of the following is true:
+#
+#     * This merge request does not update release notes and has the "Customer"
+#       label set.  (Except for trivial changes, all merge requests which may
+#       be of interest to customers should include a release note.)
+#
+#     * This merge request updates release notes, but no GitLab/RT issue/MR
+#       identifiers are found in the lines added to the release notes by this
+#       MR.
+
+release_notes_regex = re.compile(r"doc/(arm|notes)/notes-.*\.(rst|xml)")
+release_notes_changed = list(filter(release_notes_regex.match, modified_files))
+release_notes_label_set = "Release Notes" in mr_labels
+if not release_notes_changed:
+    if release_notes_label_set:
+        fail(
+            "This merge request has the *Release Notes* label set. "
+            "Add a release note or unset the *Release Notes* label."
+        )
+    elif "Customer" in mr_labels:
+        warn(
+            "This merge request has the *Customer* label set. "
+            "Add a release note unless the changes introduced are trivial."
+        )
+if release_notes_changed and not release_notes_label_set:
+    fail(
+        "This merge request modifies release notes. "
+        "Revert release note modifications or set the *Release Notes* label."
+    )
+
+if release_notes_changed:
+    notes_added_lines = added_lines(target_branch, release_notes_changed)
+    identifiers_found = filter(relnotes_issue_or_mr_id_regex.search, notes_added_lines)
+    if notes_added_lines and not any(identifiers_found):
+        warn("No valid issue/MR identifiers found in added release notes.")
+else:
+    notes_added_lines = []
+
+###############################################################################
+# CVE IDENTIFIERS
+###############################################################################
+#
+# FAIL if the merge request adds a CHANGES entry of type [security] and a CVE
+# identifier is missing from either the added CHANGES entry or the added
+# release note.
+
+if lines_containing(changes_added_lines, "[security]"):
+    if not lines_containing(changes_added_lines, "(CVE-20"):
+        fail(
+            "This merge request fixes a security issue. "
+            "Please add a CHANGES entry which includes a CVE identifier."
+        )
+    if not lines_containing(notes_added_lines, "CVE-20"):
+        fail(
+            "This merge request fixes a security issue. "
+            "Please add a release note which includes a CVE identifier."
+        )
+
+###############################################################################
+# PAIRWISE TESTING
+###############################################################################
+#
+# FAIL if the merge request adds any new ./configure switch without an
+# associated annotation used for pairwise testing.
+
+configure_added_lines = added_lines(target_branch, ["configure.ac"])
+switches_added = lines_containing(
+    configure_added_lines, "AC_ARG_ENABLE"
+) + lines_containing(configure_added_lines, "AC_ARG_WITH")
+annotations_added = lines_containing(configure_added_lines, "# [pairwise: ")
+if switches_added:
+    if len(switches_added) > len(annotations_added):
+        fail(
+            "This merge request adds at least one new `./configure` switch that "
+            "is not annotated for pairwise testing purposes."
+        )
+    else:
+        message(
+            "**Before merging**, please start a full CI pipeline for this "
+            "branch with the `PAIRWISE_TESTING` variable set to any "
+            "non-empty value (e.g. `1`). This will cause the `pairwise` "
+            "job to exercise the new `./configure` switches."
+        )
+
+###############################################################################
+# USER-VISIBLE LOG LEVELS
+###############################################################################
+#
+# WARN if the merge request adds new user-visible log messages (INFO or above)
+
+user_visible_log_levels = [
+    "ISC_LOG_INFO",
+    "ISC_LOG_NOTICE",
+    "ISC_LOG_WARNING",
+    "ISC_LOG_ERROR",
+    "ISC_LOG_CRITICAL",
+]
+source_added_lines = added_lines(target_branch, ["*.[ch]"])
+for log_level in user_visible_log_levels:
+    if lines_containing(source_added_lines, log_level):
+        warn(
+            "This merge request adds new user-visible log messages with "
+            "level INFO or above. Please double-check log levels and make "
+            "sure none of the messages added is a leftover debug message."
+        )
+        break
diff --git a/doc/Makefile.in b/doc/Makefile.in
new file mode 100644
index 0000000..91e9e17
--- /dev/null
+++ b/doc/Makefile.in
@@ -0,0 +1,23 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# This Makefile is a placeholder.  It exists merely to make
+# sure that its directory gets created in the object directory
+# tree when doing a build using separate object directories.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS = @BUILD_MANPAGES@ arm misc doxygen
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/doc/arm/.gitattributes b/doc/arm/.gitattributes
new file mode 100644
index 0000000..967c07a
--- /dev/null
+++ b/doc/arm/.gitattributes
@@ -0,0 +1,7 @@
+
+Bv9ARM.ch* -diff -merge
+Bv9ARM.pdf -diff -merge
+Bv9ARM.xml   text
+Bv9ARM.conf  text
+
+*.xml auto=text
diff --git a/doc/arm/Makefile.in b/doc/arm/Makefile.in
new file mode 100644
index 0000000..ce365e3
--- /dev/null
+++ b/doc/arm/Makefile.in
@@ -0,0 +1,82 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+abs_srcdir =	@abs_srcdir@
+builddir =	@builddir@
+top_builddir =	@top_builddir@
+
+@BIND9_MAKE_RULES@
+
+MKDIR_P=@MKDIR_P@
+
+BIND9_VERSION=@BIND9_VERSION@
+RELEASE_DATE=@RELEASE_DATE@
+BIND9_VERSIONSTRING=@BIND9_VERSIONSTRING@
+
+# You can set these variables from the command line.
+SPHINXBUILD = @SPHINX_BUILD@
+SPHINXBUILDDIR = ${builddir}/_build
+
+common_SPHINXOPTS =	\
+	-W		\
+	-a		\
+	-v		\
+	-c "${abs_srcdir}"
+
+# The "today" variable set below is not directly used in the ARM, but its value
+# is implicitly inserted on the title page of the PDF file produced by Sphinx.
+ALLSPHINXOPTS =				\
+	$(common_SPHINXOPTS)			\
+	-D today="${RELEASE_DATE}"		\
+	$(SPHINXOPTS)				\
+	${srcdir}
+
+# Put it first so that "make" without argument just builds manpages
+all: man
+	@:
+
+man:: $(man1_MANS) $(man5_MANS) $(man8_MANS) @PKCS11_MANS@
+
+doc:: @HTMLTARGET@ @PDFTARGET@
+
+html dirhtml:
+	$(SPHINXBUILD) -b $@ -d "$(SPHINXBUILDDIR)"/.doctrees/$@ $(ALLSPHINXOPTS) "$(SPHINXBUILDDIR)"/$@
+
+pdf:
+	$(SPHINXBUILD) -b latex -d "$(SPHINXBUILDDIR)"/.doctrees/$@ $(ALLSPHINXOPTS) "$(SPHINXBUILDDIR)"/latex
+	make -C "$(SPHINXBUILDDIR)"/latex
+	cp "$(SPHINXBUILDDIR)"/latex/Bv9ARM.pdf "${builddir}"
+
+.PHONY: help Makefile doc pdf man
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
+
+install:: installdirs
+	for m in $(man1_MANPAGES); do ${INSTALL_DATA} $$m ${DESTDIR}${mandir}/man1/; done
+	for m in $(man5_MANPAGES); do ${INSTALL_DATA} $$m ${DESTDIR}${mandir}/man5/; done
+	for m in $(man8_MANPAGES); do ${INSTALL_DATA} $$m ${DESTDIR}${mandir}/man8/; done
+	for m in @PKCS11_MANS@; do ${INSTALL_DATA} $$m ${DESTDIR}${mandir}/man8/; done
+
+uninstall::
+	for m in $(man1_MANPAGES); do rm -f ${DESTDIR}${mandir}/man1/$$m; done
+	for m in $(man5_MANPAGES); do rm -f ${DESTDIR}${mandir}/man5/$$m; done
+	for m in $(man8_MANPAGES); do rm -f ${DESTDIR}${mandir}/man8/$$m; done
+	for m in @PKCS11_MANS@; do rm -f ${DESTDIR}${mandir}/man8/$$m; done
+
+clean docclean manclean maintainer-clean::
+	rm -rf $(SPHINXBUILDDIR)
+	rm -f Bv9ARM.pdf
diff --git a/doc/arm/_static/custom.css b/doc/arm/_static/custom.css
new file mode 100644
index 0000000..86f030f
--- /dev/null
+++ b/doc/arm/_static/custom.css
@@ -0,0 +1,25 @@
+/*
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0.  If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+*/
+
+/* make table content wrappable */
+.wy-table-responsive table td {
+    white-space:normal;
+}
+
+/* readability improvements */
+.rst-content code.literal {
+    color: black;
+}
+.rst-content code.xref {
+    text-decoration: underline dotted gray;
+}
diff --git a/doc/arm/advanced.rst b/doc/arm/advanced.rst
new file mode 100644
index 0000000..4405b5c
--- /dev/null
+++ b/doc/arm/advanced.rst
@@ -0,0 +1,632 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. Advanced:
+
+Advanced DNS Features
+=====================
+
+.. _notify:
+
+Notify
+------
+
+DNS NOTIFY is a mechanism that allows primary servers to notify their
+secondary servers of changes to a zone's data. In response to a ``NOTIFY``
+from a primary server, the secondary checks to see that its version of
+the zone is the current version and, if not, initiates a zone transfer.
+
+For more information about DNS ``NOTIFY``, see the description of the
+``notify`` option in :ref:`boolean_options` and the
+description of the zone option ``also-notify`` in :ref:`zone_transfers`.
+The ``NOTIFY`` protocol is specified in :rfc:`1996`.
+
+.. note::
+
+   As a secondary zone can also be a primary to other secondaries, ``named``, by
+   default, sends ``NOTIFY`` messages for every zone it loads.
+   Specifying ``notify primary-only;`` causes ``named`` to only send
+   ``NOTIFY`` for primary zones that it loads.
+
+.. _dynamic_update:
+
+Dynamic Update
+--------------
+
+Dynamic update is a method for adding, replacing, or deleting records in
+a primary server by sending it a special form of DNS messages. The format
+and meaning of these messages is specified in :rfc:`2136`.
+
+Dynamic update is enabled by including an ``allow-update`` or an
+``update-policy`` clause in the ``zone`` statement.
+
+If the zone's ``update-policy`` is set to ``local``, updates to the zone
+are permitted for the key ``local-ddns``, which is generated by
+``named`` at startup. See :ref:`dynamic_update_policies` for more details.
+
+Dynamic updates using Kerberos-signed requests can be made using the
+TKEY/GSS protocol, either by setting the ``tkey-gssapi-keytab`` option
+or by setting both the ``tkey-gssapi-credential`` and
+``tkey-domain`` options. Once enabled, Kerberos-signed requests are
+matched against the update policies for the zone, using the Kerberos
+principal as the signer for the request.
+
+Updating of secure zones (zones using DNSSEC) follows :rfc:`3007`: RRSIG,
+NSEC, and NSEC3 records affected by updates are automatically regenerated
+by the server using an online zone key. Update authorization is based on
+transaction signatures and an explicit server policy.
+
+.. _journal:
+
+The Journal File
+~~~~~~~~~~~~~~~~
+
+All changes made to a zone using dynamic update are stored in the zone's
+journal file. This file is automatically created by the server when the
+first dynamic update takes place. The name of the journal file is formed
+by appending the extension ``.jnl`` to the name of the corresponding
+zone file unless specifically overridden. The journal file is in a
+binary format and should not be edited manually.
+
+The server also occasionally writes ("dumps") the complete contents
+of the updated zone to its zone file. This is not done immediately after
+each dynamic update because that would be too slow when a large zone is
+updated frequently. Instead, the dump is delayed by up to 15 minutes,
+allowing additional updates to take place. During the dump process,
+transient files are created with the extensions ``.jnw`` and
+``.jbk``; under ordinary circumstances, these are removed when the
+dump is complete, and can be safely ignored.
+
+When a server is restarted after a shutdown or crash, it replays the
+journal file to incorporate into the zone any updates that took place
+after the last zone dump.
+
+Changes that result from incoming incremental zone transfers are also
+journaled in a similar way.
+
+The zone files of dynamic zones cannot normally be edited by hand
+because they are not guaranteed to contain the most recent dynamic
+changes; those are only in the journal file. The only way to ensure
+that the zone file of a dynamic zone is up-to-date is to run
+``rndc stop``.
+
+To make changes to a dynamic zone manually, follow these steps:
+first, disable dynamic updates to the zone using
+``rndc freeze zone``. This updates the zone file with the
+changes stored in its ``.jnl`` file. Then, edit the zone file. Finally, run
+``rndc thaw zone`` to reload the changed zone and re-enable dynamic
+updates.
+
+``rndc sync zone`` updates the zone file with changes from the
+journal file without stopping dynamic updates; this may be useful for
+viewing the current zone state. To remove the ``.jnl`` file after
+updating the zone file, use ``rndc sync -clean``.
+
+.. _incremental_zone_transfers:
+
+Incremental Zone Transfers (IXFR)
+---------------------------------
+
+The incremental zone transfer (IXFR) protocol is a way for secondary servers
+to transfer only changed data, instead of having to transfer an entire
+zone. The IXFR protocol is specified in :rfc:`1995`.
+
+When acting as a primary server, BIND 9 supports IXFR for those zones where the
+necessary change history information is available. These include primary
+zones maintained by dynamic update and secondary zones whose data was
+obtained by IXFR. For manually maintained primary zones, and for secondary
+zones obtained by performing a full zone transfer (AXFR), IXFR is
+supported only if the option ``ixfr-from-differences`` is set to
+``yes``.
+
+When acting as a secondary server, BIND 9 attempts to use IXFR unless it is
+explicitly disabled. For more information about disabling IXFR, see the
+description of the ``request-ixfr`` clause of the ``server`` statement.
+
+When a secondary server receives a zone via AXFR, it creates a new copy of the
+zone database and then swaps it into place; during the loading process, queries
+continue to be served from the old database with no interference. When receiving
+a zone via IXFR, however, changes are applied to the running zone, which may
+degrade query performance during the transfer. If a server receiving an IXFR
+request determines that the response size would be similar in size to an AXFR
+response, it may wish to send AXFR instead. The threshold at which this
+determination is made can be configured using the
+``max-ixfr-ratio`` option.
+
+.. _split_dns:
+
+Split DNS
+---------
+
+Setting up different views of the DNS space to internal
+and external resolvers is usually referred to as a *split DNS* setup.
+There are several reasons an organization might want to set up its DNS
+this way.
+
+One common reason to use split DNS is to hide
+"internal" DNS information from "external" clients on the Internet.
+There is some debate as to whether this is actually useful.
+Internal DNS information leaks out in many ways (via email headers, for
+example) and most savvy "attackers" can find the information they need
+using other means. However, since listing addresses of internal servers
+that external clients cannot possibly reach can result in connection
+delays and other annoyances, an organization may choose to use split
+DNS to present a consistent view of itself to the outside world.
+
+Another common reason for setting up a split DNS system is to allow
+internal networks that are behind filters or in :rfc:`1918` space (reserved
+IP space, as documented in :rfc:`1918`) to resolve DNS on the Internet.
+Split DNS can also be used to allow mail from outside back into the
+internal network.
+
+.. _split_dns_sample:
+
+Example Split DNS Setup
+~~~~~~~~~~~~~~~~~~~~~~~
+
+Let's say a company named *Example, Inc.* (``example.com``) has several
+corporate sites that have an internal network with reserved Internet
+Protocol (IP) space and an external demilitarized zone (DMZ), or
+"outside" section of a network, that is available to the public.
+
+Example, Inc. wants its internal clients to be able to resolve
+external hostnames and to exchange mail with people on the outside. The
+company also wants its internal resolvers to have access to certain
+internal-only zones that are not available at all outside of the
+internal network.
+
+To accomplish this, the company sets up two sets of name
+servers. One set is on the inside network (in the reserved IP
+space) and the other set is on bastion hosts, which are "proxy"
+hosts in the DMZ that can talk to both sides of its network.
+
+The internal servers are configured to forward all queries, except
+queries for ``site1.internal``, ``site2.internal``,
+``site1.example.com``, and ``site2.example.com``, to the servers in the
+DMZ. These internal servers have complete sets of information for
+``site1.example.com``, ``site2.example.com``, ``site1.internal``, and
+``site2.internal``.
+
+To protect the ``site1.internal`` and ``site2.internal`` domains, the
+internal name servers must be configured to disallow all queries to
+these domains from any external hosts, including the bastion hosts.
+
+The external servers, which are on the bastion hosts, are configured
+to serve the "public" version of the ``site1.example.com`` and ``site2.example.com``
+zones. This could include things such as the host records for public
+servers (``www.example.com`` and ``ftp.example.com``) and mail exchange
+(MX) records (``a.mx.example.com`` and ``b.mx.example.com``).
+
+In addition, the public ``site1.example.com`` and ``site2.example.com`` zones should
+have special MX records that contain wildcard (``*``) records pointing to
+the bastion hosts. This is needed because external mail servers
+have no other way of determining how to deliver mail to those internal
+hosts. With the wildcard records, the mail is delivered to the
+bastion host, which can then forward it on to internal hosts.
+
+Here's an example of a wildcard MX record:
+
+::
+
+   *   IN MX 10 external1.example.com.
+
+Now that they accept mail on behalf of anything in the internal network,
+the bastion hosts need to know how to deliver mail to internal
+hosts. The resolvers on the bastion
+hosts need to be configured to point to the internal name servers
+for DNS resolution.
+
+Queries for internal hostnames are answered by the internal servers,
+and queries for external hostnames are forwarded back out to the DNS
+servers on the bastion hosts.
+
+For all of this to work properly, internal clients need to be
+configured to query *only* the internal name servers for DNS queries.
+This could also be enforced via selective filtering on the network.
+
+If everything has been set properly, Example, Inc.'s internal clients
+are now able to:
+
+-  Look up any hostnames in the ``site1.example.com`` and ``site2.example.com``
+   zones.
+
+-  Look up any hostnames in the ``site1.internal`` and
+   ``site2.internal`` domains.
+
+-  Look up any hostnames on the Internet.
+
+-  Exchange mail with both internal and external users.
+
+Hosts on the Internet are able to:
+
+-  Look up any hostnames in the ``site1.example.com`` and ``site2.example.com``
+   zones.
+
+-  Exchange mail with anyone in the ``site1.example.com`` and ``site2.example.com``
+   zones.
+
+Here is an example configuration for the setup just described above.
+Note that this is only configuration information; for information on how
+to configure the zone files, see :ref:`sample_configuration`.
+
+Internal DNS server config:
+
+::
+
+
+   acl internals { 172.16.72.0/24; 192.168.1.0/24; };
+
+   acl externals { bastion-ips-go-here; };
+
+   options {
+       ...
+       ...
+       forward only;
+       // forward to external servers
+       forwarders {
+       bastion-ips-go-here;
+       };
+       // sample allow-transfer (no one)
+       allow-transfer { none; };
+       // restrict query access
+       allow-query { internals; externals; };
+       // restrict recursion
+       allow-recursion { internals; };
+       ...
+       ...
+   };
+
+   // sample primary zone
+   zone "site1.example.com" {
+     type primary;
+     file "m/site1.example.com";
+     // do normal iterative resolution (do not forward)
+     forwarders { };
+     allow-query { internals; externals; };
+     allow-transfer { internals; };
+   };
+
+   // sample secondary zone
+   zone "site2.example.com" {
+     type secondary;
+     file "s/site2.example.com";
+     primaries { 172.16.72.3; };
+     forwarders { };
+     allow-query { internals; externals; };
+     allow-transfer { internals; };
+   };
+
+   zone "site1.internal" {
+     type primary;
+     file "m/site1.internal";
+     forwarders { };
+     allow-query { internals; };
+     allow-transfer { internals; }
+   };
+
+   zone "site2.internal" {
+     type secondary;
+     file "s/site2.internal";
+     primaries { 172.16.72.3; };
+     forwarders { };
+     allow-query { internals };
+     allow-transfer { internals; }
+   };
+
+External (bastion host) DNS server configuration:
+
+::
+
+   acl internals { 172.16.72.0/24; 192.168.1.0/24; };
+
+   acl externals { bastion-ips-go-here; };
+
+   options {
+     ...
+     ...
+     // sample allow-transfer (no one)
+     allow-transfer { none; };
+     // default query access
+     allow-query { any; };
+     // restrict cache access
+     allow-query-cache { internals; externals; };
+     // restrict recursion
+     allow-recursion { internals; externals; };
+     ...
+     ...
+   };
+
+   // sample secondary zone
+   zone "site1.example.com" {
+     type primary;
+     file "m/site1.foo.com";
+     allow-transfer { internals; externals; };
+   };
+
+   zone "site2.example.com" {
+     type secondary;
+     file "s/site2.foo.com";
+     masters { another_bastion_host_maybe; };
+     allow-transfer { internals; externals; }
+   };
+
+In the ``resolv.conf`` (or equivalent) on the bastion host(s):
+
+::
+
+   search ...
+   nameserver 172.16.72.2
+   nameserver 172.16.72.3
+   nameserver 172.16.72.4
+
+.. _tsig:
+
+TSIG
+----
+
+TSIG (Transaction SIGnatures) is a mechanism for authenticating DNS
+messages, originally specified in :rfc:`2845`. It allows DNS messages to be
+cryptographically signed using a shared secret. TSIG can be used in any
+DNS transaction, as a way to restrict access to certain server functions
+(e.g., recursive queries) to authorized clients when IP-based access
+control is insufficient or needs to be overridden, or as a way to ensure
+message authenticity when it is critical to the integrity of the server,
+such as with dynamic UPDATE messages or zone transfers from a primary to
+a secondary server.
+
+This section is a guide to setting up TSIG in BIND. It describes the
+configuration syntax and the process of creating TSIG keys.
+
+``named`` supports TSIG for server-to-server communication, and some of
+the tools included with BIND support it for sending messages to
+``named``:
+
+   * :ref:`man_nsupdate` supports TSIG via the ``-k``, ``-l``, and ``-y`` command-line options, or via the ``key`` command when running interactively.
+   * :ref:`man_dig` supports TSIG via the ``-k`` and ``-y`` command-line options.
+
+Generating a Shared Key
+~~~~~~~~~~~~~~~~~~~~~~~
+
+TSIG keys can be generated using the ``tsig-keygen`` command; the output
+of the command is a ``key`` directive suitable for inclusion in
+``named.conf``. The key name, algorithm, and size can be specified by
+command-line parameters; the defaults are "tsig-key", HMAC-SHA256, and
+256 bits, respectively.
+
+Any string which is a valid DNS name can be used as a key name. For
+example, a key to be shared between servers called ``host1`` and ``host2``
+could be called "host1-host2.", and this key can be generated using:
+
+::
+
+     $ tsig-keygen host1-host2. > host1-host2.key
+
+This key may then be copied to both hosts. The key name and secret must
+be identical on both hosts. (Note: copying a shared secret from one
+server to another is beyond the scope of the DNS. A secure transport
+mechanism should be used: secure FTP, SSL, ssh, telephone, encrypted
+email, etc.)
+
+``tsig-keygen`` can also be run as ``ddns-confgen``, in which case its
+output includes additional configuration text for setting up dynamic DNS
+in ``named``. See :ref:`man_ddns-confgen` for details.
+
+Loading a New Key
+~~~~~~~~~~~~~~~~~
+
+For a key shared between servers called ``host1`` and ``host2``, the
+following could be added to each server's ``named.conf`` file:
+
+::
+
+   key "host1-host2." {
+       algorithm hmac-sha256;
+       secret "DAopyf1mhCbFVZw7pgmNPBoLUq8wEUT7UuPoLENP2HY=";
+   };
+
+(This is the same key generated above using ``tsig-keygen``.)
+
+Since this text contains a secret, it is recommended that either
+``named.conf`` not be world-readable, or that the ``key`` directive be
+stored in a file which is not world-readable and which is included in
+``named.conf`` via the ``include`` directive.
+
+Once a key has been added to ``named.conf`` and the server has been
+restarted or reconfigured, the server can recognize the key. If the
+server receives a message signed by the key, it is able to verify
+the signature. If the signature is valid, the response is signed
+using the same key.
+
+TSIG keys that are known to a server can be listed using the command
+``rndc tsig-list``.
+
+Instructing the Server to Use a Key
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+A server sending a request to another server must be told whether to use
+a key, and if so, which key to use.
+
+For example, a key may be specified for each server in the ``primaries``
+statement in the definition of a secondary zone; in this case, all SOA QUERY
+messages, NOTIFY messages, and zone transfer requests (AXFR or IXFR)
+are signed using the specified key. Keys may also be specified in
+the ``also-notify`` statement of a primary or secondary zone, causing NOTIFY
+messages to be signed using the specified key.
+
+Keys can also be specified in a ``server`` directive. Adding the
+following on ``host1``, if the IP address of ``host2`` is 10.1.2.3, would
+cause *all* requests from ``host1`` to ``host2``, including normal DNS
+queries, to be signed using the ``host1-host2.`` key:
+
+::
+
+   server 10.1.2.3 {
+       keys { host1-host2. ;};
+   };
+
+Multiple keys may be present in the ``keys`` statement, but only the
+first one is used. As this directive does not contain secrets, it can be
+used in a world-readable file.
+
+Requests sent by ``host2`` to ``host1`` would *not* be signed, unless a
+similar ``server`` directive were in ``host2``'s configuration file.
+
+When any server sends a TSIG-signed DNS request, it expects the
+response to be signed with the same key. If a response is not signed, or
+if the signature is not valid, the response is rejected.
+
+TSIG-Based Access Control
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+TSIG keys may be specified in ACL definitions and ACL directives such as
+``allow-query``, ``allow-transfer``, and ``allow-update``. The above key
+would be denoted in an ACL element as ``key host1-host2.``
+
+Here is an example of an ``allow-update`` directive using a TSIG key:
+
+::
+
+   allow-update { !{ !localnets; any; }; key host1-host2. ;};
+
+This allows dynamic updates to succeed only if the UPDATE request comes
+from an address in ``localnets``, *and* if it is signed using the
+``host1-host2.`` key.
+
+See :ref:`dynamic_update_policies` for a
+discussion of the more flexible ``update-policy`` statement.
+
+Errors
+~~~~~~
+
+Processing of TSIG-signed messages can result in several errors:
+
+-  If a TSIG-aware server receives a message signed by an unknown key,
+   the response will be unsigned, with the TSIG extended error code set
+   to BADKEY.
+-  If a TSIG-aware server receives a message from a known key but with
+   an invalid signature, the response will be unsigned, with the TSIG
+   extended error code set to BADSIG.
+-  If a TSIG-aware server receives a message with a time outside of the
+   allowed range, the response will be signed but the TSIG extended
+   error code set to BADTIME, and the time values will be adjusted so
+   that the response can be successfully verified.
+
+In all of the above cases, the server returns a response code of
+NOTAUTH (not authenticated).
+
+TKEY
+----
+
+TKEY (Transaction KEY) is a mechanism for automatically negotiating a
+shared secret between two hosts, originally specified in :rfc:`2930`.
+
+There are several TKEY "modes" that specify how a key is to be generated
+or assigned. BIND 9 implements only one of these modes: Diffie-Hellman
+key exchange. Both hosts are required to have a KEY record with
+algorithm DH (though this record is not required to be present in a
+zone).
+
+The TKEY process is initiated by a client or server by sending a query
+of type TKEY to a TKEY-aware server. The query must include an
+appropriate KEY record in the additional section, and must be signed
+using either TSIG or SIG(0) with a previously established key. The
+server's response, if successful, contains a TKEY record in its
+answer section. After this transaction, both participants have
+enough information to calculate a shared secret using Diffie-Hellman key
+exchange. The shared secret can then be used to sign subsequent
+transactions between the two servers.
+
+TSIG keys known by the server, including TKEY-negotiated keys, can be
+listed using ``rndc tsig-list``.
+
+TKEY-negotiated keys can be deleted from a server using
+``rndc tsig-delete``. This can also be done via the TKEY protocol
+itself, by sending an authenticated TKEY query specifying the "key
+deletion" mode.
+
+SIG(0)
+------
+
+BIND partially supports DNSSEC SIG(0) transaction signatures as
+specified in :rfc:`2535` and :rfc:`2931`. SIG(0) uses public/private keys to
+authenticate messages. Access control is performed in the same manner as with
+TSIG keys; privileges can be granted or denied in ACL directives based
+on the key name.
+
+When a SIG(0) signed message is received, it is only verified if
+the key is known and trusted by the server. The server does not attempt
+to recursively fetch or validate the key.
+
+SIG(0) signing of multiple-message TCP streams is not supported.
+
+The only tool shipped with BIND 9 that generates SIG(0) signed messages
+is ``nsupdate``.
+
+.. include:: managed-keys.rst
+.. include:: pkcs11.rst
+.. include:: dlz.rst
+.. include:: dyndb.rst
+.. include:: catz.rst
+
+.. _ipv6:
+
+IPv6 Support in BIND 9
+----------------------
+
+BIND 9 fully supports all currently defined forms of IPv6 name-to-address
+and address-to-name lookups. It also uses IPv6 addresses to
+make queries when running on an IPv6-capable system.
+
+For forward lookups, BIND 9 supports only AAAA records. :rfc:`3363`
+deprecated the use of A6 records, and client-side support for A6 records
+was accordingly removed from BIND 9. However, authoritative BIND 9 name
+servers still load zone files containing A6 records correctly, answer
+queries for A6 records, and accept zone transfer for a zone containing
+A6 records.
+
+For IPv6 reverse lookups, BIND 9 supports the traditional "nibble"
+format used in the ``ip6.arpa`` domain, as well as the older, deprecated
+``ip6.int`` domain. Older versions of BIND 9 supported the "binary label"
+(also known as "bitstring") format, but support of binary labels has
+been completely removed per :rfc:`3363`. Many applications in BIND 9 do not
+understand the binary label format at all anymore, and return an
+error if one is given. In particular, an authoritative BIND 9 name server will
+not load a zone file containing binary labels.
+
+Address Lookups Using AAAA Records
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The IPv6 AAAA record is a parallel to the IPv4 A record, and, unlike the
+deprecated A6 record, specifies the entire IPv6 address in a single
+record. For example:
+
+::
+
+   $ORIGIN example.com.
+   host            3600    IN      AAAA    2001:db8::1
+
+Use of IPv4-in-IPv6 mapped addresses is not recommended. If a host has
+an IPv4 address, use an A record, not a AAAA, with
+``::ffff:192.168.42.1`` as the address.
+
+Address-to-Name Lookups Using Nibble Format
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+When looking up an address in nibble format, the address components are
+simply reversed, just as in IPv4, and ``ip6.arpa.`` is appended to the
+resulting name. For example, the following commands produce a reverse name
+lookup for a host with address ``2001:db8::1``:
+
+::
+
+   $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
+   1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0  14400   IN    PTR    (
+                       host.example.com. )
diff --git a/doc/arm/build.rst b/doc/arm/build.rst
new file mode 100644
index 0000000..7c266c9
--- /dev/null
+++ b/doc/arm/build.rst
@@ -0,0 +1,199 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Building BIND 9
+---------------
+
+To build on a Unix or Linux system, use:
+
+::
+
+       $ ./configure
+       $ make
+
+Several environment variables affect compilation, and they can be set
+before running ``configure``. The most significant ones are:
+
++--------------------+-------------------------------------------------+
+| Variable           | Description                                     |
++====================+=================================================+
+| ``CC``             | The C compiler to use. ``configure`` tries to   |
+|                    | figure out the right one for supported systems. |
++--------------------+-------------------------------------------------+
+| ``CFLAGS``         | The C compiler flags. Defaults to include -g    |
+|                    | and/or -O2 as supported by the compiler. Please |
+|                    | include ``-g`` if ``CFLAGS`` needs to be set.   |
++--------------------+-------------------------------------------------+
+| ``STD_CINCLUDES``  | System header file directories. Can be used to  |
+|                    | specify where add-on thread or IPv6 support is, |
+|                    | for example. Defaults to empty string.          |
++--------------------+-------------------------------------------------+
+| ``STD_CDEFINES``   | Any additional preprocessor symbols you want    |
+|                    | defined. Defaults to empty string. For a list   |
+|                    | of possible settings, see the file              |
+|                    | `OPTIONS <OPTIONS.md>`__.                       |
++--------------------+-------------------------------------------------+
+| ``LDFLAGS``        | The linker flags. Defaults to an empty string.  |
++--------------------+-------------------------------------------------+
+| ``BUILD_CC``       | Needed when cross-compiling: the native C       |
+|                    | compiler to use when building for the target    |
+|                    | system.                                         |
++--------------------+-------------------------------------------------+
+| ``BUILD_CFLAGS``   | ``CFLAGS`` for the target system during         |
+|                    | cross-compiling.                                |
++--------------------+-------------------------------------------------+
+| ``BUILD_CPPFLAGS`` | ``CPPFLAGS`` for the target system during       |
+|                    | cross-compiling.                                |
++--------------------+-------------------------------------------------+
+| ``BUILD_LDFLAGS``  | ``LDFLAGS`` for the target system during        |
+|                    | cross-compiling.                                |
++--------------------+-------------------------------------------------+
+| ``BUILD_LIBS``     | ``LIBS`` for the target system during           |
+|                    | cross-compiling.                                |
++--------------------+-------------------------------------------------+
+
+Additional environment variables affecting the build are listed at the
+end of the ``configure`` help text, which can be obtained by running the
+command:
+
+::
+
+    $ ./configure --help
+
+If you’re planning on making changes to the BIND 9 source, you should
+run ``make depend``. If you’re using Emacs, you might find ``make tags`` helpful.
+
+.. _build_dependencies:
+
+Required Libraries
+~~~~~~~~~~~~~~~~~~
+
+To build BIND 9, the following packages must be installed:
+
+- ``libcrypto``, ``libssl``
+- ``libuv``
+- ``perl``
+- ``pkg-config`` / ``pkgconfig`` / ``pkgconf``
+
+BIND 9.16 requires ``libuv`` 1.0.0 or higher, using ``libuv`` >= 1.40.0
+is recommended. Compiling or running with ``libuv`` 1.35.0 or 1.36.0 is
+not supported, as this could lead to an assertion failure in the UDP
+receive code. On older systems, an updated ``libuv`` package needs to be
+installed from sources such as EPEL, PPA, or other native sources. The
+other option is to build and install ``libuv`` from source.
+
+OpenSSL 1.0.2e or newer is required. If the OpenSSL library is installed
+in a nonstandard location, specify the prefix using
+``--with-openssl=<PREFIX>`` on the ``configure`` command line.
+
+Portions of BIND that are written in Python, including
+``dnssec-keymgr``, ``dnssec-coverage``, ``dnssec-checkds``, and some of
+the system tests, require the ``argparse``, ``ply`` and
+``distutils.core`` modules to be available. ``argparse`` is a standard
+module as of Python 2.7 and Python 3.2. ``ply`` is available from
+https://pypi.python.org/pypi/ply. ``distutils.core`` is required for
+installation.
+
+Optional Features
+~~~~~~~~~~~~~~~~~
+
+To see a full list of configuration options, run ``configure --help``.
+
+To build shared libraries, specify ``--with-libtool`` on the
+``configure`` command line.
+
+To support the HTTP statistics channel, the server must be linked with
+at least one of the following libraries: ``libxml2``
+(http://xmlsoft.org) or ``json-c`` (https://github.com/json-c/json-c).
+If these are installed at a nonstandard location, then:
+
+- for ``libxml2``, specify the prefix using ``--with-libxml2=/prefix``,
+- for ``json-c``, adjust ``PKG_CONFIG_PATH``.
+
+To support compression on the HTTP statistics channel, the server must
+be linked against ``zlib`` (https://zlib.net/). If this is installed in
+a nonstandard location, specify the prefix using
+``--with-zlib=/prefix``.
+
+To support storing configuration data for runtime-added zones in an LMDB
+database, the server must be linked with ``liblmdb``
+(https://github.com/LMDB/lmdb). If this is installed in a nonstandard
+location, specify the prefix using ``--with-lmdb=/prefix``.
+
+To support MaxMind GeoIP2 location-based ACLs, the server must be linked
+with ``libmaxminddb`` (https://maxmind.github.io/libmaxminddb/). This is
+turned on by default if the library is found; if the library is
+installed in a nonstandard location, specify the prefix using
+``--with-maxminddb=/prefix``. GeoIP2 support can be switched off with
+``--disable-geoip``.
+
+For DNSTAP packet logging, ``libfstrm``
+(https://github.com/farsightsec/fstrm) and ``libprotobuf-c``
+(https://developers.google.com/protocol-buffers) must be installed, and
+BIND must be configured with ``--enable-dnstap``.
+
+To support internationalized domain names in ``dig``, ``libidn2``
+(https://www.gnu.org/software/libidn/#libidn2) must be installed. If the
+library is installed in a nonstandard location, specify the prefix using
+``--with-libidn2=/prefix`` or adjust ``PKG_CONFIG_PATH``.
+
+For line editing in ``nsupdate`` and ``nslookup``, either the
+``readline`` (https://tiswww.case.edu/php/chet/readline/rltop.html) or
+the ``libedit`` library (https://www.thrysoee.dk/editline/) must be
+installed. If these are installed at a nonstandard location, adjust
+``PKG_CONFIG_PATH``. ``readline`` is used by default, and ``libedit``
+can be explicitly requested using ``--with-readline=libedit``.
+
+Certain compiled-in constants and default settings can be decreased to
+values better suited to small machines, e.g. OpenWRT boxes, by
+specifying ``--with-tuning=small`` on the ``configure`` command line.
+This decreases memory usage by using smaller structures, but degrades
+performance.
+
+On Linux, process capabilities are managed in user space using the
+``libcap`` library
+(https://git.kernel.org/pub/scm/libs/libcap/libcap.git/), which can be
+installed on most Linux systems via the ``libcap-dev`` or
+``libcap-devel`` package. Process capability support can also be
+disabled by configuring with ``--disable-linux-caps``.
+
+On some platforms it is necessary to explicitly request large file
+support to handle files bigger than 2GB. This can be done by using
+``--enable-largefile`` on the ``configure`` command line.
+
+Support for the “fixed� RRset-order option can be enabled or disabled by
+specifying ``--enable-fixed-rrset`` or ``--disable-fixed-rrset`` on the
+``configure`` command line. By default, fixed RRset-order is disabled to
+reduce memory footprint.
+
+The ``--enable-querytrace`` option causes ``named`` to log every step
+while processing every query. This option should only be enabled when
+debugging because is has a significant negative impact on query
+performance.
+
+``make install`` installs ``named`` and the various BIND 9 libraries. By
+default, installation is into /usr/local, but this can be changed with
+the ``--prefix`` option when running ``configure``.
+
+The option ``--sysconfdir`` can be specified to set the directory where
+configuration files such as ``named.conf`` go by default;
+``--localstatedir`` can be used to set the default parent directory of
+``run/named.pid``. ``--sysconfdir`` defaults to ``$prefix/etc`` and
+``--localstatedir`` defaults to ``$prefix/var``.
+
+macOS
+~~~~~
+
+Building on macOS assumes that the “Command Tools for Xcode� are
+installed. These can be downloaded from
+https://developer.apple.com/download/more/ or, if Xcode is already
+installed, simply run ``xcode-select --install``. (Note that an Apple ID
+may be required to access the download page.)
diff --git a/doc/arm/catz.rst b/doc/arm/catz.rst
new file mode 100644
index 0000000..177a562
--- /dev/null
+++ b/doc/arm/catz.rst
@@ -0,0 +1,241 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. _catz-info:
+
+Catalog Zones
+-------------
+
+A "catalog zone" is a special DNS zone that contains a list of other
+zones to be served, along with their configuration parameters. Zones
+listed in a catalog zone are called "member zones." When a catalog zone
+is loaded or transferred to a secondary server which supports this
+functionality, the secondary server creates the member zones
+automatically. When the catalog zone is updated (for example, to add or
+delete member zones, or change their configuration parameters), those
+changes are immediately put into effect. Because the catalog zone is a
+normal DNS zone, these configuration changes can be propagated using the
+standard AXFR/IXFR zone transfer mechanism.
+
+Catalog zones' format and behavior are specified as an Internet draft
+for interoperability among DNS implementations. The
+latest revision of the DNS catalog zones draft can be found here:
+https://datatracker.ietf.org/doc/draft-toorop-dnsop-dns-catalog-zones/ .
+
+Principle of Operation
+~~~~~~~~~~~~~~~~~~~~~~
+
+Normally, if a zone is to be served by a secondary server, the
+``named.conf`` file on the server must list the zone, or the zone must
+be added using ``rndc addzone``. In environments with a large number of
+secondary servers, and/or where the zones being served are changing
+frequently, the overhead involved in maintaining consistent zone
+configuration on all the secondary servers can be significant.
+
+A catalog zone is a way to ease this administrative burden: it is a DNS
+zone that lists member zones that should be served by secondary servers.
+When a secondary server receives an update to the catalog zone, it adds,
+removes, or reconfigures member zones based on the data received.
+
+To use a catalog zone, it must first be set up as a normal zone on both the
+primary and secondary servers that are configured to use it. It
+must also be added to a ``catalog-zones`` list in the ``options`` or
+``view`` statement in ``named.conf``. This is comparable to the way a
+policy zone is configured as a normal zone and also listed in a
+``response-policy`` statement.
+
+To use the catalog zone feature to serve a new member zone:
+
+-  Set up the member zone to be served on the primary as normal. This
+   can be done by editing ``named.conf`` or by running
+   ``rndc addzone``.
+
+-  Add an entry to the catalog zone for the new member zone. This can
+   be done by editing the catalog zone's zone file and running
+   ``rndc reload``, or by updating the zone using ``nsupdate``.
+
+The change to the catalog zone is propagated from the primary to all
+secondaries using the normal AXFR/IXFR mechanism. When the secondary receives the
+update to the catalog zone, it detects the entry for the new member
+zone, creates an instance of that zone on the secondary server, and points
+that instance to the ``masters`` specified in the catalog zone data. The
+newly created member zone is a normal secondary zone, so BIND
+immediately initiates a transfer of zone contents from the primary. Once
+complete, the secondary starts serving the member zone.
+
+Removing a member zone from a secondary server requires only
+deleting the member zone's entry in the catalog zone; the change to the
+catalog zone is propagated to the secondary server using the normal
+AXFR/IXFR transfer mechanism. The secondary server, on processing the
+update, notices that the member zone has been removed, stops
+serving the zone, and removes it from its list of configured zones.
+However, removing the member zone from the primary server must be done
+by editing the configuration file or running
+``rndc delzone``.
+
+Configuring Catalog Zones
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Catalog zones are configured with a ``catalog-zones`` statement in the
+``options`` or ``view`` section of ``named.conf``. For example:
+
+::
+
+   catalog-zones {
+       zone "catalog.example"
+            default-masters { 10.53.0.1; }
+            in-memory no
+            zone-directory "catzones"
+            min-update-interval 10;
+   };
+
+This statement specifies that the zone ``catalog.example`` is a catalog
+zone. This zone must be properly configured in the same view. In most
+configurations, it would be a secondary zone.
+
+The options following the zone name are not required, and may be
+specified in any order.
+
+``default-masters``
+   This option defines the default primaries for member
+   zones listed in a catalog zone, and can be overridden by options within
+   a catalog zone. If no such options are included, then member zones
+   transfer their contents from the servers listed in this option.
+
+``in-memory``
+   This option, if set to ``yes``, causes member zones to be
+   stored only in memory. This is functionally equivalent to configuring a
+   secondary zone without a ``file`` option. The default is ``no``; member
+   zones' content is stored locally in a file whose name is
+   automatically generated from the view name, catalog zone name, and
+   member zone name.
+
+``zone-directory``
+   This option causes local copies of member zones' zone files to be
+   stored in the specified directory, if ``in-memory`` is not set to
+   ``yes``. The default is to store zone files in the server's working
+   directory. A non-absolute pathname in ``zone-directory`` is assumed
+   to be relative to the working directory.
+
+``min-update-interval``
+   This option sets the minimum interval between updates to catalog
+   zones, in seconds. If an update to a catalog zone (for example, via
+   IXFR) happens less than ``min-update-interval`` seconds after the
+   most recent update, the changes are not carried out until this
+   interval has elapsed. The default is 5 seconds.
+
+Catalog zones are defined on a per-view basis. Configuring a non-empty
+``catalog-zones`` statement in a view automatically turns on
+``allow-new-zones`` for that view. This means that ``rndc addzone``
+and ``rndc delzone`` also work in any view that supports catalog
+zones.
+
+Catalog Zone Format
+~~~~~~~~~~~~~~~~~~~
+
+A catalog zone is a regular DNS zone; therefore, it must have a single
+``SOA`` and at least one ``NS`` record.
+
+A record stating the version of the catalog zone format is also
+required. If the version number listed is not supported by the server,
+then a catalog zone may not be used by that server.
+
+::
+
+   catalog.example.    IN SOA . . 2016022901 900 600 86400 1
+   catalog.example.    IN NS nsexample.
+   version.catalog.example.    IN TXT "1"
+
+Note that this record must have the domain name
+``version.catalog-zone-name``. The data
+stored in a catalog zone is indicated by the domain name label
+immediately before the catalog zone domain.
+
+Catalog zone options can be set either globally for the whole catalog
+zone or for a single member zone. Global options override the settings
+in the configuration file, and member zone options override global
+options.
+
+Global options are set at the apex of the catalog zone, e.g.:
+
+::
+
+    masters.catalog.example.    IN AAAA 2001:db8::1
+
+BIND currently supports the following options:
+
+-  A simple ``masters`` definition:
+
+   ::
+
+           masters.catalog.example.    IN A 192.0.2.1
+
+
+   This option defines a primary server for the member zones, which can be
+   either an A or AAAA record. If multiple primaries are set, the order in
+   which they are used is random.
+
+-  A ``masters`` with a TSIG key defined:
+
+   ::
+
+               label.masters.catalog.example.     IN A 192.0.2.2
+               label.masters.catalog.example.     IN TXT "tsig_key_name"
+
+
+   This option defines a primary server for the member zone with a TSIG
+   key set. The TSIG key must be configured in the configuration file.
+   ``label`` can be any valid DNS label.
+
+-  ``allow-query`` and ``allow-transfer`` ACLs:
+
+   ::
+
+               allow-query.catalog.example.   IN APL 1:10.0.0.1/24
+               allow-transfer.catalog.example.    IN APL !1:10.0.0.1/32 1:10.0.0.0/24
+
+
+   These options are the equivalents of ``allow-query`` and
+   ``allow-transfer`` in a zone declaration in the ``named.conf``
+   configuration file. The ACL is processed in order; if there is no
+   match to any rule, the default policy is to deny access. For the
+   syntax of the APL RR, see :rfc:`3123`.
+
+A member zone is added by including a ``PTR`` resource record in the
+``zones`` sub-domain of the catalog zone. The record label is a
+``SHA-1`` hash of the member zone name in wire format. The target of the
+PTR record is the member zone name. For example, to add the member zone
+``domain.example``:
+
+::
+
+   5960775ba382e7a4e09263fc06e7c00569b6a05c.zones.catalog.example. IN PTR domain.example.
+
+The hash is necessary to identify options for a specific member zone.
+The member zone-specific options are defined the same way as global
+options, but in the member zone subdomain:
+
+::
+
+   masters.5960775ba382e7a4e09263fc06e7c00569b6a05c.zones.catalog.example. IN A 192.0.2.2
+   label.masters.5960775ba382e7a4e09263fc06e7c00569b6a05c.zones.catalog.example. IN AAAA 2001:db8::2
+   label.masters.5960775ba382e7a4e09263fc06e7c00569b6a05c.zones.catalog.example. IN TXT "tsig_key"
+   allow-query.5960775ba382e7a4e09263fc06e7c00569b6a05c.zones.catalog.example. IN APL 1:10.0.0.0/24
+
+Options defined for a specific zone override the
+global options defined in the catalog zone. These in turn override the
+global options defined in the ``catalog-zones`` statement in the
+configuration file.
+
+Note that none of the global records for an option are inherited if any
+records are defined for that option for the specific zone. For example,
+if the zone had a ``masters`` record of type A but not AAAA, it
+would *not* inherit the type AAAA record from the global option.
diff --git a/doc/arm/conf.py b/doc/arm/conf.py
new file mode 100644
index 0000000..ba52bed
--- /dev/null
+++ b/doc/arm/conf.py
@@ -0,0 +1,188 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import re
+
+from typing import List, Tuple
+
+from docutils import nodes
+from docutils.nodes import Node, system_message
+from docutils.parsers.rst import roles
+
+from sphinx import addnodes
+
+try:
+    from sphinx.util.docutils import ReferenceRole
+except ImportError:
+    # pylint: disable=too-few-public-methods
+    class ReferenceRole(roles.GenericRole):
+        """
+        The ReferenceRole class (used as a base class by GitLabRefRole
+        below) is only defined in Sphinx >= 2.0.0.  For older Sphinx
+        versions, this stub version of the ReferenceRole class is used
+        instead.
+        """
+
+        def __init__(self):
+            super().__init__("", nodes.strong)
+
+
+GITLAB_BASE_URL = "https://gitlab.isc.org/isc-projects/bind9/-/"
+
+
+# Custom Sphinx role enabling automatic hyperlinking to GitLab issues/MRs.
+class GitLabRefRole(ReferenceRole):
+    def __init__(self, base_url: str) -> None:
+        self.base_url = base_url
+        super().__init__()
+
+    def run(self) -> Tuple[List[Node], List[system_message]]:
+        gl_identifier = "[GL %s]" % self.target
+
+        target_id = "index-%s" % self.env.new_serialno("index")
+        entries = [("single", "GitLab; " + gl_identifier, target_id, "", None)]
+
+        index = addnodes.index(entries=entries)
+        target = nodes.target("", "", ids=[target_id])
+        self.inliner.document.note_explicit_target(target)
+
+        try:
+            refuri = self.build_uri()
+            reference = nodes.reference(
+                "", "", internal=False, refuri=refuri, classes=["gl"]
+            )
+            if self.has_explicit_title:
+                reference += nodes.strong(self.title, self.title)
+            else:
+                reference += nodes.strong(gl_identifier, gl_identifier)
+        except ValueError:
+            error_text = "invalid GitLab identifier %s" % self.target
+            msg = self.inliner.reporter.error(error_text, line=self.lineno)
+            prb = self.inliner.problematic(self.rawtext, self.rawtext, msg)
+            return [prb], [msg]
+
+        return [index, target, reference], []
+
+    def build_uri(self):
+        if self.target[0] == "#":
+            return self.base_url + "issues/%d" % int(self.target[1:])
+        if self.target[0] == "!":
+            return self.base_url + "merge_requests/%d" % int(self.target[1:])
+        raise ValueError
+
+
+def setup(app):
+    roles.register_local_role("gl", GitLabRefRole(GITLAB_BASE_URL))
+    app.add_crossref_type("iscman", "iscman", "pair: %s; manual page")
+    # ignore :option: references to simplify doc backports to v9_16 branch
+    app.add_role_to_domain("std", "option", roles.code_role)
+
+
+#
+# Configuration file for the Sphinx documentation builder.
+#
+# This file only contains a selection of the most common options. For a full
+# list see the documentation:
+# http://www.sphinx-doc.org/en/master/config
+
+# -- Path setup --------------------------------------------------------------
+
+# If extensions (or modules to document with autodoc) are in another directory,
+# add these directories to sys.path here. If the directory is relative to the
+# documentation root, use os.path.abspath to make it absolute, like shown here.
+#
+# import os
+# import sys
+# sys.path.insert(0, os.path.abspath('.'))
+
+
+# -- Project information -----------------------------------------------------
+
+project = "BIND 9"
+# pylint: disable=redefined-builtin
+copyright = "2023, Internet Systems Consortium"
+author = "Internet Systems Consortium"
+
+version_vars = {}
+with open("../../version", encoding="utf-8") as version_file:
+    for line in version_file:
+        match = re.match(r"(?P<key>[A-Z]+)=(?P<val>.*)", line)
+        if match:
+            version_vars[match.group("key")] = match.group("val")
+
+version = "%s.%s.%s%s%s%s" % (
+    version_vars["MAJORVER"],
+    version_vars["MINORVER"],
+    version_vars["PATCHVER"],
+    version_vars["RELEASETYPE"],
+    version_vars["RELEASEVER"],
+    version_vars["EXTENSIONS"],
+)
+release = version
+
+# -- General configuration ---------------------------------------------------
+
+# Add any Sphinx extension module names here, as strings. They can be
+# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
+# ones.
+extensions = []
+
+# Add any paths that contain templates here, relative to this directory.
+templates_path = ["_templates"]
+
+# List of patterns, relative to source directory, that match files and
+# directories to ignore when looking for source files.
+# This pattern also affects html_static_path and html_extra_path.
+exclude_patterns = [
+    "_build",
+    "Thumbs.db",
+    ".DS_Store",
+    "*.grammar.rst",
+    "*.zoneopts.rst",
+    "build.rst",
+    "catz.rst",
+    "dlz.rst",
+    "dnssec.rst",
+    "dyndb.rst",
+    "logging-categories.rst",
+    "managed-keys.rst",
+    "pkcs11.rst",
+    "platforms.rst",
+    "plugins.rst",
+]
+
+# The master toctree document.
+master_doc = "index"
+
+# -- Options for HTML output -------------------------------------------------
+
+# The theme to use for HTML and HTML Help pages.  See the documentation for
+# a list of builtin themes.
+#
+html_theme = "sphinx_rtd_theme"
+html_static_path = ["_static"]
+html_css_files = ["custom.css"]
+
+# -- Options for LaTeX output ------------------------------------------------
+latex_engine = "xelatex"
+
+# pylint disable=line-too-long
+latex_documents = [
+    (
+        master_doc,
+        "Bv9ARM.tex",
+        "BIND 9 Administrator Reference Manual",
+        author,
+        "manual",
+    ),
+]
+
+latex_logo = "isc-logo.pdf"
diff --git a/doc/arm/configuration.rst b/doc/arm/configuration.rst
new file mode 100644
index 0000000..0b8d8ec
--- /dev/null
+++ b/doc/arm/configuration.rst
@@ -0,0 +1,320 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. Configuration:
+
+Name Server Configuration
+=========================
+
+In this chapter we provide some suggested configurations, along with
+guidelines for their use. We suggest reasonable values for certain
+option settings.
+
+.. _sample_configuration:
+
+Sample Configurations
+---------------------
+
+.. _cache_only_sample:
+
+A Caching-only Name Server
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The following sample configuration is appropriate for a caching-only
+name server for use by clients internal to a corporation. All queries
+from outside clients are refused using the ``allow-query`` option.
+The same effect can be achieved using suitable firewall
+rules.
+
+::
+
+   // Two corporate subnets we wish to allow queries from.
+   acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
+   options {
+        // Working directory
+        directory "/etc/namedb";
+
+        allow-query { corpnets; };
+   };
+   // Provide a reverse mapping for the loopback
+   // address 127.0.0.1
+   zone "0.0.127.in-addr.arpa" {
+        type primary;
+        file "localhost.rev";
+        notify no;
+   };
+
+.. _auth_only_sample:
+
+An Authoritative-only Name Server
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This sample configuration is for an authoritative-only server that is
+the primary server for ``example.com`` and a secondary server for the subdomain
+``eng.example.com``.
+
+::
+
+   options {
+        // Working directory
+        directory "/etc/namedb";
+        // Do not allow access to cache
+        allow-query-cache { none; };
+        // This is the default
+        allow-query { any; };
+        // Do not provide recursive service
+        recursion no;
+   };
+
+   // Provide a reverse mapping for the loopback
+   // address 127.0.0.1
+   zone "0.0.127.in-addr.arpa" {
+        type primary;
+        file "localhost.rev";
+        notify no;
+   };
+   // We are the primary server for example.com
+   zone "example.com" {
+        type primary;
+        file "example.com.db";
+        // IP addresses of secondary servers allowed to
+        // transfer example.com
+        allow-transfer {
+         192.168.4.14;
+         192.168.5.53;
+        };
+   };
+   // We are a secondary server for eng.example.com
+   zone "eng.example.com" {
+        type secondary;
+        file "eng.example.com.bk";
+        // IP address of eng.example.com primary server
+        masters { 192.168.4.12; };
+   };
+
+.. _load_balancing:
+
+Load Balancing
+--------------
+
+A primitive form of load balancing can be achieved in the DNS by using
+multiple records (such as multiple A records) for one name.
+
+For example, assuming three HTTP servers with network addresses of
+10.0.0.1, 10.0.0.2, and 10.0.0.3, a set of records such as the following
+means that clients will connect to each machine one-third of the time:
+
++-----------+------+----------+----------+----------------------------+
+| Name      | TTL  | CLASS    | TYPE     | Resource Record (RR) Data  |
++-----------+------+----------+----------+----------------------------+
+| www       | 600  |   IN     |   A      |   10.0.0.1                 |
++-----------+------+----------+----------+----------------------------+
+|           | 600  |   IN     |   A      |   10.0.0.2                 |
++-----------+------+----------+----------+----------------------------+
+|           | 600  |   IN     |   A      |   10.0.0.3                 |
++-----------+------+----------+----------+----------------------------+
+
+When a resolver queries for these records, BIND rotates them and
+responds to the query with the records in a different order. In the
+example above, clients randomly receive records in the order 1, 2,
+3; 2, 3, 1; and 3, 1, 2. Most clients use the first record returned
+and discard the rest.
+
+For more detail on ordering responses, check the ``rrset-order``
+sub-statement in the ``options`` statement; see :ref:`rrset_ordering`.
+
+.. _ns_operations:
+
+Name Server Operations
+----------------------
+
+.. _tools:
+
+Tools for Use With the Name Server Daemon
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This section describes several indispensable diagnostic, administrative, 
+and monitoring tools available to the system administrator for
+controlling and debugging the name server daemon.
+
+.. _diagnostic_tools:
+
+Diagnostic Tools
+^^^^^^^^^^^^^^^^
+
+The ``dig``, ``host``, and ``nslookup`` programs are all command-line
+tools for manually querying name servers. They differ in style and
+output format.
+
+``dig``
+   ``dig`` is the most versatile and complete of these lookup tools. It
+   has two modes: simple interactive mode for a single query, and batch
+   mode, which executes a query for each in a list of several query
+   lines. All query options are accessible from the command line.
+
+   For more information and a list of available commands and options,
+   see :ref:`man_dig`.
+
+``host``
+   The ``host`` utility emphasizes simplicity and ease of use. By
+   default, it converts between host names and Internet addresses, but
+   its functionality can be extended with the use of options.
+
+   For more information and a list of available commands and options,
+   see :ref:`man_host`.
+
+``nslookup``
+   ``nslookup`` has two modes: interactive and non-interactive.
+   Interactive mode allows the user to query name servers for
+   information about various hosts and domains, or to print a list of
+   hosts in a domain. Non-interactive mode is used to print just the
+   name and requested information for a host or domain.
+
+   Due to its arcane user interface and frequently inconsistent
+   behavior, we do not recommend the use of ``nslookup``. Use ``dig``
+   instead.
+
+.. _admin_tools:
+
+Administrative Tools
+^^^^^^^^^^^^^^^^^^^^
+
+Administrative tools play an integral part in the management of a
+server.
+
+``named-checkconf``
+   The ``named-checkconf`` program checks the syntax of a ``named.conf``
+   file.
+
+   For more information and a list of available commands and options,
+   see :ref:`man_named-checkconf`.
+
+``named-checkzone``
+   The ``named-checkzone`` program checks a zone file for syntax and
+   consistency.
+
+   For more information and a list of available commands and options,
+   see :ref:`man_named-checkzone`.
+
+``named-compilezone``
+   This tool is similar to ``named-checkzone`` but it always dumps the zone content
+   to a specified file (typically in a different format).
+
+   For more information and a list of available commands and options,
+   see :ref:`man_named-compilezone`.
+
+``rndc``
+   The remote name daemon control (``rndc``) program allows the system
+   administrator to control the operation of a name server.
+
+   See :ref:`man_rndc` for details of the available ``rndc``
+   commands.
+
+   ``rndc`` requires a configuration file, since all communication with
+   the server is authenticated with digital signatures that rely on a
+   shared secret, and there is no way to provide that secret other than
+   with a configuration file. The default location for the ``rndc``
+   configuration file is ``/etc/rndc.conf``, but an alternate location
+   can be specified with the ``-c`` option. If the configuration file is
+   not found, ``rndc`` also looks in ``/etc/rndc.key`` (or whatever
+   ``sysconfdir`` was defined when the BIND build was configured). The
+   ``rndc.key`` file is generated by running ``rndc-confgen -a`` as
+   described in :ref:`controls_statement_definition_and_usage`.
+
+   The format of the configuration file is similar to that of
+   ``named.conf``, but is limited to only four statements: the ``options``,
+   ``key``, ``server``, and ``include`` statements. These statements are
+   what associate the secret keys to the servers with which they are
+   meant to be shared. The order of statements is not significant.
+
+   The ``options`` statement has three clauses: ``default-server``,
+   ``default-key``, and ``default-port``. ``default-server`` takes a
+   host name or address argument and represents the server that is
+   contacted if no ``-s`` option is provided on the command line.
+   ``default-key`` takes the name of a key as its argument, as defined
+   by a ``key`` statement. ``default-port`` specifies the port to which
+   ``rndc`` should connect if no port is given on the command line or in
+   a ``server`` statement.
+
+   The ``key`` statement defines a key to be used by ``rndc`` when
+   authenticating with ``named``. Its syntax is identical to the ``key``
+   statement in ``named.conf``. The keyword ``key`` is followed by a key
+   name, which must be a valid domain name, though it need not actually
+   be hierarchical; thus, a string like ``rndc_key`` is a valid name.
+   The ``key`` statement has two clauses: ``algorithm`` and ``secret``.
+   While the configuration parser accepts any string as the argument
+   to ``algorithm``, currently only the strings ``hmac-md5``,
+   ``hmac-sha1``, ``hmac-sha224``, ``hmac-sha256``,
+   ``hmac-sha384``, and ``hmac-sha512`` have any meaning. The secret
+   is a Base64-encoded string as specified in :rfc:`3548`.
+
+   The ``server`` statement associates a key defined using the ``key``
+   statement with a server. The keyword ``server`` is followed by a host
+   name or address. The ``server`` statement has two clauses: ``key``
+   and ``port``. The ``key`` clause specifies the name of the key to be
+   used when communicating with this server, and the ``port`` clause can
+   be used to specify the port ``rndc`` should connect to on the server.
+
+   A sample minimal configuration file is as follows:
+
+   ::
+
+      key rndc_key {
+           algorithm "hmac-sha256";
+           secret
+             "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
+      };
+      options {
+           default-server 127.0.0.1;
+           default-key    rndc_key;
+      };
+
+   This file, if installed as ``/etc/rndc.conf``, allows the
+   command:
+
+   ``$ rndc reload``
+
+   to connect to 127.0.0.1 port 953 and causes the name server to reload,
+   if a name server on the local machine is running with the following
+   controls statements:
+
+   ::
+
+      controls {
+          inet 127.0.0.1
+              allow { localhost; } keys { rndc_key; };
+      };
+
+   and it has an identical key statement for ``rndc_key``.
+
+   Running the ``rndc-confgen`` program conveniently creates an
+   ``rndc.conf`` file, and also displays the corresponding
+   ``controls`` statement needed to add to ``named.conf``.
+   Alternatively, it is possible to run ``rndc-confgen -a`` to set up an
+   ``rndc.key`` file and not modify ``named.conf`` at all.
+
+Signals
+~~~~~~~
+
+Certain Unix signals cause the name server to take specific actions, as
+described in the following table. These signals can be sent using the
+``kill`` command.
+
++--------------+-------------------------------------------------------+
+| ``SIGHUP``   | Causes the server to read ``named.conf`` and reload   |
+|              | the database.                                         |
++--------------+-------------------------------------------------------+
+| ``SIGTERM``  | Causes the server to clean up and exit.               |
++--------------+-------------------------------------------------------+
+| ``SIGINT``   | Causes the server to clean up and exit.               |
++--------------+-------------------------------------------------------+
+
+.. include:: plugins.rst
diff --git a/doc/arm/dlz.rst b/doc/arm/dlz.rst
new file mode 100644
index 0000000..ccb06c4
--- /dev/null
+++ b/doc/arm/dlz.rst
@@ -0,0 +1,134 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. _dlz-info:
+
+Dynamically Loadable Zones (DLZ)
+--------------------------------
+
+Dynamically Loadable Zones (DLZ) are an extension to BIND 9 that allows
+zone data to be retrieved directly from an external database. There is
+no required format or schema. DLZ drivers exist for several different
+database backends, including PostgreSQL, MySQL, and LDAP, and can be
+written for any other.
+
+Historically, DLZ drivers had to be statically linked with the ``named``
+binary and were turned on via a configure option at compile time (for
+example, ``configure --with-dlz-ldap``). The drivers
+provided in the BIND 9 tarball in ``contrib/dlz/drivers`` are still
+linked this way.
+
+In BIND 9.8 and higher, it is possible to link some DLZ modules
+dynamically at runtime, via the DLZ "dlopen" driver, which acts as a
+generic wrapper around a shared object implementing the DLZ API. The
+"dlopen" driver is linked into ``named`` by default, so configure
+options are no longer necessary when using these dynamically linkable
+drivers; they are still needed for the older drivers in
+``contrib/dlz/drivers``.
+
+The DLZ module provides data to ``named`` in text
+format, which is then converted to DNS wire format by ``named``. This
+conversion, and the lack of any internal caching, places significant
+limits on the query performance of DLZ modules. Consequently, DLZ is not
+recommended for use on high-volume servers. However, it can be used in a
+hidden primary configuration, with secondaries retrieving zone updates via
+AXFR. Note, however, that DLZ has no built-in support for DNS notify;
+secondary servers are not automatically informed of changes to the zones in the
+database.
+
+Configuring DLZ
+~~~~~~~~~~~~~~~
+
+A DLZ database is configured with a ``dlz`` statement in ``named.conf``:
+
+::
+
+       dlz example {
+       database "dlopen driver.so args";
+       search yes;
+       };
+
+
+This specifies a DLZ module to search when answering queries; the module
+is implemented in ``driver.so`` and is loaded at runtime by the dlopen
+DLZ driver. Multiple ``dlz`` statements can be specified; when answering
+a query, all DLZ modules with ``search`` set to ``yes`` are queried
+to see whether they contain an answer for the query name. The best
+available answer is returned to the client.
+
+The ``search`` option in the above example can be omitted, because
+``yes`` is the default value.
+
+If ``search`` is set to ``no``, this DLZ module is *not* searched
+for the best match when a query is received. Instead, zones in this DLZ
+must be separately specified in a zone statement. This allows users to
+configure a zone normally using standard zone-option semantics, but
+specify a different database backend for storage of the zone's data.
+For example, to implement NXDOMAIN redirection using a DLZ module for
+backend storage of redirection rules:
+
+::
+
+       dlz other {
+              database "dlopen driver.so args";
+              search no;
+       };
+
+       zone "." {
+              type redirect;
+              dlz other;
+       };
+
+
+Sample DLZ Driver
+~~~~~~~~~~~~~~~~~
+
+For guidance in the implementation of DLZ modules, the directory
+``contrib/dlz/example`` contains a basic dynamically linkable DLZ
+module - i.e., one which can be loaded at runtime by the "dlopen" DLZ
+driver. The example sets up a single zone, whose name is passed to the
+module as an argument in the ``dlz`` statement:
+
+::
+
+       dlz other {
+              database "dlopen driver.so example.nil";
+       };
+
+
+In the above example, the module is configured to create a zone
+"example.nil", which can answer queries and AXFR requests and accept
+DDNS updates. At runtime, prior to any updates, the zone contains an
+SOA, NS, and a single A record at the apex:
+
+::
+
+    example.nil.  3600    IN      SOA     example.nil. hostmaster.example.nil. (
+                              123 900 600 86400 3600
+                          )
+    example.nil.  3600    IN      NS      example.nil.
+    example.nil.  1800    IN      A       10.53.0.1
+
+
+The sample driver can retrieve information about the
+querying client and alter its response on the basis of this
+information. To demonstrate this feature, the example driver responds to
+queries for "source-addr.``zonename``>/TXT" with the source address of
+the query. Note, however, that this record will *not* be included in
+AXFR or ANY responses. Normally, this feature is used to alter
+responses in some other fashion, e.g., by providing different address
+records for a particular name depending on the network from which the
+query arrived.
+
+Documentation of the DLZ module API can be found in
+``contrib/dlz/example/README``. This directory also contains the header
+file ``dlz_minimal.h``, which defines the API and should be included by
+any dynamically linkable DLZ module.
diff --git a/doc/arm/dnssec-guide.rst b/doc/arm/dnssec-guide.rst
new file mode 100644
index 0000000..0c28849
--- /dev/null
+++ b/doc/arm/dnssec-guide.rst
@@ -0,0 +1,23 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+DNSSEC Guide
+============
+
+.. include:: ../dnssec-guide/preface.rst
+.. include:: ../dnssec-guide/introduction.rst
+.. include:: ../dnssec-guide/getting-started.rst
+.. include:: ../dnssec-guide/validation.rst
+.. include:: ../dnssec-guide/signing.rst
+.. include:: ../dnssec-guide/troubleshooting.rst
+.. include:: ../dnssec-guide/advanced-discussions.rst
+.. include:: ../dnssec-guide/recipes.rst
+.. include:: ../dnssec-guide/commonly-asked-questions.rst
diff --git a/doc/arm/dnssec.inc.rst b/doc/arm/dnssec.inc.rst
new file mode 100644
index 0000000..f2b66aa
--- /dev/null
+++ b/doc/arm/dnssec.inc.rst
@@ -0,0 +1,521 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. _dnssec:
+
+DNSSEC
+------
+DNS Security Extensions (DNSSEC) provide reliable protection from
+`cache poisoning`_ attacks. At the same time these extensions also provide other benefits: 
+they limit the impact of `random subdomain attacks`_ on resolver caches and authoritative
+servers, and provide the foundation for modern applications like `authenticated
+and private e-mail transfer`_.
+
+To achieve this goal, DNSSEC adds `digital signatures`_ to DNS records in
+authoritative DNS zones, and DNS resolvers verify the validity of the signatures on the
+received records. If the signatures match the received data, the resolver can
+be sure that the data was not modified in transit.
+
+.. note::
+   DNSSEC and transport-level encryption are complementary!
+   Unlike typical transport-level encryption like DNS-over-TLS, DNS-over-HTTPS,
+   or VPN, DNSSEC makes DNS records verifiable at all points of the DNS
+   resolution chain.
+
+This section focuses on ways to deploy DNSSEC using BIND. For a more in-depth
+discussion of DNSSEC principles (e.g. :ref:`how_does_dnssec_change_dns_lookup`)
+please see :doc:`dnssec-guide`.
+
+.. _`cache poisoning`: https://en.wikipedia.org/wiki/DNS_cache_poisoning
+.. _`random subdomain attacks`: https://www.isc.org/blogs/nsec-caching-should-limit-excessive-queries-to-dns-root/
+.. _`digital signatures`: https://en.wikipedia.org/wiki/Digital_signature
+.. _`authenticated and private e-mail transfer`: https://github.com/internetstandards/toolbox-wiki/blob/main/DANE-for-SMTP-how-to.md
+
+
+.. _dnssec_zone_signing:
+
+Zone Signing
+~~~~~~~~~~~~
+
+BIND offers several ways to generate signatures and maintain their validity
+during the lifetime of a DNS zone:
+
+  - :ref:`dnssec_kasp` - **strongly recommended**
+  - :ref:`dnssec_dynamic_zones` - only for special needs
+  - :ref:`dnssec_tools` - discouraged, use only for debugging
+
+.. _zone_keys:
+
+Zone keys
+^^^^^^^^^
+Regardless of the :ref:`zone-signing <dnssec_zone_signing>` method in use, cryptographic keys are
+stored in files named like :file:`Kdnssec.example.+013+12345.key` and
+:file:`Kdnssec.example.+013+12345.private`.
+The private key (in the ``.private`` file) is used to generate signatures, and
+the public key (in the ``.key`` file) is used for signature verification.
+Additionally, the :ref:`dnssec_kasp` method creates a third file,
+:file:`Kdnssec.example+013+12345.state`, which is used to track DNSSEC key timings
+and to perform key rollovers safely.
+
+These filenames contain:
+
+   - the key name, which always matches the zone name (``dnssec.example.``),
+   - the `algorithm number`_ (013 is ECDSAP256SHA256, 008 is RSASHA256, etc.),
+   - and the key tag, i.e. a non-unique key identifier (12345 in this case).
+
+.. _`algorithm number`: https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml#dns-sec-alg-numbers-1
+
+
+.. warning::
+   Private keys are required for full disaster recovery. Back up key files in a
+   safe location and protect them from unauthorized access. Anyone with
+   access to the private key can create fake but seemingly valid DNS data.
+
+
+.. _dnssec_kasp:
+
+Fully Automated (Key and Signing Policy)
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Key and Signing Policy (KASP) is a method of configuration that describes
+how to maintain DNSSEC signing keys and how to sign the zone.
+
+This is the recommended, fully automated way to sign and maintain DNS zones. For
+most use cases users can simply use the built-in default policy, which applies
+up-to-date DNSSEC practices:
+
+.. code-block:: none
+  :emphasize-lines: 4
+
+    zone "dnssec.example" {
+        type primary;
+        file "dnssec.example.db";
+        dnssec-policy default;
+        inline-signing yes;
+    };
+
+The ``dnssec-policy`` statement requires dynamic DNS to be set up, or
+``inline-signing`` to be enabled. In the example above we use the latter.
+
+This is sufficient to create the necessary signing keys, and generate
+``DNSKEY``, ``RRSIG``, and ``NSEC`` records for the zone. BIND also takes
+care of any DNSSEC maintenance for this zone, including replacing signatures
+that are about to expire and managing :ref:`key_rollovers`.
+
+.. note::
+   ``dnssec-policy`` needs write access to the zone. Please see
+   :ref:`dnssec_policy` for more details about implications for zone storage.
+
+The default policy creates one key that is used to sign the complete zone,
+and uses ``NSEC`` to enable authenticated denial of existence (a secure way
+to tell which records do not exist in a zone). This policy is recommended
+and typically does not need to be changed.
+
+If needed, a custom policy can be defined by adding a ``dnssec-policy`` statement
+into the configuration:
+
+.. code-block:: none
+
+
+    dnssec-policy "custom" {
+        dnskey-ttl 600;
+        keys {
+            ksk lifetime P1Y algorithm ecdsap384sha384;
+            zsk lifetime 60d algorithm ecdsap384sha384;
+        };
+        nsec3param iterations 0 optout no salt-length 0;
+    };
+
+This ``custom`` policy, for example:
+
+  - uses a very short ``DNSKEY`` TTL (600 seconds),
+  - uses two keys to sign the zone: a Key Signing Key (KSK) to sign the key
+    related RRsets (``DNSKEY``, ``CDS``, and ``CDNSKEY``), and a Zone Signing
+    Key (ZSK) to sign the rest of the zone. The KSK is automatically
+    rotated after one year and the ZSK after 60 days.
+
+Also:
+  - The configured keys have a lifetime set and use the ECDSAP384SHA384
+    algorithm.
+  - The last line instructs BIND to generate NSEC3 records for
+    :ref:`Proof of Non-Existence <advanced_discussions_proof_of_nonexistence>`,
+    using zero extra iterations and no salt. NSEC3 opt-out is disabled, meaning
+    insecure delegations also get an NSEC3 record.
+
+For more information about KASP configuration see :ref:`dnssec_policy_grammar`.
+
+The :ref:`dnssec_advanced_discussions` section in the DNSSEC Guide discusses the
+various policy settings and may be useful for determining values for specific
+needs.
+
+Key Rollover
+============
+
+When using a ``dnssec-policy``, a key lifetime can be set to trigger
+key rollovers. ZSK rollovers are fully automatic, but for KSK and CSK rollovers
+a DS record needs to be submitted to the parent. See
+:ref:`secure_delegation` for possible ways to do so.
+
+Once the DS is in the parent (and the DS of the predecessor key is withdrawn),
+BIND needs to be told that this event has happened. This can be done automatically
+by configuring parental agents:
+
+.. code-block:: none
+  :emphasize-lines: 5
+
+    zone "dnssec.example" {
+        type primary;
+        file "dnssec.example.db";
+        dnssec-policy default;
+        inline-signing yes;
+        parental-agents { 192.0.2.1; };
+    };
+
+Here one server, ``192.0.2.1``, is configured for BIND to send DS queries to,
+to check the DS RRset for ``dnssec-example`` during key rollovers. This needs
+to be a trusted server, because BIND does not validate the response.
+
+If setting up a parental agent is undesirable, it is also possible to tell BIND that the
+DS is published in the parent with:
+:option:`rndc dnssec -checkds -key 12345 published dnssec.example. <rndc dnssec>`.
+and the DS for the predecessor key has been removed with:
+:option:`rndc dnssec -checkds -key 54321 withdrawn dnssec.example. <rndc dnssec>`.
+where 12345 and 54321 are the key tags of the successor and predecessor key,
+respectively.
+
+To roll a key sooner than scheduled, or to roll a key that
+has an unlimited lifetime, use:
+:option:`rndc dnssec -rollover -key 12345 dnssec.example. <rndc dnssec>`.
+
+To revert a signed zone back to an insecure zone, change
+the zone configuration to use the built-in "insecure" policy. Detailed
+instructions are described in :ref:`revert_to_unsigned`.
+
+.. _dnssec_dynamic_zones:
+
+Manual Key Management
+^^^^^^^^^^^^^^^^^^^^^
+
+.. warning::
+   The method described here allows full control over the keys used to sign
+   the zone. This is required only for very special cases and is generally
+   discouraged. Under normal circumstances, please use :ref:`dnssec_kasp`.
+
+
+.. _dnssec_dynamic_zones_multisigner_model:
+
+Multi-Signer Model
+==================
+
+Dynamic zones provide the ability to sign a zone by multiple providers, meaning
+each provider signs and serves the same zone independently. Such a setup requires
+some coordination between providers when it comes to key rollovers, and may be
+better suited to be configured with ``auto-dnssec allow;``. This permits keys to
+be updated and the zone to be re-signed only if the user issues the command
+:option:`rndc sign zonename <rndc sign>`.
+
+A zone can also be configured with ``auto-dnssec maintain``, which automatically
+adjusts the zone's DNSSEC keys on a schedule according to the key timing
+metadata. However, keys still need to be generated separately, for
+example with :iscman:`dnssec-keygen`.
+
+Of course, dynamic zones can also use ``dnssec-policy`` to fully automate DNSSEC
+maintenance. The next sections assume that more key
+management control is needed, and describe how to use dynamic DNS update to perform
+various DNSSEC operations.
+
+.. _dnssec_dynamic_zones_enabling_dnssec:
+
+Enabling DNSSEC Manually
+========================
+As an alternative to fully automated zone signing using :ref:`dnssec-policy
+<dnssec_kasp>`, a zone can be changed from insecure to secure using a dynamic
+DNS update. :iscman:`named` must be configured so that it can see the ``K*``
+files which contain the public and private parts of the `zone keys`_ that are
+used to sign the zone. Key files should be placed in the ``key-directory``, as
+specified in :iscman:`named.conf`:
+
+::
+
+       zone update.example {
+           type primary;
+           update-policy local;
+           auto-dnssec allow;
+           file "dynamic/update.example.db";
+           key-directory "keys/update.example/";
+       };
+
+If there are both a KSK and a ZSK available (or a CSK), this configuration causes the
+zone to be signed. An ``NSEC`` chain is generated as part of the initial signing
+process.
+
+In any secure zone which supports dynamic updates, :iscman:`named` periodically
+re-signs RRsets which have not been re-signed as a result of some update action.
+The signature lifetimes are adjusted to spread the re-sign load over time rather
+than all at once.
+
+.. _dnssec_dynamic_zones_publishing_dnskey_records:
+
+Publishing DNSKEY Records
+=========================
+
+To insert the keys via dynamic update:
+
+::
+
+       % nsupdate
+       > ttl 3600
+       > update add update.example DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
+       > update add update.example DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
+       > send
+
+In order to sign with these keys, the corresponding key files should also be
+placed in the ``key-directory``.
+
+.. _dnssec_dynamic_zones_nsec3:
+
+NSEC3
+=====
+
+To sign using :ref:`NSEC3 <advanced_discussions_nsec3>` instead of :ref:`NSEC
+<advanced_discussions_nsec>`, add an NSEC3PARAM record to the initial update
+request. The :term:`OPTOUT <Opt-out>` bit in the NSEC3
+chain can be set in the flags field of the
+NSEC3PARAM record.
+
+::
+
+       % nsupdate
+       > ttl 3600
+       > update add update.example DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
+       > update add update.example DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
+       > update add update.example NSEC3PARAM 1 0 0 -
+       > send
+
+Note that the ``NSEC3PARAM`` record does not show up until :iscman:`named` has
+had a chance to build/remove the relevant chain. A private type record is
+created to record the state of the operation (see below for more details), and
+is removed once the operation completes.
+
+The ``NSEC3`` chain is generated and the ``NSEC3PARAM`` record is added before
+the ``NSEC`` chain is destroyed.
+
+While the initial signing and ``NSEC``/``NSEC3`` chain generation are occurring,
+other updates are possible as well.
+
+A new ``NSEC3PARAM`` record can be added via dynamic update. When the new
+``NSEC3`` chain has been generated, the ``NSEC3PARAM`` flag field is set to
+zero. At that point, the old ``NSEC3PARAM`` record can be removed. The old
+chain is removed after the update request completes.
+
+:iscman:`named` only supports creating new ``NSEC3`` chains where all the
+``NSEC3`` records in the zone have the same ``OPTOUT`` state. :iscman:`named`
+supports updates to zones where the ``NSEC3`` records in the chain have mixed
+``OPTOUT`` state. :iscman:`named` does not support changing the ``OPTOUT``
+state of an individual ``NSEC3`` record; if the ``OPTOUT`` state of an
+individual ``NSEC3`` needs to be changed, the entire chain must be changed.
+
+To switch back to ``NSEC``, use :iscman:`nsupdate` to remove any ``NSEC3PARAM``
+records. The ``NSEC`` chain is generated before the ``NSEC3`` chain is removed.
+
+.. _dnssec_dynamic_zones_dnskey_rollovers:
+
+DNSKEY Rollovers
+================
+
+To perform key rollovers via a dynamic update, the ``K*`` files for the new keys
+must be added so that :iscman:`named` can find them. The new ``DNSKEY`` RRs can
+then be added via dynamic update. When the zones are being signed, they are
+signed with the new key set; when the signing is complete, the private type
+records are updated so that the last octet is non-zero.
+
+If this is for a KSK, the parent and any trust anchor repositories of the new
+KSK must be informed.
+
+The maximum TTL in the zone must expire before removing the old ``DNSKEY``. If
+it is a KSK that is being updated, the DS RRset in the parent must also be
+updated and its TTL allowed to expire. This ensures that all clients are able to
+verify at least one signature when the old ``DNSKEY`` is removed.
+
+The old ``DNSKEY`` can be removed via ``UPDATE``, taking care to specify the
+correct key. :iscman:`named` cleans out any signatures generated by the old
+key after the update completes.
+
+.. _dnssec_dynamic_zones_going_insecure:
+
+Going Insecure
+==============
+
+To convert a signed zone to unsigned using dynamic DNS, delete all the
+``DNSKEY`` records from the zone apex using :iscman:`nsupdate`. All signatures,
+``NSEC`` or ``NSEC3`` chains, and associated ``NSEC3PARAM`` records are removed
+automatically when the zone is supposed to be re-signed.
+
+This requires the ``dnssec-secure-to-insecure`` option to be set to ``yes`` in
+:iscman:`named.conf`.
+
+In addition, if the ``auto-dnssec maintain`` or a ``dnssec-policy`` is used, it
+should be removed or changed to ``allow`` instead; otherwise it will re-sign.
+
+.. _dnssec_tools:
+
+Manual Signing
+^^^^^^^^^^^^^^
+
+There are several tools available to manually sign a zone.
+
+.. warning::
+
+   Please note manual procedures are available mainly for backwards
+   compatibility and should be used only by expert users with specific needs.
+
+To set up a DNSSEC secure zone manually, a series of steps
+must be followed. Please see chapter
+:ref:`advanced_discussions_manual_key_management_and_signing` in the
+:doc:`dnssec-guide` for more information.
+
+Monitoring with Private Type Records
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The state of the signing process is signaled by private type records (with a
+default type value of 65534). When signing is complete, those records with a
+non-zero initial octet have a non-zero value for the final octet.
+
+If the first octet of a private type record is non-zero, the record indicates
+either that the zone needs to be signed with the key matching the record, or
+that all signatures that match the record should be removed. Here are the
+meanings of the different values of the first octet:
+
+   - algorithm (octet 1)
+
+   - key ID in network order (octet 2 and 3)
+
+   - removal flag (octet 4)
+
+   - complete flag (octet 5)
+
+Only records flagged as "complete" can be removed via dynamic update; attempts
+to remove other private type records are silently ignored.
+
+If the first octet is zero (this is a reserved algorithm number that should
+never appear in a ``DNSKEY`` record), the record indicates that changes to the
+``NSEC3`` chains are in progress. The rest of the record contains an
+``NSEC3PARAM`` record, while the flag field tells what operation to perform
+based on the flag bits:
+
+   0x01 OPTOUT
+
+   0x80 CREATE
+
+   0x40 REMOVE
+
+   0x20 NONSEC
+
+.. _secure_delegation:
+
+Secure Delegation
+~~~~~~~~~~~~~~~~~
+
+Once a zone is signed on the authoritative servers, the last remaining step
+is to establish chain of trust [#validation]_ between the parent zone
+(``example.``) and the local zone (``dnssec.example.``).
+
+Generally the procedure is:
+
+  - **Wait** for stale data to expire from caches. The amount of time required
+    is equal to the maximum TTL value used in the zone before signing. This
+    step ensures that unsigned data expire from caches and resolvers do not get
+    confused by missing signatures.
+  - Insert/update DS records in the parent zone (``dnssec.example. DS`` record).
+
+There are multiple ways to update DS records in the parent zone. Refer to the
+documentation for the parent zone to find out which options are applicable to
+a given case zone. Generally the options are, from most- to least-recommended:
+
+  - Automatically update the DS record in the parent zone using
+    ``CDS``/``CDNSKEY`` records automatically generated by BIND. This requires
+    support for :rfc:`7344` in either parent zone, registry, or registrar. In
+    that case, configure BIND to :ref:`monitor DS records in the parent
+    zone <cds_cdnskey>` and everything will happen automatically at the right
+    time.
+  - Query the zone for automatically generated ``CDS`` or ``CDNSKEY`` records using
+    :iscman:`dig`, and then insert these records into the parent zone using
+    the method specified by the parent zone (web form, e-mail, API, ...).
+  - Generate DS records manually using the :iscman:`dnssec-dsfromkey` utility on
+    `zone keys`_, and then insert them into the parent zone.
+
+.. [#validation] For further details on how the chain of trust is used in practice, see
+                :ref:`dnssec_12_steps` in the :doc:`dnssec-guide`.
+
+
+
+DNSSEC Validation
+~~~~~~~~~~~~~~~~~
+
+The BIND resolver validates answers from authoritative servers by default. This
+behavior is controlled by the configuration statement :ref:`dnssec-validation
+<dnssec-validation-option>`.
+
+By default a trust anchor for the DNS root zone is used.
+This trust anchor is provided as part of BIND and is kept up-to-date using
+:ref:`rfc5011.support`.
+
+.. note::
+   DNSSEC validation works "out of the box" and does not require
+   additional configuration. Additional configuration options are intended only
+   for special cases.
+
+To validate answers, the resolver needs at least one trusted starting point,
+a "trust anchor." Essentially, trust anchors are copies of ``DNSKEY`` RRs for
+zones that are used to form the first link in the cryptographic chain of trust.
+Alternative trust anchors can be specified using :ref:`trust_anchors`, but
+this setup is very unusual and is recommended only for expert use.
+For more information, see :ref:`trust_anchors_description` in the
+:doc:`dnssec-guide`.
+
+The BIND authoritative server does not verify signatures on load, so zone keys
+for authoritative zones do not need to be specified in the configuration
+file.
+
+Validation Failures
+^^^^^^^^^^^^^^^^^^^
+
+When DNSSEC validation is configured, the resolver rejects any answers from
+signed, secure zones which fail to validate, and returns SERVFAIL to the
+client.
+
+Responses may fail to validate for any of several reasons, including
+missing, expired, or invalid signatures; a key which does not match the
+DS RRset in the parent zone; or an insecure response from a zone which,
+according to its parent, should have been secure.
+
+For more information see :ref:`dnssec_troubleshooting`.
+
+Coexistence With Unsigned (Insecure) Zones
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Zones not protected by DNSSEC are called "insecure," and these zones seamlessly
+coexist with signed zones.
+
+When the validator receives a response from an unsigned zone that has
+a signed parent, it must confirm with the parent that the zone was
+intentionally left unsigned. It does this by verifying, via signed
+and validated :ref:`NSEC/NSEC3 records
+<advanced_discussions_proof_of_nonexistence>`, that the parent zone contains no
+DS records for the child.
+
+If the validator *can* prove that the zone is insecure, then the
+response is accepted. However, if it cannot, the validator must assume an
+insecure response to be a forgery; it rejects the response and logs
+an error.
+
+The logged error reads "insecurity proof failed" and "got insecure
+response; parent indicates it should be secure."
diff --git a/doc/arm/dyndb.rst b/doc/arm/dyndb.rst
new file mode 100644
index 0000000..c6d7026
--- /dev/null
+++ b/doc/arm/dyndb.rst
@@ -0,0 +1,89 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. _dyndb-info:
+
+Dynamic Database (DynDB)
+------------------------
+
+Dynamic Database, or DynDB, is an extension to BIND 9 which, like DLZ (see
+:ref:`dlz-info`), allows zone data to be retrieved from an external
+database. Unlike DLZ, a DynDB module provides a full-featured BIND zone
+database interface. Where DLZ translates DNS queries into real-time
+database lookups, resulting in relatively poor query performance, and is
+unable to handle DNSSEC-signed data due to its limited API, a DynDB
+module can pre-load an in-memory database from the external data source,
+providing the same performance and functionality as zones served
+natively by BIND.
+
+A DynDB module supporting LDAP has been created by Red Hat and is
+available from https://pagure.io/bind-dyndb-ldap.
+
+A sample DynDB module for testing and developer guidance is included
+with the BIND source code, in the directory
+``bin/tests/system/dyndb/driver``.
+
+Configuring DynDB
+~~~~~~~~~~~~~~~~~
+
+A DynDB database is configured with a ``dyndb`` statement in
+``named.conf``:
+
+::
+
+       dyndb example "driver.so" {
+           parameters
+       };
+
+
+The file ``driver.so`` is a DynDB module which implements the full DNS
+database API. Multiple ``dyndb`` statements can be specified, to load
+different drivers or multiple instances of the same driver. Zones
+provided by a DynDB module are added to the view's zone table, and are
+treated as normal authoritative zones when BIND responds to
+queries. Zone configuration is handled internally by the DynDB module.
+
+The parameters are passed as an opaque string to the DynDB module's
+initialization routine. Configuration syntax differs depending on
+the driver.
+
+Sample DynDB Module
+~~~~~~~~~~~~~~~~~~~
+
+For guidance in the implementation of DynDB modules, the directory
+``bin/tests/system/dyndb/driver`` contains a basic DynDB module. The
+example sets up two zones, whose names are passed to the module as
+arguments in the ``dyndb`` statement:
+
+::
+
+       dyndb sample "sample.so" { example.nil. arpa. };
+
+
+In the above example, the module is configured to create a zone,
+"example.nil", which can answer queries and AXFR requests and accept
+DDNS updates. At runtime, prior to any updates, the zone contains an
+SOA, NS, and a single A record at the apex:
+
+::
+
+    example.nil.  86400    IN      SOA     example.nil. example.nil. (
+                                                  0 28800 7200 604800 86400
+                                          )
+    example.nil.  86400    IN      NS      example.nil.
+    example.nil.  86400    IN      A       127.0.0.1
+
+
+When the zone is updated dynamically, the DynDB module determines
+whether the updated RR is an address (i.e., type A or AAAA); if so,
+it automatically updates the corresponding PTR record in a reverse
+zone. Note that updates are not stored permanently; all updates are lost when the
+server is restarted.
diff --git a/doc/arm/general.rst b/doc/arm/general.rst
new file mode 100644
index 0000000..c4af278
--- /dev/null
+++ b/doc/arm/general.rst
@@ -0,0 +1,432 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. General:
+
+General DNS Reference Information
+=================================
+
+.. _rfcs:
+
+Requests for Comment (RFCs)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Specification documents for the Internet protocol suite, including the
+DNS, are published as part of the `Request for Comments`_ (RFCs) series
+of technical notes. The standards themselves are defined by the
+`Internet Engineering Task Force`_ (IETF) and the `Internet Engineering
+Steering Group`_ (IESG). RFCs can be viewed online at:
+https://www.rfc-editor.org/.
+
+While reading RFCs, please keep in mind that :rfc:`not all RFCs are
+standards <1796>`, and also that the validity of documents does change
+over time. Every RFC needs to be interpreted in the context of other
+documents.
+
+BIND 9 strives for strict compliance with IETF standards. To the best
+of our knowledge, BIND 9 complies with the following RFCs, with
+the caveats and exceptions listed in the numbered notes below. Many
+of these RFCs were written by current or former ISC staff members.
+The list is non-exhaustive.
+
+.. _Internet Engineering Steering Group: https://www.ietf.org/about/groups/iesg/
+.. _Internet Engineering Task Force: https://www.ietf.org/about/
+.. _Request for Comments: https://www.ietf.org/standards/rfcs/
+
+Some of these RFCs, though DNS-related, are not concerned with implementing
+software.
+
+Protocol Specifications
+-----------------------
+
+:rfc:`1034` - P. Mockapetris. *Domain Names — Concepts and Facilities.* November
+1987.
+
+:rfc:`1035` - P. Mockapetris. *Domain Names — Implementation and Specification.*
+November 1987. [#rfc1035_1]_ [#rfc1035_2]_
+
+:rfc:`1183` - C. F. Everhart, L. A. Mamakos, R. Ullmann, P. Mockapetris. *New DNS RR
+Definitions.* October 1990.
+
+:rfc:`1706` - B. Manning and R. Colella. *DNS NSAP Resource Records.* October 1994.
+
+:rfc:`1712` - C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. *DNS Encoding of
+Geographical Location.* November 1994.
+
+:rfc:`1876` - C. Davis, P. Vixie, T. Goodwin, and I. Dickinson. *A Means for Expressing
+Location Information in the Domain Name System.* January 1996.
+
+:rfc:`1982` - R. Elz and R. Bush. *Serial Number Arithmetic.* August 1996.
+
+:rfc:`1995` - M. Ohta. *Incremental Zone Transfer in DNS.* August 1996.
+
+:rfc:`1996` - P. Vixie. *A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY).*
+August 1996.
+
+:rfc:`2136` - P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. *Dynamic Updates in the
+Domain Name System (DNS UPDATE).* April 1997.
+
+:rfc:`2163` - A. Allocchio. *Using the Internet DNS to Distribute MIXER
+Conformant Global Address Mapping (MCGAM).* January 1998.
+
+:rfc:`2181` - R. Elz and R. Bush. *Clarifications to the DNS Specification.* July 1997.
+
+:rfc:`2230` - R. Atkinson. *Key Exchange Delegation Record for the DNS.* November
+1997.
+
+:rfc:`2308` - M. Andrews. *Negative Caching of DNS Queries (DNS NCACHE).* March 1998.
+
+:rfc:`2539` - D. Eastlake, 3rd. *Storage of Diffie-Hellman Keys in the Domain Name
+System (DNS).* March 1999.
+
+:rfc:`2782` - A. Gulbrandsen, P. Vixie, and L. Esibov. *A DNS RR for Specifying the
+Location of Services (DNS SRV).* February 2000.
+
+:rfc:`2930` - D. Eastlake, 3rd. *Secret Key Establishment for DNS (TKEY RR).*
+September 2000.
+
+:rfc:`2931` - D. Eastlake, 3rd. *DNS Request and Transaction Signatures (SIG(0)s).*
+September 2000. [#rfc2931]_
+
+:rfc:`3007` - B. Wellington. *Secure Domain Name System (DNS) Dynamic Update.*
+November 2000.
+
+:rfc:`3110` - D. Eastlake, 3rd. *RSA/SHA-1 SIGs and RSA KEYs in the Domain Name
+System (DNS).* May 2001.
+
+:rfc:`3123` - P. Koch. *A DNS RR Type for Lists of Address Prefixes (APL RR).* June
+2001.
+
+:rfc:`3225` - D. Conrad. *Indicating Resolver Support of DNSSEC.* December 2001.
+
+:rfc:`3226` - O. Gudmundsson. *DNSSEC and IPv6 A6 Aware Server/Resolver
+Message Size Requirements.* December 2001.
+
+:rfc:`3363` - R. Bush, A. Durand, B. Fink, O. Gudmundsson, and T. Hain.
+*Representing Internet Protocol Version 6 (IPv6) Addresses in the Domain Name
+System (DNS).* August 2002. [#rfc3363]_
+
+:rfc:`3403` - M. Mealling.
+*Dynamic Delegation Discovery System (DDDS). Part Three: The Domain Name System
+(DNS) Database.*
+October 2002.
+
+:rfc:`3492` - A. Costello. *Punycode: A Bootstring Encoding of Unicode for
+Internationalized Domain Names in Applications (IDNA).* March 2003.
+
+:rfc:`3493` - R. Gilligan, S. Thomson, J. Bound, J. McCann, and W. Stevens.
+*Basic Socket Interface Extensions for IPv6.* March 2003.
+
+:rfc:`3496` - A. G. Malis and T. Hsiao. *Protocol Extension for Support of
+Asynchronous Transfer Mode (ATM) Service Class-aware Multiprotocol Label
+Switching (MPLS) Traffic Engineering.* March 2003.
+
+:rfc:`3596` - S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. *DNS Extensions to
+Support IP Version 6.* October 2003.
+
+:rfc:`3597` - A. Gustafsson. *Handling of Unknown DNS Resource Record (RR) Types.*
+September 2003.
+
+:rfc:`3645` - S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. *Generic
+Security Service Algorithm for Secret Key Transaction Authentication for
+DNS (GSS-TSIG).* October 2003.
+
+:rfc:`4025` - M. Richardson. *A Method for Storing IPsec Keying Material in
+DNS.* March 2005.
+
+:rfc:`4033` - R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. *DNS Security
+Introduction and Requirements.* March 2005.
+
+:rfc:`4034` - R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. *Resource Records for
+the DNS Security Extensions.* March 2005.
+
+:rfc:`4035` - R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. *Protocol
+Modifications for the DNS Security Extensions.* March 2005.
+
+:rfc:`4255` - J. Schlyter and W. Griffin. *Using DNS to Securely Publish Secure
+Shell (SSH) Key Fingerprints.* January 2006.
+
+:rfc:`4343` - D. Eastlake, 3rd. *Domain Name System (DNS) Case Insensitivity
+Clarification.* January 2006.
+
+:rfc:`4398` - S. Josefsson. *Storing Certificates in the Domain Name System (DNS).* March 2006.
+
+:rfc:`4470` - S. Weiler and J. Ihren. *Minimally covering NSEC Records and
+DNSSEC On-line Signing.* April 2006. [#rfc4470]_
+
+:rfc:`4509` - W. Hardaker. *Use of SHA-256 in DNSSEC Delegation Signer
+(DS) Resource Records (RRs).* May 2006.
+
+:rfc:`4592` - E. Lewis. *The Role of Wildcards in the Domain Name System.* July 2006.
+
+:rfc:`4635` - D. Eastlake, 3rd. *HMAC SHA (Hashed Message Authentication
+Code, Secure Hash Algorithm) TSIG Algorithm Identifiers.* August 2006.
+
+:rfc:`4701` - M. Stapp, T. Lemon, and A. Gustafsson. *A DNS Resource Record
+(RR) for Encoding Dynamic Host Configuration Protocol (DHCP) Information (DHCID
+RR).* October 2006.
+
+:rfc:`4955` - D. Blacka. *DNS Security (DNSSEC) Experiments.* July 2007. [#rfc4955]_
+
+:rfc:`5001` - R. Austein. *DNS Name Server Identifier (NSID) Option.* August 2007.
+
+:rfc:`5011` - M. StJohns. *Automated Updates of DNS Security (DNSSEC) Trust Anchors.*
+
+:rfc:`5155` - B. Laurie, G. Sisson, R. Arends, and D. Blacka. *DNS Security
+(DNSSEC) Hashed Authenticated Denial of Existence.* March 2008.
+
+:rfc:`5205` - P. Nikander and J. Laganier. *Host Identity Protocol (HIP)
+Domain Name System (DNS) Extension.* April 2008.
+
+:rfc:`5452` - A. Hubert and R. van Mook. *Measures for Making DNS More
+Resilient Against Forged Answers.* January 2009. [#rfc5452]_
+
+:rfc:`5702` - J. Jansen. *Use of SHA-2 Algorithms with RSA in DNSKEY and
+RRSIG Resource Records for DNSSEC.* October 2009.
+
+:rfc:`5891` - J. Klensin.
+*Internationalized Domain Names in Applications (IDNA): Protocol.*
+August 2010
+
+:rfc:`5936` - E. Lewis and A. Hoenes, Ed. *DNS Zone Transfer Protocol (AXFR).*
+June 2010.
+
+:rfc:`5952` - S. Kawamura and M. Kawashima. *A Recommendation for IPv6 Address
+Text Representation.* August 2010.
+
+:rfc:`6052` - C. Bao, C. Huitema, M. Bagnulo, M. Boucadair, and X. Li. *IPv6
+Addressing of IPv4/IPv6 Translators.* October 2010.
+
+:rfc:`6147` - M. Bagnulo, A. Sullivan, P. Matthews, and I. van Beijnum.
+*DNS64: DNS Extensions for Network Address Translation from IPv6 Clients to
+IPv4 Servers.* April 2011. [#rfc6147]_
+
+:rfc:`6604` - D. Eastlake, 3rd. *xNAME RCODE and Status Bits Clarification.*
+April 2012.
+
+:rfc:`6605` - P. Hoffman and W. C. A. Wijngaards. *Elliptic Curve Digital
+Signature Algorithm (DSA) for DNSSEC.* April 2012. [#rfc6605]_
+
+:rfc:`6672` - S. Rose and W. Wijngaards. *DNAME Redirection in the DNS.*
+June 2012.
+
+:rfc:`6698` - P. Hoffman and J. Schlyter. *The DNS-Based Authentication of
+Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA.*
+August 2012.
+
+:rfc:`6725` - S. Rose. *DNS Security (DNSSEC) DNSKEY Algorithm IANA Registry
+Updates.* August 2012. [#rfc6725]_
+
+:rfc:`6742` - RJ Atkinson, SN Bhatti, U. St. Andrews, and S. Rose. *DNS
+Resource Records for the Identifier-Locator Network Protocol (ILNP).*
+November 2012.
+
+:rfc:`6840` - S. Weiler, Ed., and D. Blacka, Ed. *Clarifications and
+Implementation Notes for DNS Security (DNSSEC).* February 2013. [#rfc6840]_
+
+:rfc:`6891` - J. Damas, M. Graff, and P. Vixie. *Extension Mechanisms for DNS
+(EDNS(0)).* April 2013.
+
+:rfc:`7043` - J. Abley. *Resource Records for EUI-48 and EUI-64 Addresses
+in the DNS.* October 2013.
+
+:rfc:`7208` - S. Kitterman.
+*Sender Policy Framework (SPF) for Authorizing Use of Domains in Email,
+Version 1.*
+April 2014.
+
+:rfc:`7314` - M. Andrews. *Extension Mechanisms for DNS (EDNS) EXPIRE Option.*
+July 2014.
+
+:rfc:`7344` - W. Kumari, O. Gudmundsson, and G. Barwood. *Automating DNSSEC
+Delegation Trust Maintenance.* September 2014. [#rfc7344]_
+
+:rfc:`7477` - W. Hardaker. *Child-to-Parent Synchronization in DNS.* March
+2015.
+
+:rfc:`7553` - P. Faltstrom and O. Kolkman. *The Uniform Resource Identifier
+(URI) DNS Resource Record.* June 2015.
+
+:rfc:`7583` - S. Morris, J. Ihren, J. Dickinson, and W. Mekking. *DNSSEC Key
+Rollover Timing Considerations.* October 2015.
+
+:rfc:`7766` - J. Dickinson, S. Dickinson, R. Bellis, A. Mankin, and D.
+Wessels. *DNS Transport over TCP - Implementation Requirements.* March 2016.
+
+:rfc:`7828` - P. Wouters, J. Abley, S. Dickinson, and R. Bellis.
+*The edns-tcp-keepalive EDNS0 Option.* April 2016.
+
+:rfc:`7830` - A. Mayrhofer. *The EDNS(0) Padding Option.* May 2016. [#rfc7830]_
+
+:rfc:`7929` - P. Wouters. *DNS-Based Authentication of Named Entities (DANE)
+Bindings for OpenPGP.* August 2016.
+
+:rfc:`8078` - O. Gudmundsson and P. Wouters. *Managing DS Records from the
+Parent via CDS/CDNSKEY.* March 2017. [#rfc8078]_
+
+:rfc:`8080` - O. Sury and R. Edmonds. *Edwards-Curve Digital Security Algorithm
+(EdDSA) for DNSSEC.* February 2017.
+
+:rfc:`8624` - P. Wouters and O. Sury. *Algorithm Implementation Requirements
+and Usage Guidance for DNSSEC.* June 2019.
+
+:rfc:`8659` - P. Hallam-Baker, R. Stradling, and J. Hoffman-Andrews.
+*DNS Certification Authority Authorization (CAA) Resource Record.*
+November 2019.
+
+:rfc:`8945` - F. Dupont, S. Morris, P. Vixie, D. Eastlake 3rd, O. Gudmundsson,
+and B. Wellington.
+*Secret Key Transaction Authentication for DNS (TSIG).*
+November 2020.
+
+Best Current Practice RFCs
+--------------------------
+
+:rfc:`2219` - M. Hamilton and R. Wright. *Use of DNS Aliases for Network Services.*
+October 1997.
+
+:rfc:`2317` - H. Eidnes, G. de Groot, and P. Vixie. *Classless IN-ADDR.ARPA Delegation.*
+March 1998.
+
+:rfc:`2606` - D. Eastlake, 3rd and A. Panitz. *Reserved Top Level DNS Names.* June
+1999. [#rfc2606]_
+
+:rfc:`3901` - A. Durand and J. Ihren. *DNS IPv6 Transport Operational Guidelines.*
+September 2004.
+
+:rfc:`5625` - R. Bellis. *DNS Proxy Implementation Guidelines.* August 2009.
+
+:rfc:`6303` - M. Andrews. *Locally Served DNS Zones.* July 2011.
+
+:rfc:`7793` - M. Andrews. *Adding 100.64.0.0/10 Prefixes to the IPv4
+Locally-Served DNS Zones Registry.* May 2016.
+
+:rfc:`8906` - M. Andrews and R. Bellis. *A Common Operational Problem in DNS
+Servers: Failure to Communicate.* September 2020.
+
+For Your Information
+--------------------
+
+:rfc:`1101` - P. Mockapetris. *DNS Encoding of Network Names and Other Types.*
+April 1989.
+
+:rfc:`1123` - R. Braden. *Requirements for Internet Hosts - Application and
+Support.* October 1989.
+
+:rfc:`1535` - E. Gavron. *A Security Problem and Proposed Correction With Widely
+Deployed DNS Software.* October 1993.
+
+:rfc:`1536` - A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. *Common DNS
+Implementation Errors and Suggested Fixes.* October 1993.
+
+:rfc:`1912` - D. Barr. *Common DNS Operational and Configuration Errors.* February
+1996.
+
+:rfc:`2874` - M. Crawford and C. Huitema. *DNS Extensions to Support IPv6 Address
+Aggregation and Renumbering.* July 2000. [#rfc2874]_
+
+:rfc:`3833` - D. Atkins and R. Austein. *Threat Analysis of the Domain Name System
+(DNS).* August 2004.
+
+:rfc:`4074` - Y. Morishita and T. Jinmei. *Common Misbehavior Against DNS Queries for
+IPv6 Addresses.* June 2005.
+
+:rfc:`4431` - M. Andrews and S. Weiler. *The DNSSEC Lookaside Validation
+(DLV) DNS Resource Record.* February 2006. [#rfc4431]_
+
+:rfc:`4892` - S. Woolf and D. Conrad. *Requirements for a Mechanism
+Identifying a Name Server Instance.* June 2007.
+
+:rfc:`6781` - O. Kolkman, W. Mekking, and R. Gieben. *DNSSEC Operational
+Practices, Version 2.* December 2012.
+
+:rfc:`7129` - R. Gieben and W. Mekking. *Authenticated Denial of Existence
+in the DNS.* February 2014.
+
+:rfc:`8749` - W. Mekking and D. Mahoney. *Moving DNSSEC Lookaside Validation
+(DLV) to Historic Status.* March 2020.
+
+Notes
+~~~~~
+
+.. [#rfc1035_1] Queries to zones that have failed to load return SERVFAIL rather
+   than a non-authoritative response. This is considered a feature.
+
+.. [#rfc1035_2] CLASS ANY queries are not supported. This is considered a
+   feature.
+
+.. [#rfc2931] When receiving a query signed with a SIG(0), the server is
+   only able to verify the signature if it has the key in its local
+   authoritative data; it cannot do recursion or validation to
+   retrieve unknown keys.
+
+.. [#rfc2874] Compliance is with loading and serving of A6 records only.
+   A6 records were moved to the experimental category by :rfc:`3363`.
+
+.. [#rfc4431] Compliance is with loading and serving of DLV records only.
+   DLV records were moved to the historic category by :rfc:`8749`.
+
+.. [#rfc4470] Minimally Covering NSEC records are accepted but not generated.
+
+.. [#rfc4955] BIND 9 interoperates with correctly designed experiments.
+
+.. [#rfc5452] ``named`` only uses ports to extend the ID space; addresses are not
+   used.
+
+.. [#rfc6147] Section 5.5 does not match reality. ``named`` uses the presence
+   of DO=1 to detect if validation may be occurring. CD has no bearing
+   on whether validation occurs.
+
+.. [#rfc6605] Compliance is conditional on the OpenSSL library being linked against
+   a supporting ECDSA.
+
+.. [#rfc6725] RSAMD5 support has been removed. See :rfc:`8624`.
+
+.. [#rfc6840] Section 5.9 - Always set CD=1 on queries. This is *not* done, as
+   it prevents DNSSEC from working correctly through another recursive server.
+
+   When talking to a recursive server, the best algorithm is to send
+   CD=0 and then send CD=1 iff SERVFAIL is returned, in case the recursive
+   server has a bad clock and/or bad trust anchor. Alternatively, one
+   can send CD=1 then CD=0 on validation failure, in case the recursive
+   server is under attack or there is stale/bogus authoritative data.
+
+.. [#rfc7344] Updating of parent zones is not yet implemented.
+
+.. [#rfc7830] ``named`` does not currently encrypt DNS requests, so the PAD option
+   is accepted but not returned in responses.
+
+.. [#rfc3363] Section 4 is ignored.
+
+.. [#rfc2606] This does not apply to DNS server implementations.
+
+.. [#rfc1521] Only the Base 64 encoding specification is supported.
+
+.. [#idna] BIND 9 requires ``--with-libidn2`` to enable entry of IDN labels within
+   dig, host, and nslookup at compile time.  ACE labels are supported
+   everywhere with or without ``--with-libidn2``.
+
+.. [#rfc4294] Section 5.1 - DNAME records are fully supported.
+
+.. [#rfc8078] Updating of parent zones is not yet implemented.
+
+.. _internet_drafts:
+
+Internet Drafts
+~~~~~~~~~~~~~~~
+
+Internet Drafts (IDs) are rough-draft working documents of the Internet
+Engineering Task Force (IETF). They are, in essence, RFCs in the preliminary
+stages of development. Implementors are cautioned not to regard IDs as
+archival, and they should not be quoted or cited in any formal documents
+unless accompanied by the disclaimer that they are "works in progress."
+IDs have a lifespan of six months, after which they are deleted unless
+updated by their authors.
diff --git a/doc/arm/history.rst b/doc/arm/history.rst
new file mode 100644
index 0000000..5049982
--- /dev/null
+++ b/doc/arm/history.rst
@@ -0,0 +1,77 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. History:
+
+A Brief History of the DNS and BIND
+===================================
+
+Although the Domain Name System "officially" began in
+1984 with the publication of :rfc:`920`, the core of the new system was
+described in 1983 in :rfc:`882` and :rfc:`883`. From 1984 to 1987, the ARPAnet
+(the precursor to today's Internet) became a testbed of experimentation
+for developing the new naming/addressing scheme in a rapidly expanding,
+operational network environment. New RFCs were written and published in
+1987 that modified the original documents to incorporate improvements
+based on the working model. :rfc:`1034`, "Domain Names-Concepts and
+Facilities," and :rfc:`1035`, "Domain Names-Implementation and
+Specification," were published and became the standards upon which all
+DNS implementations are built.
+
+The first working domain name server, called "Jeeves," was written in
+1983-84 by Paul Mockapetris for operation on DEC Tops-20 machines
+located at the University of Southern California's Information Sciences
+Institute (USC-ISI) and SRI International's Network Information Center
+(SRI-NIC). A DNS server for Unix machines, the Berkeley Internet Name
+Domain (BIND) package, was written soon after by a group of graduate
+students at the University of California at Berkeley under a grant from
+the US Defense Advanced Research Projects Administration (DARPA).
+
+Versions of BIND through 4.8.3 were maintained by the Computer Systems
+Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark Painter, David
+Riggle, and Songnian Zhou made up the initial BIND project team. After
+that, additional work on the software package was done by Ralph
+Campbell. Kevin Dunlap, a Digital Equipment Corporation employee on loan
+to the CSRG, worked on BIND for 2 years, from 1985 to 1987. Many other
+people also contributed to BIND development during that time: Doug
+Kingston, Craig Partridge, Smoot Carl-Mitchell, Mike Muuss, Jim Bloom,
+and Mike Schwartz. BIND maintenance was subsequently handled by Mike
+Karels and Øivind Kure.
+
+BIND versions 4.9 and 4.9.1 were released by Digital Equipment
+Corporation (which became Compaq Computer Corporation and eventually merged
+with Hewlett-Packard). Paul Vixie, then a DEC
+employee, became BIND's primary caretaker. He was assisted by Phil
+Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan Beecher, Andrew
+Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat Baran,
+Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe Wolfhugel,
+and others.
+
+In 1994, BIND version 4.9.2 was sponsored by Vixie Enterprises. Paul
+Vixie became BIND's principal architect/programmer.
+
+BIND versions from 4.9.3 onward have been developed and maintained by
+Internet Systems Consortium and its predecessor, the Internet
+Software Consortium, with support provided by ISC's sponsors.
+
+As co-architects/programmers, Bob Halley and Paul Vixie released the
+first production-ready version of BIND version 8 in May 1997.
+
+BIND version 9 was released in September 2000 and is a major rewrite of
+nearly all aspects of the underlying BIND architecture.
+
+BIND versions 4 and 8 are officially deprecated. No additional
+development is done on BIND version 4 or BIND version 8.
+
+BIND development work is made possible today by the sponsorship of
+corporations who purchase professional support services from ISC
+(https://www.isc.org/contact/) and/or donate to our mission, and by the
+tireless efforts of numerous individuals.
diff --git a/doc/arm/index.rst b/doc/arm/index.rst
new file mode 100644
index 0000000..651fd78
--- /dev/null
+++ b/doc/arm/index.rst
@@ -0,0 +1,41 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. meta::
+   :google-site-verification: 0-DMrB_qDynsvXBKJhpsS5m8l5oVea8Qe2ojkudjtCY
+
+*************************************
+BIND 9 Administrator Reference Manual
+*************************************
+
+.. toctree::
+   :numbered:
+   :maxdepth: 2
+
+   introduction
+   requirements
+   configuration
+   reference
+   dnssec.inc
+   advanced
+   security
+   troubleshooting
+   
+.. toctree::
+   :caption: Appendices
+   :name: appendices
+   :maxdepth: 2
+
+   notes
+   dnssec-guide
+   history
+   general
+   manpages
diff --git a/doc/arm/introduction.rst b/doc/arm/introduction.rst
new file mode 100644
index 0000000..1f7be6c
--- /dev/null
+++ b/doc/arm/introduction.rst
@@ -0,0 +1,311 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. _Introduction:
+
+Introduction
+============
+
+The Internet Domain Name System (DNS) consists of the syntax to specify
+the names of entities in the Internet in a hierarchical manner, the
+rules used for delegating authority over names, and the system
+implementation that actually maps names to Internet addresses. DNS data
+is maintained in a group of distributed hierarchical databases.
+
+.. _doc_scope:
+
+Scope of Document
+-----------------
+
+The Berkeley Internet Name Domain (BIND) implements a domain name server
+for a number of operating systems. This document provides basic
+information about the installation and care of the Internet Systems
+Consortium (ISC) BIND version 9 software package for system
+administrators.
+
+This manual covers BIND version |release|.
+
+.. _organization:
+
+Organization of This Document
+-----------------------------
+
+In this document, *Chapter 1* introduces the basic DNS and BIND
+concepts. *Chapter 2* describes resource requirements for running BIND
+in various environments. Information in *Chapter 3* is *task-oriented*
+in its presentation and is organized functionally, to aid in the process
+of installing the BIND 9 software. The task-oriented section is followed
+by *Chapter 4*, which is organized as a reference manual to aid in the ongoing
+maintenance of the software. *Chapter 5* contains more advanced concepts that
+the system administrator may need for implementing certain options. *Chapter 6*
+addresses security considerations, and *Chapter 7* contains troubleshooting help.
+The main body of the document is followed by several *appendices* which contain
+useful reference information, such as a *bibliography* and historic
+information related to BIND and the Domain Name System.
+
+.. _conventions:
+
+Conventions Used in This Document
+---------------------------------
+
+In this document, we generally use ``Fixed Width`` text to indicate the
+following types of information:
+
+- pathnames
+- filenames
+- URLs
+- hostnames
+- mailing list names
+- new terms or concepts
+- literal user input
+- program output
+- keywords
+- variables
+
+Text in "quotes," **bold**, or *italics* is also used for emphasis or clarity.
+
+.. _dns_overview:
+
+The Domain Name System (DNS)
+----------------------------
+
+This document explains the installation and upkeep
+of the BIND (Berkeley Internet Name Domain) software package. We
+begin by reviewing the fundamentals of the Domain Name System (DNS) as
+they relate to BIND.
+
+.. _dns_fundamentals:
+
+DNS Fundamentals
+~~~~~~~~~~~~~~~~
+
+The Domain Name System (DNS) is a hierarchical, distributed database. It
+stores information for mapping Internet host names to IP addresses and
+vice versa, mail routing information, and other data used by Internet
+applications.
+
+Clients look up information in the DNS by calling a *resolver* library,
+which sends queries to one or more *name servers* and interprets the
+responses. The BIND 9 software distribution contains a name server,
+``named``, and a set of associated tools.
+
+.. _domain_names:
+
+Domains and Domain Names
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+The data stored in the DNS is identified by *domain names* that are
+organized as a tree according to organizational or administrative
+boundaries. Each node of the tree, called a *domain*, is given a label.
+The domain name of the node is the concatenation of all the labels on
+the path from the node to the *root* node. This is represented in
+written form as a string of labels listed from right to left and
+separated by dots. A label need only be unique within its parent domain.
+
+For example, a domain name for a host at the company *Example, Inc.*
+could be ``ourhost.example.com``, where ``com`` is the top-level domain
+to which ``ourhost.example.com`` belongs, ``example`` is a subdomain of
+``com``, and ``ourhost`` is the name of the host.
+
+For administrative purposes, the name space is partitioned into areas
+called *zones*, each starting at a node and extending down to the "leaf"
+nodes or to nodes where other zones start. The data for each zone is
+stored in a *name server*, which answers queries about the zone using
+the *DNS protocol*.
+
+The data associated with each domain name is stored in the form of
+*resource records* (RRs). Some of the supported resource record types
+are described in :ref:`types_of_resource_records_and_when_to_use_them`.
+
+For more detailed information about the design of the DNS and the DNS
+protocol, please refer to the standards documents listed in :ref:`rfcs`.
+
+Zones
+~~~~~
+
+To properly operate a name server, it is important to understand the
+difference between a *zone* and a *domain*.
+
+As stated previously, a zone is a point of delegation in the DNS tree. A
+zone consists of those contiguous parts of the domain tree for which a
+name server has complete information and over which it has authority. It
+contains all domain names from a certain point downward in the domain
+tree except those which are delegated to other zones. A delegation point
+is marked by one or more *NS records* in the parent zone, which should
+be matched by equivalent NS records at the root of the delegated zone.
+
+For instance, consider the ``example.com`` domain, which includes names
+such as ``host.aaa.example.com`` and ``host.bbb.example.com``, even
+though the ``example.com`` zone includes only delegations for the
+``aaa.example.com`` and ``bbb.example.com`` zones. A zone can map
+exactly to a single domain, but could also include only part of a
+domain, the rest of which could be delegated to other name servers.
+Every name in the DNS tree is a *domain*, even if it is *terminal*, that
+is, has no *subdomains*. Every subdomain is a domain and every domain
+except the root is also a subdomain. The terminology is not intuitive
+and we suggest reading :rfc:`1033`, :rfc:`1034`, and :rfc:`1035` to gain a complete
+understanding of this difficult and subtle topic.
+
+Though BIND 9 is called a "domain name server," it deals primarily in
+terms of zones. The ``primary`` and ``secondary`` declarations in the ``named.conf``
+file specify zones, not domains. When BIND asks some other site if it is
+willing to be a secondary server for a *domain*, it is actually asking
+for secondary service for some collection of *zones*.
+
+.. _auth_servers:
+
+Authoritative Name Servers
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Each zone is served by at least one *authoritative name server*, which
+contains the complete data for the zone. To make the DNS tolerant of
+server and network failures, most zones have two or more authoritative
+servers, on different networks.
+
+Responses from authoritative servers have the "authoritative answer"
+(AA) bit set in the response packets. This makes them easy to identify
+when debugging DNS configurations using tools like ``dig`` (:ref:`diagnostic_tools`).
+
+.. _primary_master:
+
+The Primary Server
+^^^^^^^^^^^^^^^^^^
+
+The authoritative server, where the main copy of the zone data is
+maintained, is called the *primary* (formerly *master*) server, or simply the
+*primary*. Typically it loads the zone contents from some local file
+edited by humans or perhaps generated mechanically from some other local
+file which is edited by humans. This file is called the *zone file* or
+*master file*.
+
+In some cases, however, the master file may not be edited by humans at
+all, but may instead be the result of *dynamic update* operations.
+
+.. _secondary_server:
+
+Secondary Servers
+^^^^^^^^^^^^^^^^^
+
+The other authoritative servers, the *secondary* servers (formerly known as
+*slave* servers) load the zone contents from another server using a
+replication process known as a *zone transfer*. Typically the data is
+transferred directly from the primary, but it is also possible to
+transfer it from another secondary. In other words, a secondary server may
+itself act as a primary to a subordinate secondary server.
+
+Periodically, the secondary server must send a refresh query to determine
+whether the zone contents have been updated. This is done by sending a
+query for the zone's Start of Authority (SOA) record and checking whether the SERIAL field
+has been updated; if so, a new transfer request is initiated. The timing
+of these refresh queries is controlled by the SOA REFRESH and RETRY
+fields, but can be overridden with the ``max-refresh-time``,
+``min-refresh-time``, ``max-retry-time``, and ``min-retry-time``
+options.
+
+If the zone data cannot be updated within the time specified by the SOA
+EXPIRE option (up to a hard-coded maximum of 24 weeks), the secondary
+zone expires and no longer responds to queries.
+
+.. _stealth_server:
+
+Stealth Servers
+^^^^^^^^^^^^^^^
+
+Usually, all of the zone's authoritative servers are listed in NS
+records in the parent zone. These NS records constitute a *delegation*
+of the zone from the parent. The authoritative servers are also listed
+in the zone file itself, at the *top level* or *apex* of the zone.
+Servers that are not in the parent's NS delegation can be listed in the
+zone's top-level NS records, but servers that are not present at the
+zone's top level cannot be listed in the parent's delegation.
+
+A *stealth server* is a server that is authoritative for a zone but is
+not listed in that zone's NS records. Stealth servers can be used for
+keeping a local copy of a zone, to speed up access to the zone's records
+or to make sure that the zone is available even if all the "official"
+servers for the zone are inaccessible.
+
+A configuration where the primary server itself is a stealth
+server is often referred to as a "hidden primary" configuration. One use
+for this configuration is when the primary is behind a firewall
+and is therefore unable to communicate directly with the outside world.
+
+.. _cache_servers:
+
+Caching Name Servers
+~~~~~~~~~~~~~~~~~~~~
+
+The resolver libraries provided by most operating systems are *stub
+resolvers*, meaning that they are not capable of performing the full DNS
+resolution process by themselves by talking directly to the
+authoritative servers. Instead, they rely on a local name server to
+perform the resolution on their behalf. Such a server is called a
+*recursive* name server; it performs *recursive lookups* for local
+clients.
+
+To improve performance, recursive servers cache the results of the
+lookups they perform. Since the processes of recursion and caching are
+intimately connected, the terms *recursive server* and *caching server*
+are often used synonymously.
+
+The length of time for which a record may be retained in the cache of a
+caching name server is controlled by the Time-To-Live (TTL) field
+associated with each resource record.
+
+.. _forwarder:
+
+Forwarding
+^^^^^^^^^^
+
+Even a caching name server does not necessarily perform the complete
+recursive lookup itself. Instead, it can *forward* some or all of the
+queries that it cannot satisfy from its cache to another caching name
+server, commonly referred to as a *forwarder*.
+
+Forwarders are typically used when an administrator does not wish for
+all the servers at a given site to interact directly with the rest of
+the Internet. For example, a common scenario is when multiple internal
+DNS servers are behind an Internet firewall. Servers behind the firewall
+forward their requests to the server with external access, which queries
+Internet DNS servers on the internal servers' behalf.
+
+Another scenario (largely now superseded by Response Policy Zones) is to
+send queries first to a custom server for RBL processing before
+forwarding them to the wider Internet.
+
+There may be one or more forwarders in a given setup. The order in which
+the forwarders are listed in ``named.conf`` does not determine the
+sequence in which they are queried; rather, ``named`` uses the response
+times from previous queries to select the server that is likely to
+respond the most quickly. A server that has not yet been queried is
+given an initial small random response time to ensure that it is tried
+at least once. Dynamic adjustment of the recorded response times ensures
+that all forwarders are queried, even those with slower response times.
+This permits changes in behavior based on server responsiveness.
+
+.. _multi_role:
+
+Name Servers in Multiple Roles
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The BIND name server can simultaneously act as a primary for some zones,
+a secondary for other zones, and as a caching (recursive) server for a set
+of local clients.
+
+However, since the functions of authoritative name service and
+caching/recursive name service are logically separate, it is often
+advantageous to run them on separate server machines. A server that only
+provides authoritative name service (an *authoritative-only* server) can
+run with recursion disabled, improving reliability and security. A
+server that is not authoritative for any zones and only provides
+recursive service to local clients (a *caching-only* server) does not
+need to be reachable from the Internet at large and can be placed inside
+a firewall.
diff --git a/doc/arm/isc-logo.pdf b/doc/arm/isc-logo.pdf
new file mode 100644
index 0000000..7877082
--- /dev/null
+++ b/doc/arm/isc-logo.pdf
diff --git a/doc/arm/logging-categories.rst b/doc/arm/logging-categories.rst
new file mode 100644
index 0000000..46d27e7
--- /dev/null
+++ b/doc/arm/logging-categories.rst
@@ -0,0 +1,117 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+``client``
+    Processing of client requests.
+
+``cname``
+    Name servers that are skipped for being a CNAME rather than A/AAAA records.
+     
+``config``
+    Configuration file parsing and processing.
+
+``database``
+    Messages relating to the databases used internally by the name server to store zone and cache data.
+
+``default``
+    Logging options for those categories where no specific configuration has been defined.
+
+``delegation-only``
+    Queries that have been forced to NXDOMAIN as the result of a delegation-only zone or a ``delegation-only`` in a forward, hint, or stub zone declaration.
+
+``dispatch``
+    Dispatching of incoming packets to the server modules where they are to be processed.
+
+``dnssec``
+    DNSSEC and TSIG protocol processing.
+
+``dnstap``
+    The "dnstap" DNS traffic capture system.
+
+``edns-disabled``
+    Log queries that have been forced to use plain DNS due to timeouts. This is often due to the remote servers not being :rfc:`1034`-compliant (not always returning FORMERR or similar to EDNS queries and other extensions to the DNS when they are not understood). In other words, this is targeted at servers that fail to respond to DNS queries that they don't understand.
+    
+    Note: the log message can also be due to packet loss. Before reporting servers for non-:rfc:`1034` compliance they should be re-tested to determine the nature of the non-compliance. This testing should prevent or reduce the number of false-positive reports.
+    
+    Note: eventually ``named`` will have to stop treating such timeouts as due to :rfc:`1034` non-compliance and start treating it as plain packet loss. Falsely classifying packet loss as due to :rfc:`1034` non-compliance impacts DNSSEC validation, which requires EDNS for the DNSSEC records to be returned.
+
+``general``
+    A catch-all for many things that still are not classified into categories.
+
+``lame-servers``
+    Misconfigurations in remote servers, discovered by BIND 9 when trying to query those servers during resolution.
+
+``network``
+    Network operations.
+
+``notify``
+    The NOTIFY protocol.
+
+``nsid``
+    NSID options received from upstream servers.
+
+``queries``
+    A location where queries should be logged.
+    
+    At startup, specifying the category ``queries`` also enables query logging unless the ``querylog`` option has been specified.
+    
+    The query log entry first reports a client object identifier in @0x<hexadecimal-number> format. Next, it reports the client's IP address and port number, and the query name, class, and type. Next, it reports whether the Recursion Desired flag was set (+ if set, - if not set), whether the query was signed (S), whether EDNS was in use along with the EDNS version number (E(#)), whether TCP was used (T), whether DO (DNSSEC Ok) was set (D), whether CD (Checking Disabled) was set (C), whether a valid DNS Server COOKIE was received (V), and whether a DNS COOKIE option without a valid Server COOKIE was present (K). After this, the destination address the query was sent to is reported. Finally, if any CLIENT-SUBNET option was present in the client query, it is included in square brackets in the format [ECS address/source/scope].
+
+    .. code-block:: none
+
+       client @0x7f91b8005490 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +E(0)K (127.0.0.1)
+       client @0x7f91b4007400 ::1#62537 (www.example.net): query: www.example.net IN AAAA +E(0)K (::1)
+
+    The first part of this log message, showing the client address/port number and query name, is repeated in all subsequent log messages related to the same query.
+
+``query-errors``
+    Information about queries that resulted in some failure.
+
+``rate-limit``
+    Start, periodic, and final notices of the rate limiting of a stream of responses that are logged at ``info`` severity in this category. These messages include a hash value of the domain name of the response and the name itself, except when there is insufficient memory to record the name for the final notice. The final notice is normally delayed until about one minute after rate limiting stops. A lack of memory can hurry the final notice, which is indicated by an initial asterisk (\*). Various internal events are logged at debug level 1 and higher.
+    
+    Rate limiting of individual requests is logged in the ``query-errors`` category.
+
+``resolver``
+    DNS resolution, such as the recursive lookups performed on behalf of clients by a caching name server.
+
+``rpz``
+    Information about errors in response policy zone files, rewritten responses, and, at the highest ``debug`` levels, mere rewriting attempts.
+
+``security``
+    Approval and denial of requests.
+
+``serve-stale``
+    Indication of whether a stale answer is used following a resolver failure.
+
+``spill``
+    Queries that have been terminated, either by dropping or responding with SERVFAIL, as a result of a fetchlimit quota being exceeded.
+
+``trust-anchor-telemetry``
+    Trust-anchor-telemetry requests received by ``named``.
+
+``unmatched``
+    Messages that ``named`` was unable to determine the class of, or for which there was no matching ``view``. A one-line summary is also logged to the ``client`` category. This category is best sent to a file or stderr; by default it is sent to the ``null`` channel.
+
+``update``
+    Dynamic updates.
+
+``update-security``
+    Approval and denial of update requests.
+
+``xfer-in``
+    Zone transfers the server is receiving.
+
+``xfer-out``
+    Zone transfers the server is sending.
+
+``zoneload``
+    Loading of zones and creation of automatic empty zones.
diff --git a/doc/arm/managed-keys.rst b/doc/arm/managed-keys.rst
new file mode 100644
index 0000000..d50dbdb
--- /dev/null
+++ b/doc/arm/managed-keys.rst
@@ -0,0 +1,92 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. _rfc5011.support:
+
+Dynamic Trust Anchor Management
+-------------------------------
+
+BIND is able to maintain DNSSEC trust anchors using :rfc:`5011` key
+management. This feature allows ``named`` to keep track of changes to
+critical DNSSEC keys without any need for the operator to make changes
+to configuration files.
+
+Validating Resolver
+~~~~~~~~~~~~~~~~~~~
+
+To configure a validating resolver to use :rfc:`5011` to maintain a trust
+anchor, configure the trust anchor using a ``trust-anchors`` statement and
+the ``initial-key`` keyword. Information about this can be found in
+:ref:`trust-anchors`.
+
+Authoritative Server
+~~~~~~~~~~~~~~~~~~~~
+
+To set up an authoritative zone for :rfc:`5011` trust anchor maintenance,
+generate two (or more) key signing keys (KSKs) for the zone. Sign the
+zone with one of them; this is the "active" KSK. All KSKs which do not
+sign the zone are "stand-by" keys.
+
+Any validating resolver which is configured to use the active KSK as an
+:rfc:`5011`-managed trust anchor takes note of the stand-by KSKs in the
+zone's DNSKEY RRset, and stores them for future reference. The resolver
+rechecks the zone periodically; after 30 days, if the new key is
+still there, the key is accepted by the resolver as a valid
+trust anchor for the zone. Anytime after this 30-day acceptance timer
+has completed, the active KSK can be revoked, and the zone can be
+"rolled over" to the newly accepted key.
+
+The easiest way to place a stand-by key in a zone is to use the "smart
+signing" features of ``dnssec-keygen`` and ``dnssec-signzone``. If a key
+exists with a publication date in the past, but an activation date which is
+unset or in the future, ``dnssec-signzone -S`` includes the
+DNSKEY record in the zone but does not sign with it:
+
+::
+
+   $ dnssec-keygen -K keys -f KSK -P now -A now+2y example.net
+   $ dnssec-signzone -S -K keys example.net
+
+To revoke a key, use the command ``dnssec-revoke``. This
+adds the REVOKED bit to the key flags and regenerates the ``K*.key``
+and ``K*.private`` files.
+
+After revoking the active key, the zone must be signed with both the
+revoked KSK and the new active KSK. Smart signing takes care of this
+automatically.
+
+Once a key has been revoked and used to sign the DNSKEY RRset in which
+it appears, that key is never again accepted as a valid trust
+anchor by the resolver. However, validation can proceed using the new
+active key, which was accepted by the resolver when it was a
+stand-by key.
+
+See :rfc:`5011` for more details on key rollover scenarios.
+
+When a key has been revoked, its key ID changes, increasing by 128 and
+wrapping around at 65535. So, for example, the key
+"``Kexample.com.+005+10000``" becomes "``Kexample.com.+005+10128``".
+
+If two keys have IDs exactly 128 apart and one is revoked, the two
+key IDs will collide, causing several problems. To prevent this,
+``dnssec-keygen`` does not generate a new key if another key
+which may collide is present. This checking only occurs if the new keys are
+written to the same directory that holds all other keys in use for that
+zone.
+
+Older versions of BIND 9 did not have this protection. Exercise caution
+if using key revocation on keys that were generated by previous
+releases, or if using keys stored in multiple directories or on multiple
+machines.
+
+It is expected that a future release of BIND 9 will address this problem
+in a different way, by storing revoked keys with their original
+unrevoked key IDs.
diff --git a/doc/arm/manpages.rst b/doc/arm/manpages.rst
new file mode 100644
index 0000000..e6d21bd
--- /dev/null
+++ b/doc/arm/manpages.rst
@@ -0,0 +1,55 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. _manpages:
+
+Manual Pages
+============
+
+.. include:: ../../bin/tools/arpaname.rst
+.. include:: ../../bin/confgen/ddns-confgen.rst
+.. include:: ../../bin/delv/delv.rst
+.. include:: ../../bin/dig/dig.rst
+.. include:: ../../bin/dnssec/dnssec-cds.rst
+.. include:: ../../bin/dnssec/dnssec-dsfromkey.rst
+.. include:: ../../bin/dnssec/dnssec-importkey.rst
+.. include:: ../../bin/python/dnssec-checkds.rst
+.. include:: ../../bin/python/dnssec-coverage.rst
+.. include:: ../../bin/python/dnssec-keymgr.rst
+.. include:: ../../bin/dnssec/dnssec-keyfromlabel.rst
+.. include:: ../../bin/dnssec/dnssec-keygen.rst
+.. include:: ../../bin/dnssec/dnssec-revoke.rst
+.. include:: ../../bin/dnssec/dnssec-settime.rst
+.. include:: ../../bin/dnssec/dnssec-signzone.rst
+.. include:: ../../bin/dnssec/dnssec-verify.rst
+.. include:: ../../bin/tools/dnstap-read.rst
+.. include:: ../../bin/plugins/filter-aaaa.rst
+.. include:: ../../bin/dig/host.rst
+.. include:: ../../bin/tools/mdig.rst
+.. include:: ../../bin/check/named-checkconf.rst
+.. include:: ../../bin/check/named-checkzone.rst
+.. include:: ../../bin/check/named-compilezone.rst
+.. include:: ../../bin/tools/named-journalprint.rst
+.. include:: ../../bin/tools/named-nzd2nzf.rst
+.. include:: ../../bin/tools/named-rrchecker.rst
+.. include:: ../../bin/named/named.conf.rst
+.. include:: ../../bin/named/named.rst
+.. include:: ../../bin/tools/nsec3hash.rst
+.. include:: ../../bin/dig/nslookup.rst
+.. include:: ../../bin/nsupdate/nsupdate.rst
+.. include:: ../../bin/pkcs11/pkcs11-destroy.rst
+.. include:: ../../bin/pkcs11/pkcs11-keygen.rst
+.. include:: ../../bin/pkcs11/pkcs11-list.rst
+.. include:: ../../bin/pkcs11/pkcs11-tokens.rst
+.. include:: ../../bin/confgen/rndc-confgen.rst
+.. include:: ../../bin/rndc/rndc.conf.rst
+.. include:: ../../bin/rndc/rndc.rst
+.. include:: ../../bin/confgen/tsig-keygen.rst
diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst
new file mode 100644
index 0000000..90421ec
--- /dev/null
+++ b/doc/arm/notes.rst
@@ -0,0 +1,116 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Release Notes
+=============
+
+.. contents::
+
+Introduction
+------------
+
+BIND 9.16 (Extended Support Version) is a stable branch of BIND. This
+document summarizes significant changes since the last production
+release on that branch. Please see the CHANGES file for a more detailed
+list of changes and bug fixes.
+
+Note on Version Numbering
+-------------------------
+
+As of BIND 9.13/9.14, BIND has adopted the "odd-unstable/even-stable"
+release numbering convention. BIND 9.16 contains new features that were
+added during the BIND 9.15 development process. Henceforth, the 9.16
+branch will be limited to bug fixes, and new feature development will
+proceed in the unstable 9.17 branch.
+
+Supported Platforms
+-------------------
+
+See the :ref:`supported_os` section in the :ref:`Requirements` chapter.
+
+Download
+--------
+
+The latest versions of BIND 9 software can always be found at
+https://www.isc.org/download/. There you will find additional
+information about each release, source code, and pre-compiled versions
+for Microsoft Windows operating systems.
+
+.. include:: ../notes/notes-known-issues.rst
+
+.. include:: ../notes/notes-9.16.44.rst
+.. include:: ../notes/notes-9.16.43.rst
+.. include:: ../notes/notes-9.16.42.rst
+.. include:: ../notes/notes-9.16.41.rst
+.. include:: ../notes/notes-9.16.40.rst
+.. include:: ../notes/notes-9.16.39.rst
+.. include:: ../notes/notes-9.16.38.rst
+.. include:: ../notes/notes-9.16.37.rst
+.. include:: ../notes/notes-9.16.36.rst
+.. include:: ../notes/notes-9.16.35.rst
+.. include:: ../notes/notes-9.16.34.rst
+.. include:: ../notes/notes-9.16.33.rst
+.. include:: ../notes/notes-9.16.32.rst
+.. include:: ../notes/notes-9.16.31.rst
+.. include:: ../notes/notes-9.16.30.rst
+.. include:: ../notes/notes-9.16.29.rst
+.. include:: ../notes/notes-9.16.28.rst
+.. include:: ../notes/notes-9.16.27.rst
+.. include:: ../notes/notes-9.16.26.rst
+.. include:: ../notes/notes-9.16.25.rst
+.. include:: ../notes/notes-9.16.24.rst
+.. include:: ../notes/notes-9.16.23.rst
+.. include:: ../notes/notes-9.16.22.rst
+.. include:: ../notes/notes-9.16.21.rst
+.. include:: ../notes/notes-9.16.20.rst
+.. include:: ../notes/notes-9.16.19.rst
+.. include:: ../notes/notes-9.16.18.rst
+.. include:: ../notes/notes-9.16.17.rst
+.. include:: ../notes/notes-9.16.16.rst
+.. include:: ../notes/notes-9.16.15.rst
+.. include:: ../notes/notes-9.16.14.rst
+.. include:: ../notes/notes-9.16.13.rst
+.. include:: ../notes/notes-9.16.12.rst
+.. include:: ../notes/notes-9.16.11.rst
+.. include:: ../notes/notes-9.16.10.rst
+.. include:: ../notes/notes-9.16.9.rst
+.. include:: ../notes/notes-9.16.8.rst
+.. include:: ../notes/notes-9.16.7.rst
+.. include:: ../notes/notes-9.16.6.rst
+.. include:: ../notes/notes-9.16.5.rst
+.. include:: ../notes/notes-9.16.4.rst
+.. include:: ../notes/notes-9.16.3.rst
+.. include:: ../notes/notes-9.16.2.rst
+.. include:: ../notes/notes-9.16.1.rst
+.. include:: ../notes/notes-9.16.0.rst
+
+.. _relnotes_license:
+
+License
+-------
+
+BIND 9 is open source software licensed under the terms of the Mozilla Public
+License, version 2.0 (see the ``COPYING`` file for the full text).
+
+Those wishing to discuss license compliance may contact ISC at
+https://www.isc.org/contact/.
+
+End of Life
+-----------
+
+BIND 9.16 (Extended Support Version) will be supported until at least
+December, 2023. See https://kb.isc.org/docs/aa-00896 for details of
+ISC's software support policy.
+
+Thank You
+---------
+
+Thank you to everyone who assisted us in making this release possible.
diff --git a/doc/arm/pkcs11.rst b/doc/arm/pkcs11.rst
new file mode 100644
index 0000000..bce9ef6
--- /dev/null
+++ b/doc/arm/pkcs11.rst
@@ -0,0 +1,287 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. _pkcs11:
+
+PKCS#11 (Cryptoki) Support
+--------------------------
+
+Public Key Cryptography Standard #11 (PKCS#11) defines a
+platform-independent API for the control of hardware security modules
+(HSMs) and other cryptographic support devices.
+
+BIND 9 is known to work with three HSMs: the AEP Keyper, which has been
+tested with Debian Linux, Solaris x86, and Windows Server 2003; the
+Thales nShield, tested with Debian Linux; and the Sun SCA 6000
+cryptographic acceleration board, tested with Solaris x86. In addition,
+BIND can be used with all current versions of SoftHSM, a software-based
+HSM simulator library produced by the OpenDNSSEC project.
+
+PKCS#11 uses a "provider library": a dynamically loadable
+library which provides a low-level PKCS#11 interface to drive the HSM
+hardware. The PKCS#11 provider library comes from the HSM vendor, and it
+is specific to the HSM to be controlled.
+
+There are two available mechanisms for PKCS#11 support in BIND 9:
+OpenSSL-based PKCS#11 and native PKCS#11. With OpenSSL-based PKCS#11,
+BIND uses a modified version of OpenSSL, which loads the
+provider library and operates the HSM indirectly; any cryptographic
+operations not supported by the HSM can be carried out by OpenSSL
+instead. Native PKCS#11 enables BIND to bypass OpenSSL completely;
+BIND loads the provider library itself, and uses the PKCS#11 API to
+drive the HSM directly.
+
+Prerequisites
+~~~~~~~~~~~~~
+
+See the documentation provided by the HSM vendor for information about
+installing, initializing, testing, and troubleshooting the HSM.
+
+Native PKCS#11
+~~~~~~~~~~~~~~
+
+Native PKCS#11 mode only works with an HSM capable of carrying out
+*every* cryptographic operation BIND 9 may need. The HSM's provider
+library must have a complete implementation of the PKCS#11 API, so that
+all these functions are accessible. As of this writing, only the Thales
+nShield HSM and SoftHSMv2 can be used in this fashion. For other HSMs,
+including the AEP Keyper, Sun SCA 6000, and older versions of SoftHSM,
+use OpenSSL-based PKCS#11. (Note: Eventually, when more HSMs become
+capable of supporting native PKCS#11, it is expected that OpenSSL-based
+PKCS#11 will be deprecated.)
+
+To build BIND with native PKCS#11, configure it as follows:
+
+::
+
+   $ cd bind9
+   $ ./configure --enable-native-pkcs11 \
+       --with-pkcs11=provider-library-path
+
+
+This causes all BIND tools, including ``named`` and the ``dnssec-*``
+and ``pkcs11-*`` tools, to use the PKCS#11 provider library specified in
+provider-library-path for cryptography. (The provider library path can
+be overridden using the ``-E`` argument in ``named`` and the ``dnssec-*`` tools,
+or the ``-m`` argument in the ``pkcs11-*`` tools.)
+
+Building SoftHSMv2
+^^^^^^^^^^^^^^^^^^
+
+SoftHSMv2, the latest development version of SoftHSM, is available from
+https://github.com/opendnssec/SoftHSMv2. It is a software library
+developed by the OpenDNSSEC project (https://www.opendnssec.org) which
+provides a PKCS#11 interface to a virtual HSM, implemented in the form
+of an SQLite3 database on the local filesystem. It provides less security
+than a true HSM, but it allows users to experiment with native PKCS#11
+when an HSM is not available. SoftHSMv2 can be configured to use either
+OpenSSL or the Botan library to perform cryptographic functions, but
+when using it for native PKCS#11 in BIND, OpenSSL is required.
+
+By default, the SoftHSMv2 configuration file is ``prefix/etc/softhsm2.conf``
+(where ``prefix`` is configured at compile time). This location can be
+overridden by the SOFTHSM2_CONF environment variable. The SoftHSMv2
+cryptographic store must be installed and initialized before using it
+with BIND.
+
+::
+
+   $  cd SoftHSMv2
+   $  configure --with-crypto-backend=openssl --prefix=/opt/pkcs11/usr
+   $  make
+   $  make install
+   $  /opt/pkcs11/usr/bin/softhsm-util --init-token 0 --slot 0 --label softhsmv2
+
+
+OpenSSL-based PKCS#11
+~~~~~~~~~~~~~~~~~~~~~
+
+OpenSSL-based PKCS#11 uses engine_pkcs11 OpenSSL engine from libp11 project.
+
+For more information, see https://gitlab.isc.org/isc-projects/bind9/-/wikis/BIND-9-PKCS11
+
+PKCS#11 Tools
+~~~~~~~~~~~~~
+
+BIND 9 includes a minimal set of tools to operate the HSM, including
+``pkcs11-keygen`` to generate a new key pair within the HSM,
+``pkcs11-list`` to list objects currently available, ``pkcs11-destroy``
+to remove objects, and ``pkcs11-tokens`` to list available tokens.
+
+In UNIX/Linux builds, these tools are built only if BIND 9 is configured
+with the ``--with-pkcs11`` option. (Note: If ``--with-pkcs11`` is set to ``yes``,
+rather than to the path of the PKCS#11 provider, the tools are
+built but the provider is left undefined. Use the ``-m`` option or the
+``PKCS11_PROVIDER`` environment variable to specify the path to the
+provider.)
+
+Using the HSM
+~~~~~~~~~~~~~
+
+For OpenSSL-based PKCS#11, the runtime environment must first be set up
+so the OpenSSL and PKCS#11 libraries can be loaded:
+
+::
+
+   $ export LD_LIBRARY_PATH=/opt/pkcs11/usr/lib:${LD_LIBRARY_PATH}
+
+This causes ``named`` and other binaries to load the OpenSSL library
+from ``/opt/pkcs11/usr/lib``, rather than from the default location. This
+step is not necessary when using native PKCS#11.
+
+Some HSMs require other environment variables to be set. For example,
+when operating an AEP Keyper, the location of
+the "machine" file, which stores information about the Keyper for use by
+the provider library, must be specified. If the machine file is in
+``/opt/Keyper/PKCS11Provider/machine``, use:
+
+::
+
+   $ export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11Provider
+
+Such environment variables must be set when running any tool that
+uses the HSM, including ``pkcs11-keygen``, ``pkcs11-list``,
+``pkcs11-destroy``, ``dnssec-keyfromlabel``, ``dnssec-signzone``,
+``dnssec-keygen``, and ``named``.
+
+HSM keys can now be created and used. In this case, we will create
+a 2048-bit key and give it the label "sample-ksk":
+
+::
+
+   $ pkcs11-keygen -b 2048 -l sample-ksk
+
+To confirm that the key exists:
+
+::
+
+   $ pkcs11-list
+   Enter PIN:
+   object[0]: handle 2147483658 class 3 label[8] 'sample-ksk' id[0]
+   object[1]: handle 2147483657 class 2 label[8] 'sample-ksk' id[0]
+
+Before using this key to sign a zone, we must create a pair of BIND 9
+key files. The ``dnssec-keyfromlabel`` utility does this. In this case, we
+are using the HSM key "sample-ksk" as the key-signing key for
+"example.net":
+
+::
+
+   $ dnssec-keyfromlabel -l sample-ksk -f KSK example.net
+
+The resulting K*.key and K*.private files can now be used to sign the
+zone. Unlike normal K\* files, which contain both public and private key
+data, these files contain only the public key data, plus an
+identifier for the private key which remains stored within the HSM.
+Signing with the private key takes place inside the HSM.
+
+To generate a second key in the HSM for use as a
+zone-signing key, follow the same procedure above, using a different
+keylabel, a smaller key size, and omitting ``-f KSK`` from the
+``dnssec-keyfromlabel`` arguments:
+
+::
+
+   $ pkcs11-keygen -b 1024 -l sample-zsk
+   $ dnssec-keyfromlabel -l sample-zsk example.net
+
+Alternatively, a conventional on-disk key can be generated
+using ``dnssec-keygen``:
+
+::
+
+   $ dnssec-keygen example.net
+
+This provides less security than an HSM key, but since HSMs can be slow
+or cumbersome to use for security reasons, it may be more efficient to
+reserve HSM keys for use in the less frequent key-signing operation. The
+zone-signing key can be rolled more frequently, if desired, to
+compensate for a reduction in key security. (Note: When using native
+PKCS#11, there is no speed advantage to using on-disk keys, as
+cryptographic operations are done by the HSM.)
+
+Now the zone can be signed. Please note that, if the -S option is not used for
+``dnssec-signzone``, the contents of both
+``K*.key`` files must be added to the zone master file before signing it.
+
+::
+
+   $ dnssec-signzone -S example.net
+   Enter PIN:
+   Verifying the zone using the following algorithms:
+   NSEC3RSASHA1.
+   Zone signing complete:
+   Algorithm: NSEC3RSASHA1: ZSKs: 1, KSKs: 1 active, 0 revoked, 0 stand-by
+   example.net.signed
+
+Specifying the Engine on the Command Line
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+When using OpenSSL-based PKCS#11, the "engine" to be used by OpenSSL can
+be specified in ``named`` and all of the BIND ``dnssec-*`` tools by
+using the ``-E <engine>`` command line option. If BIND 9 is built with the
+``--with-pkcs11`` option, this option defaults to "pkcs11". Specifying the
+engine is generally not necessary unless
+a different OpenSSL engine is used.
+
+To disable use of the "pkcs11" engine - for
+troubleshooting purposes, or because the HSM is unavailable - set
+the engine to the empty string. For example:
+
+::
+
+   $ dnssec-signzone -E '' -S example.net
+
+This causes ``dnssec-signzone`` to run as if it were compiled without
+the ``--with-pkcs11`` option.
+
+When built with native PKCS#11 mode, the "engine" option has a different
+meaning: it specifies the path to the PKCS#11 provider library. This may
+be useful when testing a new provider library.
+
+Running ``named`` With Automatic Zone Re-signing
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+For ``named`` to dynamically re-sign zones using HSM keys,
+and/or to sign new records inserted via nsupdate, ``named`` must
+have access to the HSM PIN. In OpenSSL-based PKCS#11, this is
+accomplished by placing the PIN into the ``openssl.cnf`` file (in the above
+examples, ``/opt/pkcs11/usr/ssl/openssl.cnf``).
+
+The location of the openssl.cnf file can be overridden by setting the
+``OPENSSL_CONF`` environment variable before running ``named``.
+
+Here is a sample ``openssl.cnf``:
+
+::
+
+       openssl_conf = openssl_def
+       [ openssl_def ]
+       engines = engine_section
+       [ engine_section ]
+       pkcs11 = pkcs11_section
+       [ pkcs11_section ]
+       PIN = <PLACE PIN HERE>
+
+This also allows the ``dnssec-\*`` tools to access the HSM without PIN
+entry. (The ``pkcs11-\*`` tools access the HSM directly, not via OpenSSL, so
+a PIN is still required to use them.)
+
+In native PKCS#11 mode, the PIN can be provided in a file specified as
+an attribute of the key's label. For example, if a key had the label
+``pkcs11:object=local-zsk;pin-source=/etc/hsmpin``, then the PIN would
+be read from the file ``/etc/hsmpin``.
+
+.. warning::
+
+   Placing the HSM's PIN in a text file in this manner may reduce the
+   security advantage of using an HSM. Use caution
+   when configuring the system in this way.
diff --git a/doc/arm/platforms.rst b/doc/arm/platforms.rst
new file mode 100644
index 0000000..534157c
--- /dev/null
+++ b/doc/arm/platforms.rst
@@ -0,0 +1,113 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. _supported_os:
+
+Supported Platforms
+-------------------
+
+Current support status of various platforms and BIND 9 versions can be
+found in the ISC Knowledgebase:
+
+https://kb.isc.org/docs/supported-platforms
+
+In general, this version of BIND will build and run on any
+POSIX-compliant system with a C11-compliant C compiler, BSD-style
+sockets with RFC-compliant IPv6 support, POSIX-compliant threads, and
+the :ref:`required libraries <build_dependencies>`.
+
+The following C11 features are used in BIND 9:
+
+-  Atomic operations support from the compiler is needed, either in the
+   form of builtin operations, C11 atomics, or the ``Interlocked``
+   family of functions on Windows.
+
+-  Thread Local Storage support from the compiler is needed, either in
+   the form of C11 ``_Thread_local``/``thread_local``, the ``__thread``
+   GCC extension, or the ``__declspec(thread)`` MSVC extension on
+   Windows.
+
+ISC regularly tests BIND on many operating systems and architectures,
+but lacks the resources to test all of them. Consequently, ISC is only
+able to offer support on a “best effort� basis for some.
+
+Regularly tested platforms
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Current versions of BIND 9 are fully supported and regularly tested on the
+following systems:
+
+-  Debian 10, 11, 12
+-  Ubuntu LTS 18.04, 20.04, 22.04
+-  Fedora 38
+-  Red Hat Enterprise Linux / CentOS / Oracle Linux 7, 8, 9
+-  FreeBSD 12.4, 13.2
+-  OpenBSD 7.3
+-  Alpine Linux 3.18
+
+The amd64, i386, armhf and arm64 CPU architectures are all fully
+supported.
+
+Best effort
+~~~~~~~~~~~
+
+The following are platforms on which BIND is known to build and run. ISC
+makes every effort to fix bugs on these platforms, but may be unable to
+do so quickly due to lack of hardware, less familiarity on the part of
+engineering staff, and other constraints. With the exception of Windows
+Server 2016, none of these are tested regularly by ISC.
+
+-  Windows Server 2012 R2, 2016 / x64
+-  Windows 10 / x64
+-  macOS 10.12+
+-  Solaris 11
+-  NetBSD
+-  Other Linux distributions still supported by their vendors, such as:
+
+   -  Ubuntu 20.10+
+   -  Gentoo
+   -  Arch Linux
+
+-  OpenWRT/LEDE 17.01+
+-  Other CPU architectures (mips, mipsel, sparc, …)
+
+Community maintained
+~~~~~~~~~~~~~~~~~~~~
+
+These systems may not all have the required dependencies for building
+BIND easily available, although it will be possible in many cases to
+compile those directly from source. The community and interested parties
+may wish to help with maintenance, and we welcome patch contributions,
+although we cannot guarantee that we will accept them. All contributions
+will be assessed against the risk of adverse effect on officially
+supported platforms.
+
+-  Platforms past or close to their respective EOL dates, such as:
+
+   -  Ubuntu 14.04, 16.04 (Ubuntu ESM releases are not supported)
+   -  CentOS 6
+   -  Debian 8 Jessie, 9 Stretch
+   -  FreeBSD 10.x, 11.x
+
+Unsupported Platforms
+---------------------
+
+These are platforms on which BIND 9.16 is known *not* to build or run:
+
+-  Platforms without at least OpenSSL 1.0.2
+-  Windows 10 / x86
+-  Windows Server 2012 and older
+-  Solaris 10 and older
+-  Platforms that don’t support IPv6 Advanced Socket API (RFC 3542)
+-  Platforms that don’t support atomic operations (via compiler or
+   library)
+-  Linux without NPTL (Native POSIX Thread Library)
+-  Platforms on which ``libuv`` cannot be compiled
diff --git a/doc/arm/plugins.rst b/doc/arm/plugins.rst
new file mode 100644
index 0000000..1939ac7
--- /dev/null
+++ b/doc/arm/plugins.rst
@@ -0,0 +1,82 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. _module-info:
+
+Plugins
+-------
+
+Plugins are a mechanism to extend the functionality of ``named`` using
+dynamically loadable libraries. By using plugins, core server
+functionality can be kept simple for the majority of users; more complex
+code implementing optional features need only be installed by users that
+need those features.
+
+The plugin interface is a work in progress, and is expected to evolve as
+more plugins are added. Currently, only "query plugins" are supported;
+these modify the name server query logic. Other plugin types may be
+added in the future.
+
+The only plugin currently included in BIND is ``filter-aaaa.so``, which
+replaces the ``filter-aaaa`` feature that previously existed natively as
+part of ``named``. The code for this feature has been removed from
+``named`` and can no longer be configured using standard ``named.conf``
+syntax, but linking in the ``filter-aaaa.so`` plugin provides identical
+functionality.
+
+Configuring Plugins
+~~~~~~~~~~~~~~~~~~~
+
+A plugin is configured with the ``plugin`` statement in ``named.conf``:
+
+::
+
+       plugin query "library.so" {
+           parameters
+       };
+
+
+In this example, file ``library.so`` is the plugin library. ``query``
+indicates that this is a query plugin.
+
+Multiple ``plugin`` statements can be specified, to load different
+plugins or multiple instances of the same plugin.
+
+``parameters`` are passed as an opaque string to the plugin's initialization
+routine. Configuration syntax differs depending on the module.
+
+Developing Plugins
+~~~~~~~~~~~~~~~~~~
+
+Each plugin implements four functions:
+
+-  ``plugin_register``
+   to allocate memory, configure a plugin instance, and attach to hook
+   points within
+   ``named``
+   ,
+-  ``plugin_destroy``
+   to tear down the plugin instance and free memory,
+-  ``plugin_version``
+   to check that the plugin is compatible with the current version of
+   the plugin API,
+-  ``plugin_check``
+   to test syntactic correctness of the plugin parameters.
+
+At various locations within the ``named`` source code, there are "hook
+points" at which a plugin may register itself. When a hook point is
+reached while ``named`` is running, it is checked to see whether any
+plugins have registered themselves there; if so, the associated "hook
+action" - a function within the plugin library - is called. Hook
+actions may examine the runtime state and make changes: for example,
+modifying the answers to be sent back to a client or forcing a query to
+be aborted. More details can be found in the file
+``lib/ns/include/ns/hooks.h``.
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
new file mode 100644
index 0000000..4bb477a
--- /dev/null
+++ b/doc/arm/reference.rst
@@ -0,0 +1,7057 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. Reference:
+
+BIND 9 Configuration Reference
+==============================
+
+.. _configuration_file_elements:
+
+Configuration File Elements
+---------------------------
+
+Following is a list of elements used throughout the BIND configuration
+file documentation:
+
+.. glossary::
+
+    ``acl_name``
+        The name of an ``address_match_list`` as defined by the ``acl`` statement.
+
+    ``address_match_list``
+        A list of one or more ``ip_addr``, ``ip_prefix``, ``key_id``, or ``acl_name`` elements; see :ref:`address_match_lists`.
+
+    ``remoteserver_list``
+        A named list of one or more ``ip_addr`` with optional ``key_id`` and/or ``ip_port``. A ``remoteserver_list`` may include other ``remoteserver_list``.
+
+    ``domain_name``
+        A quoted string which is used as a DNS name; for example. ``my.test.domain``.
+
+    ``namelist``
+        A list of one or more ``domain_name`` elements.
+
+    ``dotted_decimal``
+        One to four integers valued 0 through 255 separated by dots (``.``), such as ``123.45.67`` or ``89.123.45.67``.
+
+    ``ip4_addr``
+        An IPv4 address with exactly four elements in ``dotted_decimal`` notation.
+
+    ``ip6_addr``
+        An IPv6 address, such as ``2001:db8::1234``. IPv6-scoped addresses that have ambiguity on their scope zones must be disambiguated by an appropriate zone ID with the percent character (``%``) as a delimiter. It is strongly recommended to use string zone names rather than numeric identifiers, to be robust against system configuration changes. However, since there is no standard mapping for such names and identifier values, only interface names as link identifiers are supported, assuming one-to-one mapping between interfaces and links. For example, a link-local address ``fe80::1`` on the link attached to the interface ``ne0`` can be specified as ``fe80::1%ne0``. Note that on most systems link-local addresses always have ambiguity and need to be disambiguated.
+
+    ``ip_addr``
+        An ``ip4_addr`` or ``ip6_addr``.
+
+    ``ip_dscp``
+        A ``number`` between 0 and 63, used to select a differentiated services code point (DSCP) value for use with outgoing traffic on operating systems that support DSCP.
+
+    ``ip_port``
+        An IP port ``number``. The ``number`` is limited to 0 through 65535, with values below 1024 typically restricted to use by processes running as root. In some cases, an asterisk (``*``) character can be used as a placeholder to select a random high-numbered port.
+
+    ``ip_prefix``
+        An IP network specified as an ``ip_addr``, followed by a slash (``/``) and then the number of bits in the netmask. Trailing zeros in an``ip_addr`` may be omitted. For example, ``127/8`` is the network ``127.0.0.0``with netmask ``255.0.0.0`` and ``1.2.3.0/28`` is network ``1.2.3.0`` with netmask ``255.255.255.240``.
+        When specifying a prefix involving a IPv6-scoped address, the scope may be omitted. In that case, the prefix matches packets from any scope.
+
+    ``key_id``
+        A ``domain_name`` representing the name of a shared key, to be used for transaction security.
+
+    ``key_list``
+        A list of one or more ``key_id``, separated by semicolons and ending with a semicolon.
+
+    ``number``
+        A non-negative 32-bit integer (i.e., a number between 0 and 4294967295, inclusive). Its acceptable value might be further limited by the context in which it is used.
+
+    ``fixedpoint``
+        A non-negative real number that can be specified to the nearest one-hundredth. Up to five digits can be specified before a decimal point, and up to two digits after, so the maximum value is 99999.99. Acceptable values might be further limited by the contexts in which they are used.
+
+    ``path_name``
+        A quoted string which is used as a pathname, such as ``zones/master/my.test.domain``.
+
+    ``port_list``
+        A list of an ``ip_port`` or a port range. A port range is specified in the form of ``range`` followed by two ``ip_port``s, ``port_low`` and ``port_high``, which represents port numbers from ``port_low`` through ``port_high``, inclusive. ``port_low`` must not be larger than ``port_high``. For example, ``range 1024 65535`` represents ports from 1024 through 65535. In either case an asterisk (``*``) character is not allowed as a valid ``ip_port``.
+
+    ``size_spec``
+        A 64-bit unsigned integer, or the keywords ``unlimited`` or ``default``. Integers may take values 0 <= value <= 18446744073709551615, though certain parameters (such as ``max-journal-size``) may use a more limited range within these extremes. In most cases, setting a value to 0 does not literally mean zero; it means "undefined" or "as big as possible," depending on the context. See the explanations of particular parameters that use ``size_spec`` for details on how they interpret its use. Numeric values can optionally be followed by a scaling factor: ``K`` or ``k`` for kilobytes, ``M`` or ``m`` for megabytes, and ``G`` or ``g`` for gigabytes, which scale by 1024, 1024*1024, and 1024*1024*1024 respectively.
+        ``unlimited`` generally means "as big as possible," and is usually the best way to safely set a very large number.
+        ``default`` uses the limit that was in force when the server was started.
+
+    ``size_or_percent``
+         A ``size_spec`` or integer value followed by ``%`` to represent percent. The behavior is exactly the same as ``size_spec``, but ``size_or_percent`` also allows specifying a positive integer value followed by the ``%`` sign to represent percent.
+
+    ``yes_or_no``
+        Either ``yes`` or ``no``. The words ``true`` and ``false`` are also accepted, as are the numbers ``1`` and ``0``.
+
+    ``dialup_option``
+        One of ``yes``, ``no``, ``notify``, ``notify-passive``, ``refresh``, or  ``passive``. When used in a zone, ``notify-passive``, ``refresh``, and ``passive`` are restricted to secondary and stub zones.
+
+    ``duration``
+        A duration in BIND 9 can be written in three ways: as single number
+        representing seconds, as a string of numbers with TTL-style
+        time-unit suffixes, or in ISO 6801 duration format.
+
+        Allowed TTL time-unit suffixes are: "W" (week), "D" (day), "H" (hour),
+        "M" (minute), and "S" (second). Examples: "1W" (1 week), "3d12h"
+        (3 days, 12 hours).
+
+        ISO 8601 duration format consists of the letter "P", followed by an
+	optional series of numbers with unit suffixes "Y" (year), "M" (month),
+        "W" (week), and "D" (day); this may optionally be followed by the
+        letter "T", and another series of numbers with unit suffixes
+        "H" (hour), "M" (minute), and "S" (second). Examples: "P3M10D"
+        (3 months, 10 days), "P2WT12H" (2 weeks, 12 hours), "pt15m"
+        (15 minutes).  For more information on ISO 8601 duration format,
+        see :rfc:`3339`, appendix A.
+
+        Both TTL-style and ISO 8601 duration formats are case-insensitive.
+
+.. _address_match_lists:
+
+Address Match Lists
+~~~~~~~~~~~~~~~~~~~
+
+Syntax
+^^^^^^
+
+::
+
+   address_match_list = address_match_list_element ; ...
+
+   address_match_list_element = [ ! ] ( ip_address | ip_prefix |
+        key key_id | acl_name | { address_match_list } )
+
+Definition and Usage
+^^^^^^^^^^^^^^^^^^^^
+
+Address match lists are primarily used to determine access control for
+various server operations. They are also used in the ``listen-on`` and
+``sortlist`` statements. The elements which constitute an address match
+list can be any of the following:
+
+-  an IP address (IPv4 or IPv6)
+
+-  an IP prefix (in ``/`` notation)
+
+-  a key ID, as defined by the ``key`` statement
+
+-  the name of an address match list defined with the ``acl`` statement
+
+-  a nested address match list enclosed in braces
+
+Elements can be negated with a leading exclamation mark (``!``), and the
+match list names "any", "none", "localhost", and "localnets" are
+predefined. More information on those names can be found in the
+description of the ``acl`` statement.
+
+The addition of the key clause made the name of this syntactic element
+something of a misnomer, since security keys can be used to validate
+access without regard to a host or network address. Nonetheless, the
+term "address match list" is still used throughout the documentation.
+
+When a given IP address or prefix is compared to an address match list,
+the comparison takes place in approximately O(1) time. However, key
+comparisons require that the list of keys be traversed until a matching
+key is found, and therefore may be somewhat slower.
+
+The interpretation of a match depends on whether the list is being used
+for access control, defining ``listen-on`` ports, or in a ``sortlist``,
+and whether the element was negated.
+
+When used as an access control list, a non-negated match allows access
+and a negated match denies access. If there is no match, access is
+denied. The clauses ``allow-notify``, ``allow-recursion``,
+``allow-recursion-on``, ``allow-query``, ``allow-query-on``,
+``allow-query-cache``, ``allow-query-cache-on``, ``allow-transfer``,
+``allow-update``, ``allow-update-forwarding``, ``blackhole``, and
+``keep-response-order`` all use address match lists. Similarly, the
+``listen-on`` option causes the server to refuse queries on any of
+the machine's addresses which do not match the list.
+
+Order of insertion is significant. If more than one element in an ACL is
+found to match a given IP address or prefix, preference is given to
+the one that came *first* in the ACL definition. Because of this
+first-match behavior, an element that defines a subset of another
+element in the list should come before the broader element, regardless
+of whether either is negated. For example, in ``1.2.3/24; ! 1.2.3.13;``
+the 1.2.3.13 element is completely useless because the algorithm
+matches any lookup for 1.2.3.13 to the 1.2.3/24 element. Using
+``! 1.2.3.13; 1.2.3/24`` fixes that problem by blocking 1.2.3.13
+via the negation, but all other 1.2.3.\* hosts pass through.
+
+.. _comment_syntax:
+
+Comment Syntax
+~~~~~~~~~~~~~~
+
+The BIND 9 comment syntax allows comments to appear anywhere that
+whitespace may appear in a BIND configuration file. To appeal to
+programmers of all kinds, they can be written in the C, C++, or
+shell/perl style.
+
+Syntax
+^^^^^^
+
+::
+
+   /* This is a BIND comment as in C */
+
+::
+
+   // This is a BIND comment as in C++
+
+::
+
+   # This is a BIND comment as in common Unix shells
+   # and perl
+
+Definition and Usage
+^^^^^^^^^^^^^^^^^^^^
+
+Comments may appear anywhere that whitespace may appear in a BIND
+configuration file.
+
+C-style comments start with the two characters /\* (slash, star) and end
+with \*/ (star, slash). Because they are completely delimited with these
+characters, they can be used to comment only a portion of a line or to
+span multiple lines.
+
+C-style comments cannot be nested. For example, the following is not
+valid because the entire comment ends with the first \*/:
+
+::
+
+   /* This is the start of a comment.
+      This is still part of the comment.
+   /* This is an incorrect attempt at nesting a comment. */
+      This is no longer in any comment. */
+
+C++-style comments start with the two characters // (slash, slash) and
+continue to the end of the physical line. They cannot be continued
+across multiple physical lines; to have one logical comment span
+multiple lines, each line must use the // pair. For example:
+
+::
+
+   // This is the start of a comment.  The next line
+   // is a new comment, even though it is logically
+   // part of the previous comment.
+
+Shell-style (or perl-style) comments start with the
+character ``#`` (number sign) and continue to the end of the physical
+line, as in C++ comments. For example:
+
+::
+
+   # This is the start of a comment.  The next line
+   # is a new comment, even though it is logically
+   # part of the previous comment.
+
+..
+
+.. warning::
+
+   The semicolon (``;``) character cannot start a comment, unlike
+   in a zone file. The semicolon indicates the end of a
+   configuration statement.
+
+.. _Configuration_File_Grammar:
+
+Configuration File Grammar
+--------------------------
+
+A BIND 9 configuration consists of statements and comments. Statements
+end with a semicolon; statements and comments are the only elements that
+can appear without enclosing braces. Many statements contain a block of
+sub-statements, which are also terminated with a semicolon.
+
+The following statements are supported:
+
+    ``acl``
+        Defines a named IP address matching list, for access control and other uses.
+
+    ``controls``
+        Declares control channels to be used by the ``rndc`` utility.
+
+    ``dnssec-policy``
+        Describes a DNSSEC key and signing policy for zones. See :ref:`dnssec-policy Grammar <dnssec_policy_grammar>` for details.
+
+    ``include``
+        Includes a file.
+
+    ``key``
+        Specifies key information for use in authentication and authorization using TSIG.
+
+    ``logging``
+        Specifies what information the server logs and where the log messages are sent.
+
+    ``masters``
+        Synonym for ``primaries``.
+
+    ``options``
+        Controls global server configuration options and sets defaults for other statements.
+
+    ``parental-agents``
+        Defines a named list of servers for inclusion in primary and secondary zones' ``parental-agents`` lists.
+
+    ``primaries``
+        Defines a named list of servers for inclusion in stub and secondary zones' ``primaries`` or ``also-notify`` lists. (Note: this is a synonym for the original keyword ``masters``, which can still be used, but is no longer the preferred terminology.)
+
+    ``server``
+        Sets certain configuration options on a per-server basis.
+
+    ``statistics-channels``
+        Declares communication channels to get access to ``named`` statistics.
+
+    ``trust-anchors``
+        Defines DNSSEC trust anchors: if used with the ``initial-key`` or ``initial-ds`` keyword, trust anchors are kept up-to-date using :rfc:`5011` trust anchor maintenance; if used with ``static-key`` or ``static-ds``, keys are permanent.
+
+    ``managed-keys``
+        Is identical to ``trust-anchors``; this option is deprecated in favor of ``trust-anchors`` with the ``initial-key`` keyword, and may be removed in a future release.
+
+    ``trusted-keys``
+        Defines permanent trusted DNSSEC keys; this option is deprecated in favor of ``trust-anchors`` with the ``static-key`` keyword, and may be removed in a future release.
+
+    ``view``
+        Defines a view.
+
+    ``zone``
+        Defines a zone.
+
+The ``logging`` and ``options`` statements may only occur once per
+configuration.
+
+.. _acl_grammar:
+
+``acl`` Statement Grammar
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: ../misc/acl.grammar.rst
+
+.. _acl:
+
+``acl`` Statement Definition and Usage
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The ``acl`` statement assigns a symbolic name to an address match list.
+It gets its name from one of the primary uses of address match lists: Access
+Control Lists (ACLs).
+
+The following ACLs are built-in:
+
+    ``any``
+        Matches all hosts.
+
+    ``none``
+        Matches no hosts.
+
+    ``localhost``
+        Matches the IPv4 and IPv6 addresses of all network interfaces on the system. When addresses are added or removed, the ``localhost`` ACL element is updated to reflect the changes.
+
+    ``localnets``
+        Matches any host on an IPv4 or IPv6 network for which the system has an interface. When addresses are added or removed, the ``localnets`` ACL element is updated to reflect the changes. Some systems do not provide a way to determine the prefix lengths of local IPv6 addresses; in such cases, ``localnets`` only matches the local IPv6 addresses, just like ``localhost``.
+
+.. _controls_grammar:
+
+``controls`` Statement Grammar
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: ../misc/controls.grammar.rst
+
+.. _controls_statement_definition_and_usage:
+
+``controls`` Statement Definition and Usage
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The ``controls`` statement declares control channels to be used by
+system administrators to manage the operation of the name server. These
+control channels are used by the ``rndc`` utility to send commands to
+and retrieve non-DNS results from a name server.
+
+An ``inet`` control channel is a TCP socket listening at the specified
+``ip_port`` on the specified ``ip_addr``, which can be an IPv4 or IPv6
+address. An ``ip_addr`` of ``*`` (asterisk) is interpreted as the IPv4
+wildcard address; connections are accepted on any of the system's
+IPv4 addresses. To listen on the IPv6 wildcard address, use an
+``ip_addr`` of ``::``. If ``rndc`` is only used on the local host,
+using the loopback address (``127.0.0.1`` or ``::1``) is recommended for
+maximum security.
+
+If no port is specified, port 953 is used. The asterisk ``*`` cannot
+be used for ``ip_port``.
+
+The ability to issue commands over the control channel is restricted by
+the ``allow`` and ``keys`` clauses. Connections to the control channel
+are permitted based on the ``address_match_list``. This is for simple IP
+address-based filtering only; any ``key_id`` elements of the
+``address_match_list`` are ignored.
+
+A ``unix`` control channel is a Unix domain socket listening at the
+specified path in the file system. Access to the socket is specified by
+the ``perm``, ``owner``, and ``group`` clauses. Note that on some platforms
+(SunOS and Solaris), the permissions (``perm``) are applied to the parent
+directory as the permissions on the socket itself are ignored.
+
+The primary authorization mechanism of the command channel is the
+``key_list``, which contains a list of ``key_id``s. Each ``key_id`` in
+the ``key_list`` is authorized to execute commands over the control
+channel. See :ref:`admin_tools` for information about
+configuring keys in ``rndc``.
+
+If the ``read-only`` clause is enabled, the control channel is limited
+to the following set of read-only commands: ``nta -dump``, ``null``,
+``status``, ``showzone``, ``testgen``, and ``zonestatus``. By default,
+``read-only`` is not enabled and the control channel allows read-write
+access.
+
+If no ``controls`` statement is present, ``named`` sets up a default
+control channel listening on the loopback address 127.0.0.1 and its IPv6
+counterpart, ::1. In this case, and also when the ``controls`` statement
+is present but does not have a ``keys`` clause, ``named`` attempts
+to load the command channel key from the file ``rndc.key`` in ``/etc``
+(or whatever ``sysconfdir`` was specified when BIND was built). To
+create an ``rndc.key`` file, run ``rndc-confgen -a``.
+
+To disable the command channel, use an empty ``controls`` statement:
+``controls { };``.
+
+.. _include_grammar:
+
+``include`` Statement Grammar
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+::
+
+   include filename;
+
+.. _include_statement:
+
+``include`` Statement Definition and Usage
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The ``include`` statement inserts the specified file at the point where the
+``include`` statement is encountered. The ``include`` statement facilitates
+the administration of configuration files by permitting the reading or
+writing of some things but not others. For example, the statement could
+include private keys that are readable only by the name server.
+
+.. _key_grammar:
+
+``key`` Statement Grammar
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: ../misc/key.grammar.rst
+
+.. _key_statement:
+
+``key`` Statement Definition and Usage
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The ``key`` statement defines a shared secret key for use with TSIG (see
+:ref:`tsig`) or the command channel (see :ref:`controls_statement_definition_and_usage`).
+
+The ``key`` statement can occur at the top level of the configuration
+file or inside a ``view`` statement. Keys defined in top-level ``key``
+statements can be used in all views. Keys intended for use in a
+``controls`` statement (see :ref:`controls_statement_definition_and_usage`)
+must be defined at the top level.
+
+The ``key_id``, also known as the key name, is a domain name that uniquely
+identifies the key. It can be used in a ``server`` statement to cause
+requests sent to that server to be signed with this key, or in address
+match lists to verify that incoming requests have been signed with a key
+matching this name, algorithm, and secret.
+
+The ``algorithm_id`` is a string that specifies a security/authentication
+algorithm. The ``named`` server supports ``hmac-md5``, ``hmac-sha1``,
+``hmac-sha224``, ``hmac-sha256``, ``hmac-sha384``, and ``hmac-sha512``
+TSIG authentication. Truncated hashes are supported by appending the
+minimum number of required bits preceded by a dash, e.g.,
+``hmac-sha1-80``. The ``secret_string`` is the secret to be used by the
+algorithm, and is treated as a Base64-encoded string.
+
+.. _logging_grammar:
+
+``logging`` Statement Grammar
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: ../misc/logging.grammar.rst
+
+.. _logging_statement:
+
+``logging`` Statement Definition and Usage
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The ``logging`` statement configures a wide variety of logging options
+for the name server. Its ``channel`` phrase associates output methods,
+format options, and severity levels with a name that can then be used
+with the ``category`` phrase to select how various classes of messages
+are logged.
+
+Only one ``logging`` statement is used to define as many channels and
+categories as desired. If there is no ``logging`` statement, the
+logging configuration is:
+
+::
+
+   logging {
+        category default { default_syslog; default_debug; };
+        category unmatched { null; };
+   };
+
+If ``named`` is started with the ``-L`` option, it logs to the specified
+file at startup, instead of using syslog. In this case the logging
+configuration is:
+
+::
+
+   logging {
+        category default { default_logfile; default_debug; };
+        category unmatched { null; };
+   };
+
+The logging configuration is only established when the entire
+configuration file has been parsed. When the server starts up, all
+logging messages regarding syntax errors in the configuration file go to
+the default channels, or to standard error if the ``-g`` option was
+specified.
+
+.. _channel:
+
+The ``channel`` Phrase
+^^^^^^^^^^^^^^^^^^^^^^
+
+All log output goes to one or more ``channels``; there is no limit to
+the number of channels that can be created.
+
+Every channel definition must include a destination clause that says
+whether messages selected for the channel go to a file, go to a particular
+syslog facility, go to the standard error stream, or are discarded. The definition can
+optionally also limit the message severity level that is accepted
+by the channel (the default is ``info``), and whether to include a
+``named``-generated time stamp, the category name, and/or the severity level
+(the default is not to include any).
+
+The ``null`` destination clause causes all messages sent to the channel
+to be discarded; in that case, other options for the channel are
+meaningless.
+
+The ``file`` destination clause directs the channel to a disk file. It
+can include additional arguments to specify how large the file is
+allowed to become before it is rolled to a backup file (``size``), how
+many backup versions of the file are saved each time this happens
+(``versions``), and the format to use for naming backup versions
+(``suffix``).
+
+The ``size`` option is used to limit log file growth. If the file ever
+exceeds the specified size, then ``named`` stops writing to the file
+unless it has a ``versions`` option associated with it. If backup
+versions are kept, the files are rolled as described below. If there is
+no ``versions`` option, no more data is written to the log until
+some out-of-band mechanism removes or truncates the log to less than the
+maximum size. The default behavior is not to limit the size of the file.
+
+File rolling only occurs when the file exceeds the size specified with
+the ``size`` option. No backup versions are kept by default; any
+existing log file is simply appended. The ``versions`` option specifies
+how many backup versions of the file should be kept. If set to
+``unlimited``, there is no limit.
+
+The ``suffix`` option can be set to either ``increment`` or
+``timestamp``. If set to ``timestamp``, then when a log file is rolled,
+it is saved with the current timestamp as a file suffix. If set to
+``increment``, then backup files are saved with incrementing numbers as
+suffixes; older files are renamed when rolling. For example, if
+``versions`` is set to 3 and ``suffix`` to ``increment``, then when
+``filename.log`` reaches the size specified by ``size``,
+``filename.log.1`` is renamed to ``filename.log.2``, ``filename.log.0``
+is renamed to ``filename.log.1``, and ``filename.log`` is renamed to
+``filename.log.0``, whereupon a new ``filename.log`` is opened.
+
+Here is an example using the ``size``, ``versions``, and ``suffix`` options:
+
+::
+
+   channel an_example_channel {
+       file "example.log" versions 3 size 20m suffix increment;
+       print-time yes;
+       print-category yes;
+   };
+
+The ``syslog`` destination clause directs the channel to the system log.
+Its argument is a syslog facility as described in the ``syslog`` man
+page. Known facilities are ``kern``, ``user``, ``mail``, ``daemon``,
+``auth``, ``syslog``, ``lpr``, ``news``, ``uucp``, ``cron``,
+``authpriv``, ``ftp``, ``local0``, ``local1``, ``local2``, ``local3``,
+``local4``, ``local5``, ``local6``, and ``local7``; however, not all
+facilities are supported on all operating systems. How ``syslog`` 
+handles messages sent to this facility is described in the
+``syslog.conf`` man page. On a system which uses a very old
+version of ``syslog``, which only uses two arguments to the ``openlog()``
+function, this clause is silently ignored.
+
+On Windows machines, syslog messages are directed to the EventViewer.
+
+The ``severity`` clause works like ``syslog``'s "priorities," except
+that they can also be used when writing straight to a file rather
+than using ``syslog``. Messages which are not at least of the severity
+level given are not selected for the channel; messages of higher
+severity levels are accepted.
+
+When using ``syslog``, the ``syslog.conf`` priorities
+also determine what eventually passes through. For example, defining a
+channel facility and severity as ``daemon`` and ``debug``, but only
+logging ``daemon.warning`` via ``syslog.conf``, causes messages of
+severity ``info`` and ``notice`` to be dropped. If the situation were
+reversed, with ``named`` writing messages of only ``warning`` or higher,
+then ``syslogd`` would print all messages it received from the channel.
+
+The ``stderr`` destination clause directs the channel to the server's
+standard error stream. This is intended for use when the server is
+running as a foreground process, as when debugging a
+configuration, for example.
+
+The server can supply extensive debugging information when it is in
+debugging mode. If the server's global debug level is greater than zero,
+debugging mode is active. The global debug level is set either
+by starting the ``named`` server with the ``-d`` flag followed by a
+positive integer, or by running ``rndc trace``. The global debug level
+can be set to zero, and debugging mode turned off, by running ``rndc
+notrace``. All debugging messages in the server have a debug level;
+higher debug levels give more detailed output. Channels that specify a
+specific debug severity, for example:
+
+::
+
+   channel specific_debug_level {
+       file "foo";
+       severity debug 3;
+   };
+
+get debugging output of level 3 or less any time the server is in
+debugging mode, regardless of the global debugging level. Channels with
+``dynamic`` severity use the server's global debug level to determine
+what messages to print.
+
+``print-time`` can be set to ``yes``, ``no``, or a time format
+specifier, which may be one of ``local``, ``iso8601``, or
+``iso8601-utc``. If set to ``no``, the date and time are not
+logged. If set to ``yes`` or ``local``, the date and time are logged in
+a human-readable format, using the local time zone. If set to
+``iso8601``, the local time is logged in ISO 8601 format. If set to
+``iso8601-utc``, the date and time are logged in ISO 8601 format,
+with time zone set to UTC. The default is ``no``.
+
+``print-time`` may be specified for a ``syslog`` channel, but it is
+usually pointless since ``syslog`` also logs the date and time.
+
+If ``print-category`` is requested, then the category of the message
+is logged as well. Finally, if ``print-severity`` is on, then the
+severity level of the message is logged. The ``print-`` options may
+be used in any combination, and are always printed in the following
+order: time, category, severity. Here is an example where all three
+``print-`` options are on:
+
+``28-Feb-2000 15:05:32.863 general: notice: running``
+
+If ``buffered`` has been turned on, the output to files is not
+flushed after each log entry. By default all log messages are flushed.
+
+There are four predefined channels that are used for ``named``'s default
+logging, as follows. If ``named`` is started with the ``-L`` option, then a fifth
+channel, ``default_logfile``, is added. How they are used is described in
+:ref:`the_category_phrase`.
+
+::
+
+   channel default_syslog {
+       // send to syslog's daemon facility
+       syslog daemon;
+       // only send priority info and higher
+       severity info;
+   };
+
+   channel default_debug {
+       // write to named.run in the working directory
+       // Note: stderr is used instead of "named.run" if
+       // the server is started with the '-g' option.
+       file "named.run";
+       // log at the server's current debug level
+       severity dynamic;
+   };
+
+   channel default_stderr {
+       // writes to stderr
+       stderr;
+       // only send priority info and higher
+       severity info;
+   };
+
+   channel null {
+      // toss anything sent to this channel
+      null;
+   };
+
+   channel default_logfile {
+       // this channel is only present if named is
+       // started with the -L option, whose argument
+       // provides the file name
+       file "...";
+       // log at the server's current debug level
+       severity dynamic;
+   };
+
+The ``default_debug`` channel has the special property that it only
+produces output when the server's debug level is non-zero. It normally
+writes to a file called ``named.run`` in the server's working directory.
+
+For security reasons, when the ``-u`` command-line option is used, the
+``named.run`` file is created only after ``named`` has changed to the
+new UID, and any debug output generated while ``named`` is starting -
+and still running as root - is discarded. To capture this
+output, run the server with the ``-L`` option to specify a
+default logfile, or the ``-g`` option to log to standard error which can
+be redirected to a file.
+
+Once a channel is defined, it cannot be redefined. The
+built-in channels cannot be altered directly, but the default logging
+can be modified by pointing categories at defined channels.
+
+.. _the_category_phrase:
+
+The ``category`` Phrase
+^^^^^^^^^^^^^^^^^^^^^^^
+
+There are many categories, so desired logs can be sent anywhere
+while unwanted logs are ignored. If
+a list of channels is not specified for a category, log messages in that
+category are sent to the ``default`` category instead. If no
+default category is specified, the following "default default" is used:
+
+::
+
+   category default { default_syslog; default_debug; };
+
+If ``named`` is started with the ``-L`` option, the default category
+is:
+
+::
+
+   category default { default_logfile; default_debug; };
+
+As an example, let's say a user wants to log security events to a file, but
+also wants to keep the default logging behavior. They would specify the
+following:
+
+::
+
+   channel my_security_channel {
+       file "my_security_file";
+       severity info;
+   };
+   category security {
+       my_security_channel;
+       default_syslog;
+       default_debug;
+   };
+
+To discard all messages in a category, specify the ``null`` channel:
+
+::
+
+   category xfer-out { null; };
+   category notify { null; };
+
+The following are the available categories and brief descriptions of the
+types of log information they contain. More categories may be added in
+future BIND releases.
+
+.. include:: logging-categories.rst
+
+.. _query_errors:
+
+The ``query-errors`` Category
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The ``query-errors`` category is used to indicate why and how specific queries
+resulted in responses which indicate an error.  Normally, these messages are
+logged at ``debug`` logging levels; note, however, that if query logging is
+active, some are logged at ``info``. The logging levels are described below:
+
+At ``debug`` level 1 or higher - or at ``info`` when query logging is
+active - each response with the rcode of SERVFAIL is logged as follows:
+
+``client 127.0.0.1#61502: query failed (SERVFAIL) for www.example.com/IN/AAAA at query.c:3880``
+
+This means an error resulting in SERVFAIL was detected at line 3880 of source
+file ``query.c``.  Log messages of this level are particularly helpful in identifying
+the cause of SERVFAIL for an authoritative server.
+
+At ``debug`` level 2 or higher, detailed context information about recursive
+resolutions that resulted in SERVFAIL is logged.  The log message looks
+like this:
+
+::
+
+   fetch completed at resolver.c:2970 for www.example.com/A
+   in 10.000183: timed out/success [domain:example.com,
+   referral:2,restart:7,qrysent:8,timeout:5,lame:0,quota:0,neterr:0,
+   badresp:1,adberr:0,findfail:0,valfail:0]
+
+The first part before the colon shows that a recursive resolution for
+AAAA records of www.example.com completed in 10.000183 seconds, and the
+final result that led to the SERVFAIL was determined at line 2970 of
+source file ``resolver.c``.
+
+The next part shows the detected final result and the latest result of
+DNSSEC validation.  The latter is always "success" when no validation attempt
+was made.  In this example, this query probably resulted in SERVFAIL because all
+name servers are down or unreachable, leading to a timeout in 10 seconds.
+DNSSEC validation was probably not attempted.
+
+The last part, enclosed in square brackets, shows statistics collected for this
+particular resolution attempt.  The ``domain`` field shows the deepest zone that
+the resolver reached; it is the zone where the error was finally detected.  The
+meaning of the other fields is summarized in the following list.
+
+``referral``
+    The number of referrals the resolver received throughout the resolution process. In the above ``example.com`` there are two.
+
+``restart``
+    The number of cycles that the resolver tried remote servers at the ``domain`` zone. In each cycle, the resolver sends one query (possibly resending it, depending on the response) to each known name server of the ``domain`` zone.
+
+``qrysent``
+    The number of queries the resolver sent at the ``domain`` zone.
+
+``timeout``
+    The number of timeouts the resolver received since the last response.
+
+``lame``
+    The number of lame servers the resolver detected at the ``domain`` zone. A server is detected to be lame either by an invalid response or as a result of lookup in BIND 9's address database (ADB), where lame servers are cached.
+
+``quota``
+    The number of times the resolver was unable to send a query because it had exceeded the permissible fetch quota for a server.
+
+``neterr``
+    The number of erroneous results that the resolver encountered in sending queries at the ``domain`` zone. One common case is when the remote server is unreachable and the resolver receives an "ICMP unreachable" error message.
+
+``badresp``
+    The number of unexpected responses (other than ``lame``) to queries sent by the resolver at the ``domain`` zone.
+
+``adberr``
+    Failures in finding remote server addresses of the``domain`` zone in the ADB. One common case of this is that the remote server's name does not have any address records.
+
+``findfail``
+    Failures to resolve remote server addresses. This is a total number of failures throughout the resolution process.
+
+``valfail``
+    Failures of DNSSEC validation. Validation failures are counted throughout the resolution process (not limited to the ``domain`` zone), but should only happen in ``domain``.
+
+At ``debug`` level 3 or higher, the same messages as those at
+``debug`` level 1 are logged for errors other than
+SERVFAIL. Note that negative responses such as NXDOMAIN are not errors, and are
+not logged at this debug level.
+
+At ``debug`` level 4 or higher, the detailed context information logged at
+``debug`` level 2 is logged for errors other than SERVFAIL and for negative
+responses such as NXDOMAIN.
+
+.. _parental_agents_grammar:
+
+``parental-agents`` Statement Grammar
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: ../misc/parental-agents.grammar.rst
+
+.. _parental_agents_statement:
+
+``parental-agents`` Statement Definition and Usage
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+``parental-agents`` lists allow for a common set of parental agents to be easily
+used by multiple primary and secondary zones in their ``parental-agents`` lists.
+A parental agent is the entity that the zone has a relationship with to
+change its delegation information (defined in :rfc:`7344`).
+
+.. _primaries_grammar:
+
+``primaries`` Statement Grammar
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: ../misc/primaries.grammar.rst
+
+.. _primaries_statement:
+
+``primaries`` Statement Definition and Usage
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+``primaries`` lists allow for a common set of primary servers  to be easily
+used by multiple stub and secondary zones in their ``primaries`` or
+``also-notify`` lists. (Note: ``primaries`` is a synonym for the original
+keyword ``masters``, which can still be used, but is no longer the
+preferred terminology.)
+
+.. _options_grammar:
+
+``options`` Statement Grammar
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This is the grammar of the ``options`` statement in the ``named.conf``
+file:
+
+.. include:: ../misc/options.grammar.rst
+
+.. _options:
+
+``options`` Statement Definition and Usage
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The ``options`` statement sets up global options to be used by BIND.
+This statement may appear only once in a configuration file. If there is
+no ``options`` statement, an options block with each option set to its
+default is used.
+
+.. _attach-cache:
+
+``attach-cache``
+   This option allows multiple views to share a single cache database. Each view has
+   its own cache database by default, but if multiple views have the
+   same operational policy for name resolution and caching, those views
+   can share a single cache to save memory, and possibly improve
+   resolution efficiency, by using this option.
+
+   The ``attach-cache`` option may also be specified in ``view``
+   statements, in which case it overrides the global ``attach-cache``
+   option.
+
+   The ``cache_name`` specifies the cache to be shared. When the ``named``
+   server configures views which are supposed to share a cache, it
+   creates a cache with the specified name for the first view of these
+   sharing views. The rest of the views simply refer to the
+   already-created cache.
+
+   One common configuration to share a cache is to allow all views
+   to share a single cache. This can be done by specifying
+   ``attach-cache`` as a global option with an arbitrary name.
+
+   Another possible operation is to allow a subset of all views to share
+   a cache while the others retain their own caches. For example, if
+   there are three views A, B, and C, and only A and B should share a
+   cache, specify the ``attach-cache`` option as a view of A (or B)'s
+   option, referring to the other view name:
+
+   ::
+
+        view "A" {
+          // this view has its own cache
+          ...
+        };
+        view "B" {
+          // this view refers to A's cache
+          attach-cache "A";
+        };
+        view "C" {
+          // this view has its own cache
+          ...
+        };
+
+   Views that share a cache must have the same policy on configurable
+   parameters that may affect caching. The current implementation
+   requires the following configurable options be consistent among these
+   views: ``check-names``, ``dnssec-accept-expired``,
+   ``dnssec-validation``, ``max-cache-ttl``, ``max-ncache-ttl``,
+   ``max-stale-ttl``, ``max-cache-size``, ``min-cache-ttl``,
+   ``min-ncache-ttl``, and ``zero-no-soa-ttl``.
+
+   Note that there may be other parameters that may cause confusion if
+   they are inconsistent for different views that share a single cache.
+   For example, if these views define different sets of forwarders that
+   can return different answers for the same question, sharing the
+   answer does not make sense or could even be harmful. It is the
+   administrator's responsibility to ensure that configuration differences in
+   different views do not cause disruption with a shared cache.
+
+``directory``
+   This sets the working directory of the server. Any non-absolute pathnames in
+   the configuration file are taken as relative to this directory.
+   The default location for most server output files (e.g.,
+   ``named.run``) is this directory. If a directory is not specified,
+   the working directory defaults to ``"."``, the directory from
+   which the server was started. The directory specified should be an
+   absolute path, and *must* be writable by the effective user ID of the
+   ``named`` process.
+
+   The option takes effect only at the time that the configuration
+   option is parsed; if other files are being included before or after specifying the
+   new ``directory``, the ``directory`` option must be listed
+   before any other directive (like ``include``) that can work with relative
+   files. The safest way to include files is to use absolute file names.
+
+``dnstap``
+   ``dnstap`` is a fast, flexible method for capturing and logging DNS
+   traffic. Developed by Robert Edmonds at Farsight Security, Inc., and
+   supported by multiple DNS implementations, ``dnstap`` uses
+   ``libfstrm`` (a lightweight high-speed framing library; see
+   https://github.com/farsightsec/fstrm) to send event payloads which
+   are encoded using Protocol Buffers (``libprotobuf-c``, a mechanism
+   for serializing structured data developed by Google, Inc.; see
+   https://developers.google.com/protocol-buffers/).
+
+   To enable ``dnstap`` at compile time, the ``fstrm`` and
+   ``protobuf-c`` libraries must be available, and BIND must be
+   configured with ``--enable-dnstap``.
+
+   The ``dnstap`` option is a bracketed list of message types to be
+   logged. These may be set differently for each view. Supported types
+   are ``client``, ``auth``, ``resolver``, ``forwarder``, and
+   ``update``. Specifying type ``all`` causes all ``dnstap``
+   messages to be logged, regardless of type.
+
+   Each type may take an additional argument to indicate whether to log
+   ``query`` messages or ``response`` messages; if not specified, both
+   queries and responses are logged.
+
+   Example: To log all authoritative queries and responses, recursive
+   client responses, and upstream queries sent by the resolver, use:
+
+   ::
+
+      dnstap {
+        auth;
+        client response;
+        resolver query;
+      };
+
+   Logged ``dnstap`` messages can be parsed using the ``dnstap-read``
+   utility (see :ref:`man_dnstap-read` for details).
+
+   For more information on ``dnstap``, see http://dnstap.info.
+
+   The fstrm library has a number of tunables that are exposed in
+   ``named.conf``, and can be modified if necessary to improve
+   performance or prevent loss of data. These are:
+
+   -  ``fstrm-set-buffer-hint``: The threshold number of bytes to
+      accumulate in the output buffer before forcing a buffer flush. The
+      minimum is 1024, the maximum is 65536, and the default is 8192.
+
+   -  ``fstrm-set-flush-timeout``: The number of seconds to allow
+      unflushed data to remain in the output buffer. The minimum is 1
+      second, the maximum is 600 seconds (10 minutes), and the default
+      is 1 second.
+
+   -  ``fstrm-set-output-notify-threshold``: The number of outstanding
+      queue entries to allow on an input queue before waking the I/O
+      thread. The minimum is 1 and the default is 32.
+
+   -  ``fstrm-set-output-queue-model``: The queuing semantics
+      to use for queue objects. The default is ``mpsc`` (multiple
+      producer, single consumer); the other option is ``spsc`` (single
+      producer, single consumer).
+
+   -  ``fstrm-set-input-queue-size``: The number of queue entries to
+      allocate for each input queue. This value must be a power of 2.
+      The minimum is 2, the maximum is 16384, and the default is 512.
+
+   -  ``fstrm-set-output-queue-size``: The number of queue entries to
+      allocate for each output queue. The minimum is 2, the maximum is
+      system-dependent and based on ``IOV_MAX``, and the default is 64.
+
+   -  ``fstrm-set-reopen-interval``: The number of seconds to wait
+      between attempts to reopen a closed output stream. The minimum is
+      1 second, the maximum is 600 seconds (10 minutes), and the default
+      is 5 seconds. For convenience, TTL-style time-unit suffixes may be
+      used to specify the value.
+
+   Note that all of the above minimum, maximum, and default values are
+   set by the ``libfstrm`` library, and may be subject to change in
+   future versions of the library. See the ``libfstrm`` documentation
+   for more information.
+
+``dnstap-output``
+   This configures the path to which the ``dnstap`` frame stream is sent
+   if ``dnstap`` is enabled at compile time and active.
+
+   The first argument is either ``file`` or ``unix``, indicating whether
+   the destination is a file or a Unix domain socket. The second
+   argument is the path of the file or socket. (Note: when using a
+   socket, ``dnstap`` messages are only sent if another process such
+   as ``fstrm_capture`` (provided with ``libfstrm``) is listening on the
+   socket.)
+
+   If the first argument is ``file``, then up to three additional
+   options can be added: ``size`` indicates the size to which a
+   ``dnstap`` log file can grow before being rolled to a new file;
+   ``versions`` specifies the number of rolled log files to retain; and
+   ``suffix`` indicates whether to retain rolled log files with an
+   incrementing counter as the suffix (``increment``) or with the
+   current timestamp (``timestamp``). These are similar to the ``size``,
+   ``versions``, and ``suffix`` options in a ``logging`` channel. The
+   default is to allow ``dnstap`` log files to grow to any size without
+   rolling.
+
+   ``dnstap-output`` can only be set globally in ``options``. Currently,
+   it can only be set once while ``named`` is running; once set, it
+   cannot be changed by ``rndc reload`` or ``rndc reconfig``.
+
+``dnstap-identity``
+   This specifies an ``identity`` string to send in ``dnstap`` messages. If
+   set to ``hostname``, which is the default, the server's hostname
+   is sent. If set to ``none``, no identity string is sent.
+
+``dnstap-version``
+   This specifies a ``version`` string to send in ``dnstap`` messages. The
+   default is the version number of the BIND release. If set to
+   ``none``, no version string is sent.
+
+``geoip-directory``
+   When ``named`` is compiled using the MaxMind GeoIP2 geolocation API, this
+   specifies the directory containing GeoIP database files.  By default, the
+   option is set based on the prefix used to build the ``libmaxminddb`` module;
+   for example, if the library is installed in ``/usr/local/lib``, then the
+   default ``geoip-directory`` is ``/usr/local/share/GeoIP``. On Windows,
+   the default is the ``named`` working directory.  See :ref:`acl`
+   for details about ``geoip`` ACLs.
+
+``key-directory``
+   This is the directory where the public and private DNSSEC key files should be
+   found when performing a dynamic update of secure zones, if different
+   than the current working directory. (Note that this option has no
+   effect on the paths for files containing non-DNSSEC keys such as
+   ``bind.keys``, ``rndc.key``, or ``session.key``.)
+
+``lmdb-mapsize``
+   When ``named`` is built with liblmdb, this option sets a maximum size
+   for the memory map of the new-zone database (NZD) in LMDB database
+   format. This database is used to store configuration information for
+   zones added using ``rndc addzone``. Note that this is not the NZD
+   database file size, but the largest size that the database may grow
+   to.
+
+   Because the database file is memory-mapped, its size is limited by
+   the address space of the ``named`` process. The default of 32 megabytes
+   was chosen to be usable with 32-bit ``named`` builds. The largest
+   permitted value is 1 terabyte. Given typical zone configurations
+   without elaborate ACLs, a 32 MB NZD file ought to be able to hold
+   configurations of about 100,000 zones.
+
+``managed-keys-directory``
+   This specifies the directory in which to store the files that track managed DNSSEC
+   keys (i.e., those configured using the ``initial-key`` or ``initial-ds``
+   keywords in a ``trust-anchors`` statement). By default, this is the working
+   directory. The directory *must* be writable by the effective user ID of the
+   ``named`` process.
+
+   If ``named`` is not configured to use views, managed keys for
+   the server are tracked in a single file called
+   ``managed-keys.bind``. Otherwise, managed keys are tracked in
+   separate files, one file per view; each file name is the view
+   name (or, if it contains characters that are incompatible with use as
+   a file name, the SHA256 hash of the view name), followed by the
+   extension ``.mkeys``.
+
+   (Note: in earlier releases, file names for views always used the
+   SHA256 hash of the view name. To ensure compatibility after upgrading,
+   if a file using the old name format is found to exist, it is
+   used instead of the new format.)
+
+``max-ixfr-ratio``
+   This sets the size threshold (expressed as a percentage of the size
+   of the full zone) beyond which ``named`` chooses to use an AXFR
+   response rather than IXFR when answering zone transfer requests. See
+   :ref:`incremental_zone_transfers`.
+
+   The minimum value is ``1%``. The keyword ``unlimited`` disables ratio
+   checking and allows IXFRs of any size. The default is ``unlimited``.
+
+``new-zones-directory``
+   This specifies the directory in which to store the configuration
+   parameters for zones added via ``rndc addzone``. By default, this is
+   the working directory. If set to a relative path, it is relative
+   to the working directory. The directory *must* be writable by the
+   effective user ID of the ``named`` process.
+
+``qname-minimization``
+   When this is set to ``strict``, BIND follows the QNAME
+   minimization algorithm to the letter, as specified in :rfc:`7816`.
+
+   Setting this option to ``relaxed`` causes BIND to fall back to
+   normal (non-minimized) query mode when it receives either NXDOMAIN or
+   other unexpected responses (e.g., SERVFAIL, improper zone cut,
+   REFUSED) to a minimized query. A resolver can use a leading
+   underscore, like ``_.example.com``, in an attempt to improve
+   interoperability. (See :rfc:`7816` section 3.)
+
+   ``disabled`` disables QNAME minimization completely.
+   ``off`` is a synonym for ``disabled``.
+
+   The current default is ``relaxed``, but it
+   may be changed to ``strict`` in a future release.
+
+``tkey-gssapi-keytab``
+   This is the KRB5 keytab file to use for GSS-TSIG updates. If this option is
+   set and tkey-gssapi-credential is not set, updates are
+   allowed with any key matching a principal in the specified keytab.
+
+``tkey-gssapi-credential``
+   This is the security credential with which the server should authenticate
+   keys requested by the GSS-TSIG protocol. Currently only Kerberos 5
+   authentication is available; the credential is a Kerberos
+   principal which the server can acquire through the default system key
+   file, normally ``/etc/krb5.keytab``. The location of the keytab file can be
+   overridden using the ``tkey-gssapi-keytab`` option. Normally this
+   principal is of the form ``DNS/server.domain``. To use
+   GSS-TSIG, ``tkey-domain`` must also be set if a specific keytab is
+   not set with ``tkey-gssapi-keytab``.
+
+``tkey-domain``
+   This domain is appended to the names of all shared keys generated with
+   ``TKEY``. When a client requests a ``TKEY`` exchange, it may or may
+   not specify the desired name for the key. If present, the name of the
+   shared key is ``client-specified part`` + ``tkey-domain``.
+   Otherwise, the name of the shared key is ``random hex digits``
+   + ``tkey-domain``. In most cases, the ``domainname``
+   should be the server's domain name, or an otherwise nonexistent
+   subdomain like ``_tkey.domainname``. If using GSS-TSIG,
+   this variable must be defined, unless a specific keytab
+   is specified using ``tkey-gssapi-keytab``.
+
+``tkey-dhkey``
+   This is the Diffie-Hellman key used by the server to generate shared keys
+   with clients using the Diffie-Hellman mode of ``TKEY``. The server
+   must be able to load the public and private keys from files in the
+   working directory. In most cases, the ``key_name`` should be the
+   server's host name.
+
+``cache-file``
+   This is for testing only. Do not use.
+
+``dump-file``
+   This is the pathname of the file the server dumps the database to, when
+   instructed to do so with ``rndc dumpdb``. If not specified, the
+   default is ``named_dump.db``.
+
+``memstatistics-file``
+   This is the pathname of the file the server writes memory usage statistics to
+   on exit. If not specified, the default is ``named.memstats``.
+
+``lock-file``
+   This is the pathname of a file on which ``named`` attempts to acquire a
+   file lock when starting for the first time; if unsuccessful, the
+   server terminates, under the assumption that another server
+   is already running. If not specified, the default is
+   ``none``.
+
+   Specifying ``lock-file none`` disables the use of a lock file.
+   ``lock-file`` is ignored if ``named`` was run using the ``-X``
+   option, which overrides it. Changes to ``lock-file`` are ignored if
+   ``named`` is being reloaded or reconfigured; it is only effective
+   when the server is first started.
+
+``pid-file``
+   This is the pathname of the file the server writes its process ID in. If not
+   specified, the default is ``/var/run/named/named.pid``. The PID file
+   is used by programs that send signals to the running name
+   server. Specifying ``pid-file none`` disables the use of a PID file;
+   no file is written and any existing one is removed. Note
+   that ``none`` is a keyword, not a filename, and therefore is not
+   enclosed in double quotes.
+
+``recursing-file``
+   This is the pathname of the file where the server dumps the queries that are
+   currently recursing, when instructed to do so with ``rndc recursing``.
+   If not specified, the default is ``named.recursing``.
+
+``statistics-file``
+   This is the pathname of the file the server appends statistics to, when
+   instructed to do so using ``rndc stats``. If not specified, the
+   default is ``named.stats`` in the server's current directory. The
+   format of the file is described in :ref:`statsfile`.
+
+``bindkeys-file``
+   This is the pathname of a file to override the built-in trusted keys provided
+   by ``named``. See the discussion of ``dnssec-validation`` for
+   details. If not specified, the default is ``/etc/bind.keys``.
+
+``secroots-file``
+   This is the pathname of the file the server dumps security roots to, when
+   instructed to do so with ``rndc secroots``. If not specified, the
+   default is ``named.secroots``.
+
+``session-keyfile``
+   This is the pathname of the file into which to write a TSIG session key
+   generated by ``named`` for use by ``nsupdate -l``. If not specified,
+   the default is ``/var/run/named/session.key``. (See :ref:`dynamic_update_policies`,
+   and in particular the discussion of the ``update-policy`` statement's
+   ``local`` option, for more information about this feature.)
+
+``session-keyname``
+   This is the key name to use for the TSIG session key. If not specified, the
+   default is ``local-ddns``.
+
+``session-keyalg``
+   This is the algorithm to use for the TSIG session key. Valid values are
+   hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384, hmac-sha512, and
+   hmac-md5. If not specified, the default is hmac-sha256.
+
+``port``
+   This is the UDP/TCP port number the server uses to receive and send DNS
+   protocol traffic. The default is 53. This option is mainly intended
+   for server testing; a server using a port other than 53 is not
+   able to communicate with the global DNS.
+
+``dscp``
+   This is the global Differentiated Services Code Point (DSCP) value to
+   classify outgoing DNS traffic, on operating systems that support DSCP.
+   Valid values are 0 through 63. It is not configured by default.
+
+``random-device``
+   This specifies a source of entropy to be used by the server; it is a
+   device or file from which to read entropy. If it is a file,
+   operations requiring entropy will fail when the file has been
+   exhausted.
+
+   Entropy is needed for cryptographic operations such as TKEY
+   transactions, dynamic update of signed zones, and generation of TSIG
+   session keys. It is also used for seeding and stirring the
+   pseudo-random number generator which is used for less critical
+   functions requiring randomness, such as generation of DNS message
+   transaction IDs.
+
+   If ``random-device`` is not specified, or if it is set to ``none``,
+   entropy is read from the random number generation function
+   supplied by the cryptographic library with which BIND was linked
+   (i.e. OpenSSL or a PKCS#11 provider).
+
+   The ``random-device`` option takes effect during the initial
+   configuration load at server startup time and is ignored on
+   subsequent reloads.
+
+``preferred-glue``
+   If specified, the listed type (A or AAAA) is emitted before
+   other glue in the additional section of a query response. The default
+   is to prefer A records when responding to queries that arrived via
+   IPv4 and AAAA when responding to queries that arrived via IPv6.
+
+.. _root-delegation-only:
+
+``root-delegation-only``
+   This turns on enforcement of delegation-only in TLDs (top-level domains)
+   and root zones with an optional exclude list.
+
+   DS queries are expected to be made to and be answered by delegation-only
+   zones. Such queries and responses are treated as an exception to
+   delegation-only processing and are not converted to NXDOMAIN
+   responses, provided a CNAME is not discovered at the query name.
+
+   If a delegation-only zone server also serves a child zone, it is not
+   always possible to determine whether an answer comes from the
+   delegation-only zone or the child zone. SOA NS and DNSKEY records are
+   apex-only records and a matching response that contains these records
+   or DS is treated as coming from a child zone. RRSIG records are also
+   examined to see whether they are signed by a child zone, and the
+   authority section is examined to see if there is evidence that
+   the answer is from the child zone. Answers that are determined to be
+   from a child zone are not converted to NXDOMAIN responses. Despite
+   all these checks, there is still a possibility of false negatives when
+   a child zone is being served.
+
+   Similarly, false positives can arise from empty nodes (no records at
+   the name) in the delegation-only zone when the query type is not ``ANY``.
+
+   Note that some TLDs are not delegation-only; e.g., "DE", "LV", "US", and
+   "MUSEUM". This list is not exhaustive.
+
+   ::
+
+      options {
+          root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
+      };
+
+``disable-algorithms``
+   This disables the specified DNSSEC algorithms at and below the specified
+   name. Multiple ``disable-algorithms`` statements are allowed. Only
+   the best-match ``disable-algorithms`` clause is used to
+   determine the algorithms.
+
+   If all supported algorithms are disabled, the zones covered by the
+   ``disable-algorithms`` setting are treated as insecure.
+
+   Configured trust anchors in ``trust-anchors`` (or ``managed-keys`` or
+   ``trusted-keys``) that match a disabled algorithm are ignored and treated
+   as if they were not configured.
+
+``disable-ds-digests``
+   This disables the specified DS digest types at and below the specified
+   name. Multiple ``disable-ds-digests`` statements are allowed. Only
+   the best-match ``disable-ds-digests`` clause is used to
+   determine the digest types.
+
+   If all supported digest types are disabled, the zones covered by
+   ``disable-ds-digests`` are treated as insecure.
+
+``dnssec-must-be-secure``
+   This specifies hierarchies which must be or may not be secure (signed and
+   validated). If ``yes``, then ``named`` only accepts answers if
+   they are secure. If ``no``, then normal DNSSEC validation applies,
+   allowing insecure answers to be accepted. The specified domain
+   must be defined as a trust anchor, for instance in a ``trust-anchors``
+   statement, or ``dnssec-validation auto`` must be active.
+
+``dns64``
+   This directive instructs ``named`` to return mapped IPv4 addresses to
+   AAAA queries when there are no AAAA records. It is intended to be
+   used in conjunction with a NAT64. Each ``dns64`` defines one DNS64
+   prefix. Multiple DNS64 prefixes can be defined.
+
+   Compatible IPv6 prefixes have lengths of 32, 40, 48, 56, 64, and 96, per
+   :rfc:`6052`. Bits 64..71 inclusive must be zero, with the most significant bit
+   of the prefix in position 0.
+
+   In addition, a reverse IP6.ARPA zone is created for the prefix
+   to provide a mapping from the IP6.ARPA names to the corresponding
+   IN-ADDR.ARPA names using synthesized CNAMEs. ``dns64-server`` and
+   ``dns64-contact`` can be used to specify the name of the server and
+   contact for the zones. These can be set at the view/options
+   level but not on a per-prefix basis.
+
+   Each ``dns64`` supports an optional ``clients`` ACL that determines
+   which clients are affected by this directive. If not defined, it
+   defaults to ``any;``.
+
+   Each ``dns64`` supports an optional ``mapped`` ACL that selects which
+   IPv4 addresses are to be mapped in the corresponding A RRset. If not
+   defined, it defaults to ``any;``.
+
+   Normally, DNS64 does not apply to a domain name that owns one or more
+   AAAA records; these records are simply returned. The optional
+   ``exclude`` ACL allows specification of a list of IPv6 addresses that
+   are ignored if they appear in a domain name's AAAA records;
+   DNS64 is applied to any A records the domain name owns. If not
+   defined, ``exclude`` defaults to ::ffff:0.0.0.0/96.
+
+   An optional ``suffix`` can also be defined to set the bits trailing
+   the mapped IPv4 address bits. By default these bits are set to
+   ``::``. The bits matching the prefix and mapped IPv4 address must be
+   zero.
+
+   If ``recursive-only`` is set to ``yes``, the DNS64 synthesis only
+   happens for recursive queries. The default is ``no``.
+
+   If ``break-dnssec`` is set to ``yes``, the DNS64 synthesis happens
+   even if the result, if validated, would cause a DNSSEC validation
+   failure. If this option is set to ``no`` (the default), the DO is set
+   on the incoming query, and there are RRSIGs on the applicable
+   records, then synthesis does not happen.
+
+   ::
+
+          acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
+
+          dns64 64:FF9B::/96 {
+              clients { any; };
+              mapped { !rfc1918; any; };
+              exclude { 64:FF9B::/96; ::ffff:0000:0000/96; };
+              suffix ::;
+          };
+
+``dnssec-loadkeys-interval``
+   When a zone is configured with ``auto-dnssec maintain;``, its key
+   repository must be checked periodically to see if any new keys have
+   been added or any existing keys' timing metadata has been updated
+   (see :ref:`man_dnssec-keygen` and :ref:`man_dnssec-settime`).
+   The ``dnssec-loadkeys-interval`` option
+   sets the frequency of automatic repository checks, in minutes.  The
+   default is ``60`` (1 hour), the minimum is ``1`` (1 minute), and
+   the maximum is ``1440`` (24 hours); any higher value is silently
+   reduced.
+
+``dnssec-policy``
+   This specifies which key and signing policy (KASP) should be used for this
+   zone. This is a string referring to a ``dnssec-policy`` statement.  There
+   are three built-in policies: ``default``, which uses the default policy,
+   ``insecure``, to be used when you want to gracefully unsign your zone, and
+   ``none``, which means no DNSSEC policy.  The default is ``none``.
+   See :ref:`dnssec-policy Grammar <dnssec_policy_grammar>` for more details.
+
+``dnssec-update-mode``
+   If this option is set to its default value of ``maintain`` in a zone
+   of type ``primary`` which is DNSSEC-signed and configured to allow
+   dynamic updates (see :ref:`dynamic_update_policies`), and if ``named`` has access
+   to the private signing key(s) for the zone, then ``named``
+   automatically signs all new or changed records and maintains signatures
+   for the zone by regenerating RRSIG records whenever they approach
+   their expiration date.
+
+   If the option is changed to ``no-resign``, then ``named`` signs
+   all new or changed records, but scheduled maintenance of signatures
+   is disabled.
+
+   With either of these settings, ``named`` rejects updates to a
+   DNSSEC-signed zone when the signing keys are inactive or unavailable
+   to ``named``. (A planned third option, ``external``, will disable all
+   automatic signing and allow DNSSEC data to be submitted into a zone
+   via dynamic update; this is not yet implemented.)
+
+``nta-lifetime``
+   This specifies the default lifetime, in seconds, for
+   negative trust anchors added via ``rndc nta``.
+
+   A negative trust anchor selectively disables DNSSEC validation for
+   zones that are known to be failing because of misconfiguration, rather
+   than an attack. When data to be validated is at or below an active
+   NTA (and above any other configured trust anchors), ``named``
+   aborts the DNSSEC validation process and treats the data as insecure
+   rather than bogus. This continues until the NTA's lifetime has
+   elapsed. NTAs persist across ``named`` restarts.
+
+   For convenience, TTL-style time-unit suffixes can be used to specify the NTA
+   lifetime in seconds, minutes, or hours. It also accepts ISO 8601 duration
+   formats.
+
+   ``nta-lifetime`` defaults to one hour; it cannot exceed one week.
+
+``nta-recheck``
+   This specifies how often to check whether negative trust anchors added via
+   ``rndc nta`` are still necessary.
+
+   A negative trust anchor is normally used when a domain has stopped
+   validating due to operator error; it temporarily disables DNSSEC
+   validation for that domain. In the interest of ensuring that DNSSEC
+   validation is turned back on as soon as possible, ``named``
+   periodically sends a query to the domain, ignoring negative trust
+   anchors, to find out whether it can now be validated. If so, the
+   negative trust anchor is allowed to expire early.
+
+   Validity checks can be disabled for an individual NTA by using
+   ``rndc nta -f``, or for all NTAs by setting ``nta-recheck`` to zero.
+
+   For convenience, TTL-style time-unit suffixes can be used to specify the NTA
+   recheck interval in seconds, minutes, or hours. It also accepts ISO 8601
+   duration formats.
+
+   The default is five minutes. It cannot be longer than ``nta-lifetime``, which
+   cannot be longer than a week.
+
+``max-zone-ttl``
+
+   This should now be configured as part of ``dnssec-policy``.
+   Use of this option in ``options``, ``view`` and ``zone`` blocks has no
+   effect on any zone for which a ``dnssec-policy`` has also been configured.
+
+   ``max-zone-ttl`` specifies a maximum permissible TTL value in seconds.
+   For convenience, TTL-style time-unit suffixes may be used to specify the
+   maximum value. When a zone file is loaded, any record encountered with a
+   TTL higher than ``max-zone-ttl`` causes the zone to be rejected.
+
+   This is useful in DNSSEC-signed zones because when rolling to a new
+   DNSKEY, the old key needs to remain available until RRSIG records
+   have expired from caches. The ``max-zone-ttl`` option guarantees that
+   the largest TTL in the zone is no higher than the set value.
+
+   (Note: because ``map``-format files load directly into memory, this
+   option cannot be used with them.)
+
+   The default value is ``unlimited``. Setting ``max-zone-ttl`` to zero is
+   equivalent to ``unlimited``.
+
+``stale-answer-ttl``
+   This specifies the TTL to be returned on stale answers. The default is 30
+   seconds. The minimum allowed is 1 second; a value of 0 is updated silently
+   to 1 second.
+
+   For stale answers to be returned, they must be enabled, either in the
+   configuration file using ``stale-answer-enable`` or via
+   ``rndc serve-stale on``.
+
+``serial-update-method``
+   Zones configured for dynamic DNS may use this option to set the
+   update method to be used for the zone serial number in the SOA
+   record.
+
+   With the default setting of ``serial-update-method increment;``, the
+   SOA serial number is incremented by one each time the zone is
+   updated.
+
+   When set to ``serial-update-method unixtime;``, the SOA serial number
+   is set to the number of seconds since the Unix epoch, unless the
+   serial number is already greater than or equal to that value, in
+   which case it is simply incremented by one.
+
+   When set to ``serial-update-method date;``, the new SOA serial number
+   is the current date in the form "YYYYMMDD", followed by two
+   zeroes, unless the existing serial number is already greater than or
+   equal to that value, in which case it is incremented by one.
+
+``zone-statistics``
+   If ``full``, the server collects statistical data on all zones,
+   unless specifically turned off on a per-zone basis by specifying
+   ``zone-statistics terse`` or ``zone-statistics none`` in the ``zone``
+   statement. The statistical data includes, for example, DNSSEC signing
+   operations and the number of authoritative answers per query type. The
+   default is ``terse``, providing minimal statistics on zones
+   (including name and current serial number, but not query type
+   counters).
+
+   These statistics may be accessed via the ``statistics-channel`` or
+   using ``rndc stats``, which dumps them to the file listed in the
+   ``statistics-file``. See also :ref:`statsfile`.
+
+   For backward compatibility with earlier versions of BIND 9, the
+   ``zone-statistics`` option can also accept ``yes`` or ``no``; ``yes``
+   has the same meaning as ``full``. As of BIND 9.10, ``no`` has the
+   same meaning as ``none``; previously, it was the same as ``terse``.
+
+.. _boolean_options:
+
+Boolean Options
+^^^^^^^^^^^^^^^
+
+``automatic-interface-scan``
+   If ``yes`` and supported by the operating system, this automatically rescans
+   network interfaces when the interface addresses are added or removed.  The
+   default is ``yes``.  This configuration option does not affect the time-based
+   ``interface-interval`` option; it is recommended to set the time-based
+   ``interface-interval`` to 0 when the operator confirms that automatic
+   interface scanning is supported by the operating system.
+
+   The ``automatic-interface-scan`` implementation uses routing sockets for the
+   network interface discovery; therefore, the operating system must
+   support the routing sockets for this feature to work.
+
+``allow-new-zones``
+   If ``yes``, then zones can be added at runtime via ``rndc addzone``.
+   The default is ``no``.
+
+   Newly added zones' configuration parameters are stored so that they
+   can persist after the server is restarted. The configuration
+   information is saved in a file called ``viewname.nzf`` (or, if
+   ``named`` is compiled with liblmdb, in an LMDB database file called
+   ``viewname.nzd``). "viewname" is the name of the view, unless the view
+   name contains characters that are incompatible with use as a file
+   name, in which case a cryptographic hash of the view name is used
+   instead.
+
+   Configurations for zones added at runtime are stored either in
+   a new-zone file (NZF) or a new-zone database (NZD), depending on
+   whether ``named`` was linked with liblmdb at compile time. See
+   :ref:`man_rndc` for further details about ``rndc addzone``.
+
+``auth-nxdomain``
+   If ``yes``, then the ``AA`` bit is always set on NXDOMAIN responses,
+   even if the server is not actually authoritative. The default is
+   ``no``.
+
+``memstatistics``
+   This writes memory statistics to the file specified by
+   ``memstatistics-file`` at exit. The default is ``no`` unless ``-m
+   record`` is specified on the command line, in which case it is ``yes``.
+
+``dialup``
+   If ``yes``, then the server treats all zones as if they are doing
+   zone transfers across a dial-on-demand dialup link, which can be
+   brought up by traffic originating from this server. Although this setting has
+   different effects according to zone type, it concentrates the zone
+   maintenance so that everything happens quickly, once every
+   ``heartbeat-interval``, ideally during a single call. It also
+   suppresses some normal zone maintenance traffic. The default
+   is ``no``.
+
+   If specified in the ``view`` and
+   ``zone`` statements, the ``dialup`` option overrides the global ``dialup``
+   option.
+
+   If the zone is a primary zone, the server sends out a NOTIFY
+   request to all the secondaries (default). This should trigger the zone
+   serial number check in the secondary (providing it supports NOTIFY),
+   allowing the secondary to verify the zone while the connection is active.
+   The set of servers to which NOTIFY is sent can be controlled by
+   ``notify`` and ``also-notify``.
+
+   If the zone is a secondary or stub zone, the server suppresses
+   the regular "zone up to date" (refresh) queries and only performs them
+   when the ``heartbeat-interval`` expires, in addition to sending NOTIFY
+   requests.
+
+   Finer control can be achieved by using ``notify``, which only sends
+   NOTIFY messages; ``notify-passive``, which sends NOTIFY messages and
+   suppresses the normal refresh queries; ``refresh``, which suppresses
+   normal refresh processing and sends refresh queries when the
+   ``heartbeat-interval`` expires; and ``passive``, which disables
+   normal refresh processing.
+
+   +--------------------+-----------------+-----------------+-----------------+
+   | dialup mode        | normal refresh  | heart-beat      | heart-beat      |
+   |                    |                 | refresh         | notify          |
+   +--------------------+-----------------+-----------------+-----------------+
+   | ``no``             | yes             | no              | no              |
+   | (default)          |                 |                 |                 |
+   +--------------------+-----------------+-----------------+-----------------+
+   | ``yes``            | no              | yes             | yes             |
+   +--------------------+-----------------+-----------------+-----------------+
+   | ``notify``         | yes             | no              | yes             |
+   +--------------------+-----------------+-----------------+-----------------+
+   | ``refresh``        | no              | yes             | no              |
+   +--------------------+-----------------+-----------------+-----------------+
+   | ``passive``        | no              | no              | no              |
+   +--------------------+-----------------+-----------------+-----------------+
+   | ``notify-passive`` | no              | no              | yes             |
+   +--------------------+-----------------+-----------------+-----------------+
+
+   Note that normal NOTIFY processing is not affected by ``dialup``.
+
+``flush-zones-on-shutdown``
+   When the name server exits upon receiving SIGTERM, flush or do not
+   flush any pending zone writes. The default is
+   ``flush-zones-on-shutdown no``.
+
+``geoip-use-ecs``
+   This option was part of an experimental implementation of the EDNS
+   CLIENT-SUBNET for authoritative servers, but is now obsolete.
+
+``root-key-sentinel``
+   If ``yes``, respond to root key sentinel probes as described in
+   draft-ietf-dnsop-kskroll-sentinel-08. The default is ``yes``.
+
+``reuseport``
+   This option enables kernel load-balancing of sockets on systems which support
+   it, including Linux (SO_REUSEPORT) and FreeBSD (SO_REUSEPORT_LB). This
+   instructs the kernel to distribute incoming socket connections among the
+   networking threads based on a hashing scheme. For more information, see the
+   receive network flow classification options (``rx-flow-hash``) section in the
+   ``ethtool`` manual page. The default is ``yes``.
+
+   Enabling ``reuseport`` significantly increases general throughput when
+   incoming traffic is distributed uniformly onto the threads by the
+   operating system. However, in cases where a worker thread is busy with a
+   long-lasting operation, such as processing a Response Policy Zone (RPZ) or
+   Catalog Zone update or an unusually large zone transfer, incoming traffic
+   that hashes onto that thread may be delayed. On servers where these events
+   occur frequently, it may be preferable to disable socket load-balancing so
+   that other threads can pick up the traffic that would have been sent to the
+   busy thread.
+
+   Note: this option can only be set when ``named`` first starts.
+   Changes will not take effect during reconfiguration; the server
+   must be restarted.
+
+``message-compression``
+   If ``yes``, DNS name compression is used in responses to regular
+   queries (not including AXFR or IXFR, which always use compression).
+   Setting this option to ``no`` reduces CPU usage on servers and may
+   improve throughput. However, it increases response size, which may
+   cause more queries to be processed using TCP; a server with
+   compression disabled is out of compliance with :rfc:`1123` Section
+   6.1.3.2. The default is ``yes``.
+
+``minimal-responses``
+   This option controls the addition of records to the authority and
+   additional sections of responses. Such records may be included in
+   responses to be helpful to clients; for example, MX records may
+   have associated address records included in the additional section,
+   obviating the need for a separate address lookup. However, adding
+   these records to responses is not mandatory and requires additional
+   database lookups, causing extra latency when marshalling responses.
+
+   Responses to DNSKEY, DS, CDNSKEY, and CDS requests will never have
+   optional additional records added. Responses to NS requests will
+   always have additional section processing.
+
+   ``minimal-responses`` takes one of four values:
+
+   -  ``no``: the server is as complete as possible when generating
+      responses.
+   -  ``yes``: the server only adds records to the authority and additional
+      sections when such records are required by the DNS protocol (for
+      example, when returning delegations or negative responses). This
+      provides the best server performance but may result in more client
+      queries.
+   -  ``no-auth``: the server omits records from the authority section except
+      when they are required, but it may still add records to the
+      additional section.
+   -  ``no-auth-recursive``: the same as ``no-auth`` when recursion is requested
+      in the query (RD=1), or the same as ``no`` if recursion is not requested.
+
+   ``no-auth`` and ``no-auth-recursive`` are useful when answering stub
+   clients, which usually ignore the authority section.
+   ``no-auth-recursive`` is meant for use in mixed-mode servers that
+   handle both authoritative and recursive queries.
+
+   The default is ``no-auth-recursive``.
+
+``glue-cache``
+   When set to ``yes``, a cache is used to improve query performance
+   when adding address-type (A and AAAA) glue records to the additional
+   section of DNS response messages that delegate to a child zone.
+
+   The glue cache uses memory proportional to the number of delegations
+   in the zone. The default setting is ``yes``, which improves
+   performance at the cost of increased memory usage for the zone. To avoid
+   this, set it to ``no``.
+
+``minimal-any``
+   If set to ``yes``, the server replies with only one of
+   the RRsets for the query name, and its covering RRSIGs if any,
+   when generating a positive response to a query of type ANY over UDP,
+   instead of replying with all known RRsets for the name. Similarly, a
+   query for type RRSIG is answered with the RRSIG records covering
+   only one type. This can reduce the impact of some kinds of attack
+   traffic, without harming legitimate clients. (Note, however, that the
+   RRset returned is the first one found in the database; it is not
+   necessarily the smallest available RRset.) Additionally,
+   ``minimal-responses`` is turned on for these queries, so no
+   unnecessary records are added to the authority or additional
+   sections. The default is ``no``.
+
+``notify``
+   If set to ``yes`` (the default), DNS NOTIFY messages are sent when a
+   zone the server is authoritative for changes; see :ref:`notify`.
+   The messages are sent to the servers listed in the zone's NS records
+   (except the primary server identified in the SOA MNAME field), and to
+   any servers listed in the ``also-notify`` option.
+
+   If set to ``primary-only`` (or the older keyword ``master-only``),
+   notifies are only sent for primary zones. If set to ``explicit``,
+   notifies are sent only to servers explicitly listed using
+   ``also-notify``. If set to ``no``, no notifies are sent.
+
+   The ``notify`` option may also be specified in the ``zone``
+   statement, in which case it overrides the ``options notify``
+   statement. It would only be necessary to turn off this option if it
+   caused secondary zones to crash.
+
+``notify-to-soa``
+   If ``yes``, do not check the name servers in the NS RRset against the
+   SOA MNAME. Normally a NOTIFY message is not sent to the SOA MNAME
+   (SOA ORIGIN), as it is supposed to contain the name of the ultimate
+   primary server. Sometimes, however, a secondary server is listed as the SOA MNAME in
+   hidden primary configurations; in that case, the
+   ultimate primary should be set to still send NOTIFY messages to all the name servers
+   listed in the NS RRset.
+
+``recursion``
+   If ``yes``, and a DNS query requests recursion, then the server
+   attempts to do all the work required to answer the query. If recursion
+   is off and the server does not already know the answer, it
+   returns a referral response. The default is ``yes``. Note that setting
+   ``recursion no`` does not prevent clients from getting data from the
+   server's cache; it only prevents new data from being cached as an
+   effect of client queries. Caching may still occur as an effect of the
+   server's internal operation, such as NOTIFY address lookups.
+
+``request-nsid``
+   If ``yes``, then an empty EDNS(0) NSID (Name Server Identifier)
+   option is sent with all queries to authoritative name servers during
+   iterative resolution. If the authoritative server returns an NSID
+   option in its response, then its contents are logged in the ``nsid``
+   category at level ``info``. The default is ``no``.
+
+``request-sit``
+   This experimental option is obsolete.
+
+``require-server-cookie``
+   If ``yes``, require a valid server cookie before sending a full response to a UDP
+   request from a cookie-aware client. BADCOOKIE is sent if there is a
+   bad or nonexistent server cookie.
+
+   The default is ``no``.
+
+   Users wishing to test that DNS COOKIE clients correctly handle
+   BADCOOKIE, or who are getting a lot of forged DNS requests with DNS COOKIES
+   present, should set this to ``yes``. Setting this to ``yes`` results in a reduced amplification effect
+   in a reflection attack, as the BADCOOKIE response is smaller than a full
+   response, while also requiring a legitimate client to follow up with a second
+   query with the new, valid, cookie.
+
+``answer-cookie``
+   When set to the default value of ``yes``, COOKIE EDNS options are
+   sent when applicable in replies to client queries. If set to ``no``,
+   COOKIE EDNS options are not sent in replies. This can only be set
+   at the global options level, not per-view.
+
+   ``answer-cookie no`` is intended as a temporary measure, for use when
+   ``named`` shares an IP address with other servers that do not yet
+   support DNS COOKIE. A mismatch between servers on the same address is
+   not expected to cause operational problems, but the option to disable
+   COOKIE responses so that all servers have the same behavior is
+   provided out of an abundance of caution. DNS COOKIE is an important
+   security mechanism, and should not be disabled unless absolutely
+   necessary.
+
+``send-cookie``
+   If ``yes``, then a COOKIE EDNS option is sent along with the query.
+   If the resolver has previously communicated with the server, the COOKIE
+   returned in the previous transaction is sent. This is used by the
+   server to determine whether the resolver has talked to it before. A
+   resolver sending the correct COOKIE is assumed not to be an off-path
+   attacker sending a spoofed-source query; the query is therefore
+   unlikely to be part of a reflection/amplification attack, so
+   resolvers sending a correct COOKIE option are not subject to response
+   rate limiting (RRL). Resolvers which do not send a correct COOKIE
+   option may be limited to receiving smaller responses via the
+   ``nocookie-udp-size`` option.
+
+   The default is ``yes``.
+
+``stale-answer-enable``
+   If ``yes``, enable the returning of "stale" cached answers when the name
+   servers for a zone are not answering and the ``stale-cache-enable`` option is
+   also enabled. The default is not to return stale answers.
+
+   Stale answers can also be enabled or disabled at runtime via
+   ``rndc serve-stale on`` or ``rndc serve-stale off``; these override
+   the configured setting. ``rndc serve-stale reset`` restores the
+   setting to the one specified in ``named.conf``. Note that if stale
+   answers have been disabled by ``rndc``, they cannot be
+   re-enabled by reloading or reconfiguring ``named``; they must be
+   re-enabled with ``rndc serve-stale on``, or the server must be
+   restarted.
+
+   Information about stale answers is logged under the ``serve-stale``
+   log category.
+
+``stale-answer-client-timeout``
+   This option defines the amount of time (in milliseconds) that ``named``
+   waits before attempting to answer the query with a stale RRset from cache.
+   If a stale answer is found, ``named`` continues the ongoing fetches,
+   attempting to refresh the RRset in cache until the
+   ``resolver-query-timeout`` interval is reached.
+
+   This option is off by default, which is equivalent to setting it to
+   ``off`` or ``disabled``. It also has no effect if ``stale-answer-enable``
+   is disabled.
+
+   The maximum value for this option is ``resolver-query-timeout`` minus
+   one second. The minimum value, ``0``, causes a cached (stale) RRset to be
+   immediately returned if it is available while still attempting to
+   refresh the data in cache. :rfc:`8767` recommends a value of ``1800``
+   (milliseconds).
+
+``stale-cache-enable``
+   If ``yes``, enable the retaining of "stale" cached answers.  Default ``yes``.
+
+``stale-refresh-time``
+   If the name servers for a given zone are not answering, this sets the time
+   window for which ``named`` will promptly return "stale" cached answers for
+   that RRSet being requested before a new attempt in contacting the servers
+   is made. For convenience, TTL-style time-unit suffixes may be used to
+   specify the value. It also accepts ISO 8601 duration formats.
+
+   The default ``stale-refresh-time`` is 30 seconds, as :rfc:`8767` recommends
+   that attempts to refresh to be done no more frequently than every 30
+   seconds. A value of zero disables the feature, meaning that normal
+   resolution will take place first, if that fails only then ``named`` will
+   return "stale" cached answers.
+
+``nocookie-udp-size``
+   This sets the maximum size of UDP responses that are sent to queries
+   without a valid server COOKIE. A value below 128 is silently
+   raised to 128. The default value is 4096, but the ``max-udp-size``
+   option may further limit the response size as the default for
+   ``max-udp-size`` is 4096.
+
+``sit-secret``
+   This experimental option is obsolete.
+
+``cookie-algorithm``
+   This sets the algorithm to be used when generating the server cookie; the options are
+   "aes" or "siphash24". The default is "siphash24". The "aes" option remains for legacy
+   purposes.
+
+``cookie-secret``
+   If set, this is a shared secret used for generating and verifying
+   EDNS COOKIE options within an anycast cluster. If not set, the system
+   generates a random secret at startup. The shared secret is
+   encoded as a hex string and needs to be 128 bits for either "siphash24"
+   or "aes".
+
+   If there are multiple secrets specified, the first one listed in
+   ``named.conf`` is used to generate new server cookies. The others
+   are only used to verify returned cookies.
+
+``response-padding``
+   The EDNS Padding option is intended to improve confidentiality when
+   DNS queries are sent over an encrypted channel, by reducing the
+   variability in packet sizes. If a query:
+
+   1. contains an EDNS Padding option,
+   2. includes a valid server cookie or uses TCP,
+   3. is not signed using TSIG or SIG(0), and
+   4. is from a client whose address matches the specified ACL,
+
+   then the response is padded with an EDNS Padding option to a multiple
+   of ``block-size`` bytes. If these conditions are not met, the
+   response is not padded.
+
+   If ``block-size`` is 0 or the ACL is ``none;``, this feature is
+   disabled and no padding occurs; this is the default. If
+   ``block-size`` is greater than 512, a warning is logged and the value
+   is truncated to 512. Block sizes are ordinarily expected to be powers
+   of two (for instance, 128), but this is not mandatory.
+
+``trust-anchor-telemetry``
+   This causes ``named`` to send specially formed queries once per day to
+   domains for which trust anchors have been configured via, e.g.,
+   ``trust-anchors`` or ``dnssec-validation auto``.
+
+   The query name used for these queries has the form
+   ``_ta-xxxx(-xxxx)(...).<domain>``, where each "xxxx" is a group of four
+   hexadecimal digits representing the key ID of a trusted DNSSEC key.
+   The key IDs for each domain are sorted smallest to largest prior to
+   encoding. The query type is NULL.
+
+   By monitoring these queries, zone operators are able to see which
+   resolvers have been updated to trust a new key; this may help them
+   decide when it is safe to remove an old one.
+
+   The default is ``yes``.
+
+``use-ixfr``
+   *This option is obsolete*. To disable IXFR to a
+   particular server or servers, see the information on the
+   ``provide-ixfr`` option in :ref:`server_statement_definition_and_usage`.
+   See also :ref:`incremental_zone_transfers`.
+
+``provide-ixfr``
+   See the description of ``provide-ixfr`` in :ref:`server_statement_definition_and_usage`.
+
+``request-ixfr``
+   See the description of ``request-ixfr`` in :ref:`server_statement_definition_and_usage`.
+
+``request-expire``
+   See the description of ``request-expire`` in :ref:`server_statement_definition_and_usage`.
+
+``match-mapped-addresses``
+   If ``yes``, then an IPv4-mapped IPv6 address matches any
+   address-match list entries that match the corresponding IPv4 address.
+
+   This option was introduced to work around a kernel quirk in some
+   operating systems that causes IPv4 TCP connections, such as zone
+   transfers, to be accepted on an IPv6 socket using mapped addresses.
+   This caused address-match lists designed for IPv4 to fail to match.
+   However, ``named`` now solves this problem internally. The use of
+   this option is discouraged.
+
+``ixfr-from-differences``
+   When ``yes`` and the server loads a new version of a primary zone from
+   its zone file or receives a new version of a secondary file via zone
+   transfer, it compares the new version to the previous one and
+   calculates a set of differences. The differences are then logged in
+   the zone's journal file so that the changes can be transmitted to
+   downstream secondaries as an incremental zone transfer.
+
+   By allowing incremental zone transfers to be used for non-dynamic
+   zones, this option saves bandwidth at the expense of increased CPU
+   and memory consumption at the primary server. In particular, if the new
+   version of a zone is completely different from the previous one, the
+   set of differences is of a size comparable to the combined size
+   of the old and new zone versions, and the server needs to
+   temporarily allocate memory to hold this complete difference set.
+
+   ``ixfr-from-differences`` also accepts ``primary``
+   and ``secondary`` at the view and options levels,
+   which causes ``ixfr-from-differences`` to be enabled for all primary
+   or secondary zones, respectively. It is off for all zones by default.
+
+   Note: if inline signing is enabled for a zone, the user-provided
+   ``ixfr-from-differences`` setting is ignored for that zone.
+
+``multi-master``
+   This should be set when there are multiple primary servers for a zone and the
+   addresses refer to different machines. If ``yes``, ``named`` does not
+   log when the serial number on the primary is less than what ``named``
+   currently has. The default is ``no``.
+
+``auto-dnssec``
+   Zones configured for dynamic DNS may use this option to allow varying
+   levels of automatic DNSSEC key management. There are three possible
+   settings:
+
+   ``auto-dnssec allow;`` permits keys to be updated and the zone fully
+   re-signed whenever the user issues the command ``rndc sign zonename``.
+
+   ``auto-dnssec maintain;`` includes the above, but also
+   automatically adjusts the zone's DNSSEC keys on a schedule, according
+   to the keys' timing metadata (see :ref:`man_dnssec-keygen` and
+   :ref:`man_dnssec-settime`). The command ``rndc sign zonename``
+   causes ``named`` to load keys from the key repository and sign the
+   zone with all keys that are active. ``rndc loadkeys zonename``
+   causes ``named`` to load keys from the key repository and schedule
+   key maintenance events to occur in the future, but it does not sign
+   the full zone immediately. Note: once keys have been loaded for a
+   zone the first time, the repository is searched for changes
+   periodically, regardless of whether ``rndc loadkeys`` is used. The
+   recheck interval is defined by ``dnssec-loadkeys-interval``.
+
+   ``auto-dnssec off;`` does not allow for DNSSEC key management.
+   This is the default setting.
+
+   This option may only be activated at the zone level; if configured
+   at the view or options level, it must be set to ``off``.
+
+   The DNSSEC records are written to the zone's filename set in ``file``,
+   unless ``inline-signing`` is enabled.
+
+``dnssec-enable``
+   This option is obsolete and has no effect.
+
+.. _dnssec-validation-option:
+
+``dnssec-validation``
+   This option enables DNSSEC validation in ``named``.
+
+   If set to ``auto``, DNSSEC validation is enabled and a default trust
+   anchor for the DNS root zone is used. This trust anchor is provided
+   as part of BIND and is kept up-to-date using :ref:`rfc5011.support` key
+   management.
+
+   If set to ``yes``, DNSSEC validation is enabled, but a trust anchor must be
+   manually configured using a ``trust-anchors`` statement (or the
+   ``managed-keys`` or ``trusted-keys`` statements, both deprecated). If
+   there is no configured trust anchor, validation does not take place.
+
+   If set to ``no``, DNSSEC validation is disabled.
+
+   The default is ``auto``, unless BIND is built with
+   ``configure --disable-auto-validation``, in which case the default is
+   ``yes``.
+
+   The default root trust anchor is stored in the file ``bind.keys``.
+   ``named`` loads that key at startup if ``dnssec-validation`` is
+   set to ``auto``. A copy of the file is installed along with BIND 9,
+   and is current as of the release date. If the root key expires, a new
+   copy of ``bind.keys`` can be downloaded from
+   https://www.isc.org/bind-keys.
+
+   (To prevent problems if ``bind.keys`` is not found, the current trust
+   anchor is also compiled in ``named``. Relying on this is not
+   recommended, however, as it requires ``named`` to be recompiled with
+   a new key when the root key expires.)
+
+   .. note:: ``named`` loads *only* the root key from ``bind.keys``. The file
+         cannot be used to store keys for other zones. The root key in
+         ``bind.keys`` is ignored if ``dnssec-validation auto`` is not in
+         use.
+
+         Whenever the resolver sends out queries to an EDNS-compliant
+         server, it always sets the DO bit indicating it can support DNSSEC
+         responses, even if ``dnssec-validation`` is off.
+
+``validate-except``
+   This specifies a list of domain names at and beneath which DNSSEC
+   validation should *not* be performed, regardless of the presence of a
+   trust anchor at or above those names. This may be used, for example,
+   when configuring a top-level domain intended only for local use, so
+   that the lack of a secure delegation for that domain in the root zone
+   does not cause validation failures. (This is similar to setting a
+   negative trust anchor except that it is a permanent configuration,
+   whereas negative trust anchors expire and are removed after a set
+   period of time.)
+
+``dnssec-accept-expired``
+   This accepts expired signatures when verifying DNSSEC signatures. The
+   default is ``no``. Setting this option to ``yes`` leaves ``named``
+   vulnerable to replay attacks.
+
+``querylog``
+   Query logging provides a complete log of all incoming queries and all query
+   errors. This provides more insight into the server's activity, but with a
+   cost to performance which may be significant on heavily loaded servers.
+
+   The ``querylog`` option specifies whether query logging should be active when
+   ``named`` first starts.  If ``querylog`` is not specified, then query logging
+   is determined by the presence of the logging category ``queries``.  Query
+   logging can also be activated at runtime using the command ``rndc querylog
+   on``, or deactivated with ``rndc querylog off``.
+
+``check-names``
+   This option is used to restrict the character set and syntax of
+   certain domain names in primary files and/or DNS responses received
+   from the network. The default varies according to usage area. For
+   ``primary`` zones the default is ``fail``. For ``secondary`` zones the
+   default is ``warn``. For answers received from the network
+   (``response``), the default is ``ignore``.
+
+   The rules for legal hostnames and mail domains are derived from
+   :rfc:`952` and :rfc:`821` as modified by :rfc:`1123`.
+
+   ``check-names`` applies to the owner names of A, AAAA, and MX records.
+   It also applies to the domain names in the RDATA of NS, SOA, MX, and
+   SRV records. It further applies to the RDATA of PTR records where the
+   owner name indicates that it is a reverse lookup of a hostname (the
+   owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT).
+
+``check-dup-records``
+   This checks primary zones for records that are treated as different by
+   DNSSEC but are semantically equal in plain DNS. The default is to
+   ``warn``. Other possible values are ``fail`` and ``ignore``.
+
+``check-mx``
+   This checks whether the MX record appears to refer to an IP address. The
+   default is to ``warn``. Other possible values are ``fail`` and
+   ``ignore``.
+
+``check-wildcard``
+   This option is used to check for non-terminal wildcards. The use of
+   non-terminal wildcards is almost always as a result of a lack of
+   understanding of the wildcard matching algorithm (:rfc:`1034`). This option
+   affects primary zones. The default (``yes``) is to check for
+   non-terminal wildcards and issue a warning.
+
+``check-integrity``
+   This performs post-load zone integrity checks on primary zones. It checks
+   that MX and SRV records refer to address (A or AAAA) records and that
+   glue address records exist for delegated zones. For MX and SRV
+   records, only in-zone hostnames are checked (for out-of-zone hostnames,
+   use ``named-checkzone``). For NS records, only names below top-of-zone
+   are checked (for out-of-zone names and glue consistency checks, use
+   ``named-checkzone``). The default is ``yes``.
+
+   The use of the SPF record to publish Sender Policy Framework is
+   deprecated, as the migration from using TXT records to SPF records was
+   abandoned. Enabling this option also checks that a TXT Sender Policy
+   Framework record exists (starts with "v=spf1") if there is an SPF
+   record. Warnings are emitted if the TXT record does not exist; they can
+   be suppressed with ``check-spf``.
+
+``check-mx-cname``
+   If ``check-integrity`` is set, then fail, warn, or ignore MX records
+   that refer to CNAMES. The default is to ``warn``.
+
+``check-srv-cname``
+   If ``check-integrity`` is set, then fail, warn, or ignore SRV records
+   that refer to CNAMES. The default is to ``warn``.
+
+``check-sibling``
+   When performing integrity checks, also check that sibling glue
+   exists. The default is ``yes``.
+
+``check-spf``
+   If ``check-integrity`` is set, check that there is a TXT Sender
+   Policy Framework record present (starts with "v=spf1") if there is an
+   SPF record present. The default is ``warn``.
+
+``zero-no-soa-ttl``
+   If ``yes``, when returning authoritative negative responses to SOA queries, set
+   the TTL of the SOA record returned in the authority section to zero.
+   The default is ``yes``.
+
+``zero-no-soa-ttl-cache``
+   If ``yes``, when caching a negative response to an SOA query set the TTL to zero.
+   The default is ``no``.
+
+``update-check-ksk``
+   When set to the default value of ``yes``, check the KSK bit in each
+   key to determine how the key should be used when generating RRSIGs
+   for a secure zone.
+
+   Ordinarily, zone-signing keys (that is, keys without the KSK bit set)
+   are used to sign the entire zone, while key-signing keys (keys with
+   the KSK bit set) are only used to sign the DNSKEY RRset at the zone
+   apex. However, if this option is set to ``no``, then the KSK bit is
+   ignored; KSKs are treated as if they were ZSKs and are used to sign
+   the entire zone. This is similar to the ``dnssec-signzone -z``
+   command-line option.
+
+   When this option is set to ``yes``, there must be at least two active
+   keys for every algorithm represented in the DNSKEY RRset: at least
+   one KSK and one ZSK per algorithm. If there is any algorithm for
+   which this requirement is not met, this option is ignored for
+   that algorithm.
+
+``dnssec-dnskey-kskonly``
+   When this option and ``update-check-ksk`` are both set to ``yes``,
+   only key-signing keys (that is, keys with the KSK bit set) are
+   used to sign the DNSKEY, CDNSKEY, and CDS RRsets at the zone apex.
+   Zone-signing keys (keys without the KSK bit set) are used to sign
+   the remainder of the zone, but not the DNSKEY RRset. This is similar
+   to the ``dnssec-signzone -x`` command-line option.
+
+   The default is ``no``. If ``update-check-ksk`` is set to ``no``, this
+   option is ignored.
+
+``try-tcp-refresh``
+   If ``yes``, try to refresh the zone using TCP if UDP queries fail. The default is
+   ``yes``.
+
+``dnssec-secure-to-insecure``
+   This allows a dynamic zone to transition from secure to insecure (i.e.,
+   signed to unsigned) by deleting all of the DNSKEY records. The
+   default is ``no``. If set to ``yes``, and if the DNSKEY RRset at the
+   zone apex is deleted, all RRSIG and NSEC records are removed from
+   the zone as well.
+
+   If the zone uses NSEC3, it is also necessary to delete the
+   NSEC3PARAM RRset from the zone apex; this causes the removal of
+   all corresponding NSEC3 records. (It is expected that this
+   requirement will be eliminated in a future release.)
+
+   Note that if a zone has been configured with ``auto-dnssec maintain``
+   and the private keys remain accessible in the key repository,
+   the zone will be automatically signed again the next time ``named``
+   is started.
+
+``synth-from-dnssec``
+   This option synthesizes answers from cached NSEC, NSEC3, and other RRsets that have been
+   proved to be correct using DNSSEC. The default is ``no``, but it will become
+   ``yes`` again in future releases.
+
+   .. note:: DNSSEC validation must be enabled for this option to be effective.
+      This initial implementation only covers synthesis of answers from
+      NSEC records; synthesis from NSEC3 is planned for the future. This
+      will also be controlled by ``synth-from-dnssec``.
+
+Forwarding
+^^^^^^^^^^
+
+The forwarding facility can be used to create a large site-wide cache on
+a few servers, reducing traffic over links to external name servers. It
+can also be used to allow queries by servers that do not have direct
+access to the Internet, but wish to look up exterior names anyway.
+Forwarding occurs only on those queries for which the server is not
+authoritative and does not have the answer in its cache.
+
+``forward``
+   This option is only meaningful if the forwarders list is not empty. A
+   value of ``first`` is the default and causes the server to query the
+   forwarders first; if that does not answer the question, the
+   server then looks for the answer itself. If ``only`` is
+   specified, the server only queries the forwarders.
+
+``forwarders``
+   This specifies a list of IP addresses to which queries are forwarded. The
+   default is the empty list (no forwarding). Each address in the list can be
+   associated with an optional port number and/or DSCP value, and a default port
+   number and DSCP value can be set for the entire list.
+
+Forwarding can also be configured on a per-domain basis, allowing for
+the global forwarding options to be overridden in a variety of ways.
+Particular domains can be set to use different forwarders, or have a
+different ``forward only/first`` behavior, or not forward at all; see
+:ref:`zone_statement_grammar`.
+
+.. _dual_stack:
+
+Dual-stack Servers
+^^^^^^^^^^^^^^^^^^
+
+Dual-stack servers are used as servers of last resort, to work around
+problems in reachability due to the lack of support for either IPv4 or IPv6
+on the host machine.
+
+``dual-stack-servers``
+   This specifies host names or addresses of machines with access to both
+   IPv4 and IPv6 transports. If a hostname is used, the server must be
+   able to resolve the name using only the transport it has. If the
+   machine is dual-stacked, the ``dual-stack-servers`` parameter has no
+   effect unless access to a transport has been disabled on the command
+   line (e.g., ``named -4``).
+
+.. _access_control:
+
+Access Control
+^^^^^^^^^^^^^^
+
+Access to the server can be restricted based on the IP address of the
+requesting system. See :ref:`address_match_lists`
+for details on how to specify IP address lists.
+
+``allow-notify``
+   This ACL specifies which hosts may send NOTIFY messages to inform
+   this server of changes to zones for which it is acting as a secondary
+   server. This is only applicable for secondary zones (i.e., type
+   ``secondary`` or ``slave``).
+
+   If this option is set in ``view`` or ``options``, it is globally
+   applied to all secondary zones. If set in the ``zone`` statement, the
+   global value is overridden.
+
+   If not specified, the default is to process NOTIFY messages only from
+   the configured ``primaries`` for the zone. ``allow-notify`` can be used
+   to expand the list of permitted hosts, not to reduce it.
+
+``allow-query``
+   This specifies which hosts are allowed to ask ordinary DNS questions.
+   ``allow-query`` may also be specified in the ``zone`` statement, in
+   which case it overrides the ``options allow-query`` statement. If not
+   specified, the default is to allow queries from all hosts.
+
+   .. note:: ``allow-query-cache`` is used to specify access to the cache.
+
+``allow-query-on``
+   This specifies which local addresses can accept ordinary DNS questions.
+   This makes it possible, for instance, to allow queries on
+   internal-facing interfaces but disallow them on external-facing ones,
+   without necessarily knowing the internal network's addresses.
+
+   Note that ``allow-query-on`` is only checked for queries that are
+   permitted by ``allow-query``. A query must be allowed by both ACLs,
+   or it is refused.
+
+   ``allow-query-on`` may also be specified in the ``zone`` statement,
+   in which case it overrides the ``options allow-query-on`` statement.
+
+   If not specified, the default is to allow queries on all addresses.
+
+   .. note:: ``allow-query-cache`` is used to specify access to the cache.
+
+``allow-query-cache``
+   This specifies which hosts are allowed to get answers from the cache. If
+   ``allow-recursion`` is not set, BIND checks to see if the following parameters
+   are set, in order: ``allow-query-cache`` and ``allow-query`` (unless ``recursion no;`` is set).
+   If neither of those parameters is set, the default (localnets; localhost;) is used.
+
+``allow-query-cache-on``
+   This specifies which local addresses can send answers from the cache. If
+   ``allow-query-cache-on`` is not set, then ``allow-recursion-on`` is
+   used if set. Otherwise, the default is to allow cache responses to be
+   sent from any address. Note: both ``allow-query-cache`` and
+   ``allow-query-cache-on`` must be satisfied before a cache response
+   can be sent; a client that is blocked by one cannot be allowed by the
+   other.
+
+``allow-recursion``
+   This specifies which hosts are allowed to make recursive queries through
+   this server. BIND checks to see if the following parameters are set, in
+   order: ``allow-query-cache`` and ``allow-query``. If neither of those parameters
+   is set, the default (localnets; localhost;) is used.
+
+``allow-recursion-on``
+   This specifies which local addresses can accept recursive queries. If
+   ``allow-recursion-on`` is not set, then ``allow-query-cache-on`` is
+   used if set; otherwise, the default is to allow recursive queries on
+   all addresses. Any client permitted to send recursive queries can
+   send them to any address on which ``named`` is listening. Note: both
+   ``allow-recursion`` and ``allow-recursion-on`` must be satisfied
+   before recursion is allowed; a client that is blocked by one cannot
+   be allowed by the other.
+
+``allow-update``
+   When set in the ``zone`` statement for a primary zone, this specifies which
+   hosts are allowed to submit Dynamic DNS updates to that zone. The
+   default is to deny updates from all hosts.
+
+   Note that allowing updates based on the requestor's IP address is
+   insecure; see :ref:`dynamic_update_security` for details.
+
+   In general, this option should only be set at the ``zone`` level.
+   While a default value can be set at the ``options`` or ``view`` level
+   and inherited by zones, this could lead to some zones unintentionally
+   allowing updates.
+
+   Updates are written to the zone's filename that is set in ``file``.
+
+``allow-update-forwarding``
+   When set in the ``zone`` statement for a secondary zone, this specifies which
+   hosts are allowed to submit Dynamic DNS updates and have them be
+   forwarded to the primary. The default is ``{ none; }``, which means
+   that no update forwarding is performed.
+
+   To enable update forwarding, specify
+   ``allow-update-forwarding { any; };`` in the ``zone`` statement.
+   Specifying values other than ``{ none; }`` or ``{ any; }`` is usually
+   counterproductive; the responsibility for update access control
+   should rest with the primary server, not the secondary.
+
+   Note that enabling the update forwarding feature on a secondary server
+   may expose primary servers to attacks if they rely on insecure
+   IP-address-based access control; see :ref:`dynamic_update_security` for more details.
+
+   In general this option should only be set at the ``zone`` level.
+   While a default value can be set at the ``options`` or ``view`` level
+   and inherited by zones, this can lead to some zones unintentionally
+   forwarding updates.
+
+.. _allow-transfer-access:
+
+``allow-transfer``
+   This specifies which hosts are allowed to receive zone transfers from the
+   server. ``allow-transfer`` may also be specified in the ``zone``
+   statement, in which case it overrides the ``allow-transfer``
+   statement set in ``options`` or ``view``. If not specified, the
+   default is to allow transfers to all hosts.
+
+``blackhole``
+   This specifies a list of addresses which the server does not accept queries
+   from or use to resolve a query. Queries from these addresses are not
+   responded to. The default is ``none``.
+
+``keep-response-order``
+   This specifies a list of addresses to which the server sends responses
+   to TCP queries, in the same order in which they were received. This
+   disables the processing of TCP queries in parallel. The default is
+   ``none``.
+
+``no-case-compress``
+   This specifies a list of addresses which require responses to use
+   case-insensitive compression. This ACL can be used when ``named``
+   needs to work with clients that do not comply with the requirement in
+   :rfc:`1034` to use case-insensitive name comparisons when checking for
+   matching domain names.
+
+   If left undefined, the ACL defaults to ``none``: case-insensitive
+   compression is used for all clients. If the ACL is defined and
+   matches a client, case is ignored when compressing domain
+   names in DNS responses sent to that client.
+
+   This can result in slightly smaller responses; if a response contains
+   the names "example.com" and "example.COM", case-insensitive
+   compression treats the second one as a duplicate. It also
+   ensures that the case of the query name exactly matches the case of
+   the owner names of returned records, rather than matches the case of
+   the records entered in the zone file. This allows responses to
+   exactly match the query, which is required by some clients due to
+   incorrect use of case-sensitive comparisons.
+
+   Case-insensitive compression is *always* used in AXFR and IXFR
+   responses, regardless of whether the client matches this ACL.
+
+   There are circumstances in which ``named`` does not preserve the case
+   of owner names of records: if a zone file defines records of
+   different types with the same name, but the capitalization of the
+   name is different (e.g., "www.example.com/A" and
+   "WWW.EXAMPLE.COM/AAAA"), then all responses for that name use
+   the *first* version of the name that was used in the zone file. This
+   limitation may be addressed in a future release. However, domain
+   names specified in the rdata of resource records (i.e., records of
+   type NS, MX, CNAME, etc.) always have their case preserved unless
+   the client matches this ACL.
+
+``resolver-query-timeout``
+   This is the amount of time in milliseconds that the resolver spends
+   attempting to resolve a recursive query before failing. The default
+   and minimum is ``10000`` and the maximum is ``30000``. Setting it to
+   ``0`` results in the default being used.
+
+   This value was originally specified in seconds. Values less than or
+   equal to 300 are treated as seconds and converted to
+   milliseconds before applying the above limits.
+
+Interfaces
+^^^^^^^^^^
+
+The interfaces and ports that the server answers queries from may be
+specified using the ``listen-on`` option. ``listen-on`` takes an
+optional port and an ``address_match_list`` of IPv4 addresses. (IPv6
+addresses are ignored, with a logged warning.) The server listens on
+all interfaces allowed by the address match list. If a port is not
+specified, port 53 is used.
+
+Multiple ``listen-on`` statements are allowed. For example:
+
+::
+
+   listen-on { 5.6.7.8; };
+   listen-on port 1234 { !1.2.3.4; 1.2/16; };
+
+enables the name server on port 53 for the IP address 5.6.7.8, and
+on port 1234 of an address on the machine in net 1.2 that is not
+1.2.3.4.
+
+If no ``listen-on`` is specified, the server listens on port 53 on
+all IPv4 interfaces.
+
+The ``listen-on-v6`` option is used to specify the interfaces and the
+ports on which the server listens for incoming queries sent using
+IPv6. If not specified, the server listens on port 53 on all IPv6
+interfaces.
+
+Multiple ``listen-on-v6`` options can be used. For example:
+
+::
+
+   listen-on-v6 { any; };
+   listen-on-v6 port 1234 { !2001:db8::/32; any; };
+
+enables the name server on port 53 for any IPv6 addresses (with a
+single wildcard socket), and on port 1234 of IPv6 addresses that are not
+in the prefix 2001:db8::/32 (with separate sockets for each matched
+address).
+
+To instruct the server not to listen on any IPv6 address, use:
+
+::
+
+   listen-on-v6 { none; };
+
+.. _query_address:
+
+Query Address
+^^^^^^^^^^^^^
+
+If the server does not know the answer to a question, it queries other
+name servers. ``query-source`` specifies the address and port used for
+such queries. For queries sent over IPv6, there is a separate
+``query-source-v6`` option. If ``address`` is ``*`` (asterisk) or is
+omitted, a wildcard IP address (``INADDR_ANY``) is used.
+
+If ``port`` is ``*`` or is omitted, a random port number from a
+pre-configured range is picked up and used for each query. The
+port range(s) is specified in the ``use-v4-udp-ports`` (for IPv4)
+and ``use-v6-udp-ports`` (for IPv6) options, excluding the ranges
+specified in the ``avoid-v4-udp-ports`` and ``avoid-v6-udp-ports``
+options, respectively.
+
+The defaults of the ``query-source`` and ``query-source-v6`` options
+are:
+
+::
+
+   query-source address * port *;
+   query-source-v6 address * port *;
+
+If ``use-v4-udp-ports`` or ``use-v6-udp-ports`` is unspecified,
+``named`` checks whether the operating system provides a programming
+interface to retrieve the system's default range for ephemeral ports. If
+such an interface is available, ``named`` uses the corresponding
+system default range; otherwise, it uses its own defaults:
+
+::
+
+   use-v4-udp-ports { range 1024 65535; };
+   use-v6-udp-ports { range 1024 65535; };
+
+.. note:: Make sure the ranges are sufficiently large for security. A
+   desirable size depends on several parameters, but we generally recommend
+   it contain at least 16384 ports (14 bits of entropy). Note also that the
+   system's default range when used may be too small for this purpose, and
+   that the range may even be changed while ``named`` is running; the new
+   range is automatically applied when ``named`` is reloaded. Explicit
+   configuration of ``use-v4-udp-ports`` and ``use-v6-udp-ports`` is encouraged,
+   so that the ranges are sufficiently large and are reasonably
+   independent from the ranges used by other applications.
+
+.. note:: The operational configuration where ``named`` runs may prohibit
+   the use of some ports. For example, Unix systems do not allow
+   ``named``, if run without root privilege, to use ports less than 1024.
+   If such ports are included in the specified (or detected) set of query
+   ports, the corresponding query attempts will fail, resulting in
+   resolution failures or delay. It is therefore important to configure the
+   set of ports that can be safely used in the expected operational
+   environment.
+
+The defaults of the ``avoid-v4-udp-ports`` and ``avoid-v6-udp-ports``
+options are:
+
+::
+
+   avoid-v4-udp-ports {};
+   avoid-v6-udp-ports {};
+
+.. note:: BIND 9.5.0 introduced the ``use-queryport-pool`` option to support
+   a pool of such random ports, but this option is now obsolete because
+   reusing the same ports in the pool may not be sufficiently secure. For
+   the same reason, it is generally strongly discouraged to specify a
+   particular port for the ``query-source`` or ``query-source-v6`` options;
+   it implicitly disables the use of randomized port numbers.
+
+``use-queryport-pool``
+   This option is obsolete.
+
+``queryport-pool-ports``
+   This option is obsolete.
+
+``queryport-pool-updateinterval``
+   This option is obsolete.
+
+.. note:: The address specified in the ``query-source`` option is used for both
+   UDP and TCP queries, but the port applies only to UDP queries. TCP
+   queries always use a random unprivileged port.
+
+.. warning:: Specifying a single port is discouraged, as it removes a layer of
+   protection against spoofing errors.
+
+.. warning:: The configured ``port`` must not be same as the listening port.
+
+.. note:: See also ``transfer-source``, ``notify-source`` and ``parental-source``.
+
+.. _zone_transfers:
+
+Zone Transfers
+^^^^^^^^^^^^^^
+
+BIND has mechanisms in place to facilitate zone transfers and set limits
+on the amount of load that transfers place on the system. The following
+options apply to zone transfers.
+
+``also-notify``
+   This option defines a global list of IP addresses of name servers that are also
+   sent NOTIFY messages whenever a fresh copy of the zone is loaded, in
+   addition to the servers listed in the zone's NS records. This helps
+   to ensure that copies of the zones quickly converge on stealth
+   servers. Optionally, a port may be specified with each
+   ``also-notify`` address to send the notify messages to a port other
+   than the default of 53. An optional TSIG key can also be specified
+   with each address to cause the notify messages to be signed; this can
+   be useful when sending notifies to multiple views. In place of
+   explicit addresses, one or more named ``primaries`` lists can be used.
+
+   If an ``also-notify`` list is given in a ``zone`` statement, it
+   overrides the ``options also-notify`` statement. When a
+   ``zone notify`` statement is set to ``no``, the IP addresses in the
+   global ``also-notify`` list are not sent NOTIFY messages for that
+   zone. The default is the empty list (no global notification list).
+
+``max-transfer-time-in``
+   Inbound zone transfers running longer than this many minutes are
+   terminated. The default is 120 minutes (2 hours). The maximum value
+   is 28 days (40320 minutes).
+
+``max-transfer-idle-in``
+   Inbound zone transfers making no progress in this many minutes are
+   terminated. The default is 60 minutes (1 hour). The maximum value
+   is 28 days (40320 minutes).
+
+``max-transfer-time-out``
+   Outbound zone transfers running longer than this many minutes are
+   terminated. The default is 120 minutes (2 hours). The maximum value
+   is 28 days (40320 minutes).
+
+``max-transfer-idle-out``
+   Outbound zone transfers making no progress in this many minutes are
+   terminated. The default is 60 minutes (1 hour). The maximum value
+   is 28 days (40320 minutes).
+
+``notify-rate``
+   This specifies the rate at which NOTIFY requests are sent during normal zone
+   maintenance operations. (NOTIFY requests due to initial zone loading
+   are subject to a separate rate limit; see below.) The default is 20
+   per second. The lowest possible rate is one per second; when set to
+   zero, it is silently raised to one.
+
+``startup-notify-rate``
+   This is the rate at which NOTIFY requests are sent when the name server
+   is first starting up, or when zones have been newly added to the
+   name server. The default is 20 per second. The lowest possible rate is
+   one per second; when set to zero, it is silently raised to one.
+
+``serial-query-rate``
+   Secondary servers periodically query primary servers to find out if
+   zone serial numbers have changed. Each such query uses a minute
+   amount of the secondary server's network bandwidth. To limit the amount
+   of bandwidth used, BIND 9 limits the rate at which queries are sent.
+   The value of the ``serial-query-rate`` option, an integer, is the
+   maximum number of queries sent per second. The default is 20 per
+   second. The lowest possible rate is one per second; when set to zero,
+   it is silently raised to one.
+
+``transfer-format``
+   Zone transfers can be sent using two different formats,
+   ``one-answer`` and ``many-answers``. The ``transfer-format`` option
+   is used on the primary server to determine which format it sends.
+   ``one-answer`` uses one DNS message per resource record transferred.
+   ``many-answers`` packs as many resource records as possible into one
+   message. ``many-answers`` is more efficient; the default is ``many-answers``.
+   ``transfer-format`` may be overridden on a per-server basis by using
+   the ``server`` statement.
+
+``transfer-message-size``
+   This is an upper bound on the uncompressed size of DNS messages used
+   in zone transfers over TCP. If a message grows larger than this size,
+   additional messages are used to complete the zone transfer.
+   (Note, however, that this is a hint, not a hard limit; if a message
+   contains a single resource record whose RDATA does not fit within the
+   size limit, a larger message will be permitted so the record can be
+   transferred.)
+
+   Valid values are between 512 and 65535 octets; any values outside
+   that range are adjusted to the nearest value within it. The
+   default is ``20480``, which was selected to improve message
+   compression; most DNS messages of this size will compress to less
+   than 16536 bytes. Larger messages cannot be compressed as
+   effectively, because 16536 is the largest permissible compression
+   offset pointer in a DNS message.
+
+   This option is mainly intended for server testing; there is rarely
+   any benefit in setting a value other than the default.
+
+``transfers-in``
+   This is the maximum number of inbound zone transfers that can run
+   concurrently. The default value is ``10``. Increasing
+   ``transfers-in`` may speed up the convergence of secondary zones, but it
+   also may increase the load on the local system.
+
+``transfers-out``
+   This is the maximum number of outbound zone transfers that can run
+   concurrently. Zone transfer requests in excess of the limit are
+   refused. The default value is ``10``.
+
+``transfers-per-ns``
+   This is the maximum number of inbound zone transfers that can concurrently
+   transfer from a given remote name server. The default value is
+   ``2``. Increasing ``transfers-per-ns`` may speed up the convergence
+   of secondary zones, but it also may increase the load on the remote name
+   server. ``transfers-per-ns`` may be overridden on a per-server basis
+   by using the ``transfers`` phrase of the ``server`` statement.
+
+``transfer-source``
+   ``transfer-source`` determines which local address is bound to
+   IPv4 TCP connections used to fetch zones transferred inbound by the
+   server. It also determines the source IPv4 address, and optionally
+   the UDP port, used for the refresh queries and forwarded dynamic
+   updates. If not set, it defaults to a system-controlled value which
+   is usually the address of the interface "closest to" the remote
+   end. This address must appear in the remote end's ``allow-transfer``
+   option for the zone being transferred, if one is specified. This
+   statement sets the ``transfer-source`` for all zones, but can be
+   overridden on a per-view or per-zone basis by including a
+   ``transfer-source`` statement within the ``view`` or ``zone`` block
+   in the configuration file.
+
+   .. warning:: Specifying a single port is discouraged, as it removes a layer of
+      protection against spoofing errors.
+
+   .. warning:: The configured ``port`` must not be same as the listening port.
+
+``transfer-source-v6``
+   This option is the same as ``transfer-source``, except zone transfers are performed
+   using IPv6.
+
+``alt-transfer-source``
+   This indicates an alternate transfer source if the one listed in ``transfer-source``
+   fails and ``use-alt-transfer-source`` is set.
+
+   .. note:: To avoid using the alternate transfer source,
+      set ``use-alt-transfer-source`` appropriately and
+      do not depend upon getting an answer back to the first refresh
+      query.
+
+``alt-transfer-source-v6``
+   This indicates an alternate transfer source if the one listed in
+   ``transfer-source-v6`` fails and ``use-alt-transfer-source`` is set.
+
+``use-alt-transfer-source``
+   This indicates whether the alternate transfer sources should be used. If views are specified,
+   this defaults to ``no``; otherwise, it defaults to ``yes``.
+
+``notify-source``
+   ``notify-source`` determines which local source address, and
+   optionally UDP port, is used to send NOTIFY messages. This
+   address must appear in the secondary server's ``primaries`` zone clause or
+   in an ``allow-notify`` clause. This statement sets the
+   ``notify-source`` for all zones, but can be overridden on a per-zone
+   or per-view basis by including a ``notify-source`` statement within
+   the ``zone`` or ``view`` block in the configuration file.
+
+   .. warning:: Specifying a single port is discouraged, as it removes a layer of
+      protection against spoofing errors.
+
+   .. warning:: The configured ``port`` must not be same as the listening port.
+
+``notify-source-v6``
+   This option acts like ``notify-source``, but applies to notify messages sent to IPv6
+   addresses.
+
+.. _port_lists:
+
+UDP Port Lists
+^^^^^^^^^^^^^^
+
+``use-v4-udp-ports``, ``avoid-v4-udp-ports``, ``use-v6-udp-ports``, and
+``avoid-v6-udp-ports`` specify a list of IPv4 and IPv6 UDP ports that
+are or are not used as source ports for UDP messages. See
+:ref:`query_address` about how the available ports are
+determined. For example, with the following configuration:
+
+::
+
+   use-v6-udp-ports { range 32768 65535; };
+   avoid-v6-udp-ports { 40000; range 50000 60000; };
+
+UDP ports of IPv6 messages sent from ``named`` are in one of the
+following ranges: 32768 to 39999, 40001 to 49999, and 60001 to 65535.
+
+``avoid-v4-udp-ports`` and ``avoid-v6-udp-ports`` can be used to prevent
+``named`` from choosing as its random source port a port that is blocked
+by a firewall or a port that is used by other applications; if a
+query went out with a source port blocked by a firewall, the answer
+would not pass through the firewall and the name server would have to query
+again. Note: the desired range can also be represented only with
+``use-v4-udp-ports`` and ``use-v6-udp-ports``, and the ``avoid-``
+options are redundant in that sense; they are provided for backward
+compatibility and to possibly simplify the port specification.
+
+.. _resource_limits:
+
+Operating System Resource Limits
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The server's usage of many system resources can be limited. Scaled
+values are allowed when specifying resource limits. For example, ``1G``
+can be used instead of ``1073741824`` to specify a limit of one
+gigabyte. ``unlimited`` requests unlimited use, or the maximum available
+amount. ``default`` uses the limit that was in force when the server was
+started. See the description of ``size_spec`` in :ref:`configuration_file_elements`.
+
+The following options set operating system resource limits for the name
+server process. Some operating systems do not support some or any of the
+limits; on such systems, a warning is issued if an unsupported
+limit is used.
+
+``coresize``
+   This sets the maximum size of a core dump. The default is ``default``.
+
+``datasize``
+   This sets the maximum amount of data memory the server may use. The default is
+   ``default``. This is a hard limit on server memory usage; if the
+   server attempts to allocate memory in excess of this limit, the
+   allocation will fail, which may in turn leave the server unable to
+   perform DNS service. Therefore, this option is rarely useful as a way
+   to limit the amount of memory used by the server, but it can be
+   used to raise an operating system data size limit that is too small
+   by default. To limit the amount of memory used by the
+   server, use the ``max-cache-size`` and ``recursive-clients`` options
+   instead.
+
+``files``
+   This sets the maximum number of files the server may have open concurrently.
+   The default is ``unlimited``.
+
+``stacksize``
+   This sets the maximum amount of stack memory the server may use. The default is
+   ``default``.
+
+.. _server_resource_limits:
+
+Server Resource Limits
+^^^^^^^^^^^^^^^^^^^^^^
+
+The following options set limits on the server's resource consumption
+that are enforced internally by the server rather than by the operating
+system.
+
+``max-journal-size``
+   This sets a maximum size for each journal file (see :ref:`journal`),
+   expressed in bytes or, if followed by an
+   optional unit suffix ('k', 'm', or 'g'), in kilobytes, megabytes, or
+   gigabytes. When the journal file approaches the specified size, some
+   of the oldest transactions in the journal are automatically
+   removed. The largest permitted value is 2 gigabytes. Very small
+   values are rounded up to 4096 bytes. It is possible to specify ``unlimited``,
+   which also means 2 gigabytes. If the limit is set to ``default`` or
+   left unset, the journal is allowed to grow up to twice as large
+   as the zone. (There is little benefit in storing larger journals.)
+
+   This option may also be set on a per-zone basis.
+
+``max-records``
+   This sets the maximum number of records permitted in a zone. The default is
+   zero, which means the maximum is unlimited.
+
+``recursive-clients``
+   This sets the maximum number (a "hard quota") of simultaneous recursive lookups
+   the server performs on behalf of clients. The default is
+   ``1000``. Because each recursing client uses a fair bit of memory (on
+   the order of 20 kilobytes), the value of the ``recursive-clients``
+   option may have to be decreased on hosts with limited memory.
+
+   ``recursive-clients`` defines a "hard quota" limit for pending
+   recursive clients; when more clients than this are pending, new
+   incoming requests are not accepted, and for each incoming request
+   a previous pending request is dropped.
+
+   A "soft quota" is also set. When this lower quota is exceeded,
+   incoming requests are accepted, but for each one, a pending request
+   is dropped. If ``recursive-clients`` is greater than 1000, the
+   soft quota is set to ``recursive-clients`` minus 100; otherwise it is
+   set to 90% of ``recursive-clients``.
+
+``tcp-clients``
+   This is the maximum number of simultaneous client TCP connections that the
+   server accepts. The default is ``150``.
+
+.. _clients-per-query:
+
+``clients-per-query``; ``max-clients-per-query``
+   These set the initial value (minimum) and maximum number of recursive
+   simultaneous clients for any given query (<qname,qtype,qclass>) that
+   the server accepts before dropping additional clients. ``named``
+   attempts to self-tune this value and changes are logged. The
+   default values are 10 and 100.
+
+   This value should reflect how many queries come in for a given name
+   in the time it takes to resolve that name. If the number of queries
+   exceeds this value, ``named`` assumes that it is dealing with a
+   non-responsive zone and drops additional queries. If it gets a
+   response after dropping queries, it raises the estimate. The
+   estimate is then lowered in 20 minutes if it has remained
+   unchanged.
+
+   If ``clients-per-query`` is set to zero, there is no limit on
+   the number of clients per query and no queries are dropped.
+
+   If ``max-clients-per-query`` is set to zero, there is no upper
+   bound other than that imposed by ``recursive-clients``.
+
+``fetches-per-zone``
+   This sets the maximum number of simultaneous iterative queries to any one
+   domain that the server permits before blocking new queries for
+   data in or beneath that zone. This value should reflect how many
+   fetches would normally be sent to any one zone in the time it would
+   take to resolve them. It should be smaller than
+   ``recursive-clients``.
+
+   When many clients simultaneously query for the same name and type,
+   the clients are all attached to the same fetch, up to the
+   ``max-clients-per-query`` limit, and only one iterative query is
+   sent. However, when clients are simultaneously querying for
+   *different* names or types, multiple queries are sent and
+   ``max-clients-per-query`` is not effective as a limit.
+
+   Optionally, this value may be followed by the keyword ``drop`` or
+   ``fail``, indicating whether queries which exceed the fetch quota for
+   a zone are dropped with no response, or answered with SERVFAIL.
+   The default is ``drop``.
+
+   If ``fetches-per-zone`` is set to zero, there is no limit on the
+   number of fetches per query and no queries are dropped. The
+   default is zero.
+
+   The current list of active fetches can be dumped by running
+   ``rndc recursing``. The list includes the number of active fetches
+   for each domain and the number of queries that have been passed
+   (allowed) or dropped (spilled) as a result of the ``fetches-per-zone``
+   limit. (Note: these counters are not cumulative over time;
+   whenever the number of active fetches for a domain drops to zero,
+   the counter for that domain is deleted, and the next time a fetch
+   is sent to that domain, it is recreated with the counters set
+   to zero.)
+
+``fetches-per-server``
+   This sets the maximum number of simultaneous iterative queries that the server
+   allows to be sent to a single upstream name server before
+   blocking additional queries. This value should reflect how many
+   fetches would normally be sent to any one server in the time it would
+   take to resolve them. It should be smaller than
+   ``recursive-clients``.
+
+   Optionally, this value may be followed by the keyword ``drop`` or
+   ``fail``, indicating whether queries are dropped with no
+   response or answered with SERVFAIL, when all of the servers
+   authoritative for a zone are found to have exceeded the per-server
+   quota. The default is ``fail``.
+
+   If ``fetches-per-server`` is set to zero, there is no limit on
+   the number of fetches per query and no queries are dropped. The
+   default is zero.
+
+   The ``fetches-per-server`` quota is dynamically adjusted in response
+   to detected congestion. As queries are sent to a server and either are
+   answered or time out, an exponentially weighted moving average
+   is calculated of the ratio of timeouts to responses. If the current
+   average timeout ratio rises above a "high" threshold, then
+   ``fetches-per-server`` is reduced for that server. If the timeout
+   ratio drops below a "low" threshold, then ``fetches-per-server`` is
+   increased. The ``fetch-quota-params`` options can be used to adjust
+   the parameters for this calculation.
+
+``fetch-quota-params``
+   This sets the parameters to use for dynamic resizing of the
+   ``fetches-per-server`` quota in response to detected congestion.
+
+   The first argument is an integer value indicating how frequently to
+   recalculate the moving average of the ratio of timeouts to responses
+   for each server. The default is 100, meaning that BIND recalculates the
+   average ratio after every 100 queries have either been answered or
+   timed out.
+
+   The remaining three arguments represent the "low" threshold
+   (defaulting to a timeout ratio of 0.1), the "high" threshold
+   (defaulting to a timeout ratio of 0.3), and the discount rate for the
+   moving average (defaulting to 0.7). A higher discount rate causes
+   recent events to weigh more heavily when calculating the moving
+   average; a lower discount rate causes past events to weigh more
+   heavily, smoothing out short-term blips in the timeout ratio. These
+   arguments are all fixed-point numbers with precision of 1/100; at
+   most two places after the decimal point are significant.
+
+``reserved-sockets``
+   This sets the number of file descriptors reserved for TCP, stdio, etc. This
+   needs to be big enough to cover the number of interfaces ``named``
+   listens on plus ``tcp-clients``, as well as to provide room for
+   outgoing TCP queries and incoming zone transfers. The default is
+   ``512``. The minimum value is ``128`` and the maximum value is
+   ``128`` fewer than maxsockets (-S). This option may be removed in the
+   future.
+
+   This option has little effect on Windows.
+
+``max-cache-size``
+   This sets the maximum amount of memory to use for an individual cache
+   database and its associated metadata, in bytes or percentage of total
+   physical memory. By default, each view has its own separate cache,
+   which means the total amount of memory required for cache data is the
+   sum of the cache database sizes for all views (unless the
+   :ref:`attach-cache <attach-cache>` option is used).
+
+   When the amount of data in a cache database reaches the configured
+   limit, ``named`` starts purging non-expired records (following an
+   LRU-based strategy).
+
+   The default size limit for each individual cache is:
+
+     - 90% of physical memory for views with ``recursion`` set to
+       ``yes`` (the default), or
+
+     - 2 MB for views with ``recursion`` set to ``no``.
+
+   Any positive value smaller than 2 MB is ignored and reset to 2 MB.
+   The keyword ``unlimited``, or the value ``0``, places no limit on the
+   cache size; records are then purged from the cache only when they
+   expire (according to their TTLs).
+
+   .. note::
+
+       For configurations which define multiple views with separate
+       caches and recursion enabled, it is recommended to set
+       ``max-cache-size`` appropriately for each view, as using the
+       default value of that option (90% of physical memory for each
+       individual cache) may lead to memory exhaustion over time.
+
+   .. note::
+
+       ``max-cache-size`` does not work reliably for the maximum
+       amount of memory of 100 MB or lower.
+
+   Upon startup and reconfiguration, caches with a limited size
+   preallocate a small amount of memory (less than 1% of
+   ``max-cache-size`` for a given view). This preallocation serves as an
+   optimization to eliminate extra latency introduced by resizing
+   internal cache structures.
+
+   On systems where detection of the amount of physical memory is not
+   supported, percentage-based values fall back to ``unlimited``. Note
+   that the amount of physical memory available is only detected on
+   startup, so ``named`` does not adjust the cache size limits if the
+   amount of physical memory is changed at runtime.
+
+``tcp-listen-queue``
+   This sets the listen-queue depth. The default and minimum is 10. If the kernel
+   supports the accept filter "dataready", this also controls how many
+   TCP connections are queued in kernel space waiting for some
+   data before being passed to accept. Non-zero values less than 10 are
+   silently raised. A value of 0 may also be used; on most platforms
+   this sets the listen-queue length to a system-defined default value.
+
+``tcp-initial-timeout``
+   This sets the amount of time (in units of 100 milliseconds) that the server waits on
+   a new TCP connection for the first message from the client. The
+   default is 300 (30 seconds), the minimum is 25 (2.5 seconds), and the
+   maximum is 1200 (two minutes). Values above the maximum or below the
+   minimum are adjusted with a logged warning. (Note: this value
+   must be greater than the expected round-trip delay time; otherwise, no
+   client will ever have enough time to submit a message.) This value
+   can be updated at runtime by using ``rndc tcp-timeouts``.
+
+``tcp-idle-timeout``
+   This sets the amount of time (in units of 100 milliseconds) that the server waits on
+   an idle TCP connection before closing it, when the client is not using
+   the EDNS TCP keepalive option. The default is 300 (30 seconds), the
+   maximum is 1200 (two minutes), and the minimum is 1 (one-tenth of a
+   second). Values above the maximum or below the minimum are
+   adjusted with a logged warning. See ``tcp-keepalive-timeout`` for
+   clients using the EDNS TCP keepalive option. This value can be
+   updated at runtime by using ``rndc tcp-timeouts``.
+
+``tcp-keepalive-timeout``
+   This sets the amount of time (in units of 100 milliseconds) that the server waits on
+   an idle TCP connection before closing it, when the client is using the
+   EDNS TCP keepalive option. The default is 300 (30 seconds), the
+   maximum is 65535 (about 1.8 hours), and the minimum is 1 (one-tenth
+   of a second). Values above the maximum or below the minimum are
+   adjusted with a logged warning. This value may be greater than
+   ``tcp-idle-timeout`` because clients using the EDNS TCP keepalive
+   option are expected to use TCP connections for more than one message.
+   This value can be updated at runtime by using ``rndc tcp-timeouts``.
+
+``tcp-advertised-timeout``
+   This sets the timeout value (in units of 100 milliseconds) that the server sends
+   in responses containing the EDNS TCP keepalive option, which informs a
+   client of the amount of time it may keep the session open. The
+   default is 300 (30 seconds), the maximum is 65535 (about 1.8 hours),
+   and the minimum is 0, which signals that the clients must close TCP
+   connections immediately. Ordinarily this should be set to the same
+   value as ``tcp-keepalive-timeout``. This value can be updated at
+   runtime by using ``rndc tcp-timeouts``.
+
+``update-quota``
+   This is the maximum number of simultaneous DNS UPDATE messages that
+   the server will accept for updating local authoritiative zones or
+   forwarding to a primary server. The default is ``100``.
+
+.. _intervals:
+
+Periodic Task Intervals
+^^^^^^^^^^^^^^^^^^^^^^^
+
+``cleaning-interval``
+   This option is obsolete.
+
+``heartbeat-interval``
+   The server performs zone maintenance tasks for all zones marked
+   as ``dialup`` whenever this interval expires. The default is 60
+   minutes. Reasonable values are up to 1 day (1440 minutes). The
+   maximum value is 28 days (40320 minutes). If set to 0, no zone
+   maintenance for these zones occurs.
+
+``interface-interval``
+   The server scans the network interface list every ``interface-interval``
+   minutes. The default is 60 minutes; the maximum value is 28 days (40320
+   minutes). If set to 0, interface scanning only occurs when the configuration
+   file is loaded, or when ``automatic-interface-scan`` is enabled and supported
+   by the operating system. After the scan, the server begins listening for
+   queries on any newly discovered interfaces (provided they are allowed by the
+   ``listen-on`` configuration), and stops listening on interfaces that have
+   gone away. For convenience, TTL-style time-unit suffixes may be used to
+   specify the value. It also accepts ISO 8601 duration formats.
+
+.. _the_sortlist_statement:
+
+The ``sortlist`` Statement
+^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The response to a DNS query may consist of multiple resource records
+(RRs) forming a resource record set (RRset). The name server
+normally returns the RRs within the RRset in an indeterminate order (but
+see the ``rrset-order`` statement in :ref:`rrset_ordering`). The client resolver code should
+rearrange the RRs as appropriate: that is, using any addresses on the
+local net in preference to other addresses. However, not all resolvers
+can do this or are correctly configured. When a client is using a local
+server, the sorting can be performed in the server, based on the
+client's address. This only requires configuring the name servers, not
+all the clients.
+
+The ``sortlist`` statement (see below) takes an ``address_match_list`` and
+interprets it in a special way. Each top-level statement in the ``sortlist``
+must itself be an explicit ``address_match_list`` with one or two elements. The
+first element (which may be an IP address, an IP prefix, an ACL name, or a nested
+``address_match_list``) of each top-level list is checked against the source
+address of the query until a match is found. When the addresses in the first
+element overlap, the first rule to match is selected.
+
+Once the source address of the query has been matched, if the top-level
+statement contains only one element, the actual primitive element that
+matched the source address is used to select the address in the response
+to move to the beginning of the response. If the statement is a list of
+two elements, then the second element is interpreted as a topology
+preference list. Each top-level element is assigned a distance, and the
+address in the response with the minimum distance is moved to the
+beginning of the response.
+
+In the following example, any queries received from any of the addresses
+of the host itself get responses preferring addresses on any of the
+locally connected networks. Next most preferred are addresses on the
+192.168.1/24 network, and after that either the 192.168.2/24 or
+192.168.3/24 network, with no preference shown between these two
+networks. Queries received from a host on the 192.168.1/24 network
+prefer other addresses on that network to the 192.168.2/24 and
+192.168.3/24 networks. Queries received from a host on the 192.168.4/24
+or the 192.168.5/24 network only prefer other addresses on their
+directly connected networks.
+
+::
+
+   sortlist {
+       // IF the local host
+       // THEN first fit on the following nets
+       { localhost;
+       { localnets;
+           192.168.1/24;
+           { 192.168.2/24; 192.168.3/24; }; }; };
+       // IF on class C 192.168.1 THEN use .1, or .2 or .3
+       { 192.168.1/24;
+       { 192.168.1/24;
+           { 192.168.2/24; 192.168.3/24; }; }; };
+       // IF on class C 192.168.2 THEN use .2, or .1 or .3
+       { 192.168.2/24;
+       { 192.168.2/24;
+           { 192.168.1/24; 192.168.3/24; }; }; };
+       // IF on class C 192.168.3 THEN use .3, or .1 or .2
+       { 192.168.3/24;
+       { 192.168.3/24;
+           { 192.168.1/24; 192.168.2/24; }; }; };
+       // IF .4 or .5 THEN prefer that net
+       { { 192.168.4/24; 192.168.5/24; };
+       };
+   };
+
+The following example illlustrates reasonable behavior for the local host
+and hosts on directly connected networks. Responses sent to queries from the
+local host favor any of the directly connected networks. Responses
+sent to queries from any other hosts on a directly connected network
+prefer addresses on that same network. Responses to other queries
+are not sorted.
+
+::
+
+   sortlist {
+          { localhost; localnets; };
+          { localnets; };
+   };
+
+.. _rrset_ordering:
+
+RRset Ordering
+^^^^^^^^^^^^^^
+
+.. note::
+
+    While alternating the order of records in a DNS response between
+    subsequent queries is a known load distribution technique, certain
+    caveats apply (mostly stemming from caching) which usually make it a
+    suboptimal choice for load balancing purposes when used on its own.
+
+The ``rrset-order`` statement permits configuration of the ordering of
+the records in a multiple-record response. See also:
+:ref:`the_sortlist_statement`.
+
+Each rule in an ``rrset-order`` statement is defined as follows:
+
+::
+
+    [class <class_name>] [type <type_name>] [name "<domain_name>"] order <ordering>
+
+The default qualifiers for each rule are:
+
+  - If no ``class`` is specified, the default is ``ANY``.
+  - If no ``type`` is specified, the default is ``ANY``.
+  - If no ``name`` is specified, the default is ``*`` (asterisk).
+
+``<domain_name>`` only matches the name itself, not any of its
+subdomains.  To make a rule match all subdomains of a given name, a
+wildcard name (``*.<domain_name>``) must be used.  Note that
+``*.<domain_name>`` does *not* match ``<domain_name>`` itself; to
+specify RRset ordering for a name and all of its subdomains, two
+separate rules must be defined: one for ``<domain_name>`` and one for
+``*.<domain_name>``.
+
+The legal values for ``<ordering>`` are:
+
+``fixed``
+    Records are returned in the order they are defined in the zone file.
+
+.. note::
+
+    The ``fixed`` option is only available if BIND is configured with
+    ``--enable-fixed-rrset`` at compile time.
+
+``random``
+    Records are returned in a random order.
+
+``cyclic``
+    Records are returned in a cyclic round-robin order, rotating by one
+    record per query.
+
+``none``
+    Records are returned in the order they were retrieved from the
+    database. This order is indeterminate, but remains consistent as
+    long as the database is not modified.
+
+The default RRset order used depends on whether any ``rrset-order``
+statements are present in the configuration file used by ``named``:
+
+  - If no ``rrset-order`` statement is present in the configuration
+    file, the implicit default is to return all records in ``random``
+    order.
+
+  - If any ``rrset-order`` statements are present in the configuration
+    file, but no ordering rule specified in these statements matches a
+    given RRset, the default order for that RRset is ``none``.
+
+Note that if multiple ``rrset-order`` statements are present in the
+configuration file (at both the ``options`` and ``view`` levels), they
+are *not* combined; instead, the more-specific one (``view``) replaces
+the less-specific one (``options``).
+
+If multiple rules within a single ``rrset-order`` statement match a
+given RRset, the first matching rule is applied.
+
+Example:
+
+::
+
+    rrset-order {
+        type A name "foo.isc.org" order random;
+        type AAAA name "foo.isc.org" order cyclic;
+        name "bar.isc.org" order fixed;
+        name "*.bar.isc.org" order random;
+        name "*.baz.isc.org" order cyclic;
+    };
+
+With the above configuration, the following RRset ordering is used:
+
+===================    ========    ===========
+QNAME                  QTYPE       RRset Order
+===================    ========    ===========
+``foo.isc.org``        ``A``       ``random``
+``foo.isc.org``        ``AAAA``    ``cyclic``
+``foo.isc.org``        ``TXT``     ``none``
+``sub.foo.isc.org``    all         ``none``
+``bar.isc.org``        all         ``fixed``
+``sub.bar.isc.org``    all         ``random``
+``baz.isc.org``        all         ``none``
+``sub.baz.isc.org``    all         ``cyclic``
+===================    ========    ===========
+
+.. _tuning:
+
+Tuning
+^^^^^^
+
+``lame-ttl``
+   This is always set to 0. More information is available in the
+   `security advisory for CVE-2021-25219
+   <https://kb.isc.org/docs/cve-2021-25219>`_.
+
+``servfail-ttl``
+   This sets the number of seconds to cache a SERVFAIL response due to DNSSEC
+   validation failure or other general server failure. If set to ``0``,
+   SERVFAIL caching is disabled. The SERVFAIL cache is not consulted if
+   a query has the CD (Checking Disabled) bit set; this allows a query
+   that failed due to DNSSEC validation to be retried without waiting
+   for the SERVFAIL TTL to expire.
+
+   The maximum value is ``30`` seconds; any higher value is
+   silently reduced. The default is ``1`` second.
+
+``min-ncache-ttl``
+   To reduce network traffic and increase performance, the server stores
+   negative answers. ``min-ncache-ttl`` is used to set a minimum
+   retention time for these answers in the server, in seconds. For
+   convenience, TTL-style time-unit suffixes may be used to specify the
+   value. It also accepts ISO 8601 duration formats.
+
+   The default ``min-ncache-ttl`` is ``0`` seconds. ``min-ncache-ttl`` cannot
+   exceed 90 seconds and is truncated to 90 seconds if set to a greater
+   value.
+
+``min-cache-ttl``
+   This sets the minimum time for which the server caches ordinary (positive)
+   answers, in seconds. For convenience, TTL-style time-unit suffixes may be used
+   to specify the value. It also accepts ISO 8601 duration formats.
+
+   The default ``min-cache-ttl`` is ``0`` seconds. ``min-cache-ttl`` cannot
+   exceed 90 seconds and is truncated to 90 seconds if set to a greater
+   value.
+
+``max-ncache-ttl``
+   To reduce network traffic and increase performance, the server stores
+   negative answers. ``max-ncache-ttl`` is used to set a maximum retention time
+   for these answers in the server, in seconds. For convenience, TTL-style
+   time-unit suffixes may be used to specify the value.  It also accepts ISO 8601
+   duration formats.
+
+   The default ``max-ncache-ttl`` is 10800 seconds (3 hours). ``max-ncache-ttl``
+   cannot exceed 7 days and is silently truncated to 7 days if set to a
+   greater value.
+
+``max-cache-ttl``
+   This sets the maximum time for which the server caches ordinary (positive)
+   answers, in seconds. For convenience, TTL-style time-unit suffixes may be used
+   to specify the value. It also accepts ISO 8601 duration formats.
+
+   The default ``max-cache-ttl`` is 604800 (one week). A value of zero may cause
+   all queries to return SERVFAIL, because of lost caches of intermediate RRsets
+   (such as NS and glue AAAA/A records) in the resolution process.
+
+``max-stale-ttl``
+   If retaining stale RRsets in cache is enabled, and returning of stale cached
+   answers is also enabled, ``max-stale-ttl`` sets the maximum time for which
+   the server retains records past their normal expiry to return them as stale
+   records, when the servers for those records are not reachable. The default
+   is 1 day. The minimum allowed is 1 second; a value of 0 is updated silently
+   to 1 second.
+
+   For stale answers to be returned, the retaining of them in cache must be
+   enabled via the configuration option ``stale-cache-enable``, and returning
+   cached answers must be enabled, either in the configuration file using the
+   ``stale-answer-enable`` option or by calling ``rndc serve-stale on``.
+
+   When ``stale-cache-enable`` is set to ``no``, setting the ``max-stale-ttl``
+   has no effect, the value of ``max-cache-ttl`` will be ``0`` in such case.
+
+``resolver-nonbackoff-tries``
+   This specifies how many retries occur before exponential backoff kicks in. The
+   default is ``3``.
+
+``resolver-retry-interval``
+   This sets the base retry interval in milliseconds. The default is ``800``.
+
+``sig-validity-interval``
+   this specifies the upper bound of the number of days that RRSIGs
+   generated by ``named`` are valid; the default is ``30`` days,
+   with a maximum of 3660 days (10 years). The optional second value
+   specifies the minimum bound on those RRSIGs and also determines
+   how long before expiry ``named`` starts regenerating those RRSIGs.
+   The default value for the lower bound is 1/4 of the upper bound;
+   it is expressed in days if the upper bound is greater than 7,
+   and hours if it is less than or equal to 7 days.
+
+   When new RRSIGs are generated, the length of time is randomly
+   chosen between these two limits, to spread out the re-signing
+   load. When RRSIGs are re-generated, the upper bound is used, with
+   a small amount of jitter added. New RRSIGs are generated by a
+   number of processes, including the processing of UPDATE requests
+   (ref:`dynamic_update`), the addition and removal of records via
+   in-line signing, and the initial signing of a zone.
+
+   The signature inception time is unconditionally set to one hour
+   before the current time, to allow for a limited amount of clock skew.
+
+   The ``sig-validity-interval`` can be overridden for DNSKEY records by
+   setting ``dnskey-sig-validity``.
+
+   The ``sig-validity-interval`` should be at least several multiples
+   of the SOA expire interval, to allow for reasonable interaction
+   between the various timer and expiry dates.
+
+``dnskey-sig-validity``
+   This specifies the number of days into the future when DNSSEC signatures
+   that are automatically generated for DNSKEY RRsets as a result of
+   dynamic updates (:ref:`dynamic_update`) will expire.
+   If set to a non-zero value, this overrides the value set by
+   ``sig-validity-interval``. The default is zero, meaning
+   ``sig-validity-interval`` is used. The maximum value is 3660 days (10
+   years), and higher values are rejected.
+
+``sig-signing-nodes``
+   This specifies the maximum number of nodes to be examined in each quantum,
+   when signing a zone with a new DNSKEY. The default is ``100``.
+
+``sig-signing-signatures``
+   This specifies a threshold number of signatures that terminates
+   processing a quantum, when signing a zone with a new DNSKEY. The
+   default is ``10``.
+
+``sig-signing-type``
+   This specifies a private RDATA type to be used when generating signing-state
+   records. The default is ``65534``.
+
+   This parameter may be removed in a future version,
+   once there is a standard type.
+
+   Signing-state records are used internally by ``named`` to track
+   the current state of a zone-signing process, i.e., whether it is
+   still active or has been completed. The records can be inspected
+   using the command ``rndc signing -list zone``. Once ``named`` has
+   finished signing a zone with a particular key, the signing-state
+   record associated with that key can be removed from the zone by
+   running ``rndc signing -clear keyid/algorithm zone``. To clear all of
+   the completed signing-state records for a zone, use
+   ``rndc signing -clear all zone``.
+
+``min-refresh-time``; ``max-refresh-time``; ``min-retry-time``; ``max-retry-time``
+   These options control the server's behavior on refreshing a zone
+   (querying for SOA changes) or retrying failed transfers. Usually the
+   SOA values for the zone are used, up to a hard-coded maximum expiry
+   of 24 weeks. However, these values are set by the primary, giving
+   secondary server administrators little control over their contents.
+
+   These options allow the administrator to set a minimum and maximum
+   refresh and retry time in seconds per-zone, per-view, or globally.
+   These options are valid for secondary and stub zones, and clamp the SOA
+   refresh and retry times to the specified values.
+
+   The following defaults apply: ``min-refresh-time`` 300 seconds,
+   ``max-refresh-time`` 2419200 seconds (4 weeks), ``min-retry-time``
+   500 seconds, and ``max-retry-time`` 1209600 seconds (2 weeks).
+
+``edns-udp-size``
+   This sets the maximum advertised EDNS UDP buffer size, in bytes, to control
+   the size of packets received from authoritative servers in response
+   to recursive queries. Valid values are 512 to 4096; values outside
+   this range are silently adjusted to the nearest value within it.
+   The default value is 1232.
+
+   The usual reason for setting ``edns-udp-size`` to a non-default value
+   is to get UDP answers to pass through broken firewalls that block
+   fragmented packets and/or block UDP DNS packets that are greater than
+   512 bytes.
+
+   When ``named`` first queries a remote server, it advertises a UDP
+   buffer size of 512, as this has the greatest chance of success on the
+   first try.
+
+   If the initial query is successful with EDNS advertising a buffer size of
+   512, then ``named`` will advertise progressively larger buffer sizes on
+   successive queries, until responses begin timing out or ``edns-udp-size`` is
+   reached.
+
+   The default buffer sizes used by ``named`` are 512, 1232, 1432, and
+   4096, but never exceeding ``edns-udp-size``. (The values 1232 and
+   1432 are chosen to allow for an IPv4-/IPv6-encapsulated UDP message
+   to be sent without fragmentation at the minimum MTU sizes for
+   Ethernet and IPv6 networks.)
+
+   According to the measurements done by multiple parties the default value
+   should not be causing the fragmentation as most of the Internet "core" is able to
+   cope with IP message sizes between 1400-1500 bytes, the 1232 size was picked
+   as a conservative minimal number that could be changed by the DNS operator to
+   a estimated path MTU minus the estimated header space. In practice, the
+   smallest MTU witnessed in the operational DNS community is 1500 octets, the
+   Ethernet maximum payload size, so a a useful default for maximum DNS/UDP
+   payload size on **reliable** networks would be 1432.
+
+   Any server-specific ``edns-udp-size`` setting has precedence over all
+   the above rules.
+
+``max-udp-size``
+   This sets the maximum EDNS UDP message size that ``named`` sends, in bytes.
+   Valid values are 512 to 4096; values outside this range are
+   silently adjusted to the nearest value within it. The default value
+   is 1232.
+
+   This value applies to responses sent by a server; to set the
+   advertised buffer size in queries, see ``edns-udp-size``.
+
+   The usual reason for setting ``max-udp-size`` to a non-default value
+   is to allow UDP answers to pass through broken firewalls that block
+   fragmented packets and/or block UDP packets that are greater than 512
+   bytes. This is independent of the advertised receive buffer
+   (``edns-udp-size``).
+
+   Setting this to a low value encourages additional TCP traffic to
+   the name server.
+
+``masterfile-format``
+   This specifies the file format of zone files (see :ref:`zonefile_format`
+   for details).  The default value is ``text``, which is the standard
+   textual representation, except for secondary zones, in which the default
+   value is ``raw``. Files in formats other than ``text`` are typically
+   expected to be generated by the ``named-compilezone`` tool, or dumped by
+   ``named``.
+
+   Note that when a zone file in a format other than ``text`` is loaded,
+   ``named`` may omit some of the checks which are performed for a file in
+   ``text`` format. For example, ``check-names`` only applies when loading
+   zones in ``text`` format, and ``max-zone-ttl`` only applies to ``text``
+   and ``raw``.  Zone files in binary formats should be generated with the
+   same check level as that specified in the ``named`` configuration file.
+
+   ``map`` format files are loaded directly into memory via memory mapping,
+   with only minimal validity checking. Because they are not guaranteed to
+   be compatible from one version of BIND 9 to another, and are not
+   compatible from one system architecture to another, they should be used
+   with caution. See :ref:`zonefile_format` for further discussion.
+
+   When configured in ``options``, this statement sets the
+   ``masterfile-format`` for all zones, but it can be overridden on a
+   per-zone or per-view basis by including a ``masterfile-format``
+   statement within the ``zone`` or ``view`` block in the configuration
+   file.
+
+``masterfile-style``
+   This specifies the formatting of zone files during dump, when the
+   ``masterfile-format`` is ``text``. This option is ignored with any
+   other ``masterfile-format``.
+
+   When set to ``relative``, records are printed in a multi-line format,
+   with owner names expressed relative to a shared origin. When set to
+   ``full``, records are printed in a single-line format with absolute
+   owner names. The ``full`` format is most suitable when a zone file
+   needs to be processed automatically by a script. The ``relative``
+   format is more human-readable, and is thus suitable when a zone is to
+   be edited by hand. The default is ``relative``.
+
+``max-recursion-depth``
+   This sets the maximum number of levels of recursion that are permitted at
+   any one time while servicing a recursive query. Resolving a name may
+   require looking up a name server address, which in turn requires
+   resolving another name, etc.; if the number of recursions exceeds
+   this value, the recursive query is terminated and returns SERVFAIL.
+   The default is 7.
+
+``max-recursion-queries``
+   This sets the maximum number of iterative queries that may be sent while
+   servicing a recursive query. If more queries are sent, the recursive
+   query is terminated and returns SERVFAIL. The default is 100.
+
+``notify-delay``
+   This sets the delay, in seconds, between sending sets of NOTIFY messages
+   for a zone. Whenever a NOTIFY message is sent for a zone, a timer will
+   be set for this duration. If the zone is updated again before the timer
+   expires, the NOTIFY for that update will be postponed. The default is 5
+   seconds.
+
+   The overall rate at which NOTIFY messages are sent for all zones is
+   controlled by ``notify-rate``.
+
+``max-rsa-exponent-size``
+   This sets the maximum RSA exponent size, in bits, that is accepted when
+   validating. Valid values are 35 to 4096 bits. The default, zero, is
+   also accepted and is equivalent to 4096.
+
+``prefetch``
+   When a query is received for cached data which is to expire shortly,
+   ``named`` can refresh the data from the authoritative server
+   immediately, ensuring that the cache always has an answer available.
+
+   ``prefetch`` specifies the "trigger" TTL value at which prefetch
+   of the current query takes place; when a cache record with a
+   lower or equal TTL value is encountered during query processing, it is
+   refreshed. Valid trigger TTL values are 1 to 10 seconds. Values
+   larger than 10 seconds are silently reduced to 10. Setting a
+   trigger TTL to zero causes prefetch to be disabled. The default
+   trigger TTL is ``2``.
+
+   An optional second argument specifies the "eligibility" TTL: the
+   smallest *original* TTL value that is accepted for a record to
+   be eligible for prefetching. The eligibility TTL must be at least six
+   seconds longer than the trigger TTL; if not, ``named``
+   silently adjusts it upward. The default eligibility TTL is ``9``.
+
+``v6-bias``
+   When determining the next name server to try, this indicates by how many
+   milliseconds to prefer IPv6 name servers. The default is ``50``
+   milliseconds.
+
+.. _builtin:
+
+Built-in Server Information Zones
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The server provides some helpful diagnostic information through a number
+of built-in zones under the pseudo-top-level-domain ``bind`` in the
+``CHAOS`` class. These zones are part of a built-in view
+(see :ref:`view_statement_grammar`) of class ``CHAOS``, which is
+separate from the default view of class ``IN``. Most global
+configuration options (``allow-query``, etc.) apply to this view,
+but some are locally overridden: ``notify``, ``recursion``, and
+``allow-new-zones`` are always set to ``no``, and ``rate-limit`` is set
+to allow three responses per second.
+
+To disable these zones, use the options below or hide the
+built-in ``CHAOS`` view by defining an explicit view of class ``CHAOS``
+that matches all clients.
+
+``version``
+   This is the version the server should report via a query of the name
+   ``version.bind`` with type ``TXT`` and class ``CHAOS``. The default is
+   the real version number of this server. Specifying ``version none``
+   disables processing of the queries.
+
+   Setting ``version`` to any value (including ``none``) also disables
+   queries for ``authors.bind TXT CH``.
+
+``hostname``
+   This is the hostname the server should report via a query of the name
+   ``hostname.bind`` with type ``TXT`` and class ``CHAOS``. This defaults
+   to the hostname of the machine hosting the name server, as found by
+   the ``gethostname()`` function. The primary purpose of such queries is to
+   identify which of a group of anycast servers is actually answering
+   the queries. Specifying ``hostname none;`` disables processing of
+   the queries.
+
+``server-id``
+   This is the ID the server should report when receiving a Name Server
+   Identifier (NSID) query, or a query of the name ``ID.SERVER`` with
+   type ``TXT`` and class ``CHAOS``. The primary purpose of such queries is
+   to identify which of a group of anycast servers is actually answering
+   the queries. Specifying ``server-id none;`` disables processing of
+   the queries. Specifying ``server-id hostname;`` causes ``named``
+   to use the hostname as found by the ``gethostname()`` function. The
+   default ``server-id`` is ``none``.
+
+.. _empty:
+
+Built-in Empty Zones
+^^^^^^^^^^^^^^^^^^^^
+
+The ``named`` server has some built-in empty zones, for SOA and NS records
+only. These are for zones that should normally be answered locally and for
+which queries should not be sent to the Internet's root servers. The
+official servers that cover these namespaces return NXDOMAIN responses
+to these queries. In particular, these cover the reverse namespaces for
+addresses from :rfc:`1918`, :rfc:`4193`, :rfc:`5737`, and :rfc:`6598`. They also
+include the reverse namespace for the IPv6 local address (locally assigned),
+IPv6 link local addresses, the IPv6 loopback address, and the IPv6
+unknown address.
+
+The server attempts to determine if a built-in zone already exists
+or is active (covered by a forward-only forwarding declaration) and does
+not create an empty zone if either is true.
+
+The current list of empty zones is:
+
+-  10.IN-ADDR.ARPA
+-  16.172.IN-ADDR.ARPA
+-  17.172.IN-ADDR.ARPA
+-  18.172.IN-ADDR.ARPA
+-  19.172.IN-ADDR.ARPA
+-  20.172.IN-ADDR.ARPA
+-  21.172.IN-ADDR.ARPA
+-  22.172.IN-ADDR.ARPA
+-  23.172.IN-ADDR.ARPA
+-  24.172.IN-ADDR.ARPA
+-  25.172.IN-ADDR.ARPA
+-  26.172.IN-ADDR.ARPA
+-  27.172.IN-ADDR.ARPA
+-  28.172.IN-ADDR.ARPA
+-  29.172.IN-ADDR.ARPA
+-  30.172.IN-ADDR.ARPA
+-  31.172.IN-ADDR.ARPA
+-  168.192.IN-ADDR.ARPA
+-  64.100.IN-ADDR.ARPA
+-  65.100.IN-ADDR.ARPA
+-  66.100.IN-ADDR.ARPA
+-  67.100.IN-ADDR.ARPA
+-  68.100.IN-ADDR.ARPA
+-  69.100.IN-ADDR.ARPA
+-  70.100.IN-ADDR.ARPA
+-  71.100.IN-ADDR.ARPA
+-  72.100.IN-ADDR.ARPA
+-  73.100.IN-ADDR.ARPA
+-  74.100.IN-ADDR.ARPA
+-  75.100.IN-ADDR.ARPA
+-  76.100.IN-ADDR.ARPA
+-  77.100.IN-ADDR.ARPA
+-  78.100.IN-ADDR.ARPA
+-  79.100.IN-ADDR.ARPA
+-  80.100.IN-ADDR.ARPA
+-  81.100.IN-ADDR.ARPA
+-  82.100.IN-ADDR.ARPA
+-  83.100.IN-ADDR.ARPA
+-  84.100.IN-ADDR.ARPA
+-  85.100.IN-ADDR.ARPA
+-  86.100.IN-ADDR.ARPA
+-  87.100.IN-ADDR.ARPA
+-  88.100.IN-ADDR.ARPA
+-  89.100.IN-ADDR.ARPA
+-  90.100.IN-ADDR.ARPA
+-  91.100.IN-ADDR.ARPA
+-  92.100.IN-ADDR.ARPA
+-  93.100.IN-ADDR.ARPA
+-  94.100.IN-ADDR.ARPA
+-  95.100.IN-ADDR.ARPA
+-  96.100.IN-ADDR.ARPA
+-  97.100.IN-ADDR.ARPA
+-  98.100.IN-ADDR.ARPA
+-  99.100.IN-ADDR.ARPA
+-  100.100.IN-ADDR.ARPA
+-  101.100.IN-ADDR.ARPA
+-  102.100.IN-ADDR.ARPA
+-  103.100.IN-ADDR.ARPA
+-  104.100.IN-ADDR.ARPA
+-  105.100.IN-ADDR.ARPA
+-  106.100.IN-ADDR.ARPA
+-  107.100.IN-ADDR.ARPA
+-  108.100.IN-ADDR.ARPA
+-  109.100.IN-ADDR.ARPA
+-  110.100.IN-ADDR.ARPA
+-  111.100.IN-ADDR.ARPA
+-  112.100.IN-ADDR.ARPA
+-  113.100.IN-ADDR.ARPA
+-  114.100.IN-ADDR.ARPA
+-  115.100.IN-ADDR.ARPA
+-  116.100.IN-ADDR.ARPA
+-  117.100.IN-ADDR.ARPA
+-  118.100.IN-ADDR.ARPA
+-  119.100.IN-ADDR.ARPA
+-  120.100.IN-ADDR.ARPA
+-  121.100.IN-ADDR.ARPA
+-  122.100.IN-ADDR.ARPA
+-  123.100.IN-ADDR.ARPA
+-  124.100.IN-ADDR.ARPA
+-  125.100.IN-ADDR.ARPA
+-  126.100.IN-ADDR.ARPA
+-  127.100.IN-ADDR.ARPA
+-  0.IN-ADDR.ARPA
+-  127.IN-ADDR.ARPA
+-  254.169.IN-ADDR.ARPA
+-  2.0.192.IN-ADDR.ARPA
+-  100.51.198.IN-ADDR.ARPA
+-  113.0.203.IN-ADDR.ARPA
+-  255.255.255.255.IN-ADDR.ARPA
+-  0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
+-  1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
+-  8.B.D.0.1.0.0.2.IP6.ARPA
+-  D.F.IP6.ARPA
+-  8.E.F.IP6.ARPA
+-  9.E.F.IP6.ARPA
+-  A.E.F.IP6.ARPA
+-  B.E.F.IP6.ARPA
+-  EMPTY.AS112.ARPA
+-  HOME.ARPA
+
+Empty zones can be set at the view level and only apply to views of
+class IN. Disabled empty zones are only inherited from options if there
+are no disabled empty zones specified at the view level. To override the
+options list of disabled zones, disable the root zone at the
+view level. For example:
+
+::
+
+           disable-empty-zone ".";
+
+If using the address ranges covered here,
+reverse zones covering the addresses should already be in place. In practice this
+appears to not be the case, with many queries being made to the
+infrastructure servers for names in these spaces. So many, in fact, that
+sacrificial servers had to be deployed to channel the query load
+away from the infrastructure servers.
+
+.. note::
+
+   The real parent servers for these zones should disable all empty zones
+   under the parent zone they serve. For the real root servers, this is
+   all built-in empty zones. This enables them to return referrals
+   to deeper in the tree.
+
+``empty-server``
+   This specifies the server name that appears in the returned SOA record for
+   empty zones. If none is specified, the zone's name is used.
+
+``empty-contact``
+   This specifies the contact name that appears in the returned SOA record for
+   empty zones. If none is specified, "." is used.
+
+``empty-zones-enable``
+   This enables or disables all empty zones. By default, they are enabled.
+
+``disable-empty-zone``
+   This disables individual empty zones. By default, none are disabled. This
+   option can be specified multiple times.
+
+.. _content_filtering:
+
+Content Filtering
+^^^^^^^^^^^^^^^^^
+
+BIND 9 provides the ability to filter out responses from external
+DNS servers containing certain types of data in the answer section.
+Specifically, it can reject address (A or AAAA) records if the
+corresponding IPv4 or IPv6 addresses match the given
+``address_match_list`` of the ``deny-answer-addresses`` option. It can
+also reject CNAME or DNAME records if the "alias" name (i.e., the CNAME
+alias or the substituted query name due to DNAME) matches the given
+``namelist`` of the ``deny-answer-aliases`` option, where "match" means
+the alias name is a subdomain of one of the ``name_list`` elements. If
+the optional ``namelist`` is specified with ``except-from``, records
+whose query name matches the list are accepted regardless of the
+filter setting. Likewise, if the alias name is a subdomain of the
+corresponding zone, the ``deny-answer-aliases`` filter does not apply;
+for example, even if "example.com" is specified for
+``deny-answer-aliases``,
+
+::
+
+   www.example.com. CNAME xxx.example.com.
+
+returned by an "example.com" server is accepted.
+
+In the ``address_match_list`` of the ``deny-answer-addresses`` option,
+only ``ip_addr`` and ``ip_prefix`` are meaningful; any ``key_id`` is
+silently ignored.
+
+If a response message is rejected due to the filtering, the entire
+message is discarded without being cached, and a SERVFAIL error is
+returned to the client.
+
+This filtering is intended to prevent "DNS rebinding attacks," in which
+an attacker, in response to a query for a domain name the attacker
+controls, returns an IP address within the user's own network or an alias name
+within the user's own domain. A naive web browser or script could then serve
+as an unintended proxy, allowing the attacker to get access to an
+internal node of the local network that could not be externally accessed
+otherwise. See the paper available at
+https://dl.acm.org/doi/10.1145/1315245.1315298 for more details
+about these attacks.
+
+For example, with a domain named "example.net" and an internal
+network using an IPv4 prefix 192.0.2.0/24, an administrator might specify the
+following rules:
+
+::
+
+   deny-answer-addresses { 192.0.2.0/24; } except-from { "example.net"; };
+   deny-answer-aliases { "example.net"; };
+
+If an external attacker let a web browser in the local network look up
+an IPv4 address of "attacker.example.com", the attacker's DNS server
+would return a response like this:
+
+::
+
+   attacker.example.com. A 192.0.2.1
+
+in the answer section. Since the rdata of this record (the IPv4 address)
+matches the specified prefix 192.0.2.0/24, this response would be
+ignored.
+
+On the other hand, if the browser looked up a legitimate internal web
+server "www.example.net" and the following response were returned to the
+BIND 9 server:
+
+::
+
+   www.example.net. A 192.0.2.2
+
+it would be accepted, since the owner name "www.example.net" matches the
+``except-from`` element, "example.net".
+
+Note that this is not really an attack on the DNS per se. In fact, there
+is nothing wrong with having an "external" name mapped to an "internal"
+IP address or domain name from the DNS point of view; it might actually
+be provided for a legitimate purpose, such as for debugging. As long as
+the mapping is provided by the correct owner, it either is not possible or does
+not make sense to detect whether the intent of the mapping is legitimate
+within the DNS. The "rebinding" attack must primarily be
+protected at the application that uses the DNS. For a large site,
+however, it may be difficult to protect all possible applications at
+once. This filtering feature is provided only to help such an
+operational environment; turning it on is generally discouraged
+unless there is no other choice and the attack is a
+real threat to applications.
+
+Care should be particularly taken if using this option for
+addresses within 127.0.0.0/8. These addresses are obviously "internal,"
+but many applications conventionally rely on a DNS mapping from some
+name to such an address. Filtering out DNS records containing this
+address spuriously can break such applications.
+
+.. _rpz:
+
+Response Policy Zone (RPZ) Rewriting
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+BIND 9 includes a limited mechanism to modify DNS responses for requests
+analogous to email anti-spam DNS rejection lists. Responses can be changed to
+deny the existence of domains (NXDOMAIN), deny the existence of IP
+addresses for domains (NODATA), or contain other IP addresses or data.
+
+Response policy zones are named in the ``response-policy`` option for
+the view, or among the global options if there is no ``response-policy``
+option for the view. Response policy zones are ordinary DNS zones
+containing RRsets that can be queried normally if allowed. It is usually
+best to restrict those queries with something like
+``allow-query { localhost; };``. Note that zones using
+``masterfile-format map`` cannot be used as policy zones.
+
+A ``response-policy`` option can support multiple policy zones. To
+maximize performance, a radix tree is used to quickly identify response
+policy zones containing triggers that match the current query. This
+imposes an upper limit of 64 on the number of policy zones in a single
+``response-policy`` option; more than that is a configuration error.
+
+Rules encoded in response policy zones are processed after those defined in
+:ref:`access_control`. All queries from clients which are not permitted access
+to the resolver are answered with a status code of REFUSED, regardless of
+configured RPZ rules.
+
+Five policy triggers can be encoded in RPZ records.
+
+``RPZ-CLIENT-IP``
+   IP records are triggered by the IP address of the DNS client. Client
+   IP address triggers are encoded in records that have owner names that
+   are subdomains of ``rpz-client-ip``, relativized to the policy zone
+   origin name, and that encode an address or address block. IPv4 addresses
+   are represented as ``prefixlength.B4.B3.B2.B1.rpz-client-ip``. The
+   IPv4 prefix length must be between 1 and 32. All four bytes - B4, B3,
+   B2, and B1 - must be present. B4 is the decimal value of the least
+   significant byte of the IPv4 address as in IN-ADDR.ARPA.
+
+   IPv6 addresses are encoded in a format similar to the standard IPv6
+   text representation,
+   ``prefixlength.W8.W7.W6.W5.W4.W3.W2.W1.rpz-client-ip``. Each of
+   W8,...,W1 is a one- to four-digit hexadecimal number representing 16
+   bits of the IPv6 address as in the standard text representation of
+   IPv6 addresses, but reversed as in IP6.ARPA. (Note that this
+   representation of IPv6 addresses is different from IP6.ARPA, where each
+   hex digit occupies a label.) All 8 words must be present except when
+   one set of consecutive zero words is replaced with ``.zz.``, analogous
+   to double colons (::) in standard IPv6 text encodings. The IPv6
+   prefix length must be between 1 and 128.
+
+``QNAME``
+   QNAME policy records are triggered by query names of requests and
+   targets of CNAME records resolved to generate the response. The owner
+   name of a QNAME policy record is the query name relativized to the
+   policy zone.
+
+``RPZ-IP``
+   IP triggers are IP addresses in an A or AAAA record in the ANSWER
+   section of a response. They are encoded like client-IP triggers,
+   except as subdomains of ``rpz-ip``.
+
+``RPZ-NSDNAME``
+   NSDNAME triggers match names of authoritative servers for the query name, a
+   parent of the query name, a CNAME for the query name, or a parent of a CNAME.
+   They are encoded as subdomains of ``rpz-nsdname``, relativized
+   to the RPZ origin name.  NSIP triggers match IP addresses in A and AAAA
+   RRsets for domains that can be checked against NSDNAME policy records. The
+   ``nsdname-enable`` phrase turns NSDNAME triggers off or on for a single
+   policy zone or for all zones.
+
+   If authoritative name servers for the query name are not yet known, ``named``
+   recursively looks up the authoritative servers for the query name before
+   applying an RPZ-NSDNAME rule, which can cause a processing delay.
+
+``RPZ-NSIP``
+   NSIP triggers match the IP addresses of authoritative servers. They
+   are encoded like IP triggers, except as subdomains of ``rpz-nsip``.
+   NSDNAME and NSIP triggers are checked only for names with at least
+   ``min-ns-dots`` dots. The default value of ``min-ns-dots`` is 1, to
+   exclude top-level domains. The ``nsip-enable`` phrase turns NSIP
+   triggers off or on for a single policy zone or for all zones.
+
+   If a name server's IP address is not yet known, ``named``
+   recursively looks up the IP address before applying an RPZ-NSIP rule,
+   which can cause a processing delay. To speed up processing at the cost
+   of precision, the ``nsip-wait-recurse`` option can be used; when set
+   to ``no``, RPZ-NSIP rules are only applied when a name server's
+   IP address has already been looked up and cached. If a server's IP
+   address is not in the cache, the RPZ-NSIP rule is ignored,
+   but the address is looked up in the background and the rule
+   is applied to subsequent queries. The default is ``yes``,
+   meaning RPZ-NSIP rules are always applied, even if an address
+   needs to be looked up first.
+
+The query response is checked against all response policy zones, so two
+or more policy records can be triggered by a response. Because DNS
+responses are rewritten according to at most one policy record, a single
+record encoding an action (other than ``DISABLED`` actions) must be
+chosen. Triggers, or the records that encode them, are chosen for
+rewriting in the following order:
+
+1. Choose the triggered record in the zone that appears first in the
+   response-policy option.
+2. Prefer CLIENT-IP to QNAME to IP to NSDNAME to NSIP triggers in a
+   single zone.
+3. Among NSDNAME triggers, prefer the trigger that matches the smallest
+   name under the DNSSEC ordering.
+4. Among IP or NSIP triggers, prefer the trigger with the longest
+   prefix.
+5. Among triggers with the same prefix length, prefer the IP or NSIP
+   trigger that matches the smallest IP address.
+
+When the processing of a response is restarted to resolve DNAME or CNAME
+records and a policy record set has not been triggered, all response
+policy zones are again consulted for the DNAME or CNAME names and
+addresses.
+
+RPZ record sets are any types of DNS record, except DNAME or DNSSEC, that
+encode actions or responses to individual queries. Any of the policies
+can be used with any of the triggers. For example, while the
+``TCP-only`` policy is commonly used with ``client-IP`` triggers, it can
+be used with any type of trigger to force the use of TCP for responses
+with owner names in a zone.
+
+``PASSTHRU``
+   The auto-acceptance policy is specified by a CNAME whose target is
+   ``rpz-passthru``. It causes the response to not be rewritten and is
+   most often used to "poke holes" in policies for CIDR blocks.
+
+``DROP``
+   The auto-rejection policy is specified by a CNAME whose target is
+   ``rpz-drop``. It causes the response to be discarded. Nothing is sent
+   to the DNS client.
+
+``TCP-Only``
+   The "slip" policy is specified by a CNAME whose target is
+   ``rpz-tcp-only``. It changes UDP responses to short, truncated DNS
+   responses that require the DNS client to try again with TCP. It is
+   used to mitigate distributed DNS reflection attacks.
+
+``NXDOMAIN``
+   The "domain undefined" response is encoded by a CNAME whose target is
+   the root domain (.).
+
+``NODATA``
+   The empty set of resource records is specified by a CNAME whose target
+   is the wildcard top-level domain (``*.``). It rewrites the response to
+   NODATA or ANCOUNT=0.
+
+``Local Data``
+   A set of ordinary DNS records can be used to answer queries. Queries
+   for record types not in the set are answered with NODATA.
+
+   A special form of local data is a CNAME whose target is a wildcard
+   such as \*.example.com. It is used as if an ordinary CNAME after
+   the asterisk (\*) has been replaced with the query name.
+   This special form is useful for query logging in the walled garden's
+   authoritative DNS server.
+
+All of the actions specified in all of the individual records in a
+policy zone can be overridden with a ``policy`` clause in the
+``response-policy`` option. An organization using a policy zone provided
+by another organization might use this mechanism to redirect domains to
+its own walled garden.
+
+``GIVEN``
+   The placeholder policy says "do not override but perform the action
+   specified in the zone."
+
+``DISABLED``
+   The testing override policy causes policy zone records to do nothing
+   but log what they would have done if the policy zone were not
+   disabled. The response to the DNS query is written (or not)
+   according to any triggered policy records that are not disabled.
+   Disabled policy zones should appear first, because they are often
+   not logged if a higher-precedence trigger is found first.
+
+``PASSTHRU``; ``DROP``; ``TCP-Only``; ``NXDOMAIN``; ``NODATA``
+   These settings each override the corresponding per-record policy.
+
+``CNAME domain``
+   This causes all RPZ policy records to act as if they were "cname domain"
+   records.
+
+By default, the actions encoded in a response policy zone are applied
+only to queries that ask for recursion (RD=1). That default can be
+changed for a single policy zone, or for all response policy zones in a view,
+with a ``recursive-only no`` clause. This feature is useful for serving
+the same zone files both inside and outside an :rfc:`1918` cloud and using
+RPZ to delete answers that would otherwise contain :rfc:`1918` values on
+the externally visible name server or view.
+
+Also by default, RPZ actions are applied only to DNS requests that
+either do not request DNSSEC metadata (DO=0) or when no DNSSEC records
+are available for the requested name in the original zone (not the response
+policy zone). This default can be changed for all response policy zones
+in a view with a ``break-dnssec yes`` clause. In that case, RPZ actions
+are applied regardless of DNSSEC. The name of the clause option reflects
+the fact that results rewritten by RPZ actions cannot verify.
+
+No DNS records are needed for a QNAME or Client-IP trigger; the name or
+IP address itself is sufficient, so in principle the query name need not
+be recursively resolved. However, not resolving the requested name can
+leak the fact that response policy rewriting is in use, and that the name
+is listed in a policy zone, to operators of servers for listed names. To
+prevent that information leak, by default any recursion needed for a
+request is done before any policy triggers are considered. Because
+listed domains often have slow authoritative servers, this behavior can
+cost significant time. The ``qname-wait-recurse no`` option overrides
+the default and enables that behavior when recursion cannot change a
+non-error response. The option does not affect QNAME or client-IP
+triggers in policy zones listed after other zones containing IP, NSIP,
+and NSDNAME triggers, because those may depend on the A, AAAA, and NS
+records that would be found during recursive resolution. It also does
+not affect DNSSEC requests (DO=1) unless ``break-dnssec yes`` is in use,
+because the response would depend on whether RRSIG records were
+found during resolution. Using this option can cause error responses
+such as SERVFAIL to appear to be rewritten, since no recursion is being
+done to discover problems at the authoritative server.
+
+The ``dnsrps-enable yes`` option turns on the DNS Response Policy Service
+(DNSRPS) interface, if it has been compiled in ``named`` using
+``configure --enable-dnsrps``.
+
+The ``dnsrps-options`` block provides additional RPZ configuration
+settings, which are passed through to the DNSRPS provider library.
+Multiple DNSRPS settings in an ``dnsrps-options`` string should be
+separated with semi-colons (;). The DNSRPS provider, librpz, is passed a
+configuration string consisting of the ``dnsrps-options`` text,
+concatenated with settings derived from the ``response-policy``
+statement.
+
+Note: the ``dnsrps-options`` text should only include configuration
+settings that are specific to the DNSRPS provider. For example, the
+DNSRPS provider from Farsight Security takes options such as
+``dnsrpzd-conf``, ``dnsrpzd-sock``, and ``dnzrpzd-args`` (for details of
+these options, see the ``librpz`` documentation). Other RPZ
+configuration settings could be included in ``dnsrps-options`` as well,
+but if ``named`` were switched back to traditional RPZ by setting
+``dnsrps-enable`` to "no", those options would be ignored.
+
+The TTL of a record modified by RPZ policies is set from the TTL of the
+relevant record in the policy zone. It is then limited to a maximum value.
+The ``max-policy-ttl`` clause changes the maximum number of seconds from its
+default of 5. For convenience, TTL-style time-unit suffixes may be used
+to specify the value. It also accepts ISO 8601 duration formats.
+
+For example, an administrator might use this option statement:
+
+::
+
+       response-policy { zone "badlist"; };
+
+and this zone statement:
+
+::
+
+       zone "badlist" {type primary; file "primary/badlist"; allow-query {none;}; };
+
+with this zone file:
+
+::
+
+   $TTL 1H
+   @                       SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
+               NS  LOCALHOST.
+
+   ; QNAME policy records.  There are no periods (.) after the owner names.
+   nxdomain.domain.com     CNAME   .               ; NXDOMAIN policy
+   *.nxdomain.domain.com   CNAME   .               ; NXDOMAIN policy
+   nodata.domain.com       CNAME   *.              ; NODATA policy
+   *.nodata.domain.com     CNAME   *.              ; NODATA policy
+   bad.domain.com          A       10.0.0.1        ; redirect to a walled garden
+               AAAA    2001:2::1
+   bzone.domain.com        CNAME   garden.example.com.
+
+   ; do not rewrite (PASSTHRU) OK.DOMAIN.COM
+   ok.domain.com           CNAME   rpz-passthru.
+
+   ; redirect x.bzone.domain.com to x.bzone.domain.com.garden.example.com
+   *.bzone.domain.com      CNAME   *.garden.example.com.
+
+   ; IP policy records that rewrite all responses containing A records in 127/8
+   ;       except 127.0.0.1
+   8.0.0.0.127.rpz-ip      CNAME   .
+   32.1.0.0.127.rpz-ip     CNAME   rpz-passthru.
+
+   ; NSDNAME and NSIP policy records
+   ns.domain.com.rpz-nsdname   CNAME   .
+   48.zz.2.2001.rpz-nsip       CNAME   .
+
+   ; auto-reject and auto-accept some DNS clients
+   112.zz.2001.rpz-client-ip    CNAME   rpz-drop.
+   8.0.0.0.127.rpz-client-ip    CNAME   rpz-drop.
+
+   ; force some DNS clients and responses in the example.com zone to TCP
+   16.0.0.1.10.rpz-client-ip   CNAME   rpz-tcp-only.
+   example.com                 CNAME   rpz-tcp-only.
+   *.example.com               CNAME   rpz-tcp-only.
+
+RPZ can affect server performance. Each configured response policy zone
+requires the server to perform one to four additional database lookups
+before a query can be answered. For example, a DNS server with four
+policy zones, each with all four kinds of response triggers (QNAME, IP,
+NSIP, and NSDNAME), requires a total of 17 times as many database lookups
+as a similar DNS server with no response policy zones. A BIND 9 server
+with adequate memory and one response policy zone with QNAME and IP
+triggers might achieve a maximum queries-per-second (QPS) rate about 20%
+lower. A server with four response policy zones with QNAME and IP
+triggers might have a maximum QPS rate about 50% lower.
+
+Responses rewritten by RPZ are counted in the ``RPZRewrites``
+statistics.
+
+The ``log`` clause can be used to optionally turn off rewrite logging
+for a particular response policy zone. By default, all rewrites are
+logged.
+
+The ``add-soa`` option controls whether the RPZ's SOA record is added to
+the section for traceback of changes from this zone.
+This can be set at the individual policy zone level or at the
+response-policy level. The default is ``yes``.
+
+Updates to RPZ zones are processed asynchronously; if there is more than
+one update pending they are bundled together. If an update to a RPZ zone
+(for example, via IXFR) happens less than ``min-update-interval``
+seconds after the most recent update, the changes are not
+carried out until this interval has elapsed. The default is ``60``
+seconds. For convenience, TTL-style time-unit suffixes may be used to
+specify the value. It also accepts ISO 8601 duration formats.
+
+.. _rrl:
+
+Response Rate Limiting
+^^^^^^^^^^^^^^^^^^^^^^
+
+Excessive, almost-identical UDP *responses* can be controlled by
+configuring a ``rate-limit`` clause in an ``options`` or ``view``
+statement. This mechanism keeps authoritative BIND 9 from being used to
+amplify reflection denial-of-service (DoS) attacks. Short BADCOOKIE errors or
+truncated (TC=1) responses can be sent to provide rate-limited responses to
+legitimate clients within a range of forged, attacked IP addresses.
+Legitimate clients react to dropped responses by retrying,
+to BADCOOKIE errors by including a server cookie when retrying,
+and to truncated responses by switching to TCP.
+
+This mechanism is intended for authoritative DNS servers. It can be used
+on recursive servers, but can slow applications such as SMTP servers
+(mail receivers) and HTTP clients (web browsers) that repeatedly request
+the same domains. When possible, closing "open" recursive servers is
+better.
+
+Response rate limiting uses a "credit" or "token bucket" scheme. Each
+combination of identical response and client has a conceptual "account"
+that earns a specified number of credits every second. A prospective
+response debits its account by one. Responses are dropped or truncated
+while the account is negative. Responses are tracked within a rolling
+window of time which defaults to 15 seconds, but which can be configured with
+the ``window`` option to any value from 1 to 3600 seconds (1 hour). The
+account cannot become more positive than the per-second limit or more
+negative than ``window`` times the per-second limit. When the specified
+number of credits for a class of responses is set to 0, those responses
+are not rate-limited.
+
+The notions of "identical response" and "DNS client" for rate limiting
+are not simplistic. All responses to an address block are counted as if
+to a single client. The prefix lengths of address blocks are specified
+with ``ipv4-prefix-length`` (default 24) and ``ipv6-prefix-length``
+(default 56).
+
+All non-empty responses for a valid domain name (qname) and record type
+(qtype) are identical and have a limit specified with
+``responses-per-second`` (default 0 or no limit). All valid wildcard
+domain names are interpreted as the zone's origin name concatenated to
+the "*" name. All empty (NODATA) responses for a valid domain,
+regardless of query type, are identical.  Responses in the NODATA class
+are limited by ``nodata-per-second`` (default ``responses-per-second``).
+Requests for any and all undefined subdomains of a given valid domain
+result in NXDOMAIN errors, and are identical regardless of query type.
+They are limited by ``nxdomains-per-second`` (default
+``responses-per-second``). This controls some attacks using random
+names, but can be relaxed or turned off (set to 0) on servers that
+expect many legitimate NXDOMAIN responses, such as from anti-spam
+rejection lists. Referrals or delegations to the server of a given
+domain are identical and are limited by ``referrals-per-second``
+(default ``responses-per-second``).
+
+Responses generated from local wildcards are counted and limited as if
+they were for the parent domain name. This controls flooding using
+random.wild.example.com.
+
+All requests that result in DNS errors other than NXDOMAIN, such as
+SERVFAIL and FORMERR, are identical regardless of requested name (qname)
+or record type (qtype). This controls attacks using invalid requests or
+distant, broken authoritative servers. By default the limit on errors is
+the same as the ``responses-per-second`` value, but it can be set
+separately with ``errors-per-second``.
+
+Many attacks using DNS involve UDP requests with forged source
+addresses. Rate limiting prevents the use of BIND 9 to flood a network
+with responses to requests with forged source addresses, but could let a
+third party block responses to legitimate requests. There is a mechanism
+that can answer some legitimate requests from a client whose address is
+being forged in a flood. Setting ``slip`` to 2 (its default) causes
+every other UDP request without a valid server cookie to be answered with
+a small response. The small size and reduced frequency, and resulting lack of
+amplification, of "slipped" responses make them unattractive for
+reflection DoS attacks. ``slip`` must be between 0 and 10. A value of 0
+does not "slip"; no small responses are sent due to rate limiting. Rather,
+all responses are dropped. A value of 1 causes every response to slip;
+values between 2 and 10 cause every nth response to slip.
+
+If the request included a client cookie, then a "slipped" response is
+a BADCOOKIE error with a server cookie, which allows a legitimate client
+to include the server cookie to be exempted from the rate limiting
+when it retries the request.
+If the request did not include a cookie, then a "slipped" response is
+a truncated (TC=1) response, which prompts a legitimate client to
+switch to TCP and thus be exempted from the rate limiting. Some error
+responses, including REFUSED and SERVFAIL, cannot be replaced with
+truncated responses and are instead leaked at the ``slip`` rate.
+
+(Note: dropped responses from an authoritative server may reduce the
+difficulty of a third party successfully forging a response to a
+recursive resolver. The best security against forged responses is for
+authoritative operators to sign their zones using DNSSEC and for
+resolver operators to validate the responses. When this is not an
+option, operators who are more concerned with response integrity than
+with flood mitigation may consider setting ``slip`` to 1, causing all
+rate-limited responses to be truncated rather than dropped. This reduces
+the effectiveness of rate-limiting against reflection attacks.)
+
+When the approximate query-per-second rate exceeds the ``qps-scale``
+value, the ``responses-per-second``, ``errors-per-second``,
+``nxdomains-per-second``, and ``all-per-second`` values are reduced by
+the ratio of the current rate to the ``qps-scale`` value. This feature
+can tighten defenses during attacks. For example, with
+``qps-scale 250; responses-per-second 20;`` and a total query rate of
+1000 queries/second for all queries from all DNS clients including via
+TCP, then the effective responses/second limit changes to (250/1000)*20,
+or 5. Responses to requests that included a valid server cookie,
+and responses sent via TCP, are not limited but are counted to compute
+the query-per-second rate.
+
+Communities of DNS clients can be given their own parameters or no
+rate limiting by putting ``rate-limit`` statements in ``view`` statements
+instead of in the global ``option`` statement. A ``rate-limit`` statement
+in a view replaces, rather than supplements, a ``rate-limit``
+statement among the main options. DNS clients within a view can be
+exempted from rate limits with the ``exempt-clients`` clause.
+
+UDP responses of all kinds can be limited with the ``all-per-second``
+phrase. This rate limiting is unlike the rate limiting provided by
+``responses-per-second``, ``errors-per-second``, and
+``nxdomains-per-second`` on a DNS server, which are often invisible to
+the victim of a DNS reflection attack. Unless the forged requests of the
+attack are the same as the legitimate requests of the victim, the
+victim's requests are not affected. Responses affected by an
+``all-per-second`` limit are always dropped; the ``slip`` value has no
+effect. An ``all-per-second`` limit should be at least 4 times as large
+as the other limits, because single DNS clients often send bursts of
+legitimate requests. For example, the receipt of a single mail message
+can prompt requests from an SMTP server for NS, PTR, A, and AAAA records
+as the incoming SMTP/TCP/IP connection is considered. The SMTP server
+can need additional NS, A, AAAA, MX, TXT, and SPF records as it
+considers the SMTP ``Mail From`` command. Web browsers often repeatedly
+resolve the same names that are duplicated in HTML <IMG> tags in a page.
+``all-per-second`` is similar to the rate limiting offered by firewalls
+but is often inferior. Attacks that justify ignoring the contents of DNS
+responses are likely to be attacks on the DNS server itself. They
+usually should be discarded before the DNS server spends resources making
+TCP connections or parsing DNS requests, but that rate limiting must be
+done before the DNS server sees the requests.
+
+The maximum size of the table used to track requests and rate-limit
+responses is set with ``max-table-size``. Each entry in the table is
+between 40 and 80 bytes. The table needs approximately as many entries
+as the number of requests received per second. The default is 20,000. To
+reduce the cold start of growing the table, ``min-table-size`` (default 500)
+can set the minimum table size. Enable ``rate-limit`` category
+logging to monitor expansions of the table and inform choices for the
+initial and maximum table size.
+
+Use ``log-only yes`` to test rate-limiting parameters without actually
+dropping any requests.
+
+Responses dropped by rate limits are included in the ``RateDropped`` and
+``QryDropped`` statistics. Responses that are truncated by rate limits are
+included in ``RateSlipped`` and ``RespTruncated``.
+
+NXDOMAIN Redirection
+^^^^^^^^^^^^^^^^^^^^
+
+``named`` supports NXDOMAIN redirection via two methods:
+
+-  Redirect zone (:ref:`zone_statement_grammar`)
+-  Redirect namespace
+
+With either method, when ``named`` gets an NXDOMAIN response it examines a
+separate namespace to see if the NXDOMAIN response should be replaced
+with an alternative response.
+
+With a redirect zone (``zone "." { type redirect; };``), the data used
+to replace the NXDOMAIN is held in a single zone which is not part of
+the normal namespace. All the redirect information is contained in the
+zone; there are no delegations.
+
+With a redirect namespace (``option { nxdomain-redirect <suffix> };``),
+the data used to replace the NXDOMAIN is part of the normal namespace
+and is looked up by appending the specified suffix to the original
+query name. This roughly doubles the cache required to process
+NXDOMAIN responses, as both the original NXDOMAIN response and the
+replacement data (or an NXDOMAIN indicating that there is no
+replacement) must be stored.
+
+If both a redirect zone and a redirect namespace are configured, the
+redirect zone is tried first.
+
+.. _server_statement_grammar:
+
+``server`` Statement Grammar
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: ../misc/server.grammar.rst
+
+.. _server_statement_definition_and_usage:
+
+``server`` Statement Definition and Usage
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The ``server`` statement defines characteristics to be associated with a
+remote name server. If a prefix length is specified, then a range of
+servers is covered. Only the most specific server clause applies,
+regardless of the order in ``named.conf``.
+
+The ``server`` statement can occur at the top level of the configuration
+file or inside a ``view`` statement. If a ``view`` statement contains
+one or more ``server`` statements, only those apply to the view and any
+top-level ones are ignored. If a view contains no ``server`` statements,
+any top-level ``server`` statements are used as defaults.
+
+If a remote server is giving out bad data, marking it
+as bogus prevents further queries to it. The default value of
+``bogus`` is ``no``.
+
+The ``provide-ixfr`` clause determines whether the local server, acting
+as primary, responds with an incremental zone transfer when the given
+remote server, a secondary, requests it. If set to ``yes``, incremental
+transfer is provided whenever possible. If set to ``no``, all
+transfers to the remote server are non-incremental. If not set, the
+value of the ``provide-ixfr`` option in the view or global options block
+is used as a default.
+
+The ``request-ixfr`` clause determines whether the local server, acting
+as a secondary, requests incremental zone transfers from the given
+remote server, a primary. If not set, the value of the ``request-ixfr``
+option in the view or global options block is used as a default. It may
+also be set in the zone block; if set there, it overrides the
+global or view setting for that zone.
+
+IXFR requests to servers that do not support IXFR automatically
+fall back to AXFR. Therefore, there is no need to manually list which
+servers support IXFR and which ones do not; the global default of
+``yes`` should always work. The purpose of the ``provide-ixfr`` and
+``request-ixfr`` clauses is to make it possible to disable the use of
+IXFR even when both primary and secondary claim to support it: for example, if
+one of the servers is buggy and crashes or corrupts data when IXFR is
+used.
+
+The ``request-expire`` clause determines whether the local server, when
+acting as a secondary, requests the EDNS EXPIRE value. The EDNS EXPIRE
+value indicates the remaining time before the zone data expires and
+needs to be refreshed. This is used when a secondary server transfers
+a zone from another secondary server; when transferring from the
+primary, the expiration timer is set from the EXPIRE field of the SOA
+record instead. The default is ``yes``.
+
+The ``edns`` clause determines whether the local server attempts to
+use EDNS when communicating with the remote server. The default is
+``yes``.
+
+The ``edns-udp-size`` option sets the EDNS UDP size that is advertised
+by ``named`` when querying the remote server. Valid values are 512 to
+4096 bytes; values outside this range are silently adjusted to the
+nearest value within it. This option is useful when
+advertising a different value to this server than the value advertised
+globally: for example, when there is a firewall at the remote site that
+is blocking large replies. Note: currently, this sets a single UDP size
+for all packets sent to the server; ``named`` does not deviate from this
+value. This differs from the behavior of ``edns-udp-size`` in
+``options`` or ``view`` statements, where it specifies a maximum value.
+The ``server`` statement behavior may be brought into conformance with
+the ``options``/``view`` behavior in future releases.
+
+The ``edns-version`` option sets the maximum EDNS VERSION that is
+sent to the server(s) by the resolver. The actual EDNS version sent is
+still subject to normal EDNS version-negotiation rules (see :rfc:`6891`),
+the maximum EDNS version supported by the server, and any other
+heuristics that indicate that a lower version should be sent. This
+option is intended to be used when a remote server reacts badly to a
+given EDNS version or higher; it should be set to the highest version
+the remote server is known to support. Valid values are 0 to 255; higher
+values are silently adjusted. This option is not needed until
+higher EDNS versions than 0 are in use.
+
+The ``max-udp-size`` option sets the maximum EDNS UDP message size
+``named`` sends. Valid values are 512 to 4096 bytes; values outside
+this range are silently adjusted. This option is useful when
+there is a firewall that is blocking large replies from
+``named``.
+
+The ``padding`` option adds EDNS Padding options to outgoing messages,
+increasing the packet size to a multiple of the specified block size.
+Valid block sizes range from 0 (the default, which disables the use of
+EDNS Padding) to 512 bytes. Larger values are reduced to 512, with a
+logged warning. Note: this option is not currently compatible with no
+TSIG or SIG(0), as the EDNS OPT record containing the padding would have
+to be added to the packet after it had already been signed.
+
+The ``tcp-only`` option sets the transport protocol to TCP. The default
+is to use the UDP transport and to fallback on TCP only when a truncated
+response is received.
+
+The ``tcp-keepalive`` option adds EDNS TCP keepalive to messages sent
+over TCP. Note that currently idle timeouts in responses are ignored.
+
+The server supports two zone transfer methods. The first,
+``one-answer``, uses one DNS message per resource record transferred.
+``many-answers`` packs as many resource records as possible into a single
+message, which is more efficient.
+It is possible to specify which method to use for a server via the
+``transfer-format`` option; if not set there, the
+``transfer-format`` specified by the ``options`` statement is used.
+
+``transfers`` is used to limit the number of concurrent inbound zone
+transfers from the specified server. If no ``transfers`` clause is
+specified, the limit is set according to the ``transfers-per-ns``
+option.
+
+The ``keys`` clause identifies a ``key_id`` defined by the ``key``
+statement, to be used for transaction security (see :ref:`tsig`)
+when talking to the remote server. When a request is sent to the remote
+server, a request signature is generated using the key specified
+here and appended to the message. A request originating from the remote
+server is not required to be signed by this key.
+
+Only a single key per server is currently supported.
+
+The ``transfer-source`` and ``transfer-source-v6`` clauses specify the
+IPv4 and IPv6 source address, respectively, to be used for zone transfer with the
+remote server. For an IPv4 remote server, only
+``transfer-source`` can be specified. Similarly, for an IPv6 remote
+server, only ``transfer-source-v6`` can be specified. For more details,
+see the description of ``transfer-source`` and ``transfer-source-v6`` in
+:ref:`zone_transfers`.
+
+The ``notify-source`` and ``notify-source-v6`` clauses specify the IPv4
+and IPv6 source address, respectively, to be used for notify messages sent to remote
+servers. For an IPv4 remote server, only ``notify-source``
+can be specified. Similarly, for an IPv6 remote server, only
+``notify-source-v6`` can be specified.
+
+The ``query-source`` and ``query-source-v6`` clauses specify the IPv4
+and IPv6 source address, respectively, to be used for queries sent to remote servers.
+For an IPv4 remote server, only ``query-source`` can be
+specified. Similarly, for an IPv6 remote server, only
+``query-source-v6`` can be specified.
+
+The ``request-nsid`` clause determines whether the local server adds
+an NSID EDNS option to requests sent to the server. This overrides
+``request-nsid`` set at the view or option level.
+
+The ``send-cookie`` clause determines whether the local server adds
+a COOKIE EDNS option to requests sent to the server. This overrides
+``send-cookie`` set at the view or option level. The ``named`` server
+may determine that COOKIE is not supported by the remote server and not
+add a COOKIE EDNS option to requests.
+
+.. _statschannels:
+
+``statistics-channels`` Statement Grammar
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: ../misc/statistics-channels.grammar.rst
+
+.. _statistics_channels:
+
+``statistics-channels`` Statement Definition and Usage
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The ``statistics-channels`` statement declares communication channels to
+be used by system administrators to get access to statistics information
+on the name server.
+
+This statement is intended to be flexible to support multiple communication
+protocols in the future, but currently only HTTP access is supported. It
+requires that BIND 9 be compiled with libxml2 and/or json-c (also known
+as libjson0); the ``statistics-channels`` statement is still accepted
+even if it is built without the library, but any HTTP access fails
+with an error.
+
+An ``inet`` control channel is a TCP socket listening at the specified
+``ip_port`` on the specified ``ip_addr``, which can be an IPv4 or IPv6
+address. An ``ip_addr`` of ``*`` (asterisk) is interpreted as the IPv4
+wildcard address; connections are accepted on any of the system's
+IPv4 addresses. To listen on the IPv6 wildcard address, use an
+``ip_addr`` of ``::``.
+
+If no port is specified, port 80 is used for HTTP channels. The asterisk
+(``*``) cannot be used for ``ip_port``.
+
+Attempts to open a statistics channel are restricted by the
+optional ``allow`` clause. Connections to the statistics channel are
+permitted based on the ``address_match_list``. If no ``allow`` clause is
+present, ``named`` accepts connection attempts from any address. Since
+the statistics may contain sensitive internal information, the source of
+connection requests must be restricted appropriately so that only
+trusted parties can access the statistics channel.
+
+Gathering data exposed by the statistics channel locks various subsystems in
+``named``, which could slow down query processing if statistics data is
+requested too often.
+
+An issue in the statistics channel would be considered a security issue
+only if it could be exploited by unprivileged users circumventing the access
+control list. In other words, any issue in the statistics channel that could be
+used to access information unavailable otherwise, or to crash ``named``, is
+not considered a security issue if it can be avoided through the
+use of a secure configuration.
+
+If no ``statistics-channels`` statement is present, ``named`` does not
+open any communication channels.
+
+The statistics are available in various formats and views, depending on
+the URI used to access them. For example, if the statistics channel is
+configured to listen on 127.0.0.1 port 8888, then the statistics are
+accessible in XML format at http://127.0.0.1:8888/ or
+http://127.0.0.1:8888/xml. A CSS file is included, which can format the
+XML statistics into tables when viewed with a stylesheet-capable
+browser, and into charts and graphs using the Google Charts API when
+using a JavaScript-capable browser.
+
+Broken-out subsets of the statistics can be viewed at
+http://127.0.0.1:8888/xml/v3/status (server uptime and last
+reconfiguration time), http://127.0.0.1:8888/xml/v3/server (server and
+resolver statistics), http://127.0.0.1:8888/xml/v3/zones (zone
+statistics), http://127.0.0.1:8888/xml/v3/net (network status and socket
+statistics), http://127.0.0.1:8888/xml/v3/mem (memory manager
+statistics), http://127.0.0.1:8888/xml/v3/tasks (task manager
+statistics), and http://127.0.0.1:8888/xml/v3/traffic (traffic sizes).
+
+The full set of statistics can also be read in JSON format at
+http://127.0.0.1:8888/json, with the broken-out subsets at
+http://127.0.0.1:8888/json/v1/status (server uptime and last
+reconfiguration time), http://127.0.0.1:8888/json/v1/server (server and
+resolver statistics), http://127.0.0.1:8888/json/v1/zones (zone
+statistics), http://127.0.0.1:8888/json/v1/net (network status and
+socket statistics), http://127.0.0.1:8888/json/v1/mem (memory manager
+statistics), http://127.0.0.1:8888/json/v1/tasks (task manager
+statistics), and http://127.0.0.1:8888/json/v1/traffic (traffic sizes).
+
+.. _trust_anchors:
+
+``trust-anchors`` Statement Grammar
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: ../misc/trust-anchors.grammar.rst
+
+.. _trust-anchors:
+
+``trust-anchors`` Statement Definition and Usage
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The ``trust-anchors`` statement defines DNSSEC trust anchors. DNSSEC is
+described in :ref:`DNSSEC`.
+
+A trust anchor is defined when the public key or public key digest for a non-authoritative
+zone is known but cannot be securely obtained through DNS, either
+because it is the DNS root zone or because its parent zone is unsigned.
+Once a key or digest has been configured as a trust anchor, it is treated as if it
+has been validated and proven secure.
+
+The resolver attempts DNSSEC validation on all DNS data in subdomains of
+configured trust anchors. Validation below specified names can be
+temporarily disabled by using ``rndc nta``, or permanently disabled with
+the ``validate-except`` option.
+
+All keys listed in ``trust-anchors``, and their corresponding zones, are
+deemed to exist regardless of what parent zones say. Only keys
+configured as trust anchors are used to validate the DNSKEY RRset for
+the corresponding name. The parent's DS RRset is not used.
+
+``trust-anchors`` may be set at the top level of ``named.conf`` or within
+a view. If it is set in both places, the configurations are additive;
+keys defined at the top level are inherited by all views, but keys
+defined in a view are only used within that view.
+
+The ``trust-anchors`` statement can contain
+multiple trust-anchor entries, each consisting of a
+domain name, followed by an "anchor type" keyword indicating
+the trust anchor's format, followed by the key or digest data.
+
+If the anchor type is ``static-key`` or
+``initial-key``, then it is followed with the
+key's flags, protocol, and algorithm, plus the Base64 representation
+of the public key data. This is identical to the text
+representation of a DNSKEY record.  Spaces, tabs, newlines, and
+carriage returns are ignored in the key data, so the
+configuration may be split into multiple lines.
+
+If the anchor type is ``static-ds`` or
+``initial-ds``, it is followed with the
+key tag, algorithm, digest type, and the hexadecimal
+representation of the key digest. This is identical to the
+text representation of a DS record.  Spaces, tabs, newlines,
+and carriage returns are ignored.
+
+Trust anchors configured with the
+``static-key`` or ``static-ds``
+anchor types are immutable, while keys configured with
+``initial-key`` or ``initial-ds``
+can be kept up-to-date automatically, without intervention from the resolver operator.
+(``static-key`` keys are identical to keys configured using the
+deprecated ``trusted-keys`` statement.)
+
+Suppose, for example, that a zone's key-signing key was compromised, and
+the zone owner had to revoke and replace the key. A resolver which had
+the original key
+configured using ``static-key`` or
+``static-ds`` would be unable to validate
+this zone any longer; it would reply with a SERVFAIL response
+code.  This would continue until the resolver operator had
+updated the ``trust-anchors`` statement with
+the new key.
+
+If, however, the trust anchor had been configured using
+``initial-key`` or ``initial-ds``
+instead, the zone owner could add a "stand-by" key to
+the zone in advance. ``named`` would store
+the stand-by key, and when the original key was revoked,
+``named`` would be able to transition smoothly
+to the new key.  It would also recognize that the old key had
+been revoked and cease using that key to validate answers,
+minimizing the damage that the compromised key could do.
+This is the process used to keep the ICANN root DNSSEC key
+up-to-date.
+
+Whereas ``static-key`` and
+``static-ds`` trust anchors continue
+to be trusted until they are removed from
+``named.conf``, an
+``initial-key`` or ``initial-ds``
+is only trusted *once*: for as long as it
+takes to load the managed key database and start the
+:rfc:`5011` key maintenance process.
+
+It is not possible to mix static with initial trust anchors
+for the same domain name.
+
+The first time ``named`` runs with an
+``initial-key`` or ``initial-ds``
+configured in ``named.conf``, it fetches the
+DNSKEY RRset directly from the zone apex,
+and validates it
+using the trust anchor specified in ``trust-anchors``.
+If the DNSKEY RRset is validly signed by a key matching
+the trust anchor, then it is used as the basis for a new
+managed-keys database.
+
+From that point on, whenever ``named`` runs, it sees the ``initial-key`` or ``initial-ds``
+listed in ``trust-anchors``, checks to make sure :rfc:`5011` key maintenance
+has already been initialized for the specified domain, and if so,
+simply moves on. The key specified in the ``trust-anchors`` statement is
+not used to validate answers; it is superseded by the key or keys stored
+in the managed-keys database.
+
+The next time ``named`` runs after an ``initial-key`` or ``initial-ds`` has been *removed*
+from the ``trust-anchors`` statement (or changed to a ``static-key`` or ``static-ds``), the
+corresponding zone is removed from the managed-keys database, and
+:rfc:`5011` key maintenance is no longer used for that domain.
+
+In the current implementation, the managed-keys database is stored as a
+master-format zone file.
+
+On servers which do not use views, this file is named
+``managed-keys.bind``. When views are in use, there is a separate
+managed-keys database for each view; the filename is the view name
+(or, if a view name contains characters which would make it illegal as a
+filename, a hash of the view name), followed by the suffix ``.mkeys``.
+
+When the key database is changed, the zone is updated. As with any other
+dynamic zone, changes are written into a journal file, e.g.,
+``managed-keys.bind.jnl`` or ``internal.mkeys.jnl``. Changes are
+committed to the primary file as soon as possible afterward,
+usually within 30 seconds. Whenever ``named`` is using
+automatic key maintenance, the zone file and journal file can be
+expected to exist in the working directory. (For this reason, among
+others, the working directory should be always be writable by
+``named``.)
+
+If the ``dnssec-validation`` option is set to ``auto``, ``named``
+automatically initializes an ``initial-key`` for the root zone. The key
+that is used to initialize the key-maintenance process is stored in
+``bind.keys``; the location of this file can be overridden with the
+``bindkeys-file`` option. As a fallback in the event no ``bind.keys``
+can be found, the initializing key is also compiled directly into
+``named``.
+
+.. _dnssec_policy_grammar:
+
+``dnssec-policy`` Statement Grammar
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: ../misc/dnssec-policy.grammar.rst
+
+.. _dnssec_policy:
+
+``dnssec-policy`` Statement Definition and Usage
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The ``dnssec-policy`` statement defines a key and signing policy (KASP)
+for zones.
+
+A KASP determines how one or more zones are signed with DNSSEC.  For
+example, it specifies how often keys should roll, which cryptographic
+algorithms to use, and how often RRSIG records need to be refreshed.
+
+Keys are not shared among zones, which means that one set of keys per
+zone is generated even if they have the same policy.  If multiple views
+are configured with different versions of the same zone, each separate
+version uses the same set of signing keys.
+
+Multiple key and signing policies can be configured.  To attach a policy
+to a zone, add a ``dnssec-policy`` option to the ``zone`` statement,
+specifying the name of the policy that should be used.
+
+The ``dnssec-policy`` statement requires dynamic DNS to be set up, or
+``inline-signing`` to be enabled.
+
+If ``inline-signing`` is enabled, this means that a signed version of the
+zone is maintained separately and is written out to a different file on disk
+(the zone's filename plus a ``.signed`` extension).
+
+If the zone is dynamic because it is configured with an ``update-policy`` or
+``allow-update``, the DNSSEC records are written to the filename set in the
+original zone's ``file``, unless ``inline-signing`` is explicitly set.
+
+Key rollover timing is computed for each key according to the key
+lifetime defined in the KASP.  The lifetime may be modified by zone TTLs
+and propagation delays, to prevent validation failures.  When a key
+reaches the end of its lifetime, ``named`` generates and publishes a new
+key automatically, then deactivates the old key and activates the new
+one; finally, the old key is retired according to a computed schedule.
+
+Zone-signing key (ZSK) rollovers require no operator input.  Key-signing
+key (KSK) and combined-signing key (CSK) rollovers require action to be
+taken to submit a DS record to the parent.  Rollover timing for KSKs and
+CSKs is adjusted to take into account delays in processing and
+propagating DS updates.
+
+There are two predefined ``dnssec-policy`` names: ``none`` and
+``default``.  Setting a zone's policy to ``none`` is the same as not
+setting ``dnssec-policy`` at all; the zone is not signed.  Policy
+``default`` causes the zone to be signed with a single combined-signing
+key (CSK) using algorithm ECDSAP256SHA256; this key has an unlimited
+lifetime.  (A verbose copy of this policy may be found in the source
+tree, in the file ``doc/misc/dnssec-policy.default.conf``.)
+
+.. note:: The default signing policy may change in future releases.
+   This could require changes to a signing policy when upgrading to a
+   new version of BIND.  Check the release notes carefully when
+   upgrading to be informed of such changes.  To prevent policy changes
+   on upgrade, use an explicitly defined ``dnssec-policy``, rather than
+   ``default``.
+
+If a ``dnssec-policy`` statement is modified and the server restarted or
+reconfigured, ``named`` attempts to change the policy smoothly from the
+old one to the new.  For example, if the key algorithm is changed, then
+a new key is generated with the new algorithm, and the old algorithm is
+retired when the existing key's lifetime ends.
+
+.. note:: Rolling to a new policy while another key rollover is already
+   in progress is not yet supported, and may result in unexpected
+   behavior.
+
+The following options can be specified in a ``dnssec-policy`` statement:
+
+  ``dnskey-ttl``
+    This indicates the TTL to use when generating DNSKEY resource
+    records.  The default is 1 hour (3600 seconds).
+
+  ``keys``
+    This is a list specifying the algorithms and roles to use when
+    generating keys and signing the zone.  Entries in this list do not
+    represent specific DNSSEC keys, which may be changed on a regular
+    basis, but the roles that keys play in the signing policy.  For
+    example, configuring a KSK of algorithm RSASHA256 ensures that the
+    DNSKEY RRset always includes a key-signing key for that algorithm.
+
+    Here is an example (for illustration purposes only) of some possible
+    entries in a ``keys`` list:
+
+    ::
+
+        keys {
+            ksk key-directory lifetime unlimited algorithm rsasha256 2048;
+            zsk lifetime 30d algorithm 8;
+            csk lifetime P6MT12H3M15S algorithm ecdsa256;
+        };
+
+    This example specifies that three keys should be used in the zone.
+    The first token determines which role the key plays in signing
+    RRsets.  If set to ``ksk``, then this is a key-signing key; it has
+    the KSK flag set and is only used to sign DNSKEY, CDS, and CDNSKEY
+    RRsets.  If set to ``zsk``, this is a zone-signing key; the KSK flag
+    is unset, and the key signs all RRsets *except* DNSKEY, CDS, and
+    CDNSKEY.  If set to ``csk``, the key has the KSK flag set and is
+    used to sign all RRsets.
+
+    An optional second token determines where the key is stored.
+    Currently, keys can only be stored in the configured
+    ``key-directory``.  This token may be used in the future to store
+    keys in hardware security modules or separate directories.
+
+    The ``lifetime`` parameter specifies how long a key may be used
+    before rolling over. For convenience, TTL-style time-unit suffixes
+    can be used to specify the key lifetime. It also accepts ISO 8601
+    duration formats.
+
+    In the example above, the first key has an
+    unlimited lifetime, the second key may be used for 30 days, and the
+    third key has a rather peculiar lifetime of 6 months, 12 hours, 3
+    minutes, and 15 seconds.  A lifetime of 0 seconds is the same as
+    ``unlimited``.
+
+    Note that the lifetime of a key may be extended if retiring it too
+    soon would cause validation failures.  For example, if the key were
+    configured to roll more frequently than its own TTL, its lifetime
+    would automatically be extended to account for this.
+
+    The ``algorithm`` parameter specifies the key's algorithm, expressed
+    either as a string ("rsasha256", "ecdsa384", etc.) or as a decimal
+    number.  An optional second parameter specifies the key's size in
+    bits.  If it is omitted, as shown in the example for the second and
+    third keys, an appropriate default size for the algorithm is used.
+    Each KSK/ZSK pair must have the same algorithm. A CSK combines the
+    functionality of a ZSK and a KSK.
+
+  ``purge-keys``
+    This is the time after when DNSSEC keys that have been deleted from
+    the zone can be removed from disk. If a key still determined to have
+    presence (for example in some resolver cache), ``named`` will not
+    remove the key files.
+
+    The default is ``P90D`` (90 days). Set this option to ``0`` to never
+    purge deleted keys.
+
+  ``publish-safety``
+    This is a margin that is added to the pre-publication interval in
+    rollover timing calculations, to give some extra time to cover
+    unforeseen events.  This increases the time between when keys are
+    published and when they become active.  The default is ``PT1H`` (1
+    hour).
+
+  ``retire-safety``
+    This is a margin that is added to the post-publication interval in
+    rollover timing calculations, to give some extra time to cover
+    unforeseen events.  This increases the time a key remains published
+    after it is no longer active.  The default is ``PT1H`` (1 hour).
+
+  ``signatures-refresh``
+    This determines how frequently an RRSIG record needs to be
+    refreshed.  The signature is renewed when the time until the
+    expiration time is less than the specified interval.  The default is
+    ``P5D`` (5 days), meaning signatures that expire in 5 days or sooner
+    are refreshed.
+
+  ``signatures-validity``
+    This indicates the validity period of an RRSIG record (subject to
+    inception offset and jitter).  The default is ``P2W`` (2 weeks).
+
+  ``signatures-validity-dnskey``
+    This is similar to ``signatures-validity``, but for DNSKEY records.
+    The default is ``P2W`` (2 weeks).
+
+  ``max-zone-ttl``
+
+   This specifies the maximum permissible TTL value for the zone.  When
+   a zone file is loaded, any record encountered with a TTL higher than
+   ``max-zone-ttl`` causes the zone to be rejected.
+
+   This ensures that when rolling to a new DNSKEY, the old key will remain
+   available until RRSIG records have expired from caches. The
+   ``max-zone-ttl`` option guarantees that the largest TTL in the
+   zone is no higher than a known and predictable value.
+
+    .. note:: Because ``map``-format files load directly into memory,
+       this option cannot be used with them.
+
+   The default value ``PT24H`` (24 hours).  A value of zero is treated
+   as if the default value were in use.
+
+
+  ``nsec3param``
+    Use NSEC3 instead of NSEC, and optionally set the NSEC3 parameters.
+
+    Here is an example of an ``nsec3`` configuration:
+
+    ::
+
+        nsec3param iterations 5 optout no salt-length 8;
+
+    The default is to use NSEC. The ``iterations``, ``optout``, and
+    ``salt-length`` parts are optional, but if not set, the values in
+    the example above are the default NSEC3 parameters. Note that the
+    specific salt string is not specified by the user; :iscman:`named` creates a salt
+    of the indicated length.
+
+    .. warning::
+       Do not use extra :term:`iterations <Iterations>`, :term:`salt <Salt>`, and
+       :term:`opt-out <Opt-out>` unless their implications are fully understood.
+       A higher number of iterations causes interoperability problems and opens
+       servers to CPU-exhausting DoS attacks.
+
+  ``zone-propagation-delay``
+    This is the expected propagation delay from the time when a zone is
+    first updated to the time when the new version of the zone is served
+    by all secondary servers.  The default is ``PT5M`` (5 minutes).
+
+  ``parent-ds-ttl``
+    This is the TTL of the DS RRset that the parent zone uses.  The
+    default is ``P1D`` (1 day).
+
+  ``parent-propagation-delay``
+    This is the expected propagation delay from the time when the parent
+    zone is updated to the time when the new version is served by all of
+    the parent zone's name servers.  The default is ``PT1H`` (1 hour).
+
+Automated KSK Rollovers
+^^^^^^^^^^^^^^^^^^^^^^^
+
+BIND has mechanisms in place to facilitate automated KSK rollovers. It
+publishes CDS and CDNSKEY records that can be used by the parent zone to
+publish or withdraw the zone's DS records. BIND will query the parental
+agents to see if the new DS is actually published before withdrawing the
+old DNSSEC key.
+
+   .. note::
+      The DS response is not validated so it is recommended to set up a
+      trust relationship with the parental agent. For example, use TSIG to
+      authenticate the parental agent, or point to a validating resolver.
+
+The following options apply to DS queries sent to ``parental-agents``:
+
+``parental-source``
+   ``parental-source`` determines which local source address, and optionally
+   UDP port, is used to send parental DS queries. This statement sets the
+   ``parental-source`` for all zones, but can be overridden on a per-zone or
+   per-view basis by including a ``parental-source`` statement within the
+   ``zone`` or ``view`` block in the configuration file.
+
+   .. warning:: Specifying a single port is discouraged, as it removes a layer of
+      protection against spoofing errors.
+
+   .. warning:: The configured ``port`` must not be same as the listening port.
+
+``parental-source-v6``
+   This option acts like ``parental-source``, but applies to parental DS
+   queries sent to IPv6 addresses.
+
+.. _managed-keys:
+
+``managed-keys`` Statement Grammar
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: ../misc/managed-keys.grammar.rst
+
+.. _managed_keys:
+
+``managed-keys`` Statement Definition and Usage
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The ``managed-keys`` statement has been
+deprecated in favor of :ref:`trust_anchors`
+with the ``initial-key`` keyword.
+
+.. _trusted-keys:
+
+``trusted-keys`` Statement Grammar
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: ../misc/trusted-keys.grammar.rst
+
+.. _trusted_keys:
+
+``trusted-keys`` Statement Definition and Usage
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The ``trusted-keys`` statement has been deprecated in favor of
+:ref:`trust_anchors` with the ``static-key`` keyword.
+
+.. _view_statement_grammar:
+
+``view`` Statement Grammar
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+::
+
+   view view_name [ class ] {
+       match-clients { address_match_list } ;
+       match-destinations { address_match_list } ;
+       match-recursive-only yes_or_no ;
+     [ view_option ; ... ]
+     [ zone_statement ; ... ]
+   } ;
+
+.. _view_statement:
+
+``view`` Statement Definition and Usage
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The ``view`` statement is a powerful feature of BIND 9 that lets a name
+server answer a DNS query differently depending on who is asking. It is
+particularly useful for implementing split DNS setups without having to
+run multiple servers.
+
+Each ``view`` statement defines a view of the DNS namespace that is
+seen by a subset of clients. A client matches a view if its source IP
+address matches the ``address_match_list`` of the view's
+``match-clients`` clause, and its destination IP address matches the
+``address_match_list`` of the view's ``match-destinations`` clause. If
+not specified, both ``match-clients`` and ``match-destinations`` default
+to matching all addresses. In addition to checking IP addresses,
+``match-clients`` and ``match-destinations`` can also take ``keys``
+which provide an mechanism for the client to select the view. A view can
+also be specified as ``match-recursive-only``, which means that only
+recursive requests from matching clients match that view. The order
+of the ``view`` statements is significant; a client request is
+resolved in the context of the first ``view`` that it matches.
+
+Zones defined within a ``view`` statement are only accessible to
+clients that match the ``view``. By defining a zone of the same name in
+multiple views, different zone data can be given to different clients:
+for example, "internal" and "external" clients in a split DNS setup.
+
+Many of the options given in the ``options`` statement can also be used
+within a ``view`` statement, and then apply only when resolving queries
+with that view. When no view-specific value is given, the value in the
+``options`` statement is used as a default. Also, zone options can have
+default values specified in the ``view`` statement; these view-specific
+defaults take precedence over those in the ``options`` statement.
+
+Views are class-specific. If no class is given, class IN is assumed.
+Note that all non-IN views must contain a hint zone, since only the IN
+class has compiled-in default hints.
+
+If there are no ``view`` statements in the config file, a default view
+that matches any client is automatically created in class IN. Any
+``zone`` statements specified on the top level of the configuration file
+are considered to be part of this default view, and the ``options``
+statement applies to the default view. If any explicit ``view``
+statements are present, all ``zone`` statements must occur inside
+``view`` statements.
+
+Here is an example of a typical split DNS setup implemented using
+``view`` statements:
+
+::
+
+   view "internal" {
+         // This should match our internal networks.
+         match-clients { 10.0.0.0/8; };
+
+         // Provide recursive service to internal
+         // clients only.
+         recursion yes;
+
+         // Provide a complete view of the example.com
+         // zone including addresses of internal hosts.
+         zone "example.com" {
+           type primary;
+           file "example-internal.db";
+         };
+   };
+
+   view "external" {
+         // Match all clients not matched by the
+         // previous view.
+         match-clients { any; };
+
+         // Refuse recursive service to external clients.
+         recursion no;
+
+         // Provide a restricted view of the example.com
+         // zone containing only publicly accessible hosts.
+         zone "example.com" {
+          type primary;
+          file "example-external.db";
+         };
+   };
+
+.. _zone_statement_grammar:
+
+``zone`` Statement Grammar
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: ../misc/master.zoneopt.rst
+.. include:: ../misc/slave.zoneopt.rst
+.. include:: ../misc/mirror.zoneopt.rst
+.. include:: ../misc/hint.zoneopt.rst
+.. include:: ../misc/stub.zoneopt.rst
+.. include:: ../misc/static-stub.zoneopt.rst
+.. include:: ../misc/forward.zoneopt.rst
+.. include:: ../misc/redirect.zoneopt.rst
+.. include:: ../misc/delegation-only.zoneopt.rst
+.. include:: ../misc/in-view.zoneopt.rst
+
+.. _zone_statement:
+
+``zone`` Statement Definition and Usage
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. _zone_types:
+
+Zone Types
+^^^^^^^^^^
+
+The ``type`` keyword is required for the ``zone`` configuration unless
+it is an ``in-view`` configuration. Its acceptable values are:
+``primary`` (or ``master``), ``secondary`` (or ``slave``), ``mirror``,
+``hint``, ``stub``, ``static-stub``, ``forward``, ``redirect``,
+or ``delegation-only``.
+
+``primary``
+   A primary zone has a master copy of the data for the zone and is able
+   to provide authoritative answers for it. Type ``master`` is a synonym
+   for ``primary``.
+
+``secondary``
+    A secondary zone is a replica of a primary zone. Type ``slave`` is a
+    synonym for ``secondary``. The ``primaries`` list specifies one or more IP
+    addresses of primary servers that the secondary contacts to update
+    its copy of the zone.  Primaries list elements can
+    also be names of other primaries lists.  By default,
+    transfers are made from port 53 on the servers;
+    this can be changed for all servers by specifying
+    a port number before the list of IP addresses,
+    or on a per-server basis after the IP address.
+    Authentication to the primary can also be done with
+    per-server TSIG keys.  If a file is specified, then the
+    replica is written to this file
+    whenever the zone
+    is changed, and reloaded from this file on a server
+    restart. Use of a file is recommended, since it
+    often speeds server startup and eliminates a
+    needless waste of bandwidth. Note that for large
+    numbers (in the tens or hundreds of thousands) of
+    zones per server, it is best to use a two-level
+    naming scheme for zone filenames. For example,
+    a secondary server for the zone
+    ``example.com`` might place
+    the zone contents into a file called
+    ``ex/example.com``, where
+    ``ex/`` is just the first two
+    letters of the zone name. (Most operating systems
+    behave very slowly if there are 100000 files in a single directory.)
+
+``mirror``
+   A mirror zone is similar to a zone of type ``secondary``, except its
+   data is subject to DNSSEC validation before being used in answers.
+   Validation is applied to the entire zone during the zone transfer
+   process, and again when the zone file is loaded from disk upon
+   restarting ``named``. If validation of a new version of a mirror zone
+   fails, a retransfer is scheduled; in the meantime, the most recent
+   correctly validated version of that zone is used until it either
+   expires or a newer version validates correctly. If no usable zone
+   data is available for a mirror zone, due to either transfer failure
+   or expiration, traditional DNS recursion is used to look up the
+   answers instead. Mirror zones cannot be used in a view that does not
+   have recursion enabled.
+
+   Answers coming from a mirror zone look almost exactly like answers
+   from a zone of type ``secondary``, with the notable exceptions that
+   the AA bit ("authoritative answer") is not set, and the AD bit
+   ("authenticated data") is.
+
+   Mirror zones are intended to be used to set up a fast local copy of
+   the root zone (see :rfc:`8806`). A default list of primary servers
+   for the IANA root zone is built into ``named``, so its mirroring can
+   be enabled using the following configuration:
+
+   ::
+
+       zone "." {
+           type mirror;
+       };
+
+   Mirror zone validation always happens for the entire zone contents.
+   This ensures that each version of the zone used by the resolver is
+   fully self-consistent with respect to DNSSEC. For incoming mirror
+   zone IXFRs, every revision of the zone contained in the IXFR sequence
+   is validated independently, in the order in which the zone revisions
+   appear on the wire. For this reason, it might be useful to force use
+   of AXFR for mirror zones by setting ``request-ixfr no;`` for the
+   relevant zone (or view). Other, more efficient zone verification
+   methods may be added in the future.
+
+   To make mirror zone contents persist between ``named`` restarts, use
+   the :ref:`file <file-option>` option.
+
+   Mirroring a zone other than root requires an explicit list of primary
+   servers to be provided using the ``primaries`` option (see
+   :ref:`primaries_grammar` for details), and a key-signing key (KSK)
+   for the specified zone to be explicitly configured as a trust anchor
+   (see :ref:`trust-anchors`).
+
+   When configuring NOTIFY for a mirror zone, only ``notify no;`` and
+   ``notify explicit;`` can be used at the zone level; any other
+   ``notify`` setting at the zone level is a configuration error. Using
+   any other ``notify`` setting at the ``options`` or ``view`` level
+   causes that setting to be overridden with ``notify explicit;`` for
+   the mirror zone. The global default for the ``notify`` option is
+   ``yes``, so mirror zones are by default configured with ``notify
+   explicit;``.
+
+   Outgoing transfers of mirror zones are disabled by default but may be
+   enabled using :ref:`allow-transfer <allow-transfer-access>`.
+
+   .. note::
+      Use of this zone type with any zone other than the root should be
+      considered *experimental* and may cause performance issues,
+      especially for zones that are large and/or frequently updated.
+
+``hint``
+   The initial set of root name servers is specified using a hint zone.
+   When the server starts, it uses the root hints to find a root name
+   server and get the most recent list of root name servers. If no hint zone
+   is specified for class IN, the server uses a compiled-in default set of
+   root servers hints. Classes other than IN have no built-in default hints.
+
+``stub``
+   A stub zone is similar to a secondary zone, except that it replicates only
+   the NS records of a primary zone instead of the entire zone. Stub zones
+   are not a standard part of the DNS; they are a feature specific to the
+   BIND implementation.
+
+   Stub zones can be used to eliminate the need for a glue NS record in a parent
+   zone, at the expense of maintaining a stub zone entry and a set of name
+   server addresses in ``named.conf``. This usage is not recommended for
+   new configurations, and BIND 9 supports it only in a limited way. If a BIND 9
+   primary, serving a parent zone, has child stub
+   zones configured, all the secondary servers for the parent zone also need to
+   have the same child stub zones configured.
+
+   Stub zones can also be used as a way to force the resolution of a given
+   domain to use a particular set of authoritative servers. For example, the
+   caching name servers on a private network using :rfc:`1918` addressing may be
+   configured with stub zones for ``10.in-addr.arpa`` to use a set of
+   internal name servers as the authoritative servers for that domain.
+
+``static-stub``
+   A static-stub zone is similar to a stub zone, with the following
+   exceptions: the zone data is statically configured, rather than
+   transferred from a primary server; and when recursion is necessary for a query
+   that matches a static-stub zone, the locally configured data (name server
+   names and glue addresses) is always used, even if different authoritative
+   information is cached.
+
+   Zone data is configured via the ``server-addresses`` and ``server-names``
+   zone options.
+
+   The zone data is maintained in the form of NS and (if necessary) glue A or
+   AAAA RRs internally, which can be seen by dumping zone databases with
+   ``rndc dumpdb -all``. The configured RRs are considered local configuration
+   parameters rather than public data. Non-recursive queries (i.e., those
+   with the RD bit off) to a static-stub zone are therefore prohibited and
+   are responded to with REFUSED.
+
+   Since the data is statically configured, no zone maintenance action takes
+   place for a static-stub zone. For example, there is no periodic refresh
+   attempt, and an incoming notify message is rejected with an rcode
+   of NOTAUTH.
+
+   Each static-stub zone is configured with internally generated NS and (if
+   necessary) glue A or AAAA RRs.
+
+``forward``
+   A forward zone is a way to configure forwarding on a per-domain basis.
+   A ``zone`` statement of type ``forward`` can contain a ``forward`` and/or
+   ``forwarders`` statement, which applies to queries within the domain
+   given by the zone name. If no ``forwarders`` statement is present, or an
+   empty list for ``forwarders`` is given, then no forwarding is done
+   for the domain, canceling the effects of any forwarders in the ``options``
+   statement. Thus, to use this type of zone to change the
+   behavior of the global ``forward`` option (that is, "forward first" to,
+   then "forward only", or vice versa), but use the same servers as set
+   globally, re-specify the global forwarders.
+
+``redirect``
+   Redirect zones are used to provide answers to queries when normal
+   resolution would result in NXDOMAIN being returned. Only one redirect zone
+   is supported per view. ``allow-query`` can be used to restrict which
+   clients see these answers.
+
+   If the client has requested DNSSEC records (DO=1) and the NXDOMAIN response
+   is signed, no substitution occurs.
+
+   To redirect all NXDOMAIN responses to 100.100.100.2 and
+   2001:ffff:ffff::100.100.100.2, configure a type ``redirect`` zone
+   named ".", with the zone file containing wildcard records that point to
+   the desired addresses: ``*. IN A 100.100.100.2`` and
+   ``*. IN AAAA 2001:ffff:ffff::100.100.100.2``.
+
+   As another example, to redirect all Spanish names (under .ES), use similar entries
+   but with the names ``*.ES.`` instead of ``*.``. To redirect all commercial
+   Spanish names (under COM.ES), use wildcard entries
+   called ``*.COM.ES.``.
+
+   Note that the redirect zone supports all possible types; it is not
+   limited to A and AAAA records.
+
+   If a redirect zone is configured with a ``primaries`` option, then it is
+   transferred in as if it were a secondary zone. Otherwise, it is loaded from a
+   file as if it were a primary zone.
+
+   Because redirect zones are not referenced directly by name, they are not
+   kept in the zone lookup table with normal primary and secondary zones. To reload
+   a redirect zone, use ``rndc reload -redirect``; to retransfer a
+   redirect zone configured as a secondary, use ``rndc retransfer -redirect``.
+   When using ``rndc reload`` without specifying a zone name, redirect
+   zones are reloaded along with other zones.
+
+``delegation-only``
+   This zone type is used to enforce the delegation-only status of infrastructure
+   zones (e.g., COM, NET, ORG). Any answer that is received without an
+   explicit or implicit delegation in the authority section is treated
+   as NXDOMAIN. This does not apply to the zone apex, and should not be
+   applied to leaf zones.
+
+   ``delegation-only`` has no effect on answers received from forwarders.
+
+   See caveats in :ref:`root-delegation-only <root-delegation-only>`.
+
+``in-view``
+   When using multiple views, a ``primary`` or ``secondary`` zone configured
+   in one view can be referenced in a subsequent view. This allows both views
+   to use the same zone without the overhead of loading it more than once. This
+   is configured using a ``zone`` statement, with an ``in-view`` option
+   specifying the view in which the zone is defined. A ``zone`` statement
+   containing ``in-view`` does not need to specify a type, since that is part
+   of the zone definition in the other view.
+
+   See :ref:`multiple_views` for more information.
+
+Class
+^^^^^
+
+The zone's name may optionally be followed by a class. If a class is not
+specified, class ``IN`` (for ``Internet``) is assumed. This is correct
+for the vast majority of cases.
+
+The ``hesiod`` class is named for an information service from MIT's
+Project Athena. It was used to share information about various systems
+databases, such as users, groups, printers, and so on. The keyword ``HS``
+is a synonym for hesiod.
+
+Another MIT development is Chaosnet, a LAN protocol created in the
+mid-1970s. Zone data for it can be specified with the ``CHAOS`` class.
+
+.. _zone_options:
+
+Zone Options
+^^^^^^^^^^^^
+
+``allow-notify``
+   See the description of ``allow-notify`` in :ref:`access_control`.
+
+``allow-query``
+   See the description of ``allow-query`` in :ref:`access_control`.
+
+``allow-query-on``
+   See the description of ``allow-query-on`` in :ref:`access_control`.
+
+``allow-transfer``
+   See the description of ``allow-transfer`` in :ref:`access_control`.
+
+``allow-update``
+   See the description of ``allow-update`` in :ref:`access_control`.
+
+``update-policy``
+   This specifies a "Simple Secure Update" policy. See :ref:`dynamic_update_policies`.
+
+``allow-update-forwarding``
+   See the description of ``allow-update-forwarding`` in :ref:`access_control`.
+
+``also-notify``
+   This option is only meaningful if ``notify`` is active for this zone. The set of
+   machines that receive a ``DNS NOTIFY`` message for this zone is
+   made up of all the listed name servers (other than the primary)
+   for the zone, plus any IP addresses specified with
+   ``also-notify``. A port may be specified with each ``also-notify``
+   address to send the notify messages to a port other than the default
+   of 53. A TSIG key may also be specified to cause the ``NOTIFY`` to be
+   signed by the given key. ``also-notify`` is not meaningful for stub
+   zones. The default is the empty list.
+
+``check-names``
+   This option is used to restrict the character set and syntax of
+   certain domain names in primary files and/or DNS responses received
+   from the network. The default varies according to zone type. For
+   ``primary`` zones the default is ``fail``; for ``secondary`` zones the
+   default is ``warn``. It is not implemented for ``hint`` zones.
+
+``check-mx``
+   See the description of ``check-mx`` in :ref:`boolean_options`.
+
+``check-spf``
+   See the description of ``check-spf`` in :ref:`boolean_options`.
+
+``check-wildcard``
+   See the description of ``check-wildcard`` in :ref:`boolean_options`.
+
+``check-integrity``
+   See the description of ``check-integrity`` in :ref:`boolean_options`.
+
+``check-sibling``
+   See the description of ``check-sibling`` in :ref:`boolean_options`.
+
+``zero-no-soa-ttl``
+   See the description of ``zero-no-soa-ttl`` in :ref:`boolean_options`.
+
+``update-check-ksk``
+   See the description of ``update-check-ksk`` in :ref:`boolean_options`.
+
+``dnssec-loadkeys-interval``
+   See the description of ``dnssec-loadkeys-interval`` in :ref:`options`.
+
+``dnssec-update-mode``
+   See the description of ``dnssec-update-mode`` in :ref:`options`.
+
+``dnssec-dnskey-kskonly``
+   See the description of ``dnssec-dnskey-kskonly`` in :ref:`boolean_options`.
+
+``try-tcp-refresh``
+   See the description of ``try-tcp-refresh`` in :ref:`boolean_options`.
+
+``database``
+   This specifies the type of database to be used to store the zone data.
+   The string following the ``database`` keyword is interpreted as a
+   list of whitespace-delimited words. The first word identifies the
+   database type, and any subsequent words are passed as arguments to
+   the database to be interpreted in a way specific to the database
+   type.
+
+   The default is ``rbt``, BIND 9's native in-memory red-black tree
+   database. This database does not take arguments.
+
+   Other values are possible if additional database drivers have been
+   linked into the server. Some sample drivers are included with the
+   distribution but none are linked in by default.
+
+``dialup``
+   See the description of ``dialup`` in :ref:`boolean_options`.
+
+``delegation-only``
+   This flag only applies to forward, hint, and stub zones. If set to
+   ``yes``, then the zone is treated as if it is also a
+   delegation-only type zone.
+
+   See caveats in :ref:`root-delegation-only <root-delegation-only>`.
+
+.. _file-option:
+
+``file``
+   This sets the zone's filename. In ``primary``, ``hint``, and ``redirect``
+   zones which do not have ``primaries`` defined, zone data is loaded from
+   this file. In ``secondary``, ``mirror``, ``stub``, and ``redirect`` zones
+   which do have ``primaries`` defined, zone data is retrieved from
+   another server and saved in this file. This option is not applicable
+   to other zone types.
+
+``forward``
+   This option is only meaningful if the zone has a forwarders list. The ``only`` value
+   causes the lookup to fail after trying the forwarders and getting no
+   answer, while ``first`` allows a normal lookup to be tried.
+
+``forwarders``
+   This is used to override the list of global forwarders. If it is not
+   specified in a zone of type ``forward``, no forwarding is done for
+   the zone and the global options are not used.
+
+``journal``
+   This allows the default journal's filename to be overridden. The default is
+   the zone's filename with "``.jnl``" appended. This is applicable to
+   ``primary`` and ``secondary`` zones.
+
+``max-ixfr-ratio``
+   See the description of ``max-ixfr-ratio`` in :ref:`options`.
+
+``max-journal-size``
+   See the description of ``max-journal-size`` in :ref:`server_resource_limits`.
+
+``max-records``
+   See the description of ``max-records`` in :ref:`server_resource_limits`.
+
+``max-transfer-time-in``
+   See the description of ``max-transfer-time-in`` in :ref:`zone_transfers`.
+
+``max-transfer-idle-in``
+   See the description of ``max-transfer-idle-in`` in :ref:`zone_transfers`.
+
+``max-transfer-time-out``
+   See the description of ``max-transfer-time-out`` in :ref:`zone_transfers`.
+
+``max-transfer-idle-out``
+   See the description of ``max-transfer-idle-out`` in :ref:`zone_transfers`.
+
+``notify``
+   See the description of ``notify`` in :ref:`boolean_options`.
+
+``notify-delay``
+   See the description of ``notify-delay`` in :ref:`tuning`.
+
+``notify-to-soa``
+   See the description of ``notify-to-soa`` in :ref:`boolean_options`.
+
+``zone-statistics``
+   See the description of ``zone-statistics`` in :ref:`options`.
+
+``server-addresses``
+   This option is only meaningful for static-stub zones. This is a list of IP addresses
+   to which queries should be sent in recursive resolution for the zone.
+   A non-empty list for this option internally configures the apex
+   NS RR with associated glue A or AAAA RRs.
+
+   For example, if "example.com" is configured as a static-stub zone
+   with 192.0.2.1 and 2001:db8::1234 in a ``server-addresses`` option,
+   the following RRs are internally configured:
+
+   ::
+
+      example.com. NS example.com.
+      example.com. A 192.0.2.1
+      example.com. AAAA 2001:db8::1234
+
+   These records are used internally to resolve names under the
+   static-stub zone. For instance, if the server receives a query for
+   "www.example.com" with the RD bit on, the server initiates
+   recursive resolution and sends queries to 192.0.2.1 and/or
+   2001:db8::1234.
+
+``server-names``
+   This option is only meaningful for static-stub zones. This is a list of domain names
+   of name servers that act as authoritative servers of the static-stub
+   zone. These names are resolved to IP addresses when ``named``
+   needs to send queries to these servers. For this supplemental
+   resolution to be successful, these names must not be a subdomain of the
+   origin name of the static-stub zone. That is, when "example.net" is the
+   origin of a static-stub zone, "ns.example" and "master.example.com"
+   can be specified in the ``server-names`` option, but "ns.example.net"
+   cannot; it is rejected by the configuration parser.
+
+   A non-empty list for this option internally configures the apex
+   NS RR with the specified names. For example, if "example.com" is
+   configured as a static-stub zone with "ns1.example.net" and
+   "ns2.example.net" in a ``server-names`` option, the following RRs
+   are internally configured:
+
+   ::
+
+      example.com. NS ns1.example.net.
+      example.com. NS ns2.example.net.
+
+   These records are used internally to resolve names under the
+   static-stub zone. For instance, if the server receives a query for
+   "www.example.com" with the RD bit on, the server initiates recursive
+   resolution, resolves "ns1.example.net" and/or "ns2.example.net" to IP
+   addresses, and then sends queries to one or more of these addresses.
+
+``sig-validity-interval``
+   See the description of ``sig-validity-interval`` in :ref:`tuning`.
+
+``sig-signing-nodes``
+   See the description of ``sig-signing-nodes`` in :ref:`tuning`.
+
+``sig-signing-signatures``
+   See the description of ``sig-signing-signatures`` in
+   :ref:`tuning`.
+
+``sig-signing-type``
+   See the description of ``sig-signing-type`` in :ref:`tuning`.
+
+``transfer-source``
+   See the description of ``transfer-source`` in :ref:`zone_transfers`.
+
+``transfer-source-v6``
+   See the description of ``transfer-source-v6`` in :ref:`zone_transfers`.
+
+``alt-transfer-source``
+   See the description of ``alt-transfer-source`` in :ref:`zone_transfers`.
+
+``alt-transfer-source-v6``
+   See the description of ``alt-transfer-source-v6`` in :ref:`zone_transfers`.
+
+``use-alt-transfer-source``
+   See the description of ``use-alt-transfer-source`` in :ref:`zone_transfers`.
+
+``notify-source``
+   See the description of ``notify-source`` in :ref:`zone_transfers`.
+
+``notify-source-v6``
+   See the description of ``notify-source-v6`` in :ref:`zone_transfers`.
+
+``min-refresh-time``; ``max-refresh-time``; ``min-retry-time``; ``max-retry-time``
+   See the descriptions in :ref:`tuning`.
+
+``ixfr-from-differences``
+   See the description of ``ixfr-from-differences`` in :ref:`boolean_options`.
+   (Note that the ``ixfr-from-differences`` choices of ``primary`` and ``secondary``
+   are not available at the zone level.)
+
+``key-directory``
+   See the description of ``key-directory`` in :ref:`options`.
+
+``auto-dnssec``
+   See the description of ``auto-dnssec`` in :ref:`options`.
+
+``serial-update-method``
+   See the description of ``serial-update-method`` in :ref:`options`.
+
+``inline-signing``
+   If ``yes``, BIND 9 maintains a separate signed version of the zone.
+   An unsigned zone is transferred in or loaded from disk and the signed
+   version of the zone is served with, possibly, a different serial
+   number. The signed version of the zone is stored in a file that is
+   the zone's filename (set in ``file``) with a ``.signed`` extension.
+   This behavior is disabled by default.
+
+``multi-master``
+   See the description of ``multi-master`` in :ref:`boolean_options`.
+
+``masterfile-format``
+   See the description of ``masterfile-format`` in :ref:`tuning`.
+
+``max-zone-ttl``
+   See the description of ``max-zone-ttl`` in :ref:`options`.
+
+``dnssec-secure-to-insecure``
+   See the description of ``dnssec-secure-to-insecure`` in :ref:`boolean_options`.
+
+.. _dynamic_update_policies:
+
+Dynamic Update Policies
+^^^^^^^^^^^^^^^^^^^^^^^
+
+BIND 9 supports two methods of granting clients the right to
+perform dynamic updates to a zone:
+
+- ``allow-update`` - a simple access control list
+- ``update-policy`` - fine-grained access control
+
+In both cases, BIND 9 writes the updates to the zone's filename
+set in ``file``.
+
+In the case of a DNSSEC zone, DNSSEC records are also written to
+the zone's filename, unless ``inline-signing`` is enabled.
+
+   .. note:: The zone file can no longer be manually updated while ``named``
+      is running; it is now necessary to perform :option:`rndc freeze`, edit,
+      and then perform :option:`rndc thaw`. Comments and formatting
+      in the zone file are lost when dynamic updates occur.
+
+The ``allow-update`` clause is a simple access control list. Any client
+that matches the ACL is granted permission to update any record in the
+zone.
+
+The ``update-policy`` clause allows more fine-grained control over which
+updates are allowed. It specifies a set of rules, in which each rule
+either grants or denies permission for one or more names in the zone to
+be updated by one or more identities. Identity is determined by the key
+that signed the update request, using either TSIG or SIG(0). In most
+cases, ``update-policy`` rules only apply to key-based identities. There
+is no way to specify update permissions based on the client source address.
+
+``update-policy`` rules are only meaningful for zones of type
+``primary``, and are not allowed in any other zone type. It is a
+configuration error to specify both ``allow-update`` and
+``update-policy`` at the same time.
+
+A pre-defined ``update-policy`` rule can be switched on with the command
+``update-policy local;``. ``named`` automatically
+generates a TSIG session key when starting and stores it in a file;
+this key can then be used by local clients to update the zone while
+``named`` is running. By default, the session key is stored in the file
+``/var/run/named/session.key``, the key name is "local-ddns", and the
+key algorithm is HMAC-SHA256. These values are configurable with the
+``session-keyfile``, ``session-keyname``, and ``session-keyalg`` options,
+respectively. A client running on the local system, if run with
+appropriate permissions, may read the session key from the key file and
+use it to sign update requests. The zone's update policy is set to
+allow that key to change any record within the zone. Assuming the key
+name is "local-ddns", this policy is equivalent to:
+
+::
+
+   update-policy { grant local-ddns zonesub any; };
+
+with the additional restriction that only clients connecting from the
+local system are permitted to send updates.
+
+Note that only one session key is generated by ``named``; all zones
+configured to use ``update-policy local`` accept the same key.
+
+The command ``nsupdate -l`` implements this feature, sending requests to
+localhost and signing them using the key retrieved from the session key
+file.
+
+Other rule definitions look like this:
+
+::
+
+   ( grant | deny ) identity ruletype  name   types
+
+Each rule grants or denies privileges. Rules are checked in the order in
+which they are specified in the ``update-policy`` statement. Once a
+message has successfully matched a rule, the operation is immediately
+granted or denied, and no further rules are examined. There are 13 types
+of rules; the rule type is specified by the ``ruletype`` field, and the
+interpretation of other fields varies depending on the rule type.
+
+In general, a rule is matched when the key that signed an update request
+matches the ``identity`` field, the name of the record to be updated
+matches the ``name`` field (in the manner specified by the ``ruletype``
+field), and the type of the record to be updated matches the ``types``
+field. Details for each rule type are described below.
+
+The ``identity`` field must be set to a fully qualified domain name. In
+most cases, this represents the name of the TSIG or SIG(0) key that
+must be used to sign the update request. If the specified name is a
+wildcard, it is subject to DNS wildcard expansion, and the rule may
+apply to multiple identities. When a TKEY exchange has been used to
+create a shared secret, the identity of the key used to authenticate the
+TKEY exchange is used as the identity of the shared secret. Some
+rule types use identities matching the client's Kerberos principal (e.g,
+``"host/machine@REALM"``) or Windows realm (``machine$@REALM``).
+
+The ``name`` field also specifies a fully qualified domain name. This often
+represents the name of the record to be updated. Interpretation of this
+field is dependent on rule type.
+
+If no ``types`` are explicitly specified, then a rule matches all types
+except RRSIG, NS, SOA, NSEC, and NSEC3. Types may be specified by name,
+including ``ANY``; ANY matches all types except NSEC and NSEC3, which can
+never be updated. Note that when an attempt is made to delete all
+records associated with a name, the rules are checked for each existing
+record type.
+
+The ruletype field has 16 values: ``name``, ``subdomain``, ``zonesub``, ``wildcard``,
+``self``, ``selfsub``, ``selfwild``, ``ms-self``, ``ms-selfsub``, ``ms-subdomain``,
+``krb5-self``, ``krb5-selfsub``, ``krb5-subdomain``,
+``tcp-self``, ``6to4-self``, and ``external``.
+
+``name``
+    With exact-match semantics, this rule matches when the name being updated is identical to the contents of the ``name`` field.
+
+``subdomain``
+    This rule matches when the name being updated is a subdomain of, or identical to, the contents of the ``name`` field.
+
+``zonesub``
+    This rule is similar to subdomain, except that it matches when the name being updated is a subdomain of the zone in which the ``update-policy`` statement appears. This obviates the need to type the zone name twice, and enables the use of a standard ``update-policy`` statement in multiple zones without modification.
+    When this rule is used, the ``name`` field is omitted.
+
+``wildcard``
+    The ``name`` field is subject to DNS wildcard expansion, and this rule matches when the name being updated is a valid expansion of the wildcard.
+
+``self``
+    This rule matches when the name of the record being updated matches the contents of the ``identity`` field. The ``name`` field is ignored. To avoid confusion, it is recommended that this field be set to the same value as the ``identity`` field or to "."
+    The ``self`` rule type is most useful when allowing one key per name to update, where the key has the same name as the record to be updated. In this case, the ``identity`` field can be specified as ``*`` (asterisk).
+
+``selfsub``
+    This rule is similar to ``self``, except that subdomains of ``self`` can also be updated.
+
+``selfwild``
+    This rule is similar to ``self``, except that only subdomains of ``self`` can be updated.
+
+``ms-self``
+    When a client sends an UPDATE using a Windows machine principal (for example, ``machine$@REALM``), this rule allows records with the absolute name of ``machine.REALM`` to be updated.
+
+    The realm to be matched is specified in the ``identity`` field.
+
+    The ``name`` field has no effect on this rule; it should be set to "." as a placeholder.
+
+    For example, ``grant EXAMPLE.COM ms-self . A AAAA`` allows any machine with a valid principal in the realm ``EXAMPLE.COM`` to update its own address records.
+
+``ms-selfsub``
+    This is similar to ``ms-self``, except it also allows updates to any subdomain of the name specified in the Windows machine principal, not just to the name itself.
+
+``ms-subdomain``
+    When a client sends an UPDATE using a Windows machine principal (for example, ``machine$@REALM``), this rule allows any machine in the specified realm to update any record in the zone or in a specified subdomain of the zone.
+
+    The realm to be matched is specified in the ``identity`` field.
+
+    The ``name`` field specifies the subdomain that may be updated. If set to "." or any other name at or above the zone apex, any name in the zone can be updated.
+
+    For example, if ``update-policy`` for the zone "example.com" includes ``grant EXAMPLE.COM ms-subdomain hosts.example.com. AA AAAA``, any machine with a valid principal in the realm ``EXAMPLE.COM`` is able to update address records at or below ``hosts.example.com``.
+
+``krb5-self``
+    When a client sends an UPDATE using a Kerberos machine principal (for example, ``host/machine@REALM``), this rule allows records with the absolute name of ``machine`` to be updated, provided it has been authenticated by REALM. This is similar but not identical to ``ms-self``, due to the ``machine`` part of the Kerberos principal being an absolute name instead of an unqualified name.
+
+    The realm to be matched is specified in the ``identity`` field.
+
+    The ``name`` field has no effect on this rule; it should be set to "." as a placeholder.
+
+    For example, ``grant EXAMPLE.COM krb5-self . A AAAA`` allows any machine with a valid principal in the realm ``EXAMPLE.COM`` to update its own address records.
+
+``krb5-selfsub``
+    This is similar to ``krb5-self``, except it also allows updates to any subdomain of the name specified in the ``machine`` part of the Kerberos principal, not just to the name itself.
+
+``krb5-subdomain``
+    This rule is identical to ``ms-subdomain``, except that it works with Kerberos machine principals (i.e., ``host/machine@REALM``) rather than Windows machine principals.
+
+``tcp-self``
+    This rule allows updates that have been sent via TCP and for which the standard mapping from the client's IP address into the ``in-addr.arpa`` and ``ip6.arpa`` namespaces matches the name to be updated. The ``identity`` field must match that name. The ``name`` field should be set to ".". Note that, since identity is based on the client's IP address, it is not necessary for update request messages to be signed.
+
+    .. note::
+        It is theoretically possible to spoof these TCP sessions.
+
+``6to4-self``
+    This allows the name matching a 6to4 IPv6 prefix, as specified in :rfc:`3056`, to be updated by any TCP connection from either the 6to4 network or from the corresponding IPv4 address. This is intended to allow NS or DNAME RRsets to be added to the ``ip6.arpa`` reverse tree.
+
+    The ``identity`` field must match the 6to4 prefix in ``ip6.arpa``. The ``name`` field should be set to ".". Note that, since identity is based on the client's IP address, it is not necessary for update request messages to be signed.
+
+    In addition, if specified for an ``ip6.arpa`` name outside of the ``2.0.0.2.ip6.arpa`` namespace, the corresponding /48 reverse name can be updated. For example, TCP/IPv6 connections from 2001:DB8:ED0C::/48 can update records at ``C.0.D.E.8.B.D.0.1.0.0.2.ip6.arpa``.
+
+    .. note::
+        It is theoretically possible to spoof these TCP sessions.
+
+``external``
+    This rule allows ``named`` to defer the decision of whether to allow a given update to an external daemon.
+
+    The method of communicating with the daemon is specified in the ``identity`` field, the format of which is "``local:``\ path", where "path" is the location of a Unix-domain socket. (Currently, "local" is the only supported mechanism.)
+
+    Requests to the external daemon are sent over the Unix-domain socket as datagrams with the following format:
+
+    ::
+
+        Protocol version number (4 bytes, network byte order, currently 1)
+        Request length (4 bytes, network byte order)
+        Signer (null-terminated string)
+        Name (null-terminated string)
+        TCP source address (null-terminated string)
+        Rdata type (null-terminated string)
+        Key (null-terminated string)
+        TKEY token length (4 bytes, network byte order)
+        TKEY token (remainder of packet)
+
+    The daemon replies with a four-byte value in network byte order, containing either 0 or 1; 0 indicates that the specified update is not permitted, and 1 indicates that it is.
+
+       .. warning:: The external daemon must not delay communication. This policy is evaluated synchronously; any wait period negatively affects :iscman:`named` performance.
+
+.. _multiple_views:
+
+Multiple Views
+^^^^^^^^^^^^^^
+
+When multiple views are in use, a zone may be referenced by more than
+one of them. Often, the views contain different zones with the same
+name, allowing different clients to receive different answers for the
+same queries. At times, however, it is desirable for multiple views to
+contain identical zones. The ``in-view`` zone option provides an
+efficient way to do this; it allows a view to reference a zone that was
+defined in a previously configured view. For example:
+
+::
+
+   view internal {
+       match-clients { 10/8; };
+
+       zone example.com {
+       type primary;
+       file "example-external.db";
+       };
+   };
+
+   view external {
+       match-clients { any; };
+
+       zone example.com {
+       in-view internal;
+       };
+   };
+
+An ``in-view`` option cannot refer to a view that is configured later in
+the configuration file.
+
+A ``zone`` statement which uses the ``in-view`` option may not use any
+other options, with the exception of ``forward`` and ``forwarders``.
+(These options control the behavior of the containing view, rather than
+change the zone object itself.)
+
+Zone-level ACLs (e.g., allow-query, allow-transfer), and other
+configuration details of the zone, are all set in the view the referenced
+zone is defined in. Be careful to ensure that ACLs are wide
+enough for all views referencing the zone.
+
+An ``in-view`` zone cannot be used as a response policy zone.
+
+An ``in-view`` zone is not intended to reference a ``forward`` zone.
+
+.. _zone_file:
+
+Zone File
+---------
+
+.. _types_of_resource_records_and_when_to_use_them:
+
+Types of Resource Records and When to Use Them
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This section, largely borrowed from :rfc:`1034`, describes the concept of a
+Resource Record (RR) and explains when each type is used. Since the
+publication of :rfc:`1034`, several new RRs have been identified and
+implemented in the DNS. These are also included.
+
+Resource Records
+^^^^^^^^^^^^^^^^
+
+A domain name identifies a node. Each node has a set of resource
+information, which may be empty. The set of resource information
+associated with a particular name is composed of separate RRs. The order
+of RRs in a set is not significant and need not be preserved by name
+servers, resolvers, or other parts of the DNS. However, sorting of
+multiple RRs is permitted for optimization purposes: for example, to
+specify that a particular nearby server be tried first. See
+:ref:`the_sortlist_statement` and :ref:`rrset_ordering`.
+
+The components of a Resource Record are:
+
+owner name
+    The domain name where the RR is found.
+
+type
+    An encoded 16-bit value that specifies the type of the resource record.
+
+TTL
+    The time-to-live of the RR. This field is a 32-bit integer in units of seconds, and is primarily used by resolvers when they cache RRs. The TTL describes how long a RR can be cached before it should be discarded.
+
+class
+    An encoded 16-bit value that identifies a protocol family or an instance of a protocol.
+
+RDATA
+    The resource data. The format of the data is type- and sometimes class-specific.
+
+For a complete list of *types* of valid RRs, including those that have been obsoleted, please refer to https://en.wikipedia.org/wiki/List_of_DNS_record_types.
+
+The following *classes* of resource records are currently valid in the
+DNS:
+
+IN
+    The Internet.
+
+CH
+    Chaosnet, a LAN protocol created at MIT in the mid-1970s. It was rarely used for its historical purpose, but was reused for BIND's built-in server information zones, e.g., ``version.bind``.
+
+HS
+    Hesiod, an information service developed by MIT's Project Athena. It was used to share information about various systems databases, such as users, groups, printers, etc.
+
+The owner name is often implicit, rather than forming an integral part
+of the RR. For example, many name servers internally form tree or hash
+structures for the name space, and chain RRs off nodes. The remaining RR
+parts are the fixed header (type, class, TTL), which is consistent for
+all RRs, and a variable part (RDATA) that fits the needs of the resource
+being described.
+
+The TTL field is a time limit on how long an RR can be
+kept in a cache. This limit does not apply to authoritative data in
+zones; that also times out, but follows the refreshing policies for the
+zone. The TTL is assigned by the administrator for the zone where the
+data originates. While short TTLs can be used to minimize caching, and a
+zero TTL prohibits caching, the realities of Internet performance
+suggest that these times should be on the order of days for the typical
+host. If a change is anticipated, the TTL can be reduced prior to
+the change to minimize inconsistency, and then
+increased back to its former value following the change.
+
+The data in the RDATA section of RRs is carried as a combination of
+binary strings and domain names. The domain names are frequently used as
+"pointers" to other data in the DNS.
+
+.. _rr_text:
+
+Textual Expression of RRs
+^^^^^^^^^^^^^^^^^^^^^^^^^
+
+RRs are represented in binary form in the packets of the DNS protocol,
+and are usually represented in highly encoded form when stored in a name
+server or resolver. In the examples provided in :rfc:`1034`, a style
+similar to that used in primary files was employed in order to show the
+contents of RRs. In this format, most RRs are shown on a single line,
+although continuation lines are possible using parentheses.
+
+The start of the line gives the owner of the RR. If a line begins with a
+blank, then the owner is assumed to be the same as that of the previous
+RR. Blank lines are often included for readability.
+
+Following the owner are listed the TTL, type, and class of the RR. Class
+and type use the mnemonics defined above, and TTL is an integer before
+the type field. To avoid ambiguity in parsing, type and class
+mnemonics are disjoint, TTLs are integers, and the type mnemonic is
+always last. The IN class and TTL values are often omitted from examples
+in the interest of clarity.
+
+The resource data or RDATA section of the RR is given using knowledge
+of the typical representation for the data.
+
+For example, the RRs carried in a message might be shown as:
+
+ +---------------------+---------------+--------------------------------+
+ | ``ISI.EDU.``        | ``MX``        | ``10 VENERA.ISI.EDU.``         |
+ +---------------------+---------------+--------------------------------+
+ |                     | ``MX``        | ``10 VAXA.ISI.EDU``            |
+ +---------------------+---------------+--------------------------------+
+ | ``VENERA.ISI.EDU``  | ``A``         | ``128.9.0.32``                 |
+ +---------------------+---------------+--------------------------------+
+ |                     | ``A``         | ``10.1.0.52``                  |
+ +---------------------+---------------+--------------------------------+
+ | ``VAXA.ISI.EDU``    | ``A``         | ``10.2.0.27``                  |
+ +---------------------+---------------+--------------------------------+
+ |                     | ``A``         | ``128.9.0.33``                 |
+ +---------------------+---------------+--------------------------------+
+
+The MX RRs have an RDATA section which consists of a 16-bit number
+followed by a domain name. The address RRs use a standard IP address
+format to contain a 32-bit Internet address.
+
+The above example shows six RRs, with two RRs at each of three domain
+names.
+
+Here is another possible example:
+
+ +----------------------+---------------+-------------------------------+
+ | ``XX.LCS.MIT.EDU.``  | ``IN A``      | ``10.0.0.44``                 |
+ +----------------------+---------------+-------------------------------+
+ |                      | ``CH A``      | ``MIT.EDU. 2420``             |
+ +----------------------+---------------+-------------------------------+
+
+This shows two addresses for ``XX.LCS.MIT.EDU``, each of a
+different class.
+
+.. _mx_records:
+
+Discussion of MX Records
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+As described above, domain servers store information as a series of
+resource records, each of which contains a particular piece of
+information about a given domain name (which is usually, but not always,
+a host). The simplest way to think of an RR is as a typed pair of data, a
+domain name matched with a relevant datum and stored with some
+additional type information, to help systems determine when the RR is
+relevant.
+
+MX records are used to control delivery of email. The data specified in
+the record is a priority and a domain name. The priority controls the
+order in which email delivery is attempted, with the lowest number
+first. If two priorities are the same, a server is chosen randomly. If
+no servers at a given priority are responding, the mail transport agent
+falls back to the next largest priority. Priority numbers do not
+have any absolute meaning; they are relevant only respective to other
+MX records for that domain name. The domain name given is the machine to
+which the mail is delivered. It *must* have an associated address
+record (A or AAAA); CNAME is not sufficient.
+
+For a given domain, if there is both a CNAME record and an MX record,
+the MX record is in error and is ignored. Instead, the mail is
+delivered to the server specified in the MX record pointed to by the
+CNAME. For example:
+
+ +------------------------+--------+--------+--------------+------------------------+
+ | ``example.com.``       | ``IN`` | ``MX`` | ``10``       | ``mail.example.com.``  |
+ +------------------------+--------+--------+--------------+------------------------+
+ |                        | ``IN`` | ``MX`` | ``10``       | ``mail2.example.com.`` |
+ +------------------------+--------+--------+--------------+------------------------+
+ |                        | ``IN`` | ``MX`` | ``20``       | ``mail.backup.org.``   |
+ +------------------------+--------+--------+--------------+------------------------+
+ | ``mail.example.com.``  | ``IN`` | ``A``  | ``10.0.0.1`` |                        |
+ +------------------------+--------+--------+--------------+------------------------+
+ | ``mail2.example.com.`` | ``IN`` | ``A``  | ``10.0.0.2`` |                        |
+ +------------------------+--------+--------+--------------+------------------------+
+
+Mail delivery is attempted to ``mail.example.com`` and
+``mail2.example.com`` (in any order); if neither of those succeeds,
+delivery to ``mail.backup.org`` is attempted.
+
+.. _Setting_TTLs:
+
+Setting TTLs
+~~~~~~~~~~~~
+
+The time-to-live (TTL) of the RR field is a 32-bit integer represented in
+units of seconds, and is primarily used by resolvers when they cache
+RRs. The TTL describes how long an RR can be cached before it should be
+discarded. The following three types of TTLs are currently used in a zone
+file.
+
+SOA
+    The last field in the SOA is the negative caching TTL. This controls how long other servers cache no-such-domain (NXDOMAIN) responses from this server.
+
+    The maximum time for negative caching is 3 hours (3h).
+
+$TTL
+    The $TTL directive at the top of the zone file (before the SOA) gives a default TTL for every RR without a specific TTL set.
+
+RR TTLs
+    Each RR can have a TTL as the second field in the RR, which controls how long other servers can cache it.
+
+All of these TTLs default to units of seconds, though units can be
+explicitly specified: for example, ``1h30m``.
+
+.. _ipv4_reverse:
+
+Inverse Mapping in IPv4
+~~~~~~~~~~~~~~~~~~~~~~~
+
+Reverse name resolution (that is, translation from IP address to name)
+is achieved by means of the ``in-addr.arpa`` domain and PTR records.
+Entries in the in-addr.arpa domain are made in least-to-most significant
+order, read left to right. This is the opposite order to the way IP
+addresses are usually written. Thus, a machine with an IP address of
+10.1.2.3 would have a corresponding in-addr.arpa name of
+3.2.1.10.in-addr.arpa. This name should have a PTR resource record whose
+data field is the name of the machine or, optionally, multiple PTR
+records if the machine has more than one name. For example, in the
+``example.com`` domain:
+
+ +--------------+-------------------------------------------------------+
+ | ``$ORIGIN``  | ``2.1.10.in-addr.arpa``                               |
+ +--------------+-------------------------------------------------------+
+ | ``3``        | ``IN PTR foo.example.com.``                           |
+ +--------------+-------------------------------------------------------+
+
+.. note::
+
+   The ``$ORIGIN`` line in this example is only to provide context;
+   it does not necessarily appear in the actual
+   usage. It is only used here to indicate that the example is
+   relative to the listed origin.
+
+.. _zone_directives:
+
+Other Zone File Directives
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The DNS "master file" format was initially defined in :rfc:`1035` and has
+subsequently been extended. While the format itself is class-independent,
+all records in a zone file must be of the same class.
+
+Master file directives include ``$ORIGIN``, ``$INCLUDE``, and ``$TTL.``
+
+.. _atsign:
+
+The ``@`` (at-sign)
+^^^^^^^^^^^^^^^^^^^
+
+When used in the label (or name) field, the asperand or at-sign (@)
+symbol represents the current origin. At the start of the zone file, it
+is the <``zone_name``>, followed by a trailing dot (.).
+
+.. _origin_directive:
+
+The ``$ORIGIN`` Directive
+^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Syntax: ``$ORIGIN`` domain-name [comment]
+
+``$ORIGIN`` sets the domain name that is appended to any
+unqualified records. When a zone is first read, there is an implicit
+``$ORIGIN`` <``zone_name``>``.``; note the trailing dot. The
+current ``$ORIGIN`` is appended to the domain specified in the
+``$ORIGIN`` argument if it is not absolute.
+
+::
+
+   $ORIGIN example.com.
+   WWW     CNAME   MAIN-SERVER
+
+is equivalent to
+
+::
+
+   WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
+
+.. _include_directive:
+
+The ``$INCLUDE`` Directive
+^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Syntax: ``$INCLUDE`` filename [origin] [comment]
+
+This reads and processes the file ``filename`` as if it were included in the
+file at this point. The ``filename`` can be an absolute path, or a relative
+path. In the latter case it is read from ``named``'s working directory. If
+``origin`` is specified, the file is processed with ``$ORIGIN`` set to that
+value; otherwise, the current ``$ORIGIN`` is used.
+
+The origin and the current domain name revert to the values they had
+prior to the ``$INCLUDE`` once the file has been read.
+
+.. note::
+
+   :rfc:`1035` specifies that the current origin should be restored after
+   an ``$INCLUDE``, but it is silent on whether the current domain name
+   should also be restored. BIND 9 restores both of them. This could be
+   construed as a deviation from :rfc:`1035`, a feature, or both.
+
+.. _ttl_directive:
+
+The ``$TTL`` Directive
+^^^^^^^^^^^^^^^^^^^^^^
+
+Syntax: ``$TTL`` default-ttl [comment]
+
+This sets the default Time-To-Live (TTL) for subsequent records with undefined
+TTLs. Valid TTLs are of the range 0-2147483647 seconds.
+
+``$TTL`` is defined in :rfc:`2308`.
+
+.. _generate_directive:
+
+BIND Primary File Extension: the ``$GENERATE`` Directive
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Syntax: ``$GENERATE`` range owner [ttl] [class] type rdata [comment]
+
+``$GENERATE`` is used to create a series of resource records that only
+differ from each other by an iterator.
+
+``range``
+    This can be one of two forms: start-stop or start-stop/step.
+    If the first form is used, then step is set to 1. "start",
+    "stop", and "step" must be positive integers between 0 and
+    (2^31)-1. "start" must not be larger than "stop".
+
+``owner``
+    This describes the owner name of the resource records to be created.
+
+    The ``owner`` string may include one or more ``$`` (dollar sign)
+    symbols, which will be replaced with the iterator value when
+    generating records; see below for details.
+
+``ttl``
+    This specifies the time-to-live of the generated records. If
+    not specified, this is inherited using the normal TTL inheritance
+    rules.
+
+    ``class`` and ``ttl`` can be entered in either order.
+
+``class``
+    This specifies the class of the generated records. This must
+    match the zone class if it is specified.
+
+    ``class`` and ``ttl`` can be entered in either order.
+
+``type``
+    This can be any valid type.
+
+``rdata``
+    This is a string containing the RDATA of the resource record
+    to be created. As with ``owner``, the ``rdata`` string may
+    include one or more ``$`` symbols, which are replaced with the
+    iterator value. ``rdata`` may be quoted if there are spaces in
+    the string; the quotation marks do not appear in the generated
+    record.
+
+    Any single ``$`` (dollar sign) symbols within the ``owner`` or
+    ``rdata`` strings are replaced by the iterator value. To get a ``$``
+    in the output, escape the ``$`` using a backslash ``\\``, e.g.,
+    ``\$``. (For compatibility with earlier versions, ``$$`` is also
+    recognized as indicating a literal ``$`` in the output.)
+
+    The ``$`` may optionally be followed by modifiers which change
+    the offset from the iterator, field width, and base.  Modifiers
+    are introduced by a ``{`` (left brace) immediately following
+    the ``$``, as in  ``${offset[,width[,base]]}``. For example,
+    ``${-20,3,d}`` subtracts 20 from the current value and prints
+    the result as a decimal in a zero-padded field of width 3.
+    Available output forms are decimal (``d``), octal (``o``),
+    hexadecimal (``x`` or ``X`` for uppercase), and nibble (``n``
+    or ``N`` for uppercase). The modfiier cannot contain whitespace
+    or newlines.
+
+    The default modifier is ``${0,0,d}``. If the ``owner`` is not
+    absolute, the current ``$ORIGIN`` is appended to the name.
+
+    In nibble mode, the value is treated as if it were a reversed
+    hexadecimal string, with each hexadecimal digit as a separate
+    label. The width field includes the label separator.
+
+Examples:
+
+``$GENERATE`` can be used to easily generate the sets of records required
+to support sub-/24 reverse delegations described in :rfc:`2317`:
+
+::
+
+   $ORIGIN 0.0.192.IN-ADDR.ARPA.
+   $GENERATE 1-2 @ NS SERVER$.EXAMPLE.
+   $GENERATE 1-127 $ CNAME $.0
+
+is equivalent to
+
+::
+
+   0.0.0.192.IN-ADDR.ARPA. NS SERVER1.EXAMPLE.
+   0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
+   1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
+   2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA.
+   ...
+   127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.
+
+This example creates a set of A and MX records. Note the MX's ``rdata``
+is a quoted string; the quotes are stripped when ``$GENERATE`` is processed:
+
+::
+
+   $ORIGIN EXAMPLE.
+   $GENERATE 1-127 HOST-$ A 1.2.3.$
+   $GENERATE 1-127 HOST-$ MX "0 ."
+
+is equivalent to
+
+::
+
+   HOST-1.EXAMPLE.   A  1.2.3.1
+   HOST-1.EXAMPLE.   MX 0 .
+   HOST-2.EXAMPLE.   A  1.2.3.2
+   HOST-2.EXAMPLE.   MX 0 .
+   HOST-3.EXAMPLE.   A  1.2.3.3
+   HOST-3.EXAMPLE.   MX 0 .
+   ...
+   HOST-127.EXAMPLE. A  1.2.3.127
+   HOST-127.EXAMPLE. MX 0 .
+
+
+This example generates A and AAAA records using modifiers; the AAAA
+``owner`` names are generated using nibble mode:
+
+::
+
+   $ORIGIN EXAMPLE.
+   $GENERATE 0-2 HOST-${0,4,d} A 1.2.3.${1,0,d}
+   $GENERATE 1024-1026 ${0,3,n} AAAA 2001:db8::${0,4,x}
+
+is equivalent to:
+
+::
+
+   HOST-0000.EXAMPLE.   A      1.2.3.1
+   HOST-0001.EXAMPLE.   A      1.2.3.2
+   HOST-0002.EXAMPLE.   A      1.2.3.3
+   0.0.4.EXAMPLE.       AAAA   2001:db8::400
+   1.0.4.EXAMPLE.       AAAA   2001:db8::401
+   2.0.4.EXAMPLE.       AAAA   2001:db8::402
+
+The ``$GENERATE`` directive is a BIND extension and not part of the
+standard zone file format.
+
+.. _zonefile_format:
+
+Additional File Formats
+~~~~~~~~~~~~~~~~~~~~~~~
+
+In addition to the standard text format, BIND 9 supports the ability
+to read or dump to zone files in other formats.
+
+The ``raw`` format is a binary representation of zone data in a manner
+similar to that used in zone transfers. Since it does not require
+parsing text, load time is significantly reduced.
+
+An even faster alternative is the ``map`` format, which is an image of a
+BIND 9 in-memory zone database; it can be loaded directly into memory via
+the ``mmap()`` function and the zone can begin serving queries almost
+immediately.  Because records are not indivdually processed when loading a
+``map`` file, zones using this format cannot be used in ``response-policy``
+statements.
+
+For a primary server, a zone file in ``raw`` or ``map`` format is expected
+to be generated from a text zone file by the ``named-compilezone`` command.
+For a secondary server or a dynamic zone, the zone file is automatically
+generated when ``named`` dumps the zone contents after zone transfer or
+when applying prior updates, if one of these formats is specified by the
+``masterfile-format`` option.
+
+If a zone file in a binary format needs manual modification, it first must
+be converted to ``text`` format by the ``named-compilezone`` command,
+then converted back after editing.  For example:
+
+::
+    named-compilezone -f map -F text -o zonefile.text <origin> zonefile.map
+    [edit zonefile.text]
+    named-compilezone -f text -F map -o zonefile.map <origin> zonefile.text
+
+Note that the ``map`` format is highly architecture-specific. A ``map``
+file *cannot* be used on a system with different pointer size, endianness,
+or data alignment than the system on which it was generated, and should in
+general be used only inside a single system.
+
+The ``map`` format is also dependent on the internal memory representation
+of a zone database, which may change from one release of BIND 9 to another.
+``map`` files are never compatible across major releases, and may not be
+compatible across minor releases; any upgrade to BIND 9 may cause ``map``
+files to be rejected when loading. If a ``map`` file is being used for a
+primary zone, it will need to be regenerated from text before restarting
+the server.  If it used for a secondary zone, this is unnecessary; the
+rejection of the file will trigger a retransfer of the zone from the
+primary. (To avoid a spike in traffic upon restart, it may be desirable in
+some cases to convert ``map`` files to ``text`` format using
+``named-compilezone`` before an upgrade, then back to ``map`` format with
+the new version of ``named-compilezone`` afterward.)
+
+The use of ``map`` format may also be limited by operating system
+mmap(2) limits like ``sysctl vm.max_map_count``.  For Linux, this
+defaults to 65536, which limits the number of mapped zones that can
+be used without increasing ``vm.max_map_count``.
+
+``raw`` format uses network byte order and avoids architecture-
+dependent data alignment so that it is as portable as possible, but it is
+still primarily expected to be used inside the same single system. To
+export a zone file in either ``raw`` or ``map`` format, or make a portable
+backup of such a file, conversion to ``text`` format is recommended.
+
+.. _statistics:
+
+BIND 9 Statistics
+-----------------
+
+BIND 9 maintains lots of statistics information and provides several
+interfaces for users to access those statistics. The available
+statistics include all statistics counters that are meaningful in BIND 9,
+and other information that is considered useful.
+
+The statistics information is categorized into the following sections:
+
+Incoming Requests
+   The number of incoming DNS requests for each OPCODE.
+
+Incoming Queries
+   The number of incoming queries for each RR type.
+
+Outgoing Queries
+   The number of outgoing queries for each RR type sent from the internal
+   resolver, maintained per view.
+
+Name Server Statistics
+   Statistics counters for incoming request processing.
+
+Zone Maintenance Statistics
+   Statistics counters regarding zone maintenance operations, such as zone
+   transfers.
+
+Resolver Statistics
+   Statistics counters for name resolutions performed in the internal resolver,
+   maintained per view.
+
+Cache DB RRsets
+   Statistics counters related to cache contents, maintained per view.
+
+   The "NXDOMAIN" counter is the number of names that have been cached as
+   nonexistent.  Counters named for RR types indicate the number of active
+   RRsets for each type in the cache database.
+
+   If an RR type name is preceded by an exclamation point (!), it represents the
+   number of records in the cache which indicate that the type does not exist
+   for a particular name; this is also known as "NXRRSET". If an RR type name
+   is preceded by a hash mark (#), it represents the number of RRsets for this
+   type that are present in the cache but whose TTLs have expired; these RRsets
+   may only be used if stale answers are enabled.  If an RR type name is
+   preceded by a tilde (~), it represents the number of RRsets for this type
+   that are present in the cache database but are marked for garbage collection;
+   these RRsets cannot be used.
+
+Socket I/O Statistics
+   Statistics counters for network-related events.
+
+A subset of Name Server Statistics is collected and shown per zone for
+which the server has the authority, when ``zone-statistics`` is set to
+``full`` (or ``yes``), for backward compatibility. See the description of
+``zone-statistics`` in :ref:`options` for further details.
+
+These statistics counters are shown with their zone and view names. The
+view name is omitted when the server is not configured with explicit
+views.
+
+There are currently two user interfaces to get access to the statistics.
+One is in plain-text format, dumped to the file specified by the
+``statistics-file`` configuration option; the other is remotely
+accessible via a statistics channel when the ``statistics-channels``
+statement is specified in the configuration file (see :ref:`statschannels`.)
+
+.. _statsfile:
+
+The Statistics File
+~~~~~~~~~~~~~~~~~~~
+
+The text format statistics dump begins with a line, like:
+
+``+++ Statistics Dump +++ (973798949)``
+
+The number in parentheses is a standard Unix-style timestamp, measured
+in seconds since January 1, 1970. Following that line is a set of
+statistics information, which is categorized as described above. Each
+section begins with a line, like:
+
+``++ Name Server Statistics ++``
+
+Each section consists of lines, each containing the statistics counter
+value followed by its textual description; see below for available
+counters. For brevity, counters that have a value of 0 are not shown in
+the statistics file.
+
+The statistics dump ends with the line where the number is identical to
+the number in the beginning line; for example:
+
+``--- Statistics Dump --- (973798949)``
+
+.. _statistics_counters:
+
+Statistics Counters
+~~~~~~~~~~~~~~~~~~~
+
+The following lists summarize the statistics counters that BIND 9 provides.
+For each counter, the abbreviated
+symbol name is given; these symbols are shown in the statistics
+information accessed via an HTTP statistics channel.
+The description of the counter is also shown in the
+statistics file but, in this document, may be slightly
+modified for better readability.
+
+.. _stats_counters:
+
+Name Server Statistics Counters
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+``Requestv4``
+    This indicates the number of IPv4 requests received. Note: this also counts non-query requests.
+
+``Requestv6``
+    This indicates the number of IPv6 requests received. Note: this also counts non-query requests.
+
+``ReqEdns0``
+    This indicates the number of requests received with EDNS(0).
+
+``ReqBadEDN SVer``
+    This indicates the number of requests received with an unsupported EDNS version.
+
+``ReqTSIG``
+    This indicates the number of requests received with TSIG.
+
+``ReqSIG0``
+    This indicates the number of requests received with SIG(0).
+
+``ReqBadSIG``
+    This indicates the number of requests received with an invalid (TSIG or SIG(0)) signature.
+
+``ReqTCP``
+    This indicates the number of TCP requests received.
+
+``AuthQryRej``
+    This indicates the number of rejected authoritative (non-recursive) queries.
+
+``RecQryRej``
+    This indicates the number of rejected recursive queries.
+
+``XfrRej``
+    This indicates the number of rejected zone transfer requests.
+
+``UpdateRej``
+    This indicates the number of rejected dynamic update requests.
+
+``Response``
+    This indicates the number of responses sent.
+
+``RespTruncated``
+    This indicates the number of truncated responses sent.
+
+``RespEDNS0``
+    This indicates the number of responses sent with EDNS(0).
+
+``RespTSIG``
+    This indicates the number of responses sent with TSIG.
+
+``RespSIG0``
+    This indicates the number of responses sent with SIG(0).
+
+``QrySuccess``
+    This indicates the number of queries that resulted in a successful answer, meaning queries which return a NOERROR response with at least one answer RR. This corresponds to the ``success`` counter of previous versions of BIND 9.
+
+``QryAuthAns``
+    This indicates the number of queries that resulted in an authoritative answer.
+
+``QryNoauthAns``
+    This indicates the number of queries that resulted in a non-authoritative answer.
+
+``QryReferral``
+    This indicates the number of queries that resulted in a referral answer. This corresponds to the ``referral`` counter of previous versions of BIND 9.
+
+``QryNxrrset``
+    This indicates the number of queries that resulted in NOERROR responses with no data. This corresponds to the ``nxrrset`` counter of previous versions of BIND 9.
+
+``QrySERVFAIL``
+    This indicates the number of queries that resulted in SERVFAIL.
+
+``QryFORMERR``
+    This indicates the number of queries that resulted in FORMERR.
+
+``QryNXDOMAIN``
+    This indicates the number of queries that resulted in NXDOMAIN. This corresponds to the ``nxdomain`` counter of previous versions of BIND 9.
+
+``QryRecursion``
+    This indicates the number of queries that caused the server to perform recursion in order to find the final answer. This corresponds to the ``recursion`` counter of previous versions of BIND 9.
+
+``QryDuplicate``
+    This indicates the number of queries which the server attempted to recurse but for which it discovered an existing query with the same IP address, port, query ID, name, type, and class already being processed. This corresponds to the ``duplicate`` counter of previous versions of BIND 9.
+
+``QryDropped``
+    This indicates the number of recursive queries for which the server discovered an excessive number of existing recursive queries for the same name, type, and class, and which were subsequently dropped. This is the number of dropped queries due to the reason explained with the ``clients-per-query`` and ``max-clients-per-query`` options (see :ref:`clients-per-query <clients-per-query>`). This corresponds to the ``dropped`` counter of previous versions of BIND 9.
+
+``QryFailure``
+    This indicates the number of query failures. This corresponds to the ``failure`` counter of previous versions of BIND 9. Note: this counter is provided mainly for backward compatibility with previous versions; normally, more fine-grained counters such as ``AuthQryRej`` and ``RecQryRej`` that would also fall into this counter are provided, so this counter is not of much interest in practice.
+
+``QryNXRedir``
+    This indicates the number of queries that resulted in NXDOMAIN that were redirected.
+
+``QryNXRedirRLookup``
+    This indicates the number of queries that resulted in NXDOMAIN that were redirected and resulted in a successful remote lookup.
+
+``XfrReqDone``
+    This indicates the number of requested and completed zone transfers.
+
+``UpdateReqFwd``
+    This indicates the number of forwarded update requests.
+
+``UpdateRespFwd``
+    This indicates the number of forwarded update responses.
+
+``UpdateFwdFail``
+    This indicates the number of forwarded dynamic updates that failed.
+
+``UpdateDone``
+    This indicates the number of completed dynamic updates.
+
+``UpdateFail``
+    This indicates the number of failed dynamic updates.
+
+``UpdateBadPrereq``
+    This indicates the number of dynamic updates rejected due to a prerequisite failure.
+
+``UpdateQuota``
+    This indicates the number of times a dynamic update or update
+    forwarding request was rejected because the number of pending
+    requests exceeded ``update-quota``.
+
+``RateDropped``
+    This indicates the number of responses dropped due to rate limits.
+
+``RateSlipped``
+    This indicates the number of responses truncated by rate limits.
+
+``RPZRewrites``
+    This indicates the number of response policy zone rewrites.
+
+.. _zone_stats:
+
+Zone Maintenance Statistics Counters
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+``NotifyOutv4``
+    This indicates the number of IPv4 notifies sent.
+
+``NotifyOutv6``
+    This indicates the number of IPv6 notifies sent.
+
+``NotifyInv4``
+    This indicates the number of IPv4 notifies received.
+
+``NotifyInv6``
+    This indicates the number of IPv6 notifies received.
+
+``NotifyRej``
+    This indicates the number of incoming notifies rejected.
+
+``SOAOutv4``
+    This indicates the number of IPv4 SOA queries sent.
+
+``SOAOutv6``
+    This indicates the number of IPv6 SOA queries sent.
+
+``AXFRReqv4``
+    This indicates the number of requested IPv4 AXFRs.
+
+``AXFRReqv6``
+    This indicates the number of requested IPv6 AXFRs.
+
+``IXFRReqv4``
+    This indicates the number of requested IPv4 IXFRs.
+
+``IXFRReqv6``
+    This indicates the number of requested IPv6 IXFRs.
+
+``XfrSuccess``
+    This indicates the number of successful zone transfer requests.
+
+``XfrFail``
+    This indicates the number of failed zone transfer requests.
+
+.. _resolver_stats:
+
+Resolver Statistics Counters
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+``Queryv4``
+    This indicates the number of IPv4 queries sent.
+
+``Queryv6``
+    This indicates the number of IPv6 queries sent.
+
+``Responsev4``
+    This indicates the number of IPv4 responses received.
+
+``Responsev6``
+    This indicates the number of IPv6 responses received.
+
+``NXDOMAIN``
+    This indicates the number of NXDOMAINs received.
+
+``SERVFAIL``
+    This indicates the number of SERVFAILs received.
+
+``FORMERR``
+    This indicates the number of FORMERRs received.
+
+``OtherError``
+    This indicates the number of other errors received.
+
+``EDNS0Fail``
+    This indicates the number of EDNS(0) query failures.
+
+``Mismatch``
+    This indicates the number of mismatched responses received, meaning the DNS ID, response's source address, and/or the response's source port does not match what was expected. (The port must be 53 or as defined by the ``port`` option.) This may be an indication of a cache poisoning attempt.
+
+``Truncated``
+    This indicates the number of truncated responses received.
+
+``Lame``
+    This indicates the number of lame delegations received.
+
+``Retry``
+    This indicates the number of query retries performed.
+
+``QueryAbort``
+    This indicates the number of queries aborted due to quota control.
+
+``QuerySockFail``
+    This indicates the number of failures in opening query sockets. One common reason for such failures is due to a limitation on file descriptors.
+
+``QueryTimeout``
+    This indicates the number of query timeouts.
+
+``GlueFetchv4``
+    This indicates the number of IPv4 NS address fetches invoked.
+
+``GlueFetchv6``
+    This indicates the number of IPv6 NS address fetches invoked.
+
+``GlueFetchv4Fail``
+    This indicates the number of failed IPv4 NS address fetches.
+
+``GlueFetchv6Fail``
+    This indicates the number of failed IPv6 NS address fetches.
+
+``ValAttempt``
+    This indicates the number of attempted DNSSEC validations.
+
+``ValOk``
+    This indicates the number of successful DNSSEC validations.
+
+``ValNegOk``
+    This indicates the number of successful DNSSEC validations on negative information.
+
+``ValFail``
+    This indicates the number of failed DNSSEC validations.
+
+``QryRTTnn``
+    This provides a frequency table on query round-trip times (RTTs). Each ``nn`` specifies the corresponding frequency. In the sequence of ``nn_1``, ``nn_2``, ..., ``nn_m``, the value of ``nn_i`` is the number of queries whose RTTs are between ``nn_(i-1)`` (inclusive) and ``nn_i`` (exclusive) milliseconds. For the sake of convenience, we define ``nn_0`` to be 0. The last entry should be represented as ``nn_m+``, which means the number of queries whose RTTs are equal to or greater than ``nn_m`` milliseconds.
+
+.. _socket_stats:
+
+Socket I/O Statistics Counters
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Socket I/O statistics counters are defined per socket type, which are
+``UDP4`` (UDP/IPv4), ``UDP6`` (UDP/IPv6), ``TCP4`` (TCP/IPv4), ``TCP6``
+(TCP/IPv6), ``Unix`` (Unix Domain), and ``FDwatch`` (sockets opened
+outside the socket module). In the following list, ``<TYPE>`` represents
+a socket type. Not all counters are available for all socket types;
+exceptions are noted in the descriptions.
+
+``<TYPE>Open``
+    This indicates the number of sockets opened successfully. This counter does not apply to the ``FDwatch`` type.
+
+``<TYPE>OpenFail``
+    This indicates the number of failures to open sockets. This counter does not apply to the ``FDwatch`` type.
+
+``<TYPE>Close``
+    This indicates the number of closed sockets.
+
+``<TYPE>BindFail``
+    This indicates the number of failures to bind sockets.
+
+``<TYPE>ConnFail``
+    This indicates the number of failures to connect sockets.
+
+``<TYPE>Conn``
+    This indicates the number of connections established successfully.
+
+``<TYPE>AcceptFail``
+    This indicates the number of failures to accept incoming connection requests. This counter does not apply to the ``UDP`` and ``FDwatch`` types.
+
+``<TYPE>Accept``
+    This indicates the number of incoming connections successfully accepted. This counter does not apply to the ``UDP`` and ``FDwatch`` types.
+
+``<TYPE>SendErr``
+    This indicates the number of errors in socket send operations.
+
+``<TYPE>RecvErr``
+    This indicates the number of errors in socket receive operations, including errors of send operations on a connected UDP socket, notified by an ICMP error message.
diff --git a/doc/arm/requirements.rst b/doc/arm/requirements.rst
new file mode 100644
index 0000000..09f0f42
--- /dev/null
+++ b/doc/arm/requirements.rst
@@ -0,0 +1,74 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. _Requirements:
+
+BIND Resource Requirements
+==========================
+
+.. _hw_req:
+
+Hardware Requirements
+---------------------
+
+DNS hardware requirements have traditionally been quite modest. For many
+installations, servers that have been retired from active duty
+have performed admirably as DNS servers.
+
+However, the DNSSEC features of BIND 9 may be quite CPU-intensive,
+so organizations that make heavy use of these features may wish
+to consider larger systems for these applications. BIND 9 is fully
+multithreaded, allowing full utilization of multiprocessor systems for
+installations that need it.
+
+.. _cpu_req:
+
+CPU Requirements
+----------------
+
+CPU requirements for BIND 9 range from i386-class machines, for serving
+static zones without caching, to enterprise-class machines
+to process many dynamic updates and DNSSEC-signed zones, serving
+many thousands of queries per second.
+
+.. _mem_req:
+
+Memory Requirements
+-------------------
+
+Server memory must be sufficient to hold both the cache and the
+zones loaded from disk. The ``max-cache-size`` option can
+limit the amount of memory used by the cache, at the expense of reducing
+cache hit rates and causing more DNS traffic. It is still good practice
+to have enough memory to load all zone and cache data into memory;
+unfortunately, the best way to determine this for a given installation
+is to watch the name server in operation. After a few weeks, the server
+process should reach a relatively stable size where entries are expiring
+from the cache as fast as they are being inserted.
+
+.. _intensive_env:
+
+Name Server-Intensive Environment Issues
+----------------------------------------
+
+For name server-intensive environments, there are two
+configurations that may be used. The first is one where clients and any
+second-level internal name servers query the main name server, which has
+enough memory to build a large cache; this approach minimizes the
+bandwidth used by external name lookups. The second alternative is to
+set up second-level internal name servers to make queries independently.
+In this configuration, none of the individual machines need to have as
+much memory or CPU power as in the first alternative, but this has the
+disadvantage of making many more external queries, as none of the name
+servers share their cached data.
+
+.. include:: platforms.rst
+.. include:: build.rst
diff --git a/doc/arm/requirements.txt b/doc/arm/requirements.txt
new file mode 100644
index 0000000..4dd6796
--- /dev/null
+++ b/doc/arm/requirements.txt
@@ -0,0 +1,5 @@
+# Make Read the Docs use the exact same package versions as in
+# registry.gitlab.isc.org/isc-projects/images/bind9:debian-bookworm-amd64
+Sphinx==6.2.1
+docutils==0.18.1
+sphinx_rtd_theme==1.2.2
diff --git a/doc/arm/security.rst b/doc/arm/security.rst
new file mode 100644
index 0000000..c17643b
--- /dev/null
+++ b/doc/arm/security.rst
@@ -0,0 +1,228 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. Security:
+
+BIND 9 Security Considerations
+==============================
+
+.. _Access_Control_Lists:
+
+Access Control Lists
+--------------------
+
+Access Control Lists (ACLs) are address match lists that can be set up
+and nicknamed for future use in ``allow-notify``, ``allow-query``,
+``allow-query-on``, ``allow-recursion``, ``blackhole``,
+``allow-transfer``, ``match-clients``, etc.
+
+ACLs give users finer control over who can access the
+name server, without cluttering up configuration files with huge lists of
+IP addresses.
+
+It is a *good idea* to use ACLs, and to control access.
+Limiting access to the server by outside parties can help prevent
+spoofing and denial of service (DoS) attacks against the server.
+
+ACLs match clients on the basis of up to three characteristics: 1) The
+client's IP address; 2) the TSIG or SIG(0) key that was used to sign the
+request, if any; and 3) an address prefix encoded in an EDNS
+Client-Subnet option, if any.
+
+Here is an example of ACLs based on client addresses:
+
+::
+
+   // Set up an ACL named "bogusnets" that blocks
+   // RFC1918 space and some reserved space, which is
+   // commonly used in spoofing attacks.
+   acl bogusnets {
+       0.0.0.0/8;  192.0.2.0/24; 224.0.0.0/3;
+       10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
+   };
+
+   // Set up an ACL called our-nets. Replace this with the
+   // real IP numbers.
+   acl our-nets { x.x.x.x/24; x.x.x.x/21; };
+   options {
+     ...
+     ...
+     allow-query { our-nets; };
+     allow-recursion { our-nets; };
+     ...
+     blackhole { bogusnets; };
+     ...
+   };
+
+   zone "example.com" {
+     type primary;
+     file "m/example.com";
+     allow-query { any; };
+   };
+
+This allows authoritative queries for ``example.com`` from any address,
+but recursive queries only from the networks specified in ``our-nets``,
+and no queries at all from the networks specified in ``bogusnets``.
+
+In addition to network addresses and prefixes, which are matched against
+the source address of the DNS request, ACLs may include ``key``
+elements, which specify the name of a TSIG or SIG(0) key.
+
+When BIND 9 is built with GeoIP support, ACLs can also be used for
+geographic access restrictions. This is done by specifying an ACL
+element of the form: ``geoip db database field value``.
+
+The ``field`` parameter indicates which field to search for a match. Available fields
+are ``country``, ``region``, ``city``, ``continent``, ``postal`` (postal code),
+``metro`` (metro code), ``area`` (area code), ``tz`` (timezone), ``isp``,
+``asnum``, and ``domain``.
+
+``value`` is the value to search for within the database. A string may be quoted
+if it contains spaces or other special characters. An ``asnum`` search for
+autonomous system number can be specified using the string "ASNNNN" or the
+integer NNNN. If a ``country`` search is specified with a string that is two characters
+long, it must be a standard ISO-3166-1 two-letter country code; otherwise,
+it is interpreted as the full name of the country.  Similarly, if
+``region`` is the search term and the string is two characters long, it is treated as a
+standard two-letter state or province abbreviation; otherwise, it is treated as the
+full name of the state or province.
+
+The ``database`` field indicates which GeoIP database to search for a match. In
+most cases this is unnecessary, because most search fields can only be found in
+a single database.  However, searches for ``continent`` or ``country`` can be
+answered from either the ``city`` or ``country`` databases, so for these search
+types, specifying a ``database`` forces the query to be answered from that
+database and no other. If a ``database`` is not specified, these queries
+are first answered from the ``city`` database if it is installed, and then from the ``country``
+database if it is installed. Valid database names are ``country``,
+``city``, ``asnum``, ``isp``, and ``domain``.
+
+Some example GeoIP ACLs:
+
+::
+
+   geoip country US;
+   geoip country JP;
+   geoip db country country Canada;
+   geoip region WA;
+   geoip city "San Francisco";
+   geoip region Oklahoma;
+   geoip postal 95062;
+   geoip tz "America/Los_Angeles";
+   geoip org "Internet Systems Consortium";
+
+ACLs use a "first-match" logic rather than "best-match"; if an address
+prefix matches an ACL element, then that ACL is considered to have
+matched even if a later element would have matched more specifically.
+For example, the ACL ``{ 10/8; !10.0.0.1; }`` would actually match a
+query from 10.0.0.1, because the first element indicates that the query
+should be accepted, and the second element is ignored.
+
+When using "nested" ACLs (that is, ACLs included or referenced within
+other ACLs), a negative match of a nested ACL tells the containing ACL to
+continue looking for matches. This enables complex ACLs to be
+constructed, in which multiple client characteristics can be checked at
+the same time. For example, to construct an ACL which allows a query
+only when it originates from a particular network *and* only when it is
+signed with a particular key, use:
+
+::
+
+   allow-query { !{ !10/8; any; }; key example; };
+
+Within the nested ACL, any address that is *not* in the 10/8 network
+prefix is rejected, which terminates the processing of the ACL.
+Any address that *is* in the 10/8 network prefix is accepted, but
+this causes a negative match of the nested ACL, so the containing ACL
+continues processing. The query is accepted if it is signed by
+the key ``example``, and rejected otherwise. The ACL, then, only
+matches when *both* conditions are true.
+
+.. _chroot_and_setuid:
+
+``Chroot`` and ``Setuid``
+-------------------------
+
+On Unix servers, it is possible to run BIND in a *chrooted* environment
+(using the ``chroot()`` function) by specifying the ``-t`` option for
+``named``. This can help improve system security by placing BIND in a
+"sandbox," which limits the damage done if a server is compromised.
+
+Another useful feature in the Unix version of BIND is the ability to run
+the daemon as an unprivileged user (``-u`` user). We suggest running
+as an unprivileged user when using the ``chroot`` feature.
+
+Here is an example command line to load BIND in a ``chroot`` sandbox,
+``/var/named``, and to run ``named`` ``setuid`` to user 202:
+
+``/usr/local/sbin/named -u 202 -t /var/named``
+
+.. _chroot:
+
+The ``chroot`` Environment
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+For a ``chroot`` environment to work properly in a particular
+directory (for example, ``/var/named``), the
+environment must include everything BIND needs to run. From BIND's
+point of view, ``/var/named`` is the root of the filesystem;
+the values of options like ``directory`` and ``pid-file``
+must be adjusted to account for this.
+
+Unlike with earlier versions of BIND, 
+``named`` does *not* typically need to be compiled statically, nor do shared libraries need to be installed under the new
+root. However, depending on the operating system, it may be necessary to set
+up locations such as ``/dev/zero``, ``/dev/random``, ``/dev/log``, and
+``/etc/localtime``.
+
+.. _setuid:
+
+Using the ``setuid`` Function
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Prior to running the ``named`` daemon, use the ``touch`` utility (to
+change file access and modification times) or the ``chown`` utility (to
+set the user id and/or group id) on files where BIND should
+write.
+
+.. note::
+
+   If the ``named`` daemon is running as an unprivileged user, it
+   cannot bind to new restricted ports if the server is
+   reloaded.
+
+.. _dynamic_update_security:
+
+Dynamic Update Security
+-----------------------
+
+Access to the dynamic update facility should be strictly limited. In
+earlier versions of BIND, the only way to do this was based on the IP
+address of the host requesting the update, by listing an IP address or
+network prefix in the ``allow-update`` zone option. This method is
+insecure, since the source address of the update UDP packet is easily
+forged. Also note that if the IP addresses allowed by the
+``allow-update`` option include the address of a secondary server which
+performs forwarding of dynamic updates, the primary can be trivially
+attacked by sending the update to the secondary, which forwards it to
+the primary with its own source IP address - causing the primary to approve
+it without question.
+
+For these reasons, we strongly recommend that updates be
+cryptographically authenticated by means of transaction signatures
+(TSIG). That is, the ``allow-update`` option should list only TSIG key
+names, not IP addresses or network prefixes. Alternatively, the
+``update-policy`` option can be used.
+
+Some sites choose to keep all dynamically updated DNS data in a
+subdomain and delegate that subdomain to a separate zone. This way, the
+top-level zone containing critical data, such as the IP addresses of
+public web and mail servers, need not allow dynamic updates at all.
diff --git a/doc/arm/troubleshooting.rst b/doc/arm/troubleshooting.rst
new file mode 100644
index 0000000..4ff3abb
--- /dev/null
+++ b/doc/arm/troubleshooting.rst
@@ -0,0 +1,107 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. Troubleshooting:
+
+Troubleshooting
+===============
+
+.. _common_problems:
+
+Common Problems
+---------------
+
+It's Not Working; How Can I Figure Out What's Wrong?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The best solution to installation and configuration issues is to
+take preventive measures by setting up logging files beforehand. The
+log files provide hints and information that can be used to
+identify anything that went wrong and fix the problem.
+
+EDNS Compliance Issues
+~~~~~~~~~~~~~~~~~~~~~~
+
+EDNS (Extended DNS) is a standard that was first specified in 1999. It
+is required for DNSSEC validation, DNS COOKIE options, and other
+features. There are broken and outdated DNS servers and firewalls still
+in use which misbehave when queried with EDNS; for example, they may
+drop EDNS queries rather than replying with FORMERR. BIND and other
+recursive name servers have traditionally employed workarounds in this
+situation, retrying queries in different ways and eventually falling
+back to plain DNS queries without EDNS.
+
+Such workarounds cause unnecessary resolution delays, increase code
+complexity, and prevent deployment of new DNS features. In February
+2019, all major DNS software vendors removed these
+workarounds; see https://dnsflagday.net/2019 for further details. This change
+was implemented in BIND as of release 9.14.0.
+
+As a result, some domains may be non-resolvable without manual
+intervention. In these cases, resolution can be restored by adding
+``server`` clauses for the offending servers, or by specifying ``edns no`` or
+``send-cookie no``, depending on the specific noncompliance.
+
+To determine which ``server`` clause to use, run the following commands
+to send queries to the authoritative servers for the broken domain:
+
+::
+
+           dig soa <zone> @<server> +dnssec
+           dig soa <zone> @<server> +dnssec +nocookie
+           dig soa <zone> @<server> +noedns
+
+
+If the first command fails but the second succeeds, the server most
+likely needs ``send-cookie no``. If the first two fail but the third
+succeeds, then the server needs EDNS to be fully disabled with
+``edns no``.
+
+Please contact the administrators of noncompliant domains and encourage
+them to upgrade their broken DNS servers.
+
+Incrementing and Changing the Serial Number
+-------------------------------------------
+
+Zone serial numbers are just numbers — they are not date-related. However, many
+people set them to a number that represents a date, usually of the
+form YYYYMMDDRR. Occasionally they make a mistake and set the serial number to a
+date in the future, then try to correct it by setting it to the
+current date. This causes problems because serial numbers are used to
+indicate that a zone has been updated. If the serial number on the secondary
+server is lower than the serial number on the primary, the secondary server
+attempts to update its copy of the zone.
+
+Setting the serial number to a lower number on the primary server than the one
+on the secondary server means that the secondary will not perform updates to its
+copy of the zone.
+
+The solution to this is to add 2147483647 (2^31-1) to the number, reload
+the zone and make sure all secondaries have updated to the new zone serial
+number, then reset it to the desired number and reload the
+zone again.
+
+.. _more_help:
+
+Where Can I Get Help?
+---------------------
+The BIND-users mailing list, at https://lists.isc.org/mailman/listinfo/bind-users, is an excellent resource for
+peer user support. In addition, ISC maintains a Knowledgebase of helpful articles
+at https://kb.isc.org.
+
+Internet Systems Consortium (ISC) offers annual support agreements
+for BIND 9, ISC DHCP, and Kea DHCP. 
+All paid support contracts include advance security notifications; some levels include
+service level agreements (SLAs), premium software features, and increased priority on bug fixes
+and feature requests.
+
+Please contact info@isc.org or visit
+https://www.isc.org/contact/ for more information.
diff --git a/doc/dnssec-guide/advanced-discussions.rst b/doc/dnssec-guide/advanced-discussions.rst
new file mode 100644
index 0000000..692b189
--- /dev/null
+++ b/doc/dnssec-guide/advanced-discussions.rst
@@ -0,0 +1,1089 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. _dnssec_advanced_discussions:
+
+Advanced Discussions
+--------------------
+
+.. _signature_validity_periods:
+
+Signature Validity Periods and Zone Re-Signing Intervals
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+In :ref:`how_are_answers_verified`, we saw that record signatures
+have a validity period outside of which they are not valid. This means
+that at some point, a signature will no longer be valid and a query for
+the associated record will fail DNSSEC validation. But how long should a
+signature be valid for?
+
+The maximum value for the validity period should be determined by the impact of a
+replay attack: if this is low, the period can be long; if high,
+the period should be shorter. There is no "right" value, but periods of
+between a few days to a month are common.
+
+Deciding a minimum value is probably an easier task. Should something
+fail (e.g., a hidden primary distributing to secondary servers that
+actually answer queries), how long will it take before the failure is
+noticed, and how long before it is fixed? If you are a large 24x7
+operation with operators always on-site, the answer might be less than
+an hour. In smaller companies, if the failure occurs
+just after everyone has gone home for a long weekend, the answer might
+be several days.
+
+Again, there are no "right" values - they depend on your circumstances. The
+signature validity period you decide to use should be a value between
+the two bounds. At the time of this writing (mid-2020), the default policy used by BIND
+sets a value of 14 days.
+
+To keep the zone valid, the signatures must be periodically refreshed
+since they expire - i.e., the zone must be periodically
+re-signed. The frequency of the re-signing depends on your network's
+individual needs. For example, signing puts a load on your server, so if
+the server is very highly loaded, a lower re-signing frequency is better. Another
+consideration is the signature lifetime: obviously the intervals between
+signings must not be longer than the signature validity period. But if
+you have set a signature lifetime close to the minimum (see above), the
+signing interval must be much shorter. What would happen if the system
+failed just before the zone was re-signed?
+
+Again, there is no single "right" answer; it depends on your circumstances. The
+BIND 9 default policy sets the signature refresh interval to 5 days.
+
+.. _advanced_discussions_proof_of_nonexistence:
+
+Proof of Non-Existence (NSEC and NSEC3)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+How do you prove that something does not exist? This zen-like question
+is an interesting one, and in this section we provide an overview
+of how DNSSEC solves the problem.
+
+Why is it even important to have authenticated denial of existence in DNS?
+Couldn't we just send back "hey, what you asked for does not exist,"
+and somehow generate a digital signature to go with it, proving it
+really is from the correct authoritative source? Aside from the technical
+challenge of signing something that doesn't exist, this solution has flaws, one of
+which is it gives an attacker a way to create the appearance of denial
+of service by replaying this message on the network.
+
+Let's use a little story, told three different ways, to
+illustrate how proof of nonexistence works. In our story, we run a small
+company with three employees: Alice, Edward, and Susan. For reasons that
+are far too complicated to go into, they don't have email accounts;
+instead, email for them is sent to a single account and a nameless
+intern passes the message to them. The intern has access to our private
+DNSSEC key to create signatures for their responses.
+
+If we followed the approach of giving back the same answer no matter
+what was asked, when people emailed and asked for the message to be
+passed to "Bob," our intern would simply answer "Sorry, that person
+doesn’t work here" and sign this message. This answer could be validated
+because our intern signed the response with our private DNSSEC key.
+However, since the signature doesn’t change, an attacker could record
+this message. If the attacker were able to intercept our email, when the next
+person emailed asking for the message to be passed to Susan, the attacker
+could return the exact same message: "Sorry, that person doesn’t work
+here," with the same signature. Now the attacker has successfully fooled
+the sender into thinking that Susan doesn’t work at our company, and
+might even be able to convince all senders that no one works at this
+company.
+
+To solve this problem, two different solutions were created. We will
+look at the first one, NSEC, next.
+
+.. _advanced_discussions_nsec:
+.. _NSEC:
+
+NSEC
+^^^^
+
+The NSEC record is used to prove that something does not exist, by
+providing the name before it and the name after it. Using our tiny
+company example, this would be analogous to someone sending an email for
+Bob and our nameless intern responding with with: "I'm sorry, that
+person doesn't work here. The name before the location where 'Bob'
+would be is Alice, and the name after that is Edward." Let's say
+another email was received for a
+non-existent person, this time Oliver; our intern would respond "I'm
+sorry, that person doesn't work here. The name before the location
+where 'Oliver' would be is Edward,
+and the name after that is Susan." If another sender asked for Todd, the
+answer would be: "I'm sorry, that person doesn't work here. The name
+before the location where 'Todd' would be is Susan, and there are no
+other names after that."
+
+So we end up with four NSEC records:
+
+::
+
+   example.com.        300 IN  NSEC    alice.example.com.  A RRSIG NSEC
+   alice.example.com.  300 IN  NSEC    edward.example.com. A RRSIG NSEC
+   edward.example.com. 300 IN  NSEC    susan.example.com.  A RRSIG NSEC
+   susan.example.com.  300 IN  NSEC    example.com.        A RRSIG NSEC
+
+What if the attacker tried to use the same replay method described
+earlier? If someone sent an email for Edward, none of the four answers
+would fit. If attacker replied with message #2, "I'm sorry, that person
+doesn't work here. The name before it is Alice, and the name after it is
+Edward," it is obviously false, since "Edward" is in the response; and the same
+goes for #3, Edward and Susan. As for #1 and #4, Edward does not fall in
+the alphabetical range before Alice or after Susan, so the sender can logically deduce
+that it was an incorrect answer.
+
+When BIND signs your zone, the zone data is automatically sorted on
+the fly before generating NSEC records, much like how a phone directory
+is sorted.
+
+The NSEC record allows for a proof of non-existence for record types. If
+you ask a signed zone for a name that exists but for a record type that
+doesn't (for that name), the signed NSEC record returned lists all of
+the record types that *do* exist for the requested domain name.
+
+NSEC records can also be used to show whether a record was generated as
+the result of a wildcard expansion. The details of this are not
+within the scope of this document, but are described well in
+:rfc:`7129`.
+
+Unfortunately, the NSEC solution has a few drawbacks, one of which is
+trivial "zone walking." In our story, a curious person can keep sending emails, and
+our nameless, gullible intern keeps divulging information about our
+employees. Imagine if the sender first asked: "Is Bob there?" and
+received back the names Alice and Edward. Our sender could then email
+again: "Is Edwarda there?", and will get back Edward and Susan. (No,
+"Edwarda" is not a real name. However, it is the first name
+alphabetically after "Edward" and that is enough to get the intern to reply
+with a message telling us the next valid name after Edward.) Repeat the
+process enough times and the person sending the emails eventually
+learns every name in our company phone directory. For many of you, this
+may not be a problem, since the very idea of DNS is similar to a public
+phone book: if you don't want a name to be known publicly, don't put it
+in DNS! Consider using DNS views (split DNS) and only display your
+sensitive names to a select audience.
+
+The second potential drawback of NSEC is a bigger zone file and memory consumption;
+there is no opt-out mechanism for insecure child zones, so each name
+in the zone will get an additional NSEC record and a RRSIG record to go with
+it. In practice this is a problem only for parent-zone operators dealing with
+mostly insecure child zones, such as ``com.``. To learn more about opt-out,
+please see :ref:`advanced_discussions_nsec3_optout`.
+
+.. _advanced_discussions_nsec3:
+.. _nsec3:
+
+NSEC3
+^^^^^
+
+NSEC3 adds two additional features that NSEC does not have:
+
+1. It offers no easy zone enumeration.
+
+2. It provides a mechanism for the parent zone to exclude insecure
+   delegations (i.e., delegations to zones that are not signed) from the
+   proof of non-existence.
+
+Recall that in :ref:`advanced_discussions_nsec` we provided a range of
+names to prove that something does not exist. But as it turns
+out, even disclosing these ranges of names becomes a problem: this made
+it very easy for the curious-minded to look at our entire zone. Not
+only that, unlike a zone transfer, this "zone walking" is more
+resource-intensive. So how do we disclose something without actually disclosing
+it?
+
+The answer is actually quite simple: hashing functions, or one-way
+hashes. Without going into many details, think of it like a magical meat
+grinder. A juicy piece of ribeye steak goes in one end, and out comes a
+predictable shape and size of ground meat (hash) with a somewhat unique
+pattern. No matter how hard you try, you cannot turn the ground meat
+back into the ribeye steak: that's what we call a one-way hash.
+
+NSEC3 basically runs the names through a one-way hash before giving them
+out, so the recipients can verify the non-existence without any
+knowledge of the other names in the zone.
+
+So let's tell our little story for the third time, this
+time with NSEC3. In this version, our intern is not given a list of actual
+names; he is given a list of "hashed" names. So instead of Alice,
+Edward, and Susan, the list he is given reads like this (hashes
+shortened for easier reading):
+
+::
+
+   FSK5.... (produced from Edward)
+   JKMA.... (produced from Susan)
+   NTQ0.... (produced from Alice)
+
+Then, an email is received for Bob again. Our intern takes the name Bob
+through a hash function, and the result is L8J2..., so he replies: "I'm
+sorry, that person doesn't work here. The name before that is JKMA...,
+and the name after that is NTQ0...". There, we proved Bob doesn't exist,
+without giving away any names! To put that into proper NSEC3 resource
+records, they would look like this (again, hashes shortened for
+ease of display):
+
+::
+
+   FSK5....example.com. 300 IN NSEC3 1 0 0 -  JKMA... A RRSIG
+   JKMA....example.com. 300 IN NSEC3 1 0 0 -  NTQ0... A RRSIG
+   NTQ0....example.com. 300 IN NSEC3 1 0 0 -  FSK5... A RRSIG
+
+.. note::
+
+   Just because we employed one-way hash functions does not mean there is
+   no way for a determined individual to figure out our zone data.
+
+Most names published in the DNS are rarely secret or unpredictable. They are
+published to be memorable, used and consumed by humans. They are often recorded
+in many other network logs such as email logs, certificate transparency logs,
+web page links, intrusion detection systems, malware scanners, email archives,
+etc. Many times a simple dictionary of commonly used domain-name prefixes
+(www, mail, imap, login, database, etc.) can be used to quickly reveal a large
+number of labels within a zone. Additionally, if an adversary really wants to
+expend significant CPU resources to mount an offline dictionary attack on a
+zone's NSEC3 chain, they will likely be able to find most of the "guessable"
+names despite any level of hashing.
+
+Also, it is still possible to gather all of our NSEC3 records and hashed
+names and perform an offline brute-force attack by trying all
+possible combinations to figure out what the original name is. In our
+meat-grinder analogy, this would be like someone
+buying all available cuts of meat and grinding them up at home using
+the same model of meat grinder, and comparing the output with the meat
+you gave him. It is expensive and time-consuming (especially with
+real meat), but like everything else in cryptography, if someone has
+enough resources and time, nothing is truly private forever. If you
+are concerned about someone performing this type of attack on your
+zone data, use some of the special techniques described in :rfc:`4470`.
+
+.. _advanced_discussions_nsec3param:
+
+NSEC3PARAM
+++++++++++
+
+.. warning::
+   Before we dive into the details of NSEC3 parametrization, please note:
+   the defaults should not be changed without a strong justification and a full
+   understanding of the potential impact.
+
+The above NSEC3 examples used four parameters: 1, 0, 0, and
+zero-length salt. 1 represents the algorithm, 0 represents the opt-out
+flag, 0 represents the number of additional iterations, and - is the
+salt. Let's look at how each one can be configured:
+
+.. glossary::
+
+   Algorithm
+   NSEC3 Hashing Algorithm
+      The only currently defined value is 1 for SHA-1, so there
+      is no configuration field for it.
+
+   Opt-out
+      Setting this bit to 1 enables NSEC3 opt-out, which is
+      discussed in :ref:`advanced_discussions_nsec3_optout`.
+
+   Iterations
+      Iterations defines the number of _additional_ times to
+      apply the algorithm when generating an NSEC3 hash. More iterations
+      consume more resources for both authoritative servers and validating
+      resolvers. The considerations here are similar to those seen in
+      :ref:`key_sizes`, of security versus resources.
+
+      .. warning::
+         Do not use values higher than zero. A value of zero provides one round
+         of SHA-1 hashing and protects from non-determined attackers.
+
+         A greater number of additional iterations causes interoperability problems
+         and opens servers to CPU-exhausting DoS attacks, while providing
+         only doubtful security benefits.
+
+   Salt
+      A salt value, which can be combined with an FQDN to influence the
+      resulting hash. Salt is discussed in more detail in
+      :ref:`advanced_discussions_nsec3_salt`.
+
+.. _advanced_discussions_nsec3_optout:
+
+NSEC3 Opt-Out
++++++++++++++
+
+First things first: For most DNS administrators who do not manage a huge number
+of insecure delegations, the NSEC3 opt-out featuere is not relevant.
+
+Opt-out allows for blocks of unsigned delegations to be covered by a single NSEC3
+record. In other words, use of the opt-out allows large registries to only sign as
+many NSEC3 records as there are signed DS or other RRsets in the zone; with
+opt-out, unsigned delegations do not require additional NSEC3 records. This
+sacrifices the tamper-resistance proof of non-existence offered by NSEC3 in
+order to reduce memory and CPU overheads, and decreases the effectiveness of the cache
+(:rfc:`8198`).
+
+Why would that ever be desirable? If a significant number of delegations
+are not yet securely delegated, meaning they lack DS records and are still
+insecure or unsigned, generating DNSSEC records for all their NS records
+might consume lots of memory and is not strictly required by the child zones.
+
+This resource-saving typically makes a difference only for *huge* zones like ``com.``.
+Imagine that you are the operator of busy top-level domains such as ``com.``,
+with millions of insecure delegated domain names.
+As of mid-2022, around 3% of all ``com.`` zones are signed. Basically,
+without opt-out, with 1,000,000 delegations, only 30,000 of which are secure, you
+still have to generate NSEC RRsets for the other 970,000 delegations; with
+NSEC3 opt-out, you will have saved yourself 970,000 sets of records.
+
+In contrast, for a small zone the difference is operationally negligible
+and the drawbacks outweigh the benefits.
+
+If NSEC3 opt-out is truly essential for a zone, the following
+configuration can be added to ``dnssec-policy``; for example, to create an
+NSEC3 chain using the SHA-1 hash algorithm, with the opt-out flag,
+no additional iterations, and no extra salt, use:
+
+.. code-block:: none
+
+   dnssec-policy "nsec3" {
+       ...
+       nsec3param iterations 0 optout yes salt-length 0;
+   };
+
+
+
+To learn more about how to configure NSEC3 opt-out, please see
+:ref:`recipes_nsec3_optout`.
+
+.. _advanced_discussions_nsec3_salt:
+
+NSEC3 Salt
+++++++++++
+
+.. warning::
+   Contrary to popular belief, adding salt provides little value.
+   Each DNS zone is always uniquely salted using the zone name. **Operators should
+   use a zero-length salt value.**
+
+The properties of this extra salt are complicated and beyond scope of this
+document. For detailed description why the salt in the context of DNSSEC
+provides little value please see `IETF draft ietf-dnsop-nsec3-guidance version
+10 section 2.4
+<https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-nsec3-guidance-10#section-2.4>`__.
+
+.. _advanced_discussions_nsec_or_nsec3:
+
+NSEC or NSEC3?
+^^^^^^^^^^^^^^
+
+So which is better: NSEC or NSEC3? There is no single right
+answer here that fits everyone; it comes down to a given network's needs or
+requirements.
+
+In most cases, NSEC is a good choice for zone administrators. It
+relieves the authoritative servers and resolver of the additional cryptographic
+operations that NSEC3 requires, and NSEC is comparatively easier to
+troubleshoot than NSEC3.
+
+NSEC3 comes with many drawbacks and should be implemented only if zone
+enumeration prevention is really needed, or when opt-out provides a
+significant reduction in memory and CPU overheads (in other words, with a
+huge zone with mostly insecure delegations).
+
+.. _advanced_discussions_key_generation:
+
+DNSSEC Keys
+~~~~~~~~~~~
+
+Types of Keys
+^^^^^^^^^^^^^
+
+Although DNSSEC
+documentation talks about three types of keys, they are all the same
+thing - but they have different roles. The roles are:
+
+Zone-Signing Key (ZSK)
+   This is the key used to sign the zone. It signs all records in the
+   zone apart from the DNSSEC key-related RRsets: DNSKEY, CDS, and
+   CDNSKEY.
+
+Key-Signing Key (KSK)
+   This is the key used to sign the DNSSEC key-related RRsets and is the
+   key used to link the parent and child zones. The parent zone stores a
+   digest of the KSK. When a resolver verifies the chain of trust it
+   checks to see that the DS record in the parent (which holds the
+   digest of a key) matches a key in the DNSKEY RRset, and that it is
+   able to use that key to verify the DNSKEY RRset. If it can do
+   that, the resolver knows that it can trust the DNSKEY resource
+   records, and so can use one of them to validate the other records in
+   the zone.
+
+Combined Signing Key (CSK)
+   A CSK combines the functionality of a ZSK and a KSK. Instead of
+   having one key for signing the zone and one for linking the parent
+   and child zones, a CSK is a single key that serves both roles.
+
+It is important to realize the terms ZSK, KSK, and CSK describe how the
+keys are used - all these keys are represented by DNSKEY records. The
+following examples are the DNSKEY records from a zone signed with a KSK
+and ZSK:
+
+::
+
+   $ dig @192.168.1.12 example.com DNSKEY
+
+   ; <<>> DiG 9.16.0 <<>> @192.168.1.12 example.com dnskey +multiline
+   ; (1 server found)
+   ;; global options: +cmd
+   ;; Got answer:
+   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54989
+   ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
+   ;; WARNING: recursion requested but not available
+
+   ;; OPT PSEUDOSECTION:
+   ; EDNS: version: 0, flags:; udp: 4096
+   ; COOKIE: 5258d7ed09db0d76010000005ea1cc8c672d8db27a464e37 (good)
+   ;; QUESTION SECTION:
+   ;example.com.       IN DNSKEY
+
+   ;; ANSWER SECTION:
+   example.com.        60 IN DNSKEY 256 3 13 (
+                   tAeXLtIQ3aVDqqS/1UVRt9AE6/nzfoAuaT1Vy4dYl2CK
+                   pLNcUJxME1Z//pnGXY+HqDU7Gr5HkJY8V0W3r5fzlw==
+                   ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 63722
+   example.com.        60 IN DNSKEY 257 3 13 (
+                   cxkNegsgubBPXSra5ug2P8rWy63B8jTnS4n0IYSsD9eW
+                   VhiyQDmdgevKUhfG3SE1wbLChjJc2FAbvSZ1qk03Nw==
+                   ) ; KSK; alg = ECDSAP256SHA256 ; key id = 42933
+
+... and a zone signed with just a CSK:
+
+::
+
+   $ dig @192.168.1.13 example.com DNSKEY
+
+   ; <<>> DiG 9.16.0 <<>> @192.168.1.13 example.com dnskey +multiline
+   ; (1 server found)
+   ;; global options: +cmd
+   ;; Got answer:
+   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22628
+   ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
+   ;; WARNING: recursion requested but not available
+
+   ;; OPT PSEUDOSECTION:
+   ; EDNS: version: 0, flags:; udp: 4096
+   ; COOKIE: bf19ee914b5df46e010000005ea1cd02b66c06885d274647 (good)
+   ;; QUESTION SECTION:
+   ;example.com.       IN DNSKEY
+
+   ;; ANSWER SECTION:
+   example.com.        60 IN DNSKEY 257 3 13 (
+                   p0XM6AJ68qid2vtOdyGaeH1jnrdk2GhZeVvGzXfP/PNa
+                   71wGtzR6jdUrTbXo5Z1W5QeeJF4dls4lh4z7DByF5Q==
+                   ) ; KSK; alg = ECDSAP256SHA256 ; key id = 1231
+
+The only visible difference between the records (apart from the key data
+itself) is the value of the flags fields; this is 256
+for a ZSK and 257 for a KSK or CSK. Even then, the flags field is only a
+hint to the software using it as to the role of the key: zones can be
+signed by any key. The fact that a CSK and KSK both have the same flags
+emphasizes this. A KSK usually only signs the DNSSEC key-related RRsets
+in a zone, whereas a CSK is used to sign all records in the zone.
+
+The original idea of separating the function of the key into a KSK and
+ZSK was operational. With a single key, changing it for any reason is
+"expensive," as it requires interaction with the parent zone
+(e.g., uploading the key to the parent may require manual interaction
+with the organization running that zone). By splitting it, interaction
+with the parent is required only if the KSK is changed; the ZSK can be
+changed as often as required without involving the parent.
+
+The split also allows the keys to be of different lengths. So the ZSK,
+which is used to sign the record in the zone, can be of a (relatively)
+short length, lowering the load on the server. The KSK, which is used
+only infrequently, can be of a much longer length. The relatively
+infrequent use also allows the private part of the key to be stored in a
+way that is more secure but that may require more overhead to access, e.g., on
+an HSM (see :ref:`hardware_security_modules`).
+
+In the early days of DNSSEC, the idea of splitting the key went more or
+less unchallenged. However, with the advent of more powerful computers
+and the introduction of signaling methods between the parent and child
+zones (see :ref:`cds_cdnskey`), the advantages of a ZSK/KSK split are
+less clear and, for many zones, a single key is all that is required.
+
+As with many questions related to the choice of DNSSEC policy, the
+decision on which is "best" is not clear and depends on your circumstances.
+
+Which Algorithm?
+^^^^^^^^^^^^^^^^
+
+There are three algorithm choices for DNSSEC as of this writing
+(mid-2020):
+
+-  RSA
+
+-  Elliptic Curve DSA (ECDSA)
+
+-  Edwards Curve Digital Security Algorithm (EdDSA)
+
+All are supported in BIND 9, but only RSA and ECDSA (specifically
+RSASHA256 and ECDSAP256SHA256) are mandatory to implement in DNSSEC.
+However, RSA is a little long in the tooth, and ECDSA/EdDSA are emerging
+as the next new cryptographic standards. In fact, the US federal
+government recommended discontinuing RSA use altogether by September 2015
+and migrating to using ECDSA or similar algorithms.
+
+For now, use ECDSAP256SHA256 but keep abreast of developments in this
+area. For details about rolling over DNSKEYs to a new algorithm, see
+:ref:`advanced_discussions_DNSKEY_algorithm_rollovers`.
+
+.. _key_sizes:
+
+Key Sizes
+^^^^^^^^^
+
+If using RSA keys, the choice of key sizes is a classic issue of finding
+the balance between performance and security. The larger the key size,
+the longer it takes for an attacker to crack the key; but larger keys
+also mean more resources are needed both when generating signatures
+(authoritative servers) and verifying signatures (recursive servers).
+
+Of the two sets of keys, ZSK is used much more frequently. ZSK is used whenever zone
+data changes or when signatures expire, so performance
+certainly is of a bigger concern. As for KSK, it is used less
+frequently, so performance is less of a factor, but its impact is bigger
+because of its role in signing other keys.
+
+In earlier versions of this guide, the following key lengths were
+chosen for each set, with the recommendation that they be rotated more
+frequently for better security:
+
+-  *ZSK*: RSA 1024 bits, rollover every year
+
+-  *KSK*: RSA 2048 bits, rollover every five years
+
+These should be considered minimum RSA key sizes. At the time
+of this writing (mid-2020), the root zone and many TLDs are already using 2048
+bit ZSKs. If you choose to implement larger key sizes, keep in mind that
+larger key sizes result in larger DNS responses, which this may mean more
+load on network resources. Depending on your network configuration, end users
+may even experience resolution failures due to the increased response
+sizes, as discussed in :ref:`whats_edns0_all_about`.
+
+ECDSA key sizes can be much smaller for the same level of security, e.g.,
+an ECDSA key length of 224 bits provides the same level of security as a
+2048-bit RSA key. Currently BIND 9 sets a key size of 256 for all ECDSA keys.
+
+.. _advanced_discussions_key_storage:
+
+Key Storage
+^^^^^^^^^^^
+
+Public Key Storage
+++++++++++++++++++
+
+The beauty of a public key cryptography system is that the public key
+portion can and should be distributed to as many people as possible. As
+the administrator, you may want to keep the public keys on an easily
+accessible file system for operational ease, but there is no need to
+securely store them, since both ZSK and KSK public keys are published in
+the zone data as DNSKEY resource records.
+
+Additionally, a hash of the KSK public key is also uploaded to the
+parent zone (see :ref:`working_with_parent_zone` for more details),
+and is published by the parent zone as DS records.
+
+Private Key Storage
++++++++++++++++++++
+
+Ideally, private keys should be stored offline, in secure devices such
+as a smart card. Operationally, however, this creates certain
+challenges, since the private key is needed to create RRSIG resource
+records, and it is a hassle to bring the private key out of
+storage every time the zone file changes or signatures expire.
+
+A common approach to strike the balance between security and
+practicality is to have two sets of keys: a ZSK set and a KSK set. A ZSK
+private key is used to sign zone data, and can be kept online for ease
+of use, while a KSK private key is used to sign just the DNSKEY (the ZSK); it is
+used less frequently, and can be stored in a much more secure and
+restricted fashion.
+
+For example, a KSK private key stored on a USB flash drive that is kept
+in a fireproof safe, only brought online once a year to sign a new pair
+of ZSKs, combined with a ZSK private key stored on the network
+file system and available for routine use, may be a good balance between
+operational flexibility and security.
+
+For more information on changing keys, please see
+:ref:`key_rollovers`.
+
+.. _hardware_security_modules:
+
+Hardware Security Modules (HSMs)
+++++++++++++++++++++++++++++++++
+
+A Hardware Security Module (HSM) may come in different shapes and sizes,
+but as the name indicates, it is a physical device or devices, usually
+with some or all of the following features:
+
+-  Tamper-resistant key storage
+
+-  Strong random-number generation
+
+-  Hardware for faster cryptographic operations
+
+Most organizations do not incorporate HSMs into their security practices
+due to cost and the added operational complexity.
+
+BIND supports Public Key Cryptography Standard #11 (PKCS #11) for
+communication with HSMs and other cryptographic support devices. For
+more information on how to configure BIND to work with an HSM, please
+refer to the `BIND 9 Administrator Reference
+Manual <https://bind9.readthedocs.io/en/latest/index.html>`_.
+
+.. _advanced_discussions_key_management:
+
+Rollovers
+~~~~~~~~~
+
+.. _key_rollovers:
+
+Key Rollovers
+^^^^^^^^^^^^^
+
+A key rollover is where one key in a zone is replaced by a new one.
+There are arguments for and against regularly rolling keys. In essence
+these are:
+
+Pros:
+
+1. Regularly changing the key hinders attempts at determination of the
+   private part of the key by cryptanalysis of signatures.
+
+2. It gives administrators practice at changing a key; should a key ever need to be
+   changed in an emergency, they would not be doing it for the first time.
+
+Cons:
+
+1. A lot of effort is required to hack a key, and there are probably
+   easier ways of obtaining it, e.g., by breaking into the systems on
+   which it is stored.
+
+2. Rolling the key adds complexity to the system and introduces the
+   possibility of error. We are more likely to
+   have an interruption to our service than if we had not rolled it.
+
+Whether and when to roll the key is up to you. How serious would the
+damage be if a key were compromised without you knowing about it? How
+serious would a key roll failure be?
+
+Before going any further, it is worth noting that if you sign your zone
+with either of the fully automatic methods (described in ref:`signing_alternative_ways`),
+you don't really need to
+concern yourself with the details of a key rollover: BIND 9 takes care of
+it all for you. If you are doing a manual key roll or are setting up the
+keys for a semi-automatic key rollover, you do need to familiarize yourself
+with the various steps involved and the timing details.
+
+Rolling a key is not as simple as replacing the DNSKEY statement in the
+zone. That is an essential part of it, but timing is everything. For
+example, suppose that we run the ``example.com`` zone and that a friend
+queries for the AAAA record of ``www.example.com``. As part of the
+resolution process (described in
+:ref:`how_does_dnssec_change_dns_lookup`), their recursive server
+looks up the keys for the ``example.com`` zone and uses them to verify
+the signature associated with the AAAA record. We'll assume that the
+records validated successfully, so they can use the
+address to visit ``example.com``'s website.
+
+Let's also assume that immediately after the lookup, we want to roll the ZSK
+for ``example.com``. Our first attempt at this is to remove the old
+DNSKEY record and signatures, add a new DNSKEY record, and re-sign the
+zone with it. So one minute our server is serving the old DNSKEY and
+records signed with the old key, and the next minute it is serving the
+new key and records signed with it. We've achieved our goal - we are
+serving a zone signed with the new keys; to check this is really the
+case, we booted up our laptop and looked up the AAAA record
+``ftp.example.com``. The lookup succeeded so all must be well. Or is it?
+Just to be sure, we called our friend and asked them to check. They
+tried to lookup ``ftp.example.com`` but got a SERVFAIL response from
+their recursive server. What's going on?
+
+The answer, in a word, is "caching." When our friend looked up
+``www.example.com``, their recursive server retrieved and cached
+not only the AAAA record, but also a lot of other records. It cached
+the NS records for ``com`` and ``example.com``, as well as
+the AAAA (and A) records for those name servers (and this action may, in turn, have
+caused the lookup and caching of other NS and AAAA/A records). Most
+importantly for this example, it also looked up and cached the DNSKEY
+records for the root, ``com``, and ``example.com`` zones. When a query
+was made for ``ftp.example.com``, the recursive server believed it
+already had most of the information
+we needed. It knew what nameservers served ``example.com`` and their
+addresses, so it went directly to one of those to get the AAAA record for
+``ftp.example.com`` and its associated signature. But when it tried to
+validate the signature, it used the cached copy of the DNSKEY, and that
+is when our friend had the problem. Their recursive server had a copy of
+the old DNSKEY in its cache, but the AAAA record for ``ftp.example.com``
+was signed with the new key. So, not surprisingly, the signature could not
+validate.
+
+How should we roll the keys for ``example.com``? A clue to the
+answer is to note that the problem came about because the DNSKEY records
+were cached by the recursive server. What would have happened had our
+friend flushed the DNSKEY records from the recursive server's cache before
+making the query? That would have worked; those records would have been
+retrieved from ``example.com``'s nameservers at the same time that we
+retrieved the AAAA record for ``ftp.example.com``. Our friend's server would have
+obtained the new key along with the AAAA record and associated signature
+created with the new key, and all would have been well.
+
+As it is obviously impossible for us to notify all recursive server
+operators to flush our DNSKEY records every time we roll a key, we must
+use another solution. That solution is to wait
+for the recursive servers to remove old records from caches when they
+reach their TTL. How exactly we do this depends on whether we are trying
+to roll a ZSK, a KSK, or a CSK.
+
+.. _zsk_rollover_methods:
+
+ZSK Rollover Methods
+++++++++++++++++++++
+
+The ZSK can be rolled in one of the following two ways:
+
+1. *Pre-Publication*: Publish the new ZSK into zone data before it is
+   actually used. Wait at least one TTL interval, so the world's recursive servers
+   know about both keys, then stop using the old key and generate a new
+   RRSIG using the new key. Wait at least another TTL, so the cached old
+   key data is expunged from the world's recursive servers, and then remove
+   the old key.
+
+   The benefit of the pre-publication approach is it does not
+   dramatically increase the zone size; however, the duration of the rollover
+   is longer. If insufficient time has passed after the new ZSK is
+   published, some resolvers may only have the old ZSK cached when the
+   new RRSIG records are published, and validation may fail. This is the
+   method described in :ref:`recipes_zsk_rollover`.
+
+2. *Double-Signature*: Publish the new ZSK and new RRSIG, essentially
+   doubling the size of the zone. Wait at least one TTL interval, and then remove
+   the old ZSK and old RRSIG.
+
+   The benefit of the double-signature approach is that it is easier to
+   understand and execute, but it causes a significantly increased zone size
+   during a rollover event.
+
+.. _ksk_rollover_methods:
+
+KSK Rollover Methods
+++++++++++++++++++++
+
+Rolling the KSK requires interaction with the parent zone, so
+operationally this may be more complex than rolling ZSKs. There are
+three methods of rolling the KSK:
+
+1. *Double-KSK*: Add the new KSK to the DNSKEY RRset, which is then
+   signed with both the old and new keys. After waiting for the old RRset
+   to expire from caches, change the DS record in the parent zone.
+   After waiting a further TTL interval for this change to be reflected in
+   caches, remove the old key from the RRset.
+
+   Basically, the new KSK is added first at the child zone and
+   used to sign the DNSKEY; then the DS record is changed, followed by the
+   removal of the old KSK. Double-KSK keeps the interaction with the
+   parent zone to a minimum, but for the duration of the rollover, the
+   size of the DNSKEY RRset is increased.
+
+2. *Double-DS*: Publish the new DS record. After waiting for this
+   change to propagate into caches, change the KSK. After a further TTL
+   interval during which the old DNSKEY RRset expires from caches, remove the
+   old DS record.
+
+   Double-DS is the reverse of Double-KSK: the new DS is published at
+   the parent first, then the KSK at the child is updated, then
+   the old DS at the parent is removed. The benefit is that the size of the DNSKEY
+   RRset is kept to a minimum, but interactions with the parent zone are
+   increased to two events. This is the method described in
+   :ref:`recipes_ksk_rollover`.
+
+3. *Double-RRset*: Add the new KSK to the DNSKEY RRset, which is
+   then signed with both the old and new key, and add the new DS record
+   to the parent zone. After waiting a suitable interval for the
+   old DS and DNSKEY RRsets to expire from caches, remove the old DNSKEY and
+   old DS record.
+
+   Double-RRset is the fastest way to roll the KSK (i.e., it has the shortest rollover
+   time), but has the drawbacks of both of the other methods: a larger
+   DNSKEY RRset and two interactions with the parent.
+
+.. _csk_rollover_methods:
+
+CSK Rollover Methods
+++++++++++++++++++++
+
+Rolling the CSK is more complex than rolling either the ZSK or KSK, as
+the timing constraints relating to both the parent zone and the caching
+of records by downstream recursive servers must be taken into
+account. There are numerous possible methods that are a combination of ZSK
+rollover and KSK rollover methods. BIND 9 automatic signing uses a
+combination of ZSK Pre-Publication and Double-KSK rollover.
+
+.. _advanced_discussions_emergency_rollovers:
+
+Emergency Key Rollovers
+^^^^^^^^^^^^^^^^^^^^^^^
+
+Keys are generally rolled on a regular schedule - if you choose
+to roll them at all. But sometimes, you may have to rollover keys
+out-of-schedule due to a security incident. The aim of an emergency
+rollover is to re-sign the zone with a new key as soon as possible, because
+when a key is suspected of being compromised, a malicious attacker (or
+anyone who has access to the key) could impersonate your server and trick other
+validating resolvers into believing that they are receiving authentic,
+validated answers.
+
+During an emergency rollover, follow the same operational
+procedures described in :ref:`recipes_rollovers`, with the added
+task of reducing the TTL of the current active (potentially compromised) DNSKEY
+RRset, in an attempt to phase out the compromised key faster before the new
+key takes effect. The time frame should be significantly reduced from
+the 30-days-apart example, since you probably do not want to wait up to
+60 days for the compromised key to be removed from your zone.
+
+Another method is to carry a spare key with you at all times. If
+you have a second key pre-published and that one
+is not compromised at the same time as the first key,
+you could save yourself some time by immediately
+activating the spare key if the active
+key is compromised. With pre-publication, all validating resolvers should already
+have this spare key cached, thus saving you some time.
+
+With a KSK emergency rollover, you also need to consider factors
+related to your parent zone, such as how quickly they can remove the old
+DS records and publish the new ones.
+
+As with many other facets of DNSSEC, there are multiple aspects to take into
+account when it comes to emergency key rollovers. For more in-depth
+considerations, please check out :rfc:`7583`.
+
+.. _advanced_discussions_DNSKEY_algorithm_rollovers:
+
+Algorithm Rollovers
+^^^^^^^^^^^^^^^^^^^
+
+From time to time, new digital signature algorithms with improved
+security are introduced, and it may be desirable for administrators to
+roll over DNSKEYs to a new algorithm, e.g., from RSASHA1 (algorithm 5 or
+7) to RSASHA256 (algorithm 8). The algorithm rollover steps must be followed with
+care to avoid breaking DNSSEC validation.
+
+If you are managing DNSSEC by using the ``dnssec-policy`` configuration,
+``named`` handles the rollover for you. Simply change the algorithm
+for the relevant keys, and ``named`` uses the new algorithm when the
+key is next rolled. It performs a smooth transition to the new
+algorithm, ensuring that the zone remains valid throughout rollover.
+
+If you are using other methods to sign the zone, the administrator needs to do more work. As
+with other key rollovers, when the zone is a primary zone, an algorithm
+rollover can be accomplished using dynamic updates or automatic key
+rollovers. For secondary zones, only automatic key rollovers are
+possible, but the ``dnssec-settime`` utility can be used to control the
+timing.
+
+In any case, the first step is to put DNSKEYs in place using the new algorithm.
+You must generate the ``K*`` files for the new algorithm and put
+them in the zone's key directory, where ``named`` can access them. Take
+care to set appropriate ownership and permissions on the keys. If the
+``auto-dnssec`` zone option is set to ``maintain``, ``named``
+automatically signs the zone with the new keys, based on their timing
+metadata when the ``dnssec-loadkeys-interval`` elapses or when you issue the
+``rndc loadkeys`` command. Otherwise, for primary zones, you can use
+``nsupdate`` to add the new DNSKEYs to the zone; this causes ``named``
+to use them to sign the zone. For secondary zones, e.g., on a
+"bump in the wire" signing server, ``nsupdate`` cannot be used.
+
+Once the zone has been signed by the new DNSKEYs (and you have waited
+for at least one TTL period), you must inform the parent zone and any trust
+anchor repositories of the new KSKs, e.g., you might place DS records in
+the parent zone through your DNS registrar's website.
+
+Before starting to remove the old algorithm from a zone, you must allow
+the maximum TTL on its DS records in the parent zone to expire. This
+assures that any subsequent queries retrieve the new DS records
+for the new algorithm. After the TTL has expired, you can remove the DS
+records for the old algorithm from the parent zone and any trust anchor
+repositories. You must then allow another maximum TTL interval to elapse
+so that the old DS records disappear from all resolver caches.
+
+The next step is to remove the DNSKEYs using the old algorithm from your
+zone. Again this can be accomplished using ``nsupdate`` to delete the
+old DNSKEYs (for primary zones only) or by automatic key rollover when
+``auto-dnssec`` is set to ``maintain``. You can cause the automatic key
+rollover to take place immediately by using the ``dnssec-settime``
+utility to set the *Delete* date on all keys to any time in the past.
+(See the ``dnssec-settime -D <date/offset>`` option.)
+
+After adjusting the timing metadata, the ``rndc loadkeys`` command
+causes ``named`` to remove the DNSKEYs and
+RRSIGs for the old algorithm from the zone. Note also that with the
+``nsupdate`` method, removing the DNSKEYs also causes ``named`` to
+remove the associated RRSIGs automatically.
+
+Once you have verified that the old DNSKEYs and RRSIGs have been removed
+from the zone, the final (optional) step is to remove the key files for
+the old algorithm from the key directory.
+
+Other Topics
+~~~~~~~~~~~~
+
+DNSSEC and Dynamic Updates
+^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Dynamic DNS (DDNS) is actually independent of DNSSEC. DDNS provides a
+mechanism, separate from editing the zone file or zone database, to edit DNS
+data. Most DNS clients and servers are able to handle dynamic
+updates, and DDNS can also be integrated as part of your DHCP
+environment.
+
+When you have both DNSSEC and dynamic updates in your environment,
+updating zone data works the same way as with traditional (insecure)
+DNS: you can use ``rndc freeze`` before editing the zone file, and
+``rndc thaw`` when you have finished editing, or you can use the
+command ``nsupdate`` to add, edit, or remove records like this:
+
+::
+
+   $ nsupdate
+   > server 192.168.1.13
+   > update add xyz.example.com. 300 IN A 1.1.1.1
+   > send
+   > quit
+
+The examples provided in this guide make ``named`` automatically
+re-sign the zone whenever its content has changed. If you decide to sign
+your own zone file manually, you need to remember to execute the
+``dnssec-signzone`` command whenever your zone file has been updated.
+
+As far as system resources and performance are concerned, be mindful that
+with a DNSSEC zone that changes frequently, every time the zone
+changes your system is executing a series of cryptographic operations
+to (re)generate signatures and NSEC or NSEC3 records.
+
+.. _dnssec_on_private_networks:
+
+DNSSEC on Private Networks
+^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Let's clarify what we mean: in this section, "private networks" really refers to
+a private or internal DNS view. Most DNS products offer the ability to
+have different versions of DNS answers, depending on the origin of the
+query. This feature is often called "DNS views" or "split DNS," and is most
+commonly implemented as an "internal" versus an "external" setup.
+
+For instance, your organization may have a version of ``example.com``
+that is offered to the world, and its names most likely resolve to
+publicly reachable IP addresses. You may also have an internal version
+of ``example.com`` that is only accessible when you are on the company's
+private networks or via a VPN connection. These private networks typically
+fall under 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16 for IPv4.
+
+So what if you want to offer DNSSEC for your internal version of
+``example.com``? This can be done: the golden rule is to use the same
+key for both the internal and external versions of the zones. This
+avoids problems that can occur when machines (e.g., laptops) move
+between accessing the internal and external zones, when it is possible
+that they may have cached records from the wrong zone.
+
+.. _introduction_to_dane:
+
+Introduction to DANE
+^^^^^^^^^^^^^^^^^^^^
+
+With your DNS infrastructure secured with DNSSEC, information can
+now be stored in DNS and its integrity and authenticity can be proved.
+One of the new features that takes advantage of this is the DNS-Based
+Authentication of Named Entities, or DANE. This improves security in a
+number of ways, including:
+
+-  The ability to store self-signed X.509 certificates and bypass having to pay a third
+   party (such as a Certificate Authority) to sign the certificates
+   (:rfc:`6698`).
+
+-  Improved security for clients connecting to mail servers (:rfc:`7672`).
+
+-  A secure way of getting public PGP keys (:rfc:`7929`).
+
+Disadvantages of DNSSEC
+~~~~~~~~~~~~~~~~~~~~~~~
+
+DNSSEC, like many things in this world, is not without its problems.
+Below are a few challenges and disadvantages that DNSSEC faces.
+
+1. *Increased, well, everything*: With DNSSEC, signed zones are larger,
+   thus taking up more disk space; for DNSSEC-aware servers, the
+   additional cryptographic computation usually results in increased
+   system load; and the network packets are bigger, possibly putting
+   more strains on the network infrastructure.
+
+2. *Different security considerations*: DNSSEC addresses many security
+   concerns, most notably cache poisoning. But at the same time, it may
+   introduce a set of different security considerations, such as
+   amplification attack and zone enumeration through NSEC. These
+   concerns are still being identified and addressed by the Internet
+   community.
+
+3. *More complexity*: If you have read this far, you have probably already
+   concluded this yourself. With additional resource records, keys,
+   signatures, and rotations, DNSSEC adds many more moving pieces on top of
+   the existing DNS machine. The job of the DNS administrator changes,
+   as DNS becomes the new secure repository of everything from spam
+   avoidance to encryption keys, and the amount of work involved to
+   troubleshoot a DNS-related issue becomes more challenging.
+
+4. *Increased fragility*: The increased complexity means more
+   opportunities for things to go wrong. Before DNSSEC, DNS
+   was essentially "add something to the zone and forget it." With DNSSEC,
+   each new component - re-signing, key rollover, interaction with
+   parent zone, key management - adds more opportunity for error. It is
+   entirely possible that a failure to validate a name may come down to
+   errors on the part of one or more zone operators rather than the
+   result of a deliberate attack on the DNS.
+
+5. *New maintenance tasks*: Even if your new secure DNS infrastructure
+   runs without any hiccups or security breaches, it still requires
+   regular attention, from re-signing to key rollovers. While most of
+   these can be automated, some of the tasks, such as KSK rollover,
+   remain manual for the time being.
+
+6. *Not enough people are using it today*: While it's estimated (as of
+   mid-2020) that roughly 30% of the global Internet DNS traffic is
+   validating  [#]_ , that doesn't mean that many of the DNS zones are
+   actually signed. What this means is, even if your company's zone is
+   signed today, fewer than 30% of the Internet's servers are taking
+   advantage of this extra security. It gets worse: with less than 1.5%
+   of the ``com.`` domains signed, even if your DNSSEC validation is enabled today,
+   it's not likely to buy you or your users a whole lot more protection
+   until these popular domain names decide to sign their zones.
+
+The last point may have more impact than you realize. Consider this:
+HTTP and HTTPS make up the majority of traffic on the Internet. While you may have
+secured your DNS infrastructure through DNSSEC, if your web hosting is
+outsourced to a third party that does not yet support DNSSEC in its
+own domain, or if your web page loads contents and components from
+insecure domains, end users may experience validation problems when
+trying to access your web page. For example, although you may have signed
+the zone ``company.com``, the web address ``www.company.com`` may actually be a
+CNAME to ``foo.random-cloud-provider.com``. As long as
+``random-cloud-provider.com`` remains an insecure DNS zone, users cannot
+fully validate everything when they visit your web page and could be
+redirected elsewhere by a cache poisoning attack.
+
+.. [#]
+   Based on APNIC statistics at
+   `<https://stats.labs.apnic.net/dnssec/XA>`__
diff --git a/doc/dnssec-guide/commonly-asked-questions.rst b/doc/dnssec-guide/commonly-asked-questions.rst
new file mode 100644
index 0000000..a506777
--- /dev/null
+++ b/doc/dnssec-guide/commonly-asked-questions.rst
@@ -0,0 +1,172 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. _dnssec_commonly_asked_questions:
+
+Commonly Asked Questions
+------------------------
+
+Below are some common questions and (hopefully) some answers that
+help.
+
+Do I need IPv6 to have DNSSEC?
+   No. DNSSEC can be deployed without IPv6.
+
+Does DNSSEC encrypt my DNS traffic, so others cannot eavesdrop on my DNS queries?
+   No. Although cryptographic keys and digital signatures
+   are used in DNSSEC, they only provide authenticity and integrity, not
+   privacy. Someone who sniffs network traffic can still see all the DNS
+   queries and answers in plain text; DNSSEC just makes it very difficult
+   for the eavesdropper to alter or spoof the DNS responses.
+   For protection against eavesdropping, the preferred protocol is DNS-over-TLS.
+   DNS-over-HTTPS can also do the job, but it is more complex.
+
+If I deploy DNS-over-TLS/HTTPS, can I skip deploying DNSSEC?
+   No. DNS-over-encrypted-transport stops eavesdroppers on a network, but it does
+   not protect against cache poisoning and answer manipulation in other parts
+   of the DNS resolution chain. In other words, these technologies offer protection
+   only for records when they are in transit between two machines; any
+   compromised server can still redirect traffic elsewhere (or simply eavesdrop).
+   However, DNSSEC provides integrity and authenticity for DNS
+   *records*, even when these records are stored in caches and on disks.
+
+Does DNSSEC protect the communication between my laptop and my name server?
+   Unfortunately, not at the moment. DNSSEC is designed to protect the
+   communication between end clients (laptop) and name servers;
+   however, there are few applications or stub resolver libraries as of
+   mid-2020 that take advantage of this capability.
+
+Does DNSSEC secure zone transfers?
+   No. You should consider using TSIG to secure zone transfers among your
+   name servers.
+
+Does DNSSEC protect my network from malicious websites?
+   DNSSEC makes it much more difficult for attackers to spoof DNS responses
+   or perform cache poisoning. It cannot protect against users who
+   visit a malicious website that an attacker owns and operates, or prevent users from
+   mistyping a domain name; it will just become less likely that an attacker can
+   hijack other domain names.
+
+   In other words, DNSSEC is designed to provide confidence that when
+   a DNS response is received for www.company.com over port 53, it really came from
+   Company's name servers and the answers are authentic. But that does not mean
+   the web server a user visits over port 80 or port 443 is necessarily safe.
+
+If I enable DNSSEC validation, will it break DNS lookup, since most domain names do not yet use DNSSEC?
+   No, DNSSEC is backwards-compatible to "standard" DNS. A DNSSEC-enabled
+   validating resolver can still look up all of these domain names as it always
+   has under standard DNS.
+
+   There are four (4) categories of responses (see :rfc:`4035`):
+
+   .. glossary::
+
+      Secure
+         Domains that have DNSSEC deployed correctly.
+
+      Insecure
+         Domains that have yet to deploy DNSSEC.
+
+      Bogus
+         Domains that have deployed DNSSEC but have done it incorrectly.
+
+      Indeterminate
+         Domains for which it is not possible to determine whether these domains use DNSSEC.
+
+   A DNSSEC-enabled validating resolver still resolves :term:`Secure` and
+   :term:`Insecure`; only :term:`Bogus` and :term:`Indeterminate` result in a
+   SERVFAIL.
+   As of mid-2022, roughly one-third of users worldwide are using DNSSEC validation
+   on their recursive name servers. Google public DNS (8.8.8.8) also has
+   enabled DNSSEC validation.
+
+Do I need to have special client software to use DNSSEC?
+   No. DNSSEC only changes the communication
+   behavior among DNS servers, not between a DNS server (validating resolver) and
+   a client (stub resolver). With DNSSEC validation enabled on your recursive
+   server, if a domain name does not pass the checks, an error message
+   (typically SERVFAIL) is returned to clients; to most client
+   software today, it appears that the DNS query has failed or that the domain
+   name does not exist.
+
+Since DNSSEC uses public key cryptography, do I need Public Key Infrastructure (PKI) in order to use DNSSEC?
+   No, DNSSEC does not depend on an existing PKI. Public keys are stored within
+   the DNS hierarchy; the trustworthiness of each zone is guaranteed by
+   its parent zone, all the way back to the root zone. A copy of the trust
+   anchor for the root zone is distributed with BIND 9.
+
+Do I need to purchase SSL certificates from a Certificate Authority (CA) to use DNSSEC?
+   No. With DNSSEC, you generate and publish your own keys, and sign your own
+   data as well. There is no need to pay someone else to do it for you.
+
+My parent zone does not support DNSSEC; can I still sign my zone?
+   Technically, yes, but you will not get
+   the full benefit of DNSSEC, as other validating resolvers are not
+   able to validate your zone data. Without the DS record(s) in your parent
+   zone, other validating resolvers treat your zone as an insecure
+   (traditional) zone, and no actual verification is carried out.
+   To the rest of the world, your zone still appears to be
+   insecure, and it will continue to be insecure until your parent zone can
+   host the DS record(s) for you and tell the rest of the world
+   that your zone is signed.
+
+Is DNSSEC the same thing as TSIG?
+   No. TSIG is typically used
+   between primary and secondary name servers to secure zone transfers,
+   while DNSSEC secures DNS lookup by validating answers. Even if you enable
+   DNSSEC, zone transfers are still not validated; to
+   secure the communication between your primary and secondary name
+   servers, consider setting up TSIG or similar secure channels.
+
+How are keys copied from primary to secondary server(s)?
+   DNSSEC uses public cryptography, which results in two types of keys: public and
+   private. The public keys are part of the zone data, stored as DNSKEY
+   record types. Thus the public keys are synchronized from primary to
+   secondary server(s) as part of the zone transfer. The private keys are
+   not, and should not be, stored anywhere other than secured on the primary server.
+   See :ref:`advanced_discussions_key_storage` for
+   more information on key storage options and considerations.
+
+Can I use the same key for multiple zones?
+   Yes and no. Good security practice
+   suggests that you should use unique key pairs for each zone, just as
+   you should have different passwords for your email account, social
+   media login, and online banking credentials. On a technical level, it
+   is completely feasible to reuse a key, but multiple zones are at risk if one key
+   pair is compromised. However, if you have hundreds or thousands
+   of zones to administer, a single key pair for all might be
+   less error-prone to manage. You may choose to use the same approach as
+   with password management: use unique passwords for your bank accounts and
+   shopping sites, but use a standard password for your not-very-important
+   logins. First, categorize your zones: high-value zones (or zones that have
+   specific key rollover requirements) get their own key pairs, while other,
+   more "generic" zones can use a single key pair for easier management. Note that
+   at present (mid-2020), fully automatic signing (using the ``dnssec-policy``
+   clause in your ``named`` configuration file) does not support reuse of keys
+   except when the same zone appears in multiple views (see next question).
+   To use the same key for multiple zones, sign your
+   zones using semi-automatic signing. Each zone wishing to use the key
+   should point to the same key directory.
+
+How do I sign the different instances of a zone that appears in multiple views?
+   Add a ``dnssec-policy`` statement to each ``zone`` definition in the
+   configuration file. To avoid problems when a single computer accesses
+   different instances of the zone while information is still in its cache
+   (e.g., a laptop moving from your office to a customer site), you
+   should sign all instances with the same key. This means setting the
+   same DNSSEC policy for all instances of the zone, and making sure that the
+   key directory is the same for all instances of the zone.
+
+Will there be any problems if I change the DNSSEC policy for a zone?
+   If you are using fully automatic signing, no. Just change the parameters in the
+   ``dnssec-policy`` statement and reload the configuration file. ``named``
+   makes a smooth transition to the new policy, ensuring that your zone
+   remains valid at all times.
diff --git a/doc/dnssec-guide/getting-started.rst b/doc/dnssec-guide/getting-started.rst
new file mode 100644
index 0000000..1b212ff
--- /dev/null
+++ b/doc/dnssec-guide/getting-started.rst
@@ -0,0 +1,147 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. _getting_started:
+
+Getting Started
+---------------
+
+.. _software_requirements:
+
+Software Requirements
+~~~~~~~~~~~~~~~~~~~~~
+
+This guide assumes BIND 9.16.9 or newer, although the more elaborate manual
+procedures do work with all versions of BIND later than 9.9.
+
+We recommend running the latest stable version to get the most
+complete DNSSEC configuration, as well as the latest security fixes.
+
+.. _hardware_requirements:
+
+Hardware Requirements
+~~~~~~~~~~~~~~~~~~~~~
+
+.. _recursive_server_hardware:
+
+Recursive Server Hardware
+^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Enabling DNSSEC validation on a recursive server makes it a *validating
+resolver*. The job of a validating resolver is to fetch additional
+information that can be used to computationally verify the answer set.
+Contrary to popular belief, the increase in resource consumption is very modest:
+
+1. *CPU*: a validating resolver executes cryptographic functions on cache-miss
+   answers, which leads to increased CPU usage. Thanks to standard DNS caching
+   and contemporary CPUs, the increase in CPU-time consumption in a steady
+   state is negligible - typically on the order of 5%. For a brief period (a few
+   minutes) after the resolver starts, the increase might be as much as 20%, but it
+   quickly decreases as the DNS cache fills in.
+
+2. *System memory*: DNSSEC leads to larger answer sets and occupies
+   more memory space. With typical ISP traffic and the state of the Internet as
+   of mid-2022, memory consumption for the cache increases by roughly 20%.
+
+3. *Network interfaces*: although DNSSEC does increase the amount of DNS
+   traffic overall, in practice this increase is often within measurement
+   error.
+
+.. _authoritative_server_hardware:
+
+Authoritative Server Hardware
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+On the authoritative server side, DNSSEC is enabled on a zone-by-zone
+basis. When a zone is DNSSEC-enabled, it is also known as "signed."
+Below are the expected changes to resource consumption caused by serving
+DNSSEC-signed zones:
+
+1. *CPU*: a DNSSEC-signed zone requires periodic re-signing, which is a
+   cryptographic function that is CPU-intensive. If your DNS zone is
+   dynamic or changes frequently, that also adds to higher CPU loads.
+
+2. *System storage*: A signed zone is definitely larger than an unsigned
+   zone. How much larger? See
+   :ref:`your_zone_before_and_after_dnssec` for a comparison
+   example. The final size depends on the structure of the zone, the signing algorithm,
+   the number of keys, the choice of NSEC or NSEC3, the ratio of signed delegations, the zone file
+   format, etc. Usually, the size of a signed zone ranges from a negligible
+   increase to as much as three times the size of the unsigned zone.
+
+3. *System memory*: Larger DNS zone files take up not only more storage
+   space on the file system, but also more space when they are loaded
+   into system memory. The final memory consumption also depends on all the
+   variables listed above: in the typical case the increase is around half of
+   the unsigned zone memory consumption, but it can be as high as three times
+   for some corner cases.
+
+4. *Network interfaces*: While your authoritative name servers will
+   begin sending back larger responses, it is unlikely that you need to
+   upgrade your network interface card (NIC) on the name server unless
+   you have some truly outdated hardware.
+
+One factor to consider, but over which you really have no control, is
+the number of users who query your domain name who themselves have DNSSEC
+enabled. As of mid-2022, measurements by `APNIC
+<https://stats.labs.apnic.net/dnssec>`__ show 41% of Internet users send
+DNSSEC-aware queries. This means that more DNS queries for your domain will
+take advantage of the additional security features, which will result in
+increased system load and possibly network traffic.
+
+.. _network_requirements:
+
+Network Requirements
+~~~~~~~~~~~~~~~~~~~~
+
+From a network perspective, DNS and DNSSEC packets are very similar;
+DNSSEC packets are just bigger, which means DNS is more likely to use
+TCP. You should test for the following two items to make sure your
+network is ready for DNSSEC:
+
+1. *DNS over TCP*: Verify network connectivity over TCP port 53, which
+   may mean updating firewall policies or Access Control Lists (ACL) on
+   routers. See :ref:`dns_uses_tcp` for more details.
+
+2. *Large UDP packets*: Some network equipment, such as firewalls, may
+   make assumptions about the size of DNS UDP packets and incorrectly
+   reject DNS traffic that appears "too big." Verify that the
+   responses your name server generates are being seen by the rest of the
+   world: see :ref:`whats_edns0_all_about` for more details.
+
+.. _operational_requirements:
+
+Operational Requirements
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. _parent_zone:
+
+Parent Zone
+^^^^^^^^^^^
+
+Before starting your DNSSEC deployment, check with your parent zone
+administrators to make sure they support DNSSEC. This may or may not be
+the same entity as your registrar. As you will see later in
+:ref:`working_with_parent_zone`, a crucial step in DNSSEC deployment
+is establishing the parent-child trust relationship. If your parent zone
+does not yet support DNSSEC, contact that administrator to voice your concerns.
+
+.. _security_requirements:
+
+Security Requirements
+^^^^^^^^^^^^^^^^^^^^^
+
+Some organizations may be subject to stricter security requirements than
+others. Check to see if your organization requires stronger
+cryptographic keys be generated and stored, and how often keys need to be
+rotated. The examples presented in this document are not intended for
+high-value zones. We cover some of these security considerations in
+:ref:`dnssec_advanced_discussions`.
diff --git a/doc/dnssec-guide/img/add-ds-1.png b/doc/dnssec-guide/img/add-ds-1.png
new file mode 100644
index 0000000..ac28899
--- /dev/null
+++ b/doc/dnssec-guide/img/add-ds-1.png
diff --git a/doc/dnssec-guide/img/add-ds-2.png b/doc/dnssec-guide/img/add-ds-2.png
new file mode 100644
index 0000000..c4b1acf
--- /dev/null
+++ b/doc/dnssec-guide/img/add-ds-2.png
diff --git a/doc/dnssec-guide/img/add-ds-3.png b/doc/dnssec-guide/img/add-ds-3.png
new file mode 100644
index 0000000..41a2858
--- /dev/null
+++ b/doc/dnssec-guide/img/add-ds-3.png
diff --git a/doc/dnssec-guide/img/add-ds-4.png b/doc/dnssec-guide/img/add-ds-4.png
new file mode 100644
index 0000000..d760e5d
--- /dev/null
+++ b/doc/dnssec-guide/img/add-ds-4.png
diff --git a/doc/dnssec-guide/img/add-ds-5.png b/doc/dnssec-guide/img/add-ds-5.png
new file mode 100644
index 0000000..904448d
--- /dev/null
+++ b/doc/dnssec-guide/img/add-ds-5.png
diff --git a/doc/dnssec-guide/img/add-ds-6.png b/doc/dnssec-guide/img/add-ds-6.png
new file mode 100644
index 0000000..0a0046e
--- /dev/null
+++ b/doc/dnssec-guide/img/add-ds-6.png
diff --git a/doc/dnssec-guide/img/dnssec-12-steps.png b/doc/dnssec-guide/img/dnssec-12-steps.png
new file mode 100644
index 0000000..e8ca53b
--- /dev/null
+++ b/doc/dnssec-guide/img/dnssec-12-steps.png
diff --git a/doc/dnssec-guide/img/dnssec-8-steps.png b/doc/dnssec-guide/img/dnssec-8-steps.png
new file mode 100644
index 0000000..20c4c8b
--- /dev/null
+++ b/doc/dnssec-guide/img/dnssec-8-steps.png
diff --git a/doc/dnssec-guide/img/dnssec-inline-signing-1.png b/doc/dnssec-guide/img/dnssec-inline-signing-1.png
new file mode 100644
index 0000000..daf25fc
--- /dev/null
+++ b/doc/dnssec-guide/img/dnssec-inline-signing-1.png
diff --git a/doc/dnssec-guide/img/dnssec-inline-signing-2.png b/doc/dnssec-guide/img/dnssec-inline-signing-2.png
new file mode 100644
index 0000000..bc23eb8
--- /dev/null
+++ b/doc/dnssec-guide/img/dnssec-inline-signing-2.png
diff --git a/doc/dnssec-guide/img/dnsviz-example-small.png b/doc/dnssec-guide/img/dnsviz-example-small.png
new file mode 100644
index 0000000..c4e8abf
--- /dev/null
+++ b/doc/dnssec-guide/img/dnsviz-example-small.png
diff --git a/doc/dnssec-guide/img/remove-ds-1.png b/doc/dnssec-guide/img/remove-ds-1.png
new file mode 100644
index 0000000..690f1a5
--- /dev/null
+++ b/doc/dnssec-guide/img/remove-ds-1.png
diff --git a/doc/dnssec-guide/img/remove-ds-2.png b/doc/dnssec-guide/img/remove-ds-2.png
new file mode 100644
index 0000000..b2e173f
--- /dev/null
+++ b/doc/dnssec-guide/img/remove-ds-2.png
diff --git a/doc/dnssec-guide/img/remove-ds-3.png b/doc/dnssec-guide/img/remove-ds-3.png
new file mode 100644
index 0000000..a51aba0
--- /dev/null
+++ b/doc/dnssec-guide/img/remove-ds-3.png
diff --git a/doc/dnssec-guide/img/signature-generation.png b/doc/dnssec-guide/img/signature-generation.png
new file mode 100644
index 0000000..f473232
--- /dev/null
+++ b/doc/dnssec-guide/img/signature-generation.png
diff --git a/doc/dnssec-guide/img/signature-verification.png b/doc/dnssec-guide/img/signature-verification.png
new file mode 100644
index 0000000..15f4a72
--- /dev/null
+++ b/doc/dnssec-guide/img/signature-verification.png
diff --git a/doc/dnssec-guide/img/unsign-1.png b/doc/dnssec-guide/img/unsign-1.png
new file mode 100644
index 0000000..d4e3037
--- /dev/null
+++ b/doc/dnssec-guide/img/unsign-1.png
diff --git a/doc/dnssec-guide/img/unsign-2.png b/doc/dnssec-guide/img/unsign-2.png
new file mode 100644
index 0000000..690f1a5
--- /dev/null
+++ b/doc/dnssec-guide/img/unsign-2.png
diff --git a/doc/dnssec-guide/img/unsign-3.png b/doc/dnssec-guide/img/unsign-3.png
new file mode 100644
index 0000000..5aa6497
--- /dev/null
+++ b/doc/dnssec-guide/img/unsign-3.png
diff --git a/doc/dnssec-guide/img/unsign-4.png b/doc/dnssec-guide/img/unsign-4.png
new file mode 100644
index 0000000..3fd398a
--- /dev/null
+++ b/doc/dnssec-guide/img/unsign-4.png
diff --git a/doc/dnssec-guide/img/verisign-dnssec-debugger-example.png b/doc/dnssec-guide/img/verisign-dnssec-debugger-example.png
new file mode 100644
index 0000000..35a2d95
--- /dev/null
+++ b/doc/dnssec-guide/img/verisign-dnssec-debugger-example.png
diff --git a/doc/dnssec-guide/introduction.rst b/doc/dnssec-guide/introduction.rst
new file mode 100644
index 0000000..e8f6cf9
--- /dev/null
+++ b/doc/dnssec-guide/introduction.rst
@@ -0,0 +1,394 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. _dnssec_guide_introduction:
+
+Introduction
+------------
+
+.. _who_should_read:
+
+Who Should Read this Guide?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This guide is intended as an introduction to DNSSEC for the DNS
+administrator who is already comfortable working with the existing BIND and DNS
+infrastructure. He or she might be curious about DNSSEC, but may not have had the
+time to investigate DNSSEC, to learn whether DNSSEC should
+be a part of his or her environment, and understand what it means to deploy it in the
+field.
+
+This guide provides basic information on how to configure DNSSEC using
+BIND 9.16.9 or later. Most of the information and examples in this guide also
+apply to versions of BIND later than 9.9.0, but some of the key features described here
+were only introduced in version 9.16.9. Readers are assumed to have basic
+working knowledge of the Domain Name System (DNS) and related network
+infrastructure, such as concepts of TCP/IP. In-depth knowledge of DNS and
+TCP/IP is not required. The guide assumes no prior knowledge of DNSSEC or
+related technology such as public key cryptography.
+
+.. _who_should_not_read:
+
+Who May Not Want to Read this Guide?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+If you are already operating a DNSSEC-signed zone, you may not learn
+much from the first half of this document, and you may want to start with 
+:ref:`dnssec_advanced_discussions`. If you want to
+learn about details of the protocol extension, such as data fields and flags,
+or the new record types, this document can help you get started but it
+does not include all the technical details.
+
+If you are experienced in DNSSEC, you
+may find some of the concepts in this document to be overly simplified for
+your taste, and some details are intentionally omitted at times for ease of
+illustration.
+
+If you administer a large or complex BIND environment, this
+guide may not provide enough information for you, as it is intended to provide
+only basic, generic working examples.
+
+If you are a top-level domain (TLD) operator, or
+administer zones under signed TLDs, this guide can
+help you get started, but it does not provide enough details to serve all of your
+needs.
+
+If your DNS environment uses DNS products other than (or in addition to)
+BIND, this document may provide some background or overlapping information, but you
+should check each product's vendor documentation for specifics.
+
+Finally, deploying
+DNSSEC on internal or private networks is not covered in this document, with the
+exception of a brief discussion in :ref:`dnssec_on_private_networks`.
+
+.. _what_is_dnssec:
+
+What is DNSSEC?
+~~~~~~~~~~~~~~~
+
+The Domain Name System (DNS) was designed in a day and age when the
+Internet was a friendly and trusting place. The protocol itself provides
+little protection against malicious or forged answers. DNS Security
+Extensions (DNSSEC) addresses this need, by adding digital signatures
+into DNS data so that each DNS response can be verified for integrity
+(the answer did not change during transit) and authenticity (the data
+came from the true source, not an impostor). In the ideal world, when
+DNSSEC is fully deployed, every single DNS answer can be validated and
+trusted.
+
+DNSSEC does not provide a secure tunnel; it does not encrypt or hide DNS
+data. It operates independently of an existing Public Key Infrastructure
+(PKI). It does not need SSL certificates or shared secrets. It was
+designed with backwards compatibility in mind, and can be deployed
+without impacting "old" unsecured domain names.
+
+DNSSEC is deployed on the three major components of the DNS
+infrastructure:
+
+-  *Recursive Servers*: People use recursive servers to lookup external
+   domain names such as ``www.example.com``. Operators of recursive servers
+   need to enable DNSSEC validation. With validation enabled, recursive
+   servers carry out additional tasks on each DNS response they
+   receive to ensure its authenticity.
+
+-  *Authoritative Servers*: People who publish DNS data on their name
+   servers need to sign that data. This entails creating additional
+   resource records, and publishing them to parent domains where
+   necessary. With DNSSEC enabled, authoritative servers respond to
+   queries with additional DNS data, such as digital signatures and
+   keys, in addition to the standard answers.
+
+-  *Applications*: This component lives on every client machine, from web
+   servers to smart phones. This includes resolver libraries on different
+   operating systems, and applications such as web browsers.
+
+In this guide, we focus on the first two components, Recursive
+Servers and Authoritative Servers, and only lightly touch on the third
+component. We look at how DNSSEC works, how to configure a
+validating resolver, how to sign DNS zone data, and other operational
+tasks and considerations.
+
+.. _what_does_dnssec_add_to_dns:
+
+What Does DNSSEC Add to DNS?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. note::
+
+   Public Key Cryptography works on the concept of a pair of keys: one
+   made available to the world publicly, and one kept in secrecy
+   privately. Not surprisingly, they are known as a public key and a private
+   key. If you are not familiar with the concept, think of it as a
+   cleverly designed lock, where one key locks and one key unlocks. In
+   DNSSEC, we give out the unlocking public key to the rest of the
+   world, while keeping the locking key private. To learn how this is
+   used to secure DNS messages, see :ref:`how_are_answers_verified`.
+
+DNSSEC introduces eight new resource record types:
+
+-  RRSIG (digital resource record signature)
+
+-  DNSKEY (public key)
+
+-  DS (parent-child)
+
+-  NSEC (proof of nonexistence)
+
+-  NSEC3 (proof of nonexistence)
+
+-  NSEC3PARAM (proof of nonexistence)
+
+-  CDS (child-parent signaling)
+
+-  CDNSKEY (child-parent signaling)
+
+This guide does not go deep into the anatomy of each resource record
+type; the details are left for the reader to research and explore.
+Below is a short introduction on each of the new record types:
+
+-  *RRSIG*: With DNSSEC enabled, just about every DNS answer (A, PTR,
+   MX, SOA, DNSKEY, etc.) comes with at least one resource
+   record signature, or RRSIG. These signatures are used by recursive name
+   servers, also known as validating resolvers, to verify the answers
+   received. To learn how digital signatures are generated and used, see
+   :ref:`how_are_answers_verified`.
+
+-  *DNSKEY*: DNSSEC relies on public-key cryptography for data
+   authenticity and integrity. There are several keys used in DNSSEC,
+   some private, some public. The public keys are published to the world
+   as part of the zone data, and they are stored in the DNSKEY record
+   type.
+
+   In general, keys in DNSSEC are used for one or both of the following
+   roles: as a Zone Signing Key (ZSK), used to protect all zone data; or
+   as a Key Signing Key (KSK), used to protect the zone's keys. A key
+   that is used for both roles is referred to as a Combined Signing Key
+   (CSK). We talk about keys in more detail in
+   :ref:`advanced_discussions_key_generation`.
+
+-  *DS*: One of the critical components of DNSSEC is that the parent
+   zone can "vouch" for its child zone. The DS record is verifiable
+   information (generated from one of the child's public keys) that a
+   parent zone publishes about its child as part of the chain of trust.
+   To learn more about the Chain of Trust, see
+   :ref:`chain_of_trust`.
+
+-  *NSEC, NSEC3, NSEC3PARAM*: These resource records all deal with a
+   very interesting problem: proving that something does not exist. We
+   look at these record types in more detail in
+   :ref:`advanced_discussions_proof_of_nonexistence`.
+
+-  *CDS, CDNSKEY*: The CDS and CDNSKEY resource records apply to
+   operational matters and are a way to signal to the parent zone that
+   the DS records it holds for the child zone should be updated. This is
+   covered in more detail in :ref:`cds_cdnskey`.
+
+.. _how_does_dnssec_change_dns_lookup:
+
+How Does DNSSEC Change DNS Lookup?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Traditional (insecure) DNS lookup is simple: a recursive name server
+receives a query from a client to lookup a name like ``www.isc.org``. The
+recursive name server tracks down the authoritative name server(s)
+responsible, sends the query to one of the authoritative name servers,
+and waits for it to respond with the answer.
+
+With DNSSEC validation enabled, a validating recursive name server
+(a.k.a. a *validating resolver*) asks for additional resource
+records in its query, hoping the remote authoritative name servers
+respond with more than just the answer to the query, but some proof to
+go along with the answer as well. If DNSSEC responses are received, the
+validating resolver performs cryptographic computation to verify the
+authenticity (the origin of the data) and integrity (that the data was not altered
+during transit) of the answers, and even asks the parent zone as part of
+the verification. It repeats this process of get-key, validate,
+ask-parent, and its parent, and its parent, all the way until
+the validating resolver reaches a key that it trusts. In the ideal,
+fully deployed world of DNSSEC, all validating resolvers only need to
+trust one key: the root key.
+
+.. _dnssec_12_steps:
+
+The 12-Step DNSSEC Validation Process (Simplified)
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The following example shows the 12 steps of the DNSSEC validating process 
+at a very high level, looking up the name ``www.isc.org`` :
+
+.. figure:: ../dnssec-guide/img/dnssec-12-steps.png
+   :alt: DNSSEC Validation 12 Steps
+
+1.  Upon receiving a DNS query from a client to resolve ``www.isc.org``,
+    the validating resolver follows standard DNS protocol to track down
+    the name server for ``isc.org``, and sends it a DNS query to ask for the
+    A record of ``www.isc.org``. But since this is a DNSSEC-enabled
+    resolver, the outgoing query has a bit set indicating it wants
+    DNSSEC answers, hoping the name server that receives it is DNSSEC-enabled
+    and can honor this secure request.
+
+2.  The ``isc.org`` name server is DNSSEC-enabled, so it responds with both
+    the answer (in this case, an A record) and a digital signature for
+    verification purposes.
+
+3.  The validating resolver requires cryptographic keys to be able to verify the
+    digital signature, so it asks the ``isc.org`` name server for those keys.
+
+4.  The ``isc.org`` name server responds with the cryptographic keys
+    (and digital signatures of the keys) used to generate the digital
+    signature that was sent in #2. At this point, the validating
+    resolver can use this information to verify the answers received in
+    #2.
+
+    Let's take a quick break here and look at what we've got so far...
+    how can our server trust this answer? If a clever attacker had taken over
+    the ``isc.org`` name server(s), of course she would send matching
+    keys and signatures. We need to ask someone else to have confidence
+    that we are really talking to the real ``isc.org`` name server. This
+    is a critical part of DNSSEC: at some point, the DNS administrators
+    at ``isc.org`` uploaded some cryptographic information to its
+    parent, ``.org``, maybe through a secure web form, maybe
+    through an email exchange, or perhaps in person. In
+    any event, at some point some verifiable information about the
+    child (``isc.org``) was sent to the parent (``.org``) for
+    safekeeping.
+
+5.  The validating resolver asks the parent (``.org``) for the
+    verifiable information it keeps on its child, ``isc.org``.
+
+6.  Verifiable information is sent from the ``.org`` server. At this
+    point, the validating resolver compares this to the answer it received
+    in #4; if the two of them match, it proves the authenticity of
+    ``isc.org``.
+
+    Let's examine this process. You might be thinking to yourself,
+    what if the clever attacker that took over ``isc.org`` also
+    compromised the ``.org`` servers? Of course all this information
+    would match! That's why we turn our attention now to the
+    ``.org`` server, interrogate it for its cryptographic keys, and
+    move one level up to ``.org``'s parent, root.
+
+7.  The validating resolver asks the ``.org`` authoritative name server for
+    its cryptographic keys, to verify the answers received in #6.
+
+8.  The ``.org`` name server responds with the answer (in this case,
+    keys and signatures). At this point, the validating resolver can
+    verify the answers received in #6.
+
+9.  The validating resolver asks root (``.org``'s parent) for the verifiable
+    information it keeps on its child, ``.org``.
+
+10. The root name server sends back the verifiable information it keeps
+    on ``.org``. The validating resolver uses this information
+    to verify the answers received in #8.
+
+    So at this point, both ``isc.org`` and ``.org`` check out. But
+    what about root? What if this attacker is really clever and somehow
+    tricked us into thinking she's the root name server? Of course she
+    would send us all matching information! So we repeat the
+    interrogation process and ask for the keys from the root name
+    server.
+
+11. The validating resolver asks the root name server for its cryptographic
+    keys to verify the answer(s) received in #10.
+
+12. The root name server sends its keys; at this point, the validating
+    resolver can verify the answer(s) received in #10.
+
+.. _chain_of_trust:
+
+Chain of Trust
+^^^^^^^^^^^^^^
+
+But what about the root server itself? Who do we go to verify root's
+keys? There's no parent zone for root. In security, you have to trust
+someone, and in the perfectly protected world of DNSSEC (we talk later
+about the current imperfect state and ways to work around it),
+each validating resolver would only have to trust one entity, that is,
+the root name server. The validating resolver already has the root key
+on file (we discuss later how we got the root key file). So
+after the answer in #12 is received, the validating resolver compares it
+to the key it already has on file. Providing one of the keys in the
+answer matches the one on file, we can trust the answer from root. Thus
+we can trust ``.org``, and thus we can trust ``isc.org``. This is known
+as the "chain of trust" in DNSSEC.
+
+We revisit this 12-step process again later in
+:ref:`how_does_dnssec_change_dns_lookup_revisited` with more
+technical details.
+
+.. _why_is_dnssec_important:
+
+Why is DNSSEC Important? (Why Should I Care?)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+You might be thinking to yourself: all this DNSSEC stuff sounds
+wonderful, but why should I care? Below are some reasons why you may
+want to consider deploying DNSSEC:
+
+1. *Being a good netizen*: By enabling DNSSEC validation (as described in
+   :ref:`dnssec_validation`) on your DNS servers, you're protecting
+   your users and yourself a little more by checking answers returned to
+   you; by signing your zones (as described in
+   :ref:`dnssec_signing`), you are making it possible for other
+   people to verify your zone data. As more people adopt DNSSEC, the
+   Internet as a whole becomes more secure for everyone.
+
+2. *Compliance*: You may not even get a say in
+   implementing DNSSEC, if your organization is subject to compliance
+   standards that mandate it. For example, the US government set a
+   deadline in 2008 to have all ``.gov`` subdomains signed by
+   December 2009  [#]_. So if you operate a subdomain in ``.gov``, you
+   must implement DNSSEC to be compliant. ICANN also requires
+   that all new top-level domains support DNSSEC.
+
+3. *Enhanced Security*: Okay, so the big lofty goal of "let's be good"
+   doesn't appeal to you, and you don't have any compliance standards to
+   worry about. Here is a more practical reason why you should consider
+   DNSSEC: in the event of a DNS-based security breach, such as cache
+   poisoning or domain hijacking, after all the financial and brand
+   damage done to your domain name, you might be placed under scrutiny
+   for any preventive measure that could have been put in place. Think
+   of this like having your website only available via HTTP but not
+   HTTPS.
+
+4. *New Features*: DNSSEC brings not only enhanced security, but also
+   a whole new suite of features. Once DNS
+   can be trusted completely, it becomes possible to publish SSL
+   certificates in DNS, or PGP keys for fully automatic cross-platform
+   email encryption, or SSH fingerprints.... New features are still
+   being developed, but they all rely on a trustworthy DNS
+   infrastructure. To take a peek at these next-generation DNS features,
+   check out :ref:`introduction_to_dane`.
+
+.. [#]
+   The Office of Management and Budget (OMB) for the US government
+   published `a memo in
+   2008 <https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2008/m08-23.pdf>`__,
+   requesting all ``.gov`` subdomains to be DNSSEC-signed by December
+   2009. This explains why ``.gov`` is the most-deployed DNSSEC domain
+   currently, with `around 90% of subdomains
+   signed. <https://fedv6-deployment.antd.nist.gov/cgi-bin/generate-gov>`__
+
+.. _how_does_dnssec_change_my_job:
+
+How Does DNSSEC Change My Job as a DNS Administrator?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+With this protocol extension, some of the things you were used to in DNS
+have changed. As the DNS administrator, you have new maintenance
+tasks to perform on a regular basis (as described in
+:ref:`signing_maintenance_tasks`); when there is a DNS resolution
+problem, you have new troubleshooting techniques and tools to use (as
+described in :ref:`dnssec_troubleshooting`). BIND 9 tries its best to
+make these things as transparent and seamless as possible. In this
+guide, we try to use configuration examples that result in the least
+amount of work for BIND 9 DNS administrators.
diff --git a/doc/dnssec-guide/preface.rst b/doc/dnssec-guide/preface.rst
new file mode 100644
index 0000000..13ba820
--- /dev/null
+++ b/doc/dnssec-guide/preface.rst
@@ -0,0 +1,83 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Preface
+-------
+
+.. _preface_organization:
+
+Organization
+~~~~~~~~~~~~
+
+This document provides introductory information on how DNSSEC works, how
+to configure BIND 9 to support some common DNSSEC features, and
+some basic troubleshooting tips. The chapters are organized as follows:
+
+:ref:`dnssec_guide_introduction` covers the intended audience for this
+document, assumed background knowledge, and a basic introduction to the
+topic of DNSSEC.
+
+:ref:`getting_started` covers various requirements
+before implementing DNSSEC, such as software versions, hardware
+capacity, network requirements, and security changes.
+
+:ref:`dnssec_validation` walks through setting up a validating
+resolver, and gives both more information on the validation process and
+some examples of tools to verify that the resolver is properly validating
+answers.
+
+:ref:`dnssec_signing` explains how to set up a basic signed
+authoritative zone, details the relationship between a child and a parent zone, 
+and discusses ongoing maintenance tasks.
+
+:ref:`dnssec_troubleshooting` provides some tips on how to analyze
+and diagnose DNSSEC-related problems.
+
+:ref:`dnssec_advanced_discussions` covers several topics, including key
+generation, key storage, key management, NSEC and NSEC3, and some
+disadvantages of DNSSEC.
+
+:ref:`dnssec_recipes` provides several working examples of common DNSSEC
+solutions, with step-by-step details.
+
+:ref:`dnssec_commonly_asked_questions` lists some commonly asked
+questions and answers about DNSSEC.
+
+.. _preface_acknowledgement:
+
+Acknowledgements
+~~~~~~~~~~~~~~~~
+
+This document was originally authored by Josh Kuo of `DeepDive
+Networking <https://www.deepdivenetworking.com/>`__. He can be reached
+at josh.kuo@gmail.com.
+
+Thanks to the following individuals (in no particular order) who have
+helped in completing this document: Jeremy C. Reed, Heidi Schempf,
+Stephen Morris, Jeff Osborn, Vicky Risk, Jim Martin, Evan Hunt, Mark
+Andrews, Michael McNally, Kelli Blucher, Chuck Aurora, Francis Dupont,
+Rob Nagy, Ray Bellis, Matthijs Mekking, and Suzanne Goldlust.
+
+Special thanks goes to Cricket Liu and Matt Larson for their
+selflessness in knowledge sharing.
+
+Thanks to all the reviewers and contributors, including John Allen, Jim
+Young, Tony Finch, Timothe Litt, and Dr. Jeffry A. Spain.
+
+The sections on key rollover and key timing metadata borrowed heavily
+from the Internet Engineering Task Force draft titled "DNSSEC Key Timing
+Considerations" by S. Morris, J. Ihren, J. Dickinson, and W. Mekking,
+subsequently published as :rfc:`7583`.
+
+Icons made by `Freepik <https://www.freepik.com/>`__ and
+`SimpleIcon <https://www.simpleicon.com/>`__ from
+`Flaticon <https://www.flaticon.com/>`__, licensed under `Creative Commons BY
+3.0 <https://creativecommons.org/licenses/by/3.0/>`__.
diff --git a/doc/dnssec-guide/recipes.rst b/doc/dnssec-guide/recipes.rst
new file mode 100644
index 0000000..a4bdffa
--- /dev/null
+++ b/doc/dnssec-guide/recipes.rst
@@ -0,0 +1,1084 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. _dnssec_recipes:
+
+Recipes
+-------
+
+This chapter provides step-by-step "recipes" for some common
+DNSSEC configurations.
+
+.. _recipes_inline_signing:
+
+DNSSEC Signing
+~~~~~~~~~~~~~~
+
+There are two recipes here: the first shows an example using DNSSEC
+signing on the primary server, which has been covered in this
+guide; the second shows how to setup a "bump in the
+wire" between a hidden primary and the secondary servers to seamlessly
+sign the zone "on the fly."
+
+.. _recipes_inline_signing_primary:
+
+Primary Server DNSSEC Signing
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+In this recipe, our servers are illustrated as shown in
+:ref:`dnssec-signing-1`: we have a primary server
+(192.168.1.1) and three secondary servers (192.168.1.2, 192.168.1.3, and
+192.168.1.4) that receive zone transfers. To get the zone
+signed, we need to reconfigure the primary server. Once reconfigured, a
+signed version of the zone is generated on the fly;
+zone transfers take care of synchronizing the signed zone data
+to all secondary name servers, without configuration or software changes
+on them.
+
+.. _dnssec-signing-1:
+
+.. figure:: ../dnssec-guide/img/dnssec-inline-signing-1.png
+   :alt: DNSSEC Signing Recipe #1
+   :width: 80.0%
+
+   DNSSEC Signing Recipe #1
+
+Using the method described in
+:ref:`easy_start_guide_for_authoritative_servers`, we just need to
+add a ``dnssec-policy`` statement to the relevant zone clause. This is
+what the ``named.conf`` zone statement looks like on the primary server, 192.168.1.1:
+
+::
+
+   zone "example.com" IN {
+       type primary;
+       file "db/example.com.db";
+       key-directory "keys/example.com";
+       dnssec-policy default;
+       inline-signing yes;
+       allow-transfer { 192.168.1.2; 192.168.1.3; 192.168.1.4; };
+   };
+
+We have chosen to use the default policy, storing the keys generated for
+the zone in the directory ``keys/example.com``. To use a
+custom policy, define the policy in the configuration
+file and select it in the zone statement (as described in
+:ref:`signing_custom_policy`).
+
+On the secondary servers, ``named.conf`` does not need to be updated,
+and it looks like this:
+
+::
+
+   zone "example.com" IN {
+       type secondary;
+       file "db/example.com.db";
+       primaries { 192.168.1.1; };
+   };
+
+In fact, the secondary servers do not even need to be running BIND; they
+can run any DNS product that supports DNSSEC.
+
+.. _recipes_inline_signing_bump_in_the_wire:
+
+"Bump in the Wire" Signing
+^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+In this recipe, we take advantage of the power of automated signing
+by placing an additional name server (192.168.1.5) between the hidden
+primary (192.168.1.1) and the DNS secondaries (192.168.1.2, 192.168.1.3,
+and 192.168.1.4). The additional name server, 192.168.1.5, acts as a "bump
+in the wire," taking an unsigned zone from the hidden primary,
+and sending out signed data on the other end to the secondary name
+servers. The steps described in this recipe may be used as part of a
+DNSSEC deployment strategy, since it requires only minimal changes made to
+the existing hidden DNS primary and DNS secondaries.
+
+.. _dnssec-signing-2:
+
+.. figure:: ../dnssec-guide/img/dnssec-inline-signing-2.png
+   :alt: DNSSEC Signing Recipe #2
+   :width: 100.0%
+
+   DNSSEC Signing Recipe #2
+
+It is important to remember that 192.168.1.1 in this case is a hidden
+primary not exposed to the world, and it must not be listed in the NS RRset.
+Otherwise the world will get conflicting answers: unsigned answers from
+the hidden primary and signed answers from the other name servers.
+
+The only configuration change needed on the hidden primary, 192.168.1.1,
+is to make sure it allows our middle box to perform a zone transfer:
+
+::
+
+   zone "example.com" IN {
+       ...
+       allow-transfer { 192.168.1.5; };
+       ...
+   };
+
+On the middle box, 192.168.1.5, all the tasks described in
+:ref:`easy_start_guide_for_authoritative_servers` still need to be
+performed, such as generating key pairs and uploading information to
+the parent zone. This server is configured as secondary to the hidden
+primary 192.168.1.1 to receive the unsigned data; then, using keys
+accessible to this middle box, to sign data on the fly; and finally, to send out the
+signed data via zone transfer to the other three DNS secondaries. Its
+``named.conf`` zone statement looks like this:
+
+::
+
+   zone example.com {
+       type secondary;
+       primaries { 192.168.1.1; };
+       file "db/example.com.db";
+       key-directory "keys/example.com";
+       dnssec-policy default;
+       inline-signing yes;
+       allow-transfer { 192.168.1.2; 192.168.1.3; 192.168.1.4; };
+   };
+
+(As before, the default policy has been selected here. See
+:ref:`signing_custom_policy` for instructions on how to define
+and use a custom policy.)
+
+Finally, on the three secondary servers, the configuration should be updated
+to receive a zone transfer from 192.168.1.5 (the middle box) instead of
+from 192.168.1.1 (the hidden primary). If using BIND, the ``named.conf`` file looks
+like this:
+
+::
+
+   zone "example.com" IN {
+       type secondary;
+       file "db/example.com.db";
+       primaries { 192.168.1.5; };   # this was 192.168.1.1 before!
+   };
+
+.. _recipes_rollovers:
+
+Rollovers
+~~~~~~~~~
+
+If you are signing your zone using a ``dnssec-policy`` statement, this
+section is not really relevant to you. In the policy statement, you set how long
+you want your keys to be valid for, the time
+taken for information to propagate through your zone, the time it takes
+for your parent zone to register a new DS record, etc., and that's more
+or less it. ``named`` implements everything for you automatically, apart from
+uploading the new DS records to your parent zone - which is covered in
+:ref:`signing_easy_start_upload_to_parent_zone`. (Some
+screenshots from a session where a KSK is uploaded to the parent zone
+are presented here for convenience.) However, these recipes may be useful
+in describing what happens
+through the rollover process and what you should be monitoring.
+
+.. _recipes_zsk_rollover:
+
+ZSK Rollover
+^^^^^^^^^^^^
+
+This recipe covers how to perform a ZSK rollover using what is known as
+the Pre-Publication method. For other ZSK rolling methods, please see
+:ref:`zsk_rollover_methods` in :ref:`dnssec_advanced_discussions`.
+
+Below is a sample timeline for a ZSK rollover to occur on January 1, 2021:
+
+1. December 1, 2020 (one month before rollover)
+
+   -  Generate new ZSK
+
+   -  Add DNSKEY for new ZSK to zone
+
+2. January 1, 2021 (day of rollover)
+
+   -  New ZSK used to replace RRSIGs for the bulk of the zone
+
+3. February 1, 2021 (one month after rollover)
+
+   -  Remove old ZSK DNSKEY RRset from zone
+
+   -  DNSKEY signatures made with KSK are changed
+
+The current active ZSK has the ID 17694 in the example below. For more
+information on key management and rollovers, please see
+:ref:`advanced_discussions_key_management`.
+
+One Month Before ZSK Rollover
++++++++++++++++++++++++++++++
+
+On December 1, 2020, a month before the example rollover, you (as administrator)
+should change the parameters on the current key (17694). Set it to become inactive on
+January 1, 2021 and be deleted from the zone on February 1, 2021; also,
+generate a successor key (51623):
+
+::
+
+   # cd /etc/bind/keys/example.com/
+   # dnssec-settime -I 20210101 -D 20210201 Kexample.com.+008+17694
+   ./Kexample.com.+008+17694.key/GoDaddy
+
+   ./Kexample.com.+008+17694.private
+   # dnssec-keygen -S Kexample.com.+008+17694
+   Generating key pair..++++++ ...........++++++ 
+   Kexample.com.+008+51623
+
+The first command gets us into the key directory
+``/etc/bind/keys/example.com/``, where keys for ``example.com`` are
+stored.
+
+The second, ``dnssec-settime``, sets an inactive (``-I``) date of January 1,
+2021, and a deletion (``-D``) date of February 1, 2021, for the current ZSK
+(``Kexample.com.+008+17694``).
+
+The third command, ``dnssec-keygen``, creates a successor key, using
+the exact same parameters (algorithms, key sizes, etc.) as the current
+ZSK. The new ZSK created in our example is ``Kexample.com.+008+51623``.
+
+Make sure the successor keys are readable by ``named``.
+
+``named``'s logging messages indicate when the next
+key checking event is scheduled to occur, the frequency of which can be
+controlled by ``dnssec-loadkeys-interval``. The log message looks like
+this:
+
+::
+
+   zone example.com/IN (signed): next key event: 01-Dec-2020 00:13:05.385
+
+And you can check the publish date of the key by looking at the key
+file:
+
+::
+
+   # cd /etc/bind/keys/example.com
+   # cat Kexample.com.+008+51623.key 
+   ; This is a zone-signing key, keyid 11623, for example.com.
+   ; Created: 20201130160024 (Mon Dec  1 00:00:24 2020)
+   ; Publish: 20201202000000 (Fri Dec  2 08:00:00 2020)
+   ; Activate: 20210101000000 (Sun Jan  1 08:00:00 2021)
+   ...
+
+Since the publish date is set to the morning of December 2, and our example
+scenario takes place on December 1, the next
+morning you will notice that your zone has gained a new DNSKEY record,
+but the new ZSK is not yet being used to generate signatures. Below is
+the abbreviated output - with shortened DNSKEY and RRSIG - when querying the
+authoritative name server, 192.168.1.13:
+
+::
+
+   $ dig @192.168.1.13 example.com. DNSKEY +dnssec +multiline
+
+   ...
+   ;; ANSWER SECTION:
+   example.com.        600 IN DNSKEY 257 3 8 (
+                   AwEAAcWDps...lM3NRn/G/R
+                   ) ; KSK; alg = RSASHA256; key id = 6817
+   example.com.        600 IN DNSKEY 256 3 8 (
+                   AwEAAbi6Vo...qBW5+iAqNz
+                   ) ; ZSK; alg = RSASHA256; key id = 51623
+   example.com.        600 IN DNSKEY 256 3 8 (
+                   AwEAAcjGaU...0rzuu55If5
+                   ) ; ZSK; alg = RSASHA256; key id = 17694
+   example.com.        600 IN RRSIG DNSKEY 8 2 600 (
+                   20210101000000 20201201230000 6817 example.com.
+                   LAiaJM26T7...FU9syh/TQ= )
+   example.com.        600 IN RRSIG DNSKEY 8 2 600 (
+                   20210101000000 20201201230000 17694 example.com.
+                   HK4EBbbOpj...n5V6nvAkI= )
+   ...
+
+For good measure, let's take a look at the SOA record and its
+signature for this zone. Notice the RRSIG is signed by the current ZSK,
+17694. This will come in handy later when you want to verify whether
+the new ZSK is in effect:
+
+::
+
+   $ dig @192.168.1.13 example.com. SOA +dnssec +multiline
+
+   ...
+   ;; ANSWER SECTION:
+   example.com.        600 IN SOA ns1.example.com. admin.example.com. (
+                   2020120102 ; serial
+                   1800       ; refresh (30 minutes)
+                   900        ; retry (15 minutes)
+                   2419200    ; expire (4 weeks)
+                   300        ; minimum (5 minutes)
+                   )
+   example.com.        600 IN RRSIG SOA 8 2 600 (
+                   20201230160109 20201130150109 17694 example.com.
+                   YUTC8rFULaWbW+nAHzbfGwNqzARHevpryzRIJMvZBYPo
+                   NAeejNk9saNAoCYKWxGJ0YBc2k+r5fYq1Mg4ll2JkBF5
+                   buAsAYLw8vEOIxVpXwlArY+oSp9T1w2wfTZ0vhVIxaYX
+                   6dkcz4I3wbDx2xmG0yngtA6A8lAchERx2EGy0RM= )
+
+These are all the manual tasks you need to perform for a ZSK rollover.
+If you have followed the configuration examples in this guide of using
+``inline-signing`` and ``auto-dnssec``, everything else is automated for
+you by BIND.
+
+Day of ZSK Rollover
++++++++++++++++++++
+
+On the actual day of the rollover, although there is technically nothing
+for you to do, you should still keep an eye on the zone to make sure new
+signatures are being generated by the new ZSK (51623 in this example).
+The easiest way is to query the authoritative name server 192.168.1.13
+for the SOA record as you did a month ago:
+
+::
+
+   $ dig @192.168.1.13 example.com. SOA +dnssec +multiline
+
+   ...
+   ;; ANSWER SECTION:
+   example.com.        600 IN SOA ns1.example.com. admin.example.com. (
+                   2020112011 ; serial
+                   1800       ; refresh (30 minutes)
+                   900        ; retry (15 minutes)
+                   2419200    ; expire (4 weeks)
+                   300        ; minimum (5 minutes)
+                   )
+   example.com.        600 IN RRSIG SOA 8 2 600 (
+                   20210131000000 20201231230000 51623 example.com.
+                   J4RMNpJPOmMidElyBugJp0RLqXoNqfvo/2AT6yAAvx9X
+                   zZRL1cuhkRcyCSLZ9Z+zZ2y4u2lvQGrNiondaKdQCor7
+                   uTqH5WCPoqalOCBjqU7c7vlAM27O9RD11nzPNpVQ7xPs
+                   y5nkGqf83OXTK26IfnjU1jqiUKSzg6QR7+XpLk0= )
+   ...
+
+As you can see, the signature generated by the old ZSK (17694) has
+disappeared, replaced by a new signature generated from the new ZSK
+(51623).
+
+.. note::
+
+   Not all signatures will disappear magically on the same day;
+   it depends on when each one was generated. In the worst-case scenario,
+   a new signature could have been signed by the old ZSK (17694) moments
+   before it was deactivated, meaning that the signature could live for almost
+   30 more days, until just before February 1.
+
+   This is why it is important to keep the old ZSK in the
+   zone and not delete it right away.
+
+One Month After ZSK Rollover
+++++++++++++++++++++++++++++
+
+Again, technically there is nothing you need to do on this day,
+but it doesn't hurt to verify that the old ZSK (17694) is now completely
+gone from your zone. ``named`` will not touch
+``Kexample.com.+008+17694.private`` and ``Kexample.com.+008+17694.key``
+on your file system. Running the same ``dig`` command for DNSKEY should
+suffice:
+
+::
+
+   $ dig @192.168.1.13 example.com. DNSKEY +multiline +dnssec
+
+   ...
+   ;; ANSWER SECTION:
+   example.com.        600 IN DNSKEY 257 3 8 (
+                   AwEAAcWDps...lM3NRn/G/R
+                   ) ; KSK; alg = RSASHA256; key id = 6817
+   example.com.        600 IN DNSKEY 256 3 8 (
+                   AwEAAdeCGr...1DnEfX+Xzn
+                   ) ; ZSK; alg = RSASHA256; key id = 51623
+   example.com.        600 IN RRSIG DNSKEY 8 2 600 (
+                   20170203000000 20170102230000 6817 example.com.
+                   KHY8P0zE21...Y3szrmjAM= )
+   example.com.        600 IN RRSIG DNSKEY 8 2 600 (
+                   20170203000000 20170102230000 51623 example.com.
+                   G2g3crN17h...Oe4gw6gH8= )
+   ...
+
+Congratulations, the ZSK rollover is complete! As for the actual key
+files (the files ending in ``.key`` and ``.private``), they may be deleted at this
+point, but they do not have to be.
+
+.. _recipes_ksk_rollover:
+
+KSK Rollover
+^^^^^^^^^^^^
+
+This recipe describes how to perform KSK rollover using the Double-DS
+method. For other KSK rolling methods, please see
+:ref:`ksk_rollover_methods` in
+:ref:`dnssec_advanced_discussions`. The registrar used in this
+recipe is `GoDaddy <https://www.godaddy.com>`__. Also for this recipe,
+we are keeping the number of DS records down to just one per active set
+using just SHA-1, for the sake of better clarity, although in practice
+most zone operators choose to upload two DS records as shown in
+:ref:`working_with_parent_zone`. For more information on key
+management and rollovers,
+please see :ref:`advanced_discussions_key_management`.
+
+Below is a sample timeline for a KSK rollover to occur on January 1, 2021:
+
+1. December 1, 2020 (one month before rollover)
+
+   -  Change timer on the current KSK
+
+   -  Generate new KSK and DS records
+
+   -  Add DNSKEY for the new KSK to zone
+
+   -  Upload new DS records to parent zone
+
+2. January 1, 2021 (day of rollover)
+
+   -  Use the new KSK to sign all DNSKEY RRsets, which generates new
+      RRSIGs
+
+   -  Add new RRSIGs to the zone
+
+   -  Remove RRSIG for the old ZSK from zone
+
+   -  Start using the new KSK to sign DNSKEY
+
+3. February 1, 2021 (one month after rollover)
+
+   -  Remove the old KSK DNSKEY from zone
+
+   -  Remove old DS records from parent zone
+
+The current active KSK has the ID 24828, and this is the DS record that
+has already been published by the parent zone:
+
+::
+
+   # dnssec-dsfromkey -a SHA-1 Kexample.com.+007+24828.key
+   example.com. IN DS 24828 7 1 D4A33E8DD550A9567B4C4971A34AD6C4B80A6AD3
+
+.. _one_month_before_ksk_rollover:
+
+One Month Before KSK Rollover
++++++++++++++++++++++++++++++
+
+On December 1, 2020, a month before the planned rollover, you (as
+administrator) should
+change the parameters on the current key. Set it to become inactive on January
+1, 2021, and be deleted from the zone on February 1st, 2021;
+also generate a successor key (23550). Finally, generate a new
+DS record based on the new key, 23550:
+
+::
+
+   # cd /etc/bind/keys/example.com/
+   # dnssec-settime -I 20210101 -D 20210201 Kexample.com.+007+24828
+   ./Kexample.com.+007+24848.key
+   ./Kexample.com.+007+24848.private
+   # dnssec-keygen -S Kexample.com.+007+24848
+   Generating key pair.......................................................................................++ ...................................++ 
+   Kexample.com.+007+23550
+   # dnssec-dsfromkey -a SHA-1 Kexample.com.+007+23550.key
+   example.com. IN DS 23550 7 1 54FCF030AA1C79C0088FDEC1BD1C37DAA2E70DFB
+
+The first command gets us into the key directory
+``/etc/bind/keys/example.com/``, where keys for ``example.com`` are
+stored.
+
+The second, ``dnssec-settime``, sets an inactive (``-I``) date of January 1,
+2021, and a deletion (``-D``) date of February 1, 2021 for the current KSK
+(``Kexample.com.+007+24848``).
+
+The third command, ``dnssec-keygen``, creates a successor key, using
+the exact same parameters (algorithms, key sizes, etc.) as the current
+KSK. The new key pair created in our example is ``Kexample.com.+007+23550``.
+
+The fourth and final command, ``dnssec-dsfromkey``, creates a DS record
+from the new KSK (23550), using SHA-1 as the digest type. Again, in
+practice most people generate two DS records for both supported digest
+types (SHA-1 and SHA-256), but for our example here we are only using
+one to keep the output small and hopefully clearer.
+
+Make sure the successor keys are readable by ``named``.
+
+The ``syslog`` message indicates when the next key
+checking event is. The log message looks like this:
+
+::
+
+   zone example.com/IN (signed): next key event: 01-Dec-2020 00:13:05.385
+
+You can check the publish date of the key by looking at the key
+file:
+
+::
+
+   # cd /etc/bind/keys/example.com
+   # cat Kexample.com.+007+23550.key
+   ; This is a key-signing key, keyid 23550, for example.com.
+   ; Created: 20201130160024 (Thu Dec  1 00:00:24 2020)
+   ; Publish: 20201202000000 (Fri Dec  2 08:00:00 2020)
+   ; Activate: 20210101000000 (Sun Jan  1 08:00:00 2021)
+   ...
+
+Since the publish date is set to the morning of December 2, and our example
+scenario takes place on December 1, the next
+morning you will notice that your zone has gained a new DNSKEY record
+based on your new KSK, but with no corresponding RRSIG yet. Below is the
+abbreviated output - with shortened DNSKEY and RRSIG - when querying the
+authoritative name server, 192.168.1.13:
+
+::
+
+   $ dig @192.168.1.13 example.com. DNSKEY +dnssec +multiline
+
+   ...
+   ;; ANSWER SECTION:
+   example.com.   300 IN DNSKEY 256 3 7 (
+                   AwEAAdYqAc...TiSlrma6Ef
+                   ) ; ZSK; alg = NSEC3RSASHA1; key id = 29747
+   example.com.   300 IN DNSKEY 257 3 7 (
+                   AwEAAeTJ+w...O+Zy9j0m63
+                   ) ; KSK; alg = NSEC3RSASHA1; key id = 24828
+   example.com.   300 IN DNSKEY 257 3 7 (
+                   AwEAAc1BQN...Wdc0qoH21H
+                   ) ; KSK; alg = NSEC3RSASHA1; key id = 23550
+   example.com.   300 IN RRSIG DNSKEY 7 2 300 (
+                   20201206125617 20201107115617 24828 example.com.
+                   4y1iPVJOrK...aC3iF9vgc= )
+   example.com.   300 IN RRSIG DNSKEY 7 2 300 (
+                   20201206125617 20201107115617 29747 example.com.
+                   g/gfmPjr+y...rt/S/xjPo= )
+
+   ...
+
+Anytime after generating the DS record, you can upload it;
+it is not necessary to wait for the DNSKEY to be published in your zone,
+since this new KSK is not active yet. You can do it
+immediately after the new DS record has been generated on December 1,
+or you can wait until the next day after you have verified that the
+new DNSKEY record is added to the zone. Below are some screenshots from
+GoDaddy's web-based interface, used to add a new DS record [#]_.
+
+1. After logging in, click the green "Launch" button next to the domain
+   name you want to manage.
+
+   .. _add-ds-1:
+
+   .. figure:: ../dnssec-guide/img/add-ds-1.png
+      :alt: Upload DS Record Step #1
+      :width: 70.0%
+
+      Upload DS Record Step #1
+
+2. Scroll down to the "DS Records" section and click "Manage."
+
+   .. _add-ds-2:
+
+   .. figure:: ../dnssec-guide/img/add-ds-2.png
+      :alt: Upload DS Record Step #2
+      :width: 40.0%
+
+      Upload DS Record Step #2
+
+3. A dialog appears, displaying the current key (24828). Click "Add DS
+   Record."
+
+   .. _add-ds-3:
+
+   .. figure:: ../dnssec-guide/img/add-ds-3.png
+      :alt: Upload DS Record Step #3
+      :width: 80.0%
+
+      Upload DS Record Step #3
+
+4. Enter the Key ID, algorithm, digest type, and the digest, then click
+   "Next."
+
+   .. _add-ds-4:
+
+   .. figure:: ../dnssec-guide/img/add-ds-4.png
+      :alt: Upload DS Record Step #4
+      :width: 80.0%
+
+      Upload DS Record Step #4
+
+5. Address any errors and click "Finish."
+
+   .. _add-ds-5:
+
+   .. figure:: ../dnssec-guide/img/add-ds-5.png
+      :alt: Upload DS Record Step #5
+      :width: 80.0%
+
+      Upload DS Record Step #5
+
+6. Both DS records are shown. Click "Save."
+
+   .. _add-ds-6:
+
+   .. figure:: ../dnssec-guide/img/add-ds-6.png
+      :alt: Upload DS Record Step #6
+      :width: 80.0%
+
+      Upload DS Record Step #6
+
+Finally, let's verify that the registrar has published the new DS
+record. This may take anywhere from a few minutes to a few days,
+depending on your parent zone. You can verify whether your
+parent zone has published the new DS record by querying for the DS
+record of your zone. In the example below, the Google public DNS server
+8.8.8.8 is used:
+
+::
+
+   $ dig @8.8.8.8 example.com. DS
+
+   ...
+   ;; ANSWER SECTION:
+   example.com.    21552   IN  DS  24828 7 1 D4A33E8DD550A9567B4C4971A34AD6C4B80A6AD3
+   example.com.    21552   IN  DS  23550 7 1 54FCF030AA1C79C0088FDEC1BD1C37DAA2E70DFB
+
+You can also query your parent zone's authoritative name servers
+directly to see if these records have been published. DS records will
+not show up on your own authoritative zone, so you cannot query your own
+name servers for them. In this recipe, the parent zone is ``.com``, so
+querying a few of the ``.com`` name servers is another appropriate
+verification.
+
+Day of KSK Rollover
++++++++++++++++++++
+
+If you have followed the examples in this document, as described in
+:ref:`easy_start_guide_for_authoritative_servers`, there is
+technically nothing you need to do manually on the actual day of the
+rollover. However, you should still keep an eye on the zone to make sure
+new signature(s) are being generated by the new KSK (23550 in this
+example). The easiest way is to query the authoritative name server
+192.168.1.13 for the same DNSKEY and signatures, as you did a month
+ago:
+
+::
+
+   $ dig @192.168.1.13 example.com. DNSKEY +dnssec +multiline
+
+   ...
+   ;; ANSWER SECTION:
+   example.com.   300 IN DNSKEY 256 3 7 (
+                   AwEAAdYqAc...TiSlrma6Ef
+                   ) ; ZSK; alg = NSEC3RSASHA1; key id = 29747
+   example.com.   300 IN DNSKEY 257 3 7 (
+                   AwEAAeTJ+w...O+Zy9j0m63
+                   ) ; KSK; alg = NSEC3RSASHA1; key id = 24828
+   example.com.   300 IN DNSKEY 257 3 7 (
+                   AwEAAc1BQN...Wdc0qoH21H
+                   ) ; KSK; alg = NSEC3RSASHA1; key id = 23550
+   example.com.    300 IN RRSIG DNSKEY 7 2 300 (
+                   20210201074900 20210101064900 23550 mydnssecgood.org.
+                   S6zTbBTfvU...Ib5eXkbtE= )
+   example.com.    300 IN RRSIG DNSKEY 7 2 300 (
+                   20210105074900 20201206064900 29747 mydnssecgood.org.
+                   VY5URQA2/d...OVKr1+KX8= )
+   ...
+
+As you can see, the signature generated by the old KSK (24828) has
+disappeared, replaced by a new signature generated from the new KSK
+(23550).
+
+One Month After KSK Rollover
+++++++++++++++++++++++++++++
+
+While the removal of the old DNSKEY from the zone should be automated by
+``named``, the removal of the DS record is manual. You should make sure
+the old DNSKEY record is gone from your zone first, by querying for the
+DNSKEY records of the zone; this time we expect not to see
+the key with an ID of 24828:
+
+::
+
+   $ dig @192.168.1.13 example.com. DNSKEY +dnssec +multiline
+
+   ...
+   ;; ANSWER SECTION:
+   example.com.    300 IN DNSKEY 256 3 7 (
+                   AwEAAdYqAc...TiSlrma6Ef
+                   ) ; ZSK; alg = NSEC3RSASHA1; key id = 29747
+   example.com.    300 IN DNSKEY 257 3 7 (
+                   AwEAAc1BQN...Wdc0qoH21H
+                   ) ; KSK; alg = NSEC3RSASHA1; key id = 23550
+   example.com.    300 IN RRSIG DNSKEY 7 2 300 (
+                   20210208000000 20210105230000 23550 mydnssecgood.org.
+                   Qw9Em3dDok...bNCS7KISw= )
+   example.com.    300 IN RRSIG DNSKEY 7 2 300 (
+                   20210208000000 20210105230000 29747 mydnssecgood.org.
+                   OuelpIlpY9...XfsKupQgc= )
+   ...
+
+Since the key with the ID 24828 is gone, you can now remove the old DS
+record for that key from our parent zone.
+Be careful to remove the correct DS record. If you accidentally remove
+the new DS record(s) with key ID 23550, it could lead to a problem called
+"security lameness," as discussed in
+:ref:`troubleshooting_security_lameness`, and may cause users to be unable
+to resolve any names in the zone.
+
+1. After logging in (again, GoDaddy.com in our example) and launching the domain, scroll down to the "DS
+   Records" section and click Manage.
+
+   .. _remove-ds-1:
+
+   .. figure:: ../dnssec-guide/img/remove-ds-1.png
+      :alt: Remove DS Record Step #1
+      :width: 40.0%
+
+      Remove DS Record Step #1
+
+2. A dialog appears, displaying both keys (24828 and 23550). Use the far
+   right-hand X button to remove key 24828.
+
+   .. _remove-ds-2:
+
+   .. figure:: ../dnssec-guide/img/remove-ds-2.png
+      :alt: Remove DS Record Step #2
+      :width: 80.0%
+
+      Remove DS Record Step #2
+
+3. Key 24828 now appears crossed out; click "Save" to complete the
+   removal.
+
+   .. _remove-ds-3:
+
+   .. figure:: ../dnssec-guide/img/remove-ds-3.png
+      :alt: Remove DS Record Step #3
+      :width: 80.0%
+
+      Remove DS Record Step #3
+
+Congratulations, the KSK rollover is complete! As for the actual key
+files (ending in ``.key`` and ``.private``), they may be deleted at this
+point, but they do not have to be.
+
+.. [#]
+   The screenshots were taken from GoDaddy's interface at the time the
+   original version of this guide was published (2015). It may have
+   changed since then.
+
+.. _recipes_nsec3:
+
+NSEC and NSEC3
+~~~~~~~~~~~~~~
+
+.. _recipes_nsec_to_nsec3:
+
+Migrating from NSEC to NSEC3
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+This recipe describes how to transition from using NSEC to NSEC3, as described
+in :ref:`advanced_discussions_proof_of_nonexistence`. This recipe
+assumes that the zones are already signed, and that ``named`` is configured
+according to the steps described in
+:ref:`easy_start_guide_for_authoritative_servers`.
+
+.. warning::
+
+   If your zone is signed with RSASHA1 (algorithm 5), you cannot migrate
+   to NSEC3 without also performing an
+   algorithm rollover
+   to RSASHA1-NSEC3-SHA1 (algorithm 7), as described in
+   :ref:`advanced_discussions_DNSKEY_algorithm_rollovers`. This
+   ensures that older validating resolvers that do not understand
+   NSEC3 will fall back to treating the zone as unsecured (rather than
+   "bogus"), as described in Section 2 of :rfc:`5155`.
+
+To enable NSEC3, update your ``dnssec-policy`` and add the desired NSEC3
+parameters. The example below enables NSEC3 for zones with the ``standard``
+DNSSEC policy, using 0 additional iterations, no opt-out, and a zero-length salt:
+
+::
+
+    dnssec-policy "standard" {
+        nsec3param iterations 0 optout no salt-length 0;
+    };
+
+Then reconfigure the server with ``rndc``. You can tell that it worked if you
+see the following debug log messages:
+
+::
+
+   Oct 21 13:47:21 received control channel command 'reconfig'
+   Oct 21 13:47:21 zone example.com/IN (signed): zone_addnsec3chain(1,CREATE,0,-)
+
+You can also verify that it worked by querying for a name that you know
+does not exist, and checking for the presence of the NSEC3 record.
+For example:
+
+::
+
+   $ dig @192.168.1.13 thereisnowaythisexists.example.com. A +dnssec +multiline
+
+   ...
+   5A03TL362CS8VSIH69CVA4MJIKRHFQH3.example.com. 300 IN NSEC3 1 0 0 - (
+                   TQ9QBEGA6CROHEOC8KIH1A2C06IVQ5ER
+                   NS SOA RRSIG DNSKEY NSEC3PARAM )
+   ...
+
+Our example used four parameters: 1, 0, 0, and -, in
+order. 1 represents the algorithm, 0 represents the
+opt-out flag, 0 represents the number of additional iterations, and
+- denotes no salt is used. To learn more about each of these
+parameters, please see :ref:`advanced_discussions_nsec3param`.
+
+.. _recipes_nsec3_to_nsec:
+
+Migrating from NSEC3 to NSEC
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Migrating from NSEC3 back to NSEC is easy; just remove the ``nsec3param``
+configuration option from your ``dnssec-policy`` and reconfigure the name
+server. You can tell that it worked if you see these messages in the log:
+
+::
+
+   named[14093]: received control channel command 'reconfig'
+   named[14093]: zone example.com/IN: zone_addnsec3chain(1,REMOVE,0,-)
+
+You can also query for a name that you know does not exist,
+and you should no longer see any traces of NSEC3 records.
+
+::
+
+   $ dig @192.168.1.13 reieiergiuhewhiouwe.example.com. A +dnssec +multiline
+
+   ...
+   example.com.        300 IN NSEC aaa.example.com. NS SOA RRSIG NSEC DNSKEY
+   ...
+   ns1.example.com.    300 IN NSEC web.example.com. A RRSIG NSEC
+   ...
+
+.. _recipes_nsec3_optout:
+
+NSEC3 Opt-Out
+^^^^^^^^^^^^^
+
+This recipe discusses how to enable and disable NSEC3 opt-out, and how to show
+the results of each action. As discussed in
+:ref:`advanced_discussions_nsec3_optout`, NSEC3 opt-out is a feature
+that can help conserve resources on parent zones with many
+delegations that have not yet been signed.
+
+.. warning::
+   NSEC3 Opt-Out feature brings benefit only to _extremely_ large zones with lots
+   of insecure delegations. It's use is counterproductive in all other cases as
+   it decreases tamper-resistance of the zone and also decreases efficiency of
+   resolver cache (see :rfc:`8198`).
+
+   In other words, don't enable Opt-Out unless you are serving an equivalent of
+   ``com.`` zone.
+
+Because the NSEC3PARAM record does not keep track of whether opt-out is used,
+it is hard to check whether changes need to be made to the NSEC3 chain if the flag
+is changed. Similar to changing the NSEC3 salt, your best option is to change
+the value of ``optout`` together with another NSEC3 parameter, like
+``iterations``, and in a following step restore the ``iterations`` value.
+
+For this recipe we assume the zone ``example.com``
+has the following four entries (for this example, it is not relevant what
+record types these entries are):
+
+-  ``ns1.example.com``
+
+-  ``ftp.example.com``
+
+-  ``www.example.com``
+
+-  ``web.example.com``
+
+And the zone ``example.com`` has five delegations to five subdomains, only one of
+which is signed and has a valid DS RRset:
+
+-  ``aaa.example.com``, not signed
+
+-  ``bbb.example.com``, signed
+
+-  ``ccc.example.com``, not signed
+
+-  ``ddd.example.com``, not signed
+
+-  ``eee.example.com``, not signed
+
+Before enabling NSEC3 opt-out, the zone ``example.com`` contains ten
+NSEC3 records; below is the list with the plain text name before the actual
+NSEC3 record:
+
+-  *aaa.example.com*: IFA1I3IE7EKCTPHM6R58URO3Q846I52M.example.com
+
+-  *bbb.example.com*: ROJUF3VJSJO6LQ2LC1DNSJ5GBAUJPVHE.example.com
+
+-  *ccc.example.com*: 0VPUT696LUVDPDS5NIHSHBH9KLV20V5K.example.com
+
+-  *ddd.example.com*: UHPBD5U4HRGB84MLC2NQOVEFNAKJU0CA.example.com
+
+-  *eee.example.com*: NF7I61FA4C2UEKPMEDSOC25FE0UJIMKT.example.com
+
+-  *ftp.example.com*: 8P15KCUAT1RHCSDN46HBQVPI5T532IN1.example.com
+
+-  *ns1.example.com*: GUFVRA2SFIO8RSFP7UO41E8AD1KR41FH.example.com
+
+-  *web.example.com*: CVQ4LA4ALPQIAO2H3N2RB6IR8UHM91E7.example.com
+
+-  *www.example.com*: MIFDNDT3NFF3OD53O7TLA1HRFF95JKUK.example.com
+
+-  *example.com*: ONIB9MGUB9H0RML3CDF5BGRJ59DKJHVK.example.com
+
+We can enable NSEC3 opt-out with the following configuration, changing
+the ``optout`` configuration value from ``no`` to ``yes``:
+
+::
+
+   dnssec-policy "standard" {
+       nsec3param iterations 0 optout yes salt-length 0;
+   };
+
+After NSEC3 opt-out is enabled, the number of NSEC3 records is reduced.
+Notice that the unsigned delegations ``aaa``, ``ccc``, ``ddd``, and
+``eee`` no longer have corresponding NSEC3 records.
+
+-  *bbb.example.com*: ROJUF3VJSJO6LQ2LC1DNSJ5GBAUJPVHE.example.com
+
+-  *ftp.example.com*: 8P15KCUAT1RHCSDN46HBQVPI5T532IN1.example.com
+
+-  *ns1.example.com*: GUFVRA2SFIO8RSFP7UO41E8AD1KR41FH.example.com
+
+-  *web.example.com*: CVQ4LA4ALPQIAO2H3N2RB6IR8UHM91E7.example.com
+
+-  *www.example.com*: MIFDNDT3NFF3OD53O7TLA1HRFF95JKUK.example.com
+
+-  *example.com*: ONIB9MGUB9H0RML3CDF5BGRJ59DKJHVK.example.com
+
+To undo NSEC3 opt-out, change the configuration again:
+
+::
+
+   dnssec-policy "standard" {
+       nsec3param iterations 0 optout no salt-length 0;
+   };
+
+.. note::
+
+   NSEC3 hashes the plain text domain name, and we can compute our own
+   hashes using the tool ``nsec3hash``. For example, to compute the
+   hashed name for ``www.example.com`` using the parameters we listed
+   above, we can execute this command:
+
+   ::
+
+      # nsec3hash - 1 0 www.example.com.
+      MIFDNDT3NFF3OD53O7TLA1HRFF95JKUK (salt=-, hash=1, iterations=0)
+
+.. _revert_to_unsigned:
+
+Reverting to Unsigned
+~~~~~~~~~~~~~~~~~~~~~
+
+This recipe describes how to revert from a signed zone (DNSSEC) back to
+an unsigned (DNS) zone.
+
+Here is what :iscman:`named.conf` looks like when it is signed:
+
+.. code-block:: none
+  :emphasize-lines: 4
+
+   zone "example.com" IN {
+       type primary;
+       file "db/example.com.db";
+       dnssec-policy "default";
+       inline-signing yes;
+   };
+
+To indicate the reversion to unsigned, change the ``dnssec-policy`` line:
+
+.. code-block:: none
+  :emphasize-lines: 4
+
+   zone "example.com" IN {
+       type primary;
+       file "db/example.com.db";
+       dnssec-policy "insecure";
+       inline-signing yes;
+   };
+
+Then use :option:`rndc reload` to reload the zone.
+
+The "insecure" policy is a built-in policy (like "default"). It makes sure
+the zone is still DNSSEC-maintained, to allow for a graceful transition to
+unsigned. It also publishes the CDS and CDNSKEY DELETE records automatically
+at the appropriate time.
+
+If the parent zone allows management of DS records via CDS/CDNSKEY, as described in
+:rfc:`8078`, the DS record should be removed from the parent automatically.
+
+Otherwise, DS records can be removed via the registrar. Below is an example
+showing how to remove DS records using the
+`GoDaddy <https://www.godaddy.com>`__ web-based interface:
+
+1. After logging in, click the green "Launch" button next to the domain
+   name you want to manage.
+
+.. _unsign-1:
+
+   .. figure:: ../dnssec-guide/img/unsign-1.png
+      :alt: Revert to Unsigned Step #1
+      :width: 60.0%
+
+      Revert to Unsigned Step #1
+
+2. Scroll down to the "DS Records" section and click Manage.
+
+.. _unsign-2:
+
+   .. figure:: ../dnssec-guide/img/unsign-2.png
+      :alt: Revert to Unsigned Step #2
+      :width: 40.0%
+
+      Revert to Unsigned Step #2
+
+3. A dialog appears, displaying all current keys. Use the far right-hand
+   X button to remove each key.
+
+.. _unsign-3:
+
+   .. figure:: ../dnssec-guide/img/unsign-3.png
+      :alt: Revert to Unsigned Step #3
+      :width: 70.0%
+
+      Revert to Unsigned Step #3
+
+4. Click Save.
+
+.. _unsign-4:
+
+   .. figure:: ../dnssec-guide/img/unsign-4.png
+      :alt: Revert to Unsigned Step #4
+      :width: 70.0%
+
+      Revert to Unsigned Step #4
+
+When the DS records have been removed from the parent zone, use
+``rndc dnssec -checkds -key <id> withdrawn example.com`` to tell ``named`` that
+the DS is removed, and the remaining DNSSEC records will be removed in a timely
+manner. Or, if parental agents are configured, the DNSSEC records will be
+automatically removed after BIND has seen that the parental agents no longer
+serve the DS RRset for this zone.
+
+After a while, the zone is reverted back to the traditional, insecure DNS
+format. This can be verified by checking that all DNSKEY and RRSIG records have been
+removed from the zone.
+
+The ``dnssec-policy`` line can then be removed from :iscman:`named.conf` and
+the zone reloaded. The zone will no longer be subject to any DNSSEC
+maintenance.
diff --git a/doc/dnssec-guide/signing.rst b/doc/dnssec-guide/signing.rst
new file mode 100644
index 0000000..9bd5371
--- /dev/null
+++ b/doc/dnssec-guide/signing.rst
@@ -0,0 +1,1647 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. _dnssec_signing:
+
+Signing
+-------
+
+.. _easy_start_guide_for_authoritative_servers:
+
+Easy-Start Guide for Signing Authoritative Zones
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This section provides the basic information needed to set up a
+DNSSEC-enabled authoritative name server. A DNSSEC-enabled (or
+"signed") zone contains additional resource records that are used to
+verify the authenticity of its zone information.
+
+To convert a traditional (insecure) DNS zone to a secure one, we need to
+create some additional records (DNSKEY, RRSIG, and NSEC or NSEC3), and
+upload verifiable information (such as a DS record) to the parent zone to
+complete the chain of trust. For more information about DNSSEC resource
+records, please see :ref:`what_does_dnssec_add_to_dns`.
+
+.. note::
+
+   In this chapter, we assume all configuration files, key files, and
+   zone files are stored in ``/etc/bind``, and most examples show
+   commands run as the root user. This may not be ideal, but the point is
+   not to distract from what is important here: learning how to sign
+   a zone. There are many best practices for deploying a more secure
+   BIND installation, with techniques such as jailed process and
+   restricted user privileges, but those are not covered
+   in this document. We trust you, a responsible DNS
+   administrator, to take the necessary precautions to secure your
+   system.
+
+For the examples below, we work with the assumption that
+there is an existing insecure zone ``example.com`` that we are
+converting to a secure zone.
+
+.. _signing_easy_start_policy_enable:
+
+Enabling Automated DNSSEC Zone Maintenance and Key Generation
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+To sign a zone, add the following statement to its
+``zone`` clause in the BIND 9 configuration file:
+
+::
+
+   options {
+       directory "/etc/bind";
+       recursion no;
+       ...
+   };
+
+   zone "example.com" in {
+       ...
+       dnssec-policy default;
+       inline-signing yes;
+       ...
+   };
+
+The ``dnssec-policy`` statement causes the zone to be signed and turns
+on automatic maintenance for the zone. This includes re-signing the zone
+as signatures expire and replacing keys on a periodic basis. The value
+``default`` selects the default policy, which contains values suitable
+for most situations. We cover the creation of a custom policy in
+:ref:`signing_custom_policy`, but for the moment we are accepting the
+default values.
+
+Using ``dnssec-policy`` requires dynamic DNS or ``inline-signing``
+to be enabled.
+
+.. note::
+
+   Previously, if a zone with a ``dnssec-policy`` did not have dynamic
+   DNS set up and ``inline-signing`` was not explicity set, BIND 9 used
+   inline-signing implicitly. But this caused a lot of problems when operators
+   switched on or off dynamic DNS for their zones. Therefor, you now have to
+   configure it explicitly.
+
+When the configuration file is updated, tell ``named`` to
+reload the configuration file by running ``rndc reconfig``:
+
+::
+
+   # rndc reconfig
+
+And that's it - BIND signs your zone.
+
+At this point, before you go away and merrily add ``dnssec-policy``
+statements to all your zones, we should mention that, like a number of
+other BIND configuration options, its scope depends on where it is placed. In
+the example above, we placed it in a ``zone`` clause, so it applied only
+to the zone in question. If we had placed it in a ``view`` clause, it
+would have applied to all zones in the view; and if we had placed it in
+the ``options`` clause, it would have applied to all zones served by
+this instance of BIND.
+
+.. _signing_verification:
+
+Verification
+^^^^^^^^^^^^
+
+The BIND 9 reconfiguration starts the process of signing the zone.
+First, it generates a key for the zone and includes it
+in the published zone. The log file shows messages such as these:
+
+::
+
+   07-Apr-2020 16:02:55.045 zone example.com/IN (signed): reconfiguring zone keys
+   07-Apr-2020 16:02:55.045 reloading configuration succeeded
+   07-Apr-2020 16:02:55.046 keymgr: DNSKEY example.com/ECDSAP256SHA256/10376 (CSK) created for policy default
+   07-Apr-2020 16:02:55.046 Fetching example.com/ECDSAP256SHA256/10376 (CSK) from key repository.
+   07-Apr-2020 16:02:55.046 DNSKEY example.com/ECDSAP256SHA256/10376 (CSK) is now published
+   07-Apr-2020 16:02:55.046 DNSKEY example.com/ECDSAP256SHA256/10376 (CSK) is now active
+   07-Apr-2020 16:02:55.048 zone example.com/IN (signed): next key event: 07-Apr-2020 18:07:55.045
+
+It then starts signing the zone. How long this process takes depends on the
+size of the zone, the speed of the server, and how much activity is
+taking place. We can check what is happening by using ``rndc``,
+entering the command:
+
+::
+
+   # rndc signing -list example.com
+
+While the signing is in progress, the output is something like:
+
+::
+
+   Signing with key 10376/ECDSAP256SHA256
+
+and when it is finished:
+
+::
+
+   Done signing with key 10376/ECDSAP256SHA256
+
+When the second message appears, the zone is signed.
+
+Before moving on to the next step of coordinating with the parent zone,
+let's make sure everything looks good using ``delv``. We want to
+simulate what a validating resolver will check, by telling
+``delv`` to use a specific trust anchor.
+
+First, we need to make a copy of the key created by BIND. This
+is in the directory you set with the ``directory`` statement in
+your configuration file's ``options`` clause, and is named something
+like ``Kexample.com.+013.10376.key``:
+
+::
+
+   # cp /etc/bind/Kexample.com.+013+10376.key /tmp/example.key
+
+The original key file looks like this (with the actual key shortened for ease of display,
+and comments omitted):
+
+::
+
+   # cat /etc/bind/Kexample.com.+013+10376.key
+
+   ...
+   example.com. 3600 IN DNSKEY 257 3 13 6saiq99qDB...dqp+o0dw==
+
+We want to edit the copy to be in the ``trust-anchors`` format, so that
+it looks like this:
+
+::
+
+   # cat /tmp/example.key
+   trust-anchors {
+       example.com. static-key 257 3 13 "6saiq99qDB...dqp+o0dw==";
+   };
+
+Now we can run the ``delv`` command and instruct it to use this
+trusted-key file to validate the answer it receives from the
+authoritative name server 192.168.1.13:
+
+::
+
+   $ delv @192.168.1.13 -a /tmp/example.key +root=example.com example.com. SOA +multiline
+   ; fully validated
+   example.com.        600 IN SOA ns1.example.com. admin.example.com. (
+                   2020040703 ; serial
+                   1800       ; refresh (30 minutes)
+                   900        ; retry (15 minutes)
+                   2419200    ; expire (4 weeks)
+                   300        ; minimum (5 minutes)
+                   )
+   example.com.        600 IN RRSIG SOA 13 2 600 (
+                   20200421150255 20200407140255 10376 example.com.
+                   jBsz92zwAcGMNV/yu167aKQZvFyC7BiQe1WEnlogdLTF
+                   oq4yBQumOhO5WX61LjA17l1DuLWcd/ASwlUZWFGCYQ== )
+
+.. _signing_easy_start_upload_to_parent_zone:
+
+Uploading Information to the Parent Zone
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Once everything is complete on our name server, we need to generate some
+information to be uploaded to the parent zone to complete the chain of
+trust. The format and the upload methods are actually dictated by your
+parent zone's administrator, so contact your registrar or parent zone
+administrator to find out what the actual format should be and how to
+deliver or upload the information to the parent zone.
+
+What about your zone between the time you signed it and the time your
+parent zone accepts the upload? To the rest of the world, your
+zone still appears to be insecure, because if a validating
+resolver attempts to validate your domain name via
+your parent zone, your parent zone will indicate that you are
+not yet signed (as far as it knows). The validating resolver will then
+give up attempting to validate your domain name, and will fall back to the
+insecure DNS. Until you complete this final step with your
+parent zone, your zone remains insecure.
+
+.. note::
+
+   Before uploading to your parent zone, verify that your newly signed
+   zone has propagated to all of your name servers (usually via zone
+   transfers). If some of your name servers still have unsigned zone
+   data while the parent tells the world it should be signed, validating
+   resolvers around the world cannot resolve your domain name.
+
+Here are some examples of what you may upload to your parent zone, with
+the DNSKEY/DS data shortened for display. Note that no matter what
+format may be required, the end result is the parent zone
+publishing DS record(s) based on the information you upload. Again,
+contact your parent zone administrator(s) to find out the
+correct format for their system.
+
+1. DS record format:
+
+   ::
+
+      example.com. 3600 IN DS 10376 13 2 B92E22CAE0...33B8312EF0
+
+2. DNSKEY format:
+
+   ::
+
+      example.com. 3600 IN DNSKEY 257 3 13 6saiq99qDB...dqp+o0dw==
+
+The DS record format may be generated from the DNSKEY using the
+``dnssec-dsfromkey`` tool, which is covered in
+:ref:`parent_ds_record_format`. For more details and examples on how
+to work with your parent zone, please see
+:ref:`working_with_parent_zone`.
+
+.. _signing_easy_start_so_what_now:
+
+So... What Now?
+^^^^^^^^^^^^^^^
+
+Congratulations! Your zone is signed, your secondary servers have
+received the new zone data, and the parent zone has accepted your upload
+and published your DS record. Your zone is now officially
+DNSSEC-enabled. What happens next? That is basically it - BIND
+takes care of everything else. As for updating your zone file, you can
+continue to update it the same way as prior to signing your
+zone; the normal work flow of editing a zone file and using the ``rndc``
+command to reload the zone still works as usual, and although you are
+editing the unsigned version of the zone, BIND generates the signed
+version automatically.
+
+Curious as to what all these commands did to your zone file? Read on to
+:ref:`your_zone_before_and_after_dnssec` and find out. If you are
+interested in how to roll this out to your existing primary and
+secondary name servers, check out :ref:`recipes_inline_signing` in
+the :ref:`dnssec_recipes` chapter.
+
+.. _your_zone_before_and_after_dnssec:
+
+Your Zone, Before and After DNSSEC
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+When we assigned the default DNSSEC policy to the zone, we provided the
+minimal amount of information to convert a traditional DNS
+zone into a DNSSEC-enabled zone. This is what the zone looked like
+before we started:
+
+::
+
+   $ dig @192.168.1.13 example.com. AXFR +multiline +onesoa
+
+   ; <<>> DiG 9.16.0 <<>> @192.168.1.13 example.com AXFR +multiline +onesoa
+   ; (1 server found)
+   ;; global options: +cmd
+   example.com.        600 IN SOA ns1.example.com. admin.example.com. (
+                   2020040700 ; serial
+                   1800       ; refresh (30 minutes)
+                   900        ; retry (15 minutes)
+                   2419200    ; expire (4 weeks)
+                   300        ; minimum (5 minutes)
+                   )
+   example.com.        600 IN NS ns1.example.com.
+   ftp.example.com.    600 IN A 192.168.1.200
+   ns1.example.com.    600 IN A 192.168.1.1
+   web.example.com.    600 IN CNAME www.example.com.
+   www.example.com.    600 IN A 192.168.1.100
+
+Below shows the test zone ``example.com`` after reloading the
+server configuration. Clearly, the zone grew in size, and the
+number of records multiplied:
+
+::
+
+   # dig @192.168.1.13 example.com. AXFR +multiline +onesoa
+
+   ; <<>> DiG 9.16.0 <<>> @192.168.1.13 example.com AXFR +multiline +onesoa
+   ; (1 server found)
+   ;; global options: +cmd
+   example.com.        600 IN SOA ns1.example.com. admin.example.com. (
+                   2020040703 ; serial
+                   1800       ; refresh (30 minutes)
+                   900        ; retry (15 minutes)
+                   2419200    ; expire (4 weeks)
+                   300        ; minimum (5 minutes)
+                   )
+   example.com.        300 IN RRSIG NSEC 13 2 300 (
+                   20200413050536 20200407140255 10376 example.com.
+                   drtV1rJbo5OMi65OJtu7Jmg/thgpdTWrzr6O3Pzt12+B
+                   oCxMAv3orWWYjfP2n9w5wj0rx2Mt2ev7MOOG8IOUCA== )
+   example.com.        300 IN NSEC ftp.example.com. NS SOA RRSIG NSEC DNSKEY TYPE65534
+   example.com.        600 IN RRSIG NS 13 2 600 (
+                   20200413130638 20200407140255 10376 example.com.
+                   2ipmzm1Ei6vfE9OLowPMsxLBCbjrCpWPgWJ0ekwZBbux
+                   MLffZOXn8clt0Ql2U9iCPdyoQryuJCiojHSE2d6nrw== )
+   example.com.        600 IN RRSIG SOA 13 2 600 (
+                   20200421150255 20200407140255 10376 example.com.
+                   jBsz92zwAcGMNV/yu167aKQZvFyC7BiQe1WEnlogdLTF
+                   oq4yBQumOhO5WX61LjA17l1DuLWcd/ASwlUZWFGCYQ== )
+   example.com.        0 IN RRSIG TYPE65534 13 2 0 (
+                   20200413050536 20200407140255 10376 example.com.
+                   Xjkom24N6qeCJjg9BMUfuWf+euLeZB169DHvLYZPZNlm
+                   GgM2czUDPio6VpQbUw6JE5DSNjuGjgpgXC5SipC42g== )
+   example.com.        3600 IN RRSIG DNSKEY 13 2 3600 (
+                   20200421150255 20200407140255 10376 example.com.
+                   maK75+28oUyDtci3V7wjTsuhgkLUZW+Q++q46Lea6bKn
+                   Xj77kXcLNogNdUOr5am/6O6cnPeJKJWsnmTLISm62g== )
+   example.com.        0 IN TYPE65534 \# 5 ( 0D28880001 )
+   example.com.        3600 IN DNSKEY 257 3 13 (
+                   6saiq99qDBb5b4G4cx13cPjFTrIvUs3NW44SvbbHorHb
+                   kXwOzeGAWyPORN+pwEV/LP9+FHAF/JzAJYdqp+o0dw==
+                   ) ; KSK; alg = ECDSAP256SHA256 ; key id = 10376
+   example.com.        600 IN NS ns1.example.com.
+   ftp.example.com.    600 IN RRSIG A 13 3 600 (
+                   20200413130638 20200407140255 10376 example.com.
+                   UYo1njeUA49VhKnPSS3JO4G+/Xd2PD4m3Vaacnd191yz
+                   BIoouEBAGPcrEM2BNrgR0op1EWSus9tG86SM1ZHGuQ== )
+   ftp.example.com.    300 IN RRSIG NSEC 13 3 300 (
+                   20200413130638 20200407140255 10376 example.com.
+                   rPADrAMAPIPSF3S45OSY8kXBTYMS3nrZg4Awj7qRL+/b
+                   sOKy6044MbIbjg+YWL69dBjKoTSeEGSCSt73uIxrYA== )
+   ftp.example.com.    300 IN NSEC ns1.example.com. A RRSIG NSEC
+   ftp.example.com.    600 IN A 192.168.1.200
+   ns1.example.com.    600 IN RRSIG A 13 3 600 (
+                   20200413130638 20200407140255 10376 example.com.
+                   Yeojg7qrJmxL6uLTnALwKU5byNldZ9Ggj5XjcbpPvujQ
+                   ocG/ovGBg6pdugXC9UxE39bCDl8dua1frjDcRCCZAA== )
+   ns1.example.com.    300 IN RRSIG NSEC 13 3 300 (
+                   20200413130638 20200407140255 10376 example.com.
+                   vukgQme6k7JwCf/mJOOzHXbE3fKtSro+Kc10T6dHMdsc
+                   oM1/oXioZvgBZ9cKrQhIAUt7r1KUnrUwM6Je36wWFA== )
+   ns1.example.com.    300 IN NSEC web.example.com. A RRSIG NSEC
+   ns1.example.com.    600 IN A 192.168.1.1
+   web.example.com.    600 IN RRSIG CNAME 13 3 600 (
+                   20200413130638 20200407140255 10376 example.com.
+                   JXi4WYypofD5geUowVqlqJyHzvcRnsvU/ONhTBaUCw5Y
+                   XtifKAXRHWrUL1HIwt37JYPLf5uYu90RfkWLj0GqTQ== )
+   web.example.com.    300 IN RRSIG NSEC 13 3 300 (
+                   20200413130638 20200407140255 10376 example.com.
+                   XF4Hsd58dalL+s6Qu99bG80PQyMf7ZrHEzDiEflRuykP
+                   DfBRuf34z27vj70LO1lp2ZiX4BB1ahcEK2ae9ASAmA== )
+   web.example.com.    300 IN NSEC www.example.com. CNAME RRSIG NSEC
+   web.example.com.    600 IN CNAME www.example.com.
+   www.example.com.    600 IN RRSIG A 13 3 600 (
+                   20200413050536 20200407140255 10376 example.com.
+                   mACKXrDOF5JMWqncSiQ3pYWA6abyGDJ4wgGCumjLXhPy
+                   0cMzJmKv2s7G6+tW3TsA6BK3UoMfv30oblY2Mnl4/A== )
+   www.example.com.    300 IN RRSIG NSEC 13 3 300 (
+                   20200413050536 20200407140255 10376 example.com.
+                   1YQ22odVt0TeP5gbNJwkvS684ipDmx6sEOsF0eCizhCv
+                   x8osuOATdlPjIEztt+rveaErZ2nsoLor5k1nQAHsbQ== )
+   www.example.com.    300 IN NSEC example.com. A RRSIG NSEC
+   www.example.com.    600 IN A 192.168.1.100
+
+But this is a really messy way to tell if the zone is set up properly
+with DNSSEC. Fortunately, there are tools to help us with that. Read on
+to :ref:`how_to_test_authoritative_server` to learn more.
+
+.. _how_to_test_authoritative_server:
+
+How To Test Authoritative Zones
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+So we've activated DNSSEC and uploaded some data to our parent zone. How
+do we know our zone is signed correctly? Here are a few ways to check.
+
+.. _signing_verify_key_data:
+
+Look for Key Data in Your Zone
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+One way to see if your zone is signed is to check for the
+presence of DNSKEY record types. In our example, we created a single
+key, and we expect to see it returned when we query for it.
+
+::
+
+   $ dig @192.168.1.13 example.com. DNSKEY +multiline
+
+   ; <<>> DiG 9.16.0 <<>> @10.53.0.6 example.com DNSKEY +multiline
+   ; (1 server found)
+   ;; global options: +cmd
+   ;; Got answer:
+   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18637
+   ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
+   ;; WARNING: recursion requested but not available
+
+   ;; OPT PSEUDOSECTION:
+   ; EDNS: version: 0, flags:; udp: 4096
+   ; COOKIE: efe186423313fb66010000005e8c997e99864f7d69ed7c11 (good)
+   ;; QUESTION SECTION:
+   ;example.com.       IN DNSKEY
+
+   ;; ANSWER SECTION:
+   example.com.        3600 IN DNSKEY 257 3 13 (
+                   6saiq99qDBb5b4G4cx13cPjFTrIvUs3NW44SvbbHorHb
+                   kXwOzeGAWyPORN+pwEV/LP9+FHAF/JzAJYdqp+o0dw==
+                   ) ; KSK; alg = ECDSAP256SHA256 ; key id = 10376
+     
+
+.. _signing_verify_signature:
+
+Look for Signatures in Your Zone
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Another way to see if your zone data is signed is to check for the
+presence of a signature. With DNSSEC, every record [#]_ now comes with at
+least one corresponding signature, known as an RRSIG.
+
+::
+
+   $ dig @192.168.1.13 example.com. SOA +dnssec +multiline
+
+   ; <<>> DiG 9.16.0 <<>> @10.53.0.6 example.com SOA +dnssec +multiline
+   ; (1 server found)
+   ;; global options: +cmd
+   ;; Got answer:
+   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45219
+   ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
+   ;; WARNING: recursion requested but not available
+
+   ;; OPT PSEUDOSECTION:
+   ; EDNS: version: 0, flags: do; udp: 4096
+   ; COOKIE: 75adff4f4ce916b2010000005e8c99c0de47eabb7951b2f5 (good)
+   ;; QUESTION SECTION:
+   ;example.com.       IN SOA
+
+   ;; ANSWER SECTION:
+   example.com.        600 IN SOA ns1.example.com. admin.example.com. (
+                   2020040703 ; serial
+                   1800       ; refresh (30 minutes)
+                   900        ; retry (15 minutes)
+                   2419200    ; expire (4 weeks)
+                   300        ; minimum (5 minutes)
+                   )
+   example.com.        600 IN RRSIG SOA 13 2 600 (
+                   20200421150255 20200407140255 10376 example.com.
+                   jBsz92zwAcGMNV/yu167aKQZvFyC7BiQe1WEnlogdLTF
+                   oq4yBQumOhO5WX61LjA17l1DuLWcd/ASwlUZWFGCYQ== )
+
+The serial number was automatically incremented from the old, unsigned
+version. ``named`` keeps track of the serial number of the signed version of
+the zone independently of the unsigned version. If the unsigned zone is
+updated with a new serial number that is higher than the one in the
+signed copy, then the signed copy is increased to match it;
+otherwise, the two are kept separate.
+
+.. _signing_verify_zone_file:
+
+Examine the Zone File
+^^^^^^^^^^^^^^^^^^^^^
+
+Our original zone file ``example.com.db`` remains untouched, and ``named`` has
+generated three additional files automatically for us (shown below). The
+signed DNS data is stored in ``example.com.db.signed`` and in the
+associated journal file.
+
+::
+
+   # cd /etc/bind
+   # ls
+   example.com.db  example.com.db.jbk  example.com.db.signed  example.com.db.signed.jnl
+
+A quick description of each of the files:
+
+-  ``.jbk``: a transient file used by ``named``
+
+-  ``.signed``: the signed version of the zone in raw format
+
+-  ``.signed.jnl``: a journal file for the signed version of the zone
+
+These files are stored in raw (binary) format for faster loading. To
+reveal the human-readable version, use ``named-compilezone``
+as shown below. In the example below, we run the command on the
+raw format zone ``example.com.db.signed`` to produce a text version of
+the zone ``example.com.text``:
+
+::
+
+   # named-compilezone -f raw -F text -o example.com.text example.com example.com.db.signed
+   zone example.com/IN: loaded serial 2014112008 (DNSSEC signed)
+   dump zone to example.com.text...done
+   OK
+
+.. _signing_verify_check_parent:
+
+Check the Parent
+^^^^^^^^^^^^^^^^
+
+Although this is not strictly related to whether the zone is
+signed, a critical part of DNSSEC is the trust relationship between the
+parent and the child. Just because we, the child, have all the correctly
+signed records in our zone does not mean it can be fully validated by a
+validating resolver, unless our parent's data agrees with ours. To check
+if our upload to the parent was successful, ask the parent name server
+for the DS record of our child zone; we should get back the DS record(s)
+containing the information we uploaded in
+:ref:`signing_easy_start_upload_to_parent_zone`:
+
+::
+
+   $ dig example.com. DS
+
+   ; <<>> DiG 9.16.0 <<>> example.com DS
+   ; (1 server found)
+   ;; global options: +cmd
+   ;; Got answer:
+   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16954
+   ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
+
+   ;; OPT PSEUDOSECTION:
+   ; EDNS: version: 0, flags:; udp: 4096
+   ; COOKIE: db280d5b52576780010000005e8c9bf5b0d8de103d934e5d (good)
+   ;; QUESTION SECTION:
+   ;example.com.           IN  DS
+
+   ;; ANSWER SECTION:
+   example.com.  61179 IN  DS  10376 13 2 B92E22CAE0B41430EC38D3F7EDF1183C3A94F4D4748569250C15EE33B8312EF0
+
+.. [#]
+   Well, almost every record: NS records and glue records for
+   delegations do not have RRSIG records. If there are
+   no delegations, then every record in your zone is
+   signed and comes with its own RRSIG.
+
+.. _signing_verify_external_tools:
+
+External Testing Tools
+^^^^^^^^^^^^^^^^^^^^^^
+
+We recommend two tools, below: Verisign DNSSEC Debugger and DNSViz. Others can
+be found via a simple online search. These excellent online tools are an easy
+way to verify that your domain name is fully secured.
+
+.. _signing_verify_external_tools_dnssec_debugger:
+
+Verisign DNSSEC Debugger
+++++++++++++++++++++++++
+
+URL: `<https://dnssec-debugger.verisignlabs.com/>`__
+
+This tool shows a nice summary of checks performed on your domain name.
+You can expand it to view more details for each of the items checked, to
+get a detailed report.
+
+.. figure:: ../dnssec-guide/img/verisign-dnssec-debugger-example.png
+   :alt: Verisign DNSSEC Debugger
+
+   Verisign DNSSEC Debugger
+
+.. _signing_verify_external_tools_dnsviz:
+
+DNSViz
+++++++
+
+URL: `<https://dnsviz.net/>`__
+
+DNSViz provides a visual analysis of the DNSSEC authentication chain for
+a domain name and its resolution path in the DNS namespace.
+
+.. figure:: ../dnssec-guide/img/dnsviz-example-small.png
+   :alt: DNSViz
+   :width: 80.0%
+
+   DNSViz
+
+.. _signing_easy_start_explained:
+
+Signing Easy Start Explained
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. _enable_automatic_maintenance_explained:
+
+Enable Automatic DNSSEC Maintenance Explained
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Signing a zone requires a number of separate steps:
+
+-  Generation of the keys to sign the zone.
+
+-  Inclusion of the keys into the zone.
+
+-  Signing of the records in the file (including the generation of the
+   NSEC or NSEC3 records).
+
+Maintaining a signed zone comprises a set of ongoing tasks:
+
+-  Re-signing the zone as signatures approach expiration.
+
+-  Generation of new keys as the time approaches for a key roll.
+
+-  Inclusion of new keys into the zone when the rollover starts.
+
+-  Transition from signing the zone with the old set of keys to signing
+   the zone with the new set of keys.
+
+-  Waiting the appropriate interval before removing the old keys from
+   the zone.
+
+-  Deleting the old keys.
+
+That is quite complex, and it is all handled in BIND 9 with the single
+``dnssec-policy default`` statement. We will see later on (in the
+:ref:`signing_custom_policy` section) how these actions can be tuned, by
+setting up our own DNSSEC policy with customized parameters. However, in many
+cases the defaults are adequate.
+
+At the time of this writing (mid-2020), ``dnssec-policy`` is still a
+relatively new feature in BIND. Although it is the preferred
+way to run DNSSEC in a zone, it is not yet able to automatically implement
+all the features that are available
+with a more "hands-on" approach to signing and key maintenance. For this
+reason, we cover alternative signing techniques in
+:ref:`signing_alternative_ways`.
+
+.. _working_with_parent_zone:
+
+Working With the Parent Zone
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+As mentioned in :ref:`signing_easy_start_upload_to_parent_zone`,
+the format of the information uploaded to your parent zone is dictated
+by your parent zone administrator. The two main formats are:
+
+1. DS record format
+
+2. DNSKEY format
+
+Check with your parent zone to see which format they require.
+
+But how can you get each of the formats from your existing data?
+
+When ``named`` turned on automatic
+DNSSEC maintenance, essentially the first thing it did was to create
+the DNSSEC keys and put them in the directory you specified in the
+configuration file. If you look in that directory, you will see three
+files with names like ``Kexample.com.+013+10376.key``,
+``Kexample.com.+013+10376.private``, and
+``Kexample.com.+013+10376.state``. The one we are interested in is the
+one with the ``.key`` suffix, which contains the zone's public key. (The
+other files contain the zone's private key and the DNSSEC state
+associated with the key.) This public key is used to generate the information we
+need to pass to the parent.
+
+.. _parent_ds_record_format:
+
+DS Record Format
+^^^^^^^^^^^^^^^^
+
+Below is an example of a DS record format generated from the KSK we
+created earlier (``Kexample.com.+013+10376.key``):
+
+::
+
+   # cd /etc/bind
+    dnssec-dsfromkey Kexample.com.+013+10376.key
+   example.com. IN DS 10376 13 2 B92E22CAE0B41430EC38D3F7EDF1183C3A94F4D4748569250C15EE33B8312EF0
+
+Some registrars ask their customers to manually specify the types of algorithm
+and digest used. In this example, 13 represents the algorithm used, and
+2 represents the digest type (SHA-256). The key tag or key ID is 10376.
+
+.. _parent_dnskey_format:
+
+DNSKEY Format
+^^^^^^^^^^^^^
+
+Below is an example of the same key ID (10376) using DNSKEY format
+(with the actual key shortened for ease of display):
+
+::
+
+   example.com. 3600 IN DNSKEY 257 3 13 (6saiq99qDB...dqp+o0dw==) ; key id = 10376
+
+The key itself is easy to find (it's difficult to miss that long
+base64 string) in the file.
+
+::
+
+   # cd /etc/bind
+   # cat Kexample.com.+013+10376.key
+   ; This is a key-signing key, keyid 10376, for example.com.
+   ; Created: 20200407150255 (Tue Apr  7 16:02:55 2020)
+   ; Publish: 20200407150255 (Tue Apr  7 16:02:55 2020)
+   ; Activate: 20200407150255 (Tue Apr  7 16:02:55 2020)
+   example.com. 3600 IN DNSKEY 257 3 13 6saiq99qDB...dqp+o0dw==
+
+.. _signing_custom_policy:
+
+Creating a Custom DNSSEC Policy
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The remainder of this section describes the contents of a custom DNSSEC
+policy. :ref:`dnssec_advanced_discussions` describes the concepts
+involved here and the pros and cons of choosing particular values. If
+you are not already familiar with DNSSEC, it may be worth reading that chapter
+first.
+
+Setting up your own DNSSEC policy means that you must include a
+``dnssec-policy`` clause in the zone file. This sets values for the
+various parameters that affect the signing of zones and the rolling of
+keys. The following is an example of such a clause:
+
+::
+
+   dnssec-policy standard {
+       dnskey-ttl 600;
+       keys {
+           ksk lifetime 365d algorithm ecdsap256sha256;
+           zsk lifetime 60d algorithm ecdsap256sha256;
+       };
+       max-zone-ttl 600;
+       parent-ds-ttl 600;
+       parent-propagation-delay 2h;
+       publish-safety 7d;
+       retire-safety 7d;
+       signatures-refresh 5d;
+       signatures-validity 15d;
+       signatures-validity-dnskey 15d;
+       zone-propagation-delay 2h;
+   };
+
+The policy has multiple parts:
+
+-  The name must be specified. As each zone can use a different policy,
+   ``named`` needs to be able to distinguish between policies. This is
+   done by giving each policy a name, such as ``standard`` in the above
+   example.
+
+-  The ``keys`` clause lists all keys that should be in the zone, along
+   with their associated parameters. In this example, we are using the
+   conventional KSK/ZSK split, with the KSK changed every year and the
+   ZSK changed every two months (the ``default`` DNSSEC policy sets a
+   CSK that is never changed). Keys are created using the
+   ECDSAPS256SHA256 algorithm; each KSK/ZSK pair must have the same
+   algorithm. A CSK combines the functionality of a ZSK and a KSK.
+
+-  The parameters ending in ``-ttl`` are, as expected, the TTLs of the
+   associated records. Remember that during a key rollover,
+   we have to wait for records to expire from caches? The values
+   here tell BIND 9 the maximum amount of time it has to wait for this to
+   happen. Values can be set for the DNSKEY records in your zone, the
+   non-DNSKEY records in your zone, and the DS records in the parent
+   zone.
+
+-  Another set of time-related parameters are those ending in
+   ``-propagation-delay``. These tell BIND how long it takes for a
+   change in zone contents to become available on all secondary servers.
+   (This may be non-negligible: for example, if a large zone is
+   transferred over a slow link.)
+
+-  The policy also sets values for the various signature parameters: how
+   long the signatures on the DNSKEY and non-DNSKEY records are valid,
+   and how often BIND should re-sign the zone.
+
+-  The parameters ending in ``-safety`` are there to give
+   you a bit of leeway in case a key roll doesn't go to plan. When
+   introduced into the zone, the ``publish-safety`` time is the amount
+   of additional time, over and above that calculated from the other
+   parameters, during which the new key is in the zone but before BIND starts
+   to sign records with it. Similarly, the ``retire-safety`` is the
+   amount of additional time, over and above that calculated from the
+   other parameters, during which the old key is retained in the zone before
+   being removed.
+
+-  Finally, the ``purge-keys`` option allows you to clean up key files
+   automatically after a period of time. If a key has been removed from the
+   zone, this option will determine how long its key files will be retained
+   on disk.
+
+(You do not have to specify all the items listed above in your policy
+definition. Any that are not set simply take the default value.)
+
+Usually, the exact timing of a key roll, or how long a signature remains
+valid, is not critical. For this reason, err on the side of caution when
+setting values for the parameters. It is better to have an operation
+like a key roll take a few days longer than absolutely required, than it
+is to have a quick key roll but have users get validation failures
+during the process.
+
+Having defined a new policy called "standard", we now need to tell
+``named`` to use it. We do this by adding a ``dnssec-policy standard;``
+statement to the configuration file. Like many other configuration
+statements, it can be placed in the ``options`` statement (thus applying
+to all zones on the server), a ``view`` statement (applying to all zones
+in the view), or a ``zone`` statement (applying only to that zone). In
+this example, we'll add it to the ``zone`` statement:
+
+::
+
+   zone "example.net" in {
+       ...
+       dnssec-policy standard;
+       inline-signing yes;
+       ...
+   };
+
+Finally, tell ``named`` to use the new policy:
+
+::
+
+   # rndc reconfig
+
+... and that's it. ``named`` now applies the "standard" policy to
+your zone.
+
+.. _signing_maintenance_tasks:
+
+Maintenance Tasks
+~~~~~~~~~~~~~~~~~
+
+Zone data is signed and the parent zone has published your DS records:
+at this point your zone is officially secure. When other
+validating resolvers look up information in your zone, they are able to
+follow the 12-step process as described in
+:ref:`how_does_dnssec_change_dns_lookup_revisited` and verify the
+authenticity and integrity of the answers.
+
+There is not that much left for you, as the DNS administrator, to do on
+an ongoing basis. Whenever you update your zone, BIND automatically
+re-signs your zone with new RRSIG and NSEC/NSEC3 records, and even
+increments the serial number for you. If you choose to split your keys
+into a KSK and ZSK, the rolling of the ZSK is completely automatic.
+Rolling of a KSK or CSK may require some manual intervention, though,
+so let's examine two more DNSSEC-related resource records, CDS and CDNSKEY.
+
+.. _cds_cdnskey:
+
+The CDS and CDNSKEY Resource Records
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Passing the DS record to the organization running the parent zone has
+always been recognized as a bottleneck in the key rollover process. To
+automate the process, the CDS and CDNSKEY resource records were
+introduced.
+
+The CDS and CDNSKEY records are identical to the DS and DNSKEY records,
+except in the type code and the name. When such a record appears in the
+child zone, it is a signal to the parent that it should update the DS it
+has for that zone. In essence, when the parent notices
+the presence of the CDS and/or CDNSKEY record(s) in the
+child zone, it checks these records to verify that they are
+signed by a valid key for the zone. If the record(s) successfully
+validate, the parent zone's DS RRset for the child zone is changed to
+correspond to the CDS (or CDNSKEY) records. (For more
+information on how the signaling works and the issues surrounding it,
+please refer to :rfc:`7344` and :rfc:`8078`.)
+
+.. _working_with_the_parent_2:
+
+Working with the Parent Zone (2)
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Once the zone is signed, the only required manual tasks are
+to monitor KSK or CSK key rolls and pass the new DS record to the
+parent zone. However, if the parent can process CDS or CDNSKEY records,
+you may not even have to do that [#]_.
+
+When the time approaches for the roll of a KSK or CSK, BIND adds a
+CDS and a CDNSKEY record for the key in question to the apex of the
+zone. If your parent zone supports polling for CDS/CDNSKEY records, they
+are uploaded and the DS record published in the parent - at least ideally.
+
+If BIND is configured with ``parental-agents``, it will check for the DS
+presence. Let's look at the following configuration excerpt:
+
+::
+
+   parental-agents "net" {
+       10.53.0.11; 10.53.0.12;
+   };
+
+   zone "example.net" in {
+       ...
+       dnssec-policy standard;
+       inline-signing yes;
+       parental-agents { "net"; };
+       ...
+   };
+
+BIND will check for the presence of the DS record in the parent zone by querying
+its parental agents (defined in :rfc:`7344` to be the entities that the child
+zone has a relationship with to change its delegation information). In the
+example above, The zone `example.net` is configured with two parental agents,
+at the addresses 10.53.0.11 and 10.53.0.12. These addresses are used as an
+example only. Both addresses will have to respond with a DS RRset that
+includes the DS record identifying the key that is being rolled. If one or
+both don't have the DS included yet the rollover is paused, and the check for
+DS presence is retried after an hour. The same applies for DS withdrawal.
+
+Alternatively, you can use the ``rndc`` tool to tell ``named`` that the DS
+record has been published or withdrawn. For example:
+
+::
+
+   # rndc dnssec -checkds published example.net
+
+If your parent zone doesn't support CDS/CDNSKEY, you will have to supply
+the DNSKEY or DS record to the parent zone manually when a new KSK appears in
+your zone, presumably using the same mechanism you used to upload the
+records for the first time. Again, you need to use the ``rndc`` tool
+to tell ``named`` that the DS record has been published.
+
+.. [#]
+   For security reasons, a parent zone that supports CDS/CDNSKEY may require
+   the DS record to be manually uploaded when we first sign the zone.
+   Until our zone is signed, the parent cannot be sure that a CDS or CDNSKEY
+   record it finds by querying our zone really comes from our zone; thus, it
+   needs to use some other form of secure transfer to obtain the information.
+
+.. _signing_alternative_ways:
+
+Alternate Ways of Signing a Zone
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Although use of the automatic ``dnssec-policy`` is the preferred way to sign zones in
+BIND, there are occasions where a more manual approach may be
+needed, such as when external hardware is used to
+generate and sign the zone. ``dnssec-policy`` does not currently support
+the use of external hardware, so if your security policy requires it, you
+need to use one of the methods described here.
+
+The idea of DNSSEC was first discussed in the 1990s and has been
+extensively developed over the intervening years. BIND has tracked the
+development of this technology, often being the first name server
+implementation to introduce new features. However, for compatibility reasons, BIND
+retained older ways of doing things even when new ways were added. This
+particularly applies to signing and maintaining zones, where different
+levels of automation are available.
+
+The following is a list of the available methods of signing in BIND, in the
+order that they were introduced - and in order of decreasing
+complexity.
+
+Manual
+   "Manual" signing was the first method to be introduced into BIND and
+   its name describes it perfectly: the user needs to do everything. In the
+   more-automated methods, you load an unsigned zone file into
+   ``named``, which takes care of signing it. With manual signing, you
+   have to provide a signed zone for ``named`` to serve.
+
+   In practice, this means creating an unsigned zone file as usual, then
+   using the BIND-provided tools ``dnssec-keygen`` to create the keys
+   and ``dnssec-signzone`` to sign the zone. The signed zone is stored
+   in another file and is the one you tell BIND to load. To
+   update the zone (for example, to add a resource record), you update the
+   unsigned zone, re-sign it, and tell ``named`` to load the updated
+   signed copy. The same goes for refreshing signatures or rolling keys;
+   the user is responsible for providing the signed zone served by
+   ``named``. (In the case of rolling keys, you are also responsible for
+   ensuring that the keys are added and removed at the correct times.)
+
+   Why would you want to sign your zone this way? You probably
+   wouldn't in the normal course of events, but as there may be
+   circumstances in which it is required, the scripts have been left in
+   the BIND distribution.
+
+Semi-Automatic
+   The first step in DNSSEC automation came with BIND 9.7, when the
+   ``auto-dnssec`` option was added. This causes ``named`` to
+   periodically search the directory holding the key files (see
+   :ref:`generate_keys` for a description) and to
+   use the information in them to both add and remove keys and sign the
+   zone.
+
+   Use of ``auto-dnssec`` alone requires that the zone be dynamic,
+   something not suitable for a number of situations, so BIND 9.9 added the
+   ``inline-signing`` option. With this, ``named`` essentially keeps the
+   signed and unsigned copies of the zone separate. The signed zone is
+   created from the unsigned one using the key information; when the
+   unsigned zone is updated and the zone reloaded, ``named`` detects the
+   changes and updates the signed copy of the zone.
+
+   This mode of signing has been termed "semi-automatic" in this
+   document because keys still have to be manually created (and deleted
+   when appropriate). Although not an onerous task, it is still
+   additional work.
+
+   Why would anyone want to use this
+   method when fully automated ones are available? At the time of
+   this writing (mid-2020), the fully automatic methods cannot handle all scenarios,
+   particularly that of having a single key shared among multiple
+   zones. They also do not handle keys stored in Hardware Security
+   Modules (HSMs), which are briefly covered in
+   :ref:`hardware_security_modules`.
+
+Fully Automatic with ``dnssec-keymgr``
+   The next step in the automation of DNSSEC operations came with BIND
+   9.11, which introduced the ``dnssec-keymgr`` utility. This is a
+   separate program and is expected to be run on a regular basis
+   (probably via ``cron``). It reads a DNSSEC policy from its
+   configuration file and reads timing information from the DNSSEC key
+   files. With this information it creates new key files with timing
+   information in them consistent with the policy. ``named`` is run as
+   usual, picking up the timing information in the key files to
+   determine when to add and remove keys, and when to sign with them.
+
+   In BIND 9.17.0 and later, this method of handling DNSSEC
+   policies has been replaced by the ``dnssec-policy`` statement in the
+   configuration file.
+
+Fully Automatic with ``dnssec-policy``
+   Introduced a BIND 9.16, ``dnssec-policy`` replaces ``dnssec-keymgr`` from BIND
+   9.17 onwards and avoids the need to run a separate program. It also
+   handles the creation of keys if a zone is added (``dnssec-keymgr``
+   requires an initial key) and deletes old key files as they are
+   removed from the zone. This is the method described in
+   :ref:`easy_start_guide_for_authoritative_servers`.
+
+We now look at some of these methods in more detail. We cover
+semi-automatic signing first, as that contains a lot of useful
+information about keys and key timings. We then describe what
+``dnssec-keymgr`` adds to semi-automatic signing. After that, we
+touch on fully automatic signing with ``dnssec-policy``. Since this has
+already been described in
+:ref:`easy_start_guide_for_authoritative_servers`, we will just
+mention a few additional points. Finally, we briefly describe manual signing.
+
+.. _semi_automatic_signing:
+
+Semi-Automatic Signing
+^^^^^^^^^^^^^^^^^^^^^^
+
+As noted above, the term semi-automatic signing has been used in this
+document to indicate the mode of signing enabled by the ``auto-dnssec``
+and ``inline-signing`` keywords. ``named`` signs the zone without any
+manual intervention, based purely on the timing information in the
+DNSSEC key files. The files, however, must be created manually.
+
+By appropriately setting the key parameters and the timing information
+in the key files, you can implement any DNSSEC policy you want for your
+zones. But why manipulate the key information yourself rather than rely
+on ``dnssec-keymgr`` or ``dnssec-policy`` to do it for you? The answer
+is that semi-automatic signing allows you to do things that, at the time of this writing
+(mid-2020), are currently not possible with one of the key managers: for
+example, the ability to use an HSM to store keys, or the ability to use
+the same key for multiple zones.
+
+To convert a traditional
+(insecure) DNS zone to a secure one, we need to create various
+additional records (DNSKEY, RRSIG, NSEC/NSEC3) and, as with
+fully automatic signing, to upload verifiable information (such as a DS
+record) to the parent zone to complete the chain of trust.
+
+.. note::
+
+   Again, we assume all configuration files, key
+   files, and zone files are stored in ``/etc/bind``, and most examples
+   show commands run
+   as the root user. This may not be ideal, but the point is not
+   to distract from what is important here: learning how to sign
+   a zone. There are many best practices for deploying a more secure
+   BIND installation, with techniques such as jailed process and
+   restricted user privileges, but those are not covered
+   in this document. We trust you, a responsible DNS
+   administrator, to take the necessary precautions to secure your
+   system.
+   
+   For our examples below, we work with the assumption that
+   there is an existing insecure zone ``example.com`` that we are
+   converting to a secure version. The secure version uses both a KSK
+   and a ZSK.
+
+.. _generate_keys:
+
+Generate Keys
++++++++++++++
+
+Everything in DNSSEC centers around keys, so we begin by
+generating our own keys.
+
+.. code-block:: console
+
+   # cd /etc/bind/keys
+   # dnssec-keygen -a ECDSAP256SHA256 example.com
+   Generating key pair...........................+++++ ......................+++++
+   Kexample.com.+013+34371
+   # dnssec-keygen -a ECDSAP256SHA256 -f KSK example.com
+   Generating key pair........................+++ ..................................+++
+   Kexample.com.+013+00472
+
+This command generates four key files in ``/etc/bind/keys``:
+
+-  Kexample.com.+013+34371.key
+
+-  Kexample.com.+013+34371.private
+
+-  Kexample.com.+013+00472.key
+
+-  Kexample.com.+013+00472.private
+
+The two files ending in ``.key`` are the public keys. These contain the
+DNSKEY resource records that appear in the zone. The two files
+ending in ``.private`` are the private keys, and contain the information
+that ``named`` actually uses to sign the zone.
+
+Of the two pairs, one is the zone-signing key (ZSK), and one is the
+key-signing key (KSK). We can tell which is which by looking at the file
+contents (the actual keys are shortened here for ease of display):
+
+.. code-block:: console
+
+   # cat Kexample.com.+013+34371.key
+   ; This is a zone-signing key, keyid 34371, for example.com.
+   ; Created: 20200616104249 (Tue Jun 16 11:42:49 2020)
+   ; Publish: 20200616104249 (Tue Jun 16 11:42:49 2020)
+   ; Activate: 20200616104249 (Tue Jun 16 11:42:49 2020)
+   example.com. IN DNSKEY 256 3 13 AwEAAfel66...LqkA7cvn8=
+   # cat Kexample.com.+013+00472.key
+   ; This is a key-signing key, keyid 472, for example.com.
+   ; Created: 20200616104254 (Tue Jun 16 11:42:54 2020)
+   ; Publish: 20200616104254 (Tue Jun 16 11:42:54 2020)
+   ; Activate: 20200616104254 (Tue Jun 16 11:42:54 2020)
+   example.com. IN DNSKEY 257 3 13 AwEAAbCR6U...l8xPjokVU=
+
+The first line of each file tells us what type of key it is. Also, by
+looking at the actual DNSKEY record, we can tell them apart: 256 is
+ZSK, and 257 is KSK.
+
+The name of the file also tells us something
+about the contents. See chapter :ref:`zone_keys` for more details.
+
+Make sure that these files are readable by ``named`` and that the
+``.private`` files are not readable by anyone else.
+
+Alternativelly, the ``dnssec-keyfromlabel`` program is used to get a key
+pair from a crypto hardware device and build the key files. Its usage is
+similar to ``dnssec-keygen``.
+
+Setting Key Timing Information
+++++++++++++++++++++++++++++++
+
+You may remember that in the above description of this method, we said
+that time information related to rolling keys is stored in the key
+files. This is placed there by ``dnssec-keygen`` when the file is
+created, and it can be modified using ``dnssec-settime``. By default,
+only a limited amount of timing information is included in the file, as
+illustrated in the examples in the previous section.
+
+All the dates are the same, and are the date and time that
+``dnssec-keygen`` created the key. We can use ``dnssec-settime`` to
+modify the dates [#]_. For example, to publish this key in
+the zone on 1 July 2020, use it to sign records for a year starting on
+15 July 2020, and remove it from the zone at the end of July 2021, we
+can use the following command:
+
+.. code-block:: console
+
+   # dnssec-settime -P 20200701 -A 20200715 -I 20210715 -D 20210731 Kexample.com.+013+34371.key
+   ./Kexample.com.+013+34371.key
+   ./Kexample.com.+013+34371.private
+
+which would set the contents of the key file to:
+
+.. code-block:: none
+
+   ; This is a zone-signing key, keyid 34371, for example.com.
+   ; Created: 20200616104249 (Tue Jun 16 11:42:49 2020)
+   ; Publish: 20200701000000 (Wed Jul  1 01:00:00 2020)
+   ; Activate: 20200715000000 (Wed Jul 15 01:00:00 2020)
+   ; Inactive: 20210715000000 (Thu Jul 15 01:00:00 2021)
+   ; Delete: 20210731000000 (Sat Jul 31 01:00:00 2021)
+   example.com. IN DNSKEY 256 3 13 AwEAAfel66...LqkA7cvn8=
+
+(The actual key is truncated here to improve readability.)
+
+Below is a complete list of each of the metadata fields, and how each
+one affects the signing of your zone:
+
+1. *Created*: This records the date on which the key was created. It is
+   not used in calculations; it is useful simply for documentation
+   purposes.
+
+2. *Publish*: This sets the date on which a key is to be published to the
+   zone. After that date, the key is included in the zone but is
+   not used to sign it. This allows validating resolvers to get a
+   copy of the new key in their cache before there are any resource
+   records signed with it. By default, if not specified at creation
+   time, this is set to the current time, meaning the key is
+   published as soon as ``named`` picks it up.
+
+3. *Activate*: This sets the date on which the key is to be activated. After
+   that date, resource records are signed with the key. By default,
+   if not specified during creation time, this is set to the current
+   time, meaning the key is used to sign data as soon as ``named``
+   picks it up.
+
+4. *Revoke:* This sets the date on which the key is to be revoked. After that
+   date, the key is flagged as revoked, although it is still included in the
+   zone and used to sign it. This is used to notify validating
+   resolvers that this key is about to be removed or retired from the
+   zone. (This state is not used in normal day-to-day operations. See
+   :rfc:`5011` to understand the circumstances where it may be used.)
+
+5. *Inactive*: This sets the date on which the key is to become inactive.
+   After that date, the key is still included in the zone, but it
+   is no longer used to sign it. This sets the "expiration" or "retire"
+   date for a key.
+
+6. *Delete*: This sets the date on which the key is to be deleted. After that
+   date, the key is no longer included in the zone, but it
+   continues to exist on the file system or key repository.
+
+This can be summarized as follows:
+
+.. table:: Key Metadata Comparison
+
+   +----------+------------------+------------------+------------------+
+   | Metadata | Included in Zone | Used to Sign     | Purpose          |
+   |          | File?            | Data?            |                  |
+   +==========+==================+==================+==================+
+   | Created  | No               | No               | Recording of     |
+   |          |                  |                  | key creation     |
+   +----------+------------------+------------------+------------------+
+   | Publish  | Yes              | No               | Introduction of  |
+   |          |                  |                  | a key soon to be |
+   |          |                  |                  | active           |
+   +----------+------------------+------------------+------------------+
+   | Activate | Yes              | Yes              | Activation date  |
+   |          |                  |                  | for new key      |
+   +----------+------------------+------------------+------------------+
+   | Revoke   | Yes              | Yes              | Notification of  |
+   |          |                  |                  | a key soon to be |
+   |          |                  |                  | retired          |
+   +----------+------------------+------------------+------------------+
+   | Inactive | Yes              | No               | Inactivation or  |
+   |          |                  |                  | retirement of a  |
+   |          |                  |                  | key              |
+   +----------+------------------+------------------+------------------+
+   | Delete   | No               | No               | Deletion or      |
+   |          |                  |                  | removal of a key |
+   |          |                  |                  | from a zone      |
+   +----------+------------------+------------------+------------------+
+
+The publication date is the date the key is introduced into the zone.
+Sometime later it is activated and is used to sign resource records.
+After a specified period, BIND stops using it to sign records, and at some
+other specified later time it is removed from the zone.
+
+Finally, we should note that the ``dnssec-keygen`` command supports the
+same set of switches so we could have set the dates
+when we created the key.
+
+.. _semi_automatic_signing_reconfigure_bind:
+
+Reconfiguring BIND
+++++++++++++++++++
+
+Having created the keys with the appropriate timing information, the
+next step is to turn on DNSSEC signing. Below is a very simple
+``named.conf``; in our example environment, this file is
+``/etc/bind/named.conf``.
+
+::
+
+   options {
+       directory "/etc/bind";
+       recursion no;
+       minimal-responses yes;
+   };
+
+   zone "example.com" IN {
+       type primary;
+       file "example.com.db";
+       auto-dnssec maintain;
+       inline-signing yes;
+   };
+
+Once the configuration file is updated, tell ``named`` to
+reload:
+
+::
+
+   # rndc reload
+   server reload successful
+
+.. _semi_automated_signing_verification:
+
+Verifying That the Zone Is Signed Correctly
++++++++++++++++++++++++++++++++++++++++++++
+
+You should now check that the zone is signed. Follow the steps in
+:ref:`signing_verification`.
+
+.. _semi_automatic_signing_upload_ds:
+
+Uploading the DS Record to the Parent
++++++++++++++++++++++++++++++++++++++
+
+As described in :ref:`signing_easy_start_upload_to_parent_zone`, we
+must now upload the new information to the parent zone. The format of the
+information and how to generate it is described in
+:ref:`working_with_parent_zone`, although it is important to remember that you must
+use the contents of the KSK file that you generated above as part of the
+process.
+
+When the DS record is published in the parent zone, your zone is fully
+signed.
+
+Checking That Your Zone Can Be Validated
+++++++++++++++++++++++++++++++++++++++++
+
+Finally, follow the steps in :ref:`how_to_test_authoritative_server`
+to confirm that a query recognizes the zone as properly signed and
+vouched for by the parent zone.
+
+So... What Now?
++++++++++++++++
+
+Once the zone is signed, it must be monitored as described
+in :ref:`signing_maintenance_tasks`. However,
+as the time approaches for a key roll, you must create the new key. Of
+course, it is possible to create keys for the next fifty
+years all at once and set the key times appropriately. Whether the
+increased risk in having the private key files for future keys available
+on disk offsets the overhead of having to remember to create a new key
+before a rollover depends on your organization's security policy.
+
+.. _advanced_discussions_automatic_dnssec-keymgr:
+
+Fully Automatic Signing With ``dnssec-keymgr``
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+``dnssec-keymgr`` is a program supplied with BIND (versions 9.11 to
+9.16) to help with key rollovers. When run, it compares the timing
+information for existing keys with the defined policy, and adjusts it if
+necessary. It also creates additional keys as required.
+
+``dnssec-keymgr`` is completely separate from ``named``. As we will see,
+the policy states a coverage period; ``dnssec-keymgr`` generates
+enough key files to handle all rollovers in that period. However, it is
+a good idea to schedule it to run on a regular basis; that way there is
+no chance of forgetting to run it when the coverage period ends.
+
+BIND should be set up exactly the same way as described in
+:ref:`semi_automatic_signing`, i.e.,
+with ``auto-dnssec`` set to ``maintain`` and ``inline-signing`` set to
+``true``. Then a policy file must be created. The following is an
+example of such a file:
+
+::
+
+   # cat policy.conf
+   policy standard {
+       coverage 1y;
+       algorithm RSASHA256;
+       directory "/etc/bind";
+       keyttl 2h;
+
+       key-size ksk 4096;
+       roll-period ksk 1y;
+       pre-publish ksk 30d;
+       post-publish ksk 30d;
+
+       key-size zsk 2048;
+       roll-period zsk 90d;
+       pre-publish zsk 30d;
+       post-publish zsk 30d;
+   };
+
+   zone example.com {
+       policy standard;
+   };
+
+   zone example.net {
+       policy standard;
+       keyttl 300;
+   };
+
+As can be seen, the syntax is similar to that of the ``named``
+configuration file.
+
+In the example above, we define a DNSSEC policy called "standard". Keys
+are created using the RSASHA256 algorithm, assigned a TTL of two hours,
+and placed in the directory ``/etc/bind``. KSKs have a key size of
+4096 bits and are expected to roll once a year; the new key is added to the
+zone 30 days before it becomes active, and is retained in the zone for
+30 days after it is rolled. ZSKs have a key size of 2048 bits and roll
+every 90 days; like the KSKs, the are added to the zone 30 days before
+they are used for signing, and retained for 30 days after ``named``
+ceases signing with them.
+
+The policy is applied to two zones, ``example.com`` and ``example.net``.
+The policy is applied unaltered to the former, but for the latter the
+setting for the DNSKEY TTL has been overridden and set to 300 seconds.
+
+To apply the policy, we need to run ``dnssec-keymgr``. Since this does
+not read the ``named`` configuration file, it relies on the presence of
+at least one key file for a zone to tell it that the zone is
+DNSSEC-enabled. If a key file does not already exist, we first need to create
+one for each zone. We can do that either by running
+``dnssec-keygen`` to create a key file for each zone [#]_, or by
+specifying the zones in question on the command line. Here, we do the
+latter:
+
+::
+
+   # dnssec-keymgr -c policy.conf example.com example.net
+   # /usr/local/sbin/dnssec-keygen -q -K /etc/bind -L 7200 -a RSASHA256 -b 2048 example.net
+   # /usr/local/sbin/dnssec-keygen -q -K /etc/bind -L 7200 -fk -a RSASHA256 -b 4096 example.net
+   # /usr/local/sbin/dnssec-settime -K /etc/bind -I 20200915110318 -D 20201015110318 Kexample.net.+008+31339
+   # /usr/local/sbin/dnssec-keygen -q -K /etc/bind -S Kexample.net.+008+31339 -L 7200 -i 2592000
+   # /usr/local/sbin/dnssec-settime -K /etc/bind -I 20201214110318 -D 20210113110318 Kexample.net.+008+14526
+   # /usr/local/sbin/dnssec-keygen -q -K /etc/bind -S Kexample.net.+008+14526 -L 7200 -i 2592000
+   # /usr/local/sbin/dnssec-settime -K /etc/bind -I 20210314110318 -D 20210413110318 Kexample.net.+008+46069
+   # /usr/local/sbin/dnssec-keygen -q -K /etc/bind -S Kexample.net.+008+46069 -L 7200 -i 2592000
+   # /usr/local/sbin/dnssec-settime -K /etc/bind -I 20210612110318 -D 20210712110318 Kexample.net.+008+13018
+   # /usr/local/sbin/dnssec-keygen -q -K /etc/bind -S Kexample.net.+008+13018 -L 7200 -i 2592000
+   # /usr/local/sbin/dnssec-settime -K /etc/bind -I 20210617110318 -D 20210717110318 Kexample.net.+008+55237
+   # /usr/local/sbin/dnssec-keygen -q -K /etc/bind -S Kexample.net.+008+55237 -L 7200 -i 2592000
+   # /usr/local/sbin/dnssec-keygen -q -K /etc/bind -L 7200 -a RSASHA256 -b 2048 example.com
+   # /usr/local/sbin/dnssec-keygen -q -K /etc/bind -L 7200 -fk -a RSASHA256 -b 4096 example.com
+   # /usr/local/sbin/dnssec-settime -K /etc/bind -P 20200617110318 -A 20200617110318 -I 20200915110318 -D 20201015110318 Kexample.com.+008+31168
+   # /usr/local/sbin/dnssec-keygen -q -K /etc/bind -S Kexample.com.+008+31168 -L 7200 -i 2592000
+   # /usr/local/sbin/dnssec-settime -K /etc/bind -I 20201214110318 -D 20210113110318 Kexample.com.+008+24199
+   # /usr/local/sbin/dnssec-keygen -q -K /etc/bind -S Kexample.com.+008+24199 -L 7200 -i 2592000
+   # /usr/local/sbin/dnssec-settime -K /etc/bind -I 20210314110318 -D 20210413110318 Kexample.com.+008+08728
+   # /usr/local/sbin/dnssec-keygen -q -K /etc/bind -S Kexample.com.+008+08728 -L 7200 -i 2592000
+   # /usr/local/sbin/dnssec-settime -K /etc/bind -I 20210612110318 -D 20210712110318 Kexample.com.+008+12874
+   # /usr/local/sbin/dnssec-keygen -q -K /etc/bind -S Kexample.com.+008+12874 -L 7200 -i 2592000
+   # /usr/local/sbin/dnssec-settime -K /etc/bind -P 20200617110318 -A 20200617110318 Kexample.com.+008+26186
+
+This creates enough key files to last for the coverage period, set in
+the policy file to be one year. The script should be run on a regular
+basis (probably via ``cron``) to keep the reserve of key files topped
+up. With the shortest roll period set to 90 days, every 30 days is
+more than adequate.
+
+At any time, you can check what key changes are coming up and whether
+the keys and timings are correct by using ``dnssec-coverage``. For
+example, to check coverage for the next 60 days:
+
+::
+
+    # dnssec-coverage -d 2h -m 1d -l 60d -K /etc/bind/keys
+   PHASE 1--Loading keys to check for internal timing problems
+   PHASE 2--Scanning future key events for coverage failures
+   Checking scheduled KSK events for zone example.net, algorithm RSASHA256...
+     Wed Jun 17 11:03:18 UTC 2020:
+       Publish: example.net/RSASHA256/55237 (KSK)
+       Activate: example.net/RSASHA256/55237 (KSK)
+
+   Ignoring events after Sun Aug 16 11:47:24 UTC 2020
+
+   No errors found
+
+   Checking scheduled ZSK events for zone example.net, algorithm RSASHA256...
+     Wed Jun 17 11:03:18 UTC 2020:
+       Publish: example.net/RSASHA256/31339 (ZSK)
+       Activate: example.net/RSASHA256/31339 (ZSK)
+     Sun Aug 16 11:03:18 UTC 2020:
+       Publish: example.net/RSASHA256/14526 (ZSK)
+
+   Ignoring events after Sun Aug 16 11:47:24 UTC 2020
+
+   No errors found
+
+   Checking scheduled KSK events for zone example.com, algorithm RSASHA256...
+     Wed Jun 17 11:03:18 UTC 2020:
+       Publish: example.com/RSASHA256/26186 (KSK)
+       Activate: example.com/RSASHA256/26186 (KSK)
+
+   No errors found
+
+   Checking scheduled ZSK events for zone example.com, algorithm RSASHA256...
+     Wed Jun 17 11:03:18 UTC 2020:
+       Publish: example.com/RSASHA256/31168 (ZSK)
+       Activate: example.com/RSASHA256/31168 (ZSK)
+     Sun Aug 16 11:03:18 UTC 2020:
+       Publish: example.com/RSASHA256/24199 (ZSK)
+
+   Ignoring events after Sun Aug 16 11:47:24 UTC 2020
+
+   No errors found
+
+The ``-d 2h`` and ``-m 1d`` on the command line specify the maximum TTL
+for the DNSKEYs and other resource records in the zone: in this example
+two hours and one day, respectively. ``dnssec-coverage`` needs this
+information when it checks that the zones will remain secure through key
+rolls.
+
+.. _advanced_discussions_automatic_dnssec-policy:
+
+Fully Automatic Signing With ``dnssec-policy``
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The latest development in DNSSEC key management appeared with BIND 9.16,
+and is the full integration of key management into ``named``. Managing
+the signing process and rolling of these keys has been described in
+:ref:`easy_start_guide_for_authoritative_servers` and is not
+repeated here. A few points are worth noting, though:
+
+-  The ``dnssec-policy`` statement in the ``named`` configuration file
+   describes all aspects of the DNSSEC policy, including the signing.
+   With ``dnssec-keymgr``, this is split between two configuration files
+   and two programs.
+
+-  The ``dnssec-policy`` statement requires to zone to use dynamic DNS,
+   or that ``inline-signing`` is enabled.
+
+-  It is possible to manage some zones served by an instance of BIND
+   through ``dnssec-policy`` and others through ``dnssec-keymgr``, but
+   this is not recommended. Although it should work, if you
+   modify the configuration files and inadvertently specify a zone to be
+   managed by both systems, BIND will not operate properly.
+
+.. _advanced_discussions_manual_key_management_and_signing:
+
+Manual Signing
+^^^^^^^^^^^^^^
+
+Manual signing of a zone was the first method of signing introduced into
+BIND and offers, as the name suggests, no automation. The user must
+handle everything: create the keys, sign the zone file with them, load
+the signed zone, periodically re-sign the zone, and manage key rolls,
+including interaction with the parent. A user certainly can do all this,
+but why not use one of the automated methods? Nevertheless, it may
+be useful for test purposes, so we cover it briefly here.
+
+BIND 9 ships with several tools that are used in
+this process, which are explained in more detail below. In all cases,
+the ``-h`` option prints a full list of parameters. Note that the DNSSEC
+tools require the keyset files to be in the working directory or the
+directory specified by the ``-d`` option.
+
+The first step is to create the keys as described in :ref:`generate_keys`.
+
+Then, edit the zone file to make sure the proper DNSKEY entries are included.
+The public keys should be inserted into the zone file by
+including the ``.key`` files using ``$INCLUDE`` statements.
+
+Finally, use the command ``dnssec-signzone``.
+Any ``keyset`` files corresponding to secure sub-zones should be
+present. The zone signer generates ``NSEC``, ``NSEC3``, and ``RRSIG``
+records for the zone, as well as ``DS`` for the child zones if
+``-g`` is specified. If
+``-g`` is not specified, then DS RRsets for the
+secure child zones need to be added manually.
+
+By default, all zone keys which have an available private key are used
+to generate signatures. The following command signs the zone, assuming
+it is in a file called ``zone.child.example``, using manually specified keys:
+
+.. code-block:: console
+
+   # cd /etc/bind/keys/example.com/
+   # dnssec-signzone -t -N INCREMENT -o example.com -f /etc/bind/db/example.com.signed.db \
+       /etc/bind/db/example.com.db Kexample.com.+013+17694.key Kexample.com.+013+06817.key
+   Verifying the zone using the following algorithms: ECDSAP256SHA256.
+   Zone fully signed:
+   Algorithm: ECDSAP256SHA256: KSKs: 1 active, 0 stand-by, 0 revoked
+                               ZSKs: 1 active, 0 stand-by, 0 revoked
+   /etc/bind/db/example.com.signed.db
+   Signatures generated:                       17
+   Signatures retained:                         0
+   Signatures dropped:                          0
+   Signatures successfully verified:            0
+   Signatures unsuccessfully verified:          0
+   Signing time in seconds:                 0.046
+   Signatures per second:                 364.634
+   Runtime in seconds:                      0.055
+
+The -o switch explicitly defines the domain name (``example.com`` in
+this case), while the -f switch specifies the output file name. The second line
+has three parameters: the unsigned zone name
+(``/etc/bind/db/example.com.db``), the ZSK file name, and the KSK file name. This
+also generates a plain text file ``/etc/bind/db/example.com.signed.db``,
+which can be manually verified for correctness.
+
+``dnssec-signzone`` also produces keyset and dsset files. These are used
+to provide the parent zone administrators with the ``DNSKEY`` records (or their
+corresponding ``DS`` records) that are the secure entry point to the zone.
+
+Finally, you'll need to update ``named.conf`` to load the signed version
+of the zone, which looks something like this:
+
+.. code-block:: none
+
+   zone "example.com" IN {
+       type primary;
+       file "db/example.com.signed.db";
+   };
+
+Once the ``rndc reconfig`` command is issued, BIND serves a signed
+zone. The file ``dsset-example.com`` (created by ``dnssec-signzone``
+when it signed the ``example.com`` zone) contains the DS record for the
+zone's KSK. You will need to pass that to the administrator of the parent
+zone, to be placed in the zone.
+
+Since this is a manual process, you will need to re-sign periodically,
+as well as every time the zone
+data changes. You will also need to manually roll the keys by adding and
+removing DNSKEY records (and interacting with the parent) at the
+appropriate times.
+
+.. [#]
+   The dates can also be modified using an editor, but that is likely to
+   be more error-prone than using ``dnssec-settime``.
+
+.. [#]
+   Only one key file - for either a KSK or ZSK - is needed to signal the
+   presence of the zone. ``dnssec-keygen`` creates files of both
+   types as needed.
diff --git a/doc/dnssec-guide/troubleshooting.rst b/doc/dnssec-guide/troubleshooting.rst
new file mode 100644
index 0000000..cdc40cc
--- /dev/null
+++ b/doc/dnssec-guide/troubleshooting.rst
@@ -0,0 +1,589 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. _dnssec_troubleshooting:
+
+Basic DNSSEC Troubleshooting
+----------------------------
+
+In this chapter, we cover some basic troubleshooting
+techniques, some common DNSSEC symptoms, and their causes and solutions. This
+is not a comprehensive "how to troubleshoot any DNS or DNSSEC problem"
+guide, because that could easily be an entire book by itself.
+
+.. _troubleshooting_query_path:
+
+Query Path
+~~~~~~~~~~
+
+The first step in troubleshooting DNS or DNSSEC should be to
+determine the query path. Whenever you are working with a DNS-related issue, it is
+always a good idea to determine the exact query path to identify the
+origin of the problem.
+
+End clients, such as laptop computers or mobile phones, are configured
+to talk to a recursive name server, and the recursive name server may in
+turn forward requests on to other recursive name servers before arriving at the
+authoritative name server. The giveaway is the presence of the
+Authoritative Answer (``aa``) flag in a query response: when present, we know we are talking
+to the authoritative server; when missing, we are talking to a recursive
+server. The example below shows an answer to a query for
+``www.example.com`` without the Authoritative Answer flag:
+
+::
+
+   $ dig @10.53.0.3 www.example.com A
+
+   ; <<>> DiG 9.16.0 <<>> @10.53.0.3 www.example.com a
+   ; (1 server found)
+   ;; global options: +cmd
+   ;; Got answer:
+   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62714
+   ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
+
+   ;; OPT PSEUDOSECTION:
+   ; EDNS: version: 0, flags:; udp: 4096
+   ; COOKIE: c823fe302625db5b010000005e722b504d81bb01c2227259 (good)
+   ;; QUESTION SECTION:
+   ;www.example.com.       IN  A
+
+   ;; ANSWER SECTION:
+   www.example.com.    60  IN  A   10.1.0.1
+
+   ;; Query time: 3 msec
+   ;; SERVER: 10.53.0.3#53(10.53.0.3)
+   ;; WHEN: Wed Mar 18 14:08:16 GMT 2020
+   ;; MSG SIZE  rcvd: 88
+
+Not only do we not see the ``aa`` flag, we see an ``ra``
+flag, which indicates Recursion Available. This indicates that the
+server we are talking to (10.53.0.3 in this example) is a recursive name
+server: although we were able to get an answer for
+``www.example.com``, we know that the answer came from somewhere else.
+
+If we query the authoritative server directly, we get:
+
+::
+
+   $ dig @10.53.0.2 www.example.com A
+
+   ; <<>> DiG 9.16.0 <<>> @10.53.0.2 www.example.com a
+   ; (1 server found)
+   ;; global options: +cmd
+   ;; Got answer:
+   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39542
+   ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
+   ;; WARNING: recursion requested but not available
+   ...
+
+The ``aa`` flag tells us that we are now talking to the
+authoritative name server for ``www.example.com``, and that this is not a
+cached answer it obtained from some other name server; it served this
+answer to us right from its own database. In fact,
+the Recursion Available (``ra``) flag is not present, which means this
+name server is not configured to perform recursion (at least not for
+this client), so it could not have queried another name server to get
+cached results.
+
+.. _troubleshooting_visible_symptoms:
+
+Visible DNSSEC Validation Symptoms
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+After determining the query path, it is necessary to
+determine whether the problem is actually related to DNSSEC
+validation. You can use the ``+cd`` flag in ``dig`` to disable
+validation, as described in
+:ref:`how_do_i_know_validation_problem`.
+
+When there is indeed a DNSSEC validation problem, the visible symptoms,
+unfortunately, are very limited. With DNSSEC validation enabled, if a
+DNS response is not fully validated, it results in a generic
+SERVFAIL message, as shown below when querying against a recursive name
+server at 192.168.1.7:
+
+::
+
+   $ dig @10.53.0.3 www.example.org. A
+
+   ; <<>> DiG 9.16.0 <<>> @10.53.0.3 www.example.org A
+   ; (1 server found)
+   ;; global options: +cmd
+   ;; Got answer:
+   ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 28947
+   ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
+
+   ;; OPT PSEUDOSECTION:
+   ; EDNS: version: 0, flags:; udp: 4096
+   ; COOKIE: d1301968aca086ad010000005e723a7113603c01916d136b (good)
+   ;; QUESTION SECTION:
+   ;www.example.org.       IN  A
+
+   ;; Query time: 3 msec
+   ;; SERVER: 10.53.0.3#53(10.53.0.3)
+   ;; WHEN: Wed Mar 18 15:12:49 GMT 2020
+   ;; MSG SIZE  rcvd: 72
+
+With ``delv``, a "resolution failed" message is output instead:
+
+::
+
+   $ delv @10.53.0.3 www.example.org. A +rtrace
+   ;; fetch: www.example.org/A
+   ;; resolution failed: SERVFAIL
+   
+BIND 9 logging features may be useful when trying to identify
+DNSSEC errors.
+
+.. _troubleshooting_logging:
+
+Basic Logging
+~~~~~~~~~~~~~
+
+DNSSEC validation error messages show up in ``syslog`` as a
+query error by default. Here is an example of what it may look like:
+
+::
+
+   validating www.example.org/A: no valid signature found
+   RRSIG failed to verify resolving 'www.example.org/A/IN': 10.53.0.2#53
+
+Usually, this level of error logging is sufficient.
+Debug logging, described in
+:ref:`troubleshooting_logging_debug`, gives information on how
+to get more details about why DNSSEC validation may have
+failed.
+
+.. _troubleshooting_logging_debug:
+
+BIND DNSSEC Debug Logging
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+A word of caution: before you enable debug logging, be aware that this
+may dramatically increase the load on your name servers. Enabling debug
+logging is thus not recommended for production servers.
+
+With that said, sometimes it may become necessary to temporarily enable
+BIND debug logging to see more details of how and whether DNSSEC is
+validating. DNSSEC-related messages are not recorded in ``syslog`` by default,
+even if query log is enabled; only DNSSEC errors show up in ``syslog``.
+
+The example below shows how to enable debug level 3 (to see full DNSSEC
+validation messages) in BIND 9 and have it sent to ``syslog``:
+
+::
+
+   logging {
+      channel dnssec_log {
+           syslog daemon;
+           severity debug 3;
+           print-category yes;
+       };
+       category dnssec { dnssec_log; };
+   };
+
+The example below shows how to log DNSSEC messages to their own file
+(here, ``/var/log/dnssec.log``):
+
+::
+
+   logging {
+       channel dnssec_log {
+           file "/var/log/dnssec.log";
+           severity debug 3;
+       };
+       category dnssec { dnssec_log; };
+   };
+
+After turning on debug logging and restarting BIND, a large
+number of log messages appear in
+``syslog``. The example below shows the log messages as a result of
+successfully looking up and validating the domain name ``ftp.isc.org``.
+
+::
+
+   validating ./NS: starting
+   validating ./NS: attempting positive response validation
+     validating ./DNSKEY: starting
+     validating ./DNSKEY: attempting positive response validation
+     validating ./DNSKEY: verify rdataset (keyid=20326): success
+     validating ./DNSKEY: marking as secure (DS)
+   validating ./NS: in validator_callback_dnskey
+   validating ./NS: keyset with trust secure
+   validating ./NS: resuming validate
+   validating ./NS: verify rdataset (keyid=33853): success
+   validating ./NS: marking as secure, noqname proof not needed
+   validating ftp.isc.org/A: starting
+   validating ftp.isc.org/A: attempting positive response validation
+   validating isc.org/DNSKEY: starting
+   validating isc.org/DNSKEY: attempting positive response validation
+     validating isc.org/DS: starting
+     validating isc.org/DS: attempting positive response validation
+   validating org/DNSKEY: starting
+   validating org/DNSKEY: attempting positive response validation
+     validating org/DS: starting
+     validating org/DS: attempting positive response validation
+     validating org/DS: keyset with trust secure
+     validating org/DS: verify rdataset (keyid=33853): success
+     validating org/DS: marking as secure, noqname proof not needed
+   validating org/DNSKEY: in validator_callback_ds
+   validating org/DNSKEY: dsset with trust secure
+   validating org/DNSKEY: verify rdataset (keyid=9795): success
+   validating org/DNSKEY: marking as secure (DS)
+     validating isc.org/DS: in fetch_callback_dnskey
+     validating isc.org/DS: keyset with trust secure
+     validating isc.org/DS: resuming validate
+     validating isc.org/DS: verify rdataset (keyid=33209): success
+     validating isc.org/DS: marking as secure, noqname proof not needed
+   validating isc.org/DNSKEY: in validator_callback_ds
+   validating isc.org/DNSKEY: dsset with trust secure
+   validating isc.org/DNSKEY: verify rdataset (keyid=7250): success
+   validating isc.org/DNSKEY: marking as secure (DS)
+   validating ftp.isc.org/A: in fetch_callback_dnskey
+   validating ftp.isc.org/A: keyset with trust secure
+   validating ftp.isc.org/A: resuming validate
+   validating ftp.isc.org/A: verify rdataset (keyid=27566): success
+   validating ftp.isc.org/A: marking as secure, noqname proof not needed
+
+Note that these log messages indicate that the chain of trust has been
+established and ``ftp.isc.org`` has been successfully validated.
+
+If validation had failed, you would see log messages indicating errors.
+We cover some of the most validation problems in the next section.
+
+.. _troubleshooting_common_problems:
+
+Common Problems
+~~~~~~~~~~~~~~~
+
+.. _troubleshooting_security_lameness:
+
+Security Lameness
+^^^^^^^^^^^^^^^^^
+
+Similar to lame delegation in traditional DNS, security lameness refers to the
+condition when the parent zone holds a set of DS records that point to
+something that does not exist in the child zone. As a result,
+the entire child zone may "disappear," having been marked as bogus by
+validating resolvers.
+
+Below is an example attempting to resolve the A record for a test domain
+name ``www.example.net``. From the user's perspective, as described in
+:ref:`how_do_i_know_validation_problem`, only a SERVFAIL
+message is returned. On the validating resolver, we see the
+following messages in ``syslog``:
+
+::
+
+   named[126063]: validating example.net/DNSKEY: no valid signature found (DS)
+   named[126063]: no valid RRSIG resolving 'example.net/DNSKEY/IN': 10.53.0.2#53
+   named[126063]: broken trust chain resolving 'www.example.net/A/IN': 10.53.0.2#53
+
+This gives us a hint that it is a broken trust chain issue. Let's take a
+look at the DS records that are published for the zone (with the keys
+shortened for ease of display):
+
+::
+
+   $ dig @10.53.0.3 example.net. DS
+
+   ; <<>> DiG 9.16.0 <<>> @10.53.0.3 example.net DS
+   ; (1 server found)
+   ;; global options: +cmd
+   ;; Got answer:
+   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59602
+   ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
+
+   ;; OPT PSEUDOSECTION:
+   ; EDNS: version: 0, flags:; udp: 4096
+   ; COOKIE: 7026d8f7c6e77e2a010000005e735d7c9d038d061b2d24da (good)
+   ;; QUESTION SECTION:
+   ;example.net.           IN  DS
+
+   ;; ANSWER SECTION:
+   example.net.        256 IN  DS  14956 8 2 9F3CACD...D3E3A396
+
+   ;; Query time: 0 msec
+   ;; SERVER: 10.53.0.3#53(10.53.0.3)
+   ;; WHEN: Thu Mar 19 11:54:36 GMT 2020
+   ;; MSG SIZE  rcvd: 116
+
+Next, we query for the DNSKEY and RRSIG of ``example.net`` to see if
+there's anything wrong. Since we are having trouble validating, we
+can use the ``+cd`` option to temporarily disable checking and return
+results, even though they do not pass the validation tests. The
+``+multiline`` option tells ``dig`` to print the type, algorithm type,
+and key id for DNSKEY records. Again,
+some long strings are shortened for ease of display:
+
+::
+
+   $ dig @10.53.0.3 example.net. DNSKEY +dnssec +cd +multiline
+
+   ; <<>> DiG 9.16.0 <<>> @10.53.0.3 example.net DNSKEY +cd +multiline +dnssec
+   ; (1 server found)
+   ;; global options: +cmd
+   ;; Got answer:
+   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42980
+   ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
+
+   ;; OPT PSEUDOSECTION:
+   ; EDNS: version: 0, flags: do; udp: 4096
+   ; COOKIE: 4b5e7c88b3680c35010000005e73722057551f9f8be1990e (good)
+   ;; QUESTION SECTION:
+   ;example.net.       IN DNSKEY
+
+   ;; ANSWER SECTION:
+   example.net.        287 IN DNSKEY 256 3 8 (
+                   AwEAAbu3NX...ADU/D7xjFFDu+8WRIn
+                   ) ; ZSK; alg = RSASHA256 ; key id = 35328
+   example.net.        287 IN DNSKEY 257 3 8 (
+                   AwEAAbKtU1...PPP4aQZTybk75ZW+uL
+                   6OJMAF63NO0s1nAZM2EWAVasbnn/X+J4N2rLuhk=
+                   ) ; KSK; alg = RSASHA256 ; key id = 27247
+   example.net.        287 IN RRSIG DNSKEY 8 2 300 (
+                   20811123173143 20180101000000 27247 example.net.
+                   Fz1sjClIoF...YEjzpAWuAj9peQ== )
+   example.net.        287 IN RRSIG DNSKEY 8 2 300 (
+                   20811123173143 20180101000000 35328 example.net.
+                   seKtUeJ4/l...YtDc1rcXTVlWIOw= )
+
+   ;; Query time: 0 msec
+   ;; SERVER: 10.53.0.3#53(10.53.0.3)
+   ;; WHEN: Thu Mar 19 13:22:40 GMT 2020
+   ;; MSG SIZE  rcvd: 962
+
+Here is the problem: the parent zone is telling the world that
+``example.net`` is using the key 14956, but the authoritative server
+indicates that it is using keys 27247 and 35328. There are several
+potential causes for this mismatch: one possibility is that a malicious
+attacker has compromised one side and changed the data. A more likely
+scenario is that the DNS administrator for the child zone did not upload
+the correct key information to the parent zone.
+
+.. _troubleshooting_incorrect_time:
+
+Incorrect Time
+^^^^^^^^^^^^^^
+
+In DNSSEC, every record comes with at least one RRSIG, and each RRSIG
+contains two timestamps: one indicating when it becomes valid, and
+one when it expires. If the validating resolver's current system time does
+not fall within the two RRSIG timestamps, error messages
+appear in the BIND debug log.
+
+The example below shows a log message when the RRSIG appears to have
+expired. This could mean the validating resolver system time is
+incorrectly set too far in the future, or the zone administrator has not
+kept up with RRSIG maintenance.
+
+::
+
+   validating example.com/DNSKEY: verify failed due to bad signature (keyid=19036): RRSIG has expired
+
+The log below shows that the RRSIG validity period has not yet begun. This could mean
+the validation resolver's system time is incorrectly set too far in the past, or
+the zone administrator has incorrectly generated signatures for this
+domain name.
+
+::
+
+   validating example.com/DNSKEY: verify failed due to bad signature (keyid=4521): RRSIG validity period has not begun
+
+.. _troubleshooting_unable_to_load_keys:
+
+Unable to Load Keys
+^^^^^^^^^^^^^^^^^^^
+
+This is a simple yet common issue. If the key files are present but
+unreadable by ``named`` for some reason, the ``syslog`` returns clear error
+messages, as shown below:
+
+::
+
+   named[32447]: zone example.com/IN (signed): reconfiguring zone keys
+   named[32447]: dns_dnssec_findmatchingkeys: error reading key file Kexample.com.+008+06817.private: permission denied
+   named[32447]: dns_dnssec_findmatchingkeys: error reading key file Kexample.com.+008+17694.private: permission denied
+   named[32447]: zone example.com/IN (signed): next key event: 27-Nov-2014 20:04:36.521
+
+However, if no keys are found, the error is not as obvious. Below shows
+the ``syslog`` messages after executing ``rndc
+reload`` with the key files missing from the key directory:
+
+::
+
+   named[32516]: received control channel command 'reload'
+   named[32516]: loading configuration from '/etc/bind/named.conf'
+   named[32516]: reading built-in trusted keys from file '/etc/bind/bind.keys'
+   named[32516]: using default UDP/IPv4 port range: [1024, 65535]
+   named[32516]: using default UDP/IPv6 port range: [1024, 65535]
+   named[32516]: sizing zone task pool based on 6 zones
+   named[32516]: the working directory is not writable
+   named[32516]: reloading configuration succeeded
+   named[32516]: reloading zones succeeded
+   named[32516]: all zones loaded
+   named[32516]: running
+   named[32516]: zone example.com/IN (signed): reconfiguring zone keys
+   named[32516]: zone example.com/IN (signed): next key event: 27-Nov-2014 20:07:09.292
+
+This happens to look exactly the same as if the keys were present and
+readable, and appears to indicate that ``named`` loaded the keys and signed the zone. It
+even generates the internal (raw) files:
+
+::
+
+   # cd /etc/bind/db
+   # ls
+   example.com.db  example.com.db.jbk  example.com.db.signed
+
+If ``named`` really loaded the keys and signed the zone, you should see
+the following files:
+
+::
+
+   # cd /etc/bind/db
+   # ls
+   example.com.db  example.com.db.jbk  example.com.db.signed  example.com.db.signed.jnl
+
+So, unless you see the ``*.signed.jnl`` file, your zone has not been
+signed.
+
+.. _troubleshooting_invalid_trust_anchors:
+
+Invalid Trust Anchors
+^^^^^^^^^^^^^^^^^^^^^
+
+In most cases, you never need to explicitly configure trust
+anchors. ``named`` supplies the current root trust anchor and,
+with the default setting of ``dnssec-validation``, updates it on the
+infrequent occasions when it is changed.
+
+However, in some circumstances you may need to explicitly configure
+your own trust anchor. As we saw in the :ref:`trust_anchors_description`
+section, whenever a DNSKEY is received by the validating resolver, it is
+compared to the list of keys the resolver explicitly trusts to see if
+further action is needed. If the two keys match, the validating resolver
+stops performing further verification and returns the answer(s) as
+validated.
+
+But what if the key file on the validating resolver is misconfigured or
+missing? Below we show some examples of log messages when things are not
+working properly.
+
+First of all, if the key you copied is malformed, BIND does not even
+start and you will likely find this error message in syslog:
+
+::
+
+   named[18235]: /etc/bind/named.conf.options:29: bad base64 encoding
+   named[18235]: loading configuration: failure
+
+If the key is a valid base64 string but the key algorithm is incorrect,
+or if the wrong key is installed, the first thing you will notice is
+that virtually all of your DNS lookups result in SERVFAIL, even when
+you are looking up domain names that have not been DNSSEC-enabled. Below
+shows an example of querying a recursive server 10.53.0.3:
+
+::
+
+   $ dig @10.53.0.3 www.example.com. A
+
+   ; <<>> DiG 9.16.0 <<>> @10.53.0.3 www.example.org A +dnssec
+   ; (1 server found)
+   ;; global options: +cmd
+   ;; Got answer:
+   ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29586
+   ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
+
+   ;; OPT PSEUDOSECTION:
+   ; EDNS: version: 0, flags: do; udp: 4096
+   ; COOKIE: ee078fc321fa1367010000005e73a58bf5f205ca47e04bed (good)
+   ;; QUESTION SECTION:
+   ;www.example.org.       IN  A
+
+``delv`` shows a similar result:
+
+::
+
+   $ delv @192.168.1.7 www.example.com. +rtrace
+   ;; fetch: www.example.com/A
+   ;; resolution failed: SERVFAIL
+
+The next symptom you see is in the DNSSEC log messages:
+
+::
+
+   managed-keys-zone: DNSKEY set for zone '.' could not be verified with current keys
+   validating ./DNSKEY: starting
+   validating ./DNSKEY: attempting positive response validation
+   validating ./DNSKEY: no DNSKEY matching DS
+   validating ./DNSKEY: no DNSKEY matching DS
+   validating ./DNSKEY: no valid signature found (DS)
+
+These errors are indications that there are problems with the trust
+anchor.
+
+.. _troubleshooting_nta:
+
+Negative Trust Anchors
+~~~~~~~~~~~~~~~~~~~~~~
+
+BIND 9.11 introduced Negative Trust Anchors (NTAs) as a means to
+*temporarily* disable DNSSEC validation for a zone when you know that
+the zone's DNSSEC is misconfigured.
+
+NTAs are added using the ``rndc`` command, e.g.:
+
+::
+
+   $ rndc nta example.com
+    Negative trust anchor added: example.com/_default, expires 19-Mar-2020 19:57:42.000
+    
+
+The list of currently configured NTAs can also be examined using
+``rndc``, e.g.:
+
+::
+
+   $ rndc nta -dump
+    example.com/_default: expiry 19-Mar-2020 19:57:42.000
+    
+
+The default lifetime of an NTA is one hour, although by default, BIND
+polls the zone every five minutes to see if the zone correctly
+validates, at which point the NTA automatically expires. Both the
+default lifetime and the polling interval may be configured via
+``named.conf``, and the lifetime can be overridden on a per-zone basis
+using the ``-lifetime duration`` parameter to ``rndc nta``. Both timer
+values have a permitted maximum value of one week.
+
+.. _troubleshooting_nsec3:
+
+NSEC3 Troubleshooting
+~~~~~~~~~~~~~~~~~~~~~
+
+BIND includes a tool called ``nsec3hash`` that runs through the same
+steps as a validating resolver, to generate the correct hashed name
+based on NSEC3PARAM parameters. The command takes the following
+parameters in order: salt, algorithm, iterations, and domain. For
+example, if the salt is 1234567890ABCDEF, hash algorithm is 1, and
+iteration is 10, to get the NSEC3-hashed name for ``www.example.com`` we
+would execute a command like this:
+
+::
+
+   $ nsec3hash 1234567890ABCEDF 1 10 www.example.com
+   RN7I9ME6E1I6BDKIP91B9TCE4FHJ7LKF (salt=1234567890ABCEDF, hash=1, iterations=10)
+
+Zero-length salt can be specified as ``-``.
+
+While it is unlikely you would construct a rainbow table of your own
+zone data, this tool may be useful when troubleshooting NSEC3 problems.
diff --git a/doc/dnssec-guide/validation.rst b/doc/dnssec-guide/validation.rst
new file mode 100644
index 0000000..2830b98
--- /dev/null
+++ b/doc/dnssec-guide/validation.rst
@@ -0,0 +1,864 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. _DNSSEC_validation:
+
+Validation
+----------
+
+.. _easy_start_guide_for_recursive_servers:
+
+Easy-Start Guide for Recursive Servers
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This section provides the basic information needed to set up a
+working DNSSEC-aware recursive server, also known as a validating
+resolver. A validating resolver performs validation for each remote
+response received, following the chain of trust to verify that the answers it
+receives are legitimate, through the use of public key cryptography and
+hashing functions.
+
+.. _enabling_validation:
+
+Enabling DNSSEC Validation
+^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+So how do we turn on DNSSEC validation? It turns out that you may not need
+to reconfigure your name server at all, since the most recent versions of BIND 9 -
+including packages and distributions - have shipped with DNSSEC validation
+enabled by default. Before making any configuration changes, check
+whether you already have DNSSEC validation enabled by following the steps
+described in :ref:`how_to_test_recursive_server`.
+
+In earlier versions of BIND, including 9.11-ESV, DNSSEC
+validation must be explicitly enabled. To do this, you only need to
+add one line to the ``options`` section of your configuration file:
+
+::
+
+   options {
+        ...
+        dnssec-validation auto;
+        ...
+    };
+
+Restart ``named`` or run ``rndc reconfig``, and your recursive server is
+now happily validating each DNS response. If this does not work for you,
+you may have some other network-related configurations that need to be
+adjusted. Take a look at :ref:`network_requirements` to make sure your network
+is ready for DNSSEC.
+
+.. _effect_of_enabling_validation:
+
+Effects of Enabling DNSSEC Validation
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Once DNSSEC validation is enabled, any DNS response that does not pass
+the validation checks results in a failure to resolve the domain name
+(often a SERVFAIL status seen by the client). If everything has
+been configured properly, this is the correct result; it means that an end user has
+been protected against a malicious attack.
+
+However, if there is a DNSSEC configuration issue (sometimes outside of
+the administrator's control), a specific name or sometimes entire
+domains may "disappear" from the DNS, and become unreachable
+through that resolver. For the end user, the issue may manifest itself
+as name resolution being slow or failing altogether; some parts of a URL
+not loading; or the web browser returning an error message indicating
+that the page cannot be displayed. For example, if root name
+servers were misconfigured with the wrong information about ``.org``, it
+could cause all validation for ``.org`` domains to fail. To end
+users, it would appear that all ``.org`` web
+sites were out of service [#]_. Should you encounter DNSSEC-related problems, don't be
+tempted to disable validation; there is almost certainly a solution that
+leaves validation enabled. A basic troubleshooting guide can be found in
+:ref:`dnssec_troubleshooting`.
+
+.. [#]
+   Of course, something like this could happen for reasons other than
+   DNSSEC: for example, the root publishing the wrong addresses for the
+   ``.org`` nameservers.
+
+.. _how_to_test_recursive_server:
+
+So You Think You Are Validating (How To Test A Recursive Server)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Now that you have reconfigured your recursive server and
+restarted it, how do you know that your recursive name server is
+actually verifying each DNS query? There are several ways to check, and
+we've listed a few of them below.
+
+.. _using_web_based_tests_to_verify:
+
+Using Web-Based Tools to Verify
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+For most people, the simplest way to check if a recursive name server
+is indeed validating DNS queries is to use one of the many web-based
+tools available.
+
+Configure your client computer to use the newly reconfigured recursive
+server for DNS resolution; then use one of these web-based tests to
+confirm that it is in fact validating DNS responses.
+
+-  `Internet.nl <https://en.conn.internet.nl/connection/>`__
+
+-  `DNSSEC or Not (VeriSign) <https://www.dnssec-or-not.com/>`__
+
+.. _using_dig_to_verify:
+
+Using ``dig`` to Verify
+^^^^^^^^^^^^^^^^^^^^^^^
+
+Web-based DNSSEC-verification tools often employ JavaScript. If you don't trust the
+JavaScript magic that the web-based tools rely on, you can take matters
+into your own hands and use a command-line DNS tool to check your
+validating resolver yourself.
+
+While ``nslookup`` is popular, partly because it comes pre-installed on
+most systems, it is not DNSSEC-aware. ``dig``, on the other hand, fully
+supports the DNSSEC standard and comes as a part of BIND. If you do not
+have ``dig`` already installed on your system, install it by downloading
+it from ISC's `website <https://www.isc.org/download>`__. ISC provides pre-compiled
+Windows versions on its website.
+
+``dig`` is a flexible tool for interrogating DNS name servers. It
+performs DNS lookups and displays the answers that are returned from the
+name servers that were queried. Most seasoned DNS administrators use
+``dig`` to troubleshoot DNS problems because of its flexibility, ease of
+use, and clarity of output.
+
+The example below shows how to use ``dig`` to query the name server 10.53.0.1
+for the A record for ``ftp.isc.org`` when DNSSEC validation is enabled
+(i.e. the default). The address 10.53.0.1 is only used as an example;
+replace it with the actual address or host name of your
+recursive name server.
+
+::
+
+   $ dig @10.53.0.1 ftp.isc.org. A +dnssec +multiline
+
+   ; <<>> DiG 9.16.0 <<>> @10.53.0.1 ftp.isc.org a +dnssec +multiline
+   ; (1 server found)
+   ;; global options: +cmd
+   ;; Got answer:
+   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48742
+   ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
+
+   ;; OPT PSEUDOSECTION:
+   ; EDNS: version: 0, flags: do; udp: 4096
+   ; COOKIE: 29a9705c2160b08c010000005e67a4a102b9ae079c1b24c8 (good)
+   ;; QUESTION SECTION:
+   ;ftp.isc.org.       IN A
+
+   ;; ANSWER SECTION:
+   ftp.isc.org.        300 IN A 149.20.1.49
+   ftp.isc.org.        300 IN RRSIG A 13 3 300 (
+                   20200401191851 20200302184340 27566 isc.org.
+                   e9Vkb6/6aHMQk/t23Im71ioiDUhB06sncsduoW9+Asl4
+                   L3TZtpLvZ5+zudTJC2coI4D/D9AXte1cD6FV6iS6PQ== )
+
+   ;; Query time: 452 msec
+   ;; SERVER: 10.53.0.1#53(10.53.0.1)
+   ;; WHEN: Tue Mar 10 14:30:57 GMT 2020
+   ;; MSG SIZE  rcvd: 187
+
+The important detail in this output is the presence of the ``ad`` flag
+in the header. This signifies that BIND has retrieved all related DNSSEC
+information related to the target of the query (``ftp.isc.org``) and that
+the answer received has passed the validation process described in
+:ref:`how_are_answers_verified`. We can have confidence in the
+authenticity and integrity of the answer, that ``ftp.isc.org`` really
+points to the IP address 149.20.1.49, and that it was not a spoofed answer
+from a clever attacker.
+
+Unlike earlier versions of BIND, the current versions of BIND always
+request DNSSEC records (by setting the ``do`` bit in the query they make
+to upstream servers), regardless of DNSSEC settings. However, with
+validation disabled, the returned signature is not checked. This can be
+seen by explicitly disabling DNSSEC validation. To do this, add the line
+``dnssec-validation no;`` to the "options" section of the configuration
+file, i.e.:
+
+::
+
+   options {
+       ...
+       dnssec-validation no;
+       ...
+   };
+
+If the server is restarted (to ensure a clean cache) and the same
+``dig`` command executed, the result is very similar:
+
+::
+
+   $ dig @10.53.0.1 ftp.isc.org. A +dnssec +multiline
+
+   ; <<>> DiG 9.16.0 <<>> @10.53.0.1 ftp.isc.org a +dnssec +multiline
+   ; (1 server found)
+   ;; global options: +cmd
+   ;; Got answer:
+   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39050
+   ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
+
+   ;; OPT PSEUDOSECTION:
+   ; EDNS: version: 0, flags: do; udp: 4096
+   ; COOKIE: a8dc9d1b9ec45e75010000005e67a8a69399741fdbe126f2 (good)
+   ;; QUESTION SECTION:
+   ;ftp.isc.org.       IN A
+
+   ;; ANSWER SECTION:
+   ftp.isc.org.        300 IN A 149.20.1.49
+   ftp.isc.org.        300 IN RRSIG A 13 3 300 (
+                   20200401191851 20200302184340 27566 isc.org.
+                   e9Vkb6/6aHMQk/t23Im71ioiDUhB06sncsduoW9+Asl4
+                   L3TZtpLvZ5+zudTJC2coI4D/D9AXte1cD6FV6iS6PQ== )
+
+   ;; Query time: 261 msec
+   ;; SERVER: 10.53.0.1#53(10.53.0.1)
+   ;; WHEN: Tue Mar 10 14:48:06 GMT 2020
+   ;; MSG SIZE  rcvd: 187
+
+However, this time there is no ``ad`` flag in the header. Although
+``dig`` is still returning the DNSSEC-related resource records, it is
+not checking them, and thus cannot vouch for the authenticity of the answer.
+If you do carry out this test, remember to re-enable DNSSEC validation
+(by removing the ``dnssec-validation no;`` line from the configuration
+file) before continuing.
+
+.. _verifying_protection_from_bad_domains:
+
+Verifying Protection From Bad Domain Names
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+It is also important to make sure that DNSSEC is protecting your network from
+domain names that fail to validate; such failures could be caused by
+attacks on your system, attempting to get it to accept false DNS
+information. Validation could fail for a number of reasons: maybe the
+answer doesn't verify because it's a spoofed response; maybe the
+signature was a replayed network attack that has expired; or maybe the
+child zone has been compromised along with its keys, and the parent
+zone's information tells us that things don't add up. There is a
+domain name specifically set up to fail DNSSEC validation,
+``www.dnssec-failed.org``.
+
+With DNSSEC validation enabled (the default), an attempt to look up that
+name fails:
+
+::
+
+   $ dig @10.53.0.1 www.dnssec-failed.org. A
+
+   ; <<>> DiG 9.16.0 <<>> @10.53.0.1 www.dnssec-failed.org. A
+   ; (1 server found)
+   ;; global options: +cmd
+   ;; Got answer:
+   ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22667
+   ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
+
+   ;; OPT PSEUDOSECTION:
+   ; EDNS: version: 0, flags:; udp: 4096
+   ; COOKIE: 69c3083144854587010000005e67bb57f5f90ff2688e455d (good)
+   ;; QUESTION SECTION:
+   ;www.dnssec-failed.org.     IN  A
+
+   ;; Query time: 2763 msec
+   ;; SERVER: 10.53.0.1#53(10.53.0.1)
+   ;; WHEN: Tue Mar 10 16:07:51 GMT 2020
+   ;; MSG SIZE  rcvd: 78
+
+On the other hand, if DNSSEC validation is disabled (by adding the
+statement ``dnssec-validation no;`` to the ``options`` clause in the
+configuration file), the lookup succeeds:
+
+::
+
+   $ dig @10.53.0.1 www.dnssec-failed.org. A
+
+   ; <<>> DiG 9.16.0 <<>> @10.53.0.1 www.dnssec-failed.org. A
+   ; (1 server found)
+   ;; global options: +cmd
+   ;; Got answer:
+   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54704
+   ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
+
+   ;; OPT PSEUDOSECTION:
+   ; EDNS: version: 0, flags:; udp: 4096
+   ; COOKIE: 251eee58208917f9010000005e67bb6829f6dabc5ae6b7b9 (good)
+   ;; QUESTION SECTION:
+   ;www.dnssec-failed.org.     IN  A
+
+   ;; ANSWER SECTION:
+   www.dnssec-failed.org.  7200    IN  A   68.87.109.242
+   www.dnssec-failed.org.  7200    IN  A   69.252.193.191
+
+   ;; Query time: 439 msec
+   ;; SERVER: 10.53.0.1#53(10.53.0.1)
+   ;; WHEN: Tue Mar 10 16:08:08 GMT 2020
+   ;; MSG SIZE  rcvd: 110
+
+Do not be tempted to disable DNSSEC validation just because some names
+are failing to resolve. Remember, DNSSEC protects your DNS lookup from
+hacking. The next section describes how to quickly check whether
+the failure to successfully look up a name is due to a validation
+failure.
+
+.. _how_do_i_know_validation_problem:
+
+How Do I Know I Have a Validation Problem?
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Since all DNSSEC validation failures result in a general ``SERVFAIL``
+message, how do we know if it was really a validation error?
+Fortunately, there is a flag in ``dig``, (``+cd``, for "checking
+disabled") which tells the server to disable DNSSEC validation. If
+you receive a ``SERVFAIL`` message, re-run the query a second time
+and set the ``+cd`` flag. If the query succeeds with ``+cd``, but
+ends in ``SERVFAIL`` without it, you know you are dealing with a
+validation problem. So using the previous example of
+``www.dnssec-failed.org`` and with DNSSEC validation enabled in the
+resolver:
+
+::
+
+   $ dig @10.53.0.1 www.dnssec-failed.org A +cd
+
+   ; <<>> DiG 9.16.0 <<>> @10.53.0.1 www.dnssec-failed.org. A +cd
+   ; (1 server found)
+   ;; global options: +cmd
+   ;; Got answer:
+   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62313
+   ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
+
+   ;; OPT PSEUDOSECTION:
+   ; EDNS: version: 0, flags:; udp: 4096
+   ; COOKIE: 73ca1be3a74dd2cf010000005e67c8c8e6df64b519cd87fd (good)
+   ;; QUESTION SECTION:
+   ;www.dnssec-failed.org.     IN  A
+
+   ;; ANSWER SECTION:
+   www.dnssec-failed.org.  7197    IN  A   68.87.109.242
+   www.dnssec-failed.org.  7197    IN  A   69.252.193.191
+
+   ;; Query time: 0 msec
+   ;; SERVER: 10.53.0.1#53(10.53.0.1)
+   ;; WHEN: Tue Mar 10 17:05:12 GMT 2020
+   ;; MSG SIZE  rcvd: 110
+
+For more information on troubleshooting, please see
+:ref:`dnssec_troubleshooting`.
+
+.. _validation_easy_start_explained:
+
+Validation Easy Start Explained
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+In :ref:`easy_start_guide_for_recursive_servers`, we used one line
+of configuration to turn on DNSSEC validation: the act of chasing down
+signatures and keys, making sure they are authentic. Now we are going to
+take a closer look at what DNSSEC validation actually does, and some other options.
+
+.. _dnssec_validation_explained:
+
+``dnssec-validation``
+^^^^^^^^^^^^^^^^^^^^^
+
+::
+
+   options {
+       dnssec-validation auto;
+   };
+
+This “auto� line enables automatic DNSSEC trust anchor configuration
+using the ``managed-keys`` feature. In this case, no manual key
+configuration is needed. There are three possible choices for the
+``dnssec-validation`` option:
+
+-  *yes*: DNSSEC validation is enabled, but a trust anchor must be
+   manually configured. No validation actually takes place until
+   at least one trusted key has been manually configured.
+
+-  *no*: DNSSEC validation is disabled, and the recursive server behaves
+   in the "old-fashioned" way of performing insecure DNS lookups.
+
+-  *auto*: DNSSEC validation is enabled, and a default trust anchor
+   (included as part of BIND 9) for the DNS root zone is used. This is the
+   default; BIND automatically does this if there is no
+   ``dnssec-validation`` line in the configuration file.
+
+Let's discuss the difference between *yes* and *auto*. If set to
+*yes*, the trust anchor must be manually defined and maintained
+using the ``trust-anchors`` statement (with either the ``static-key`` or
+``static-ds`` modifier) in the configuration file; if set to
+*auto* (the default, and as shown in the example), then no further
+action should be required as BIND includes a copy [#]_ of the root key.
+When set to *auto*, BIND automatically keeps the keys (also known as
+trust anchors, discussed in :ref:`trust_anchors_description`)
+up-to-date without intervention from the DNS administrator.
+
+We recommend using the default *auto* unless there is a good reason to
+require a manual trust anchor. To learn more about trust anchors,
+please refer to :ref:`trusted_keys_and_managed_keys`.
+
+.. _how_does_dnssec_change_dns_lookup_revisited:
+
+How Does DNSSEC Change DNS Lookup (Revisited)?
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Now you've enabled validation on your recursive name server and
+verified that it works. What exactly changed? In
+:ref:`how_does_dnssec_change_dns_lookup` we looked at a very
+high-level, simplified version of the 12 steps of the DNSSEC validation process. Let's revisit
+that process now and see what your validating resolver is doing in more
+detail. Again, as an example we are looking up the A record for the
+domain name ``www.isc.org`` (see :ref:`dnssec_12_steps`):
+
+1.  The validating resolver queries the ``isc.org`` name servers for the
+    A record of ``www.isc.org``. This query has the ``DNSSEC
+    OK`` (``do``) bit set to 1, notifying the remote authoritative
+    server that DNSSEC answers are desired.
+
+2.  Since the zone ``isc.org`` is signed, and its name servers are
+    DNSSEC-aware, it responds with the answer to the A record query plus
+    the RRSIG for the A record.
+
+3.  The validating resolver queries for the DNSKEY for ``isc.org``.
+
+4.  The ``isc.org`` name server responds with the DNSKEY and RRSIG
+    records. The DNSKEY is used to verify the answers received in #2.
+
+5.  The validating resolver queries the parent (``.org``) for the DS
+    record for ``isc.org``.
+
+6.  The ``.org`` name server is also DNSSEC-aware, so it responds with the
+    DS and RRSIG records. The DS record is used to verify the answers
+    received in #4.
+
+7.  The validating resolver queries for the DNSKEY for ``.org``.
+
+8.  The ``.org`` name server responds with its DNSKEY and RRSIG. The DNSKEY
+    is used to verify the answers received in #6.
+
+9.  The validating resolver queries the parent (root) for the DS record
+    for ``.org``.
+
+10. The root name server, being DNSSEC-aware, responds with DS and RRSIG
+    records. The DS record is used to verify the answers received in #8.
+
+11. The validating resolver queries for the DNSKEY for root.
+
+12. The root name server responds with its DNSKEY and RRSIG. The DNSKEY is
+    used to verify the answers received in #10.
+
+After step #12, the validating resolver takes the DNSKEY received and
+compares it to the key or keys it has configured, to decide whether
+the received key can be trusted. We talk about these locally
+configured keys, or trust anchors, in :ref:`trust_anchors_description`.
+
+With DNSSEC, every response includes not just the
+answer, but a digital signature (RRSIG) as well, so the
+validating resolver can verify the answer received. That is what we
+look at in the next section, :ref:`how_are_answers_verified`.
+
+.. _how_are_answers_verified:
+
+How Are Answers Verified?
+^^^^^^^^^^^^^^^^^^^^^^^^^
+
+.. note::
+
+   Keep in mind, as you read this section, that although words like
+   "encryption" and "decryption"
+   are used here from time to time, DNSSEC does not provide privacy.
+   Public key cryptography is used to verify data *authenticity* (who
+   sent it) and data *integrity* (it did not change during transit), but
+   any eavesdropper can still see DNS requests and responses in
+   clear text, even when DNSSEC is enabled.
+
+So how exactly are DNSSEC answers verified? Let's first see how verifiable information is
+generated. On the authoritative server, each DNS record (or message) is
+run through a hash function, and this hashed value is then encrypted by a
+private key. This encrypted hash value is the digital signature.
+
+.. figure:: ../dnssec-guide/img/signature-generation.png
+   :alt: Signature Generation
+   :width: 80.0%
+
+   Signature Generation
+
+When the validating resolver queries for the resource record, it
+receives both the plain-text message and the digital signature(s). The
+validating resolver knows the hash function used (it is listed in the digital
+signature record itself), so it can take the plain-text message and run
+it through the same hash function to produce a hashed value, which we'll call
+hash value X. The validating resolver can also obtain the public key
+(published as DNSKEY records), decrypt the digital signature, and get
+back the original hashed value produced by the authoritative server,
+which we'll call hash value Y. If hash values X and Y are identical, and
+the time is correct (more on what this means below), the answer is
+verified, meaning this answer came from the authoritative server
+(authenticity), and the content remained intact during transit
+(integrity).
+
+.. figure:: ../dnssec-guide/img/signature-verification.png
+   :alt: Signature Verification
+   :width: 80.0%
+
+   Signature Verification
+
+Take the A record ``ftp.isc.org``, for example. The plain text is:
+
+::
+
+   ftp.isc.org.     4 IN A  149.20.1.49
+
+The digital signature portion is:
+
+::
+
+   ftp.isc.org.      300 IN RRSIG A 13 3 300 (
+                   20200401191851 20200302184340 27566 isc.org.
+                   e9Vkb6/6aHMQk/t23Im71ioiDUhB06sncsduoW9+Asl4
+                   L3TZtpLvZ5+zudTJC2coI4D/D9AXte1cD6FV6iS6PQ== )
+
+When a validating resolver queries for the A record ``ftp.isc.org``, it
+receives both the A record and the RRSIG record. It runs the A record
+through a hash function (in this example, SHA256 as
+indicated by the number 13, signifying ECDSAP256SHA256) and produces
+hash value X. The resolver also fetches the appropriate DNSKEY record to
+decrypt the signature, and the result of the decryption is hash value Y.
+
+But wait, there's more! Just because X equals Y doesn't mean everything
+is good. We still have to look at the time. Remember we mentioned a
+little earlier that we need to check if the time is correct? Look
+at the two timestamps in our example above:
+
+-  Signature Expiration: 20200401191851
+
+-  Signature Inception: 20200302184340
+
+This tells us that this signature was generated UTC March 2nd, 2020, at
+6:43:40 PM (20200302184340), and it is good until UTC April 1st, 2020,
+7:18:51 PM (20200401191851). The validating resolver's current
+system time needs to fall between these two timestamps. If it does not, the
+validation fails, because it could be an attacker replaying an old
+captured answer set from the past, or feeding us a crafted one with
+incorrect future timestamps.
+
+If the answer passes both the hash value check and the timestamp check, it is
+validated and the authenticated data (``ad``) bit is set, and the response
+is sent to the client; if it does not verify, a SERVFAIL is returned to
+the client.
+
+.. [#]
+   BIND technically includes two copies of the root key: one is in
+   ``bind.keys.h`` and is built into the executable, and one is in
+   ``bind.keys`` as a ``trust-anchors`` statement. The two copies of the
+   key are identical.
+
+.. _trust_anchors_description:
+
+Trust Anchors
+~~~~~~~~~~~~~
+
+A trust anchor is a key that is placed into a validating resolver, so
+that the validator can verify the results of a given request with a
+known or trusted public key (the trust anchor). A validating resolver
+must have at least one trust anchor installed to perform DNSSEC
+validation.
+
+.. _how_trust_anchors_are_used:
+
+How Trust Anchors are Used
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+In the section :ref:`how_does_dnssec_change_dns_lookup_revisited`,
+we walked through the 12 steps of the DNSSEC lookup process. At the end
+of the 12 steps, a critical comparison happens: the key received from
+the remote server and the key we have on file are compared to see if we
+trust it. The key we have on file is called a trust anchor, sometimes
+also known as a trust key, trust point, or secure entry point.
+
+The 12-step lookup process describes the DNSSEC lookup in the ideal
+world, where every single domain name is signed and properly delegated,
+and where each validating resolver only needs to have one trust anchor - that
+is, the root's public key. But there is no restriction that the
+validating resolver must only have one trust anchor. In fact, in the
+early stages of DNSSEC adoption, it was not unusual for a validating
+resolver to have more than one trust anchor.
+
+For instance, before the root zone was signed (in July 2010), some
+validating resolvers that wished to validate domain names in the ``.gov``
+zone needed to obtain and install the key for ``.gov``. A sample lookup
+process for ``www.fbi.gov`` at that time would have been eight steps rather
+than 12:
+
+.. figure:: ../dnssec-guide/img/dnssec-8-steps.png
+   :alt: DNSSEC Validation with ``.gov`` Trust Anchor
+
+
+1. The validating resolver queried ``fbi.gov`` name server for the A
+   record of ``www.fbi.gov``.
+
+2. The FBI's name server responded with the answer and its RRSIG.
+
+3. The validating resolver queried the FBI's name server for its DNSKEY.
+
+4. The FBI's name server responded with the DNSKEY and its RRSIG.
+
+5. The validating resolver queried a ``.gov`` name server for the DS
+   record of ``fbi.gov``.
+
+6. The ``.gov`` name server responded with the DS record and the
+   associated RRSIG for ``fbi.gov``.
+
+7. The validating resolver queried the ``.gov`` name server for its DNSKEY.
+
+8. The ``.gov`` name server responded with its DNSKEY and the associated
+   RRSIG.
+
+This all looks very similar, except it's shorter than the 12 steps that
+we saw earlier. Once the validating resolver receives the DNSKEY file in
+#8, it recognizes that this is the manually configured trusted key
+(trust anchor), and never goes to the root name servers to ask for the
+DS record for ``.gov``, or ask the root name servers for their DNSKEY.
+
+In fact, whenever the validating resolver receives a DNSKEY, it checks
+to see if this is a configured trusted key to decide whether it
+needs to continue chasing down the validation chain.
+
+.. _trusted_keys_and_managed_keys:
+
+Trusted Keys and Managed Keys
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Since the resolver is validating, we must have at least one key (trust
+anchor) configured. How did it get here, and how do we maintain it?
+
+If you followed the recommendation in
+:ref:`easy_start_guide_for_recursive_servers`, by setting
+``dnssec-validation`` to *auto*, there is nothing left to do.
+BIND already includes a copy of the root key (in the file
+``bind.keys``), and automatically updates it when the root key
+changes. [#]_ It looks something like this:
+
+::
+
+   trust-anchors {
+           # This key (20326) was published in the root zone in 2017.
+           . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+                   +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+                   ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+                   0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+                   oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+                   RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+                   R1AkUTV74bU=";
+   };
+
+You can, of course, decide to manage this key manually yourself.
+First, you need to make sure that ``dnssec-validation`` is set
+to *yes* rather than *auto*:
+
+::
+
+   options {
+       dnssec-validation yes;
+   };
+
+Then, download the root key manually from a trustworthy source, such as
+`<https://www.isc.org/bind-keys>`__. Finally, take the root key you
+manually downloaded and put it into a ``trust-anchors`` statement as
+shown below:
+
+::
+
+   trust-anchors {
+           # This key (20326) was published in the root zone in 2017.
+           . static-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+                   +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+                   ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+                   0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+                   oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+                   RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+                   R1AkUTV74bU=";
+   };
+
+While this ``trust-anchors`` statement and the one in the ``bind.keys``
+file appear similar, the definition of the key in ``bind.keys`` has the
+``initial-key`` modifier, whereas in the statement in the configuration
+file, that is replaced by ``static-key``. There is an important
+difference between the two: a key defined with ``static-key`` is always
+trusted until it is deleted from the configuration file. With the
+``initial-key`` modified, keys are only trusted once: for as long as it
+takes to load the managed key database and start the key maintenance
+process. Thereafter, BIND uses the managed keys database
+(``managed-keys.bind.jnl``) as the source of key information.
+
+.. warning::
+
+   Remember, if you choose to manage the keys on your own, whenever the
+   key changes (which, for most zones, happens on a periodic basis),
+   the configuration needs to be updated manually. Failure to do so will
+   result in breaking nearly all DNS queries for the subdomain of the
+   key. So if you are manually managing ``.gov``, all domain names in
+   the ``.gov`` space may become unresolvable; if you are manually
+   managing the root key, you could break all DNS requests made to your
+   recursive name server.
+
+Explicit management of keys was common in the early days of DNSSEC, when
+neither the root zone nor many top-level domains were signed. Since
+then, `over 90% <https://stats.research.icann.org/dns/tld_report/>`__ of
+the top-level domains have been signed, including all the largest ones.
+Unless you have a particular need to manage keys yourself, it is best to
+use the BIND defaults and let the software manage the root key.
+
+.. [#]
+   The root zone was signed in July 2010 and, as at the time of this writing
+   (mid-2020), the key has been changed once, in October 2018. The intention going
+   forward is to roll the key once every five years.
+
+.. _whats_edns0_all_about:
+
+What's EDNS All About (And Why Should I Care)?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. _whats-edns0-all-about-overview:
+
+EDNS Overview
+^^^^^^^^^^^^^
+
+Traditional DNS responses are typically small in size (less than 512
+bytes) and fit nicely into a small UDP packet. The Extension mechanism
+for DNS (EDNS, or EDNS(0)) offers a mechanism to send DNS data in
+larger packets over UDP. To support EDNS, both the DNS server
+and the network need to be properly prepared to support the larger
+packet sizes and multiple fragments.
+
+This is important for DNSSEC, since the ``+do`` bit that signals
+DNSSEC-awareness is carried within EDNS, and DNSSEC responses are larger
+than traditional DNS ones. If DNS servers and the network environment cannot
+support large UDP packets, it will cause retransmission over TCP, or the
+larger UDP responses will be discarded. Users will likely experience
+slow DNS resolution or be unable to resolve certain names at all.
+
+Note that EDNS applies regardless of whether you are validating DNSSEC, because
+BIND has DNSSEC enabled by default.
+
+Please see :ref:`network_requirements` for more information on what
+DNSSEC expects from the network environment.
+
+.. _edns_on_dns_servers:
+
+EDNS on DNS Servers
+^^^^^^^^^^^^^^^^^^^
+
+For many years, BIND has had EDNS enabled by default,
+and the UDP packet size is set to a maximum of 4096 bytes. The DNS
+administrator should not need to perform any reconfiguration. You can
+use ``dig`` to verify that your server supports EDNS and see the UDP packet
+size it allows with this ``dig`` command:
+
+::
+
+   $ dig @10.53.0.1 www.isc.org. A +dnssec +multiline
+
+   ; <<>> DiG 9.16.0 <<>> @10.53.0.1 ftp.isc.org a +dnssec +multiline
+   ; (1 server found)
+   ;; global options: +cmd
+   ;; Got answer:
+   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48742
+   ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
+
+   ;; OPT PSEUDOSECTION:
+   ; EDNS: version: 0, flags: do; udp: 4096
+   ; COOKIE: 29a9705c2160b08c010000005e67a4a102b9ae079c1b24c8 (good)
+   ;; QUESTION SECTION:
+   ;ftp.isc.org.       IN A
+
+   ;; ANSWER SECTION:
+   ftp.isc.org.        300 IN A 149.20.1.49
+   ftp.isc.org.        300 IN RRSIG A 13 3 300 (
+                   20200401191851 20200302184340 27566 isc.org.
+                   e9Vkb6/6aHMQk/t23Im71ioiDUhB06sncsduoW9+Asl4
+                   L3TZtpLvZ5+zudTJC2coI4D/D9AXte1cD6FV6iS6PQ== )
+
+   ;; Query time: 452 msec
+   ;; SERVER: 10.53.0.1#53(10.53.0.1)
+   ;; WHEN: Tue Mar 10 14:30:57 GMT 2020
+   ;; MSG SIZE  rcvd: 187
+
+There is a helpful testing tool available (provided by DNS-OARC) that
+you can use to verify resolver behavior regarding EDNS support:
+`<https://www.dns-oarc.net/oarc/services/replysizetest/>`__ .
+
+Once you've verified that your name servers have EDNS enabled, that should be the
+end of the story, right? Unfortunately, EDNS is a hop-by-hop extension
+to DNS. This means the use of EDNS is negotiated between each pair of
+hosts in a DNS resolution process, which in turn means if one of your
+upstream name servers (for instance, your ISP's recursive name server
+that your name server forwards to) does not support EDNS, you may experience DNS
+lookup failures or be unable to perform DNSSEC validation.
+
+.. _support_for_large_packets_network_equipment:
+
+Support for Large Packets on Network Equipment
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+If both your recursive name server and your ISP's name servers
+support EDNS, we are all good here, right? Not so fast. Since these large
+packets have to traverse the network, the network infrastructure
+itself must allow them to pass.
+
+When data is physically transmitted over a network, it has to be broken
+down into chunks. The size of the data chunk is known as the Maximum
+Transmission Unit (MTU), and it can differ from network to
+network. IP fragmentation occurs when a large data packet needs to be
+broken down into chunks smaller than the
+MTU; these smaller chunks then need to be reassembled back into the large
+data packet at their destination. IP fragmentation is not necessarily a bad thing, and it most
+likely occurs on your network today.
+
+Some network equipment, such as a firewall, may make assumptions about
+DNS traffic. One of these assumptions may be how large each DNS packet
+is. When a firewall sees a larger DNS packet than it expects, it may either
+reject the large packet or drop its fragments because the firewall
+thinks it's an attack. This configuration probably didn't cause problems
+in the past, since traditional DNS packets are usually pretty small in
+size. However, with DNSSEC, these configurations need to be updated,
+since DNSSEC traffic regularly exceeds 1500 bytes (a common MTU value).
+If the configuration is not updated to support a larger DNS packet size,
+it often results in the larger packets being rejected, and to the
+end user it looks like the queries go unanswered. Or in the case of
+fragmentation, only a part of the answer makes it to the validating
+resolver, and your validating resolver may need to re-ask the question
+again and again, creating the appearance for end users that the DNS/network is slow.
+
+While you are updating the configuration on your network equipment, make
+sure TCP port 53 is also allowed for DNS traffic.
+
+.. _dns_uses_tcp:
+
+Wait... DNS Uses TCP?
+^^^^^^^^^^^^^^^^^^^^^
+
+Yes. DNS uses TCP port 53 as a fallback mechanism, when it cannot use
+UDP to transmit data. This has always been the case, even long before
+the arrival of DNSSEC. Traditional DNS relies on TCP port 53 for
+operations such as zone transfer. The use of DNSSEC, or DNS with IPv6
+records such as AAAA, increases the chance that DNS data will be
+transmitted via TCP.
+
+Due to the increased packet size, DNSSEC may fall back to TCP more often
+than traditional (insecure) DNS. If your network blocks or
+filters TCP port 53 today, you may already experience instability with
+DNS resolution, before even deploying DNSSEC.
diff --git a/doc/doxygen/Doxyfile.in b/doc/doxygen/Doxyfile.in
new file mode 100644
index 0000000..3304585
--- /dev/null
+++ b/doc/doxygen/Doxyfile.in
@@ -0,0 +1,1280 @@
+# Doxyfile 1.4.7
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# This file describes the settings to be used by the documentation system
+# doxygen (www.doxygen.org) for a project
+#
+# All text after a hash (#) is considered a comment and will be ignored
+# The format is:
+#       TAG = value [value, ...]
+# For lists items can also be appended using:
+#       TAG += value [value, ...]
+# Values that contain spaces should be placed between quotes (" ")
+
+#---------------------------------------------------------------------------
+# Project related configuration options
+#---------------------------------------------------------------------------
+
+# The PROJECT_NAME tag is a single word (or a sequence of words surrounded 
+# by quotes) that should identify the project.
+
+PROJECT_NAME           = "BIND9 Internals"
+
+# The PROJECT_NUMBER tag can be used to enter a project or revision number. 
+# This could be handy for archiving the generated documentation or 
+# if some version control system is used.
+
+PROJECT_NUMBER         = $(BIND9_VERSION)
+
+# The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) 
+# base path where the generated documentation will be put. 
+# If a relative path is entered, it will be relative to the location 
+# where doxygen was started. If left blank the current directory will be used.
+
+OUTPUT_DIRECTORY       = 
+
+# If the CREATE_SUBDIRS tag is set to YES, then doxygen will create 
+# 4096 sub-directories (in 2 levels) under the output directory of each output 
+# format and will distribute the generated files over these directories. 
+# Enabling this option can be useful when feeding doxygen a huge amount of 
+# source files, where putting all generated files in the same directory would 
+# otherwise cause performance problems for the file system.
+
+CREATE_SUBDIRS         = NO
+
+# The OUTPUT_LANGUAGE tag is used to specify the language in which all 
+# documentation generated by doxygen is written. Doxygen will use this 
+# information to generate all constant output in the proper language. 
+# The default language is English, other supported languages are: 
+# Brazilian, Catalan, Chinese, Chinese-Traditional, Croatian, Czech, Danish, 
+# Dutch, Finnish, French, German, Greek, Hungarian, Italian, Japanese, 
+# Japanese-en (Japanese with English messages), Korean, Korean-en, Norwegian, 
+# Polish, Portuguese, Romanian, Russian, Serbian, Slovak, Slovene, Spanish, 
+# Swedish, and Ukrainian.
+
+OUTPUT_LANGUAGE        = English
+
+# This tag can be used to specify the encoding used in the generated output. 
+# The encoding is not always determined by the language that is chosen, 
+# but also whether or not the output is meant for Windows or non-Windows users. 
+# In case there is a difference, setting the USE_WINDOWS_ENCODING tag to YES 
+# forces the Windows encoding (this is the default for the Windows binary), 
+# whereas setting the tag to NO uses a Unix-style encoding (the default for 
+# all platforms other than Windows).
+
+USE_WINDOWS_ENCODING   = NO
+
+# If the BRIEF_MEMBER_DESC tag is set to YES (the default) Doxygen will 
+# include brief member descriptions after the members that are listed in 
+# the file and class documentation (similar to JavaDoc). 
+# Set to NO to disable this.
+
+BRIEF_MEMBER_DESC      = YES
+
+# If the REPEAT_BRIEF tag is set to YES (the default) Doxygen will prepend 
+# the brief description of a member or function before the detailed description. 
+# Note: if both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the 
+# brief descriptions will be completely suppressed.
+
+REPEAT_BRIEF           = YES
+
+# This tag implements a quasi-intelligent brief description abbreviator 
+# that is used to form the text in various listings. Each string 
+# in this list, if found as the leading text of the brief description, will be 
+# stripped from the text and the result after processing the whole list, is 
+# used as the annotated text. Otherwise, the brief description is used as-is. 
+# If left blank, the following values are used ("$name" is automatically 
+# replaced with the name of the entity): "The $name class" "The $name widget" 
+# "The $name file" "is" "provides" "specifies" "contains" 
+# "represents" "a" "an" "the"
+
+ABBREVIATE_BRIEF       =
+
+# If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then 
+# Doxygen will generate a detailed section even if there is only a brief 
+# description.
+
+ALWAYS_DETAILED_SEC    = NO
+
+# If the INLINE_INHERITED_MEMB tag is set to YES, doxygen will show all 
+# inherited members of a class in the documentation of that class as if those 
+# members were ordinary class members. Constructors, destructors and assignment 
+# operators of the base classes will not be shown.
+
+INLINE_INHERITED_MEMB  = NO
+
+# If the FULL_PATH_NAMES tag is set to YES then Doxygen will prepend the full 
+# path before files name in the file list and in the header files. If set 
+# to NO the shortest path that makes the file name unique will be used.
+
+FULL_PATH_NAMES        = YES
+
+# If the FULL_PATH_NAMES tag is set to YES then the STRIP_FROM_PATH tag 
+# can be used to strip a user-defined part of the path. Stripping is 
+# only done if one of the specified strings matches the left-hand part of 
+# the path. The tag can be used to show relative paths in the file list. 
+# If left blank the directory from which doxygen is run is used as the 
+# path to strip.
+
+STRIP_FROM_PATH        = @BIND9_TOP_BUILDDIR@/
+
+# The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of 
+# the path mentioned in the documentation of a class, which tells 
+# the reader which header file to include in order to use a class. 
+# If left blank only the name of the header file containing the class 
+# definition is used. Otherwise one should specify the include paths that 
+# are normally passed to the compiler using the -I flag.
+
+STRIP_FROM_INC_PATH    = 
+
+# If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter 
+# (but less readable) file names. This can be useful is your file systems 
+# doesn't support long names like on DOS, Mac, or CD-ROM.
+
+SHORT_NAMES            = NO
+
+# If the JAVADOC_AUTOBRIEF tag is set to YES then Doxygen 
+# will interpret the first line (until the first dot) of a JavaDoc-style 
+# comment as the brief description. If set to NO, the JavaDoc 
+# comments will behave just like the Qt-style comments (thus requiring an 
+# explicit @brief command for a brief description.
+
+JAVADOC_AUTOBRIEF      = NO
+
+# The MULTILINE_CPP_IS_BRIEF tag can be set to YES to make Doxygen 
+# treat a multi-line C++ special comment block (i.e. a block of //! or /// 
+# comments) as a brief description. This used to be the default behaviour. 
+# The new default is to treat a multi-line C++ comment block as a detailed 
+# description. Set this tag to YES if you prefer the old behaviour instead.
+
+MULTILINE_CPP_IS_BRIEF = NO
+
+# If the DETAILS_AT_TOP tag is set to YES then Doxygen 
+# will output the detailed description near the top, like JavaDoc.
+# If set to NO, the detailed description appears after the member 
+# documentation.
+
+DETAILS_AT_TOP         = NO
+
+# If the INHERIT_DOCS tag is set to YES (the default) then an undocumented 
+# member inherits the documentation from any documented member that it 
+# re-implements.
+
+INHERIT_DOCS           = YES
+
+# If the SEPARATE_MEMBER_PAGES tag is set to YES, then doxygen will produce 
+# a new page for each member. If set to NO, the documentation of a member will 
+# be part of the file/class/namespace that contains it.
+
+SEPARATE_MEMBER_PAGES  = NO
+
+# The TAB_SIZE tag can be used to set the number of spaces in a tab. 
+# Doxygen uses this value to replace tabs by spaces in code fragments.
+
+TAB_SIZE               = 8
+
+# This tag can be used to specify a number of aliases that acts 
+# as commands in the documentation. An alias has the form "name=value". 
+# For example adding "sideeffect=\par Side Effects:\n" will allow you to 
+# put the command \sideeffect (or @sideeffect) in the documentation, which 
+# will result in a user-defined paragraph with heading "Side Effects:". 
+# You can put \n's in the value part of an alias to insert newlines.
+
+ALIASES                = 
+
+# Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C 
+# sources only. Doxygen will then generate output that is more tailored for C. 
+# For instance, some of the names that are used will be different. The list 
+# of all members will be omitted, etc.
+
+OPTIMIZE_OUTPUT_FOR_C  = YES
+
+# Set the OPTIMIZE_OUTPUT_JAVA tag to YES if your project consists of Java 
+# sources only. Doxygen will then generate output that is more tailored for Java. 
+# For instance, namespaces will be presented as packages, qualified scopes 
+# will look different, etc.
+
+OPTIMIZE_OUTPUT_JAVA   = NO
+
+# If you use STL classes (i.e. std::string, std::vector, etc.) but do not want to 
+# include (a tag file for) the STL sources as input, then you should 
+# set this tag to YES in order to let doxygen match functions declarations and 
+# definitions whose arguments contain STL classes (e.g. func(std::string); v.s. 
+# func(std::string) {}). This also make the inheritance and collaboration 
+# diagrams that involve STL classes more complete and accurate.
+
+BUILTIN_STL_SUPPORT    = NO
+
+# If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC 
+# tag is set to YES, then doxygen will reuse the documentation of the first 
+# member in the group (if any) for the other members of the group. By default 
+# all members of a group must be documented explicitly.
+
+DISTRIBUTE_GROUP_DOC   = YES
+
+# Set the SUBGROUPING tag to YES (the default) to allow class member groups of 
+# the same type (for instance a group of public functions) to be put as a 
+# subgroup of that type (e.g. under the Public Functions section). Set it to 
+# NO to prevent subgrouping. Alternatively, this can be done per class using 
+# the \nosubgrouping command.
+
+SUBGROUPING            = YES
+
+#---------------------------------------------------------------------------
+# Build related configuration options
+#---------------------------------------------------------------------------
+
+# If the EXTRACT_ALL tag is set to YES doxygen will assume all entities in 
+# documentation are documented, even if no documentation was available. 
+# Private class members and static file members will be hidden unless 
+# the EXTRACT_PRIVATE and EXTRACT_STATIC tags are set to YES
+
+EXTRACT_ALL            = YES
+
+# If the EXTRACT_PRIVATE tag is set to YES all private members of a class 
+# will be included in the documentation.
+
+EXTRACT_PRIVATE        = YES
+
+# If the EXTRACT_STATIC tag is set to YES all static members of a file 
+# will be included in the documentation.
+
+EXTRACT_STATIC         = YES
+
+# If the EXTRACT_LOCAL_CLASSES tag is set to YES classes (and structs) 
+# defined locally in source files will be included in the documentation. 
+# If set to NO only classes defined in header files are included.
+
+EXTRACT_LOCAL_CLASSES  = YES
+
+# This flag is only useful for Objective-C code. When set to YES local 
+# methods, which are defined in the implementation section but not in 
+# the interface are included in the documentation. 
+# If set to NO (the default) only methods in the interface are included.
+
+EXTRACT_LOCAL_METHODS  = YES
+
+# If the HIDE_UNDOC_MEMBERS tag is set to YES, Doxygen will hide all 
+# undocumented members of documented classes, files or namespaces. 
+# If set to NO (the default) these members will be included in the 
+# various overviews, but no documentation section is generated. 
+# This option has no effect if EXTRACT_ALL is enabled.
+
+HIDE_UNDOC_MEMBERS     = NO
+
+# If the HIDE_UNDOC_CLASSES tag is set to YES, Doxygen will hide all 
+# undocumented classes that are normally visible in the class hierarchy. 
+# If set to NO (the default) these classes will be included in the various 
+# overviews. This option has no effect if EXTRACT_ALL is enabled.
+
+HIDE_UNDOC_CLASSES     = NO
+
+# If the HIDE_FRIEND_COMPOUNDS tag is set to YES, Doxygen will hide all 
+# friend (class|struct|union) declarations. 
+# If set to NO (the default) these declarations will be included in the 
+# documentation.
+
+HIDE_FRIEND_COMPOUNDS  = NO
+
+# If the HIDE_IN_BODY_DOCS tag is set to YES, Doxygen will hide any 
+# documentation blocks found inside the body of a function. 
+# If set to NO (the default) these blocks will be appended to the 
+# function's detailed documentation block.
+
+HIDE_IN_BODY_DOCS      = NO
+
+# The INTERNAL_DOCS tag determines if documentation 
+# that is typed after a \internal command is included. If the tag is set 
+# to NO (the default) then the documentation will be excluded. 
+# Set it to YES to include the internal documentation.
+
+INTERNAL_DOCS          = NO
+
+# If the CASE_SENSE_NAMES tag is set to NO then Doxygen will only generate 
+# file names in lower-case letters. If set to YES upper-case letters are also 
+# allowed. This is useful if you have classes or files whose names only differ 
+# in case and if your file system supports case sensitive file names. Windows 
+# and Mac users are advised to set this option to NO.
+
+CASE_SENSE_NAMES       = YES
+
+# If the HIDE_SCOPE_NAMES tag is set to NO (the default) then Doxygen 
+# will show members with their full class and namespace scopes in the 
+# documentation. If set to YES the scope will be hidden.
+
+HIDE_SCOPE_NAMES       = NO
+
+# If the SHOW_INCLUDE_FILES tag is set to YES (the default) then Doxygen 
+# will put a list of the files that are included by a file in the documentation 
+# of that file.
+
+SHOW_INCLUDE_FILES     = YES
+
+# If the INLINE_INFO tag is set to YES (the default) then a tag [inline] 
+# is inserted in the documentation for inline members.
+
+INLINE_INFO            = YES
+
+# If the SORT_MEMBER_DOCS tag is set to YES (the default) then doxygen 
+# will sort the (detailed) documentation of file and class members 
+# alphabetically by member name. If set to NO the members will appear in 
+# declaration order.
+
+SORT_MEMBER_DOCS       = NO
+
+# If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the 
+# brief documentation of file, namespace and class members alphabetically 
+# by member name. If set to NO (the default) the members will appear in 
+# declaration order.
+
+SORT_BRIEF_DOCS        = NO
+
+# If the SORT_BY_SCOPE_NAME tag is set to YES, the class list will be 
+# sorted by fully-qualified names, including namespaces. If set to 
+# NO (the default), the class list will be sorted only by class name, 
+# not including the namespace part. 
+# Note: This option is not very useful if HIDE_SCOPE_NAMES is set to YES.
+# Note: This option applies only to the class list, not to the 
+# alphabetical list.
+
+SORT_BY_SCOPE_NAME     = NO
+
+# The GENERATE_TODOLIST tag can be used to enable (YES) or 
+# disable (NO) the todo list. This list is created by putting \todo 
+# commands in the documentation.
+
+GENERATE_TODOLIST      = YES
+
+# The GENERATE_TESTLIST tag can be used to enable (YES) or 
+# disable (NO) the test list. This list is created by putting \test 
+# commands in the documentation.
+
+GENERATE_TESTLIST      = YES
+
+# The GENERATE_BUGLIST tag can be used to enable (YES) or 
+# disable (NO) the bug list. This list is created by putting \bug 
+# commands in the documentation.
+
+GENERATE_BUGLIST       = YES
+
+# The GENERATE_DEPRECATEDLIST tag can be used to enable (YES) or 
+# disable (NO) the deprecated list. This list is created by putting 
+# \deprecated commands in the documentation.
+
+GENERATE_DEPRECATEDLIST= YES
+
+# The ENABLED_SECTIONS tag can be used to enable conditional 
+# documentation sections, marked by \if sectionname ... \endif.
+
+ENABLED_SECTIONS       = 
+
+# The MAX_INITIALIZER_LINES tag determines the maximum number of lines 
+# the initial value of a variable or define consists of for it to appear in 
+# the documentation. If the initializer consists of more lines than specified 
+# here it will be hidden. Use a value of 0 to hide initializers completely. 
+# The appearance of the initializer of individual variables and defines in the 
+# documentation can be controlled using \showinitializer or \hideinitializer 
+# command in the documentation regardless of this setting.
+
+MAX_INITIALIZER_LINES  = 30
+
+# Set the SHOW_USED_FILES tag to NO to disable the list of files generated 
+# at the bottom of the documentation of classes and structs. If set to YES the 
+# list will mention the files that were used to generate the documentation.
+
+SHOW_USED_FILES        = YES
+
+# If the sources in your project are distributed over multiple directories 
+# then setting the SHOW_DIRECTORIES tag to YES will show the directory hierarchy 
+# in the documentation. The default is NO.
+
+SHOW_DIRECTORIES       = YES
+
+# The FILE_VERSION_FILTER tag can be used to specify a program or script that 
+# doxygen should invoke to get the current version for each file (typically from the 
+# version control system). Doxygen will invoke the program by executing (via 
+# popen()) the command <command> <input-file>, where <command> is the value of 
+# the FILE_VERSION_FILTER tag, and <input-file> is the name of an input file 
+# provided by doxygen. Whatever the program writes to standard output 
+# is used as the file version. See the manual for examples.
+
+FILE_VERSION_FILTER    = 
+
+#---------------------------------------------------------------------------
+# configuration options related to warning and progress messages
+#---------------------------------------------------------------------------
+
+# The QUIET tag can be used to turn on/off the messages that are generated 
+# by doxygen. Possible values are YES and NO. If left blank NO is used.
+
+QUIET                  = NO
+
+# The WARNINGS tag can be used to turn on/off the warning messages that are 
+# generated by doxygen. Possible values are YES and NO. If left blank 
+# NO is used.
+
+WARNINGS               = YES
+
+# If WARN_IF_UNDOCUMENTED is set to YES, then doxygen will generate warnings 
+# for undocumented members. If EXTRACT_ALL is set to YES then this flag will 
+# automatically be disabled.
+
+WARN_IF_UNDOCUMENTED   = YES
+
+# If WARN_IF_DOC_ERROR is set to YES, doxygen will generate warnings for 
+# potential errors in the documentation, such as not documenting some 
+# parameters in a documented function, or documenting parameters that 
+# don't exist or using markup commands wrongly.
+
+WARN_IF_DOC_ERROR      = YES
+
+# This WARN_NO_PARAMDOC option can be abled to get warnings for 
+# functions that are documented, but have no documentation for their parameters 
+# or return value. If set to NO (the default) doxygen will only warn about 
+# wrong or incomplete parameter documentation, but not about the absence of 
+# documentation.
+
+WARN_NO_PARAMDOC       = YES
+
+# The WARN_FORMAT tag determines the format of the warning messages that 
+# doxygen can produce. The string should contain the $file, $line, and $text 
+# tags, which will be replaced by the file and line number from which the 
+# warning originated and the warning text. Optionally the format may contain 
+# $version, which will be replaced by the version of the file (if it could 
+# be obtained via FILE_VERSION_FILTER)
+
+WARN_FORMAT            = "$file:$line: $text"
+
+# The WARN_LOGFILE tag can be used to specify a file to which warning 
+# and error messages should be written. If left blank the output is written 
+# to stderr.
+
+WARN_LOGFILE           = 
+
+#---------------------------------------------------------------------------
+# configuration options related to the input files
+#---------------------------------------------------------------------------
+
+# The INPUT tag can be used to specify the files and/or directories that contain 
+# documented source files. You may enter file names like "myfile.cpp" or 
+# directories like "/usr/src/myproject". Separate the files or directories 
+# with spaces.
+
+INPUT                  = @BIND9_TOP_BUILDDIR@/lib/isc		\
+			 @BIND9_TOP_BUILDDIR@/lib/dns		\
+			 @BIND9_TOP_BUILDDIR@/lib/isccfg	\
+			 @BIND9_TOP_BUILDDIR@/lib/isccc		\
+			 @BIND9_TOP_BUILDDIR@/lib/ns		\
+			 @BIND9_TOP_BUILDDIR@/lib/bind9		\
+			 @BIND9_TOP_BUILDDIR@/bin/check		\
+			 @BIND9_TOP_BUILDDIR@/bin/dig		\
+			 @BIND9_TOP_BUILDDIR@/bin/dnssec	\
+			 @BIND9_TOP_BUILDDIR@/bin/named		\
+			 @BIND9_TOP_BUILDDIR@/bin/nsupdate	\
+			 @BIND9_TOP_BUILDDIR@/bin/rndc		\
+			 @BIND9_TOP_BUILDDIR@/doc/doxygen/mainpage
+
+# If the value of the INPUT tag contains directories, you can use the 
+# FILE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp 
+# and *.h) to filter out the source-files in the directories. If left 
+# blank the following patterns are tested: 
+# *.c *.cc *.cxx *.cpp *.c++ *.java *.ii *.ixx *.ipp *.i++ *.inl *.h *.hh *.hxx 
+# *.hpp *.h++ *.idl *.odl *.cs *.php *.php3 *.inc *.m *.mm *.py
+
+FILE_PATTERNS          = *.c *.h *.dox
+
+# The RECURSIVE tag can be used to turn specify whether or not subdirectories 
+# should be searched for input files as well. Possible values are YES and NO. 
+# If left blank NO is used.
+
+RECURSIVE              = YES
+
+# The EXCLUDE tag can be used to specify files and/or directories that should 
+# excluded from the INPUT source files. This way you can easily exclude a 
+# subdirectory from a directory tree whose root is specified with the INPUT tag.
+
+EXCLUDE                =
+
+# The EXCLUDE_SYMLINKS tag can be used select whether or not files or 
+# directories that are symbolic links (a Unix filesystem feature) are excluded 
+# from the input.
+
+EXCLUDE_SYMLINKS       = NO
+
+# If the value of the INPUT tag contains directories, you can use the 
+# EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude 
+# certain files from those directories. Note that the wildcards are matched 
+# against the file with absolute path, so to exclude all test directories 
+# for example use the pattern */test/*
+
+EXCLUDE_PATTERNS       = */win32/* */lib/dns/gen* */lib/dns/rdata/*.h
+
+# The EXAMPLE_PATH tag can be used to specify one or more files or 
+# directories that contain example code fragments that are included (see 
+# the \include command).
+
+EXAMPLE_PATH           = 
+
+# If the value of the EXAMPLE_PATH tag contains directories, you can use the 
+# EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp 
+# and *.h) to filter out the source-files in the directories. If left 
+# blank all files are included.
+
+EXAMPLE_PATTERNS       = *
+
+# If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be 
+# searched for input files to be used with the \include or \dontinclude 
+# commands irrespective of the value of the RECURSIVE tag. 
+# Possible values are YES and NO. If left blank NO is used.
+
+EXAMPLE_RECURSIVE      = NO
+
+# The IMAGE_PATH tag can be used to specify one or more files or 
+# directories that contain image that are included in the documentation (see 
+# the \image command).
+
+IMAGE_PATH             = 
+
+# The INPUT_FILTER tag can be used to specify a program that doxygen should 
+# invoke to filter for each input file. Doxygen will invoke the filter program 
+# by executing (via popen()) the command <filter> <input-file>, where <filter> 
+# is the value of the INPUT_FILTER tag, and <input-file> is the name of an 
+# input file. Doxygen will then use the output that the filter program writes 
+# to standard output.  If FILTER_PATTERNS is specified, this tag will be 
+# ignored.
+
+INPUT_FILTER           = ./doxygen-input-filter
+
+# The FILTER_PATTERNS tag can be used to specify filters on a per file pattern 
+# basis.  Doxygen will compare the file name with each pattern and apply the 
+# filter if there is a match.  The filters are a list of the form: 
+# pattern=filter (like *.cpp=my_cpp_filter). See INPUT_FILTER for further 
+# info on how filters are used. If FILTER_PATTERNS is empty, INPUT_FILTER 
+# is applied to all files.
+
+FILTER_PATTERNS        = 
+
+# If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using 
+# INPUT_FILTER) will be used to filter the input files when producing source 
+# files to browse (i.e. when SOURCE_BROWSER is set to YES).
+
+FILTER_SOURCE_FILES    = NO
+
+#---------------------------------------------------------------------------
+# configuration options related to source browsing
+#---------------------------------------------------------------------------
+
+# If the SOURCE_BROWSER tag is set to YES then a list of source files will 
+# be generated. Documented entities will be cross-referenced with these sources. 
+# Note: To get rid of all source code in the generated output, make sure also 
+# VERBATIM_HEADERS is set to NO.
+
+SOURCE_BROWSER         = YES
+
+# Setting the INLINE_SOURCES tag to YES will include the body 
+# of functions and classes directly in the documentation.
+
+INLINE_SOURCES         = NO
+
+# Setting the STRIP_CODE_COMMENTS tag to YES (the default) will instruct 
+# doxygen to hide any special comment blocks from generated source code 
+# fragments. Normal C and C++ comments will always remain visible.
+
+STRIP_CODE_COMMENTS    = NO
+
+# If the REFERENCED_BY_RELATION tag is set to YES (the default) 
+# then for each documented function all documented 
+# functions referencing it will be listed.
+
+REFERENCED_BY_RELATION = YES
+
+# If the REFERENCES_RELATION tag is set to YES (the default) 
+# then for each documented function all documented entities 
+# called/used by that function will be listed.
+
+REFERENCES_RELATION    = YES
+
+# If the REFERENCES_LINK_SOURCE tag is set to YES (the default)
+# and SOURCE_BROWSER tag is set to YES, then the hyperlinks from
+# functions in REFERENCES_RELATION and REFERENCED_BY_RELATION lists will
+# link to the source code.  Otherwise they will link to the documentstion.
+
+REFERENCES_LINK_SOURCE = YES
+
+# If the USE_HTAGS tag is set to YES then the references to source code 
+# will point to the HTML generated by the htags(1) tool instead of doxygen 
+# built-in source browser. The htags tool is part of GNU's global source 
+# tagging system (see http://www.gnu.org/software/global/global.html). You 
+# will need version 4.8.6 or higher.
+
+USE_HTAGS              = NO
+
+# If the VERBATIM_HEADERS tag is set to YES (the default) then Doxygen 
+# will generate a verbatim copy of the header file for each class for 
+# which an include is specified. Set to NO to disable this.
+
+VERBATIM_HEADERS       = YES
+
+#---------------------------------------------------------------------------
+# configuration options related to the alphabetical class index
+#---------------------------------------------------------------------------
+
+# If the ALPHABETICAL_INDEX tag is set to YES, an alphabetical index 
+# of all compounds will be generated. Enable this if the project 
+# contains a lot of classes, structs, unions or interfaces.
+
+ALPHABETICAL_INDEX     = YES
+
+# If the alphabetical index is enabled (see ALPHABETICAL_INDEX) then 
+# the COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns 
+# in which this list will be split (can be a number in the range [1..20])
+
+COLS_IN_ALPHA_INDEX    = 5
+
+# In case all classes in a project start with a common prefix, all 
+# classes will be put under the same header in the alphabetical index. 
+# The IGNORE_PREFIX tag can be used to specify one or more prefixes that 
+# should be ignored while generating the index headers.
+
+IGNORE_PREFIX          = 
+
+#---------------------------------------------------------------------------
+# configuration options related to the HTML output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_HTML tag is set to YES (the default) Doxygen will 
+# generate HTML output.
+
+GENERATE_HTML          = YES
+
+# The HTML_OUTPUT tag is used to specify where the HTML docs will be put. 
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
+# put in front of it. If left blank `html' will be used as the default path.
+
+HTML_OUTPUT            = html
+
+# The HTML_FILE_EXTENSION tag can be used to specify the file extension for 
+# each generated HTML page (for example: .htm,.php,.asp). If it is left blank 
+# doxygen will generate files with .html extension.
+
+HTML_FILE_EXTENSION    = .html
+
+# The HTML_HEADER tag can be used to specify a personal HTML header for 
+# each generated HTML page. If it is left blank doxygen will generate a 
+# standard header.
+
+HTML_HEADER            = @srcdir@/isc-header.html
+
+# The HTML_FOOTER tag can be used to specify a personal HTML footer for 
+# each generated HTML page. If it is left blank doxygen will generate a 
+# standard footer.
+
+HTML_FOOTER            = @srcdir@/isc-footer.html
+
+# The HTML_STYLESHEET tag can be used to specify a user-defined cascading 
+# style sheet that is used by each HTML page. It can be used to 
+# fine-tune the look of the HTML output. If the tag is left blank doxygen 
+# will generate a default style sheet. Note that doxygen will try to copy 
+# the style sheet file to the HTML output directory, so don't put your own 
+# stylesheet in the HTML output directory as well, or it will be erased!
+
+HTML_STYLESHEET        = 
+
+# If the HTML_ALIGN_MEMBERS tag is set to YES, the members of classes, 
+# files or namespaces will be aligned in HTML using tables. If set to 
+# NO a bullet list will be used.
+
+HTML_ALIGN_MEMBERS     = YES
+
+# If the GENERATE_HTMLHELP tag is set to YES, additional index files 
+# will be generated that can be used as input for tools like the 
+# Microsoft HTML help workshop to generate a compressed HTML help file (.chm) 
+# of the generated HTML documentation.
+
+GENERATE_HTMLHELP      = NO
+
+# If the GENERATE_HTMLHELP tag is set to YES, the CHM_FILE tag can 
+# be used to specify the file name of the resulting .chm file. You 
+# can add a path in front of the file if the result should not be 
+# written to the html output directory.
+
+CHM_FILE               = 
+
+# If the GENERATE_HTMLHELP tag is set to YES, the HHC_LOCATION tag can 
+# be used to specify the location (absolute path including file name) of 
+# the HTML help compiler (hhc.exe). If non-empty doxygen will try to run 
+# the HTML help compiler on the generated index.hhp.
+
+HHC_LOCATION           = 
+
+# If the GENERATE_HTMLHELP tag is set to YES, the GENERATE_CHI flag 
+# controls if a separate .chi index file is generated (YES) or that 
+# it should be included in the master .chm file (NO).
+
+GENERATE_CHI           = NO
+
+# If the GENERATE_HTMLHELP tag is set to YES, the BINARY_TOC flag 
+# controls whether a binary table of contents is generated (YES) or a 
+# normal table of contents (NO) in the .chm file.
+
+BINARY_TOC             = NO
+
+# The TOC_EXPAND flag can be set to YES to add extra items for group members 
+# to the contents of the HTML help documentation and to the tree view.
+
+TOC_EXPAND             = NO
+
+# The DISABLE_INDEX tag can be used to turn on/off the condensed index at 
+# top of each HTML page. The value NO (the default) enables the index and 
+# the value YES disables it.
+
+DISABLE_INDEX          = NO
+
+# This tag can be used to set the number of enum values (range [1..20]) 
+# that doxygen will group on one line in the generated HTML documentation.
+
+ENUM_VALUES_PER_LINE   = 4
+
+# If the GENERATE_TREEVIEW tag is set to YES, a side panel will be
+# generated containing a tree-like index structure (just like the one that 
+# is generated for HTML Help). For this to work a browser that supports 
+# JavaScript, DHTML, CSS and frames is required (for instance Mozilla 1.0+, 
+# Netscape 6.0+, Internet explorer 5.0+, or Konqueror). Windows users are 
+# probably better off using the HTML help feature.
+
+GENERATE_TREEVIEW      = NO
+
+# If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be 
+# used to set the initial width (in pixels) of the frame in which the tree 
+# is shown.
+
+TREEVIEW_WIDTH         = 250
+
+#---------------------------------------------------------------------------
+# configuration options related to the LaTeX output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_LATEX tag is set to YES (the default) Doxygen will 
+# generate Latex output.
+
+GENERATE_LATEX         = NO
+
+# The LATEX_OUTPUT tag is used to specify where the LaTeX docs will be put. 
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
+# put in front of it. If left blank `latex' will be used as the default path.
+
+LATEX_OUTPUT           = latex
+
+# The LATEX_CMD_NAME tag can be used to specify the LaTeX command name to be 
+# invoked. If left blank `latex' will be used as the default command name.
+
+LATEX_CMD_NAME         = latex
+
+# The MAKEINDEX_CMD_NAME tag can be used to specify the command name to 
+# generate index for LaTeX. If left blank `makeindex' will be used as the 
+# default command name.
+
+MAKEINDEX_CMD_NAME     = makeindex
+
+# If the COMPACT_LATEX tag is set to YES Doxygen generates more compact 
+# LaTeX documents. This may be useful for small projects and may help to 
+# save some trees in general.
+
+COMPACT_LATEX          = YES
+
+# The PAPER_TYPE tag can be used to set the paper type that is used 
+# by the printer. Possible values are: a4, a4wide, letter, legal and 
+# executive. If left blank a4wide will be used.
+
+PAPER_TYPE             = letter
+
+# The EXTRA_PACKAGES tag can be to specify one or more names of LaTeX 
+# packages that should be included in the LaTeX output.
+
+EXTRA_PACKAGES         = 
+
+# The LATEX_HEADER tag can be used to specify a personal LaTeX header for 
+# the generated latex document. The header should contain everything until 
+# the first chapter. If it is left blank doxygen will generate a 
+# standard header. Notice: only use this tag if you know what you are doing!
+
+LATEX_HEADER           = 
+
+# If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated 
+# is prepared for conversion to pdf (using ps2pdf). The pdf file will 
+# contain links (just like the HTML output) instead of page references 
+# This makes the output suitable for online browsing using a pdf viewer.
+
+PDF_HYPERLINKS         = NO
+
+# If the USE_PDFLATEX tag is set to YES, pdflatex will be used instead of 
+# plain latex in the generated Makefile. Set this option to YES to get a 
+# higher quality PDF documentation.
+
+USE_PDFLATEX           = YES
+
+# If the LATEX_BATCHMODE tag is set to YES, doxygen will add the \\batchmode. 
+# command to the generated LaTeX files. This will instruct LaTeX to keep 
+# running if errors occur, instead of asking the user for help. 
+# This option is also used when generating formulas in HTML.
+
+LATEX_BATCHMODE        = YES
+
+# If LATEX_HIDE_INDICES is set to YES then doxygen will not 
+# include the index chapters (such as File Index, Compound Index, etc.) 
+# in the output.
+
+LATEX_HIDE_INDICES     = YES
+
+#---------------------------------------------------------------------------
+# configuration options related to the RTF output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_RTF tag is set to YES Doxygen will generate RTF output 
+# The RTF output is optimized for Word 97 and may not look very pretty with 
+# other RTF readers or editors.
+
+GENERATE_RTF           = NO
+
+# The RTF_OUTPUT tag is used to specify where the RTF docs will be put. 
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
+# put in front of it. If left blank `rtf' will be used as the default path.
+
+RTF_OUTPUT             = rtf
+
+# If the COMPACT_RTF tag is set to YES Doxygen generates more compact 
+# RTF documents. This may be useful for small projects and may help to 
+# save some trees in general.
+
+COMPACT_RTF            = NO
+
+# If the RTF_HYPERLINKS tag is set to YES, the RTF that is generated 
+# will contain hyperlink fields. The RTF file will 
+# contain links (just like the HTML output) instead of page references. 
+# This makes the output suitable for online browsing using WORD or other 
+# programs which support those fields. 
+# Note: wordpad (write) and others do not support links.
+
+RTF_HYPERLINKS         = NO
+
+# Load stylesheet definitions from file. Syntax is similar to doxygen's 
+# config file, i.e. a series of assignments. You only have to provide 
+# replacements, missing definitions are set to their default value.
+
+RTF_STYLESHEET_FILE    = 
+
+# Set optional variables used in the generation of an rtf document. 
+# Syntax is similar to doxygen's config file.
+
+RTF_EXTENSIONS_FILE    = 
+
+#---------------------------------------------------------------------------
+# configuration options related to the man page output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_MAN tag is set to YES (the default) Doxygen will 
+# generate man pages
+
+GENERATE_MAN           = NO
+
+# The MAN_OUTPUT tag is used to specify where the man pages will be put. 
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
+# put in front of it. If left blank `man' will be used as the default path.
+
+MAN_OUTPUT             = man
+
+# The MAN_EXTENSION tag determines the extension that is added to 
+# the generated man pages (default is the subroutine's section .3)
+
+MAN_EXTENSION          = .3
+
+# If the MAN_LINKS tag is set to YES and Doxygen generates man output, 
+# then it will generate one additional man file for each entity 
+# documented in the real man page(s). These additional files 
+# only source the real man page, but without them the man command 
+# would be unable to find the correct page. The default is NO.
+
+MAN_LINKS              = NO
+
+#---------------------------------------------------------------------------
+# configuration options related to the XML output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_XML tag is set to YES Doxygen will 
+# generate an XML file that captures the structure of 
+# the code including all documentation.
+
+GENERATE_XML           = YES
+
+# The XML_OUTPUT tag is used to specify where the XML pages will be put. 
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
+# put in front of it. If left blank `xml' will be used as the default path.
+
+XML_OUTPUT             = xml
+
+# The XML_SCHEMA tag can be used to specify an XML schema, 
+# which can be used by a validating XML parser to check the 
+# syntax of the XML files.
+
+XML_SCHEMA             = 
+
+# The XML_DTD tag can be used to specify an XML DTD, 
+# which can be used by a validating XML parser to check the 
+# syntax of the XML files.
+
+XML_DTD                = 
+
+# If the XML_PROGRAMLISTING tag is set to YES Doxygen will 
+# dump the program listings (including syntax highlighting 
+# and cross-referencing information) to the XML output. Note that 
+# enabling this will significantly increase the size of the XML output.
+
+XML_PROGRAMLISTING     = YES
+
+#---------------------------------------------------------------------------
+# configuration options for the AutoGen Definitions output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_AUTOGEN_DEF tag is set to YES Doxygen will 
+# generate an AutoGen Definitions (see autogen.sf.net) file 
+# that captures the structure of the code including all 
+# documentation. Note that this feature is still experimental 
+# and incomplete at the moment.
+
+GENERATE_AUTOGEN_DEF   = NO
+
+#---------------------------------------------------------------------------
+# configuration options related to the Perl module output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_PERLMOD tag is set to YES Doxygen will 
+# generate a Perl module file that captures the structure of 
+# the code including all documentation. Note that this 
+# feature is still experimental and incomplete at the 
+# moment.
+
+GENERATE_PERLMOD       = NO
+
+# If the PERLMOD_LATEX tag is set to YES Doxygen will generate 
+# the necessary Makefile rules, Perl scripts and LaTeX code to be able 
+# to generate PDF and DVI output from the Perl module output.
+
+PERLMOD_LATEX          = NO
+
+# If the PERLMOD_PRETTY tag is set to YES the Perl module output will be 
+# nicely formatted so it can be parsed by a human reader.  This is useful 
+# if you want to understand what is going on.  On the other hand, if this 
+# tag is set to NO the size of the Perl module output will be much smaller 
+# and Perl will parse it just the same.
+
+PERLMOD_PRETTY         = YES
+
+# The names of the make variables in the generated doxyrules.make file 
+# are prefixed with the string contained in PERLMOD_MAKEVAR_PREFIX. 
+# This is useful so different doxyrules.make files included by the same 
+# Makefile don't overwrite each other's variables.
+
+PERLMOD_MAKEVAR_PREFIX = 
+
+#---------------------------------------------------------------------------
+# Configuration options related to the preprocessor   
+#---------------------------------------------------------------------------
+
+# If the ENABLE_PREPROCESSING tag is set to YES (the default) Doxygen will 
+# evaluate all C-preprocessor directives found in the sources and include 
+# files.
+
+ENABLE_PREPROCESSING   = YES
+
+# If the MACRO_EXPANSION tag is set to YES Doxygen will expand all macro 
+# names in the source code. If set to NO (the default) only conditional 
+# compilation will be performed. Macro expansion can be done in a controlled 
+# way by setting EXPAND_ONLY_PREDEF to YES.
+
+MACRO_EXPANSION        = YES
+
+# If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES 
+# then the macro expansion is limited to the macros specified with the 
+# PREDEFINED and EXPAND_AS_DEFINED tags.
+
+EXPAND_ONLY_PREDEF     = YES
+
+# If the SEARCH_INCLUDES tag is set to YES (the default) the includes files 
+# in the INCLUDE_PATH (see below) will be search if a #include is found.
+
+SEARCH_INCLUDES        = YES
+
+# The INCLUDE_PATH tag can be used to specify one or more directories that 
+# contain include files that are not input files but should be processed by 
+# the preprocessor.
+
+INCLUDE_PATH           = 
+
+# You can use the INCLUDE_FILE_PATTERNS tag to specify one or more wildcard 
+# patterns (like *.h and *.hpp) to filter out the header-files in the 
+# directories. If left blank, the patterns specified with FILE_PATTERNS will 
+# be used.
+
+INCLUDE_FILE_PATTERNS  = 
+
+# The PREDEFINED tag can be used to specify one or more macro names that 
+# are defined before the preprocessor is started (similar to the -D option of 
+# gcc). The argument of the tag is a list of macros of the form: name 
+# or name=definition (no spaces). If the definition and the = are 
+# omitted =1 is assumed. To prevent a macro definition from being 
+# undefined via #undef or recursively expanded use the := operator 
+# instead of the = operator.
+
+PREDEFINED             = "ISC_FORMAT_PRINTF(fmt, args)=" \
+			 "LIBRPZ_PF(f, l)="
+
+# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then 
+# this tag can be used to specify a list of macro names that should be expanded. 
+# The macro definition that is found in the sources will be used. 
+# Use the PREDEFINED tag if you want to use a different macro definition.
+
+EXPAND_AS_DEFINED      = 
+
+# If the SKIP_FUNCTION_MACROS tag is set to YES (the default) then 
+# doxygen's preprocessor will remove all function-like macros that are alone 
+# on a line, have an all uppercase name, and do not end with a semicolon. Such 
+# function macros are typically used for boiler-plate code, and will confuse 
+# the parser if not removed.
+
+SKIP_FUNCTION_MACROS   = YES
+
+#---------------------------------------------------------------------------
+# Configuration::additions related to external references   
+#---------------------------------------------------------------------------
+
+# The TAGFILES option can be used to specify one or more tagfiles. 
+# Optionally an initial location of the external documentation 
+# can be added for each tagfile. The format of a tag file without 
+# this location is as follows: 
+#   TAGFILES = file1 file2 ... 
+# Adding location for the tag files is done as follows: 
+#   TAGFILES = file1=loc1 "file2 = loc2" ... 
+# where "loc1" and "loc2" can be relative or absolute paths or 
+# URLs. If a location is present for each tag, the installdox tool 
+# does not have to be run to correct the links.
+# Note that each tag file must have a unique name
+# (where the name does NOT include the path)
+# If a tag file is not located in the directory in which doxygen 
+# is run, you must also specify the path to the tagfile here.
+
+TAGFILES               = 
+
+# When a file name is specified after GENERATE_TAGFILE, doxygen will create 
+# a tag file that is based on the input files it reads.
+
+GENERATE_TAGFILE       = 
+
+# If the ALLEXTERNALS tag is set to YES all external classes will be listed 
+# in the class index. If set to NO only the inherited external classes 
+# will be listed.
+
+ALLEXTERNALS           = NO
+
+# If the EXTERNAL_GROUPS tag is set to YES all external groups will be listed 
+# in the modules index. If set to NO, only the current project's groups will 
+# be listed.
+
+EXTERNAL_GROUPS        = YES
+
+# The PERL_PATH should be the absolute path and name of the perl script 
+# interpreter (i.e. the result of `which perl').
+
+PERL_PATH              = @PERL@
+
+#---------------------------------------------------------------------------
+# Configuration options related to the dot tool   
+#---------------------------------------------------------------------------
+
+# If the CLASS_DIAGRAMS tag is set to YES (the default) Doxygen will 
+# generate a inheritance diagram (in HTML, RTF and LaTeX) for classes with base 
+# or super classes. Setting the tag to NO turns the diagrams off. Note that 
+# this option is superseded by the HAVE_DOT option below. This is only a 
+# fallback. It is recommended to install and use dot, since it yields more 
+# powerful graphs.
+
+CLASS_DIAGRAMS         = YES
+
+# If set to YES, the inheritance and collaboration graphs will hide 
+# inheritance and usage relations if the target is undocumented 
+# or is not a class.
+
+HIDE_UNDOC_RELATIONS   = YES
+
+# If you set the HAVE_DOT tag to YES then doxygen will assume the dot tool is 
+# available from the path. This tool is part of Graphviz, a graph visualization 
+# toolkit from AT&T and Lucent Bell Labs. The other options in this section 
+# have no effect if this option is set to NO (the default)
+
+HAVE_DOT               = NO
+
+# If the CLASS_GRAPH and HAVE_DOT tags are set to YES then doxygen 
+# will generate a graph for each documented class showing the direct and 
+# indirect inheritance relations. Setting this tag to YES will force the 
+# the CLASS_DIAGRAMS tag to NO.
+
+CLASS_GRAPH            = YES
+
+# If the COLLABORATION_GRAPH and HAVE_DOT tags are set to YES then doxygen 
+# will generate a graph for each documented class showing the direct and 
+# indirect implementation dependencies (inheritance, containment, and 
+# class references variables) of the class with other documented classes.
+
+COLLABORATION_GRAPH    = YES
+
+# If the GROUP_GRAPHS and HAVE_DOT tags are set to YES then doxygen 
+# will generate a graph for groups, showing the direct groups dependencies
+
+GROUP_GRAPHS           = YES
+
+# If the UML_LOOK tag is set to YES doxygen will generate inheritance and 
+# collaboration diagrams in a style similar to the OMG's Unified Modeling 
+# Language.
+
+UML_LOOK               = NO
+
+# If set to YES, the inheritance and collaboration graphs will show the 
+# relations between templates and their instances.
+
+TEMPLATE_RELATIONS     = NO
+
+# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDE_GRAPH, and HAVE_DOT 
+# tags are set to YES then doxygen will generate a graph for each documented 
+# file showing the direct and indirect include dependencies of the file with 
+# other documented files.
+
+INCLUDE_GRAPH          = YES
+
+# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDED_BY_GRAPH, and 
+# HAVE_DOT tags are set to YES then doxygen will generate a graph for each 
+# documented header file showing the documented files that directly or 
+# indirectly include this file.
+
+INCLUDED_BY_GRAPH      = YES
+
+# If the CALL_GRAPH and HAVE_DOT tags are set to YES then doxygen will 
+# generate a call dependency graph for every global function or class method. 
+# Note that enabling this option will significantly increase the time of a run. 
+# So in most cases it will be better to enable call graphs for selected 
+# functions only using the \callgraph command.
+
+CALL_GRAPH             = NO
+
+# If the CALLER_GRAPH and HAVE_DOT tags are set to YES then doxygen will 
+# generate a caller dependency graph for every global function or class method. 
+# Note that enabling this option will significantly increase the time of a run. 
+# So in most cases it will be better to enable caller graphs for selected 
+# functions only using the \callergraph command.
+
+CALLER_GRAPH           = YES
+
+# If the GRAPHICAL_HIERARCHY and HAVE_DOT tags are set to YES then doxygen 
+# will graphical hierarchy of all classes instead of a textual one.
+
+GRAPHICAL_HIERARCHY    = YES
+
+# If the DIRECTORY_GRAPH, SHOW_DIRECTORIES and HAVE_DOT tags are set to YES 
+# then doxygen will show the dependencies a directory has on other directories 
+# in a graphical way. The dependency relations are determined by the #include
+# relations between the files in the directories.
+
+DIRECTORY_GRAPH        = YES
+
+# The DOT_IMAGE_FORMAT tag can be used to set the image format of the images 
+# generated by dot. Possible values are png, jpg, or gif
+# If left blank png will be used.
+
+DOT_IMAGE_FORMAT       = png
+
+# The tag DOT_PATH can be used to specify the path where the dot tool can be 
+# found. If left blank, it is assumed the dot tool can be found in the path.
+
+DOT_PATH               = 
+
+# The DOTFILE_DIRS tag can be used to specify one or more directories that 
+# contain dot files that are included in the documentation (see the 
+# \dotfile command).
+
+DOTFILE_DIRS           = 
+
+# The MAX_DOT_GRAPH_WIDTH tag can be used to set the maximum allowed width 
+# (in pixels) of the graphs generated by dot. If a graph becomes larger than 
+# this value, doxygen will try to truncate the graph, so that it fits within 
+# the specified constraint. Beware that most browsers cannot cope with very 
+# large images.
+
+MAX_DOT_GRAPH_WIDTH    = 1024
+
+# The MAX_DOT_GRAPH_HEIGHT tag can be used to set the maximum allows height 
+# (in pixels) of the graphs generated by dot. If a graph becomes larger than 
+# this value, doxygen will try to truncate the graph, so that it fits within 
+# the specified constraint. Beware that most browsers cannot cope with very 
+# large images.
+
+MAX_DOT_GRAPH_HEIGHT   = 1024
+
+# The MAX_DOT_GRAPH_DEPTH tag can be used to set the maximum depth of the 
+# graphs generated by dot. A depth value of 3 means that only nodes reachable 
+# from the root by following a path via at most 3 edges will be shown. Nodes 
+# that lay further from the root node will be omitted. Note that setting this 
+# option to 1 or 2 may greatly reduce the computation time needed for large 
+# code bases. Also note that a graph may be further truncated if the graph's 
+# image dimensions are not sufficient to fit the graph (see MAX_DOT_GRAPH_WIDTH 
+# and MAX_DOT_GRAPH_HEIGHT). If 0 is used for the depth value (the default), 
+# the graph is not depth-constrained.
+
+MAX_DOT_GRAPH_DEPTH    = 1000
+
+# Set the DOT_TRANSPARENT tag to YES to generate images with a transparent 
+# background. This is disabled by default, which results in a white background. 
+# Warning: Depending on the platform used, enabling this option may lead to 
+# badly anti-aliased labels on the edges of a graph (i.e. they become hard to 
+# read).
+
+DOT_TRANSPARENT        = NO
+
+# Set the DOT_MULTI_TARGETS tag to YES allow dot to generate multiple output 
+# files in one run (i.e. multiple -o and -T options on the command line). This 
+# makes dot run faster, but since only newer versions of dot (>1.8.10) 
+# support this, this feature is disabled by default.
+
+DOT_MULTI_TARGETS      = YES
+
+# If the GENERATE_LEGEND tag is set to YES (the default) Doxygen will 
+# generate a legend page explaining the meaning of the various boxes and 
+# arrows in the dot generated graphs.
+
+GENERATE_LEGEND        = YES
+
+# If the DOT_CLEANUP tag is set to YES (the default) Doxygen will 
+# remove the intermediate dot files that are used to generate 
+# the various graphs.
+
+DOT_CLEANUP            = YES
+
+#---------------------------------------------------------------------------
+# Configuration::additions related to the search engine   
+#---------------------------------------------------------------------------
+
+# The SEARCHENGINE tag specifies whether or not a search engine should be 
+# used. If set to NO the values of all tags below this one will be ignored.
+
+SEARCHENGINE           = NO
+
+# Local Variables:
+# compile-command: "doxygen"
+# End:
diff --git a/doc/doxygen/Makefile.in b/doc/doxygen/Makefile.in
new file mode 100644
index 0000000..46bdff7
--- /dev/null
+++ b/doc/doxygen/Makefile.in
@@ -0,0 +1,33 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+VERSION=@BIND9_VERSION@
+
+# Until and unless we decide to ship all umptyzillion Doxygen output
+# files, distclean for this directory implies docclean.
+
+doc docclean distclean::
+	rm -rf html xml
+
+doc::
+	BIND9_VERSION='${VERSION}' @DOXYGEN@
+
+distclean::
+	rm -f Doxyfile doxygen-input-filter
diff --git a/doc/doxygen/doxygen-input-filter.in b/doc/doxygen/doxygen-input-filter.in
new file mode 100644
index 0000000..2903fa6
--- /dev/null
+++ b/doc/doxygen/doxygen-input-filter.in
@@ -0,0 +1,55 @@
+#!@PERL@ -w
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# Input filter for feeding our source code into Doxygen.
+
+# Slurp whole file at once
+undef $/;
+$_ = <>;
+
+# It turns out that there are a lot of cases where we'd really like to
+# use what Doxygen calls "brief" documentation in a comment.  Doxygen
+# has a shorthand way of doing this -- if one is writing C++.  ISC
+# coding conventions require C, not C++, so we have to do it the
+# verbose way, which makes a lot of comments too long to fit on a
+# single line without violating another ISC coding standard (80
+# character line limit).
+#
+# So we use Doxygen's input filter mechanism to define our own
+# brief comment convention:
+#
+#	/*% foo */
+#
+# expands to
+#
+#	/*! \brief foo */
+#
+# and
+#
+#	/*%< foo */
+#
+# expands to
+#
+#	/*!< \brief foo */
+#
+s{/\*%(<?)}{/*!$1 \\brief }g;
+
+# Doxygen appears to strip trailing newlines when reading files
+# directly but not when reading from an input filter.  Go figure.
+# Future versions of Doxygen might change this, be warned.
+#
+s{\n+\z}{};
+
+# Done, send the result to Doxygen.
+#
+print;
diff --git a/doc/doxygen/isc-footer.html b/doc/doxygen/isc-footer.html
new file mode 100644
index 0000000..43527f0
--- /dev/null
+++ b/doc/doxygen/isc-footer.html
@@ -0,0 +1,21 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - SPDX-License-Identifier: MPL-2.0
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+    <hr size="1">
+    <address style="align: right;">
+      <small>
+	Generated on $datetime by Doxygen $doxygenversion for $projectname $projectnumber
+      </small>
+    </address>
+  </body>
+</html>
diff --git a/doc/doxygen/isc-header.html b/doc/doxygen/isc-header.html
new file mode 100644
index 0000000..d8c2fdf
--- /dev/null
+++ b/doc/doxygen/isc-header.html
@@ -0,0 +1,21 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - SPDX-License-Identifier: MPL-2.0
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<html>
+  <head>
+    <meta http-equiv="Content-Type" content="text/html;charset=iso-8859-1">
+    <title>$title</title>
+    <link href="$relpath$doxygen.css" rel="stylesheet" type="text/css">
+    <link href="$relpath$tabs.css" rel="stylesheet" type="text/css">
+  </head>
+  <body>
diff --git a/doc/doxygen/mainpage b/doc/doxygen/mainpage
new file mode 100644
index 0000000..618ebb8
--- /dev/null
+++ b/doc/doxygen/mainpage
@@ -0,0 +1,96 @@
+// -*- C++ -*-
+//
+// Doxygen text.  Lines beginning with two slashes are comments; lines
+// beginning with three slashes are Doxygen input.
+//
+// Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+//
+// SPDX-License-Identifier: MPL-2.0
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0.  If a copy of the MPL was not distributed with this
+// file, you can obtain one at https://mozilla.org/MPL/2.0/.
+//
+// See the COPYRIGHT file distributed with this work for additional
+// information regarding copyright ownership.
+
+
+/// \mainpage
+/// \section mainpage_overview Overview
+/// \par
+///
+/// This is the beginning of an internals manual for BIND9.  It's
+/// still very rough in many places.
+///
+/// \li See the files in doc/doxygen for the source to this page and
+///     the Doxygen configuration that generates the rest of the manual.
+///
+/// \li See the tabs at the top of the screen to navigate through the
+///     generated documentation.
+///
+/// \li See <a href="http://www.doxygen.org/">the Doxygen web site</a>
+///     for more information about Doxygen, including its manual.
+///
+/// \section mainpage_knownissues Known Issues
+/// \par
+///
+/// Known issues with our current use of Doxygen:
+///
+/// \li In a major departure from previous attempts to use Doxygen
+///     with BIND9, this manual attempts to take the simplest approach
+///     to every choice Doxygen gives us.  We don't generate fancy
+///     extra Doxygen tags files from the RFC database.  We don't
+///     attempt to use Doxygen as a wrapper framework for other
+///     documentation (eg, ISC Tech Notes, the ARM, ...).  We don't
+///     try to generate the list of files to document on the fly.
+///     Instead, we attempt to use Doxygen's native facilities
+///     wherever possible, on the assumption that we'll add new
+///     features later as we need them but should start as simply as
+///     we can.
+///
+/// \li Our use of \\file is wrong in many places.  We probably should
+///     be marking header files with the names by which we include
+///     them (eg, "dns/resolver.h").  Doxygen reports filename
+///     conflicts in a few cases where it can't work out which of
+///     several files to use.
+///
+/// \li At the moment we're instructing Doxygen to document all
+///     functions, whether they have proper comment markup or not.
+///     This is a good way to see what's been marked up, but might not
+///     be the right approach in the long run.
+///
+/// \li See doc/doxygen/doxygen-input-filter.in for local abbreviations.
+///
+/// \li We're probably over-using the \\brief markup tag.
+///
+/// \li We may in fact be confusing Doxygen to the point where it's
+///     not finding markup comments that it should.  Needs
+///     investigation.
+///
+/// \li At the moment I have all the cool "dot" stuff turned off,
+///     both because it's a distraction and because it slows down
+///     doxygen runs.  Maybe after I get a faster desk machine. :)
+///
+/// \li At the moment we're producing a single "BIND9 Internals"
+///     manual.   One of our previous complications was an attempt to
+///     produce separate manuals for each library, then cross-link
+///     them.  We might still need separate library manuals, but, if
+///     so, it might be easier to have the BIND9 Internals manual be a
+///     superset of the library manuals (ie, reuse the same source to
+///     produce differently scoped manuals).   Would certainly be
+///     simpler than the cross-linking mess, but partly it's a
+///     question of how we want to present the material.
+///
+/// \li Doxygen is slanted towards C++.  It can be tuned towards plain
+///     old C, but the C++ bias still shows up in places, eg, the lack
+///     of top-level menu support for functions (in C++, the basic
+///     unit of programming is the class, which Doxygen does support
+///     directly).   This is a bit annoying, but not all that
+///     critical.
+///
+/// \li If we ever get really ambitious, we might try processing
+///     Doxygen's XML output, which is basically a dump of what Doxygen
+///     was able to scrape from the sources.   This would be a major
+///     project, just something to think about if there's something we
+///     really don't like about the output Doxygen generates.  Punt
+///     for now.
diff --git a/doc/man/Makefile.in b/doc/man/Makefile.in
new file mode 100644
index 0000000..75794f7
--- /dev/null
+++ b/doc/man/Makefile.in
@@ -0,0 +1,275 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+abs_srcdir =	@abs_srcdir@
+builddir =	@builddir@
+top_builddir =	@top_builddir@
+
+@BIND9_MAKE_RULES@
+
+man1_MANS =			\
+	arpaname.1		\
+	delv.1			\
+	dig.1			\
+	host.1			\
+	mdig.1			\
+	named-rrchecker.1	\
+	nslookup.1		\
+	nsupdate.1
+
+man5_MANS =			\
+	named.conf.5		\
+	rndc.conf.5
+
+man8_MANS =			\
+	ddns-confgen.8		\
+	dnssec-cds.8		\
+	dnssec-checkds.8	\
+	dnssec-coverage.8	\
+	dnssec-dsfromkey.8	\
+	dnssec-importkey.8	\
+	dnssec-keyfromlabel.8	\
+	dnssec-keygen.8		\
+	dnssec-keymgr.8		\
+	dnssec-revoke.8		\
+	dnssec-settime.8	\
+	dnssec-signzone.8	\
+	dnssec-verify.8		\
+	filter-aaaa.8		\
+	named-checkconf.8	\
+	named-checkzone.8	\
+	named-compilezone.8	\
+	named-journalprint.8	\
+	named.8			\
+	nsec3hash.8		\
+	rndc-confgen.8		\
+	rndc.8			\
+	tsig-keygen.8
+
+MANPAGES_RST =			\
+	arpaname.rst		\
+	ddns-confgen.rst	\
+	delv.rst		\
+	dig.rst			\
+	dnssec-cds.rst		\
+	dnssec-checkds.rst	\
+	dnssec-coverage.rst	\
+	dnssec-dsfromkey.rst	\
+	dnssec-importkey.rst	\
+	dnssec-keyfromlabel.rst	\
+	dnssec-keygen.rst	\
+	dnssec-keymgr.rst	\
+	dnssec-revoke.rst	\
+	dnssec-settime.rst	\
+	dnssec-signzone.rst	\
+	dnssec-verify.rst	\
+	dnstap-read.rst		\
+	filter-aaaa.rst		\
+	host.rst		\
+	mdig.rst		\
+	named-checkconf.rst	\
+	named-checkzone.rst	\
+	named-compilezone.rst	\
+	named-journalprint.rst	\
+	named-nzd2nzf.rst	\
+	named-rrchecker.rst	\
+	named.conf.rst		\
+	named.rst		\
+	nsec3hash.rst		\
+	nslookup.rst		\
+	nsupdate.rst		\
+	rndc-confgen.rst	\
+	rndc.conf.rst		\
+	rndc.rst		\
+	tsig-keygen.rst		\
+	pkcs11-destroy.rst	\
+	pkcs11-keygen.rst	\
+	pkcs11-list.rst		\
+	pkcs11-tokens.rst
+
+MANPAGES_IN = \
+	arpaname.1in		\
+	ddns-confgen.8in	\
+	delv.1in		\
+	dig.1in			\
+	dnssec-cds.8in		\
+	dnssec-checkds.8in	\
+	dnssec-coverage.8in	\
+	dnssec-dsfromkey.8in	\
+	dnssec-importkey.8in	\
+	dnssec-keyfromlabel.8in	\
+	dnssec-keygen.8in	\
+	dnssec-keymgr.8in	\
+	dnssec-revoke.8in	\
+	dnssec-settime.8in	\
+	dnssec-signzone.8in	\
+	dnssec-verify.8in	\
+	dnstap-read.1in		\
+	filter-aaaa.8in		\
+	host.1in		\
+	mdig.1in		\
+	named-checkconf.8in	\
+	named-checkzone.8in	\
+	named-compilezone.8in	\
+	named-journalprint.8in	\
+	named-nzd2nzf.8in	\
+	named-rrchecker.1in	\
+	named.conf.5in		\
+	named.8in		\
+	nsec3hash.8in		\
+	nslookup.1in		\
+	nsupdate.1in		\
+	rndc-confgen.8in	\
+	rndc.conf.5in		\
+	rndc.8in		\
+	tsig-keygen.8in		\
+	pkcs11-destroy.8in	\
+	pkcs11-keygen.8in	\
+	pkcs11-list.8in		\
+	pkcs11-tokens.8in
+
+dnstap_man1_MANS =		\
+	dnstap-read.1
+
+nzd_man8_MANS =			\
+	named-nzd2nzf.8
+
+pkcs11_man8_MANS =		\
+	pkcs11-destroy.8	\
+	pkcs11-keygen.8		\
+	pkcs11-list.8		\
+	pkcs11-tokens.8
+
+BIND9_VERSION=@BIND9_VERSION@
+RELEASE_DATE=@RELEASE_DATE@
+BIND9_VERSIONSTRING=@BIND9_VERSIONSTRING@
+
+# You can set these variables from the command line.
+SPHINXBUILD = @SPHINX_BUILD@
+SPHINXBUILDDIR = ${builddir}/_build
+SPHINX_W = -W
+
+common_SPHINXOPTS =		\
+	$(SPHINX_W)		\
+	-a			\
+	-v			\
+	-c "${abs_srcdir}"
+
+ALLSPHINXOPTS =					\
+	$(common_SPHINXOPTS)			\
+	-D version="${BIND9_VERSION}"		\
+	-D today="${RELEASE_DATE}"		\
+	-D release="${BIND9_VERSIONSTRING}"	\
+	$(SPHINXOPTS)				\
+	${srcdir}
+
+man_SPHINXOPTS =				\
+	$(common_SPHINXOPTS)			\
+	-D version="@""BIND9_VERSION""@"	\
+	-D today="@""RELEASE_DATE""@"		\
+	-D release="@""BIND9_VERSIONSTRING""@"	\
+	$(SPHINXOPTS)				\
+	${srcdir}
+
+# Put it first so that "make" without argument just builds manpages
+all: man
+	@:
+
+man:: ootsetup $(man1_MANS) $(man5_MANS) $(man8_MANS) @DNSTAP_MANS@ @NZD_MANS@ @PKCS11_MANS@
+
+doc:: @HTMLTARGET@ @PDFTARGET@
+
+html dirhtml:
+	$(SPHINXBUILD) -b $@ -d "$(SPHINXBUILDDIR)"/.doctrees/$@ $(ALLSPHINXOPTS) "$(SPHINXBUILDDIR)"/$@
+
+# copy in out-of-tree files in case sphinx-build isn't available
+.NOTPARALLEL:
+ootsetup: $(MANPAGES_IN)
+	for man in $(MANPAGES_IN); do \
+	  [ -e "$$man" ] || cp -f ${srcdir}/"$$man" .; \
+	done
+
+$(MANPAGES_IN): $(MANPAGES_RST)
+	$(SPHINXBUILD) -b man -d "$(SPHINXBUILDDIR)"/.doctrees/$@ $(man_SPHINXOPTS) "$(SPHINXBUILDDIR)"/man
+	-for man in $(MANPAGES_IN); do \
+	  [ -e "$(SPHINXBUILDDIR)"/man/"$$(basename $$man in)" ] && \
+	    cp -f "$(SPHINXBUILDDIR)"/man/"$$(basename $$man in)" "$$man"; \
+	done
+
+man_SUBST = sed							\
+	-e 's,[@]BIND9_VERSION[@],$(BIND9_VERSION),'			\
+	-e 's,[@]RELEASE_DATE[@],$(RELEASE_DATE),'			\
+	-e 's,[@]BIND9_VERSION_STRING[@],$(BIND9_VERSION_STRING),'	\
+	-e 's,[@]sysconfdir[@],$(sysconfdir),'				\
+	-e 's,[@]plugindir[@],$(plugindir),'
+
+$(man1_MANS): @MANSRCS@
+	for m in $(man1_MANS); do \
+		$(man_SUBST) $${m}in > $$m; \
+	done
+
+$(man5_MANS): @MANSRCS@
+	for m in $(man5_MANS); do \
+		$(man_SUBST) $${m}in > $$m; \
+	done
+
+$(man8_MANS): @MANSRCS@
+	for m in $(man8_MANS); do \
+		$(man_SUBST) $${m}in > $$m; \
+	done
+
+$(dnstap_man1_MANS): @MANSRCS@
+	for m in $(dnstap_man1_MANS); do \
+		$(man_SUBST) $${m}in > $$m; \
+	done
+
+$(nzd_man8_MANS): @MANSRCS@
+	for m in $(nzd_man8_MANS); do \
+		$(man_SUBST) $${m}in > $$m; \
+	done
+
+$(pkcs11_man8_MANS): @MANSRCS@
+	for m in $(pkcs11_man8_MANS); do \
+		$(man_SUBST) $${m}in > $$m; \
+	done
+
+.PHONY: help Makefile doc pdf man
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
+
+install:: installdirs
+	for m in $(man1_MANS); do ${INSTALL_DATA} $$m ${DESTDIR}${mandir}/man1/; done
+	for m in $(man5_MANS); do ${INSTALL_DATA} $$m ${DESTDIR}${mandir}/man5/; done
+	for m in $(man8_MANS); do ${INSTALL_DATA} $$m ${DESTDIR}${mandir}/man8/; done
+	for m in @DNSTAP_MANS@; do ${INSTALL_DATA} $$m ${DESTDIR}${mandir}/man1/; done
+	for m in @NZD_MANS@; do ${INSTALL_DATA} $$m ${DESTDIR}${mandir}/man8/; done
+	for m in @PKCS11_MANS@; do ${INSTALL_DATA} $$m ${DESTDIR}${mandir}/man8/; done
+
+uninstall::
+	for m in $(man1_MANS); do rm -f ${DESTDIR}${mandir}/man1/$$m; done
+	for m in $(man5_MANS); do rm -f ${DESTDIR}${mandir}/man5/$$m; done
+	for m in $(man8_MANS); do rm -f ${DESTDIR}${mandir}/man8/$$m; done
+	for m in @DNSTAP_MANS@; do rm -f ${DESTDIR}${mandir}/man1/$$m; done
+	for m in @NZD_MANS@; do rm -f ${DESTDIR}${mandir}/man8/$$m; done
+	for m in @PKCS11_MANS@; do rm -f ${DESTDIR}${mandir}/man8/$$m; done
+
+docclean manclean maintainer-clean::
+	rm -f $(MANPAGES_IN)
+
+clean::
+	-rm -rf $(SPHINXBUILDDIR)
+	-rm -f $(man1_MANS) $(man5_MANS) $(man8_MANS) @DNSTAP_MANS@ @NZD_MANS@ @PKCS11_MANS@
diff --git a/doc/man/arpaname.1in b/doc/man/arpaname.1in
new file mode 100644
index 0000000..2c25399
--- /dev/null
+++ b/doc/man/arpaname.1in
@@ -0,0 +1,48 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "ARPANAME" "1" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+arpaname \- translate IP addresses to the corresponding ARPA names
+.SH SYNOPSIS
+.sp
+\fBarpaname\fP {\fIipaddress\fP ...}
+.SH DESCRIPTION
+.sp
+\fBarpaname\fP translates IP addresses (IPv4 and IPv6) to the
+corresponding IN\-ADDR.ARPA or IP6.ARPA names.
+.SH SEE ALSO
+.sp
+BIND 9 Administrator Reference Manual.
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/arpaname.rst b/doc/man/arpaname.rst
new file mode 100644
index 0000000..52d69b6
--- /dev/null
+++ b/doc/man/arpaname.rst
@@ -0,0 +1,14 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+:orphan:
+
+.. include:: ../../bin/tools/arpaname.rst
diff --git a/doc/man/conf.py b/doc/man/conf.py
new file mode 100644
index 0000000..266dfbb
--- /dev/null
+++ b/doc/man/conf.py
@@ -0,0 +1,216 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import datetime
+from docutils.parsers.rst import roles
+
+#
+# Configuration file for the Sphinx documentation builder.
+#
+# This file only contains a selection of the most common options. For a full
+# list see the documentation:
+# http://www.sphinx-doc.org/en/master/config
+
+# -- Path setup --------------------------------------------------------------
+
+# If extensions (or modules to document with autodoc) are in another directory,
+# add these directories to sys.path here. If the directory is relative to the
+# documentation root, use os.path.abspath to make it absolute, like shown here.
+#
+# import os
+# import sys
+# sys.path.insert(0, os.path.abspath('.'))
+
+# -- Project information -----------------------------------------------------
+
+project = "BIND 9"
+# pylint: disable=wrong-import-position
+year = datetime.datetime.now().year
+# pylint: disable=redefined-builtin
+copyright = "%d, Internet Systems Consortium" % year
+author = "Internet Systems Consortium"
+
+# -- General configuration ---------------------------------------------------
+
+# Build man pages directly in _build/man/, not in _build/man/<section>/.
+# This is what the shell code in Makefile.am expects.
+man_make_section_directory = False
+
+# Add any Sphinx extension module names here, as strings. They can be
+# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
+# ones.
+extensions = []
+
+# Add any paths that contain templates here, relative to this directory.
+templates_path = ["../arm/_templates"]
+
+# List of patterns, relative to source directory, that match files and
+# directories to ignore when looking for source files.
+# This pattern also affects html_static_path and html_extra_path.
+exclude_patterns = [
+    "_build",
+    "Thumbs.db",
+    ".DS_Store",
+]
+
+# The master toctree document.
+master_doc = "index"
+
+# pylint: disable=line-too-long
+man_pages = [
+    (
+        "arpaname",
+        "arpaname",
+        "translate IP addresses to the corresponding ARPA names",
+        author,
+        1,
+    ),
+    ("ddns-confgen", "ddns-confgen", "ddns key generation tool", author, 8),
+    ("delv", "delv", "DNS lookup and validation utility", author, 1),
+    ("dig", "dig", "DNS lookup utility", author, 1),
+    (
+        "dnssec-cds",
+        "dnssec-cds",
+        "change DS records for a child zone based on CDS/CDNSKEY",
+        author,
+        8,
+    ),
+    (
+        "dnssec-checkds",
+        "dnssec-checkds",
+        "DNSSEC delegation consistency checking tool",
+        author,
+        8,
+    ),
+    (
+        "dnssec-coverage",
+        "dnssec-coverage",
+        "checks future DNSKEY coverage for a zone",
+        author,
+        8,
+    ),
+    ("dnssec-dsfromkey", "dnssec-dsfromkey", "DNSSEC DS RR generation tool", author, 8),
+    (
+        "dnssec-importkey",
+        "dnssec-importkey",
+        "import DNSKEY records from external systems so they can be managed",
+        author,
+        8,
+    ),
+    (
+        "dnssec-keyfromlabel",
+        "dnssec-keyfromlabel",
+        "DNSSEC key generation tool",
+        author,
+        8,
+    ),
+    ("dnssec-keygen", "dnssec-keygen", "DNSSEC key generation tool", author, 8),
+    (
+        "dnssec-keymgr",
+        "dnssec-keymgr",
+        "ensure correct DNSKEY coverage based on a defined policy",
+        author,
+        8,
+    ),
+    (
+        "dnssec-revoke",
+        "dnssec-revoke",
+        "set the REVOKED bit on a DNSSEC key",
+        author,
+        8,
+    ),
+    (
+        "dnssec-settime",
+        "dnssec-settime",
+        "set the key timing metadata for a DNSSEC key",
+        author,
+        8,
+    ),
+    ("dnssec-signzone", "dnssec-signzone", "DNSSEC zone signing tool", author, 8),
+    ("dnssec-verify", "dnssec-verify", "DNSSEC zone verification tool", author, 8),
+    (
+        "dnstap-read",
+        "dnstap-read",
+        "print dnstap data in human-readable form",
+        author,
+        1,
+    ),
+    (
+        "filter-aaaa",
+        "filter-aaaa",
+        "filter AAAA in DNS responses when A is present",
+        author,
+        8,
+    ),
+    ("host", "host", "DNS lookup utility", author, 1),
+    ("mdig", "mdig", "DNS pipelined lookup utility", author, 1),
+    (
+        "named-checkconf",
+        "named-checkconf",
+        "named configuration file syntax checking tool",
+        author,
+        8,
+    ),
+    (
+        "named-checkzone",
+        "named-checkzone",
+        "zone file validity checking or converting tool",
+        author,
+        8,
+    ),
+    (
+        "named-compilezone",
+        "named-compilezone",
+        "zone file validity checking or converting tool",
+        author,
+        8,
+    ),
+    (
+        "named-journalprint",
+        "named-journalprint",
+        "print zone journal in human-readable form",
+        author,
+        8,
+    ),
+    (
+        "named-nzd2nzf",
+        "named-nzd2nzf",
+        "convert an NZD database to NZF text format",
+        author,
+        8,
+    ),
+    (
+        "named-rrchecker",
+        "named-rrchecker",
+        "syntax checker for individual DNS resource records",
+        author,
+        1,
+    ),
+    ("named.conf", "named.conf", "configuration file for **named**", author, 5),
+    ("named", "named", "Internet domain name server", author, 8),
+    ("nsec3hash", "nsec3hash", "generate NSEC3 hash", author, 8),
+    ("nslookup", "nslookup", "query Internet name servers interactively", author, 1),
+    ("nsupdate", "nsupdate", "dynamic DNS update utility", author, 1),
+    ("pkcs11-destroy", "pkcs11-destroy", "destroy PKCS#11 objects", author, 8),
+    ("pkcs11-keygen", "pkcs11-keygen", "generate keys on a PKCS#11 device", author, 8),
+    ("pkcs11-list", "pkcs11-list", "list PKCS#11 objects", author, 8),
+    ("pkcs11-tokens", "pkcs11-tokens", "list PKCS#11 available tokens", author, 8),
+    ("rndc-confgen", "rndc-confgen", "rndc key generation tool", author, 8),
+    ("rndc.conf", "rndc.conf", "rndc configuration file", author, 5),
+    ("rndc", "rndc", "name server control utility", author, 8),
+    ("tsig-keygen", "tsig-keygen", "TSIG key generation tool", author, 8),
+]
+
+
+def setup(app):
+    app.add_crossref_type("iscman", "iscman", "pair: %s; manual page")
+    # ignore :option: references to simplify doc backports to v9_16 branch
+    app.add_role_to_domain("std", "option", roles.code_role)
diff --git a/doc/man/ddns-confgen.8in b/doc/man/ddns-confgen.8in
new file mode 100644
index 0000000..97e1cf8
--- /dev/null
+++ b/doc/man/ddns-confgen.8in
@@ -0,0 +1,102 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "DDNS-CONFGEN" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+ddns-confgen \- ddns key generation tool
+.SH SYNOPSIS
+.sp
+\fBddns\-confgen\fP [\fB\-a\fP algorithm] [\fB\-h\fP] [\fB\-k\fP keyname] [\fB\-q\fP] [\fB\-s\fP name] [\fB\-z\fP zone]
+.SH DESCRIPTION
+.sp
+\fBddns\-confgen\fP is an utility that generates keys for use in TSIG signing.
+The resulting keys can be used, for example, to secure dynamic DNS updates
+to a zone, or for the \fBrndc\fP command channel.
+.sp
+The key name can specified using \fB\-k\fP parameter and defaults to \fBddns\-key\fP\&.
+The generated key is accompanied by configuration text and instructions that
+can be used with \fBnsupdate\fP and \fBnamed\fP when setting up dynamic DNS,
+including an example \fBupdate\-policy\fP statement.
+(This usage is similar to the \fBrndc\-confgen\fP command for setting up
+command\-channel security.)
+.sp
+Note that \fBnamed\fP itself can configure a local DDNS key for use with
+\fBnsupdate \-l\fP; it does this when a zone is configured with
+\fBupdate\-policy local;\fP\&. \fBddns\-confgen\fP is only needed when a more
+elaborate configuration is required: for instance, if \fBnsupdate\fP is to
+be used from a remote system.
+.SH OPTIONS
+.INDENT 0.0
+.TP
+.B \fB\-a algorithm\fP
+This option specifies the algorithm to use for the TSIG key. Available
+choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384,
+and hmac\-sha512. The default is hmac\-sha256. Options are
+case\-insensitive, and the \(dqhmac\-\(dq prefix may be omitted.
+.TP
+.B \fB\-h\fP
+This option prints a short summary of options and arguments.
+.TP
+.B \fB\-k keyname\fP
+This option specifies the key name of the DDNS authentication key. The
+default is \fBddns\-key\fP when neither the \fB\-s\fP nor \fB\-z\fP option is
+specified; otherwise, the default is \fBddns\-key\fP as a separate label
+followed by the argument of the option, e.g., \fBddns\-key.example.com.\fP
+The key name must have the format of a valid domain name, consisting of
+letters, digits, hyphens, and periods.
+.TP
+.B \fB\-q\fP
+This option enables quiet mode, which prints only the key, with no
+explanatory text or usage examples. This is essentially identical to
+\fBtsig\-keygen\fP\&.
+.TP
+.B \fB\-s name\fP
+This option generates a configuration example to allow dynamic updates
+of a single hostname. The example \fBnamed.conf\fP text shows how to set
+an update policy for the specified name using the \(dqname\(dq nametype. The
+default key name is \fBddns\-key.name\fP\&. Note that the \(dqself\(dq nametype
+cannot be used, since the name to be updated may differ from the key
+name. This option cannot be used with the \fB\-z\fP option.
+.TP
+.B \fB\-z zone\fP
+This option generates a configuration example to allow
+dynamic updates of a zone. The example \fBnamed.conf\fP text shows how
+to set an update policy for the specified zone using the \(dqzonesub\(dq
+nametype, allowing updates to all subdomain names within that zone.
+This option cannot be used with the \fB\-s\fP option.
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fBnsupdate(1)\fP, \fBnamed.conf(5)\fP, \fBnamed(8)\fP, BIND 9 Administrator Reference Manual.
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/ddns-confgen.rst b/doc/man/ddns-confgen.rst
new file mode 100644
index 0000000..891102f
--- /dev/null
+++ b/doc/man/ddns-confgen.rst
@@ -0,0 +1,14 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+:orphan:
+
+.. include:: ../../bin/confgen/ddns-confgen.rst
diff --git a/doc/man/delv.1in b/doc/man/delv.1in
new file mode 100644
index 0000000..9a2b186
--- /dev/null
+++ b/doc/man/delv.1in
@@ -0,0 +1,345 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "DELV" "1" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+delv \- DNS lookup and validation utility
+.SH SYNOPSIS
+.sp
+\fBdelv\fP [@server] [ [\fB\-4\fP] | [\fB\-6\fP] ] [\fB\-a\fP anchor\-file] [\fB\-b\fP address] [\fB\-c\fP class] [\fB\-d\fP level] [\fB\-i\fP] [\fB\-m\fP] [\fB\-p\fP port#] [\fB\-q\fP name] [\fB\-t\fP type] [\fB\-x\fP addr] [name] [type] [class] [queryopt...]
+.sp
+\fBdelv\fP [\fB\-h\fP]
+.sp
+\fBdelv\fP [\fB\-v\fP]
+.sp
+\fBdelv\fP [queryopt...] [query...]
+.SH DESCRIPTION
+.sp
+\fBdelv\fP is a tool for sending DNS queries and validating the results,
+using the same internal resolver and validator logic as \fBnamed\fP\&.
+.sp
+\fBdelv\fP sends to a specified name server all queries needed to
+fetch and validate the requested data; this includes the original
+requested query, subsequent queries to follow CNAME or DNAME chains,
+queries for DNSKEY, and DS records to establish a chain of trust for
+DNSSEC validation. It does not perform iterative resolution, but
+simulates the behavior of a name server configured for DNSSEC validating
+and forwarding.
+.sp
+By default, responses are validated using the built\-in DNSSEC trust anchor
+for the root zone (\(dq.\(dq). Records returned by \fBdelv\fP are either fully
+validated or were not signed. If validation fails, an explanation of the
+failure is included in the output; the validation process can be traced
+in detail. Because \fBdelv\fP does not rely on an external server to carry
+out validation, it can be used to check the validity of DNS responses in
+environments where local name servers may not be trustworthy.
+.sp
+Unless it is told to query a specific name server, \fBdelv\fP tries
+each of the servers listed in \fB/etc/resolv.conf\fP\&. If no usable server
+addresses are found, \fBdelv\fP sends queries to the localhost
+addresses (127.0.0.1 for IPv4, ::1 for IPv6).
+.sp
+When no command\-line arguments or options are given, \fBdelv\fP
+performs an NS query for \(dq.\(dq (the root zone).
+.SH SIMPLE USAGE
+.sp
+A typical invocation of \fBdelv\fP looks like:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+delv @server name type
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+where:
+.INDENT 0.0
+.TP
+.B \fBserver\fP
+is the name or IP address of the name server to query. This can be an
+IPv4 address in dotted\-decimal notation or an IPv6 address in
+colon\-delimited notation. When the supplied \fBserver\fP argument is a
+hostname, \fBdelv\fP resolves that name before querying that name
+server (note, however, that this initial lookup is \fInot\fP validated by
+DNSSEC).
+.sp
+If no \fBserver\fP argument is provided, \fBdelv\fP consults
+\fB/etc/resolv.conf\fP; if an address is found there, it queries the
+name server at that address. If either of the \fB\-4\fP or \fB\-6\fP
+options is in use, then only addresses for the corresponding
+transport are tried. If no usable addresses are found, \fBdelv\fP
+sends queries to the localhost addresses (127.0.0.1 for IPv4, ::1
+for IPv6).
+.TP
+.B \fBname\fP
+is the domain name to be looked up.
+.TP
+.B \fBtype\fP
+indicates what type of query is required \- ANY, A, MX, etc.
+\fBtype\fP can be any valid query type. If no \fBtype\fP argument is
+supplied, \fBdelv\fP performs a lookup for an A record.
+.UNINDENT
+.SH OPTIONS
+.INDENT 0.0
+.TP
+.B \fB\-a anchor\-file\fP
+This option specifies a file from which to read DNSSEC trust anchors. The default
+is \fB/etc/bind.keys\fP, which is included with BIND 9 and contains one
+or more trust anchors for the root zone (\(dq.\(dq).
+.sp
+Keys that do not match the root zone name are ignored. An alternate
+key name can be specified using the \fB+root=NAME\fP options.
+.sp
+Note: When reading the trust anchor file, \fBdelv\fP treats \fBtrust\-anchors\fP,
+\fBinitial\-key\fP, and \fBstatic\-key\fP identically. That is, for a managed key,
+it is the \fIinitial\fP key that is trusted; \fI\%RFC 5011\fP key management is not
+supported. \fBdelv\fP does not consult the managed\-keys database maintained by
+\fBnamed\fP, which means that if either of the keys in \fB/etc/bind.keys\fP is
+revoked and rolled over, \fB/etc/bind.keys\fP must be updated to
+use DNSSEC validation in \fBdelv\fP\&.
+.TP
+.B \fB\-b address\fP
+This option sets the source IP address of the query to \fBaddress\fP\&. This must be
+a valid address on one of the host\(aqs network interfaces, or \fB0.0.0.0\fP,
+or \fB::\fP\&. An optional source port may be specified by appending
+\fB#<port>\fP
+.TP
+.B \fB\-c class\fP
+This option sets the query class for the requested data. Currently, only class
+\(dqIN\(dq is supported in \fBdelv\fP and any other value is ignored.
+.TP
+.B \fB\-d level\fP
+This option sets the systemwide debug level to \fBlevel\fP\&. The allowed range is
+from 0 to 99. The default is 0 (no debugging). Debugging traces from
+\fBdelv\fP become more verbose as the debug level increases. See the
+\fB+mtrace\fP, \fB+rtrace\fP, and \fB+vtrace\fP options below for
+additional debugging details.
+.TP
+.B \fB\-h\fP
+This option displays the \fBdelv\fP help usage output and exits.
+.TP
+.B \fB\-i\fP
+This option sets insecure mode, which disables internal DNSSEC validation. (Note,
+however, that this does not set the CD bit on upstream queries. If the
+server being queried is performing DNSSEC validation, then it does
+not return invalid data; this can cause \fBdelv\fP to time out. When it
+is necessary to examine invalid data to debug a DNSSEC problem, use
+\fBdig +cd\fP\&.)
+.TP
+.B \fB\-m\fP
+This option enables memory usage debugging.
+.TP
+.B \fB\-p port#\fP
+This option specifies a destination port to use for queries, instead of the
+standard DNS port number 53. This option is used with a name
+server that has been configured to listen for queries on a
+non\-standard port number.
+.TP
+.B \fB\-q name\fP
+This option sets the query name to \fBname\fP\&. While the query name can be
+specified without using the \fB\-q\fP option, it is sometimes necessary to
+disambiguate names from types or classes (for example, when looking
+up the name \(dqns\(dq, which could be misinterpreted as the type NS, or
+\(dqch\(dq, which could be misinterpreted as class CH).
+.TP
+.B \fB\-t type\fP
+This option sets the query type to \fBtype\fP, which can be any valid query type
+supported in BIND 9 except for zone transfer types AXFR and IXFR. As
+with \fB\-q\fP, this is useful to distinguish query\-name types or classes
+when they are ambiguous. It is sometimes necessary to disambiguate
+names from types.
+.sp
+The default query type is \(dqA\(dq, unless the \fB\-x\fP option is supplied
+to indicate a reverse lookup, in which case it is \(dqPTR\(dq.
+.TP
+.B \fB\-v\fP
+This option prints the \fBdelv\fP version and exits.
+.TP
+.B \fB\-x addr\fP
+This option performs a reverse lookup, mapping an address to a name. \fBaddr\fP
+is an IPv4 address in dotted\-decimal notation, or a colon\-delimited
+IPv6 address. When \fB\-x\fP is used, there is no need to provide the
+\fBname\fP or \fBtype\fP arguments; \fBdelv\fP automatically performs a
+lookup for a name like \fB11.12.13.10.in\-addr.arpa\fP and sets the
+query type to PTR. IPv6 addresses are looked up using nibble format
+under the IP6.ARPA domain.
+.TP
+.B \fB\-4\fP
+This option forces \fBdelv\fP to only use IPv4.
+.TP
+.B \fB\-6\fP
+This option forces \fBdelv\fP to only use IPv6.
+.UNINDENT
+.SH QUERY OPTIONS
+.sp
+\fBdelv\fP provides a number of query options which affect the way results
+are displayed, and in some cases the way lookups are performed.
+.sp
+Each query option is identified by a keyword preceded by a plus sign
+(\fB+\fP). Some keywords set or reset an option. These may be preceded by
+the string \fBno\fP to negate the meaning of that keyword. Other keywords
+assign values to options like the timeout interval. They have the form
+\fB+keyword=value\fP\&. The query options are:
+.INDENT 0.0
+.TP
+.B \fB+[no]cdflag\fP
+This option controls whether to set the CD (checking disabled) bit in queries
+sent by \fBdelv\fP\&. This may be useful when troubleshooting DNSSEC
+problems from behind a validating resolver. A validating resolver
+blocks invalid responses, making it difficult to retrieve them
+for analysis. Setting the CD flag on queries causes the resolver
+to return invalid responses, which \fBdelv\fP can then validate
+internally and report the errors in detail.
+.TP
+.B \fB+[no]class\fP
+This option controls whether to display the CLASS when printing a record. The
+default is to display the CLASS.
+.TP
+.B \fB+[no]ttl\fP
+This option controls whether to display the TTL when printing a record. The
+default is to display the TTL.
+.TP
+.B \fB+[no]rtrace\fP
+This option toggles resolver fetch logging. This reports the name and type of each
+query sent by \fBdelv\fP in the process of carrying out the resolution
+and validation process, including the original query
+and all subsequent queries to follow CNAMEs and to establish a chain
+of trust for DNSSEC validation.
+.sp
+This is equivalent to setting the debug level to 1 in the \(dqresolver\(dq
+logging category. Setting the systemwide debug level to 1 using the
+\fB\-d\fP option produces the same output, but affects other
+logging categories as well.
+.TP
+.B \fB+[no]mtrace\fP
+This option toggles message logging. This produces a detailed dump of the
+responses received by \fBdelv\fP in the process of carrying out the
+resolution and validation process.
+.sp
+This is equivalent to setting the debug level to 10 for the \(dqpackets\(dq
+module of the \(dqresolver\(dq logging category. Setting the systemwide
+debug level to 10 using the \fB\-d\fP option produces the same
+output, but affects other logging categories as well.
+.TP
+.B \fB+[no]vtrace\fP
+This option toggles validation logging. This shows the internal process of the
+validator as it determines whether an answer is validly signed,
+unsigned, or invalid.
+.sp
+This is equivalent to setting the debug level to 3 for the
+\(dqvalidator\(dq module of the \(dqdnssec\(dq logging category. Setting the
+systemwide debug level to 3 using the \fB\-d\fP option produces the
+same output, but affects other logging categories as well.
+.TP
+.B \fB+[no]short\fP
+This option toggles between verbose and terse answers. The default is to print the answer in a
+verbose form.
+.TP
+.B \fB+[no]comments\fP
+This option toggles the display of comment lines in the output. The default is to
+print comments.
+.TP
+.B \fB+[no]rrcomments\fP
+This option toggles the display of per\-record comments in the output (for example,
+human\-readable key information about DNSKEY records). The default is
+to print per\-record comments.
+.TP
+.B \fB+[no]crypto\fP
+This option toggles the display of cryptographic fields in DNSSEC records. The
+contents of these fields are unnecessary to debug most DNSSEC
+validation failures and removing them makes it easier to see the
+common failures. The default is to display the fields. When omitted,
+they are replaced by the string \fB[omitted]\fP or, in the DNSKEY case, the
+key ID is displayed as the replacement, e.g. \fB[ key id = value ]\fP\&.
+.TP
+.B \fB+[no]trust\fP
+This option controls whether to display the trust level when printing a record.
+The default is to display the trust level.
+.TP
+.B \fB+[no]split[=W]\fP
+This option splits long hex\- or base64\-formatted fields in resource records into
+chunks of \fBW\fP characters (where \fBW\fP is rounded up to the nearest
+multiple of 4). \fB+nosplit\fP or \fB+split=0\fP causes fields not to be
+split at all. The default is 56 characters, or 44 characters when
+multiline mode is active.
+.TP
+.B \fB+[no]all\fP
+This option sets or clears the display options \fB+[no]comments\fP,
+\fB+[no]rrcomments\fP, and \fB+[no]trust\fP as a group.
+.TP
+.B \fB+[no]multiline\fP
+This option prints long records (such as RRSIG, DNSKEY, and SOA records) in a
+verbose multi\-line format with human\-readable comments. The default
+is to print each record on a single line, to facilitate machine
+parsing of the \fBdelv\fP output.
+.TP
+.B \fB+[no]dnssec\fP
+This option indicates whether to display RRSIG records in the \fBdelv\fP output.
+The default is to do so. Note that (unlike in \fBdig\fP) this does
+\fInot\fP control whether to request DNSSEC records or to
+validate them. DNSSEC records are always requested, and validation
+always occurs unless suppressed by the use of \fB\-i\fP or
+\fB+noroot\fP\&.
+.TP
+.B \fB+[no]root[=ROOT]\fP
+This option indicates whether to perform conventional DNSSEC validation, and if so,
+specifies the name of a trust anchor. The default is to validate using a
+trust anchor of \(dq.\(dq (the root zone), for which there is a built\-in key. If
+specifying a different trust anchor, then \fB\-a\fP must be used to specify a
+file containing the key.
+.TP
+.B \fB+[no]tcp\fP
+This option controls whether to use TCP when sending queries. The default is to
+use UDP unless a truncated response has been received.
+.TP
+.B \fB+[no]unknownformat\fP
+This option prints all RDATA in unknown RR\-type presentation format (\fI\%RFC 3597\fP).
+The default is to print RDATA for known types in the type\(aqs
+presentation format.
+.TP
+.B \fB+[no]yaml\fP
+This option prints response data in YAML format.
+.UNINDENT
+.SH FILES
+.sp
+\fB/etc/bind.keys\fP
+.sp
+\fB/etc/resolv.conf\fP
+.SH SEE ALSO
+.sp
+\fBdig(1)\fP, \fBnamed(8)\fP, \fI\%RFC 4034\fP, \fI\%RFC 4035\fP, \fI\%RFC 4431\fP, \fI\%RFC 5074\fP, \fI\%RFC 5155\fP\&.
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/delv.rst b/doc/man/delv.rst
new file mode 100644
index 0000000..8f3b548
--- /dev/null
+++ b/doc/man/delv.rst
@@ -0,0 +1,14 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+:orphan:
+
+.. include:: ../../bin/delv/delv.rst
diff --git a/doc/man/dig.1in b/doc/man/dig.1in
new file mode 100644
index 0000000..fd6d6f8
--- /dev/null
+++ b/doc/man/dig.1in
@@ -0,0 +1,670 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "DIG" "1" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+dig \- DNS lookup utility
+.SH SYNOPSIS
+.sp
+\fBdig\fP [@server] [\fB\-b\fP address] [\fB\-c\fP class] [\fB\-f\fP filename] [\fB\-k\fP filename] [\fB\-m\fP] [\fB\-p\fP port#] [\fB\-q\fP name] [\fB\-t\fP type] [\fB\-v\fP] [\fB\-x\fP addr] [\fB\-y\fP [hmac:]name:key] [ [\fB\-4\fP] | [\fB\-6\fP] ] [name] [type] [class] [queryopt...]
+.sp
+\fBdig\fP [\fB\-h\fP]
+.sp
+\fBdig\fP [global\-queryopt...] [query...]
+.SH DESCRIPTION
+.sp
+\fBdig\fP is a flexible tool for interrogating DNS name servers. It
+performs DNS lookups and displays the answers that are returned from the
+name server(s) that were queried. Most DNS administrators use \fBdig\fP to
+troubleshoot DNS problems because of its flexibility, ease of use, and
+clarity of output. Other lookup tools tend to have less functionality
+than \fBdig\fP\&.
+.sp
+Although \fBdig\fP is normally used with command\-line arguments, it also
+has a batch mode of operation for reading lookup requests from a file. A
+brief summary of its command\-line arguments and options is printed when
+the \fB\-h\fP option is given. The BIND 9
+implementation of \fBdig\fP allows multiple lookups to be issued from the
+command line.
+.sp
+Unless it is told to query a specific name server, \fBdig\fP tries each
+of the servers listed in \fB/etc/resolv.conf\fP\&. If no usable server
+addresses are found, \fBdig\fP sends the query to the local host.
+.sp
+When no command\-line arguments or options are given, \fBdig\fP
+performs an NS query for \(dq.\(dq (the root).
+.sp
+It is possible to set per\-user defaults for \fBdig\fP via
+\fB${HOME}/.digrc\fP\&. This file is read and any options in it are applied
+before the command\-line arguments. The \fB\-r\fP option disables this
+feature, for scripts that need predictable behavior.
+.sp
+The IN and CH class names overlap with the IN and CH top\-level domain
+names. Either use the \fB\-t\fP and \fB\-c\fP options to specify the type and
+class, use the \fB\-q\fP to specify the domain name, or use \(dqIN.\(dq and
+\(dqCH.\(dq when looking up these top\-level domains.
+.SH SIMPLE USAGE
+.sp
+A typical invocation of \fBdig\fP looks like:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+dig @server name type
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+where:
+.INDENT 0.0
+.TP
+.B \fBserver\fP
+is the name or IP address of the name server to query. This can be an
+IPv4 address in dotted\-decimal notation or an IPv6 address in
+colon\-delimited notation. When the supplied \fBserver\fP argument is a
+hostname, \fBdig\fP resolves that name before querying that name
+server.
+.sp
+If no \fBserver\fP argument is provided, \fBdig\fP consults
+\fB/etc/resolv.conf\fP; if an address is found there, it queries the
+name server at that address. If either of the \fB\-4\fP or \fB\-6\fP
+options are in use, then only addresses for the corresponding
+transport are tried. If no usable addresses are found, \fBdig\fP
+sends the query to the local host. The reply from the name server
+that responds is displayed.
+.TP
+.B \fBname\fP
+is the name of the resource record that is to be looked up.
+.TP
+.B \fBtype\fP
+indicates what type of query is required \- ANY, A, MX, SIG, etc.
+\fBtype\fP can be any valid query type. If no \fBtype\fP argument is
+supplied, \fBdig\fP performs a lookup for an A record.
+.UNINDENT
+.SH OPTIONS
+.INDENT 0.0
+.TP
+.B \fB\-4\fP
+This option indicates that only IPv4 should be used.
+.TP
+.B \fB\-6\fP
+This option indicates that only IPv6 should be used.
+.TP
+.B \fB\-b address[#port]\fP
+This option sets the source IP address of the query. The \fBaddress\fP must be a
+valid address on one of the host\(aqs network interfaces, or \(dq0.0.0.0\(dq
+or \(dq::\(dq. An optional port may be specified by appending \fB#port\fP\&.
+.TP
+.B \fB\-c class\fP
+This option sets the query class. The default \fBclass\fP is IN; other classes are
+HS for Hesiod records or CH for Chaosnet records.
+.TP
+.B \fB\-f file\fP
+This option sets batch mode, in which \fBdig\fP reads a list of lookup requests to process from
+the given \fBfile\fP\&. Each line in the file should be organized in the
+same way it would be presented as a query to \fBdig\fP using the
+command\-line interface.
+.TP
+.B \fB\-k keyfile\fP
+This option tells \fBnamed\fP to sign queries using TSIG using a key read from the given file. Key
+files can be generated using \fBtsig\-keygen\fP\&. When using TSIG
+authentication with \fBdig\fP, the name server that is queried needs to
+know the key and algorithm that is being used. In BIND, this is done
+by providing appropriate \fBkey\fP and \fBserver\fP statements in
+\fBnamed.conf\fP\&.
+.TP
+.B \fB\-m\fP
+This option enables memory usage debugging.
+.TP
+.B \fB\-p port\fP
+This option sends the query to a non\-standard port on the server, instead of the
+default port 53. This option is used to test a name server that
+has been configured to listen for queries on a non\-standard port
+number.
+.TP
+.B \fB\-q name\fP
+This option specifies the domain name to query. This is useful to distinguish the \fBname\fP
+from other arguments.
+.TP
+.B \fB\-r\fP
+This option indicates that options from \fB${HOME}/.digrc\fP should not be read. This is useful for
+scripts that need predictable behavior.
+.TP
+.B \fB\-t type\fP
+This option indicates the resource record type to query, which can be any valid query type. If
+it is a resource record type supported in BIND 9, it can be given by
+the type mnemonic (such as \fBNS\fP or \fBAAAA\fP). The default query type is
+\fBA\fP, unless the \fB\-x\fP option is supplied to indicate a reverse
+lookup. A zone transfer can be requested by specifying a type of
+AXFR. When an incremental zone transfer (IXFR) is required, set the
+\fBtype\fP to \fBixfr=N\fP\&. The incremental zone transfer contains
+all changes made to the zone since the serial number in the zone\(aqs
+SOA record was \fBN\fP\&.
+.sp
+All resource record types can be expressed as \fBTYPEnn\fP, where \fBnn\fP is
+the number of the type. If the resource record type is not supported
+in BIND 9, the result is displayed as described in \fI\%RFC 3597\fP\&.
+.TP
+.B \fB\-u\fP
+This option indicates that print query times should be provided in microseconds instead of milliseconds.
+.TP
+.B \fB\-v\fP
+This option prints the version number and exits.
+.TP
+.B \fB\-x addr\fP
+This option sets simplified reverse lookups, for mapping addresses to names. The
+\fBaddr\fP is an IPv4 address in dotted\-decimal notation, or a
+colon\-delimited IPv6 address. When the \fB\-x\fP option is used, there is no
+need to provide the \fBname\fP, \fBclass\fP, and \fBtype\fP arguments.
+\fBdig\fP automatically performs a lookup for a name like
+\fB94.2.0.192.in\-addr.arpa\fP and sets the query type and class to PTR
+and IN respectively. IPv6 addresses are looked up using nibble format
+under the IP6.ARPA domain.
+.TP
+.B \fB\-y [hmac:]keyname:secret\fP
+This option signs queries using TSIG with the given authentication key.
+\fBkeyname\fP is the name of the key, and \fBsecret\fP is the
+base64\-encoded shared secret. \fBhmac\fP is the name of the key algorithm;
+valid choices are \fBhmac\-md5\fP, \fBhmac\-sha1\fP, \fBhmac\-sha224\fP,
+\fBhmac\-sha256\fP, \fBhmac\-sha384\fP, or \fBhmac\-sha512\fP\&. If \fBhmac\fP is
+not specified, the default is \fBhmac\-md5\fP; if MD5 was disabled, the default is
+\fBhmac\-sha256\fP\&.
+.UNINDENT
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+Only the \fB\-k\fP option should be used, rather than the \fB\-y\fP option,
+because with \fB\-y\fP the shared secret is supplied as a command\-line
+argument in clear text. This may be visible in the output from \fBps1\fP or
+in a history file maintained by the user\(aqs shell.
+.UNINDENT
+.UNINDENT
+.SH QUERY OPTIONS
+.sp
+\fBdig\fP provides a number of query options which affect the way in which
+lookups are made and the results displayed. Some of these set or reset
+flag bits in the query header, some determine which sections of the
+answer get printed, and others determine the timeout and retry
+strategies.
+.sp
+Each query option is identified by a keyword preceded by a plus sign
+(\fB+\fP). Some keywords set or reset an option; these may be preceded by
+the string \fBno\fP to negate the meaning of that keyword. Other keywords
+assign values to options, like the timeout interval. They have the form
+\fB+keyword=value\fP\&. Keywords may be abbreviated, provided the
+abbreviation is unambiguous; for example, \fB+cd\fP is equivalent to
+\fB+cdflag\fP\&. The query options are:
+.INDENT 0.0
+.TP
+.B \fB+[no]aaflag\fP
+This option is a synonym for \fB+[no]aaonly\fP\&.
+.TP
+.B \fB+[no]aaonly\fP
+This option sets the \fBaa\fP flag in the query.
+.TP
+.B \fB+[no]additional\fP
+This option displays [or does not display] the additional section of a reply. The
+default is to display it.
+.TP
+.B \fB+[no]adflag\fP
+This option sets [or does not set] the AD (authentic data) bit in the query. This
+requests the server to return whether all of the answer and authority
+sections have been validated as secure, according to the security
+policy of the server. \fBAD=1\fP indicates that all records have been
+validated as secure and the answer is not from a OPT\-OUT range. \fBAD=0\fP
+indicates that some part of the answer was insecure or not validated.
+This bit is set by default.
+.TP
+.B \fB+[no]all\fP
+This option sets or clears all display flags.
+.TP
+.B \fB+[no]answer\fP
+This option displays [or does not display] the answer section of a reply. The default
+is to display it.
+.TP
+.B \fB+[no]authority\fP
+This option displays [or does not display] the authority section of a reply. The
+default is to display it.
+.TP
+.B \fB+[no]badcookie\fP
+This option retries the lookup with a new server cookie if a BADCOOKIE response is
+received.
+.TP
+.B \fB+[no]besteffort\fP
+This option attempts to display the contents of messages which are malformed. The
+default is to not display malformed answers.
+.TP
+.B \fB+bufsize[=B]\fP
+This option sets the UDP message buffer size advertised using EDNS0
+to \fBB\fP bytes.  The maximum and minimum sizes of this buffer are
+65535 and 0, respectively.  \fB+bufsize=0\fP disables EDNS (use
+\fB+bufsize=0 +edns\fP to send an EDNS message with an advertised size
+of 0 bytes). \fB+bufsize\fP restores the default buffer size.
+.TP
+.B \fB+[no]cdflag\fP
+This option sets [or does not set] the CD (checking disabled) bit in the query. This
+requests the server to not perform DNSSEC validation of responses.
+.TP
+.B \fB+[no]class\fP
+This option displays [or does not display] the CLASS when printing the record.
+.TP
+.B \fB+[no]cmd\fP
+This option toggles the printing of the initial comment in the output, identifying the
+version of \fBdig\fP and the query options that have been applied. This option
+always has a global effect; it cannot be set globally and then overridden on a
+per\-lookup basis. The default is to print this comment.
+.TP
+.B \fB+[no]comments\fP
+This option toggles the display of some comment lines in the output, with
+information about the packet header and OPT pseudosection, and the names of
+the response section. The default is to print these comments.
+.sp
+Other types of comments in the output are not affected by this option, but
+can be controlled using other command\-line switches. These include
+\fB+[no]cmd\fP, \fB+[no]question\fP, \fB+[no]stats\fP, and \fB+[no]rrcomments\fP\&.
+.TP
+.B \fB+[no]cookie=####\fP
+This option sends [or does not send] a COOKIE EDNS option, with an optional value. Replaying a COOKIE
+from a previous response allows the server to identify a previous
+client. The default is \fB+cookie\fP\&.
+.sp
+\fB+cookie\fP is also set when \fB+trace\fP is set to better emulate the
+default queries from a nameserver.
+.TP
+.B \fB+[no]crypto\fP
+This option toggles the display of cryptographic fields in DNSSEC records. The
+contents of these fields are unnecessary for debugging most DNSSEC
+validation failures and removing them makes it easier to see the
+common failures. The default is to display the fields. When omitted,
+they are replaced by the string \fB[omitted]\fP or, in the DNSKEY case, the
+key ID is displayed as the replacement, e.g. \fB[ key id = value ]\fP\&.
+.TP
+.B \fB+[no]defname\fP
+This option, which is deprecated, is treated as a synonym for \fB+[no]search\fP\&.
+.TP
+.B \fB+[no]dnssec\fP
+This option requests that DNSSEC records be sent by setting the DNSSEC OK (DO) bit in
+the OPT record in the additional section of the query.
+.TP
+.B \fB+domain=somename\fP
+This option sets the search list to contain the single domain \fBsomename\fP, as if
+specified in a \fBdomain\fP directive in \fB/etc/resolv.conf\fP, and
+enables search list processing as if the \fB+search\fP option were
+given.
+.TP
+.B \fB+dscp=value\fP
+This option sets the DSCP code point to be used when sending the query. Valid DSCP
+code points are in the range [0...63]. By default no code point is
+explicitly set.
+.TP
+.B \fB+[no]edns[=#]\fP
+This option specifies the EDNS version to query with. Valid values are 0 to 255.
+Setting the EDNS version causes an EDNS query to be sent.
+\fB+noedns\fP clears the remembered EDNS version. EDNS is set to 0 by
+default.
+.TP
+.B \fB+[no]ednsflags[=#]\fP
+This option sets the must\-be\-zero EDNS flags bits (Z bits) to the specified value.
+Decimal, hex, and octal encodings are accepted. Setting a named flag
+(e.g., DO) is silently ignored. By default, no Z bits are set.
+.TP
+.B \fB+[no]ednsnegotiation\fP
+This option enables/disables EDNS version negotiation. By default, EDNS version
+negotiation is enabled.
+.TP
+.B \fB+[no]ednsopt[=code[:value]]\fP
+This option specifies the EDNS option with code point \fBcode\fP and an optional payload
+of \fBvalue\fP as a hexadecimal string. \fBcode\fP can be either an EDNS
+option name (for example, \fBNSID\fP or \fBECS\fP) or an arbitrary
+numeric value. \fB+noednsopt\fP clears the EDNS options to be sent.
+.TP
+.B \fB+[no]expire\fP
+This option sends an EDNS Expire option.
+.TP
+.B \fB+[no]fail\fP
+This option indicates that \fBnamed\fP should try [or not try] the next server if a SERVFAIL is received. The default is
+to not try the next server, which is the reverse of normal stub
+resolver behavior.
+.TP
+.B \fB+[no]header\-only\fP
+This option sends a query with a DNS header without a question section. The
+default is to add a question section. The query type and query name
+are ignored when this is set.
+.TP
+.B \fB+[no]identify\fP
+This option shows [or does not show] the IP address and port number that supplied
+the answer, when the \fB+short\fP option is enabled. If short form
+answers are requested, the default is not to show the source address
+and port number of the server that provided the answer.
+.TP
+.B \fB+[no]idnin\fP
+This option processes [or does not process] IDN domain names on input. This requires
+\fBIDN SUPPORT\fP to have been enabled at compile time.
+.sp
+The default is to process IDN input when standard output is a tty.
+The IDN processing on input is disabled when \fBdig\fP output is redirected
+to files, pipes, and other non\-tty file descriptors.
+.TP
+.B \fB+[no]idnout\fP
+This option converts [or does not convert] puny code on output. This requires
+\fBIDN SUPPORT\fP to have been enabled at compile time.
+.sp
+The default is to process puny code on output when standard output is
+a tty. The puny code processing on output is disabled when \fBdig\fP output
+is redirected to files, pipes, and other non\-tty file descriptors.
+.TP
+.B \fB+[no]ignore\fP
+This option ignores [or does not ignore] truncation in UDP responses instead of retrying with TCP. By
+default, TCP retries are performed.
+.TP
+.B \fB+[no]keepalive\fP
+This option sends [or does not send] an EDNS Keepalive option.
+.TP
+.B \fB+[no]keepopen\fP
+This option keeps [or does not keep] the TCP socket open between queries, and reuses it rather than
+creating a new TCP socket for each lookup. The default is
+\fB+nokeepopen\fP\&.
+.TP
+.B \fB+[no]mapped\fP
+This option allows [or does not allow] mapped IPv4\-over\-IPv6 addresses to be used. The default is
+\fB+mapped\fP\&.
+.TP
+.B \fB+[no]multiline\fP
+This option prints [or does not print] records, like the SOA records, in a verbose multi\-line format
+with human\-readable comments. The default is to print each record on
+a single line to facilitate machine parsing of the \fBdig\fP output.
+.TP
+.B \fB+ndots=D\fP
+This option sets the number of dots (\fBD\fP) that must appear in \fBname\fP for
+it to be considered absolute. The default value is that defined using
+the \fBndots\fP statement in \fB/etc/resolv.conf\fP, or 1 if no \fBndots\fP
+statement is present. Names with fewer dots are interpreted as
+relative names, and are searched for in the domains listed in the
+\fBsearch\fP or \fBdomain\fP directive in \fB/etc/resolv.conf\fP if
+\fB+search\fP is set.
+.TP
+.B \fB+[no]nsid\fP
+When enabled, this option includes an EDNS name server ID request when sending a query.
+.TP
+.B \fB+[no]nssearch\fP
+When this option is set, \fBdig\fP attempts to find the authoritative
+name servers for the zone containing the name being looked up, and
+display the SOA record that each name server has for the zone.
+Addresses of servers that did not respond are also printed.
+.TP
+.B \fB+[no]onesoa\fP
+When enabled, this option prints only one (starting) SOA record when performing an AXFR. The
+default is to print both the starting and ending SOA records.
+.TP
+.B \fB+[no]opcode=value\fP
+When enabled, this option sets (restores) the DNS message opcode to the specified value. The
+default value is QUERY (0).
+.TP
+.B \fB+padding=value\fP
+This option pads the size of the query packet using the EDNS Padding option to
+blocks of \fBvalue\fP bytes. For example, \fB+padding=32\fP causes a
+48\-byte query to be padded to 64 bytes. The default block size is 0,
+which disables padding; the maximum is 512. Values are ordinarily
+expected to be powers of two, such as 128; however, this is not
+mandatory. Responses to padded queries may also be padded, but only
+if the query uses TCP or DNS COOKIE.
+.TP
+.B \fB+[no]qr\fP
+This option toggles the display of the query message as it is sent. By default, the query
+is not printed.
+.TP
+.B \fB+[no]question\fP
+This option toggles the display of the question section of a query when an answer is
+returned. The default is to print the question section as a comment.
+.TP
+.B \fB+[no]raflag\fP
+This option sets [or does not set] the RA (Recursion Available) bit in the query. The
+default is \fB+noraflag\fP\&. This bit is ignored by the server for
+QUERY.
+.TP
+.B \fB+[no]rdflag\fP
+This option is a synonym for \fB+[no]recurse\fP\&.
+.TP
+.B \fB+[no]recurse\fP
+This option toggles the setting of the RD (recursion desired) bit in the query.
+This bit is set by default, which means \fBdig\fP normally sends
+recursive queries. Recursion is automatically disabled when the
+\fB+nssearch\fP or \fB+trace\fP query option is used.
+.TP
+.B \fB+retry=T\fP
+This option sets the number of times to retry UDP and TCP queries to server to \fBT\fP
+instead of the default, 2.  Unlike \fB+tries\fP, this does not include
+the initial query.
+.TP
+.B \fB+[no]rrcomments\fP
+This option toggles the display of per\-record comments in the output (for example,
+human\-readable key information about DNSKEY records). The default is
+not to print record comments unless multiline mode is active.
+.TP
+.B \fB+[no]search\fP
+This option uses [or does not use] the search list defined by the searchlist or domain
+directive in \fBresolv.conf\fP, if any. The search list is not used by
+default.
+.sp
+\fBndots\fP from \fBresolv.conf\fP (default 1), which may be overridden by
+\fB+ndots\fP, determines whether the name is treated as relative
+and hence whether a search is eventually performed.
+.TP
+.B \fB+[no]short\fP
+This option toggles whether a terse answer is provided. The default is to print the answer in a verbose
+form. This option always has a global effect; it cannot be set globally and
+then overridden on a per\-lookup basis.
+.TP
+.B \fB+[no]showsearch\fP
+This option performs [or does not perform] a search showing intermediate results.
+.TP
+.B \fB+[no]sigchase\fP
+This feature is now obsolete and has been removed; use \fBdelv\fP
+instead.
+.TP
+.B \fB+split=W\fP
+This option splits long hex\- or base64\-formatted fields in resource records into
+chunks of \fBW\fP characters (where \fBW\fP is rounded up to the nearest
+multiple of 4). \fB+nosplit\fP or \fB+split=0\fP causes fields not to be
+split at all. The default is 56 characters, or 44 characters when
+multiline mode is active.
+.TP
+.B \fB+[no]stats\fP
+This option toggles the printing of statistics: when the query was made, the size of the
+reply, etc. The default behavior is to print the query statistics as a
+comment after each lookup.
+.TP
+.B \fB+[no]subnet=addr[/prefix\-length]\fP
+This option sends [or does not send] an EDNS CLIENT\-SUBNET option with the specified IP
+address or network prefix.
+.sp
+\fBdig +subnet=0.0.0.0/0\fP, or simply \fBdig +subnet=0\fP for short,
+sends an EDNS CLIENT\-SUBNET option with an empty address and a source
+prefix\-length of zero, which signals a resolver that the client\(aqs
+address information must \fInot\fP be used when resolving this query.
+.TP
+.B \fB+[no]tcflag\fP
+This option sets [or does not set] the TC (TrunCation) bit in the query. The default is
+\fB+notcflag\fP\&. This bit is ignored by the server for QUERY.
+.TP
+.B \fB+[no]tcp\fP
+This option uses [or does not use] TCP when querying name servers.
+The default behavior is to use UDP unless a type \fBany\fP or
+\fBixfr=N\fP query is requested, in which case the default is TCP.
+AXFR queries always use TCP. To prevent retry over TCP when TC=1
+is returned from a UDP query, use \fB+ignore\fP\&.
+.TP
+.B \fB+timeout=T\fP
+This option sets the timeout for a query to \fBT\fP seconds. The default timeout is
+5 seconds. An attempt to set \fBT\fP to less than 1 is silently set to 1.
+.TP
+.B \fB+[no]topdown\fP
+This feature is related to \fBdig +sigchase\fP, which is obsolete and
+has been removed. Use \fBdelv\fP instead.
+.TP
+.B \fB+[no]trace\fP
+This option toggles tracing of the delegation path from the root name servers for
+the name being looked up. Tracing is disabled by default. When
+tracing is enabled, \fBdig\fP makes iterative queries to resolve the
+name being looked up. It follows referrals from the root servers,
+showing the answer from each server that was used to resolve the
+lookup.
+.sp
+If \fB@server\fP is also specified, it affects only the initial query for
+the root zone name servers.
+.sp
+\fB+dnssec\fP is also set when \fB+trace\fP is set, to better emulate the
+default queries from a name server.
+.TP
+.B \fB+tries=T\fP
+This option sets the number of times to try UDP and TCP queries to server to \fBT\fP
+instead of the default, 3. If \fBT\fP is less than or equal to zero,
+the number of tries is silently rounded up to 1.
+.TP
+.B \fB+trusted\-key=####\fP
+This option formerly specified trusted keys for use with \fBdig +sigchase\fP\&. This
+feature is now obsolete and has been removed; use \fBdelv\fP instead.
+.TP
+.B \fB+[no]ttlid\fP
+This option displays [or does not display] the TTL when printing the record.
+.TP
+.B \fB+[no]ttlunits\fP
+This option displays [or does not display] the TTL in friendly human\-readable time
+units of \fBs\fP, \fBm\fP, \fBh\fP, \fBd\fP, and \fBw\fP, representing seconds, minutes,
+hours, days, and weeks. This implies \fB+ttlid\fP\&.
+.TP
+.B \fB+[no]unexpected\fP
+This option accepts [or does not accept] answers from unexpected sources.  By default, \fBdig\fP
+will not accept a reply from a source other than the one to which it sent the
+query.
+.TP
+.B \fB+[no]unknownformat\fP
+This option prints all RDATA in unknown RR type presentation format (\fI\%RFC 3597\fP).
+The default is to print RDATA for known types in the type\(aqs
+presentation format.
+.TP
+.B \fB+[no]vc\fP
+This option uses [or does not use] TCP when querying name servers. This alternate
+syntax to \fB+[no]tcp\fP is provided for backwards compatibility. The
+\fBvc\fP stands for \(dqvirtual circuit.\(dq
+.TP
+.B \fB+[no]yaml\fP
+When enabled, this option prints the responses (and, if \fB+qr\fP is in use, also the
+outgoing queries) in a detailed YAML format.
+.TP
+.B \fB+[no]zflag\fP
+This option sets [or does not set] the last unassigned DNS header flag in a DNS query.
+This flag is off by default.
+.UNINDENT
+.SH MULTIPLE QUERIES
+.sp
+The BIND 9 implementation of \fBdig\fP supports specifying multiple
+queries on the command line (in addition to supporting the \fB\-f\fP batch
+file option). Each of those queries can be supplied with its own set of
+flags, options, and query options.
+.sp
+In this case, each \fBquery\fP argument represents an individual query in
+the command\-line syntax described above. Each consists of any of the
+standard options and flags, the name to be looked up, an optional query
+type and class, and any query options that should be applied to that
+query.
+.sp
+A global set of query options, which should be applied to all queries,
+can also be supplied. These global query options must precede the first
+tuple of name, class, type, options, flags, and query options supplied
+on the command line. Any global query options (except \fB+[no]cmd\fP and
+\fB+[no]short\fP options) can be overridden by a query\-specific set of
+query options. For example:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+dig +qr www.isc.org any \-x 127.0.0.1 isc.org ns +noqr
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+shows how \fBdig\fP can be used from the command line to make three
+lookups: an ANY query for \fBwww.isc.org\fP, a reverse lookup of 127.0.0.1,
+and a query for the NS records of \fBisc.org\fP\&. A global query option of
+\fB+qr\fP is applied, so that \fBdig\fP shows the initial query it made for
+each lookup. The final query has a local query option of \fB+noqr\fP which
+means that \fBdig\fP does not print the initial query when it looks up the
+NS records for \fBisc.org\fP\&.
+.SH IDN SUPPORT
+.sp
+If \fBdig\fP has been built with IDN (internationalized domain name)
+support, it can accept and display non\-ASCII domain names. \fBdig\fP
+appropriately converts character encoding of a domain name before sending
+a request to a DNS server or displaying a reply from the server.
+To turn off IDN support, use the parameters
+\fB+noidnin\fP and \fB+noidnout\fP, or define the \fBIDN_DISABLE\fP environment
+variable.
+.SH RETURN CODES
+.sp
+\fBdig\fP return codes are:
+.INDENT 0.0
+.TP
+.B \fB0\fP
+DNS response received, including NXDOMAIN status
+.TP
+.B \fB1\fP
+Usage error
+.TP
+.B \fB8\fP
+Couldn\(aqt open batch file
+.TP
+.B \fB9\fP
+No reply from server
+.TP
+.B \fB10\fP
+Internal error
+.UNINDENT
+.SH FILES
+.sp
+\fB/etc/resolv.conf\fP
+.sp
+\fB${HOME}/.digrc\fP
+.SH SEE ALSO
+.sp
+\fBdelv(1)\fP, \fBhost(1)\fP, \fBnamed(8)\fP, \fBdnssec\-keygen(8)\fP, \fI\%RFC 1035\fP\&.
+.SH BUGS
+.sp
+There are probably too many query options.
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/dig.rst b/doc/man/dig.rst
new file mode 100644
index 0000000..578a0be
--- /dev/null
+++ b/doc/man/dig.rst
@@ -0,0 +1,14 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+:orphan:
+
+.. include:: ../../bin/dig/dig.rst
diff --git a/doc/man/dnssec-cds.8in b/doc/man/dnssec-cds.8in
new file mode 100644
index 0000000..f915c35
--- /dev/null
+++ b/doc/man/dnssec-cds.8in
@@ -0,0 +1,229 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "DNSSEC-CDS" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+dnssec-cds \- change DS records for a child zone based on CDS/CDNSKEY
+.SH SYNOPSIS
+.sp
+\fBdnssec\-cds\fP [\fB\-a\fP alg...] [\fB\-c\fP class] [\fB\-D\fP] {\fB\-d\fP dsset\-file} {\fB\-f\fP child\-file} [\fB\-i**[extension]] [\fP\-s** start\-time] [\fB\-T\fP ttl] [\fB\-u\fP] [\fB\-v\fP level] [\fB\-V\fP] {domain}
+.SH DESCRIPTION
+.sp
+The \fBdnssec\-cds\fP command changes DS records at a delegation point
+based on CDS or CDNSKEY records published in the child zone. If both CDS
+and CDNSKEY records are present in the child zone, the CDS is preferred.
+This enables a child zone to inform its parent of upcoming changes to
+its key\-signing keys (KSKs); by polling periodically with \fBdnssec\-cds\fP, the
+parent can keep the DS records up\-to\-date and enable automatic rolling
+of KSKs.
+.sp
+Two input files are required. The \fB\-f child\-file\fP option specifies a
+file containing the child\(aqs CDS and/or CDNSKEY records, plus RRSIG and
+DNSKEY records so that they can be authenticated. The \fB\-d path\fP option
+specifies the location of a file containing the current DS records. For
+example, this could be a \fBdsset\-\fP file generated by
+\fBdnssec\-signzone\fP, or the output of \fBdnssec\-dsfromkey\fP, or the
+output of a previous run of \fBdnssec\-cds\fP\&.
+.sp
+The \fBdnssec\-cds\fP command uses special DNSSEC validation logic
+specified by \fI\%RFC 7344\fP\&. It requires that the CDS and/or CDNSKEY records
+be validly signed by a key represented in the existing DS records. This
+is typically the pre\-existing KSK.
+.sp
+For protection against replay attacks, the signatures on the child
+records must not be older than they were on a previous run of
+\fBdnssec\-cds\fP\&. Their age is obtained from the modification time of the
+\fBdsset\-\fP file, or from the \fB\-s\fP option.
+.sp
+To protect against breaking the delegation, \fBdnssec\-cds\fP ensures that
+the DNSKEY RRset can be verified by every key algorithm in the new DS
+RRset, and that the same set of keys are covered by every DS digest
+type.
+.sp
+By default, replacement DS records are written to the standard output;
+with the \fB\-i\fP option the input file is overwritten in place. The
+replacement DS records are the same as the existing records, when no
+change is required. The output can be empty if the CDS/CDNSKEY records
+specify that the child zone wants to be insecure.
+.sp
+\fBWARNING:\fP
+.INDENT 0.0
+.INDENT 3.5
+Be careful not to delete the DS records when \fBdnssec\-cds\fP fails!
+.UNINDENT
+.UNINDENT
+.sp
+Alternatively, \fBdnssec\-cds \-u\fP writes an \fBnsupdate\fP script to the
+standard output. The \fB\-u\fP and \fB\-i\fP options can be used together to
+maintain a \fBdsset\-\fP file as well as emit an \fBnsupdate\fP script.
+.SH OPTIONS
+.INDENT 0.0
+.TP
+.B \fB\-a algorithm\fP
+This option specifies a digest algorithm to use when converting CDNSKEY records to
+DS records. This option can be repeated, so that multiple DS records
+are created for each CDNSKEY record. This option has no effect when
+using CDS records.
+.sp
+The algorithm must be one of SHA\-1, SHA\-256, or SHA\-384. These values
+are case\-insensitive, and the hyphen may be omitted. If no algorithm
+is specified, the default is SHA\-256.
+.TP
+.B \fB\-c class\fP
+This option specifies the DNS class of the zones.
+.TP
+.B \fB\-D\fP
+This option generates DS records from CDNSKEY records if both CDS and CDNSKEY
+records are present in the child zone. By default CDS records are
+preferred.
+.TP
+.B \fB\-d path\fP
+This specifies the location of the parent DS records. The path can be the name of a file
+containing the DS records; if it is a directory, \fBdnssec\-cds\fP
+looks for a \fBdsset\-\fP file for the domain inside the directory.
+.sp
+To protect against replay attacks, child records are rejected if they
+were signed earlier than the modification time of the \fBdsset\-\fP
+file. This can be adjusted with the \fB\-s\fP option.
+.TP
+.B \fB\-f child\-file\fP
+This option specifies the file containing the child\(aqs CDS and/or CDNSKEY records, plus its
+DNSKEY records and the covering RRSIG records, so that they can be
+authenticated.
+.sp
+The examples below describe how to generate this file.
+.TP
+.B \fB\-iextension\fP
+This option updates the \fBdsset\-\fP file in place, instead of writing DS records to
+the standard output.
+.sp
+There must be no space between the \fB\-i\fP and the extension. If
+no extension is provided, the old \fBdsset\-\fP is discarded. If an
+extension is present, a backup of the old \fBdsset\-\fP file is kept
+with the extension appended to its filename.
+.sp
+To protect against replay attacks, the modification time of the
+\fBdsset\-\fP file is set to match the signature inception time of the
+child records, provided that it is later than the file\(aqs current
+modification time.
+.TP
+.B \fB\-s start\-time\fP
+This option specifies the date and time after which RRSIG records become
+acceptable. This can be either an absolute or a relative time. An
+absolute start time is indicated by a number in YYYYMMDDHHMMSS
+notation; 20170827133700 denotes 13:37:00 UTC on August 27th, 2017. A
+time relative to the \fBdsset\-\fP file is indicated with \fB\-N\fP, which is N
+seconds before the file modification time. A time relative to the
+current time is indicated with \fBnow+N\fP\&.
+.sp
+If no start\-time is specified, the modification time of the
+\fBdsset\-\fP file is used.
+.TP
+.B \fB\-T ttl\fP
+This option specifies a TTL to be used for new DS records. If not specified, the
+default is the TTL of the old DS records. If they had no explicit TTL,
+the new DS records also have no explicit TTL.
+.TP
+.B \fB\-u\fP
+This option writes an \fBnsupdate\fP script to the standard output, instead of
+printing the new DS reords. The output is empty if no change is
+needed.
+.sp
+Note: The TTL of new records needs to be specified: it can be done in the
+original \fBdsset\-\fP file, with the \fB\-T\fP option, or using the
+\fBnsupdate\fP \fBttl\fP command.
+.TP
+.B \fB\-V\fP
+This option prints version information.
+.TP
+.B \fB\-v level\fP
+This option sets the debugging level. Level 1 is intended to be usefully verbose
+for general users; higher levels are intended for developers.
+.TP
+.B \fBdomain\fP
+This indicates the name of the delegation point/child zone apex.
+.UNINDENT
+.SH EXIT STATUS
+.sp
+The \fBdnssec\-cds\fP command exits 0 on success, or non\-zero if an error
+occurred.
+.sp
+If successful, the DS records may or may not need to be
+changed.
+.SH EXAMPLES
+.sp
+Before running \fBdnssec\-signzone\fP, ensure that the delegations
+are up\-to\-date by running \fBdnssec\-cds\fP on every \fBdsset\-\fP file.
+.sp
+To fetch the child records required by \fBdnssec\-cds\fP, invoke
+\fBdig\fP as in the script below. It is acceptable if the \fBdig\fP fails, since
+\fBdnssec\-cds\fP performs all the necessary checking.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+for f in dsset\-*
+do
+    d=${f#dsset\-}
+    dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
+    dnssec\-cds \-i \-f /dev/stdin \-d $f $d
+done
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+When the parent zone is automatically signed by \fBnamed\fP,
+\fBdnssec\-cds\fP can be used with \fBnsupdate\fP to maintain a delegation as follows.
+The \fBdsset\-\fP file allows the script to avoid having to fetch and
+validate the parent DS records, and it maintains the replay attack
+protection time.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
+dnssec\-cds \-u \-i \-f /dev/stdin \-d $f $d |
+nsupdate \-l
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fBdig(1)\fP, \fBdnssec\-settime(8)\fP, \fBdnssec\-signzone(8)\fP, \fBnsupdate(1)\fP, BIND 9 Administrator
+Reference Manual, \fI\%RFC 7344\fP\&.
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/dnssec-cds.rst b/doc/man/dnssec-cds.rst
new file mode 100644
index 0000000..fadc1a1
--- /dev/null
+++ b/doc/man/dnssec-cds.rst
@@ -0,0 +1,14 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+:orphan:
+
+.. include:: ../../bin/dnssec/dnssec-cds.rst
diff --git a/doc/man/dnssec-checkds.8in b/doc/man/dnssec-checkds.8in
new file mode 100644
index 0000000..8a1328b
--- /dev/null
+++ b/doc/man/dnssec-checkds.8in
@@ -0,0 +1,96 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "DNSSEC-CHECKDS" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+dnssec-checkds \- DNSSEC delegation consistency checking tool
+.SH SYNOPSIS
+.sp
+\fBdnssec\-checkds\fP [\fB\-d\fP\fIdig path\fP] [\fB\-D\fP\fIdsfromkey path\fP]
+[\fB\-f\fP\fIfile\fP] [\fB\-l\fP\fIdomain\fP] [\fB\-s\fP\fIfile\fP] {zone}
+.SH DESCRIPTION
+.sp
+\fBdnssec\-checkds\fP verifies the correctness of Delegation Signer (DS)
+resource records for keys in a specified zone.
+.SH OPTIONS
+.sp
+\fB\-a\fP \fIalgorithm\fP
+.INDENT 0.0
+.INDENT 3.5
+Specify a digest algorithm to use when converting the zones DNSKEY
+records to expected DS records. This option can be repeated, so that
+multiple records are checked for each DNSKEY record.
+.sp
+The \fIalgorithm\fP must be one of SHA\-1, SHA\-256, or SHA\-384. These
+values are case insensitive, and the hyphen may be omitted. If no
+algorithm is specified, the default is SHA\-256.
+.UNINDENT
+.UNINDENT
+.sp
+\fB\-f\fP \fIfile\fP
+.INDENT 0.0
+.INDENT 3.5
+If a \fBfile\fP is specified, then the zone is read from that file to
+find the DNSKEY records. If not, then the DNSKEY records for the zone
+are looked up in the DNS.
+.UNINDENT
+.UNINDENT
+.sp
+\fB\-s\fP \fIfile\fP
+.INDENT 0.0
+.INDENT 3.5
+Specifies a prepared dsset file, such as would be generated by
+\fBdnssec\-signzone\fP, to use as a source for the DS RRset instead of
+querying the parent.
+.UNINDENT
+.UNINDENT
+.sp
+\fB\-d\fP \fIdig path\fP
+.INDENT 0.0
+.INDENT 3.5
+Specifies a path to a \fBdig\fP binary. Used for testing.
+.UNINDENT
+.UNINDENT
+.sp
+\fB\-D\fP \fIdsfromkey path\fP
+.INDENT 0.0
+.INDENT 3.5
+Specifies a path to a \fBdnssec\-dsfromkey\fP binary. Used for testing.
+.UNINDENT
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fBdnssec\-dsfromkey\fP(8), \fBdnssec\-keygen\fP(8),
+\fBdnssec\-signzone\fP(8),
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/dnssec-checkds.rst b/doc/man/dnssec-checkds.rst
new file mode 100644
index 0000000..a3c2431
--- /dev/null
+++ b/doc/man/dnssec-checkds.rst
@@ -0,0 +1,14 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+:orphan:
+
+.. include:: ../../bin/python/dnssec-checkds.rst
diff --git a/doc/man/dnssec-coverage.8in b/doc/man/dnssec-coverage.8in
new file mode 100644
index 0000000..1dde5bc
--- /dev/null
+++ b/doc/man/dnssec-coverage.8in
@@ -0,0 +1,192 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "DNSSEC-COVERAGE" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+dnssec-coverage \- checks future DNSKEY coverage for a zone
+.SH SYNOPSIS
+.sp
+\fBdnssec\-coverage\fP [\fB\-K\fP\fIdirectory\fP] [\fB\-l\fP\fIlength\fP]
+[\fB\-f\fP\fIfile\fP] [\fB\-d\fP\fIDNSKEY TTL\fP] [\fB\-m\fP\fImax TTL\fP]
+[\fB\-r\fP\fIinterval\fP] [\fB\-c\fP\fIcompilezone path\fP] [\fB\-k\fP] [\fB\-z\fP]
+[zone...]
+.SH DESCRIPTION
+.sp
+\fBdnssec\-coverage\fP verifies that the DNSSEC keys for a given zone or a
+set of zones have timing metadata set properly to ensure no future
+lapses in DNSSEC coverage.
+.sp
+If \fBzone\fP is specified, then keys found in the key repository matching
+that zone are scanned, and an ordered list is generated of the events
+scheduled for that key (i.e., publication, activation, inactivation,
+deletion). The list of events is walked in order of occurrence. Warnings
+are generated if any event is scheduled which could cause the zone to
+enter a state in which validation failures might occur: for example, if
+the number of published or active keys for a given algorithm drops to
+zero, or if a key is deleted from the zone too soon after a new key is
+rolled, and cached data signed by the prior key has not had time to
+expire from resolver caches.
+.sp
+If \fBzone\fP is not specified, then all keys in the key repository will
+be scanned, and all zones for which there are keys will be analyzed.
+(Note: This method of reporting is only accurate if all the zones that
+have keys in a given repository share the same TTL parameters.)
+.SH OPTIONS
+.sp
+\fB\-K\fP \fIdirectory\fP
+.INDENT 0.0
+.INDENT 3.5
+Sets the directory in which keys can be found. Defaults to the
+current working directory.
+.UNINDENT
+.UNINDENT
+.sp
+\fB\-f\fP \fIfile\fP
+.INDENT 0.0
+.INDENT 3.5
+If a \fBfile\fP is specified, then the zone is read from that file; the
+largest TTL and the DNSKEY TTL are determined directly from the zone
+data, and the \fB\-m\fP and \fB\-d\fP options do not need to be specified
+on the command line.
+.UNINDENT
+.UNINDENT
+.sp
+\fB\-l\fP \fIduration\fP
+.INDENT 0.0
+.INDENT 3.5
+The length of time to check for DNSSEC coverage. Key events scheduled
+further into the future than \fBduration\fP will be ignored, and
+assumed to be correct.
+.sp
+The value of \fBduration\fP can be set in seconds, or in larger units
+of time by adding a suffix: mi for minutes, h for hours, d for days,
+w for weeks, mo for months, y for years.
+.UNINDENT
+.UNINDENT
+.sp
+\fB\-m\fP \fImaximum TTL\fP
+.INDENT 0.0
+.INDENT 3.5
+Sets the value to be used as the maximum TTL for the zone or zones
+being analyzed when determining whether there is a possibility of
+validation failure. When a zone\-signing key is deactivated, there
+must be enough time for the record in the zone with the longest TTL
+to have expired from resolver caches before that key can be purged
+from the DNSKEY RRset. If that condition does not apply, a warning
+will be generated.
+.sp
+The length of the TTL can be set in seconds, or in larger units of
+time by adding a suffix: mi for minutes, h for hours, d for days, w
+for weeks, mo for months, y for years.
+.sp
+This option is not necessary if the \fB\-f\fP has been used to specify a
+zone file. If \fB\-f\fP has been specified, this option may still be
+used; it will override the value found in the file.
+.sp
+If this option is not used and the maximum TTL cannot be retrieved
+from a zone file, a warning is generated and a default value of 1
+week is used.
+.UNINDENT
+.UNINDENT
+.sp
+\fB\-d\fP \fIDNSKEY TTL\fP
+.INDENT 0.0
+.INDENT 3.5
+Sets the value to be used as the DNSKEY TTL for the zone or zones
+being analyzed when determining whether there is a possibility of
+validation failure. When a key is rolled (that is, replaced with a
+new key), there must be enough time for the old DNSKEY RRset to have
+expired from resolver caches before the new key is activated and
+begins generating signatures. If that condition does not apply, a
+warning will be generated.
+.sp
+The length of the TTL can be set in seconds, or in larger units of
+time by adding a suffix: mi for minutes, h for hours, d for days, w
+for weeks, mo for months, y for years.
+.sp
+This option is not necessary if \fB\-f\fP has been used to specify a
+zone file from which the TTL of the DNSKEY RRset can be read, or if a
+default key TTL was set using ith the \fB\-L\fP to \fBdnssec\-keygen\fP\&. If
+either of those is true, this option may still be used; it will
+override the values found in the zone file or the key file.
+.sp
+If this option is not used and the key TTL cannot be retrieved from
+the zone file or the key file, then a warning is generated and a
+default value of 1 day is used.
+.UNINDENT
+.UNINDENT
+.sp
+\fB\-r\fP \fIresign interval\fP
+.INDENT 0.0
+.INDENT 3.5
+Sets the value to be used as the resign interval for the zone or
+zones being analyzed when determining whether there is a possibility
+of validation failure. This value defaults to 22.5 days, which is
+also the default in \fBnamed\fP\&. However, if it has been changed by the
+\fBsig\-validity\-interval\fP option in named.conf, then it should also
+be changed here.
+.sp
+The length of the interval can be set in seconds, or in larger units
+of time by adding a suffix: mi for minutes, h for hours, d for days,
+w for weeks, mo for months, y for years.
+.UNINDENT
+.UNINDENT
+.sp
+\fB\-k\fP
+.INDENT 0.0
+.INDENT 3.5
+Only check KSK coverage; ignore ZSK events. Cannot be used with
+\fB\-z\fP\&.
+.UNINDENT
+.UNINDENT
+.sp
+\fB\-z\fP
+.INDENT 0.0
+.INDENT 3.5
+Only check ZSK coverage; ignore KSK events. Cannot be used with
+\fB\-k\fP\&.
+.UNINDENT
+.UNINDENT
+.sp
+\fB\-c\fP \fIcompilezone path\fP
+.INDENT 0.0
+.INDENT 3.5
+Specifies a path to a \fBnamed\-compilezone\fP binary. Used for testing.
+.UNINDENT
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fBdnssec\-checkds\fP(8), \fBdnssec\-dsfromkey\fP(8),
+\fBdnssec\-keygen\fP(8), \fBdnssec\-signzone\fP(8)
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/dnssec-coverage.rst b/doc/man/dnssec-coverage.rst
new file mode 100644
index 0000000..0e974ac
--- /dev/null
+++ b/doc/man/dnssec-coverage.rst
@@ -0,0 +1,14 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+:orphan:
+
+.. include:: ../../bin/python/dnssec-coverage.rst
diff --git a/doc/man/dnssec-dsfromkey.8in b/doc/man/dnssec-dsfromkey.8in
new file mode 100644
index 0000000..83f6a7a
--- /dev/null
+++ b/doc/man/dnssec-dsfromkey.8in
@@ -0,0 +1,153 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "DNSSEC-DSFROMKEY" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+dnssec-dsfromkey \- DNSSEC DS RR generation tool
+.SH SYNOPSIS
+.sp
+\fBdnssec\-dsfromkey\fP [ \fB\-1\fP | \fB\-2\fP | \fB\-a\fP alg ] [ \fB\-C\fP ] [\fB\-T\fP TTL] [\fB\-v\fP level] [\fB\-K\fP directory] {keyfile}
+.sp
+\fBdnssec\-dsfromkey\fP [ \fB\-1\fP | \fB\-2\fP | \fB\-a\fP alg ] [ \fB\-C\fP ] [\fB\-T\fP TTL] [\fB\-v\fP level] [\fB\-c\fP class] [\fB\-A\fP] {\fB\-f\fP file} [dnsname]
+.sp
+\fBdnssec\-dsfromkey\fP [ \fB\-1\fP | \fB\-2\fP | \fB\-a\fP alg ] [ \fB\-C\fP ] [\fB\-T\fP TTL] [\fB\-v\fP level] [\fB\-c\fP class] [\fB\-K\fP directory] {\fB\-s\fP} {dnsname}
+.sp
+\fBdnssec\-dsfromkey\fP [ \fB\-h\fP | \fB\-V\fP ]
+.SH DESCRIPTION
+.sp
+The \fBdnssec\-dsfromkey\fP command outputs DS (Delegation Signer) resource records
+(RRs), or CDS (Child DS) RRs with the \fB\-C\fP option.
+.sp
+By default, only KSKs are converted (keys with flags = 257).  The
+\fB\-A\fP option includes ZSKs (flags = 256).  Revoked keys are never
+included.
+.sp
+The input keys can be specified in a number of ways:
+.sp
+By default, \fBdnssec\-dsfromkey\fP reads a key file named in the format
+\fBKnnnn.+aaa+iiiii.key\fP, as generated by \fBdnssec\-keygen\fP\&.
+.sp
+With the \fB\-f file\fP option, \fBdnssec\-dsfromkey\fP reads keys from a zone
+file or partial zone file (which can contain just the DNSKEY records).
+.sp
+With the \fB\-s\fP option, \fBdnssec\-dsfromkey\fP reads a \fBkeyset\-\fP file,
+as generated by \fBdnssec\-keygen\fP \fB\-C\fP\&.
+.SH OPTIONS
+.INDENT 0.0
+.TP
+.B \fB\-1\fP
+This option is an abbreviation for \fB\-a SHA1\fP\&.
+.TP
+.B \fB\-2\fP
+This option is an abbreviation for \fB\-a SHA\-256\fP\&.
+.TP
+.B \fB\-a algorithm\fP
+This option specifies a digest algorithm to use when converting DNSKEY records to
+DS records. This option can be repeated, so that multiple DS records
+are created for each DNSKEY record.
+.sp
+The algorithm must be one of SHA\-1, SHA\-256, or SHA\-384. These values
+are case\-insensitive, and the hyphen may be omitted. If no algorithm
+is specified, the default is SHA\-256.
+.TP
+.B \fB\-A\fP
+This option indicates that ZSKs are to be included when generating DS records. Without this option, only
+keys which have the KSK flag set are converted to DS records and
+printed. This option is only useful in \fB\-f\fP zone file mode.
+.TP
+.B \fB\-c class\fP
+This option specifies the DNS class; the default is IN. This option is only useful in \fB\-s\fP keyset
+or \fB\-f\fP zone file mode.
+.TP
+.B \fB\-C\fP
+This option generates CDS records rather than DS records.
+.TP
+.B \fB\-f file\fP
+This option sets zone file mode, in which the final dnsname argument of \fBdnssec\-dsfromkey\fP is the
+DNS domain name of a zone whose master file can be read from
+\fBfile\fP\&. If the zone name is the same as \fBfile\fP, then it may be
+omitted.
+.sp
+If \fBfile\fP is \fB\-\fP, then the zone data is read from the standard
+input. This makes it possible to use the output of the \fBdig\fP
+command as input, as in:
+.sp
+\fBdig dnskey example.com | dnssec\-dsfromkey \-f \- example.com\fP
+.TP
+.B \fB\-h\fP
+This option prints usage information.
+.TP
+.B \fB\-K directory\fP
+This option tells BIND 9 to look for key files or \fBkeyset\-\fP files in \fBdirectory\fP\&.
+.TP
+.B \fB\-s\fP
+This option enables keyset mode, in which the final dnsname argument from \fBdnssec\-dsfromkey\fP is the DNS
+domain name used to locate a \fBkeyset\-\fP file.
+.TP
+.B \fB\-T TTL\fP
+This option specifies the TTL of the DS records. By default the TTL is omitted.
+.TP
+.B \fB\-v level\fP
+This option sets the debugging level.
+.TP
+.B \fB\-V\fP
+This option prints version information.
+.UNINDENT
+.SH EXAMPLE
+.sp
+To build the SHA\-256 DS RR from the \fBKexample.com.+003+26160\fP keyfile,
+issue the following command:
+.sp
+\fBdnssec\-dsfromkey \-2 Kexample.com.+003+26160\fP
+.sp
+The command returns something similar to:
+.sp
+\fBexample.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94\fP
+.SH FILES
+.sp
+The keyfile can be designated by the key identification
+\fBKnnnn.+aaa+iiiii\fP or the full file name \fBKnnnn.+aaa+iiiii.key\fP, as
+generated by \fBdnssec\-keygen\fP\&.
+.sp
+The keyset file name is built from the \fBdirectory\fP, the string
+\fBkeyset\-\fP, and the \fBdnsname\fP\&.
+.SH CAVEAT
+.sp
+A keyfile error may return \(dqfile not found,\(dq even if the file exists.
+.SH SEE ALSO
+.sp
+\fBdnssec\-keygen(8)\fP, \fBdnssec\-signzone(8)\fP, BIND 9 Administrator Reference Manual,
+\fI\%RFC 3658\fP (DS RRs), \fI\%RFC 4509\fP (SHA\-256 for DS RRs),
+\fI\%RFC 6605\fP (SHA\-384 for DS RRs), \fI\%RFC 7344\fP (CDS and CDNSKEY RRs).
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/dnssec-dsfromkey.rst b/doc/man/dnssec-dsfromkey.rst
new file mode 100644
index 0000000..9a016b1
--- /dev/null
+++ b/doc/man/dnssec-dsfromkey.rst
@@ -0,0 +1,14 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+:orphan:
+
+.. include:: ../../bin/dnssec/dnssec-dsfromkey.rst
diff --git a/doc/man/dnssec-importkey.8in b/doc/man/dnssec-importkey.8in
new file mode 100644
index 0000000..8a50888
--- /dev/null
+++ b/doc/man/dnssec-importkey.8in
@@ -0,0 +1,126 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "DNSSEC-IMPORTKEY" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+dnssec-importkey \- import DNSKEY records from external systems so they can be managed
+.SH SYNOPSIS
+.sp
+\fBdnssec\-importkey\fP [\fB\-K\fP directory] [\fB\-L\fP ttl] [\fB\-P\fP date/offset] [\fB\-P\fP sync date/offset] [\fB\-D\fP date/offset] [\fB\-D\fP sync date/offset] [\fB\-h\fP] [\fB\-v\fP level] [\fB\-V\fP] {keyfile}
+.sp
+\fBdnssec\-importkey\fP {\fB\-f\fP filename} [\fB\-K\fP directory] [\fB\-L\fP ttl] [\fB\-P\fP date/offset] [\fB\-P\fP sync date/offset] [\fB\-D\fP date/offset] [\fB\-D\fP sync date/offset] [\fB\-h\fP] [\fB\-v\fP level] [\fB\-V\fP] [dnsname]
+.SH DESCRIPTION
+.sp
+\fBdnssec\-importkey\fP reads a public DNSKEY record and generates a pair
+of .key/.private files. The DNSKEY record may be read from an
+existing .key file, in which case a corresponding .private file is
+generated, or it may be read from any other file or from the standard
+input, in which case both .key and .private files are generated.
+.sp
+The newly created .private file does \fInot\fP contain private key data, and
+cannot be used for signing. However, having a .private file makes it
+possible to set publication (\fB\-P\fP) and deletion (\fB\-D\fP) times for the
+key, which means the public key can be added to and removed from the
+DNSKEY RRset on schedule even if the true private key is stored offline.
+.SH OPTIONS
+.INDENT 0.0
+.TP
+.B \fB\-f filename\fP
+This option indicates the zone file mode. Instead of a public keyfile name, the argument is the
+DNS domain name of a zone master file, which can be read from
+\fBfilename\fP\&. If the domain name is the same as \fBfilename\fP, then it may be
+omitted.
+.sp
+If \fBfilename\fP is set to \fB\(dq\-\(dq\fP, then the zone data is read from the
+standard input.
+.TP
+.B \fB\-K directory\fP
+This option sets the directory in which the key files are to reside.
+.TP
+.B \fB\-L ttl\fP
+This option sets the default TTL to use for this key when it is converted into a
+DNSKEY RR. This is the TTL used when the key is imported into a zone,
+unless there was already a DNSKEY RRset in
+place, in which case the existing TTL takes precedence. Setting the default TTL to \fB0\fP or \fBnone\fP
+removes it from the key.
+.TP
+.B \fB\-h\fP
+This option emits a usage message and exits.
+.TP
+.B \fB\-v level\fP
+This option sets the debugging level.
+.TP
+.B \fB\-V\fP
+This option prints version information.
+.UNINDENT
+.SH TIMING OPTIONS
+.sp
+Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the
+argument begins with a \fB+\fP or \fB\-\fP, it is interpreted as an offset from
+the present time. For convenience, if such an offset is followed by one
+of the suffixes \fBy\fP, \fBmo\fP, \fBw\fP, \fBd\fP, \fBh\fP, or \fBmi\fP, then the offset is
+computed in years (defined as 365 24\-hour days, ignoring leap years),
+months (defined as 30 24\-hour days), weeks, days, hours, or minutes,
+respectively. Without a suffix, the offset is computed in seconds. To
+explicitly prevent a date from being set, use \fBnone\fP or \fBnever\fP\&.
+.INDENT 0.0
+.TP
+.B \fB\-P date/offset\fP
+This option sets the date on which a key is to be published to the zone. After
+that date, the key is included in the zone but is not used
+to sign it.
+.TP
+.B \fB\-P sync date/offset\fP
+This option sets the date on which CDS and CDNSKEY records that match this key
+are to be published to the zone.
+.TP
+.B \fB\-D date/offset\fP
+This option sets the date on which the key is to be deleted. After that date, the
+key is no longer included in the zone. (However, it may remain in the key
+repository.)
+.TP
+.B \fB\-D sync date/offset\fP
+This option sets the date on which the CDS and CDNSKEY records that match this
+key are to be deleted.
+.UNINDENT
+.SH FILES
+.sp
+A keyfile can be designed by the key identification \fBKnnnn.+aaa+iiiii\fP
+or the full file name \fBKnnnn.+aaa+iiiii.key\fP, as generated by
+\fBdnssec\-keygen\fP\&.
+.SH SEE ALSO
+.sp
+\fBdnssec\-keygen(8)\fP, \fBdnssec\-signzone(8)\fP, BIND 9 Administrator Reference Manual,
+\fI\%RFC 5011\fP\&.
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/dnssec-importkey.rst b/doc/man/dnssec-importkey.rst
new file mode 100644
index 0000000..a9df508
--- /dev/null
+++ b/doc/man/dnssec-importkey.rst
@@ -0,0 +1,14 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+:orphan:
+
+.. include:: ../../bin/dnssec/dnssec-importkey.rst
diff --git a/doc/man/dnssec-keyfromlabel.8in b/doc/man/dnssec-keyfromlabel.8in
new file mode 100644
index 0000000..7bedc45
--- /dev/null
+++ b/doc/man/dnssec-keyfromlabel.8in
@@ -0,0 +1,277 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "DNSSEC-KEYFROMLABEL" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+dnssec-keyfromlabel \- DNSSEC key generation tool
+.SH SYNOPSIS
+.sp
+\fBdnssec\-keyfromlabel\fP {\fB\-l\fP label} [\fB\-3\fP] [\fB\-a\fP algorithm] [\fB\-A\fP date/offset] [\fB\-c\fP class] [\fB\-D\fP date/offset] [\fB\-D\fP sync date/offset] [\fB\-E\fP engine] [\fB\-f\fP flag] [\fB\-G\fP] [\fB\-I\fP date/offset] [\fB\-i\fP interval] [\fB\-k\fP] [\fB\-K\fP directory] [\fB\-L\fP ttl] [\fB\-n\fP nametype] [\fB\-P\fP date/offset] [\fB\-P\fP sync date/offset] [\fB\-p\fP protocol] [\fB\-R\fP date/offset] [\fB\-S\fP key] [\fB\-t\fP type] [\fB\-v\fP level] [\fB\-V\fP] [\fB\-y\fP] {name}
+.SH DESCRIPTION
+.sp
+\fBdnssec\-keyfromlabel\fP generates a pair of key files that reference a
+key object stored in a cryptographic hardware service module (HSM). The
+private key file can be used for DNSSEC signing of zone data as if it
+were a conventional signing key created by \fBdnssec\-keygen\fP, but the
+key material is stored within the HSM and the actual signing takes
+place there.
+.sp
+The \fBname\fP of the key is specified on the command line. This must
+match the name of the zone for which the key is being generated.
+.SH OPTIONS
+.INDENT 0.0
+.TP
+.B \fB\-a algorithm\fP
+This option selects the cryptographic algorithm. The value of \fBalgorithm\fP must
+be one of RSASHA1, NSEC3RSASHA1, RSASHA256, RSASHA512,
+ECDSAP256SHA256, ECDSAP384SHA384, ED25519, or ED448.
+.sp
+These values are case\-insensitive. In some cases, abbreviations are
+supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for
+ECDSAP384SHA384. If RSASHA1 is specified along with the \fB\-3\fP
+option, then NSEC3RSASHA1 is used instead.
+.sp
+This option is mandatory except when using the
+\fB\-S\fP option, which copies the algorithm from the predecessory key.
+.sp
+Changed in version 9.12.0: The default value RSASHA1 for newly generated keys was removed.
+
+.TP
+.B \fB\-3\fP
+This option uses an NSEC3\-capable algorithm to generate a DNSSEC key. If this
+option is used with an algorithm that has both NSEC and NSEC3
+versions, then the NSEC3 version is used; for example,
+\fBdnssec\-keygen \-3a RSASHA1\fP specifies the NSEC3RSASHA1 algorithm.
+.TP
+.B \fB\-E engine\fP
+This option specifies the cryptographic hardware to use.
+.sp
+When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+engine identifier that drives the cryptographic accelerator or
+hardware service module (usually \fBpkcs11\fP). When BIND is
+built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it
+defaults to the path of the PKCS#11 provider library specified via
+\fB\-\-with\-pkcs11\fP\&.
+.TP
+.B \fB\-l label\fP
+This option specifies the label for a key pair in the crypto hardware.
+.sp
+When BIND 9 is built with OpenSSL\-based PKCS#11 support, the label is
+an arbitrary string that identifies a particular key. It may be
+preceded by an optional OpenSSL engine name, followed by a colon, as
+in \fBpkcs11:keylabel\fP\&.
+.sp
+When BIND 9 is built with native PKCS#11 support, the label is a
+PKCS#11 URI string in the format
+\fBpkcs11:keyword\e =value[;\e keyword\e =value;...]\fP\&. Keywords
+include \fBtoken\fP, which identifies the HSM; \fBobject\fP, which identifies
+the key; and \fBpin\-source\fP, which identifies a file from which the
+HSM\(aqs PIN code can be obtained. The label is stored in the
+on\-disk \fBprivate\fP file.
+.sp
+If the label contains a \fBpin\-source\fP field, tools using the
+generated key files are able to use the HSM for signing and other
+operations without any need for an operator to manually enter a PIN.
+Note: Making the HSM\(aqs PIN accessible in this manner may reduce the
+security advantage of using an HSM; use caution
+with this feature.
+.TP
+.B \fB\-n nametype\fP
+This option specifies the owner type of the key. The value of \fBnametype\fP must
+either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY
+(for a key associated with a host (KEY)), USER (for a key associated
+with a user (KEY)), or OTHER (DNSKEY). These values are
+case\-insensitive.
+.TP
+.B \fB\-C\fP
+This option enables compatibility mode, which generates an old\-style key, without any metadata.
+By default, \fBdnssec\-keyfromlabel\fP includes the key\(aqs creation
+date in the metadata stored with the private key; other dates may
+be set there as well, including publication date, activation date, etc. Keys
+that include this data may be incompatible with older versions of
+BIND; the \fB\-C\fP option suppresses them.
+.TP
+.B \fB\-c class\fP
+This option indicates that the DNS record containing the key should have the
+specified class. If not specified, class IN is used.
+.TP
+.B \fB\-f flag\fP
+This option sets the specified flag in the \fBflag\fP field of the KEY/DNSKEY record.
+The only recognized flags are KSK (Key\-Signing Key) and REVOKE.
+.TP
+.B \fB\-G\fP
+This option generates a key, but does not publish it or sign with it. This option is
+incompatible with \fB\-P\fP and \fB\-A\fP\&.
+.TP
+.B \fB\-h\fP
+This option prints a short summary of the options and arguments to
+\fBdnssec\-keyfromlabel\fP\&.
+.TP
+.B \fB\-K directory\fP
+This option sets the directory in which the key files are to be written.
+.TP
+.B \fB\-k\fP
+This option generates KEY records rather than DNSKEY records.
+.TP
+.B \fB\-L\fP ttl
+This option sets the default TTL to use for this key when it is converted into a
+DNSKEY RR. This is the TTL used when the key is imported into a zone,
+unless there was already a DNSKEY RRset in
+place, in which case the existing TTL would take precedence. Setting
+the default TTL to \fB0\fP or \fBnone\fP removes it.
+.TP
+.B \fB\-p protocol\fP
+This option sets the protocol value for the key. The protocol is a number between
+0 and 255. The default is 3 (DNSSEC). Other possible values for this
+argument are listed in \fI\%RFC 2535\fP and its successors.
+.TP
+.B \fB\-S key\fP
+This option generates a key as an explicit successor to an existing key. The name,
+algorithm, size, and type of the key are set to match the
+predecessor. The activation date of the new key is set to the
+inactivation date of the existing one. The publication date is
+set to the activation date minus the prepublication interval, which
+defaults to 30 days.
+.TP
+.B \fB\-t type\fP
+This option indicates the type of the key. \fBtype\fP must be one of AUTHCONF,
+NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers
+to the ability to authenticate data, and CONF to the ability to encrypt
+data.
+.TP
+.B \fB\-v level\fP
+This option sets the debugging level.
+.TP
+.B \fB\-V\fP
+This option prints version information.
+.TP
+.B \fB\-y\fP
+This option allows DNSSEC key files to be generated even if the key ID would
+collide with that of an existing key, in the event of either key
+being revoked. (This is only safe to enable if
+\fI\%RFC 5011\fP trust anchor maintenance is not used with either of the keys
+involved.)
+.UNINDENT
+.SH TIMING OPTIONS
+.sp
+Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the
+argument begins with a \fB+\fP or \fB\-\fP, it is interpreted as an offset from
+the present time. For convenience, if such an offset is followed by one
+of the suffixes \fBy\fP, \fBmo\fP, \fBw\fP, \fBd\fP, \fBh\fP, or \fBmi\fP, then the offset is
+computed in years (defined as 365 24\-hour days, ignoring leap years),
+months (defined as 30 24\-hour days), weeks, days, hours, or minutes,
+respectively. Without a suffix, the offset is computed in seconds. To
+explicitly prevent a date from being set, use \fBnone\fP or \fBnever\fP\&.
+.INDENT 0.0
+.TP
+.B \fB\-P date/offset\fP
+This option sets the date on which a key is to be published to the zone. After
+that date, the key is included in the zone but is not used
+to sign it. If not set, and if the \fB\-G\fP option has not been used, the
+default is the current date.
+.TP
+.B \fB\-P sync date/offset\fP
+This option sets the date on which CDS and CDNSKEY records that match this key
+are to be published to the zone.
+.TP
+.B \fB\-A date/offset\fP
+This option sets the date on which the key is to be activated. After that date,
+the key is included in the zone and used to sign it. If not set,
+and if the \fB\-G\fP option has not been used, the default is the current date.
+.TP
+.B \fB\-R date/offset\fP
+This option sets the date on which the key is to be revoked. After that date, the
+key is flagged as revoked. It is included in the zone and
+is used to sign it.
+.TP
+.B \fB\-I date/offset\fP
+This option sets the date on which the key is to be retired. After that date, the
+key is still included in the zone, but it is not used to
+sign it.
+.TP
+.B \fB\-D date/offset\fP
+This option sets the date on which the key is to be deleted. After that date, the
+key is no longer included in the zone. (However, it may remain in the key
+repository.)
+.TP
+.B \fB\-D sync date/offset\fP
+This option sets the date on which the CDS and CDNSKEY records that match this
+key are to be deleted.
+.TP
+.B \fB\-i interval\fP
+This option sets the prepublication interval for a key. If set, then the
+publication and activation dates must be separated by at least this
+much time. If the activation date is specified but the publication
+date is not, the publication date defaults to this much time
+before the activation date; conversely, if the publication date is
+specified but not the activation date, activation is set to
+this much time after publication.
+.sp
+If the key is being created as an explicit successor to another key,
+then the default prepublication interval is 30 days; otherwise it is
+zero.
+.sp
+As with date offsets, if the argument is followed by one of the
+suffixes \fBy\fP, \fBmo\fP, \fBw\fP, \fBd\fP, \fBh\fP, or \fBmi\fP, the interval is
+measured in years, months, weeks, days, hours, or minutes,
+respectively. Without a suffix, the interval is measured in seconds.
+.UNINDENT
+.SH GENERATED KEY FILES
+.sp
+When \fBdnssec\-keyfromlabel\fP completes successfully, it prints a string
+of the form \fBKnnnn.+aaa+iiiii\fP to the standard output. This is an
+identification string for the key files it has generated.
+.INDENT 0.0
+.IP \(bu 2
+\fBnnnn\fP is the key name.
+.IP \(bu 2
+\fBaaa\fP is the numeric representation of the algorithm.
+.IP \(bu 2
+\fBiiiii\fP is the key identifier (or footprint).
+.UNINDENT
+.sp
+\fBdnssec\-keyfromlabel\fP creates two files, with names based on the
+printed string. \fBKnnnn.+aaa+iiiii.key\fP contains the public key, and
+\fBKnnnn.+aaa+iiiii.private\fP contains the private key.
+.sp
+The \fB\&.key\fP file contains a DNS KEY record that can be inserted into a
+zone file (directly or with an $INCLUDE statement).
+.sp
+The \fB\&.private\fP file contains algorithm\-specific fields. For obvious
+security reasons, this file does not have general read permission.
+.SH SEE ALSO
+.sp
+\fBdnssec\-keygen(8)\fP, \fBdnssec\-signzone(8)\fP, BIND 9 Administrator Reference Manual,
+\fI\%RFC 4034\fP, \fI\%RFC 7512\fP\&.
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/dnssec-keyfromlabel.rst b/doc/man/dnssec-keyfromlabel.rst
new file mode 100644
index 0000000..ae00dc0
--- /dev/null
+++ b/doc/man/dnssec-keyfromlabel.rst
@@ -0,0 +1,14 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+:orphan:
+
+.. include:: ../../bin/dnssec/dnssec-keyfromlabel.rst
diff --git a/doc/man/dnssec-keygen.8in b/doc/man/dnssec-keygen.8in
new file mode 100644
index 0000000..84d4d68
--- /dev/null
+++ b/doc/man/dnssec-keygen.8in
@@ -0,0 +1,331 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "DNSSEC-KEYGEN" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+dnssec-keygen \- DNSSEC key generation tool
+.SH SYNOPSIS
+.sp
+\fBdnssec\-keygen\fP [\fB\-3\fP] [\fB\-A\fP date/offset] [\fB\-a\fP algorithm] [\fB\-b\fP keysize] [\fB\-C\fP] [\fB\-c\fP class] [\fB\-D\fP date/offset] [\fB\-d\fP bits] [\fB\-D\fP sync date/offset] [\fB\-E\fP engine] [\fB\-f\fP flag] [\fB\-G\fP] [\fB\-g\fP generator] [\fB\-h\fP] [\fB\-I\fP date/offset] [\fB\-i\fP interval] [\fB\-K\fP directory] [\fB\-k\fP policy] [\fB\-L\fP ttl] [\fB\-l\fP file] [\fB\-n\fP nametype] [\fB\-P\fP date/offset] [\fB\-P\fP sync date/offset] [\fB\-p\fP protocol] [\fB\-q\fP] [\fB\-R\fP date/offset] [\fB\-S\fP key] [\fB\-s\fP strength] [\fB\-T\fP rrtype] [\fB\-t\fP type] [\fB\-V\fP] [\fB\-v\fP level] {name}
+.SH DESCRIPTION
+.sp
+\fBdnssec\-keygen\fP generates keys for DNSSEC (Secure DNS), as defined in
+\fI\%RFC 2535\fP and \fI\%RFC 4034\fP\&. It can also generate keys for use with TSIG
+(Transaction Signatures) as defined in \fI\%RFC 2845\fP, or TKEY (Transaction
+Key) as defined in \fI\%RFC 2930\fP\&.
+.sp
+The \fBname\fP of the key is specified on the command line. For DNSSEC
+keys, this must match the name of the zone for which the key is being
+generated.
+.sp
+The \fBdnssec\-keymgr\fP command acts as a wrapper
+around \fBdnssec\-keygen\fP, generating and updating keys
+as needed to enforce defined security policies such as key rollover
+scheduling. Using \fBdnssec\-keymgr\fP may be preferable
+to direct use of \fBdnssec\-keygen\fP\&.
+.SH OPTIONS
+.INDENT 0.0
+.TP
+.B \fB\-3\fP
+This option uses an NSEC3\-capable algorithm to generate a DNSSEC key. If this
+option is used with an algorithm that has both NSEC and NSEC3
+versions, then the NSEC3 version is selected; for example,
+\fBdnssec\-keygen \-3 \-a RSASHA1\fP specifies the NSEC3RSASHA1 algorithm.
+.TP
+.B \fB\-a algorithm\fP
+This option selects the cryptographic algorithm. For DNSSEC keys, the value of
+\fBalgorithm\fP must be one of RSASHA1, NSEC3RSASHA1, RSASHA256,
+RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519, or ED448. For
+TKEY, the value must be DH (Diffie\-Hellman); specifying this value
+automatically sets the \fB\-T KEY\fP option as well.
+.sp
+These values are case\-insensitive. In some cases, abbreviations are
+supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for
+ECDSAP384SHA384. If RSASHA1 is specified along with the \fB\-3\fP
+option, NSEC3RSASHA1 is used instead.
+.sp
+This parameter \fImust\fP be specified except when using the \fB\-S\fP
+option, which copies the algorithm from the predecessor key.
+.sp
+In prior releases, HMAC algorithms could be generated for use as TSIG
+keys, but that feature was removed in BIND 9.13.0. Use
+\fBtsig\-keygen\fP to generate TSIG keys.
+.TP
+.B \fB\-b keysize\fP
+This option specifies the number of bits in the key. The choice of key size
+depends on the algorithm used: RSA keys must be between 1024 and 4096
+bits; Diffie\-Hellman keys must be between 128 and 4096 bits. Elliptic
+curve algorithms do not need this parameter.
+.sp
+If the key size is not specified, some algorithms have pre\-defined
+defaults. For example, RSA keys for use as DNSSEC zone\-signing keys
+have a default size of 1024 bits; RSA keys for use as key\-signing
+keys (KSKs, generated with \fB\-f KSK\fP) default to 2048 bits.
+.TP
+.B \fB\-C\fP
+This option enables compatibility mode, which generates an old\-style key, without any timing
+metadata. By default, \fBdnssec\-keygen\fP includes the key\(aqs
+creation date in the metadata stored with the private key; other
+dates may be set there as well, including publication date, activation date,
+etc. Keys that include this data may be incompatible with older
+versions of BIND; the \fB\-C\fP option suppresses them.
+.TP
+.B \fB\-c class\fP
+This option indicates that the DNS record containing the key should have the
+specified class. If not specified, class IN is used.
+.TP
+.B \fB\-d bits\fP
+This option specifies the key size in bits. For the algorithms RSASHA1, NSEC3RSASA1, RSASHA256, and
+RSASHA512 the key size must be between 1024 and 4096 bits; DH size is between 128
+and 4096 bits. This option is ignored for algorithms ECDSAP256SHA256,
+ECDSAP384SHA384, ED25519, and ED448.
+.TP
+.B \fB\-E engine\fP
+This option specifies the cryptographic hardware to use, when applicable.
+.sp
+When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+engine identifier that drives the cryptographic accelerator or
+hardware service module (usually \fBpkcs11\fP). When BIND is
+built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it
+defaults to the path of the PKCS#11 provider library specified via
+\fB\-\-with\-pkcs11\fP\&.
+.TP
+.B \fB\-f flag\fP
+This option sets the specified flag in the flag field of the KEY/DNSKEY record.
+The only recognized flags are KSK (Key\-Signing Key) and REVOKE.
+.TP
+.B \fB\-G\fP
+This option generates a key, but does not publish it or sign with it. This option is
+incompatible with \fB\-P\fP and \fB\-A\fP\&.
+.TP
+.B \fB\-g generator\fP
+This option indicates the generator to use if generating a Diffie\-Hellman key. Allowed
+values are 2 and 5. If no generator is specified, a known prime from
+\fI\%RFC 2539\fP is used if possible; otherwise the default is 2.
+.TP
+.B \fB\-h\fP
+This option prints a short summary of the options and arguments to
+\fBdnssec\-keygen\fP\&.
+.TP
+.B \fB\-K directory\fP
+This option sets the directory in which the key files are to be written.
+.TP
+.B \fB\-k policy\fP
+This option creates keys for a specific \fBdnssec\-policy\fP\&. If a policy uses multiple keys,
+\fBdnssec\-keygen\fP generates multiple keys. This also
+creates a \(dq.state\(dq file to keep track of the key state.
+.sp
+This option creates keys according to the \fBdnssec\-policy\fP configuration, hence
+it cannot be used at the same time as many of the other options that
+\fBdnssec\-keygen\fP provides.
+.TP
+.B \fB\-L ttl\fP
+This option sets the default TTL to use for this key when it is converted into a
+DNSKEY RR. This is the TTL used when the key is imported into a zone,
+unless there was already a DNSKEY RRset in
+place, in which case the existing TTL takes precedence. If this
+value is not set and there is no existing DNSKEY RRset, the TTL
+defaults to the SOA TTL. Setting the default TTL to \fB0\fP or \fBnone\fP
+is the same as leaving it unset.
+.TP
+.B \fB\-l file\fP
+This option provides a configuration file that contains a \fBdnssec\-policy\fP statement
+(matching the policy set with \fB\-k\fP).
+.TP
+.B \fB\-n nametype\fP
+This option specifies the owner type of the key. The value of \fBnametype\fP must
+either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY
+(for a key associated with a host (KEY)), USER (for a key associated
+with a user (KEY)), or OTHER (DNSKEY). These values are
+case\-insensitive. The default is ZONE for DNSKEY generation.
+.TP
+.B \fB\-p protocol\fP
+This option sets the protocol value for the generated key, for use with
+\fB\-T KEY\fP\&. The protocol is a number between 0 and 255. The default
+is 3 (DNSSEC). Other possible values for this argument are listed in
+\fI\%RFC 2535\fP and its successors.
+.TP
+.B \fB\-q\fP
+This option sets quiet mode, which suppresses unnecessary output, including progress
+indication. Without this option, when \fBdnssec\-keygen\fP is run
+interactively to generate an RSA or DSA key pair, it prints a
+string of symbols to \fBstderr\fP indicating the progress of the key
+generation. A \fB\&.\fP indicates that a random number has been found which
+passed an initial sieve test; \fB+\fP means a number has passed a single
+round of the Miller\-Rabin primality test; and a space ( ) means that the
+number has passed all the tests and is a satisfactory key.
+.TP
+.B \fB\-S key\fP
+This option creates a new key which is an explicit successor to an existing key.
+The name, algorithm, size, and type of the key are set to match
+the existing key. The activation date of the new key is set to
+the inactivation date of the existing one. The publication date is
+set to the activation date minus the prepublication interval,
+which defaults to 30 days.
+.TP
+.B \fB\-s strength\fP
+This option specifies the strength value of the key. The strength is a number
+between 0 and 15, and currently has no defined purpose in DNSSEC.
+.TP
+.B \fB\-T rrtype\fP
+This option specifies the resource record type to use for the key. \fBrrtype\fP
+must be either DNSKEY or KEY. The default is DNSKEY when using a
+DNSSEC algorithm, but it can be overridden to KEY for use with
+SIG(0).
+.TP
+.B \fB\-t type\fP
+This option indicates the type of the key for use with \fB\-T KEY\fP\&. \fBtype\fP
+must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
+is AUTHCONF. AUTH refers to the ability to authenticate data, and
+CONF to the ability to encrypt data.
+.TP
+.B \fB\-V\fP
+This option prints version information.
+.TP
+.B \fB\-v level\fP
+This option sets the debugging level.
+.UNINDENT
+.SH TIMING OPTIONS
+.sp
+Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the
+argument begins with a \fB+\fP or \fB\-\fP, it is interpreted as an offset from
+the present time. For convenience, if such an offset is followed by one
+of the suffixes \fBy\fP, \fBmo\fP, \fBw\fP, \fBd\fP, \fBh\fP, or \fBmi\fP, then the offset is
+computed in years (defined as 365 24\-hour days, ignoring leap years),
+months (defined as 30 24\-hour days), weeks, days, hours, or minutes,
+respectively. Without a suffix, the offset is computed in seconds. To
+explicitly prevent a date from being set, use \fBnone\fP or \fBnever\fP\&.
+.INDENT 0.0
+.TP
+.B \fB\-P date/offset\fP
+This option sets the date on which a key is to be published to the zone. After
+that date, the key is included in the zone but is not used
+to sign it. If not set, and if the \fB\-G\fP option has not been used, the
+default is the current date.
+.TP
+.B \fB\-P sync date/offset\fP
+This option sets the date on which CDS and CDNSKEY records that match this key
+are to be published to the zone.
+.TP
+.B \fB\-A date/offset\fP
+This option sets the date on which the key is to be activated. After that date,
+the key is included in the zone and used to sign it. If not set,
+and if the \fB\-G\fP option has not been used, the default is the current date. If set,
+and \fB\-P\fP is not set, the publication date is set to the
+activation date minus the prepublication interval.
+.TP
+.B \fB\-R date/offset\fP
+This option sets the date on which the key is to be revoked. After that date, the
+key is flagged as revoked. It is included in the zone and
+is used to sign it.
+.TP
+.B \fB\-I date/offset\fP
+This option sets the date on which the key is to be retired. After that date, the
+key is still included in the zone, but it is not used to
+sign it.
+.TP
+.B \fB\-D date/offset\fP
+This option sets the date on which the key is to be deleted. After that date, the
+key is no longer included in the zone. (However, it may remain in the key
+repository.)
+.TP
+.B \fB\-D sync date/offset\fP
+This option sets the date on which the CDS and CDNSKEY records that match this
+key are to be deleted.
+.TP
+.B \fB\-i interval\fP
+This option sets the prepublication interval for a key. If set, then the
+publication and activation dates must be separated by at least this
+much time. If the activation date is specified but the publication
+date is not, the publication date defaults to this much time
+before the activation date; conversely, if the publication date is
+specified but not the activation date, activation is set to
+this much time after publication.
+.sp
+If the key is being created as an explicit successor to another key,
+then the default prepublication interval is 30 days; otherwise it is
+zero.
+.sp
+As with date offsets, if the argument is followed by one of the
+suffixes \fBy\fP, \fBmo\fP, \fBw\fP, \fBd\fP, \fBh\fP, or \fBmi\fP, the interval is
+measured in years, months, weeks, days, hours, or minutes,
+respectively. Without a suffix, the interval is measured in seconds.
+.UNINDENT
+.SH GENERATED KEYS
+.sp
+When \fBdnssec\-keygen\fP completes successfully, it prints a string of the
+form \fBKnnnn.+aaa+iiiii\fP to the standard output. This is an
+identification string for the key it has generated.
+.INDENT 0.0
+.IP \(bu 2
+\fBnnnn\fP is the key name.
+.IP \(bu 2
+\fBaaa\fP is the numeric representation of the algorithm.
+.IP \(bu 2
+\fBiiiii\fP is the key identifier (or footprint).
+.UNINDENT
+.sp
+\fBdnssec\-keygen\fP creates two files, with names based on the printed
+string. \fBKnnnn.+aaa+iiiii.key\fP contains the public key, and
+\fBKnnnn.+aaa+iiiii.private\fP contains the private key.
+.sp
+The \fB\&.key\fP file contains a DNSKEY or KEY record. When a zone is being
+signed by \fBnamed\fP or \fBdnssec\-signzone \-S\fP, DNSKEY records are
+included automatically. In other cases, the \fB\&.key\fP file can be
+inserted into a zone file manually or with an \fB$INCLUDE\fP statement.
+.sp
+The \fB\&.private\fP file contains algorithm\-specific fields. For obvious
+security reasons, this file does not have general read permission.
+.SH EXAMPLE
+.sp
+To generate an ECDSAP256SHA256 zone\-signing key for the zone
+\fBexample.com\fP, issue the command:
+.sp
+\fBdnssec\-keygen \-a ECDSAP256SHA256 example.com\fP
+.sp
+The command prints a string of the form:
+.sp
+\fBKexample.com.+013+26160\fP
+.sp
+In this example, \fBdnssec\-keygen\fP creates the files
+\fBKexample.com.+013+26160.key\fP and \fBKexample.com.+013+26160.private\fP\&.
+.sp
+To generate a matching key\-signing key, issue the command:
+.sp
+\fBdnssec\-keygen \-a ECDSAP256SHA256 \-f KSK example.com\fP
+.SH SEE ALSO
+.sp
+\fBdnssec\-signzone(8)\fP, BIND 9 Administrator Reference Manual, \fI\%RFC 2539\fP,
+\fI\%RFC 2845\fP, \fI\%RFC 4034\fP\&.
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/dnssec-keygen.rst b/doc/man/dnssec-keygen.rst
new file mode 100644
index 0000000..70e0c54
--- /dev/null
+++ b/doc/man/dnssec-keygen.rst
@@ -0,0 +1,14 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+:orphan:
+
+.. include:: ../../bin/dnssec/dnssec-keygen.rst
diff --git a/doc/man/dnssec-keymgr.8in b/doc/man/dnssec-keymgr.8in
new file mode 100644
index 0000000..ae163db
--- /dev/null
+++ b/doc/man/dnssec-keymgr.8in
@@ -0,0 +1,297 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "DNSSEC-KEYMGR" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+dnssec-keymgr \- ensure correct DNSKEY coverage based on a defined policy
+.SH SYNOPSIS
+.sp
+\fBdnssec\-keymgr\fP [\fB\-K\fP\fIdirectory\fP] [\fB\-c\fP\fIfile\fP] [\fB\-f\fP] [\fB\-k\fP] [\fB\-q\fP] [\fB\-v\fP] [\fB\-z\fP] [\fB\-g\fP\fIpath\fP] [\fB\-s\fP\fIpath\fP] [zone...]
+.SH DESCRIPTION
+.sp
+\fBdnssec\-keymgr\fP is a high level Python wrapper to facilitate the key
+rollover process for zones handled by BIND. It uses the BIND commands
+for manipulating DNSSEC key metadata: \fBdnssec\-keygen\fP and
+\fBdnssec\-settime\fP\&.
+.sp
+DNSSEC policy can be read from a configuration file (default
+/etc/dnssec\-policy.conf), from which the key parameters, publication and
+rollover schedule, and desired coverage duration for any given zone can
+be determined. This file may be used to define individual DNSSEC
+policies on a per\-zone basis, or to set a \(dqdefault\(dq policy used for all
+zones.
+.sp
+When \fBdnssec\-keymgr\fP runs, it examines the DNSSEC keys for one or more
+zones, comparing their timing metadata against the policies for those
+zones. If key settings do not conform to the DNSSEC policy (for example,
+because the policy has been changed), they are automatically corrected.
+.sp
+A zone policy can specify a duration for which we want to ensure the key
+correctness (\fBcoverage\fP). It can also specify a rollover period
+(\fBroll\-period\fP). If policy indicates that a key should roll over
+before the coverage period ends, then a successor key will automatically
+be created and added to the end of the key series.
+.sp
+If zones are specified on the command line, \fBdnssec\-keymgr\fP will
+examine only those zones. If a specified zone does not already have keys
+in place, then keys will be generated for it according to policy.
+.sp
+If zones are \fInot\fP specified on the command line, then \fBdnssec\-keymgr\fP
+will search the key directory (either the current working directory or
+the directory set by the \fB\-K\fP option), and check the keys for all the
+zones represented in the directory.
+.sp
+Key times that are in the past will not be updated unless the \fB\-f\fP is
+used (see below). Key inactivation and deletion times that are less than
+five minutes in the future will be delayed by five minutes.
+.sp
+It is expected that this tool will be run automatically and unattended
+(for example, by \fBcron\fP).
+.SH OPTIONS
+.sp
+\fB\-c\fP \fIfile\fP
+.INDENT 0.0
+.INDENT 3.5
+If \fB\-c\fP is specified, then the DNSSEC policy is read from \fBfile\fP\&.
+(If not specified, then the policy is read from
+/etc/dnssec\-policy.conf; if that file doesnt exist, a built\-in global
+default policy is used.)
+.UNINDENT
+.UNINDENT
+.sp
+\fB\-f\fP
+.INDENT 0.0
+.INDENT 3.5
+Force: allow updating of key events even if they are already in the
+past. This is not recommended for use with zones in which keys have
+already been published. However, if a set of keys has been generated
+all of which have publication and activation dates in the past, but
+the keys have not been published in a zone as yet, then this option
+can be used to clean them up and turn them into a proper series of
+keys with appropriate rollover intervals.
+.UNINDENT
+.UNINDENT
+.sp
+\fB\-g\fP \fIkeygen\-path\fP
+.INDENT 0.0
+.INDENT 3.5
+Specifies a path to a \fBdnssec\-keygen\fP binary. Used for testing. See
+also the \fB\-s\fP option.
+.UNINDENT
+.UNINDENT
+.sp
+\fB\-h\fP
+.INDENT 0.0
+.INDENT 3.5
+Print the \fBdnssec\-keymgr\fP help summary and exit.
+.UNINDENT
+.UNINDENT
+.sp
+\fB\-K\fP \fIdirectory\fP
+.INDENT 0.0
+.INDENT 3.5
+Sets the directory in which keys can be found. Defaults to the
+current working directory.
+.UNINDENT
+.UNINDENT
+.sp
+\fB\-k\fP
+.INDENT 0.0
+.INDENT 3.5
+Only apply policies to KSK keys. See also the \fB\-z\fP option.
+.UNINDENT
+.UNINDENT
+.sp
+\fB\-q\fP
+.INDENT 0.0
+.INDENT 3.5
+Quiet: suppress printing of \fBdnssec\-keygen\fP and \fBdnssec\-settime\fP\&.
+.UNINDENT
+.UNINDENT
+.sp
+\fB\-s\fP \fIsettime\-path\fP
+.INDENT 0.0
+.INDENT 3.5
+Specifies a path to a \fBdnssec\-settime\fP binary. Used for testing.
+See also the \fB\-g\fP option.
+.UNINDENT
+.UNINDENT
+.sp
+\fB\-v\fP
+.INDENT 0.0
+.INDENT 3.5
+Print the \fBdnssec\-keymgr\fP version and exit.
+.UNINDENT
+.UNINDENT
+.sp
+\fB\-z\fP
+.INDENT 0.0
+.INDENT 3.5
+Only apply policies to ZSK keys. See also the \fB\-k\fP option.
+.UNINDENT
+.UNINDENT
+.SH POLICY CONFIGURATION
+.sp
+The dnssec\-policy.conf file can specify three kinds of policies:
+.INDENT 0.0
+.INDENT 3.5
+· \fIPolicy classes\fP (\fBpolicy\fP\fIname\fP\fB{ ... };\fP) can be
+inherited by zone policies or other policy classes; these can be used
+to create sets of different security profiles. For example, a policy
+class \fBnormal\fP might specify 1024\-bit key sizes, but a class
+\fBextra\fP might specify 2048 bits instead; \fBextra\fP would be used
+for zones that had unusually high security needs.
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.INDENT 3.5
+· \fIAlgorithm policies:\fP (\fBalgorithm\-policy\fP\fIalgorithm\fP\fB{ ...
+};\fP ) override default per\-algorithm settings. For example, by
+default, RSASHA256 keys use 2048\-bit key sizes for both KSK and ZSK.
+This can be modified using \fBalgorithm\-policy\fP, and the new key
+sizes would then be used for any key of type RSASHA256.
+.sp
+· \fIZone policies:\fP (\fBzone\fP\fIname\fP\fB{ ... };\fP ) set policy for a
+single zone by name. A zone policy can inherit a policy class by
+including a \fBpolicy\fP option. Zone names beginning with digits
+(i.e., 0\-9) must be quoted. If a zone does not have its own policy
+then the \(dqdefault\(dq policy applies.
+.UNINDENT
+.UNINDENT
+.sp
+Options that can be specified in policies:
+.sp
+\fBalgorithm\fP \fIname\fP;
+.INDENT 0.0
+.INDENT 3.5
+The key algorithm. If no policy is defined, the default is RSASHA256.
+.UNINDENT
+.UNINDENT
+.sp
+\fBcoverage\fP \fIduration\fP;
+.INDENT 0.0
+.INDENT 3.5
+The length of time to ensure that keys will be correct; no action
+will be taken to create new keys to be activated after this time.
+This can be represented as a number of seconds, or as a duration
+using human\-readable units (examples: \(dq1y\(dq or \(dq6 months\(dq). A default
+value for this option can be set in algorithm policies as well as in
+policy classes or zone policies. If no policy is configured, the
+default is six months.
+.UNINDENT
+.UNINDENT
+.sp
+\fBdirectory\fP \fIpath\fP;
+.INDENT 0.0
+.INDENT 3.5
+Specifies the directory in which keys should be stored.
+.UNINDENT
+.UNINDENT
+.sp
+\fBkey\-size\fP \fIkeytype\fP \fIsize\fP;
+.INDENT 0.0
+.INDENT 3.5
+Specifies the number of bits to use in creating keys. The keytype is
+either \(dqzsk\(dq or \(dqksk\(dq. A default value for this option can be set in
+algorithm policies as well as in policy classes or zone policies. If
+no policy is configured, the default is 2048 bits for RSA keys.
+.UNINDENT
+.UNINDENT
+.sp
+\fBkeyttl\fP \fIduration\fP;
+.INDENT 0.0
+.INDENT 3.5
+The key TTL. If no policy is defined, the default is one hour.
+.UNINDENT
+.UNINDENT
+.sp
+\fBpost\-publish\fP \fIkeytype\fP \fIduration\fP;
+.INDENT 0.0
+.INDENT 3.5
+How long after inactivation a key should be deleted from the zone.
+Note: If \fBroll\-period\fP is not set, this value is ignored. The
+keytype is either \(dqzsk\(dq or \(dqksk\(dq. A default duration for this option
+can be set in algorithm policies as well as in policy classes or zone
+policies. The default is one month.
+.UNINDENT
+.UNINDENT
+.sp
+\fBpre\-publish\fP \fIkeytype\fP \fIduration\fP;
+.INDENT 0.0
+.INDENT 3.5
+How long before activation a key should be published. Note: If
+\fBroll\-period\fP is not set, this value is ignored. The keytype is
+either \(dqzsk\(dq or \(dqksk\(dq. A default duration for this option can be set
+in algorithm policies as well as in policy classes or zone policies.
+The default is one month.
+.UNINDENT
+.UNINDENT
+.sp
+\fBroll\-period\fP \fIkeytype\fP \fIduration\fP;
+.INDENT 0.0
+.INDENT 3.5
+How frequently keys should be rolled over. The keytype is either
+\(dqzsk\(dq or \(dqksk\(dq. A default duration for this option can be set in
+algorithm policies as well as in policy classes or zone policies. If
+no policy is configured, the default is one year for ZSKs. KSKs do
+not roll over by default.
+.UNINDENT
+.UNINDENT
+.sp
+\fBstandby\fP \fIkeytype\fP \fInumber\fP;
+.INDENT 0.0
+.INDENT 3.5
+Not yet implemented.
+.UNINDENT
+.UNINDENT
+.SH REMAINING WORK
+.INDENT 0.0
+.INDENT 3.5
+· Enable scheduling of KSK rollovers using the \fB\-P sync\fP and \fB\-D
+sync\fP options to \fBdnssec\-keygen\fP and \fBdnssec\-settime\fP\&. Check the
+parent zone (as in \fBdnssec\-checkds\fP) to determine when its safe for
+the key to roll.
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.INDENT 3.5
+· Allow configuration of standby keys and use of the REVOKE bit, for
+keys that use RFC 5011 semantics.
+.UNINDENT
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fBdnssec\-coverage\fP(8), \fBdnssec\-keygen\fP(8),
+\fBdnssec\-settime\fP(8), \fBdnssec\-checkds\fP(8)
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/dnssec-keymgr.rst b/doc/man/dnssec-keymgr.rst
new file mode 100644
index 0000000..92fe728
--- /dev/null
+++ b/doc/man/dnssec-keymgr.rst
@@ -0,0 +1,14 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+:orphan:
+
+.. include:: ../../bin/python/dnssec-keymgr.rst
\ No newline at end of file
diff --git a/doc/man/dnssec-revoke.8in b/doc/man/dnssec-revoke.8in
new file mode 100644
index 0000000..2b40587
--- /dev/null
+++ b/doc/man/dnssec-revoke.8in
@@ -0,0 +1,86 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "DNSSEC-REVOKE" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+dnssec-revoke \- set the REVOKED bit on a DNSSEC key
+.SH SYNOPSIS
+.sp
+\fBdnssec\-revoke\fP [\fB\-hr\fP] [\fB\-v\fP level] [\fB\-V\fP] [\fB\-K\fP directory] [\fB\-E\fP engine] [\fB\-f\fP] [\fB\-R\fP] {keyfile}
+.SH DESCRIPTION
+.sp
+\fBdnssec\-revoke\fP reads a DNSSEC key file, sets the REVOKED bit on the
+key as defined in \fI\%RFC 5011\fP, and creates a new pair of key files
+containing the now\-revoked key.
+.SH OPTIONS
+.INDENT 0.0
+.TP
+.B \fB\-h\fP
+This option emits a usage message and exits.
+.TP
+.B \fB\-K directory\fP
+This option sets the directory in which the key files are to reside.
+.TP
+.B \fB\-r\fP
+This option indicates to remove the original keyset files after writing the new keyset files.
+.TP
+.B \fB\-v level\fP
+This option sets the debugging level.
+.TP
+.B \fB\-V\fP
+This option prints version information.
+.TP
+.B \fB\-E engine\fP
+This option specifies the cryptographic hardware to use, when applicable.
+.sp
+When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+engine identifier that drives the cryptographic accelerator or
+hardware service module (usually \fBpkcs11\fP). When BIND is
+built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it
+defaults to the path of the PKCS#11 provider library specified via
+\fB\-\-with\-pkcs11\fP\&.
+.TP
+.B \fB\-f\fP
+This option indicates a forced overwrite and causes \fBdnssec\-revoke\fP to write the new key pair,
+even if a file already exists matching the algorithm and key ID of
+the revoked key.
+.TP
+.B \fB\-R\fP
+This option prints the key tag of the key with the REVOKE bit set, but does not
+revoke the key.
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fBdnssec\-keygen(8)\fP, BIND 9 Administrator Reference Manual, \fI\%RFC 5011\fP\&.
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/dnssec-revoke.rst b/doc/man/dnssec-revoke.rst
new file mode 100644
index 0000000..a5a71ab
--- /dev/null
+++ b/doc/man/dnssec-revoke.rst
@@ -0,0 +1,14 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+:orphan:
+
+.. include:: ../../bin/dnssec/dnssec-revoke.rst
diff --git a/doc/man/dnssec-settime.8in b/doc/man/dnssec-settime.8in
new file mode 100644
index 0000000..7ecaf49
--- /dev/null
+++ b/doc/man/dnssec-settime.8in
@@ -0,0 +1,246 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "DNSSEC-SETTIME" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+dnssec-settime \- set the key timing metadata for a DNSSEC key
+.SH SYNOPSIS
+.sp
+\fBdnssec\-settime\fP [\fB\-f\fP] [\fB\-K\fP directory] [\fB\-L\fP ttl] [\fB\-P\fP date/offset] [\fB\-P\fP ds date/offset] [\fB\-P\fP sync date/offset] [\fB\-A\fP date/offset] [\fB\-R\fP date/offset] [\fB\-I\fP date/offset] [\fB\-D\fP date/offset] [\fB\-D\fP ds date/offset] [\fB\-D\fP sync date/offset] [\fB\-S\fP key] [\fB\-i\fP interval] [\fB\-h\fP] [\fB\-V\fP] [\fB\-v\fP level] [\fB\-E\fP engine] {keyfile} [\fB\-s\fP] [\fB\-g\fP state] [\fB\-d\fP state date/offset] [\fB\-k\fP state date/offset] [\fB\-r\fP state date/offset] [\fB\-z\fP state date/offset]
+.SH DESCRIPTION
+.sp
+\fBdnssec\-settime\fP reads a DNSSEC private key file and sets the key
+timing metadata as specified by the \fB\-P\fP, \fB\-A\fP, \fB\-R\fP, \fB\-I\fP, and
+\fB\-D\fP options. The metadata can then be used by \fBdnssec\-signzone\fP or
+other signing software to determine when a key is to be published,
+whether it should be used for signing a zone, etc.
+.sp
+If none of these options is set on the command line,
+\fBdnssec\-settime\fP simply prints the key timing metadata already stored
+in the key.
+.sp
+When key metadata fields are changed, both files of a key pair
+(\fBKnnnn.+aaa+iiiii.key\fP and \fBKnnnn.+aaa+iiiii.private\fP) are
+regenerated.
+.sp
+Metadata fields are stored in the private file. A
+human\-readable description of the metadata is also placed in comments in
+the key file. The private file\(aqs permissions are always set to be
+inaccessible to anyone other than the owner (mode 0600).
+.sp
+When working with state files, it is possible to update the timing metadata in
+those files as well with \fB\-s\fP\&.  With this option, it is also possible to update key
+states with \fB\-d\fP (DS), \fB\-k\fP (DNSKEY), \fB\-r\fP (RRSIG of KSK), or \fB\-z\fP
+(RRSIG of ZSK). Allowed states are HIDDEN, RUMOURED, OMNIPRESENT, and
+UNRETENTIVE.
+.sp
+The goal state of the key can also be set with \fB\-g\fP\&. This should be either
+HIDDEN or OMNIPRESENT, representing whether the key should be removed from the
+zone or published.
+.sp
+It is NOT RECOMMENDED to manipulate state files manually, except for testing
+purposes.
+.SH OPTIONS
+.INDENT 0.0
+.TP
+.B \fB\-f\fP
+This option forces an update of an old\-format key with no metadata fields. Without
+this option, \fBdnssec\-settime\fP fails when attempting to update a
+legacy key. With this option, the key is recreated in the new
+format, but with the original key data retained. The key\(aqs creation
+date is set to the present time. If no other values are
+specified, then the key\(aqs publication and activation dates are also
+set to the present time.
+.TP
+.B \fB\-K directory\fP
+This option sets the directory in which the key files are to reside.
+.TP
+.B \fB\-L ttl\fP
+This option sets the default TTL to use for this key when it is converted into a
+DNSKEY RR. This is the TTL used when the key is imported into a zone,
+unless there was already a DNSKEY RRset in
+place, in which case the existing TTL takes precedence. If this
+value is not set and there is no existing DNSKEY RRset, the TTL
+defaults to the SOA TTL. Setting the default TTL to \fB0\fP or \fBnone\fP
+removes it from the key.
+.TP
+.B \fB\-h\fP
+This option emits a usage message and exits.
+.TP
+.B \fB\-V\fP
+This option prints version information.
+.TP
+.B \fB\-v level\fP
+This option sets the debugging level.
+.TP
+.B \fB\-E engine\fP
+This option specifies the cryptographic hardware to use, when applicable.
+.sp
+When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+engine identifier that drives the cryptographic accelerator or
+hardware service module (usually \fBpkcs11\fP). When BIND is
+built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it
+defaults to the path of the PKCS#11 provider library specified via
+\fB\-\-with\-pkcs11\fP\&.
+.UNINDENT
+.SH TIMING OPTIONS
+.sp
+Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the
+argument begins with a \fB+\fP or \fB\-\fP, it is interpreted as an offset from
+the present time. For convenience, if such an offset is followed by one
+of the suffixes \fBy\fP, \fBmo\fP, \fBw\fP, \fBd\fP, \fBh\fP, or \fBmi\fP, then the offset is
+computed in years (defined as 365 24\-hour days, ignoring leap years),
+months (defined as 30 24\-hour days), weeks, days, hours, or minutes,
+respectively. Without a suffix, the offset is computed in seconds. To
+explicitly prevent a date from being set, use \fBnone\fP or \fBnever\fP\&.
+.INDENT 0.0
+.TP
+.B \fB\-P date/offset\fP
+This option sets the date on which a key is to be published to the zone. After
+that date, the key is included in the zone but is not used
+to sign it.
+.TP
+.B \fB\-P ds date/offset\fP
+This option Sets the date on which DS records that match this key have been
+seen in the parent zone.
+.TP
+.B \fB\-P sync date/offset\fP
+This option sets the date on which CDS and CDNSKEY records that match this key
+are to be published to the zone.
+.TP
+.B \fB\-A date/offset\fP
+This option sets the date on which the key is to be activated. After that date,
+the key is included in the zone and used to sign it.
+.TP
+.B \fB\-R date/offset\fP
+This option sets the date on which the key is to be revoked. After that date, the
+key is flagged as revoked. It is included in the zone and
+is used to sign it.
+.TP
+.B \fB\-I date/offset\fP
+This option sets the date on which the key is to be retired. After that date, the
+key is still included in the zone, but it is not used to
+sign it.
+.TP
+.B \fB\-D date/offset\fP
+This option sets the date on which the key is to be deleted. After that date, the
+key is no longer included in the zone. (However, it may remain in the key
+repository.)
+.TP
+.B \fB\-D ds date/offset\fP
+This option sets the date on which the DS records that match this key have
+been seen removed from the parent zone.
+.TP
+.B \fB\-D sync date/offset\fP
+This option sets the date on which the CDS and CDNSKEY records that match this
+key are to be deleted.
+.TP
+.B \fB\-S predecessor key\fP
+This option selects a key for which the key being modified is an explicit
+successor. The name, algorithm, size, and type of the predecessor key
+must exactly match those of the key being modified. The activation
+date of the successor key is set to the inactivation date of the
+predecessor. The publication date is set to the activation date
+minus the prepublication interval, which defaults to 30 days.
+.TP
+.B \fB\-i interval\fP
+This option sets the prepublication interval for a key. If set, then the
+publication and activation dates must be separated by at least this
+much time. If the activation date is specified but the publication
+date is not, the publication date defaults to this much time
+before the activation date; conversely, if the publication date is
+specified but not the activation date, activation is set to
+this much time after publication.
+.sp
+If the key is being created as an explicit successor to another key,
+then the default prepublication interval is 30 days; otherwise it is
+zero.
+.sp
+As with date offsets, if the argument is followed by one of the
+suffixes \fBy\fP, \fBmo\fP, \fBw\fP, \fBd\fP, \fBh\fP, or \fBmi\fP, the interval is
+measured in years, months, weeks, days, hours, or minutes,
+respectively. Without a suffix, the interval is measured in seconds.
+.UNINDENT
+.SH KEY STATE OPTIONS
+.sp
+To test dnssec\-policy it may be necessary to construct keys with artificial
+state information; these options are used by the testing framework for that
+purpose, but should never be used in production.
+.sp
+Known key states are HIDDEN, RUMOURED, OMNIPRESENT, and UNRETENTIVE.
+.INDENT 0.0
+.TP
+.B \fB\-s\fP
+This option indicates that when setting key timing data, the state file should also be updated.
+.TP
+.B \fB\-g state\fP
+This option sets the goal state for this key. Must be HIDDEN or OMNIPRESENT.
+.TP
+.B \fB\-d state date/offset\fP
+This option sets the DS state for this key as of the specified date, offset from the current date.
+.TP
+.B \fB\-k state date/offset\fP
+This option sets the DNSKEY state for this key as of the specified date, offset from the current date.
+.TP
+.B \fB\-r state date/offset\fP
+This option sets the RRSIG (KSK) state for this key as of the specified date, offset from the current date.
+.TP
+.B \fB\-z state date/offset\fP
+This option sets the RRSIG (ZSK) state for this key as of the specified date, offset from the current date.
+.UNINDENT
+.SH PRINTING OPTIONS
+.sp
+\fBdnssec\-settime\fP can also be used to print the timing metadata
+associated with a key.
+.INDENT 0.0
+.TP
+.B \fB\-u\fP
+This option indicates that times should be printed in Unix epoch format.
+.TP
+.B \fB\-p C/P/Pds/Psync/A/R/I/D/Dds/Dsync/all\fP
+This option prints a specific metadata value or set of metadata values.
+The \fB\-p\fP option may be followed by one or more of the following letters or
+strings to indicate which value or values to print: \fBC\fP for the
+creation date, \fBP\fP for the publication date, \fBPds\(ga for the DS publication
+date, \(ga\(gaPsync\fP for the CDS and CDNSKEY publication date, \fBA\fP for the
+activation date, \fBR\fP for the revocation date, \fBI\fP for the inactivation
+date, \fBD\fP for the deletion date, \fBDds\fP for the DS deletion date,
+and \fBDsync\fP for the CDS and CDNSKEY deletion date. To print all of the
+metadata, use \fBall\fP\&.
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fBdnssec\-keygen(8)\fP, \fBdnssec\-signzone(8)\fP, BIND 9 Administrator Reference Manual,
+\fI\%RFC 5011\fP\&.
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/dnssec-settime.rst b/doc/man/dnssec-settime.rst
new file mode 100644
index 0000000..c1bb692
--- /dev/null
+++ b/doc/man/dnssec-settime.rst
@@ -0,0 +1,14 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+:orphan:
+
+.. include:: ../../bin/dnssec/dnssec-settime.rst
diff --git a/doc/man/dnssec-signzone.8in b/doc/man/dnssec-signzone.8in
new file mode 100644
index 0000000..d9599a4
--- /dev/null
+++ b/doc/man/dnssec-signzone.8in
@@ -0,0 +1,438 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "DNSSEC-SIGNZONE" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+dnssec-signzone \- DNSSEC zone signing tool
+.SH SYNOPSIS
+.sp
+\fBdnssec\-signzone\fP [\fB\-a\fP] [\fB\-c\fP class] [\fB\-d\fP directory] [\fB\-D\fP] [\fB\-E\fP engine] [\fB\-e\fP end\-time] [\fB\-f\fP output\-file] [\fB\-g\fP] [\fB\-h\fP] [\fB\-i\fP interval] [\fB\-I\fP input\-format] [\fB\-j\fP jitter] [\fB\-K\fP directory] [\fB\-k\fP key] [\fB\-L\fP serial] [\fB\-M\fP maxttl] [\fB\-N\fP soa\-serial\-format] [\fB\-o\fP origin] [\fB\-O\fP output\-format] [\fB\-P\fP] [\fB\-Q\fP] [\fB\-q\fP] [\fB\-R\fP] [\fB\-S\fP] [\fB\-s\fP start\-time] [\fB\-T\fP ttl] [\fB\-t\fP] [\fB\-u\fP] [\fB\-v\fP level] [\fB\-V\fP] [\fB\-X\fP extended end\-time] [\fB\-x\fP] [\fB\-z\fP] [\fB\-3\fP salt] [\fB\-H\fP iterations] [\fB\-A\fP] {zonefile} [key...]
+.SH DESCRIPTION
+.sp
+\fBdnssec\-signzone\fP signs a zone; it generates NSEC and RRSIG records
+and produces a signed version of the zone. The security status of
+delegations from the signed zone (that is, whether the child zones are
+secure) is determined by the presence or absence of a \fBkeyset\fP
+file for each child zone.
+.SH OPTIONS
+.INDENT 0.0
+.TP
+.B \fB\-a\fP
+This option verifies all generated signatures.
+.TP
+.B \fB\-c class\fP
+This option specifies the DNS class of the zone.
+.TP
+.B \fB\-C\fP
+This option sets compatibility mode, in which a \fBkeyset\-zonename\fP file is generated in addition
+to \fBdsset\-zonename\fP when signing a zone, for use by older versions
+of \fBdnssec\-signzone\fP\&.
+.TP
+.B \fB\-d directory\fP
+This option indicates the directory where BIND 9 should look for \fBdsset\-\fP or \fBkeyset\-\fP files.
+.TP
+.B \fB\-D\fP
+This option indicates that only those record types automatically managed by
+\fBdnssec\-signzone\fP, i.e., RRSIG, NSEC, NSEC3 and NSEC3PARAM records, should be included in the output.
+If smart signing (\fB\-S\fP) is used, DNSKEY records are also included.
+The resulting file can be included in the original zone file with
+\fB$INCLUDE\fP\&. This option cannot be combined with \fB\-O raw\fP,
+\fB\-O map\fP, or serial\-number updating.
+.TP
+.B \fB\-E engine\fP
+This option specifies the hardware to use for cryptographic
+operations, such as a secure key store used for signing, when applicable.
+.sp
+When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+engine identifier that drives the cryptographic accelerator or
+hardware service module (usually \fBpkcs11\fP). When BIND is
+built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it
+defaults to the path of the PKCS#11 provider library specified via
+\fB\-\-with\-pkcs11\fP\&.
+.TP
+.B \fB\-g\fP
+This option indicates that DS records for child zones should be generated from a \fBdsset\-\fP or \fBkeyset\-\fP
+file. Existing DS records are removed.
+.TP
+.B \fB\-K directory\fP
+This option specifies the directory to search for DNSSEC keys. If not
+specified, it defaults to the current directory.
+.TP
+.B \fB\-k key\fP
+This option tells BIND 9 to treat the specified key as a key\-signing key, ignoring any key flags. This
+option may be specified multiple times.
+.TP
+.B \fB\-M maxttl\fP
+This option sets the maximum TTL for the signed zone. Any TTL higher than \fBmaxttl\fP
+in the input zone is reduced to \fBmaxttl\fP in the output. This
+provides certainty as to the largest possible TTL in the signed zone,
+which is useful to know when rolling keys. The maxttl is the longest
+possible time before signatures that have been retrieved by resolvers
+expire from resolver caches. Zones that are signed with this
+option should be configured to use a matching \fBmax\-zone\-ttl\fP in
+\fBnamed.conf\fP\&. (Note: This option is incompatible with \fB\-D\fP,
+because it modifies non\-DNSSEC data in the output zone.)
+.TP
+.B \fB\-s start\-time\fP
+This option specifies the date and time when the generated RRSIG records become
+valid. This can be either an absolute or relative time. An absolute
+start time is indicated by a number in YYYYMMDDHHMMSS notation;
+20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative
+start time is indicated by \fB+N\fP, which is N seconds from the current
+time. If no \fBstart\-time\fP is specified, the current time minus 1
+hour (to allow for clock skew) is used.
+.TP
+.B \fB\-e end\-time\fP
+This option specifies the date and time when the generated RRSIG records expire. As
+with \fBstart\-time\fP, an absolute time is indicated in YYYYMMDDHHMMSS
+notation. A time relative to the start time is indicated with \fB+N\fP,
+which is N seconds from the start time. A time relative to the
+current time is indicated with \fBnow+N\fP\&. If no \fBend\-time\fP is
+specified, 30 days from the start time is the default.
+\fBend\-time\fP must be later than \fBstart\-time\fP\&.
+.TP
+.B \fB\-X extended end\-time\fP
+This option specifies the date and time when the generated RRSIG records for the
+DNSKEY RRset expire. This is to be used in cases when the DNSKEY
+signatures need to persist longer than signatures on other records;
+e.g., when the private component of the KSK is kept offline and the
+KSK signature is to be refreshed manually.
+.sp
+As with \fBend\-time\fP, an absolute time is indicated in
+YYYYMMDDHHMMSS notation. A time relative to the start time is
+indicated with \fB+N\fP, which is N seconds from the start time. A time
+relative to the current time is indicated with \fBnow+N\fP\&. If no
+\fBextended end\-time\fP is specified, the value of \fBend\-time\fP is used
+as the default. (\fBend\-time\fP, in turn, defaults to 30 days from the
+start time.) \fBextended end\-time\fP must be later than \fBstart\-time\fP\&.
+.TP
+.B \fB\-f output\-file\fP
+This option indicates the name of the output file containing the signed zone. The default
+is to append \fB\&.signed\fP to the input filename. If \fBoutput\-file\fP is
+set to \fB\-\fP, then the signed zone is written to the standard
+output, with a default output format of \fBfull\fP\&.
+.TP
+.B \fB\-h\fP
+This option prints a short summary of the options and arguments to
+\fBdnssec\-signzone\fP\&.
+.TP
+.B \fB\-V\fP
+This option prints version information.
+.TP
+.B \fB\-i interval\fP
+This option indicates that, when a previously signed zone is passed as input, records may be
+re\-signed. The \fBinterval\fP option specifies the cycle interval as an
+offset from the current time, in seconds. If a RRSIG record expires
+after the cycle interval, it is retained; otherwise, it is considered
+to be expiring soon and it is replaced.
+.sp
+The default cycle interval is one quarter of the difference between
+the signature end and start times. So if neither \fBend\-time\fP nor
+\fBstart\-time\fP is specified, \fBdnssec\-signzone\fP generates
+signatures that are valid for 30 days, with a cycle interval of 7.5
+days. Therefore, if any existing RRSIG records are due to expire in
+less than 7.5 days, they are replaced.
+.TP
+.B \fB\-I input\-format\fP
+This option sets the format of the input zone file. Possible formats are \fBtext\fP
+(the default), \fBraw\fP, and \fBmap\fP\&. This option is primarily
+intended to be used for dynamic signed zones, so that the dumped zone
+file in a non\-text format containing updates can be signed directly.
+This option is not useful for non\-dynamic zones.
+.TP
+.B \fB\-j jitter\fP
+When signing a zone with a fixed signature lifetime, all RRSIG
+records issued at the time of signing expire simultaneously. If the
+zone is incrementally signed, i.e., a previously signed zone is passed
+as input to the signer, all expired signatures must be regenerated
+at approximately the same time. The \fBjitter\fP option specifies a jitter
+window that is used to randomize the signature expire time, thus
+spreading incremental signature regeneration over time.
+.sp
+Signature lifetime jitter also, to some extent, benefits validators and
+servers by spreading out cache expiration, i.e., if large numbers of
+RRSIGs do not expire at the same time from all caches, there is
+less congestion than if all validators need to refetch at around the
+same time.
+.TP
+.B \fB\-L serial\fP
+When writing a signed zone to \(dqraw\(dq or \(dqmap\(dq format, this option sets the \(dqsource
+serial\(dq value in the header to the specified \fBserial\fP number. (This is
+expected to be used primarily for testing purposes.)
+.TP
+.B \fB\-n ncpus\fP
+This option specifies the number of threads to use. By default, one thread is
+started for each detected CPU.
+.TP
+.B \fB\-N soa\-serial\-format\fP
+This option sets the SOA serial number format of the signed zone. Possible formats are
+\fBkeep\fP (the default), \fBincrement\fP, \fBunixtime\fP, and
+\fBdate\fP\&.
+.INDENT 7.0
+.TP
+\fBkeep\fP
+This format indicates that the SOA serial number should not be modified.
+.TP
+\fBincrement\fP
+This format increments the SOA serial number using \fI\%RFC 1982\fP arithmetic.
+.TP
+\fBunixtime\fP
+This format sets the SOA serial number to the number of seconds
+since the beginning of the Unix epoch, unless the serial
+number is already greater than or equal to that value, in
+which case it is simply incremented by one.
+.TP
+\fBdate\fP
+This format sets the SOA serial number to today\(aqs date, in
+YYYYMMDDNN format, unless the serial number is already greater
+than or equal to that value, in which case it is simply
+incremented by one.
+.UNINDENT
+.TP
+.B \fB\-o origin\fP
+This option sets the zone origin. If not specified, the name of the zone file is
+assumed to be the origin.
+.TP
+.B \fB\-O output\-format\fP
+This option sets the format of the output file containing the signed zone. Possible
+formats are \fBtext\fP (the default), which is the standard textual
+representation of the zone; \fBfull\fP, which is text output in a
+format suitable for processing by external scripts; and \fBmap\fP,
+\fBraw\fP, and \fBraw=N\fP, which store the zone in binary formats
+for rapid loading by \fBnamed\fP\&. \fBraw=N\fP specifies the format
+version of the raw zone file: if N is 0, the raw file can be read by
+any version of \fBnamed\fP; if N is 1, the file can be read by release
+9.9.0 or higher. The default is 1.
+.TP
+.B \fB\-P\fP
+This option disables post\-sign verification tests.
+.sp
+The post\-sign verification tests ensure that for each algorithm in
+use there is at least one non\-revoked self\-signed KSK key, that all
+revoked KSK keys are self\-signed, and that all records in the zone
+are signed by the algorithm. This option skips these tests.
+.TP
+.B \fB\-Q\fP
+This option removes signatures from keys that are no longer active.
+.sp
+Normally, when a previously signed zone is passed as input to the
+signer, and a DNSKEY record has been removed and replaced with a new
+one, signatures from the old key that are still within their validity
+period are retained. This allows the zone to continue to validate
+with cached copies of the old DNSKEY RRset. The \fB\-Q\fP option forces
+\fBdnssec\-signzone\fP to remove signatures from keys that are no longer
+active. This enables ZSK rollover using the procedure described in
+\fI\%RFC 4641#4.2.1.1\fP (\(dqPre\-Publish Key Rollover\(dq).
+.TP
+.B \fB\-q\fP
+This option enables quiet mode, which suppresses unnecessary output. Without this option, when
+\fBdnssec\-signzone\fP is run it prints three pieces of information to standard output: the number of
+keys in use; the algorithms used to verify the zone was signed correctly and
+other status information; and the filename containing the signed
+zone. With the option that output is suppressed, leaving only the filename.
+.TP
+.B \fB\-R\fP
+This option removes signatures from keys that are no longer published.
+.sp
+This option is similar to \fB\-Q\fP, except it forces
+\fBdnssec\-signzone\fP to remove signatures from keys that are no longer
+published. This enables ZSK rollover using the procedure described in
+\fI\%RFC 4641#4.2.1.2\fP (\(dqDouble Signature Zone Signing Key
+Rollover\(dq).
+.TP
+.B \fB\-S\fP
+This option enables smart signing, which instructs \fBdnssec\-signzone\fP to search the key
+repository for keys that match the zone being signed, and to include
+them in the zone if appropriate.
+.sp
+When a key is found, its timing metadata is examined to determine how
+it should be used, according to the following rules. Each successive
+rule takes priority over the prior ones:
+.INDENT 7.0
+.INDENT 3.5
+If no timing metadata has been set for the key, the key is
+published in the zone and used to sign the zone.
+.sp
+If the key\(aqs publication date is set and is in the past, the key
+is published in the zone.
+.sp
+If the key\(aqs activation date is set and is in the past, the key is
+published (regardless of publication date) and used to sign the
+zone.
+.sp
+If the key\(aqs revocation date is set and is in the past, and the key
+is published, then the key is revoked, and the revoked key is used
+to sign the zone.
+.sp
+If either the key\(aqs unpublication or deletion date is set and
+in the past, the key is NOT published or used to sign the zone,
+regardless of any other metadata.
+.sp
+If the key\(aqs sync publication date is set and is in the past,
+synchronization records (type CDS and/or CDNSKEY) are created.
+.sp
+If the key\(aqs sync deletion date is set and is in the past,
+synchronization records (type CDS and/or CDNSKEY) are removed.
+.UNINDENT
+.UNINDENT
+.TP
+.B \fB\-T ttl\fP
+This option specifies a TTL to be used for new DNSKEY records imported into the
+zone from the key repository. If not specified, the default is the
+TTL value from the zone\(aqs SOA record. This option is ignored when
+signing without \fB\-S\fP, since DNSKEY records are not imported from
+the key repository in that case. It is also ignored if there are any
+pre\-existing DNSKEY records at the zone apex, in which case new
+records\(aq TTL values are set to match them, or if any of the
+imported DNSKEY records had a default TTL value. In the event of a
+conflict between TTL values in imported keys, the shortest one is
+used.
+.TP
+.B \fB\-t\fP
+This option prints statistics at completion.
+.TP
+.B \fB\-u\fP
+This option updates the NSEC/NSEC3 chain when re\-signing a previously signed zone.
+With this option, a zone signed with NSEC can be switched to NSEC3,
+or a zone signed with NSEC3 can be switched to NSEC or to NSEC3 with
+different parameters. Without this option, \fBdnssec\-signzone\fP
+retains the existing chain when re\-signing.
+.TP
+.B \fB\-v level\fP
+This option sets the debugging level.
+.TP
+.B \fB\-x\fP
+This option indicates that BIND 9 should only sign the DNSKEY, CDNSKEY, and CDS RRsets with key\-signing keys,
+and should omit signatures from zone\-signing keys. (This is similar to the
+\fBdnssec\-dnskey\-kskonly yes;\fP zone option in \fBnamed\fP\&.)
+.TP
+.B \fB\-z\fP
+This option indicates that BIND 9 should ignore the KSK flag on keys when determining what to sign. This causes
+KSK\-flagged keys to sign all records, not just the DNSKEY RRset.
+(This is similar to the \fBupdate\-check\-ksk no;\fP zone option in
+\fBnamed\fP\&.)
+.TP
+.B \fB\-3 salt\fP
+This option generates an NSEC3 chain with the given hex\-encoded salt. A dash
+(\-) can be used to indicate that no salt is to be used when
+generating the NSEC3 chain.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+\fB\-3 \-\fP is the recommended configuration. Adding salt provides no practical benefits.
+.UNINDENT
+.UNINDENT
+.TP
+.B \fB\-H iterations\fP
+This option indicates that, when generating an NSEC3 chain, BIND 9 should use this many iterations. The default
+is 10.
+.sp
+\fBWARNING:\fP
+.INDENT 7.0
+.INDENT 3.5
+Values greater than 0 cause interoperability issues and also increase the risk of CPU\-exhausting DoS attacks. The default value has not been changed because the best practices has changed only after BIND 9.16 reached Extended Support Version status.
+.UNINDENT
+.UNINDENT
+.TP
+.B \fB\-A\fP
+This option indicates that, when generating an NSEC3 chain, BIND 9 should set the OPTOUT flag on all NSEC3
+records and should not generate NSEC3 records for insecure delegations.
+.sp
+\fBWARNING:\fP
+.INDENT 7.0
+.INDENT 3.5
+Do not use this option unless all its implications are fully understood. This option is intended only for extremely large zones (comparable to \fBcom.\fP) with sparse secure delegations.
+.UNINDENT
+.UNINDENT
+.sp
+Using this option twice (i.e., \fB\-AA\fP) turns the OPTOUT flag off for
+all records. This is useful when using the \fB\-u\fP option to modify an
+NSEC3 chain which previously had OPTOUT set.
+.TP
+.B \fBzonefile\fP
+This option sets the file containing the zone to be signed.
+.TP
+.B \fBkey\fP
+This option specifies which keys should be used to sign the zone. If no keys are
+specified, the zone is examined for DNSKEY records at the
+zone apex. If these records are found and there are matching private keys in
+the current directory, they are used for signing.
+.UNINDENT
+.SH EXAMPLE
+.sp
+The following command signs the \fBexample.com\fP zone with the
+ECDSAP256SHA256 key generated by \fBdnssec\-keygen\fP
+(Kexample.com.+013+17247). Because the \fB\-S\fP option is not being used,
+the zone\(aqs keys must be in the master file (\fBdb.example.com\fP). This
+invocation looks for \fBdsset\fP files in the current directory, so that
+DS records can be imported from them (\fB\-g\fP).
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+% dnssec\-signzone \-g \-o example.com db.example.com \e
+Kexample.com.+013+17247
+db.example.com.signed
+%
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+In the above example, \fBdnssec\-signzone\fP creates the file
+\fBdb.example.com.signed\fP\&. This file should be referenced in a zone
+statement in the \fBnamed.conf\fP file.
+.sp
+This example re\-signs a previously signed zone with default parameters.
+The private keys are assumed to be in the current directory.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+% cp db.example.com.signed db.example.com
+% dnssec\-signzone \-o example.com db.example.com
+db.example.com.signed
+%
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fBdnssec\-keygen(8)\fP, BIND 9 Administrator Reference Manual, \fI\%RFC 4033\fP,
+\fI\%RFC 4641\fP\&.
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/dnssec-signzone.rst b/doc/man/dnssec-signzone.rst
new file mode 100644
index 0000000..b95e04a
--- /dev/null
+++ b/doc/man/dnssec-signzone.rst
@@ -0,0 +1,14 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+:orphan:
+
+.. include:: ../../bin/dnssec/dnssec-signzone.rst
diff --git a/doc/man/dnssec-verify.8in b/doc/man/dnssec-verify.8in
new file mode 100644
index 0000000..6413884
--- /dev/null
+++ b/doc/man/dnssec-verify.8in
@@ -0,0 +1,113 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "DNSSEC-VERIFY" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+dnssec-verify \- DNSSEC zone verification tool
+.SH SYNOPSIS
+.sp
+\fBdnssec\-verify\fP [\fB\-c\fP class] [\fB\-E\fP engine] [\fB\-I\fP input\-format] [\fB\-o\fP origin] [\fB\-q\fP] [\fB\-v\fP level] [\fB\-V\fP] [\fB\-x\fP] [\fB\-z\fP] {zonefile}
+.SH DESCRIPTION
+.sp
+\fBdnssec\-verify\fP verifies that a zone is fully signed for each
+algorithm found in the DNSKEY RRset for the zone, and that the
+NSEC/NSEC3 chains are complete.
+.SH OPTIONS
+.INDENT 0.0
+.TP
+.B \fB\-c class\fP
+This option specifies the DNS class of the zone.
+.TP
+.B \fB\-E engine\fP
+This option specifies the cryptographic hardware to use, when applicable.
+.sp
+When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+engine identifier that drives the cryptographic accelerator or
+hardware service module (usually \fBpkcs11\fP). When BIND is
+built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it
+defaults to the path of the PKCS#11 provider library specified via
+\fB\-\-with\-pkcs11\fP\&.
+.TP
+.B \fB\-I input\-format\fP
+This option sets the format of the input zone file. Possible formats are \fBtext\fP
+(the default) and \fBraw\fP\&. This option is primarily intended to be used
+for dynamic signed zones, so that the dumped zone file in a non\-text
+format containing updates can be verified independently.
+This option is not useful for non\-dynamic zones.
+.TP
+.B \fB\-o origin\fP
+This option indicates the zone origin. If not specified, the name of the zone file is
+assumed to be the origin.
+.TP
+.B \fB\-v level\fP
+This option sets the debugging level.
+.TP
+.B \fB\-V\fP
+This option prints version information.
+.TP
+.B \fB\-q\fP
+This option sets quiet mode, which suppresses output.  Without this option, when \fBdnssec\-verify\fP
+is run it prints to standard output the number of keys in use, the
+algorithms used to verify the zone was signed correctly, and other status
+information.  With this option, all non\-error output is suppressed, and only the exit
+code indicates success.
+.TP
+.B \fB\-x\fP
+This option verifies only that the DNSKEY RRset is signed with key\-signing keys.
+Without this flag, it is assumed that the DNSKEY RRset is signed
+by all active keys. When this flag is set, it is not an error if
+the DNSKEY RRset is not signed by zone\-signing keys. This corresponds
+to the \fB\-x\fP option in \fBdnssec\-signzone\fP\&.
+.TP
+.B \fB\-z\fP
+This option indicates that the KSK flag on the keys should be ignored when determining whether the zone is
+correctly signed. Without this flag, it is assumed that there is
+a non\-revoked, self\-signed DNSKEY with the KSK flag set for each
+algorithm, and that RRsets other than DNSKEY RRset are signed with
+a different DNSKEY without the KSK flag set.
+.sp
+With this flag set, BIND 9 only requires that for each algorithm, there
+be at least one non\-revoked, self\-signed DNSKEY, regardless of
+the KSK flag state, and that other RRsets be signed by a
+non\-revoked key for the same algorithm that includes the self\-signed
+key; the same key may be used for both purposes. This corresponds to
+the \fB\-z\fP option in \fBdnssec\-signzone\fP\&.
+.TP
+.B \fBzonefile\fP
+This option indicates the file containing the zone to be signed.
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fBdnssec\-signzone(8)\fP, BIND 9 Administrator Reference Manual, \fI\%RFC 4033\fP\&.
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/dnssec-verify.rst b/doc/man/dnssec-verify.rst
new file mode 100644
index 0000000..c565fed
--- /dev/null
+++ b/doc/man/dnssec-verify.rst
@@ -0,0 +1,14 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+:orphan:
+
+.. include:: ../../bin/dnssec/dnssec-verify.rst
diff --git a/doc/man/dnstap-read.1in b/doc/man/dnstap-read.1in
new file mode 100644
index 0000000..c6dc0d0
--- /dev/null
+++ b/doc/man/dnstap-read.1in
@@ -0,0 +1,67 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "DNSTAP-READ" "1" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+dnstap-read \- print dnstap data in human-readable form
+.SH SYNOPSIS
+.sp
+\fBdnstap\-read\fP [\fB\-m\fP] [\fB\-p\fP] [\fB\-x\fP] [\fB\-y\fP] {file}
+.SH DESCRIPTION
+.sp
+\fBdnstap\-read\fP reads \fBdnstap\fP data from a specified file and prints
+it in a human\-readable format. By default, \fBdnstap\fP data is printed in
+a short summary format, but if the \fB\-y\fP option is specified, a
+longer and more detailed YAML format is used.
+.SH OPTIONS
+.INDENT 0.0
+.TP
+.B \fB\-m\fP
+This option indicates trace memory allocations, and is used for debugging memory leaks.
+.TP
+.B \fB\-p\fP
+This option prints the text form of the DNS
+message that was encapsulated in the \fBdnstap\fP frame, after printing the \fBdnstap\fP data.
+.TP
+.B \fB\-x\fP
+This option prints a hex dump of the wire form
+of the DNS message that was encapsulated in the \fBdnstap\fP frame, after printing the \fBdnstap\fP data.
+.TP
+.B \fB\-y\fP
+This option prints \fBdnstap\fP data in a detailed YAML format.
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fBnamed(8)\fP, \fBrndc(8)\fP, BIND 9 Administrator Reference Manual.
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/dnstap-read.rst b/doc/man/dnstap-read.rst
new file mode 100644
index 0000000..9b60739
--- /dev/null
+++ b/doc/man/dnstap-read.rst
@@ -0,0 +1,14 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+:orphan:
+
+.. include:: ../../bin/tools/dnstap-read.rst
diff --git a/doc/man/filter-aaaa.8in b/doc/man/filter-aaaa.8in
new file mode 100644
index 0000000..b4ef946
--- /dev/null
+++ b/doc/man/filter-aaaa.8in
@@ -0,0 +1,110 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "FILTER-AAAA" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+filter-aaaa \- filter AAAA in DNS responses when A is present
+.SH SYNOPSIS
+.sp
+\fBplugin query\fP \(dqfilter\-aaaa.so\(dq [{ parameters }];
+.SH DESCRIPTION
+.sp
+\fBfilter\-aaaa.so\fP is a query plugin module for \fBnamed\fP, enabling
+\fBnamed\fP to omit some IPv6 addresses when responding to clients.
+.sp
+Until BIND 9.12, this feature was implemented natively in \fBnamed\fP and
+enabled with the \fBfilter\-aaaa\fP ACL and the \fBfilter\-aaaa\-on\-v4\fP and
+\fBfilter\-aaaa\-on\-v6\fP options. These options are now deprecated in
+\fBnamed.conf\fP but can be passed as parameters to the
+\fBfilter\-aaaa.so\fP plugin, for example:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+plugin query \(dq/usr/local/lib/filter\-aaaa.so\(dq {
+        filter\-aaaa\-on\-v4 yes;
+        filter\-aaaa\-on\-v6 yes;
+        filter\-aaaa { 192.0.2.1; 2001:db8:2::1; };
+};
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+This module is intended to aid transition from IPv4 to IPv6 by
+withholding IPv6 addresses from DNS clients which are not connected to
+the IPv6 Internet, when the name being looked up has an IPv4 address
+available. Use of this module is not recommended unless absolutely
+necessary.
+.sp
+Note: This mechanism can erroneously cause other servers not to give
+AAAA records to their clients. If a recursing server with both IPv6 and
+IPv4 network connections queries an authoritative server using this
+mechanism via IPv4, it is denied AAAA records even if its client is
+using IPv6.
+.SH OPTIONS
+.INDENT 0.0
+.TP
+.B \fBfilter\-aaaa\fP
+This option specifies a list of client addresses for which AAAA filtering is to
+be applied. The default is \fBany\fP\&.
+.TP
+.B \fBfilter\-aaaa\-on\-v4\fP
+If set to \fByes\fP, this option indicates that the DNS client is at an IPv4 address, in
+\fBfilter\-aaaa\fP\&. If the response does not include DNSSEC
+signatures, then all AAAA records are deleted from the response. This
+filtering applies to all responses, not only authoritative
+ones.
+.sp
+If set to \fBbreak\-dnssec\fP, then AAAA records are deleted even when
+DNSSEC is enabled. As suggested by the name, this causes the response
+to fail to verify, because the DNSSEC protocol is designed to detect
+deletions.
+.sp
+This mechanism can erroneously cause other servers not to give AAAA
+records to their clients. If a recursing server with both IPv6 and IPv4
+network connections queries an authoritative server using this
+mechanism via IPv4, it is denied AAAA records even if its client is
+using IPv6.
+.TP
+.B \fBfilter\-aaaa\-on\-v6\fP
+This option is identical to \fBfilter\-aaaa\-on\-v4\fP, except that it filters AAAA responses
+to queries from IPv6 clients instead of IPv4 clients. To filter all
+responses, set both options to \fByes\fP\&.
+.UNINDENT
+.SH SEE ALSO
+.sp
+BIND 9 Administrator Reference Manual.
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/filter-aaaa.rst b/doc/man/filter-aaaa.rst
new file mode 100644
index 0000000..2ad0521
--- /dev/null
+++ b/doc/man/filter-aaaa.rst
@@ -0,0 +1,14 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+:orphan:
+
+.. include:: ../../bin/plugins/filter-aaaa.rst
diff --git a/doc/man/host.1in b/doc/man/host.1in
new file mode 100644
index 0000000..0747ded
--- /dev/null
+++ b/doc/man/host.1in
@@ -0,0 +1,182 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "HOST" "1" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+host \- DNS lookup utility
+.SH SYNOPSIS
+.sp
+\fBhost\fP [\fB\-aACdlnrsTUwv\fP] [\fB\-c\fP class] [\fB\-N\fP ndots] [\fB\-p\fP port] [\fB\-R\fP number] [\fB\-t\fP type] [\fB\-W\fP wait] [\fB\-m\fP flag] [ [\fB\-4\fP] | [\fB\-6\fP] ] [\fB\-v\fP] [\fB\-V\fP] {name} [server]
+.SH DESCRIPTION
+.sp
+\fBhost\fP is a simple utility for performing DNS lookups. It is normally
+used to convert names to IP addresses and vice versa. When no arguments
+or options are given, \fBhost\fP prints a short summary of its
+command\-line arguments and options.
+.sp
+\fBname\fP is the domain name that is to be looked up. It can also be a
+dotted\-decimal IPv4 address or a colon\-delimited IPv6 address, in which
+case \fBhost\fP by default performs a reverse lookup for that address.
+\fBserver\fP is an optional argument which is either the name or IP
+address of the name server that \fBhost\fP should query instead of the
+server or servers listed in \fB/etc/resolv.conf\fP\&.
+.SH OPTIONS
+.INDENT 0.0
+.TP
+.B \fB\-4\fP
+This option specifies that only IPv4 should be used for query transport. See also the \fB\-6\fP option.
+.TP
+.B \fB\-6\fP
+This option specifies that only IPv6 should be used for query transport. See also the \fB\-4\fP option.
+.TP
+.B \fB\-a\fP
+The \fB\-a\fP (\(dqall\(dq) option is normally equivalent to \fB\-v \-t ANY\fP\&. It
+also affects the behavior of the \fB\-l\fP list zone option.
+.TP
+.B \fB\-A\fP
+The \fB\-A\fP (\(dqalmost all\(dq) option is equivalent to \fB\-a\fP, except that RRSIG,
+NSEC, and NSEC3 records are omitted from the output.
+.TP
+.B \fB\-c class\fP
+This option specifies the query class, which can be used to lookup HS (Hesiod) or CH (Chaosnet)
+class resource records. The default class is IN (Internet).
+.TP
+.B \fB\-C\fP
+This option indicates that \fBnamed\fP should check consistency, meaning that \fBhost\fP queries the SOA records for zone
+\fBname\fP from all the listed authoritative name servers for that
+zone. The list of name servers is defined by the NS records that are
+found for the zone.
+.TP
+.B \fB\-d\fP
+This option prints debugging traces, and is equivalent to the \fB\-v\fP verbose option.
+.TP
+.B \fB\-l\fP
+This option tells \fBnamed\fP to list the zone, meaning the \fBhost\fP command performs a zone transfer of zone
+\fBname\fP and prints out the NS, PTR, and address records (A/AAAA).
+.sp
+Together, the \fB\-l \-a\fP options print all records in the zone.
+.TP
+.B \fB\-N ndots\fP
+This option specifies the number of dots (\fBndots\fP) that have to be in \fBname\fP for it to be
+considered absolute. The default value is that defined using the
+\fBndots\fP statement in \fB/etc/resolv.conf\fP, or 1 if no \fBndots\fP statement
+is present. Names with fewer dots are interpreted as relative names,
+and are searched for in the domains listed in the \fBsearch\fP or
+\fBdomain\fP directive in \fB/etc/resolv.conf\fP\&.
+.TP
+.B \fB\-p port\fP
+This option specifies the port to query on the server. The default is 53.
+.TP
+.B \fB\-r\fP
+This option specifies a non\-recursive query; setting this option clears the RD (recursion
+desired) bit in the query. This means that the name server
+receiving the query does not attempt to resolve \fBname\fP\&. The \fB\-r\fP
+option enables \fBhost\fP to mimic the behavior of a name server by
+making non\-recursive queries, and expecting to receive answers to
+those queries that can be referrals to other name servers.
+.TP
+.B \fB\-R number\fP
+This option specifies the number of retries for UDP queries. If \fBnumber\fP is negative or zero,
+the number of retries is silently set to 1. The default value is 1, or
+the value of the \fBattempts\fP option in \fB/etc/resolv.conf\fP, if set.
+.TP
+.B \fB\-s\fP
+This option tells \fBnamed\fP \fInot\fP to send the query to the next nameserver if any server responds
+with a SERVFAIL response, which is the reverse of normal stub
+resolver behavior.
+.TP
+.B \fB\-t type\fP
+This option specifies the query type. The \fBtype\fP argument can be any recognized query type:
+CNAME, NS, SOA, TXT, DNSKEY, AXFR, etc.
+.sp
+When no query type is specified, \fBhost\fP automatically selects an
+appropriate query type. By default, it looks for A, AAAA, and MX
+records. If the \fB\-C\fP option is given, queries are made for SOA
+records. If \fBname\fP is a dotted\-decimal IPv4 address or
+colon\-delimited IPv6 address, \fBhost\fP queries for PTR records.
+.sp
+If a query type of IXFR is chosen, the starting serial number can be
+specified by appending an equals sign (=), followed by the starting serial
+number, e.g., \fB\-t IXFR=12345678\fP\&.
+.TP
+.B \fB\-T\fP; \fB\-U\fP
+This option specifies TCP or UDP. By default, \fBhost\fP uses UDP when making queries; the
+\fB\-T\fP option makes it use a TCP connection when querying the name
+server. TCP is automatically selected for queries that require
+it, such as zone transfer (AXFR) requests. Type \fBANY\fP queries default
+to TCP, but can be forced to use UDP initially via \fB\-U\fP\&.
+.TP
+.B \fB\-m flag\fP
+This option sets memory usage debugging: the flag can be \fBrecord\fP, \fBusage\fP, or
+\fBtrace\fP\&. The \fB\-m\fP option can be specified more than once to set
+multiple flags.
+.TP
+.B \fB\-v\fP
+This option sets verbose output, and is equivalent to the \fB\-d\fP debug option. Verbose output
+can also be enabled by setting the \fBdebug\fP option in
+\fB/etc/resolv.conf\fP\&.
+.TP
+.B \fB\-V\fP
+This option prints the version number and exits.
+.TP
+.B \fB\-w\fP
+This option sets \(dqwait forever\(dq: the query timeout is set to the maximum possible. See
+also the \fB\-W\fP option.
+.TP
+.B \fB\-W wait\fP
+This options sets the length of the wait timeout, indicating that \fBnamed\fP should wait for up to \fBwait\fP seconds for a reply. If \fBwait\fP is
+less than 1, the wait interval is set to 1 second.
+.sp
+By default, \fBhost\fP waits for 5 seconds for UDP responses and 10
+seconds for TCP connections. These defaults can be overridden by the
+\fBtimeout\fP option in \fB/etc/resolv.conf\fP\&.
+.sp
+See also the \fB\-w\fP option.
+.UNINDENT
+.SH IDN SUPPORT
+.sp
+If \fBhost\fP has been built with IDN (internationalized domain name)
+support, it can accept and display non\-ASCII domain names. \fBhost\fP
+appropriately converts character encoding of a domain name before sending
+a request to a DNS server or displaying a reply from the server.
+To turn off IDN support, define the \fBIDN_DISABLE\fP
+environment variable. IDN support is disabled if the variable is set
+when \fBhost\fP runs.
+.SH FILES
+.sp
+\fB/etc/resolv.conf\fP
+.SH SEE ALSO
+.sp
+\fBdig(1)\fP, \fBnamed(8)\fP\&.
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/host.rst b/doc/man/host.rst
new file mode 100644
index 0000000..690243d
--- /dev/null
+++ b/doc/man/host.rst
@@ -0,0 +1,14 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+:orphan:
+
+.. include:: ../../bin/dig/host.rst
diff --git a/doc/man/index.rst b/doc/man/index.rst
new file mode 100644
index 0000000..35fd8d3
--- /dev/null
+++ b/doc/man/index.rst
@@ -0,0 +1,10 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
diff --git a/doc/man/mdig.1in b/doc/man/mdig.1in
new file mode 100644
index 0000000..8ad1858
--- /dev/null
+++ b/doc/man/mdig.1in
@@ -0,0 +1,341 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "MDIG" "1" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+mdig \- DNS pipelined lookup utility
+.SH SYNOPSIS
+.sp
+\fBmdig\fP \fI\%{@server\fP} [\fB\-f\fP filename] [\fB\-h\fP] [\fB\-v\fP] [ [\fB\-4\fP] | [\fB\-6\fP] ] [\fB\-m\fP] [\fB\-b\fP address] [\fB\-p\fP port#] [\fB\-c\fP class] [\fB\-t\fP type] [\fB\-i\fP] [\fB\-x\fP addr] [plusopt...]
+.sp
+\fBmdig\fP {\fB\-h\fP}
+.sp
+\fBmdig\fP [@server] {global\-opt...} { {local\-opt...} {query} ...}
+.SH DESCRIPTION
+.sp
+\fBmdig\fP is a multiple/pipelined query version of \fBdig\fP: instead of
+waiting for a response after sending each query, it begins by sending
+all queries. Responses are displayed in the order in which they are
+received, not in the order the corresponding queries were sent.
+.sp
+\fBmdig\fP options are a subset of the \fBdig\fP options, and are divided
+into \(dqanywhere options,\(dq which can occur anywhere, \(dqglobal options,\(dq which
+must occur before the query name (or they are ignored with a warning),
+and \(dqlocal options,\(dq which apply to the next query on the command line.
+.sp
+The \fB@server\fP option is a mandatory global option. It is the name or IP
+address of the name server to query. (Unlike \fBdig\fP, this value is not
+retrieved from \fB/etc/resolv.conf\fP\&.) It can be an IPv4 address in
+dotted\-decimal notation, an IPv6 address in colon\-delimited notation, or
+a hostname. When the supplied \fBserver\fP argument is a hostname,
+\fBmdig\fP resolves that name before querying the name server.
+.sp
+\fBmdig\fP provides a number of query options which affect the way in
+which lookups are made and the results displayed. Some of these set or
+reset flag bits in the query header, some determine which sections of
+the answer get printed, and others determine the timeout and retry
+strategies.
+.sp
+Each query option is identified by a keyword preceded by a plus sign
+(\fB+\fP). Some keywords set or reset an option. These may be preceded by
+the string \fBno\fP to negate the meaning of that keyword. Other keywords
+assign values to options like the timeout interval. They have the form
+\fB+keyword=value\fP\&.
+.SH ANYWHERE OPTIONS
+.INDENT 0.0
+.TP
+.B \fB\-f\fP
+This option makes \fBmdig\fP operate in batch mode by reading a list
+of lookup requests to process from the file \fBfilename\fP\&. The file
+contains a number of queries, one per line. Each entry in the file
+should be organized in the same way they would be presented as queries
+to \fBmdig\fP using the command\-line interface.
+.TP
+.B \fB\-h\fP
+This option causes \fBmdig\fP to print detailed help information, with the full list
+of options, and exit.
+.TP
+.B \fB\-v\fP
+This option causes \fBmdig\fP to print the version number and exit.
+.UNINDENT
+.SH GLOBAL OPTIONS
+.INDENT 0.0
+.TP
+.B \fB\-4\fP
+This option forces \fBmdig\fP to only use IPv4 query transport.
+.TP
+.B \fB\-6\fP
+This option forces \fBmdig\fP to only use IPv6 query transport.
+.TP
+.B \fB\-b address\fP
+This option sets the source IP address of the query to
+\fBaddress\fP\&. This must be a valid address on one of the host\(aqs network
+interfaces or \(dq0.0.0.0\(dq or \(dq::\(dq. An optional port may be specified by
+appending \(dq#<port>\(dq
+.TP
+.B \fB\-m\fP
+This option enables memory usage debugging.
+.TP
+.B \fB\-p port#\fP
+This option is used when a non\-standard port number is to be
+queried. \fBport#\fP is the port number that \fBmdig\fP sends its
+queries to, instead of the standard DNS port number 53. This option is
+used to test a name server that has been configured to listen for
+queries on a non\-standard port number.
+.UNINDENT
+.sp
+The global query options are:
+.INDENT 0.0
+.TP
+.B \fB+[no]additional\fP
+This option displays [or does not display] the additional section of a reply. The
+default is to display it.
+.TP
+.B \fB+[no]all\fP
+This option sets or clears all display flags.
+.TP
+.B \fB+[no]answer\fP
+This option displays [or does not display] the answer section of a reply. The default
+is to display it.
+.TP
+.B \fB+[no]authority\fP
+This option displays [or does not display] the authority section of a reply. The
+default is to display it.
+.TP
+.B \fB+[no]besteffort\fP
+This option attempts to display [or does not display] the contents of messages which are malformed. The
+default is to not display malformed answers.
+.TP
+.B \fB+burst\fP
+This option delays queries until the start of the next second.
+.TP
+.B \fB+[no]cl\fP
+This option displays [or does not display] the CLASS when printing the record.
+.TP
+.B \fB+[no]comments\fP
+This option toggles the display of comment lines in the output. The default is to
+print comments.
+.TP
+.B \fB+[no]continue\fP
+This option toggles continuation on errors (e.g. timeouts).
+.TP
+.B \fB+[no]crypto\fP
+This option toggles the display of cryptographic fields in DNSSEC records. The
+contents of these fields are unnecessary to debug most DNSSEC
+validation failures and removing them makes it easier to see the
+common failures. The default is to display the fields. When omitted,
+they are replaced by the string \(dq[omitted]\(dq; in the DNSKEY case, the
+key ID is displayed as the replacement, e.g., \fB[ key id = value ]\fP\&.
+.TP
+.B \fB+dscp[=value]\fP
+This option sets the DSCP code point to be used when sending the query. Valid DSCP
+code points are in the range [0...63]. By default no code point is
+explicitly set.
+.TP
+.B \fB+[no]multiline\fP
+This option toggles printing of records, like the SOA records, in a verbose multi\-line format
+with human\-readable comments. The default is to print each record on
+a single line, to facilitate machine parsing of the \fBmdig\fP output.
+.TP
+.B \fB+[no]question\fP
+This option prints [or does not print] the question section of a query when an answer
+is returned. The default is to print the question section as a
+comment.
+.TP
+.B \fB+[no]rrcomments\fP
+This option toggles the display of per\-record comments in the output (for example,
+human\-readable key information about DNSKEY records). The default is
+not to print record comments unless multiline mode is active.
+.TP
+.B \fB+[no]short\fP
+This option provides [or does not provide] a terse answer. The default is to print the answer in a
+verbose form.
+.TP
+.B \fB+split=W\fP
+This option splits long hex\- or base64\-formatted fields in resource records into
+chunks of \fBW\fP characters (where \fBW\fP is rounded up to the nearest
+multiple of 4). \fB+nosplit\fP or \fB+split=0\fP causes fields not to be
+split. The default is 56 characters, or 44 characters when
+multiline mode is active.
+.TP
+.B \fB+[no]tcp\fP
+This option uses [or does not use] TCP when querying name servers. The default behavior
+is to use UDP.
+.TP
+.B \fB+[no]ttlid\fP
+This option displays [or does not display] the TTL when printing the record.
+.TP
+.B \fB+[no]ttlunits\fP
+This option displays [or does not display] the TTL in friendly human\-readable time
+units of \(dqs\(dq, \(dqm\(dq, \(dqh\(dq, \(dqd\(dq, and \(dqw\(dq, representing seconds, minutes,
+hours, days, and weeks. This implies +ttlid.
+.TP
+.B \fB+[no]vc\fP
+This option uses [or does not use] TCP when querying name servers. This alternate
+syntax to \fB+[no]tcp\fP is provided for backwards compatibility. The
+\fBvc\fP stands for \(dqvirtual circuit\(dq.
+.UNINDENT
+.SH LOCAL OPTIONS
+.INDENT 0.0
+.TP
+.B \fB\-c class\fP
+This option sets the query class to \fBclass\fP\&. It can be any valid
+query class which is supported in BIND 9. The default query class is
+\(dqIN\(dq.
+.TP
+.B \fB\-t type\fP
+This option sets the query type to \fBtype\fP\&. It can be any valid
+query type which is supported in BIND 9. The default query type is \(dqA\(dq,
+unless the \fB\-x\fP option is supplied to indicate a reverse lookup with
+the \(dqPTR\(dq query type.
+.TP
+.B \fB\-x addr\fP
+Reverse lookups \- mapping addresses to names \- are simplified by
+this option. \fBaddr\fP is an IPv4 address in dotted\-decimal
+notation, or a colon\-delimited IPv6 address. \fBmdig\fP automatically
+performs a lookup for a query name like \fB11.12.13.10.in\-addr.arpa\fP and
+sets the query type and class to PTR and IN respectively. By default,
+IPv6 addresses are looked up using nibble format under the IP6.ARPA
+domain.
+.UNINDENT
+.sp
+The local query options are:
+.INDENT 0.0
+.TP
+.B \fB+[no]aaflag\fP
+This is a synonym for \fB+[no]aaonly\fP\&.
+.TP
+.B \fB+[no]aaonly\fP
+This sets the \fBaa\fP flag in the query.
+.TP
+.B \fB+[no]adflag\fP
+This sets [or does not set] the AD (authentic data) bit in the query. This
+requests the server to return whether all of the answer and authority
+sections have all been validated as secure, according to the security
+policy of the server. AD=1 indicates that all records have been
+validated as secure and the answer is not from a OPT\-OUT range. AD=0
+indicates that some part of the answer was insecure or not validated.
+This bit is set by default.
+.TP
+.B \fB+bufsize=B\fP
+This sets the UDP message buffer size advertised using EDNS0 to \fBB\fP
+bytes. The maximum and minimum sizes of this buffer are 65535 and 0
+respectively. Values outside this range are rounded up or down
+appropriately. Values other than zero cause a EDNS query to be
+sent.
+.TP
+.B \fB+[no]cdflag\fP
+This sets [or does not set] the CD (checking disabled) bit in the query. This
+requests the server to not perform DNSSEC validation of responses.
+.TP
+.B \fB+[no]cookie=####\fP
+This sends [or does not send] a COOKIE EDNS option, with an optional value. Replaying a COOKIE
+from a previous response allows the server to identify a previous
+client. The default is \fB+nocookie\fP\&.
+.TP
+.B \fB+[no]dnssec\fP
+This requests that DNSSEC records be sent by setting the DNSSEC OK (DO) bit in
+the OPT record in the additional section of the query.
+.TP
+.B \fB+[no]edns[=#]\fP
+This specifies [or does not specify] the EDNS version to query with. Valid values are 0 to 255.
+Setting the EDNS version causes an EDNS query to be sent.
+\fB+noedns\fP clears the remembered EDNS version. EDNS is set to 0 by
+default.
+.TP
+.B \fB+[no]ednsflags[=#]\fP
+This sets the must\-be\-zero EDNS flag bits (Z bits) to the specified value.
+Decimal, hex, and octal encodings are accepted. Setting a named flag
+(e.g. DO) is silently ignored. By default, no Z bits are set.
+.TP
+.B \fB+[no]ednsopt[=code[:value]]\fP
+This specifies [or does not specify] an EDNS option with code point \fBcode\fP and an optional payload
+of \fBvalue\fP as a hexadecimal string. \fB+noednsopt\fP clears the EDNS
+options to be sent.
+.TP
+.B \fB+[no]expire\fP
+This toggles sending of an EDNS Expire option.
+.TP
+.B \fB+[no]nsid\fP
+This toggles inclusion of an EDNS name server ID request when sending a query.
+.TP
+.B \fB+[no]recurse\fP
+This toggles the setting of the RD (recursion desired) bit in the query.
+This bit is set by default, which means \fBmdig\fP normally sends
+recursive queries.
+.TP
+.B \fB+retry=T\fP
+This sets the number of times to retry UDP queries to server to \fBT\fP
+instead of the default, 2. Unlike \fB+tries\fP, this does not include
+the initial query.
+.TP
+.B \fB+[no]subnet=addr[/prefix\-length]\fP
+This sends [or does not send] an EDNS Client Subnet option with the specified IP
+address or network prefix.
+.TP
+.B \fBmdig +subnet=0.0.0.0/0\fP, or simply \fBmdig +subnet=0\fP
+This sends an EDNS client\-subnet option with an empty address and a source
+prefix\-length of zero, which signals a resolver that the client\(aqs
+address information must \fInot\fP be used when resolving this query.
+.TP
+.B \fB+timeout=T\fP
+This sets the timeout for a query to \fBT\fP seconds. The default timeout is
+5 seconds for UDP transport and 10 for TCP. An attempt to set \fBT\fP
+to less than 1 results in a query timeout of 1 second being
+applied.
+.TP
+.B \fB+tries=T\fP
+This sets the number of times to try UDP queries to server to \fBT\fP
+instead of the default, 3. If \fBT\fP is less than or equal to zero,
+the number of tries is silently rounded up to 1.
+.TP
+.B \fB+udptimeout=T\fP
+This sets the timeout between UDP query retries to \fBT\fP\&.
+.TP
+.B \fB+[no]unknownformat\fP
+This prints [or does not print] all RDATA in unknown RR\-type presentation format (see \fI\%RFC 3597\fP).
+The default is to print RDATA for known types in the type\(aqs
+presentation format.
+.TP
+.B \fB+[no]yaml\fP
+This toggles printing of the responses in a detailed YAML format.
+.TP
+.B \fB+[no]zflag\fP
+This sets [or does not set] the last unassigned DNS header flag in a DNS query.
+This flag is off by default.
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fBdig(1)\fP, \fI\%RFC 1035\fP\&.
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/mdig.rst b/doc/man/mdig.rst
new file mode 100644
index 0000000..351d17f
--- /dev/null
+++ b/doc/man/mdig.rst
@@ -0,0 +1,14 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+:orphan:
+
+.. include:: ../../bin/tools/mdig.rst
diff --git a/doc/man/named-checkconf.8in b/doc/man/named-checkconf.8in
new file mode 100644
index 0000000..a54628e
--- /dev/null
+++ b/doc/man/named-checkconf.8in
@@ -0,0 +1,108 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "NAMED-CHECKCONF" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+named-checkconf \- named configuration file syntax checking tool
+.SH SYNOPSIS
+.sp
+\fBnamed\-checkconf\fP [\fB\-chjlvz\fP] [\fB\-p\fP [\fB\-x\fP ]] [\fB\-t\fP directory] {filename}
+.SH DESCRIPTION
+.sp
+\fBnamed\-checkconf\fP checks the syntax, but not the semantics, of a
+\fBnamed\fP configuration file. The file, along with all files included by it, is parsed and checked for syntax
+errors. If no file is specified,
+\fB/etc/named.conf\fP is read by default.
+.sp
+Note: files that \fBnamed\fP reads in separate parser contexts, such as
+\fBrndc.key\fP and \fBbind.keys\fP, are not automatically read by
+\fBnamed\-checkconf\fP\&. Configuration errors in these files may cause
+\fBnamed\fP to fail to run, even if \fBnamed\-checkconf\fP was successful.
+However, \fBnamed\-checkconf\fP can be run on these files explicitly.
+.SH OPTIONS
+.INDENT 0.0
+.TP
+.B \fB\-h\fP
+This option prints the usage summary and exits.
+.TP
+.B \fB\-j\fP
+When loading a zonefile, this option instructs \fBnamed\fP to read the journal if it exists.
+.TP
+.B \fB\-l\fP
+This option lists all the configured zones. Each line of output contains the zone
+name, class (e.g. IN), view, and type (e.g. primary or secondary).
+.TP
+.B \fB\-c\fP
+This option specifies that only the \(dqcore\(dq configuration should be checked. This suppresses the loading of
+plugin modules, and causes all parameters to \fBplugin\fP statements to
+be ignored.
+.TP
+.B \fB\-i\fP
+This option ignores warnings on deprecated options.
+.TP
+.B \fB\-p\fP
+This option prints out the \fBnamed.conf\fP and included files in canonical form if
+no errors were detected. See also the \fB\-x\fP option.
+.TP
+.B \fB\-t directory\fP
+This option instructs \fBnamed\fP to chroot to \fBdirectory\fP, so that \fBinclude\fP directives in the
+configuration file are processed as if run by a similarly chrooted
+\fBnamed\fP\&.
+.TP
+.B \fB\-v\fP
+This option prints the version of the \fBnamed\-checkconf\fP program and exits.
+.TP
+.B \fB\-x\fP
+When printing the configuration files in canonical form, this option obscures
+shared secrets by replacing them with strings of question marks
+(\fB?\fP). This allows the contents of \fBnamed.conf\fP and related files
+to be shared \- for example, when submitting bug reports \-
+without compromising private data. This option cannot be used without
+\fB\-p\fP\&.
+.TP
+.B \fB\-z\fP
+This option performs a test load of all zones of type \fBprimary\fP found in \fBnamed.conf\fP\&.
+.TP
+.B \fBfilename\fP
+This indicates the name of the configuration file to be checked. If not specified,
+it defaults to \fB/etc/named.conf\fP\&.
+.UNINDENT
+.SH RETURN VALUES
+.sp
+\fBnamed\-checkconf\fP returns an exit status of 1 if errors were detected
+and 0 otherwise.
+.SH SEE ALSO
+.sp
+\fBnamed(8)\fP, \fBnamed\-checkzone(8)\fP, BIND 9 Administrator Reference Manual.
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/named-checkconf.rst b/doc/man/named-checkconf.rst
new file mode 100644
index 0000000..a120b43
--- /dev/null
+++ b/doc/man/named-checkconf.rst
@@ -0,0 +1,14 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+:orphan:
+
+.. include:: ../../bin/check/named-checkconf.rst
diff --git a/doc/man/named-checkzone.8in b/doc/man/named-checkzone.8in
new file mode 100644
index 0000000..3eff3d8
--- /dev/null
+++ b/doc/man/named-checkzone.8in
@@ -0,0 +1,204 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "NAMED-CHECKZONE" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+named-checkzone \- zone file validity checking or converting tool
+.SH SYNOPSIS
+.sp
+\fBnamed\-checkzone\fP [\fB\-d\fP] [\fB\-h\fP] [\fB\-j\fP] [\fB\-q\fP] [\fB\-v\fP] [\fB\-c\fP class] [\fB\-f\fP format] [\fB\-F\fP format] [\fB\-J\fP filename] [\fB\-i\fP mode] [\fB\-k\fP mode] [\fB\-m\fP mode] [\fB\-M\fP mode] [\fB\-n\fP mode] [\fB\-l\fP ttl] [\fB\-L\fP serial] [\fB\-o\fP filename] [\fB\-r\fP mode] [\fB\-s\fP style] [\fB\-S\fP mode] [\fB\-t\fP directory] [\fB\-T\fP mode] [\fB\-w\fP directory] [\fB\-D\fP] [\fB\-W\fP mode] {zonename} {filename}
+.SH DESCRIPTION
+.sp
+\fBnamed\-checkzone\fP checks the syntax and integrity of a zone file. It
+performs the same checks as \fBnamed\fP does when loading a zone. This
+makes \fBnamed\-checkzone\fP useful for checking zone files before
+configuring them into a name server.
+.SH OPTIONS
+.INDENT 0.0
+.TP
+.B \fB\-d\fP
+This option enables debugging.
+.TP
+.B \fB\-h\fP
+This option prints the usage summary and exits.
+.TP
+.B \fB\-q\fP
+This option sets quiet mode, which only sets an exit code to indicate
+successful or failed completion.
+.TP
+.B \fB\-v\fP
+This option prints the version of the \fBnamed\-checkzone\fP program and exits.
+.TP
+.B \fB\-j\fP
+When loading a zone file, this option tells \fBnamed\fP to read the journal if it exists. The journal
+file name is assumed to be the zone file name with the
+string \fB\&.jnl\fP appended.
+.TP
+.B \fB\-J filename\fP
+When loading the zone file, this option tells \fBnamed\fP to read the journal from the given file, if
+it exists. This implies \fB\-j\fP\&.
+.TP
+.B \fB\-c class\fP
+This option specifies the class of the zone. If not specified, \fBIN\fP is assumed.
+.TP
+.B \fB\-i mode\fP
+This option performs post\-load zone integrity checks. Possible modes are
+\fBfull\fP (the default), \fBfull\-sibling\fP, \fBlocal\fP,
+\fBlocal\-sibling\fP, and \fBnone\fP\&.
+.sp
+Mode \fBfull\fP checks that MX records refer to A or AAAA records
+(both in\-zone and out\-of\-zone hostnames). Mode \fBlocal\fP only
+checks MX records which refer to in\-zone hostnames.
+.sp
+Mode \fBfull\fP checks that SRV records refer to A or AAAA records
+(both in\-zone and out\-of\-zone hostnames). Mode \fBlocal\fP only
+checks SRV records which refer to in\-zone hostnames.
+.sp
+Mode \fBfull\fP checks that delegation NS records refer to A or AAAA
+records (both in\-zone and out\-of\-zone hostnames). It also checks that
+glue address records in the zone match those advertised by the child.
+Mode \fBlocal\fP only checks NS records which refer to in\-zone
+hostnames or verifies that some required glue exists, i.e., when the
+name server is in a child zone.
+.sp
+Modes \fBfull\-sibling\fP and \fBlocal\-sibling\fP disable sibling glue
+checks, but are otherwise the same as \fBfull\fP and \fBlocal\fP,
+respectively.
+.sp
+Mode \fBnone\fP disables the checks.
+.TP
+.B \fB\-f format\fP
+This option specifies the format of the zone file. Possible formats are
+\fBtext\fP (the default), \fBraw\fP, and \fBmap\fP\&.
+.TP
+.B \fB\-F format\fP
+This option specifies the format of the output file specified. For
+\fBnamed\-checkzone\fP, this does not have any effect unless it dumps
+the zone contents.
+.sp
+Possible formats are \fBtext\fP (the default), which is the standard
+textual representation of the zone, and \fBmap\fP, \fBraw\fP, and \fBraw=N\fP, which
+store the zone in a binary format for rapid loading by \fBnamed\fP\&.
+\fBraw=N\fP specifies the format version of the raw zone file: if \fBN\fP is
+0, the raw file can be read by any version of \fBnamed\fP; if N is 1, the
+file can only be read by release 9.9.0 or higher. The default is 1.
+.TP
+.B \fB\-k mode\fP
+This option performs \fBcheck\-names\fP checks with the specified failure mode.
+Possible modes are \fBfail\fP, \fBwarn\fP (the default), and \fBignore\fP\&.
+.TP
+.B \fB\-l ttl\fP
+This option sets a maximum permissible TTL for the input file. Any record with a
+TTL higher than this value causes the zone to be rejected. This
+is similar to using the \fBmax\-zone\-ttl\fP option in \fBnamed.conf\fP\&.
+.TP
+.B \fB\-L serial\fP
+When compiling a zone to \fBraw\fP or \fBmap\fP format, this option sets the \(dqsource
+serial\(dq value in the header to the specified serial number. This is
+expected to be used primarily for testing purposes.
+.TP
+.B \fB\-m mode\fP
+This option specifies whether MX records should be checked to see if they are
+addresses. Possible modes are \fBfail\fP, \fBwarn\fP (the default), and
+\fBignore\fP\&.
+.TP
+.B \fB\-M mode\fP
+This option checks whether a MX record refers to a CNAME. Possible modes are
+\fBfail\fP, \fBwarn\fP (the default), and \fBignore\fP\&.
+.TP
+.B \fB\-n mode\fP
+This option specifies whether NS records should be checked to see if they are
+addresses. Possible modes are \fBfail\fP, \fBwarn\fP (the default), and \fBignore\fP\&.
+.TP
+.B \fB\-o filename\fP
+This option writes the zone output to \fBfilename\fP\&. If \fBfilename\fP is \fB\-\fP, then
+the zone output is written to standard output.
+.TP
+.B \fB\-r mode\fP
+This option checks for records that are treated as different by DNSSEC but are
+semantically equal in plain DNS. Possible modes are \fBfail\fP,
+\fBwarn\fP (the default), and \fBignore\fP\&.
+.TP
+.B \fB\-s style\fP
+This option specifies the style of the dumped zone file. Possible styles are
+\fBfull\fP (the default) and \fBrelative\fP\&. The \fBfull\fP format is most
+suitable for processing automatically by a separate script.
+The relative format is more human\-readable and is thus
+suitable for editing by hand. This does not have any effect unless it dumps
+the zone contents. It also does not have any meaning if the output format
+is not text.
+.TP
+.B \fB\-S mode\fP
+This option checks whether an SRV record refers to a CNAME. Possible modes are
+\fBfail\fP, \fBwarn\fP (the default), and \fBignore\fP\&.
+.TP
+.B \fB\-t directory\fP
+This option tells \fBnamed\fP to chroot to \fBdirectory\fP, so that \fBinclude\fP directives in the
+configuration file are processed as if run by a similarly chrooted
+\fBnamed\fP\&.
+.TP
+.B \fB\-T mode\fP
+This option checks whether Sender Policy Framework (SPF) records exist and issues a
+warning if an SPF\-formatted TXT record is not also present. Possible
+modes are \fBwarn\fP (the default) and \fBignore\fP\&.
+.TP
+.B \fB\-w directory\fP
+This option instructs \fBnamed\fP to chdir to \fBdirectory\fP, so that relative filenames in master file
+\fB$INCLUDE\fP directives work. This is similar to the directory clause in
+\fBnamed.conf\fP\&.
+.TP
+.B \fB\-D\fP
+This option dumps the zone file in canonical format.
+.TP
+.B \fB\-W mode\fP
+This option specifies whether to check for non\-terminal wildcards. Non\-terminal
+wildcards are almost always the result of a failure to understand the
+wildcard matching algorithm (\fI\%RFC 4592\fP). Possible modes are \fBwarn\fP
+(the default) and \fBignore\fP\&.
+.TP
+.B \fBzonename\fP
+This indicates the domain name of the zone being checked.
+.TP
+.B \fBfilename\fP
+This is the name of the zone file.
+.UNINDENT
+.SH RETURN VALUES
+.sp
+\fBnamed\-checkzone\fP returns an exit status of 1 if errors were detected
+and 0 otherwise.
+.SH SEE ALSO
+.sp
+\fBnamed(8)\fP, \fBnamed\-checkconf(8)\fP, \fBnamed\-compilezone(8)\fP,
+\fI\%RFC 1035\fP, BIND 9 Administrator Reference Manual.
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/named-checkzone.rst b/doc/man/named-checkzone.rst
new file mode 100644
index 0000000..53d2a00
--- /dev/null
+++ b/doc/man/named-checkzone.rst
@@ -0,0 +1,14 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+:orphan:
+
+.. include:: ../../bin/check/named-checkzone.rst
diff --git a/doc/man/named-compilezone.8in b/doc/man/named-compilezone.8in
new file mode 100644
index 0000000..493223e
--- /dev/null
+++ b/doc/man/named-compilezone.8in
@@ -0,0 +1,206 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "NAMED-COMPILEZONE" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+named-compilezone \- zone file validity checking or converting tool
+.SH SYNOPSIS
+.sp
+\fBnamed\-compilezone\fP [\fB\-d\fP] [\fB\-h\fP] [\fB\-j\fP] [\fB\-q\fP] [\fB\-v\fP] [\fB\-c\fP class] [\fB\-f\fP format] [\fB\-F\fP format] [\fB\-J\fP filename] [\fB\-i\fP mode] [\fB\-k\fP mode] [\fB\-m\fP mode] [\fB\-M\fP mode] [\fB\-n\fP mode] [\fB\-l\fP ttl] [\fB\-L\fP serial] [\fB\-r\fP mode] [\fB\-s\fP style] [\fB\-S\fP mode] [\fB\-t\fP directory] [\fB\-T\fP mode] [\fB\-w\fP directory] [\fB\-D\fP] [\fB\-W\fP mode] {\fB\-o\fP filename} {zonename} {filename}
+.SH DESCRIPTION
+.sp
+\fBnamed\-compilezone\fP checks the syntax and integrity of a zone file,
+and dumps the zone contents to a specified file in a specified format.
+It applies strict check levels by default, since the
+dump output is used as an actual zone file loaded by \fBnamed\fP\&.
+When manually specified otherwise, the check levels must at least be as
+strict as those specified in the \fBnamed\fP configuration file.
+.SH OPTIONS
+.INDENT 0.0
+.TP
+.B \fB\-d\fP
+This option enables debugging.
+.TP
+.B \fB\-h\fP
+This option prints the usage summary and exits.
+.TP
+.B \fB\-q\fP
+This option sets quiet mode, which only sets an exit code to indicate
+successful or failed completion.
+.TP
+.B \fB\-v\fP
+This option prints the version of the \fBnamed\-checkzone\fP program and exits.
+.TP
+.B \fB\-j\fP
+When loading a zone file, this option tells \fBnamed\fP to read the journal if it exists. The journal
+file name is assumed to be the zone file name with the
+string \fB\&.jnl\fP appended.
+.TP
+.B \fB\-J filename\fP
+When loading the zone file, this option tells \fBnamed\fP to read the journal from the given file, if
+it exists. This implies \fB\-j\fP\&.
+.TP
+.B \fB\-c class\fP
+This option specifies the class of the zone. If not specified, \fBIN\fP is assumed.
+.TP
+.B \fB\-i mode\fP
+This option performs post\-load zone integrity checks. Possible modes are
+\fBfull\fP (the default), \fBfull\-sibling\fP, \fBlocal\fP,
+\fBlocal\-sibling\fP, and \fBnone\fP\&.
+.sp
+Mode \fBfull\fP checks that MX records refer to A or AAAA records
+(both in\-zone and out\-of\-zone hostnames). Mode \fBlocal\fP only
+checks MX records which refer to in\-zone hostnames.
+.sp
+Mode \fBfull\fP checks that SRV records refer to A or AAAA records
+(both in\-zone and out\-of\-zone hostnames). Mode \fBlocal\fP only
+checks SRV records which refer to in\-zone hostnames.
+.sp
+Mode \fBfull\fP checks that delegation NS records refer to A or AAAA
+records (both in\-zone and out\-of\-zone hostnames). It also checks that
+glue address records in the zone match those advertised by the child.
+Mode \fBlocal\fP only checks NS records which refer to in\-zone
+hostnames or verifies that some required glue exists, i.e., when the
+name server is in a child zone.
+.sp
+Modes \fBfull\-sibling\fP and \fBlocal\-sibling\fP disable sibling glue
+checks, but are otherwise the same as \fBfull\fP and \fBlocal\fP,
+respectively.
+.sp
+Mode \fBnone\fP disables the checks.
+.TP
+.B \fB\-f format\fP
+This option specifies the format of the zone file. Possible formats are
+\fBtext\fP (the default), \fBraw\fP, and \fBmap\fP\&.
+.TP
+.B \fB\-F format\fP
+This option specifies the format of the output file specified. For
+\fBnamed\-checkzone\fP, this does not have any effect unless it dumps
+the zone contents.
+.sp
+Possible formats are \fBtext\fP (the default), which is the standard
+textual representation of the zone, and \fBmap\fP, \fBraw\fP, and \fBraw=N\fP, which
+store the zone in a binary format for rapid loading by \fBnamed\fP\&.
+\fBraw=N\fP specifies the format version of the raw zone file: if \fBN\fP is
+0, the raw file can be read by any version of \fBnamed\fP; if N is 1, the
+file can only be read by release 9.9.0 or higher. The default is 1.
+.TP
+.B \fB\-k mode\fP
+This option performs \fBcheck\-names\fP checks with the specified failure mode.
+Possible modes are \fBfail\fP (the default), \fBwarn\fP, and \fBignore\fP\&.
+.TP
+.B \fB\-l ttl\fP
+This option sets a maximum permissible TTL for the input file. Any record with a
+TTL higher than this value causes the zone to be rejected. This
+is similar to using the \fBmax\-zone\-ttl\fP option in \fBnamed.conf\fP\&.
+.TP
+.B \fB\-L serial\fP
+When compiling a zone to \fBraw\fP or \fBmap\fP format, this option sets the \(dqsource
+serial\(dq value in the header to the specified serial number. This is
+expected to be used primarily for testing purposes.
+.TP
+.B \fB\-m mode\fP
+This option specifies whether MX records should be checked to see if they are
+addresses. Possible modes are \fBfail\fP, \fBwarn\fP (the default), and
+\fBignore\fP\&.
+.TP
+.B \fB\-M mode\fP
+This option checks whether a MX record refers to a CNAME. Possible modes are
+\fBfail\fP, \fBwarn\fP (the default), and \fBignore\fP\&.
+.TP
+.B \fB\-n mode\fP
+This option specifies whether NS records should be checked to see if they are
+addresses. Possible modes are \fBfail\fP (the default), \fBwarn\fP,  and
+\fBignore\fP\&.
+.TP
+.B \fB\-o filename\fP
+This option writes the zone output to \fBfilename\fP\&. If \fBfilename\fP is \fB\-\fP, then
+the zone output is written to standard output. This is mandatory for \fBnamed\-compilezone\fP\&.
+.TP
+.B \fB\-r mode\fP
+This option checks for records that are treated as different by DNSSEC but are
+semantically equal in plain DNS. Possible modes are \fBfail\fP,
+\fBwarn\fP (the default), and \fBignore\fP\&.
+.TP
+.B \fB\-s style\fP
+This option specifies the style of the dumped zone file. Possible styles are
+\fBfull\fP (the default) and \fBrelative\fP\&. The \fBfull\fP format is most
+suitable for processing automatically by a separate script.
+The relative format is more human\-readable and is thus
+suitable for editing by hand.
+.TP
+.B \fB\-S mode\fP
+This option checks whether an SRV record refers to a CNAME. Possible modes are
+\fBfail\fP, \fBwarn\fP (the default), and \fBignore\fP\&.
+.TP
+.B \fB\-t directory\fP
+This option tells \fBnamed\fP to chroot to \fBdirectory\fP, so that \fBinclude\fP directives in the
+configuration file are processed as if run by a similarly chrooted
+\fBnamed\fP\&.
+.TP
+.B \fB\-T mode\fP
+This option checks whether Sender Policy Framework (SPF) records exist and issues a
+warning if an SPF\-formatted TXT record is not also present. Possible
+modes are \fBwarn\fP (the default) and \fBignore\fP\&.
+.TP
+.B \fB\-w directory\fP
+This option instructs \fBnamed\fP to chdir to \fBdirectory\fP, so that relative filenames in master file
+\fB$INCLUDE\fP directives work. This is similar to the directory clause in
+\fBnamed.conf\fP\&.
+.TP
+.B \fB\-D\fP
+This option dumps the zone file in canonical format. This is always enabled for
+\fBnamed\-compilezone\fP\&.
+.TP
+.B \fB\-W mode\fP
+This option specifies whether to check for non\-terminal wildcards. Non\-terminal
+wildcards are almost always the result of a failure to understand the
+wildcard matching algorithm (\fI\%RFC 4592\fP). Possible modes are \fBwarn\fP
+(the default) and \fBignore\fP\&.
+.TP
+.B \fBzonename\fP
+This indicates the domain name of the zone being checked.
+.TP
+.B \fBfilename\fP
+This is the name of the zone file.
+.UNINDENT
+.SH RETURN VALUES
+.sp
+\fBnamed\-compilezone\fP returns an exit status of 1 if errors were detected
+and 0 otherwise.
+.SH SEE ALSO
+.sp
+\fBnamed(8)\fP, \fBnamed\-checkconf(8)\fP, \fBnamed\-checkzone(8)\fP,
+\fI\%RFC 1035\fP, BIND 9 Administrator Reference Manual.
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/named-compilezone.rst b/doc/man/named-compilezone.rst
new file mode 100644
index 0000000..9d3cae6
--- /dev/null
+++ b/doc/man/named-compilezone.rst
@@ -0,0 +1,14 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+:orphan:
+
+.. include:: ../../bin/check/named-compilezone.rst
diff --git a/doc/man/named-journalprint.8in b/doc/man/named-journalprint.8in
new file mode 100644
index 0000000..6f8d89a
--- /dev/null
+++ b/doc/man/named-journalprint.8in
@@ -0,0 +1,79 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "NAMED-JOURNALPRINT" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+named-journalprint \- print zone journal in human-readable form
+.SH SYNOPSIS
+.sp
+\fBnamed\-journalprint\fP [\-c serial] [\fB\-dux\fP] {journal}
+.SH DESCRIPTION
+.sp
+\fBnamed\-journalprint\fP scans the contents of a zone journal file,
+printing it in a human\-readable form, or, optionally, converting it
+to a different journal file format.
+.sp
+Journal files are automatically created by \fBnamed\fP when changes are
+made to dynamic zones (e.g., by \fBnsupdate\fP). They record each addition
+or deletion of a resource record, in binary format, allowing the changes
+to be re\-applied to the zone when the server is restarted after a
+shutdown or crash. By default, the name of the journal file is formed by
+appending the extension \fB\&.jnl\fP to the name of the corresponding zone
+file.
+.sp
+\fBnamed\-journalprint\fP converts the contents of a given journal file
+into a human\-readable text format. Each line begins with \fBadd\fP or \fBdel\fP,
+to indicate whether the record was added or deleted, and continues with
+the resource record in master\-file format.
+.sp
+The \fB\-c\fP (compact) option provides a mechanism to reduce the size of
+a journal by removing (most/all) transactions prior to the specified
+serial number. Note: this option \fImust not\fP be used while \fBnamed\fP is
+running, and can cause data loss if the zone file has not been updated
+to contain the data being removed from the journal. Use with extreme caution.
+.sp
+The \fB\-x\fP option causes additional data about the journal file to be
+printed at the beginning of the output and before each group of changes.
+.sp
+The \fB\-u\fP (upgrade) and \fB\-d\fP (downgrade) options recreate the journal
+file with a modified format version.  The existing journal file is
+replaced.  \fB\-d\fP writes out the journal in the format used by
+versions of BIND up to 9.16.11; \fB\-u\fP writes it out in the format used
+by versions since 9.16.13. (9.16.12 is omitted due to a journal\-formatting
+bug in that release.) Note that these options \fImust not\fP be used while
+\fBnamed\fP is running.
+.SH SEE ALSO
+.sp
+\fBnamed(8)\fP, \fBnsupdate(1)\fP, BIND 9 Administrator Reference Manual.
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/named-journalprint.rst b/doc/man/named-journalprint.rst
new file mode 100644
index 0000000..9317f7b
--- /dev/null
+++ b/doc/man/named-journalprint.rst
@@ -0,0 +1,14 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+:orphan:
+
+.. include:: ../../bin/tools/named-journalprint.rst
diff --git a/doc/man/named-nzd2nzf.8in b/doc/man/named-nzd2nzf.8in
new file mode 100644
index 0000000..f245015
--- /dev/null
+++ b/doc/man/named-nzd2nzf.8in
@@ -0,0 +1,57 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "NAMED-NZD2NZF" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+named-nzd2nzf \- convert an NZD database to NZF text format
+.SH SYNOPSIS
+.sp
+\fBnamed\-nzd2nzf\fP {filename}
+.SH DESCRIPTION
+.sp
+\fBnamed\-nzd2nzf\fP converts an NZD database to NZF format and prints it
+to standard output. This can be used to review the configuration of
+zones that were added to \fBnamed\fP via \fBrndc addzone\fP\&. It can also be
+used to restore the old file format when rolling back from a newer
+version of BIND to an older version.
+.SH ARGUMENTS
+.INDENT 0.0
+.TP
+.B \fBfilename\fP
+This is the name of the \fB\&.nzd\fP file whose contents should be printed.
+.UNINDENT
+.SH SEE ALSO
+.sp
+BIND 9 Administrator Reference Manual.
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/named-nzd2nzf.rst b/doc/man/named-nzd2nzf.rst
new file mode 100644
index 0000000..10d59e9
--- /dev/null
+++ b/doc/man/named-nzd2nzf.rst
@@ -0,0 +1,14 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+:orphan:
+
+.. include:: ../../bin/tools/named-nzd2nzf.rst
diff --git a/doc/man/named-rrchecker.1in b/doc/man/named-rrchecker.1in
new file mode 100644
index 0000000..3348558
--- /dev/null
+++ b/doc/man/named-rrchecker.1in
@@ -0,0 +1,70 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "NAMED-RRCHECKER" "1" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+named-rrchecker \- syntax checker for individual DNS resource records
+.SH SYNOPSIS
+.sp
+\fBnamed\-rrchecker\fP [\fB\-h\fP] [\fB\-o\fP origin] [\fB\-p\fP] [\fB\-u\fP] [\fB\-C\fP] [\fB\-T\fP] [\fB\-P\fP]
+.SH DESCRIPTION
+.sp
+\fBnamed\-rrchecker\fP reads a individual DNS resource record from standard
+input and checks whether it is syntactically correct.
+.SH OPTIONS
+.INDENT 0.0
+.TP
+.B \fB\-h\fP
+This option prints out the help menu.
+.TP
+.B \fB\-o origin\fP
+This option specifies the origin to be used when interpreting
+the record.
+.TP
+.B \fB\-p\fP
+This option prints out the resulting record in canonical form. If there
+is no canonical form defined, the record is printed in unknown
+record format.
+.TP
+.B \fB\-u\fP
+This option prints out the resulting record in unknown record form.
+.TP
+.B \fB\-C\fP, \fB\-T\fP, and \fB\-P\fP
+These options print out the known class, standard type,
+and private type mnemonics, respectively.
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fI\%RFC 1034\fP, \fI\%RFC 1035\fP, \fBnamed(8)\fP\&.
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/named-rrchecker.rst b/doc/man/named-rrchecker.rst
new file mode 100644
index 0000000..fff9f82
--- /dev/null
+++ b/doc/man/named-rrchecker.rst
@@ -0,0 +1,14 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+:orphan:
+
+.. include:: ../../bin/tools/named-rrchecker.rst
diff --git a/doc/man/named.8in b/doc/man/named.8in
new file mode 100644
index 0000000..b501b46
--- /dev/null
+++ b/doc/man/named.8in
@@ -0,0 +1,296 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "NAMED" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+named \- Internet domain name server
+.SH SYNOPSIS
+.sp
+\fBnamed\fP [ [\fB\-4\fP] | [\fB\-6\fP] ] [\fB\-c\fP config\-file] [\fB\-C\fP] [\fB\-d\fP debug\-level] [\fB\-D\fP string] [\fB\-E\fP engine\-name] [\fB\-f\fP] [\fB\-g\fP] [\fB\-L\fP logfile] [\fB\-M\fP option] [\fB\-m\fP flag] [\fB\-n\fP #cpus] [\fB\-p\fP port] [\fB\-s\fP] [\fB\-S\fP #max\-socks] [\fB\-t\fP directory] [\fB\-U\fP #listeners] [\fB\-u\fP user] [\fB\-v\fP] [\fB\-V\fP] [\fB\-X\fP lock\-file] [\fB\-x\fP cache\-file]
+.SH DESCRIPTION
+.sp
+\fBnamed\fP is a Domain Name System (DNS) server, part of the BIND 9
+distribution from ISC. For more information on the DNS, see \fI\%RFC 1033\fP,
+\fI\%RFC 1034\fP, and \fI\%RFC 1035\fP\&.
+.sp
+When invoked without arguments, \fBnamed\fP reads the default
+configuration file \fB/etc/named.conf\fP, reads any initial data, and
+listens for queries.
+.SH OPTIONS
+.INDENT 0.0
+.TP
+.B \fB\-4\fP
+This option tells \fBnamed\fP to use only IPv4, even if the host machine is capable of IPv6. \fB\-4\fP and
+\fB\-6\fP are mutually exclusive.
+.TP
+.B \fB\-6\fP
+This option tells \fBnamed\fP to use only IPv6, even if the host machine is capable of IPv4. \fB\-4\fP and
+\fB\-6\fP are mutually exclusive.
+.TP
+.B \fB\-c config\-file\fP
+This option tells \fBnamed\fP to use \fBconfig\-file\fP as its configuration file instead of the default,
+\fB/etc/named.conf\fP\&. To ensure that the configuration file
+can be reloaded after the server has changed its working directory
+due to to a possible \fBdirectory\fP option in the configuration file,
+\fBconfig\-file\fP should be an absolute pathname.
+.UNINDENT
+.sp
+\fB\-C\fP
+.INDENT 0.0
+.INDENT 3.5
+This option prints out the default built\-in configuration and exits.
+.sp
+NOTE: This is for debugging purposes only and is not an
+accurate representation of the actual configuration used by \fBnamed\fP
+at runtime.
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \fB\-d debug\-level\fP
+This option sets the daemon\(aqs debug level to \fBdebug\-level\fP\&. Debugging traces from
+\fBnamed\fP become more verbose as the debug level increases.
+.TP
+.B \fB\-D string\fP
+This option specifies a string that is used to identify a instance of \fBnamed\fP
+in a process listing. The contents of \fBstring\fP are not examined.
+.TP
+.B \fB\-E engine\-name\fP
+When applicable, this option specifies the hardware to use for cryptographic
+operations, such as a secure key store used for signing.
+.sp
+When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+engine identifier that drives the cryptographic accelerator or
+hardware service module (usually \fBpkcs11\fP). When BIND is
+built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it
+defaults to the path of the PKCS#11 provider library specified via
+\fB\-\-with\-pkcs11\fP\&.
+.TP
+.B \fB\-f\fP
+This option runs the server in the foreground (i.e., do not daemonize).
+.TP
+.B \fB\-g\fP
+This option runs the server in the foreground and forces all logging to \fBstderr\fP\&.
+.TP
+.B \fB\-L logfile\fP
+This option sets the log to the file \fBlogfile\fP by default, instead of the system log.
+.UNINDENT
+.sp
+\fB\-M option\fP
+.INDENT 0.0
+.INDENT 3.5
+This option sets the default (comma\-separated) memory context
+options. The possible flags are:
+.INDENT 0.0
+.IP \(bu 2
+\fBexternal\fP: use system\-provided memory allocation functions; this
+is the implicit default.
+.IP \(bu 2
+\fBinternal\fP: use the internal memory manager.
+.IP \(bu 2
+\fBfill\fP: fill blocks of memory with tag values when they are
+allocated or freed, to assist debugging of memory problems; this is
+the implicit default if \fBnamed\fP has been compiled with
+\fB\-\-enable\-developer\fP\&.
+.IP \(bu 2
+\fBnofill\fP: disable the behavior enabled by \fBfill\fP; this is the
+implicit default unless \fBnamed\fP has been compiled with
+\fB\-\-enable\-developer\fP\&.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \fB\-m flag\fP
+This option turns on memory usage debugging flags. Possible flags are \fBusage\fP,
+\fBtrace\fP, \fBrecord\fP, \fBsize\fP, and \fBmctx\fP\&. These correspond to the
+\fBISC_MEM_DEBUGXXXX\fP flags described in \fB<isc/mem.h>\fP\&.
+.TP
+.B \fB\-n #cpus\fP
+This option controls the number of CPUs that \fBnamed\fP assumes the
+presence of. If not specified, \fBnamed\fP tries to determine the
+number of CPUs present automatically; if it fails, a single CPU is
+assumed to be present.
+.sp
+\fBnamed\fP creates two threads per each CPU present (one thread for
+receiving and sending client traffic and another thread for sending
+and receiving resolver traffic) and then on top of that a single
+thread for handling time\-based events.
+.TP
+.B \fB\-p port\fP
+This option listens for queries on \fBport\fP\&. If not specified, the default is
+port 53.
+.TP
+.B \fB\-s\fP
+This option writes memory usage statistics to \fBstdout\fP on exit.
+.UNINDENT
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+This option is mainly of interest to BIND 9 developers and may be
+removed or changed in a future release.
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \fB\-S #max\-socks\fP
+This option allows \fBnamed\fP to use up to \fB#max\-socks\fP sockets. The default value is
+21000 on systems built with default configuration options, and 4096
+on systems built with \fBconfigure \-\-with\-tuning=small\fP\&.
+.UNINDENT
+.sp
+\fBWARNING:\fP
+.INDENT 0.0
+.INDENT 3.5
+This option should be unnecessary for the vast majority of users.
+The use of this option could even be harmful, because the specified
+value may exceed the limitation of the underlying system API. It
+is therefore set only when the default configuration causes
+exhaustion of file descriptors and the operational environment is
+known to support the specified number of sockets. Note also that
+the actual maximum number is normally slightly fewer than the
+specified value, because \fBnamed\fP reserves some file descriptors
+for its internal use.
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \fB\-t directory\fP
+This option tells \fBnamed\fP to chroot to \fBdirectory\fP after processing the command\-line arguments, but
+before reading the configuration file.
+.UNINDENT
+.sp
+\fBWARNING:\fP
+.INDENT 0.0
+.INDENT 3.5
+This option should be used in conjunction with the \fB\-u\fP option,
+as chrooting a process running as root doesn\(aqt enhance security on
+most systems; the way \fBchroot\fP is defined allows a process
+with root privileges to escape a chroot jail.
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \fB\-U #listeners\fP
+This option tells \fBnamed\fP the number of \fB#listeners\fP worker threads to listen on, for incoming UDP packets on
+each address. If not specified, \fBnamed\fP calculates a default
+value based on the number of detected CPUs: 1 for 1 CPU, and the
+number of detected CPUs minus one for machines with more than 1 CPU.
+This cannot be increased to a value higher than the number of CPUs.
+If \fB\-n\fP has been set to a higher value than the number of detected
+CPUs, then \fB\-U\fP may be increased as high as that value, but no
+higher. On Windows, the number of UDP listeners is hardwired to 1 and
+this option has no effect.
+.TP
+.B \fB\-u user\fP
+This option sets the setuid to \fBuser\fP after completing privileged operations, such as
+creating sockets that listen on privileged ports.
+.UNINDENT
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+On Linux, \fBnamed\fP uses the kernel\(aqs capability mechanism to drop
+all root privileges except the ability to \fBbind\fP to a
+privileged port and set process resource limits. Unfortunately,
+this means that the \fB\-u\fP option only works when \fBnamed\fP is run
+on kernel 2.2.18 or later, or kernel 2.3.99\-pre3 or later, since
+previous kernels did not allow privileges to be retained after
+\fBsetuid\fP\&.
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \fB\-v\fP
+This option reports the version number and exits.
+.TP
+.B \fB\-V\fP
+This option reports the version number, build options, supported
+cryptographics algorithms, and exits.
+.TP
+.B \fB\-X lock\-file\fP
+This option acquires a lock on the specified file at runtime; this helps to
+prevent duplicate \fBnamed\fP instances from running simultaneously.
+Use of this option overrides the \fBlock\-file\fP option in
+\fBnamed.conf\fP\&. If set to \fBnone\fP, the lock file check is disabled.
+.TP
+.B \fB\-x cache\-file\fP
+This option loads data from \fBcache\-file\fP into the cache of the default view.
+.UNINDENT
+.sp
+\fBWARNING:\fP
+.INDENT 0.0
+.INDENT 3.5
+This option must not be used in normal operations. It is only of interest to BIND 9
+developers and may be removed or changed in a future release.
+.UNINDENT
+.UNINDENT
+.SH SIGNALS
+.sp
+In routine operation, signals should not be used to control the
+nameserver; \fBrndc\fP should be used instead.
+.INDENT 0.0
+.TP
+.B SIGHUP
+This signal forces a reload of the server.
+.TP
+.B SIGINT, SIGTERM
+These signals shut down the server.
+.UNINDENT
+.sp
+The result of sending any other signals to the server is undefined.
+.SH CONFIGURATION
+.sp
+The \fBnamed\fP configuration file is too complex to describe in detail
+here. A complete description is provided in the BIND 9 Administrator
+Reference Manual.
+.sp
+\fBnamed\fP inherits the \fBumask\fP (file creation mode mask) from the
+parent process. If files created by \fBnamed\fP, such as journal files,
+need to have custom permissions, the \fBumask\fP should be set explicitly
+in the script used to start the \fBnamed\fP process.
+.SH FILES
+.INDENT 0.0
+.TP
+.B \fB/etc/named.conf\fP
+The default configuration file.
+.TP
+.B \fB/var/run/named/named.pid\fP
+The default process\-id file.
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fI\%RFC 1033\fP, \fI\%RFC 1034\fP, \fI\%RFC 1035\fP, \fBnamed\-checkconf(8)\fP, \fBnamed\-checkzone(8)\fP, \fBrndc(8)\fP, \fBnamed.conf(5)\fP, BIND 9 Administrator Reference Manual.
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/named.conf.5in b/doc/man/named.conf.5in
new file mode 100644
index 0000000..c87afa2
--- /dev/null
+++ b/doc/man/named.conf.5in
@@ -0,0 +1,1175 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "NAMED.CONF" "5" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+named.conf \- configuration file for **named**
+.SH SYNOPSIS
+.sp
+\fBnamed.conf\fP
+.SH DESCRIPTION
+.sp
+\fBnamed.conf\fP is the configuration file for \fBnamed\fP\&. Statements are
+enclosed in braces and terminated with a semi\-colon. Clauses in the
+statements are also semi\-colon terminated.  The usual comment styles are
+supported:
+.sp
+C style: /* */
+.INDENT 0.0
+.INDENT 3.5
+C++ style: // to end of line
+.UNINDENT
+.UNINDENT
+.sp
+Unix style: # to end of line
+.SS ACL
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+acl string { address_match_element; ... };
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS CONTROLS
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+controls {
+      inet ( ipv4_address | ipv6_address |
+          * ) [ port ( integer | * ) ] allow
+          { address_match_element; ... } [
+          keys { string; ... } ] [ read\-only
+          boolean ];
+      unix quoted_string perm integer
+          owner integer group integer [
+          keys { string; ... } ] [ read\-only
+          boolean ];
+};
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS DLZ
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+dlz string {
+      database string;
+      search boolean;
+};
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS DNSSEC\-POLICY
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+dnssec\-policy string {
+      dnskey\-ttl duration;
+      keys { ( csk | ksk | zsk ) [ ( key\-directory ) ] lifetime
+          duration_or_unlimited algorithm string [ integer ]; ... };
+      max\-zone\-ttl duration;
+      nsec3param [ iterations integer ] [ optout boolean ] [
+          salt\-length integer ];
+      parent\-ds\-ttl duration;
+      parent\-propagation\-delay duration;
+      publish\-safety duration;
+      purge\-keys duration;
+      retire\-safety duration;
+      signatures\-refresh duration;
+      signatures\-validity duration;
+      signatures\-validity\-dnskey duration;
+      zone\-propagation\-delay duration;
+};
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS DYNDB
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+dyndb string quoted_string {
+    unspecified\-text };
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS KEY
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+key string {
+      algorithm string;
+      secret string;
+};
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS LOGGING
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+logging {
+      category string { string; ... };
+      channel string {
+              buffered boolean;
+              file quoted_string [ versions ( unlimited | integer ) ]
+                  [ size size ] [ suffix ( increment | timestamp ) ];
+              null;
+              print\-category boolean;
+              print\-severity boolean;
+              print\-time ( iso8601 | iso8601\-utc | local | boolean );
+              severity log_severity;
+              stderr;
+              syslog [ syslog_facility ];
+      };
+};
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS MANAGED\-KEYS
+.sp
+See DNSSEC\-KEYS.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+managed\-keys { string ( static\-key
+    | initial\-key | static\-ds |
+    initial\-ds ) integer integer
+    integer quoted_string; ... };, deprecated
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS MASTERS
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+masters string [ port integer ] [ dscp
+    integer ] { ( remote\-servers |
+    ipv4_address [ port integer ] |
+    ipv6_address [ port integer ] ) [ key
+    string ]; ... };
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS OPTIONS
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+options {
+      allow\-new\-zones boolean;
+      allow\-notify { address_match_element; ... };
+      allow\-query { address_match_element; ... };
+      allow\-query\-cache { address_match_element; ... };
+      allow\-query\-cache\-on { address_match_element; ... };
+      allow\-query\-on { address_match_element; ... };
+      allow\-recursion { address_match_element; ... };
+      allow\-recursion\-on { address_match_element; ... };
+      allow\-transfer { address_match_element; ... };
+      allow\-update { address_match_element; ... };
+      allow\-update\-forwarding { address_match_element; ... };
+      also\-notify [ port integer ] [ dscp integer ] { (
+          remote\-servers | ipv4_address [ port integer ] |
+          ipv6_address [ port integer ] ) [ key string ]; ... };
+      alt\-transfer\-source ( ipv4_address | * ) [ port ( integer | * )
+          ] [ dscp integer ];
+      alt\-transfer\-source\-v6 ( ipv6_address | * ) [ port ( integer |
+          * ) ] [ dscp integer ];
+      answer\-cookie boolean;
+      attach\-cache string;
+      auth\-nxdomain boolean; // default changed
+      auto\-dnssec ( allow | maintain | off );// deprecated
+      automatic\-interface\-scan boolean;
+      avoid\-v4\-udp\-ports { portrange; ... };
+      avoid\-v6\-udp\-ports { portrange; ... };
+      bindkeys\-file quoted_string;
+      blackhole { address_match_element; ... };
+      cache\-file quoted_string;// deprecated
+      catalog\-zones { zone string [ default\-masters [ port integer ]
+          [ dscp integer ] { ( remote\-servers | ipv4_address [ port
+          integer ] | ipv6_address [ port integer ] ) [ key
+          string ]; ... } ] [ zone\-directory quoted_string ] [
+          in\-memory boolean ] [ min\-update\-interval duration ]; ... };
+      check\-dup\-records ( fail | warn | ignore );
+      check\-integrity boolean;
+      check\-mx ( fail | warn | ignore );
+      check\-mx\-cname ( fail | warn | ignore );
+      check\-names ( primary | master |
+          secondary | slave | response ) (
+          fail | warn | ignore );
+      check\-sibling boolean;
+      check\-spf ( warn | ignore );
+      check\-srv\-cname ( fail | warn | ignore );
+      check\-wildcard boolean;
+      clients\-per\-query integer;
+      cookie\-algorithm ( aes | siphash24 );
+      cookie\-secret string;
+      coresize ( default | unlimited | sizeval );
+      datasize ( default | unlimited | sizeval );
+      deny\-answer\-addresses { address_match_element; ... } [
+          except\-from { string; ... } ];
+      deny\-answer\-aliases { string; ... } [ except\-from { string; ...
+          } ];
+      dialup ( notify | notify\-passive | passive | refresh | boolean );
+      directory quoted_string;
+      disable\-algorithms string { string;
+          ... };
+      disable\-ds\-digests string { string;
+          ... };
+      disable\-empty\-zone string;
+      dns64 netprefix {
+              break\-dnssec boolean;
+              clients { address_match_element; ... };
+              exclude { address_match_element; ... };
+              mapped { address_match_element; ... };
+              recursive\-only boolean;
+              suffix ipv6_address;
+      };
+      dns64\-contact string;
+      dns64\-server string;
+      dnskey\-sig\-validity integer;
+      dnsrps\-enable boolean;
+      dnsrps\-options { unspecified\-text };
+      dnssec\-accept\-expired boolean;
+      dnssec\-dnskey\-kskonly boolean;
+      dnssec\-loadkeys\-interval integer;
+      dnssec\-must\-be\-secure string boolean;
+      dnssec\-policy string;
+      dnssec\-secure\-to\-insecure boolean;
+      dnssec\-update\-mode ( maintain | no\-resign );
+      dnssec\-validation ( yes | no | auto );
+      dnstap { ( all | auth | client | forwarder | resolver | update ) [
+          ( query | response ) ]; ... };
+      dnstap\-identity ( quoted_string | none | hostname );
+      dnstap\-output ( file | unix ) quoted_string [ size ( unlimited |
+          size ) ] [ versions ( unlimited | integer ) ] [ suffix (
+          increment | timestamp ) ];
+      dnstap\-version ( quoted_string | none );
+      dscp integer;
+      dual\-stack\-servers [ port integer ] { ( quoted_string [ port
+          integer ] [ dscp integer ] | ipv4_address [ port
+          integer ] [ dscp integer ] | ipv6_address [ port
+          integer ] [ dscp integer ] ); ... };
+      dump\-file quoted_string;
+      edns\-udp\-size integer;
+      empty\-contact string;
+      empty\-server string;
+      empty\-zones\-enable boolean;
+      fetch\-quota\-params integer fixedpoint fixedpoint fixedpoint;
+      fetches\-per\-server integer [ ( drop | fail ) ];
+      fetches\-per\-zone integer [ ( drop | fail ) ];
+      files ( default | unlimited | sizeval );
+      flush\-zones\-on\-shutdown boolean;
+      forward ( first | only );
+      forwarders [ port integer ] [ dscp integer ] { ( ipv4_address
+          | ipv6_address ) [ port integer ] [ dscp integer ]; ... };
+      fstrm\-set\-buffer\-hint integer;
+      fstrm\-set\-flush\-timeout integer;
+      fstrm\-set\-input\-queue\-size integer;
+      fstrm\-set\-output\-notify\-threshold integer;
+      fstrm\-set\-output\-queue\-model ( mpsc | spsc );
+      fstrm\-set\-output\-queue\-size integer;
+      fstrm\-set\-reopen\-interval duration;
+      geoip\-directory ( quoted_string | none );
+      glue\-cache boolean;
+      heartbeat\-interval integer;
+      hostname ( quoted_string | none );
+      interface\-interval duration;
+      ixfr\-from\-differences ( primary | master | secondary | slave |
+          boolean );
+      keep\-response\-order { address_match_element; ... };
+      key\-directory quoted_string;
+      lame\-ttl duration;
+      listen\-on [ port integer ] [ dscp
+          integer ] {
+          address_match_element; ... };
+      listen\-on\-v6 [ port integer ] [ dscp
+          integer ] {
+          address_match_element; ... };
+      lmdb\-mapsize sizeval;
+      lock\-file ( quoted_string | none );
+      managed\-keys\-directory quoted_string;
+      masterfile\-format ( map | raw | text );
+      masterfile\-style ( full | relative );
+      match\-mapped\-addresses boolean;
+      max\-cache\-size ( default | unlimited | sizeval | percentage );
+      max\-cache\-ttl duration;
+      max\-clients\-per\-query integer;
+      max\-ixfr\-ratio ( unlimited | percentage );
+      max\-journal\-size ( default | unlimited | sizeval );
+      max\-ncache\-ttl duration;
+      max\-records integer;
+      max\-recursion\-depth integer;
+      max\-recursion\-queries integer;
+      max\-refresh\-time integer;
+      max\-retry\-time integer;
+      max\-rsa\-exponent\-size integer;
+      max\-stale\-ttl duration;
+      max\-transfer\-idle\-in integer;
+      max\-transfer\-idle\-out integer;
+      max\-transfer\-time\-in integer;
+      max\-transfer\-time\-out integer;
+      max\-udp\-size integer;
+      max\-zone\-ttl ( unlimited | duration );
+      memstatistics boolean;
+      memstatistics\-file quoted_string;
+      message\-compression boolean;
+      min\-cache\-ttl duration;
+      min\-ncache\-ttl duration;
+      min\-refresh\-time integer;
+      min\-retry\-time integer;
+      minimal\-any boolean;
+      minimal\-responses ( no\-auth | no\-auth\-recursive | boolean );
+      multi\-master boolean;
+      new\-zones\-directory quoted_string;
+      no\-case\-compress { address_match_element; ... };
+      nocookie\-udp\-size integer;
+      notify ( explicit | master\-only | primary\-only | boolean );
+      notify\-delay integer;
+      notify\-rate integer;
+      notify\-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+          dscp integer ];
+      notify\-source\-v6 ( ipv6_address | * ) [ port ( integer | * ) ]
+          [ dscp integer ];
+      notify\-to\-soa boolean;
+      nta\-lifetime duration;
+      nta\-recheck duration;
+      nxdomain\-redirect string;
+      parental\-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+          dscp integer ];
+      parental\-source\-v6 ( ipv6_address | * ) [ port ( integer | * )
+          ] [ dscp integer ];
+      pid\-file ( quoted_string | none );
+      port integer;
+      preferred\-glue string;
+      prefetch integer [ integer ];
+      provide\-ixfr boolean;
+      qname\-minimization ( strict | relaxed | disabled | off );
+      query\-source ( ( [ address ] ( ipv4_address | * ) [ port (
+          integer | * ) ] ) | ( [ [ address ] ( ipv4_address | * ) ]
+          port ( integer | * ) ) ) [ dscp integer ];
+      query\-source\-v6 ( ( [ address ] ( ipv6_address | * ) [ port (
+          integer | * ) ] ) | ( [ [ address ] ( ipv6_address | * ) ]
+          port ( integer | * ) ) ) [ dscp integer ];
+      querylog boolean;
+      random\-device ( quoted_string | none );
+      rate\-limit {
+              all\-per\-second integer;
+              errors\-per\-second integer;
+              exempt\-clients { address_match_element; ... };
+              ipv4\-prefix\-length integer;
+              ipv6\-prefix\-length integer;
+              log\-only boolean;
+              max\-table\-size integer;
+              min\-table\-size integer;
+              nodata\-per\-second integer;
+              nxdomains\-per\-second integer;
+              qps\-scale integer;
+              referrals\-per\-second integer;
+              responses\-per\-second integer;
+              slip integer;
+              window integer;
+      };
+      recursing\-file quoted_string;
+      recursion boolean;
+      recursive\-clients integer;
+      request\-expire boolean;
+      request\-ixfr boolean;
+      request\-nsid boolean;
+      require\-server\-cookie boolean;
+      reserved\-sockets integer;
+      resolver\-nonbackoff\-tries integer;
+      resolver\-query\-timeout integer;
+      resolver\-retry\-interval integer;
+      response\-padding { address_match_element; ... } block\-size
+          integer;
+      response\-policy { zone string [ add\-soa boolean ] [ log
+          boolean ] [ max\-policy\-ttl duration ] [ min\-update\-interval
+          duration ] [ policy ( cname | disabled | drop | given | no\-op
+          | nodata | nxdomain | passthru | tcp\-only quoted_string ) ] [
+          recursive\-only boolean ] [ nsip\-enable boolean ] [
+          nsdname\-enable boolean ]; ... } [ add\-soa boolean ] [
+          break\-dnssec boolean ] [ max\-policy\-ttl duration ] [
+          min\-update\-interval duration ] [ min\-ns\-dots integer ] [
+          nsip\-wait\-recurse boolean ] [ qname\-wait\-recurse boolean ]
+          [ recursive\-only boolean ] [ nsip\-enable boolean ] [
+          nsdname\-enable boolean ] [ dnsrps\-enable boolean ] [
+          dnsrps\-options { unspecified\-text } ];
+      reuseport boolean;
+      root\-delegation\-only [ exclude { string; ... } ];
+      root\-key\-sentinel boolean;
+      rrset\-order { [ class string ] [ type string ] [ name
+          quoted_string ] string string; ... };
+      secroots\-file quoted_string;
+      send\-cookie boolean;
+      serial\-query\-rate integer;
+      serial\-update\-method ( date | increment | unixtime );
+      server\-id ( quoted_string | none | hostname );
+      servfail\-ttl duration;
+      session\-keyalg string;
+      session\-keyfile ( quoted_string | none );
+      session\-keyname string;
+      sig\-signing\-nodes integer;
+      sig\-signing\-signatures integer;
+      sig\-signing\-type integer;
+      sig\-validity\-interval integer [ integer ];
+      sortlist { address_match_element; ... };
+      stacksize ( default | unlimited | sizeval );
+      stale\-answer\-client\-timeout ( disabled | off | integer );
+      stale\-answer\-enable boolean;
+      stale\-answer\-ttl duration;
+      stale\-cache\-enable boolean;
+      stale\-refresh\-time duration;
+      startup\-notify\-rate integer;
+      statistics\-file quoted_string;
+      synth\-from\-dnssec boolean;
+      tcp\-advertised\-timeout integer;
+      tcp\-clients integer;
+      tcp\-idle\-timeout integer;
+      tcp\-initial\-timeout integer;
+      tcp\-keepalive\-timeout integer;
+      tcp\-listen\-queue integer;
+      tkey\-dhkey quoted_string integer;
+      tkey\-domain quoted_string;
+      tkey\-gssapi\-credential quoted_string;
+      tkey\-gssapi\-keytab quoted_string;
+      transfer\-format ( many\-answers | one\-answer );
+      transfer\-message\-size integer;
+      transfer\-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+          dscp integer ];
+      transfer\-source\-v6 ( ipv6_address | * ) [ port ( integer | * )
+          ] [ dscp integer ];
+      transfers\-in integer;
+      transfers\-out integer;
+      transfers\-per\-ns integer;
+      trust\-anchor\-telemetry boolean; // experimental
+      try\-tcp\-refresh boolean;
+      update\-check\-ksk boolean;
+      update\-quota integer;
+      use\-alt\-transfer\-source boolean;
+      use\-v4\-udp\-ports { portrange; ... };
+      use\-v6\-udp\-ports { portrange; ... };
+      v6\-bias integer;
+      validate\-except { string; ... };
+      version ( quoted_string | none );
+      zero\-no\-soa\-ttl boolean;
+      zero\-no\-soa\-ttl\-cache boolean;
+      zone\-statistics ( full | terse | none | boolean );
+};
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS PARENTAL\-AGENTS
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+parental\-agents string [ port integer ] [
+    dscp integer ] { ( remote\-servers |
+    ipv4_address [ port integer ] |
+    ipv6_address [ port integer ] ) [ key
+    string ]; ... };
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS PLUGIN
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+plugin ( query ) string [ { unspecified\-text
+    } ];
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS PRIMARIES
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+primaries string [ port integer ] [ dscp
+    integer ] { ( remote\-servers |
+    ipv4_address [ port integer ] |
+    ipv6_address [ port integer ] ) [ key
+    string ]; ... };
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS SERVER
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+server netprefix {
+      bogus boolean;
+      edns boolean;
+      edns\-udp\-size integer;
+      edns\-version integer;
+      keys server_key;
+      max\-udp\-size integer;
+      notify\-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+          dscp integer ];
+      notify\-source\-v6 ( ipv6_address | * ) [ port ( integer | * ) ]
+          [ dscp integer ];
+      padding integer;
+      provide\-ixfr boolean;
+      query\-source ( ( [ address ] ( ipv4_address | * ) [ port (
+          integer | * ) ] ) | ( [ [ address ] ( ipv4_address | * ) ]
+          port ( integer | * ) ) ) [ dscp integer ];
+      query\-source\-v6 ( ( [ address ] ( ipv6_address | * ) [ port (
+          integer | * ) ] ) | ( [ [ address ] ( ipv6_address | * ) ]
+          port ( integer | * ) ) ) [ dscp integer ];
+      request\-expire boolean;
+      request\-ixfr boolean;
+      request\-nsid boolean;
+      send\-cookie boolean;
+      tcp\-keepalive boolean;
+      tcp\-only boolean;
+      transfer\-format ( many\-answers | one\-answer );
+      transfer\-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+          dscp integer ];
+      transfer\-source\-v6 ( ipv6_address | * ) [ port ( integer | * )
+          ] [ dscp integer ];
+      transfers integer;
+};
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS STATISTICS\-CHANNELS
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+statistics\-channels {
+      inet ( ipv4_address | ipv6_address |
+          * ) [ port ( integer | * ) ] [
+          allow { address_match_element; ...
+          } ];
+};
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS TRUST\-ANCHORS
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+trust\-anchors { string ( static\-key |
+    initial\-key | static\-ds | initial\-ds )
+    integer integer integer
+    quoted_string; ... };
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS TRUSTED\-KEYS
+.sp
+Deprecated \- see DNSSEC\-KEYS.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+trusted\-keys { string integer
+    integer integer
+    quoted_string; ... };, deprecated
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS VIEW
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+view string [ class ] {
+      allow\-new\-zones boolean;
+      allow\-notify { address_match_element; ... };
+      allow\-query { address_match_element; ... };
+      allow\-query\-cache { address_match_element; ... };
+      allow\-query\-cache\-on { address_match_element; ... };
+      allow\-query\-on { address_match_element; ... };
+      allow\-recursion { address_match_element; ... };
+      allow\-recursion\-on { address_match_element; ... };
+      allow\-transfer { address_match_element; ... };
+      allow\-update { address_match_element; ... };
+      allow\-update\-forwarding { address_match_element; ... };
+      also\-notify [ port integer ] [ dscp integer ] { (
+          remote\-servers | ipv4_address [ port integer ] |
+          ipv6_address [ port integer ] ) [ key string ]; ... };
+      alt\-transfer\-source ( ipv4_address | * ) [ port ( integer | * )
+          ] [ dscp integer ];
+      alt\-transfer\-source\-v6 ( ipv6_address | * ) [ port ( integer |
+          * ) ] [ dscp integer ];
+      attach\-cache string;
+      auth\-nxdomain boolean; // default changed
+      auto\-dnssec ( allow | maintain | off );// deprecated
+      cache\-file quoted_string;// deprecated
+      catalog\-zones { zone string [ default\-masters [ port integer ]
+          [ dscp integer ] { ( remote\-servers | ipv4_address [ port
+          integer ] | ipv6_address [ port integer ] ) [ key
+          string ]; ... } ] [ zone\-directory quoted_string ] [
+          in\-memory boolean ] [ min\-update\-interval duration ]; ... };
+      check\-dup\-records ( fail | warn | ignore );
+      check\-integrity boolean;
+      check\-mx ( fail | warn | ignore );
+      check\-mx\-cname ( fail | warn | ignore );
+      check\-names ( primary | master |
+          secondary | slave | response ) (
+          fail | warn | ignore );
+      check\-sibling boolean;
+      check\-spf ( warn | ignore );
+      check\-srv\-cname ( fail | warn | ignore );
+      check\-wildcard boolean;
+      clients\-per\-query integer;
+      deny\-answer\-addresses { address_match_element; ... } [
+          except\-from { string; ... } ];
+      deny\-answer\-aliases { string; ... } [ except\-from { string; ...
+          } ];
+      dialup ( notify | notify\-passive | passive | refresh | boolean );
+      disable\-algorithms string { string;
+          ... };
+      disable\-ds\-digests string { string;
+          ... };
+      disable\-empty\-zone string;
+      dlz string {
+              database string;
+              search boolean;
+      };
+      dns64 netprefix {
+              break\-dnssec boolean;
+              clients { address_match_element; ... };
+              exclude { address_match_element; ... };
+              mapped { address_match_element; ... };
+              recursive\-only boolean;
+              suffix ipv6_address;
+      };
+      dns64\-contact string;
+      dns64\-server string;
+      dnskey\-sig\-validity integer;
+      dnsrps\-enable boolean;
+      dnsrps\-options { unspecified\-text };
+      dnssec\-accept\-expired boolean;
+      dnssec\-dnskey\-kskonly boolean;
+      dnssec\-loadkeys\-interval integer;
+      dnssec\-must\-be\-secure string boolean;
+      dnssec\-policy string;
+      dnssec\-secure\-to\-insecure boolean;
+      dnssec\-update\-mode ( maintain | no\-resign );
+      dnssec\-validation ( yes | no | auto );
+      dnstap { ( all | auth | client | forwarder | resolver | update ) [
+          ( query | response ) ]; ... };
+      dual\-stack\-servers [ port integer ] { ( quoted_string [ port
+          integer ] [ dscp integer ] | ipv4_address [ port
+          integer ] [ dscp integer ] | ipv6_address [ port
+          integer ] [ dscp integer ] ); ... };
+      dyndb string quoted_string {
+          unspecified\-text };
+      edns\-udp\-size integer;
+      empty\-contact string;
+      empty\-server string;
+      empty\-zones\-enable boolean;
+      fetch\-quota\-params integer fixedpoint fixedpoint fixedpoint;
+      fetches\-per\-server integer [ ( drop | fail ) ];
+      fetches\-per\-zone integer [ ( drop | fail ) ];
+      forward ( first | only );
+      forwarders [ port integer ] [ dscp integer ] { ( ipv4_address
+          | ipv6_address ) [ port integer ] [ dscp integer ]; ... };
+      glue\-cache boolean;
+      ixfr\-from\-differences ( primary | master | secondary | slave |
+          boolean );
+      key string {
+              algorithm string;
+              secret string;
+      };
+      key\-directory quoted_string;
+      lame\-ttl duration;
+      lmdb\-mapsize sizeval;
+      managed\-keys { string (
+          static\-key | initial\-key
+          | static\-ds | initial\-ds
+          ) integer integer
+          integer
+          quoted_string; ... };, deprecated
+      masterfile\-format ( map | raw | text );
+      masterfile\-style ( full | relative );
+      match\-clients { address_match_element; ... };
+      match\-destinations { address_match_element; ... };
+      match\-recursive\-only boolean;
+      max\-cache\-size ( default | unlimited | sizeval | percentage );
+      max\-cache\-ttl duration;
+      max\-clients\-per\-query integer;
+      max\-ixfr\-ratio ( unlimited | percentage );
+      max\-journal\-size ( default | unlimited | sizeval );
+      max\-ncache\-ttl duration;
+      max\-records integer;
+      max\-recursion\-depth integer;
+      max\-recursion\-queries integer;
+      max\-refresh\-time integer;
+      max\-retry\-time integer;
+      max\-stale\-ttl duration;
+      max\-transfer\-idle\-in integer;
+      max\-transfer\-idle\-out integer;
+      max\-transfer\-time\-in integer;
+      max\-transfer\-time\-out integer;
+      max\-udp\-size integer;
+      max\-zone\-ttl ( unlimited | duration );
+      message\-compression boolean;
+      min\-cache\-ttl duration;
+      min\-ncache\-ttl duration;
+      min\-refresh\-time integer;
+      min\-retry\-time integer;
+      minimal\-any boolean;
+      minimal\-responses ( no\-auth | no\-auth\-recursive | boolean );
+      multi\-master boolean;
+      new\-zones\-directory quoted_string;
+      no\-case\-compress { address_match_element; ... };
+      nocookie\-udp\-size integer;
+      notify ( explicit | master\-only | primary\-only | boolean );
+      notify\-delay integer;
+      notify\-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+          dscp integer ];
+      notify\-source\-v6 ( ipv6_address | * ) [ port ( integer | * ) ]
+          [ dscp integer ];
+      notify\-to\-soa boolean;
+      nta\-lifetime duration;
+      nta\-recheck duration;
+      nxdomain\-redirect string;
+      parental\-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+          dscp integer ];
+      parental\-source\-v6 ( ipv6_address | * ) [ port ( integer | * )
+          ] [ dscp integer ];
+      plugin ( query ) string [ {
+          unspecified\-text } ];
+      preferred\-glue string;
+      prefetch integer [ integer ];
+      provide\-ixfr boolean;
+      qname\-minimization ( strict | relaxed | disabled | off );
+      query\-source ( ( [ address ] ( ipv4_address | * ) [ port (
+          integer | * ) ] ) | ( [ [ address ] ( ipv4_address | * ) ]
+          port ( integer | * ) ) ) [ dscp integer ];
+      query\-source\-v6 ( ( [ address ] ( ipv6_address | * ) [ port (
+          integer | * ) ] ) | ( [ [ address ] ( ipv6_address | * ) ]
+          port ( integer | * ) ) ) [ dscp integer ];
+      rate\-limit {
+              all\-per\-second integer;
+              errors\-per\-second integer;
+              exempt\-clients { address_match_element; ... };
+              ipv4\-prefix\-length integer;
+              ipv6\-prefix\-length integer;
+              log\-only boolean;
+              max\-table\-size integer;
+              min\-table\-size integer;
+              nodata\-per\-second integer;
+              nxdomains\-per\-second integer;
+              qps\-scale integer;
+              referrals\-per\-second integer;
+              responses\-per\-second integer;
+              slip integer;
+              window integer;
+      };
+      recursion boolean;
+      request\-expire boolean;
+      request\-ixfr boolean;
+      request\-nsid boolean;
+      require\-server\-cookie boolean;
+      resolver\-nonbackoff\-tries integer;
+      resolver\-query\-timeout integer;
+      resolver\-retry\-interval integer;
+      response\-padding { address_match_element; ... } block\-size
+          integer;
+      response\-policy { zone string [ add\-soa boolean ] [ log
+          boolean ] [ max\-policy\-ttl duration ] [ min\-update\-interval
+          duration ] [ policy ( cname | disabled | drop | given | no\-op
+          | nodata | nxdomain | passthru | tcp\-only quoted_string ) ] [
+          recursive\-only boolean ] [ nsip\-enable boolean ] [
+          nsdname\-enable boolean ]; ... } [ add\-soa boolean ] [
+          break\-dnssec boolean ] [ max\-policy\-ttl duration ] [
+          min\-update\-interval duration ] [ min\-ns\-dots integer ] [
+          nsip\-wait\-recurse boolean ] [ qname\-wait\-recurse boolean ]
+          [ recursive\-only boolean ] [ nsip\-enable boolean ] [
+          nsdname\-enable boolean ] [ dnsrps\-enable boolean ] [
+          dnsrps\-options { unspecified\-text } ];
+      root\-delegation\-only [ exclude { string; ... } ];
+      root\-key\-sentinel boolean;
+      rrset\-order { [ class string ] [ type string ] [ name
+          quoted_string ] string string; ... };
+      send\-cookie boolean;
+      serial\-update\-method ( date | increment | unixtime );
+      server netprefix {
+              bogus boolean;
+              edns boolean;
+              edns\-udp\-size integer;
+              edns\-version integer;
+              keys server_key;
+              max\-udp\-size integer;
+              notify\-source ( ipv4_address | * ) [ port ( integer | *
+                  ) ] [ dscp integer ];
+              notify\-source\-v6 ( ipv6_address | * ) [ port ( integer
+                  | * ) ] [ dscp integer ];
+              padding integer;
+              provide\-ixfr boolean;
+              query\-source ( ( [ address ] ( ipv4_address | * ) [ port
+                  ( integer | * ) ] ) | ( [ [ address ] (
+                  ipv4_address | * ) ] port ( integer | * ) ) ) [
+                  dscp integer ];
+              query\-source\-v6 ( ( [ address ] ( ipv6_address | * ) [
+                  port ( integer | * ) ] ) | ( [ [ address ] (
+                  ipv6_address | * ) ] port ( integer | * ) ) ) [
+                  dscp integer ];
+              request\-expire boolean;
+              request\-ixfr boolean;
+              request\-nsid boolean;
+              send\-cookie boolean;
+              tcp\-keepalive boolean;
+              tcp\-only boolean;
+              transfer\-format ( many\-answers | one\-answer );
+              transfer\-source ( ipv4_address | * ) [ port ( integer |
+                  * ) ] [ dscp integer ];
+              transfer\-source\-v6 ( ipv6_address | * ) [ port (
+                  integer | * ) ] [ dscp integer ];
+              transfers integer;
+      };
+      servfail\-ttl duration;
+      sig\-signing\-nodes integer;
+      sig\-signing\-signatures integer;
+      sig\-signing\-type integer;
+      sig\-validity\-interval integer [ integer ];
+      sortlist { address_match_element; ... };
+      stale\-answer\-client\-timeout ( disabled | off | integer );
+      stale\-answer\-enable boolean;
+      stale\-answer\-ttl duration;
+      stale\-cache\-enable boolean;
+      stale\-refresh\-time duration;
+      synth\-from\-dnssec boolean;
+      transfer\-format ( many\-answers | one\-answer );
+      transfer\-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+          dscp integer ];
+      transfer\-source\-v6 ( ipv6_address | * ) [ port ( integer | * )
+          ] [ dscp integer ];
+      trust\-anchor\-telemetry boolean; // experimental
+      trust\-anchors { string ( static\-key |
+          initial\-key | static\-ds | initial\-ds
+          ) integer integer integer
+          quoted_string; ... };
+      trusted\-keys { string
+          integer integer
+          integer
+          quoted_string; ... };, deprecated
+      try\-tcp\-refresh boolean;
+      update\-check\-ksk boolean;
+      use\-alt\-transfer\-source boolean;
+      v6\-bias integer;
+      validate\-except { string; ... };
+      zero\-no\-soa\-ttl boolean;
+      zero\-no\-soa\-ttl\-cache boolean;
+      zone string [ class ] {
+              allow\-notify { address_match_element; ... };
+              allow\-query { address_match_element; ... };
+              allow\-query\-on { address_match_element; ... };
+              allow\-transfer { address_match_element; ... };
+              allow\-update { address_match_element; ... };
+              allow\-update\-forwarding { address_match_element; ... };
+              also\-notify [ port integer ] [ dscp integer ] { (
+                  remote\-servers | ipv4_address [ port integer ] |
+                  ipv6_address [ port integer ] ) [ key string ];
+                  ... };
+              alt\-transfer\-source ( ipv4_address | * ) [ port (
+                  integer | * ) ] [ dscp integer ];
+              alt\-transfer\-source\-v6 ( ipv6_address | * ) [ port (
+                  integer | * ) ] [ dscp integer ];
+              auto\-dnssec ( allow | maintain | off );// deprecated
+              check\-dup\-records ( fail | warn | ignore );
+              check\-integrity boolean;
+              check\-mx ( fail | warn | ignore );
+              check\-mx\-cname ( fail | warn | ignore );
+              check\-names ( fail | warn | ignore );
+              check\-sibling boolean;
+              check\-spf ( warn | ignore );
+              check\-srv\-cname ( fail | warn | ignore );
+              check\-wildcard boolean;
+              database string;
+              delegation\-only boolean;
+              dialup ( notify | notify\-passive | passive | refresh |
+                  boolean );
+              dlz string;
+              dnskey\-sig\-validity integer;
+              dnssec\-dnskey\-kskonly boolean;
+              dnssec\-loadkeys\-interval integer;
+              dnssec\-policy string;
+              dnssec\-secure\-to\-insecure boolean;
+              dnssec\-update\-mode ( maintain | no\-resign );
+              file quoted_string;
+              forward ( first | only );
+              forwarders [ port integer ] [ dscp integer ] { (
+                  ipv4_address | ipv6_address ) [ port integer ] [
+                  dscp integer ]; ... };
+              in\-view string;
+              inline\-signing boolean;
+              ixfr\-from\-differences boolean;
+              journal quoted_string;
+              key\-directory quoted_string;
+              masterfile\-format ( map | raw | text );
+              masterfile\-style ( full | relative );
+              masters [ port integer ] [ dscp integer ] { (
+                  remote\-servers | ipv4_address [ port integer ] |
+                  ipv6_address [ port integer ] ) [ key string ];
+                  ... };
+              max\-ixfr\-ratio ( unlimited | percentage );
+              max\-journal\-size ( default | unlimited | sizeval );
+              max\-records integer;
+              max\-refresh\-time integer;
+              max\-retry\-time integer;
+              max\-transfer\-idle\-in integer;
+              max\-transfer\-idle\-out integer;
+              max\-transfer\-time\-in integer;
+              max\-transfer\-time\-out integer;
+              max\-zone\-ttl ( unlimited | duration );
+              min\-refresh\-time integer;
+              min\-retry\-time integer;
+              multi\-master boolean;
+              notify ( explicit | master\-only | primary\-only | boolean );
+              notify\-delay integer;
+              notify\-source ( ipv4_address | * ) [ port ( integer | *
+                  ) ] [ dscp integer ];
+              notify\-source\-v6 ( ipv6_address | * ) [ port ( integer
+                  | * ) ] [ dscp integer ];
+              notify\-to\-soa boolean;
+              parental\-agents [ port integer ] [ dscp integer ] { (
+                  remote\-servers | ipv4_address [ port integer ] |
+                  ipv6_address [ port integer ] ) [ key string ];
+                  ... };
+              parental\-source ( ipv4_address | * ) [ port ( integer |
+                  * ) ] [ dscp integer ];
+              parental\-source\-v6 ( ipv6_address | * ) [ port (
+                  integer | * ) ] [ dscp integer ];
+              primaries [ port integer ] [ dscp integer ] { (
+                  remote\-servers | ipv4_address [ port integer ] |
+                  ipv6_address [ port integer ] ) [ key string ];
+                  ... };
+              request\-expire boolean;
+              request\-ixfr boolean;
+              serial\-update\-method ( date | increment | unixtime );
+              server\-addresses { ( ipv4_address | ipv6_address ); ... };
+              server\-names { string; ... };
+              sig\-signing\-nodes integer;
+              sig\-signing\-signatures integer;
+              sig\-signing\-type integer;
+              sig\-validity\-interval integer [ integer ];
+              transfer\-source ( ipv4_address | * ) [ port ( integer |
+                  * ) ] [ dscp integer ];
+              transfer\-source\-v6 ( ipv6_address | * ) [ port (
+                  integer | * ) ] [ dscp integer ];
+              try\-tcp\-refresh boolean;
+              type ( primary | master | secondary | slave | mirror |
+                  delegation\-only | forward | hint | redirect |
+                  static\-stub | stub );
+              update\-check\-ksk boolean;
+              update\-policy ( local | { ( deny | grant ) string (
+                  6to4\-self | external | krb5\-self | krb5\-selfsub |
+                  krb5\-subdomain | ms\-self | ms\-selfsub | ms\-subdomain |
+                  name | self | selfsub | selfwild | subdomain | tcp\-self
+                  | wildcard | zonesub ) [ string ] rrtypelist; ... } );
+              use\-alt\-transfer\-source boolean;
+              zero\-no\-soa\-ttl boolean;
+              zone\-statistics ( full | terse | none | boolean );
+      };
+      zone\-statistics ( full | terse | none | boolean );
+};
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS ZONE
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+zone string [ class ] {
+      allow\-notify { address_match_element; ... };
+      allow\-query { address_match_element; ... };
+      allow\-query\-on { address_match_element; ... };
+      allow\-transfer { address_match_element; ... };
+      allow\-update { address_match_element; ... };
+      allow\-update\-forwarding { address_match_element; ... };
+      also\-notify [ port integer ] [ dscp integer ] { (
+          remote\-servers | ipv4_address [ port integer ] |
+          ipv6_address [ port integer ] ) [ key string ]; ... };
+      alt\-transfer\-source ( ipv4_address | * ) [ port ( integer | * )
+          ] [ dscp integer ];
+      alt\-transfer\-source\-v6 ( ipv6_address | * ) [ port ( integer |
+          * ) ] [ dscp integer ];
+      auto\-dnssec ( allow | maintain | off );// deprecated
+      check\-dup\-records ( fail | warn | ignore );
+      check\-integrity boolean;
+      check\-mx ( fail | warn | ignore );
+      check\-mx\-cname ( fail | warn | ignore );
+      check\-names ( fail | warn | ignore );
+      check\-sibling boolean;
+      check\-spf ( warn | ignore );
+      check\-srv\-cname ( fail | warn | ignore );
+      check\-wildcard boolean;
+      database string;
+      delegation\-only boolean;
+      dialup ( notify | notify\-passive | passive | refresh | boolean );
+      dlz string;
+      dnskey\-sig\-validity integer;
+      dnssec\-dnskey\-kskonly boolean;
+      dnssec\-loadkeys\-interval integer;
+      dnssec\-policy string;
+      dnssec\-secure\-to\-insecure boolean;
+      dnssec\-update\-mode ( maintain | no\-resign );
+      file quoted_string;
+      forward ( first | only );
+      forwarders [ port integer ] [ dscp integer ] { ( ipv4_address
+          | ipv6_address ) [ port integer ] [ dscp integer ]; ... };
+      in\-view string;
+      inline\-signing boolean;
+      ixfr\-from\-differences boolean;
+      journal quoted_string;
+      key\-directory quoted_string;
+      masterfile\-format ( map | raw | text );
+      masterfile\-style ( full | relative );
+      masters [ port integer ] [ dscp integer ] { ( remote\-servers
+          | ipv4_address [ port integer ] | ipv6_address [ port
+          integer ] ) [ key string ]; ... };
+      max\-ixfr\-ratio ( unlimited | percentage );
+      max\-journal\-size ( default | unlimited | sizeval );
+      max\-records integer;
+      max\-refresh\-time integer;
+      max\-retry\-time integer;
+      max\-transfer\-idle\-in integer;
+      max\-transfer\-idle\-out integer;
+      max\-transfer\-time\-in integer;
+      max\-transfer\-time\-out integer;
+      max\-zone\-ttl ( unlimited | duration );
+      min\-refresh\-time integer;
+      min\-retry\-time integer;
+      multi\-master boolean;
+      notify ( explicit | master\-only | primary\-only | boolean );
+      notify\-delay integer;
+      notify\-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+          dscp integer ];
+      notify\-source\-v6 ( ipv6_address | * ) [ port ( integer | * ) ]
+          [ dscp integer ];
+      notify\-to\-soa boolean;
+      parental\-agents [ port integer ] [ dscp integer ] { (
+          remote\-servers | ipv4_address [ port integer ] |
+          ipv6_address [ port integer ] ) [ key string ]; ... };
+      parental\-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+          dscp integer ];
+      parental\-source\-v6 ( ipv6_address | * ) [ port ( integer | * )
+          ] [ dscp integer ];
+      primaries [ port integer ] [ dscp integer ] { (
+          remote\-servers | ipv4_address [ port integer ] |
+          ipv6_address [ port integer ] ) [ key string ]; ... };
+      request\-expire boolean;
+      request\-ixfr boolean;
+      serial\-update\-method ( date | increment | unixtime );
+      server\-addresses { ( ipv4_address | ipv6_address ); ... };
+      server\-names { string; ... };
+      sig\-signing\-nodes integer;
+      sig\-signing\-signatures integer;
+      sig\-signing\-type integer;
+      sig\-validity\-interval integer [ integer ];
+      transfer\-source ( ipv4_address | * ) [ port ( integer | * ) ] [
+          dscp integer ];
+      transfer\-source\-v6 ( ipv6_address | * ) [ port ( integer | * )
+          ] [ dscp integer ];
+      try\-tcp\-refresh boolean;
+      type ( primary | master | secondary | slave | mirror |
+          delegation\-only | forward | hint | redirect | static\-stub |
+          stub );
+      update\-check\-ksk boolean;
+      update\-policy ( local | { ( deny | grant ) string ( 6to4\-self |
+          external | krb5\-self | krb5\-selfsub | krb5\-subdomain | ms\-self
+          | ms\-selfsub | ms\-subdomain | name | self | selfsub | selfwild
+          | subdomain | tcp\-self | wildcard | zonesub ) [ string ]
+          rrtypelist; ... } );
+      use\-alt\-transfer\-source boolean;
+      zero\-no\-soa\-ttl boolean;
+      zone\-statistics ( full | terse | none | boolean );
+};
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SH FILES
+.sp
+\fB/etc/named.conf\fP
+.SH SEE ALSO
+.sp
+\fBddns\-confgen(8)\fP, \fBnamed(8)\fP, \fBnamed\-checkconf(8)\fP, \fBrndc(8)\fP, \fBrndc\-confgen(8)\fP, BIND 9 Administrator Reference Manual.
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/named.conf.rst b/doc/man/named.conf.rst
new file mode 100644
index 0000000..6fbdda6
--- /dev/null
+++ b/doc/man/named.conf.rst
@@ -0,0 +1,14 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+:orphan:
+
+.. include:: ../../bin/named/named.conf.rst
diff --git a/doc/man/named.rst b/doc/man/named.rst
new file mode 100644
index 0000000..63c0f4b
--- /dev/null
+++ b/doc/man/named.rst
@@ -0,0 +1,14 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+:orphan:
+
+.. include:: ../../bin/named/named.rst
diff --git a/doc/man/nsec3hash.8in b/doc/man/nsec3hash.8in
new file mode 100644
index 0000000..32d85d1
--- /dev/null
+++ b/doc/man/nsec3hash.8in
@@ -0,0 +1,78 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "NSEC3HASH" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+nsec3hash \- generate NSEC3 hash
+.SH SYNOPSIS
+.sp
+\fBnsec3hash\fP {salt} {algorithm} {iterations} {domain}
+.sp
+\fBnsec3hash\fP \fB\-r\fP {algorithm} {flags} {iterations} {salt} {domain}
+.SH DESCRIPTION
+.sp
+\fBnsec3hash\fP generates an NSEC3 hash based on a set of NSEC3
+parameters. This can be used to check the validity of NSEC3 records in a
+signed zone.
+.sp
+If this command is invoked as \fBnsec3hash \-r\fP, it takes arguments in
+order, matching the first four fields of an NSEC3 record followed by the
+domain name: \fBalgorithm\fP, \fBflags\fP, \fBiterations\fP, \fBsalt\fP, \fBdomain\fP\&. This makes it
+convenient to copy and paste a portion of an NSEC3 or NSEC3PARAM record
+into a command line to confirm the correctness of an NSEC3 hash.
+.SH ARGUMENTS
+.INDENT 0.0
+.TP
+.B \fBsalt\fP
+This is the salt provided to the hash algorithm.
+.TP
+.B \fBalgorithm\fP
+This is a number indicating the hash algorithm. Currently the only supported
+hash algorithm for NSEC3 is SHA\-1, which is indicated by the number
+1; consequently \(dq1\(dq is the only useful value for this argument.
+.TP
+.B \fBflags\fP
+This is provided for compatibility with NSEC3 record presentation format, but
+is ignored since the flags do not affect the hash.
+.TP
+.B \fBiterations\fP
+This is the number of additional times the hash should be performed.
+.TP
+.B \fBdomain\fP
+This is the domain name to be hashed.
+.UNINDENT
+.SH SEE ALSO
+.sp
+BIND 9 Administrator Reference Manual, \fI\%RFC 5155\fP\&.
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/nsec3hash.rst b/doc/man/nsec3hash.rst
new file mode 100644
index 0000000..ba81f0d
--- /dev/null
+++ b/doc/man/nsec3hash.rst
@@ -0,0 +1,14 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+:orphan:
+
+.. include:: ../../bin/tools/nsec3hash.rst
diff --git a/doc/man/nslookup.1in b/doc/man/nslookup.1in
new file mode 100644
index 0000000..f009105
--- /dev/null
+++ b/doc/man/nslookup.1in
@@ -0,0 +1,225 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "NSLOOKUP" "1" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+nslookup \- query Internet name servers interactively
+.SH SYNOPSIS
+.sp
+\fBnslookup\fP [\-option] [name | \-] [server]
+.SH DESCRIPTION
+.sp
+\fBnslookup\fP is a program to query Internet domain name servers.
+\fBnslookup\fP has two modes: interactive and non\-interactive. Interactive
+mode allows the user to query name servers for information about various
+hosts and domains or to print a list of hosts in a domain.
+Non\-interactive mode prints just the name and requested
+information for a host or domain.
+.SH ARGUMENTS
+.sp
+Interactive mode is entered in the following cases:
+.INDENT 0.0
+.IP a. 3
+when no arguments are given (the default name server is used);
+.IP b. 3
+when the first argument is a hyphen (\-) and the second argument is
+the host name or Internet address of a name server.
+.UNINDENT
+.sp
+Non\-interactive mode is used when the name or Internet address of the
+host to be looked up is given as the first argument. The optional second
+argument specifies the host name or address of a name server.
+.sp
+Options can also be specified on the command line if they precede the
+arguments and are prefixed with a hyphen. For example, to change the
+default query type to host information, with an initial timeout of 10
+seconds, type:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+nslookup \-query=hinfo  \-timeout=10
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+The \fB\-version\fP option causes \fBnslookup\fP to print the version number
+and immediately exit.
+.SH INTERACTIVE COMMANDS
+.INDENT 0.0
+.TP
+.B \fBhost [server]\fP
+This command looks up information for \fBhost\fP using the current default server or
+using \fBserver\fP, if specified. If \fBhost\fP is an Internet address and the
+query type is A or PTR, the name of the host is returned. If \fBhost\fP is
+a name and does not have a trailing period (\fB\&.\fP), the search list is used
+to qualify the name.
+.sp
+To look up a host not in the current domain, append a period to the
+name.
+.TP
+.B \fBserver domain\fP | \fBlserver domain\fP
+These commands change the default server to \fBdomain\fP; \fBlserver\fP uses the initial
+server to look up information about \fBdomain\fP, while \fBserver\fP uses the
+current default server. If an authoritative answer cannot be found,
+the names of servers that might have the answer are returned.
+.TP
+.B \fBroot\fP
+This command is not implemented.
+.TP
+.B \fBfinger\fP
+This command is not implemented.
+.TP
+.B \fBls\fP
+This command is not implemented.
+.TP
+.B \fBview\fP
+This command is not implemented.
+.TP
+.B \fBhelp\fP
+This command is not implemented.
+.TP
+.B \fB?\fP
+This command is not implemented.
+.TP
+.B \fBexit\fP
+This command exits the program.
+.TP
+.B \fBset keyword[=value]\fP
+This command is used to change state information that affects the
+lookups. Valid keywords are:
+.INDENT 7.0
+.TP
+.B \fBall\fP
+This keyword prints the current values of the frequently used options to
+\fBset\fP\&. Information about the current default server and host is
+also printed.
+.TP
+.B \fBclass=value\fP
+This keyword changes the query class to one of:
+.INDENT 7.0
+.TP
+.B \fBIN\fP
+the Internet class
+.TP
+.B \fBCH\fP
+the Chaos class
+.TP
+.B \fBHS\fP
+the Hesiod class
+.TP
+.B \fBANY\fP
+wildcard
+.UNINDENT
+.sp
+The class specifies the protocol group of the information. The default
+is \fBIN\fP; the abbreviation for this keyword is \fBcl\fP\&.
+.TP
+.B \fBnodebug\fP
+This keyword turns on or off the display of the full response packet, and any
+intermediate response packets, when searching. The default for this keyword is
+\fBnodebug\fP; the abbreviation for this keyword is \fB[no]deb\fP\&.
+.TP
+.B \fBnod2\fP
+This keyword turns debugging mode on or off. This displays more about what
+nslookup is doing. The default is \fBnod2\fP\&.
+.TP
+.B \fBdomain=name\fP
+This keyword sets the search list to \fBname\fP\&.
+.TP
+.B \fBnosearch\fP
+If the lookup request contains at least one period, but does not end
+with a trailing period, this keyword appends the domain names in the domain
+search list to the request until an answer is received. The default is \fBsearch\fP\&.
+.TP
+.B \fBport=value\fP
+This keyword changes the default TCP/UDP name server port to \fBvalue\fP from
+its default, port 53. The abbreviation for this keyword is \fBpo\fP\&.
+.TP
+.B \fBquerytype=value\fP | \fBtype=value\fP
+This keyword changes the type of the information query to \fBvalue\fP\&. The
+defaults are A and then AAAA; the abbreviations for these keywords are
+\fBq\fP and \fBty\fP\&.
+.sp
+Please note that it is only possible to specify one query type. Only the default
+behavior looks up both when an alternative is not specified.
+.TP
+.B \fBnorecurse\fP
+This keyword tells the name server to query other servers if it does not have
+the information. The default is \fBrecurse\fP; the abbreviation for this
+keyword is \fB[no]rec\fP\&.
+.TP
+.B \fBndots=number\fP
+This keyword sets the number of dots (label separators) in a domain that
+disables searching. Absolute names always stop searching.
+.TP
+.B \fBretry=number\fP
+This keyword sets the number of retries to \fBnumber\fP\&.
+.TP
+.B \fBtimeout=number\fP
+This keyword changes the initial timeout interval to wait for a reply to
+\fBnumber\fP, in seconds.
+.TP
+.B \fBnovc\fP
+This keyword indicates that a virtual circuit should always be used when sending requests to the server.
+\fBnovc\fP is the default.
+.TP
+.B \fBnofail\fP
+This keyword tries the next nameserver if a nameserver responds with SERVFAIL or
+a referral (nofail), or terminates the query (fail) on such a response. The
+default is \fBnofail\fP\&.
+.UNINDENT
+.UNINDENT
+.SH RETURN VALUES
+.sp
+\fBnslookup\fP returns with an exit status of 1 if any query failed, and 0
+otherwise.
+.SH IDN SUPPORT
+.sp
+If \fBnslookup\fP has been built with IDN (internationalized domain name)
+support, it can accept and display non\-ASCII domain names. \fBnslookup\fP
+appropriately converts character encoding of a domain name before sending
+a request to a DNS server or displaying a reply from the server.
+To turn off IDN support, define the \fBIDN_DISABLE\fP
+environment variable. IDN support is disabled if the variable is set
+when \fBnslookup\fP runs, or when the standard output is not a tty.
+.SH FILES
+.sp
+\fB/etc/resolv.conf\fP
+.SH SEE ALSO
+.sp
+\fBdig(1)\fP, \fBhost(1)\fP, \fBnamed(8)\fP\&.
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/nslookup.rst b/doc/man/nslookup.rst
new file mode 100644
index 0000000..015740d
--- /dev/null
+++ b/doc/man/nslookup.rst
@@ -0,0 +1,14 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+:orphan:
+
+.. include:: ../../bin/dig/nslookup.rst
diff --git a/doc/man/nsupdate.1in b/doc/man/nsupdate.1in
new file mode 100644
index 0000000..5a2d02f
--- /dev/null
+++ b/doc/man/nsupdate.1in
@@ -0,0 +1,385 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "NSUPDATE" "1" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+nsupdate \- dynamic DNS update utility
+.SH SYNOPSIS
+.sp
+\fBnsupdate\fP [\fB\-d\fP] [\fB\-D\fP] [\fB\-i\fP] [\fB\-L\fP level] [ [\fB\-g\fP] | [\fB\-o\fP] | [\fB\-l\fP] | [\fB\-y\fP [hmac:]keyname:secret] | [\fB\-k\fP keyfile] ] [\fB\-t\fP timeout] [\fB\-u\fP udptimeout] [\fB\-r\fP udpretries] [\fB\-v\fP] [\fB\-T\fP] [\fB\-P\fP] [\fB\-V\fP] [ [\fB\-4\fP] | [\fB\-6\fP] ] [filename]
+.SH DESCRIPTION
+.sp
+\fBnsupdate\fP is used to submit Dynamic DNS Update requests, as defined in
+\fI\%RFC 2136\fP, to a name server. This allows resource records to be added or
+removed from a zone without manually editing the zone file. A single
+update request can contain requests to add or remove more than one
+resource record.
+.sp
+Zones that are under dynamic control via \fBnsupdate\fP or a DHCP server
+should not be edited by hand. Manual edits could conflict with dynamic
+updates and cause data to be lost.
+.sp
+The resource records that are dynamically added or removed with
+\fBnsupdate\fP must be in the same zone. Requests are sent to the
+zone\(aqs primary server, which is identified by the MNAME field of the
+zone\(aqs SOA record.
+.sp
+Transaction signatures can be used to authenticate the Dynamic DNS
+updates. These use the TSIG resource record type described in \fI\%RFC 2845\fP,
+the SIG(0) record described in \fI\%RFC 2535\fP and \fI\%RFC 2931\fP, or GSS\-TSIG as
+described in \fI\%RFC 3645\fP\&.
+.sp
+TSIG relies on a shared secret that should only be known to \fBnsupdate\fP
+and the name server. For instance, suitable \fBkey\fP and \fBserver\fP
+statements are added to \fB/etc/named.conf\fP so that the name server
+can associate the appropriate secret key and algorithm with the IP
+address of the client application that is using TSIG
+authentication. \fBddns\-confgen\fP can generate suitable
+configuration fragments. \fBnsupdate\fP uses the \fB\-y\fP or \fB\-k\fP options
+to provide the TSIG shared secret; these options are mutually exclusive.
+.sp
+SIG(0) uses public key cryptography. To use a SIG(0) key, the public key
+must be stored in a KEY record in a zone served by the name server.
+.sp
+GSS\-TSIG uses Kerberos credentials. Standard GSS\-TSIG mode is switched
+on with the \fB\-g\fP flag. A non\-standards\-compliant variant of GSS\-TSIG
+used by Windows 2000 can be switched on with the \fB\-o\fP flag.
+.SH OPTIONS
+.INDENT 0.0
+.TP
+.B \fB\-4\fP
+This option sets use of IPv4 only.
+.TP
+.B \fB\-6\fP
+This option sets use of IPv6 only.
+.TP
+.B \fB\-d\fP
+This option sets debug mode, which provides tracing information about the update
+requests that are made and the replies received from the name server.
+.TP
+.B \fB\-D\fP
+This option sets extra debug mode.
+.TP
+.B \fB\-i\fP
+This option forces interactive mode, even when standard input is not a terminal.
+.TP
+.B \fB\-k keyfile\fP
+This option indicates the file containing the TSIG authentication key. Keyfiles may be in
+two formats: a single file containing a \fBnamed.conf\fP\-format \fBkey\fP
+statement, which may be generated automatically by \fBddns\-confgen\fP;
+or a pair of files whose names are of the format
+\fBK{name}.+157.+{random}.key\fP and
+\fBK{name}.+157.+{random}.private\fP, which can be generated by
+\fBdnssec\-keygen\fP\&. The \fB\-k\fP option can also be used to specify a SIG(0)
+key used to authenticate Dynamic DNS update requests. In this case,
+the key specified is not an HMAC\-MD5 key.
+.TP
+.B \fB\-l\fP
+This option sets local\-host only mode, which sets the server address to localhost
+(disabling the \fBserver\fP so that the server address cannot be
+overridden). Connections to the local server use a TSIG key
+found in \fB/var/run/named/session.key\fP, which is automatically
+generated by \fBnamed\fP if any local \fBprimary\fP zone has set
+\fBupdate\-policy\fP to \fBlocal\fP\&. The location of this key file can be
+overridden with the \fB\-k\fP option.
+.TP
+.B \fB\-L level\fP
+This option sets the logging debug level. If zero, logging is disabled.
+.TP
+.B \fB\-p port\fP
+This option sets the port to use for connections to a name server. The default is
+53.
+.TP
+.B \fB\-P\fP
+This option prints the list of private BIND\-specific resource record types whose
+format is understood by \fBnsupdate\fP\&. See also the \fB\-T\fP option.
+.TP
+.B \fB\-r udpretries\fP
+This option sets the number of UDP retries. The default is 3. If zero, only one update
+request is made.
+.TP
+.B \fB\-t timeout\fP
+This option sets the maximum time an update request can take before it is aborted. The
+default is 300 seconds. If zero, the timeout is disabled.
+.TP
+.B \fB\-T\fP
+This option prints the list of IANA standard resource record types whose format is
+understood by \fBnsupdate\fP\&. \fBnsupdate\fP exits after the lists
+are printed. The \fB\-T\fP option can be combined with the \fB\-P\fP
+option.
+.sp
+Other types can be entered using \fBTYPEXXXXX\fP where \fBXXXXX\fP is the
+decimal value of the type with no leading zeros. The rdata, if
+present, is parsed using the UNKNOWN rdata format, (<backslash>
+<hash> <space> <length> <space> <hexstring>).
+.TP
+.B \fB\-u udptimeout\fP
+This option sets the UDP retry interval. The default is 3 seconds. If zero, the
+interval is computed from the timeout interval and number of UDP
+retries.
+.TP
+.B \fB\-v\fP
+This option specifies that TCP should be used even for small update requests. By default, \fBnsupdate\fP uses
+UDP to send update requests to the name server unless they are too
+large to fit in a UDP request, in which case TCP is used. TCP may
+be preferable when a batch of update requests is made.
+.TP
+.B \fB\-V\fP
+This option prints the version number and exits.
+.TP
+.B \fB\-y [hmac:]keyname:secret\fP
+This option sets the literal TSIG authentication key. \fBkeyname\fP is the name of the key,
+and \fBsecret\fP is the base64 encoded shared secret. \fBhmac\fP is the
+name of the key algorithm; valid choices are \fBhmac\-md5\fP,
+\fBhmac\-sha1\fP, \fBhmac\-sha224\fP, \fBhmac\-sha256\fP, \fBhmac\-sha384\fP, or
+\fBhmac\-sha512\fP\&. If \fBhmac\fP is not specified, the default is
+\fBhmac\-md5\fP, or if MD5 was disabled, \fBhmac\-sha256\fP\&.
+.sp
+NOTE: Use of the \fB\-y\fP option is discouraged because the shared
+secret is supplied as a command\-line argument in clear text. This may
+be visible in the output from ps1 or in a history file maintained by
+the user\(aqs shell.
+.UNINDENT
+.SH INPUT FORMAT
+.sp
+\fBnsupdate\fP reads input from \fBfilename\fP or standard input. Each
+command is supplied on exactly one line of input. Some commands are for
+administrative purposes; others are either update instructions or
+prerequisite checks on the contents of the zone. These checks set
+conditions that some name or set of resource records (RRset) either
+exists or is absent from the zone. These conditions must be met if the
+entire update request is to succeed. Updates are rejected if the
+tests for the prerequisite conditions fail.
+.sp
+Every update request consists of zero or more prerequisites and zero or
+more updates. This allows a suitably authenticated update request to
+proceed if some specified resource records are either present or missing from
+the zone. A blank input line (or the \fBsend\fP command) causes the
+accumulated commands to be sent as one Dynamic DNS update request to the
+name server.
+.sp
+The command formats and their meanings are as follows:
+.INDENT 0.0
+.TP
+.B \fBserver servername port\fP
+This command sends all dynamic update requests to the name server \fBservername\fP\&.
+When no server statement is provided, \fBnsupdate\fP sends updates
+to the primary server of the correct zone. The MNAME field of that
+zone\(aqs SOA record identify the primary server for that zone.
+\fBport\fP is the port number on \fBservername\fP where the dynamic
+update requests are sent. If no port number is specified, the default
+DNS port number of 53 is used.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+This command has no effect when GSS\-TSIG is in use.
+.UNINDENT
+.UNINDENT
+.TP
+.B \fBlocal address port\fP
+This command sends all dynamic update requests using the local \fBaddress\fP\&. When
+no local statement is provided, \fBnsupdate\fP sends updates using
+an address and port chosen by the system. \fBport\fP can also
+be used to force requests to come from a specific port. If no port number
+is specified, the system assigns one.
+.TP
+.B \fBzone zonename\fP
+This command specifies that all updates are to be made to the zone \fBzonename\fP\&.
+If no \fBzone\fP statement is provided, \fBnsupdate\fP attempts to
+determine the correct zone to update based on the rest of the input.
+.TP
+.B \fBclass classname\fP
+This command specifies the default class. If no \fBclass\fP is specified, the default
+class is \fBIN\fP\&.
+.TP
+.B \fBttl seconds\fP
+This command specifies the default time\-to\-live, in seconds, for records to be added. The value
+\fBnone\fP clears the default TTL.
+.TP
+.B \fBkey hmac:keyname secret\fP
+This command specifies that all updates are to be TSIG\-signed using the
+\fBkeyname\fP\-\fBsecret\fP pair. If \fBhmac\fP is specified, it sets
+the signing algorithm in use. The default is \fBhmac\-md5\fP; if MD5
+was disabled, the default is \fBhmac\-sha256\fP\&. The \fBkey\fP command overrides any key
+specified on the command line via \fB\-y\fP or \fB\-k\fP\&.
+.TP
+.B \fBgsstsig\fP
+This command uses GSS\-TSIG to sign the updates. This is equivalent to specifying
+\fB\-g\fP on the command line.
+.TP
+.B \fBoldgsstsig\fP
+This command uses the Windows 2000 version of GSS\-TSIG to sign the updates. This is
+equivalent to specifying \fB\-o\fP on the command line.
+.TP
+.B \fBrealm [realm_name]\fP
+When using GSS\-TSIG, this command specifies the use of \fBrealm_name\fP rather than the default realm
+in \fBkrb5.conf\fP\&. If no realm is specified, the saved realm is
+cleared.
+.TP
+.B \fBcheck\-names [yes_or_no]\fP
+This command turns on or off check\-names processing on records to be added.
+Check\-names has no effect on prerequisites or records to be deleted.
+By default check\-names processing is on. If check\-names processing
+fails, the record is not added to the UPDATE message.
+.TP
+.B \fBprereq nxdomain domain\-name\fP
+This command requires that no resource record of any type exist with the name
+\fBdomain\-name\fP\&.
+.TP
+.B \fBprereq yxdomain domain\-name\fP
+This command requires that \fBdomain\-name\fP exist (as at least one resource
+record, of any type).
+.TP
+.B \fBprereq nxrrset domain\-name class type\fP
+This command requires that no resource record exist of the specified \fBtype\fP,
+\fBclass\fP, and \fBdomain\-name\fP\&. If \fBclass\fP is omitted, IN (Internet)
+is assumed.
+.TP
+.B \fBprereq yxrrset domain\-name class type\fP
+This command requires that a resource record of the specified \fBtype\fP,
+\fBclass\fP and \fBdomain\-name\fP exist. If \fBclass\fP is omitted, IN
+(internet) is assumed.
+.TP
+.B \fBprereq yxrrset domain\-name class type data\fP
+With this command, the \fBdata\fP from each set of prerequisites of this form sharing a
+common \fBtype\fP, \fBclass\fP, and \fBdomain\-name\fP are combined to form
+a set of RRs. This set of RRs must exactly match the set of RRs
+existing in the zone at the given \fBtype\fP, \fBclass\fP, and
+\fBdomain\-name\fP\&. The \fBdata\fP are written in the standard text
+representation of the resource record\(aqs RDATA.
+.TP
+.B \fBupdate delete domain\-name ttl class type data\fP
+This command deletes any resource records named \fBdomain\-name\fP\&. If \fBtype\fP and
+\fBdata\fP are provided, only matching resource records are removed.
+The Internet class is assumed if \fBclass\fP is not supplied. The
+\fBttl\fP is ignored, and is only allowed for compatibility.
+.TP
+.B \fBupdate add domain\-name ttl class type data\fP
+This command adds a new resource record with the specified \fBttl\fP, \fBclass\fP, and
+\fBdata\fP\&.
+.TP
+.B \fBshow\fP
+This command displays the current message, containing all of the prerequisites and
+updates specified since the last send.
+.TP
+.B \fBsend\fP
+This command sends the current message. This is equivalent to entering a blank
+line.
+.TP
+.B \fBanswer\fP
+This command displays the answer.
+.TP
+.B \fBdebug\fP
+This command turns on debugging.
+.TP
+.B \fBversion\fP
+This command prints the version number.
+.TP
+.B \fBhelp\fP
+This command prints a list of commands.
+.UNINDENT
+.sp
+Lines beginning with a semicolon (;) are comments and are ignored.
+.SH EXAMPLES
+.sp
+The examples below show how \fBnsupdate\fP can be used to insert and
+delete resource records from the \fBexample.com\fP zone. Notice that the
+input in each example contains a trailing blank line, so that a group of
+commands is sent as one dynamic update request to the primary name
+server for \fBexample.com\fP\&.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+# nsupdate
+> update delete oldhost.example.com A
+> update add newhost.example.com 86400 A 172.16.1.1
+> send
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+Any A records for \fBoldhost.example.com\fP are deleted, and an A record
+for \fBnewhost.example.com\fP with IP address 172.16.1.1 is added. The
+newly added record has a TTL of 1 day (86400 seconds).
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+# nsupdate
+> prereq nxdomain nickname.example.com
+> update add nickname.example.com 86400 CNAME somehost.example.com
+> send
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+The prerequisite condition tells the name server to verify that there are
+no resource records of any type for \fBnickname.example.com\fP\&. If there
+are, the update request fails. If this name does not exist, a CNAME for
+it is added. This ensures that when the CNAME is added, it cannot
+conflict with the long\-standing rule in \fI\%RFC 1034\fP that a name must not
+exist as any other record type if it exists as a CNAME. (The rule has
+been updated for DNSSEC in \fI\%RFC 2535\fP to allow CNAMEs to have RRSIG,
+DNSKEY, and NSEC records.)
+.SH FILES
+.INDENT 0.0
+.TP
+.B \fB/etc/resolv.conf\fP
+Used to identify the default name server
+.TP
+.B \fB/var/run/named/session.key\fP
+Sets the default TSIG key for use in local\-only mode
+.TP
+.B \fBK{name}.+157.+{random}.key\fP
+Base\-64 encoding of the HMAC\-MD5 key created by \fBdnssec\-keygen\fP\&.
+.TP
+.B \fBK{name}.+157.+{random}.private\fP
+Base\-64 encoding of the HMAC\-MD5 key created by \fBdnssec\-keygen\fP\&.
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fI\%RFC 2136\fP, \fI\%RFC 3007\fP, \fI\%RFC 2104\fP, \fI\%RFC 2845\fP, \fI\%RFC 1034\fP, \fI\%RFC 2535\fP, \fI\%RFC 2931\fP,
+\fBnamed(8)\fP, \fBddns\-confgen(8)\fP, \fBdnssec\-keygen(8)\fP\&.
+.SH BUGS
+.sp
+The TSIG key is redundantly stored in two separate files. This is a
+consequence of \fBnsupdate\fP using the DST library for its cryptographic
+operations, and may change in future releases.
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/nsupdate.rst b/doc/man/nsupdate.rst
new file mode 100644
index 0000000..bced04e
--- /dev/null
+++ b/doc/man/nsupdate.rst
@@ -0,0 +1,14 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+:orphan:
+
+.. include:: ../../bin/nsupdate/nsupdate.rst
diff --git a/doc/man/pkcs11-destroy.8in b/doc/man/pkcs11-destroy.8in
new file mode 100644
index 0000000..be5941e
--- /dev/null
+++ b/doc/man/pkcs11-destroy.8in
@@ -0,0 +1,74 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "PKCS11-DESTROY" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+pkcs11-destroy \- destroy PKCS#11 objects
+pkcs11\-destroy \- destroy PKCS#11 objects
+.sp
+\fBpkcs11\-destroy\fP [\fB\-m\fP module] [\fB\-s\fP slot] [\fB\-i\fP ID] [\fB\-l\fP label] [\fB\-p\fP PIN] [\fB\-w\fP seconds]
+.sp
+\fBpkcs11\-destroy\fP destroys keys stored in a PKCS#11 device, identified
+by their \fBID\fP or \fBlabel\fP\&.
+.sp
+Matching keys are displayed before being destroyed. By default, there is
+a five\-second delay to allow the user to interrupt the process before
+the destruction takes place.
+.INDENT 0.0
+.TP
+.B \fB\-m module\fP
+This option specifies the PKCS#11 provider module. This must be the full path to a
+shared library object implementing the PKCS#11 API for the device.
+.TP
+.B \fB\-s slot\fP
+This option opens the session with the given PKCS#11 slot. The default is slot 0.
+.TP
+.B \fB\-i ID\fP
+This option destroys keys with the given object ID.
+.TP
+.B \fB\-l label\fP
+This option destroys keys with the given label.
+.TP
+.B \fB\-p PIN\fP
+This option specifies the \fBPIN\fP for the device. If no \fBPIN\fP is provided on the command
+line, \fBpkcs11\-destroy\fP prompts for it.
+.TP
+.B \fB\-w seconds\fP
+This option specifies how long, in seconds, to pause before carrying out key destruction. The
+default is 5 seconds. If set to \fB0\fP, destruction is
+immediate.
+.UNINDENT
+.sp
+\fBpkcs11\-keygen(8)\fP, \fBpkcs11\-list(8)\fP, \fBpkcs11\-tokens(8)\fP
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/pkcs11-destroy.rst b/doc/man/pkcs11-destroy.rst
new file mode 100644
index 0000000..da48cef
--- /dev/null
+++ b/doc/man/pkcs11-destroy.rst
@@ -0,0 +1,14 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+:orphan:
+
+.. include:: ../../bin/pkcs11/pkcs11-destroy.rst
diff --git a/doc/man/pkcs11-keygen.8in b/doc/man/pkcs11-keygen.8in
new file mode 100644
index 0000000..8ea542e
--- /dev/null
+++ b/doc/man/pkcs11-keygen.8in
@@ -0,0 +1,95 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "PKCS11-KEYGEN" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+pkcs11-keygen \- generate keys on a PKCS#11 device
+.SH SYNOPSIS
+.sp
+\fBpkcs11\-keygen\fP [\fB\-a\fP algorithm] [\fB\-b\fP keysize] [\fB\-e\fP] [\fB\-i\fP id] [\fB\-m\fP module] [\fB\-P\fP] [\fB\-p\fP PIN] [\fB\-q\fP] [\fB\-S\fP] [\fB\-s\fP slot] label
+.SH DESCRIPTION
+.sp
+\fBpkcs11\-keygen\fP causes a PKCS#11 device to generate a new key pair
+with the given \fBlabel\fP (which must be unique) and with \fBkeysize\fP
+bits of prime.
+.SH OPTIONS
+.INDENT 0.0
+.TP
+.B \fB\-a algorithm\fP
+This option specifies the key algorithm class: supported classes are RSA, DSA, DH,
+ECC, and ECX. In addition to these strings, the \fBalgorithm\fP can be
+specified as a DNSSEC signing algorithm to be used with this
+key; for example, NSEC3RSASHA1 maps to RSA, ECDSAP256SHA256 maps to
+ECC, and ED25519 to ECX. The default class is \fBRSA\fP\&.
+.TP
+.B \fB\-b keysize\fP
+This option creates the key pair with \fBkeysize\fP bits of prime. For ECC keys, the
+only valid values are 256 and 384, and the default is 256. For ECX
+keys, the only valid values are 256 and 456, and the default is 256.
+.TP
+.B \fB\-e\fP
+For RSA keys only, this option specifies use of a large exponent.
+.TP
+.B \fB\-i id\fP
+This option creates key objects with \fBid\fP\&. The ID is either an unsigned short 2\-byte
+or an unsigned long 4\-byte number.
+.TP
+.B \fB\-m module\fP
+This option specifies the PKCS#11 provider module. This must be the full path to a
+shared library object implementing the PKCS#11 API for the device.
+.TP
+.B \fB\-P\fP
+This option sets the new private key to be non\-sensitive and extractable, and
+allows the private key data to be read from the PKCS#11 device. The
+default is for private keys to be sensitive and non\-extractable.
+.TP
+.B \fB\-p PIN\fP
+This option specifies the \fBPIN\fP for the device. If no \fBPIN\fP is provided on the command
+line, \fBpkcs11\-keygen\fP prompts for it.
+.TP
+.B \fB\-q\fP
+This option sets quiet mode, which suppresses unnecessary output.
+.TP
+.B \fB\-S\fP
+For Diffie\-Hellman (DH) keys only, this option specifies use of a special prime of 768\-, 1024\-,
+or 1536\-bit size and base (AKA generator) 2. If not specified, bit
+size defaults to 1024.
+.TP
+.B \fB\-s slot\fP
+This option opens the session with the given PKCS#11 slot. The default is slot 0.
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fBpkcs11\-destroy(8)\fP, \fBpkcs11\-list(8)\fP, \fBpkcs11\-tokens(8)\fP, \fBdnssec\-keyfromlabel(8)\fP
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/pkcs11-keygen.rst b/doc/man/pkcs11-keygen.rst
new file mode 100644
index 0000000..ea392b6
--- /dev/null
+++ b/doc/man/pkcs11-keygen.rst
@@ -0,0 +1,14 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+:orphan:
+
+.. include:: ../../bin/pkcs11/pkcs11-keygen.rst
diff --git a/doc/man/pkcs11-list.8in b/doc/man/pkcs11-list.8in
new file mode 100644
index 0000000..e833db7
--- /dev/null
+++ b/doc/man/pkcs11-list.8in
@@ -0,0 +1,73 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "PKCS11-LIST" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+pkcs11-list \- list PKCS#11 objects
+.sp
+\fBpkcs11\-list\fP [\fB\-P\fP] [\fB\-m\fP module] [\fB\-s\fP slot] [\fB\-i\fP ID \fB] [\-l\fP label] [\fB\-p\fP PIN]
+.SH DESCRIPTION
+.sp
+\fBpkcs11\-list\fP lists the PKCS#11 objects with \fBID\fP or \fBlabel\fP or, by
+default, all objects. The object class, label, and ID are displayed for
+all keys. For private or secret keys, the extractability attribute is
+also displayed, as either \fBtrue\fP, \fBfalse\fP, or \fBnever\fP\&.
+.SH OPTIONS
+.INDENT 0.0
+.TP
+.B \fB\-P\fP
+This option lists only the public objects. (Note that on some PKCS#11 devices, all
+objects are private.)
+.TP
+.B \fB\-m module\fP
+This option specifies the PKCS#11 provider module. This must be the full path to a
+shared library object implementing the PKCS#11 API for the device.
+.TP
+.B \fB\-s slot\fP
+This option opens the session with the given PKCS#11 slot. The default is slot 0.
+.TP
+.B \fB\-i ID\fP
+This option lists only key objects with the given object ID.
+.TP
+.B \fB\-l label\fP
+This option lists only key objects with the given label.
+.TP
+.B \fB\-p PIN\fP
+This option specifies the \fBPIN\fP for the device. If no \fBPIN\fP is provided on the command
+line, \fBpkcs11\-list\fP prompts for it.
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fBpkcs11\-destroy(8)\fP, \fBpkcs11\-keygen(8)\fP, \fBpkcs11\-tokens(8)\fP
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/pkcs11-list.rst b/doc/man/pkcs11-list.rst
new file mode 100644
index 0000000..a2eebef
--- /dev/null
+++ b/doc/man/pkcs11-list.rst
@@ -0,0 +1,14 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+:orphan:
+
+.. include:: ../../bin/pkcs11/pkcs11-list.rst
diff --git a/doc/man/pkcs11-tokens.8in b/doc/man/pkcs11-tokens.8in
new file mode 100644
index 0000000..4c29201
--- /dev/null
+++ b/doc/man/pkcs11-tokens.8in
@@ -0,0 +1,58 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "PKCS11-TOKENS" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+pkcs11-tokens \- list PKCS#11 available tokens
+.SH SYNOPSIS
+.sp
+\fBpkcs11\-tokens\fP [\fB\-m\fP module] [\fB\-v\fP]
+.SH DESCRIPTION
+.sp
+\fBpkcs11\-tokens\fP lists the PKCS#11 available tokens with defaults from
+the slot/token scan performed at application initialization.
+.SH OPTIONS
+.INDENT 0.0
+.TP
+.B \fB\-m module\fP
+This option specifies the PKCS#11 provider module. This must be the full path to a
+shared library object implementing the PKCS#11 API for the device.
+.TP
+.B \fB\-v\fP
+This option makes the PKCS#11 libisc initialization verbose.
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fBpkcs11\-destroy(8)\fP, \fBpkcs11\-keygen(8)\fP, \fBpkcs11\-list(8)\fP
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/pkcs11-tokens.rst b/doc/man/pkcs11-tokens.rst
new file mode 100644
index 0000000..3c8129d
--- /dev/null
+++ b/doc/man/pkcs11-tokens.rst
@@ -0,0 +1,14 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+:orphan:
+
+.. include:: ../../bin/pkcs11/pkcs11-tokens.rst
diff --git a/doc/man/rndc-confgen.8in b/doc/man/rndc-confgen.8in
new file mode 100644
index 0000000..fb7f6aa
--- /dev/null
+++ b/doc/man/rndc-confgen.8in
@@ -0,0 +1,119 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "RNDC-CONFGEN" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+rndc-confgen \- rndc key generation tool
+.SH SYNOPSIS
+.sp
+\fBrndc\-confgen\fP [\fB\-a\fP] [\fB\-A\fP algorithm] [\fB\-b\fP keysize] [\fB\-c\fP keyfile] [\fB\-h\fP] [\fB\-k\fP keyname] [\fB\-p\fP port] [\fB\-s\fP address] [\fB\-t\fP chrootdir] [\fB\-u\fP user]
+.SH DESCRIPTION
+.sp
+\fBrndc\-confgen\fP generates configuration files for \fBrndc\fP\&. It can be
+used as a convenient alternative to writing the \fBrndc.conf\fP file and
+the corresponding \fBcontrols\fP and \fBkey\fP statements in \fBnamed.conf\fP
+by hand. Alternatively, it can be run with the \fB\-a\fP option to set up a
+\fBrndc.key\fP file and avoid the need for a \fBrndc.conf\fP file and a
+\fBcontrols\fP statement altogether.
+.SH OPTIONS
+.INDENT 0.0
+.TP
+.B \fB\-a\fP
+This option sets automatic \fBrndc\fP configuration, which creates a file \fBrndc.key\fP
+in \fB/etc\fP (or a different \fBsysconfdir\fP specified when BIND
+was built) that is read by both \fBrndc\fP and \fBnamed\fP on startup.
+The \fBrndc.key\fP file defines a default command channel and
+authentication key allowing \fBrndc\fP to communicate with \fBnamed\fP on
+the local host with no further configuration.
+.sp
+If a more elaborate configuration than that generated by
+\fBrndc\-confgen \-a\fP is required, for example if rndc is to be used
+remotely, run \fBrndc\-confgen\fP without the \fB\-a\fP option
+and set up \fBrndc.conf\fP and \fBnamed.conf\fP as directed.
+.TP
+.B \fB\-A algorithm\fP
+This option specifies the algorithm to use for the TSIG key. Available choices
+are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384, and
+hmac\-sha512. The default is hmac\-sha256.
+.TP
+.B \fB\-b keysize\fP
+This option specifies the size of the authentication key in bits. The size must be between
+1 and 512 bits; the default is the hash size.
+.TP
+.B \fB\-c keyfile\fP
+This option is used with the \fB\-a\fP option to specify an alternate location for
+\fBrndc.key\fP\&.
+.TP
+.B \fB\-h\fP
+This option prints a short summary of the options and arguments to
+\fBrndc\-confgen\fP\&.
+.TP
+.B \fB\-k keyname\fP
+This option specifies the key name of the \fBrndc\fP authentication key. This must be a
+valid domain name. The default is \fBrndc\-key\fP\&.
+.TP
+.B \fB\-p port\fP
+This option specifies the command channel port where \fBnamed\fP listens for
+connections from \fBrndc\fP\&. The default is 953.
+.TP
+.B \fB\-s address\fP
+This option specifies the IP address where \fBnamed\fP listens for command\-channel
+connections from \fBrndc\fP\&. The default is the loopback address
+127.0.0.1.
+.TP
+.B \fB\-t chrootdir\fP
+This option is used with the \fB\-a\fP option to specify a directory where \fBnamed\fP
+runs chrooted. An additional copy of the \fBrndc.key\fP is
+written relative to this directory, so that it is found by the
+chrooted \fBnamed\fP\&.
+.TP
+.B \fB\-u user\fP
+This option is used with the \fB\-a\fP option to set the owner of the generated \fBrndc.key\fP file.
+If \fB\-t\fP is also specified, only the file in the chroot
+area has its owner changed.
+.UNINDENT
+.SH EXAMPLES
+.sp
+To allow \fBrndc\fP to be used with no manual configuration, run:
+.sp
+\fBrndc\-confgen \-a\fP
+.sp
+To print a sample \fBrndc.conf\fP file and the corresponding \fBcontrols\fP and
+\fBkey\fP statements to be manually inserted into \fBnamed.conf\fP, run:
+.sp
+\fBrndc\-confgen\fP
+.SH SEE ALSO
+.sp
+\fBrndc(8)\fP, \fBrndc.conf(5)\fP, \fBnamed(8)\fP, BIND 9 Administrator Reference Manual.
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/rndc-confgen.rst b/doc/man/rndc-confgen.rst
new file mode 100644
index 0000000..dac57ba
--- /dev/null
+++ b/doc/man/rndc-confgen.rst
@@ -0,0 +1,14 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+:orphan:
+
+.. include:: ../../bin/confgen/rndc-confgen.rst
diff --git a/doc/man/rndc.8in b/doc/man/rndc.8in
new file mode 100644
index 0000000..dba9922
--- /dev/null
+++ b/doc/man/rndc.8in
@@ -0,0 +1,627 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "RNDC" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+rndc \- name server control utility
+.SH SYNOPSIS
+.sp
+\fBrndc\fP [\fB\-b\fP source\-address] [\fB\-c\fP config\-file] [\fB\-k\fP key\-file] [\fB\-s\fP server] [\fB\-p\fP port] [\fB\-q\fP] [\fB\-r\fP] [\fB\-V\fP] [\fB\-y\fP key_id] [[\fB\-4\fP] | [\fB\-6\fP]] {command}
+.SH DESCRIPTION
+.sp
+\fBrndc\fP controls the operation of a name server; it supersedes the
+\fBndc\fP utility. If \fBrndc\fP is
+invoked with no command line options or arguments, it prints a short
+summary of the supported commands and the available options and their
+arguments.
+.sp
+\fBrndc\fP communicates with the name server over a TCP connection,
+sending commands authenticated with digital signatures. In the current
+versions of \fBrndc\fP and \fBnamed\fP, the only supported authentication
+algorithms are HMAC\-MD5 (for compatibility), HMAC\-SHA1, HMAC\-SHA224,
+HMAC\-SHA256 (default), HMAC\-SHA384, and HMAC\-SHA512. They use a shared
+secret on each end of the connection, which provides TSIG\-style
+authentication for the command request and the name server\(aqs response.
+All commands sent over the channel must be signed by a key_id known to
+the server.
+.sp
+\fBrndc\fP reads a configuration file to determine how to contact the name
+server and decide what algorithm and key it should use.
+.SH OPTIONS
+.INDENT 0.0
+.TP
+.B \fB\-4\fP
+This option indicates use of IPv4 only.
+.TP
+.B \fB\-6\fP
+This option indicates use of IPv6 only.
+.TP
+.B \fB\-b source\-address\fP
+This option indicates \fBsource\-address\fP as the source address for the connection to the
+server. Multiple instances are permitted, to allow setting of both the
+IPv4 and IPv6 source addresses.
+.TP
+.B \fB\-c config\-file\fP
+This option indicates \fBconfig\-file\fP as the configuration file instead of the default,
+\fB/etc/rndc.conf\fP\&.
+.TP
+.B \fB\-k key\-file\fP
+This option indicates \fBkey\-file\fP as the key file instead of the default,
+\fB/etc/rndc.key\fP\&. The key in \fB/etc/rndc.key\fP is used to
+authenticate commands sent to the server if the config\-file does not
+exist.
+.TP
+.B \fB\-s server\fP
+\fBserver\fP is the name or address of the server which matches a server
+statement in the configuration file for \fBrndc\fP\&. If no server is
+supplied on the command line, the host named by the default\-server
+clause in the options statement of the \fBrndc\fP configuration file
+is used.
+.TP
+.B \fB\-p port\fP
+This option instructs BIND 9 to send commands to TCP port \fBport\fP instead of its default control
+channel port, 953.
+.TP
+.B \fB\-q\fP
+This option sets quiet mode, where message text returned by the server is not printed
+unless there is an error.
+.TP
+.B \fB\-r\fP
+This option instructs \fBrndc\fP to print the result code returned by \fBnamed\fP
+after executing the requested command (e.g., ISC_R_SUCCESS,
+ISC_R_FAILURE, etc.).
+.TP
+.B \fB\-V\fP
+This option enables verbose logging.
+.TP
+.B \fB\-y key_id\fP
+This option indicates use of the key \fBkey_id\fP from the configuration file. For control message validation to succeed, \fBkey_id\fP must be known
+by \fBnamed\fP with the same algorithm and secret string. If no \fBkey_id\fP is specified,
+\fBrndc\fP first looks for a key clause in the server statement of
+the server being used, or if no server statement is present for that
+host, then in the default\-key clause of the options statement. Note that
+the configuration file contains shared secrets which are used to send
+authenticated control commands to name servers, and should therefore
+not have general read or write access.
+.UNINDENT
+.SH COMMANDS
+.sp
+A list of commands supported by \fBrndc\fP can be seen by running \fBrndc\fP
+without arguments.
+.sp
+Currently supported commands are:
+.INDENT 0.0
+.TP
+.B \fBaddzone\fP \fIzone\fP [\fIclass\fP [\fIview\fP]] \fIconfiguration\fP
+This command adds a zone while the server is running. This command requires the
+\fBallow\-new\-zones\fP option to be set to \fByes\fP\&. The configuration
+string specified on the command line is the zone configuration text
+that would ordinarily be placed in \fBnamed.conf\fP\&.
+.sp
+The configuration is saved in a file called \fBviewname.nzf\fP (or, if
+\fBnamed\fP is compiled with liblmdb, an LMDB database file called
+\fBviewname.nzd\fP). \fBviewname\fP is the name of the view, unless the view
+name contains characters that are incompatible with use as a file
+name, in which case a cryptographic hash of the view name is used
+instead. When \fBnamed\fP is restarted, the file is loaded into
+the view configuration so that zones that were added can persist
+after a restart.
+.sp
+This sample \fBaddzone\fP command adds the zone \fBexample.com\fP to
+the default view:
+.sp
+\fBrndc addzone example.com \(aq{ type master; file \(dqexample.com.db\(dq; };\(aq\fP
+.sp
+(Note the brackets around and semi\-colon after the zone configuration
+text.)
+.sp
+See also \fBrndc delzone\fP and \fBrndc modzone\fP\&.
+.TP
+\fBdelzone\fP [\fB\-clean\fP] \fIzone\fP [\fIclass\fP [\fIview\fP]]
+This command deletes a zone while the server is running.
+.sp
+If the \fB\-clean\fP argument is specified, the zone\(aqs master file (and
+journal file, if any) are deleted along with the zone. Without
+the \fB\-clean\fP option, zone files must be deleted manually. (If the
+zone is of type \fBsecondary\fP or \fBstub\fP, the files needing to be removed
+are reported in the output of the \fBrndc delzone\fP command.)
+.sp
+If the zone was originally added via \fBrndc addzone\fP, then it is
+removed permanently. However, if it was originally configured in
+\fBnamed.conf\fP, then that original configuration remains in place;
+when the server is restarted or reconfigured, the zone is
+recreated. To remove it permanently, it must also be removed from
+\fBnamed.conf\fP\&.
+.sp
+See also \fBrndc addzone\fP and \fBrndc modzone\fP\&.
+.TP
+\fBdnssec\fP ( \fB\-status\fP | \fB\-rollover\fP \fB\-key\fP id [\fB\-alg\fP \fIalgorithm\fP] [\fB\-when\fP \fItime\fP] | \fB\-checkds\fP [\fB\-key\fP \fIid\fP [\fB\-alg\fP \fIalgorithm\fP]] [\fB\-when\fP \fItime\fP] ( \fIpublished\fP | \fIwithdrawn\fP )) \fIzone\fP [\fIclass\fP [\fIview\fP]]
+This command allows you to interact with the \(dqdnssec\-policy\(dq of a given
+zone.
+.sp
+\fBrndc dnssec \-status\fP show the DNSSEC signing state for the specified
+zone.
+.sp
+\fBrndc dnssec \-rollover\fP allows you to schedule key rollover for a
+specific key (overriding the original key lifetime).
+.sp
+\fBrndc dnssec \-checkds\fP informs \fBnamed\fP that the DS for
+a specified zone\(aqs key\-signing key has been confirmed to be published
+in, or withdrawn from, the parent zone. This is required in order to
+complete a KSK rollover.  The \fB\-key id\fP and \fB\-alg algorithm\fP arguments
+can be used to specify a particular KSK, if necessary; if there is only
+one key acting as a KSK for the zone, these arguments can be omitted.
+The time of publication or withdrawal for the DS is set to the current
+time by default, but can be overridden to a specific time with the
+argument \fB\-when time\fP, where \fBtime\fP is expressed in YYYYMMDDHHMMSS
+notation.
+.TP
+\fBdnstap\fP ( \fB\-reopen\fP | \fB\-roll\fP [\fInumber\fP] )
+This command closes and re\-opens DNSTAP output files.
+.sp
+\fBrndc dnstap \-reopen\fP allows
+the output file to be renamed externally, so that \fBnamed\fP can
+truncate and re\-open it.
+.sp
+\fBrndc dnstap \-roll\fP causes the output file
+to be rolled automatically, similar to log files. The most recent
+output file has \(dq.0\(dq appended to its name; the previous most recent
+output file is moved to \(dq.1\(dq, and so on. If \fBnumber\fP is specified, then
+the number of backup log files is limited to that number.
+.TP
+\fBdumpdb\fP [\fB\-all\fP | \fB\-cache\fP | \fB\-zones\fP | \fB\-adb\fP | \fB\-bad\fP | \fB\-expired\fP | \fB\-fail\fP] [\fIview ...\fP]
+This command dumps the server\(aqs caches (default) and/or zones to the dump file for
+the specified views. If no view is specified, all views are dumped.
+(See the \fBdump\-file\fP option in the BIND 9 Administrator Reference
+Manual.)
+.TP
+.B \fBflush\fP
+This command flushes the server\(aqs cache.
+.TP
+.B \fBflushname\fP \fIname\fP [\fIview\fP]
+This command flushes the given name from the view\(aqs DNS cache and, if applicable,
+from the view\(aqs nameserver address database, bad server cache, and
+SERVFAIL cache.
+.TP
+.B \fBflushtree\fP \fIname\fP [\fIview\fP]
+This command flushes the given name, and all of its subdomains, from the view\(aqs
+DNS cache, address database, bad server cache, and SERVFAIL cache.
+.TP
+.B \fBfreeze\fP [\fIzone\fP [\fIclass\fP [\fIview\fP]]]
+This command suspends updates to a dynamic zone. If no zone is specified, then all
+zones are suspended. This allows manual edits to be made to a zone
+normally updated by dynamic update, and causes changes in the
+journal file to be synced into the master file. All dynamic update
+attempts are refused while the zone is frozen.
+.sp
+See also \fBrndc thaw\fP\&.
+.TP
+\fBhalt\fP [\fB\-p\fP]
+This command stops the server immediately. Recent changes made through dynamic
+update or IXFR are not saved to the master files, but are rolled
+forward from the journal files when the server is restarted. If
+\fB\-p\fP is specified, \fBnamed\fP\(aqs process ID is returned. This allows
+an external process to determine when \fBnamed\fP has completed
+halting.
+.sp
+See also \fBrndc stop\fP\&.
+.TP
+.B \fBloadkeys\fP [\fIzone\fP [\fIclass\fP [\fIview\fP]]]
+This command fetches all DNSSEC keys for the given zone from the key directory. If
+they are within their publication period, they are merged into the
+zone\(aqs DNSKEY RRset. Unlike \fBrndc sign\fP, however, the zone is not
+immediately re\-signed by the new keys, but is allowed to
+incrementally re\-sign over time.
+.sp
+This command requires that the zone be configured with a \fBdnssec\-policy\fP, or
+that the \fBauto\-dnssec\fP zone option be set to \fBmaintain\fP, and also requires the
+zone to be configured to allow dynamic DNS. (See \(dqDynamic Update Policies\(dq in
+the Administrator Reference Manual for more details.)
+.TP
+.B \fBmanaged\-keys\fP (\fIstatus\fP | \fIrefresh\fP | \fIsync\fP | \fIdestroy\fP) [\fIclass\fP [\fIview\fP]]
+This command inspects and controls the \(dqmanaged\-keys\(dq database which handles
+\fI\%RFC 5011\fP DNSSEC trust anchor maintenance. If a view is specified, these
+commands are applied to that view; otherwise, they are applied to all
+views.
+.INDENT 7.0
+.IP \(bu 2
+When run with the \fBstatus\fP keyword, this prints the current status of
+the managed\-keys database.
+.IP \(bu 2
+When run with the \fBrefresh\fP keyword, this forces an immediate refresh
+query to be sent for all the managed keys, updating the
+managed\-keys database if any new keys are found, without waiting
+the normal refresh interval.
+.IP \(bu 2
+When run with the \fBsync\fP keyword, this forces an immediate dump of
+the managed\-keys database to disk (in the file
+\fBmanaged\-keys.bind\fP or (\fBviewname.mkeys\fP). This synchronizes
+the database with its journal file, so that the database\(aqs current
+contents can be inspected visually.
+.IP \(bu 2
+When run with the \fBdestroy\fP keyword, the managed\-keys database
+is shut down and deleted, and all key maintenance is terminated.
+This command should be used only with extreme caution.
+.sp
+Existing keys that are already trusted are not deleted from
+memory; DNSSEC validation can continue after this command is used.
+However, key maintenance operations cease until \fBnamed\fP is
+restarted or reconfigured, and all existing key maintenance states
+are deleted.
+.sp
+Running \fBrndc reconfig\fP or restarting \fBnamed\fP immediately
+after this command causes key maintenance to be reinitialized
+from scratch, just as if the server were being started for the
+first time. This is primarily intended for testing, but it may
+also be used, for example, to jumpstart the acquisition of new
+keys in the event of a trust anchor rollover, or as a brute\-force
+repair for key maintenance problems.
+.UNINDENT
+.TP
+.B \fBmodzone\fP \fIzone\fP [\fIclass\fP [\fIview\fP]] \fIconfiguration\fP
+This command modifies the configuration of a zone while the server is running. This
+command requires the \fBallow\-new\-zones\fP option to be set to \fByes\fP\&.
+As with \fBaddzone\fP, the configuration string specified on the
+command line is the zone configuration text that would ordinarily be
+placed in \fBnamed.conf\fP\&.
+.sp
+If the zone was originally added via \fBrndc addzone\fP, the
+configuration changes are recorded permanently and are still
+in effect after the server is restarted or reconfigured. However, if
+it was originally configured in \fBnamed.conf\fP, then that original
+configuration remains in place; when the server is restarted or
+reconfigured, the zone reverts to its original configuration. To
+make the changes permanent, it must also be modified in
+\fBnamed.conf\fP\&.
+.sp
+See also \fBrndc addzone\fP and \fBrndc delzone\fP\&.
+.TP
+.B \fBnotify\fP \fIzone\fP [\fIclass\fP [\fIview\fP]]
+This command resends NOTIFY messages for the zone.
+.TP
+.B \fBnotrace\fP
+This command sets the server\(aqs debugging level to 0.
+.sp
+See also \fBrndc trace\fP\&.
+.TP
+\fBnta\fP [( \fB\-class\fP \fIclass\fP | \fB\-dump\fP | \fB\-force\fP | \fB\-remove\fP | \fB\-lifetime\fP \fIduration\fP)] \fIdomain\fP [\fIview\fP]
+This command sets a DNSSEC negative trust anchor (NTA) for \fBdomain\fP, with a
+lifetime of \fBduration\fP\&. The default lifetime is configured in
+\fBnamed.conf\fP via the \fBnta\-lifetime\fP option, and defaults to one
+hour. The lifetime cannot exceed one week.
+.sp
+A negative trust anchor selectively disables DNSSEC validation for
+zones that are known to be failing because of misconfiguration rather
+than an attack. When data to be validated is at or below an active
+NTA (and above any other configured trust anchors), \fBnamed\fP
+aborts the DNSSEC validation process and treats the data as insecure
+rather than bogus. This continues until the NTA\(aqs lifetime has
+elapsed.
+.sp
+NTAs persist across restarts of the \fBnamed\fP server. The NTAs for a
+view are saved in a file called \fBname.nta\fP, where \fBname\fP is the name
+of the view; if it contains characters that are incompatible with
+use as a file name, a cryptographic hash is generated from the name of
+the view.
+.sp
+An existing NTA can be removed by using the \fB\-remove\fP option.
+.sp
+An NTA\(aqs lifetime can be specified with the \fB\-lifetime\fP option.
+TTL\-style suffixes can be used to specify the lifetime in seconds,
+minutes, or hours. If the specified NTA already exists, its lifetime
+is updated to the new value. Setting \fBlifetime\fP to zero is
+equivalent to \fB\-remove\fP\&.
+.sp
+If \fB\-dump\fP is used, any other arguments are ignored and a list
+of existing NTAs is printed. Note that this may include NTAs that are
+expired but have not yet been cleaned up.
+.sp
+Normally, \fBnamed\fP periodically tests to see whether data below
+an NTA can now be validated (see the \fBnta\-recheck\fP option in the
+Administrator Reference Manual for details). If data can be
+validated, then the NTA is regarded as no longer necessary and is
+allowed to expire early. The \fB\-force\fP parameter overrides this behavior
+and forces an NTA to persist for its entire lifetime, regardless of
+whether data could be validated if the NTA were not present.
+.sp
+The view class can be specified with \fB\-class\fP\&. The default is class
+\fBIN\fP, which is the only class for which DNSSEC is currently
+supported.
+.sp
+All of these options can be shortened, i.e., to \fB\-l\fP, \fB\-r\fP,
+\fB\-d\fP, \fB\-f\fP, and \fB\-c\fP\&.
+.sp
+Unrecognized options are treated as errors. To refer to a domain or
+view name that begins with a hyphen, use a double\-hyphen (\-\-) on the
+command line to indicate the end of options.
+.TP
+.B \fBquerylog\fP [(\fIon\fP | \fIoff\fP)]
+This command enables or disables query logging. For backward compatibility, this
+command can also be used without an argument to toggle query logging
+on and off.
+.sp
+Query logging can also be enabled by explicitly directing the
+\fBqueries\fP \fBcategory\fP to a \fBchannel\fP in the \fBlogging\fP section
+of \fBnamed.conf\fP, or by specifying \fBquerylog yes;\fP in the
+\fBoptions\fP section of \fBnamed.conf\fP\&.
+.TP
+.B \fBreconfig\fP
+This command reloads the configuration file and loads new zones, but does not reload
+existing zone files even if they have changed. This is faster than a
+full \fBreload\fP when there is a large number of zones, because it
+avoids the need to examine the modification times of the zone files.
+.TP
+.B \fBrecursing\fP
+This command dumps the list of queries \fBnamed\fP is currently
+recursing on, and the list of domains to which iterative queries
+are currently being sent.
+.sp
+The first list includes all unique clients that are waiting for
+recursion to complete, including the query that is awaiting a
+response and the timestamp (seconds since the Unix epoch) of
+when named started processing this client query.
+.sp
+The second list comprises of domains for which there are active
+(or recently active) fetches in progress.  It reports the number
+of active fetches for each domain and the number of queries that
+have been passed (allowed) or dropped (spilled) as a result of
+the \fBfetches\-per\-zone\fP limit.  (Note: these counters are not
+cumulative over time; whenever the number of active fetches for
+a domain drops to zero, the counter for that domain is deleted,
+and the next time a fetch is sent to that domain, it is recreated
+with the counters set to zero).
+.TP
+.B \fBrefresh\fP \fIzone\fP [\fIclass\fP [\fIview\fP]]
+This command schedules zone maintenance for the given zone.
+.TP
+.B \fBreload\fP
+This command reloads the configuration file and zones.
+.TP
+.B \fBreload\fP \fIzone\fP [\fIclass\fP [\fIview\fP]]
+This command reloads the given zone.
+.TP
+.B \fBretransfer\fP \fIzone\fP [\fIclass\fP [\fIview\fP]]
+This command retransfers the given secondary zone from the primary server.
+.sp
+If the zone is configured to use \fBinline\-signing\fP, the signed
+version of the zone is discarded; after the retransfer of the
+unsigned version is complete, the signed version is regenerated
+with new signatures.
+.TP
+.B \fBscan\fP
+This command scans the list of available network interfaces for changes, without
+performing a full \fBreconfig\fP or waiting for the
+\fBinterface\-interval\fP timer.
+.TP
+\fBsecroots\fP [\fB\-\fP] [\fIview\fP ...]
+This command dumps the security roots (i.e., trust anchors configured via
+\fBtrust\-anchors\fP, or the \fBmanaged\-keys\fP or \fBtrusted\-keys\fP statements
+[both deprecated], or \fBdnssec\-validation auto\fP) and negative trust anchors
+for the specified views. If no view is specified, all views are
+dumped. Security roots indicate whether they are configured as trusted
+keys, managed keys, or initializing managed keys (managed keys that have not
+yet been updated by a successful key refresh query).
+.sp
+If the first argument is \fB\-\fP, then the output is returned via the
+\fBrndc\fP response channel and printed to the standard output.
+Otherwise, it is written to the secroots dump file, which defaults to
+\fBnamed.secroots\fP, but can be overridden via the \fBsecroots\-file\fP
+option in \fBnamed.conf\fP\&.
+.sp
+See also \fBrndc managed\-keys\fP\&.
+.TP
+\fBserve\-stale\fP (\fBon\fP | \fBoff\fP | \fBreset\fP | \fBstatus\fP) [\fIclass\fP [\fIview\fP]]
+This command enables, disables, resets, or reports the current status of the serving
+of stale answers as configured in \fBnamed.conf\fP\&.
+.sp
+If serving of stale answers is disabled by \fBrndc\-serve\-stale off\fP,
+then it remains disabled even if \fBnamed\fP is reloaded or
+reconfigured. \fBrndc serve\-stale reset\fP restores the setting as
+configured in \fBnamed.conf\fP\&.
+.sp
+\fBrndc serve\-stale status\fP reports whether serving of stale
+answers is currently enabled, disabled by the configuration, or
+disabled by \fBrndc\fP\&. It also reports the values of
+\fBstale\-answer\-ttl\fP and \fBmax\-stale\-ttl\fP\&.
+.TP
+.B \fBshowzone\fP \fIzone\fP [\fIclass\fP [\fIview\fP]]
+This command prints the configuration of a running zone.
+.sp
+See also \fBrndc zonestatus\fP\&.
+.TP
+.B \fBsign\fP \fIzone\fP [\fIclass\fP [\fIview\fP]]
+This command fetches all DNSSEC keys for the given zone from the key directory (see
+the \fBkey\-directory\fP option in the BIND 9 Administrator Reference
+Manual). If they are within their publication period, they are merged into
+the zone\(aqs DNSKEY RRset. If the DNSKEY RRset is changed, then the
+zone is automatically re\-signed with the new key set.
+.sp
+This command requires that the zone be configured with a \fBdnssec\-policy\fP, or
+that the \fBauto\-dnssec\fP zone option be set to \fBallow\fP or \fBmaintain\fP,
+and also requires the zone to be configured to allow dynamic DNS. (See
+\(dqDynamic Update Policies\(dq in the BIND 9 Administrator Reference Manual for more
+details.)
+.sp
+See also \fBrndc loadkeys\fP\&.
+.TP
+\fBsigning\fP [(\fB\-list\fP | \fB\-clear\fP \fIkeyid/algorithm\fP | \fB\-clear\fP \fIall\fP | \fB\-nsec3param\fP ( \fIparameters\fP | none ) | \fB\-serial\fP \fIvalue\fP ) \fIzone\fP [\fIclass\fP [\fIview\fP]]
+This command lists, edits, or removes the DNSSEC signing\-state records for the
+specified zone. The status of ongoing DNSSEC operations, such as
+signing or generating NSEC3 chains, is stored in the zone in the form
+of DNS resource records of type \fBsig\-signing\-type\fP\&.
+\fBrndc signing \-list\fP converts these records into a human\-readable
+form, indicating which keys are currently signing or have finished
+signing the zone, and which NSEC3 chains are being created or
+removed.
+.sp
+\fBrndc signing \-clear\fP can remove a single key (specified in the
+same format that \fBrndc signing \-list\fP uses to display it), or all
+keys. In either case, only completed keys are removed; any record
+indicating that a key has not yet finished signing the zone is
+retained.
+.sp
+\fBrndc signing \-nsec3param\fP sets the NSEC3 parameters for a zone.
+This is the only supported mechanism for using NSEC3 with
+\fBinline\-signing\fP zones. Parameters are specified in the same format
+as an NSEC3PARAM resource record: \fBhash algorithm\fP, \fBflags\fP, \fBiterations\fP,
+and \fBsalt\fP, in that order.
+.sp
+Currently, the only defined value for \fBhash algorithm\fP is \fB1\fP,
+representing SHA\-1. The \fBflags\fP may be set to \fB0\fP or \fB1\fP,
+depending on whether the opt\-out bit in the NSEC3
+chain should be set. \fBiterations\fP defines the number of additional times to apply
+the algorithm when generating an NSEC3 hash. The \fBsalt\fP is a string
+of data expressed in hexadecimal, a hyphen (\fB\-\fP) if no salt is to be
+used, or the keyword \fBauto\fP, which causes \fBnamed\fP to generate a
+random 64\-bit salt.
+.sp
+The only recommended configuration is \fBrndc signing \-nsec3param 1 0 0 \- zone\fP,
+i.e. no salt, no additional iterations, no opt\-out.
+.sp
+\fBWARNING:\fP
+.INDENT 7.0
+.INDENT 3.5
+Do not use extra iterations, salt, or opt\-out unless all their implications
+are fully understood. A higher number of iterations causes interoperability
+problems and opens servers to CPU\-exhausting DoS attacks.
+.UNINDENT
+.UNINDENT
+.sp
+\fBrndc signing \-nsec3param none\fP removes an existing NSEC3 chain and
+replaces it with NSEC.
+.sp
+\fBrndc signing \-serial value\fP sets the serial number of the zone to
+\fBvalue\fP\&. If the value would cause the serial number to go backwards, it
+is rejected. The primary use of this parameter is to set the serial number on inline
+signed zones.
+.TP
+.B \fBstats\fP
+This command writes server statistics to the statistics file. (See the
+\fBstatistics\-file\fP option in the BIND 9 Administrator Reference
+Manual.)
+.TP
+.B \fBstatus\fP
+This command displays the status of the server. Note that the number of zones includes
+the internal \fBbind/CH\fP zone and the default \fB\&./IN\fP hint zone, if
+there is no explicit root zone configured.
+.TP
+\fBstop\fP \fB\-p\fP
+This command stops the server, making sure any recent changes made through dynamic
+update or IXFR are first saved to the master files of the updated
+zones. If \fB\-p\fP is specified, \fBnamed(8)\(ga\(aqs process ID is returned.
+This allows an external process to determine when \(ga\(ganamed\fP has
+completed stopping.
+.sp
+See also \fBrndc halt\fP\&.
+.TP
+\fBsync\fP \fB\-clean\fP [\fIzone\fP [\fIclass\fP [\fIview\fP]]]
+This command syncs changes in the journal file for a dynamic zone to the master
+file. If the \(dq\-clean\(dq option is specified, the journal file is also
+removed. If no zone is specified, then all zones are synced.
+.TP
+.B \fBtcp\-timeouts\fP [\fIinitial\fP \fIidle\fP \fIkeepalive\fP \fIadvertised\fP]
+When called without arguments, this command displays the current values of the
+\fBtcp\-initial\-timeout\fP, \fBtcp\-idle\-timeout\fP,
+\fBtcp\-keepalive\-timeout\fP, and \fBtcp\-advertised\-timeout\fP options.
+When called with arguments, these values are updated. This allows an
+administrator to make rapid adjustments when under a
+denial\-of\-service (DoS) attack. See the descriptions of these options in the BIND 9
+Administrator Reference Manual for details of their use.
+.TP
+.B \fBthaw\fP [\fIzone\fP [\fIclass\fP [\fIview\fP]]]
+This command enables updates to a frozen dynamic zone. If no zone is specified,
+then all frozen zones are enabled. This causes the server to reload
+the zone from disk, and re\-enables dynamic updates after the load has
+completed. After a zone is thawed, dynamic updates are no longer
+refused. If the zone has changed and the \fBixfr\-from\-differences\fP
+option is in use, the journal file is updated to reflect
+changes in the zone. Otherwise, if the zone has changed, any existing
+journal file is removed.
+.sp
+See also \fBrndc freeze\fP\&.
+.TP
+.B \fBtrace\fP
+This command increments the server\(aqs debugging level by one.
+.TP
+.B \fBtrace\fP \fIlevel\fP
+This command sets the server\(aqs debugging level to an explicit value.
+.sp
+See also \fBrndc notrace\fP\&.
+.TP
+.B \fBtsig\-delete\fP \fIkeyname\fP [\fIview\fP]
+This command deletes a given TKEY\-negotiated key from the server. This does not
+apply to statically configured TSIG keys.
+.TP
+.B \fBtsig\-list\fP
+This command lists the names of all TSIG keys currently configured for use by
+\fBnamed\fP in each view. The list includes both statically configured keys and
+dynamic TKEY\-negotiated keys.
+.TP
+\fBvalidation\fP (\fBon\fP | \fBoff\fP | \fBstatus\fP) [\fIview\fP ...]\(ga\(ga
+This command enables, disables, or checks the current status of DNSSEC validation. By
+default, validation is enabled.
+.sp
+The cache is flushed when validation is turned on or off to avoid using data
+that might differ between states.
+.TP
+.B \fBzonestatus\fP \fIzone\fP [\fIclass\fP [\fIview\fP]]
+This command displays the current status of the given zone, including the master
+file name and any include files from which it was loaded, when it was
+most recently loaded, the current serial number, the number of nodes,
+whether the zone supports dynamic updates, whether the zone is DNSSEC
+signed, whether it uses automatic DNSSEC key management or inline
+signing, and the scheduled refresh or expiry times for the zone.
+.sp
+See also \fBrndc showzone\fP\&.
+.UNINDENT
+.sp
+\fBrndc\fP commands that specify zone names, such as \fBreload\fP,
+\fBretransfer\fP, or \fBzonestatus\fP, can be ambiguous when applied to zones
+of type \fBredirect\fP\&. Redirect zones are always called \fB\&.\fP, and can be
+confused with zones of type \fBhint\fP or with secondary copies of the root
+zone. To specify a redirect zone, use the special zone name
+\fB\-redirect\fP, without a trailing period. (With a trailing period, this
+would specify a zone called \(dq\-redirect\(dq.)
+.SH LIMITATIONS
+.sp
+There is currently no way to provide the shared secret for a \fBkey_id\fP
+without using the configuration file.
+.sp
+Several error messages could be clearer.
+.SH SEE ALSO
+.sp
+\fBrndc.conf(5)\fP, \fBrndc\-confgen(8)\fP,
+\fBnamed(8)\fP, \fBnamed.conf(5)\fP, \fBndc(8)\fP, BIND 9 Administrator
+Reference Manual.
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/rndc.conf.5in b/doc/man/rndc.conf.5in
new file mode 100644
index 0000000..54a0847
--- /dev/null
+++ b/doc/man/rndc.conf.5in
@@ -0,0 +1,196 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "RNDC.CONF" "5" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+rndc.conf \- rndc configuration file
+.SH SYNOPSIS
+.sp
+\fBrndc.conf\fP
+.SH DESCRIPTION
+.sp
+\fBrndc.conf\fP is the configuration file for \fBrndc\fP, the BIND 9 name
+server control utility. This file has a similar structure and syntax to
+\fBnamed.conf\fP\&. Statements are enclosed in braces and terminated with a
+semi\-colon. Clauses in the statements are also semi\-colon terminated.
+The usual comment styles are supported:
+.sp
+C style: /* */
+.sp
+C++ style: // to end of line
+.sp
+Unix style: # to end of line
+.sp
+\fBrndc.conf\fP is much simpler than \fBnamed.conf\fP\&. The file uses three
+statements: an options statement, a server statement, and a key
+statement.
+.sp
+The \fBoptions\fP statement contains five clauses. The \fBdefault\-server\fP
+clause is followed by the name or address of a name server. This host
+is used when no name server is given as an argument to \fBrndc\fP\&.
+The \fBdefault\-key\fP clause is followed by the name of a key, which is
+identified by a \fBkey\fP statement. If no \fBkeyid\fP is provided on the
+rndc command line, and no \fBkey\fP clause is found in a matching
+\fBserver\fP statement, this default key is used to authenticate the
+server\(aqs commands and responses. The \fBdefault\-port\fP clause is followed
+by the port to connect to on the remote name server. If no \fBport\fP
+option is provided on the rndc command line, and no \fBport\fP clause is
+found in a matching \fBserver\fP statement, this default port is used
+to connect. The \fBdefault\-source\-address\fP and
+\fBdefault\-source\-address\-v6\fP clauses can be used to set the IPv4
+and IPv6 source addresses respectively.
+.sp
+After the \fBserver\fP keyword, the server statement includes a string
+which is the hostname or address for a name server. The statement has
+three possible clauses: \fBkey\fP, \fBport\fP, and \fBaddresses\fP\&. The key
+name must match the name of a key statement in the file. The port number
+specifies the port to connect to. If an \fBaddresses\fP clause is supplied,
+these addresses are used instead of the server name. Each address
+can take an optional port. If an \fBsource\-address\fP or
+\fBsource\-address\-v6\fP is supplied, it is used to specify the
+IPv4 and IPv6 source address, respectively.
+.sp
+The \fBkey\fP statement begins with an identifying string, the name of the
+key. The statement has two clauses. \fBalgorithm\fP identifies the
+authentication algorithm for \fBrndc\fP to use; currently only HMAC\-MD5
+(for compatibility), HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256 (default),
+HMAC\-SHA384, and HMAC\-SHA512 are supported. This is followed by a secret
+clause which contains the base\-64 encoding of the algorithm\(aqs
+authentication key. The base\-64 string is enclosed in double quotes.
+.sp
+There are two common ways to generate the base\-64 string for the secret.
+The BIND 9 program \fBrndc\-confgen\fP can be used to generate a random
+key, or the \fBmmencode\fP program, also known as \fBmimencode\fP, can be
+used to generate a base\-64 string from known input. \fBmmencode\fP does
+not ship with BIND 9 but is available on many systems. See the Example
+section for sample command lines for each.
+.SH EXAMPLE
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+options {
+  default\-server  localhost;
+  default\-key     samplekey;
+};
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+server localhost {
+  key             samplekey;
+};
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+server testserver {
+  key     testkey;
+  addresses   { localhost port 5353; };
+};
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+key samplekey {
+  algorithm       hmac\-sha256;
+  secret          \(dq6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz\(dq;
+};
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+key testkey {
+  algorithm   hmac\-sha256;
+  secret      \(dqR3HI8P6BKw9ZwXwN3VZKuQ==\(dq;
+};
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+In the above example, \fBrndc\fP by default uses the server at
+localhost (127.0.0.1) and the key called \(dqsamplekey\(dq. Commands to the
+localhost server use the \(dqsamplekey\(dq key, which must also be defined
+in the server\(aqs configuration file with the same name and secret. The
+key statement indicates that \(dqsamplekey\(dq uses the HMAC\-SHA256 algorithm
+and its secret clause contains the base\-64 encoding of the HMAC\-SHA256
+secret enclosed in double quotes.
+.sp
+If \fBrndc \-s testserver\fP is used, then \fBrndc\fP connects to the server
+on localhost port 5353 using the key \(dqtestkey\(dq.
+.sp
+To generate a random secret with \fBrndc\-confgen\fP:
+.sp
+\fBrndc\-confgen\fP
+.sp
+A complete \fBrndc.conf\fP file, including the randomly generated key,
+is written to the standard output. Commented\-out \fBkey\fP and
+\fBcontrols\fP statements for \fBnamed.conf\fP are also printed.
+.sp
+To generate a base\-64 secret with \fBmmencode\fP:
+.sp
+\fBecho \(dqknown plaintext for a secret\(dq | mmencode\fP
+.SH NAME SERVER CONFIGURATION
+.sp
+The name server must be configured to accept rndc connections and to
+recognize the key specified in the \fBrndc.conf\fP file, using the
+controls statement in \fBnamed.conf\fP\&. See the sections on the
+\fBcontrols\fP statement in the BIND 9 Administrator Reference Manual for
+details.
+.SH SEE ALSO
+.sp
+\fBrndc(8)\fP, \fBrndc\-confgen(8)\fP, \fBmmencode(1)\fP, BIND 9 Administrator Reference Manual.
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/rndc.conf.rst b/doc/man/rndc.conf.rst
new file mode 100644
index 0000000..f575060
--- /dev/null
+++ b/doc/man/rndc.conf.rst
@@ -0,0 +1,14 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+:orphan:
+
+.. include:: ../../bin/rndc/rndc.conf.rst
diff --git a/doc/man/rndc.rst b/doc/man/rndc.rst
new file mode 100644
index 0000000..a330531
--- /dev/null
+++ b/doc/man/rndc.rst
@@ -0,0 +1,14 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+:orphan:
+
+.. include:: ../../bin/rndc/rndc.rst
diff --git a/doc/man/tsig-keygen.8in b/doc/man/tsig-keygen.8in
new file mode 100644
index 0000000..e094902
--- /dev/null
+++ b/doc/man/tsig-keygen.8in
@@ -0,0 +1,64 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "TSIG-KEYGEN" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+tsig-keygen \- TSIG key generation tool
+.SH SYNOPSIS
+.sp
+\fBtsig\-keygen\fP [\fB\-a\fP algorithm] [\fB\-h\fP] [name]
+.SH DESCRIPTION
+.sp
+\fBtsig\-keygen\fP is an utility that generates keys for use in TSIG signing.
+The resulting keys can be used, for example, to secure dynamic DNS updates
+to a zone, or for the \fBrndc\fP command channel.
+.sp
+A domain name can be specified on the command line to be used as the name
+of the generated key. If no name is specified, the default is \fBtsig\-key\fP\&.
+.SH OPTIONS
+.INDENT 0.0
+.TP
+.B \fB\-a algorithm\fP
+This option specifies the algorithm to use for the TSIG key. Available
+choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384,
+and hmac\-sha512. The default is hmac\-sha256. Options are
+case\-insensitive, and the \(dqhmac\-\(dq prefix may be omitted.
+.TP
+.B \fB\-h\fP
+This option prints a short summary of options and arguments.
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fBnsupdate(1)\fP, \fBnamed.conf(5)\fP, \fBnamed(8)\fP, BIND 9 Administrator Reference Manual.
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.
diff --git a/doc/man/tsig-keygen.rst b/doc/man/tsig-keygen.rst
new file mode 100644
index 0000000..fbd957d
--- /dev/null
+++ b/doc/man/tsig-keygen.rst
@@ -0,0 +1,14 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+:orphan:
+
+.. include:: ../../bin/confgen/tsig-keygen.rst
diff --git a/doc/misc/Makefile.in b/doc/misc/Makefile.in
new file mode 100644
index 0000000..35c79f1
--- /dev/null
+++ b/doc/misc/Makefile.in
@@ -0,0 +1,83 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+@BIND9_MAKE_RULES@
+
+PERL = @PERL@
+
+MANOBJS = options
+
+doc man:: ${MANOBJS}
+
+docclean manclean maintainer-clean::
+	rm -f options
+
+# Do not make options depend on ../../bin/tests/cfg_test, doing so
+# will cause excessively clever versions of make to attempt to build
+# that program right here, right now, if it is missing, which will
+# cause make doc to bomb.
+
+CFG_TEST = ../../bin/tests/cfg_test
+
+options: FORCE
+	if test -x ${CFG_TEST} ; \
+	then \
+		${CFG_TEST} --named --grammar > $@.raw ; \
+		${PERL} ${srcdir}/sort-options.pl < $@.raw > $@.sorted ; \
+		${PERL} ${srcdir}/format-options.pl < $@.sorted > $@.new ; \
+		mv -f $@.new $@ ; \
+		${CFG_TEST} --named --grammar --active > $@.raw ; \
+		${PERL} ${srcdir}/sort-options.pl < $@.raw > $@.sorted ; \
+		${PERL} ${srcdir}/format-options.pl < $@.sorted > $@.new ; \
+		mv -f $@.new $@.active ; \
+		rm -f $@.raw $@.sorted ; \
+		${CFG_TEST} --zonegrammar master --active > master.zoneopt ; \
+		${CFG_TEST} --zonegrammar slave --active > slave.zoneopt ; \
+		${CFG_TEST} --zonegrammar mirror --active > mirror.zoneopt ; \
+		${CFG_TEST} --zonegrammar forward --active > forward.zoneopt ; \
+		${CFG_TEST} --zonegrammar hint --active > hint.zoneopt ; \
+		${CFG_TEST} --zonegrammar stub --active > stub.zoneopt ; \
+		${CFG_TEST} --zonegrammar static-stub --active > static-stub.zoneopt ; \
+		${CFG_TEST} --zonegrammar redirect --active > redirect.zoneopt ; \
+		${CFG_TEST} --zonegrammar delegation-only --active > delegation-only.zoneopt ; \
+		${CFG_TEST} --zonegrammar in-view --active > in-view.zoneopt ; \
+	else \
+		rm -f $@.new $@.raw $@.sorted ; \
+	fi
+
+rst: options rst-options.pl rst-zoneopt.pl rst-grammars.pl
+	${PERL} rst-options.pl options.active > ${top_srcdir}/bin/named/named.conf.rst
+	${PERL} rst-zoneopt.pl master.zoneopt > master.zoneopt.rst
+	${PERL} rst-zoneopt.pl slave.zoneopt > slave.zoneopt.rst
+	${PERL} rst-zoneopt.pl mirror.zoneopt > mirror.zoneopt.rst
+	${PERL} rst-zoneopt.pl forward.zoneopt > forward.zoneopt.rst
+	${PERL} rst-zoneopt.pl hint.zoneopt > hint.zoneopt.rst
+	${PERL} rst-zoneopt.pl stub.zoneopt > stub.zoneopt.rst
+	${PERL} rst-zoneopt.pl static-stub.zoneopt > static-stub.zoneopt.rst
+	${PERL} rst-zoneopt.pl redirect.zoneopt > redirect.zoneopt.rst
+	${PERL} rst-zoneopt.pl delegation-only.zoneopt > delegation-only.zoneopt.rst
+	${PERL} rst-zoneopt.pl in-view.zoneopt > in-view.zoneopt.rst
+	${PERL} rst-grammars.pl options.active acl > acl.grammar.rst
+	${PERL} rst-grammars.pl options.active controls > controls.grammar.rst
+	${PERL} rst-grammars.pl options.active key > key.grammar.rst
+	${PERL} rst-grammars.pl options.active logging > logging.grammar.rst
+	${PERL} rst-grammars.pl options.active parental-agents > parental-agents.grammar.rst
+	${PERL} rst-grammars.pl options.active primaries > primaries.grammar.rst
+	${PERL} rst-grammars.pl options.active options > options.grammar.rst
+	${PERL} rst-grammars.pl options.active server > server.grammar.rst
+	${PERL} rst-grammars.pl options.active statistics-channels > statistics-channels.grammar.rst
+	${PERL} rst-grammars.pl options.active trust-anchors > trust-anchors.grammar.rst
+	${PERL} rst-grammars.pl options.active managed-keys > managed-keys.grammar.rst
+	${PERL} rst-grammars.pl options.active trusted-keys > trusted-keys.grammar.rst
diff --git a/doc/misc/acl.grammar.rst b/doc/misc/acl.grammar.rst
new file mode 100644
index 0000000..d27dab3
--- /dev/null
+++ b/doc/misc/acl.grammar.rst
@@ -0,0 +1,14 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+::
+
+  acl <string> { <address_match_element>; ... };
diff --git a/doc/misc/controls.grammar.rst b/doc/misc/controls.grammar.rst
new file mode 100644
index 0000000..440bce4
--- /dev/null
+++ b/doc/misc/controls.grammar.rst
@@ -0,0 +1,24 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+::
+
+  controls {
+  	inet ( <ipv4_address> | <ipv6_address> |
+  	    * ) [ port ( <integer> | * ) ] allow
+  	    { <address_match_element>; ... } [
+  	    keys { <string>; ... } ] [ read-only
+  	    <boolean> ];
+  	unix <quoted_string> perm <integer>
+  	    owner <integer> group <integer> [
+  	    keys { <string>; ... } ] [ read-only
+  	    <boolean> ];
+  };
diff --git a/doc/misc/delegation-only.zoneopt b/doc/misc/delegation-only.zoneopt
new file mode 100644
index 0000000..ab86327
--- /dev/null
+++ b/doc/misc/delegation-only.zoneopt
@@ -0,0 +1,3 @@
+zone <string> [ <class> ] {
+	type delegation-only;
+};
diff --git a/doc/misc/delegation-only.zoneopt.rst b/doc/misc/delegation-only.zoneopt.rst
new file mode 100644
index 0000000..2a262d1
--- /dev/null
+++ b/doc/misc/delegation-only.zoneopt.rst
@@ -0,0 +1,16 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+::
+
+  zone <string> [ <class> ] {
+  	type delegation-only;
+  };
diff --git a/doc/misc/dnssec-policy.default.conf b/doc/misc/dnssec-policy.default.conf
new file mode 100644
index 0000000..00b8a14
--- /dev/null
+++ b/doc/misc/dnssec-policy.default.conf
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "default" {
+	// Keys
+	keys {
+		csk key-directory lifetime unlimited algorithm 13;
+	};
+
+	// Key timings
+	dnskey-ttl 3600;
+	publish-safety 1h;
+	retire-safety 1h;
+	purge-keys P90D;
+
+	// Signature timings
+	signatures-refresh 5d;
+	signatures-validity 14d;
+	signatures-validity-dnskey 14d;
+
+	// Zone parameters
+	max-zone-ttl 86400;
+	zone-propagation-delay 300;
+
+	// Parent parameters
+	parent-ds-ttl 86400;
+	parent-propagation-delay 1h;
+};
diff --git a/doc/misc/dnssec-policy.grammar.rst b/doc/misc/dnssec-policy.grammar.rst
new file mode 100644
index 0000000..b0b9692
--- /dev/null
+++ b/doc/misc/dnssec-policy.grammar.rst
@@ -0,0 +1,28 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+  dnssec-policy <string> {
+  	dnskey-ttl <duration>;
+  	keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime
+  	    <duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
+  	max-zone-ttl <duration>;
+  	nsec3param [ iterations <integer> ] [ optout <boolean> ] [
+  	    salt-length <integer> ];
+  	parent-ds-ttl <duration>;
+  	parent-propagation-delay <duration>;
+  	publish-safety <duration>;
+  	purge-keys <duration>;
+  	retire-safety <duration>;
+  	signatures-refresh <duration>;
+  	signatures-validity <duration>;
+  	signatures-validity-dnskey <duration>;
+  	zone-propagation-delay <duration>;
+  };
diff --git a/doc/misc/format-options.pl b/doc/misc/format-options.pl
new file mode 100644
index 0000000..f4a36c2
--- /dev/null
+++ b/doc/misc/format-options.pl
@@ -0,0 +1,43 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+print <<END;
+
+This is a summary of the named.conf options supported by
+this version of BIND 9.
+
+END
+
+# Break long lines
+while (<>) {
+	chomp;
+	s/\t/        /g;
+	my $line = $_;
+	m!^( *)!;
+	my $indent = $1;
+	my $comment = "";
+	if ( $line =~ m!//.*! ) {
+		$comment = $&;
+		$line =~ s!//.*!!;
+	}
+	my $start = "";
+	while (length($line) >= 79 - length($comment)) {
+		$_ = $line;
+		# this makes sure that the comment has something in front of it
+		$len = 75 - length($comment);
+		m!^(.{0,$len}) (.*)$!;
+		$start = $start.$1."\n";
+		$line = $indent."    ".$2;
+	}
+	print $start.$line.$comment."\n";
+}
diff --git a/doc/misc/forward.zoneopt b/doc/misc/forward.zoneopt
new file mode 100644
index 0000000..e694813
--- /dev/null
+++ b/doc/misc/forward.zoneopt
@@ -0,0 +1,6 @@
+zone <string> [ <class> ] {
+	type forward;
+	delegation-only <boolean>;
+	forward ( first | only );
+	forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
+};
diff --git a/doc/misc/forward.zoneopt.rst b/doc/misc/forward.zoneopt.rst
new file mode 100644
index 0000000..3ced3ac
--- /dev/null
+++ b/doc/misc/forward.zoneopt.rst
@@ -0,0 +1,19 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+::
+
+  zone <string> [ <class> ] {
+  	type forward;
+  	delegation-only <boolean>;
+  	forward ( first | only );
+  	forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
+  };
diff --git a/doc/misc/hint.zoneopt b/doc/misc/hint.zoneopt
new file mode 100644
index 0000000..d7ec16c
--- /dev/null
+++ b/doc/misc/hint.zoneopt
@@ -0,0 +1,6 @@
+zone <string> [ <class> ] {
+	type hint;
+	check-names ( fail | warn | ignore );
+	delegation-only <boolean>;
+	file <quoted_string>;
+};
diff --git a/doc/misc/hint.zoneopt.rst b/doc/misc/hint.zoneopt.rst
new file mode 100644
index 0000000..998e662
--- /dev/null
+++ b/doc/misc/hint.zoneopt.rst
@@ -0,0 +1,19 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+::
+
+  zone <string> [ <class> ] {
+  	type hint;
+  	check-names ( fail | warn | ignore );
+  	delegation-only <boolean>;
+  	file <quoted_string>;
+  };
diff --git a/doc/misc/in-view.zoneopt b/doc/misc/in-view.zoneopt
new file mode 100644
index 0000000..c63c427
--- /dev/null
+++ b/doc/misc/in-view.zoneopt
@@ -0,0 +1,3 @@
+zone <string> [ <class> ] {
+	in-view <string>;
+};
diff --git a/doc/misc/in-view.zoneopt.rst b/doc/misc/in-view.zoneopt.rst
new file mode 100644
index 0000000..df1a587
--- /dev/null
+++ b/doc/misc/in-view.zoneopt.rst
@@ -0,0 +1,16 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+::
+
+  zone <string> [ <class> ] {
+  	in-view <string>;
+  };
diff --git a/doc/misc/key.grammar.rst b/doc/misc/key.grammar.rst
new file mode 100644
index 0000000..a417997
--- /dev/null
+++ b/doc/misc/key.grammar.rst
@@ -0,0 +1,17 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+::
+
+  key <string> {
+  	algorithm <string>;
+  	secret <string>;
+  };
diff --git a/doc/misc/logging.grammar.rst b/doc/misc/logging.grammar.rst
new file mode 100644
index 0000000..377d6e9
--- /dev/null
+++ b/doc/misc/logging.grammar.rst
@@ -0,0 +1,28 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+::
+
+  logging {
+  	category <string> { <string>; ... };
+  	channel <string> {
+  		buffered <boolean>;
+  		file <quoted_string> [ versions ( unlimited | <integer> ) ]
+  		    [ size <size> ] [ suffix ( increment | timestamp ) ];
+  		null;
+  		print-category <boolean>;
+  		print-severity <boolean>;
+  		print-time ( iso8601 | iso8601-utc | local | <boolean> );
+  		severity <log_severity>;
+  		stderr;
+  		syslog [ <syslog_facility> ];
+  	};
+  };
diff --git a/doc/misc/managed-keys.grammar.rst b/doc/misc/managed-keys.grammar.rst
new file mode 100644
index 0000000..a57f8ef
--- /dev/null
+++ b/doc/misc/managed-keys.grammar.rst
@@ -0,0 +1,17 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+::
+
+  managed-keys { <string> ( static-key
+      | initial-key | static-ds |
+      initial-ds ) <integer> <integer>
+      <integer> <quoted_string>; ... };, deprecated
diff --git a/doc/misc/master.zoneopt b/doc/misc/master.zoneopt
new file mode 100644
index 0000000..953e3a2
--- /dev/null
+++ b/doc/misc/master.zoneopt
@@ -0,0 +1,61 @@
+zone <string> [ <class> ] {
+	type ( master | primary );
+	allow-query { <address_match_element>; ... };
+	allow-query-on { <address_match_element>; ... };
+	allow-transfer { <address_match_element>; ... };
+	allow-update { <address_match_element>; ... };
+	also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+	alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+	alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+	auto-dnssec ( allow | maintain | off ); // deprecated
+	check-dup-records ( fail | warn | ignore );
+	check-integrity <boolean>;
+	check-mx ( fail | warn | ignore );
+	check-mx-cname ( fail | warn | ignore );
+	check-names ( fail | warn | ignore );
+	check-sibling <boolean>;
+	check-spf ( warn | ignore );
+	check-srv-cname ( fail | warn | ignore );
+	check-wildcard <boolean>;
+	database <string>;
+	dialup ( notify | notify-passive | passive | refresh | <boolean> );
+	dlz <string>;
+	dnskey-sig-validity <integer>;
+	dnssec-dnskey-kskonly <boolean>;
+	dnssec-loadkeys-interval <integer>;
+	dnssec-policy <string>;
+	dnssec-secure-to-insecure <boolean>;
+	dnssec-update-mode ( maintain | no-resign );
+	file <quoted_string>;
+	forward ( first | only );
+	forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
+	inline-signing <boolean>;
+	ixfr-from-differences <boolean>;
+	journal <quoted_string>;
+	key-directory <quoted_string>;
+	masterfile-format ( map | raw | text );
+	masterfile-style ( full | relative );
+	max-ixfr-ratio ( unlimited | <percentage> );
+	max-journal-size ( default | unlimited | <sizeval> );
+	max-records <integer>;
+	max-transfer-idle-out <integer>;
+	max-transfer-time-out <integer>;
+	max-zone-ttl ( unlimited | <duration> );
+	notify ( explicit | master-only | primary-only | <boolean> );
+	notify-delay <integer>;
+	notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+	notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+	notify-to-soa <boolean>;
+	parental-agents [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+	parental-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+	parental-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+	serial-update-method ( date | increment | unixtime );
+	sig-signing-nodes <integer>;
+	sig-signing-signatures <integer>;
+	sig-signing-type <integer>;
+	sig-validity-interval <integer> [ <integer> ];
+	update-check-ksk <boolean>;
+	update-policy ( local | { ( deny | grant ) <string> ( 6to4-self | external | krb5-self | krb5-selfsub | krb5-subdomain | ms-self | ms-selfsub | ms-subdomain | name | self | selfsub | selfwild | subdomain | tcp-self | wildcard | zonesub ) [ <string> ] <rrtypelist>; ... } );
+	zero-no-soa-ttl <boolean>;
+	zone-statistics ( full | terse | none | <boolean> );
+};
diff --git a/doc/misc/master.zoneopt.rst b/doc/misc/master.zoneopt.rst
new file mode 100644
index 0000000..346d598
--- /dev/null
+++ b/doc/misc/master.zoneopt.rst
@@ -0,0 +1,74 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+::
+
+  zone <string> [ <class> ] {
+  	type ( master | primary );
+  	allow-query { <address_match_element>; ... };
+  	allow-query-on { <address_match_element>; ... };
+  	allow-transfer { <address_match_element>; ... };
+  	allow-update { <address_match_element>; ... };
+  	also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+  	alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+  	alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+  	auto-dnssec ( allow | maintain | off ); // deprecated
+  	check-dup-records ( fail | warn | ignore );
+  	check-integrity <boolean>;
+  	check-mx ( fail | warn | ignore );
+  	check-mx-cname ( fail | warn | ignore );
+  	check-names ( fail | warn | ignore );
+  	check-sibling <boolean>;
+  	check-spf ( warn | ignore );
+  	check-srv-cname ( fail | warn | ignore );
+  	check-wildcard <boolean>;
+  	database <string>;
+  	dialup ( notify | notify-passive | passive | refresh | <boolean> );
+  	dlz <string>;
+  	dnskey-sig-validity <integer>;
+  	dnssec-dnskey-kskonly <boolean>;
+  	dnssec-loadkeys-interval <integer>;
+  	dnssec-policy <string>;
+  	dnssec-secure-to-insecure <boolean>;
+  	dnssec-update-mode ( maintain | no-resign );
+  	file <quoted_string>;
+  	forward ( first | only );
+  	forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
+  	inline-signing <boolean>;
+  	ixfr-from-differences <boolean>;
+  	journal <quoted_string>;
+  	key-directory <quoted_string>;
+  	masterfile-format ( map | raw | text );
+  	masterfile-style ( full | relative );
+  	max-ixfr-ratio ( unlimited | <percentage> );
+  	max-journal-size ( default | unlimited | <sizeval> );
+  	max-records <integer>;
+  	max-transfer-idle-out <integer>;
+  	max-transfer-time-out <integer>;
+  	max-zone-ttl ( unlimited | <duration> );
+  	notify ( explicit | master-only | primary-only | <boolean> );
+  	notify-delay <integer>;
+  	notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+  	notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+  	notify-to-soa <boolean>;
+  	parental-agents [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+  	parental-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+  	parental-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+  	serial-update-method ( date | increment | unixtime );
+  	sig-signing-nodes <integer>;
+  	sig-signing-signatures <integer>;
+  	sig-signing-type <integer>;
+  	sig-validity-interval <integer> [ <integer> ];
+  	update-check-ksk <boolean>;
+  	update-policy ( local | { ( deny | grant ) <string> ( 6to4-self | external | krb5-self | krb5-selfsub | krb5-subdomain | ms-self | ms-selfsub | ms-subdomain | name | self | selfsub | selfwild | subdomain | tcp-self | wildcard | zonesub ) [ <string> ] <rrtypelist>; ... } );
+  	zero-no-soa-ttl <boolean>;
+  	zone-statistics ( full | terse | none | <boolean> );
+  };
diff --git a/doc/misc/mirror.zoneopt b/doc/misc/mirror.zoneopt
new file mode 100644
index 0000000..3d45a3d
--- /dev/null
+++ b/doc/misc/mirror.zoneopt
@@ -0,0 +1,44 @@
+zone <string> [ <class> ] {
+	type mirror;
+	allow-notify { <address_match_element>; ... };
+	allow-query { <address_match_element>; ... };
+	allow-query-on { <address_match_element>; ... };
+	allow-transfer { <address_match_element>; ... };
+	allow-update-forwarding { <address_match_element>; ... };
+	also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+	alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+	alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+	check-names ( fail | warn | ignore );
+	database <string>;
+	file <quoted_string>;
+	ixfr-from-differences <boolean>;
+	journal <quoted_string>;
+	masterfile-format ( map | raw | text );
+	masterfile-style ( full | relative );
+	masters [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+	max-ixfr-ratio ( unlimited | <percentage> );
+	max-journal-size ( default | unlimited | <sizeval> );
+	max-records <integer>;
+	max-refresh-time <integer>;
+	max-retry-time <integer>;
+	max-transfer-idle-in <integer>;
+	max-transfer-idle-out <integer>;
+	max-transfer-time-in <integer>;
+	max-transfer-time-out <integer>;
+	min-refresh-time <integer>;
+	min-retry-time <integer>;
+	multi-master <boolean>;
+	notify ( explicit | master-only | primary-only | <boolean> );
+	notify-delay <integer>;
+	notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+	notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+	primaries [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+	request-expire <boolean>;
+	request-ixfr <boolean>;
+	transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+	transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+	try-tcp-refresh <boolean>;
+	use-alt-transfer-source <boolean>;
+	zero-no-soa-ttl <boolean>;
+	zone-statistics ( full | terse | none | <boolean> );
+};
diff --git a/doc/misc/mirror.zoneopt.rst b/doc/misc/mirror.zoneopt.rst
new file mode 100644
index 0000000..b425a96
--- /dev/null
+++ b/doc/misc/mirror.zoneopt.rst
@@ -0,0 +1,57 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+::
+
+  zone <string> [ <class> ] {
+  	type mirror;
+  	allow-notify { <address_match_element>; ... };
+  	allow-query { <address_match_element>; ... };
+  	allow-query-on { <address_match_element>; ... };
+  	allow-transfer { <address_match_element>; ... };
+  	allow-update-forwarding { <address_match_element>; ... };
+  	also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+  	alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+  	alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+  	check-names ( fail | warn | ignore );
+  	database <string>;
+  	file <quoted_string>;
+  	ixfr-from-differences <boolean>;
+  	journal <quoted_string>;
+  	masterfile-format ( map | raw | text );
+  	masterfile-style ( full | relative );
+  	masters [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+  	max-ixfr-ratio ( unlimited | <percentage> );
+  	max-journal-size ( default | unlimited | <sizeval> );
+  	max-records <integer>;
+  	max-refresh-time <integer>;
+  	max-retry-time <integer>;
+  	max-transfer-idle-in <integer>;
+  	max-transfer-idle-out <integer>;
+  	max-transfer-time-in <integer>;
+  	max-transfer-time-out <integer>;
+  	min-refresh-time <integer>;
+  	min-retry-time <integer>;
+  	multi-master <boolean>;
+  	notify ( explicit | master-only | primary-only | <boolean> );
+  	notify-delay <integer>;
+  	notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+  	notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+  	primaries [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+  	request-expire <boolean>;
+  	request-ixfr <boolean>;
+  	transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+  	transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+  	try-tcp-refresh <boolean>;
+  	use-alt-transfer-source <boolean>;
+  	zero-no-soa-ttl <boolean>;
+  	zone-statistics ( full | terse | none | <boolean> );
+  };
diff --git a/doc/misc/options b/doc/misc/options
new file mode 100644
index 0000000..0dbcf10
--- /dev/null
+++ b/doc/misc/options
@@ -0,0 +1,1031 @@
+
+This is a summary of the named.conf options supported by
+this version of BIND 9.
+
+acl <string> { <address_match_element>; ... }; // may occur multiple times
+
+controls {
+        inet ( <ipv4_address> | <ipv6_address> |
+            * ) [ port ( <integer> | * ) ] allow
+            { <address_match_element>; ... } [
+            keys { <string>; ... } ] [ read-only
+            <boolean> ]; // may occur multiple times
+        unix <quoted_string> perm <integer>
+            owner <integer> group <integer> [
+            keys { <string>; ... } ] [ read-only
+            <boolean> ]; // may occur multiple times
+}; // may occur multiple times
+
+dlz <string> {
+        database <string>;
+        search <boolean>;
+}; // may occur multiple times
+
+dnssec-policy <string> {
+        dnskey-ttl <duration>;
+        keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime
+            <duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
+        max-zone-ttl <duration>;
+        nsec3param [ iterations <integer> ] [ optout <boolean> ] [
+            salt-length <integer> ];
+        parent-ds-ttl <duration>;
+        parent-propagation-delay <duration>;
+        parent-registration-delay <duration>; // obsolete
+        publish-safety <duration>;
+        purge-keys <duration>;
+        retire-safety <duration>;
+        signatures-refresh <duration>;
+        signatures-validity <duration>;
+        signatures-validity-dnskey <duration>;
+        zone-propagation-delay <duration>;
+}; // may occur multiple times
+
+dyndb <string> <quoted_string> {
+    <unspecified-text> }; // may occur multiple times
+
+key <string> {
+        algorithm <string>;
+        secret <string>;
+}; // may occur multiple times
+
+logging {
+        category <string> { <string>; ... }; // may occur multiple times
+        channel <string> {
+                buffered <boolean>;
+                file <quoted_string> [ versions ( unlimited | <integer> ) ]
+                    [ size <size> ] [ suffix ( increment | timestamp ) ];
+                null;
+                print-category <boolean>;
+                print-severity <boolean>;
+                print-time ( iso8601 | iso8601-utc | local | <boolean> );
+                severity <log_severity>;
+                stderr;
+                syslog [ <syslog_facility> ];
+        }; // may occur multiple times
+};
+
+lwres { <unspecified-text> }; // obsolete, may occur multiple times
+
+managed-keys { <string> ( static-key
+    | initial-key | static-ds |
+    initial-ds ) <integer> <integer>
+    <integer> <quoted_string>; ... }; // may occur multiple times, deprecated
+
+masters <string> [ port <integer> ] [ dscp
+    <integer> ] { ( <remote-servers> |
+    <ipv4_address> [ port <integer> ] |
+    <ipv6_address> [ port <integer> ] ) [ key
+    <string> ]; ... }; // may occur multiple times
+
+options {
+        acache-cleaning-interval <integer>; // obsolete
+        acache-enable <boolean>; // obsolete
+        additional-from-auth <boolean>; // obsolete
+        additional-from-cache <boolean>; // obsolete
+        allow-new-zones <boolean>;
+        allow-notify { <address_match_element>; ... };
+        allow-query { <address_match_element>; ... };
+        allow-query-cache { <address_match_element>; ... };
+        allow-query-cache-on { <address_match_element>; ... };
+        allow-query-on { <address_match_element>; ... };
+        allow-recursion { <address_match_element>; ... };
+        allow-recursion-on { <address_match_element>; ... };
+        allow-transfer { <address_match_element>; ... };
+        allow-update { <address_match_element>; ... };
+        allow-update-forwarding { <address_match_element>; ... };
+        allow-v6-synthesis { <address_match_element>; ... }; // obsolete
+        also-notify [ port <integer> ] [ dscp <integer> ] { (
+            <remote-servers> | <ipv4_address> [ port <integer> ] |
+            <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+        alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * )
+            ] [ dscp <integer> ];
+        alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> |
+            * ) ] [ dscp <integer> ];
+        answer-cookie <boolean>;
+        attach-cache <string>;
+        auth-nxdomain <boolean>; // default changed
+        auto-dnssec ( allow | maintain | off ); // deprecated
+        automatic-interface-scan <boolean>;
+        avoid-v4-udp-ports { <portrange>; ... };
+        avoid-v6-udp-ports { <portrange>; ... };
+        bindkeys-file <quoted_string>;
+        blackhole { <address_match_element>; ... };
+        cache-file <quoted_string>; // deprecated
+        catalog-zones { zone <string> [ default-masters [ port <integer> ]
+            [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port
+            <integer> ] | <ipv6_address> [ port <integer> ] ) [ key
+            <string> ]; ... } ] [ zone-directory <quoted_string> ] [
+            in-memory <boolean> ] [ min-update-interval <duration> ]; ... };
+        check-dup-records ( fail | warn | ignore );
+        check-integrity <boolean>;
+        check-mx ( fail | warn | ignore );
+        check-mx-cname ( fail | warn | ignore );
+        check-names ( primary | master |
+            secondary | slave | response ) (
+            fail | warn | ignore ); // may occur multiple times
+        check-sibling <boolean>;
+        check-spf ( warn | ignore );
+        check-srv-cname ( fail | warn | ignore );
+        check-wildcard <boolean>;
+        cleaning-interval <integer>; // obsolete
+        clients-per-query <integer>;
+        cookie-algorithm ( aes | siphash24 );
+        cookie-secret <string>; // may occur multiple times
+        coresize ( default | unlimited | <sizeval> );
+        datasize ( default | unlimited | <sizeval> );
+        deallocate-on-exit <boolean>; // ancient
+        deny-answer-addresses { <address_match_element>; ... } [
+            except-from { <string>; ... } ];
+        deny-answer-aliases { <string>; ... } [ except-from { <string>; ...
+            } ];
+        dialup ( notify | notify-passive | passive | refresh | <boolean> );
+        directory <quoted_string>;
+        disable-algorithms <string> { <string>;
+            ... }; // may occur multiple times
+        disable-ds-digests <string> { <string>;
+            ... }; // may occur multiple times
+        disable-empty-zone <string>; // may occur multiple times
+        dns64 <netprefix> {
+                break-dnssec <boolean>;
+                clients { <address_match_element>; ... };
+                exclude { <address_match_element>; ... };
+                mapped { <address_match_element>; ... };
+                recursive-only <boolean>;
+                suffix <ipv6_address>;
+        }; // may occur multiple times
+        dns64-contact <string>;
+        dns64-server <string>;
+        dnskey-sig-validity <integer>;
+        dnsrps-enable <boolean>; // not configured
+        dnsrps-options { <unspecified-text> }; // not configured
+        dnssec-accept-expired <boolean>;
+        dnssec-dnskey-kskonly <boolean>;
+        dnssec-enable <boolean>; // obsolete
+        dnssec-loadkeys-interval <integer>;
+        dnssec-lookaside ( <string>
+            trust-anchor <string> |
+            auto | no ); // obsolete, may occur multiple times
+        dnssec-must-be-secure <string> <boolean>; // may occur multiple times
+        dnssec-policy <string>;
+        dnssec-secure-to-insecure <boolean>;
+        dnssec-update-mode ( maintain | no-resign );
+        dnssec-validation ( yes | no | auto );
+        dnstap { ( all | auth | client | forwarder | resolver | update ) [
+            ( query | response ) ]; ... };
+        dnstap-identity ( <quoted_string> | none | hostname );
+        dnstap-output ( file | unix ) <quoted_string> [ size ( unlimited |
+            <size> ) ] [ versions ( unlimited | <integer> ) ] [ suffix (
+            increment | timestamp ) ];
+        dnstap-version ( <quoted_string> | none );
+        dscp <integer>; // deprecated
+        dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port
+            <integer> ] [ dscp <integer> ] | <ipv4_address> [ port
+            <integer> ] [ dscp <integer> ] | <ipv6_address> [ port
+            <integer> ] [ dscp <integer> ] ); ... };
+        dump-file <quoted_string>;
+        edns-udp-size <integer>;
+        empty-contact <string>;
+        empty-server <string>;
+        empty-zones-enable <boolean>;
+        fake-iquery <boolean>; // ancient
+        fetch-glue <boolean>; // ancient
+        fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
+        fetches-per-server <integer> [ ( drop | fail ) ];
+        fetches-per-zone <integer> [ ( drop | fail ) ];
+        files ( default | unlimited | <sizeval> );
+        filter-aaaa { <address_match_element>; ... }; // obsolete
+        filter-aaaa-on-v4 <boolean>; // obsolete
+        filter-aaaa-on-v6 <boolean>; // obsolete
+        flush-zones-on-shutdown <boolean>;
+        forward ( first | only );
+        forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
+            | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
+        fstrm-set-buffer-hint <integer>;
+        fstrm-set-flush-timeout <integer>;
+        fstrm-set-input-queue-size <integer>;
+        fstrm-set-output-notify-threshold <integer>;
+        fstrm-set-output-queue-model ( mpsc | spsc );
+        fstrm-set-output-queue-size <integer>;
+        fstrm-set-reopen-interval <duration>;
+        geoip-directory ( <quoted_string> | none );
+        geoip-use-ecs <boolean>; // obsolete
+        glue-cache <boolean>;
+        has-old-clients <boolean>; // ancient
+        heartbeat-interval <integer>;
+        host-statistics <boolean>; // ancient
+        host-statistics-max <integer>; // ancient
+        hostname ( <quoted_string> | none );
+        interface-interval <duration>;
+        ixfr-from-differences ( primary | master | secondary | slave |
+            <boolean> );
+        keep-response-order { <address_match_element>; ... };
+        key-directory <quoted_string>;
+        lame-ttl <duration>;
+        listen-on [ port <integer> ] [ dscp
+            <integer> ] {
+            <address_match_element>; ... }; // may occur multiple times
+        listen-on-v6 [ port <integer> ] [ dscp
+            <integer> ] {
+            <address_match_element>; ... }; // may occur multiple times
+        lmdb-mapsize <sizeval>;
+        lock-file ( <quoted_string> | none );
+        maintain-ixfr-base <boolean>; // ancient
+        managed-keys-directory <quoted_string>;
+        masterfile-format ( map | raw | text );
+        masterfile-style ( full | relative );
+        match-mapped-addresses <boolean>;
+        max-acache-size ( unlimited | <sizeval> ); // obsolete
+        max-cache-size ( default | unlimited | <sizeval> | <percentage> );
+        max-cache-ttl <duration>;
+        max-clients-per-query <integer>;
+        max-ixfr-log-size ( default | unlimited | <sizeval> ); // ancient
+        max-ixfr-ratio ( unlimited | <percentage> );
+        max-journal-size ( default | unlimited | <sizeval> );
+        max-ncache-ttl <duration>;
+        max-records <integer>;
+        max-recursion-depth <integer>;
+        max-recursion-queries <integer>;
+        max-refresh-time <integer>;
+        max-retry-time <integer>;
+        max-rsa-exponent-size <integer>;
+        max-stale-ttl <duration>;
+        max-transfer-idle-in <integer>;
+        max-transfer-idle-out <integer>;
+        max-transfer-time-in <integer>;
+        max-transfer-time-out <integer>;
+        max-udp-size <integer>;
+        max-zone-ttl ( unlimited | <duration> );
+        memstatistics <boolean>;
+        memstatistics-file <quoted_string>;
+        message-compression <boolean>;
+        min-cache-ttl <duration>;
+        min-ncache-ttl <duration>;
+        min-refresh-time <integer>;
+        min-retry-time <integer>;
+        min-roots <integer>; // ancient
+        minimal-any <boolean>;
+        minimal-responses ( no-auth | no-auth-recursive | <boolean> );
+        multi-master <boolean>;
+        multiple-cnames <boolean>; // ancient
+        named-xfer <quoted_string>; // ancient
+        new-zones-directory <quoted_string>;
+        no-case-compress { <address_match_element>; ... };
+        nocookie-udp-size <integer>;
+        nosit-udp-size <integer>; // obsolete
+        notify ( explicit | master-only | primary-only | <boolean> );
+        notify-delay <integer>;
+        notify-rate <integer>;
+        notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
+            dscp <integer> ];
+        notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ]
+            [ dscp <integer> ];
+        notify-to-soa <boolean>;
+        nsec3-test-zone <boolean>; // test only
+        nta-lifetime <duration>;
+        nta-recheck <duration>;
+        nxdomain-redirect <string>;
+        parental-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
+            dscp <integer> ];
+        parental-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * )
+            ] [ dscp <integer> ];
+        pid-file ( <quoted_string> | none );
+        port <integer>;
+        preferred-glue <string>;
+        prefetch <integer> [ <integer> ];
+        provide-ixfr <boolean>;
+        qname-minimization ( strict | relaxed | disabled | off );
+        query-source ( ( [ address ] ( <ipv4_address> | * ) [ port (
+            <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ]
+            port ( <integer> | * ) ) ) [ dscp <integer> ];
+        query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port (
+            <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ]
+            port ( <integer> | * ) ) ) [ dscp <integer> ];
+        querylog <boolean>;
+        queryport-pool-ports <integer>; // obsolete
+        queryport-pool-updateinterval <integer>; // obsolete
+        random-device ( <quoted_string> | none );
+        rate-limit {
+                all-per-second <integer>;
+                errors-per-second <integer>;
+                exempt-clients { <address_match_element>; ... };
+                ipv4-prefix-length <integer>;
+                ipv6-prefix-length <integer>;
+                log-only <boolean>;
+                max-table-size <integer>;
+                min-table-size <integer>;
+                nodata-per-second <integer>;
+                nxdomains-per-second <integer>;
+                qps-scale <integer>;
+                referrals-per-second <integer>;
+                responses-per-second <integer>;
+                slip <integer>;
+                window <integer>;
+        };
+        recursing-file <quoted_string>;
+        recursion <boolean>;
+        recursive-clients <integer>;
+        request-expire <boolean>;
+        request-ixfr <boolean>;
+        request-nsid <boolean>;
+        request-sit <boolean>; // obsolete
+        require-server-cookie <boolean>;
+        reserved-sockets <integer>;
+        resolver-nonbackoff-tries <integer>;
+        resolver-query-timeout <integer>;
+        resolver-retry-interval <integer>;
+        response-padding { <address_match_element>; ... } block-size
+            <integer>;
+        response-policy { zone <string> [ add-soa <boolean> ] [ log
+            <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval
+            <duration> ] [ policy ( cname | disabled | drop | given | no-op
+            | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [
+            recursive-only <boolean> ] [ nsip-enable <boolean> ] [
+            nsdname-enable <boolean> ]; ... } [ add-soa <boolean> ] [
+            break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [
+            min-update-interval <duration> ] [ min-ns-dots <integer> ] [
+            nsip-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ]
+            [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [
+            nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [
+            dnsrps-options { <unspecified-text> } ];
+        reuseport <boolean>;
+        rfc2308-type1 <boolean>; // ancient
+        root-delegation-only [ exclude { <string>; ... } ];
+        root-key-sentinel <boolean>;
+        rrset-order { [ class <string> ] [ type <string> ] [ name
+            <quoted_string> ] <string> <string>; ... };
+        secroots-file <quoted_string>;
+        send-cookie <boolean>;
+        serial-queries <integer>; // ancient
+        serial-query-rate <integer>;
+        serial-update-method ( date | increment | unixtime );
+        server-id ( <quoted_string> | none | hostname );
+        servfail-ttl <duration>;
+        session-keyalg <string>;
+        session-keyfile ( <quoted_string> | none );
+        session-keyname <string>;
+        sig-signing-nodes <integer>;
+        sig-signing-signatures <integer>;
+        sig-signing-type <integer>;
+        sig-validity-interval <integer> [ <integer> ];
+        sit-secret <string>; // obsolete
+        sortlist { <address_match_element>; ... };
+        stacksize ( default | unlimited | <sizeval> );
+        stale-answer-client-timeout ( disabled | off | <integer> );
+        stale-answer-enable <boolean>;
+        stale-answer-ttl <duration>;
+        stale-cache-enable <boolean>;
+        stale-refresh-time <duration>;
+        startup-notify-rate <integer>;
+        statistics-file <quoted_string>;
+        statistics-interval <integer>; // ancient
+        suppress-initial-notify <boolean>; // not yet implemented
+        synth-from-dnssec <boolean>;
+        tcp-advertised-timeout <integer>;
+        tcp-clients <integer>;
+        tcp-idle-timeout <integer>;
+        tcp-initial-timeout <integer>;
+        tcp-keepalive-timeout <integer>;
+        tcp-listen-queue <integer>;
+        tkey-dhkey <quoted_string> <integer>;
+        tkey-domain <quoted_string>;
+        tkey-gssapi-credential <quoted_string>;
+        tkey-gssapi-keytab <quoted_string>;
+        topology { <address_match_element>; ... }; // ancient
+        transfer-format ( many-answers | one-answer );
+        transfer-message-size <integer>;
+        transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
+            dscp <integer> ];
+        transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * )
+            ] [ dscp <integer> ];
+        transfers-in <integer>;
+        transfers-out <integer>;
+        transfers-per-ns <integer>;
+        treat-cr-as-space <boolean>; // ancient
+        trust-anchor-telemetry <boolean>; // experimental
+        try-tcp-refresh <boolean>;
+        update-check-ksk <boolean>;
+        update-quota <integer>;
+        use-alt-transfer-source <boolean>;
+        use-id-pool <boolean>; // ancient
+        use-ixfr <boolean>; // obsolete
+        use-queryport-pool <boolean>; // obsolete
+        use-v4-udp-ports { <portrange>; ... };
+        use-v6-udp-ports { <portrange>; ... };
+        v6-bias <integer>;
+        validate-except { <string>; ... };
+        version ( <quoted_string> | none );
+        zero-no-soa-ttl <boolean>;
+        zero-no-soa-ttl-cache <boolean>;
+        zone-statistics ( full | terse | none | <boolean> );
+};
+
+parental-agents <string> [ port <integer> ] [
+    dscp <integer> ] { ( <remote-servers> |
+    <ipv4_address> [ port <integer> ] |
+    <ipv6_address> [ port <integer> ] ) [ key
+    <string> ]; ... }; // may occur multiple times
+
+plugin ( query ) <string> [ { <unspecified-text>
+    } ]; // may occur multiple times
+
+primaries <string> [ port <integer> ] [ dscp
+    <integer> ] { ( <remote-servers> |
+    <ipv4_address> [ port <integer> ] |
+    <ipv6_address> [ port <integer> ] ) [ key
+    <string> ]; ... }; // may occur multiple times
+
+server <netprefix> {
+        bogus <boolean>;
+        edns <boolean>;
+        edns-udp-size <integer>;
+        edns-version <integer>;
+        keys <server_key>;
+        max-udp-size <integer>;
+        notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
+            dscp <integer> ];
+        notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ]
+            [ dscp <integer> ];
+        padding <integer>;
+        provide-ixfr <boolean>;
+        query-source ( ( [ address ] ( <ipv4_address> | * ) [ port (
+            <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ]
+            port ( <integer> | * ) ) ) [ dscp <integer> ];
+        query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port (
+            <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ]
+            port ( <integer> | * ) ) ) [ dscp <integer> ];
+        request-expire <boolean>;
+        request-ixfr <boolean>;
+        request-nsid <boolean>;
+        request-sit <boolean>; // obsolete
+        send-cookie <boolean>;
+        support-ixfr <boolean>; // obsolete
+        tcp-keepalive <boolean>;
+        tcp-only <boolean>;
+        transfer-format ( many-answers | one-answer );
+        transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
+            dscp <integer> ];
+        transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * )
+            ] [ dscp <integer> ];
+        transfers <integer>;
+}; // may occur multiple times
+
+statistics-channels {
+        inet ( <ipv4_address> | <ipv6_address> |
+            * ) [ port ( <integer> | * ) ] [
+            allow { <address_match_element>; ...
+            } ]; // may occur multiple times
+}; // may occur multiple times
+
+trust-anchors { <string> ( static-key |
+    initial-key | static-ds | initial-ds )
+    <integer> <integer> <integer>
+    <quoted_string>; ... }; // may occur multiple times
+
+trusted-keys { <string> <integer>
+    <integer> <integer>
+    <quoted_string>; ... }; // may occur multiple times, deprecated
+
+view <string> [ <class> ] {
+        acache-cleaning-interval <integer>; // obsolete
+        acache-enable <boolean>; // obsolete
+        additional-from-auth <boolean>; // obsolete
+        additional-from-cache <boolean>; // obsolete
+        allow-new-zones <boolean>;
+        allow-notify { <address_match_element>; ... };
+        allow-query { <address_match_element>; ... };
+        allow-query-cache { <address_match_element>; ... };
+        allow-query-cache-on { <address_match_element>; ... };
+        allow-query-on { <address_match_element>; ... };
+        allow-recursion { <address_match_element>; ... };
+        allow-recursion-on { <address_match_element>; ... };
+        allow-transfer { <address_match_element>; ... };
+        allow-update { <address_match_element>; ... };
+        allow-update-forwarding { <address_match_element>; ... };
+        allow-v6-synthesis { <address_match_element>; ... }; // obsolete
+        also-notify [ port <integer> ] [ dscp <integer> ] { (
+            <remote-servers> | <ipv4_address> [ port <integer> ] |
+            <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+        alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * )
+            ] [ dscp <integer> ];
+        alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> |
+            * ) ] [ dscp <integer> ];
+        attach-cache <string>;
+        auth-nxdomain <boolean>; // default changed
+        auto-dnssec ( allow | maintain | off ); // deprecated
+        cache-file <quoted_string>; // deprecated
+        catalog-zones { zone <string> [ default-masters [ port <integer> ]
+            [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port
+            <integer> ] | <ipv6_address> [ port <integer> ] ) [ key
+            <string> ]; ... } ] [ zone-directory <quoted_string> ] [
+            in-memory <boolean> ] [ min-update-interval <duration> ]; ... };
+        check-dup-records ( fail | warn | ignore );
+        check-integrity <boolean>;
+        check-mx ( fail | warn | ignore );
+        check-mx-cname ( fail | warn | ignore );
+        check-names ( primary | master |
+            secondary | slave | response ) (
+            fail | warn | ignore ); // may occur multiple times
+        check-sibling <boolean>;
+        check-spf ( warn | ignore );
+        check-srv-cname ( fail | warn | ignore );
+        check-wildcard <boolean>;
+        cleaning-interval <integer>; // obsolete
+        clients-per-query <integer>;
+        deny-answer-addresses { <address_match_element>; ... } [
+            except-from { <string>; ... } ];
+        deny-answer-aliases { <string>; ... } [ except-from { <string>; ...
+            } ];
+        dialup ( notify | notify-passive | passive | refresh | <boolean> );
+        disable-algorithms <string> { <string>;
+            ... }; // may occur multiple times
+        disable-ds-digests <string> { <string>;
+            ... }; // may occur multiple times
+        disable-empty-zone <string>; // may occur multiple times
+        dlz <string> {
+                database <string>;
+                search <boolean>;
+        }; // may occur multiple times
+        dns64 <netprefix> {
+                break-dnssec <boolean>;
+                clients { <address_match_element>; ... };
+                exclude { <address_match_element>; ... };
+                mapped { <address_match_element>; ... };
+                recursive-only <boolean>;
+                suffix <ipv6_address>;
+        }; // may occur multiple times
+        dns64-contact <string>;
+        dns64-server <string>;
+        dnskey-sig-validity <integer>;
+        dnsrps-enable <boolean>; // not configured
+        dnsrps-options { <unspecified-text> }; // not configured
+        dnssec-accept-expired <boolean>;
+        dnssec-dnskey-kskonly <boolean>;
+        dnssec-enable <boolean>; // obsolete
+        dnssec-loadkeys-interval <integer>;
+        dnssec-lookaside ( <string>
+            trust-anchor <string> |
+            auto | no ); // obsolete, may occur multiple times
+        dnssec-must-be-secure <string> <boolean>; // may occur multiple times
+        dnssec-policy <string>;
+        dnssec-secure-to-insecure <boolean>;
+        dnssec-update-mode ( maintain | no-resign );
+        dnssec-validation ( yes | no | auto );
+        dnstap { ( all | auth | client | forwarder | resolver | update ) [
+            ( query | response ) ]; ... };
+        dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port
+            <integer> ] [ dscp <integer> ] | <ipv4_address> [ port
+            <integer> ] [ dscp <integer> ] | <ipv6_address> [ port
+            <integer> ] [ dscp <integer> ] ); ... };
+        dyndb <string> <quoted_string> {
+            <unspecified-text> }; // may occur multiple times
+        edns-udp-size <integer>;
+        empty-contact <string>;
+        empty-server <string>;
+        empty-zones-enable <boolean>;
+        fetch-glue <boolean>; // ancient
+        fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
+        fetches-per-server <integer> [ ( drop | fail ) ];
+        fetches-per-zone <integer> [ ( drop | fail ) ];
+        filter-aaaa { <address_match_element>; ... }; // obsolete
+        filter-aaaa-on-v4 <boolean>; // obsolete
+        filter-aaaa-on-v6 <boolean>; // obsolete
+        forward ( first | only );
+        forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
+            | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
+        glue-cache <boolean>;
+        ixfr-from-differences ( primary | master | secondary | slave |
+            <boolean> );
+        key <string> {
+                algorithm <string>;
+                secret <string>;
+        }; // may occur multiple times
+        key-directory <quoted_string>;
+        lame-ttl <duration>;
+        lmdb-mapsize <sizeval>;
+        maintain-ixfr-base <boolean>; // ancient
+        managed-keys { <string> (
+            static-key | initial-key
+            | static-ds | initial-ds
+            ) <integer> <integer>
+            <integer>
+            <quoted_string>; ... }; // may occur multiple times, deprecated
+        masterfile-format ( map | raw | text );
+        masterfile-style ( full | relative );
+        match-clients { <address_match_element>; ... };
+        match-destinations { <address_match_element>; ... };
+        match-recursive-only <boolean>;
+        max-acache-size ( unlimited | <sizeval> ); // obsolete
+        max-cache-size ( default | unlimited | <sizeval> | <percentage> );
+        max-cache-ttl <duration>;
+        max-clients-per-query <integer>;
+        max-ixfr-log-size ( default | unlimited | <sizeval> ); // ancient
+        max-ixfr-ratio ( unlimited | <percentage> );
+        max-journal-size ( default | unlimited | <sizeval> );
+        max-ncache-ttl <duration>;
+        max-records <integer>;
+        max-recursion-depth <integer>;
+        max-recursion-queries <integer>;
+        max-refresh-time <integer>;
+        max-retry-time <integer>;
+        max-stale-ttl <duration>;
+        max-transfer-idle-in <integer>;
+        max-transfer-idle-out <integer>;
+        max-transfer-time-in <integer>;
+        max-transfer-time-out <integer>;
+        max-udp-size <integer>;
+        max-zone-ttl ( unlimited | <duration> );
+        message-compression <boolean>;
+        min-cache-ttl <duration>;
+        min-ncache-ttl <duration>;
+        min-refresh-time <integer>;
+        min-retry-time <integer>;
+        min-roots <integer>; // ancient
+        minimal-any <boolean>;
+        minimal-responses ( no-auth | no-auth-recursive | <boolean> );
+        multi-master <boolean>;
+        new-zones-directory <quoted_string>;
+        no-case-compress { <address_match_element>; ... };
+        nocookie-udp-size <integer>;
+        nosit-udp-size <integer>; // obsolete
+        notify ( explicit | master-only | primary-only | <boolean> );
+        notify-delay <integer>;
+        notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
+            dscp <integer> ];
+        notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ]
+            [ dscp <integer> ];
+        notify-to-soa <boolean>;
+        nsec3-test-zone <boolean>; // test only
+        nta-lifetime <duration>;
+        nta-recheck <duration>;
+        nxdomain-redirect <string>;
+        parental-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
+            dscp <integer> ];
+        parental-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * )
+            ] [ dscp <integer> ];
+        plugin ( query ) <string> [ {
+            <unspecified-text> } ]; // may occur multiple times
+        preferred-glue <string>;
+        prefetch <integer> [ <integer> ];
+        provide-ixfr <boolean>;
+        qname-minimization ( strict | relaxed | disabled | off );
+        query-source ( ( [ address ] ( <ipv4_address> | * ) [ port (
+            <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ]
+            port ( <integer> | * ) ) ) [ dscp <integer> ];
+        query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port (
+            <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ]
+            port ( <integer> | * ) ) ) [ dscp <integer> ];
+        queryport-pool-ports <integer>; // obsolete
+        queryport-pool-updateinterval <integer>; // obsolete
+        rate-limit {
+                all-per-second <integer>;
+                errors-per-second <integer>;
+                exempt-clients { <address_match_element>; ... };
+                ipv4-prefix-length <integer>;
+                ipv6-prefix-length <integer>;
+                log-only <boolean>;
+                max-table-size <integer>;
+                min-table-size <integer>;
+                nodata-per-second <integer>;
+                nxdomains-per-second <integer>;
+                qps-scale <integer>;
+                referrals-per-second <integer>;
+                responses-per-second <integer>;
+                slip <integer>;
+                window <integer>;
+        };
+        recursion <boolean>;
+        request-expire <boolean>;
+        request-ixfr <boolean>;
+        request-nsid <boolean>;
+        request-sit <boolean>; // obsolete
+        require-server-cookie <boolean>;
+        resolver-nonbackoff-tries <integer>;
+        resolver-query-timeout <integer>;
+        resolver-retry-interval <integer>;
+        response-padding { <address_match_element>; ... } block-size
+            <integer>;
+        response-policy { zone <string> [ add-soa <boolean> ] [ log
+            <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval
+            <duration> ] [ policy ( cname | disabled | drop | given | no-op
+            | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [
+            recursive-only <boolean> ] [ nsip-enable <boolean> ] [
+            nsdname-enable <boolean> ]; ... } [ add-soa <boolean> ] [
+            break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [
+            min-update-interval <duration> ] [ min-ns-dots <integer> ] [
+            nsip-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ]
+            [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [
+            nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [
+            dnsrps-options { <unspecified-text> } ];
+        rfc2308-type1 <boolean>; // ancient
+        root-delegation-only [ exclude { <string>; ... } ];
+        root-key-sentinel <boolean>;
+        rrset-order { [ class <string> ] [ type <string> ] [ name
+            <quoted_string> ] <string> <string>; ... };
+        send-cookie <boolean>;
+        serial-update-method ( date | increment | unixtime );
+        server <netprefix> {
+                bogus <boolean>;
+                edns <boolean>;
+                edns-udp-size <integer>;
+                edns-version <integer>;
+                keys <server_key>;
+                max-udp-size <integer>;
+                notify-source ( <ipv4_address> | * ) [ port ( <integer> | *
+                    ) ] [ dscp <integer> ];
+                notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer>
+                    | * ) ] [ dscp <integer> ];
+                padding <integer>;
+                provide-ixfr <boolean>;
+                query-source ( ( [ address ] ( <ipv4_address> | * ) [ port
+                    ( <integer> | * ) ] ) | ( [ [ address ] (
+                    <ipv4_address> | * ) ] port ( <integer> | * ) ) ) [
+                    dscp <integer> ];
+                query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [
+                    port ( <integer> | * ) ] ) | ( [ [ address ] (
+                    <ipv6_address> | * ) ] port ( <integer> | * ) ) ) [
+                    dscp <integer> ];
+                request-expire <boolean>;
+                request-ixfr <boolean>;
+                request-nsid <boolean>;
+                request-sit <boolean>; // obsolete
+                send-cookie <boolean>;
+                support-ixfr <boolean>; // obsolete
+                tcp-keepalive <boolean>;
+                tcp-only <boolean>;
+                transfer-format ( many-answers | one-answer );
+                transfer-source ( <ipv4_address> | * ) [ port ( <integer> |
+                    * ) ] [ dscp <integer> ];
+                transfer-source-v6 ( <ipv6_address> | * ) [ port (
+                    <integer> | * ) ] [ dscp <integer> ];
+                transfers <integer>;
+        }; // may occur multiple times
+        servfail-ttl <duration>;
+        sig-signing-nodes <integer>;
+        sig-signing-signatures <integer>;
+        sig-signing-type <integer>;
+        sig-validity-interval <integer> [ <integer> ];
+        sortlist { <address_match_element>; ... };
+        stale-answer-client-timeout ( disabled | off | <integer> );
+        stale-answer-enable <boolean>;
+        stale-answer-ttl <duration>;
+        stale-cache-enable <boolean>;
+        stale-refresh-time <duration>;
+        suppress-initial-notify <boolean>; // not yet implemented
+        synth-from-dnssec <boolean>;
+        topology { <address_match_element>; ... }; // ancient
+        transfer-format ( many-answers | one-answer );
+        transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
+            dscp <integer> ];
+        transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * )
+            ] [ dscp <integer> ];
+        trust-anchor-telemetry <boolean>; // experimental
+        trust-anchors { <string> ( static-key |
+            initial-key | static-ds | initial-ds
+            ) <integer> <integer> <integer>
+            <quoted_string>; ... }; // may occur multiple times
+        trusted-keys { <string>
+            <integer> <integer>
+            <integer>
+            <quoted_string>; ... }; // may occur multiple times, deprecated
+        try-tcp-refresh <boolean>;
+        update-check-ksk <boolean>;
+        use-alt-transfer-source <boolean>;
+        use-queryport-pool <boolean>; // obsolete
+        v6-bias <integer>;
+        validate-except { <string>; ... };
+        zero-no-soa-ttl <boolean>;
+        zero-no-soa-ttl-cache <boolean>;
+        zone <string> [ <class> ] {
+                allow-notify { <address_match_element>; ... };
+                allow-query { <address_match_element>; ... };
+                allow-query-on { <address_match_element>; ... };
+                allow-transfer { <address_match_element>; ... };
+                allow-update { <address_match_element>; ... };
+                allow-update-forwarding { <address_match_element>; ... };
+                also-notify [ port <integer> ] [ dscp <integer> ] { (
+                    <remote-servers> | <ipv4_address> [ port <integer> ] |
+                    <ipv6_address> [ port <integer> ] ) [ key <string> ];
+                    ... };
+                alt-transfer-source ( <ipv4_address> | * ) [ port (
+                    <integer> | * ) ] [ dscp <integer> ];
+                alt-transfer-source-v6 ( <ipv6_address> | * ) [ port (
+                    <integer> | * ) ] [ dscp <integer> ];
+                auto-dnssec ( allow | maintain | off ); // deprecated
+                check-dup-records ( fail | warn | ignore );
+                check-integrity <boolean>;
+                check-mx ( fail | warn | ignore );
+                check-mx-cname ( fail | warn | ignore );
+                check-names ( fail | warn | ignore );
+                check-sibling <boolean>;
+                check-spf ( warn | ignore );
+                check-srv-cname ( fail | warn | ignore );
+                check-wildcard <boolean>;
+                database <string>;
+                delegation-only <boolean>;
+                dialup ( notify | notify-passive | passive | refresh |
+                    <boolean> );
+                dlz <string>;
+                dnskey-sig-validity <integer>;
+                dnssec-dnskey-kskonly <boolean>;
+                dnssec-loadkeys-interval <integer>;
+                dnssec-policy <string>;
+                dnssec-secure-to-insecure <boolean>;
+                dnssec-update-mode ( maintain | no-resign );
+                file <quoted_string>;
+                forward ( first | only );
+                forwarders [ port <integer> ] [ dscp <integer> ] { (
+                    <ipv4_address> | <ipv6_address> ) [ port <integer> ] [
+                    dscp <integer> ]; ... };
+                in-view <string>;
+                inline-signing <boolean>;
+                ixfr-base <quoted_string>; // ancient
+                ixfr-from-differences <boolean>;
+                ixfr-tmp-file <quoted_string>; // ancient
+                journal <quoted_string>;
+                key-directory <quoted_string>;
+                maintain-ixfr-base <boolean>; // ancient
+                masterfile-format ( map | raw | text );
+                masterfile-style ( full | relative );
+                masters [ port <integer> ] [ dscp <integer> ] { (
+                    <remote-servers> | <ipv4_address> [ port <integer> ] |
+                    <ipv6_address> [ port <integer> ] ) [ key <string> ];
+                    ... };
+                max-ixfr-log-size ( default | unlimited |
+                    <sizeval> ); // ancient
+                max-ixfr-ratio ( unlimited | <percentage> );
+                max-journal-size ( default | unlimited | <sizeval> );
+                max-records <integer>;
+                max-refresh-time <integer>;
+                max-retry-time <integer>;
+                max-transfer-idle-in <integer>;
+                max-transfer-idle-out <integer>;
+                max-transfer-time-in <integer>;
+                max-transfer-time-out <integer>;
+                max-zone-ttl ( unlimited | <duration> );
+                min-refresh-time <integer>;
+                min-retry-time <integer>;
+                multi-master <boolean>;
+                notify ( explicit | master-only | primary-only | <boolean> );
+                notify-delay <integer>;
+                notify-source ( <ipv4_address> | * ) [ port ( <integer> | *
+                    ) ] [ dscp <integer> ];
+                notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer>
+                    | * ) ] [ dscp <integer> ];
+                notify-to-soa <boolean>;
+                nsec3-test-zone <boolean>; // test only
+                parental-agents [ port <integer> ] [ dscp <integer> ] { (
+                    <remote-servers> | <ipv4_address> [ port <integer> ] |
+                    <ipv6_address> [ port <integer> ] ) [ key <string> ];
+                    ... };
+                parental-source ( <ipv4_address> | * ) [ port ( <integer> |
+                    * ) ] [ dscp <integer> ];
+                parental-source-v6 ( <ipv6_address> | * ) [ port (
+                    <integer> | * ) ] [ dscp <integer> ];
+                primaries [ port <integer> ] [ dscp <integer> ] { (
+                    <remote-servers> | <ipv4_address> [ port <integer> ] |
+                    <ipv6_address> [ port <integer> ] ) [ key <string> ];
+                    ... };
+                pubkey <integer> <integer> <integer>
+                    <quoted_string>; // ancient
+                request-expire <boolean>;
+                request-ixfr <boolean>;
+                serial-update-method ( date | increment | unixtime );
+                server-addresses { ( <ipv4_address> | <ipv6_address> ); ... };
+                server-names { <string>; ... };
+                sig-signing-nodes <integer>;
+                sig-signing-signatures <integer>;
+                sig-signing-type <integer>;
+                sig-validity-interval <integer> [ <integer> ];
+                transfer-source ( <ipv4_address> | * ) [ port ( <integer> |
+                    * ) ] [ dscp <integer> ];
+                transfer-source-v6 ( <ipv6_address> | * ) [ port (
+                    <integer> | * ) ] [ dscp <integer> ];
+                try-tcp-refresh <boolean>;
+                type ( primary | master | secondary | slave | mirror |
+                    delegation-only | forward | hint | redirect |
+                    static-stub | stub );
+                update-check-ksk <boolean>;
+                update-policy ( local | { ( deny | grant ) <string> (
+                    6to4-self | external | krb5-self | krb5-selfsub |
+                    krb5-subdomain | ms-self | ms-selfsub | ms-subdomain |
+                    name | self | selfsub | selfwild | subdomain | tcp-self
+                    | wildcard | zonesub ) [ <string> ] <rrtypelist>; ... } );
+                use-alt-transfer-source <boolean>;
+                zero-no-soa-ttl <boolean>;
+                zone-statistics ( full | terse | none | <boolean> );
+        }; // may occur multiple times
+        zone-statistics ( full | terse | none | <boolean> );
+}; // may occur multiple times
+
+zone <string> [ <class> ] {
+        allow-notify { <address_match_element>; ... };
+        allow-query { <address_match_element>; ... };
+        allow-query-on { <address_match_element>; ... };
+        allow-transfer { <address_match_element>; ... };
+        allow-update { <address_match_element>; ... };
+        allow-update-forwarding { <address_match_element>; ... };
+        also-notify [ port <integer> ] [ dscp <integer> ] { (
+            <remote-servers> | <ipv4_address> [ port <integer> ] |
+            <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+        alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * )
+            ] [ dscp <integer> ];
+        alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> |
+            * ) ] [ dscp <integer> ];
+        auto-dnssec ( allow | maintain | off ); // deprecated
+        check-dup-records ( fail | warn | ignore );
+        check-integrity <boolean>;
+        check-mx ( fail | warn | ignore );
+        check-mx-cname ( fail | warn | ignore );
+        check-names ( fail | warn | ignore );
+        check-sibling <boolean>;
+        check-spf ( warn | ignore );
+        check-srv-cname ( fail | warn | ignore );
+        check-wildcard <boolean>;
+        database <string>;
+        delegation-only <boolean>;
+        dialup ( notify | notify-passive | passive | refresh | <boolean> );
+        dlz <string>;
+        dnskey-sig-validity <integer>;
+        dnssec-dnskey-kskonly <boolean>;
+        dnssec-loadkeys-interval <integer>;
+        dnssec-policy <string>;
+        dnssec-secure-to-insecure <boolean>;
+        dnssec-update-mode ( maintain | no-resign );
+        file <quoted_string>;
+        forward ( first | only );
+        forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
+            | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
+        in-view <string>;
+        inline-signing <boolean>;
+        ixfr-base <quoted_string>; // ancient
+        ixfr-from-differences <boolean>;
+        ixfr-tmp-file <quoted_string>; // ancient
+        journal <quoted_string>;
+        key-directory <quoted_string>;
+        maintain-ixfr-base <boolean>; // ancient
+        masterfile-format ( map | raw | text );
+        masterfile-style ( full | relative );
+        masters [ port <integer> ] [ dscp <integer> ] { ( <remote-servers>
+            | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port
+            <integer> ] ) [ key <string> ]; ... };
+        max-ixfr-log-size ( default | unlimited | <sizeval> ); // ancient
+        max-ixfr-ratio ( unlimited | <percentage> );
+        max-journal-size ( default | unlimited | <sizeval> );
+        max-records <integer>;
+        max-refresh-time <integer>;
+        max-retry-time <integer>;
+        max-transfer-idle-in <integer>;
+        max-transfer-idle-out <integer>;
+        max-transfer-time-in <integer>;
+        max-transfer-time-out <integer>;
+        max-zone-ttl ( unlimited | <duration> );
+        min-refresh-time <integer>;
+        min-retry-time <integer>;
+        multi-master <boolean>;
+        notify ( explicit | master-only | primary-only | <boolean> );
+        notify-delay <integer>;
+        notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
+            dscp <integer> ];
+        notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ]
+            [ dscp <integer> ];
+        notify-to-soa <boolean>;
+        nsec3-test-zone <boolean>; // test only
+        parental-agents [ port <integer> ] [ dscp <integer> ] { (
+            <remote-servers> | <ipv4_address> [ port <integer> ] |
+            <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+        parental-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
+            dscp <integer> ];
+        parental-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * )
+            ] [ dscp <integer> ];
+        primaries [ port <integer> ] [ dscp <integer> ] { (
+            <remote-servers> | <ipv4_address> [ port <integer> ] |
+            <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+        pubkey <integer> <integer> <integer> <quoted_string>; // ancient
+        request-expire <boolean>;
+        request-ixfr <boolean>;
+        serial-update-method ( date | increment | unixtime );
+        server-addresses { ( <ipv4_address> | <ipv6_address> ); ... };
+        server-names { <string>; ... };
+        sig-signing-nodes <integer>;
+        sig-signing-signatures <integer>;
+        sig-signing-type <integer>;
+        sig-validity-interval <integer> [ <integer> ];
+        transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
+            dscp <integer> ];
+        transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * )
+            ] [ dscp <integer> ];
+        try-tcp-refresh <boolean>;
+        type ( primary | master | secondary | slave | mirror |
+            delegation-only | forward | hint | redirect | static-stub |
+            stub );
+        update-check-ksk <boolean>;
+        update-policy ( local | { ( deny | grant ) <string> ( 6to4-self |
+            external | krb5-self | krb5-selfsub | krb5-subdomain | ms-self
+            | ms-selfsub | ms-subdomain | name | self | selfsub | selfwild
+            | subdomain | tcp-self | wildcard | zonesub ) [ <string> ]
+            <rrtypelist>; ... } );
+        use-alt-transfer-source <boolean>;
+        zero-no-soa-ttl <boolean>;
+        zone-statistics ( full | terse | none | <boolean> );
+}; // may occur multiple times
+
diff --git a/doc/misc/options.active b/doc/misc/options.active
new file mode 100644
index 0000000..eb75a86
--- /dev/null
+++ b/doc/misc/options.active
@@ -0,0 +1,942 @@
+
+This is a summary of the named.conf options supported by
+this version of BIND 9.
+
+acl <string> { <address_match_element>; ... }; // may occur multiple times
+
+controls {
+        inet ( <ipv4_address> | <ipv6_address> |
+            * ) [ port ( <integer> | * ) ] allow
+            { <address_match_element>; ... } [
+            keys { <string>; ... } ] [ read-only
+            <boolean> ]; // may occur multiple times
+        unix <quoted_string> perm <integer>
+            owner <integer> group <integer> [
+            keys { <string>; ... } ] [ read-only
+            <boolean> ]; // may occur multiple times
+}; // may occur multiple times
+
+dlz <string> {
+        database <string>;
+        search <boolean>;
+}; // may occur multiple times
+
+dnssec-policy <string> {
+        dnskey-ttl <duration>;
+        keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime
+            <duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
+        max-zone-ttl <duration>;
+        nsec3param [ iterations <integer> ] [ optout <boolean> ] [
+            salt-length <integer> ];
+        parent-ds-ttl <duration>;
+        parent-propagation-delay <duration>;
+        publish-safety <duration>;
+        purge-keys <duration>;
+        retire-safety <duration>;
+        signatures-refresh <duration>;
+        signatures-validity <duration>;
+        signatures-validity-dnskey <duration>;
+        zone-propagation-delay <duration>;
+}; // may occur multiple times
+
+dyndb <string> <quoted_string> {
+    <unspecified-text> }; // may occur multiple times
+
+key <string> {
+        algorithm <string>;
+        secret <string>;
+}; // may occur multiple times
+
+logging {
+        category <string> { <string>; ... }; // may occur multiple times
+        channel <string> {
+                buffered <boolean>;
+                file <quoted_string> [ versions ( unlimited | <integer> ) ]
+                    [ size <size> ] [ suffix ( increment | timestamp ) ];
+                null;
+                print-category <boolean>;
+                print-severity <boolean>;
+                print-time ( iso8601 | iso8601-utc | local | <boolean> );
+                severity <log_severity>;
+                stderr;
+                syslog [ <syslog_facility> ];
+        }; // may occur multiple times
+};
+
+managed-keys { <string> ( static-key
+    | initial-key | static-ds |
+    initial-ds ) <integer> <integer>
+    <integer> <quoted_string>; ... }; // may occur multiple times, deprecated
+
+masters <string> [ port <integer> ] [ dscp
+    <integer> ] { ( <remote-servers> |
+    <ipv4_address> [ port <integer> ] |
+    <ipv6_address> [ port <integer> ] ) [ key
+    <string> ]; ... }; // may occur multiple times
+
+options {
+        allow-new-zones <boolean>;
+        allow-notify { <address_match_element>; ... };
+        allow-query { <address_match_element>; ... };
+        allow-query-cache { <address_match_element>; ... };
+        allow-query-cache-on { <address_match_element>; ... };
+        allow-query-on { <address_match_element>; ... };
+        allow-recursion { <address_match_element>; ... };
+        allow-recursion-on { <address_match_element>; ... };
+        allow-transfer { <address_match_element>; ... };
+        allow-update { <address_match_element>; ... };
+        allow-update-forwarding { <address_match_element>; ... };
+        also-notify [ port <integer> ] [ dscp <integer> ] { (
+            <remote-servers> | <ipv4_address> [ port <integer> ] |
+            <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+        alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * )
+            ] [ dscp <integer> ];
+        alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> |
+            * ) ] [ dscp <integer> ];
+        answer-cookie <boolean>;
+        attach-cache <string>;
+        auth-nxdomain <boolean>; // default changed
+        auto-dnssec ( allow | maintain | off ); // deprecated
+        automatic-interface-scan <boolean>;
+        avoid-v4-udp-ports { <portrange>; ... };
+        avoid-v6-udp-ports { <portrange>; ... };
+        bindkeys-file <quoted_string>;
+        blackhole { <address_match_element>; ... };
+        cache-file <quoted_string>; // deprecated
+        catalog-zones { zone <string> [ default-masters [ port <integer> ]
+            [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port
+            <integer> ] | <ipv6_address> [ port <integer> ] ) [ key
+            <string> ]; ... } ] [ zone-directory <quoted_string> ] [
+            in-memory <boolean> ] [ min-update-interval <duration> ]; ... };
+        check-dup-records ( fail | warn | ignore );
+        check-integrity <boolean>;
+        check-mx ( fail | warn | ignore );
+        check-mx-cname ( fail | warn | ignore );
+        check-names ( primary | master |
+            secondary | slave | response ) (
+            fail | warn | ignore ); // may occur multiple times
+        check-sibling <boolean>;
+        check-spf ( warn | ignore );
+        check-srv-cname ( fail | warn | ignore );
+        check-wildcard <boolean>;
+        clients-per-query <integer>;
+        cookie-algorithm ( aes | siphash24 );
+        cookie-secret <string>; // may occur multiple times
+        coresize ( default | unlimited | <sizeval> );
+        datasize ( default | unlimited | <sizeval> );
+        deny-answer-addresses { <address_match_element>; ... } [
+            except-from { <string>; ... } ];
+        deny-answer-aliases { <string>; ... } [ except-from { <string>; ...
+            } ];
+        dialup ( notify | notify-passive | passive | refresh | <boolean> );
+        directory <quoted_string>;
+        disable-algorithms <string> { <string>;
+            ... }; // may occur multiple times
+        disable-ds-digests <string> { <string>;
+            ... }; // may occur multiple times
+        disable-empty-zone <string>; // may occur multiple times
+        dns64 <netprefix> {
+                break-dnssec <boolean>;
+                clients { <address_match_element>; ... };
+                exclude { <address_match_element>; ... };
+                mapped { <address_match_element>; ... };
+                recursive-only <boolean>;
+                suffix <ipv6_address>;
+        }; // may occur multiple times
+        dns64-contact <string>;
+        dns64-server <string>;
+        dnskey-sig-validity <integer>;
+        dnsrps-enable <boolean>; // not configured
+        dnsrps-options { <unspecified-text> }; // not configured
+        dnssec-accept-expired <boolean>;
+        dnssec-dnskey-kskonly <boolean>;
+        dnssec-loadkeys-interval <integer>;
+        dnssec-must-be-secure <string> <boolean>; // may occur multiple times
+        dnssec-policy <string>;
+        dnssec-secure-to-insecure <boolean>;
+        dnssec-update-mode ( maintain | no-resign );
+        dnssec-validation ( yes | no | auto );
+        dnstap { ( all | auth | client | forwarder | resolver | update ) [
+            ( query | response ) ]; ... };
+        dnstap-identity ( <quoted_string> | none | hostname );
+        dnstap-output ( file | unix ) <quoted_string> [ size ( unlimited |
+            <size> ) ] [ versions ( unlimited | <integer> ) ] [ suffix (
+            increment | timestamp ) ];
+        dnstap-version ( <quoted_string> | none );
+        dscp <integer>; // deprecated
+        dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port
+            <integer> ] [ dscp <integer> ] | <ipv4_address> [ port
+            <integer> ] [ dscp <integer> ] | <ipv6_address> [ port
+            <integer> ] [ dscp <integer> ] ); ... };
+        dump-file <quoted_string>;
+        edns-udp-size <integer>;
+        empty-contact <string>;
+        empty-server <string>;
+        empty-zones-enable <boolean>;
+        fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
+        fetches-per-server <integer> [ ( drop | fail ) ];
+        fetches-per-zone <integer> [ ( drop | fail ) ];
+        files ( default | unlimited | <sizeval> );
+        flush-zones-on-shutdown <boolean>;
+        forward ( first | only );
+        forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
+            | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
+        fstrm-set-buffer-hint <integer>;
+        fstrm-set-flush-timeout <integer>;
+        fstrm-set-input-queue-size <integer>;
+        fstrm-set-output-notify-threshold <integer>;
+        fstrm-set-output-queue-model ( mpsc | spsc );
+        fstrm-set-output-queue-size <integer>;
+        fstrm-set-reopen-interval <duration>;
+        geoip-directory ( <quoted_string> | none );
+        glue-cache <boolean>;
+        heartbeat-interval <integer>;
+        hostname ( <quoted_string> | none );
+        interface-interval <duration>;
+        ixfr-from-differences ( primary | master | secondary | slave |
+            <boolean> );
+        keep-response-order { <address_match_element>; ... };
+        key-directory <quoted_string>;
+        lame-ttl <duration>;
+        listen-on [ port <integer> ] [ dscp
+            <integer> ] {
+            <address_match_element>; ... }; // may occur multiple times
+        listen-on-v6 [ port <integer> ] [ dscp
+            <integer> ] {
+            <address_match_element>; ... }; // may occur multiple times
+        lmdb-mapsize <sizeval>;
+        lock-file ( <quoted_string> | none );
+        managed-keys-directory <quoted_string>;
+        masterfile-format ( map | raw | text );
+        masterfile-style ( full | relative );
+        match-mapped-addresses <boolean>;
+        max-cache-size ( default | unlimited | <sizeval> | <percentage> );
+        max-cache-ttl <duration>;
+        max-clients-per-query <integer>;
+        max-ixfr-ratio ( unlimited | <percentage> );
+        max-journal-size ( default | unlimited | <sizeval> );
+        max-ncache-ttl <duration>;
+        max-records <integer>;
+        max-recursion-depth <integer>;
+        max-recursion-queries <integer>;
+        max-refresh-time <integer>;
+        max-retry-time <integer>;
+        max-rsa-exponent-size <integer>;
+        max-stale-ttl <duration>;
+        max-transfer-idle-in <integer>;
+        max-transfer-idle-out <integer>;
+        max-transfer-time-in <integer>;
+        max-transfer-time-out <integer>;
+        max-udp-size <integer>;
+        max-zone-ttl ( unlimited | <duration> );
+        memstatistics <boolean>;
+        memstatistics-file <quoted_string>;
+        message-compression <boolean>;
+        min-cache-ttl <duration>;
+        min-ncache-ttl <duration>;
+        min-refresh-time <integer>;
+        min-retry-time <integer>;
+        minimal-any <boolean>;
+        minimal-responses ( no-auth | no-auth-recursive | <boolean> );
+        multi-master <boolean>;
+        new-zones-directory <quoted_string>;
+        no-case-compress { <address_match_element>; ... };
+        nocookie-udp-size <integer>;
+        notify ( explicit | master-only | primary-only | <boolean> );
+        notify-delay <integer>;
+        notify-rate <integer>;
+        notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
+            dscp <integer> ];
+        notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ]
+            [ dscp <integer> ];
+        notify-to-soa <boolean>;
+        nta-lifetime <duration>;
+        nta-recheck <duration>;
+        nxdomain-redirect <string>;
+        parental-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
+            dscp <integer> ];
+        parental-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * )
+            ] [ dscp <integer> ];
+        pid-file ( <quoted_string> | none );
+        port <integer>;
+        preferred-glue <string>;
+        prefetch <integer> [ <integer> ];
+        provide-ixfr <boolean>;
+        qname-minimization ( strict | relaxed | disabled | off );
+        query-source ( ( [ address ] ( <ipv4_address> | * ) [ port (
+            <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ]
+            port ( <integer> | * ) ) ) [ dscp <integer> ];
+        query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port (
+            <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ]
+            port ( <integer> | * ) ) ) [ dscp <integer> ];
+        querylog <boolean>;
+        random-device ( <quoted_string> | none );
+        rate-limit {
+                all-per-second <integer>;
+                errors-per-second <integer>;
+                exempt-clients { <address_match_element>; ... };
+                ipv4-prefix-length <integer>;
+                ipv6-prefix-length <integer>;
+                log-only <boolean>;
+                max-table-size <integer>;
+                min-table-size <integer>;
+                nodata-per-second <integer>;
+                nxdomains-per-second <integer>;
+                qps-scale <integer>;
+                referrals-per-second <integer>;
+                responses-per-second <integer>;
+                slip <integer>;
+                window <integer>;
+        };
+        recursing-file <quoted_string>;
+        recursion <boolean>;
+        recursive-clients <integer>;
+        request-expire <boolean>;
+        request-ixfr <boolean>;
+        request-nsid <boolean>;
+        require-server-cookie <boolean>;
+        reserved-sockets <integer>;
+        resolver-nonbackoff-tries <integer>;
+        resolver-query-timeout <integer>;
+        resolver-retry-interval <integer>;
+        response-padding { <address_match_element>; ... } block-size
+            <integer>;
+        response-policy { zone <string> [ add-soa <boolean> ] [ log
+            <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval
+            <duration> ] [ policy ( cname | disabled | drop | given | no-op
+            | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [
+            recursive-only <boolean> ] [ nsip-enable <boolean> ] [
+            nsdname-enable <boolean> ]; ... } [ add-soa <boolean> ] [
+            break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [
+            min-update-interval <duration> ] [ min-ns-dots <integer> ] [
+            nsip-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ]
+            [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [
+            nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [
+            dnsrps-options { <unspecified-text> } ];
+        reuseport <boolean>;
+        root-delegation-only [ exclude { <string>; ... } ];
+        root-key-sentinel <boolean>;
+        rrset-order { [ class <string> ] [ type <string> ] [ name
+            <quoted_string> ] <string> <string>; ... };
+        secroots-file <quoted_string>;
+        send-cookie <boolean>;
+        serial-query-rate <integer>;
+        serial-update-method ( date | increment | unixtime );
+        server-id ( <quoted_string> | none | hostname );
+        servfail-ttl <duration>;
+        session-keyalg <string>;
+        session-keyfile ( <quoted_string> | none );
+        session-keyname <string>;
+        sig-signing-nodes <integer>;
+        sig-signing-signatures <integer>;
+        sig-signing-type <integer>;
+        sig-validity-interval <integer> [ <integer> ];
+        sortlist { <address_match_element>; ... };
+        stacksize ( default | unlimited | <sizeval> );
+        stale-answer-client-timeout ( disabled | off | <integer> );
+        stale-answer-enable <boolean>;
+        stale-answer-ttl <duration>;
+        stale-cache-enable <boolean>;
+        stale-refresh-time <duration>;
+        startup-notify-rate <integer>;
+        statistics-file <quoted_string>;
+        synth-from-dnssec <boolean>;
+        tcp-advertised-timeout <integer>;
+        tcp-clients <integer>;
+        tcp-idle-timeout <integer>;
+        tcp-initial-timeout <integer>;
+        tcp-keepalive-timeout <integer>;
+        tcp-listen-queue <integer>;
+        tkey-dhkey <quoted_string> <integer>;
+        tkey-domain <quoted_string>;
+        tkey-gssapi-credential <quoted_string>;
+        tkey-gssapi-keytab <quoted_string>;
+        transfer-format ( many-answers | one-answer );
+        transfer-message-size <integer>;
+        transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
+            dscp <integer> ];
+        transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * )
+            ] [ dscp <integer> ];
+        transfers-in <integer>;
+        transfers-out <integer>;
+        transfers-per-ns <integer>;
+        trust-anchor-telemetry <boolean>; // experimental
+        try-tcp-refresh <boolean>;
+        update-check-ksk <boolean>;
+        update-quota <integer>;
+        use-alt-transfer-source <boolean>;
+        use-v4-udp-ports { <portrange>; ... };
+        use-v6-udp-ports { <portrange>; ... };
+        v6-bias <integer>;
+        validate-except { <string>; ... };
+        version ( <quoted_string> | none );
+        zero-no-soa-ttl <boolean>;
+        zero-no-soa-ttl-cache <boolean>;
+        zone-statistics ( full | terse | none | <boolean> );
+};
+
+parental-agents <string> [ port <integer> ] [
+    dscp <integer> ] { ( <remote-servers> |
+    <ipv4_address> [ port <integer> ] |
+    <ipv6_address> [ port <integer> ] ) [ key
+    <string> ]; ... }; // may occur multiple times
+
+plugin ( query ) <string> [ { <unspecified-text>
+    } ]; // may occur multiple times
+
+primaries <string> [ port <integer> ] [ dscp
+    <integer> ] { ( <remote-servers> |
+    <ipv4_address> [ port <integer> ] |
+    <ipv6_address> [ port <integer> ] ) [ key
+    <string> ]; ... }; // may occur multiple times
+
+server <netprefix> {
+        bogus <boolean>;
+        edns <boolean>;
+        edns-udp-size <integer>;
+        edns-version <integer>;
+        keys <server_key>;
+        max-udp-size <integer>;
+        notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
+            dscp <integer> ];
+        notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ]
+            [ dscp <integer> ];
+        padding <integer>;
+        provide-ixfr <boolean>;
+        query-source ( ( [ address ] ( <ipv4_address> | * ) [ port (
+            <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ]
+            port ( <integer> | * ) ) ) [ dscp <integer> ];
+        query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port (
+            <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ]
+            port ( <integer> | * ) ) ) [ dscp <integer> ];
+        request-expire <boolean>;
+        request-ixfr <boolean>;
+        request-nsid <boolean>;
+        send-cookie <boolean>;
+        tcp-keepalive <boolean>;
+        tcp-only <boolean>;
+        transfer-format ( many-answers | one-answer );
+        transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
+            dscp <integer> ];
+        transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * )
+            ] [ dscp <integer> ];
+        transfers <integer>;
+}; // may occur multiple times
+
+statistics-channels {
+        inet ( <ipv4_address> | <ipv6_address> |
+            * ) [ port ( <integer> | * ) ] [
+            allow { <address_match_element>; ...
+            } ]; // may occur multiple times
+}; // may occur multiple times
+
+trust-anchors { <string> ( static-key |
+    initial-key | static-ds | initial-ds )
+    <integer> <integer> <integer>
+    <quoted_string>; ... }; // may occur multiple times
+
+trusted-keys { <string> <integer>
+    <integer> <integer>
+    <quoted_string>; ... }; // may occur multiple times, deprecated
+
+view <string> [ <class> ] {
+        allow-new-zones <boolean>;
+        allow-notify { <address_match_element>; ... };
+        allow-query { <address_match_element>; ... };
+        allow-query-cache { <address_match_element>; ... };
+        allow-query-cache-on { <address_match_element>; ... };
+        allow-query-on { <address_match_element>; ... };
+        allow-recursion { <address_match_element>; ... };
+        allow-recursion-on { <address_match_element>; ... };
+        allow-transfer { <address_match_element>; ... };
+        allow-update { <address_match_element>; ... };
+        allow-update-forwarding { <address_match_element>; ... };
+        also-notify [ port <integer> ] [ dscp <integer> ] { (
+            <remote-servers> | <ipv4_address> [ port <integer> ] |
+            <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+        alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * )
+            ] [ dscp <integer> ];
+        alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> |
+            * ) ] [ dscp <integer> ];
+        attach-cache <string>;
+        auth-nxdomain <boolean>; // default changed
+        auto-dnssec ( allow | maintain | off ); // deprecated
+        cache-file <quoted_string>; // deprecated
+        catalog-zones { zone <string> [ default-masters [ port <integer> ]
+            [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port
+            <integer> ] | <ipv6_address> [ port <integer> ] ) [ key
+            <string> ]; ... } ] [ zone-directory <quoted_string> ] [
+            in-memory <boolean> ] [ min-update-interval <duration> ]; ... };
+        check-dup-records ( fail | warn | ignore );
+        check-integrity <boolean>;
+        check-mx ( fail | warn | ignore );
+        check-mx-cname ( fail | warn | ignore );
+        check-names ( primary | master |
+            secondary | slave | response ) (
+            fail | warn | ignore ); // may occur multiple times
+        check-sibling <boolean>;
+        check-spf ( warn | ignore );
+        check-srv-cname ( fail | warn | ignore );
+        check-wildcard <boolean>;
+        clients-per-query <integer>;
+        deny-answer-addresses { <address_match_element>; ... } [
+            except-from { <string>; ... } ];
+        deny-answer-aliases { <string>; ... } [ except-from { <string>; ...
+            } ];
+        dialup ( notify | notify-passive | passive | refresh | <boolean> );
+        disable-algorithms <string> { <string>;
+            ... }; // may occur multiple times
+        disable-ds-digests <string> { <string>;
+            ... }; // may occur multiple times
+        disable-empty-zone <string>; // may occur multiple times
+        dlz <string> {
+                database <string>;
+                search <boolean>;
+        }; // may occur multiple times
+        dns64 <netprefix> {
+                break-dnssec <boolean>;
+                clients { <address_match_element>; ... };
+                exclude { <address_match_element>; ... };
+                mapped { <address_match_element>; ... };
+                recursive-only <boolean>;
+                suffix <ipv6_address>;
+        }; // may occur multiple times
+        dns64-contact <string>;
+        dns64-server <string>;
+        dnskey-sig-validity <integer>;
+        dnsrps-enable <boolean>; // not configured
+        dnsrps-options { <unspecified-text> }; // not configured
+        dnssec-accept-expired <boolean>;
+        dnssec-dnskey-kskonly <boolean>;
+        dnssec-loadkeys-interval <integer>;
+        dnssec-must-be-secure <string> <boolean>; // may occur multiple times
+        dnssec-policy <string>;
+        dnssec-secure-to-insecure <boolean>;
+        dnssec-update-mode ( maintain | no-resign );
+        dnssec-validation ( yes | no | auto );
+        dnstap { ( all | auth | client | forwarder | resolver | update ) [
+            ( query | response ) ]; ... };
+        dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port
+            <integer> ] [ dscp <integer> ] | <ipv4_address> [ port
+            <integer> ] [ dscp <integer> ] | <ipv6_address> [ port
+            <integer> ] [ dscp <integer> ] ); ... };
+        dyndb <string> <quoted_string> {
+            <unspecified-text> }; // may occur multiple times
+        edns-udp-size <integer>;
+        empty-contact <string>;
+        empty-server <string>;
+        empty-zones-enable <boolean>;
+        fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
+        fetches-per-server <integer> [ ( drop | fail ) ];
+        fetches-per-zone <integer> [ ( drop | fail ) ];
+        forward ( first | only );
+        forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
+            | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
+        glue-cache <boolean>;
+        ixfr-from-differences ( primary | master | secondary | slave |
+            <boolean> );
+        key <string> {
+                algorithm <string>;
+                secret <string>;
+        }; // may occur multiple times
+        key-directory <quoted_string>;
+        lame-ttl <duration>;
+        lmdb-mapsize <sizeval>;
+        managed-keys { <string> (
+            static-key | initial-key
+            | static-ds | initial-ds
+            ) <integer> <integer>
+            <integer>
+            <quoted_string>; ... }; // may occur multiple times, deprecated
+        masterfile-format ( map | raw | text );
+        masterfile-style ( full | relative );
+        match-clients { <address_match_element>; ... };
+        match-destinations { <address_match_element>; ... };
+        match-recursive-only <boolean>;
+        max-cache-size ( default | unlimited | <sizeval> | <percentage> );
+        max-cache-ttl <duration>;
+        max-clients-per-query <integer>;
+        max-ixfr-ratio ( unlimited | <percentage> );
+        max-journal-size ( default | unlimited | <sizeval> );
+        max-ncache-ttl <duration>;
+        max-records <integer>;
+        max-recursion-depth <integer>;
+        max-recursion-queries <integer>;
+        max-refresh-time <integer>;
+        max-retry-time <integer>;
+        max-stale-ttl <duration>;
+        max-transfer-idle-in <integer>;
+        max-transfer-idle-out <integer>;
+        max-transfer-time-in <integer>;
+        max-transfer-time-out <integer>;
+        max-udp-size <integer>;
+        max-zone-ttl ( unlimited | <duration> );
+        message-compression <boolean>;
+        min-cache-ttl <duration>;
+        min-ncache-ttl <duration>;
+        min-refresh-time <integer>;
+        min-retry-time <integer>;
+        minimal-any <boolean>;
+        minimal-responses ( no-auth | no-auth-recursive | <boolean> );
+        multi-master <boolean>;
+        new-zones-directory <quoted_string>;
+        no-case-compress { <address_match_element>; ... };
+        nocookie-udp-size <integer>;
+        notify ( explicit | master-only | primary-only | <boolean> );
+        notify-delay <integer>;
+        notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
+            dscp <integer> ];
+        notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ]
+            [ dscp <integer> ];
+        notify-to-soa <boolean>;
+        nta-lifetime <duration>;
+        nta-recheck <duration>;
+        nxdomain-redirect <string>;
+        parental-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
+            dscp <integer> ];
+        parental-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * )
+            ] [ dscp <integer> ];
+        plugin ( query ) <string> [ {
+            <unspecified-text> } ]; // may occur multiple times
+        preferred-glue <string>;
+        prefetch <integer> [ <integer> ];
+        provide-ixfr <boolean>;
+        qname-minimization ( strict | relaxed | disabled | off );
+        query-source ( ( [ address ] ( <ipv4_address> | * ) [ port (
+            <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ]
+            port ( <integer> | * ) ) ) [ dscp <integer> ];
+        query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port (
+            <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ]
+            port ( <integer> | * ) ) ) [ dscp <integer> ];
+        rate-limit {
+                all-per-second <integer>;
+                errors-per-second <integer>;
+                exempt-clients { <address_match_element>; ... };
+                ipv4-prefix-length <integer>;
+                ipv6-prefix-length <integer>;
+                log-only <boolean>;
+                max-table-size <integer>;
+                min-table-size <integer>;
+                nodata-per-second <integer>;
+                nxdomains-per-second <integer>;
+                qps-scale <integer>;
+                referrals-per-second <integer>;
+                responses-per-second <integer>;
+                slip <integer>;
+                window <integer>;
+        };
+        recursion <boolean>;
+        request-expire <boolean>;
+        request-ixfr <boolean>;
+        request-nsid <boolean>;
+        require-server-cookie <boolean>;
+        resolver-nonbackoff-tries <integer>;
+        resolver-query-timeout <integer>;
+        resolver-retry-interval <integer>;
+        response-padding { <address_match_element>; ... } block-size
+            <integer>;
+        response-policy { zone <string> [ add-soa <boolean> ] [ log
+            <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval
+            <duration> ] [ policy ( cname | disabled | drop | given | no-op
+            | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [
+            recursive-only <boolean> ] [ nsip-enable <boolean> ] [
+            nsdname-enable <boolean> ]; ... } [ add-soa <boolean> ] [
+            break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [
+            min-update-interval <duration> ] [ min-ns-dots <integer> ] [
+            nsip-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ]
+            [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [
+            nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [
+            dnsrps-options { <unspecified-text> } ];
+        root-delegation-only [ exclude { <string>; ... } ];
+        root-key-sentinel <boolean>;
+        rrset-order { [ class <string> ] [ type <string> ] [ name
+            <quoted_string> ] <string> <string>; ... };
+        send-cookie <boolean>;
+        serial-update-method ( date | increment | unixtime );
+        server <netprefix> {
+                bogus <boolean>;
+                edns <boolean>;
+                edns-udp-size <integer>;
+                edns-version <integer>;
+                keys <server_key>;
+                max-udp-size <integer>;
+                notify-source ( <ipv4_address> | * ) [ port ( <integer> | *
+                    ) ] [ dscp <integer> ];
+                notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer>
+                    | * ) ] [ dscp <integer> ];
+                padding <integer>;
+                provide-ixfr <boolean>;
+                query-source ( ( [ address ] ( <ipv4_address> | * ) [ port
+                    ( <integer> | * ) ] ) | ( [ [ address ] (
+                    <ipv4_address> | * ) ] port ( <integer> | * ) ) ) [
+                    dscp <integer> ];
+                query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [
+                    port ( <integer> | * ) ] ) | ( [ [ address ] (
+                    <ipv6_address> | * ) ] port ( <integer> | * ) ) ) [
+                    dscp <integer> ];
+                request-expire <boolean>;
+                request-ixfr <boolean>;
+                request-nsid <boolean>;
+                send-cookie <boolean>;
+                tcp-keepalive <boolean>;
+                tcp-only <boolean>;
+                transfer-format ( many-answers | one-answer );
+                transfer-source ( <ipv4_address> | * ) [ port ( <integer> |
+                    * ) ] [ dscp <integer> ];
+                transfer-source-v6 ( <ipv6_address> | * ) [ port (
+                    <integer> | * ) ] [ dscp <integer> ];
+                transfers <integer>;
+        }; // may occur multiple times
+        servfail-ttl <duration>;
+        sig-signing-nodes <integer>;
+        sig-signing-signatures <integer>;
+        sig-signing-type <integer>;
+        sig-validity-interval <integer> [ <integer> ];
+        sortlist { <address_match_element>; ... };
+        stale-answer-client-timeout ( disabled | off | <integer> );
+        stale-answer-enable <boolean>;
+        stale-answer-ttl <duration>;
+        stale-cache-enable <boolean>;
+        stale-refresh-time <duration>;
+        synth-from-dnssec <boolean>;
+        transfer-format ( many-answers | one-answer );
+        transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
+            dscp <integer> ];
+        transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * )
+            ] [ dscp <integer> ];
+        trust-anchor-telemetry <boolean>; // experimental
+        trust-anchors { <string> ( static-key |
+            initial-key | static-ds | initial-ds
+            ) <integer> <integer> <integer>
+            <quoted_string>; ... }; // may occur multiple times
+        trusted-keys { <string>
+            <integer> <integer>
+            <integer>
+            <quoted_string>; ... }; // may occur multiple times, deprecated
+        try-tcp-refresh <boolean>;
+        update-check-ksk <boolean>;
+        use-alt-transfer-source <boolean>;
+        v6-bias <integer>;
+        validate-except { <string>; ... };
+        zero-no-soa-ttl <boolean>;
+        zero-no-soa-ttl-cache <boolean>;
+        zone <string> [ <class> ] {
+                allow-notify { <address_match_element>; ... };
+                allow-query { <address_match_element>; ... };
+                allow-query-on { <address_match_element>; ... };
+                allow-transfer { <address_match_element>; ... };
+                allow-update { <address_match_element>; ... };
+                allow-update-forwarding { <address_match_element>; ... };
+                also-notify [ port <integer> ] [ dscp <integer> ] { (
+                    <remote-servers> | <ipv4_address> [ port <integer> ] |
+                    <ipv6_address> [ port <integer> ] ) [ key <string> ];
+                    ... };
+                alt-transfer-source ( <ipv4_address> | * ) [ port (
+                    <integer> | * ) ] [ dscp <integer> ];
+                alt-transfer-source-v6 ( <ipv6_address> | * ) [ port (
+                    <integer> | * ) ] [ dscp <integer> ];
+                auto-dnssec ( allow | maintain | off ); // deprecated
+                check-dup-records ( fail | warn | ignore );
+                check-integrity <boolean>;
+                check-mx ( fail | warn | ignore );
+                check-mx-cname ( fail | warn | ignore );
+                check-names ( fail | warn | ignore );
+                check-sibling <boolean>;
+                check-spf ( warn | ignore );
+                check-srv-cname ( fail | warn | ignore );
+                check-wildcard <boolean>;
+                database <string>;
+                delegation-only <boolean>;
+                dialup ( notify | notify-passive | passive | refresh |
+                    <boolean> );
+                dlz <string>;
+                dnskey-sig-validity <integer>;
+                dnssec-dnskey-kskonly <boolean>;
+                dnssec-loadkeys-interval <integer>;
+                dnssec-policy <string>;
+                dnssec-secure-to-insecure <boolean>;
+                dnssec-update-mode ( maintain | no-resign );
+                file <quoted_string>;
+                forward ( first | only );
+                forwarders [ port <integer> ] [ dscp <integer> ] { (
+                    <ipv4_address> | <ipv6_address> ) [ port <integer> ] [
+                    dscp <integer> ]; ... };
+                in-view <string>;
+                inline-signing <boolean>;
+                ixfr-from-differences <boolean>;
+                journal <quoted_string>;
+                key-directory <quoted_string>;
+                masterfile-format ( map | raw | text );
+                masterfile-style ( full | relative );
+                masters [ port <integer> ] [ dscp <integer> ] { (
+                    <remote-servers> | <ipv4_address> [ port <integer> ] |
+                    <ipv6_address> [ port <integer> ] ) [ key <string> ];
+                    ... };
+                max-ixfr-ratio ( unlimited | <percentage> );
+                max-journal-size ( default | unlimited | <sizeval> );
+                max-records <integer>;
+                max-refresh-time <integer>;
+                max-retry-time <integer>;
+                max-transfer-idle-in <integer>;
+                max-transfer-idle-out <integer>;
+                max-transfer-time-in <integer>;
+                max-transfer-time-out <integer>;
+                max-zone-ttl ( unlimited | <duration> );
+                min-refresh-time <integer>;
+                min-retry-time <integer>;
+                multi-master <boolean>;
+                notify ( explicit | master-only | primary-only | <boolean> );
+                notify-delay <integer>;
+                notify-source ( <ipv4_address> | * ) [ port ( <integer> | *
+                    ) ] [ dscp <integer> ];
+                notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer>
+                    | * ) ] [ dscp <integer> ];
+                notify-to-soa <boolean>;
+                parental-agents [ port <integer> ] [ dscp <integer> ] { (
+                    <remote-servers> | <ipv4_address> [ port <integer> ] |
+                    <ipv6_address> [ port <integer> ] ) [ key <string> ];
+                    ... };
+                parental-source ( <ipv4_address> | * ) [ port ( <integer> |
+                    * ) ] [ dscp <integer> ];
+                parental-source-v6 ( <ipv6_address> | * ) [ port (
+                    <integer> | * ) ] [ dscp <integer> ];
+                primaries [ port <integer> ] [ dscp <integer> ] { (
+                    <remote-servers> | <ipv4_address> [ port <integer> ] |
+                    <ipv6_address> [ port <integer> ] ) [ key <string> ];
+                    ... };
+                request-expire <boolean>;
+                request-ixfr <boolean>;
+                serial-update-method ( date | increment | unixtime );
+                server-addresses { ( <ipv4_address> | <ipv6_address> ); ... };
+                server-names { <string>; ... };
+                sig-signing-nodes <integer>;
+                sig-signing-signatures <integer>;
+                sig-signing-type <integer>;
+                sig-validity-interval <integer> [ <integer> ];
+                transfer-source ( <ipv4_address> | * ) [ port ( <integer> |
+                    * ) ] [ dscp <integer> ];
+                transfer-source-v6 ( <ipv6_address> | * ) [ port (
+                    <integer> | * ) ] [ dscp <integer> ];
+                try-tcp-refresh <boolean>;
+                type ( primary | master | secondary | slave | mirror |
+                    delegation-only | forward | hint | redirect |
+                    static-stub | stub );
+                update-check-ksk <boolean>;
+                update-policy ( local | { ( deny | grant ) <string> (
+                    6to4-self | external | krb5-self | krb5-selfsub |
+                    krb5-subdomain | ms-self | ms-selfsub | ms-subdomain |
+                    name | self | selfsub | selfwild | subdomain | tcp-self
+                    | wildcard | zonesub ) [ <string> ] <rrtypelist>; ... } );
+                use-alt-transfer-source <boolean>;
+                zero-no-soa-ttl <boolean>;
+                zone-statistics ( full | terse | none | <boolean> );
+        }; // may occur multiple times
+        zone-statistics ( full | terse | none | <boolean> );
+}; // may occur multiple times
+
+zone <string> [ <class> ] {
+        allow-notify { <address_match_element>; ... };
+        allow-query { <address_match_element>; ... };
+        allow-query-on { <address_match_element>; ... };
+        allow-transfer { <address_match_element>; ... };
+        allow-update { <address_match_element>; ... };
+        allow-update-forwarding { <address_match_element>; ... };
+        also-notify [ port <integer> ] [ dscp <integer> ] { (
+            <remote-servers> | <ipv4_address> [ port <integer> ] |
+            <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+        alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * )
+            ] [ dscp <integer> ];
+        alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> |
+            * ) ] [ dscp <integer> ];
+        auto-dnssec ( allow | maintain | off ); // deprecated
+        check-dup-records ( fail | warn | ignore );
+        check-integrity <boolean>;
+        check-mx ( fail | warn | ignore );
+        check-mx-cname ( fail | warn | ignore );
+        check-names ( fail | warn | ignore );
+        check-sibling <boolean>;
+        check-spf ( warn | ignore );
+        check-srv-cname ( fail | warn | ignore );
+        check-wildcard <boolean>;
+        database <string>;
+        delegation-only <boolean>;
+        dialup ( notify | notify-passive | passive | refresh | <boolean> );
+        dlz <string>;
+        dnskey-sig-validity <integer>;
+        dnssec-dnskey-kskonly <boolean>;
+        dnssec-loadkeys-interval <integer>;
+        dnssec-policy <string>;
+        dnssec-secure-to-insecure <boolean>;
+        dnssec-update-mode ( maintain | no-resign );
+        file <quoted_string>;
+        forward ( first | only );
+        forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
+            | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
+        in-view <string>;
+        inline-signing <boolean>;
+        ixfr-from-differences <boolean>;
+        journal <quoted_string>;
+        key-directory <quoted_string>;
+        masterfile-format ( map | raw | text );
+        masterfile-style ( full | relative );
+        masters [ port <integer> ] [ dscp <integer> ] { ( <remote-servers>
+            | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port
+            <integer> ] ) [ key <string> ]; ... };
+        max-ixfr-ratio ( unlimited | <percentage> );
+        max-journal-size ( default | unlimited | <sizeval> );
+        max-records <integer>;
+        max-refresh-time <integer>;
+        max-retry-time <integer>;
+        max-transfer-idle-in <integer>;
+        max-transfer-idle-out <integer>;
+        max-transfer-time-in <integer>;
+        max-transfer-time-out <integer>;
+        max-zone-ttl ( unlimited | <duration> );
+        min-refresh-time <integer>;
+        min-retry-time <integer>;
+        multi-master <boolean>;
+        notify ( explicit | master-only | primary-only | <boolean> );
+        notify-delay <integer>;
+        notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
+            dscp <integer> ];
+        notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ]
+            [ dscp <integer> ];
+        notify-to-soa <boolean>;
+        parental-agents [ port <integer> ] [ dscp <integer> ] { (
+            <remote-servers> | <ipv4_address> [ port <integer> ] |
+            <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+        parental-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
+            dscp <integer> ];
+        parental-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * )
+            ] [ dscp <integer> ];
+        primaries [ port <integer> ] [ dscp <integer> ] { (
+            <remote-servers> | <ipv4_address> [ port <integer> ] |
+            <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+        request-expire <boolean>;
+        request-ixfr <boolean>;
+        serial-update-method ( date | increment | unixtime );
+        server-addresses { ( <ipv4_address> | <ipv6_address> ); ... };
+        server-names { <string>; ... };
+        sig-signing-nodes <integer>;
+        sig-signing-signatures <integer>;
+        sig-signing-type <integer>;
+        sig-validity-interval <integer> [ <integer> ];
+        transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
+            dscp <integer> ];
+        transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * )
+            ] [ dscp <integer> ];
+        try-tcp-refresh <boolean>;
+        type ( primary | master | secondary | slave | mirror |
+            delegation-only | forward | hint | redirect | static-stub |
+            stub );
+        update-check-ksk <boolean>;
+        update-policy ( local | { ( deny | grant ) <string> ( 6to4-self |
+            external | krb5-self | krb5-selfsub | krb5-subdomain | ms-self
+            | ms-selfsub | ms-subdomain | name | self | selfsub | selfwild
+            | subdomain | tcp-self | wildcard | zonesub ) [ <string> ]
+            <rrtypelist>; ... } );
+        use-alt-transfer-source <boolean>;
+        zero-no-soa-ttl <boolean>;
+        zone-statistics ( full | terse | none | <boolean> );
+}; // may occur multiple times
+
diff --git a/doc/misc/options.grammar.rst b/doc/misc/options.grammar.rst
new file mode 100644
index 0000000..beef353
--- /dev/null
+++ b/doc/misc/options.grammar.rst
@@ -0,0 +1,313 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+::
+
+  options {
+  	allow-new-zones <boolean>;
+  	allow-notify { <address_match_element>; ... };
+  	allow-query { <address_match_element>; ... };
+  	allow-query-cache { <address_match_element>; ... };
+  	allow-query-cache-on { <address_match_element>; ... };
+  	allow-query-on { <address_match_element>; ... };
+  	allow-recursion { <address_match_element>; ... };
+  	allow-recursion-on { <address_match_element>; ... };
+  	allow-transfer { <address_match_element>; ... };
+  	allow-update { <address_match_element>; ... };
+  	allow-update-forwarding { <address_match_element>; ... };
+  	also-notify [ port <integer> ] [ dscp <integer> ] { (
+  	    <remote-servers> | <ipv4_address> [ port <integer> ] |
+  	    <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+  	alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * )
+  	    ] [ dscp <integer> ];
+  	alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> |
+  	    * ) ] [ dscp <integer> ];
+  	answer-cookie <boolean>;
+  	attach-cache <string>;
+  	auth-nxdomain <boolean>; // default changed
+  	auto-dnssec ( allow | maintain | off ); // deprecated
+  	automatic-interface-scan <boolean>;
+  	avoid-v4-udp-ports { <portrange>; ... };
+  	avoid-v6-udp-ports { <portrange>; ... };
+  	bindkeys-file <quoted_string>;
+  	blackhole { <address_match_element>; ... };
+  	cache-file <quoted_string>; // deprecated
+  	catalog-zones { zone <string> [ default-masters [ port <integer> ]
+  	    [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port
+  	    <integer> ] | <ipv6_address> [ port <integer> ] ) [ key
+  	    <string> ]; ... } ] [ zone-directory <quoted_string> ] [
+  	    in-memory <boolean> ] [ min-update-interval <duration> ]; ... };
+  	check-dup-records ( fail | warn | ignore );
+  	check-integrity <boolean>;
+  	check-mx ( fail | warn | ignore );
+  	check-mx-cname ( fail | warn | ignore );
+  	check-names ( primary | master |
+  	    secondary | slave | response ) (
+  	    fail | warn | ignore );
+  	check-sibling <boolean>;
+  	check-spf ( warn | ignore );
+  	check-srv-cname ( fail | warn | ignore );
+  	check-wildcard <boolean>;
+  	clients-per-query <integer>;
+  	cookie-algorithm ( aes | siphash24 );
+  	cookie-secret <string>;
+  	coresize ( default | unlimited | <sizeval> );
+  	datasize ( default | unlimited | <sizeval> );
+  	deny-answer-addresses { <address_match_element>; ... } [
+  	    except-from { <string>; ... } ];
+  	deny-answer-aliases { <string>; ... } [ except-from { <string>; ...
+  	    } ];
+  	dialup ( notify | notify-passive | passive | refresh | <boolean> );
+  	directory <quoted_string>;
+  	disable-algorithms <string> { <string>;
+  	    ... };
+  	disable-ds-digests <string> { <string>;
+  	    ... };
+  	disable-empty-zone <string>;
+  	dns64 <netprefix> {
+  		break-dnssec <boolean>;
+  		clients { <address_match_element>; ... };
+  		exclude { <address_match_element>; ... };
+  		mapped { <address_match_element>; ... };
+  		recursive-only <boolean>;
+  		suffix <ipv6_address>;
+  	};
+  	dns64-contact <string>;
+  	dns64-server <string>;
+  	dnskey-sig-validity <integer>;
+  	dnsrps-enable <boolean>;
+  	dnsrps-options { <unspecified-text> };
+  	dnssec-accept-expired <boolean>;
+  	dnssec-dnskey-kskonly <boolean>;
+  	dnssec-loadkeys-interval <integer>;
+  	dnssec-must-be-secure <string> <boolean>;
+  	dnssec-policy <string>;
+  	dnssec-secure-to-insecure <boolean>;
+  	dnssec-update-mode ( maintain | no-resign );
+  	dnssec-validation ( yes | no | auto );
+  	dnstap { ( all | auth | client | forwarder | resolver | update ) [
+  	    ( query | response ) ]; ... };
+  	dnstap-identity ( <quoted_string> | none | hostname );
+  	dnstap-output ( file | unix ) <quoted_string> [ size ( unlimited |
+  	    <size> ) ] [ versions ( unlimited | <integer> ) ] [ suffix (
+  	    increment | timestamp ) ];
+  	dnstap-version ( <quoted_string> | none );
+  	dscp <integer>;
+  	dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port
+  	    <integer> ] [ dscp <integer> ] | <ipv4_address> [ port
+  	    <integer> ] [ dscp <integer> ] | <ipv6_address> [ port
+  	    <integer> ] [ dscp <integer> ] ); ... };
+  	dump-file <quoted_string>;
+  	edns-udp-size <integer>;
+  	empty-contact <string>;
+  	empty-server <string>;
+  	empty-zones-enable <boolean>;
+  	fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
+  	fetches-per-server <integer> [ ( drop | fail ) ];
+  	fetches-per-zone <integer> [ ( drop | fail ) ];
+  	files ( default | unlimited | <sizeval> );
+  	flush-zones-on-shutdown <boolean>;
+  	forward ( first | only );
+  	forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
+  	    | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
+  	fstrm-set-buffer-hint <integer>;
+  	fstrm-set-flush-timeout <integer>;
+  	fstrm-set-input-queue-size <integer>;
+  	fstrm-set-output-notify-threshold <integer>;
+  	fstrm-set-output-queue-model ( mpsc | spsc );
+  	fstrm-set-output-queue-size <integer>;
+  	fstrm-set-reopen-interval <duration>;
+  	geoip-directory ( <quoted_string> | none );
+  	glue-cache <boolean>;
+  	heartbeat-interval <integer>;
+  	hostname ( <quoted_string> | none );
+  	interface-interval <duration>;
+  	ixfr-from-differences ( primary | master | secondary | slave |
+  	    <boolean> );
+  	keep-response-order { <address_match_element>; ... };
+  	key-directory <quoted_string>;
+  	lame-ttl <duration>;
+  	listen-on [ port <integer> ] [ dscp
+  	    <integer> ] {
+  	    <address_match_element>; ... };
+  	listen-on-v6 [ port <integer> ] [ dscp
+  	    <integer> ] {
+  	    <address_match_element>; ... };
+  	lmdb-mapsize <sizeval>;
+  	lock-file ( <quoted_string> | none );
+  	managed-keys-directory <quoted_string>;
+  	masterfile-format ( map | raw | text );
+  	masterfile-style ( full | relative );
+  	match-mapped-addresses <boolean>;
+  	max-cache-size ( default | unlimited | <sizeval> | <percentage> );
+  	max-cache-ttl <duration>;
+  	max-clients-per-query <integer>;
+  	max-ixfr-ratio ( unlimited | <percentage> );
+  	max-journal-size ( default | unlimited | <sizeval> );
+  	max-ncache-ttl <duration>;
+  	max-records <integer>;
+  	max-recursion-depth <integer>;
+  	max-recursion-queries <integer>;
+  	max-refresh-time <integer>;
+  	max-retry-time <integer>;
+  	max-rsa-exponent-size <integer>;
+  	max-stale-ttl <duration>;
+  	max-transfer-idle-in <integer>;
+  	max-transfer-idle-out <integer>;
+  	max-transfer-time-in <integer>;
+  	max-transfer-time-out <integer>;
+  	max-udp-size <integer>;
+  	max-zone-ttl ( unlimited | <duration> );
+  	memstatistics <boolean>;
+  	memstatistics-file <quoted_string>;
+  	message-compression <boolean>;
+  	min-cache-ttl <duration>;
+  	min-ncache-ttl <duration>;
+  	min-refresh-time <integer>;
+  	min-retry-time <integer>;
+  	minimal-any <boolean>;
+  	minimal-responses ( no-auth | no-auth-recursive | <boolean> );
+  	multi-master <boolean>;
+  	new-zones-directory <quoted_string>;
+  	no-case-compress { <address_match_element>; ... };
+  	nocookie-udp-size <integer>;
+  	notify ( explicit | master-only | primary-only | <boolean> );
+  	notify-delay <integer>;
+  	notify-rate <integer>;
+  	notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
+  	    dscp <integer> ];
+  	notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ]
+  	    [ dscp <integer> ];
+  	notify-to-soa <boolean>;
+  	nta-lifetime <duration>;
+  	nta-recheck <duration>;
+  	nxdomain-redirect <string>;
+  	parental-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
+  	    dscp <integer> ];
+  	parental-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * )
+  	    ] [ dscp <integer> ];
+  	pid-file ( <quoted_string> | none );
+  	port <integer>;
+  	preferred-glue <string>;
+  	prefetch <integer> [ <integer> ];
+  	provide-ixfr <boolean>;
+  	qname-minimization ( strict | relaxed | disabled | off );
+  	query-source ( ( [ address ] ( <ipv4_address> | * ) [ port (
+  	    <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ]
+  	    port ( <integer> | * ) ) ) [ dscp <integer> ];
+  	query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port (
+  	    <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ]
+  	    port ( <integer> | * ) ) ) [ dscp <integer> ];
+  	querylog <boolean>;
+  	random-device ( <quoted_string> | none );
+  	rate-limit {
+  		all-per-second <integer>;
+  		errors-per-second <integer>;
+  		exempt-clients { <address_match_element>; ... };
+  		ipv4-prefix-length <integer>;
+  		ipv6-prefix-length <integer>;
+  		log-only <boolean>;
+  		max-table-size <integer>;
+  		min-table-size <integer>;
+  		nodata-per-second <integer>;
+  		nxdomains-per-second <integer>;
+  		qps-scale <integer>;
+  		referrals-per-second <integer>;
+  		responses-per-second <integer>;
+  		slip <integer>;
+  		window <integer>;
+  	};
+  	recursing-file <quoted_string>;
+  	recursion <boolean>;
+  	recursive-clients <integer>;
+  	request-expire <boolean>;
+  	request-ixfr <boolean>;
+  	request-nsid <boolean>;
+  	require-server-cookie <boolean>;
+  	reserved-sockets <integer>;
+  	resolver-nonbackoff-tries <integer>;
+  	resolver-query-timeout <integer>;
+  	resolver-retry-interval <integer>;
+  	response-padding { <address_match_element>; ... } block-size
+  	    <integer>;
+  	response-policy { zone <string> [ add-soa <boolean> ] [ log
+  	    <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval
+  	    <duration> ] [ policy ( cname | disabled | drop | given | no-op
+  	    | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [
+  	    recursive-only <boolean> ] [ nsip-enable <boolean> ] [
+  	    nsdname-enable <boolean> ]; ... } [ add-soa <boolean> ] [
+  	    break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [
+  	    min-update-interval <duration> ] [ min-ns-dots <integer> ] [
+  	    nsip-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ]
+  	    [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [
+  	    nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [
+  	    dnsrps-options { <unspecified-text> } ];
+  	reuseport <boolean>;
+  	root-delegation-only [ exclude { <string>; ... } ];
+  	root-key-sentinel <boolean>;
+  	rrset-order { [ class <string> ] [ type <string> ] [ name
+  	    <quoted_string> ] <string> <string>; ... };
+  	secroots-file <quoted_string>;
+  	send-cookie <boolean>;
+  	serial-query-rate <integer>;
+  	serial-update-method ( date | increment | unixtime );
+  	server-id ( <quoted_string> | none | hostname );
+  	servfail-ttl <duration>;
+  	session-keyalg <string>;
+  	session-keyfile ( <quoted_string> | none );
+  	session-keyname <string>;
+  	sig-signing-nodes <integer>;
+  	sig-signing-signatures <integer>;
+  	sig-signing-type <integer>;
+  	sig-validity-interval <integer> [ <integer> ];
+  	sortlist { <address_match_element>; ... };
+  	stacksize ( default | unlimited | <sizeval> );
+  	stale-answer-client-timeout ( disabled | off | <integer> );
+  	stale-answer-enable <boolean>;
+  	stale-answer-ttl <duration>;
+  	stale-cache-enable <boolean>;
+  	stale-refresh-time <duration>;
+  	startup-notify-rate <integer>;
+  	statistics-file <quoted_string>;
+  	synth-from-dnssec <boolean>;
+  	tcp-advertised-timeout <integer>;
+  	tcp-clients <integer>;
+  	tcp-idle-timeout <integer>;
+  	tcp-initial-timeout <integer>;
+  	tcp-keepalive-timeout <integer>;
+  	tcp-listen-queue <integer>;
+  	tkey-dhkey <quoted_string> <integer>;
+  	tkey-domain <quoted_string>;
+  	tkey-gssapi-credential <quoted_string>;
+  	tkey-gssapi-keytab <quoted_string>;
+  	transfer-format ( many-answers | one-answer );
+  	transfer-message-size <integer>;
+  	transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
+  	    dscp <integer> ];
+  	transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * )
+  	    ] [ dscp <integer> ];
+  	transfers-in <integer>;
+  	transfers-out <integer>;
+  	transfers-per-ns <integer>;
+  	trust-anchor-telemetry <boolean>; // experimental
+  	try-tcp-refresh <boolean>;
+  	update-check-ksk <boolean>;
+  	update-quota <integer>;
+  	use-alt-transfer-source <boolean>;
+  	use-v4-udp-ports { <portrange>; ... };
+  	use-v6-udp-ports { <portrange>; ... };
+  	v6-bias <integer>;
+  	validate-except { <string>; ... };
+  	version ( <quoted_string> | none );
+  	zero-no-soa-ttl <boolean>;
+  	zero-no-soa-ttl-cache <boolean>;
+  	zone-statistics ( full | terse | none | <boolean> );
+  };
diff --git a/doc/misc/parental-agents.grammar.rst b/doc/misc/parental-agents.grammar.rst
new file mode 100644
index 0000000..509d01c
--- /dev/null
+++ b/doc/misc/parental-agents.grammar.rst
@@ -0,0 +1,18 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+::
+
+  parental-agents <string> [ port <integer> ] [
+      dscp <integer> ] { ( <remote-servers> |
+      <ipv4_address> [ port <integer> ] |
+      <ipv6_address> [ port <integer> ] ) [ key
+      <string> ]; ... };
diff --git a/doc/misc/primaries.grammar.rst b/doc/misc/primaries.grammar.rst
new file mode 100644
index 0000000..7e1901e
--- /dev/null
+++ b/doc/misc/primaries.grammar.rst
@@ -0,0 +1,18 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+::
+
+  primaries <string> [ port <integer> ] [ dscp
+      <integer> ] { ( <remote-servers> |
+      <ipv4_address> [ port <integer> ] |
+      <ipv6_address> [ port <integer> ] ) [ key
+      <string> ]; ... };
diff --git a/doc/misc/redirect.zoneopt b/doc/misc/redirect.zoneopt
new file mode 100644
index 0000000..6a5ef66
--- /dev/null
+++ b/doc/misc/redirect.zoneopt
@@ -0,0 +1,14 @@
+zone <string> [ <class> ] {
+	type redirect;
+	allow-query { <address_match_element>; ... };
+	allow-query-on { <address_match_element>; ... };
+	dlz <string>;
+	file <quoted_string>;
+	masterfile-format ( map | raw | text );
+	masterfile-style ( full | relative );
+	masters [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+	max-records <integer>;
+	max-zone-ttl ( unlimited | <duration> );
+	primaries [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+	zone-statistics ( full | terse | none | <boolean> );
+};
diff --git a/doc/misc/redirect.zoneopt.rst b/doc/misc/redirect.zoneopt.rst
new file mode 100644
index 0000000..51c378a
--- /dev/null
+++ b/doc/misc/redirect.zoneopt.rst
@@ -0,0 +1,27 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+::
+
+  zone <string> [ <class> ] {
+  	type redirect;
+  	allow-query { <address_match_element>; ... };
+  	allow-query-on { <address_match_element>; ... };
+  	dlz <string>;
+  	file <quoted_string>;
+  	masterfile-format ( map | raw | text );
+  	masterfile-style ( full | relative );
+  	masters [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+  	max-records <integer>;
+  	max-zone-ttl ( unlimited | <duration> );
+  	primaries [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+  	zone-statistics ( full | terse | none | <boolean> );
+  };
diff --git a/doc/misc/rst-grammars.pl b/doc/misc/rst-grammars.pl
new file mode 100644
index 0000000..56ff5ea
--- /dev/null
+++ b/doc/misc/rst-grammars.pl
@@ -0,0 +1,81 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+use warnings;
+use strict;
+
+if (@ARGV < 2) {
+	print STDERR <<'END';
+usage:
+    perl docbook-options.pl options_file section > section.grammar.xml
+END
+	exit 1;
+}
+
+my $FILE = shift;
+my $SECTION = shift;
+
+open (FH, "<", $FILE) or die "Can't open $FILE";
+
+print <<END;
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+::
+
+END
+
+# skip preamble
+my $preamble = 0;
+while (<FH>) {
+	if (m{^\s*$}) {
+		last if $preamble > 0;
+	} else {
+		$preamble++;
+	}
+}
+
+my $display = 0;
+while (<FH>) {
+	if (m{^$SECTION\b}) {
+		$display = 1
+	}
+
+	if (m{// not.*implemented} || m{// obsolete} ||
+	    m{// ancient} || m{// test.*only})
+	{
+		next;
+	}
+
+	s{ // not configured}{};
+	s{ // non-operational}{};
+	s{ // may occur multiple times}{};
+	s{[[]}{[}g;
+	s{[]]}{]}g;
+	s{        }{\t}g;
+
+	if (m{^\s*$} && $display) {
+		last;
+	}
+	if ($display) {
+		print "  " . $_;
+	}
+}
diff --git a/doc/misc/rst-options.pl b/doc/misc/rst-options.pl
new file mode 100644
index 0000000..7b5d490
--- /dev/null
+++ b/doc/misc/rst-options.pl
@@ -0,0 +1,135 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+use warnings;
+use strict;
+
+if (@ARGV < 1) {
+	print STDERR <<'END';
+usage:
+    perl rst-options.pl options_file >named.conf.rst
+END
+	exit 1;
+}
+
+my $FILE = shift;
+
+open (FH, "<", $FILE) or die "Can't open $FILE";
+
+print <<END;
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+END
+
+print <<END;
+.. highlight: console
+
+named.conf - configuration file for **named**
+---------------------------------------------
+
+Synopsis
+~~~~~~~~
+
+:program:`named.conf`
+
+Description
+~~~~~~~~~~~
+
+``named.conf`` is the configuration file for ``named``. Statements are
+enclosed in braces and terminated with a semi-colon. Clauses in the
+statements are also semi-colon terminated.  The usual comment styles are
+supported:
+
+C style: /\\* \\*/
+
+ C++ style: // to end of line
+
+Unix style: # to end of line
+
+END
+
+# skip preamble
+my $preamble = 0;
+while (<FH>) {
+	if (m{^\s*$}) {
+		last if $preamble > 0;
+	} else {
+		$preamble++;
+	}
+}
+
+my $blank = 0;
+while (<FH>) {
+	if (m{// not.*implemented} || m{// obsolete} ||
+	    m{// ancient} || m{// test.*only})
+	{
+		next;
+	}
+
+	s{ // not configured}{};
+	s{ // non-operational}{};
+	s{ (// )*may occur multiple times}{};
+	s{<([a-z0-9_-]+)>}{$1}g;
+	s{ // deprecated,*}{// deprecated};
+	s{[[]}{[}g;
+	s{[]]}{]}g;
+	s{        }{\t}g;
+	if (m{^([a-z0-9-]+) }) {
+		my $HEADING = uc $1;
+		my $UNDERLINE = $HEADING;
+		$UNDERLINE =~ s/./^/g;
+		print $HEADING . "\n";
+		print $UNDERLINE . "\n\n";
+		if ($HEADING eq "TRUSTED-KEYS") {
+		    print "Deprecated - see DNSSEC-KEYS.\n\n";
+		}
+		if ($HEADING eq "MANAGED-KEYS") {
+		    print "See DNSSEC-KEYS.\n\n" ;
+		}
+		print "::\n\n";
+	}
+
+	if (m{^\s*$}) {
+		if (!$blank) {
+			print "\n";
+			$blank = 1;
+		}
+		next;
+	} else {
+		$blank = 0;
+	}
+	print "  " . $_;
+
+}
+
+print <<END;
+Files
+~~~~~
+
+``/etc/named.conf``
+
+See Also
+~~~~~~~~
+
+:manpage:`ddns-confgen(8)`, :manpage:`named(8)`, :manpage:`named-checkconf(8)`, :manpage:`rndc(8)`, :manpage:`rndc-confgen(8)`, BIND 9 Administrator Reference Manual.
+
+END
diff --git a/doc/misc/rst-zoneopt.pl b/doc/misc/rst-zoneopt.pl
new file mode 100644
index 0000000..e1af541
--- /dev/null
+++ b/doc/misc/rst-zoneopt.pl
@@ -0,0 +1,59 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+use warnings;
+use strict;
+
+if (@ARGV < 1) {
+	print STDERR <<'END';
+usage:
+    perl rst-zoneopt.pl zoneopt_file
+END
+	exit 1;
+}
+
+my $FILE = shift;
+
+open (FH, "<", $FILE) or die "Can't open $FILE";
+
+print <<END;
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+::
+
+END
+
+while (<FH>) {
+	if (m{// not.*implemented} || m{// obsolete} ||
+	    m{// ancient} || m{// test.*only})
+	{
+		next;
+	}
+
+	s{ // not configured}{};
+	s{ // may occur multiple times}{};
+	s{[[]}{[}g;
+	s{[]]}{]}g;
+	s{        }{\t}g;
+
+	print "  " . $_;
+}
diff --git a/doc/misc/server.grammar.rst b/doc/misc/server.grammar.rst
new file mode 100644
index 0000000..526636e
--- /dev/null
+++ b/doc/misc/server.grammar.rst
@@ -0,0 +1,45 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+::
+
+  server <netprefix> {
+  	bogus <boolean>;
+  	edns <boolean>;
+  	edns-udp-size <integer>;
+  	edns-version <integer>;
+  	keys <server_key>;
+  	max-udp-size <integer>;
+  	notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
+  	    dscp <integer> ];
+  	notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ]
+  	    [ dscp <integer> ];
+  	padding <integer>;
+  	provide-ixfr <boolean>;
+  	query-source ( ( [ address ] ( <ipv4_address> | * ) [ port (
+  	    <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ]
+  	    port ( <integer> | * ) ) ) [ dscp <integer> ];
+  	query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port (
+  	    <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ]
+  	    port ( <integer> | * ) ) ) [ dscp <integer> ];
+  	request-expire <boolean>;
+  	request-ixfr <boolean>;
+  	request-nsid <boolean>;
+  	send-cookie <boolean>;
+  	tcp-keepalive <boolean>;
+  	tcp-only <boolean>;
+  	transfer-format ( many-answers | one-answer );
+  	transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
+  	    dscp <integer> ];
+  	transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * )
+  	    ] [ dscp <integer> ];
+  	transfers <integer>;
+  };
diff --git a/doc/misc/slave.zoneopt b/doc/misc/slave.zoneopt
new file mode 100644
index 0000000..c46202d
--- /dev/null
+++ b/doc/misc/slave.zoneopt
@@ -0,0 +1,65 @@
+zone <string> [ <class> ] {
+	type ( slave | secondary );
+	allow-notify { <address_match_element>; ... };
+	allow-query { <address_match_element>; ... };
+	allow-query-on { <address_match_element>; ... };
+	allow-transfer { <address_match_element>; ... };
+	allow-update-forwarding { <address_match_element>; ... };
+	also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+	alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+	alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+	auto-dnssec ( allow | maintain | off ); // deprecated
+	check-names ( fail | warn | ignore );
+	database <string>;
+	dialup ( notify | notify-passive | passive | refresh | <boolean> );
+	dlz <string>;
+	dnskey-sig-validity <integer>;
+	dnssec-dnskey-kskonly <boolean>;
+	dnssec-loadkeys-interval <integer>;
+	dnssec-policy <string>;
+	dnssec-update-mode ( maintain | no-resign );
+	file <quoted_string>;
+	forward ( first | only );
+	forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
+	inline-signing <boolean>;
+	ixfr-from-differences <boolean>;
+	journal <quoted_string>;
+	key-directory <quoted_string>;
+	masterfile-format ( map | raw | text );
+	masterfile-style ( full | relative );
+	masters [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+	max-ixfr-ratio ( unlimited | <percentage> );
+	max-journal-size ( default | unlimited | <sizeval> );
+	max-records <integer>;
+	max-refresh-time <integer>;
+	max-retry-time <integer>;
+	max-transfer-idle-in <integer>;
+	max-transfer-idle-out <integer>;
+	max-transfer-time-in <integer>;
+	max-transfer-time-out <integer>;
+	min-refresh-time <integer>;
+	min-retry-time <integer>;
+	multi-master <boolean>;
+	notify ( explicit | master-only | primary-only | <boolean> );
+	notify-delay <integer>;
+	notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+	notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+	notify-to-soa <boolean>;
+	parental-agents [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+	parental-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+	parental-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+	primaries [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+	request-expire <boolean>;
+	request-ixfr <boolean>;
+	sig-signing-nodes <integer>;
+	sig-signing-signatures <integer>;
+	sig-signing-type <integer>;
+	sig-validity-interval <integer> [ <integer> ];
+	transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+	transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+	try-tcp-refresh <boolean>;
+	update-check-ksk <boolean>;
+	use-alt-transfer-source <boolean>;
+	zero-no-soa-ttl <boolean>;
+	zone-statistics ( full | terse | none | <boolean> );
+};
diff --git a/doc/misc/slave.zoneopt.rst b/doc/misc/slave.zoneopt.rst
new file mode 100644
index 0000000..468a7f4
--- /dev/null
+++ b/doc/misc/slave.zoneopt.rst
@@ -0,0 +1,78 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+::
+
+  zone <string> [ <class> ] {
+  	type ( slave | secondary );
+  	allow-notify { <address_match_element>; ... };
+  	allow-query { <address_match_element>; ... };
+  	allow-query-on { <address_match_element>; ... };
+  	allow-transfer { <address_match_element>; ... };
+  	allow-update-forwarding { <address_match_element>; ... };
+  	also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+  	alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+  	alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+  	auto-dnssec ( allow | maintain | off ); // deprecated
+  	check-names ( fail | warn | ignore );
+  	database <string>;
+  	dialup ( notify | notify-passive | passive | refresh | <boolean> );
+  	dlz <string>;
+  	dnskey-sig-validity <integer>;
+  	dnssec-dnskey-kskonly <boolean>;
+  	dnssec-loadkeys-interval <integer>;
+  	dnssec-policy <string>;
+  	dnssec-update-mode ( maintain | no-resign );
+  	file <quoted_string>;
+  	forward ( first | only );
+  	forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
+  	inline-signing <boolean>;
+  	ixfr-from-differences <boolean>;
+  	journal <quoted_string>;
+  	key-directory <quoted_string>;
+  	masterfile-format ( map | raw | text );
+  	masterfile-style ( full | relative );
+  	masters [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+  	max-ixfr-ratio ( unlimited | <percentage> );
+  	max-journal-size ( default | unlimited | <sizeval> );
+  	max-records <integer>;
+  	max-refresh-time <integer>;
+  	max-retry-time <integer>;
+  	max-transfer-idle-in <integer>;
+  	max-transfer-idle-out <integer>;
+  	max-transfer-time-in <integer>;
+  	max-transfer-time-out <integer>;
+  	min-refresh-time <integer>;
+  	min-retry-time <integer>;
+  	multi-master <boolean>;
+  	notify ( explicit | master-only | primary-only | <boolean> );
+  	notify-delay <integer>;
+  	notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+  	notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+  	notify-to-soa <boolean>;
+  	parental-agents [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+  	parental-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+  	parental-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+  	primaries [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+  	request-expire <boolean>;
+  	request-ixfr <boolean>;
+  	sig-signing-nodes <integer>;
+  	sig-signing-signatures <integer>;
+  	sig-signing-type <integer>;
+  	sig-validity-interval <integer> [ <integer> ];
+  	transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+  	transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+  	try-tcp-refresh <boolean>;
+  	update-check-ksk <boolean>;
+  	use-alt-transfer-source <boolean>;
+  	zero-no-soa-ttl <boolean>;
+  	zone-statistics ( full | terse | none | <boolean> );
+  };
diff --git a/doc/misc/sort-options.pl b/doc/misc/sort-options.pl
new file mode 100644
index 0000000..f60b0b7
--- /dev/null
+++ b/doc/misc/sort-options.pl
@@ -0,0 +1,45 @@
+#!/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+sub sortlevel() {
+	my @options = ();
+	my $fin = "";
+	my $i = 0;
+	while (<>) {
+		if (/^\s*};$/ || /^\s*}; \/\/.*$/) {
+			$fin = $_;
+			# print 2, $_;
+			last;
+		}
+		next if (/^$/);
+		if (/{$/) {
+			# print 3, $_;
+			my $sec = $_;
+			push(@options, $sec . sortlevel());
+		} else {
+			push(@options, $_);
+			# print 1, $_;
+		}
+		$i++;
+	}
+	my $result = "";
+	foreach my $i (sort @options) {
+		$result = ${result}.${i};
+		$result = $result."\n" if ($i =~ /^[a-z]/i);
+		# print 5, ${i};
+	}
+	$result = ${result}.${fin};
+	return ($result);
+}
+
+print sortlevel();
diff --git a/doc/misc/static-stub.zoneopt b/doc/misc/static-stub.zoneopt
new file mode 100644
index 0000000..f89d462
--- /dev/null
+++ b/doc/misc/static-stub.zoneopt
@@ -0,0 +1,11 @@
+zone <string> [ <class> ] {
+	type static-stub;
+	allow-query { <address_match_element>; ... };
+	allow-query-on { <address_match_element>; ... };
+	forward ( first | only );
+	forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
+	max-records <integer>;
+	server-addresses { ( <ipv4_address> | <ipv6_address> ); ... };
+	server-names { <string>; ... };
+	zone-statistics ( full | terse | none | <boolean> );
+};
diff --git a/doc/misc/static-stub.zoneopt.rst b/doc/misc/static-stub.zoneopt.rst
new file mode 100644
index 0000000..d307586
--- /dev/null
+++ b/doc/misc/static-stub.zoneopt.rst
@@ -0,0 +1,24 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+::
+
+  zone <string> [ <class> ] {
+  	type static-stub;
+  	allow-query { <address_match_element>; ... };
+  	allow-query-on { <address_match_element>; ... };
+  	forward ( first | only );
+  	forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
+  	max-records <integer>;
+  	server-addresses { ( <ipv4_address> | <ipv6_address> ); ... };
+  	server-names { <string>; ... };
+  	zone-statistics ( full | terse | none | <boolean> );
+  };
diff --git a/doc/misc/statistics-channels.grammar.rst b/doc/misc/statistics-channels.grammar.rst
new file mode 100644
index 0000000..7a4ef27
--- /dev/null
+++ b/doc/misc/statistics-channels.grammar.rst
@@ -0,0 +1,19 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+::
+
+  statistics-channels {
+  	inet ( <ipv4_address> | <ipv6_address> |
+  	    * ) [ port ( <integer> | * ) ] [
+  	    allow { <address_match_element>; ...
+  	    } ];
+  };
diff --git a/doc/misc/stub.zoneopt b/doc/misc/stub.zoneopt
new file mode 100644
index 0000000..2db604d
--- /dev/null
+++ b/doc/misc/stub.zoneopt
@@ -0,0 +1,28 @@
+zone <string> [ <class> ] {
+	type stub;
+	allow-query { <address_match_element>; ... };
+	allow-query-on { <address_match_element>; ... };
+	check-names ( fail | warn | ignore );
+	database <string>;
+	delegation-only <boolean>;
+	dialup ( notify | notify-passive | passive | refresh | <boolean> );
+	file <quoted_string>;
+	forward ( first | only );
+	forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
+	masterfile-format ( map | raw | text );
+	masterfile-style ( full | relative );
+	masters [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+	max-records <integer>;
+	max-refresh-time <integer>;
+	max-retry-time <integer>;
+	max-transfer-idle-in <integer>;
+	max-transfer-time-in <integer>;
+	min-refresh-time <integer>;
+	min-retry-time <integer>;
+	multi-master <boolean>;
+	primaries [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+	transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+	transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+	use-alt-transfer-source <boolean>;
+	zone-statistics ( full | terse | none | <boolean> );
+};
diff --git a/doc/misc/stub.zoneopt.rst b/doc/misc/stub.zoneopt.rst
new file mode 100644
index 0000000..6b5ce2d
--- /dev/null
+++ b/doc/misc/stub.zoneopt.rst
@@ -0,0 +1,41 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+::
+
+  zone <string> [ <class> ] {
+  	type stub;
+  	allow-query { <address_match_element>; ... };
+  	allow-query-on { <address_match_element>; ... };
+  	check-names ( fail | warn | ignore );
+  	database <string>;
+  	delegation-only <boolean>;
+  	dialup ( notify | notify-passive | passive | refresh | <boolean> );
+  	file <quoted_string>;
+  	forward ( first | only );
+  	forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
+  	masterfile-format ( map | raw | text );
+  	masterfile-style ( full | relative );
+  	masters [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+  	max-records <integer>;
+  	max-refresh-time <integer>;
+  	max-retry-time <integer>;
+  	max-transfer-idle-in <integer>;
+  	max-transfer-time-in <integer>;
+  	min-refresh-time <integer>;
+  	min-retry-time <integer>;
+  	multi-master <boolean>;
+  	primaries [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+  	transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+  	transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+  	use-alt-transfer-source <boolean>;
+  	zone-statistics ( full | terse | none | <boolean> );
+  };
diff --git a/doc/misc/trust-anchors.grammar.rst b/doc/misc/trust-anchors.grammar.rst
new file mode 100644
index 0000000..eabe7c0
--- /dev/null
+++ b/doc/misc/trust-anchors.grammar.rst
@@ -0,0 +1,17 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+::
+
+  trust-anchors { <string> ( static-key |
+      initial-key | static-ds | initial-ds )
+      <integer> <integer> <integer>
+      <quoted_string>; ... };
diff --git a/doc/misc/trusted-keys.grammar.rst b/doc/misc/trusted-keys.grammar.rst
new file mode 100644
index 0000000..55cfa38
--- /dev/null
+++ b/doc/misc/trusted-keys.grammar.rst
@@ -0,0 +1,16 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+::
+
+  trusted-keys { <string> <integer>
+      <integer> <integer>
+      <quoted_string>; ... };, deprecated
diff --git a/doc/notes/notes-9.16.0.rst b/doc/notes/notes-9.16.0.rst
new file mode 100644
index 0000000..1b4e92f
--- /dev/null
+++ b/doc/notes/notes-9.16.0.rst
@@ -0,0 +1,152 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.0
+---------------------
+
+.. note::
+
+   This section only lists changes from BIND 9.14 (the previous
+   stable branch of BIND).
+
+New Features
+~~~~~~~~~~~~
+
+-  A new asynchronous network communications system based on ``libuv``
+   is now used by ``named`` for listening for incoming requests and
+   responding to them. This change will make it easier to improve
+   performance and implement new protocol layers (for example, DNS over
+   TLS) in the future. :gl:`#29`
+
+-  The new ``dnssec-policy`` option allows the configuration of a key
+   and signing policy (KASP) for zones. This option enables ``named`` to
+   generate new keys as needed and automatically roll both ZSK and KSK
+   keys. (Note that the syntax for this statement differs from the
+   DNSSEC policy used by ``dnssec-keymgr``.) :gl:`#1134`
+
+-  In order to clarify the configuration of DNSSEC keys, the
+   ``trusted-keys`` and ``managed-keys`` statements have been
+   deprecated, and the new ``trust-anchors`` statement should now be
+   used for both types of key.
+
+   When used with the keyword ``initial-key``, ``trust-anchors`` has the
+   same behavior as ``managed-keys``, i.e., it configures a trust anchor
+   that is to be maintained via :rfc:`5011`.
+
+   When used with the new keyword ``static-key``, ``trust-anchors`` has
+   the same behavior as ``trusted-keys``, i.e., it configures a
+   permanent trust anchor that will not automatically be updated. (This
+   usage is not recommended for the root key.) :gl:`#6`
+
+-  Two new keywords have been added to the ``trust-anchors`` statement:
+   ``initial-ds`` and ``static-ds``. These allow the use of trust
+   anchors in DS format instead of DNSKEY format. DS format allows trust
+   anchors to be configured for keys that have not yet been published;
+   this is the format used by IANA when announcing future root keys.
+
+   As with the ``initial-key`` and ``static-key`` keywords,
+   ``initial-ds`` configures a dynamic trust anchor to be maintained via
+   :rfc:`5011`, and ``static-ds`` configures a permanent trust anchor.
+   :gl:`#6` :gl:`#622`
+
+-  ``dig``, ``mdig`` and ``delv`` can all now take a ``+yaml`` option to
+   print output in a detailed YAML format. :gl:`#1145`
+
+-  ``dig`` now has a new command line option: ``+[no]unexpected``. By
+   default, ``dig`` won't accept a reply from a source other than the
+   one to which it sent the query. Add the ``+unexpected`` argument to
+   enable it to process replies from unexpected sources. [RT #44978]
+
+-  ``dig`` now accepts a new command line option, ``+[no]expandaaaa``,
+   which causes the IPv6 addresses in AAAA records to be printed in full
+   128-bit notation rather than the default :rfc:`5952` format.
+   :gl:`#765`
+
+-  Statistics channel groups can now be toggled. :gl:`#1030`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+-  When static and managed DNSSEC keys were both configured for the same
+   name, or when a static key was used to configure a trust anchor for
+   the root zone and ``dnssec-validation`` was set to the default value
+   of ``auto``, automatic :rfc:`5011` key rollovers would be disabled.
+   This combination of settings was never intended to work, but there
+   was no check for it in the parser. This has been corrected, and it is
+   now a fatal configuration error. :gl:`#868`
+
+-  DS and CDS records are now generated with SHA-256 digests only,
+   instead of both SHA-1 and SHA-256. This affects the default output of
+   ``dnssec-dsfromkey``, the ``dsset`` files generated by
+   ``dnssec-signzone``, the DS records added to a zone by
+   ``dnssec-signzone`` based on ``keyset`` files, the CDS records added
+   to a zone by ``named`` and ``dnssec-signzone`` based on "sync" timing
+   parameters in key files, and the checks performed by
+   ``dnssec-checkds``. :gl:`#1015`
+
+-  ``named`` will now log a warning if a static key is configured for
+   the root zone. :gl:`#6`
+
+-  A SipHash 2-4 based DNS Cookie (:rfc:`7873`) algorithm has been added
+   and made default. Old non-default HMAC-SHA based DNS Cookie
+   algorithms have been removed, and only the default AES algorithm is
+   being kept for legacy reasons. This change has no operational impact
+   in most common scenarios. :gl:`#605`
+
+   If you are running multiple DNS servers (different versions of BIND 9
+   or DNS servers from multiple vendors) responding from the same IP
+   address (anycast or load-balancing scenarios), make sure that all the
+   servers are configured with the same DNS Cookie algorithm and same
+   Server Secret for the best performance.
+
+-  The information from the ``dnssec-signzone`` and ``dnssec-verify``
+   commands is now printed to standard output. The standard error output
+   is only used to print warnings and errors, and in case the user
+   requests the signed zone to be printed to standard output with the
+   ``-f -`` option. A new configuration option ``-q`` has been added to
+   silence all output on standard output except for the name of the
+   signed zone. :gl:`#1151`
+
+-  The DNSSEC validation code has been refactored for clarity and to
+   reduce code duplication. :gl:`#622`
+
+-  Compile-time settings enabled by the ``--with-tuning=large`` option
+   for ``configure`` are now in effect by default. Previously used
+   default compile-time settings can be enabled by passing
+   ``--with-tuning=small`` to ``configure``. :gl:`!2989`
+
+-  JSON-C is now the only supported library for enabling JSON support
+   for BIND statistics. The ``configure`` option has been renamed from
+   ``--with-libjson`` to ``--with-json-c``. Set the ``PKG_CONFIG_PATH``
+   environment variable accordingly to specify a custom path to the
+   ``json-c`` library, as the new ``configure`` option does not take the
+   library installation path as an optional argument. :gl:`#855`
+
+-  ``./configure`` no longer sets ``--sysconfdir`` to ``/etc`` or
+   ``--localstatedir`` to ``/var`` when ``--prefix`` is not specified
+   and the aforementioned options are not specified explicitly. Instead,
+   Autoconf's defaults of ``$prefix/etc`` and ``$prefix/var`` are
+   respected. :gl:`#658`
+
+Removed Features
+~~~~~~~~~~~~~~~~
+
+-  The ``dnssec-enable`` option has been obsoleted and no longer has any
+   effect. DNSSEC responses are always enabled if signatures and other
+   DNSSEC data are present. :gl:`#866`
+
+-  DNSSEC Lookaside Validation (DLV) is now obsolete. The
+   ``dnssec-lookaside`` option has been marked as deprecated; when used
+   in ``named.conf``, it will generate a warning but will otherwise be
+   ignored. All code enabling the use of lookaside validation has been
+   removed from the validator, ``delv``, and the DNSSEC tools. :gl:`#7`
+
+-  The ``cleaning-interval`` option has been removed. :gl:`!1731`
diff --git a/doc/notes/notes-9.16.1.rst b/doc/notes/notes-9.16.1.rst
new file mode 100644
index 0000000..ac3668b
--- /dev/null
+++ b/doc/notes/notes-9.16.1.rst
@@ -0,0 +1,48 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.1
+---------------------
+
+Known Issues
+~~~~~~~~~~~~
+
+-  UDP network ports used for listening can no longer simultaneously be
+   used for sending traffic. An example configuration which triggers
+   this issue would be one which uses the same address:port pair for
+   ``listen-on(-v6)`` statements as for ``notify-source(-v6)`` or
+   ``transfer-source(-v6)``. While this issue affects all operating
+   systems, it only triggers log messages (e.g. "unable to create
+   dispatch for reserved port") on some of them. There are currently no
+   plans to make such a combination of settings work again.
+
+-  See :ref:`above <relnotes_known_issues>` for a list of all known
+   issues affecting this BIND 9 branch.
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+-  The system-provided POSIX Threads read-write lock implementation is
+   now used by default instead of the native BIND 9 implementation.
+   Please be aware that glibc versions 2.26 through 2.29 had a
+   `bug <https://sourceware.org/bugzilla/show_bug.cgi?id=23844>`__ that
+   could cause BIND 9 to deadlock. A fix was released in glibc 2.30, and
+   most current Linux distributions have patched or updated glibc, with
+   the notable exception of Ubuntu 18.04 (Bionic) which is a work in
+   progress. If you are running on an affected operating system, compile
+   BIND 9 with ``--disable-pthread-rwlock`` until a fixed version of
+   glibc is available. :gl:`!3125`
+
+Bug Fixes
+~~~~~~~~~
+
+-  Fixed re-signing issues with inline zones which resulted in records
+   being re-signed late or not at all.
diff --git a/doc/notes/notes-9.16.10.rst b/doc/notes/notes-9.16.10.rst
new file mode 100644
index 0000000..782011a
--- /dev/null
+++ b/doc/notes/notes-9.16.10.rst
@@ -0,0 +1,58 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.10
+----------------------
+
+New Features
+~~~~~~~~~~~~
+
+- NSEC3 support was added to KASP. A new option for ``dnssec-policy``,
+  ``nsec3param``, can be used to set the desired NSEC3 parameters.
+  NSEC3 salt collisions are automatically prevented during resalting.
+  :gl:`#1620`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- The default value of ``max-recursion-queries`` was increased from 75
+  to 100. Since the queries sent towards root and TLD servers are now
+  included in the count (as a result of the fix for CVE-2020-8616),
+  ``max-recursion-queries`` has a higher chance of being exceeded by
+  non-attack queries, which is the main reason for increasing its
+  default value. :gl:`#2305`
+
+- The default value of ``nocookie-udp-size`` was restored back to 4096
+  bytes. Since ``max-udp-size`` is the upper bound for
+  ``nocookie-udp-size``, this change relieves the operator from having
+  to change ``nocookie-udp-size`` together with ``max-udp-size`` in
+  order to increase the default EDNS buffer size limit.
+  ``nocookie-udp-size`` can still be set to a value lower than
+  ``max-udp-size``, if desired. :gl:`#2250`
+
+Bug Fixes
+~~~~~~~~~
+
+- Handling of missing DNS COOKIE responses over UDP was tightened by
+  falling back to TCP. :gl:`#2275`
+
+- The CNAME synthesized from a DNAME was incorrectly followed when the
+  QTYPE was CNAME or ANY. :gl:`#2280`
+
+- Building with native PKCS#11 support for AEP Keyper has been broken
+  since BIND 9.16.6. This has been fixed. :gl:`#2315`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.16.11.rst b/doc/notes/notes-9.16.11.rst
new file mode 100644
index 0000000..70a6658
--- /dev/null
+++ b/doc/notes/notes-9.16.11.rst
@@ -0,0 +1,74 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.11
+----------------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- The new networking code introduced in BIND 9.16 (netmgr) was
+  overhauled in order to make it more stable, testable, and
+  maintainable. :gl:`#2321`
+
+- Earlier releases of BIND versions 9.16 and newer required the
+  operating system to support load-balanced sockets in order for
+  ``named`` to be able to achieve high performance (by distributing
+  incoming queries among multiple threads). However, the only operating
+  systems currently known to support load-balanced sockets are Linux and
+  FreeBSD 12, which means both UDP and TCP performance were limited to a
+  single thread on other systems. As of BIND 9.16.11, ``named`` attempts
+  to distribute incoming queries among multiple threads on systems which
+  lack support for load-balanced sockets (except Windows). :gl:`#2137`
+
+- It is now possible to transition a zone from secure to insecure mode
+  without making it bogus in the process; changing to ``dnssec-policy
+  none;`` also causes CDS and CDNSKEY DELETE records to be published, to
+  signal that the entire DS RRset at the parent must be removed, as
+  described in :rfc:`8078`. :gl:`#1750`
+
+- When using the ``unixtime`` or ``date`` method to update the SOA
+  serial number, ``named`` and ``dnssec-signzone`` silently fell back to
+  the ``increment`` method to prevent the new serial number from being
+  smaller than the old serial number (using serial number arithmetics).
+  ``dnssec-signzone`` now prints a warning message, and ``named`` logs a
+  warning, when such a fallback happens. :gl:`#2058`
+
+Bug Fixes
+~~~~~~~~~
+
+- Multiple threads could attempt to destroy a single RBTDB instance at
+  the same time, resulting in an unpredictable but low-probability
+  assertion failure in ``free_rbtdb()``. This has been fixed.
+  :gl:`#2317`
+
+- ``named`` no longer attempts to assign threads to CPUs outside the CPU
+  affinity set. Thanks to Ole Bjørn Hessen. :gl:`#2245`
+
+- When reconfiguring ``named``, removing ``auto-dnssec`` did not turn
+  off DNSSEC maintenance. This has been fixed. :gl:`#2341`
+
+- The report of intermittent BIND assertion failures triggered in
+  ``lib/dns/resolver.c:dns_name_issubdomain()`` has now been closed
+  without further action. Our initial response to this was to add
+  diagnostic logging instead of terminating ``named``, anticipating that
+  we would receive further useful troubleshooting input. This workaround
+  first appeared in BIND releases 9.17.5 and 9.16.7. However, since
+  those releases were published, there have been no new reports of
+  assertion failures matching this issue, but also no further diagnostic
+  input, so we have closed the issue. :gl:`#2091`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.16.12.rst b/doc/notes/notes-9.16.12.rst
new file mode 100644
index 0000000..d236f5e
--- /dev/null
+++ b/doc/notes/notes-9.16.12.rst
@@ -0,0 +1,123 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.12
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- When ``tkey-gssapi-keytab`` or ``tkey-gssapi-credential`` was
+  configured, a specially crafted GSS-TSIG query could cause a buffer
+  overflow in the ISC implementation of SPNEGO (a protocol enabling
+  negotiation of the security mechanism to use for GSSAPI
+  authentication). This flaw could be exploited to crash ``named``.
+  Theoretically, it also enabled remote code execution, but achieving
+  the latter is very difficult in real-world conditions.
+  (CVE-2020-8625)
+
+  This vulnerability was responsibly reported to us as ZDI-CAN-12302 by
+  Trend Micro Zero Day Initiative. :gl:`#2354`
+
+New Features
+~~~~~~~~~~~~
+
+- When a secondary server receives a large incremental zone transfer
+  (IXFR), it can have a negative impact on query performance while the
+  incremental changes are applied to the zone. To address this,
+  ``named`` can now limit the size of IXFR responses it sends in
+  response to zone transfer requests. If an IXFR response would be
+  larger than an AXFR of the entire zone, it will send an AXFR response
+  instead.
+
+  This behavior is controlled by the ``max-ixfr-ratio`` option - a
+  percentage value representing the ratio of IXFR size to the size of a
+  full zone transfer. The default is ``100%``. :gl:`#1515`
+
+- A new option, ``stale-answer-client-timeout``, has been added to
+  improve ``named``'s behavior with respect to serving stale data. The
+  option defines the amount of time ``named`` waits before attempting to
+  answer the query with a stale RRset from cache. If a stale answer is
+  found, ``named`` continues the ongoing fetches, attempting to refresh
+  the RRset in cache until the ``resolver-query-timeout`` interval is
+  reached.
+
+  The default value is ``1800`` (in milliseconds) and the maximum value
+  is limited to ``resolver-query-timeout`` minus one second. A value of
+  ``0`` causes any available cached RRset to immediately be returned
+  while still triggering a refresh of the data in cache.
+
+  This new behavior can be disabled by setting
+  ``stale-answer-client-timeout`` to ``off`` or ``disabled``. The new
+  option has no effect if ``stale-answer-enable`` is disabled.
+  :gl:`#2247`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- As part of an ongoing effort to use :rfc:`8499` terminology,
+  ``primaries`` can now be used as a synonym for ``masters`` in
+  ``named.conf``. Similarly, ``notify primary-only`` can now be used as
+  a synonym for ``notify master-only``. The output of ``rndc
+  zonestatus`` now uses ``primary`` and ``secondary`` terminology.
+  :gl:`#1948`
+
+- The default value of ``max-stale-ttl`` has been changed from 12 hours
+  to 1 day and the default value of ``stale-answer-ttl`` has been
+  changed from 1 second to 30 seconds, following :rfc:`8767`
+  recommendations. :gl:`#2248`
+
+- The SONAMEs for BIND 9 libraries now include the current BIND 9
+  version number, in an effort to tightly couple internal libraries with
+  a specific release. This change makes the BIND 9 release process both
+  simpler and more consistent while also unequivocally preventing BIND 9
+  binaries from silently loading wrong versions of shared libraries (or
+  multiple versions of the same shared library) at startup. :gl:`#2387`
+
+- When ``check-names`` is in effect, A records below an ``_spf``,
+  ``_spf_rate``, or ``_spf_verify`` label (which are employed by the
+  ``exists`` SPF mechanism defined in :rfc:`7208` section 5.7/appendix
+  D.1) are no longer reported as warnings/errors. :gl:`#2377`
+
+Bug Fixes
+~~~~~~~~~
+
+- ``named`` failed to start when its configuration included a zone with
+  a non-builtin ``allow-update`` ACL attached. :gl:`#2413`
+
+- Previously, ``dnssec-keyfromlabel`` crashed when operating on an ECDSA
+  key. This has been fixed. :gl:`#2178`
+
+- KASP incorrectly set signature validity to the value of the DNSKEY
+  signature validity. This has been fixed. :gl:`#2383`
+
+- When migrating to KASP, BIND 9 considered keys with the ``Inactive``
+  and/or ``Delete`` timing metadata to be possible active keys. This has
+  been fixed. :gl:`#2406`
+
+- Fix the "three is a crowd" key rollover bug in KASP. When keys rolled
+  faster than the time required to finish the rollover procedure, the
+  successor relation equation failed because it assumed only two keys
+  were taking part in a rollover. This could lead to premature removal
+  of predecessor keys. BIND 9 now implements a recursive successor
+  relation, as described in the paper "Flexible and Robust Key Rollover"
+  (Equation (2)). :gl:`#2375`
+
+- Performance of the DNSSEC verification code (used by
+  ``dnssec-signzone``, ``dnssec-verify``, and mirror zones) has been
+  improved. :gl:`#2073`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.16.13.rst b/doc/notes/notes-9.16.13.rst
new file mode 100644
index 0000000..d7650ee
--- /dev/null
+++ b/doc/notes/notes-9.16.13.rst
@@ -0,0 +1,79 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.13
+----------------------
+
+New Features
+~~~~~~~~~~~~
+
+- A new ``purge-keys`` option has been added to ``dnssec-policy``. It
+  sets the period of time that key files are retained after becoming
+  obsolete due to a key rollover; the default is 90 days. This feature
+  can be disabled by setting ``purge-keys`` to 0. :gl:`#2408`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- When serve-stale is enabled and stale data is available, ``named`` now
+  returns stale answers upon encountering any unexpected error in the
+  query resolution process. This may happen, for example, if the
+  ``fetches-per-server`` or ``fetches-per-zone`` limits are reached. In
+  this case, ``named`` attempts to answer DNS requests with stale data,
+  but does not start the ``stale-refresh-time`` window. :gl:`#2434`
+
+Bug Fixes
+~~~~~~~~~
+
+- Zone journal (``.jnl``) files created by versions of ``named`` prior
+  to 9.16.12 were no longer compatible; this could cause problems when
+  upgrading if journal files were not synchronized first. This has been
+  corrected: older journal files can now be read when starting up. When
+  an old-style journal file is detected, it is updated to the new format
+  immediately after loading.
+
+  Note that journals created by the current version of ``named`` are not
+  usable by versions prior to 9.16.12. Before downgrading to a prior
+  release, users are advised to ensure that all dynamic zones have been
+  synchronized using ``rndc sync -clean``.
+
+  A journal file's format can be changed manually by running
+  ``named-journalprint -d`` (downgrade) or ``named-journalprint -u``
+  (upgrade). Note that this *must not* be done while ``named`` is
+  running. :gl:`#2505`
+
+- ``named`` crashed when it was allowed to serve stale answers and
+  ``stale-answer-client-timeout`` was triggered without any (stale) data
+  available in the cache to answer the query. :gl:`#2503`
+
+- If an outgoing packet exceeded ``max-udp-size``, ``named`` dropped it
+  instead of sending back a proper response. To prevent this problem,
+  the ``IP_DONTFRAG`` option is no longer set on UDP sockets, which has
+  been happening since BIND 9.16.11. :gl:`#2466`
+
+- NSEC3 records were not immediately created when signing a dynamic zone
+  using ``dnssec-policy`` with ``nsec3param``. This has been fixed.
+  :gl:`#2498`
+
+- A memory leak occurred when ``named`` was reconfigured after adding an
+  inline-signed zone with ``auto-dnssec maintain`` enabled. This has
+  been fixed. :gl:`#2041`
+
+- An invalid direction field (not one of ``N``, ``S``, ``E``, ``W``) in
+  a LOC record resulted in an INSIST failure when a zone file containing
+  such a record was loaded. :gl:`#2499`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.16.14.rst b/doc/notes/notes-9.16.14.rst
new file mode 100644
index 0000000..237bf28
--- /dev/null
+++ b/doc/notes/notes-9.16.14.rst
@@ -0,0 +1,19 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.14
+----------------------
+
+.. note::
+
+   The BIND 9.16.14 release was withdrawn after a backporting bug was
+   discovered during pre-release testing. ISC would like to acknowledge
+   the assistance of Natan Segal of Bluecat Networks.
diff --git a/doc/notes/notes-9.16.15.rst b/doc/notes/notes-9.16.15.rst
new file mode 100644
index 0000000..0cc0f49
--- /dev/null
+++ b/doc/notes/notes-9.16.15.rst
@@ -0,0 +1,112 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.15
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- A malformed incoming IXFR transfer could trigger an assertion failure
+  in ``named``, causing it to quit abnormally. (CVE-2021-25214)
+
+  ISC would like to thank Greg Kuechle of SaskTel for bringing this
+  vulnerability to our attention. :gl:`#2467`
+
+- ``named`` crashed when a DNAME record placed in the ANSWER section
+  during DNAME chasing turned out to be the final answer to a client
+  query. (CVE-2021-25215)
+
+  ISC would like to thank `Siva Kakarla`_ for bringing this
+  vulnerability to our attention. :gl:`#2540`
+
+.. _Siva Kakarla: https://github.com/sivakesava1
+
+- When a server's configuration set the ``tkey-gssapi-keytab`` or
+  ``tkey-gssapi-credential`` option, a specially crafted GSS-TSIG query
+  could cause a buffer overflow in the ISC implementation of SPNEGO (a
+  protocol enabling negotiation of the security mechanism used for
+  GSSAPI authentication). This flaw could be exploited to crash
+  ``named`` binaries compiled for 64-bit platforms, and could enable
+  remote code execution when ``named`` was compiled for 32-bit
+  platforms. (CVE-2021-25216)
+
+  This vulnerability was reported to us as ZDI-CAN-13347 by Trend Micro
+  Zero Day Initiative. :gl:`#2604`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- The ISC implementation of SPNEGO was removed from BIND 9 source code.
+  Instead, BIND 9 now always uses the SPNEGO implementation provided by
+  the system GSSAPI library when it is built with GSSAPI support. All
+  major contemporary Kerberos/GSSAPI libraries contain an implementation
+  of the SPNEGO mechanism. :gl:`#2607`
+
+- The default value for the ``stale-answer-client-timeout`` option was
+  changed from ``1800`` (ms) to ``off``. The default value may be
+  changed again in future releases as this feature matures. :gl:`#2608`
+
+Bug Fixes
+~~~~~~~~~
+
+- TCP idle and initial timeouts were being incorrectly applied: only the
+  ``tcp-initial-timeout`` was applied on the whole connection, even if
+  the connection were still active, which could prevent a large zone
+  transfer from being sent back to the client. The default setting for
+  ``tcp-initial-timeout`` was 30 seconds, which meant that any TCP
+  connection taking more than 30 seconds was abruptly terminated. This
+  has been fixed. :gl:`#2583`
+
+- When ``stale-answer-client-timeout`` was set to a positive value and
+  recursion for a client query completed when ``named`` was about to
+  look for a stale answer, an assertion could fail in
+  ``query_respond()``, resulting in a crash. This has been fixed.
+  :gl:`#2594`
+
+- If zone journal files written by BIND 9.16.11 or earlier were present
+  when BIND was upgraded to BIND 9.16.13 or BIND 9.16.14, the zone file
+  for that zone could have been inadvertently rewritten with the current
+  zone contents. This caused the original zone file structure (e.g.
+  comments, ``$INCLUDE`` directives) to be lost, although the zone data
+  itself was preserved. :gl:`#2623`
+
+- After upgrading to BIND 9.16.13, journal files for trust anchor
+  databases (e.g. ``managed-keys.bind.jnl``) could be left in a corrupt
+  state. (Other zone journal files were not affected.) This has been
+  fixed. If a corrupt journal file is detected, ``named`` can now
+  recover from it. :gl:`#2600`
+
+- When sending queries over TCP, ``dig`` now properly handles ``+tries=1
+  +retry=0`` by not retrying the connection when the remote server
+  closes the connection prematurely. :gl:`#2490`
+
+- CDS/CDNSKEY DELETE records are now removed when a zone transitions
+  from a secure to an insecure state. ``named-checkzone`` also no longer
+  reports an error when such records are found in an unsigned zone.
+  :gl:`#2517`
+
+- Zones using KASP could not be thawed after they were frozen using
+  ``rndc freeze``. This has been fixed. :gl:`#2523`
+
+- After ``rndc checkds -checkds`` or ``rndc dnssec -rollover`` is used,
+  ``named`` now immediately attempts to reconfigure zone keys. This
+  change prevents unnecessary key rollover delays. :gl:`#2488`
+
+- Previously, a memory leak could occur when ``named`` failed to bind a
+  UDP socket to a network interface. This has been fixed. :gl:`#2575`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.16.16.rst b/doc/notes/notes-9.16.16.rst
new file mode 100644
index 0000000..721546c
--- /dev/null
+++ b/doc/notes/notes-9.16.16.rst
@@ -0,0 +1,76 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.16
+----------------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- DNSSEC responses containing NSEC3 records with iteration counts
+  greater than 150 are now treated as insecure. :gl:`#2445`
+
+- The maximum supported number of NSEC3 iterations that can be
+  configured for a zone has been reduced to 150. :gl:`#2642`
+
+- The default value of the ``max-ixfr-ratio`` option was changed to
+  ``unlimited``, for better backwards compatibility in the stable
+  release series. :gl:`#2671`
+
+- Zones that want to transition from secure to insecure mode without
+  becoming bogus in the process must now have their ``dnssec-policy``
+  changed first to ``insecure``, rather than ``none``. After the DNSSEC
+  records have been removed from the zone, the ``dnssec-policy`` can be
+  set to ``none`` or removed from the configuration. Setting the
+  ``dnssec-policy`` to ``insecure`` causes CDS and CDNSKEY DELETE
+  records to be published. :gl:`#2645`
+
+- The implementation of the ZONEMD RR type has been updated to match
+  :rfc:`8976`. :gl:`#2658`
+
+- The ``draft-vandijk-dnsop-nsec-ttl`` IETF draft was implemented:
+  NSEC(3) TTL values are now set to the minimum of the SOA MINIMUM value
+  or the SOA TTL. :gl:`#2347`
+
+Bug Fixes
+~~~~~~~~~
+
+- It was possible for corrupt journal files generated by an earlier
+  version of ``named`` to cause problems after an upgrade. This has been
+  fixed. :gl:`#2670`
+
+- TTL values in cache dumps were reported incorrectly when
+  ``stale-cache-enable`` was set to ``yes``. This has been fixed.
+  :gl:`#389` :gl:`#2289`
+
+- A deadlock could occur when multiple ``rndc addzone``, ``rndc
+  delzone``, and/or ``rndc modzone`` commands were invoked
+  simultaneously for different zones. This has been fixed. :gl:`#2626`
+
+- ``named`` and ``named-checkconf`` did not report an error when
+  multiple zones with the ``dnssec-policy`` option set were using the
+  same zone file. This has been fixed. :gl:`#2603`
+
+- If ``dnssec-policy`` was active and a private key file was temporarily
+  offline during a rekey event, ``named`` could incorrectly introduce
+  replacement keys and break a signed zone. This has been fixed.
+  :gl:`#2596`
+
+- When generating zone signing keys, KASP now also checks for key ID
+  conflicts among newly created keys, rather than just between new and
+  existing ones. :gl:`#2628`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.16.17.rst b/doc/notes/notes-9.16.17.rst
new file mode 100644
index 0000000..9f2bd7a
--- /dev/null
+++ b/doc/notes/notes-9.16.17.rst
@@ -0,0 +1,67 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.17
+----------------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- After the network manager was introduced to ``named`` to handle
+  incoming traffic, it was discovered that recursive performance had
+  degraded compared to previous BIND 9 versions. This has now been
+  fixed by processing internal tasks inside network manager worker
+  threads, preventing resource contention among two sets of threads.
+  :gl:`#2638`
+
+- Zone dumping tasks are now run on separate asynchronous thread pools.
+  This change prevents zone dumping from blocking network I/O.
+  :gl:`#2732`
+
+- ``inline-signing`` was incorrectly described as being inherited from
+  the ``options``/``view`` levels and was incorrectly accepted at those
+  levels without effect. This has been fixed; ``named.conf`` files with
+  ``inline-signing`` at those levels no longer load. :gl:`#2536`
+
+Bug Fixes
+~~~~~~~~~
+
+- The calculation of the estimated IXFR transaction size in
+  ``dns_journal_iter_init()`` was invalid. This resulted in excessive
+  AXFR-style IXFR responses. :gl:`#2685`
+
+- Fixed an assertion failure that could occur if stale data was used to
+  answer a query, and then a prefetch was triggered after the query was
+  restarted (for example, to follow a CNAME). :gl:`#2733`
+
+- If a query was answered with stale data on a server with DNS64
+  enabled, an assertion could occur if a non-stale answer arrived
+  afterward. This has been fixed. :gl:`#2731`
+
+- Fixed an error which caused the ``IP_DONTFRAG`` socket option to be
+  enabled instead of disabled, leading to errors when sending oversized
+  UDP packets. :gl:`#2746`
+
+- Zones which are configured in multiple views, with different values
+  set for ``dnssec-policy`` and with identical values set for
+  ``key-directory``, are now detected and treated as a configuration
+  error. :gl:`#2463`
+
+- A race condition could occur when reading and writing key files for
+  zones using KASP and configured in multiple views. This has been
+  fixed. :gl:`#1875`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.16.18.rst b/doc/notes/notes-9.16.18.rst
new file mode 100644
index 0000000..c2ebda8
--- /dev/null
+++ b/doc/notes/notes-9.16.18.rst
@@ -0,0 +1,33 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.18
+----------------------
+
+Bug Fixes
+~~~~~~~~~
+
+- When preparing DNS responses, ``named`` could replace the letters
+  ``W`` (uppercase) and ``w`` (lowercase) with ``\000``. This has been
+  fixed. :gl:`#2779`
+
+- The configuration-checking code failed to account for the inheritance
+  rules of the ``key-directory`` option. As a side effect of this flaw,
+  the code detecting ``key-directory`` conflicts for zones using KASP
+  incorrectly reported unique key directories as being reused. This has
+  been fixed. :gl:`#2778`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.16.19.rst b/doc/notes/notes-9.16.19.rst
new file mode 100644
index 0000000..2f964ff
--- /dev/null
+++ b/doc/notes/notes-9.16.19.rst
@@ -0,0 +1,68 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.19
+----------------------
+
+New Features
+~~~~~~~~~~~~
+
+- Using a new configuration option, ``parental-agents``, each zone can
+  now be associated with a list of servers that can be used to check the
+  DS RRset in the parent zone. This enables automatic KSK rollovers.
+  :gl:`#1126`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- IP fragmentation has been disabled for outgoing UDP sockets. Errors
+  triggered by sending DNS messages larger than the specified path MTU
+  are properly handled by sending empty DNS replies with the ``TC``
+  (TrunCated) bit set, which forces DNS clients to fall back to TCP.
+  :gl:`#2790`
+
+Bug Fixes
+~~~~~~~~~
+
+- The code managing :rfc:`5011` trust anchors created an invalid
+  placeholder keydata record upon a refresh failure, which prevented the
+  database of managed keys from subsequently being read back. This has
+  been fixed. :gl:`#2686`
+
+- Signed, insecure delegation responses prepared by ``named`` either
+  lacked the necessary NSEC records or contained duplicate NSEC records
+  when both wildcard expansion and CNAME chaining were required to
+  prepare the response. This has been fixed. :gl:`#2759`
+
+- If ``nsupdate`` sends an SOA request and receives a REFUSED response,
+  it now fails over to the next available server. :gl:`#2758`
+
+- A bug that caused the NSEC3 salt to be changed on every restart for
+  zones using KASP has been fixed. :gl:`#2725`
+
+- The configuration-checking code failed to account for the inheritance
+  rules of the ``dnssec-policy`` option. This has been fixed.
+  :gl:`#2780`
+
+- The fix for :gl:`#1875` inadvertently introduced a deadlock: when
+  locking key files for reading and writing, the ``in-view`` logic was
+  not considered. This has been fixed. :gl:`#2783`
+
+- A race condition could occur where two threads were competing for the
+  same set of key file locks, leading to a deadlock. This has been
+  fixed. :gl:`#2786`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.16.2.rst b/doc/notes/notes-9.16.2.rst
new file mode 100644
index 0000000..ab484a1
--- /dev/null
+++ b/doc/notes/notes-9.16.2.rst
@@ -0,0 +1,59 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.2
+---------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+-  DNS rebinding protection was ineffective when BIND 9 is configured as
+   a forwarding DNS server. Found and responsibly reported by Tobias
+   Klein. :gl:`#1574`
+
+Known Issues
+~~~~~~~~~~~~
+
+-  We have received reports that in some circumstances, receipt of an
+   IXFR can cause the processing of queries to slow significantly. Some
+   of these were related to RPZ processing, which has been fixed in this
+   release (see below). Others appear to occur where there are
+   NSEC3-related changes (such as an operator changing the NSEC3 salt
+   used in the hash calculation). These are being investigated.
+   :gl:`#1685`
+
+-  See :ref:`above <relnotes_known_issues>` for a list of all known
+   issues affecting this BIND 9 branch.
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+-  The previous DNSSEC sign statistics used lots of memory. The number
+   of keys to track is reduced to four per zone, which should be enough
+   for 99% of all signed zones. :gl:`#1179`
+
+Bug Fixes
+~~~~~~~~~
+
+-  When an RPZ policy zone was updated via zone transfer and a large
+   number of records was deleted, ``named`` could become nonresponsive
+   for a short period while deleted names were removed from the RPZ
+   summary database. This database cleanup is now done incrementally
+   over a longer period of time, reducing such delays. :gl:`#1447`
+
+-  When trying to migrate an already-signed zone from
+   ``auto-dnssec maintain`` to one based on ``dnssec-policy``, the
+   existing keys were immediately deleted and replaced with new ones. As
+   the key rollover timing constraints were not being followed, it was
+   possible that some clients would not have been able to validate
+   responses until all old DNSSEC information had timed out from caches.
+   BIND now looks at the time metadata of the existing keys and
+   incorporates it into its DNSSEC policy operation. :gl:`#1706`
diff --git a/doc/notes/notes-9.16.20.rst b/doc/notes/notes-9.16.20.rst
new file mode 100644
index 0000000..b1ae9b2
--- /dev/null
+++ b/doc/notes/notes-9.16.20.rst
@@ -0,0 +1,57 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.20
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- Fixed an assertion failure that occurred in ``named`` when it
+  attempted to send a UDP packet that exceeded the MTU size, if
+  Response Rate Limiting (RRL) was enabled. (CVE-2021-25218) :gl:`#2856`
+
+- ``named`` failed to check the opcode of responses when performing zone
+  refreshes, stub zone updates, and UPDATE forwarding. This could lead
+  to an assertion failure under certain conditions and has been
+  addressed by rejecting responses whose opcode does not match the
+  expected value. :gl:`#2762`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- Testing revealed that setting the thread affinity for various types of
+  ``named`` threads led to inconsistent recursive performance, as
+  sometimes multiple sets of threads competed over a single resource.
+
+  Due to the above, ``named`` no longer sets thread affinity. This
+  causes a slight dip of around 5% in authoritative performance, but
+  recursive performance is now consistently improved. :gl:`#2822`
+
+- CDS and CDNSKEY records can now be published in a zone without the
+  requirement that they exactly match an existing DNSKEY record, as long
+  as the zone is signed with an algorithm represented in the CDS or
+  CDNSKEY record. This allows a clean rollover from one DNS provider to
+  another when using a multiple-signer DNSSEC configuration. :gl:`#2710`
+
+Bug Fixes
+~~~~~~~~~
+
+- Authentication of ``rndc`` messages could fail if a ``controls``
+  statement was configured with multiple key algorithms for the same
+  listener. This has been fixed. :gl:`#2756`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.16.21.rst b/doc/notes/notes-9.16.21.rst
new file mode 100644
index 0000000..b3d5567
--- /dev/null
+++ b/doc/notes/notes-9.16.21.rst
@@ -0,0 +1,68 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.21
+----------------------
+
+New Features
+~~~~~~~~~~~~
+
+- Support for HTTPS and SVCB record types has been added. (This does not
+  include ADDITIONAL section processing for these record types, only
+  basic support for RR type parsing and printing.) :gl:`#1132`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- When ``dnssec-signzone`` signs a zone using a successor key whose
+  predecessor is still published, it now only refreshes signatures for
+  RRsets which have an invalid signature, an expired signature, or a
+  signature which expires within the provided cycle interval. This
+  allows ``dnssec-signzone`` to gradually replace signatures in a zone
+  whose ZSK is being rolled over (similarly to what ``auto-dnssec
+  maintain;`` does). :gl:`#1551`
+
+Bug Fixes
+~~~~~~~~~
+
+- A recent change to the internal memory structure of zone databases
+  inadvertently neglected to update the MAPAPI value for zone files in
+  ``map`` format. This caused version 9.16.20 of ``named`` to attempt to
+  load files into memory that were no longer compatible, triggering an
+  assertion failure on startup. The MAPAPI value has now been updated,
+  so ``named`` rejects outdated files when encountering them.
+  :gl:`#2872`
+
+- Zone files in ``map`` format whose size exceeded 2 GB failed to load.
+  This has been fixed. :gl:`#2878`
+
+- ``named`` was unable to run as a Windows Service under certain
+  circumstances. This has been fixed. :gl:`#2837`
+
+- Stale data in the cache could cause ``named`` to send non-minimized
+  queries despite QNAME minimization being enabled. This has been fixed.
+  :gl:`#2665`
+
+- When a DNSSEC-signed zone which only has a single signing key
+  available is migrated to ``dnssec-policy``, that key is now treated as
+  a Combined Signing Key (CSK). :gl:`#2857`
+
+- When a dynamic zone was made available in another view using the
+  ``in-view`` statement, running ``rndc freeze`` always reported an
+  ``already frozen`` error even though the zone was successfully
+  frozen. This has been fixed. :gl:`#2844`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.16.22.rst b/doc/notes/notes-9.16.22.rst
new file mode 100644
index 0000000..3403ee6
--- /dev/null
+++ b/doc/notes/notes-9.16.22.rst
@@ -0,0 +1,86 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.22
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- The ``lame-ttl`` option controls how long ``named`` caches certain
+  types of broken responses from authoritative servers (see the
+  `security advisory <https://kb.isc.org/docs/cve-2021-25219>`_ for
+  details). This caching mechanism could be abused by an attacker to
+  significantly degrade resolver performance. The vulnerability has been
+  mitigated by changing the default value of ``lame-ttl`` to ``0`` and
+  overriding any explicitly set value with ``0``, effectively disabling
+  this mechanism altogether. ISC's testing has determined that doing
+  that has a negligible impact on resolver performance while also
+  preventing abuse. Administrators may observe more traffic towards
+  servers issuing certain types of broken responses than in previous
+  BIND 9 releases, depending on client query patterns. (CVE-2021-25219)
+
+  ISC would like to thank Kishore Kumar Kothapalli of Infoblox for
+  bringing this vulnerability to our attention. :gl:`#2899`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- The use of native PKCS#11 for Public-Key Cryptography in BIND 9 has
+  been deprecated in favor of the engine_pkcs11 OpenSSL engine from the
+  `OpenSC`_ project. The ``--with-native-pkcs11`` configuration option
+  will be removed in the next major BIND 9 release. The option to use
+  the engine_pkcs11 OpenSSL engine is already available in BIND 9;
+  please see the :ref:`ARM section on PKCS#11 <pkcs11>` for details.
+  :gl:`#2691`
+
+- Old-style Dynamically Loadable Zones (DLZ) drivers that had to be
+  enabled in ``named`` at build time have been marked as deprecated in
+  favor of new-style DLZ modules. Old-style DLZ drivers will be removed
+  in the next major BIND 9 release. :gl:`#2814`
+
+- The ``map`` zone file format has been marked as deprecated and will be
+  removed in the next major BIND 9 release. :gl:`#2882`
+
+- ``named`` and ``named-checkconf`` now exit with an error when a single
+  port configured for ``query-source``, ``transfer-source``,
+  ``notify-source``, ``parental-source``, and/or their respective IPv6
+  counterparts clashes with a global listening port. This configuration
+  has not been supported since BIND 9.16.0, but no error was reported
+  until now (even though sending UDP messages such as NOTIFY failed).
+  :gl:`#2888`
+
+- ``named`` and ``named-checkconf`` now issue a warning when there is a
+  single port configured for ``query-source``, ``transfer-source``,
+  ``notify-source``, ``parental-source``, and/or for their respective
+  IPv6 counterparts. :gl:`#2888`
+
+.. _OpenSC: https://github.com/OpenSC/libp11
+
+Bug Fixes
+~~~~~~~~~
+
+- A recent change introduced in BIND 9.16.21 inadvertently broke
+  backward compatibility for the ``check-names master ...`` and
+  ``check-names slave ...`` options, causing them to be silently
+  ignored. This has been fixed and these options now work properly
+  again. :gl:`#2911`
+
+- When new IP addresses were set up by the operating system during
+  ``named`` startup, it could fail to listen for TCP connections on the
+  newly added interfaces. :gl:`#2852`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.16.23.rst b/doc/notes/notes-9.16.23.rst
new file mode 100644
index 0000000..3f715aa
--- /dev/null
+++ b/doc/notes/notes-9.16.23.rst
@@ -0,0 +1,27 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.23
+----------------------
+
+Bug Fixes
+~~~~~~~~~
+
+- Reloading a catalog zone which referenced a missing/deleted member
+  zone triggered a runtime check failure, causing ``named`` to exit
+  prematurely. This has been fixed. :gl:`#2308`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.16.24.rst b/doc/notes/notes-9.16.24.rst
new file mode 100644
index 0000000..eda9a7b
--- /dev/null
+++ b/doc/notes/notes-9.16.24.rst
@@ -0,0 +1,43 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.24
+----------------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- Previously, when an incoming TCP connection could not be accepted
+  because the client closed the connection early, an error message of
+  ``TCP connection failed: socket is not connected`` was logged. This
+  message has been changed to ``Accepting TCP connection failed: socket
+  is not connected``. The severity level at which this type of message
+  is logged has also been changed from ``error`` to ``info`` for the
+  following triggering events: ``socket is not connected``, ``quota
+  reached``, and ``soft quota reached``. :gl:`#2700`
+
+- ``dnssec-dsfromkey`` no longer generates DS records from revoked keys.
+  :gl:`#853`
+
+Bug Fixes
+~~~~~~~~~
+
+- Removing a configured ``catalog-zone`` clause from the configuration,
+  running ``rndc reconfig``, then bringing back the removed
+  ``catalog-zone`` clause and running ``rndc reconfig`` again caused
+  ``named`` to crash. This has been fixed. :gl:`#1608`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.16.25.rst b/doc/notes/notes-9.16.25.rst
new file mode 100644
index 0000000..a024a93
--- /dev/null
+++ b/doc/notes/notes-9.16.25.rst
@@ -0,0 +1,48 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.25
+----------------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- Overall memory use by ``named`` has been optimized and reduced,
+  especially on systems with many CPU cores. The default memory
+  allocator has been switched from ``internal`` to ``external``. A new
+  command-line option ``-M internal`` allows ``named`` to be started
+  with the old internal memory allocator. :gl:`#2398`
+
+Bug Fixes
+~~~~~~~~~
+
+- On FreeBSD, TCP connections leaked a small amount of heap memory,
+  leading to an eventual out-of-memory problem. This has been fixed.
+  :gl:`#3051`
+
+- If signatures created by the ZSK were expired and the ZSK private key
+  was offline, the signatures were not replaced. This behavior has been
+  amended to replace the expired signatures with new signatures created
+  using the KSK. :gl:`#3049`
+
+- Under certain circumstances, the signed version of an inline-signed
+  zone could be dumped to disk without the serial number of the unsigned
+  version of the zone. This prevented resynchronization of the zone
+  contents after ``named`` restarted, if the unsigned zone file was
+  modified while ``named`` was not running. This has been fixed.
+  :gl:`#3071`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.16.26.rst b/doc/notes/notes-9.16.26.rst
new file mode 100644
index 0000000..92ba18d
--- /dev/null
+++ b/doc/notes/notes-9.16.26.rst
@@ -0,0 +1,46 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.26
+----------------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- The DLZ API has been updated: EDNS Client-Subnet (ECS) options sent
+  by a client are now included in the client information sent to DLZ
+  modules when processing queries. :gl:`#3082`
+
+Bug Fixes
+~~~~~~~~~
+
+- Previously, ``recvmmsg`` support was enabled in libuv 1.35.0 and
+  1.36.0, but not in libuv versions 1.37.0 or greater, reducing the
+  maximum query-response performance. This has been fixed. :gl:`#3095`
+
+- A failed view configuration during a ``named`` reconfiguration
+  procedure could cause inconsistencies in BIND internal structures,
+  causing a crash or other unexpected errors. This has been fixed.
+  :gl:`#3060`
+
+- Previously, ``named`` logged a "quota reached" message when it hit its
+  hard quota on the number of connections. That message was accidentally
+  removed but has now been restored. :gl:`#3125`
+
+- Build errors were introduced in some DLZ modules due to an incomplete
+  change in the previous release. This has been fixed. :gl:`#3111`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.16.27.rst b/doc/notes/notes-9.16.27.rst
new file mode 100644
index 0000000..842a1c4
--- /dev/null
+++ b/doc/notes/notes-9.16.27.rst
@@ -0,0 +1,65 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.27
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- The rules for acceptance of records into the cache have been tightened
+  to prevent the possibility of poisoning if forwarders send records
+  outside the configured bailiwick. (CVE-2021-25220)
+
+  ISC would like to thank Xiang Li, Baojun Liu, and Chaoyi Lu from
+  Network and Information Security Lab, Tsinghua University, and
+  Changgen Zou from Qi An Xin Group Corp. for bringing this
+  vulnerability to our attention. :gl:`#2950`
+
+- TCP connections with ``keep-response-order`` enabled could leave the
+  TCP sockets in the ``CLOSE_WAIT`` state when the client did not
+  properly shut down the connection. (CVE-2022-0396) :gl:`#3112`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- DEBUG(1)-level messages were added when starting and ending the BIND 9
+  task-exclusive mode that stops normal DNS operation (e.g. for
+  reconfiguration, interface scans, and other events that require
+  exclusive access to a shared resource). :gl:`#3137`
+
+Bug Fixes
+~~~~~~~~~
+
+- The ``max-transfer-time-out`` and ``max-transfer-idle-out`` options
+  were not implemented when the BIND 9 networking stack was refactored
+  in 9.16. The missing functionality has been re-implemented and
+  outgoing zone transfers now time out properly when not progressing.
+  :gl:`#1897`
+
+- TCP connections could hang indefinitely if the other party did not
+  read sent data, causing the TCP write buffers to fill. This has been
+  fixed by adding a "write" timer. Connections that are hung while
+  writing now time out after the ``tcp-idle-timeout`` period has
+  elapsed. :gl:`#3132`
+
+- The statistics counter representing the current number of clients
+  awaiting recursive resolution results (``RecursClients``) could be
+  miscalculated in certain resolution scenarios, potentially causing the
+  value of the counter to drop below zero. This has been fixed.
+  :gl:`#3147`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.16.28.rst b/doc/notes/notes-9.16.28.rst
new file mode 100644
index 0000000..54dfc17
--- /dev/null
+++ b/doc/notes/notes-9.16.28.rst
@@ -0,0 +1,40 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.28
+----------------------
+
+New Features
+~~~~~~~~~~~~
+
+- Add a new configuration option ``reuseport`` to disable load balancing
+  on sockets in situations where processing of Response Policy Zones
+  (RPZ), Catalog Zones, or large zone transfers can cause service
+  disruptions. See the BIND 9 ARM for more detail. :gl:`#3249`
+
+Bug Fixes
+~~~~~~~~~
+
+- Invalid ``dnssec-policy`` definitions, where the defined keys did not
+  cover both KSK and ZSK roles for a given algorithm, were being
+  accepted. These are now checked, and the ``dnssec-policy`` is rejected
+  if both roles are not present for all algorithms in use. :gl:`#3142`
+
+- Handling of TCP write timeouts has been improved to track the timeout
+  for each TCP write separately, leading to a faster connection teardown
+  in case the other party is not reading the data. :gl:`#3200`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.16.29.rst b/doc/notes/notes-9.16.29.rst
new file mode 100644
index 0000000..9e1cc4a
--- /dev/null
+++ b/doc/notes/notes-9.16.29.rst
@@ -0,0 +1,27 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.29
+----------------------
+
+Bug Fixes
+~~~~~~~~~
+
+- Previously, CDS and CDNSKEY DELETE records were removed from the zone
+  when configured with the ``auto-dnssec maintain;`` option. This has
+  been fixed. :gl:`#2931`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.16.3.rst b/doc/notes/notes-9.16.3.rst
new file mode 100644
index 0000000..773bfd8
--- /dev/null
+++ b/doc/notes/notes-9.16.3.rst
@@ -0,0 +1,95 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.3
+---------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+-  To prevent exhaustion of server resources by a maliciously configured
+   domain, the number of recursive queries that can be triggered by a
+   request before aborting recursion has been further limited. Root and
+   top-level domain servers are no longer exempt from the
+   ``max-recursion-queries`` limit. Fetches for missing name server
+   address records are limited to 4 for any domain. This issue was
+   disclosed in CVE-2020-8616. :gl:`#1388`
+
+-  Replaying a TSIG BADTIME response as a request could trigger an
+   assertion failure. This was disclosed in CVE-2020-8617. :gl:`#1703`
+
+Known Issues
+~~~~~~~~~~~~
+
+-  BIND crashes on startup when linked against libuv 1.36. This issue
+   is related to ``recvmmsg()`` support in libuv, which was first
+   included in libuv 1.35. The problem was addressed in libuv 1.37, but
+   the relevant libuv code change requires a special flag to be set
+   during library initialization in order for ``recvmmsg()`` support to
+   be enabled. This BIND release sets that special flag when required,
+   so ``recvmmsg()`` support is now enabled when BIND is compiled
+   against either libuv 1.35 or libuv 1.37+; libuv 1.36 is still not
+   usable with BIND. :gl:`#1761` :gl:`#1797`
+
+-  See :ref:`above <relnotes_known_issues>` for a list of all known
+   issues affecting this BIND 9 branch.
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+-  BIND 9 no longer sets receive/send buffer sizes for UDP sockets,
+   relying on system defaults instead. :gl:`#1713`
+
+-  The default rwlock implementation has been changed back to the native
+   BIND 9 rwlock implementation. :gl:`#1753`
+
+-  The native PKCS#11 EdDSA implementation has been updated to PKCS#11
+   v3.0 and thus made operational again. Contributed by Aaron Thompson.
+   :gl:`!3326`
+
+-  The OpenSSL ECDSA implementation has been updated to support PKCS#11
+   via OpenSSL engine (see engine_pkcs11 from libp11 project).
+   :gl:`#1534`
+
+-  The OpenSSL EdDSA implementation has been updated to support PKCS#11
+   via OpenSSL engine. Please note that an EdDSA-capable OpenSSL engine
+   is required and thus this code is only a proof-of-concept for the
+   time being. Contributed by Aaron Thompson. :gl:`#1763`
+
+-  Message IDs in inbound AXFR transfers are now checked for
+   consistency. Log messages are emitted for streams with inconsistent
+   message IDs. :gl:`#1674`
+
+-  The zone timers are now exported to the statistics channel. For the
+   primary zones, only the loaded time is exported. For the secondary
+   zones, the exported timers also include expire and refresh times.
+   Contributed by Paul Frieden, Verizon Media. :gl:`#1232`
+
+Bug Fixes
+~~~~~~~~~
+
+-  A bug in dnstap initialization could prevent some dnstap data from
+   being logged, especially on recursive resolvers. :gl:`#1795`
+
+-  When running on a system with support for Linux capabilities,
+   ``named`` drops root privileges very soon after system startup. This
+   was causing a spurious log message, ``unable to set effective uid to
+   0: Operation not permitted``, which has now been silenced.
+   :gl:`#1042` :gl:`#1090`
+
+-  When ``named-checkconf -z`` was run, it would sometimes incorrectly set
+   its exit code. It reflected only the status of the last view found;
+   any errors found for other configured views were not reported. Thanks
+   to Graham Clinch. :gl:`#1807`
+
+-  When built without LMDB support, ``named`` failed to restart after a
+   zone with a double quote (") in its name was added with
+   ``rndc addzone``. Thanks to Alberto Fernández. :gl:`#1695`
diff --git a/doc/notes/notes-9.16.30.rst b/doc/notes/notes-9.16.30.rst
new file mode 100644
index 0000000..2d375c1
--- /dev/null
+++ b/doc/notes/notes-9.16.30.rst
@@ -0,0 +1,37 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.30
+----------------------
+
+Bug Fixes
+~~~~~~~~~
+
+- The ``fetches-per-server`` quota is designed to adjust itself downward
+  automatically when an authoritative server times out too frequently.
+  Due to a coding error, that adjustment was applied incorrectly, so
+  that the quota for a congested server was always set to 1. This has
+  been fixed. :gl:`#3327`
+
+- DNSSEC-signed catalog zones were not being processed correctly. This
+  has been fixed. :gl:`#3380`
+
+- Key files were updated every time the ``dnssec-policy`` key manager
+  ran, whether the metadata had changed or not. :iscman:`named` now
+  checks whether changes were applied before writing out the key files.
+  :gl:`#3302`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.16.31.rst b/doc/notes/notes-9.16.31.rst
new file mode 100644
index 0000000..150694d
--- /dev/null
+++ b/doc/notes/notes-9.16.31.rst
@@ -0,0 +1,31 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.31
+----------------------
+
+Bug Fixes
+~~~~~~~~~
+
+- An assertion failure caused by a TCP connection closing between a
+  connect (or accept) and a read from a socket has been fixed.
+  :gl:`#3400`
+
+- :iscman:`named` could crash during a very rare situation that could
+  arise when validating a query which had timed out at that exact
+  moment. This has been fixed. :gl:`#3398`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.16.32.rst b/doc/notes/notes-9.16.32.rst
new file mode 100644
index 0000000..542051e
--- /dev/null
+++ b/doc/notes/notes-9.16.32.rst
@@ -0,0 +1,56 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.32
+----------------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- The DNSSEC algorithms RSASHA1 and NSEC3RSASHA1 are now automatically
+  disabled on systems where they are disallowed by the security policy
+  (e.g. Red Hat Enterprise Linux 9). Primary zones using those
+  algorithms need to be migrated to new algorithms prior to running on
+  these systems, as graceful migration to different DNSSEC algorithms is
+  not possible when RSASHA1 is disallowed by the operating system.
+  :gl:`#3469`
+
+- Log messages related to fetch limiting have been improved to provide
+  more complete information. Specifically, the final counts of allowed
+  and spilled fetches are now logged before the counter object is
+  destroyed. :gl:`#3461`
+
+Bug Fixes
+~~~~~~~~~
+
+- Non-dynamic zones that inherit ``dnssec-policy`` from the
+  ``view`` or ``options`` blocks were not
+  marked as inline-signed and therefore never scheduled to be re-signed.
+  This has been fixed. :gl:`#3438`
+
+- The old ``max-zone-ttl`` zone option was meant to be superseded by
+  the ``max-zone-ttl`` option in ``dnssec-policy``; however, the
+  latter option was not fully effective. This has been corrected: zones
+  no longer load if they contain TTLs greater than the limit configured
+  in ``dnssec-policy``. For zones with both the old
+  ``max-zone-ttl`` option and ``dnssec-policy`` configured, the
+  old option is ignored, and a warning is generated. :gl:`#2918`
+
+- ``rndc dumpdb -expired`` was fixed to include
+  expired RRsets, even if ``stale-cache-enable`` is set to ``no`` and
+  the cache-cleaning time window has passed. :gl:`#3462`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.16.33.rst b/doc/notes/notes-9.16.33.rst
new file mode 100644
index 0000000..876aab8
--- /dev/null
+++ b/doc/notes/notes-9.16.33.rst
@@ -0,0 +1,68 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.33
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- Previously, there was no limit to the number of database lookups
+  performed while processing large delegations, which could be abused to
+  severely impact the performance of :iscman:`named` running as a
+  recursive resolver. This has been fixed. (CVE-2022-2795)
+
+  ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat
+  Bremler-Barr & Shani Stajnrod from Reichman University for bringing
+  this vulnerability to our attention. :gl:`#3394`
+
+- :iscman:`named` running as a resolver with the
+  ``stale-answer-client-timeout`` option set to ``0`` could crash with
+  an assertion failure, when there was a stale CNAME in the cache for
+  the incoming query. This has been fixed. (CVE-2022-3080) :gl:`#3517`
+
+- A memory leak was fixed that could be externally triggered in the
+  DNSSEC verification code for the ECDSA algorithm. (CVE-2022-38177)
+  :gl:`#3487`
+
+- Memory leaks were fixed that could be externally triggered in the
+  DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178)
+  :gl:`#3487`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- Response Rate Limiting (RRL) code now treats all QNAMEs that are
+  subject to wildcard processing within a given zone as the same name,
+  to prevent circumventing the limits enforced by RRL. :gl:`#3459`
+
+- Zones using ``dnssec-policy`` now require dynamic DNS or
+  ``inline-signing`` to be configured explicitly. :gl:`#3381`
+
+- A backward-compatible approach was implemented for encoding
+  internationalized domain names (IDN) in :iscman:`dig` and converting
+  the domain to IDNA2008 form; if that fails, BIND tries an IDNA2003
+  conversion. :gl:`#3485`
+
+Bug Fixes
+~~~~~~~~~
+
+- A serve-stale bug was fixed, where BIND would try to return stale data
+  from cache for lookups that received duplicate queries or queries that
+  would be dropped. This bug resulted in premature SERVFAIL responses,
+  and has now been resolved. :gl:`#2982`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.16.34.rst b/doc/notes/notes-9.16.34.rst
new file mode 100644
index 0000000..b1eedac
--- /dev/null
+++ b/doc/notes/notes-9.16.34.rst
@@ -0,0 +1,46 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.34
+----------------------
+
+Known Issues
+~~~~~~~~~~~~
+
+- Upgrading from BIND 9.16.32 or any older version may require a manual
+  configuration change. The following configurations are affected:
+
+  - ``type primary`` zones configured with ``dnssec-policy`` but without
+    either ``allow-update`` or ``update-policy``,
+  - ``type secondary`` zones configured with ``dnssec-policy``.
+
+  In these cases please add ``inline-signing yes;`` to the individual
+  zone configuration(s). Without applying this change, :iscman:`named`
+  will fail to start. For more details, see
+  https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing
+
+- See :ref:`above <relnotes_known_issues>` for a list of all known
+  issues affecting this BIND 9 branch.
+
+New Features
+~~~~~~~~~~~~
+
+- Support for parsing and validating the ``dohpath`` service parameter
+  in SVCB records was added. :gl:`#3544`
+
+- :iscman:`named` now logs the supported cryptographic algorithms during
+  startup and in the output of ``named -V``. :gl:`#3541`
+
+Bug Fixes
+~~~~~~~~~
+
+- Changing just the TSIG key names for primaries in catalog zones'
+  member zones was not effective. This has been fixed. :gl:`#3557`
diff --git a/doc/notes/notes-9.16.35.rst b/doc/notes/notes-9.16.35.rst
new file mode 100644
index 0000000..23ccf86
--- /dev/null
+++ b/doc/notes/notes-9.16.35.rst
@@ -0,0 +1,56 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.35
+----------------------
+
+Bug Fixes
+~~~~~~~~~
+
+- A crash was fixed that happened when a ``dnssec-policy`` zone that
+  used NSEC3 was reconfigured to enable ``inline-signing``. :gl:`#3591`
+
+- In certain resolution scenarios, quotas could be erroneously reached
+  for servers, including any configured forwarders, resulting in
+  SERVFAIL answers being sent to clients. This has been fixed.
+  :gl:`#3598`
+
+- ``rpz-ip`` rules in ``response-policy`` zones could be ineffective in
+  some cases if a query had the CD (Checking Disabled) bit set to 1.
+  This has been fixed. :gl:`#3247`
+
+- Previously, if Internet connectivity issues were experienced during
+  the initial startup of :iscman:`named`, a BIND resolver with
+  ``dnssec-validation`` set to ``auto`` could enter into a state where
+  it would not recover without stopping :iscman:`named`, manually
+  deleting the ``managed-keys.bind`` and ``managed-keys.bind.jnl``
+  files, and starting :iscman:`named` again. This has been fixed.
+  :gl:`#2895`
+
+- The statistics counter representing the current number of clients
+  awaiting recursive resolution results (``RecursClients``) could
+  overflow in certain resolution scenarios. This has been fixed.
+  :gl:`#3584`
+
+- Previously, BIND failed to start on Solaris-based systems with
+  hundreds of CPUs. This has been fixed. :gl:`#3563`
+
+- When a DNS resource record's TTL value was equal to the resolver's
+  configured ``prefetch`` "eligibility" value, the record was
+  erroneously not treated as eligible for prefetching. This has been
+  fixed. :gl:`#3603`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.16.36.rst b/doc/notes/notes-9.16.36.rst
new file mode 100644
index 0000000..d73df01
--- /dev/null
+++ b/doc/notes/notes-9.16.36.rst
@@ -0,0 +1,49 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.36
+----------------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- The ``auto-dnssec`` option has been deprecated and will be removed in
+  a future BIND 9.19.x release. Please migrate to ``dnssec-policy``.
+  :gl:`#3667`
+
+Bug Fixes
+~~~~~~~~~
+
+- When a catalog zone was removed from the configuration, in some cases
+  a dangling pointer could cause the :iscman:`named` process to crash.
+  This has been fixed. :gl:`#3683`
+
+- When a zone was deleted from a server, a key management object related
+  to that zone was inadvertently kept in memory and only released upon
+  shutdown. This could lead to constantly increasing memory use on
+  servers with a high rate of changes affecting the set of zones being
+  served. This has been fixed. :gl:`#3727`
+
+- In certain cases, :iscman:`named` waited for the resolution of
+  outstanding recursive queries to finish before shutting down. This was
+  unintended and has been fixed. :gl:`#3183`
+
+- The ``zone <name>/<class>: final reference detached`` log message was
+  moved from the INFO log level to the DEBUG(1) log level to prevent the
+  :iscman:`named-checkzone` tool from superfluously logging this message
+  in non-debug mode. :gl:`#3707`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.16.37.rst b/doc/notes/notes-9.16.37.rst
new file mode 100644
index 0000000..9b0393c
--- /dev/null
+++ b/doc/notes/notes-9.16.37.rst
@@ -0,0 +1,80 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.37
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- An UPDATE message flood could cause :iscman:`named` to exhaust all
+  available memory. This flaw was addressed by adding a new
+  ``update-quota`` option that controls the maximum number of
+  outstanding DNS UPDATE messages that :iscman:`named` can hold in a
+  queue at any given time (default: 100). (CVE-2022-3094)
+
+  ISC would like to thank Rob Schulhof from Infoblox for bringing this
+  vulnerability to our attention. :gl:`#3523`
+
+- :iscman:`named` could crash with an assertion failure when an RRSIG
+  query was received and ``stale-answer-client-timeout`` was set to a
+  non-zero value. This has been fixed. (CVE-2022-3736)
+
+  ISC would like to thank Borja Marcos from Sarenet (with assistance by
+  Iratxe Niño from Fundación Sarenet) for bringing this vulnerability to
+  our attention. :gl:`#3622`
+
+- :iscman:`named` running as a resolver with the
+  ``stale-answer-client-timeout`` option set to any value greater than
+  ``0`` could crash with an assertion failure, when the
+  ``recursive-clients`` soft quota was reached. This has been fixed.
+  (CVE-2022-3924)
+
+  ISC would like to thank Maksym Odinintsev from AWS for bringing this
+  vulnerability to our attention. :gl:`#3619`
+
+New Features
+~~~~~~~~~~~~
+
+- The new ``update-quota`` option can be used to control the number of
+  simultaneous DNS UPDATE messages that can be processed to update an
+  authoritative zone on a primary server, or forwarded to the primary
+  server by a secondary server. The default is 100. A new statistics
+  counter has also been added to record events when this quota is
+  exceeded, and the version numbers for the XML and JSON statistics
+  schemas have been updated. :gl:`#3523`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- The Differentiated Services Code Point (DSCP) feature in BIND has been
+  deprecated. Configuring DSCP values in ``named.conf`` now causes a
+  warning to be logged. Note that this feature has only been partly
+  operational since the new Network Manager was introduced in BIND
+  9.16.0. :gl:`#3773`
+
+- The catalog zone implementation has been optimized to work with
+  hundreds of thousands of member zones. :gl:`#3744`
+
+Bug Fixes
+~~~~~~~~~
+
+- In certain query resolution scenarios (e.g. when following CNAME
+  records), :iscman:`named` configured to answer from stale cache could
+  return a SERVFAIL response despite a usable, non-stale answer being
+  present in the cache. This has been fixed. :gl:`#3678`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.16.38.rst b/doc/notes/notes-9.16.38.rst
new file mode 100644
index 0000000..8d20794
--- /dev/null
+++ b/doc/notes/notes-9.16.38.rst
@@ -0,0 +1,33 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.38
+----------------------
+
+Bug Fixes
+~~~~~~~~~
+
+- A constant stream of zone additions and deletions via ``rndc
+  reconfig`` could cause increased memory consumption due to delayed
+  cleaning of view memory. This has been fixed. :gl:`#3801`
+
+- The speed of the message digest algorithms (MD5, SHA-1, SHA-2), and of
+  NSEC3 hashing, has been improved. :gl:`#3795`
+
+- Building BIND 9 failed when the ``--enable-dnsrps`` switch for
+  ``./configure`` was used. This has been fixed. :gl:`#3827`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.16.39.rst b/doc/notes/notes-9.16.39.rst
new file mode 100644
index 0000000..4e88a9d
--- /dev/null
+++ b/doc/notes/notes-9.16.39.rst
@@ -0,0 +1,60 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.39
+----------------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- libuv support for receiving multiple UDP messages in a single
+  ``recvmmsg()`` system call has been tweaked several times between
+  libuv versions 1.35.0 and 1.40.0; the current recommended libuv
+  version is 1.40.0 or higher. New rules are now in effect for running
+  with a different version of libuv than the one used at compilation
+  time. These rules may trigger a fatal error at startup:
+
+  - Building against or running with libuv versions 1.35.0 and 1.36.0 is
+    now a fatal error.
+
+  - Running with libuv version higher than 1.34.2 is now a fatal error
+    when :iscman:`named` is built against libuv version 1.34.2 or lower.
+
+  - Running with libuv version higher than 1.39.0 is now a fatal error
+    when :iscman:`named` is built against libuv version 1.37.0, 1.38.0,
+    1.38.1, or 1.39.0.
+
+  This prevents the use of libuv versions that may trigger an assertion
+  failure when receiving multiple UDP messages in a single system call.
+  :gl:`#3840`
+
+Bug Fixes
+~~~~~~~~~
+
+- :iscman:`named` could crash with an assertion failure when adding a
+  new zone into the configuration file for a name which was already
+  configured as a member zone for a catalog zone. This has been fixed.
+  :gl:`#3911`
+
+- When :iscman:`named` starts up, it sends a query for the DNSSEC key
+  for each configured trust anchor to determine whether the key has
+  changed. In some unusual cases, the query might depend on a zone for
+  which the server is itself authoritative, and would have failed if it
+  were sent before the zone was fully loaded. This has now been fixed by
+  delaying the key queries until all zones have finished loading.
+  :gl:`#3673`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.16.4.rst b/doc/notes/notes-9.16.4.rst
new file mode 100644
index 0000000..6dd03f6
--- /dev/null
+++ b/doc/notes/notes-9.16.4.rst
@@ -0,0 +1,120 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.4
+---------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+-  It was possible to trigger an assertion when attempting to fill an
+   oversized TCP buffer. This was disclosed in CVE-2020-8618.
+   :gl:`#1850`
+
+-  It was possible to trigger an INSIST failure when a zone with an
+   interior wildcard label was queried in a certain pattern. This was
+   disclosed in CVE-2020-8619. :gl:`#1111` :gl:`#1718`
+
+New Features
+~~~~~~~~~~~~
+
+-  Documentation was converted from DocBook to reStructuredText. The
+   BIND 9 ARM is now generated using Sphinx and published on `Read the
+   Docs`_. Release notes are no longer available as a separate document
+   accompanying a release. :gl:`#83`
+
+-  ``named`` and ``named-checkzone`` now reject master zones that have a
+   DS RRset at the zone apex. Attempts to add DS records at the zone
+   apex via UPDATE will be logged but otherwise ignored. DS records
+   belong in the parent zone, not at the zone apex. :gl:`#1798`
+
+-  ``dig`` and other tools can now print the Extended DNS Error (EDE)
+   option when it appears in a request or a response. :gl:`#1835`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+-  The default value of ``max-stale-ttl`` has changed from 1 week to 12
+   hours. This option controls how long ``named`` retains expired RRsets
+   in cache as a potential mitigation mechanism, should there be a
+   problem with one or more domains. Note that cache content retention
+   is independent of whether stale answers are used in response to
+   client queries (``stale-answer-enable yes|no`` and ``rndc serve-stale
+   on|off``). Serving of stale answers when the authoritative servers
+   are not responding must be explicitly enabled, whereas the retention
+   of expired cache content takes place automatically on all versions of
+   BIND 9 that have this feature available. :gl:`#1877`
+
+   .. warning::
+       This change may be significant for administrators who expect that
+       stale cache content will be automatically retained for up to 1
+       week. Add option ``max-stale-ttl 1w;`` to ``named.conf`` to keep
+       the previous behavior of ``named``.
+
+-  ``listen-on-v6 { any; }`` creates a separate socket for each
+   interface. Previously, just one socket was created on systems
+   conforming to :rfc:`3493` and :rfc:`3542`. This change was introduced
+   in BIND 9.16.0, but it was accidentally omitted from documentation.
+   :gl:`#1782`
+
+Bug Fixes
+~~~~~~~~~
+
+-  When fully updating the NSEC3 chain for a large zone via IXFR, a
+   temporary loss of performance could be experienced on the secondary
+   server when answering queries for nonexistent data that required
+   DNSSEC proof of non-existence (in other words, queries that required
+   the server to find and to return NSEC3 data). The unnecessary
+   processing step that was causing this delay has now been removed.
+   :gl:`#1834`
+
+-  ``named`` could crash with an assertion failure if the name of a
+   database node was looked up while the database was being modified.
+   :gl:`#1857`
+
+-  A possible deadlock in ``lib/isc/unix/socket.c`` was fixed.
+   :gl:`#1859`
+
+-  Previously, ``named`` did not destroy some mutexes and conditional
+   variables in netmgr code, which caused a memory leak on FreeBSD. This
+   has been fixed. :gl:`#1893`
+
+-  A data race in ``lib/dns/resolver.c:log_formerr()`` that could lead
+   to an assertion failure was fixed. :gl:`#1808`
+
+-  Previously, ``provide-ixfr no;`` failed to return up-to-date
+   responses when the serial number was greater than or equal to the
+   current serial number. :gl:`#1714`
+
+-  A bug in dnssec-policy keymgr was fixed, where the check for the
+   existence of a given key's successor would incorrectly return
+   ``true`` if any other key in the keyring had a successor. :gl:`#1845`
+
+-  With dnssec-policy, when creating a successor key, the "goal" state
+   of the current active key (the predecessor) was not changed and thus
+   never removed from the zone. :gl:`#1846`
+
+-  ``named-checkconf -p`` could include spurious text in
+   ``server-addresses`` statements due to an uninitialized DSCP value.
+   This has been fixed. :gl:`#1812`
+
+-  The ARM has been updated to indicate that the TSIG session key is
+   generated when named starts, regardless of whether it is needed.
+   :gl:`#1842`
+
+Known Issues
+~~~~~~~~~~~~
+
+-  There are no new known issues with this release. See :ref:`above
+   <relnotes_known_issues>` for a list of all known issues affecting
+   this BIND 9 branch.
+
+.. _Read the Docs: https://bind9.readthedocs.io/
diff --git a/doc/notes/notes-9.16.40.rst b/doc/notes/notes-9.16.40.rst
new file mode 100644
index 0000000..caa2e61
--- /dev/null
+++ b/doc/notes/notes-9.16.40.rst
@@ -0,0 +1,32 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.40
+----------------------
+
+Bug Fixes
+~~~~~~~~~
+
+- Logfiles using ``timestamp``-style suffixes were not always correctly
+  removed when the number of files exceeded the limit set by ``versions``.
+  This has been fixed for configurations which do not explicitly specify
+  a directory path as part of the ``file`` argument in the ``channel``
+  specification. :gl:`#3959` :gl:`#3991`
+
+- Performance of DNSSEC validation in zones with many DNSKEY records
+  has been improved. :gl:`#3981`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.16.41.rst b/doc/notes/notes-9.16.41.rst
new file mode 100644
index 0000000..24f2cb8
--- /dev/null
+++ b/doc/notes/notes-9.16.41.rst
@@ -0,0 +1,27 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.41
+----------------------
+
+Bug Fixes
+~~~~~~~~~
+
+- When removing delegations from an opt-out range, empty-non-terminal
+  NSEC3 records generated by those delegations were not cleaned up. This
+  has been fixed. :gl:`#4027`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.16.42.rst b/doc/notes/notes-9.16.42.rst
new file mode 100644
index 0000000..85b0ede
--- /dev/null
+++ b/doc/notes/notes-9.16.42.rst
@@ -0,0 +1,45 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.42
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- The overmem cleaning process has been improved, to prevent the cache
+  from significantly exceeding the configured ``max-cache-size`` limit.
+  (CVE-2023-2828)
+
+  ISC would like to thank Shoham Danino from Reichman University, Anat
+  Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv
+  University, and Yuval Shavitt from Tel-Aviv University for bringing
+  this vulnerability to our attention.  :gl:`#4055`
+
+- A query that prioritizes stale data over lookup triggers a fetch to
+  refresh the stale data in cache. If the fetch is aborted for exceeding
+  the recursion quota, it was possible for :iscman:`named` to enter an
+  infinite callback loop and crash due to stack overflow. This has been
+  fixed. (CVE-2023-2911) :gl:`#4089`
+
+Bug Fixes
+~~~~~~~~~
+
+- Previously, it was possible for a delegation from cache to be returned
+  to the client after the ``stale-answer-client-timeout`` duration.
+  This has been fixed. :gl:`#3950`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.16.43.rst b/doc/notes/notes-9.16.43.rst
new file mode 100644
index 0000000..4c30315
--- /dev/null
+++ b/doc/notes/notes-9.16.43.rst
@@ -0,0 +1,27 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.43
+----------------------
+
+Bug Fixes
+~~~~~~~~~
+
+- Processing already-queued queries received over TCP could cause an
+  assertion failure, when the server was reconfigured at the same time
+  or the cache was being flushed. This has been fixed. :gl:`#4200`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.16.44.rst b/doc/notes/notes-9.16.44.rst
new file mode 100644
index 0000000..81c157a
--- /dev/null
+++ b/doc/notes/notes-9.16.44.rst
@@ -0,0 +1,31 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.44
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- Previously, sending a specially crafted message over the control
+  channel could cause the packet-parsing code to run out of available
+  stack memory, causing :iscman:`named` to terminate unexpectedly.
+  This has been fixed. (CVE-2023-3341)
+
+  ISC would like to thank Eric Sesterhenn from X41 D-Sec GmbH for
+  bringing this vulnerability to our attention. :gl:`#4152`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.16.5.rst b/doc/notes/notes-9.16.5.rst
new file mode 100644
index 0000000..613dcf7
--- /dev/null
+++ b/doc/notes/notes-9.16.5.rst
@@ -0,0 +1,72 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.5
+---------------------
+
+New Features
+~~~~~~~~~~~~
+
+- New ``rndc`` command ``rndc dnssec -status`` shows the current DNSSEC
+  policy and keys in use, the key states, and rollover status.
+  :gl:`#1612`
+
+Bug Fixes
+~~~~~~~~~
+
+- A race condition could occur if a TCP socket connection was closed
+  while ``named`` was waiting for a recursive response. The attempt to
+  send a response over the closing connection triggered an assertion
+  failure in the function ``isc__nm_tcpdns_send()``. :gl:`#1937`
+
+- A race condition could occur when ``named`` attempted to use a UDP
+  interface that was shutting down. This triggered an assertion failure
+  in ``uv__udp_finish_close()``. :gl:`#1938`
+
+- Fix assertion failure when server was under load and root zone had not
+  yet been loaded. :gl:`#1862`
+
+- ``named`` could crash when cleaning dead nodes in ``lib/dns/rbtdb.c``
+  that were being reused. :gl:`#1968`
+
+- ``named`` crashed on shutdown when a new ``rndc`` connection was
+  received during shutdown. This has been fixed. :gl:`#1747`
+
+- The DS RRset returned by ``dns_keynode_dsset()`` was used in a
+  non-thread-safe manner. This could result in an INSIST being
+  triggered. :gl:`#1926`
+
+- Properly handle missing ``kyua`` command so that ``make check`` does
+  not fail unexpectedly when CMocka is installed, but Kyua is not.
+  :gl:`#1950`
+
+- The ``primary`` and ``secondary`` keywords, when used as parameters
+  for ``check-names``, were not processed correctly and were being
+  ignored. :gl:`#1949`
+
+- ``rndc dnstap -roll <value>`` did not limit the number of saved files
+  to ``<value>``. :gl:`!3728`
+
+- The validator could fail to accept a properly signed RRset if an
+  unsupported algorithm appeared earlier in the DNSKEY RRset than a
+  supported algorithm. It could also stop if it detected a malformed
+  public key. :gl:`#1689`
+
+- The ``blackhole`` ACL was inadvertently disabled for client queries.
+  Blocked IP addresses were not used for upstream queries but queries
+  from those addresses could still be answered. :gl:`#1936`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.16.6.rst b/doc/notes/notes-9.16.6.rst
new file mode 100644
index 0000000..1357f1d
--- /dev/null
+++ b/doc/notes/notes-9.16.6.rst
@@ -0,0 +1,121 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.6
+---------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- It was possible to trigger an assertion failure by sending a specially
+  crafted large TCP DNS message. This was disclosed in CVE-2020-8620.
+
+  ISC would like to thank Emanuel Almeida of Cisco Systems, Inc. for
+  bringing this vulnerability to our attention. :gl:`#1996`
+
+- ``named`` could crash after failing an assertion check in certain
+  query resolution scenarios where QNAME minimization and forwarding
+  were both enabled. To prevent such crashes, QNAME minimization is now
+  always disabled for a given query resolution process, if forwarders
+  are used at any point. This was disclosed in CVE-2020-8621.
+
+  ISC would like to thank Joseph Gullo for bringing this vulnerability
+  to our attention. :gl:`#1997`
+
+- It was possible to trigger an assertion failure when verifying the
+  response to a TSIG-signed request. This was disclosed in
+  CVE-2020-8622.
+
+  ISC would like to thank Dave Feldman, Jeff Warren, and Joel Cunningham
+  of Oracle for bringing this vulnerability to our attention.
+  :gl:`#2028`
+
+- When BIND 9 was compiled with native PKCS#11 support, it was possible
+  to trigger an assertion failure in code determining the number of bits
+  in the PKCS#11 RSA public key with a specially crafted packet. This
+  was disclosed in CVE-2020-8623.
+
+  ISC would like to thank Lyu Chiy for bringing this vulnerability to
+  our attention. :gl:`#2037`
+
+- ``update-policy`` rules of type ``subdomain`` were incorrectly treated
+  as ``zonesub`` rules, which allowed keys used in ``subdomain`` rules
+  to update names outside of the specified subdomains. The problem was
+  fixed by making sure ``subdomain`` rules are again processed as
+  described in the ARM. This was disclosed in CVE-2020-8624.
+
+  ISC would like to thank Joop Boonen of credativ GmbH for bringing this
+  vulnerability to our attention. :gl:`#2055`
+
+New Features
+~~~~~~~~~~~~
+
+- A new configuration option ``stale-cache-enable`` has been introduced
+  to enable or disable keeping stale answers in cache. :gl:`#1712`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- BIND's cache database implementation has been updated to use a faster
+  hash function with better distribution. In addition, the effective
+  ``max-cache-size`` (configured explicitly, defaulting to a value based
+  on system memory or set to ``unlimited``) now pre-allocates fixed-size
+  hash tables. This prevents interruption to query resolution when the
+  hash table sizes need to be increased. :gl:`#1775`
+
+- Resource records received with 0 TTL are no longer kept in the cache
+  to be used for stale answers. :gl:`#1829`
+
+Bug Fixes
+~~~~~~~~~
+
+- Wildcard RPZ passthru rules could incorrectly be overridden by other
+  rules that were loaded from RPZ zones which appeared later in the
+  ``response-policy`` statement. This has been fixed. :gl:`#1619`
+
+- The IPv6 Duplicate Address Detection (DAD) mechanism could
+  inadvertently prevent ``named`` from binding to new IPv6 interfaces,
+  by causing multiple route socket messages to be sent for each IPv6
+  address. ``named`` monitors for new interfaces to ``bind()`` to when
+  it is configured to listen on ``any`` or on a specific range of
+  addresses. New IPv6 interfaces can be in a "tentative" state before
+  they are fully available for use. When DAD is in use, two messages are
+  emitted by the route socket: one when the interface first appears and
+  then a second one when it is fully "up." An attempt by ``named`` to
+  ``bind()`` to the new interface prematurely would fail, causing it
+  thereafter to ignore that address/interface. The problem was worked
+  around by setting the ``IP_FREEBIND`` option on the socket and trying
+  to ``bind()`` to each IPv6 address again if the first ``bind()`` call
+  for that address failed with ``EADDRNOTAVAIL``. :gl:`#2038`
+
+- Addressed an error in recursive clients stats reporting which could
+  cause underflow, and even negative statistics. There were occasions
+  when an incoming query could trigger a prefetch for some eligible
+  RRset, and if the prefetch code were executed before recursion, no
+  increment in recursive clients stats would take place. Conversely,
+  when processing the answers, if the recursion code were executed
+  before the prefetch, the same counter would be decremented without a
+  matching increment. :gl:`#1719`
+
+- The introduction of KASP support inadvertently caused the second field
+  of ``sig-validity-interval`` to always be calculated in hours, even in
+  cases when it should have been calculated in days. This has been
+  fixed. (Thanks to Tony Finch.) :gl:`!3735`
+
+- LMDB locking code was revised to make ``rndc reconfig`` work properly
+  on FreeBSD and with LMDB >= 0.9.26. :gl:`#1976`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.16.7.rst b/doc/notes/notes-9.16.7.rst
new file mode 100644
index 0000000..ed04df2
--- /dev/null
+++ b/doc/notes/notes-9.16.7.rst
@@ -0,0 +1,63 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.7
+---------------------
+
+New Features
+~~~~~~~~~~~~
+
+- Add a new ``rndc`` command, ``rndc dnssec -checkds``, which signals to
+  ``named`` that a DS record for a given zone or key has been published
+  or withdrawn from the parent. This command replaces the time-based
+  ``parent-registration-delay`` configuration option. :gl:`#1613`
+
+- Log when ``named`` adds a CDS/CDNSKEY to the zone. :gl:`#1748`
+
+Bug Fixes
+~~~~~~~~~
+
+- In rare circumstances, ``named`` would exit with an assertion failure
+  when the number of nodes stored in the red-black tree exceeded the
+  maximum allowed size of the internal hash table. :gl:`#2104`
+
+- Silence spurious system log messages for an EPROTO(71) error code that
+  was seen on older operating systems, where unhandled ICMPv6 errors
+  resulted in a generic protocol error being returned instead of a more
+  specific error code. :gl:`#1928`
+
+- With query name minimization enabled, ``named`` failed to resolve
+  ``ip6.arpa.`` names that had extra labels to the left of the IPv6
+  part. For example, when ``named`` attempted query name minimization on
+  a name like ``A.B.1.2.3.4.(...).ip6.arpa.``, it stopped at the
+  leftmost IPv6 label, i.e. ``1.2.3.4.(...).ip6.arpa.``, without
+  considering the extra labels (``A.B``). That caused a query loop when
+  resolving the name: if ``named`` received NXDOMAIN answers, then the
+  same query was repeatedly sent until the number of queries sent
+  reached the value of the ``max-recursion-queries`` configuration
+  option. :gl:`#1847`
+
+- Parsing of LOC records was made more strict by rejecting a sole period
+  (``.``) and/or ``m`` as a value. These changes prevent zone files
+  using such values from being loaded. Handling of negative altitudes
+  which are not integers was also corrected. :gl:`#2074`
+
+- Several problems found by `OSS-Fuzz`_ were fixed. (None of these are
+  security issues.) :gl:`!3953` :gl:`!3975`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
+
+.. _OSS-Fuzz: https://github.com/google/oss-fuzz
diff --git a/doc/notes/notes-9.16.8.rst b/doc/notes/notes-9.16.8.rst
new file mode 100644
index 0000000..e441e42
--- /dev/null
+++ b/doc/notes/notes-9.16.8.rst
@@ -0,0 +1,63 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.8
+---------------------
+
+New Features
+~~~~~~~~~~~~
+
+- Add a new ``rndc`` command, ``rndc dnssec -rollover``, which triggers
+  a manual rollover for a specific key. :gl:`#1749`
+
+- Add a new ``rndc`` command, ``rndc dumpdb -expired``, which dumps the
+  cache database, including expired RRsets that are awaiting cleanup, to
+  the ``dump-file`` for diagnostic purposes. :gl:`#1870`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- DNS Flag Day 2020: The default EDNS buffer size has been changed from
+  4096 to 1232 bytes. According to measurements done by multiple
+  parties, this should not cause any operational problems as most of the
+  Internet "core" is able to cope with IP message sizes between
+  1400-1500 bytes; the 1232 size was picked as a conservative minimal
+  number that could be changed by the DNS operator to an estimated path
+  MTU minus the estimated header space. In practice, the smallest MTU
+  witnessed in the operational DNS community is 1500 octets, the maximum
+  Ethernet payload size, so a useful default for maximum DNS/UDP payload
+  size on reliable networks would be 1432 bytes. :gl:`#2183`
+
+Bug Fixes
+~~~~~~~~~
+
+- ``named`` reported an invalid memory size when running in an
+  environment that did not properly report the number of available
+  memory pages and/or the size of each memory page. :gl:`#2166`
+
+- With multiple forwarders configured, ``named`` could fail the
+  ``REQUIRE(msg->state == (-1))`` assertion in ``lib/dns/message.c``,
+  causing it to crash. This has been fixed. :gl:`#2124`
+
+- ``named`` erroneously performed continuous key rollovers for KASP
+  policies that used algorithm Ed25519 or Ed448 due to a mismatch
+  between created key size and expected key size. :gl:`#2171`
+
+- Updating contents of an RPZ zone which contained names spelled using
+  varying letter case could cause some processing rules in that RPZ zone
+  to be erroneously ignored. :gl:`#2169`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.16.9.rst b/doc/notes/notes-9.16.9.rst
new file mode 100644
index 0000000..5ce2b37
--- /dev/null
+++ b/doc/notes/notes-9.16.9.rst
@@ -0,0 +1,50 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.9
+---------------------
+
+New Features
+~~~~~~~~~~~~
+
+- A new configuration option, ``stale-refresh-time``, has been
+  introduced. It allows a stale RRset to be served directly from cache
+  for a period of time after a failed lookup, before a new attempt to
+  refresh it is made. :gl:`#2066`
+
+Bug Fixes
+~~~~~~~~~
+
+- ``named`` could crash with an assertion failure if a TCP connection
+  were closed while a request was still being processed. :gl:`#2227`
+
+- ``named`` acting as a resolver could incorrectly treat signed zones
+  with no DS record at the parent as bogus. Such zones should be treated
+  as insecure. This has been fixed. :gl:`#2236`
+
+- After a Negative Trust Anchor (NTA) is added, BIND performs periodic
+  checks to see if it is still necessary. If BIND encountered a failure
+  while creating a query to perform such a check, it attempted to
+  dereference a ``NULL`` pointer, resulting in a crash. :gl:`#2244`
+
+- A problem obtaining glue records could prevent a stub zone from
+  functioning properly, if the authoritative server for the zone were
+  configured for minimal responses. :gl:`#1736`
+
+- ``UV_EOF`` is no longer treated as a ``TCP4RecvErr`` or a
+  ``TCP6RecvErr``. :gl:`#2208`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-known-issues.rst b/doc/notes/notes-known-issues.rst
new file mode 100644
index 0000000..d9000cb
--- /dev/null
+++ b/doc/notes/notes-known-issues.rst
@@ -0,0 +1,46 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. _relnotes_known_issues:
+
+Known Issues
+------------
+
+- Upgrading from BIND 9.16.32 or any older version may require a manual
+  configuration change. The following configurations are affected:
+
+  - ``type primary`` zones configured with ``dnssec-policy`` but without
+    either ``allow-update`` or ``update-policy``,
+  - ``type secondary`` zones configured with ``dnssec-policy``.
+
+  In these cases please add ``inline-signing yes;`` to the individual
+  zone configuration(s). Without applying this change, :iscman:`named`
+  will fail to start. For more details, see
+  https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing
+
+- BIND crashes on startup when linked against libuv 1.36. This issue is
+  related to ``recvmmsg()`` support in libuv, which was first included
+  in libuv 1.35. The problem was addressed in libuv 1.37, but the
+  relevant libuv code change requires a special flag to be set during
+  library initialization in order for ``recvmmsg()`` support to be
+  enabled. This BIND release sets that special flag when required, so
+  ``recvmmsg()`` support is now enabled when BIND is compiled against
+  either libuv 1.35 or libuv 1.37+; libuv 1.36 is still not usable with
+  BIND. :gl:`#1761` :gl:`#1797`
+
+- UDP network ports used for listening can no longer simultaneously be
+  used for sending traffic. An example configuration which triggers this
+  issue would be one which uses the same address:port pair for
+  ``listen-on(-v6)`` statements as for ``notify-source(-v6)`` or
+  ``transfer-source(-v6)``. While this issue affects all operating
+  systems, it only triggers log messages (e.g. "unable to create
+  dispatch for reserved port") on some of them. There are currently no
+  plans to make such a combination of settings work again.
diff --git a/fuzz/FUZZING.md b/fuzz/FUZZING.md
new file mode 100644
index 0000000..65363e1
--- /dev/null
+++ b/fuzz/FUZZING.md
@@ -0,0 +1,37 @@
+<!--
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0.  If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+-->
+
+= Fuzzing
+
+The tests in this directory can be operated in three modes:
+
+* non-fuzzing - the test just runs over all input located in `<test_name>.in/`
+  directory by compiling with mock main.c that walks through the directory and
+  runs `LLVMFuzzerTestOneInput()` over the input files
+* AFL - `./configure --with-fuzzing=afl` will either feed the stdin to
+  `LLVMFuzzerTestOneInput()` or run the `__AFL_LOOP(10000)` if compiled with
+  `afl-clang-fast`
+* LibFuzzer - `./configure --with-fuzzing=libfuzzer` will disable `main.c`
+  completely and it uses the standard LibFuzzer mechanims to feed
+  `LLVMFuzzerTestOneInput` with the fuzzer
+
+== Test Cases
+
+Each test case should be called descriptively and the executable target must
+link `testcase.o` and `main.o` and the `test_case.c` must have a function
+`LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)`.
+
+== Adding more fuzzers
+
+To add a different fuzzer, `main.c` must be modified to include `main()` function
+for a specific fuzzer (or no function as is case with LibFuzzer).
diff --git a/fuzz/Makefile.in b/fuzz/Makefile.in
new file mode 100644
index 0000000..e62ed15
--- /dev/null
+++ b/fuzz/Makefile.in
@@ -0,0 +1,55 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+abs_srcdir =	@abs_srcdir@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	-I. -I.. ${DNS_INCLUDES} ${ISC_INCLUDES} \
+		${OPENSSL_CFLAGS}
+CDEFINES =	-DFUZZDIR=\"$(abs_srcdir)\"
+
+ISCLIBS =	../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+ISCDEPLIBS =	../lib/isc/libisc.@A@
+DNSLIBS =	../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+DNSDEPLIBS =	../lib/dns/libdns.@A@
+
+LIBS =		@LIBS@
+
+OBJS =		main.@O@
+SRCS =		main.c dns_name_fromtext_target.c dns_rdata_fromwire_text.c
+
+SUBDIRS =
+TARGETS =	dns_name_fromtext_target@EXEEXT@ \
+		dns_rdata_fromwire_text@EXEEXT@
+
+@BIND9_MAKE_RULES@
+
+dns_name_fromtext_target@EXEEXT@: dns_name_fromtext_target.@O@ main.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+		dns_name_fromtext_target.@O@ main.@O@ ${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+dns_rdata_fromwire_text@EXEEXT@: dns_rdata_fromwire_text.@O@ main.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+		dns_rdata_fromwire_text.@O@ main.@O@ ${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+check: ${TARGETS}
+	for fuzzer in ${TARGETS}; do \
+		./$${fuzzer} ; \
+	done
+
+oss-fuzz: ${TARGETS}
+
+clean distclean::
+	rm -f ${TARGETS}
diff --git a/fuzz/dns_master_load.in/generate-counter-overflow.db b/fuzz/dns_master_load.in/generate-counter-overflow.db
new file mode 100644
index 0000000..590c0d5
--- /dev/null
+++ b/fuzz/dns_master_load.in/generate-counter-overflow.db
diff --git a/fuzz/dns_name_fromtext_target.c b/fuzz/dns_name_fromtext_target.c
new file mode 100644
index 0000000..a9db90f
--- /dev/null
+++ b/fuzz/dns_name_fromtext_target.c
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include <isc/buffer.h>
+#include <isc/util.h>
+
+#include <dns/fixedname.h>
+#include <dns/name.h>
+
+int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+	isc_buffer_t buf;
+	isc_result_t result;
+	dns_fixedname_t origin;
+	char *de_const;
+
+	if (size < 5) {
+		return (0);
+	}
+
+	dns_fixedname_init(&origin);
+	DE_CONST(data, de_const);
+	isc_buffer_init(&buf, (void *)de_const, size);
+	isc_buffer_add(&buf, size);
+	result = dns_name_fromtext(dns_fixedname_name(&origin), &buf,
+				   dns_rootname, 0, NULL);
+	UNUSED(result);
+	return (0);
+}
diff --git a/fuzz/dns_name_fromtext_target.in/example.com b/fuzz/dns_name_fromtext_target.in/example.com
new file mode 100644
index 0000000..de54ac6
--- /dev/null
+++ b/fuzz/dns_name_fromtext_target.in/example.com
@@ -0,0 +1 @@
+example.com
diff --git a/fuzz/dns_rdata_fromtext.in/svbc-max-token b/fuzz/dns_rdata_fromtext.in/svbc-max-token
new file mode 100644
index 0000000..6d1a265
--- /dev/null
+++ b/fuzz/dns_rdata_fromtext.in/svbc-max-token
@@ -0,0 +1 @@
+1 65 8 . aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
diff --git a/fuzz/dns_rdata_fromwire_text.c b/fuzz/dns_rdata_fromwire_text.c
new file mode 100644
index 0000000..d60d370
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.c
@@ -0,0 +1,225 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <assert.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <string.h>
+
+#include <isc/buffer.h>
+#include <isc/lex.h>
+#include <isc/mem.h>
+#include <isc/result.h>
+#include <isc/util.h>
+
+#include <dns/callbacks.h>
+#include <dns/compress.h>
+#include <dns/master.h>
+#include <dns/rdata.h>
+#include <dns/rdatatype.h>
+
+#define CHECK(x)                                     \
+	({                                           \
+		if ((result = (x)) != ISC_R_SUCCESS) \
+			goto done;                   \
+	})
+
+extern bool debug;
+
+/*
+ * Fuzz input to dns_rdata_fromwire(). Then convert the result
+ * to text, back to wire format, to multiline text, and back to wire
+ * format again, checking for consistency throughout the sequence.
+ */
+
+int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+static void
+nullmsg(dns_rdatacallbacks_t *cb, const char *fmt, ...) {
+	va_list args;
+
+	UNUSED(cb);
+
+	if (debug) {
+		va_start(args, fmt);
+		vfprintf(stderr, fmt, args);
+		fprintf(stderr, "\n");
+		va_end(args);
+	}
+}
+
+int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+	char totext[64 * 1044 * 4];
+	dns_compress_t cctx;
+	dns_decompress_t dctx;
+	dns_rdatatype_t rdtype;
+	dns_rdataclass_t rdclass;
+	dns_rdatatype_t typelist[256] = { 1000 }; /* unknown */
+	dns_rdataclass_t classlist[] = { dns_rdataclass_in, dns_rdataclass_hs,
+					 dns_rdataclass_ch, dns_rdataclass_any,
+					 60 };
+	dns_rdata_t rdata1 = DNS_RDATA_INIT, rdata2 = DNS_RDATA_INIT,
+		    rdata3 = DNS_RDATA_INIT;
+	dns_rdatacallbacks_t callbacks;
+	isc_buffer_t source, target;
+	isc_lex_t *lex = NULL;
+	isc_lexspecials_t specials;
+	isc_mem_t *mctx = NULL;
+	isc_result_t result;
+	unsigned char fromtext[1024];
+	unsigned char fromwire[1024];
+	unsigned char towire[1024];
+	unsigned int classes = (sizeof(classlist) / sizeof(classlist[0]));
+	unsigned int types = 1, flags, t;
+
+	/*
+	 * First 2 bytes are used to select type and class.
+	 * dns_rdata_fromwire() only accepts input up to 2^16-1 octets.
+	 */
+	if (size < 2 || size > 0xffff + 2) {
+		return (0);
+	}
+
+	/*
+	 * Append known types to list.
+	 */
+	for (t = 1; t <= 0x10000; t++) {
+		char typebuf[256];
+		if (dns_rdatatype_ismeta(t)) {
+			continue;
+		}
+		dns_rdatatype_format(t, typebuf, sizeof(typebuf));
+		if (strncmp(typebuf, "TYPE", 4) != 0) {
+			/* Assert when we need to grow typelist. */
+			assert(types < sizeof(typelist) / sizeof(typelist[0]));
+			typelist[types++] = t;
+		}
+	}
+
+	/*
+	 * Random type and class from a limited set.
+	 */
+	rdtype = typelist[(*data++) % types];
+	size--;
+	rdclass = classlist[(*data++) % classes];
+	size--;
+
+	isc_mem_create(&mctx);
+
+	CHECK(isc_lex_create(mctx, 64, &lex));
+	memset(specials, 0, sizeof(specials));
+	specials[0] = 1;
+	specials['('] = 1;
+	specials[')'] = 1;
+	specials['"'] = 1;
+	isc_lex_setspecials(lex, specials);
+	isc_lex_setcomments(lex, ISC_LEXCOMMENT_DNSMASTERFILE);
+
+	if (debug) {
+		fprintf(stderr, "type=%u, class=%u\n", rdtype, rdclass);
+	}
+
+	dns_rdatacallbacks_init(&callbacks);
+	callbacks.warn = callbacks.error = nullmsg;
+
+	/* Disallow decompression as we are reading a packet */
+	dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_NONE);
+
+	isc_buffer_constinit(&source, data, size);
+	isc_buffer_add(&source, size);
+	isc_buffer_setactive(&source, size);
+
+	isc_buffer_init(&target, fromwire, sizeof(fromwire));
+
+	/*
+	 * Reject invalid rdata.
+	 */
+	CHECK(dns_rdata_fromwire(&rdata1, rdclass, rdtype, &source, &dctx, 0,
+				 &target));
+	assert(rdata1.length == size);
+
+	/*
+	 * Convert to text from wire.
+	 */
+	isc_buffer_init(&target, totext, sizeof(totext) - 1);
+	result = dns_rdata_totext(&rdata1, NULL, &target);
+	assert(result == ISC_R_SUCCESS);
+
+	/*
+	 * Make debugging easier by NUL terminating.
+	 */
+	totext[isc_buffer_usedlength(&target)] = 0;
+
+	/*
+	 * Convert to wire from text.
+	 */
+	isc_buffer_constinit(&source, totext, isc_buffer_usedlength(&target));
+	isc_buffer_add(&source, isc_buffer_usedlength(&target));
+	CHECK(isc_lex_openbuffer(lex, &source));
+
+	isc_buffer_init(&target, fromtext, sizeof(fromtext));
+	result = dns_rdata_fromtext(&rdata2, rdclass, rdtype, lex, dns_rootname,
+				    0, mctx, &target, &callbacks);
+	if (debug && result != ISC_R_SUCCESS) {
+		fprintf(stderr, "'%s'\n", totext);
+	}
+	assert(result == ISC_R_SUCCESS);
+	assert(rdata2.length == size);
+	assert(!memcmp(rdata2.data, data, size));
+
+	/*
+	 * Convert to multi-line text from wire.
+	 */
+	isc_buffer_init(&target, totext, sizeof(totext));
+	flags = dns_master_styleflags(&dns_master_style_default);
+	result = dns_rdata_tofmttext(&rdata1, dns_rootname, flags, 80 - 32, 4,
+				     "\n", &target);
+	assert(result == ISC_R_SUCCESS);
+
+	/*
+	 * Convert to wire from text.
+	 */
+	isc_buffer_constinit(&source, totext, isc_buffer_usedlength(&target));
+	isc_buffer_add(&source, isc_buffer_usedlength(&target));
+	CHECK(isc_lex_openbuffer(lex, &source));
+
+	isc_buffer_init(&target, fromtext, sizeof(fromtext));
+	result = dns_rdata_fromtext(&rdata3, rdclass, rdtype, lex, dns_rootname,
+				    0, mctx, &target, &callbacks);
+	assert(result == ISC_R_SUCCESS);
+	assert(rdata3.length == size);
+	assert(!memcmp(rdata3.data, data, size));
+
+	/*
+	 * Convert rdata back to wire.
+	 */
+	CHECK(dns_compress_init(&cctx, -1, mctx));
+	dns_compress_disable(&cctx);
+	isc_buffer_init(&target, towire, sizeof(towire));
+	result = dns_rdata_towire(&rdata1, &cctx, &target);
+	dns_compress_invalidate(&cctx);
+	assert(result == ISC_R_SUCCESS);
+	assert(target.used == size);
+	assert(!memcmp(target.base, data, size));
+
+done:
+	if (lex != NULL) {
+		isc_lex_destroy(&lex);
+	}
+	if (lex != NULL) {
+		isc_mem_detach(&mctx);
+	}
+	return (0);
+}
diff --git a/fuzz/dns_rdata_fromwire_text.in/cdnskey b/fuzz/dns_rdata_fromwire_text.in/cdnskey
new file mode 100644
index 0000000..9eb47d5
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/cdnskey
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-0 b/fuzz/dns_rdata_fromwire_text.in/input-0
new file mode 100644
index 0000000..67264cf
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-0
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-1 b/fuzz/dns_rdata_fromwire_text.in/input-1
new file mode 100644
index 0000000..ae8e0b9
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-1
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-10 b/fuzz/dns_rdata_fromwire_text.in/input-10
new file mode 100644
index 0000000..2a39348
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-10
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-100 b/fuzz/dns_rdata_fromwire_text.in/input-100
new file mode 100644
index 0000000..5a527cd
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-100
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-101 b/fuzz/dns_rdata_fromwire_text.in/input-101
new file mode 100644
index 0000000..1d3d6a2
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-101
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-102 b/fuzz/dns_rdata_fromwire_text.in/input-102
new file mode 100644
index 0000000..b800c4c
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-102
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-103 b/fuzz/dns_rdata_fromwire_text.in/input-103
new file mode 100644
index 0000000..c0ca9c0
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-103
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-104 b/fuzz/dns_rdata_fromwire_text.in/input-104
new file mode 100644
index 0000000..5c39be4
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-104
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-105 b/fuzz/dns_rdata_fromwire_text.in/input-105
new file mode 100644
index 0000000..754d0f2
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-105
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-106 b/fuzz/dns_rdata_fromwire_text.in/input-106
new file mode 100644
index 0000000..af4bdc5
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-106
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-107 b/fuzz/dns_rdata_fromwire_text.in/input-107
new file mode 100644
index 0000000..8ddc502
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-107
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-108 b/fuzz/dns_rdata_fromwire_text.in/input-108
new file mode 100644
index 0000000..a328093
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-108
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-109 b/fuzz/dns_rdata_fromwire_text.in/input-109
new file mode 100644
index 0000000..b566c0b
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-109
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-11 b/fuzz/dns_rdata_fromwire_text.in/input-11
new file mode 100644
index 0000000..21ca619
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-11
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-110 b/fuzz/dns_rdata_fromwire_text.in/input-110
new file mode 100644
index 0000000..b55551a
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-110
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-111 b/fuzz/dns_rdata_fromwire_text.in/input-111
new file mode 100644
index 0000000..7e4fcd1
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-111
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-112 b/fuzz/dns_rdata_fromwire_text.in/input-112
new file mode 100644
index 0000000..c351052
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-112
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-113 b/fuzz/dns_rdata_fromwire_text.in/input-113
new file mode 100644
index 0000000..6159786
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-113
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-114 b/fuzz/dns_rdata_fromwire_text.in/input-114
new file mode 100644
index 0000000..a709d51
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-114
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-115 b/fuzz/dns_rdata_fromwire_text.in/input-115
new file mode 100644
index 0000000..a6a21c1
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-115
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-116 b/fuzz/dns_rdata_fromwire_text.in/input-116
new file mode 100644
index 0000000..248105b
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-116
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-117 b/fuzz/dns_rdata_fromwire_text.in/input-117
new file mode 100644
index 0000000..82fe403
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-117
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-118 b/fuzz/dns_rdata_fromwire_text.in/input-118
new file mode 100644
index 0000000..0b6136e
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-118
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-119 b/fuzz/dns_rdata_fromwire_text.in/input-119
new file mode 100644
index 0000000..bb8cd98
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-119
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-12 b/fuzz/dns_rdata_fromwire_text.in/input-12
new file mode 100644
index 0000000..e51156b
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-12
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-120 b/fuzz/dns_rdata_fromwire_text.in/input-120
new file mode 100644
index 0000000..0e0b607
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-120
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-121 b/fuzz/dns_rdata_fromwire_text.in/input-121
new file mode 100644
index 0000000..8671167
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-121
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-122 b/fuzz/dns_rdata_fromwire_text.in/input-122
new file mode 100644
index 0000000..90d058c
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-122
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-123 b/fuzz/dns_rdata_fromwire_text.in/input-123
new file mode 100644
index 0000000..9728ae9
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-123
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-124 b/fuzz/dns_rdata_fromwire_text.in/input-124
new file mode 100644
index 0000000..7a54801
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-124
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-125 b/fuzz/dns_rdata_fromwire_text.in/input-125
new file mode 100644
index 0000000..90e2175
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-125
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-126 b/fuzz/dns_rdata_fromwire_text.in/input-126
new file mode 100644
index 0000000..04a84f4
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-126
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-127 b/fuzz/dns_rdata_fromwire_text.in/input-127
new file mode 100644
index 0000000..b7b8446
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-127
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-128 b/fuzz/dns_rdata_fromwire_text.in/input-128
new file mode 100644
index 0000000..bd581cd
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-128
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-129 b/fuzz/dns_rdata_fromwire_text.in/input-129
new file mode 100644
index 0000000..f80c669
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-129
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-13 b/fuzz/dns_rdata_fromwire_text.in/input-13
new file mode 100644
index 0000000..0c4f452
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-13
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-130 b/fuzz/dns_rdata_fromwire_text.in/input-130
new file mode 100644
index 0000000..00d9438
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-130
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-131 b/fuzz/dns_rdata_fromwire_text.in/input-131
new file mode 100644
index 0000000..b5377d3
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-131
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-132 b/fuzz/dns_rdata_fromwire_text.in/input-132
new file mode 100644
index 0000000..2866ed0
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-132
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-133 b/fuzz/dns_rdata_fromwire_text.in/input-133
new file mode 100644
index 0000000..d6ca8c8
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-133
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-134 b/fuzz/dns_rdata_fromwire_text.in/input-134
new file mode 100644
index 0000000..bee8307
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-134
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-135 b/fuzz/dns_rdata_fromwire_text.in/input-135
new file mode 100644
index 0000000..91efead
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-135
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-136 b/fuzz/dns_rdata_fromwire_text.in/input-136
new file mode 100644
index 0000000..f7b1843
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-136
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-137 b/fuzz/dns_rdata_fromwire_text.in/input-137
new file mode 100644
index 0000000..2bd7066
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-137
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-138 b/fuzz/dns_rdata_fromwire_text.in/input-138
new file mode 100644
index 0000000..ea08340
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-138
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-139 b/fuzz/dns_rdata_fromwire_text.in/input-139
new file mode 100644
index 0000000..e95cbf5
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-139
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-14 b/fuzz/dns_rdata_fromwire_text.in/input-14
new file mode 100644
index 0000000..bde6b15
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-14
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-140 b/fuzz/dns_rdata_fromwire_text.in/input-140
new file mode 100644
index 0000000..25be408
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-140
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-141 b/fuzz/dns_rdata_fromwire_text.in/input-141
new file mode 100644
index 0000000..0b2d0d6
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-141
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-142 b/fuzz/dns_rdata_fromwire_text.in/input-142
new file mode 100644
index 0000000..ca87de0
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-142
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-143 b/fuzz/dns_rdata_fromwire_text.in/input-143
new file mode 100644
index 0000000..1a3e0ac
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-143
@@ -0,0 +1 @@
+d$3ÿê
\ No newline at end of file
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-15 b/fuzz/dns_rdata_fromwire_text.in/input-15
new file mode 100644
index 0000000..72df49c
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-15
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-16 b/fuzz/dns_rdata_fromwire_text.in/input-16
new file mode 100644
index 0000000..b80f63f
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-16
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-17 b/fuzz/dns_rdata_fromwire_text.in/input-17
new file mode 100644
index 0000000..cc63d40
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-17
@@ -0,0 +1 @@
+d®#®®®®®®®®®®®®®®®®®®®®®Ä®®®®®d®®®®®d
\ No newline at end of file
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-18 b/fuzz/dns_rdata_fromwire_text.in/input-18
new file mode 100644
index 0000000..4a0d214
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-18
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-19 b/fuzz/dns_rdata_fromwire_text.in/input-19
new file mode 100644
index 0000000..4ef39ef
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-19
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-2 b/fuzz/dns_rdata_fromwire_text.in/input-2
new file mode 100644
index 0000000..cecf923
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-2
@@ -0,0 +1 @@
+4A-ò 
\ No newline at end of file
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-20 b/fuzz/dns_rdata_fromwire_text.in/input-20
new file mode 100644
index 0000000..52c3851
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-20
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-21 b/fuzz/dns_rdata_fromwire_text.in/input-21
new file mode 100644
index 0000000..0cc97d6
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-21
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-22 b/fuzz/dns_rdata_fromwire_text.in/input-22
new file mode 100644
index 0000000..d993d48
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-22
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-23 b/fuzz/dns_rdata_fromwire_text.in/input-23
new file mode 100644
index 0000000..38cbee6
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-23
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-24 b/fuzz/dns_rdata_fromwire_text.in/input-24
new file mode 100644
index 0000000..a45779e
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-24
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-25 b/fuzz/dns_rdata_fromwire_text.in/input-25
new file mode 100644
index 0000000..2d9f2ce
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-25
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-26 b/fuzz/dns_rdata_fromwire_text.in/input-26
new file mode 100644
index 0000000..a392076
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-26
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-27 b/fuzz/dns_rdata_fromwire_text.in/input-27
new file mode 100644
index 0000000..f75f8d9
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-27
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-28 b/fuzz/dns_rdata_fromwire_text.in/input-28
new file mode 100644
index 0000000..005ae77
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-28
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-29 b/fuzz/dns_rdata_fromwire_text.in/input-29
new file mode 100644
index 0000000..b9c69e1
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-29
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-3 b/fuzz/dns_rdata_fromwire_text.in/input-3
new file mode 100644
index 0000000..606dc1b
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-3
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-30 b/fuzz/dns_rdata_fromwire_text.in/input-30
new file mode 100644
index 0000000..e106d54
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-30
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-31 b/fuzz/dns_rdata_fromwire_text.in/input-31
new file mode 100644
index 0000000..dc5bf2b
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-31
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-32 b/fuzz/dns_rdata_fromwire_text.in/input-32
new file mode 100644
index 0000000..1297a7e
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-32
@@ -0,0 +1 @@
+déé
\ No newline at end of file
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-33 b/fuzz/dns_rdata_fromwire_text.in/input-33
new file mode 100644
index 0000000..b6d57bb
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-33
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-34 b/fuzz/dns_rdata_fromwire_text.in/input-34
new file mode 100644
index 0000000..fef669d
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-34
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-35 b/fuzz/dns_rdata_fromwire_text.in/input-35
new file mode 100644
index 0000000..94a4a37
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-35
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-36 b/fuzz/dns_rdata_fromwire_text.in/input-36
new file mode 100644
index 0000000..dab603c
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-36
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-37 b/fuzz/dns_rdata_fromwire_text.in/input-37
new file mode 100644
index 0000000..51f4124
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-37
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-38 b/fuzz/dns_rdata_fromwire_text.in/input-38
new file mode 100644
index 0000000..1ad3023
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-38
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-39 b/fuzz/dns_rdata_fromwire_text.in/input-39
new file mode 100644
index 0000000..b8dfecd
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-39
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-4 b/fuzz/dns_rdata_fromwire_text.in/input-4
new file mode 100644
index 0000000..ae6730e
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-4
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-40 b/fuzz/dns_rdata_fromwire_text.in/input-40
new file mode 100644
index 0000000..5ab3557
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-40
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-41 b/fuzz/dns_rdata_fromwire_text.in/input-41
new file mode 100644
index 0000000..ea33ca7
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-41
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-42 b/fuzz/dns_rdata_fromwire_text.in/input-42
new file mode 100644
index 0000000..eb63067
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-42
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-43 b/fuzz/dns_rdata_fromwire_text.in/input-43
new file mode 100644
index 0000000..9aa3747
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-43
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-44 b/fuzz/dns_rdata_fromwire_text.in/input-44
new file mode 100644
index 0000000..bdc8b9d
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-44
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-45 b/fuzz/dns_rdata_fromwire_text.in/input-45
new file mode 100644
index 0000000..e6966b5
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-45
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-46 b/fuzz/dns_rdata_fromwire_text.in/input-46
new file mode 100644
index 0000000..1156424
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-46
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-47 b/fuzz/dns_rdata_fromwire_text.in/input-47
new file mode 100644
index 0000000..b499172
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-47
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-48 b/fuzz/dns_rdata_fromwire_text.in/input-48
new file mode 100644
index 0000000..7ab447b
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-48
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-49 b/fuzz/dns_rdata_fromwire_text.in/input-49
new file mode 100644
index 0000000..ab5e3b0
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-49
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-5 b/fuzz/dns_rdata_fromwire_text.in/input-5
new file mode 100644
index 0000000..4f0acdc
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-5
@@ -0,0 +1 @@
+„Ë››
\ No newline at end of file
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-50 b/fuzz/dns_rdata_fromwire_text.in/input-50
new file mode 100644
index 0000000..5f43a46
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-50
@@ -0,0 +1 @@
+µ|8‡‡¶|¶|8¶|¶|8
\ No newline at end of file
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-51 b/fuzz/dns_rdata_fromwire_text.in/input-51
new file mode 100644
index 0000000..880c12c
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-51
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-52 b/fuzz/dns_rdata_fromwire_text.in/input-52
new file mode 100644
index 0000000..50a22af
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-52
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-53 b/fuzz/dns_rdata_fromwire_text.in/input-53
new file mode 100644
index 0000000..95243a6
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-53
@@ -0,0 +1 @@
+ñ(
\ No newline at end of file
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-54 b/fuzz/dns_rdata_fromwire_text.in/input-54
new file mode 100644
index 0000000..b501920
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-54
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-55 b/fuzz/dns_rdata_fromwire_text.in/input-55
new file mode 100644
index 0000000..59b9f03
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-55
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-56 b/fuzz/dns_rdata_fromwire_text.in/input-56
new file mode 100644
index 0000000..b0beba0
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-56
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-57 b/fuzz/dns_rdata_fromwire_text.in/input-57
new file mode 100644
index 0000000..24f40a5
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-57
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-58 b/fuzz/dns_rdata_fromwire_text.in/input-58
new file mode 100644
index 0000000..aca62bb
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-58
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-59 b/fuzz/dns_rdata_fromwire_text.in/input-59
new file mode 100644
index 0000000..3388b2d
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-59
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-6 b/fuzz/dns_rdata_fromwire_text.in/input-6
new file mode 100644
index 0000000..889a2bd
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-6
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-60 b/fuzz/dns_rdata_fromwire_text.in/input-60
new file mode 100644
index 0000000..ac328d9
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-60
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-61 b/fuzz/dns_rdata_fromwire_text.in/input-61
new file mode 100644
index 0000000..08ad070
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-61
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-62 b/fuzz/dns_rdata_fromwire_text.in/input-62
new file mode 100644
index 0000000..18a05e5
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-62
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-63 b/fuzz/dns_rdata_fromwire_text.in/input-63
new file mode 100644
index 0000000..959fdaf
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-63
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-64 b/fuzz/dns_rdata_fromwire_text.in/input-64
new file mode 100644
index 0000000..5d9c569
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-64
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-65 b/fuzz/dns_rdata_fromwire_text.in/input-65
new file mode 100644
index 0000000..2d9c1fc
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-65
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-66 b/fuzz/dns_rdata_fromwire_text.in/input-66
new file mode 100644
index 0000000..f78d393
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-66
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-67 b/fuzz/dns_rdata_fromwire_text.in/input-67
new file mode 100644
index 0000000..95efb96
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-67
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-68 b/fuzz/dns_rdata_fromwire_text.in/input-68
new file mode 100644
index 0000000..e913515
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-68
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-69 b/fuzz/dns_rdata_fromwire_text.in/input-69
new file mode 100644
index 0000000..c8046b5
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-69
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-7 b/fuzz/dns_rdata_fromwire_text.in/input-7
new file mode 100644
index 0000000..e52f460
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-7
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-70 b/fuzz/dns_rdata_fromwire_text.in/input-70
new file mode 100644
index 0000000..92a7128
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-70
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-71 b/fuzz/dns_rdata_fromwire_text.in/input-71
new file mode 100644
index 0000000..5fc383e
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-71
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-72 b/fuzz/dns_rdata_fromwire_text.in/input-72
new file mode 100644
index 0000000..7759c47
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-72
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-73 b/fuzz/dns_rdata_fromwire_text.in/input-73
new file mode 100644
index 0000000..872fee9
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-73
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-74 b/fuzz/dns_rdata_fromwire_text.in/input-74
new file mode 100644
index 0000000..6d6ec93
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-74
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-75 b/fuzz/dns_rdata_fromwire_text.in/input-75
new file mode 100644
index 0000000..47a9f2b
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-75
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-76 b/fuzz/dns_rdata_fromwire_text.in/input-76
new file mode 100644
index 0000000..0a02761
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-76
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-77 b/fuzz/dns_rdata_fromwire_text.in/input-77
new file mode 100644
index 0000000..44d445a
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-77
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-78 b/fuzz/dns_rdata_fromwire_text.in/input-78
new file mode 100644
index 0000000..2893517
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-78
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-79 b/fuzz/dns_rdata_fromwire_text.in/input-79
new file mode 100644
index 0000000..c83c4bd
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-79
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-8 b/fuzz/dns_rdata_fromwire_text.in/input-8
new file mode 100644
index 0000000..4d60fdf
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-8
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-80 b/fuzz/dns_rdata_fromwire_text.in/input-80
new file mode 100644
index 0000000..5da0971
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-80
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-81 b/fuzz/dns_rdata_fromwire_text.in/input-81
new file mode 100644
index 0000000..c3b5aff
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-81
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-82 b/fuzz/dns_rdata_fromwire_text.in/input-82
new file mode 100644
index 0000000..0e862c6
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-82
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-83 b/fuzz/dns_rdata_fromwire_text.in/input-83
new file mode 100644
index 0000000..7f49b5f
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-83
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-84 b/fuzz/dns_rdata_fromwire_text.in/input-84
new file mode 100644
index 0000000..417471d
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-84
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-85 b/fuzz/dns_rdata_fromwire_text.in/input-85
new file mode 100644
index 0000000..2e6a9ea
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-85
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-86 b/fuzz/dns_rdata_fromwire_text.in/input-86
new file mode 100644
index 0000000..1eb09cc
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-86
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-87 b/fuzz/dns_rdata_fromwire_text.in/input-87
new file mode 100644
index 0000000..4c29c23
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-87
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-88 b/fuzz/dns_rdata_fromwire_text.in/input-88
new file mode 100644
index 0000000..28ac529
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-88
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-89 b/fuzz/dns_rdata_fromwire_text.in/input-89
new file mode 100644
index 0000000..8119bf0
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-89
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-9 b/fuzz/dns_rdata_fromwire_text.in/input-9
new file mode 100644
index 0000000..72a140c
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-9
@@ -0,0 +1 @@
+222222'œœœœœœœœœœœœœœœœœ222222222'œœœœœœœœœœœœœœœœ
\ No newline at end of file
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-90 b/fuzz/dns_rdata_fromwire_text.in/input-90
new file mode 100644
index 0000000..6ae07bd
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-90
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-91 b/fuzz/dns_rdata_fromwire_text.in/input-91
new file mode 100644
index 0000000..28a0c7f
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-91
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-92 b/fuzz/dns_rdata_fromwire_text.in/input-92
new file mode 100644
index 0000000..6b7efe5
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-92
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-93 b/fuzz/dns_rdata_fromwire_text.in/input-93
new file mode 100644
index 0000000..a5395e1
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-93
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-94 b/fuzz/dns_rdata_fromwire_text.in/input-94
new file mode 100644
index 0000000..43fbdae
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-94
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-95 b/fuzz/dns_rdata_fromwire_text.in/input-95
new file mode 100644
index 0000000..742afd7
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-95
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-96 b/fuzz/dns_rdata_fromwire_text.in/input-96
new file mode 100644
index 0000000..bb8bb8a
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-96
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-97 b/fuzz/dns_rdata_fromwire_text.in/input-97
new file mode 100644
index 0000000..03d79ae
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-97
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-98 b/fuzz/dns_rdata_fromwire_text.in/input-98
new file mode 100644
index 0000000..0cc1f01
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-98
diff --git a/fuzz/dns_rdata_fromwire_text.in/input-99 b/fuzz/dns_rdata_fromwire_text.in/input-99
new file mode 100644
index 0000000..1490fa0
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/input-99
@@ -0,0 +1 @@
+d"éé
\ No newline at end of file
diff --git a/fuzz/dns_rdata_fromwire_text.in/smimea b/fuzz/dns_rdata_fromwire_text.in/smimea
new file mode 100644
index 0000000..528472d
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/smimea
@@ -0,0 +1 @@
+…-Òeœ<
\ No newline at end of file
diff --git a/fuzz/dns_rdata_fromwire_text.in/sshfp b/fuzz/dns_rdata_fromwire_text.in/sshfp
new file mode 100644
index 0000000..b3007cd
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/sshfp
@@ -0,0 +1 @@
+|‡°|8
\ No newline at end of file
diff --git a/fuzz/dns_rdata_fromwire_text.in/svcb b/fuzz/dns_rdata_fromwire_text.in/svcb
new file mode 100644
index 0000000..800a616
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/svcb
diff --git a/fuzz/fuzz.h b/fuzz/fuzz.h
new file mode 100644
index 0000000..b5645a9
--- /dev/null
+++ b/fuzz/fuzz.h
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdint.h>
+
+#include <isc/lang.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <dst/dst.h>
+
+ISC_LANG_BEGINDECLS
+
+extern bool debug;
+
+int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+ISC_LANG_ENDDECLS
diff --git a/fuzz/main.c b/fuzz/main.c
new file mode 100644
index 0000000..79689d9
--- /dev/null
+++ b/fuzz/main.c
@@ -0,0 +1,145 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <unistd.h>
+
+#include "fuzz.h"
+
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+
+#include <dirent.h>
+
+bool debug = false;
+
+static void
+test_all_from(const char *dirname) {
+	DIR *dirp;
+	struct dirent *dp;
+
+	dirp = opendir(dirname);
+	if (dirp == NULL) {
+		return;
+	}
+
+	while ((dp = readdir(dirp)) != NULL) {
+		char filename[strlen(dirname) + strlen(dp->d_name) + 2];
+		int fd;
+		struct stat st;
+		char *data;
+		ssize_t n;
+
+		if (dp->d_name[0] == '.') {
+			continue;
+		}
+		snprintf(filename, sizeof(filename), "%s/%s", dirname,
+			 dp->d_name);
+
+		if ((fd = open(filename, O_RDONLY)) == -1) {
+			fprintf(stderr, "Failed to open %s: %s\n", filename,
+				strerror(errno));
+			continue;
+		}
+
+		if (fstat(fd, &st) != 0) {
+			fprintf(stderr, "Failed to stat %s: %s\n", filename,
+				strerror(errno));
+			goto closefd;
+		}
+
+		data = malloc(st.st_size);
+		n = read(fd, data, st.st_size);
+		if (n == st.st_size) {
+			printf("testing %zd bytes from %s\n", n, filename);
+			fflush(stdout);
+			LLVMFuzzerTestOneInput((const uint8_t *)data, n);
+			fflush(stderr);
+		} else {
+			if (n < 0) {
+				fprintf(stderr,
+					"Failed to read %zd bytes from %s: "
+					"%s\n",
+					(ssize_t)st.st_size, filename,
+					strerror(errno));
+			} else {
+				fprintf(stderr,
+					"Failed to read %zd bytes from %s"
+					", got %zd\n",
+					(ssize_t)st.st_size, filename, n);
+			}
+		}
+		free(data);
+	closefd:
+		close(fd);
+	}
+
+	closedir(dirp);
+}
+
+int
+main(int argc, char **argv) {
+	char corpusdir[PATH_MAX];
+	const char *target = strrchr(argv[0], '/');
+
+	UNUSED(argc);
+	UNUSED(argv);
+
+	if (argc != 1) {
+		debug = true;
+	}
+
+	target = (target != NULL) ? target + 1 : argv[0];
+	if (strncmp(target, "lt-", 3) == 0) {
+		target += 3;
+	}
+
+	snprintf(corpusdir, sizeof(corpusdir), FUZZDIR "/%s.in", target);
+
+	test_all_from(corpusdir);
+
+	return (0);
+}
+
+#elif __AFL_COMPILER
+
+int
+main(int argc, char **argv) {
+	int ret;
+	unsigned char buf[64 * 1024];
+
+	UNUSED(argc);
+	UNUSED(argv);
+
+#ifdef __AFL_LOOP
+	while (__AFL_LOOP(10000)) { /* only works with afl-clang-fast */
+#else  /* ifdef __AFL_LOOP */
+	{
+#endif /* ifdef __AFL_LOOP */
+		ret = fread(buf, 1, sizeof(buf), stdin);
+		if (ret < 0) {
+			return (0);
+		}
+
+		LLVMFuzzerTestOneInput(buf, ret);
+	}
+
+	return (0);
+}
+
+#endif /* FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION */
diff --git a/install-sh b/install-sh
new file mode 100755
index 0000000..0b0fdcb
--- /dev/null
+++ b/install-sh
@@ -0,0 +1,501 @@
+#!/bin/sh
+# install - install a program, script, or datafile
+
+scriptversion=2013-12-25.23; # UTC
+
+# This originates from X11R5 (mit/util/scripts/install.sh), which was
+# later released in X11R6 (xc/config/util/install.sh) with the
+# following copyright and license.
+#
+# Copyright (C) 1994 X Consortium
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to
+# deal in the Software without restriction, including without limitation the
+# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+# sell copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL THE
+# X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN
+# AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNEC-
+# TION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+# Except as contained in this notice, the name of the X Consortium shall not
+# be used in advertising or otherwise to promote the sale, use or other deal-
+# ings in this Software without prior written authorization from the X Consor-
+# tium.
+#
+#
+# FSF changes to this file are in the public domain.
+#
+# Calling this script install-sh is preferred over install.sh, to prevent
+# 'make' implicit rules from creating a file called install from it
+# when there is no Makefile.
+#
+# This script is compatible with the BSD install script, but was written
+# from scratch.
+
+tab='	'
+nl='
+'
+IFS=" $tab$nl"
+
+# Set DOITPROG to "echo" to test this script.
+
+doit=${DOITPROG-}
+doit_exec=${doit:-exec}
+
+# Put in absolute file names if you don't have them in your path;
+# or use environment vars.
+
+chgrpprog=${CHGRPPROG-chgrp}
+chmodprog=${CHMODPROG-chmod}
+chownprog=${CHOWNPROG-chown}
+cmpprog=${CMPPROG-cmp}
+cpprog=${CPPROG-cp}
+mkdirprog=${MKDIRPROG-mkdir}
+mvprog=${MVPROG-mv}
+rmprog=${RMPROG-rm}
+stripprog=${STRIPPROG-strip}
+
+posix_mkdir=
+
+# Desired mode of installed file.
+mode=0755
+
+chgrpcmd=
+chmodcmd=$chmodprog
+chowncmd=
+mvcmd=$mvprog
+rmcmd="$rmprog -f"
+stripcmd=
+
+src=
+dst=
+dir_arg=
+dst_arg=
+
+copy_on_change=false
+is_target_a_directory=possibly
+
+usage="\
+Usage: $0 [OPTION]... [-T] SRCFILE DSTFILE
+   or: $0 [OPTION]... SRCFILES... DIRECTORY
+   or: $0 [OPTION]... -t DIRECTORY SRCFILES...
+   or: $0 [OPTION]... -d DIRECTORIES...
+
+In the 1st form, copy SRCFILE to DSTFILE.
+In the 2nd and 3rd, copy all SRCFILES to DIRECTORY.
+In the 4th, create DIRECTORIES.
+
+Options:
+     --help     display this help and exit.
+     --version  display version info and exit.
+
+  -c            (ignored)
+  -C            install only if different (preserve the last data modification time)
+  -d            create directories instead of installing files.
+  -g GROUP      $chgrpprog installed files to GROUP.
+  -m MODE       $chmodprog installed files to MODE.
+  -o USER       $chownprog installed files to USER.
+  -s            $stripprog installed files.
+  -t DIRECTORY  install into DIRECTORY.
+  -T            report an error if DSTFILE is a directory.
+
+Environment variables override the default commands:
+  CHGRPPROG CHMODPROG CHOWNPROG CMPPROG CPPROG MKDIRPROG MVPROG
+  RMPROG STRIPPROG
+"
+
+while test $# -ne 0; do
+  case $1 in
+    -c) ;;
+
+    -C) copy_on_change=true;;
+
+    -d) dir_arg=true;;
+
+    -g) chgrpcmd="$chgrpprog $2"
+        shift;;
+
+    --help) echo "$usage"; exit $?;;
+
+    -m) mode=$2
+        case $mode in
+          *' '* | *"$tab"* | *"$nl"* | *'*'* | *'?'* | *'['*)
+            echo "$0: invalid mode: $mode" >&2
+            exit 1;;
+        esac
+        shift;;
+
+    -o) chowncmd="$chownprog $2"
+        shift;;
+
+    -s) stripcmd=$stripprog;;
+
+    -t)
+        is_target_a_directory=always
+        dst_arg=$2
+        # Protect names problematic for 'test' and other utilities.
+        case $dst_arg in
+          -* | [=\(\)!]) dst_arg=./$dst_arg;;
+        esac
+        shift;;
+
+    -T) is_target_a_directory=never;;
+
+    --version) echo "$0 $scriptversion"; exit $?;;
+
+    --) shift
+        break;;
+
+    -*) echo "$0: invalid option: $1" >&2
+        exit 1;;
+
+    *)  break;;
+  esac
+  shift
+done
+
+# We allow the use of options -d and -T together, by making -d
+# take the precedence; this is for compatibility with GNU install.
+
+if test -n "$dir_arg"; then
+  if test -n "$dst_arg"; then
+    echo "$0: target directory not allowed when installing a directory." >&2
+    exit 1
+  fi
+fi
+
+if test $# -ne 0 && test -z "$dir_arg$dst_arg"; then
+  # When -d is used, all remaining arguments are directories to create.
+  # When -t is used, the destination is already specified.
+  # Otherwise, the last argument is the destination.  Remove it from $@.
+  for arg
+  do
+    if test -n "$dst_arg"; then
+      # $@ is not empty: it contains at least $arg.
+      set fnord "$@" "$dst_arg"
+      shift # fnord
+    fi
+    shift # arg
+    dst_arg=$arg
+    # Protect names problematic for 'test' and other utilities.
+    case $dst_arg in
+      -* | [=\(\)!]) dst_arg=./$dst_arg;;
+    esac
+  done
+fi
+
+if test $# -eq 0; then
+  if test -z "$dir_arg"; then
+    echo "$0: no input file specified." >&2
+    exit 1
+  fi
+  # It's OK to call 'install-sh -d' without argument.
+  # This can happen when creating conditional directories.
+  exit 0
+fi
+
+if test -z "$dir_arg"; then
+  if test $# -gt 1 || test "$is_target_a_directory" = always; then
+    if test ! -d "$dst_arg"; then
+      echo "$0: $dst_arg: Is not a directory." >&2
+      exit 1
+    fi
+  fi
+fi
+
+if test -z "$dir_arg"; then
+  do_exit='(exit $ret); exit $ret'
+  trap "ret=129; $do_exit" 1
+  trap "ret=130; $do_exit" 2
+  trap "ret=141; $do_exit" 13
+  trap "ret=143; $do_exit" 15
+
+  # Set umask so as not to create temps with too-generous modes.
+  # However, 'strip' requires both read and write access to temps.
+  case $mode in
+    # Optimize common cases.
+    *644) cp_umask=133;;
+    *755) cp_umask=22;;
+
+    *[0-7])
+      if test -z "$stripcmd"; then
+        u_plus_rw=
+      else
+        u_plus_rw='% 200'
+      fi
+      cp_umask=`expr '(' 777 - $mode % 1000 ')' $u_plus_rw`;;
+    *)
+      if test -z "$stripcmd"; then
+        u_plus_rw=
+      else
+        u_plus_rw=,u+rw
+      fi
+      cp_umask=$mode$u_plus_rw;;
+  esac
+fi
+
+for src
+do
+  # Protect names problematic for 'test' and other utilities.
+  case $src in
+    -* | [=\(\)!]) src=./$src;;
+  esac
+
+  if test -n "$dir_arg"; then
+    dst=$src
+    dstdir=$dst
+    test -d "$dstdir"
+    dstdir_status=$?
+  else
+
+    # Waiting for this to be detected by the "$cpprog $src $dsttmp" command
+    # might cause directories to be created, which would be especially bad
+    # if $src (and thus $dsttmp) contains '*'.
+    if test ! -f "$src" && test ! -d "$src"; then
+      echo "$0: $src does not exist." >&2
+      exit 1
+    fi
+
+    if test -z "$dst_arg"; then
+      echo "$0: no destination specified." >&2
+      exit 1
+    fi
+    dst=$dst_arg
+
+    # If destination is a directory, append the input filename; won't work
+    # if double slashes aren't ignored.
+    if test -d "$dst"; then
+      if test "$is_target_a_directory" = never; then
+        echo "$0: $dst_arg: Is a directory" >&2
+        exit 1
+      fi
+      dstdir=$dst
+      dst=$dstdir/`basename "$src"`
+      dstdir_status=0
+    else
+      dstdir=`dirname "$dst"`
+      test -d "$dstdir"
+      dstdir_status=$?
+    fi
+  fi
+
+  obsolete_mkdir_used=false
+
+  if test $dstdir_status != 0; then
+    case $posix_mkdir in
+      '')
+        # Create intermediate dirs using mode 755 as modified by the umask.
+        # This is like FreeBSD 'install' as of 1997-10-28.
+        umask=`umask`
+        case $stripcmd.$umask in
+          # Optimize common cases.
+          *[2367][2367]) mkdir_umask=$umask;;
+          .*0[02][02] | .[02][02] | .[02]) mkdir_umask=22;;
+
+          *[0-7])
+            mkdir_umask=`expr $umask + 22 \
+              - $umask % 100 % 40 + $umask % 20 \
+              - $umask % 10 % 4 + $umask % 2
+            `;;
+          *) mkdir_umask=$umask,go-w;;
+        esac
+
+        # With -d, create the new directory with the user-specified mode.
+        # Otherwise, rely on $mkdir_umask.
+        if test -n "$dir_arg"; then
+          mkdir_mode=-m$mode
+        else
+          mkdir_mode=
+        fi
+
+        posix_mkdir=false
+        case $umask in
+          *[123567][0-7][0-7])
+            # POSIX mkdir -p sets u+wx bits regardless of umask, which
+            # is incompatible with FreeBSD 'install' when (umask & 300) != 0.
+            ;;
+          *)
+            tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
+            trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0
+
+            if (umask $mkdir_umask &&
+                exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1
+            then
+              if test -z "$dir_arg" || {
+                   # Check for POSIX incompatibilities with -m.
+                   # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or
+                   # other-writable bit of parent directory when it shouldn't.
+                   # FreeBSD 6.1 mkdir -m -p sets mode of existing directory.
+                   ls_ld_tmpdir=`ls -ld "$tmpdir"`
+                   case $ls_ld_tmpdir in
+                     d????-?r-*) different_mode=700;;
+                     d????-?--*) different_mode=755;;
+                     *) false;;
+                   esac &&
+                   $mkdirprog -m$different_mode -p -- "$tmpdir" && {
+                     ls_ld_tmpdir_1=`ls -ld "$tmpdir"`
+                     test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1"
+                   }
+                 }
+              then posix_mkdir=:
+              fi
+              rmdir "$tmpdir/d" "$tmpdir"
+            else
+              # Remove any dirs left behind by ancient mkdir implementations.
+              rmdir ./$mkdir_mode ./-p ./-- 2>/dev/null
+            fi
+            trap '' 0;;
+        esac;;
+    esac
+
+    if
+      $posix_mkdir && (
+        umask $mkdir_umask &&
+        $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir"
+      )
+    then :
+    else
+
+      # The umask is ridiculous, or mkdir does not conform to POSIX,
+      # or it failed possibly due to a race condition.  Create the
+      # directory the slow way, step by step, checking for races as we go.
+
+      case $dstdir in
+        /*) prefix='/';;
+        [-=\(\)!]*) prefix='./';;
+        *)  prefix='';;
+      esac
+
+      oIFS=$IFS
+      IFS=/
+      set -f
+      set fnord $dstdir
+      shift
+      set +f
+      IFS=$oIFS
+
+      prefixes=
+
+      for d
+      do
+        test X"$d" = X && continue
+
+        prefix=$prefix$d
+        if test -d "$prefix"; then
+          prefixes=
+        else
+          if $posix_mkdir; then
+            (umask=$mkdir_umask &&
+             $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break
+            # Don't fail if two instances are running concurrently.
+            test -d "$prefix" || exit 1
+          else
+            case $prefix in
+              *\'*) qprefix=`echo "$prefix" | sed "s/'/'\\\\\\\\''/g"`;;
+              *) qprefix=$prefix;;
+            esac
+            prefixes="$prefixes '$qprefix'"
+          fi
+        fi
+        prefix=$prefix/
+      done
+
+      if test -n "$prefixes"; then
+        # Don't fail if two instances are running concurrently.
+        (umask $mkdir_umask &&
+         eval "\$doit_exec \$mkdirprog $prefixes") ||
+          test -d "$dstdir" || exit 1
+        obsolete_mkdir_used=true
+      fi
+    fi
+  fi
+
+  if test -n "$dir_arg"; then
+    { test -z "$chowncmd" || $doit $chowncmd "$dst"; } &&
+    { test -z "$chgrpcmd" || $doit $chgrpcmd "$dst"; } &&
+    { test "$obsolete_mkdir_used$chowncmd$chgrpcmd" = false ||
+      test -z "$chmodcmd" || $doit $chmodcmd $mode "$dst"; } || exit 1
+  else
+
+    # Make a couple of temp file names in the proper directory.
+    dsttmp=$dstdir/_inst.$$_
+    rmtmp=$dstdir/_rm.$$_
+
+    # Trap to clean up those temp files at exit.
+    trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0
+
+    # Copy the file name to the temp name.
+    (umask $cp_umask && $doit_exec $cpprog "$src" "$dsttmp") &&
+
+    # and set any options; do chmod last to preserve setuid bits.
+    #
+    # If any of these fail, we abort the whole thing.  If we want to
+    # ignore errors from any of these, just make sure not to ignore
+    # errors from the above "$doit $cpprog $src $dsttmp" command.
+    #
+    { test -z "$chowncmd" || $doit $chowncmd "$dsttmp"; } &&
+    { test -z "$chgrpcmd" || $doit $chgrpcmd "$dsttmp"; } &&
+    { test -z "$stripcmd" || $doit $stripcmd "$dsttmp"; } &&
+    { test -z "$chmodcmd" || $doit $chmodcmd $mode "$dsttmp"; } &&
+
+    # If -C, don't bother to copy if it wouldn't change the file.
+    if $copy_on_change &&
+       old=`LC_ALL=C ls -dlL "$dst"     2>/dev/null` &&
+       new=`LC_ALL=C ls -dlL "$dsttmp"  2>/dev/null` &&
+       set -f &&
+       set X $old && old=:$2:$4:$5:$6 &&
+       set X $new && new=:$2:$4:$5:$6 &&
+       set +f &&
+       test "$old" = "$new" &&
+       $cmpprog "$dst" "$dsttmp" >/dev/null 2>&1
+    then
+      rm -f "$dsttmp"
+    else
+      # Rename the file to the real destination.
+      $doit $mvcmd -f "$dsttmp" "$dst" 2>/dev/null ||
+
+      # The rename failed, perhaps because mv can't rename something else
+      # to itself, or perhaps because mv is so ancient that it does not
+      # support -f.
+      {
+        # Now remove or move aside any old file at destination location.
+        # We try this two ways since rm can't unlink itself on some
+        # systems and the destination file might be busy for other
+        # reasons.  In this case, the final cleanup might fail but the new
+        # file should still install successfully.
+        {
+          test ! -f "$dst" ||
+          $doit $rmcmd -f "$dst" 2>/dev/null ||
+          { $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null &&
+            { $doit $rmcmd -f "$rmtmp" 2>/dev/null; :; }
+          } ||
+          { echo "$0: cannot unlink or rename $dst" >&2
+            (exit 1); exit 1
+          }
+        } &&
+
+        # Now rename the file to the real destination.
+        $doit $mvcmd "$dsttmp" "$dst"
+      }
+    fi || exit 1
+
+    trap '' 0
+  fi
+done
+
+# Local variables:
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "scriptversion="
+# time-stamp-format: "%:y-%02m-%02d.%02H"
+# time-stamp-time-zone: "UTC"
+# time-stamp-end: "; # UTC"
+# End:
diff --git a/lib/Kyuafile b/lib/Kyuafile
new file mode 100644
index 0000000..b5fd894
--- /dev/null
+++ b/lib/Kyuafile
@@ -0,0 +1,20 @@
+-- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+--
+-- SPDX-License-Identifier: MPL-2.0
+--
+-- This Source Code Form is subject to the terms of the Mozilla Public
+-- License, v. 2.0.  If a copy of the MPL was not distributed with this
+-- file, you can obtain one at https://mozilla.org/MPL/2.0/.
+--
+-- See the COPYRIGHT file distributed with this work for additional
+-- information regarding copyright ownership.
+
+syntax(2)
+test_suite('bind9')
+
+include('dns/Kyuafile')
+include('irs/Kyuafile')
+include('isc/Kyuafile')
+include('isccc/Kyuafile')
+include('isccfg/Kyuafile')
+include('ns/Kyuafile')
diff --git a/lib/Makefile.in b/lib/Makefile.in
new file mode 100644
index 0000000..4cabc8c
--- /dev/null
+++ b/lib/Makefile.in
@@ -0,0 +1,23 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+# Note: the order of SUBDIRS is important.
+# Attempt to disable parallel processing.
+.NOTPARALLEL:
+.NO_PARALLEL:
+SUBDIRS =	isc isccc dns ns isccfg bind9 irs
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/bind9/Makefile.in b/lib/bind9/Makefile.in
new file mode 100644
index 0000000..e304dea
--- /dev/null
+++ b/lib/bind9/Makefile.in
@@ -0,0 +1,79 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	-I. ${BIND9_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
+		${ISCCFG_INCLUDES} ${NS_INCLUDES} \
+		${FSTRM_CFLAGS} ${OPENSSL_CFLAGS}
+
+CDEFINES =
+CWARNINGS =
+
+ISCLIBS =	../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+ISCCFGLIBS =    ../../lib/isccfg/libisccfg.@A@
+DNSLIBS =	../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+NSLIBS =	../../lib/ns/libns.@A@
+
+ISCDEPLIBS =	../../lib/isc/libisc.@A@
+ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
+DNSDEPLIBS =    ../../lib/dns/libdns.@A@
+
+LIBS =		@LIBS@
+
+SUBDIRS =	include
+
+# Alphabetically
+OBJS =		check.@O@ getaddresses.@O@ version.@O@
+
+# Alphabetically
+SRCS =		check.c getaddresses.c version.c
+
+TARGETS = 	timestamp
+
+@BIND9_MAKE_RULES@
+
+version.@O@: version.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+		-DVERSION=\"${VERSION}\" \
+		-c ${srcdir}/version.c
+
+libbind9.@SA@: ${OBJS}
+	${AR} ${ARFLAGS} $@ ${OBJS}
+	${RANLIB} $@
+
+libbind9.la: ${OBJS} ${ISCCFGDEPLIBS} ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} \
+		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libbind9.la -rpath ${libdir} \
+		-release "${VERSION}" \
+		${OBJS} ${NSLIBS} ${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} \
+		@DNS_CRYPTO_LIBS@ ${LIBS}
+
+timestamp: libbind9.@A@
+	touch timestamp
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
+
+install:: timestamp installdirs
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libbind9.@A@ ${DESTDIR}${libdir}
+
+uninstall::
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libbind9.@A@
+
+clean distclean::
+	rm -f libbind9.@A@ timestamp
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
new file mode 100644
index 0000000..3a78a17
--- /dev/null
+++ b/lib/bind9/check.c
@@ -0,0 +1,5512 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <ctype.h>
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#ifdef HAVE_DNSTAP
+#include <fstrm.h>
+#endif
+
+#include <isc/aes.h>
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/file.h>
+#include <isc/hex.h>
+#include <isc/log.h>
+#include <isc/md.h>
+#include <isc/mem.h>
+#include <isc/netaddr.h>
+#include <isc/parseint.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/region.h>
+#include <isc/result.h>
+#include <isc/siphash.h>
+#include <isc/sockaddr.h>
+#include <isc/string.h>
+#include <isc/symtab.h>
+#include <isc/util.h>
+
+#include <pk11/site.h>
+
+#include <dns/acl.h>
+#include <dns/dnstap.h>
+#include <dns/fixedname.h>
+#include <dns/kasp.h>
+#include <dns/keyvalues.h>
+#include <dns/rbt.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatatype.h>
+#include <dns/rrl.h>
+#include <dns/secalg.h>
+#include <dns/ssu.h>
+
+#include <dst/dst.h>
+#include <dst/result.h>
+
+#include <isccfg/aclconf.h>
+#include <isccfg/cfg.h>
+#include <isccfg/grammar.h>
+#include <isccfg/kaspconf.h>
+#include <isccfg/namedconf.h>
+
+#include <ns/hooks.h>
+
+#include <bind9/check.h>
+
+static in_port_t dnsport = 53;
+
+static isc_result_t
+fileexist(const cfg_obj_t *obj, isc_symtab_t *symtab, bool writeable,
+	  isc_log_t *logctxlogc);
+
+static isc_result_t
+keydirexist(const cfg_obj_t *zcgf, const char *dir, const char *kaspnamestr,
+	    isc_symtab_t *symtab, isc_log_t *logctx, isc_mem_t *mctx);
+static void
+freekey(char *key, unsigned int type, isc_symvalue_t value, void *userarg) {
+	UNUSED(type);
+	UNUSED(value);
+	isc_mem_free(userarg, key);
+}
+
+static isc_result_t
+check_orderent(const cfg_obj_t *ent, isc_log_t *logctx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult;
+	isc_textregion_t r;
+	dns_fixedname_t fixed;
+	const cfg_obj_t *obj;
+	dns_rdataclass_t rdclass;
+	dns_rdatatype_t rdtype;
+	isc_buffer_t b;
+	const char *str;
+
+	dns_fixedname_init(&fixed);
+	obj = cfg_tuple_get(ent, "class");
+	if (cfg_obj_isstring(obj)) {
+		DE_CONST(cfg_obj_asstring(obj), r.base);
+		r.length = strlen(r.base);
+		tresult = dns_rdataclass_fromtext(&rdclass, &r);
+		if (tresult != ISC_R_SUCCESS) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "rrset-order: invalid class '%s'", r.base);
+			if (result == ISC_R_SUCCESS) {
+				result = ISC_R_FAILURE;
+			}
+		}
+	}
+
+	obj = cfg_tuple_get(ent, "type");
+	if (cfg_obj_isstring(obj)) {
+		DE_CONST(cfg_obj_asstring(obj), r.base);
+		r.length = strlen(r.base);
+		tresult = dns_rdatatype_fromtext(&rdtype, &r);
+		if (tresult != ISC_R_SUCCESS) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "rrset-order: invalid type '%s'", r.base);
+			if (result == ISC_R_SUCCESS) {
+				result = ISC_R_FAILURE;
+			}
+		}
+	}
+
+	obj = cfg_tuple_get(ent, "name");
+	if (cfg_obj_isstring(obj)) {
+		str = cfg_obj_asstring(obj);
+		isc_buffer_constinit(&b, str, strlen(str));
+		isc_buffer_add(&b, strlen(str));
+		tresult = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
+					    dns_rootname, 0, NULL);
+		if (tresult != ISC_R_SUCCESS) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "rrset-order: invalid name '%s'", str);
+			if (result == ISC_R_SUCCESS) {
+				result = ISC_R_FAILURE;
+			}
+		}
+	}
+
+	obj = cfg_tuple_get(ent, "order");
+	if (!cfg_obj_isstring(obj) ||
+	    strcasecmp("order", cfg_obj_asstring(obj)) != 0)
+	{
+		cfg_obj_log(ent, logctx, ISC_LOG_ERROR,
+			    "rrset-order: keyword 'order' missing");
+		if (result == ISC_R_SUCCESS) {
+			result = ISC_R_FAILURE;
+		}
+	}
+
+	obj = cfg_tuple_get(ent, "ordering");
+	if (!cfg_obj_isstring(obj)) {
+		cfg_obj_log(ent, logctx, ISC_LOG_ERROR,
+			    "rrset-order: missing ordering");
+		if (result == ISC_R_SUCCESS) {
+			result = ISC_R_FAILURE;
+		}
+	} else if (strcasecmp(cfg_obj_asstring(obj), "fixed") == 0) {
+#if !DNS_RDATASET_FIXED
+		cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+			    "rrset-order: order 'fixed' was disabled at "
+			    "compilation time");
+#endif /* if !DNS_RDATASET_FIXED */
+	} else if (strcasecmp(cfg_obj_asstring(obj), "random") != 0 &&
+		   strcasecmp(cfg_obj_asstring(obj), "cyclic") != 0 &&
+		   strcasecmp(cfg_obj_asstring(obj), "none") != 0)
+	{
+		cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+			    "rrset-order: invalid order '%s'",
+			    cfg_obj_asstring(obj));
+		if (result == ISC_R_SUCCESS) {
+			result = ISC_R_FAILURE;
+		}
+	}
+	return (result);
+}
+
+static isc_result_t
+check_order(const cfg_obj_t *options, isc_log_t *logctx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult;
+	const cfg_listelt_t *element;
+	const cfg_obj_t *obj = NULL;
+
+	if (cfg_map_get(options, "rrset-order", &obj) != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	for (element = cfg_list_first(obj); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		tresult = check_orderent(cfg_listelt_value(element), logctx);
+		if (result == ISC_R_SUCCESS && tresult != ISC_R_SUCCESS) {
+			result = tresult;
+		}
+	}
+	return (result);
+}
+
+static isc_result_t
+check_dual_stack(const cfg_obj_t *options, isc_log_t *logctx) {
+	const cfg_listelt_t *element;
+	const cfg_obj_t *alternates = NULL;
+	const cfg_obj_t *value;
+	const cfg_obj_t *obj;
+	const char *str;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	isc_buffer_t buffer;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult;
+
+	(void)cfg_map_get(options, "dual-stack-servers", &alternates);
+
+	if (alternates == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+
+	obj = cfg_tuple_get(alternates, "port");
+	if (cfg_obj_isuint32(obj)) {
+		uint32_t val = cfg_obj_asuint32(obj);
+		if (val > UINT16_MAX) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "port '%u' out of range", val);
+			if (result == ISC_R_SUCCESS) {
+				result = ISC_R_RANGE;
+			}
+		}
+	}
+	obj = cfg_tuple_get(alternates, "addresses");
+	for (element = cfg_list_first(obj); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		value = cfg_listelt_value(element);
+		if (cfg_obj_issockaddr(value)) {
+			continue;
+		}
+		obj = cfg_tuple_get(value, "name");
+		str = cfg_obj_asstring(obj);
+		isc_buffer_constinit(&buffer, str, strlen(str));
+		isc_buffer_add(&buffer, strlen(str));
+		name = dns_fixedname_initname(&fixed);
+		tresult = dns_name_fromtext(name, &buffer, dns_rootname, 0,
+					    NULL);
+		if (tresult != ISC_R_SUCCESS) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR, "bad name '%s'",
+				    str);
+			if (result == ISC_R_SUCCESS) {
+				result = tresult;
+			}
+		}
+		obj = cfg_tuple_get(value, "port");
+		if (cfg_obj_isuint32(obj)) {
+			uint32_t val = cfg_obj_asuint32(obj);
+			if (val > UINT16_MAX) {
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "port '%u' out of range", val);
+				if (result == ISC_R_SUCCESS) {
+					result = ISC_R_RANGE;
+				}
+			}
+		}
+	}
+	return (result);
+}
+
+static isc_result_t
+check_forward(const cfg_obj_t *options, const cfg_obj_t *global,
+	      isc_log_t *logctx) {
+	const cfg_obj_t *forward = NULL;
+	const cfg_obj_t *forwarders = NULL;
+
+	(void)cfg_map_get(options, "forward", &forward);
+	(void)cfg_map_get(options, "forwarders", &forwarders);
+
+	if (forwarders != NULL && global != NULL) {
+		const char *file = cfg_obj_file(global);
+		unsigned int line = cfg_obj_line(global);
+		cfg_obj_log(forwarders, logctx, ISC_LOG_ERROR,
+			    "forwarders declared in root zone and "
+			    "in general configuration: %s:%u",
+			    file, line);
+		return (ISC_R_FAILURE);
+	}
+	if (forward != NULL && forwarders == NULL) {
+		cfg_obj_log(forward, logctx, ISC_LOG_ERROR,
+			    "no matching 'forwarders' statement");
+		return (ISC_R_FAILURE);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+disabled_algorithms(const cfg_obj_t *disabled, isc_log_t *logctx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult;
+	const cfg_listelt_t *element;
+	const char *str;
+	isc_buffer_t b;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	const cfg_obj_t *obj;
+
+	name = dns_fixedname_initname(&fixed);
+	obj = cfg_tuple_get(disabled, "name");
+	str = cfg_obj_asstring(obj);
+	isc_buffer_constinit(&b, str, strlen(str));
+	isc_buffer_add(&b, strlen(str));
+	tresult = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
+	if (tresult != ISC_R_SUCCESS) {
+		cfg_obj_log(obj, logctx, ISC_LOG_ERROR, "bad domain name '%s'",
+			    str);
+		result = tresult;
+	}
+
+	obj = cfg_tuple_get(disabled, "algorithms");
+
+	for (element = cfg_list_first(obj); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		isc_textregion_t r;
+		dns_secalg_t alg;
+
+		DE_CONST(cfg_obj_asstring(cfg_listelt_value(element)), r.base);
+		r.length = strlen(r.base);
+
+		tresult = dns_secalg_fromtext(&alg, &r);
+		if (tresult != ISC_R_SUCCESS) {
+			cfg_obj_log(cfg_listelt_value(element), logctx,
+				    ISC_LOG_ERROR, "invalid algorithm '%s'",
+				    r.base);
+			result = tresult;
+		}
+	}
+	return (result);
+}
+
+static isc_result_t
+disabled_ds_digests(const cfg_obj_t *disabled, isc_log_t *logctx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult;
+	const cfg_listelt_t *element;
+	const char *str;
+	isc_buffer_t b;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	const cfg_obj_t *obj;
+
+	name = dns_fixedname_initname(&fixed);
+	obj = cfg_tuple_get(disabled, "name");
+	str = cfg_obj_asstring(obj);
+	isc_buffer_constinit(&b, str, strlen(str));
+	isc_buffer_add(&b, strlen(str));
+	tresult = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
+	if (tresult != ISC_R_SUCCESS) {
+		cfg_obj_log(obj, logctx, ISC_LOG_ERROR, "bad domain name '%s'",
+			    str);
+		result = tresult;
+	}
+
+	obj = cfg_tuple_get(disabled, "digests");
+
+	for (element = cfg_list_first(obj); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		isc_textregion_t r;
+		dns_dsdigest_t digest;
+
+		DE_CONST(cfg_obj_asstring(cfg_listelt_value(element)), r.base);
+		r.length = strlen(r.base);
+
+		/* works with a numeric argument too */
+		tresult = dns_dsdigest_fromtext(&digest, &r);
+		if (tresult != ISC_R_SUCCESS) {
+			cfg_obj_log(cfg_listelt_value(element), logctx,
+				    ISC_LOG_ERROR, "invalid digest type '%s'",
+				    r.base);
+			result = tresult;
+		}
+	}
+	return (result);
+}
+
+static isc_result_t
+nameexist(const cfg_obj_t *obj, const char *name, int value,
+	  isc_symtab_t *symtab, const char *fmt, isc_log_t *logctx,
+	  isc_mem_t *mctx) {
+	char *key;
+	const char *file;
+	unsigned int line;
+	isc_result_t result;
+	isc_symvalue_t symvalue;
+
+	key = isc_mem_strdup(mctx, name);
+	symvalue.as_cpointer = obj;
+	result = isc_symtab_define(symtab, key, value, symvalue,
+				   isc_symexists_reject);
+	if (result == ISC_R_EXISTS) {
+		RUNTIME_CHECK(isc_symtab_lookup(symtab, key, value,
+						&symvalue) == ISC_R_SUCCESS);
+		file = cfg_obj_file(symvalue.as_cpointer);
+		line = cfg_obj_line(symvalue.as_cpointer);
+
+		if (file == NULL) {
+			file = "<unknown file>";
+		}
+		cfg_obj_log(obj, logctx, ISC_LOG_ERROR, fmt, key, file, line);
+		isc_mem_free(mctx, key);
+		result = ISC_R_EXISTS;
+	} else if (result != ISC_R_SUCCESS) {
+		isc_mem_free(mctx, key);
+	}
+	return (result);
+}
+
+static isc_result_t
+mustbesecure(const cfg_obj_t *secure, isc_symtab_t *symtab, isc_log_t *logctx,
+	     isc_mem_t *mctx) {
+	const cfg_obj_t *obj;
+	char namebuf[DNS_NAME_FORMATSIZE];
+	const char *str;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	isc_buffer_t b;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	name = dns_fixedname_initname(&fixed);
+	obj = cfg_tuple_get(secure, "name");
+	str = cfg_obj_asstring(obj);
+	isc_buffer_constinit(&b, str, strlen(str));
+	isc_buffer_add(&b, strlen(str));
+	result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		cfg_obj_log(obj, logctx, ISC_LOG_ERROR, "bad domain name '%s'",
+			    str);
+	} else {
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		result = nameexist(secure, namebuf, 1, symtab,
+				   "dnssec-must-be-secure '%s': already "
+				   "exists previous definition: %s:%u",
+				   logctx, mctx);
+	}
+	return (result);
+}
+
+static isc_result_t
+checkacl(const char *aclname, cfg_aclconfctx_t *actx, const cfg_obj_t *zconfig,
+	 const cfg_obj_t *voptions, const cfg_obj_t *config, isc_log_t *logctx,
+	 isc_mem_t *mctx) {
+	isc_result_t result;
+	const cfg_obj_t *aclobj = NULL;
+	const cfg_obj_t *options;
+	dns_acl_t *acl = NULL;
+
+	if (zconfig != NULL) {
+		options = cfg_tuple_get(zconfig, "options");
+		cfg_map_get(options, aclname, &aclobj);
+	}
+	if (voptions != NULL && aclobj == NULL) {
+		cfg_map_get(voptions, aclname, &aclobj);
+	}
+	if (config != NULL && aclobj == NULL) {
+		options = NULL;
+		cfg_map_get(config, "options", &options);
+		if (options != NULL) {
+			cfg_map_get(options, aclname, &aclobj);
+		}
+	}
+	if (aclobj == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+	result = cfg_acl_fromconfig(aclobj, config, logctx, actx, mctx, 0,
+				    &acl);
+	if (acl != NULL) {
+		dns_acl_detach(&acl);
+	}
+	return (result);
+}
+
+static isc_result_t
+check_viewacls(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
+	       const cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx) {
+	isc_result_t result = ISC_R_SUCCESS, tresult;
+	int i = 0;
+
+	static const char *acls[] = {
+		"allow-query",	     "allow-query-on",
+		"allow-query-cache", "allow-query-cache-on",
+		"blackhole",	     "keep-response-order",
+		"match-clients",     "match-destinations",
+		"sortlist",	     NULL
+	};
+
+	while (acls[i] != NULL) {
+		tresult = checkacl(acls[i++], actx, NULL, voptions, config,
+				   logctx, mctx);
+		if (tresult != ISC_R_SUCCESS) {
+			result = tresult;
+		}
+	}
+	return (result);
+}
+
+static void
+dns64_error(const cfg_obj_t *obj, isc_log_t *logctx, isc_netaddr_t *netaddr,
+	    unsigned int prefixlen, const char *message) {
+	char buf[ISC_NETADDR_FORMATSIZE + 1];
+	isc_netaddr_format(netaddr, buf, sizeof(buf));
+	cfg_obj_log(obj, logctx, ISC_LOG_ERROR, "dns64 prefix %s/%u %s", buf,
+		    prefixlen, message);
+}
+
+static isc_result_t
+check_dns64(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
+	    const cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	const cfg_obj_t *dns64 = NULL;
+	const cfg_obj_t *options;
+	const cfg_listelt_t *element;
+	const cfg_obj_t *map, *obj;
+	isc_netaddr_t na, sa;
+	unsigned int prefixlen;
+	int nbytes;
+	int i;
+
+	static const char *acls[] = { "clients", "exclude", "mapped", NULL };
+
+	if (voptions != NULL) {
+		cfg_map_get(voptions, "dns64", &dns64);
+	}
+	if (config != NULL && dns64 == NULL) {
+		options = NULL;
+		cfg_map_get(config, "options", &options);
+		if (options != NULL) {
+			cfg_map_get(options, "dns64", &dns64);
+		}
+	}
+	if (dns64 == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+
+	for (element = cfg_list_first(dns64); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		map = cfg_listelt_value(element);
+		obj = cfg_map_getname(map);
+
+		cfg_obj_asnetprefix(obj, &na, &prefixlen);
+		if (na.family != AF_INET6) {
+			dns64_error(map, logctx, &na, prefixlen,
+				    "must be IPv6");
+			result = ISC_R_FAILURE;
+			continue;
+		}
+
+		if (na.type.in6.s6_addr[8] != 0) {
+			dns64_error(map, logctx, &na, prefixlen,
+				    "bits [64..71] must be zero");
+			result = ISC_R_FAILURE;
+			continue;
+		}
+
+		if (prefixlen != 32 && prefixlen != 40 && prefixlen != 48 &&
+		    prefixlen != 56 && prefixlen != 64 && prefixlen != 96)
+		{
+			dns64_error(map, logctx, &na, prefixlen,
+				    "length is not 32/40/48/56/64/96");
+			result = ISC_R_FAILURE;
+			continue;
+		}
+
+		for (i = 0; acls[i] != NULL; i++) {
+			obj = NULL;
+			(void)cfg_map_get(map, acls[i], &obj);
+			if (obj != NULL) {
+				dns_acl_t *acl = NULL;
+				isc_result_t tresult;
+
+				tresult = cfg_acl_fromconfig(obj, config,
+							     logctx, actx, mctx,
+							     0, &acl);
+				if (acl != NULL) {
+					dns_acl_detach(&acl);
+				}
+				if (tresult != ISC_R_SUCCESS) {
+					result = tresult;
+				}
+			}
+		}
+
+		obj = NULL;
+		(void)cfg_map_get(map, "suffix", &obj);
+		if (obj != NULL) {
+			static const unsigned char zeros[16];
+			isc_netaddr_fromsockaddr(&sa, cfg_obj_assockaddr(obj));
+			if (sa.family != AF_INET6) {
+				cfg_obj_log(map, logctx, ISC_LOG_ERROR,
+					    "dns64 requires a IPv6 suffix");
+				result = ISC_R_FAILURE;
+				continue;
+			}
+			nbytes = prefixlen / 8 + 4;
+			if (prefixlen <= 64) {
+				nbytes++;
+			}
+			if (memcmp(sa.type.in6.s6_addr, zeros, nbytes) != 0) {
+				char netaddrbuf[ISC_NETADDR_FORMATSIZE];
+				isc_netaddr_format(&sa, netaddrbuf,
+						   sizeof(netaddrbuf));
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "bad suffix '%s' leading "
+					    "%u octets not zeros",
+					    netaddrbuf, nbytes);
+				result = ISC_R_FAILURE;
+			}
+		}
+	}
+
+	return (result);
+}
+
+#define CHECK_RRL(cond, pat, val1, val2)                                   \
+	do {                                                               \
+		if (!(cond)) {                                             \
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR, pat, val1, \
+				    val2);                                 \
+			if (result == ISC_R_SUCCESS)                       \
+				result = ISC_R_RANGE;                      \
+		}                                                          \
+	} while (0)
+
+#define CHECK_RRL_RATE(rate, def, max_rate, name)                          \
+	do {                                                               \
+		obj = NULL;                                                \
+		mresult = cfg_map_get(map, name, &obj);                    \
+		if (mresult == ISC_R_SUCCESS) {                            \
+			rate = cfg_obj_asuint32(obj);                      \
+			CHECK_RRL(rate <= max_rate, name " %d > %d", rate, \
+				  max_rate);                               \
+		}                                                          \
+	} while (0)
+
+static isc_result_t
+check_ratelimit(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
+		const cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t mresult;
+	const cfg_obj_t *map = NULL;
+	const cfg_obj_t *options;
+	const cfg_obj_t *obj;
+	int min_entries, i;
+	int all_per_second;
+	int errors_per_second;
+	int nodata_per_second;
+	int nxdomains_per_second;
+	int referrals_per_second;
+	int responses_per_second;
+	int slip;
+
+	if (voptions != NULL) {
+		cfg_map_get(voptions, "rate-limit", &map);
+	}
+	if (config != NULL && map == NULL) {
+		options = NULL;
+		cfg_map_get(config, "options", &options);
+		if (options != NULL) {
+			cfg_map_get(options, "rate-limit", &map);
+		}
+	}
+	if (map == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+
+	min_entries = 500;
+	obj = NULL;
+	mresult = cfg_map_get(map, "min-table-size", &obj);
+	if (mresult == ISC_R_SUCCESS) {
+		min_entries = cfg_obj_asuint32(obj);
+		if (min_entries < 1) {
+			min_entries = 1;
+		}
+	}
+
+	obj = NULL;
+	mresult = cfg_map_get(map, "max-table-size", &obj);
+	if (mresult == ISC_R_SUCCESS) {
+		i = cfg_obj_asuint32(obj);
+		CHECK_RRL(i >= min_entries,
+			  "max-table-size %d < min-table-size %d", i,
+			  min_entries);
+	}
+
+	CHECK_RRL_RATE(responses_per_second, 0, DNS_RRL_MAX_RATE,
+		       "responses-per-second");
+
+	CHECK_RRL_RATE(referrals_per_second, responses_per_second,
+		       DNS_RRL_MAX_RATE, "referrals-per-second");
+	CHECK_RRL_RATE(nodata_per_second, responses_per_second,
+		       DNS_RRL_MAX_RATE, "nodata-per-second");
+	CHECK_RRL_RATE(nxdomains_per_second, responses_per_second,
+		       DNS_RRL_MAX_RATE, "nxdomains-per-second");
+	CHECK_RRL_RATE(errors_per_second, responses_per_second,
+		       DNS_RRL_MAX_RATE, "errors-per-second");
+
+	CHECK_RRL_RATE(all_per_second, 0, DNS_RRL_MAX_RATE, "all-per-second");
+
+	CHECK_RRL_RATE(slip, 2, DNS_RRL_MAX_SLIP, "slip");
+
+	obj = NULL;
+	mresult = cfg_map_get(map, "window", &obj);
+	if (mresult == ISC_R_SUCCESS) {
+		i = cfg_obj_asuint32(obj);
+		CHECK_RRL(i >= 1 && i <= DNS_RRL_MAX_WINDOW,
+			  "window %d < 1 or > %d", i, DNS_RRL_MAX_WINDOW);
+	}
+
+	obj = NULL;
+	mresult = cfg_map_get(map, "qps-scale", &obj);
+	if (mresult == ISC_R_SUCCESS) {
+		i = cfg_obj_asuint32(obj);
+		CHECK_RRL(i >= 1, "invalid 'qps-scale %d'%s", i, "");
+	}
+
+	obj = NULL;
+	mresult = cfg_map_get(map, "ipv4-prefix-length", &obj);
+	if (mresult == ISC_R_SUCCESS) {
+		i = cfg_obj_asuint32(obj);
+		CHECK_RRL(i >= 8 && i <= 32,
+			  "invalid 'ipv4-prefix-length %d'%s", i, "");
+	}
+
+	obj = NULL;
+	mresult = cfg_map_get(map, "ipv6-prefix-length", &obj);
+	if (mresult == ISC_R_SUCCESS) {
+		i = cfg_obj_asuint32(obj);
+		CHECK_RRL(i >= 16 && i <= DNS_RRL_MAX_PREFIX,
+			  "ipv6-prefix-length %d < 16 or > %d", i,
+			  DNS_RRL_MAX_PREFIX);
+	}
+
+	obj = NULL;
+	(void)cfg_map_get(map, "exempt-clients", &obj);
+	if (obj != NULL) {
+		dns_acl_t *acl = NULL;
+		isc_result_t tresult;
+
+		tresult = cfg_acl_fromconfig(obj, config, logctx, actx, mctx, 0,
+					     &acl);
+		if (acl != NULL) {
+			dns_acl_detach(&acl);
+		}
+		if (result == ISC_R_SUCCESS) {
+			result = tresult;
+		}
+	}
+
+	return (result);
+}
+
+/*
+ * Check allow-recursion and allow-recursion-on acls, and also log a
+ * warning if they're inconsistent with the "recursion" option.
+ */
+static isc_result_t
+check_recursionacls(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
+		    const char *viewname, const cfg_obj_t *config,
+		    isc_log_t *logctx, isc_mem_t *mctx) {
+	const cfg_obj_t *options, *aclobj, *obj = NULL;
+	dns_acl_t *acl = NULL;
+	isc_result_t result = ISC_R_SUCCESS, tresult;
+	bool recursion;
+	const char *forview = " for view ";
+	int i = 0;
+
+	static const char *acls[] = { "allow-recursion", "allow-recursion-on",
+				      NULL };
+
+	if (voptions != NULL) {
+		cfg_map_get(voptions, "recursion", &obj);
+	}
+	if (obj == NULL && config != NULL) {
+		options = NULL;
+		cfg_map_get(config, "options", &options);
+		if (options != NULL) {
+			cfg_map_get(options, "recursion", &obj);
+		}
+	}
+	if (obj == NULL) {
+		recursion = true;
+	} else {
+		recursion = cfg_obj_asboolean(obj);
+	}
+
+	if (viewname == NULL) {
+		viewname = "";
+		forview = "";
+	}
+
+	for (i = 0; acls[i] != NULL; i++) {
+		aclobj = options = NULL;
+		acl = NULL;
+
+		if (voptions != NULL) {
+			cfg_map_get(voptions, acls[i], &aclobj);
+		}
+		if (config != NULL && aclobj == NULL) {
+			options = NULL;
+			cfg_map_get(config, "options", &options);
+			if (options != NULL) {
+				cfg_map_get(options, acls[i], &aclobj);
+			}
+		}
+		if (aclobj == NULL) {
+			continue;
+		}
+
+		tresult = cfg_acl_fromconfig(aclobj, config, logctx, actx, mctx,
+					     0, &acl);
+
+		if (tresult != ISC_R_SUCCESS) {
+			result = tresult;
+		}
+
+		if (acl == NULL) {
+			continue;
+		}
+
+		if (!recursion && !dns_acl_isnone(acl)) {
+			cfg_obj_log(aclobj, logctx, ISC_LOG_WARNING,
+				    "both \"recursion no;\" and "
+				    "\"%s\" active%s%s",
+				    acls[i], forview, viewname);
+		}
+
+		if (acl != NULL) {
+			dns_acl_detach(&acl);
+		}
+	}
+
+	return (result);
+}
+
+typedef struct {
+	const char *name;
+	unsigned int scale;
+	unsigned int max;
+} intervaltable;
+
+#ifdef HAVE_DNSTAP
+typedef struct {
+	const char *name;
+	unsigned int min;
+	unsigned int max;
+} fstrmtable;
+#endif /* ifdef HAVE_DNSTAP */
+
+typedef enum {
+	optlevel_config,
+	optlevel_options,
+	optlevel_view,
+	optlevel_zone
+} optlevel_t;
+
+static isc_result_t
+check_dscp(const cfg_obj_t *options, isc_log_t *logctx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	const cfg_obj_t *obj = NULL;
+
+	/*
+	 * Check that DSCP setting is within range
+	 */
+	obj = NULL;
+	(void)cfg_map_get(options, "dscp", &obj);
+	if (obj != NULL) {
+		uint32_t dscp = cfg_obj_asuint32(obj);
+		if (dscp >= 64) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "'dscp' out of range (0-63)");
+			result = ISC_R_FAILURE;
+		}
+	}
+
+	return (result);
+}
+
+static isc_result_t
+check_name(const char *str) {
+	dns_fixedname_t fixed;
+
+	dns_fixedname_init(&fixed);
+	return (dns_name_fromstring(dns_fixedname_name(&fixed), str, 0, NULL));
+}
+
+static bool
+kasp_name_allowed(const cfg_listelt_t *element) {
+	const char *name = cfg_obj_asstring(
+		cfg_tuple_get(cfg_listelt_value(element), "name"));
+
+	if (strcmp("none", name) == 0) {
+		return (false);
+	}
+	if (strcmp("default", name) == 0) {
+		return (false);
+	}
+	if (strcmp("insecure", name) == 0) {
+		return (false);
+	}
+	return (true);
+}
+
+static isc_result_t
+check_port(const cfg_obj_t *options, isc_log_t *logctx, const char *type,
+	   in_port_t *portp) {
+	const cfg_obj_t *portobj = NULL;
+	isc_result_t result;
+
+	result = cfg_map_get(options, type, &portobj);
+	if (result != ISC_R_SUCCESS) {
+		return (ISC_R_SUCCESS);
+	}
+
+	if (cfg_obj_asuint32(portobj) >= UINT16_MAX) {
+		cfg_obj_log(portobj, logctx, ISC_LOG_ERROR,
+			    "port '%u' out of range",
+			    cfg_obj_asuint32(portobj));
+		return (ISC_R_RANGE);
+	}
+
+	if (portp != NULL) {
+		*portp = (in_port_t)cfg_obj_asuint32(portobj);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
+	      optlevel_t optlevel) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult;
+	unsigned int i;
+	const cfg_obj_t *obj = NULL;
+	const cfg_obj_t *resignobj = NULL;
+	const cfg_listelt_t *element;
+	isc_symtab_t *symtab = NULL;
+	const char *str;
+	isc_buffer_t b;
+	uint32_t lifetime = 3600;
+	bool has_dnssecpolicy = false;
+	const char *ccalg = "siphash24";
+	static const char *sources[] = {
+		"query-source",
+		"query-source-v6",
+	};
+
+	/*
+	 * { "name", scale, value }
+	 * (scale * value) <= UINT32_MAX
+	 */
+	static intervaltable intervals[] = {
+		{ "heartbeat-interval", 60, 28 * 24 * 60 },    /* 28 days */
+		{ "interface-interval", 60, 28 * 24 * 60 },    /* 28 days */
+		{ "max-transfer-idle-in", 60, 28 * 24 * 60 },  /* 28 days */
+		{ "max-transfer-idle-out", 60, 28 * 24 * 60 }, /* 28 days */
+		{ "max-transfer-time-in", 60, 28 * 24 * 60 },  /* 28 days */
+		{ "max-transfer-time-out", 60, 28 * 24 * 60 }, /* 28 days */
+
+		/* minimum and maximum cache and negative cache TTLs */
+		{ "min-cache-ttl", 1, MAX_MIN_CACHE_TTL },   /* 90 secs */
+		{ "max-cache-ttl", 1, UINT32_MAX },	     /* no limit */
+		{ "min-ncache-ttl", 1, MAX_MIN_NCACHE_TTL }, /* 90 secs */
+		{ "max-ncache-ttl", 1, MAX_MAX_NCACHE_TTL }, /*  7 days */
+	};
+
+	static const char *server_contact[] = { "empty-server", "empty-contact",
+						"dns64-server", "dns64-contact",
+						NULL };
+
+#ifdef HAVE_DNSTAP
+	static fstrmtable fstrm[] = {
+		{ "fstrm-set-buffer-hint", FSTRM_IOTHR_BUFFER_HINT_MIN,
+		  FSTRM_IOTHR_BUFFER_HINT_MAX },
+		{ "fstrm-set-flush-timeout", FSTRM_IOTHR_FLUSH_TIMEOUT_MIN,
+		  FSTRM_IOTHR_FLUSH_TIMEOUT_MAX },
+		{ "fstrm-set-input-queue-size",
+		  FSTRM_IOTHR_INPUT_QUEUE_SIZE_MIN,
+		  FSTRM_IOTHR_INPUT_QUEUE_SIZE_MAX },
+		{ "fstrm-set-output-notify-threshold",
+		  FSTRM_IOTHR_QUEUE_NOTIFY_THRESHOLD_MIN, 0 },
+		{ "fstrm-set-output-queue-size",
+		  FSTRM_IOTHR_OUTPUT_QUEUE_SIZE_MIN,
+		  FSTRM_IOTHR_OUTPUT_QUEUE_SIZE_MAX },
+		{ "fstrm-set-reopen-interval", FSTRM_IOTHR_REOPEN_INTERVAL_MIN,
+		  FSTRM_IOTHR_REOPEN_INTERVAL_MAX }
+	};
+#endif /* ifdef HAVE_DNSTAP */
+
+	if (optlevel == optlevel_options) {
+		/*
+		 * Check port values, and record "port" for later use.
+		 */
+		tresult = check_port(options, logctx, "port", &dnsport);
+		if (tresult != ISC_R_SUCCESS) {
+			result = tresult;
+		}
+		tresult = check_port(options, logctx, "tls-port", NULL);
+		if (tresult != ISC_R_SUCCESS) {
+			result = tresult;
+		}
+		tresult = check_port(options, logctx, "http-port", NULL);
+		if (tresult != ISC_R_SUCCESS) {
+			result = tresult;
+		}
+		tresult = check_port(options, logctx, "https-port", NULL);
+		if (tresult != ISC_R_SUCCESS) {
+			result = tresult;
+		}
+	}
+
+	if (optlevel == optlevel_options || optlevel == optlevel_view) {
+		/*
+		 * Warn if query-source or query-source-v6 options specify
+		 * a port, and fail if they specify the DNS port.
+		 */
+		for (i = 0; i < ARRAY_SIZE(sources); i++) {
+			obj = NULL;
+			(void)cfg_map_get(options, sources[i], &obj);
+			if (obj != NULL) {
+				const isc_sockaddr_t *sa =
+					cfg_obj_assockaddr(obj);
+				in_port_t port = isc_sockaddr_getport(sa);
+				if (port == dnsport) {
+					cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+						    "'%s' cannot specify the "
+						    "DNS listener port (%d)",
+						    sources[i], port);
+					result = ISC_R_FAILURE;
+				} else if (port != 0) {
+					cfg_obj_log(obj, logctx,
+						    ISC_LOG_WARNING,
+						    "'%s': specifying a port "
+						    "is not recommended",
+						    sources[i]);
+				}
+			}
+		}
+	}
+
+	/*
+	 * Check that fields specified in units of time other than seconds
+	 * have reasonable values.
+	 */
+	for (i = 0; i < sizeof(intervals) / sizeof(intervals[0]); i++) {
+		uint32_t val;
+		obj = NULL;
+		(void)cfg_map_get(options, intervals[i].name, &obj);
+		if (obj == NULL) {
+			continue;
+		}
+		if (cfg_obj_isduration(obj)) {
+			val = cfg_obj_asduration(obj);
+		} else {
+			val = cfg_obj_asuint32(obj);
+		}
+		if (val > intervals[i].max) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "%s '%u' is out of range (0..%u)",
+				    intervals[i].name, val, intervals[i].max);
+			result = ISC_R_RANGE;
+		} else if (val > (UINT32_MAX / intervals[i].scale)) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "%s '%d' is out of range",
+				    intervals[i].name, val);
+			result = ISC_R_RANGE;
+		}
+	}
+
+	/*
+	 * Check dnssec-policy.
+	 */
+	obj = NULL;
+	(void)cfg_map_get(options, "dnssec-policy", &obj);
+	if (obj != NULL) {
+		bool bad_kasp = false;
+		bool bad_name = false;
+
+		if (optlevel != optlevel_config && !cfg_obj_isstring(obj)) {
+			bad_kasp = true;
+		} else if (optlevel == optlevel_config) {
+			dns_kasplist_t list;
+			dns_kasp_t *kasp = NULL, *kasp_next = NULL;
+
+			ISC_LIST_INIT(list);
+
+			if (cfg_obj_islist(obj)) {
+				for (element = cfg_list_first(obj);
+				     element != NULL;
+				     element = cfg_list_next(element))
+				{
+					isc_result_t ret;
+					cfg_obj_t *kconfig =
+						cfg_listelt_value(element);
+
+					if (!cfg_obj_istuple(kconfig)) {
+						bad_kasp = true;
+						continue;
+					}
+					if (!kasp_name_allowed(element)) {
+						bad_name = true;
+						continue;
+					}
+
+					ret = cfg_kasp_fromconfig(kconfig, NULL,
+								  mctx, logctx,
+								  &list, &kasp);
+					if (ret != ISC_R_SUCCESS) {
+						if (result == ISC_R_SUCCESS) {
+							result = ret;
+						}
+					}
+
+					if (kasp != NULL) {
+						dns_kasp_detach(&kasp);
+					}
+				}
+			}
+
+			for (kasp = ISC_LIST_HEAD(list); kasp != NULL;
+			     kasp = kasp_next)
+			{
+				kasp_next = ISC_LIST_NEXT(kasp, link);
+				ISC_LIST_UNLINK(list, kasp, link);
+				dns_kasp_detach(&kasp);
+			}
+		}
+
+		if (bad_kasp) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "dnssec-policy may only be configured at "
+				    "the top level, please use name reference "
+				    "at the zone level");
+			if (result == ISC_R_SUCCESS) {
+				result = ISC_R_FAILURE;
+			}
+		} else if (bad_name) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "dnssec-policy name may not be 'insecure', "
+				    "'none', or 'default' (which are built-in "
+				    "policies)");
+			if (result == ISC_R_SUCCESS) {
+				result = ISC_R_FAILURE;
+			}
+		} else {
+			has_dnssecpolicy = true;
+		}
+	}
+
+	obj = NULL;
+	cfg_map_get(options, "max-rsa-exponent-size", &obj);
+	if (obj != NULL) {
+		uint32_t val;
+
+		val = cfg_obj_asuint32(obj);
+		if (val != 0 && (val < 35 || val > 4096)) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "max-rsa-exponent-size '%u' is out of "
+				    "range (35..4096)",
+				    val);
+			result = ISC_R_RANGE;
+		}
+	}
+
+	obj = NULL;
+	cfg_map_get(options, "sig-validity-interval", &obj);
+	if (obj != NULL) {
+		uint32_t validity, resign = 0;
+
+		validity = cfg_obj_asuint32(cfg_tuple_get(obj, "validity"));
+		resignobj = cfg_tuple_get(obj, "re-sign");
+		if (!cfg_obj_isvoid(resignobj)) {
+			resign = cfg_obj_asuint32(resignobj);
+		}
+
+		if (validity > 3660 || validity == 0) { /* 10 years */
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "%s '%u' is out of range (1..3660)",
+				    "sig-validity-interval", validity);
+			result = ISC_R_RANGE;
+		}
+
+		if (!cfg_obj_isvoid(resignobj)) {
+			if (resign > 3660 || resign == 0) { /* 10 years */
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "%s '%u' is out of range (1..3660)",
+					    "sig-validity-interval (re-sign)",
+					    validity);
+				result = ISC_R_RANGE;
+			} else if ((validity > 7 && validity < resign) ||
+				   (validity <= 7 && validity * 24 < resign))
+			{
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "validity interval (%u days) "
+					    "less than re-signing interval "
+					    "(%u %s)",
+					    validity, resign,
+					    (validity > 7) ? "days" : "hours");
+				result = ISC_R_RANGE;
+			}
+		}
+
+		if (has_dnssecpolicy) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "sig-validity-interval: cannot be "
+				    "configured if dnssec-policy is also set");
+			result = ISC_R_FAILURE;
+		}
+	}
+
+	obj = NULL;
+	cfg_map_get(options, "dnskey-sig-validity", &obj);
+	if (obj != NULL) {
+		uint32_t keyvalidity;
+
+		keyvalidity = cfg_obj_asuint32(obj);
+		if (keyvalidity > 3660) { /* 10 years */
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "%s '%u' is out of range (0..3660)",
+				    "dnskey-sig-validity", keyvalidity);
+			result = ISC_R_RANGE;
+		}
+
+		if (has_dnssecpolicy) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "dnskey-sig-validity: cannot be "
+				    "configured if dnssec-policy is also set");
+			result = ISC_R_FAILURE;
+		}
+	}
+
+	obj = NULL;
+	(void)cfg_map_get(options, "preferred-glue", &obj);
+	if (obj != NULL) {
+		str = cfg_obj_asstring(obj);
+		if (strcasecmp(str, "a") != 0 && strcasecmp(str, "aaaa") != 0 &&
+		    strcasecmp(str, "none") != 0)
+		{
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "preferred-glue unexpected value '%s'",
+				    str);
+		}
+	}
+
+	obj = NULL;
+	(void)cfg_map_get(options, "root-delegation-only", &obj);
+	if (obj != NULL) {
+		if (!cfg_obj_isvoid(obj)) {
+			for (element = cfg_list_first(obj); element != NULL;
+			     element = cfg_list_next(element))
+			{
+				const cfg_obj_t *exclude;
+
+				exclude = cfg_listelt_value(element);
+				str = cfg_obj_asstring(exclude);
+				tresult = check_name(str);
+				if (tresult != ISC_R_SUCCESS) {
+					cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+						    "bad domain name '%s'",
+						    str);
+					result = tresult;
+				}
+			}
+		}
+	}
+
+	/*
+	 * Set supported DNSSEC algorithms.
+	 */
+	obj = NULL;
+	(void)cfg_map_get(options, "disable-algorithms", &obj);
+	if (obj != NULL) {
+		for (element = cfg_list_first(obj); element != NULL;
+		     element = cfg_list_next(element))
+		{
+			obj = cfg_listelt_value(element);
+			tresult = disabled_algorithms(obj, logctx);
+			if (tresult != ISC_R_SUCCESS) {
+				result = tresult;
+			}
+		}
+	}
+
+	/*
+	 * Set supported DS digest types.
+	 */
+	obj = NULL;
+	(void)cfg_map_get(options, "disable-ds-digests", &obj);
+	if (obj != NULL) {
+		for (element = cfg_list_first(obj); element != NULL;
+		     element = cfg_list_next(element))
+		{
+			obj = cfg_listelt_value(element);
+			tresult = disabled_ds_digests(obj, logctx);
+			if (tresult != ISC_R_SUCCESS) {
+				result = tresult;
+			}
+		}
+	}
+
+	/*
+	 * Check auto-dnssec at the view/options level
+	 */
+	obj = NULL;
+	(void)cfg_map_get(options, "auto-dnssec", &obj);
+	if (obj != NULL) {
+		const char *arg = cfg_obj_asstring(obj);
+		if (optlevel != optlevel_zone && strcasecmp(arg, "off") != 0) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "auto-dnssec may only be activated at the "
+				    "zone level");
+			if (result == ISC_R_SUCCESS) {
+				result = ISC_R_FAILURE;
+			}
+		}
+	}
+
+	/*
+	 * Check dnssec-must-be-secure.
+	 */
+	obj = NULL;
+	(void)cfg_map_get(options, "dnssec-must-be-secure", &obj);
+	if (obj != NULL) {
+		tresult = isc_symtab_create(mctx, 100, freekey, mctx, false,
+					    &symtab);
+		if (tresult != ISC_R_SUCCESS) {
+			result = tresult;
+		}
+		for (element = cfg_list_first(obj); element != NULL;
+		     element = cfg_list_next(element))
+		{
+			obj = cfg_listelt_value(element);
+			tresult = mustbesecure(obj, symtab, logctx, mctx);
+			if (result == ISC_R_SUCCESS && tresult != ISC_R_SUCCESS)
+			{
+				result = tresult;
+			}
+		}
+		if (symtab != NULL) {
+			isc_symtab_destroy(&symtab);
+		}
+	}
+
+	/*
+	 * Check server/contacts for syntactic validity.
+	 */
+	for (i = 0; server_contact[i] != NULL; i++) {
+		obj = NULL;
+		(void)cfg_map_get(options, server_contact[i], &obj);
+		if (obj != NULL) {
+			str = cfg_obj_asstring(obj);
+			if (check_name(str) != ISC_R_SUCCESS) {
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "%s: invalid name '%s'",
+					    server_contact[i], str);
+				if (result == ISC_R_SUCCESS) {
+					result = ISC_R_FAILURE;
+				}
+			}
+		}
+	}
+
+	/*
+	 * Check empty zone configuration.
+	 */
+	obj = NULL;
+	(void)cfg_map_get(options, "disable-empty-zone", &obj);
+	for (element = cfg_list_first(obj); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		obj = cfg_listelt_value(element);
+		str = cfg_obj_asstring(obj);
+		if (check_name(str) != ISC_R_SUCCESS) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "disable-empty-zone: invalid name '%s'",
+				    str);
+			if (result == ISC_R_SUCCESS) {
+				result = ISC_R_FAILURE;
+			}
+		}
+	}
+
+	/*
+	 * Check that server-id is not too long.
+	 * 1024 bytes should be big enough.
+	 */
+	obj = NULL;
+	(void)cfg_map_get(options, "server-id", &obj);
+	if (obj != NULL && cfg_obj_isstring(obj) &&
+	    strlen(cfg_obj_asstring(obj)) > 1024U)
+	{
+		cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+			    "'server-id' too big (>1024 bytes)");
+		if (result == ISC_R_SUCCESS) {
+			result = ISC_R_FAILURE;
+		}
+	}
+
+	tresult = check_dscp(options, logctx);
+	if (result == ISC_R_SUCCESS && tresult != ISC_R_SUCCESS) {
+		result = tresult;
+	}
+
+	obj = NULL;
+	(void)cfg_map_get(options, "nta-lifetime", &obj);
+	if (obj != NULL) {
+		lifetime = cfg_obj_asduration(obj);
+		if (lifetime > 604800) { /* 7 days */
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "'nta-lifetime' cannot exceed one week");
+			if (result == ISC_R_SUCCESS) {
+				result = ISC_R_RANGE;
+			}
+		} else if (lifetime == 0) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "'nta-lifetime' may not be zero");
+			if (result == ISC_R_SUCCESS) {
+				result = ISC_R_RANGE;
+			}
+		}
+	}
+
+	obj = NULL;
+	(void)cfg_map_get(options, "nta-recheck", &obj);
+	if (obj != NULL) {
+		uint32_t recheck = cfg_obj_asduration(obj);
+		if (recheck > 604800) { /* 7 days */
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "'nta-recheck' cannot exceed one week");
+			if (result == ISC_R_SUCCESS) {
+				result = ISC_R_RANGE;
+			}
+		}
+
+		if (recheck > lifetime) {
+			cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+				    "'nta-recheck' (%d seconds) is "
+				    "greater than 'nta-lifetime' "
+				    "(%d seconds)",
+				    recheck, lifetime);
+		}
+	}
+
+	obj = NULL;
+	(void)cfg_map_get(options, "cookie-algorithm", &obj);
+	if (obj != NULL) {
+		ccalg = cfg_obj_asstring(obj);
+	}
+
+	obj = NULL;
+	(void)cfg_map_get(options, "cookie-secret", &obj);
+	if (obj != NULL) {
+		unsigned char secret[32];
+
+		for (element = cfg_list_first(obj); element != NULL;
+		     element = cfg_list_next(element))
+		{
+			unsigned int usedlength;
+
+			obj = cfg_listelt_value(element);
+			str = cfg_obj_asstring(obj);
+
+			memset(secret, 0, sizeof(secret));
+			isc_buffer_init(&b, secret, sizeof(secret));
+			tresult = isc_hex_decodestring(str, &b);
+			if (tresult == ISC_R_NOSPACE) {
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "cookie-secret: too long");
+			} else if (tresult != ISC_R_SUCCESS) {
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "cookie-secret: invalid hex "
+					    "string");
+			}
+			if (tresult != ISC_R_SUCCESS) {
+				if (result == ISC_R_SUCCESS) {
+					result = tresult;
+				}
+				continue;
+			}
+
+			usedlength = isc_buffer_usedlength(&b);
+			if (strcasecmp(ccalg, "aes") == 0 &&
+			    usedlength != ISC_AES128_KEYLENGTH)
+			{
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "AES cookie-secret must be 128 "
+					    "bits");
+				if (result == ISC_R_SUCCESS) {
+					result = ISC_R_RANGE;
+				}
+			}
+			if (strcasecmp(ccalg, "siphash24") == 0 &&
+			    usedlength != ISC_SIPHASH24_KEY_LENGTH)
+			{
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "SipHash-2-4 cookie-secret must be "
+					    "128 bits");
+				if (result == ISC_R_SUCCESS) {
+					result = ISC_R_RANGE;
+				}
+			}
+		}
+	}
+
+#ifdef HAVE_DNSTAP
+	for (i = 0; i < sizeof(fstrm) / sizeof(fstrm[0]); i++) {
+		uint32_t value;
+
+		obj = NULL;
+		(void)cfg_map_get(options, fstrm[i].name, &obj);
+		if (obj == NULL) {
+			continue;
+		}
+
+		if (cfg_obj_isduration(obj)) {
+			value = cfg_obj_asduration(obj);
+		} else {
+			value = cfg_obj_asuint32(obj);
+		}
+		if (value < fstrm[i].min ||
+		    (fstrm[i].max != 0U && value > fstrm[i].max))
+		{
+			if (fstrm[i].max != 0U) {
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "%s '%u' out of range (%u..%u)",
+					    fstrm[i].name, value, fstrm[i].min,
+					    fstrm[i].max);
+			} else {
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "%s out of range (%u < %u)",
+					    fstrm[i].name, value, fstrm[i].min);
+			}
+			if (result == ISC_R_SUCCESS) {
+				result = ISC_R_RANGE;
+			}
+		}
+
+		if (strcmp(fstrm[i].name, "fstrm-set-input-queue-size") == 0) {
+			int bits = 0;
+			do {
+				bits += value & 0x1;
+				value >>= 1;
+			} while (value != 0U);
+			if (bits != 1) {
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "%s '%u' not a power-of-2",
+					    fstrm[i].name,
+					    cfg_obj_asuint32(obj));
+				if (result == ISC_R_SUCCESS) {
+					result = ISC_R_RANGE;
+				}
+			}
+		}
+	}
+
+	/* Check that dnstap-ouput values are consistent */
+	obj = NULL;
+	(void)cfg_map_get(options, "dnstap-output", &obj);
+	if (obj != NULL) {
+		const cfg_obj_t *obj2;
+		dns_dtmode_t dmode;
+
+		obj2 = cfg_tuple_get(obj, "mode");
+		if (obj2 == NULL) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "dnstap-output mode not found");
+			if (result == ISC_R_SUCCESS) {
+				result = ISC_R_FAILURE;
+			}
+		} else {
+			if (strcasecmp(cfg_obj_asstring(obj2), "file") == 0) {
+				dmode = dns_dtmode_file;
+			} else {
+				dmode = dns_dtmode_unix;
+			}
+
+			obj2 = cfg_tuple_get(obj, "size");
+			if (obj2 != NULL && !cfg_obj_isvoid(obj2) &&
+			    dmode == dns_dtmode_unix)
+			{
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "dnstap-output size "
+					    "cannot be set with mode unix");
+				if (result == ISC_R_SUCCESS) {
+					result = ISC_R_FAILURE;
+				}
+			}
+
+			obj2 = cfg_tuple_get(obj, "versions");
+			if (obj2 != NULL && !cfg_obj_isvoid(obj2) &&
+			    dmode == dns_dtmode_unix)
+			{
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "dnstap-output versions "
+					    "cannot be set with mode unix");
+				if (result == ISC_R_SUCCESS) {
+					result = ISC_R_FAILURE;
+				}
+			}
+
+			obj2 = cfg_tuple_get(obj, "suffix");
+			if (obj2 != NULL && !cfg_obj_isvoid(obj2) &&
+			    dmode == dns_dtmode_unix)
+			{
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "dnstap-output suffix "
+					    "cannot be set with mode unix");
+				if (result == ISC_R_SUCCESS) {
+					result = ISC_R_FAILURE;
+				}
+			}
+		}
+	}
+#endif /* ifdef HAVE_DNSTAP */
+
+	obj = NULL;
+	(void)cfg_map_get(options, "lmdb-mapsize", &obj);
+	if (obj != NULL) {
+		uint64_t mapsize = cfg_obj_asuint64(obj);
+
+		if (mapsize < (1ULL << 20)) { /* 1 megabyte */
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "'lmdb-mapsize "
+				    "%" PRId64 "' "
+				    "is too small",
+				    mapsize);
+			if (result == ISC_R_SUCCESS) {
+				result = ISC_R_RANGE;
+			}
+		} else if (mapsize > (1ULL << 40)) { /* 1 terabyte */
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "'lmdb-mapsize "
+				    "%" PRId64 "' "
+				    "is too large",
+				    mapsize);
+			if (result == ISC_R_SUCCESS) {
+				result = ISC_R_RANGE;
+			}
+		}
+	}
+
+	obj = NULL;
+	(void)cfg_map_get(options, "resolver-nonbackoff-tries", &obj);
+	if (obj != NULL && cfg_obj_asuint32(obj) == 0U) {
+		cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+			    "'resolver-nonbackoff-tries' must be >= 1");
+		if (result == ISC_R_SUCCESS) {
+			result = ISC_R_RANGE;
+		}
+	}
+
+	obj = NULL;
+	(void)cfg_map_get(options, "geoip-use-ecs", &obj);
+	if (obj != NULL && cfg_obj_asboolean(obj)) {
+		cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+			    "'geoip-use-ecs yes': "
+			    "ECS can no longer be used in geoip ACLs");
+		if (result == ISC_R_SUCCESS) {
+			result = ISC_R_FAILURE;
+		}
+	}
+
+	obj = NULL;
+	(void)cfg_map_get(options, "max-ixfr-ratio", &obj);
+	if (obj != NULL && cfg_obj_ispercentage(obj)) {
+		uint32_t percent = cfg_obj_aspercentage(obj);
+		if (percent == 0) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "'ixfr-max-ratio' must be a nonzero "
+				    "percentage or 'unlimited')");
+			if (result == ISC_R_SUCCESS) {
+				result = ISC_R_RANGE;
+			}
+		} else if (percent > 100) {
+			cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+				    "'ixfr-max-ratio %d%%' exceeds 100%%",
+				    percent);
+		}
+	}
+
+	obj = NULL;
+	(void)cfg_map_get(options, "check-names", &obj);
+	if (obj != NULL && !cfg_obj_islist(obj)) {
+		obj = NULL;
+	}
+	if (obj != NULL) {
+		/* Note: SEC is defined in <sys/time.h> on some platforms. */
+		enum { MAS = 1, PRI = 2, SLA = 4, SCN = 8 } values = 0;
+		for (const cfg_listelt_t *el = cfg_list_first(obj); el != NULL;
+		     el = cfg_list_next(el))
+		{
+			const cfg_obj_t *tuple = cfg_listelt_value(el);
+			const cfg_obj_t *type = cfg_tuple_get(tuple, "type");
+			const char *keyword = cfg_obj_asstring(type);
+			if (strcasecmp(keyword, "primary") == 0) {
+				if ((values & PRI) == PRI) {
+					cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+						    "'check-names primary' "
+						    "duplicated");
+					if (result == ISC_R_SUCCESS) {
+						result = ISC_R_FAILURE;
+					}
+				}
+				values |= PRI;
+			} else if (strcasecmp(keyword, "master") == 0) {
+				if ((values & MAS) == MAS) {
+					cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+						    "'check-names master' "
+						    "duplicated");
+					if (result == ISC_R_SUCCESS) {
+						result = ISC_R_FAILURE;
+					}
+				}
+				values |= MAS;
+			} else if (strcasecmp(keyword, "secondary") == 0) {
+				if ((values & SCN) == SCN) {
+					cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+						    "'check-names secondary' "
+						    "duplicated");
+					if (result == ISC_R_SUCCESS) {
+						result = ISC_R_FAILURE;
+					}
+				}
+				values |= SCN;
+			} else if (strcasecmp(keyword, "slave") == 0) {
+				if ((values & SLA) == SLA) {
+					cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+						    "'check-names slave' "
+						    "duplicated");
+					if (result == ISC_R_SUCCESS) {
+						result = ISC_R_FAILURE;
+					}
+				}
+				values |= SLA;
+			}
+		}
+
+		if ((values & (PRI | MAS)) == (PRI | MAS)) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "'check-names' cannot take both "
+				    "'primary' and 'master'");
+			if (result == ISC_R_SUCCESS) {
+				result = ISC_R_FAILURE;
+			}
+		}
+
+		if ((values & (SCN | SLA)) == (SCN | SLA)) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "'check-names' cannot take both "
+				    "'secondary' and 'slave'");
+			if (result == ISC_R_SUCCESS) {
+				result = ISC_R_FAILURE;
+			}
+		}
+	}
+
+	obj = NULL;
+	(void)cfg_map_get(options, "stale-refresh-time", &obj);
+	if (obj != NULL) {
+		uint32_t refresh_time = cfg_obj_asduration(obj);
+		if (refresh_time > 0 && refresh_time < 30) {
+			cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+				    "'stale-refresh-time' should either be 0 "
+				    "or otherwise 30 seconds or higher");
+		}
+	}
+
+	return (result);
+}
+
+/*
+ * Check "remote-servers" style list.
+ */
+static isc_result_t
+bind9_check_remoteserverlist(const cfg_obj_t *cctx, const char *list,
+			     isc_log_t *logctx, isc_symtab_t *symtab,
+			     isc_mem_t *mctx) {
+	isc_symvalue_t symvalue;
+	isc_result_t result, tresult;
+	const cfg_obj_t *obj = NULL;
+	const cfg_listelt_t *elt;
+
+	result = cfg_map_get(cctx, list, &obj);
+	if (result != ISC_R_SUCCESS) {
+		return (ISC_R_SUCCESS);
+	}
+
+	elt = cfg_list_first(obj);
+	while (elt != NULL) {
+		char *tmp;
+		const char *name;
+
+		obj = cfg_listelt_value(elt);
+		name = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
+
+		tmp = isc_mem_strdup(mctx, name);
+		symvalue.as_cpointer = obj;
+		tresult = isc_symtab_define(symtab, tmp, 1, symvalue,
+					    isc_symexists_reject);
+		if (tresult == ISC_R_EXISTS) {
+			const char *file = NULL;
+			unsigned int line;
+
+			RUNTIME_CHECK(
+				isc_symtab_lookup(symtab, tmp, 1, &symvalue) ==
+				ISC_R_SUCCESS);
+			file = cfg_obj_file(symvalue.as_cpointer);
+			line = cfg_obj_line(symvalue.as_cpointer);
+
+			if (file == NULL) {
+				file = "<unknown file>";
+			}
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "%s list '%s' is duplicated: "
+				    "also defined at %s:%u",
+				    list, name, file, line);
+			isc_mem_free(mctx, tmp);
+			result = tresult;
+			break;
+		} else if (tresult != ISC_R_SUCCESS) {
+			isc_mem_free(mctx, tmp);
+			result = tresult;
+			break;
+		}
+
+		elt = cfg_list_next(elt);
+	}
+	return (result);
+}
+
+/*
+ * Check primaries lists for duplicates.
+ */
+static isc_result_t
+bind9_check_primarylists(const cfg_obj_t *cctx, isc_log_t *logctx,
+			 isc_mem_t *mctx) {
+	isc_result_t result, tresult;
+	isc_symtab_t *symtab = NULL;
+
+	result = isc_symtab_create(mctx, 100, freekey, mctx, false, &symtab);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	tresult = bind9_check_remoteserverlist(cctx, "primaries", logctx,
+					       symtab, mctx);
+	if (tresult != ISC_R_SUCCESS) {
+		result = tresult;
+	}
+	tresult = bind9_check_remoteserverlist(cctx, "masters", logctx, symtab,
+					       mctx);
+	if (tresult != ISC_R_SUCCESS) {
+		result = tresult;
+	}
+	isc_symtab_destroy(&symtab);
+	return (result);
+}
+
+/*
+ * Check parental-agents lists for duplicates.
+ */
+static isc_result_t
+bind9_check_parentalagentlists(const cfg_obj_t *cctx, isc_log_t *logctx,
+			       isc_mem_t *mctx) {
+	isc_result_t result, tresult;
+	isc_symtab_t *symtab = NULL;
+
+	result = isc_symtab_create(mctx, 100, freekey, mctx, false, &symtab);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	tresult = bind9_check_remoteserverlist(cctx, "parental-agents", logctx,
+					       symtab, mctx);
+	if (tresult != ISC_R_SUCCESS) {
+		result = tresult;
+	}
+	isc_symtab_destroy(&symtab);
+	return (result);
+}
+
+static isc_result_t
+get_remotes(const cfg_obj_t *cctx, const char *list, const char *name,
+	    const cfg_obj_t **ret) {
+	isc_result_t result;
+	const cfg_obj_t *obj = NULL;
+	const cfg_listelt_t *elt = NULL;
+
+	result = cfg_map_get(cctx, list, &obj);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	elt = cfg_list_first(obj);
+	while (elt != NULL) {
+		const char *listname;
+
+		obj = cfg_listelt_value(elt);
+		listname = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
+
+		if (strcasecmp(listname, name) == 0) {
+			*ret = obj;
+			return (ISC_R_SUCCESS);
+		}
+
+		elt = cfg_list_next(elt);
+	}
+
+	return (ISC_R_NOTFOUND);
+}
+
+static isc_result_t
+get_remoteservers_def(const char *list, const char *name, const cfg_obj_t *cctx,
+		      const cfg_obj_t **ret) {
+	isc_result_t result = ISC_R_NOTFOUND;
+
+	if (strcmp(list, "primaries") == 0) {
+		result = get_remotes(cctx, "primaries", name, ret);
+		if (result != ISC_R_SUCCESS) {
+			result = get_remotes(cctx, "masters", name, ret);
+		}
+	} else if (strcmp(list, "parental-agents") == 0) {
+		result = get_remotes(cctx, "parental-agents", name, ret);
+	}
+	return (result);
+}
+
+static isc_result_t
+validate_remotes(const char *list, const cfg_obj_t *obj,
+		 const cfg_obj_t *config, uint32_t *countp, isc_log_t *logctx,
+		 isc_mem_t *mctx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult;
+	uint32_t count = 0;
+	isc_symtab_t *symtab = NULL;
+	isc_symvalue_t symvalue;
+	const cfg_listelt_t *element;
+	const cfg_listelt_t **stack = NULL;
+	uint32_t stackcount = 0, pushed = 0;
+	const cfg_obj_t *listobj;
+
+	REQUIRE(countp != NULL);
+	result = isc_symtab_create(mctx, 100, NULL, NULL, false, &symtab);
+	if (result != ISC_R_SUCCESS) {
+		*countp = count;
+		return (result);
+	}
+
+newlist:
+	listobj = cfg_tuple_get(obj, "addresses");
+	element = cfg_list_first(listobj);
+resume:
+	for (; element != NULL; element = cfg_list_next(element)) {
+		const char *listname;
+		const cfg_obj_t *addr;
+		const cfg_obj_t *key;
+
+		addr = cfg_tuple_get(cfg_listelt_value(element),
+				     "remoteselement");
+		key = cfg_tuple_get(cfg_listelt_value(element), "key");
+
+		if (cfg_obj_issockaddr(addr)) {
+			count++;
+			if (cfg_obj_isstring(key)) {
+				const char *str = cfg_obj_asstring(key);
+				dns_fixedname_t fname;
+				dns_name_t *nm = dns_fixedname_initname(&fname);
+				tresult = dns_name_fromstring(nm, str, 0, NULL);
+				if (tresult != ISC_R_SUCCESS) {
+					cfg_obj_log(key, logctx, ISC_LOG_ERROR,
+						    "'%s' is not a valid name",
+						    str);
+					if (result == ISC_R_SUCCESS) {
+						result = tresult;
+					}
+				}
+			}
+			continue;
+		}
+		if (!cfg_obj_isvoid(key)) {
+			cfg_obj_log(key, logctx, ISC_LOG_ERROR,
+				    "unexpected token '%s'",
+				    cfg_obj_asstring(key));
+			if (result == ISC_R_SUCCESS) {
+				result = ISC_R_FAILURE;
+			}
+		}
+		listname = cfg_obj_asstring(addr);
+		symvalue.as_cpointer = addr;
+		tresult = isc_symtab_define(symtab, listname, 1, symvalue,
+					    isc_symexists_reject);
+		if (tresult == ISC_R_EXISTS) {
+			continue;
+		}
+		tresult = get_remoteservers_def(list, listname, config, &obj);
+		if (tresult != ISC_R_SUCCESS) {
+			if (result == ISC_R_SUCCESS) {
+				result = tresult;
+			}
+			cfg_obj_log(addr, logctx, ISC_LOG_ERROR,
+				    "unable to find %s list '%s'", list,
+				    listname);
+			continue;
+		}
+		/* Grow stack? */
+		if (stackcount == pushed) {
+			void *newstack;
+			uint32_t newlen = stackcount + 16;
+			size_t newsize, oldsize;
+
+			newsize = newlen * sizeof(*stack);
+			oldsize = stackcount * sizeof(*stack);
+			newstack = isc_mem_get(mctx, newsize);
+			if (stackcount != 0) {
+				void *ptr;
+
+				DE_CONST(stack, ptr);
+				memmove(newstack, stack, oldsize);
+				isc_mem_put(mctx, ptr, oldsize);
+			}
+			stack = newstack;
+			stackcount = newlen;
+		}
+		stack[pushed++] = cfg_list_next(element);
+		goto newlist;
+	}
+	if (pushed != 0) {
+		element = stack[--pushed];
+		goto resume;
+	}
+	if (stack != NULL) {
+		void *ptr;
+
+		DE_CONST(stack, ptr);
+		isc_mem_put(mctx, ptr, stackcount * sizeof(*stack));
+	}
+	isc_symtab_destroy(&symtab);
+	*countp = count;
+	return (result);
+}
+
+static isc_result_t
+check_update_policy(const cfg_obj_t *policy, isc_log_t *logctx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult;
+	const cfg_listelt_t *element;
+	const cfg_listelt_t *element2;
+	dns_fixedname_t fixed_id, fixed_name;
+	dns_name_t *id, *name;
+	const char *str;
+	isc_textregion_t r;
+	dns_rdatatype_t type;
+
+	/* Check for "update-policy local;" */
+	if (cfg_obj_isstring(policy) &&
+	    strcmp("local", cfg_obj_asstring(policy)) == 0)
+	{
+		return (ISC_R_SUCCESS);
+	}
+
+	/* Now check the grant policy */
+	for (element = cfg_list_first(policy); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		const cfg_obj_t *stmt = cfg_listelt_value(element);
+		const cfg_obj_t *identity = cfg_tuple_get(stmt, "identity");
+		const cfg_obj_t *matchtype = cfg_tuple_get(stmt, "matchtype");
+		const cfg_obj_t *dname = cfg_tuple_get(stmt, "name");
+		const cfg_obj_t *typelist = cfg_tuple_get(stmt, "types");
+		dns_ssumatchtype_t mtype;
+
+		id = dns_fixedname_initname(&fixed_id);
+		name = dns_fixedname_initname(&fixed_name);
+
+		tresult = dns_ssu_mtypefromstring(cfg_obj_asstring(matchtype),
+						  &mtype);
+		if (tresult != ISC_R_SUCCESS) {
+			cfg_obj_log(identity, logctx, ISC_LOG_ERROR,
+				    "has a bad match-type");
+		}
+
+		str = cfg_obj_asstring(identity);
+		tresult = dns_name_fromstring(id, str, 1, NULL);
+		if (tresult != ISC_R_SUCCESS) {
+			cfg_obj_log(identity, logctx, ISC_LOG_ERROR,
+				    "'%s' is not a valid name", str);
+			result = tresult;
+		}
+
+		/*
+		 * There is no name field for subzone and dname is void
+		 */
+		if (mtype == dns_ssumatchtype_subdomain &&
+		    cfg_obj_isvoid(dname))
+		{
+			str = "."; /* Use "." as a replacement. */
+		} else {
+			str = cfg_obj_asstring(dname);
+		}
+		if (tresult == ISC_R_SUCCESS) {
+			tresult = dns_name_fromstring(name, str, 0, NULL);
+			if (tresult != ISC_R_SUCCESS) {
+				cfg_obj_log(dname, logctx, ISC_LOG_ERROR,
+					    "'%s' is not a valid name", str);
+				result = tresult;
+			}
+		}
+
+		if (tresult == ISC_R_SUCCESS &&
+		    mtype == dns_ssumatchtype_wildcard &&
+		    !dns_name_iswildcard(name))
+		{
+			cfg_obj_log(identity, logctx, ISC_LOG_ERROR,
+				    "'%s' is not a wildcard", str);
+			result = ISC_R_FAILURE;
+		}
+
+		/*
+		 * For some match types, the name should be a placeholder
+		 * value, either "." or the same as identity.
+		 */
+		switch (mtype) {
+		case dns_ssumatchtype_self:
+		case dns_ssumatchtype_selfsub:
+		case dns_ssumatchtype_selfwild:
+			if (tresult == ISC_R_SUCCESS &&
+			    (!dns_name_equal(id, name) &&
+			     !dns_name_equal(dns_rootname, name)))
+			{
+				cfg_obj_log(identity, logctx, ISC_LOG_ERROR,
+					    "identity and name fields are not "
+					    "the same");
+				result = ISC_R_FAILURE;
+			}
+			break;
+		case dns_ssumatchtype_selfkrb5:
+		case dns_ssumatchtype_selfms:
+		case dns_ssumatchtype_selfsubkrb5:
+		case dns_ssumatchtype_selfsubms:
+		case dns_ssumatchtype_tcpself:
+		case dns_ssumatchtype_6to4self:
+			if (tresult == ISC_R_SUCCESS &&
+			    !dns_name_equal(dns_rootname, name))
+			{
+				cfg_obj_log(identity, logctx, ISC_LOG_ERROR,
+					    "name field not set to "
+					    "placeholder value '.'");
+				result = ISC_R_FAILURE;
+			}
+			break;
+		case dns_ssumatchtype_name:
+		case dns_ssumatchtype_subdomain: /* also zonesub */
+		case dns_ssumatchtype_subdomainms:
+		case dns_ssumatchtype_subdomainkrb5:
+		case dns_ssumatchtype_wildcard:
+		case dns_ssumatchtype_external:
+		case dns_ssumatchtype_local:
+			if (tresult == ISC_R_SUCCESS) {
+				DE_CONST(str, r.base);
+				r.length = strlen(str);
+				tresult = dns_rdatatype_fromtext(&type, &r);
+			}
+			if (tresult == ISC_R_SUCCESS) {
+				cfg_obj_log(identity, logctx, ISC_LOG_ERROR,
+					    "missing name field type '%s' "
+					    "found",
+					    str);
+				result = ISC_R_FAILURE;
+				break;
+			}
+			break;
+		default:
+			UNREACHABLE();
+		}
+
+		for (element2 = cfg_list_first(typelist); element2 != NULL;
+		     element2 = cfg_list_next(element2))
+		{
+			const cfg_obj_t *typeobj;
+
+			typeobj = cfg_listelt_value(element2);
+			DE_CONST(cfg_obj_asstring(typeobj), r.base);
+			r.length = strlen(r.base);
+
+			tresult = dns_rdatatype_fromtext(&type, &r);
+			if (tresult != ISC_R_SUCCESS) {
+				cfg_obj_log(typeobj, logctx, ISC_LOG_ERROR,
+					    "'%s' is not a valid type", r.base);
+				result = tresult;
+			}
+		}
+	}
+	return (result);
+}
+
+typedef struct {
+	const char *name;
+	unsigned int allowed;
+} optionstable;
+
+static isc_result_t
+check_nonzero(const cfg_obj_t *options, isc_log_t *logctx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	const cfg_obj_t *obj = NULL;
+	unsigned int i;
+
+	static const char *nonzero[] = { "max-retry-time", "min-retry-time",
+					 "max-refresh-time",
+					 "min-refresh-time" };
+	/*
+	 * Check if value is zero.
+	 */
+	for (i = 0; i < sizeof(nonzero) / sizeof(nonzero[0]); i++) {
+		obj = NULL;
+		if (cfg_map_get(options, nonzero[i], &obj) == ISC_R_SUCCESS &&
+		    cfg_obj_asuint32(obj) == 0)
+		{
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "'%s' must not be zero", nonzero[i]);
+			result = ISC_R_FAILURE;
+		}
+	}
+	return (result);
+}
+
+/*%
+ * Check whether NOTIFY configuration at the zone level is acceptable for a
+ * mirror zone.  Return true if it is; return false otherwise.
+ */
+static bool
+check_mirror_zone_notify(const cfg_obj_t *zoptions, const char *znamestr,
+			 isc_log_t *logctx) {
+	bool notify_configuration_ok = true;
+	const cfg_obj_t *obj = NULL;
+
+	(void)cfg_map_get(zoptions, "notify", &obj);
+	if (obj == NULL) {
+		/*
+		 * "notify" not set at zone level.  This is fine.
+		 */
+		return (true);
+	}
+
+	if (cfg_obj_isboolean(obj)) {
+		if (cfg_obj_asboolean(obj)) {
+			/*
+			 * "notify yes;" set at zone level.  This is an error.
+			 */
+			notify_configuration_ok = false;
+		}
+	} else {
+		const char *notifystr = cfg_obj_asstring(obj);
+		if (strcasecmp(notifystr, "explicit") != 0) {
+			/*
+			 * Something else than "notify explicit;" set at zone
+			 * level.  This is an error.
+			 */
+			notify_configuration_ok = false;
+		}
+	}
+
+	if (!notify_configuration_ok) {
+		cfg_obj_log(zoptions, logctx, ISC_LOG_ERROR,
+			    "zone '%s': mirror zones can only be used with "
+			    "'notify no;' or 'notify explicit;'",
+			    znamestr);
+	}
+
+	return (notify_configuration_ok);
+}
+
+/*%
+ * Try to determine whether recursion is available in a view without resorting
+ * to extraordinary measures: just check the "recursion" and "allow-recursion"
+ * settings.  The point is to prevent accidental mirror zone misuse rather than
+ * to enforce some sort of policy.  Recursion is assumed to be allowed by
+ * default if it is not explicitly disabled.
+ */
+static bool
+check_recursion(const cfg_obj_t *config, const cfg_obj_t *voptions,
+		const cfg_obj_t *goptions, isc_log_t *logctx,
+		cfg_aclconfctx_t *actx, isc_mem_t *mctx) {
+	dns_acl_t *acl = NULL;
+	const cfg_obj_t *obj;
+	isc_result_t result;
+	bool retval = true;
+
+	/*
+	 * Check the "recursion" option first.
+	 */
+	obj = NULL;
+	result = ISC_R_NOTFOUND;
+	if (voptions != NULL) {
+		result = cfg_map_get(voptions, "recursion", &obj);
+	}
+	if (result != ISC_R_SUCCESS && goptions != NULL) {
+		result = cfg_map_get(goptions, "recursion", &obj);
+	}
+	if (result == ISC_R_SUCCESS && !cfg_obj_asboolean(obj)) {
+		retval = false;
+		goto cleanup;
+	}
+
+	/*
+	 * If recursion is not disabled by the "recursion" option, check
+	 * whether it is disabled by the "allow-recursion" ACL.
+	 */
+	obj = NULL;
+	result = ISC_R_NOTFOUND;
+	if (voptions != NULL) {
+		result = cfg_map_get(voptions, "allow-recursion", &obj);
+	}
+	if (result != ISC_R_SUCCESS && goptions != NULL) {
+		result = cfg_map_get(goptions, "allow-recursion", &obj);
+	}
+	if (result == ISC_R_SUCCESS) {
+		result = cfg_acl_fromconfig(obj, config, logctx, actx, mctx, 0,
+					    &acl);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+		retval = !dns_acl_isnone(acl);
+	}
+
+cleanup:
+	if (acl != NULL) {
+		dns_acl_detach(&acl);
+	}
+
+	return (retval);
+}
+
+static isc_result_t
+check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
+	       const cfg_obj_t *config, isc_symtab_t *symtab,
+	       isc_symtab_t *files, isc_symtab_t *keydirs, isc_symtab_t *inview,
+	       const char *viewname, dns_rdataclass_t defclass,
+	       cfg_aclconfctx_t *actx, isc_log_t *logctx, isc_mem_t *mctx) {
+	const char *znamestr;
+	const char *typestr = NULL;
+	const char *target = NULL;
+	unsigned int ztype;
+	const cfg_obj_t *zoptions, *goptions = NULL;
+	const cfg_obj_t *obj = NULL, *kasp = NULL;
+	const cfg_obj_t *inviewobj = NULL;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult;
+	unsigned int i;
+	dns_rdataclass_t zclass;
+	dns_fixedname_t fixedname;
+	dns_name_t *zname = NULL; /* NULL if parsing of zone name fails. */
+	isc_buffer_t b;
+	bool root = false;
+	bool rfc1918 = false;
+	bool ula = false;
+	const cfg_listelt_t *element;
+	bool dlz;
+	dns_masterformat_t masterformat;
+	bool ddns = false;
+	bool has_dnssecpolicy = false;
+	const void *clauses = NULL;
+	const char *option = NULL;
+	const char *kaspname = NULL;
+	const char *dir = NULL;
+	static const char *acls[] = {
+		"allow-notify",
+		"allow-transfer",
+		"allow-update",
+		"allow-update-forwarding",
+	};
+	static optionstable dialups[] = {
+		{ "notify", CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
+		{ "notify-passive", CFG_ZONE_SECONDARY },
+		{ "passive", CFG_ZONE_SECONDARY | CFG_ZONE_STUB },
+		{ "refresh", CFG_ZONE_SECONDARY | CFG_ZONE_STUB },
+	};
+	static const char *sources[] = {
+		"transfer-source",  "transfer-source-v6", "notify-source",
+		"notify-source-v6", "parental-source",	  "parental-source-v6",
+	};
+
+	znamestr = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
+
+	zoptions = cfg_tuple_get(zconfig, "options");
+
+	if (config != NULL) {
+		cfg_map_get(config, "options", &goptions);
+	}
+
+	inviewobj = NULL;
+	(void)cfg_map_get(zoptions, "in-view", &inviewobj);
+	if (inviewobj != NULL) {
+		target = cfg_obj_asstring(inviewobj);
+		ztype = CFG_ZONE_INVIEW;
+	} else {
+		obj = NULL;
+		(void)cfg_map_get(zoptions, "type", &obj);
+		if (obj == NULL) {
+			cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
+				    "zone '%s': type not present", znamestr);
+			return (ISC_R_FAILURE);
+		}
+
+		typestr = cfg_obj_asstring(obj);
+		if (strcasecmp(typestr, "master") == 0 ||
+		    strcasecmp(typestr, "primary") == 0)
+		{
+			ztype = CFG_ZONE_PRIMARY;
+		} else if (strcasecmp(typestr, "slave") == 0 ||
+			   strcasecmp(typestr, "secondary") == 0)
+		{
+			ztype = CFG_ZONE_SECONDARY;
+		} else if (strcasecmp(typestr, "mirror") == 0) {
+			ztype = CFG_ZONE_MIRROR;
+		} else if (strcasecmp(typestr, "stub") == 0) {
+			ztype = CFG_ZONE_STUB;
+		} else if (strcasecmp(typestr, "static-stub") == 0) {
+			ztype = CFG_ZONE_STATICSTUB;
+		} else if (strcasecmp(typestr, "forward") == 0) {
+			ztype = CFG_ZONE_FORWARD;
+		} else if (strcasecmp(typestr, "hint") == 0) {
+			ztype = CFG_ZONE_HINT;
+		} else if (strcasecmp(typestr, "delegation-only") == 0) {
+			ztype = CFG_ZONE_DELEGATION;
+		} else if (strcasecmp(typestr, "redirect") == 0) {
+			ztype = CFG_ZONE_REDIRECT;
+		} else {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "zone '%s': invalid type %s", znamestr,
+				    typestr);
+			return (ISC_R_FAILURE);
+		}
+
+		if (ztype == CFG_ZONE_REDIRECT && strcmp(znamestr, ".") != 0) {
+			cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
+				    "redirect zones must be called \".\"");
+			return (ISC_R_FAILURE);
+		}
+	}
+
+	obj = cfg_tuple_get(zconfig, "class");
+	if (cfg_obj_isstring(obj)) {
+		isc_textregion_t r;
+
+		DE_CONST(cfg_obj_asstring(obj), r.base);
+		r.length = strlen(r.base);
+		result = dns_rdataclass_fromtext(&zclass, &r);
+		if (result != ISC_R_SUCCESS) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "zone '%s': invalid class %s", znamestr,
+				    r.base);
+			return (ISC_R_FAILURE);
+		}
+		if (zclass != defclass) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "zone '%s': class '%s' does not "
+				    "match view/default class",
+				    znamestr, r.base);
+			return (ISC_R_FAILURE);
+		}
+	} else {
+		zclass = defclass;
+	}
+
+	/*
+	 * Look for an already existing zone.
+	 * We need to make this canonical as isc_symtab_define()
+	 * deals with strings.
+	 */
+	dns_fixedname_init(&fixedname);
+	isc_buffer_constinit(&b, znamestr, strlen(znamestr));
+	isc_buffer_add(&b, strlen(znamestr));
+	tresult = dns_name_fromtext(dns_fixedname_name(&fixedname), &b,
+				    dns_rootname, DNS_NAME_DOWNCASE, NULL);
+	if (tresult != ISC_R_SUCCESS) {
+		cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
+			    "zone '%s': is not a valid name", znamestr);
+		result = ISC_R_FAILURE;
+	} else {
+		char namebuf[DNS_NAME_FORMATSIZE + 128];
+		char *tmp = namebuf;
+		size_t len = sizeof(namebuf);
+
+		zname = dns_fixedname_name(&fixedname);
+		dns_name_format(zname, namebuf, sizeof(namebuf));
+		tresult = nameexist(zconfig, namebuf,
+				    ztype == CFG_ZONE_HINT	 ? 1
+				    : ztype == CFG_ZONE_REDIRECT ? 2
+								 : 3,
+				    symtab,
+				    "zone '%s': already exists "
+				    "previous definition: %s:%u",
+				    logctx, mctx);
+		if (tresult != ISC_R_SUCCESS) {
+			result = tresult;
+		}
+		if (dns_name_equal(zname, dns_rootname)) {
+			root = true;
+		} else if (dns_name_isrfc1918(zname)) {
+			rfc1918 = true;
+		} else if (dns_name_isula(zname)) {
+			ula = true;
+		}
+		len -= strlen(tmp);
+		tmp += strlen(tmp);
+		(void)snprintf(tmp, len, "%u/%s", zclass,
+			       (ztype == CFG_ZONE_INVIEW) ? target
+			       : (viewname != NULL)	  ? viewname
+							  : "_default");
+		switch (ztype) {
+		case CFG_ZONE_INVIEW:
+			tresult = isc_symtab_lookup(inview, namebuf, 0, NULL);
+			if (tresult != ISC_R_SUCCESS) {
+				cfg_obj_log(inviewobj, logctx, ISC_LOG_ERROR,
+					    "'in-view' zone '%s' "
+					    "does not exist in view '%s', "
+					    "or view '%s' is not yet defined",
+					    znamestr, target, target);
+				if (result == ISC_R_SUCCESS) {
+					result = tresult;
+				}
+			}
+			break;
+
+		case CFG_ZONE_FORWARD:
+		case CFG_ZONE_REDIRECT:
+		case CFG_ZONE_DELEGATION:
+			break;
+
+		case CFG_ZONE_PRIMARY:
+		case CFG_ZONE_SECONDARY:
+		case CFG_ZONE_MIRROR:
+		case CFG_ZONE_HINT:
+		case CFG_ZONE_STUB:
+		case CFG_ZONE_STATICSTUB:
+			tmp = isc_mem_strdup(mctx, namebuf);
+			{
+				isc_symvalue_t symvalue;
+				symvalue.as_cpointer = NULL;
+				tresult = isc_symtab_define(
+					inview, tmp, 1, symvalue,
+					isc_symexists_replace);
+				if (tresult == ISC_R_NOMEMORY) {
+					isc_mem_free(mctx, tmp);
+				}
+				if (result == ISC_R_SUCCESS &&
+				    tresult != ISC_R_SUCCESS)
+				{
+					result = tresult;
+				}
+			}
+			break;
+
+		default:
+			UNREACHABLE();
+		}
+	}
+
+	if (ztype == CFG_ZONE_INVIEW) {
+		const cfg_obj_t *fwd = NULL;
+		unsigned int maxopts = 1;
+
+		(void)cfg_map_get(zoptions, "forward", &fwd);
+		if (fwd != NULL) {
+			maxopts++;
+		}
+		fwd = NULL;
+		(void)cfg_map_get(zoptions, "forwarders", &fwd);
+		if (fwd != NULL) {
+			maxopts++;
+		}
+		if (cfg_map_count(zoptions) > maxopts) {
+			cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
+				    "zone '%s': 'in-view' used "
+				    "with incompatible zone options",
+				    znamestr);
+			if (result == ISC_R_SUCCESS) {
+				result = ISC_R_FAILURE;
+			}
+		}
+		return (result);
+	}
+
+	/*
+	 * Check if value is zero.
+	 */
+	if (check_nonzero(zoptions, logctx) != ISC_R_SUCCESS) {
+		result = ISC_R_FAILURE;
+	}
+
+	/*
+	 * Check if a dnssec-policy is set.
+	 */
+	obj = NULL;
+	(void)cfg_map_get(zoptions, "dnssec-policy", &obj);
+	if (obj == NULL && voptions != NULL) {
+		(void)cfg_map_get(voptions, "dnssec-policy", &obj);
+	}
+	if (obj == NULL && goptions != NULL) {
+		(void)cfg_map_get(goptions, "dnssec-policy", &obj);
+	}
+	if (obj != NULL) {
+		const cfg_obj_t *kasps = NULL;
+
+		kaspname = cfg_obj_asstring(obj);
+		if (strcmp(kaspname, "default") == 0) {
+			has_dnssecpolicy = true;
+		} else if (strcmp(kaspname, "insecure") == 0) {
+			has_dnssecpolicy = true;
+		} else if (strcmp(kaspname, "none") == 0) {
+			has_dnssecpolicy = false;
+		} else {
+			(void)cfg_map_get(config, "dnssec-policy", &kasps);
+			for (element = cfg_list_first(kasps); element != NULL;
+			     element = cfg_list_next(element))
+			{
+				const cfg_obj_t *kobj = cfg_tuple_get(
+					cfg_listelt_value(element), "name");
+				if (strcmp(kaspname, cfg_obj_asstring(kobj)) ==
+				    0)
+				{
+					has_dnssecpolicy = true;
+				}
+			}
+
+			if (!has_dnssecpolicy) {
+				cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
+					    "zone '%s': option "
+					    "'dnssec-policy %s' has no "
+					    "matching dnssec-policy config",
+					    znamestr, kaspname);
+				if (result == ISC_R_SUCCESS) {
+					result = ISC_R_FAILURE;
+				}
+			}
+		}
+		if (has_dnssecpolicy) {
+			kasp = obj;
+		}
+	}
+
+	/*
+	 * Warn about zones with both dnssec-policy and max-zone-ttl
+	 */
+	if (has_dnssecpolicy) {
+		obj = NULL;
+		(void)cfg_map_get(zoptions, "max-zone-ttl", &obj);
+		if (obj == NULL && voptions != NULL) {
+			(void)cfg_map_get(voptions, "max-zone-ttl", &obj);
+		}
+		if (obj == NULL && goptions != NULL) {
+			(void)cfg_map_get(goptions, "max-zone-ttl", &obj);
+		}
+		if (obj != NULL) {
+			cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+				    "zone '%s': option 'max-zone-ttl' "
+				    "is ignored when used together with "
+				    "'dnssec-policy'",
+				    znamestr);
+		}
+	}
+
+	/*
+	 * Check validity of the zone options.
+	 */
+	option = cfg_map_firstclause(&cfg_type_zoneopts, &clauses, &i);
+	while (option != NULL) {
+		obj = NULL;
+		if (cfg_map_get(zoptions, option, &obj) == ISC_R_SUCCESS &&
+		    obj != NULL && !cfg_clause_validforzone(option, ztype))
+		{
+			cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+				    "option '%s' is not allowed "
+				    "in '%s' zone '%s'",
+				    option, typestr, znamestr);
+			result = ISC_R_FAILURE;
+		}
+		option = cfg_map_nextclause(&cfg_type_zoneopts, &clauses, &i);
+	}
+
+	/*
+	 * Check that ACLs expand correctly.
+	 */
+	for (i = 0; i < ARRAY_SIZE(acls); i++) {
+		tresult = checkacl(acls[i], actx, zconfig, voptions, config,
+				   logctx, mctx);
+		if (tresult != ISC_R_SUCCESS) {
+			result = tresult;
+		}
+	}
+
+	/*
+	 * Only a limited subset of all possible "notify" settings can be used
+	 * at the zone level for mirror zones.
+	 */
+	if (ztype == CFG_ZONE_MIRROR &&
+	    !check_mirror_zone_notify(zoptions, znamestr, logctx))
+	{
+		result = ISC_R_FAILURE;
+	}
+
+	/*
+	 * Primary, secondary, and mirror zones may have an "also-notify"
+	 * field, but shouldn't if notify is disabled.
+	 */
+	if (ztype == CFG_ZONE_PRIMARY || ztype == CFG_ZONE_SECONDARY ||
+	    ztype == CFG_ZONE_MIRROR)
+	{
+		bool donotify = true;
+
+		obj = NULL;
+		tresult = cfg_map_get(zoptions, "notify", &obj);
+		if (tresult != ISC_R_SUCCESS && voptions != NULL) {
+			tresult = cfg_map_get(voptions, "notify", &obj);
+		}
+		if (tresult != ISC_R_SUCCESS && goptions != NULL) {
+			tresult = cfg_map_get(goptions, "notify", &obj);
+		}
+		if (tresult == ISC_R_SUCCESS) {
+			if (cfg_obj_isboolean(obj)) {
+				donotify = cfg_obj_asboolean(obj);
+			} else {
+				const char *str = cfg_obj_asstring(obj);
+				if (ztype != CFG_ZONE_PRIMARY &&
+				    (strcasecmp(str, "master-only") == 0 ||
+				     strcasecmp(str, "primary-only") == 0))
+				{
+					donotify = false;
+				}
+			}
+		}
+
+		obj = NULL;
+		tresult = cfg_map_get(zoptions, "also-notify", &obj);
+		if (tresult == ISC_R_SUCCESS && !donotify) {
+			cfg_obj_log(zoptions, logctx, ISC_LOG_WARNING,
+				    "zone '%s': 'also-notify' set but "
+				    "'notify' is disabled",
+				    znamestr);
+		}
+		if (tresult != ISC_R_SUCCESS && voptions != NULL) {
+			tresult = cfg_map_get(voptions, "also-notify", &obj);
+		}
+		if (tresult != ISC_R_SUCCESS && goptions != NULL) {
+			tresult = cfg_map_get(goptions, "also-notify", &obj);
+		}
+		if (tresult == ISC_R_SUCCESS && donotify) {
+			uint32_t count;
+			tresult = validate_remotes("primaries", obj, config,
+						   &count, logctx, mctx);
+			if (tresult != ISC_R_SUCCESS && result == ISC_R_SUCCESS)
+			{
+				result = tresult;
+			}
+		}
+	}
+
+	/*
+	 * Secondary, mirror, and stub zones must have a "primaries" field,
+	 * with one exception: when mirroring the root zone, a default,
+	 * built-in primary server list is used in the absence of one
+	 * explicitly specified.
+	 */
+	if (ztype == CFG_ZONE_SECONDARY || ztype == CFG_ZONE_STUB ||
+	    (ztype == CFG_ZONE_MIRROR && zname != NULL &&
+	     !dns_name_equal(zname, dns_rootname)))
+	{
+		obj = NULL;
+		(void)cfg_map_get(zoptions, "primaries", &obj);
+		if (obj == NULL) {
+			/* If "primaries" was unset, check for "masters" */
+			(void)cfg_map_get(zoptions, "masters", &obj);
+		} else {
+			const cfg_obj_t *obj2 = NULL;
+
+			/* ...bug if it was set, "masters" must not be. */
+			(void)cfg_map_get(zoptions, "masters", &obj2);
+			if (obj2 != NULL) {
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "'primaries' and 'masters' cannot "
+					    "both be used in the same zone");
+				result = ISC_R_FAILURE;
+			}
+		}
+		if (obj == NULL) {
+			cfg_obj_log(zoptions, logctx, ISC_LOG_ERROR,
+				    "zone '%s': missing 'primaries' entry",
+				    znamestr);
+			result = ISC_R_FAILURE;
+		} else {
+			uint32_t count;
+			tresult = validate_remotes("primaries", obj, config,
+						   &count, logctx, mctx);
+			if (tresult != ISC_R_SUCCESS && result == ISC_R_SUCCESS)
+			{
+				result = tresult;
+			}
+			if (tresult == ISC_R_SUCCESS && count == 0) {
+				cfg_obj_log(zoptions, logctx, ISC_LOG_ERROR,
+					    "zone '%s': "
+					    "empty 'primaries' entry",
+					    znamestr);
+				result = ISC_R_FAILURE;
+			}
+		}
+	}
+
+	/*
+	 * Warn if *-source and *-source-v6 options specify a port,
+	 * and fail if they specify the default listener port.
+	 */
+	for (i = 0; i < ARRAY_SIZE(sources); i++) {
+		obj = NULL;
+		(void)cfg_map_get(zoptions, sources[i], &obj);
+		if (obj == NULL && goptions != NULL) {
+			(void)cfg_map_get(goptions, sources[i], &obj);
+		}
+		if (obj != NULL) {
+			in_port_t port =
+				isc_sockaddr_getport(cfg_obj_assockaddr(obj));
+			if (port == dnsport) {
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "'%s' cannot specify the "
+					    "DNS listener port (%d)",
+					    sources[i], port);
+				result = ISC_R_FAILURE;
+			} else if (port != 0) {
+				cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+					    "'%s': specifying a port is "
+					    "not recommended",
+					    sources[i]);
+			}
+		}
+	}
+
+	/*
+	 * Primary and secondary zones that have a "parental-agents" field,
+	 * must have a corresponding "parental-agents" clause.
+	 */
+	if (ztype == CFG_ZONE_PRIMARY || ztype == CFG_ZONE_SECONDARY) {
+		obj = NULL;
+		(void)cfg_map_get(zoptions, "parental-agents", &obj);
+		if (obj != NULL) {
+			uint32_t count;
+			tresult = validate_remotes("parental-agents", obj,
+						   config, &count, logctx,
+						   mctx);
+			if (tresult != ISC_R_SUCCESS && result == ISC_R_SUCCESS)
+			{
+				result = tresult;
+			}
+			if (tresult == ISC_R_SUCCESS && count == 0) {
+				cfg_obj_log(zoptions, logctx, ISC_LOG_ERROR,
+					    "zone '%s': "
+					    "empty 'parental-agents' entry",
+					    znamestr);
+				result = ISC_R_FAILURE;
+			}
+		}
+	}
+
+	/*
+	 * Configuring a mirror zone and disabling recursion at the same time
+	 * contradicts the purpose of the former.
+	 */
+	if (ztype == CFG_ZONE_MIRROR &&
+	    !check_recursion(config, voptions, goptions, logctx, actx, mctx))
+	{
+		cfg_obj_log(zoptions, logctx, ISC_LOG_ERROR,
+			    "zone '%s': mirror zones cannot be used if "
+			    "recursion is disabled",
+			    znamestr);
+		result = ISC_R_FAILURE;
+	}
+
+	/*
+	 * Primary zones can't have both "allow-update" and "update-policy".
+	 */
+	if (ztype == CFG_ZONE_PRIMARY || ztype == CFG_ZONE_SECONDARY) {
+		bool signing = false;
+		isc_result_t res1, res2, res3;
+		const cfg_obj_t *au = NULL;
+		const char *arg;
+
+		obj = NULL;
+		res1 = cfg_map_get(zoptions, "allow-update", &au);
+		obj = NULL;
+		res2 = cfg_map_get(zoptions, "update-policy", &obj);
+		if (res1 == ISC_R_SUCCESS && res2 == ISC_R_SUCCESS) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "zone '%s': 'allow-update' is ignored "
+				    "when 'update-policy' is present",
+				    znamestr);
+			result = ISC_R_FAILURE;
+		} else if (res2 == ISC_R_SUCCESS) {
+			res3 = check_update_policy(obj, logctx);
+			if (res3 != ISC_R_SUCCESS) {
+				result = ISC_R_FAILURE;
+			}
+		}
+
+		/*
+		 * To determine whether auto-dnssec is allowed,
+		 * we should also check for allow-update at the
+		 * view and options levels.
+		 */
+		if (res1 != ISC_R_SUCCESS && voptions != NULL) {
+			res1 = cfg_map_get(voptions, "allow-update", &au);
+		}
+		if (res1 != ISC_R_SUCCESS && goptions != NULL) {
+			res1 = cfg_map_get(goptions, "allow-update", &au);
+		}
+
+		if (res2 == ISC_R_SUCCESS) {
+			ddns = true;
+		} else if (res1 == ISC_R_SUCCESS) {
+			dns_acl_t *acl = NULL;
+			res1 = cfg_acl_fromconfig(au, config, logctx, actx,
+						  mctx, 0, &acl);
+			if (res1 != ISC_R_SUCCESS) {
+				cfg_obj_log(au, logctx, ISC_LOG_ERROR,
+					    "acl expansion failed: %s",
+					    isc_result_totext(result));
+				result = ISC_R_FAILURE;
+			} else if (acl != NULL) {
+				if (!dns_acl_isnone(acl)) {
+					ddns = true;
+				}
+				dns_acl_detach(&acl);
+			}
+		}
+
+		obj = NULL;
+		res1 = cfg_map_get(zoptions, "inline-signing", &obj);
+		if (res1 == ISC_R_SUCCESS) {
+			signing = cfg_obj_asboolean(obj);
+		}
+
+		if (has_dnssecpolicy) {
+			if (!ddns && !signing) {
+				cfg_obj_log(kasp, logctx, ISC_LOG_ERROR,
+					    "'inline-signing yes;' must also "
+					    "be configured explicitly for "
+					    "zones using dnssec-policy%s. See "
+					    "https://kb.isc.org/docs/"
+					    "dnssec-policy-requires-dynamic-"
+					    "dns-or-inline-signing",
+					    (ztype == CFG_ZONE_PRIMARY)
+						    ? " without a configured "
+						      "'allow-update' or "
+						      "'update-policy'"
+						    : "");
+				result = ISC_R_FAILURE;
+			}
+		}
+
+		obj = NULL;
+		arg = "off";
+		res3 = cfg_map_get(zoptions, "auto-dnssec", &obj);
+		if (res3 == ISC_R_SUCCESS) {
+			arg = cfg_obj_asstring(obj);
+			cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+				    "'auto-dnssec' option is deprecated and "
+				    "will be removed in BIND 9.19. Please "
+				    "migrate to dnssec-policy");
+		}
+		if (strcasecmp(arg, "off") != 0) {
+			if (!ddns && !signing && !has_dnssecpolicy) {
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "'auto-dnssec %s;' requires%s "
+					    "inline-signing to be configured "
+					    "for the zone",
+					    arg,
+					    (ztype == CFG_ZONE_PRIMARY)
+						    ? " dynamic DNS or"
+						    : "");
+				result = ISC_R_FAILURE;
+			}
+
+			if (has_dnssecpolicy) {
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "'auto-dnssec %s;' cannot be "
+					    "configured if dnssec-policy is "
+					    "also set",
+					    arg);
+				result = ISC_R_FAILURE;
+			}
+		}
+
+		obj = NULL;
+		res1 = cfg_map_get(zoptions, "sig-signing-type", &obj);
+		if (res1 == ISC_R_SUCCESS) {
+			uint32_t type = cfg_obj_asuint32(obj);
+			if (type < 0xff00U || type > 0xffffU) {
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "sig-signing-type: %u out of "
+					    "range [%u..%u]",
+					    type, 0xff00U, 0xffffU);
+			}
+			result = ISC_R_FAILURE;
+		}
+
+		obj = NULL;
+		res1 = cfg_map_get(zoptions, "dnssec-dnskey-kskonly", &obj);
+		if (res1 == ISC_R_SUCCESS && ztype == CFG_ZONE_SECONDARY &&
+		    !signing)
+		{
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "dnssec-dnskey-kskonly: requires "
+				    "inline-signing when used in slave zone");
+			result = ISC_R_FAILURE;
+		}
+		if (res1 == ISC_R_SUCCESS && has_dnssecpolicy) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "dnssec-dnskey-kskonly: cannot be "
+				    "configured if dnssec-policy is also set");
+			result = ISC_R_FAILURE;
+		}
+
+		obj = NULL;
+		res1 = cfg_map_get(zoptions, "dnssec-secure-to-insecure", &obj);
+		if (res1 == ISC_R_SUCCESS && has_dnssecpolicy) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "dnssec-secure-to-insecure: cannot be "
+				    "configured if dnssec-policy is also set");
+			result = ISC_R_FAILURE;
+		}
+
+		obj = NULL;
+		res1 = cfg_map_get(zoptions, "dnssec-loadkeys-interval", &obj);
+		if (res1 == ISC_R_SUCCESS && ztype == CFG_ZONE_SECONDARY &&
+		    !signing)
+		{
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "dnssec-loadkeys-interval: requires "
+				    "inline-signing when used in slave zone");
+			result = ISC_R_FAILURE;
+		}
+
+		obj = NULL;
+		res1 = cfg_map_get(zoptions, "update-check-ksk", &obj);
+		if (res1 == ISC_R_SUCCESS && ztype == CFG_ZONE_SECONDARY &&
+		    !signing)
+		{
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "update-check-ksk: requires "
+				    "inline-signing when used in slave zone");
+			result = ISC_R_FAILURE;
+		}
+		if (res1 == ISC_R_SUCCESS && has_dnssecpolicy) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "update-check-ksk: cannot be configured "
+				    "if dnssec-policy is also set");
+			result = ISC_R_FAILURE;
+		}
+
+		obj = NULL;
+		res1 = cfg_map_get(zoptions, "dnssec-update-mode", &obj);
+		if (res1 == ISC_R_SUCCESS && has_dnssecpolicy) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "dnssec-update-mode: cannot be configured "
+				    "if dnssec-policy is also set");
+			result = ISC_R_FAILURE;
+		}
+	}
+
+	/*
+	 * Check the excessively complicated "dialup" option.
+	 */
+	if (ztype == CFG_ZONE_PRIMARY || ztype == CFG_ZONE_SECONDARY ||
+	    ztype == CFG_ZONE_STUB)
+	{
+		obj = NULL;
+		(void)cfg_map_get(zoptions, "dialup", &obj);
+		if (obj != NULL && cfg_obj_isstring(obj)) {
+			const char *str = cfg_obj_asstring(obj);
+			for (i = 0; i < sizeof(dialups) / sizeof(dialups[0]);
+			     i++)
+			{
+				if (strcasecmp(dialups[i].name, str) != 0) {
+					continue;
+				}
+				if ((dialups[i].allowed & ztype) == 0) {
+					cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+						    "dialup type '%s' is not "
+						    "allowed in '%s' "
+						    "zone '%s'",
+						    str, typestr, znamestr);
+					result = ISC_R_FAILURE;
+				}
+				break;
+			}
+			if (i == sizeof(dialups) / sizeof(dialups[0])) {
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "invalid dialup type '%s' in zone "
+					    "'%s'",
+					    str, znamestr);
+				result = ISC_R_FAILURE;
+			}
+		}
+	}
+
+	/*
+	 * Check that forwarding is reasonable.
+	 */
+	obj = NULL;
+	if (root) {
+		if (voptions != NULL) {
+			(void)cfg_map_get(voptions, "forwarders", &obj);
+		}
+		if (obj == NULL && goptions != NULL) {
+			(void)cfg_map_get(goptions, "forwarders", &obj);
+		}
+	}
+	if (check_forward(zoptions, obj, logctx) != ISC_R_SUCCESS) {
+		result = ISC_R_FAILURE;
+	}
+
+	/*
+	 * Check that a RFC 1918 / ULA reverse zone is not forward first
+	 * unless explicitly configured to be so.
+	 */
+	if (ztype == CFG_ZONE_FORWARD && (rfc1918 || ula)) {
+		obj = NULL;
+		(void)cfg_map_get(zoptions, "forward", &obj);
+		if (obj == NULL) {
+			/*
+			 * Forward mode not explicitly configured.
+			 */
+			if (voptions != NULL) {
+				cfg_map_get(voptions, "forward", &obj);
+			}
+			if (obj == NULL && goptions != NULL) {
+				cfg_map_get(goptions, "forward", &obj);
+			}
+			if (obj == NULL ||
+			    strcasecmp(cfg_obj_asstring(obj), "first") == 0)
+			{
+				cfg_obj_log(zconfig, logctx, ISC_LOG_WARNING,
+					    "inherited 'forward first;' for "
+					    "%s zone '%s' - did you want "
+					    "'forward only;'?",
+					    rfc1918 ? "rfc1918" : "ula",
+					    znamestr);
+			}
+		}
+	}
+
+	/*
+	 * Check validity of static stub server addresses.
+	 */
+	obj = NULL;
+	(void)cfg_map_get(zoptions, "server-addresses", &obj);
+	if (ztype == CFG_ZONE_STATICSTUB && obj != NULL) {
+		for (element = cfg_list_first(obj); element != NULL;
+		     element = cfg_list_next(element))
+		{
+			isc_sockaddr_t sa;
+			isc_netaddr_t na;
+			obj = cfg_listelt_value(element);
+			sa = *cfg_obj_assockaddr(obj);
+
+			isc_netaddr_fromsockaddr(&na, &sa);
+			if (isc_netaddr_getzone(&na) != 0) {
+				result = ISC_R_FAILURE;
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "scoped address is not allowed "
+					    "for static stub "
+					    "server-addresses");
+			}
+		}
+	}
+
+	/*
+	 * Check validity of static stub server names.
+	 */
+	obj = NULL;
+	(void)cfg_map_get(zoptions, "server-names", &obj);
+	if (zname != NULL && ztype == CFG_ZONE_STATICSTUB && obj != NULL) {
+		for (element = cfg_list_first(obj); element != NULL;
+		     element = cfg_list_next(element))
+		{
+			const char *snamestr;
+			dns_fixedname_t fixed_sname;
+			isc_buffer_t b2;
+			dns_name_t *sname;
+
+			obj = cfg_listelt_value(element);
+			snamestr = cfg_obj_asstring(obj);
+
+			isc_buffer_constinit(&b2, snamestr, strlen(snamestr));
+			isc_buffer_add(&b2, strlen(snamestr));
+			sname = dns_fixedname_initname(&fixed_sname);
+			tresult = dns_name_fromtext(sname, &b2, dns_rootname, 0,
+						    NULL);
+			if (tresult != ISC_R_SUCCESS) {
+				cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
+					    "server-name '%s' is not a valid "
+					    "name",
+					    snamestr);
+				result = ISC_R_FAILURE;
+			} else if (dns_name_issubdomain(sname, zname)) {
+				cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
+					    "server-name '%s' must not be a "
+					    "subdomain of zone name '%s'",
+					    snamestr, znamestr);
+				result = ISC_R_FAILURE;
+			}
+		}
+	}
+
+	/*
+	 * Check that max-zone-ttl isn't used with masterfile-format map
+	 */
+	masterformat = dns_masterformat_text;
+	obj = NULL;
+	(void)cfg_map_get(zoptions, "masterfile-format", &obj);
+	if (obj != NULL) {
+		const char *masterformatstr = cfg_obj_asstring(obj);
+		if (strcasecmp(masterformatstr, "text") == 0) {
+			masterformat = dns_masterformat_text;
+		} else if (strcasecmp(masterformatstr, "raw") == 0) {
+			masterformat = dns_masterformat_raw;
+		} else if (strcasecmp(masterformatstr, "map") == 0) {
+			masterformat = dns_masterformat_map;
+			cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+				    "masterfile-format: format 'map' is "
+				    "deprecated");
+		} else {
+			UNREACHABLE();
+		}
+	}
+
+	if (masterformat == dns_masterformat_map) {
+		obj = NULL;
+		(void)cfg_map_get(zoptions, "max-zone-ttl", &obj);
+		if (obj == NULL && voptions != NULL) {
+			(void)cfg_map_get(voptions, "max-zone-ttl", &obj);
+		}
+		if (obj == NULL && goptions != NULL) {
+			(void)cfg_map_get(goptions, "max-zone-ttl", &obj);
+		}
+		if (obj != NULL) {
+			cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
+				    "zone '%s': 'max-zone-ttl' is not "
+				    "compatible with 'masterfile-format map'",
+				    znamestr);
+			result = ISC_R_FAILURE;
+		}
+	}
+
+	/*
+	 * Warn if key-directory doesn't exist
+	 */
+	obj = NULL;
+	(void)cfg_map_get(zoptions, "key-directory", &obj);
+	if (obj == NULL && voptions != NULL) {
+		(void)cfg_map_get(voptions, "key-directory", &obj);
+	}
+	if (obj == NULL && goptions != NULL) {
+		(void)cfg_map_get(goptions, "key-directory", &obj);
+	}
+	if (obj != NULL) {
+		dir = cfg_obj_asstring(obj);
+
+		tresult = isc_file_isdirectory(dir);
+		switch (tresult) {
+		case ISC_R_SUCCESS:
+			break;
+		case ISC_R_FILENOTFOUND:
+			cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+				    "key-directory: '%s' does not exist", dir);
+			break;
+		case ISC_R_INVALIDFILE:
+			cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+				    "key-directory: '%s' is not a directory",
+				    dir);
+			break;
+		default:
+			cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+				    "key-directory: '%s' %s", dir,
+				    isc_result_totext(tresult));
+			result = tresult;
+		}
+	}
+
+	/*
+	 * Make sure there is no other zone with the same
+	 * key-directory and a different dnssec-policy.
+	 */
+	if (zname != NULL) {
+		char keydirbuf[DNS_NAME_FORMATSIZE + 128];
+		char *tmp = keydirbuf;
+		size_t len = sizeof(keydirbuf);
+		dns_name_format(zname, keydirbuf, sizeof(keydirbuf));
+		len -= strlen(tmp);
+		tmp += strlen(tmp);
+		(void)snprintf(tmp, len, "/%s", (dir == NULL) ? "(null)" : dir);
+		tresult = keydirexist(zconfig, (const char *)keydirbuf,
+				      kaspname, keydirs, logctx, mctx);
+		if (tresult != ISC_R_SUCCESS) {
+			result = tresult;
+		}
+	}
+
+	/*
+	 * Check various options.
+	 */
+	tresult = check_options(zoptions, logctx, mctx, optlevel_zone);
+	if (tresult != ISC_R_SUCCESS) {
+		result = tresult;
+	}
+
+	/*
+	 * If the zone type is rbt/rbt64 then primary/hint zones require file
+	 * clauses. If inline-signing is used, then secondary zones require a
+	 * file clause as well.
+	 */
+	obj = NULL;
+	dlz = false;
+	tresult = cfg_map_get(zoptions, "dlz", &obj);
+	if (tresult == ISC_R_SUCCESS) {
+		dlz = true;
+	}
+
+	obj = NULL;
+	tresult = cfg_map_get(zoptions, "database", &obj);
+	if (dlz && tresult == ISC_R_SUCCESS) {
+		cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
+			    "zone '%s': cannot specify both 'dlz' "
+			    "and 'database'",
+			    znamestr);
+		result = ISC_R_FAILURE;
+	} else if (!dlz && (tresult == ISC_R_NOTFOUND ||
+			    (tresult == ISC_R_SUCCESS &&
+			     (strcmp("rbt", cfg_obj_asstring(obj)) == 0 ||
+			      strcmp("rbt64", cfg_obj_asstring(obj)) == 0))))
+	{
+		isc_result_t res1;
+		const cfg_obj_t *fileobj = NULL;
+		tresult = cfg_map_get(zoptions, "file", &fileobj);
+		obj = NULL;
+		res1 = cfg_map_get(zoptions, "inline-signing", &obj);
+		if ((tresult != ISC_R_SUCCESS &&
+		     (ztype == CFG_ZONE_PRIMARY || ztype == CFG_ZONE_HINT ||
+		      (ztype == CFG_ZONE_SECONDARY && res1 == ISC_R_SUCCESS &&
+		       cfg_obj_asboolean(obj)))))
+		{
+			cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
+				    "zone '%s': missing 'file' entry",
+				    znamestr);
+			result = tresult;
+		} else if (tresult == ISC_R_SUCCESS &&
+			   (ztype == CFG_ZONE_SECONDARY ||
+			    ztype == CFG_ZONE_MIRROR || ddns ||
+			    has_dnssecpolicy))
+		{
+			tresult = fileexist(fileobj, files, true, logctx);
+			if (tresult != ISC_R_SUCCESS) {
+				result = tresult;
+			}
+		} else if (tresult == ISC_R_SUCCESS &&
+			   (ztype == CFG_ZONE_PRIMARY ||
+			    ztype == CFG_ZONE_HINT))
+		{
+			tresult = fileexist(fileobj, files, false, logctx);
+			if (tresult != ISC_R_SUCCESS) {
+				result = tresult;
+			}
+		}
+	}
+
+	return (result);
+}
+
+typedef struct keyalgorithms {
+	const char *name;
+	uint16_t size;
+} algorithmtable;
+
+isc_result_t
+bind9_check_key(const cfg_obj_t *key, isc_log_t *logctx) {
+	const cfg_obj_t *algobj = NULL;
+	const cfg_obj_t *secretobj = NULL;
+	const char *keyname = cfg_obj_asstring(cfg_map_getname(key));
+	const char *algorithm;
+	int i;
+	size_t len = 0;
+	isc_result_t result;
+	isc_buffer_t buf;
+	unsigned char secretbuf[1024];
+	static const algorithmtable algorithms[] = {
+		{ "hmac-md5", 128 },
+		{ "hmac-md5.sig-alg.reg.int", 0 },
+		{ "hmac-md5.sig-alg.reg.int.", 0 },
+		{ "hmac-sha1", 160 },
+		{ "hmac-sha224", 224 },
+		{ "hmac-sha256", 256 },
+		{ "hmac-sha384", 384 },
+		{ "hmac-sha512", 512 },
+		{ NULL, 0 }
+	};
+
+	(void)cfg_map_get(key, "algorithm", &algobj);
+	(void)cfg_map_get(key, "secret", &secretobj);
+	if (secretobj == NULL || algobj == NULL) {
+		cfg_obj_log(key, logctx, ISC_LOG_ERROR,
+			    "key '%s' must have both 'secret' and "
+			    "'algorithm' defined",
+			    keyname);
+		return (ISC_R_FAILURE);
+	}
+
+	isc_buffer_init(&buf, secretbuf, sizeof(secretbuf));
+	result = isc_base64_decodestring(cfg_obj_asstring(secretobj), &buf);
+	if (result != ISC_R_SUCCESS) {
+		cfg_obj_log(secretobj, logctx, ISC_LOG_ERROR, "bad secret '%s'",
+			    isc_result_totext(result));
+		return (result);
+	}
+
+	algorithm = cfg_obj_asstring(algobj);
+	for (i = 0; algorithms[i].name != NULL; i++) {
+		len = strlen(algorithms[i].name);
+		if (strncasecmp(algorithms[i].name, algorithm, len) == 0 &&
+		    (algorithm[len] == '\0' ||
+		     (algorithms[i].size != 0 && algorithm[len] == '-')))
+		{
+			break;
+		}
+	}
+	if (algorithms[i].name == NULL) {
+		cfg_obj_log(algobj, logctx, ISC_LOG_ERROR,
+			    "unknown algorithm '%s'", algorithm);
+		return (ISC_R_NOTFOUND);
+	}
+	if (algorithm[len] == '-') {
+		uint16_t digestbits;
+		result = isc_parse_uint16(&digestbits, algorithm + len + 1, 10);
+		if (result == ISC_R_SUCCESS || result == ISC_R_RANGE) {
+			if (result == ISC_R_RANGE ||
+			    digestbits > algorithms[i].size)
+			{
+				cfg_obj_log(algobj, logctx, ISC_LOG_ERROR,
+					    "key '%s' digest-bits too large "
+					    "[%u..%u]",
+					    keyname, algorithms[i].size / 2,
+					    algorithms[i].size);
+				return (ISC_R_RANGE);
+			}
+			if ((digestbits % 8) != 0) {
+				cfg_obj_log(algobj, logctx, ISC_LOG_ERROR,
+					    "key '%s' digest-bits not multiple"
+					    " of 8",
+					    keyname);
+				return (ISC_R_RANGE);
+			}
+			/*
+			 * Recommended minima for hmac algorithms.
+			 */
+			if ((digestbits < (algorithms[i].size / 2U) ||
+			     (digestbits < 80U)))
+			{
+				cfg_obj_log(algobj, logctx, ISC_LOG_WARNING,
+					    "key '%s' digest-bits too small "
+					    "[<%u]",
+					    keyname, algorithms[i].size / 2);
+			}
+		} else {
+			cfg_obj_log(algobj, logctx, ISC_LOG_ERROR,
+				    "key '%s': unable to parse digest-bits",
+				    keyname);
+			return (result);
+		}
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+fileexist(const cfg_obj_t *obj, isc_symtab_t *symtab, bool writeable,
+	  isc_log_t *logctx) {
+	isc_result_t result;
+	isc_symvalue_t symvalue;
+	unsigned int line;
+	const char *file;
+
+	result = isc_symtab_lookup(symtab, cfg_obj_asstring(obj), 0, &symvalue);
+	if (result == ISC_R_SUCCESS) {
+		if (writeable) {
+			file = cfg_obj_file(symvalue.as_cpointer);
+			line = cfg_obj_line(symvalue.as_cpointer);
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "writeable file '%s': already in use: "
+				    "%s:%u",
+				    cfg_obj_asstring(obj), file, line);
+			return (ISC_R_EXISTS);
+		}
+		result = isc_symtab_lookup(symtab, cfg_obj_asstring(obj), 2,
+					   &symvalue);
+		if (result == ISC_R_SUCCESS) {
+			file = cfg_obj_file(symvalue.as_cpointer);
+			line = cfg_obj_line(symvalue.as_cpointer);
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "writeable file '%s': already in use: "
+				    "%s:%u",
+				    cfg_obj_asstring(obj), file, line);
+			return (ISC_R_EXISTS);
+		}
+		return (ISC_R_SUCCESS);
+	}
+
+	symvalue.as_cpointer = obj;
+	result = isc_symtab_define(symtab, cfg_obj_asstring(obj),
+				   writeable ? 2 : 1, symvalue,
+				   isc_symexists_reject);
+	return (result);
+}
+
+static isc_result_t
+keydirexist(const cfg_obj_t *zcfg, const char *keydir, const char *kaspnamestr,
+	    isc_symtab_t *symtab, isc_log_t *logctx, isc_mem_t *mctx) {
+	isc_result_t result;
+	isc_symvalue_t symvalue;
+	char *symkey;
+
+	if (kaspnamestr == NULL || strcmp(kaspnamestr, "none") == 0) {
+		return (ISC_R_SUCCESS);
+	}
+
+	result = isc_symtab_lookup(symtab, keydir, 0, &symvalue);
+	if (result == ISC_R_SUCCESS) {
+		const cfg_obj_t *kasp = NULL;
+		const cfg_obj_t *exist = symvalue.as_cpointer;
+		const char *file = cfg_obj_file(exist);
+		unsigned int line = cfg_obj_line(exist);
+
+		/*
+		 * Having the same key-directory for the same zone is fine
+		 * iff the zone is using the same policy, or has no policy.
+		 */
+		(void)cfg_map_get(cfg_tuple_get(exist, "options"),
+				  "dnssec-policy", &kasp);
+		if (kasp == NULL ||
+		    strcmp(cfg_obj_asstring(kasp), "none") == 0 ||
+		    strcmp(cfg_obj_asstring(kasp), kaspnamestr) == 0)
+		{
+			return (ISC_R_SUCCESS);
+		}
+
+		cfg_obj_log(zcfg, logctx, ISC_LOG_ERROR,
+			    "key-directory '%s' already in use by zone %s with "
+			    "policy %s: %s:%u",
+			    keydir,
+			    cfg_obj_asstring(cfg_tuple_get(exist, "name")),
+			    cfg_obj_asstring(kasp), file, line);
+		return (ISC_R_EXISTS);
+	}
+
+	/*
+	 * Add the new zone plus key-directory.
+	 */
+	symkey = isc_mem_strdup(mctx, keydir);
+	symvalue.as_cpointer = zcfg;
+	result = isc_symtab_define(symtab, symkey, 2, symvalue,
+				   isc_symexists_reject);
+	return (result);
+}
+
+/*
+ * Check key list for duplicates key names and that the key names
+ * are valid domain names as these keys are used for TSIG.
+ *
+ * Check the key contents for validity.
+ */
+static isc_result_t
+check_keylist(const cfg_obj_t *keys, isc_symtab_t *symtab, isc_mem_t *mctx,
+	      isc_log_t *logctx) {
+	char namebuf[DNS_NAME_FORMATSIZE];
+	dns_fixedname_t fname;
+	dns_name_t *name;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult;
+	const cfg_listelt_t *element;
+
+	name = dns_fixedname_initname(&fname);
+	for (element = cfg_list_first(keys); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		const cfg_obj_t *key = cfg_listelt_value(element);
+		const char *keyid = cfg_obj_asstring(cfg_map_getname(key));
+		isc_symvalue_t symvalue;
+		isc_buffer_t b;
+		char *keyname;
+
+		isc_buffer_constinit(&b, keyid, strlen(keyid));
+		isc_buffer_add(&b, strlen(keyid));
+		tresult = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
+		if (tresult != ISC_R_SUCCESS) {
+			cfg_obj_log(key, logctx, ISC_LOG_ERROR,
+				    "key '%s': bad key name", keyid);
+			result = tresult;
+			continue;
+		}
+		tresult = bind9_check_key(key, logctx);
+		if (tresult != ISC_R_SUCCESS) {
+			return (tresult);
+		}
+
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		keyname = isc_mem_strdup(mctx, namebuf);
+		symvalue.as_cpointer = key;
+		tresult = isc_symtab_define(symtab, keyname, 1, symvalue,
+					    isc_symexists_reject);
+		if (tresult == ISC_R_EXISTS) {
+			const char *file;
+			unsigned int line;
+
+			RUNTIME_CHECK(isc_symtab_lookup(symtab, keyname, 1,
+							&symvalue) ==
+				      ISC_R_SUCCESS);
+			file = cfg_obj_file(symvalue.as_cpointer);
+			line = cfg_obj_line(symvalue.as_cpointer);
+
+			if (file == NULL) {
+				file = "<unknown file>";
+			}
+			cfg_obj_log(key, logctx, ISC_LOG_ERROR,
+				    "key '%s': already exists "
+				    "previous definition: %s:%u",
+				    keyid, file, line);
+			isc_mem_free(mctx, keyname);
+			result = tresult;
+		} else if (tresult != ISC_R_SUCCESS) {
+			isc_mem_free(mctx, keyname);
+			return (tresult);
+		}
+	}
+	return (result);
+}
+
+/*
+ * RNDC keys are not normalised unlike TSIG keys.
+ *
+ * 	"foo." is different to "foo".
+ */
+static bool
+rndckey_exists(const cfg_obj_t *keylist, const char *keyname) {
+	const cfg_listelt_t *element;
+	const cfg_obj_t *obj;
+	const char *str;
+
+	if (keylist == NULL) {
+		return (false);
+	}
+
+	for (element = cfg_list_first(keylist); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		obj = cfg_listelt_value(element);
+		str = cfg_obj_asstring(cfg_map_getname(obj));
+		if (!strcasecmp(str, keyname)) {
+			return (true);
+		}
+	}
+	return (false);
+}
+
+static struct {
+	const char *v4;
+	const char *v6;
+} sources[] = { { "transfer-source", "transfer-source-v6" },
+		{ "notify-source", "notify-source-v6" },
+		{ "parental-source", "parental-source-v6" },
+		{ "query-source", "query-source-v6" },
+		{ NULL, NULL } };
+
+static isc_result_t
+check_servers(const cfg_obj_t *config, const cfg_obj_t *voptions,
+	      isc_symtab_t *symtab, isc_log_t *logctx) {
+	dns_fixedname_t fname;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult;
+	const cfg_listelt_t *e1, *e2;
+	const cfg_obj_t *v1, *v2, *keys;
+	const cfg_obj_t *servers;
+	isc_netaddr_t n1, n2;
+	unsigned int p1, p2;
+	const cfg_obj_t *obj;
+	char buf[ISC_NETADDR_FORMATSIZE];
+	char namebuf[DNS_NAME_FORMATSIZE];
+	const char *xfr;
+	const char *keyval;
+	isc_buffer_t b;
+	int source;
+	dns_name_t *keyname;
+
+	servers = NULL;
+	if (voptions != NULL) {
+		(void)cfg_map_get(voptions, "server", &servers);
+	}
+	if (servers == NULL) {
+		(void)cfg_map_get(config, "server", &servers);
+	}
+	if (servers == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+
+	for (e1 = cfg_list_first(servers); e1 != NULL; e1 = cfg_list_next(e1)) {
+		v1 = cfg_listelt_value(e1);
+		cfg_obj_asnetprefix(cfg_map_getname(v1), &n1, &p1);
+		/*
+		 * Check that unused bits are zero.
+		 */
+		tresult = isc_netaddr_prefixok(&n1, p1);
+		if (tresult != ISC_R_SUCCESS) {
+			INSIST(tresult == ISC_R_FAILURE);
+			isc_netaddr_format(&n1, buf, sizeof(buf));
+			cfg_obj_log(v1, logctx, ISC_LOG_ERROR,
+				    "server '%s/%u': invalid prefix "
+				    "(extra bits specified)",
+				    buf, p1);
+			result = tresult;
+		}
+		source = 0;
+		do {
+			/*
+			 * For a v6 server we can't specify a v4 source,
+			 * and vice versa.
+			 */
+			obj = NULL;
+			if (n1.family == AF_INET) {
+				xfr = sources[source].v6;
+			} else {
+				xfr = sources[source].v4;
+			}
+			(void)cfg_map_get(v1, xfr, &obj);
+			if (obj != NULL) {
+				isc_netaddr_format(&n1, buf, sizeof(buf));
+				cfg_obj_log(v1, logctx, ISC_LOG_ERROR,
+					    "server '%s/%u': %s not legal", buf,
+					    p1, xfr);
+				result = ISC_R_FAILURE;
+			}
+
+			/*
+			 * Check that we aren't using the DNS
+			 * listener port (i.e. 53, or whatever was set
+			 * as "port" in options) as a source port.
+			 */
+			obj = NULL;
+			if (n1.family == AF_INET) {
+				xfr = sources[source].v4;
+			} else {
+				xfr = sources[source].v6;
+			}
+			(void)cfg_map_get(v1, xfr, &obj);
+			if (obj != NULL) {
+				const isc_sockaddr_t *sa =
+					cfg_obj_assockaddr(obj);
+				in_port_t port = isc_sockaddr_getport(sa);
+				if (port == dnsport) {
+					cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+						    "'%s' cannot specify the "
+						    "DNS listener port (%d)",
+						    xfr, port);
+					result = ISC_R_FAILURE;
+				}
+			}
+		} while (sources[++source].v4 != NULL);
+		e2 = e1;
+		while ((e2 = cfg_list_next(e2)) != NULL) {
+			v2 = cfg_listelt_value(e2);
+			cfg_obj_asnetprefix(cfg_map_getname(v2), &n2, &p2);
+			if (p1 == p2 && isc_netaddr_equal(&n1, &n2)) {
+				const char *file = cfg_obj_file(v1);
+				unsigned int line = cfg_obj_line(v1);
+
+				if (file == NULL) {
+					file = "<unknown file>";
+				}
+
+				isc_netaddr_format(&n2, buf, sizeof(buf));
+				cfg_obj_log(v2, logctx, ISC_LOG_ERROR,
+					    "server '%s/%u': already exists "
+					    "previous definition: %s:%u",
+					    buf, p2, file, line);
+				result = ISC_R_FAILURE;
+			}
+		}
+		keys = NULL;
+		cfg_map_get(v1, "keys", &keys);
+		if (keys != NULL) {
+			/*
+			 * Normalize key name.
+			 */
+			keyval = cfg_obj_asstring(keys);
+			isc_buffer_constinit(&b, keyval, strlen(keyval));
+			isc_buffer_add(&b, strlen(keyval));
+			keyname = dns_fixedname_initname(&fname);
+			tresult = dns_name_fromtext(keyname, &b, dns_rootname,
+						    0, NULL);
+			if (tresult != ISC_R_SUCCESS) {
+				cfg_obj_log(keys, logctx, ISC_LOG_ERROR,
+					    "bad key name '%s'", keyval);
+				result = ISC_R_FAILURE;
+				continue;
+			}
+			dns_name_format(keyname, namebuf, sizeof(namebuf));
+			tresult = isc_symtab_lookup(symtab, namebuf, 1, NULL);
+			if (tresult != ISC_R_SUCCESS) {
+				cfg_obj_log(keys, logctx, ISC_LOG_ERROR,
+					    "unknown key '%s'", keyval);
+				result = ISC_R_FAILURE;
+			}
+		}
+	}
+	return (result);
+}
+
+#define ROOT_KSK_STATIC	 0x01
+#define ROOT_KSK_MANAGED 0x02
+#define ROOT_KSK_ANY	 0x03
+#define ROOT_KSK_2010	 0x04
+#define ROOT_KSK_2017	 0x08
+
+static isc_result_t
+check_trust_anchor(const cfg_obj_t *key, bool managed, unsigned int *flagsp,
+		   isc_log_t *logctx) {
+	const char *str = NULL, *namestr = NULL;
+	dns_fixedname_t fkeyname;
+	dns_name_t *keyname = NULL;
+	isc_buffer_t b;
+	isc_region_t r;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult;
+	uint32_t rdata1, rdata2, rdata3;
+	unsigned char data[4096];
+	const char *atstr = NULL;
+	enum {
+		INIT_DNSKEY,
+		STATIC_DNSKEY,
+		INIT_DS,
+		STATIC_DS,
+		TRUSTED
+	} anchortype;
+
+	/*
+	 * The 2010 and 2017 IANA root keys - these are used below
+	 * to check the contents of trusted, initial and
+	 * static trust anchor configurations.
+	 */
+	static const unsigned char root_ksk_2010[] = {
+		0x03, 0x01, 0x00, 0x01, 0xa8, 0x00, 0x20, 0xa9, 0x55, 0x66,
+		0xba, 0x42, 0xe8, 0x86, 0xbb, 0x80, 0x4c, 0xda, 0x84, 0xe4,
+		0x7e, 0xf5, 0x6d, 0xbd, 0x7a, 0xec, 0x61, 0x26, 0x15, 0x55,
+		0x2c, 0xec, 0x90, 0x6d, 0x21, 0x16, 0xd0, 0xef, 0x20, 0x70,
+		0x28, 0xc5, 0x15, 0x54, 0x14, 0x4d, 0xfe, 0xaf, 0xe7, 0xc7,
+		0xcb, 0x8f, 0x00, 0x5d, 0xd1, 0x82, 0x34, 0x13, 0x3a, 0xc0,
+		0x71, 0x0a, 0x81, 0x18, 0x2c, 0xe1, 0xfd, 0x14, 0xad, 0x22,
+		0x83, 0xbc, 0x83, 0x43, 0x5f, 0x9d, 0xf2, 0xf6, 0x31, 0x32,
+		0x51, 0x93, 0x1a, 0x17, 0x6d, 0xf0, 0xda, 0x51, 0xe5, 0x4f,
+		0x42, 0xe6, 0x04, 0x86, 0x0d, 0xfb, 0x35, 0x95, 0x80, 0x25,
+		0x0f, 0x55, 0x9c, 0xc5, 0x43, 0xc4, 0xff, 0xd5, 0x1c, 0xbe,
+		0x3d, 0xe8, 0xcf, 0xd0, 0x67, 0x19, 0x23, 0x7f, 0x9f, 0xc4,
+		0x7e, 0xe7, 0x29, 0xda, 0x06, 0x83, 0x5f, 0xa4, 0x52, 0xe8,
+		0x25, 0xe9, 0xa1, 0x8e, 0xbc, 0x2e, 0xcb, 0xcf, 0x56, 0x34,
+		0x74, 0x65, 0x2c, 0x33, 0xcf, 0x56, 0xa9, 0x03, 0x3b, 0xcd,
+		0xf5, 0xd9, 0x73, 0x12, 0x17, 0x97, 0xec, 0x80, 0x89, 0x04,
+		0x1b, 0x6e, 0x03, 0xa1, 0xb7, 0x2d, 0x0a, 0x73, 0x5b, 0x98,
+		0x4e, 0x03, 0x68, 0x73, 0x09, 0x33, 0x23, 0x24, 0xf2, 0x7c,
+		0x2d, 0xba, 0x85, 0xe9, 0xdb, 0x15, 0xe8, 0x3a, 0x01, 0x43,
+		0x38, 0x2e, 0x97, 0x4b, 0x06, 0x21, 0xc1, 0x8e, 0x62, 0x5e,
+		0xce, 0xc9, 0x07, 0x57, 0x7d, 0x9e, 0x7b, 0xad, 0xe9, 0x52,
+		0x41, 0xa8, 0x1e, 0xbb, 0xe8, 0xa9, 0x01, 0xd4, 0xd3, 0x27,
+		0x6e, 0x40, 0xb1, 0x14, 0xc0, 0xa2, 0xe6, 0xfc, 0x38, 0xd1,
+		0x9c, 0x2e, 0x6a, 0xab, 0x02, 0x64, 0x4b, 0x28, 0x13, 0xf5,
+		0x75, 0xfc, 0x21, 0x60, 0x1e, 0x0d, 0xee, 0x49, 0xcd, 0x9e,
+		0xe9, 0x6a, 0x43, 0x10, 0x3e, 0x52, 0x4d, 0x62, 0x87, 0x3d
+	};
+	static const unsigned char root_ksk_2017[] = {
+		0x03, 0x01, 0x00, 0x01, 0xac, 0xff, 0xb4, 0x09, 0xbc, 0xc9,
+		0x39, 0xf8, 0x31, 0xf7, 0xa1, 0xe5, 0xec, 0x88, 0xf7, 0xa5,
+		0x92, 0x55, 0xec, 0x53, 0x04, 0x0b, 0xe4, 0x32, 0x02, 0x73,
+		0x90, 0xa4, 0xce, 0x89, 0x6d, 0x6f, 0x90, 0x86, 0xf3, 0xc5,
+		0xe1, 0x77, 0xfb, 0xfe, 0x11, 0x81, 0x63, 0xaa, 0xec, 0x7a,
+		0xf1, 0x46, 0x2c, 0x47, 0x94, 0x59, 0x44, 0xc4, 0xe2, 0xc0,
+		0x26, 0xbe, 0x5e, 0x98, 0xbb, 0xcd, 0xed, 0x25, 0x97, 0x82,
+		0x72, 0xe1, 0xe3, 0xe0, 0x79, 0xc5, 0x09, 0x4d, 0x57, 0x3f,
+		0x0e, 0x83, 0xc9, 0x2f, 0x02, 0xb3, 0x2d, 0x35, 0x13, 0xb1,
+		0x55, 0x0b, 0x82, 0x69, 0x29, 0xc8, 0x0d, 0xd0, 0xf9, 0x2c,
+		0xac, 0x96, 0x6d, 0x17, 0x76, 0x9f, 0xd5, 0x86, 0x7b, 0x64,
+		0x7c, 0x3f, 0x38, 0x02, 0x9a, 0xbd, 0xc4, 0x81, 0x52, 0xeb,
+		0x8f, 0x20, 0x71, 0x59, 0xec, 0xc5, 0xd2, 0x32, 0xc7, 0xc1,
+		0x53, 0x7c, 0x79, 0xf4, 0xb7, 0xac, 0x28, 0xff, 0x11, 0x68,
+		0x2f, 0x21, 0x68, 0x1b, 0xf6, 0xd6, 0xab, 0xa5, 0x55, 0x03,
+		0x2b, 0xf6, 0xf9, 0xf0, 0x36, 0xbe, 0xb2, 0xaa, 0xa5, 0xb3,
+		0x77, 0x8d, 0x6e, 0xeb, 0xfb, 0xa6, 0xbf, 0x9e, 0xa1, 0x91,
+		0xbe, 0x4a, 0xb0, 0xca, 0xea, 0x75, 0x9e, 0x2f, 0x77, 0x3a,
+		0x1f, 0x90, 0x29, 0xc7, 0x3e, 0xcb, 0x8d, 0x57, 0x35, 0xb9,
+		0x32, 0x1d, 0xb0, 0x85, 0xf1, 0xb8, 0xe2, 0xd8, 0x03, 0x8f,
+		0xe2, 0x94, 0x19, 0x92, 0x54, 0x8c, 0xee, 0x0d, 0x67, 0xdd,
+		0x45, 0x47, 0xe1, 0x1d, 0xd6, 0x3a, 0xf9, 0xc9, 0xfc, 0x1c,
+		0x54, 0x66, 0xfb, 0x68, 0x4c, 0xf0, 0x09, 0xd7, 0x19, 0x7c,
+		0x2c, 0xf7, 0x9e, 0x79, 0x2a, 0xb5, 0x01, 0xe6, 0xa8, 0xa1,
+		0xca, 0x51, 0x9a, 0xf2, 0xcb, 0x9b, 0x5f, 0x63, 0x67, 0xe9,
+		0x4c, 0x0d, 0x47, 0x50, 0x24, 0x51, 0x35, 0x7b, 0xe1, 0xb5
+	};
+	static const unsigned char root_ds_1_2017[] = {
+		0xae, 0x1e, 0xa5, 0xb9, 0x74, 0xd4, 0xc8, 0x58, 0xb7, 0x40,
+		0xbd, 0x03, 0xe3, 0xce, 0xd7, 0xeb, 0xfc, 0xbd, 0x17, 0x24
+	};
+	static const unsigned char root_ds_2_2017[] = {
+		0xe0, 0x6d, 0x44, 0xb8, 0x0b, 0x8f, 0x1d, 0x39,
+		0xa9, 0x5c, 0x0b, 0x0d, 0x7c, 0x65, 0xd0, 0x84,
+		0x58, 0xe8, 0x80, 0x40, 0x9b, 0xbc, 0x68, 0x34,
+		0x57, 0x10, 0x42, 0x37, 0xc7, 0xf8, 0xec, 0x8D
+	};
+
+	/* if DNSKEY, flags; if DS, key tag */
+	rdata1 = cfg_obj_asuint32(cfg_tuple_get(key, "rdata1"));
+
+	/* if DNSKEY, protocol; if DS, algorithm */
+	rdata2 = cfg_obj_asuint32(cfg_tuple_get(key, "rdata2"));
+
+	/* if DNSKEY, algorithm; if DS, digest type */
+	rdata3 = cfg_obj_asuint32(cfg_tuple_get(key, "rdata3"));
+
+	namestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
+
+	keyname = dns_fixedname_initname(&fkeyname);
+	isc_buffer_constinit(&b, namestr, strlen(namestr));
+	isc_buffer_add(&b, strlen(namestr));
+	result = dns_name_fromtext(keyname, &b, dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		cfg_obj_log(key, logctx, ISC_LOG_WARNING, "bad key name: %s\n",
+			    isc_result_totext(result));
+		result = ISC_R_FAILURE;
+	}
+
+	if (managed) {
+		atstr = cfg_obj_asstring(cfg_tuple_get(key, "anchortype"));
+
+		if (strcasecmp(atstr, "static-key") == 0) {
+			managed = false;
+			anchortype = STATIC_DNSKEY;
+		} else if (strcasecmp(atstr, "static-ds") == 0) {
+			managed = false;
+			anchortype = STATIC_DS;
+		} else if (strcasecmp(atstr, "initial-key") == 0) {
+			anchortype = INIT_DNSKEY;
+		} else if (strcasecmp(atstr, "initial-ds") == 0) {
+			anchortype = INIT_DS;
+		} else {
+			cfg_obj_log(key, logctx, ISC_LOG_ERROR,
+				    "key '%s': "
+				    "invalid initialization method '%s'",
+				    namestr, atstr);
+			result = ISC_R_FAILURE;
+
+			/*
+			 * We can't interpret the trust anchor, so
+			 * we skip all other checks.
+			 */
+			goto cleanup;
+		}
+	} else {
+		atstr = "trusted-key";
+		anchortype = TRUSTED;
+	}
+
+	switch (anchortype) {
+	case INIT_DNSKEY:
+	case STATIC_DNSKEY:
+	case TRUSTED:
+		if (rdata1 > 0xffff) {
+			cfg_obj_log(key, logctx, ISC_LOG_ERROR,
+				    "flags too big: %u", rdata1);
+			result = ISC_R_RANGE;
+		}
+		if (rdata1 & DNS_KEYFLAG_REVOKE) {
+			cfg_obj_log(key, logctx, ISC_LOG_WARNING,
+				    "key flags revoke bit set");
+		}
+		if (rdata2 > 0xff) {
+			cfg_obj_log(key, logctx, ISC_LOG_ERROR,
+				    "protocol too big: %u", rdata2);
+			result = ISC_R_RANGE;
+		}
+		if (rdata3 > 0xff) {
+			cfg_obj_log(key, logctx, ISC_LOG_ERROR,
+				    "algorithm too big: %u\n", rdata3);
+			result = ISC_R_RANGE;
+		}
+
+		isc_buffer_init(&b, data, sizeof(data));
+
+		str = cfg_obj_asstring(cfg_tuple_get(key, "data"));
+		tresult = isc_base64_decodestring(str, &b);
+
+		if (tresult != ISC_R_SUCCESS) {
+			cfg_obj_log(key, logctx, ISC_LOG_ERROR, "%s",
+				    isc_result_totext(tresult));
+			result = ISC_R_FAILURE;
+		} else {
+			isc_buffer_usedregion(&b, &r);
+
+			if ((rdata3 == DST_ALG_RSASHA1) && r.length > 1 &&
+			    r.base[0] == 1 && r.base[1] == 3)
+			{
+				cfg_obj_log(key, logctx, ISC_LOG_WARNING,
+					    "%s '%s' has a weak exponent",
+					    atstr, namestr);
+			}
+		}
+
+		if (result == ISC_R_SUCCESS &&
+		    dns_name_equal(keyname, dns_rootname))
+		{
+			/*
+			 * Flag any use of a root key, regardless of content.
+			 */
+			*flagsp |= (managed ? ROOT_KSK_MANAGED
+					    : ROOT_KSK_STATIC);
+
+			if (rdata1 == 257 && rdata2 == 3 && rdata3 == 8 &&
+			    (isc_buffer_usedlength(&b) ==
+			     sizeof(root_ksk_2010)) &&
+			    memcmp(data, root_ksk_2010,
+				   sizeof(root_ksk_2010)) == 0)
+			{
+				*flagsp |= ROOT_KSK_2010;
+			}
+
+			if (rdata1 == 257 && rdata2 == 3 && rdata3 == 8 &&
+			    (isc_buffer_usedlength(&b) ==
+			     sizeof(root_ksk_2017)) &&
+			    memcmp(data, root_ksk_2017,
+				   sizeof(root_ksk_2017)) == 0)
+			{
+				*flagsp |= ROOT_KSK_2017;
+			}
+		}
+		break;
+
+	case INIT_DS:
+	case STATIC_DS:
+		if (rdata1 > 0xffff) {
+			cfg_obj_log(key, logctx, ISC_LOG_ERROR,
+				    "key tag too big: %u", rdata1);
+			result = ISC_R_RANGE;
+		}
+		if (rdata2 > 0xff) {
+			cfg_obj_log(key, logctx, ISC_LOG_ERROR,
+				    "algorithm too big: %u\n", rdata2);
+			result = ISC_R_RANGE;
+		}
+		if (rdata3 > 0xff) {
+			cfg_obj_log(key, logctx, ISC_LOG_ERROR,
+				    "digest type too big: %u", rdata3);
+			result = ISC_R_RANGE;
+		}
+
+		isc_buffer_init(&b, data, sizeof(data));
+
+		str = cfg_obj_asstring(cfg_tuple_get(key, "data"));
+		tresult = isc_hex_decodestring(str, &b);
+
+		if (tresult != ISC_R_SUCCESS) {
+			cfg_obj_log(key, logctx, ISC_LOG_ERROR, "%s",
+				    isc_result_totext(tresult));
+			result = ISC_R_FAILURE;
+		}
+		if (result == ISC_R_SUCCESS &&
+		    dns_name_equal(keyname, dns_rootname))
+		{
+			/*
+			 * Flag any use of a root key, regardless of content.
+			 */
+			*flagsp |= (managed ? ROOT_KSK_MANAGED
+					    : ROOT_KSK_STATIC);
+
+			if (rdata1 == 20326 && rdata2 == 8 && rdata3 == 1 &&
+			    (isc_buffer_usedlength(&b) ==
+			     sizeof(root_ds_1_2017)) &&
+			    memcmp(data, root_ds_1_2017,
+				   sizeof(root_ds_1_2017)) == 0)
+			{
+				*flagsp |= ROOT_KSK_2017;
+			}
+
+			if (rdata1 == 20326 && rdata2 == 8 && rdata3 == 2 &&
+			    (isc_buffer_usedlength(&b) ==
+			     sizeof(root_ds_2_2017)) &&
+			    memcmp(data, root_ds_2_2017,
+				   sizeof(root_ds_2_2017)) == 0)
+			{
+				*flagsp |= ROOT_KSK_2017;
+			}
+		}
+		break;
+	}
+
+cleanup:
+	return (result);
+}
+
+static isc_result_t
+record_static_keys(isc_symtab_t *symtab, isc_mem_t *mctx,
+		   const cfg_obj_t *keylist, isc_log_t *logctx,
+		   bool autovalidation) {
+	isc_result_t result, ret = ISC_R_SUCCESS;
+	const cfg_listelt_t *elt;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	char namebuf[DNS_NAME_FORMATSIZE], *p = NULL;
+
+	name = dns_fixedname_initname(&fixed);
+
+	for (elt = cfg_list_first(keylist); elt != NULL;
+	     elt = cfg_list_next(elt))
+	{
+		const char *initmethod;
+		const cfg_obj_t *init = NULL;
+		const cfg_obj_t *obj = cfg_listelt_value(elt);
+		const char *str = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
+		isc_symvalue_t symvalue;
+
+		result = dns_name_fromstring(name, str, 0, NULL);
+		if (result != ISC_R_SUCCESS) {
+			continue;
+		}
+
+		init = cfg_tuple_get(obj, "anchortype");
+		if (!cfg_obj_isvoid(init)) {
+			initmethod = cfg_obj_asstring(init);
+			if (strcasecmp(initmethod, "initial-key") == 0) {
+				/* initializing key, skip it */
+				continue;
+			}
+			if (strcasecmp(initmethod, "initial-ds") == 0) {
+				/* initializing key, skip it */
+				continue;
+			}
+		}
+
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		symvalue.as_cpointer = obj;
+		p = isc_mem_strdup(mctx, namebuf);
+		result = isc_symtab_define(symtab, p, 1, symvalue,
+					   isc_symexists_reject);
+		if (result == ISC_R_EXISTS) {
+			isc_mem_free(mctx, p);
+		} else if (result != ISC_R_SUCCESS) {
+			isc_mem_free(mctx, p);
+			ret = result;
+			continue;
+		}
+
+		if (autovalidation && dns_name_equal(name, dns_rootname)) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "static trust anchor for root zone "
+				    "cannot be used with "
+				    "'dnssec-validation auto'.");
+			ret = ISC_R_FAILURE;
+			continue;
+		}
+	}
+
+	return (ret);
+}
+
+static isc_result_t
+check_initializing_keys(isc_symtab_t *symtab, const cfg_obj_t *keylist,
+			isc_log_t *logctx) {
+	isc_result_t result, ret = ISC_R_SUCCESS;
+	const cfg_listelt_t *elt;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	char namebuf[DNS_NAME_FORMATSIZE];
+
+	name = dns_fixedname_initname(&fixed);
+
+	for (elt = cfg_list_first(keylist); elt != NULL;
+	     elt = cfg_list_next(elt))
+	{
+		const cfg_obj_t *obj = cfg_listelt_value(elt);
+		const cfg_obj_t *init = NULL;
+		const char *str;
+		isc_symvalue_t symvalue;
+
+		init = cfg_tuple_get(obj, "anchortype");
+		if (cfg_obj_isvoid(init) ||
+		    strcasecmp(cfg_obj_asstring(init), "static-key") == 0 ||
+		    strcasecmp(cfg_obj_asstring(init), "static-ds") == 0)
+		{
+			/* static key, skip it */
+			continue;
+		}
+
+		str = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
+		result = dns_name_fromstring(name, str, 0, NULL);
+		if (result != ISC_R_SUCCESS) {
+			continue;
+		}
+
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		result = isc_symtab_lookup(symtab, namebuf, 1, &symvalue);
+		if (result == ISC_R_SUCCESS) {
+			const char *file = cfg_obj_file(symvalue.as_cpointer);
+			unsigned int line = cfg_obj_line(symvalue.as_cpointer);
+			if (file == NULL) {
+				file = "<unknown file>";
+			}
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "static and initializing keys "
+				    "cannot be used for the "
+				    "same domain. "
+				    "static key defined at "
+				    "%s:%u",
+				    file, line);
+
+			ret = ISC_R_FAILURE;
+		}
+	}
+
+	return (ret);
+}
+
+static isc_result_t
+record_ds_keys(isc_symtab_t *symtab, isc_mem_t *mctx,
+	       const cfg_obj_t *keylist) {
+	isc_result_t result, ret = ISC_R_SUCCESS;
+	const cfg_listelt_t *elt;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	char namebuf[DNS_NAME_FORMATSIZE], *p = NULL;
+
+	name = dns_fixedname_initname(&fixed);
+
+	for (elt = cfg_list_first(keylist); elt != NULL;
+	     elt = cfg_list_next(elt))
+	{
+		const char *initmethod;
+		const cfg_obj_t *init = NULL;
+		const cfg_obj_t *obj = cfg_listelt_value(elt);
+		const char *str = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
+		isc_symvalue_t symvalue;
+
+		result = dns_name_fromstring(name, str, 0, NULL);
+		if (result != ISC_R_SUCCESS) {
+			continue;
+		}
+
+		init = cfg_tuple_get(obj, "anchortype");
+		if (!cfg_obj_isvoid(init)) {
+			initmethod = cfg_obj_asstring(init);
+			if (strcasecmp(initmethod, "initial-key") == 0 ||
+			    strcasecmp(initmethod, "static-key") == 0)
+			{
+				/* Key-style key, skip it */
+				continue;
+			}
+		}
+
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		symvalue.as_cpointer = obj;
+		p = isc_mem_strdup(mctx, namebuf);
+		result = isc_symtab_define(symtab, p, 1, symvalue,
+					   isc_symexists_reject);
+		if (result == ISC_R_EXISTS) {
+			isc_mem_free(mctx, p);
+		} else if (result != ISC_R_SUCCESS) {
+			isc_mem_free(mctx, p);
+			ret = result;
+			continue;
+		}
+	}
+
+	return (ret);
+}
+
+/*
+ * Check for conflicts between static and initialiizing keys.
+ */
+static isc_result_t
+check_ta_conflicts(const cfg_obj_t *global_ta, const cfg_obj_t *view_ta,
+		   const cfg_obj_t *global_tkeys, const cfg_obj_t *view_tkeys,
+		   bool autovalidation, isc_mem_t *mctx, isc_log_t *logctx) {
+	isc_result_t result, tresult;
+	const cfg_listelt_t *elt = NULL;
+	const cfg_obj_t *keylist = NULL;
+	isc_symtab_t *statictab = NULL, *dstab = NULL;
+
+	result = isc_symtab_create(mctx, 100, freekey, mctx, false, &statictab);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	result = isc_symtab_create(mctx, 100, freekey, mctx, false, &dstab);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	/*
+	 * First we record all the static keys (i.e., old-style
+	 * trusted-keys and trust-anchors configured with "static-key"),
+	 * and all the DS-style trust anchors.
+	 */
+	for (elt = cfg_list_first(global_ta); elt != NULL;
+	     elt = cfg_list_next(elt))
+	{
+		keylist = cfg_listelt_value(elt);
+		tresult = record_static_keys(statictab, mctx, keylist, logctx,
+					     autovalidation);
+		if (result == ISC_R_SUCCESS) {
+			result = tresult;
+		}
+
+		tresult = record_ds_keys(dstab, mctx, keylist);
+		if (result == ISC_R_SUCCESS) {
+			result = tresult;
+		}
+	}
+
+	for (elt = cfg_list_first(view_ta); elt != NULL;
+	     elt = cfg_list_next(elt))
+	{
+		keylist = cfg_listelt_value(elt);
+		tresult = record_static_keys(statictab, mctx, keylist, logctx,
+					     autovalidation);
+		if (result == ISC_R_SUCCESS) {
+			result = tresult;
+		}
+
+		tresult = record_ds_keys(dstab, mctx, keylist);
+		if (result == ISC_R_SUCCESS) {
+			result = tresult;
+		}
+	}
+
+	for (elt = cfg_list_first(global_tkeys); elt != NULL;
+	     elt = cfg_list_next(elt))
+	{
+		keylist = cfg_listelt_value(elt);
+		tresult = record_static_keys(statictab, mctx, keylist, logctx,
+					     autovalidation);
+		if (result == ISC_R_SUCCESS) {
+			result = tresult;
+		}
+	}
+
+	for (elt = cfg_list_first(view_tkeys); elt != NULL;
+	     elt = cfg_list_next(elt))
+	{
+		keylist = cfg_listelt_value(elt);
+		tresult = record_static_keys(statictab, mctx, keylist, logctx,
+					     autovalidation);
+		if (result == ISC_R_SUCCESS) {
+			result = tresult;
+		}
+	}
+
+	/*
+	 * Next, ensure that there's no conflict between the
+	 * static keys and the trust-anchors configured with "initial-key".
+	 */
+	for (elt = cfg_list_first(global_ta); elt != NULL;
+	     elt = cfg_list_next(elt))
+	{
+		keylist = cfg_listelt_value(elt);
+		tresult = check_initializing_keys(statictab, keylist, logctx);
+		if (result == ISC_R_SUCCESS) {
+			result = tresult;
+		}
+	}
+
+	for (elt = cfg_list_first(view_ta); elt != NULL;
+	     elt = cfg_list_next(elt))
+	{
+		keylist = cfg_listelt_value(elt);
+		tresult = check_initializing_keys(statictab, keylist, logctx);
+		if (result == ISC_R_SUCCESS) {
+			result = tresult;
+		}
+	}
+
+cleanup:
+	if (statictab != NULL) {
+		isc_symtab_destroy(&statictab);
+	}
+	if (dstab != NULL) {
+		isc_symtab_destroy(&dstab);
+	}
+	return (result);
+}
+
+typedef enum { special_zonetype_rpz, special_zonetype_catz } special_zonetype_t;
+
+static isc_result_t
+check_rpz_catz(const char *rpz_catz, const cfg_obj_t *rpz_obj,
+	       const char *viewname, isc_symtab_t *symtab, isc_log_t *logctx,
+	       special_zonetype_t specialzonetype) {
+	const cfg_listelt_t *element;
+	const cfg_obj_t *obj, *nameobj, *zoneobj;
+	const char *zonename, *zonetype;
+	const char *forview = " for view ";
+	isc_symvalue_t value;
+	isc_result_t result, tresult;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	char namebuf[DNS_NAME_FORMATSIZE];
+	unsigned int num_zones = 0;
+
+	if (viewname == NULL) {
+		viewname = "";
+		forview = "";
+	}
+	result = ISC_R_SUCCESS;
+
+	name = dns_fixedname_initname(&fixed);
+	obj = cfg_tuple_get(rpz_obj, "zone list");
+
+	for (element = cfg_list_first(obj); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		obj = cfg_listelt_value(element);
+		nameobj = cfg_tuple_get(obj, "zone name");
+		zonename = cfg_obj_asstring(nameobj);
+		zonetype = "";
+
+		if (specialzonetype == special_zonetype_rpz) {
+			if (++num_zones > 64) {
+				cfg_obj_log(nameobj, logctx, ISC_LOG_ERROR,
+					    "more than 64 response policy "
+					    "zones in view '%s'",
+					    viewname);
+				return (ISC_R_FAILURE);
+			}
+		}
+
+		tresult = dns_name_fromstring(name, zonename, 0, NULL);
+		if (tresult != ISC_R_SUCCESS) {
+			cfg_obj_log(nameobj, logctx, ISC_LOG_ERROR,
+				    "bad domain name '%s'", zonename);
+			if (result == ISC_R_SUCCESS) {
+				result = tresult;
+			}
+			continue;
+		}
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		tresult = isc_symtab_lookup(symtab, namebuf, 3, &value);
+		if (tresult == ISC_R_SUCCESS) {
+			obj = NULL;
+			zoneobj = value.as_cpointer;
+			if (zoneobj != NULL && cfg_obj_istuple(zoneobj)) {
+				zoneobj = cfg_tuple_get(zoneobj, "options");
+			}
+			if (zoneobj != NULL && cfg_obj_ismap(zoneobj)) {
+				(void)cfg_map_get(zoneobj, "type", &obj);
+			}
+			if (obj != NULL) {
+				zonetype = cfg_obj_asstring(obj);
+			}
+		}
+		if (strcasecmp(zonetype, "primary") != 0 &&
+		    strcasecmp(zonetype, "master") != 0 &&
+		    strcasecmp(zonetype, "secondary") != 0 &&
+		    strcasecmp(zonetype, "slave") != 0)
+		{
+			cfg_obj_log(nameobj, logctx, ISC_LOG_ERROR,
+				    "%s '%s'%s%s is not a master or slave zone",
+				    rpz_catz, zonename, forview, viewname);
+			if (result == ISC_R_SUCCESS) {
+				result = ISC_R_FAILURE;
+			}
+		}
+	}
+	return (result);
+}
+
+#ifdef HAVE_DLOPEN
+/*%
+ * Data structure used for the 'callback_data' argument to check_one_plugin().
+ */
+struct check_one_plugin_data {
+	isc_mem_t *mctx;
+	isc_log_t *lctx;
+	cfg_aclconfctx_t *actx;
+	isc_result_t *check_result;
+};
+
+/*%
+ * A callback for the cfg_pluginlist_foreach() call in check_viewconf() below.
+ * Since the point is to check configuration of all plugins even when
+ * processing some of them fails, always return ISC_R_SUCCESS and indicate any
+ * check failures through the 'check_result' variable passed in via the
+ * 'callback_data' structure.
+ */
+static isc_result_t
+check_one_plugin(const cfg_obj_t *config, const cfg_obj_t *obj,
+		 const char *plugin_path, const char *parameters,
+		 void *callback_data) {
+	struct check_one_plugin_data *data = callback_data;
+	char full_path[PATH_MAX];
+	isc_result_t result;
+
+	result = ns_plugin_expandpath(plugin_path, full_path,
+				      sizeof(full_path));
+	if (result != ISC_R_SUCCESS) {
+		cfg_obj_log(obj, data->lctx, ISC_LOG_ERROR,
+			    "%s: plugin check failed: "
+			    "unable to get full plugin path: %s",
+			    plugin_path, isc_result_totext(result));
+		return (result);
+	}
+
+	result = ns_plugin_check(full_path, parameters, config,
+				 cfg_obj_file(obj), cfg_obj_line(obj),
+				 data->mctx, data->lctx, data->actx);
+	if (result != ISC_R_SUCCESS) {
+		cfg_obj_log(obj, data->lctx, ISC_LOG_ERROR,
+			    "%s: plugin check failed: %s", full_path,
+			    isc_result_totext(result));
+		*data->check_result = result;
+	}
+
+	return (ISC_R_SUCCESS);
+}
+#endif /* ifdef HAVE_DLOPEN */
+
+static isc_result_t
+check_dnstap(const cfg_obj_t *voptions, const cfg_obj_t *config,
+	     isc_log_t *logctx) {
+#ifdef HAVE_DNSTAP
+	const cfg_obj_t *options = NULL;
+	const cfg_obj_t *obj = NULL;
+
+	if (config != NULL) {
+		(void)cfg_map_get(config, "options", &options);
+	}
+	if (options != NULL) {
+		(void)cfg_map_get(options, "dnstap-output", &obj);
+	}
+	if (obj == NULL) {
+		if (voptions != NULL) {
+			(void)cfg_map_get(voptions, "dnstap", &obj);
+		}
+		if (options != NULL && obj == NULL) {
+			(void)cfg_map_get(options, "dnstap", &obj);
+		}
+		if (obj != NULL) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "'dnstap-output' must be set if 'dnstap' "
+				    "is set");
+			return (ISC_R_FAILURE);
+		}
+	}
+	return (ISC_R_SUCCESS);
+#else  /* ifdef HAVE_DNSTAP */
+	UNUSED(voptions);
+	UNUSED(config);
+	UNUSED(logctx);
+
+	return (ISC_R_SUCCESS);
+#endif /* ifdef HAVE_DNSTAP */
+}
+
+static isc_result_t
+check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
+	       const char *viewname, dns_rdataclass_t vclass,
+	       isc_symtab_t *files, isc_symtab_t *keydirs, bool check_plugins,
+	       isc_symtab_t *inview, isc_log_t *logctx, isc_mem_t *mctx) {
+	const cfg_obj_t *zones = NULL;
+	const cfg_obj_t *view_tkeys = NULL, *global_tkeys = NULL;
+	const cfg_obj_t *view_mkeys = NULL, *global_mkeys = NULL;
+	const cfg_obj_t *view_ta = NULL, *global_ta = NULL;
+	const cfg_obj_t *check_keys[2] = { NULL, NULL };
+	const cfg_obj_t *keys = NULL;
+#ifndef HAVE_DLOPEN
+	const cfg_obj_t *dyndb = NULL;
+#endif /* ifndef HAVE_DLOPEN */
+	const cfg_listelt_t *element, *element2;
+	isc_symtab_t *symtab = NULL;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult = ISC_R_SUCCESS;
+	cfg_aclconfctx_t *actx = NULL;
+	const cfg_obj_t *obj;
+	const cfg_obj_t *options = NULL;
+	const cfg_obj_t *opts = NULL;
+	const cfg_obj_t *plugin_list = NULL;
+	bool autovalidation = false;
+	unsigned int tflags = 0, dflags = 0;
+	int i;
+
+	/*
+	 * Get global options block
+	 */
+	(void)cfg_map_get(config, "options", &options);
+
+	/*
+	 * The most relevant options for this view
+	 */
+	if (voptions != NULL) {
+		opts = voptions;
+	} else {
+		opts = options;
+	}
+
+	/*
+	 * Check that all zone statements are syntactically correct and
+	 * there are no duplicate zones.
+	 */
+	tresult = isc_symtab_create(mctx, 1000, freekey, mctx, false, &symtab);
+	if (tresult != ISC_R_SUCCESS) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	cfg_aclconfctx_create(mctx, &actx);
+
+	if (voptions != NULL) {
+		(void)cfg_map_get(voptions, "zone", &zones);
+	} else {
+		(void)cfg_map_get(config, "zone", &zones);
+	}
+
+	for (element = cfg_list_first(zones); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		const cfg_obj_t *zone = cfg_listelt_value(element);
+
+		tresult = check_zoneconf(zone, voptions, config, symtab, files,
+					 keydirs, inview, viewname, vclass,
+					 actx, logctx, mctx);
+		if (tresult != ISC_R_SUCCESS) {
+			result = ISC_R_FAILURE;
+		}
+	}
+
+#ifndef HAVE_DLOPEN
+	if (voptions != NULL) {
+		(void)cfg_map_get(voptions, "dyndb", &dyndb);
+	} else {
+		(void)cfg_map_get(config, "dyndb", &dyndb);
+	}
+
+	if (dyndb != NULL) {
+		cfg_obj_log(dyndb, logctx, ISC_LOG_ERROR,
+			    "dynamic loading of databases is not supported");
+		if (tresult != ISC_R_SUCCESS) {
+			result = ISC_R_NOTIMPLEMENTED;
+		}
+	}
+#endif /* ifndef HAVE_DLOPEN */
+
+	/*
+	 * Check that the response-policy and catalog-zones options
+	 * refer to zones that exist.
+	 */
+	if (opts != NULL) {
+		obj = NULL;
+		if ((cfg_map_get(opts, "response-policy", &obj) ==
+		     ISC_R_SUCCESS) &&
+		    (check_rpz_catz("response-policy zone", obj, viewname,
+				    symtab, logctx,
+				    special_zonetype_rpz) != ISC_R_SUCCESS))
+		{
+			result = ISC_R_FAILURE;
+		}
+
+		obj = NULL;
+		if ((cfg_map_get(opts, "catalog-zones", &obj) ==
+		     ISC_R_SUCCESS) &&
+		    (check_rpz_catz("catalog zone", obj, viewname, symtab,
+				    logctx,
+				    special_zonetype_catz) != ISC_R_SUCCESS))
+		{
+			result = ISC_R_FAILURE;
+		}
+	}
+
+	isc_symtab_destroy(&symtab);
+
+	/*
+	 * Check that forwarding is reasonable.
+	 */
+	if (opts != NULL && check_forward(opts, NULL, logctx) != ISC_R_SUCCESS)
+	{
+		result = ISC_R_FAILURE;
+	}
+
+	/*
+	 * Check non-zero options at the global and view levels.
+	 */
+	if (options != NULL && check_nonzero(options, logctx) != ISC_R_SUCCESS)
+	{
+		result = ISC_R_FAILURE;
+	}
+	if (voptions != NULL &&
+	    check_nonzero(voptions, logctx) != ISC_R_SUCCESS)
+	{
+		result = ISC_R_FAILURE;
+	}
+
+	/*
+	 * Check that dual-stack-servers is reasonable.
+	 */
+	if (opts != NULL && check_dual_stack(opts, logctx) != ISC_R_SUCCESS) {
+		result = ISC_R_FAILURE;
+	}
+
+	/*
+	 * Check that rrset-order is reasonable.
+	 */
+	if (opts != NULL && check_order(opts, logctx) != ISC_R_SUCCESS) {
+		result = ISC_R_FAILURE;
+	}
+
+	/*
+	 * Check that all key statements are syntactically correct and
+	 * there are no duplicate keys.
+	 */
+	tresult = isc_symtab_create(mctx, 1000, freekey, mctx, false, &symtab);
+	if (tresult != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	(void)cfg_map_get(config, "key", &keys);
+	tresult = check_keylist(keys, symtab, mctx, logctx);
+	if (tresult == ISC_R_EXISTS) {
+		result = ISC_R_FAILURE;
+	} else if (tresult != ISC_R_SUCCESS) {
+		result = tresult;
+		goto cleanup;
+	}
+
+	if (voptions != NULL) {
+		keys = NULL;
+		(void)cfg_map_get(voptions, "key", &keys);
+		tresult = check_keylist(keys, symtab, mctx, logctx);
+		if (tresult == ISC_R_EXISTS) {
+			result = ISC_R_FAILURE;
+		} else if (tresult != ISC_R_SUCCESS) {
+			result = tresult;
+			goto cleanup;
+		}
+	}
+
+	/*
+	 * Global servers can refer to keys in views.
+	 */
+	if (check_servers(config, voptions, symtab, logctx) != ISC_R_SUCCESS) {
+		result = ISC_R_FAILURE;
+	}
+
+	isc_symtab_destroy(&symtab);
+
+	/*
+	 * Load all DNSSEC keys.
+	 */
+	if (voptions != NULL) {
+		(void)cfg_map_get(voptions, "trusted-keys", &view_tkeys);
+		(void)cfg_map_get(voptions, "trust-anchors", &view_ta);
+		(void)cfg_map_get(voptions, "managed-keys", &view_mkeys);
+	}
+	(void)cfg_map_get(config, "trusted-keys", &global_tkeys);
+	(void)cfg_map_get(config, "trust-anchors", &global_ta);
+	(void)cfg_map_get(config, "managed-keys", &global_mkeys);
+
+	/*
+	 * Check trusted-keys.
+	 */
+	check_keys[0] = view_tkeys;
+	check_keys[1] = global_tkeys;
+	for (i = 0; i < 2; i++) {
+		if (check_keys[i] != NULL) {
+			unsigned int flags = 0;
+
+			for (element = cfg_list_first(check_keys[i]);
+			     element != NULL; element = cfg_list_next(element))
+			{
+				const cfg_obj_t *keylist =
+					cfg_listelt_value(element);
+				for (element2 = cfg_list_first(keylist);
+				     element2 != NULL;
+				     element2 = cfg_list_next(element2))
+				{
+					obj = cfg_listelt_value(element2);
+					tresult = check_trust_anchor(
+						obj, false, &flags, logctx);
+					if (tresult != ISC_R_SUCCESS) {
+						result = tresult;
+					}
+				}
+			}
+
+			if ((flags & ROOT_KSK_STATIC) != 0) {
+				cfg_obj_log(check_keys[i], logctx,
+					    ISC_LOG_WARNING,
+					    "trusted-keys entry for the root "
+					    "zone WILL FAIL after key "
+					    "rollover - use trust-anchors "
+					    "with initial-key "
+					    "or initial-ds instead.");
+			}
+
+			tflags |= flags;
+		}
+	}
+
+	/*
+	 * Check dnssec/managed-keys. (Only one or the other can be used.)
+	 */
+	if ((view_mkeys != NULL || global_mkeys != NULL) &&
+	    (view_ta != NULL || global_ta != NULL))
+	{
+		keys = (view_mkeys != NULL) ? view_mkeys : global_mkeys;
+
+		cfg_obj_log(keys, logctx, ISC_LOG_ERROR,
+			    "use of managed-keys is not allowed when "
+			    "trust-anchors is also in use");
+		result = ISC_R_FAILURE;
+	}
+
+	if (view_ta == NULL && global_ta == NULL) {
+		view_ta = view_mkeys;
+		global_ta = global_mkeys;
+	}
+
+	check_keys[0] = view_ta;
+	check_keys[1] = global_ta;
+	for (i = 0; i < 2; i++) {
+		if (check_keys[i] != NULL) {
+			unsigned int flags = 0;
+
+			for (element = cfg_list_first(check_keys[i]);
+			     element != NULL; element = cfg_list_next(element))
+			{
+				const cfg_obj_t *keylist =
+					cfg_listelt_value(element);
+				for (element2 = cfg_list_first(keylist);
+				     element2 != NULL;
+				     element2 = cfg_list_next(element2))
+				{
+					obj = cfg_listelt_value(element2);
+					tresult = check_trust_anchor(
+						obj, true, &flags, logctx);
+					if (tresult != ISC_R_SUCCESS) {
+						result = tresult;
+					}
+				}
+			}
+
+			if ((flags & ROOT_KSK_STATIC) != 0) {
+				cfg_obj_log(check_keys[i], logctx,
+					    ISC_LOG_WARNING,
+					    "static entry for the root "
+					    "zone WILL FAIL after key "
+					    "rollover - use trust-anchors "
+					    "with initial-key "
+					    "or initial-ds instead.");
+			}
+
+			if ((flags & ROOT_KSK_2010) != 0 &&
+			    (flags & ROOT_KSK_2017) == 0)
+			{
+				cfg_obj_log(check_keys[i], logctx,
+					    ISC_LOG_WARNING,
+					    "initial-key entry for the root "
+					    "zone uses the 2010 key without "
+					    "the updated 2017 key");
+			}
+
+			dflags |= flags;
+		}
+	}
+
+	if ((tflags & ROOT_KSK_ANY) != 0 && (dflags & ROOT_KSK_ANY) != 0) {
+		keys = (view_ta != NULL) ? view_ta : global_ta;
+		cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
+			    "both trusted-keys and trust-anchors "
+			    "for the root zone are present");
+	}
+
+	if ((dflags & ROOT_KSK_ANY) == ROOT_KSK_ANY) {
+		keys = (view_ta != NULL) ? view_ta : global_ta;
+		cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
+			    "both initial and static entries for the "
+			    "root zone are present");
+	}
+
+	obj = NULL;
+	if (voptions != NULL) {
+		(void)cfg_map_get(voptions, "dnssec-validation", &obj);
+	}
+	if (obj == NULL && options != NULL) {
+		(void)cfg_map_get(options, "dnssec-validation", &obj);
+	}
+	if (obj != NULL && !cfg_obj_isboolean(obj)) {
+		autovalidation = true;
+	}
+
+	tresult = check_ta_conflicts(global_ta, view_ta, global_tkeys,
+				     view_tkeys, autovalidation, mctx, logctx);
+	if (tresult != ISC_R_SUCCESS) {
+		result = tresult;
+	}
+
+	/*
+	 * Check options.
+	 */
+	if (voptions != NULL) {
+		tresult = check_options(voptions, logctx, mctx, optlevel_view);
+	} else {
+		tresult = check_options(config, logctx, mctx, optlevel_config);
+	}
+	if (tresult != ISC_R_SUCCESS) {
+		result = tresult;
+	}
+
+	tresult = check_dnstap(voptions, config, logctx);
+	if (tresult != ISC_R_SUCCESS) {
+		result = tresult;
+	}
+
+	tresult = check_viewacls(actx, voptions, config, logctx, mctx);
+	if (tresult != ISC_R_SUCCESS) {
+		result = tresult;
+	}
+
+	tresult = check_recursionacls(actx, voptions, viewname, config, logctx,
+				      mctx);
+	if (tresult != ISC_R_SUCCESS) {
+		result = tresult;
+	}
+
+	tresult = check_dns64(actx, voptions, config, logctx, mctx);
+	if (tresult != ISC_R_SUCCESS) {
+		result = tresult;
+	}
+
+	tresult = check_ratelimit(actx, voptions, config, logctx, mctx);
+	if (tresult != ISC_R_SUCCESS) {
+		result = tresult;
+	}
+
+	/*
+	 * Load plugins.
+	 */
+	if (check_plugins) {
+		if (voptions != NULL) {
+			(void)cfg_map_get(voptions, "plugin", &plugin_list);
+		} else {
+			(void)cfg_map_get(config, "plugin", &plugin_list);
+		}
+	}
+
+#ifdef HAVE_DLOPEN
+	{
+		struct check_one_plugin_data check_one_plugin_data = {
+			.mctx = mctx,
+			.lctx = logctx,
+			.actx = actx,
+			.check_result = &tresult,
+		};
+
+		(void)cfg_pluginlist_foreach(config, plugin_list, logctx,
+					     check_one_plugin,
+					     &check_one_plugin_data);
+		if (tresult != ISC_R_SUCCESS) {
+			result = tresult;
+		}
+	}
+#endif /* HAVE_DLOPEN */
+
+cleanup:
+	if (symtab != NULL) {
+		isc_symtab_destroy(&symtab);
+	}
+	if (actx != NULL) {
+		cfg_aclconfctx_detach(&actx);
+	}
+
+	return (result);
+}
+
+static const char *default_channels[] = { "default_syslog", "default_stderr",
+					  "default_debug", "null", NULL };
+
+static isc_result_t
+bind9_check_logging(const cfg_obj_t *config, isc_log_t *logctx,
+		    isc_mem_t *mctx) {
+	const cfg_obj_t *categories = NULL;
+	const cfg_obj_t *category;
+	const cfg_obj_t *channels = NULL;
+	const cfg_obj_t *channel;
+	const cfg_listelt_t *element;
+	const cfg_listelt_t *delement;
+	const char *channelname;
+	const char *catname;
+	const cfg_obj_t *fileobj = NULL;
+	const cfg_obj_t *syslogobj = NULL;
+	const cfg_obj_t *nullobj = NULL;
+	const cfg_obj_t *stderrobj = NULL;
+	const cfg_obj_t *logobj = NULL;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult;
+	isc_symtab_t *symtab = NULL;
+	isc_symvalue_t symvalue;
+	int i;
+
+	(void)cfg_map_get(config, "logging", &logobj);
+	if (logobj == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+
+	result = isc_symtab_create(mctx, 100, NULL, NULL, false, &symtab);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	symvalue.as_cpointer = NULL;
+	for (i = 0; default_channels[i] != NULL; i++) {
+		tresult = isc_symtab_define(symtab, default_channels[i], 1,
+					    symvalue, isc_symexists_replace);
+		if (tresult != ISC_R_SUCCESS) {
+			result = tresult;
+		}
+	}
+
+	cfg_map_get(logobj, "channel", &channels);
+
+	for (element = cfg_list_first(channels); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		channel = cfg_listelt_value(element);
+		channelname = cfg_obj_asstring(cfg_map_getname(channel));
+		fileobj = syslogobj = nullobj = stderrobj = NULL;
+		(void)cfg_map_get(channel, "file", &fileobj);
+		(void)cfg_map_get(channel, "syslog", &syslogobj);
+		(void)cfg_map_get(channel, "null", &nullobj);
+		(void)cfg_map_get(channel, "stderr", &stderrobj);
+		i = 0;
+		if (fileobj != NULL) {
+			i++;
+		}
+		if (syslogobj != NULL) {
+			i++;
+		}
+		if (nullobj != NULL) {
+			i++;
+		}
+		if (stderrobj != NULL) {
+			i++;
+		}
+		if (i != 1) {
+			cfg_obj_log(channel, logctx, ISC_LOG_ERROR,
+				    "channel '%s': exactly one of file, "
+				    "syslog, "
+				    "null, and stderr must be present",
+				    channelname);
+			result = ISC_R_FAILURE;
+		}
+		tresult = isc_symtab_define(symtab, channelname, 1, symvalue,
+					    isc_symexists_replace);
+		if (tresult != ISC_R_SUCCESS) {
+			result = tresult;
+		}
+	}
+
+	cfg_map_get(logobj, "category", &categories);
+
+	for (element = cfg_list_first(categories); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		category = cfg_listelt_value(element);
+		catname = cfg_obj_asstring(cfg_tuple_get(category, "name"));
+		if (isc_log_categorybyname(logctx, catname) == NULL) {
+			cfg_obj_log(category, logctx, ISC_LOG_ERROR,
+				    "undefined category: '%s'", catname);
+			result = ISC_R_FAILURE;
+		}
+		channels = cfg_tuple_get(category, "destinations");
+		for (delement = cfg_list_first(channels); delement != NULL;
+		     delement = cfg_list_next(delement))
+		{
+			channel = cfg_listelt_value(delement);
+			channelname = cfg_obj_asstring(channel);
+			tresult = isc_symtab_lookup(symtab, channelname, 1,
+						    &symvalue);
+			if (tresult != ISC_R_SUCCESS) {
+				cfg_obj_log(channel, logctx, ISC_LOG_ERROR,
+					    "undefined channel: '%s'",
+					    channelname);
+				result = tresult;
+			}
+		}
+	}
+	isc_symtab_destroy(&symtab);
+	return (result);
+}
+
+static isc_result_t
+bind9_check_controlskeys(const cfg_obj_t *control, const cfg_obj_t *keylist,
+			 isc_log_t *logctx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	const cfg_obj_t *control_keylist;
+	const cfg_listelt_t *element;
+	const cfg_obj_t *key;
+	const char *keyval;
+
+	control_keylist = cfg_tuple_get(control, "keys");
+	if (cfg_obj_isvoid(control_keylist)) {
+		return (ISC_R_SUCCESS);
+	}
+
+	for (element = cfg_list_first(control_keylist); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		key = cfg_listelt_value(element);
+		keyval = cfg_obj_asstring(key);
+
+		if (!rndckey_exists(keylist, keyval)) {
+			cfg_obj_log(key, logctx, ISC_LOG_ERROR,
+				    "unknown key '%s'", keyval);
+			result = ISC_R_NOTFOUND;
+		}
+	}
+	return (result);
+}
+
+static isc_result_t
+bind9_check_controls(const cfg_obj_t *config, isc_log_t *logctx,
+		     isc_mem_t *mctx) {
+	isc_result_t result = ISC_R_SUCCESS, tresult;
+	cfg_aclconfctx_t *actx = NULL;
+	const cfg_listelt_t *element, *element2;
+	const cfg_obj_t *allow;
+	const cfg_obj_t *control;
+	const cfg_obj_t *controls;
+	const cfg_obj_t *controlslist = NULL;
+	const cfg_obj_t *inetcontrols;
+	const cfg_obj_t *unixcontrols;
+	const cfg_obj_t *keylist = NULL;
+	const char *path;
+	uint32_t perm, mask;
+	dns_acl_t *acl = NULL;
+	isc_sockaddr_t addr;
+	int i;
+
+	(void)cfg_map_get(config, "controls", &controlslist);
+	if (controlslist == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+
+	(void)cfg_map_get(config, "key", &keylist);
+
+	cfg_aclconfctx_create(mctx, &actx);
+
+	/*
+	 * INET: Check allow clause.
+	 * UNIX: Check "perm" for sanity, check path length.
+	 */
+	for (element = cfg_list_first(controlslist); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		controls = cfg_listelt_value(element);
+		unixcontrols = NULL;
+		inetcontrols = NULL;
+		(void)cfg_map_get(controls, "unix", &unixcontrols);
+		(void)cfg_map_get(controls, "inet", &inetcontrols);
+		for (element2 = cfg_list_first(inetcontrols); element2 != NULL;
+		     element2 = cfg_list_next(element2))
+		{
+			control = cfg_listelt_value(element2);
+			allow = cfg_tuple_get(control, "allow");
+			tresult = cfg_acl_fromconfig(allow, config, logctx,
+						     actx, mctx, 0, &acl);
+			if (acl != NULL) {
+				dns_acl_detach(&acl);
+			}
+			if (tresult != ISC_R_SUCCESS) {
+				result = tresult;
+			}
+			tresult = bind9_check_controlskeys(control, keylist,
+							   logctx);
+			if (tresult != ISC_R_SUCCESS) {
+				result = tresult;
+			}
+		}
+		for (element2 = cfg_list_first(unixcontrols); element2 != NULL;
+		     element2 = cfg_list_next(element2))
+		{
+			control = cfg_listelt_value(element2);
+			path = cfg_obj_asstring(cfg_tuple_get(control, "path"));
+			tresult = isc_sockaddr_frompath(&addr, path);
+			if (tresult == ISC_R_NOSPACE) {
+				cfg_obj_log(control, logctx, ISC_LOG_ERROR,
+					    "unix control '%s': path too long",
+					    path);
+				result = ISC_R_NOSPACE;
+			}
+			perm = cfg_obj_asuint32(cfg_tuple_get(control, "perm"));
+			for (i = 0; i < 3; i++) {
+#ifdef NEED_SECURE_DIRECTORY
+				mask = (0x1 << (i * 3)); /* SEARCH */
+#else  /* ifdef NEED_SECURE_DIRECTORY */
+				mask = (0x6 << (i * 3)); /* READ + WRITE */
+#endif /* ifdef NEED_SECURE_DIRECTORY */
+				if ((perm & mask) == mask) {
+					break;
+				}
+			}
+			if (i == 0) {
+				cfg_obj_log(control, logctx, ISC_LOG_WARNING,
+					    "unix control '%s' allows access "
+					    "to everyone",
+					    path);
+			} else if (i == 3) {
+				cfg_obj_log(control, logctx, ISC_LOG_WARNING,
+					    "unix control '%s' allows access "
+					    "to nobody",
+					    path);
+			}
+			tresult = bind9_check_controlskeys(control, keylist,
+							   logctx);
+			if (tresult != ISC_R_SUCCESS) {
+				result = tresult;
+			}
+		}
+	}
+	cfg_aclconfctx_detach(&actx);
+	return (result);
+}
+
+isc_result_t
+bind9_check_namedconf(const cfg_obj_t *config, bool check_plugins,
+		      isc_log_t *logctx, isc_mem_t *mctx) {
+	const cfg_obj_t *options = NULL;
+	const cfg_obj_t *views = NULL;
+	const cfg_obj_t *acls = NULL;
+	const cfg_obj_t *obj = NULL;
+	const cfg_listelt_t *velement;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult;
+	isc_symtab_t *symtab = NULL;
+	isc_symtab_t *files = NULL;
+	isc_symtab_t *keydirs = NULL;
+	isc_symtab_t *inview = NULL;
+
+	static const char *builtin[] = { "localhost", "localnets", "any",
+					 "none" };
+
+	(void)cfg_map_get(config, "options", &options);
+
+	if (options != NULL && check_options(options, logctx, mctx,
+					     optlevel_options) != ISC_R_SUCCESS)
+	{
+		result = ISC_R_FAILURE;
+	}
+
+	if (bind9_check_logging(config, logctx, mctx) != ISC_R_SUCCESS) {
+		result = ISC_R_FAILURE;
+	}
+
+	if (bind9_check_controls(config, logctx, mctx) != ISC_R_SUCCESS) {
+		result = ISC_R_FAILURE;
+	}
+
+	if (bind9_check_primarylists(config, logctx, mctx) != ISC_R_SUCCESS) {
+		result = ISC_R_FAILURE;
+	}
+
+	if (bind9_check_parentalagentlists(config, logctx, mctx) !=
+	    ISC_R_SUCCESS)
+	{
+		result = ISC_R_FAILURE;
+	}
+
+	(void)cfg_map_get(config, "view", &views);
+
+	if (views != NULL && options != NULL) {
+		if (check_dual_stack(options, logctx) != ISC_R_SUCCESS) {
+			result = ISC_R_FAILURE;
+
+			/*
+			 * Use case insensitive comparison as not all file
+			 * systems are case sensitive. This will prevent people
+			 * using FOO.DB and foo.db on case sensitive file
+			 * systems but that shouldn't be a major issue.
+			 */
+		}
+	}
+
+	/*
+	 * Use case insensitive comparison as not all file systems are
+	 * case sensitive. This will prevent people using FOO.DB and foo.db
+	 * on case sensitive file systems but that shouldn't be a major issue.
+	 */
+	tresult = isc_symtab_create(mctx, 100, NULL, NULL, false, &files);
+	if (tresult != ISC_R_SUCCESS) {
+		result = tresult;
+		goto cleanup;
+	}
+
+	tresult = isc_symtab_create(mctx, 100, freekey, mctx, false, &keydirs);
+	if (tresult != ISC_R_SUCCESS) {
+		result = tresult;
+		goto cleanup;
+	}
+
+	tresult = isc_symtab_create(mctx, 100, freekey, mctx, true, &inview);
+	if (tresult != ISC_R_SUCCESS) {
+		result = tresult;
+		goto cleanup;
+	}
+
+	if (views == NULL) {
+		tresult = check_viewconf(config, NULL, NULL, dns_rdataclass_in,
+					 files, keydirs, check_plugins, inview,
+					 logctx, mctx);
+		if (result == ISC_R_SUCCESS && tresult != ISC_R_SUCCESS) {
+			result = ISC_R_FAILURE;
+		}
+	} else {
+		const cfg_obj_t *zones = NULL;
+		const cfg_obj_t *plugins = NULL;
+
+		(void)cfg_map_get(config, "zone", &zones);
+		if (zones != NULL) {
+			cfg_obj_log(zones, logctx, ISC_LOG_ERROR,
+				    "when using 'view' statements, "
+				    "all zones must be in views");
+			result = ISC_R_FAILURE;
+		}
+
+		(void)cfg_map_get(config, "plugin", &plugins);
+		if (plugins != NULL) {
+			cfg_obj_log(plugins, logctx, ISC_LOG_ERROR,
+				    "when using 'view' statements, "
+				    "all plugins must be defined in views");
+			result = ISC_R_FAILURE;
+		}
+	}
+
+	tresult = isc_symtab_create(mctx, 100, NULL, NULL, true, &symtab);
+	if (tresult != ISC_R_SUCCESS) {
+		result = tresult;
+		goto cleanup;
+	}
+	for (velement = cfg_list_first(views); velement != NULL;
+	     velement = cfg_list_next(velement))
+	{
+		const cfg_obj_t *view = cfg_listelt_value(velement);
+		const cfg_obj_t *vname = cfg_tuple_get(view, "name");
+		const cfg_obj_t *voptions = cfg_tuple_get(view, "options");
+		const cfg_obj_t *vclassobj = cfg_tuple_get(view, "class");
+		dns_rdataclass_t vclass = dns_rdataclass_in;
+		const char *key = cfg_obj_asstring(vname);
+		isc_symvalue_t symvalue;
+		unsigned int symtype;
+
+		tresult = ISC_R_SUCCESS;
+		if (cfg_obj_isstring(vclassobj)) {
+			isc_textregion_t r;
+
+			DE_CONST(cfg_obj_asstring(vclassobj), r.base);
+			r.length = strlen(r.base);
+			tresult = dns_rdataclass_fromtext(&vclass, &r);
+			if (tresult != ISC_R_SUCCESS) {
+				cfg_obj_log(vclassobj, logctx, ISC_LOG_ERROR,
+					    "view '%s': invalid class %s",
+					    cfg_obj_asstring(vname), r.base);
+			}
+		}
+		symtype = vclass + 1;
+		if (tresult == ISC_R_SUCCESS && symtab != NULL) {
+			symvalue.as_cpointer = view;
+			tresult = isc_symtab_define(symtab, key, symtype,
+						    symvalue,
+						    isc_symexists_reject);
+			if (tresult == ISC_R_EXISTS) {
+				const char *file;
+				unsigned int line;
+				RUNTIME_CHECK(isc_symtab_lookup(symtab, key,
+								symtype,
+								&symvalue) ==
+					      ISC_R_SUCCESS);
+				file = cfg_obj_file(symvalue.as_cpointer);
+				line = cfg_obj_line(symvalue.as_cpointer);
+				cfg_obj_log(view, logctx, ISC_LOG_ERROR,
+					    "view '%s': already exists "
+					    "previous definition: %s:%u",
+					    key, file, line);
+				result = tresult;
+			} else if (tresult != ISC_R_SUCCESS) {
+				result = tresult;
+			} else if ((strcasecmp(key, "_bind") == 0 &&
+				    vclass == dns_rdataclass_ch) ||
+				   (strcasecmp(key, "_default") == 0 &&
+				    vclass == dns_rdataclass_in))
+			{
+				cfg_obj_log(view, logctx, ISC_LOG_ERROR,
+					    "attempt to redefine builtin view "
+					    "'%s'",
+					    key);
+				result = ISC_R_EXISTS;
+			}
+		}
+		if (tresult == ISC_R_SUCCESS) {
+			tresult = check_viewconf(config, voptions, key, vclass,
+						 files, keydirs, check_plugins,
+						 inview, logctx, mctx);
+		}
+		if (tresult != ISC_R_SUCCESS) {
+			result = ISC_R_FAILURE;
+		}
+	}
+
+	if (views != NULL && options != NULL) {
+		obj = NULL;
+		tresult = cfg_map_get(options, "cache-file", &obj);
+		if (tresult == ISC_R_SUCCESS) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "'cache-file' cannot be a global "
+				    "option if views are present");
+			result = ISC_R_FAILURE;
+		}
+	}
+
+	cfg_map_get(config, "acl", &acls);
+
+	if (acls != NULL) {
+		const cfg_listelt_t *elt;
+		const cfg_listelt_t *elt2;
+		const char *aclname;
+
+		for (elt = cfg_list_first(acls); elt != NULL;
+		     elt = cfg_list_next(elt))
+		{
+			const cfg_obj_t *acl = cfg_listelt_value(elt);
+			unsigned int line = cfg_obj_line(acl);
+			unsigned int i;
+
+			aclname = cfg_obj_asstring(cfg_tuple_get(acl, "name"));
+			for (i = 0; i < sizeof(builtin) / sizeof(builtin[0]);
+			     i++)
+			{
+				if (strcasecmp(aclname, builtin[i]) == 0) {
+					{
+						cfg_obj_log(acl, logctx,
+							    ISC_LOG_ERROR,
+							    "attempt to "
+							    "redefine "
+							    "builtin acl '%s'",
+							    aclname);
+						result = ISC_R_FAILURE;
+						break;
+					}
+				}
+			}
+
+			for (elt2 = cfg_list_next(elt); elt2 != NULL;
+			     elt2 = cfg_list_next(elt2))
+			{
+				const cfg_obj_t *acl2 = cfg_listelt_value(elt2);
+				const char *name;
+				name = cfg_obj_asstring(
+					cfg_tuple_get(acl2, "name"));
+				if (strcasecmp(aclname, name) == 0) {
+					const char *file = cfg_obj_file(acl);
+
+					if (file == NULL) {
+						file = "<unknown file>";
+					}
+
+					cfg_obj_log(acl2, logctx, ISC_LOG_ERROR,
+						    "attempt to redefine "
+						    "acl '%s' previous "
+						    "definition: %s:%u",
+						    name, file, line);
+					result = ISC_R_FAILURE;
+				}
+			}
+		}
+	}
+
+cleanup:
+	if (symtab != NULL) {
+		isc_symtab_destroy(&symtab);
+	}
+	if (inview != NULL) {
+		isc_symtab_destroy(&inview);
+	}
+	if (files != NULL) {
+		isc_symtab_destroy(&files);
+	}
+	if (keydirs != NULL) {
+		isc_symtab_destroy(&keydirs);
+	}
+
+	return (result);
+}
diff --git a/lib/bind9/getaddresses.c b/lib/bind9/getaddresses.c
new file mode 100644
index 0000000..5fa7770
--- /dev/null
+++ b/lib/bind9/getaddresses.c
@@ -0,0 +1,164 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <string.h>
+
+#include <isc/net.h>
+#include <isc/netaddr.h>
+#include <isc/netdb.h>
+#include <isc/netscope.h>
+#include <isc/result.h>
+#include <isc/sockaddr.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <bind9/getaddresses.h>
+
+isc_result_t
+bind9_getaddresses(const char *hostname, in_port_t port, isc_sockaddr_t *addrs,
+		   int addrsize, int *addrcount) {
+	struct in_addr in4;
+	struct in6_addr in6;
+	bool have_ipv4, have_ipv6;
+	int i;
+
+	struct addrinfo *ai = NULL, *tmpai, hints;
+	int result;
+
+	REQUIRE(hostname != NULL);
+	REQUIRE(addrs != NULL);
+	REQUIRE(addrcount != NULL);
+	REQUIRE(addrsize > 0);
+
+	have_ipv4 = (isc_net_probeipv4() == ISC_R_SUCCESS);
+	have_ipv6 = (isc_net_probeipv6() == ISC_R_SUCCESS);
+
+	/*
+	 * Try IPv4, then IPv6.  In order to handle the extended format
+	 * for IPv6 scoped addresses (address%scope_ID), we'll use a local
+	 * working buffer of 128 bytes.  The length is an ad-hoc value, but
+	 * should be enough for this purpose; the buffer can contain a string
+	 * of at least 80 bytes for scope_ID in addition to any IPv6 numeric
+	 * addresses (up to 46 bytes), the delimiter character and the
+	 * terminating NULL character.
+	 */
+	if (inet_pton(AF_INET, hostname, &in4) == 1) {
+		if (have_ipv4) {
+			isc_sockaddr_fromin(&addrs[0], &in4, port);
+		} else {
+			isc_sockaddr_v6fromin(&addrs[0], &in4, port);
+		}
+		*addrcount = 1;
+		return (ISC_R_SUCCESS);
+	} else if (strlen(hostname) <= 127U) {
+		char tmpbuf[128], *d;
+		uint32_t zone = 0;
+
+		strlcpy(tmpbuf, hostname, sizeof(tmpbuf));
+		d = strchr(tmpbuf, '%');
+		if (d != NULL) {
+			*d = '\0';
+		}
+
+		if (inet_pton(AF_INET6, tmpbuf, &in6) == 1) {
+			isc_netaddr_t na;
+
+			if (!have_ipv6) {
+				return (ISC_R_FAMILYNOSUPPORT);
+			}
+
+			if (d != NULL) {
+				isc_result_t iresult;
+
+				iresult = isc_netscope_pton(AF_INET6, d + 1,
+							    &in6, &zone);
+
+				if (iresult != ISC_R_SUCCESS) {
+					return (iresult);
+				}
+			}
+
+			isc_netaddr_fromin6(&na, &in6);
+			isc_netaddr_setzone(&na, zone);
+			isc_sockaddr_fromnetaddr(
+				&addrs[0], (const isc_netaddr_t *)&na, port);
+
+			*addrcount = 1;
+			return (ISC_R_SUCCESS);
+		}
+	}
+	memset(&hints, 0, sizeof(hints));
+	if (!have_ipv6) {
+		hints.ai_family = PF_INET;
+	} else if (!have_ipv4) {
+		hints.ai_family = PF_INET6;
+	} else {
+		hints.ai_family = PF_UNSPEC;
+#ifdef AI_ADDRCONFIG
+		hints.ai_flags = AI_ADDRCONFIG;
+#endif /* ifdef AI_ADDRCONFIG */
+	}
+	hints.ai_socktype = SOCK_STREAM;
+#ifdef AI_ADDRCONFIG
+again:
+#endif /* ifdef AI_ADDRCONFIG */
+	result = getaddrinfo(hostname, NULL, &hints, &ai);
+	switch (result) {
+	case 0:
+		break;
+	case EAI_NONAME:
+#if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
+	case EAI_NODATA:
+#endif /* if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME) */
+		return (ISC_R_NOTFOUND);
+#ifdef AI_ADDRCONFIG
+	case EAI_BADFLAGS:
+		if ((hints.ai_flags & AI_ADDRCONFIG) != 0) {
+			hints.ai_flags &= ~AI_ADDRCONFIG;
+			goto again;
+		}
+#endif /* ifdef AI_ADDRCONFIG */
+		FALLTHROUGH;
+	default:
+		return (ISC_R_FAILURE);
+	}
+	for (tmpai = ai, i = 0; tmpai != NULL && i < addrsize;
+	     tmpai = tmpai->ai_next)
+	{
+		if (tmpai->ai_family != AF_INET && tmpai->ai_family != AF_INET6)
+		{
+			continue;
+		}
+		if (tmpai->ai_family == AF_INET) {
+			struct sockaddr_in *sin;
+			sin = (struct sockaddr_in *)tmpai->ai_addr;
+			isc_sockaddr_fromin(&addrs[i], &sin->sin_addr, port);
+		} else {
+			struct sockaddr_in6 *sin6;
+			sin6 = (struct sockaddr_in6 *)tmpai->ai_addr;
+			isc_sockaddr_fromin6(&addrs[i], &sin6->sin6_addr, port);
+		}
+		i++;
+	}
+	freeaddrinfo(ai);
+	*addrcount = i;
+	if (*addrcount == 0) {
+		return (ISC_R_NOTFOUND);
+	} else {
+		return (ISC_R_SUCCESS);
+	}
+}
diff --git a/lib/bind9/include/.clang-format b/lib/bind9/include/.clang-format
new file mode 120000
index 0000000..0e62f72
--- /dev/null
+++ b/lib/bind9/include/.clang-format
@@ -0,0 +1 @@
+../../../.clang-format.headers
\ No newline at end of file
diff --git a/lib/bind9/include/Makefile.in b/lib/bind9/include/Makefile.in
new file mode 100644
index 0000000..51a415b
--- /dev/null
+++ b/lib/bind9/include/Makefile.in
@@ -0,0 +1,19 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	bind9
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/bind9/include/bind9/Makefile.in b/lib/bind9/include/bind9/Makefile.in
new file mode 100644
index 0000000..3a8c799
--- /dev/null
+++ b/lib/bind9/include/bind9/Makefile.in
@@ -0,0 +1,41 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+#
+# Only list headers that are to be installed and are not
+# machine generated.  The latter are handled specially in the
+# install target below.
+#
+HEADERS =	check.h getaddresses.h version.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/bind9
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/bind9 || exit 1; \
+	done
+
+uninstall::
+	for i in ${HEADERS}; do \
+		rm -f ${DESTDIR}${includedir}/bind9/$$i || exit 1; \
+	done
diff --git a/lib/bind9/include/bind9/check.h b/lib/bind9/include/bind9/check.h
new file mode 100644
index 0000000..3919223
--- /dev/null
+++ b/lib/bind9/include/bind9/check.h
@@ -0,0 +1,66 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef BIND9_CHECK_H
+#define BIND9_CHECK_H 1
+
+/*! \file bind9/check.h */
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+#include <isccfg/cfg.h>
+
+#ifndef MAX_MIN_CACHE_TTL
+#define MAX_MIN_CACHE_TTL 90
+#endif /* MAX_MIN_CACHE_TTL */
+
+#ifndef MAX_MIN_NCACHE_TTL
+#define MAX_MIN_NCACHE_TTL 90
+#endif /* MAX_MIN_NCACHE_TTL */
+
+#ifndef MAX_MAX_NCACHE_TTL
+#define MAX_MAX_NCACHE_TTL 7 * 24 * 3600
+#endif /* MAX_MAX_NCACHE_TTL */
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+bind9_check_namedconf(const cfg_obj_t *config, bool check_plugins,
+		      isc_log_t *logctx, isc_mem_t *mctx);
+/*%<
+ * Check the syntactic validity of a configuration parse tree generated from
+ * a named.conf file.
+ *
+ * If 'check_plugins' is true, load plugins and check the validity of their
+ * parameters as well.
+ *
+ * Requires:
+ *\li	config is a valid parse tree
+ *
+ *\li	logctx is a valid logging context.
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_FAILURE
+ */
+
+isc_result_t
+bind9_check_key(const cfg_obj_t *config, isc_log_t *logctx);
+/*%<
+ * Same as bind9_check_namedconf(), but for a single 'key' statement.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* BIND9_CHECK_H */
diff --git a/lib/bind9/include/bind9/getaddresses.h b/lib/bind9/include/bind9/getaddresses.h
new file mode 100644
index 0000000..2ae677f
--- /dev/null
+++ b/lib/bind9/include/bind9/getaddresses.h
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef BIND9_GETADDRESSES_H
+#define BIND9_GETADDRESSES_H 1
+
+/*! \file bind9/getaddresses.h */
+
+#include <isc/lang.h>
+#include <isc/net.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+bind9_getaddresses(const char *hostname, in_port_t port, isc_sockaddr_t *addrs,
+		   int addrsize, int *addrcount);
+/*%<
+ * Use the system resolver to get the addresses associated with a hostname.
+ * If successful, the number of addresses found is returned in 'addrcount'.
+ * If a hostname lookup is performed and addresses of an unknown family is
+ * seen, it is ignored.  If more than 'addrsize' addresses are seen, the
+ * first 'addrsize' are returned and the remainder silently truncated.
+ *
+ * This routine may block.  If called by a program using the isc_app
+ * framework, it should be surrounded by isc_app_block()/isc_app_unblock().
+ *
+ *  Requires:
+ *\li	'hostname' is not NULL.
+ *\li	'addrs' is not NULL.
+ *\li	'addrsize' > 0
+ *\li	'addrcount' is not NULL.
+ *
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOTFOUND
+ *\li	#ISC_R_FAMILYNOSUPPORT - 'hostname' is an IPv6 address, and IPv6 is
+ *		not supported.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* BIND9_GETADDRESSES_H */
diff --git a/lib/bind9/include/bind9/version.h b/lib/bind9/include/bind9/version.h
new file mode 100644
index 0000000..066f7b9
--- /dev/null
+++ b/lib/bind9/include/bind9/version.h
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file bind9/version.h */
+
+#include <isc/platform.h>
+
+LIBBIND9_EXTERNAL_DATA extern const char bind9_version[];
diff --git a/lib/bind9/version.c b/lib/bind9/version.c
new file mode 100644
index 0000000..e69c0d9
--- /dev/null
+++ b/lib/bind9/version.c
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <bind9/version.h>
+
+const char bind9_version[] = VERSION;
diff --git a/lib/bind9/win32/DLLMain.c b/lib/bind9/win32/DLLMain.c
new file mode 100644
index 0000000..62c6e53
--- /dev/null
+++ b/lib/bind9/win32/DLLMain.c
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <signal.h>
+#include <windows.h>
+
+/*
+ * Called when we enter the DLL
+ */
+__declspec(dllexport) BOOL WINAPI
+	DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
+	switch (fdwReason) {
+	/*
+	 * The DLL is loading due to process
+	 * initialization or a call to LoadLibrary.
+	 */
+	case DLL_PROCESS_ATTACH:
+		break;
+
+	/* The attached process creates a new thread.  */
+	case DLL_THREAD_ATTACH:
+		break;
+
+	/* The thread of the attached process terminates. */
+	case DLL_THREAD_DETACH:
+		break;
+
+	/*
+	 * The DLL is unloading from a process due to
+	 * process termination or a call to FreeLibrary.
+	 */
+	case DLL_PROCESS_DETACH:
+		break;
+
+	default:
+		break;
+	}
+	return (TRUE);
+}
diff --git a/lib/bind9/win32/libbind9.def b/lib/bind9/win32/libbind9.def
new file mode 100644
index 0000000..b9a14ad
--- /dev/null
+++ b/lib/bind9/win32/libbind9.def
@@ -0,0 +1,8 @@
+LIBRARY libbind9
+
+; Exported Functions
+EXPORTS
+bind9_check_namedconf
+bind9_check_key
+bind9_getaddresses
+
diff --git a/lib/bind9/win32/libbind9.vcxproj.filters.in b/lib/bind9/win32/libbind9.vcxproj.filters.in
new file mode 100644
index 0000000..4e28330
--- /dev/null
+++ b/lib/bind9/win32/libbind9.vcxproj.filters.in
@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="libbind9.def" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="DLLMain.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="version.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\check.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\getaddresses.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\include\bind9\check.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\bind9\getaddresses.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\bind9\version.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/lib/bind9/win32/libbind9.vcxproj.in b/lib/bind9/win32/libbind9.vcxproj.in
new file mode 100644
index 0000000..5ee7c6d
--- /dev/null
+++ b/lib/bind9/win32/libbind9.vcxproj.in
@@ -0,0 +1,134 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{E741C10B-B075-4206-9596-46765B665E03}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>libbind9</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;LIBBIND9_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\isccfg\include;..\..\dns\include;..\..\ns\include;@LIBXML2_INC@@OPENSSL_INC@@GEOIP_INC@%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <AdditionalLibraryDirectories>..\..\isc\win32\$(Configuration);..\..\dns\win32\$(Configuration);..\..\isccfg\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;libdns.lib;libisccfg.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <ModuleDefinitionFile>.\libbind9.def</ModuleDefinitionFile>
+      <ImportLibrary>.\$(Configuration)\$(ProjectName).lib</ImportLibrary>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;LIBBIND9_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\isccfg\include;..\..\dns\include;..\..\ns\include;@LIBXML2_INC@@OPENSSL_INC@@GEOIP_INC@%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <AdditionalLibraryDirectories>..\..\isc\win32\$(Configuration);..\..\dns\win32\$(Configuration);..\..\isccfg\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;libdns.lib;libisccfg.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <ModuleDefinitionFile>.\libbind9.def</ModuleDefinitionFile>
+      <ImportLibrary>.\$(Configuration)\$(ProjectName).lib</ImportLibrary>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <None Include="libbind9.def" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\check.c" />
+    <ClCompile Include="..\getaddresses.c" />
+    <ClCompile Include="DLLMain.c" />
+    <ClCompile Include="version.c" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\include\bind9\check.h" />
+    <ClInclude Include="..\include\bind9\getaddresses.h" />
+    <ClInclude Include="..\include\bind9\version.h" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/lib/bind9/win32/libbind9.vcxproj.user b/lib/bind9/win32/libbind9.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/lib/bind9/win32/libbind9.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/lib/bind9/win32/version.c b/lib/bind9/win32/version.c
new file mode 100644
index 0000000..ba9f07b
--- /dev/null
+++ b/lib/bind9/win32/version.c
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <versions.h>
+
+#include <bind9/version.h>
+
+LIBBIND9_EXTERNAL_DATA const char bind9_version[] = VERSION;
diff --git a/lib/dns/Kyuafile b/lib/dns/Kyuafile
new file mode 100644
index 0000000..c796010
--- /dev/null
+++ b/lib/dns/Kyuafile
@@ -0,0 +1,15 @@
+-- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+--
+-- SPDX-License-Identifier: MPL-2.0
+--
+-- This Source Code Form is subject to the terms of the Mozilla Public
+-- License, v. 2.0.  If a copy of the MPL was not distributed with this
+-- file, you can obtain one at https://mozilla.org/MPL/2.0/.
+--
+-- See the COPYRIGHT file distributed with this work for additional
+-- information regarding copyright ownership.
+
+syntax(2)
+test_suite('bind9')
+
+include('tests/Kyuafile')
diff --git a/lib/dns/Makefile.in b/lib/dns/Makefile.in
new file mode 100644
index 0000000..5061c47
--- /dev/null
+++ b/lib/dns/Makefile.in
@@ -0,0 +1,215 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+# Attempt to disable parallel processing.
+.NOTPARALLEL:
+.NO_PARALLEL:
+
+VERSION=@BIND9_VERSION@
+@BIND9_MAJOR@
+
+@LIBDNS_MAPAPI@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	-I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
+		${ISC_INCLUDES} \
+		${FSTRM_CFLAGS} \
+		${OPENSSL_CFLAGS} @DST_GSSAPI_INC@ \
+		${PROTOBUF_C_CFLAGS} \
+		${JSON_C_CFLAGS} \
+		${LIBXML2_CFLAGS} \
+		${LMDB_CFLAGS} \
+		${MAXMINDDB_CFLAGS}
+
+CDEFINES =	@USE_GSSAPI@
+
+CWARNINGS =
+
+ISCLIBS =	../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+
+ISCDEPLIBS =	../../lib/isc/libisc.@A@
+
+LIBS =		${FSTRM_LIBS} ${MAXMINDDB_LIBS} ${LMDB_LIBS} ${PROTOBUF_C_LIBS} @LIBS@
+
+# Alphabetically
+
+DSTOBJS =	@DST_EXTRA_OBJS@ \
+		dst_api.@O@ dst_parse.@O@ dst_result.@O@ \
+		gssapi_link.@O@ gssapictx.@O@ hmac_link.@O@ \
+		openssl_link.@O@ openssldh_link.@O@ \
+		opensslecdsa_link.@O@ openssleddsa_link.@O@ opensslrsa_link.@O@ \
+		pkcs11rsa_link.@O@ \
+		pkcs11ecdsa_link.@O@ pkcs11eddsa_link.@O@ pkcs11.@O@ \
+		key.@O@
+
+GEOIP2LINKOBJS = geoip2.@O@
+
+DNSTAPOBJS = dnstap.@O@ dnstap.pb-c.@O@
+
+# Alphabetically
+DNSOBJS =	acl.@O@ adb.@O@ badcache.@O@ byaddr.@O@ \
+		cache.@O@ callbacks.@O@ catz.@O@ clientinfo.@O@ compress.@O@ \
+		db.@O@ dbiterator.@O@ dbtable.@O@ diff.@O@ dispatch.@O@ \
+		dlz.@O@ dns64.@O@ dnsrps.@O@ dnssec.@O@ ds.@O@ dyndb.@O@ \
+		ecs.@O@ fixedname.@O@ forward.@O@ \
+		ipkeylist.@O@ iptable.@O@ journal.@O@ kasp.@O@ keydata.@O@ \
+		keymgr.@O@ keytable.@O@ lib.@O@ log.@O@ lookup.@O@ \
+		master.@O@ masterdump.@O@ message.@O@ \
+		name.@O@ ncache.@O@ nsec.@O@ nsec3.@O@ nta.@O@ \
+		order.@O@ peer.@O@ portlist.@O@ private.@O@ \
+		rbt.@O@ rbtdb.@O@ rcode.@O@ rdata.@O@ \
+		rdatalist.@O@ rdataset.@O@ rdatasetiter.@O@ rdataslab.@O@ \
+		request.@O@ resolver.@O@ result.@O@ rootns.@O@ \
+		rpz.@O@ rrl.@O@ rriterator.@O@ sdb.@O@ \
+		sdlz.@O@ soa.@O@ ssu.@O@ ssu_external.@O@ \
+		stats.@O@ tcpmsg.@O@ time.@O@ timer.@O@ tkey.@O@ \
+		tsec.@O@ tsig.@O@ ttl.@O@ update.@O@ validator.@O@ \
+		version.@O@ view.@O@ xfrin.@O@ zone.@O@ zonekey.@O@ \
+		zoneverify.@O@ zt.@O@
+PORTDNSOBJS =	client.@O@ ecdb.@O@
+
+OBJS=		@DNSTAPOBJS@ ${DNSOBJS} ${OTHEROBJS} ${DSTOBJS} \
+		${PORTDNSOBJS} @GEOIP2LINKOBJS@
+
+DSTSRCS =	@DST_EXTRA_SRCS@ \
+		dst_api.c dst_parse.c \
+		dst_result.c gssapi_link.c gssapictx.c hmac_link.c \
+		openssl_link.c openssldh_link.c \
+		opensslecdsa_link.c openssleddsa_link.c opensslrsa_link.c \
+		pkcs11rsa_link.c \
+		pkcs11ecdsa_link.c pkcs11eddsa_link.c pkcs11.c \
+		key.c
+
+GEOIPL2INKSRCS = geoip2.c
+
+DNSTAPSRCS = dnstap.c dnstap.pb-c.c
+
+DNSSRCS =	acl.c adb.c badcache.c byaddr.c \
+		cache.c callbacks.c clientinfo.c compress.c \
+		db.c dbiterator.c dbtable.c diff.c dispatch.c \
+		dlz.c dns64.c dnsrps.c dnssec.c ds.c dyndb.c \
+		ecs.c fixedname.c forward.c ipkeylist.c iptable.c \
+		journal.c kasp.c keydata.c keymgr.c keytable.c \
+		lib.c log.c lookup.c master.c masterdump.c message.c \
+		name.c ncache.c nsec.c nsec3.c nta.c \
+		order.c peer.c portlist.c \
+		rbt.c rbtdb.c rcode.c rdata.c rdatalist.c \
+		rdataset.c rdatasetiter.c rdataslab.c request.c \
+		resolver.c result.c rootns.c rpz.c rrl.c rriterator.c \
+		sdb.c sdlz.c soa.c ssu.c ssu_external.c \
+		stats.c tcpmsg.c time.c timer.c tkey.c \
+		tsec.c tsig.c ttl.c update.c validator.c \
+		version.c view.c xfrin.c zone.c zoneverify.c \
+		zonekey.c zt.c ${OTHERSRCS}
+PORTDNSSRCS =	client.c ecdb.c
+
+SRCS = ${DSTSRCS} ${DNSSRCS} \
+	${PORTDNSSRCS} @DNSTAPSRCS@ @GEOIP2LINKSRCS@
+
+SUBDIRS =	include
+TARGETS =	timestamp
+TESTDIRS =	@UNITTESTS@
+
+DEPENDEXTRA =	./gen -F include/dns/rdatastruct.h \
+		-s ${srcdir} -d >> Makefile ;
+
+@BIND9_MAKE_RULES@
+
+PROTOC_C = @PROTOC_C@
+
+version.@O@: version.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+		-DVERSION=\"${VERSION}\" \
+		-DMAJOR=\"${MAJOR}\" \
+		-DMAPAPI=\"${MAPAPI}\" \
+		-c ${srcdir}/version.c
+
+libdns.@SA@: ${OBJS}
+	${AR} ${ARFLAGS} $@ ${OBJS}
+	${RANLIB} $@
+
+libdns.la: ${OBJS}
+	${LIBTOOL_MODE_LINK} \
+		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la -rpath ${libdir} \
+		-release "${VERSION}" \
+		${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
+
+include: gen
+	${MAKE} include/dns/enumtype.h
+	${MAKE} include/dns/enumclass.h
+	${MAKE} include/dns/rdatastruct.h
+	${MAKE} code.h
+
+include/dns/enumtype.h: gen
+	./gen -s ${srcdir} -t > $@ || { rm -f $@ ; exit 1; }
+
+include/dns/enumclass.h: gen
+	./gen -s ${srcdir} -c > $@ || { rm -f $@ ; exit 1; }
+
+include/dns/rdatastruct.h: gen \
+		${srcdir}/rdata/rdatastructpre.h \
+		${srcdir}/rdata/rdatastructsuf.h
+	./gen -s ${srcdir} -i \
+		-P ${srcdir}/rdata/rdatastructpre.h \
+		-S ${srcdir}/rdata/rdatastructsuf.h > $@ || \
+	{ rm -f $@ ; exit 1; }
+
+code.h:	gen
+	./gen -s ${srcdir} > code.h || { rm -f $@ ; exit 1; }
+
+gen: gen.c
+	${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc/include \
+	${LFS_CFLAGS} ${LFS_LDFLAGS} \
+	${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c \
+	${BUILD_LIBS} ${LFS_LIBS}
+
+timestamp: include libdns.@A@
+	touch timestamp
+
+testdirs: libdns.@A@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
+
+install:: timestamp installdirs
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns.@A@ ${DESTDIR}${libdir}
+
+uninstall::
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns.@A@
+
+clean distclean::
+	rm -f libdns.@A@ timestamp
+	rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h
+	rm -f include/dns/rdatastruct.h
+	rm -f dnstap.pb-c.c dnstap.pb-c.h
+
+newrr::
+	rm -f code.h include/dns/enumtype.h include/dns/enumclass.h
+	rm -f include/dns/rdatastruct.h
+
+rdata.@O@: include
+
+depend: include @DNSTAPSRCS@
+subdirs: include
+${OBJS}: include
+
+# dnstap
+dnstap.@O@: dnstap.c dnstap.pb-c.c
+
+dnstap.pb-c.c dnstap.pb-c.h: dnstap.proto
+	$(PROTOC_C) --c_out=. --proto_path ${srcdir} dnstap.proto
+
+dnstap.pb-c.@O@: dnstap.pb-c.c
diff --git a/lib/dns/acl.c b/lib/dns/acl.c
new file mode 100644
index 0000000..9359e53
--- /dev/null
+++ b/lib/dns/acl.c
@@ -0,0 +1,665 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/acl.h>
+#include <dns/iptable.h>
+
+/*
+ * Create a new ACL, including an IP table and an array with room
+ * for 'n' ACL elements.  The elements are uninitialized and the
+ * length is 0.
+ */
+isc_result_t
+dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target) {
+	isc_result_t result;
+	dns_acl_t *acl;
+
+	/*
+	 * Work around silly limitation of isc_mem_get().
+	 */
+	if (n == 0) {
+		n = 1;
+	}
+
+	acl = isc_mem_get(mctx, sizeof(*acl));
+
+	acl->mctx = NULL;
+	isc_mem_attach(mctx, &acl->mctx);
+
+	acl->name = NULL;
+
+	isc_refcount_init(&acl->refcount, 1);
+
+	result = dns_iptable_create(mctx, &acl->iptable);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(mctx, acl, sizeof(*acl));
+		return (result);
+	}
+
+	acl->elements = NULL;
+	acl->alloc = 0;
+	acl->length = 0;
+	acl->has_negatives = false;
+
+	ISC_LINK_INIT(acl, nextincache);
+	/*
+	 * Must set magic early because we use dns_acl_detach() to clean up.
+	 */
+	acl->magic = DNS_ACL_MAGIC;
+
+	acl->elements = isc_mem_get(mctx, n * sizeof(dns_aclelement_t));
+	acl->alloc = n;
+	memset(acl->elements, 0, n * sizeof(dns_aclelement_t));
+	*target = acl;
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Create a new ACL and initialize it with the value "any" or "none",
+ * depending on the value of the "neg" parameter.
+ * "any" is a positive iptable entry with bit length 0.
+ * "none" is the same as "!any".
+ */
+static isc_result_t
+dns_acl_anyornone(isc_mem_t *mctx, bool neg, dns_acl_t **target) {
+	isc_result_t result;
+	dns_acl_t *acl = NULL;
+
+	result = dns_acl_create(mctx, 0, &acl);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = dns_iptable_addprefix(acl->iptable, NULL, 0, !neg);
+	if (result != ISC_R_SUCCESS) {
+		dns_acl_detach(&acl);
+		return (result);
+	}
+
+	*target = acl;
+	return (result);
+}
+
+/*
+ * Create a new ACL that matches everything.
+ */
+isc_result_t
+dns_acl_any(isc_mem_t *mctx, dns_acl_t **target) {
+	return (dns_acl_anyornone(mctx, false, target));
+}
+
+/*
+ * Create a new ACL that matches nothing.
+ */
+isc_result_t
+dns_acl_none(isc_mem_t *mctx, dns_acl_t **target) {
+	return (dns_acl_anyornone(mctx, true, target));
+}
+
+/*
+ * If pos is true, test whether acl is set to "{ any; }"
+ * If pos is false, test whether acl is set to "{ none; }"
+ */
+static bool
+dns_acl_isanyornone(dns_acl_t *acl, bool pos) {
+	/* Should never happen but let's be safe */
+	if (acl == NULL || acl->iptable == NULL ||
+	    acl->iptable->radix == NULL || acl->iptable->radix->head == NULL ||
+	    acl->iptable->radix->head->prefix == NULL)
+	{
+		return (false);
+	}
+
+	if (acl->length != 0 || dns_acl_node_count(acl) != 1) {
+		return (false);
+	}
+
+	if (acl->iptable->radix->head->prefix->bitlen == 0 &&
+	    acl->iptable->radix->head->data[0] != NULL &&
+	    acl->iptable->radix->head->data[0] ==
+		    acl->iptable->radix->head->data[1] &&
+	    *(bool *)(acl->iptable->radix->head->data[0]) == pos)
+	{
+		return (true);
+	}
+
+	return (false); /* All others */
+}
+
+/*
+ * Test whether acl is set to "{ any; }"
+ */
+bool
+dns_acl_isany(dns_acl_t *acl) {
+	return (dns_acl_isanyornone(acl, true));
+}
+
+/*
+ * Test whether acl is set to "{ none; }"
+ */
+bool
+dns_acl_isnone(dns_acl_t *acl) {
+	return (dns_acl_isanyornone(acl, false));
+}
+
+/*
+ * Determine whether a given address or signer matches a given ACL.
+ * For a match with a positive ACL element or iptable radix entry,
+ * return with a positive value in match; for a match with a negated ACL
+ * element or radix entry, return with a negative value in match.
+ */
+
+isc_result_t
+dns_acl_match(const isc_netaddr_t *reqaddr, const dns_name_t *reqsigner,
+	      const dns_acl_t *acl, const dns_aclenv_t *env, int *match,
+	      const dns_aclelement_t **matchelt) {
+	uint16_t bitlen;
+	isc_prefix_t pfx;
+	isc_radix_node_t *node = NULL;
+	const isc_netaddr_t *addr = reqaddr;
+	isc_netaddr_t v4addr;
+	isc_result_t result;
+	int match_num = -1;
+	unsigned int i;
+
+	REQUIRE(reqaddr != NULL);
+	REQUIRE(matchelt == NULL || *matchelt == NULL);
+
+	if (env != NULL && env->match_mapped && addr->family == AF_INET6 &&
+	    IN6_IS_ADDR_V4MAPPED(&addr->type.in6))
+	{
+		isc_netaddr_fromv4mapped(&v4addr, addr);
+		addr = &v4addr;
+	}
+
+	/* Always match with host addresses. */
+	bitlen = (addr->family == AF_INET6) ? 128 : 32;
+	NETADDR_TO_PREFIX_T(addr, pfx, bitlen);
+
+	/* Assume no match. */
+	*match = 0;
+
+	/* Search radix. */
+	result = isc_radix_search(acl->iptable->radix, &node, &pfx);
+
+	/* Found a match. */
+	if (result == ISC_R_SUCCESS && node != NULL) {
+		int fam = ISC_RADIX_FAMILY(&pfx);
+		match_num = node->node_num[fam];
+		if (*(bool *)node->data[fam]) {
+			*match = match_num;
+		} else {
+			*match = -match_num;
+		}
+	}
+
+	isc_refcount_destroy(&pfx.refcount);
+
+	/* Now search non-radix elements for a match with a lower node_num. */
+	for (i = 0; i < acl->length; i++) {
+		dns_aclelement_t *e = &acl->elements[i];
+
+		/* Already found a better match? */
+		if (match_num != -1 && match_num < e->node_num) {
+			break;
+		}
+
+		if (dns_aclelement_match(reqaddr, reqsigner, e, env, matchelt))
+		{
+			if (match_num == -1 || e->node_num < match_num) {
+				if (e->negative) {
+					*match = -e->node_num;
+				} else {
+					*match = e->node_num;
+				}
+			}
+			break;
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Merge the contents of one ACL into another.  Call dns_iptable_merge()
+ * for the IP tables, then concatenate the element arrays.
+ *
+ * If pos is set to false, then the nested ACL is to be negated.  This
+ * means reverse the sense of each *positive* element or IP table node,
+ * but leave negatives alone, so as to prevent a double-negative causing
+ * an unexpected positive match in the parent ACL.
+ */
+isc_result_t
+dns_acl_merge(dns_acl_t *dest, dns_acl_t *source, bool pos) {
+	isc_result_t result;
+	unsigned int newalloc, nelem, i;
+	int max_node = 0, nodes;
+
+	/* Resize the element array if needed. */
+	if (dest->length + source->length > dest->alloc) {
+		void *newmem;
+
+		newalloc = dest->alloc + source->alloc;
+		if (newalloc < 4) {
+			newalloc = 4;
+		}
+
+		newmem = isc_mem_get(dest->mctx,
+				     newalloc * sizeof(dns_aclelement_t));
+
+		/* Zero. */
+		memset(newmem, 0, newalloc * sizeof(dns_aclelement_t));
+
+		/* Copy in the original elements */
+		memmove(newmem, dest->elements,
+			dest->length * sizeof(dns_aclelement_t));
+
+		/* Release the memory for the old elements array */
+		isc_mem_put(dest->mctx, dest->elements,
+			    dest->alloc * sizeof(dns_aclelement_t));
+		dest->elements = newmem;
+		dest->alloc = newalloc;
+	}
+
+	/*
+	 * Now copy in the new elements, increasing their node_num
+	 * values so as to keep the new ACL consistent.  If we're
+	 * negating, then negate positive elements, but keep negative
+	 * elements the same for security reasons.
+	 */
+	nelem = dest->length;
+	dest->length += source->length;
+	for (i = 0; i < source->length; i++) {
+		if (source->elements[i].node_num > max_node) {
+			max_node = source->elements[i].node_num;
+		}
+
+		/* Copy type. */
+		dest->elements[nelem + i].type = source->elements[i].type;
+
+		/* Adjust node numbering. */
+		dest->elements[nelem + i].node_num =
+			source->elements[i].node_num + dns_acl_node_count(dest);
+
+		/* Duplicate nested acl. */
+		if (source->elements[i].type == dns_aclelementtype_nestedacl &&
+		    source->elements[i].nestedacl != NULL)
+		{
+			dns_acl_attach(source->elements[i].nestedacl,
+				       &dest->elements[nelem + i].nestedacl);
+		}
+
+		/* Duplicate key name. */
+		if (source->elements[i].type == dns_aclelementtype_keyname) {
+			dns_name_init(&dest->elements[nelem + i].keyname, NULL);
+			dns_name_dup(&source->elements[i].keyname, dest->mctx,
+				     &dest->elements[nelem + i].keyname);
+		}
+
+#if defined(HAVE_GEOIP2)
+		/* Duplicate GeoIP data */
+		if (source->elements[i].type == dns_aclelementtype_geoip) {
+			dest->elements[nelem + i].geoip_elem =
+				source->elements[i].geoip_elem;
+		}
+#endif /* if defined(HAVE_GEOIP2) */
+
+		/* reverse sense of positives if this is a negative acl */
+		if (!pos && !source->elements[i].negative) {
+			dest->elements[nelem + i].negative = true;
+		} else {
+			dest->elements[nelem + i].negative =
+				source->elements[i].negative;
+		}
+	}
+
+	/*
+	 * Merge the iptables.  Make sure the destination ACL's
+	 * node_count value is set correctly afterward.
+	 */
+	nodes = max_node + dns_acl_node_count(dest);
+	result = dns_iptable_merge(dest->iptable, source->iptable, pos);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	if (nodes > dns_acl_node_count(dest)) {
+		dns_acl_node_count(dest) = nodes;
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Like dns_acl_match, but matches against the single ACL element 'e'
+ * rather than a complete ACL, and returns true iff it matched.
+ *
+ * To determine whether the match was positive or negative, the
+ * caller should examine e->negative.  Since the element 'e' may be
+ * a reference to a named ACL or a nested ACL, a matching element
+ * returned through 'matchelt' is not necessarily 'e' itself.
+ */
+
+bool
+dns_aclelement_match(const isc_netaddr_t *reqaddr, const dns_name_t *reqsigner,
+		     const dns_aclelement_t *e, const dns_aclenv_t *env,
+		     const dns_aclelement_t **matchelt) {
+	dns_acl_t *inner = NULL;
+	int indirectmatch;
+	isc_result_t result;
+
+	switch (e->type) {
+	case dns_aclelementtype_keyname:
+		if (reqsigner != NULL && dns_name_equal(reqsigner, &e->keyname))
+		{
+			if (matchelt != NULL) {
+				*matchelt = e;
+			}
+			return (true);
+		} else {
+			return (false);
+		}
+
+	case dns_aclelementtype_nestedacl:
+		inner = e->nestedacl;
+		break;
+
+	case dns_aclelementtype_localhost:
+		if (env == NULL || env->localhost == NULL) {
+			return (false);
+		}
+		inner = env->localhost;
+		break;
+
+	case dns_aclelementtype_localnets:
+		if (env == NULL || env->localnets == NULL) {
+			return (false);
+		}
+		inner = env->localnets;
+		break;
+
+#if defined(HAVE_GEOIP2)
+	case dns_aclelementtype_geoip:
+		if (env == NULL || env->geoip == NULL) {
+			return (false);
+		}
+		return (dns_geoip_match(reqaddr, env->geoip, &e->geoip_elem));
+#endif /* if defined(HAVE_GEOIP2) */
+	default:
+		UNREACHABLE();
+	}
+
+	result = dns_acl_match(reqaddr, reqsigner, inner, env, &indirectmatch,
+			       matchelt);
+	INSIST(result == ISC_R_SUCCESS);
+
+	/*
+	 * Treat negative matches in indirect ACLs as "no match".
+	 * That way, a negated indirect ACL will never become a
+	 * surprise positive match through double negation.
+	 * XXXDCL this should be documented.
+	 */
+	if (indirectmatch > 0) {
+		if (matchelt != NULL) {
+			*matchelt = e;
+		}
+		return (true);
+	}
+
+	/*
+	 * A negative indirect match may have set *matchelt, but we don't
+	 * want it set when we return.
+	 */
+	if (matchelt != NULL) {
+		*matchelt = NULL;
+	}
+
+	return (false);
+}
+
+void
+dns_acl_attach(dns_acl_t *source, dns_acl_t **target) {
+	REQUIRE(DNS_ACL_VALID(source));
+
+	isc_refcount_increment(&source->refcount);
+	*target = source;
+}
+
+static void
+destroy(dns_acl_t *dacl) {
+	unsigned int i;
+
+	INSIST(!ISC_LINK_LINKED(dacl, nextincache));
+
+	for (i = 0; i < dacl->length; i++) {
+		dns_aclelement_t *de = &dacl->elements[i];
+		if (de->type == dns_aclelementtype_keyname) {
+			dns_name_free(&de->keyname, dacl->mctx);
+		} else if (de->type == dns_aclelementtype_nestedacl) {
+			dns_acl_detach(&de->nestedacl);
+		}
+	}
+	if (dacl->elements != NULL) {
+		isc_mem_put(dacl->mctx, dacl->elements,
+			    dacl->alloc * sizeof(dns_aclelement_t));
+	}
+	if (dacl->name != NULL) {
+		isc_mem_free(dacl->mctx, dacl->name);
+	}
+	if (dacl->iptable != NULL) {
+		dns_iptable_detach(&dacl->iptable);
+	}
+	isc_refcount_destroy(&dacl->refcount);
+	dacl->magic = 0;
+	isc_mem_putanddetach(&dacl->mctx, dacl, sizeof(*dacl));
+}
+
+void
+dns_acl_detach(dns_acl_t **aclp) {
+	REQUIRE(aclp != NULL && DNS_ACL_VALID(*aclp));
+	dns_acl_t *acl = *aclp;
+	*aclp = NULL;
+
+	if (isc_refcount_decrement(&acl->refcount) == 1) {
+		destroy(acl);
+	}
+}
+
+static isc_once_t insecure_prefix_once = ISC_ONCE_INIT;
+static isc_mutex_t insecure_prefix_lock;
+static bool insecure_prefix_found;
+
+static void
+initialize_action(void) {
+	isc_mutex_init(&insecure_prefix_lock);
+}
+
+/*
+ * Called via isc_radix_process() to find IP table nodes that are
+ * insecure.
+ */
+static void
+is_insecure(isc_prefix_t *prefix, void **data) {
+	/*
+	 * If all nonexistent or negative then this node is secure.
+	 */
+	if ((data[0] == NULL || !*(bool *)data[0]) &&
+	    (data[1] == NULL || !*(bool *)data[1]))
+	{
+		return;
+	}
+
+	/*
+	 * If a loopback address found and the other family
+	 * entry doesn't exist or is negative, return.
+	 */
+	if (prefix->bitlen == 32 &&
+	    htonl(prefix->add.sin.s_addr) == INADDR_LOOPBACK &&
+	    (data[1] == NULL || !*(bool *)data[1]))
+	{
+		return;
+	}
+
+	if (prefix->bitlen == 128 && IN6_IS_ADDR_LOOPBACK(&prefix->add.sin6) &&
+	    (data[0] == NULL || !*(bool *)data[0]))
+	{
+		return;
+	}
+
+	/* Non-negated, non-loopback */
+	insecure_prefix_found = true; /* LOCKED */
+	return;
+}
+
+/*
+ * Return true iff the acl 'a' is considered insecure, that is,
+ * if it contains IP addresses other than those of the local host.
+ * This is intended for applications such as printing warning
+ * messages for suspect ACLs; it is not intended for making access
+ * control decisions.  We make no guarantee that an ACL for which
+ * this function returns false is safe.
+ */
+bool
+dns_acl_isinsecure(const dns_acl_t *a) {
+	unsigned int i;
+	bool insecure;
+
+	RUNTIME_CHECK(isc_once_do(&insecure_prefix_once, initialize_action) ==
+		      ISC_R_SUCCESS);
+
+	/*
+	 * Walk radix tree to find out if there are any non-negated,
+	 * non-loopback prefixes.
+	 */
+	LOCK(&insecure_prefix_lock);
+	insecure_prefix_found = false;
+	isc_radix_process(a->iptable->radix, is_insecure);
+	insecure = insecure_prefix_found;
+	UNLOCK(&insecure_prefix_lock);
+	if (insecure) {
+		return (true);
+	}
+
+	/* Now check non-radix elements */
+	for (i = 0; i < a->length; i++) {
+		dns_aclelement_t *e = &a->elements[i];
+
+		/* A negated match can never be insecure. */
+		if (e->negative) {
+			continue;
+		}
+
+		switch (e->type) {
+		case dns_aclelementtype_keyname:
+		case dns_aclelementtype_localhost:
+			continue;
+
+		case dns_aclelementtype_nestedacl:
+			if (dns_acl_isinsecure(e->nestedacl)) {
+				return (true);
+			}
+			continue;
+
+#if defined(HAVE_GEOIP2)
+		case dns_aclelementtype_geoip:
+#endif /* if defined(HAVE_GEOIP2) */
+		case dns_aclelementtype_localnets:
+			return (true);
+
+		default:
+			UNREACHABLE();
+		}
+	}
+
+	/* No insecure elements were found. */
+	return (false);
+}
+
+/*%
+ * Check whether an address/signer is allowed by a given acl/aclenv.
+ */
+bool
+dns_acl_allowed(isc_netaddr_t *addr, const dns_name_t *signer, dns_acl_t *acl,
+		dns_aclenv_t *aclenv) {
+	int match;
+	isc_result_t result;
+
+	if (acl == NULL) {
+		return (true);
+	}
+	result = dns_acl_match(addr, signer, acl, aclenv, &match, NULL);
+	if (result == ISC_R_SUCCESS && match > 0) {
+		return (true);
+	}
+	return (false);
+}
+
+/*
+ * Initialize ACL environment, setting up localhost and localnets ACLs
+ */
+isc_result_t
+dns_aclenv_init(isc_mem_t *mctx, dns_aclenv_t *env) {
+	isc_result_t result;
+
+	env->localhost = NULL;
+	env->localnets = NULL;
+	result = dns_acl_create(mctx, 0, &env->localhost);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_nothing;
+	}
+	result = dns_acl_create(mctx, 0, &env->localnets);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_localhost;
+	}
+	env->match_mapped = false;
+#if defined(HAVE_GEOIP2)
+	env->geoip = NULL;
+#endif /* if defined(HAVE_GEOIP2) */
+	return (ISC_R_SUCCESS);
+
+cleanup_localhost:
+	dns_acl_detach(&env->localhost);
+cleanup_nothing:
+	return (result);
+}
+
+void
+dns_aclenv_copy(dns_aclenv_t *t, dns_aclenv_t *s) {
+	dns_acl_detach(&t->localhost);
+	dns_acl_attach(s->localhost, &t->localhost);
+	dns_acl_detach(&t->localnets);
+	dns_acl_attach(s->localnets, &t->localnets);
+	t->match_mapped = s->match_mapped;
+#if defined(HAVE_GEOIP2)
+	t->geoip = s->geoip;
+#endif /* if defined(HAVE_GEOIP2) */
+}
+
+void
+dns_aclenv_destroy(dns_aclenv_t *env) {
+	if (env->localhost != NULL) {
+		dns_acl_detach(&env->localhost);
+	}
+	if (env->localnets != NULL) {
+		dns_acl_detach(&env->localnets);
+	}
+}
diff --git a/lib/dns/adb.c b/lib/dns/adb.c
new file mode 100644
index 0000000..87f0f8b
--- /dev/null
+++ b/lib/dns/adb.c
@@ -0,0 +1,4885 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file
+ *
+ * \note
+ * In finds, if task == NULL, no events will be generated, and no events
+ * have been sent.  If task != NULL but taskaction == NULL, an event has been
+ * posted but not yet freed.  If neither are NULL, no event was posted.
+ *
+ */
+
+#include <inttypes.h>
+#include <limits.h>
+#include <stdbool.h>
+
+#include <isc/mutexblock.h>
+#include <isc/netaddr.h>
+#include <isc/print.h>
+#include <isc/random.h>
+#include <isc/stats.h>
+#include <isc/string.h> /* Required for HP/UX (and others?) */
+#include <isc/task.h>
+#include <isc/util.h>
+
+#include <dns/adb.h>
+#include <dns/db.h>
+#include <dns/events.h>
+#include <dns/log.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/resolver.h>
+#include <dns/result.h>
+#include <dns/stats.h>
+
+#define DNS_ADB_MAGIC		 ISC_MAGIC('D', 'a', 'd', 'b')
+#define DNS_ADB_VALID(x)	 ISC_MAGIC_VALID(x, DNS_ADB_MAGIC)
+#define DNS_ADBNAME_MAGIC	 ISC_MAGIC('a', 'd', 'b', 'N')
+#define DNS_ADBNAME_VALID(x)	 ISC_MAGIC_VALID(x, DNS_ADBNAME_MAGIC)
+#define DNS_ADBNAMEHOOK_MAGIC	 ISC_MAGIC('a', 'd', 'N', 'H')
+#define DNS_ADBNAMEHOOK_VALID(x) ISC_MAGIC_VALID(x, DNS_ADBNAMEHOOK_MAGIC)
+#define DNS_ADBLAMEINFO_MAGIC	 ISC_MAGIC('a', 'd', 'b', 'Z')
+#define DNS_ADBLAMEINFO_VALID(x) ISC_MAGIC_VALID(x, DNS_ADBLAMEINFO_MAGIC)
+#define DNS_ADBENTRY_MAGIC	 ISC_MAGIC('a', 'd', 'b', 'E')
+#define DNS_ADBENTRY_VALID(x)	 ISC_MAGIC_VALID(x, DNS_ADBENTRY_MAGIC)
+#define DNS_ADBFETCH_MAGIC	 ISC_MAGIC('a', 'd', 'F', '4')
+#define DNS_ADBFETCH_VALID(x)	 ISC_MAGIC_VALID(x, DNS_ADBFETCH_MAGIC)
+#define DNS_ADBFETCH6_MAGIC	 ISC_MAGIC('a', 'd', 'F', '6')
+#define DNS_ADBFETCH6_VALID(x)	 ISC_MAGIC_VALID(x, DNS_ADBFETCH6_MAGIC)
+
+/*!
+ * For type 3 negative cache entries, we will remember that the address is
+ * broken for this long.  XXXMLG This is also used for actual addresses, too.
+ * The intent is to keep us from constantly asking about A/AAAA records
+ * if the zone has extremely low TTLs.
+ */
+#define ADB_CACHE_MINIMUM 10	/*%< seconds */
+#define ADB_CACHE_MAXIMUM 86400 /*%< seconds (86400 = 24 hours) */
+#define ADB_ENTRY_WINDOW  1800	/*%< seconds */
+
+/*%
+ * The period in seconds after which an ADB name entry is regarded as stale
+ * and forced to be cleaned up.
+ * TODO: This should probably be configurable at run-time.
+ */
+#ifndef ADB_STALE_MARGIN
+#define ADB_STALE_MARGIN 1800
+#endif /* ifndef ADB_STALE_MARGIN */
+
+#define FREE_ITEMS 64 /*%< free count for memory pools */
+#define FILL_COUNT 16 /*%< fill count for memory pools */
+
+#define DNS_ADB_INVALIDBUCKET (-1) /*%< invalid bucket address */
+
+#define DNS_ADB_MINADBSIZE (1024U * 1024U) /*%< 1 Megabyte */
+
+typedef ISC_LIST(dns_adbname_t) dns_adbnamelist_t;
+typedef struct dns_adbnamehook dns_adbnamehook_t;
+typedef ISC_LIST(dns_adbnamehook_t) dns_adbnamehooklist_t;
+typedef struct dns_adblameinfo dns_adblameinfo_t;
+typedef ISC_LIST(dns_adbentry_t) dns_adbentrylist_t;
+typedef struct dns_adbfetch dns_adbfetch_t;
+typedef struct dns_adbfetch6 dns_adbfetch6_t;
+
+/*% dns adb structure */
+struct dns_adb {
+	unsigned int magic;
+
+	isc_mutex_t lock;
+	isc_mutex_t reflock;	 /*%< Covers irefcnt, erefcnt */
+	isc_mutex_t overmemlock; /*%< Covers overmem */
+	isc_mem_t *mctx;
+	dns_view_t *view;
+
+	isc_taskmgr_t *taskmgr;
+	isc_task_t *task;
+	isc_task_t *excl;
+
+	isc_interval_t tick_interval;
+	int next_cleanbucket;
+
+	unsigned int irefcnt;
+	unsigned int erefcnt;
+
+	isc_refcount_t ahrefcnt;
+	isc_refcount_t nhrefcnt;
+
+	/*!
+	 * Bucketized locks and lists for names.
+	 *
+	 * XXXRTH  Have a per-bucket structure that contains all of these?
+	 */
+	unsigned int nnames;
+	isc_mutex_t namescntlock;
+	unsigned int namescnt;
+	dns_adbnamelist_t *names;
+	dns_adbnamelist_t *deadnames;
+	isc_mutex_t *namelocks;
+	bool *name_sd;
+	unsigned int *name_refcnt;
+
+	/*!
+	 * Bucketized locks and lists for entries.
+	 *
+	 * XXXRTH  Have a per-bucket structure that contains all of these?
+	 */
+	unsigned int nentries;
+	isc_mutex_t entriescntlock;
+	unsigned int entriescnt;
+	dns_adbentrylist_t *entries;
+	dns_adbentrylist_t *deadentries;
+	isc_mutex_t *entrylocks;
+	bool *entry_sd; /*%< shutting down */
+	unsigned int *entry_refcnt;
+
+	isc_event_t cevent;
+	bool cevent_out;
+	bool shutting_down;
+	isc_eventlist_t whenshutdown;
+	isc_event_t growentries;
+	bool growentries_sent;
+	isc_event_t grownames;
+	bool grownames_sent;
+
+	uint32_t quota;
+	uint32_t atr_freq;
+	double atr_low;
+	double atr_high;
+	double atr_discount;
+};
+
+/*
+ * XXXMLG  Document these structures.
+ */
+
+/*% dns_adbname structure */
+struct dns_adbname {
+	unsigned int magic;
+	dns_name_t name;
+	dns_adb_t *adb;
+	unsigned int partial_result;
+	unsigned int flags;
+	int lock_bucket;
+	dns_name_t target;
+	isc_stdtime_t expire_target;
+	isc_stdtime_t expire_v4;
+	isc_stdtime_t expire_v6;
+	unsigned int chains;
+	dns_adbnamehooklist_t v4;
+	dns_adbnamehooklist_t v6;
+	dns_adbfetch_t *fetch_a;
+	dns_adbfetch_t *fetch_aaaa;
+	unsigned int fetch_err;
+	unsigned int fetch6_err;
+	dns_adbfindlist_t finds;
+	/* for LRU-based management */
+	isc_stdtime_t last_used;
+
+	ISC_LINK(dns_adbname_t) plink;
+};
+
+/*% The adbfetch structure */
+struct dns_adbfetch {
+	unsigned int magic;
+	dns_fetch_t *fetch;
+	dns_rdataset_t rdataset;
+	unsigned int depth;
+};
+
+/*%
+ * This is a small widget that dangles off a dns_adbname_t.  It contains a
+ * pointer to the address information about this host, and a link to the next
+ * namehook that will contain the next address this host has.
+ */
+struct dns_adbnamehook {
+	unsigned int magic;
+	dns_adbentry_t *entry;
+	ISC_LINK(dns_adbnamehook_t) plink;
+};
+
+/*%
+ * This is a small widget that holds qname-specific information about an
+ * address.  Currently limited to lameness, but could just as easily be
+ * extended to other types of information about zones.
+ */
+struct dns_adblameinfo {
+	unsigned int magic;
+
+	dns_name_t qname;
+	dns_rdatatype_t qtype;
+	isc_stdtime_t lame_timer;
+
+	ISC_LINK(dns_adblameinfo_t) plink;
+};
+
+/*%
+ * An address entry.  It holds quite a bit of information about addresses,
+ * including edns state (in "flags"), rtt, and of course the address of
+ * the host.
+ */
+struct dns_adbentry {
+	unsigned int magic;
+
+	int lock_bucket;
+	unsigned int refcnt;
+	unsigned int nh;
+
+	unsigned int flags;
+	unsigned int srtt;
+	uint16_t udpsize;
+	unsigned int completed;
+	unsigned int timeouts;
+	unsigned char plain;
+	unsigned char plainto;
+	unsigned char edns;
+	unsigned char to4096; /* Our max. */
+
+	uint8_t mode;
+	atomic_uint_fast32_t quota;
+	atomic_uint_fast32_t active;
+	double atr;
+
+	/*
+	 * Allow for encapsulated IPv4/IPv6 UDP packet over ethernet.
+	 * Ethernet 1500 - IP(20) - IP6(40) - UDP(8) = 1432.
+	 */
+	unsigned char to1432; /* Ethernet */
+	unsigned char to1232; /* IPv6 nofrag */
+	unsigned char to512;  /* plain DNS */
+	isc_sockaddr_t sockaddr;
+	unsigned char *cookie;
+	uint16_t cookielen;
+
+	isc_stdtime_t expires;
+	isc_stdtime_t lastage;
+	/*%<
+	 * A nonzero 'expires' field indicates that the entry should
+	 * persist until that time.  This allows entries found
+	 * using dns_adb_findaddrinfo() to persist for a limited time
+	 * even though they are not necessarily associated with a
+	 * name.
+	 */
+
+	ISC_LIST(dns_adblameinfo_t) lameinfo;
+	ISC_LINK(dns_adbentry_t) plink;
+};
+
+/*
+ * Internal functions (and prototypes).
+ */
+static dns_adbname_t *
+new_adbname(dns_adb_t *, const dns_name_t *);
+static void
+free_adbname(dns_adb_t *, dns_adbname_t **);
+static dns_adbnamehook_t *
+new_adbnamehook(dns_adb_t *, dns_adbentry_t *);
+static void
+free_adbnamehook(dns_adb_t *, dns_adbnamehook_t **);
+static dns_adblameinfo_t *
+new_adblameinfo(dns_adb_t *, const dns_name_t *, dns_rdatatype_t);
+static void
+free_adblameinfo(dns_adb_t *, dns_adblameinfo_t **);
+static dns_adbentry_t *
+new_adbentry(dns_adb_t *);
+static void
+free_adbentry(dns_adb_t *, dns_adbentry_t **);
+static dns_adbfind_t *
+new_adbfind(dns_adb_t *);
+static bool
+free_adbfind(dns_adb_t *, dns_adbfind_t **);
+static dns_adbaddrinfo_t *
+new_adbaddrinfo(dns_adb_t *, dns_adbentry_t *, in_port_t);
+static dns_adbfetch_t *
+new_adbfetch(dns_adb_t *);
+static void
+free_adbfetch(dns_adb_t *, dns_adbfetch_t **);
+static dns_adbname_t *
+find_name_and_lock(dns_adb_t *, const dns_name_t *, unsigned int, int *);
+static dns_adbentry_t *
+find_entry_and_lock(dns_adb_t *, const isc_sockaddr_t *, int *, isc_stdtime_t);
+static void
+dump_adb(dns_adb_t *, FILE *, bool debug, isc_stdtime_t);
+static void
+print_dns_name(FILE *, const dns_name_t *);
+static void
+print_namehook_list(FILE *, const char *legend, dns_adb_t *adb,
+		    dns_adbnamehooklist_t *list, bool debug, isc_stdtime_t now);
+static void
+print_find_list(FILE *, dns_adbname_t *);
+static void
+print_fetch_list(FILE *, dns_adbname_t *);
+static bool
+dec_adb_irefcnt(dns_adb_t *);
+static void
+inc_adb_irefcnt(dns_adb_t *);
+static void
+inc_adb_erefcnt(dns_adb_t *);
+static void
+inc_entry_refcnt(dns_adb_t *, dns_adbentry_t *, bool);
+static bool
+dec_entry_refcnt(dns_adb_t *, bool, dns_adbentry_t *, bool);
+static void
+violate_locking_hierarchy(isc_mutex_t *, isc_mutex_t *);
+static bool
+clean_namehooks(dns_adb_t *, dns_adbnamehooklist_t *);
+static void
+clean_target(dns_adb_t *, dns_name_t *);
+static void
+clean_finds_at_name(dns_adbname_t *, isc_eventtype_t, unsigned int);
+static bool
+check_expire_namehooks(dns_adbname_t *, isc_stdtime_t);
+static bool
+check_expire_entry(dns_adb_t *, dns_adbentry_t **, isc_stdtime_t);
+static void
+cancel_fetches_at_name(dns_adbname_t *);
+static isc_result_t
+dbfind_name(dns_adbname_t *, isc_stdtime_t, dns_rdatatype_t);
+static isc_result_t
+fetch_name(dns_adbname_t *, bool, unsigned int, isc_counter_t *qc,
+	   dns_rdatatype_t);
+static void
+check_exit(dns_adb_t *);
+static void
+destroy(dns_adb_t *);
+static bool
+shutdown_names(dns_adb_t *);
+static bool
+shutdown_entries(dns_adb_t *);
+static void
+link_name(dns_adb_t *, int, dns_adbname_t *);
+static bool
+unlink_name(dns_adb_t *, dns_adbname_t *);
+static void
+link_entry(dns_adb_t *, int, dns_adbentry_t *);
+static bool
+unlink_entry(dns_adb_t *, dns_adbentry_t *);
+static bool
+kill_name(dns_adbname_t **, isc_eventtype_t);
+static void
+water(void *, int);
+static void
+dump_entry(FILE *, dns_adb_t *, dns_adbentry_t *, bool, isc_stdtime_t);
+static void
+adjustsrtt(dns_adbaddrinfo_t *addr, unsigned int rtt, unsigned int factor,
+	   isc_stdtime_t now);
+static void
+shutdown_task(isc_task_t *task, isc_event_t *ev);
+static void
+log_quota(dns_adbentry_t *entry, const char *fmt, ...) ISC_FORMAT_PRINTF(2, 3);
+
+/*
+ * MUST NOT overlap DNS_ADBFIND_* flags!
+ */
+#define FIND_EVENT_SENT	   0x40000000
+#define FIND_EVENT_FREED   0x80000000
+#define FIND_EVENTSENT(h)  (((h)->flags & FIND_EVENT_SENT) != 0)
+#define FIND_EVENTFREED(h) (((h)->flags & FIND_EVENT_FREED) != 0)
+
+#define NAME_NEEDS_POKE	  0x80000000
+#define NAME_IS_DEAD	  0x40000000
+#define NAME_HINT_OK	  DNS_ADBFIND_HINTOK
+#define NAME_GLUE_OK	  DNS_ADBFIND_GLUEOK
+#define NAME_STARTATZONE  DNS_ADBFIND_STARTATZONE
+#define NAME_DEAD(n)	  (((n)->flags & NAME_IS_DEAD) != 0)
+#define NAME_NEEDSPOKE(n) (((n)->flags & NAME_NEEDS_POKE) != 0)
+#define NAME_GLUEOK(n)	  (((n)->flags & NAME_GLUE_OK) != 0)
+#define NAME_HINTOK(n)	  (((n)->flags & NAME_HINT_OK) != 0)
+
+/*
+ * Private flag(s) for entries.
+ * MUST NOT overlap FCTX_ADDRINFO_xxx and DNS_FETCHOPT_NOEDNS0.
+ */
+#define ENTRY_IS_DEAD 0x00400000
+
+/*
+ * To the name, address classes are all that really exist.  If it has a
+ * V6 address it doesn't care if it came from a AAAA query.
+ */
+#define NAME_HAS_V4(n)	  (!ISC_LIST_EMPTY((n)->v4))
+#define NAME_HAS_V6(n)	  (!ISC_LIST_EMPTY((n)->v6))
+#define NAME_HAS_ADDRS(n) (NAME_HAS_V4(n) || NAME_HAS_V6(n))
+
+/*
+ * Fetches are broken out into A and AAAA types.  In some cases,
+ * however, it makes more sense to test for a particular class of fetches,
+ * like V4 or V6 above.
+ * Note: since we have removed the support of A6 in adb, FETCH_A and FETCH_AAAA
+ * are now equal to FETCH_V4 and FETCH_V6, respectively.
+ */
+#define NAME_FETCH_A(n)	   ((n)->fetch_a != NULL)
+#define NAME_FETCH_AAAA(n) ((n)->fetch_aaaa != NULL)
+#define NAME_FETCH_V4(n)   (NAME_FETCH_A(n))
+#define NAME_FETCH_V6(n)   (NAME_FETCH_AAAA(n))
+#define NAME_FETCH(n)	   (NAME_FETCH_V4(n) || NAME_FETCH_V6(n))
+
+/*
+ * Find options and tests to see if there are addresses on the list.
+ */
+#define FIND_WANTEVENT(fn)	(((fn)->options & DNS_ADBFIND_WANTEVENT) != 0)
+#define FIND_WANTEMPTYEVENT(fn) (((fn)->options & DNS_ADBFIND_EMPTYEVENT) != 0)
+#define FIND_AVOIDFETCHES(fn)	(((fn)->options & DNS_ADBFIND_AVOIDFETCHES) != 0)
+#define FIND_STARTATZONE(fn)	(((fn)->options & DNS_ADBFIND_STARTATZONE) != 0)
+#define FIND_HINTOK(fn)		(((fn)->options & DNS_ADBFIND_HINTOK) != 0)
+#define FIND_GLUEOK(fn)		(((fn)->options & DNS_ADBFIND_GLUEOK) != 0)
+#define FIND_HAS_ADDRS(fn)	(!ISC_LIST_EMPTY((fn)->list))
+#define FIND_RETURNLAME(fn)	(((fn)->options & DNS_ADBFIND_RETURNLAME) != 0)
+#define FIND_NOFETCH(fn)	(((fn)->options & DNS_ADBFIND_NOFETCH) != 0)
+
+/*
+ * These are currently used on simple unsigned ints, so they are
+ * not really associated with any particular type.
+ */
+#define WANT_INET(x)  (((x)&DNS_ADBFIND_INET) != 0)
+#define WANT_INET6(x) (((x)&DNS_ADBFIND_INET6) != 0)
+
+#define EXPIRE_OK(exp, now) ((exp == INT_MAX) || (exp < now))
+
+/*
+ * Find out if the flags on a name (nf) indicate if it is a hint or
+ * glue, and compare this to the appropriate bits set in o, to see if
+ * this is ok.
+ */
+#define GLUE_OK(nf, o)	   (!NAME_GLUEOK(nf) || (((o)&DNS_ADBFIND_GLUEOK) != 0))
+#define HINT_OK(nf, o)	   (!NAME_HINTOK(nf) || (((o)&DNS_ADBFIND_HINTOK) != 0))
+#define GLUEHINT_OK(nf, o) (GLUE_OK(nf, o) || HINT_OK(nf, o))
+#define STARTATZONE_MATCHES(nf, o) \
+	(((nf)->flags & NAME_STARTATZONE) == ((o)&DNS_ADBFIND_STARTATZONE))
+
+#define ENTER_LEVEL  ISC_LOG_DEBUG(50)
+#define EXIT_LEVEL   ENTER_LEVEL
+#define CLEAN_LEVEL  ISC_LOG_DEBUG(100)
+#define DEF_LEVEL    ISC_LOG_DEBUG(5)
+#define NCACHE_LEVEL ISC_LOG_DEBUG(20)
+
+#define NCACHE_RESULT(r) \
+	((r) == DNS_R_NCACHENXDOMAIN || (r) == DNS_R_NCACHENXRRSET)
+#define AUTH_NX(r) ((r) == DNS_R_NXDOMAIN || (r) == DNS_R_NXRRSET)
+#define NXDOMAIN_RESULT(r) \
+	((r) == DNS_R_NXDOMAIN || (r) == DNS_R_NCACHENXDOMAIN)
+#define NXRRSET_RESULT(r)                                      \
+	((r) == DNS_R_NCACHENXRRSET || (r) == DNS_R_NXRRSET || \
+	 (r) == DNS_R_HINTNXRRSET)
+
+/*
+ * Error state rankings.
+ */
+
+#define FIND_ERR_SUCCESS    0 /* highest rank */
+#define FIND_ERR_CANCELED   1
+#define FIND_ERR_FAILURE    2
+#define FIND_ERR_NXDOMAIN   3
+#define FIND_ERR_NXRRSET    4
+#define FIND_ERR_UNEXPECTED 5
+#define FIND_ERR_NOTFOUND   6
+#define FIND_ERR_MAX	    7
+
+static const char *errnames[] = { "success",  "canceled", "failure",
+				  "nxdomain", "nxrrset",  "unexpected",
+				  "not_found" };
+
+#define NEWERR(old, new) (ISC_MIN((old), (new)))
+
+static isc_result_t find_err_map[FIND_ERR_MAX] = {
+	ISC_R_SUCCESS, ISC_R_CANCELED,	 ISC_R_FAILURE, DNS_R_NXDOMAIN,
+	DNS_R_NXRRSET, ISC_R_UNEXPECTED, ISC_R_NOTFOUND /* not YET found */
+};
+
+static void
+DP(int level, const char *format, ...) ISC_FORMAT_PRINTF(2, 3);
+
+static void
+DP(int level, const char *format, ...) {
+	va_list args;
+
+	va_start(args, format);
+	isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_ADB,
+		       level, format, args);
+	va_end(args);
+}
+
+/*%
+ * Increment resolver-related statistics counters.
+ */
+static void
+inc_stats(dns_adb_t *adb, isc_statscounter_t counter) {
+	if (adb->view->resstats != NULL) {
+		isc_stats_increment(adb->view->resstats, counter);
+	}
+}
+
+/*%
+ * Set adb-related statistics counters.
+ */
+static void
+set_adbstat(dns_adb_t *adb, uint64_t val, isc_statscounter_t counter) {
+	if (adb->view->adbstats != NULL) {
+		isc_stats_set(adb->view->adbstats, val, counter);
+	}
+}
+
+static void
+dec_adbstats(dns_adb_t *adb, isc_statscounter_t counter) {
+	if (adb->view->adbstats != NULL) {
+		isc_stats_decrement(adb->view->adbstats, counter);
+	}
+}
+
+static void
+inc_adbstats(dns_adb_t *adb, isc_statscounter_t counter) {
+	if (adb->view->adbstats != NULL) {
+		isc_stats_increment(adb->view->adbstats, counter);
+	}
+}
+
+static dns_ttl_t
+ttlclamp(dns_ttl_t ttl) {
+	if (ttl < ADB_CACHE_MINIMUM) {
+		ttl = ADB_CACHE_MINIMUM;
+	}
+	if (ttl > ADB_CACHE_MAXIMUM) {
+		ttl = ADB_CACHE_MAXIMUM;
+	}
+
+	return (ttl);
+}
+
+/*
+ * Hashing is most efficient if the number of buckets is prime.
+ * The sequence below is the closest previous primes to 2^n and
+ * 1.5 * 2^n, for values of n from 10 to 28.  (The tables will
+ * no longer grow beyond 2^28 entries.)
+ */
+static const unsigned nbuckets[] = {
+	1021,	   1531,     2039,     3067,	  4093,	     6143,
+	8191,	   12281,    16381,    24571,	  32749,     49193,
+	65521,	   98299,    131071,   199603,	  262139,    393209,
+	524287,	   768431,   1048573,  1572853,	  2097143,   3145721,
+	4194301,   6291449,  8388593,  12582893,  16777213,  25165813,
+	33554393,  50331599, 67108859, 100663291, 134217689, 201326557,
+	268535431, 0
+};
+
+static void
+grow_entries(isc_task_t *task, isc_event_t *ev) {
+	dns_adb_t *adb;
+	dns_adbentry_t *e;
+	dns_adbentrylist_t *newdeadentries = NULL;
+	dns_adbentrylist_t *newentries = NULL;
+	bool *newentry_sd = NULL;
+	isc_mutex_t *newentrylocks = NULL;
+	isc_result_t result;
+	unsigned int *newentry_refcnt = NULL;
+	unsigned int i, n, bucket;
+
+	adb = ev->ev_arg;
+	INSIST(DNS_ADB_VALID(adb));
+
+	isc_event_free(&ev);
+
+	result = isc_task_beginexclusive(task);
+	if (result != ISC_R_SUCCESS) {
+		goto check_exit;
+	}
+
+	i = 0;
+	while (nbuckets[i] != 0 && adb->nentries >= nbuckets[i]) {
+		i++;
+	}
+	if (nbuckets[i] != 0) {
+		n = nbuckets[i];
+	} else {
+		goto done;
+	}
+
+	DP(ISC_LOG_INFO, "adb: grow_entries to %u starting", n);
+
+	/*
+	 * Are we shutting down?
+	 */
+	for (i = 0; i < adb->nentries; i++) {
+		if (adb->entry_sd[i]) {
+			goto cleanup;
+
+			/*
+			 * Grab all the resources we need.
+			 */
+		}
+	}
+
+	/*
+	 * Grab all the resources we need.
+	 */
+	newentries = isc_mem_get(adb->mctx, sizeof(*newentries) * n);
+	newdeadentries = isc_mem_get(adb->mctx, sizeof(*newdeadentries) * n);
+	newentrylocks = isc_mem_get(adb->mctx, sizeof(*newentrylocks) * n);
+	newentry_sd = isc_mem_get(adb->mctx, sizeof(*newentry_sd) * n);
+	newentry_refcnt = isc_mem_get(adb->mctx, sizeof(*newentry_refcnt) * n);
+
+	/*
+	 * Initialise the new resources.
+	 */
+	isc_mutexblock_init(newentrylocks, n);
+
+	for (i = 0; i < n; i++) {
+		ISC_LIST_INIT(newentries[i]);
+		ISC_LIST_INIT(newdeadentries[i]);
+		newentry_sd[i] = false;
+		newentry_refcnt[i] = 0;
+		adb->irefcnt++;
+	}
+
+	/*
+	 * Move entries to new arrays.
+	 */
+	for (i = 0; i < adb->nentries; i++) {
+		e = ISC_LIST_HEAD(adb->entries[i]);
+		while (e != NULL) {
+			ISC_LIST_UNLINK(adb->entries[i], e, plink);
+			bucket = isc_sockaddr_hash(&e->sockaddr, true) % n;
+			e->lock_bucket = bucket;
+			ISC_LIST_APPEND(newentries[bucket], e, plink);
+			INSIST(adb->entry_refcnt[i] > 0);
+			adb->entry_refcnt[i]--;
+			newentry_refcnt[bucket]++;
+			e = ISC_LIST_HEAD(adb->entries[i]);
+		}
+		e = ISC_LIST_HEAD(adb->deadentries[i]);
+		while (e != NULL) {
+			ISC_LIST_UNLINK(adb->deadentries[i], e, plink);
+			bucket = isc_sockaddr_hash(&e->sockaddr, true) % n;
+			e->lock_bucket = bucket;
+			ISC_LIST_APPEND(newdeadentries[bucket], e, plink);
+			INSIST(adb->entry_refcnt[i] > 0);
+			adb->entry_refcnt[i]--;
+			newentry_refcnt[bucket]++;
+			e = ISC_LIST_HEAD(adb->deadentries[i]);
+		}
+		INSIST(adb->entry_refcnt[i] == 0);
+		adb->irefcnt--;
+	}
+
+	/*
+	 * Cleanup old resources.
+	 */
+	isc_mutexblock_destroy(adb->entrylocks, adb->nentries);
+	isc_mem_put(adb->mctx, adb->entries,
+		    sizeof(*adb->entries) * adb->nentries);
+	isc_mem_put(adb->mctx, adb->deadentries,
+		    sizeof(*adb->deadentries) * adb->nentries);
+	isc_mem_put(adb->mctx, adb->entrylocks,
+		    sizeof(*adb->entrylocks) * adb->nentries);
+	isc_mem_put(adb->mctx, adb->entry_sd,
+		    sizeof(*adb->entry_sd) * adb->nentries);
+	isc_mem_put(adb->mctx, adb->entry_refcnt,
+		    sizeof(*adb->entry_refcnt) * adb->nentries);
+
+	/*
+	 * Install new resources.
+	 */
+	adb->entries = newentries;
+	adb->deadentries = newdeadentries;
+	adb->entrylocks = newentrylocks;
+	adb->entry_sd = newentry_sd;
+	adb->entry_refcnt = newentry_refcnt;
+	adb->nentries = n;
+
+	set_adbstat(adb, adb->nentries, dns_adbstats_nentries);
+
+	/*
+	 * Only on success do we set adb->growentries_sent to false.
+	 * This will prevent us being continuously being called on error.
+	 */
+	adb->growentries_sent = false;
+	goto done;
+
+cleanup:
+	if (newentries != NULL) {
+		isc_mem_put(adb->mctx, newentries, sizeof(*newentries) * n);
+	}
+	if (newdeadentries != NULL) {
+		isc_mem_put(adb->mctx, newdeadentries,
+			    sizeof(*newdeadentries) * n);
+	}
+	if (newentrylocks != NULL) {
+		isc_mem_put(adb->mctx, newentrylocks,
+			    sizeof(*newentrylocks) * n);
+	}
+	if (newentry_sd != NULL) {
+		isc_mem_put(adb->mctx, newentry_sd, sizeof(*newentry_sd) * n);
+	}
+	if (newentry_refcnt != NULL) {
+		isc_mem_put(adb->mctx, newentry_refcnt,
+			    sizeof(*newentry_refcnt) * n);
+	}
+done:
+	isc_task_endexclusive(task);
+
+check_exit:
+	LOCK(&adb->lock);
+	if (dec_adb_irefcnt(adb)) {
+		check_exit(adb);
+	}
+	UNLOCK(&adb->lock);
+	DP(ISC_LOG_INFO, "adb: grow_entries finished");
+}
+
+static void
+grow_names(isc_task_t *task, isc_event_t *ev) {
+	dns_adb_t *adb;
+	dns_adbname_t *name;
+	dns_adbnamelist_t *newdeadnames = NULL;
+	dns_adbnamelist_t *newnames = NULL;
+	bool *newname_sd = NULL;
+	isc_mutex_t *newnamelocks = NULL;
+	isc_result_t result;
+	unsigned int *newname_refcnt = NULL;
+	unsigned int i, n;
+	unsigned int bucket;
+
+	adb = ev->ev_arg;
+	INSIST(DNS_ADB_VALID(adb));
+
+	isc_event_free(&ev);
+
+	result = isc_task_beginexclusive(task);
+	if (result != ISC_R_SUCCESS) {
+		goto check_exit;
+	}
+
+	i = 0;
+	while (nbuckets[i] != 0 && adb->nnames >= nbuckets[i]) {
+		i++;
+	}
+	if (nbuckets[i] != 0) {
+		n = nbuckets[i];
+	} else {
+		goto done;
+	}
+
+	DP(ISC_LOG_INFO, "adb: grow_names to %u starting", n);
+
+	/*
+	 * Are we shutting down?
+	 */
+	for (i = 0; i < adb->nnames; i++) {
+		if (adb->name_sd[i]) {
+			goto cleanup;
+
+			/*
+			 * Grab all the resources we need.
+			 */
+		}
+	}
+
+	/*
+	 * Grab all the resources we need.
+	 */
+	newnames = isc_mem_get(adb->mctx, sizeof(*newnames) * n);
+	newdeadnames = isc_mem_get(adb->mctx, sizeof(*newdeadnames) * n);
+	newnamelocks = isc_mem_get(adb->mctx, sizeof(*newnamelocks) * n);
+	newname_sd = isc_mem_get(adb->mctx, sizeof(*newname_sd) * n);
+	newname_refcnt = isc_mem_get(adb->mctx, sizeof(*newname_refcnt) * n);
+
+	/*
+	 * Initialise the new resources.
+	 */
+	isc_mutexblock_init(newnamelocks, n);
+
+	for (i = 0; i < n; i++) {
+		ISC_LIST_INIT(newnames[i]);
+		ISC_LIST_INIT(newdeadnames[i]);
+		newname_sd[i] = false;
+		newname_refcnt[i] = 0;
+		adb->irefcnt++;
+	}
+
+	/*
+	 * Move names to new arrays.
+	 */
+	for (i = 0; i < adb->nnames; i++) {
+		name = ISC_LIST_HEAD(adb->names[i]);
+		while (name != NULL) {
+			ISC_LIST_UNLINK(adb->names[i], name, plink);
+			bucket = dns_name_fullhash(&name->name, true) % n;
+			name->lock_bucket = bucket;
+			ISC_LIST_APPEND(newnames[bucket], name, plink);
+			INSIST(adb->name_refcnt[i] > 0);
+			adb->name_refcnt[i]--;
+			newname_refcnt[bucket]++;
+			name = ISC_LIST_HEAD(adb->names[i]);
+		}
+		name = ISC_LIST_HEAD(adb->deadnames[i]);
+		while (name != NULL) {
+			ISC_LIST_UNLINK(adb->deadnames[i], name, plink);
+			bucket = dns_name_fullhash(&name->name, true) % n;
+			name->lock_bucket = bucket;
+			ISC_LIST_APPEND(newdeadnames[bucket], name, plink);
+			INSIST(adb->name_refcnt[i] > 0);
+			adb->name_refcnt[i]--;
+			newname_refcnt[bucket]++;
+			name = ISC_LIST_HEAD(adb->deadnames[i]);
+		}
+		INSIST(adb->name_refcnt[i] == 0);
+		adb->irefcnt--;
+	}
+
+	/*
+	 * Cleanup old resources.
+	 */
+	isc_mutexblock_destroy(adb->namelocks, adb->nnames);
+	isc_mem_put(adb->mctx, adb->names, sizeof(*adb->names) * adb->nnames);
+	isc_mem_put(adb->mctx, adb->deadnames,
+		    sizeof(*adb->deadnames) * adb->nnames);
+	isc_mem_put(adb->mctx, adb->namelocks,
+		    sizeof(*adb->namelocks) * adb->nnames);
+	isc_mem_put(adb->mctx, adb->name_sd,
+		    sizeof(*adb->name_sd) * adb->nnames);
+	isc_mem_put(adb->mctx, adb->name_refcnt,
+		    sizeof(*adb->name_refcnt) * adb->nnames);
+
+	/*
+	 * Install new resources.
+	 */
+	adb->names = newnames;
+	adb->deadnames = newdeadnames;
+	adb->namelocks = newnamelocks;
+	adb->name_sd = newname_sd;
+	adb->name_refcnt = newname_refcnt;
+	adb->nnames = n;
+
+	set_adbstat(adb, adb->nnames, dns_adbstats_nnames);
+
+	/*
+	 * Only on success do we set adb->grownames_sent to false.
+	 * This will prevent us being continuously being called on error.
+	 */
+	adb->grownames_sent = false;
+	goto done;
+
+cleanup:
+	if (newnames != NULL) {
+		isc_mem_put(adb->mctx, newnames, sizeof(*newnames) * n);
+	}
+	if (newdeadnames != NULL) {
+		isc_mem_put(adb->mctx, newdeadnames, sizeof(*newdeadnames) * n);
+	}
+	if (newnamelocks != NULL) {
+		isc_mem_put(adb->mctx, newnamelocks, sizeof(*newnamelocks) * n);
+	}
+	if (newname_sd != NULL) {
+		isc_mem_put(adb->mctx, newname_sd, sizeof(*newname_sd) * n);
+	}
+	if (newname_refcnt != NULL) {
+		isc_mem_put(adb->mctx, newname_refcnt,
+			    sizeof(*newname_refcnt) * n);
+	}
+done:
+	isc_task_endexclusive(task);
+
+check_exit:
+	LOCK(&adb->lock);
+	if (dec_adb_irefcnt(adb)) {
+		check_exit(adb);
+	}
+	UNLOCK(&adb->lock);
+	DP(ISC_LOG_INFO, "adb: grow_names finished");
+}
+
+/*
+ * Requires the adbname bucket be locked and that no entry buckets be locked.
+ *
+ * This code handles A and AAAA rdatasets only.
+ */
+static isc_result_t
+import_rdataset(dns_adbname_t *adbname, dns_rdataset_t *rdataset,
+		isc_stdtime_t now) {
+	isc_result_t result;
+	dns_adb_t *adb;
+	dns_adbnamehook_t *nh;
+	dns_adbnamehook_t *anh;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	struct in_addr ina;
+	struct in6_addr in6a;
+	isc_sockaddr_t sockaddr;
+	dns_adbentry_t *foundentry; /* NO CLEAN UP! */
+	int addr_bucket;
+	bool new_addresses_added;
+	dns_rdatatype_t rdtype;
+	unsigned int findoptions;
+	dns_adbnamehooklist_t *hookhead;
+
+	INSIST(DNS_ADBNAME_VALID(adbname));
+	adb = adbname->adb;
+	INSIST(DNS_ADB_VALID(adb));
+
+	rdtype = rdataset->type;
+	INSIST((rdtype == dns_rdatatype_a) || (rdtype == dns_rdatatype_aaaa));
+	if (rdtype == dns_rdatatype_a) {
+		findoptions = DNS_ADBFIND_INET;
+	} else {
+		findoptions = DNS_ADBFIND_INET6;
+	}
+
+	addr_bucket = DNS_ADB_INVALIDBUCKET;
+	new_addresses_added = false;
+
+	nh = NULL;
+	result = dns_rdataset_first(rdataset);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdata_reset(&rdata);
+		dns_rdataset_current(rdataset, &rdata);
+		if (rdtype == dns_rdatatype_a) {
+			INSIST(rdata.length == 4);
+			memmove(&ina.s_addr, rdata.data, 4);
+			isc_sockaddr_fromin(&sockaddr, &ina, 0);
+			hookhead = &adbname->v4;
+		} else {
+			INSIST(rdata.length == 16);
+			memmove(in6a.s6_addr, rdata.data, 16);
+			isc_sockaddr_fromin6(&sockaddr, &in6a, 0);
+			hookhead = &adbname->v6;
+		}
+
+		INSIST(nh == NULL);
+		nh = new_adbnamehook(adb, NULL);
+		if (nh == NULL) {
+			adbname->partial_result |= findoptions;
+			result = ISC_R_NOMEMORY;
+			goto fail;
+		}
+
+		foundentry = find_entry_and_lock(adb, &sockaddr, &addr_bucket,
+						 now);
+		if (foundentry == NULL) {
+			dns_adbentry_t *entry;
+
+			entry = new_adbentry(adb);
+			if (entry == NULL) {
+				adbname->partial_result |= findoptions;
+				result = ISC_R_NOMEMORY;
+				goto fail;
+			}
+
+			entry->sockaddr = sockaddr;
+			entry->refcnt = 1;
+			entry->nh = 1;
+
+			nh->entry = entry;
+
+			link_entry(adb, addr_bucket, entry);
+		} else {
+			for (anh = ISC_LIST_HEAD(*hookhead); anh != NULL;
+			     anh = ISC_LIST_NEXT(anh, plink))
+			{
+				if (anh->entry == foundentry) {
+					break;
+				}
+			}
+			if (anh == NULL) {
+				foundentry->refcnt++;
+				foundentry->nh++;
+				nh->entry = foundentry;
+			} else {
+				free_adbnamehook(adb, &nh);
+			}
+		}
+
+		new_addresses_added = true;
+		if (nh != NULL) {
+			ISC_LIST_APPEND(*hookhead, nh, plink);
+		}
+		nh = NULL;
+		result = dns_rdataset_next(rdataset);
+	}
+
+fail:
+	if (nh != NULL) {
+		free_adbnamehook(adb, &nh);
+	}
+
+	if (addr_bucket != DNS_ADB_INVALIDBUCKET) {
+		UNLOCK(&adb->entrylocks[addr_bucket]);
+	}
+
+	if (rdataset->trust == dns_trust_glue ||
+	    rdataset->trust == dns_trust_additional)
+	{
+		rdataset->ttl = ADB_CACHE_MINIMUM;
+	} else if (rdataset->trust == dns_trust_ultimate) {
+		rdataset->ttl = 0;
+	} else {
+		rdataset->ttl = ttlclamp(rdataset->ttl);
+	}
+
+	if (rdtype == dns_rdatatype_a) {
+		DP(NCACHE_LEVEL, "expire_v4 set to MIN(%u,%u) import_rdataset",
+		   adbname->expire_v4, now + rdataset->ttl);
+		adbname->expire_v4 = ISC_MIN(
+			adbname->expire_v4,
+			ISC_MIN(now + ADB_ENTRY_WINDOW, now + rdataset->ttl));
+	} else {
+		DP(NCACHE_LEVEL, "expire_v6 set to MIN(%u,%u) import_rdataset",
+		   adbname->expire_v6, now + rdataset->ttl);
+		adbname->expire_v6 = ISC_MIN(
+			adbname->expire_v6,
+			ISC_MIN(now + ADB_ENTRY_WINDOW, now + rdataset->ttl));
+	}
+
+	if (new_addresses_added) {
+		/*
+		 * Lie a little here.  This is more or less so code that cares
+		 * can find out if any new information was added or not.
+		 */
+		return (ISC_R_SUCCESS);
+	}
+
+	return (result);
+}
+
+/*
+ * Requires the name's bucket be locked.
+ */
+static bool
+kill_name(dns_adbname_t **n, isc_eventtype_t ev) {
+	dns_adbname_t *name;
+	bool result = false;
+	bool result4, result6;
+	int bucket;
+	dns_adb_t *adb;
+
+	INSIST(n != NULL);
+	name = *n;
+	*n = NULL;
+	INSIST(DNS_ADBNAME_VALID(name));
+	adb = name->adb;
+	INSIST(DNS_ADB_VALID(adb));
+
+	DP(DEF_LEVEL, "killing name %p", name);
+
+	/*
+	 * If we're dead already, just check to see if we should go
+	 * away now or not.
+	 */
+	if (NAME_DEAD(name) && !NAME_FETCH(name)) {
+		result = unlink_name(adb, name);
+		free_adbname(adb, &name);
+		if (result) {
+			result = dec_adb_irefcnt(adb);
+		}
+		return (result);
+	}
+
+	/*
+	 * Clean up the name's various lists.  These two are destructive
+	 * in that they will always empty the list.
+	 */
+	clean_finds_at_name(name, ev, DNS_ADBFIND_ADDRESSMASK);
+	result4 = clean_namehooks(adb, &name->v4);
+	result6 = clean_namehooks(adb, &name->v6);
+	clean_target(adb, &name->target);
+	result = (result4 || result6);
+
+	/*
+	 * If fetches are running, cancel them.  If none are running, we can
+	 * just kill the name here.
+	 */
+	if (!NAME_FETCH(name)) {
+		INSIST(!result);
+		result = unlink_name(adb, name);
+		free_adbname(adb, &name);
+		if (result) {
+			result = dec_adb_irefcnt(adb);
+		}
+	} else {
+		cancel_fetches_at_name(name);
+		if (!NAME_DEAD(name)) {
+			bucket = name->lock_bucket;
+			ISC_LIST_UNLINK(adb->names[bucket], name, plink);
+			ISC_LIST_APPEND(adb->deadnames[bucket], name, plink);
+			name->flags |= NAME_IS_DEAD;
+		}
+	}
+	return (result);
+}
+
+/*
+ * Requires the name's bucket be locked and no entry buckets be locked.
+ */
+static bool
+check_expire_namehooks(dns_adbname_t *name, isc_stdtime_t now) {
+	dns_adb_t *adb;
+	bool result4 = false;
+	bool result6 = false;
+
+	INSIST(DNS_ADBNAME_VALID(name));
+	adb = name->adb;
+	INSIST(DNS_ADB_VALID(adb));
+
+	/*
+	 * Check to see if we need to remove the v4 addresses
+	 */
+	if (!NAME_FETCH_V4(name) && EXPIRE_OK(name->expire_v4, now)) {
+		if (NAME_HAS_V4(name)) {
+			DP(DEF_LEVEL, "expiring v4 for name %p", name);
+			result4 = clean_namehooks(adb, &name->v4);
+			name->partial_result &= ~DNS_ADBFIND_INET;
+		}
+		name->expire_v4 = INT_MAX;
+		name->fetch_err = FIND_ERR_UNEXPECTED;
+	}
+
+	/*
+	 * Check to see if we need to remove the v6 addresses
+	 */
+	if (!NAME_FETCH_V6(name) && EXPIRE_OK(name->expire_v6, now)) {
+		if (NAME_HAS_V6(name)) {
+			DP(DEF_LEVEL, "expiring v6 for name %p", name);
+			result6 = clean_namehooks(adb, &name->v6);
+			name->partial_result &= ~DNS_ADBFIND_INET6;
+		}
+		name->expire_v6 = INT_MAX;
+		name->fetch6_err = FIND_ERR_UNEXPECTED;
+	}
+
+	/*
+	 * Check to see if we need to remove the alias target.
+	 */
+	if (EXPIRE_OK(name->expire_target, now)) {
+		clean_target(adb, &name->target);
+		name->expire_target = INT_MAX;
+	}
+	return (result4 || result6);
+}
+
+/*
+ * Requires the name's bucket be locked.
+ */
+static void
+link_name(dns_adb_t *adb, int bucket, dns_adbname_t *name) {
+	INSIST(name->lock_bucket == DNS_ADB_INVALIDBUCKET);
+
+	ISC_LIST_PREPEND(adb->names[bucket], name, plink);
+	name->lock_bucket = bucket;
+	adb->name_refcnt[bucket]++;
+}
+
+/*
+ * Requires the name's bucket be locked.
+ */
+static bool
+unlink_name(dns_adb_t *adb, dns_adbname_t *name) {
+	int bucket;
+	bool result = false;
+
+	bucket = name->lock_bucket;
+	INSIST(bucket != DNS_ADB_INVALIDBUCKET);
+
+	if (NAME_DEAD(name)) {
+		ISC_LIST_UNLINK(adb->deadnames[bucket], name, plink);
+	} else {
+		ISC_LIST_UNLINK(adb->names[bucket], name, plink);
+	}
+	name->lock_bucket = DNS_ADB_INVALIDBUCKET;
+	INSIST(adb->name_refcnt[bucket] > 0);
+	adb->name_refcnt[bucket]--;
+	if (adb->name_sd[bucket] && adb->name_refcnt[bucket] == 0) {
+		result = true;
+	}
+	return (result);
+}
+
+/*
+ * Requires the entry's bucket be locked.
+ */
+static void
+link_entry(dns_adb_t *adb, int bucket, dns_adbentry_t *entry) {
+	int i;
+	dns_adbentry_t *e;
+
+	if (isc_mem_isovermem(adb->mctx)) {
+		for (i = 0; i < 2; i++) {
+			e = ISC_LIST_TAIL(adb->entries[bucket]);
+			if (e == NULL) {
+				break;
+			}
+			if (e->refcnt == 0) {
+				unlink_entry(adb, e);
+				free_adbentry(adb, &e);
+				continue;
+			}
+			INSIST((e->flags & ENTRY_IS_DEAD) == 0);
+			e->flags |= ENTRY_IS_DEAD;
+			ISC_LIST_UNLINK(adb->entries[bucket], e, plink);
+			ISC_LIST_PREPEND(adb->deadentries[bucket], e, plink);
+		}
+	}
+
+	ISC_LIST_PREPEND(adb->entries[bucket], entry, plink);
+	entry->lock_bucket = bucket;
+	adb->entry_refcnt[bucket]++;
+}
+
+/*
+ * Requires the entry's bucket be locked.
+ */
+static bool
+unlink_entry(dns_adb_t *adb, dns_adbentry_t *entry) {
+	int bucket;
+	bool result = false;
+
+	bucket = entry->lock_bucket;
+	INSIST(bucket != DNS_ADB_INVALIDBUCKET);
+
+	if ((entry->flags & ENTRY_IS_DEAD) != 0) {
+		ISC_LIST_UNLINK(adb->deadentries[bucket], entry, plink);
+	} else {
+		ISC_LIST_UNLINK(adb->entries[bucket], entry, plink);
+	}
+	entry->lock_bucket = DNS_ADB_INVALIDBUCKET;
+	INSIST(adb->entry_refcnt[bucket] > 0);
+	adb->entry_refcnt[bucket]--;
+	if (adb->entry_sd[bucket] && adb->entry_refcnt[bucket] == 0) {
+		result = true;
+	}
+	return (result);
+}
+
+static void
+violate_locking_hierarchy(isc_mutex_t *have, isc_mutex_t *want) {
+	if (isc_mutex_trylock(want) != ISC_R_SUCCESS) {
+		UNLOCK(have);
+		LOCK(want);
+		LOCK(have);
+	}
+}
+
+/*
+ * The ADB _MUST_ be locked before calling.  Also, exit conditions must be
+ * checked after calling this function.
+ */
+static bool
+shutdown_names(dns_adb_t *adb) {
+	unsigned int bucket;
+	bool result = false;
+	dns_adbname_t *name;
+	dns_adbname_t *next_name;
+
+	for (bucket = 0; bucket < adb->nnames; bucket++) {
+		LOCK(&adb->namelocks[bucket]);
+		adb->name_sd[bucket] = true;
+
+		name = ISC_LIST_HEAD(adb->names[bucket]);
+		if (name == NULL) {
+			/*
+			 * This bucket has no names.  We must decrement the
+			 * irefcnt ourselves, since it will not be
+			 * automatically triggered by a name being unlinked.
+			 */
+			INSIST(!result);
+			result = dec_adb_irefcnt(adb);
+		} else {
+			/*
+			 * Run through the list.  For each name, clean up finds
+			 * found there, and cancel any fetches running.  When
+			 * all the fetches are canceled, the name will destroy
+			 * itself.
+			 */
+			while (name != NULL) {
+				next_name = ISC_LIST_NEXT(name, plink);
+				INSIST(!result);
+				result = kill_name(&name,
+						   DNS_EVENT_ADBSHUTDOWN);
+				name = next_name;
+			}
+		}
+
+		UNLOCK(&adb->namelocks[bucket]);
+	}
+	return (result);
+}
+
+/*
+ * The ADB _MUST_ be locked before calling.  Also, exit conditions must be
+ * checked after calling this function.
+ */
+static bool
+shutdown_entries(dns_adb_t *adb) {
+	unsigned int bucket;
+	bool result = false;
+	dns_adbentry_t *entry;
+	dns_adbentry_t *next_entry;
+
+	for (bucket = 0; bucket < adb->nentries; bucket++) {
+		LOCK(&adb->entrylocks[bucket]);
+		adb->entry_sd[bucket] = true;
+
+		entry = ISC_LIST_HEAD(adb->entries[bucket]);
+		if (adb->entry_refcnt[bucket] == 0) {
+			/*
+			 * This bucket has no entries.  We must decrement the
+			 * irefcnt ourselves, since it will not be
+			 * automatically triggered by an entry being unlinked.
+			 */
+			result = dec_adb_irefcnt(adb);
+		} else {
+			/*
+			 * Run through the list.  Cleanup any entries not
+			 * associated with names, and which are not in use.
+			 */
+			while (entry != NULL) {
+				next_entry = ISC_LIST_NEXT(entry, plink);
+				if (entry->refcnt == 0 && entry->expires != 0) {
+					result = unlink_entry(adb, entry);
+					free_adbentry(adb, &entry);
+					if (result) {
+						result = dec_adb_irefcnt(adb);
+					}
+				}
+				entry = next_entry;
+			}
+		}
+
+		UNLOCK(&adb->entrylocks[bucket]);
+	}
+	return (result);
+}
+
+/*
+ * Name bucket must be locked
+ */
+static void
+cancel_fetches_at_name(dns_adbname_t *name) {
+	if (NAME_FETCH_A(name)) {
+		dns_resolver_cancelfetch(name->fetch_a->fetch);
+	}
+
+	if (NAME_FETCH_AAAA(name)) {
+		dns_resolver_cancelfetch(name->fetch_aaaa->fetch);
+	}
+}
+
+/*
+ * Assumes the name bucket is locked.
+ */
+static bool
+clean_namehooks(dns_adb_t *adb, dns_adbnamehooklist_t *namehooks) {
+	dns_adbentry_t *entry;
+	dns_adbnamehook_t *namehook;
+	int addr_bucket;
+	bool result = false;
+	bool overmem = isc_mem_isovermem(adb->mctx);
+
+	addr_bucket = DNS_ADB_INVALIDBUCKET;
+	namehook = ISC_LIST_HEAD(*namehooks);
+	while (namehook != NULL) {
+		INSIST(DNS_ADBNAMEHOOK_VALID(namehook));
+
+		/*
+		 * Clean up the entry if needed.
+		 */
+		entry = namehook->entry;
+		if (entry != NULL) {
+			INSIST(DNS_ADBENTRY_VALID(entry));
+
+			if (addr_bucket != entry->lock_bucket) {
+				if (addr_bucket != DNS_ADB_INVALIDBUCKET) {
+					UNLOCK(&adb->entrylocks[addr_bucket]);
+				}
+				addr_bucket = entry->lock_bucket;
+				INSIST(addr_bucket != DNS_ADB_INVALIDBUCKET);
+				LOCK(&adb->entrylocks[addr_bucket]);
+			}
+
+			entry->nh--;
+			result = dec_entry_refcnt(adb, overmem, entry, false);
+		}
+
+		/*
+		 * Free the namehook
+		 */
+		namehook->entry = NULL;
+		ISC_LIST_UNLINK(*namehooks, namehook, plink);
+		free_adbnamehook(adb, &namehook);
+
+		namehook = ISC_LIST_HEAD(*namehooks);
+	}
+
+	if (addr_bucket != DNS_ADB_INVALIDBUCKET) {
+		UNLOCK(&adb->entrylocks[addr_bucket]);
+	}
+	return (result);
+}
+
+static void
+clean_target(dns_adb_t *adb, dns_name_t *target) {
+	if (dns_name_countlabels(target) > 0) {
+		dns_name_free(target, adb->mctx);
+		dns_name_init(target, NULL);
+	}
+}
+
+static isc_result_t
+set_target(dns_adb_t *adb, const dns_name_t *name, const dns_name_t *fname,
+	   dns_rdataset_t *rdataset, dns_name_t *target) {
+	isc_result_t result;
+	dns_namereln_t namereln;
+	unsigned int nlabels;
+	int order;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_fixedname_t fixed1, fixed2;
+	dns_name_t *prefix, *new_target;
+
+	REQUIRE(dns_name_countlabels(target) == 0);
+
+	if (rdataset->type == dns_rdatatype_cname) {
+		dns_rdata_cname_t cname;
+
+		/*
+		 * Copy the CNAME's target into the target name.
+		 */
+		result = dns_rdataset_first(rdataset);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		dns_rdataset_current(rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &cname, NULL);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		dns_name_dup(&cname.cname, adb->mctx, target);
+		dns_rdata_freestruct(&cname);
+	} else {
+		dns_rdata_dname_t dname;
+
+		INSIST(rdataset->type == dns_rdatatype_dname);
+		namereln = dns_name_fullcompare(name, fname, &order, &nlabels);
+		INSIST(namereln == dns_namereln_subdomain);
+		/*
+		 * Get the target name of the DNAME.
+		 */
+		result = dns_rdataset_first(rdataset);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		dns_rdataset_current(rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &dname, NULL);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		/*
+		 * Construct the new target name.
+		 */
+		prefix = dns_fixedname_initname(&fixed1);
+		new_target = dns_fixedname_initname(&fixed2);
+		dns_name_split(name, nlabels, prefix, NULL);
+		result = dns_name_concatenate(prefix, &dname.dname, new_target,
+					      NULL);
+		dns_rdata_freestruct(&dname);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		dns_name_dup(new_target, adb->mctx, target);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Assumes nothing is locked, since this is called by the client.
+ */
+static void
+event_free(isc_event_t *event) {
+	dns_adbfind_t *find;
+
+	INSIST(event != NULL);
+	find = event->ev_destroy_arg;
+	INSIST(DNS_ADBFIND_VALID(find));
+
+	LOCK(&find->lock);
+	find->flags |= FIND_EVENT_FREED;
+	event->ev_destroy_arg = NULL;
+	UNLOCK(&find->lock);
+}
+
+/*
+ * Assumes the name bucket is locked.
+ */
+static void
+clean_finds_at_name(dns_adbname_t *name, isc_eventtype_t evtype,
+		    unsigned int addrs) {
+	isc_event_t *ev;
+	isc_task_t *task;
+	dns_adbfind_t *find;
+	dns_adbfind_t *next_find;
+	bool process;
+	unsigned int wanted, notify;
+
+	DP(ENTER_LEVEL,
+	   "ENTER clean_finds_at_name, name %p, evtype %08x, addrs %08x", name,
+	   evtype, addrs);
+
+	find = ISC_LIST_HEAD(name->finds);
+	while (find != NULL) {
+		LOCK(&find->lock);
+		next_find = ISC_LIST_NEXT(find, plink);
+
+		process = false;
+		wanted = find->flags & DNS_ADBFIND_ADDRESSMASK;
+		notify = wanted & addrs;
+
+		switch (evtype) {
+		case DNS_EVENT_ADBMOREADDRESSES:
+			DP(ISC_LOG_DEBUG(3), "DNS_EVENT_ADBMOREADDRESSES");
+			if ((notify) != 0) {
+				find->flags &= ~addrs;
+				process = true;
+			}
+			break;
+		case DNS_EVENT_ADBNOMOREADDRESSES:
+			DP(ISC_LOG_DEBUG(3), "DNS_EVENT_ADBNOMOREADDRESSES");
+			find->flags &= ~addrs;
+			wanted = find->flags & DNS_ADBFIND_ADDRESSMASK;
+			if (wanted == 0) {
+				process = true;
+			}
+			break;
+		default:
+			find->flags &= ~addrs;
+			process = true;
+		}
+
+		if (process) {
+			DP(DEF_LEVEL, "cfan: processing find %p", find);
+			/*
+			 * Unlink the find from the name, letting the caller
+			 * call dns_adb_destroyfind() on it to clean it up
+			 * later.
+			 */
+			ISC_LIST_UNLINK(name->finds, find, plink);
+			find->adbname = NULL;
+			find->name_bucket = DNS_ADB_INVALIDBUCKET;
+
+			INSIST(!FIND_EVENTSENT(find));
+
+			ev = &find->event;
+			task = ev->ev_sender;
+			ev->ev_sender = find;
+			find->result_v4 = find_err_map[name->fetch_err];
+			find->result_v6 = find_err_map[name->fetch6_err];
+			ev->ev_type = evtype;
+			ev->ev_destroy = event_free;
+			ev->ev_destroy_arg = find;
+
+			DP(DEF_LEVEL, "sending event %p to task %p for find %p",
+			   ev, task, find);
+
+			isc_task_sendanddetach(&task, (isc_event_t **)&ev);
+			find->flags |= FIND_EVENT_SENT;
+		} else {
+			DP(DEF_LEVEL, "cfan: skipping find %p", find);
+		}
+
+		UNLOCK(&find->lock);
+		find = next_find;
+	}
+	DP(ENTER_LEVEL, "EXIT clean_finds_at_name, name %p", name);
+}
+
+static void
+check_exit(dns_adb_t *adb) {
+	isc_event_t *event;
+	/*
+	 * The caller must be holding the adb lock.
+	 */
+	if (adb->shutting_down) {
+		/*
+		 * If there aren't any external references either, we're
+		 * done.  Send the control event to initiate shutdown.
+		 */
+		INSIST(!adb->cevent_out); /* Sanity check. */
+		ISC_EVENT_INIT(&adb->cevent, sizeof(adb->cevent), 0, NULL,
+			       DNS_EVENT_ADBCONTROL, shutdown_task, adb, adb,
+			       NULL, NULL);
+		event = &adb->cevent;
+		isc_task_send(adb->task, &event);
+		adb->cevent_out = true;
+	}
+}
+
+static bool
+dec_adb_irefcnt(dns_adb_t *adb) {
+	isc_event_t *event;
+	isc_task_t *etask;
+	bool result = false;
+
+	LOCK(&adb->reflock);
+
+	INSIST(adb->irefcnt > 0);
+	adb->irefcnt--;
+
+	if (adb->irefcnt == 0) {
+		event = ISC_LIST_HEAD(adb->whenshutdown);
+		while (event != NULL) {
+			ISC_LIST_UNLINK(adb->whenshutdown, event, ev_link);
+			etask = event->ev_sender;
+			event->ev_sender = adb;
+			isc_task_sendanddetach(&etask, &event);
+			event = ISC_LIST_HEAD(adb->whenshutdown);
+		}
+	}
+
+	if (adb->irefcnt == 0 && adb->erefcnt == 0) {
+		result = true;
+	}
+	UNLOCK(&adb->reflock);
+	return (result);
+}
+
+static void
+inc_adb_irefcnt(dns_adb_t *adb) {
+	LOCK(&adb->reflock);
+	adb->irefcnt++;
+	UNLOCK(&adb->reflock);
+}
+
+static void
+inc_adb_erefcnt(dns_adb_t *adb) {
+	LOCK(&adb->reflock);
+	adb->erefcnt++;
+	UNLOCK(&adb->reflock);
+}
+
+static void
+inc_entry_refcnt(dns_adb_t *adb, dns_adbentry_t *entry, bool lock) {
+	int bucket;
+
+	bucket = entry->lock_bucket;
+
+	if (lock) {
+		LOCK(&adb->entrylocks[bucket]);
+	}
+
+	entry->refcnt++;
+
+	if (lock) {
+		UNLOCK(&adb->entrylocks[bucket]);
+	}
+}
+
+static bool
+dec_entry_refcnt(dns_adb_t *adb, bool overmem, dns_adbentry_t *entry,
+		 bool lock) {
+	int bucket;
+	bool destroy_entry;
+	bool result = false;
+
+	bucket = entry->lock_bucket;
+
+	if (lock) {
+		LOCK(&adb->entrylocks[bucket]);
+	}
+
+	INSIST(entry->refcnt > 0);
+	entry->refcnt--;
+
+	destroy_entry = false;
+	if (entry->refcnt == 0 &&
+	    (adb->entry_sd[bucket] || entry->expires == 0 || overmem ||
+	     (entry->flags & ENTRY_IS_DEAD) != 0))
+	{
+		destroy_entry = true;
+		result = unlink_entry(adb, entry);
+	}
+
+	if (lock) {
+		UNLOCK(&adb->entrylocks[bucket]);
+	}
+
+	if (!destroy_entry) {
+		return (result);
+	}
+
+	entry->lock_bucket = DNS_ADB_INVALIDBUCKET;
+
+	free_adbentry(adb, &entry);
+	if (result) {
+		result = dec_adb_irefcnt(adb);
+	}
+
+	return (result);
+}
+
+static dns_adbname_t *
+new_adbname(dns_adb_t *adb, const dns_name_t *dnsname) {
+	dns_adbname_t *name;
+
+	name = isc_mem_get(adb->mctx, sizeof(*name));
+
+	dns_name_init(&name->name, NULL);
+	dns_name_dup(dnsname, adb->mctx, &name->name);
+	dns_name_init(&name->target, NULL);
+	name->magic = DNS_ADBNAME_MAGIC;
+	name->adb = adb;
+	name->partial_result = 0;
+	name->flags = 0;
+	name->expire_v4 = INT_MAX;
+	name->expire_v6 = INT_MAX;
+	name->expire_target = INT_MAX;
+	name->chains = 0;
+	name->lock_bucket = DNS_ADB_INVALIDBUCKET;
+	ISC_LIST_INIT(name->v4);
+	ISC_LIST_INIT(name->v6);
+	name->fetch_a = NULL;
+	name->fetch_aaaa = NULL;
+	name->fetch_err = FIND_ERR_UNEXPECTED;
+	name->fetch6_err = FIND_ERR_UNEXPECTED;
+	ISC_LIST_INIT(name->finds);
+	ISC_LINK_INIT(name, plink);
+
+	LOCK(&adb->namescntlock);
+	adb->namescnt++;
+	inc_adbstats(adb, dns_adbstats_namescnt);
+	if (!adb->grownames_sent && adb->excl != NULL &&
+	    adb->namescnt > (adb->nnames * 8))
+	{
+		isc_event_t *event = &adb->grownames;
+		inc_adb_irefcnt(adb);
+		isc_task_send(adb->excl, &event);
+		adb->grownames_sent = true;
+	}
+	UNLOCK(&adb->namescntlock);
+
+	return (name);
+}
+
+static void
+free_adbname(dns_adb_t *adb, dns_adbname_t **name) {
+	dns_adbname_t *n;
+
+	INSIST(name != NULL && DNS_ADBNAME_VALID(*name));
+	n = *name;
+	*name = NULL;
+
+	INSIST(!NAME_HAS_V4(n));
+	INSIST(!NAME_HAS_V6(n));
+	INSIST(!NAME_FETCH(n));
+	INSIST(ISC_LIST_EMPTY(n->finds));
+	INSIST(!ISC_LINK_LINKED(n, plink));
+	INSIST(n->lock_bucket == DNS_ADB_INVALIDBUCKET);
+	INSIST(n->adb == adb);
+
+	n->magic = 0;
+	dns_name_free(&n->name, adb->mctx);
+
+	isc_mem_put(adb->mctx, n, sizeof(*n));
+	LOCK(&adb->namescntlock);
+	adb->namescnt--;
+	dec_adbstats(adb, dns_adbstats_namescnt);
+	UNLOCK(&adb->namescntlock);
+}
+
+static dns_adbnamehook_t *
+new_adbnamehook(dns_adb_t *adb, dns_adbentry_t *entry) {
+	dns_adbnamehook_t *nh;
+
+	nh = isc_mem_get(adb->mctx, sizeof(*nh));
+	isc_refcount_increment0(&adb->nhrefcnt);
+
+	nh->magic = DNS_ADBNAMEHOOK_MAGIC;
+	nh->entry = entry;
+	ISC_LINK_INIT(nh, plink);
+
+	return (nh);
+}
+
+static void
+free_adbnamehook(dns_adb_t *adb, dns_adbnamehook_t **namehook) {
+	dns_adbnamehook_t *nh;
+
+	INSIST(namehook != NULL && DNS_ADBNAMEHOOK_VALID(*namehook));
+	nh = *namehook;
+	*namehook = NULL;
+
+	INSIST(nh->entry == NULL);
+	INSIST(!ISC_LINK_LINKED(nh, plink));
+
+	nh->magic = 0;
+
+	isc_refcount_decrement(&adb->nhrefcnt);
+	isc_mem_put(adb->mctx, nh, sizeof(*nh));
+}
+
+static dns_adblameinfo_t *
+new_adblameinfo(dns_adb_t *adb, const dns_name_t *qname,
+		dns_rdatatype_t qtype) {
+	dns_adblameinfo_t *li;
+
+	li = isc_mem_get(adb->mctx, sizeof(*li));
+
+	dns_name_init(&li->qname, NULL);
+	dns_name_dup(qname, adb->mctx, &li->qname);
+	li->magic = DNS_ADBLAMEINFO_MAGIC;
+	li->lame_timer = 0;
+	li->qtype = qtype;
+	ISC_LINK_INIT(li, plink);
+
+	return (li);
+}
+
+static void
+free_adblameinfo(dns_adb_t *adb, dns_adblameinfo_t **lameinfo) {
+	dns_adblameinfo_t *li;
+
+	INSIST(lameinfo != NULL && DNS_ADBLAMEINFO_VALID(*lameinfo));
+	li = *lameinfo;
+	*lameinfo = NULL;
+
+	INSIST(!ISC_LINK_LINKED(li, plink));
+
+	dns_name_free(&li->qname, adb->mctx);
+
+	li->magic = 0;
+
+	isc_mem_put(adb->mctx, li, sizeof(*li));
+}
+
+static dns_adbentry_t *
+new_adbentry(dns_adb_t *adb) {
+	dns_adbentry_t *e;
+
+	e = isc_mem_get(adb->mctx, sizeof(*e));
+
+	e->magic = DNS_ADBENTRY_MAGIC;
+	e->lock_bucket = DNS_ADB_INVALIDBUCKET;
+	e->refcnt = 0;
+	e->nh = 0;
+	e->flags = 0;
+	e->udpsize = 0;
+	e->edns = 0;
+	e->completed = 0;
+	e->timeouts = 0;
+	e->plain = 0;
+	e->plainto = 0;
+	e->to4096 = 0;
+	e->to1432 = 0;
+	e->to1232 = 0;
+	e->to512 = 0;
+	e->cookie = NULL;
+	e->cookielen = 0;
+	e->srtt = (isc_random_uniform(0x1f)) + 1;
+	e->lastage = 0;
+	e->expires = 0;
+	atomic_init(&e->active, 0);
+	e->mode = 0;
+	atomic_init(&e->quota, adb->quota);
+	e->atr = 0.0;
+	ISC_LIST_INIT(e->lameinfo);
+	ISC_LINK_INIT(e, plink);
+	LOCK(&adb->entriescntlock);
+	adb->entriescnt++;
+	inc_adbstats(adb, dns_adbstats_entriescnt);
+	if (!adb->growentries_sent && adb->excl != NULL &&
+	    adb->entriescnt > (adb->nentries * 8))
+	{
+		isc_event_t *event = &adb->growentries;
+		inc_adb_irefcnt(adb);
+		isc_task_send(adb->excl, &event);
+		adb->growentries_sent = true;
+	}
+	UNLOCK(&adb->entriescntlock);
+
+	return (e);
+}
+
+static void
+free_adbentry(dns_adb_t *adb, dns_adbentry_t **entry) {
+	dns_adbentry_t *e;
+	dns_adblameinfo_t *li;
+
+	INSIST(entry != NULL && DNS_ADBENTRY_VALID(*entry));
+	e = *entry;
+	*entry = NULL;
+
+	INSIST(e->lock_bucket == DNS_ADB_INVALIDBUCKET);
+	INSIST(e->refcnt == 0);
+	INSIST(!ISC_LINK_LINKED(e, plink));
+
+	e->magic = 0;
+
+	if (e->cookie != NULL) {
+		isc_mem_put(adb->mctx, e->cookie, e->cookielen);
+	}
+
+	li = ISC_LIST_HEAD(e->lameinfo);
+	while (li != NULL) {
+		ISC_LIST_UNLINK(e->lameinfo, li, plink);
+		free_adblameinfo(adb, &li);
+		li = ISC_LIST_HEAD(e->lameinfo);
+	}
+
+	isc_mem_put(adb->mctx, e, sizeof(*e));
+	LOCK(&adb->entriescntlock);
+	adb->entriescnt--;
+	dec_adbstats(adb, dns_adbstats_entriescnt);
+	UNLOCK(&adb->entriescntlock);
+}
+
+static dns_adbfind_t *
+new_adbfind(dns_adb_t *adb) {
+	dns_adbfind_t *h;
+
+	h = isc_mem_get(adb->mctx, sizeof(*h));
+	isc_refcount_increment0(&adb->ahrefcnt);
+
+	/*
+	 * Public members.
+	 */
+	h->magic = 0;
+	h->adb = adb;
+	h->partial_result = 0;
+	h->options = 0;
+	h->flags = 0;
+	h->result_v4 = ISC_R_UNEXPECTED;
+	h->result_v6 = ISC_R_UNEXPECTED;
+	ISC_LINK_INIT(h, publink);
+	ISC_LINK_INIT(h, plink);
+	ISC_LIST_INIT(h->list);
+	h->adbname = NULL;
+	h->name_bucket = DNS_ADB_INVALIDBUCKET;
+
+	/*
+	 * private members
+	 */
+	isc_mutex_init(&h->lock);
+
+	ISC_EVENT_INIT(&h->event, sizeof(isc_event_t), 0, 0, 0, NULL, NULL,
+		       NULL, NULL, h);
+
+	inc_adb_irefcnt(adb);
+	h->magic = DNS_ADBFIND_MAGIC;
+	return (h);
+}
+
+static dns_adbfetch_t *
+new_adbfetch(dns_adb_t *adb) {
+	dns_adbfetch_t *f;
+
+	f = isc_mem_get(adb->mctx, sizeof(*f));
+
+	f->magic = 0;
+	f->fetch = NULL;
+
+	dns_rdataset_init(&f->rdataset);
+
+	f->magic = DNS_ADBFETCH_MAGIC;
+
+	return (f);
+}
+
+static void
+free_adbfetch(dns_adb_t *adb, dns_adbfetch_t **fetch) {
+	dns_adbfetch_t *f;
+
+	INSIST(fetch != NULL && DNS_ADBFETCH_VALID(*fetch));
+	f = *fetch;
+	*fetch = NULL;
+
+	f->magic = 0;
+
+	if (dns_rdataset_isassociated(&f->rdataset)) {
+		dns_rdataset_disassociate(&f->rdataset);
+	}
+
+	isc_mem_put(adb->mctx, f, sizeof(*f));
+}
+
+static bool
+free_adbfind(dns_adb_t *adb, dns_adbfind_t **findp) {
+	dns_adbfind_t *find;
+
+	INSIST(findp != NULL && DNS_ADBFIND_VALID(*findp));
+	find = *findp;
+	*findp = NULL;
+
+	INSIST(!FIND_HAS_ADDRS(find));
+	INSIST(!ISC_LINK_LINKED(find, publink));
+	INSIST(!ISC_LINK_LINKED(find, plink));
+	INSIST(find->name_bucket == DNS_ADB_INVALIDBUCKET);
+	INSIST(find->adbname == NULL);
+
+	find->magic = 0;
+
+	isc_mutex_destroy(&find->lock);
+
+	isc_refcount_decrement(&adb->ahrefcnt);
+	isc_mem_put(adb->mctx, find, sizeof(*find));
+	return (dec_adb_irefcnt(adb));
+}
+
+/*
+ * Copy bits from the entry into the newly allocated addrinfo.  The entry
+ * must be locked, and the reference count must be bumped up by one
+ * if this function returns a valid pointer.
+ */
+static dns_adbaddrinfo_t *
+new_adbaddrinfo(dns_adb_t *adb, dns_adbentry_t *entry, in_port_t port) {
+	dns_adbaddrinfo_t *ai;
+
+	ai = isc_mem_get(adb->mctx, sizeof(*ai));
+
+	ai->magic = DNS_ADBADDRINFO_MAGIC;
+	ai->sockaddr = entry->sockaddr;
+	isc_sockaddr_setport(&ai->sockaddr, port);
+	ai->srtt = entry->srtt;
+	ai->flags = entry->flags;
+	ai->entry = entry;
+	ai->dscp = -1;
+	ISC_LINK_INIT(ai, publink);
+
+	return (ai);
+}
+
+static void
+free_adbaddrinfo(dns_adb_t *adb, dns_adbaddrinfo_t **ainfo) {
+	dns_adbaddrinfo_t *ai;
+
+	INSIST(ainfo != NULL && DNS_ADBADDRINFO_VALID(*ainfo));
+	ai = *ainfo;
+	*ainfo = NULL;
+
+	INSIST(ai->entry == NULL);
+	INSIST(!ISC_LINK_LINKED(ai, publink));
+
+	ai->magic = 0;
+
+	isc_mem_put(adb->mctx, ai, sizeof(*ai));
+}
+
+/*
+ * Search for the name.  NOTE:  The bucket is kept locked on both
+ * success and failure, so it must always be unlocked by the caller!
+ *
+ * On the first call to this function, *bucketp must be set to
+ * DNS_ADB_INVALIDBUCKET.
+ */
+static dns_adbname_t *
+find_name_and_lock(dns_adb_t *adb, const dns_name_t *name, unsigned int options,
+		   int *bucketp) {
+	dns_adbname_t *adbname;
+	int bucket;
+
+	bucket = dns_name_fullhash(name, false) % adb->nnames;
+
+	if (*bucketp == DNS_ADB_INVALIDBUCKET) {
+		LOCK(&adb->namelocks[bucket]);
+		*bucketp = bucket;
+	} else if (*bucketp != bucket) {
+		UNLOCK(&adb->namelocks[*bucketp]);
+		LOCK(&adb->namelocks[bucket]);
+		*bucketp = bucket;
+	}
+
+	adbname = ISC_LIST_HEAD(adb->names[bucket]);
+	while (adbname != NULL) {
+		if (!NAME_DEAD(adbname)) {
+			if (dns_name_equal(name, &adbname->name) &&
+			    GLUEHINT_OK(adbname, options) &&
+			    STARTATZONE_MATCHES(adbname, options))
+			{
+				return (adbname);
+			}
+		}
+		adbname = ISC_LIST_NEXT(adbname, plink);
+	}
+
+	return (NULL);
+}
+
+/*
+ * Search for the address.  NOTE:  The bucket is kept locked on both
+ * success and failure, so it must always be unlocked by the caller.
+ *
+ * On the first call to this function, *bucketp must be set to
+ * DNS_ADB_INVALIDBUCKET.  This will cause a lock to occur.  On
+ * later calls (within the same "lock path") it can be left alone, so
+ * if this function is called multiple times locking is only done if
+ * the bucket changes.
+ */
+static dns_adbentry_t *
+find_entry_and_lock(dns_adb_t *adb, const isc_sockaddr_t *addr, int *bucketp,
+		    isc_stdtime_t now) {
+	dns_adbentry_t *entry, *entry_next;
+	int bucket;
+
+	bucket = isc_sockaddr_hash(addr, true) % adb->nentries;
+
+	if (*bucketp == DNS_ADB_INVALIDBUCKET) {
+		LOCK(&adb->entrylocks[bucket]);
+		*bucketp = bucket;
+	} else if (*bucketp != bucket) {
+		UNLOCK(&adb->entrylocks[*bucketp]);
+		LOCK(&adb->entrylocks[bucket]);
+		*bucketp = bucket;
+	}
+
+	/* Search the list, while cleaning up expired entries. */
+	for (entry = ISC_LIST_HEAD(adb->entries[bucket]); entry != NULL;
+	     entry = entry_next)
+	{
+		entry_next = ISC_LIST_NEXT(entry, plink);
+		(void)check_expire_entry(adb, &entry, now);
+		if (entry != NULL &&
+		    (entry->expires == 0 || entry->expires > now) &&
+		    isc_sockaddr_equal(addr, &entry->sockaddr))
+		{
+			ISC_LIST_UNLINK(adb->entries[bucket], entry, plink);
+			ISC_LIST_PREPEND(adb->entries[bucket], entry, plink);
+			return (entry);
+		}
+	}
+
+	return (NULL);
+}
+
+/*
+ * Entry bucket MUST be locked!
+ */
+static bool
+entry_is_lame(dns_adb_t *adb, dns_adbentry_t *entry, const dns_name_t *qname,
+	      dns_rdatatype_t qtype, isc_stdtime_t now) {
+	dns_adblameinfo_t *li, *next_li;
+	bool is_bad;
+
+	is_bad = false;
+
+	li = ISC_LIST_HEAD(entry->lameinfo);
+	if (li == NULL) {
+		return (false);
+	}
+	while (li != NULL) {
+		next_li = ISC_LIST_NEXT(li, plink);
+
+		/*
+		 * Has the entry expired?
+		 */
+		if (li->lame_timer < now) {
+			ISC_LIST_UNLINK(entry->lameinfo, li, plink);
+			free_adblameinfo(adb, &li);
+		}
+
+		/*
+		 * Order tests from least to most expensive.
+		 *
+		 * We do not break out of the main loop here as
+		 * we use the loop for house keeping.
+		 */
+		if (li != NULL && !is_bad && li->qtype == qtype &&
+		    dns_name_equal(qname, &li->qname))
+		{
+			is_bad = true;
+		}
+
+		li = next_li;
+	}
+
+	return (is_bad);
+}
+
+static void
+log_quota(dns_adbentry_t *entry, const char *fmt, ...) {
+	va_list ap;
+	char msgbuf[2048];
+	char addrbuf[ISC_NETADDR_FORMATSIZE];
+	isc_netaddr_t netaddr;
+
+	va_start(ap, fmt);
+	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
+	va_end(ap);
+
+	isc_netaddr_fromsockaddr(&netaddr, &entry->sockaddr);
+	isc_netaddr_format(&netaddr, addrbuf, sizeof(addrbuf));
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_ADB,
+		      ISC_LOG_INFO,
+		      "adb: quota %s (%" PRIuFAST32 "/%" PRIuFAST32 "): %s",
+		      addrbuf, atomic_load_relaxed(&entry->active),
+		      atomic_load_relaxed(&entry->quota), msgbuf);
+}
+
+static void
+copy_namehook_lists(dns_adb_t *adb, dns_adbfind_t *find,
+		    const dns_name_t *qname, dns_rdatatype_t qtype,
+		    dns_adbname_t *name, isc_stdtime_t now) {
+	dns_adbnamehook_t *namehook;
+	dns_adbaddrinfo_t *addrinfo;
+	dns_adbentry_t *entry;
+	int bucket;
+
+	bucket = DNS_ADB_INVALIDBUCKET;
+
+	if ((find->options & DNS_ADBFIND_INET) != 0) {
+		namehook = ISC_LIST_HEAD(name->v4);
+		while (namehook != NULL) {
+			entry = namehook->entry;
+			bucket = entry->lock_bucket;
+			INSIST(bucket != DNS_ADB_INVALIDBUCKET);
+			LOCK(&adb->entrylocks[bucket]);
+
+			if (dns_adbentry_overquota(entry)) {
+				find->options |= (DNS_ADBFIND_LAMEPRUNED |
+						  DNS_ADBFIND_OVERQUOTA);
+				goto nextv4;
+			}
+
+			if (!FIND_RETURNLAME(find) &&
+			    entry_is_lame(adb, entry, qname, qtype, now))
+			{
+				find->options |= DNS_ADBFIND_LAMEPRUNED;
+				goto nextv4;
+			}
+			addrinfo = new_adbaddrinfo(adb, entry, find->port);
+			if (addrinfo == NULL) {
+				find->partial_result |= DNS_ADBFIND_INET;
+				goto out;
+			}
+			/*
+			 * Found a valid entry.  Add it to the find's list.
+			 */
+			inc_entry_refcnt(adb, entry, false);
+			ISC_LIST_APPEND(find->list, addrinfo, publink);
+			addrinfo = NULL;
+		nextv4:
+			UNLOCK(&adb->entrylocks[bucket]);
+			bucket = DNS_ADB_INVALIDBUCKET;
+			namehook = ISC_LIST_NEXT(namehook, plink);
+		}
+	}
+
+	if ((find->options & DNS_ADBFIND_INET6) != 0) {
+		namehook = ISC_LIST_HEAD(name->v6);
+		while (namehook != NULL) {
+			entry = namehook->entry;
+			bucket = entry->lock_bucket;
+			INSIST(bucket != DNS_ADB_INVALIDBUCKET);
+			LOCK(&adb->entrylocks[bucket]);
+
+			if (dns_adbentry_overquota(entry)) {
+				find->options |= (DNS_ADBFIND_LAMEPRUNED |
+						  DNS_ADBFIND_OVERQUOTA);
+				goto nextv6;
+			}
+
+			if (!FIND_RETURNLAME(find) &&
+			    entry_is_lame(adb, entry, qname, qtype, now))
+			{
+				find->options |= DNS_ADBFIND_LAMEPRUNED;
+				goto nextv6;
+			}
+			addrinfo = new_adbaddrinfo(adb, entry, find->port);
+			if (addrinfo == NULL) {
+				find->partial_result |= DNS_ADBFIND_INET6;
+				goto out;
+			}
+			/*
+			 * Found a valid entry.  Add it to the find's list.
+			 */
+			inc_entry_refcnt(adb, entry, false);
+			ISC_LIST_APPEND(find->list, addrinfo, publink);
+			addrinfo = NULL;
+		nextv6:
+			UNLOCK(&adb->entrylocks[bucket]);
+			bucket = DNS_ADB_INVALIDBUCKET;
+			namehook = ISC_LIST_NEXT(namehook, plink);
+		}
+	}
+
+out:
+	if (bucket != DNS_ADB_INVALIDBUCKET) {
+		UNLOCK(&adb->entrylocks[bucket]);
+	}
+}
+
+static void
+shutdown_task(isc_task_t *task, isc_event_t *ev) {
+	dns_adb_t *adb;
+
+	UNUSED(task);
+
+	adb = ev->ev_arg;
+	INSIST(DNS_ADB_VALID(adb));
+
+	isc_event_free(&ev);
+	/*
+	 * Wait for lock around check_exit() call to be released.
+	 */
+	LOCK(&adb->lock);
+	UNLOCK(&adb->lock);
+	destroy(adb);
+}
+
+/*
+ * Name bucket must be locked; adb may be locked; no other locks held.
+ */
+static bool
+check_expire_name(dns_adbname_t **namep, isc_stdtime_t now) {
+	dns_adbname_t *name;
+	bool result = false;
+
+	INSIST(namep != NULL && DNS_ADBNAME_VALID(*namep));
+	name = *namep;
+
+	if (NAME_HAS_V4(name) || NAME_HAS_V6(name)) {
+		return (result);
+	}
+	if (NAME_FETCH(name)) {
+		return (result);
+	}
+	if (!EXPIRE_OK(name->expire_v4, now)) {
+		return (result);
+	}
+	if (!EXPIRE_OK(name->expire_v6, now)) {
+		return (result);
+	}
+	if (!EXPIRE_OK(name->expire_target, now)) {
+		return (result);
+	}
+
+	/*
+	 * The name is empty.  Delete it.
+	 */
+	*namep = NULL;
+	result = kill_name(&name, DNS_EVENT_ADBEXPIRED);
+
+	/*
+	 * Our caller, or one of its callers, will be calling check_exit() at
+	 * some point, so we don't need to do it here.
+	 */
+	return (result);
+}
+
+/*%
+ * Examine the tail entry of the LRU list to see if it expires or is stale
+ * (unused for some period); if so, the name entry will be freed.  If the ADB
+ * is in the overmem condition, the tail and the next to tail entries
+ * will be unconditionally removed (unless they have an outstanding fetch).
+ * We don't care about a race on 'overmem' at the risk of causing some
+ * collateral damage or a small delay in starting cleanup, so we don't bother
+ * to lock ADB (if it's not locked).
+ *
+ * Name bucket must be locked; adb may be locked; no other locks held.
+ */
+static void
+check_stale_name(dns_adb_t *adb, int bucket, isc_stdtime_t now) {
+	int victims, max_victims;
+	dns_adbname_t *victim, *next_victim;
+	bool overmem = isc_mem_isovermem(adb->mctx);
+	int scans = 0;
+
+	INSIST(bucket != DNS_ADB_INVALIDBUCKET);
+
+	max_victims = overmem ? 2 : 1;
+
+	/*
+	 * We limit the number of scanned entries to 10 (arbitrary choice)
+	 * in order to avoid examining too many entries when there are many
+	 * tail entries that have fetches (this should be rare, but could
+	 * happen).
+	 */
+	victim = ISC_LIST_TAIL(adb->names[bucket]);
+	for (victims = 0; victim != NULL && victims < max_victims && scans < 10;
+	     victim = next_victim)
+	{
+		INSIST(!NAME_DEAD(victim));
+		scans++;
+		next_victim = ISC_LIST_PREV(victim, plink);
+		(void)check_expire_name(&victim, now);
+		if (victim == NULL) {
+			victims++;
+			goto next;
+		}
+
+		if (!NAME_FETCH(victim) &&
+		    (overmem || victim->last_used + ADB_STALE_MARGIN <= now))
+		{
+			RUNTIME_CHECK(
+				!kill_name(&victim, DNS_EVENT_ADBCANCELED));
+			victims++;
+		}
+
+	next:
+		if (!overmem) {
+			break;
+		}
+	}
+}
+
+/*
+ * Entry bucket must be locked; adb may be locked; no other locks held.
+ */
+static bool
+check_expire_entry(dns_adb_t *adb, dns_adbentry_t **entryp, isc_stdtime_t now) {
+	dns_adbentry_t *entry;
+	bool result = false;
+
+	INSIST(entryp != NULL && DNS_ADBENTRY_VALID(*entryp));
+	entry = *entryp;
+
+	if (entry->refcnt != 0) {
+		return (result);
+	}
+
+	if (entry->expires == 0 || entry->expires > now) {
+		return (result);
+	}
+
+	/*
+	 * The entry is not in use.  Delete it.
+	 */
+	*entryp = NULL;
+	DP(DEF_LEVEL, "killing entry %p", entry);
+	INSIST(ISC_LINK_LINKED(entry, plink));
+	result = unlink_entry(adb, entry);
+	free_adbentry(adb, &entry);
+	if (result) {
+		dec_adb_irefcnt(adb);
+	}
+	return (result);
+}
+
+/*
+ * ADB must be locked, and no other locks held.
+ */
+static bool
+cleanup_names(dns_adb_t *adb, int bucket, isc_stdtime_t now) {
+	dns_adbname_t *name;
+	dns_adbname_t *next_name;
+	bool result = false;
+
+	DP(CLEAN_LEVEL, "cleaning name bucket %d", bucket);
+
+	LOCK(&adb->namelocks[bucket]);
+	if (adb->name_sd[bucket]) {
+		UNLOCK(&adb->namelocks[bucket]);
+		return (result);
+	}
+
+	name = ISC_LIST_HEAD(adb->names[bucket]);
+	while (name != NULL) {
+		next_name = ISC_LIST_NEXT(name, plink);
+		INSIST(!result);
+		result = check_expire_namehooks(name, now);
+		if (!result) {
+			result = check_expire_name(&name, now);
+		}
+		name = next_name;
+	}
+	UNLOCK(&adb->namelocks[bucket]);
+	return (result);
+}
+
+/*
+ * ADB must be locked, and no other locks held.
+ */
+static bool
+cleanup_entries(dns_adb_t *adb, int bucket, isc_stdtime_t now) {
+	dns_adbentry_t *entry, *next_entry;
+	bool result = false;
+
+	DP(CLEAN_LEVEL, "cleaning entry bucket %d", bucket);
+
+	LOCK(&adb->entrylocks[bucket]);
+	entry = ISC_LIST_HEAD(adb->entries[bucket]);
+	while (entry != NULL) {
+		next_entry = ISC_LIST_NEXT(entry, plink);
+		INSIST(!result);
+		result = check_expire_entry(adb, &entry, now);
+		entry = next_entry;
+	}
+	UNLOCK(&adb->entrylocks[bucket]);
+	return (result);
+}
+
+static void
+destroy(dns_adb_t *adb) {
+	adb->magic = 0;
+
+	isc_task_detach(&adb->task);
+	if (adb->excl != NULL) {
+		isc_task_detach(&adb->excl);
+	}
+
+	isc_mutexblock_destroy(adb->entrylocks, adb->nentries);
+	isc_mem_put(adb->mctx, adb->entries,
+		    sizeof(*adb->entries) * adb->nentries);
+	isc_mem_put(adb->mctx, adb->deadentries,
+		    sizeof(*adb->deadentries) * adb->nentries);
+	isc_mem_put(adb->mctx, adb->entrylocks,
+		    sizeof(*adb->entrylocks) * adb->nentries);
+	isc_mem_put(adb->mctx, adb->entry_sd,
+		    sizeof(*adb->entry_sd) * adb->nentries);
+	isc_mem_put(adb->mctx, adb->entry_refcnt,
+		    sizeof(*adb->entry_refcnt) * adb->nentries);
+
+	isc_mutexblock_destroy(adb->namelocks, adb->nnames);
+	isc_mem_put(adb->mctx, adb->names, sizeof(*adb->names) * adb->nnames);
+	isc_mem_put(adb->mctx, adb->deadnames,
+		    sizeof(*adb->deadnames) * adb->nnames);
+	isc_mem_put(adb->mctx, adb->namelocks,
+		    sizeof(*adb->namelocks) * adb->nnames);
+	isc_mem_put(adb->mctx, adb->name_sd,
+		    sizeof(*adb->name_sd) * adb->nnames);
+	isc_mem_put(adb->mctx, adb->name_refcnt,
+		    sizeof(*adb->name_refcnt) * adb->nnames);
+
+	isc_mutex_destroy(&adb->reflock);
+	isc_mutex_destroy(&adb->lock);
+	isc_mutex_destroy(&adb->overmemlock);
+	isc_mutex_destroy(&adb->entriescntlock);
+	isc_mutex_destroy(&adb->namescntlock);
+
+	isc_mem_putanddetach(&adb->mctx, adb, sizeof(dns_adb_t));
+}
+
+/*
+ * Public functions.
+ */
+
+isc_result_t
+dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr,
+	       isc_taskmgr_t *taskmgr, dns_adb_t **newadb) {
+	dns_adb_t *adb;
+	isc_result_t result;
+	unsigned int i;
+
+	REQUIRE(mem != NULL);
+	REQUIRE(view != NULL);
+	REQUIRE(timermgr != NULL); /* this is actually unused */
+	REQUIRE(taskmgr != NULL);
+	REQUIRE(newadb != NULL && *newadb == NULL);
+
+	UNUSED(timermgr);
+
+	adb = isc_mem_get(mem, sizeof(dns_adb_t));
+
+	/*
+	 * Initialize things here that cannot fail, and especially things
+	 * that must be NULL for the error return to work properly.
+	 */
+	adb->magic = 0;
+	adb->erefcnt = 1;
+	adb->irefcnt = 0;
+	adb->task = NULL;
+	adb->excl = NULL;
+	adb->mctx = NULL;
+	adb->view = view;
+	adb->taskmgr = taskmgr;
+	adb->next_cleanbucket = 0;
+	ISC_EVENT_INIT(&adb->cevent, sizeof(adb->cevent), 0, NULL, 0, NULL,
+		       NULL, NULL, NULL, NULL);
+	adb->cevent_out = false;
+	adb->shutting_down = false;
+	ISC_LIST_INIT(adb->whenshutdown);
+
+	adb->nentries = nbuckets[0];
+	adb->entriescnt = 0;
+	adb->entries = NULL;
+	adb->deadentries = NULL;
+	adb->entry_sd = NULL;
+	adb->entry_refcnt = NULL;
+	adb->entrylocks = NULL;
+	ISC_EVENT_INIT(&adb->growentries, sizeof(adb->growentries), 0, NULL,
+		       DNS_EVENT_ADBGROWENTRIES, grow_entries, adb, adb, NULL,
+		       NULL);
+	adb->growentries_sent = false;
+
+	adb->quota = 0;
+	adb->atr_freq = 0;
+	adb->atr_low = 0.0;
+	adb->atr_high = 0.0;
+	adb->atr_discount = 0.0;
+
+	adb->nnames = nbuckets[0];
+	adb->namescnt = 0;
+	adb->names = NULL;
+	adb->deadnames = NULL;
+	adb->name_sd = NULL;
+	adb->name_refcnt = NULL;
+	adb->namelocks = NULL;
+	ISC_EVENT_INIT(&adb->grownames, sizeof(adb->grownames), 0, NULL,
+		       DNS_EVENT_ADBGROWNAMES, grow_names, adb, adb, NULL,
+		       NULL);
+	adb->grownames_sent = false;
+
+	result = isc_taskmgr_excltask(adb->taskmgr, &adb->excl);
+	if (result != ISC_R_SUCCESS) {
+		DP(DEF_LEVEL,
+		   "adb: task-exclusive mode unavailable, "
+		   "initializing table sizes to %u\n",
+		   nbuckets[11]);
+		adb->nentries = nbuckets[11];
+		adb->nnames = nbuckets[11];
+	}
+
+	isc_mem_attach(mem, &adb->mctx);
+
+	isc_mutex_init(&adb->lock);
+	isc_mutex_init(&adb->reflock);
+	isc_mutex_init(&adb->overmemlock);
+	isc_mutex_init(&adb->entriescntlock);
+	isc_mutex_init(&adb->namescntlock);
+
+#define ALLOCENTRY(adb, el)                                                    \
+	do {                                                                   \
+		(adb)->el = isc_mem_get((adb)->mctx,                           \
+					sizeof(*(adb)->el) * (adb)->nentries); \
+	} while (0)
+	ALLOCENTRY(adb, entries);
+	ALLOCENTRY(adb, deadentries);
+	ALLOCENTRY(adb, entrylocks);
+	ALLOCENTRY(adb, entry_sd);
+	ALLOCENTRY(adb, entry_refcnt);
+#undef ALLOCENTRY
+
+#define ALLOCNAME(adb, el)                                                   \
+	do {                                                                 \
+		(adb)->el = isc_mem_get((adb)->mctx,                         \
+					sizeof(*(adb)->el) * (adb)->nnames); \
+	} while (0)
+	ALLOCNAME(adb, names);
+	ALLOCNAME(adb, deadnames);
+	ALLOCNAME(adb, namelocks);
+	ALLOCNAME(adb, name_sd);
+	ALLOCNAME(adb, name_refcnt);
+#undef ALLOCNAME
+
+	/*
+	 * Initialize the bucket locks for names and elements.
+	 * May as well initialize the list heads, too.
+	 */
+	isc_mutexblock_init(adb->namelocks, adb->nnames);
+
+	for (i = 0; i < adb->nnames; i++) {
+		ISC_LIST_INIT(adb->names[i]);
+		ISC_LIST_INIT(adb->deadnames[i]);
+		adb->name_sd[i] = false;
+		adb->name_refcnt[i] = 0;
+		adb->irefcnt++;
+	}
+	for (i = 0; i < adb->nentries; i++) {
+		ISC_LIST_INIT(adb->entries[i]);
+		ISC_LIST_INIT(adb->deadentries[i]);
+		adb->entry_sd[i] = false;
+		adb->entry_refcnt[i] = 0;
+		adb->irefcnt++;
+	}
+	isc_mutexblock_init(adb->entrylocks, adb->nentries);
+
+	isc_refcount_init(&adb->ahrefcnt, 0);
+	isc_refcount_init(&adb->nhrefcnt, 0);
+
+	/*
+	 * Allocate an internal task.
+	 */
+	result = isc_task_create(adb->taskmgr, 0, &adb->task);
+	if (result != ISC_R_SUCCESS) {
+		goto fail2;
+	}
+
+	isc_task_setname(adb->task, "ADB", adb);
+
+	result = isc_stats_create(adb->mctx, &view->adbstats, dns_adbstats_max);
+	if (result != ISC_R_SUCCESS) {
+		goto fail2;
+	}
+
+	set_adbstat(adb, adb->nentries, dns_adbstats_nentries);
+	set_adbstat(adb, adb->nnames, dns_adbstats_nnames);
+
+	/*
+	 * Normal return.
+	 */
+	adb->magic = DNS_ADB_MAGIC;
+	*newadb = adb;
+	return (ISC_R_SUCCESS);
+
+fail2:
+	if (adb->task != NULL) {
+		isc_task_detach(&adb->task);
+	}
+
+	/* clean up entrylocks */
+	isc_mutexblock_destroy(adb->entrylocks, adb->nentries);
+	isc_mutexblock_destroy(adb->namelocks, adb->nnames);
+
+	if (adb->entries != NULL) {
+		isc_mem_put(adb->mctx, adb->entries,
+			    sizeof(*adb->entries) * adb->nentries);
+	}
+	if (adb->deadentries != NULL) {
+		isc_mem_put(adb->mctx, adb->deadentries,
+			    sizeof(*adb->deadentries) * adb->nentries);
+	}
+	if (adb->entrylocks != NULL) {
+		isc_mem_put(adb->mctx, adb->entrylocks,
+			    sizeof(*adb->entrylocks) * adb->nentries);
+	}
+	if (adb->entry_sd != NULL) {
+		isc_mem_put(adb->mctx, adb->entry_sd,
+			    sizeof(*adb->entry_sd) * adb->nentries);
+	}
+	if (adb->entry_refcnt != NULL) {
+		isc_mem_put(adb->mctx, adb->entry_refcnt,
+			    sizeof(*adb->entry_refcnt) * adb->nentries);
+	}
+	if (adb->names != NULL) {
+		isc_mem_put(adb->mctx, adb->names,
+			    sizeof(*adb->names) * adb->nnames);
+	}
+	if (adb->deadnames != NULL) {
+		isc_mem_put(adb->mctx, adb->deadnames,
+			    sizeof(*adb->deadnames) * adb->nnames);
+	}
+	if (adb->namelocks != NULL) {
+		isc_mem_put(adb->mctx, adb->namelocks,
+			    sizeof(*adb->namelocks) * adb->nnames);
+	}
+	if (adb->name_sd != NULL) {
+		isc_mem_put(adb->mctx, adb->name_sd,
+			    sizeof(*adb->name_sd) * adb->nnames);
+	}
+	if (adb->name_refcnt != NULL) {
+		isc_mem_put(adb->mctx, adb->name_refcnt,
+			    sizeof(*adb->name_refcnt) * adb->nnames);
+	}
+
+	isc_mutex_destroy(&adb->namescntlock);
+	isc_mutex_destroy(&adb->entriescntlock);
+	isc_mutex_destroy(&adb->overmemlock);
+	isc_mutex_destroy(&adb->reflock);
+	isc_mutex_destroy(&adb->lock);
+	if (adb->excl != NULL) {
+		isc_task_detach(&adb->excl);
+	}
+	isc_mem_putanddetach(&adb->mctx, adb, sizeof(dns_adb_t));
+
+	return (result);
+}
+
+void
+dns_adb_attach(dns_adb_t *adb, dns_adb_t **adbx) {
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(adbx != NULL && *adbx == NULL);
+
+	inc_adb_erefcnt(adb);
+	*adbx = adb;
+}
+
+void
+dns_adb_detach(dns_adb_t **adbx) {
+	dns_adb_t *adb;
+	bool need_exit_check;
+
+	REQUIRE(adbx != NULL && DNS_ADB_VALID(*adbx));
+
+	adb = *adbx;
+	*adbx = NULL;
+
+	LOCK(&adb->reflock);
+	INSIST(adb->erefcnt > 0);
+	adb->erefcnt--;
+	need_exit_check = (adb->erefcnt == 0 && adb->irefcnt == 0);
+	UNLOCK(&adb->reflock);
+
+	if (need_exit_check) {
+		LOCK(&adb->lock);
+		INSIST(adb->shutting_down);
+		check_exit(adb);
+		UNLOCK(&adb->lock);
+	}
+}
+
+void
+dns_adb_whenshutdown(dns_adb_t *adb, isc_task_t *task, isc_event_t **eventp) {
+	isc_task_t *tclone;
+	isc_event_t *event;
+	bool zeroirefcnt;
+
+	/*
+	 * Send '*eventp' to 'task' when 'adb' has shutdown.
+	 */
+
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(eventp != NULL);
+
+	event = *eventp;
+	*eventp = NULL;
+
+	LOCK(&adb->lock);
+	LOCK(&adb->reflock);
+
+	zeroirefcnt = (adb->irefcnt == 0);
+
+	if (adb->shutting_down && zeroirefcnt &&
+	    isc_refcount_current(&adb->ahrefcnt) == 0)
+	{
+		/*
+		 * We're already shutdown.  Send the event.
+		 */
+		event->ev_sender = adb;
+		isc_task_send(task, &event);
+	} else {
+		tclone = NULL;
+		isc_task_attach(task, &tclone);
+		event->ev_sender = tclone;
+		ISC_LIST_APPEND(adb->whenshutdown, event, ev_link);
+	}
+
+	UNLOCK(&adb->reflock);
+	UNLOCK(&adb->lock);
+}
+
+static void
+shutdown_stage2(isc_task_t *task, isc_event_t *event) {
+	dns_adb_t *adb;
+
+	UNUSED(task);
+
+	adb = event->ev_arg;
+	INSIST(DNS_ADB_VALID(adb));
+
+	LOCK(&adb->lock);
+	INSIST(adb->shutting_down);
+	adb->cevent_out = false;
+	(void)shutdown_names(adb);
+	(void)shutdown_entries(adb);
+	if (dec_adb_irefcnt(adb)) {
+		check_exit(adb);
+	}
+	UNLOCK(&adb->lock);
+}
+
+void
+dns_adb_shutdown(dns_adb_t *adb) {
+	isc_event_t *event;
+
+	/*
+	 * Shutdown 'adb'.
+	 */
+
+	LOCK(&adb->lock);
+
+	if (!adb->shutting_down) {
+		adb->shutting_down = true;
+		isc_mem_setwater(adb->mctx, water, adb, 0, 0);
+		/*
+		 * Isolate shutdown_names and shutdown_entries calls.
+		 */
+		inc_adb_irefcnt(adb);
+		ISC_EVENT_INIT(&adb->cevent, sizeof(adb->cevent), 0, NULL,
+			       DNS_EVENT_ADBCONTROL, shutdown_stage2, adb, adb,
+			       NULL, NULL);
+		adb->cevent_out = true;
+		event = &adb->cevent;
+		isc_task_send(adb->task, &event);
+	}
+
+	UNLOCK(&adb->lock);
+}
+
+isc_result_t
+dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
+		   void *arg, const dns_name_t *name, const dns_name_t *qname,
+		   dns_rdatatype_t qtype, unsigned int options,
+		   isc_stdtime_t now, dns_name_t *target, in_port_t port,
+		   unsigned int depth, isc_counter_t *qc,
+		   dns_adbfind_t **findp) {
+	dns_adbfind_t *find;
+	dns_adbname_t *adbname;
+	int bucket;
+	bool want_event, start_at_zone, alias, have_address;
+	isc_result_t result;
+	unsigned int wanted_addresses;
+	unsigned int wanted_fetches;
+	unsigned int query_pending;
+	char namebuf[DNS_NAME_FORMATSIZE];
+
+	REQUIRE(DNS_ADB_VALID(adb));
+	if (task != NULL) {
+		REQUIRE(action != NULL);
+	}
+	REQUIRE(name != NULL);
+	REQUIRE(qname != NULL);
+	REQUIRE(findp != NULL && *findp == NULL);
+	REQUIRE(target == NULL || dns_name_hasbuffer(target));
+
+	REQUIRE((options & DNS_ADBFIND_ADDRESSMASK) != 0);
+
+	result = ISC_R_UNEXPECTED;
+	POST(result);
+	wanted_addresses = (options & DNS_ADBFIND_ADDRESSMASK);
+	wanted_fetches = 0;
+	query_pending = 0;
+	want_event = false;
+	start_at_zone = false;
+	alias = false;
+
+	if (now == 0) {
+		isc_stdtime_get(&now);
+	}
+
+	/*
+	 * XXXMLG  Move this comment somewhere else!
+	 *
+	 * Look up the name in our internal database.
+	 *
+	 * Possibilities:  Note that these are not always exclusive.
+	 *
+	 *      No name found.  In this case, allocate a new name header and
+	 *      an initial namehook or two.  If any of these allocations
+	 *      fail, clean up and return ISC_R_NOMEMORY.
+	 *
+	 *      Name found, valid addresses present.  Allocate one addrinfo
+	 *      structure for each found and append it to the linked list
+	 *      of addresses for this header.
+	 *
+	 *      Name found, queries pending.  In this case, if a task was
+	 *      passed in, allocate a job id, attach it to the name's job
+	 *      list and remember to tell the caller that there will be
+	 *      more info coming later.
+	 */
+
+	find = new_adbfind(adb);
+	if (find == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	find->port = port;
+
+	/*
+	 * Remember what types of addresses we are interested in.
+	 */
+	find->options = options;
+	find->flags |= wanted_addresses;
+	if (FIND_WANTEVENT(find)) {
+		REQUIRE(task != NULL);
+	}
+
+	if (isc_log_wouldlog(dns_lctx, DEF_LEVEL)) {
+		dns_name_format(name, namebuf, sizeof(namebuf));
+	} else {
+		namebuf[0] = 0;
+	}
+
+	/*
+	 * Try to see if we know anything about this name at all.
+	 */
+	bucket = DNS_ADB_INVALIDBUCKET;
+	adbname = find_name_and_lock(adb, name, find->options, &bucket);
+	INSIST(bucket != DNS_ADB_INVALIDBUCKET);
+	if (adb->name_sd[bucket]) {
+		DP(DEF_LEVEL, "dns_adb_createfind: returning "
+			      "ISC_R_SHUTTINGDOWN");
+		RUNTIME_CHECK(!free_adbfind(adb, &find));
+		result = ISC_R_SHUTTINGDOWN;
+		goto out;
+	}
+
+	/*
+	 * Nothing found.  Allocate a new adbname structure for this name.
+	 */
+	if (adbname == NULL) {
+		/*
+		 * See if there is any stale name at the end of list, and purge
+		 * it if so.
+		 */
+		check_stale_name(adb, bucket, now);
+
+		adbname = new_adbname(adb, name);
+		if (adbname == NULL) {
+			RUNTIME_CHECK(!free_adbfind(adb, &find));
+			result = ISC_R_NOMEMORY;
+			goto out;
+		}
+		link_name(adb, bucket, adbname);
+		if (FIND_HINTOK(find)) {
+			adbname->flags |= NAME_HINT_OK;
+		}
+		if (FIND_GLUEOK(find)) {
+			adbname->flags |= NAME_GLUE_OK;
+		}
+		if (FIND_STARTATZONE(find)) {
+			adbname->flags |= NAME_STARTATZONE;
+		}
+	} else {
+		/* Move this name forward in the LRU list */
+		ISC_LIST_UNLINK(adb->names[bucket], adbname, plink);
+		ISC_LIST_PREPEND(adb->names[bucket], adbname, plink);
+	}
+	adbname->last_used = now;
+
+	/*
+	 * Expire old entries, etc.
+	 */
+	RUNTIME_CHECK(!check_expire_namehooks(adbname, now));
+
+	/*
+	 * Do we know that the name is an alias?
+	 */
+	if (!EXPIRE_OK(adbname->expire_target, now)) {
+		/*
+		 * Yes, it is.
+		 */
+		DP(DEF_LEVEL,
+		   "dns_adb_createfind: name %s (%p) is an alias (cached)",
+		   namebuf, adbname);
+		alias = true;
+		goto post_copy;
+	}
+
+	/*
+	 * Try to populate the name from the database and/or
+	 * start fetches.  First try looking for an A record
+	 * in the database.
+	 */
+	if (!NAME_HAS_V4(adbname) && EXPIRE_OK(adbname->expire_v4, now) &&
+	    WANT_INET(wanted_addresses))
+	{
+		result = dbfind_name(adbname, now, dns_rdatatype_a);
+		if (result == ISC_R_SUCCESS) {
+			DP(DEF_LEVEL,
+			   "dns_adb_createfind: found A for name %s (%p) in db",
+			   namebuf, adbname);
+			goto v6;
+		}
+
+		/*
+		 * Did we get a CNAME or DNAME?
+		 */
+		if (result == DNS_R_ALIAS) {
+			DP(DEF_LEVEL,
+			   "dns_adb_createfind: name %s (%p) is an alias",
+			   namebuf, adbname);
+			alias = true;
+			goto post_copy;
+		}
+
+		/*
+		 * If the name doesn't exist at all, don't bother with
+		 * v6 queries; they won't work.
+		 *
+		 * If the name does exist but we didn't get our data, go
+		 * ahead and try AAAA.
+		 *
+		 * If the result is neither of these, try a fetch for A.
+		 */
+		if (NXDOMAIN_RESULT(result)) {
+			goto fetch;
+		} else if (NXRRSET_RESULT(result)) {
+			goto v6;
+		}
+
+		if (!NAME_FETCH_V4(adbname)) {
+			wanted_fetches |= DNS_ADBFIND_INET;
+		}
+	}
+
+v6:
+	if (!NAME_HAS_V6(adbname) && EXPIRE_OK(adbname->expire_v6, now) &&
+	    WANT_INET6(wanted_addresses))
+	{
+		result = dbfind_name(adbname, now, dns_rdatatype_aaaa);
+		if (result == ISC_R_SUCCESS) {
+			DP(DEF_LEVEL,
+			   "dns_adb_createfind: found AAAA for name %s (%p)",
+			   namebuf, adbname);
+			goto fetch;
+		}
+
+		/*
+		 * Did we get a CNAME or DNAME?
+		 */
+		if (result == DNS_R_ALIAS) {
+			DP(DEF_LEVEL,
+			   "dns_adb_createfind: name %s (%p) is an alias",
+			   namebuf, adbname);
+			alias = true;
+			goto post_copy;
+		}
+
+		/*
+		 * Listen to negative cache hints, and don't start
+		 * another query.
+		 */
+		if (NCACHE_RESULT(result) || AUTH_NX(result)) {
+			goto fetch;
+		}
+
+		if (!NAME_FETCH_V6(adbname)) {
+			wanted_fetches |= DNS_ADBFIND_INET6;
+		}
+	}
+
+fetch:
+	if ((WANT_INET(wanted_addresses) && NAME_HAS_V4(adbname)) ||
+	    (WANT_INET6(wanted_addresses) && NAME_HAS_V6(adbname)))
+	{
+		have_address = true;
+	} else {
+		have_address = false;
+	}
+	if (wanted_fetches != 0 && !(FIND_AVOIDFETCHES(find) && have_address) &&
+	    !FIND_NOFETCH(find))
+	{
+		/*
+		 * We're missing at least one address family.  Either the
+		 * caller hasn't instructed us to avoid fetches, or we don't
+		 * know anything about any of the address families that would
+		 * be acceptable so we have to launch fetches.
+		 */
+
+		if (FIND_STARTATZONE(find)) {
+			start_at_zone = true;
+		}
+
+		/*
+		 * Start V4.
+		 */
+		if (WANT_INET(wanted_fetches) &&
+		    fetch_name(adbname, start_at_zone, depth, qc,
+			       dns_rdatatype_a) == ISC_R_SUCCESS)
+		{
+			DP(DEF_LEVEL,
+			   "dns_adb_createfind: "
+			   "started A fetch for name %s (%p)",
+			   namebuf, adbname);
+		}
+
+		/*
+		 * Start V6.
+		 */
+		if (WANT_INET6(wanted_fetches) &&
+		    fetch_name(adbname, start_at_zone, depth, qc,
+			       dns_rdatatype_aaaa) == ISC_R_SUCCESS)
+		{
+			DP(DEF_LEVEL,
+			   "dns_adb_createfind: "
+			   "started AAAA fetch for name %s (%p)",
+			   namebuf, adbname);
+		}
+	}
+
+	/*
+	 * Run through the name and copy out the bits we are
+	 * interested in.
+	 */
+	copy_namehook_lists(adb, find, qname, qtype, adbname, now);
+
+post_copy:
+	if (NAME_FETCH_V4(adbname)) {
+		query_pending |= DNS_ADBFIND_INET;
+	}
+	if (NAME_FETCH_V6(adbname)) {
+		query_pending |= DNS_ADBFIND_INET6;
+	}
+
+	/*
+	 * Attach to the name's query list if there are queries
+	 * already running, and we have been asked to.
+	 */
+	want_event = true;
+	if (!FIND_WANTEVENT(find)) {
+		want_event = false;
+	}
+	if (FIND_WANTEMPTYEVENT(find) && FIND_HAS_ADDRS(find)) {
+		want_event = false;
+	}
+	if ((wanted_addresses & query_pending) == 0) {
+		want_event = false;
+	}
+	if (alias) {
+		want_event = false;
+	}
+	if (want_event) {
+		find->adbname = adbname;
+		find->name_bucket = bucket;
+		bool empty = ISC_LIST_EMPTY(adbname->finds);
+		ISC_LIST_APPEND(adbname->finds, find, plink);
+		find->query_pending = (query_pending & wanted_addresses);
+		find->flags &= ~DNS_ADBFIND_ADDRESSMASK;
+		find->flags |= (find->query_pending & DNS_ADBFIND_ADDRESSMASK);
+		DP(DEF_LEVEL,
+		   "createfind: attaching find %p to adbname "
+		   "%p %d",
+		   find, adbname, empty);
+	} else {
+		/*
+		 * Remove the flag so the caller knows there will never
+		 * be an event, and set internal flags to fake that
+		 * the event was sent and freed, so dns_adb_destroyfind() will
+		 * do the right thing.
+		 */
+		find->query_pending = (query_pending & wanted_addresses);
+		find->options &= ~DNS_ADBFIND_WANTEVENT;
+		find->flags |= (FIND_EVENT_SENT | FIND_EVENT_FREED);
+		find->flags &= ~DNS_ADBFIND_ADDRESSMASK;
+	}
+
+	find->partial_result |= (adbname->partial_result & wanted_addresses);
+	if (alias) {
+		if (target != NULL) {
+			dns_name_copynf(&adbname->target, target);
+		}
+		result = DNS_R_ALIAS;
+	} else {
+		result = ISC_R_SUCCESS;
+	}
+
+	/*
+	 * Copy out error flags from the name structure into the find.
+	 */
+	find->result_v4 = find_err_map[adbname->fetch_err];
+	find->result_v6 = find_err_map[adbname->fetch6_err];
+
+out:
+	if (find != NULL) {
+		*findp = find;
+
+		if (want_event) {
+			isc_task_t *taskp;
+
+			INSIST((find->flags & DNS_ADBFIND_ADDRESSMASK) != 0);
+			taskp = NULL;
+			isc_task_attach(task, &taskp);
+			find->event.ev_sender = taskp;
+			find->event.ev_action = action;
+			find->event.ev_arg = arg;
+		}
+	}
+
+	UNLOCK(&adb->namelocks[bucket]);
+
+	return (result);
+}
+
+void
+dns_adb_destroyfind(dns_adbfind_t **findp) {
+	dns_adbfind_t *find;
+	dns_adbentry_t *entry;
+	dns_adbaddrinfo_t *ai;
+	int bucket;
+	dns_adb_t *adb;
+	bool overmem;
+
+	REQUIRE(findp != NULL && DNS_ADBFIND_VALID(*findp));
+	find = *findp;
+	*findp = NULL;
+
+	LOCK(&find->lock);
+
+	DP(DEF_LEVEL, "dns_adb_destroyfind on find %p", find);
+
+	adb = find->adb;
+	REQUIRE(DNS_ADB_VALID(adb));
+
+	REQUIRE(FIND_EVENTFREED(find));
+
+	bucket = find->name_bucket;
+	INSIST(bucket == DNS_ADB_INVALIDBUCKET);
+
+	UNLOCK(&find->lock);
+
+	/*
+	 * The find doesn't exist on any list, and nothing is locked.
+	 * Return the find to the memory pool, and decrement the adb's
+	 * reference count.
+	 */
+	overmem = isc_mem_isovermem(adb->mctx);
+	ai = ISC_LIST_HEAD(find->list);
+	while (ai != NULL) {
+		ISC_LIST_UNLINK(find->list, ai, publink);
+		entry = ai->entry;
+		ai->entry = NULL;
+		INSIST(DNS_ADBENTRY_VALID(entry));
+		RUNTIME_CHECK(!dec_entry_refcnt(adb, overmem, entry, true));
+		free_adbaddrinfo(adb, &ai);
+		ai = ISC_LIST_HEAD(find->list);
+	}
+
+	/*
+	 * WARNING:  The find is freed with the adb locked.  This is done
+	 * to avoid a race condition where we free the find, some other
+	 * thread tests to see if it should be destroyed, detects it should
+	 * be, destroys it, and then we try to lock it for our check, but the
+	 * lock is destroyed.
+	 */
+	LOCK(&adb->lock);
+	if (free_adbfind(adb, &find)) {
+		check_exit(adb);
+	}
+	UNLOCK(&adb->lock);
+}
+
+void
+dns_adb_cancelfind(dns_adbfind_t *find) {
+	isc_event_t *ev;
+	isc_task_t *task;
+	dns_adb_t *adb;
+	int bucket;
+	int unlock_bucket;
+
+	LOCK(&find->lock);
+
+	DP(DEF_LEVEL, "dns_adb_cancelfind on find %p", find);
+
+	adb = find->adb;
+	REQUIRE(DNS_ADB_VALID(adb));
+
+	REQUIRE(!FIND_EVENTFREED(find));
+	REQUIRE(FIND_WANTEVENT(find));
+
+	bucket = find->name_bucket;
+	if (bucket == DNS_ADB_INVALIDBUCKET) {
+		goto cleanup;
+	}
+
+	/*
+	 * We need to get the adbname's lock to unlink the find.
+	 */
+	unlock_bucket = bucket;
+	violate_locking_hierarchy(&find->lock, &adb->namelocks[unlock_bucket]);
+	bucket = find->name_bucket;
+	if (bucket != DNS_ADB_INVALIDBUCKET) {
+		ISC_LIST_UNLINK(find->adbname->finds, find, plink);
+		find->adbname = NULL;
+		find->name_bucket = DNS_ADB_INVALIDBUCKET;
+	}
+	UNLOCK(&adb->namelocks[unlock_bucket]);
+	bucket = DNS_ADB_INVALIDBUCKET;
+	POST(bucket);
+
+cleanup:
+
+	if (!FIND_EVENTSENT(find)) {
+		ev = &find->event;
+		task = ev->ev_sender;
+		ev->ev_sender = find;
+		ev->ev_type = DNS_EVENT_ADBCANCELED;
+		ev->ev_destroy = event_free;
+		ev->ev_destroy_arg = find;
+		find->result_v4 = ISC_R_CANCELED;
+		find->result_v6 = ISC_R_CANCELED;
+
+		DP(DEF_LEVEL, "sending event %p to task %p for find %p", ev,
+		   task, find);
+
+		isc_task_sendanddetach(&task, (isc_event_t **)&ev);
+	}
+
+	UNLOCK(&find->lock);
+}
+
+void
+dns_adb_dump(dns_adb_t *adb, FILE *f) {
+	unsigned int i;
+	isc_stdtime_t now;
+
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(f != NULL);
+
+	/*
+	 * Lock the adb itself, lock all the name buckets, then lock all
+	 * the entry buckets.  This should put the adb into a state where
+	 * nothing can change, so we can iterate through everything and
+	 * print at our leisure.
+	 */
+
+	LOCK(&adb->lock);
+	isc_stdtime_get(&now);
+
+	for (i = 0; i < adb->nnames; i++) {
+		RUNTIME_CHECK(!cleanup_names(adb, i, now));
+	}
+	for (i = 0; i < adb->nentries; i++) {
+		RUNTIME_CHECK(!cleanup_entries(adb, i, now));
+	}
+
+	dump_adb(adb, f, false, now);
+	UNLOCK(&adb->lock);
+}
+
+static void
+dump_ttl(FILE *f, const char *legend, isc_stdtime_t value, isc_stdtime_t now) {
+	if (value == INT_MAX) {
+		return;
+	}
+	fprintf(f, " [%s TTL %d]", legend, (int)(value - now));
+}
+
+static void
+dump_adb(dns_adb_t *adb, FILE *f, bool debug, isc_stdtime_t now) {
+	dns_adbname_t *name;
+	dns_adbentry_t *entry;
+
+	fprintf(f, ";\n; Address database dump\n;\n");
+	fprintf(f, "; [edns success/4096 timeout/1432 timeout/1232 timeout/"
+		   "512 timeout]\n");
+	fprintf(f, "; [plain success/timeout]\n;\n");
+	if (debug) {
+		LOCK(&adb->reflock);
+		fprintf(f,
+			"; addr %p, erefcnt %u, irefcnt %u, finds out "
+			"%" PRIuFAST32 "\n",
+			adb, adb->erefcnt, adb->irefcnt,
+			isc_refcount_current(&adb->nhrefcnt));
+		UNLOCK(&adb->reflock);
+	}
+
+/*
+ * In TSAN mode we need to lock the locks individually, as TSAN
+ * can't handle more than 64 locks locked by one thread.
+ * In regular mode we want a consistent dump so we need to
+ * lock everything.
+ */
+#ifndef __SANITIZE_THREAD__
+	for (size_t i = 0; i < adb->nnames; i++) {
+		LOCK(&adb->namelocks[i]);
+	}
+	for (size_t i = 0; i < adb->nentries; i++) {
+		LOCK(&adb->entrylocks[i]);
+	}
+#endif /* ifndef __SANITIZE_THREAD__ */
+
+	/*
+	 * Dump the names
+	 */
+	for (size_t i = 0; i < adb->nnames; i++) {
+#ifdef __SANITIZE_THREAD__
+		LOCK(&adb->namelocks[i]);
+#endif /* ifdef __SANITIZE_THREAD__ */
+		name = ISC_LIST_HEAD(adb->names[i]);
+		if (name == NULL) {
+#ifdef __SANITIZE_THREAD__
+			UNLOCK(&adb->namelocks[i]);
+#endif /* ifdef __SANITIZE_THREAD__ */
+			continue;
+		}
+		if (debug) {
+			fprintf(f, "; bucket %zu\n", i);
+		}
+		for (; name != NULL; name = ISC_LIST_NEXT(name, plink)) {
+			if (debug) {
+				fprintf(f, "; name %p (flags %08x)\n", name,
+					name->flags);
+			}
+			fprintf(f, "; ");
+			print_dns_name(f, &name->name);
+			if (dns_name_countlabels(&name->target) > 0) {
+				fprintf(f, " alias ");
+				print_dns_name(f, &name->target);
+			}
+
+			dump_ttl(f, "v4", name->expire_v4, now);
+			dump_ttl(f, "v6", name->expire_v6, now);
+			dump_ttl(f, "target", name->expire_target, now);
+
+			fprintf(f, " [v4 %s] [v6 %s]",
+				errnames[name->fetch_err],
+				errnames[name->fetch6_err]);
+
+			fprintf(f, "\n");
+
+			print_namehook_list(f, "v4", adb, &name->v4, debug,
+					    now);
+			print_namehook_list(f, "v6", adb, &name->v6, debug,
+					    now);
+
+			if (debug) {
+				print_fetch_list(f, name);
+				print_find_list(f, name);
+			}
+		}
+#ifdef __SANITIZE_THREAD__
+		UNLOCK(&adb->namelocks[i]);
+#endif /* ifdef __SANITIZE_THREAD__ */
+	}
+
+	fprintf(f, ";\n; Unassociated entries\n;\n");
+
+	for (size_t i = 0; i < adb->nentries; i++) {
+#ifdef __SANITIZE_THREAD__
+		LOCK(&adb->entrylocks[i]);
+#endif /* ifdef __SANITIZE_THREAD__ */
+		entry = ISC_LIST_HEAD(adb->entries[i]);
+		while (entry != NULL) {
+			if (entry->nh == 0) {
+				dump_entry(f, adb, entry, debug, now);
+			}
+			entry = ISC_LIST_NEXT(entry, plink);
+		}
+#ifdef __SANITIZE_THREAD__
+		UNLOCK(&adb->entrylocks[i]);
+#endif /* ifdef __SANITIZE_THREAD__ */
+	}
+
+#ifndef __SANITIZE_THREAD__
+	/*
+	 * Unlock everything
+	 */
+	for (ssize_t i = adb->nentries - 1; i >= 0; i--) {
+		UNLOCK(&adb->entrylocks[i]);
+	}
+	for (ssize_t i = adb->nnames - 1; i >= 0; i--) {
+		UNLOCK(&adb->namelocks[i]);
+	}
+#endif /* ifndef __SANITIZE_THREAD__ */
+}
+
+static void
+dump_entry(FILE *f, dns_adb_t *adb, dns_adbentry_t *entry, bool debug,
+	   isc_stdtime_t now) {
+	char addrbuf[ISC_NETADDR_FORMATSIZE];
+	char typebuf[DNS_RDATATYPE_FORMATSIZE];
+	isc_netaddr_t netaddr;
+	dns_adblameinfo_t *li;
+
+	isc_netaddr_fromsockaddr(&netaddr, &entry->sockaddr);
+	isc_netaddr_format(&netaddr, addrbuf, sizeof(addrbuf));
+
+	if (debug) {
+		fprintf(f, ";\t%p: refcnt %u\n", entry, entry->refcnt);
+	}
+
+	fprintf(f,
+		";\t%s [srtt %u] [flags %08x] [edns %u/%u/%u/%u/%u] "
+		"[plain %u/%u]",
+		addrbuf, entry->srtt, entry->flags, entry->edns, entry->to4096,
+		entry->to1432, entry->to1232, entry->to512, entry->plain,
+		entry->plainto);
+	if (entry->udpsize != 0U) {
+		fprintf(f, " [udpsize %u]", entry->udpsize);
+	}
+	if (entry->cookie != NULL) {
+		unsigned int i;
+		fprintf(f, " [cookie=");
+		for (i = 0; i < entry->cookielen; i++) {
+			fprintf(f, "%02x", entry->cookie[i]);
+		}
+		fprintf(f, "]");
+	}
+	if (entry->expires != 0) {
+		fprintf(f, " [ttl %d]", (int)(entry->expires - now));
+	}
+
+	if (adb != NULL && adb->quota != 0 && adb->atr_freq != 0) {
+		uint_fast32_t quota = atomic_load_relaxed(&entry->quota);
+		fprintf(f, " [atr %0.2f] [quota %" PRIuFAST32 "]", entry->atr,
+			quota);
+	}
+
+	fprintf(f, "\n");
+	for (li = ISC_LIST_HEAD(entry->lameinfo); li != NULL;
+	     li = ISC_LIST_NEXT(li, plink))
+	{
+		fprintf(f, ";\t\t");
+		print_dns_name(f, &li->qname);
+		dns_rdatatype_format(li->qtype, typebuf, sizeof(typebuf));
+		fprintf(f, " %s [lame TTL %d]\n", typebuf,
+			(int)(li->lame_timer - now));
+	}
+}
+
+void
+dns_adb_dumpfind(dns_adbfind_t *find, FILE *f) {
+	char tmp[512];
+	const char *tmpp;
+	dns_adbaddrinfo_t *ai;
+	isc_sockaddr_t *sa;
+
+	/*
+	 * Not used currently, in the API Just In Case we
+	 * want to dump out the name and/or entries too.
+	 */
+
+	LOCK(&find->lock);
+
+	fprintf(f, ";Find %p\n", find);
+	fprintf(f, ";\tqpending %08x partial %08x options %08x flags %08x\n",
+		find->query_pending, find->partial_result, find->options,
+		find->flags);
+	fprintf(f, ";\tname_bucket %d, name %p, event sender %p\n",
+		find->name_bucket, find->adbname, find->event.ev_sender);
+
+	ai = ISC_LIST_HEAD(find->list);
+	if (ai != NULL) {
+		fprintf(f, "\tAddresses:\n");
+	}
+	while (ai != NULL) {
+		sa = &ai->sockaddr;
+		switch (sa->type.sa.sa_family) {
+		case AF_INET:
+			tmpp = inet_ntop(AF_INET, &sa->type.sin.sin_addr, tmp,
+					 sizeof(tmp));
+			break;
+		case AF_INET6:
+			tmpp = inet_ntop(AF_INET6, &sa->type.sin6.sin6_addr,
+					 tmp, sizeof(tmp));
+			break;
+		default:
+			tmpp = "UnkFamily";
+		}
+
+		if (tmpp == NULL) {
+			tmpp = "BadAddress";
+		}
+
+		fprintf(f,
+			"\t\tentry %p, flags %08x"
+			" srtt %u addr %s\n",
+			ai->entry, ai->flags, ai->srtt, tmpp);
+
+		ai = ISC_LIST_NEXT(ai, publink);
+	}
+
+	UNLOCK(&find->lock);
+}
+
+static void
+print_dns_name(FILE *f, const dns_name_t *name) {
+	char buf[DNS_NAME_FORMATSIZE];
+
+	INSIST(f != NULL);
+
+	dns_name_format(name, buf, sizeof(buf));
+	fprintf(f, "%s", buf);
+}
+
+static void
+print_namehook_list(FILE *f, const char *legend, dns_adb_t *adb,
+		    dns_adbnamehooklist_t *list, bool debug,
+		    isc_stdtime_t now) {
+	dns_adbnamehook_t *nh;
+
+	for (nh = ISC_LIST_HEAD(*list); nh != NULL;
+	     nh = ISC_LIST_NEXT(nh, plink))
+	{
+		if (debug) {
+			fprintf(f, ";\tHook(%s) %p\n", legend, nh);
+		}
+#ifdef __SANITIZE_THREAD__
+		LOCK(&adb->entrylocks[nh->entry->lock_bucket]);
+#endif
+		dump_entry(f, adb, nh->entry, debug, now);
+#ifdef __SANITIZE_THREAD__
+		UNLOCK(&adb->entrylocks[nh->entry->lock_bucket]);
+#endif
+	}
+}
+
+static void
+print_fetch(FILE *f, dns_adbfetch_t *ft, const char *type) {
+	fprintf(f, "\t\tFetch(%s): %p -> { fetch %p }\n", type, ft, ft->fetch);
+}
+
+static void
+print_fetch_list(FILE *f, dns_adbname_t *n) {
+	if (NAME_FETCH_A(n)) {
+		print_fetch(f, n->fetch_a, "A");
+	}
+	if (NAME_FETCH_AAAA(n)) {
+		print_fetch(f, n->fetch_aaaa, "AAAA");
+	}
+}
+
+static void
+print_find_list(FILE *f, dns_adbname_t *name) {
+	dns_adbfind_t *find;
+
+	find = ISC_LIST_HEAD(name->finds);
+	while (find != NULL) {
+		dns_adb_dumpfind(find, f);
+		find = ISC_LIST_NEXT(find, plink);
+	}
+}
+
+static isc_result_t
+dbfind_name(dns_adbname_t *adbname, isc_stdtime_t now, dns_rdatatype_t rdtype) {
+	isc_result_t result;
+	dns_rdataset_t rdataset;
+	dns_adb_t *adb;
+	dns_fixedname_t foundname;
+	dns_name_t *fname;
+
+	INSIST(DNS_ADBNAME_VALID(adbname));
+	adb = adbname->adb;
+	INSIST(DNS_ADB_VALID(adb));
+	INSIST(rdtype == dns_rdatatype_a || rdtype == dns_rdatatype_aaaa);
+
+	fname = dns_fixedname_initname(&foundname);
+	dns_rdataset_init(&rdataset);
+
+	if (rdtype == dns_rdatatype_a) {
+		adbname->fetch_err = FIND_ERR_UNEXPECTED;
+	} else {
+		adbname->fetch6_err = FIND_ERR_UNEXPECTED;
+	}
+
+	/*
+	 * We need to specify whether to search static-stub zones (if
+	 * configured) depending on whether this is a "start at zone" lookup,
+	 * i.e., whether it's a "bailiwick" glue.  If it's bailiwick (in which
+	 * case NAME_STARTATZONE is set) we need to stop the search at any
+	 * matching static-stub zone without looking into the cache to honor
+	 * the configuration on which server we should send queries to.
+	 */
+	result = dns_view_find(adb->view, &adbname->name, rdtype, now,
+			       NAME_GLUEOK(adbname) ? DNS_DBFIND_GLUEOK : 0,
+			       NAME_HINTOK(adbname),
+			       ((adbname->flags & NAME_STARTATZONE) != 0), NULL,
+			       NULL, fname, &rdataset, NULL);
+
+	/* XXXVIX this switch statement is too sparse to gen a jump table. */
+	switch (result) {
+	case DNS_R_GLUE:
+	case DNS_R_HINT:
+	case ISC_R_SUCCESS:
+		/*
+		 * Found in the database.  Even if we can't copy out
+		 * any information, return success, or else a fetch
+		 * will be made, which will only make things worse.
+		 */
+		if (rdtype == dns_rdatatype_a) {
+			adbname->fetch_err = FIND_ERR_SUCCESS;
+		} else {
+			adbname->fetch6_err = FIND_ERR_SUCCESS;
+		}
+		result = import_rdataset(adbname, &rdataset, now);
+		break;
+	case DNS_R_NXDOMAIN:
+	case DNS_R_NXRRSET:
+		/*
+		 * We're authoritative and the data doesn't exist.
+		 * Make up a negative cache entry so we don't ask again
+		 * for a while.
+		 *
+		 * XXXRTH  What time should we use?  I'm putting in 30 seconds
+		 * for now.
+		 */
+		if (rdtype == dns_rdatatype_a) {
+			adbname->expire_v4 = now + 30;
+			DP(NCACHE_LEVEL,
+			   "adb name %p: Caching auth negative entry for A",
+			   adbname);
+			if (result == DNS_R_NXDOMAIN) {
+				adbname->fetch_err = FIND_ERR_NXDOMAIN;
+			} else {
+				adbname->fetch_err = FIND_ERR_NXRRSET;
+			}
+		} else {
+			DP(NCACHE_LEVEL,
+			   "adb name %p: Caching auth negative entry for AAAA",
+			   adbname);
+			adbname->expire_v6 = now + 30;
+			if (result == DNS_R_NXDOMAIN) {
+				adbname->fetch6_err = FIND_ERR_NXDOMAIN;
+			} else {
+				adbname->fetch6_err = FIND_ERR_NXRRSET;
+			}
+		}
+		break;
+	case DNS_R_NCACHENXDOMAIN:
+	case DNS_R_NCACHENXRRSET:
+		/*
+		 * We found a negative cache entry.  Pull the TTL from it
+		 * so we won't ask again for a while.
+		 */
+		rdataset.ttl = ttlclamp(rdataset.ttl);
+		if (rdtype == dns_rdatatype_a) {
+			adbname->expire_v4 = rdataset.ttl + now;
+			if (result == DNS_R_NCACHENXDOMAIN) {
+				adbname->fetch_err = FIND_ERR_NXDOMAIN;
+			} else {
+				adbname->fetch_err = FIND_ERR_NXRRSET;
+			}
+			DP(NCACHE_LEVEL,
+			   "adb name %p: Caching negative entry for A (ttl %u)",
+			   adbname, rdataset.ttl);
+		} else {
+			DP(NCACHE_LEVEL,
+			   "adb name %p: Caching negative entry for AAAA (ttl "
+			   "%u)",
+			   adbname, rdataset.ttl);
+			adbname->expire_v6 = rdataset.ttl + now;
+			if (result == DNS_R_NCACHENXDOMAIN) {
+				adbname->fetch6_err = FIND_ERR_NXDOMAIN;
+			} else {
+				adbname->fetch6_err = FIND_ERR_NXRRSET;
+			}
+		}
+		break;
+	case DNS_R_CNAME:
+	case DNS_R_DNAME:
+		/*
+		 * Clear the hint and glue flags, so this will match
+		 * more often.
+		 */
+		adbname->flags &= ~(DNS_ADBFIND_GLUEOK | DNS_ADBFIND_HINTOK);
+
+		rdataset.ttl = ttlclamp(rdataset.ttl);
+		clean_target(adb, &adbname->target);
+		adbname->expire_target = INT_MAX;
+		result = set_target(adb, &adbname->name, fname, &rdataset,
+				    &adbname->target);
+		if (result == ISC_R_SUCCESS) {
+			result = DNS_R_ALIAS;
+			DP(NCACHE_LEVEL, "adb name %p: caching alias target",
+			   adbname);
+			adbname->expire_target = rdataset.ttl + now;
+		}
+		if (rdtype == dns_rdatatype_a) {
+			adbname->fetch_err = FIND_ERR_SUCCESS;
+		} else {
+			adbname->fetch6_err = FIND_ERR_SUCCESS;
+		}
+		break;
+	}
+
+	if (dns_rdataset_isassociated(&rdataset)) {
+		dns_rdataset_disassociate(&rdataset);
+	}
+
+	return (result);
+}
+
+static void
+fetch_callback(isc_task_t *task, isc_event_t *ev) {
+	dns_fetchevent_t *dev;
+	dns_adbname_t *name;
+	dns_adb_t *adb;
+	dns_adbfetch_t *fetch;
+	int bucket;
+	isc_eventtype_t ev_status;
+	isc_stdtime_t now;
+	isc_result_t result;
+	unsigned int address_type;
+	bool want_check_exit = false;
+
+	UNUSED(task);
+
+	INSIST(ev->ev_type == DNS_EVENT_FETCHDONE);
+	dev = (dns_fetchevent_t *)ev;
+	name = ev->ev_arg;
+	INSIST(DNS_ADBNAME_VALID(name));
+	adb = name->adb;
+	INSIST(DNS_ADB_VALID(adb));
+
+	bucket = name->lock_bucket;
+	LOCK(&adb->namelocks[bucket]);
+
+	INSIST(NAME_FETCH_A(name) || NAME_FETCH_AAAA(name));
+	address_type = 0;
+	if (NAME_FETCH_A(name) && (name->fetch_a->fetch == dev->fetch)) {
+		address_type = DNS_ADBFIND_INET;
+		fetch = name->fetch_a;
+		name->fetch_a = NULL;
+	} else if (NAME_FETCH_AAAA(name) &&
+		   (name->fetch_aaaa->fetch == dev->fetch))
+	{
+		address_type = DNS_ADBFIND_INET6;
+		fetch = name->fetch_aaaa;
+		name->fetch_aaaa = NULL;
+	} else {
+		fetch = NULL;
+	}
+
+	INSIST(address_type != 0 && fetch != NULL);
+
+	dns_resolver_destroyfetch(&fetch->fetch);
+	dev->fetch = NULL;
+
+	ev_status = DNS_EVENT_ADBNOMOREADDRESSES;
+
+	/*
+	 * Cleanup things we don't care about.
+	 */
+	if (dev->node != NULL) {
+		dns_db_detachnode(dev->db, &dev->node);
+	}
+	if (dev->db != NULL) {
+		dns_db_detach(&dev->db);
+	}
+
+	/*
+	 * If this name is marked as dead, clean up, throwing away
+	 * potentially good data.
+	 */
+	if (NAME_DEAD(name)) {
+		free_adbfetch(adb, &fetch);
+		isc_event_free(&ev);
+
+		want_check_exit = kill_name(&name, DNS_EVENT_ADBCANCELED);
+
+		UNLOCK(&adb->namelocks[bucket]);
+
+		if (want_check_exit) {
+			LOCK(&adb->lock);
+			check_exit(adb);
+			UNLOCK(&adb->lock);
+		}
+
+		return;
+	}
+
+	isc_stdtime_get(&now);
+
+	/*
+	 * If we got a negative cache response, remember it.
+	 */
+	if (NCACHE_RESULT(dev->result)) {
+		dev->rdataset->ttl = ttlclamp(dev->rdataset->ttl);
+		if (address_type == DNS_ADBFIND_INET) {
+			DP(NCACHE_LEVEL,
+			   "adb fetch name %p: "
+			   "caching negative entry for A (ttl %u)",
+			   name, dev->rdataset->ttl);
+			name->expire_v4 = ISC_MIN(name->expire_v4,
+						  dev->rdataset->ttl + now);
+			if (dev->result == DNS_R_NCACHENXDOMAIN) {
+				name->fetch_err = FIND_ERR_NXDOMAIN;
+			} else {
+				name->fetch_err = FIND_ERR_NXRRSET;
+			}
+			inc_stats(adb, dns_resstatscounter_gluefetchv4fail);
+		} else {
+			DP(NCACHE_LEVEL,
+			   "adb fetch name %p: "
+			   "caching negative entry for AAAA (ttl %u)",
+			   name, dev->rdataset->ttl);
+			name->expire_v6 = ISC_MIN(name->expire_v6,
+						  dev->rdataset->ttl + now);
+			if (dev->result == DNS_R_NCACHENXDOMAIN) {
+				name->fetch6_err = FIND_ERR_NXDOMAIN;
+			} else {
+				name->fetch6_err = FIND_ERR_NXRRSET;
+			}
+			inc_stats(adb, dns_resstatscounter_gluefetchv6fail);
+		}
+		goto out;
+	}
+
+	/*
+	 * Handle CNAME/DNAME.
+	 */
+	if (dev->result == DNS_R_CNAME || dev->result == DNS_R_DNAME) {
+		dev->rdataset->ttl = ttlclamp(dev->rdataset->ttl);
+		clean_target(adb, &name->target);
+		name->expire_target = INT_MAX;
+		result = set_target(adb, &name->name,
+				    dns_fixedname_name(&dev->foundname),
+				    dev->rdataset, &name->target);
+		if (result == ISC_R_SUCCESS) {
+			DP(NCACHE_LEVEL,
+			   "adb fetch name %p: caching alias target", name);
+			name->expire_target = dev->rdataset->ttl + now;
+		}
+		goto check_result;
+	}
+
+	/*
+	 * Did we get back junk?  If so, and there are no more fetches
+	 * sitting out there, tell all the finds about it.
+	 */
+	if (dev->result != ISC_R_SUCCESS) {
+		char buf[DNS_NAME_FORMATSIZE];
+
+		dns_name_format(&name->name, buf, sizeof(buf));
+		DP(DEF_LEVEL, "adb: fetch of '%s' %s failed: %s", buf,
+		   address_type == DNS_ADBFIND_INET ? "A" : "AAAA",
+		   dns_result_totext(dev->result));
+		/*
+		 * Don't record a failure unless this is the initial
+		 * fetch of a chain.
+		 */
+		if (fetch->depth > 1) {
+			goto out;
+		}
+		/* XXXMLG Don't pound on bad servers. */
+		if (address_type == DNS_ADBFIND_INET) {
+			name->expire_v4 = ISC_MIN(name->expire_v4, now + 10);
+			name->fetch_err = FIND_ERR_FAILURE;
+			inc_stats(adb, dns_resstatscounter_gluefetchv4fail);
+		} else {
+			name->expire_v6 = ISC_MIN(name->expire_v6, now + 10);
+			name->fetch6_err = FIND_ERR_FAILURE;
+			inc_stats(adb, dns_resstatscounter_gluefetchv6fail);
+		}
+		goto out;
+	}
+
+	/*
+	 * We got something potentially useful.
+	 */
+	result = import_rdataset(name, &fetch->rdataset, now);
+
+check_result:
+	if (result == ISC_R_SUCCESS) {
+		ev_status = DNS_EVENT_ADBMOREADDRESSES;
+		if (address_type == DNS_ADBFIND_INET) {
+			name->fetch_err = FIND_ERR_SUCCESS;
+		} else {
+			name->fetch6_err = FIND_ERR_SUCCESS;
+		}
+	}
+
+out:
+	free_adbfetch(adb, &fetch);
+	isc_event_free(&ev);
+
+	clean_finds_at_name(name, ev_status, address_type);
+
+	UNLOCK(&adb->namelocks[bucket]);
+}
+
+static isc_result_t
+fetch_name(dns_adbname_t *adbname, bool start_at_zone, unsigned int depth,
+	   isc_counter_t *qc, dns_rdatatype_t type) {
+	isc_result_t result;
+	dns_adbfetch_t *fetch = NULL;
+	dns_adb_t *adb;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	dns_rdataset_t rdataset;
+	dns_rdataset_t *nameservers;
+	unsigned int options;
+
+	INSIST(DNS_ADBNAME_VALID(adbname));
+	adb = adbname->adb;
+	INSIST(DNS_ADB_VALID(adb));
+
+	INSIST((type == dns_rdatatype_a && !NAME_FETCH_V4(adbname)) ||
+	       (type == dns_rdatatype_aaaa && !NAME_FETCH_V6(adbname)));
+
+	adbname->fetch_err = FIND_ERR_NOTFOUND;
+
+	name = NULL;
+	nameservers = NULL;
+	dns_rdataset_init(&rdataset);
+
+	options = DNS_FETCHOPT_NOVALIDATE;
+	if (start_at_zone) {
+		DP(ENTER_LEVEL, "fetch_name: starting at zone for name %p",
+		   adbname);
+		name = dns_fixedname_initname(&fixed);
+		result = dns_view_findzonecut(adb->view, &adbname->name, name,
+					      NULL, 0, 0, true, false,
+					      &rdataset, NULL);
+		if (result != ISC_R_SUCCESS && result != DNS_R_HINT) {
+			goto cleanup;
+		}
+		nameservers = &rdataset;
+		options |= DNS_FETCHOPT_UNSHARED;
+	}
+
+	fetch = new_adbfetch(adb);
+	if (fetch == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+	fetch->depth = depth;
+
+	/*
+	 * We're not minimizing this query, as nothing user-related should
+	 * be leaked here.
+	 * However, if we'd ever want to change it we'd have to modify
+	 * createfetch to find deepest cached name when we're providing
+	 * domain and nameservers.
+	 */
+	result = dns_resolver_createfetch(
+		adb->view->resolver, &adbname->name, type, name, nameservers,
+		NULL, NULL, 0, options, depth, qc, adb->task, fetch_callback,
+		adbname, &fetch->rdataset, NULL, &fetch->fetch);
+	if (result != ISC_R_SUCCESS) {
+		DP(ENTER_LEVEL, "fetch_name: createfetch failed with %s",
+		   isc_result_totext(result));
+		goto cleanup;
+	}
+
+	if (type == dns_rdatatype_a) {
+		adbname->fetch_a = fetch;
+		inc_stats(adb, dns_resstatscounter_gluefetchv4);
+	} else {
+		adbname->fetch_aaaa = fetch;
+		inc_stats(adb, dns_resstatscounter_gluefetchv6);
+	}
+	fetch = NULL; /* Keep us from cleaning this up below. */
+
+cleanup:
+	if (fetch != NULL) {
+		free_adbfetch(adb, &fetch);
+	}
+	if (dns_rdataset_isassociated(&rdataset)) {
+		dns_rdataset_disassociate(&rdataset);
+	}
+
+	return (result);
+}
+
+/*
+ * XXXMLG Needs to take a find argument and an address info, no zone or adb,
+ * since these can be extracted from the find itself.
+ */
+isc_result_t
+dns_adb_marklame(dns_adb_t *adb, dns_adbaddrinfo_t *addr,
+		 const dns_name_t *qname, dns_rdatatype_t qtype,
+		 isc_stdtime_t expire_time) {
+	dns_adblameinfo_t *li;
+	int bucket;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(DNS_ADBADDRINFO_VALID(addr));
+	REQUIRE(qname != NULL);
+
+	bucket = addr->entry->lock_bucket;
+	LOCK(&adb->entrylocks[bucket]);
+	li = ISC_LIST_HEAD(addr->entry->lameinfo);
+	while (li != NULL &&
+	       (li->qtype != qtype || !dns_name_equal(qname, &li->qname)))
+	{
+		li = ISC_LIST_NEXT(li, plink);
+	}
+	if (li != NULL) {
+		if (expire_time > li->lame_timer) {
+			li->lame_timer = expire_time;
+		}
+		goto unlock;
+	}
+	li = new_adblameinfo(adb, qname, qtype);
+	if (li == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto unlock;
+	}
+
+	li->lame_timer = expire_time;
+
+	ISC_LIST_PREPEND(addr->entry->lameinfo, li, plink);
+unlock:
+	UNLOCK(&adb->entrylocks[bucket]);
+
+	return (result);
+}
+
+void
+dns_adb_adjustsrtt(dns_adb_t *adb, dns_adbaddrinfo_t *addr, unsigned int rtt,
+		   unsigned int factor) {
+	int bucket;
+	isc_stdtime_t now = 0;
+
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(DNS_ADBADDRINFO_VALID(addr));
+	REQUIRE(factor <= 10);
+
+	bucket = addr->entry->lock_bucket;
+	LOCK(&adb->entrylocks[bucket]);
+
+	if (addr->entry->expires == 0 || factor == DNS_ADB_RTTADJAGE) {
+		isc_stdtime_get(&now);
+	}
+	adjustsrtt(addr, rtt, factor, now);
+
+	UNLOCK(&adb->entrylocks[bucket]);
+}
+
+void
+dns_adb_agesrtt(dns_adb_t *adb, dns_adbaddrinfo_t *addr, isc_stdtime_t now) {
+	int bucket;
+
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(DNS_ADBADDRINFO_VALID(addr));
+
+	bucket = addr->entry->lock_bucket;
+	LOCK(&adb->entrylocks[bucket]);
+
+	adjustsrtt(addr, 0, DNS_ADB_RTTADJAGE, now);
+
+	UNLOCK(&adb->entrylocks[bucket]);
+}
+
+static void
+adjustsrtt(dns_adbaddrinfo_t *addr, unsigned int rtt, unsigned int factor,
+	   isc_stdtime_t now) {
+	uint64_t new_srtt;
+
+	if (factor == DNS_ADB_RTTADJAGE) {
+		if (addr->entry->lastage != now) {
+			new_srtt = addr->entry->srtt;
+			new_srtt <<= 9;
+			new_srtt -= addr->entry->srtt;
+			new_srtt >>= 9;
+			addr->entry->lastage = now;
+		} else {
+			new_srtt = addr->entry->srtt;
+		}
+	} else {
+		new_srtt = ((uint64_t)addr->entry->srtt / 10 * factor) +
+			   ((uint64_t)rtt / 10 * (10 - factor));
+	}
+
+	addr->entry->srtt = (unsigned int)new_srtt;
+	addr->srtt = (unsigned int)new_srtt;
+
+	if (addr->entry->expires == 0) {
+		addr->entry->expires = now + ADB_ENTRY_WINDOW;
+	}
+}
+
+void
+dns_adb_changeflags(dns_adb_t *adb, dns_adbaddrinfo_t *addr, unsigned int bits,
+		    unsigned int mask) {
+	int bucket;
+	isc_stdtime_t now;
+
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(DNS_ADBADDRINFO_VALID(addr));
+
+	REQUIRE((bits & ENTRY_IS_DEAD) == 0);
+	REQUIRE((mask & ENTRY_IS_DEAD) == 0);
+
+	bucket = addr->entry->lock_bucket;
+	LOCK(&adb->entrylocks[bucket]);
+
+	addr->entry->flags = (addr->entry->flags & ~mask) | (bits & mask);
+	if (addr->entry->expires == 0) {
+		isc_stdtime_get(&now);
+		addr->entry->expires = now + ADB_ENTRY_WINDOW;
+	}
+
+	/*
+	 * Note that we do not update the other bits in addr->flags with
+	 * the most recent values from addr->entry->flags.
+	 */
+	addr->flags = (addr->flags & ~mask) | (bits & mask);
+
+	UNLOCK(&adb->entrylocks[bucket]);
+}
+
+/*
+ * The polynomial backoff curve (10000 / ((10 + n) / 10)^(3/2)) <0..99> drops
+ * fairly aggressively at first, then slows down and tails off at around 2-3%.
+ *
+ * These will be used to make quota adjustments.
+ */
+static int quota_adj[] = {
+	10000, 8668, 7607, 6747, 6037, 5443, 4941, 4512, 4141, 3818, 3536,
+	3286,  3065, 2867, 2690, 2530, 2385, 2254, 2134, 2025, 1925, 1832,
+	1747,  1668, 1595, 1527, 1464, 1405, 1350, 1298, 1250, 1205, 1162,
+	1121,  1083, 1048, 1014, 981,  922,  894,  868,	 843,  820,  797,
+	775,   755,  735,  716,	 698,  680,  664,  648,	 632,  618,  603,
+	590,   577,  564,  552,	 540,  529,  518,  507,	 497,  487,  477,
+	468,   459,  450,  442,	 434,  426,  418,  411,	 404,  397,  390,
+	383,   377,  370,  364,	 358,  353,  347,  342,	 336,  331,  326,
+	321,   316,  312,  307,	 303,  298,  294,  290,	 286,  282,  278
+};
+
+#define QUOTA_ADJ_SIZE (sizeof(quota_adj) / sizeof(quota_adj[0]))
+
+/*
+ * Caller must hold adbentry lock
+ */
+static void
+maybe_adjust_quota(dns_adb_t *adb, dns_adbaddrinfo_t *addr, bool timeout) {
+	double tr;
+
+	UNUSED(adb);
+
+	if (adb->quota == 0 || adb->atr_freq == 0) {
+		return;
+	}
+
+	if (timeout) {
+		addr->entry->timeouts++;
+	}
+
+	if (addr->entry->completed++ <= adb->atr_freq) {
+		return;
+	}
+
+	/*
+	 * Calculate an exponential rolling average of the timeout ratio
+	 *
+	 * XXX: Integer arithmetic might be better than floating point
+	 */
+	tr = (double)addr->entry->timeouts / addr->entry->completed;
+	addr->entry->timeouts = addr->entry->completed = 0;
+	INSIST(addr->entry->atr >= 0.0);
+	INSIST(addr->entry->atr <= 1.0);
+	INSIST(adb->atr_discount >= 0.0);
+	INSIST(adb->atr_discount <= 1.0);
+	addr->entry->atr *= 1.0 - adb->atr_discount;
+	addr->entry->atr += tr * adb->atr_discount;
+	addr->entry->atr = ISC_CLAMP(addr->entry->atr, 0.0, 1.0);
+
+	if (addr->entry->atr < adb->atr_low && addr->entry->mode > 0) {
+		uint_fast32_t new_quota =
+			adb->quota * quota_adj[--addr->entry->mode] / 10000;
+		atomic_store_release(&addr->entry->quota,
+				     ISC_MAX(1, new_quota));
+		log_quota(addr->entry,
+			  "atr %0.2f, quota increased to %" PRIuFAST32,
+			  addr->entry->atr, new_quota);
+	} else if (addr->entry->atr > adb->atr_high &&
+		   addr->entry->mode < (QUOTA_ADJ_SIZE - 1))
+	{
+		uint_fast32_t new_quota =
+			adb->quota * quota_adj[++addr->entry->mode] / 10000;
+		atomic_store_release(&addr->entry->quota,
+				     ISC_MAX(1, new_quota));
+		log_quota(addr->entry,
+			  "atr %0.2f, quota decreased to %" PRIuFAST32,
+			  addr->entry->atr, new_quota);
+	}
+}
+
+#define EDNSTOS 3U
+bool
+dns_adb_noedns(dns_adb_t *adb, dns_adbaddrinfo_t *addr) {
+	int bucket;
+	bool noedns = false;
+
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(DNS_ADBADDRINFO_VALID(addr));
+
+	bucket = addr->entry->lock_bucket;
+	LOCK(&adb->entrylocks[bucket]);
+
+	if (addr->entry->edns == 0U &&
+	    (addr->entry->plain > EDNSTOS || addr->entry->to4096 > EDNSTOS))
+	{
+		if (((addr->entry->plain + addr->entry->to4096) & 0x3f) != 0) {
+			noedns = true;
+		} else {
+			/*
+			 * Increment plain so we don't get stuck.
+			 */
+			addr->entry->plain++;
+			if (addr->entry->plain == 0xff) {
+				addr->entry->edns >>= 1;
+				addr->entry->to4096 >>= 1;
+				addr->entry->to1432 >>= 1;
+				addr->entry->to1232 >>= 1;
+				addr->entry->to512 >>= 1;
+				addr->entry->plain >>= 1;
+				addr->entry->plainto >>= 1;
+			}
+		}
+	}
+	UNLOCK(&adb->entrylocks[bucket]);
+	return (noedns);
+}
+
+void
+dns_adb_plainresponse(dns_adb_t *adb, dns_adbaddrinfo_t *addr) {
+	int bucket;
+
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(DNS_ADBADDRINFO_VALID(addr));
+
+	bucket = addr->entry->lock_bucket;
+	LOCK(&adb->entrylocks[bucket]);
+
+	maybe_adjust_quota(adb, addr, false);
+
+	addr->entry->plain++;
+	if (addr->entry->plain == 0xff) {
+		addr->entry->edns >>= 1;
+		addr->entry->to4096 >>= 1;
+		addr->entry->to1432 >>= 1;
+		addr->entry->to1232 >>= 1;
+		addr->entry->to512 >>= 1;
+		addr->entry->plain >>= 1;
+		addr->entry->plainto >>= 1;
+	}
+	UNLOCK(&adb->entrylocks[bucket]);
+}
+
+void
+dns_adb_timeout(dns_adb_t *adb, dns_adbaddrinfo_t *addr) {
+	int bucket;
+
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(DNS_ADBADDRINFO_VALID(addr));
+
+	bucket = addr->entry->lock_bucket;
+	LOCK(&adb->entrylocks[bucket]);
+
+	maybe_adjust_quota(adb, addr, true);
+
+	/*
+	 * If we have not had a successful query then clear all
+	 * edns timeout information.
+	 */
+	if (addr->entry->edns == 0 && addr->entry->plain == 0) {
+		addr->entry->to512 = 0;
+		addr->entry->to1232 = 0;
+		addr->entry->to1432 = 0;
+		addr->entry->to4096 = 0;
+	} else {
+		addr->entry->to512 >>= 1;
+		addr->entry->to1232 >>= 1;
+		addr->entry->to1432 >>= 1;
+		addr->entry->to4096 >>= 1;
+	}
+
+	addr->entry->plainto++;
+	if (addr->entry->plainto == 0xff) {
+		addr->entry->edns >>= 1;
+		addr->entry->plain >>= 1;
+		addr->entry->plainto >>= 1;
+	}
+	UNLOCK(&adb->entrylocks[bucket]);
+}
+
+void
+dns_adb_ednsto(dns_adb_t *adb, dns_adbaddrinfo_t *addr, unsigned int size) {
+	int bucket;
+
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(DNS_ADBADDRINFO_VALID(addr));
+
+	bucket = addr->entry->lock_bucket;
+	LOCK(&adb->entrylocks[bucket]);
+
+	maybe_adjust_quota(adb, addr, true);
+
+	if (size <= 512U) {
+		if (addr->entry->to512 <= EDNSTOS) {
+			addr->entry->to512++;
+			addr->entry->to1232++;
+			addr->entry->to1432++;
+			addr->entry->to4096++;
+		}
+	} else if (size <= 1232U) {
+		if (addr->entry->to1232 <= EDNSTOS) {
+			addr->entry->to1232++;
+			addr->entry->to1432++;
+			addr->entry->to4096++;
+		}
+	} else if (size <= 1432U) {
+		if (addr->entry->to1432 <= EDNSTOS) {
+			addr->entry->to1432++;
+			addr->entry->to4096++;
+		}
+	} else {
+		if (addr->entry->to4096 <= EDNSTOS) {
+			addr->entry->to4096++;
+		}
+	}
+
+	if (addr->entry->to4096 == 0xff) {
+		addr->entry->edns >>= 1;
+		addr->entry->to4096 >>= 1;
+		addr->entry->to1432 >>= 1;
+		addr->entry->to1232 >>= 1;
+		addr->entry->to512 >>= 1;
+		addr->entry->plain >>= 1;
+		addr->entry->plainto >>= 1;
+	}
+	UNLOCK(&adb->entrylocks[bucket]);
+}
+
+void
+dns_adb_setudpsize(dns_adb_t *adb, dns_adbaddrinfo_t *addr, unsigned int size) {
+	int bucket;
+
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(DNS_ADBADDRINFO_VALID(addr));
+
+	bucket = addr->entry->lock_bucket;
+	LOCK(&adb->entrylocks[bucket]);
+	if (size < 512U) {
+		size = 512U;
+	}
+	if (size > addr->entry->udpsize) {
+		addr->entry->udpsize = size;
+	}
+
+	maybe_adjust_quota(adb, addr, false);
+
+	addr->entry->edns++;
+	if (addr->entry->edns == 0xff) {
+		addr->entry->edns >>= 1;
+		addr->entry->to4096 >>= 1;
+		addr->entry->to1432 >>= 1;
+		addr->entry->to1232 >>= 1;
+		addr->entry->to512 >>= 1;
+		addr->entry->plain >>= 1;
+		addr->entry->plainto >>= 1;
+	}
+	UNLOCK(&adb->entrylocks[bucket]);
+}
+
+unsigned int
+dns_adb_getudpsize(dns_adb_t *adb, dns_adbaddrinfo_t *addr) {
+	int bucket;
+	unsigned int size;
+
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(DNS_ADBADDRINFO_VALID(addr));
+
+	bucket = addr->entry->lock_bucket;
+	LOCK(&adb->entrylocks[bucket]);
+	size = addr->entry->udpsize;
+	UNLOCK(&adb->entrylocks[bucket]);
+
+	return (size);
+}
+
+unsigned int
+dns_adb_probesize(dns_adb_t *adb, dns_adbaddrinfo_t *addr, int lookups) {
+	int bucket;
+	unsigned int size;
+
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(DNS_ADBADDRINFO_VALID(addr));
+
+	bucket = addr->entry->lock_bucket;
+	LOCK(&adb->entrylocks[bucket]);
+	if (addr->entry->to1232 > EDNSTOS || lookups >= 2) {
+		size = 512;
+	} else if (addr->entry->to1432 > EDNSTOS || lookups >= 1) {
+		size = 1232;
+	} else if (addr->entry->to4096 > EDNSTOS) {
+		size = 1432;
+	} else {
+		size = 4096;
+	}
+	/*
+	 * Don't shrink probe size below what we have seen due to multiple
+	 * lookups.
+	 */
+	if (lookups > 0 && size < addr->entry->udpsize &&
+	    addr->entry->udpsize < 4096)
+	{
+		size = addr->entry->udpsize;
+	}
+	UNLOCK(&adb->entrylocks[bucket]);
+
+	return (size);
+}
+
+void
+dns_adb_setcookie(dns_adb_t *adb, dns_adbaddrinfo_t *addr,
+		  const unsigned char *cookie, size_t len) {
+	int bucket;
+
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(DNS_ADBADDRINFO_VALID(addr));
+
+	bucket = addr->entry->lock_bucket;
+	LOCK(&adb->entrylocks[bucket]);
+
+	if (addr->entry->cookie != NULL &&
+	    (cookie == NULL || len != addr->entry->cookielen))
+	{
+		isc_mem_put(adb->mctx, addr->entry->cookie,
+			    addr->entry->cookielen);
+		addr->entry->cookie = NULL;
+		addr->entry->cookielen = 0;
+	}
+
+	if (addr->entry->cookie == NULL && cookie != NULL && len != 0U) {
+		addr->entry->cookie = isc_mem_get(adb->mctx, len);
+		addr->entry->cookielen = (uint16_t)len;
+	}
+
+	if (addr->entry->cookie != NULL) {
+		memmove(addr->entry->cookie, cookie, len);
+	}
+	UNLOCK(&adb->entrylocks[bucket]);
+}
+
+size_t
+dns_adb_getcookie(dns_adb_t *adb, dns_adbaddrinfo_t *addr,
+		  unsigned char *cookie, size_t len) {
+	int bucket;
+
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(DNS_ADBADDRINFO_VALID(addr));
+
+	bucket = addr->entry->lock_bucket;
+	LOCK(&adb->entrylocks[bucket]);
+	if (cookie != NULL && addr->entry->cookie != NULL &&
+	    len >= addr->entry->cookielen)
+	{
+		memmove(cookie, addr->entry->cookie, addr->entry->cookielen);
+		len = addr->entry->cookielen;
+	} else {
+		len = 0;
+	}
+	UNLOCK(&adb->entrylocks[bucket]);
+
+	return (len);
+}
+
+isc_result_t
+dns_adb_findaddrinfo(dns_adb_t *adb, const isc_sockaddr_t *sa,
+		     dns_adbaddrinfo_t **addrp, isc_stdtime_t now) {
+	int bucket;
+	dns_adbentry_t *entry;
+	dns_adbaddrinfo_t *addr;
+	isc_result_t result;
+	in_port_t port;
+
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(addrp != NULL && *addrp == NULL);
+
+	UNUSED(now);
+
+	result = ISC_R_SUCCESS;
+	bucket = DNS_ADB_INVALIDBUCKET;
+	entry = find_entry_and_lock(adb, sa, &bucket, now);
+	INSIST(bucket != DNS_ADB_INVALIDBUCKET);
+	if (adb->entry_sd[bucket]) {
+		result = ISC_R_SHUTTINGDOWN;
+		goto unlock;
+	}
+	if (entry == NULL) {
+		/*
+		 * We don't know anything about this address.
+		 */
+		entry = new_adbentry(adb);
+		if (entry == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto unlock;
+		}
+		entry->sockaddr = *sa;
+		link_entry(adb, bucket, entry);
+		DP(ENTER_LEVEL, "findaddrinfo: new entry %p", entry);
+	} else {
+		DP(ENTER_LEVEL, "findaddrinfo: found entry %p", entry);
+	}
+
+	port = isc_sockaddr_getport(sa);
+	addr = new_adbaddrinfo(adb, entry, port);
+	if (addr == NULL) {
+		result = ISC_R_NOMEMORY;
+	} else {
+		inc_entry_refcnt(adb, entry, false);
+		*addrp = addr;
+	}
+
+unlock:
+	UNLOCK(&adb->entrylocks[bucket]);
+
+	return (result);
+}
+
+void
+dns_adb_freeaddrinfo(dns_adb_t *adb, dns_adbaddrinfo_t **addrp) {
+	dns_adbaddrinfo_t *addr;
+	dns_adbentry_t *entry;
+	int bucket;
+	isc_stdtime_t now;
+	bool want_check_exit = false;
+	bool overmem;
+
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(addrp != NULL);
+	addr = *addrp;
+	*addrp = NULL;
+	REQUIRE(DNS_ADBADDRINFO_VALID(addr));
+	entry = addr->entry;
+	REQUIRE(DNS_ADBENTRY_VALID(entry));
+
+	overmem = isc_mem_isovermem(adb->mctx);
+
+	bucket = addr->entry->lock_bucket;
+	LOCK(&adb->entrylocks[bucket]);
+
+	if (entry->expires == 0) {
+		isc_stdtime_get(&now);
+		entry->expires = now + ADB_ENTRY_WINDOW;
+	}
+
+	want_check_exit = dec_entry_refcnt(adb, overmem, entry, false);
+
+	UNLOCK(&adb->entrylocks[bucket]);
+
+	addr->entry = NULL;
+	free_adbaddrinfo(adb, &addr);
+
+	if (want_check_exit) {
+		LOCK(&adb->lock);
+		check_exit(adb);
+		UNLOCK(&adb->lock);
+	}
+}
+
+void
+dns_adb_flush(dns_adb_t *adb) {
+	unsigned int i;
+
+	INSIST(DNS_ADB_VALID(adb));
+
+	LOCK(&adb->lock);
+
+	/*
+	 * Call our cleanup routines.
+	 */
+	for (i = 0; i < adb->nnames; i++) {
+		RUNTIME_CHECK(!cleanup_names(adb, i, INT_MAX));
+	}
+	for (i = 0; i < adb->nentries; i++) {
+		RUNTIME_CHECK(!cleanup_entries(adb, i, INT_MAX));
+	}
+
+#ifdef DUMP_ADB_AFTER_CLEANING
+	dump_adb(adb, stdout, true, INT_MAX);
+#endif /* ifdef DUMP_ADB_AFTER_CLEANING */
+
+	UNLOCK(&adb->lock);
+}
+
+void
+dns_adb_flushname(dns_adb_t *adb, const dns_name_t *name) {
+	dns_adbname_t *adbname;
+	dns_adbname_t *nextname;
+	unsigned int bucket;
+
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(name != NULL);
+
+	LOCK(&adb->lock);
+	bucket = dns_name_hash(name, false) % adb->nnames;
+	LOCK(&adb->namelocks[bucket]);
+	adbname = ISC_LIST_HEAD(adb->names[bucket]);
+	while (adbname != NULL) {
+		nextname = ISC_LIST_NEXT(adbname, plink);
+		if (!NAME_DEAD(adbname) && dns_name_equal(name, &adbname->name))
+		{
+			RUNTIME_CHECK(
+				!kill_name(&adbname, DNS_EVENT_ADBCANCELED));
+		}
+		adbname = nextname;
+	}
+	UNLOCK(&adb->namelocks[bucket]);
+	UNLOCK(&adb->lock);
+}
+
+void
+dns_adb_flushnames(dns_adb_t *adb, const dns_name_t *name) {
+	dns_adbname_t *adbname, *nextname;
+	unsigned int i;
+
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(name != NULL);
+
+	LOCK(&adb->lock);
+	for (i = 0; i < adb->nnames; i++) {
+		LOCK(&adb->namelocks[i]);
+		adbname = ISC_LIST_HEAD(adb->names[i]);
+		while (adbname != NULL) {
+			bool ret;
+			nextname = ISC_LIST_NEXT(adbname, plink);
+			if (!NAME_DEAD(adbname) &&
+			    dns_name_issubdomain(&adbname->name, name))
+			{
+				ret = kill_name(&adbname,
+						DNS_EVENT_ADBCANCELED);
+				RUNTIME_CHECK(!ret);
+			}
+			adbname = nextname;
+		}
+		UNLOCK(&adb->namelocks[i]);
+	}
+	UNLOCK(&adb->lock);
+}
+
+static void
+water(void *arg, int mark) {
+	/*
+	 * We're going to change the way to handle overmem condition: use
+	 * isc_mem_isovermem() instead of storing the state via this callback,
+	 * since the latter way tends to cause race conditions.
+	 * To minimize the change, and in case we re-enable the callback
+	 * approach, however, keep this function at the moment.
+	 */
+
+	dns_adb_t *adb = arg;
+	bool overmem = (mark == ISC_MEM_HIWATER);
+
+	REQUIRE(DNS_ADB_VALID(adb));
+
+	DP(ISC_LOG_DEBUG(1), "adb reached %s water mark",
+	   overmem ? "high" : "low");
+}
+
+void
+dns_adb_setadbsize(dns_adb_t *adb, size_t size) {
+	size_t hiwater, lowater;
+
+	INSIST(DNS_ADB_VALID(adb));
+
+	if (size != 0U && size < DNS_ADB_MINADBSIZE) {
+		size = DNS_ADB_MINADBSIZE;
+	}
+
+	hiwater = size - (size >> 3); /* Approximately 7/8ths. */
+	lowater = size - (size >> 2); /* Approximately 3/4ths. */
+
+	if (size == 0U || hiwater == 0U || lowater == 0U) {
+		isc_mem_setwater(adb->mctx, water, adb, 0, 0);
+	} else {
+		isc_mem_setwater(adb->mctx, water, adb, hiwater, lowater);
+	}
+}
+
+void
+dns_adb_setquota(dns_adb_t *adb, uint32_t quota, uint32_t freq, double low,
+		 double high, double discount) {
+	REQUIRE(DNS_ADB_VALID(adb));
+
+	adb->quota = quota;
+	adb->atr_freq = freq;
+	adb->atr_low = low;
+	adb->atr_high = high;
+	adb->atr_discount = discount;
+}
+
+bool
+dns_adbentry_overquota(dns_adbentry_t *entry) {
+	REQUIRE(DNS_ADBENTRY_VALID(entry));
+
+	uint_fast32_t quota = atomic_load_relaxed(&entry->quota);
+	uint_fast32_t active = atomic_load_acquire(&entry->active);
+
+	return (quota != 0 && active >= quota);
+}
+
+void
+dns_adb_beginudpfetch(dns_adb_t *adb, dns_adbaddrinfo_t *addr) {
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(DNS_ADBADDRINFO_VALID(addr));
+
+	INSIST(atomic_fetch_add_relaxed(&addr->entry->active, 1) != UINT32_MAX);
+}
+
+void
+dns_adb_endudpfetch(dns_adb_t *adb, dns_adbaddrinfo_t *addr) {
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(DNS_ADBADDRINFO_VALID(addr));
+
+	INSIST(atomic_fetch_sub_release(&addr->entry->active, 1) != 0);
+}
diff --git a/lib/dns/badcache.c b/lib/dns/badcache.c
new file mode 100644
index 0000000..92116c0
--- /dev/null
+++ b/lib/dns/badcache.c
@@ -0,0 +1,525 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/buffer.h>
+#include <isc/hash.h>
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/mutex.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/rwlock.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#include <dns/badcache.h>
+#include <dns/name.h>
+#include <dns/rdatatype.h>
+#include <dns/types.h>
+
+typedef struct dns_bcentry dns_bcentry_t;
+
+struct dns_badcache {
+	unsigned int magic;
+	isc_rwlock_t lock;
+	isc_mem_t *mctx;
+
+	isc_mutex_t *tlocks;
+	dns_bcentry_t **table;
+
+	atomic_uint_fast32_t count;
+	atomic_uint_fast32_t sweep;
+
+	unsigned int minsize;
+	unsigned int size;
+};
+
+#define BADCACHE_MAGIC	  ISC_MAGIC('B', 'd', 'C', 'a')
+#define VALID_BADCACHE(m) ISC_MAGIC_VALID(m, BADCACHE_MAGIC)
+
+struct dns_bcentry {
+	dns_bcentry_t *next;
+	dns_rdatatype_t type;
+	isc_time_t expire;
+	uint32_t flags;
+	unsigned int hashval;
+	dns_name_t name;
+};
+
+static void
+badcache_resize(dns_badcache_t *bc, isc_time_t *now);
+
+isc_result_t
+dns_badcache_init(isc_mem_t *mctx, unsigned int size, dns_badcache_t **bcp) {
+	dns_badcache_t *bc = NULL;
+	unsigned int i;
+
+	REQUIRE(bcp != NULL && *bcp == NULL);
+	REQUIRE(mctx != NULL);
+
+	bc = isc_mem_get(mctx, sizeof(dns_badcache_t));
+	memset(bc, 0, sizeof(dns_badcache_t));
+
+	isc_mem_attach(mctx, &bc->mctx);
+	isc_rwlock_init(&bc->lock, 0, 0);
+
+	bc->table = isc_mem_get(bc->mctx, sizeof(*bc->table) * size);
+	bc->tlocks = isc_mem_get(bc->mctx, sizeof(isc_mutex_t) * size);
+	for (i = 0; i < size; i++) {
+		isc_mutex_init(&bc->tlocks[i]);
+	}
+	bc->size = bc->minsize = size;
+	memset(bc->table, 0, bc->size * sizeof(dns_bcentry_t *));
+
+	atomic_init(&bc->count, 0);
+	atomic_init(&bc->sweep, 0);
+	bc->magic = BADCACHE_MAGIC;
+
+	*bcp = bc;
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_badcache_destroy(dns_badcache_t **bcp) {
+	dns_badcache_t *bc;
+	unsigned int i;
+
+	REQUIRE(bcp != NULL && *bcp != NULL);
+	bc = *bcp;
+	*bcp = NULL;
+
+	dns_badcache_flush(bc);
+
+	bc->magic = 0;
+	isc_rwlock_destroy(&bc->lock);
+	for (i = 0; i < bc->size; i++) {
+		isc_mutex_destroy(&bc->tlocks[i]);
+	}
+	isc_mem_put(bc->mctx, bc->table, sizeof(dns_bcentry_t *) * bc->size);
+	isc_mem_put(bc->mctx, bc->tlocks, sizeof(isc_mutex_t) * bc->size);
+	isc_mem_putanddetach(&bc->mctx, bc, sizeof(dns_badcache_t));
+}
+
+static void
+badcache_resize(dns_badcache_t *bc, isc_time_t *now) {
+	dns_bcentry_t **newtable, *bad, *next;
+	isc_mutex_t *newlocks;
+	unsigned int newsize, i;
+	bool grow;
+
+	RWLOCK(&bc->lock, isc_rwlocktype_write);
+
+	/*
+	 * XXXWPK we will have a thundering herd problem here,
+	 * as all threads will wait on the RWLOCK when there's
+	 * a need to resize badcache.
+	 * However, it happens so rarely it should not be a
+	 * performance issue. This is because we double the
+	 * size every time we grow it, and we don't shrink
+	 * unless the number of entries really shrunk. In a
+	 * high load situation, the number of badcache entries
+	 * will eventually stabilize.
+	 */
+	if (atomic_load_relaxed(&bc->count) > bc->size * 8) {
+		grow = true;
+	} else if (atomic_load_relaxed(&bc->count) < bc->size * 2 &&
+		   bc->size > bc->minsize)
+	{
+		grow = false;
+	} else {
+		/* Someone resized it already, bail. */
+		RWUNLOCK(&bc->lock, isc_rwlocktype_write);
+		return;
+	}
+
+	if (grow) {
+		newsize = bc->size * 2 + 1;
+	} else {
+		newsize = (bc->size - 1) / 2;
+#ifdef __clang_analyzer__
+		/*
+		 * XXXWPK there's a bug in clang static analyzer -
+		 * `value % newsize` is considered undefined even though
+		 * we check if newsize is larger than 0. This helps.
+		 */
+		newsize += 1;
+#endif
+	}
+	RUNTIME_CHECK(newsize > 0);
+
+	newtable = isc_mem_get(bc->mctx, sizeof(dns_bcentry_t *) * newsize);
+	memset(newtable, 0, sizeof(dns_bcentry_t *) * newsize);
+
+	newlocks = isc_mem_get(bc->mctx, sizeof(isc_mutex_t) * newsize);
+
+	/* Copy existing mutexes */
+	for (i = 0; i < newsize && i < bc->size; i++) {
+		newlocks[i] = bc->tlocks[i];
+	}
+	/* Initialize additional mutexes if we're growing */
+	for (i = bc->size; i < newsize; i++) {
+		isc_mutex_init(&newlocks[i]);
+	}
+	/* Destroy extra mutexes if we're shrinking */
+	for (i = newsize; i < bc->size; i++) {
+		isc_mutex_destroy(&bc->tlocks[i]);
+	}
+
+	for (i = 0; atomic_load_relaxed(&bc->count) > 0 && i < bc->size; i++) {
+		for (bad = bc->table[i]; bad != NULL; bad = next) {
+			next = bad->next;
+			if (isc_time_compare(&bad->expire, now) < 0) {
+				isc_mem_put(bc->mctx, bad,
+					    sizeof(*bad) + bad->name.length);
+				atomic_fetch_sub_relaxed(&bc->count, 1);
+			} else {
+				bad->next = newtable[bad->hashval % newsize];
+				newtable[bad->hashval % newsize] = bad;
+			}
+		}
+		bc->table[i] = NULL;
+	}
+
+	isc_mem_put(bc->mctx, bc->tlocks, sizeof(isc_mutex_t) * bc->size);
+	bc->tlocks = newlocks;
+
+	isc_mem_put(bc->mctx, bc->table, sizeof(*bc->table) * bc->size);
+	bc->size = newsize;
+	bc->table = newtable;
+
+	RWUNLOCK(&bc->lock, isc_rwlocktype_write);
+}
+
+void
+dns_badcache_add(dns_badcache_t *bc, const dns_name_t *name,
+		 dns_rdatatype_t type, bool update, uint32_t flags,
+		 isc_time_t *expire) {
+	isc_result_t result;
+	unsigned int hashval, hash;
+	dns_bcentry_t *bad, *prev, *next;
+	isc_time_t now;
+	bool resize = false;
+
+	REQUIRE(VALID_BADCACHE(bc));
+	REQUIRE(name != NULL);
+	REQUIRE(expire != NULL);
+
+	RWLOCK(&bc->lock, isc_rwlocktype_read);
+
+	result = isc_time_now(&now);
+	if (result != ISC_R_SUCCESS) {
+		isc_time_settoepoch(&now);
+	}
+
+	hashval = dns_name_hash(name, false);
+	hash = hashval % bc->size;
+	LOCK(&bc->tlocks[hash]);
+	prev = NULL;
+	for (bad = bc->table[hash]; bad != NULL; bad = next) {
+		next = bad->next;
+		if (bad->type == type && dns_name_equal(name, &bad->name)) {
+			if (update) {
+				bad->expire = *expire;
+				bad->flags = flags;
+			}
+			break;
+		}
+		if (isc_time_compare(&bad->expire, &now) < 0) {
+			if (prev == NULL) {
+				bc->table[hash] = bad->next;
+			} else {
+				prev->next = bad->next;
+			}
+			isc_mem_put(bc->mctx, bad,
+				    sizeof(*bad) + bad->name.length);
+			atomic_fetch_sub_relaxed(&bc->count, 1);
+		} else {
+			prev = bad;
+		}
+	}
+
+	if (bad == NULL) {
+		isc_buffer_t buffer;
+		bad = isc_mem_get(bc->mctx, sizeof(*bad) + name->length);
+		bad->type = type;
+		bad->hashval = hashval;
+		bad->expire = *expire;
+		bad->flags = flags;
+		isc_buffer_init(&buffer, bad + 1, name->length);
+		dns_name_init(&bad->name, NULL);
+		dns_name_copy(name, &bad->name, &buffer);
+		bad->next = bc->table[hash];
+		bc->table[hash] = bad;
+		unsigned count = atomic_fetch_add_relaxed(&bc->count, 1);
+		if ((count > bc->size * 8) ||
+		    (count < bc->size * 2 && bc->size > bc->minsize))
+		{
+			resize = true;
+		}
+	} else {
+		bad->expire = *expire;
+	}
+
+	UNLOCK(&bc->tlocks[hash]);
+	RWUNLOCK(&bc->lock, isc_rwlocktype_read);
+	if (resize) {
+		badcache_resize(bc, &now);
+	}
+}
+
+bool
+dns_badcache_find(dns_badcache_t *bc, const dns_name_t *name,
+		  dns_rdatatype_t type, uint32_t *flagp, isc_time_t *now) {
+	dns_bcentry_t *bad, *prev, *next;
+	bool answer = false;
+	unsigned int i;
+	unsigned int hash;
+
+	REQUIRE(VALID_BADCACHE(bc));
+	REQUIRE(name != NULL);
+	REQUIRE(now != NULL);
+
+	RWLOCK(&bc->lock, isc_rwlocktype_read);
+
+	/*
+	 * XXXMUKS: dns_name_equal() is expensive as it does a
+	 * octet-by-octet comparison, and it can be made better in two
+	 * ways here. First, lowercase the names (use
+	 * dns_name_downcase() instead of dns_name_copy() in
+	 * dns_badcache_add()) so that dns_name_caseequal() can be used
+	 * which the compiler will emit as SIMD instructions. Second,
+	 * don't put multiple copies of the same name in the chain (or
+	 * multiple names will have to be matched for equality), but use
+	 * name->link to store the type specific part.
+	 */
+
+	if (atomic_load_relaxed(&bc->count) == 0) {
+		goto skip;
+	}
+
+	hash = dns_name_hash(name, false) % bc->size;
+	prev = NULL;
+	LOCK(&bc->tlocks[hash]);
+	for (bad = bc->table[hash]; bad != NULL; bad = next) {
+		next = bad->next;
+		/*
+		 * Search the hash list. Clean out expired records as we go.
+		 */
+		if (isc_time_compare(&bad->expire, now) < 0) {
+			if (prev != NULL) {
+				prev->next = bad->next;
+			} else {
+				bc->table[hash] = bad->next;
+			}
+
+			isc_mem_put(bc->mctx, bad,
+				    sizeof(*bad) + bad->name.length);
+			atomic_fetch_sub(&bc->count, 1);
+			continue;
+		}
+		if (bad->type == type && dns_name_equal(name, &bad->name)) {
+			if (flagp != NULL) {
+				*flagp = bad->flags;
+			}
+			answer = true;
+			break;
+		}
+		prev = bad;
+	}
+	UNLOCK(&bc->tlocks[hash]);
+skip:
+
+	/*
+	 * Slow sweep to clean out stale records.
+	 */
+	i = atomic_fetch_add(&bc->sweep, 1) % bc->size;
+	if (isc_mutex_trylock(&bc->tlocks[i]) == ISC_R_SUCCESS) {
+		bad = bc->table[i];
+		if (bad != NULL && isc_time_compare(&bad->expire, now) < 0) {
+			bc->table[i] = bad->next;
+			isc_mem_put(bc->mctx, bad,
+				    sizeof(*bad) + bad->name.length);
+			atomic_fetch_sub_relaxed(&bc->count, 1);
+		}
+		UNLOCK(&bc->tlocks[i]);
+	}
+
+	RWUNLOCK(&bc->lock, isc_rwlocktype_read);
+	return (answer);
+}
+
+void
+dns_badcache_flush(dns_badcache_t *bc) {
+	dns_bcentry_t *entry, *next;
+	unsigned int i;
+
+	RWLOCK(&bc->lock, isc_rwlocktype_write);
+	REQUIRE(VALID_BADCACHE(bc));
+
+	for (i = 0; atomic_load_relaxed(&bc->count) > 0 && i < bc->size; i++) {
+		for (entry = bc->table[i]; entry != NULL; entry = next) {
+			next = entry->next;
+			isc_mem_put(bc->mctx, entry,
+				    sizeof(*entry) + entry->name.length);
+			atomic_fetch_sub_relaxed(&bc->count, 1);
+		}
+		bc->table[i] = NULL;
+	}
+	RWUNLOCK(&bc->lock, isc_rwlocktype_write);
+}
+
+void
+dns_badcache_flushname(dns_badcache_t *bc, const dns_name_t *name) {
+	dns_bcentry_t *bad, *prev, *next;
+	isc_result_t result;
+	isc_time_t now;
+	unsigned int hash;
+
+	REQUIRE(VALID_BADCACHE(bc));
+	REQUIRE(name != NULL);
+
+	RWLOCK(&bc->lock, isc_rwlocktype_read);
+
+	result = isc_time_now(&now);
+	if (result != ISC_R_SUCCESS) {
+		isc_time_settoepoch(&now);
+	}
+	hash = dns_name_hash(name, false) % bc->size;
+	LOCK(&bc->tlocks[hash]);
+	prev = NULL;
+	for (bad = bc->table[hash]; bad != NULL; bad = next) {
+		int n;
+		next = bad->next;
+		n = isc_time_compare(&bad->expire, &now);
+		if (n < 0 || dns_name_equal(name, &bad->name)) {
+			if (prev == NULL) {
+				bc->table[hash] = bad->next;
+			} else {
+				prev->next = bad->next;
+			}
+
+			isc_mem_put(bc->mctx, bad,
+				    sizeof(*bad) + bad->name.length);
+			atomic_fetch_sub_relaxed(&bc->count, 1);
+		} else {
+			prev = bad;
+		}
+	}
+	UNLOCK(&bc->tlocks[hash]);
+
+	RWUNLOCK(&bc->lock, isc_rwlocktype_read);
+}
+
+void
+dns_badcache_flushtree(dns_badcache_t *bc, const dns_name_t *name) {
+	dns_bcentry_t *bad, *prev, *next;
+	unsigned int i;
+	int n;
+	isc_time_t now;
+	isc_result_t result;
+
+	REQUIRE(VALID_BADCACHE(bc));
+	REQUIRE(name != NULL);
+
+	/*
+	 * We write lock the tree to avoid relocking every node
+	 * individually.
+	 */
+	RWLOCK(&bc->lock, isc_rwlocktype_write);
+
+	result = isc_time_now(&now);
+	if (result != ISC_R_SUCCESS) {
+		isc_time_settoepoch(&now);
+	}
+
+	for (i = 0; atomic_load_relaxed(&bc->count) > 0 && i < bc->size; i++) {
+		prev = NULL;
+		for (bad = bc->table[i]; bad != NULL; bad = next) {
+			next = bad->next;
+			n = isc_time_compare(&bad->expire, &now);
+			if (n < 0 || dns_name_issubdomain(&bad->name, name)) {
+				if (prev == NULL) {
+					bc->table[i] = bad->next;
+				} else {
+					prev->next = bad->next;
+				}
+
+				isc_mem_put(bc->mctx, bad,
+					    sizeof(*bad) + bad->name.length);
+				atomic_fetch_sub_relaxed(&bc->count, 1);
+			} else {
+				prev = bad;
+			}
+		}
+	}
+
+	RWUNLOCK(&bc->lock, isc_rwlocktype_write);
+}
+
+void
+dns_badcache_print(dns_badcache_t *bc, const char *cachename, FILE *fp) {
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char typebuf[DNS_RDATATYPE_FORMATSIZE];
+	dns_bcentry_t *bad, *next, *prev;
+	isc_time_t now;
+	unsigned int i;
+	uint64_t t;
+
+	REQUIRE(VALID_BADCACHE(bc));
+	REQUIRE(cachename != NULL);
+	REQUIRE(fp != NULL);
+
+	/*
+	 * We write lock the tree to avoid relocking every node
+	 * individually.
+	 */
+	RWLOCK(&bc->lock, isc_rwlocktype_write);
+	fprintf(fp, ";\n; %s\n;\n", cachename);
+
+	TIME_NOW(&now);
+	for (i = 0; atomic_load_relaxed(&bc->count) > 0 && i < bc->size; i++) {
+		prev = NULL;
+		for (bad = bc->table[i]; bad != NULL; bad = next) {
+			next = bad->next;
+			if (isc_time_compare(&bad->expire, &now) < 0) {
+				if (prev != NULL) {
+					prev->next = bad->next;
+				} else {
+					bc->table[i] = bad->next;
+				}
+
+				isc_mem_put(bc->mctx, bad,
+					    sizeof(*bad) + bad->name.length);
+				atomic_fetch_sub_relaxed(&bc->count, 1);
+				continue;
+			}
+			prev = bad;
+			dns_name_format(&bad->name, namebuf, sizeof(namebuf));
+			dns_rdatatype_format(bad->type, typebuf,
+					     sizeof(typebuf));
+			t = isc_time_microdiff(&bad->expire, &now);
+			t /= 1000;
+			fprintf(fp,
+				"; %s/%s [ttl "
+				"%" PRIu64 "]\n",
+				namebuf, typebuf, t);
+		}
+	}
+	RWUNLOCK(&bc->lock, isc_rwlocktype_write);
+}
diff --git a/lib/dns/byaddr.c b/lib/dns/byaddr.c
new file mode 100644
index 0000000..c6f471b
--- /dev/null
+++ b/lib/dns/byaddr.c
@@ -0,0 +1,282 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <stdbool.h>
+
+#include <isc/mem.h>
+#include <isc/netaddr.h>
+#include <isc/print.h>
+#include <isc/string.h> /* Required for HP/UX (and others?) */
+#include <isc/task.h>
+#include <isc/util.h>
+
+#include <dns/byaddr.h>
+#include <dns/db.h>
+#include <dns/events.h>
+#include <dns/lookup.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/resolver.h>
+#include <dns/result.h>
+#include <dns/view.h>
+
+/*
+ * XXXRTH  We could use a static event...
+ */
+
+static char hex_digits[] = { '0', '1', '2', '3', '4', '5', '6', '7',
+			     '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' };
+
+isc_result_t
+dns_byaddr_createptrname(const isc_netaddr_t *address, unsigned int options,
+			 dns_name_t *name) {
+	char textname[128];
+	const unsigned char *bytes;
+	int i;
+	char *cp;
+	isc_buffer_t buffer;
+	unsigned int len;
+
+	REQUIRE(address != NULL);
+	UNUSED(options);
+
+	/*
+	 * We create the text representation and then convert to a
+	 * dns_name_t.  This is not maximally efficient, but it keeps all
+	 * of the knowledge of wire format in the dns_name_ routines.
+	 */
+
+	bytes = (const unsigned char *)(&address->type);
+	if (address->family == AF_INET) {
+		(void)snprintf(textname, sizeof(textname),
+			       "%u.%u.%u.%u.in-addr.arpa.",
+			       ((unsigned int)bytes[3] & 0xffU),
+			       ((unsigned int)bytes[2] & 0xffU),
+			       ((unsigned int)bytes[1] & 0xffU),
+			       ((unsigned int)bytes[0] & 0xffU));
+	} else if (address->family == AF_INET6) {
+		size_t remaining;
+
+		cp = textname;
+		for (i = 15; i >= 0; i--) {
+			*cp++ = hex_digits[bytes[i] & 0x0f];
+			*cp++ = '.';
+			*cp++ = hex_digits[(bytes[i] >> 4) & 0x0f];
+			*cp++ = '.';
+		}
+		remaining = sizeof(textname) - (cp - textname);
+		strlcpy(cp, "ip6.arpa.", remaining);
+	} else {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	len = (unsigned int)strlen(textname);
+	isc_buffer_init(&buffer, textname, len);
+	isc_buffer_add(&buffer, len);
+	return (dns_name_fromtext(name, &buffer, dns_rootname, 0, NULL));
+}
+
+struct dns_byaddr {
+	/* Unlocked. */
+	unsigned int magic;
+	isc_mem_t *mctx;
+	isc_mutex_t lock;
+	dns_fixedname_t name;
+	/* Locked by lock. */
+	unsigned int options;
+	dns_lookup_t *lookup;
+	isc_task_t *task;
+	dns_byaddrevent_t *event;
+	bool canceled;
+};
+
+#define BYADDR_MAGIC	ISC_MAGIC('B', 'y', 'A', 'd')
+#define VALID_BYADDR(b) ISC_MAGIC_VALID(b, BYADDR_MAGIC)
+
+#define MAX_RESTARTS 16
+
+static isc_result_t
+copy_ptr_targets(dns_byaddr_t *byaddr, dns_rdataset_t *rdataset) {
+	isc_result_t result;
+	dns_name_t *name;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+
+	/*
+	 * The caller must be holding the byaddr's lock.
+	 */
+
+	result = dns_rdataset_first(rdataset);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdata_ptr_t ptr;
+		dns_rdataset_current(rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &ptr, NULL);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		name = isc_mem_get(byaddr->mctx, sizeof(*name));
+		dns_name_init(name, NULL);
+		dns_name_dup(&ptr.ptr, byaddr->mctx, name);
+		dns_rdata_freestruct(&ptr);
+		ISC_LIST_APPEND(byaddr->event->names, name, link);
+		dns_rdata_reset(&rdata);
+		result = dns_rdataset_next(rdataset);
+	}
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+	}
+
+	return (result);
+}
+
+static void
+lookup_done(isc_task_t *task, isc_event_t *event) {
+	dns_byaddr_t *byaddr = event->ev_arg;
+	dns_lookupevent_t *levent;
+	isc_result_t result;
+
+	REQUIRE(event->ev_type == DNS_EVENT_LOOKUPDONE);
+	REQUIRE(VALID_BYADDR(byaddr));
+	REQUIRE(byaddr->task == task);
+
+	UNUSED(task);
+
+	levent = (dns_lookupevent_t *)event;
+
+	if (levent->result == ISC_R_SUCCESS) {
+		result = copy_ptr_targets(byaddr, levent->rdataset);
+		byaddr->event->result = result;
+	} else {
+		byaddr->event->result = levent->result;
+	}
+	isc_event_free(&event);
+	isc_task_sendanddetach(&byaddr->task, (isc_event_t **)&byaddr->event);
+}
+
+static void
+bevent_destroy(isc_event_t *event) {
+	dns_byaddrevent_t *bevent;
+	dns_name_t *name, *next_name;
+	isc_mem_t *mctx;
+
+	REQUIRE(event->ev_type == DNS_EVENT_BYADDRDONE);
+	mctx = event->ev_destroy_arg;
+	bevent = (dns_byaddrevent_t *)event;
+
+	for (name = ISC_LIST_HEAD(bevent->names); name != NULL;
+	     name = next_name)
+	{
+		next_name = ISC_LIST_NEXT(name, link);
+		ISC_LIST_UNLINK(bevent->names, name, link);
+		dns_name_free(name, mctx);
+		isc_mem_put(mctx, name, sizeof(*name));
+	}
+	isc_mem_put(mctx, event, event->ev_size);
+}
+
+isc_result_t
+dns_byaddr_create(isc_mem_t *mctx, const isc_netaddr_t *address,
+		  dns_view_t *view, unsigned int options, isc_task_t *task,
+		  isc_taskaction_t action, void *arg, dns_byaddr_t **byaddrp) {
+	isc_result_t result;
+	dns_byaddr_t *byaddr;
+	isc_event_t *ievent;
+
+	byaddr = isc_mem_get(mctx, sizeof(*byaddr));
+	byaddr->mctx = NULL;
+	isc_mem_attach(mctx, &byaddr->mctx);
+	byaddr->options = options;
+
+	byaddr->event = isc_mem_get(mctx, sizeof(*byaddr->event));
+	ISC_EVENT_INIT(byaddr->event, sizeof(*byaddr->event), 0, NULL,
+		       DNS_EVENT_BYADDRDONE, action, arg, byaddr,
+		       bevent_destroy, mctx);
+	byaddr->event->result = ISC_R_FAILURE;
+	ISC_LIST_INIT(byaddr->event->names);
+
+	byaddr->task = NULL;
+	isc_task_attach(task, &byaddr->task);
+
+	isc_mutex_init(&byaddr->lock);
+
+	dns_fixedname_init(&byaddr->name);
+
+	result = dns_byaddr_createptrname(address, options,
+					  dns_fixedname_name(&byaddr->name));
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_lock;
+	}
+
+	byaddr->lookup = NULL;
+	result = dns_lookup_create(mctx, dns_fixedname_name(&byaddr->name),
+				   dns_rdatatype_ptr, view, 0, task,
+				   lookup_done, byaddr, &byaddr->lookup);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_lock;
+	}
+
+	byaddr->canceled = false;
+	byaddr->magic = BYADDR_MAGIC;
+
+	*byaddrp = byaddr;
+
+	return (ISC_R_SUCCESS);
+
+cleanup_lock:
+	isc_mutex_destroy(&byaddr->lock);
+
+	ievent = (isc_event_t *)byaddr->event;
+	isc_event_free(&ievent);
+	byaddr->event = NULL;
+
+	isc_task_detach(&byaddr->task);
+
+	isc_mem_putanddetach(&mctx, byaddr, sizeof(*byaddr));
+
+	return (result);
+}
+
+void
+dns_byaddr_cancel(dns_byaddr_t *byaddr) {
+	REQUIRE(VALID_BYADDR(byaddr));
+
+	LOCK(&byaddr->lock);
+
+	if (!byaddr->canceled) {
+		byaddr->canceled = true;
+		if (byaddr->lookup != NULL) {
+			dns_lookup_cancel(byaddr->lookup);
+		}
+	}
+
+	UNLOCK(&byaddr->lock);
+}
+
+void
+dns_byaddr_destroy(dns_byaddr_t **byaddrp) {
+	dns_byaddr_t *byaddr;
+
+	REQUIRE(byaddrp != NULL);
+	byaddr = *byaddrp;
+	*byaddrp = NULL;
+	REQUIRE(VALID_BYADDR(byaddr));
+	REQUIRE(byaddr->event == NULL);
+	REQUIRE(byaddr->task == NULL);
+	dns_lookup_destroy(&byaddr->lookup);
+
+	isc_mutex_destroy(&byaddr->lock);
+	byaddr->magic = 0;
+	isc_mem_putanddetach(&byaddr->mctx, byaddr, sizeof(*byaddr));
+}
diff --git a/lib/dns/cache.c b/lib/dns/cache.c
new file mode 100644
index 0000000..417cdaf
--- /dev/null
+++ b/lib/dns/cache.c
@@ -0,0 +1,1510 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/refcount.h>
+#include <isc/stats.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/time.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/cache.h>
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/events.h>
+#include <dns/lib.h>
+#include <dns/log.h>
+#include <dns/masterdump.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/result.h>
+#include <dns/stats.h>
+
+#ifdef HAVE_JSON_C
+#include <json_object.h>
+#endif /* HAVE_JSON_C */
+
+#ifdef HAVE_LIBXML2
+#include <libxml/xmlwriter.h>
+#define ISC_XMLCHAR (const xmlChar *)
+#endif /* HAVE_LIBXML2 */
+
+#include "rbtdb.h"
+
+#define CACHE_MAGIC	   ISC_MAGIC('$', '$', '$', '$')
+#define VALID_CACHE(cache) ISC_MAGIC_VALID(cache, CACHE_MAGIC)
+
+/*!
+ * Control incremental cleaning.
+ * DNS_CACHE_MINSIZE is how many bytes is the floor for
+ * dns_cache_setcachesize(). See also DNS_CACHE_CLEANERINCREMENT
+ */
+#define DNS_CACHE_MINSIZE 2097152U /*%< Bytes.  2097152 = 2 MB */
+/*!
+ * Control incremental cleaning.
+ * CLEANERINCREMENT is how many nodes are examined in one pass.
+ * See also DNS_CACHE_MINSIZE
+ */
+#define DNS_CACHE_CLEANERINCREMENT 1000U /*%< Number of nodes. */
+
+/***
+ ***	Types
+ ***/
+
+/*
+ * A cache_cleaner_t encapsulates the state of the periodic
+ * cache cleaning.
+ */
+
+typedef struct cache_cleaner cache_cleaner_t;
+
+typedef enum {
+	cleaner_s_idle, /*%< Waiting for cleaning-interval to expire. */
+	cleaner_s_busy, /*%< Currently cleaning. */
+	cleaner_s_done	/*%< Freed enough memory after being overmem. */
+} cleaner_state_t;
+
+/*
+ * Convenience macros for comprehensive assertion checking.
+ */
+#define CLEANER_IDLE(c) \
+	((c)->state == cleaner_s_idle && (c)->resched_event != NULL)
+#define CLEANER_BUSY(c)                                           \
+	((c)->state == cleaner_s_busy && (c)->iterator != NULL && \
+	 (c)->resched_event == NULL)
+
+/*%
+ * Accesses to a cache cleaner object are synchronized through
+ * task/event serialization, or locked from the cache object.
+ */
+struct cache_cleaner {
+	isc_mutex_t lock;
+	/*%<
+	 * Locks overmem_event, overmem.  Note: never allocate memory
+	 * while holding this lock - that could lead to deadlock since
+	 * the lock is take by water() which is called from the memory
+	 * allocator.
+	 */
+
+	dns_cache_t *cache;
+	isc_task_t *task;
+	isc_event_t *resched_event; /*% Sent by cleaner task to
+				     * itself to reschedule */
+	isc_event_t *overmem_event;
+
+	dns_dbiterator_t *iterator;
+	unsigned int increment; /*% Number of names to
+				 * clean in one increment */
+	cleaner_state_t state;	/*% Idle/Busy. */
+	bool overmem;		/*% The cache is in an overmem state.
+				 * */
+	bool replaceiterator;
+};
+
+/*%
+ * The actual cache object.
+ */
+
+struct dns_cache {
+	/* Unlocked. */
+	unsigned int magic;
+	isc_mutex_t lock;
+	isc_mutex_t filelock;
+	isc_mem_t *mctx;  /* Main cache memory */
+	isc_mem_t *hmctx; /* Heap memory */
+	char *name;
+	isc_refcount_t references;
+	isc_refcount_t live_tasks;
+
+	/* Locked by 'lock'. */
+	dns_rdataclass_t rdclass;
+	dns_db_t *db;
+	cache_cleaner_t cleaner;
+	char *db_type;
+	int db_argc;
+	char **db_argv;
+	size_t size;
+	dns_ttl_t serve_stale_ttl;
+	dns_ttl_t serve_stale_refresh;
+	isc_stats_t *stats;
+
+	/* Locked by 'filelock'. */
+	char *filename;
+	/* Access to the on-disk cache file is also locked by 'filelock'. */
+};
+
+/***
+ ***	Functions
+ ***/
+
+static isc_result_t
+cache_cleaner_init(dns_cache_t *cache, isc_taskmgr_t *taskmgr,
+		   isc_timermgr_t *timermgr, cache_cleaner_t *cleaner);
+
+static void
+incremental_cleaning_action(isc_task_t *task, isc_event_t *event);
+
+static void
+cleaner_shutdown_action(isc_task_t *task, isc_event_t *event);
+
+static void
+overmem_cleaning_action(isc_task_t *task, isc_event_t *event);
+
+static isc_result_t
+cache_create_db(dns_cache_t *cache, dns_db_t **db) {
+	isc_result_t result;
+	result = dns_db_create(cache->mctx, cache->db_type, dns_rootname,
+			       dns_dbtype_cache, cache->rdclass, cache->db_argc,
+			       cache->db_argv, db);
+	if (result == ISC_R_SUCCESS) {
+		dns_db_setservestalettl(*db, cache->serve_stale_ttl);
+	}
+	return (result);
+}
+
+isc_result_t
+dns_cache_create(isc_mem_t *cmctx, isc_mem_t *hmctx, isc_taskmgr_t *taskmgr,
+		 isc_timermgr_t *timermgr, dns_rdataclass_t rdclass,
+		 const char *cachename, const char *db_type,
+		 unsigned int db_argc, char **db_argv, dns_cache_t **cachep) {
+	isc_result_t result;
+	dns_cache_t *cache;
+	int i, extra = 0;
+	isc_task_t *dbtask;
+
+	REQUIRE(cachep != NULL);
+	REQUIRE(*cachep == NULL);
+	REQUIRE(cmctx != NULL);
+	REQUIRE(hmctx != NULL);
+	REQUIRE(cachename != NULL);
+
+	cache = isc_mem_get(cmctx, sizeof(*cache));
+
+	cache->mctx = cache->hmctx = NULL;
+	isc_mem_attach(cmctx, &cache->mctx);
+	isc_mem_attach(hmctx, &cache->hmctx);
+
+	cache->name = NULL;
+	if (cachename != NULL) {
+		cache->name = isc_mem_strdup(cmctx, cachename);
+	}
+
+	isc_mutex_init(&cache->lock);
+	isc_mutex_init(&cache->filelock);
+
+	isc_refcount_init(&cache->references, 1);
+	isc_refcount_init(&cache->live_tasks, 1);
+	cache->rdclass = rdclass;
+	cache->serve_stale_ttl = 0;
+
+	cache->stats = NULL;
+	result = isc_stats_create(cmctx, &cache->stats,
+				  dns_cachestatscounter_max);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_filelock;
+	}
+
+	cache->db_type = isc_mem_strdup(cmctx, db_type);
+
+	/*
+	 * For databases of type "rbt" we pass hmctx to dns_db_create()
+	 * via cache->db_argv, followed by the rest of the arguments in
+	 * db_argv (of which there really shouldn't be any).
+	 */
+	if (strcmp(cache->db_type, "rbt") == 0) {
+		extra = 1;
+	}
+
+	cache->db_argc = db_argc + extra;
+	cache->db_argv = NULL;
+
+	if (cache->db_argc != 0) {
+		cache->db_argv = isc_mem_get(cmctx,
+					     cache->db_argc * sizeof(char *));
+
+		for (i = 0; i < cache->db_argc; i++) {
+			cache->db_argv[i] = NULL;
+		}
+
+		cache->db_argv[0] = (char *)hmctx;
+		for (i = extra; i < cache->db_argc; i++) {
+			cache->db_argv[i] = isc_mem_strdup(cmctx,
+							   db_argv[i - extra]);
+		}
+	}
+
+	/*
+	 * Create the database
+	 */
+	cache->db = NULL;
+	result = cache_create_db(cache, &cache->db);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_dbargv;
+	}
+	if (taskmgr != NULL) {
+		dbtask = NULL;
+		result = isc_task_create(taskmgr, 1, &dbtask);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup_db;
+		}
+
+		isc_task_setname(dbtask, "cache_dbtask", NULL);
+		dns_db_settask(cache->db, dbtask);
+		isc_task_detach(&dbtask);
+	}
+
+	cache->filename = NULL;
+
+	cache->magic = CACHE_MAGIC;
+
+	/*
+	 * RBT-type cache DB has its own mechanism of cache cleaning and doesn't
+	 * need the control of the generic cleaner.
+	 */
+	if (strcmp(db_type, "rbt") == 0) {
+		result = cache_cleaner_init(cache, NULL, NULL, &cache->cleaner);
+	} else {
+		result = cache_cleaner_init(cache, taskmgr, timermgr,
+					    &cache->cleaner);
+	}
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_db;
+	}
+
+	result = dns_db_setcachestats(cache->db, cache->stats);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_db;
+	}
+
+	*cachep = cache;
+	return (ISC_R_SUCCESS);
+
+cleanup_db:
+	dns_db_detach(&cache->db);
+cleanup_dbargv:
+	for (i = extra; i < cache->db_argc; i++) {
+		if (cache->db_argv[i] != NULL) {
+			isc_mem_free(cmctx, cache->db_argv[i]);
+		}
+	}
+	if (cache->db_argv != NULL) {
+		isc_mem_put(cmctx, cache->db_argv,
+			    cache->db_argc * sizeof(char *));
+	}
+	isc_mem_free(cmctx, cache->db_type);
+cleanup_filelock:
+	isc_mutex_destroy(&cache->filelock);
+	isc_stats_detach(&cache->stats);
+	isc_mutex_destroy(&cache->lock);
+	if (cache->name != NULL) {
+		isc_mem_free(cmctx, cache->name);
+	}
+	isc_mem_detach(&cache->hmctx);
+	isc_mem_putanddetach(&cache->mctx, cache, sizeof(*cache));
+	return (result);
+}
+
+static void
+cache_free(dns_cache_t *cache) {
+	REQUIRE(VALID_CACHE(cache));
+
+	isc_refcount_destroy(&cache->references);
+	isc_refcount_destroy(&cache->live_tasks);
+
+	isc_mem_setwater(cache->mctx, NULL, NULL, 0, 0);
+
+	if (cache->cleaner.task != NULL) {
+		isc_task_detach(&cache->cleaner.task);
+	}
+
+	if (cache->cleaner.overmem_event != NULL) {
+		isc_event_free(&cache->cleaner.overmem_event);
+	}
+
+	if (cache->cleaner.resched_event != NULL) {
+		isc_event_free(&cache->cleaner.resched_event);
+	}
+
+	if (cache->cleaner.iterator != NULL) {
+		dns_dbiterator_destroy(&cache->cleaner.iterator);
+	}
+
+	isc_mutex_destroy(&cache->cleaner.lock);
+
+	if (cache->filename) {
+		isc_mem_free(cache->mctx, cache->filename);
+		cache->filename = NULL;
+	}
+
+	if (cache->db != NULL) {
+		dns_db_detach(&cache->db);
+	}
+
+	if (cache->db_argv != NULL) {
+		/*
+		 * We don't free db_argv[0] in "rbt" cache databases
+		 * as it's a pointer to hmctx
+		 */
+		int extra = 0;
+		if (strcmp(cache->db_type, "rbt") == 0) {
+			extra = 1;
+		}
+		for (int i = extra; i < cache->db_argc; i++) {
+			if (cache->db_argv[i] != NULL) {
+				isc_mem_free(cache->mctx, cache->db_argv[i]);
+			}
+		}
+		isc_mem_put(cache->mctx, cache->db_argv,
+			    cache->db_argc * sizeof(char *));
+	}
+
+	if (cache->db_type != NULL) {
+		isc_mem_free(cache->mctx, cache->db_type);
+	}
+
+	if (cache->name != NULL) {
+		isc_mem_free(cache->mctx, cache->name);
+	}
+
+	if (cache->stats != NULL) {
+		isc_stats_detach(&cache->stats);
+	}
+
+	isc_mutex_destroy(&cache->lock);
+	isc_mutex_destroy(&cache->filelock);
+
+	cache->magic = 0;
+	isc_mem_detach(&cache->hmctx);
+	isc_mem_putanddetach(&cache->mctx, cache, sizeof(*cache));
+}
+
+void
+dns_cache_attach(dns_cache_t *cache, dns_cache_t **targetp) {
+	REQUIRE(VALID_CACHE(cache));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	isc_refcount_increment(&cache->references);
+
+	*targetp = cache;
+}
+
+void
+dns_cache_detach(dns_cache_t **cachep) {
+	dns_cache_t *cache;
+
+	REQUIRE(cachep != NULL);
+	cache = *cachep;
+	*cachep = NULL;
+	REQUIRE(VALID_CACHE(cache));
+
+	if (isc_refcount_decrement(&cache->references) == 1) {
+		cache->cleaner.overmem = false;
+		/*
+		 * When the cache is shut down, dump it to a file if one is
+		 * specified.
+		 */
+		isc_result_t result = dns_cache_dump(cache);
+		if (result != ISC_R_SUCCESS) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_CACHE, ISC_LOG_WARNING,
+				      "error dumping cache: %s ",
+				      isc_result_totext(result));
+		}
+
+		/*
+		 * If the cleaner task exists, let it free the cache.
+		 */
+		if (isc_refcount_decrement(&cache->live_tasks) > 1) {
+			isc_task_shutdown(cache->cleaner.task);
+		} else {
+			cache_free(cache);
+		}
+	}
+}
+
+void
+dns_cache_attachdb(dns_cache_t *cache, dns_db_t **dbp) {
+	REQUIRE(VALID_CACHE(cache));
+	REQUIRE(dbp != NULL && *dbp == NULL);
+	REQUIRE(cache->db != NULL);
+
+	LOCK(&cache->lock);
+	dns_db_attach(cache->db, dbp);
+	UNLOCK(&cache->lock);
+}
+
+isc_result_t
+dns_cache_setfilename(dns_cache_t *cache, const char *filename) {
+	char *newname;
+
+	REQUIRE(VALID_CACHE(cache));
+	REQUIRE(filename != NULL);
+
+	newname = isc_mem_strdup(cache->mctx, filename);
+
+	LOCK(&cache->filelock);
+	if (cache->filename) {
+		isc_mem_free(cache->mctx, cache->filename);
+	}
+	cache->filename = newname;
+	UNLOCK(&cache->filelock);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_cache_load(dns_cache_t *cache) {
+	isc_result_t result;
+
+	REQUIRE(VALID_CACHE(cache));
+
+	if (cache->filename == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+
+	LOCK(&cache->filelock);
+	result = dns_db_load(cache->db, cache->filename, dns_masterformat_text,
+			     0);
+	UNLOCK(&cache->filelock);
+
+	return (result);
+}
+
+isc_result_t
+dns_cache_dump(dns_cache_t *cache) {
+	isc_result_t result;
+
+	REQUIRE(VALID_CACHE(cache));
+
+	if (cache->filename == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+
+	LOCK(&cache->filelock);
+	result = dns_master_dump(cache->mctx, cache->db, NULL,
+				 &dns_master_style_cache, cache->filename,
+				 dns_masterformat_text, NULL);
+	UNLOCK(&cache->filelock);
+	return (result);
+}
+
+const char *
+dns_cache_getname(dns_cache_t *cache) {
+	REQUIRE(VALID_CACHE(cache));
+
+	return (cache->name);
+}
+
+/*
+ * Initialize the cache cleaner object at *cleaner.
+ * Space for the object must be allocated by the caller.
+ */
+
+static isc_result_t
+cache_cleaner_init(dns_cache_t *cache, isc_taskmgr_t *taskmgr,
+		   isc_timermgr_t *timermgr, cache_cleaner_t *cleaner) {
+	isc_result_t result;
+
+	isc_mutex_init(&cleaner->lock);
+
+	cleaner->increment = DNS_CACHE_CLEANERINCREMENT;
+	cleaner->state = cleaner_s_idle;
+	cleaner->cache = cache;
+	cleaner->iterator = NULL;
+	cleaner->overmem = false;
+	cleaner->replaceiterator = false;
+
+	cleaner->task = NULL;
+	cleaner->resched_event = NULL;
+	cleaner->overmem_event = NULL;
+
+	result = dns_db_createiterator(cleaner->cache->db, false,
+				       &cleaner->iterator);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	if (taskmgr != NULL && timermgr != NULL) {
+		result = isc_task_create(taskmgr, 1, &cleaner->task);
+		if (result != ISC_R_SUCCESS) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "isc_task_create() failed: %s",
+					 dns_result_totext(result));
+			result = ISC_R_UNEXPECTED;
+			goto cleanup;
+		}
+		isc_refcount_increment(&cleaner->cache->live_tasks);
+		isc_task_setname(cleaner->task, "cachecleaner", cleaner);
+
+		result = isc_task_onshutdown(cleaner->task,
+					     cleaner_shutdown_action, cache);
+		if (result != ISC_R_SUCCESS) {
+			isc_refcount_decrement0(&cleaner->cache->live_tasks);
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "cache cleaner: "
+					 "isc_task_onshutdown() failed: %s",
+					 dns_result_totext(result));
+			goto cleanup;
+		}
+
+		cleaner->resched_event = isc_event_allocate(
+			cache->mctx, cleaner, DNS_EVENT_CACHECLEAN,
+			incremental_cleaning_action, cleaner,
+			sizeof(isc_event_t));
+
+		cleaner->overmem_event = isc_event_allocate(
+			cache->mctx, cleaner, DNS_EVENT_CACHEOVERMEM,
+			overmem_cleaning_action, cleaner, sizeof(isc_event_t));
+	}
+
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	if (cleaner->overmem_event != NULL) {
+		isc_event_free(&cleaner->overmem_event);
+	}
+	if (cleaner->resched_event != NULL) {
+		isc_event_free(&cleaner->resched_event);
+	}
+	if (cleaner->task != NULL) {
+		isc_task_detach(&cleaner->task);
+	}
+	if (cleaner->iterator != NULL) {
+		dns_dbiterator_destroy(&cleaner->iterator);
+	}
+	isc_mutex_destroy(&cleaner->lock);
+
+	return (result);
+}
+
+static void
+begin_cleaning(cache_cleaner_t *cleaner) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(CLEANER_IDLE(cleaner));
+
+	/*
+	 * Create an iterator, if it does not already exist, and
+	 * position it at the beginning of the cache.
+	 */
+	if (cleaner->iterator == NULL) {
+		result = dns_db_createiterator(cleaner->cache->db, false,
+					       &cleaner->iterator);
+	}
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_CACHE, ISC_LOG_WARNING,
+			      "cache cleaner could not create "
+			      "iterator: %s",
+			      isc_result_totext(result));
+	} else {
+		dns_dbiterator_setcleanmode(cleaner->iterator, true);
+		result = dns_dbiterator_first(cleaner->iterator);
+	}
+	if (result != ISC_R_SUCCESS) {
+		/*
+		 * If the result is ISC_R_NOMORE, the database is empty,
+		 * so there is nothing to be cleaned.
+		 */
+		if (result != ISC_R_NOMORE && cleaner->iterator != NULL) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "cache cleaner: "
+					 "dns_dbiterator_first() failed: %s",
+					 dns_result_totext(result));
+			dns_dbiterator_destroy(&cleaner->iterator);
+		} else if (cleaner->iterator != NULL) {
+			result = dns_dbiterator_pause(cleaner->iterator);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		}
+	} else {
+		/*
+		 * Pause the iterator to free its lock.
+		 */
+		result = dns_dbiterator_pause(cleaner->iterator);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		isc_log_write(
+			dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE,
+			ISC_LOG_DEBUG(1), "begin cache cleaning, mem inuse %lu",
+			(unsigned long)isc_mem_inuse(cleaner->cache->mctx));
+		cleaner->state = cleaner_s_busy;
+		isc_task_send(cleaner->task, &cleaner->resched_event);
+	}
+
+	return;
+}
+
+static void
+end_cleaning(cache_cleaner_t *cleaner, isc_event_t *event) {
+	isc_result_t result;
+
+	REQUIRE(CLEANER_BUSY(cleaner));
+	REQUIRE(event != NULL);
+
+	result = dns_dbiterator_pause(cleaner->iterator);
+	if (result != ISC_R_SUCCESS) {
+		dns_dbiterator_destroy(&cleaner->iterator);
+	}
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE,
+		      ISC_LOG_DEBUG(1), "end cache cleaning, mem inuse %lu",
+		      (unsigned long)isc_mem_inuse(cleaner->cache->mctx));
+
+	cleaner->state = cleaner_s_idle;
+	cleaner->resched_event = event;
+}
+
+/*
+ * This is called when the cache either surpasses its upper limit
+ * or shrinks beyond its lower limit.
+ */
+static void
+overmem_cleaning_action(isc_task_t *task, isc_event_t *event) {
+	cache_cleaner_t *cleaner = event->ev_arg;
+	bool want_cleaning = false;
+
+	UNUSED(task);
+
+	INSIST(task == cleaner->task);
+	INSIST(event->ev_type == DNS_EVENT_CACHEOVERMEM);
+	INSIST(cleaner->overmem_event == NULL);
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE,
+		      ISC_LOG_DEBUG(1),
+		      "overmem_cleaning_action called, "
+		      "overmem = %d, state = %d",
+		      cleaner->overmem, cleaner->state);
+
+	LOCK(&cleaner->lock);
+
+	if (cleaner->overmem) {
+		if (cleaner->state == cleaner_s_idle) {
+			want_cleaning = true;
+		}
+	} else {
+		if (cleaner->state == cleaner_s_busy) {
+			/*
+			 * end_cleaning() can't be called here because
+			 * then both cleaner->overmem_event and
+			 * cleaner->resched_event will point to this
+			 * event.  Set the state to done, and then
+			 * when the incremental_cleaning_action() event
+			 * is posted, it will handle the end_cleaning.
+			 */
+			cleaner->state = cleaner_s_done;
+		}
+	}
+
+	cleaner->overmem_event = event;
+
+	UNLOCK(&cleaner->lock);
+
+	if (want_cleaning) {
+		begin_cleaning(cleaner);
+	}
+}
+
+/*
+ * Do incremental cleaning.
+ */
+static void
+incremental_cleaning_action(isc_task_t *task, isc_event_t *event) {
+	cache_cleaner_t *cleaner = event->ev_arg;
+	isc_result_t result;
+	unsigned int n_names;
+	isc_time_t start;
+
+	UNUSED(task);
+
+	INSIST(task == cleaner->task);
+	INSIST(event->ev_type == DNS_EVENT_CACHECLEAN);
+
+	if (cleaner->state == cleaner_s_done) {
+		cleaner->state = cleaner_s_busy;
+		end_cleaning(cleaner, event);
+		LOCK(&cleaner->cache->lock);
+		LOCK(&cleaner->lock);
+		if (cleaner->replaceiterator) {
+			dns_dbiterator_destroy(&cleaner->iterator);
+			(void)dns_db_createiterator(cleaner->cache->db, false,
+						    &cleaner->iterator);
+			cleaner->replaceiterator = false;
+		}
+		UNLOCK(&cleaner->lock);
+		UNLOCK(&cleaner->cache->lock);
+		return;
+	}
+
+	INSIST(CLEANER_BUSY(cleaner));
+
+	n_names = cleaner->increment;
+
+	REQUIRE(DNS_DBITERATOR_VALID(cleaner->iterator));
+
+	isc_time_now(&start);
+	while (n_names-- > 0) {
+		dns_dbnode_t *node = NULL;
+
+		result = dns_dbiterator_current(cleaner->iterator, &node, NULL);
+		if (result != ISC_R_SUCCESS) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "cache cleaner: "
+					 "dns_dbiterator_current() "
+					 "failed: %s",
+					 dns_result_totext(result));
+
+			end_cleaning(cleaner, event);
+			return;
+		}
+
+		/*
+		 * The node was not needed, but was required by
+		 * dns_dbiterator_current().  Give up its reference.
+		 */
+		dns_db_detachnode(cleaner->cache->db, &node);
+
+		/*
+		 * Step to the next node.
+		 */
+		result = dns_dbiterator_next(cleaner->iterator);
+
+		if (result != ISC_R_SUCCESS) {
+			/*
+			 * Either the end was reached (ISC_R_NOMORE) or
+			 * some error was signaled.  If the cache is still
+			 * overmem and no error was encountered,
+			 * keep trying to clean it, otherwise stop cleaning.
+			 */
+			if (result != ISC_R_NOMORE) {
+				UNEXPECTED_ERROR(__FILE__, __LINE__,
+						 "cache cleaner: "
+						 "dns_dbiterator_next() "
+						 "failed: %s",
+						 dns_result_totext(result));
+			} else if (cleaner->overmem) {
+				result =
+					dns_dbiterator_first(cleaner->iterator);
+				if (result == ISC_R_SUCCESS) {
+					isc_log_write(dns_lctx,
+						      DNS_LOGCATEGORY_DATABASE,
+						      DNS_LOGMODULE_CACHE,
+						      ISC_LOG_DEBUG(1),
+						      "cache cleaner: "
+						      "still overmem, "
+						      "reset and try again");
+					continue;
+				}
+			}
+
+			end_cleaning(cleaner, event);
+			return;
+		}
+	}
+
+	/*
+	 * We have successfully performed a cleaning increment but have
+	 * not gone through the entire cache.  Free the iterator locks
+	 * and reschedule another batch.  If it fails, just try to continue
+	 * anyway.
+	 */
+	result = dns_dbiterator_pause(cleaner->iterator);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE,
+		      ISC_LOG_DEBUG(1),
+		      "cache cleaner: checked %u nodes, "
+		      "mem inuse %lu, sleeping",
+		      cleaner->increment,
+		      (unsigned long)isc_mem_inuse(cleaner->cache->mctx));
+
+	isc_task_send(task, &event);
+	INSIST(CLEANER_BUSY(cleaner));
+	return;
+}
+
+/*
+ * Do immediate cleaning.
+ */
+isc_result_t
+dns_cache_clean(dns_cache_t *cache, isc_stdtime_t now) {
+	isc_result_t result;
+	dns_dbiterator_t *iterator = NULL;
+
+	REQUIRE(VALID_CACHE(cache));
+
+	result = dns_db_createiterator(cache->db, 0, &iterator);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = dns_dbiterator_first(iterator);
+
+	while (result == ISC_R_SUCCESS) {
+		dns_dbnode_t *node = NULL;
+		result = dns_dbiterator_current(iterator, &node,
+						(dns_name_t *)NULL);
+		if (result != ISC_R_SUCCESS) {
+			break;
+		}
+
+		/*
+		 * Check TTLs, mark expired rdatasets stale.
+		 */
+		result = dns_db_expirenode(cache->db, node, now);
+		if (result != ISC_R_SUCCESS) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "cache cleaner: dns_db_expirenode() "
+					 "failed: %s",
+					 dns_result_totext(result));
+			/*
+			 * Continue anyway.
+			 */
+		}
+
+		/*
+		 * This is where the actual freeing takes place.
+		 */
+		dns_db_detachnode(cache->db, &node);
+
+		result = dns_dbiterator_next(iterator);
+	}
+
+	dns_dbiterator_destroy(&iterator);
+
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+	}
+
+	return (result);
+}
+
+static void
+water(void *arg, int mark) {
+	dns_cache_t *cache = arg;
+	bool overmem = (mark == ISC_MEM_HIWATER);
+
+	REQUIRE(VALID_CACHE(cache));
+
+	LOCK(&cache->cleaner.lock);
+
+	if (overmem != cache->cleaner.overmem) {
+		dns_db_overmem(cache->db, overmem);
+		cache->cleaner.overmem = overmem;
+		isc_mem_waterack(cache->mctx, mark);
+	}
+
+	if (cache->cleaner.overmem_event != NULL) {
+		isc_task_send(cache->cleaner.task,
+			      &cache->cleaner.overmem_event);
+	}
+
+	UNLOCK(&cache->cleaner.lock);
+}
+
+void
+dns_cache_setcachesize(dns_cache_t *cache, size_t size) {
+	size_t hiwater, lowater;
+
+	REQUIRE(VALID_CACHE(cache));
+
+	/*
+	 * Impose a minimum cache size; pathological things happen if there
+	 * is too little room.
+	 */
+	if (size != 0U && size < DNS_CACHE_MINSIZE) {
+		size = DNS_CACHE_MINSIZE;
+	}
+
+	LOCK(&cache->lock);
+	cache->size = size;
+	UNLOCK(&cache->lock);
+
+	hiwater = size - (size >> 3); /* Approximately 7/8ths. */
+	lowater = size - (size >> 2); /* Approximately 3/4ths. */
+
+	/*
+	 * If the cache was overmem and cleaning, but now with the new limits
+	 * it is no longer in an overmem condition, then the next
+	 * isc_mem_put for cache memory will do the right thing and trigger
+	 * water().
+	 */
+
+	if (size == 0U || hiwater == 0U || lowater == 0U) {
+		/*
+		 * Disable cache memory limiting.
+		 */
+		isc_mem_setwater(cache->mctx, water, cache, 0, 0);
+	} else {
+		/*
+		 * Establish new cache memory limits (either for the first
+		 * time, or replacing other limits).
+		 */
+		isc_mem_setwater(cache->mctx, water, cache, hiwater, lowater);
+	}
+
+	dns_db_adjusthashsize(cache->db, size);
+}
+
+size_t
+dns_cache_getcachesize(dns_cache_t *cache) {
+	size_t size;
+
+	REQUIRE(VALID_CACHE(cache));
+
+	LOCK(&cache->lock);
+	size = cache->size;
+	UNLOCK(&cache->lock);
+
+	return (size);
+}
+
+void
+dns_cache_setservestalettl(dns_cache_t *cache, dns_ttl_t ttl) {
+	REQUIRE(VALID_CACHE(cache));
+
+	LOCK(&cache->lock);
+	cache->serve_stale_ttl = ttl;
+	UNLOCK(&cache->lock);
+
+	(void)dns_db_setservestalettl(cache->db, ttl);
+}
+
+dns_ttl_t
+dns_cache_getservestalettl(dns_cache_t *cache) {
+	dns_ttl_t ttl;
+	isc_result_t result;
+
+	REQUIRE(VALID_CACHE(cache));
+
+	/*
+	 * Could get it straight from the dns_cache_t, but use db
+	 * to confirm the value that the db is really using.
+	 */
+	result = dns_db_getservestalettl(cache->db, &ttl);
+	return (result == ISC_R_SUCCESS ? ttl : 0);
+}
+
+void
+dns_cache_setservestalerefresh(dns_cache_t *cache, dns_ttl_t interval) {
+	REQUIRE(VALID_CACHE(cache));
+
+	LOCK(&cache->lock);
+	cache->serve_stale_refresh = interval;
+	UNLOCK(&cache->lock);
+
+	(void)dns_db_setservestalerefresh(cache->db, interval);
+}
+
+dns_ttl_t
+dns_cache_getservestalerefresh(dns_cache_t *cache) {
+	isc_result_t result;
+	dns_ttl_t interval;
+
+	REQUIRE(VALID_CACHE(cache));
+
+	result = dns_db_getservestalerefresh(cache->db, &interval);
+	return (result == ISC_R_SUCCESS ? interval : 0);
+}
+
+/*
+ * The cleaner task is shutting down; do the necessary cleanup.
+ */
+static void
+cleaner_shutdown_action(isc_task_t *task, isc_event_t *event) {
+	dns_cache_t *cache = event->ev_arg;
+
+	UNUSED(task);
+
+	INSIST(task == cache->cleaner.task);
+	INSIST(event->ev_type == ISC_TASKEVENT_SHUTDOWN);
+
+	if (CLEANER_BUSY(&cache->cleaner)) {
+		end_cleaning(&cache->cleaner, event);
+	} else {
+		isc_event_free(&event);
+	}
+
+	/* Make sure we don't reschedule anymore. */
+	(void)isc_task_purge(task, NULL, DNS_EVENT_CACHECLEAN, NULL);
+
+	isc_refcount_decrementz(&cache->live_tasks);
+
+	cache_free(cache);
+}
+
+isc_result_t
+dns_cache_flush(dns_cache_t *cache) {
+	dns_db_t *db = NULL, *olddb;
+	dns_dbiterator_t *dbiterator = NULL, *olddbiterator = NULL;
+	isc_result_t result;
+
+	result = cache_create_db(cache, &db);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = dns_db_createiterator(db, false, &dbiterator);
+	if (result != ISC_R_SUCCESS) {
+		dns_db_detach(&db);
+		return (result);
+	}
+
+	LOCK(&cache->lock);
+	LOCK(&cache->cleaner.lock);
+	if (cache->cleaner.state == cleaner_s_idle) {
+		olddbiterator = cache->cleaner.iterator;
+		cache->cleaner.iterator = dbiterator;
+		dbiterator = NULL;
+	} else {
+		if (cache->cleaner.state == cleaner_s_busy) {
+			cache->cleaner.state = cleaner_s_done;
+		}
+		cache->cleaner.replaceiterator = true;
+	}
+	olddb = cache->db;
+	cache->db = db;
+	dns_db_setcachestats(cache->db, cache->stats);
+	UNLOCK(&cache->cleaner.lock);
+	UNLOCK(&cache->lock);
+
+	if (dbiterator != NULL) {
+		dns_dbiterator_destroy(&dbiterator);
+	}
+	if (olddbiterator != NULL) {
+		dns_dbiterator_destroy(&olddbiterator);
+	}
+	dns_db_detach(&olddb);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+clearnode(dns_db_t *db, dns_dbnode_t *node) {
+	isc_result_t result;
+	dns_rdatasetiter_t *iter = NULL;
+
+	result = dns_db_allrdatasets(db, node, NULL, DNS_DB_STALEOK,
+				     (isc_stdtime_t)0, &iter);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	for (result = dns_rdatasetiter_first(iter); result == ISC_R_SUCCESS;
+	     result = dns_rdatasetiter_next(iter))
+	{
+		dns_rdataset_t rdataset;
+		dns_rdataset_init(&rdataset);
+
+		dns_rdatasetiter_current(iter, &rdataset);
+		result = dns_db_deleterdataset(db, node, NULL, rdataset.type,
+					       rdataset.covers);
+		dns_rdataset_disassociate(&rdataset);
+		if (result != ISC_R_SUCCESS && result != DNS_R_UNCHANGED) {
+			break;
+		}
+	}
+
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+	}
+
+	dns_rdatasetiter_destroy(&iter);
+	return (result);
+}
+
+static isc_result_t
+cleartree(dns_db_t *db, const dns_name_t *name) {
+	isc_result_t result, answer = ISC_R_SUCCESS;
+	dns_dbiterator_t *iter = NULL;
+	dns_dbnode_t *node = NULL, *top = NULL;
+	dns_fixedname_t fnodename;
+	dns_name_t *nodename;
+
+	/*
+	 * Create the node if it doesn't exist so dns_dbiterator_seek()
+	 * can find it.  We will continue even if this fails.
+	 */
+	(void)dns_db_findnode(db, name, true, &top);
+
+	nodename = dns_fixedname_initname(&fnodename);
+
+	result = dns_db_createiterator(db, 0, &iter);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	result = dns_dbiterator_seek(iter, name);
+	if (result == DNS_R_PARTIALMATCH) {
+		result = dns_dbiterator_next(iter);
+	}
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	while (result == ISC_R_SUCCESS) {
+		result = dns_dbiterator_current(iter, &node, nodename);
+		if (result == DNS_R_NEWORIGIN) {
+			result = ISC_R_SUCCESS;
+		}
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+		/*
+		 * Are we done?
+		 */
+		if (!dns_name_issubdomain(nodename, name)) {
+			goto cleanup;
+		}
+
+		/*
+		 * If clearnode fails record and move onto the next node.
+		 */
+		result = clearnode(db, node);
+		if (result != ISC_R_SUCCESS && answer == ISC_R_SUCCESS) {
+			answer = result;
+		}
+		dns_db_detachnode(db, &node);
+		result = dns_dbiterator_next(iter);
+	}
+
+cleanup:
+	if (result == ISC_R_NOMORE || result == ISC_R_NOTFOUND) {
+		result = ISC_R_SUCCESS;
+	}
+	if (result != ISC_R_SUCCESS && answer == ISC_R_SUCCESS) {
+		answer = result;
+	}
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+	if (iter != NULL) {
+		dns_dbiterator_destroy(&iter);
+	}
+	if (top != NULL) {
+		dns_db_detachnode(db, &top);
+	}
+
+	return (answer);
+}
+
+isc_result_t
+dns_cache_flushname(dns_cache_t *cache, const dns_name_t *name) {
+	return (dns_cache_flushnode(cache, name, false));
+}
+
+isc_result_t
+dns_cache_flushnode(dns_cache_t *cache, const dns_name_t *name, bool tree) {
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	dns_db_t *db = NULL;
+
+	if (tree && dns_name_equal(name, dns_rootname)) {
+		return (dns_cache_flush(cache));
+	}
+
+	LOCK(&cache->lock);
+	if (cache->db != NULL) {
+		dns_db_attach(cache->db, &db);
+	}
+	UNLOCK(&cache->lock);
+	if (db == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+
+	if (tree) {
+		result = cleartree(cache->db, name);
+	} else {
+		result = dns_db_findnode(cache->db, name, false, &node);
+		if (result == ISC_R_NOTFOUND) {
+			result = ISC_R_SUCCESS;
+			goto cleanup_db;
+		}
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup_db;
+		}
+		result = clearnode(cache->db, node);
+		dns_db_detachnode(cache->db, &node);
+	}
+
+cleanup_db:
+	dns_db_detach(&db);
+	return (result);
+}
+
+isc_stats_t *
+dns_cache_getstats(dns_cache_t *cache) {
+	REQUIRE(VALID_CACHE(cache));
+	return (cache->stats);
+}
+
+void
+dns_cache_updatestats(dns_cache_t *cache, isc_result_t result) {
+	REQUIRE(VALID_CACHE(cache));
+	if (cache->stats == NULL) {
+		return;
+	}
+
+	switch (result) {
+	case ISC_R_SUCCESS:
+	case DNS_R_NCACHENXDOMAIN:
+	case DNS_R_NCACHENXRRSET:
+	case DNS_R_CNAME:
+	case DNS_R_DNAME:
+	case DNS_R_GLUE:
+	case DNS_R_ZONECUT:
+		isc_stats_increment(cache->stats,
+				    dns_cachestatscounter_queryhits);
+		break;
+	default:
+		isc_stats_increment(cache->stats,
+				    dns_cachestatscounter_querymisses);
+	}
+}
+
+/*
+ * XXX: Much of the following code has been copied in from statschannel.c.
+ * We should refactor this into a generic function in stats.c that can be
+ * called from both places.
+ */
+typedef struct cache_dumparg {
+	isc_statsformat_t type;
+	void *arg;		 /* type dependent argument */
+	int ncounters;		 /* for general statistics */
+	int *counterindices;	 /* for general statistics */
+	uint64_t *countervalues; /* for general statistics */
+	isc_result_t result;
+} cache_dumparg_t;
+
+static void
+getcounter(isc_statscounter_t counter, uint64_t val, void *arg) {
+	cache_dumparg_t *dumparg = arg;
+
+	REQUIRE(counter < dumparg->ncounters);
+	dumparg->countervalues[counter] = val;
+}
+
+static void
+getcounters(isc_stats_t *stats, isc_statsformat_t type, int ncounters,
+	    int *indices, uint64_t *values) {
+	cache_dumparg_t dumparg;
+
+	memset(values, 0, sizeof(values[0]) * ncounters);
+
+	dumparg.type = type;
+	dumparg.ncounters = ncounters;
+	dumparg.counterindices = indices;
+	dumparg.countervalues = values;
+
+	isc_stats_dump(stats, getcounter, &dumparg, ISC_STATSDUMP_VERBOSE);
+}
+
+void
+dns_cache_dumpstats(dns_cache_t *cache, FILE *fp) {
+	int indices[dns_cachestatscounter_max];
+	uint64_t values[dns_cachestatscounter_max];
+
+	REQUIRE(VALID_CACHE(cache));
+
+	getcounters(cache->stats, isc_statsformat_file,
+		    dns_cachestatscounter_max, indices, values);
+
+	fprintf(fp, "%20" PRIu64 " %s\n", values[dns_cachestatscounter_hits],
+		"cache hits");
+	fprintf(fp, "%20" PRIu64 " %s\n", values[dns_cachestatscounter_misses],
+		"cache misses");
+	fprintf(fp, "%20" PRIu64 " %s\n",
+		values[dns_cachestatscounter_queryhits],
+		"cache hits (from query)");
+	fprintf(fp, "%20" PRIu64 " %s\n",
+		values[dns_cachestatscounter_querymisses],
+		"cache misses (from query)");
+	fprintf(fp, "%20" PRIu64 " %s\n",
+		values[dns_cachestatscounter_deletelru],
+		"cache records deleted due to memory exhaustion");
+	fprintf(fp, "%20" PRIu64 " %s\n",
+		values[dns_cachestatscounter_deletettl],
+		"cache records deleted due to TTL expiration");
+	fprintf(fp, "%20u %s\n", dns_db_nodecount(cache->db),
+		"cache database nodes");
+	fprintf(fp, "%20" PRIu64 " %s\n", (uint64_t)dns_db_hashsize(cache->db),
+		"cache database hash buckets");
+
+	fprintf(fp, "%20" PRIu64 " %s\n", (uint64_t)isc_mem_total(cache->mctx),
+		"cache tree memory total");
+	fprintf(fp, "%20" PRIu64 " %s\n", (uint64_t)isc_mem_inuse(cache->mctx),
+		"cache tree memory in use");
+	fprintf(fp, "%20" PRIu64 " %s\n",
+		(uint64_t)isc_mem_maxinuse(cache->mctx),
+		"cache tree highest memory in use");
+
+	fprintf(fp, "%20" PRIu64 " %s\n", (uint64_t)isc_mem_total(cache->hmctx),
+		"cache heap memory total");
+	fprintf(fp, "%20" PRIu64 " %s\n", (uint64_t)isc_mem_inuse(cache->hmctx),
+		"cache heap memory in use");
+	fprintf(fp, "%20" PRIu64 " %s\n",
+		(uint64_t)isc_mem_maxinuse(cache->hmctx),
+		"cache heap highest memory in use");
+}
+
+#ifdef HAVE_LIBXML2
+#define TRY0(a)                     \
+	do {                        \
+		xmlrc = (a);        \
+		if (xmlrc < 0)      \
+			goto error; \
+	} while (0)
+static int
+renderstat(const char *name, uint64_t value, xmlTextWriterPtr writer) {
+	int xmlrc;
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counter"));
+	TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "name",
+					 ISC_XMLCHAR name));
+	TRY0(xmlTextWriterWriteFormatString(writer, "%" PRIu64 "", value));
+	TRY0(xmlTextWriterEndElement(writer)); /* counter */
+
+error:
+	return (xmlrc);
+}
+
+int
+dns_cache_renderxml(dns_cache_t *cache, void *writer0) {
+	int indices[dns_cachestatscounter_max];
+	uint64_t values[dns_cachestatscounter_max];
+	int xmlrc;
+	xmlTextWriterPtr writer = (xmlTextWriterPtr)writer0;
+
+	REQUIRE(VALID_CACHE(cache));
+
+	getcounters(cache->stats, isc_statsformat_file,
+		    dns_cachestatscounter_max, indices, values);
+	TRY0(renderstat("CacheHits", values[dns_cachestatscounter_hits],
+			writer));
+	TRY0(renderstat("CacheMisses", values[dns_cachestatscounter_misses],
+			writer));
+	TRY0(renderstat("QueryHits", values[dns_cachestatscounter_queryhits],
+			writer));
+	TRY0(renderstat("QueryMisses",
+			values[dns_cachestatscounter_querymisses], writer));
+	TRY0(renderstat("DeleteLRU", values[dns_cachestatscounter_deletelru],
+			writer));
+	TRY0(renderstat("DeleteTTL", values[dns_cachestatscounter_deletettl],
+			writer));
+
+	TRY0(renderstat("CacheNodes", dns_db_nodecount(cache->db), writer));
+	TRY0(renderstat("CacheBuckets", dns_db_hashsize(cache->db), writer));
+
+	TRY0(renderstat("TreeMemTotal", isc_mem_total(cache->mctx), writer));
+	TRY0(renderstat("TreeMemInUse", isc_mem_inuse(cache->mctx), writer));
+	TRY0(renderstat("TreeMemMax", isc_mem_maxinuse(cache->mctx), writer));
+
+	TRY0(renderstat("HeapMemTotal", isc_mem_total(cache->hmctx), writer));
+	TRY0(renderstat("HeapMemInUse", isc_mem_inuse(cache->hmctx), writer));
+	TRY0(renderstat("HeapMemMax", isc_mem_maxinuse(cache->hmctx), writer));
+error:
+	return (xmlrc);
+}
+#endif /* ifdef HAVE_LIBXML2 */
+
+#ifdef HAVE_JSON_C
+#define CHECKMEM(m)                              \
+	do {                                     \
+		if (m == NULL) {                 \
+			result = ISC_R_NOMEMORY; \
+			goto error;              \
+		}                                \
+	} while (0)
+
+isc_result_t
+dns_cache_renderjson(dns_cache_t *cache, void *cstats0) {
+	isc_result_t result = ISC_R_SUCCESS;
+	int indices[dns_cachestatscounter_max];
+	uint64_t values[dns_cachestatscounter_max];
+	json_object *obj;
+	json_object *cstats = (json_object *)cstats0;
+
+	REQUIRE(VALID_CACHE(cache));
+
+	getcounters(cache->stats, isc_statsformat_file,
+		    dns_cachestatscounter_max, indices, values);
+
+	obj = json_object_new_int64(values[dns_cachestatscounter_hits]);
+	CHECKMEM(obj);
+	json_object_object_add(cstats, "CacheHits", obj);
+
+	obj = json_object_new_int64(values[dns_cachestatscounter_misses]);
+	CHECKMEM(obj);
+	json_object_object_add(cstats, "CacheMisses", obj);
+
+	obj = json_object_new_int64(values[dns_cachestatscounter_queryhits]);
+	CHECKMEM(obj);
+	json_object_object_add(cstats, "QueryHits", obj);
+
+	obj = json_object_new_int64(values[dns_cachestatscounter_querymisses]);
+	CHECKMEM(obj);
+	json_object_object_add(cstats, "QueryMisses", obj);
+
+	obj = json_object_new_int64(values[dns_cachestatscounter_deletelru]);
+	CHECKMEM(obj);
+	json_object_object_add(cstats, "DeleteLRU", obj);
+
+	obj = json_object_new_int64(values[dns_cachestatscounter_deletettl]);
+	CHECKMEM(obj);
+	json_object_object_add(cstats, "DeleteTTL", obj);
+
+	obj = json_object_new_int64(dns_db_nodecount(cache->db));
+	CHECKMEM(obj);
+	json_object_object_add(cstats, "CacheNodes", obj);
+
+	obj = json_object_new_int64(dns_db_hashsize(cache->db));
+	CHECKMEM(obj);
+	json_object_object_add(cstats, "CacheBuckets", obj);
+
+	obj = json_object_new_int64(isc_mem_total(cache->mctx));
+	CHECKMEM(obj);
+	json_object_object_add(cstats, "TreeMemTotal", obj);
+
+	obj = json_object_new_int64(isc_mem_inuse(cache->mctx));
+	CHECKMEM(obj);
+	json_object_object_add(cstats, "TreeMemInUse", obj);
+
+	obj = json_object_new_int64(isc_mem_maxinuse(cache->mctx));
+	CHECKMEM(obj);
+	json_object_object_add(cstats, "TreeMemMax", obj);
+
+	obj = json_object_new_int64(isc_mem_total(cache->hmctx));
+	CHECKMEM(obj);
+	json_object_object_add(cstats, "HeapMemTotal", obj);
+
+	obj = json_object_new_int64(isc_mem_inuse(cache->hmctx));
+	CHECKMEM(obj);
+	json_object_object_add(cstats, "HeapMemInUse", obj);
+
+	obj = json_object_new_int64(isc_mem_maxinuse(cache->hmctx));
+	CHECKMEM(obj);
+	json_object_object_add(cstats, "HeapMemMax", obj);
+
+	result = ISC_R_SUCCESS;
+error:
+	return (result);
+}
+#endif /* ifdef HAVE_JSON_C */
diff --git a/lib/dns/callbacks.c b/lib/dns/callbacks.c
new file mode 100644
index 0000000..5200b72
--- /dev/null
+++ b/lib/dns/callbacks.c
@@ -0,0 +1,107 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <isc/print.h>
+#include <isc/util.h>
+
+#include <dns/callbacks.h>
+#include <dns/log.h>
+
+static void
+stdio_error_warn_callback(dns_rdatacallbacks_t *, const char *, ...)
+	ISC_FORMAT_PRINTF(2, 3);
+
+static void
+isclog_error_callback(dns_rdatacallbacks_t *callbacks, const char *fmt, ...)
+	ISC_FORMAT_PRINTF(2, 3);
+
+static void
+isclog_warn_callback(dns_rdatacallbacks_t *callbacks, const char *fmt, ...)
+	ISC_FORMAT_PRINTF(2, 3);
+
+/*
+ * Private
+ */
+
+static void
+stdio_error_warn_callback(dns_rdatacallbacks_t *callbacks, const char *fmt,
+			  ...) {
+	va_list ap;
+
+	UNUSED(callbacks);
+
+	va_start(ap, fmt);
+	vfprintf(stderr, fmt, ap);
+	va_end(ap);
+	fprintf(stderr, "\n");
+}
+
+static void
+isclog_error_callback(dns_rdatacallbacks_t *callbacks, const char *fmt, ...) {
+	va_list ap;
+
+	UNUSED(callbacks);
+
+	va_start(ap, fmt);
+	isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+		       DNS_LOGMODULE_MASTER, /* XXX */
+		       ISC_LOG_ERROR, fmt, ap);
+	va_end(ap);
+}
+
+static void
+isclog_warn_callback(dns_rdatacallbacks_t *callbacks, const char *fmt, ...) {
+	va_list ap;
+
+	UNUSED(callbacks);
+
+	va_start(ap, fmt);
+
+	isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+		       DNS_LOGMODULE_MASTER, /* XXX */
+		       ISC_LOG_WARNING, fmt, ap);
+	va_end(ap);
+}
+
+static void
+dns_rdatacallbacks_initcommon(dns_rdatacallbacks_t *callbacks) {
+	REQUIRE(callbacks != NULL);
+
+	callbacks->magic = DNS_CALLBACK_MAGIC;
+	callbacks->add = NULL;
+	callbacks->rawdata = NULL;
+	callbacks->zone = NULL;
+	callbacks->add_private = NULL;
+	callbacks->error_private = NULL;
+	callbacks->warn_private = NULL;
+}
+
+/*
+ * Public.
+ */
+
+void
+dns_rdatacallbacks_init(dns_rdatacallbacks_t *callbacks) {
+	dns_rdatacallbacks_initcommon(callbacks);
+	callbacks->error = isclog_error_callback;
+	callbacks->warn = isclog_warn_callback;
+}
+
+void
+dns_rdatacallbacks_init_stdio(dns_rdatacallbacks_t *callbacks) {
+	dns_rdatacallbacks_initcommon(callbacks);
+	callbacks->error = stdio_error_warn_callback;
+	callbacks->warn = stdio_error_warn_callback;
+}
diff --git a/lib/dns/catz.c b/lib/dns/catz.c
new file mode 100644
index 0000000..2c00d6e
--- /dev/null
+++ b/lib/dns/catz.c
@@ -0,0 +1,2105 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/hex.h>
+#include <isc/md.h>
+#include <isc/mem.h>
+#include <isc/parseint.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/task.h>
+#include <isc/util.h>
+
+#include <dns/catz.h>
+#include <dns/dbiterator.h>
+#include <dns/events.h>
+#include <dns/rdatasetiter.h>
+#include <dns/view.h>
+#include <dns/zone.h>
+
+#define DNS_CATZ_ZONE_MAGIC  ISC_MAGIC('c', 'a', 't', 'z')
+#define DNS_CATZ_ZONES_MAGIC ISC_MAGIC('c', 'a', 't', 's')
+#define DNS_CATZ_ENTRY_MAGIC ISC_MAGIC('c', 'a', 't', 'e')
+
+#define DNS_CATZ_ZONE_VALID(catz)   ISC_MAGIC_VALID(catz, DNS_CATZ_ZONE_MAGIC)
+#define DNS_CATZ_ZONES_VALID(catzs) ISC_MAGIC_VALID(catzs, DNS_CATZ_ZONES_MAGIC)
+#define DNS_CATZ_ENTRY_VALID(entry) ISC_MAGIC_VALID(entry, DNS_CATZ_ENTRY_MAGIC)
+
+/*%
+ * Single member zone in a catalog
+ */
+struct dns_catz_entry {
+	unsigned int magic;
+	dns_name_t name;
+	dns_catz_options_t opts;
+	isc_refcount_t refs;
+};
+
+/*%
+ * Catalog zone
+ */
+struct dns_catz_zone {
+	unsigned int magic;
+	dns_name_t name;
+	dns_catz_zones_t *catzs;
+	dns_rdata_t soa;
+	/* key in entries is 'mhash', not domain name! */
+	isc_ht_t *entries;
+	/*
+	 * defoptions are taken from named.conf
+	 * zoneoptions are global options from zone
+	 */
+	dns_catz_options_t defoptions;
+	dns_catz_options_t zoneoptions;
+	isc_time_t lastupdated;
+	bool updatepending;
+	uint32_t version;
+
+	dns_db_t *db;
+	dns_dbversion_t *dbversion;
+
+	isc_timer_t *updatetimer;
+	isc_event_t updateevent;
+
+	bool active;
+	bool db_registered;
+
+	isc_refcount_t refs;
+};
+
+static isc_result_t
+catz_process_zones_entry(dns_catz_zone_t *zone, dns_rdataset_t *value,
+			 dns_label_t *mhash);
+static isc_result_t
+catz_process_zones_suboption(dns_catz_zone_t *zone, dns_rdataset_t *value,
+			     dns_label_t *mhash, dns_name_t *name);
+static void
+catz_entry_add_or_mod(dns_catz_zone_t *target, isc_ht_t *ht, unsigned char *key,
+		      size_t keysize, dns_catz_entry_t *nentry,
+		      dns_catz_entry_t *oentry, const char *msg,
+		      const char *zname, const char *czname);
+
+/*%
+ * Collection of catalog zones for a view
+ */
+struct dns_catz_zones {
+	unsigned int magic;
+	isc_ht_t *zones;
+	isc_mem_t *mctx;
+	isc_refcount_t refs;
+	isc_mutex_t lock;
+	dns_catz_zonemodmethods_t *zmm;
+	isc_taskmgr_t *taskmgr;
+	isc_timermgr_t *timermgr;
+	dns_view_t *view;
+	isc_task_t *updater;
+};
+
+void
+dns_catz_options_init(dns_catz_options_t *options) {
+	REQUIRE(options != NULL);
+
+	dns_ipkeylist_init(&options->masters);
+
+	options->allow_query = NULL;
+	options->allow_transfer = NULL;
+
+	options->allow_query = NULL;
+	options->allow_transfer = NULL;
+
+	options->in_memory = false;
+	options->min_update_interval = 5;
+	options->zonedir = NULL;
+}
+
+void
+dns_catz_options_free(dns_catz_options_t *options, isc_mem_t *mctx) {
+	REQUIRE(options != NULL);
+	REQUIRE(mctx != NULL);
+
+	if (options->masters.count != 0) {
+		dns_ipkeylist_clear(mctx, &options->masters);
+	}
+	if (options->zonedir != NULL) {
+		isc_mem_free(mctx, options->zonedir);
+		options->zonedir = NULL;
+	}
+	if (options->allow_query != NULL) {
+		isc_buffer_free(&options->allow_query);
+	}
+	if (options->allow_transfer != NULL) {
+		isc_buffer_free(&options->allow_transfer);
+	}
+}
+
+isc_result_t
+dns_catz_options_copy(isc_mem_t *mctx, const dns_catz_options_t *src,
+		      dns_catz_options_t *dst) {
+	REQUIRE(mctx != NULL);
+	REQUIRE(src != NULL);
+	REQUIRE(dst != NULL);
+	REQUIRE(dst->masters.count == 0);
+	REQUIRE(dst->allow_query == NULL);
+	REQUIRE(dst->allow_transfer == NULL);
+
+	if (src->masters.count != 0) {
+		dns_ipkeylist_copy(mctx, &src->masters, &dst->masters);
+	}
+
+	if (dst->zonedir != NULL) {
+		isc_mem_free(mctx, dst->zonedir);
+		dst->zonedir = NULL;
+	}
+
+	if (src->zonedir != NULL) {
+		dst->zonedir = isc_mem_strdup(mctx, src->zonedir);
+	}
+
+	if (src->allow_query != NULL) {
+		isc_buffer_dup(mctx, &dst->allow_query, src->allow_query);
+	}
+
+	if (src->allow_transfer != NULL) {
+		isc_buffer_dup(mctx, &dst->allow_transfer, src->allow_transfer);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_catz_options_setdefault(isc_mem_t *mctx, const dns_catz_options_t *defaults,
+			    dns_catz_options_t *opts) {
+	REQUIRE(mctx != NULL);
+	REQUIRE(defaults != NULL);
+	REQUIRE(opts != NULL);
+
+	if (opts->masters.count == 0 && defaults->masters.count != 0) {
+		dns_ipkeylist_copy(mctx, &defaults->masters, &opts->masters);
+	}
+
+	if (defaults->zonedir != NULL) {
+		opts->zonedir = isc_mem_strdup(mctx, defaults->zonedir);
+	}
+
+	if (opts->allow_query == NULL && defaults->allow_query != NULL) {
+		isc_buffer_dup(mctx, &opts->allow_query, defaults->allow_query);
+	}
+	if (opts->allow_transfer == NULL && defaults->allow_transfer != NULL) {
+		isc_buffer_dup(mctx, &opts->allow_transfer,
+			       defaults->allow_transfer);
+	}
+
+	/* This option is always taken from config, so it's always 'default' */
+	opts->in_memory = defaults->in_memory;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_catz_entry_new(isc_mem_t *mctx, const dns_name_t *domain,
+		   dns_catz_entry_t **nentryp) {
+	dns_catz_entry_t *nentry;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(nentryp != NULL && *nentryp == NULL);
+
+	nentry = isc_mem_get(mctx, sizeof(dns_catz_entry_t));
+
+	dns_name_init(&nentry->name, NULL);
+	if (domain != NULL) {
+		dns_name_dup(domain, mctx, &nentry->name);
+	}
+
+	dns_catz_options_init(&nentry->opts);
+	isc_refcount_init(&nentry->refs, 1);
+	nentry->magic = DNS_CATZ_ENTRY_MAGIC;
+	*nentryp = nentry;
+	return (ISC_R_SUCCESS);
+}
+
+dns_name_t *
+dns_catz_entry_getname(dns_catz_entry_t *entry) {
+	REQUIRE(DNS_CATZ_ENTRY_VALID(entry));
+	return (&entry->name);
+}
+
+isc_result_t
+dns_catz_entry_copy(dns_catz_zone_t *zone, const dns_catz_entry_t *entry,
+		    dns_catz_entry_t **nentryp) {
+	isc_result_t result;
+	dns_catz_entry_t *nentry = NULL;
+
+	REQUIRE(DNS_CATZ_ZONE_VALID(zone));
+	REQUIRE(DNS_CATZ_ENTRY_VALID(entry));
+	REQUIRE(nentryp != NULL && *nentryp == NULL);
+
+	result = dns_catz_entry_new(zone->catzs->mctx, &entry->name, &nentry);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = dns_catz_options_copy(zone->catzs->mctx, &entry->opts,
+				       &nentry->opts);
+	if (result != ISC_R_SUCCESS) {
+		dns_catz_entry_detach(zone, &nentry);
+	}
+
+	*nentryp = nentry;
+	return (result);
+}
+
+void
+dns_catz_entry_attach(dns_catz_entry_t *entry, dns_catz_entry_t **entryp) {
+	REQUIRE(DNS_CATZ_ENTRY_VALID(entry));
+	REQUIRE(entryp != NULL && *entryp == NULL);
+
+	isc_refcount_increment(&entry->refs);
+	*entryp = entry;
+}
+
+void
+dns_catz_entry_detach(dns_catz_zone_t *zone, dns_catz_entry_t **entryp) {
+	dns_catz_entry_t *entry;
+
+	REQUIRE(DNS_CATZ_ZONE_VALID(zone));
+	REQUIRE(entryp != NULL);
+	entry = *entryp;
+	*entryp = NULL;
+	REQUIRE(DNS_CATZ_ENTRY_VALID(entry));
+
+	if (isc_refcount_decrement(&entry->refs) == 1) {
+		isc_mem_t *mctx = zone->catzs->mctx;
+		entry->magic = 0;
+		isc_refcount_destroy(&entry->refs);
+		dns_catz_options_free(&entry->opts, mctx);
+		if (dns_name_dynamic(&entry->name)) {
+			dns_name_free(&entry->name, mctx);
+		}
+		isc_mem_put(mctx, entry, sizeof(dns_catz_entry_t));
+	}
+}
+
+bool
+dns_catz_entry_validate(const dns_catz_entry_t *entry) {
+	REQUIRE(DNS_CATZ_ENTRY_VALID(entry));
+	UNUSED(entry);
+
+	return (true);
+}
+
+bool
+dns_catz_entry_cmp(const dns_catz_entry_t *ea, const dns_catz_entry_t *eb) {
+	isc_region_t ra, rb;
+
+	REQUIRE(DNS_CATZ_ENTRY_VALID(ea));
+	REQUIRE(DNS_CATZ_ENTRY_VALID(eb));
+
+	if (ea == eb) {
+		return (true);
+	}
+
+	if (ea->opts.masters.count != eb->opts.masters.count) {
+		return (false);
+	}
+
+	if (memcmp(ea->opts.masters.addrs, eb->opts.masters.addrs,
+		   ea->opts.masters.count * sizeof(isc_sockaddr_t)))
+	{
+		return (false);
+	}
+
+	for (size_t i = 0; i < eb->opts.masters.count; i++) {
+		if ((ea->opts.masters.keys[i] == NULL) !=
+		    (eb->opts.masters.keys[i] == NULL))
+		{
+			return (false);
+		}
+		if (ea->opts.masters.keys[i] == NULL) {
+			continue;
+		}
+		if (!dns_name_equal(ea->opts.masters.keys[i],
+				    eb->opts.masters.keys[i]))
+		{
+			return (false);
+		}
+	}
+
+	/* If one is NULL and the other isn't, the entries don't match */
+	if ((ea->opts.allow_query == NULL) != (eb->opts.allow_query == NULL)) {
+		return (false);
+	}
+
+	/* If one is non-NULL, then they both are */
+	if (ea->opts.allow_query != NULL) {
+		isc_buffer_usedregion(ea->opts.allow_query, &ra);
+		isc_buffer_usedregion(eb->opts.allow_query, &rb);
+		if (isc_region_compare(&ra, &rb)) {
+			return (false);
+		}
+	}
+
+	/* Repeat the above checks with allow_transfer */
+	if ((ea->opts.allow_transfer == NULL) !=
+	    (eb->opts.allow_transfer == NULL))
+	{
+		return (false);
+	}
+
+	if (ea->opts.allow_transfer != NULL) {
+		isc_buffer_usedregion(ea->opts.allow_transfer, &ra);
+		isc_buffer_usedregion(eb->opts.allow_transfer, &rb);
+		if (isc_region_compare(&ra, &rb)) {
+			return (false);
+		}
+	}
+
+	/* xxxwpk TODO compare dscps! */
+	return (true);
+}
+
+dns_name_t *
+dns_catz_zone_getname(dns_catz_zone_t *zone) {
+	REQUIRE(DNS_CATZ_ZONE_VALID(zone));
+
+	return (&zone->name);
+}
+
+dns_catz_options_t *
+dns_catz_zone_getdefoptions(dns_catz_zone_t *zone) {
+	REQUIRE(DNS_CATZ_ZONE_VALID(zone));
+
+	return (&zone->defoptions);
+}
+
+void
+dns_catz_zone_resetdefoptions(dns_catz_zone_t *zone) {
+	REQUIRE(DNS_CATZ_ZONE_VALID(zone));
+
+	dns_catz_options_free(&zone->defoptions, zone->catzs->mctx);
+	dns_catz_options_init(&zone->defoptions);
+}
+
+isc_result_t
+dns_catz_zones_merge(dns_catz_zone_t *target, dns_catz_zone_t *newzone) {
+	isc_result_t result;
+	isc_ht_iter_t *iter1 = NULL, *iter2 = NULL;
+	isc_ht_iter_t *iteradd = NULL, *itermod = NULL;
+	isc_ht_t *toadd = NULL, *tomod = NULL;
+	bool delcur = false;
+	char czname[DNS_NAME_FORMATSIZE];
+	char zname[DNS_NAME_FORMATSIZE];
+	dns_catz_zoneop_fn_t addzone, modzone, delzone;
+
+	REQUIRE(DNS_CATZ_ZONE_VALID(newzone));
+	REQUIRE(DNS_CATZ_ZONE_VALID(target));
+
+	/* TODO verify the new zone first! */
+
+	addzone = target->catzs->zmm->addzone;
+	modzone = target->catzs->zmm->modzone;
+	delzone = target->catzs->zmm->delzone;
+
+	/* Copy zoneoptions from newzone into target. */
+
+	dns_catz_options_free(&target->zoneoptions, target->catzs->mctx);
+	dns_catz_options_copy(target->catzs->mctx, &newzone->zoneoptions,
+			      &target->zoneoptions);
+	dns_catz_options_setdefault(target->catzs->mctx, &target->defoptions,
+				    &target->zoneoptions);
+
+	dns_name_format(&target->name, czname, DNS_NAME_FORMATSIZE);
+
+	isc_ht_init(&toadd, target->catzs->mctx, 16);
+
+	isc_ht_init(&tomod, target->catzs->mctx, 16);
+
+	isc_ht_iter_create(newzone->entries, &iter1);
+
+	isc_ht_iter_create(target->entries, &iter2);
+
+	/*
+	 * We can create those iterators now, even though toadd and tomod are
+	 * empty
+	 */
+	isc_ht_iter_create(toadd, &iteradd);
+
+	isc_ht_iter_create(tomod, &itermod);
+
+	/*
+	 * First - walk the new zone and find all nodes that are not in the
+	 * old zone, or are in both zones and are modified.
+	 */
+	for (result = isc_ht_iter_first(iter1); result == ISC_R_SUCCESS;
+	     result = delcur ? isc_ht_iter_delcurrent_next(iter1)
+			     : isc_ht_iter_next(iter1))
+	{
+		dns_catz_entry_t *nentry = NULL;
+		dns_catz_entry_t *oentry = NULL;
+		dns_zone_t *zone = NULL;
+		unsigned char *key = NULL;
+		size_t keysize;
+		delcur = false;
+
+		isc_ht_iter_current(iter1, (void **)&nentry);
+		isc_ht_iter_currentkey(iter1, &key, &keysize);
+
+		/*
+		 * Spurious record that came from suboption without main
+		 * record, removed.
+		 * xxxwpk: make it a separate verification phase?
+		 */
+		if (dns_name_countlabels(&nentry->name) == 0) {
+			dns_catz_entry_detach(newzone, &nentry);
+			delcur = true;
+			continue;
+		}
+
+		dns_name_format(&nentry->name, zname, DNS_NAME_FORMATSIZE);
+
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTER, ISC_LOG_DEBUG(3),
+			      "catz: iterating over '%s' from catalog '%s'",
+			      zname, czname);
+		dns_catz_options_setdefault(target->catzs->mctx,
+					    &target->zoneoptions,
+					    &nentry->opts);
+
+		result = isc_ht_find(target->entries, key, (uint32_t)keysize,
+				     (void **)&oentry);
+		if (result != ISC_R_SUCCESS) {
+			catz_entry_add_or_mod(target, toadd, key, keysize,
+					      nentry, NULL, "adding", zname,
+					      czname);
+			continue;
+		}
+
+		result = dns_zt_find(target->catzs->view->zonetable,
+				     dns_catz_entry_getname(nentry), 0, NULL,
+				     &zone);
+		if (result != ISC_R_SUCCESS) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_MASTER, ISC_LOG_DEBUG(3),
+				      "catz: zone '%s' was expected to exist "
+				      "but can not be found, will be restored",
+				      zname);
+			catz_entry_add_or_mod(target, toadd, key, keysize,
+					      nentry, oentry, "adding", zname,
+					      czname);
+			continue;
+		}
+		dns_zone_detach(&zone);
+
+		if (dns_catz_entry_cmp(oentry, nentry) != true) {
+			catz_entry_add_or_mod(target, tomod, key, keysize,
+					      nentry, oentry, "modifying",
+					      zname, czname);
+			continue;
+		}
+
+		/*
+		 * Delete the old entry so that it won't accidentally be
+		 * removed as a non-existing entry below.
+		 */
+		dns_catz_entry_detach(target, &oentry);
+		result = isc_ht_delete(target->entries, key, (uint32_t)keysize);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	}
+	RUNTIME_CHECK(result == ISC_R_NOMORE);
+	isc_ht_iter_destroy(&iter1);
+
+	/*
+	 * Then - walk the old zone; only deleted entries should remain.
+	 */
+	for (result = isc_ht_iter_first(iter2); result == ISC_R_SUCCESS;
+	     result = isc_ht_iter_delcurrent_next(iter2))
+	{
+		dns_catz_entry_t *entry = NULL;
+		isc_ht_iter_current(iter2, (void **)&entry);
+
+		dns_name_format(&entry->name, zname, DNS_NAME_FORMATSIZE);
+		result = delzone(entry, target, target->catzs->view,
+				 target->catzs->taskmgr,
+				 target->catzs->zmm->udata);
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTER, ISC_LOG_INFO,
+			      "catz: deleting zone '%s' from catalog '%s' - %s",
+			      zname, czname, isc_result_totext(result));
+		dns_catz_entry_detach(target, &entry);
+	}
+	RUNTIME_CHECK(result == ISC_R_NOMORE);
+	isc_ht_iter_destroy(&iter2);
+	/* At this moment target->entries has to be be empty. */
+	INSIST(isc_ht_count(target->entries) == 0);
+	isc_ht_destroy(&target->entries);
+
+	for (result = isc_ht_iter_first(iteradd); result == ISC_R_SUCCESS;
+	     result = isc_ht_iter_delcurrent_next(iteradd))
+	{
+		dns_catz_entry_t *entry = NULL;
+		isc_ht_iter_current(iteradd, (void **)&entry);
+
+		dns_name_format(&entry->name, zname, DNS_NAME_FORMATSIZE);
+		result = addzone(entry, target, target->catzs->view,
+				 target->catzs->taskmgr,
+				 target->catzs->zmm->udata);
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTER, ISC_LOG_INFO,
+			      "catz: adding zone '%s' from catalog "
+			      "'%s' - %s",
+			      zname, czname, isc_result_totext(result));
+	}
+
+	for (result = isc_ht_iter_first(itermod); result == ISC_R_SUCCESS;
+	     result = isc_ht_iter_delcurrent_next(itermod))
+	{
+		dns_catz_entry_t *entry = NULL;
+		isc_ht_iter_current(itermod, (void **)&entry);
+
+		dns_name_format(&entry->name, zname, DNS_NAME_FORMATSIZE);
+		result = modzone(entry, target, target->catzs->view,
+				 target->catzs->taskmgr,
+				 target->catzs->zmm->udata);
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTER, ISC_LOG_INFO,
+			      "catz: modifying zone '%s' from catalog "
+			      "'%s' - %s",
+			      zname, czname, isc_result_totext(result));
+	}
+
+	target->entries = newzone->entries;
+	newzone->entries = NULL;
+
+	result = ISC_R_SUCCESS;
+
+	isc_ht_iter_destroy(&iteradd);
+	isc_ht_iter_destroy(&itermod);
+	isc_ht_destroy(&toadd);
+	isc_ht_destroy(&tomod);
+
+	return (result);
+}
+
+isc_result_t
+dns_catz_new_zones(dns_catz_zones_t **catzsp, dns_catz_zonemodmethods_t *zmm,
+		   isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
+		   isc_timermgr_t *timermgr) {
+	dns_catz_zones_t *new_zones;
+	isc_result_t result;
+
+	REQUIRE(catzsp != NULL && *catzsp == NULL);
+	REQUIRE(zmm != NULL);
+
+	new_zones = isc_mem_get(mctx, sizeof(*new_zones));
+	memset(new_zones, 0, sizeof(*new_zones));
+
+	isc_mutex_init(&new_zones->lock);
+
+	isc_refcount_init(&new_zones->refs, 1);
+
+	isc_ht_init(&new_zones->zones, mctx, 4);
+
+	isc_mem_attach(mctx, &new_zones->mctx);
+	new_zones->zmm = zmm;
+	new_zones->timermgr = timermgr;
+	new_zones->taskmgr = taskmgr;
+
+	result = isc_task_create(taskmgr, 0, &new_zones->updater);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_ht;
+	}
+	new_zones->magic = DNS_CATZ_ZONES_MAGIC;
+
+	*catzsp = new_zones;
+	return (ISC_R_SUCCESS);
+
+cleanup_ht:
+	isc_ht_destroy(&new_zones->zones);
+	isc_refcount_destroy(&new_zones->refs);
+	isc_mutex_destroy(&new_zones->lock);
+	isc_mem_putanddetach(&new_zones->mctx, new_zones, sizeof(*new_zones));
+
+	return (result);
+}
+
+void
+dns_catz_catzs_set_view(dns_catz_zones_t *catzs, dns_view_t *view) {
+	REQUIRE(DNS_CATZ_ZONES_VALID(catzs));
+	REQUIRE(DNS_VIEW_VALID(view));
+	/* Either it's a new one or it's being reconfigured. */
+	REQUIRE(catzs->view == NULL || !strcmp(catzs->view->name, view->name));
+
+	catzs->view = view;
+}
+
+isc_result_t
+dns_catz_new_zone(dns_catz_zones_t *catzs, dns_catz_zone_t **zonep,
+		  const dns_name_t *name) {
+	isc_result_t result;
+	dns_catz_zone_t *new_zone;
+
+	REQUIRE(DNS_CATZ_ZONES_VALID(catzs));
+	REQUIRE(zonep != NULL && *zonep == NULL);
+	REQUIRE(ISC_MAGIC_VALID(name, DNS_NAME_MAGIC));
+
+	new_zone = isc_mem_get(catzs->mctx, sizeof(*new_zone));
+
+	memset(new_zone, 0, sizeof(*new_zone));
+
+	dns_name_init(&new_zone->name, NULL);
+	dns_name_dup(name, catzs->mctx, &new_zone->name);
+
+	isc_ht_init(&new_zone->entries, catzs->mctx, 16);
+
+	new_zone->updatetimer = NULL;
+	result = isc_timer_create(catzs->timermgr, isc_timertype_inactive, NULL,
+				  NULL, catzs->updater,
+				  dns_catz_update_taskaction, new_zone,
+				  &new_zone->updatetimer);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_ht;
+	}
+
+	isc_time_settoepoch(&new_zone->lastupdated);
+	new_zone->updatepending = false;
+	new_zone->db = NULL;
+	new_zone->dbversion = NULL;
+	new_zone->catzs = catzs;
+	dns_catz_options_init(&new_zone->defoptions);
+	dns_catz_options_init(&new_zone->zoneoptions);
+	new_zone->active = true;
+	new_zone->db_registered = false;
+	new_zone->version = (uint32_t)(-1);
+	isc_refcount_init(&new_zone->refs, 1);
+	new_zone->magic = DNS_CATZ_ZONE_MAGIC;
+
+	*zonep = new_zone;
+
+	return (ISC_R_SUCCESS);
+
+cleanup_ht:
+	isc_ht_destroy(&new_zone->entries);
+	dns_name_free(&new_zone->name, catzs->mctx);
+	isc_mem_put(catzs->mctx, new_zone, sizeof(*new_zone));
+
+	return (result);
+}
+
+isc_result_t
+dns_catz_add_zone(dns_catz_zones_t *catzs, const dns_name_t *name,
+		  dns_catz_zone_t **zonep) {
+	dns_catz_zone_t *new_zone = NULL;
+	isc_result_t result, tresult;
+	char zname[DNS_NAME_FORMATSIZE];
+
+	REQUIRE(DNS_CATZ_ZONES_VALID(catzs));
+	REQUIRE(ISC_MAGIC_VALID(name, DNS_NAME_MAGIC));
+	REQUIRE(zonep != NULL && *zonep == NULL);
+
+	dns_name_format(name, zname, DNS_NAME_FORMATSIZE);
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_MASTER,
+		      ISC_LOG_DEBUG(3), "catz: dns_catz_add_zone %s", zname);
+
+	LOCK(&catzs->lock);
+
+	result = dns_catz_new_zone(catzs, &new_zone, name);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	result = isc_ht_add(catzs->zones, new_zone->name.ndata,
+			    new_zone->name.length, new_zone);
+	if (result != ISC_R_SUCCESS) {
+		dns_catz_zone_detach(&new_zone);
+		if (result != ISC_R_EXISTS) {
+			goto cleanup;
+		}
+	}
+
+	if (result == ISC_R_EXISTS) {
+		tresult = isc_ht_find(catzs->zones, name->ndata, name->length,
+				      (void **)&new_zone);
+		INSIST(tresult == ISC_R_SUCCESS && !new_zone->active);
+		new_zone->active = true;
+	}
+
+	*zonep = new_zone;
+
+cleanup:
+	UNLOCK(&catzs->lock);
+
+	return (result);
+}
+
+dns_catz_zone_t *
+dns_catz_get_zone(dns_catz_zones_t *catzs, const dns_name_t *name) {
+	isc_result_t result;
+	dns_catz_zone_t *found = NULL;
+
+	REQUIRE(DNS_CATZ_ZONES_VALID(catzs));
+	REQUIRE(ISC_MAGIC_VALID(name, DNS_NAME_MAGIC));
+
+	LOCK(&catzs->lock);
+	result = isc_ht_find(catzs->zones, name->ndata, name->length,
+			     (void **)&found);
+	UNLOCK(&catzs->lock);
+	if (result != ISC_R_SUCCESS) {
+		return (NULL);
+	}
+
+	return (found);
+}
+
+void
+dns_catz_catzs_attach(dns_catz_zones_t *catzs, dns_catz_zones_t **catzsp) {
+	REQUIRE(DNS_CATZ_ZONES_VALID(catzs));
+	REQUIRE(catzsp != NULL && *catzsp == NULL);
+
+	isc_refcount_increment(&catzs->refs);
+	*catzsp = catzs;
+}
+
+void
+dns_catz_zone_attach(dns_catz_zone_t *zone, dns_catz_zone_t **zonep) {
+	REQUIRE(zonep != NULL && *zonep == NULL);
+
+	isc_refcount_increment(&zone->refs);
+	*zonep = zone;
+}
+
+void
+dns_catz_zone_detach(dns_catz_zone_t **zonep) {
+	REQUIRE(zonep != NULL && *zonep != NULL);
+	dns_catz_zone_t *zone = *zonep;
+	*zonep = NULL;
+
+	if (isc_refcount_decrement(&zone->refs) == 1) {
+		isc_mem_t *mctx = zone->catzs->mctx;
+		isc_refcount_destroy(&zone->refs);
+		if (zone->entries != NULL) {
+			isc_ht_iter_t *iter = NULL;
+			isc_result_t result;
+			isc_ht_iter_create(zone->entries, &iter);
+			for (result = isc_ht_iter_first(iter);
+			     result == ISC_R_SUCCESS;
+			     result = isc_ht_iter_delcurrent_next(iter))
+			{
+				dns_catz_entry_t *entry = NULL;
+
+				isc_ht_iter_current(iter, (void **)&entry);
+				dns_catz_entry_detach(zone, &entry);
+			}
+			INSIST(result == ISC_R_NOMORE);
+			isc_ht_iter_destroy(&iter);
+
+			/* The hashtable has to be empty now. */
+			INSIST(isc_ht_count(zone->entries) == 0);
+			isc_ht_destroy(&zone->entries);
+		}
+		zone->magic = 0;
+		isc_timer_destroy(&zone->updatetimer);
+		if (zone->db_registered) {
+			dns_db_updatenotify_unregister(
+				zone->db, dns_catz_dbupdate_callback,
+				zone->catzs);
+		}
+		if (zone->dbversion) {
+			dns_db_closeversion(zone->db, &zone->dbversion, false);
+		}
+		if (zone->db != NULL) {
+			dns_db_detach(&zone->db);
+		}
+
+		dns_name_free(&zone->name, mctx);
+		dns_catz_options_free(&zone->defoptions, mctx);
+		dns_catz_options_free(&zone->zoneoptions, mctx);
+
+		zone->catzs = NULL;
+		isc_mem_put(mctx, zone, sizeof(dns_catz_zone_t));
+	}
+}
+
+void
+dns_catz_catzs_detach(dns_catz_zones_t **catzsp) {
+	dns_catz_zones_t *catzs;
+
+	REQUIRE(catzsp != NULL && DNS_CATZ_ZONES_VALID(*catzsp));
+
+	catzs = *catzsp;
+	*catzsp = NULL;
+
+	if (isc_refcount_decrement(&catzs->refs) == 1) {
+		catzs->magic = 0;
+		isc_task_destroy(&catzs->updater);
+		isc_mutex_destroy(&catzs->lock);
+		if (catzs->zones != NULL) {
+			isc_ht_iter_t *iter = NULL;
+			isc_result_t result;
+			isc_ht_iter_create(catzs->zones, &iter);
+			for (result = isc_ht_iter_first(iter);
+			     result == ISC_R_SUCCESS;)
+			{
+				dns_catz_zone_t *zone = NULL;
+				isc_ht_iter_current(iter, (void **)&zone);
+				result = isc_ht_iter_delcurrent_next(iter);
+				dns_catz_zone_detach(&zone);
+			}
+			INSIST(result == ISC_R_NOMORE);
+			isc_ht_iter_destroy(&iter);
+			INSIST(isc_ht_count(catzs->zones) == 0);
+			isc_ht_destroy(&catzs->zones);
+		}
+		isc_refcount_destroy(&catzs->refs);
+		isc_mem_putanddetach(&catzs->mctx, catzs, sizeof(*catzs));
+	}
+}
+
+typedef enum {
+	CATZ_OPT_NONE,
+	CATZ_OPT_ZONES,
+	CATZ_OPT_MASTERS,
+	CATZ_OPT_ALLOW_QUERY,
+	CATZ_OPT_ALLOW_TRANSFER,
+	CATZ_OPT_VERSION,
+} catz_opt_t;
+
+static bool
+catz_opt_cmp(const dns_label_t *option, const char *opt) {
+	unsigned int l = strlen(opt);
+	if (option->length - 1 == l &&
+	    memcmp(opt, option->base + 1, l - 1) == 0)
+	{
+		return (true);
+	} else {
+		return (false);
+	}
+}
+
+static catz_opt_t
+catz_get_option(const dns_label_t *option) {
+	if (catz_opt_cmp(option, "zones")) {
+		return (CATZ_OPT_ZONES);
+	} else if (catz_opt_cmp(option, "masters")) {
+		return (CATZ_OPT_MASTERS);
+	} else if (catz_opt_cmp(option, "allow-query")) {
+		return (CATZ_OPT_ALLOW_QUERY);
+	} else if (catz_opt_cmp(option, "allow-transfer")) {
+		return (CATZ_OPT_ALLOW_TRANSFER);
+	} else if (catz_opt_cmp(option, "version")) {
+		return (CATZ_OPT_VERSION);
+	} else {
+		return (CATZ_OPT_NONE);
+	}
+}
+
+static isc_result_t
+catz_process_zones(dns_catz_zone_t *zone, dns_rdataset_t *value,
+		   dns_name_t *name) {
+	dns_label_t mhash;
+	dns_name_t opt;
+
+	REQUIRE(DNS_CATZ_ZONE_VALID(zone));
+	REQUIRE(DNS_RDATASET_VALID(value));
+	REQUIRE(ISC_MAGIC_VALID(name, DNS_NAME_MAGIC));
+
+	if (value->rdclass != dns_rdataclass_in) {
+		return (ISC_R_FAILURE);
+	}
+
+	if (name->labels == 0) {
+		return (ISC_R_FAILURE);
+	}
+
+	dns_name_getlabel(name, name->labels - 1, &mhash);
+
+	if (name->labels == 1) {
+		return (catz_process_zones_entry(zone, value, &mhash));
+	} else {
+		dns_name_init(&opt, NULL);
+		dns_name_split(name, 1, &opt, NULL);
+		return (catz_process_zones_suboption(zone, value, &mhash,
+						     &opt));
+	}
+}
+
+static isc_result_t
+catz_process_zones_entry(dns_catz_zone_t *zone, dns_rdataset_t *value,
+			 dns_label_t *mhash) {
+	isc_result_t result;
+	dns_rdata_t rdata;
+	dns_rdata_ptr_t ptr;
+	dns_catz_entry_t *entry = NULL;
+
+	/*
+	 * We only take -first- value, as mhash must be
+	 * different.
+	 */
+	if (value->type != dns_rdatatype_ptr) {
+		return (ISC_R_FAILURE);
+	}
+
+	result = dns_rdataset_first(value);
+	if (result != ISC_R_SUCCESS) {
+		return (ISC_R_FAILURE);
+	}
+
+	dns_rdata_init(&rdata);
+	dns_rdataset_current(value, &rdata);
+
+	result = dns_rdata_tostruct(&rdata, &ptr, NULL);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	result = isc_ht_find(zone->entries, mhash->base, mhash->length,
+			     (void **)&entry);
+	if (result == ISC_R_SUCCESS) {
+		if (dns_name_countlabels(&entry->name) != 0) {
+			/* We have a duplicate. */
+			dns_rdata_freestruct(&ptr);
+			return (ISC_R_FAILURE);
+		} else {
+			dns_name_dup(&ptr.ptr, zone->catzs->mctx, &entry->name);
+		}
+	} else {
+		result = dns_catz_entry_new(zone->catzs->mctx, &ptr.ptr,
+					    &entry);
+		if (result != ISC_R_SUCCESS) {
+			dns_rdata_freestruct(&ptr);
+			return (result);
+		}
+
+		result = isc_ht_add(zone->entries, mhash->base, mhash->length,
+				    entry);
+		if (result != ISC_R_SUCCESS) {
+			dns_rdata_freestruct(&ptr);
+			dns_catz_entry_detach(zone, &entry);
+			return (result);
+		}
+	}
+
+	dns_rdata_freestruct(&ptr);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+catz_process_version(dns_catz_zone_t *zone, dns_rdataset_t *value) {
+	isc_result_t result;
+	dns_rdata_t rdata;
+	dns_rdata_txt_t rdatatxt;
+	dns_rdata_txt_string_t rdatastr;
+	uint32_t tversion;
+	char t[16];
+
+	REQUIRE(DNS_CATZ_ZONE_VALID(zone));
+	REQUIRE(DNS_RDATASET_VALID(value));
+
+	if (value->rdclass != dns_rdataclass_in ||
+	    value->type != dns_rdatatype_txt)
+	{
+		return (ISC_R_FAILURE);
+	}
+
+	result = dns_rdataset_first(value);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	dns_rdata_init(&rdata);
+	dns_rdataset_current(value, &rdata);
+
+	result = dns_rdata_tostruct(&rdata, &rdatatxt, NULL);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	result = dns_rdata_txt_first(&rdatatxt);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	result = dns_rdata_txt_current(&rdatatxt, &rdatastr);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	result = dns_rdata_txt_next(&rdatatxt);
+	if (result != ISC_R_NOMORE) {
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+	if (rdatastr.length > 15) {
+		result = ISC_R_BADNUMBER;
+		goto cleanup;
+	}
+	memmove(t, rdatastr.data, rdatastr.length);
+	t[rdatastr.length] = 0;
+	result = isc_parse_uint32(&tversion, t, 10);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	zone->version = tversion;
+	result = ISC_R_SUCCESS;
+
+cleanup:
+	dns_rdata_freestruct(&rdatatxt);
+	return (result);
+}
+
+static isc_result_t
+catz_process_masters(dns_catz_zone_t *zone, dns_ipkeylist_t *ipkl,
+		     dns_rdataset_t *value, dns_name_t *name) {
+	isc_result_t result;
+	dns_rdata_t rdata;
+	dns_rdata_in_a_t rdata_a;
+	dns_rdata_in_aaaa_t rdata_aaaa;
+	dns_rdata_txt_t rdata_txt;
+	dns_rdata_txt_string_t rdatastr;
+	dns_name_t *keyname = NULL;
+	isc_mem_t *mctx;
+	char keycbuf[DNS_NAME_FORMATSIZE];
+	isc_buffer_t keybuf;
+	unsigned int rcount;
+	unsigned int i;
+
+	REQUIRE(DNS_CATZ_ZONE_VALID(zone));
+	REQUIRE(ipkl != NULL);
+	REQUIRE(DNS_RDATASET_VALID(value));
+	REQUIRE(dns_rdataset_isassociated(value));
+	REQUIRE(ISC_MAGIC_VALID(name, DNS_NAME_MAGIC));
+
+	mctx = zone->catzs->mctx;
+	memset(&rdata_a, 0, sizeof(rdata_a));
+	memset(&rdata_aaaa, 0, sizeof(rdata_aaaa));
+	memset(&rdata_txt, 0, sizeof(rdata_txt));
+	isc_buffer_init(&keybuf, keycbuf, sizeof(keycbuf));
+
+	/*
+	 * We have three possibilities here:
+	 * - either empty name and IN A/IN AAAA record
+	 * - label and IN A/IN AAAA
+	 * - label and IN TXT - TSIG key name
+	 */
+	if (value->rdclass != dns_rdataclass_in) {
+		return (ISC_R_FAILURE);
+	}
+
+	if (name->labels > 0) {
+		isc_sockaddr_t sockaddr;
+
+		/*
+		 * We're pre-preparing the data once, we'll put it into
+		 * the right spot in the masters array once we find it.
+		 */
+		result = dns_rdataset_first(value);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		dns_rdata_init(&rdata);
+		dns_rdataset_current(value, &rdata);
+		switch (value->type) {
+		case dns_rdatatype_a:
+			result = dns_rdata_tostruct(&rdata, &rdata_a, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			isc_sockaddr_fromin(&sockaddr, &rdata_a.in_addr, 0);
+			break;
+		case dns_rdatatype_aaaa:
+			result = dns_rdata_tostruct(&rdata, &rdata_aaaa, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			isc_sockaddr_fromin6(&sockaddr, &rdata_aaaa.in6_addr,
+					     0);
+			break;
+		case dns_rdatatype_txt:
+			result = dns_rdata_tostruct(&rdata, &rdata_txt, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+			result = dns_rdata_txt_first(&rdata_txt);
+			if (result != ISC_R_SUCCESS) {
+				return (result);
+			}
+
+			result = dns_rdata_txt_current(&rdata_txt, &rdatastr);
+			if (result != ISC_R_SUCCESS) {
+				return (result);
+			}
+
+			result = dns_rdata_txt_next(&rdata_txt);
+			if (result != ISC_R_NOMORE) {
+				return (ISC_R_FAILURE);
+			}
+
+			/* rdatastr.length < DNS_NAME_MAXTEXT */
+			keyname = isc_mem_get(mctx, sizeof(dns_name_t));
+			dns_name_init(keyname, 0);
+			memmove(keycbuf, rdatastr.data, rdatastr.length);
+			keycbuf[rdatastr.length] = 0;
+			result = dns_name_fromstring(keyname, keycbuf, 0, mctx);
+			if (result != ISC_R_SUCCESS) {
+				dns_name_free(keyname, mctx);
+				isc_mem_put(mctx, keyname, sizeof(dns_name_t));
+				return (result);
+			}
+			break;
+		default:
+			return (ISC_R_FAILURE);
+		}
+
+		/*
+		 * We have to find the appropriate labeled record in masters
+		 * if it exists.
+		 * In common case we'll have no more than 3-4 records here so
+		 * no optimization.
+		 */
+		for (i = 0; i < ipkl->count; i++) {
+			if (ipkl->labels[i] != NULL &&
+			    !dns_name_compare(name, ipkl->labels[i]))
+			{
+				break;
+			}
+		}
+
+		if (i < ipkl->count) { /* we have this record already */
+			if (value->type == dns_rdatatype_txt) {
+				ipkl->keys[i] = keyname;
+			} else { /* A/AAAA */
+				memmove(&ipkl->addrs[i], &sockaddr,
+					sizeof(isc_sockaddr_t));
+			}
+		} else {
+			result = dns_ipkeylist_resize(mctx, ipkl, i + 1);
+			if (result != ISC_R_SUCCESS) {
+				return (result);
+			}
+
+			ipkl->labels[i] = isc_mem_get(mctx, sizeof(dns_name_t));
+			dns_name_init(ipkl->labels[i], NULL);
+			dns_name_dup(name, mctx, ipkl->labels[i]);
+
+			if (value->type == dns_rdatatype_txt) {
+				ipkl->keys[i] = keyname;
+			} else { /* A/AAAA */
+				memmove(&ipkl->addrs[i], &sockaddr,
+					sizeof(isc_sockaddr_t));
+			}
+			ipkl->count++;
+		}
+		return (ISC_R_SUCCESS);
+	}
+	/* else - 'simple' case - without labels */
+
+	if (value->type != dns_rdatatype_a && value->type != dns_rdatatype_aaaa)
+	{
+		return (ISC_R_FAILURE);
+	}
+
+	rcount = dns_rdataset_count(value) + ipkl->count;
+
+	result = dns_ipkeylist_resize(mctx, ipkl, rcount);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	for (result = dns_rdataset_first(value); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(value))
+	{
+		dns_rdata_init(&rdata);
+		dns_rdataset_current(value, &rdata);
+		/*
+		 * port 0 == take the default
+		 */
+		if (value->type == dns_rdatatype_a) {
+			result = dns_rdata_tostruct(&rdata, &rdata_a, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			isc_sockaddr_fromin(&ipkl->addrs[ipkl->count],
+					    &rdata_a.in_addr, 0);
+		} else {
+			result = dns_rdata_tostruct(&rdata, &rdata_aaaa, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			isc_sockaddr_fromin6(&ipkl->addrs[ipkl->count],
+					     &rdata_aaaa.in6_addr, 0);
+		}
+		ipkl->keys[ipkl->count] = NULL;
+		ipkl->labels[ipkl->count] = NULL;
+		ipkl->count++;
+		dns_rdata_freestruct(&rdata_a);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+catz_process_apl(dns_catz_zone_t *zone, isc_buffer_t **aclbp,
+		 dns_rdataset_t *value) {
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_rdata_t rdata;
+	dns_rdata_in_apl_t rdata_apl;
+	dns_rdata_apl_ent_t apl_ent;
+	isc_netaddr_t addr;
+	isc_buffer_t *aclb = NULL;
+	unsigned char buf[256]; /* larger than INET6_ADDRSTRLEN */
+
+	REQUIRE(DNS_CATZ_ZONE_VALID(zone));
+	REQUIRE(aclbp != NULL);
+	REQUIRE(*aclbp == NULL);
+	REQUIRE(DNS_RDATASET_VALID(value));
+	REQUIRE(dns_rdataset_isassociated(value));
+
+	if (value->rdclass != dns_rdataclass_in ||
+	    value->type != dns_rdatatype_apl)
+	{
+		return (ISC_R_FAILURE);
+	}
+
+	if (dns_rdataset_count(value) > 1) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTER, ISC_LOG_WARNING,
+			      "catz: more than one APL entry for member zone, "
+			      "result is undefined");
+	}
+	result = dns_rdataset_first(value);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	dns_rdata_init(&rdata);
+	dns_rdataset_current(value, &rdata);
+	result = dns_rdata_tostruct(&rdata, &rdata_apl, zone->catzs->mctx);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	isc_buffer_allocate(zone->catzs->mctx, &aclb, 16);
+	isc_buffer_setautorealloc(aclb, true);
+	for (result = dns_rdata_apl_first(&rdata_apl); result == ISC_R_SUCCESS;
+	     result = dns_rdata_apl_next(&rdata_apl))
+	{
+		result = dns_rdata_apl_current(&rdata_apl, &apl_ent);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		memset(buf, 0, sizeof(buf));
+		if (apl_ent.data != NULL && apl_ent.length > 0) {
+			memmove(buf, apl_ent.data, apl_ent.length);
+		}
+		if (apl_ent.family == 1) {
+			isc_netaddr_fromin(&addr, (struct in_addr *)buf);
+		} else if (apl_ent.family == 2) {
+			isc_netaddr_fromin6(&addr, (struct in6_addr *)buf);
+		} else {
+			continue; /* xxxwpk log it or simply ignore? */
+		}
+		if (apl_ent.negative) {
+			isc_buffer_putuint8(aclb, '!');
+		}
+		isc_buffer_reserve(&aclb, INET6_ADDRSTRLEN);
+		result = isc_netaddr_totext(&addr, aclb);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		if ((apl_ent.family == 1 && apl_ent.prefix < 32) ||
+		    (apl_ent.family == 2 && apl_ent.prefix < 128))
+		{
+			isc_buffer_putuint8(aclb, '/');
+			isc_buffer_putdecint(aclb, apl_ent.prefix);
+		}
+		isc_buffer_putstr(aclb, "; ");
+	}
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+	} else {
+		goto cleanup;
+	}
+	*aclbp = aclb;
+	aclb = NULL;
+cleanup:
+	if (aclb != NULL) {
+		isc_buffer_free(&aclb);
+	}
+	dns_rdata_freestruct(&rdata_apl);
+	return (result);
+}
+
+static isc_result_t
+catz_process_zones_suboption(dns_catz_zone_t *zone, dns_rdataset_t *value,
+			     dns_label_t *mhash, dns_name_t *name) {
+	isc_result_t result;
+	dns_catz_entry_t *entry = NULL;
+	dns_label_t option;
+	dns_name_t prefix;
+	catz_opt_t opt;
+
+	REQUIRE(DNS_CATZ_ZONE_VALID(zone));
+	REQUIRE(mhash != NULL);
+	REQUIRE(DNS_RDATASET_VALID(value));
+	REQUIRE(ISC_MAGIC_VALID(name, DNS_NAME_MAGIC));
+
+	if (name->labels == 0) {
+		return (ISC_R_FAILURE);
+	}
+	dns_name_getlabel(name, name->labels - 1, &option);
+	opt = catz_get_option(&option);
+
+	/*
+	 * We're adding this entry now, in case the option is invalid we'll get
+	 * rid of it in verification phase.
+	 */
+	result = isc_ht_find(zone->entries, mhash->base, mhash->length,
+			     (void **)&entry);
+	if (result != ISC_R_SUCCESS) {
+		result = dns_catz_entry_new(zone->catzs->mctx, NULL, &entry);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		result = isc_ht_add(zone->entries, mhash->base, mhash->length,
+				    entry);
+		if (result != ISC_R_SUCCESS) {
+			dns_catz_entry_detach(zone, &entry);
+			return (result);
+		}
+	}
+
+	dns_name_init(&prefix, NULL);
+	dns_name_split(name, 1, &prefix, NULL);
+	switch (opt) {
+	case CATZ_OPT_MASTERS:
+		return (catz_process_masters(zone, &entry->opts.masters, value,
+					     &prefix));
+	case CATZ_OPT_ALLOW_QUERY:
+		if (prefix.labels != 0) {
+			return (ISC_R_FAILURE);
+		}
+		return (catz_process_apl(zone, &entry->opts.allow_query,
+					 value));
+	case CATZ_OPT_ALLOW_TRANSFER:
+		if (prefix.labels != 0) {
+			return (ISC_R_FAILURE);
+		}
+		return (catz_process_apl(zone, &entry->opts.allow_transfer,
+					 value));
+	default:
+		return (ISC_R_FAILURE);
+	}
+
+	return (ISC_R_FAILURE);
+}
+
+static void
+catz_entry_add_or_mod(dns_catz_zone_t *target, isc_ht_t *ht, unsigned char *key,
+		      size_t keysize, dns_catz_entry_t *nentry,
+		      dns_catz_entry_t *oentry, const char *msg,
+		      const char *zname, const char *czname) {
+	isc_result_t result = isc_ht_add(ht, key, (uint32_t)keysize, nentry);
+
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTER, ISC_LOG_ERROR,
+			      "catz: error %s zone '%s' from catalog '%s' - %s",
+			      msg, zname, czname, isc_result_totext(result));
+	}
+	if (oentry != NULL) {
+		dns_catz_entry_detach(target, &oentry);
+		result = isc_ht_delete(target->entries, key, (uint32_t)keysize);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	}
+}
+
+static isc_result_t
+catz_process_value(dns_catz_zone_t *zone, dns_name_t *name,
+		   dns_rdataset_t *rdataset) {
+	dns_label_t option;
+	dns_name_t prefix;
+	catz_opt_t opt;
+
+	REQUIRE(DNS_CATZ_ZONE_VALID(zone));
+	REQUIRE(ISC_MAGIC_VALID(name, DNS_NAME_MAGIC));
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+
+	dns_name_getlabel(name, name->labels - 1, &option);
+	opt = catz_get_option(&option);
+	dns_name_init(&prefix, NULL);
+	dns_name_split(name, 1, &prefix, NULL);
+	switch (opt) {
+	case CATZ_OPT_ZONES:
+		return (catz_process_zones(zone, rdataset, &prefix));
+	case CATZ_OPT_MASTERS:
+		return (catz_process_masters(zone, &zone->zoneoptions.masters,
+					     rdataset, &prefix));
+	case CATZ_OPT_ALLOW_QUERY:
+		if (prefix.labels != 0) {
+			return (ISC_R_FAILURE);
+		}
+		return (catz_process_apl(zone, &zone->zoneoptions.allow_query,
+					 rdataset));
+	case CATZ_OPT_ALLOW_TRANSFER:
+		if (prefix.labels != 0) {
+			return (ISC_R_FAILURE);
+		}
+		return (catz_process_apl(
+			zone, &zone->zoneoptions.allow_transfer, rdataset));
+	case CATZ_OPT_VERSION:
+		if (prefix.labels != 0) {
+			return (ISC_R_FAILURE);
+		}
+		return (catz_process_version(zone, rdataset));
+	default:
+		return (ISC_R_FAILURE);
+	}
+}
+
+isc_result_t
+dns_catz_update_process(dns_catz_zones_t *catzs, dns_catz_zone_t *zone,
+			const dns_name_t *src_name, dns_rdataset_t *rdataset) {
+	isc_result_t result;
+	int order;
+	unsigned int nlabels;
+	dns_namereln_t nrres;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_soa_t soa;
+	dns_name_t prefix;
+
+	REQUIRE(DNS_CATZ_ZONES_VALID(catzs));
+	REQUIRE(DNS_CATZ_ZONE_VALID(zone));
+	REQUIRE(ISC_MAGIC_VALID(src_name, DNS_NAME_MAGIC));
+
+	nrres = dns_name_fullcompare(src_name, &zone->name, &order, &nlabels);
+	if (nrres == dns_namereln_equal) {
+		if (rdataset->type == dns_rdatatype_soa) {
+			result = dns_rdataset_first(rdataset);
+			if (result != ISC_R_SUCCESS) {
+				return (result);
+			}
+
+			dns_rdataset_current(rdataset, &rdata);
+			result = dns_rdata_tostruct(&rdata, &soa, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+			/*
+			 * xxxwpk TODO do we want to save something from SOA?
+			 */
+			return (result);
+		} else if (rdataset->type == dns_rdatatype_ns) {
+			return (ISC_R_SUCCESS);
+		} else {
+			return (ISC_R_UNEXPECTED);
+		}
+	} else if (nrres != dns_namereln_subdomain) {
+		return (ISC_R_UNEXPECTED);
+	}
+
+	dns_name_init(&prefix, NULL);
+	dns_name_split(src_name, zone->name.labels, &prefix, NULL);
+	result = catz_process_value(zone, &prefix, rdataset);
+
+	return (result);
+}
+
+static isc_result_t
+digest2hex(unsigned char *digest, unsigned int digestlen, char *hash,
+	   size_t hashlen) {
+	unsigned int i;
+	int ret;
+	for (i = 0; i < digestlen; i++) {
+		size_t left = hashlen - i * 2;
+		ret = snprintf(hash + i * 2, left, "%02x", digest[i]);
+		if (ret < 0 || (size_t)ret >= left) {
+			return (ISC_R_NOSPACE);
+		}
+	}
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_catz_generate_masterfilename(dns_catz_zone_t *zone, dns_catz_entry_t *entry,
+				 isc_buffer_t **buffer) {
+	isc_buffer_t *tbuf = NULL;
+	isc_region_t r;
+	isc_result_t result;
+	size_t rlen;
+	bool special = false;
+
+	REQUIRE(DNS_CATZ_ZONE_VALID(zone));
+	REQUIRE(DNS_CATZ_ENTRY_VALID(entry));
+	REQUIRE(buffer != NULL && *buffer != NULL);
+
+	isc_buffer_allocate(zone->catzs->mctx, &tbuf,
+			    strlen(zone->catzs->view->name) +
+				    2 * DNS_NAME_FORMATSIZE + 2);
+
+	isc_buffer_putstr(tbuf, zone->catzs->view->name);
+	isc_buffer_putstr(tbuf, "_");
+	result = dns_name_totext(&zone->name, true, tbuf);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	isc_buffer_putstr(tbuf, "_");
+	result = dns_name_totext(&entry->name, true, tbuf);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	/*
+	 * Search for slash and other special characters in the view and
+	 * zone names.  Add a null terminator so we can use strpbrk(), then
+	 * remove it.
+	 */
+	isc_buffer_putuint8(tbuf, 0);
+	if (strpbrk(isc_buffer_base(tbuf), "\\/:") != NULL) {
+		special = true;
+	}
+	isc_buffer_subtract(tbuf, 1);
+
+	/* __catz__<digest>.db */
+	rlen = (isc_md_type_get_size(ISC_MD_SHA256) * 2 + 1) + 12;
+
+	/* optionally prepend with <zonedir>/ */
+	if (entry->opts.zonedir != NULL) {
+		rlen += strlen(entry->opts.zonedir) + 1;
+	}
+
+	result = isc_buffer_reserve(buffer, (unsigned int)rlen);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	if (entry->opts.zonedir != NULL) {
+		isc_buffer_putstr(*buffer, entry->opts.zonedir);
+		isc_buffer_putstr(*buffer, "/");
+	}
+
+	isc_buffer_usedregion(tbuf, &r);
+	isc_buffer_putstr(*buffer, "__catz__");
+	if (special || tbuf->used > ISC_SHA256_DIGESTLENGTH * 2 + 1) {
+		unsigned char digest[ISC_MAX_MD_SIZE];
+		unsigned int digestlen;
+
+		/* we can do that because digest string < 2 * DNS_NAME */
+		result = isc_md(ISC_MD_SHA256, r.base, r.length, digest,
+				&digestlen);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+		result = digest2hex(digest, digestlen, (char *)r.base,
+				    ISC_SHA256_DIGESTLENGTH * 2 + 1);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+		isc_buffer_putstr(*buffer, (char *)r.base);
+	} else {
+		isc_buffer_copyregion(*buffer, &r);
+	}
+
+	isc_buffer_putstr(*buffer, ".db");
+	result = ISC_R_SUCCESS;
+
+cleanup:
+	isc_buffer_free(&tbuf);
+	return (result);
+}
+
+isc_result_t
+dns_catz_generate_zonecfg(dns_catz_zone_t *zone, dns_catz_entry_t *entry,
+			  isc_buffer_t **buf) {
+	/*
+	 * We have to generate a text buffer with regular zone config:
+	 * zone "foo.bar" {
+	 * 	type slave;
+	 * 	masters [ dscp X ] { ip1 port port1; ip2 port port2; };
+	 * }
+	 */
+	isc_buffer_t *buffer = NULL;
+	isc_region_t region;
+	isc_result_t result;
+	uint32_t i;
+	isc_netaddr_t netaddr;
+	char pbuf[sizeof("65535")]; /* used both for port number and DSCP */
+	char zname[DNS_NAME_FORMATSIZE];
+
+	REQUIRE(DNS_CATZ_ZONE_VALID(zone));
+	REQUIRE(DNS_CATZ_ENTRY_VALID(entry));
+	REQUIRE(buf != NULL && *buf == NULL);
+
+	/*
+	 * The buffer will be reallocated if something won't fit,
+	 * ISC_BUFFER_INCR seems like a good start.
+	 */
+	isc_buffer_allocate(zone->catzs->mctx, &buffer, ISC_BUFFER_INCR);
+
+	isc_buffer_setautorealloc(buffer, true);
+	isc_buffer_putstr(buffer, "zone \"");
+	dns_name_totext(&entry->name, true, buffer);
+	isc_buffer_putstr(buffer, "\" { type slave; masters");
+
+	/*
+	 * DSCP value has no default, but when it is specified, it is identical
+	 * for all masters and cannot be overridden for a specific master IP, so
+	 * use the DSCP value set for the first master
+	 */
+	if (entry->opts.masters.count > 0 && entry->opts.masters.dscps[0] >= 0)
+	{
+		isc_buffer_putstr(buffer, " dscp ");
+		snprintf(pbuf, sizeof(pbuf), "%hd",
+			 entry->opts.masters.dscps[0]);
+		isc_buffer_putstr(buffer, pbuf);
+	}
+
+	isc_buffer_putstr(buffer, " { ");
+	for (i = 0; i < entry->opts.masters.count; i++) {
+		/*
+		 * Every master must have an IP address assigned.
+		 */
+		switch (entry->opts.masters.addrs[i].type.sa.sa_family) {
+		case AF_INET:
+		case AF_INET6:
+			break;
+		default:
+			dns_name_format(&entry->name, zname,
+					DNS_NAME_FORMATSIZE);
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_MASTER, ISC_LOG_ERROR,
+				      "catz: zone '%s' uses an invalid master "
+				      "(no IP address assigned)",
+				      zname);
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+		isc_netaddr_fromsockaddr(&netaddr,
+					 &entry->opts.masters.addrs[i]);
+		isc_buffer_reserve(&buffer, INET6_ADDRSTRLEN);
+		result = isc_netaddr_totext(&netaddr, buffer);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		isc_buffer_putstr(buffer, " port ");
+		snprintf(pbuf, sizeof(pbuf), "%u",
+			 isc_sockaddr_getport(&entry->opts.masters.addrs[i]));
+		isc_buffer_putstr(buffer, pbuf);
+
+		if (entry->opts.masters.keys[i] != NULL) {
+			isc_buffer_putstr(buffer, " key ");
+			result = dns_name_totext(entry->opts.masters.keys[i],
+						 true, buffer);
+			if (result != ISC_R_SUCCESS) {
+				goto cleanup;
+			}
+		}
+		isc_buffer_putstr(buffer, "; ");
+	}
+	isc_buffer_putstr(buffer, "}; ");
+	if (!entry->opts.in_memory) {
+		isc_buffer_putstr(buffer, "file \"");
+		result = dns_catz_generate_masterfilename(zone, entry, &buffer);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+		isc_buffer_putstr(buffer, "\"; ");
+	}
+	if (entry->opts.allow_query != NULL) {
+		isc_buffer_putstr(buffer, "allow-query { ");
+		isc_buffer_usedregion(entry->opts.allow_query, &region);
+		isc_buffer_copyregion(buffer, &region);
+		isc_buffer_putstr(buffer, "}; ");
+	}
+	if (entry->opts.allow_transfer != NULL) {
+		isc_buffer_putstr(buffer, "allow-transfer { ");
+		isc_buffer_usedregion(entry->opts.allow_transfer, &region);
+		isc_buffer_copyregion(buffer, &region);
+		isc_buffer_putstr(buffer, "}; ");
+	}
+
+	isc_buffer_putstr(buffer, "};");
+	*buf = buffer;
+
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	isc_buffer_free(&buffer);
+	return (result);
+}
+
+void
+dns_catz_update_taskaction(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result;
+	dns_catz_zone_t *zone;
+	(void)task;
+
+	REQUIRE(event != NULL);
+	zone = event->ev_arg;
+	REQUIRE(DNS_CATZ_ZONE_VALID(zone));
+
+	LOCK(&zone->catzs->lock);
+	zone->updatepending = false;
+	dns_catz_update_from_db(zone->db, zone->catzs);
+	result = isc_timer_reset(zone->updatetimer, isc_timertype_inactive,
+				 NULL, NULL, true);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	isc_event_free(&event);
+	result = isc_time_now(&zone->lastupdated);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	UNLOCK(&zone->catzs->lock);
+}
+
+isc_result_t
+dns_catz_dbupdate_callback(dns_db_t *db, void *fn_arg) {
+	dns_catz_zones_t *catzs;
+	dns_catz_zone_t *zone = NULL;
+	isc_time_t now;
+	uint64_t tdiff;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_region_t r;
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(DNS_CATZ_ZONES_VALID(fn_arg));
+	catzs = (dns_catz_zones_t *)fn_arg;
+
+	dns_name_toregion(&db->origin, &r);
+
+	LOCK(&catzs->lock);
+	result = isc_ht_find(catzs->zones, r.base, r.length, (void **)&zone);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	/* New zone came as AXFR */
+	if (zone->db != NULL && zone->db != db) {
+		if (zone->dbversion != NULL) {
+			dns_db_closeversion(zone->db, &zone->dbversion, false);
+		}
+		dns_db_updatenotify_unregister(
+			zone->db, dns_catz_dbupdate_callback, zone->catzs);
+		dns_db_detach(&zone->db);
+		/*
+		 * We're not registering db update callback, it will be
+		 * registered at the end of update_from_db
+		 */
+		zone->db_registered = false;
+	}
+	if (zone->db == NULL) {
+		dns_db_attach(db, &zone->db);
+	}
+
+	if (!zone->updatepending) {
+		zone->updatepending = true;
+		isc_time_now(&now);
+		tdiff = isc_time_microdiff(&now, &zone->lastupdated) / 1000000;
+		if (tdiff < zone->defoptions.min_update_interval) {
+			isc_interval_t interval;
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_MASTER, ISC_LOG_INFO,
+				      "catz: new zone version came too soon, "
+				      "deferring update");
+			isc_interval_set(&interval,
+					 zone->defoptions.min_update_interval -
+						 (unsigned int)tdiff,
+					 0);
+			dns_db_currentversion(db, &zone->dbversion);
+			result = isc_timer_reset(zone->updatetimer,
+						 isc_timertype_once, NULL,
+						 &interval, true);
+			if (result != ISC_R_SUCCESS) {
+				goto cleanup;
+			}
+		} else {
+			isc_event_t *event;
+
+			dns_db_currentversion(db, &zone->dbversion);
+			ISC_EVENT_INIT(&zone->updateevent,
+				       sizeof(zone->updateevent), 0, NULL,
+				       DNS_EVENT_CATZUPDATED,
+				       dns_catz_update_taskaction, zone, zone,
+				       NULL, NULL);
+			event = &zone->updateevent;
+			isc_task_send(catzs->updater, &event);
+		}
+	} else {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTER, ISC_LOG_DEBUG(3),
+			      "catz: update already queued");
+		if (zone->dbversion != NULL) {
+			dns_db_closeversion(zone->db, &zone->dbversion, false);
+		}
+		dns_db_currentversion(zone->db, &zone->dbversion);
+	}
+
+cleanup:
+	UNLOCK(&catzs->lock);
+
+	return (result);
+}
+
+static bool
+catz_rdatatype_is_processable(const dns_rdatatype_t type) {
+	return (!dns_rdatatype_isdnssec(type) && type != dns_rdatatype_cds &&
+		type != dns_rdatatype_cdnskey && type != dns_rdatatype_zonemd);
+}
+
+void
+dns_catz_update_from_db(dns_db_t *db, dns_catz_zones_t *catzs) {
+	dns_catz_zone_t *oldzone = NULL, *newzone = NULL;
+	isc_result_t result;
+	isc_region_t r;
+	dns_dbnode_t *node = NULL;
+	dns_dbiterator_t *it = NULL;
+	dns_fixedname_t fixname;
+	dns_name_t *name;
+	dns_rdatasetiter_t *rdsiter = NULL;
+	dns_rdataset_t rdataset;
+	char bname[DNS_NAME_FORMATSIZE];
+	isc_buffer_t ibname;
+	uint32_t vers;
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(DNS_CATZ_ZONES_VALID(catzs));
+
+	/*
+	 * Create a new catz in the same context as current catz.
+	 */
+	dns_name_toregion(&db->origin, &r);
+	result = isc_ht_find(catzs->zones, r.base, r.length, (void **)&oldzone);
+	if (result != ISC_R_SUCCESS) {
+		/* This can happen if we remove the zone in the meantime. */
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTER, ISC_LOG_ERROR,
+			      "catz: zone '%s' not in config", bname);
+		return;
+	}
+
+	if (!oldzone->active) {
+		/* This can happen during a reconfiguration. */
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTER, ISC_LOG_INFO,
+			      "catz: zone '%s' is no longer active", bname);
+		return;
+	}
+
+	isc_buffer_init(&ibname, bname, DNS_NAME_FORMATSIZE);
+	result = dns_name_totext(&db->origin, true, &ibname);
+	INSIST(result == ISC_R_SUCCESS);
+
+	result = dns_db_getsoaserial(db, oldzone->dbversion, &vers);
+	if (result != ISC_R_SUCCESS) {
+		/* A zone without SOA record?!? */
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTER, ISC_LOG_ERROR,
+			      "catz: zone '%s' has no SOA record (%s)", bname,
+			      isc_result_totext(result));
+		return;
+	}
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_MASTER,
+		      ISC_LOG_INFO,
+		      "catz: updating catalog zone '%s' with serial %" PRIu32,
+		      bname, vers);
+
+	result = dns_catz_new_zone(catzs, &newzone, &db->origin);
+	if (result != ISC_R_SUCCESS) {
+		dns_db_closeversion(db, &oldzone->dbversion, false);
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTER, ISC_LOG_ERROR,
+			      "catz: failed to create new zone - %s",
+			      isc_result_totext(result));
+		return;
+	}
+
+	result = dns_db_createiterator(db, DNS_DB_NONSEC3, &it);
+	if (result != ISC_R_SUCCESS) {
+		dns_catz_zone_detach(&newzone);
+		dns_db_closeversion(db, &oldzone->dbversion, false);
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTER, ISC_LOG_ERROR,
+			      "catz: failed to create DB iterator - %s",
+			      isc_result_totext(result));
+		return;
+	}
+
+	name = dns_fixedname_initname(&fixname);
+
+	/*
+	 * Iterate over database to fill the new zone.
+	 */
+	result = dns_dbiterator_first(it);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTER, ISC_LOG_ERROR,
+			      "catz: failed to get db iterator - %s",
+			      isc_result_totext(result));
+	}
+
+	while (result == ISC_R_SUCCESS) {
+		result = dns_dbiterator_current(it, &node, name);
+		if (result != ISC_R_SUCCESS) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_MASTER, ISC_LOG_ERROR,
+				      "catz: failed to get db iterator - %s",
+				      isc_result_totext(result));
+			break;
+		}
+
+		result = dns_db_allrdatasets(db, node, oldzone->dbversion, 0, 0,
+					     &rdsiter);
+		if (result != ISC_R_SUCCESS) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_MASTER, ISC_LOG_ERROR,
+				      "catz: failed to fetch rrdatasets - %s",
+				      isc_result_totext(result));
+			dns_db_detachnode(db, &node);
+			break;
+		}
+
+		dns_rdataset_init(&rdataset);
+		result = dns_rdatasetiter_first(rdsiter);
+		while (result == ISC_R_SUCCESS) {
+			dns_rdatasetiter_current(rdsiter, &rdataset);
+
+			/*
+			 * Skip processing DNSSEC-related and ZONEMD types,
+			 * because we are not interested in them in the context
+			 * of a catalog zone, and processing them will fail
+			 * and produce an unnecessary warning message.
+			 */
+			if (!catz_rdatatype_is_processable(rdataset.type)) {
+				goto next;
+			}
+
+			result = dns_catz_update_process(catzs, newzone, name,
+							 &rdataset);
+			if (result != ISC_R_SUCCESS) {
+				char cname[DNS_NAME_FORMATSIZE];
+				char typebuf[DNS_RDATATYPE_FORMATSIZE];
+				char classbuf[DNS_RDATACLASS_FORMATSIZE];
+
+				dns_name_format(name, cname,
+						DNS_NAME_FORMATSIZE);
+				dns_rdataclass_format(rdataset.rdclass,
+						      classbuf,
+						      sizeof(classbuf));
+				dns_rdatatype_format(rdataset.type, typebuf,
+						     sizeof(typebuf));
+				isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+					      DNS_LOGMODULE_MASTER,
+					      ISC_LOG_WARNING,
+					      "catz: unknown record in catalog "
+					      "zone - %s %s %s(%s) - ignoring",
+					      cname, classbuf, typebuf,
+					      isc_result_totext(result));
+			}
+		next:
+			dns_rdataset_disassociate(&rdataset);
+			result = dns_rdatasetiter_next(rdsiter);
+		}
+
+		dns_rdatasetiter_destroy(&rdsiter);
+
+		dns_db_detachnode(db, &node);
+		result = dns_dbiterator_next(it);
+	}
+
+	dns_dbiterator_destroy(&it);
+	dns_db_closeversion(db, &oldzone->dbversion, false);
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_MASTER,
+		      ISC_LOG_DEBUG(3),
+		      "catz: update_from_db: iteration finished");
+
+	/*
+	 * Finally merge new zone into old zone.
+	 */
+	result = dns_catz_zones_merge(oldzone, newzone);
+	dns_catz_zone_detach(&newzone);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTER, ISC_LOG_ERROR,
+			      "catz: failed merging zones: %s",
+			      isc_result_totext(result));
+
+		return;
+	}
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_MASTER,
+		      ISC_LOG_DEBUG(3),
+		      "catz: update_from_db: new zone merged");
+
+	/*
+	 * When we're doing reconfig and setting a new catalog zone
+	 * from an existing zone we won't have a chance to set up
+	 * update callback in zone_startload or axfr_makedb, but we will
+	 * call onupdate() artificially so we can register the callback here.
+	 */
+	if (!oldzone->db_registered) {
+		result = dns_db_updatenotify_register(
+			db, dns_catz_dbupdate_callback, oldzone->catzs);
+		if (result == ISC_R_SUCCESS) {
+			oldzone->db_registered = true;
+		}
+	}
+}
+
+void
+dns_catz_prereconfig(dns_catz_zones_t *catzs) {
+	isc_result_t result;
+	isc_ht_iter_t *iter = NULL;
+
+	REQUIRE(DNS_CATZ_ZONES_VALID(catzs));
+
+	LOCK(&catzs->lock);
+	isc_ht_iter_create(catzs->zones, &iter);
+	for (result = isc_ht_iter_first(iter); result == ISC_R_SUCCESS;
+	     result = isc_ht_iter_next(iter))
+	{
+		dns_catz_zone_t *zone = NULL;
+		isc_ht_iter_current(iter, (void **)&zone);
+		zone->active = false;
+	}
+	UNLOCK(&catzs->lock);
+	INSIST(result == ISC_R_NOMORE);
+	isc_ht_iter_destroy(&iter);
+}
+
+void
+dns_catz_postreconfig(dns_catz_zones_t *catzs) {
+	isc_result_t result;
+	dns_catz_zone_t *newzone = NULL;
+	isc_ht_iter_t *iter = NULL;
+
+	REQUIRE(DNS_CATZ_ZONES_VALID(catzs));
+
+	LOCK(&catzs->lock);
+	isc_ht_iter_create(catzs->zones, &iter);
+	for (result = isc_ht_iter_first(iter); result == ISC_R_SUCCESS;) {
+		dns_catz_zone_t *zone = NULL;
+
+		isc_ht_iter_current(iter, (void **)&zone);
+		if (!zone->active) {
+			char cname[DNS_NAME_FORMATSIZE];
+			dns_name_format(&zone->name, cname,
+					DNS_NAME_FORMATSIZE);
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_MASTER, ISC_LOG_WARNING,
+				      "catz: removing catalog zone %s", cname);
+
+			/*
+			 * Merge the old zone with an empty one to remove
+			 * all members.
+			 */
+			result = dns_catz_new_zone(catzs, &newzone,
+						   &zone->name);
+			INSIST(result == ISC_R_SUCCESS);
+			dns_catz_zones_merge(zone, newzone);
+			dns_catz_zone_detach(&newzone);
+
+			/* Make sure that we have an empty catalog zone. */
+			INSIST(isc_ht_count(zone->entries) == 0);
+			result = isc_ht_iter_delcurrent_next(iter);
+			dns_catz_zone_detach(&zone);
+		} else {
+			result = isc_ht_iter_next(iter);
+		}
+	}
+	UNLOCK(&catzs->lock);
+	RUNTIME_CHECK(result == ISC_R_NOMORE);
+	isc_ht_iter_destroy(&iter);
+}
+
+void
+dns_catz_get_iterator(dns_catz_zone_t *catz, isc_ht_iter_t **itp) {
+	REQUIRE(DNS_CATZ_ZONE_VALID(catz));
+
+	isc_ht_iter_create(catz->entries, itp);
+}
diff --git a/lib/dns/client.c b/lib/dns/client.c
new file mode 100644
index 0000000..9cfc810
--- /dev/null
+++ b/lib/dns/client.c
@@ -0,0 +1,1353 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stdbool.h>
+#include <stddef.h>
+
+#include <isc/app.h>
+#include <isc/buffer.h>
+#include <isc/md.h>
+#include <isc/mem.h>
+#include <isc/mutex.h>
+#include <isc/portset.h>
+#include <isc/refcount.h>
+#include <isc/safe.h>
+#include <isc/sockaddr.h>
+#include <isc/socket.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/adb.h>
+#include <dns/client.h>
+#include <dns/db.h>
+#include <dns/dispatch.h>
+#include <dns/events.h>
+#include <dns/forward.h>
+#include <dns/keytable.h>
+#include <dns/message.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/request.h>
+#include <dns/resolver.h>
+#include <dns/result.h>
+#include <dns/tsec.h>
+#include <dns/tsig.h>
+#include <dns/view.h>
+
+#include <dst/dst.h>
+
+#define DNS_CLIENT_MAGIC    ISC_MAGIC('D', 'N', 'S', 'c')
+#define DNS_CLIENT_VALID(c) ISC_MAGIC_VALID(c, DNS_CLIENT_MAGIC)
+
+#define RCTX_MAGIC    ISC_MAGIC('R', 'c', 't', 'x')
+#define RCTX_VALID(c) ISC_MAGIC_VALID(c, RCTX_MAGIC)
+
+#define UCTX_MAGIC    ISC_MAGIC('U', 'c', 't', 'x')
+#define UCTX_VALID(c) ISC_MAGIC_VALID(c, UCTX_MAGIC)
+
+#define MAX_RESTARTS 16
+
+#ifdef TUNE_LARGE
+#define RESOLVER_NTASKS 523
+#else /* ifdef TUNE_LARGE */
+#define RESOLVER_NTASKS 31
+#endif /* TUNE_LARGE */
+
+#define CHECK(r)                             \
+	do {                                 \
+		result = (r);                \
+		if (result != ISC_R_SUCCESS) \
+			goto cleanup;        \
+	} while (0)
+
+/*%
+ * DNS client object
+ */
+struct dns_client {
+	/* Unlocked */
+	unsigned int magic;
+	unsigned int attributes;
+	isc_mutex_t lock;
+	isc_mem_t *mctx;
+	isc_appctx_t *actx;
+	isc_taskmgr_t *taskmgr;
+	isc_task_t *task;
+	isc_socketmgr_t *socketmgr;
+	isc_timermgr_t *timermgr;
+	dns_dispatchmgr_t *dispatchmgr;
+	dns_dispatch_t *dispatchv4;
+	dns_dispatch_t *dispatchv6;
+
+	unsigned int find_timeout;
+	unsigned int find_udpretries;
+
+	isc_refcount_t references;
+
+	/* Locked */
+	dns_viewlist_t viewlist;
+	ISC_LIST(struct resctx) resctxs;
+};
+
+#define DEF_FIND_TIMEOUT    5
+#define DEF_FIND_UDPRETRIES 3
+
+/*%
+ * Internal state for a single name resolution procedure
+ */
+typedef struct resctx {
+	/* Unlocked */
+	unsigned int magic;
+	isc_mutex_t lock;
+	dns_client_t *client;
+	bool want_dnssec;
+	bool want_validation;
+	bool want_cdflag;
+	bool want_tcp;
+
+	/* Locked */
+	ISC_LINK(struct resctx) link;
+	isc_task_t *task;
+	dns_view_t *view;
+	unsigned int restarts;
+	dns_fixedname_t name;
+	dns_rdatatype_t type;
+	dns_fetch_t *fetch;
+	dns_namelist_t namelist;
+	isc_result_t result;
+	dns_clientresevent_t *event;
+	bool canceled;
+	dns_rdataset_t *rdataset;
+	dns_rdataset_t *sigrdataset;
+} resctx_t;
+
+/*%
+ * Argument of an internal event for synchronous name resolution.
+ */
+typedef struct resarg {
+	/* Unlocked */
+	isc_appctx_t *actx;
+	dns_client_t *client;
+	isc_mutex_t lock;
+
+	/* Locked */
+	isc_result_t result;
+	isc_result_t vresult;
+	dns_namelist_t *namelist;
+	dns_clientrestrans_t *trans;
+	bool canceled;
+} resarg_t;
+
+static void
+client_resfind(resctx_t *rctx, dns_fetchevent_t *event);
+
+/*
+ * Try honoring the operating system's preferred ephemeral port range.
+ */
+static isc_result_t
+setsourceports(isc_mem_t *mctx, dns_dispatchmgr_t *manager) {
+	isc_portset_t *v4portset = NULL, *v6portset = NULL;
+	in_port_t udpport_low, udpport_high;
+	isc_result_t result;
+
+	result = isc_portset_create(mctx, &v4portset);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	result = isc_net_getudpportrange(AF_INET, &udpport_low, &udpport_high);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	isc_portset_addrange(v4portset, udpport_low, udpport_high);
+
+	result = isc_portset_create(mctx, &v6portset);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	result = isc_net_getudpportrange(AF_INET6, &udpport_low, &udpport_high);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	isc_portset_addrange(v6portset, udpport_low, udpport_high);
+
+	result = dns_dispatchmgr_setavailports(manager, v4portset, v6portset);
+
+cleanup:
+	if (v4portset != NULL) {
+		isc_portset_destroy(mctx, &v4portset);
+	}
+	if (v6portset != NULL) {
+		isc_portset_destroy(mctx, &v6portset);
+	}
+
+	return (result);
+}
+
+static isc_result_t
+getudpdispatch(int family, dns_dispatchmgr_t *dispatchmgr,
+	       isc_socketmgr_t *socketmgr, isc_taskmgr_t *taskmgr,
+	       bool is_shared, dns_dispatch_t **dispp,
+	       const isc_sockaddr_t *localaddr) {
+	unsigned int attrs, attrmask;
+	dns_dispatch_t *disp;
+	unsigned buffersize, maxbuffers, maxrequests, buckets, increment;
+	isc_result_t result;
+	isc_sockaddr_t anyaddr;
+
+	attrs = 0;
+	attrs |= DNS_DISPATCHATTR_UDP;
+	switch (family) {
+	case AF_INET:
+		attrs |= DNS_DISPATCHATTR_IPV4;
+		break;
+	case AF_INET6:
+		attrs |= DNS_DISPATCHATTR_IPV6;
+		break;
+	default:
+		UNREACHABLE();
+	}
+	attrmask = 0;
+	attrmask |= DNS_DISPATCHATTR_UDP;
+	attrmask |= DNS_DISPATCHATTR_TCP;
+	attrmask |= DNS_DISPATCHATTR_IPV4;
+	attrmask |= DNS_DISPATCHATTR_IPV6;
+
+	if (localaddr == NULL) {
+		isc_sockaddr_anyofpf(&anyaddr, family);
+		localaddr = &anyaddr;
+	}
+
+	buffersize = 4096;
+	maxbuffers = is_shared ? 1000 : 8;
+	maxrequests = 32768;
+	buckets = is_shared ? 16411 : 3;
+	increment = is_shared ? 16433 : 5;
+
+	disp = NULL;
+	result = dns_dispatch_getudp(dispatchmgr, socketmgr, taskmgr, localaddr,
+				     buffersize, maxbuffers, maxrequests,
+				     buckets, increment, attrs, attrmask,
+				     &disp);
+	if (result == ISC_R_SUCCESS) {
+		*dispp = disp;
+	}
+
+	return (result);
+}
+
+static isc_result_t
+createview(isc_mem_t *mctx, dns_rdataclass_t rdclass, unsigned int options,
+	   isc_taskmgr_t *taskmgr, unsigned int ntasks,
+	   isc_socketmgr_t *socketmgr, isc_timermgr_t *timermgr,
+	   dns_dispatchmgr_t *dispatchmgr, dns_dispatch_t *dispatchv4,
+	   dns_dispatch_t *dispatchv6, dns_view_t **viewp) {
+	isc_result_t result;
+	dns_view_t *view = NULL;
+	const char *dbtype;
+
+	result = dns_view_create(mctx, rdclass, DNS_CLIENTVIEW_NAME, &view);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	/* Initialize view security roots */
+	result = dns_view_initsecroots(view, mctx);
+	if (result != ISC_R_SUCCESS) {
+		dns_view_detach(&view);
+		return (result);
+	}
+
+	result = dns_view_createresolver(view, taskmgr, ntasks, 1, socketmgr,
+					 timermgr, 0, dispatchmgr, dispatchv4,
+					 dispatchv6);
+	if (result != ISC_R_SUCCESS) {
+		dns_view_detach(&view);
+		return (result);
+	}
+
+	/*
+	 * Set cache DB.
+	 * XXX: it may be better if specific DB implementations can be
+	 * specified via some configuration knob.
+	 */
+	if ((options & DNS_CLIENTCREATEOPT_USECACHE) != 0) {
+		dbtype = "rbt";
+	} else {
+		dbtype = "ecdb";
+	}
+	result = dns_db_create(mctx, dbtype, dns_rootname, dns_dbtype_cache,
+			       rdclass, 0, NULL, &view->cachedb);
+	if (result != ISC_R_SUCCESS) {
+		dns_view_detach(&view);
+		return (result);
+	}
+
+	*viewp = view;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_client_create(isc_mem_t *mctx, isc_appctx_t *actx, isc_taskmgr_t *taskmgr,
+		  isc_socketmgr_t *socketmgr, isc_timermgr_t *timermgr,
+		  unsigned int options, dns_client_t **clientp,
+		  const isc_sockaddr_t *localaddr4,
+		  const isc_sockaddr_t *localaddr6) {
+	isc_result_t result;
+	dns_client_t *client = NULL;
+	dns_dispatchmgr_t *dispatchmgr = NULL;
+	dns_dispatch_t *dispatchv4 = NULL;
+	dns_dispatch_t *dispatchv6 = NULL;
+	dns_view_t *view = NULL;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(taskmgr != NULL);
+	REQUIRE(timermgr != NULL);
+	REQUIRE(socketmgr != NULL);
+	REQUIRE(clientp != NULL && *clientp == NULL);
+
+	client = isc_mem_get(mctx, sizeof(*client));
+
+	isc_mutex_init(&client->lock);
+
+	client->actx = actx;
+	client->taskmgr = taskmgr;
+	client->socketmgr = socketmgr;
+	client->timermgr = timermgr;
+
+	client->task = NULL;
+	result = isc_task_create(client->taskmgr, 0, &client->task);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_lock;
+	}
+
+	result = dns_dispatchmgr_create(mctx, &dispatchmgr);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_task;
+	}
+	client->dispatchmgr = dispatchmgr;
+	(void)setsourceports(mctx, dispatchmgr);
+
+	/*
+	 * If only one address family is specified, use it.
+	 * If neither family is specified, or if both are, use both.
+	 */
+	client->dispatchv4 = NULL;
+	if (localaddr4 != NULL || localaddr6 == NULL) {
+		result = getudpdispatch(AF_INET, dispatchmgr, socketmgr,
+					taskmgr, true, &dispatchv4, localaddr4);
+		if (result == ISC_R_SUCCESS) {
+			client->dispatchv4 = dispatchv4;
+		}
+	}
+
+	client->dispatchv6 = NULL;
+	if (localaddr6 != NULL || localaddr4 == NULL) {
+		result = getudpdispatch(AF_INET6, dispatchmgr, socketmgr,
+					taskmgr, true, &dispatchv6, localaddr6);
+		if (result == ISC_R_SUCCESS) {
+			client->dispatchv6 = dispatchv6;
+		}
+	}
+
+	/* We need at least one of the dispatchers */
+	if (dispatchv4 == NULL && dispatchv6 == NULL) {
+		INSIST(result != ISC_R_SUCCESS);
+		goto cleanup_dispatchmgr;
+	}
+
+	isc_refcount_init(&client->references, 1);
+
+	/* Create the default view for class IN */
+	result = createview(mctx, dns_rdataclass_in, options, taskmgr,
+			    RESOLVER_NTASKS, socketmgr, timermgr, dispatchmgr,
+			    dispatchv4, dispatchv6, &view);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_references;
+	}
+
+	ISC_LIST_INIT(client->viewlist);
+	ISC_LIST_APPEND(client->viewlist, view, link);
+
+	dns_view_freeze(view); /* too early? */
+
+	ISC_LIST_INIT(client->resctxs);
+
+	client->mctx = NULL;
+	isc_mem_attach(mctx, &client->mctx);
+
+	client->find_timeout = DEF_FIND_TIMEOUT;
+	client->find_udpretries = DEF_FIND_UDPRETRIES;
+	client->attributes = 0;
+
+	client->magic = DNS_CLIENT_MAGIC;
+
+	*clientp = client;
+
+	return (ISC_R_SUCCESS);
+
+cleanup_references:
+	isc_refcount_decrementz(&client->references);
+	isc_refcount_destroy(&client->references);
+cleanup_dispatchmgr:
+	if (dispatchv4 != NULL) {
+		dns_dispatch_detach(&dispatchv4);
+	}
+	if (dispatchv6 != NULL) {
+		dns_dispatch_detach(&dispatchv6);
+	}
+	dns_dispatchmgr_destroy(&dispatchmgr);
+cleanup_task:
+	isc_task_detach(&client->task);
+cleanup_lock:
+	isc_mutex_destroy(&client->lock);
+	isc_mem_put(mctx, client, sizeof(*client));
+
+	return (result);
+}
+
+static void
+destroyclient(dns_client_t *client) {
+	dns_view_t *view;
+
+	isc_refcount_destroy(&client->references);
+
+	while ((view = ISC_LIST_HEAD(client->viewlist)) != NULL) {
+		ISC_LIST_UNLINK(client->viewlist, view, link);
+		dns_view_detach(&view);
+	}
+
+	if (client->dispatchv4 != NULL) {
+		dns_dispatch_detach(&client->dispatchv4);
+	}
+	if (client->dispatchv6 != NULL) {
+		dns_dispatch_detach(&client->dispatchv6);
+	}
+
+	dns_dispatchmgr_destroy(&client->dispatchmgr);
+
+	isc_task_detach(&client->task);
+
+	isc_mutex_destroy(&client->lock);
+	client->magic = 0;
+
+	isc_mem_putanddetach(&client->mctx, client, sizeof(*client));
+}
+
+void
+dns_client_destroy(dns_client_t **clientp) {
+	dns_client_t *client;
+
+	REQUIRE(clientp != NULL);
+	client = *clientp;
+	*clientp = NULL;
+	REQUIRE(DNS_CLIENT_VALID(client));
+
+	if (isc_refcount_decrement(&client->references) == 1) {
+		destroyclient(client);
+	}
+}
+
+isc_result_t
+dns_client_setservers(dns_client_t *client, dns_rdataclass_t rdclass,
+		      const dns_name_t *name_space, isc_sockaddrlist_t *addrs) {
+	isc_result_t result;
+	dns_view_t *view = NULL;
+
+	REQUIRE(DNS_CLIENT_VALID(client));
+	REQUIRE(addrs != NULL);
+
+	if (name_space == NULL) {
+		name_space = dns_rootname;
+	}
+
+	LOCK(&client->lock);
+	result = dns_viewlist_find(&client->viewlist, DNS_CLIENTVIEW_NAME,
+				   rdclass, &view);
+	if (result != ISC_R_SUCCESS) {
+		UNLOCK(&client->lock);
+		return (result);
+	}
+	UNLOCK(&client->lock);
+
+	result = dns_fwdtable_add(view->fwdtable, name_space, addrs,
+				  dns_fwdpolicy_only);
+
+	dns_view_detach(&view);
+
+	return (result);
+}
+
+isc_result_t
+dns_client_clearservers(dns_client_t *client, dns_rdataclass_t rdclass,
+			const dns_name_t *name_space) {
+	isc_result_t result;
+	dns_view_t *view = NULL;
+
+	REQUIRE(DNS_CLIENT_VALID(client));
+
+	if (name_space == NULL) {
+		name_space = dns_rootname;
+	}
+
+	LOCK(&client->lock);
+	result = dns_viewlist_find(&client->viewlist, DNS_CLIENTVIEW_NAME,
+				   rdclass, &view);
+	if (result != ISC_R_SUCCESS) {
+		UNLOCK(&client->lock);
+		return (result);
+	}
+	UNLOCK(&client->lock);
+
+	result = dns_fwdtable_delete(view->fwdtable, name_space);
+
+	dns_view_detach(&view);
+
+	return (result);
+}
+
+static isc_result_t
+getrdataset(isc_mem_t *mctx, dns_rdataset_t **rdatasetp) {
+	dns_rdataset_t *rdataset;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(rdatasetp != NULL && *rdatasetp == NULL);
+
+	rdataset = isc_mem_get(mctx, sizeof(*rdataset));
+
+	dns_rdataset_init(rdataset);
+
+	*rdatasetp = rdataset;
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+putrdataset(isc_mem_t *mctx, dns_rdataset_t **rdatasetp) {
+	dns_rdataset_t *rdataset;
+
+	REQUIRE(rdatasetp != NULL);
+	rdataset = *rdatasetp;
+	*rdatasetp = NULL;
+	REQUIRE(rdataset != NULL);
+
+	if (dns_rdataset_isassociated(rdataset)) {
+		dns_rdataset_disassociate(rdataset);
+	}
+
+	isc_mem_put(mctx, rdataset, sizeof(*rdataset));
+}
+
+static void
+fetch_done(isc_task_t *task, isc_event_t *event) {
+	resctx_t *rctx = event->ev_arg;
+	dns_fetchevent_t *fevent;
+
+	REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE);
+	REQUIRE(RCTX_VALID(rctx));
+	REQUIRE(rctx->task == task);
+	fevent = (dns_fetchevent_t *)event;
+
+	client_resfind(rctx, fevent);
+}
+
+static isc_result_t
+start_fetch(resctx_t *rctx) {
+	isc_result_t result;
+	int fopts = 0;
+
+	/*
+	 * The caller must be holding the rctx's lock.
+	 */
+
+	REQUIRE(rctx->fetch == NULL);
+
+	if (!rctx->want_cdflag) {
+		fopts |= DNS_FETCHOPT_NOCDFLAG;
+	}
+	if (!rctx->want_validation) {
+		fopts |= DNS_FETCHOPT_NOVALIDATE;
+	}
+	if (rctx->want_tcp) {
+		fopts |= DNS_FETCHOPT_TCP;
+	}
+
+	result = dns_resolver_createfetch(
+		rctx->view->resolver, dns_fixedname_name(&rctx->name),
+		rctx->type, NULL, NULL, NULL, NULL, 0, fopts, 0, NULL,
+		rctx->task, fetch_done, rctx, rctx->rdataset, rctx->sigrdataset,
+		&rctx->fetch);
+
+	return (result);
+}
+
+static isc_result_t
+view_find(resctx_t *rctx, dns_db_t **dbp, dns_dbnode_t **nodep,
+	  dns_name_t *foundname) {
+	isc_result_t result;
+	dns_name_t *name = dns_fixedname_name(&rctx->name);
+	dns_rdatatype_t type;
+
+	if (rctx->type == dns_rdatatype_rrsig) {
+		type = dns_rdatatype_any;
+	} else {
+		type = rctx->type;
+	}
+
+	result = dns_view_find(rctx->view, name, type, 0, 0, false, false, dbp,
+			       nodep, foundname, rctx->rdataset,
+			       rctx->sigrdataset);
+
+	return (result);
+}
+
+static void
+client_resfind(resctx_t *rctx, dns_fetchevent_t *event) {
+	isc_mem_t *mctx;
+	isc_result_t tresult, result = ISC_R_SUCCESS;
+	isc_result_t vresult = ISC_R_SUCCESS;
+	bool want_restart;
+	bool send_event = false;
+	dns_name_t *name, *prefix;
+	dns_fixedname_t foundname, fixed;
+	dns_rdataset_t *trdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	unsigned int nlabels;
+	int order;
+	dns_namereln_t namereln;
+	dns_rdata_cname_t cname;
+	dns_rdata_dname_t dname;
+
+	REQUIRE(RCTX_VALID(rctx));
+
+	LOCK(&rctx->lock);
+
+	mctx = rctx->view->mctx;
+
+	name = dns_fixedname_name(&rctx->name);
+
+	do {
+		dns_name_t *fname = NULL;
+		dns_name_t *ansname = NULL;
+		dns_db_t *db = NULL;
+		dns_dbnode_t *node = NULL;
+
+		rctx->restarts++;
+		want_restart = false;
+
+		if (event == NULL && !rctx->canceled) {
+			fname = dns_fixedname_initname(&foundname);
+			INSIST(!dns_rdataset_isassociated(rctx->rdataset));
+			INSIST(rctx->sigrdataset == NULL ||
+			       !dns_rdataset_isassociated(rctx->sigrdataset));
+			result = view_find(rctx, &db, &node, fname);
+			if (result == ISC_R_NOTFOUND) {
+				/*
+				 * We don't know anything about the name.
+				 * Launch a fetch.
+				 */
+				if (node != NULL) {
+					INSIST(db != NULL);
+					dns_db_detachnode(db, &node);
+				}
+				if (db != NULL) {
+					dns_db_detach(&db);
+				}
+				result = start_fetch(rctx);
+				if (result != ISC_R_SUCCESS) {
+					putrdataset(mctx, &rctx->rdataset);
+					if (rctx->sigrdataset != NULL) {
+						putrdataset(mctx,
+							    &rctx->sigrdataset);
+					}
+					send_event = true;
+				}
+				goto done;
+			}
+		} else {
+			INSIST(event != NULL);
+			INSIST(event->fetch == rctx->fetch);
+			dns_resolver_destroyfetch(&rctx->fetch);
+			db = event->db;
+			node = event->node;
+			result = event->result;
+			vresult = event->vresult;
+			fname = dns_fixedname_name(&event->foundname);
+			INSIST(event->rdataset == rctx->rdataset);
+			INSIST(event->sigrdataset == rctx->sigrdataset);
+		}
+
+		/*
+		 * If we've been canceled, forget about the result.
+		 */
+		if (rctx->canceled) {
+			result = ISC_R_CANCELED;
+		} else {
+			/*
+			 * Otherwise, get some resource for copying the
+			 * result.
+			 */
+			dns_name_t *aname = dns_fixedname_name(&rctx->name);
+
+			ansname = isc_mem_get(mctx, sizeof(*ansname));
+			dns_name_init(ansname, NULL);
+
+			dns_name_dup(aname, mctx, ansname);
+		}
+
+		switch (result) {
+		case ISC_R_SUCCESS:
+			send_event = true;
+			/*
+			 * This case is handled in the main line below.
+			 */
+			break;
+		case DNS_R_CNAME:
+			/*
+			 * Add the CNAME to the answer list.
+			 */
+			trdataset = rctx->rdataset;
+			ISC_LIST_APPEND(ansname->list, rctx->rdataset, link);
+			rctx->rdataset = NULL;
+			if (rctx->sigrdataset != NULL) {
+				ISC_LIST_APPEND(ansname->list,
+						rctx->sigrdataset, link);
+				rctx->sigrdataset = NULL;
+			}
+			ISC_LIST_APPEND(rctx->namelist, ansname, link);
+			ansname = NULL;
+
+			/*
+			 * Copy the CNAME's target into the lookup's
+			 * query name and start over.
+			 */
+			tresult = dns_rdataset_first(trdataset);
+			if (tresult != ISC_R_SUCCESS) {
+				goto done;
+			}
+			dns_rdataset_current(trdataset, &rdata);
+			tresult = dns_rdata_tostruct(&rdata, &cname, NULL);
+			dns_rdata_reset(&rdata);
+			if (tresult != ISC_R_SUCCESS) {
+				goto done;
+			}
+			dns_name_copynf(&cname.cname, name);
+			dns_rdata_freestruct(&cname);
+			want_restart = true;
+			goto done;
+		case DNS_R_DNAME:
+			/*
+			 * Add the DNAME to the answer list.
+			 */
+			trdataset = rctx->rdataset;
+			ISC_LIST_APPEND(ansname->list, rctx->rdataset, link);
+			rctx->rdataset = NULL;
+			if (rctx->sigrdataset != NULL) {
+				ISC_LIST_APPEND(ansname->list,
+						rctx->sigrdataset, link);
+				rctx->sigrdataset = NULL;
+			}
+			ISC_LIST_APPEND(rctx->namelist, ansname, link);
+			ansname = NULL;
+
+			namereln = dns_name_fullcompare(name, fname, &order,
+							&nlabels);
+			INSIST(namereln == dns_namereln_subdomain);
+			/*
+			 * Get the target name of the DNAME.
+			 */
+			tresult = dns_rdataset_first(trdataset);
+			if (tresult != ISC_R_SUCCESS) {
+				result = tresult;
+				goto done;
+			}
+			dns_rdataset_current(trdataset, &rdata);
+			tresult = dns_rdata_tostruct(&rdata, &dname, NULL);
+			dns_rdata_reset(&rdata);
+			if (tresult != ISC_R_SUCCESS) {
+				result = tresult;
+				goto done;
+			}
+			/*
+			 * Construct the new query name and start over.
+			 */
+			prefix = dns_fixedname_initname(&fixed);
+			dns_name_split(name, nlabels, prefix, NULL);
+			tresult = dns_name_concatenate(prefix, &dname.dname,
+						       name, NULL);
+			dns_rdata_freestruct(&dname);
+			if (tresult == ISC_R_SUCCESS) {
+				want_restart = true;
+			} else {
+				result = tresult;
+			}
+			goto done;
+		case DNS_R_NCACHENXDOMAIN:
+		case DNS_R_NCACHENXRRSET:
+			ISC_LIST_APPEND(ansname->list, rctx->rdataset, link);
+			ISC_LIST_APPEND(rctx->namelist, ansname, link);
+			ansname = NULL;
+			rctx->rdataset = NULL;
+			/* What about sigrdataset? */
+			if (rctx->sigrdataset != NULL) {
+				putrdataset(mctx, &rctx->sigrdataset);
+			}
+			send_event = true;
+			goto done;
+		default:
+			if (rctx->rdataset != NULL) {
+				putrdataset(mctx, &rctx->rdataset);
+			}
+			if (rctx->sigrdataset != NULL) {
+				putrdataset(mctx, &rctx->sigrdataset);
+			}
+			send_event = true;
+			goto done;
+		}
+
+		if (rctx->type == dns_rdatatype_any) {
+			int n = 0;
+			dns_rdatasetiter_t *rdsiter = NULL;
+
+			tresult = dns_db_allrdatasets(db, node, NULL, 0, 0,
+						      &rdsiter);
+			if (tresult != ISC_R_SUCCESS) {
+				result = tresult;
+				goto done;
+			}
+
+			tresult = dns_rdatasetiter_first(rdsiter);
+			while (tresult == ISC_R_SUCCESS) {
+				dns_rdatasetiter_current(rdsiter,
+							 rctx->rdataset);
+				if (rctx->rdataset->type != 0) {
+					ISC_LIST_APPEND(ansname->list,
+							rctx->rdataset, link);
+					n++;
+					rctx->rdataset = NULL;
+				} else {
+					/*
+					 * We're not interested in this
+					 * rdataset.
+					 */
+					dns_rdataset_disassociate(
+						rctx->rdataset);
+				}
+				tresult = dns_rdatasetiter_next(rdsiter);
+
+				if (tresult == ISC_R_SUCCESS &&
+				    rctx->rdataset == NULL)
+				{
+					tresult = getrdataset(mctx,
+							      &rctx->rdataset);
+					if (tresult != ISC_R_SUCCESS) {
+						result = tresult;
+						POST(result);
+						break;
+					}
+				}
+			}
+			if (rctx->rdataset != NULL) {
+				putrdataset(mctx, &rctx->rdataset);
+			}
+			if (rctx->sigrdataset != NULL) {
+				putrdataset(mctx, &rctx->sigrdataset);
+			}
+			if (n == 0) {
+				/*
+				 * We didn't match any rdatasets (which means
+				 * something went wrong in this
+				 * implementation).
+				 */
+				result = DNS_R_SERVFAIL; /* better code? */
+				POST(result);
+			} else {
+				ISC_LIST_APPEND(rctx->namelist, ansname, link);
+				ansname = NULL;
+			}
+			dns_rdatasetiter_destroy(&rdsiter);
+			if (tresult != ISC_R_NOMORE) {
+				result = DNS_R_SERVFAIL; /* ditto */
+			} else {
+				result = ISC_R_SUCCESS;
+			}
+			goto done;
+		} else {
+			/*
+			 * This is the "normal" case -- an ordinary question
+			 * to which we've got the answer.
+			 */
+			ISC_LIST_APPEND(ansname->list, rctx->rdataset, link);
+			rctx->rdataset = NULL;
+			if (rctx->sigrdataset != NULL) {
+				ISC_LIST_APPEND(ansname->list,
+						rctx->sigrdataset, link);
+				rctx->sigrdataset = NULL;
+			}
+			ISC_LIST_APPEND(rctx->namelist, ansname, link);
+			ansname = NULL;
+		}
+
+	done:
+		/*
+		 * Free temporary resources
+		 */
+		if (ansname != NULL) {
+			dns_rdataset_t *rdataset;
+
+			while ((rdataset = ISC_LIST_HEAD(ansname->list)) !=
+			       NULL)
+			{
+				ISC_LIST_UNLINK(ansname->list, rdataset, link);
+				putrdataset(mctx, &rdataset);
+			}
+			dns_name_free(ansname, mctx);
+			isc_mem_put(mctx, ansname, sizeof(*ansname));
+		}
+
+		if (node != NULL) {
+			dns_db_detachnode(db, &node);
+		}
+		if (db != NULL) {
+			dns_db_detach(&db);
+		}
+		if (event != NULL) {
+			isc_event_free(ISC_EVENT_PTR(&event));
+		}
+
+		/*
+		 * Limit the number of restarts.
+		 */
+		if (want_restart && rctx->restarts == MAX_RESTARTS) {
+			want_restart = false;
+			result = ISC_R_QUOTA;
+			send_event = true;
+		}
+
+		/*
+		 * Prepare further find with new resources
+		 */
+		if (want_restart) {
+			INSIST(rctx->rdataset == NULL &&
+			       rctx->sigrdataset == NULL);
+
+			result = getrdataset(mctx, &rctx->rdataset);
+			if (result == ISC_R_SUCCESS && rctx->want_dnssec) {
+				result = getrdataset(mctx, &rctx->sigrdataset);
+				if (result != ISC_R_SUCCESS) {
+					putrdataset(mctx, &rctx->rdataset);
+				}
+			}
+
+			if (result != ISC_R_SUCCESS) {
+				want_restart = false;
+				send_event = true;
+			}
+		}
+	} while (want_restart);
+
+	if (send_event) {
+		isc_task_t *task;
+
+		while ((name = ISC_LIST_HEAD(rctx->namelist)) != NULL) {
+			ISC_LIST_UNLINK(rctx->namelist, name, link);
+			ISC_LIST_APPEND(rctx->event->answerlist, name, link);
+		}
+
+		rctx->event->result = result;
+		rctx->event->vresult = vresult;
+		task = rctx->event->ev_sender;
+		rctx->event->ev_sender = rctx;
+		isc_task_sendanddetach(&task, ISC_EVENT_PTR(&rctx->event));
+	}
+
+	UNLOCK(&rctx->lock);
+}
+
+static void
+suspend(isc_task_t *task, isc_event_t *event) {
+	isc_appctx_t *actx = event->ev_arg;
+
+	UNUSED(task);
+
+	isc_app_ctxsuspend(actx);
+	isc_event_free(&event);
+}
+
+static void
+resolve_done(isc_task_t *task, isc_event_t *event) {
+	resarg_t *resarg = event->ev_arg;
+	dns_clientresevent_t *rev = (dns_clientresevent_t *)event;
+	dns_name_t *name;
+	isc_result_t result;
+
+	UNUSED(task);
+
+	LOCK(&resarg->lock);
+
+	resarg->result = rev->result;
+	resarg->vresult = rev->vresult;
+	while ((name = ISC_LIST_HEAD(rev->answerlist)) != NULL) {
+		ISC_LIST_UNLINK(rev->answerlist, name, link);
+		ISC_LIST_APPEND(*resarg->namelist, name, link);
+	}
+
+	dns_client_destroyrestrans(&resarg->trans);
+	isc_event_free(&event);
+
+	if (!resarg->canceled) {
+		UNLOCK(&resarg->lock);
+
+		/*
+		 * We may or may not be running.  isc__appctx_onrun will
+		 * fail if we are currently running otherwise we post a
+		 * action to call isc_app_ctxsuspend when we do start
+		 * running.
+		 */
+		result = isc_app_ctxonrun(resarg->actx, resarg->client->mctx,
+					  task, suspend, resarg->actx);
+		if (result == ISC_R_ALREADYRUNNING) {
+			isc_app_ctxsuspend(resarg->actx);
+		}
+	} else {
+		/*
+		 * We have already exited from the loop (due to some
+		 * unexpected event).  Just clean the arg up.
+		 */
+		UNLOCK(&resarg->lock);
+		isc_mutex_destroy(&resarg->lock);
+		isc_mem_put(resarg->client->mctx, resarg, sizeof(*resarg));
+	}
+}
+
+isc_result_t
+dns_client_resolve(dns_client_t *client, const dns_name_t *name,
+		   dns_rdataclass_t rdclass, dns_rdatatype_t type,
+		   unsigned int options, dns_namelist_t *namelist) {
+	isc_result_t result;
+	resarg_t *resarg;
+
+	REQUIRE(DNS_CLIENT_VALID(client));
+	REQUIRE(client->actx != NULL);
+	REQUIRE(namelist != NULL && ISC_LIST_EMPTY(*namelist));
+
+	resarg = isc_mem_get(client->mctx, sizeof(*resarg));
+
+	*resarg = (resarg_t){
+		.actx = client->actx,
+		.client = client,
+		.result = DNS_R_SERVFAIL,
+		.namelist = namelist,
+	};
+
+	isc_mutex_init(&resarg->lock);
+
+	result = dns_client_startresolve(client, name, rdclass, type, options,
+					 client->task, resolve_done, resarg,
+					 &resarg->trans);
+	if (result != ISC_R_SUCCESS) {
+		isc_mutex_destroy(&resarg->lock);
+		isc_mem_put(client->mctx, resarg, sizeof(*resarg));
+		return (result);
+	}
+
+	/*
+	 * Start internal event loop.  It blocks until the entire process
+	 * is completed.
+	 */
+	result = isc_app_ctxrun(client->actx);
+
+	LOCK(&resarg->lock);
+	if (result == ISC_R_SUCCESS || result == ISC_R_SUSPEND) {
+		result = resarg->result;
+	}
+	if (result != ISC_R_SUCCESS && resarg->vresult != ISC_R_SUCCESS) {
+		/*
+		 * If this lookup failed due to some error in DNSSEC
+		 * validation, return the validation error code.
+		 * XXX: or should we pass the validation result separately?
+		 */
+		result = resarg->vresult;
+	}
+	if (resarg->trans != NULL) {
+		/*
+		 * Unusual termination (perhaps due to signal).  We need some
+		 * tricky cleanup process.
+		 */
+		resarg->canceled = true;
+		dns_client_cancelresolve(resarg->trans);
+
+		UNLOCK(&resarg->lock);
+
+		/* resarg will be freed in the event handler. */
+	} else {
+		UNLOCK(&resarg->lock);
+
+		isc_mutex_destroy(&resarg->lock);
+		isc_mem_put(client->mctx, resarg, sizeof(*resarg));
+	}
+
+	return (result);
+}
+
+isc_result_t
+dns_client_startresolve(dns_client_t *client, const dns_name_t *name,
+			dns_rdataclass_t rdclass, dns_rdatatype_t type,
+			unsigned int options, isc_task_t *task,
+			isc_taskaction_t action, void *arg,
+			dns_clientrestrans_t **transp) {
+	dns_view_t *view = NULL;
+	dns_clientresevent_t *event = NULL;
+	resctx_t *rctx = NULL;
+	isc_task_t *tclone = NULL;
+	isc_mem_t *mctx;
+	isc_result_t result;
+	dns_rdataset_t *rdataset, *sigrdataset;
+	bool want_dnssec, want_validation, want_cdflag, want_tcp;
+
+	REQUIRE(DNS_CLIENT_VALID(client));
+	REQUIRE(transp != NULL && *transp == NULL);
+
+	LOCK(&client->lock);
+	result = dns_viewlist_find(&client->viewlist, DNS_CLIENTVIEW_NAME,
+				   rdclass, &view);
+	UNLOCK(&client->lock);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	mctx = client->mctx;
+	rdataset = NULL;
+	sigrdataset = NULL;
+	want_dnssec = ((options & DNS_CLIENTRESOPT_NODNSSEC) == 0);
+	want_validation = ((options & DNS_CLIENTRESOPT_NOVALIDATE) == 0);
+	want_cdflag = ((options & DNS_CLIENTRESOPT_NOCDFLAG) == 0);
+	want_tcp = ((options & DNS_CLIENTRESOPT_TCP) != 0);
+
+	/*
+	 * Prepare some intermediate resources
+	 */
+	tclone = NULL;
+	isc_task_attach(task, &tclone);
+	event = (dns_clientresevent_t *)isc_event_allocate(
+		mctx, tclone, DNS_EVENT_CLIENTRESDONE, action, arg,
+		sizeof(*event));
+	event->result = DNS_R_SERVFAIL;
+	ISC_LIST_INIT(event->answerlist);
+
+	rctx = isc_mem_get(mctx, sizeof(*rctx));
+	isc_mutex_init(&rctx->lock);
+
+	result = getrdataset(mctx, &rdataset);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	rctx->rdataset = rdataset;
+
+	if (want_dnssec) {
+		result = getrdataset(mctx, &sigrdataset);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+	}
+	rctx->sigrdataset = sigrdataset;
+
+	dns_fixedname_init(&rctx->name);
+	dns_name_copynf(name, dns_fixedname_name(&rctx->name));
+
+	rctx->client = client;
+	ISC_LINK_INIT(rctx, link);
+	rctx->canceled = false;
+	rctx->task = client->task;
+	rctx->type = type;
+	rctx->view = view;
+	rctx->restarts = 0;
+	rctx->fetch = NULL;
+	rctx->want_dnssec = want_dnssec;
+	rctx->want_validation = want_validation;
+	rctx->want_cdflag = want_cdflag;
+	rctx->want_tcp = want_tcp;
+	ISC_LIST_INIT(rctx->namelist);
+	rctx->event = event;
+
+	rctx->magic = RCTX_MAGIC;
+	isc_refcount_increment(&client->references);
+
+	LOCK(&client->lock);
+	ISC_LIST_APPEND(client->resctxs, rctx, link);
+	UNLOCK(&client->lock);
+
+	*transp = (dns_clientrestrans_t *)rctx;
+	client_resfind(rctx, NULL);
+
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	if (rdataset != NULL) {
+		putrdataset(client->mctx, &rdataset);
+	}
+	if (sigrdataset != NULL) {
+		putrdataset(client->mctx, &sigrdataset);
+	}
+	isc_mutex_destroy(&rctx->lock);
+	isc_mem_put(mctx, rctx, sizeof(*rctx));
+	isc_event_free(ISC_EVENT_PTR(&event));
+	isc_task_detach(&tclone);
+	dns_view_detach(&view);
+
+	return (result);
+}
+
+void
+dns_client_cancelresolve(dns_clientrestrans_t *trans) {
+	resctx_t *rctx;
+
+	REQUIRE(trans != NULL);
+	rctx = (resctx_t *)trans;
+	REQUIRE(RCTX_VALID(rctx));
+
+	LOCK(&rctx->lock);
+
+	if (!rctx->canceled) {
+		rctx->canceled = true;
+		if (rctx->fetch != NULL) {
+			dns_resolver_cancelfetch(rctx->fetch);
+		}
+	}
+
+	UNLOCK(&rctx->lock);
+}
+
+void
+dns_client_freeresanswer(dns_client_t *client, dns_namelist_t *namelist) {
+	dns_name_t *name;
+	dns_rdataset_t *rdataset;
+
+	REQUIRE(DNS_CLIENT_VALID(client));
+	REQUIRE(namelist != NULL);
+
+	while ((name = ISC_LIST_HEAD(*namelist)) != NULL) {
+		ISC_LIST_UNLINK(*namelist, name, link);
+		while ((rdataset = ISC_LIST_HEAD(name->list)) != NULL) {
+			ISC_LIST_UNLINK(name->list, rdataset, link);
+			putrdataset(client->mctx, &rdataset);
+		}
+		dns_name_free(name, client->mctx);
+		isc_mem_put(client->mctx, name, sizeof(*name));
+	}
+}
+
+void
+dns_client_destroyrestrans(dns_clientrestrans_t **transp) {
+	resctx_t *rctx;
+	isc_mem_t *mctx;
+	dns_client_t *client;
+
+	REQUIRE(transp != NULL);
+	rctx = (resctx_t *)*transp;
+	*transp = NULL;
+	REQUIRE(RCTX_VALID(rctx));
+	REQUIRE(rctx->fetch == NULL);
+	REQUIRE(rctx->event == NULL);
+	client = rctx->client;
+	REQUIRE(DNS_CLIENT_VALID(client));
+
+	mctx = client->mctx;
+	dns_view_detach(&rctx->view);
+
+	/*
+	 * Wait for the lock in client_resfind to be released before
+	 * destroying the lock.
+	 */
+	LOCK(&rctx->lock);
+	UNLOCK(&rctx->lock);
+
+	LOCK(&client->lock);
+
+	INSIST(ISC_LINK_LINKED(rctx, link));
+	ISC_LIST_UNLINK(client->resctxs, rctx, link);
+
+	UNLOCK(&client->lock);
+
+	INSIST(ISC_LIST_EMPTY(rctx->namelist));
+
+	isc_mutex_destroy(&rctx->lock);
+	rctx->magic = 0;
+
+	isc_mem_put(mctx, rctx, sizeof(*rctx));
+
+	dns_client_destroy(&client);
+}
+
+isc_result_t
+dns_client_addtrustedkey(dns_client_t *client, dns_rdataclass_t rdclass,
+			 dns_rdatatype_t rdtype, const dns_name_t *keyname,
+			 isc_buffer_t *databuf) {
+	isc_result_t result;
+	dns_view_t *view = NULL;
+	dns_keytable_t *secroots = NULL;
+	dns_name_t *name = NULL;
+	char rdatabuf[DST_KEY_MAXSIZE];
+	unsigned char digest[ISC_MAX_MD_SIZE];
+	dns_rdata_ds_t ds;
+	dns_decompress_t dctx;
+	dns_rdata_t rdata;
+	isc_buffer_t b;
+
+	REQUIRE(DNS_CLIENT_VALID(client));
+
+	LOCK(&client->lock);
+	result = dns_viewlist_find(&client->viewlist, DNS_CLIENTVIEW_NAME,
+				   rdclass, &view);
+	UNLOCK(&client->lock);
+	CHECK(result);
+
+	CHECK(dns_view_getsecroots(view, &secroots));
+
+	DE_CONST(keyname, name);
+
+	if (rdtype != dns_rdatatype_dnskey && rdtype != dns_rdatatype_ds) {
+		result = ISC_R_NOTIMPLEMENTED;
+		goto cleanup;
+	}
+
+	isc_buffer_init(&b, rdatabuf, sizeof(rdatabuf));
+	dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_NONE);
+	dns_rdata_init(&rdata);
+	isc_buffer_setactive(databuf, isc_buffer_usedlength(databuf));
+	CHECK(dns_rdata_fromwire(&rdata, rdclass, rdtype, databuf, &dctx, 0,
+				 &b));
+	dns_decompress_invalidate(&dctx);
+
+	if (rdtype == dns_rdatatype_ds) {
+		CHECK(dns_rdata_tostruct(&rdata, &ds, NULL));
+	} else {
+		CHECK(dns_ds_fromkeyrdata(name, &rdata, DNS_DSDIGEST_SHA256,
+					  digest, &ds));
+	}
+
+	CHECK(dns_keytable_add(secroots, false, false, name, &ds));
+
+cleanup:
+	if (view != NULL) {
+		dns_view_detach(&view);
+	}
+	if (secroots != NULL) {
+		dns_keytable_detach(&secroots);
+	}
+	return (result);
+}
diff --git a/lib/dns/clientinfo.c b/lib/dns/clientinfo.c
new file mode 100644
index 0000000..fe81d59
--- /dev/null
+++ b/lib/dns/clientinfo.c
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <dns/clientinfo.h>
+#include <dns/ecs.h>
+
+void
+dns_clientinfomethods_init(dns_clientinfomethods_t *methods,
+			   dns_clientinfo_sourceip_t sourceip) {
+	methods->version = DNS_CLIENTINFOMETHODS_VERSION;
+	methods->age = DNS_CLIENTINFOMETHODS_AGE;
+	methods->sourceip = sourceip;
+}
+
+void
+dns_clientinfo_init(dns_clientinfo_t *ci, void *data, dns_ecs_t *ecs,
+		    void *versionp) {
+	ci->version = DNS_CLIENTINFO_VERSION;
+	ci->data = data;
+	ci->dbversion = versionp;
+	if (ecs != NULL) {
+		ci->ecs = *ecs;
+	} else {
+		dns_ecs_init(&ci->ecs);
+	}
+}
diff --git a/lib/dns/compress.c b/lib/dns/compress.c
new file mode 100644
index 0000000..e8e8954
--- /dev/null
+++ b/lib/dns/compress.c
@@ -0,0 +1,584 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#define DNS_NAME_USEINLINE 1
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/compress.h>
+#include <dns/fixedname.h>
+#include <dns/rbt.h>
+#include <dns/result.h>
+
+#define CCTX_MAGIC    ISC_MAGIC('C', 'C', 'T', 'X')
+#define VALID_CCTX(x) ISC_MAGIC_VALID(x, CCTX_MAGIC)
+
+#define DCTX_MAGIC    ISC_MAGIC('D', 'C', 'T', 'X')
+#define VALID_DCTX(x) ISC_MAGIC_VALID(x, DCTX_MAGIC)
+
+static unsigned char maptolower[] = {
+	0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
+	0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+	0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
+	0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
+	0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b,
+	0x3c, 0x3d, 0x3e, 0x3f, 0x40, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
+	0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73,
+	0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f,
+	0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b,
+	0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
+	0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x80, 0x81, 0x82, 0x83,
+	0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
+	0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97, 0x98, 0x99, 0x9a, 0x9b,
+	0x9c, 0x9d, 0x9e, 0x9f, 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
+	0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf, 0xb0, 0xb1, 0xb2, 0xb3,
+	0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf,
+	0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, 0xc8, 0xc9, 0xca, 0xcb,
+	0xcc, 0xcd, 0xce, 0xcf, 0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7,
+	0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf, 0xe0, 0xe1, 0xe2, 0xe3,
+	0xe4, 0xe5, 0xe6, 0xe7, 0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef,
+	0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb,
+	0xfc, 0xfd, 0xfe, 0xff
+};
+
+/*
+ * The tableindex array below is of size 256, one entry for each
+ * unsigned char value. The tableindex array elements are dependent on
+ * DNS_COMPRESS_TABLESIZE. The table was created using the following
+ * function.
+ *
+ * static void
+ * gentable(unsigned char *table) {
+ *         unsigned int i;
+ *         const unsigned int left = DNS_COMPRESS_TABLESIZE - 38;
+ *         long r;
+ *
+ *         for (i = 0; i < 26; i++) {
+ *                 table['A' + i] = i;
+ *                 table['a' + i] = i;
+ *         }
+ *
+ *         for (i = 0; i <= 9; i++)
+ *                 table['0' + i] = i + 26;
+ *
+ *         table['-'] = 36;
+ *         table['_'] = 37;
+ *
+ *         for (i = 0; i < 256; i++) {
+ *                 if ((i >= 'a' && i <= 'z') ||
+ *                     (i >= 'A' && i <= 'Z') ||
+ *                     (i >= '0' && i <= '9') ||
+ *                     (i == '-') ||
+ *                     (i == '_'))
+ *                         continue;
+ *                 r = random() % left;
+ *                 table[i] = 38 + r;
+ *         }
+ * }
+ */
+static unsigned char tableindex[256] = {
+	0x3e, 0x3e, 0x33, 0x2d, 0x30, 0x38, 0x31, 0x3c, 0x2b, 0x33, 0x30, 0x3f,
+	0x2d, 0x3c, 0x36, 0x3a, 0x28, 0x2c, 0x2a, 0x37, 0x3d, 0x34, 0x35, 0x2d,
+	0x39, 0x2b, 0x2f, 0x2c, 0x3b, 0x32, 0x2b, 0x39, 0x30, 0x38, 0x28, 0x3c,
+	0x32, 0x33, 0x39, 0x38, 0x27, 0x2b, 0x39, 0x30, 0x27, 0x24, 0x2f, 0x2b,
+	0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x3a, 0x29, 0x36,
+	0x31, 0x3c, 0x35, 0x26, 0x31, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,
+	0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12,
+	0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x3e, 0x3b, 0x39, 0x2f, 0x25,
+	0x27, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
+	0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16,
+	0x17, 0x18, 0x19, 0x36, 0x3b, 0x2f, 0x2f, 0x2e, 0x29, 0x33, 0x2a, 0x36,
+	0x28, 0x3f, 0x2e, 0x29, 0x2c, 0x29, 0x36, 0x2d, 0x32, 0x3d, 0x33, 0x2a,
+	0x2e, 0x2f, 0x3b, 0x30, 0x3d, 0x39, 0x2b, 0x36, 0x2a, 0x2f, 0x2c, 0x26,
+	0x3a, 0x37, 0x30, 0x3d, 0x2a, 0x36, 0x33, 0x2c, 0x38, 0x3d, 0x32, 0x3e,
+	0x26, 0x2a, 0x2c, 0x35, 0x27, 0x39, 0x3b, 0x31, 0x2a, 0x37, 0x3c, 0x27,
+	0x32, 0x29, 0x39, 0x37, 0x34, 0x3f, 0x39, 0x2e, 0x38, 0x2b, 0x2c, 0x3e,
+	0x3b, 0x3b, 0x2d, 0x33, 0x3b, 0x3b, 0x32, 0x3d, 0x3f, 0x3a, 0x34, 0x26,
+	0x35, 0x30, 0x31, 0x39, 0x27, 0x2f, 0x3d, 0x35, 0x35, 0x36, 0x2e, 0x29,
+	0x38, 0x27, 0x34, 0x32, 0x2c, 0x3c, 0x31, 0x28, 0x37, 0x38, 0x37, 0x34,
+	0x33, 0x29, 0x32, 0x34, 0x3f, 0x26, 0x34, 0x34, 0x32, 0x27, 0x30, 0x33,
+	0x33, 0x2d, 0x2b, 0x28, 0x3f, 0x33, 0x2b, 0x39, 0x37, 0x39, 0x2c, 0x3d,
+	0x35, 0x39, 0x27, 0x2f
+};
+
+/***
+ ***	Compression
+ ***/
+
+isc_result_t
+dns_compress_init(dns_compress_t *cctx, int edns, isc_mem_t *mctx) {
+	REQUIRE(cctx != NULL);
+	REQUIRE(mctx != NULL); /* See: rdataset.c:towiresorted(). */
+
+	cctx->edns = edns;
+	cctx->mctx = mctx;
+	cctx->count = 0;
+	cctx->allowed = DNS_COMPRESS_ENABLED;
+	cctx->arena_off = 0;
+
+	memset(&cctx->table[0], 0, sizeof(cctx->table));
+
+	cctx->magic = CCTX_MAGIC;
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_compress_invalidate(dns_compress_t *cctx) {
+	dns_compressnode_t *node;
+	unsigned int i;
+
+	REQUIRE(VALID_CCTX(cctx));
+
+	for (i = 0; i < DNS_COMPRESS_TABLESIZE; i++) {
+		while (cctx->table[i] != NULL) {
+			node = cctx->table[i];
+			cctx->table[i] = cctx->table[i]->next;
+			if ((node->offset & 0x8000) != 0) {
+				isc_mem_put(cctx->mctx, node->r.base,
+					    node->r.length);
+			}
+			if (node->count < DNS_COMPRESS_INITIALNODES) {
+				continue;
+			}
+			isc_mem_put(cctx->mctx, node, sizeof(*node));
+		}
+	}
+
+	cctx->magic = 0;
+	cctx->allowed = 0;
+	cctx->edns = -1;
+}
+
+void
+dns_compress_setmethods(dns_compress_t *cctx, unsigned int allowed) {
+	REQUIRE(VALID_CCTX(cctx));
+
+	cctx->allowed &= ~DNS_COMPRESS_ALL;
+	cctx->allowed |= (allowed & DNS_COMPRESS_ALL);
+}
+
+unsigned int
+dns_compress_getmethods(dns_compress_t *cctx) {
+	REQUIRE(VALID_CCTX(cctx));
+	return (cctx->allowed & DNS_COMPRESS_ALL);
+}
+
+void
+dns_compress_disable(dns_compress_t *cctx) {
+	REQUIRE(VALID_CCTX(cctx));
+	cctx->allowed &= ~DNS_COMPRESS_ENABLED;
+}
+
+void
+dns_compress_setsensitive(dns_compress_t *cctx, bool sensitive) {
+	REQUIRE(VALID_CCTX(cctx));
+
+	if (sensitive) {
+		cctx->allowed |= DNS_COMPRESS_CASESENSITIVE;
+	} else {
+		cctx->allowed &= ~DNS_COMPRESS_CASESENSITIVE;
+	}
+}
+
+bool
+dns_compress_getsensitive(dns_compress_t *cctx) {
+	REQUIRE(VALID_CCTX(cctx));
+
+	return (cctx->allowed & DNS_COMPRESS_CASESENSITIVE);
+}
+
+int
+dns_compress_getedns(dns_compress_t *cctx) {
+	REQUIRE(VALID_CCTX(cctx));
+	return (cctx->edns);
+}
+
+/*
+ * Find the longest match of name in the table.
+ * If match is found return true. prefix, suffix and offset are updated.
+ * If no match is found return false.
+ */
+bool
+dns_compress_findglobal(dns_compress_t *cctx, const dns_name_t *name,
+			dns_name_t *prefix, uint16_t *offset) {
+	dns_name_t tname;
+	dns_compressnode_t *node = NULL;
+	unsigned int labels, i, n;
+	unsigned int numlabels;
+	unsigned char *p;
+
+	REQUIRE(VALID_CCTX(cctx));
+	REQUIRE(dns_name_isabsolute(name));
+	REQUIRE(offset != NULL);
+
+	if (ISC_UNLIKELY((cctx->allowed & DNS_COMPRESS_ENABLED) == 0)) {
+		return (false);
+	}
+
+	if (cctx->count == 0) {
+		return (false);
+	}
+
+	labels = dns_name_countlabels(name);
+	INSIST(labels > 0);
+
+	dns_name_init(&tname, NULL);
+
+	numlabels = labels > 3U ? 3U : labels;
+	p = name->ndata;
+
+	for (n = 0; n < numlabels - 1; n++) {
+		unsigned char ch, llen;
+		unsigned int firstoffset, length;
+
+		firstoffset = (unsigned int)(p - name->ndata);
+		length = name->length - firstoffset;
+
+		/*
+		 * We calculate the table index using the first
+		 * character in the first label of the suffix name.
+		 */
+		ch = p[1];
+		i = tableindex[ch];
+		if (ISC_LIKELY((cctx->allowed & DNS_COMPRESS_CASESENSITIVE) !=
+			       0))
+		{
+			for (node = cctx->table[i]; node != NULL;
+			     node = node->next)
+			{
+				if (ISC_UNLIKELY(node->name.length != length)) {
+					continue;
+				}
+
+				if (ISC_LIKELY(memcmp(node->name.ndata, p,
+						      length) == 0))
+				{
+					goto found;
+				}
+			}
+		} else {
+			for (node = cctx->table[i]; node != NULL;
+			     node = node->next)
+			{
+				unsigned int l, count;
+				unsigned char c;
+				unsigned char *label1, *label2;
+
+				if (ISC_UNLIKELY(node->name.length != length)) {
+					continue;
+				}
+
+				l = labels - n;
+				if (ISC_UNLIKELY(node->name.labels != l)) {
+					continue;
+				}
+
+				label1 = node->name.ndata;
+				label2 = p;
+				while (ISC_LIKELY(l-- > 0)) {
+					count = *label1++;
+					if (count != *label2++) {
+						goto cont1;
+					}
+
+					/* no bitstring support */
+					INSIST(count <= 63);
+
+					/* Loop unrolled for performance */
+					while (ISC_LIKELY(count > 3)) {
+						c = maptolower[label1[0]];
+						if (c != maptolower[label2[0]])
+						{
+							goto cont1;
+						}
+						c = maptolower[label1[1]];
+						if (c != maptolower[label2[1]])
+						{
+							goto cont1;
+						}
+						c = maptolower[label1[2]];
+						if (c != maptolower[label2[2]])
+						{
+							goto cont1;
+						}
+						c = maptolower[label1[3]];
+						if (c != maptolower[label2[3]])
+						{
+							goto cont1;
+						}
+						count -= 4;
+						label1 += 4;
+						label2 += 4;
+					}
+					while (ISC_LIKELY(count-- > 0)) {
+						c = maptolower[*label1++];
+						if (c != maptolower[*label2++])
+						{
+							goto cont1;
+						}
+					}
+				}
+				break;
+			cont1:
+				continue;
+			}
+		}
+
+		if (node != NULL) {
+			break;
+		}
+
+		llen = *p;
+		p += llen + 1;
+	}
+
+found:
+	/*
+	 * If node == NULL, we found no match at all.
+	 */
+	if (node == NULL) {
+		return (false);
+	}
+
+	if (n == 0) {
+		dns_name_reset(prefix);
+	} else {
+		dns_name_getlabelsequence(name, 0, n, prefix);
+	}
+
+	*offset = (node->offset & 0x7fff);
+	return (true);
+}
+
+static unsigned int
+name_length(const dns_name_t *name) {
+	isc_region_t r;
+	dns_name_toregion(name, &r);
+	return (r.length);
+}
+
+void
+dns_compress_add(dns_compress_t *cctx, const dns_name_t *name,
+		 const dns_name_t *prefix, uint16_t offset) {
+	dns_name_t tname, xname;
+	unsigned int start;
+	unsigned int n;
+	unsigned int count;
+	unsigned int i;
+	dns_compressnode_t *node;
+	unsigned int length;
+	unsigned int tlength;
+	uint16_t toffset;
+	unsigned char *tmp;
+	isc_region_t r;
+	bool allocated = false;
+
+	REQUIRE(VALID_CCTX(cctx));
+	REQUIRE(dns_name_isabsolute(name));
+
+	if (ISC_UNLIKELY((cctx->allowed & DNS_COMPRESS_ENABLED) == 0)) {
+		return;
+	}
+
+	if (offset >= 0x4000) {
+		return;
+	}
+	dns_name_init(&tname, NULL);
+	dns_name_init(&xname, NULL);
+
+	n = dns_name_countlabels(name);
+	count = dns_name_countlabels(prefix);
+	if (dns_name_isabsolute(prefix)) {
+		count--;
+	}
+	if (count == 0) {
+		return;
+	}
+	start = 0;
+	dns_name_toregion(name, &r);
+	length = r.length;
+	if (cctx->arena_off + length < DNS_COMPRESS_ARENA_SIZE) {
+		tmp = &cctx->arena[cctx->arena_off];
+		cctx->arena_off += length;
+	} else {
+		allocated = true;
+		tmp = isc_mem_get(cctx->mctx, length);
+	}
+	/*
+	 * Copy name data to 'tmp' and make 'r' use 'tmp'.
+	 */
+	memmove(tmp, r.base, r.length);
+	r.base = tmp;
+	dns_name_fromregion(&xname, &r);
+
+	if (count > 2U) {
+		count = 2U;
+	}
+
+	while (count > 0) {
+		unsigned char ch;
+
+		dns_name_getlabelsequence(&xname, start, n, &tname);
+		/*
+		 * We calculate the table index using the first
+		 * character in the first label of tname.
+		 */
+		ch = tname.ndata[1];
+		i = tableindex[ch];
+		tlength = name_length(&tname);
+		toffset = (uint16_t)(offset + (length - tlength));
+		if (toffset >= 0x4000) {
+			break;
+		}
+		/*
+		 * Create a new node and add it.
+		 */
+		if (cctx->count < DNS_COMPRESS_INITIALNODES) {
+			node = &cctx->initialnodes[cctx->count];
+		} else {
+			node = isc_mem_get(cctx->mctx,
+					   sizeof(dns_compressnode_t));
+		}
+		node->count = cctx->count++;
+		/*
+		 * 'node->r.base' becomes 'tmp' when start == 0.
+		 * Record this by setting 0x8000 so it can be freed later.
+		 */
+		if (start == 0 && allocated) {
+			toffset |= 0x8000;
+		}
+		node->offset = toffset;
+		dns_name_toregion(&tname, &node->r);
+		dns_name_init(&node->name, NULL);
+		node->name.length = node->r.length;
+		node->name.ndata = node->r.base;
+		node->name.labels = tname.labels;
+		node->name.attributes = DNS_NAMEATTR_ABSOLUTE;
+		node->next = cctx->table[i];
+		cctx->table[i] = node;
+		start++;
+		n--;
+		count--;
+	}
+
+	if (start == 0) {
+		if (!allocated) {
+			cctx->arena_off -= length;
+		} else {
+			isc_mem_put(cctx->mctx, tmp, length);
+		}
+	}
+}
+
+void
+dns_compress_rollback(dns_compress_t *cctx, uint16_t offset) {
+	unsigned int i;
+	dns_compressnode_t *node;
+
+	REQUIRE(VALID_CCTX(cctx));
+
+	if (ISC_UNLIKELY((cctx->allowed & DNS_COMPRESS_ENABLED) == 0)) {
+		return;
+	}
+
+	for (i = 0; i < DNS_COMPRESS_TABLESIZE; i++) {
+		node = cctx->table[i];
+		/*
+		 * This relies on nodes with greater offsets being
+		 * closer to the beginning of the list, and the
+		 * items with the greatest offsets being at the end
+		 * of the initialnodes[] array.
+		 */
+		while (node != NULL && (node->offset & 0x7fff) >= offset) {
+			cctx->table[i] = node->next;
+			if ((node->offset & 0x8000) != 0) {
+				isc_mem_put(cctx->mctx, node->r.base,
+					    node->r.length);
+			}
+			if (node->count >= DNS_COMPRESS_INITIALNODES) {
+				isc_mem_put(cctx->mctx, node, sizeof(*node));
+			}
+			cctx->count--;
+			node = cctx->table[i];
+		}
+	}
+}
+
+/***
+ ***	Decompression
+ ***/
+
+void
+dns_decompress_init(dns_decompress_t *dctx, int edns,
+		    dns_decompresstype_t type) {
+	REQUIRE(dctx != NULL);
+	REQUIRE(edns >= -1 && edns <= 255);
+
+	dctx->allowed = DNS_COMPRESS_NONE;
+	dctx->edns = edns;
+	dctx->type = type;
+	dctx->magic = DCTX_MAGIC;
+}
+
+void
+dns_decompress_invalidate(dns_decompress_t *dctx) {
+	REQUIRE(VALID_DCTX(dctx));
+
+	dctx->magic = 0;
+}
+
+void
+dns_decompress_setmethods(dns_decompress_t *dctx, unsigned int allowed) {
+	REQUIRE(VALID_DCTX(dctx));
+
+	switch (dctx->type) {
+	case DNS_DECOMPRESS_ANY:
+		dctx->allowed = DNS_COMPRESS_ALL;
+		break;
+	case DNS_DECOMPRESS_NONE:
+		dctx->allowed = DNS_COMPRESS_NONE;
+		break;
+	case DNS_DECOMPRESS_STRICT:
+		dctx->allowed = allowed;
+		break;
+	}
+}
+
+unsigned int
+dns_decompress_getmethods(dns_decompress_t *dctx) {
+	REQUIRE(VALID_DCTX(dctx));
+
+	return (dctx->allowed);
+}
+
+int
+dns_decompress_edns(dns_decompress_t *dctx) {
+	REQUIRE(VALID_DCTX(dctx));
+
+	return (dctx->edns);
+}
+
+dns_decompresstype_t
+dns_decompress_type(dns_decompress_t *dctx) {
+	REQUIRE(VALID_DCTX(dctx));
+
+	return (dctx->type);
+}
diff --git a/lib/dns/db.c b/lib/dns/db.c
new file mode 100644
index 0000000..41dbaa3
--- /dev/null
+++ b/lib/dns/db.c
@@ -0,0 +1,1139 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+/***
+ *** Imports
+ ***/
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/rwlock.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/callbacks.h>
+#include <dns/clientinfo.h>
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/log.h>
+#include <dns/master.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/result.h>
+
+/***
+ *** Private Types
+ ***/
+
+struct dns_dbimplementation {
+	const char *name;
+	dns_dbcreatefunc_t create;
+	isc_mem_t *mctx;
+	void *driverarg;
+	ISC_LINK(dns_dbimplementation_t) link;
+};
+
+/***
+ *** Supported DB Implementations Registry
+ ***/
+
+/*
+ * Built in database implementations are registered here.
+ */
+
+#include "rbtdb.h"
+
+static ISC_LIST(dns_dbimplementation_t) implementations;
+static isc_rwlock_t implock;
+static isc_once_t once = ISC_ONCE_INIT;
+
+static dns_dbimplementation_t rbtimp;
+
+static void
+initialize(void) {
+	isc_rwlock_init(&implock, 0, 0);
+
+	rbtimp.name = "rbt";
+	rbtimp.create = dns_rbtdb_create;
+	rbtimp.mctx = NULL;
+	rbtimp.driverarg = NULL;
+	ISC_LINK_INIT(&rbtimp, link);
+
+	ISC_LIST_INIT(implementations);
+	ISC_LIST_APPEND(implementations, &rbtimp, link);
+}
+
+static dns_dbimplementation_t *
+impfind(const char *name) {
+	dns_dbimplementation_t *imp;
+
+	for (imp = ISC_LIST_HEAD(implementations); imp != NULL;
+	     imp = ISC_LIST_NEXT(imp, link))
+	{
+		if (strcasecmp(name, imp->name) == 0) {
+			return (imp);
+		}
+	}
+	return (NULL);
+}
+
+/***
+ *** Basic DB Methods
+ ***/
+
+isc_result_t
+dns_db_create(isc_mem_t *mctx, const char *db_type, const dns_name_t *origin,
+	      dns_dbtype_t type, dns_rdataclass_t rdclass, unsigned int argc,
+	      char *argv[], dns_db_t **dbp) {
+	dns_dbimplementation_t *impinfo;
+
+	RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
+
+	/*
+	 * Create a new database using implementation 'db_type'.
+	 */
+
+	REQUIRE(dbp != NULL && *dbp == NULL);
+	REQUIRE(dns_name_isabsolute(origin));
+
+	RWLOCK(&implock, isc_rwlocktype_read);
+	impinfo = impfind(db_type);
+	if (impinfo != NULL) {
+		isc_result_t result;
+		result = ((impinfo->create)(mctx, origin, type, rdclass, argc,
+					    argv, impinfo->driverarg, dbp));
+		RWUNLOCK(&implock, isc_rwlocktype_read);
+		return (result);
+	}
+
+	RWUNLOCK(&implock, isc_rwlocktype_read);
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DB,
+		      ISC_LOG_ERROR, "unsupported database type '%s'", db_type);
+
+	return (ISC_R_NOTFOUND);
+}
+
+void
+dns_db_attach(dns_db_t *source, dns_db_t **targetp) {
+	/*
+	 * Attach *targetp to source.
+	 */
+
+	REQUIRE(DNS_DB_VALID(source));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	(source->methods->attach)(source, targetp);
+
+	ENSURE(*targetp == source);
+}
+
+void
+dns_db_detach(dns_db_t **dbp) {
+	/*
+	 * Detach *dbp from its database.
+	 */
+
+	REQUIRE(dbp != NULL);
+	REQUIRE(DNS_DB_VALID(*dbp));
+
+	((*dbp)->methods->detach)(dbp);
+
+	ENSURE(*dbp == NULL);
+}
+
+bool
+dns_db_iscache(dns_db_t *db) {
+	/*
+	 * Does 'db' have cache semantics?
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+
+	if ((db->attributes & DNS_DBATTR_CACHE) != 0) {
+		return (true);
+	}
+
+	return (false);
+}
+
+bool
+dns_db_iszone(dns_db_t *db) {
+	/*
+	 * Does 'db' have zone semantics?
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+
+	if ((db->attributes & (DNS_DBATTR_CACHE | DNS_DBATTR_STUB)) == 0) {
+		return (true);
+	}
+
+	return (false);
+}
+
+bool
+dns_db_isstub(dns_db_t *db) {
+	/*
+	 * Does 'db' have stub semantics?
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+
+	if ((db->attributes & DNS_DBATTR_STUB) != 0) {
+		return (true);
+	}
+
+	return (false);
+}
+
+bool
+dns_db_isdnssec(dns_db_t *db) {
+	/*
+	 * Is 'db' secure or partially secure?
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE((db->attributes & DNS_DBATTR_CACHE) == 0);
+
+	if (db->methods->isdnssec != NULL) {
+		return ((db->methods->isdnssec)(db));
+	}
+	return ((db->methods->issecure)(db));
+}
+
+bool
+dns_db_issecure(dns_db_t *db) {
+	/*
+	 * Is 'db' secure?
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE((db->attributes & DNS_DBATTR_CACHE) == 0);
+
+	return ((db->methods->issecure)(db));
+}
+
+bool
+dns_db_ispersistent(dns_db_t *db) {
+	/*
+	 * Is 'db' persistent?
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+
+	return ((db->methods->ispersistent)(db));
+}
+
+dns_name_t *
+dns_db_origin(dns_db_t *db) {
+	/*
+	 * The origin of the database.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+
+	return (&db->origin);
+}
+
+dns_rdataclass_t
+dns_db_class(dns_db_t *db) {
+	/*
+	 * The class of the database.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+
+	return (db->rdclass);
+}
+
+isc_result_t
+dns_db_beginload(dns_db_t *db, dns_rdatacallbacks_t *callbacks) {
+	/*
+	 * Begin loading 'db'.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(DNS_CALLBACK_VALID(callbacks));
+
+	return ((db->methods->beginload)(db, callbacks));
+}
+
+isc_result_t
+dns_db_endload(dns_db_t *db, dns_rdatacallbacks_t *callbacks) {
+	dns_dbonupdatelistener_t *listener;
+
+	/*
+	 * Finish loading 'db'.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(DNS_CALLBACK_VALID(callbacks));
+	REQUIRE(callbacks->add_private != NULL);
+
+	for (listener = ISC_LIST_HEAD(db->update_listeners); listener != NULL;
+	     listener = ISC_LIST_NEXT(listener, link))
+	{
+		listener->onupdate(db, listener->onupdate_arg);
+	}
+
+	return ((db->methods->endload)(db, callbacks));
+}
+
+isc_result_t
+dns_db_load(dns_db_t *db, const char *filename, dns_masterformat_t format,
+	    unsigned int options) {
+	isc_result_t result, eresult;
+	dns_rdatacallbacks_t callbacks;
+
+	/*
+	 * Load master file 'filename' into 'db'.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+
+	if ((db->attributes & DNS_DBATTR_CACHE) != 0) {
+		options |= DNS_MASTER_AGETTL;
+	}
+
+	dns_rdatacallbacks_init(&callbacks);
+	result = dns_db_beginload(db, &callbacks);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	result = dns_master_loadfile(filename, &db->origin, &db->origin,
+				     db->rdclass, options, 0, &callbacks, NULL,
+				     NULL, db->mctx, format, 0);
+	eresult = dns_db_endload(db, &callbacks);
+	/*
+	 * We always call dns_db_endload(), but we only want to return its
+	 * result if dns_master_loadfile() succeeded.  If dns_master_loadfile()
+	 * failed, we want to return the result code it gave us.
+	 */
+	if (eresult != ISC_R_SUCCESS &&
+	    (result == ISC_R_SUCCESS || result == DNS_R_SEENINCLUDE))
+	{
+		result = eresult;
+	}
+
+	return (result);
+}
+
+isc_result_t
+dns_db_serialize(dns_db_t *db, dns_dbversion_t *version, FILE *file) {
+	REQUIRE(DNS_DB_VALID(db));
+	if (db->methods->serialize == NULL) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+	return ((db->methods->serialize)(db, version, file));
+}
+
+isc_result_t
+dns_db_dump(dns_db_t *db, dns_dbversion_t *version, const char *filename) {
+	return ((db->methods->dump)(db, version, filename,
+				    dns_masterformat_text));
+}
+
+/***
+ *** Version Methods
+ ***/
+
+void
+dns_db_currentversion(dns_db_t *db, dns_dbversion_t **versionp) {
+	/*
+	 * Open the current version for reading.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE((db->attributes & DNS_DBATTR_CACHE) == 0);
+	REQUIRE(versionp != NULL && *versionp == NULL);
+
+	(db->methods->currentversion)(db, versionp);
+}
+
+isc_result_t
+dns_db_newversion(dns_db_t *db, dns_dbversion_t **versionp) {
+	/*
+	 * Open a new version for reading and writing.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE((db->attributes & DNS_DBATTR_CACHE) == 0);
+	REQUIRE(versionp != NULL && *versionp == NULL);
+
+	return ((db->methods->newversion)(db, versionp));
+}
+
+void
+dns_db_attachversion(dns_db_t *db, dns_dbversion_t *source,
+		     dns_dbversion_t **targetp) {
+	/*
+	 * Attach '*targetp' to 'source'.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE((db->attributes & DNS_DBATTR_CACHE) == 0);
+	REQUIRE(source != NULL);
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	(db->methods->attachversion)(db, source, targetp);
+
+	ENSURE(*targetp != NULL);
+}
+
+void
+dns_db_closeversion(dns_db_t *db, dns_dbversion_t **versionp, bool commit) {
+	dns_dbonupdatelistener_t *listener;
+
+	/*
+	 * Close version '*versionp'.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE((db->attributes & DNS_DBATTR_CACHE) == 0);
+	REQUIRE(versionp != NULL && *versionp != NULL);
+
+	(db->methods->closeversion)(db, versionp, commit);
+
+	if (commit) {
+		for (listener = ISC_LIST_HEAD(db->update_listeners);
+		     listener != NULL; listener = ISC_LIST_NEXT(listener, link))
+		{
+			listener->onupdate(db, listener->onupdate_arg);
+		}
+	}
+
+	ENSURE(*versionp == NULL);
+}
+
+/***
+ *** Node Methods
+ ***/
+
+isc_result_t
+dns_db_findnode(dns_db_t *db, const dns_name_t *name, bool create,
+		dns_dbnode_t **nodep) {
+	/*
+	 * Find the node with name 'name'.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(nodep != NULL && *nodep == NULL);
+
+	if (db->methods->findnode != NULL) {
+		return ((db->methods->findnode)(db, name, create, nodep));
+	} else {
+		return ((db->methods->findnodeext)(db, name, create, NULL, NULL,
+						   nodep));
+	}
+}
+
+isc_result_t
+dns_db_findnodeext(dns_db_t *db, const dns_name_t *name, bool create,
+		   dns_clientinfomethods_t *methods,
+		   dns_clientinfo_t *clientinfo, dns_dbnode_t **nodep) {
+	/*
+	 * Find the node with name 'name', passing 'arg' to the database
+	 * implementation.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(nodep != NULL && *nodep == NULL);
+
+	if (db->methods->findnodeext != NULL) {
+		return ((db->methods->findnodeext)(db, name, create, methods,
+						   clientinfo, nodep));
+	} else {
+		return ((db->methods->findnode)(db, name, create, nodep));
+	}
+}
+
+isc_result_t
+dns_db_findnsec3node(dns_db_t *db, const dns_name_t *name, bool create,
+		     dns_dbnode_t **nodep) {
+	/*
+	 * Find the node with name 'name'.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(nodep != NULL && *nodep == NULL);
+
+	return ((db->methods->findnsec3node)(db, name, create, nodep));
+}
+
+isc_result_t
+dns_db_find(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version,
+	    dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
+	    dns_dbnode_t **nodep, dns_name_t *foundname,
+	    dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) {
+	/*
+	 * Find the best match for 'name' and 'type' in version 'version'
+	 * of 'db'.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(type != dns_rdatatype_rrsig);
+	REQUIRE(nodep == NULL || *nodep == NULL);
+	REQUIRE(dns_name_hasbuffer(foundname));
+	REQUIRE(rdataset == NULL || (DNS_RDATASET_VALID(rdataset) &&
+				     !dns_rdataset_isassociated(rdataset)));
+	REQUIRE(sigrdataset == NULL ||
+		(DNS_RDATASET_VALID(sigrdataset) &&
+		 !dns_rdataset_isassociated(sigrdataset)));
+
+	if (db->methods->find != NULL) {
+		return ((db->methods->find)(db, name, version, type, options,
+					    now, nodep, foundname, rdataset,
+					    sigrdataset));
+	} else {
+		return ((db->methods->findext)(db, name, version, type, options,
+					       now, nodep, foundname, NULL,
+					       NULL, rdataset, sigrdataset));
+	}
+}
+
+isc_result_t
+dns_db_findext(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version,
+	       dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
+	       dns_dbnode_t **nodep, dns_name_t *foundname,
+	       dns_clientinfomethods_t *methods, dns_clientinfo_t *clientinfo,
+	       dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) {
+	/*
+	 * Find the best match for 'name' and 'type' in version 'version'
+	 * of 'db', passing in 'arg'.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(type != dns_rdatatype_rrsig);
+	REQUIRE(nodep == NULL || *nodep == NULL);
+	REQUIRE(dns_name_hasbuffer(foundname));
+	REQUIRE(rdataset == NULL || (DNS_RDATASET_VALID(rdataset) &&
+				     !dns_rdataset_isassociated(rdataset)));
+	REQUIRE(sigrdataset == NULL ||
+		(DNS_RDATASET_VALID(sigrdataset) &&
+		 !dns_rdataset_isassociated(sigrdataset)));
+
+	if (db->methods->findext != NULL) {
+		return ((db->methods->findext)(
+			db, name, version, type, options, now, nodep, foundname,
+			methods, clientinfo, rdataset, sigrdataset));
+	} else {
+		return ((db->methods->find)(db, name, version, type, options,
+					    now, nodep, foundname, rdataset,
+					    sigrdataset));
+	}
+}
+
+isc_result_t
+dns_db_findzonecut(dns_db_t *db, const dns_name_t *name, unsigned int options,
+		   isc_stdtime_t now, dns_dbnode_t **nodep,
+		   dns_name_t *foundname, dns_name_t *dcname,
+		   dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) {
+	/*
+	 * Find the deepest known zonecut which encloses 'name' in 'db'.
+	 * foundname is the zonecut, dcname is the deepest name we have
+	 * in database that is part of queried name.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE((db->attributes & DNS_DBATTR_CACHE) != 0);
+	REQUIRE(nodep == NULL || *nodep == NULL);
+	REQUIRE(dns_name_hasbuffer(foundname));
+	REQUIRE(sigrdataset == NULL ||
+		(DNS_RDATASET_VALID(sigrdataset) &&
+		 !dns_rdataset_isassociated(sigrdataset)));
+
+	return ((db->methods->findzonecut)(db, name, options, now, nodep,
+					   foundname, dcname, rdataset,
+					   sigrdataset));
+}
+
+void
+dns_db_attachnode(dns_db_t *db, dns_dbnode_t *source, dns_dbnode_t **targetp) {
+	/*
+	 * Attach *targetp to source.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(source != NULL);
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	(db->methods->attachnode)(db, source, targetp);
+}
+
+void
+dns_db_detachnode(dns_db_t *db, dns_dbnode_t **nodep) {
+	/*
+	 * Detach *nodep from its node.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(nodep != NULL && *nodep != NULL);
+
+	(db->methods->detachnode)(db, nodep);
+
+	ENSURE(*nodep == NULL);
+}
+
+void
+dns_db_transfernode(dns_db_t *db, dns_dbnode_t **sourcep,
+		    dns_dbnode_t **targetp) {
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+	/*
+	 * This doesn't check the implementation magic.  If we find that
+	 * we need such checks in future then this will be done in the
+	 * method.
+	 */
+	REQUIRE(sourcep != NULL && *sourcep != NULL);
+
+	UNUSED(db);
+
+	if (db->methods->transfernode == NULL) {
+		*targetp = *sourcep;
+		*sourcep = NULL;
+	} else {
+		(db->methods->transfernode)(db, sourcep, targetp);
+	}
+
+	ENSURE(*sourcep == NULL);
+}
+
+isc_result_t
+dns_db_expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
+	/*
+	 * Mark as stale all records at 'node' which expire at or before 'now'.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE((db->attributes & DNS_DBATTR_CACHE) != 0);
+	REQUIRE(node != NULL);
+
+	return ((db->methods->expirenode)(db, node, now));
+}
+
+void
+dns_db_printnode(dns_db_t *db, dns_dbnode_t *node, FILE *out) {
+	/*
+	 * Print a textual representation of the contents of the node to
+	 * 'out'.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(node != NULL);
+
+	(db->methods->printnode)(db, node, out);
+}
+
+/***
+ *** DB Iterator Creation
+ ***/
+
+isc_result_t
+dns_db_createiterator(dns_db_t *db, unsigned int flags,
+		      dns_dbiterator_t **iteratorp) {
+	/*
+	 * Create an iterator for version 'version' of 'db'.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(iteratorp != NULL && *iteratorp == NULL);
+
+	return (db->methods->createiterator(db, flags, iteratorp));
+}
+
+/***
+ *** Rdataset Methods
+ ***/
+
+isc_result_t
+dns_db_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+		    dns_rdatatype_t type, dns_rdatatype_t covers,
+		    isc_stdtime_t now, dns_rdataset_t *rdataset,
+		    dns_rdataset_t *sigrdataset) {
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(node != NULL);
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(!dns_rdataset_isassociated(rdataset));
+	REQUIRE(covers == 0 || type == dns_rdatatype_rrsig);
+	REQUIRE(type != dns_rdatatype_any);
+	REQUIRE(sigrdataset == NULL ||
+		(DNS_RDATASET_VALID(sigrdataset) &&
+		 !dns_rdataset_isassociated(sigrdataset)));
+
+	return ((db->methods->findrdataset)(db, node, version, type, covers,
+					    now, rdataset, sigrdataset));
+}
+
+isc_result_t
+dns_db_allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+		    unsigned int options, isc_stdtime_t now,
+		    dns_rdatasetiter_t **iteratorp) {
+	/*
+	 * Make '*iteratorp' an rdataset iteratator for all rdatasets at
+	 * 'node' in version 'version' of 'db'.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(iteratorp != NULL && *iteratorp == NULL);
+
+	return ((db->methods->allrdatasets)(db, node, version, options, now,
+					    iteratorp));
+}
+
+isc_result_t
+dns_db_addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+		   isc_stdtime_t now, dns_rdataset_t *rdataset,
+		   unsigned int options, dns_rdataset_t *addedrdataset) {
+	/*
+	 * Add 'rdataset' to 'node' in version 'version' of 'db'.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(node != NULL);
+	REQUIRE(((db->attributes & DNS_DBATTR_CACHE) == 0 && version != NULL) ||
+		((db->attributes & DNS_DBATTR_CACHE) != 0 && version == NULL &&
+		 (options & DNS_DBADD_MERGE) == 0));
+	REQUIRE((options & DNS_DBADD_EXACT) == 0 ||
+		(options & DNS_DBADD_MERGE) != 0);
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(dns_rdataset_isassociated(rdataset));
+	REQUIRE(rdataset->rdclass == db->rdclass);
+	REQUIRE(addedrdataset == NULL ||
+		(DNS_RDATASET_VALID(addedrdataset) &&
+		 !dns_rdataset_isassociated(addedrdataset)));
+
+	return ((db->methods->addrdataset)(db, node, version, now, rdataset,
+					   options, addedrdataset));
+}
+
+isc_result_t
+dns_db_subtractrdataset(dns_db_t *db, dns_dbnode_t *node,
+			dns_dbversion_t *version, dns_rdataset_t *rdataset,
+			unsigned int options, dns_rdataset_t *newrdataset) {
+	/*
+	 * Remove any rdata in 'rdataset' from 'node' in version 'version' of
+	 * 'db'.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(node != NULL);
+	REQUIRE((db->attributes & DNS_DBATTR_CACHE) == 0 && version != NULL);
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(dns_rdataset_isassociated(rdataset));
+	REQUIRE(rdataset->rdclass == db->rdclass);
+	REQUIRE(newrdataset == NULL ||
+		(DNS_RDATASET_VALID(newrdataset) &&
+		 !dns_rdataset_isassociated(newrdataset)));
+
+	return ((db->methods->subtractrdataset)(db, node, version, rdataset,
+						options, newrdataset));
+}
+
+isc_result_t
+dns_db_deleterdataset(dns_db_t *db, dns_dbnode_t *node,
+		      dns_dbversion_t *version, dns_rdatatype_t type,
+		      dns_rdatatype_t covers) {
+	/*
+	 * Make it so that no rdataset of type 'type' exists at 'node' in
+	 * version version 'version' of 'db'.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(node != NULL);
+	REQUIRE(((db->attributes & DNS_DBATTR_CACHE) == 0 && version != NULL) ||
+		((db->attributes & DNS_DBATTR_CACHE) != 0 && version == NULL));
+
+	return ((db->methods->deleterdataset)(db, node, version, type, covers));
+}
+
+void
+dns_db_overmem(dns_db_t *db, bool overmem) {
+	REQUIRE(DNS_DB_VALID(db));
+
+	(db->methods->overmem)(db, overmem);
+}
+
+isc_result_t
+dns_db_getsoaserial(dns_db_t *db, dns_dbversion_t *ver, uint32_t *serialp) {
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_buffer_t buffer;
+
+	REQUIRE(dns_db_iszone(db) || dns_db_isstub(db));
+
+	result = dns_db_findnode(db, dns_db_origin(db), false, &node);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_soa, 0,
+				     (isc_stdtime_t)0, &rdataset, NULL);
+	if (result != ISC_R_SUCCESS) {
+		goto freenode;
+	}
+
+	result = dns_rdataset_first(&rdataset);
+	if (result != ISC_R_SUCCESS) {
+		goto freerdataset;
+	}
+	dns_rdataset_current(&rdataset, &rdata);
+	result = dns_rdataset_next(&rdataset);
+	INSIST(result == ISC_R_NOMORE);
+
+	INSIST(rdata.length > 20);
+	isc_buffer_init(&buffer, rdata.data, rdata.length);
+	isc_buffer_add(&buffer, rdata.length);
+	isc_buffer_forward(&buffer, rdata.length - 20);
+	*serialp = isc_buffer_getuint32(&buffer);
+
+	result = ISC_R_SUCCESS;
+
+freerdataset:
+	dns_rdataset_disassociate(&rdataset);
+
+freenode:
+	dns_db_detachnode(db, &node);
+	return (result);
+}
+
+unsigned int
+dns_db_nodecount(dns_db_t *db) {
+	REQUIRE(DNS_DB_VALID(db));
+
+	return ((db->methods->nodecount)(db));
+}
+
+size_t
+dns_db_hashsize(dns_db_t *db) {
+	REQUIRE(DNS_DB_VALID(db));
+
+	if (db->methods->hashsize == NULL) {
+		return (0);
+	}
+
+	return ((db->methods->hashsize)(db));
+}
+
+isc_result_t
+dns_db_adjusthashsize(dns_db_t *db, size_t size) {
+	REQUIRE(DNS_DB_VALID(db));
+
+	if (db->methods->adjusthashsize != NULL) {
+		return ((db->methods->adjusthashsize)(db, size));
+	}
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+void
+dns_db_settask(dns_db_t *db, isc_task_t *task) {
+	REQUIRE(DNS_DB_VALID(db));
+
+	(db->methods->settask)(db, task);
+}
+
+isc_result_t
+dns_db_register(const char *name, dns_dbcreatefunc_t create, void *driverarg,
+		isc_mem_t *mctx, dns_dbimplementation_t **dbimp) {
+	dns_dbimplementation_t *imp;
+
+	REQUIRE(name != NULL);
+	REQUIRE(dbimp != NULL && *dbimp == NULL);
+
+	RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
+
+	RWLOCK(&implock, isc_rwlocktype_write);
+	imp = impfind(name);
+	if (imp != NULL) {
+		RWUNLOCK(&implock, isc_rwlocktype_write);
+		return (ISC_R_EXISTS);
+	}
+
+	imp = isc_mem_get(mctx, sizeof(dns_dbimplementation_t));
+	imp->name = name;
+	imp->create = create;
+	imp->mctx = NULL;
+	imp->driverarg = driverarg;
+	isc_mem_attach(mctx, &imp->mctx);
+	ISC_LINK_INIT(imp, link);
+	ISC_LIST_APPEND(implementations, imp, link);
+	RWUNLOCK(&implock, isc_rwlocktype_write);
+
+	*dbimp = imp;
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_db_unregister(dns_dbimplementation_t **dbimp) {
+	dns_dbimplementation_t *imp;
+
+	REQUIRE(dbimp != NULL && *dbimp != NULL);
+
+	RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
+
+	imp = *dbimp;
+	*dbimp = NULL;
+	RWLOCK(&implock, isc_rwlocktype_write);
+	ISC_LIST_UNLINK(implementations, imp, link);
+	isc_mem_putanddetach(&imp->mctx, imp, sizeof(dns_dbimplementation_t));
+	RWUNLOCK(&implock, isc_rwlocktype_write);
+	ENSURE(*dbimp == NULL);
+}
+
+isc_result_t
+dns_db_getoriginnode(dns_db_t *db, dns_dbnode_t **nodep) {
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(dns_db_iszone(db));
+	REQUIRE(nodep != NULL && *nodep == NULL);
+
+	if (db->methods->getoriginnode != NULL) {
+		return ((db->methods->getoriginnode)(db, nodep));
+	}
+
+	return (ISC_R_NOTFOUND);
+}
+
+dns_stats_t *
+dns_db_getrrsetstats(dns_db_t *db) {
+	REQUIRE(DNS_DB_VALID(db));
+
+	if (db->methods->getrrsetstats != NULL) {
+		return ((db->methods->getrrsetstats)(db));
+	}
+
+	return (NULL);
+}
+
+isc_result_t
+dns_db_setcachestats(dns_db_t *db, isc_stats_t *stats) {
+	REQUIRE(DNS_DB_VALID(db));
+
+	if (db->methods->setcachestats != NULL) {
+		return ((db->methods->setcachestats)(db, stats));
+	}
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+isc_result_t
+dns_db_getnsec3parameters(dns_db_t *db, dns_dbversion_t *version,
+			  dns_hash_t *hash, uint8_t *flags,
+			  uint16_t *iterations, unsigned char *salt,
+			  size_t *salt_length) {
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(dns_db_iszone(db));
+
+	if (db->methods->getnsec3parameters != NULL) {
+		return ((db->methods->getnsec3parameters)(db, version, hash,
+							  flags, iterations,
+							  salt, salt_length));
+	}
+
+	return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
+dns_db_getsize(dns_db_t *db, dns_dbversion_t *version, uint64_t *records,
+	       uint64_t *bytes) {
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(dns_db_iszone(db));
+
+	if (db->methods->getsize != NULL) {
+		return ((db->methods->getsize)(db, version, records, bytes));
+	}
+
+	return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
+dns_db_setsigningtime(dns_db_t *db, dns_rdataset_t *rdataset,
+		      isc_stdtime_t resign) {
+	if (db->methods->setsigningtime != NULL) {
+		return ((db->methods->setsigningtime)(db, rdataset, resign));
+	}
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+isc_result_t
+dns_db_getsigningtime(dns_db_t *db, dns_rdataset_t *rdataset,
+		      dns_name_t *name) {
+	if (db->methods->getsigningtime != NULL) {
+		return ((db->methods->getsigningtime)(db, rdataset, name));
+	}
+	return (ISC_R_NOTFOUND);
+}
+
+void
+dns_db_resigned(dns_db_t *db, dns_rdataset_t *rdataset,
+		dns_dbversion_t *version) {
+	if (db->methods->resigned != NULL) {
+		(db->methods->resigned)(db, rdataset, version);
+	}
+}
+
+/*
+ * Attach a database to policy zone databases.
+ * This should only happen when the caller has already ensured that
+ * it is dealing with a database that understands response policy zones.
+ */
+void
+dns_db_rpz_attach(dns_db_t *db, void *rpzs, uint8_t rpz_num) {
+	REQUIRE(db->methods->rpz_attach != NULL);
+	(db->methods->rpz_attach)(db, rpzs, rpz_num);
+}
+
+/*
+ * Finish loading a response policy zone.
+ */
+isc_result_t
+dns_db_rpz_ready(dns_db_t *db) {
+	if (db->methods->rpz_ready == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+	return ((db->methods->rpz_ready)(db));
+}
+
+/*
+ * Attach a notify-on-update function the database
+ */
+isc_result_t
+dns_db_updatenotify_register(dns_db_t *db, dns_dbupdate_callback_t fn,
+			     void *fn_arg) {
+	dns_dbonupdatelistener_t *listener;
+
+	REQUIRE(db != NULL);
+	REQUIRE(fn != NULL);
+
+	for (listener = ISC_LIST_HEAD(db->update_listeners); listener != NULL;
+	     listener = ISC_LIST_NEXT(listener, link))
+	{
+		if ((listener->onupdate == fn) &&
+		    (listener->onupdate_arg == fn_arg))
+		{
+			return (ISC_R_SUCCESS);
+		}
+	}
+
+	listener = isc_mem_get(db->mctx, sizeof(dns_dbonupdatelistener_t));
+
+	listener->onupdate = fn;
+	listener->onupdate_arg = fn_arg;
+
+	ISC_LINK_INIT(listener, link);
+	ISC_LIST_APPEND(db->update_listeners, listener, link);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_db_updatenotify_unregister(dns_db_t *db, dns_dbupdate_callback_t fn,
+			       void *fn_arg) {
+	dns_dbonupdatelistener_t *listener;
+
+	REQUIRE(db != NULL);
+
+	for (listener = ISC_LIST_HEAD(db->update_listeners); listener != NULL;
+	     listener = ISC_LIST_NEXT(listener, link))
+	{
+		if ((listener->onupdate == fn) &&
+		    (listener->onupdate_arg == fn_arg))
+		{
+			ISC_LIST_UNLINK(db->update_listeners, listener, link);
+			isc_mem_put(db->mctx, listener,
+				    sizeof(dns_dbonupdatelistener_t));
+			return (ISC_R_SUCCESS);
+		}
+	}
+
+	return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
+dns_db_nodefullname(dns_db_t *db, dns_dbnode_t *node, dns_name_t *name) {
+	REQUIRE(db != NULL);
+	REQUIRE(node != NULL);
+	REQUIRE(name != NULL);
+
+	if (db->methods->nodefullname == NULL) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+	return ((db->methods->nodefullname)(db, node, name));
+}
+
+isc_result_t
+dns_db_setservestalettl(dns_db_t *db, dns_ttl_t ttl) {
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE((db->attributes & DNS_DBATTR_CACHE) != 0);
+
+	if (db->methods->setservestalettl != NULL) {
+		return ((db->methods->setservestalettl)(db, ttl));
+	}
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+isc_result_t
+dns_db_getservestalettl(dns_db_t *db, dns_ttl_t *ttl) {
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE((db->attributes & DNS_DBATTR_CACHE) != 0);
+
+	if (db->methods->getservestalettl != NULL) {
+		return ((db->methods->getservestalettl)(db, ttl));
+	}
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+isc_result_t
+dns_db_setservestalerefresh(dns_db_t *db, uint32_t interval) {
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE((db->attributes & DNS_DBATTR_CACHE) != 0);
+
+	if (db->methods->setservestalerefresh != NULL) {
+		return ((db->methods->setservestalerefresh)(db, interval));
+	}
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+isc_result_t
+dns_db_getservestalerefresh(dns_db_t *db, uint32_t *interval) {
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE((db->attributes & DNS_DBATTR_CACHE) != 0);
+
+	if (db->methods->getservestalerefresh != NULL) {
+		return ((db->methods->getservestalerefresh)(db, interval));
+	}
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+isc_result_t
+dns_db_setgluecachestats(dns_db_t *db, isc_stats_t *stats) {
+	REQUIRE(dns_db_iszone(db));
+	REQUIRE(stats != NULL);
+
+	if (db->methods->setgluecachestats != NULL) {
+		return ((db->methods->setgluecachestats)(db, stats));
+	}
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
diff --git a/lib/dns/dbiterator.c b/lib/dns/dbiterator.c
new file mode 100644
index 0000000..39d9471
--- /dev/null
+++ b/lib/dns/dbiterator.c
@@ -0,0 +1,135 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <stdbool.h>
+
+#include <isc/util.h>
+
+#include <dns/dbiterator.h>
+#include <dns/name.h>
+
+void
+dns_dbiterator_destroy(dns_dbiterator_t **iteratorp) {
+	/*
+	 * Destroy '*iteratorp'.
+	 */
+
+	REQUIRE(iteratorp != NULL);
+	REQUIRE(DNS_DBITERATOR_VALID(*iteratorp));
+
+	(*iteratorp)->methods->destroy(iteratorp);
+
+	ENSURE(*iteratorp == NULL);
+}
+
+isc_result_t
+dns_dbiterator_first(dns_dbiterator_t *iterator) {
+	/*
+	 * Move the node cursor to the first node in the database (if any).
+	 */
+
+	REQUIRE(DNS_DBITERATOR_VALID(iterator));
+
+	return (iterator->methods->first(iterator));
+}
+
+isc_result_t
+dns_dbiterator_last(dns_dbiterator_t *iterator) {
+	/*
+	 * Move the node cursor to the first node in the database (if any).
+	 */
+
+	REQUIRE(DNS_DBITERATOR_VALID(iterator));
+
+	return (iterator->methods->last(iterator));
+}
+
+isc_result_t
+dns_dbiterator_seek(dns_dbiterator_t *iterator, const dns_name_t *name) {
+	/*
+	 * Move the node cursor to the node with name 'name'.
+	 */
+
+	REQUIRE(DNS_DBITERATOR_VALID(iterator));
+
+	return (iterator->methods->seek(iterator, name));
+}
+
+isc_result_t
+dns_dbiterator_prev(dns_dbiterator_t *iterator) {
+	/*
+	 * Move the node cursor to the previous node in the database (if any).
+	 */
+
+	REQUIRE(DNS_DBITERATOR_VALID(iterator));
+
+	return (iterator->methods->prev(iterator));
+}
+
+isc_result_t
+dns_dbiterator_next(dns_dbiterator_t *iterator) {
+	/*
+	 * Move the node cursor to the next node in the database (if any).
+	 */
+
+	REQUIRE(DNS_DBITERATOR_VALID(iterator));
+
+	return (iterator->methods->next(iterator));
+}
+
+isc_result_t
+dns_dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep,
+		       dns_name_t *name) {
+	/*
+	 * Return the current node.
+	 */
+
+	REQUIRE(DNS_DBITERATOR_VALID(iterator));
+	REQUIRE(nodep != NULL && *nodep == NULL);
+	REQUIRE(name == NULL || dns_name_hasbuffer(name));
+
+	return (iterator->methods->current(iterator, nodep, name));
+}
+
+isc_result_t
+dns_dbiterator_pause(dns_dbiterator_t *iterator) {
+	/*
+	 * Pause iteration.
+	 */
+
+	REQUIRE(DNS_DBITERATOR_VALID(iterator));
+
+	return (iterator->methods->pause(iterator));
+}
+
+isc_result_t
+dns_dbiterator_origin(dns_dbiterator_t *iterator, dns_name_t *name) {
+	/*
+	 * Return the origin to which returned node names are relative.
+	 */
+
+	REQUIRE(DNS_DBITERATOR_VALID(iterator));
+	REQUIRE(iterator->relative_names);
+	REQUIRE(dns_name_hasbuffer(name));
+
+	return (iterator->methods->origin(iterator, name));
+}
+
+void
+dns_dbiterator_setcleanmode(dns_dbiterator_t *iterator, bool mode) {
+	REQUIRE(DNS_DBITERATOR_VALID(iterator));
+
+	iterator->cleaning = mode;
+}
diff --git a/lib/dns/dbtable.c b/lib/dns/dbtable.c
new file mode 100644
index 0000000..e36594b
--- /dev/null
+++ b/lib/dns/dbtable.c
@@ -0,0 +1,249 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stdbool.h>
+
+#include <isc/mem.h>
+#include <isc/rwlock.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/dbtable.h>
+#include <dns/rbt.h>
+#include <dns/result.h>
+
+struct dns_dbtable {
+	/* Unlocked. */
+	unsigned int magic;
+	isc_mem_t *mctx;
+	dns_rdataclass_t rdclass;
+	isc_rwlock_t tree_lock;
+	/* Protected by atomics */
+	isc_refcount_t references;
+	/* Locked by tree_lock. */
+	dns_rbt_t *rbt;
+	dns_db_t *default_db;
+};
+
+#define DBTABLE_MAGIC	       ISC_MAGIC('D', 'B', '-', '-')
+#define VALID_DBTABLE(dbtable) ISC_MAGIC_VALID(dbtable, DBTABLE_MAGIC)
+
+static void
+dbdetach(void *data, void *arg) {
+	dns_db_t *db = data;
+
+	UNUSED(arg);
+
+	dns_db_detach(&db);
+}
+
+isc_result_t
+dns_dbtable_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
+		   dns_dbtable_t **dbtablep) {
+	dns_dbtable_t *dbtable;
+	isc_result_t result;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(dbtablep != NULL && *dbtablep == NULL);
+
+	dbtable = isc_mem_get(mctx, sizeof(*dbtable));
+
+	dbtable->rbt = NULL;
+	result = dns_rbt_create(mctx, dbdetach, NULL, &dbtable->rbt);
+	if (result != ISC_R_SUCCESS) {
+		goto clean1;
+	}
+
+	isc_rwlock_init(&dbtable->tree_lock, 0, 0);
+	dbtable->default_db = NULL;
+	dbtable->mctx = NULL;
+	isc_mem_attach(mctx, &dbtable->mctx);
+	dbtable->rdclass = rdclass;
+	dbtable->magic = DBTABLE_MAGIC;
+	isc_refcount_init(&dbtable->references, 1);
+
+	*dbtablep = dbtable;
+
+	return (ISC_R_SUCCESS);
+
+clean1:
+	isc_mem_putanddetach(&mctx, dbtable, sizeof(*dbtable));
+
+	return (result);
+}
+
+static void
+dbtable_free(dns_dbtable_t *dbtable) {
+	/*
+	 * Caller must ensure that it is safe to call.
+	 */
+
+	RWLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
+
+	if (dbtable->default_db != NULL) {
+		dns_db_detach(&dbtable->default_db);
+	}
+
+	dns_rbt_destroy(&dbtable->rbt);
+
+	RWUNLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
+
+	isc_rwlock_destroy(&dbtable->tree_lock);
+
+	dbtable->magic = 0;
+
+	isc_mem_putanddetach(&dbtable->mctx, dbtable, sizeof(*dbtable));
+}
+
+void
+dns_dbtable_attach(dns_dbtable_t *source, dns_dbtable_t **targetp) {
+	REQUIRE(VALID_DBTABLE(source));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	isc_refcount_increment(&source->references);
+
+	*targetp = source;
+}
+
+void
+dns_dbtable_detach(dns_dbtable_t **dbtablep) {
+	dns_dbtable_t *dbtable;
+
+	REQUIRE(dbtablep != NULL);
+	dbtable = *dbtablep;
+	*dbtablep = NULL;
+	REQUIRE(VALID_DBTABLE(dbtable));
+
+	if (isc_refcount_decrement(&dbtable->references) == 1) {
+		dbtable_free(dbtable);
+	}
+}
+
+isc_result_t
+dns_dbtable_add(dns_dbtable_t *dbtable, dns_db_t *db) {
+	isc_result_t result;
+	dns_db_t *dbclone;
+
+	REQUIRE(VALID_DBTABLE(dbtable));
+	REQUIRE(dns_db_class(db) == dbtable->rdclass);
+
+	dbclone = NULL;
+	dns_db_attach(db, &dbclone);
+
+	RWLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
+	result = dns_rbt_addname(dbtable->rbt, dns_db_origin(dbclone), dbclone);
+	RWUNLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
+
+	return (result);
+}
+
+void
+dns_dbtable_remove(dns_dbtable_t *dbtable, dns_db_t *db) {
+	dns_db_t *stored_data = NULL;
+	isc_result_t result;
+	dns_name_t *name;
+
+	REQUIRE(VALID_DBTABLE(dbtable));
+
+	name = dns_db_origin(db);
+
+	/*
+	 * There is a requirement that the association of name with db
+	 * be verified.  With the current rbt.c this is expensive to do,
+	 * because effectively two find operations are being done, but
+	 * deletion is relatively infrequent.
+	 * XXXDCL ... this could be cheaper now with dns_rbt_deletenode.
+	 */
+
+	RWLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
+
+	result = dns_rbt_findname(dbtable->rbt, name, 0, NULL,
+				  (void **)(void *)&stored_data);
+
+	if (result == ISC_R_SUCCESS) {
+		INSIST(stored_data == db);
+
+		(void)dns_rbt_deletename(dbtable->rbt, name, false);
+	}
+
+	RWUNLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
+}
+
+void
+dns_dbtable_adddefault(dns_dbtable_t *dbtable, dns_db_t *db) {
+	REQUIRE(VALID_DBTABLE(dbtable));
+	REQUIRE(dbtable->default_db == NULL);
+	REQUIRE(dns_name_compare(dns_db_origin(db), dns_rootname) == 0);
+
+	RWLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
+
+	dbtable->default_db = NULL;
+	dns_db_attach(db, &dbtable->default_db);
+
+	RWUNLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
+}
+
+void
+dns_dbtable_getdefault(dns_dbtable_t *dbtable, dns_db_t **dbp) {
+	REQUIRE(VALID_DBTABLE(dbtable));
+	REQUIRE(dbp != NULL && *dbp == NULL);
+
+	RWLOCK(&dbtable->tree_lock, isc_rwlocktype_read);
+
+	dns_db_attach(dbtable->default_db, dbp);
+
+	RWUNLOCK(&dbtable->tree_lock, isc_rwlocktype_read);
+}
+
+void
+dns_dbtable_removedefault(dns_dbtable_t *dbtable) {
+	REQUIRE(VALID_DBTABLE(dbtable));
+
+	RWLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
+
+	dns_db_detach(&dbtable->default_db);
+
+	RWUNLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
+}
+
+isc_result_t
+dns_dbtable_find(dns_dbtable_t *dbtable, const dns_name_t *name,
+		 unsigned int options, dns_db_t **dbp) {
+	dns_db_t *stored_data = NULL;
+	isc_result_t result;
+	unsigned int rbtoptions = 0;
+
+	REQUIRE(dbp != NULL && *dbp == NULL);
+
+	if ((options & DNS_DBTABLEFIND_NOEXACT) != 0) {
+		rbtoptions |= DNS_RBTFIND_NOEXACT;
+	}
+
+	RWLOCK(&dbtable->tree_lock, isc_rwlocktype_read);
+
+	result = dns_rbt_findname(dbtable->rbt, name, rbtoptions, NULL,
+				  (void **)(void *)&stored_data);
+
+	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
+		dns_db_attach(stored_data, dbp);
+	} else if (dbtable->default_db != NULL) {
+		dns_db_attach(dbtable->default_db, dbp);
+		result = DNS_R_PARTIALMATCH;
+	} else {
+		result = ISC_R_NOTFOUND;
+	}
+
+	RWUNLOCK(&dbtable->tree_lock, isc_rwlocktype_read);
+
+	return (result);
+}
diff --git a/lib/dns/diff.c b/lib/dns/diff.c
new file mode 100644
index 0000000..200d711
--- /dev/null
+++ b/lib/dns/diff.c
@@ -0,0 +1,688 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/file.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/diff.h>
+#include <dns/log.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/time.h>
+
+#define CHECK(op)                            \
+	do {                                 \
+		result = (op);               \
+		if (result != ISC_R_SUCCESS) \
+			goto failure;        \
+	} while (0)
+
+#define DIFF_COMMON_LOGARGS \
+	dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_DIFF
+
+static dns_rdatatype_t
+rdata_covers(dns_rdata_t *rdata) {
+	return (rdata->type == dns_rdatatype_rrsig ? dns_rdata_covers(rdata)
+						   : 0);
+}
+
+isc_result_t
+dns_difftuple_create(isc_mem_t *mctx, dns_diffop_t op, const dns_name_t *name,
+		     dns_ttl_t ttl, dns_rdata_t *rdata, dns_difftuple_t **tp) {
+	dns_difftuple_t *t;
+	unsigned int size;
+	unsigned char *datap;
+
+	REQUIRE(tp != NULL && *tp == NULL);
+
+	/*
+	 * Create a new tuple.  The variable-size wire-format name data and
+	 * rdata immediately follow the dns_difftuple_t structure
+	 * in memory.
+	 */
+	size = sizeof(*t) + name->length + rdata->length;
+	t = isc_mem_allocate(mctx, size);
+	t->mctx = NULL;
+	isc_mem_attach(mctx, &t->mctx);
+	t->op = op;
+
+	datap = (unsigned char *)(t + 1);
+
+	memmove(datap, name->ndata, name->length);
+	dns_name_init(&t->name, NULL);
+	dns_name_clone(name, &t->name);
+	t->name.ndata = datap;
+	datap += name->length;
+
+	t->ttl = ttl;
+
+	dns_rdata_init(&t->rdata);
+	dns_rdata_clone(rdata, &t->rdata);
+	if (rdata->data != NULL) {
+		memmove(datap, rdata->data, rdata->length);
+		t->rdata.data = datap;
+		datap += rdata->length;
+	} else {
+		t->rdata.data = NULL;
+		INSIST(rdata->length == 0);
+	}
+
+	ISC_LINK_INIT(&t->rdata, link);
+	ISC_LINK_INIT(t, link);
+	t->magic = DNS_DIFFTUPLE_MAGIC;
+
+	INSIST(datap == (unsigned char *)t + size);
+
+	*tp = t;
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_difftuple_free(dns_difftuple_t **tp) {
+	dns_difftuple_t *t = *tp;
+	*tp = NULL;
+	isc_mem_t *mctx;
+
+	REQUIRE(DNS_DIFFTUPLE_VALID(t));
+
+	dns_name_invalidate(&t->name);
+	t->magic = 0;
+	mctx = t->mctx;
+	isc_mem_free(mctx, t);
+	isc_mem_detach(&mctx);
+}
+
+isc_result_t
+dns_difftuple_copy(dns_difftuple_t *orig, dns_difftuple_t **copyp) {
+	return (dns_difftuple_create(orig->mctx, orig->op, &orig->name,
+				     orig->ttl, &orig->rdata, copyp));
+}
+
+void
+dns_diff_init(isc_mem_t *mctx, dns_diff_t *diff) {
+	diff->mctx = mctx;
+	ISC_LIST_INIT(diff->tuples);
+	diff->magic = DNS_DIFF_MAGIC;
+}
+
+void
+dns_diff_clear(dns_diff_t *diff) {
+	dns_difftuple_t *t;
+	REQUIRE(DNS_DIFF_VALID(diff));
+	while ((t = ISC_LIST_HEAD(diff->tuples)) != NULL) {
+		ISC_LIST_UNLINK(diff->tuples, t, link);
+		dns_difftuple_free(&t);
+	}
+	ENSURE(ISC_LIST_EMPTY(diff->tuples));
+}
+
+void
+dns_diff_append(dns_diff_t *diff, dns_difftuple_t **tuplep) {
+	ISC_LIST_APPEND(diff->tuples, *tuplep, link);
+	*tuplep = NULL;
+}
+
+/* XXX this is O(N) */
+
+void
+dns_diff_appendminimal(dns_diff_t *diff, dns_difftuple_t **tuplep) {
+	dns_difftuple_t *ot, *next_ot;
+
+	REQUIRE(DNS_DIFF_VALID(diff));
+	REQUIRE(DNS_DIFFTUPLE_VALID(*tuplep));
+
+	/*
+	 * Look for an existing tuple with the same owner name,
+	 * rdata, and TTL.   If we are doing an addition and find a
+	 * deletion or vice versa, remove both the old and the
+	 * new tuple since they cancel each other out (assuming
+	 * that we never delete nonexistent data or add existing
+	 * data).
+	 *
+	 * If we find an old update of the same kind as
+	 * the one we are doing, there must be a programming
+	 * error.  We report it but try to continue anyway.
+	 */
+	for (ot = ISC_LIST_HEAD(diff->tuples); ot != NULL; ot = next_ot) {
+		next_ot = ISC_LIST_NEXT(ot, link);
+		if (dns_name_caseequal(&ot->name, &(*tuplep)->name) &&
+		    dns_rdata_compare(&ot->rdata, &(*tuplep)->rdata) == 0 &&
+		    ot->ttl == (*tuplep)->ttl)
+		{
+			ISC_LIST_UNLINK(diff->tuples, ot, link);
+			if ((*tuplep)->op == ot->op) {
+				UNEXPECTED_ERROR(__FILE__, __LINE__,
+						 "unexpected non-minimal diff");
+			} else {
+				dns_difftuple_free(tuplep);
+			}
+			dns_difftuple_free(&ot);
+			break;
+		}
+	}
+
+	if (*tuplep != NULL) {
+		ISC_LIST_APPEND(diff->tuples, *tuplep, link);
+		*tuplep = NULL;
+	}
+}
+
+static isc_stdtime_t
+setresign(dns_rdataset_t *modified) {
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_rrsig_t sig;
+	int64_t when;
+	isc_result_t result;
+
+	result = dns_rdataset_first(modified);
+	INSIST(result == ISC_R_SUCCESS);
+	dns_rdataset_current(modified, &rdata);
+	(void)dns_rdata_tostruct(&rdata, &sig, NULL);
+	if ((rdata.flags & DNS_RDATA_OFFLINE) != 0) {
+		when = 0;
+	} else {
+		when = dns_time64_from32(sig.timeexpire);
+	}
+	dns_rdata_reset(&rdata);
+
+	result = dns_rdataset_next(modified);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdataset_current(modified, &rdata);
+		(void)dns_rdata_tostruct(&rdata, &sig, NULL);
+		if ((rdata.flags & DNS_RDATA_OFFLINE) != 0) {
+			goto next_rr;
+		}
+		if (when == 0 || dns_time64_from32(sig.timeexpire) < when) {
+			when = dns_time64_from32(sig.timeexpire);
+		}
+	next_rr:
+		dns_rdata_reset(&rdata);
+		result = dns_rdataset_next(modified);
+	}
+	INSIST(result == ISC_R_NOMORE);
+	return ((isc_stdtime_t)when);
+}
+
+static void
+getownercase(dns_rdataset_t *rdataset, dns_name_t *name) {
+	if (dns_rdataset_isassociated(rdataset)) {
+		dns_rdataset_getownercase(rdataset, name);
+	}
+}
+
+static void
+setownercase(dns_rdataset_t *rdataset, const dns_name_t *name) {
+	if (dns_rdataset_isassociated(rdataset)) {
+		dns_rdataset_setownercase(rdataset, name);
+	}
+}
+
+static isc_result_t
+diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver, bool warn) {
+	dns_difftuple_t *t;
+	dns_dbnode_t *node = NULL;
+	isc_result_t result;
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char typebuf[DNS_RDATATYPE_FORMATSIZE];
+	char classbuf[DNS_RDATACLASS_FORMATSIZE];
+
+	REQUIRE(DNS_DIFF_VALID(diff));
+	REQUIRE(DNS_DB_VALID(db));
+
+	t = ISC_LIST_HEAD(diff->tuples);
+	while (t != NULL) {
+		dns_name_t *name;
+
+		INSIST(node == NULL);
+		name = &t->name;
+		/*
+		 * Find the node.
+		 * We create the node if it does not exist.
+		 * This will cause an empty node to be created if the diff
+		 * contains a deletion of an RR at a nonexistent name,
+		 * but such diffs should never be created in the first
+		 * place.
+		 */
+
+		while (t != NULL && dns_name_equal(&t->name, name)) {
+			dns_rdatatype_t type, covers;
+			dns_diffop_t op;
+			dns_rdatalist_t rdl;
+			dns_rdataset_t rds;
+			dns_rdataset_t ardataset;
+			unsigned int options;
+
+			op = t->op;
+			type = t->rdata.type;
+			covers = rdata_covers(&t->rdata);
+
+			/*
+			 * Collect a contiguous set of updates with
+			 * the same operation (add/delete) and RR type
+			 * into a single rdatalist so that the
+			 * database rrset merging/subtraction code
+			 * can work more efficiently than if each
+			 * RR were merged into / subtracted from
+			 * the database separately.
+			 *
+			 * This is done by linking rdata structures from the
+			 * diff into "rdatalist".  This uses the rdata link
+			 * field, not the diff link field, so the structure
+			 * of the diff itself is not affected.
+			 */
+
+			dns_rdatalist_init(&rdl);
+			rdl.type = type;
+			rdl.covers = covers;
+			rdl.rdclass = t->rdata.rdclass;
+			rdl.ttl = t->ttl;
+
+			node = NULL;
+			if (type != dns_rdatatype_nsec3 &&
+			    covers != dns_rdatatype_nsec3)
+			{
+				CHECK(dns_db_findnode(db, name, true, &node));
+			} else {
+				CHECK(dns_db_findnsec3node(db, name, true,
+							   &node));
+			}
+
+			while (t != NULL && dns_name_equal(&t->name, name) &&
+			       t->op == op && t->rdata.type == type &&
+			       rdata_covers(&t->rdata) == covers)
+			{
+				/*
+				 * Remember the add name for
+				 * dns_rdataset_setownercase.
+				 */
+				name = &t->name;
+				if (t->ttl != rdl.ttl && warn) {
+					dns_name_format(name, namebuf,
+							sizeof(namebuf));
+					dns_rdatatype_format(t->rdata.type,
+							     typebuf,
+							     sizeof(typebuf));
+					dns_rdataclass_format(t->rdata.rdclass,
+							      classbuf,
+							      sizeof(classbuf));
+					isc_log_write(DIFF_COMMON_LOGARGS,
+						      ISC_LOG_WARNING,
+						      "'%s/%s/%s': TTL differs "
+						      "in "
+						      "rdataset, adjusting "
+						      "%lu -> %lu",
+						      namebuf, typebuf,
+						      classbuf,
+						      (unsigned long)t->ttl,
+						      (unsigned long)rdl.ttl);
+				}
+				ISC_LIST_APPEND(rdl.rdata, &t->rdata, link);
+				t = ISC_LIST_NEXT(t, link);
+			}
+
+			/*
+			 * Convert the rdatalist into a rdataset.
+			 */
+			dns_rdataset_init(&rds);
+			dns_rdataset_init(&ardataset);
+			CHECK(dns_rdatalist_tordataset(&rdl, &rds));
+			rds.trust = dns_trust_ultimate;
+
+			/*
+			 * Merge the rdataset into the database.
+			 */
+			switch (op) {
+			case DNS_DIFFOP_ADD:
+			case DNS_DIFFOP_ADDRESIGN:
+				options = DNS_DBADD_MERGE | DNS_DBADD_EXACT |
+					  DNS_DBADD_EXACTTTL;
+				result = dns_db_addrdataset(db, node, ver, 0,
+							    &rds, options,
+							    &ardataset);
+				break;
+			case DNS_DIFFOP_DEL:
+			case DNS_DIFFOP_DELRESIGN:
+				options = DNS_DBSUB_EXACT | DNS_DBSUB_WANTOLD;
+				result = dns_db_subtractrdataset(db, node, ver,
+								 &rds, options,
+								 &ardataset);
+				break;
+			default:
+				UNREACHABLE();
+			}
+
+			if (result == ISC_R_SUCCESS) {
+				if (rds.type == dns_rdatatype_rrsig &&
+				    (op == DNS_DIFFOP_DELRESIGN ||
+				     op == DNS_DIFFOP_ADDRESIGN))
+				{
+					isc_stdtime_t resign;
+					resign = setresign(&ardataset);
+					dns_db_setsigningtime(db, &ardataset,
+							      resign);
+				}
+				if (op == DNS_DIFFOP_ADD ||
+				    op == DNS_DIFFOP_ADDRESIGN)
+				{
+					setownercase(&ardataset, name);
+				}
+				if (op == DNS_DIFFOP_DEL ||
+				    op == DNS_DIFFOP_DELRESIGN)
+				{
+					getownercase(&ardataset, name);
+				}
+			} else if (result == DNS_R_UNCHANGED) {
+				/*
+				 * This will not happen when executing a
+				 * dynamic update, because that code will
+				 * generate strictly minimal diffs.
+				 * It may happen when receiving an IXFR
+				 * from a server that is not as careful.
+				 * Issue a warning and continue.
+				 */
+				if (warn) {
+					dns_name_format(dns_db_origin(db),
+							namebuf,
+							sizeof(namebuf));
+					dns_rdataclass_format(dns_db_class(db),
+							      classbuf,
+							      sizeof(classbuf));
+					isc_log_write(DIFF_COMMON_LOGARGS,
+						      ISC_LOG_WARNING,
+						      "%s/%s: dns_diff_apply: "
+						      "update with no effect",
+						      namebuf, classbuf);
+				}
+				if (op == DNS_DIFFOP_ADD ||
+				    op == DNS_DIFFOP_ADDRESIGN)
+				{
+					setownercase(&ardataset, name);
+				}
+				if (op == DNS_DIFFOP_DEL ||
+				    op == DNS_DIFFOP_DELRESIGN)
+				{
+					getownercase(&ardataset, name);
+				}
+			} else if (result == DNS_R_NXRRSET) {
+				/*
+				 * OK.
+				 */
+				if (op == DNS_DIFFOP_DEL ||
+				    op == DNS_DIFFOP_DELRESIGN)
+				{
+					getownercase(&ardataset, name);
+				}
+				if (dns_rdataset_isassociated(&ardataset)) {
+					dns_rdataset_disassociate(&ardataset);
+				}
+			} else {
+				if (dns_rdataset_isassociated(&ardataset)) {
+					dns_rdataset_disassociate(&ardataset);
+				}
+				CHECK(result);
+			}
+			dns_db_detachnode(db, &node);
+			if (dns_rdataset_isassociated(&ardataset)) {
+				dns_rdataset_disassociate(&ardataset);
+			}
+		}
+	}
+	return (ISC_R_SUCCESS);
+
+failure:
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+	return (result);
+}
+
+isc_result_t
+dns_diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver) {
+	return (diff_apply(diff, db, ver, true));
+}
+
+isc_result_t
+dns_diff_applysilently(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver) {
+	return (diff_apply(diff, db, ver, false));
+}
+
+/* XXX this duplicates lots of code in diff_apply(). */
+
+isc_result_t
+dns_diff_load(dns_diff_t *diff, dns_addrdatasetfunc_t addfunc,
+	      void *add_private) {
+	dns_difftuple_t *t;
+	isc_result_t result;
+
+	REQUIRE(DNS_DIFF_VALID(diff));
+
+	t = ISC_LIST_HEAD(diff->tuples);
+	while (t != NULL) {
+		dns_name_t *name;
+
+		name = &t->name;
+		while (t != NULL && dns_name_caseequal(&t->name, name)) {
+			dns_rdatatype_t type, covers;
+			dns_diffop_t op;
+			dns_rdatalist_t rdl;
+			dns_rdataset_t rds;
+
+			op = t->op;
+			type = t->rdata.type;
+			covers = rdata_covers(&t->rdata);
+
+			dns_rdatalist_init(&rdl);
+			rdl.type = type;
+			rdl.covers = covers;
+			rdl.rdclass = t->rdata.rdclass;
+			rdl.ttl = t->ttl;
+
+			while (t != NULL &&
+			       dns_name_caseequal(&t->name, name) &&
+			       t->op == op && t->rdata.type == type &&
+			       rdata_covers(&t->rdata) == covers)
+			{
+				ISC_LIST_APPEND(rdl.rdata, &t->rdata, link);
+				t = ISC_LIST_NEXT(t, link);
+			}
+
+			/*
+			 * Convert the rdatalist into a rdataset.
+			 */
+			dns_rdataset_init(&rds);
+			CHECK(dns_rdatalist_tordataset(&rdl, &rds));
+			rds.trust = dns_trust_ultimate;
+
+			INSIST(op == DNS_DIFFOP_ADD);
+			result = (*addfunc)(add_private, name, &rds);
+			if (result == DNS_R_UNCHANGED) {
+				isc_log_write(DIFF_COMMON_LOGARGS,
+					      ISC_LOG_WARNING,
+					      "dns_diff_load: "
+					      "update with no effect");
+			} else if (result == ISC_R_SUCCESS ||
+				   result == DNS_R_NXRRSET)
+			{
+				/*
+				 * OK.
+				 */
+			} else {
+				CHECK(result);
+			}
+		}
+	}
+	result = ISC_R_SUCCESS;
+failure:
+	return (result);
+}
+
+/*
+ * XXX uses qsort(); a merge sort would be more natural for lists,
+ * and perhaps safer wrt thread stack overflow.
+ */
+isc_result_t
+dns_diff_sort(dns_diff_t *diff, dns_diff_compare_func *compare) {
+	unsigned int length = 0;
+	unsigned int i;
+	dns_difftuple_t **v;
+	dns_difftuple_t *p;
+	REQUIRE(DNS_DIFF_VALID(diff));
+
+	for (p = ISC_LIST_HEAD(diff->tuples); p != NULL;
+	     p = ISC_LIST_NEXT(p, link))
+	{
+		length++;
+	}
+	if (length == 0) {
+		return (ISC_R_SUCCESS);
+	}
+	v = isc_mem_get(diff->mctx, length * sizeof(dns_difftuple_t *));
+	for (i = 0; i < length; i++) {
+		p = ISC_LIST_HEAD(diff->tuples);
+		v[i] = p;
+		ISC_LIST_UNLINK(diff->tuples, p, link);
+	}
+	INSIST(ISC_LIST_HEAD(diff->tuples) == NULL);
+	qsort(v, length, sizeof(v[0]), compare);
+	for (i = 0; i < length; i++) {
+		ISC_LIST_APPEND(diff->tuples, v[i], link);
+	}
+	isc_mem_put(diff->mctx, v, length * sizeof(dns_difftuple_t *));
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Create an rdataset containing the single RR of the given
+ * tuple.  The caller must allocate the rdata, rdataset and
+ * an rdatalist structure for it to refer to.
+ */
+
+static isc_result_t
+diff_tuple_tordataset(dns_difftuple_t *t, dns_rdata_t *rdata,
+		      dns_rdatalist_t *rdl, dns_rdataset_t *rds) {
+	REQUIRE(DNS_DIFFTUPLE_VALID(t));
+	REQUIRE(rdl != NULL);
+	REQUIRE(rds != NULL);
+
+	dns_rdatalist_init(rdl);
+	rdl->type = t->rdata.type;
+	rdl->rdclass = t->rdata.rdclass;
+	rdl->ttl = t->ttl;
+	dns_rdataset_init(rds);
+	ISC_LINK_INIT(rdata, link);
+	dns_rdata_clone(&t->rdata, rdata);
+	ISC_LIST_APPEND(rdl->rdata, rdata, link);
+	return (dns_rdatalist_tordataset(rdl, rds));
+}
+
+isc_result_t
+dns_diff_print(dns_diff_t *diff, FILE *file) {
+	isc_result_t result;
+	dns_difftuple_t *t;
+	char *mem = NULL;
+	unsigned int size = 2048;
+	const char *op = NULL;
+
+	REQUIRE(DNS_DIFF_VALID(diff));
+
+	mem = isc_mem_get(diff->mctx, size);
+
+	for (t = ISC_LIST_HEAD(diff->tuples); t != NULL;
+	     t = ISC_LIST_NEXT(t, link))
+	{
+		isc_buffer_t buf;
+		isc_region_t r;
+
+		dns_rdatalist_t rdl;
+		dns_rdataset_t rds;
+		dns_rdata_t rd = DNS_RDATA_INIT;
+
+		result = diff_tuple_tordataset(t, &rd, &rdl, &rds);
+		if (result != ISC_R_SUCCESS) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "diff_tuple_tordataset failed: %s",
+					 dns_result_totext(result));
+			result = ISC_R_UNEXPECTED;
+			goto cleanup;
+		}
+	again:
+		isc_buffer_init(&buf, mem, size);
+		result = dns_rdataset_totext(&rds, &t->name, false, false,
+					     &buf);
+
+		if (result == ISC_R_NOSPACE) {
+			isc_mem_put(diff->mctx, mem, size);
+			size += 1024;
+			mem = isc_mem_get(diff->mctx, size);
+			goto again;
+		}
+
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+		/*
+		 * Get rid of final newline.
+		 */
+		INSIST(buf.used >= 1 &&
+		       ((char *)buf.base)[buf.used - 1] == '\n');
+		buf.used--;
+
+		isc_buffer_usedregion(&buf, &r);
+		switch (t->op) {
+		case DNS_DIFFOP_EXISTS:
+			op = "exists";
+			break;
+		case DNS_DIFFOP_ADD:
+			op = "add";
+			break;
+		case DNS_DIFFOP_DEL:
+			op = "del";
+			break;
+		case DNS_DIFFOP_ADDRESIGN:
+			op = "add re-sign";
+			break;
+		case DNS_DIFFOP_DELRESIGN:
+			op = "del re-sign";
+			break;
+		}
+		if (file != NULL) {
+			fprintf(file, "%s %.*s\n", op, (int)r.length,
+				(char *)r.base);
+		} else {
+			isc_log_write(DIFF_COMMON_LOGARGS, ISC_LOG_DEBUG(7),
+				      "%s %.*s", op, (int)r.length,
+				      (char *)r.base);
+		}
+	}
+	result = ISC_R_SUCCESS;
+cleanup:
+	if (mem != NULL) {
+		isc_mem_put(diff->mctx, mem, size);
+	}
+	return (result);
+}
diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c
new file mode 100644
index 0000000..5f27d63
--- /dev/null
+++ b/lib/dns/dispatch.c
@@ -0,0 +1,3591 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#include <isc/mem.h>
+#include <isc/mutex.h>
+#include <isc/portset.h>
+#include <isc/print.h>
+#include <isc/random.h>
+#include <isc/socket.h>
+#include <isc/stats.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#include <dns/acl.h>
+#include <dns/dispatch.h>
+#include <dns/events.h>
+#include <dns/log.h>
+#include <dns/message.h>
+#include <dns/portlist.h>
+#include <dns/stats.h>
+#include <dns/tcpmsg.h>
+#include <dns/types.h>
+
+typedef ISC_LIST(dns_dispentry_t) dns_displist_t;
+
+typedef struct dispsocket dispsocket_t;
+typedef ISC_LIST(dispsocket_t) dispsocketlist_t;
+
+typedef struct dispportentry dispportentry_t;
+typedef ISC_LIST(dispportentry_t) dispportlist_t;
+
+typedef struct dns_qid {
+	unsigned int magic;
+	unsigned int qid_nbuckets;  /*%< hash table size */
+	unsigned int qid_increment; /*%< id increment on collision */
+	isc_mutex_t lock;
+	dns_displist_t *qid_table;    /*%< the table itself */
+	dispsocketlist_t *sock_table; /*%< socket table */
+} dns_qid_t;
+
+struct dns_dispatchmgr {
+	/* Unlocked. */
+	unsigned int magic;
+	isc_mem_t *mctx;
+	dns_acl_t *blackhole;
+	dns_portlist_t *portlist;
+	isc_stats_t *stats;
+
+	/* Locked by "lock". */
+	isc_mutex_t lock;
+	unsigned int state;
+	ISC_LIST(dns_dispatch_t) list;
+
+	/* locked by buffer_lock */
+	dns_qid_t *qid;
+	isc_mutex_t buffer_lock;
+	unsigned int buffers;	 /*%< allocated buffers */
+	unsigned int buffersize; /*%< size of each buffer */
+	unsigned int maxbuffers; /*%< max buffers */
+
+	isc_refcount_t irefs;
+
+	/*%
+	 * Locked by qid->lock if qid exists; otherwise, can be used without
+	 * being locked.
+	 * Memory footprint considerations: this is a simple implementation of
+	 * available ports, i.e., an ordered array of the actual port numbers.
+	 * This will require about 256KB of memory in the worst case (128KB for
+	 * each of IPv4 and IPv6).  We could reduce it by representing it as a
+	 * more sophisticated way such as a list (or array) of ranges that are
+	 * searched to identify a specific port.  Our decision here is the saved
+	 * memory isn't worth the implementation complexity, considering the
+	 * fact that the whole BIND9 process (which is mainly named) already
+	 * requires a pretty large memory footprint.  We may, however, have to
+	 * revisit the decision when we want to use it as a separate module for
+	 * an environment where memory requirement is severer.
+	 */
+	in_port_t *v4ports;    /*%< available ports for IPv4 */
+	unsigned int nv4ports; /*%< # of available ports for IPv4 */
+	in_port_t *v6ports;    /*%< available ports for IPv4 */
+	unsigned int nv6ports; /*%< # of available ports for IPv4 */
+};
+
+#define MGR_SHUTTINGDOWN       0x00000001U
+#define MGR_IS_SHUTTINGDOWN(l) (((l)->state & MGR_SHUTTINGDOWN) != 0)
+
+#define IS_PRIVATE(d) (((d)->attributes & DNS_DISPATCHATTR_PRIVATE) != 0)
+
+struct dns_dispentry {
+	unsigned int magic;
+	dns_dispatch_t *disp;
+	dns_messageid_t id;
+	in_port_t port;
+	unsigned int bucket;
+	isc_sockaddr_t host;
+	isc_task_t *task;
+	isc_taskaction_t action;
+	void *arg;
+	bool item_out;
+	dispsocket_t *dispsocket;
+	ISC_LIST(dns_dispatchevent_t) items;
+	ISC_LINK(dns_dispentry_t) link;
+};
+
+/*%
+ * Maximum number of dispatch sockets that can be pooled for reuse.  The
+ * appropriate value may vary, but experiments have shown a busy caching server
+ * may need more than 1000 sockets concurrently opened.  The maximum allowable
+ * number of dispatch sockets (per manager) will be set to the double of this
+ * value.
+ */
+#ifndef DNS_DISPATCH_POOLSOCKS
+#define DNS_DISPATCH_POOLSOCKS 2048
+#endif /* ifndef DNS_DISPATCH_POOLSOCKS */
+
+/*%
+ * Quota to control the number of dispatch sockets.  If a dispatch has more
+ * than the quota of sockets, new queries will purge oldest ones, so that
+ * a massive number of outstanding queries won't prevent subsequent queries
+ * (especially if the older ones take longer time and result in timeout).
+ */
+#ifndef DNS_DISPATCH_SOCKSQUOTA
+#define DNS_DISPATCH_SOCKSQUOTA 3072
+#endif /* ifndef DNS_DISPATCH_SOCKSQUOTA */
+
+struct dispsocket {
+	unsigned int magic;
+	isc_socket_t *socket;
+	dns_dispatch_t *disp;
+	isc_sockaddr_t host;
+	in_port_t localport; /* XXX: should be removed later */
+	dispportentry_t *portentry;
+	dns_dispentry_t *resp;
+	isc_task_t *task;
+	ISC_LINK(dispsocket_t) link;
+	unsigned int bucket;
+	ISC_LINK(dispsocket_t) blink;
+};
+
+/*%
+ * A port table entry.  We remember every port we first open in a table with a
+ * reference counter so that we can 'reuse' the same port (with different
+ * destination addresses) using the SO_REUSEADDR socket option.
+ */
+struct dispportentry {
+	in_port_t port;
+	isc_refcount_t refs;
+	ISC_LINK(struct dispportentry) link;
+};
+
+#ifndef DNS_DISPATCH_PORTTABLESIZE
+#define DNS_DISPATCH_PORTTABLESIZE 1024
+#endif /* ifndef DNS_DISPATCH_PORTTABLESIZE */
+
+#define INVALID_BUCKET (0xffffdead)
+
+/*%
+ * Number of tasks for each dispatch that use separate sockets for different
+ * transactions.  This must be a power of 2 as it will divide 32 bit numbers
+ * to get an uniformly random tasks selection.  See get_dispsocket().
+ */
+#define MAX_INTERNAL_TASKS 64
+
+struct dns_dispatch {
+	/* Unlocked. */
+	unsigned int magic;	/*%< magic */
+	dns_dispatchmgr_t *mgr; /*%< dispatch manager */
+	int ntasks;
+	/*%
+	 * internal task buckets.  We use multiple tasks to distribute various
+	 * socket events well when using separate dispatch sockets.  We use the
+	 * 1st task (task[0]) for internal control events.
+	 */
+	isc_task_t *task[MAX_INTERNAL_TASKS];
+	isc_socket_t *socket;	  /*%< isc socket attached to */
+	isc_sockaddr_t local;	  /*%< local address */
+	in_port_t localport;	  /*%< local UDP port */
+	isc_sockaddr_t peer;	  /*%< peer address (TCP) */
+	isc_dscp_t dscp;	  /*%< "listen-on" DSCP value */
+	unsigned int maxrequests; /*%< max requests */
+	isc_event_t *ctlevent;
+
+	isc_mem_t *sepool; /*%< pool for socket events */
+
+	/*% Locked by mgr->lock. */
+	ISC_LINK(dns_dispatch_t) link;
+
+	/* Locked by "lock". */
+	isc_mutex_t lock; /*%< locks all below */
+	isc_sockettype_t socktype;
+	unsigned int attributes;
+	unsigned int refcount;		  /*%< number of users */
+	dns_dispatchevent_t *failsafe_ev; /*%< failsafe cancel event */
+	unsigned int shutting_down : 1, shutdown_out : 1, connected : 1,
+		tcpmsg_valid : 1, recv_pending : 1; /*%< is a
+						     * recv()
+						     * pending?
+						     * */
+	isc_result_t shutdown_why;
+	ISC_LIST(dispsocket_t) activesockets;
+	ISC_LIST(dispsocket_t) inactivesockets;
+	unsigned int nsockets;
+	unsigned int requests;	 /*%< how many requests we have */
+	unsigned int tcpbuffers; /*%< allocated buffers */
+	dns_tcpmsg_t tcpmsg;	 /*%< for tcp streams */
+	dns_qid_t *qid;
+	dispportlist_t *port_table; /*%< hold ports 'owned' by us */
+};
+
+#define QID_MAGIC    ISC_MAGIC('Q', 'i', 'd', ' ')
+#define VALID_QID(e) ISC_MAGIC_VALID((e), QID_MAGIC)
+
+#define RESPONSE_MAGIC	  ISC_MAGIC('D', 'r', 's', 'p')
+#define VALID_RESPONSE(e) ISC_MAGIC_VALID((e), RESPONSE_MAGIC)
+
+#define DISPSOCK_MAGIC	  ISC_MAGIC('D', 's', 'o', 'c')
+#define VALID_DISPSOCK(e) ISC_MAGIC_VALID((e), DISPSOCK_MAGIC)
+
+#define DISPATCH_MAGIC	  ISC_MAGIC('D', 'i', 's', 'p')
+#define VALID_DISPATCH(e) ISC_MAGIC_VALID((e), DISPATCH_MAGIC)
+
+#define DNS_DISPATCHMGR_MAGIC ISC_MAGIC('D', 'M', 'g', 'r')
+#define VALID_DISPATCHMGR(e)  ISC_MAGIC_VALID((e), DNS_DISPATCHMGR_MAGIC)
+
+#define DNS_QID(disp)                                          \
+	((disp)->socktype == isc_sockettype_tcp) ? (disp)->qid \
+						 : (disp)->mgr->qid
+
+/*%
+ * Locking a query port buffer is a bit tricky.  We access the buffer without
+ * locking until qid is created.  Technically, there is a possibility of race
+ * between the creation of qid and access to the port buffer; in practice,
+ * however, this should be safe because qid isn't created until the first
+ * dispatch is created and there should be no contending situation until then.
+ */
+#define PORTBUFLOCK(mgr)        \
+	if ((mgr)->qid != NULL) \
+	LOCK(&((mgr)->qid->lock))
+#define PORTBUFUNLOCK(mgr)      \
+	if ((mgr)->qid != NULL) \
+	UNLOCK((&(mgr)->qid->lock))
+
+/*
+ * Statics.
+ */
+static dns_dispentry_t *
+entry_search(dns_qid_t *, const isc_sockaddr_t *, dns_messageid_t, in_port_t,
+	     unsigned int);
+static bool
+destroy_disp_ok(dns_dispatch_t *);
+static void
+destroy_disp(isc_task_t *task, isc_event_t *event);
+static void
+destroy_dispsocket(dns_dispatch_t *, dispsocket_t **);
+static void
+deactivate_dispsocket(dns_dispatch_t *, dispsocket_t *);
+static void
+udp_exrecv(isc_task_t *, isc_event_t *);
+static void
+udp_shrecv(isc_task_t *, isc_event_t *);
+static void
+udp_recv(isc_event_t *, dns_dispatch_t *, dispsocket_t *);
+static void
+tcp_recv(isc_task_t *, isc_event_t *);
+static isc_result_t
+startrecv(dns_dispatch_t *, dispsocket_t *);
+static uint32_t
+dns_hash(dns_qid_t *, const isc_sockaddr_t *, dns_messageid_t, in_port_t);
+static void
+free_buffer(dns_dispatch_t *disp, void *buf, unsigned int len);
+static void *
+allocate_udp_buffer(dns_dispatch_t *disp);
+static void
+free_devent(dns_dispatch_t *disp, dns_dispatchevent_t *ev);
+static dns_dispatchevent_t *
+allocate_devent(dns_dispatch_t *disp);
+static void
+do_cancel(dns_dispatch_t *disp);
+static dns_dispentry_t *
+linear_first(dns_qid_t *disp);
+static dns_dispentry_t *
+linear_next(dns_qid_t *disp, dns_dispentry_t *resp);
+static void
+dispatch_free(dns_dispatch_t **dispp);
+static isc_result_t
+get_udpsocket(dns_dispatchmgr_t *mgr, dns_dispatch_t *disp,
+	      isc_socketmgr_t *sockmgr, const isc_sockaddr_t *localaddr,
+	      isc_socket_t **sockp, isc_socket_t *dup_socket, bool duponly);
+static isc_result_t
+dispatch_createudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
+		   isc_taskmgr_t *taskmgr, const isc_sockaddr_t *localaddr,
+		   unsigned int maxrequests, unsigned int attributes,
+		   dns_dispatch_t **dispp, isc_socket_t *dup_socket);
+static bool
+destroy_mgr_ok(dns_dispatchmgr_t *mgr);
+static void
+destroy_mgr(dns_dispatchmgr_t **mgrp);
+static isc_result_t
+qid_allocate(dns_dispatchmgr_t *mgr, unsigned int buckets,
+	     unsigned int increment, dns_qid_t **qidp, bool needaddrtable);
+static void
+qid_destroy(isc_mem_t *mctx, dns_qid_t **qidp);
+static isc_result_t
+open_socket(isc_socketmgr_t *mgr, const isc_sockaddr_t *local,
+	    unsigned int options, isc_socket_t **sockp,
+	    isc_socket_t *dup_socket, bool duponly);
+static bool
+portavailable(dns_dispatchmgr_t *mgr, isc_socket_t *sock,
+	      isc_sockaddr_t *sockaddrp);
+
+#define LVL(x) ISC_LOG_DEBUG(x)
+
+static void
+mgr_log(dns_dispatchmgr_t *mgr, int level, const char *fmt, ...)
+	ISC_FORMAT_PRINTF(3, 4);
+
+static void
+mgr_log(dns_dispatchmgr_t *mgr, int level, const char *fmt, ...) {
+	char msgbuf[2048];
+	va_list ap;
+
+	if (!isc_log_wouldlog(dns_lctx, level)) {
+		return;
+	}
+
+	va_start(ap, fmt);
+	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
+	va_end(ap);
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DISPATCH,
+		      DNS_LOGMODULE_DISPATCH, level, "dispatchmgr %p: %s", mgr,
+		      msgbuf);
+}
+
+static void
+inc_stats(dns_dispatchmgr_t *mgr, isc_statscounter_t counter) {
+	if (mgr->stats != NULL) {
+		isc_stats_increment(mgr->stats, counter);
+	}
+}
+
+static void
+dec_stats(dns_dispatchmgr_t *mgr, isc_statscounter_t counter) {
+	if (mgr->stats != NULL) {
+		isc_stats_decrement(mgr->stats, counter);
+	}
+}
+
+static void
+dispatch_log(dns_dispatch_t *disp, int level, const char *fmt, ...)
+	ISC_FORMAT_PRINTF(3, 4);
+
+static void
+dispatch_log(dns_dispatch_t *disp, int level, const char *fmt, ...) {
+	char msgbuf[2048];
+	va_list ap;
+
+	if (!isc_log_wouldlog(dns_lctx, level)) {
+		return;
+	}
+
+	va_start(ap, fmt);
+	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
+	va_end(ap);
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DISPATCH,
+		      DNS_LOGMODULE_DISPATCH, level, "dispatch %p: %s", disp,
+		      msgbuf);
+}
+
+static void
+request_log(dns_dispatch_t *disp, dns_dispentry_t *resp, int level,
+	    const char *fmt, ...) ISC_FORMAT_PRINTF(4, 5);
+
+static void
+request_log(dns_dispatch_t *disp, dns_dispentry_t *resp, int level,
+	    const char *fmt, ...) {
+	char msgbuf[2048];
+	char peerbuf[256];
+	va_list ap;
+
+	if (!isc_log_wouldlog(dns_lctx, level)) {
+		return;
+	}
+
+	va_start(ap, fmt);
+	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
+	va_end(ap);
+
+	if (VALID_RESPONSE(resp)) {
+		isc_sockaddr_format(&resp->host, peerbuf, sizeof(peerbuf));
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DISPATCH,
+			      DNS_LOGMODULE_DISPATCH, level,
+			      "dispatch %p response %p %s: %s", disp, resp,
+			      peerbuf, msgbuf);
+	} else {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DISPATCH,
+			      DNS_LOGMODULE_DISPATCH, level,
+			      "dispatch %p req/resp %p: %s", disp, resp,
+			      msgbuf);
+	}
+}
+
+/*
+ * Return a hash of the destination and message id.
+ */
+static uint32_t
+dns_hash(dns_qid_t *qid, const isc_sockaddr_t *dest, dns_messageid_t id,
+	 in_port_t port) {
+	uint32_t ret;
+
+	ret = isc_sockaddr_hash(dest, true);
+	ret ^= ((uint32_t)id << 16) | port;
+	ret %= qid->qid_nbuckets;
+
+	INSIST(ret < qid->qid_nbuckets);
+
+	return (ret);
+}
+
+/*
+ * Find the first entry in 'qid'.  Returns NULL if there are no entries.
+ */
+static dns_dispentry_t *
+linear_first(dns_qid_t *qid) {
+	dns_dispentry_t *ret;
+	unsigned int bucket;
+
+	bucket = 0;
+
+	while (bucket < qid->qid_nbuckets) {
+		ret = ISC_LIST_HEAD(qid->qid_table[bucket]);
+		if (ret != NULL) {
+			return (ret);
+		}
+		bucket++;
+	}
+
+	return (NULL);
+}
+
+/*
+ * Find the next entry after 'resp' in 'qid'.  Return NULL if there are
+ * no more entries.
+ */
+static dns_dispentry_t *
+linear_next(dns_qid_t *qid, dns_dispentry_t *resp) {
+	dns_dispentry_t *ret;
+	unsigned int bucket;
+
+	ret = ISC_LIST_NEXT(resp, link);
+	if (ret != NULL) {
+		return (ret);
+	}
+
+	bucket = resp->bucket;
+	bucket++;
+	while (bucket < qid->qid_nbuckets) {
+		ret = ISC_LIST_HEAD(qid->qid_table[bucket]);
+		if (ret != NULL) {
+			return (ret);
+		}
+		bucket++;
+	}
+
+	return (NULL);
+}
+
+/*
+ * The dispatch must be locked.
+ */
+static bool
+destroy_disp_ok(dns_dispatch_t *disp) {
+	if (disp->refcount != 0) {
+		return (false);
+	}
+
+	if (disp->recv_pending != 0) {
+		return (false);
+	}
+
+	if (!ISC_LIST_EMPTY(disp->activesockets)) {
+		return (false);
+	}
+
+	if (disp->shutting_down == 0) {
+		return (false);
+	}
+
+	return (true);
+}
+
+/*
+ * Called when refcount reaches 0 (and safe to destroy).
+ *
+ * The dispatcher must be locked.
+ * The manager must not be locked.
+ */
+static void
+destroy_disp(isc_task_t *task, isc_event_t *event) {
+	dns_dispatch_t *disp;
+	dns_dispatchmgr_t *mgr;
+	bool killmgr;
+	dispsocket_t *dispsocket;
+	int i;
+
+	INSIST(event->ev_type == DNS_EVENT_DISPATCHCONTROL);
+
+	UNUSED(task);
+
+	disp = event->ev_arg;
+	mgr = disp->mgr;
+
+	LOCK(&mgr->lock);
+	ISC_LIST_UNLINK(mgr->list, disp, link);
+
+	dispatch_log(disp, LVL(90),
+		     "shutting down; detaching from sock %p, task %p",
+		     disp->socket, disp->task[0]); /* XXXX */
+
+	if (disp->sepool != NULL) {
+		isc_mem_destroy(&disp->sepool);
+	}
+
+	if (disp->socket != NULL) {
+		isc_socket_detach(&disp->socket);
+	}
+	while ((dispsocket = ISC_LIST_HEAD(disp->inactivesockets)) != NULL) {
+		ISC_LIST_UNLINK(disp->inactivesockets, dispsocket, link);
+		destroy_dispsocket(disp, &dispsocket);
+	}
+	for (i = 0; i < disp->ntasks; i++) {
+		isc_task_detach(&disp->task[i]);
+	}
+	isc_event_free(&event);
+
+	dispatch_free(&disp);
+
+	killmgr = destroy_mgr_ok(mgr);
+	UNLOCK(&mgr->lock);
+	if (killmgr) {
+		destroy_mgr(&mgr);
+	}
+}
+
+/*%
+ * Manipulate port table per dispatch: find an entry for a given port number,
+ * create a new entry, and decrement a given entry with possible clean-up.
+ */
+static dispportentry_t *
+port_search(dns_dispatch_t *disp, in_port_t port) {
+	dispportentry_t *portentry;
+
+	REQUIRE(disp->port_table != NULL);
+
+	portentry = ISC_LIST_HEAD(
+		disp->port_table[port % DNS_DISPATCH_PORTTABLESIZE]);
+	while (portentry != NULL) {
+		if (portentry->port == port) {
+			return (portentry);
+		}
+		portentry = ISC_LIST_NEXT(portentry, link);
+	}
+
+	return (NULL);
+}
+
+static dispportentry_t *
+new_portentry(dns_dispatch_t *disp, in_port_t port) {
+	dispportentry_t *portentry;
+	dns_qid_t *qid;
+
+	REQUIRE(disp->port_table != NULL);
+
+	portentry = isc_mem_get(disp->mgr->mctx, sizeof(*portentry));
+
+	portentry->port = port;
+	isc_refcount_init(&portentry->refs, 1);
+	ISC_LINK_INIT(portentry, link);
+	qid = DNS_QID(disp);
+	LOCK(&qid->lock);
+	ISC_LIST_APPEND(disp->port_table[port % DNS_DISPATCH_PORTTABLESIZE],
+			portentry, link);
+	UNLOCK(&qid->lock);
+
+	return (portentry);
+}
+
+/*%
+ * The caller must hold the qid->lock.
+ */
+static void
+deref_portentry(dns_dispatch_t *disp, dispportentry_t **portentryp) {
+	dispportentry_t *portentry = *portentryp;
+	*portentryp = NULL;
+
+	REQUIRE(disp->port_table != NULL);
+	REQUIRE(portentry != NULL);
+
+	if (isc_refcount_decrement(&portentry->refs) == 1) {
+		ISC_LIST_UNLINK(disp->port_table[portentry->port %
+						 DNS_DISPATCH_PORTTABLESIZE],
+				portentry, link);
+		isc_mem_put(disp->mgr->mctx, portentry, sizeof(*portentry));
+	}
+}
+
+/*%
+ * Find a dispsocket for socket address 'dest', and port number 'port'.
+ * Return NULL if no such entry exists.  Requires qid->lock to be held.
+ */
+static dispsocket_t *
+socket_search(dns_qid_t *qid, const isc_sockaddr_t *dest, in_port_t port,
+	      unsigned int bucket) {
+	dispsocket_t *dispsock;
+
+	REQUIRE(VALID_QID(qid));
+	REQUIRE(bucket < qid->qid_nbuckets);
+
+	dispsock = ISC_LIST_HEAD(qid->sock_table[bucket]);
+
+	while (dispsock != NULL) {
+		if (dispsock->portentry != NULL &&
+		    dispsock->portentry->port == port &&
+		    isc_sockaddr_equal(dest, &dispsock->host))
+		{
+			return (dispsock);
+		}
+		dispsock = ISC_LIST_NEXT(dispsock, blink);
+	}
+
+	return (NULL);
+}
+
+/*%
+ * Make a new socket for a single dispatch with a random port number.
+ * The caller must hold the disp->lock
+ */
+static isc_result_t
+get_dispsocket(dns_dispatch_t *disp, const isc_sockaddr_t *dest,
+	       isc_socketmgr_t *sockmgr, dispsocket_t **dispsockp,
+	       in_port_t *portp) {
+	int i;
+	dns_dispatchmgr_t *mgr = disp->mgr;
+	isc_socket_t *sock = NULL;
+	isc_result_t result = ISC_R_FAILURE;
+	in_port_t port;
+	isc_sockaddr_t localaddr;
+	unsigned int bucket = 0;
+	dispsocket_t *dispsock;
+	unsigned int nports;
+	in_port_t *ports;
+	isc_socket_options_t bindoptions;
+	dispportentry_t *portentry = NULL;
+	dns_qid_t *qid;
+
+	if (isc_sockaddr_pf(&disp->local) == AF_INET) {
+		nports = disp->mgr->nv4ports;
+		ports = disp->mgr->v4ports;
+	} else {
+		nports = disp->mgr->nv6ports;
+		ports = disp->mgr->v6ports;
+	}
+	if (nports == 0) {
+		return (ISC_R_ADDRNOTAVAIL);
+	}
+
+	dispsock = ISC_LIST_HEAD(disp->inactivesockets);
+	if (dispsock != NULL) {
+		ISC_LIST_UNLINK(disp->inactivesockets, dispsock, link);
+		sock = dispsock->socket;
+		dispsock->socket = NULL;
+	} else {
+		dispsock = isc_mem_get(mgr->mctx, sizeof(*dispsock));
+
+		disp->nsockets++;
+		dispsock->socket = NULL;
+		dispsock->disp = disp;
+		dispsock->resp = NULL;
+		dispsock->portentry = NULL;
+		dispsock->task = NULL;
+		isc_task_attach(disp->task[isc_random_uniform(disp->ntasks)],
+				&dispsock->task);
+		ISC_LINK_INIT(dispsock, link);
+		ISC_LINK_INIT(dispsock, blink);
+		dispsock->magic = DISPSOCK_MAGIC;
+	}
+
+	/*
+	 * Pick up a random UDP port and open a new socket with it.  Avoid
+	 * choosing ports that share the same destination because it will be
+	 * very likely to fail in bind(2) or connect(2).
+	 */
+	localaddr = disp->local;
+	qid = DNS_QID(disp);
+
+	for (i = 0; i < 64; i++) {
+		port = ports[isc_random_uniform(nports)];
+		isc_sockaddr_setport(&localaddr, port);
+
+		LOCK(&qid->lock);
+		bucket = dns_hash(qid, dest, 0, port);
+		if (socket_search(qid, dest, port, bucket) != NULL) {
+			UNLOCK(&qid->lock);
+			continue;
+		}
+		UNLOCK(&qid->lock);
+		bindoptions = 0;
+		portentry = port_search(disp, port);
+
+		if (portentry != NULL) {
+			bindoptions |= ISC_SOCKET_REUSEADDRESS;
+		}
+		result = open_socket(sockmgr, &localaddr, bindoptions, &sock,
+				     NULL, false);
+		if (result == ISC_R_SUCCESS) {
+			if (portentry == NULL) {
+				portentry = new_portentry(disp, port);
+				if (portentry == NULL) {
+					result = ISC_R_NOMEMORY;
+					break;
+				}
+			} else {
+				isc_refcount_increment(&portentry->refs);
+			}
+			break;
+		} else if (result == ISC_R_NOPERM) {
+			char buf[ISC_SOCKADDR_FORMATSIZE];
+			isc_sockaddr_format(&localaddr, buf, sizeof(buf));
+			dispatch_log(disp, ISC_LOG_WARNING,
+				     "open_socket(%s) -> %s: continuing", buf,
+				     isc_result_totext(result));
+		} else if (result != ISC_R_ADDRINUSE) {
+			break;
+		}
+	}
+
+	if (result == ISC_R_SUCCESS) {
+		dispsock->socket = sock;
+		dispsock->host = *dest;
+		dispsock->bucket = bucket;
+		LOCK(&qid->lock);
+		dispsock->portentry = portentry;
+		ISC_LIST_APPEND(qid->sock_table[bucket], dispsock, blink);
+		UNLOCK(&qid->lock);
+		*dispsockp = dispsock;
+		*portp = port;
+	} else {
+		/*
+		 * We could keep it in the inactive list, but since this should
+		 * be an exceptional case and might be resource shortage, we'd
+		 * rather destroy it.
+		 */
+		if (sock != NULL) {
+			isc_socket_detach(&sock);
+		}
+		destroy_dispsocket(disp, &dispsock);
+	}
+
+	return (result);
+}
+
+/*%
+ * Destroy a dedicated dispatch socket.
+ */
+static void
+destroy_dispsocket(dns_dispatch_t *disp, dispsocket_t **dispsockp) {
+	dispsocket_t *dispsock;
+	dns_qid_t *qid = DNS_QID(disp);
+
+	/*
+	 * The dispatch must be locked.
+	 */
+
+	REQUIRE(dispsockp != NULL && *dispsockp != NULL);
+	dispsock = *dispsockp;
+	*dispsockp = NULL;
+	REQUIRE(!ISC_LINK_LINKED(dispsock, link));
+
+	disp->nsockets--;
+	dispsock->magic = 0;
+	if (dispsock->portentry != NULL) {
+		/* socket_search() tests and dereferences portentry. */
+		LOCK(&qid->lock);
+		deref_portentry(disp, &dispsock->portentry);
+		UNLOCK(&qid->lock);
+	}
+	if (dispsock->socket != NULL) {
+		isc_socket_detach(&dispsock->socket);
+	}
+	if (ISC_LINK_LINKED(dispsock, blink)) {
+		LOCK(&qid->lock);
+		ISC_LIST_UNLINK(qid->sock_table[dispsock->bucket], dispsock,
+				blink);
+		UNLOCK(&qid->lock);
+	}
+	if (dispsock->task != NULL) {
+		isc_task_detach(&dispsock->task);
+	}
+	isc_mem_put(disp->mgr->mctx, dispsock, sizeof(*dispsock));
+}
+
+/*%
+ * Deactivate a dedicated dispatch socket.  Move it to the inactive list for
+ * future reuse unless the total number of sockets are exceeding the maximum.
+ */
+static void
+deactivate_dispsocket(dns_dispatch_t *disp, dispsocket_t *dispsock) {
+	isc_result_t result;
+	dns_qid_t *qid = DNS_QID(disp);
+
+	/*
+	 * The dispatch must be locked.
+	 */
+	ISC_LIST_UNLINK(disp->activesockets, dispsock, link);
+	if (dispsock->resp != NULL) {
+		INSIST(dispsock->resp->dispsocket == dispsock);
+		dispsock->resp->dispsocket = NULL;
+	}
+
+	INSIST(dispsock->portentry != NULL);
+	/* socket_search() tests and dereferences portentry. */
+	LOCK(&qid->lock);
+	deref_portentry(disp, &dispsock->portentry);
+	UNLOCK(&qid->lock);
+
+	if (disp->nsockets > DNS_DISPATCH_POOLSOCKS) {
+		destroy_dispsocket(disp, &dispsock);
+	} else {
+		result = isc_socket_close(dispsock->socket);
+
+		LOCK(&qid->lock);
+		ISC_LIST_UNLINK(qid->sock_table[dispsock->bucket], dispsock,
+				blink);
+		UNLOCK(&qid->lock);
+
+		if (result == ISC_R_SUCCESS) {
+			ISC_LIST_APPEND(disp->inactivesockets, dispsock, link);
+		} else {
+			/*
+			 * If the underlying system does not allow this
+			 * optimization, destroy this temporary structure (and
+			 * create a new one for a new transaction).
+			 */
+			INSIST(result == ISC_R_NOTIMPLEMENTED);
+			destroy_dispsocket(disp, &dispsock);
+		}
+	}
+}
+
+/*
+ * Find an entry for query ID 'id', socket address 'dest', and port number
+ * 'port'.
+ * Return NULL if no such entry exists.
+ */
+static dns_dispentry_t *
+entry_search(dns_qid_t *qid, const isc_sockaddr_t *dest, dns_messageid_t id,
+	     in_port_t port, unsigned int bucket) {
+	dns_dispentry_t *res;
+
+	REQUIRE(VALID_QID(qid));
+	REQUIRE(bucket < qid->qid_nbuckets);
+
+	res = ISC_LIST_HEAD(qid->qid_table[bucket]);
+
+	while (res != NULL) {
+		if (res->id == id && isc_sockaddr_equal(dest, &res->host) &&
+		    res->port == port)
+		{
+			return (res);
+		}
+		res = ISC_LIST_NEXT(res, link);
+	}
+
+	return (NULL);
+}
+
+static void
+free_buffer(dns_dispatch_t *disp, void *buf, unsigned int len) {
+	unsigned int buffersize;
+	INSIST(buf != NULL && len != 0);
+
+	switch (disp->socktype) {
+	case isc_sockettype_tcp:
+		INSIST(disp->tcpbuffers > 0);
+		disp->tcpbuffers--;
+		isc_mem_put(disp->mgr->mctx, buf, len);
+		break;
+	case isc_sockettype_udp:
+		LOCK(&disp->mgr->buffer_lock);
+		INSIST(disp->mgr->buffers > 0);
+		INSIST(len == disp->mgr->buffersize);
+		disp->mgr->buffers--;
+		buffersize = disp->mgr->buffersize;
+		UNLOCK(&disp->mgr->buffer_lock);
+		isc_mem_put(disp->mgr->mctx, buf, buffersize);
+		break;
+	default:
+		UNREACHABLE();
+	}
+}
+
+static void *
+allocate_udp_buffer(dns_dispatch_t *disp) {
+	unsigned int buffersize;
+
+	LOCK(&disp->mgr->buffer_lock);
+	if (disp->mgr->buffers >= disp->mgr->maxbuffers) {
+		UNLOCK(&disp->mgr->buffer_lock);
+		return (NULL);
+	}
+	buffersize = disp->mgr->buffersize;
+	disp->mgr->buffers++;
+	UNLOCK(&disp->mgr->buffer_lock);
+
+	return (isc_mem_get(disp->mgr->mctx, buffersize));
+}
+
+static void
+free_sevent(isc_event_t *ev) {
+	isc_mem_t *pool = ev->ev_destroy_arg;
+	isc_socketevent_t *sev = (isc_socketevent_t *)ev;
+	isc_mem_put(pool, sev, sizeof(*sev));
+}
+
+static isc_socketevent_t *
+allocate_sevent(dns_dispatch_t *disp, isc_socket_t *sock, isc_eventtype_t type,
+		isc_taskaction_t action, const void *arg) {
+	isc_socketevent_t *ev;
+	void *deconst_arg;
+
+	ev = isc_mem_get(disp->sepool, sizeof(*ev));
+	DE_CONST(arg, deconst_arg);
+	ISC_EVENT_INIT(ev, sizeof(*ev), 0, NULL, type, action, deconst_arg,
+		       sock, free_sevent, disp->sepool);
+	ev->result = ISC_R_UNSET;
+	ISC_LINK_INIT(ev, ev_link);
+	ev->region.base = NULL;
+	ev->n = 0;
+	ev->offset = 0;
+	ev->attributes = 0;
+
+	return (ev);
+}
+
+static void
+free_devent(dns_dispatch_t *disp, dns_dispatchevent_t *ev) {
+	if (disp->failsafe_ev == ev) {
+		INSIST(disp->shutdown_out == 1);
+		disp->shutdown_out = 0;
+
+		return;
+	}
+
+	isc_refcount_decrement(&disp->mgr->irefs);
+	isc_mem_put(disp->mgr->mctx, ev, sizeof(*ev));
+}
+
+static dns_dispatchevent_t *
+allocate_devent(dns_dispatch_t *disp) {
+	dns_dispatchevent_t *ev;
+
+	ev = isc_mem_get(disp->mgr->mctx, sizeof(*ev));
+	isc_refcount_increment0(&disp->mgr->irefs);
+	ISC_EVENT_INIT(ev, sizeof(*ev), 0, NULL, 0, NULL, NULL, NULL, NULL,
+		       NULL);
+
+	return (ev);
+}
+
+static void
+udp_exrecv(isc_task_t *task, isc_event_t *ev) {
+	dispsocket_t *dispsock = ev->ev_arg;
+
+	UNUSED(task);
+
+	REQUIRE(VALID_DISPSOCK(dispsock));
+	udp_recv(ev, dispsock->disp, dispsock);
+}
+
+static void
+udp_shrecv(isc_task_t *task, isc_event_t *ev) {
+	dns_dispatch_t *disp = ev->ev_arg;
+
+	UNUSED(task);
+
+	REQUIRE(VALID_DISPATCH(disp));
+	udp_recv(ev, disp, NULL);
+}
+
+/*
+ * General flow:
+ *
+ * If I/O result == CANCELED or error, free the buffer.
+ *
+ * If query, free the buffer, restart.
+ *
+ * If response:
+ *	Allocate event, fill in details.
+ *		If cannot allocate, free buffer, restart.
+ *	find target.  If not found, free buffer, restart.
+ *	if event queue is not empty, queue.  else, send.
+ *	restart.
+ */
+static void
+udp_recv(isc_event_t *ev_in, dns_dispatch_t *disp, dispsocket_t *dispsock) {
+	isc_socketevent_t *ev = (isc_socketevent_t *)ev_in;
+	dns_messageid_t id;
+	isc_result_t dres;
+	isc_buffer_t source;
+	unsigned int flags;
+	dns_dispentry_t *resp = NULL;
+	dns_dispatchevent_t *rev;
+	unsigned int bucket;
+	bool killit;
+	bool queue_response;
+	dns_dispatchmgr_t *mgr;
+	dns_qid_t *qid;
+	isc_netaddr_t netaddr;
+	int match;
+	int result;
+	bool qidlocked = false;
+
+	LOCK(&disp->lock);
+
+	mgr = disp->mgr;
+	qid = mgr->qid;
+
+	LOCK(&disp->mgr->buffer_lock);
+	dispatch_log(disp, LVL(90),
+		     "got packet: requests %d, buffers %d, recvs %d",
+		     disp->requests, disp->mgr->buffers, disp->recv_pending);
+	UNLOCK(&disp->mgr->buffer_lock);
+
+	if (dispsock == NULL && ev->ev_type == ISC_SOCKEVENT_RECVDONE) {
+		/*
+		 * Unless the receive event was imported from a listening
+		 * interface, in which case the event type is
+		 * DNS_EVENT_IMPORTRECVDONE, receive operation must be pending.
+		 */
+		INSIST(disp->recv_pending != 0);
+		disp->recv_pending = 0;
+	}
+
+	if (dispsock != NULL &&
+	    (ev->result == ISC_R_CANCELED || dispsock->resp == NULL))
+	{
+		/*
+		 * dispsock->resp can be NULL if this transaction was canceled
+		 * just after receiving a response.  Since this socket is
+		 * exclusively used and there should be at most one receive
+		 * event the canceled event should have been no effect.  So
+		 * we can (and should) deactivate the socket right now.
+		 */
+		deactivate_dispsocket(disp, dispsock);
+		dispsock = NULL;
+	}
+
+	if (disp->shutting_down) {
+		/*
+		 * This dispatcher is shutting down.
+		 */
+		free_buffer(disp, ev->region.base, ev->region.length);
+
+		isc_event_free(&ev_in);
+		ev = NULL;
+
+		killit = destroy_disp_ok(disp);
+		UNLOCK(&disp->lock);
+		if (killit) {
+			isc_task_send(disp->task[0], &disp->ctlevent);
+		}
+
+		return;
+	}
+
+	if ((disp->attributes & DNS_DISPATCHATTR_EXCLUSIVE) != 0) {
+		if (dispsock != NULL) {
+			resp = dispsock->resp;
+			id = resp->id;
+			if (ev->result != ISC_R_SUCCESS) {
+				/*
+				 * This is most likely a network error on a
+				 * connected socket.  It makes no sense to
+				 * check the address or parse the packet, but it
+				 * will help to return the error to the caller.
+				 */
+				goto sendresponse;
+			}
+		} else {
+			free_buffer(disp, ev->region.base, ev->region.length);
+
+			isc_event_free(&ev_in);
+			UNLOCK(&disp->lock);
+			return;
+		}
+	} else if (ev->result != ISC_R_SUCCESS) {
+		free_buffer(disp, ev->region.base, ev->region.length);
+
+		if (ev->result != ISC_R_CANCELED) {
+			dispatch_log(disp, ISC_LOG_ERROR,
+				     "odd socket result in udp_recv(): %s",
+				     isc_result_totext(ev->result));
+		}
+
+		isc_event_free(&ev_in);
+		UNLOCK(&disp->lock);
+		return;
+	}
+
+	/*
+	 * If this is from a blackholed address, drop it.
+	 */
+	isc_netaddr_fromsockaddr(&netaddr, &ev->address);
+	if (disp->mgr->blackhole != NULL &&
+	    dns_acl_match(&netaddr, NULL, disp->mgr->blackhole, NULL, &match,
+			  NULL) == ISC_R_SUCCESS &&
+	    match > 0)
+	{
+		if (isc_log_wouldlog(dns_lctx, LVL(10))) {
+			char netaddrstr[ISC_NETADDR_FORMATSIZE];
+			isc_netaddr_format(&netaddr, netaddrstr,
+					   sizeof(netaddrstr));
+			dispatch_log(disp, LVL(10), "blackholed packet from %s",
+				     netaddrstr);
+		}
+		free_buffer(disp, ev->region.base, ev->region.length);
+		goto restart;
+	}
+
+	/*
+	 * Peek into the buffer to see what we can see.
+	 */
+	isc_buffer_init(&source, ev->region.base, ev->region.length);
+	isc_buffer_add(&source, ev->n);
+	dres = dns_message_peekheader(&source, &id, &flags);
+	if (dres != ISC_R_SUCCESS) {
+		free_buffer(disp, ev->region.base, ev->region.length);
+		dispatch_log(disp, LVL(10), "got garbage packet");
+		goto restart;
+	}
+
+	dispatch_log(disp, LVL(92),
+		     "got valid DNS message header, /QR %c, id %u",
+		     (((flags & DNS_MESSAGEFLAG_QR) != 0) ? '1' : '0'), id);
+
+	/*
+	 * Look at flags.  If query, drop it. If response,
+	 * look to see where it goes.
+	 */
+	if ((flags & DNS_MESSAGEFLAG_QR) == 0) {
+		/* query */
+		free_buffer(disp, ev->region.base, ev->region.length);
+		goto restart;
+	}
+
+	/*
+	 * Search for the corresponding response.  If we are using an exclusive
+	 * socket, we've already identified it and we can skip the search; but
+	 * the ID and the address must match the expected ones.
+	 */
+	if (resp == NULL) {
+		bucket = dns_hash(qid, &ev->address, id, disp->localport);
+		LOCK(&qid->lock);
+		qidlocked = true;
+		resp = entry_search(qid, &ev->address, id, disp->localport,
+				    bucket);
+		dispatch_log(disp, LVL(90),
+			     "search for response in bucket %d: %s", bucket,
+			     (resp == NULL ? "not found" : "found"));
+
+	} else if (resp->id != id ||
+		   !isc_sockaddr_equal(&ev->address, &resp->host))
+	{
+		dispatch_log(disp, LVL(90),
+			     "response to an exclusive socket doesn't match");
+		inc_stats(mgr, dns_resstatscounter_mismatch);
+		free_buffer(disp, ev->region.base, ev->region.length);
+		goto unlock;
+	}
+
+	if (resp == NULL) {
+		inc_stats(mgr, dns_resstatscounter_mismatch);
+		free_buffer(disp, ev->region.base, ev->region.length);
+		goto unlock;
+	}
+
+	/*
+	 * Now that we have the original dispatch the query was sent
+	 * from check that the address and port the response was
+	 * sent to make sense.
+	 */
+	if (disp != resp->disp) {
+		isc_sockaddr_t a1;
+		isc_sockaddr_t a2;
+
+		/*
+		 * Check that the socket types and ports match.
+		 */
+		if (disp->socktype != resp->disp->socktype ||
+		    isc_sockaddr_getport(&disp->local) !=
+			    isc_sockaddr_getport(&resp->disp->local))
+		{
+			free_buffer(disp, ev->region.base, ev->region.length);
+			goto unlock;
+		}
+
+		/*
+		 * If each dispatch is bound to a different address
+		 * then fail.
+		 *
+		 * Note under Linux a packet can be sent out via IPv4 socket
+		 * and the response be received via a IPv6 socket.
+		 *
+		 * Requests sent out via IPv6 should always come back in
+		 * via IPv6.
+		 */
+		if (isc_sockaddr_pf(&resp->disp->local) == PF_INET6 &&
+		    isc_sockaddr_pf(&disp->local) != PF_INET6)
+		{
+			free_buffer(disp, ev->region.base, ev->region.length);
+			goto unlock;
+		}
+		isc_sockaddr_anyofpf(&a1, isc_sockaddr_pf(&resp->disp->local));
+		isc_sockaddr_anyofpf(&a2, isc_sockaddr_pf(&disp->local));
+		if (!isc_sockaddr_eqaddr(&disp->local, &resp->disp->local) &&
+		    !isc_sockaddr_eqaddr(&a1, &resp->disp->local) &&
+		    !isc_sockaddr_eqaddr(&a2, &disp->local))
+		{
+			free_buffer(disp, ev->region.base, ev->region.length);
+			goto unlock;
+		}
+	}
+
+sendresponse:
+	queue_response = resp->item_out;
+	rev = allocate_devent(resp->disp);
+	if (rev == NULL) {
+		free_buffer(disp, ev->region.base, ev->region.length);
+		goto unlock;
+	}
+
+	/*
+	 * At this point, rev contains the event we want to fill in, and
+	 * resp contains the information on the place to send it to.
+	 * Send the event off.
+	 */
+	isc_buffer_init(&rev->buffer, ev->region.base, ev->region.length);
+	isc_buffer_add(&rev->buffer, ev->n);
+	rev->result = ev->result;
+	rev->id = id;
+	rev->addr = ev->address;
+	rev->pktinfo = ev->pktinfo;
+	rev->attributes = ev->attributes;
+	if (queue_response) {
+		ISC_LIST_APPEND(resp->items, rev, ev_link);
+	} else {
+		ISC_EVENT_INIT(rev, sizeof(*rev), 0, NULL, DNS_EVENT_DISPATCH,
+			       resp->action, resp->arg, resp, NULL, NULL);
+		request_log(disp, resp, LVL(90),
+			    "[a] Sent event %p buffer %p len %d to task %p",
+			    rev, rev->buffer.base, rev->buffer.length,
+			    resp->task);
+		resp->item_out = true;
+		isc_task_send(resp->task, ISC_EVENT_PTR(&rev));
+	}
+unlock:
+	if (qidlocked) {
+		UNLOCK(&qid->lock);
+	}
+
+	/*
+	 * Restart recv() to get the next packet.
+	 */
+restart:
+	result = startrecv(disp, dispsock);
+	if (result != ISC_R_SUCCESS && dispsock != NULL) {
+		/*
+		 * XXX: wired. There seems to be no recovery process other than
+		 * deactivate this socket anyway (since we cannot start
+		 * receiving, we won't be able to receive a cancel event
+		 * from the user).
+		 */
+		deactivate_dispsocket(disp, dispsock);
+	}
+	isc_event_free(&ev_in);
+	UNLOCK(&disp->lock);
+}
+
+/*
+ * General flow:
+ *
+ * If I/O result == CANCELED, EOF, or error, notify everyone as the
+ * various queues drain.
+ *
+ * If query, restart.
+ *
+ * If response:
+ *	Allocate event, fill in details.
+ *		If cannot allocate, restart.
+ *	find target.  If not found, restart.
+ *	if event queue is not empty, queue.  else, send.
+ *	restart.
+ */
+static void
+tcp_recv(isc_task_t *task, isc_event_t *ev_in) {
+	dns_dispatch_t *disp = ev_in->ev_arg;
+	dns_tcpmsg_t *tcpmsg = &disp->tcpmsg;
+	dns_messageid_t id;
+	isc_result_t dres;
+	unsigned int flags;
+	dns_dispentry_t *resp;
+	dns_dispatchevent_t *rev;
+	unsigned int bucket;
+	bool killit;
+	bool queue_response;
+	dns_qid_t *qid;
+	int level;
+	char buf[ISC_SOCKADDR_FORMATSIZE];
+
+	UNUSED(task);
+
+	REQUIRE(VALID_DISPATCH(disp));
+
+	qid = disp->qid;
+
+	LOCK(&disp->lock);
+
+	dispatch_log(disp, LVL(90),
+		     "got TCP packet: requests %d, buffers %d, recvs %d",
+		     disp->requests, disp->tcpbuffers, disp->recv_pending);
+
+	INSIST(disp->recv_pending != 0);
+	disp->recv_pending = 0;
+
+	if (disp->refcount == 0) {
+		/*
+		 * This dispatcher is shutting down.  Force cancellation.
+		 */
+		tcpmsg->result = ISC_R_CANCELED;
+	}
+
+	if (tcpmsg->result != ISC_R_SUCCESS) {
+		switch (tcpmsg->result) {
+		case ISC_R_CANCELED:
+			break;
+
+		case ISC_R_EOF:
+			dispatch_log(disp, LVL(90), "shutting down on EOF");
+			do_cancel(disp);
+			break;
+
+		case ISC_R_CONNECTIONRESET:
+			level = ISC_LOG_INFO;
+			goto logit;
+
+		default:
+			level = ISC_LOG_ERROR;
+		logit:
+			isc_sockaddr_format(&tcpmsg->address, buf, sizeof(buf));
+			dispatch_log(disp, level,
+				     "shutting down due to TCP "
+				     "receive error: %s: %s",
+				     buf, isc_result_totext(tcpmsg->result));
+			do_cancel(disp);
+			break;
+		}
+
+		/*
+		 * The event is statically allocated in the tcpmsg
+		 * structure, and destroy_disp() frees the tcpmsg, so we must
+		 * free the event *before* calling destroy_disp().
+		 */
+		isc_event_free(&ev_in);
+
+		disp->shutting_down = 1;
+		disp->shutdown_why = tcpmsg->result;
+
+		/*
+		 * If the recv() was canceled pass the word on.
+		 */
+		killit = destroy_disp_ok(disp);
+		UNLOCK(&disp->lock);
+		if (killit) {
+			isc_task_send(disp->task[0], &disp->ctlevent);
+		}
+		return;
+	}
+
+	dispatch_log(disp, LVL(90), "result %d, length == %d, addr = %p",
+		     tcpmsg->result, tcpmsg->buffer.length,
+		     tcpmsg->buffer.base);
+
+	/*
+	 * Peek into the buffer to see what we can see.
+	 */
+	dres = dns_message_peekheader(&tcpmsg->buffer, &id, &flags);
+	if (dres != ISC_R_SUCCESS) {
+		dispatch_log(disp, LVL(10), "got garbage packet");
+		goto restart;
+	}
+
+	dispatch_log(disp, LVL(92),
+		     "got valid DNS message header, /QR %c, id %u",
+		     (((flags & DNS_MESSAGEFLAG_QR) != 0) ? '1' : '0'), id);
+
+	/*
+	 * Allocate an event to send to the query or response client, and
+	 * allocate a new buffer for our use.
+	 */
+
+	/*
+	 * Look at flags.  If query, drop it. If response,
+	 * look to see where it goes.
+	 */
+	if ((flags & DNS_MESSAGEFLAG_QR) == 0) {
+		/*
+		 * Query.
+		 */
+		goto restart;
+	}
+
+	/*
+	 * Response.
+	 */
+	bucket = dns_hash(qid, &tcpmsg->address, id, disp->localport);
+	LOCK(&qid->lock);
+	resp = entry_search(qid, &tcpmsg->address, id, disp->localport, bucket);
+	dispatch_log(disp, LVL(90), "search for response in bucket %d: %s",
+		     bucket, (resp == NULL ? "not found" : "found"));
+
+	if (resp == NULL) {
+		goto unlock;
+	}
+	queue_response = resp->item_out;
+	rev = allocate_devent(disp);
+	if (rev == NULL) {
+		goto unlock;
+	}
+
+	/*
+	 * At this point, rev contains the event we want to fill in, and
+	 * resp contains the information on the place to send it to.
+	 * Send the event off.
+	 */
+	dns_tcpmsg_keepbuffer(tcpmsg, &rev->buffer);
+	disp->tcpbuffers++;
+	rev->result = ISC_R_SUCCESS;
+	rev->id = id;
+	rev->addr = tcpmsg->address;
+	if (queue_response) {
+		ISC_LIST_APPEND(resp->items, rev, ev_link);
+	} else {
+		ISC_EVENT_INIT(rev, sizeof(*rev), 0, NULL, DNS_EVENT_DISPATCH,
+			       resp->action, resp->arg, resp, NULL, NULL);
+		request_log(disp, resp, LVL(90),
+			    "[b] Sent event %p buffer %p len %d to task %p",
+			    rev, rev->buffer.base, rev->buffer.length,
+			    resp->task);
+		resp->item_out = true;
+		isc_task_send(resp->task, ISC_EVENT_PTR(&rev));
+	}
+unlock:
+	UNLOCK(&qid->lock);
+
+	/*
+	 * Restart recv() to get the next packet.
+	 */
+restart:
+	(void)startrecv(disp, NULL);
+
+	isc_event_free(&ev_in);
+	UNLOCK(&disp->lock);
+}
+
+/*
+ * disp must be locked.
+ */
+static isc_result_t
+startrecv(dns_dispatch_t *disp, dispsocket_t *dispsock) {
+	isc_result_t res;
+	isc_region_t region;
+	isc_socket_t *sock;
+
+	if (disp->shutting_down == 1) {
+		return (ISC_R_SUCCESS);
+	}
+
+	if ((disp->attributes & DNS_DISPATCHATTR_NOLISTEN) != 0) {
+		return (ISC_R_SUCCESS);
+	}
+
+	if (disp->recv_pending != 0 && dispsock == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+
+	if ((disp->attributes & DNS_DISPATCHATTR_EXCLUSIVE) != 0 &&
+	    dispsock == NULL)
+	{
+		return (ISC_R_SUCCESS);
+	}
+
+	if (dispsock != NULL) {
+		sock = dispsock->socket;
+	} else {
+		sock = disp->socket;
+	}
+	INSIST(sock != NULL);
+
+	switch (disp->socktype) {
+	/*
+	 * UDP reads are always maximal.
+	 */
+	case isc_sockettype_udp:
+		region.length = disp->mgr->buffersize;
+		region.base = allocate_udp_buffer(disp);
+		if (region.base == NULL) {
+			return (ISC_R_NOMEMORY);
+		}
+		if (dispsock != NULL) {
+			isc_task_t *dt = dispsock->task;
+			isc_socketevent_t *sev = allocate_sevent(
+				disp, sock, ISC_SOCKEVENT_RECVDONE, udp_exrecv,
+				dispsock);
+			if (sev == NULL) {
+				free_buffer(disp, region.base, region.length);
+				return (ISC_R_NOMEMORY);
+			}
+
+			res = isc_socket_recv2(sock, &region, 1, dt, sev, 0);
+			if (res != ISC_R_SUCCESS) {
+				free_buffer(disp, region.base, region.length);
+				return (res);
+			}
+		} else {
+			isc_task_t *dt = disp->task[0];
+			isc_socketevent_t *sev = allocate_sevent(
+				disp, sock, ISC_SOCKEVENT_RECVDONE, udp_shrecv,
+				disp);
+			if (sev == NULL) {
+				free_buffer(disp, region.base, region.length);
+				return (ISC_R_NOMEMORY);
+			}
+
+			res = isc_socket_recv2(sock, &region, 1, dt, sev, 0);
+			if (res != ISC_R_SUCCESS) {
+				free_buffer(disp, region.base, region.length);
+				disp->shutdown_why = res;
+				disp->shutting_down = 1;
+				do_cancel(disp);
+				return (ISC_R_SUCCESS); /* recover by cancel */
+			}
+			INSIST(disp->recv_pending == 0);
+			disp->recv_pending = 1;
+		}
+		break;
+
+	case isc_sockettype_tcp:
+		res = dns_tcpmsg_readmessage(&disp->tcpmsg, disp->task[0],
+					     tcp_recv, disp);
+		if (res != ISC_R_SUCCESS) {
+			disp->shutdown_why = res;
+			disp->shutting_down = 1;
+			do_cancel(disp);
+			return (ISC_R_SUCCESS); /* recover by cancel */
+		}
+		INSIST(disp->recv_pending == 0);
+		disp->recv_pending = 1;
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Mgr must be locked when calling this function.
+ */
+static bool
+destroy_mgr_ok(dns_dispatchmgr_t *mgr) {
+	mgr_log(mgr, LVL(90),
+		"destroy_mgr_ok: shuttingdown=%d, listnonempty=%d, ",
+		MGR_IS_SHUTTINGDOWN(mgr), !ISC_LIST_EMPTY(mgr->list));
+	if (!MGR_IS_SHUTTINGDOWN(mgr)) {
+		return (false);
+	}
+	if (!ISC_LIST_EMPTY(mgr->list)) {
+		return (false);
+	}
+	if (isc_refcount_current(&mgr->irefs) != 0) {
+		return (false);
+	}
+
+	return (true);
+}
+
+/*
+ * Mgr must be unlocked when calling this function.
+ */
+static void
+destroy_mgr(dns_dispatchmgr_t **mgrp) {
+	dns_dispatchmgr_t *mgr;
+
+	mgr = *mgrp;
+	*mgrp = NULL;
+
+	mgr->magic = 0;
+	isc_mutex_destroy(&mgr->lock);
+	mgr->state = 0;
+
+	if (mgr->qid != NULL) {
+		qid_destroy(mgr->mctx, &mgr->qid);
+	}
+
+	isc_mutex_destroy(&mgr->buffer_lock);
+
+	if (mgr->blackhole != NULL) {
+		dns_acl_detach(&mgr->blackhole);
+	}
+
+	if (mgr->stats != NULL) {
+		isc_stats_detach(&mgr->stats);
+	}
+
+	if (mgr->v4ports != NULL) {
+		isc_mem_put(mgr->mctx, mgr->v4ports,
+			    mgr->nv4ports * sizeof(in_port_t));
+	}
+	if (mgr->v6ports != NULL) {
+		isc_mem_put(mgr->mctx, mgr->v6ports,
+			    mgr->nv6ports * sizeof(in_port_t));
+	}
+	isc_mem_putanddetach(&mgr->mctx, mgr, sizeof(dns_dispatchmgr_t));
+}
+
+static isc_result_t
+open_socket(isc_socketmgr_t *mgr, const isc_sockaddr_t *local,
+	    unsigned int options, isc_socket_t **sockp,
+	    isc_socket_t *dup_socket, bool duponly) {
+	isc_socket_t *sock;
+	isc_result_t result;
+
+	sock = *sockp;
+	if (sock != NULL) {
+		result = isc_socket_open(sock);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	} else if (dup_socket != NULL &&
+		   (!isc_socket_hasreuseport() || duponly))
+	{
+		result = isc_socket_dup(dup_socket, &sock);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+
+		isc_socket_setname(sock, "dispatcher", NULL);
+		*sockp = sock;
+		return (ISC_R_SUCCESS);
+	} else {
+		result = isc_socket_create(mgr, isc_sockaddr_pf(local),
+					   isc_sockettype_udp, &sock);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+
+	isc_socket_setname(sock, "dispatcher", NULL);
+
+#ifndef ISC_ALLOW_MAPPED
+	isc_socket_ipv6only(sock, true);
+#endif /* ifndef ISC_ALLOW_MAPPED */
+	result = isc_socket_bind(sock, local, options);
+	if (result != ISC_R_SUCCESS) {
+		if (*sockp == NULL) {
+			isc_socket_detach(&sock);
+		} else {
+			isc_socket_close(sock);
+		}
+		return (result);
+	}
+
+	*sockp = sock;
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Create a temporary port list to set the initial default set of dispatch
+ * ports: [1024, 65535].  This is almost meaningless as the application will
+ * normally set the ports explicitly, but is provided to fill some minor corner
+ * cases.
+ */
+static isc_result_t
+create_default_portset(isc_mem_t *mctx, isc_portset_t **portsetp) {
+	isc_result_t result;
+
+	result = isc_portset_create(mctx, portsetp);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	isc_portset_addrange(*portsetp, 1024, 65535);
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Publics.
+ */
+
+isc_result_t
+dns_dispatchmgr_create(isc_mem_t *mctx, dns_dispatchmgr_t **mgrp) {
+	dns_dispatchmgr_t *mgr;
+	isc_result_t result;
+	isc_portset_t *v4portset = NULL;
+	isc_portset_t *v6portset = NULL;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(mgrp != NULL && *mgrp == NULL);
+
+	mgr = isc_mem_get(mctx, sizeof(dns_dispatchmgr_t));
+	*mgr = (dns_dispatchmgr_t){ 0 };
+
+	isc_mem_attach(mctx, &mgr->mctx);
+
+	isc_mutex_init(&mgr->lock);
+	isc_mutex_init(&mgr->buffer_lock);
+
+	isc_refcount_init(&mgr->irefs, 0);
+
+	ISC_LIST_INIT(mgr->list);
+
+	mgr->magic = DNS_DISPATCHMGR_MAGIC;
+
+	result = create_default_portset(mctx, &v4portset);
+	if (result == ISC_R_SUCCESS) {
+		result = create_default_portset(mctx, &v6portset);
+		if (result == ISC_R_SUCCESS) {
+			result = dns_dispatchmgr_setavailports(mgr, v4portset,
+							       v6portset);
+		}
+	}
+	if (v4portset != NULL) {
+		isc_portset_destroy(mctx, &v4portset);
+	}
+	if (v6portset != NULL) {
+		isc_portset_destroy(mctx, &v6portset);
+	}
+	if (result != ISC_R_SUCCESS) {
+		goto kill_dpool;
+	}
+
+	*mgrp = mgr;
+	return (ISC_R_SUCCESS);
+
+kill_dpool:
+	isc_mutex_destroy(&mgr->buffer_lock);
+	isc_mutex_destroy(&mgr->lock);
+	isc_mem_putanddetach(&mctx, mgr, sizeof(dns_dispatchmgr_t));
+
+	return (result);
+}
+
+void
+dns_dispatchmgr_setblackhole(dns_dispatchmgr_t *mgr, dns_acl_t *blackhole) {
+	REQUIRE(VALID_DISPATCHMGR(mgr));
+	if (mgr->blackhole != NULL) {
+		dns_acl_detach(&mgr->blackhole);
+	}
+	dns_acl_attach(blackhole, &mgr->blackhole);
+}
+
+dns_acl_t *
+dns_dispatchmgr_getblackhole(dns_dispatchmgr_t *mgr) {
+	REQUIRE(VALID_DISPATCHMGR(mgr));
+	return (mgr->blackhole);
+}
+
+void
+dns_dispatchmgr_setblackportlist(dns_dispatchmgr_t *mgr,
+				 dns_portlist_t *portlist) {
+	REQUIRE(VALID_DISPATCHMGR(mgr));
+	UNUSED(portlist);
+
+	/* This function is deprecated: use dns_dispatchmgr_setavailports(). */
+	return;
+}
+
+dns_portlist_t *
+dns_dispatchmgr_getblackportlist(dns_dispatchmgr_t *mgr) {
+	REQUIRE(VALID_DISPATCHMGR(mgr));
+	return (NULL); /* this function is deprecated */
+}
+
+isc_result_t
+dns_dispatchmgr_setavailports(dns_dispatchmgr_t *mgr, isc_portset_t *v4portset,
+			      isc_portset_t *v6portset) {
+	in_port_t *v4ports, *v6ports, p;
+	unsigned int nv4ports, nv6ports, i4, i6;
+
+	REQUIRE(VALID_DISPATCHMGR(mgr));
+
+	nv4ports = isc_portset_nports(v4portset);
+	nv6ports = isc_portset_nports(v6portset);
+
+	v4ports = NULL;
+	if (nv4ports != 0) {
+		v4ports = isc_mem_get(mgr->mctx, sizeof(in_port_t) * nv4ports);
+	}
+	v6ports = NULL;
+	if (nv6ports != 0) {
+		v6ports = isc_mem_get(mgr->mctx, sizeof(in_port_t) * nv6ports);
+	}
+
+	p = 0;
+	i4 = 0;
+	i6 = 0;
+	do {
+		if (isc_portset_isset(v4portset, p)) {
+			INSIST(i4 < nv4ports);
+			v4ports[i4++] = p;
+		}
+		if (isc_portset_isset(v6portset, p)) {
+			INSIST(i6 < nv6ports);
+			v6ports[i6++] = p;
+		}
+	} while (p++ < 65535);
+	INSIST(i4 == nv4ports && i6 == nv6ports);
+
+	PORTBUFLOCK(mgr);
+	if (mgr->v4ports != NULL) {
+		isc_mem_put(mgr->mctx, mgr->v4ports,
+			    mgr->nv4ports * sizeof(in_port_t));
+	}
+	mgr->v4ports = v4ports;
+	mgr->nv4ports = nv4ports;
+
+	if (mgr->v6ports != NULL) {
+		isc_mem_put(mgr->mctx, mgr->v6ports,
+			    mgr->nv6ports * sizeof(in_port_t));
+	}
+	mgr->v6ports = v6ports;
+	mgr->nv6ports = nv6ports;
+	PORTBUFUNLOCK(mgr);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dns_dispatchmgr_setudp(dns_dispatchmgr_t *mgr, unsigned int buffersize,
+		       unsigned int maxbuffers, unsigned int maxrequests,
+		       unsigned int buckets, unsigned int increment) {
+	isc_result_t result;
+
+	REQUIRE(VALID_DISPATCHMGR(mgr));
+	REQUIRE(buffersize >= 512 && buffersize < (64 * 1024));
+	REQUIRE(maxbuffers > 0);
+	REQUIRE(buckets < 2097169); /* next prime > 65536 * 32 */
+	REQUIRE(increment > buckets);
+	UNUSED(maxrequests);
+
+	/*
+	 * Keep some number of items around.  This should be a config
+	 * option.  For now, keep 8, but later keep at least two even
+	 * if the caller wants less.  This allows us to ensure certain
+	 * things, like an event can be "freed" and the next allocation
+	 * will always succeed.
+	 *
+	 * Note that if limits are placed on anything here, we use one
+	 * event internally, so the actual limit should be "wanted + 1."
+	 *
+	 * XXXMLG
+	 */
+
+	if (maxbuffers < 8) {
+		maxbuffers = 8;
+	}
+
+	LOCK(&mgr->buffer_lock);
+
+	if (maxbuffers > mgr->maxbuffers) {
+		mgr->maxbuffers = maxbuffers;
+	}
+
+	/* Create or adjust socket pool */
+	if (mgr->qid != NULL) {
+		UNLOCK(&mgr->buffer_lock);
+		return (ISC_R_SUCCESS);
+	}
+
+	result = qid_allocate(mgr, buckets, increment, &mgr->qid, true);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	mgr->buffersize = buffersize;
+	mgr->maxbuffers = maxbuffers;
+	UNLOCK(&mgr->buffer_lock);
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	UNLOCK(&mgr->buffer_lock);
+	return (result);
+}
+
+void
+dns_dispatchmgr_destroy(dns_dispatchmgr_t **mgrp) {
+	dns_dispatchmgr_t *mgr;
+	bool killit;
+
+	REQUIRE(mgrp != NULL);
+	REQUIRE(VALID_DISPATCHMGR(*mgrp));
+
+	mgr = *mgrp;
+	*mgrp = NULL;
+
+	LOCK(&mgr->lock);
+	mgr->state |= MGR_SHUTTINGDOWN;
+	killit = destroy_mgr_ok(mgr);
+	UNLOCK(&mgr->lock);
+
+	mgr_log(mgr, LVL(90), "destroy: killit=%d", killit);
+
+	if (killit) {
+		destroy_mgr(&mgr);
+	}
+}
+
+void
+dns_dispatchmgr_setstats(dns_dispatchmgr_t *mgr, isc_stats_t *stats) {
+	REQUIRE(VALID_DISPATCHMGR(mgr));
+	REQUIRE(ISC_LIST_EMPTY(mgr->list));
+	REQUIRE(mgr->stats == NULL);
+
+	isc_stats_attach(stats, &mgr->stats);
+}
+
+static int
+port_cmp(const void *key, const void *ent) {
+	in_port_t p1 = *(const in_port_t *)key;
+	in_port_t p2 = *(const in_port_t *)ent;
+
+	if (p1 < p2) {
+		return (-1);
+	} else if (p1 == p2) {
+		return (0);
+	} else {
+		return (1);
+	}
+}
+
+static bool
+portavailable(dns_dispatchmgr_t *mgr, isc_socket_t *sock,
+	      isc_sockaddr_t *sockaddrp) {
+	isc_sockaddr_t sockaddr;
+	isc_result_t result;
+	in_port_t *ports, port;
+	unsigned int nports;
+	bool available = false;
+
+	REQUIRE(sock != NULL || sockaddrp != NULL);
+
+	PORTBUFLOCK(mgr);
+	if (sock != NULL) {
+		sockaddrp = &sockaddr;
+		result = isc_socket_getsockname(sock, sockaddrp);
+		if (result != ISC_R_SUCCESS) {
+			goto unlock;
+		}
+	}
+
+	if (isc_sockaddr_pf(sockaddrp) == AF_INET) {
+		ports = mgr->v4ports;
+		nports = mgr->nv4ports;
+	} else {
+		ports = mgr->v6ports;
+		nports = mgr->nv6ports;
+	}
+	if (ports == NULL) {
+		goto unlock;
+	}
+
+	port = isc_sockaddr_getport(sockaddrp);
+	if (bsearch(&port, ports, nports, sizeof(in_port_t), port_cmp) != NULL)
+	{
+		available = true;
+	}
+
+unlock:
+	PORTBUFUNLOCK(mgr);
+	return (available);
+}
+
+#define ATTRMATCH(_a1, _a2, _mask) (((_a1) & (_mask)) == ((_a2) & (_mask)))
+
+static bool
+local_addr_match(dns_dispatch_t *disp, const isc_sockaddr_t *addr) {
+	isc_sockaddr_t sockaddr;
+	isc_result_t result;
+
+	REQUIRE(disp->socket != NULL);
+
+	if (addr == NULL) {
+		return (true);
+	}
+
+	/*
+	 * Don't match wildcard ports unless the port is available in the
+	 * current configuration.
+	 */
+	if (isc_sockaddr_getport(addr) == 0 &&
+	    isc_sockaddr_getport(&disp->local) == 0 &&
+	    !portavailable(disp->mgr, disp->socket, NULL))
+	{
+		return (false);
+	}
+
+	/*
+	 * Check if we match the binding <address,port>.
+	 * Wildcard ports match/fail here.
+	 */
+	if (isc_sockaddr_equal(&disp->local, addr)) {
+		return (true);
+	}
+	if (isc_sockaddr_getport(addr) == 0) {
+		return (false);
+	}
+
+	/*
+	 * Check if we match a bound wildcard port <address,port>.
+	 */
+	if (!isc_sockaddr_eqaddr(&disp->local, addr)) {
+		return (false);
+	}
+	result = isc_socket_getsockname(disp->socket, &sockaddr);
+	if (result != ISC_R_SUCCESS) {
+		return (false);
+	}
+
+	return (isc_sockaddr_equal(&sockaddr, addr));
+}
+
+/*
+ * Requires mgr be locked.
+ *
+ * No dispatcher can be locked by this thread when calling this function.
+ *
+ *
+ * NOTE:
+ *	If a matching dispatcher is found, it is locked after this function
+ *	returns, and must be unlocked by the caller.
+ */
+static isc_result_t
+dispatch_find(dns_dispatchmgr_t *mgr, const isc_sockaddr_t *local,
+	      unsigned int attributes, unsigned int mask,
+	      dns_dispatch_t **dispp) {
+	dns_dispatch_t *disp;
+	isc_result_t result;
+
+	/*
+	 * Make certain that we will not match a private or exclusive dispatch.
+	 */
+	attributes &= ~(DNS_DISPATCHATTR_PRIVATE | DNS_DISPATCHATTR_EXCLUSIVE);
+	mask |= (DNS_DISPATCHATTR_PRIVATE | DNS_DISPATCHATTR_EXCLUSIVE);
+
+	disp = ISC_LIST_HEAD(mgr->list);
+	while (disp != NULL) {
+		LOCK(&disp->lock);
+		if ((disp->shutting_down == 0) &&
+		    ATTRMATCH(disp->attributes, attributes, mask) &&
+		    local_addr_match(disp, local))
+		{
+			break;
+		}
+		UNLOCK(&disp->lock);
+		disp = ISC_LIST_NEXT(disp, link);
+	}
+
+	if (disp == NULL) {
+		result = ISC_R_NOTFOUND;
+		goto out;
+	}
+
+	*dispp = disp;
+	result = ISC_R_SUCCESS;
+out:
+
+	return (result);
+}
+
+static isc_result_t
+qid_allocate(dns_dispatchmgr_t *mgr, unsigned int buckets,
+	     unsigned int increment, dns_qid_t **qidp, bool needsocktable) {
+	dns_qid_t *qid;
+	unsigned int i;
+
+	REQUIRE(VALID_DISPATCHMGR(mgr));
+	REQUIRE(buckets < 2097169); /* next prime > 65536 * 32 */
+	REQUIRE(increment > buckets);
+	REQUIRE(qidp != NULL && *qidp == NULL);
+
+	qid = isc_mem_get(mgr->mctx, sizeof(*qid));
+
+	qid->qid_table = isc_mem_get(mgr->mctx,
+				     buckets * sizeof(dns_displist_t));
+
+	qid->sock_table = NULL;
+	if (needsocktable) {
+		qid->sock_table = isc_mem_get(
+			mgr->mctx, buckets * sizeof(dispsocketlist_t));
+	}
+
+	isc_mutex_init(&qid->lock);
+
+	for (i = 0; i < buckets; i++) {
+		ISC_LIST_INIT(qid->qid_table[i]);
+		if (qid->sock_table != NULL) {
+			ISC_LIST_INIT(qid->sock_table[i]);
+		}
+	}
+
+	qid->qid_nbuckets = buckets;
+	qid->qid_increment = increment;
+	qid->magic = QID_MAGIC;
+	*qidp = qid;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+qid_destroy(isc_mem_t *mctx, dns_qid_t **qidp) {
+	dns_qid_t *qid;
+
+	REQUIRE(qidp != NULL);
+	qid = *qidp;
+	*qidp = NULL;
+
+	REQUIRE(VALID_QID(qid));
+
+	qid->magic = 0;
+	isc_mem_put(mctx, qid->qid_table,
+		    qid->qid_nbuckets * sizeof(dns_displist_t));
+	if (qid->sock_table != NULL) {
+		isc_mem_put(mctx, qid->sock_table,
+			    qid->qid_nbuckets * sizeof(dispsocketlist_t));
+	}
+	isc_mutex_destroy(&qid->lock);
+	isc_mem_put(mctx, qid, sizeof(*qid));
+}
+
+/*
+ * Allocate and set important limits.
+ */
+static isc_result_t
+dispatch_allocate(dns_dispatchmgr_t *mgr, unsigned int maxrequests,
+		  dns_dispatch_t **dispp) {
+	dns_dispatch_t *disp;
+	isc_result_t result;
+
+	REQUIRE(VALID_DISPATCHMGR(mgr));
+	REQUIRE(dispp != NULL && *dispp == NULL);
+
+	/*
+	 * Set up the dispatcher, mostly.  Don't bother setting some of
+	 * the options that are controlled by tcp vs. udp, etc.
+	 */
+
+	disp = isc_mem_get(mgr->mctx, sizeof(*disp));
+	isc_refcount_increment0(&mgr->irefs);
+
+	disp->magic = 0;
+	disp->mgr = mgr;
+	disp->maxrequests = maxrequests;
+	disp->attributes = 0;
+	ISC_LINK_INIT(disp, link);
+	disp->refcount = 1;
+	disp->recv_pending = 0;
+	memset(&disp->local, 0, sizeof(disp->local));
+	memset(&disp->peer, 0, sizeof(disp->peer));
+	disp->localport = 0;
+	disp->shutting_down = 0;
+	disp->shutdown_out = 0;
+	disp->connected = 0;
+	disp->tcpmsg_valid = 0;
+	disp->shutdown_why = ISC_R_UNEXPECTED;
+	disp->requests = 0;
+	disp->tcpbuffers = 0;
+	disp->qid = NULL;
+	ISC_LIST_INIT(disp->activesockets);
+	ISC_LIST_INIT(disp->inactivesockets);
+	disp->nsockets = 0;
+	disp->port_table = NULL;
+	disp->dscp = -1;
+
+	isc_mutex_init(&disp->lock);
+
+	disp->failsafe_ev = allocate_devent(disp);
+	if (disp->failsafe_ev == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto kill_lock;
+	}
+
+	disp->magic = DISPATCH_MAGIC;
+
+	*dispp = disp;
+	return (ISC_R_SUCCESS);
+
+	/*
+	 * error returns
+	 */
+kill_lock:
+	isc_mutex_destroy(&disp->lock);
+	isc_refcount_decrement(&mgr->irefs);
+	isc_mem_put(mgr->mctx, disp, sizeof(*disp));
+
+	return (result);
+}
+
+/*
+ * MUST be unlocked, and not used by anything.
+ */
+static void
+dispatch_free(dns_dispatch_t **dispp) {
+	dns_dispatch_t *disp;
+	dns_dispatchmgr_t *mgr;
+
+	REQUIRE(VALID_DISPATCH(*dispp));
+	disp = *dispp;
+	*dispp = NULL;
+
+	mgr = disp->mgr;
+	REQUIRE(VALID_DISPATCHMGR(mgr));
+
+	if (disp->tcpmsg_valid) {
+		dns_tcpmsg_invalidate(&disp->tcpmsg);
+		disp->tcpmsg_valid = 0;
+	}
+
+	INSIST(disp->tcpbuffers == 0);
+	INSIST(disp->requests == 0);
+	INSIST(disp->recv_pending == 0);
+	INSIST(ISC_LIST_EMPTY(disp->activesockets));
+	INSIST(ISC_LIST_EMPTY(disp->inactivesockets));
+
+	isc_refcount_decrement(&mgr->irefs);
+	isc_mem_put(mgr->mctx, disp->failsafe_ev, sizeof(*disp->failsafe_ev));
+	disp->failsafe_ev = NULL;
+
+	if (disp->qid != NULL) {
+		qid_destroy(mgr->mctx, &disp->qid);
+	}
+
+	if (disp->port_table != NULL) {
+		for (int i = 0; i < DNS_DISPATCH_PORTTABLESIZE; i++) {
+			INSIST(ISC_LIST_EMPTY(disp->port_table[i]));
+		}
+		isc_mem_put(mgr->mctx, disp->port_table,
+			    sizeof(disp->port_table[0]) *
+				    DNS_DISPATCH_PORTTABLESIZE);
+	}
+
+	disp->mgr = NULL;
+	isc_mutex_destroy(&disp->lock);
+	disp->magic = 0;
+	isc_refcount_decrement(&mgr->irefs);
+	isc_mem_put(mgr->mctx, disp, sizeof(*disp));
+}
+
+isc_result_t
+dns_dispatch_createtcp(dns_dispatchmgr_t *mgr, isc_socket_t *sock,
+		       isc_taskmgr_t *taskmgr, const isc_sockaddr_t *localaddr,
+		       const isc_sockaddr_t *destaddr, unsigned int buffersize,
+		       unsigned int maxbuffers, unsigned int maxrequests,
+		       unsigned int buckets, unsigned int increment,
+		       unsigned int attributes, dns_dispatch_t **dispp) {
+	isc_result_t result;
+	dns_dispatch_t *disp;
+
+	UNUSED(maxbuffers);
+	UNUSED(buffersize);
+
+	REQUIRE(VALID_DISPATCHMGR(mgr));
+	REQUIRE(isc_socket_gettype(sock) == isc_sockettype_tcp);
+	REQUIRE((attributes & DNS_DISPATCHATTR_TCP) != 0);
+	REQUIRE((attributes & DNS_DISPATCHATTR_UDP) == 0);
+
+	if (destaddr == NULL) {
+		attributes |= DNS_DISPATCHATTR_PRIVATE; /* XXXMLG */
+	}
+
+	LOCK(&mgr->lock);
+
+	/*
+	 * dispatch_allocate() checks mgr for us.
+	 * qid_allocate() checks buckets and increment for us.
+	 */
+	disp = NULL;
+	result = dispatch_allocate(mgr, maxrequests, &disp);
+	if (result != ISC_R_SUCCESS) {
+		UNLOCK(&mgr->lock);
+		return (result);
+	}
+
+	result = qid_allocate(mgr, buckets, increment, &disp->qid, false);
+	if (result != ISC_R_SUCCESS) {
+		goto deallocate_dispatch;
+	}
+
+	disp->socktype = isc_sockettype_tcp;
+	disp->socket = NULL;
+	isc_socket_attach(sock, &disp->socket);
+
+	disp->sepool = NULL;
+
+	disp->ntasks = 1;
+	disp->task[0] = NULL;
+	result = isc_task_create(taskmgr, 50, &disp->task[0]);
+	if (result != ISC_R_SUCCESS) {
+		goto kill_socket;
+	}
+
+	disp->ctlevent =
+		isc_event_allocate(mgr->mctx, disp, DNS_EVENT_DISPATCHCONTROL,
+				   destroy_disp, disp, sizeof(isc_event_t));
+
+	isc_task_setname(disp->task[0], "tcpdispatch", disp);
+
+	dns_tcpmsg_init(mgr->mctx, disp->socket, &disp->tcpmsg);
+	disp->tcpmsg_valid = 1;
+
+	disp->attributes = attributes;
+
+	if (localaddr == NULL) {
+		if (destaddr != NULL) {
+			switch (isc_sockaddr_pf(destaddr)) {
+			case AF_INET:
+				isc_sockaddr_any(&disp->local);
+				break;
+			case AF_INET6:
+				isc_sockaddr_any6(&disp->local);
+				break;
+			}
+		}
+	} else {
+		disp->local = *localaddr;
+	}
+
+	if (destaddr != NULL) {
+		disp->peer = *destaddr;
+	}
+
+	/*
+	 * Append it to the dispatcher list.
+	 */
+	ISC_LIST_APPEND(mgr->list, disp, link);
+	UNLOCK(&mgr->lock);
+
+	mgr_log(mgr, LVL(90), "created TCP dispatcher %p", disp);
+	dispatch_log(disp, LVL(90), "created task %p", disp->task[0]);
+	*dispp = disp;
+
+	return (ISC_R_SUCCESS);
+
+kill_socket:
+	isc_socket_detach(&disp->socket);
+deallocate_dispatch:
+	dispatch_free(&disp);
+
+	UNLOCK(&mgr->lock);
+
+	return (result);
+}
+
+isc_result_t
+dns_dispatch_gettcp(dns_dispatchmgr_t *mgr, const isc_sockaddr_t *destaddr,
+		    const isc_sockaddr_t *localaddr, bool *connected,
+		    dns_dispatch_t **dispp) {
+	dns_dispatch_t *disp;
+	isc_result_t result;
+	isc_sockaddr_t peeraddr;
+	isc_sockaddr_t sockname;
+	unsigned int attributes, mask;
+	bool match = false;
+
+	REQUIRE(VALID_DISPATCHMGR(mgr));
+	REQUIRE(destaddr != NULL);
+	REQUIRE(dispp != NULL && *dispp == NULL);
+
+	/* First pass  */
+	attributes = DNS_DISPATCHATTR_TCP | DNS_DISPATCHATTR_CONNECTED;
+	mask = DNS_DISPATCHATTR_TCP | DNS_DISPATCHATTR_PRIVATE |
+	       DNS_DISPATCHATTR_EXCLUSIVE | DNS_DISPATCHATTR_CONNECTED;
+
+	LOCK(&mgr->lock);
+	disp = ISC_LIST_HEAD(mgr->list);
+	while (disp != NULL && !match) {
+		LOCK(&disp->lock);
+		if ((disp->shutting_down == 0) &&
+		    ATTRMATCH(disp->attributes, attributes, mask) &&
+		    (localaddr == NULL ||
+		     isc_sockaddr_eqaddr(localaddr, &disp->local)))
+		{
+			result = isc_socket_getsockname(disp->socket,
+							&sockname);
+			if (result == ISC_R_SUCCESS) {
+				result = isc_socket_getpeername(disp->socket,
+								&peeraddr);
+			}
+			if (result == ISC_R_SUCCESS &&
+			    isc_sockaddr_equal(destaddr, &peeraddr) &&
+			    (localaddr == NULL ||
+			     isc_sockaddr_eqaddr(localaddr, &sockname)))
+			{
+				/* attach */
+				disp->refcount++;
+				*dispp = disp;
+				match = true;
+				if (connected != NULL) {
+					*connected = true;
+				}
+			}
+		}
+		UNLOCK(&disp->lock);
+		disp = ISC_LIST_NEXT(disp, link);
+	}
+	if (match || connected == NULL) {
+		UNLOCK(&mgr->lock);
+		return (match ? ISC_R_SUCCESS : ISC_R_NOTFOUND);
+	}
+
+	/* Second pass, only if connected != NULL */
+	attributes = DNS_DISPATCHATTR_TCP;
+
+	disp = ISC_LIST_HEAD(mgr->list);
+	while (disp != NULL && !match) {
+		LOCK(&disp->lock);
+		if ((disp->shutting_down == 0) &&
+		    ATTRMATCH(disp->attributes, attributes, mask) &&
+		    (localaddr == NULL ||
+		     isc_sockaddr_eqaddr(localaddr, &disp->local)) &&
+		    isc_sockaddr_equal(destaddr, &disp->peer))
+		{
+			/* attach */
+			disp->refcount++;
+			*dispp = disp;
+			match = true;
+		}
+		UNLOCK(&disp->lock);
+		disp = ISC_LIST_NEXT(disp, link);
+	}
+	UNLOCK(&mgr->lock);
+	return (match ? ISC_R_SUCCESS : ISC_R_NOTFOUND);
+}
+
+isc_result_t
+dns_dispatch_getudp_dup(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
+			isc_taskmgr_t *taskmgr, const isc_sockaddr_t *localaddr,
+			unsigned int buffersize, unsigned int maxbuffers,
+			unsigned int maxrequests, unsigned int buckets,
+			unsigned int increment, unsigned int attributes,
+			unsigned int mask, dns_dispatch_t **dispp,
+			dns_dispatch_t *dup_dispatch) {
+	isc_result_t result;
+	dns_dispatch_t *disp = NULL;
+
+	REQUIRE(VALID_DISPATCHMGR(mgr));
+	REQUIRE(sockmgr != NULL);
+	REQUIRE(localaddr != NULL);
+	REQUIRE(taskmgr != NULL);
+	REQUIRE(buffersize >= 512 && buffersize < (64 * 1024));
+	REQUIRE(maxbuffers > 0);
+	REQUIRE(buckets < 2097169); /* next prime > 65536 * 32 */
+	REQUIRE(increment > buckets);
+	REQUIRE(dispp != NULL && *dispp == NULL);
+	REQUIRE((attributes & DNS_DISPATCHATTR_TCP) == 0);
+
+	result = dns_dispatchmgr_setudp(mgr, buffersize, maxbuffers,
+					maxrequests, buckets, increment);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	LOCK(&mgr->lock);
+
+	if ((attributes & DNS_DISPATCHATTR_EXCLUSIVE) != 0) {
+		REQUIRE(isc_sockaddr_getport(localaddr) == 0);
+		goto createudp;
+	}
+
+	/*
+	 * See if we have a dispatcher that matches.
+	 */
+	if (dup_dispatch == NULL) {
+		result = dispatch_find(mgr, localaddr, attributes, mask, &disp);
+		if (result == ISC_R_SUCCESS) {
+			disp->refcount++;
+
+			if (disp->maxrequests < maxrequests) {
+				disp->maxrequests = maxrequests;
+			}
+
+			if ((disp->attributes & DNS_DISPATCHATTR_NOLISTEN) ==
+				    0 &&
+			    (attributes & DNS_DISPATCHATTR_NOLISTEN) != 0)
+			{
+				disp->attributes |= DNS_DISPATCHATTR_NOLISTEN;
+				if (disp->recv_pending != 0) {
+					isc_socket_cancel(disp->socket,
+							  disp->task[0],
+							  ISC_SOCKCANCEL_RECV);
+				}
+			}
+
+			UNLOCK(&disp->lock);
+			UNLOCK(&mgr->lock);
+
+			*dispp = disp;
+
+			return (ISC_R_SUCCESS);
+		}
+	}
+
+createudp:
+	/*
+	 * Nope, create one.
+	 */
+	result = dispatch_createudp(
+		mgr, sockmgr, taskmgr, localaddr, maxrequests, attributes,
+		&disp, dup_dispatch == NULL ? NULL : dup_dispatch->socket);
+
+	if (result != ISC_R_SUCCESS) {
+		UNLOCK(&mgr->lock);
+		return (result);
+	}
+
+	UNLOCK(&mgr->lock);
+	*dispp = disp;
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_dispatch_getudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
+		    isc_taskmgr_t *taskmgr, const isc_sockaddr_t *localaddr,
+		    unsigned int buffersize, unsigned int maxbuffers,
+		    unsigned int maxrequests, unsigned int buckets,
+		    unsigned int increment, unsigned int attributes,
+		    unsigned int mask, dns_dispatch_t **dispp) {
+	return (dns_dispatch_getudp_dup(mgr, sockmgr, taskmgr, localaddr,
+					buffersize, maxbuffers, maxrequests,
+					buckets, increment, attributes, mask,
+					dispp, NULL));
+}
+
+/*
+ * mgr should be locked.
+ */
+
+#ifndef DNS_DISPATCH_HELD
+#define DNS_DISPATCH_HELD 20U
+#endif /* ifndef DNS_DISPATCH_HELD */
+
+static isc_result_t
+get_udpsocket(dns_dispatchmgr_t *mgr, dns_dispatch_t *disp,
+	      isc_socketmgr_t *sockmgr, const isc_sockaddr_t *localaddr,
+	      isc_socket_t **sockp, isc_socket_t *dup_socket, bool duponly) {
+	unsigned int i, j;
+	isc_socket_t *held[DNS_DISPATCH_HELD];
+	isc_sockaddr_t localaddr_bound;
+	isc_socket_t *sock = NULL;
+	isc_result_t result = ISC_R_SUCCESS;
+	bool anyport;
+
+	INSIST(sockp != NULL && *sockp == NULL);
+
+	localaddr_bound = *localaddr;
+	anyport = (isc_sockaddr_getport(localaddr) == 0);
+
+	if (anyport) {
+		unsigned int nports;
+		in_port_t *ports;
+
+		/*
+		 * If no port is specified, we first try to pick up a random
+		 * port by ourselves.
+		 */
+		if (isc_sockaddr_pf(localaddr) == AF_INET) {
+			nports = disp->mgr->nv4ports;
+			ports = disp->mgr->v4ports;
+		} else {
+			nports = disp->mgr->nv6ports;
+			ports = disp->mgr->v6ports;
+		}
+		if (nports == 0) {
+			return (ISC_R_ADDRNOTAVAIL);
+		}
+
+		for (i = 0; i < 1024; i++) {
+			in_port_t prt;
+
+			prt = ports[isc_random_uniform(nports)];
+			isc_sockaddr_setport(&localaddr_bound, prt);
+			result = open_socket(sockmgr, &localaddr_bound, 0,
+					     &sock, NULL, false);
+			/*
+			 * Continue if the port chosen is already in use
+			 * or the OS has reserved it.
+			 */
+			if (result == ISC_R_NOPERM || result == ISC_R_ADDRINUSE)
+			{
+				continue;
+			}
+			disp->localport = prt;
+			*sockp = sock;
+			return (result);
+		}
+
+		/*
+		 * If this fails 1024 times, we then ask the kernel for
+		 * choosing one.
+		 */
+	} else {
+		/* Allow to reuse address for non-random ports. */
+		result = open_socket(sockmgr, localaddr,
+				     ISC_SOCKET_REUSEADDRESS, &sock, dup_socket,
+				     duponly);
+
+		if (result == ISC_R_SUCCESS) {
+			*sockp = sock;
+		}
+
+		return (result);
+	}
+
+	memset(held, 0, sizeof(held));
+	i = 0;
+
+	for (j = 0; j < 0xffffU; j++) {
+		result = open_socket(sockmgr, localaddr, 0, &sock, NULL, false);
+		if (result != ISC_R_SUCCESS) {
+			goto end;
+		} else if (portavailable(mgr, sock, NULL)) {
+			break;
+		}
+		if (held[i] != NULL) {
+			isc_socket_detach(&held[i]);
+		}
+		held[i++] = sock;
+		sock = NULL;
+		if (i == DNS_DISPATCH_HELD) {
+			i = 0;
+		}
+	}
+	if (j == 0xffffU) {
+		mgr_log(mgr, ISC_LOG_ERROR,
+			"avoid-v%s-udp-ports: unable to allocate "
+			"an available port",
+			isc_sockaddr_pf(localaddr) == AF_INET ? "4" : "6");
+		result = ISC_R_FAILURE;
+		goto end;
+	}
+	*sockp = sock;
+
+end:
+	for (i = 0; i < DNS_DISPATCH_HELD; i++) {
+		if (held[i] != NULL) {
+			isc_socket_detach(&held[i]);
+		}
+	}
+
+	return (result);
+}
+
+static isc_result_t
+dispatch_createudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
+		   isc_taskmgr_t *taskmgr, const isc_sockaddr_t *localaddr,
+		   unsigned int maxrequests, unsigned int attributes,
+		   dns_dispatch_t **dispp, isc_socket_t *dup_socket) {
+	isc_result_t result;
+	dns_dispatch_t *disp;
+	isc_socket_t *sock = NULL;
+	int i = 0;
+	bool duponly = ((attributes & DNS_DISPATCHATTR_CANREUSE) == 0);
+
+	/* This is an attribute needed only at creation time */
+	attributes &= ~DNS_DISPATCHATTR_CANREUSE;
+	/*
+	 * dispatch_allocate() checks mgr for us.
+	 */
+	disp = NULL;
+	result = dispatch_allocate(mgr, maxrequests, &disp);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	disp->socktype = isc_sockettype_udp;
+
+	if ((attributes & DNS_DISPATCHATTR_EXCLUSIVE) == 0) {
+		result = get_udpsocket(mgr, disp, sockmgr, localaddr, &sock,
+				       dup_socket, duponly);
+		if (result != ISC_R_SUCCESS) {
+			goto deallocate_dispatch;
+		}
+
+		if (isc_log_wouldlog(dns_lctx, 90)) {
+			char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+
+			isc_sockaddr_format(localaddr, addrbuf,
+					    ISC_SOCKADDR_FORMATSIZE);
+			mgr_log(mgr, LVL(90),
+				"dns_dispatch_createudp: Created"
+				" UDP dispatch for %s with socket fd %d",
+				addrbuf, isc_socket_getfd(sock));
+		}
+	} else {
+		isc_sockaddr_t sa_any;
+
+		/*
+		 * For dispatches using exclusive sockets with a specific
+		 * source address, we only check if the specified address is
+		 * available on the system.  Query sockets will be created later
+		 * on demand.
+		 */
+		isc_sockaddr_anyofpf(&sa_any, isc_sockaddr_pf(localaddr));
+		if (!isc_sockaddr_eqaddr(&sa_any, localaddr)) {
+			result = open_socket(sockmgr, localaddr, 0, &sock, NULL,
+					     false);
+			if (sock != NULL) {
+				isc_socket_detach(&sock);
+			}
+			if (result != ISC_R_SUCCESS) {
+				goto deallocate_dispatch;
+			}
+		}
+
+		disp->port_table = isc_mem_get(
+			mgr->mctx, sizeof(disp->port_table[0]) *
+					   DNS_DISPATCH_PORTTABLESIZE);
+		for (i = 0; i < DNS_DISPATCH_PORTTABLESIZE; i++) {
+			ISC_LIST_INIT(disp->port_table[i]);
+		}
+	}
+	disp->socket = sock;
+	disp->local = *localaddr;
+
+	if ((attributes & DNS_DISPATCHATTR_EXCLUSIVE) != 0) {
+		disp->ntasks = MAX_INTERNAL_TASKS;
+	} else {
+		disp->ntasks = 1;
+	}
+	for (i = 0; i < disp->ntasks; i++) {
+		disp->task[i] = NULL;
+		result = isc_task_create(taskmgr, 0, &disp->task[i]);
+		if (result != ISC_R_SUCCESS) {
+			while (--i >= 0) {
+				isc_task_shutdown(disp->task[i]);
+				isc_task_detach(&disp->task[i]);
+			}
+			goto kill_socket;
+		}
+		isc_task_setname(disp->task[i], "udpdispatch", disp);
+	}
+
+	disp->ctlevent =
+		isc_event_allocate(mgr->mctx, disp, DNS_EVENT_DISPATCHCONTROL,
+				   destroy_disp, disp, sizeof(isc_event_t));
+
+	disp->sepool = NULL;
+	isc_mem_create(&disp->sepool);
+	isc_mem_setname(disp->sepool, "disp_sepool", NULL);
+
+	attributes &= ~DNS_DISPATCHATTR_TCP;
+	attributes |= DNS_DISPATCHATTR_UDP;
+	disp->attributes = attributes;
+
+	/*
+	 * Append it to the dispatcher list.
+	 */
+	ISC_LIST_APPEND(mgr->list, disp, link);
+
+	mgr_log(mgr, LVL(90), "created UDP dispatcher %p", disp);
+	dispatch_log(disp, LVL(90), "created task %p", disp->task[0]); /* XXX */
+	if (disp->socket != NULL) {
+		dispatch_log(disp, LVL(90), "created socket %p", disp->socket);
+	}
+
+	*dispp = disp;
+
+	return (result);
+
+	/*
+	 * Error returns.
+	 */
+kill_socket:
+	if (disp->socket != NULL) {
+		isc_socket_detach(&disp->socket);
+	}
+deallocate_dispatch:
+	dispatch_free(&disp);
+
+	return (result);
+}
+
+void
+dns_dispatch_attach(dns_dispatch_t *disp, dns_dispatch_t **dispp) {
+	REQUIRE(VALID_DISPATCH(disp));
+	REQUIRE(dispp != NULL && *dispp == NULL);
+
+	LOCK(&disp->lock);
+	disp->refcount++;
+	UNLOCK(&disp->lock);
+
+	*dispp = disp;
+}
+
+/*
+ * It is important to lock the manager while we are deleting the dispatch,
+ * since dns_dispatch_getudp will call dispatch_find, which returns to
+ * the caller a dispatch but does not attach to it until later.  _getudp
+ * locks the manager, however, so locking it here will keep us from attaching
+ * to a dispatcher that is in the process of going away.
+ */
+void
+dns_dispatch_detach(dns_dispatch_t **dispp) {
+	dns_dispatch_t *disp;
+	dispsocket_t *dispsock;
+	bool killit;
+
+	REQUIRE(dispp != NULL && VALID_DISPATCH(*dispp));
+
+	disp = *dispp;
+	*dispp = NULL;
+
+	LOCK(&disp->lock);
+
+	INSIST(disp->refcount > 0);
+	disp->refcount--;
+	if (disp->refcount == 0) {
+		if (disp->recv_pending > 0) {
+			isc_socket_cancel(disp->socket, disp->task[0],
+					  ISC_SOCKCANCEL_RECV);
+		}
+		for (dispsock = ISC_LIST_HEAD(disp->activesockets);
+		     dispsock != NULL; dispsock = ISC_LIST_NEXT(dispsock, link))
+		{
+			isc_socket_cancel(dispsock->socket, dispsock->task,
+					  ISC_SOCKCANCEL_RECV);
+		}
+		disp->shutting_down = 1;
+	}
+
+	dispatch_log(disp, LVL(90), "detach: refcount %d", disp->refcount);
+
+	killit = destroy_disp_ok(disp);
+	UNLOCK(&disp->lock);
+	if (killit) {
+		isc_task_send(disp->task[0], &disp->ctlevent);
+	}
+}
+
+isc_result_t
+dns_dispatch_addresponse(dns_dispatch_t *disp, unsigned int options,
+			 const isc_sockaddr_t *dest, isc_task_t *task,
+			 isc_taskaction_t action, void *arg,
+			 dns_messageid_t *idp, dns_dispentry_t **resp,
+			 isc_socketmgr_t *sockmgr) {
+	dns_dispentry_t *res;
+	unsigned int bucket;
+	in_port_t localport = 0;
+	dns_messageid_t id;
+	int i;
+	bool ok;
+	dns_qid_t *qid;
+	dispsocket_t *dispsocket = NULL;
+	isc_result_t result;
+
+	REQUIRE(VALID_DISPATCH(disp));
+	REQUIRE(task != NULL);
+	REQUIRE(dest != NULL);
+	REQUIRE(resp != NULL && *resp == NULL);
+	REQUIRE(idp != NULL);
+	if ((disp->attributes & DNS_DISPATCHATTR_EXCLUSIVE) != 0) {
+		REQUIRE(sockmgr != NULL);
+	}
+
+	LOCK(&disp->lock);
+
+	if (disp->shutting_down == 1) {
+		UNLOCK(&disp->lock);
+		return (ISC_R_SHUTTINGDOWN);
+	}
+
+	if (disp->requests >= disp->maxrequests) {
+		UNLOCK(&disp->lock);
+		return (ISC_R_QUOTA);
+	}
+
+	if ((disp->attributes & DNS_DISPATCHATTR_EXCLUSIVE) != 0 &&
+	    disp->nsockets > DNS_DISPATCH_SOCKSQUOTA)
+	{
+		dispsocket_t *oldestsocket;
+		dns_dispentry_t *oldestresp;
+		dns_dispatchevent_t *rev;
+
+		/*
+		 * Kill oldest outstanding query if the number of sockets
+		 * exceeds the quota to keep the room for new queries.
+		 */
+		oldestsocket = ISC_LIST_HEAD(disp->activesockets);
+		oldestresp = oldestsocket->resp;
+		if (oldestresp != NULL && !oldestresp->item_out) {
+			rev = allocate_devent(oldestresp->disp);
+			if (rev != NULL) {
+				rev->buffer.base = NULL;
+				rev->result = ISC_R_CANCELED;
+				rev->id = oldestresp->id;
+				ISC_EVENT_INIT(rev, sizeof(*rev), 0, NULL,
+					       DNS_EVENT_DISPATCH,
+					       oldestresp->action,
+					       oldestresp->arg, oldestresp,
+					       NULL, NULL);
+				oldestresp->item_out = true;
+				isc_task_send(oldestresp->task,
+					      ISC_EVENT_PTR(&rev));
+				inc_stats(disp->mgr,
+					  dns_resstatscounter_dispabort);
+			}
+		}
+
+		/*
+		 * Move this entry to the tail so that it won't (easily) be
+		 * examined before actually being canceled.
+		 */
+		ISC_LIST_UNLINK(disp->activesockets, oldestsocket, link);
+		ISC_LIST_APPEND(disp->activesockets, oldestsocket, link);
+	}
+
+	qid = DNS_QID(disp);
+
+	if ((disp->attributes & DNS_DISPATCHATTR_EXCLUSIVE) != 0) {
+		/*
+		 * Get a separate UDP socket with a random port number.
+		 */
+		result = get_dispsocket(disp, dest, sockmgr, &dispsocket,
+					&localport);
+		if (result != ISC_R_SUCCESS) {
+			UNLOCK(&disp->lock);
+			inc_stats(disp->mgr, dns_resstatscounter_dispsockfail);
+			return (result);
+		}
+	} else {
+		localport = disp->localport;
+	}
+
+	/*
+	 * Try somewhat hard to find an unique ID unless FIXEDID is set
+	 * in which case we use the id passed in via *idp.
+	 */
+	LOCK(&qid->lock);
+	if ((options & DNS_DISPATCHOPT_FIXEDID) != 0) {
+		id = *idp;
+	} else {
+		id = (dns_messageid_t)isc_random16();
+	}
+	ok = false;
+	i = 0;
+	do {
+		bucket = dns_hash(qid, dest, id, localport);
+		if (entry_search(qid, dest, id, localport, bucket) == NULL) {
+			ok = true;
+			break;
+		}
+		if ((disp->attributes & DNS_DISPATCHATTR_FIXEDID) != 0) {
+			break;
+		}
+		id += qid->qid_increment;
+		id &= 0x0000ffff;
+	} while (i++ < 64);
+	UNLOCK(&qid->lock);
+
+	if (!ok) {
+		UNLOCK(&disp->lock);
+		return (ISC_R_NOMORE);
+	}
+
+	res = isc_mem_get(disp->mgr->mctx, sizeof(*res));
+	isc_refcount_increment0(&disp->mgr->irefs);
+
+	disp->refcount++;
+	disp->requests++;
+	res->task = NULL;
+	isc_task_attach(task, &res->task);
+	res->disp = disp;
+	res->id = id;
+	res->port = localport;
+	res->bucket = bucket;
+	res->host = *dest;
+	res->action = action;
+	res->arg = arg;
+	res->dispsocket = dispsocket;
+	if (dispsocket != NULL) {
+		dispsocket->resp = res;
+	}
+	res->item_out = false;
+	ISC_LIST_INIT(res->items);
+	ISC_LINK_INIT(res, link);
+	res->magic = RESPONSE_MAGIC;
+
+	LOCK(&qid->lock);
+	ISC_LIST_APPEND(qid->qid_table[bucket], res, link);
+	UNLOCK(&qid->lock);
+
+	inc_stats(disp->mgr, (qid == disp->mgr->qid)
+				     ? dns_resstatscounter_disprequdp
+				     : dns_resstatscounter_dispreqtcp);
+
+	request_log(disp, res, LVL(90), "attached to task %p", res->task);
+
+	if (((disp->attributes & DNS_DISPATCHATTR_UDP) != 0) ||
+	    ((disp->attributes & DNS_DISPATCHATTR_CONNECTED) != 0))
+	{
+		result = startrecv(disp, dispsocket);
+		if (result != ISC_R_SUCCESS) {
+			LOCK(&qid->lock);
+			ISC_LIST_UNLINK(qid->qid_table[bucket], res, link);
+			UNLOCK(&qid->lock);
+
+			if (dispsocket != NULL) {
+				destroy_dispsocket(disp, &dispsocket);
+			}
+
+			disp->refcount--;
+			disp->requests--;
+
+			dec_stats(disp->mgr,
+				  (qid == disp->mgr->qid)
+					  ? dns_resstatscounter_disprequdp
+					  : dns_resstatscounter_dispreqtcp);
+
+			UNLOCK(&disp->lock);
+			isc_task_detach(&res->task);
+			isc_refcount_decrement(&disp->mgr->irefs);
+			isc_mem_put(disp->mgr->mctx, res, sizeof(*res));
+			return (result);
+		}
+	}
+
+	if (dispsocket != NULL) {
+		ISC_LIST_APPEND(disp->activesockets, dispsocket, link);
+	}
+
+	UNLOCK(&disp->lock);
+
+	*idp = id;
+	*resp = res;
+
+	if ((disp->attributes & DNS_DISPATCHATTR_EXCLUSIVE) != 0) {
+		INSIST(res->dispsocket != NULL);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_dispatch_starttcp(dns_dispatch_t *disp) {
+	REQUIRE(VALID_DISPATCH(disp));
+
+	dispatch_log(disp, LVL(90), "starttcp %p", disp->task[0]);
+
+	LOCK(&disp->lock);
+	if ((disp->attributes & DNS_DISPATCHATTR_CONNECTED) == 0) {
+		disp->attributes |= DNS_DISPATCHATTR_CONNECTED;
+		(void)startrecv(disp, NULL);
+	}
+	UNLOCK(&disp->lock);
+}
+
+isc_result_t
+dns_dispatch_getnext(dns_dispentry_t *resp, dns_dispatchevent_t **sockevent) {
+	dns_dispatch_t *disp;
+	dns_dispatchevent_t *ev;
+
+	REQUIRE(VALID_RESPONSE(resp));
+	REQUIRE(sockevent != NULL && *sockevent != NULL);
+
+	disp = resp->disp;
+	REQUIRE(VALID_DISPATCH(disp));
+
+	ev = *sockevent;
+	*sockevent = NULL;
+
+	LOCK(&disp->lock);
+
+	REQUIRE(resp->item_out);
+	resp->item_out = false;
+
+	if (ev->buffer.base != NULL) {
+		free_buffer(disp, ev->buffer.base, ev->buffer.length);
+	}
+	free_devent(disp, ev);
+
+	if (disp->shutting_down == 1) {
+		UNLOCK(&disp->lock);
+		return (ISC_R_SHUTTINGDOWN);
+	}
+	ev = ISC_LIST_HEAD(resp->items);
+	if (ev != NULL) {
+		ISC_LIST_UNLINK(resp->items, ev, ev_link);
+		ISC_EVENT_INIT(ev, sizeof(*ev), 0, NULL, DNS_EVENT_DISPATCH,
+			       resp->action, resp->arg, resp, NULL, NULL);
+		request_log(disp, resp, LVL(90),
+			    "[c] Sent event %p buffer %p len %d to task %p", ev,
+			    ev->buffer.base, ev->buffer.length, resp->task);
+		resp->item_out = true;
+		isc_task_send(resp->task, ISC_EVENT_PTR(&ev));
+	}
+	UNLOCK(&disp->lock);
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_dispatch_removeresponse(dns_dispentry_t **resp,
+			    dns_dispatchevent_t **sockevent) {
+	dns_dispatchmgr_t *mgr;
+	dns_dispatch_t *disp;
+	dns_dispentry_t *res;
+	dispsocket_t *dispsock;
+	dns_dispatchevent_t *ev;
+	unsigned int bucket;
+	bool killit;
+	unsigned int n;
+	isc_eventlist_t events;
+	dns_qid_t *qid;
+
+	REQUIRE(resp != NULL);
+	REQUIRE(VALID_RESPONSE(*resp));
+
+	res = *resp;
+	*resp = NULL;
+
+	disp = res->disp;
+	REQUIRE(VALID_DISPATCH(disp));
+	mgr = disp->mgr;
+	REQUIRE(VALID_DISPATCHMGR(mgr));
+
+	qid = DNS_QID(disp);
+
+	if (sockevent != NULL) {
+		REQUIRE(*sockevent != NULL);
+		ev = *sockevent;
+		*sockevent = NULL;
+	} else {
+		ev = NULL;
+	}
+
+	LOCK(&disp->lock);
+
+	INSIST(disp->requests > 0);
+	disp->requests--;
+	dec_stats(disp->mgr, (qid == disp->mgr->qid)
+				     ? dns_resstatscounter_disprequdp
+				     : dns_resstatscounter_dispreqtcp);
+	INSIST(disp->refcount > 0);
+	disp->refcount--;
+	if (disp->refcount == 0) {
+		if (disp->recv_pending > 0) {
+			isc_socket_cancel(disp->socket, disp->task[0],
+					  ISC_SOCKCANCEL_RECV);
+		}
+		for (dispsock = ISC_LIST_HEAD(disp->activesockets);
+		     dispsock != NULL; dispsock = ISC_LIST_NEXT(dispsock, link))
+		{
+			isc_socket_cancel(dispsock->socket, dispsock->task,
+					  ISC_SOCKCANCEL_RECV);
+		}
+		disp->shutting_down = 1;
+	}
+
+	bucket = res->bucket;
+
+	LOCK(&qid->lock);
+	ISC_LIST_UNLINK(qid->qid_table[bucket], res, link);
+	UNLOCK(&qid->lock);
+
+	if (ev == NULL && res->item_out) {
+		/*
+		 * We've posted our event, but the caller hasn't gotten it
+		 * yet.  Take it back.
+		 */
+		ISC_LIST_INIT(events);
+		n = isc_task_unsend(res->task, res, DNS_EVENT_DISPATCH, NULL,
+				    &events);
+		/*
+		 * We had better have gotten it back.
+		 */
+		INSIST(n == 1);
+		ev = (dns_dispatchevent_t *)ISC_LIST_HEAD(events);
+	}
+
+	if (ev != NULL) {
+		REQUIRE(res->item_out);
+		res->item_out = false;
+		if (ev->buffer.base != NULL) {
+			free_buffer(disp, ev->buffer.base, ev->buffer.length);
+		}
+		free_devent(disp, ev);
+	}
+
+	request_log(disp, res, LVL(90), "detaching from task %p", res->task);
+	isc_task_detach(&res->task);
+
+	if (res->dispsocket != NULL) {
+		isc_socket_cancel(res->dispsocket->socket,
+				  res->dispsocket->task, ISC_SOCKCANCEL_RECV);
+		res->dispsocket->resp = NULL;
+	}
+
+	/*
+	 * Free any buffered responses as well
+	 */
+	ev = ISC_LIST_HEAD(res->items);
+	while (ev != NULL) {
+		ISC_LIST_UNLINK(res->items, ev, ev_link);
+		if (ev->buffer.base != NULL) {
+			free_buffer(disp, ev->buffer.base, ev->buffer.length);
+		}
+		free_devent(disp, ev);
+		ev = ISC_LIST_HEAD(res->items);
+	}
+	res->magic = 0;
+	isc_refcount_decrement(&disp->mgr->irefs);
+	isc_mem_put(disp->mgr->mctx, res, sizeof(*res));
+	if (disp->shutting_down == 1) {
+		do_cancel(disp);
+	} else {
+		(void)startrecv(disp, NULL);
+	}
+
+	killit = destroy_disp_ok(disp);
+	UNLOCK(&disp->lock);
+	if (killit) {
+		isc_task_send(disp->task[0], &disp->ctlevent);
+	}
+}
+
+/*
+ * disp must be locked.
+ */
+static void
+do_cancel(dns_dispatch_t *disp) {
+	dns_dispatchevent_t *ev;
+	dns_dispentry_t *resp;
+	dns_qid_t *qid;
+
+	if (disp->shutdown_out == 1) {
+		return;
+	}
+
+	qid = DNS_QID(disp);
+
+	/*
+	 * Search for the first response handler without packets outstanding
+	 * unless a specific handler is given.
+	 */
+	LOCK(&qid->lock);
+	for (resp = linear_first(qid); resp != NULL && resp->item_out;
+	     /* Empty. */)
+	{
+		resp = linear_next(qid, resp);
+	}
+
+	/*
+	 * No one to send the cancel event to, so nothing to do.
+	 */
+	if (resp == NULL) {
+		goto unlock;
+	}
+
+	/*
+	 * Send the shutdown failsafe event to this resp.
+	 */
+	ev = disp->failsafe_ev;
+	ISC_EVENT_INIT(ev, sizeof(*ev), 0, NULL, DNS_EVENT_DISPATCH,
+		       resp->action, resp->arg, resp, NULL, NULL);
+	ev->result = disp->shutdown_why;
+	ev->buffer.base = NULL;
+	ev->buffer.length = 0;
+	disp->shutdown_out = 1;
+	request_log(disp, resp, LVL(10), "cancel: failsafe event %p -> task %p",
+		    ev, resp->task);
+	resp->item_out = true;
+	isc_task_send(resp->task, ISC_EVENT_PTR(&ev));
+unlock:
+	UNLOCK(&qid->lock);
+}
+
+isc_socket_t *
+dns_dispatch_getsocket(dns_dispatch_t *disp) {
+	REQUIRE(VALID_DISPATCH(disp));
+
+	return (disp->socket);
+}
+
+isc_socket_t *
+dns_dispatch_getentrysocket(dns_dispentry_t *resp) {
+	REQUIRE(VALID_RESPONSE(resp));
+
+	if (resp->dispsocket != NULL) {
+		return (resp->dispsocket->socket);
+	} else {
+		return (NULL);
+	}
+}
+
+isc_result_t
+dns_dispatch_getlocaladdress(dns_dispatch_t *disp, isc_sockaddr_t *addrp) {
+	REQUIRE(VALID_DISPATCH(disp));
+	REQUIRE(addrp != NULL);
+
+	if (disp->socktype == isc_sockettype_udp) {
+		*addrp = disp->local;
+		return (ISC_R_SUCCESS);
+	}
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+void
+dns_dispatch_cancel(dns_dispatch_t *disp) {
+	REQUIRE(VALID_DISPATCH(disp));
+
+	LOCK(&disp->lock);
+
+	if (disp->shutting_down == 1) {
+		UNLOCK(&disp->lock);
+		return;
+	}
+
+	disp->shutdown_why = ISC_R_CANCELED;
+	disp->shutting_down = 1;
+	do_cancel(disp);
+
+	UNLOCK(&disp->lock);
+
+	return;
+}
+
+unsigned int
+dns_dispatch_getattributes(dns_dispatch_t *disp) {
+	REQUIRE(VALID_DISPATCH(disp));
+
+	/*
+	 * We don't bother locking disp here; it's the caller's responsibility
+	 * to use only non volatile flags.
+	 */
+	return (disp->attributes);
+}
+
+void
+dns_dispatch_changeattributes(dns_dispatch_t *disp, unsigned int attributes,
+			      unsigned int mask) {
+	REQUIRE(VALID_DISPATCH(disp));
+	/* Exclusive attribute can only be set on creation */
+	REQUIRE((attributes & DNS_DISPATCHATTR_EXCLUSIVE) == 0);
+	/* Also, a dispatch with randomport specified cannot start listening */
+	REQUIRE((disp->attributes & DNS_DISPATCHATTR_EXCLUSIVE) == 0 ||
+		(attributes & DNS_DISPATCHATTR_NOLISTEN) == 0);
+
+	/* XXXMLG
+	 * Should check for valid attributes here!
+	 */
+
+	LOCK(&disp->lock);
+
+	if ((mask & DNS_DISPATCHATTR_NOLISTEN) != 0) {
+		if ((disp->attributes & DNS_DISPATCHATTR_NOLISTEN) != 0 &&
+		    (attributes & DNS_DISPATCHATTR_NOLISTEN) == 0)
+		{
+			disp->attributes &= ~DNS_DISPATCHATTR_NOLISTEN;
+			(void)startrecv(disp, NULL);
+		} else if ((disp->attributes & DNS_DISPATCHATTR_NOLISTEN) ==
+				   0 &&
+			   (attributes & DNS_DISPATCHATTR_NOLISTEN) != 0)
+		{
+			disp->attributes |= DNS_DISPATCHATTR_NOLISTEN;
+			if (disp->recv_pending != 0) {
+				isc_socket_cancel(disp->socket, disp->task[0],
+						  ISC_SOCKCANCEL_RECV);
+			}
+		}
+	}
+
+	disp->attributes &= ~mask;
+	disp->attributes |= (attributes & mask);
+	UNLOCK(&disp->lock);
+}
+
+void
+dns_dispatch_importrecv(dns_dispatch_t *disp, isc_event_t *event) {
+	void *buf;
+	isc_socketevent_t *sevent, *newsevent;
+
+	REQUIRE(VALID_DISPATCH(disp));
+	REQUIRE(event != NULL);
+
+	if ((disp->attributes & DNS_DISPATCHATTR_NOLISTEN) == 0) {
+		return;
+	}
+
+	sevent = (isc_socketevent_t *)event;
+	INSIST(sevent->n <= disp->mgr->buffersize);
+
+	newsevent = (isc_socketevent_t *)isc_event_allocate(
+		disp->mgr->mctx, NULL, DNS_EVENT_IMPORTRECVDONE, udp_shrecv,
+		disp, sizeof(isc_socketevent_t));
+
+	buf = allocate_udp_buffer(disp);
+	if (buf == NULL) {
+		isc_event_free(ISC_EVENT_PTR(&newsevent));
+		return;
+	}
+	memmove(buf, sevent->region.base, sevent->n);
+	newsevent->region.base = buf;
+	newsevent->region.length = disp->mgr->buffersize;
+	newsevent->n = sevent->n;
+	newsevent->result = sevent->result;
+	newsevent->address = sevent->address;
+	newsevent->timestamp = sevent->timestamp;
+	newsevent->pktinfo = sevent->pktinfo;
+	newsevent->attributes = sevent->attributes;
+
+	isc_task_send(disp->task[0], ISC_EVENT_PTR(&newsevent));
+}
+
+dns_dispatch_t *
+dns_dispatchset_get(dns_dispatchset_t *dset) {
+	dns_dispatch_t *disp;
+
+	/* check that dispatch set is configured */
+	if (dset == NULL || dset->ndisp == 0) {
+		return (NULL);
+	}
+
+	LOCK(&dset->lock);
+	disp = dset->dispatches[dset->cur];
+	dset->cur++;
+	if (dset->cur == dset->ndisp) {
+		dset->cur = 0;
+	}
+	UNLOCK(&dset->lock);
+
+	return (disp);
+}
+
+isc_result_t
+dns_dispatchset_create(isc_mem_t *mctx, isc_socketmgr_t *sockmgr,
+		       isc_taskmgr_t *taskmgr, dns_dispatch_t *source,
+		       dns_dispatchset_t **dsetp, int n) {
+	isc_result_t result;
+	dns_dispatchset_t *dset;
+	dns_dispatchmgr_t *mgr;
+	int i, j;
+
+	REQUIRE(VALID_DISPATCH(source));
+	REQUIRE((source->attributes & DNS_DISPATCHATTR_UDP) != 0);
+	REQUIRE(dsetp != NULL && *dsetp == NULL);
+
+	mgr = source->mgr;
+
+	dset = isc_mem_get(mctx, sizeof(dns_dispatchset_t));
+	memset(dset, 0, sizeof(*dset));
+
+	isc_mutex_init(&dset->lock);
+
+	dset->dispatches = isc_mem_get(mctx, sizeof(dns_dispatch_t *) * n);
+
+	isc_mem_attach(mctx, &dset->mctx);
+	dset->ndisp = n;
+	dset->cur = 0;
+
+	dset->dispatches[0] = NULL;
+	dns_dispatch_attach(source, &dset->dispatches[0]);
+
+	LOCK(&mgr->lock);
+	for (i = 1; i < n; i++) {
+		dset->dispatches[i] = NULL;
+		result = dispatch_createudp(
+			mgr, sockmgr, taskmgr, &source->local,
+			source->maxrequests, source->attributes,
+			&dset->dispatches[i], source->socket);
+		if (result != ISC_R_SUCCESS) {
+			goto fail;
+		}
+	}
+
+	UNLOCK(&mgr->lock);
+	*dsetp = dset;
+
+	return (ISC_R_SUCCESS);
+
+fail:
+	UNLOCK(&mgr->lock);
+
+	for (j = 0; j < i; j++) {
+		dns_dispatch_detach(&(dset->dispatches[j]));
+	}
+	isc_mem_put(mctx, dset->dispatches, sizeof(dns_dispatch_t *) * n);
+	if (dset->mctx == mctx) {
+		isc_mem_detach(&dset->mctx);
+	}
+
+	isc_mutex_destroy(&dset->lock);
+	isc_mem_put(mctx, dset, sizeof(dns_dispatchset_t));
+	return (result);
+}
+
+void
+dns_dispatchset_cancelall(dns_dispatchset_t *dset, isc_task_t *task) {
+	int i;
+
+	REQUIRE(dset != NULL);
+
+	for (i = 0; i < dset->ndisp; i++) {
+		isc_socket_t *sock;
+		sock = dns_dispatch_getsocket(dset->dispatches[i]);
+		isc_socket_cancel(sock, task, ISC_SOCKCANCEL_ALL);
+	}
+}
+
+void
+dns_dispatchset_destroy(dns_dispatchset_t **dsetp) {
+	dns_dispatchset_t *dset;
+	int i;
+
+	REQUIRE(dsetp != NULL && *dsetp != NULL);
+
+	dset = *dsetp;
+	*dsetp = NULL;
+	for (i = 0; i < dset->ndisp; i++) {
+		dns_dispatch_detach(&(dset->dispatches[i]));
+	}
+	isc_mem_put(dset->mctx, dset->dispatches,
+		    sizeof(dns_dispatch_t *) * dset->ndisp);
+	isc_mutex_destroy(&dset->lock);
+	isc_mem_putanddetach(&dset->mctx, dset, sizeof(dns_dispatchset_t));
+}
+
+void
+dns_dispatch_setdscp(dns_dispatch_t *disp, isc_dscp_t dscp) {
+	REQUIRE(VALID_DISPATCH(disp));
+	disp->dscp = dscp;
+}
+
+isc_dscp_t
+dns_dispatch_getdscp(dns_dispatch_t *disp) {
+	REQUIRE(VALID_DISPATCH(disp));
+	return (disp->dscp);
+}
+
+#if 0
+void
+dns_dispatchmgr_dump(dns_dispatchmgr_t *mgr) {
+	dns_dispatch_t *disp;
+	char foo[1024];
+
+	disp = ISC_LIST_HEAD(mgr->list);
+	while (disp != NULL) {
+		isc_sockaddr_format(&disp->local, foo, sizeof(foo));
+		printf("\tdispatch %p, addr %s\n", disp, foo);
+		disp = ISC_LIST_NEXT(disp, link);
+	}
+}
+#endif /* if 0 */
diff --git a/lib/dns/dlz.c b/lib/dns/dlz.c
new file mode 100644
index 0000000..6d77f5b
--- /dev/null
+++ b/lib/dns/dlz.c
@@ -0,0 +1,541 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the
+ * above copyright notice and this permission notice appear in all
+ * copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND STICHTING NLNET
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ * STICHTING NLNET BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+ * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+ * OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
+ * USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ * The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
+ * conceived and contributed by Rob Butler.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the
+ * above copyright notice and this permission notice appear in all
+ * copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ROB BUTLER
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ * ROB BUTLER BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+ * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+ * OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
+ * USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*! \file */
+
+/***
+ *** Imports
+ ***/
+
+#include <stdbool.h>
+
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/rwlock.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/dlz.h>
+#include <dns/fixedname.h>
+#include <dns/log.h>
+#include <dns/master.h>
+#include <dns/ssu.h>
+#include <dns/zone.h>
+
+/***
+ *** Supported DLZ DB Implementations Registry
+ ***/
+
+static ISC_LIST(dns_dlzimplementation_t) dlz_implementations;
+static isc_rwlock_t dlz_implock;
+static isc_once_t once = ISC_ONCE_INIT;
+
+static void
+dlz_initialize(void) {
+	isc_rwlock_init(&dlz_implock, 0, 0);
+	ISC_LIST_INIT(dlz_implementations);
+}
+
+/*%
+ * Searches the dlz_implementations list for a driver matching name.
+ */
+static dns_dlzimplementation_t *
+dlz_impfind(const char *name) {
+	dns_dlzimplementation_t *imp;
+
+	for (imp = ISC_LIST_HEAD(dlz_implementations); imp != NULL;
+	     imp = ISC_LIST_NEXT(imp, link))
+	{
+		if (strcasecmp(name, imp->name) == 0) {
+			return (imp);
+		}
+	}
+	return (NULL);
+}
+
+/***
+ *** Basic DLZ Methods
+ ***/
+
+isc_result_t
+dns_dlzallowzonexfr(dns_view_t *view, const dns_name_t *name,
+		    const isc_sockaddr_t *clientaddr, dns_db_t **dbp) {
+	isc_result_t result = ISC_R_NOTFOUND;
+	dns_dlzallowzonexfr_t allowzonexfr;
+	dns_dlzdb_t *dlzdb;
+
+	/*
+	 * Performs checks to make sure data is as we expect it to be.
+	 */
+	REQUIRE(name != NULL);
+	REQUIRE(dbp != NULL && *dbp == NULL);
+
+	/*
+	 * Find a driver in which the zone exists and transfer is supported
+	 */
+	for (dlzdb = ISC_LIST_HEAD(view->dlz_searched); dlzdb != NULL;
+	     dlzdb = ISC_LIST_NEXT(dlzdb, link))
+	{
+		REQUIRE(DNS_DLZ_VALID(dlzdb));
+
+		allowzonexfr = dlzdb->implementation->methods->allowzonexfr;
+		result = (*allowzonexfr)(dlzdb->implementation->driverarg,
+					 dlzdb->dbdata, dlzdb->mctx,
+					 view->rdclass, name, clientaddr, dbp);
+
+		/*
+		 * In these cases, we found the right database. Non-success
+		 * result codes indicate the zone might not transfer.
+		 */
+		switch (result) {
+		case ISC_R_SUCCESS:
+		case ISC_R_NOPERM:
+		case ISC_R_DEFAULT:
+			return (result);
+		default:
+			break;
+		}
+	}
+
+	if (result == ISC_R_NOTIMPLEMENTED) {
+		result = ISC_R_NOTFOUND;
+	}
+
+	return (result);
+}
+
+isc_result_t
+dns_dlzcreate(isc_mem_t *mctx, const char *dlzname, const char *drivername,
+	      unsigned int argc, char *argv[], dns_dlzdb_t **dbp) {
+	dns_dlzimplementation_t *impinfo;
+	isc_result_t result;
+	dns_dlzdb_t *db = NULL;
+
+	/*
+	 * initialize the dlz_implementations list, this is guaranteed
+	 * to only really happen once.
+	 */
+	RUNTIME_CHECK(isc_once_do(&once, dlz_initialize) == ISC_R_SUCCESS);
+
+	/*
+	 * Performs checks to make sure data is as we expect it to be.
+	 */
+	REQUIRE(dbp != NULL && *dbp == NULL);
+	REQUIRE(dlzname != NULL);
+	REQUIRE(drivername != NULL);
+	REQUIRE(mctx != NULL);
+
+	/* write log message */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ,
+		      ISC_LOG_INFO, "Loading '%s' using driver %s", dlzname,
+		      drivername);
+
+	/* lock the dlz_implementations list so we can search it. */
+	RWLOCK(&dlz_implock, isc_rwlocktype_read);
+
+	/* search for the driver implementation	 */
+	impinfo = dlz_impfind(drivername);
+	if (impinfo == NULL) {
+		RWUNLOCK(&dlz_implock, isc_rwlocktype_read);
+
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "unsupported DLZ database driver '%s'."
+			      "  %s not loaded.",
+			      drivername, dlzname);
+
+		return (ISC_R_NOTFOUND);
+	}
+
+	/* Allocate memory to hold the DLZ database driver */
+	db = isc_mem_get(mctx, sizeof(dns_dlzdb_t));
+
+	/* Make sure memory region is set to all 0's */
+	memset(db, 0, sizeof(dns_dlzdb_t));
+
+	ISC_LINK_INIT(db, link);
+	db->implementation = impinfo;
+	if (dlzname != NULL) {
+		db->dlzname = isc_mem_strdup(mctx, dlzname);
+	}
+
+	/* Create a new database using implementation 'drivername'. */
+	result = ((impinfo->methods->create)(mctx, dlzname, argc, argv,
+					     impinfo->driverarg, &db->dbdata));
+
+	/* mark the DLZ driver as valid */
+	if (result == ISC_R_SUCCESS) {
+		RWUNLOCK(&dlz_implock, isc_rwlocktype_read);
+		db->magic = DNS_DLZ_MAGIC;
+		isc_mem_attach(mctx, &db->mctx);
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(2),
+			      "DLZ driver loaded successfully.");
+		*dbp = db;
+		return (ISC_R_SUCCESS);
+	} else {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "DLZ driver failed to load.");
+	}
+
+	/* impinfo->methods->create failed. */
+	RWUNLOCK(&dlz_implock, isc_rwlocktype_read);
+	isc_mem_free(mctx, db->dlzname);
+	isc_mem_put(mctx, db, sizeof(dns_dlzdb_t));
+	return (result);
+}
+
+void
+dns_dlzdestroy(dns_dlzdb_t **dbp) {
+	dns_dlzdestroy_t destroy;
+	dns_dlzdb_t *db;
+
+	/* Write debugging message to log */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ,
+		      ISC_LOG_DEBUG(2), "Unloading DLZ driver.");
+
+	/*
+	 * Perform checks to make sure data is as we expect it to be.
+	 */
+	REQUIRE(dbp != NULL && DNS_DLZ_VALID(*dbp));
+
+	db = *dbp;
+	*dbp = NULL;
+
+	if (db->ssutable != NULL) {
+		dns_ssutable_detach(&db->ssutable);
+	}
+
+	/* call the drivers destroy method */
+	if (db->dlzname != NULL) {
+		isc_mem_free(db->mctx, db->dlzname);
+	}
+	destroy = db->implementation->methods->destroy;
+	(*destroy)(db->implementation->driverarg, db->dbdata);
+	/* return memory and detach */
+	isc_mem_putanddetach(&db->mctx, db, sizeof(dns_dlzdb_t));
+}
+
+/*%
+ * Registers a DLZ driver.  This basically just adds the dlz
+ * driver to the list of available drivers in the dlz_implementations list.
+ */
+isc_result_t
+dns_dlzregister(const char *drivername, const dns_dlzmethods_t *methods,
+		void *driverarg, isc_mem_t *mctx,
+		dns_dlzimplementation_t **dlzimp) {
+	dns_dlzimplementation_t *dlz_imp;
+
+	/* Write debugging message to log */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ,
+		      ISC_LOG_DEBUG(2), "Registering DLZ driver '%s'",
+		      drivername);
+
+	/*
+	 * Performs checks to make sure data is as we expect it to be.
+	 */
+	REQUIRE(drivername != NULL);
+	REQUIRE(methods != NULL);
+	REQUIRE(methods->create != NULL);
+	REQUIRE(methods->destroy != NULL);
+	REQUIRE(methods->findzone != NULL);
+	REQUIRE(mctx != NULL);
+	REQUIRE(dlzimp != NULL && *dlzimp == NULL);
+
+	/*
+	 * initialize the dlz_implementations list, this is guaranteed
+	 * to only really happen once.
+	 */
+	RUNTIME_CHECK(isc_once_do(&once, dlz_initialize) == ISC_R_SUCCESS);
+
+	/* lock the dlz_implementations list so we can modify it. */
+	RWLOCK(&dlz_implock, isc_rwlocktype_write);
+
+	/*
+	 * check that another already registered driver isn't using
+	 * the same name
+	 */
+	dlz_imp = dlz_impfind(drivername);
+	if (dlz_imp != NULL) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(2),
+			      "DLZ Driver '%s' already registered", drivername);
+		RWUNLOCK(&dlz_implock, isc_rwlocktype_write);
+		return (ISC_R_EXISTS);
+	}
+
+	/*
+	 * Allocate memory for a dlz_implementation object.  Error if
+	 * we cannot.
+	 */
+	dlz_imp = isc_mem_get(mctx, sizeof(dns_dlzimplementation_t));
+
+	/* Make sure memory region is set to all 0's */
+	memset(dlz_imp, 0, sizeof(dns_dlzimplementation_t));
+
+	/* Store the data passed into this method */
+	dlz_imp->name = drivername;
+	dlz_imp->methods = methods;
+	dlz_imp->mctx = NULL;
+	dlz_imp->driverarg = driverarg;
+
+	/* attach the new dlz_implementation object to a memory context */
+	isc_mem_attach(mctx, &dlz_imp->mctx);
+
+	/*
+	 * prepare the dlz_implementation object to be put in a list,
+	 * and append it to the list
+	 */
+	ISC_LINK_INIT(dlz_imp, link);
+	ISC_LIST_APPEND(dlz_implementations, dlz_imp, link);
+
+	/* Unlock the dlz_implementations list.	 */
+	RWUNLOCK(&dlz_implock, isc_rwlocktype_write);
+
+	/* Pass back the dlz_implementation that we created. */
+	*dlzimp = dlz_imp;
+
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Tokenize the string "s" into whitespace-separated words,
+ * return the number of words in '*argcp' and an array
+ * of pointers to the words in '*argvp'.  The caller
+ * must free the array using isc_mem_put().  The string
+ * is modified in-place.
+ */
+isc_result_t
+dns_dlzstrtoargv(isc_mem_t *mctx, char *s, unsigned int *argcp, char ***argvp) {
+	return (isc_commandline_strtoargv(mctx, s, argcp, argvp, 0));
+}
+
+/*%
+ * Unregisters a DLZ driver.  This basically just removes the dlz
+ * driver from the list of available drivers in the dlz_implementations list.
+ */
+void
+dns_dlzunregister(dns_dlzimplementation_t **dlzimp) {
+	dns_dlzimplementation_t *dlz_imp;
+
+	/* Write debugging message to log */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ,
+		      ISC_LOG_DEBUG(2), "Unregistering DLZ driver.");
+
+	/*
+	 * Performs checks to make sure data is as we expect it to be.
+	 */
+	REQUIRE(dlzimp != NULL && *dlzimp != NULL);
+
+	/*
+	 * initialize the dlz_implementations list, this is guaranteed
+	 * to only really happen once.
+	 */
+	RUNTIME_CHECK(isc_once_do(&once, dlz_initialize) == ISC_R_SUCCESS);
+
+	dlz_imp = *dlzimp;
+
+	/* lock the dlz_implementations list so we can modify it. */
+	RWLOCK(&dlz_implock, isc_rwlocktype_write);
+
+	/* remove the dlz_implementation object from the list */
+	ISC_LIST_UNLINK(dlz_implementations, dlz_imp, link);
+
+	/*
+	 * Return the memory back to the available memory pool and
+	 * remove it from the memory context.
+	 */
+	isc_mem_putanddetach(&dlz_imp->mctx, dlz_imp, sizeof(*dlz_imp));
+
+	/* Unlock the dlz_implementations list. */
+	RWUNLOCK(&dlz_implock, isc_rwlocktype_write);
+}
+
+/*
+ * Create a writeable DLZ zone. This can be called by DLZ drivers
+ * during configure() to create a zone that can be updated. The zone
+ * type is set to dns_zone_dlz, which is equivalent to a master zone
+ *
+ * This function uses a callback setup in dns_dlzconfigure() to call
+ * into the server zone code to setup the remaining pieces of server
+ * specific functionality on the zone
+ */
+isc_result_t
+dns_dlz_writeablezone(dns_view_t *view, dns_dlzdb_t *dlzdb,
+		      const char *zone_name) {
+	dns_zone_t *zone = NULL;
+	dns_zone_t *dupzone = NULL;
+	isc_result_t result;
+	isc_buffer_t buffer;
+	dns_fixedname_t fixorigin;
+	dns_name_t *origin;
+
+	REQUIRE(DNS_DLZ_VALID(dlzdb));
+
+	REQUIRE(dlzdb->configure_callback != NULL);
+
+	isc_buffer_constinit(&buffer, zone_name, strlen(zone_name));
+	isc_buffer_add(&buffer, strlen(zone_name));
+	dns_fixedname_init(&fixorigin);
+	result = dns_name_fromtext(dns_fixedname_name(&fixorigin), &buffer,
+				   dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	origin = dns_fixedname_name(&fixorigin);
+
+	if (!dlzdb->search) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_WARNING,
+			      "DLZ %s has 'search no;', but attempted to "
+			      "register writeable zone %s.",
+			      dlzdb->dlzname, zone_name);
+		result = ISC_R_SUCCESS;
+		goto cleanup;
+	}
+
+	/* See if the zone already exists */
+	result = dns_view_findzone(view, origin, &dupzone);
+	if (result == ISC_R_SUCCESS) {
+		dns_zone_detach(&dupzone);
+		result = ISC_R_EXISTS;
+		goto cleanup;
+	}
+	INSIST(dupzone == NULL);
+
+	/* Create it */
+	result = dns_zone_create(&zone, view->mctx);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	result = dns_zone_setorigin(zone, origin);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	dns_zone_setview(zone, view);
+
+	dns_zone_setadded(zone, true);
+
+	if (dlzdb->ssutable == NULL) {
+		result = dns_ssutable_createdlz(dlzdb->mctx, &dlzdb->ssutable,
+						dlzdb);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+	}
+	dns_zone_setssutable(zone, dlzdb->ssutable);
+
+	result = dlzdb->configure_callback(view, dlzdb, zone);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	result = dns_view_addzone(view, zone);
+
+cleanup:
+	if (zone != NULL) {
+		dns_zone_detach(&zone);
+	}
+
+	return (result);
+}
+
+/*%
+ * Configure a DLZ driver. This is optional, and if supplied gives
+ * the backend an opportunity to configure parameters related to DLZ.
+ */
+isc_result_t
+dns_dlzconfigure(dns_view_t *view, dns_dlzdb_t *dlzdb,
+		 dlzconfigure_callback_t callback) {
+	dns_dlzimplementation_t *impl;
+	isc_result_t result;
+
+	REQUIRE(DNS_DLZ_VALID(dlzdb));
+	REQUIRE(dlzdb->implementation != NULL);
+
+	impl = dlzdb->implementation;
+
+	if (impl->methods->configure == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+
+	dlzdb->configure_callback = callback;
+
+	result = impl->methods->configure(impl->driverarg, dlzdb->dbdata, view,
+					  dlzdb);
+	return (result);
+}
+
+bool
+dns_dlz_ssumatch(dns_dlzdb_t *dlzdatabase, const dns_name_t *signer,
+		 const dns_name_t *name, const isc_netaddr_t *tcpaddr,
+		 dns_rdatatype_t type, const dst_key_t *key) {
+	dns_dlzimplementation_t *impl;
+	bool r;
+
+	REQUIRE(dlzdatabase != NULL);
+	REQUIRE(dlzdatabase->implementation != NULL);
+	REQUIRE(dlzdatabase->implementation->methods != NULL);
+	impl = dlzdatabase->implementation;
+
+	if (impl->methods->ssumatch == NULL) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_INFO,
+			      "No ssumatch method for DLZ database");
+		return (false);
+	}
+
+	r = impl->methods->ssumatch(signer, name, tcpaddr, type, key,
+				    impl->driverarg, dlzdatabase->dbdata);
+	return (r);
+}
diff --git a/lib/dns/dns64.c b/lib/dns/dns64.c
new file mode 100644
index 0000000..03b3dca
--- /dev/null
+++ b/lib/dns/dns64.c
@@ -0,0 +1,325 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stdbool.h>
+#include <string.h>
+
+#include <isc/list.h>
+#include <isc/mem.h>
+#include <isc/netaddr.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/acl.h>
+#include <dns/dns64.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/result.h>
+
+struct dns_dns64 {
+	unsigned char bits[16]; /*
+				 * Prefix + suffix bits.
+				 */
+	dns_acl_t *clients;	/*
+				 * Which clients get mapped
+				 * addresses.
+				 */
+	dns_acl_t *mapped;	/*
+				 * IPv4 addresses to be mapped.
+				 */
+	dns_acl_t *excluded;	/*
+				 * IPv6 addresses that are
+				 * treated as not existing.
+				 */
+	unsigned int prefixlen; /*
+				 * Start of mapped address.
+				 */
+	unsigned int flags;
+	isc_mem_t *mctx;
+	ISC_LINK(dns_dns64_t) link;
+};
+
+isc_result_t
+dns_dns64_create(isc_mem_t *mctx, const isc_netaddr_t *prefix,
+		 unsigned int prefixlen, const isc_netaddr_t *suffix,
+		 dns_acl_t *clients, dns_acl_t *mapped, dns_acl_t *excluded,
+		 unsigned int flags, dns_dns64_t **dns64p) {
+	dns_dns64_t *dns64;
+	unsigned int nbytes = 16;
+
+	REQUIRE(prefix != NULL && prefix->family == AF_INET6);
+	/* Legal prefix lengths from rfc6052.txt. */
+	REQUIRE(prefixlen == 32 || prefixlen == 40 || prefixlen == 48 ||
+		prefixlen == 56 || prefixlen == 64 || prefixlen == 96);
+	REQUIRE(isc_netaddr_prefixok(prefix, prefixlen) == ISC_R_SUCCESS);
+	REQUIRE(dns64p != NULL && *dns64p == NULL);
+
+	if (suffix != NULL) {
+		static const unsigned char zeros[16];
+		REQUIRE(prefix->family == AF_INET6);
+		nbytes = prefixlen / 8 + 4;
+		/* Bits 64-71 are zeros. rfc6052.txt */
+		if (prefixlen >= 32 && prefixlen <= 64) {
+			nbytes++;
+		}
+		REQUIRE(memcmp(suffix->type.in6.s6_addr, zeros, nbytes) == 0);
+	}
+
+	dns64 = isc_mem_get(mctx, sizeof(dns_dns64_t));
+	memset(dns64->bits, 0, sizeof(dns64->bits));
+	memmove(dns64->bits, prefix->type.in6.s6_addr, prefixlen / 8);
+	if (suffix != NULL) {
+		memmove(dns64->bits + nbytes, suffix->type.in6.s6_addr + nbytes,
+			16 - nbytes);
+	}
+	dns64->clients = NULL;
+	if (clients != NULL) {
+		dns_acl_attach(clients, &dns64->clients);
+	}
+	dns64->mapped = NULL;
+	if (mapped != NULL) {
+		dns_acl_attach(mapped, &dns64->mapped);
+	}
+	dns64->excluded = NULL;
+	if (excluded != NULL) {
+		dns_acl_attach(excluded, &dns64->excluded);
+	}
+	dns64->prefixlen = prefixlen;
+	dns64->flags = flags;
+	ISC_LINK_INIT(dns64, link);
+	dns64->mctx = NULL;
+	isc_mem_attach(mctx, &dns64->mctx);
+	*dns64p = dns64;
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_dns64_destroy(dns_dns64_t **dns64p) {
+	dns_dns64_t *dns64;
+
+	REQUIRE(dns64p != NULL && *dns64p != NULL);
+
+	dns64 = *dns64p;
+	*dns64p = NULL;
+
+	REQUIRE(!ISC_LINK_LINKED(dns64, link));
+
+	if (dns64->clients != NULL) {
+		dns_acl_detach(&dns64->clients);
+	}
+	if (dns64->mapped != NULL) {
+		dns_acl_detach(&dns64->mapped);
+	}
+	if (dns64->excluded != NULL) {
+		dns_acl_detach(&dns64->excluded);
+	}
+	isc_mem_putanddetach(&dns64->mctx, dns64, sizeof(*dns64));
+}
+
+isc_result_t
+dns_dns64_aaaafroma(const dns_dns64_t *dns64, const isc_netaddr_t *reqaddr,
+		    const dns_name_t *reqsigner, const dns_aclenv_t *env,
+		    unsigned int flags, unsigned char *a, unsigned char *aaaa) {
+	unsigned int nbytes, i;
+	isc_result_t result;
+	int match;
+
+	if ((dns64->flags & DNS_DNS64_RECURSIVE_ONLY) != 0 &&
+	    (flags & DNS_DNS64_RECURSIVE) == 0)
+	{
+		return (DNS_R_DISALLOWED);
+	}
+
+	if ((dns64->flags & DNS_DNS64_BREAK_DNSSEC) == 0 &&
+	    (flags & DNS_DNS64_DNSSEC) != 0)
+	{
+		return (DNS_R_DISALLOWED);
+	}
+
+	if (dns64->clients != NULL) {
+		result = dns_acl_match(reqaddr, reqsigner, dns64->clients, env,
+				       &match, NULL);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		if (match <= 0) {
+			return (DNS_R_DISALLOWED);
+		}
+	}
+
+	if (dns64->mapped != NULL) {
+		struct in_addr ina;
+		isc_netaddr_t netaddr;
+
+		memmove(&ina.s_addr, a, 4);
+		isc_netaddr_fromin(&netaddr, &ina);
+		result = dns_acl_match(&netaddr, NULL, dns64->mapped, env,
+				       &match, NULL);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		if (match <= 0) {
+			return (DNS_R_DISALLOWED);
+		}
+	}
+
+	nbytes = dns64->prefixlen / 8;
+	INSIST(nbytes <= 12);
+	/* Copy prefix. */
+	memmove(aaaa, dns64->bits, nbytes);
+	/* Bits 64-71 are zeros. rfc6052.txt */
+	if (nbytes == 8) {
+		aaaa[nbytes++] = 0;
+	}
+	/* Copy mapped address. */
+	for (i = 0; i < 4U; i++) {
+		aaaa[nbytes++] = a[i];
+		/* Bits 64-71 are zeros. rfc6052.txt */
+		if (nbytes == 8) {
+			aaaa[nbytes++] = 0;
+		}
+	}
+	/* Copy suffix. */
+	memmove(aaaa + nbytes, dns64->bits + nbytes, 16 - nbytes);
+	return (ISC_R_SUCCESS);
+}
+
+dns_dns64_t *
+dns_dns64_next(dns_dns64_t *dns64) {
+	dns64 = ISC_LIST_NEXT(dns64, link);
+	return (dns64);
+}
+
+void
+dns_dns64_append(dns_dns64list_t *list, dns_dns64_t *dns64) {
+	ISC_LIST_APPEND(*list, dns64, link);
+}
+
+void
+dns_dns64_unlink(dns_dns64list_t *list, dns_dns64_t *dns64) {
+	ISC_LIST_UNLINK(*list, dns64, link);
+}
+
+bool
+dns_dns64_aaaaok(const dns_dns64_t *dns64, const isc_netaddr_t *reqaddr,
+		 const dns_name_t *reqsigner, const dns_aclenv_t *env,
+		 unsigned int flags, dns_rdataset_t *rdataset, bool *aaaaok,
+		 size_t aaaaoklen) {
+	struct in6_addr in6;
+	isc_netaddr_t netaddr;
+	isc_result_t result;
+	int match;
+	bool answer = false;
+	bool found = false;
+	unsigned int i, ok;
+
+	REQUIRE(rdataset != NULL);
+	REQUIRE(rdataset->type == dns_rdatatype_aaaa);
+	REQUIRE(rdataset->rdclass == dns_rdataclass_in);
+	if (aaaaok != NULL) {
+		REQUIRE(aaaaoklen == dns_rdataset_count(rdataset));
+	}
+
+	for (; dns64 != NULL; dns64 = ISC_LIST_NEXT(dns64, link)) {
+		if ((dns64->flags & DNS_DNS64_RECURSIVE_ONLY) != 0 &&
+		    (flags & DNS_DNS64_RECURSIVE) == 0)
+		{
+			continue;
+		}
+
+		if ((dns64->flags & DNS_DNS64_BREAK_DNSSEC) == 0 &&
+		    (flags & DNS_DNS64_DNSSEC) != 0)
+		{
+			continue;
+		}
+		/*
+		 * Work out if this dns64 structure applies to this client.
+		 */
+		if (dns64->clients != NULL) {
+			result = dns_acl_match(reqaddr, reqsigner,
+					       dns64->clients, env, &match,
+					       NULL);
+			if (result != ISC_R_SUCCESS) {
+				continue;
+			}
+			if (match <= 0) {
+				continue;
+			}
+		}
+
+		if (!found && aaaaok != NULL) {
+			for (i = 0; i < aaaaoklen; i++) {
+				aaaaok[i] = false;
+			}
+		}
+		found = true;
+
+		/*
+		 * If we are not excluding any addresses then any AAAA
+		 * will do.
+		 */
+		if (dns64->excluded == NULL) {
+			answer = true;
+			if (aaaaok == NULL) {
+				goto done;
+			}
+			for (i = 0; i < aaaaoklen; i++) {
+				aaaaok[i] = true;
+			}
+			goto done;
+		}
+
+		i = 0;
+		ok = 0;
+		for (result = dns_rdataset_first(rdataset);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(rdataset))
+		{
+			dns_rdata_t rdata = DNS_RDATA_INIT;
+			if (aaaaok == NULL || !aaaaok[i]) {
+				dns_rdataset_current(rdataset, &rdata);
+				memmove(&in6.s6_addr, rdata.data, 16);
+				isc_netaddr_fromin6(&netaddr, &in6);
+
+				result = dns_acl_match(&netaddr, NULL,
+						       dns64->excluded, env,
+						       &match, NULL);
+				if (result == ISC_R_SUCCESS && match <= 0) {
+					answer = true;
+					if (aaaaok == NULL) {
+						goto done;
+					}
+					aaaaok[i] = true;
+					ok++;
+				}
+			} else {
+				ok++;
+			}
+			i++;
+		}
+		/*
+		 * Are all addresses ok?
+		 */
+		if (aaaaok != NULL && ok == aaaaoklen) {
+			goto done;
+		}
+	}
+
+done:
+	if (!found && aaaaok != NULL) {
+		for (i = 0; i < aaaaoklen; i++) {
+			aaaaok[i] = true;
+		}
+	}
+	return (found ? answer : true);
+}
diff --git a/lib/dns/dnsrps.c b/lib/dns/dnsrps.c
new file mode 100644
index 0000000..8c04337
--- /dev/null
+++ b/lib/dns/dnsrps.c
@@ -0,0 +1,1005 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#ifdef USE_DNSRPS
+
+#include <stdlib.h>
+
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#define LIBRPZ_LIB_OPEN DNSRPS_LIB_OPEN
+#include <dns/dnsrps.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/result.h>
+#include <dns/rpz.h>
+
+librpz_t *librpz;
+librpz_emsg_t librpz_lib_open_emsg;
+static void *librpz_handle;
+
+#define RPSDB_MAGIC	   ISC_MAGIC('R', 'P', 'Z', 'F')
+#define VALID_RPSDB(rpsdb) ((rpsdb)->common.impmagic == RPSDB_MAGIC)
+
+#define RD_DB(r)      ((r)->private1)
+#define RD_CUR_RR(r)  ((r)->private2)
+#define RD_NEXT_RR(r) ((r)->resign)
+#define RD_COUNT(r)   ((r)->privateuint4)
+
+typedef struct {
+	dns_rdatasetiter_t common;
+	dns_rdatatype_t type;
+	dns_rdataclass_t class;
+	uint32_t ttl;
+	uint count;
+	librpz_idx_t next_rr;
+} rpsdb_rdatasetiter_t;
+
+static dns_dbmethods_t rpsdb_db_methods;
+static dns_rdatasetmethods_t rpsdb_rdataset_methods;
+static dns_rdatasetitermethods_t rpsdb_rdatasetiter_methods;
+
+static librpz_clist_t *clist;
+
+static isc_mutex_t dnsrps_mutex;
+
+static void
+dnsrps_lock(void *mutex0) {
+	isc_mutex_t *mutex = mutex0;
+
+	LOCK(mutex);
+}
+
+static void
+dnsrps_unlock(void *mutex0) {
+	isc_mutex_t *mutex = mutex0;
+
+	UNLOCK(mutex);
+}
+
+static void
+dnsrps_mutex_destroy(void *mutex0) {
+	isc_mutex_t *mutex = mutex0;
+
+	isc_mutex_destroy(mutex);
+}
+
+static void
+dnsrps_log_fnc(librpz_log_level_t level, void *ctxt, const char *buf) {
+	int isc_level;
+
+	UNUSED(ctxt);
+
+	/* Setting librpz_log_level in the configuration overrides the
+	 * BIND9 logging levels. */
+	if (level > LIBRPZ_LOG_TRACE1 &&
+	    level <= librpz->log_level_val(LIBRPZ_LOG_INVALID))
+	{
+		level = LIBRPZ_LOG_TRACE1;
+	}
+
+	switch (level) {
+	case LIBRPZ_LOG_FATAL:
+	case LIBRPZ_LOG_ERROR: /* errors */
+	default:
+		isc_level = DNS_RPZ_ERROR_LEVEL;
+		break;
+
+	case LIBRPZ_LOG_TRACE1: /* big events such as dnsrpzd starts */
+		isc_level = DNS_RPZ_INFO_LEVEL;
+		break;
+
+	case LIBRPZ_LOG_TRACE2: /* smaller dnsrpzd zone transfers */
+		isc_level = DNS_RPZ_DEBUG_LEVEL1;
+		break;
+
+	case LIBRPZ_LOG_TRACE3: /* librpz hits */
+		isc_level = DNS_RPZ_DEBUG_LEVEL2;
+		break;
+
+	case LIBRPZ_LOG_TRACE4: /* librpz lookups */
+		isc_level = DNS_RPZ_DEBUG_LEVEL3;
+		break;
+	}
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, DNS_LOGMODULE_RBTDB,
+		      isc_level, "dnsrps: %s", buf);
+}
+
+/*
+ * Start dnsrps for the entire server.
+ *	This is not thread safe, but it is called by a single thread.
+ */
+isc_result_t
+dns_dnsrps_server_create(void) {
+	librpz_emsg_t emsg;
+
+	INSIST(clist == NULL);
+	INSIST(librpz == NULL);
+	INSIST(librpz_handle == NULL);
+
+	/*
+	 * Notice if librpz is available.
+	 */
+	librpz = librpz_lib_open(&librpz_lib_open_emsg, &librpz_handle,
+				 DNSRPS_LIBRPZ_PATH);
+	/*
+	 * Stop now without complaining if librpz is not available.
+	 * Complain later if and when librpz is needed for a view with
+	 * "dnsrps-enable yes" (including the default view).
+	 */
+	if (librpz == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+
+	isc_mutex_init(&dnsrps_mutex);
+
+	librpz->set_log(dnsrps_log_fnc, NULL);
+
+	clist = librpz->clist_create(&emsg, dnsrps_lock, dnsrps_unlock,
+				     dnsrps_mutex_destroy, &dnsrps_mutex,
+				     dns_lctx);
+	if (clist == NULL) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
+			      DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL,
+			      "dnsrps: %s", emsg.c);
+		return (ISC_R_NOMEMORY);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Stop dnsrps for the entire server.
+ *	This is not thread safe.
+ */
+void
+dns_dnsrps_server_destroy(void) {
+	if (clist != NULL) {
+		librpz->clist_detach(&clist);
+	}
+
+#ifdef LIBRPZ_USE_DLOPEN
+	if (librpz != NULL) {
+		INSIST(librpz_handle != NULL);
+		if (dlclose(librpz_handle) != 0) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
+				      DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL,
+				      "dnsrps: dlclose(): %s", dlerror());
+		}
+		librpz_handle = NULL;
+	}
+#endif /* ifdef LIBRPZ_USE_DLOPEN */
+}
+
+/*
+ * Ready dnsrps for a view.
+ */
+isc_result_t
+dns_dnsrps_view_init(dns_rpz_zones_t *new, char *rps_cstr) {
+	librpz_emsg_t emsg;
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, DNS_LOGMODULE_RBTDB,
+		      DNS_RPZ_DEBUG_LEVEL3, "dnsrps configuration \"%s\"",
+		      rps_cstr);
+
+	new->rps_client = librpz->client_create(&emsg, clist, rps_cstr, false);
+	if (new->rps_client == NULL) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
+			      DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL,
+			      "librpz->client_create(): %s", emsg.c);
+		new->p.dnsrps_enabled = false;
+		return (ISC_R_FAILURE);
+	}
+
+	new->p.dnsrps_enabled = true;
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Connect to and start the dnsrps daemon, dnsrpzd.
+ */
+isc_result_t
+dns_dnsrps_connect(dns_rpz_zones_t *rpzs) {
+	librpz_emsg_t emsg;
+
+	if (rpzs == NULL || !rpzs->p.dnsrps_enabled) {
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * Fail only if we failed to link to librpz.
+	 */
+	if (librpz == NULL) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
+			      DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL,
+			      "librpz->connect(): %s", librpz_lib_open_emsg.c);
+		return (ISC_R_FAILURE);
+	}
+
+	if (!librpz->connect(&emsg, rpzs->rps_client, true)) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
+			      DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL,
+			      "librpz->connect(): %s", emsg.c);
+		return (ISC_R_SUCCESS);
+	}
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, DNS_LOGMODULE_RBTDB,
+		      DNS_RPZ_INFO_LEVEL, "dnsrps: librpz version %s",
+		      librpz->version);
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Get ready to try RPZ rewriting.
+ */
+isc_result_t
+dns_dnsrps_rewrite_init(librpz_emsg_t *emsg, dns_rpz_st_t *st,
+			dns_rpz_zones_t *rpzs, const dns_name_t *qname,
+			isc_mem_t *mctx, bool have_rd) {
+	rpsdb_t *rpsdb;
+
+	rpsdb = isc_mem_get(mctx, sizeof(*rpsdb));
+	memset(rpsdb, 0, sizeof(*rpsdb));
+
+	if (!librpz->rsp_create(emsg, &rpsdb->rsp, NULL, rpzs->rps_client,
+				have_rd, false))
+	{
+		isc_mem_put(mctx, rpsdb, sizeof(*rpsdb));
+		return (DNS_R_SERVFAIL);
+	}
+	if (rpsdb->rsp == NULL) {
+		isc_mem_put(mctx, rpsdb, sizeof(*rpsdb));
+		return (DNS_R_DISALLOWED);
+	}
+
+	rpsdb->common.magic = DNS_DB_MAGIC;
+	rpsdb->common.impmagic = RPSDB_MAGIC;
+	rpsdb->common.methods = &rpsdb_db_methods;
+	rpsdb->common.rdclass = dns_rdataclass_in;
+	dns_name_init(&rpsdb->common.origin, NULL);
+	isc_mem_attach(mctx, &rpsdb->common.mctx);
+
+	rpsdb->ref_cnt = 1;
+	rpsdb->qname = qname;
+
+	st->rpsdb = &rpsdb->common;
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Convert a dnsrps policy to a classic BIND9 RPZ policy.
+ */
+dns_rpz_policy_t
+dns_dnsrps_2policy(librpz_policy_t rps_policy) {
+	switch (rps_policy) {
+	case LIBRPZ_POLICY_UNDEFINED:
+		return (DNS_RPZ_POLICY_MISS);
+	case LIBRPZ_POLICY_PASSTHRU:
+		return (DNS_RPZ_POLICY_PASSTHRU);
+	case LIBRPZ_POLICY_DROP:
+		return (DNS_RPZ_POLICY_DROP);
+	case LIBRPZ_POLICY_TCP_ONLY:
+		return (DNS_RPZ_POLICY_TCP_ONLY);
+	case LIBRPZ_POLICY_NXDOMAIN:
+		return (DNS_RPZ_POLICY_NXDOMAIN);
+	case LIBRPZ_POLICY_NODATA:
+		return (DNS_RPZ_POLICY_NODATA);
+	case LIBRPZ_POLICY_RECORD:
+	case LIBRPZ_POLICY_CNAME:
+		return (DNS_RPZ_POLICY_RECORD);
+
+	case LIBRPZ_POLICY_DELETED:
+	case LIBRPZ_POLICY_GIVEN:
+	case LIBRPZ_POLICY_DISABLED:
+	default:
+		UNREACHABLE();
+	}
+}
+
+/*
+ * Convert a dnsrps trigger to a classic BIND9 RPZ rewrite or trigger type.
+ */
+dns_rpz_type_t
+dns_dnsrps_trig2type(librpz_trig_t trig) {
+	switch (trig) {
+	case LIBRPZ_TRIG_BAD:
+	default:
+		return (DNS_RPZ_TYPE_BAD);
+	case LIBRPZ_TRIG_CLIENT_IP:
+		return (DNS_RPZ_TYPE_CLIENT_IP);
+	case LIBRPZ_TRIG_QNAME:
+		return (DNS_RPZ_TYPE_QNAME);
+	case LIBRPZ_TRIG_IP:
+		return (DNS_RPZ_TYPE_IP);
+	case LIBRPZ_TRIG_NSDNAME:
+		return (DNS_RPZ_TYPE_NSDNAME);
+	case LIBRPZ_TRIG_NSIP:
+		return (DNS_RPZ_TYPE_NSIP);
+	}
+}
+
+/*
+ * Convert a classic BIND9 RPZ rewrite or trigger type to a librpz trigger type.
+ */
+librpz_trig_t
+dns_dnsrps_type2trig(dns_rpz_type_t type) {
+	switch (type) {
+	case DNS_RPZ_TYPE_BAD:
+	default:
+		return (LIBRPZ_TRIG_BAD);
+	case DNS_RPZ_TYPE_CLIENT_IP:
+		return (LIBRPZ_TRIG_CLIENT_IP);
+	case DNS_RPZ_TYPE_QNAME:
+		return (LIBRPZ_TRIG_QNAME);
+	case DNS_RPZ_TYPE_IP:
+		return (LIBRPZ_TRIG_IP);
+	case DNS_RPZ_TYPE_NSDNAME:
+		return (LIBRPZ_TRIG_NSDNAME);
+	case DNS_RPZ_TYPE_NSIP:
+		return (LIBRPZ_TRIG_NSIP);
+	}
+}
+
+static void
+rpsdb_attach(dns_db_t *source, dns_db_t **targetp) {
+	rpsdb_t *rpsdb = (rpsdb_t *)source;
+
+	REQUIRE(VALID_RPSDB(rpsdb));
+
+	/*
+	 * Use a simple count because only one thread uses any single rpsdb_t
+	 */
+	++rpsdb->ref_cnt;
+	*targetp = source;
+}
+
+static void
+rpsdb_detach(dns_db_t **dbp) {
+	rpsdb_t *rpsdb = (rpsdb_t *)*dbp;
+
+	REQUIRE(VALID_RPSDB(rpsdb));
+	REQUIRE(rpsdb->ref_cnt > 0);
+
+	*dbp = NULL;
+
+	/*
+	 * Simple count because only one thread uses a rpsdb_t.
+	 */
+	if (--rpsdb->ref_cnt != 0) {
+		return;
+	}
+
+	librpz->rsp_detach(&rpsdb->rsp);
+	rpsdb->common.impmagic = 0;
+	isc_mem_putanddetach(&rpsdb->common.mctx, rpsdb, sizeof(*rpsdb));
+}
+
+static void
+rpsdb_attachnode(dns_db_t *db, dns_dbnode_t *source, dns_dbnode_t **targetp) {
+	rpsdb_t *rpsdb = (rpsdb_t *)db;
+
+	REQUIRE(VALID_RPSDB(rpsdb));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+	REQUIRE(source == &rpsdb->origin_node || source == &rpsdb->data_node);
+
+	/*
+	 * Simple count because only one thread uses a rpsdb_t.
+	 */
+	++rpsdb->ref_cnt;
+	*targetp = source;
+}
+
+static void
+rpsdb_detachnode(dns_db_t *db, dns_dbnode_t **targetp) {
+	rpsdb_t *rpsdb = (rpsdb_t *)db;
+
+	REQUIRE(VALID_RPSDB(rpsdb));
+	REQUIRE(*targetp == &rpsdb->origin_node ||
+		*targetp == &rpsdb->data_node);
+
+	*targetp = NULL;
+	rpsdb_detach(&db);
+}
+
+static isc_result_t
+rpsdb_findnode(dns_db_t *db, const dns_name_t *name, bool create,
+	       dns_dbnode_t **nodep) {
+	rpsdb_t *rpsdb = (rpsdb_t *)db;
+	dns_db_t *dbp;
+
+	REQUIRE(VALID_RPSDB(rpsdb));
+	REQUIRE(nodep != NULL && *nodep == NULL);
+	REQUIRE(!create);
+
+	/*
+	 * A fake/shim rpsdb has two nodes.
+	 * One is the origin to support query_addsoa() in bin/named/query.c.
+	 * The other contains rewritten RRs.
+	 */
+	if (dns_name_equal(name, &db->origin)) {
+		*nodep = &rpsdb->origin_node;
+	} else {
+		*nodep = &rpsdb->data_node;
+	}
+	dbp = NULL;
+	rpsdb_attach(db, &dbp);
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+rpsdb_bind_rdataset(dns_rdataset_t *rdataset, uint count, librpz_idx_t next_rr,
+		    dns_rdatatype_t type, uint16_t class, uint32_t ttl,
+		    rpsdb_t *rpsdb) {
+	dns_db_t *dbp;
+
+	INSIST(rdataset->methods == NULL); /* We must be disassociated. */
+	REQUIRE(type != dns_rdatatype_none);
+
+	rdataset->methods = &rpsdb_rdataset_methods;
+	rdataset->rdclass = class;
+	rdataset->type = type;
+	rdataset->ttl = ttl;
+	dbp = NULL;
+	dns_db_attach(&rpsdb->common, &dbp);
+	RD_DB(rdataset) = dbp;
+	RD_COUNT(rdataset) = count;
+	RD_NEXT_RR(rdataset) = next_rr;
+	RD_CUR_RR(rdataset) = NULL;
+}
+
+static isc_result_t
+rpsdb_bind_soa(dns_rdataset_t *rdataset, rpsdb_t *rpsdb) {
+	uint32_t ttl;
+	librpz_emsg_t emsg;
+
+	if (!librpz->rsp_soa(&emsg, &ttl, NULL, NULL, &rpsdb->result,
+			     rpsdb->rsp))
+	{
+		librpz->log(LIBRPZ_LOG_ERROR, NULL, "%s", emsg.c);
+		return (DNS_R_SERVFAIL);
+	}
+	rpsdb_bind_rdataset(rdataset, 1, LIBRPZ_IDX_BAD, dns_rdatatype_soa,
+			    dns_rdataclass_in, ttl, rpsdb);
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Forge an rdataset of the desired type from a librpz result.
+ * This is written for simplicity instead of speed, because RPZ rewriting
+ * should be rare compared to normal BIND operations.
+ */
+static isc_result_t
+rpsdb_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+		   dns_rdatatype_t type, dns_rdatatype_t covers,
+		   isc_stdtime_t now, dns_rdataset_t *rdataset,
+		   dns_rdataset_t *sigrdataset) {
+	rpsdb_t *rpsdb = (rpsdb_t *)db;
+	dns_rdatatype_t foundtype;
+	dns_rdataclass_t class;
+	uint32_t ttl;
+	uint count;
+	librpz_emsg_t emsg;
+
+	UNUSED(version);
+	UNUSED(covers);
+	UNUSED(now);
+	UNUSED(sigrdataset);
+
+	REQUIRE(VALID_RPSDB(rpsdb));
+
+	if (node == &rpsdb->origin_node) {
+		if (type == dns_rdatatype_any) {
+			return (ISC_R_SUCCESS);
+		}
+		if (type == dns_rdatatype_soa) {
+			return (rpsdb_bind_soa(rdataset, rpsdb));
+		}
+		return (DNS_R_NXRRSET);
+	}
+
+	REQUIRE(node == &rpsdb->data_node);
+
+	switch (rpsdb->result.policy) {
+	case LIBRPZ_POLICY_UNDEFINED:
+	case LIBRPZ_POLICY_DELETED:
+	case LIBRPZ_POLICY_PASSTHRU:
+	case LIBRPZ_POLICY_DROP:
+	case LIBRPZ_POLICY_TCP_ONLY:
+	case LIBRPZ_POLICY_GIVEN:
+	case LIBRPZ_POLICY_DISABLED:
+	default:
+		librpz->log(LIBRPZ_LOG_ERROR, NULL,
+			    "impossible dnsrps policy %d at %s:%d",
+			    rpsdb->result.policy, __FILE__, __LINE__);
+		return (DNS_R_SERVFAIL);
+
+	case LIBRPZ_POLICY_NXDOMAIN:
+		return (DNS_R_NXDOMAIN);
+
+	case LIBRPZ_POLICY_NODATA:
+		return (DNS_R_NXRRSET);
+
+	case LIBRPZ_POLICY_RECORD:
+	case LIBRPZ_POLICY_CNAME:
+		break;
+	}
+
+	if (type == dns_rdatatype_soa) {
+		return (rpsdb_bind_soa(rdataset, rpsdb));
+	}
+
+	/*
+	 * There is little to do for an ANY query.
+	 */
+	if (type == dns_rdatatype_any) {
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * Reset to the start of the RRs.
+	 * This function is only used after a policy has been chosen,
+	 * and so without caring whether it is after recursion.
+	 */
+	if (!librpz->rsp_result(&emsg, &rpsdb->result, true, rpsdb->rsp)) {
+		librpz->log(LIBRPZ_LOG_ERROR, NULL, "%s", emsg.c);
+		return (DNS_R_SERVFAIL);
+	}
+	if (!librpz->rsp_rr(&emsg, &foundtype, &class, &ttl, NULL,
+			    &rpsdb->result, rpsdb->qname->ndata,
+			    rpsdb->qname->length, rpsdb->rsp))
+	{
+		librpz->log(LIBRPZ_LOG_ERROR, NULL, "%s", emsg.c);
+		return (DNS_R_SERVFAIL);
+	}
+	REQUIRE(foundtype != dns_rdatatype_none);
+
+	/*
+	 * Ho many of the target RR type are available?
+	 */
+	count = 0;
+	do {
+		if (type == foundtype || type == dns_rdatatype_any) {
+			++count;
+		}
+
+		if (!librpz->rsp_rr(&emsg, &foundtype, NULL, NULL, NULL,
+				    &rpsdb->result, rpsdb->qname->ndata,
+				    rpsdb->qname->length, rpsdb->rsp))
+		{
+			librpz->log(LIBRPZ_LOG_ERROR, NULL, "%s", emsg.c);
+			return (DNS_R_SERVFAIL);
+		}
+	} while (foundtype != dns_rdatatype_none);
+	if (count == 0) {
+		return (DNS_R_NXRRSET);
+	}
+	rpsdb_bind_rdataset(rdataset, count, rpsdb->result.next_rr, type, class,
+			    ttl, rpsdb);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+rpsdb_finddb(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version,
+	     dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
+	     dns_dbnode_t **nodep, dns_name_t *foundname,
+	     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) {
+	dns_dbnode_t *node;
+
+	UNUSED(version);
+	UNUSED(options);
+	UNUSED(now);
+	UNUSED(sigrdataset);
+
+	if (nodep == NULL) {
+		node = NULL;
+		nodep = &node;
+	}
+	rpsdb_findnode(db, name, false, nodep);
+	dns_name_copynf(name, foundname);
+	return (rpsdb_findrdataset(db, *nodep, NULL, type, 0, 0, rdataset,
+				   sigrdataset));
+}
+
+static isc_result_t
+rpsdb_allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+		   unsigned int options, isc_stdtime_t now,
+		   dns_rdatasetiter_t **iteratorp) {
+	rpsdb_t *rpsdb = (rpsdb_t *)db;
+	rpsdb_rdatasetiter_t *rpsdb_iter;
+
+	UNUSED(version);
+	UNUSED(now);
+
+	REQUIRE(VALID_RPSDB(rpsdb));
+	REQUIRE(node == &rpsdb->origin_node || node == &rpsdb->data_node);
+
+	rpsdb_iter = isc_mem_get(rpsdb->common.mctx, sizeof(*rpsdb_iter));
+
+	memset(rpsdb_iter, 0, sizeof(*rpsdb_iter));
+	rpsdb_iter->common.magic = DNS_RDATASETITER_MAGIC;
+	rpsdb_iter->common.methods = &rpsdb_rdatasetiter_methods;
+	rpsdb_iter->common.db = db;
+	rpsdb_iter->common.options = options;
+	rpsdb_attachnode(db, node, &rpsdb_iter->common.node);
+
+	*iteratorp = &rpsdb_iter->common;
+
+	return (ISC_R_SUCCESS);
+}
+
+static bool
+rpsdb_issecure(dns_db_t *db) {
+	UNUSED(db);
+
+	return (false);
+}
+
+static isc_result_t
+rpsdb_getoriginnode(dns_db_t *db, dns_dbnode_t **nodep) {
+	rpsdb_t *rpsdb = (rpsdb_t *)db;
+
+	REQUIRE(VALID_RPSDB(rpsdb));
+	REQUIRE(nodep != NULL && *nodep == NULL);
+
+	rpsdb_attachnode(db, &rpsdb->origin_node, nodep);
+	return (ISC_R_SUCCESS);
+}
+
+static void
+rpsdb_rdataset_disassociate(dns_rdataset_t *rdataset) {
+	dns_db_t *db;
+
+	/*
+	 * Detach the last RR delivered.
+	 */
+	if (RD_CUR_RR(rdataset) != NULL) {
+		free(RD_CUR_RR(rdataset));
+		RD_CUR_RR(rdataset) = NULL;
+	}
+
+	db = RD_DB(rdataset);
+	RD_DB(rdataset) = NULL;
+	dns_db_detach(&db);
+}
+
+static isc_result_t
+rpsdb_rdataset_next(dns_rdataset_t *rdataset) {
+	rpsdb_t *rpsdb;
+	uint16_t type;
+	dns_rdataclass_t class;
+	librpz_rr_t *rr;
+	librpz_emsg_t emsg;
+
+	rpsdb = RD_DB(rdataset);
+
+	/*
+	 * Detach the previous RR.
+	 */
+	if (RD_CUR_RR(rdataset) != NULL) {
+		free(RD_CUR_RR(rdataset));
+		RD_CUR_RR(rdataset) = NULL;
+	}
+
+	/*
+	 * Get the next RR of the specified type.
+	 * SOAs differ.
+	 */
+	if (rdataset->type == dns_rdatatype_soa) {
+		if (RD_NEXT_RR(rdataset) == LIBRPZ_IDX_NULL) {
+			return (ISC_R_NOMORE);
+		}
+		RD_NEXT_RR(rdataset) = LIBRPZ_IDX_NULL;
+		if (!librpz->rsp_soa(&emsg, NULL, &rr, NULL, &rpsdb->result,
+				     rpsdb->rsp))
+		{
+			librpz->log(LIBRPZ_LOG_ERROR, NULL, "%s", emsg.c);
+			return (DNS_R_SERVFAIL);
+		}
+		RD_CUR_RR(rdataset) = rr;
+		return (ISC_R_SUCCESS);
+	}
+
+	rpsdb->result.next_rr = RD_NEXT_RR(rdataset);
+	for (;;) {
+		if (!librpz->rsp_rr(&emsg, &type, &class, NULL, &rr,
+				    &rpsdb->result, rpsdb->qname->ndata,
+				    rpsdb->qname->length, rpsdb->rsp))
+		{
+			librpz->log(LIBRPZ_LOG_ERROR, NULL, "%s", emsg.c);
+			return (DNS_R_SERVFAIL);
+		}
+		if (rdataset->type == type && rdataset->rdclass == class) {
+			RD_CUR_RR(rdataset) = rr;
+			RD_NEXT_RR(rdataset) = rpsdb->result.next_rr;
+			return (ISC_R_SUCCESS);
+		}
+		if (type == dns_rdatatype_none) {
+			return (ISC_R_NOMORE);
+		}
+		free(rr);
+	}
+}
+
+static isc_result_t
+rpsdb_rdataset_first(dns_rdataset_t *rdataset) {
+	rpsdb_t *rpsdb;
+	librpz_emsg_t emsg;
+
+	rpsdb = RD_DB(rdataset);
+	REQUIRE(VALID_RPSDB(rpsdb));
+
+	if (RD_CUR_RR(rdataset) != NULL) {
+		free(RD_CUR_RR(rdataset));
+		RD_CUR_RR(rdataset) = NULL;
+	}
+
+	if (!librpz->rsp_result(&emsg, &rpsdb->result, true, rpsdb->rsp)) {
+		librpz->log(LIBRPZ_LOG_ERROR, NULL, "%s", emsg.c);
+		return (DNS_R_SERVFAIL);
+	}
+	if (rdataset->type == dns_rdatatype_soa) {
+		RD_NEXT_RR(rdataset) = LIBRPZ_IDX_BAD;
+	} else {
+		RD_NEXT_RR(rdataset) = rpsdb->result.next_rr;
+	}
+
+	return (rpsdb_rdataset_next(rdataset));
+}
+
+static void
+rpsdb_rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
+	rpsdb_t *rpsdb;
+	librpz_rr_t *rr;
+	isc_region_t r;
+
+	rpsdb = RD_DB(rdataset);
+	REQUIRE(VALID_RPSDB(rpsdb));
+	rr = RD_CUR_RR(rdataset);
+	REQUIRE(rr != NULL);
+
+	r.length = ntohs(rr->rdlength);
+	r.base = rr->rdata;
+	dns_rdata_fromregion(rdata, ntohs(rr->class), ntohs(rr->type), &r);
+}
+
+static void
+rpsdb_rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
+	rpsdb_t *rpsdb;
+	dns_db_t *dbp;
+
+	INSIST(!ISC_LINK_LINKED(target, link));
+	*target = *source;
+	ISC_LINK_INIT(target, link);
+	rpsdb = RD_DB(source);
+	REQUIRE(VALID_RPSDB(rpsdb));
+	dbp = NULL;
+	dns_db_attach(&rpsdb->common, &dbp);
+	RD_DB(target) = dbp;
+	RD_CUR_RR(target) = NULL;
+	RD_NEXT_RR(target) = LIBRPZ_IDX_NULL;
+}
+
+static unsigned int
+rpsdb_rdataset_count(dns_rdataset_t *rdataset) {
+	rpsdb_t *rpsdb;
+
+	rpsdb = RD_DB(rdataset);
+	REQUIRE(VALID_RPSDB(rpsdb));
+
+	return (RD_COUNT(rdataset));
+}
+
+static void
+rpsdb_rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp) {
+	rpsdb_t *rpsdb;
+	dns_rdatasetiter_t *iterator;
+	isc_mem_t *mctx;
+
+	iterator = *iteratorp;
+	*iteratorp = NULL;
+	rpsdb = (rpsdb_t *)iterator->db;
+	REQUIRE(VALID_RPSDB(rpsdb));
+
+	mctx = iterator->db->mctx;
+	dns_db_detachnode(iterator->db, &iterator->node);
+	isc_mem_put(mctx, iterator, sizeof(rpsdb_rdatasetiter_t));
+}
+
+static isc_result_t
+rpsdb_rdatasetiter_next(dns_rdatasetiter_t *iter) {
+	rpsdb_t *rpsdb;
+	rpsdb_rdatasetiter_t *rpsdb_iter;
+	dns_rdatatype_t next_type, type;
+	dns_rdataclass_t next_class, class;
+	uint32_t ttl;
+	librpz_emsg_t emsg;
+
+	rpsdb = (rpsdb_t *)iter->db;
+	REQUIRE(VALID_RPSDB(rpsdb));
+	rpsdb_iter = (rpsdb_rdatasetiter_t *)iter;
+
+	/*
+	 * This function is only used after a policy has been chosen,
+	 * and so without caring whether it is after recursion.
+	 */
+	if (!librpz->rsp_result(&emsg, &rpsdb->result, true, rpsdb->rsp)) {
+		librpz->log(LIBRPZ_LOG_ERROR, NULL, "%s", emsg.c);
+		return (DNS_R_SERVFAIL);
+	}
+	/*
+	 * Find the next class and type after the current class and type
+	 * among the RRs in current result.
+	 * As a side effect, count the number of those RRs.
+	 */
+	rpsdb_iter->count = 0;
+	next_class = dns_rdataclass_reserved0;
+	next_type = dns_rdatatype_none;
+	for (;;) {
+		if (!librpz->rsp_rr(&emsg, &type, &class, &ttl, NULL,
+				    &rpsdb->result, rpsdb->qname->ndata,
+				    rpsdb->qname->length, rpsdb->rsp))
+		{
+			librpz->log(LIBRPZ_LOG_ERROR, NULL, "%s", emsg.c);
+			return (DNS_R_SERVFAIL);
+		}
+		if (type == dns_rdatatype_none) {
+			if (next_type == dns_rdatatype_none) {
+				return (ISC_R_NOMORE);
+			}
+			rpsdb_iter->type = next_type;
+			rpsdb_iter->class = next_class;
+			return (ISC_R_SUCCESS);
+		}
+		/*
+		 * Skip RRs with the current class and type or before.
+		 */
+		if (rpsdb_iter->class > class ||
+		    (rpsdb_iter->class = class && rpsdb_iter->type >= type))
+		{
+			continue;
+		}
+		if (next_type == dns_rdatatype_none || next_class > class ||
+		    (next_class == class && next_type > type))
+		{
+			/*
+			 * This is the first of a subsequent class and type.
+			 */
+			next_type = type;
+			next_class = class;
+			rpsdb_iter->ttl = ttl;
+			rpsdb_iter->count = 1;
+			rpsdb_iter->next_rr = rpsdb->result.next_rr;
+		} else if (next_type == type && next_class == class) {
+			++rpsdb_iter->count;
+		}
+	}
+}
+
+static isc_result_t
+rpsdb_rdatasetiter_first(dns_rdatasetiter_t *iterator) {
+	rpsdb_t *rpsdb;
+	rpsdb_rdatasetiter_t *rpsdb_iter;
+
+	rpsdb = (rpsdb_t *)iterator->db;
+	REQUIRE(VALID_RPSDB(rpsdb));
+	rpsdb_iter = (rpsdb_rdatasetiter_t *)iterator;
+
+	rpsdb_iter->type = dns_rdatatype_none;
+	rpsdb_iter->class = dns_rdataclass_reserved0;
+	return (rpsdb_rdatasetiter_next(iterator));
+}
+
+static void
+rpsdb_rdatasetiter_current(dns_rdatasetiter_t *iterator,
+			   dns_rdataset_t *rdataset) {
+	rpsdb_t *rpsdb;
+	rpsdb_rdatasetiter_t *rpsdb_iter;
+
+	rpsdb = (rpsdb_t *)iterator->db;
+	REQUIRE(VALID_RPSDB(rpsdb));
+	rpsdb_iter = (rpsdb_rdatasetiter_t *)iterator;
+	REQUIRE(rpsdb_iter->type != dns_rdatatype_none);
+
+	rpsdb_bind_rdataset(rdataset, rpsdb_iter->count, rpsdb_iter->next_rr,
+			    rpsdb_iter->type, rpsdb_iter->class,
+			    rpsdb_iter->ttl, rpsdb);
+}
+
+static dns_dbmethods_t rpsdb_db_methods = {
+	rpsdb_attach,
+	rpsdb_detach,
+	NULL, /* beginload */
+	NULL, /* endload */
+	NULL, /* serialize */
+	NULL, /* dump */
+	NULL, /* currentversion */
+	NULL, /* newversion */
+	NULL, /* attachversion */
+	NULL, /* closeversion */
+	rpsdb_findnode,
+	rpsdb_finddb,
+	NULL, /* findzonecut*/
+	rpsdb_attachnode,
+	rpsdb_detachnode,
+	NULL, /* expirenode */
+	NULL, /* printnode */
+	NULL, /* createiterator */
+	rpsdb_findrdataset,
+	rpsdb_allrdatasets,
+	NULL, /* addrdataset */
+	NULL, /* subtractrdataset */
+	NULL, /* deleterdataset */
+	rpsdb_issecure,
+	NULL, /* nodecount */
+	NULL, /* ispersistent */
+	NULL, /* overmem */
+	NULL, /* settask */
+	rpsdb_getoriginnode,
+	NULL, /* transfernode */
+	NULL, /* getnsec3parameters */
+	NULL, /* findnsec3node */
+	NULL, /* setsigningtime */
+	NULL, /* getsigningtime */
+	NULL, /* resigned */
+	NULL, /* isdnssec */
+	NULL, /* getrrsetstats */
+	NULL, /* rpz_attach */
+	NULL, /* rpz_ready */
+	NULL, /* findnodeext */
+	NULL, /* findext */
+	NULL, /* setcachestats */
+	NULL, /* hashsize */
+	NULL, /* nodefullname */
+	NULL, /* getsize */
+	NULL, /* setservestalettl */
+	NULL, /* getservestalettl */
+	NULL, /* setservestalerefresh */
+	NULL, /* getservestalerefresh */
+	NULL, /* setgluecachestats */
+	NULL  /* adjusthashsize */
+};
+
+static dns_rdatasetmethods_t rpsdb_rdataset_methods = {
+	rpsdb_rdataset_disassociate,
+	rpsdb_rdataset_first,
+	rpsdb_rdataset_next,
+	rpsdb_rdataset_current,
+	rpsdb_rdataset_clone,
+	rpsdb_rdataset_count,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL
+};
+
+static dns_rdatasetitermethods_t rpsdb_rdatasetiter_methods = {
+	rpsdb_rdatasetiter_destroy, rpsdb_rdatasetiter_first,
+	rpsdb_rdatasetiter_next, rpsdb_rdatasetiter_current
+};
+
+#endif /* USE_DNSRPS */
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
new file mode 100644
index 0000000..17ee8bd
--- /dev/null
+++ b/lib/dns/dnssec.c
@@ -0,0 +1,2522 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <ctype.h>
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/dir.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/serial.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <pk11/site.h>
+
+#include <dns/db.h>
+#include <dns/diff.h>
+#include <dns/dnssec.h>
+#include <dns/fixedname.h>
+#include <dns/kasp.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/message.h>
+#include <dns/rdata.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/result.h>
+#include <dns/stats.h>
+#include <dns/tsig.h> /* for DNS_TSIG_FUDGE */
+
+#include <dst/result.h>
+
+LIBDNS_EXTERNAL_DATA isc_stats_t *dns_dnssec_stats;
+
+#define is_response(msg) ((msg->flags & DNS_MESSAGEFLAG_QR) != 0)
+
+#define RETERR(x)                            \
+	do {                                 \
+		result = (x);                \
+		if (result != ISC_R_SUCCESS) \
+			goto failure;        \
+	} while (0)
+
+#define TYPE_SIGN   0
+#define TYPE_VERIFY 1
+
+static isc_result_t
+digest_callback(void *arg, isc_region_t *data);
+
+static int
+rdata_compare_wrapper(const void *rdata1, const void *rdata2);
+
+static isc_result_t
+rdataset_to_sortedarray(dns_rdataset_t *set, isc_mem_t *mctx,
+			dns_rdata_t **rdata, int *nrdata);
+
+static isc_result_t
+digest_callback(void *arg, isc_region_t *data) {
+	dst_context_t *ctx = arg;
+
+	return (dst_context_adddata(ctx, data));
+}
+
+static void
+inc_stat(isc_statscounter_t counter) {
+	if (dns_dnssec_stats != NULL) {
+		isc_stats_increment(dns_dnssec_stats, counter);
+	}
+}
+
+/*
+ * Make qsort happy.
+ */
+static int
+rdata_compare_wrapper(const void *rdata1, const void *rdata2) {
+	return (dns_rdata_compare((const dns_rdata_t *)rdata1,
+				  (const dns_rdata_t *)rdata2));
+}
+
+/*
+ * Sort the rdataset into an array.
+ */
+static isc_result_t
+rdataset_to_sortedarray(dns_rdataset_t *set, isc_mem_t *mctx,
+			dns_rdata_t **rdata, int *nrdata) {
+	isc_result_t ret;
+	int i = 0, n;
+	dns_rdata_t *data;
+	dns_rdataset_t rdataset;
+
+	n = dns_rdataset_count(set);
+
+	data = isc_mem_get(mctx, n * sizeof(dns_rdata_t));
+
+	dns_rdataset_init(&rdataset);
+	dns_rdataset_clone(set, &rdataset);
+	ret = dns_rdataset_first(&rdataset);
+	if (ret != ISC_R_SUCCESS) {
+		dns_rdataset_disassociate(&rdataset);
+		isc_mem_put(mctx, data, n * sizeof(dns_rdata_t));
+		return (ret);
+	}
+
+	/*
+	 * Put them in the array.
+	 */
+	do {
+		dns_rdata_init(&data[i]);
+		dns_rdataset_current(&rdataset, &data[i++]);
+	} while (dns_rdataset_next(&rdataset) == ISC_R_SUCCESS);
+
+	/*
+	 * Sort the array.
+	 */
+	qsort(data, n, sizeof(dns_rdata_t), rdata_compare_wrapper);
+	*rdata = data;
+	*nrdata = n;
+	dns_rdataset_disassociate(&rdataset);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_dnssec_keyfromrdata(const dns_name_t *name, const dns_rdata_t *rdata,
+			isc_mem_t *mctx, dst_key_t **key) {
+	isc_buffer_t b;
+	isc_region_t r;
+
+	INSIST(name != NULL);
+	INSIST(rdata != NULL);
+	INSIST(mctx != NULL);
+	INSIST(key != NULL);
+	INSIST(*key == NULL);
+	REQUIRE(rdata->type == dns_rdatatype_key ||
+		rdata->type == dns_rdatatype_dnskey);
+
+	dns_rdata_toregion(rdata, &r);
+	isc_buffer_init(&b, r.base, r.length);
+	isc_buffer_add(&b, r.length);
+	return (dst_key_fromdns(name, rdata->rdclass, &b, mctx, key));
+}
+
+static isc_result_t
+digest_sig(dst_context_t *ctx, bool downcase, dns_rdata_t *sigrdata,
+	   dns_rdata_rrsig_t *rrsig) {
+	isc_region_t r;
+	isc_result_t ret;
+	dns_fixedname_t fname;
+
+	dns_rdata_toregion(sigrdata, &r);
+	INSIST(r.length >= 19);
+
+	r.length = 18;
+	ret = dst_context_adddata(ctx, &r);
+	if (ret != ISC_R_SUCCESS) {
+		return (ret);
+	}
+	if (downcase) {
+		dns_fixedname_init(&fname);
+
+		RUNTIME_CHECK(dns_name_downcase(&rrsig->signer,
+						dns_fixedname_name(&fname),
+						NULL) == ISC_R_SUCCESS);
+		dns_name_toregion(dns_fixedname_name(&fname), &r);
+	} else {
+		dns_name_toregion(&rrsig->signer, &r);
+	}
+
+	return (dst_context_adddata(ctx, &r));
+}
+
+isc_result_t
+dns_dnssec_sign(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
+		isc_stdtime_t *inception, isc_stdtime_t *expire,
+		isc_mem_t *mctx, isc_buffer_t *buffer, dns_rdata_t *sigrdata) {
+	dns_rdata_rrsig_t sig;
+	dns_rdata_t tmpsigrdata;
+	dns_rdata_t *rdatas;
+	int nrdatas, i;
+	isc_buffer_t sigbuf, envbuf;
+	isc_region_t r;
+	dst_context_t *ctx = NULL;
+	isc_result_t ret;
+	isc_buffer_t *databuf = NULL;
+	char data[256 + 8];
+	uint32_t flags;
+	unsigned int sigsize;
+	dns_fixedname_t fnewname;
+	dns_fixedname_t fsigner;
+
+	REQUIRE(name != NULL);
+	REQUIRE(dns_name_countlabels(name) <= 255);
+	REQUIRE(set != NULL);
+	REQUIRE(key != NULL);
+	REQUIRE(inception != NULL);
+	REQUIRE(expire != NULL);
+	REQUIRE(mctx != NULL);
+	REQUIRE(sigrdata != NULL);
+
+	if (*inception >= *expire) {
+		return (DNS_R_INVALIDTIME);
+	}
+
+	/*
+	 * Is the key allowed to sign data?
+	 */
+	flags = dst_key_flags(key);
+	if ((flags & DNS_KEYTYPE_NOAUTH) != 0) {
+		return (DNS_R_KEYUNAUTHORIZED);
+	}
+	if ((flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE) {
+		return (DNS_R_KEYUNAUTHORIZED);
+	}
+
+	sig.mctx = mctx;
+	sig.common.rdclass = set->rdclass;
+	sig.common.rdtype = dns_rdatatype_rrsig;
+	ISC_LINK_INIT(&sig.common, link);
+
+	/*
+	 * Downcase signer.
+	 */
+	dns_name_init(&sig.signer, NULL);
+	dns_fixedname_init(&fsigner);
+	RUNTIME_CHECK(dns_name_downcase(dst_key_name(key),
+					dns_fixedname_name(&fsigner),
+					NULL) == ISC_R_SUCCESS);
+	dns_name_clone(dns_fixedname_name(&fsigner), &sig.signer);
+
+	sig.covered = set->type;
+	sig.algorithm = dst_key_alg(key);
+	sig.labels = dns_name_countlabels(name) - 1;
+	if (dns_name_iswildcard(name)) {
+		sig.labels--;
+	}
+	sig.originalttl = set->ttl;
+	sig.timesigned = *inception;
+	sig.timeexpire = *expire;
+	sig.keyid = dst_key_id(key);
+	ret = dst_key_sigsize(key, &sigsize);
+	if (ret != ISC_R_SUCCESS) {
+		return (ret);
+	}
+	sig.siglen = sigsize;
+	/*
+	 * The actual contents of sig.signature are not important yet, since
+	 * they're not used in digest_sig().
+	 */
+	sig.signature = isc_mem_get(mctx, sig.siglen);
+
+	isc_buffer_allocate(mctx, &databuf, sigsize + 256 + 18);
+
+	dns_rdata_init(&tmpsigrdata);
+	ret = dns_rdata_fromstruct(&tmpsigrdata, sig.common.rdclass,
+				   sig.common.rdtype, &sig, databuf);
+	if (ret != ISC_R_SUCCESS) {
+		goto cleanup_databuf;
+	}
+
+	ret = dst_context_create(key, mctx, DNS_LOGCATEGORY_DNSSEC, true, 0,
+				 &ctx);
+	if (ret != ISC_R_SUCCESS) {
+		goto cleanup_databuf;
+	}
+
+	/*
+	 * Digest the SIG rdata.
+	 */
+	ret = digest_sig(ctx, false, &tmpsigrdata, &sig);
+	if (ret != ISC_R_SUCCESS) {
+		goto cleanup_context;
+	}
+
+	dns_fixedname_init(&fnewname);
+	RUNTIME_CHECK(dns_name_downcase(name, dns_fixedname_name(&fnewname),
+					NULL) == ISC_R_SUCCESS);
+	dns_name_toregion(dns_fixedname_name(&fnewname), &r);
+
+	/*
+	 * Create an envelope for each rdata: <name|type|class|ttl>.
+	 */
+	isc_buffer_init(&envbuf, data, sizeof(data));
+	memmove(data, r.base, r.length);
+	isc_buffer_add(&envbuf, r.length);
+	isc_buffer_putuint16(&envbuf, set->type);
+	isc_buffer_putuint16(&envbuf, set->rdclass);
+	isc_buffer_putuint32(&envbuf, set->ttl);
+
+	ret = rdataset_to_sortedarray(set, mctx, &rdatas, &nrdatas);
+	if (ret != ISC_R_SUCCESS) {
+		goto cleanup_context;
+	}
+	isc_buffer_usedregion(&envbuf, &r);
+
+	for (i = 0; i < nrdatas; i++) {
+		uint16_t len;
+		isc_buffer_t lenbuf;
+		isc_region_t lenr;
+
+		/*
+		 * Skip duplicates.
+		 */
+		if (i > 0 && dns_rdata_compare(&rdatas[i], &rdatas[i - 1]) == 0)
+		{
+			continue;
+		}
+
+		/*
+		 * Digest the envelope.
+		 */
+		ret = dst_context_adddata(ctx, &r);
+		if (ret != ISC_R_SUCCESS) {
+			goto cleanup_array;
+		}
+
+		/*
+		 * Digest the length of the rdata.
+		 */
+		isc_buffer_init(&lenbuf, &len, sizeof(len));
+		INSIST(rdatas[i].length < 65536);
+		isc_buffer_putuint16(&lenbuf, (uint16_t)rdatas[i].length);
+		isc_buffer_usedregion(&lenbuf, &lenr);
+		ret = dst_context_adddata(ctx, &lenr);
+		if (ret != ISC_R_SUCCESS) {
+			goto cleanup_array;
+		}
+
+		/*
+		 * Digest the rdata.
+		 */
+		ret = dns_rdata_digest(&rdatas[i], digest_callback, ctx);
+		if (ret != ISC_R_SUCCESS) {
+			goto cleanup_array;
+		}
+	}
+
+	isc_buffer_init(&sigbuf, sig.signature, sig.siglen);
+	ret = dst_context_sign(ctx, &sigbuf);
+	if (ret != ISC_R_SUCCESS) {
+		goto cleanup_array;
+	}
+	isc_buffer_usedregion(&sigbuf, &r);
+	if (r.length != sig.siglen) {
+		ret = ISC_R_NOSPACE;
+		goto cleanup_array;
+	}
+
+	ret = dns_rdata_fromstruct(sigrdata, sig.common.rdclass,
+				   sig.common.rdtype, &sig, buffer);
+
+cleanup_array:
+	isc_mem_put(mctx, rdatas, nrdatas * sizeof(dns_rdata_t));
+cleanup_context:
+	dst_context_destroy(&ctx);
+cleanup_databuf:
+	isc_buffer_free(&databuf);
+	isc_mem_put(mctx, sig.signature, sig.siglen);
+
+	return (ret);
+}
+
+isc_result_t
+dns_dnssec_verify(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
+		  bool ignoretime, unsigned int maxbits, isc_mem_t *mctx,
+		  dns_rdata_t *sigrdata, dns_name_t *wild) {
+	dns_rdata_rrsig_t sig;
+	dns_fixedname_t fnewname;
+	isc_region_t r;
+	isc_buffer_t envbuf;
+	dns_rdata_t *rdatas;
+	int nrdatas, i;
+	isc_stdtime_t now;
+	isc_result_t ret;
+	unsigned char data[300];
+	dst_context_t *ctx = NULL;
+	int labels = 0;
+	uint32_t flags;
+	bool downcase = false;
+
+	REQUIRE(name != NULL);
+	REQUIRE(set != NULL);
+	REQUIRE(key != NULL);
+	REQUIRE(mctx != NULL);
+	REQUIRE(sigrdata != NULL && sigrdata->type == dns_rdatatype_rrsig);
+
+	ret = dns_rdata_tostruct(sigrdata, &sig, NULL);
+	if (ret != ISC_R_SUCCESS) {
+		return (ret);
+	}
+
+	if (set->type != sig.covered) {
+		return (DNS_R_SIGINVALID);
+	}
+
+	if (isc_serial_lt(sig.timeexpire, sig.timesigned)) {
+		inc_stat(dns_dnssecstats_fail);
+		return (DNS_R_SIGINVALID);
+	}
+
+	if (!ignoretime) {
+		isc_stdtime_get(&now);
+
+		/*
+		 * Is SIG temporally valid?
+		 */
+		if (isc_serial_lt((uint32_t)now, sig.timesigned)) {
+			inc_stat(dns_dnssecstats_fail);
+			return (DNS_R_SIGFUTURE);
+		} else if (isc_serial_lt(sig.timeexpire, (uint32_t)now)) {
+			inc_stat(dns_dnssecstats_fail);
+			return (DNS_R_SIGEXPIRED);
+		}
+	}
+
+	/*
+	 * NS, SOA and DNSSKEY records are signed by their owner.
+	 * DS records are signed by the parent.
+	 */
+	switch (set->type) {
+	case dns_rdatatype_ns:
+	case dns_rdatatype_soa:
+	case dns_rdatatype_dnskey:
+		if (!dns_name_equal(name, &sig.signer)) {
+			inc_stat(dns_dnssecstats_fail);
+			return (DNS_R_SIGINVALID);
+		}
+		break;
+	case dns_rdatatype_ds:
+		if (dns_name_equal(name, &sig.signer)) {
+			inc_stat(dns_dnssecstats_fail);
+			return (DNS_R_SIGINVALID);
+		}
+		FALLTHROUGH;
+	default:
+		if (!dns_name_issubdomain(name, &sig.signer)) {
+			inc_stat(dns_dnssecstats_fail);
+			return (DNS_R_SIGINVALID);
+		}
+		break;
+	}
+
+	/*
+	 * Is the key allowed to sign data?
+	 */
+	flags = dst_key_flags(key);
+	if ((flags & DNS_KEYTYPE_NOAUTH) != 0) {
+		inc_stat(dns_dnssecstats_fail);
+		return (DNS_R_KEYUNAUTHORIZED);
+	}
+	if ((flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE) {
+		inc_stat(dns_dnssecstats_fail);
+		return (DNS_R_KEYUNAUTHORIZED);
+	}
+
+again:
+	ret = dst_context_create(key, mctx, DNS_LOGCATEGORY_DNSSEC, false,
+				 maxbits, &ctx);
+	if (ret != ISC_R_SUCCESS) {
+		goto cleanup_struct;
+	}
+
+	/*
+	 * Digest the SIG rdata (not including the signature).
+	 */
+	ret = digest_sig(ctx, downcase, sigrdata, &sig);
+	if (ret != ISC_R_SUCCESS) {
+		goto cleanup_context;
+	}
+
+	/*
+	 * If the name is an expanded wildcard, use the wildcard name.
+	 */
+	dns_fixedname_init(&fnewname);
+	labels = dns_name_countlabels(name) - 1;
+	RUNTIME_CHECK(dns_name_downcase(name, dns_fixedname_name(&fnewname),
+					NULL) == ISC_R_SUCCESS);
+	if (labels - sig.labels > 0) {
+		dns_name_split(dns_fixedname_name(&fnewname), sig.labels + 1,
+			       NULL, dns_fixedname_name(&fnewname));
+	}
+
+	dns_name_toregion(dns_fixedname_name(&fnewname), &r);
+
+	/*
+	 * Create an envelope for each rdata: <name|type|class|ttl>.
+	 */
+	isc_buffer_init(&envbuf, data, sizeof(data));
+	if (labels - sig.labels > 0) {
+		isc_buffer_putuint8(&envbuf, 1);
+		isc_buffer_putuint8(&envbuf, '*');
+		memmove(data + 2, r.base, r.length);
+	} else {
+		memmove(data, r.base, r.length);
+	}
+	isc_buffer_add(&envbuf, r.length);
+	isc_buffer_putuint16(&envbuf, set->type);
+	isc_buffer_putuint16(&envbuf, set->rdclass);
+	isc_buffer_putuint32(&envbuf, sig.originalttl);
+
+	ret = rdataset_to_sortedarray(set, mctx, &rdatas, &nrdatas);
+	if (ret != ISC_R_SUCCESS) {
+		goto cleanup_context;
+	}
+
+	isc_buffer_usedregion(&envbuf, &r);
+
+	for (i = 0; i < nrdatas; i++) {
+		uint16_t len;
+		isc_buffer_t lenbuf;
+		isc_region_t lenr;
+
+		/*
+		 * Skip duplicates.
+		 */
+		if (i > 0 && dns_rdata_compare(&rdatas[i], &rdatas[i - 1]) == 0)
+		{
+			continue;
+		}
+
+		/*
+		 * Digest the envelope.
+		 */
+		ret = dst_context_adddata(ctx, &r);
+		if (ret != ISC_R_SUCCESS) {
+			goto cleanup_array;
+		}
+
+		/*
+		 * Digest the rdata length.
+		 */
+		isc_buffer_init(&lenbuf, &len, sizeof(len));
+		INSIST(rdatas[i].length < 65536);
+		isc_buffer_putuint16(&lenbuf, (uint16_t)rdatas[i].length);
+		isc_buffer_usedregion(&lenbuf, &lenr);
+
+		/*
+		 * Digest the rdata.
+		 */
+		ret = dst_context_adddata(ctx, &lenr);
+		if (ret != ISC_R_SUCCESS) {
+			goto cleanup_array;
+		}
+		ret = dns_rdata_digest(&rdatas[i], digest_callback, ctx);
+		if (ret != ISC_R_SUCCESS) {
+			goto cleanup_array;
+		}
+	}
+
+	r.base = sig.signature;
+	r.length = sig.siglen;
+	ret = dst_context_verify2(ctx, maxbits, &r);
+	if (ret == ISC_R_SUCCESS && downcase) {
+		char namebuf[DNS_NAME_FORMATSIZE];
+		dns_name_format(&sig.signer, namebuf, sizeof(namebuf));
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+			      DNS_LOGMODULE_DNSSEC, ISC_LOG_DEBUG(1),
+			      "successfully validated after lower casing "
+			      "signer '%s'",
+			      namebuf);
+		inc_stat(dns_dnssecstats_downcase);
+	} else if (ret == ISC_R_SUCCESS) {
+		inc_stat(dns_dnssecstats_asis);
+	}
+
+cleanup_array:
+	isc_mem_put(mctx, rdatas, nrdatas * sizeof(dns_rdata_t));
+cleanup_context:
+	dst_context_destroy(&ctx);
+	if (ret == DST_R_VERIFYFAILURE && !downcase) {
+		downcase = true;
+		goto again;
+	}
+cleanup_struct:
+	dns_rdata_freestruct(&sig);
+
+	if (ret == DST_R_VERIFYFAILURE) {
+		ret = DNS_R_SIGINVALID;
+	}
+
+	if (ret != ISC_R_SUCCESS) {
+		inc_stat(dns_dnssecstats_fail);
+	}
+
+	if (ret == ISC_R_SUCCESS && labels - sig.labels > 0) {
+		if (wild != NULL) {
+			RUNTIME_CHECK(dns_name_concatenate(
+					      dns_wildcardname,
+					      dns_fixedname_name(&fnewname),
+					      wild, NULL) == ISC_R_SUCCESS);
+		}
+		inc_stat(dns_dnssecstats_wildcard);
+		ret = DNS_R_FROMWILDCARD;
+	}
+	return (ret);
+}
+
+bool
+dns_dnssec_keyactive(dst_key_t *key, isc_stdtime_t now) {
+	isc_result_t result;
+	isc_stdtime_t publish, active, revoke, remove;
+	bool hint_publish, hint_zsign, hint_ksign, hint_revoke, hint_remove;
+	int major, minor;
+	bool ksk = false, zsk = false;
+	isc_result_t ret;
+
+	/* Is this an old-style key? */
+	result = dst_key_getprivateformat(key, &major, &minor);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	/* Is this a KSK? */
+	ret = dst_key_getbool(key, DST_BOOL_KSK, &ksk);
+	if (ret != ISC_R_SUCCESS) {
+		ksk = ((dst_key_flags(key) & DNS_KEYFLAG_KSK) != 0);
+	}
+	ret = dst_key_getbool(key, DST_BOOL_ZSK, &zsk);
+	if (ret != ISC_R_SUCCESS) {
+		zsk = ((dst_key_flags(key) & DNS_KEYFLAG_KSK) == 0);
+	}
+
+	/*
+	 * Smart signing started with key format 1.3; prior to that, all
+	 * keys are assumed active.
+	 */
+	if (major == 1 && minor <= 2) {
+		return (true);
+	}
+
+	hint_publish = dst_key_is_published(key, now, &publish);
+	hint_zsign = dst_key_is_signing(key, DST_BOOL_ZSK, now, &active);
+	hint_ksign = dst_key_is_signing(key, DST_BOOL_KSK, now, &active);
+	hint_revoke = dst_key_is_revoked(key, now, &revoke);
+	hint_remove = dst_key_is_removed(key, now, &remove);
+
+	if (hint_remove) {
+		return (false);
+	}
+	if (hint_publish && hint_revoke) {
+		return (true);
+	}
+	if (hint_zsign && zsk) {
+		return (true);
+	}
+	if (hint_ksign && ksk) {
+		return (true);
+	}
+	return (false);
+}
+
+/*%<
+ * Indicate whether a key is scheduled to to have CDS/CDNSKEY records
+ * published now.
+ *
+ * Returns true if.
+ *  - kasp says the DS record should be published (e.g. the DS state is in
+ *    RUMOURED or OMNIPRESENT state).
+ * Or:
+ *  - SyncPublish is set and in the past, AND
+ *  - SyncDelete is unset or in the future
+ */
+static bool
+syncpublish(dst_key_t *key, isc_stdtime_t now) {
+	isc_result_t result;
+	isc_stdtime_t when;
+	dst_key_state_t state;
+	int major, minor;
+	bool publish;
+
+	/*
+	 * Is this an old-style key?
+	 */
+	result = dst_key_getprivateformat(key, &major, &minor);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	/*
+	 * Smart signing started with key format 1.3
+	 */
+	if (major == 1 && minor <= 2) {
+		return (false);
+	}
+
+	/* Check kasp state first. */
+	result = dst_key_getstate(key, DST_KEY_DS, &state);
+	if (result == ISC_R_SUCCESS) {
+		return (state == DST_KEY_STATE_RUMOURED ||
+			state == DST_KEY_STATE_OMNIPRESENT);
+	}
+
+	/* If no kasp state, check timings. */
+	publish = false;
+	result = dst_key_gettime(key, DST_TIME_SYNCPUBLISH, &when);
+	if (result == ISC_R_SUCCESS && when <= now) {
+		publish = true;
+	}
+	result = dst_key_gettime(key, DST_TIME_SYNCDELETE, &when);
+	if (result == ISC_R_SUCCESS && when < now) {
+		publish = false;
+	}
+	return (publish);
+}
+
+/*%<
+ * Indicate whether a key is scheduled to to have CDS/CDNSKEY records
+ * deleted now.
+ *
+ * Returns true if:
+ *  - kasp says the DS record should be unpublished (e.g. the DS state is in
+ *    UNRETENTIVE or HIDDEN state).
+ * Or:
+ * - SyncDelete is set and in the past.
+ */
+static bool
+syncdelete(dst_key_t *key, isc_stdtime_t now) {
+	isc_result_t result;
+	isc_stdtime_t when;
+	dst_key_state_t state;
+	int major, minor;
+
+	/*
+	 * Is this an old-style key?
+	 */
+	result = dst_key_getprivateformat(key, &major, &minor);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	/*
+	 * Smart signing started with key format 1.3.
+	 */
+	if (major == 1 && minor <= 2) {
+		return (false);
+	}
+
+	/* Check kasp state first. */
+	result = dst_key_getstate(key, DST_KEY_DS, &state);
+	if (result == ISC_R_SUCCESS) {
+		return (state == DST_KEY_STATE_UNRETENTIVE ||
+			state == DST_KEY_STATE_HIDDEN);
+	}
+
+	/* If no kasp state, check timings. */
+	result = dst_key_gettime(key, DST_TIME_SYNCDELETE, &when);
+	if (result != ISC_R_SUCCESS) {
+		return (false);
+	}
+	if (when <= now) {
+		return (true);
+	}
+	return (false);
+}
+
+#define is_zone_key(key) \
+	((dst_key_flags(key) & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE)
+
+isc_result_t
+dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node,
+			const dns_name_t *name, const char *directory,
+			isc_stdtime_t now, isc_mem_t *mctx,
+			unsigned int maxkeys, dst_key_t **keys,
+			unsigned int *nkeys) {
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_result_t result;
+	dst_key_t *pubkey = NULL;
+	unsigned int count = 0;
+
+	REQUIRE(nkeys != NULL);
+	REQUIRE(keys != NULL);
+
+	*nkeys = 0;
+	memset(keys, 0, sizeof(*keys) * maxkeys);
+	dns_rdataset_init(&rdataset);
+	RETERR(dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey, 0, 0,
+				   &rdataset, NULL));
+	RETERR(dns_rdataset_first(&rdataset));
+	while (result == ISC_R_SUCCESS && count < maxkeys) {
+		pubkey = NULL;
+		dns_rdataset_current(&rdataset, &rdata);
+		RETERR(dns_dnssec_keyfromrdata(name, &rdata, mctx, &pubkey));
+		dst_key_setttl(pubkey, rdataset.ttl);
+
+		if (!is_zone_key(pubkey) ||
+		    (dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0)
+		{
+			goto next;
+		}
+		/* Corrupted .key file? */
+		if (!dns_name_equal(name, dst_key_name(pubkey))) {
+			goto next;
+		}
+		keys[count] = NULL;
+		result = dst_key_fromfile(
+			dst_key_name(pubkey), dst_key_id(pubkey),
+			dst_key_alg(pubkey),
+			DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_STATE,
+			directory, mctx, &keys[count]);
+
+		/*
+		 * If the key was revoked and the private file
+		 * doesn't exist, maybe it was revoked internally
+		 * by named.  Try loading the unrevoked version.
+		 */
+		if (result == ISC_R_FILENOTFOUND) {
+			uint32_t flags;
+			flags = dst_key_flags(pubkey);
+			if ((flags & DNS_KEYFLAG_REVOKE) != 0) {
+				dst_key_setflags(pubkey,
+						 flags & ~DNS_KEYFLAG_REVOKE);
+				result = dst_key_fromfile(
+					dst_key_name(pubkey),
+					dst_key_id(pubkey), dst_key_alg(pubkey),
+					DST_TYPE_PUBLIC | DST_TYPE_PRIVATE |
+						DST_TYPE_STATE,
+					directory, mctx, &keys[count]);
+				if (result == ISC_R_SUCCESS &&
+				    dst_key_pubcompare(pubkey, keys[count],
+						       false))
+				{
+					dst_key_setflags(keys[count], flags);
+				}
+				dst_key_setflags(pubkey, flags);
+			}
+		}
+
+		if (result != ISC_R_SUCCESS) {
+			char filename[DNS_NAME_FORMATSIZE +
+				      DNS_SECALG_FORMATSIZE +
+				      sizeof("key file for //65535")];
+			isc_result_t result2;
+			isc_buffer_t buf;
+
+			isc_buffer_init(&buf, filename, NAME_MAX);
+			result2 = dst_key_getfilename(
+				dst_key_name(pubkey), dst_key_id(pubkey),
+				dst_key_alg(pubkey),
+				(DST_TYPE_PUBLIC | DST_TYPE_PRIVATE |
+				 DST_TYPE_STATE),
+				directory, mctx, &buf);
+			if (result2 != ISC_R_SUCCESS) {
+				char namebuf[DNS_NAME_FORMATSIZE];
+				char algbuf[DNS_SECALG_FORMATSIZE];
+
+				dns_name_format(dst_key_name(pubkey), namebuf,
+						sizeof(namebuf));
+				dns_secalg_format(dst_key_alg(pubkey), algbuf,
+						  sizeof(algbuf));
+				snprintf(filename, sizeof(filename) - 1,
+					 "key file for %s/%s/%d", namebuf,
+					 algbuf, dst_key_id(pubkey));
+			}
+
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_DNSSEC, ISC_LOG_WARNING,
+				      "dns_dnssec_findzonekeys2: error "
+				      "reading %s: %s",
+				      filename, isc_result_totext(result));
+		}
+
+		if (result == ISC_R_FILENOTFOUND || result == ISC_R_NOPERM) {
+			keys[count] = pubkey;
+			pubkey = NULL;
+			count++;
+			goto next;
+		}
+
+		if (result != ISC_R_SUCCESS) {
+			goto failure;
+		}
+
+		/*
+		 * If a key is marked inactive, skip it
+		 */
+		if (!dns_dnssec_keyactive(keys[count], now)) {
+			dst_key_setinactive(pubkey, true);
+			dst_key_free(&keys[count]);
+			keys[count] = pubkey;
+			pubkey = NULL;
+			count++;
+			goto next;
+		}
+
+		/*
+		 * Whatever the key's default TTL may have
+		 * been, the rdataset TTL takes priority.
+		 */
+		dst_key_setttl(keys[count], rdataset.ttl);
+
+		if ((dst_key_flags(keys[count]) & DNS_KEYTYPE_NOAUTH) != 0) {
+			/* We should never get here. */
+			dst_key_free(&keys[count]);
+			goto next;
+		}
+		count++;
+	next:
+		if (pubkey != NULL) {
+			dst_key_free(&pubkey);
+		}
+		dns_rdata_reset(&rdata);
+		result = dns_rdataset_next(&rdataset);
+	}
+	if (result != ISC_R_NOMORE) {
+		goto failure;
+	}
+	if (count == 0) {
+		result = ISC_R_NOTFOUND;
+	} else {
+		result = ISC_R_SUCCESS;
+	}
+
+failure:
+	if (dns_rdataset_isassociated(&rdataset)) {
+		dns_rdataset_disassociate(&rdataset);
+	}
+	if (pubkey != NULL) {
+		dst_key_free(&pubkey);
+	}
+	if (result != ISC_R_SUCCESS) {
+		while (count > 0) {
+			dst_key_free(&keys[--count]);
+		}
+	}
+	*nkeys = count;
+	return (result);
+}
+
+isc_result_t
+dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
+	dns_rdata_sig_t sig; /* SIG(0) */
+	unsigned char data[512];
+	unsigned char header[DNS_MESSAGE_HEADERLEN];
+	isc_buffer_t headerbuf, databuf, sigbuf;
+	unsigned int sigsize;
+	isc_buffer_t *dynbuf = NULL;
+	dns_rdata_t *rdata;
+	dns_rdatalist_t *datalist;
+	dns_rdataset_t *dataset;
+	isc_region_t r;
+	isc_stdtime_t now;
+	dst_context_t *ctx = NULL;
+	isc_mem_t *mctx;
+	isc_result_t result;
+
+	REQUIRE(msg != NULL);
+	REQUIRE(key != NULL);
+
+	if (is_response(msg)) {
+		REQUIRE(msg->query.base != NULL);
+	}
+
+	mctx = msg->mctx;
+
+	memset(&sig, 0, sizeof(sig));
+
+	sig.mctx = mctx;
+	sig.common.rdclass = dns_rdataclass_any;
+	sig.common.rdtype = dns_rdatatype_sig; /* SIG(0) */
+	ISC_LINK_INIT(&sig.common, link);
+
+	sig.covered = 0;
+	sig.algorithm = dst_key_alg(key);
+	sig.labels = 0; /* the root name */
+	sig.originalttl = 0;
+
+	isc_stdtime_get(&now);
+	sig.timesigned = now - DNS_TSIG_FUDGE;
+	sig.timeexpire = now + DNS_TSIG_FUDGE;
+
+	sig.keyid = dst_key_id(key);
+
+	dns_name_init(&sig.signer, NULL);
+	dns_name_clone(dst_key_name(key), &sig.signer);
+
+	sig.siglen = 0;
+	sig.signature = NULL;
+
+	isc_buffer_init(&databuf, data, sizeof(data));
+
+	RETERR(dst_context_create(key, mctx, DNS_LOGCATEGORY_DNSSEC, true, 0,
+				  &ctx));
+
+	/*
+	 * Digest the fields of the SIG - we can cheat and use
+	 * dns_rdata_fromstruct.  Since siglen is 0, the digested data
+	 * is identical to dns format.
+	 */
+	RETERR(dns_rdata_fromstruct(NULL, dns_rdataclass_any,
+				    dns_rdatatype_sig /* SIG(0) */, &sig,
+				    &databuf));
+	isc_buffer_usedregion(&databuf, &r);
+	RETERR(dst_context_adddata(ctx, &r));
+
+	/*
+	 * If this is a response, digest the query.
+	 */
+	if (is_response(msg)) {
+		RETERR(dst_context_adddata(ctx, &msg->query));
+	}
+
+	/*
+	 * Digest the header.
+	 */
+	isc_buffer_init(&headerbuf, header, sizeof(header));
+	dns_message_renderheader(msg, &headerbuf);
+	isc_buffer_usedregion(&headerbuf, &r);
+	RETERR(dst_context_adddata(ctx, &r));
+
+	/*
+	 * Digest the remainder of the message.
+	 */
+	isc_buffer_usedregion(msg->buffer, &r);
+	isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
+	RETERR(dst_context_adddata(ctx, &r));
+
+	RETERR(dst_key_sigsize(key, &sigsize));
+	sig.siglen = sigsize;
+	sig.signature = isc_mem_get(mctx, sig.siglen);
+
+	isc_buffer_init(&sigbuf, sig.signature, sig.siglen);
+	RETERR(dst_context_sign(ctx, &sigbuf));
+	dst_context_destroy(&ctx);
+
+	rdata = NULL;
+	RETERR(dns_message_gettemprdata(msg, &rdata));
+	isc_buffer_allocate(msg->mctx, &dynbuf, 1024);
+	RETERR(dns_rdata_fromstruct(rdata, dns_rdataclass_any,
+				    dns_rdatatype_sig /* SIG(0) */, &sig,
+				    dynbuf));
+
+	isc_mem_put(mctx, sig.signature, sig.siglen);
+
+	dns_message_takebuffer(msg, &dynbuf);
+
+	datalist = NULL;
+	RETERR(dns_message_gettemprdatalist(msg, &datalist));
+	datalist->rdclass = dns_rdataclass_any;
+	datalist->type = dns_rdatatype_sig; /* SIG(0) */
+	ISC_LIST_APPEND(datalist->rdata, rdata, link);
+	dataset = NULL;
+	RETERR(dns_message_gettemprdataset(msg, &dataset));
+	RUNTIME_CHECK(dns_rdatalist_tordataset(datalist, dataset) ==
+		      ISC_R_SUCCESS);
+	msg->sig0 = dataset;
+
+	return (ISC_R_SUCCESS);
+
+failure:
+	if (dynbuf != NULL) {
+		isc_buffer_free(&dynbuf);
+	}
+	if (sig.signature != NULL) {
+		isc_mem_put(mctx, sig.signature, sig.siglen);
+	}
+	if (ctx != NULL) {
+		dst_context_destroy(&ctx);
+	}
+
+	return (result);
+}
+
+isc_result_t
+dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
+			 dst_key_t *key) {
+	dns_rdata_sig_t sig; /* SIG(0) */
+	unsigned char header[DNS_MESSAGE_HEADERLEN];
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_region_t r, source_r, sig_r, header_r;
+	isc_stdtime_t now;
+	dst_context_t *ctx = NULL;
+	isc_mem_t *mctx;
+	isc_result_t result;
+	uint16_t addcount, addcount_n;
+	bool signeedsfree = false;
+
+	REQUIRE(source != NULL);
+	REQUIRE(msg != NULL);
+	REQUIRE(key != NULL);
+
+	mctx = msg->mctx;
+
+	msg->verify_attempted = 1;
+	msg->verified_sig = 0;
+	msg->sig0status = dns_tsigerror_badsig;
+
+	if (is_response(msg)) {
+		if (msg->query.base == NULL) {
+			return (DNS_R_UNEXPECTEDTSIG);
+		}
+	}
+
+	isc_buffer_usedregion(source, &source_r);
+
+	RETERR(dns_rdataset_first(msg->sig0));
+	dns_rdataset_current(msg->sig0, &rdata);
+
+	RETERR(dns_rdata_tostruct(&rdata, &sig, NULL));
+	signeedsfree = true;
+
+	if (sig.labels != 0) {
+		result = DNS_R_SIGINVALID;
+		goto failure;
+	}
+
+	if (isc_serial_lt(sig.timeexpire, sig.timesigned)) {
+		result = DNS_R_SIGINVALID;
+		msg->sig0status = dns_tsigerror_badtime;
+		goto failure;
+	}
+
+	isc_stdtime_get(&now);
+	if (isc_serial_lt((uint32_t)now, sig.timesigned)) {
+		result = DNS_R_SIGFUTURE;
+		msg->sig0status = dns_tsigerror_badtime;
+		goto failure;
+	} else if (isc_serial_lt(sig.timeexpire, (uint32_t)now)) {
+		result = DNS_R_SIGEXPIRED;
+		msg->sig0status = dns_tsigerror_badtime;
+		goto failure;
+	}
+
+	if (!dns_name_equal(dst_key_name(key), &sig.signer)) {
+		result = DNS_R_SIGINVALID;
+		msg->sig0status = dns_tsigerror_badkey;
+		goto failure;
+	}
+
+	RETERR(dst_context_create(key, mctx, DNS_LOGCATEGORY_DNSSEC, false, 0,
+				  &ctx));
+
+	/*
+	 * Digest the SIG(0) record, except for the signature.
+	 */
+	dns_rdata_toregion(&rdata, &r);
+	r.length -= sig.siglen;
+	RETERR(dst_context_adddata(ctx, &r));
+
+	/*
+	 * If this is a response, digest the query.
+	 */
+	if (is_response(msg)) {
+		RETERR(dst_context_adddata(ctx, &msg->query));
+	}
+
+	/*
+	 * Extract the header.
+	 */
+	memmove(header, source_r.base, DNS_MESSAGE_HEADERLEN);
+
+	/*
+	 * Decrement the additional field counter.
+	 */
+	memmove(&addcount, &header[DNS_MESSAGE_HEADERLEN - 2], 2);
+	addcount_n = ntohs(addcount);
+	addcount = htons((uint16_t)(addcount_n - 1));
+	memmove(&header[DNS_MESSAGE_HEADERLEN - 2], &addcount, 2);
+
+	/*
+	 * Digest the modified header.
+	 */
+	header_r.base = (unsigned char *)header;
+	header_r.length = DNS_MESSAGE_HEADERLEN;
+	RETERR(dst_context_adddata(ctx, &header_r));
+
+	/*
+	 * Digest all non-SIG(0) records.
+	 */
+	r.base = source_r.base + DNS_MESSAGE_HEADERLEN;
+	r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
+	RETERR(dst_context_adddata(ctx, &r));
+
+	sig_r.base = sig.signature;
+	sig_r.length = sig.siglen;
+	result = dst_context_verify(ctx, &sig_r);
+	if (result != ISC_R_SUCCESS) {
+		msg->sig0status = dns_tsigerror_badsig;
+		goto failure;
+	}
+
+	msg->verified_sig = 1;
+	msg->sig0status = dns_rcode_noerror;
+
+	dst_context_destroy(&ctx);
+	dns_rdata_freestruct(&sig);
+
+	return (ISC_R_SUCCESS);
+
+failure:
+	if (signeedsfree) {
+		dns_rdata_freestruct(&sig);
+	}
+	if (ctx != NULL) {
+		dst_context_destroy(&ctx);
+	}
+
+	return (result);
+}
+
+/*%
+ * Does this key ('rdata') self sign the rrset ('rdataset')?
+ */
+bool
+dns_dnssec_selfsigns(dns_rdata_t *rdata, const dns_name_t *name,
+		     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
+		     bool ignoretime, isc_mem_t *mctx) {
+	INSIST(rdataset->type == dns_rdatatype_key ||
+	       rdataset->type == dns_rdatatype_dnskey);
+	if (rdataset->type == dns_rdatatype_key) {
+		INSIST(sigrdataset->type == dns_rdatatype_sig);
+		INSIST(sigrdataset->covers == dns_rdatatype_key);
+	} else {
+		INSIST(sigrdataset->type == dns_rdatatype_rrsig);
+		INSIST(sigrdataset->covers == dns_rdatatype_dnskey);
+	}
+
+	return (dns_dnssec_signs(rdata, name, rdataset, sigrdataset, ignoretime,
+				 mctx));
+}
+
+bool
+dns_dnssec_signs(dns_rdata_t *rdata, const dns_name_t *name,
+		 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
+		 bool ignoretime, isc_mem_t *mctx) {
+	dst_key_t *dstkey = NULL;
+	dns_keytag_t keytag;
+	dns_rdata_dnskey_t key;
+	dns_rdata_rrsig_t sig;
+	dns_rdata_t sigrdata = DNS_RDATA_INIT;
+	isc_result_t result;
+
+	INSIST(sigrdataset->type == dns_rdatatype_rrsig);
+	if (sigrdataset->covers != rdataset->type) {
+		return (false);
+	}
+
+	result = dns_dnssec_keyfromrdata(name, rdata, mctx, &dstkey);
+	if (result != ISC_R_SUCCESS) {
+		return (false);
+	}
+	result = dns_rdata_tostruct(rdata, &key, NULL);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	keytag = dst_key_id(dstkey);
+	for (result = dns_rdataset_first(sigrdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(sigrdataset))
+	{
+		dns_rdata_reset(&sigrdata);
+		dns_rdataset_current(sigrdataset, &sigrdata);
+		result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		if (sig.algorithm == key.algorithm && sig.keyid == keytag) {
+			result = dns_dnssec_verify(name, rdataset, dstkey,
+						   ignoretime, 0, mctx,
+						   &sigrdata, NULL);
+			if (result == ISC_R_SUCCESS) {
+				dst_key_free(&dstkey);
+				return (true);
+			}
+		}
+	}
+	dst_key_free(&dstkey);
+	return (false);
+}
+
+isc_result_t
+dns_dnsseckey_create(isc_mem_t *mctx, dst_key_t **dstkey,
+		     dns_dnsseckey_t **dkp) {
+	isc_result_t result;
+	dns_dnsseckey_t *dk;
+	int major, minor;
+
+	REQUIRE(dkp != NULL && *dkp == NULL);
+	dk = isc_mem_get(mctx, sizeof(dns_dnsseckey_t));
+
+	dk->key = *dstkey;
+	*dstkey = NULL;
+	dk->force_publish = false;
+	dk->force_sign = false;
+	dk->hint_publish = false;
+	dk->hint_sign = false;
+	dk->hint_revoke = false;
+	dk->hint_remove = false;
+	dk->first_sign = false;
+	dk->is_active = false;
+	dk->purge = false;
+	dk->prepublish = 0;
+	dk->source = dns_keysource_unknown;
+	dk->index = 0;
+
+	/* KSK or ZSK? */
+	result = dst_key_getbool(dk->key, DST_BOOL_KSK, &dk->ksk);
+	if (result != ISC_R_SUCCESS) {
+		dk->ksk = ((dst_key_flags(dk->key) & DNS_KEYFLAG_KSK) != 0);
+	}
+	result = dst_key_getbool(dk->key, DST_BOOL_ZSK, &dk->zsk);
+	if (result != ISC_R_SUCCESS) {
+		dk->zsk = ((dst_key_flags(dk->key) & DNS_KEYFLAG_KSK) == 0);
+	}
+
+	/* Is this an old-style key? */
+	result = dst_key_getprivateformat(dk->key, &major, &minor);
+	INSIST(result == ISC_R_SUCCESS);
+
+	/* Smart signing started with key format 1.3 */
+	dk->legacy = (major == 1 && minor <= 2);
+
+	ISC_LINK_INIT(dk, link);
+	*dkp = dk;
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_dnsseckey_destroy(isc_mem_t *mctx, dns_dnsseckey_t **dkp) {
+	dns_dnsseckey_t *dk;
+
+	REQUIRE(dkp != NULL && *dkp != NULL);
+	dk = *dkp;
+	*dkp = NULL;
+	if (dk->key != NULL) {
+		dst_key_free(&dk->key);
+	}
+	isc_mem_put(mctx, dk, sizeof(dns_dnsseckey_t));
+}
+
+void
+dns_dnssec_get_hints(dns_dnsseckey_t *key, isc_stdtime_t now) {
+	isc_stdtime_t publish = 0, active = 0, revoke = 0, remove = 0;
+
+	REQUIRE(key != NULL && key->key != NULL);
+
+	key->hint_publish = dst_key_is_published(key->key, now, &publish);
+	key->hint_sign = dst_key_is_signing(key->key, DST_BOOL_ZSK, now,
+					    &active);
+	key->hint_revoke = dst_key_is_revoked(key->key, now, &revoke);
+	key->hint_remove = dst_key_is_removed(key->key, now, &remove);
+
+	/*
+	 * Activation date is set (maybe in the future), but publication date
+	 * isn't. Most likely the user wants to publish now and activate later.
+	 * Most likely because this is true for most rollovers, except for:
+	 * 1. The unpopular ZSK Double-RRSIG method.
+	 * 2. When introducing a new algorithm.
+	 * These two cases are rare enough that we will set hint_publish
+	 * anyway when hint_sign is set, because BIND 9 natively does not
+	 * support the ZSK Double-RRSIG method, and when introducing a new
+	 * algorithm, we strive to publish its signatures and DNSKEY records
+	 * at the same time.
+	 */
+	if (key->hint_sign && publish == 0) {
+		key->hint_publish = true;
+	}
+
+	/*
+	 * If activation date is in the future, make note of how far off.
+	 */
+	if (key->hint_publish && active > now) {
+		key->prepublish = active - now;
+	}
+
+	/*
+	 * Metadata says revoke.  If the key is published, we *have to* sign
+	 * with it per RFC5011 -- even if it was not active before.
+	 *
+	 * If it hasn't already been done, we should also revoke it now.
+	 */
+	if (key->hint_publish && key->hint_revoke) {
+		uint32_t flags;
+		key->hint_sign = true;
+		flags = dst_key_flags(key->key);
+		if ((flags & DNS_KEYFLAG_REVOKE) == 0) {
+			flags |= DNS_KEYFLAG_REVOKE;
+			dst_key_setflags(key->key, flags);
+		}
+	}
+
+	/*
+	 * Metadata says delete, so don't publish this key or sign with it
+	 * (note that signatures of a removed key may still be reused).
+	 */
+	if (key->hint_remove) {
+		key->hint_publish = false;
+		key->hint_sign = false;
+	}
+}
+
+/*%
+ * Get a list of DNSSEC keys from the key repository.
+ */
+isc_result_t
+dns_dnssec_findmatchingkeys(const dns_name_t *origin, const char *directory,
+			    isc_stdtime_t now, isc_mem_t *mctx,
+			    dns_dnsseckeylist_t *keylist) {
+	isc_result_t result = ISC_R_SUCCESS;
+	bool dir_open = false;
+	dns_dnsseckeylist_t list;
+	isc_dir_t dir;
+	dns_dnsseckey_t *key = NULL;
+	dst_key_t *dstkey = NULL;
+	char namebuf[DNS_NAME_FORMATSIZE];
+	isc_buffer_t b;
+	unsigned int len, i, alg;
+
+	REQUIRE(keylist != NULL);
+	ISC_LIST_INIT(list);
+	isc_dir_init(&dir);
+
+	isc_buffer_init(&b, namebuf, sizeof(namebuf) - 1);
+	RETERR(dns_name_tofilenametext(origin, false, &b));
+	len = isc_buffer_usedlength(&b);
+	namebuf[len] = '\0';
+
+	if (directory == NULL) {
+		directory = ".";
+	}
+	RETERR(isc_dir_open(&dir, directory));
+	dir_open = true;
+
+	while (isc_dir_read(&dir) == ISC_R_SUCCESS) {
+		if (dir.entry.name[0] != 'K' || dir.entry.length < len + 1 ||
+		    dir.entry.name[len + 1] != '+' ||
+		    strncasecmp(dir.entry.name + 1, namebuf, len) != 0)
+		{
+			continue;
+		}
+
+		alg = 0;
+		for (i = len + 1 + 1; i < dir.entry.length; i++) {
+			if (!isdigit((unsigned char)dir.entry.name[i])) {
+				break;
+			}
+			alg *= 10;
+			alg += dir.entry.name[i] - '0';
+		}
+
+		/*
+		 * Did we not read exactly 3 digits?
+		 * Did we overflow?
+		 * Did we correctly terminate?
+		 */
+		if (i != len + 1 + 1 + 3 || i >= dir.entry.length ||
+		    dir.entry.name[i] != '+')
+		{
+			continue;
+		}
+
+		for (i++; i < dir.entry.length; i++) {
+			if (!isdigit((unsigned char)dir.entry.name[i])) {
+				break;
+			}
+		}
+
+		/*
+		 * Did we not read exactly 5 more digits?
+		 * Did we overflow?
+		 * Did we correctly terminate?
+		 */
+		if (i != len + 1 + 1 + 3 + 1 + 5 || i >= dir.entry.length ||
+		    strcmp(dir.entry.name + i, ".private") != 0)
+		{
+			continue;
+		}
+
+		dstkey = NULL;
+		result = dst_key_fromnamedfile(
+			dir.entry.name, directory,
+			DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_STATE,
+			mctx, &dstkey);
+
+		switch (alg) {
+		case DST_ALG_HMACMD5:
+		case DST_ALG_HMACSHA1:
+		case DST_ALG_HMACSHA224:
+		case DST_ALG_HMACSHA256:
+		case DST_ALG_HMACSHA384:
+		case DST_ALG_HMACSHA512:
+			if (result == DST_R_BADKEYTYPE) {
+				continue;
+			}
+		}
+
+		if (result != ISC_R_SUCCESS) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_DNSSEC, ISC_LOG_WARNING,
+				      "dns_dnssec_findmatchingkeys: "
+				      "error reading key file %s: %s",
+				      dir.entry.name,
+				      isc_result_totext(result));
+			continue;
+		}
+
+		RETERR(dns_dnsseckey_create(mctx, &dstkey, &key));
+		key->source = dns_keysource_repository;
+		dns_dnssec_get_hints(key, now);
+
+		if (key->legacy) {
+			dns_dnsseckey_destroy(mctx, &key);
+		} else {
+			ISC_LIST_APPEND(list, key, link);
+			key = NULL;
+		}
+	}
+
+	if (!ISC_LIST_EMPTY(list)) {
+		result = ISC_R_SUCCESS;
+		ISC_LIST_APPENDLIST(*keylist, list, link);
+	} else {
+		result = ISC_R_NOTFOUND;
+	}
+
+failure:
+	if (dir_open) {
+		isc_dir_close(&dir);
+	}
+	INSIST(key == NULL);
+	while ((key = ISC_LIST_HEAD(list)) != NULL) {
+		ISC_LIST_UNLINK(list, key, link);
+		INSIST(key->key != NULL);
+		dst_key_free(&key->key);
+		dns_dnsseckey_destroy(mctx, &key);
+	}
+	if (dstkey != NULL) {
+		dst_key_free(&dstkey);
+	}
+	return (result);
+}
+
+/*%
+ * Add 'newkey' to 'keylist' if it's not already there.
+ *
+ * If 'savekeys' is true, then we need to preserve all
+ * the keys in the keyset, regardless of whether they have
+ * metadata indicating they should be deactivated or removed.
+ */
+static isc_result_t
+addkey(dns_dnsseckeylist_t *keylist, dst_key_t **newkey, bool savekeys,
+       isc_mem_t *mctx) {
+	dns_dnsseckey_t *key;
+	isc_result_t result;
+
+	/* Skip duplicates */
+	for (key = ISC_LIST_HEAD(*keylist); key != NULL;
+	     key = ISC_LIST_NEXT(key, link))
+	{
+		if (dst_key_id(key->key) == dst_key_id(*newkey) &&
+		    dst_key_alg(key->key) == dst_key_alg(*newkey) &&
+		    dns_name_equal(dst_key_name(key->key),
+				   dst_key_name(*newkey)))
+		{
+			break;
+		}
+	}
+
+	if (key != NULL) {
+		/*
+		 * Found a match.  If the old key was only public and the
+		 * new key is private, replace the old one; otherwise
+		 * leave it.  But either way, mark the key as having
+		 * been found in the zone.
+		 */
+		if (dst_key_isprivate(key->key)) {
+			dst_key_free(newkey);
+		} else if (dst_key_isprivate(*newkey)) {
+			dst_key_free(&key->key);
+			key->key = *newkey;
+		}
+
+		key->source = dns_keysource_zoneapex;
+		return (ISC_R_SUCCESS);
+	}
+
+	result = dns_dnsseckey_create(mctx, newkey, &key);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	if (key->legacy || savekeys) {
+		key->force_publish = true;
+		key->force_sign = dst_key_isprivate(key->key);
+	}
+	key->source = dns_keysource_zoneapex;
+	ISC_LIST_APPEND(*keylist, key, link);
+	*newkey = NULL;
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Mark all keys which signed the DNSKEY/SOA RRsets as "active",
+ * for future reference.
+ */
+static isc_result_t
+mark_active_keys(dns_dnsseckeylist_t *keylist, dns_rdataset_t *rrsigs) {
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdataset_t sigs;
+	dns_dnsseckey_t *key;
+
+	REQUIRE(rrsigs != NULL && dns_rdataset_isassociated(rrsigs));
+
+	dns_rdataset_init(&sigs);
+	dns_rdataset_clone(rrsigs, &sigs);
+	for (key = ISC_LIST_HEAD(*keylist); key != NULL;
+	     key = ISC_LIST_NEXT(key, link))
+	{
+		uint16_t keyid, sigid;
+		dns_secalg_t keyalg, sigalg;
+		keyid = dst_key_id(key->key);
+		keyalg = dst_key_alg(key->key);
+
+		for (result = dns_rdataset_first(&sigs);
+		     result == ISC_R_SUCCESS; result = dns_rdataset_next(&sigs))
+		{
+			dns_rdata_rrsig_t sig;
+
+			dns_rdata_reset(&rdata);
+			dns_rdataset_current(&sigs, &rdata);
+			result = dns_rdata_tostruct(&rdata, &sig, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			sigalg = sig.algorithm;
+			sigid = sig.keyid;
+			if (keyid == sigid && keyalg == sigalg) {
+				key->is_active = true;
+				break;
+			}
+		}
+	}
+
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+	}
+
+	if (dns_rdataset_isassociated(&sigs)) {
+		dns_rdataset_disassociate(&sigs);
+	}
+	return (result);
+}
+
+/*%
+ * Add the contents of a DNSKEY rdataset 'keyset' to 'keylist'.
+ */
+isc_result_t
+dns_dnssec_keylistfromrdataset(const dns_name_t *origin, const char *directory,
+			       isc_mem_t *mctx, dns_rdataset_t *keyset,
+			       dns_rdataset_t *keysigs, dns_rdataset_t *soasigs,
+			       bool savekeys, bool publickey,
+			       dns_dnsseckeylist_t *keylist) {
+	dns_rdataset_t keys;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dst_key_t *dnskey = NULL, *pubkey = NULL, *privkey = NULL;
+	isc_result_t result;
+
+	REQUIRE(keyset != NULL && dns_rdataset_isassociated(keyset));
+
+	dns_rdataset_init(&keys);
+
+	dns_rdataset_clone(keyset, &keys);
+	for (result = dns_rdataset_first(&keys); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&keys))
+	{
+		dns_rdata_reset(&rdata);
+		dns_rdataset_current(&keys, &rdata);
+
+		REQUIRE(rdata.type == dns_rdatatype_key ||
+			rdata.type == dns_rdatatype_dnskey);
+		REQUIRE(rdata.length > 3);
+
+		/* Skip unsupported algorithms */
+		if (!dst_algorithm_supported(rdata.data[3])) {
+			goto skip;
+		}
+
+		RETERR(dns_dnssec_keyfromrdata(origin, &rdata, mctx, &dnskey));
+		dst_key_setttl(dnskey, keys.ttl);
+
+		if (!is_zone_key(dnskey) ||
+		    (dst_key_flags(dnskey) & DNS_KEYTYPE_NOAUTH) != 0)
+		{
+			goto skip;
+		}
+
+		/* Corrupted .key file? */
+		if (!dns_name_equal(origin, dst_key_name(dnskey))) {
+			goto skip;
+		}
+
+		if (publickey) {
+			RETERR(addkey(keylist, &dnskey, savekeys, mctx));
+			goto skip;
+		}
+
+		/* Try to read the public key. */
+		result = dst_key_fromfile(
+			dst_key_name(dnskey), dst_key_id(dnskey),
+			dst_key_alg(dnskey), (DST_TYPE_PUBLIC | DST_TYPE_STATE),
+			directory, mctx, &pubkey);
+		if (result == ISC_R_FILENOTFOUND || result == ISC_R_NOPERM) {
+			result = ISC_R_SUCCESS;
+		}
+		RETERR(result);
+
+		/* Now read the private key. */
+		result = dst_key_fromfile(
+			dst_key_name(dnskey), dst_key_id(dnskey),
+			dst_key_alg(dnskey),
+			(DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_STATE),
+			directory, mctx, &privkey);
+
+		/*
+		 * If the key was revoked and the private file
+		 * doesn't exist, maybe it was revoked internally
+		 * by named.  Try loading the unrevoked version.
+		 */
+		if (result == ISC_R_FILENOTFOUND) {
+			uint32_t flags;
+			flags = dst_key_flags(dnskey);
+			if ((flags & DNS_KEYFLAG_REVOKE) != 0) {
+				dst_key_setflags(dnskey,
+						 flags & ~DNS_KEYFLAG_REVOKE);
+				result = dst_key_fromfile(
+					dst_key_name(dnskey),
+					dst_key_id(dnskey), dst_key_alg(dnskey),
+					(DST_TYPE_PUBLIC | DST_TYPE_PRIVATE |
+					 DST_TYPE_STATE),
+					directory, mctx, &privkey);
+				if (result == ISC_R_SUCCESS &&
+				    dst_key_pubcompare(dnskey, privkey, false))
+				{
+					dst_key_setflags(privkey, flags);
+				}
+				dst_key_setflags(dnskey, flags);
+			}
+		}
+
+		if (result != ISC_R_SUCCESS) {
+			char filename[DNS_NAME_FORMATSIZE +
+				      DNS_SECALG_FORMATSIZE +
+				      sizeof("key file for //65535")];
+			isc_result_t result2;
+			isc_buffer_t buf;
+
+			isc_buffer_init(&buf, filename, NAME_MAX);
+			result2 = dst_key_getfilename(
+				dst_key_name(dnskey), dst_key_id(dnskey),
+				dst_key_alg(dnskey),
+				(DST_TYPE_PUBLIC | DST_TYPE_PRIVATE |
+				 DST_TYPE_STATE),
+				directory, mctx, &buf);
+			if (result2 != ISC_R_SUCCESS) {
+				char namebuf[DNS_NAME_FORMATSIZE];
+				char algbuf[DNS_SECALG_FORMATSIZE];
+
+				dns_name_format(dst_key_name(dnskey), namebuf,
+						sizeof(namebuf));
+				dns_secalg_format(dst_key_alg(dnskey), algbuf,
+						  sizeof(algbuf));
+				snprintf(filename, sizeof(filename) - 1,
+					 "key file for %s/%s/%d", namebuf,
+					 algbuf, dst_key_id(dnskey));
+			}
+
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_DNSSEC, ISC_LOG_WARNING,
+				      "dns_dnssec_keylistfromrdataset: error "
+				      "reading %s: %s",
+				      filename, isc_result_totext(result));
+		}
+
+		if (result == ISC_R_FILENOTFOUND || result == ISC_R_NOPERM) {
+			if (pubkey != NULL) {
+				RETERR(addkey(keylist, &pubkey, savekeys,
+					      mctx));
+			} else {
+				RETERR(addkey(keylist, &dnskey, savekeys,
+					      mctx));
+			}
+			goto skip;
+		}
+		RETERR(result);
+
+		/* This should never happen. */
+		if ((dst_key_flags(privkey) & DNS_KEYTYPE_NOAUTH) != 0) {
+			goto skip;
+		}
+
+		/*
+		 * Whatever the key's default TTL may have
+		 * been, the rdataset TTL takes priority.
+		 */
+		dst_key_setttl(privkey, dst_key_getttl(dnskey));
+
+		RETERR(addkey(keylist, &privkey, savekeys, mctx));
+	skip:
+		if (dnskey != NULL) {
+			dst_key_free(&dnskey);
+		}
+		if (pubkey != NULL) {
+			dst_key_free(&pubkey);
+		}
+		if (privkey != NULL) {
+			dst_key_free(&privkey);
+		}
+	}
+
+	if (result != ISC_R_NOMORE) {
+		RETERR(result);
+	}
+
+	if (keysigs != NULL && dns_rdataset_isassociated(keysigs)) {
+		RETERR(mark_active_keys(keylist, keysigs));
+	}
+
+	if (soasigs != NULL && dns_rdataset_isassociated(soasigs)) {
+		RETERR(mark_active_keys(keylist, soasigs));
+	}
+
+	result = ISC_R_SUCCESS;
+
+failure:
+	if (dns_rdataset_isassociated(&keys)) {
+		dns_rdataset_disassociate(&keys);
+	}
+	if (dnskey != NULL) {
+		dst_key_free(&dnskey);
+	}
+	if (pubkey != NULL) {
+		dst_key_free(&pubkey);
+	}
+	if (privkey != NULL) {
+		dst_key_free(&privkey);
+	}
+	return (result);
+}
+
+static isc_result_t
+make_dnskey(dst_key_t *key, unsigned char *buf, int bufsize,
+	    dns_rdata_t *target) {
+	isc_result_t result;
+	isc_buffer_t b;
+	isc_region_t r;
+
+	isc_buffer_init(&b, buf, bufsize);
+	result = dst_key_todns(key, &b);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	dns_rdata_reset(target);
+	isc_buffer_usedregion(&b, &r);
+	dns_rdata_fromregion(target, dst_key_class(key), dns_rdatatype_dnskey,
+			     &r);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+addrdata(dns_rdata_t *rdata, dns_diff_t *diff, const dns_name_t *origin,
+	 dns_ttl_t ttl, isc_mem_t *mctx) {
+	isc_result_t result;
+	dns_difftuple_t *tuple = NULL;
+
+	RETERR(dns_difftuple_create(mctx, DNS_DIFFOP_ADD, origin, ttl, rdata,
+				    &tuple));
+	dns_diff_appendminimal(diff, &tuple);
+
+failure:
+	return (result);
+}
+
+static isc_result_t
+delrdata(dns_rdata_t *rdata, dns_diff_t *diff, const dns_name_t *origin,
+	 dns_ttl_t ttl, isc_mem_t *mctx) {
+	isc_result_t result;
+	dns_difftuple_t *tuple = NULL;
+
+	RETERR(dns_difftuple_create(mctx, DNS_DIFFOP_DEL, origin, ttl, rdata,
+				    &tuple));
+	dns_diff_appendminimal(diff, &tuple);
+
+failure:
+	return (result);
+}
+
+static isc_result_t
+publish_key(dns_diff_t *diff, dns_dnsseckey_t *key, const dns_name_t *origin,
+	    dns_ttl_t ttl, isc_mem_t *mctx, void (*report)(const char *, ...)) {
+	isc_result_t result;
+	unsigned char buf[DST_KEY_MAXSIZE];
+	char keystr[DST_KEY_FORMATSIZE];
+	dns_rdata_t dnskey = DNS_RDATA_INIT;
+
+	dns_rdata_reset(&dnskey);
+	RETERR(make_dnskey(key->key, buf, sizeof(buf), &dnskey));
+	dst_key_format(key->key, keystr, sizeof(keystr));
+
+	report("Fetching %s (%s) from key %s.", keystr,
+	       key->ksk ? (key->zsk ? "CSK" : "KSK") : "ZSK",
+	       key->source == dns_keysource_user ? "file" : "repository");
+
+	if (key->prepublish && ttl > key->prepublish) {
+		isc_stdtime_t now;
+
+		report("Key %s: Delaying activation to match the DNSKEY TTL.",
+		       keystr, ttl);
+
+		isc_stdtime_get(&now);
+		dst_key_settime(key->key, DST_TIME_ACTIVATE, now + ttl);
+	}
+
+	/* publish key */
+	result = addrdata(&dnskey, diff, origin, ttl, mctx);
+
+failure:
+	return (result);
+}
+
+static isc_result_t
+remove_key(dns_diff_t *diff, dns_dnsseckey_t *key, const dns_name_t *origin,
+	   dns_ttl_t ttl, isc_mem_t *mctx, const char *reason,
+	   void (*report)(const char *, ...)) {
+	isc_result_t result;
+	unsigned char buf[DST_KEY_MAXSIZE];
+	dns_rdata_t dnskey = DNS_RDATA_INIT;
+	char alg[80];
+
+	dns_secalg_format(dst_key_alg(key->key), alg, sizeof(alg));
+	report("Removing %s key %d/%s from DNSKEY RRset.", reason,
+	       dst_key_id(key->key), alg);
+
+	RETERR(make_dnskey(key->key, buf, sizeof(buf), &dnskey));
+	result = delrdata(&dnskey, diff, origin, ttl, mctx);
+
+failure:
+	return (result);
+}
+
+static bool
+exists(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
+	isc_result_t result;
+	dns_rdataset_t trdataset;
+
+	dns_rdataset_init(&trdataset);
+	dns_rdataset_clone(rdataset, &trdataset);
+	for (result = dns_rdataset_first(&trdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&trdataset))
+	{
+		dns_rdata_t current = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&trdataset, &current);
+		if (dns_rdata_compare(rdata, &current) == 0) {
+			dns_rdataset_disassociate(&trdataset);
+			return (true);
+		}
+	}
+	dns_rdataset_disassociate(&trdataset);
+	return (false);
+}
+
+isc_result_t
+dns_dnssec_syncupdate(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *rmkeys,
+		      dns_rdataset_t *cds, dns_rdataset_t *cdnskey,
+		      isc_stdtime_t now, dns_ttl_t ttl, dns_diff_t *diff,
+		      isc_mem_t *mctx) {
+	unsigned char dsbuf1[DNS_DS_BUFFERSIZE];
+	unsigned char dsbuf2[DNS_DS_BUFFERSIZE];
+	unsigned char keybuf[DST_KEY_MAXSIZE];
+	isc_result_t result;
+	dns_dnsseckey_t *key;
+
+	for (key = ISC_LIST_HEAD(*keys); key != NULL;
+	     key = ISC_LIST_NEXT(key, link))
+	{
+		dns_rdata_t cds_sha1 = DNS_RDATA_INIT;
+		dns_rdata_t cds_sha256 = DNS_RDATA_INIT;
+		dns_rdata_t cdnskeyrdata = DNS_RDATA_INIT;
+		dns_name_t *origin = dst_key_name(key->key);
+
+		RETERR(make_dnskey(key->key, keybuf, sizeof(keybuf),
+				   &cdnskeyrdata));
+
+		/*
+		 * We construct the SHA-1 version of the record so we can
+		 * delete any old records generated by previous versions of
+		 * BIND. We only add SHA-256 records.
+		 *
+		 * XXXMPA we need to be able to specify the DS algorithms
+		 * to be used here and below with rmkeys.
+		 */
+		RETERR(dns_ds_buildrdata(origin, &cdnskeyrdata,
+					 DNS_DSDIGEST_SHA1, dsbuf1, &cds_sha1));
+		RETERR(dns_ds_buildrdata(origin, &cdnskeyrdata,
+					 DNS_DSDIGEST_SHA256, dsbuf2,
+					 &cds_sha256));
+
+		/*
+		 * Now that the we have created the DS records convert
+		 * the rdata to CDNSKEY and CDS for comparison.
+		 */
+		cdnskeyrdata.type = dns_rdatatype_cdnskey;
+		cds_sha1.type = dns_rdatatype_cds;
+		cds_sha256.type = dns_rdatatype_cds;
+
+		if (syncpublish(key->key, now)) {
+			char keystr[DST_KEY_FORMATSIZE];
+			dst_key_format(key->key, keystr, sizeof(keystr));
+
+			if (!dns_rdataset_isassociated(cdnskey) ||
+			    !exists(cdnskey, &cdnskeyrdata))
+			{
+				isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+					      DNS_LOGMODULE_DNSSEC,
+					      ISC_LOG_INFO,
+					      "CDS for key %s is now published",
+					      keystr);
+				RETERR(addrdata(&cdnskeyrdata, diff, origin,
+						ttl, mctx));
+			}
+			/* Only publish SHA-256 (SHA-1 is deprecated) */
+			if (!dns_rdataset_isassociated(cds) ||
+			    !exists(cds, &cds_sha256))
+			{
+				isc_log_write(
+					dns_lctx, DNS_LOGCATEGORY_GENERAL,
+					DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO,
+					"CDNSKEY for key %s is now published",
+					keystr);
+				RETERR(addrdata(&cds_sha256, diff, origin, ttl,
+						mctx));
+			}
+		}
+
+		if (syncdelete(key->key, now)) {
+			char keystr[DST_KEY_FORMATSIZE];
+			dst_key_format(key->key, keystr, sizeof(keystr));
+
+			if (dns_rdataset_isassociated(cds)) {
+				/* Delete both SHA-1 and SHA-256 */
+				if (exists(cds, &cds_sha1)) {
+					isc_log_write(dns_lctx,
+						      DNS_LOGCATEGORY_GENERAL,
+						      DNS_LOGMODULE_DNSSEC,
+						      ISC_LOG_INFO,
+						      "CDS (SHA-1) for key %s "
+						      "is now deleted",
+						      keystr);
+					RETERR(delrdata(&cds_sha1, diff, origin,
+							cds->ttl, mctx));
+				}
+				if (exists(cds, &cds_sha256)) {
+					isc_log_write(dns_lctx,
+						      DNS_LOGCATEGORY_GENERAL,
+						      DNS_LOGMODULE_DNSSEC,
+						      ISC_LOG_INFO,
+						      "CDS (SHA-256) for key "
+						      "%s is now deleted",
+						      keystr);
+					RETERR(delrdata(&cds_sha256, diff,
+							origin, cds->ttl,
+							mctx));
+				}
+			}
+
+			if (dns_rdataset_isassociated(cdnskey)) {
+				if (exists(cdnskey, &cdnskeyrdata)) {
+					isc_log_write(dns_lctx,
+						      DNS_LOGCATEGORY_GENERAL,
+						      DNS_LOGMODULE_DNSSEC,
+						      ISC_LOG_INFO,
+						      "CDNSKEY for key %s is "
+						      "now deleted",
+						      keystr);
+					RETERR(delrdata(&cdnskeyrdata, diff,
+							origin, cdnskey->ttl,
+							mctx));
+				}
+			}
+		}
+	}
+
+	if (!dns_rdataset_isassociated(cds) &&
+	    !dns_rdataset_isassociated(cdnskey))
+	{
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * Unconditionally remove CDS/DNSKEY records for removed keys.
+	 */
+	for (key = ISC_LIST_HEAD(*rmkeys); key != NULL;
+	     key = ISC_LIST_NEXT(key, link))
+	{
+		dns_rdata_t cds_sha1 = DNS_RDATA_INIT;
+		dns_rdata_t cds_sha256 = DNS_RDATA_INIT;
+		dns_rdata_t cdnskeyrdata = DNS_RDATA_INIT;
+		dns_name_t *origin = dst_key_name(key->key);
+
+		char keystr[DST_KEY_FORMATSIZE];
+		dst_key_format(key->key, keystr, sizeof(keystr));
+
+		RETERR(make_dnskey(key->key, keybuf, sizeof(keybuf),
+				   &cdnskeyrdata));
+
+		if (dns_rdataset_isassociated(cds)) {
+			RETERR(dns_ds_buildrdata(origin, &cdnskeyrdata,
+						 DNS_DSDIGEST_SHA1, dsbuf1,
+						 &cds_sha1));
+			RETERR(dns_ds_buildrdata(origin, &cdnskeyrdata,
+						 DNS_DSDIGEST_SHA256, dsbuf2,
+						 &cds_sha256));
+			if (exists(cds, &cds_sha1)) {
+				isc_log_write(
+					dns_lctx, DNS_LOGCATEGORY_GENERAL,
+					DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO,
+					"CDS (SHA-1) for key %s is now deleted",
+					keystr);
+				RETERR(delrdata(&cds_sha1, diff, origin,
+						cds->ttl, mctx));
+			}
+			if (exists(cds, &cds_sha256)) {
+				isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+					      DNS_LOGMODULE_DNSSEC,
+					      ISC_LOG_INFO,
+					      "CDS (SHA-256) for key %s is now "
+					      "deleted",
+					      keystr);
+				RETERR(delrdata(&cds_sha256, diff, origin,
+						cds->ttl, mctx));
+			}
+		}
+
+		if (dns_rdataset_isassociated(cdnskey)) {
+			if (exists(cdnskey, &cdnskeyrdata)) {
+				isc_log_write(
+					dns_lctx, DNS_LOGCATEGORY_GENERAL,
+					DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO,
+					"CDNSKEY for key %s is now deleted",
+					keystr);
+				RETERR(delrdata(&cdnskeyrdata, diff, origin,
+						cdnskey->ttl, mctx));
+			}
+		}
+	}
+
+	result = ISC_R_SUCCESS;
+
+failure:
+	return (result);
+}
+
+isc_result_t
+dns_dnssec_syncdelete(dns_rdataset_t *cds, dns_rdataset_t *cdnskey,
+		      dns_name_t *origin, dns_rdataclass_t zclass,
+		      dns_ttl_t ttl, dns_diff_t *diff, isc_mem_t *mctx,
+		      bool expect_cds_delete, bool expect_cdnskey_delete) {
+	unsigned char dsbuf[5] = { 0, 0, 0, 0, 0 };  /* CDS DELETE rdata */
+	unsigned char keybuf[5] = { 0, 0, 3, 0, 0 }; /* CDNSKEY DELETE rdata */
+	char namebuf[DNS_NAME_FORMATSIZE];
+	dns_rdata_t cds_delete = DNS_RDATA_INIT;
+	dns_rdata_t cdnskey_delete = DNS_RDATA_INIT;
+	isc_region_t r;
+	isc_result_t result;
+
+	r.base = keybuf;
+	r.length = sizeof(keybuf);
+	dns_rdata_fromregion(&cdnskey_delete, zclass, dns_rdatatype_cdnskey,
+			     &r);
+
+	r.base = dsbuf;
+	r.length = sizeof(dsbuf);
+	dns_rdata_fromregion(&cds_delete, zclass, dns_rdatatype_cds, &r);
+
+	dns_name_format(origin, namebuf, sizeof(namebuf));
+
+	if (expect_cds_delete) {
+		if (!dns_rdataset_isassociated(cds) ||
+		    !exists(cds, &cds_delete))
+		{
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO,
+				      "CDS (DELETE) for zone %s is now "
+				      "published",
+				      namebuf);
+			RETERR(addrdata(&cds_delete, diff, origin, ttl, mctx));
+		}
+	} else {
+		if (dns_rdataset_isassociated(cds) && exists(cds, &cds_delete))
+		{
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO,
+				      "CDS (DELETE) for zone %s is now "
+				      "deleted",
+				      namebuf);
+			RETERR(delrdata(&cds_delete, diff, origin, cds->ttl,
+					mctx));
+		}
+	}
+
+	if (expect_cdnskey_delete) {
+		if (!dns_rdataset_isassociated(cdnskey) ||
+		    !exists(cdnskey, &cdnskey_delete))
+		{
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO,
+				      "CDNSKEY (DELETE) for zone %s is now "
+				      "published",
+				      namebuf);
+			RETERR(addrdata(&cdnskey_delete, diff, origin, ttl,
+					mctx));
+		}
+	} else {
+		if (dns_rdataset_isassociated(cdnskey) &&
+		    exists(cdnskey, &cdnskey_delete))
+		{
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO,
+				      "CDNSKEY (DELETE) for zone %s is now "
+				      "deleted",
+				      namebuf);
+			RETERR(delrdata(&cdnskey_delete, diff, origin,
+					cdnskey->ttl, mctx));
+		}
+	}
+
+	result = ISC_R_SUCCESS;
+
+failure:
+	return (result);
+}
+
+/*
+ * Update 'keys' with information from 'newkeys'.
+ *
+ * If 'removed' is not NULL, any keys that are being removed from
+ * the zone will be added to the list for post-removal processing.
+ */
+isc_result_t
+dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
+		      dns_dnsseckeylist_t *removed, const dns_name_t *origin,
+		      dns_ttl_t hint_ttl, dns_diff_t *diff, isc_mem_t *mctx,
+		      void (*report)(const char *, ...)) {
+	isc_result_t result;
+	dns_dnsseckey_t *key, *key1, *key2, *next;
+	bool found_ttl = false;
+	dns_ttl_t ttl = hint_ttl;
+
+	/*
+	 * First, look through the existing key list to find keys
+	 * supplied from the command line which are not in the zone.
+	 * Update the zone to include them.
+	 *
+	 * Also, if there are keys published in the zone already,
+	 * use their TTL for all subsequent published keys.
+	 */
+	for (key = ISC_LIST_HEAD(*keys); key != NULL;
+	     key = ISC_LIST_NEXT(key, link))
+	{
+		if (key->source == dns_keysource_user &&
+		    (key->hint_publish || key->force_publish))
+		{
+			RETERR(publish_key(diff, key, origin, ttl, mctx,
+					   report));
+		}
+		if (key->source == dns_keysource_zoneapex) {
+			ttl = dst_key_getttl(key->key);
+			found_ttl = true;
+		}
+	}
+
+	/*
+	 * If there were no existing keys, use the smallest nonzero
+	 * TTL of the keys found in the repository.
+	 */
+	if (!found_ttl && !ISC_LIST_EMPTY(*newkeys)) {
+		dns_ttl_t shortest = 0;
+
+		for (key = ISC_LIST_HEAD(*newkeys); key != NULL;
+		     key = ISC_LIST_NEXT(key, link))
+		{
+			dns_ttl_t thisttl = dst_key_getttl(key->key);
+			if (thisttl != 0 &&
+			    (shortest == 0 || thisttl < shortest))
+			{
+				shortest = thisttl;
+			}
+		}
+
+		if (shortest != 0) {
+			ttl = shortest;
+		}
+	}
+
+	/*
+	 * Second, scan the list of newly found keys looking for matches
+	 * with known keys, and update accordingly.
+	 */
+	for (key1 = ISC_LIST_HEAD(*newkeys); key1 != NULL; key1 = next) {
+		bool key_revoked = false;
+		char keystr1[DST_KEY_FORMATSIZE];
+		char keystr2[DST_KEY_FORMATSIZE];
+
+		next = ISC_LIST_NEXT(key1, link);
+
+		for (key2 = ISC_LIST_HEAD(*keys); key2 != NULL;
+		     key2 = ISC_LIST_NEXT(key2, link))
+		{
+			int f1 = dst_key_flags(key1->key);
+			int f2 = dst_key_flags(key2->key);
+			int nr1 = f1 & ~DNS_KEYFLAG_REVOKE;
+			int nr2 = f2 & ~DNS_KEYFLAG_REVOKE;
+			if (nr1 == nr2 &&
+			    dst_key_alg(key1->key) == dst_key_alg(key2->key) &&
+			    dst_key_pubcompare(key1->key, key2->key, true))
+			{
+				int r1, r2;
+				r1 = dst_key_flags(key1->key) &
+				     DNS_KEYFLAG_REVOKE;
+				r2 = dst_key_flags(key2->key) &
+				     DNS_KEYFLAG_REVOKE;
+				key_revoked = (r1 != r2);
+				break;
+			}
+		}
+
+		/* Printable version of key1 (the newly acquired key) */
+		dst_key_format(key1->key, keystr1, sizeof(keystr1));
+
+		/* No match found in keys; add the new key. */
+		if (key2 == NULL) {
+			ISC_LIST_UNLINK(*newkeys, key1, link);
+			ISC_LIST_APPEND(*keys, key1, link);
+
+			if (key1->source != dns_keysource_zoneapex &&
+			    (key1->hint_publish || key1->force_publish))
+			{
+				RETERR(publish_key(diff, key1, origin, ttl,
+						   mctx, report));
+				isc_log_write(
+					dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+					DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO,
+					"DNSKEY %s (%s) is now published",
+					keystr1,
+					key1->ksk ? (key1->zsk ? "CSK" : "KSK")
+						  : "ZSK");
+				if (key1->hint_sign || key1->force_sign) {
+					key1->first_sign = true;
+					isc_log_write(
+						dns_lctx,
+						DNS_LOGCATEGORY_DNSSEC,
+						DNS_LOGMODULE_DNSSEC,
+						ISC_LOG_INFO,
+						"DNSKEY %s (%s) is now "
+						"active",
+						keystr1,
+						key1->ksk ? (key1->zsk ? "CSK"
+								       : "KSK")
+							  : "ZSK");
+				}
+			}
+
+			continue;
+		}
+
+		/* Printable version of key2 (the old key, if any) */
+		dst_key_format(key2->key, keystr2, sizeof(keystr2));
+
+		/* Copy key metadata. */
+		dst_key_copy_metadata(key2->key, key1->key);
+
+		/* Match found: remove or update it as needed */
+		if (key1->hint_remove) {
+			RETERR(remove_key(diff, key2, origin, ttl, mctx,
+					  "expired", report));
+			ISC_LIST_UNLINK(*keys, key2, link);
+
+			if (removed != NULL) {
+				ISC_LIST_APPEND(*removed, key2, link);
+				isc_log_write(
+					dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+					DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO,
+					"DNSKEY %s (%s) is now deleted",
+					keystr2,
+					key2->ksk ? (key2->zsk ? "CSK" : "KSK")
+						  : "ZSK");
+			} else {
+				dns_dnsseckey_destroy(mctx, &key2);
+			}
+		} else if (key_revoked &&
+			   (dst_key_flags(key1->key) & DNS_KEYFLAG_REVOKE) != 0)
+		{
+			/*
+			 * A previously valid key has been revoked.
+			 * We need to remove the old version and pull
+			 * in the new one.
+			 */
+			RETERR(remove_key(diff, key2, origin, ttl, mctx,
+					  "revoked", report));
+			ISC_LIST_UNLINK(*keys, key2, link);
+			if (removed != NULL) {
+				ISC_LIST_APPEND(*removed, key2, link);
+				isc_log_write(
+					dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+					DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO,
+					"DNSKEY %s (%s) is now revoked; "
+					"new ID is %05d",
+					keystr2,
+					key2->ksk ? (key2->zsk ? "CSK" : "KSK")
+						  : "ZSK",
+					dst_key_id(key1->key));
+			} else {
+				dns_dnsseckey_destroy(mctx, &key2);
+			}
+
+			RETERR(publish_key(diff, key1, origin, ttl, mctx,
+					   report));
+			ISC_LIST_UNLINK(*newkeys, key1, link);
+			ISC_LIST_APPEND(*keys, key1, link);
+
+			/*
+			 * XXX: The revoke flag is only defined for trust
+			 * anchors.  Setting the flag on a non-KSK is legal,
+			 * but not defined in any RFC.  It seems reasonable
+			 * to treat it the same as a KSK: keep it in the
+			 * zone, sign the DNSKEY set with it, but not
+			 * sign other records with it.
+			 */
+			key1->ksk = true;
+			continue;
+		} else {
+			if (!key2->is_active &&
+			    (key1->hint_sign || key1->force_sign))
+			{
+				key2->first_sign = true;
+				isc_log_write(
+					dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+					DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO,
+					"DNSKEY %s (%s) is now active", keystr1,
+					key1->ksk ? (key1->zsk ? "CSK" : "KSK")
+						  : "ZSK");
+			} else if (key2->is_active && !key1->hint_sign &&
+				   !key1->force_sign)
+			{
+				isc_log_write(
+					dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+					DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO,
+					"DNSKEY %s (%s) is now inactive",
+					keystr1,
+					key1->ksk ? (key1->zsk ? "CSK" : "KSK")
+						  : "ZSK");
+			}
+
+			key2->hint_sign = key1->hint_sign;
+			key2->hint_publish = key1->hint_publish;
+		}
+	}
+
+	/* Free any leftover keys in newkeys */
+	while (!ISC_LIST_EMPTY(*newkeys)) {
+		key1 = ISC_LIST_HEAD(*newkeys);
+		ISC_LIST_UNLINK(*newkeys, key1, link);
+		dns_dnsseckey_destroy(mctx, &key1);
+	}
+
+	result = ISC_R_SUCCESS;
+
+failure:
+	return (result);
+}
+
+isc_result_t
+dns_dnssec_matchdskey(dns_name_t *name, dns_rdata_t *dsrdata,
+		      dns_rdataset_t *keyset, dns_rdata_t *keyrdata) {
+	isc_result_t result;
+	unsigned char buf[DNS_DS_BUFFERSIZE];
+	dns_keytag_t keytag;
+	dns_rdata_dnskey_t key;
+	dns_rdata_ds_t ds;
+	isc_region_t r;
+
+	result = dns_rdata_tostruct(dsrdata, &ds, NULL);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	for (result = dns_rdataset_first(keyset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(keyset))
+	{
+		dns_rdata_t newdsrdata = DNS_RDATA_INIT;
+
+		dns_rdata_reset(keyrdata);
+		dns_rdataset_current(keyset, keyrdata);
+
+		result = dns_rdata_tostruct(keyrdata, &key, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		dns_rdata_toregion(keyrdata, &r);
+		keytag = dst_region_computeid(&r);
+
+		if (ds.key_tag != keytag || ds.algorithm != key.algorithm) {
+			continue;
+		}
+
+		result = dns_ds_buildrdata(name, keyrdata, ds.digest_type, buf,
+					   &newdsrdata);
+		if (result != ISC_R_SUCCESS) {
+			continue;
+		}
+
+		if (dns_rdata_compare(dsrdata, &newdsrdata) == 0) {
+			break;
+		}
+	}
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_NOTFOUND;
+	}
+
+	return (result);
+}
diff --git a/lib/dns/dnstap.c b/lib/dns/dnstap.c
new file mode 100644
index 0000000..97f0709
--- /dev/null
+++ b/lib/dns/dnstap.c
@@ -0,0 +1,1386 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (c) 2013-2014, Farsight Security, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+ * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*! \file */
+
+#ifndef HAVE_DNSTAP
+#error DNSTAP not configured.
+#endif /* HAVE_DNSTAP */
+
+#include <fstrm.h>
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/file.h>
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/mutex.h>
+#include <isc/once.h>
+#include <isc/print.h>
+#include <isc/sockaddr.h>
+#include <isc/task.h>
+#include <isc/thread.h>
+#include <isc/time.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <dns/dnstap.h>
+#include <dns/events.h>
+#include <dns/log.h>
+#include <dns/message.h>
+#include <dns/name.h>
+#include <dns/rdataset.h>
+#include <dns/result.h>
+#include <dns/stats.h>
+#include <dns/types.h>
+#include <dns/view.h>
+
+#include "dnstap.pb-c.h"
+
+#define DTENV_MAGIC	 ISC_MAGIC('D', 't', 'n', 'v')
+#define VALID_DTENV(env) ISC_MAGIC_VALID(env, DTENV_MAGIC)
+
+#define DNSTAP_CONTENT_TYPE	"protobuf:dnstap.Dnstap"
+#define DNSTAP_INITIAL_BUF_SIZE 256
+
+struct dns_dtmsg {
+	void *buf;
+	size_t len;
+	Dnstap__Dnstap d;
+	Dnstap__Message m;
+};
+
+struct dns_dthandle {
+	dns_dtmode_t mode;
+	struct fstrm_reader *reader;
+	isc_mem_t *mctx;
+};
+
+struct dns_dtenv {
+	unsigned int magic;
+	isc_refcount_t refcount;
+
+	isc_mem_t *mctx;
+
+	struct fstrm_iothr *iothr;
+	struct fstrm_iothr_options *fopt;
+
+	isc_task_t *reopen_task;
+	isc_mutex_t reopen_lock; /* locks 'reopen_queued'
+				  * */
+	bool reopen_queued;
+
+	isc_region_t identity;
+	isc_region_t version;
+	char *path;
+	dns_dtmode_t mode;
+	isc_offset_t max_size;
+	int rolls;
+	isc_log_rollsuffix_t suffix;
+	isc_stats_t *stats;
+};
+
+#define CHECK(x)                             \
+	do {                                 \
+		result = (x);                \
+		if (result != ISC_R_SUCCESS) \
+			goto cleanup;        \
+	} while (0)
+
+typedef struct ioq {
+	unsigned int generation;
+	struct fstrm_iothr_queue *ioq;
+} dt__ioq_t;
+
+ISC_THREAD_LOCAL dt__ioq_t dt_ioq = { 0 };
+
+static atomic_uint_fast32_t global_generation;
+
+isc_result_t
+dns_dt_create(isc_mem_t *mctx, dns_dtmode_t mode, const char *path,
+	      struct fstrm_iothr_options **foptp, isc_task_t *reopen_task,
+	      dns_dtenv_t **envp) {
+	isc_result_t result = ISC_R_SUCCESS;
+	fstrm_res res;
+	struct fstrm_unix_writer_options *fuwopt = NULL;
+	struct fstrm_file_options *ffwopt = NULL;
+	struct fstrm_writer_options *fwopt = NULL;
+	struct fstrm_writer *fw = NULL;
+	dns_dtenv_t *env = NULL;
+
+	REQUIRE(path != NULL);
+	REQUIRE(envp != NULL && *envp == NULL);
+	REQUIRE(foptp != NULL && *foptp != NULL);
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSTAP, DNS_LOGMODULE_DNSTAP,
+		      ISC_LOG_INFO, "opening dnstap destination '%s'", path);
+
+	atomic_fetch_add_release(&global_generation, 1);
+
+	env = isc_mem_get(mctx, sizeof(dns_dtenv_t));
+
+	memset(env, 0, sizeof(dns_dtenv_t));
+	isc_mem_attach(mctx, &env->mctx);
+	env->reopen_task = reopen_task;
+	isc_mutex_init(&env->reopen_lock);
+	env->reopen_queued = false;
+	env->path = isc_mem_strdup(env->mctx, path);
+	isc_refcount_init(&env->refcount, 1);
+	CHECK(isc_stats_create(env->mctx, &env->stats, dns_dnstapcounter_max));
+
+	fwopt = fstrm_writer_options_init();
+	if (fwopt == NULL) {
+		CHECK(ISC_R_NOMEMORY);
+	}
+
+	res = fstrm_writer_options_add_content_type(
+		fwopt, DNSTAP_CONTENT_TYPE, sizeof(DNSTAP_CONTENT_TYPE) - 1);
+	if (res != fstrm_res_success) {
+		CHECK(ISC_R_FAILURE);
+	}
+
+	if (mode == dns_dtmode_file) {
+		ffwopt = fstrm_file_options_init();
+		if (ffwopt != NULL) {
+			fstrm_file_options_set_file_path(ffwopt, env->path);
+			fw = fstrm_file_writer_init(ffwopt, fwopt);
+		}
+	} else if (mode == dns_dtmode_unix) {
+		fuwopt = fstrm_unix_writer_options_init();
+		if (fuwopt != NULL) {
+			fstrm_unix_writer_options_set_socket_path(fuwopt,
+								  env->path);
+			fw = fstrm_unix_writer_init(fuwopt, fwopt);
+		}
+	} else {
+		CHECK(ISC_R_FAILURE);
+	}
+
+	if (fw == NULL) {
+		CHECK(ISC_R_FAILURE);
+	}
+
+	env->iothr = fstrm_iothr_init(*foptp, &fw);
+	if (env->iothr == NULL) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSTAP,
+			      DNS_LOGMODULE_DNSTAP, ISC_LOG_WARNING,
+			      "unable to initialize dnstap I/O thread");
+		fstrm_writer_destroy(&fw);
+		CHECK(ISC_R_FAILURE);
+	}
+	env->mode = mode;
+	env->max_size = 0;
+	env->rolls = ISC_LOG_ROLLINFINITE;
+	env->fopt = *foptp;
+	*foptp = NULL;
+
+	env->magic = DTENV_MAGIC;
+	*envp = env;
+
+cleanup:
+	if (ffwopt != NULL) {
+		fstrm_file_options_destroy(&ffwopt);
+	}
+
+	if (fuwopt != NULL) {
+		fstrm_unix_writer_options_destroy(&fuwopt);
+	}
+
+	if (fwopt != NULL) {
+		fstrm_writer_options_destroy(&fwopt);
+	}
+
+	if (result != ISC_R_SUCCESS) {
+		isc_mutex_destroy(&env->reopen_lock);
+		isc_mem_free(env->mctx, env->path);
+		if (env->stats != NULL) {
+			isc_stats_detach(&env->stats);
+		}
+		isc_mem_putanddetach(&env->mctx, env, sizeof(dns_dtenv_t));
+	}
+
+	return (result);
+}
+
+isc_result_t
+dns_dt_setupfile(dns_dtenv_t *env, uint64_t max_size, int rolls,
+		 isc_log_rollsuffix_t suffix) {
+	REQUIRE(VALID_DTENV(env));
+
+	/*
+	 * If we're using unix domain socket mode, then any
+	 * change from the default values is invalid.
+	 */
+	if (env->mode == dns_dtmode_unix) {
+		if (max_size == 0 && rolls == ISC_LOG_ROLLINFINITE &&
+		    suffix == isc_log_rollsuffix_increment)
+		{
+			return (ISC_R_SUCCESS);
+		} else {
+			return (ISC_R_INVALIDFILE);
+		}
+	}
+
+	env->max_size = max_size;
+	env->rolls = rolls;
+	env->suffix = suffix;
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_dt_reopen(dns_dtenv_t *env, int roll) {
+	isc_result_t result = ISC_R_SUCCESS;
+	fstrm_res res;
+	isc_logfile_t file;
+	struct fstrm_unix_writer_options *fuwopt = NULL;
+	struct fstrm_file_options *ffwopt = NULL;
+	struct fstrm_writer_options *fwopt = NULL;
+	struct fstrm_writer *fw = NULL;
+
+	REQUIRE(VALID_DTENV(env));
+
+	/*
+	 * Run in task-exclusive mode.
+	 */
+	result = isc_task_beginexclusive(env->reopen_task);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	/*
+	 * Check that we can create a new fw object.
+	 */
+	fwopt = fstrm_writer_options_init();
+	if (fwopt == NULL) {
+		CHECK(ISC_R_NOMEMORY);
+	}
+
+	res = fstrm_writer_options_add_content_type(
+		fwopt, DNSTAP_CONTENT_TYPE, sizeof(DNSTAP_CONTENT_TYPE) - 1);
+	if (res != fstrm_res_success) {
+		CHECK(ISC_R_FAILURE);
+	}
+
+	if (env->mode == dns_dtmode_file) {
+		ffwopt = fstrm_file_options_init();
+		if (ffwopt != NULL) {
+			fstrm_file_options_set_file_path(ffwopt, env->path);
+			fw = fstrm_file_writer_init(ffwopt, fwopt);
+		}
+	} else if (env->mode == dns_dtmode_unix) {
+		fuwopt = fstrm_unix_writer_options_init();
+		if (fuwopt != NULL) {
+			fstrm_unix_writer_options_set_socket_path(fuwopt,
+								  env->path);
+			fw = fstrm_unix_writer_init(fuwopt, fwopt);
+		}
+	} else {
+		CHECK(ISC_R_NOTIMPLEMENTED);
+	}
+
+	if (fw == NULL) {
+		CHECK(ISC_R_FAILURE);
+	}
+
+	/*
+	 * We are committed here.
+	 */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSTAP, DNS_LOGMODULE_DNSTAP,
+		      ISC_LOG_INFO, "%s dnstap destination '%s'",
+		      (roll < 0) ? "reopening" : "rolling", env->path);
+
+	atomic_fetch_add_release(&global_generation, 1);
+
+	if (env->iothr != NULL) {
+		fstrm_iothr_destroy(&env->iothr);
+	}
+
+	if (roll == 0) {
+		roll = env->rolls;
+	}
+
+	if (env->mode == dns_dtmode_file && roll != 0) {
+		/*
+		 * Create a temporary isc_logfile_t structure so we can
+		 * take advantage of the logfile rolling facility.
+		 */
+		char *filename = isc_mem_strdup(env->mctx, env->path);
+		file.name = filename;
+		file.stream = NULL;
+		file.versions = roll;
+		file.maximum_size = 0;
+		file.maximum_reached = false;
+		file.suffix = env->suffix;
+		result = isc_logfile_roll(&file);
+		isc_mem_free(env->mctx, filename);
+		CHECK(result);
+	}
+
+	env->iothr = fstrm_iothr_init(env->fopt, &fw);
+	if (env->iothr == NULL) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSTAP,
+			      DNS_LOGMODULE_DNSTAP, ISC_LOG_WARNING,
+			      "unable to initialize dnstap I/O thread");
+		CHECK(ISC_R_FAILURE);
+	}
+
+cleanup:
+	if (fw != NULL) {
+		fstrm_writer_destroy(&fw);
+	}
+
+	if (fuwopt != NULL) {
+		fstrm_unix_writer_options_destroy(&fuwopt);
+	}
+
+	if (ffwopt != NULL) {
+		fstrm_file_options_destroy(&ffwopt);
+	}
+
+	if (fwopt != NULL) {
+		fstrm_writer_options_destroy(&fwopt);
+	}
+
+	isc_task_endexclusive(env->reopen_task);
+
+	return (result);
+}
+
+static isc_result_t
+toregion(dns_dtenv_t *env, isc_region_t *r, const char *str) {
+	unsigned char *p = NULL;
+
+	REQUIRE(r != NULL);
+
+	if (str != NULL) {
+		p = (unsigned char *)isc_mem_strdup(env->mctx, str);
+	}
+
+	if (r->base != NULL) {
+		isc_mem_free(env->mctx, r->base);
+		r->length = 0;
+	}
+
+	if (p != NULL) {
+		r->base = p;
+		r->length = strlen((char *)p);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_dt_setidentity(dns_dtenv_t *env, const char *identity) {
+	REQUIRE(VALID_DTENV(env));
+
+	return (toregion(env, &env->identity, identity));
+}
+
+isc_result_t
+dns_dt_setversion(dns_dtenv_t *env, const char *version) {
+	REQUIRE(VALID_DTENV(env));
+
+	return (toregion(env, &env->version, version));
+}
+
+static void
+set_dt_ioq(unsigned int generation, struct fstrm_iothr_queue *ioq) {
+	dt_ioq.generation = generation;
+	dt_ioq.ioq = ioq;
+}
+
+static struct fstrm_iothr_queue *
+dt_queue(dns_dtenv_t *env) {
+	REQUIRE(VALID_DTENV(env));
+
+	unsigned int generation;
+
+	if (env->iothr == NULL) {
+		return (NULL);
+	}
+
+	generation = atomic_load_acquire(&global_generation);
+	if (dt_ioq.ioq != NULL && dt_ioq.generation != generation) {
+		set_dt_ioq(0, NULL);
+	}
+	if (dt_ioq.ioq == NULL) {
+		struct fstrm_iothr_queue *ioq =
+			fstrm_iothr_get_input_queue(env->iothr);
+		set_dt_ioq(generation, ioq);
+	}
+
+	return (dt_ioq.ioq);
+}
+
+void
+dns_dt_attach(dns_dtenv_t *source, dns_dtenv_t **destp) {
+	REQUIRE(VALID_DTENV(source));
+	REQUIRE(destp != NULL && *destp == NULL);
+
+	isc_refcount_increment(&source->refcount);
+	*destp = source;
+}
+
+isc_result_t
+dns_dt_getstats(dns_dtenv_t *env, isc_stats_t **statsp) {
+	REQUIRE(VALID_DTENV(env));
+	REQUIRE(statsp != NULL && *statsp == NULL);
+
+	if (env->stats == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+	isc_stats_attach(env->stats, statsp);
+	return (ISC_R_SUCCESS);
+}
+
+static void
+destroy(dns_dtenv_t *env) {
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSTAP, DNS_LOGMODULE_DNSTAP,
+		      ISC_LOG_INFO, "closing dnstap");
+	env->magic = 0;
+
+	atomic_fetch_add(&global_generation, 1);
+
+	if (env->iothr != NULL) {
+		fstrm_iothr_destroy(&env->iothr);
+	}
+	if (env->fopt != NULL) {
+		fstrm_iothr_options_destroy(&env->fopt);
+	}
+
+	if (env->identity.base != NULL) {
+		isc_mem_free(env->mctx, env->identity.base);
+		env->identity.length = 0;
+	}
+	if (env->version.base != NULL) {
+		isc_mem_free(env->mctx, env->version.base);
+		env->version.length = 0;
+	}
+	if (env->path != NULL) {
+		isc_mem_free(env->mctx, env->path);
+	}
+	if (env->stats != NULL) {
+		isc_stats_detach(&env->stats);
+	}
+
+	isc_mem_putanddetach(&env->mctx, env, sizeof(*env));
+}
+
+void
+dns_dt_detach(dns_dtenv_t **envp) {
+	REQUIRE(envp != NULL && VALID_DTENV(*envp));
+	dns_dtenv_t *env = *envp;
+	*envp = NULL;
+
+	if (isc_refcount_decrement(&env->refcount) == 1) {
+		isc_refcount_destroy(&env->refcount);
+		destroy(env);
+	}
+}
+
+static isc_result_t
+pack_dt(const Dnstap__Dnstap *d, void **buf, size_t *sz) {
+	ProtobufCBufferSimple sbuf;
+
+	REQUIRE(d != NULL);
+	REQUIRE(sz != NULL);
+
+	memset(&sbuf, 0, sizeof(sbuf));
+	sbuf.base.append = protobuf_c_buffer_simple_append;
+	sbuf.len = 0;
+	sbuf.alloced = DNSTAP_INITIAL_BUF_SIZE;
+
+	/* Need to use malloc() here because protobuf uses free() */
+	sbuf.data = malloc(sbuf.alloced);
+	if (sbuf.data == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+	sbuf.must_free_data = 1;
+
+	*sz = dnstap__dnstap__pack_to_buffer(d, (ProtobufCBuffer *)&sbuf);
+	if (sbuf.data == NULL) {
+		return (ISC_R_FAILURE);
+	}
+	*buf = sbuf.data;
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+send_dt(dns_dtenv_t *env, void *buf, size_t len) {
+	struct fstrm_iothr_queue *ioq;
+	fstrm_res res;
+
+	REQUIRE(env != NULL);
+
+	if (buf == NULL) {
+		return;
+	}
+
+	ioq = dt_queue(env);
+	if (ioq == NULL) {
+		free(buf);
+		return;
+	}
+
+	res = fstrm_iothr_submit(env->iothr, ioq, buf, len, fstrm_free_wrapper,
+				 NULL);
+	if (res != fstrm_res_success) {
+		if (env->stats != NULL) {
+			isc_stats_increment(env->stats, dns_dnstapcounter_drop);
+		}
+		free(buf);
+	} else {
+		if (env->stats != NULL) {
+			isc_stats_increment(env->stats,
+					    dns_dnstapcounter_success);
+		}
+	}
+}
+
+static void
+init_msg(dns_dtenv_t *env, dns_dtmsg_t *dm, Dnstap__Message__Type mtype) {
+	memset(dm, 0, sizeof(*dm));
+	dm->d.base.descriptor = &dnstap__dnstap__descriptor;
+	dm->m.base.descriptor = &dnstap__message__descriptor;
+	dm->d.type = DNSTAP__DNSTAP__TYPE__MESSAGE;
+	dm->d.message = &dm->m;
+	dm->m.type = mtype;
+
+	if (env->identity.length != 0) {
+		dm->d.identity.data = env->identity.base;
+		dm->d.identity.len = env->identity.length;
+		dm->d.has_identity = true;
+	}
+
+	if (env->version.length != 0) {
+		dm->d.version.data = env->version.base;
+		dm->d.version.len = env->version.length;
+		dm->d.has_version = true;
+	}
+}
+
+static Dnstap__Message__Type
+dnstap_type(dns_dtmsgtype_t msgtype) {
+	switch (msgtype) {
+	case DNS_DTTYPE_SQ:
+		return (DNSTAP__MESSAGE__TYPE__STUB_QUERY);
+	case DNS_DTTYPE_SR:
+		return (DNSTAP__MESSAGE__TYPE__STUB_RESPONSE);
+	case DNS_DTTYPE_CQ:
+		return (DNSTAP__MESSAGE__TYPE__CLIENT_QUERY);
+	case DNS_DTTYPE_CR:
+		return (DNSTAP__MESSAGE__TYPE__CLIENT_RESPONSE);
+	case DNS_DTTYPE_AQ:
+		return (DNSTAP__MESSAGE__TYPE__AUTH_QUERY);
+	case DNS_DTTYPE_AR:
+		return (DNSTAP__MESSAGE__TYPE__AUTH_RESPONSE);
+	case DNS_DTTYPE_RQ:
+		return (DNSTAP__MESSAGE__TYPE__RESOLVER_QUERY);
+	case DNS_DTTYPE_RR:
+		return (DNSTAP__MESSAGE__TYPE__RESOLVER_RESPONSE);
+	case DNS_DTTYPE_FQ:
+		return (DNSTAP__MESSAGE__TYPE__FORWARDER_QUERY);
+	case DNS_DTTYPE_FR:
+		return (DNSTAP__MESSAGE__TYPE__FORWARDER_RESPONSE);
+	case DNS_DTTYPE_TQ:
+		return (DNSTAP__MESSAGE__TYPE__TOOL_QUERY);
+	case DNS_DTTYPE_TR:
+		return (DNSTAP__MESSAGE__TYPE__TOOL_RESPONSE);
+	case DNS_DTTYPE_UQ:
+		return (DNSTAP__MESSAGE__TYPE__UPDATE_QUERY);
+	case DNS_DTTYPE_UR:
+		return (DNSTAP__MESSAGE__TYPE__UPDATE_RESPONSE);
+	default:
+		UNREACHABLE();
+	}
+}
+
+static void
+cpbuf(isc_buffer_t *buf, ProtobufCBinaryData *p, protobuf_c_boolean *has) {
+	p->data = isc_buffer_base(buf);
+	p->len = isc_buffer_usedlength(buf);
+	*has = 1;
+}
+
+static void
+setaddr(dns_dtmsg_t *dm, isc_sockaddr_t *sa, bool tcp,
+	ProtobufCBinaryData *addr, protobuf_c_boolean *has_addr, uint32_t *port,
+	protobuf_c_boolean *has_port) {
+	int family = isc_sockaddr_pf(sa);
+
+	if (family != AF_INET6 && family != AF_INET) {
+		return;
+	}
+
+	if (family == AF_INET6) {
+		dm->m.socket_family = DNSTAP__SOCKET_FAMILY__INET6;
+		addr->data = sa->type.sin6.sin6_addr.s6_addr;
+		addr->len = 16;
+		*port = ntohs(sa->type.sin6.sin6_port);
+	} else {
+		dm->m.socket_family = DNSTAP__SOCKET_FAMILY__INET;
+		addr->data = (uint8_t *)&sa->type.sin.sin_addr.s_addr;
+		addr->len = 4;
+		*port = ntohs(sa->type.sin.sin_port);
+	}
+
+	if (tcp) {
+		dm->m.socket_protocol = DNSTAP__SOCKET_PROTOCOL__TCP;
+	} else {
+		dm->m.socket_protocol = DNSTAP__SOCKET_PROTOCOL__UDP;
+	}
+
+	dm->m.has_socket_protocol = 1;
+	dm->m.has_socket_family = 1;
+	*has_addr = 1;
+	*has_port = 1;
+}
+
+/*%
+ * Invoke dns_dt_reopen() and re-allow dnstap output file rolling.  This
+ * function is run in the context of the task stored in the 'reopen_task' field
+ * of the dnstap environment structure.
+ */
+static void
+perform_reopen(isc_task_t *task, isc_event_t *event) {
+	dns_dtenv_t *env;
+
+	REQUIRE(event != NULL);
+	REQUIRE(event->ev_type == DNS_EVENT_FREESTORAGE);
+
+	env = (dns_dtenv_t *)event->ev_arg;
+
+	REQUIRE(VALID_DTENV(env));
+	REQUIRE(task == env->reopen_task);
+
+	/*
+	 * Roll output file in the context of env->reopen_task.
+	 */
+	dns_dt_reopen(env, env->rolls);
+
+	/*
+	 * Clean up.
+	 */
+	isc_event_free(&event);
+	isc_task_detach(&task);
+
+	/*
+	 * Re-allow output file rolling.
+	 */
+	LOCK(&env->reopen_lock);
+	env->reopen_queued = false;
+	UNLOCK(&env->reopen_lock);
+}
+
+/*%
+ * Check whether a dnstap output file roll is due and if so, initiate it (the
+ * actual roll happens asynchronously).
+ */
+static void
+check_file_size_and_maybe_reopen(dns_dtenv_t *env) {
+	isc_task_t *reopen_task = NULL;
+	isc_event_t *event;
+	struct stat statbuf;
+
+	/*
+	 * If the task from which the output file should be reopened was not
+	 * specified, abort.
+	 */
+	if (env->reopen_task == NULL) {
+		return;
+	}
+
+	/*
+	 * If an output file roll is not currently queued, check the current
+	 * size of the output file to see whether a roll is needed.  Return if
+	 * it is not.
+	 */
+	LOCK(&env->reopen_lock);
+	if (env->reopen_queued || stat(env->path, &statbuf) < 0 ||
+	    statbuf.st_size <= env->max_size)
+	{
+		goto unlock_and_return;
+	}
+
+	/*
+	 * We need to roll the output file, but it needs to be done in the
+	 * context of env->reopen_task.  Allocate and send an event to achieve
+	 * that, then disallow output file rolling until the roll we queue is
+	 * completed.
+	 */
+	event = isc_event_allocate(env->mctx, NULL, DNS_EVENT_FREESTORAGE,
+				   perform_reopen, env, sizeof(*event));
+	isc_task_attach(env->reopen_task, &reopen_task);
+	isc_task_send(reopen_task, &event);
+	env->reopen_queued = true;
+
+unlock_and_return:
+	UNLOCK(&env->reopen_lock);
+}
+
+void
+dns_dt_send(dns_view_t *view, dns_dtmsgtype_t msgtype, isc_sockaddr_t *qaddr,
+	    isc_sockaddr_t *raddr, bool tcp, isc_region_t *zone,
+	    isc_time_t *qtime, isc_time_t *rtime, isc_buffer_t *buf) {
+	isc_time_t now, *t;
+	dns_dtmsg_t dm;
+
+	REQUIRE(DNS_VIEW_VALID(view));
+
+	if ((msgtype & view->dttypes) == 0) {
+		return;
+	}
+
+	if (view->dtenv == NULL) {
+		return;
+	}
+
+	REQUIRE(VALID_DTENV(view->dtenv));
+
+	if (view->dtenv->max_size != 0) {
+		check_file_size_and_maybe_reopen(view->dtenv);
+	}
+
+	TIME_NOW(&now);
+	t = &now;
+
+	init_msg(view->dtenv, &dm, dnstap_type(msgtype));
+
+	/* Query/response times */
+	switch (msgtype) {
+	case DNS_DTTYPE_AR:
+	case DNS_DTTYPE_CR:
+	case DNS_DTTYPE_RR:
+	case DNS_DTTYPE_FR:
+	case DNS_DTTYPE_SR:
+	case DNS_DTTYPE_TR:
+	case DNS_DTTYPE_UR:
+		if (rtime != NULL) {
+			t = rtime;
+		}
+
+		dm.m.response_time_sec = isc_time_seconds(t);
+		dm.m.has_response_time_sec = 1;
+		dm.m.response_time_nsec = isc_time_nanoseconds(t);
+		dm.m.has_response_time_nsec = 1;
+
+		/*
+		 * Types RR and FR can fall through and get the query
+		 * time set as well. Any other response type, break.
+		 */
+		if (msgtype != DNS_DTTYPE_RR && msgtype != DNS_DTTYPE_FR) {
+			break;
+		}
+
+		FALLTHROUGH;
+	case DNS_DTTYPE_AQ:
+	case DNS_DTTYPE_CQ:
+	case DNS_DTTYPE_FQ:
+	case DNS_DTTYPE_RQ:
+	case DNS_DTTYPE_SQ:
+	case DNS_DTTYPE_TQ:
+	case DNS_DTTYPE_UQ:
+		if (qtime != NULL) {
+			t = qtime;
+		}
+
+		dm.m.query_time_sec = isc_time_seconds(t);
+		dm.m.has_query_time_sec = 1;
+		dm.m.query_time_nsec = isc_time_nanoseconds(t);
+		dm.m.has_query_time_nsec = 1;
+		break;
+	default:
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSTAP,
+			      DNS_LOGMODULE_DNSTAP, ISC_LOG_ERROR,
+			      "invalid dnstap message type %d", msgtype);
+		return;
+	}
+
+	/* Query and response messages */
+	if ((msgtype & DNS_DTTYPE_QUERY) != 0) {
+		cpbuf(buf, &dm.m.query_message, &dm.m.has_query_message);
+	} else if ((msgtype & DNS_DTTYPE_RESPONSE) != 0) {
+		cpbuf(buf, &dm.m.response_message, &dm.m.has_response_message);
+	}
+
+	/* Zone/bailiwick */
+	switch (msgtype) {
+	case DNS_DTTYPE_AR:
+	case DNS_DTTYPE_RQ:
+	case DNS_DTTYPE_RR:
+	case DNS_DTTYPE_FQ:
+	case DNS_DTTYPE_FR:
+		if (zone != NULL && zone->base != NULL && zone->length != 0) {
+			dm.m.query_zone.data = zone->base;
+			dm.m.query_zone.len = zone->length;
+			dm.m.has_query_zone = 1;
+		}
+		break;
+	default:
+		break;
+	}
+
+	if (qaddr != NULL) {
+		setaddr(&dm, qaddr, tcp, &dm.m.query_address,
+			&dm.m.has_query_address, &dm.m.query_port,
+			&dm.m.has_query_port);
+	}
+	if (raddr != NULL) {
+		setaddr(&dm, raddr, tcp, &dm.m.response_address,
+			&dm.m.has_response_address, &dm.m.response_port,
+			&dm.m.has_response_port);
+	}
+
+	if (pack_dt(&dm.d, &dm.buf, &dm.len) == ISC_R_SUCCESS) {
+		send_dt(view->dtenv, dm.buf, dm.len);
+	}
+}
+
+static isc_result_t
+putstr(isc_buffer_t **b, const char *str) {
+	isc_result_t result;
+
+	result = isc_buffer_reserve(b, strlen(str));
+	if (result != ISC_R_SUCCESS) {
+		return (ISC_R_NOSPACE);
+	}
+
+	isc_buffer_putstr(*b, str);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+putaddr(isc_buffer_t **b, isc_region_t *ip) {
+	char buf[64];
+
+	if (ip->length == 4) {
+		if (!inet_ntop(AF_INET, ip->base, buf, sizeof(buf))) {
+			return (ISC_R_FAILURE);
+		}
+	} else if (ip->length == 16) {
+		if (!inet_ntop(AF_INET6, ip->base, buf, sizeof(buf))) {
+			return (ISC_R_FAILURE);
+		}
+	} else {
+		return (ISC_R_BADADDRESSFORM);
+	}
+
+	return (putstr(b, buf));
+}
+
+static bool
+dnstap_file(struct fstrm_reader *r) {
+	fstrm_res res;
+	const struct fstrm_control *control = NULL;
+	const uint8_t *rtype = NULL;
+	size_t dlen = strlen(DNSTAP_CONTENT_TYPE), rlen = 0;
+	size_t n = 0;
+
+	res = fstrm_reader_get_control(r, FSTRM_CONTROL_START, &control);
+	if (res != fstrm_res_success) {
+		return (false);
+	}
+
+	res = fstrm_control_get_num_field_content_type(control, &n);
+	if (res != fstrm_res_success) {
+		return (false);
+	}
+	if (n > 0) {
+		res = fstrm_control_get_field_content_type(control, 0, &rtype,
+							   &rlen);
+		if (res != fstrm_res_success) {
+			return (false);
+		}
+
+		if (rlen != dlen) {
+			return (false);
+		}
+
+		if (memcmp(DNSTAP_CONTENT_TYPE, rtype, dlen) == 0) {
+			return (true);
+		}
+	}
+
+	return (false);
+}
+
+isc_result_t
+dns_dt_open(const char *filename, dns_dtmode_t mode, isc_mem_t *mctx,
+	    dns_dthandle_t **handlep) {
+	isc_result_t result;
+	struct fstrm_file_options *fopt = NULL;
+	fstrm_res res;
+	dns_dthandle_t *handle;
+
+	REQUIRE(handlep != NULL && *handlep == NULL);
+
+	handle = isc_mem_get(mctx, sizeof(*handle));
+
+	handle->mode = mode;
+	handle->mctx = NULL;
+
+	switch (mode) {
+	case dns_dtmode_file:
+		fopt = fstrm_file_options_init();
+		if (fopt == NULL) {
+			CHECK(ISC_R_NOMEMORY);
+		}
+
+		fstrm_file_options_set_file_path(fopt, filename);
+
+		handle->reader = fstrm_file_reader_init(fopt, NULL);
+		if (handle->reader == NULL) {
+			CHECK(ISC_R_NOMEMORY);
+		}
+
+		res = fstrm_reader_open(handle->reader);
+		if (res != fstrm_res_success) {
+			CHECK(ISC_R_FAILURE);
+		}
+
+		if (!dnstap_file(handle->reader)) {
+			CHECK(DNS_R_BADDNSTAP);
+		}
+		break;
+	case dns_dtmode_unix:
+		result = ISC_R_NOTIMPLEMENTED;
+		goto cleanup;
+	default:
+		UNREACHABLE();
+	}
+
+	isc_mem_attach(mctx, &handle->mctx);
+	result = ISC_R_SUCCESS;
+	*handlep = handle;
+	handle = NULL;
+
+cleanup:
+	if (result != ISC_R_SUCCESS && handle->reader != NULL) {
+		fstrm_reader_destroy(&handle->reader);
+		handle->reader = NULL;
+	}
+	if (fopt != NULL) {
+		fstrm_file_options_destroy(&fopt);
+	}
+	if (handle != NULL) {
+		isc_mem_put(mctx, handle, sizeof(*handle));
+	}
+	return (result);
+}
+
+isc_result_t
+dns_dt_getframe(dns_dthandle_t *handle, uint8_t **bufp, size_t *sizep) {
+	const uint8_t *data;
+	fstrm_res res;
+
+	REQUIRE(handle != NULL);
+	REQUIRE(bufp != NULL);
+	REQUIRE(sizep != NULL);
+
+	data = (const uint8_t *)*bufp;
+
+	res = fstrm_reader_read(handle->reader, &data, sizep);
+	switch (res) {
+	case fstrm_res_success:
+		if (data == NULL) {
+			return (ISC_R_FAILURE);
+		}
+		DE_CONST(data, *bufp);
+		return (ISC_R_SUCCESS);
+	case fstrm_res_stop:
+		return (ISC_R_NOMORE);
+	default:
+		return (ISC_R_FAILURE);
+	}
+}
+
+void
+dns_dt_close(dns_dthandle_t **handlep) {
+	dns_dthandle_t *handle;
+
+	REQUIRE(handlep != NULL && *handlep != NULL);
+
+	handle = *handlep;
+	*handlep = NULL;
+
+	if (handle->reader != NULL) {
+		fstrm_reader_destroy(&handle->reader);
+		handle->reader = NULL;
+	}
+	isc_mem_putanddetach(&handle->mctx, handle, sizeof(*handle));
+}
+
+isc_result_t
+dns_dt_parse(isc_mem_t *mctx, isc_region_t *src, dns_dtdata_t **destp) {
+	isc_result_t result;
+	Dnstap__Dnstap *frame;
+	Dnstap__Message *m;
+	dns_dtdata_t *d = NULL;
+	isc_buffer_t b;
+
+	REQUIRE(src != NULL);
+	REQUIRE(destp != NULL && *destp == NULL);
+
+	d = isc_mem_get(mctx, sizeof(*d));
+
+	memset(d, 0, sizeof(*d));
+	isc_mem_attach(mctx, &d->mctx);
+
+	d->frame = dnstap__dnstap__unpack(NULL, src->length, src->base);
+	if (d->frame == NULL) {
+		CHECK(ISC_R_NOMEMORY);
+	}
+
+	frame = (Dnstap__Dnstap *)d->frame;
+
+	if (frame->type != DNSTAP__DNSTAP__TYPE__MESSAGE) {
+		CHECK(DNS_R_BADDNSTAP);
+	}
+
+	m = frame->message;
+
+	/* Message type */
+	switch (m->type) {
+	case DNSTAP__MESSAGE__TYPE__AUTH_QUERY:
+		d->type = DNS_DTTYPE_AQ;
+		break;
+	case DNSTAP__MESSAGE__TYPE__AUTH_RESPONSE:
+		d->type = DNS_DTTYPE_AR;
+		break;
+	case DNSTAP__MESSAGE__TYPE__CLIENT_QUERY:
+		d->type = DNS_DTTYPE_CQ;
+		break;
+	case DNSTAP__MESSAGE__TYPE__CLIENT_RESPONSE:
+		d->type = DNS_DTTYPE_CR;
+		break;
+	case DNSTAP__MESSAGE__TYPE__FORWARDER_QUERY:
+		d->type = DNS_DTTYPE_FQ;
+		break;
+	case DNSTAP__MESSAGE__TYPE__FORWARDER_RESPONSE:
+		d->type = DNS_DTTYPE_FR;
+		break;
+	case DNSTAP__MESSAGE__TYPE__RESOLVER_QUERY:
+		d->type = DNS_DTTYPE_RQ;
+		break;
+	case DNSTAP__MESSAGE__TYPE__RESOLVER_RESPONSE:
+		d->type = DNS_DTTYPE_RR;
+		break;
+	case DNSTAP__MESSAGE__TYPE__STUB_QUERY:
+		d->type = DNS_DTTYPE_SQ;
+		break;
+	case DNSTAP__MESSAGE__TYPE__STUB_RESPONSE:
+		d->type = DNS_DTTYPE_SR;
+		break;
+	case DNSTAP__MESSAGE__TYPE__TOOL_QUERY:
+		d->type = DNS_DTTYPE_TQ;
+		break;
+	case DNSTAP__MESSAGE__TYPE__TOOL_RESPONSE:
+		d->type = DNS_DTTYPE_TR;
+		break;
+	case DNSTAP__MESSAGE__TYPE__UPDATE_QUERY:
+		d->type = DNS_DTTYPE_UQ;
+		break;
+	case DNSTAP__MESSAGE__TYPE__UPDATE_RESPONSE:
+		d->type = DNS_DTTYPE_UR;
+		break;
+	default:
+		CHECK(DNS_R_BADDNSTAP);
+	}
+
+	/* Query? */
+	if ((d->type & DNS_DTTYPE_QUERY) != 0) {
+		d->query = true;
+	} else {
+		d->query = false;
+	}
+
+	/* Parse DNS message */
+	if (d->query && m->has_query_message) {
+		d->msgdata.base = m->query_message.data;
+		d->msgdata.length = m->query_message.len;
+	} else if (!d->query && m->has_response_message) {
+		d->msgdata.base = m->response_message.data;
+		d->msgdata.length = m->response_message.len;
+	}
+
+	isc_buffer_init(&b, d->msgdata.base, d->msgdata.length);
+	isc_buffer_add(&b, d->msgdata.length);
+	dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &d->msg);
+	result = dns_message_parse(d->msg, &b, 0);
+	if (result != ISC_R_SUCCESS) {
+		if (result != DNS_R_RECOVERABLE) {
+			dns_message_detach(&d->msg);
+		}
+		result = ISC_R_SUCCESS;
+	}
+
+	/* Timestamp */
+	if (d->query) {
+		if (m->has_query_time_sec && m->has_query_time_nsec) {
+			isc_time_set(&d->qtime, m->query_time_sec,
+				     m->query_time_nsec);
+		}
+	} else {
+		if (m->has_response_time_sec && m->has_response_time_nsec) {
+			isc_time_set(&d->rtime, m->response_time_sec,
+				     m->response_time_nsec);
+		}
+	}
+
+	/* Peer address */
+	if (m->has_query_address) {
+		d->qaddr.base = m->query_address.data;
+		d->qaddr.length = m->query_address.len;
+	}
+	if (m->has_query_port) {
+		d->qport = m->query_port;
+	}
+
+	if (m->has_response_address) {
+		d->raddr.base = m->response_address.data;
+		d->raddr.length = m->response_address.len;
+	}
+	if (m->has_response_port) {
+		d->rport = m->response_port;
+	}
+
+	/* Socket protocol */
+	if (m->has_socket_protocol) {
+		const ProtobufCEnumValue *type =
+			protobuf_c_enum_descriptor_get_value(
+				&dnstap__socket_protocol__descriptor,
+				m->socket_protocol);
+		if (type != NULL && type->value == DNSTAP__SOCKET_PROTOCOL__TCP)
+		{
+			d->tcp = true;
+		} else {
+			d->tcp = false;
+		}
+	}
+
+	/* Query tuple */
+	if (d->msg != NULL) {
+		dns_name_t *name = NULL;
+		dns_rdataset_t *rdataset;
+
+		CHECK(dns_message_firstname(d->msg, DNS_SECTION_QUESTION));
+		dns_message_currentname(d->msg, DNS_SECTION_QUESTION, &name);
+		rdataset = ISC_LIST_HEAD(name->list);
+
+		dns_name_format(name, d->namebuf, sizeof(d->namebuf));
+		dns_rdatatype_format(rdataset->type, d->typebuf,
+				     sizeof(d->typebuf));
+		dns_rdataclass_format(rdataset->rdclass, d->classbuf,
+				      sizeof(d->classbuf));
+	}
+
+	*destp = d;
+
+cleanup:
+	if (result != ISC_R_SUCCESS) {
+		dns_dtdata_free(&d);
+	}
+
+	return (result);
+}
+
+isc_result_t
+dns_dt_datatotext(dns_dtdata_t *d, isc_buffer_t **dest) {
+	isc_result_t result;
+	char buf[100];
+
+	REQUIRE(d != NULL);
+	REQUIRE(dest != NULL && *dest != NULL);
+
+	memset(buf, 0, sizeof(buf));
+
+	/* Timestamp */
+	if (d->query && !isc_time_isepoch(&d->qtime)) {
+		isc_time_formattimestamp(&d->qtime, buf, sizeof(buf));
+	} else if (!d->query && !isc_time_isepoch(&d->rtime)) {
+		isc_time_formattimestamp(&d->rtime, buf, sizeof(buf));
+	}
+
+	if (buf[0] == '\0') {
+		CHECK(putstr(dest, "???\?-?\?-?? ??:??:??.??? "));
+	} else {
+		CHECK(putstr(dest, buf));
+		CHECK(putstr(dest, " "));
+	}
+
+	/* Type mnemonic */
+	switch (d->type) {
+	case DNS_DTTYPE_AQ:
+		CHECK(putstr(dest, "AQ "));
+		break;
+	case DNS_DTTYPE_AR:
+		CHECK(putstr(dest, "AR "));
+		break;
+	case DNS_DTTYPE_CQ:
+		CHECK(putstr(dest, "CQ "));
+		break;
+	case DNS_DTTYPE_CR:
+		CHECK(putstr(dest, "CR "));
+		break;
+	case DNS_DTTYPE_FQ:
+		CHECK(putstr(dest, "FQ "));
+		break;
+	case DNS_DTTYPE_FR:
+		CHECK(putstr(dest, "FR "));
+		break;
+	case DNS_DTTYPE_RQ:
+		CHECK(putstr(dest, "RQ "));
+		break;
+	case DNS_DTTYPE_RR:
+		CHECK(putstr(dest, "RR "));
+		break;
+	case DNS_DTTYPE_SQ:
+		CHECK(putstr(dest, "SQ "));
+		break;
+	case DNS_DTTYPE_SR:
+		CHECK(putstr(dest, "SR "));
+		break;
+	case DNS_DTTYPE_TQ:
+		CHECK(putstr(dest, "TQ "));
+		break;
+	case DNS_DTTYPE_TR:
+		CHECK(putstr(dest, "TR "));
+		break;
+	case DNS_DTTYPE_UQ:
+		CHECK(putstr(dest, "UQ "));
+		break;
+	case DNS_DTTYPE_UR:
+		CHECK(putstr(dest, "UR "));
+		break;
+	default:
+		return (DNS_R_BADDNSTAP);
+	}
+
+	/* Query and response addresses */
+	if (d->qaddr.length != 0) {
+		CHECK(putaddr(dest, &d->qaddr));
+		snprintf(buf, sizeof(buf), ":%u", d->qport);
+		CHECK(putstr(dest, buf));
+	} else {
+		CHECK(putstr(dest, "?"));
+	}
+	if ((d->type & DNS_DTTYPE_QUERY) != 0) {
+		CHECK(putstr(dest, " -> "));
+	} else {
+		CHECK(putstr(dest, " <- "));
+	}
+	if (d->raddr.length != 0) {
+		CHECK(putaddr(dest, &d->raddr));
+		snprintf(buf, sizeof(buf), ":%u", d->rport);
+		CHECK(putstr(dest, buf));
+	} else {
+		CHECK(putstr(dest, "?"));
+	}
+
+	CHECK(putstr(dest, " "));
+
+	/* Protocol */
+	if (d->tcp) {
+		CHECK(putstr(dest, "TCP "));
+	} else {
+		CHECK(putstr(dest, "UDP "));
+	}
+
+	/* Message size */
+	if (d->msgdata.base != NULL) {
+		snprintf(buf, sizeof(buf), "%zub ", (size_t)d->msgdata.length);
+		CHECK(putstr(dest, buf));
+	} else {
+		CHECK(putstr(dest, "0b "));
+	}
+
+	/* Query tuple */
+	if (d->namebuf[0] == '\0') {
+		CHECK(putstr(dest, "?/"));
+	} else {
+		CHECK(putstr(dest, d->namebuf));
+		CHECK(putstr(dest, "/"));
+	}
+
+	if (d->classbuf[0] == '\0') {
+		CHECK(putstr(dest, "?/"));
+	} else {
+		CHECK(putstr(dest, d->classbuf));
+		CHECK(putstr(dest, "/"));
+	}
+
+	if (d->typebuf[0] == '\0') {
+		CHECK(putstr(dest, "?"));
+	} else {
+		CHECK(putstr(dest, d->typebuf));
+	}
+
+	CHECK(isc_buffer_reserve(dest, 1));
+	isc_buffer_putuint8(*dest, 0);
+
+cleanup:
+	return (result);
+}
+
+void
+dns_dtdata_free(dns_dtdata_t **dp) {
+	dns_dtdata_t *d;
+
+	REQUIRE(dp != NULL && *dp != NULL);
+
+	d = *dp;
+	*dp = NULL;
+
+	if (d->msg != NULL) {
+		dns_message_detach(&d->msg);
+	}
+	if (d->frame != NULL) {
+		dnstap__dnstap__free_unpacked(d->frame, NULL);
+	}
+
+	isc_mem_putanddetach(&d->mctx, d, sizeof(*d));
+}
diff --git a/lib/dns/dnstap.proto b/lib/dns/dnstap.proto
new file mode 100644
index 0000000..9d0ac41
--- /dev/null
+++ b/lib/dns/dnstap.proto
@@ -0,0 +1,289 @@
+// Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+//
+// SPDX-License-Identifier: MPL-2.0
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, you can obtain one at https://mozilla.org/MPL/2.0/.
+//
+// See the COPYRIGHT file distributed with this work for additional
+// information regarding copyright ownership.
+
+// dnstap: flexible, structured event replication format for DNS software
+//
+// This file contains the protobuf schemas for the "dnstap" structured event
+// replication format for DNS software.
+
+// Written in 2013-2014 by Farsight Security, Inc.
+//
+// To the extent possible under law, the author(s) have dedicated all
+// copyright and related and neighboring rights to this file to the public
+// domain worldwide. This file is distributed without any warranty.
+//
+// You should have received a copy of the CC0 Public Domain Dedication along
+// with this file. If not, see:
+//
+// <http://creativecommons.org/publicdomain/zero/1.0/>.
+
+package dnstap;
+
+// "Dnstap": this is the top-level dnstap type, which is a "union" type that
+// contains other kinds of dnstap payloads, although currently only one type
+// of dnstap payload is defined.
+// See: https://developers.google.com/protocol-buffers/docs/techniques#union
+message Dnstap {
+    // DNS server identity.
+    // If enabled, this is the identity string of the DNS server which generated
+    // this message. Typically this would be the same string as returned by an
+    // "NSID" (RFC 5001) query.
+    optional bytes      identity = 1;
+
+    // DNS server version.
+    // If enabled, this is the version string of the DNS server which generated
+    // this message. Typically this would be the same string as returned by a
+    // "version.bind" query.
+    optional bytes      version = 2;
+
+    // Extra data for this payload.
+    // This field can be used for adding an arbitrary byte-string annotation to
+    // the payload. No encoding or interpretation is applied or enforced.
+    optional bytes      extra = 3;
+
+    // Identifies which field below is filled in.
+    enum Type {
+        MESSAGE = 1;
+    }
+    required Type       type = 15;
+
+    // One of the following will be filled in.
+    optional Message    message = 14;
+}
+
+// SocketFamily: the network protocol family of a socket. This specifies how
+// to interpret "network address" fields.
+enum SocketFamily {
+    INET = 1;   // IPv4 (RFC 791)
+    INET6 = 2;  // IPv6 (RFC 2460)
+}
+
+// SocketProtocol: the transport protocol of a socket. This specifies how to
+// interpret "transport port" fields.
+enum SocketProtocol {
+    UDP = 1;    // User Datagram Protocol (RFC 768)
+    TCP = 2;    // Transmission Control Protocol (RFC 793)
+}
+
+// Message: a wire-format (RFC 1035 section 4) DNS message and associated
+// metadata. Applications generating "Message" payloads should follow
+// certain requirements based on the MessageType, see below.
+message Message {
+
+    // There are eight types of "Message" defined that correspond to the
+    // four arrows in the following diagram, slightly modified from RFC 1035
+    // section 2:
+
+    //    +---------+               +----------+           +--------+
+    //    |         |     query     |          |   query   |        |
+    //    | Stub    |-SQ--------CQ->| Recursive|-RQ----AQ->| Auth.  |
+    //    | Resolver|               | Server   |           | Name   |
+    //    |         |<-SR--------CR-|          |<-RR----AR-| Server |
+    //    +---------+    response   |          |  response |        |
+    //                              +----------+           +--------+
+
+    // Each arrow has two Type values each, one for each "end" of each arrow,
+    // because these are considered to be distinct events. Each end of each
+    // arrow on the diagram above has been marked with a two-letter Type
+    // mnemonic. Clockwise from upper left, these mnemonic values are:
+    //
+    //   SQ:        STUB_QUERY
+    //   CQ:      CLIENT_QUERY
+    //   RQ:    RESOLVER_QUERY
+    //   AQ:        AUTH_QUERY
+    //   AR:        AUTH_RESPONSE
+    //   RR:    RESOLVER_RESPONSE
+    //   CR:      CLIENT_RESPONSE
+    //   SR:        STUB_RESPONSE
+
+    // Two additional types of "Message" have been defined for the
+    // "forwarding" case where an upstream DNS server is responsible for
+    // further recursion. These are not shown on the diagram above, but have
+    // the following mnemonic values:
+
+    //   FQ:   FORWARDER_QUERY
+    //   FR:   FORWARDER_RESPONSE
+
+    // The "Message" Type values are defined below.
+
+    enum Type {
+        // AUTH_QUERY is a DNS query message received from a resolver by an
+        // authoritative name server, from the perspective of the authoritative
+        // name server.
+        AUTH_QUERY = 1;
+
+        // AUTH_RESPONSE is a DNS response message sent from an authoritative
+        // name server to a resolver, from the perspective of the authoritative
+        // name server.
+        AUTH_RESPONSE = 2;
+
+        // RESOLVER_QUERY is a DNS query message sent from a resolver to an
+        // authoritative name server, from the perspective of the resolver.
+        // Resolvers typically clear the RD (recursion desired) bit when
+        // sending queries.
+        RESOLVER_QUERY = 3;
+
+        // RESOLVER_RESPONSE is a DNS response message received from an
+        // authoritative name server by a resolver, from the perspective of
+        // the resolver.
+        RESOLVER_RESPONSE = 4;
+
+        // CLIENT_QUERY is a DNS query message sent from a client to a DNS
+        // server which is expected to perform further recursion, from the
+        // perspective of the DNS server. The client may be a stub resolver or
+        // forwarder or some other type of software which typically sets the RD
+        // (recursion desired) bit when querying the DNS server. The DNS server
+        // may be a simple forwarding proxy or it may be a full recursive
+        // resolver.
+        CLIENT_QUERY = 5;
+
+        // CLIENT_RESPONSE is a DNS response message sent from a DNS server to
+        // a client, from the perspective of the DNS server. The DNS server
+        // typically sets the RA (recursion available) bit when responding.
+        CLIENT_RESPONSE = 6;
+
+        // FORWARDER_QUERY is a DNS query message sent from a downstream DNS
+        // server to an upstream DNS server which is expected to perform
+        // further recursion, from the perspective of the downstream DNS
+        // server.
+        FORWARDER_QUERY = 7;
+
+        // FORWARDER_RESPONSE is a DNS response message sent from an upstream
+        // DNS server performing recursion to a downstream DNS server, from the
+        // perspective of the downstream DNS server.
+        FORWARDER_RESPONSE = 8;
+
+        // STUB_QUERY is a DNS query message sent from a stub resolver to a DNS
+        // server, from the perspective of the stub resolver.
+        STUB_QUERY = 9;
+
+        // STUB_RESPONSE is a DNS response message sent from a DNS server to a
+        // stub resolver, from the perspective of the stub resolver.
+        STUB_RESPONSE = 10;
+
+        // TOOL_QUERY is a DNS query message sent from a DNS software tool to a
+        // DNS server, from the perspective of the tool.
+        TOOL_QUERY = 11;
+
+        // TOOL_RESPONSE is a DNS response message received by a DNS software
+        // tool from a DNS server, from the perspective of the tool.
+        TOOL_RESPONSE = 12;
+
+        // UPDATE_QUERY is a DNS update query message received from a resolver
+        // by an authoritative name server, from the perspective of the
+        // authoritative name server.
+	UPDATE_QUERY = 13;
+
+        // UPDATE_RESPONSE is a DNS update response message sent from an
+        // authoritative name server to a resolver, from the perspective of the
+        // authoritative name server.
+	UPDATE_RESPONSE = 14;
+    }
+
+    // One of the Type values described above.
+    required Type               type = 1;
+
+    // One of the SocketFamily values described above.
+    optional SocketFamily       socket_family = 2;
+
+    // One of the SocketProtocol values described above.
+    optional SocketProtocol     socket_protocol = 3;
+
+    // The network address of the message initiator.
+    // For SocketFamily INET, this field is 4 octets (IPv4 address).
+    // For SocketFamily INET6, this field is 16 octets (IPv6 address).
+    optional bytes              query_address = 4;
+
+    // The network address of the message responder.
+    // For SocketFamily INET, this field is 4 octets (IPv4 address).
+    // For SocketFamily INET6, this field is 16 octets (IPv6 address).
+    optional bytes              response_address = 5;
+
+    // The transport port of the message initiator.
+    // This is a 16-bit UDP or TCP port number, depending on SocketProtocol.
+    optional uint32             query_port = 6;
+
+    // The transport port of the message responder.
+    // This is a 16-bit UDP or TCP port number, depending on SocketProtocol.
+    optional uint32             response_port = 7;
+
+    // The time at which the DNS query message was sent or received, depending
+    // on whether this is an AUTH_QUERY, RESOLVER_QUERY, or CLIENT_QUERY.
+    // This is the number of seconds since the UNIX epoch.
+    optional uint64             query_time_sec = 8;
+
+    // The time at which the DNS query message was sent or received.
+    // This is the seconds fraction, expressed as a count of nanoseconds.
+    optional fixed32            query_time_nsec = 9;
+
+    // The initiator's original wire-format DNS query message, verbatim.
+    optional bytes              query_message = 10;
+
+    // The "zone" or "bailiwick" pertaining to the DNS query message.
+    // This is a wire-format DNS domain name.
+    optional bytes              query_zone = 11;
+
+    // The time at which the DNS response message was sent or received,
+    // depending on whether this is an AUTH_RESPONSE, RESOLVER_RESPONSE, or
+    // CLIENT_RESPONSE.
+    // This is the number of seconds since the UNIX epoch.
+    optional uint64             response_time_sec = 12;
+
+    // The time at which the DNS response message was sent or received.
+    // This is the seconds fraction, expressed as a count of nanoseconds.
+    optional fixed32            response_time_nsec = 13;
+
+    // The responder's original wire-format DNS response message, verbatim.
+    optional bytes              response_message = 14;
+}
+
+// All fields except for 'type' in the Message schema are optional.
+// It is recommended that at least the following fields be filled in for
+// particular types of Messages.
+
+// AUTH_QUERY:
+//      socket_family, socket_protocol
+//      query_address, query_port
+//      query_message
+//      query_time_sec, query_time_nsec
+
+// AUTH_RESPONSE:
+//      socket_family, socket_protocol
+//      query_address, query_port
+//      query_time_sec, query_time_nsec
+//      response_message
+//      response_time_sec, response_time_nsec
+
+// RESOLVER_QUERY:
+//      socket_family, socket_protocol
+//      query_message
+//      query_time_sec, query_time_nsec
+//      query_zone
+//      response_address, response_port
+
+// RESOLVER_RESPONSE:
+//      socket_family, socket_protocol
+//      query_time_sec, query_time_nsec
+//      query_zone
+//      response_address, response_port
+//      response_message
+//      response_time_sec, response_time_nsec
+
+// CLIENT_QUERY:
+//      socket_family, socket_protocol
+//      query_message
+//      query_time_sec, query_time_nsec
+
+// CLIENT_RESPONSE:
+//      socket_family, socket_protocol
+//      query_time_sec, query_time_nsec
+//      response_message
+//      response_time_sec, response_time_nsec
diff --git a/lib/dns/ds.c b/lib/dns/ds.c
new file mode 100644
index 0000000..feb73a7
--- /dev/null
+++ b/lib/dns/ds.c
@@ -0,0 +1,135 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <string.h>
+
+#include <isc/buffer.h>
+#include <isc/md.h>
+#include <isc/region.h>
+#include <isc/util.h>
+
+#include <dns/ds.h>
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdatastruct.h>
+#include <dns/result.h>
+
+#include <dst/dst.h>
+
+isc_result_t
+dns_ds_fromkeyrdata(const dns_name_t *owner, dns_rdata_t *key,
+		    dns_dsdigest_t digest_type, unsigned char *digest,
+		    dns_rdata_ds_t *dsrdata) {
+	isc_result_t result;
+	dns_fixedname_t fname;
+	dns_name_t *name;
+	unsigned int digestlen;
+	isc_region_t r;
+	isc_md_t *md;
+	const isc_md_type_t *md_type = NULL;
+
+	REQUIRE(key != NULL);
+	REQUIRE(key->type == dns_rdatatype_dnskey ||
+		key->type == dns_rdatatype_cdnskey);
+
+	if (!dst_ds_digest_supported(digest_type)) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	switch (digest_type) {
+	case DNS_DSDIGEST_SHA1:
+		md_type = ISC_MD_SHA1;
+		break;
+
+	case DNS_DSDIGEST_SHA384:
+		md_type = ISC_MD_SHA384;
+		break;
+
+	case DNS_DSDIGEST_SHA256:
+		md_type = ISC_MD_SHA256;
+		break;
+
+	default:
+		UNREACHABLE();
+	}
+
+	name = dns_fixedname_initname(&fname);
+	(void)dns_name_downcase(owner, name, NULL);
+
+	md = isc_md_new();
+	if (md == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	result = isc_md_init(md, md_type);
+	if (result != ISC_R_SUCCESS) {
+		goto end;
+	}
+
+	dns_name_toregion(name, &r);
+
+	result = isc_md_update(md, r.base, r.length);
+	if (result != ISC_R_SUCCESS) {
+		goto end;
+	}
+
+	dns_rdata_toregion(key, &r);
+	INSIST(r.length >= 4);
+
+	result = isc_md_update(md, r.base, r.length);
+	if (result != ISC_R_SUCCESS) {
+		goto end;
+	}
+
+	result = isc_md_final(md, digest, &digestlen);
+	if (result != ISC_R_SUCCESS) {
+		goto end;
+	}
+
+	dsrdata->mctx = NULL;
+	dsrdata->common.rdclass = key->rdclass;
+	dsrdata->common.rdtype = dns_rdatatype_ds;
+	dsrdata->algorithm = r.base[3];
+	dsrdata->key_tag = dst_region_computeid(&r);
+	dsrdata->digest_type = digest_type;
+	dsrdata->digest = digest;
+	dsrdata->length = digestlen;
+
+end:
+	isc_md_free(md);
+	return (result);
+}
+
+isc_result_t
+dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
+		  dns_dsdigest_t digest_type, unsigned char *buffer,
+		  dns_rdata_t *rdata) {
+	isc_result_t result;
+	unsigned char digest[ISC_MAX_MD_SIZE];
+	dns_rdata_ds_t ds;
+	isc_buffer_t b;
+
+	result = dns_ds_fromkeyrdata(owner, key, digest_type, digest, &ds);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	memset(buffer, 0, DNS_DS_BUFFERSIZE);
+	isc_buffer_init(&b, buffer, DNS_DS_BUFFERSIZE);
+	result = dns_rdata_fromstruct(rdata, key->rdclass, dns_rdatatype_ds,
+				      &ds, &b);
+	return (result);
+}
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
new file mode 100644
index 0000000..d49beb2
--- /dev/null
+++ b/lib/dns/dst_api.c
@@ -0,0 +1,2797 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) Network Associates, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <time.h>
+
+#include <isc/buffer.h>
+#include <isc/dir.h>
+#include <isc/file.h>
+#include <isc/fsaccess.h>
+#include <isc/lex.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/random.h>
+#include <isc/refcount.h>
+#include <isc/safe.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#include <pk11/site.h>
+
+#define DST_KEY_INTERNAL
+
+#include <dns/fixedname.h>
+#include <dns/keyvalues.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/ttl.h>
+#include <dns/types.h>
+
+#include <dst/result.h>
+
+#include "dst_internal.h"
+
+#define DST_AS_STR(t) ((t).value.as_textregion.base)
+
+#define NEXTTOKEN(lex, opt, token)                       \
+	{                                                \
+		ret = isc_lex_gettoken(lex, opt, token); \
+		if (ret != ISC_R_SUCCESS)                \
+			goto cleanup;                    \
+	}
+
+#define NEXTTOKEN_OR_EOF(lex, opt, token)                \
+	do {                                             \
+		ret = isc_lex_gettoken(lex, opt, token); \
+		if (ret == ISC_R_EOF)                    \
+			break;                           \
+		if (ret != ISC_R_SUCCESS)                \
+			goto cleanup;                    \
+	} while ((*token).type == isc_tokentype_eol);
+
+#define READLINE(lex, opt, token)                        \
+	do {                                             \
+		ret = isc_lex_gettoken(lex, opt, token); \
+		if (ret == ISC_R_EOF)                    \
+			break;                           \
+		if (ret != ISC_R_SUCCESS)                \
+			goto cleanup;                    \
+	} while ((*token).type != isc_tokentype_eol)
+
+#define BADTOKEN()                           \
+	{                                    \
+		ret = ISC_R_UNEXPECTEDTOKEN; \
+		goto cleanup;                \
+	}
+
+#define NUMERIC_NTAGS (DST_MAX_NUMERIC + 1)
+static const char *numerictags[NUMERIC_NTAGS] = {
+	"Predecessor:", "Successor:",  "MaxTTL:",    "RollPeriod:",
+	"Lifetime:",	"DSPubCount:", "DSRemCount:"
+};
+
+#define BOOLEAN_NTAGS (DST_MAX_BOOLEAN + 1)
+static const char *booleantags[BOOLEAN_NTAGS] = { "KSK:", "ZSK:" };
+
+#define TIMING_NTAGS (DST_MAX_TIMES + 1)
+static const char *timingtags[TIMING_NTAGS] = {
+	"Generated:",	 "Published:",	  "Active:",	   "Revoked:",
+	"Retired:",	 "Removed:",
+
+	"DSPublish:",	 "SyncPublish:",  "SyncDelete:",
+
+	"DNSKEYChange:", "ZRRSIGChange:", "KRRSIGChange:", "DSChange:",
+
+	"DSRemoved:"
+};
+
+#define KEYSTATES_NTAGS (DST_MAX_KEYSTATES + 1)
+static const char *keystatestags[KEYSTATES_NTAGS] = {
+	"DNSKEYState:", "ZRRSIGState:", "KRRSIGState:", "DSState:", "GoalState:"
+};
+
+#define KEYSTATES_NVALUES 4
+static const char *keystates[KEYSTATES_NVALUES] = {
+	"hidden",
+	"rumoured",
+	"omnipresent",
+	"unretentive",
+};
+
+#define STATE_ALGORITHM_STR "Algorithm:"
+#define STATE_LENGTH_STR    "Length:"
+#define MAX_NTAGS \
+	(DST_MAX_NUMERIC + DST_MAX_BOOLEAN + DST_MAX_TIMES + DST_MAX_KEYSTATES)
+
+static dst_func_t *dst_t_func[DST_MAX_ALGS];
+
+static bool dst_initialized = false;
+
+void
+gss_log(int level, const char *fmt, ...) ISC_FORMAT_PRINTF(2, 3);
+
+/*
+ * Static functions.
+ */
+static dst_key_t *
+get_key_struct(const dns_name_t *name, unsigned int alg, unsigned int flags,
+	       unsigned int protocol, unsigned int bits,
+	       dns_rdataclass_t rdclass, dns_ttl_t ttl, isc_mem_t *mctx);
+static isc_result_t
+write_public_key(const dst_key_t *key, int type, const char *directory);
+static isc_result_t
+write_key_state(const dst_key_t *key, int type, const char *directory);
+static isc_result_t
+buildfilename(dns_name_t *name, dns_keytag_t id, unsigned int alg,
+	      unsigned int type, const char *directory, isc_buffer_t *out);
+static isc_result_t
+computeid(dst_key_t *key);
+static isc_result_t
+frombuffer(const dns_name_t *name, unsigned int alg, unsigned int flags,
+	   unsigned int protocol, dns_rdataclass_t rdclass,
+	   isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp);
+
+static isc_result_t
+algorithm_status(unsigned int alg);
+
+static isc_result_t
+addsuffix(char *filename, int len, const char *dirname, const char *ofilename,
+	  const char *suffix);
+
+#define RETERR(x)                            \
+	do {                                 \
+		result = (x);                \
+		if (result != ISC_R_SUCCESS) \
+			goto out;            \
+	} while (0)
+
+#define CHECKALG(alg)                       \
+	do {                                \
+		isc_result_t _r;            \
+		_r = algorithm_status(alg); \
+		if (_r != ISC_R_SUCCESS)    \
+			return ((_r));      \
+	} while (0);
+
+isc_result_t
+dst_lib_init(isc_mem_t *mctx, const char *engine) {
+	isc_result_t result;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(!dst_initialized);
+
+	UNUSED(engine);
+
+	dst_result_register();
+
+	memset(dst_t_func, 0, sizeof(dst_t_func));
+	RETERR(dst__hmacmd5_init(&dst_t_func[DST_ALG_HMACMD5]));
+	RETERR(dst__hmacsha1_init(&dst_t_func[DST_ALG_HMACSHA1]));
+	RETERR(dst__hmacsha224_init(&dst_t_func[DST_ALG_HMACSHA224]));
+	RETERR(dst__hmacsha256_init(&dst_t_func[DST_ALG_HMACSHA256]));
+	RETERR(dst__hmacsha384_init(&dst_t_func[DST_ALG_HMACSHA384]));
+	RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512]));
+	RETERR(dst__openssl_init(engine));
+	RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH]));
+#if USE_OPENSSL
+	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1],
+				    DST_ALG_RSASHA1));
+	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1],
+				    DST_ALG_NSEC3RSASHA1));
+	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA256],
+				    DST_ALG_RSASHA256));
+	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA512],
+				    DST_ALG_RSASHA512));
+	RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
+	RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
+#ifdef HAVE_OPENSSL_ED25519
+	RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED25519]));
+#endif /* ifdef HAVE_OPENSSL_ED25519 */
+#ifdef HAVE_OPENSSL_ED448
+	RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED448]));
+#endif /* ifdef HAVE_OPENSSL_ED448 */
+#endif /* USE_OPENSSL */
+
+#if USE_PKCS11
+	RETERR(dst__pkcs11_init(mctx, engine));
+	RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA1]));
+	RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1]));
+	RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA256]));
+	RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA512]));
+	RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
+	RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
+	RETERR(dst__pkcs11eddsa_init(&dst_t_func[DST_ALG_ED25519]));
+	RETERR(dst__pkcs11eddsa_init(&dst_t_func[DST_ALG_ED448]));
+#endif /* USE_PKCS11 */
+#ifdef GSSAPI
+	RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI]));
+#endif /* ifdef GSSAPI */
+
+	dst_initialized = true;
+	return (ISC_R_SUCCESS);
+
+out:
+	/* avoid immediate crash! */
+	dst_initialized = true;
+	dst_lib_destroy();
+	return (result);
+}
+
+void
+dst_lib_destroy(void) {
+	int i;
+	RUNTIME_CHECK(dst_initialized);
+	dst_initialized = false;
+
+	for (i = 0; i < DST_MAX_ALGS; i++) {
+		if (dst_t_func[i] != NULL && dst_t_func[i]->cleanup != NULL) {
+			dst_t_func[i]->cleanup();
+		}
+	}
+	dst__openssl_destroy();
+#if USE_PKCS11
+	(void)dst__pkcs11_destroy();
+#endif /* USE_PKCS11 */
+}
+
+bool
+dst_algorithm_supported(unsigned int alg) {
+	REQUIRE(dst_initialized);
+
+	if (alg >= DST_MAX_ALGS || dst_t_func[alg] == NULL) {
+		return (false);
+	}
+	return (true);
+}
+
+bool
+dst_ds_digest_supported(unsigned int digest_type) {
+	return (digest_type == DNS_DSDIGEST_SHA1 ||
+		digest_type == DNS_DSDIGEST_SHA256 ||
+		digest_type == DNS_DSDIGEST_SHA384);
+}
+
+isc_result_t
+dst_context_create(dst_key_t *key, isc_mem_t *mctx, isc_logcategory_t *category,
+		   bool useforsigning, int maxbits, dst_context_t **dctxp) {
+	dst_context_t *dctx;
+	isc_result_t result;
+
+	REQUIRE(dst_initialized);
+	REQUIRE(VALID_KEY(key));
+	REQUIRE(mctx != NULL);
+	REQUIRE(dctxp != NULL && *dctxp == NULL);
+
+	if (key->func->createctx == NULL && key->func->createctx2 == NULL) {
+		return (DST_R_UNSUPPORTEDALG);
+	}
+	if (key->keydata.generic == NULL) {
+		return (DST_R_NULLKEY);
+	}
+
+	dctx = isc_mem_get(mctx, sizeof(dst_context_t));
+	memset(dctx, 0, sizeof(*dctx));
+	dst_key_attach(key, &dctx->key);
+	isc_mem_attach(mctx, &dctx->mctx);
+	dctx->category = category;
+	if (useforsigning) {
+		dctx->use = DO_SIGN;
+	} else {
+		dctx->use = DO_VERIFY;
+	}
+	if (key->func->createctx2 != NULL) {
+		result = key->func->createctx2(key, maxbits, dctx);
+	} else {
+		result = key->func->createctx(key, dctx);
+	}
+	if (result != ISC_R_SUCCESS) {
+		if (dctx->key != NULL) {
+			dst_key_free(&dctx->key);
+		}
+		isc_mem_putanddetach(&dctx->mctx, dctx, sizeof(dst_context_t));
+		return (result);
+	}
+	dctx->magic = CTX_MAGIC;
+	*dctxp = dctx;
+	return (ISC_R_SUCCESS);
+}
+
+void
+dst_context_destroy(dst_context_t **dctxp) {
+	dst_context_t *dctx;
+
+	REQUIRE(dctxp != NULL && VALID_CTX(*dctxp));
+
+	dctx = *dctxp;
+	*dctxp = NULL;
+	INSIST(dctx->key->func->destroyctx != NULL);
+	dctx->key->func->destroyctx(dctx);
+	if (dctx->key != NULL) {
+		dst_key_free(&dctx->key);
+	}
+	dctx->magic = 0;
+	isc_mem_putanddetach(&dctx->mctx, dctx, sizeof(dst_context_t));
+}
+
+isc_result_t
+dst_context_adddata(dst_context_t *dctx, const isc_region_t *data) {
+	REQUIRE(VALID_CTX(dctx));
+	REQUIRE(data != NULL);
+	INSIST(dctx->key->func->adddata != NULL);
+
+	return (dctx->key->func->adddata(dctx, data));
+}
+
+isc_result_t
+dst_context_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+	dst_key_t *key;
+
+	REQUIRE(VALID_CTX(dctx));
+	REQUIRE(sig != NULL);
+
+	key = dctx->key;
+	CHECKALG(key->key_alg);
+	if (key->keydata.generic == NULL) {
+		return (DST_R_NULLKEY);
+	}
+
+	if (key->func->sign == NULL) {
+		return (DST_R_NOTPRIVATEKEY);
+	}
+	if (key->func->isprivate == NULL || !key->func->isprivate(key)) {
+		return (DST_R_NOTPRIVATEKEY);
+	}
+
+	return (key->func->sign(dctx, sig));
+}
+
+isc_result_t
+dst_context_verify(dst_context_t *dctx, isc_region_t *sig) {
+	REQUIRE(VALID_CTX(dctx));
+	REQUIRE(sig != NULL);
+
+	CHECKALG(dctx->key->key_alg);
+	if (dctx->key->keydata.generic == NULL) {
+		return (DST_R_NULLKEY);
+	}
+	if (dctx->key->func->verify == NULL) {
+		return (DST_R_NOTPUBLICKEY);
+	}
+
+	return (dctx->key->func->verify(dctx, sig));
+}
+
+isc_result_t
+dst_context_verify2(dst_context_t *dctx, unsigned int maxbits,
+		    isc_region_t *sig) {
+	REQUIRE(VALID_CTX(dctx));
+	REQUIRE(sig != NULL);
+
+	CHECKALG(dctx->key->key_alg);
+	if (dctx->key->keydata.generic == NULL) {
+		return (DST_R_NULLKEY);
+	}
+	if (dctx->key->func->verify == NULL && dctx->key->func->verify2 == NULL)
+	{
+		return (DST_R_NOTPUBLICKEY);
+	}
+
+	return (dctx->key->func->verify2 != NULL
+			? dctx->key->func->verify2(dctx, maxbits, sig)
+			: dctx->key->func->verify(dctx, sig));
+}
+
+isc_result_t
+dst_key_computesecret(const dst_key_t *pub, const dst_key_t *priv,
+		      isc_buffer_t *secret) {
+	REQUIRE(dst_initialized);
+	REQUIRE(VALID_KEY(pub) && VALID_KEY(priv));
+	REQUIRE(secret != NULL);
+
+	CHECKALG(pub->key_alg);
+	CHECKALG(priv->key_alg);
+
+	if (pub->keydata.generic == NULL || priv->keydata.generic == NULL) {
+		return (DST_R_NULLKEY);
+	}
+
+	if (pub->key_alg != priv->key_alg || pub->func->computesecret == NULL ||
+	    priv->func->computesecret == NULL)
+	{
+		return (DST_R_KEYCANNOTCOMPUTESECRET);
+	}
+
+	if (!dst_key_isprivate(priv)) {
+		return (DST_R_NOTPRIVATEKEY);
+	}
+
+	return (pub->func->computesecret(pub, priv, secret));
+}
+
+isc_result_t
+dst_key_tofile(const dst_key_t *key, int type, const char *directory) {
+	isc_result_t ret = ISC_R_SUCCESS;
+
+	REQUIRE(dst_initialized);
+	REQUIRE(VALID_KEY(key));
+	REQUIRE((type &
+		 (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC | DST_TYPE_STATE)) != 0);
+
+	CHECKALG(key->key_alg);
+
+	if (key->func->tofile == NULL) {
+		return (DST_R_UNSUPPORTEDALG);
+	}
+
+	if ((type & DST_TYPE_PUBLIC) != 0) {
+		ret = write_public_key(key, type, directory);
+		if (ret != ISC_R_SUCCESS) {
+			return (ret);
+		}
+	}
+
+	if ((type & DST_TYPE_STATE) != 0) {
+		ret = write_key_state(key, type, directory);
+		if (ret != ISC_R_SUCCESS) {
+			return (ret);
+		}
+	}
+
+	if (((type & DST_TYPE_PRIVATE) != 0) &&
+	    (key->key_flags & DNS_KEYFLAG_TYPEMASK) != DNS_KEYTYPE_NOKEY)
+	{
+		return (key->func->tofile(key, directory));
+	}
+	return (ISC_R_SUCCESS);
+}
+
+void
+dst_key_setexternal(dst_key_t *key, bool value) {
+	REQUIRE(VALID_KEY(key));
+
+	key->external = value;
+}
+
+bool
+dst_key_isexternal(dst_key_t *key) {
+	REQUIRE(VALID_KEY(key));
+
+	return (key->external);
+}
+
+void
+dst_key_setmodified(dst_key_t *key, bool value) {
+	REQUIRE(VALID_KEY(key));
+
+	isc_mutex_lock(&key->mdlock);
+	key->modified = value;
+	isc_mutex_unlock(&key->mdlock);
+}
+
+bool
+dst_key_ismodified(const dst_key_t *key) {
+	bool modified;
+	dst_key_t *k;
+
+	REQUIRE(VALID_KEY(key));
+
+	DE_CONST(key, k);
+
+	isc_mutex_lock(&k->mdlock);
+	modified = key->modified;
+	isc_mutex_unlock(&k->mdlock);
+
+	return (modified);
+}
+
+isc_result_t
+dst_key_getfilename(dns_name_t *name, dns_keytag_t id, unsigned int alg,
+		    int type, const char *directory, isc_mem_t *mctx,
+		    isc_buffer_t *buf) {
+	isc_result_t result;
+
+	REQUIRE(dst_initialized);
+	REQUIRE(dns_name_isabsolute(name));
+	REQUIRE((type &
+		 (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC | DST_TYPE_STATE)) != 0);
+	REQUIRE(mctx != NULL);
+	REQUIRE(buf != NULL);
+
+	CHECKALG(alg);
+
+	result = buildfilename(name, id, alg, type, directory, buf);
+	if (result == ISC_R_SUCCESS) {
+		if (isc_buffer_availablelength(buf) > 0) {
+			isc_buffer_putuint8(buf, 0);
+		} else {
+			result = ISC_R_NOSPACE;
+		}
+	}
+
+	return (result);
+}
+
+isc_result_t
+dst_key_fromfile(dns_name_t *name, dns_keytag_t id, unsigned int alg, int type,
+		 const char *directory, isc_mem_t *mctx, dst_key_t **keyp) {
+	isc_result_t result;
+	char filename[NAME_MAX];
+	isc_buffer_t buf;
+	dst_key_t *key;
+
+	REQUIRE(dst_initialized);
+	REQUIRE(dns_name_isabsolute(name));
+	REQUIRE((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) != 0);
+	REQUIRE(mctx != NULL);
+	REQUIRE(keyp != NULL && *keyp == NULL);
+
+	CHECKALG(alg);
+
+	key = NULL;
+
+	isc_buffer_init(&buf, filename, NAME_MAX);
+	result = dst_key_getfilename(name, id, alg, type, NULL, mctx, &buf);
+	if (result != ISC_R_SUCCESS) {
+		goto out;
+	}
+
+	result = dst_key_fromnamedfile(filename, directory, type, mctx, &key);
+	if (result != ISC_R_SUCCESS) {
+		goto out;
+	}
+
+	result = computeid(key);
+	if (result != ISC_R_SUCCESS) {
+		goto out;
+	}
+
+	if (!dns_name_equal(name, key->key_name) || id != key->key_id ||
+	    alg != key->key_alg)
+	{
+		result = DST_R_INVALIDPRIVATEKEY;
+		goto out;
+	}
+
+	*keyp = key;
+	result = ISC_R_SUCCESS;
+
+out:
+	if ((key != NULL) && (result != ISC_R_SUCCESS)) {
+		dst_key_free(&key);
+	}
+
+	return (result);
+}
+
+isc_result_t
+dst_key_fromnamedfile(const char *filename, const char *dirname, int type,
+		      isc_mem_t *mctx, dst_key_t **keyp) {
+	isc_result_t result;
+	dst_key_t *pubkey = NULL, *key = NULL;
+	char *newfilename = NULL, *statefilename = NULL;
+	int newfilenamelen = 0, statefilenamelen = 0;
+	isc_lex_t *lex = NULL;
+
+	REQUIRE(dst_initialized);
+	REQUIRE(filename != NULL);
+	REQUIRE((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) != 0);
+	REQUIRE(mctx != NULL);
+	REQUIRE(keyp != NULL && *keyp == NULL);
+
+	/* If an absolute path is specified, don't use the key directory */
+#ifndef WIN32
+	if (filename[0] == '/') {
+		dirname = NULL;
+	}
+#else  /* WIN32 */
+	if (filename[0] == '/' || filename[0] == '\\') {
+		dirname = NULL;
+	}
+#endif /* ifndef WIN32 */
+
+	newfilenamelen = strlen(filename) + 5;
+	if (dirname != NULL) {
+		newfilenamelen += strlen(dirname) + 1;
+	}
+	newfilename = isc_mem_get(mctx, newfilenamelen);
+	result = addsuffix(newfilename, newfilenamelen, dirname, filename,
+			   ".key");
+	INSIST(result == ISC_R_SUCCESS);
+
+	RETERR(dst_key_read_public(newfilename, type, mctx, &pubkey));
+	isc_mem_put(mctx, newfilename, newfilenamelen);
+
+	/*
+	 * Read the state file, if requested by type.
+	 */
+	if ((type & DST_TYPE_STATE) != 0) {
+		statefilenamelen = strlen(filename) + 7;
+		if (dirname != NULL) {
+			statefilenamelen += strlen(dirname) + 1;
+		}
+		statefilename = isc_mem_get(mctx, statefilenamelen);
+		result = addsuffix(statefilename, statefilenamelen, dirname,
+				   filename, ".state");
+		INSIST(result == ISC_R_SUCCESS);
+	}
+
+	pubkey->kasp = false;
+	if ((type & DST_TYPE_STATE) != 0) {
+		result = dst_key_read_state(statefilename, mctx, &pubkey);
+		if (result == ISC_R_SUCCESS) {
+			pubkey->kasp = true;
+		} else if (result == ISC_R_FILENOTFOUND) {
+			/* Having no state is valid. */
+			result = ISC_R_SUCCESS;
+		}
+		RETERR(result);
+	}
+
+	if ((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) == DST_TYPE_PUBLIC ||
+	    (pubkey->key_flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY)
+	{
+		RETERR(computeid(pubkey));
+		pubkey->modified = false;
+		*keyp = pubkey;
+		pubkey = NULL;
+		goto out;
+	}
+
+	RETERR(algorithm_status(pubkey->key_alg));
+
+	key = get_key_struct(pubkey->key_name, pubkey->key_alg,
+			     pubkey->key_flags, pubkey->key_proto,
+			     pubkey->key_size, pubkey->key_class,
+			     pubkey->key_ttl, mctx);
+	if (key == NULL) {
+		RETERR(ISC_R_NOMEMORY);
+	}
+
+	if (key->func->parse == NULL) {
+		RETERR(DST_R_UNSUPPORTEDALG);
+	}
+
+	newfilenamelen = strlen(filename) + 9;
+	if (dirname != NULL) {
+		newfilenamelen += strlen(dirname) + 1;
+	}
+	newfilename = isc_mem_get(mctx, newfilenamelen);
+	result = addsuffix(newfilename, newfilenamelen, dirname, filename,
+			   ".private");
+	INSIST(result == ISC_R_SUCCESS);
+
+	RETERR(isc_lex_create(mctx, 1500, &lex));
+	RETERR(isc_lex_openfile(lex, newfilename));
+	isc_mem_put(mctx, newfilename, newfilenamelen);
+
+	RETERR(key->func->parse(key, lex, pubkey));
+	isc_lex_destroy(&lex);
+
+	key->kasp = false;
+	if ((type & DST_TYPE_STATE) != 0) {
+		result = dst_key_read_state(statefilename, mctx, &key);
+		if (result == ISC_R_SUCCESS) {
+			key->kasp = true;
+		} else if (result == ISC_R_FILENOTFOUND) {
+			/* Having no state is valid. */
+			result = ISC_R_SUCCESS;
+		}
+		RETERR(result);
+	}
+
+	RETERR(computeid(key));
+
+	if (pubkey->key_id != key->key_id) {
+		RETERR(DST_R_INVALIDPRIVATEKEY);
+	}
+
+	key->modified = false;
+	*keyp = key;
+	key = NULL;
+
+out:
+	if (pubkey != NULL) {
+		dst_key_free(&pubkey);
+	}
+	if (newfilename != NULL) {
+		isc_mem_put(mctx, newfilename, newfilenamelen);
+	}
+	if (statefilename != NULL) {
+		isc_mem_put(mctx, statefilename, statefilenamelen);
+	}
+	if (lex != NULL) {
+		isc_lex_destroy(&lex);
+	}
+	if (key != NULL) {
+		dst_key_free(&key);
+	}
+	return (result);
+}
+
+isc_result_t
+dst_key_todns(const dst_key_t *key, isc_buffer_t *target) {
+	REQUIRE(dst_initialized);
+	REQUIRE(VALID_KEY(key));
+	REQUIRE(target != NULL);
+
+	CHECKALG(key->key_alg);
+
+	if (key->func->todns == NULL) {
+		return (DST_R_UNSUPPORTEDALG);
+	}
+
+	if (isc_buffer_availablelength(target) < 4) {
+		return (ISC_R_NOSPACE);
+	}
+	isc_buffer_putuint16(target, (uint16_t)(key->key_flags & 0xffff));
+	isc_buffer_putuint8(target, (uint8_t)key->key_proto);
+	isc_buffer_putuint8(target, (uint8_t)key->key_alg);
+
+	if ((key->key_flags & DNS_KEYFLAG_EXTENDED) != 0) {
+		if (isc_buffer_availablelength(target) < 2) {
+			return (ISC_R_NOSPACE);
+		}
+		isc_buffer_putuint16(
+			target, (uint16_t)((key->key_flags >> 16) & 0xffff));
+	}
+
+	if (key->keydata.generic == NULL) { /*%< NULL KEY */
+		return (ISC_R_SUCCESS);
+	}
+
+	return (key->func->todns(key, target));
+}
+
+isc_result_t
+dst_key_fromdns(const dns_name_t *name, dns_rdataclass_t rdclass,
+		isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp) {
+	uint8_t alg, proto;
+	uint32_t flags, extflags;
+	dst_key_t *key = NULL;
+	dns_keytag_t id, rid;
+	isc_region_t r;
+	isc_result_t result;
+
+	REQUIRE(dst_initialized);
+
+	isc_buffer_remainingregion(source, &r);
+
+	if (isc_buffer_remaininglength(source) < 4) {
+		return (DST_R_INVALIDPUBLICKEY);
+	}
+	flags = isc_buffer_getuint16(source);
+	proto = isc_buffer_getuint8(source);
+	alg = isc_buffer_getuint8(source);
+
+	id = dst_region_computeid(&r);
+	rid = dst_region_computerid(&r);
+
+	if ((flags & DNS_KEYFLAG_EXTENDED) != 0) {
+		if (isc_buffer_remaininglength(source) < 2) {
+			return (DST_R_INVALIDPUBLICKEY);
+		}
+		extflags = isc_buffer_getuint16(source);
+		flags |= (extflags << 16);
+	}
+
+	result = frombuffer(name, alg, flags, proto, rdclass, source, mctx,
+			    &key);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	key->key_id = id;
+	key->key_rid = rid;
+
+	*keyp = key;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dst_key_frombuffer(const dns_name_t *name, unsigned int alg, unsigned int flags,
+		   unsigned int protocol, dns_rdataclass_t rdclass,
+		   isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp) {
+	dst_key_t *key = NULL;
+	isc_result_t result;
+
+	REQUIRE(dst_initialized);
+
+	result = frombuffer(name, alg, flags, protocol, rdclass, source, mctx,
+			    &key);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = computeid(key);
+	if (result != ISC_R_SUCCESS) {
+		dst_key_free(&key);
+		return (result);
+	}
+
+	*keyp = key;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dst_key_tobuffer(const dst_key_t *key, isc_buffer_t *target) {
+	REQUIRE(dst_initialized);
+	REQUIRE(VALID_KEY(key));
+	REQUIRE(target != NULL);
+
+	CHECKALG(key->key_alg);
+
+	if (key->func->todns == NULL) {
+		return (DST_R_UNSUPPORTEDALG);
+	}
+
+	return (key->func->todns(key, target));
+}
+
+isc_result_t
+dst_key_privatefrombuffer(dst_key_t *key, isc_buffer_t *buffer) {
+	isc_lex_t *lex = NULL;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(dst_initialized);
+	REQUIRE(VALID_KEY(key));
+	REQUIRE(!dst_key_isprivate(key));
+	REQUIRE(buffer != NULL);
+
+	if (key->func->parse == NULL) {
+		RETERR(DST_R_UNSUPPORTEDALG);
+	}
+
+	RETERR(isc_lex_create(key->mctx, 1500, &lex));
+	RETERR(isc_lex_openbuffer(lex, buffer));
+	RETERR(key->func->parse(key, lex, NULL));
+out:
+	if (lex != NULL) {
+		isc_lex_destroy(&lex);
+	}
+	return (result);
+}
+
+dns_gss_ctx_id_t
+dst_key_getgssctx(const dst_key_t *key) {
+	REQUIRE(key != NULL);
+
+	return (key->keydata.gssctx);
+}
+
+isc_result_t
+dst_key_fromgssapi(const dns_name_t *name, dns_gss_ctx_id_t gssctx,
+		   isc_mem_t *mctx, dst_key_t **keyp, isc_region_t *intoken) {
+	dst_key_t *key;
+	isc_result_t result;
+
+	REQUIRE(gssctx != NULL);
+	REQUIRE(keyp != NULL && *keyp == NULL);
+
+	key = get_key_struct(name, DST_ALG_GSSAPI, 0, DNS_KEYPROTO_DNSSEC, 0,
+			     dns_rdataclass_in, 0, mctx);
+	if (key == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	if (intoken != NULL) {
+		/*
+		 * Keep the token for use by external ssu rules. They may need
+		 * to examine the PAC in the kerberos ticket.
+		 */
+		isc_buffer_allocate(key->mctx, &key->key_tkeytoken,
+				    intoken->length);
+		RETERR(isc_buffer_copyregion(key->key_tkeytoken, intoken));
+	}
+
+	key->keydata.gssctx = gssctx;
+	*keyp = key;
+	result = ISC_R_SUCCESS;
+out:
+	if (result != ISC_R_SUCCESS) {
+		dst_key_free(&key);
+	}
+	return (result);
+}
+
+isc_result_t
+dst_key_buildinternal(const dns_name_t *name, unsigned int alg,
+		      unsigned int bits, unsigned int flags,
+		      unsigned int protocol, dns_rdataclass_t rdclass,
+		      void *data, isc_mem_t *mctx, dst_key_t **keyp) {
+	dst_key_t *key;
+	isc_result_t result;
+
+	REQUIRE(dst_initialized);
+	REQUIRE(dns_name_isabsolute(name));
+	REQUIRE(mctx != NULL);
+	REQUIRE(keyp != NULL && *keyp == NULL);
+	REQUIRE(data != NULL);
+
+	CHECKALG(alg);
+
+	key = get_key_struct(name, alg, flags, protocol, bits, rdclass, 0,
+			     mctx);
+	if (key == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	key->keydata.generic = data;
+
+	result = computeid(key);
+	if (result != ISC_R_SUCCESS) {
+		dst_key_free(&key);
+		return (result);
+	}
+
+	*keyp = key;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dst_key_fromlabel(const dns_name_t *name, int alg, unsigned int flags,
+		  unsigned int protocol, dns_rdataclass_t rdclass,
+		  const char *engine, const char *label, const char *pin,
+		  isc_mem_t *mctx, dst_key_t **keyp) {
+	dst_key_t *key;
+	isc_result_t result;
+
+	REQUIRE(dst_initialized);
+	REQUIRE(dns_name_isabsolute(name));
+	REQUIRE(mctx != NULL);
+	REQUIRE(keyp != NULL && *keyp == NULL);
+	REQUIRE(label != NULL);
+
+	CHECKALG(alg);
+
+	key = get_key_struct(name, alg, flags, protocol, 0, rdclass, 0, mctx);
+	if (key == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	if (key->func->fromlabel == NULL) {
+		dst_key_free(&key);
+		return (DST_R_UNSUPPORTEDALG);
+	}
+
+	result = key->func->fromlabel(key, engine, label, pin);
+	if (result != ISC_R_SUCCESS) {
+		dst_key_free(&key);
+		return (result);
+	}
+
+	result = computeid(key);
+	if (result != ISC_R_SUCCESS) {
+		dst_key_free(&key);
+		return (result);
+	}
+
+	*keyp = key;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dst_key_generate(const dns_name_t *name, unsigned int alg, unsigned int bits,
+		 unsigned int param, unsigned int flags, unsigned int protocol,
+		 dns_rdataclass_t rdclass, isc_mem_t *mctx, dst_key_t **keyp,
+		 void (*callback)(int)) {
+	dst_key_t *key;
+	isc_result_t ret;
+
+	REQUIRE(dst_initialized);
+	REQUIRE(dns_name_isabsolute(name));
+	REQUIRE(mctx != NULL);
+	REQUIRE(keyp != NULL && *keyp == NULL);
+
+	CHECKALG(alg);
+
+	key = get_key_struct(name, alg, flags, protocol, bits, rdclass, 0,
+			     mctx);
+	if (key == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	if (bits == 0) { /*%< NULL KEY */
+		key->key_flags |= DNS_KEYTYPE_NOKEY;
+		*keyp = key;
+		return (ISC_R_SUCCESS);
+	}
+
+	if (key->func->generate == NULL) {
+		dst_key_free(&key);
+		return (DST_R_UNSUPPORTEDALG);
+	}
+
+	ret = key->func->generate(key, param, callback);
+	if (ret != ISC_R_SUCCESS) {
+		dst_key_free(&key);
+		return (ret);
+	}
+
+	ret = computeid(key);
+	if (ret != ISC_R_SUCCESS) {
+		dst_key_free(&key);
+		return (ret);
+	}
+
+	*keyp = key;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dst_key_getbool(const dst_key_t *key, int type, bool *valuep) {
+	dst_key_t *k;
+
+	REQUIRE(VALID_KEY(key));
+	REQUIRE(valuep != NULL);
+	REQUIRE(type <= DST_MAX_BOOLEAN);
+
+	DE_CONST(key, k);
+
+	isc_mutex_lock(&k->mdlock);
+	if (!key->boolset[type]) {
+		isc_mutex_unlock(&k->mdlock);
+		return (ISC_R_NOTFOUND);
+	}
+	*valuep = key->bools[type];
+	isc_mutex_unlock(&k->mdlock);
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dst_key_setbool(dst_key_t *key, int type, bool value) {
+	REQUIRE(VALID_KEY(key));
+	REQUIRE(type <= DST_MAX_BOOLEAN);
+
+	isc_mutex_lock(&key->mdlock);
+	key->modified = key->modified || !key->boolset[type] ||
+			key->bools[type] != value;
+	key->bools[type] = value;
+	key->boolset[type] = true;
+	isc_mutex_unlock(&key->mdlock);
+}
+
+void
+dst_key_unsetbool(dst_key_t *key, int type) {
+	REQUIRE(VALID_KEY(key));
+	REQUIRE(type <= DST_MAX_BOOLEAN);
+
+	isc_mutex_lock(&key->mdlock);
+	key->modified = key->modified || key->boolset[type];
+	key->boolset[type] = false;
+	isc_mutex_unlock(&key->mdlock);
+}
+
+isc_result_t
+dst_key_getnum(const dst_key_t *key, int type, uint32_t *valuep) {
+	dst_key_t *k;
+
+	REQUIRE(VALID_KEY(key));
+	REQUIRE(valuep != NULL);
+	REQUIRE(type <= DST_MAX_NUMERIC);
+
+	DE_CONST(key, k);
+
+	isc_mutex_lock(&k->mdlock);
+	if (!key->numset[type]) {
+		isc_mutex_unlock(&k->mdlock);
+		return (ISC_R_NOTFOUND);
+	}
+	*valuep = key->nums[type];
+	isc_mutex_unlock(&k->mdlock);
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dst_key_setnum(dst_key_t *key, int type, uint32_t value) {
+	REQUIRE(VALID_KEY(key));
+	REQUIRE(type <= DST_MAX_NUMERIC);
+
+	isc_mutex_lock(&key->mdlock);
+	key->modified = key->modified || !key->numset[type] ||
+			key->nums[type] != value;
+	key->nums[type] = value;
+	key->numset[type] = true;
+	isc_mutex_unlock(&key->mdlock);
+}
+
+void
+dst_key_unsetnum(dst_key_t *key, int type) {
+	REQUIRE(VALID_KEY(key));
+	REQUIRE(type <= DST_MAX_NUMERIC);
+
+	isc_mutex_lock(&key->mdlock);
+	key->modified = key->modified || key->numset[type];
+	key->numset[type] = false;
+	isc_mutex_unlock(&key->mdlock);
+}
+
+isc_result_t
+dst_key_gettime(const dst_key_t *key, int type, isc_stdtime_t *timep) {
+	dst_key_t *k;
+
+	REQUIRE(VALID_KEY(key));
+	REQUIRE(timep != NULL);
+	REQUIRE(type <= DST_MAX_TIMES);
+
+	DE_CONST(key, k);
+
+	isc_mutex_lock(&k->mdlock);
+	if (!key->timeset[type]) {
+		isc_mutex_unlock(&k->mdlock);
+		return (ISC_R_NOTFOUND);
+	}
+	*timep = key->times[type];
+	isc_mutex_unlock(&k->mdlock);
+	return (ISC_R_SUCCESS);
+}
+
+void
+dst_key_settime(dst_key_t *key, int type, isc_stdtime_t when) {
+	REQUIRE(VALID_KEY(key));
+	REQUIRE(type <= DST_MAX_TIMES);
+
+	isc_mutex_lock(&key->mdlock);
+	key->modified = key->modified || !key->timeset[type] ||
+			key->times[type] != when;
+	key->times[type] = when;
+	key->timeset[type] = true;
+	isc_mutex_unlock(&key->mdlock);
+}
+
+void
+dst_key_unsettime(dst_key_t *key, int type) {
+	REQUIRE(VALID_KEY(key));
+	REQUIRE(type <= DST_MAX_TIMES);
+
+	isc_mutex_lock(&key->mdlock);
+	key->modified = key->modified || key->timeset[type];
+	key->timeset[type] = false;
+	isc_mutex_unlock(&key->mdlock);
+}
+
+isc_result_t
+dst_key_getstate(const dst_key_t *key, int type, dst_key_state_t *statep) {
+	dst_key_t *k;
+
+	REQUIRE(VALID_KEY(key));
+	REQUIRE(statep != NULL);
+	REQUIRE(type <= DST_MAX_KEYSTATES);
+
+	DE_CONST(key, k);
+
+	isc_mutex_lock(&k->mdlock);
+	if (!key->keystateset[type]) {
+		isc_mutex_unlock(&k->mdlock);
+		return (ISC_R_NOTFOUND);
+	}
+	*statep = key->keystates[type];
+	isc_mutex_unlock(&k->mdlock);
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dst_key_setstate(dst_key_t *key, int type, dst_key_state_t state) {
+	REQUIRE(VALID_KEY(key));
+	REQUIRE(type <= DST_MAX_KEYSTATES);
+
+	isc_mutex_lock(&key->mdlock);
+	key->modified = key->modified || !key->keystateset[type] ||
+			key->keystates[type] != state;
+	key->keystates[type] = state;
+	key->keystateset[type] = true;
+	isc_mutex_unlock(&key->mdlock);
+}
+
+void
+dst_key_unsetstate(dst_key_t *key, int type) {
+	REQUIRE(VALID_KEY(key));
+	REQUIRE(type <= DST_MAX_KEYSTATES);
+
+	isc_mutex_lock(&key->mdlock);
+	key->modified = key->modified || key->keystateset[type];
+	key->keystateset[type] = false;
+	isc_mutex_unlock(&key->mdlock);
+}
+
+isc_result_t
+dst_key_getprivateformat(const dst_key_t *key, int *majorp, int *minorp) {
+	REQUIRE(VALID_KEY(key));
+	REQUIRE(majorp != NULL);
+	REQUIRE(minorp != NULL);
+	*majorp = key->fmt_major;
+	*minorp = key->fmt_minor;
+	return (ISC_R_SUCCESS);
+}
+
+void
+dst_key_setprivateformat(dst_key_t *key, int major, int minor) {
+	REQUIRE(VALID_KEY(key));
+	key->fmt_major = major;
+	key->fmt_minor = minor;
+}
+
+static bool
+comparekeys(const dst_key_t *key1, const dst_key_t *key2,
+	    bool match_revoked_key,
+	    bool (*compare)(const dst_key_t *key1, const dst_key_t *key2)) {
+	REQUIRE(dst_initialized);
+	REQUIRE(VALID_KEY(key1));
+	REQUIRE(VALID_KEY(key2));
+
+	if (key1 == key2) {
+		return (true);
+	}
+
+	if (key1->key_alg != key2->key_alg) {
+		return (false);
+	}
+
+	if (key1->key_id != key2->key_id) {
+		if (!match_revoked_key) {
+			return (false);
+		}
+		if ((key1->key_flags & DNS_KEYFLAG_REVOKE) ==
+		    (key2->key_flags & DNS_KEYFLAG_REVOKE))
+		{
+			return (false);
+		}
+		if (key1->key_id != key2->key_rid &&
+		    key1->key_rid != key2->key_id)
+		{
+			return (false);
+		}
+	}
+
+	if (compare != NULL) {
+		return (compare(key1, key2));
+	} else {
+		return (false);
+	}
+}
+
+/*
+ * Compares only the public portion of two keys, by converting them
+ * both to wire format and comparing the results.
+ */
+static bool
+pub_compare(const dst_key_t *key1, const dst_key_t *key2) {
+	isc_result_t result;
+	unsigned char buf1[DST_KEY_MAXSIZE], buf2[DST_KEY_MAXSIZE];
+	isc_buffer_t b1, b2;
+	isc_region_t r1, r2;
+
+	isc_buffer_init(&b1, buf1, sizeof(buf1));
+	result = dst_key_todns(key1, &b1);
+	if (result != ISC_R_SUCCESS) {
+		return (false);
+	}
+	/* Zero out flags. */
+	buf1[0] = buf1[1] = 0;
+	if ((key1->key_flags & DNS_KEYFLAG_EXTENDED) != 0) {
+		isc_buffer_subtract(&b1, 2);
+	}
+
+	isc_buffer_init(&b2, buf2, sizeof(buf2));
+	result = dst_key_todns(key2, &b2);
+	if (result != ISC_R_SUCCESS) {
+		return (false);
+	}
+	/* Zero out flags. */
+	buf2[0] = buf2[1] = 0;
+	if ((key2->key_flags & DNS_KEYFLAG_EXTENDED) != 0) {
+		isc_buffer_subtract(&b2, 2);
+	}
+
+	isc_buffer_usedregion(&b1, &r1);
+	/* Remove extended flags. */
+	if ((key1->key_flags & DNS_KEYFLAG_EXTENDED) != 0) {
+		memmove(&buf1[4], &buf1[6], r1.length - 6);
+		r1.length -= 2;
+	}
+
+	isc_buffer_usedregion(&b2, &r2);
+	/* Remove extended flags. */
+	if ((key2->key_flags & DNS_KEYFLAG_EXTENDED) != 0) {
+		memmove(&buf2[4], &buf2[6], r2.length - 6);
+		r2.length -= 2;
+	}
+	return (isc_region_compare(&r1, &r2) == 0);
+}
+
+bool
+dst_key_compare(const dst_key_t *key1, const dst_key_t *key2) {
+	return (comparekeys(key1, key2, false, key1->func->compare));
+}
+
+bool
+dst_key_pubcompare(const dst_key_t *key1, const dst_key_t *key2,
+		   bool match_revoked_key) {
+	return (comparekeys(key1, key2, match_revoked_key, pub_compare));
+}
+
+bool
+dst_key_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
+	REQUIRE(dst_initialized);
+	REQUIRE(VALID_KEY(key1));
+	REQUIRE(VALID_KEY(key2));
+
+	if (key1 == key2) {
+		return (true);
+	}
+	if (key1->key_alg == key2->key_alg &&
+	    key1->func->paramcompare != NULL &&
+	    key1->func->paramcompare(key1, key2))
+	{
+		return (true);
+	} else {
+		return (false);
+	}
+}
+
+void
+dst_key_attach(dst_key_t *source, dst_key_t **target) {
+	REQUIRE(dst_initialized);
+	REQUIRE(target != NULL && *target == NULL);
+	REQUIRE(VALID_KEY(source));
+
+	isc_refcount_increment(&source->refs);
+	*target = source;
+}
+
+void
+dst_key_free(dst_key_t **keyp) {
+	REQUIRE(dst_initialized);
+	REQUIRE(keyp != NULL && VALID_KEY(*keyp));
+	dst_key_t *key = *keyp;
+	*keyp = NULL;
+
+	if (isc_refcount_decrement(&key->refs) == 1) {
+		isc_refcount_destroy(&key->refs);
+		isc_mem_t *mctx = key->mctx;
+		if (key->keydata.generic != NULL) {
+			INSIST(key->func->destroy != NULL);
+			key->func->destroy(key);
+		}
+		if (key->engine != NULL) {
+			isc_mem_free(mctx, key->engine);
+		}
+		if (key->label != NULL) {
+			isc_mem_free(mctx, key->label);
+		}
+		dns_name_free(key->key_name, mctx);
+		isc_mem_put(mctx, key->key_name, sizeof(dns_name_t));
+		if (key->key_tkeytoken) {
+			isc_buffer_free(&key->key_tkeytoken);
+		}
+		isc_mutex_destroy(&key->mdlock);
+		isc_safe_memwipe(key, sizeof(*key));
+		isc_mem_putanddetach(&mctx, key, sizeof(*key));
+	}
+}
+
+bool
+dst_key_isprivate(const dst_key_t *key) {
+	REQUIRE(VALID_KEY(key));
+	INSIST(key->func->isprivate != NULL);
+	return (key->func->isprivate(key));
+}
+
+isc_result_t
+dst_key_buildfilename(const dst_key_t *key, int type, const char *directory,
+		      isc_buffer_t *out) {
+	REQUIRE(VALID_KEY(key));
+	REQUIRE(type == DST_TYPE_PRIVATE || type == DST_TYPE_PUBLIC ||
+		type == DST_TYPE_STATE || type == 0);
+
+	return (buildfilename(key->key_name, key->key_id, key->key_alg, type,
+			      directory, out));
+}
+
+isc_result_t
+dst_key_sigsize(const dst_key_t *key, unsigned int *n) {
+	REQUIRE(dst_initialized);
+	REQUIRE(VALID_KEY(key));
+	REQUIRE(n != NULL);
+
+	/* XXXVIX this switch statement is too sparse to gen a jump table. */
+	switch (key->key_alg) {
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+	case DST_ALG_RSASHA256:
+	case DST_ALG_RSASHA512:
+		*n = (key->key_size + 7) / 8;
+		break;
+	case DST_ALG_ECDSA256:
+		*n = DNS_SIG_ECDSA256SIZE;
+		break;
+	case DST_ALG_ECDSA384:
+		*n = DNS_SIG_ECDSA384SIZE;
+		break;
+	case DST_ALG_ED25519:
+		*n = DNS_SIG_ED25519SIZE;
+		break;
+	case DST_ALG_ED448:
+		*n = DNS_SIG_ED448SIZE;
+		break;
+	case DST_ALG_HMACMD5:
+		*n = isc_md_type_get_size(ISC_MD_MD5);
+		break;
+	case DST_ALG_HMACSHA1:
+		*n = isc_md_type_get_size(ISC_MD_SHA1);
+		break;
+	case DST_ALG_HMACSHA224:
+		*n = isc_md_type_get_size(ISC_MD_SHA224);
+		break;
+	case DST_ALG_HMACSHA256:
+		*n = isc_md_type_get_size(ISC_MD_SHA256);
+		break;
+	case DST_ALG_HMACSHA384:
+		*n = isc_md_type_get_size(ISC_MD_SHA384);
+		break;
+	case DST_ALG_HMACSHA512:
+		*n = isc_md_type_get_size(ISC_MD_SHA512);
+		break;
+	case DST_ALG_GSSAPI:
+		*n = 128; /*%< XXX */
+		break;
+	case DST_ALG_DH:
+	default:
+		return (DST_R_UNSUPPORTEDALG);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dst_key_secretsize(const dst_key_t *key, unsigned int *n) {
+	REQUIRE(dst_initialized);
+	REQUIRE(VALID_KEY(key));
+	REQUIRE(n != NULL);
+
+	if (key->key_alg == DST_ALG_DH) {
+		*n = (key->key_size + 7) / 8;
+		return (ISC_R_SUCCESS);
+	}
+	return (DST_R_UNSUPPORTEDALG);
+}
+
+/*%
+ * Set the flags on a key, then recompute the key ID
+ */
+isc_result_t
+dst_key_setflags(dst_key_t *key, uint32_t flags) {
+	REQUIRE(VALID_KEY(key));
+	key->key_flags = flags;
+	return (computeid(key));
+}
+
+void
+dst_key_format(const dst_key_t *key, char *cp, unsigned int size) {
+	char namestr[DNS_NAME_FORMATSIZE];
+	char algstr[DNS_NAME_FORMATSIZE];
+
+	dns_name_format(dst_key_name(key), namestr, sizeof(namestr));
+	dns_secalg_format((dns_secalg_t)dst_key_alg(key), algstr,
+			  sizeof(algstr));
+	snprintf(cp, size, "%s/%s/%d", namestr, algstr, dst_key_id(key));
+}
+
+isc_result_t
+dst_key_dump(dst_key_t *key, isc_mem_t *mctx, char **buffer, int *length) {
+	REQUIRE(buffer != NULL && *buffer == NULL);
+	REQUIRE(length != NULL && *length == 0);
+	REQUIRE(VALID_KEY(key));
+
+	if (key->func->dump == NULL) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+	return (key->func->dump(key, mctx, buffer, length));
+}
+
+isc_result_t
+dst_key_restore(dns_name_t *name, unsigned int alg, unsigned int flags,
+		unsigned int protocol, dns_rdataclass_t rdclass,
+		isc_mem_t *mctx, const char *keystr, dst_key_t **keyp) {
+	isc_result_t result;
+	dst_key_t *key;
+
+	REQUIRE(dst_initialized);
+	REQUIRE(keyp != NULL && *keyp == NULL);
+
+	if (alg >= DST_MAX_ALGS || dst_t_func[alg] == NULL) {
+		return (DST_R_UNSUPPORTEDALG);
+	}
+
+	if (dst_t_func[alg]->restore == NULL) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	key = get_key_struct(name, alg, flags, protocol, 0, rdclass, 0, mctx);
+	if (key == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	result = (dst_t_func[alg]->restore)(key, keystr);
+	if (result == ISC_R_SUCCESS) {
+		*keyp = key;
+	} else {
+		dst_key_free(&key);
+	}
+
+	return (result);
+}
+
+/***
+ *** Static methods
+ ***/
+
+/*%
+ * Allocates a key structure and fills in some of the fields.
+ */
+static dst_key_t *
+get_key_struct(const dns_name_t *name, unsigned int alg, unsigned int flags,
+	       unsigned int protocol, unsigned int bits,
+	       dns_rdataclass_t rdclass, dns_ttl_t ttl, isc_mem_t *mctx) {
+	dst_key_t *key;
+	int i;
+
+	key = isc_mem_get(mctx, sizeof(dst_key_t));
+
+	memset(key, 0, sizeof(dst_key_t));
+
+	key->key_name = isc_mem_get(mctx, sizeof(dns_name_t));
+
+	dns_name_init(key->key_name, NULL);
+	dns_name_dup(name, mctx, key->key_name);
+
+	isc_refcount_init(&key->refs, 1);
+	isc_mem_attach(mctx, &key->mctx);
+	key->key_alg = alg;
+	key->key_flags = flags;
+	key->key_proto = protocol;
+	key->keydata.generic = NULL;
+	key->key_size = bits;
+	key->key_class = rdclass;
+	key->key_ttl = ttl;
+	key->func = dst_t_func[alg];
+	key->fmt_major = 0;
+	key->fmt_minor = 0;
+	for (i = 0; i < (DST_MAX_TIMES + 1); i++) {
+		key->times[i] = 0;
+		key->timeset[i] = false;
+	}
+	isc_mutex_init(&key->mdlock);
+	key->inactive = false;
+	key->magic = KEY_MAGIC;
+	return (key);
+}
+
+bool
+dst_key_inactive(const dst_key_t *key) {
+	REQUIRE(VALID_KEY(key));
+
+	return (key->inactive);
+}
+
+void
+dst_key_setinactive(dst_key_t *key, bool inactive) {
+	REQUIRE(VALID_KEY(key));
+
+	key->inactive = inactive;
+}
+
+/*%
+ * Reads a public key from disk.
+ */
+isc_result_t
+dst_key_read_public(const char *filename, int type, isc_mem_t *mctx,
+		    dst_key_t **keyp) {
+	u_char rdatabuf[DST_KEY_MAXSIZE];
+	isc_buffer_t b;
+	dns_fixedname_t name;
+	isc_lex_t *lex = NULL;
+	isc_token_t token;
+	isc_result_t ret;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	unsigned int opt = ISC_LEXOPT_DNSMULTILINE;
+	dns_rdataclass_t rdclass = dns_rdataclass_in;
+	isc_lexspecials_t specials;
+	uint32_t ttl = 0;
+	isc_result_t result;
+	dns_rdatatype_t keytype;
+
+	/*
+	 * Open the file and read its formatted contents
+	 * File format:
+	 *    domain.name [ttl] [class] [KEY|DNSKEY] <flags> <protocol>
+	 * <algorithm> <key>
+	 */
+
+	/* 1500 should be large enough for any key */
+	ret = isc_lex_create(mctx, 1500, &lex);
+	if (ret != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	memset(specials, 0, sizeof(specials));
+	specials['('] = 1;
+	specials[')'] = 1;
+	specials['"'] = 1;
+	isc_lex_setspecials(lex, specials);
+	isc_lex_setcomments(lex, ISC_LEXCOMMENT_DNSMASTERFILE);
+
+	ret = isc_lex_openfile(lex, filename);
+	if (ret != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	/* Read the domain name */
+	NEXTTOKEN(lex, opt, &token);
+	if (token.type != isc_tokentype_string) {
+		BADTOKEN();
+	}
+
+	/*
+	 * We don't support "@" in .key files.
+	 */
+	if (!strcmp(DST_AS_STR(token), "@")) {
+		BADTOKEN();
+	}
+
+	dns_fixedname_init(&name);
+	isc_buffer_init(&b, DST_AS_STR(token), strlen(DST_AS_STR(token)));
+	isc_buffer_add(&b, strlen(DST_AS_STR(token)));
+	ret = dns_name_fromtext(dns_fixedname_name(&name), &b, dns_rootname, 0,
+				NULL);
+	if (ret != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	/* Read the next word: either TTL, class, or 'KEY' */
+	NEXTTOKEN(lex, opt, &token);
+
+	if (token.type != isc_tokentype_string) {
+		BADTOKEN();
+	}
+
+	/* If it's a TTL, read the next one */
+	result = dns_ttl_fromtext(&token.value.as_textregion, &ttl);
+	if (result == ISC_R_SUCCESS) {
+		NEXTTOKEN(lex, opt, &token);
+	}
+
+	if (token.type != isc_tokentype_string) {
+		BADTOKEN();
+	}
+
+	ret = dns_rdataclass_fromtext(&rdclass, &token.value.as_textregion);
+	if (ret == ISC_R_SUCCESS) {
+		NEXTTOKEN(lex, opt, &token);
+	}
+
+	if (token.type != isc_tokentype_string) {
+		BADTOKEN();
+	}
+
+	if (strcasecmp(DST_AS_STR(token), "DNSKEY") == 0) {
+		keytype = dns_rdatatype_dnskey;
+	} else if (strcasecmp(DST_AS_STR(token), "KEY") == 0) {
+		keytype = dns_rdatatype_key; /*%< SIG(0), TKEY */
+	} else {
+		BADTOKEN();
+	}
+
+	if (((type & DST_TYPE_KEY) != 0 && keytype != dns_rdatatype_key) ||
+	    ((type & DST_TYPE_KEY) == 0 && keytype != dns_rdatatype_dnskey))
+	{
+		ret = DST_R_BADKEYTYPE;
+		goto cleanup;
+	}
+
+	isc_buffer_init(&b, rdatabuf, sizeof(rdatabuf));
+	ret = dns_rdata_fromtext(&rdata, rdclass, keytype, lex, NULL, false,
+				 mctx, &b, NULL);
+	if (ret != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	ret = dst_key_fromdns(dns_fixedname_name(&name), rdclass, &b, mctx,
+			      keyp);
+	if (ret != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	dst_key_setttl(*keyp, ttl);
+
+cleanup:
+	if (lex != NULL) {
+		isc_lex_destroy(&lex);
+	}
+	return (ret);
+}
+
+static int
+find_metadata(const char *s, const char *tags[], int ntags) {
+	for (int i = 0; i < ntags; i++) {
+		if (tags[i] != NULL && strcasecmp(s, tags[i]) == 0) {
+			return (i);
+		}
+	}
+	return (-1);
+}
+
+static int
+find_numericdata(const char *s) {
+	return (find_metadata(s, numerictags, NUMERIC_NTAGS));
+}
+
+static int
+find_booleandata(const char *s) {
+	return (find_metadata(s, booleantags, BOOLEAN_NTAGS));
+}
+
+static int
+find_timingdata(const char *s) {
+	return (find_metadata(s, timingtags, TIMING_NTAGS));
+}
+
+static int
+find_keystatedata(const char *s) {
+	return (find_metadata(s, keystatestags, KEYSTATES_NTAGS));
+}
+
+static isc_result_t
+keystate_fromtext(const char *s, dst_key_state_t *state) {
+	for (int i = 0; i < KEYSTATES_NVALUES; i++) {
+		if (keystates[i] != NULL && strcasecmp(s, keystates[i]) == 0) {
+			*state = (dst_key_state_t)i;
+			return (ISC_R_SUCCESS);
+		}
+	}
+	return (ISC_R_NOTFOUND);
+}
+
+/*%
+ * Reads a key state from disk.
+ */
+isc_result_t
+dst_key_read_state(const char *filename, isc_mem_t *mctx, dst_key_t **keyp) {
+	isc_lex_t *lex = NULL;
+	isc_token_t token;
+	isc_result_t ret;
+	unsigned int opt = ISC_LEXOPT_EOL;
+
+	ret = isc_lex_create(mctx, 1500, &lex);
+	if (ret != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	isc_lex_setcomments(lex, ISC_LEXCOMMENT_DNSMASTERFILE);
+
+	ret = isc_lex_openfile(lex, filename);
+	if (ret != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	/*
+	 * Read the comment line.
+	 */
+	READLINE(lex, opt, &token);
+
+	/*
+	 * Read the algorithm line.
+	 */
+	NEXTTOKEN(lex, opt, &token);
+	if (token.type != isc_tokentype_string ||
+	    strcmp(DST_AS_STR(token), STATE_ALGORITHM_STR) != 0)
+	{
+		BADTOKEN();
+	}
+
+	NEXTTOKEN(lex, opt | ISC_LEXOPT_NUMBER, &token);
+	if (token.type != isc_tokentype_number ||
+	    token.value.as_ulong != (unsigned long)dst_key_alg(*keyp))
+	{
+		BADTOKEN();
+	}
+
+	READLINE(lex, opt, &token);
+
+	/*
+	 * Read the length line.
+	 */
+	NEXTTOKEN(lex, opt, &token);
+	if (token.type != isc_tokentype_string ||
+	    strcmp(DST_AS_STR(token), STATE_LENGTH_STR) != 0)
+	{
+		BADTOKEN();
+	}
+
+	NEXTTOKEN(lex, opt | ISC_LEXOPT_NUMBER, &token);
+	if (token.type != isc_tokentype_number ||
+	    token.value.as_ulong != (unsigned long)dst_key_size(*keyp))
+	{
+		BADTOKEN();
+	}
+
+	READLINE(lex, opt, &token);
+
+	/*
+	 * Read the metadata.
+	 */
+	for (int n = 0; n < MAX_NTAGS; n++) {
+		int tag;
+
+		NEXTTOKEN_OR_EOF(lex, opt, &token);
+		if (ret == ISC_R_EOF) {
+			break;
+		}
+		if (token.type != isc_tokentype_string) {
+			BADTOKEN();
+		}
+
+		/* Numeric metadata */
+		tag = find_numericdata(DST_AS_STR(token));
+		if (tag >= 0) {
+			INSIST(tag < NUMERIC_NTAGS);
+
+			NEXTTOKEN(lex, opt | ISC_LEXOPT_NUMBER, &token);
+			if (token.type != isc_tokentype_number) {
+				BADTOKEN();
+			}
+
+			dst_key_setnum(*keyp, tag, token.value.as_ulong);
+			goto next;
+		}
+
+		/* Boolean metadata */
+		tag = find_booleandata(DST_AS_STR(token));
+		if (tag >= 0) {
+			INSIST(tag < BOOLEAN_NTAGS);
+
+			NEXTTOKEN(lex, opt, &token);
+			if (token.type != isc_tokentype_string) {
+				BADTOKEN();
+			}
+
+			if (strcmp(DST_AS_STR(token), "yes") == 0) {
+				dst_key_setbool(*keyp, tag, true);
+			} else if (strcmp(DST_AS_STR(token), "no") == 0) {
+				dst_key_setbool(*keyp, tag, false);
+			} else {
+				BADTOKEN();
+			}
+			goto next;
+		}
+
+		/* Timing metadata */
+		tag = find_timingdata(DST_AS_STR(token));
+		if (tag >= 0) {
+			uint32_t when;
+
+			INSIST(tag < TIMING_NTAGS);
+
+			NEXTTOKEN(lex, opt, &token);
+			if (token.type != isc_tokentype_string) {
+				BADTOKEN();
+			}
+
+			ret = dns_time32_fromtext(DST_AS_STR(token), &when);
+			if (ret != ISC_R_SUCCESS) {
+				goto cleanup;
+			}
+
+			dst_key_settime(*keyp, tag, when);
+			goto next;
+		}
+
+		/* Keystate metadata */
+		tag = find_keystatedata(DST_AS_STR(token));
+		if (tag >= 0) {
+			dst_key_state_t state;
+
+			INSIST(tag < KEYSTATES_NTAGS);
+
+			NEXTTOKEN(lex, opt, &token);
+			if (token.type != isc_tokentype_string) {
+				BADTOKEN();
+			}
+
+			ret = keystate_fromtext(DST_AS_STR(token), &state);
+			if (ret != ISC_R_SUCCESS) {
+				goto cleanup;
+			}
+
+			dst_key_setstate(*keyp, tag, state);
+			goto next;
+		}
+
+	next:
+		READLINE(lex, opt, &token);
+	}
+
+	/* Done, successfully parsed the whole file. */
+	ret = ISC_R_SUCCESS;
+
+cleanup:
+	if (lex != NULL) {
+		isc_lex_destroy(&lex);
+	}
+	return (ret);
+}
+
+static bool
+issymmetric(const dst_key_t *key) {
+	REQUIRE(dst_initialized);
+	REQUIRE(VALID_KEY(key));
+
+	/* XXXVIX this switch statement is too sparse to gen a jump table. */
+	switch (key->key_alg) {
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+	case DST_ALG_RSASHA256:
+	case DST_ALG_RSASHA512:
+	case DST_ALG_DH:
+	case DST_ALG_ECDSA256:
+	case DST_ALG_ECDSA384:
+	case DST_ALG_ED25519:
+	case DST_ALG_ED448:
+		return (false);
+	case DST_ALG_HMACMD5:
+	case DST_ALG_HMACSHA1:
+	case DST_ALG_HMACSHA224:
+	case DST_ALG_HMACSHA256:
+	case DST_ALG_HMACSHA384:
+	case DST_ALG_HMACSHA512:
+	case DST_ALG_GSSAPI:
+		return (true);
+	default:
+		return (false);
+	}
+}
+
+/*%
+ * Write key boolean metadata to a file pointer, preceded by 'tag'
+ */
+static void
+printbool(const dst_key_t *key, int type, const char *tag, FILE *stream) {
+	isc_result_t result;
+	bool value = 0;
+
+	result = dst_key_getbool(key, type, &value);
+	if (result != ISC_R_SUCCESS) {
+		return;
+	}
+	fprintf(stream, "%s: %s\n", tag, value ? "yes" : "no");
+}
+
+/*%
+ * Write key numeric metadata to a file pointer, preceded by 'tag'
+ */
+static void
+printnum(const dst_key_t *key, int type, const char *tag, FILE *stream) {
+	isc_result_t result;
+	uint32_t value = 0;
+
+	result = dst_key_getnum(key, type, &value);
+	if (result != ISC_R_SUCCESS) {
+		return;
+	}
+	fprintf(stream, "%s: %u\n", tag, value);
+}
+
+/*%
+ * Write key timing metadata to a file pointer, preceded by 'tag'
+ */
+static void
+printtime(const dst_key_t *key, int type, const char *tag, FILE *stream) {
+	isc_result_t result;
+	char output[26]; /* Minimum buffer as per ctime_r() specification. */
+	isc_stdtime_t when;
+	char utc[sizeof("YYYYMMDDHHSSMM")];
+	isc_buffer_t b;
+	isc_region_t r;
+
+	result = dst_key_gettime(key, type, &when);
+	if (result == ISC_R_NOTFOUND) {
+		return;
+	}
+
+	isc_stdtime_tostring(when, output, sizeof(output));
+	isc_buffer_init(&b, utc, sizeof(utc));
+	result = dns_time32_totext(when, &b);
+	if (result != ISC_R_SUCCESS) {
+		goto error;
+	}
+
+	isc_buffer_usedregion(&b, &r);
+	fprintf(stream, "%s: %.*s (%s)\n", tag, (int)r.length, r.base, output);
+	return;
+
+error:
+	fprintf(stream, "%s: (set, unable to display)\n", tag);
+}
+
+/*%
+ * Write key state metadata to a file pointer, preceded by 'tag'
+ */
+static void
+printstate(const dst_key_t *key, int type, const char *tag, FILE *stream) {
+	isc_result_t result;
+	dst_key_state_t value = 0;
+
+	result = dst_key_getstate(key, type, &value);
+	if (result != ISC_R_SUCCESS) {
+		return;
+	}
+	fprintf(stream, "%s: %s\n", tag, keystates[value]);
+}
+
+/*%
+ * Writes a key state to disk.
+ */
+static isc_result_t
+write_key_state(const dst_key_t *key, int type, const char *directory) {
+	FILE *fp;
+	isc_buffer_t fileb;
+	char filename[NAME_MAX];
+	isc_result_t ret;
+	isc_fsaccess_t access;
+
+	REQUIRE(VALID_KEY(key));
+
+	/*
+	 * Make the filename.
+	 */
+	isc_buffer_init(&fileb, filename, sizeof(filename));
+	ret = dst_key_buildfilename(key, DST_TYPE_STATE, directory, &fileb);
+	if (ret != ISC_R_SUCCESS) {
+		return (ret);
+	}
+
+	/*
+	 * Create public key file.
+	 */
+	if ((fp = fopen(filename, "w")) == NULL) {
+		return (DST_R_WRITEERROR);
+	}
+
+	if (issymmetric(key)) {
+		access = 0;
+		isc_fsaccess_add(ISC_FSACCESS_OWNER,
+				 ISC_FSACCESS_READ | ISC_FSACCESS_WRITE,
+				 &access);
+		(void)isc_fsaccess_set(filename, access);
+	}
+
+	/* Write key state */
+	if ((type & DST_TYPE_KEY) == 0) {
+		fprintf(fp, "; This is the state of key %d, for ", key->key_id);
+		ret = dns_name_print(key->key_name, fp);
+		if (ret != ISC_R_SUCCESS) {
+			fclose(fp);
+			return (ret);
+		}
+		fputc('\n', fp);
+
+		fprintf(fp, "Algorithm: %u\n", key->key_alg);
+		fprintf(fp, "Length: %u\n", key->key_size);
+
+		printnum(key, DST_NUM_LIFETIME, "Lifetime", fp);
+		printnum(key, DST_NUM_PREDECESSOR, "Predecessor", fp);
+		printnum(key, DST_NUM_SUCCESSOR, "Successor", fp);
+
+		printbool(key, DST_BOOL_KSK, "KSK", fp);
+		printbool(key, DST_BOOL_ZSK, "ZSK", fp);
+
+		printtime(key, DST_TIME_CREATED, "Generated", fp);
+		printtime(key, DST_TIME_PUBLISH, "Published", fp);
+		printtime(key, DST_TIME_ACTIVATE, "Active", fp);
+		printtime(key, DST_TIME_INACTIVE, "Retired", fp);
+		printtime(key, DST_TIME_REVOKE, "Revoked", fp);
+		printtime(key, DST_TIME_DELETE, "Removed", fp);
+		printtime(key, DST_TIME_DSPUBLISH, "DSPublish", fp);
+		printtime(key, DST_TIME_DSDELETE, "DSRemoved", fp);
+		printtime(key, DST_TIME_SYNCPUBLISH, "PublishCDS", fp);
+		printtime(key, DST_TIME_SYNCDELETE, "DeleteCDS", fp);
+
+		printnum(key, DST_NUM_DSPUBCOUNT, "DSPubCount", fp);
+		printnum(key, DST_NUM_DSDELCOUNT, "DSDelCount", fp);
+
+		printtime(key, DST_TIME_DNSKEY, "DNSKEYChange", fp);
+		printtime(key, DST_TIME_ZRRSIG, "ZRRSIGChange", fp);
+		printtime(key, DST_TIME_KRRSIG, "KRRSIGChange", fp);
+		printtime(key, DST_TIME_DS, "DSChange", fp);
+
+		printstate(key, DST_KEY_DNSKEY, "DNSKEYState", fp);
+		printstate(key, DST_KEY_ZRRSIG, "ZRRSIGState", fp);
+		printstate(key, DST_KEY_KRRSIG, "KRRSIGState", fp);
+		printstate(key, DST_KEY_DS, "DSState", fp);
+		printstate(key, DST_KEY_GOAL, "GoalState", fp);
+	}
+
+	fflush(fp);
+	if (ferror(fp)) {
+		ret = DST_R_WRITEERROR;
+	}
+	fclose(fp);
+
+	return (ret);
+}
+
+/*%
+ * Writes a public key to disk in DNS format.
+ */
+static isc_result_t
+write_public_key(const dst_key_t *key, int type, const char *directory) {
+	FILE *fp;
+	isc_buffer_t keyb, textb, fileb, classb;
+	isc_region_t r;
+	char filename[NAME_MAX];
+	unsigned char key_array[DST_KEY_MAXSIZE];
+	char text_array[DST_KEY_MAXTEXTSIZE];
+	char class_array[10];
+	isc_result_t ret;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_fsaccess_t access;
+
+	REQUIRE(VALID_KEY(key));
+
+	isc_buffer_init(&keyb, key_array, sizeof(key_array));
+	isc_buffer_init(&textb, text_array, sizeof(text_array));
+	isc_buffer_init(&classb, class_array, sizeof(class_array));
+
+	ret = dst_key_todns(key, &keyb);
+	if (ret != ISC_R_SUCCESS) {
+		return (ret);
+	}
+
+	isc_buffer_usedregion(&keyb, &r);
+	dns_rdata_fromregion(&rdata, key->key_class, dns_rdatatype_dnskey, &r);
+
+	ret = dns_rdata_totext(&rdata, (dns_name_t *)NULL, &textb);
+	if (ret != ISC_R_SUCCESS) {
+		return (DST_R_INVALIDPUBLICKEY);
+	}
+
+	ret = dns_rdataclass_totext(key->key_class, &classb);
+	if (ret != ISC_R_SUCCESS) {
+		return (DST_R_INVALIDPUBLICKEY);
+	}
+
+	/*
+	 * Make the filename.
+	 */
+	isc_buffer_init(&fileb, filename, sizeof(filename));
+	ret = dst_key_buildfilename(key, DST_TYPE_PUBLIC, directory, &fileb);
+	if (ret != ISC_R_SUCCESS) {
+		return (ret);
+	}
+
+	/*
+	 * Create public key file.
+	 */
+	if ((fp = fopen(filename, "w")) == NULL) {
+		return (DST_R_WRITEERROR);
+	}
+
+	if (issymmetric(key)) {
+		access = 0;
+		isc_fsaccess_add(ISC_FSACCESS_OWNER,
+				 ISC_FSACCESS_READ | ISC_FSACCESS_WRITE,
+				 &access);
+		(void)isc_fsaccess_set(filename, access);
+	}
+
+	/* Write key information in comments */
+	if ((type & DST_TYPE_KEY) == 0) {
+		fprintf(fp, "; This is a %s%s-signing key, keyid %d, for ",
+			(key->key_flags & DNS_KEYFLAG_REVOKE) != 0 ? "revoked "
+								   : "",
+			(key->key_flags & DNS_KEYFLAG_KSK) != 0 ? "key"
+								: "zone",
+			key->key_id);
+		ret = dns_name_print(key->key_name, fp);
+		if (ret != ISC_R_SUCCESS) {
+			fclose(fp);
+			return (ret);
+		}
+		fputc('\n', fp);
+
+		printtime(key, DST_TIME_CREATED, "; Created", fp);
+		printtime(key, DST_TIME_PUBLISH, "; Publish", fp);
+		printtime(key, DST_TIME_ACTIVATE, "; Activate", fp);
+		printtime(key, DST_TIME_REVOKE, "; Revoke", fp);
+		printtime(key, DST_TIME_INACTIVE, "; Inactive", fp);
+		printtime(key, DST_TIME_DELETE, "; Delete", fp);
+		printtime(key, DST_TIME_SYNCPUBLISH, "; SyncPublish", fp);
+		printtime(key, DST_TIME_SYNCDELETE, "; SyncDelete", fp);
+	}
+
+	/* Now print the actual key */
+	ret = dns_name_print(key->key_name, fp);
+	fprintf(fp, " ");
+
+	if (key->key_ttl != 0) {
+		fprintf(fp, "%u ", key->key_ttl);
+	}
+
+	isc_buffer_usedregion(&classb, &r);
+	if ((unsigned)fwrite(r.base, 1, r.length, fp) != r.length) {
+		ret = DST_R_WRITEERROR;
+	}
+
+	if ((type & DST_TYPE_KEY) != 0) {
+		fprintf(fp, " KEY ");
+	} else {
+		fprintf(fp, " DNSKEY ");
+	}
+
+	isc_buffer_usedregion(&textb, &r);
+	if ((unsigned)fwrite(r.base, 1, r.length, fp) != r.length) {
+		ret = DST_R_WRITEERROR;
+	}
+
+	fputc('\n', fp);
+	fflush(fp);
+	if (ferror(fp)) {
+		ret = DST_R_WRITEERROR;
+	}
+	fclose(fp);
+
+	return (ret);
+}
+
+static isc_result_t
+buildfilename(dns_name_t *name, dns_keytag_t id, unsigned int alg,
+	      unsigned int type, const char *directory, isc_buffer_t *out) {
+	const char *suffix = "";
+	isc_result_t result;
+
+	REQUIRE(out != NULL);
+	if ((type & DST_TYPE_PRIVATE) != 0) {
+		suffix = ".private";
+	} else if ((type & DST_TYPE_PUBLIC) != 0) {
+		suffix = ".key";
+	} else if ((type & DST_TYPE_STATE) != 0) {
+		suffix = ".state";
+	}
+
+	if (directory != NULL) {
+		if (isc_buffer_availablelength(out) < strlen(directory)) {
+			return (ISC_R_NOSPACE);
+		}
+		isc_buffer_putstr(out, directory);
+		if (strlen(directory) > 0U &&
+		    directory[strlen(directory) - 1] != '/')
+		{
+			isc_buffer_putstr(out, "/");
+		}
+	}
+	if (isc_buffer_availablelength(out) < 1) {
+		return (ISC_R_NOSPACE);
+	}
+	isc_buffer_putstr(out, "K");
+	result = dns_name_tofilenametext(name, false, out);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	return (isc_buffer_printf(out, "+%03d+%05d%s", alg, id, suffix));
+}
+
+static isc_result_t
+computeid(dst_key_t *key) {
+	isc_buffer_t dnsbuf;
+	unsigned char dns_array[DST_KEY_MAXSIZE];
+	isc_region_t r;
+	isc_result_t ret;
+
+	isc_buffer_init(&dnsbuf, dns_array, sizeof(dns_array));
+	ret = dst_key_todns(key, &dnsbuf);
+	if (ret != ISC_R_SUCCESS) {
+		return (ret);
+	}
+
+	isc_buffer_usedregion(&dnsbuf, &r);
+	key->key_id = dst_region_computeid(&r);
+	key->key_rid = dst_region_computerid(&r);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+frombuffer(const dns_name_t *name, unsigned int alg, unsigned int flags,
+	   unsigned int protocol, dns_rdataclass_t rdclass,
+	   isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp) {
+	dst_key_t *key;
+	isc_result_t ret;
+
+	REQUIRE(dns_name_isabsolute(name));
+	REQUIRE(source != NULL);
+	REQUIRE(mctx != NULL);
+	REQUIRE(keyp != NULL && *keyp == NULL);
+
+	key = get_key_struct(name, alg, flags, protocol, 0, rdclass, 0, mctx);
+	if (key == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	if (isc_buffer_remaininglength(source) > 0) {
+		ret = algorithm_status(alg);
+		if (ret != ISC_R_SUCCESS) {
+			dst_key_free(&key);
+			return (ret);
+		}
+		if (key->func->fromdns == NULL) {
+			dst_key_free(&key);
+			return (DST_R_UNSUPPORTEDALG);
+		}
+
+		ret = key->func->fromdns(key, source);
+		if (ret != ISC_R_SUCCESS) {
+			dst_key_free(&key);
+			return (ret);
+		}
+	}
+
+	*keyp = key;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+algorithm_status(unsigned int alg) {
+	REQUIRE(dst_initialized);
+
+	if (dst_algorithm_supported(alg)) {
+		return (ISC_R_SUCCESS);
+	}
+	return (DST_R_UNSUPPORTEDALG);
+}
+
+static isc_result_t
+addsuffix(char *filename, int len, const char *odirname, const char *ofilename,
+	  const char *suffix) {
+	int olen = strlen(ofilename);
+	int n;
+
+	if (olen > 1 && ofilename[olen - 1] == '.') {
+		olen -= 1;
+	} else if (olen > 8 && strcmp(ofilename + olen - 8, ".private") == 0) {
+		olen -= 8;
+	} else if (olen > 4 && strcmp(ofilename + olen - 4, ".key") == 0) {
+		olen -= 4;
+	}
+
+	if (odirname == NULL) {
+		n = snprintf(filename, len, "%.*s%s", olen, ofilename, suffix);
+	} else {
+		n = snprintf(filename, len, "%s/%.*s%s", odirname, olen,
+			     ofilename, suffix);
+	}
+	if (n < 0) {
+		return (ISC_R_FAILURE);
+	}
+	if (n >= len) {
+		return (ISC_R_NOSPACE);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+isc_buffer_t *
+dst_key_tkeytoken(const dst_key_t *key) {
+	REQUIRE(VALID_KEY(key));
+	return (key->key_tkeytoken);
+}
+
+/*
+ * A key is considered unused if it does not have any timing metadata set
+ * other than "Created".
+ *
+ */
+bool
+dst_key_is_unused(dst_key_t *key) {
+	isc_stdtime_t val;
+	dst_key_state_t st;
+	int state_type;
+	bool state_type_set;
+
+	REQUIRE(VALID_KEY(key));
+
+	/*
+	 * None of the key timing metadata, except Created, may be set.  Key
+	 * state times may be set only if their respective state is HIDDEN.
+	 */
+	for (int i = 0; i < DST_MAX_TIMES + 1; i++) {
+		state_type_set = false;
+
+		switch (i) {
+		case DST_TIME_CREATED:
+			break;
+		case DST_TIME_DNSKEY:
+			state_type = DST_KEY_DNSKEY;
+			state_type_set = true;
+			break;
+		case DST_TIME_ZRRSIG:
+			state_type = DST_KEY_ZRRSIG;
+			state_type_set = true;
+			break;
+		case DST_TIME_KRRSIG:
+			state_type = DST_KEY_KRRSIG;
+			state_type_set = true;
+			break;
+		case DST_TIME_DS:
+			state_type = DST_KEY_DS;
+			state_type_set = true;
+			break;
+		default:
+			break;
+		}
+
+		/* Created is fine. */
+		if (i == DST_TIME_CREATED) {
+			continue;
+		}
+		/* No such timing metadata found, that is fine too. */
+		if (dst_key_gettime(key, i, &val) == ISC_R_NOTFOUND) {
+			continue;
+		}
+		/*
+		 * Found timing metadata and it is not related to key states.
+		 * This key is used.
+		 */
+		if (!state_type_set) {
+			return (false);
+		}
+		/*
+		 * If the state is not HIDDEN, the key is in use.
+		 * If the state is not set, this is odd and we default to NA.
+		 */
+		if (dst_key_getstate(key, state_type, &st) != ISC_R_SUCCESS) {
+			st = DST_KEY_STATE_NA;
+		}
+		if (st != DST_KEY_STATE_HIDDEN) {
+			return (false);
+		}
+	}
+	/* This key is unused. */
+	return (true);
+}
+
+isc_result_t
+dst_key_role(dst_key_t *key, bool *ksk, bool *zsk) {
+	bool k = false, z = false;
+	isc_result_t result, ret = ISC_R_SUCCESS;
+
+	if (ksk != NULL) {
+		result = dst_key_getbool(key, DST_BOOL_KSK, &k);
+		if (result == ISC_R_SUCCESS) {
+			*ksk = k;
+		} else {
+			*ksk = ((dst_key_flags(key) & DNS_KEYFLAG_KSK) != 0);
+			ret = result;
+		}
+	}
+
+	if (zsk != NULL) {
+		result = dst_key_getbool(key, DST_BOOL_ZSK, &z);
+		if (result == ISC_R_SUCCESS) {
+			*zsk = z;
+		} else {
+			*zsk = ((dst_key_flags(key) & DNS_KEYFLAG_KSK) == 0);
+			ret = result;
+		}
+	}
+	return (ret);
+}
+
+/* Hints on key whether it can be published and/or used for signing. */
+
+bool
+dst_key_is_published(dst_key_t *key, isc_stdtime_t now,
+		     isc_stdtime_t *publish) {
+	dst_key_state_t state;
+	isc_result_t result;
+	isc_stdtime_t when;
+	bool state_ok = true, time_ok = false;
+
+	REQUIRE(VALID_KEY(key));
+
+	result = dst_key_gettime(key, DST_TIME_PUBLISH, &when);
+	if (result == ISC_R_SUCCESS) {
+		*publish = when;
+		time_ok = (when <= now);
+	}
+
+	/* Check key states:
+	 * If the DNSKEY state is RUMOURED or OMNIPRESENT, it means it
+	 * should be published.
+	 */
+	result = dst_key_getstate(key, DST_KEY_DNSKEY, &state);
+	if (result == ISC_R_SUCCESS) {
+		state_ok = ((state == DST_KEY_STATE_RUMOURED) ||
+			    (state == DST_KEY_STATE_OMNIPRESENT));
+		/*
+		 * Key states trump timing metadata.
+		 * Ignore inactive time.
+		 */
+		time_ok = true;
+	}
+
+	return (state_ok && time_ok);
+}
+
+bool
+dst_key_is_active(dst_key_t *key, isc_stdtime_t now) {
+	dst_key_state_t state;
+	isc_result_t result;
+	isc_stdtime_t when = 0;
+	bool ksk = false, zsk = false, inactive = false;
+	bool ds_ok = true, zrrsig_ok = true, time_ok = false;
+
+	REQUIRE(VALID_KEY(key));
+
+	result = dst_key_gettime(key, DST_TIME_INACTIVE, &when);
+	if (result == ISC_R_SUCCESS) {
+		inactive = (when <= now);
+	}
+
+	result = dst_key_gettime(key, DST_TIME_ACTIVATE, &when);
+	if (result == ISC_R_SUCCESS) {
+		time_ok = (when <= now);
+	}
+
+	(void)dst_key_role(key, &ksk, &zsk);
+
+	/* Check key states:
+	 * KSK: If the DS is RUMOURED or OMNIPRESENT the key is considered
+	 * active.
+	 */
+	if (ksk) {
+		result = dst_key_getstate(key, DST_KEY_DS, &state);
+		if (result == ISC_R_SUCCESS) {
+			ds_ok = ((state == DST_KEY_STATE_RUMOURED) ||
+				 (state == DST_KEY_STATE_OMNIPRESENT));
+			/*
+			 * Key states trump timing metadata.
+			 * Ignore inactive time.
+			 */
+			time_ok = true;
+			inactive = false;
+		}
+	}
+	/*
+	 * ZSK: If the ZRRSIG state is RUMOURED or OMNIPRESENT, it means the
+	 * key is active.
+	 */
+	if (zsk) {
+		result = dst_key_getstate(key, DST_KEY_ZRRSIG, &state);
+		if (result == ISC_R_SUCCESS) {
+			zrrsig_ok = ((state == DST_KEY_STATE_RUMOURED) ||
+				     (state == DST_KEY_STATE_OMNIPRESENT));
+			/*
+			 * Key states trump timing metadata.
+			 * Ignore inactive time.
+			 */
+			time_ok = true;
+			inactive = false;
+		}
+	}
+	return (ds_ok && zrrsig_ok && time_ok && !inactive);
+}
+
+bool
+dst_key_is_signing(dst_key_t *key, int role, isc_stdtime_t now,
+		   isc_stdtime_t *active) {
+	dst_key_state_t state;
+	isc_result_t result;
+	isc_stdtime_t when = 0;
+	bool ksk = false, zsk = false, inactive = false;
+	bool krrsig_ok = true, zrrsig_ok = true, time_ok = false;
+
+	REQUIRE(VALID_KEY(key));
+
+	result = dst_key_gettime(key, DST_TIME_INACTIVE, &when);
+	if (result == ISC_R_SUCCESS) {
+		inactive = (when <= now);
+	}
+
+	result = dst_key_gettime(key, DST_TIME_ACTIVATE, &when);
+	if (result == ISC_R_SUCCESS) {
+		*active = when;
+		time_ok = (when <= now);
+	}
+
+	(void)dst_key_role(key, &ksk, &zsk);
+
+	/* Check key states:
+	 * If the RRSIG state is RUMOURED or OMNIPRESENT, it means the key
+	 * is active.
+	 */
+	if (ksk && role == DST_BOOL_KSK) {
+		result = dst_key_getstate(key, DST_KEY_KRRSIG, &state);
+		if (result == ISC_R_SUCCESS) {
+			krrsig_ok = ((state == DST_KEY_STATE_RUMOURED) ||
+				     (state == DST_KEY_STATE_OMNIPRESENT));
+			/*
+			 * Key states trump timing metadata.
+			 * Ignore inactive time.
+			 */
+			time_ok = true;
+			inactive = false;
+		}
+	} else if (zsk && role == DST_BOOL_ZSK) {
+		result = dst_key_getstate(key, DST_KEY_ZRRSIG, &state);
+		if (result == ISC_R_SUCCESS) {
+			zrrsig_ok = ((state == DST_KEY_STATE_RUMOURED) ||
+				     (state == DST_KEY_STATE_OMNIPRESENT));
+			/*
+			 * Key states trump timing metadata.
+			 * Ignore inactive time.
+			 */
+			time_ok = true;
+			inactive = false;
+		}
+	}
+	return (krrsig_ok && zrrsig_ok && time_ok && !inactive);
+}
+
+bool
+dst_key_is_revoked(dst_key_t *key, isc_stdtime_t now, isc_stdtime_t *revoke) {
+	isc_result_t result;
+	isc_stdtime_t when = 0;
+	bool time_ok = false;
+
+	REQUIRE(VALID_KEY(key));
+
+	result = dst_key_gettime(key, DST_TIME_REVOKE, &when);
+	if (result == ISC_R_SUCCESS) {
+		*revoke = when;
+		time_ok = (when <= now);
+	}
+
+	return (time_ok);
+}
+
+bool
+dst_key_is_removed(dst_key_t *key, isc_stdtime_t now, isc_stdtime_t *remove) {
+	dst_key_state_t state;
+	isc_result_t result;
+	isc_stdtime_t when = 0;
+	bool state_ok = true, time_ok = false;
+
+	REQUIRE(VALID_KEY(key));
+
+	if (dst_key_is_unused(key)) {
+		/* This key was never used. */
+		return (false);
+	}
+
+	result = dst_key_gettime(key, DST_TIME_DELETE, &when);
+	if (result == ISC_R_SUCCESS) {
+		*remove = when;
+		time_ok = (when <= now);
+	}
+
+	/* Check key states:
+	 * If the DNSKEY state is UNRETENTIVE or HIDDEN, it means the key
+	 * should not be published.
+	 */
+	result = dst_key_getstate(key, DST_KEY_DNSKEY, &state);
+	if (result == ISC_R_SUCCESS) {
+		state_ok = ((state == DST_KEY_STATE_UNRETENTIVE) ||
+			    (state == DST_KEY_STATE_HIDDEN));
+		/*
+		 * Key states trump timing metadata.
+		 * Ignore delete time.
+		 */
+		time_ok = true;
+	}
+
+	return (state_ok && time_ok);
+}
+
+dst_key_state_t
+dst_key_goal(dst_key_t *key) {
+	dst_key_state_t state;
+	isc_result_t result;
+
+	REQUIRE(VALID_KEY(key));
+
+	result = dst_key_getstate(key, DST_KEY_GOAL, &state);
+	if (result == ISC_R_SUCCESS) {
+		return (state);
+	}
+	return (DST_KEY_STATE_HIDDEN);
+}
+
+bool
+dst_key_haskasp(dst_key_t *key) {
+	REQUIRE(VALID_KEY(key));
+
+	return (key->kasp);
+}
+
+void
+dst_key_copy_metadata(dst_key_t *to, dst_key_t *from) {
+	dst_key_state_t state;
+	isc_stdtime_t when;
+	uint32_t num;
+	bool yesno;
+	isc_result_t result;
+
+	REQUIRE(VALID_KEY(to));
+	REQUIRE(VALID_KEY(from));
+
+	for (int i = 0; i < DST_MAX_TIMES + 1; i++) {
+		result = dst_key_gettime(from, i, &when);
+		if (result == ISC_R_SUCCESS) {
+			dst_key_settime(to, i, when);
+		} else {
+			dst_key_unsettime(to, i);
+		}
+	}
+
+	for (int i = 0; i < DST_MAX_NUMERIC + 1; i++) {
+		result = dst_key_getnum(from, i, &num);
+		if (result == ISC_R_SUCCESS) {
+			dst_key_setnum(to, i, num);
+		} else {
+			dst_key_unsetnum(to, i);
+		}
+	}
+
+	for (int i = 0; i < DST_MAX_BOOLEAN + 1; i++) {
+		result = dst_key_getbool(from, i, &yesno);
+		if (result == ISC_R_SUCCESS) {
+			dst_key_setbool(to, i, yesno);
+		} else {
+			dst_key_unsetbool(to, i);
+		}
+	}
+
+	for (int i = 0; i < DST_MAX_KEYSTATES + 1; i++) {
+		result = dst_key_getstate(from, i, &state);
+		if (result == ISC_R_SUCCESS) {
+			dst_key_setstate(to, i, state);
+		} else {
+			dst_key_unsetstate(to, i);
+		}
+	}
+
+	dst_key_setmodified(to, dst_key_ismodified(from));
+}
diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
new file mode 100644
index 0000000..4933cfd
--- /dev/null
+++ b/lib/dns/dst_internal.h
@@ -0,0 +1,286 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Portions Copyright (C) Network Associates, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#pragma once
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/buffer.h>
+#include <isc/hmac.h>
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/md.h>
+#include <isc/refcount.h>
+#include <isc/region.h>
+#include <isc/stdtime.h>
+#include <isc/types.h>
+
+#if USE_PKCS11
+#include <pk11/pk11.h>
+#include <pk11/site.h>
+#endif /* USE_PKCS11 */
+
+#include <openssl/dh.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/rsa.h>
+
+#include <dns/time.h>
+
+#include <dst/dst.h>
+
+#ifdef GSSAPI
+#ifdef WIN32
+/*
+ * MSVC does not like macros in #include lines.
+ */
+#include <gssapi/gssapi.h>
+#include <gssapi/gssapi_krb5.h>
+#else /* ifdef WIN32 */
+#include ISC_PLATFORM_GSSAPIHEADER
+#ifdef ISC_PLATFORM_GSSAPI_KRB5_HEADER
+#include ISC_PLATFORM_GSSAPI_KRB5_HEADER
+#endif /* ifdef ISC_PLATFORM_GSSAPI_KRB5_HEADER */
+#endif /* ifdef WIN32 */
+#endif /* ifdef GSSAPI */
+
+ISC_LANG_BEGINDECLS
+
+#define KEY_MAGIC ISC_MAGIC('D', 'S', 'T', 'K')
+#define CTX_MAGIC ISC_MAGIC('D', 'S', 'T', 'C')
+
+#define VALID_KEY(x) ISC_MAGIC_VALID(x, KEY_MAGIC)
+#define VALID_CTX(x) ISC_MAGIC_VALID(x, CTX_MAGIC)
+
+/***
+ *** Types
+ ***/
+
+typedef struct dst_func dst_func_t;
+
+typedef struct dst_hmac_key dst_hmac_key_t;
+
+/*%
+ * Indicate whether a DST context will be used for signing
+ * or for verification
+ */
+typedef enum { DO_SIGN, DO_VERIFY } dst_use_t;
+
+/*% DST Key Structure */
+struct dst_key {
+	unsigned int magic;
+	isc_refcount_t refs;
+	isc_mutex_t mdlock;	    /*%< lock for read/write metadata */
+	dns_name_t *key_name;	    /*%< name of the key */
+	unsigned int key_size;	    /*%< size of the key in bits */
+	unsigned int key_proto;	    /*%< protocols this key is used for
+				     * */
+	unsigned int key_alg;	    /*%< algorithm of the key */
+	uint32_t key_flags;	    /*%< flags of the public key */
+	uint16_t key_id;	    /*%< identifier of the key */
+	uint16_t key_rid;	    /*%< identifier of the key when
+				     *   revoked */
+	uint16_t key_bits;	    /*%< hmac digest bits */
+	dns_rdataclass_t key_class; /*%< class of the key record */
+	dns_ttl_t key_ttl;	    /*%< default/initial dnskey ttl */
+	isc_mem_t *mctx;	    /*%< memory context */
+	char *engine;		    /*%< engine name (HSM) */
+	char *label;		    /*%< engine label (HSM) */
+	union {
+		void *generic;
+		dns_gss_ctx_id_t gssctx;
+		DH *dh;
+#if USE_OPENSSL
+		EVP_PKEY *pkey;
+#endif /* if USE_OPENSSL */
+#if USE_PKCS11
+		pk11_object_t *pkey;
+#endif /* if USE_PKCS11 */
+		dst_hmac_key_t *hmac_key;
+	} keydata; /*%< pointer to key in crypto pkg fmt */
+
+	isc_stdtime_t times[DST_MAX_TIMES + 1]; /*%< timing metadata */
+	bool timeset[DST_MAX_TIMES + 1];	/*%< data set? */
+
+	uint32_t nums[DST_MAX_NUMERIC + 1]; /*%< numeric metadata
+					     * */
+	bool numset[DST_MAX_NUMERIC + 1];   /*%< data set? */
+
+	bool bools[DST_MAX_BOOLEAN + 1];   /*%< boolean metadata
+					    * */
+	bool boolset[DST_MAX_BOOLEAN + 1]; /*%< data set? */
+
+	dst_key_state_t keystates[DST_MAX_KEYSTATES + 1]; /*%< key states
+							   * */
+	bool keystateset[DST_MAX_KEYSTATES + 1];	  /*%< data
+							   * set? */
+
+	bool kasp;     /*%< key has kasp state */
+	bool inactive; /*%< private key not present as it is
+			* inactive */
+	bool external; /*%< external key */
+	bool modified; /*%< set to true if key file metadata has changed */
+
+	int fmt_major; /*%< private key format, major version
+			* */
+	int fmt_minor; /*%< private key format, minor version
+			* */
+
+	dst_func_t *func;	     /*%< crypto package specific functions */
+	isc_buffer_t *key_tkeytoken; /*%< TKEY token data */
+};
+
+struct dst_context {
+	unsigned int magic;
+	dst_use_t use;
+	dst_key_t *key;
+	isc_mem_t *mctx;
+	isc_logcategory_t *category;
+	union {
+		void *generic;
+		dst_gssapi_signverifyctx_t *gssctx;
+		isc_hmac_t *hmac_ctx;
+		EVP_MD_CTX *evp_md_ctx;
+#if USE_PKCS11
+		pk11_context_t *pk11_ctx;
+#endif /* if USE_PKCS11 */
+	} ctxdata;
+};
+
+struct dst_func {
+	/*
+	 * Context functions
+	 */
+	isc_result_t (*createctx)(dst_key_t *key, dst_context_t *dctx);
+	isc_result_t (*createctx2)(dst_key_t *key, int maxbits,
+				   dst_context_t *dctx);
+	void (*destroyctx)(dst_context_t *dctx);
+	isc_result_t (*adddata)(dst_context_t *dctx, const isc_region_t *data);
+
+	/*
+	 * Key operations
+	 */
+	isc_result_t (*sign)(dst_context_t *dctx, isc_buffer_t *sig);
+	isc_result_t (*verify)(dst_context_t *dctx, const isc_region_t *sig);
+	isc_result_t (*verify2)(dst_context_t *dctx, int maxbits,
+				const isc_region_t *sig);
+	isc_result_t (*computesecret)(const dst_key_t *pub,
+				      const dst_key_t *priv,
+				      isc_buffer_t *secret);
+	bool (*compare)(const dst_key_t *key1, const dst_key_t *key2);
+	bool (*paramcompare)(const dst_key_t *key1, const dst_key_t *key2);
+	isc_result_t (*generate)(dst_key_t *key, int parms,
+				 void (*callback)(int));
+	bool (*isprivate)(const dst_key_t *key);
+	void (*destroy)(dst_key_t *key);
+
+	/* conversion functions */
+	isc_result_t (*todns)(const dst_key_t *key, isc_buffer_t *data);
+	isc_result_t (*fromdns)(dst_key_t *key, isc_buffer_t *data);
+	isc_result_t (*tofile)(const dst_key_t *key, const char *directory);
+	isc_result_t (*parse)(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub);
+
+	/* cleanup */
+	void (*cleanup)(void);
+
+	isc_result_t (*fromlabel)(dst_key_t *key, const char *engine,
+				  const char *label, const char *pin);
+	isc_result_t (*dump)(dst_key_t *key, isc_mem_t *mctx, char **buffer,
+			     int *length);
+	isc_result_t (*restore)(dst_key_t *key, const char *keystr);
+};
+
+/*%
+ * Initializers
+ */
+isc_result_t
+dst__openssl_init(const char *engine);
+#define dst__pkcs11_init pk11_initialize
+
+isc_result_t
+dst__hmacmd5_init(struct dst_func **funcp);
+isc_result_t
+dst__hmacsha1_init(struct dst_func **funcp);
+isc_result_t
+dst__hmacsha224_init(struct dst_func **funcp);
+isc_result_t
+dst__hmacsha256_init(struct dst_func **funcp);
+isc_result_t
+dst__hmacsha384_init(struct dst_func **funcp);
+isc_result_t
+dst__hmacsha512_init(struct dst_func **funcp);
+isc_result_t
+dst__openssldh_init(struct dst_func **funcp);
+#if USE_OPENSSL
+isc_result_t
+dst__opensslrsa_init(struct dst_func **funcp, unsigned char algorithm);
+isc_result_t
+dst__opensslecdsa_init(struct dst_func **funcp);
+#if HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448
+isc_result_t
+dst__openssleddsa_init(struct dst_func **funcp);
+#endif /* HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448 */
+#endif /* USE_OPENSSL */
+#if USE_PKCS11
+isc_result_t
+dst__pkcs11rsa_init(struct dst_func **funcp);
+isc_result_t
+dst__pkcs11dsa_init(struct dst_func **funcp);
+isc_result_t
+dst__pkcs11ecdsa_init(struct dst_func **funcp);
+isc_result_t
+dst__pkcs11eddsa_init(struct dst_func **funcp);
+#endif /* USE_PKCS11 */
+#ifdef GSSAPI
+isc_result_t
+dst__gssapi_init(struct dst_func **funcp);
+#endif /* GSSAPI */
+
+/*%
+ * Destructors
+ */
+void
+dst__openssl_destroy(void);
+#define dst__pkcs11_destroy pk11_finalize
+
+/*%
+ * Memory allocators using the DST memory pool.
+ */
+void *
+dst__mem_alloc(size_t size);
+void
+dst__mem_free(void *ptr);
+void *
+dst__mem_realloc(void *ptr, size_t size);
+
+ISC_LANG_ENDDECLS
+
+/*! \file */
diff --git a/lib/dns/dst_openssl.h b/lib/dns/dst_openssl.h
new file mode 100644
index 0000000..5727848
--- /dev/null
+++ b/lib/dns/dst_openssl.h
@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DST_OPENSSL_H
+#define DST_OPENSSL_H 1
+
+#include <openssl/bn.h>
+#include <openssl/conf.h>
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/rand.h>
+
+#include <isc/lang.h>
+#include <isc/log.h>
+#include <isc/result.h>
+
+#if !HAVE_BN_GENCB_NEW
+/*
+ * These are new in OpenSSL 1.1.0.  BN_GENCB _cb needs to be declared in
+ * the function like this before the BN_GENCB_new call:
+ *
+ * #if !HAVE_BN_GENCB_NEW
+ *     	 _cb;
+ * #endif
+ */
+#define BN_GENCB_free(x)    ((void)0)
+#define BN_GENCB_new()	    (&_cb)
+#define BN_GENCB_get_arg(x) ((x)->arg)
+#endif /* !HAVE_BN_GENCB_NEW */
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+/*
+ * EVP_dss1() is a version of EVP_sha1() that was needed prior to
+ * 1.1.0 because there was a link between digests and signing algorithms;
+ * the link has been eliminated and EVP_sha1() can be used now instead.
+ */
+#define EVP_dss1 EVP_sha1
+#endif /* if OPENSSL_VERSION_NUMBER >= 0x10100000L */
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dst__openssl_toresult(isc_result_t fallback);
+
+isc_result_t
+dst__openssl_toresult2(const char *funcname, isc_result_t fallback);
+
+isc_result_t
+dst__openssl_toresult3(isc_logcategory_t *category, const char *funcname,
+		       isc_result_t fallback);
+
+#if !defined(OPENSSL_NO_ENGINE)
+ENGINE *
+dst__openssl_getengine(const char *engine);
+#else /* if !defined(OPENSSL_NO_ENGINE) */
+#define dst__openssl_getengine(x) NULL
+#endif /* if !defined(OPENSSL_NO_ENGINE) */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DST_OPENSSL_H */
+/*! \file */
diff --git a/lib/dns/dst_parse.c b/lib/dns/dst_parse.c
new file mode 100644
index 0000000..b7bbee9
--- /dev/null
+++ b/lib/dns/dst_parse.c
@@ -0,0 +1,804 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) Network Associates, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "dst_parse.h"
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/base64.h>
+#include <isc/dir.h>
+#include <isc/file.h>
+#include <isc/fsaccess.h>
+#include <isc/lex.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/stdtime.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <pk11/site.h>
+
+#include <dns/log.h>
+#include <dns/time.h>
+
+#include "dst/result.h"
+#include "dst_internal.h"
+
+#define DST_AS_STR(t) ((t).value.as_textregion.base)
+
+#define PRIVATE_KEY_STR "Private-key-format:"
+#define ALGORITHM_STR	"Algorithm:"
+
+#define TIMING_NTAGS (DST_MAX_TIMES + 1)
+static const char *timetags[TIMING_NTAGS] = {
+	"Created:",    "Publish:", "Activate:",	 "Revoke:",
+	"Inactive:",   "Delete:",  "DSPublish:", "SyncPublish:",
+	"SyncDelete:", NULL,	   NULL,	 NULL,
+	NULL
+};
+
+#define NUMERIC_NTAGS (DST_MAX_NUMERIC + 1)
+static const char *numerictags[NUMERIC_NTAGS] = {
+	"Predecessor:", "Successor:", "MaxTTL:", "RollPeriod:", NULL, NULL, NULL
+};
+
+struct parse_map {
+	const int value;
+	const char *tag;
+};
+
+static struct parse_map map[] = { { TAG_RSA_MODULUS, "Modulus:" },
+				  { TAG_RSA_PUBLICEXPONENT, "PublicExponent:" },
+				  { TAG_RSA_PRIVATEEXPONENT, "PrivateExponent"
+							     ":" },
+				  { TAG_RSA_PRIME1, "Prime1:" },
+				  { TAG_RSA_PRIME2, "Prime2:" },
+				  { TAG_RSA_EXPONENT1, "Exponent1:" },
+				  { TAG_RSA_EXPONENT2, "Exponent2:" },
+				  { TAG_RSA_COEFFICIENT, "Coefficient:" },
+				  { TAG_RSA_ENGINE, "Engine:" },
+				  { TAG_RSA_LABEL, "Label:" },
+
+				  { TAG_DH_PRIME, "Prime(p):" },
+				  { TAG_DH_GENERATOR, "Generator(g):" },
+				  { TAG_DH_PRIVATE, "Private_value(x):" },
+				  { TAG_DH_PUBLIC, "Public_value(y):" },
+
+				  { TAG_ECDSA_PRIVATEKEY, "PrivateKey:" },
+				  { TAG_ECDSA_ENGINE, "Engine:" },
+				  { TAG_ECDSA_LABEL, "Label:" },
+
+				  { TAG_EDDSA_PRIVATEKEY, "PrivateKey:" },
+				  { TAG_EDDSA_ENGINE, "Engine:" },
+				  { TAG_EDDSA_LABEL, "Label:" },
+
+				  { TAG_HMACMD5_KEY, "Key:" },
+				  { TAG_HMACMD5_BITS, "Bits:" },
+
+				  { TAG_HMACSHA1_KEY, "Key:" },
+				  { TAG_HMACSHA1_BITS, "Bits:" },
+
+				  { TAG_HMACSHA224_KEY, "Key:" },
+				  { TAG_HMACSHA224_BITS, "Bits:" },
+
+				  { TAG_HMACSHA256_KEY, "Key:" },
+				  { TAG_HMACSHA256_BITS, "Bits:" },
+
+				  { TAG_HMACSHA384_KEY, "Key:" },
+				  { TAG_HMACSHA384_BITS, "Bits:" },
+
+				  { TAG_HMACSHA512_KEY, "Key:" },
+				  { TAG_HMACSHA512_BITS, "Bits:" },
+
+				  { 0, NULL } };
+
+static int
+find_value(const char *s, const unsigned int alg) {
+	int i;
+
+	for (i = 0; map[i].tag != NULL; i++) {
+		if (strcasecmp(s, map[i].tag) == 0 &&
+		    (TAG_ALG(map[i].value) == alg))
+		{
+			return (map[i].value);
+		}
+	}
+	return (-1);
+}
+
+static const char *
+find_tag(const int value) {
+	int i;
+
+	for (i = 0;; i++) {
+		if (map[i].tag == NULL) {
+			return (NULL);
+		} else if (value == map[i].value) {
+			return (map[i].tag);
+		}
+	}
+}
+
+static int
+find_metadata(const char *s, const char *tags[], int ntags) {
+	int i;
+
+	for (i = 0; i < ntags; i++) {
+		if (tags[i] != NULL && strcasecmp(s, tags[i]) == 0) {
+			return (i);
+		}
+	}
+
+	return (-1);
+}
+
+static int
+find_timedata(const char *s) {
+	return (find_metadata(s, timetags, TIMING_NTAGS));
+}
+
+static int
+find_numericdata(const char *s) {
+	return (find_metadata(s, numerictags, NUMERIC_NTAGS));
+}
+
+static int
+check_rsa(const dst_private_t *priv, bool external) {
+	int i, j;
+	bool have[RSA_NTAGS];
+	bool ok;
+	unsigned int mask;
+
+	if (external) {
+		return ((priv->nelements == 0) ? 0 : -1);
+	}
+
+	for (i = 0; i < RSA_NTAGS; i++) {
+		have[i] = false;
+	}
+
+	for (j = 0; j < priv->nelements; j++) {
+		for (i = 0; i < RSA_NTAGS; i++) {
+			if (priv->elements[j].tag == TAG(DST_ALG_RSA, i)) {
+				break;
+			}
+		}
+		if (i == RSA_NTAGS) {
+			return (-1);
+		}
+		have[i] = true;
+	}
+
+	mask = (1ULL << TAG_SHIFT) - 1;
+
+	if (have[TAG_RSA_ENGINE & mask]) {
+		ok = have[TAG_RSA_MODULUS & mask] &&
+		     have[TAG_RSA_PUBLICEXPONENT & mask] &&
+		     have[TAG_RSA_LABEL & mask];
+	} else {
+		ok = have[TAG_RSA_MODULUS & mask] &&
+		     have[TAG_RSA_PUBLICEXPONENT & mask] &&
+		     have[TAG_RSA_PRIVATEEXPONENT & mask] &&
+		     have[TAG_RSA_PRIME1 & mask] &&
+		     have[TAG_RSA_PRIME2 & mask] &&
+		     have[TAG_RSA_EXPONENT1 & mask] &&
+		     have[TAG_RSA_EXPONENT2 & mask] &&
+		     have[TAG_RSA_COEFFICIENT & mask];
+	}
+	return (ok ? 0 : -1);
+}
+
+static int
+check_dh(const dst_private_t *priv) {
+	int i, j;
+	if (priv->nelements != DH_NTAGS) {
+		return (-1);
+	}
+	for (i = 0; i < DH_NTAGS; i++) {
+		for (j = 0; j < priv->nelements; j++) {
+			if (priv->elements[j].tag == TAG(DST_ALG_DH, i)) {
+				break;
+			}
+		}
+		if (j == priv->nelements) {
+			return (-1);
+		}
+	}
+	return (0);
+}
+
+static int
+check_ecdsa(const dst_private_t *priv, bool external) {
+	int i, j;
+	bool have[ECDSA_NTAGS];
+	bool ok;
+	unsigned int mask;
+
+	if (external) {
+		return ((priv->nelements == 0) ? 0 : -1);
+	}
+
+	for (i = 0; i < ECDSA_NTAGS; i++) {
+		have[i] = false;
+	}
+	for (j = 0; j < priv->nelements; j++) {
+		for (i = 0; i < ECDSA_NTAGS; i++) {
+			if (priv->elements[j].tag == TAG(DST_ALG_ECDSA256, i)) {
+				break;
+			}
+		}
+		if (i == ECDSA_NTAGS) {
+			return (-1);
+		}
+		have[i] = true;
+	}
+
+	mask = (1ULL << TAG_SHIFT) - 1;
+
+	if (have[TAG_ECDSA_ENGINE & mask]) {
+		ok = have[TAG_ECDSA_LABEL & mask];
+	} else {
+		ok = have[TAG_ECDSA_PRIVATEKEY & mask];
+	}
+	return (ok ? 0 : -1);
+}
+
+static int
+check_eddsa(const dst_private_t *priv, bool external) {
+	int i, j;
+	bool have[EDDSA_NTAGS];
+	bool ok;
+	unsigned int mask;
+
+	if (external) {
+		return ((priv->nelements == 0) ? 0 : -1);
+	}
+
+	for (i = 0; i < EDDSA_NTAGS; i++) {
+		have[i] = false;
+	}
+	for (j = 0; j < priv->nelements; j++) {
+		for (i = 0; i < EDDSA_NTAGS; i++) {
+			if (priv->elements[j].tag == TAG(DST_ALG_ED25519, i)) {
+				break;
+			}
+		}
+		if (i == EDDSA_NTAGS) {
+			return (-1);
+		}
+		have[i] = true;
+	}
+
+	mask = (1ULL << TAG_SHIFT) - 1;
+
+	if (have[TAG_EDDSA_ENGINE & mask]) {
+		ok = have[TAG_EDDSA_LABEL & mask];
+	} else {
+		ok = have[TAG_EDDSA_PRIVATEKEY & mask];
+	}
+	return (ok ? 0 : -1);
+}
+
+static int
+check_hmac_md5(const dst_private_t *priv, bool old) {
+	int i, j;
+
+	if (priv->nelements != HMACMD5_NTAGS) {
+		/*
+		 * If this is a good old format and we are accepting
+		 * the old format return success.
+		 */
+		if (old && priv->nelements == OLD_HMACMD5_NTAGS &&
+		    priv->elements[0].tag == TAG_HMACMD5_KEY)
+		{
+			return (0);
+		}
+		return (-1);
+	}
+	/*
+	 * We must be new format at this point.
+	 */
+	for (i = 0; i < HMACMD5_NTAGS; i++) {
+		for (j = 0; j < priv->nelements; j++) {
+			if (priv->elements[j].tag == TAG(DST_ALG_HMACMD5, i)) {
+				break;
+			}
+		}
+		if (j == priv->nelements) {
+			return (-1);
+		}
+	}
+	return (0);
+}
+
+static int
+check_hmac_sha(const dst_private_t *priv, unsigned int ntags,
+	       unsigned int alg) {
+	unsigned int i, j;
+	if (priv->nelements != ntags) {
+		return (-1);
+	}
+	for (i = 0; i < ntags; i++) {
+		for (j = 0; j < priv->nelements; j++) {
+			if (priv->elements[j].tag == TAG(alg, i)) {
+				break;
+			}
+		}
+		if (j == priv->nelements) {
+			return (-1);
+		}
+	}
+	return (0);
+}
+
+static int
+check_data(const dst_private_t *priv, const unsigned int alg, bool old,
+	   bool external) {
+	/* XXXVIX this switch statement is too sparse to gen a jump table. */
+	switch (alg) {
+	case DST_ALG_RSA:
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+	case DST_ALG_RSASHA256:
+	case DST_ALG_RSASHA512:
+		return (check_rsa(priv, external));
+	case DST_ALG_DH:
+		return (check_dh(priv));
+	case DST_ALG_ECDSA256:
+	case DST_ALG_ECDSA384:
+		return (check_ecdsa(priv, external));
+	case DST_ALG_ED25519:
+	case DST_ALG_ED448:
+		return (check_eddsa(priv, external));
+	case DST_ALG_HMACMD5:
+		return (check_hmac_md5(priv, old));
+	case DST_ALG_HMACSHA1:
+		return (check_hmac_sha(priv, HMACSHA1_NTAGS, alg));
+	case DST_ALG_HMACSHA224:
+		return (check_hmac_sha(priv, HMACSHA224_NTAGS, alg));
+	case DST_ALG_HMACSHA256:
+		return (check_hmac_sha(priv, HMACSHA256_NTAGS, alg));
+	case DST_ALG_HMACSHA384:
+		return (check_hmac_sha(priv, HMACSHA384_NTAGS, alg));
+	case DST_ALG_HMACSHA512:
+		return (check_hmac_sha(priv, HMACSHA512_NTAGS, alg));
+	default:
+		return (DST_R_UNSUPPORTEDALG);
+	}
+}
+
+void
+dst__privstruct_free(dst_private_t *priv, isc_mem_t *mctx) {
+	int i;
+
+	if (priv == NULL) {
+		return;
+	}
+	for (i = 0; i < priv->nelements; i++) {
+		if (priv->elements[i].data == NULL) {
+			continue;
+		}
+		memset(priv->elements[i].data, 0, MAXFIELDSIZE);
+		isc_mem_put(mctx, priv->elements[i].data, MAXFIELDSIZE);
+	}
+	priv->nelements = 0;
+}
+
+isc_result_t
+dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
+		      isc_mem_t *mctx, dst_private_t *priv) {
+	int n = 0, major, minor, check;
+	isc_buffer_t b;
+	isc_token_t token;
+	unsigned char *data = NULL;
+	unsigned int opt = ISC_LEXOPT_EOL;
+	isc_stdtime_t when;
+	isc_result_t ret;
+	bool external = false;
+
+	REQUIRE(priv != NULL);
+
+	priv->nelements = 0;
+	memset(priv->elements, 0, sizeof(priv->elements));
+
+#define NEXTTOKEN(lex, opt, token)                       \
+	do {                                             \
+		ret = isc_lex_gettoken(lex, opt, token); \
+		if (ret != ISC_R_SUCCESS)                \
+			goto fail;                       \
+	} while (0)
+
+#define READLINE(lex, opt, token)                        \
+	do {                                             \
+		ret = isc_lex_gettoken(lex, opt, token); \
+		if (ret == ISC_R_EOF)                    \
+			break;                           \
+		else if (ret != ISC_R_SUCCESS)           \
+			goto fail;                       \
+	} while ((*token).type != isc_tokentype_eol)
+
+	/*
+	 * Read the description line.
+	 */
+	NEXTTOKEN(lex, opt, &token);
+	if (token.type != isc_tokentype_string ||
+	    strcmp(DST_AS_STR(token), PRIVATE_KEY_STR) != 0)
+	{
+		ret = DST_R_INVALIDPRIVATEKEY;
+		goto fail;
+	}
+
+	NEXTTOKEN(lex, opt, &token);
+	if (token.type != isc_tokentype_string || (DST_AS_STR(token))[0] != 'v')
+	{
+		ret = DST_R_INVALIDPRIVATEKEY;
+		goto fail;
+	}
+	if (sscanf(DST_AS_STR(token), "v%d.%d", &major, &minor) != 2) {
+		ret = DST_R_INVALIDPRIVATEKEY;
+		goto fail;
+	}
+
+	if (major > DST_MAJOR_VERSION) {
+		ret = DST_R_INVALIDPRIVATEKEY;
+		goto fail;
+	}
+
+	/*
+	 * Store the private key format version number
+	 */
+	dst_key_setprivateformat(key, major, minor);
+
+	READLINE(lex, opt, &token);
+
+	/*
+	 * Read the algorithm line.
+	 */
+	NEXTTOKEN(lex, opt, &token);
+	if (token.type != isc_tokentype_string ||
+	    strcmp(DST_AS_STR(token), ALGORITHM_STR) != 0)
+	{
+		ret = DST_R_INVALIDPRIVATEKEY;
+		goto fail;
+	}
+
+	NEXTTOKEN(lex, opt | ISC_LEXOPT_NUMBER, &token);
+	if (token.type != isc_tokentype_number ||
+	    token.value.as_ulong != (unsigned long)dst_key_alg(key))
+	{
+		ret = DST_R_INVALIDPRIVATEKEY;
+		goto fail;
+	}
+
+	READLINE(lex, opt, &token);
+
+	/*
+	 * Read the key data.
+	 */
+	for (n = 0; n < MAXFIELDS; n++) {
+		int tag;
+		isc_region_t r;
+		do {
+			ret = isc_lex_gettoken(lex, opt, &token);
+			if (ret == ISC_R_EOF) {
+				goto done;
+			}
+			if (ret != ISC_R_SUCCESS) {
+				goto fail;
+			}
+		} while (token.type == isc_tokentype_eol);
+
+		if (token.type != isc_tokentype_string) {
+			ret = DST_R_INVALIDPRIVATEKEY;
+			goto fail;
+		}
+
+		if (strcmp(DST_AS_STR(token), "External:") == 0) {
+			external = true;
+			goto next;
+		}
+
+		/* Numeric metadata */
+		tag = find_numericdata(DST_AS_STR(token));
+		if (tag >= 0) {
+			INSIST(tag < NUMERIC_NTAGS);
+
+			NEXTTOKEN(lex, opt | ISC_LEXOPT_NUMBER, &token);
+			if (token.type != isc_tokentype_number) {
+				ret = DST_R_INVALIDPRIVATEKEY;
+				goto fail;
+			}
+
+			dst_key_setnum(key, tag, token.value.as_ulong);
+			goto next;
+		}
+
+		/* Timing metadata */
+		tag = find_timedata(DST_AS_STR(token));
+		if (tag >= 0) {
+			INSIST(tag < TIMING_NTAGS);
+
+			NEXTTOKEN(lex, opt, &token);
+			if (token.type != isc_tokentype_string) {
+				ret = DST_R_INVALIDPRIVATEKEY;
+				goto fail;
+			}
+
+			ret = dns_time32_fromtext(DST_AS_STR(token), &when);
+			if (ret != ISC_R_SUCCESS) {
+				goto fail;
+			}
+
+			dst_key_settime(key, tag, when);
+
+			goto next;
+		}
+
+		/* Key data */
+		tag = find_value(DST_AS_STR(token), alg);
+		if (tag < 0 && minor > DST_MINOR_VERSION) {
+			goto next;
+		} else if (tag < 0) {
+			ret = DST_R_INVALIDPRIVATEKEY;
+			goto fail;
+		}
+
+		priv->elements[n].tag = tag;
+
+		data = isc_mem_get(mctx, MAXFIELDSIZE);
+
+		isc_buffer_init(&b, data, MAXFIELDSIZE);
+		ret = isc_base64_tobuffer(lex, &b, -1);
+		if (ret != ISC_R_SUCCESS) {
+			goto fail;
+		}
+
+		isc_buffer_usedregion(&b, &r);
+		priv->elements[n].length = r.length;
+		priv->elements[n].data = r.base;
+		priv->nelements++;
+
+	next:
+		READLINE(lex, opt, &token);
+		data = NULL;
+	}
+
+done:
+	if (external && priv->nelements != 0) {
+		ret = DST_R_INVALIDPRIVATEKEY;
+		goto fail;
+	}
+
+	check = check_data(priv, alg, true, external);
+	if (check < 0) {
+		ret = DST_R_INVALIDPRIVATEKEY;
+		goto fail;
+	} else if (check != ISC_R_SUCCESS) {
+		ret = check;
+		goto fail;
+	}
+
+	key->external = external;
+
+	return (ISC_R_SUCCESS);
+
+fail:
+	dst__privstruct_free(priv, mctx);
+	if (data != NULL) {
+		isc_mem_put(mctx, data, MAXFIELDSIZE);
+	}
+
+	return (ret);
+}
+
+isc_result_t
+dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
+			  const char *directory) {
+	FILE *fp;
+	isc_result_t result;
+	char filename[NAME_MAX];
+	char buffer[MAXFIELDSIZE * 2];
+	isc_fsaccess_t access;
+	isc_stdtime_t when;
+	uint32_t value;
+	isc_buffer_t b;
+	isc_region_t r;
+	int major, minor;
+	mode_t mode;
+	int i, ret;
+
+	REQUIRE(priv != NULL);
+
+	ret = check_data(priv, dst_key_alg(key), false, key->external);
+	if (ret < 0) {
+		return (DST_R_INVALIDPRIVATEKEY);
+	} else if (ret != ISC_R_SUCCESS) {
+		return (ret);
+	}
+
+	isc_buffer_init(&b, filename, sizeof(filename));
+	result = dst_key_buildfilename(key, DST_TYPE_PRIVATE, directory, &b);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = isc_file_mode(filename, &mode);
+	if (result == ISC_R_SUCCESS && mode != 0600) {
+		/* File exists; warn that we are changing its permissions */
+		int level;
+
+#ifdef _WIN32
+		/* Windows security model is pretty different,
+		 * e.g., there is no umask... */
+		level = ISC_LOG_NOTICE;
+#else  /* ifdef _WIN32 */
+		level = ISC_LOG_WARNING;
+#endif /* ifdef _WIN32 */
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_DNSSEC, level,
+			      "Permissions on the file %s "
+			      "have changed from 0%o to 0600 as "
+			      "a result of this operation.",
+			      filename, (unsigned int)mode);
+	}
+
+	if ((fp = fopen(filename, "w")) == NULL) {
+		return (DST_R_WRITEERROR);
+	}
+
+	access = 0;
+	isc_fsaccess_add(ISC_FSACCESS_OWNER,
+			 ISC_FSACCESS_READ | ISC_FSACCESS_WRITE, &access);
+	(void)isc_fsaccess_set(filename, access);
+
+	dst_key_getprivateformat(key, &major, &minor);
+	if (major == 0 && minor == 0) {
+		major = DST_MAJOR_VERSION;
+		minor = DST_MINOR_VERSION;
+	}
+
+	/* XXXDCL return value should be checked for full filesystem */
+	fprintf(fp, "%s v%d.%d\n", PRIVATE_KEY_STR, major, minor);
+
+	fprintf(fp, "%s %u ", ALGORITHM_STR, dst_key_alg(key));
+
+	/* XXXVIX this switch statement is too sparse to gen a jump table. */
+	switch (dst_key_alg(key)) {
+	case DST_ALG_DH:
+		fprintf(fp, "(DH)\n");
+		break;
+	case DST_ALG_RSASHA1:
+		fprintf(fp, "(RSASHA1)\n");
+		break;
+	case DST_ALG_NSEC3RSASHA1:
+		fprintf(fp, "(NSEC3RSASHA1)\n");
+		break;
+	case DST_ALG_RSASHA256:
+		fprintf(fp, "(RSASHA256)\n");
+		break;
+	case DST_ALG_RSASHA512:
+		fprintf(fp, "(RSASHA512)\n");
+		break;
+	case DST_ALG_ECDSA256:
+		fprintf(fp, "(ECDSAP256SHA256)\n");
+		break;
+	case DST_ALG_ECDSA384:
+		fprintf(fp, "(ECDSAP384SHA384)\n");
+		break;
+	case DST_ALG_ED25519:
+		fprintf(fp, "(ED25519)\n");
+		break;
+	case DST_ALG_ED448:
+		fprintf(fp, "(ED448)\n");
+		break;
+	case DST_ALG_HMACMD5:
+		fprintf(fp, "(HMAC_MD5)\n");
+		break;
+	case DST_ALG_HMACSHA1:
+		fprintf(fp, "(HMAC_SHA1)\n");
+		break;
+	case DST_ALG_HMACSHA224:
+		fprintf(fp, "(HMAC_SHA224)\n");
+		break;
+	case DST_ALG_HMACSHA256:
+		fprintf(fp, "(HMAC_SHA256)\n");
+		break;
+	case DST_ALG_HMACSHA384:
+		fprintf(fp, "(HMAC_SHA384)\n");
+		break;
+	case DST_ALG_HMACSHA512:
+		fprintf(fp, "(HMAC_SHA512)\n");
+		break;
+	default:
+		fprintf(fp, "(?)\n");
+		break;
+	}
+
+	for (i = 0; i < priv->nelements; i++) {
+		const char *s;
+
+		s = find_tag(priv->elements[i].tag);
+
+		r.base = priv->elements[i].data;
+		r.length = priv->elements[i].length;
+		isc_buffer_init(&b, buffer, sizeof(buffer));
+		result = isc_base64_totext(&r, sizeof(buffer), "", &b);
+		if (result != ISC_R_SUCCESS) {
+			fclose(fp);
+			return (DST_R_INVALIDPRIVATEKEY);
+		}
+		isc_buffer_usedregion(&b, &r);
+
+		fprintf(fp, "%s %.*s\n", s, (int)r.length, r.base);
+	}
+
+	if (key->external) {
+		fprintf(fp, "External:\n");
+	}
+
+	/* Add the metadata tags */
+	if (major > 1 || (major == 1 && minor >= 3)) {
+		for (i = 0; i < NUMERIC_NTAGS; i++) {
+			result = dst_key_getnum(key, i, &value);
+			if (result != ISC_R_SUCCESS) {
+				continue;
+			}
+			if (numerictags[i] != NULL) {
+				fprintf(fp, "%s %u\n", numerictags[i], value);
+			}
+		}
+		for (i = 0; i < TIMING_NTAGS; i++) {
+			result = dst_key_gettime(key, i, &when);
+			if (result != ISC_R_SUCCESS) {
+				continue;
+			}
+
+			isc_buffer_init(&b, buffer, sizeof(buffer));
+			result = dns_time32_totext(when, &b);
+			if (result != ISC_R_SUCCESS) {
+				fclose(fp);
+				return (DST_R_INVALIDPRIVATEKEY);
+			}
+
+			isc_buffer_usedregion(&b, &r);
+
+			if (timetags[i] != NULL) {
+				fprintf(fp, "%s %.*s\n", timetags[i],
+					(int)r.length, r.base);
+			}
+		}
+	}
+
+	fflush(fp);
+	result = ferror(fp) ? DST_R_WRITEERROR : ISC_R_SUCCESS;
+	fclose(fp);
+	return (result);
+}
+
+/*! \file */
diff --git a/lib/dns/dst_parse.h b/lib/dns/dst_parse.h
new file mode 100644
index 0000000..347a729
--- /dev/null
+++ b/lib/dns/dst_parse.h
@@ -0,0 +1,134 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) Network Associates, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*! \file */
+#ifndef DST_DST_PARSE_H
+#define DST_DST_PARSE_H 1
+
+#include <isc/lang.h>
+
+#include <dst/dst.h>
+
+#define MAXFIELDSIZE 512
+
+/*
+ * Maximum number of fields in a private file is 18 (12 algorithm-
+ * specific fields for RSA, plus 6 generic fields).
+ */
+#define MAXFIELDS 12 + 6
+
+#define TAG_SHIFT     4
+#define TAG_ALG(tag)  ((unsigned int)(tag) >> TAG_SHIFT)
+#define TAG(alg, off) (((alg) << TAG_SHIFT) + (off))
+
+/* These are used by RSA-SHA1, RSASHA256 and RSASHA512 */
+#define RSA_NTAGS		11
+#define TAG_RSA_MODULUS		((DST_ALG_RSA << TAG_SHIFT) + 0)
+#define TAG_RSA_PUBLICEXPONENT	((DST_ALG_RSA << TAG_SHIFT) + 1)
+#define TAG_RSA_PRIVATEEXPONENT ((DST_ALG_RSA << TAG_SHIFT) + 2)
+#define TAG_RSA_PRIME1		((DST_ALG_RSA << TAG_SHIFT) + 3)
+#define TAG_RSA_PRIME2		((DST_ALG_RSA << TAG_SHIFT) + 4)
+#define TAG_RSA_EXPONENT1	((DST_ALG_RSA << TAG_SHIFT) + 5)
+#define TAG_RSA_EXPONENT2	((DST_ALG_RSA << TAG_SHIFT) + 6)
+#define TAG_RSA_COEFFICIENT	((DST_ALG_RSA << TAG_SHIFT) + 7)
+#define TAG_RSA_ENGINE		((DST_ALG_RSA << TAG_SHIFT) + 8)
+#define TAG_RSA_LABEL		((DST_ALG_RSA << TAG_SHIFT) + 9)
+
+#define DH_NTAGS	 4
+#define TAG_DH_PRIME	 ((DST_ALG_DH << TAG_SHIFT) + 0)
+#define TAG_DH_GENERATOR ((DST_ALG_DH << TAG_SHIFT) + 1)
+#define TAG_DH_PRIVATE	 ((DST_ALG_DH << TAG_SHIFT) + 2)
+#define TAG_DH_PUBLIC	 ((DST_ALG_DH << TAG_SHIFT) + 3)
+
+#define ECDSA_NTAGS	     4
+#define TAG_ECDSA_PRIVATEKEY ((DST_ALG_ECDSA256 << TAG_SHIFT) + 0)
+#define TAG_ECDSA_ENGINE     ((DST_ALG_ECDSA256 << TAG_SHIFT) + 1)
+#define TAG_ECDSA_LABEL	     ((DST_ALG_ECDSA256 << TAG_SHIFT) + 2)
+
+#define EDDSA_NTAGS	     4
+#define TAG_EDDSA_PRIVATEKEY ((DST_ALG_ED25519 << TAG_SHIFT) + 0)
+#define TAG_EDDSA_ENGINE     ((DST_ALG_ED25519 << TAG_SHIFT) + 1)
+#define TAG_EDDSA_LABEL	     ((DST_ALG_ED25519 << TAG_SHIFT) + 2)
+
+#define OLD_HMACMD5_NTAGS 1
+#define HMACMD5_NTAGS	  2
+#define TAG_HMACMD5_KEY	  ((DST_ALG_HMACMD5 << TAG_SHIFT) + 0)
+#define TAG_HMACMD5_BITS  ((DST_ALG_HMACMD5 << TAG_SHIFT) + 1)
+
+#define HMACSHA1_NTAGS	  2
+#define TAG_HMACSHA1_KEY  ((DST_ALG_HMACSHA1 << TAG_SHIFT) + 0)
+#define TAG_HMACSHA1_BITS ((DST_ALG_HMACSHA1 << TAG_SHIFT) + 1)
+
+#define HMACSHA224_NTAGS    2
+#define TAG_HMACSHA224_KEY  ((DST_ALG_HMACSHA224 << TAG_SHIFT) + 0)
+#define TAG_HMACSHA224_BITS ((DST_ALG_HMACSHA224 << TAG_SHIFT) + 1)
+
+#define HMACSHA256_NTAGS    2
+#define TAG_HMACSHA256_KEY  ((DST_ALG_HMACSHA256 << TAG_SHIFT) + 0)
+#define TAG_HMACSHA256_BITS ((DST_ALG_HMACSHA256 << TAG_SHIFT) + 1)
+
+#define HMACSHA384_NTAGS    2
+#define TAG_HMACSHA384_KEY  ((DST_ALG_HMACSHA384 << TAG_SHIFT) + 0)
+#define TAG_HMACSHA384_BITS ((DST_ALG_HMACSHA384 << TAG_SHIFT) + 1)
+
+#define HMACSHA512_NTAGS    2
+#define TAG_HMACSHA512_KEY  ((DST_ALG_HMACSHA512 << TAG_SHIFT) + 0)
+#define TAG_HMACSHA512_BITS ((DST_ALG_HMACSHA512 << TAG_SHIFT) + 1)
+
+struct dst_private_element {
+	unsigned short tag;
+	unsigned short length;
+	unsigned char *data;
+};
+
+typedef struct dst_private_element dst_private_element_t;
+
+struct dst_private {
+	unsigned short nelements;
+	dst_private_element_t elements[MAXFIELDS];
+};
+
+typedef struct dst_private dst_private_t;
+
+ISC_LANG_BEGINDECLS
+
+void
+dst__privstruct_free(dst_private_t *priv, isc_mem_t *mctx);
+
+isc_result_t
+dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
+		      isc_mem_t *mctx, dst_private_t *priv);
+
+isc_result_t
+dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
+			  const char *directory);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DST_DST_PARSE_H */
diff --git a/lib/dns/dst_pkcs11.h b/lib/dns/dst_pkcs11.h
new file mode 100644
index 0000000..4589022
--- /dev/null
+++ b/lib/dns/dst_pkcs11.h
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DST_PKCS11_H
+#define DST_PKCS11_H 1
+
+#include <isc/lang.h>
+#include <isc/log.h>
+#include <isc/result.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dst__pkcs11_toresult(const char *funcname, const char *file, int line,
+		     isc_result_t fallback, CK_RV rv);
+
+#define PK11_CALL(func, args, fallback)                                 \
+	((void)(((rv = (func)args) == CKR_OK) ||                        \
+		((ret = dst__pkcs11_toresult(#func, __FILE__, __LINE__, \
+					     fallback, rv)),            \
+		 0)))
+
+#define PK11_RET(func, args, fallback)                                  \
+	((void)(((rv = (func)args) == CKR_OK) ||                        \
+		((ret = dst__pkcs11_toresult(#func, __FILE__, __LINE__, \
+					     fallback, rv)),            \
+		 0)));                                                  \
+	if (rv != CKR_OK)                                               \
+		goto err;
+
+ISC_LANG_ENDDECLS
+
+#endif /* DST_PKCS11_H */
diff --git a/lib/dns/dst_result.c b/lib/dns/dst_result.c
new file mode 100644
index 0000000..6c3acae
--- /dev/null
+++ b/lib/dns/dst_result.c
@@ -0,0 +1,110 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <isc/once.h>
+#include <isc/util.h>
+
+#include <dst/result.h>
+
+static const char *text[DST_R_NRESULTS] = {
+	"algorithm is unsupported",		 /*%< 0 */
+	"crypto failure",			 /*%< 1 */
+	"built with no crypto support",		 /*%< 2 */
+	"illegal operation for a null key",	 /*%< 3 */
+	"public key is invalid",		 /*%< 4 */
+	"private key is invalid",		 /*%< 5 */
+	"external key",				 /*%< 6 */
+	"error occurred writing key to disk",	 /*%< 7 */
+	"invalid algorithm specific parameter",	 /*%< 8 */
+	"UNUSED9",				 /*%< 9 */
+	"UNUSED10",				 /*%< 10 */
+	"sign failure",				 /*%< 11 */
+	"UNUSED12",				 /*%< 12 */
+	"UNUSED13",				 /*%< 13 */
+	"verify failure",			 /*%< 14 */
+	"not a public key",			 /*%< 15 */
+	"not a private key",			 /*%< 16 */
+	"not a key that can compute a secret",	 /*%< 17 */
+	"failure computing a shared secret",	 /*%< 18 */
+	"no randomness available",		 /*%< 19 */
+	"bad key type",				 /*%< 20 */
+	"no engine",				 /*%< 21 */
+	"illegal operation for an external key", /*%< 22 */
+};
+
+static const char *ids[DST_R_NRESULTS] = {
+	"DST_R_UNSUPPORTEDALG",
+	"DST_R_CRYPTOFAILURE",
+	"DST_R_NOCRYPTO",
+	"DST_R_NULLKEY",
+	"DST_R_INVALIDPUBLICKEY",
+	"DST_R_INVALIDPRIVATEKEY",
+	"UNUSED",
+	"DST_R_WRITEERROR",
+	"DST_R_INVALIDPARAM",
+	"UNUSED",
+	"UNUSED",
+	"DST_R_SIGNFAILURE",
+	"UNUSED",
+	"UNUSED",
+	"DST_R_VERIFYFAILURE",
+	"DST_R_NOTPUBLICKEY",
+	"DST_R_NOTPRIVATEKEY",
+	"DST_R_KEYCANNOTCOMPUTESECRET",
+	"DST_R_COMPUTESECRETFAILURE",
+	"DST_R_NORANDOMNESS",
+	"DST_R_BADKEYTYPE",
+	"DST_R_NOENGINE",
+	"DST_R_EXTERNALKEY",
+};
+
+#define DST_RESULT_RESULTSET 2
+
+static isc_once_t once = ISC_ONCE_INIT;
+
+static void
+initialize_action(void) {
+	isc_result_t result;
+
+	result = isc_result_register(ISC_RESULTCLASS_DST, DST_R_NRESULTS, text,
+				     DST_RESULT_RESULTSET);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_result_register() failed: %u", result);
+	}
+	result = isc_result_registerids(ISC_RESULTCLASS_DST, DST_R_NRESULTS,
+					ids, DST_RESULT_RESULTSET);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_result_registerids() failed: %u", result);
+	}
+}
+
+static void
+initialize(void) {
+	RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
+}
+
+const char *
+dst_result_totext(isc_result_t result) {
+	initialize();
+
+	return (isc_result_totext(result));
+}
+
+void
+dst_result_register(void) {
+	initialize();
+}
+
+/*! \file */
diff --git a/lib/dns/dyndb.c b/lib/dns/dyndb.c
new file mode 100644
index 0000000..1caf90b
--- /dev/null
+++ b/lib/dns/dyndb.c
@@ -0,0 +1,465 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_DLFCN_H
+#include <dlfcn.h>
+#elif _WIN32
+#include <windows.h>
+#endif /* if HAVE_DLFCN_H */
+
+#include <string.h>
+
+#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/mutex.h>
+#include <isc/once.h>
+#include <isc/region.h>
+#include <isc/result.h>
+#include <isc/task.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <dns/dyndb.h>
+#include <dns/log.h>
+#include <dns/types.h>
+#include <dns/view.h>
+#include <dns/zone.h>
+
+#define CHECK(op)                            \
+	do {                                 \
+		result = (op);               \
+		if (result != ISC_R_SUCCESS) \
+			goto cleanup;        \
+	} while (0)
+
+typedef struct dyndb_implementation dyndb_implementation_t;
+struct dyndb_implementation {
+	isc_mem_t *mctx;
+	void *handle;
+	dns_dyndb_register_t *register_func;
+	dns_dyndb_destroy_t *destroy_func;
+	char *name;
+	void *inst;
+	LINK(dyndb_implementation_t) link;
+};
+
+/*
+ * List of dyndb implementations. Locked by dyndb_lock.
+ *
+ * These are stored here so they can be cleaned up on shutdown.
+ * (The order in which they are stored is not important.)
+ */
+static LIST(dyndb_implementation_t) dyndb_implementations;
+
+/* Locks dyndb_implementations. */
+static isc_mutex_t dyndb_lock;
+static isc_once_t once = ISC_ONCE_INIT;
+
+static void
+dyndb_initialize(void) {
+	isc_mutex_init(&dyndb_lock);
+	INIT_LIST(dyndb_implementations);
+}
+
+static dyndb_implementation_t *
+impfind(const char *name) {
+	dyndb_implementation_t *imp;
+
+	for (imp = ISC_LIST_HEAD(dyndb_implementations); imp != NULL;
+	     imp = ISC_LIST_NEXT(imp, link))
+	{
+		if (strcasecmp(name, imp->name) == 0) {
+			return (imp);
+		}
+	}
+	return (NULL);
+}
+
+#if HAVE_DLFCN_H && HAVE_DLOPEN
+static isc_result_t
+load_symbol(void *handle, const char *filename, const char *symbol_name,
+	    void **symbolp) {
+	const char *errmsg;
+	void *symbol;
+
+	REQUIRE(handle != NULL);
+	REQUIRE(symbolp != NULL && *symbolp == NULL);
+
+	symbol = dlsym(handle, symbol_name);
+	if (symbol == NULL) {
+		errmsg = dlerror();
+		if (errmsg == NULL) {
+			errmsg = "returned function pointer is NULL";
+		}
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DYNDB, ISC_LOG_ERROR,
+			      "failed to lookup symbol %s in "
+			      "dyndb module '%s': %s",
+			      symbol_name, filename, errmsg);
+		return (ISC_R_FAILURE);
+	}
+	dlerror();
+
+	*symbolp = symbol;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+load_library(isc_mem_t *mctx, const char *filename, const char *instname,
+	     dyndb_implementation_t **impp) {
+	isc_result_t result;
+	void *handle = NULL;
+	dyndb_implementation_t *imp = NULL;
+	dns_dyndb_register_t *register_func = NULL;
+	dns_dyndb_destroy_t *destroy_func = NULL;
+	dns_dyndb_version_t *version_func = NULL;
+	int version;
+
+	REQUIRE(impp != NULL && *impp == NULL);
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DYNDB,
+		      ISC_LOG_INFO, "loading DynDB instance '%s' driver '%s'",
+		      instname, filename);
+
+	handle = dlopen(filename, RTLD_NOW | RTLD_LOCAL);
+	if (handle == NULL) {
+		CHECK(ISC_R_FAILURE);
+	}
+
+	/* Clear dlerror */
+	dlerror();
+
+	CHECK(load_symbol(handle, filename, "dyndb_version",
+			  (void **)&version_func));
+
+	version = version_func(NULL);
+	if (version < (DNS_DYNDB_VERSION - DNS_DYNDB_AGE) ||
+	    version > DNS_DYNDB_VERSION)
+	{
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DYNDB, ISC_LOG_ERROR,
+			      "driver API version mismatch: %d/%d", version,
+			      DNS_DYNDB_VERSION);
+		CHECK(ISC_R_FAILURE);
+	}
+
+	CHECK(load_symbol(handle, filename, "dyndb_init",
+			  (void **)&register_func));
+	CHECK(load_symbol(handle, filename, "dyndb_destroy",
+			  (void **)&destroy_func));
+
+	imp = isc_mem_get(mctx, sizeof(dyndb_implementation_t));
+
+	imp->mctx = NULL;
+	isc_mem_attach(mctx, &imp->mctx);
+	imp->handle = handle;
+	imp->register_func = register_func;
+	imp->destroy_func = destroy_func;
+	imp->name = isc_mem_strdup(mctx, instname);
+
+	imp->inst = NULL;
+	INIT_LINK(imp, link);
+
+	*impp = imp;
+	imp = NULL;
+
+cleanup:
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DYNDB, ISC_LOG_ERROR,
+			      "failed to dynamically load instance '%s' "
+			      "driver '%s': %s (%s)",
+			      instname, filename, dlerror(),
+			      isc_result_totext(result));
+	}
+	if (imp != NULL) {
+		isc_mem_putanddetach(&imp->mctx, imp,
+				     sizeof(dyndb_implementation_t));
+	}
+	if (result != ISC_R_SUCCESS && handle != NULL) {
+		dlclose(handle);
+	}
+
+	return (result);
+}
+
+static void
+unload_library(dyndb_implementation_t **impp) {
+	dyndb_implementation_t *imp;
+
+	REQUIRE(impp != NULL && *impp != NULL);
+
+	imp = *impp;
+	*impp = NULL;
+
+	isc_mem_free(imp->mctx, imp->name);
+	isc_mem_putanddetach(&imp->mctx, imp, sizeof(dyndb_implementation_t));
+}
+#elif _WIN32
+static isc_result_t
+load_symbol(HMODULE handle, const char *filename, const char *symbol_name,
+	    void **symbolp) {
+	void *symbol;
+
+	REQUIRE(handle != NULL);
+	REQUIRE(symbolp != NULL && *symbolp == NULL);
+
+	symbol = GetProcAddress(handle, symbol_name);
+	if (symbol == NULL) {
+		int errstatus = GetLastError();
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DYNDB, ISC_LOG_ERROR,
+			      "failed to lookup symbol %s in "
+			      "dyndb module '%s': %d",
+			      symbol_name, filename, errstatus);
+		return (ISC_R_FAILURE);
+	}
+
+	*symbolp = symbol;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+load_library(isc_mem_t *mctx, const char *filename, const char *instname,
+	     dyndb_implementation_t **impp) {
+	isc_result_t result;
+	HMODULE handle;
+	dyndb_implementation_t *imp = NULL;
+	dns_dyndb_register_t *register_func = NULL;
+	dns_dyndb_destroy_t *destroy_func = NULL;
+	dns_dyndb_version_t *version_func = NULL;
+	int version;
+
+	REQUIRE(impp != NULL && *impp == NULL);
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DYNDB,
+		      ISC_LOG_INFO, "loading DynDB instance '%s' driver '%s'",
+		      instname, filename);
+
+	handle = LoadLibraryA(filename);
+	if (handle == NULL) {
+		CHECK(ISC_R_FAILURE);
+	}
+
+	CHECK(load_symbol(handle, filename, "dyndb_version",
+			  (void **)&version_func));
+
+	version = version_func(NULL);
+	if (version < (DNS_DYNDB_VERSION - DNS_DYNDB_AGE) ||
+	    version > DNS_DYNDB_VERSION)
+	{
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DYNDB, ISC_LOG_ERROR,
+			      "driver API version mismatch: %d/%d", version,
+			      DNS_DYNDB_VERSION);
+		CHECK(ISC_R_FAILURE);
+	}
+
+	CHECK(load_symbol(handle, filename, "dyndb_init",
+			  (void **)&register_func));
+	CHECK(load_symbol(handle, filename, "dyndb_destroy",
+			  (void **)&destroy_func));
+
+	imp = isc_mem_get(mctx, sizeof(dyndb_implementation_t));
+
+	imp->mctx = NULL;
+	isc_mem_attach(mctx, &imp->mctx);
+	imp->handle = handle;
+	imp->register_func = register_func;
+	imp->destroy_func = destroy_func;
+	imp->name = isc_mem_strdup(mctx, instname);
+
+	imp->inst = NULL;
+	INIT_LINK(imp, link);
+
+	*impp = imp;
+	imp = NULL;
+
+cleanup:
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DYNDB, ISC_LOG_ERROR,
+			      "failed to dynamically load instance '%s' "
+			      "driver '%s': %d (%s)",
+			      instname, filename, GetLastError(),
+			      isc_result_totext(result));
+	}
+	if (imp != NULL) {
+		isc_mem_putanddetach(&imp->mctx, imp,
+				     sizeof(dyndb_implementation_t));
+	}
+	if (result != ISC_R_SUCCESS && handle != NULL) {
+		FreeLibrary(handle);
+	}
+
+	return (result);
+}
+
+static void
+unload_library(dyndb_implementation_t **impp) {
+	dyndb_implementation_t *imp;
+
+	REQUIRE(impp != NULL && *impp != NULL);
+
+	imp = *impp;
+	*impp = NULL;
+
+	isc_mem_free(imp->mctx, imp->name);
+	isc_mem_putanddetach(&imp->mctx, imp, sizeof(dyndb_implementation_t));
+}
+#else  /* HAVE_DLFCN_H || _WIN32 */
+static isc_result_t
+load_library(isc_mem_t *mctx, const char *filename, const char *instname,
+	     dyndb_implementation_t **impp) {
+	UNUSED(mctx);
+	UNUSED(filename);
+	UNUSED(instname);
+	UNUSED(impp);
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DYNDB,
+		      ISC_LOG_ERROR,
+		      "dynamic database support is not implemented");
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static void
+unload_library(dyndb_implementation_t **impp) {
+	UNUSED(impp);
+}
+#endif /* HAVE_DLFCN_H */
+
+isc_result_t
+dns_dyndb_load(const char *libname, const char *name, const char *parameters,
+	       const char *file, unsigned long line, isc_mem_t *mctx,
+	       const dns_dyndbctx_t *dctx) {
+	isc_result_t result;
+	dyndb_implementation_t *implementation = NULL;
+
+	REQUIRE(DNS_DYNDBCTX_VALID(dctx));
+	REQUIRE(name != NULL);
+
+	RUNTIME_CHECK(isc_once_do(&once, dyndb_initialize) == ISC_R_SUCCESS);
+
+	LOCK(&dyndb_lock);
+
+	/* duplicate instance names are not allowed */
+	if (impfind(name) != NULL) {
+		CHECK(ISC_R_EXISTS);
+	}
+
+	CHECK(load_library(mctx, libname, name, &implementation));
+	CHECK(implementation->register_func(mctx, name, parameters, file, line,
+					    dctx, &implementation->inst));
+
+	APPEND(dyndb_implementations, implementation, link);
+	result = ISC_R_SUCCESS;
+
+cleanup:
+	if (result != ISC_R_SUCCESS) {
+		if (implementation != NULL) {
+			unload_library(&implementation);
+		}
+	}
+
+	UNLOCK(&dyndb_lock);
+	return (result);
+}
+
+void
+dns_dyndb_cleanup(bool exiting) {
+	dyndb_implementation_t *elem;
+	dyndb_implementation_t *prev;
+
+	RUNTIME_CHECK(isc_once_do(&once, dyndb_initialize) == ISC_R_SUCCESS);
+
+	LOCK(&dyndb_lock);
+	elem = TAIL(dyndb_implementations);
+	while (elem != NULL) {
+		prev = PREV(elem, link);
+		UNLINK(dyndb_implementations, elem, link);
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DYNDB, ISC_LOG_INFO,
+			      "unloading DynDB instance '%s'", elem->name);
+		elem->destroy_func(&elem->inst);
+		ENSURE(elem->inst == NULL);
+		unload_library(&elem);
+		elem = prev;
+	}
+	UNLOCK(&dyndb_lock);
+
+	if (exiting) {
+		isc_mutex_destroy(&dyndb_lock);
+	}
+}
+
+isc_result_t
+dns_dyndb_createctx(isc_mem_t *mctx, const void *hashinit, isc_log_t *lctx,
+		    dns_view_t *view, dns_zonemgr_t *zmgr, isc_task_t *task,
+		    isc_timermgr_t *tmgr, dns_dyndbctx_t **dctxp) {
+	dns_dyndbctx_t *dctx;
+
+	REQUIRE(dctxp != NULL && *dctxp == NULL);
+
+	dctx = isc_mem_get(mctx, sizeof(*dctx));
+
+	memset(dctx, 0, sizeof(*dctx));
+	if (view != NULL) {
+		dns_view_attach(view, &dctx->view);
+	}
+	if (zmgr != NULL) {
+		dns_zonemgr_attach(zmgr, &dctx->zmgr);
+	}
+	if (task != NULL) {
+		isc_task_attach(task, &dctx->task);
+	}
+	dctx->timermgr = tmgr;
+	dctx->hashinit = hashinit;
+	dctx->lctx = lctx;
+	dctx->memdebug = &isc_mem_debugging;
+
+	isc_mem_attach(mctx, &dctx->mctx);
+	dctx->magic = DNS_DYNDBCTX_MAGIC;
+
+	*dctxp = dctx;
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_dyndb_destroyctx(dns_dyndbctx_t **dctxp) {
+	dns_dyndbctx_t *dctx;
+
+	REQUIRE(dctxp != NULL && DNS_DYNDBCTX_VALID(*dctxp));
+
+	dctx = *dctxp;
+	*dctxp = NULL;
+
+	dctx->magic = 0;
+
+	if (dctx->view != NULL) {
+		dns_view_detach(&dctx->view);
+	}
+	if (dctx->zmgr != NULL) {
+		dns_zonemgr_detach(&dctx->zmgr);
+	}
+	if (dctx->task != NULL) {
+		isc_task_detach(&dctx->task);
+	}
+	dctx->timermgr = NULL;
+	dctx->lctx = NULL;
+
+	isc_mem_putanddetach(&dctx->mctx, dctx, sizeof(*dctx));
+}
diff --git a/lib/dns/ecdb.c b/lib/dns/ecdb.c
new file mode 100644
index 0000000..abbb8d9
--- /dev/null
+++ b/lib/dns/ecdb.c
@@ -0,0 +1,797 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stdbool.h>
+
+#include <isc/mem.h>
+#include <isc/mutex.h>
+#include <isc/refcount.h>
+#include <isc/result.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/ecdb.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdataslab.h>
+
+#define ECDB_MAGIC     ISC_MAGIC('E', 'C', 'D', 'B')
+#define VALID_ECDB(db) ((db) != NULL && (db)->common.impmagic == ECDB_MAGIC)
+
+#define ECDBNODE_MAGIC	      ISC_MAGIC('E', 'C', 'D', 'N')
+#define VALID_ECDBNODE(ecdbn) ISC_MAGIC_VALID(ecdbn, ECDBNODE_MAGIC)
+
+/*%
+ * The 'ephemeral' cache DB (ecdb) implementation.  An ecdb just provides
+ * temporary storage for ongoing name resolution with the common DB interfaces.
+ * It actually doesn't cache anything.  The implementation expects any stored
+ * data is released within a short period, and does not care about the
+ * scalability in terms of the number of nodes.
+ */
+
+typedef struct dns_ecdb {
+	/* Unlocked */
+	dns_db_t common;
+	isc_mutex_t lock;
+
+	/* Protected by atomics */
+	isc_refcount_t references;
+
+	/* Locked */
+	ISC_LIST(struct dns_ecdbnode) nodes;
+} dns_ecdb_t;
+
+typedef struct dns_ecdbnode {
+	/* Unlocked */
+	unsigned int magic;
+	isc_mutex_t lock;
+	dns_ecdb_t *ecdb;
+	dns_name_t name;
+	ISC_LINK(struct dns_ecdbnode) link;
+
+	/* Locked */
+	ISC_LIST(struct rdatasetheader) rdatasets;
+
+	/* Protected by atomics */
+	isc_refcount_t references;
+} dns_ecdbnode_t;
+
+typedef struct rdatasetheader {
+	dns_rdatatype_t type;
+	dns_ttl_t ttl;
+	dns_trust_t trust;
+	dns_rdatatype_t covers;
+	unsigned int attributes;
+
+	ISC_LINK(struct rdatasetheader) link;
+} rdatasetheader_t;
+
+/* Copied from rbtdb.c */
+#define RDATASET_ATTR_NXDOMAIN 0x0010
+#define RDATASET_ATTR_NEGATIVE 0x0100
+#define NXDOMAIN(header)       (((header)->attributes & RDATASET_ATTR_NXDOMAIN) != 0)
+#define NEGATIVE(header)       (((header)->attributes & RDATASET_ATTR_NEGATIVE) != 0)
+
+static isc_result_t
+dns_ecdb_create(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type,
+		dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
+		void *driverarg, dns_db_t **dbp);
+
+static void
+rdataset_disassociate(dns_rdataset_t *rdataset);
+static isc_result_t
+rdataset_first(dns_rdataset_t *rdataset);
+static isc_result_t
+rdataset_next(dns_rdataset_t *rdataset);
+static void
+rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata);
+static void
+rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target);
+static unsigned int
+rdataset_count(dns_rdataset_t *rdataset);
+static void
+rdataset_settrust(dns_rdataset_t *rdataset, dns_trust_t trust);
+
+static dns_rdatasetmethods_t rdataset_methods = {
+	rdataset_disassociate,
+	rdataset_first,
+	rdataset_next,
+	rdataset_current,
+	rdataset_clone,
+	rdataset_count,
+	NULL,		   /* addnoqname */
+	NULL,		   /* getnoqname */
+	NULL,		   /* addclosest */
+	NULL,		   /* getclosest */
+	rdataset_settrust, /* settrust */
+	NULL,		   /* expire */
+	NULL,		   /* clearprefetch */
+	NULL,		   /* setownercase */
+	NULL,		   /* getownercase */
+	NULL		   /* addglue */
+};
+
+typedef struct ecdb_rdatasetiter {
+	dns_rdatasetiter_t common;
+	rdatasetheader_t *current;
+} ecdb_rdatasetiter_t;
+
+static void
+rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp);
+static isc_result_t
+rdatasetiter_first(dns_rdatasetiter_t *iterator);
+static isc_result_t
+rdatasetiter_next(dns_rdatasetiter_t *iterator);
+static void
+rdatasetiter_current(dns_rdatasetiter_t *iterator, dns_rdataset_t *rdataset);
+
+static dns_rdatasetitermethods_t rdatasetiter_methods = {
+	rdatasetiter_destroy, rdatasetiter_first, rdatasetiter_next,
+	rdatasetiter_current
+};
+
+isc_result_t
+dns_ecdb_register(isc_mem_t *mctx, dns_dbimplementation_t **dbimp) {
+	REQUIRE(mctx != NULL);
+	REQUIRE(dbimp != NULL && *dbimp == NULL);
+
+	return (dns_db_register("ecdb", dns_ecdb_create, NULL, mctx, dbimp));
+}
+
+void
+dns_ecdb_unregister(dns_dbimplementation_t **dbimp) {
+	REQUIRE(dbimp != NULL && *dbimp != NULL);
+
+	dns_db_unregister(dbimp);
+}
+
+/*%
+ * DB routines
+ */
+
+static void
+attach(dns_db_t *source, dns_db_t **targetp) {
+	dns_ecdb_t *ecdb = (dns_ecdb_t *)source;
+
+	REQUIRE(VALID_ECDB(ecdb));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	isc_refcount_increment(&ecdb->references);
+
+	*targetp = source;
+}
+
+static void
+destroy_ecdb(dns_ecdb_t *ecdb) {
+	if (isc_refcount_decrement(&ecdb->references) == 1) {
+		isc_refcount_destroy(&ecdb->references);
+
+		INSIST(ISC_LIST_EMPTY(ecdb->nodes));
+
+		if (dns_name_dynamic(&ecdb->common.origin)) {
+			dns_name_free(&ecdb->common.origin, ecdb->common.mctx);
+		}
+
+		isc_mutex_destroy(&ecdb->lock);
+
+		ecdb->common.impmagic = 0;
+		ecdb->common.magic = 0;
+
+		isc_mem_putanddetach(&ecdb->common.mctx, ecdb, sizeof(*ecdb));
+	}
+}
+
+static void
+detach(dns_db_t **dbp) {
+	dns_ecdb_t *ecdb;
+
+	REQUIRE(dbp != NULL);
+	ecdb = (dns_ecdb_t *)*dbp;
+	REQUIRE(VALID_ECDB(ecdb));
+
+	*dbp = NULL;
+
+	destroy_ecdb(ecdb);
+}
+
+static void
+attachnode(dns_db_t *db, dns_dbnode_t *source, dns_dbnode_t **targetp) {
+	dns_ecdb_t *ecdb = (dns_ecdb_t *)db;
+	dns_ecdbnode_t *node = (dns_ecdbnode_t *)source;
+
+	REQUIRE(VALID_ECDB(ecdb));
+	REQUIRE(VALID_ECDBNODE(node));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	isc_refcount_increment(&node->references);
+	isc_refcount_increment(&node->references);
+
+	*targetp = node;
+}
+
+static void
+destroynode(dns_ecdbnode_t *node) {
+	isc_mem_t *mctx;
+	dns_ecdb_t *ecdb = node->ecdb;
+	rdatasetheader_t *header;
+
+	mctx = ecdb->common.mctx;
+
+	LOCK(&ecdb->lock);
+	ISC_LIST_UNLINK(ecdb->nodes, node, link);
+	UNLOCK(&ecdb->lock);
+
+	dns_name_free(&node->name, mctx);
+
+	while ((header = ISC_LIST_HEAD(node->rdatasets)) != NULL) {
+		unsigned int headersize;
+
+		ISC_LIST_UNLINK(node->rdatasets, header, link);
+		headersize = dns_rdataslab_size((unsigned char *)header,
+						sizeof(*header));
+		isc_mem_put(mctx, header, headersize);
+	}
+
+	isc_mutex_destroy(&node->lock);
+	isc_refcount_destroy(&node->references);
+
+	node->magic = 0;
+	isc_mem_put(mctx, node, sizeof(*node));
+
+	destroy_ecdb(ecdb);
+}
+
+static void
+detachnode(dns_db_t *db, dns_dbnode_t **nodep) {
+	dns_ecdb_t *ecdb = (dns_ecdb_t *)db;
+	dns_ecdbnode_t *node;
+
+	REQUIRE(VALID_ECDB(ecdb));
+	REQUIRE(nodep != NULL);
+	node = (dns_ecdbnode_t *)*nodep;
+	REQUIRE(VALID_ECDBNODE(node));
+	*nodep = NULL;
+
+	if (isc_refcount_decrement(&node->references) == 1) {
+		destroynode(node);
+	}
+}
+
+static isc_result_t
+find(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version,
+     dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
+     dns_dbnode_t **nodep, dns_name_t *foundname, dns_rdataset_t *rdataset,
+     dns_rdataset_t *sigrdataset) {
+	dns_ecdb_t *ecdb = (dns_ecdb_t *)db;
+
+	REQUIRE(VALID_ECDB(ecdb));
+
+	UNUSED(name);
+	UNUSED(version);
+	UNUSED(type);
+	UNUSED(options);
+	UNUSED(now);
+	UNUSED(nodep);
+	UNUSED(foundname);
+	UNUSED(rdataset);
+	UNUSED(sigrdataset);
+
+	return (ISC_R_NOTFOUND);
+}
+
+static isc_result_t
+findzonecut(dns_db_t *db, const dns_name_t *name, unsigned int options,
+	    isc_stdtime_t now, dns_dbnode_t **nodep, dns_name_t *foundname,
+	    dns_name_t *dcname, dns_rdataset_t *rdataset,
+	    dns_rdataset_t *sigrdataset) {
+	dns_ecdb_t *ecdb = (dns_ecdb_t *)db;
+
+	REQUIRE(VALID_ECDB(ecdb));
+
+	UNUSED(name);
+	UNUSED(options);
+	UNUSED(now);
+	UNUSED(nodep);
+	UNUSED(foundname);
+	UNUSED(dcname);
+	UNUSED(rdataset);
+	UNUSED(sigrdataset);
+
+	return (ISC_R_NOTFOUND);
+}
+
+static isc_result_t
+findnode(dns_db_t *db, const dns_name_t *name, bool create,
+	 dns_dbnode_t **nodep) {
+	dns_ecdb_t *ecdb = (dns_ecdb_t *)db;
+	isc_mem_t *mctx;
+	dns_ecdbnode_t *node;
+
+	REQUIRE(VALID_ECDB(ecdb));
+	REQUIRE(nodep != NULL && *nodep == NULL);
+
+	UNUSED(name);
+
+	if (create != true) {
+		/* an 'ephemeral' node is never reused. */
+		return (ISC_R_NOTFOUND);
+	}
+
+	mctx = ecdb->common.mctx;
+	node = isc_mem_get(mctx, sizeof(*node));
+
+	isc_mutex_init(&node->lock);
+
+	dns_name_init(&node->name, NULL);
+	dns_name_dup(name, mctx, &node->name);
+
+	isc_refcount_init(&node->references, 1);
+	ISC_LIST_INIT(node->rdatasets);
+
+	ISC_LINK_INIT(node, link);
+
+	isc_refcount_increment(&ecdb->references);
+	node->ecdb = ecdb;
+
+	LOCK(&ecdb->lock);
+	ISC_LIST_APPEND(ecdb->nodes, node, link);
+	UNLOCK(&ecdb->lock);
+
+	node->magic = ECDBNODE_MAGIC;
+
+	*nodep = node;
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+bind_rdataset(dns_ecdb_t *ecdb, dns_ecdbnode_t *node, rdatasetheader_t *header,
+	      dns_rdataset_t *rdataset) {
+	unsigned char *raw;
+
+	/*
+	 * Caller must be holding the node lock.
+	 */
+
+	REQUIRE(!dns_rdataset_isassociated(rdataset));
+
+	rdataset->methods = &rdataset_methods;
+	rdataset->rdclass = ecdb->common.rdclass;
+	rdataset->type = header->type;
+	rdataset->covers = header->covers;
+	rdataset->ttl = header->ttl;
+	rdataset->trust = header->trust;
+	if (NXDOMAIN(header)) {
+		rdataset->attributes |= DNS_RDATASETATTR_NXDOMAIN;
+	}
+	if (NEGATIVE(header)) {
+		rdataset->attributes |= DNS_RDATASETATTR_NEGATIVE;
+	}
+
+	rdataset->private1 = ecdb;
+	rdataset->private2 = node;
+	raw = (unsigned char *)header + sizeof(*header);
+	rdataset->private3 = raw;
+	rdataset->count = 0;
+
+	/*
+	 * Reset iterator state.
+	 */
+	rdataset->privateuint4 = 0;
+	rdataset->private5 = NULL;
+
+	isc_refcount_increment(&node->references);
+}
+
+static isc_result_t
+addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+	    isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options,
+	    dns_rdataset_t *addedrdataset) {
+	dns_ecdb_t *ecdb = (dns_ecdb_t *)db;
+	isc_region_t r;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_mem_t *mctx;
+	dns_ecdbnode_t *ecdbnode = (dns_ecdbnode_t *)node;
+	rdatasetheader_t *header;
+
+	REQUIRE(VALID_ECDB(ecdb));
+	REQUIRE(VALID_ECDBNODE(ecdbnode));
+
+	UNUSED(version);
+	UNUSED(now);
+	UNUSED(options);
+
+	mctx = ecdb->common.mctx;
+
+	LOCK(&ecdbnode->lock);
+
+	/*
+	 * Sanity check: this implementation does not allow overriding an
+	 * existing rdataset of the same type.
+	 */
+	for (header = ISC_LIST_HEAD(ecdbnode->rdatasets); header != NULL;
+	     header = ISC_LIST_NEXT(header, link))
+	{
+		INSIST(header->type != rdataset->type ||
+		       header->covers != rdataset->covers);
+	}
+
+	result = dns_rdataslab_fromrdataset(rdataset, mctx, &r,
+					    sizeof(rdatasetheader_t));
+	if (result != ISC_R_SUCCESS) {
+		goto unlock;
+	}
+
+	header = (rdatasetheader_t *)r.base;
+	header->type = rdataset->type;
+	header->ttl = rdataset->ttl;
+	header->trust = rdataset->trust;
+	header->covers = rdataset->covers;
+	header->attributes = 0;
+	if ((rdataset->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0) {
+		header->attributes |= RDATASET_ATTR_NXDOMAIN;
+	}
+	if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) {
+		header->attributes |= RDATASET_ATTR_NEGATIVE;
+	}
+	ISC_LINK_INIT(header, link);
+	ISC_LIST_APPEND(ecdbnode->rdatasets, header, link);
+
+	if (addedrdataset == NULL) {
+		goto unlock;
+	}
+
+	bind_rdataset(ecdb, ecdbnode, header, addedrdataset);
+
+unlock:
+	UNLOCK(&ecdbnode->lock);
+
+	return (result);
+}
+
+static isc_result_t
+deleterdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+	       dns_rdatatype_t type, dns_rdatatype_t covers) {
+	UNUSED(db);
+	UNUSED(node);
+	UNUSED(version);
+	UNUSED(type);
+	UNUSED(covers);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static isc_result_t
+createiterator(dns_db_t *db, unsigned int options,
+	       dns_dbiterator_t **iteratorp) {
+	UNUSED(db);
+	UNUSED(options);
+	UNUSED(iteratorp);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static isc_result_t
+allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+	     unsigned int options, isc_stdtime_t now,
+	     dns_rdatasetiter_t **iteratorp) {
+	dns_ecdb_t *ecdb = (dns_ecdb_t *)db;
+	dns_ecdbnode_t *ecdbnode = (dns_ecdbnode_t *)node;
+	isc_mem_t *mctx;
+	ecdb_rdatasetiter_t *iterator;
+
+	REQUIRE(VALID_ECDB(ecdb));
+	REQUIRE(VALID_ECDBNODE(ecdbnode));
+
+	mctx = ecdb->common.mctx;
+
+	iterator = isc_mem_get(mctx, sizeof(ecdb_rdatasetiter_t));
+
+	iterator->common.magic = DNS_RDATASETITER_MAGIC;
+	iterator->common.methods = &rdatasetiter_methods;
+	iterator->common.db = db;
+	iterator->common.node = NULL;
+	attachnode(db, node, &iterator->common.node);
+	iterator->common.version = version;
+	iterator->common.options = options;
+	iterator->common.now = now;
+
+	*iteratorp = (dns_rdatasetiter_t *)iterator;
+
+	return (ISC_R_SUCCESS);
+}
+
+static dns_dbmethods_t ecdb_methods = {
+	attach,
+	detach,
+	NULL, /* beginload */
+	NULL, /* endload */
+	NULL, /* serialize */
+	NULL, /* dump */
+	NULL, /* currentversion */
+	NULL, /* newversion */
+	NULL, /* attachversion */
+	NULL, /* closeversion */
+	findnode,
+	find,
+	findzonecut,
+	attachnode,
+	detachnode,
+	NULL,		/* expirenode */
+	NULL,		/* printnode */
+	createiterator, /* createiterator */
+	NULL,		/* findrdataset */
+	allrdatasets,
+	addrdataset,
+	NULL, /* subtractrdataset */
+	deleterdataset,
+	NULL, /* issecure */
+	NULL, /* nodecount */
+	NULL, /* ispersistent */
+	NULL, /* overmem */
+	NULL, /* settask */
+	NULL, /* getoriginnode */
+	NULL, /* transfernode */
+	NULL, /* getnsec3parameters */
+	NULL, /* findnsec3node */
+	NULL, /* setsigningtime */
+	NULL, /* getsigningtime */
+	NULL, /* resigned */
+	NULL, /* isdnssec */
+	NULL, /* getrrsetstats */
+	NULL, /* rpz_attach */
+	NULL, /* rpz_ready */
+	NULL, /* findnodeext */
+	NULL, /* findext */
+	NULL, /* setcachestats */
+	NULL, /* hashsize */
+	NULL, /* nodefullname */
+	NULL, /* getsize */
+	NULL, /* setservestalettl */
+	NULL, /* getservestalettl */
+	NULL  /* setgluecachestats */
+};
+
+static isc_result_t
+dns_ecdb_create(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type,
+		dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
+		void *driverarg, dns_db_t **dbp) {
+	dns_ecdb_t *ecdb;
+	isc_result_t result;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(origin == dns_rootname);
+	REQUIRE(type == dns_dbtype_cache);
+	REQUIRE(dbp != NULL && *dbp == NULL);
+
+	UNUSED(argc);
+	UNUSED(argv);
+	UNUSED(driverarg);
+
+	ecdb = isc_mem_get(mctx, sizeof(*ecdb));
+
+	ecdb->common.attributes = DNS_DBATTR_CACHE;
+	ecdb->common.rdclass = rdclass;
+	ecdb->common.methods = &ecdb_methods;
+	dns_name_init(&ecdb->common.origin, NULL);
+	result = dns_name_dupwithoffsets(origin, mctx, &ecdb->common.origin);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(mctx, ecdb, sizeof(*ecdb));
+		return (result);
+	}
+
+	isc_mutex_init(&ecdb->lock);
+
+	isc_refcount_init(&ecdb->references, 1);
+	ISC_LIST_INIT(ecdb->nodes);
+
+	ecdb->common.mctx = NULL;
+	isc_mem_attach(mctx, &ecdb->common.mctx);
+	ecdb->common.impmagic = ECDB_MAGIC;
+	ecdb->common.magic = DNS_DB_MAGIC;
+
+	*dbp = (dns_db_t *)ecdb;
+
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Rdataset Methods
+ */
+
+static void
+rdataset_disassociate(dns_rdataset_t *rdataset) {
+	dns_db_t *db = rdataset->private1;
+	dns_dbnode_t *node = rdataset->private2;
+
+	dns_db_detachnode(db, &node);
+}
+
+static isc_result_t
+rdataset_first(dns_rdataset_t *rdataset) {
+	unsigned char *raw = rdataset->private3;
+	unsigned int count;
+
+	count = raw[0] * 256 + raw[1];
+	if (count == 0) {
+		rdataset->private5 = NULL;
+		return (ISC_R_NOMORE);
+	}
+#if DNS_RDATASET_FIXED
+	raw += 2 + (4 * count);
+#else  /* if DNS_RDATASET_FIXED */
+	raw += 2;
+#endif /* if DNS_RDATASET_FIXED */
+	/*
+	 * The privateuint4 field is the number of rdata beyond the cursor
+	 * position, so we decrement the total count by one before storing
+	 * it.
+	 */
+	count--;
+	rdataset->privateuint4 = count;
+	rdataset->private5 = raw;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+rdataset_next(dns_rdataset_t *rdataset) {
+	unsigned int count;
+	unsigned int length;
+	unsigned char *raw;
+
+	count = rdataset->privateuint4;
+	if (count == 0) {
+		return (ISC_R_NOMORE);
+	}
+	count--;
+	rdataset->privateuint4 = count;
+	raw = rdataset->private5;
+	length = raw[0] * 256 + raw[1];
+#if DNS_RDATASET_FIXED
+	raw += length + 4;
+#else  /* if DNS_RDATASET_FIXED */
+	raw += length + 2;
+#endif /* if DNS_RDATASET_FIXED */
+	rdataset->private5 = raw;
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
+	unsigned char *raw = rdataset->private5;
+	isc_region_t r;
+	unsigned int length;
+	unsigned int flags = 0;
+
+	REQUIRE(raw != NULL);
+
+	length = raw[0] * 256 + raw[1];
+#if DNS_RDATASET_FIXED
+	raw += 4;
+#else  /* if DNS_RDATASET_FIXED */
+	raw += 2;
+#endif /* if DNS_RDATASET_FIXED */
+	if (rdataset->type == dns_rdatatype_rrsig) {
+		if ((*raw & DNS_RDATASLAB_OFFLINE) != 0) {
+			flags |= DNS_RDATA_OFFLINE;
+		}
+		length--;
+		raw++;
+	}
+	r.length = length;
+	r.base = raw;
+	dns_rdata_fromregion(rdata, rdataset->rdclass, rdataset->type, &r);
+	rdata->flags |= flags;
+}
+
+static void
+rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
+	dns_db_t *db = source->private1;
+	dns_dbnode_t *node = source->private2;
+	dns_dbnode_t *cloned_node = NULL;
+
+	attachnode(db, node, &cloned_node);
+	*target = *source;
+
+	/*
+	 * Reset iterator state.
+	 */
+	target->privateuint4 = 0;
+	target->private5 = NULL;
+}
+
+static unsigned int
+rdataset_count(dns_rdataset_t *rdataset) {
+	unsigned char *raw = rdataset->private3;
+	unsigned int count;
+
+	count = raw[0] * 256 + raw[1];
+
+	return (count);
+}
+
+static void
+rdataset_settrust(dns_rdataset_t *rdataset, dns_trust_t trust) {
+	rdatasetheader_t *header = rdataset->private3;
+
+	header--;
+	header->trust = rdataset->trust = trust;
+}
+
+/*
+ * Rdataset Iterator Methods
+ */
+
+static void
+rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp) {
+	isc_mem_t *mctx;
+	union {
+		dns_rdatasetiter_t *rdatasetiterator;
+		ecdb_rdatasetiter_t *ecdbiterator;
+	} u;
+
+	REQUIRE(iteratorp != NULL);
+	REQUIRE(DNS_RDATASETITER_VALID(*iteratorp));
+
+	u.rdatasetiterator = *iteratorp;
+	*iteratorp = NULL;
+
+	mctx = u.ecdbiterator->common.db->mctx;
+	u.ecdbiterator->common.magic = 0;
+
+	dns_db_detachnode(u.ecdbiterator->common.db,
+			  &u.ecdbiterator->common.node);
+	isc_mem_put(mctx, u.ecdbiterator, sizeof(ecdb_rdatasetiter_t));
+}
+
+static isc_result_t
+rdatasetiter_first(dns_rdatasetiter_t *iterator) {
+	REQUIRE(DNS_RDATASETITER_VALID(iterator));
+
+	ecdb_rdatasetiter_t *ecdbiterator = (ecdb_rdatasetiter_t *)iterator;
+	dns_ecdbnode_t *ecdbnode = (dns_ecdbnode_t *)iterator->node;
+
+	if (ISC_LIST_EMPTY(ecdbnode->rdatasets)) {
+		return (ISC_R_NOMORE);
+	}
+	ecdbiterator->current = ISC_LIST_HEAD(ecdbnode->rdatasets);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+rdatasetiter_next(dns_rdatasetiter_t *iterator) {
+	REQUIRE(DNS_RDATASETITER_VALID(iterator));
+
+	ecdb_rdatasetiter_t *ecdbiterator = (ecdb_rdatasetiter_t *)iterator;
+
+	ecdbiterator->current = ISC_LIST_NEXT(ecdbiterator->current, link);
+	if (ecdbiterator->current == NULL) {
+		return (ISC_R_NOMORE);
+	} else {
+		return (ISC_R_SUCCESS);
+	}
+}
+
+static void
+rdatasetiter_current(dns_rdatasetiter_t *iterator, dns_rdataset_t *rdataset) {
+	ecdb_rdatasetiter_t *ecdbiterator = (ecdb_rdatasetiter_t *)iterator;
+	dns_ecdb_t *ecdb;
+
+	ecdb = (dns_ecdb_t *)iterator->db;
+	REQUIRE(VALID_ECDB(ecdb));
+
+	bind_rdataset(ecdb, iterator->node, ecdbiterator->current, rdataset);
+}
diff --git a/lib/dns/ecs.c b/lib/dns/ecs.c
new file mode 100644
index 0000000..676c740
--- /dev/null
+++ b/lib/dns/ecs.c
@@ -0,0 +1,113 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <string.h>
+
+#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/netaddr.h>
+#include <isc/print.h>
+#include <isc/util.h>
+
+#include <dns/ecs.h>
+#include <dns/nsec.h>
+#include <dns/rbt.h>
+#include <dns/rdata.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/types.h>
+
+void
+dns_ecs_init(dns_ecs_t *ecs) {
+	isc_netaddr_unspec(&ecs->addr);
+	ecs->source = 0;
+	ecs->scope = 0xff;
+}
+
+bool
+dns_ecs_equals(const dns_ecs_t *ecs1, const dns_ecs_t *ecs2) {
+	const unsigned char *addr1, *addr2;
+	uint8_t mask;
+	size_t alen;
+
+	REQUIRE(ecs1 != NULL && ecs2 != NULL);
+
+	if (ecs1->source != ecs2->source ||
+	    ecs1->addr.family != ecs2->addr.family)
+	{
+		return (false);
+	}
+
+	alen = (ecs1->source + 7) / 8;
+	if (alen == 0) {
+		return (true);
+	}
+
+	switch (ecs1->addr.family) {
+	case AF_INET:
+		INSIST(alen <= 4);
+		addr1 = (const unsigned char *)&ecs1->addr.type.in;
+		addr2 = (const unsigned char *)&ecs2->addr.type.in;
+		break;
+	case AF_INET6:
+		INSIST(alen <= 16);
+		addr1 = (const unsigned char *)&ecs1->addr.type.in6;
+		addr2 = (const unsigned char *)&ecs2->addr.type.in6;
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	/*
+	 * Compare all octets except the final octet of the address
+	 * prefix.
+	 */
+	if (alen > 1 && memcmp(addr1, addr2, alen - 1) != 0) {
+		return (false);
+	}
+
+	/*
+	 * It should not be necessary to mask the final octet; all
+	 * bits past the source prefix length are supposed to be 0.
+	 * However, it seems prudent not to omit them from the
+	 * comparison anyway.
+	 */
+	mask = (~0U << (8 - (ecs1->source % 8))) & 0xff;
+	if (mask == 0) {
+		mask = 0xff;
+	}
+
+	if ((addr1[alen - 1] & mask) != (addr2[alen - 1] & mask)) {
+		return (false);
+	}
+
+	return (true);
+}
+
+void
+dns_ecs_format(const dns_ecs_t *ecs, char *buf, size_t size) {
+	size_t len;
+	char *p;
+
+	REQUIRE(ecs != NULL);
+	REQUIRE(buf != NULL);
+	REQUIRE(size >= DNS_ECS_FORMATSIZE);
+
+	isc_netaddr_format(&ecs->addr, buf, size);
+	len = strlen(buf);
+	p = buf + len;
+	snprintf(p, size - len, "/%d/%d", ecs->source,
+		 ecs->scope == 0xff ? 0 : ecs->scope);
+}
diff --git a/lib/dns/fixedname.c b/lib/dns/fixedname.c
new file mode 100644
index 0000000..c6d899d
--- /dev/null
+++ b/lib/dns/fixedname.c
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <dns/fixedname.h>
+
+void
+dns_fixedname_init(dns_fixedname_t *fixed) {
+	dns_name_init(&fixed->name, fixed->offsets);
+	isc_buffer_init(&fixed->buffer, fixed->data, DNS_NAME_MAXWIRE);
+	dns_name_setbuffer(&fixed->name, &fixed->buffer);
+}
+
+void
+dns_fixedname_invalidate(dns_fixedname_t *fixed) {
+	dns_name_invalidate(&fixed->name);
+}
+
+dns_name_t *
+dns_fixedname_name(dns_fixedname_t *fixed) {
+	return (&fixed->name);
+}
+
+dns_name_t *
+dns_fixedname_initname(dns_fixedname_t *fixed) {
+	dns_fixedname_init(fixed);
+	return (dns_fixedname_name(fixed));
+}
diff --git a/lib/dns/forward.c b/lib/dns/forward.c
new file mode 100644
index 0000000..e59f23c
--- /dev/null
+++ b/lib/dns/forward.c
@@ -0,0 +1,227 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/rwlock.h>
+#include <isc/util.h>
+
+#include <dns/forward.h>
+#include <dns/rbt.h>
+#include <dns/result.h>
+#include <dns/types.h>
+
+struct dns_fwdtable {
+	/* Unlocked. */
+	unsigned int magic;
+	isc_mem_t *mctx;
+	isc_rwlock_t rwlock;
+	/* Locked by lock. */
+	dns_rbt_t *table;
+};
+
+#define FWDTABLEMAGIC	   ISC_MAGIC('F', 'w', 'd', 'T')
+#define VALID_FWDTABLE(ft) ISC_MAGIC_VALID(ft, FWDTABLEMAGIC)
+
+static void
+auto_detach(void *, void *);
+
+isc_result_t
+dns_fwdtable_create(isc_mem_t *mctx, dns_fwdtable_t **fwdtablep) {
+	dns_fwdtable_t *fwdtable;
+	isc_result_t result;
+
+	REQUIRE(fwdtablep != NULL && *fwdtablep == NULL);
+
+	fwdtable = isc_mem_get(mctx, sizeof(*fwdtable));
+
+	fwdtable->table = NULL;
+	result = dns_rbt_create(mctx, auto_detach, fwdtable, &fwdtable->table);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_fwdtable;
+	}
+
+	isc_rwlock_init(&fwdtable->rwlock, 0, 0);
+	fwdtable->mctx = NULL;
+	isc_mem_attach(mctx, &fwdtable->mctx);
+	fwdtable->magic = FWDTABLEMAGIC;
+	*fwdtablep = fwdtable;
+
+	return (ISC_R_SUCCESS);
+
+cleanup_fwdtable:
+	isc_mem_put(mctx, fwdtable, sizeof(*fwdtable));
+
+	return (result);
+}
+
+isc_result_t
+dns_fwdtable_addfwd(dns_fwdtable_t *fwdtable, const dns_name_t *name,
+		    dns_forwarderlist_t *fwdrs, dns_fwdpolicy_t fwdpolicy) {
+	isc_result_t result;
+	dns_forwarders_t *forwarders;
+	dns_forwarder_t *fwd, *nfwd;
+
+	REQUIRE(VALID_FWDTABLE(fwdtable));
+
+	forwarders = isc_mem_get(fwdtable->mctx, sizeof(*forwarders));
+
+	ISC_LIST_INIT(forwarders->fwdrs);
+	for (fwd = ISC_LIST_HEAD(*fwdrs); fwd != NULL;
+	     fwd = ISC_LIST_NEXT(fwd, link))
+	{
+		nfwd = isc_mem_get(fwdtable->mctx, sizeof(*nfwd));
+		*nfwd = *fwd;
+		ISC_LINK_INIT(nfwd, link);
+		ISC_LIST_APPEND(forwarders->fwdrs, nfwd, link);
+	}
+	forwarders->fwdpolicy = fwdpolicy;
+
+	RWLOCK(&fwdtable->rwlock, isc_rwlocktype_write);
+	result = dns_rbt_addname(fwdtable->table, name, forwarders);
+	RWUNLOCK(&fwdtable->rwlock, isc_rwlocktype_write);
+
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	while (!ISC_LIST_EMPTY(forwarders->fwdrs)) {
+		fwd = ISC_LIST_HEAD(forwarders->fwdrs);
+		ISC_LIST_UNLINK(forwarders->fwdrs, fwd, link);
+		isc_mem_put(fwdtable->mctx, fwd, sizeof(*fwd));
+	}
+	isc_mem_put(fwdtable->mctx, forwarders, sizeof(*forwarders));
+	return (result);
+}
+
+isc_result_t
+dns_fwdtable_add(dns_fwdtable_t *fwdtable, const dns_name_t *name,
+		 isc_sockaddrlist_t *addrs, dns_fwdpolicy_t fwdpolicy) {
+	isc_result_t result;
+	dns_forwarders_t *forwarders;
+	dns_forwarder_t *fwd;
+	isc_sockaddr_t *sa;
+
+	REQUIRE(VALID_FWDTABLE(fwdtable));
+
+	forwarders = isc_mem_get(fwdtable->mctx, sizeof(*forwarders));
+
+	ISC_LIST_INIT(forwarders->fwdrs);
+	for (sa = ISC_LIST_HEAD(*addrs); sa != NULL;
+	     sa = ISC_LIST_NEXT(sa, link))
+	{
+		fwd = isc_mem_get(fwdtable->mctx, sizeof(*fwd));
+		fwd->addr = *sa;
+		fwd->dscp = -1;
+		ISC_LINK_INIT(fwd, link);
+		ISC_LIST_APPEND(forwarders->fwdrs, fwd, link);
+	}
+	forwarders->fwdpolicy = fwdpolicy;
+
+	RWLOCK(&fwdtable->rwlock, isc_rwlocktype_write);
+	result = dns_rbt_addname(fwdtable->table, name, forwarders);
+	RWUNLOCK(&fwdtable->rwlock, isc_rwlocktype_write);
+
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	while (!ISC_LIST_EMPTY(forwarders->fwdrs)) {
+		fwd = ISC_LIST_HEAD(forwarders->fwdrs);
+		ISC_LIST_UNLINK(forwarders->fwdrs, fwd, link);
+		isc_mem_put(fwdtable->mctx, fwd, sizeof(*fwd));
+	}
+	isc_mem_put(fwdtable->mctx, forwarders, sizeof(*forwarders));
+	return (result);
+}
+
+isc_result_t
+dns_fwdtable_delete(dns_fwdtable_t *fwdtable, const dns_name_t *name) {
+	isc_result_t result;
+
+	REQUIRE(VALID_FWDTABLE(fwdtable));
+
+	RWLOCK(&fwdtable->rwlock, isc_rwlocktype_write);
+	result = dns_rbt_deletename(fwdtable->table, name, false);
+	RWUNLOCK(&fwdtable->rwlock, isc_rwlocktype_write);
+
+	if (result == DNS_R_PARTIALMATCH) {
+		result = ISC_R_NOTFOUND;
+	}
+
+	return (result);
+}
+
+isc_result_t
+dns_fwdtable_find(dns_fwdtable_t *fwdtable, const dns_name_t *name,
+		  dns_name_t *foundname, dns_forwarders_t **forwardersp) {
+	isc_result_t result;
+
+	REQUIRE(VALID_FWDTABLE(fwdtable));
+
+	RWLOCK(&fwdtable->rwlock, isc_rwlocktype_read);
+
+	result = dns_rbt_findname(fwdtable->table, name, 0, foundname,
+				  (void **)forwardersp);
+	if (result == DNS_R_PARTIALMATCH) {
+		result = ISC_R_SUCCESS;
+	}
+
+	RWUNLOCK(&fwdtable->rwlock, isc_rwlocktype_read);
+
+	return (result);
+}
+
+void
+dns_fwdtable_destroy(dns_fwdtable_t **fwdtablep) {
+	dns_fwdtable_t *fwdtable;
+
+	REQUIRE(fwdtablep != NULL && VALID_FWDTABLE(*fwdtablep));
+
+	fwdtable = *fwdtablep;
+	*fwdtablep = NULL;
+
+	dns_rbt_destroy(&fwdtable->table);
+	isc_rwlock_destroy(&fwdtable->rwlock);
+	fwdtable->magic = 0;
+
+	isc_mem_putanddetach(&fwdtable->mctx, fwdtable, sizeof(*fwdtable));
+}
+
+/***
+ *** Private
+ ***/
+
+static void
+auto_detach(void *data, void *arg) {
+	dns_forwarders_t *forwarders = data;
+	dns_fwdtable_t *fwdtable = arg;
+	dns_forwarder_t *fwd;
+
+	UNUSED(arg);
+
+	while (!ISC_LIST_EMPTY(forwarders->fwdrs)) {
+		fwd = ISC_LIST_HEAD(forwarders->fwdrs);
+		ISC_LIST_UNLINK(forwarders->fwdrs, fwd, link);
+		isc_mem_put(fwdtable->mctx, fwd, sizeof(*fwd));
+	}
+	isc_mem_put(fwdtable->mctx, forwarders, sizeof(*forwarders));
+}
diff --git a/lib/dns/gen-unix.h b/lib/dns/gen-unix.h
new file mode 100644
index 0000000..5974635
--- /dev/null
+++ b/lib/dns/gen-unix.h
@@ -0,0 +1,100 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file
+ * \brief
+ * This file is responsible for defining two operations that are not
+ * directly portable between Unix-like systems and Windows NT, option
+ * parsing and directory scanning.  It is here because it was decided
+ * that the "gen" build utility was not to depend on libisc.a, so
+ * the functions declared in isc/commandline.h and isc/dir.h could not
+ * be used.
+ *
+ * The commandline stuff is really just a wrapper around getopt().
+ * The dir stuff was shrunk to fit the needs of gen.c.
+ */
+
+#ifndef DNS_GEN_UNIX_H
+#define DNS_GEN_UNIX_H 1
+
+#include <dirent.h>
+#include <errno.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <sys/types.h> /* Required on some systems for dirent.h. */
+#include <unistd.h>    /* XXXDCL Required for ?. */
+
+#include <isc/lang.h>
+
+#ifdef NEED_OPTARG
+extern char *optarg;
+#endif /* ifdef NEED_OPTARG */
+
+#define isc_commandline_parse	 getopt
+#define isc_commandline_argument optarg
+
+typedef struct {
+	DIR *handle;
+	char *filename;
+} isc_dir_t;
+
+ISC_LANG_BEGINDECLS
+
+static bool
+start_directory(const char *path, isc_dir_t *dir) {
+	dir->handle = opendir(path);
+
+	if (dir->handle != NULL) {
+		return (true);
+	} else {
+		return (false);
+	}
+}
+
+static bool
+next_file(isc_dir_t *dir) {
+	struct dirent *dirent;
+
+	dir->filename = NULL;
+
+	if (dir->handle != NULL) {
+		errno = 0;
+		dirent = readdir(dir->handle);
+		if (dirent != NULL) {
+			dir->filename = dirent->d_name;
+		} else {
+			if (errno != 0) {
+				exit(1);
+			}
+		}
+	}
+
+	if (dir->filename != NULL) {
+		return (true);
+	} else {
+		return (false);
+	}
+}
+
+static void
+end_directory(isc_dir_t *dir) {
+	if (dir->handle != NULL) {
+		(void)closedir(dir->handle);
+	}
+
+	dir->handle = NULL;
+}
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_GEN_UNIX_H */
diff --git a/lib/dns/gen-win32.h b/lib/dns/gen-win32.h
new file mode 100644
index 0000000..1718295
--- /dev/null
+++ b/lib/dns/gen-win32.h
@@ -0,0 +1,295 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (c) 1987, 1993, 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * \note This file was adapted from the NetBSD project's source tree, RCS ID:
+ *    NetBSD: getopt.c,v 1.15 1999/09/20 04:39:37 lukem Exp
+ *
+ * The primary change has been to rename items to the ISC namespace
+ * and format in the ISC coding style.
+ *
+ * This file is responsible for defining two operations that are not
+ * directly portable between Unix-like systems and Windows NT, option
+ * parsing and directory scanning.  It is here because it was decided
+ * that the "gen" build utility was not to depend on libisc.a, so
+ * the functions declared in isc/commandline.h and isc/dir.h could not
+ * be used.
+ *
+ * The commandline stuff is pretty much a straight copy from the initial
+ * isc/commandline.c.  The dir stuff was shrunk to fit the needs of gen.c.
+ */
+
+#ifndef DNS_GEN_WIN32_H
+#define DNS_GEN_WIN32_H 1
+
+#include <stdbool.h>
+#include <stdio.h>
+#include <string.h>
+#include <time.h>
+#include <windows.h>
+
+#include <isc/lang.h>
+
+int isc_commandline_index = 1; /* Index into parent argv vector. */
+int isc_commandline_option;    /* Character checked for validity. */
+
+char *isc_commandline_argument; /* Argument associated with option. */
+char *isc_commandline_progname; /* For printing error messages. */
+
+bool isc_commandline_errprint = true; /* Print error messages. */
+bool isc_commandline_reset = true;    /* Reset processing. */
+
+#define BADOPT '?'
+#define BADARG ':'
+#define ENDOPT ""
+
+ISC_LANG_BEGINDECLS
+
+/*
+ * getopt --
+ *	Parse argc/argv argument vector.
+ */
+int
+isc_commandline_parse(int argc, char *const *argv, const char *options) {
+	static char *place = ENDOPT;
+	char *option; /* Index into *options of option. */
+
+	/*
+	 * Update scanning pointer, either because a reset was requested or
+	 * the previous argv was finished.
+	 */
+	if (isc_commandline_reset || *place == '\0') {
+		isc_commandline_reset = false;
+
+		if (isc_commandline_progname == NULL) {
+			isc_commandline_progname = argv[0];
+		}
+
+		if (isc_commandline_index >= argc ||
+		    *(place = argv[isc_commandline_index]) != '-')
+		{
+			/*
+			 * Index out of range or points to non-option.
+			 */
+			place = ENDOPT;
+			return (-1);
+		}
+
+		if (place[1] != '\0' && *++place == '-' && place[1] == '\0') {
+			/*
+			 * Found '--' to signal end of options.	 Advance
+			 * index to next argv, the first non-option.
+			 */
+			isc_commandline_index++;
+			place = ENDOPT;
+			return (-1);
+		}
+	}
+
+	isc_commandline_option = *place++;
+	option = strchr(options, isc_commandline_option);
+
+	/*
+	 * Ensure valid option has been passed as specified by options string.
+	 * '-:' is never a valid command line option because it could not
+	 * distinguish ':' from the argument specifier in the options string.
+	 */
+	if (isc_commandline_option == ':' || option == NULL) {
+		if (*place == '\0') {
+			isc_commandline_index++;
+		}
+
+		if (isc_commandline_errprint && *options != ':') {
+			fprintf(stderr, "%s: illegal option -- %c\n",
+				isc_commandline_progname,
+				isc_commandline_option);
+		}
+
+		return (BADOPT);
+	}
+
+	if (*++option != ':') {
+		/*
+		 * Option does not take an argument.
+		 */
+		isc_commandline_argument = NULL;
+
+		/*
+		 * Skip to next argv if at the end of the current argv.
+		 */
+		if (*place == '\0') {
+			++isc_commandline_index;
+		}
+	} else {
+		/*
+		 * Option needs an argument.
+		 */
+		if (*place != '\0') {
+			/*
+			 * Option is in this argv, -D1 style.
+			 */
+			isc_commandline_argument = place;
+		} else if (argc > ++isc_commandline_index) {
+			/*
+			 * Option is next argv, -D 1 style.
+			 */
+			isc_commandline_argument = argv[isc_commandline_index];
+		} else {
+			/*
+			 * Argument needed, but no more argv.
+			 */
+			place = ENDOPT;
+
+			/*
+			 * Silent failure with "missing argument" return
+			 * when ':' starts options string, per historical spec.
+			 */
+			if (*options == ':') {
+				return (BADARG);
+			}
+
+			if (isc_commandline_errprint) {
+				fprintf(stderr,
+					"%s: option requires an argument -- "
+					"%c\n",
+					isc_commandline_progname,
+					isc_commandline_option);
+			}
+
+			return (BADOPT);
+		}
+
+		place = ENDOPT;
+
+		/*
+		 * Point to argv that follows argument.
+		 */
+		isc_commandline_index++;
+	}
+
+	return (isc_commandline_option);
+}
+
+typedef struct {
+	HANDLE handle;
+	WIN32_FIND_DATA find_data;
+	bool first_file;
+	char *filename;
+} isc_dir_t;
+
+bool
+start_directory(const char *path, isc_dir_t *dir) {
+	char pattern[_MAX_PATH], *p;
+
+	/*
+	 * Need space for slash-splat and final NUL.
+	 */
+	if (strlen(path) + 3 > sizeof(pattern)) {
+		return (false);
+	}
+
+	strcpy(pattern, path);
+
+	/*
+	 * Append slash (if needed) and splat.
+	 */
+	p = pattern + strlen(pattern);
+	if (p != pattern && p[-1] != '\\' && p[-1] != ':') {
+		*p++ = '\\';
+	}
+	*p++ = '*';
+	*p++ = '\0';
+
+	dir->first_file = true;
+
+	dir->handle = FindFirstFile(pattern, &dir->find_data);
+
+	if (dir->handle == INVALID_HANDLE_VALUE) {
+		dir->filename = NULL;
+		return (false);
+	} else {
+		dir->filename = dir->find_data.cFileName;
+		return (true);
+	}
+}
+
+bool
+next_file(isc_dir_t *dir) {
+	if (dir->first_file) {
+		dir->first_file = false;
+	} else if (dir->handle != INVALID_HANDLE_VALUE) {
+		if (FindNextFile(dir->handle, &dir->find_data) == TRUE) {
+			dir->filename = dir->find_data.cFileName;
+		} else {
+			dir->filename = NULL;
+		}
+	} else {
+		dir->filename = NULL;
+	}
+
+	if (dir->filename != NULL) {
+		return (true);
+	} else {
+		return (false);
+	}
+}
+
+void
+end_directory(isc_dir_t *dir) {
+	if (dir->handle != INVALID_HANDLE_VALUE) {
+		FindClose(dir->handle);
+	}
+}
+
+inline struct tm *
+gmtime_r(const time_t *clock, struct tm *result) {
+	errno_t ret = gmtime_s(result, clock);
+	if (ret != 0) {
+		errno = ret;
+		return (NULL);
+	}
+	return (result);
+}
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_GEN_WIN32_H */
diff --git a/lib/dns/gen.c b/lib/dns/gen.c
new file mode 100644
index 0000000..6d40858
--- /dev/null
+++ b/lib/dns/gen.c
@@ -0,0 +1,1028 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#ifdef WIN32
+/*
+ * Silence compiler warnings about using strcpy and friends.
+ */
+#define _CRT_SECURE_NO_DEPRECATE 1
+/*
+ * We use snprintf which was defined late in Windows even it is in C99.
+ */
+#if _MSC_VER < 1900
+#define snprintf _snprintf
+#endif /* if _MSC_VER < 1900 */
+#endif /* ifdef WIN32 */
+
+#include <ctype.h>
+#include <errno.h>
+#include <limits.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <time.h>
+
+#ifndef PATH_MAX
+#define PATH_MAX 1024
+#endif /* ifndef PATH_MAX */
+
+#ifdef WIN32
+#include "gen-win32.h"
+#else /* ifdef WIN32 */
+#include "gen-unix.h"
+#endif /* ifdef WIN32 */
+
+#ifndef ULLONG_MAX
+#define ULLONG_MAX (~0ULL)
+#endif /* ifndef ULLONG_MAX */
+
+#define INSIST(cond)                                                       \
+	if (!(cond)) {                                                     \
+		fprintf(stderr, "%s:%d: INSIST(%s)\n", __FILE__, __LINE__, \
+			#cond);                                            \
+		abort();                                                   \
+	}
+
+#define FROMTEXTARGS  "rdclass, type, lexer, origin, options, target, callbacks"
+#define FROMTEXTCLASS "rdclass"
+#define FROMTEXTTYPE  "type"
+#define FROMTEXTDEF   "result = DNS_R_UNKNOWN"
+
+#define TOTEXTARGS  "rdata, tctx, target"
+#define TOTEXTCLASS "rdata->rdclass"
+#define TOTEXTTYPE  "rdata->type"
+#define TOTEXTDEF   "use_default = true"
+
+#define FROMWIREARGS  "rdclass, type, source, dctx, options, target"
+#define FROMWIRECLASS "rdclass"
+#define FROMWIRETYPE  "type"
+#define FROMWIREDEF   "use_default = true"
+
+#define TOWIREARGS  "rdata, cctx, target"
+#define TOWIRECLASS "rdata->rdclass"
+#define TOWIRETYPE  "rdata->type"
+#define TOWIREDEF   "use_default = true"
+
+#define FROMSTRUCTARGS	"rdclass, type, source, target"
+#define FROMSTRUCTCLASS "rdclass"
+#define FROMSTRUCTTYPE	"type"
+#define FROMSTRUCTDEF	"use_default = true"
+
+#define TOSTRUCTARGS  "rdata, target, mctx"
+#define TOSTRUCTCLASS "rdata->rdclass"
+#define TOSTRUCTTYPE  "rdata->type"
+#define TOSTRUCTDEF   "use_default = true"
+
+#define FREESTRUCTARGS	"source"
+#define FREESTRUCTCLASS "common->rdclass"
+#define FREESTRUCTTYPE	"common->rdtype"
+#define FREESTRUCTDEF	NULL
+
+#define COMPAREARGS  "rdata1, rdata2"
+#define COMPARECLASS "rdata1->rdclass"
+#define COMPARETYPE  "rdata1->type"
+#define COMPAREDEF   "use_default = true"
+
+#define ADDITIONALDATAARGS  "rdata, add, arg"
+#define ADDITIONALDATACLASS "rdata->rdclass"
+#define ADDITIONALDATATYPE  "rdata->type"
+#define ADDITIONALDATADEF   "use_default = true"
+
+#define DIGESTARGS  "rdata, digest, arg"
+#define DIGESTCLASS "rdata->rdclass"
+#define DIGESTTYPE  "rdata->type"
+#define DIGESTDEF   "use_default = true"
+
+#define CHECKOWNERARGS	"name, rdclass, type, wildcard"
+#define CHECKOWNERCLASS "rdclass"
+#define CHECKOWNERTYPE	"type"
+#define CHECKOWNERDEF	"result = true"
+
+#define CHECKNAMESARGS	"rdata, owner, bad"
+#define CHECKNAMESCLASS "rdata->rdclass"
+#define CHECKNAMESTYPE	"rdata->type"
+#define CHECKNAMESDEF	"result = true"
+
+static const char copyright[] = "/*\n"
+				" * Copyright (C) 1998%s  Internet Systems "
+				"Consortium, Inc. (\"ISC\")\n"
+				" *\n"
+				" * This Source Code Form is subject to the "
+				"terms of the Mozilla Public\n"
+				" * License, v. 2.0. If a copy of the MPL was "
+				"not distributed with this\n"
+				" * file, you can obtain one at "
+				"https://mozilla.org/MPL/2.0/.\n"
+				" */\n"
+				"\n"
+				"/***************\n"
+				" ***************\n"
+				" ***************   THIS FILE IS AUTOMATICALLY "
+				"GENERATED BY gen.c.\n"
+				" ***************   DO NOT EDIT!\n"
+				" ***************\n"
+				" ***************/\n"
+				"\n"
+				"/*! \\file */\n"
+				"\n";
+
+#define STR_EXPAND(tok) #tok
+#define STR(tok)	STR_EXPAND(tok)
+
+#define TYPENAMES     256
+#define TYPECLASSLEN  20 /* DNS mnemonic size. Must be less than 100. */
+#define TYPECLASSBUF  (TYPECLASSLEN + 1)
+#define TYPECLASSFMT  "%" STR(TYPECLASSLEN) "[-0-9a-z]_%d"
+#define ATTRIBUTESIZE 256
+
+static struct cc {
+	struct cc *next;
+	int rdclass;
+	char classbuf[TYPECLASSBUF];
+} *classes;
+
+static struct tt {
+	struct tt *next;
+	uint16_t rdclass;
+	uint16_t type;
+	char classbuf[TYPECLASSBUF];
+	char typebuf[TYPECLASSBUF];
+	char dirbuf[PATH_MAX - 30];
+} *types;
+
+static struct ttnam {
+	char typebuf[TYPECLASSBUF];
+	char macroname[TYPECLASSBUF];
+	char attr[ATTRIBUTESIZE];
+	unsigned int sorted;
+	uint16_t type;
+} typenames[TYPENAMES];
+
+static int maxtype = -1;
+
+static char *
+upper(char *);
+static char *
+funname(const char *, char *);
+static void
+doswitch(const char *, const char *, const char *, const char *, const char *,
+	 const char *);
+static void
+add(int, const char *, int, const char *, const char *);
+static void
+sd(int, const char *, const char *, char);
+static void
+insert_into_typenames(int, const char *, const char *);
+
+/*%
+ * If you use more than 10 of these in, say, a printf(), you'll have problems.
+ */
+static char *
+upper(char *s) {
+	static int buf_to_use = 0;
+	static char buf[10][256];
+	char *b;
+	int c;
+
+	buf_to_use++;
+	if (buf_to_use > 9) {
+		buf_to_use = 0;
+	}
+
+	b = buf[buf_to_use];
+	memset(b, 0, 256);
+
+	while ((c = (*s++) & 0xff)) {
+		*b++ = islower(c) ? toupper(c) : c;
+	}
+	*b = '\0';
+	return (buf[buf_to_use]);
+}
+
+static char *
+funname(const char *s, char *buf) {
+	char *b = buf;
+	char c;
+
+	INSIST(strlen(s) < TYPECLASSBUF);
+	while ((c = *s++)) {
+		*b++ = (c == '-') ? '_' : c;
+	}
+	*b = '\0';
+	return (buf);
+}
+
+static void
+doswitch(const char *name, const char *function, const char *args,
+	 const char *tsw, const char *csw, const char *res) {
+	struct tt *tt;
+	int first = 1;
+	int lasttype = 0;
+	int subswitch = 0;
+	char buf1[TYPECLASSBUF], buf2[TYPECLASSBUF];
+	const char *result = " result =";
+
+	if (res == NULL) {
+		result = "";
+	}
+
+	for (tt = types; tt != NULL; tt = tt->next) {
+		if (first) {
+			fprintf(stdout, "\n#define %s \\\n", name);
+			fprintf(stdout, "\tswitch (%s) { \\\n" /*}*/, tsw);
+			first = 0;
+		}
+		if (tt->type != lasttype && subswitch) {
+			if (res == NULL) {
+				fprintf(stdout, "\t\tdefault: break; \\\n");
+			} else {
+				fprintf(stdout, "\t\tdefault: %s; break; \\\n",
+					res);
+			}
+			fputs(/*{*/ "\t\t} \\\n", stdout);
+			fputs("\t\tbreak; \\\n", stdout);
+			subswitch = 0;
+		}
+		if (tt->rdclass && tt->type != lasttype) {
+			fprintf(stdout, "\tcase %d: switch (%s) { \\\n" /*}*/,
+				tt->type, csw);
+			subswitch = 1;
+		}
+		if (tt->rdclass == 0) {
+			fprintf(stdout, "\tcase %d:%s %s_%s(%s); break;",
+				tt->type, result, function,
+				funname(tt->typebuf, buf1), args);
+		} else {
+			fprintf(stdout, "\t\tcase %d:%s %s_%s_%s(%s); break;",
+				tt->rdclass, result, function,
+				funname(tt->classbuf, buf1),
+				funname(tt->typebuf, buf2), args);
+		}
+		fputs(" \\\n", stdout);
+		lasttype = tt->type;
+	}
+	if (subswitch) {
+		if (res == NULL) {
+			fprintf(stdout, "\t\tdefault: break; \\\n");
+		} else {
+			fprintf(stdout, "\t\tdefault: %s; break; \\\n", res);
+		}
+		fputs(/*{*/ "\t\t} \\\n", stdout);
+		fputs("\t\tbreak; \\\n", stdout);
+	}
+	if (first) {
+		if (res == NULL) {
+			fprintf(stdout, "\n#define %s\n", name);
+		} else {
+			fprintf(stdout, "\n#define %s %s;\n", name, res);
+		}
+	} else {
+		if (res == NULL) {
+			fprintf(stdout, "\tdefault: break; \\\n");
+		} else {
+			fprintf(stdout, "\tdefault: %s; break; \\\n", res);
+		}
+		fputs(/*{*/ "\t}\n", stdout);
+	}
+}
+
+static struct ttnam *
+find_typename(int type) {
+	int i;
+
+	for (i = 0; i < TYPENAMES; i++) {
+		if (typenames[i].typebuf[0] != 0 && typenames[i].type == type) {
+			return (&typenames[i]);
+		}
+	}
+	return (NULL);
+}
+
+static void
+insert_into_typenames(int type, const char *typebuf, const char *attr) {
+	struct ttnam *ttn = NULL;
+	size_t c;
+	int i, n;
+	char tmp[256];
+
+	INSIST(strlen(typebuf) < TYPECLASSBUF);
+	for (i = 0; i < TYPENAMES; i++) {
+		if (typenames[i].typebuf[0] != 0 && typenames[i].type == type &&
+		    strcmp(typebuf, typenames[i].typebuf) != 0)
+		{
+			fprintf(stderr,
+				"Error:  type %d has two names: %s, %s\n", type,
+				typenames[i].typebuf, typebuf);
+			exit(1);
+		}
+		if (typenames[i].typebuf[0] == 0 && ttn == NULL) {
+			ttn = &typenames[i];
+		}
+	}
+	if (ttn == NULL) {
+		fprintf(stderr, "Error: typenames array too small\n");
+		exit(1);
+	}
+
+	/* XXXMUKS: This is redundant due to the INSIST above. */
+	if (strlen(typebuf) > sizeof(ttn->typebuf) - 1) {
+		fprintf(stderr, "Error:  type name %s is too long\n", typebuf);
+		exit(1);
+	}
+
+	strncpy(ttn->typebuf, typebuf, sizeof(ttn->typebuf));
+	ttn->typebuf[sizeof(ttn->typebuf) - 1] = '\0';
+
+	strncpy(ttn->macroname, ttn->typebuf, sizeof(ttn->macroname));
+	ttn->macroname[sizeof(ttn->macroname) - 1] = '\0';
+
+	ttn->type = type;
+	c = strlen(ttn->macroname);
+	while (c > 0) {
+		if (ttn->macroname[c - 1] == '-') {
+			ttn->macroname[c - 1] = '_';
+		}
+		c--;
+	}
+
+	if (attr == NULL) {
+		n = snprintf(tmp, sizeof(tmp), "RRTYPE_%s_ATTRIBUTES",
+			     upper(ttn->macroname));
+		INSIST(n > 0 && (unsigned)n < sizeof(tmp));
+		attr = tmp;
+	}
+
+	if (ttn->attr[0] != 0 && strcmp(attr, ttn->attr) != 0) {
+		fprintf(stderr,
+			"Error:  type %d has different attributes: "
+			"%s, %s\n",
+			type, ttn->attr, attr);
+		exit(1);
+	}
+
+	if (strlen(attr) > sizeof(ttn->attr) - 1) {
+		fprintf(stderr, "Error:  attr (%s) [name %s] is too long\n",
+			attr, typebuf);
+		exit(1);
+	}
+
+	strncpy(ttn->attr, attr, sizeof(ttn->attr));
+	ttn->attr[sizeof(ttn->attr) - 1] = '\0';
+
+	ttn->sorted = 0;
+	if (maxtype < type) {
+		maxtype = type;
+	}
+}
+
+static void
+add(int rdclass, const char *classbuf, int type, const char *typebuf,
+    const char *dirbuf) {
+	struct tt *newtt = (struct tt *)malloc(sizeof(*newtt));
+	struct tt *tt, *oldtt;
+	struct cc *newcc;
+	struct cc *cc, *oldcc;
+
+	INSIST(strlen(typebuf) < TYPECLASSBUF);
+	INSIST(strlen(classbuf) < TYPECLASSBUF);
+	INSIST(strlen(dirbuf) < PATH_MAX);
+
+	insert_into_typenames(type, typebuf, NULL);
+
+	if (newtt == NULL) {
+		fprintf(stderr, "malloc() failed\n");
+		exit(1);
+	}
+
+	newtt->next = NULL;
+	newtt->rdclass = rdclass;
+	newtt->type = type;
+
+	strncpy(newtt->classbuf, classbuf, sizeof(newtt->classbuf));
+	newtt->classbuf[sizeof(newtt->classbuf) - 1] = '\0';
+
+	strncpy(newtt->typebuf, typebuf, sizeof(newtt->typebuf));
+	newtt->typebuf[sizeof(newtt->typebuf) - 1] = '\0';
+
+	if (strncmp(dirbuf, "./", 2) == 0) {
+		dirbuf += 2;
+	}
+	strncpy(newtt->dirbuf, dirbuf, sizeof(newtt->dirbuf));
+	newtt->dirbuf[sizeof(newtt->dirbuf) - 1] = '\0';
+
+	tt = types;
+	oldtt = NULL;
+
+	while ((tt != NULL) && (tt->type < type)) {
+		oldtt = tt;
+		tt = tt->next;
+	}
+
+	while ((tt != NULL) && (tt->type == type) && (tt->rdclass < rdclass)) {
+		if (strcmp(tt->typebuf, typebuf) != 0) {
+			exit(1);
+		}
+		oldtt = tt;
+		tt = tt->next;
+	}
+
+	if ((tt != NULL) && (tt->type == type) && (tt->rdclass == rdclass)) {
+		exit(1);
+	}
+
+	newtt->next = tt;
+	if (oldtt != NULL) {
+		oldtt->next = newtt;
+	} else {
+		types = newtt;
+	}
+
+	/*
+	 * Do a class switch for this type.
+	 */
+	if (rdclass == 0) {
+		return;
+	}
+
+	newcc = (struct cc *)malloc(sizeof(*newcc));
+	if (newcc == NULL) {
+		fprintf(stderr, "malloc() failed\n");
+		exit(1);
+	}
+	newcc->rdclass = rdclass;
+	strncpy(newcc->classbuf, classbuf, sizeof(newcc->classbuf));
+	newcc->classbuf[sizeof(newcc->classbuf) - 1] = '\0';
+	cc = classes;
+	oldcc = NULL;
+
+	while ((cc != NULL) && (cc->rdclass < rdclass)) {
+		oldcc = cc;
+		cc = cc->next;
+	}
+
+	if ((cc != NULL) && cc->rdclass == rdclass) {
+		free((char *)newcc);
+		return;
+	}
+
+	newcc->next = cc;
+	if (oldcc != NULL) {
+		oldcc->next = newcc;
+	} else {
+		classes = newcc;
+	}
+}
+
+static void
+sd(int rdclass, const char *classbuf, const char *dirbuf, char filetype) {
+	char buf[TYPECLASSLEN + sizeof("_65535.h")];
+	char typebuf[TYPECLASSBUF];
+	int type, n;
+	isc_dir_t dir;
+
+	if (!start_directory(dirbuf, &dir)) {
+		return;
+	}
+
+	while (next_file(&dir)) {
+		if (sscanf(dir.filename, TYPECLASSFMT, typebuf, &type) != 2) {
+			continue;
+		}
+		if ((type > 65535) || (type < 0)) {
+			continue;
+		}
+
+		n = snprintf(buf, sizeof(buf), "%s_%d.%c", typebuf, type,
+			     filetype);
+		INSIST(n > 0 && (unsigned)n < sizeof(buf));
+		if (strcmp(buf, dir.filename) != 0) {
+			continue;
+		}
+		add(rdclass, classbuf, type, typebuf, dirbuf);
+	}
+
+	end_directory(&dir);
+}
+
+static unsigned int
+HASH(char *string) {
+	size_t n;
+	unsigned char a, b;
+
+	n = strlen(string);
+	if (n == 0) {
+		fprintf(stderr, "n == 0?\n");
+		exit(1);
+	}
+	a = tolower((unsigned char)string[0]);
+	b = tolower((unsigned char)string[n - 1]);
+
+	return (((a + n) * b) % 256);
+}
+
+int
+main(int argc, char **argv) {
+	char buf[PATH_MAX];
+	char srcdir[PATH_MAX];
+	int rdclass;
+	char classbuf[TYPECLASSBUF];
+	struct tt *tt;
+	struct cc *cc;
+	struct ttnam *ttn, *ttn2;
+	unsigned int hash;
+	time_t now;
+	char year[11];
+	int lasttype;
+	int code = 1;
+	int class_enum = 0;
+	int type_enum = 0;
+	int structs = 0;
+	int depend = 0;
+	int c, i, j, n;
+	char buf1[TYPECLASSBUF];
+	char filetype = 'c';
+	FILE *fd;
+	char *prefix = NULL;
+	char *suffix = NULL;
+	char *file = NULL;
+	char *source_date_epoch;
+	unsigned long long epoch;
+	char *endptr;
+	isc_dir_t dir;
+
+	for (i = 0; i < TYPENAMES; i++) {
+		memset(&typenames[i], 0, sizeof(typenames[i]));
+	}
+
+	srcdir[0] = '\0';
+	while ((c = isc_commandline_parse(argc, argv, "cdits:F:P:S:")) != -1) {
+		switch (c) {
+		case 'c':
+			code = 0;
+			depend = 0;
+			type_enum = 0;
+			class_enum = 1;
+			filetype = 'c';
+			structs = 0;
+			break;
+		case 'd':
+			code = 0;
+			depend = 1;
+			class_enum = 0;
+			type_enum = 0;
+			structs = 0;
+			filetype = 'h';
+			break;
+		case 't':
+			code = 0;
+			depend = 0;
+			class_enum = 0;
+			type_enum = 1;
+			filetype = 'c';
+			structs = 0;
+			break;
+		case 'i':
+			code = 0;
+			depend = 0;
+			class_enum = 0;
+			type_enum = 0;
+			structs = 1;
+			filetype = 'h';
+			break;
+		case 's':
+			if (strlen(isc_commandline_argument) >
+			    PATH_MAX - 2 * TYPECLASSLEN -
+				    sizeof("/rdata/_65535_65535"))
+			{
+				fprintf(stderr, "\"%s\" too long\n",
+					isc_commandline_argument);
+				exit(1);
+			}
+			n = snprintf(srcdir, sizeof(srcdir), "%s/",
+				     isc_commandline_argument);
+			INSIST(n > 0 && (unsigned)n < sizeof(srcdir));
+			break;
+		case 'F':
+			file = isc_commandline_argument;
+			break;
+		case 'P':
+			prefix = isc_commandline_argument;
+			break;
+		case 'S':
+			suffix = isc_commandline_argument;
+			break;
+		case '?':
+			exit(1);
+		}
+	}
+
+	n = snprintf(buf, sizeof(buf), "%srdata", srcdir);
+	INSIST(n > 0 && (unsigned)n < sizeof(srcdir));
+
+	if (!start_directory(buf, &dir)) {
+		exit(1);
+	}
+
+	while (next_file(&dir)) {
+		if (sscanf(dir.filename, TYPECLASSFMT, classbuf, &rdclass) != 2)
+		{
+			continue;
+		}
+		if ((rdclass > 65535) || (rdclass < 0)) {
+			continue;
+		}
+
+		n = snprintf(buf, sizeof(buf), "%srdata/%s_%d", srcdir,
+			     classbuf, rdclass);
+		INSIST(n > 0 && (unsigned)n < sizeof(buf));
+		if (strcmp(buf + 6 + strlen(srcdir), dir.filename) != 0) {
+			continue;
+		}
+		sd(rdclass, classbuf, buf, filetype);
+	}
+	end_directory(&dir);
+	n = snprintf(buf, sizeof(buf), "%srdata/generic", srcdir);
+	INSIST(n > 0 && (unsigned)n < sizeof(srcdir));
+	sd(0, "", buf, filetype);
+
+	source_date_epoch = getenv("SOURCE_DATE_EPOCH");
+	if (source_date_epoch) {
+		errno = 0;
+		epoch = strtoull(source_date_epoch, &endptr, 10);
+		if ((errno == ERANGE && (epoch == ULLONG_MAX || epoch == 0)) ||
+		    (errno != 0 && epoch == 0))
+		{
+			fprintf(stderr,
+				"Environment variable "
+				"$SOURCE_DATE_EPOCH: strtoull: %s\n",
+				strerror(errno));
+			exit(EXIT_FAILURE);
+		}
+		if (endptr == source_date_epoch) {
+			fprintf(stderr,
+				"Environment variable "
+				"$SOURCE_DATE_EPOCH: "
+				"No digits were found: %s\n",
+				endptr);
+			exit(EXIT_FAILURE);
+		}
+		if (*endptr != '\0') {
+			fprintf(stderr,
+				"Environment variable "
+				"$SOURCE_DATE_EPOCH: Trailing garbage: %s\n",
+				endptr);
+			exit(EXIT_FAILURE);
+		}
+		if (epoch > ULONG_MAX) {
+			fprintf(stderr,
+				"Environment variable "
+				"$SOURCE_DATE_EPOCH: value must be "
+				"smaller than or equal to: %lu but "
+				"was found to be: %llu \n",
+				ULONG_MAX, epoch);
+			exit(EXIT_FAILURE);
+		}
+		now = epoch;
+	} else {
+		time(&now);
+	}
+
+	if (now != -1) {
+		struct tm t, *tm = gmtime_r(&now, &t);
+
+		if (tm != NULL && tm->tm_year > 104) {
+			n = snprintf(year, sizeof(year), "-%d",
+				     tm->tm_year + 1900);
+			INSIST(n > 0 && (unsigned)n < sizeof(year));
+		} else {
+			snprintf(year, sizeof(year), "-2016");
+		}
+	} else {
+		snprintf(year, sizeof(year), "-2016");
+	}
+
+	if (!depend) {
+		fprintf(stdout, copyright, year);
+	}
+
+	if (code) {
+		fputs("#ifndef DNS_CODE_H\n", stdout);
+		fputs("#define DNS_CODE_H 1\n\n", stdout);
+
+		fputs("#include <stdbool.h>\n", stdout);
+		fputs("#include <isc/result.h>\n\n", stdout);
+		fputs("#include <dns/name.h>\n\n", stdout);
+
+		for (tt = types; tt != NULL; tt = tt->next) {
+			fprintf(stdout, "#include \"%s/%s_%d.c\"\n", tt->dirbuf,
+				tt->typebuf, tt->type);
+		}
+
+		fputs("\n\n", stdout);
+
+		doswitch("FROMTEXTSWITCH", "fromtext", FROMTEXTARGS,
+			 FROMTEXTTYPE, FROMTEXTCLASS, FROMTEXTDEF);
+		doswitch("TOTEXTSWITCH", "totext", TOTEXTARGS, TOTEXTTYPE,
+			 TOTEXTCLASS, TOTEXTDEF);
+		doswitch("FROMWIRESWITCH", "fromwire", FROMWIREARGS,
+			 FROMWIRETYPE, FROMWIRECLASS, FROMWIREDEF);
+		doswitch("TOWIRESWITCH", "towire", TOWIREARGS, TOWIRETYPE,
+			 TOWIRECLASS, TOWIREDEF);
+		doswitch("COMPARESWITCH", "compare", COMPAREARGS, COMPARETYPE,
+			 COMPARECLASS, COMPAREDEF);
+		doswitch("CASECOMPARESWITCH", "casecompare", COMPAREARGS,
+			 COMPARETYPE, COMPARECLASS, COMPAREDEF);
+		doswitch("FROMSTRUCTSWITCH", "fromstruct", FROMSTRUCTARGS,
+			 FROMSTRUCTTYPE, FROMSTRUCTCLASS, FROMSTRUCTDEF);
+		doswitch("TOSTRUCTSWITCH", "tostruct", TOSTRUCTARGS,
+			 TOSTRUCTTYPE, TOSTRUCTCLASS, TOSTRUCTDEF);
+		doswitch("FREESTRUCTSWITCH", "freestruct", FREESTRUCTARGS,
+			 FREESTRUCTTYPE, FREESTRUCTCLASS, FREESTRUCTDEF);
+		doswitch("ADDITIONALDATASWITCH", "additionaldata",
+			 ADDITIONALDATAARGS, ADDITIONALDATATYPE,
+			 ADDITIONALDATACLASS, ADDITIONALDATADEF);
+		doswitch("DIGESTSWITCH", "digest", DIGESTARGS, DIGESTTYPE,
+			 DIGESTCLASS, DIGESTDEF);
+		doswitch("CHECKOWNERSWITCH", "checkowner", CHECKOWNERARGS,
+			 CHECKOWNERTYPE, CHECKOWNERCLASS, CHECKOWNERDEF);
+		doswitch("CHECKNAMESSWITCH", "checknames", CHECKNAMESARGS,
+			 CHECKNAMESTYPE, CHECKNAMESCLASS, CHECKNAMESDEF);
+
+		/*
+		 * From here down, we are processing the rdata names and
+		 * attributes.
+		 */
+
+#define PRINT_COMMA(x) (x == maxtype ? "" : ",")
+
+#define METANOTQUESTION             \
+	"DNS_RDATATYPEATTR_META | " \
+	"DNS_RDATATYPEATTR_NOTQUESTION"
+#define METAQUESTIONONLY            \
+	"DNS_RDATATYPEATTR_META | " \
+	"DNS_RDATATYPEATTR_QUESTIONONLY"
+#define RESERVEDNAME "0"
+#define RESERVED     "DNS_RDATATYPEATTR_RESERVED"
+
+		/*
+		 * Add in reserved/special types.  This will let us
+		 * sort them without special cases.
+		 */
+		insert_into_typenames(100, "uinfo", RESERVEDNAME);
+		insert_into_typenames(101, "uid", RESERVEDNAME);
+		insert_into_typenames(102, "gid", RESERVEDNAME);
+		insert_into_typenames(103, "unspec", RESERVEDNAME);
+		insert_into_typenames(251, "ixfr", METAQUESTIONONLY);
+		insert_into_typenames(252, "axfr", METAQUESTIONONLY);
+		insert_into_typenames(253, "mailb", METAQUESTIONONLY);
+		insert_into_typenames(254, "maila", METAQUESTIONONLY);
+		insert_into_typenames(255, "any", METAQUESTIONONLY);
+
+		/*
+		 * Spit out a quick and dirty hash function.  Here,
+		 * we walk through the list of type names, and calculate
+		 * a hash.  This isn't perfect, but it will generate "pretty
+		 * good" estimates.  Lowercase the characters before
+		 * computing in all cases.
+		 *
+		 * Here, walk the list from top to bottom, calculating
+		 * the hash (mod 256) for each name.
+		 */
+		fprintf(stdout, "#define RDATATYPE_COMPARE(_s, _d, _tn, _n, "
+				"_tp) \\\n");
+		fprintf(stdout, "\tdo { \\\n");
+		fprintf(stdout, "\t\tif (sizeof(_s) - 1 == _n && \\\n"
+				"\t\t    strncasecmp(_s,(_tn),"
+				"(sizeof(_s) - 1)) == 0) { \\\n");
+		fprintf(stdout, "\t\t\tif ((dns_rdatatype_attributes(_d) & "
+				"DNS_RDATATYPEATTR_RESERVED) != 0) \\\n");
+		fprintf(stdout, "\t\t\t\treturn (ISC_R_NOTIMPLEMENTED); \\\n");
+		fprintf(stdout, "\t\t\t*(_tp) = _d; \\\n");
+		fprintf(stdout, "\t\t\treturn (ISC_R_SUCCESS); \\\n");
+		fprintf(stdout, "\t\t} \\\n");
+		fprintf(stdout, "\t} while (0)\n\n");
+
+		fprintf(stdout, "#define RDATATYPE_FROMTEXT_SW(_hash,"
+				"_typename,_length,_typep) \\\n");
+		fprintf(stdout, "\tswitch (_hash) { \\\n");
+		for (i = 0; i <= maxtype; i++) {
+			ttn = find_typename(i);
+			if (ttn == NULL) {
+				continue;
+			}
+
+			/*
+			 * Skip entries we already processed.
+			 */
+			if (ttn->sorted != 0) {
+				continue;
+			}
+
+			hash = HASH(ttn->typebuf);
+			fprintf(stdout, "\t\tcase %u: \\\n", hash);
+
+			/*
+			 * Find all other entries that happen to match
+			 * this hash.
+			 */
+			for (j = 0; j <= maxtype; j++) {
+				ttn2 = find_typename(j);
+				if (ttn2 == NULL) {
+					continue;
+				}
+				if (hash == HASH(ttn2->typebuf)) {
+					fprintf(stdout,
+						"\t\t\t"
+						"RDATATYPE_COMPARE"
+						"(\"%s\", %d, _typename, "
+						" _length, _typep); \\\n",
+						ttn2->typebuf, ttn2->type);
+					ttn2->sorted = 1;
+				}
+			}
+			fprintf(stdout, "\t\t\tbreak; \\\n");
+		}
+		fprintf(stdout, "\t}\n");
+
+		fprintf(stdout, "#define RDATATYPE_ATTRIBUTE_SW \\\n");
+		fprintf(stdout, "\tswitch (type) { \\\n");
+		for (i = 0; i <= maxtype; i++) {
+			ttn = find_typename(i);
+			if (ttn == NULL) {
+				continue;
+			}
+			fprintf(stdout, "\tcase %d: return (%s); \\\n", i,
+				upper(ttn->attr));
+		}
+		fprintf(stdout, "\t}\n");
+
+		fprintf(stdout, "#define RDATATYPE_TOTEXT_SW \\\n");
+		fprintf(stdout, "\tswitch (type) { \\\n");
+		for (i = 0; i <= maxtype; i++) {
+			ttn = find_typename(i);
+			if (ttn == NULL) {
+				continue;
+			}
+			/*
+			 * Remove KEYDATA (65533) from the type to memonic
+			 * translation as it is internal use only.  This
+			 * stops the tools from displaying KEYDATA instead
+			 * of TYPE65533.
+			 */
+			if (i == 65533U) {
+				continue;
+			}
+			fprintf(stdout,
+				"\tcase %d: return "
+				"(str_totext(\"%s\", target)); \\\n",
+				i, upper(ttn->typebuf));
+		}
+		fprintf(stdout, "\t}\n");
+
+		fputs("#endif /* DNS_CODE_H */\n", stdout);
+	} else if (type_enum) {
+		char *s;
+
+		fprintf(stdout, "#ifndef DNS_ENUMTYPE_H\n");
+		fprintf(stdout, "#define DNS_ENUMTYPE_H 1\n\n");
+
+		fprintf(stdout, "enum {\n");
+		fprintf(stdout, "\tdns_rdatatype_none = 0,\n");
+
+		lasttype = 0;
+		for (tt = types; tt != NULL; tt = tt->next) {
+			if (tt->type != lasttype) {
+				fprintf(stdout, "\tdns_rdatatype_%s = %d,\n",
+					funname(tt->typebuf, buf1),
+					lasttype = tt->type);
+			}
+		}
+
+		fprintf(stdout, "\tdns_rdatatype_ixfr = 251,\n");
+		fprintf(stdout, "\tdns_rdatatype_axfr = 252,\n");
+		fprintf(stdout, "\tdns_rdatatype_mailb = 253,\n");
+		fprintf(stdout, "\tdns_rdatatype_maila = 254,\n");
+		fprintf(stdout, "\tdns_rdatatype_any = 255\n");
+
+		fprintf(stdout, "};\n\n");
+
+		fprintf(stdout, "#define dns_rdatatype_none\t"
+				"((dns_rdatatype_t)dns_rdatatype_none)\n");
+
+		for (tt = types; tt != NULL; tt = tt->next) {
+			if (tt->type != lasttype) {
+				s = funname(tt->typebuf, buf1);
+				fprintf(stdout,
+					"#define dns_rdatatype_%s\t%s"
+					"((dns_rdatatype_t)dns_rdatatype_%s)"
+					"\n",
+					s, strlen(s) < 2U ? "\t" : "", s);
+				lasttype = tt->type;
+			}
+		}
+
+		fprintf(stdout, "#define dns_rdatatype_ixfr\t"
+				"((dns_rdatatype_t)dns_rdatatype_ixfr)\n");
+		fprintf(stdout, "#define dns_rdatatype_axfr\t"
+				"((dns_rdatatype_t)dns_rdatatype_axfr)\n");
+		fprintf(stdout, "#define dns_rdatatype_mailb\t"
+				"((dns_rdatatype_t)dns_rdatatype_mailb)\n");
+		fprintf(stdout, "#define dns_rdatatype_maila\t"
+				"((dns_rdatatype_t)dns_rdatatype_maila)\n");
+		fprintf(stdout, "#define dns_rdatatype_any\t"
+				"((dns_rdatatype_t)dns_rdatatype_any)\n");
+
+		fprintf(stdout, "\n#endif /* DNS_ENUMTYPE_H */\n");
+	} else if (class_enum) {
+		char *s;
+		int classnum;
+
+		fprintf(stdout, "#ifndef DNS_ENUMCLASS_H\n");
+		fprintf(stdout, "#define DNS_ENUMCLASS_H 1\n\n");
+
+		fprintf(stdout, "enum {\n");
+
+		fprintf(stdout, "\tdns_rdataclass_reserved0 = 0,\n");
+		fprintf(stdout, "#define dns_rdataclass_reserved0 \\\n\t\t\t\t"
+				"((dns_rdataclass_t)dns_rdataclass_reserved0)"
+				"\n");
+
+#define PRINTCLASS(name, num)                                                \
+	do {                                                                 \
+		s = funname(name, buf1);                                     \
+		classnum = num;                                              \
+		fprintf(stdout, "\tdns_rdataclass_%s = %d%s\n", s, classnum, \
+			classnum != 255 ? "," : "");                         \
+		fprintf(stdout,                                              \
+			"#define dns_rdataclass_%s\t"                        \
+			"((dns_rdataclass_t)dns_rdataclass_%s)\n",           \
+			s, s);                                               \
+	} while (0)
+
+		for (cc = classes; cc != NULL; cc = cc->next) {
+			if (cc->rdclass == 3) {
+				PRINTCLASS("chaos", 3);
+			} else if (cc->rdclass == 255) {
+				PRINTCLASS("none", 254);
+			}
+			PRINTCLASS(cc->classbuf, cc->rdclass);
+		}
+
+#undef PRINTCLASS
+
+		fprintf(stdout, "};\n\n");
+		fprintf(stdout, "#endif /* DNS_ENUMCLASS_H */\n");
+	} else if (structs) {
+		if (prefix != NULL) {
+			if ((fd = fopen(prefix, "r")) != NULL) {
+				while (fgets(buf, sizeof(buf), fd) != NULL) {
+					fputs(buf, stdout);
+				}
+				fclose(fd);
+			}
+		}
+		for (tt = types; tt != NULL; tt = tt->next) {
+			snprintf(buf, sizeof(buf), "%s/%s_%d.h", tt->dirbuf,
+				 tt->typebuf, tt->type);
+			if ((fd = fopen(buf, "r")) != NULL) {
+				while (fgets(buf, sizeof(buf), fd) != NULL) {
+					fputs(buf, stdout);
+				}
+				fclose(fd);
+			}
+		}
+		if (suffix != NULL) {
+			if ((fd = fopen(suffix, "r")) != NULL) {
+				while (fgets(buf, sizeof(buf), fd) != NULL) {
+					fputs(buf, stdout);
+				}
+				fclose(fd);
+			}
+		}
+	} else if (depend) {
+		for (tt = types; tt != NULL; tt = tt->next) {
+			fprintf(stdout, "%s:\t%s/%s_%d.h\n", file, tt->dirbuf,
+				tt->typebuf, tt->type);
+		}
+	}
+
+	if (ferror(stdout) != 0) {
+		exit(1);
+	}
+
+	return (0);
+}
diff --git a/lib/dns/geoip2.c b/lib/dns/geoip2.c
new file mode 100644
index 0000000..94a3ed8
--- /dev/null
+++ b/lib/dns/geoip2.c
@@ -0,0 +1,389 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+/*
+ * This file is only built and linked if GeoIP2 has been configured.
+ */
+#include <math.h>
+#include <maxminddb.h>
+
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/sockaddr.h>
+#include <isc/string.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+
+#include <dns/acl.h>
+#include <dns/geoip.h>
+#ifndef WIN32
+#include <netinet/in.h>
+#else /* ifndef WIN32 */
+#ifndef _WINSOCKAPI_
+#define _WINSOCKAPI_ /* Prevent inclusion of winsock.h in windows.h */
+#endif		     /* ifndef _WINSOCKAPI_ */
+#include <winsock2.h>
+#endif /* WIN32 */
+#include <dns/log.h>
+
+/*
+ * This structure preserves state from the previous GeoIP lookup,
+ * so that successive lookups for the same data from the same IP
+ * address will not require repeated database lookups.
+ * This should improve performance somewhat.
+ *
+ * For all lookups we preserve pointers to the MMDB_lookup_result_s
+ * and MMDB_entry_s structures, a pointer to the database from which
+ * the lookup was answered, and a copy of the request address.
+ *
+ * If the next geoip ACL lookup is for the same database and from the
+ * same address, we can reuse the MMDB entry without repeating the lookup.
+ * This is for the case when a single query has to process multiple
+ * geoip ACLs: for example, when there are multiple views with
+ * match-clients statements that search for different countries.
+ *
+ * (XXX: Currently the persistent state is stored in thread specific
+ * memory, but it could more simply be stored in the client object.
+ * Also multiple entries could be stored in case the ACLs require
+ * searching in more than one GeoIP database.)
+ */
+
+typedef struct geoip_state {
+	uint16_t subtype;
+	const MMDB_s *db;
+	isc_netaddr_t addr;
+	MMDB_lookup_result_s mmresult;
+	MMDB_entry_s entry;
+} geoip_state_t;
+
+ISC_THREAD_LOCAL geoip_state_t geoip_state = { 0 };
+
+static void
+set_state(const MMDB_s *db, const isc_netaddr_t *addr,
+	  MMDB_lookup_result_s mmresult, MMDB_entry_s entry) {
+	geoip_state.db = db;
+	geoip_state.addr = *addr;
+	geoip_state.mmresult = mmresult;
+	geoip_state.entry = entry;
+}
+
+static geoip_state_t *
+get_entry_for(MMDB_s *const db, const isc_netaddr_t *addr) {
+	isc_sockaddr_t sa;
+	MMDB_lookup_result_s match;
+	int err;
+
+	if (db == geoip_state.db && isc_netaddr_equal(addr, &geoip_state.addr))
+	{
+		return (&geoip_state);
+	}
+
+	isc_sockaddr_fromnetaddr(&sa, addr, 0);
+	match = MMDB_lookup_sockaddr(db, &sa.type.sa, &err);
+	if (err != MMDB_SUCCESS || !match.found_entry) {
+		return (NULL);
+	}
+
+	set_state(db, addr, match, match.entry);
+
+	return (&geoip_state);
+}
+
+static dns_geoip_subtype_t
+fix_subtype(const dns_geoip_databases_t *geoip, dns_geoip_subtype_t subtype) {
+	dns_geoip_subtype_t ret = subtype;
+
+	switch (subtype) {
+	case dns_geoip_countrycode:
+		if (geoip->city != NULL) {
+			ret = dns_geoip_city_countrycode;
+		} else if (geoip->country != NULL) {
+			ret = dns_geoip_country_code;
+		}
+		break;
+	case dns_geoip_countryname:
+		if (geoip->city != NULL) {
+			ret = dns_geoip_city_countryname;
+		} else if (geoip->country != NULL) {
+			ret = dns_geoip_country_name;
+		}
+		break;
+	case dns_geoip_continentcode:
+		if (geoip->city != NULL) {
+			ret = dns_geoip_city_continentcode;
+		} else if (geoip->country != NULL) {
+			ret = dns_geoip_country_continentcode;
+		}
+		break;
+	case dns_geoip_continent:
+		if (geoip->city != NULL) {
+			ret = dns_geoip_city_continent;
+		} else if (geoip->country != NULL) {
+			ret = dns_geoip_country_continent;
+		}
+		break;
+	case dns_geoip_region:
+		if (geoip->city != NULL) {
+			ret = dns_geoip_city_region;
+		}
+		break;
+	case dns_geoip_regionname:
+		if (geoip->city != NULL) {
+			ret = dns_geoip_city_regionname;
+		}
+	default:
+		break;
+	}
+
+	return (ret);
+}
+
+static MMDB_s *
+geoip2_database(const dns_geoip_databases_t *geoip,
+		dns_geoip_subtype_t subtype) {
+	switch (subtype) {
+	case dns_geoip_country_code:
+	case dns_geoip_country_name:
+	case dns_geoip_country_continentcode:
+	case dns_geoip_country_continent:
+		return (geoip->country);
+
+	case dns_geoip_city_countrycode:
+	case dns_geoip_city_countryname:
+	case dns_geoip_city_continentcode:
+	case dns_geoip_city_continent:
+	case dns_geoip_city_region:
+	case dns_geoip_city_regionname:
+	case dns_geoip_city_name:
+	case dns_geoip_city_postalcode:
+	case dns_geoip_city_timezonecode:
+	case dns_geoip_city_metrocode:
+	case dns_geoip_city_areacode:
+		return (geoip->city);
+
+	case dns_geoip_isp_name:
+		return (geoip->isp);
+
+	case dns_geoip_as_asnum:
+	case dns_geoip_org_name:
+		return (geoip->as);
+
+	case dns_geoip_domain_name:
+		return (geoip->domain);
+
+	default:
+		/*
+		 * All other subtypes are unavailable in GeoIP2.
+		 */
+		return (NULL);
+	}
+}
+
+static bool
+match_string(MMDB_entry_data_s *value, const char *str) {
+	REQUIRE(str != NULL);
+
+	if (value == NULL || !value->has_data ||
+	    value->type != MMDB_DATA_TYPE_UTF8_STRING ||
+	    value->utf8_string == NULL)
+	{
+		return (false);
+	}
+
+	return (strncasecmp(value->utf8_string, str, value->data_size) == 0);
+}
+
+static bool
+match_int(MMDB_entry_data_s *value, const uint32_t ui32) {
+	if (value == NULL || !value->has_data ||
+	    (value->type != MMDB_DATA_TYPE_UINT32 &&
+	     value->type != MMDB_DATA_TYPE_UINT16))
+	{
+		return (false);
+	}
+
+	return (value->uint32 == ui32);
+}
+
+bool
+dns_geoip_match(const isc_netaddr_t *reqaddr,
+		const dns_geoip_databases_t *geoip,
+		const dns_geoip_elem_t *elt) {
+	MMDB_s *db = NULL;
+	MMDB_entry_data_s value;
+	geoip_state_t *state = NULL;
+	dns_geoip_subtype_t subtype;
+	const char *s = NULL;
+	int ret;
+
+	REQUIRE(reqaddr != NULL);
+	REQUIRE(elt != NULL);
+	REQUIRE(geoip != NULL);
+
+	subtype = fix_subtype(geoip, elt->subtype);
+	db = geoip2_database(geoip, subtype);
+	if (db == NULL) {
+		return (false);
+	}
+
+	state = get_entry_for(db, reqaddr);
+	if (state == NULL) {
+		return (false);
+	}
+
+	switch (subtype) {
+	case dns_geoip_country_code:
+	case dns_geoip_city_countrycode:
+		ret = MMDB_get_value(&state->entry, &value, "country",
+				     "iso_code", (char *)0);
+		if (ret == MMDB_SUCCESS) {
+			return (match_string(&value, elt->as_string));
+		}
+		break;
+
+	case dns_geoip_country_name:
+	case dns_geoip_city_countryname:
+		ret = MMDB_get_value(&state->entry, &value, "country", "names",
+				     "en", (char *)0);
+		if (ret == MMDB_SUCCESS) {
+			return (match_string(&value, elt->as_string));
+		}
+		break;
+
+	case dns_geoip_country_continentcode:
+	case dns_geoip_city_continentcode:
+		ret = MMDB_get_value(&state->entry, &value, "continent", "code",
+				     (char *)0);
+		if (ret == MMDB_SUCCESS) {
+			return (match_string(&value, elt->as_string));
+		}
+		break;
+
+	case dns_geoip_country_continent:
+	case dns_geoip_city_continent:
+		ret = MMDB_get_value(&state->entry, &value, "continent",
+				     "names", "en", (char *)0);
+		if (ret == MMDB_SUCCESS) {
+			return (match_string(&value, elt->as_string));
+		}
+		break;
+
+	case dns_geoip_region:
+	case dns_geoip_city_region:
+		ret = MMDB_get_value(&state->entry, &value, "subdivisions", "0",
+				     "iso_code", (char *)0);
+		if (ret == MMDB_SUCCESS) {
+			return (match_string(&value, elt->as_string));
+		}
+		break;
+
+	case dns_geoip_regionname:
+	case dns_geoip_city_regionname:
+		ret = MMDB_get_value(&state->entry, &value, "subdivisions", "0",
+				     "names", "en", (char *)0);
+		if (ret == MMDB_SUCCESS) {
+			return (match_string(&value, elt->as_string));
+		}
+		break;
+
+	case dns_geoip_city_name:
+		ret = MMDB_get_value(&state->entry, &value, "city", "names",
+				     "en", (char *)0);
+		if (ret == MMDB_SUCCESS) {
+			return (match_string(&value, elt->as_string));
+		}
+		break;
+
+	case dns_geoip_city_postalcode:
+		ret = MMDB_get_value(&state->entry, &value, "postal", "code",
+				     (char *)0);
+		if (ret == MMDB_SUCCESS) {
+			return (match_string(&value, elt->as_string));
+		}
+		break;
+
+	case dns_geoip_city_timezonecode:
+		ret = MMDB_get_value(&state->entry, &value, "location",
+				     "time_zone", (char *)0);
+		if (ret == MMDB_SUCCESS) {
+			return (match_string(&value, elt->as_string));
+		}
+		break;
+
+	case dns_geoip_city_metrocode:
+		ret = MMDB_get_value(&state->entry, &value, "location",
+				     "metro_code", (char *)0);
+		if (ret == MMDB_SUCCESS) {
+			return (match_string(&value, elt->as_string));
+		}
+		break;
+
+	case dns_geoip_isp_name:
+		ret = MMDB_get_value(&state->entry, &value, "isp", (char *)0);
+		if (ret == MMDB_SUCCESS) {
+			return (match_string(&value, elt->as_string));
+		}
+		break;
+
+	case dns_geoip_as_asnum:
+		INSIST(elt->as_string != NULL);
+
+		ret = MMDB_get_value(&state->entry, &value,
+				     "autonomous_system_number", (char *)0);
+		if (ret == MMDB_SUCCESS) {
+			int i;
+			s = elt->as_string;
+			if (strncasecmp(s, "AS", 2) == 0) {
+				s += 2;
+			}
+			i = strtol(s, NULL, 10);
+			return (match_int(&value, i));
+		}
+		break;
+
+	case dns_geoip_org_name:
+		ret = MMDB_get_value(&state->entry, &value,
+				     "autonomous_system_organization",
+				     (char *)0);
+		if (ret == MMDB_SUCCESS) {
+			return (match_string(&value, elt->as_string));
+		}
+		break;
+
+	case dns_geoip_domain_name:
+		ret = MMDB_get_value(&state->entry, &value, "domain",
+				     (char *)0);
+		if (ret == MMDB_SUCCESS) {
+			return (match_string(&value, elt->as_string));
+		}
+		break;
+
+	default:
+		/*
+		 * For any other subtype, we assume the database was
+		 * unavailable and return false.
+		 */
+		return (false);
+	}
+
+	/*
+	 * No database matched: return false.
+	 */
+	return (false);
+}
diff --git a/lib/dns/gssapi_link.c b/lib/dns/gssapi_link.c
new file mode 100644
index 0000000..966cc2c
--- /dev/null
+++ b/lib/dns/gssapi_link.c
@@ -0,0 +1,358 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifdef GSSAPI
+
+#include <stdbool.h>
+
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dst/gssapi.h>
+#include <dst/result.h>
+
+#include "dst_internal.h"
+#include "dst_parse.h"
+
+#define INITIAL_BUFFER_SIZE 1024
+#define BUFFER_EXTRA	    1024
+
+#define REGION_TO_GBUFFER(r, gb)          \
+	do {                              \
+		(gb).length = (r).length; \
+		(gb).value = (r).base;    \
+	} while (0)
+
+#define GBUFFER_TO_REGION(gb, r)                        \
+	do {                                            \
+		(r).length = (unsigned int)(gb).length; \
+		(r).base = (gb).value;                  \
+	} while (0)
+
+struct dst_gssapi_signverifyctx {
+	isc_buffer_t *buffer;
+};
+
+/*%
+ * Allocate a temporary "context" for use in gathering data for signing
+ * or verifying.
+ */
+static isc_result_t
+gssapi_create_signverify_ctx(dst_key_t *key, dst_context_t *dctx) {
+	dst_gssapi_signverifyctx_t *ctx;
+
+	UNUSED(key);
+
+	ctx = isc_mem_get(dctx->mctx, sizeof(dst_gssapi_signverifyctx_t));
+	ctx->buffer = NULL;
+	isc_buffer_allocate(dctx->mctx, &ctx->buffer, INITIAL_BUFFER_SIZE);
+
+	dctx->ctxdata.gssctx = ctx;
+
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Destroy the temporary sign/verify context.
+ */
+static void
+gssapi_destroy_signverify_ctx(dst_context_t *dctx) {
+	dst_gssapi_signverifyctx_t *ctx = dctx->ctxdata.gssctx;
+
+	if (ctx != NULL) {
+		if (ctx->buffer != NULL) {
+			isc_buffer_free(&ctx->buffer);
+		}
+		isc_mem_put(dctx->mctx, ctx,
+			    sizeof(dst_gssapi_signverifyctx_t));
+		dctx->ctxdata.gssctx = NULL;
+	}
+}
+
+/*%
+ * Add data to our running buffer of data we will be signing or verifying.
+ * This code will see if the new data will fit in our existing buffer, and
+ * copy it in if it will.  If not, it will attempt to allocate a larger
+ * buffer and copy old+new into it, and free the old buffer.
+ */
+static isc_result_t
+gssapi_adddata(dst_context_t *dctx, const isc_region_t *data) {
+	dst_gssapi_signverifyctx_t *ctx = dctx->ctxdata.gssctx;
+	isc_buffer_t *newbuffer = NULL;
+	isc_region_t r;
+	unsigned int length;
+	isc_result_t result;
+
+	result = isc_buffer_copyregion(ctx->buffer, data);
+	if (result == ISC_R_SUCCESS) {
+		return (ISC_R_SUCCESS);
+	}
+
+	length = isc_buffer_length(ctx->buffer) + data->length + BUFFER_EXTRA;
+
+	isc_buffer_allocate(dctx->mctx, &newbuffer, length);
+
+	isc_buffer_usedregion(ctx->buffer, &r);
+	(void)isc_buffer_copyregion(newbuffer, &r);
+	(void)isc_buffer_copyregion(newbuffer, data);
+
+	isc_buffer_free(&ctx->buffer);
+	ctx->buffer = newbuffer;
+
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Sign.
+ */
+static isc_result_t
+gssapi_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+	dst_gssapi_signverifyctx_t *ctx = dctx->ctxdata.gssctx;
+	isc_region_t message;
+	gss_buffer_desc gmessage, gsig;
+	OM_uint32 minor, gret;
+	gss_ctx_id_t gssctx = dctx->key->keydata.gssctx;
+	char buf[1024];
+
+	/*
+	 * Convert the data we wish to sign into a structure gssapi can
+	 * understand.
+	 */
+	isc_buffer_usedregion(ctx->buffer, &message);
+	REGION_TO_GBUFFER(message, gmessage);
+
+	/*
+	 * Generate the signature.
+	 */
+	gret = gss_get_mic(&minor, gssctx, GSS_C_QOP_DEFAULT, &gmessage, &gsig);
+
+	/*
+	 * If it did not complete, we log the result and return a generic
+	 * failure code.
+	 */
+	if (gret != GSS_S_COMPLETE) {
+		gss_log(3, "GSS sign error: %s",
+			gss_error_tostring(gret, minor, buf, sizeof(buf)));
+		return (ISC_R_FAILURE);
+	}
+
+	/*
+	 * If it will not fit in our allocated buffer, return that we need
+	 * more space.
+	 */
+	if (gsig.length > isc_buffer_availablelength(sig)) {
+		gss_release_buffer(&minor, &gsig);
+		return (ISC_R_NOSPACE);
+	}
+
+	/*
+	 * Copy the output into our buffer space, and release the gssapi
+	 * allocated space.
+	 */
+	isc_buffer_putmem(sig, gsig.value, (unsigned int)gsig.length);
+	if (gsig.length != 0U) {
+		gss_release_buffer(&minor, &gsig);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Verify.
+ */
+static isc_result_t
+gssapi_verify(dst_context_t *dctx, const isc_region_t *sig) {
+	dst_gssapi_signverifyctx_t *ctx = dctx->ctxdata.gssctx;
+	isc_region_t message;
+	gss_buffer_desc gmessage, gsig;
+	OM_uint32 minor, gret;
+	gss_ctx_id_t gssctx = dctx->key->keydata.gssctx;
+	char err[1024];
+
+	/*
+	 * Convert the data we wish to sign into a structure gssapi can
+	 * understand.
+	 */
+	isc_buffer_usedregion(ctx->buffer, &message);
+	REGION_TO_GBUFFER(message, gmessage);
+	REGION_TO_GBUFFER(*sig, gsig);
+
+	/*
+	 * Verify the data.
+	 */
+	gret = gss_verify_mic(&minor, gssctx, &gmessage, &gsig, NULL);
+
+	/*
+	 * Convert return codes into something useful to us.
+	 */
+	if (gret != GSS_S_COMPLETE) {
+		gss_log(3, "GSS verify error: %s",
+			gss_error_tostring(gret, minor, err, sizeof(err)));
+		if (gret == GSS_S_DEFECTIVE_TOKEN || gret == GSS_S_BAD_SIG ||
+		    gret == GSS_S_DUPLICATE_TOKEN || gret == GSS_S_OLD_TOKEN ||
+		    gret == GSS_S_UNSEQ_TOKEN || gret == GSS_S_GAP_TOKEN ||
+		    gret == GSS_S_CONTEXT_EXPIRED || gret == GSS_S_NO_CONTEXT ||
+		    gret == GSS_S_FAILURE)
+		{
+			return (DST_R_VERIFYFAILURE);
+		} else {
+			return (ISC_R_FAILURE);
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static bool
+gssapi_compare(const dst_key_t *key1, const dst_key_t *key2) {
+	gss_ctx_id_t gsskey1 = key1->keydata.gssctx;
+	gss_ctx_id_t gsskey2 = key2->keydata.gssctx;
+
+	/* No idea */
+	return (gsskey1 == gsskey2);
+}
+
+static isc_result_t
+gssapi_generate(dst_key_t *key, int unused, void (*callback)(int)) {
+	UNUSED(key);
+	UNUSED(unused);
+	UNUSED(callback);
+
+	/* No idea */
+	return (ISC_R_FAILURE);
+}
+
+static bool
+gssapi_isprivate(const dst_key_t *key) {
+	UNUSED(key);
+	return (true);
+}
+
+static void
+gssapi_destroy(dst_key_t *key) {
+	REQUIRE(key != NULL);
+	dst_gssapi_deletectx(key->mctx, &key->keydata.gssctx);
+	key->keydata.gssctx = NULL;
+}
+
+static isc_result_t
+gssapi_restore(dst_key_t *key, const char *keystr) {
+	OM_uint32 major, minor;
+	unsigned int len;
+	isc_buffer_t *b = NULL;
+	isc_region_t r;
+	gss_buffer_desc gssbuffer;
+	isc_result_t result;
+
+	len = strlen(keystr);
+	if ((len % 4) != 0U) {
+		return (ISC_R_BADBASE64);
+	}
+
+	len = (len / 4) * 3;
+
+	isc_buffer_allocate(key->mctx, &b, len);
+
+	result = isc_base64_decodestring(keystr, b);
+	if (result != ISC_R_SUCCESS) {
+		isc_buffer_free(&b);
+		return (result);
+	}
+
+	isc_buffer_remainingregion(b, &r);
+	REGION_TO_GBUFFER(r, gssbuffer);
+	major = gss_import_sec_context(&minor, &gssbuffer,
+				       (gss_ctx_id_t *)&key->keydata.gssctx);
+	if (major != GSS_S_COMPLETE) {
+		isc_buffer_free(&b);
+		return (ISC_R_FAILURE);
+	}
+
+	isc_buffer_free(&b);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+gssapi_dump(dst_key_t *key, isc_mem_t *mctx, char **buffer, int *length) {
+	OM_uint32 major, minor;
+	gss_buffer_desc gssbuffer;
+	size_t len;
+	char *buf;
+	isc_buffer_t b;
+	isc_region_t r;
+	isc_result_t result;
+
+	major = gss_export_sec_context(
+		&minor, (gss_ctx_id_t *)&key->keydata.gssctx, &gssbuffer);
+	if (major != GSS_S_COMPLETE) {
+		fprintf(stderr, "gss_export_sec_context -> %u, %u\n", major,
+			minor);
+		return (ISC_R_FAILURE);
+	}
+	if (gssbuffer.length == 0U) {
+		return (ISC_R_FAILURE);
+	}
+	len = ((gssbuffer.length + 2) / 3) * 4;
+	buf = isc_mem_get(mctx, len);
+	isc_buffer_init(&b, buf, (unsigned int)len);
+	GBUFFER_TO_REGION(gssbuffer, r);
+	result = isc_base64_totext(&r, 0, "", &b);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	gss_release_buffer(&minor, &gssbuffer);
+	*buffer = buf;
+	*length = (int)len;
+	return (ISC_R_SUCCESS);
+}
+
+static dst_func_t gssapi_functions = {
+	gssapi_create_signverify_ctx,
+	NULL, /*%< createctx2 */
+	gssapi_destroy_signverify_ctx,
+	gssapi_adddata,
+	gssapi_sign,
+	gssapi_verify,
+	NULL, /*%< verify2 */
+	NULL, /*%< computesecret */
+	gssapi_compare,
+	NULL, /*%< paramcompare */
+	gssapi_generate,
+	gssapi_isprivate,
+	gssapi_destroy,
+	NULL, /*%< todns */
+	NULL, /*%< fromdns */
+	NULL, /*%< tofile */
+	NULL, /*%< parse */
+	NULL, /*%< cleanup */
+	NULL, /*%< fromlabel */
+	gssapi_dump,
+	gssapi_restore,
+};
+
+isc_result_t
+dst__gssapi_init(dst_func_t **funcp) {
+	REQUIRE(funcp != NULL);
+	if (*funcp == NULL) {
+		*funcp = &gssapi_functions;
+	}
+	return (ISC_R_SUCCESS);
+}
+
+#else  /* ifdef GSSAPI */
+int gssapi_link_unneeded = 1;
+#endif /* ifdef GSSAPI */
+
+/*! \file */
diff --git a/lib/dns/gssapictx.c b/lib/dns/gssapictx.c
new file mode 100644
index 0000000..f2a64e8
--- /dev/null
+++ b/lib/dns/gssapictx.c
@@ -0,0 +1,957 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <ctype.h>
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/buffer.h>
+#include <isc/dir.h>
+#include <isc/file.h>
+#include <isc/lex.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/random.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#include <dns/fixedname.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/result.h>
+#include <dns/types.h>
+
+#include <dst/gssapi.h>
+#include <dst/result.h>
+
+#include "dst_internal.h"
+
+/*
+ * Solaris8 apparently needs an explicit OID set, and Solaris10 needs
+ * one for anything but Kerberos.  Supplying an explicit OID set
+ * doesn't appear to hurt anything in other implementations, so we
+ * always use one.  If we're not using our own SPNEGO implementation,
+ * we include SPNEGO's OID.
+ */
+#ifdef GSSAPI
+#ifdef WIN32
+#include <krb5/krb5.h>
+#else /* ifdef WIN32 */
+#include ISC_PLATFORM_KRB5HEADER
+#endif /* ifdef WIN32 */
+
+#ifndef GSS_KRB5_MECHANISM
+static unsigned char krb5_mech_oid_bytes[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7,
+					       0x12, 0x01, 0x02, 0x02 };
+static gss_OID_desc __gss_krb5_mechanism_oid_desc = {
+	sizeof(krb5_mech_oid_bytes), krb5_mech_oid_bytes
+};
+#define GSS_KRB5_MECHANISM (&__gss_krb5_mechanism_oid_desc)
+#endif /* ifndef GSS_KRB5_MECHANISM */
+
+#ifndef GSS_SPNEGO_MECHANISM
+static unsigned char spnego_mech_oid_bytes[] = { 0x2b, 0x06, 0x01,
+						 0x05, 0x05, 0x02 };
+static gss_OID_desc __gss_spnego_mechanism_oid_desc = {
+	sizeof(spnego_mech_oid_bytes), spnego_mech_oid_bytes
+};
+#define GSS_SPNEGO_MECHANISM (&__gss_spnego_mechanism_oid_desc)
+#endif /* ifndef GSS_SPNEGO_MECHANISM */
+
+#define REGION_TO_GBUFFER(r, gb)          \
+	do {                              \
+		(gb).length = (r).length; \
+		(gb).value = (r).base;    \
+	} while (0)
+
+#define GBUFFER_TO_REGION(gb, r)                        \
+	do {                                            \
+		(r).length = (unsigned int)(gb).length; \
+		(r).base = (gb).value;                  \
+	} while (0)
+
+#define RETERR(x)                            \
+	do {                                 \
+		result = (x);                \
+		if (result != ISC_R_SUCCESS) \
+			goto out;            \
+	} while (0)
+
+static void
+name_to_gbuffer(const dns_name_t *name, isc_buffer_t *buffer,
+		gss_buffer_desc *gbuffer) {
+	dns_name_t tname;
+	const dns_name_t *namep;
+	isc_region_t r;
+	isc_result_t result;
+
+	if (!dns_name_isabsolute(name)) {
+		namep = name;
+	} else {
+		unsigned int labels;
+		dns_name_init(&tname, NULL);
+		labels = dns_name_countlabels(name);
+		dns_name_getlabelsequence(name, 0, labels - 1, &tname);
+		namep = &tname;
+	}
+
+	result = dns_name_toprincipal(namep, buffer);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	isc_buffer_putuint8(buffer, 0);
+	isc_buffer_usedregion(buffer, &r);
+	REGION_TO_GBUFFER(r, *gbuffer);
+}
+
+static void
+log_cred(const dns_gss_cred_id_t cred) {
+	OM_uint32 gret, minor, lifetime;
+	gss_name_t gname;
+	gss_buffer_desc gbuffer;
+	gss_cred_usage_t usage;
+	const char *usage_text;
+	char buf[1024];
+
+	gret = gss_inquire_cred(&minor, (gss_cred_id_t)cred, &gname, &lifetime,
+				&usage, NULL);
+	if (gret != GSS_S_COMPLETE) {
+		gss_log(3, "failed gss_inquire_cred: %s",
+			gss_error_tostring(gret, minor, buf, sizeof(buf)));
+		return;
+	}
+
+	gret = gss_display_name(&minor, gname, &gbuffer, NULL);
+	if (gret != GSS_S_COMPLETE) {
+		gss_log(3, "failed gss_display_name: %s",
+			gss_error_tostring(gret, minor, buf, sizeof(buf)));
+	} else {
+		switch (usage) {
+		case GSS_C_BOTH:
+			usage_text = "GSS_C_BOTH";
+			break;
+		case GSS_C_INITIATE:
+			usage_text = "GSS_C_INITIATE";
+			break;
+		case GSS_C_ACCEPT:
+			usage_text = "GSS_C_ACCEPT";
+			break;
+		default:
+			usage_text = "???";
+		}
+		gss_log(3, "gss cred: \"%s\", %s, %lu", (char *)gbuffer.value,
+			usage_text, (unsigned long)lifetime);
+	}
+
+	if (gret == GSS_S_COMPLETE) {
+		if (gbuffer.length != 0U) {
+			gret = gss_release_buffer(&minor, &gbuffer);
+			if (gret != GSS_S_COMPLETE) {
+				gss_log(3, "failed gss_release_buffer: %s",
+					gss_error_tostring(gret, minor, buf,
+							   sizeof(buf)));
+			}
+		}
+	}
+
+	gret = gss_release_name(&minor, &gname);
+	if (gret != GSS_S_COMPLETE) {
+		gss_log(3, "failed gss_release_name: %s",
+			gss_error_tostring(gret, minor, buf, sizeof(buf)));
+	}
+}
+
+/*
+ * check for the most common configuration errors.
+ *
+ * The errors checked for are:
+ *   - tkey-gssapi-credential doesn't start with DNS/
+ *   - the default realm in /etc/krb5.conf and the
+ *     tkey-gssapi-credential bind config option don't match
+ *
+ * Note that if tkey-gssapi-keytab is set then these configure checks
+ * are not performed, and runtime errors from gssapi are used instead
+ */
+static void
+check_config(const char *gss_name) {
+	const char *p;
+	krb5_context krb5_ctx;
+	char *krb5_realm_name = NULL;
+
+	if (strncasecmp(gss_name, "DNS/", 4) != 0) {
+		gss_log(ISC_LOG_ERROR,
+			"tkey-gssapi-credential (%s) "
+			"should start with 'DNS/'",
+			gss_name);
+		return;
+	}
+
+	if (krb5_init_context(&krb5_ctx) != 0) {
+		gss_log(ISC_LOG_ERROR, "Unable to initialise krb5 context");
+		return;
+	}
+	if (krb5_get_default_realm(krb5_ctx, &krb5_realm_name) != 0) {
+		gss_log(ISC_LOG_ERROR, "Unable to get krb5 default realm");
+		krb5_free_context(krb5_ctx);
+		return;
+	}
+	p = strchr(gss_name, '@');
+	if (p == NULL) {
+		gss_log(ISC_LOG_ERROR,
+			"badly formatted "
+			"tkey-gssapi-credentials (%s)",
+			gss_name);
+		krb5_free_context(krb5_ctx);
+		return;
+	}
+	if (strcasecmp(p + 1, krb5_realm_name) != 0) {
+		gss_log(ISC_LOG_ERROR,
+			"default realm from krb5.conf (%s) "
+			"does not match tkey-gssapi-credential (%s)",
+			krb5_realm_name, gss_name);
+		krb5_free_context(krb5_ctx);
+		return;
+	}
+	krb5_free_context(krb5_ctx);
+}
+
+static OM_uint32
+mech_oid_set_create(OM_uint32 *minor, gss_OID_set *mech_oid_set) {
+	OM_uint32 gret;
+
+	gret = gss_create_empty_oid_set(minor, mech_oid_set);
+	if (gret != GSS_S_COMPLETE) {
+		return (gret);
+	}
+
+	gret = gss_add_oid_set_member(minor, GSS_KRB5_MECHANISM, mech_oid_set);
+	if (gret != GSS_S_COMPLETE) {
+		goto release;
+	}
+
+	gret = gss_add_oid_set_member(minor, GSS_SPNEGO_MECHANISM,
+				      mech_oid_set);
+	if (gret != GSS_S_COMPLETE) {
+		goto release;
+	}
+
+release:
+	REQUIRE(gss_release_oid_set(minor, mech_oid_set) == GSS_S_COMPLETE);
+
+	return (gret);
+}
+
+static void
+mech_oid_set_release(gss_OID_set *mech_oid_set) {
+	OM_uint32 minor;
+
+	REQUIRE(gss_release_oid_set(&minor, mech_oid_set) == GSS_S_COMPLETE);
+}
+
+isc_result_t
+dst_gssapi_acquirecred(const dns_name_t *name, bool initiate,
+		       dns_gss_cred_id_t *cred) {
+	isc_result_t result;
+	isc_buffer_t namebuf;
+	gss_name_t gname;
+	gss_buffer_desc gnamebuf;
+	unsigned char array[DNS_NAME_MAXTEXT + 1];
+	OM_uint32 gret, minor;
+	OM_uint32 lifetime;
+	gss_cred_usage_t usage;
+	char buf[1024];
+	gss_OID_set mech_oid_set = NULL;
+
+	REQUIRE(cred != NULL && *cred == NULL);
+
+	/*
+	 * XXXSRA In theory we could use GSS_C_NT_HOSTBASED_SERVICE
+	 * here when we're in the acceptor role, which would let us
+	 * default the hostname and use a compiled in default service
+	 * name of "DNS", giving one less thing to configure in
+	 * named.conf.	Unfortunately, this creates a circular
+	 * dependency due to DNS-based realm lookup in at least one
+	 * GSSAPI implementation (Heimdal).  Oh well.
+	 */
+	if (name != NULL) {
+		isc_buffer_init(&namebuf, array, sizeof(array));
+		name_to_gbuffer(name, &namebuf, &gnamebuf);
+		gret = gss_import_name(&minor, &gnamebuf, GSS_C_NO_OID, &gname);
+		if (gret != GSS_S_COMPLETE) {
+			check_config((char *)array);
+
+			gss_log(3, "failed gss_import_name: %s",
+				gss_error_tostring(gret, minor, buf,
+						   sizeof(buf)));
+			return (ISC_R_FAILURE);
+		}
+	} else {
+		gname = NULL;
+	}
+
+	/* Get the credentials. */
+	if (gname != NULL) {
+		gss_log(3, "acquiring credentials for %s",
+			(char *)gnamebuf.value);
+	} else {
+		/* XXXDCL does this even make any sense? */
+		gss_log(3, "acquiring credentials for ?");
+	}
+
+	if (initiate) {
+		usage = GSS_C_INITIATE;
+	} else {
+		usage = GSS_C_ACCEPT;
+	}
+
+	gret = mech_oid_set_create(&minor, &mech_oid_set);
+	if (gret != GSS_S_COMPLETE) {
+		gss_log(3, "failed to create OID_set: %s",
+			gss_error_tostring(gret, minor, buf, sizeof(buf)));
+		return (ISC_R_FAILURE);
+	}
+
+	gret = gss_acquire_cred(&minor, gname, GSS_C_INDEFINITE, mech_oid_set,
+				usage, (gss_cred_id_t *)cred, NULL, &lifetime);
+
+	if (gret != GSS_S_COMPLETE) {
+		gss_log(3, "failed to acquire %s credentials for %s: %s",
+			initiate ? "initiate" : "accept",
+			(gname != NULL) ? (char *)gnamebuf.value : "?",
+			gss_error_tostring(gret, minor, buf, sizeof(buf)));
+		if (gname != NULL) {
+			check_config((char *)array);
+		}
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+
+	gss_log(4, "acquired %s credentials for %s",
+		initiate ? "initiate" : "accept",
+		(gname != NULL) ? (char *)gnamebuf.value : "?");
+
+	log_cred(*cred);
+	result = ISC_R_SUCCESS;
+
+cleanup:
+	mech_oid_set_release(&mech_oid_set);
+
+	if (gname != NULL) {
+		gret = gss_release_name(&minor, &gname);
+		if (gret != GSS_S_COMPLETE) {
+			gss_log(3, "failed gss_release_name: %s",
+				gss_error_tostring(gret, minor, buf,
+						   sizeof(buf)));
+		}
+	}
+
+	return (result);
+}
+
+bool
+dst_gssapi_identitymatchesrealmkrb5(const dns_name_t *signer,
+				    const dns_name_t *name,
+				    const dns_name_t *realm, bool subdomain) {
+	char sbuf[DNS_NAME_FORMATSIZE];
+	char rbuf[DNS_NAME_FORMATSIZE];
+	char *sname;
+	char *rname;
+	isc_buffer_t buffer;
+	isc_result_t result;
+
+	/*
+	 * It is far, far easier to write the names we are looking at into
+	 * a string, and do string operations on them.
+	 */
+	isc_buffer_init(&buffer, sbuf, sizeof(sbuf));
+	result = dns_name_toprincipal(signer, &buffer);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	isc_buffer_putuint8(&buffer, 0);
+	dns_name_format(realm, rbuf, sizeof(rbuf));
+
+	/*
+	 * Find the realm portion.  This is the part after the @.  If it
+	 * does not exist, we don't have something we like, so we fail our
+	 * compare.
+	 */
+	rname = strchr(sbuf, '@');
+	if (rname == NULL) {
+		return (false);
+	}
+	*rname = '\0';
+	rname++;
+
+	if (strcmp(rname, rbuf) != 0) {
+		return (false);
+	}
+
+	/*
+	 * Find the host portion of the signer's name.	We do this by
+	 * searching for the first / character.  We then check to make
+	 * certain the instance name is "host"
+	 *
+	 * This will work for
+	 *    host/example.com@EXAMPLE.COM
+	 */
+	sname = strchr(sbuf, '/');
+	if (sname == NULL) {
+		return (false);
+	}
+	*sname = '\0';
+	sname++;
+	if (strcmp(sbuf, "host") != 0) {
+		return (false);
+	}
+
+	/*
+	 * If name is non NULL check that it matches against the
+	 * machine name as expected.
+	 */
+	if (name != NULL) {
+		dns_fixedname_t fixed;
+		dns_name_t *machine;
+
+		machine = dns_fixedname_initname(&fixed);
+		result = dns_name_fromstring(machine, sname, 0, NULL);
+		if (result != ISC_R_SUCCESS) {
+			return (false);
+		}
+		if (subdomain) {
+			return (dns_name_issubdomain(name, machine));
+		}
+		return (dns_name_equal(name, machine));
+	}
+
+	return (true);
+}
+
+bool
+dst_gssapi_identitymatchesrealmms(const dns_name_t *signer,
+				  const dns_name_t *name,
+				  const dns_name_t *realm, bool subdomain) {
+	char sbuf[DNS_NAME_FORMATSIZE];
+	char rbuf[DNS_NAME_FORMATSIZE];
+	char *sname;
+	char *rname;
+	isc_buffer_t buffer;
+	isc_result_t result;
+
+	/*
+	 * It is far, far easier to write the names we are looking at into
+	 * a string, and do string operations on them.
+	 */
+	isc_buffer_init(&buffer, sbuf, sizeof(sbuf));
+	result = dns_name_toprincipal(signer, &buffer);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	isc_buffer_putuint8(&buffer, 0);
+	dns_name_format(realm, rbuf, sizeof(rbuf));
+
+	/*
+	 * Find the realm portion.  This is the part after the @.  If it
+	 * does not exist, we don't have something we like, so we fail our
+	 * compare.
+	 */
+	rname = strchr(sbuf, '@');
+	if (rname == NULL) {
+		return (false);
+	}
+	sname = strchr(sbuf, '$');
+	if (sname == NULL) {
+		return (false);
+	}
+
+	/*
+	 * Verify that the $ and @ follow one another.
+	 */
+	if (rname - sname != 1) {
+		return (false);
+	}
+
+	/*
+	 * Find the host portion of the signer's name.	Zero out the $ so
+	 * it terminates the signer's name, and skip past the @ for
+	 * the realm.
+	 *
+	 * All service principals in Microsoft format seem to be in
+	 *    machinename$@EXAMPLE.COM
+	 * format.
+	 */
+	rname++;
+	*sname = '\0';
+
+	if (strcmp(rname, rbuf) != 0) {
+		return (false);
+	}
+
+	/*
+	 * Now, we check that the realm matches (case sensitive) and that
+	 * 'name' matches against 'machinename' qualified with 'realm'.
+	 */
+	if (name != NULL) {
+		dns_fixedname_t fixed;
+		dns_name_t *machine;
+
+		machine = dns_fixedname_initname(&fixed);
+		result = dns_name_fromstring2(machine, sbuf, realm, 0, NULL);
+		if (result != ISC_R_SUCCESS) {
+			return (false);
+		}
+		if (subdomain) {
+			return (dns_name_issubdomain(name, machine));
+		}
+		return (dns_name_equal(name, machine));
+	}
+
+	return (true);
+}
+
+isc_result_t
+dst_gssapi_releasecred(dns_gss_cred_id_t *cred) {
+	OM_uint32 gret, minor;
+	char buf[1024];
+
+	REQUIRE(cred != NULL && *cred != NULL);
+
+	gret = gss_release_cred(&minor, (gss_cred_id_t *)cred);
+	if (gret != GSS_S_COMPLETE) {
+		/* Log the error, but still free the credential's memory */
+		gss_log(3, "failed releasing credential: %s",
+			gss_error_tostring(gret, minor, buf, sizeof(buf)));
+	}
+	*cred = NULL;
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Format a gssapi error message info into a char ** on the given memory
+ * context. This is used to return gssapi error messages back up the
+ * call chain for reporting to the user.
+ */
+static void
+gss_err_message(isc_mem_t *mctx, uint32_t major, uint32_t minor,
+		char **err_message) {
+	char buf[1024];
+	char *estr;
+
+	if (err_message == NULL || mctx == NULL) {
+		/* the caller doesn't want any error messages */
+		return;
+	}
+
+	estr = gss_error_tostring(major, minor, buf, sizeof(buf));
+	if (estr != NULL) {
+		(*err_message) = isc_mem_strdup(mctx, estr);
+	}
+}
+
+isc_result_t
+dst_gssapi_initctx(const dns_name_t *name, isc_buffer_t *intoken,
+		   isc_buffer_t *outtoken, dns_gss_ctx_id_t *gssctx,
+		   isc_mem_t *mctx, char **err_message) {
+	isc_region_t r;
+	isc_buffer_t namebuf;
+	gss_name_t gname;
+	OM_uint32 gret, minor, ret_flags, flags;
+	gss_buffer_desc gintoken, *gintokenp, gouttoken = GSS_C_EMPTY_BUFFER;
+	isc_result_t result;
+	gss_buffer_desc gnamebuf;
+	unsigned char array[DNS_NAME_MAXTEXT + 1];
+
+	/* Client must pass us a valid gss_ctx_id_t here */
+	REQUIRE(gssctx != NULL);
+	REQUIRE(mctx != NULL);
+
+	isc_buffer_init(&namebuf, array, sizeof(array));
+	name_to_gbuffer(name, &namebuf, &gnamebuf);
+
+	/* Get the name as a GSS name */
+	gret = gss_import_name(&minor, &gnamebuf, GSS_C_NO_OID, &gname);
+	if (gret != GSS_S_COMPLETE) {
+		gss_err_message(mctx, gret, minor, err_message);
+		result = ISC_R_FAILURE;
+		goto out;
+	}
+
+	if (intoken != NULL) {
+		/* Don't call gss_release_buffer for gintoken! */
+		REGION_TO_GBUFFER(*intoken, gintoken);
+		gintokenp = &gintoken;
+	} else {
+		gintokenp = NULL;
+	}
+
+	/*
+	 * Note that we don't set GSS_C_SEQUENCE_FLAG as Windows DNS
+	 * servers don't like it.
+	 */
+	flags = GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG;
+
+	gret = gss_init_sec_context(
+		&minor, GSS_C_NO_CREDENTIAL, (gss_ctx_id_t *)gssctx, gname,
+		GSS_SPNEGO_MECHANISM, flags, 0, NULL, gintokenp, NULL,
+		&gouttoken, &ret_flags, NULL);
+
+	if (gret != GSS_S_COMPLETE && gret != GSS_S_CONTINUE_NEEDED) {
+		gss_err_message(mctx, gret, minor, err_message);
+		if (err_message != NULL && *err_message != NULL) {
+			gss_log(3, "Failure initiating security context: %s",
+				*err_message);
+		} else {
+			gss_log(3, "Failure initiating security context");
+		}
+
+		result = ISC_R_FAILURE;
+		goto out;
+	}
+
+	/*
+	 * XXXSRA Not handled yet: RFC 3645 3.1.1: check ret_flags
+	 * MUTUAL and INTEG flags, fail if either not set.
+	 */
+
+	/*
+	 * RFC 2744 states the a valid output token has a non-zero length.
+	 */
+	if (gouttoken.length != 0U) {
+		GBUFFER_TO_REGION(gouttoken, r);
+		RETERR(isc_buffer_copyregion(outtoken, &r));
+	}
+
+	if (gret == GSS_S_COMPLETE) {
+		result = ISC_R_SUCCESS;
+	} else {
+		result = DNS_R_CONTINUE;
+	}
+
+out:
+	if (gouttoken.length != 0U) {
+		(void)gss_release_buffer(&minor, &gouttoken);
+	}
+	(void)gss_release_name(&minor, &gname);
+	return (result);
+}
+
+isc_result_t
+dst_gssapi_acceptctx(dns_gss_cred_id_t cred, const char *gssapi_keytab,
+		     isc_region_t *intoken, isc_buffer_t **outtoken,
+		     dns_gss_ctx_id_t *ctxout, dns_name_t *principal,
+		     isc_mem_t *mctx) {
+	isc_region_t r;
+	isc_buffer_t namebuf;
+	gss_buffer_desc gnamebuf = GSS_C_EMPTY_BUFFER, gintoken,
+			gouttoken = GSS_C_EMPTY_BUFFER;
+	OM_uint32 gret, minor;
+	gss_ctx_id_t context = GSS_C_NO_CONTEXT;
+	gss_name_t gname = NULL;
+	isc_result_t result;
+	char buf[1024];
+
+	REQUIRE(outtoken != NULL && *outtoken == NULL);
+
+	REGION_TO_GBUFFER(*intoken, gintoken);
+
+	if (*ctxout == NULL) {
+		context = GSS_C_NO_CONTEXT;
+	} else {
+		context = *ctxout;
+	}
+
+	if (gssapi_keytab != NULL) {
+#if defined(ISC_PLATFORM_GSSAPI_KRB5_HEADER) || defined(WIN32)
+		gret = gsskrb5_register_acceptor_identity(gssapi_keytab);
+		if (gret != GSS_S_COMPLETE) {
+			gss_log(3,
+				"failed "
+				"gsskrb5_register_acceptor_identity(%s): %s",
+				gssapi_keytab,
+				gss_error_tostring(gret, 0, buf, sizeof(buf)));
+			return (DNS_R_INVALIDTKEY);
+		}
+#else  /* if defined(ISC_PLATFORM_GSSAPI_KRB5_HEADER) || defined(WIN32) */
+		/*
+		 * Minimize memory leakage by only setting KRB5_KTNAME
+		 * if it needs to change.
+		 */
+		const char *old = getenv("KRB5_KTNAME");
+		if (old == NULL || strcmp(old, gssapi_keytab) != 0) {
+			size_t size;
+			char *kt;
+
+			size = strlen(gssapi_keytab) + 13;
+			kt = malloc(size);
+			if (kt == NULL) {
+				return (ISC_R_NOMEMORY);
+			}
+			snprintf(kt, size, "KRB5_KTNAME=%s", gssapi_keytab);
+			if (putenv(kt) != 0) {
+				return (ISC_R_NOMEMORY);
+			}
+		}
+#endif /* if defined(ISC_PLATFORM_GSSAPI_KRB5_HEADER) || defined(WIN32) */
+	}
+
+	log_cred(cred);
+
+	gret = gss_accept_sec_context(&minor, &context, cred, &gintoken,
+				      GSS_C_NO_CHANNEL_BINDINGS, &gname, NULL,
+				      &gouttoken, NULL, NULL, NULL);
+
+	result = ISC_R_FAILURE;
+
+	switch (gret) {
+	case GSS_S_COMPLETE:
+	case GSS_S_CONTINUE_NEEDED:
+		break;
+	case GSS_S_DEFECTIVE_TOKEN:
+	case GSS_S_DEFECTIVE_CREDENTIAL:
+	case GSS_S_BAD_SIG:
+	case GSS_S_DUPLICATE_TOKEN:
+	case GSS_S_OLD_TOKEN:
+	case GSS_S_NO_CRED:
+	case GSS_S_CREDENTIALS_EXPIRED:
+	case GSS_S_BAD_BINDINGS:
+	case GSS_S_NO_CONTEXT:
+	case GSS_S_BAD_MECH:
+	case GSS_S_FAILURE:
+		result = DNS_R_INVALIDTKEY;
+	/* fall through */
+	default:
+		gss_log(3, "failed gss_accept_sec_context: %s",
+			gss_error_tostring(gret, minor, buf, sizeof(buf)));
+		if (gouttoken.length > 0U) {
+			(void)gss_release_buffer(&minor, &gouttoken);
+		}
+		return (result);
+	}
+
+	if (gouttoken.length > 0U) {
+		isc_buffer_allocate(mctx, outtoken,
+				    (unsigned int)gouttoken.length);
+		GBUFFER_TO_REGION(gouttoken, r);
+		RETERR(isc_buffer_copyregion(*outtoken, &r));
+		(void)gss_release_buffer(&minor, &gouttoken);
+	}
+
+	if (gret == GSS_S_COMPLETE) {
+		gret = gss_display_name(&minor, gname, &gnamebuf, NULL);
+		if (gret != GSS_S_COMPLETE) {
+			gss_log(3, "failed gss_display_name: %s",
+				gss_error_tostring(gret, minor, buf,
+						   sizeof(buf)));
+			RETERR(ISC_R_FAILURE);
+		}
+
+		/*
+		 * Compensate for a bug in Solaris8's implementation
+		 * of gss_display_name().  Should be harmless in any
+		 * case, since principal names really should not
+		 * contain null characters.
+		 */
+		if (gnamebuf.length > 0U &&
+		    ((char *)gnamebuf.value)[gnamebuf.length - 1] == '\0')
+		{
+			gnamebuf.length--;
+		}
+
+		gss_log(3, "gss-api source name (accept) is %.*s",
+			(int)gnamebuf.length, (char *)gnamebuf.value);
+
+		GBUFFER_TO_REGION(gnamebuf, r);
+		isc_buffer_init(&namebuf, r.base, r.length);
+		isc_buffer_add(&namebuf, r.length);
+
+		RETERR(dns_name_fromtext(principal, &namebuf, dns_rootname, 0,
+					 NULL));
+
+		if (gnamebuf.length != 0U) {
+			gret = gss_release_buffer(&minor, &gnamebuf);
+			if (gret != GSS_S_COMPLETE) {
+				gss_log(3, "failed gss_release_buffer: %s",
+					gss_error_tostring(gret, minor, buf,
+							   sizeof(buf)));
+			}
+		}
+	} else {
+		result = DNS_R_CONTINUE;
+	}
+
+	*ctxout = context;
+
+out:
+	if (gname != NULL) {
+		gret = gss_release_name(&minor, &gname);
+		if (gret != GSS_S_COMPLETE) {
+			gss_log(3, "failed gss_release_name: %s",
+				gss_error_tostring(gret, minor, buf,
+						   sizeof(buf)));
+		}
+	}
+
+	return (result);
+}
+
+isc_result_t
+dst_gssapi_deletectx(isc_mem_t *mctx, dns_gss_ctx_id_t *gssctx) {
+	OM_uint32 gret, minor;
+	char buf[1024];
+
+	UNUSED(mctx);
+
+	REQUIRE(gssctx != NULL && *gssctx != NULL);
+
+	/* Delete the context from the GSS provider */
+	gret = gss_delete_sec_context(&minor, (gss_ctx_id_t *)gssctx,
+				      GSS_C_NO_BUFFER);
+	if (gret != GSS_S_COMPLETE) {
+		/* Log the error, but still free the context's memory */
+		gss_log(3, "Failure deleting security context %s",
+			gss_error_tostring(gret, minor, buf, sizeof(buf)));
+	}
+	return (ISC_R_SUCCESS);
+}
+
+char *
+gss_error_tostring(uint32_t major, uint32_t minor, char *buf, size_t buflen) {
+	gss_buffer_desc msg_minor = GSS_C_EMPTY_BUFFER,
+			msg_major = GSS_C_EMPTY_BUFFER;
+	OM_uint32 msg_ctx, minor_stat;
+
+	/* Handle major status */
+	msg_ctx = 0;
+	(void)gss_display_status(&minor_stat, major, GSS_C_GSS_CODE,
+				 GSS_C_NULL_OID, &msg_ctx, &msg_major);
+
+	/* Handle minor status */
+	msg_ctx = 0;
+	(void)gss_display_status(&minor_stat, minor, GSS_C_MECH_CODE,
+				 GSS_C_NULL_OID, &msg_ctx, &msg_minor);
+
+	snprintf(buf, buflen, "GSSAPI error: Major = %s, Minor = %s.",
+		 (char *)msg_major.value, (char *)msg_minor.value);
+
+	if (msg_major.length != 0U) {
+		(void)gss_release_buffer(&minor_stat, &msg_major);
+	}
+	if (msg_minor.length != 0U) {
+		(void)gss_release_buffer(&minor_stat, &msg_minor);
+	}
+	return (buf);
+}
+
+#else  /* ifdef GSSAPI */
+
+isc_result_t
+dst_gssapi_acquirecred(const dns_name_t *name, bool initiate,
+		       dns_gss_cred_id_t *cred) {
+	REQUIRE(cred != NULL && *cred == NULL);
+
+	UNUSED(name);
+	UNUSED(initiate);
+	UNUSED(cred);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+bool
+dst_gssapi_identitymatchesrealmkrb5(const dns_name_t *signer,
+				    const dns_name_t *name,
+				    const dns_name_t *realm, bool subdomain) {
+	UNUSED(signer);
+	UNUSED(name);
+	UNUSED(realm);
+	UNUSED(subdomain);
+	return (false);
+}
+
+bool
+dst_gssapi_identitymatchesrealmms(const dns_name_t *signer,
+				  const dns_name_t *name,
+				  const dns_name_t *realm, bool subdomain) {
+	UNUSED(signer);
+	UNUSED(name);
+	UNUSED(realm);
+	UNUSED(subdomain);
+	return (false);
+}
+
+isc_result_t
+dst_gssapi_releasecred(dns_gss_cred_id_t *cred) {
+	UNUSED(cred);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+isc_result_t
+dst_gssapi_initctx(const dns_name_t *name, isc_buffer_t *intoken,
+		   isc_buffer_t *outtoken, dns_gss_ctx_id_t *gssctx,
+		   isc_mem_t *mctx, char **err_message) {
+	UNUSED(name);
+	UNUSED(intoken);
+	UNUSED(outtoken);
+	UNUSED(gssctx);
+	UNUSED(mctx);
+	UNUSED(err_message);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+isc_result_t
+dst_gssapi_acceptctx(dns_gss_cred_id_t cred, const char *gssapi_keytab,
+		     isc_region_t *intoken, isc_buffer_t **outtoken,
+		     dns_gss_ctx_id_t *ctxout, dns_name_t *principal,
+		     isc_mem_t *mctx) {
+	UNUSED(cred);
+	UNUSED(gssapi_keytab);
+	UNUSED(intoken);
+	UNUSED(outtoken);
+	UNUSED(ctxout);
+	UNUSED(principal);
+	UNUSED(mctx);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+isc_result_t
+dst_gssapi_deletectx(isc_mem_t *mctx, dns_gss_ctx_id_t *gssctx) {
+	UNUSED(mctx);
+	UNUSED(gssctx);
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+char *
+gss_error_tostring(uint32_t major, uint32_t minor, char *buf, size_t buflen) {
+	snprintf(buf, buflen, "GSSAPI error: Major = %u, Minor = %u.", major,
+		 minor);
+
+	return (buf);
+}
+#endif /* ifdef GSSAPI */
+
+void
+gss_log(int level, const char *fmt, ...) {
+	va_list ap;
+
+	va_start(ap, fmt);
+	isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_TKEY,
+		       ISC_LOG_DEBUG(level), fmt, ap);
+	va_end(ap);
+}
+
+/*! \file */
diff --git a/lib/dns/hmac_link.c b/lib/dns/hmac_link.c
new file mode 100644
index 0000000..2872ff2
--- /dev/null
+++ b/lib/dns/hmac_link.c
@@ -0,0 +1,521 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) Network Associates, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <stdbool.h>
+#ifndef WIN32
+#include <arpa/inet.h>
+#endif /* WIN32 */
+
+#include <isc/buffer.h>
+#include <isc/hmac.h>
+#include <isc/md.h>
+#include <isc/mem.h>
+#include <isc/nonce.h>
+#include <isc/random.h>
+#include <isc/safe.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <pk11/site.h>
+
+#include <dst/result.h>
+
+#include "dst_internal.h"
+#ifdef HAVE_FIPS_MODE
+#include "dst_openssl.h" /* FIPS_mode() prototype */
+#endif			 /* ifdef HAVE_FIPS_MODE */
+#include "dst_parse.h"
+
+#define ISC_MD_md5    ISC_MD_MD5
+#define ISC_MD_sha1   ISC_MD_SHA1
+#define ISC_MD_sha224 ISC_MD_SHA224
+#define ISC_MD_sha256 ISC_MD_SHA256
+#define ISC_MD_sha384 ISC_MD_SHA384
+#define ISC_MD_sha512 ISC_MD_SHA512
+
+#define hmac_register_algorithm(alg)                                           \
+	static isc_result_t hmac##alg##_createctx(dst_key_t *key,              \
+						  dst_context_t *dctx) {       \
+		return (hmac_createctx(ISC_MD_##alg, key, dctx));              \
+	}                                                                      \
+	static void hmac##alg##_destroyctx(dst_context_t *dctx) {              \
+		hmac_destroyctx(dctx);                                         \
+	}                                                                      \
+	static isc_result_t hmac##alg##_adddata(dst_context_t *dctx,           \
+						const isc_region_t *data) {    \
+		return (hmac_adddata(dctx, data));                             \
+	}                                                                      \
+	static isc_result_t hmac##alg##_sign(dst_context_t *dctx,              \
+					     isc_buffer_t *sig) {              \
+		return (hmac_sign(dctx, sig));                                 \
+	}                                                                      \
+	static isc_result_t hmac##alg##_verify(dst_context_t *dctx,            \
+					       const isc_region_t *sig) {      \
+		return (hmac_verify(dctx, sig));                               \
+	}                                                                      \
+	static bool hmac##alg##_compare(const dst_key_t *key1,                 \
+					const dst_key_t *key2) {               \
+		return (hmac_compare(ISC_MD_##alg, key1, key2));               \
+	}                                                                      \
+	static isc_result_t hmac##alg##_generate(                              \
+		dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) {  \
+		UNUSED(pseudorandom_ok);                                       \
+		UNUSED(callback);                                              \
+		return (hmac_generate(ISC_MD_##alg, key));                     \
+	}                                                                      \
+	static bool hmac##alg##_isprivate(const dst_key_t *key) {              \
+		return (hmac_isprivate(key));                                  \
+	}                                                                      \
+	static void hmac##alg##_destroy(dst_key_t *key) { hmac_destroy(key); } \
+	static isc_result_t hmac##alg##_todns(const dst_key_t *key,            \
+					      isc_buffer_t *data) {            \
+		return (hmac_todns(key, data));                                \
+	}                                                                      \
+	static isc_result_t hmac##alg##_fromdns(dst_key_t *key,                \
+						isc_buffer_t *data) {          \
+		return (hmac_fromdns(ISC_MD_##alg, key, data));                \
+	}                                                                      \
+	static isc_result_t hmac##alg##_tofile(const dst_key_t *key,           \
+					       const char *directory) {        \
+		return (hmac_tofile(ISC_MD_##alg, key, directory));            \
+	}                                                                      \
+	static isc_result_t hmac##alg##_parse(                                 \
+		dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {            \
+		return (hmac_parse(ISC_MD_##alg, key, lexer, pub));            \
+	}                                                                      \
+	static dst_func_t hmac##alg##_functions = {                            \
+		hmac##alg##_createctx,                                         \
+		NULL, /*%< createctx2 */                                       \
+		hmac##alg##_destroyctx,                                        \
+		hmac##alg##_adddata,                                           \
+		hmac##alg##_sign,                                              \
+		hmac##alg##_verify,                                            \
+		NULL, /*%< verify2 */                                          \
+		NULL, /*%< computesecret */                                    \
+		hmac##alg##_compare,                                           \
+		NULL, /*%< paramcompare */                                     \
+		hmac##alg##_generate,                                          \
+		hmac##alg##_isprivate,                                         \
+		hmac##alg##_destroy,                                           \
+		hmac##alg##_todns,                                             \
+		hmac##alg##_fromdns,                                           \
+		hmac##alg##_tofile,                                            \
+		hmac##alg##_parse,                                             \
+		NULL, /*%< cleanup */                                          \
+		NULL, /*%< fromlabel */                                        \
+		NULL, /*%< dump */                                             \
+		NULL, /*%< restore */                                          \
+	};                                                                     \
+	isc_result_t dst__hmac##alg##_init(dst_func_t **funcp) {               \
+		REQUIRE(funcp != NULL);                                        \
+		if (*funcp == NULL) {                                          \
+			*funcp = &hmac##alg##_functions;                       \
+		}                                                              \
+		return (ISC_R_SUCCESS);                                        \
+	}
+
+static isc_result_t
+hmac_fromdns(const isc_md_type_t *type, dst_key_t *key, isc_buffer_t *data);
+
+struct dst_hmac_key {
+	uint8_t key[ISC_MAX_BLOCK_SIZE];
+};
+
+static isc_result_t
+getkeybits(dst_key_t *key, struct dst_private_element *element) {
+	uint16_t *bits = (uint16_t *)element->data;
+
+	if (element->length != 2) {
+		return (DST_R_INVALIDPRIVATEKEY);
+	}
+
+	key->key_bits = ntohs(*bits);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmac_createctx(const isc_md_type_t *type, const dst_key_t *key,
+	       dst_context_t *dctx) {
+	isc_result_t result;
+	const dst_hmac_key_t *hkey = key->keydata.hmac_key;
+	isc_hmac_t *ctx = isc_hmac_new(); /* Either returns or abort()s */
+
+	result = isc_hmac_init(ctx, hkey->key, isc_md_type_get_block_size(type),
+			       type);
+	if (result != ISC_R_SUCCESS) {
+		isc_hmac_free(ctx);
+		return (DST_R_UNSUPPORTEDALG);
+	}
+
+	dctx->ctxdata.hmac_ctx = ctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+hmac_destroyctx(dst_context_t *dctx) {
+	isc_hmac_t *ctx = dctx->ctxdata.hmac_ctx;
+	REQUIRE(ctx != NULL);
+
+	isc_hmac_free(ctx);
+	dctx->ctxdata.hmac_ctx = NULL;
+}
+
+static isc_result_t
+hmac_adddata(const dst_context_t *dctx, const isc_region_t *data) {
+	isc_result_t result;
+	isc_hmac_t *ctx = dctx->ctxdata.hmac_ctx;
+
+	REQUIRE(ctx != NULL);
+
+	result = isc_hmac_update(ctx, data->base, data->length);
+	if (result != ISC_R_SUCCESS) {
+		return (DST_R_OPENSSLFAILURE);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmac_sign(const dst_context_t *dctx, isc_buffer_t *sig) {
+	isc_hmac_t *ctx = dctx->ctxdata.hmac_ctx;
+	REQUIRE(ctx != NULL);
+	unsigned int digestlen;
+	unsigned char digest[ISC_MAX_MD_SIZE];
+
+	if (isc_hmac_final(ctx, digest, &digestlen) != ISC_R_SUCCESS) {
+		return (DST_R_OPENSSLFAILURE);
+	}
+
+	if (isc_hmac_reset(ctx) != ISC_R_SUCCESS) {
+		return (DST_R_OPENSSLFAILURE);
+	}
+
+	if (isc_buffer_availablelength(sig) < digestlen) {
+		return (ISC_R_NOSPACE);
+	}
+
+	isc_buffer_putmem(sig, digest, digestlen);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmac_verify(const dst_context_t *dctx, const isc_region_t *sig) {
+	isc_hmac_t *ctx = dctx->ctxdata.hmac_ctx;
+	unsigned int digestlen;
+	unsigned char digest[ISC_MAX_MD_SIZE];
+
+	REQUIRE(ctx != NULL);
+
+	if (isc_hmac_final(ctx, digest, &digestlen) != ISC_R_SUCCESS) {
+		return (DST_R_OPENSSLFAILURE);
+	}
+
+	if (isc_hmac_reset(ctx) != ISC_R_SUCCESS) {
+		return (DST_R_OPENSSLFAILURE);
+	}
+
+	if (sig->length > digestlen) {
+		return (DST_R_VERIFYFAILURE);
+	}
+
+	return (isc_safe_memequal(digest, sig->base, sig->length)
+			? ISC_R_SUCCESS
+			: DST_R_VERIFYFAILURE);
+}
+
+static bool
+hmac_compare(const isc_md_type_t *type, const dst_key_t *key1,
+	     const dst_key_t *key2) {
+	dst_hmac_key_t *hkey1, *hkey2;
+
+	hkey1 = key1->keydata.hmac_key;
+	hkey2 = key2->keydata.hmac_key;
+
+	if (hkey1 == NULL && hkey2 == NULL) {
+		return (true);
+	} else if (hkey1 == NULL || hkey2 == NULL) {
+		return (false);
+	}
+
+	return (isc_safe_memequal(hkey1->key, hkey2->key,
+				  isc_md_type_get_block_size(type)));
+}
+
+static isc_result_t
+hmac_generate(const isc_md_type_t *type, dst_key_t *key) {
+	isc_buffer_t b;
+	isc_result_t ret;
+	unsigned int bytes, len;
+	unsigned char data[ISC_MAX_MD_SIZE] = { 0 };
+
+	len = isc_md_type_get_block_size(type);
+
+	bytes = (key->key_size + 7) / 8;
+
+	if (bytes > len) {
+		bytes = len;
+		key->key_size = len * 8;
+	}
+
+	isc_nonce_buf(data, bytes);
+
+	isc_buffer_init(&b, data, bytes);
+	isc_buffer_add(&b, bytes);
+
+	ret = hmac_fromdns(type, key, &b);
+
+	isc_safe_memwipe(data, sizeof(data));
+
+	return (ret);
+}
+
+static bool
+hmac_isprivate(const dst_key_t *key) {
+	UNUSED(key);
+	return (true);
+}
+
+static void
+hmac_destroy(dst_key_t *key) {
+	dst_hmac_key_t *hkey = key->keydata.hmac_key;
+	isc_safe_memwipe(hkey, sizeof(*hkey));
+	isc_mem_put(key->mctx, hkey, sizeof(*hkey));
+	key->keydata.hmac_key = NULL;
+}
+
+static isc_result_t
+hmac_todns(const dst_key_t *key, isc_buffer_t *data) {
+	REQUIRE(key != NULL && key->keydata.hmac_key != NULL);
+	dst_hmac_key_t *hkey = key->keydata.hmac_key;
+	unsigned int bytes;
+
+	bytes = (key->key_size + 7) / 8;
+	if (isc_buffer_availablelength(data) < bytes) {
+		return (ISC_R_NOSPACE);
+	}
+	isc_buffer_putmem(data, hkey->key, bytes);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmac_fromdns(const isc_md_type_t *type, dst_key_t *key, isc_buffer_t *data) {
+	dst_hmac_key_t *hkey;
+	unsigned int keylen;
+	isc_region_t r;
+
+	isc_buffer_remainingregion(data, &r);
+	if (r.length == 0) {
+		return (ISC_R_SUCCESS);
+	}
+
+	hkey = isc_mem_get(key->mctx, sizeof(dst_hmac_key_t));
+
+	memset(hkey->key, 0, sizeof(hkey->key));
+
+	/* Hash the key if the key is longer then chosen MD block size */
+	if (r.length > (unsigned int)isc_md_type_get_block_size(type)) {
+		if (isc_md(type, r.base, r.length, hkey->key, &keylen) !=
+		    ISC_R_SUCCESS)
+		{
+			isc_mem_put(key->mctx, hkey, sizeof(dst_hmac_key_t));
+			return (DST_R_OPENSSLFAILURE);
+		}
+	} else {
+		memmove(hkey->key, r.base, r.length);
+		keylen = r.length;
+	}
+
+	key->key_size = keylen * 8;
+	key->keydata.hmac_key = hkey;
+
+	isc_buffer_forward(data, r.length);
+
+	return (ISC_R_SUCCESS);
+}
+
+static int
+hmac__get_tag_key(const isc_md_type_t *type) {
+	if (type == ISC_MD_MD5) {
+		return (TAG_HMACMD5_KEY);
+	} else if (type == ISC_MD_SHA1) {
+		return (TAG_HMACSHA1_KEY);
+	} else if (type == ISC_MD_SHA224) {
+		return (TAG_HMACSHA224_KEY);
+	} else if (type == ISC_MD_SHA256) {
+		return (TAG_HMACSHA256_KEY);
+	} else if (type == ISC_MD_SHA384) {
+		return (TAG_HMACSHA384_KEY);
+	} else if (type == ISC_MD_SHA512) {
+		return (TAG_HMACSHA512_KEY);
+	} else {
+		UNREACHABLE();
+	}
+}
+
+static int
+hmac__get_tag_bits(const isc_md_type_t *type) {
+	if (type == ISC_MD_MD5) {
+		return (TAG_HMACMD5_BITS);
+	} else if (type == ISC_MD_SHA1) {
+		return (TAG_HMACSHA1_BITS);
+	} else if (type == ISC_MD_SHA224) {
+		return (TAG_HMACSHA224_BITS);
+	} else if (type == ISC_MD_SHA256) {
+		return (TAG_HMACSHA256_BITS);
+	} else if (type == ISC_MD_SHA384) {
+		return (TAG_HMACSHA384_BITS);
+	} else if (type == ISC_MD_SHA512) {
+		return (TAG_HMACSHA512_BITS);
+	} else {
+		UNREACHABLE();
+	}
+}
+
+static isc_result_t
+hmac_tofile(const isc_md_type_t *type, const dst_key_t *key,
+	    const char *directory) {
+	dst_hmac_key_t *hkey;
+	dst_private_t priv;
+	int bytes = (key->key_size + 7) / 8;
+	uint16_t bits;
+
+	if (key->keydata.hmac_key == NULL) {
+		return (DST_R_NULLKEY);
+	}
+
+	if (key->external) {
+		return (DST_R_EXTERNALKEY);
+	}
+
+	hkey = key->keydata.hmac_key;
+
+	priv.elements[0].tag = hmac__get_tag_key(type);
+	priv.elements[0].length = bytes;
+	priv.elements[0].data = hkey->key;
+
+	bits = htons(key->key_bits);
+
+	priv.elements[1].tag = hmac__get_tag_bits(type);
+	priv.elements[1].length = sizeof(bits);
+	priv.elements[1].data = (uint8_t *)&bits;
+
+	priv.nelements = 2;
+
+	return (dst__privstruct_writefile(key, &priv, directory));
+}
+
+static int
+hmac__to_dst_alg(const isc_md_type_t *type) {
+	if (type == ISC_MD_MD5) {
+		return (DST_ALG_HMACMD5);
+	} else if (type == ISC_MD_SHA1) {
+		return (DST_ALG_HMACSHA1);
+	} else if (type == ISC_MD_SHA224) {
+		return (DST_ALG_HMACSHA224);
+	} else if (type == ISC_MD_SHA256) {
+		return (DST_ALG_HMACSHA256);
+	} else if (type == ISC_MD_SHA384) {
+		return (DST_ALG_HMACSHA384);
+	} else if (type == ISC_MD_SHA512) {
+		return (DST_ALG_HMACSHA512);
+	} else {
+		UNREACHABLE();
+	}
+}
+
+static isc_result_t
+hmac_parse(const isc_md_type_t *type, dst_key_t *key, isc_lex_t *lexer,
+	   dst_key_t *pub) {
+	dst_private_t priv;
+	isc_result_t result, tresult;
+	isc_buffer_t b;
+	isc_mem_t *mctx = key->mctx;
+	unsigned int i;
+
+	UNUSED(pub);
+	/* read private key file */
+	result = dst__privstruct_parse(key, hmac__to_dst_alg(type), lexer, mctx,
+				       &priv);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	if (key->external) {
+		result = DST_R_EXTERNALKEY;
+	}
+
+	key->key_bits = 0;
+	for (i = 0; i < priv.nelements && result == ISC_R_SUCCESS; i++) {
+		switch (priv.elements[i].tag) {
+		case TAG_HMACMD5_KEY:
+		case TAG_HMACSHA1_KEY:
+		case TAG_HMACSHA224_KEY:
+		case TAG_HMACSHA256_KEY:
+		case TAG_HMACSHA384_KEY:
+		case TAG_HMACSHA512_KEY:
+			isc_buffer_init(&b, priv.elements[i].data,
+					priv.elements[i].length);
+			isc_buffer_add(&b, priv.elements[i].length);
+			tresult = hmac_fromdns(type, key, &b);
+			if (tresult != ISC_R_SUCCESS) {
+				result = tresult;
+			}
+			break;
+		case TAG_HMACMD5_BITS:
+		case TAG_HMACSHA1_BITS:
+		case TAG_HMACSHA224_BITS:
+		case TAG_HMACSHA256_BITS:
+		case TAG_HMACSHA384_BITS:
+		case TAG_HMACSHA512_BITS:
+			tresult = getkeybits(key, &priv.elements[i]);
+			if (tresult != ISC_R_SUCCESS) {
+				result = tresult;
+			}
+			break;
+		default:
+			result = DST_R_INVALIDPRIVATEKEY;
+			break;
+		}
+	}
+	dst__privstruct_free(&priv, mctx);
+	isc_safe_memwipe(&priv, sizeof(priv));
+	return (result);
+}
+
+hmac_register_algorithm(md5);
+hmac_register_algorithm(sha1);
+hmac_register_algorithm(sha224);
+hmac_register_algorithm(sha256);
+hmac_register_algorithm(sha384);
+hmac_register_algorithm(sha512);
+
+/*! \file */
diff --git a/lib/dns/include/.clang-format b/lib/dns/include/.clang-format
new file mode 120000
index 0000000..0e62f72
--- /dev/null
+++ b/lib/dns/include/.clang-format
@@ -0,0 +1 @@
+../../../.clang-format.headers
\ No newline at end of file
diff --git a/lib/dns/include/Makefile.in b/lib/dns/include/Makefile.in
new file mode 100644
index 0000000..cf869c0
--- /dev/null
+++ b/lib/dns/include/Makefile.in
@@ -0,0 +1,19 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	dns dst
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/dns/include/dns/Makefile.in b/lib/dns/include/dns/Makefile.in
new file mode 100644
index 0000000..88b9bcf
--- /dev/null
+++ b/lib/dns/include/dns/Makefile.in
@@ -0,0 +1,63 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+HEADERS =	acl.h adb.h badcache.h bit.h byaddr.h \
+		cache.h callbacks.h catz.h cert.h \
+		client.h clientinfo.h compress.h \
+		db.h dbiterator.h dbtable.h diff.h dispatch.h \
+		dlz.h dlz_dlopen.h dns64.h dnsrps.h dnssec.h ds.h dsdigest.h \
+		dnstap.h dyndb.h ecs.h \
+		edns.h ecdb.h events.h fixedname.h forward.h geoip.h \
+		ipkeylist.h iptable.h \
+		journal.h kasp.h keydata.h keyflags.h keymgr.h keytable.h \
+		keyvalues.h lib.h librpz.h lmdb.h lookup.h log.h \
+		master.h masterdump.h message.h \
+		name.h ncache.h nsec.h nsec3.h nta.h opcode.h order.h \
+		peer.h portlist.h private.h \
+		rbt.h rcode.h rdata.h rdataclass.h rdatalist.h \
+		rdataset.h rdatasetiter.h rdataslab.h rdatatype.h request.h \
+		resolver.h result.h rootns.h rpz.h rriterator.h rrl.h \
+		sdb.h sdlz.h secalg.h secproto.h soa.h ssu.h stats.h \
+		tcpmsg.h time.h timer.h tkey.h tsec.h tsig.h ttl.h types.h \
+		update.h validator.h version.h view.h xfrin.h \
+		zone.h zonekey.h zoneverify.h zt.h
+
+GENHEADERS =	enumclass.h enumtype.h rdatastruct.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/dns
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/dns || exit 1; \
+	done
+	for i in ${GENHEADERS}; do \
+		${INSTALL_DATA} $$i ${DESTDIR}${includedir}/dns || exit 1; \
+	done
+
+uninstall::
+	for i in ${GENHEADERS}; do \
+		rm -f ${DESTDIR}${includedir}/dns/$$i || exit 1; \
+	done
+	for i in ${HEADERS}; do \
+		rm -f ${DESTDIR}${includedir}/dns/$$i || exit 1; \
+	done
diff --git a/lib/dns/include/dns/acl.h b/lib/dns/include/dns/acl.h
new file mode 100644
index 0000000..43fe15b
--- /dev/null
+++ b/lib/dns/include/dns/acl.h
@@ -0,0 +1,253 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_ACL_H
+#define DNS_ACL_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file dns/acl.h
+ * \brief
+ * Address match list handling.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/netaddr.h>
+#include <isc/refcount.h>
+
+#include <dns/geoip.h>
+#include <dns/iptable.h>
+#include <dns/name.h>
+#include <dns/types.h>
+
+/***
+ *** Types
+ ***/
+
+typedef enum {
+	dns_aclelementtype_ipprefix,
+	dns_aclelementtype_keyname,
+	dns_aclelementtype_nestedacl,
+	dns_aclelementtype_localhost,
+	dns_aclelementtype_localnets,
+#if defined(HAVE_GEOIP2)
+	dns_aclelementtype_geoip,
+#endif /* HAVE_GEOIP2 */
+	dns_aclelementtype_any
+} dns_aclelementtype_t;
+
+typedef struct dns_aclipprefix dns_aclipprefix_t;
+
+struct dns_aclipprefix {
+	isc_netaddr_t address; /* IP4/IP6 */
+	unsigned int  prefixlen;
+};
+
+struct dns_aclelement {
+	dns_aclelementtype_t type;
+	bool		     negative;
+	dns_name_t	     keyname;
+#if defined(HAVE_GEOIP2)
+	dns_geoip_elem_t geoip_elem;
+#endif /* HAVE_GEOIP2 */
+	dns_acl_t *nestedacl;
+	int	   node_num;
+};
+
+#define dns_acl_node_count(acl) acl->iptable->radix->num_added_node
+
+struct dns_acl {
+	unsigned int	  magic;
+	isc_mem_t	 *mctx;
+	isc_refcount_t	  refcount;
+	dns_iptable_t	 *iptable;
+	dns_aclelement_t *elements;
+	bool		  has_negatives;
+	unsigned int	  alloc;	 /*%< Elements allocated */
+	unsigned int	  length;	 /*%< Elements initialized */
+	char		 *name;		 /*%< Temporary use only */
+	ISC_LINK(dns_acl_t) nextincache; /*%< Ditto */
+};
+
+struct dns_aclenv {
+	dns_acl_t *localhost;
+	dns_acl_t *localnets;
+	bool	   match_mapped;
+#if defined(HAVE_GEOIP2)
+	dns_geoip_databases_t *geoip;
+#endif /* HAVE_GEOIP2 */
+};
+
+#define DNS_ACL_MAGIC	 ISC_MAGIC('D', 'a', 'c', 'l')
+#define DNS_ACL_VALID(a) ISC_MAGIC_VALID(a, DNS_ACL_MAGIC)
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target);
+/*%<
+ * Create a new ACL, including an IP table and an array with room
+ * for 'n' ACL elements.  The elements are uninitialized and the
+ * length is 0.
+ */
+
+isc_result_t
+dns_acl_any(isc_mem_t *mctx, dns_acl_t **target);
+/*%<
+ * Create a new ACL that matches everything.
+ */
+
+isc_result_t
+dns_acl_none(isc_mem_t *mctx, dns_acl_t **target);
+/*%<
+ * Create a new ACL that matches nothing.
+ */
+
+bool
+dns_acl_isany(dns_acl_t *acl);
+/*%<
+ * Test whether ACL is set to "{ any; }"
+ */
+
+bool
+dns_acl_isnone(dns_acl_t *acl);
+/*%<
+ * Test whether ACL is set to "{ none; }"
+ */
+
+isc_result_t
+dns_acl_merge(dns_acl_t *dest, dns_acl_t *source, bool pos);
+/*%<
+ * Merge the contents of one ACL into another.  Call dns_iptable_merge()
+ * for the IP tables, then concatenate the element arrays.
+ *
+ * If pos is set to false, then the nested ACL is to be negated.  This
+ * means reverse the sense of each *positive* element or IP table node,
+ * but leave negatives alone, so as to prevent a double-negative causing
+ * an unexpected positive match in the parent ACL.
+ */
+
+void
+dns_acl_attach(dns_acl_t *source, dns_acl_t **target);
+/*%<
+ * Attach to acl 'source'.
+ *
+ * Requires:
+ *\li	'source' to be a valid acl.
+ *\li	'target' to be non NULL and '*target' to be NULL.
+ */
+
+void
+dns_acl_detach(dns_acl_t **aclp);
+/*%<
+ * Detach the acl. On final detach the acl must not be linked on any
+ * list.
+ *
+ * Requires:
+ *\li	'*aclp' to be a valid acl.
+ *
+ * Insists:
+ *\li	'*aclp' is not linked on final detach.
+ */
+
+bool
+dns_acl_isinsecure(const dns_acl_t *a);
+/*%<
+ * Return #true iff the acl 'a' is considered insecure, that is,
+ * if it contains IP addresses other than those of the local host.
+ * This is intended for applications such as printing warning
+ * messages for suspect ACLs; it is not intended for making access
+ * control decisions.  We make no guarantee that an ACL for which
+ * this function returns #false is safe.
+ */
+
+bool
+dns_acl_allowed(isc_netaddr_t *addr, const dns_name_t *signer, dns_acl_t *acl,
+		dns_aclenv_t *aclenv);
+/*%<
+ * Return #true iff the 'addr', 'signer', or ECS values are
+ * permitted by 'acl' in environment 'aclenv'.
+ */
+
+isc_result_t
+dns_aclenv_init(isc_mem_t *mctx, dns_aclenv_t *env);
+/*%<
+ * Initialize ACL environment, setting up localhost and localnets ACLs
+ */
+
+void
+dns_aclenv_copy(dns_aclenv_t *t, dns_aclenv_t *s);
+
+void
+dns_aclenv_destroy(dns_aclenv_t *env);
+
+isc_result_t
+dns_acl_match(const isc_netaddr_t *reqaddr, const dns_name_t *reqsigner,
+	      const dns_acl_t *acl, const dns_aclenv_t *env, int *match,
+	      const dns_aclelement_t **matchelt);
+/*%<
+ * General, low-level ACL matching.  This is expected to
+ * be useful even for weird stuff like the topology and sortlist statements.
+ *
+ * Match the address 'reqaddr', and optionally the key name 'reqsigner',
+ * against 'acl'.  'reqsigner' may be NULL.
+ *
+ * If there is a match, '*match' will be set to an integer whose absolute
+ * value corresponds to the order in which the matching value was inserted
+ * into the ACL.  For a positive match, this value will be positive; for a
+ * negative match, it will be negative.
+ *
+ * If there is no match, *match will be set to zero.
+ *
+ * If there is a match in the element list (either positive or negative)
+ * and 'matchelt' is non-NULL, *matchelt will be pointed to the matching
+ * element.
+ *
+ * 'env' points to the current ACL environment, including the
+ * current values of localhost and localnets and (if applicable)
+ * the GeoIP context.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		Always succeeds.
+ */
+
+bool
+dns_aclelement_match(const isc_netaddr_t *reqaddr, const dns_name_t *reqsigner,
+		     const dns_aclelement_t *e, const dns_aclenv_t *env,
+		     const dns_aclelement_t **matchelt);
+/*%<
+ * Like dns_acl_match, but matches against the single ACL element 'e'
+ * rather than a complete ACL, and returns true iff it matched.
+ *
+ * To determine whether the match was positive or negative, the
+ * caller should examine e->negative.  Since the element 'e' may be
+ * a reference to a named ACL or a nested ACL, a matching element
+ * returned through 'matchelt' is not necessarily 'e' itself.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_ACL_H */
diff --git a/lib/dns/include/dns/adb.h b/lib/dns/include/dns/adb.h
new file mode 100644
index 0000000..4e05fd6
--- /dev/null
+++ b/lib/dns/include/dns/adb.h
@@ -0,0 +1,835 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_ADB_H
+#define DNS_ADB_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file dns/adb.h
+ *\brief
+ * DNS Address Database
+ *
+ * This module implements an address database (ADB) for mapping a name
+ * to an isc_sockaddr_t. It also provides statistical information on
+ * how good that address might be.
+ *
+ * A client will pass in a dns_name_t, and the ADB will walk through
+ * the rdataset looking up addresses associated with the name.  If it
+ * is found on the internal lists, a structure is filled in with the
+ * address information and stats for found addresses.
+ *
+ * If the name cannot be found on the internal lists, a new entry will
+ * be created for a name if all the information needed can be found
+ * in the zone table or cache.  This new address will then be returned.
+ *
+ * If a request must be made to remote servers to satisfy a name lookup,
+ * this module will start fetches to try to complete these addresses.  When
+ * at least one more completes, an event is sent to the caller.  If none of
+ * them resolve before the fetch times out, an event indicating this is
+ * sent instead.
+ *
+ * Records are stored internally until a timer expires. The timer is the
+ * smaller of the TTL or signature validity period.
+ *
+ * Lameness is stored per <qname,qtype> tuple, and this data hangs off each
+ * address field.  When an address is marked lame for a given tuple the address
+ * will not be returned to a caller.
+ *
+ *
+ * MP:
+ *
+ *\li	The ADB takes care of all necessary locking.
+ *
+ *\li	Only the task which initiated the name lookup can cancel the lookup.
+ *
+ *
+ * Security:
+ *
+ *\li	None, since all data stored is required to be pre-filtered.
+ *	(Cache needs to be sane, fetches return bounds-checked and sanity-
+ *       checked data, caller passes a good dns_name_t for the zone, etc)
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/sockaddr.h>
+
+#include <dns/types.h>
+#include <dns/view.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Magic number checks
+ ***/
+
+#define DNS_ADBFIND_MAGIC	 ISC_MAGIC('a', 'd', 'b', 'H')
+#define DNS_ADBFIND_VALID(x)	 ISC_MAGIC_VALID(x, DNS_ADBFIND_MAGIC)
+#define DNS_ADBADDRINFO_MAGIC	 ISC_MAGIC('a', 'd', 'A', 'I')
+#define DNS_ADBADDRINFO_VALID(x) ISC_MAGIC_VALID(x, DNS_ADBADDRINFO_MAGIC)
+
+/***
+ *** TYPES
+ ***/
+
+typedef struct dns_adbname dns_adbname_t;
+
+/*!
+ *\brief
+ * Represents a lookup for a single name.
+ *
+ * On return, the client can safely use "list", and can reorder the list.
+ * Items may not be _deleted_ from this list, however, or added to it
+ * other than by using the dns_adb_*() API.
+ */
+struct dns_adbfind {
+	/* Public */
+	unsigned int	      magic;	      /*%< RO: magic */
+	dns_adbaddrinfolist_t list;	      /*%< RO: list of addrs */
+	unsigned int	      query_pending;  /*%< RO: partial list */
+	unsigned int	      partial_result; /*%< RO: addrs missing */
+	unsigned int	      options;	      /*%< RO: options */
+	isc_result_t	      result_v4;      /*%< RO: v4 result */
+	isc_result_t	      result_v6;      /*%< RO: v6 result */
+	ISC_LINK(dns_adbfind_t) publink;      /*%< RW: client use */
+
+	/* Private */
+	isc_mutex_t    lock; /* locks all below */
+	in_port_t      port;
+	int	       name_bucket;
+	unsigned int   flags;
+	dns_adbname_t *adbname;
+	dns_adb_t     *adb;
+	isc_event_t    event;
+	ISC_LINK(dns_adbfind_t) plink;
+};
+
+/*
+ * _INET:
+ * _INET6:
+ *	return addresses of that type.
+ *
+ * _EMPTYEVENT:
+ *	Only schedule an event if no addresses are known.
+ *	Must set _WANTEVENT for this to be meaningful.
+ *
+ * _WANTEVENT:
+ *	An event is desired.  Check this bit in the returned find to see
+ *	if one will actually be generated.
+ *
+ * _AVOIDFETCHES:
+ *	If set, fetches will not be generated unless no addresses are
+ *	available in any of the address families requested.
+ *
+ * _STARTATZONE:
+ *	Fetches will start using the closest zone data or use the root servers.
+ *	This is useful for reestablishing glue that has expired.
+ *
+ * _GLUEOK:
+ * _HINTOK:
+ *	Glue or hints are ok.  These are used when matching names already
+ *	in the adb, and when dns databases are searched.
+ *
+ * _RETURNLAME:
+ *	Return lame servers in a find, so that all addresses are returned.
+ *
+ * _LAMEPRUNED:
+ *	At least one address was omitted from the list because it was lame.
+ *	This bit will NEVER be set if _RETURNLAME is set in the createfind().
+ */
+/*% Return addresses of type INET. */
+#define DNS_ADBFIND_INET 0x00000001
+/*% Return addresses of type INET6. */
+#define DNS_ADBFIND_INET6	0x00000002
+#define DNS_ADBFIND_ADDRESSMASK 0x00000003
+/*%
+ *      Only schedule an event if no addresses are known.
+ *      Must set _WANTEVENT for this to be meaningful.
+ */
+#define DNS_ADBFIND_EMPTYEVENT 0x00000004
+/*%
+ *	An event is desired.  Check this bit in the returned find to see
+ *	if one will actually be generated.
+ */
+#define DNS_ADBFIND_WANTEVENT 0x00000008
+/*%
+ *	If set, fetches will not be generated unless no addresses are
+ *	available in any of the address families requested.
+ */
+#define DNS_ADBFIND_AVOIDFETCHES 0x00000010
+/*%
+ *	Fetches will start using the closest zone data or use the root servers.
+ *	This is useful for reestablishing glue that has expired.
+ */
+#define DNS_ADBFIND_STARTATZONE 0x00000020
+/*%
+ *	Glue or hints are ok.  These are used when matching names already
+ *	in the adb, and when dns databases are searched.
+ */
+#define DNS_ADBFIND_GLUEOK 0x00000040
+/*%
+ *	Glue or hints are ok.  These are used when matching names already
+ *	in the adb, and when dns databases are searched.
+ */
+#define DNS_ADBFIND_HINTOK 0x00000080
+/*%
+ *	Return lame servers in a find, so that all addresses are returned.
+ */
+#define DNS_ADBFIND_RETURNLAME 0x00000100
+/*%
+ *      Only schedule an event if no addresses are known.
+ *      Must set _WANTEVENT for this to be meaningful.
+ */
+#define DNS_ADBFIND_LAMEPRUNED 0x00000200
+/*%
+ *      The server's fetch quota is exceeded; it will be treated as
+ *      lame for this query.
+ */
+#define DNS_ADBFIND_OVERQUOTA 0x00000400
+/*%
+ *	Don't perform a fetch even if there are no address records available.
+ */
+#define DNS_ADBFIND_NOFETCH 0x00000800
+
+/*%
+ * The answers to queries come back as a list of these.
+ */
+struct dns_adbaddrinfo {
+	unsigned int magic; /*%< private */
+
+	isc_sockaddr_t sockaddr; /*%< [rw] */
+	unsigned int   srtt;	 /*%< [rw] microsecs */
+	isc_dscp_t     dscp;
+
+	unsigned int	flags; /*%< [rw] */
+	dns_adbentry_t *entry; /*%< private */
+	ISC_LINK(dns_adbaddrinfo_t) publink;
+};
+
+/*!<
+ * The event sent to the caller task is just a plain old isc_event_t.  It
+ * contains no data other than a simple status, passed in the "type" field
+ * to indicate that another address resolved, or all partially resolved
+ * addresses have failed to resolve.
+ *
+ * "sender" is the dns_adbfind_t used to issue this query.
+ *
+ * This is simply a standard event, with the "type" set to:
+ *
+ *\li	#DNS_EVENT_ADBMOREADDRESSES   -- another address resolved.
+ *\li	#DNS_EVENT_ADBNOMOREADDRESSES -- all pending addresses failed,
+ *					were canceled, or otherwise will
+ *					not be usable.
+ *\li	#DNS_EVENT_ADBCANCELED	     -- The request was canceled by a
+ *					3rd party.
+ *\li	#DNS_EVENT_ADBNAMEDELETED     -- The name was deleted, so this request
+ *					was canceled.
+ *
+ * In each of these cases, the addresses returned by the initial call
+ * to dns_adb_createfind() can still be used until they are no longer needed.
+ */
+
+/****
+**** FUNCTIONS
+****/
+
+isc_result_t
+dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *tmgr,
+	       isc_taskmgr_t *taskmgr, dns_adb_t **newadb);
+/*%<
+ * Create a new ADB.
+ *
+ * Notes:
+ *
+ *\li	Generally, applications should not create an ADB directly, but
+ *	should instead call dns_view_createresolver().
+ *
+ * Requires:
+ *
+ *\li	'mem' must be a valid memory context.
+ *
+ *\li	'view' be a pointer to a valid view.
+ *
+ *\li	'tmgr' be a pointer to a valid timer manager.
+ *
+ *\li	'taskmgr' be a pointer to a valid task manager.
+ *
+ *\li	'newadb' != NULL && '*newadb' == NULL.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS	after happiness.
+ *\li	#ISC_R_NOMEMORY	after resource allocation failure.
+ */
+
+void
+dns_adb_attach(dns_adb_t *adb, dns_adb_t **adbp);
+/*%
+ * Attach to an 'adb' to 'adbp'.
+ *
+ * Requires:
+ *\li	'adb' to be a valid dns_adb_t, created via dns_adb_create().
+ *\li	'adbp' to be a valid pointer to a *dns_adb_t which is initialized
+ *	to NULL.
+ */
+
+void
+dns_adb_detach(dns_adb_t **adb);
+/*%
+ * Delete the ADB. Sets *ADB to NULL. Cancels any outstanding requests.
+ *
+ * Requires:
+ *
+ *\li	'adb' be non-NULL and '*adb' be a valid dns_adb_t, created via
+ *	dns_adb_create().
+ */
+
+void
+dns_adb_whenshutdown(dns_adb_t *adb, isc_task_t *task, isc_event_t **eventp);
+/*%
+ * Send '*eventp' to 'task' when 'adb' has shutdown.
+ *
+ * Requires:
+ *
+ *\li	'*adb' is a valid dns_adb_t.
+ *
+ *\li	eventp != NULL && *eventp is a valid event.
+ *
+ * Ensures:
+ *
+ *\li	*eventp == NULL
+ *
+ *\li	The event's sender field is set to the value of adb when the event
+ *	is sent.
+ */
+
+void
+dns_adb_shutdown(dns_adb_t *adb);
+/*%<
+ * Shutdown 'adb'.
+ *
+ * Requires:
+ *
+ * \li	'*adb' is a valid dns_adb_t.
+ */
+
+isc_result_t
+dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
+		   void *arg, const dns_name_t *name, const dns_name_t *qname,
+		   dns_rdatatype_t qtype, unsigned int options,
+		   isc_stdtime_t now, dns_name_t *target, in_port_t port,
+		   unsigned int depth, isc_counter_t *qc, dns_adbfind_t **find);
+/*%<
+ * Main interface for clients. The adb will look up the name given in
+ * "name" and will build up a list of found addresses, and perhaps start
+ * internal fetches to resolve names that are unknown currently.
+ *
+ * If other addresses resolve after this call completes, an event will
+ * be sent to the <task, taskaction, arg> with the sender of that event
+ * set to a pointer to the dns_adbfind_t returned by this function.
+ *
+ * If no events will be generated, the *find->result_v4 and/or result_v6
+ * members may be examined for address lookup status.  The usual #ISC_R_SUCCESS,
+ * #ISC_R_FAILURE, #DNS_R_NXDOMAIN, and #DNS_R_NXRRSET are returned, along with
+ * #ISC_R_NOTFOUND meaning the ADB has not _yet_ found the values.  In this
+ * latter case, retrying may produce more addresses.
+ *
+ * If events will be returned, the result_v[46] members are only valid
+ * when that event is actually returned.
+ *
+ * The list of addresses returned is unordered.  The caller must impose
+ * any ordering required.  The list will not contain "known bad" addresses,
+ * however.  For instance, it will not return hosts that are known to be
+ * lame for the zone in question.
+ *
+ * The caller cannot (directly) modify the contents of the address list's
+ * fields other than the "link" field.  All values can be read at any
+ * time, however.
+ *
+ * The "now" parameter is used only for determining which entries that
+ * have a specific time to live or expire time should be removed from
+ * the running database.  If specified as zero, the current time will
+ * be retrieved and used.
+ *
+ * If 'target' is not NULL and 'name' is an alias (i.e. the name is
+ * CNAME'd or DNAME'd to another name), then 'target' will be updated with
+ * the domain name that 'name' is aliased to.
+ *
+ * All addresses returned will have the sockaddr's port set to 'port.'
+ * The caller may change them directly in the dns_adbaddrinfo_t since
+ * they are copies of the internal address only.
+ *
+ * XXXMLG  Document options, especially the flags which control how
+ *         events are sent.
+ *
+ * Requires:
+ *
+ *\li	*adb be a valid isc_adb_t object.
+ *
+ *\li	If events are to be sent, *task be a valid task,
+ *	and isc_taskaction_t != NULL.
+ *
+ *\li	*name is a valid dns_name_t.
+ *
+ *\li	qname != NULL and *qname be a valid dns_name_t.
+ *
+ *\li	target == NULL or target is a valid name with a buffer.
+ *
+ *\li	find != NULL && *find == NULL.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS	Addresses might have been returned, and events will be
+ *			delivered for unresolved addresses.
+ *\li	#ISC_R_NOMORE	Addresses might have been returned, but no events
+ *			will ever be posted for this context.  This is only
+ *			returned if task != NULL.
+ *\li	#ISC_R_NOMEMORY	insufficient resources
+ *\li	#DNS_R_ALIAS	'name' is an alias for another name.
+ *
+ * Calls, and returns error codes from:
+ *
+ *\li	isc_stdtime_get()
+ *
+ * Notes:
+ *
+ *\li	No internal reference to "name" exists after this function
+ *	returns.
+ */
+
+void
+dns_adb_cancelfind(dns_adbfind_t *find);
+/*%<
+ * Cancels the find, and sends the event off to the caller.
+ *
+ * It is an error to call dns_adb_cancelfind() on a find where
+ * no event is wanted, or will ever be sent.
+ *
+ * Note:
+ *
+ *\li	It is possible that the real completion event was posted just
+ *	before the dns_adb_cancelfind() call was made.  In this case,
+ *	dns_adb_cancelfind() will do nothing.  The event callback needs
+ *	to be prepared to find this situation (i.e. result is valid but
+ *	the caller expects it to be canceled).
+ *
+ * Requires:
+ *
+ *\li	'find' be a valid dns_adbfind_t pointer.
+ *
+ *\li	events would have been posted to the task.  This can be checked
+ *	with (find->options & DNS_ADBFIND_WANTEVENT).
+ *
+ * Ensures:
+ *
+ *\li	The event was posted to the task.
+ */
+
+void
+dns_adb_destroyfind(dns_adbfind_t **find);
+/*%<
+ * Destroys the find reference.
+ *
+ * Note:
+ *
+ *\li	This can only be called after the event was delivered for a
+ *	find.  Additionally, the event MUST have been freed via
+ *	isc_event_free() BEFORE this function is called.
+ *
+ * Requires:
+ *
+ *\li	'find' != NULL and *find be valid dns_adbfind_t pointer.
+ *
+ * Ensures:
+ *
+ *\li	No "address found" events will be posted to the originating task
+ *	after this function returns.
+ */
+
+void
+dns_adb_dump(dns_adb_t *adb, FILE *f);
+/*%<
+ * This function is only used for debugging.  It will dump as much of the
+ * state of the running system as possible.
+ *
+ * Requires:
+ *
+ *\li	adb be valid.
+ *
+ *\li	f != NULL, and is a file open for writing.
+ */
+
+void
+dns_adb_dumpfind(dns_adbfind_t *find, FILE *f);
+/*%<
+ * This function is only used for debugging.  Dump the data associated
+ * with a find.
+ *
+ * Requires:
+ *
+ *\li	find is valid.
+ *
+ * \li	f != NULL, and is a file open for writing.
+ */
+
+isc_result_t
+dns_adb_marklame(dns_adb_t *adb, dns_adbaddrinfo_t *addr,
+		 const dns_name_t *qname, dns_rdatatype_t type,
+		 isc_stdtime_t expire_time);
+/*%<
+ * Mark the given address as lame for the <qname,qtype>.  expire_time should
+ * be set to the time when the entry should expire.  That is, if it is to
+ * expire 10 minutes in the future, it should set it to (now + 10 * 60).
+ *
+ * Requires:
+ *
+ *\li	adb be valid.
+ *
+ *\li	addr be valid.
+ *
+ *\li	qname be the qname used in the dns_adb_createfind() call.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS		-- all is well.
+ *\li	#ISC_R_NOMEMORY		-- could not mark address as lame.
+ */
+
+/*
+ * Reasonable defaults for RTT adjustments
+ *
+ * (Note: these values function both as scaling factors and as
+ * indicators of the type of RTT adjustment operation taking place.
+ * Adjusting the scaling factors is fine, as long as they all remain
+ * unique values.)
+ */
+#define DNS_ADB_RTTADJDEFAULT 7	 /*%< default scale */
+#define DNS_ADB_RTTADJREPLACE 0	 /*%< replace with our rtt */
+#define DNS_ADB_RTTADJAGE     10 /*%< age this rtt */
+
+void
+dns_adb_adjustsrtt(dns_adb_t *adb, dns_adbaddrinfo_t *addr, unsigned int rtt,
+		   unsigned int factor);
+/*%<
+ * Mix the round trip time into the existing smoothed rtt.
+ *
+ * Requires:
+ *
+ *\li	adb be valid.
+ *
+ *\li	addr be valid.
+ *
+ *\li	0 <= factor <= 10
+ *
+ * Note:
+ *
+ *\li	The srtt in addr will be updated to reflect the new global
+ *	srtt value.  This may include changes made by others.
+ */
+
+void
+dns_adb_agesrtt(dns_adb_t *adb, dns_adbaddrinfo_t *addr, isc_stdtime_t now);
+/*
+ * dns_adb_agesrtt is equivalent to dns_adb_adjustsrtt with factor
+ * equal to DNS_ADB_RTTADJAGE and the current time passed in.
+ *
+ * Requires:
+ *
+ *\li	adb be valid.
+ *
+ *\li	addr be valid.
+ *
+ * Note:
+ *
+ *\li	The srtt in addr will be updated to reflect the new global
+ *	srtt value.  This may include changes made by others.
+ */
+
+void
+dns_adb_changeflags(dns_adb_t *adb, dns_adbaddrinfo_t *addr, unsigned int bits,
+		    unsigned int mask);
+/*%
+ * Change Flags.
+ *
+ * Set the flags as given by:
+ *
+ *\li	newflags = (oldflags & ~mask) | (bits & mask);
+ *
+ * Requires:
+ *
+ *\li	adb be valid.
+ *
+ *\li	addr be valid.
+ */
+
+void
+dns_adb_setudpsize(dns_adb_t *adb, dns_adbaddrinfo_t *addr, unsigned int size);
+/*%
+ * Update seen UDP response size.  The largest seen will be returned by
+ * dns_adb_getudpsize().
+ *
+ * Requires:
+ *
+ *\li	adb be valid.
+ *
+ *\li	addr be valid.
+ */
+
+unsigned int
+dns_adb_getudpsize(dns_adb_t *adb, dns_adbaddrinfo_t *addr);
+/*%
+ * Return the largest seen UDP response size.
+ *
+ * Requires:
+ *
+ *\li	adb be valid.
+ *
+ *\li	addr be valid.
+ */
+
+unsigned int
+dns_adb_probesize(dns_adb_t *adb, dns_adbaddrinfo_t *addr, int lookups);
+/*%
+ * Return suggested EDNS UDP size based on observed responses / failures.
+ * 'lookups' is the number of times the current lookup has been attempted.
+ *
+ * Requires:
+ *
+ *\li	adb be valid.
+ *
+ *\li	addr be valid.
+ */
+
+void
+dns_adb_plainresponse(dns_adb_t *adb, dns_adbaddrinfo_t *addr);
+/*%
+ * Record a successful plain DNS response.
+ *
+ * Requires:
+ *
+ *\li	adb be valid.
+ *
+ *\li	addr be valid.
+ */
+
+void
+dns_adb_timeout(dns_adb_t *adb, dns_adbaddrinfo_t *addr);
+/*%
+ * Record a plain DNS UDP query failed.
+ *
+ * Requires:
+ *
+ *\li	adb be valid.
+ *
+ *\li	addr be valid.
+ */
+
+void
+dns_adb_ednsto(dns_adb_t *adb, dns_adbaddrinfo_t *addr, unsigned int size);
+/*%
+ * Record a failed EDNS UDP response and the advertised EDNS UDP buffer size
+ * used.
+ *
+ * Requires:
+ *
+ *\li	adb be valid.
+ *
+ *\li	addr be valid.
+ */
+
+bool
+dns_adb_noedns(dns_adb_t *adb, dns_adbaddrinfo_t *addr);
+/*%
+ * Return whether EDNS should be disabled for this server.
+ *
+ * Requires:
+ *
+ *\li	adb be valid.
+ *
+ *\li	addr be valid.
+ */
+
+isc_result_t
+dns_adb_findaddrinfo(dns_adb_t *adb, const isc_sockaddr_t *sa,
+		     dns_adbaddrinfo_t **addrp, isc_stdtime_t now);
+/*%<
+ * Return a dns_adbaddrinfo_t that is associated with address 'sa'.
+ *
+ * Requires:
+ *
+ *\li	adb is valid.
+ *
+ *\li	sa is valid.
+ *
+ *\li	addrp != NULL && *addrp == NULL
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_SHUTTINGDOWN
+ */
+
+void
+dns_adb_freeaddrinfo(dns_adb_t *adb, dns_adbaddrinfo_t **addrp);
+/*%<
+ * Free a dns_adbaddrinfo_t allocated by dns_adb_findaddrinfo().
+ *
+ * Requires:
+ *
+ *\li	adb is valid.
+ *
+ *\li	*addrp is a valid dns_adbaddrinfo_t *.
+ */
+
+void
+dns_adb_flush(dns_adb_t *adb);
+/*%<
+ * Flushes all cached data from the adb.
+ *
+ * Requires:
+ *\li 	adb is valid.
+ */
+
+void
+dns_adb_setadbsize(dns_adb_t *adb, size_t size);
+/*%<
+ * Set a target memory size.  If memory usage exceeds the target
+ * size entries will be removed before they would have expired on
+ * a random basis.
+ *
+ * If 'size' is 0 then memory usage is unlimited.
+ *
+ * Requires:
+ *\li	'adb' is valid.
+ */
+
+void
+dns_adb_flushname(dns_adb_t *adb, const dns_name_t *name);
+/*%<
+ * Flush 'name' from the adb cache.
+ *
+ * Requires:
+ *\li	'adb' is valid.
+ *\li	'name' is valid.
+ */
+
+void
+dns_adb_flushnames(dns_adb_t *adb, const dns_name_t *name);
+/*%<
+ * Flush 'name' and all subdomains from the adb cache.
+ *
+ * Requires:
+ *\li	'adb' is valid.
+ *\li	'name' is valid.
+ */
+
+void
+dns_adb_setcookie(dns_adb_t *adb, dns_adbaddrinfo_t *addr,
+		  const unsigned char *cookie, size_t len);
+/*%<
+ * Record the COOKIE associated with this address.  If
+ * cookie is NULL or len is zero the recorded COOKIE is cleared.
+ *
+ * Requires:
+ *\li	'adb' is valid.
+ *\li	'addr' is valid.
+ */
+
+size_t
+dns_adb_getcookie(dns_adb_t *adb, dns_adbaddrinfo_t *addr,
+		  unsigned char *cookie, size_t len);
+/*
+ * Retrieve the saved COOKIE value and store it in 'cookie' which has
+ * size 'len'.
+ *
+ * Requires:
+ *\li	'adb' is valid.
+ *\li	'addr' is valid.
+ *
+ * Returns:
+ *	The size of the cookie or zero if it doesn't fit in the buffer
+ *	or it doesn't exist.
+ */
+
+void
+dns_adb_setquota(dns_adb_t *adb, uint32_t quota, uint32_t freq, double low,
+		 double high, double discount);
+/*%<
+ * Set the baseline ADB quota, and configure parameters for the
+ * quota adjustment algorithm.
+ *
+ * If the number of fetches currently waiting for responses from this
+ * address exceeds the current quota, then additional fetches are spilled.
+ *
+ * 'quota' is the highest permissible quota; it will adjust itself
+ * downward in response to detected congestion.
+ *
+ * After every 'freq' fetches have either completed or timed out, an
+ * exponentially weighted moving average of the ratio of timeouts
+ * to responses is calculated.  If the EWMA goes above a 'high'
+ * threshold, then the quota is adjusted down one step; if it drops
+ * below a 'low' threshold, then the quota is adjusted back up one
+ * step.
+ *
+ * The quota adjustment is based on the function (1 / 1 + (n/10)^(3/2)),
+ * for values of n from 0 to 99.  It starts at 100% of the baseline
+ * quota, and descends after 100 steps to 2%.
+ *
+ * 'discount' represents the discount rate of the moving average. Higher
+ * values cause older values to be discounted sooner, providing a faster
+ * response to changes in the timeout ratio.
+ *
+ * Requires:
+ *\li	'adb' is valid.
+ */
+
+bool
+dns_adbentry_overquota(dns_adbentry_t *entry);
+/*%<
+ * Returns true if the specified ADB has too many active fetches.
+ *
+ * Requires:
+ *\li	'entry' is valid.
+ */
+
+void
+dns_adb_beginudpfetch(dns_adb_t *adb, dns_adbaddrinfo_t *addr);
+void
+dns_adb_endudpfetch(dns_adb_t *adb, dns_adbaddrinfo_t *addr);
+/*%
+ * Begin/end a UDP fetch on a particular address.
+ *
+ * These functions increment or decrement the fetch counter for
+ * the ADB entry so that the fetch quota can be enforced.
+ *
+ * Requires:
+ *
+ *\li	adb be valid.
+ *
+ *\li	addr be valid.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_ADB_H */
diff --git a/lib/dns/include/dns/badcache.h b/lib/dns/include/dns/badcache.h
new file mode 100644
index 0000000..c45ea0c
--- /dev/null
+++ b/lib/dns/include/dns/badcache.h
@@ -0,0 +1,152 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_BADCACHE_H
+#define DNS_BADCACHE_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file dns/badcache.h
+ * \brief
+ * Defines dns_badcache_t, the "bad cache" object.
+ *
+ * Notes:
+ *\li 	A bad cache object is a hash table of name/type tuples,
+ *	indicating whether a given tuple known to be "bad" in some
+ *	sense (e.g., queries for that name and type have been
+ *	returning SERVFAIL). This is used for both the "bad server
+ *	cache" in the resolver and for the "servfail cache" in
+ *	the view.
+ *
+ * Reliability:
+ *
+ * Resources:
+ *
+ * Security:
+ *
+ * Standards:
+ */
+
+/***
+ ***	Imports
+ ***/
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ ***	Functions
+ ***/
+
+isc_result_t
+dns_badcache_init(isc_mem_t *mctx, unsigned int size, dns_badcache_t **bcp);
+/*%
+ * Allocate and initialize a badcache and store it in '*bcp'.
+ *
+ * Requires:
+ * \li	mctx != NULL
+ * \li	bcp != NULL
+ * \li	*bcp == NULL
+ */
+
+void
+dns_badcache_destroy(dns_badcache_t **bcp);
+/*%
+ * Flush and then free badcache in 'bcp'. '*bcp' is set to NULL on return.
+ *
+ * Requires:
+ * \li	'*bcp' to be a valid badcache
+ */
+
+void
+dns_badcache_add(dns_badcache_t *bc, const dns_name_t *name,
+		 dns_rdatatype_t type, bool update, uint32_t flags,
+		 isc_time_t *expire);
+/*%
+ * Adds a badcache entry to the badcache 'bc' for name 'name' and
+ * type 'type'.  If an entry already exists, then it will be updated if
+ * 'update' is true.  The entry will be stored with flags 'flags'
+ * and expiration date 'expire'.
+ *
+ * Requires:
+ * \li	bc to be a valid badcache.
+ * \li	name != NULL
+ * \li	expire != NULL
+ */
+
+bool
+dns_badcache_find(dns_badcache_t *bc, const dns_name_t *name,
+		  dns_rdatatype_t type, uint32_t *flagp, isc_time_t *now);
+/*%
+ * Returns true if a record is found in the badcache 'bc' matching
+ * 'name' and 'type', with an expiration date later than 'now'.
+ * If 'flagp' is not NULL, then '*flagp' is updated to the flags
+ * that were stored in the badcache entry.  Returns false if
+ * no matching record is found.
+ *
+ * Requires:
+ * \li	bc to be a valid badcache.
+ * \li	name != NULL
+ * \li	now != NULL
+ */
+
+void
+dns_badcache_flush(dns_badcache_t *bc);
+/*%
+ * Flush the entire bad cache.
+ *
+ * Requires:
+ * \li	bc to be a valid badcache
+ */
+
+void
+dns_badcache_flushname(dns_badcache_t *bc, const dns_name_t *name);
+/*%
+ * Flush the bad cache of all entries at 'name'.
+ *
+ * Requires:
+ * \li	bc to be a valid badcache
+ * \li	name != NULL
+ */
+
+void
+dns_badcache_flushtree(dns_badcache_t *bc, const dns_name_t *name);
+/*%
+ * Flush the bad cache of all entries at or below 'name'.
+ *
+ * Requires:
+ * \li	bc to be a valid badcache
+ * \li	name != NULL
+ */
+
+void
+dns_badcache_print(dns_badcache_t *bc, const char *cachename, FILE *fp);
+/*%
+ * Print the contents of badcache 'bc' (headed by the title 'cachename')
+ * to file pointer 'fp'.
+ *
+ * Requires:
+ * \li	bc to be a valid badcache
+ * \li	cachename != NULL
+ * \li	fp != NULL
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_BADCACHE_H */
diff --git a/lib/dns/include/dns/bit.h b/lib/dns/include/dns/bit.h
new file mode 100644
index 0000000..55696e2
--- /dev/null
+++ b/lib/dns/include/dns/bit.h
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_BIT_H
+#define DNS_BIT_H 1
+
+/*! \file dns/bit.h */
+
+#include <inttypes.h>
+
+typedef uint64_t dns_bitset_t;
+
+#define DNS_BIT_SET(bit, bitset)   (*(bitset) |= ((dns_bitset_t)1 << (bit)))
+#define DNS_BIT_CLEAR(bit, bitset) (*(bitset) &= ~((dns_bitset_t)1 << (bit)))
+#define DNS_BIT_CHECK(bit, bitset) \
+	((*(bitset) & ((dns_bitset_t)1 << (bit))) == ((dns_bitset_t)1 << (bit)))
+
+#endif /* DNS_BIT_H */
diff --git a/lib/dns/include/dns/byaddr.h b/lib/dns/include/dns/byaddr.h
new file mode 100644
index 0000000..f527ed3
--- /dev/null
+++ b/lib/dns/include/dns/byaddr.h
@@ -0,0 +1,152 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_BYADDR_H
+#define DNS_BYADDR_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file dns/byaddr.h
+ * \brief
+ * The byaddr module provides reverse lookup services for IPv4 and IPv6
+ * addresses.
+ *
+ * MP:
+ *\li	The module ensures appropriate synchronization of data structures it
+ *	creates and manipulates.
+ *
+ * Reliability:
+ *\li	No anticipated impact.
+ *
+ * Resources:
+ *\li	TBS
+ *
+ * Security:
+ *\li	No anticipated impact.
+ *
+ * Standards:
+ *\li	RFCs:	1034, 1035, 2181, TBS
+ *\li	Drafts:	TBS
+ */
+
+#include <isc/event.h>
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*%
+ * A 'dns_byaddrevent_t' is returned when a byaddr completes.
+ * The sender field will be set to the byaddr that completed.  If 'result'
+ * is ISC_R_SUCCESS, then 'names' will contain a list of names associated
+ * with the address.  The recipient of the event must not change the list
+ * and must not refer to any of the name data after the event is freed.
+ */
+typedef struct dns_byaddrevent {
+	ISC_EVENT_COMMON(struct dns_byaddrevent);
+	isc_result_t   result;
+	dns_namelist_t names;
+} dns_byaddrevent_t;
+
+isc_result_t
+dns_byaddr_create(isc_mem_t *mctx, const isc_netaddr_t *address,
+		  dns_view_t *view, unsigned int options, isc_task_t *task,
+		  isc_taskaction_t action, void *arg, dns_byaddr_t **byaddrp);
+/*%<
+ * Find the domain name of 'address'.
+ *
+ * Notes:
+ *
+ *\li	There is a reverse lookup format for IPv6 addresses, 'nibble'
+ *
+ *\li	The 'nibble' format for that address is
+ *
+ * \code
+ *   1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa.
+ * \endcode
+ *
+ * Requires:
+ *
+ *\li	'mctx' is a valid mctx.
+ *
+ *\li	'address' is a valid IPv4 or IPv6 address.
+ *
+ *\li	'view' is a valid view which has a resolver.
+ *
+ *\li	'task' is a valid task.
+ *
+ *\li	byaddrp != NULL && *byaddrp == NULL
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *
+ *\li	Any resolver-related error (e.g. #ISC_R_SHUTTINGDOWN) may also be
+ *	returned.
+ */
+
+void
+dns_byaddr_cancel(dns_byaddr_t *byaddr);
+/*%<
+ * Cancel 'byaddr'.
+ *
+ * Notes:
+ *
+ *\li	If 'byaddr' has not completed, post its #DNS_EVENT_BYADDRDONE
+ *	event with a result code of #ISC_R_CANCELED.
+ *
+ * Requires:
+ *
+ *\li	'byaddr' is a valid byaddr.
+ */
+
+void
+dns_byaddr_destroy(dns_byaddr_t **byaddrp);
+/*%<
+ * Destroy 'byaddr'.
+ *
+ * Requires:
+ *
+ *\li	'*byaddrp' is a valid byaddr.
+ *
+ *\li	The caller has received the #DNS_EVENT_BYADDRDONE event (either because
+ *	the byaddr completed or because dns_byaddr_cancel() was called).
+ *
+ * Ensures:
+ *
+ *\li	*byaddrp == NULL.
+ */
+
+isc_result_t
+dns_byaddr_createptrname(const isc_netaddr_t *address, unsigned int options,
+			 dns_name_t *name);
+/*%<
+ * Creates a name that would be used in a PTR query for this address.  The
+ * nibble flag indicates that the 'nibble' format is to be used if an IPv6
+ * address is provided, instead of the 'bitstring' format.  Since we dropped
+ * the support of the bitstring labels, it is expected that the flag is always
+ * set.  'options' are the same as for dns_byaddr_create().
+ *
+ * Requires:
+ *
+ * \li	'address' is a valid address.
+ * \li	'name' is a valid name with a dedicated buffer.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_BYADDR_H */
diff --git a/lib/dns/include/dns/cache.h b/lib/dns/include/dns/cache.h
new file mode 100644
index 0000000..b840a54
--- /dev/null
+++ b/lib/dns/include/dns/cache.h
@@ -0,0 +1,360 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_CACHE_H
+#define DNS_CACHE_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file dns/cache.h
+ * \brief
+ * Defines dns_cache_t, the cache object.
+ *
+ * Notes:
+ *\li 	A cache object contains DNS data of a single class.
+ *	Multiple classes will be handled by creating multiple
+ *	views, each with a different class and its own cache.
+ *
+ * MP:
+ *\li	See notes at the individual functions.
+ *
+ * Reliability:
+ *
+ * Resources:
+ *
+ * Security:
+ *
+ * Standards:
+ */
+
+/***
+ ***	Imports
+ ***/
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/stats.h>
+#include <isc/stdtime.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ ***	Functions
+ ***/
+isc_result_t
+dns_cache_create(isc_mem_t *cmctx, isc_mem_t *hmctx, isc_taskmgr_t *taskmgr,
+		 isc_timermgr_t *timermgr, dns_rdataclass_t rdclass,
+		 const char *cachename, const char *db_type,
+		 unsigned int db_argc, char **db_argv, dns_cache_t **cachep);
+/*%<
+ * Create a new DNS cache.
+ *
+ * dns_cache_create2() will create a named cache.
+ *
+ * dns_cache_create3() will create a named cache using two separate memory
+ * contexts, one for cache data which can be cleaned and a separate one for
+ * memory allocated for the heap (which can grow without an upper limit and
+ * has no mechanism for shrinking).
+ *
+ * dns_cache_create() is a backward compatible version that internally
+ * specifies an empty cache name and a single memory context.
+ *
+ * Requires:
+ *
+ *\li	'cmctx' (and 'hmctx' if applicable) is a valid memory context.
+ *
+ *\li	'taskmgr' is a valid task manager and 'timermgr' is a valid timer
+ * 	manager, or both are NULL.  If NULL, no periodic cleaning of the
+ * 	cache will take place.
+ *
+ *\li	'cachename' is a valid string.  This must not be NULL.
+ *
+ *\li	'cachep' is a valid pointer, and *cachep == NULL
+ *
+ * Ensures:
+ *
+ *\li	'*cachep' is attached to the newly created cache
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ */
+
+void
+dns_cache_attach(dns_cache_t *cache, dns_cache_t **targetp);
+/*%<
+ * Attach *targetp to cache.
+ *
+ * Requires:
+ *
+ *\li	'cache' is a valid cache.
+ *
+ *\li	'targetp' points to a NULL dns_cache_t *.
+ *
+ * Ensures:
+ *
+ *\li	*targetp is attached to cache.
+ */
+
+void
+dns_cache_detach(dns_cache_t **cachep);
+/*%<
+ * Detach *cachep from its cache.
+ *
+ * Requires:
+ *
+ *\li	'cachep' points to a valid cache.
+ *
+ * Ensures:
+ *
+ *\li	*cachep is NULL.
+ *
+ *\li	If '*cachep' is the last reference to the cache,
+ *		all resources used by the cache will be freed
+ */
+
+void
+dns_cache_attachdb(dns_cache_t *cache, dns_db_t **dbp);
+/*%<
+ * Attach *dbp to the cache's database.
+ *
+ * Notes:
+ *
+ *\li	This may be used to get a reference to the database for
+ *	the purpose of cache lookups (XXX currently it is also
+ * 	the way to add data to the cache, but having a
+ * 	separate dns_cache_add() interface instead would allow
+ * 	more control over memory usage).
+ *	The caller should call dns_db_detach() on the reference
+ *	when it is no longer needed.
+ *
+ * Requires:
+ *
+ *\li	'cache' is a valid cache.
+ *
+ *\li	'dbp' points to a NULL dns_db *.
+ *
+ * Ensures:
+ *
+ *\li	*dbp is attached to the database.
+ */
+
+isc_result_t
+dns_cache_setfilename(dns_cache_t *cache, const char *filename);
+/*%<
+ * If 'filename' is non-NULL, make the cache persistent.
+ * The cache's data will be stored in the given file.
+ * If 'filename' is NULL, make the cache non-persistent.
+ * Files that are no longer used are not unlinked automatically.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	Various file-related failures
+ */
+
+isc_result_t
+dns_cache_load(dns_cache_t *cache);
+/*%<
+ * If the cache has a file name, load the cache contents from the file.
+ * Previous cache contents are not discarded.
+ * If no file name has been set, do nothing and return success.
+ *
+ * MT:
+ *\li	Multiple simultaneous attempts to load or dump the cache
+ * 	will be serialized with respect to one another, but
+ *	the cache may be read and updated while the dump is
+ *	in progress.  Updates performed during loading
+ *	may or may not be preserved, and reads may return
+ * 	either the old or the newly loaded data.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *  \li    Various failures depending on the database implementation type
+ */
+
+isc_result_t
+dns_cache_dump(dns_cache_t *cache);
+/*%<
+ * If the cache has a file name, write the cache contents to disk,
+ * overwriting any preexisting file.  If no file name has been set,
+ * do nothing and return success.
+ *
+ * MT:
+ *\li	Multiple simultaneous attempts to load or dump the cache
+ * 	will be serialized with respect to one another, but
+ *	the cache may be read and updated while the dump is
+ *	in progress.  Updates performed during the dump may
+ * 	or may not be reflected in the dumped file.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *  \li    Various failures depending on the database implementation type
+ */
+
+isc_result_t
+dns_cache_clean(dns_cache_t *cache, isc_stdtime_t now);
+/*%<
+ * Force immediate cleaning of the cache, freeing all rdatasets
+ * whose TTL has expired as of 'now' and that have no pending
+ * references.
+ */
+
+const char *
+dns_cache_getname(dns_cache_t *cache);
+/*%<
+ * Get the cache name.
+ */
+
+void
+dns_cache_setcachesize(dns_cache_t *cache, size_t size);
+/*%<
+ * Set the maximum cache size.  0 means unlimited.
+ */
+
+size_t
+dns_cache_getcachesize(dns_cache_t *cache);
+/*%<
+ * Get the maximum cache size.
+ */
+
+void
+dns_cache_setservestalettl(dns_cache_t *cache, dns_ttl_t ttl);
+/*%<
+ * Sets the maximum length of time that cached answers may be retained
+ * past their normal TTL.  Default value for the library is 0, disabling
+ * the use of stale data.
+ *
+ * Requires:
+ *\li	'cache' to be valid.
+ */
+
+dns_ttl_t
+dns_cache_getservestalettl(dns_cache_t *cache);
+/*%<
+ * Gets the maximum length of time that cached answers may be kept past
+ * normal expiry.
+ *
+ * Requires:
+ *\li	'cache' to be valid.
+ */
+
+void
+dns_cache_setservestalerefresh(dns_cache_t *cache, dns_ttl_t interval);
+/*%<
+ * Sets the length of time to wait before attempting to refresh a rrset
+ * if a previous attempt in doing so has failed.
+ * During this time window if stale rrset are available in cache they
+ * will be directly returned to client.
+ *
+ * Requires:
+ *\li	'cache' to be valid.
+ */
+
+dns_ttl_t
+dns_cache_getservestalerefresh(dns_cache_t *cache);
+/*%<
+ * Gets the 'stale-refresh-time' value, set by a previous call to
+ * 'dns_cache_setservestalerefresh'.
+ *
+ * Requires:
+ *\li	'cache' to be valid.
+ */
+
+isc_result_t
+dns_cache_flush(dns_cache_t *cache);
+/*%<
+ * Flushes all data from the cache.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_cache_flushnode(dns_cache_t *cache, const dns_name_t *name, bool tree);
+/*
+ * Flush a given name from the cache.  If 'tree' is true, then
+ * also flush all names under 'name'.
+ *
+ * Requires:
+ *\li	'cache' to be valid.
+ *\li	'name' to be valid.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	other error returns.
+ */
+
+isc_result_t
+dns_cache_flushname(dns_cache_t *cache, const dns_name_t *name);
+/*
+ * Flush a given name from the cache.  Equivalent to
+ * dns_cache_flushpartial(cache, name, false).
+ *
+ * Requires:
+ *\li	'cache' to be valid.
+ *\li	'name' to be valid.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	other error returns.
+ */
+
+isc_stats_t *
+dns_cache_getstats(dns_cache_t *cache);
+/*
+ * Return a pointer to the stats collection object for 'cache'
+ */
+
+void
+dns_cache_dumpstats(dns_cache_t *cache, FILE *fp);
+/*
+ * Dump cache statistics and status in text to 'fp'
+ */
+
+void
+dns_cache_updatestats(dns_cache_t *cache, isc_result_t result);
+/*
+ * Update cache statistics based on result code in 'result'
+ */
+
+#ifdef HAVE_LIBXML2
+int
+dns_cache_renderxml(dns_cache_t *cache, void *writer0);
+/*
+ * Render cache statistics and status in XML for 'writer'.
+ */
+#endif /* HAVE_LIBXML2 */
+
+#ifdef HAVE_JSON_C
+isc_result_t
+dns_cache_renderjson(dns_cache_t *cache, void *cstats0);
+/*
+ * Render cache statistics and status in JSON
+ */
+#endif /* HAVE_JSON_C */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_CACHE_H */
diff --git a/lib/dns/include/dns/callbacks.h b/lib/dns/include/dns/callbacks.h
new file mode 100644
index 0000000..4d71915
--- /dev/null
+++ b/lib/dns/include/dns/callbacks.h
@@ -0,0 +1,103 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_CALLBACKS_H
+#define DNS_CALLBACKS_H 1
+
+/*! \file dns/callbacks.h */
+
+/***
+ ***	Imports
+ ***/
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ ***	Types
+ ***/
+
+#define DNS_CALLBACK_MAGIC     ISC_MAGIC('C', 'L', 'L', 'B')
+#define DNS_CALLBACK_VALID(cb) ISC_MAGIC_VALID(cb, DNS_CALLBACK_MAGIC)
+
+struct dns_rdatacallbacks {
+	unsigned int magic;
+
+	/*%
+	 * dns_load_master calls this when it has rdatasets to commit.
+	 */
+	dns_addrdatasetfunc_t add;
+
+	/*%
+	 * This is called when reading in a database image from a 'map'
+	 * format zone file.
+	 */
+	dns_deserializefunc_t deserialize;
+
+	/*%
+	 * dns_master_load*() call this when loading a raw zonefile,
+	 * to pass back information obtained from the file header
+	 */
+	dns_rawdatafunc_t rawdata;
+	dns_zone_t	 *zone;
+
+	/*%
+	 * dns_load_master / dns_rdata_fromtext call this to issue a error.
+	 */
+	void (*error)(struct dns_rdatacallbacks *, const char *, ...);
+	/*%
+	 * dns_load_master / dns_rdata_fromtext call this to issue a warning.
+	 */
+	void (*warn)(struct dns_rdatacallbacks *, const char *, ...);
+	/*%
+	 * Private data handles for use by the above callback functions.
+	 */
+	void *add_private;
+	void *deserialize_private;
+	void *error_private;
+	void *warn_private;
+};
+
+/***
+ ***	Initialization
+ ***/
+
+void
+dns_rdatacallbacks_init(dns_rdatacallbacks_t *callbacks);
+/*%<
+ * Initialize 'callbacks'.
+ *
+ * \li	'magic' is set to DNS_CALLBACK_MAGIC
+ *
+ * \li	'error' and 'warn' are set to default callbacks that print the
+ *	error message through the DNS library log context.
+ *
+ *\li	All other elements are initialized to NULL.
+ *
+ * Requires:
+ *  \li    'callbacks' is a valid dns_rdatacallbacks_t,
+ */
+
+void
+dns_rdatacallbacks_init_stdio(dns_rdatacallbacks_t *callbacks);
+/*%<
+ * Like dns_rdatacallbacks_init, but logs to stdio.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_CALLBACKS_H */
diff --git a/lib/dns/include/dns/catz.h b/lib/dns/include/dns/catz.h
new file mode 100644
index 0000000..7502829
--- /dev/null
+++ b/lib/dns/include/dns/catz.h
@@ -0,0 +1,473 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_CATZ_H
+#define DNS_CATZ_H 1
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/ht.h>
+#include <isc/lang.h>
+#include <isc/refcount.h>
+#include <isc/rwlock.h>
+#include <isc/time.h>
+#include <isc/timer.h>
+
+#include <dns/db.h>
+#include <dns/fixedname.h>
+#include <dns/ipkeylist.h>
+#include <dns/rdata.h>
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+#define DNS_CATZ_ERROR_LEVEL  ISC_LOG_WARNING
+#define DNS_CATZ_INFO_LEVEL   ISC_LOG_INFO
+#define DNS_CATZ_DEBUG_LEVEL1 ISC_LOG_DEBUG(1)
+#define DNS_CATZ_DEBUG_LEVEL2 ISC_LOG_DEBUG(2)
+#define DNS_CATZ_DEBUG_LEVEL3 ISC_LOG_DEBUG(3)
+#define DNS_CATZ_DEBUG_QUIET  (DNS_CATZ_DEBUG_LEVEL3 + 1)
+
+/*
+ * Catalog Zones functions and structures.
+ */
+
+/*
+ * Options for a member zone in a catalog
+ */
+struct dns_catz_entry_options {
+	/*
+	 * Options that can be overridden in catalog zone
+	 */
+	/* default-masters definition */
+	dns_ipkeylist_t masters;
+
+	/* both as text in config format, NULL if none */
+	isc_buffer_t *allow_query;
+	isc_buffer_t *allow_transfer;
+
+	/*
+	 * Options that are only set in named.conf
+	 */
+	/* zone-directory definition */
+	char *zonedir;
+
+	/* zone should not be stored on disk (no 'file' statement in def */
+	bool in_memory;
+	/*
+	 * Minimal interval between catalog zone updates, if a new version
+	 * of catalog zone is received before this time the update will be
+	 * postponed. This is a global option for the whole catalog zone.
+	 */
+	uint32_t min_update_interval;
+};
+
+void
+dns_catz_options_init(dns_catz_options_t *options);
+/*%<
+ * Initialize 'options' to NULL values.
+ *
+ * Requires:
+ * \li	'options' to be non NULL.
+ */
+
+void
+dns_catz_options_free(dns_catz_options_t *options, isc_mem_t *mctx);
+/*%<
+ * Free 'options' contents into 'mctx'. ('options' itself is not freed.)
+ *
+ * Requires:
+ * \li	'options' to be non NULL.
+ * \li	'mctx' to be a valid memory context.
+ */
+
+isc_result_t
+dns_catz_options_copy(isc_mem_t *mctx, const dns_catz_options_t *opts,
+		      dns_catz_options_t *nopts);
+/*%<
+ * Duplicate 'opts' into 'nopts', allocating space from 'mctx'.
+ *
+ * Requires:
+ * \li	'mctx' to be a valid memory context.
+ * \li	'options' to be non NULL and valid options.
+ * \li	'nopts' to be non NULL.
+ */
+
+isc_result_t
+dns_catz_options_setdefault(isc_mem_t *mctx, const dns_catz_options_t *defaults,
+			    dns_catz_options_t *opts);
+/*%<
+ * Replace empty values in 'opts' with values from 'defaults'
+ *
+ * Requires:
+ * \li	'mctx' to be a valid memory context.
+ * \li	'defaults' to be non NULL and valid options.
+ * \li	'opts' to be non NULL.
+ */
+
+dns_name_t *
+dns_catz_entry_getname(dns_catz_entry_t *entry);
+/*%<
+ * Get domain name for 'entry'
+ *
+ * Requires:
+ * \li	'entry' to be non NULL.
+ *
+ * Returns:
+ * \li	domain name for entry.
+ */
+
+isc_result_t
+dns_catz_entry_new(isc_mem_t *mctx, const dns_name_t *domain,
+		   dns_catz_entry_t **nentryp);
+/*%<
+ * Allocate a new catz_entry on 'mctx', with the name 'domain'
+ *
+ * Requires:
+ * \li	'mctx' to be a valid memory context.
+ * \li	'domain' to be valid dns_name or NULL.
+ * \li	'nentryp' to be non NULL, *nentryp to be NULL.
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS on success
+ * \li	ISC_R_NOMEMORY on allocation failure
+ */
+
+isc_result_t
+dns_catz_entry_copy(dns_catz_zone_t *zone, const dns_catz_entry_t *entry,
+		    dns_catz_entry_t **nentryp);
+/*%<
+ * Allocate a new catz_entry and deep copy 'entry' into 'nentryp'.
+ *
+ * Requires:
+ * \li	'mctx' to be a valid memory context.
+ * \li	'entry' to be non NULL.
+ * \li	'nentryp' to be non NULL, *nentryp to be NULL.
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS on success
+ * \li	ISC_R_NOMEMORY on allocation failure
+ */
+
+void
+dns_catz_entry_attach(dns_catz_entry_t *entry, dns_catz_entry_t **entryp);
+/*%<
+ * Attach an entry
+ *
+ * Requires:
+ * \li	'entry' is a valid dns_catz_entry_t.
+ * \li	'entryp' is not NULL and '*entryp' is NULL.
+ */
+
+void
+dns_catz_entry_detach(dns_catz_zone_t *zone, dns_catz_entry_t **entryp);
+/*%<
+ * Detach an entry, free if no further references
+ *
+ * Requires:
+ * \li	'zone' is a valid dns_catz_zone_t.
+ * \li	'entryp' is not NULL and '*entryp' is not NULL.
+ */
+
+bool
+dns_catz_entry_validate(const dns_catz_entry_t *entry);
+/*%<
+ * Validate whether entry is correct.
+ * (NOT YET IMPLEMENTED: always returns true)
+ *
+ * Requires:
+ *\li	'entry' is a valid dns_catz_entry_t.
+ */
+
+bool
+dns_catz_entry_cmp(const dns_catz_entry_t *ea, const dns_catz_entry_t *eb);
+/*%<
+ * Deep compare two entries
+ *
+ * Requires:
+ * \li	'ea' is a valid dns_catz_entry_t.
+ * \li	'eb' is a valid dns_catz_entry_t.
+ *
+ * Returns:
+ * \li 'true' if entries are the same.
+ * \li 'false' if the entries differ.
+ */
+
+void
+dns_catz_zone_attach(dns_catz_zone_t *zone, dns_catz_zone_t **zonep);
+/*%<
+ * Attach a catzone
+ *
+ * Requires:
+ * \li	'zone' is a valid dns_catz_zone_t.
+ * \li	'zonep' is not NULL and '*zonep' is NULL.
+ */
+
+void
+dns_catz_zone_detach(dns_catz_zone_t **zonep);
+/*%<
+ * Detach a zone, free if no further references
+ *
+ * Requires:
+ * \li	'zonep' is not NULL and '*zonep' is not NULL.
+ */
+
+isc_result_t
+dns_catz_new_zone(dns_catz_zones_t *catzs, dns_catz_zone_t **zonep,
+		  const dns_name_t *name);
+/*%<
+ * Allocate a new catz zone on catzs mctx
+ *
+ * Requires:
+ * \li	'catzs' is a valid dns_catz_zones_t.
+ * \li	'zonep' is not NULL and '*zonep' is NULL.
+ * \li	'name' is a valid dns_name_t.
+ *
+ */
+
+dns_name_t *
+dns_catz_zone_getname(dns_catz_zone_t *zone);
+/*%<
+ * Get catalog zone name
+ *
+ * Requires:
+ * \li	'zone' is a valid dns_catz_zone_t.
+ */
+
+dns_catz_options_t *
+dns_catz_zone_getdefoptions(dns_catz_zone_t *zone);
+/*%<
+ * Get default member zone options for catalog zone 'zone'
+ *
+ * Requires:
+ * \li	'zone' is a valid dns_catz_zone_t.
+ */
+
+void
+dns_catz_zone_resetdefoptions(dns_catz_zone_t *zone);
+/*%<
+ * Reset the default member zone options for catalog zone 'zone' to
+ * the default values.
+ *
+ * Requires:
+ * \li	'zone' is a valid dns_catz_zone_t.
+ */
+
+isc_result_t
+dns_catz_zones_merge(dns_catz_zone_t *target, dns_catz_zone_t *newzone);
+/*%<
+ * Merge 'newzone' into 'target', calling addzone/delzone/modzone
+ * (from zone->catzs->zmm) for appropriate member zones.
+ *
+ * Requires:
+ * \li	'orig' is a valid dns_catz_zone_t.
+ * \li	'newzone' is not NULL and '*newzone' is not NULL.
+ *
+ */
+
+isc_result_t
+dns_catz_update_process(dns_catz_zones_t *catzs, dns_catz_zone_t *zone,
+			const dns_name_t *src_name, dns_rdataset_t *rdataset);
+/*%<
+ * Process a single rdataset from a catalog zone 'zone' update, src_name is the
+ * record name.
+ *
+ * Requires:
+ * \li	'catzs' is a valid dns_catz_zones_t.
+ * \li	'zone' is a valid dns_catz_zone_t.
+ * \li	'src_name' is a valid dns_name_t.
+ * \li	'rdataset' is valid rdataset.
+ */
+
+isc_result_t
+dns_catz_generate_masterfilename(dns_catz_zone_t *zone, dns_catz_entry_t *entry,
+				 isc_buffer_t **buffer);
+/*%<
+ * Generate master file name and put it into *buffer (might be reallocated).
+ * The general format of the file name is:
+ * __catz__catalog.zone.name__member_zone_name.db
+ * But if it's too long it's shortened to:
+ * __catz__unique_hash_generated_from_the_above.db
+ *
+ * Requires:
+ * \li	'zone' is a valid dns_catz_zone_t.
+ * \li	'entry' is a valid dns_catz_entry_t.
+ * \li	'buffer' is not NULL and '*buffer' is not NULL.
+ */
+
+isc_result_t
+dns_catz_generate_zonecfg(dns_catz_zone_t *zone, dns_catz_entry_t *entry,
+			  isc_buffer_t **buf);
+/*%<
+ * Generate a zone config entry (in text form) from dns_catz_entry and puts
+ * it into *buf. buf might be reallocated.
+ *
+ * Requires:
+ * \li	'zone' is a valid dns_catz_zone_t.
+ * \li	'entry' is a valid dns_catz_entry_t.
+ * \li	'buf' is not NULL and '*buf' is NULL.
+ *
+ */
+
+/* Methods provided by named to dynamically modify the member zones */
+/* xxxwpk TODO config! */
+typedef isc_result_t (*dns_catz_zoneop_fn_t)(dns_catz_entry_t *entry,
+					     dns_catz_zone_t  *origin,
+					     dns_view_t	      *view,
+					     isc_taskmgr_t    *taskmgr,
+					     void	      *udata);
+struct dns_catz_zonemodmethods {
+	dns_catz_zoneop_fn_t addzone;
+	dns_catz_zoneop_fn_t modzone;
+	dns_catz_zoneop_fn_t delzone;
+	void		    *udata;
+};
+
+isc_result_t
+dns_catz_new_zones(dns_catz_zones_t **catzsp, dns_catz_zonemodmethods_t *zmm,
+		   isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
+		   isc_timermgr_t *timermgr);
+/*%<
+ * Allocate a new catz_zones object, a collection storing all catalog zones
+ * for a view.
+ *
+ * Requires:
+ * \li 'catzsp' is not NULL and '*catzsp' is NULL.
+ * \li 'zmm' is not NULL.
+ *
+ */
+
+isc_result_t
+dns_catz_add_zone(dns_catz_zones_t *catzs, const dns_name_t *name,
+		  dns_catz_zone_t **catzp);
+/*%<
+ * Allocate a new catz named 'name' and put it in 'catzs' collection.
+ *
+ * Requires:
+ * \li	'catzs' is a valid dns_catz_zones_t.
+ * \li	'name' is a valid dns_name_t.
+ * \li	'zonep' is not NULL and *zonep is NULL.
+ *
+ */
+
+dns_catz_zone_t *
+dns_catz_get_zone(dns_catz_zones_t *catzs, const dns_name_t *name);
+/*%<
+ * Returns a zone named 'name' from collection 'catzs'
+ *
+ * Requires:
+ * \li	'catzs' is a valid dns_catz_zones_t.
+ * \li	'name' is a valid dns_name_t.
+ */
+
+void
+dns_catz_catzs_attach(dns_catz_zones_t *catzs, dns_catz_zones_t **catzsp);
+/*%<
+ * Attach 'catzs' to 'catzsp'.
+ *
+ * Requires:
+ * \li	'catzs' is a valid dns_catz_zones_t.
+ * \li	'catzsp' is not NULL and *catzsp is NULL.
+ */
+
+void
+dns_catz_catzs_detach(dns_catz_zones_t **catzsp);
+/*%<
+ * Detach 'catzsp', free if no further references.
+ *
+ * Requires:
+ * \li	'catzsp' is not NULL and *catzsp is not NULL.
+ */
+
+void
+dns_catz_catzs_set_view(dns_catz_zones_t *catzs, dns_view_t *view);
+/*%<
+ * Set a view for 'catzs'.
+ *
+ * Requires:
+ * \li	'catzs' is a valid dns_catz_zones_t.
+ * \li	'catzs->view' is NULL or 'catzs->view' == 'view'.
+ */
+
+isc_result_t
+dns_catz_dbupdate_callback(dns_db_t *db, void *fn_arg);
+/*%<
+ * Callback for update of catalog zone database.
+ * If there was no catalog zone update recently it launches an
+ * update_taskaction immediately.
+ * If there was an update recently it schedules update_taskaction for some time
+ * in the future.
+ * If there is an update scheduled it replaces old db version with a new one.
+ *
+ * Requires:
+ * \li	'db' is a valid database.
+ * \li	'fn_arg' is not NULL (casted to dns_catz_zones_t*).
+ */
+
+void
+dns_catz_update_taskaction(isc_task_t *task, isc_event_t *event);
+/*%<
+ * Task that launches dns_catz_update_from_db.
+ *
+ * Requires:
+ * \li	'event' is not NULL.
+ */
+
+void
+dns_catz_update_from_db(dns_db_t *db, dns_catz_zones_t *catzs);
+/*%<
+ * Process an updated database for a catalog zone.
+ * It creates a new catz, iterates over database to fill it with content, and
+ * then merges new catz into old catz.
+ *
+ * Requires:
+ * \li	'db' is a valid DB.
+ * \li	'catzs' is a valid dns_catz_zones_t.
+ *
+ */
+
+void
+dns_catz_prereconfig(dns_catz_zones_t *catzs);
+/*%<
+ * Called before reconfig, clears 'active' flag on all the zones in set
+ *
+ * Requires:
+ * \li	'catzs' is a valid dns_catz_zones_t.
+ *
+ */
+
+void
+dns_catz_postreconfig(dns_catz_zones_t *catzs);
+/*%<
+ * Called after reconfig, walks through all zones in set, removes those
+ * inactive and force reload of those with changed configuration.
+ *
+ * Requires:
+ * \li	'catzs' is a valid dns_catz_zones_t.
+ */
+
+void
+dns_catz_get_iterator(dns_catz_zone_t *catz, isc_ht_iter_t **itp);
+/*%<
+ * Get the hashtable iterator on catalog zone members, point '*itp' to it.
+ *
+ * Requires:
+ * \li	'catzs' is a valid dns_catz_zones_t.
+ * \li	'itp' is not NULL and '*itp' is NULL.
+ *
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_CATZ_H_ */
diff --git a/lib/dns/include/dns/cert.h b/lib/dns/include/dns/cert.h
new file mode 100644
index 0000000..cdfa245
--- /dev/null
+++ b/lib/dns/include/dns/cert.h
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_CERT_H
+#define DNS_CERT_H 1
+
+/*! \file dns/cert.h */
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_cert_fromtext(dns_cert_t *certp, isc_textregion_t *source);
+/*%<
+ * Convert the text 'source' refers to into a certificate type.
+ * The text may contain either a mnemonic type name or a decimal type number.
+ *
+ * Requires:
+ *\li	'certp' is a valid pointer.
+ *
+ *\li	'source' is a valid text region.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS			on success
+ *\li	#ISC_R_RANGE			numeric type is out of range
+ *\li	#DNS_R_UNKNOWN			mnemonic type is unknown
+ */
+
+isc_result_t
+dns_cert_totext(dns_cert_t cert, isc_buffer_t *target);
+/*%<
+ * Put a textual representation of certificate type 'cert' into 'target'.
+ *
+ * Requires:
+ *\li	'cert' is a valid cert.
+ *
+ *\li	'target' is a valid text buffer.
+ *
+ * Ensures:
+ *\li	If the result is success:
+ *		The used space in 'target' is updated.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS			on success
+ *\li	#ISC_R_NOSPACE			target buffer is too small
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_CERT_H */
diff --git a/lib/dns/include/dns/client.h b/lib/dns/include/dns/client.h
new file mode 100644
index 0000000..fdcb698
--- /dev/null
+++ b/lib/dns/include/dns/client.h
@@ -0,0 +1,476 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_CLIENT_H
+#define DNS_CLIENT_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file
+ *
+ * \brief
+ * The DNS client module provides convenient programming interfaces to various
+ * DNS services, such as name resolution with or without DNSSEC validation or
+ * dynamic DNS update.  This module is primarily expected to be used by other
+ * applications than BIND9-related ones that need such advanced DNS features.
+ *
+ * MP:
+ *\li	In the typical usage of this module, application threads will not share
+ *	the same data structures created and manipulated in this module.
+ *	However, the module still ensures appropriate synchronization of such
+ *	data structures.
+ *
+ * Resources:
+ *\li	TBS
+ *
+ * Security:
+ *\li	This module does not handle any low-level data directly, and so no
+ *	security issue specific to this module is anticipated.
+ */
+
+#include <isc/event.h>
+#include <isc/sockaddr.h>
+
+#include <dns/tsig.h>
+#include <dns/types.h>
+
+#include <dst/dst.h>
+
+typedef enum {
+	updateop_none = 0,
+	updateop_add = 1,
+	updateop_delete = 2,
+	updateop_exist = 3,
+	updateop_notexist = 4,
+	updateop_max = 5
+} dns_client_updateop_t;
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Types
+ ***/
+
+/*%
+ * Optional flags for dns_client_create(x).
+ */
+/*%< Enable caching resolution results (experimental). */
+#define DNS_CLIENTCREATEOPT_USECACHE 0x8000
+
+/*%
+ * Optional flags for dns_client_(start)resolve.
+ */
+/*%< Do not return DNSSEC data (e.g. RRSIGS) with response. */
+#define DNS_CLIENTRESOPT_NODNSSEC 0x01
+/*%< Allow running external context. */
+#define DNS_CLIENTRESOPT_RESERVED 0x02
+/*%< Don't validate responses. */
+#define DNS_CLIENTRESOPT_NOVALIDATE 0x04
+/*%< Don't set the CD flag on upstream queries. */
+#define DNS_CLIENTRESOPT_NOCDFLAG 0x08
+/*%< Use TCP transport. */
+#define DNS_CLIENTRESOPT_TCP 0x10
+
+/*%
+ * Optional flags for dns_client_(start)request.
+ */
+/*%< Allow running external context. */
+#define DNS_CLIENTREQOPT_RESERVED 0x01
+/*%< Use TCP transport. */
+#define DNS_CLIENTREQOPT_TCP 0x02
+
+/*%
+ * Optional flags for dns_client_(start)update.
+ */
+/*%< Allow running external context. */
+#define DNS_CLIENTUPDOPT_RESERVED 0x01
+/*%< Use TCP transport. */
+#define DNS_CLIENTUPDOPT_TCP 0x02
+
+/*%
+ * View name used in dns_client.
+ */
+#define DNS_CLIENTVIEW_NAME "_dnsclient"
+
+/*%
+ * A dns_clientresevent_t is sent when name resolution performed by a client
+ * completes.  'result' stores the result code of the entire resolution
+ * procedure.  'vresult' specifically stores the result code of DNSSEC
+ * validation if it is performed.  When name resolution successfully completes,
+ * 'answerlist' is typically non empty, containing answer names along with
+ * RRsets.  It is the receiver's responsibility to free this list by calling
+ * dns_client_freeresanswer() before freeing the event structure.
+ */
+typedef struct dns_clientresevent {
+	ISC_EVENT_COMMON(struct dns_clientresevent);
+	isc_result_t   result;
+	isc_result_t   vresult;
+	dns_namelist_t answerlist;
+} dns_clientresevent_t; /* too long? */
+
+/*%
+ * A dns_clientreqevent_t is sent when a DNS request is completed by a client.
+ * 'result' stores the result code of the entire transaction.
+ * If the transaction is successfully completed but the response packet cannot
+ * be parsed, 'result' will store the result code of dns_message_parse().
+ * If the response packet is received, 'rmessage' will contain the response
+ * message, whether it is successfully parsed or not.
+ */
+typedef struct dns_clientreqevent {
+	ISC_EVENT_COMMON(struct dns_clientreqevent);
+	isc_result_t   result;
+	dns_message_t *rmessage;
+} dns_clientreqevent_t; /* too long? */
+
+isc_result_t
+dns_client_create(isc_mem_t *mctx, isc_appctx_t *actx, isc_taskmgr_t *taskmgr,
+		  isc_socketmgr_t *socketmgr, isc_timermgr_t *timermgr,
+		  unsigned int options, dns_client_t **clientp,
+		  const isc_sockaddr_t *localaddr4,
+		  const isc_sockaddr_t *localaddr6);
+/*%<
+ * Create a DNS client object with minimal internal resources, such as
+ * a default view for the IN class and IPv4/IPv6 dispatches for the view.
+ *
+ * dns_client_create() takes 'manager' arguments so that the caller can
+ * control the behavior of the client through the underlying event framework.
+ * 'localaddr4' and 'localaddr6' specify the local addresses to use for
+ * each address family; if both are set to NULL, then wildcard addresses
+ * will be used for both families. If only one is NULL, then the other
+ * address will be used as the local address, and the NULL protocol family
+ * will not be used.
+ *
+ * Requires:
+ *
+ *\li	'mctx' is a valid memory context.
+ *
+ *\li	'actx' is a valid application context.
+ *
+ *\li	'taskmgr' is a valid task manager.
+ *
+ *\li	'socketmgr' is a valid socket manager.
+ *
+ *\li	'timermgr' is a valid timer manager.
+ *
+ *\li	clientp != NULL && *clientp == NULL.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS				On success.
+ *
+ *\li	Anything else				Failure.
+ */
+
+void
+dns_client_destroy(dns_client_t **clientp);
+/*%<
+ * Destroy 'client'.
+ *
+ * Requires:
+ *
+ *\li	'*clientp' is a valid client.
+ *
+ * Ensures:
+ *
+ *\li	*clientp == NULL.
+ */
+
+isc_result_t
+dns_client_setservers(dns_client_t *client, dns_rdataclass_t rdclass,
+		      const dns_name_t *name_space, isc_sockaddrlist_t *addrs);
+/*%<
+ * Specify a list of addresses of recursive name servers that the client will
+ * use for name resolution.  A view for the 'rdclass' class must be created
+ * beforehand.  If 'name_space' is non NULL, the specified server will be used
+ * if and only if the query name is a subdomain of 'name_space'.  When servers
+ * for multiple 'name_space's are provided, and a query name is covered by
+ * more than one 'name_space', the servers for the best (longest) matching
+ * name_space will be used.  If 'name_space' is NULL, it works as if
+ * dns_rootname (.) were specified.
+ *
+ * Requires:
+ *
+ *\li	'client' is a valid client.
+ *
+ *\li	'name_space' is NULL or a valid name.
+ *
+ *\li	'addrs' != NULL.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS				On success.
+ *
+ *\li	Anything else				Failure.
+ */
+
+isc_result_t
+dns_client_clearservers(dns_client_t *client, dns_rdataclass_t rdclass,
+			const dns_name_t *name_space);
+/*%<
+ * Remove configured recursive name servers for the 'rdclass' and 'name_space'
+ * from the client.  See the description of dns_client_setservers() for
+ * the requirements about 'rdclass' and 'name_space'.
+ *
+ * Requires:
+ *
+ *\li	'client' is a valid client.
+ *
+ *\li	'name_space' is NULL or a valid name.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS				On success.
+ *
+ *\li	Anything else				Failure.
+ */
+
+isc_result_t
+dns_client_resolve(dns_client_t *client, const dns_name_t *name,
+		   dns_rdataclass_t rdclass, dns_rdatatype_t type,
+		   unsigned int options, dns_namelist_t *namelist);
+
+isc_result_t
+dns_client_startresolve(dns_client_t *client, const dns_name_t *name,
+			dns_rdataclass_t rdclass, dns_rdatatype_t type,
+			unsigned int options, isc_task_t *task,
+			isc_taskaction_t action, void *arg,
+			dns_clientrestrans_t **transp);
+/*%<
+ * Perform name resolution for 'name', 'rdclass', and 'type'.
+ *
+ * If any trusted keys are configured and the query name is considered to
+ * belong to a secure zone, these functions also validate the responses
+ * using DNSSEC by default.  If the DNS_CLIENTRESOPT_NOVALIDATE flag is set
+ * in 'options', DNSSEC validation is disabled regardless of the configured
+ * trusted keys or the query name. With DNS_CLIENTRESOPT_NODNSSEC
+ * DNSSEC data is not returned with response. DNS_CLIENTRESOPT_NOCDFLAG
+ * disables the CD flag on queries, DNS_CLIENTRESOPT_TCP switches to
+ * the TCP (vs. UDP) transport.
+ *
+ * dns_client_resolve() provides a synchronous service.  This function starts
+ * name resolution internally and blocks until it completes.  On success,
+ * 'namelist' will contain a list of answer names, each of which has
+ * corresponding RRsets.  The caller must provide a valid empty list, and
+ * is responsible for freeing the list content via dns_client_freeresanswer().
+ * If the name resolution fails due to an error in DNSSEC validation,
+ * dns_client_resolve() returns the result code indicating the validation
+ * error. Otherwise, it returns the result code of the entire resolution
+ * process, either success or failure.
+ *
+ * It is expected that the client object passed to dns_client_resolve() was
+ * created via dns_client_create() and has external managers and contexts.
+ *
+ * dns_client_startresolve() is an asynchronous version of dns_client_resolve()
+ * and does not block.  When name resolution is completed, 'action' will be
+ * called with the argument of a 'dns_clientresevent_t' object, which contains
+ * the resulting list of answer names (on success).  On return, '*transp' is
+ * set to an opaque transaction ID so that the caller can cancel this
+ * resolution process.
+ *
+ * Requires:
+ *
+ *\li	'client' is a valid client.
+ *
+ *\li	'addrs' != NULL.
+ *
+ *\li	'name' is a valid name.
+ *
+ *\li	'namelist' != NULL and is not empty.
+ *
+ *\li	'task' is a valid task.
+ *
+ *\li	'transp' != NULL && *transp == NULL;
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS				On success.
+ *
+ *\li	Anything else				Failure.
+ */
+
+void
+dns_client_cancelresolve(dns_clientrestrans_t *trans);
+/*%<
+ * Cancel an ongoing resolution procedure started via
+ * dns_client_startresolve().
+ *
+ * Notes:
+ *
+ *\li	If the resolution procedure has not completed, post its CLIENTRESDONE
+ *	event with a result code of #ISC_R_CANCELED.
+ *
+ * Requires:
+ *
+ *\li	'trans' is a valid transaction ID.
+ */
+
+void
+dns_client_destroyrestrans(dns_clientrestrans_t **transp);
+/*%<
+ * Destroy name resolution transaction state identified by '*transp'.
+ *
+ * Requires:
+ *
+ *\li	'*transp' is a valid transaction ID.
+ *
+ *\li	The caller has received the CLIENTRESDONE event (either because the
+ *	resolution completed or because dns_client_cancelresolve() was called).
+ *
+ * Ensures:
+ *
+ *\li	*transp == NULL.
+ */
+
+void
+dns_client_freeresanswer(dns_client_t *client, dns_namelist_t *namelist);
+/*%<
+ * Free resources allocated for the content of 'namelist'.
+ *
+ * Requires:
+ *
+ *\li	'client' is a valid client.
+ *
+ *\li	'namelist' != NULL.
+ */
+
+isc_result_t
+dns_client_addtrustedkey(dns_client_t *client, dns_rdataclass_t rdclass,
+			 dns_rdatatype_t rdtype, const dns_name_t *keyname,
+			 isc_buffer_t *keydatabuf);
+/*%<
+ * Add a DNSSEC trusted key for the 'rdclass' class.  A view for the 'rdclass'
+ * class must be created beforehand.  'rdtype' is the type of the RR data
+ * for the key, either DNSKEY or DS.  'keyname' is the DNS name of the key,
+ * and 'keydatabuf' stores the RR data.
+ *
+ * Requires:
+ *
+ *\li	'client' is a valid client.
+ *
+ *\li	'keyname' is a valid name.
+ *
+ *\li	'keydatabuf' is a valid buffer.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS				On success.
+ *
+ *\li	Anything else				Failure.
+ */
+
+isc_result_t
+dns_client_request(dns_client_t *client, dns_message_t *qmessage,
+		   dns_message_t *rmessage, const isc_sockaddr_t *server,
+		   unsigned int options, unsigned int parseoptions,
+		   dns_tsec_t *tsec, unsigned int timeout,
+		   unsigned int udptimeout, unsigned int udpretries);
+
+isc_result_t
+dns_client_startrequest(dns_client_t *client, dns_message_t *qmessage,
+			dns_message_t *rmessage, const isc_sockaddr_t *server,
+			unsigned int options, unsigned int parseoptions,
+			dns_tsec_t *tsec, unsigned int timeout,
+			unsigned int udptimeout, unsigned int udpretries,
+			isc_task_t *task, isc_taskaction_t action, void *arg,
+			dns_clientreqtrans_t **transp);
+
+/*%<
+ * Send a DNS request containing a query message 'query' to 'server'.
+ *
+ * 'parseoptions' will be used when the response packet is parsed, and will be
+ * passed to dns_message_parse() via dns_request_getresponse().  See
+ * dns_message_parse() for more details.
+ *
+ * 'tsec' is a transaction security object containing, e.g. a TSIG key for
+ * authenticating the request/response transaction.  This is optional and can
+ * be NULL, in which case this library performs the transaction  without any
+ * transaction authentication.
+ *
+ * 'timeout', 'udptimeout', and 'udpretries' are passed to
+ * dns_request_createvia3().  See dns_request_createvia3() for more details.
+ *
+ * dns_client_request() provides a synchronous service.  This function sends
+ * the request and blocks until a response is received.  On success,
+ * 'rmessage' will contain the response message.  The caller must provide a
+ * valid initialized message.
+ *
+ * It is expected that the client object passed to dns_client_request() was
+ * created via dns_client_create() and has external managers and contexts.
+ *
+ * dns_client_startrequest() is an asynchronous version of dns_client_request()
+ * and does not block.  When the transaction is completed, 'action' will be
+ * called with the argument of a 'dns_clientreqevent_t' object, which contains
+ * the response message (on success).  On return, '*transp' is set to an opaque
+ * transaction ID so that the caller can cancel this request.
+ *
+ * DNS_CLIENTREQOPT_TCP switches to the TCP (vs. UDP) transport.
+ *
+ * Requires:
+ *
+ *\li	'client' is a valid client.
+ *
+ *\li	'qmessage' and 'rmessage' are valid initialized message.
+ *
+ *\li	'server' is a valid socket address structure.
+ *
+ *\li	'task' is a valid task.
+ *
+ *\li	'transp' != NULL && *transp == NULL;
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS				On success.
+ *
+ *\li	Anything else				Failure.
+ *
+ *\li	Any result that dns_message_parse() can return.
+ */
+
+void
+dns_client_cancelrequest(dns_clientreqtrans_t *transp);
+/*%<
+ * Cancel an ongoing DNS request procedure started via
+ * dns_client_startrequest().
+ *
+ * Notes:
+ *
+ *\li	If the request procedure has not completed, post its CLIENTREQDONE
+ *	event with a result code of #ISC_R_CANCELED.
+ *
+ * Requires:
+ *
+ *\li	'trans' is a valid transaction ID.
+ */
+
+void
+dns_client_destroyreqtrans(dns_clientreqtrans_t **transp);
+/*%
+ * Destroy DNS request transaction state identified by '*transp'.
+ *
+ * Requires:
+ *
+ *\li	'*transp' is a valid transaction ID.
+ *
+ *\li	The caller has received the CLIENTREQDONE event (either because the
+ *	request completed or because dns_client_cancelrequest() was called).
+ *
+ * Ensures:
+ *
+ *\li	*transp == NULL.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_CLIENT_H */
diff --git a/lib/dns/include/dns/clientinfo.h b/lib/dns/include/dns/clientinfo.h
new file mode 100644
index 0000000..3928d21
--- /dev/null
+++ b/lib/dns/include/dns/clientinfo.h
@@ -0,0 +1,95 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_CLIENTINFO_H
+#define DNS_CLIENTINFO_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file dns/clientinfo.h
+ * \brief
+ * The DNS clientinfo interface allows libdns to retrieve information
+ * about the client from the caller.
+ *
+ * The clientinfo interface is used by the DNS DB and DLZ interfaces;
+ * it allows databases to modify their answers on the basis of information
+ * about the client, such as source IP address.
+ *
+ * dns_clientinfo_t contains a pointer to an opaque structure containing
+ * client information in some form.  dns_clientinfomethods_t contains a
+ * list of methods which operate on that opaque structure to return
+ * potentially useful data.  Both structures also contain versioning
+ * information.
+ */
+
+/*****
+***** Imports
+*****/
+
+#include <inttypes.h>
+
+#include <isc/sockaddr.h>
+#include <isc/types.h>
+
+#include <dns/ecs.h>
+
+ISC_LANG_BEGINDECLS
+
+/*****
+***** Types
+*****/
+
+#define DNS_CLIENTINFO_VERSION 3
+/*
+ * Any updates to this structure should also be applied in
+ * contrib/modules/dlz/dlz_minmal.h.
+ */
+typedef struct dns_clientinfo {
+	uint16_t  version;
+	void	 *data;
+	void	 *dbversion;
+	dns_ecs_t ecs;
+} dns_clientinfo_t;
+
+typedef isc_result_t (*dns_clientinfo_sourceip_t)(dns_clientinfo_t *client,
+						  isc_sockaddr_t  **addrp);
+
+#define DNS_CLIENTINFOMETHODS_VERSION 2
+#define DNS_CLIENTINFOMETHODS_AGE     1
+
+/*
+ * Any updates to this structure should also be applied in
+ * contrib/modules/dlz/dlz_minmal.h.
+ */
+typedef struct dns_clientinfomethods {
+	uint16_t		  version;
+	uint16_t		  age;
+	dns_clientinfo_sourceip_t sourceip;
+} dns_clientinfomethods_t;
+
+/*****
+***** Methods
+*****/
+void
+dns_clientinfomethods_init(dns_clientinfomethods_t  *methods,
+			   dns_clientinfo_sourceip_t sourceip);
+
+void
+dns_clientinfo_init(dns_clientinfo_t *ci, void *data, dns_ecs_t *ecs,
+		    void *versionp);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_CLIENTINFO_H */
diff --git a/lib/dns/include/dns/compress.h b/lib/dns/include/dns/compress.h
new file mode 100644
index 0000000..7e19af6
--- /dev/null
+++ b/lib/dns/include/dns/compress.h
@@ -0,0 +1,302 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_COMPRESS_H
+#define DNS_COMPRESS_H 1
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/region.h>
+
+#include <dns/name.h>
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*! \file dns/compress.h
+ * Direct manipulation of the structures is strongly discouraged.
+ *
+ * A name compression context handles compression of multiple DNS names
+ * in relation to a single DNS message. The context can be used to
+ * selectively turn on/off compression for specific names (depending on
+ * the RR type) by using \c dns_compress_setmethods(). Alternately,
+ * compression can be disabled completely using \c
+ * dns_compress_disable().
+ *
+ * \c dns_compress_setmethods() is intended for use by RDATA towire()
+ * implementations, whereas \c dns_compress_disable() is intended to be
+ * used by a nameserver's configuration manager.
+ */
+
+#define DNS_COMPRESS_NONE	   0x00 /*%< no compression */
+#define DNS_COMPRESS_GLOBAL14	   0x01 /*%< "normal" compression. */
+#define DNS_COMPRESS_ALL	   0x01 /*%< all compression. */
+#define DNS_COMPRESS_CASESENSITIVE 0x02 /*%< case sensitive compression. */
+#define DNS_COMPRESS_ENABLED	   0x04
+
+/*
+ * DNS_COMPRESS_TABLESIZE must be a power of 2. The compress code
+ * utilizes this assumption.
+ */
+#define DNS_COMPRESS_TABLEBITS	  6
+#define DNS_COMPRESS_TABLESIZE	  (1U << DNS_COMPRESS_TABLEBITS)
+#define DNS_COMPRESS_TABLEMASK	  (DNS_COMPRESS_TABLESIZE - 1)
+#define DNS_COMPRESS_INITIALNODES 24
+#define DNS_COMPRESS_ARENA_SIZE	  640
+
+typedef struct dns_compressnode dns_compressnode_t;
+
+struct dns_compressnode {
+	dns_compressnode_t *next;
+	uint16_t	    offset;
+	uint16_t	    count;
+	isc_region_t	    r;
+	dns_name_t	    name;
+};
+
+struct dns_compress {
+	unsigned int magic;   /*%< Magic number. */
+	unsigned int allowed; /*%< Allowed methods. */
+	int	     edns;    /*%< Edns version or -1. */
+	/*% Global compression table. */
+	dns_compressnode_t *table[DNS_COMPRESS_TABLESIZE];
+	/*% Preallocated arena for names. */
+	unsigned char arena[DNS_COMPRESS_ARENA_SIZE];
+	off_t	      arena_off;
+	/*% Preallocated nodes for the table. */
+	dns_compressnode_t initialnodes[DNS_COMPRESS_INITIALNODES];
+	uint16_t	   count; /*%< Number of nodes. */
+	isc_mem_t	  *mctx;  /*%< Memory context. */
+};
+
+typedef enum {
+	DNS_DECOMPRESS_ANY,    /*%< Any compression */
+	DNS_DECOMPRESS_STRICT, /*%< Allowed compression */
+	DNS_DECOMPRESS_NONE    /*%< No compression */
+} dns_decompresstype_t;
+
+struct dns_decompress {
+	unsigned int	     magic;   /*%< Magic number. */
+	unsigned int	     allowed; /*%< Allowed methods. */
+	int		     edns;    /*%< Edns version or -1. */
+	dns_decompresstype_t type;    /*%< Strict checking */
+};
+
+isc_result_t
+dns_compress_init(dns_compress_t *cctx, int edns, isc_mem_t *mctx);
+/*%<
+ *	Initialise the compression context structure pointed to by
+ *	'cctx'. A freshly initialized context has name compression
+ *	enabled, but no methods are set. Please use \c
+ *	dns_compress_setmethods() to set a compression method.
+ *
+ *	Requires:
+ *	\li	'cctx' is a valid dns_compress_t structure.
+ *	\li	'mctx' is an initialized memory context.
+ *	Ensures:
+ *	\li	cctx->global is initialized.
+ *
+ *	Returns:
+ *	\li	#ISC_R_SUCCESS
+ */
+
+void
+dns_compress_invalidate(dns_compress_t *cctx);
+
+/*%<
+ *	Invalidate the compression structure pointed to by cctx.
+ *
+ *	Requires:
+ *\li		'cctx' to be initialized.
+ */
+
+void
+dns_compress_setmethods(dns_compress_t *cctx, unsigned int allowed);
+
+/*%<
+ *	Sets allowed compression methods.
+ *
+ *	Requires:
+ *\li		'cctx' to be initialized.
+ */
+
+unsigned int
+dns_compress_getmethods(dns_compress_t *cctx);
+
+/*%<
+ *	Gets allowed compression methods.
+ *
+ *	Requires:
+ *\li		'cctx' to be initialized.
+ *
+ *	Returns:
+ *\li		allowed compression bitmap.
+ */
+
+void
+dns_compress_disable(dns_compress_t *cctx);
+/*%<
+ *	Disables all name compression in the context. Once disabled,
+ *	name compression cannot currently be re-enabled.
+ *
+ *	Requires:
+ *\li		'cctx' to be initialized.
+ *
+ */
+
+void
+dns_compress_setsensitive(dns_compress_t *cctx, bool sensitive);
+
+/*
+ *	Preserve the case of compressed domain names.
+ *
+ *	Requires:
+ *		'cctx' to be initialized.
+ */
+
+bool
+dns_compress_getsensitive(dns_compress_t *cctx);
+/*
+ *	Return whether case is to be preserved when compressing
+ *	domain names.
+ *
+ *	Requires:
+ *		'cctx' to be initialized.
+ */
+
+int
+dns_compress_getedns(dns_compress_t *cctx);
+
+/*%<
+ *	Gets edns value.
+ *
+ *	Requires:
+ *\li		'cctx' to be initialized.
+ *
+ *	Returns:
+ *\li		-1 .. 255
+ */
+
+bool
+dns_compress_findglobal(dns_compress_t *cctx, const dns_name_t *name,
+			dns_name_t *prefix, uint16_t *offset);
+/*%<
+ *	Finds longest possible match of 'name' in the global compression table.
+ *
+ *	Requires:
+ *\li		'cctx' to be initialized.
+ *\li		'name' to be a absolute name.
+ *\li		'prefix' to be initialized.
+ *\li		'offset' to point to an uint16_t.
+ *
+ *	Ensures:
+ *\li		'prefix' and 'offset' are valid if true is 	returned.
+ *
+ *	Returns:
+ *\li		#true / #false
+ */
+
+void
+dns_compress_add(dns_compress_t *cctx, const dns_name_t *name,
+		 const dns_name_t *prefix, uint16_t offset);
+/*%<
+ *	Add compression pointers for 'name' to the compression table,
+ *	not replacing existing pointers.
+ *
+ *	Requires:
+ *\li		'cctx' initialized
+ *
+ *\li		'name' must be initialized and absolute, and must remain
+ *		valid until the message compression is complete.
+ *
+ *\li		'prefix' must be a prefix returned by
+ *		dns_compress_findglobal(), or the same as 'name'.
+ */
+
+void
+dns_compress_rollback(dns_compress_t *cctx, uint16_t offset);
+
+/*%<
+ *	Remove any compression pointers from global table >= offset.
+ *
+ *	Requires:
+ *\li		'cctx' is initialized.
+ */
+
+void
+dns_decompress_init(dns_decompress_t *dctx, int edns,
+		    dns_decompresstype_t type);
+
+/*%<
+ *	Initializes 'dctx'.
+ *	Records 'edns' and 'type' into the structure.
+ *
+ *	Requires:
+ *\li		'dctx' to be a valid pointer.
+ */
+
+void
+dns_decompress_invalidate(dns_decompress_t *dctx);
+
+/*%<
+ *	Invalidates 'dctx'.
+ *
+ *	Requires:
+ *\li		'dctx' to be initialized
+ */
+
+void
+dns_decompress_setmethods(dns_decompress_t *dctx, unsigned int allowed);
+
+/*%<
+ *	Sets 'dctx->allowed' to 'allowed'.
+ *
+ *	Requires:
+ *\li		'dctx' to be initialized
+ */
+
+unsigned int
+dns_decompress_getmethods(dns_decompress_t *dctx);
+
+/*%<
+ *	Returns 'dctx->allowed'
+ *
+ *	Requires:
+ *\li		'dctx' to be initialized
+ */
+
+int
+dns_decompress_edns(dns_decompress_t *dctx);
+
+/*%<
+ *	Returns 'dctx->edns'
+ *
+ *	Requires:
+ *\li		'dctx' to be initialized
+ */
+
+dns_decompresstype_t
+dns_decompress_type(dns_decompress_t *dctx);
+
+/*%<
+ *	Returns 'dctx->type'
+ *
+ *	Requires:
+ *\li		'dctx' to be initialized
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_COMPRESS_H */
diff --git a/lib/dns/include/dns/db.h b/lib/dns/include/dns/db.h
new file mode 100644
index 0000000..84b1cb1
--- /dev/null
+++ b/lib/dns/include/dns/db.h
@@ -0,0 +1,1800 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_DB_H
+#define DNS_DB_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file dns/db.h
+ * \brief
+ * The DNS DB interface allows named rdatasets to be stored and retrieved.
+ *
+ * The dns_db_t type is like a "virtual class".  To actually use
+ * DBs, an implementation of the class is required.
+ *
+ * XXX more XXX
+ *
+ * MP:
+ * \li	The module ensures appropriate synchronization of data structures it
+ *	creates and manipulates.
+ *
+ * Reliability:
+ * \li	No anticipated impact.
+ *
+ * Resources:
+ * \li	TBS
+ *
+ * Security:
+ * \li	No anticipated impact.
+ *
+ * Standards:
+ * \li	None.
+ */
+
+/*****
+***** Imports
+*****/
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/deprecated.h>
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/stats.h>
+#include <isc/stdtime.h>
+
+#include <dns/clientinfo.h>
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*****
+***** Types
+*****/
+
+typedef struct dns_dbmethods {
+	void (*attach)(dns_db_t *source, dns_db_t **targetp);
+	void (*detach)(dns_db_t **dbp);
+	isc_result_t (*beginload)(dns_db_t	       *db,
+				  dns_rdatacallbacks_t *callbacks);
+	isc_result_t (*endload)(dns_db_t *db, dns_rdatacallbacks_t *callbacks);
+	isc_result_t (*serialize)(dns_db_t *db, dns_dbversion_t *version,
+				  FILE *file);
+	isc_result_t (*dump)(dns_db_t *db, dns_dbversion_t *version,
+			     const char	       *filename,
+			     dns_masterformat_t masterformat);
+	void (*currentversion)(dns_db_t *db, dns_dbversion_t **versionp);
+	isc_result_t (*newversion)(dns_db_t *db, dns_dbversion_t **versionp);
+	void (*attachversion)(dns_db_t *db, dns_dbversion_t *source,
+			      dns_dbversion_t **targetp);
+	void (*closeversion)(dns_db_t *db, dns_dbversion_t **versionp,
+			     bool commit);
+	isc_result_t (*findnode)(dns_db_t *db, const dns_name_t *name,
+				 bool create, dns_dbnode_t **nodep);
+	isc_result_t (*find)(dns_db_t *db, const dns_name_t *name,
+			     dns_dbversion_t *version, dns_rdatatype_t type,
+			     unsigned int options, isc_stdtime_t now,
+			     dns_dbnode_t **nodep, dns_name_t *foundname,
+			     dns_rdataset_t *rdataset,
+			     dns_rdataset_t *sigrdataset);
+	isc_result_t (*findzonecut)(dns_db_t *db, const dns_name_t *name,
+				    unsigned int options, isc_stdtime_t now,
+				    dns_dbnode_t **nodep, dns_name_t *foundname,
+				    dns_name_t	   *dcname,
+				    dns_rdataset_t *rdataset,
+				    dns_rdataset_t *sigrdataset);
+	void (*attachnode)(dns_db_t *db, dns_dbnode_t *source,
+			   dns_dbnode_t **targetp);
+	void (*detachnode)(dns_db_t *db, dns_dbnode_t **targetp);
+	isc_result_t (*expirenode)(dns_db_t *db, dns_dbnode_t *node,
+				   isc_stdtime_t now);
+	void (*printnode)(dns_db_t *db, dns_dbnode_t *node, FILE *out);
+	isc_result_t (*createiterator)(dns_db_t *db, unsigned int options,
+				       dns_dbiterator_t **iteratorp);
+	isc_result_t (*findrdataset)(dns_db_t *db, dns_dbnode_t *node,
+				     dns_dbversion_t *version,
+				     dns_rdatatype_t  type,
+				     dns_rdatatype_t covers, isc_stdtime_t now,
+				     dns_rdataset_t *rdataset,
+				     dns_rdataset_t *sigrdataset);
+	isc_result_t (*allrdatasets)(dns_db_t *db, dns_dbnode_t *node,
+				     dns_dbversion_t *version,
+				     unsigned int options, isc_stdtime_t now,
+				     dns_rdatasetiter_t **iteratorp);
+	isc_result_t (*addrdataset)(dns_db_t *db, dns_dbnode_t *node,
+				    dns_dbversion_t *version, isc_stdtime_t now,
+				    dns_rdataset_t *rdataset,
+				    unsigned int    options,
+				    dns_rdataset_t *addedrdataset);
+	isc_result_t (*subtractrdataset)(dns_db_t *db, dns_dbnode_t *node,
+					 dns_dbversion_t *version,
+					 dns_rdataset_t	 *rdataset,
+					 unsigned int	  options,
+					 dns_rdataset_t	 *newrdataset);
+	isc_result_t (*deleterdataset)(dns_db_t *db, dns_dbnode_t *node,
+				       dns_dbversion_t *version,
+				       dns_rdatatype_t	type,
+				       dns_rdatatype_t	covers);
+	bool (*issecure)(dns_db_t *db);
+	unsigned int (*nodecount)(dns_db_t *db);
+	bool (*ispersistent)(dns_db_t *db);
+	void (*overmem)(dns_db_t *db, bool overmem);
+	void (*settask)(dns_db_t *db, isc_task_t *);
+	isc_result_t (*getoriginnode)(dns_db_t *db, dns_dbnode_t **nodep);
+	void (*transfernode)(dns_db_t *db, dns_dbnode_t **sourcep,
+			     dns_dbnode_t **targetp);
+	isc_result_t (*getnsec3parameters)(dns_db_t	   *db,
+					   dns_dbversion_t *version,
+					   dns_hash_t *hash, uint8_t *flags,
+					   uint16_t	 *iterations,
+					   unsigned char *salt,
+					   size_t	 *salt_len);
+	isc_result_t (*findnsec3node)(dns_db_t *db, const dns_name_t *name,
+				      bool create, dns_dbnode_t **nodep);
+	isc_result_t (*setsigningtime)(dns_db_t *db, dns_rdataset_t *rdataset,
+				       isc_stdtime_t resign);
+	isc_result_t (*getsigningtime)(dns_db_t *db, dns_rdataset_t *rdataset,
+				       dns_name_t *name);
+	void (*resigned)(dns_db_t *db, dns_rdataset_t *rdataset,
+			 dns_dbversion_t *version);
+	bool (*isdnssec)(dns_db_t *db);
+	dns_stats_t *(*getrrsetstats)(dns_db_t *db);
+	void (*rpz_attach)(dns_db_t *db, void *rpzs, uint8_t rpz_num);
+	isc_result_t (*rpz_ready)(dns_db_t *db);
+	isc_result_t (*findnodeext)(dns_db_t *db, const dns_name_t *name,
+				    bool		     create,
+				    dns_clientinfomethods_t *methods,
+				    dns_clientinfo_t	    *clientinfo,
+				    dns_dbnode_t	   **nodep);
+	isc_result_t (*findext)(dns_db_t *db, const dns_name_t *name,
+				dns_dbversion_t *version, dns_rdatatype_t type,
+				unsigned int options, isc_stdtime_t now,
+				dns_dbnode_t **nodep, dns_name_t *foundname,
+				dns_clientinfomethods_t *methods,
+				dns_clientinfo_t	*clientinfo,
+				dns_rdataset_t		*rdataset,
+				dns_rdataset_t		*sigrdataset);
+	isc_result_t (*setcachestats)(dns_db_t *db, isc_stats_t *stats);
+	size_t (*hashsize)(dns_db_t *db);
+	isc_result_t (*nodefullname)(dns_db_t *db, dns_dbnode_t *node,
+				     dns_name_t *name);
+	isc_result_t (*getsize)(dns_db_t *db, dns_dbversion_t *version,
+				uint64_t *records, uint64_t *bytes);
+	isc_result_t (*setservestalettl)(dns_db_t *db, dns_ttl_t ttl);
+	isc_result_t (*getservestalettl)(dns_db_t *db, dns_ttl_t *ttl);
+	isc_result_t (*setservestalerefresh)(dns_db_t *db, uint32_t interval);
+	isc_result_t (*getservestalerefresh)(dns_db_t *db, uint32_t *interval);
+	isc_result_t (*setgluecachestats)(dns_db_t *db, isc_stats_t *stats);
+	isc_result_t (*adjusthashsize)(dns_db_t *db, size_t size);
+} dns_dbmethods_t;
+
+typedef isc_result_t (*dns_dbcreatefunc_t)(isc_mem_t	    *mctx,
+					   const dns_name_t *name,
+					   dns_dbtype_t	     type,
+					   dns_rdataclass_t  rdclass,
+					   unsigned int argc, char *argv[],
+					   void *driverarg, dns_db_t **dbp);
+
+typedef isc_result_t (*dns_dbupdate_callback_t)(dns_db_t *db, void *fn_arg);
+
+#define DNS_DB_MAGIC	 ISC_MAGIC('D', 'N', 'S', 'D')
+#define DNS_DB_VALID(db) ISC_MAGIC_VALID(db, DNS_DB_MAGIC)
+
+/*%
+ * This structure is actually just the common prefix of a DNS db
+ * implementation's version of a dns_db_t.
+ * \brief
+ * Direct use of this structure by clients is forbidden.  DB implementations
+ * may change the structure.  'magic' must be DNS_DB_MAGIC for any of the
+ * dns_db_ routines to work.  DB implementations must maintain all DB
+ * invariants.
+ */
+struct dns_db {
+	unsigned int	 magic;
+	unsigned int	 impmagic;
+	dns_dbmethods_t *methods;
+	uint16_t	 attributes;
+	dns_rdataclass_t rdclass;
+	dns_name_t	 origin;
+	isc_mem_t	*mctx;
+	ISC_LIST(dns_dbonupdatelistener_t) update_listeners;
+};
+
+#define DNS_DBATTR_CACHE 0x01
+#define DNS_DBATTR_STUB	 0x02
+
+struct dns_dbonupdatelistener {
+	dns_dbupdate_callback_t onupdate;
+	void		       *onupdate_arg;
+	ISC_LINK(dns_dbonupdatelistener_t) link;
+};
+
+/*@{*/
+/*%
+ * Options that can be specified for dns_db_find().
+ */
+#define DNS_DBFIND_GLUEOK	0x0001
+#define DNS_DBFIND_VALIDATEGLUE 0x0002
+#define DNS_DBFIND_NOWILD	0x0004
+#define DNS_DBFIND_PENDINGOK	0x0008
+#define DNS_DBFIND_NOEXACT	0x0010
+#define DNS_DBFIND_FORCENSEC	0x0020
+#define DNS_DBFIND_COVERINGNSEC 0x0040
+#define DNS_DBFIND_FORCENSEC3	0x0080
+#define DNS_DBFIND_ADDITIONALOK 0x0100
+#define DNS_DBFIND_NOZONECUT	0x0200
+
+/*
+ * DNS_DBFIND_STALEOK: This flag is set when BIND fails to refresh a RRset due
+ * to timeout (resolver-query-timeout). Its intent is to try to look for stale
+ * data in cache as a fallback, but only if stale answers are enabled in
+ * configuration.
+ */
+#define DNS_DBFIND_STALEOK 0x0400
+
+/*
+ * DNS_DBFIND_STALEENABLED: This flag is used as a hint to the database that
+ * it may use stale data. It is always set during query lookup if stale
+ * answers are enabled, but only effectively used during stale-refresh-time
+ * window. Also during this window, the resolver will not try to resolve the
+ * query, in other words no attempt to refresh the data in cache is made when
+ * the stale-refresh-time window is active.
+ */
+#define DNS_DBFIND_STALEENABLED 0x0800
+
+/*
+ * DNS_DBFIND_STALETIMEOUT: This flag is used when we want stale data from the
+ * database, but not due to a failure in resolution, it also doesn't require
+ * stale-refresh-time window timer to be active. As long as there is stale
+ * data available, it should be returned.
+ */
+#define DNS_DBFIND_STALETIMEOUT 0x1000
+
+/*
+ * DNS_DBFIND_STALESTART: This flag is used to activate stale-refresh-time
+ * window.
+ */
+#define DNS_DBFIND_STALESTART 0x2000
+/*@}*/
+
+/*@{*/
+/*%
+ * Options that can be specified for dns_db_addrdataset().
+ */
+#define DNS_DBADD_MERGE	   0x01
+#define DNS_DBADD_FORCE	   0x02
+#define DNS_DBADD_EXACT	   0x04
+#define DNS_DBADD_EXACTTTL 0x08
+#define DNS_DBADD_PREFETCH 0x10
+/*@}*/
+
+/*%
+ * Options that can be specified for dns_db_subtractrdataset().
+ */
+#define DNS_DBSUB_EXACT	  0x01
+#define DNS_DBSUB_WANTOLD 0x02
+
+/*@{*/
+/*%
+ * Iterator options
+ */
+#define DNS_DB_RELATIVENAMES 0x1
+#define DNS_DB_NSEC3ONLY     0x2
+#define DNS_DB_NONSEC3	     0x4
+/*@}*/
+
+#define DNS_DB_STALEOK	 0x01
+#define DNS_DB_EXPIREDOK 0x02
+
+/*****
+***** Methods
+*****/
+
+/***
+ *** Basic DB Methods
+ ***/
+
+isc_result_t
+dns_db_create(isc_mem_t *mctx, const char *db_type, const dns_name_t *origin,
+	      dns_dbtype_t type, dns_rdataclass_t rdclass, unsigned int argc,
+	      char *argv[], dns_db_t **dbp);
+/*%<
+ * Create a new database using implementation 'db_type'.
+ *
+ * Notes:
+ * \li	All names in the database must be subdomains of 'origin' and in class
+ *	'rdclass'.  The database makes its own copy of the origin, so the
+ *	caller may do whatever they like with 'origin' and its storage once the
+ *	call returns.
+ *
+ * \li	DB implementation-specific parameters are passed using argc and argv.
+ *
+ * Requires:
+ *
+ * \li	dbp != NULL and *dbp == NULL
+ *
+ * \li	'origin' is a valid absolute domain name.
+ *
+ * \li	mctx is a valid memory context
+ *
+ * Ensures:
+ *
+ * \li	A copy of 'origin' has been made for the databases use, and the
+ *	caller is free to do whatever they want with the name and storage
+ *	associated with 'origin'.
+ *
+ * Returns:
+ *
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOMEMORY
+ * \li	#ISC_R_NOTFOUND				db_type not found
+ *
+ * \li	Many other errors are possible, depending on what db_type was
+ *	specified.
+ */
+
+void
+dns_db_attach(dns_db_t *source, dns_db_t **targetp);
+/*%<
+ * Attach *targetp to source.
+ *
+ * Requires:
+ *
+ * \li	'source' is a valid database.
+ *
+ * \li	'targetp' points to a NULL dns_db_t *.
+ *
+ * Ensures:
+ *
+ * \li	*targetp is attached to source.
+ */
+
+void
+dns_db_detach(dns_db_t **dbp);
+/*%<
+ * Detach *dbp from its database.
+ *
+ * Requires:
+ *
+ * \li	'dbp' points to a valid database.
+ *
+ * Ensures:
+ *
+ * \li	*dbp is NULL.
+ *
+ * \li	If '*dbp' is the last reference to the database,
+ *		all resources used by the database will be freed
+ */
+
+bool
+dns_db_iscache(dns_db_t *db);
+/*%<
+ * Does 'db' have cache semantics?
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * Returns:
+ * \li	#true	'db' has cache semantics
+ * \li	#false	otherwise
+ */
+
+bool
+dns_db_iszone(dns_db_t *db);
+/*%<
+ * Does 'db' have zone semantics?
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * Returns:
+ * \li	#true	'db' has zone semantics
+ * \li	#false	otherwise
+ */
+
+bool
+dns_db_isstub(dns_db_t *db);
+/*%<
+ * Does 'db' have stub semantics?
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * Returns:
+ * \li	#true	'db' has zone semantics
+ * \li	#false	otherwise
+ */
+
+bool
+dns_db_issecure(dns_db_t *db);
+/*%<
+ * Is 'db' secure?
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database with zone semantics.
+ *
+ * Returns:
+ * \li	#true	'db' is secure.
+ * \li	#false	'db' is not secure.
+ */
+
+bool
+dns_db_isdnssec(dns_db_t *db);
+/*%<
+ * Is 'db' secure or partially secure?
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database with zone semantics.
+ *
+ * Returns:
+ * \li	#true	'db' is secure or is partially.
+ * \li	#false	'db' is not secure.
+ */
+
+dns_name_t *
+dns_db_origin(dns_db_t *db);
+/*%<
+ * The origin of the database.
+ *
+ * Note: caller must not try to change this name.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * Returns:
+ *
+ * \li	The origin of the database.
+ */
+
+dns_rdataclass_t
+dns_db_class(dns_db_t *db);
+/*%<
+ * The class of the database.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * Returns:
+ *
+ * \li	The class of the database.
+ */
+
+isc_result_t
+dns_db_beginload(dns_db_t *db, dns_rdatacallbacks_t *callbacks);
+/*%<
+ * Begin loading 'db'.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * \li	This is the first attempt to load 'db'.
+ *
+ * \li  'callbacks' is a pointer to an initialized dns_rdatacallbacks_t
+ *       structure.
+ *
+ * Ensures:
+ *
+ * \li	On success, callbacks->add will be a valid dns_addrdatasetfunc_t
+ *      suitable for loading records into 'db' from a raw or text zone
+ *      file. callbacks->add_private will be a valid DB load context
+ *      which should be used as 'arg' when callbacks->add is called.
+ *      callbacks->deserialize will be a valid dns_deserialize_func_t
+ *      suitable for loading 'db' from a map format zone file.
+ *
+ * Returns:
+ *
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOMEMORY
+ *
+ * \li	Other results are possible, depending upon the database
+ *	implementation used, syntax errors in the master file, etc.
+ */
+
+isc_result_t
+dns_db_endload(dns_db_t *db, dns_rdatacallbacks_t *callbacks);
+/*%<
+ * Finish loading 'db'.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database that is being loaded.
+ *
+ * \li	'callbacks' is a valid dns_rdatacallbacks_t structure.
+ *
+ * \li	callbacks->add_private is not NULL and is a valid database load context.
+ *
+ * Ensures:
+ *
+ * \li	'callbacks' is returned to its state prior to calling dns_db_beginload()
+ *
+ * Returns:
+ *
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOMEMORY
+ *
+ * \li	Other results are possible, depending upon the database
+ *	implementation used, syntax errors in the master file, etc.
+ */
+
+isc_result_t
+dns_db_load(dns_db_t *db, const char *filename, dns_masterformat_t format,
+	    unsigned int options);
+/*%<
+ * Load master file 'filename' into 'db'.
+ *
+ * Notes:
+ * \li	This routine is equivalent to calling
+ *
+ *\code
+ *		dns_db_beginload();
+ *		dns_master_loadfile();
+ *		dns_db_endload();
+ *\endcode
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * \li	This is the first attempt to load 'db'.
+ *
+ * Returns:
+ *
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOMEMORY
+ *
+ * \li	Other results are possible, depending upon the database
+ *	implementation used, syntax errors in the master file, etc.
+ */
+
+isc_result_t
+dns_db_serialize(dns_db_t *db, dns_dbversion_t *version, FILE *rbtfile);
+/*%<
+ * Dump version 'version' of 'db' to map-format file 'filename'.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * \li	'version' is a valid version.
+ *
+ * Returns:
+ *
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOMEMORY
+ *
+ * \li	Other results are possible, depending upon the database
+ *	implementation used, OS file errors, etc.
+ */
+
+isc_result_t
+dns_db_dump(dns_db_t *db, dns_dbversion_t *version, const char *filename);
+/*%<
+ * Dump version 'version' of 'db' to master file 'filename'.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * \li	'version' is a valid version.
+ *
+ * Returns:
+ *
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOMEMORY
+ *
+ * \li	Other results are possible, depending upon the database
+ *	implementation used, OS file errors, etc.
+ */
+
+/***
+ *** Version Methods
+ ***/
+
+void
+dns_db_currentversion(dns_db_t *db, dns_dbversion_t **versionp);
+/*%<
+ * Open the current version for reading.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database with zone semantics.
+ *
+ * \li	versionp != NULL && *verisonp == NULL
+ *
+ * Ensures:
+ *
+ * \li	On success, '*versionp' is attached to the current version.
+ *
+ */
+
+isc_result_t
+dns_db_newversion(dns_db_t *db, dns_dbversion_t **versionp);
+/*%<
+ * Open a new version for reading and writing.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database with zone semantics.
+ *
+ * \li	versionp != NULL && *verisonp == NULL
+ *
+ * Ensures:
+ *
+ * \li	On success, '*versionp' is attached to the current version.
+ *
+ * Returns:
+ *
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOMEMORY
+ *
+ * \li	Other results are possible, depending upon the database
+ *	implementation used.
+ */
+
+void
+dns_db_attachversion(dns_db_t *db, dns_dbversion_t *source,
+		     dns_dbversion_t **targetp);
+/*%<
+ * Attach '*targetp' to 'source'.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database with zone semantics.
+ *
+ * \li	source is a valid open version
+ *
+ * \li	targetp != NULL && *targetp == NULL
+ *
+ * Ensures:
+ *
+ * \li	'*targetp' is attached to source.
+ */
+
+void
+dns_db_closeversion(dns_db_t *db, dns_dbversion_t **versionp, bool commit);
+/*%<
+ * Close version '*versionp'.
+ *
+ * Note: if '*versionp' is a read-write version and 'commit' is true,
+ * then all changes made in the version will take effect, otherwise they
+ * will be rolled back.  The value of 'commit' is ignored for read-only
+ * versions.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database with zone semantics.
+ *
+ * \li	'*versionp' refers to a valid version.
+ *
+ * \li	If committing a writable version, then there must be no other
+ *	outstanding references to the version (e.g. an active rdataset
+ *	iterator).
+ *
+ * Ensures:
+ *
+ * \li	*versionp == NULL
+ *
+ * \li	If *versionp is a read-write version, and commit is true, then
+ *	the version will become the current version.  If !commit, then all
+ *	changes made in the version will be undone, and the version will
+ *	not become the current version.
+ */
+
+/***
+ *** Node Methods
+ ***/
+
+isc_result_t
+dns_db_findnode(dns_db_t *db, const dns_name_t *name, bool create,
+		dns_dbnode_t **nodep);
+
+isc_result_t
+dns_db_findnodeext(dns_db_t *db, const dns_name_t *name, bool create,
+		   dns_clientinfomethods_t *methods,
+		   dns_clientinfo_t *clientinfo, dns_dbnode_t **nodep);
+/*%<
+ * Find the node with name 'name'.
+ *
+ * dns_db_findnodeext() (findnode extended) also accepts parameters
+ * 'methods' and 'clientinfo', which, when provided, enable the database to
+ * retrieve information about the client from the caller, and modify its
+ * response on the basis of that information.
+ *
+ * Notes:
+ * \li	If 'create' is true and no node with name 'name' exists, then
+ *	such a node will be created.
+ *
+ * \li	This routine is for finding or creating a node with the specified
+ *	name.  There are no partial matches.  It is not suitable for use
+ *	in building responses to ordinary DNS queries; clients which wish
+ *	to do that should use dns_db_find() instead.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * \li	'name' is a valid, non-empty, absolute name.
+ *
+ * \li	nodep != NULL && *nodep == NULL
+ *
+ * Ensures:
+ *
+ * \li	On success, *nodep is attached to the node with name 'name'.
+ *
+ * Returns:
+ *
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOTFOUND			If !create and name not found.
+ * \li	#ISC_R_NOMEMORY			Can only happen if create is true.
+ *
+ * \li	Other results are possible, depending upon the database
+ *	implementation used.
+ */
+
+isc_result_t
+dns_db_find(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version,
+	    dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
+	    dns_dbnode_t **nodep, dns_name_t *foundname,
+	    dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
+
+isc_result_t
+dns_db_findext(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version,
+	       dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
+	       dns_dbnode_t **nodep, dns_name_t *foundname,
+	       dns_clientinfomethods_t *methods, dns_clientinfo_t *clientinfo,
+	       dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
+/*%<
+ * Find the best match for 'name' and 'type' in version 'version' of 'db'.
+ *
+ * dns_db_findext() (find extended) also accepts parameters 'methods'
+ * and 'clientinfo', which when provided enable the database to retrieve
+ * information about the client from the caller, and modify its response
+ * on the basis of this information.
+ *
+ * Notes:
+ *
+ * \li	If type == dns_rdataset_any, then rdataset will not be bound.
+ *
+ * \li	If 'options' does not have #DNS_DBFIND_GLUEOK set, then no glue will
+ *	be returned.  For zone databases, glue is as defined in RFC2181.
+ *	For cache databases, glue is any rdataset with a trust of
+ *	dns_trust_glue.
+ *
+ * \li	If 'options' does not have #DNS_DBFIND_ADDITIONALOK set, then no
+ *	additional records will be returned.  Only caches can have
+ *	rdataset with trust dns_trust_additional.
+ *
+ * \li	If 'options' does not have #DNS_DBFIND_PENDINGOK set, then no
+ *	pending data will be returned.  This option is only meaningful for
+ *	cache databases.
+ *
+ * \li	If the #DNS_DBFIND_NOWILD option is set, then wildcard matching will
+ *	be disabled.  This option is only meaningful for zone databases.
+ *
+ * \li  If the #DNS_DBFIND_NOZONECUT option is set, the database is
+ *	assumed to contain no zone cuts above 'name'.  An implementation
+ *	may therefore choose to search for a match beginning at 'name'
+ *	rather than walking down the tree to check check for delegations.
+ *	If #DNS_DBFIND_NOWILD is not set, wildcard matching will be
+ *	attempted at each node starting at the direct ancestor of 'name'
+ *	and working up to the zone origin.  This option is only meaningful
+ *	when querying redirect zones.
+ *
+ * \li	If the #DNS_DBFIND_FORCENSEC option is set, the database is assumed to
+ *	have NSEC records, and these will be returned when appropriate.  This
+ *	is only necessary when querying a database that was not secure
+ *	when created.
+ *
+ * \li	If the DNS_DBFIND_COVERINGNSEC option is set, then look for a
+ *	NSEC record that potentially covers 'name' if a answer cannot
+ *	be found.  Note the returned NSEC needs to be checked to ensure
+ *	that it is correct.  This only affects answers returned from the
+ *	cache.
+ *
+ * \li	If the #DNS_DBFIND_FORCENSEC3 option is set, then we are looking
+ *	in the NSEC3 tree and not the main tree.  Without this option being
+ *	set NSEC3 records will not be found.
+ *
+ * \li	To respond to a query for SIG records, the caller should create a
+ *	rdataset iterator and extract the signatures from each rdataset.
+ *
+ * \li	Making queries of type ANY with #DNS_DBFIND_GLUEOK is not recommended,
+ *	because the burden of determining whether a given rdataset is valid
+ *	glue or not falls upon the caller.
+ *
+ * \li	The 'now' field is ignored if 'db' is a zone database.  If 'db' is a
+ *	cache database, an rdataset will not be found unless it expires after
+ *	'now'.  Any ANY query will not match unless at least one rdataset at
+ *	the node expires after 'now'.  If 'now' is zero, then the current time
+ *	will be used.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * \li	'type' is not SIG, or a meta-RR type other than 'ANY' (e.g. 'OPT').
+ *
+ * \li	'nodep' is NULL, or nodep is a valid pointer and *nodep == NULL.
+ *
+ * \li	'foundname' is a valid name with a dedicated buffer.
+ *
+ * \li	'rdataset' is NULL, or is a valid unassociated rdataset.
+ *
+ * Ensures,
+ *	on a non-error completion:
+ *
+ *	\li	If nodep != NULL, then it is bound to the found node.
+ *
+ *	\li	If foundname != NULL, then it contains the full name of the
+ *		found node.
+ *
+ *	\li	If rdataset != NULL and type != dns_rdatatype_any, then
+ *		rdataset is bound to the found rdataset.
+ *
+ *	Non-error results are:
+ *
+ *	\li	#ISC_R_SUCCESS			The desired node and type were
+ *						found.
+ *
+ *	\li	#DNS_R_GLUE			The desired node and type were
+ *						found, but are glue.  This
+ *						result can only occur if
+ *						the DNS_DBFIND_GLUEOK option
+ *						is set.  This result can only
+ *						occur if 'db' is a zone
+ *						database.  If type ==
+ *						dns_rdatatype_any, then the
+ *						node returned may contain, or
+ *						consist entirely of invalid
+ *						glue (i.e. data occluded by a
+ *						zone cut).  The caller must
+ *						take care not to return invalid
+ *						glue to a client.
+ *
+ *	\li	#DNS_R_DELEGATION		The data requested is beneath
+ *						a zone cut.  node, foundname,
+ *						and rdataset reference the
+ *						NS RRset of the zone cut.
+ *						If 'db' is a cache database,
+ *						then this is the deepest known
+ *						delegation.
+ *
+ *	\li	#DNS_R_ZONECUT			type == dns_rdatatype_any, and
+ *						the desired node is a zonecut.
+ *						The caller must take care not
+ *						to return inappropriate glue
+ *						to a client.  This result can
+ *						only occur if 'db' is a zone
+ *						database and DNS_DBFIND_GLUEOK
+ *						is set.
+ *
+ *	\li	#DNS_R_DNAME			The data requested is beneath
+ *						a DNAME.  node, foundname,
+ *						and rdataset reference the
+ *						DNAME RRset.
+ *
+ *	\li	#DNS_R_CNAME			The rdataset requested was not
+ *						found, but there is a CNAME
+ *						at the desired name.  node,
+ *						foundname, and rdataset
+ *						reference the CNAME RRset.
+ *
+ *	\li	#DNS_R_NXDOMAIN			The desired name does not
+ *						exist.
+ *
+ *	\li	#DNS_R_NXRRSET			The desired name exists, but
+ *						the desired type does not.
+ *
+ *	\li	#ISC_R_NOTFOUND			The desired name does not
+ *						exist, and no delegation could
+ *						be found.  This result can only
+ *						occur if 'db' is a cache
+ *						database.  The caller should
+ *						use its nameserver(s) of last
+ *						resort (e.g. root hints).
+ *
+ *	\li	#DNS_R_NCACHENXDOMAIN		The desired name does not
+ *						exist.  'node' is bound to the
+ *						cache node with the desired
+ *						name, and 'rdataset' contains
+ *						the negative caching proof.
+ *
+ *	\li	#DNS_R_NCACHENXRRSET		The desired type does not
+ *						exist.  'node' is bound to the
+ *						cache node with the desired
+ *						name, and 'rdataset' contains
+ *						the negative caching proof.
+ *
+ *	\li	#DNS_R_EMPTYNAME		The name exists but there is
+ *						no data at the name.
+ *
+ *	\li	#DNS_R_COVERINGNSEC		The returned data is a NSEC
+ *						that potentially covers 'name'.
+ *
+ *	\li	#DNS_R_EMPTYWILD		The name is a wildcard without
+ *						resource records.
+ *
+ *	Error results:
+ *
+ *	\li	#ISC_R_NOMEMORY
+ *
+ *	\li	#DNS_R_BADDB			Data that is required to be
+ *						present in the DB, e.g. an NSEC
+ *						record in a secure zone, is not
+ *						present.
+ *
+ *	\li	Other results are possible, and should all be treated as
+ *		errors.
+ */
+
+isc_result_t
+dns_db_findzonecut(dns_db_t *db, const dns_name_t *name, unsigned int options,
+		   isc_stdtime_t now, dns_dbnode_t **nodep,
+		   dns_name_t *foundname, dns_name_t *dcname,
+		   dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
+/*%<
+ * Find the deepest known zonecut which encloses 'name' in 'db'.
+ *
+ * Notes:
+ *
+ * \li	If the #DNS_DBFIND_NOEXACT option is set, then the zonecut returned
+ *	(if any) will be the deepest known ancestor of 'name'.
+ *
+ * \li	If 'now' is zero, then the current time will be used.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database with cache semantics.
+ *
+ * \li	'nodep' is NULL, or nodep is a valid pointer and *nodep == NULL.
+ *
+ * \li	'foundname' is a valid name with a dedicated buffer.
+ *
+ * \li	'dcname' is a valid name with a dedicated buffer.
+ *
+ * \li	'rdataset' is NULL, or is a valid unassociated rdataset.
+ *
+ * Ensures, on a non-error completion:
+ *
+ * \li	If nodep != NULL, then it is bound to the found node.
+ *
+ * \li	If foundname != NULL, then it contains the full name of the
+ *	found node.
+ *
+ * \li	If dcname != NULL, then it contains the deepest cached name
+ *      that exists in the database.
+ *
+ * \li	If rdataset != NULL and type != dns_rdatatype_any, then
+ *	rdataset is bound to the found rdataset.
+ *
+ * Non-error results are:
+ *
+ * \li	#ISC_R_SUCCESS
+ *
+ * \li	#ISC_R_NOTFOUND
+ *
+ * \li	Other results are possible, and should all be treated as
+ *	errors.
+ */
+
+void
+dns_db_attachnode(dns_db_t *db, dns_dbnode_t *source, dns_dbnode_t **targetp);
+/*%<
+ * Attach *targetp to source.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * \li	'source' is a valid node.
+ *
+ * \li	'targetp' points to a NULL dns_dbnode_t *.
+ *
+ * Ensures:
+ *
+ * \li	*targetp is attached to source.
+ */
+
+void
+dns_db_detachnode(dns_db_t *db, dns_dbnode_t **nodep);
+/*%<
+ * Detach *nodep from its node.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * \li	'nodep' points to a valid node.
+ *
+ * Ensures:
+ *
+ * \li	*nodep is NULL.
+ */
+
+void
+dns_db_transfernode(dns_db_t *db, dns_dbnode_t **sourcep,
+		    dns_dbnode_t **targetp);
+/*%<
+ * Transfer a node between pointer.
+ *
+ * This is equivalent to calling dns_db_attachnode() then dns_db_detachnode().
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * \li	'*sourcep' is a valid node.
+ *
+ * \li	'targetp' points to a NULL dns_dbnode_t *.
+ *
+ * Ensures:
+ *
+ * \li	'*sourcep' is NULL.
+ */
+
+isc_result_t
+dns_db_expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now);
+/*%<
+ * Mark as stale all records at 'node' which expire at or before 'now'.
+ *
+ * Note: if 'now' is zero, then the current time will be used.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid cache database.
+ *
+ * \li	'node' is a valid node.
+ */
+
+void
+dns_db_printnode(dns_db_t *db, dns_dbnode_t *node, FILE *out);
+/*%<
+ * Print a textual representation of the contents of the node to
+ * 'out'.
+ *
+ * Note: this function is intended for debugging, not general use.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * \li	'node' is a valid node.
+ */
+
+/***
+ *** DB Iterator Creation
+ ***/
+
+isc_result_t
+dns_db_createiterator(dns_db_t *db, unsigned int options,
+		      dns_dbiterator_t **iteratorp);
+/*%<
+ * Create an iterator for version 'version' of 'db'.
+ *
+ * Notes:
+ *
+ * \li	One or more of the following options can be set.
+ *	#DNS_DB_RELATIVENAMES
+ *	#DNS_DB_NSEC3ONLY
+ *	#DNS_DB_NONSEC3
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * \li	iteratorp != NULL && *iteratorp == NULL
+ *
+ * Ensures:
+ *
+ * \li	On success, *iteratorp will be a valid database iterator.
+ *
+ * Returns:
+ *
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOMEMORY
+ */
+
+/***
+ *** Rdataset Methods
+ ***/
+
+/*
+ * XXXRTH  Should we check for glue and pending data in dns_db_findrdataset()?
+ */
+
+isc_result_t
+dns_db_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+		    dns_rdatatype_t type, dns_rdatatype_t covers,
+		    isc_stdtime_t now, dns_rdataset_t *rdataset,
+		    dns_rdataset_t *sigrdataset);
+
+/*%<
+ * Search for an rdataset of type 'type' at 'node' that are in version
+ * 'version' of 'db'.  If found, make 'rdataset' refer to it.
+ *
+ * Notes:
+ *
+ * \li	If 'version' is NULL, then the current version will be used.
+ *
+ * \li	Care must be used when using this routine to build a DNS response:
+ *	'node' should have been found with dns_db_find(), not
+ *	dns_db_findnode().  No glue checking is done.  No checking for
+ *	pending data is done.
+ *
+ * \li	The 'now' field is ignored if 'db' is a zone database.  If 'db' is a
+ *	cache database, an rdataset will not be found unless it expires after
+ *	'now'.  If 'now' is zero, then the current time will be used.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * \li	'node' is a valid node.
+ *
+ * \li	'rdataset' is a valid, disassociated rdataset.
+ *
+ * \li	'sigrdataset' is a valid, disassociated rdataset, or it is NULL.
+ *
+ * \li	If 'covers' != 0, 'type' must be RRSIG.
+ *
+ * \li	'type' is not a meta-RR type such as 'ANY' or 'OPT'.
+ *
+ * Ensures:
+ *
+ * \li	On success, 'rdataset' is associated with the found rdataset.
+ *
+ * Returns:
+ *
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOTFOUND
+ *
+ * \li	Other results are possible, depending upon the database
+ *	implementation used.
+ */
+
+isc_result_t
+dns_db_allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+		    unsigned int options, isc_stdtime_t now,
+		    dns_rdatasetiter_t **iteratorp);
+/*%<
+ * Make '*iteratorp' an rdataset iterator for all rdatasets at 'node' in
+ * version 'version' of 'db'.
+ *
+ * Notes:
+ *
+ * \li	If 'version' is NULL, then the current version will be used.
+ *
+ * \li	'options' controls which rdatasets are selected when interating over
+ *	the node.
+ *	'DNS_DB_STALEOK' return stale rdatasets as well as current rdatasets.
+ *	'DNS_DB_EXPIREDOK' return expired rdatasets as well as current
+ *	rdatasets.
+ *
+ * \li	The 'now' field is ignored if 'db' is a zone database.  If 'db' is a
+ *	cache database, an rdataset will not be found unless it expires after
+ *	'now'.  Any ANY query will not match unless at least one rdataset at
+ *	the node expires after 'now'.  If 'now' is zero, then the current time
+ *	will be used.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * \li	'node' is a valid node.
+ *
+ * \li	iteratorp != NULL && *iteratorp == NULL
+ *
+ * Ensures:
+ *
+ * \li	On success, '*iteratorp' is a valid rdataset iterator.
+ *
+ * Returns:
+ *
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOTFOUND
+ *
+ * \li	Other results are possible, depending upon the database
+ *	implementation used.
+ */
+
+isc_result_t
+dns_db_addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+		   isc_stdtime_t now, dns_rdataset_t *rdataset,
+		   unsigned int options, dns_rdataset_t *addedrdataset);
+/*%<
+ * Add 'rdataset' to 'node' in version 'version' of 'db'.
+ *
+ * Notes:
+ *
+ * \li	If the database has zone semantics, the #DNS_DBADD_MERGE option is set,
+ *	and an rdataset of the same type as 'rdataset' already exists at
+ *	'node' then the contents of 'rdataset' will be merged with the existing
+ *	rdataset.  If the option is not set, then rdataset will replace any
+ *	existing rdataset of the same type.  If not merging and the
+ *	#DNS_DBADD_FORCE option is set, then the data will update the database
+ *	without regard to trust levels.  If not forcing the data, then the
+ *	rdataset will only be added if its trust level is >= the trust level of
+ *	any existing rdataset.  Forcing is only meaningful for cache databases.
+ *	If #DNS_DBADD_EXACT is set then there must be no rdata in common between
+ *	the old and new rdata sets.  If #DNS_DBADD_EXACTTTL is set then both
+ *	the old and new rdata sets must have the same ttl.
+ *
+ * \li	The 'now' field is ignored if 'db' is a zone database.  If 'db' is
+ *	a cache database, then the added rdataset will expire no later than
+ *	now + rdataset->ttl.
+ *
+ * \li	If 'addedrdataset' is not NULL, then it will be attached to the
+ *	resulting new rdataset in the database, or to the existing data if
+ *	the existing data was better.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * \li	'node' is a valid node.
+ *
+ * \li	'rdataset' is a valid, associated rdataset with the same class
+ *	as 'db'.
+ *
+ * \li	'addedrdataset' is NULL, or a valid, unassociated rdataset.
+ *
+ * \li	The database has zone semantics and 'version' is a valid
+ *	read-write version, or the database has cache semantics
+ *	and version is NULL.
+ *
+ * \li	If the database has cache semantics, the #DNS_DBADD_MERGE option must
+ *	not be set.
+ *
+ * Returns:
+ *
+ * \li	#ISC_R_SUCCESS
+ * \li	#DNS_R_UNCHANGED			The operation did not change
+ * anything. \li	#ISC_R_NOMEMORY \li	#DNS_R_NOTEXACT
+ *
+ * \li	Other results are possible, depending upon the database
+ *	implementation used.
+ */
+
+isc_result_t
+dns_db_subtractrdataset(dns_db_t *db, dns_dbnode_t *node,
+			dns_dbversion_t *version, dns_rdataset_t *rdataset,
+			unsigned int options, dns_rdataset_t *newrdataset);
+/*%<
+ * Remove any rdata in 'rdataset' from 'node' in version 'version' of
+ * 'db'.
+ *
+ * Notes:
+ *
+ * \li	If 'newrdataset' is not NULL, then it will be attached to the
+ *	resulting new rdataset in the database, unless the rdataset has
+ *	become nonexistent.  If DNS_DBSUB_EXACT is set then all elements
+ *	of 'rdataset' must exist at 'node'.
+ *
+ *\li	If DNS_DBSUB_WANTOLD is set and the entire rdataset was deleted
+ *	then return the original rdatatset in newrdataset if that existed.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * \li	'node' is a valid node.
+ *
+ * \li	'rdataset' is a valid, associated rdataset with the same class
+ *	as 'db'.
+ *
+ * \li	'newrdataset' is NULL, or a valid, unassociated rdataset.
+ *
+ * \li	The database has zone semantics and 'version' is a valid
+ *	read-write version.
+ *
+ * Returns:
+ *
+ * \li	#ISC_R_SUCCESS
+ * \li	#DNS_R_UNCHANGED			The operation did not change
+ * anything. \li	#DNS_R_NXRRSET			All rdata of the same
+ *type as
+ * those in 'rdataset' have been deleted. \li	#DNS_R_NOTEXACT
+ * Some part of 'rdataset' did not exist and DNS_DBSUB_EXACT was set.
+ *
+ * \li	Other results are possible, depending upon the database
+ *	implementation used.
+ */
+
+isc_result_t
+dns_db_deleterdataset(dns_db_t *db, dns_dbnode_t *node,
+		      dns_dbversion_t *version, dns_rdatatype_t type,
+		      dns_rdatatype_t covers);
+/*%<
+ * Make it so that no rdataset of type 'type' exists at 'node' in version
+ * version 'version' of 'db'.
+ *
+ * Notes:
+ *
+ * \li	If 'type' is dns_rdatatype_any, then no rdatasets will exist in
+ *	'version' (provided that the dns_db_deleterdataset() isn't followed
+ *	by one or more dns_db_addrdataset() calls).
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * \li	'node' is a valid node.
+ *
+ * \li	The database has zone semantics and 'version' is a valid
+ *	read-write version, or the database has cache semantics
+ *	and version is NULL.
+ *
+ * \li	'type' is not a meta-RR type, except for dns_rdatatype_any, which is
+ *	allowed.
+ *
+ * \li	If 'covers' != 0, 'type' must be SIG.
+ *
+ * Returns:
+ *
+ * \li	#ISC_R_SUCCESS
+ * \li	#DNS_R_UNCHANGED			No rdatasets of 'type' existed
+ * before the operation was attempted.
+ *
+ * \li	Other results are possible, depending upon the database
+ *	implementation used.
+ */
+
+isc_result_t
+dns_db_getsoaserial(dns_db_t *db, dns_dbversion_t *ver, uint32_t *serialp);
+/*%<
+ * Get the current SOA serial number from a zone database.
+ *
+ * Requires:
+ * \li	'db' is a valid database with zone semantics.
+ * \li	'ver' is a valid version.
+ */
+
+void
+dns_db_overmem(dns_db_t *db, bool overmem);
+/*%<
+ * Enable / disable aggressive cache cleaning.
+ */
+
+unsigned int
+dns_db_nodecount(dns_db_t *db);
+/*%<
+ * Count the number of nodes in 'db'.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * Returns:
+ * \li	The number of nodes in the database
+ */
+
+size_t
+dns_db_hashsize(dns_db_t *db);
+/*%<
+ * For database implementations using a hash table, report the
+ * current number of buckets.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * Returns:
+ * \li	The number of buckets in the database's hash table, or
+ *      0 if not implemented.
+ */
+
+isc_result_t
+dns_db_adjusthashsize(dns_db_t *db, size_t size);
+/*%<
+ * For database implementations using a hash table, adjust the size of
+ * the hash table to store objects with a maximum total memory footprint
+ * of 'size' bytes.  If 'size' is set to 0, it means no finite limit is
+ * requested.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ * \li  'size' is maximum memory footprint of the database in bytes
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS	The registration succeeded
+ * \li	#ISC_R_NOMEMORY	Out of memory
+ */
+
+void
+dns_db_settask(dns_db_t *db, isc_task_t *task);
+/*%<
+ * If task is set then the final detach maybe performed asynchronously.
+ *
+ * Requires:
+ * \li	'db' is a valid database.
+ * \li	'task' to be valid or NULL.
+ */
+
+bool
+dns_db_ispersistent(dns_db_t *db);
+/*%<
+ * Is 'db' persistent?  A persistent database does not need to be loaded
+ * from disk or written to disk.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * Returns:
+ * \li	#true	'db' is persistent.
+ * \li	#false	'db' is not persistent.
+ */
+
+isc_result_t
+dns_db_register(const char *name, dns_dbcreatefunc_t create, void *driverarg,
+		isc_mem_t *mctx, dns_dbimplementation_t **dbimp);
+
+/*%<
+ * Register a new database implementation and add it to the list of
+ * supported implementations.
+ *
+ * Requires:
+ *
+ * \li 	'name' is not NULL
+ * \li	'order' is a valid function pointer
+ * \li	'mctx' is a valid memory context
+ * \li	dbimp != NULL && *dbimp == NULL
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS	The registration succeeded
+ * \li	#ISC_R_NOMEMORY	Out of memory
+ * \li	#ISC_R_EXISTS	A database implementation with the same name exists
+ *
+ * Ensures:
+ *
+ * \li	*dbimp points to an opaque structure which must be passed to
+ *	dns_db_unregister().
+ */
+
+void
+dns_db_unregister(dns_dbimplementation_t **dbimp);
+/*%<
+ * Remove a database implementation from the list of supported
+ * implementations.  No databases of this type can be active when this
+ * is called.
+ *
+ * Requires:
+ * \li 	dbimp != NULL && *dbimp == NULL
+ *
+ * Ensures:
+ *
+ * \li	Any memory allocated in *dbimp will be freed.
+ */
+
+isc_result_t
+dns_db_getoriginnode(dns_db_t *db, dns_dbnode_t **nodep);
+/*%<
+ * Get the origin DB node corresponding to the DB's zone.  This function
+ * should typically succeed unless the underlying DB implementation doesn't
+ * support the feature.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid zone database.
+ * \li	'nodep' != NULL && '*nodep' == NULL
+ *
+ * Ensures:
+ * \li	On success, '*nodep' will point to the DB node of the zone's origin.
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOTFOUND - the DB implementation does not support this feature.
+ */
+
+isc_result_t
+dns_db_getnsec3parameters(dns_db_t *db, dns_dbversion_t *version,
+			  dns_hash_t *hash, uint8_t *flags,
+			  uint16_t *iterations, unsigned char *salt,
+			  size_t *salt_length);
+/*%<
+ * Get the NSEC3 parameters that are associated with this zone.
+ *
+ * Requires:
+ * \li	'db' is a valid zone database.
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOTFOUND - the DB implementation does not support this feature
+ *			  or this zone does not have NSEC3 records.
+ */
+
+isc_result_t
+dns_db_getsize(dns_db_t *db, dns_dbversion_t *version, uint64_t *records,
+	       uint64_t *xfrsize);
+/*%<
+ * On success if 'records' is not NULL, it is set to the number of records
+ * in the given version of the database. If 'xfrisize' is not NULL, it is
+ * set to the approximate number of bytes needed to transfer the records,
+ * counting name, TTL, type, class, and rdata for each RR.  (This is meant
+ * to be a rough approximation of the size of a full zone transfer, though
+ * it does not take into account DNS message overhead or name compression.)
+ *
+ * Requires:
+ * \li	'db' is a valid zone database.
+ * \li	'version' is NULL or a valid version.
+ * \li	'records' is NULL or a pointer to return the record count in.
+ * \li	'xfrsize' is NULL or a pointer to return the byte count in.
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOTIMPLEMENTED
+ */
+
+isc_result_t
+dns_db_findnsec3node(dns_db_t *db, const dns_name_t *name, bool create,
+		     dns_dbnode_t **nodep);
+/*%<
+ * Find the NSEC3 node with name 'name'.
+ *
+ * Notes:
+ * \li	If 'create' is true and no node with name 'name' exists, then
+ *	such a node will be created.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * \li	'name' is a valid, non-empty, absolute name.
+ *
+ * \li	nodep != NULL && *nodep == NULL
+ *
+ * Ensures:
+ *
+ * \li	On success, *nodep is attached to the node with name 'name'.
+ *
+ * Returns:
+ *
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOTFOUND			If !create and name not found.
+ * \li	#ISC_R_NOMEMORY			Can only happen if create is true.
+ *
+ * \li	Other results are possible, depending upon the database
+ *	implementation used.
+ */
+
+isc_result_t
+dns_db_setsigningtime(dns_db_t *db, dns_rdataset_t *rdataset,
+		      isc_stdtime_t resign);
+/*%<
+ * Sets the re-signing time associated with 'rdataset' to 'resign'.
+ *
+ * Requires:
+ * \li	'db' is a valid zone database.
+ * \li	'rdataset' is or is to be associated with 'db'.
+ * \li  'rdataset' is not pending removed from the heap via an
+ *       uncommitted call to dns_db_resigned().
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOMEMORY
+ * \li	#ISC_R_NOTIMPLEMENTED - Not supported by this DB implementation.
+ */
+
+isc_result_t
+dns_db_getsigningtime(dns_db_t *db, dns_rdataset_t *rdataset, dns_name_t *name);
+/*%<
+ * Return the rdataset with the earliest signing time in the zone.
+ * Note: the rdataset is version agnostic.
+ *
+ * Requires:
+ * \li	'db' is a valid zone database.
+ * \li	'rdataset' to be initialized but not associated.
+ * \li	'name' to be NULL or have a buffer associated with it.
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOTFOUND - No dataset exists.
+ */
+
+void
+dns_db_resigned(dns_db_t *db, dns_rdataset_t *rdataset,
+		dns_dbversion_t *version);
+/*%<
+ * Mark 'rdataset' as not being available to be returned by
+ * dns_db_getsigningtime().  If the changes associated with 'version'
+ * are committed this will be permanent.  If the version is not committed
+ * this change will be rolled back when the version is closed.  Until
+ * 'version' is either committed or rolled back, 'rdataset' can no longer
+ * be acted upon by dns_db_setsigningtime().
+ *
+ * Requires:
+ * \li	'db' is a valid zone database.
+ * \li	'rdataset' to be associated with 'db'.
+ * \li	'version' to be open for writing.
+ */
+
+dns_stats_t *
+dns_db_getrrsetstats(dns_db_t *db);
+/*%<
+ * Get statistics information counting RRsets stored in the DB, when available.
+ * The statistics may not be available depending on the DB implementation.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database (cache only).
+ *
+ * Returns:
+ * \li	when available, a pointer to a statistics object created by
+ *	dns_rdatasetstats_create(); otherwise NULL.
+ */
+
+isc_result_t
+dns_db_setcachestats(dns_db_t *db, isc_stats_t *stats);
+/*%<
+ * Set the location in which to collect cache statistics.
+ * This option may not exist depending on the DB implementation.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database (cache only).
+ *
+ * Returns:
+ * \li	when available, a pointer to a statistics object created by
+ *	dns_rdatasetstats_create(); otherwise NULL.
+ */
+
+void
+dns_db_rpz_attach(dns_db_t *db, void *rpzs, uint8_t rpz_num) ISC_DEPRECATED;
+/*%<
+ * Attach the response policy information for a view to a database for a
+ * zone for the view.
+ */
+
+isc_result_t
+dns_db_rpz_ready(dns_db_t *db) ISC_DEPRECATED;
+/*%<
+ * Finish loading a response policy zone.
+ */
+
+isc_result_t
+dns_db_updatenotify_register(dns_db_t *db, dns_dbupdate_callback_t fn,
+			     void *fn_arg);
+/*%<
+ * Register a notify-on-update callback function to a database.
+ * Duplicate callbacks are suppressed.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database
+ * \li	'fn' is not NULL
+ *
+ */
+
+isc_result_t
+dns_db_updatenotify_unregister(dns_db_t *db, dns_dbupdate_callback_t fn,
+			       void *fn_arg);
+/*%<
+ * Unregister a notify-on-update callback.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database
+ * \li	'db' has update callback registered
+ *
+ */
+
+isc_result_t
+dns_db_nodefullname(dns_db_t *db, dns_dbnode_t *node, dns_name_t *name);
+/*%<
+ * Get the name associated with a database node.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database
+ * \li	'node' and 'name' are not NULL
+ */
+
+isc_result_t
+dns_db_setservestalettl(dns_db_t *db, dns_ttl_t ttl);
+/*%<
+ * Sets the maximum length of time that cached answers may be retained
+ * past their normal TTL. Default value for the library is 0, disabling
+ * the use of stale data.
+ *
+ * Requires:
+ * \li	'db' is a valid cache database.
+ * \li	'ttl' is the number of seconds to retain data past its normal expiry.
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOTIMPLEMENTED - Not supported by this DB implementation.
+ */
+
+isc_result_t
+dns_db_getservestalettl(dns_db_t *db, dns_ttl_t *ttl);
+/*%<
+ * Gets maximum length of time that cached answers may be kept past
+ * normal TTL expiration.
+ *
+ * Requires:
+ * \li	'db' is a valid cache database.
+ * \li	'ttl' is the number of seconds to retain data past its normal expiry.
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOTIMPLEMENTED - Not supported by this DB implementation.
+ */
+
+isc_result_t
+dns_db_setservestalerefresh(dns_db_t *db, uint32_t interval);
+/*%<
+ * Sets the length of time to wait before attempting to refresh a rrset
+ * if a previous attempt in doing so has failed.
+ * During this time window if stale rrset are available in cache they
+ * will be directly returned to client.
+ *
+ * Requires:
+ * \li	'db' is a valid cache database.
+ * \li	'interval' is number of seconds before attempting to refresh data.
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOTIMPLEMENTED - Not supported by this DB implementation.
+ */
+
+isc_result_t
+dns_db_getservestalerefresh(dns_db_t *db, uint32_t *interval);
+/*%<
+ * Gets the length of time in which stale answers are directly returned from
+ * cache before attempting to refresh them, in case a previous attempt in
+ * doing so has failed.
+ *
+ * Requires:
+ * \li	'db' is a valid cache database.
+ * \li	'interval' is number of seconds before attempting to refresh data.
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOTIMPLEMENTED - Not supported by this DB implementation.
+ */
+
+isc_result_t
+dns_db_setgluecachestats(dns_db_t *db, isc_stats_t *stats);
+/*%<
+ * Set the location in which to collect glue cache statistics.
+ * This option may not exist depending on the DB implementation.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database (cache only).
+ *
+ * Returns:
+ * \li	when available, a pointer to a statistics object created by
+ *	dns_rdatasetstats_create(); otherwise NULL.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_DB_H */
diff --git a/lib/dns/include/dns/dbiterator.h b/lib/dns/include/dns/dbiterator.h
new file mode 100644
index 0000000..32f204a
--- /dev/null
+++ b/lib/dns/include/dns/dbiterator.h
@@ -0,0 +1,293 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_DBITERATOR_H
+#define DNS_DBITERATOR_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file dns/dbiterator.h
+ * \brief
+ * The DNS DB Iterator interface allows iteration of all of the nodes in a
+ * database.
+ *
+ * The dns_dbiterator_t type is like a "virtual class".  To actually use
+ * it, an implementation of the class is required.  This implementation is
+ * supplied by the database.
+ *
+ * It is the client's responsibility to call dns_db_detachnode() on all
+ * nodes returned.
+ *
+ * XXX &lt;more&gt; XXX
+ *
+ * MP:
+ *\li	The iterator itself is not locked.  The caller must ensure
+ *	synchronization.
+ *
+ *\li	The iterator methods ensure appropriate database locking.
+ *
+ * Reliability:
+ *\li	No anticipated impact.
+ *
+ * Resources:
+ *\li	TBS
+ *
+ * Security:
+ *\li	No anticipated impact.
+ *
+ * Standards:
+ *\li	None.
+ */
+
+/*****
+***** Imports
+*****/
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*****
+***** Types
+*****/
+
+typedef struct dns_dbiteratormethods {
+	void (*destroy)(dns_dbiterator_t **iteratorp);
+	isc_result_t (*first)(dns_dbiterator_t *iterator);
+	isc_result_t (*last)(dns_dbiterator_t *iterator);
+	isc_result_t (*seek)(dns_dbiterator_t *iterator,
+			     const dns_name_t *name);
+	isc_result_t (*prev)(dns_dbiterator_t *iterator);
+	isc_result_t (*next)(dns_dbiterator_t *iterator);
+	isc_result_t (*current)(dns_dbiterator_t *iterator,
+				dns_dbnode_t **nodep, dns_name_t *name);
+	isc_result_t (*pause)(dns_dbiterator_t *iterator);
+	isc_result_t (*origin)(dns_dbiterator_t *iterator, dns_name_t *name);
+} dns_dbiteratormethods_t;
+
+#define DNS_DBITERATOR_MAGIC	  ISC_MAGIC('D', 'N', 'S', 'I')
+#define DNS_DBITERATOR_VALID(dbi) ISC_MAGIC_VALID(dbi, DNS_DBITERATOR_MAGIC)
+/*%
+ * This structure is actually just the common prefix of a DNS db
+ * implementation's version of a dns_dbiterator_t.
+ *
+ * Clients may use the 'db' field of this structure.  Except for that field,
+ * direct use of this structure by clients is forbidden.  DB implementations
+ * may change the structure.  'magic' must be DNS_DBITERATOR_MAGIC for any of
+ * the dns_dbiterator routines to work.  DB iterator implementations must
+ * maintain all DB iterator invariants.
+ */
+struct dns_dbiterator {
+	/* Unlocked. */
+	unsigned int		 magic;
+	dns_dbiteratormethods_t *methods;
+	dns_db_t		*db;
+	bool			 relative_names;
+	bool			 cleaning;
+};
+
+void
+dns_dbiterator_destroy(dns_dbiterator_t **iteratorp);
+/*%<
+ * Destroy '*iteratorp'.
+ *
+ * Requires:
+ *
+ *\li	'*iteratorp' is a valid iterator.
+ *
+ * Ensures:
+ *
+ *\li	All resources used by the iterator are freed.
+ *
+ *\li	*iteratorp == NULL.
+ */
+
+isc_result_t
+dns_dbiterator_first(dns_dbiterator_t *iterator);
+/*%<
+ * Move the node cursor to the first node in the database (if any).
+ *
+ * Requires:
+ *\li	'iterator' is a valid iterator.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMORE			There are no nodes in the database.
+ *
+ *\li	Other results are possible, depending on the DB implementation.
+ */
+
+isc_result_t
+dns_dbiterator_last(dns_dbiterator_t *iterator);
+/*%<
+ * Move the node cursor to the last node in the database (if any).
+ *
+ * Requires:
+ *\li	'iterator' is a valid iterator.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMORE			There are no nodes in the database.
+ *
+ *\li	Other results are possible, depending on the DB implementation.
+ */
+
+isc_result_t
+dns_dbiterator_seek(dns_dbiterator_t *iterator, const dns_name_t *name);
+/*%<
+ * Move the node cursor to the node with name 'name'.
+ *
+ * Requires:
+ *\li	'iterator' is a valid iterator.
+ *
+ *\li	'name' is a valid name.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOTFOUND
+ *\li	#DNS_R_PARTIALMATCH
+ *	(node is at name above requested named when name has children)
+ *
+ *\li	Other results are possible, depending on the DB implementation.
+ */
+
+isc_result_t
+dns_dbiterator_prev(dns_dbiterator_t *iterator);
+/*%<
+ * Move the node cursor to the previous node in the database (if any).
+ *
+ * Requires:
+ *\li	'iterator' is a valid iterator.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMORE			There are no more nodes in the
+ *					database.
+ *
+ *\li	Other results are possible, depending on the DB implementation.
+ */
+
+isc_result_t
+dns_dbiterator_next(dns_dbiterator_t *iterator);
+/*%<
+ * Move the node cursor to the next node in the database (if any).
+ *
+ * Requires:
+ *\li	'iterator' is a valid iterator.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMORE			There are no more nodes in the
+ *					database.
+ *
+ *\li	Other results are possible, depending on the DB implementation.
+ */
+
+isc_result_t
+dns_dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep,
+		       dns_name_t *name);
+/*%<
+ * Return the current node.
+ *
+ * Notes:
+ *\li	If 'name' is not NULL, it will be set to the name of the node.
+ *
+ * Requires:
+ *\li	'iterator' is a valid iterator.
+ *
+ *\li	nodep != NULL && *nodep == NULL
+ *
+ *\li	The node cursor of 'iterator' is at a valid location (i.e. the
+ *	result of last call to a cursor movement command was ISC_R_SUCCESS).
+ *
+ *\li	'name' is NULL, or is a valid name with a dedicated buffer.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#DNS_R_NEWORIGIN			If this iterator was created
+ * with 'relative_names' set to true, then #DNS_R_NEWORIGIN will be returned
+ *when
+ * the origin the names are relative to changes.  This result can occur only
+ *when
+ *'name' is not NULL.  This is also a successful result.
+ *
+ *\li	Other results are possible, depending on the DB implementation.
+ */
+
+isc_result_t
+dns_dbiterator_pause(dns_dbiterator_t *iterator);
+/*%<
+ * Pause iteration.
+ *
+ * Calling a cursor movement method or dns_dbiterator_current() may cause
+ * database locks to be acquired.  Rather than reacquire these locks every
+ * time one of these routines is called, the locks may simply be held.
+ * Calling dns_dbiterator_pause() releases any such locks.  Iterator clients
+ * should call this routine any time they are not going to execute another
+ * iterator method in the immediate future.
+ *
+ * Requires:
+ *\li	'iterator' is a valid iterator.
+ *
+ * Ensures:
+ *\li	Any database locks being held for efficiency of iterator access are
+ *	released.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *
+ *\li	Other results are possible, depending on the DB implementation.
+ */
+
+isc_result_t
+dns_dbiterator_origin(dns_dbiterator_t *iterator, dns_name_t *name);
+/*%<
+ * Return the origin to which returned node names are relative.
+ *
+ * Requires:
+ *
+ *\li	'iterator' is a valid relative_names iterator.
+ *
+ *\li	'name' is a valid name with a dedicated buffer.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOSPACE
+ *
+ *\li	Other results are possible, depending on the DB implementation.
+ */
+
+void
+dns_dbiterator_setcleanmode(dns_dbiterator_t *iterator, bool mode);
+/*%<
+ * Indicate that the given iterator is/is not cleaning the DB.
+ *
+ * Notes:
+ *\li	When 'mode' is true,
+ *
+ * Requires:
+ *\li	'iterator' is a valid iterator.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_DBITERATOR_H */
diff --git a/lib/dns/include/dns/dbtable.h b/lib/dns/include/dns/dbtable.h
new file mode 100644
index 0000000..dc1a991
--- /dev/null
+++ b/lib/dns/include/dns/dbtable.h
@@ -0,0 +1,159 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_DBTABLE_H
+#define DNS_DBTABLE_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file dns/dbtable.h
+ * \brief
+ * DNS DB Tables
+ *
+ * XXX TBS XXX
+ *
+ * MP:
+ *\li	The module ensures appropriate synchronization of data structures it
+ *	creates and manipulates.
+ *
+ * Reliability:
+ *\li	No anticipated impact.
+ *
+ * Resources:
+ *\li	None.
+ *
+ * Security:
+ *\li	No anticipated impact.
+ *
+ * Standards:
+ *\li	None.
+ */
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+#define DNS_DBTABLEFIND_NOEXACT 0x01
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_dbtable_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
+		   dns_dbtable_t **dbtablep);
+/*%<
+ * Make a new dbtable of class 'rdclass'
+ *
+ * Requires:
+ *\li	mctx != NULL
+ * \li	dbtablep != NULL && *dptablep == NULL
+ *\li	'rdclass' is a valid class
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_UNEXPECTED
+ */
+
+void
+dns_dbtable_attach(dns_dbtable_t *source, dns_dbtable_t **targetp);
+/*%<
+ * Attach '*targetp' to 'source'.
+ *
+ * Requires:
+ *
+ *\li	'source' is a valid dbtable.
+ *
+ *\li	'targetp' points to a NULL dns_dbtable_t *.
+ *
+ * Ensures:
+ *
+ *\li	*targetp is attached to source.
+ */
+
+void
+dns_dbtable_detach(dns_dbtable_t **dbtablep);
+/*%<
+ * Detach *dbtablep from its dbtable.
+ *
+ * Requires:
+ *
+ *\li	'*dbtablep' points to a valid dbtable.
+ *
+ * Ensures:
+ *
+ *\li	*dbtablep is NULL.
+ *
+ *\li	If '*dbtablep' is the last reference to the dbtable,
+ *		all resources used by the dbtable will be freed
+ */
+
+isc_result_t
+dns_dbtable_add(dns_dbtable_t *dbtable, dns_db_t *db);
+/*%<
+ * Add 'db' to 'dbtable'.
+ *
+ * Requires:
+ *\li	'dbtable' is a valid dbtable.
+ *
+ *\li	'db' is a valid database with the same class as 'dbtable'
+ */
+
+void
+dns_dbtable_remove(dns_dbtable_t *dbtable, dns_db_t *db);
+/*%<
+ * Remove 'db' from 'dbtable'.
+ *
+ * Requires:
+ *\li	'db' was previously added to 'dbtable'.
+ */
+
+void
+dns_dbtable_adddefault(dns_dbtable_t *dbtable, dns_db_t *db);
+/*%<
+ * Use 'db' as the result of a dns_dbtable_find() if no better match is
+ * available.
+ */
+
+void
+dns_dbtable_getdefault(dns_dbtable_t *dbtable, dns_db_t **db);
+/*%<
+ * Get the 'db' used as the result of a dns_dbtable_find()
+ * if no better match is available.
+ */
+
+void
+dns_dbtable_removedefault(dns_dbtable_t *dbtable);
+/*%<
+ * Remove the default db from 'dbtable'.
+ */
+
+isc_result_t
+dns_dbtable_find(dns_dbtable_t *dbtable, const dns_name_t *name,
+		 unsigned int options, dns_db_t **dbp);
+/*%<
+ * Find the deepest match to 'name' in the dbtable, and return it
+ *
+ * Notes:
+ *\li	If the DNS_DBTABLEFIND_NOEXACT option is set, the best partial
+ *	match (if any) to 'name' will be returned.
+ *
+ * Returns:
+ * \li #ISC_R_SUCCESS		on success
+ *\li	     something else:		no default and match
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_DBTABLE_H */
diff --git a/lib/dns/include/dns/diff.h b/lib/dns/include/dns/diff.h
new file mode 100644
index 0000000..48e1b2e
--- /dev/null
+++ b/lib/dns/include/dns/diff.h
@@ -0,0 +1,282 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_DIFF_H
+#define DNS_DIFF_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file dns/diff.h
+ * \brief
+ * A diff is a convenience type representing a list of changes to be
+ * made to a database.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/types.h>
+
+/***
+ *** Types
+ ***/
+
+/*%
+ * A dns_difftuple_t represents a single RR being added or deleted.
+ * The RR type and class are in the 'rdata' member; the class is always
+ * the real one, not a DynDNS meta-class, so that the rdatas can be
+ * compared using dns_rdata_compare().  The TTL is significant
+ * even for deletions, because a deletion/addition pair cannot
+ * be canceled out if the TTL differs (it might be an explicit
+ * TTL update).
+ *
+ * Tuples are also used to represent complete RRs with owner
+ * names for a couple of other purposes, such as the
+ * individual RRs of a "RRset exists (value dependent)"
+ * prerequisite set.  In this case, op==DNS_DIFFOP_EXISTS,
+ * and the TTL is ignored.
+ *
+ * DNS_DIFFOP_*RESIGN will cause the 'resign' attribute of the resulting
+ * RRset to be recomputed to be 'resign' seconds before the earliest RRSIG
+ * timeexpire.
+ */
+
+typedef enum {
+	DNS_DIFFOP_ADD = 0,	  /*%< Add an RR. */
+	DNS_DIFFOP_DEL = 1,	  /*%< Delete an RR. */
+	DNS_DIFFOP_EXISTS = 2,	  /*%< Assert RR existence. */
+	DNS_DIFFOP_ADDRESIGN = 4, /*%< ADD + RESIGN. */
+	DNS_DIFFOP_DELRESIGN = 5  /*%< DEL + RESIGN. */
+} dns_diffop_t;
+
+typedef struct dns_difftuple dns_difftuple_t;
+typedef ISC_LIST(dns_difftuple_t) dns_difftuplelist_t;
+
+#define DNS_DIFFTUPLE_MAGIC    ISC_MAGIC('D', 'I', 'F', 'T')
+#define DNS_DIFFTUPLE_VALID(t) ISC_MAGIC_VALID(t, DNS_DIFFTUPLE_MAGIC)
+
+struct dns_difftuple {
+	unsigned int magic;
+	isc_mem_t   *mctx;
+	dns_diffop_t op;
+	dns_name_t   name;
+	dns_ttl_t    ttl;
+	dns_rdata_t  rdata;
+	ISC_LINK(dns_difftuple_t) link;
+	/* Variable-size name data and rdata follows. */
+};
+
+/*%
+ * A dns_diff_t represents a set of changes being applied to
+ * a zone.  Diffs are also used to represent "RRset exists
+ * (value dependent)" prerequisites.
+ */
+typedef struct dns_diff dns_diff_t;
+
+#define DNS_DIFF_MAGIC	  ISC_MAGIC('D', 'I', 'F', 'F')
+#define DNS_DIFF_VALID(t) ISC_MAGIC_VALID(t, DNS_DIFF_MAGIC)
+
+struct dns_diff {
+	unsigned int	    magic;
+	isc_mem_t	   *mctx;
+	dns_difftuplelist_t tuples;
+};
+
+/* Type of comparison function for sorting diffs. */
+typedef int
+dns_diff_compare_func(const void *, const void *);
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+/**************************************************************************/
+/*
+ * Manipulation of diffs and tuples.
+ */
+
+isc_result_t
+dns_difftuple_create(isc_mem_t *mctx, dns_diffop_t op, const dns_name_t *name,
+		     dns_ttl_t ttl, dns_rdata_t *rdata, dns_difftuple_t **tp);
+/*%<
+ * Create a tuple.  Deep copies are made of the name and rdata, so
+ * they need not remain valid after the call.
+ *
+ * Requires:
+ *\li	*tp != NULL && *tp == NULL.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS
+ *  \li    ISC_R_NOMEMORY
+ */
+
+void
+dns_difftuple_free(dns_difftuple_t **tp);
+/*%<
+ * Free a tuple.
+ *
+ * Requires:
+ *    \li   **tp is a valid tuple.
+ *
+ * Ensures:
+ *     \li  *tp == NULL
+ *      \li All memory used by the tuple is freed.
+ */
+
+isc_result_t
+dns_difftuple_copy(dns_difftuple_t *orig, dns_difftuple_t **copyp);
+/*%<
+ * Copy a tuple.
+ *
+ * Requires:
+ * \li	'orig' points to a valid tuple
+ *\li	copyp != NULL && *copyp == NULL
+ */
+
+void
+dns_diff_init(isc_mem_t *mctx, dns_diff_t *diff);
+/*%<
+ * Initialize a diff.
+ *
+ * Requires:
+ * \li   'diff' points to an uninitialized dns_diff_t
+ *  \li  allocated by the caller.
+ *
+ * Ensures:
+ * \li   '*diff' is a valid, empty diff.
+ */
+
+void
+dns_diff_clear(dns_diff_t *diff);
+/*%<
+ * Clear a diff, destroying all its tuples.
+ *
+ * Requires:
+ * \li   'diff' points to a valid dns_diff_t.
+ *
+ * Ensures:
+ * \li    Any tuples in the diff are destroyed.
+ *     The diff now empty, but it is still valid
+ *     and may be reused without calling dns_diff_init
+ *     again.  The only memory used is that of the
+ *     dns_diff_t structure itself.
+ *
+ * Notes:
+ * \li    Managing the memory of the dns_diff_t structure itself
+ *     is the caller's responsibility.
+ */
+
+void
+dns_diff_append(dns_diff_t *diff, dns_difftuple_t **tuple);
+/*%<
+ * Append a single tuple to a diff.
+ *
+ *\li	'diff' is a valid diff.
+ * \li	'*tuple' is a valid tuple.
+ *
+ * Ensures:
+ *\li	*tuple is NULL.
+ *\li	The tuple has been freed, or will be freed when the diff is cleared.
+ */
+
+void
+dns_diff_appendminimal(dns_diff_t *diff, dns_difftuple_t **tuple);
+/*%<
+ * Append 'tuple' to 'diff', removing any duplicate
+ * or conflicting updates as needed to create a minimal diff.
+ *
+ * Requires:
+ *\li	'diff' is a minimal diff.
+ *
+ * Ensures:
+ *\li	'diff' is still a minimal diff.
+ *  \li 	*tuple is NULL.
+ *   \li	The tuple has been freed, or will be freed when the diff is
+ * cleared.
+ *
+ */
+
+isc_result_t
+dns_diff_sort(dns_diff_t *diff, dns_diff_compare_func *compare);
+/*%<
+ * Sort 'diff' in-place according to the comparison function 'compare'.
+ */
+
+isc_result_t
+dns_diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver);
+isc_result_t
+dns_diff_applysilently(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver);
+/*%<
+ * Apply 'diff' to the database 'db'.
+ *
+ * dns_diff_apply() logs warnings about updates with no effect or
+ * with inconsistent TTLs; dns_diff_applysilently() does not.
+ *
+ * For efficiency, the diff should be sorted by owner name.
+ * If it is not sorted, operation will still be correct,
+ * but less efficient.
+ *
+ * Requires:
+ *\li	*diff is a valid diff (possibly empty), containing
+ *   	tuples of type #DNS_DIFFOP_ADD and/or
+ *  	For #DNS_DIFFOP_DEL tuples, the TTL is ignored.
+ *
+ */
+
+isc_result_t
+dns_diff_load(dns_diff_t *diff, dns_addrdatasetfunc_t addfunc,
+	      void *add_private);
+/*%<
+ * Like dns_diff_apply, but for use when loading a new database
+ * instead of modifying an existing one.  This bypasses the
+ * database transaction mechanisms.
+ *
+ * Requires:
+ *\li 	'addfunc' is a valid dns_addradatasetfunc_t obtained from
+ * 	dns_db_beginload()
+ *
+ *\li	'add_private' points to a corresponding dns_dbload_t *
+ *      (XXX why is it a void pointer, then?)
+ */
+
+isc_result_t
+dns_diff_print(dns_diff_t *diff, FILE *file);
+
+/*%<
+ * Print the differences to 'file' or if 'file' is NULL via the
+ * logging system.
+ *
+ * Require:
+ *\li	'diff' to be valid.
+ *\li	'file' to refer to a open file or NULL.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_UNEXPECTED
+ *\li	any error from dns_rdataset_totext()
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_DIFF_H */
diff --git a/lib/dns/include/dns/dispatch.h b/lib/dns/include/dns/dispatch.h
new file mode 100644
index 0000000..6061843
--- /dev/null
+++ b/lib/dns/include/dns/dispatch.h
@@ -0,0 +1,586 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_DISPATCH_H
+#define DNS_DISPATCH_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file dns/dispatch.h
+ * \brief
+ * DNS Dispatch Management
+ * 	Shared UDP and single-use TCP dispatches for queries and responses.
+ *
+ * MP:
+ *
+ *\li     	All locking is performed internally to each dispatch.
+ * 	Restrictions apply to dns_dispatch_removeresponse().
+ *
+ * Reliability:
+ *
+ * Resources:
+ *
+ * Security:
+ *
+ *\li	Depends on the isc_socket_t and dns_message_t for prevention of
+ *	buffer overruns.
+ *
+ * Standards:
+ *
+ *\li	None.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/buffer.h>
+#include <isc/lang.h>
+#include <isc/mutex.h>
+#include <isc/socket.h>
+#include <isc/types.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*%
+ * This event is sent to a task when a response comes in.
+ * No part of this structure should ever be modified by the caller,
+ * other than parts of the buffer.  The holy parts of the buffer are
+ * the base and size of the buffer.  All other parts of the buffer may
+ * be used.  On event delivery the used region contains the packet.
+ *
+ * "id" is the received message id,
+ *
+ * "addr" is the host that sent it to us,
+ *
+ * "buffer" holds state on the received data.
+ *
+ * The "free" routine for this event will clean up itself as well as
+ * any buffer space allocated from common pools.
+ */
+
+struct dns_dispatchevent {
+	ISC_EVENT_COMMON(dns_dispatchevent_t); /*%< standard event common */
+	isc_result_t	   result;	       /*%< result code */
+	int32_t		   id;		       /*%< message id */
+	isc_sockaddr_t	   addr;	       /*%< address recv'd from */
+	struct in6_pktinfo pktinfo;	       /*%< reply info for v6 */
+	isc_buffer_t	   buffer;	       /*%< data buffer */
+	uint32_t	   attributes;	       /*%< mirrored from socket.h */
+};
+
+/*%
+ * This is a set of one or more dispatches which can be retrieved
+ * round-robin fashion.
+ */
+struct dns_dispatchset {
+	isc_mem_t	*mctx;
+	dns_dispatch_t **dispatches;
+	int		 ndisp;
+	int		 cur;
+	isc_mutex_t	 lock;
+};
+
+/*@{*/
+/*%
+ * Attributes for added dispatchers.
+ *
+ * Values with the mask 0xffff0000 are application defined.
+ * Values with the mask 0x0000ffff are library defined.
+ *
+ * Insane values (like setting both TCP and UDP) are not caught.  Don't
+ * do that.
+ *
+ * _PRIVATE
+ *	The dispatcher cannot be shared.
+ *
+ * _TCP, _UDP
+ *	The dispatcher is a TCP or UDP socket.
+ *
+ * _IPV4, _IPV6
+ *	The dispatcher uses an IPv4 or IPv6 socket.
+ *
+ * _NOLISTEN
+ *	The dispatcher should not listen on the socket.
+ *
+ * _MAKEQUERY
+ *	The dispatcher can be used to issue queries to other servers, and
+ *	accept replies from them.
+ *
+ * _RANDOMPORT
+ *	Previously used to indicate that the port of a dispatch UDP must be
+ *	chosen randomly.  This behavior now always applies and the attribute
+ *	is obsoleted.
+ *
+ * _EXCLUSIVE
+ *	A separate socket will be used on-demand for each transaction.
+ */
+#define DNS_DISPATCHATTR_PRIVATE   0x00000001U
+#define DNS_DISPATCHATTR_TCP	   0x00000002U
+#define DNS_DISPATCHATTR_UDP	   0x00000004U
+#define DNS_DISPATCHATTR_IPV4	   0x00000008U
+#define DNS_DISPATCHATTR_IPV6	   0x00000010U
+#define DNS_DISPATCHATTR_NOLISTEN  0x00000020U
+#define DNS_DISPATCHATTR_MAKEQUERY 0x00000040U
+#define DNS_DISPATCHATTR_CONNECTED 0x00000080U
+#define DNS_DISPATCHATTR_FIXEDID   0x00000100U
+#define DNS_DISPATCHATTR_EXCLUSIVE 0x00000200U
+#define DNS_DISPATCHATTR_CANREUSE  0x00000400U
+/*@}*/
+
+/*
+ */
+#define DNS_DISPATCHOPT_FIXEDID 0x00000001U
+
+isc_result_t
+dns_dispatchmgr_create(isc_mem_t *mctx, dns_dispatchmgr_t **mgrp);
+/*%<
+ * Creates a new dispatchmgr object.
+ *
+ * Requires:
+ *\li	"mctx" be a valid memory context.
+ *
+ *\li	mgrp != NULL && *mgrp == NULL
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS	-- all ok
+ *
+ *\li	anything else	-- failure
+ */
+
+void
+dns_dispatchmgr_destroy(dns_dispatchmgr_t **mgrp);
+/*%<
+ * Destroys the dispatchmgr when it becomes empty.  This could be
+ * immediately.
+ *
+ * Requires:
+ *\li	mgrp != NULL && *mgrp is a valid dispatchmgr.
+ */
+
+void
+dns_dispatchmgr_setblackhole(dns_dispatchmgr_t *mgr, dns_acl_t *blackhole);
+/*%<
+ * Sets the dispatcher's "blackhole list," a list of addresses that will
+ * be ignored by all dispatchers created by the dispatchmgr.
+ *
+ * Requires:
+ * \li	mgrp is a valid dispatchmgr
+ * \li	blackhole is a valid acl
+ */
+
+dns_acl_t *
+dns_dispatchmgr_getblackhole(dns_dispatchmgr_t *mgr);
+/*%<
+ * Gets a pointer to the dispatcher's current blackhole list,
+ * without incrementing its reference count.
+ *
+ * Requires:
+ *\li 	mgr is a valid dispatchmgr
+ * Returns:
+ *\li	A pointer to the current blackhole list, or NULL.
+ */
+
+void
+dns_dispatchmgr_setblackportlist(dns_dispatchmgr_t *mgr,
+				 dns_portlist_t	   *portlist);
+/*%<
+ * This function is deprecated.  Use dns_dispatchmgr_setavailports() instead.
+ *
+ * Requires:
+ *\li	mgr is a valid dispatchmgr
+ */
+
+dns_portlist_t *
+dns_dispatchmgr_getblackportlist(dns_dispatchmgr_t *mgr);
+/*%<
+ * This function is deprecated and always returns NULL.
+ *
+ * Requires:
+ *\li	mgr is a valid dispatchmgr
+ */
+
+isc_result_t
+dns_dispatchmgr_setavailports(dns_dispatchmgr_t *mgr, isc_portset_t *v4portset,
+			      isc_portset_t *v6portset);
+/*%<
+ * Sets a list of UDP ports that can be used for outgoing UDP messages.
+ *
+ * Requires:
+ *\li	mgr is a valid dispatchmgr
+ *\li	v4portset is NULL or a valid port set
+ *\li	v6portset is NULL or a valid port set
+ */
+
+void
+dns_dispatchmgr_setstats(dns_dispatchmgr_t *mgr, isc_stats_t *stats);
+/*%<
+ * Sets statistics counter for the dispatchmgr.  This function is expected to
+ * be called only on zone creation (when necessary).
+ * Once installed, it cannot be removed or replaced.  Also, there is no
+ * interface to get the installed stats from the zone; the caller must keep the
+ * stats to reference (e.g. dump) it later.
+ *
+ * Requires:
+ *\li	mgr is a valid dispatchmgr with no managed dispatch.
+ *\li	stats is a valid statistics supporting resolver statistics counters
+ *	(see dns/stats.h).
+ */
+
+isc_result_t
+dns_dispatch_getudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
+		    isc_taskmgr_t *taskmgr, const isc_sockaddr_t *localaddr,
+		    unsigned int buffersize, unsigned int maxbuffers,
+		    unsigned int maxrequests, unsigned int buckets,
+		    unsigned int increment, unsigned int attributes,
+		    unsigned int mask, dns_dispatch_t **dispp);
+
+isc_result_t
+dns_dispatch_getudp_dup(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
+			isc_taskmgr_t *taskmgr, const isc_sockaddr_t *localaddr,
+			unsigned int buffersize, unsigned int maxbuffers,
+			unsigned int maxrequests, unsigned int buckets,
+			unsigned int increment, unsigned int attributes,
+			unsigned int mask, dns_dispatch_t **dispp,
+			dns_dispatch_t *dup);
+/*%<
+ * Attach to existing dns_dispatch_t if one is found with dns_dispatchmgr_find,
+ * otherwise create a new UDP dispatch.
+ *
+ * Requires:
+ *\li	All pointer parameters be valid for their respective types.
+ *
+ *\li	dispp != NULL && *disp == NULL
+ *
+ *\li	512 <= buffersize <= 64k
+ *
+ *\li	maxbuffers > 0
+ *
+ *\li	buckets < 2097169
+ *
+ *\li	increment > buckets
+ *
+ *\li	(attributes & DNS_DISPATCHATTR_TCP) == 0
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS	-- success.
+ *
+ *\li	Anything else	-- failure.
+ */
+
+isc_result_t
+dns_dispatch_createtcp(dns_dispatchmgr_t *mgr, isc_socket_t *sock,
+		       isc_taskmgr_t *taskmgr, const isc_sockaddr_t *localaddr,
+		       const isc_sockaddr_t *destaddr, unsigned int buffersize,
+		       unsigned int maxbuffers, unsigned int maxrequests,
+		       unsigned int buckets, unsigned int increment,
+		       unsigned int attributes, dns_dispatch_t **dispp);
+/*%<
+ * Create a new dns_dispatch and attach it to the provided isc_socket_t.
+ *
+ * For all dispatches, "buffersize" is the maximum packet size we will
+ * accept.
+ *
+ * "maxbuffers" and "maxrequests" control the number of buffers in the
+ * overall system and the number of buffers which can be allocated to
+ * requests.
+ *
+ * "buckets" is the number of buckets to use, and should be prime.
+ *
+ * "increment" is used in a collision avoidance function, and needs to be
+ * a prime > buckets, and not 2.
+ *
+ * Requires:
+ *
+ *\li	mgr is a valid dispatch manager.
+ *
+ *\li	sock is a valid.
+ *
+ *\li	task is a valid task that can be used internally to this dispatcher.
+ *
+ * \li	512 <= buffersize <= 64k
+ *
+ *\li	maxbuffers > 0.
+ *
+ *\li	maxrequests <= maxbuffers.
+ *
+ *\li	buckets < 2097169 (the next prime after 65536 * 32)
+ *
+ *\li	increment > buckets (and prime).
+ *
+ *\li	attributes includes #DNS_DISPATCHATTR_TCP and does not include
+ *	#DNS_DISPATCHATTR_UDP.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS	-- success.
+ *
+ *\li	Anything else	-- failure.
+ */
+
+void
+dns_dispatch_attach(dns_dispatch_t *disp, dns_dispatch_t **dispp);
+/*%<
+ * Attach to a dispatch handle.
+ *
+ * Requires:
+ *\li	disp is valid.
+ *
+ *\li	dispp != NULL && *dispp == NULL
+ */
+
+void
+dns_dispatch_detach(dns_dispatch_t **dispp);
+/*%<
+ * Detaches from the dispatch.
+ *
+ * Requires:
+ *\li	dispp != NULL and *dispp be a valid dispatch.
+ */
+
+void
+dns_dispatch_starttcp(dns_dispatch_t *disp);
+/*%<
+ * Start processing of a TCP dispatch once the socket connects.
+ *
+ * Requires:
+ *\li	'disp' is valid.
+ */
+
+isc_result_t
+dns_dispatch_gettcp(dns_dispatchmgr_t *mgr, const isc_sockaddr_t *destaddr,
+		    const isc_sockaddr_t *localaddr, bool *connected,
+		    dns_dispatch_t **dispp);
+/*
+ * Attempt to connect to a existing TCP connection (connection completed
+ * if connected == NULL).
+ */
+
+isc_result_t
+dns_dispatch_addresponse(dns_dispatch_t *disp, unsigned int options,
+			 const isc_sockaddr_t *dest, isc_task_t *task,
+			 isc_taskaction_t action, void *arg, uint16_t *idp,
+			 dns_dispentry_t **resp, isc_socketmgr_t *sockmgr);
+/*%<
+ * Add a response entry for this dispatch.
+ *
+ * "*idp" is filled in with the assigned message ID, and *resp is filled in
+ * to contain the magic token used to request event flow stop.
+ *
+ * Arranges for the given task to get a callback for response packets.  When
+ * the event is delivered, it must be returned using dns_dispatch_freeevent()
+ * or through dns_dispatch_removeresponse() for another to be delivered.
+ *
+ * Requires:
+ *\li	"idp" be non-NULL.
+ *
+ *\li	"task" "action" and "arg" be set as appropriate.
+ *
+ *\li	"dest" be non-NULL and valid.
+ *
+ *\li	"resp" be non-NULL and *resp be NULL
+ *
+ *\li	"sockmgr" be NULL or a valid socket manager.  If 'disp' has
+ *	the DNS_DISPATCHATTR_EXCLUSIVE attribute, this must not be NULL,
+ *	which also means dns_dispatch_addresponse() cannot be used.
+ *
+ * Ensures:
+ *
+ *\li	&lt;id, dest> is a unique tuple.  That means incoming messages
+ *	are identifiable.
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS		-- all is well.
+ *\li	ISC_R_NOMEMORY		-- memory could not be allocated.
+ *\li	ISC_R_NOMORE		-- no more message ids can be allocated
+ *				   for this destination.
+ */
+
+void
+dns_dispatch_removeresponse(dns_dispentry_t	**resp,
+			    dns_dispatchevent_t **sockevent);
+/*%<
+ * Stops the flow of responses for the provided id and destination.
+ * If "sockevent" is non-NULL, the dispatch event and associated buffer is
+ * also returned to the system.
+ *
+ * Requires:
+ *\li	"resp" != NULL and "*resp" contain a value previously allocated
+ *	by dns_dispatch_addresponse();
+ *
+ *\li	May only be called from within the task given as the 'task'
+ * 	argument to dns_dispatch_addresponse() when allocating '*resp'.
+ */
+
+isc_socket_t *
+dns_dispatch_getentrysocket(dns_dispentry_t *resp);
+
+isc_socket_t *
+dns_dispatch_getsocket(dns_dispatch_t *disp);
+/*%<
+ * Return the socket associated with this dispatcher.
+ *
+ * Requires:
+ *\li	disp is valid.
+ *
+ * Returns:
+ *\li	The socket the dispatcher is using.
+ */
+
+isc_result_t
+dns_dispatch_getlocaladdress(dns_dispatch_t *disp, isc_sockaddr_t *addrp);
+/*%<
+ * Return the local address for this dispatch.
+ * This currently only works for dispatches using UDP sockets.
+ *
+ * Requires:
+ *\li	disp is valid.
+ *\li	addrp to be non null.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_NOTIMPLEMENTED
+ */
+
+void
+dns_dispatch_cancel(dns_dispatch_t *disp);
+/*%<
+ * cancel outstanding clients
+ *
+ * Requires:
+ *\li	disp is valid.
+ */
+
+unsigned int
+dns_dispatch_getattributes(dns_dispatch_t *disp);
+/*%<
+ * Return the attributes (DNS_DISPATCHATTR_xxx) of this dispatch.  Only the
+ * non-changeable attributes are expected to be referenced by the caller.
+ *
+ * Requires:
+ *\li	disp is valid.
+ */
+
+void
+dns_dispatch_changeattributes(dns_dispatch_t *disp, unsigned int attributes,
+			      unsigned int mask);
+/*%<
+ * Set the bits described by "mask" to the corresponding values in
+ * "attributes".
+ *
+ * That is:
+ *
+ * \code
+ *	new = (old & ~mask) | (attributes & mask)
+ * \endcode
+ *
+ * This function has a side effect when #DNS_DISPATCHATTR_NOLISTEN changes.
+ * When the flag becomes off, the dispatch will start receiving on the
+ * corresponding socket.  When the flag becomes on, receive events on the
+ * corresponding socket will be canceled.
+ *
+ * Requires:
+ *\li	disp is valid.
+ *
+ *\li	attributes are reasonable for the dispatch.  That is, setting the UDP
+ *	attribute on a TCP socket isn't reasonable.
+ */
+
+void
+dns_dispatch_importrecv(dns_dispatch_t *disp, isc_event_t *event);
+/*%<
+ * Inform the dispatcher of a socket receive.  This is used for sockets
+ * shared between dispatchers and clients.  If the dispatcher fails to copy
+ * or send the event, nothing happens.
+ *
+ * If the attribute DNS_DISPATCHATTR_NOLISTEN is not set, then
+ * the dispatch is already handling a recv; return immediately.
+ *
+ * Requires:
+ *\li 	disp is valid, and the attribute DNS_DISPATCHATTR_NOLISTEN is set.
+ * 	event != NULL
+ */
+
+dns_dispatch_t *
+dns_dispatchset_get(dns_dispatchset_t *dset);
+/*%<
+ * Retrieve the next dispatch from dispatch set 'dset', and increment
+ * the round-robin counter.
+ *
+ * Requires:
+ *\li 	dset != NULL
+ */
+
+isc_result_t
+dns_dispatchset_create(isc_mem_t *mctx, isc_socketmgr_t *sockmgr,
+		       isc_taskmgr_t *taskmgr, dns_dispatch_t *source,
+		       dns_dispatchset_t **dsetp, int n);
+/*%<
+ * Given a valid dispatch 'source', create a dispatch set containing
+ * 'n' UDP dispatches, with the remainder filled out by clones of the
+ * source.
+ *
+ * Requires:
+ *\li 	source is a valid UDP dispatcher
+ *\li 	dsetp != NULL, *dsetp == NULL
+ */
+
+void
+dns_dispatchset_cancelall(dns_dispatchset_t *dset, isc_task_t *task);
+/*%<
+ * Cancel socket operations for the dispatches in 'dset'.
+ */
+
+void
+dns_dispatchset_destroy(dns_dispatchset_t **dsetp);
+/*%<
+ * Dereference all the dispatches in '*dsetp', free the dispatchset
+ * memory, and set *dsetp to NULL.
+ *
+ * Requires:
+ *\li 	dset is valid
+ */
+
+void
+dns_dispatch_setdscp(dns_dispatch_t *disp, isc_dscp_t dscp);
+isc_dscp_t
+dns_dispatch_getdscp(dns_dispatch_t *disp);
+/*%<
+ * Set/get the DSCP value to be used when sending responses to clients,
+ * as defined in the "listen-on" or "listen-on-v6" statements.
+ *
+ * Requires:
+ *\li	disp is valid.
+ */
+
+isc_result_t
+dns_dispatch_getnext(dns_dispentry_t *resp, dns_dispatchevent_t **sockevent);
+/*%<
+ * Free the sockevent and trigger the sending of the next item off the
+ * dispatch queue if present.
+ *
+ * Requires:
+ *\li	resp is valid
+ *\li	*sockevent to be valid
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_DISPATCH_H */
diff --git a/lib/dns/include/dns/dlz.h b/lib/dns/include/dns/dlz.h
new file mode 100644
index 0000000..962db29
--- /dev/null
+++ b/lib/dns/include/dns/dlz.h
@@ -0,0 +1,336 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the
+ * above copyright notice and this permission notice appear in all
+ * copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND STICHTING NLNET
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ * STICHTING NLNET BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+ * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+ * OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
+ * USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ * The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
+ * conceived and contributed by Rob Butler.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the
+ * above copyright notice and this permission notice appear in all
+ * copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ROB BUTLER
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ * ROB BUTLER BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+ * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+ * OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
+ * USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*! \file dns/dlz.h */
+
+#ifndef DLZ_H
+#define DLZ_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*
+ * DLZ Interface
+ *
+ * The DLZ interface allows zones to be looked up using a driver instead of
+ * Bind's default in memory zone table.
+ *
+ *
+ * Reliability:
+ *	No anticipated impact.
+ *
+ * Resources:
+ *
+ * Security:
+ *	No anticipated impact.
+ *
+ * Standards:
+ *	None.
+ */
+
+/*****
+***** Imports
+*****/
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+
+#include <dns/clientinfo.h>
+#include <dns/name.h>
+#include <dns/types.h>
+#include <dns/view.h>
+
+#include <dst/dst.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Types
+ ***/
+
+#define DNS_DLZ_MAGIC	   ISC_MAGIC('D', 'L', 'Z', 'D')
+#define DNS_DLZ_VALID(dlz) ISC_MAGIC_VALID(dlz, DNS_DLZ_MAGIC)
+
+typedef isc_result_t (*dns_dlzallowzonexfr_t)(void *driverarg, void *dbdata,
+					      isc_mem_t		   *mctx,
+					      dns_rdataclass_t	    rdclass,
+					      const dns_name_t	   *name,
+					      const isc_sockaddr_t *clientaddr,
+					      dns_db_t		  **dbp);
+
+/*%<
+ * Method prototype.  Drivers implementing the DLZ interface MUST
+ * supply an allow zone transfer method.  This method is called when
+ * the DNS server is performing a zone transfer query.  The driver's
+ * method should return ISC_R_SUCCESS and a database pointer to the
+ * name server if the zone is supported by the database, and zone
+ * transfer is allowed.  If the view's transfer acl should be used,
+ * then the driver's method should return ISC_R_DEFAULT.  Otherwise,
+ * it should return ISC_R_NOTFOUND if the zone is not supported by
+ * the database, or ISC_R_NOPERM if zone transfers are not allowed.
+ * If an error occurs, the result code should indicate the type of error.
+ */
+
+typedef isc_result_t (*dns_dlzcreate_t)(isc_mem_t *mctx, const char *dlzname,
+					unsigned int argc, char *argv[],
+					void *driverarg, void **dbdata);
+
+/*%<
+ * Method prototype.  Drivers implementing the DLZ interface MUST
+ * supply a create method.  This method is called when the DNS server
+ * is starting up and creating drivers for use later.
+ */
+
+typedef void (*dns_dlzdestroy_t)(void *driverarg, void **dbdata);
+
+/*%<
+ * Method prototype.  Drivers implementing the DLZ interface MUST
+ * supply a destroy method.  This method is called when the DNS server
+ * is shutting down and no longer needs the driver.
+ */
+
+typedef isc_result_t (*dns_dlzfindzone_t)(void *driverarg, void *dbdata,
+					  isc_mem_t		  *mctx,
+					  dns_rdataclass_t	   rdclass,
+					  const dns_name_t	  *name,
+					  dns_clientinfomethods_t *methods,
+					  dns_clientinfo_t	  *clientinfo,
+					  dns_db_t		 **dbp);
+
+/*%<
+ * Method prototype.  Drivers implementing the DLZ interface MUST
+ * supply a find zone method.  This method is called when the DNS
+ * server is performing a query.  The find zone method will be called
+ * with the longest possible name first, and continue to be called
+ * with successively shorter domain names, until any of the following
+ * occur:
+ *
+ * \li	1) a match is found, and the function returns (ISC_R_SUCCESS)
+ *
+ * \li	2) a problem occurs, and the functions returns anything other
+ *	   than (ISC_R_NOTFOUND)
+ * \li	3) we run out of domain name labels. I.E. we have tried the
+ *	   shortest domain name
+ * \li	4) the number of labels in the domain name is less than
+ *	   min_labels for dns_dlzfindzone
+ *
+ * The driver's find zone method should return ISC_R_SUCCESS and a
+ * database pointer to the name server if the zone is supported by the
+ * database.  Otherwise it will return ISC_R_NOTFOUND, and a null
+ * pointer if the zone is not supported.  If an error occurs it should
+ * return a result code indicating the type of error.
+ */
+
+typedef isc_result_t (*dns_dlzconfigure_t)(void *driverarg, void *dbdata,
+					   dns_view_t  *view,
+					   dns_dlzdb_t *dlzdb);
+/*%<
+ * Method prototype.  Drivers implementing the DLZ interface may
+ * optionally supply a configure method. If supplied, this will be
+ * called immediately after the create method is called. The driver
+ * may call configuration functions during the configure call
+ */
+
+typedef bool (*dns_dlzssumatch_t)(const dns_name_t    *signer,
+				  const dns_name_t    *name,
+				  const isc_netaddr_t *tcpaddr,
+				  dns_rdatatype_t type, const dst_key_t *key,
+				  void *driverarg, void *dbdata);
+/*%<
+ * Method prototype.  Drivers implementing the DLZ interface may
+ * optionally supply a ssumatch method. If supplied, this will be
+ * called to authorize update requests
+ */
+
+/*% the methods supplied by a DLZ driver */
+typedef struct dns_dlzmethods {
+	dns_dlzcreate_t	      create;
+	dns_dlzdestroy_t      destroy;
+	dns_dlzfindzone_t     findzone;
+	dns_dlzallowzonexfr_t allowzonexfr;
+	dns_dlzconfigure_t    configure;
+	dns_dlzssumatch_t     ssumatch;
+} dns_dlzmethods_t;
+
+/*% information about a DLZ driver */
+struct dns_dlzimplementation {
+	const char	       *name;
+	const dns_dlzmethods_t *methods;
+	isc_mem_t	       *mctx;
+	void		       *driverarg;
+	ISC_LINK(dns_dlzimplementation_t) link;
+};
+
+typedef isc_result_t (*dlzconfigure_callback_t)(dns_view_t *, dns_dlzdb_t *,
+						dns_zone_t *);
+
+/*% An instance of a DLZ driver */
+struct dns_dlzdb {
+	unsigned int		 magic;
+	isc_mem_t		*mctx;
+	dns_dlzimplementation_t *implementation;
+	void			*dbdata;
+	dlzconfigure_callback_t	 configure_callback;
+	bool			 search;
+	char			*dlzname;
+	ISC_LINK(dns_dlzdb_t) link;
+	dns_ssutable_t *ssutable;
+};
+
+/***
+ *** Method declarations
+ ***/
+
+isc_result_t
+dns_dlzallowzonexfr(dns_view_t *view, const dns_name_t *name,
+		    const isc_sockaddr_t *clientaddr, dns_db_t **dbp);
+
+/*%<
+ * This method is called when the DNS server is performing a zone
+ * transfer query.  It will call the DLZ driver's allow zone transfer
+ * method.
+ */
+
+isc_result_t
+dns_dlzcreate(isc_mem_t *mctx, const char *dlzname, const char *drivername,
+	      unsigned int argc, char *argv[], dns_dlzdb_t **dbp);
+
+/*%<
+ * This method is called when the DNS server is starting up and
+ * creating drivers for use later.  It will search the DLZ driver list
+ * for 'drivername' and return a DLZ driver via dbp if a match is
+ * found.  If the DLZ driver supplies a create method, this function
+ * will call it.
+ */
+
+void
+dns_dlzdestroy(dns_dlzdb_t **dbp);
+
+/*%<
+ * This method is called when the DNS server is shutting down and no
+ * longer needs the driver.  If the DLZ driver supplies a destroy
+ * methods, this function will call it.
+ */
+
+isc_result_t
+dns_dlzregister(const char *drivername, const dns_dlzmethods_t *methods,
+		void *driverarg, isc_mem_t *mctx,
+		dns_dlzimplementation_t **dlzimp);
+
+/*%<
+ * Register a dynamically loadable zones (DLZ) driver for the database
+ * type 'drivername', implemented by the functions in '*methods'.
+ *
+ * dlzimp must point to a NULL dlz_implementation_t pointer.  That is,
+ * dlzimp != NULL && *dlzimp == NULL.  It will be assigned a value that
+ * will later be used to identify the driver when deregistering it.
+ */
+
+isc_result_t
+dns_dlzstrtoargv(isc_mem_t *mctx, char *s, unsigned int *argcp, char ***argvp);
+
+/*%<
+ * This method is called when the name server is starting up to parse
+ * the DLZ driver command line from named.conf.  Basically it splits
+ * up a string into and argc / argv.  The primary difference of this
+ * method is items between braces { } are considered only 1 word.  for
+ * example the command line "this is { one grouped phrase } and this
+ * isn't" would be parsed into:
+ *
+ * \li	argv[0]: "this"
+ * \li	argv[1]: "is"
+ * \li	argv{2]: " one grouped phrase "
+ * \li	argv[3]: "and"
+ * \li	argv[4]: "this"
+ * \li	argv{5}: "isn't"
+ *
+ * braces should NOT be nested, more than one grouping in the command
+ * line is allowed.  Notice, argv[2] has an extra space at the
+ * beginning and end.  Extra spaces are not stripped between a
+ * grouping.  You can do so in your driver if needed, or be sure not
+ * to put extra spaces before / after the braces.
+ */
+
+void
+dns_dlzunregister(dns_dlzimplementation_t **dlzimp);
+
+/*%<
+ * Removes the dlz driver from the list of registered dlz drivers.
+ * There must be no active dlz drivers of this type when this function
+ * is called.
+ */
+
+typedef isc_result_t
+dns_dlz_writeablezone_t(dns_view_t *view, dns_dlzdb_t *dlzdb,
+			const char *zone_name);
+dns_dlz_writeablezone_t dns_dlz_writeablezone;
+/*%<
+ * creates a writeable DLZ zone. Must be called from within the
+ * configure() method of a DLZ driver.
+ */
+
+isc_result_t
+dns_dlzconfigure(dns_view_t *view, dns_dlzdb_t *dlzdb,
+		 dlzconfigure_callback_t callback);
+/*%<
+ * call a DLZ drivers configure method, if supplied
+ */
+
+bool
+dns_dlz_ssumatch(dns_dlzdb_t *dlzdatabase, const dns_name_t *signer,
+		 const dns_name_t *name, const isc_netaddr_t *tcpaddr,
+		 dns_rdatatype_t type, const dst_key_t *key);
+/*%<
+ * call a DLZ drivers ssumatch method, if supplied. Otherwise return false
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DLZ_H */
diff --git a/lib/dns/include/dns/dlz_dlopen.h b/lib/dns/include/dns/dlz_dlopen.h
new file mode 100644
index 0000000..058a23e
--- /dev/null
+++ b/lib/dns/include/dns/dlz_dlopen.h
@@ -0,0 +1,159 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file dns/dlz_dlopen.h */
+
+#ifndef DLZ_DLOPEN_H
+#define DLZ_DLOPEN_H
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <dns/sdlz.h>
+
+ISC_LANG_BEGINDECLS
+
+/*
+ * This header provides a minimal set of defines and typedefs needed
+ * for the entry points of an external DLZ module for bind9.
+ */
+
+#define DLZ_DLOPEN_VERSION 3
+#define DLZ_DLOPEN_AGE	   0
+
+/*
+ * dlz_dlopen_version() is required for all DLZ external drivers. It
+ * should return DLZ_DLOPEN_VERSION
+ */
+typedef int
+dlz_dlopen_version_t(unsigned int *flags);
+
+/*
+ * dlz_dlopen_create() is required for all DLZ external drivers.
+ */
+typedef isc_result_t
+dlz_dlopen_create_t(const char *dlzname, unsigned int argc, char *argv[],
+		    void **dbdata, ...);
+
+/*
+ * dlz_dlopen_destroy() is optional, and will be called when the
+ * driver is unloaded if supplied
+ */
+typedef void
+dlz_dlopen_destroy_t(void *dbdata);
+
+/*
+ * dlz_dlopen_findzonedb() is required for all DLZ external drivers
+ */
+typedef isc_result_t
+dlz_dlopen_findzonedb_t(void *dbdata, const char *name,
+			dns_clientinfomethods_t *methods,
+			dns_clientinfo_t	*clientinfo);
+
+/*
+ * dlz_dlopen_lookup() is required for all DLZ external drivers
+ */
+typedef isc_result_t
+dlz_dlopen_lookup_t(const char *zone, const char *name, void *dbdata,
+		    dns_sdlzlookup_t *lookup, dns_clientinfomethods_t *methods,
+		    dns_clientinfo_t *clientinfo);
+
+/*
+ * dlz_dlopen_authority is optional() if dlz_dlopen_lookup()
+ * supplies authority information for the dns record
+ */
+typedef isc_result_t
+dlz_dlopen_authority_t(const char *zone, void *dbdata,
+		       dns_sdlzlookup_t *lookup);
+
+/*
+ * dlz_dlopen_allowzonexfr() is optional, and should be supplied if
+ * you want to support zone transfers
+ */
+typedef isc_result_t
+dlz_dlopen_allowzonexfr_t(void *dbdata, const char *name, const char *client);
+
+/*
+ * dlz_dlopen_allnodes() is optional, but must be supplied if supply a
+ * dlz_dlopen_allowzonexfr() function
+ */
+typedef isc_result_t
+dlz_dlopen_allnodes_t(const char *zone, void *dbdata,
+		      dns_sdlzallnodes_t *allnodes);
+
+/*
+ * dlz_dlopen_newversion() is optional. It should be supplied if you
+ * want to support dynamic updates.
+ */
+typedef isc_result_t
+dlz_dlopen_newversion_t(const char *zone, void *dbdata, void **versionp);
+
+/*
+ * dlz_closeversion() is optional, but must be supplied if you supply
+ * a dlz_newversion() function
+ */
+typedef void
+dlz_dlopen_closeversion_t(const char *zone, bool commit, void *dbdata,
+			  void **versionp);
+
+/*
+ * dlz_dlopen_configure() is optional, but must be supplied if you
+ * want to support dynamic updates
+ */
+typedef isc_result_t
+dlz_dlopen_configure_t(dns_view_t *view, dns_dlzdb_t *dlzdb, void *dbdata);
+
+/*
+ * dlz_dlopen_setclientcallback() is optional, but must be supplied if you
+ * want to retrieve information about the client (e.g., source address)
+ * before sending a replay.
+ */
+typedef isc_result_t
+dlz_dlopen_setclientcallback_t(dns_view_t *view, void *dbdata);
+
+/*
+ * dlz_dlopen_ssumatch() is optional, but must be supplied if you want
+ * to support dynamic updates
+ */
+typedef bool
+dlz_dlopen_ssumatch_t(const char *signer, const char *name, const char *tcpaddr,
+		      const char *type, const char *key, uint32_t keydatalen,
+		      unsigned char *keydata, void *dbdata);
+
+/*
+ * dlz_dlopen_addrdataset() is optional, but must be supplied if you
+ * want to support dynamic updates
+ */
+typedef isc_result_t
+dlz_dlopen_addrdataset_t(const char *name, const char *rdatastr, void *dbdata,
+			 void *version);
+
+/*
+ * dlz_dlopen_subrdataset() is optional, but must be supplied if you
+ * want to support dynamic updates
+ */
+typedef isc_result_t
+dlz_dlopen_subrdataset_t(const char *name, const char *rdatastr, void *dbdata,
+			 void *version);
+
+/*
+ * dlz_dlopen_delrdataset() is optional, but must be supplied if you
+ * want to support dynamic updates
+ */
+typedef isc_result_t
+dlz_dlopen_delrdataset_t(const char *name, const char *type, void *dbdata,
+			 void *version);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ifndef DLZ_DLOPEN_H */
diff --git a/lib/dns/include/dns/dns64.h b/lib/dns/include/dns/dns64.h
new file mode 100644
index 0000000..07bc06f
--- /dev/null
+++ b/lib/dns/include/dns/dns64.h
@@ -0,0 +1,174 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_DNS64_H
+#define DNS_DNS64_H 1
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*
+ * dns_dns64_create() flags.
+ */
+#define DNS_DNS64_RECURSIVE_ONLY          \
+	0x01 /* If set then this record   \
+	      * only applies to recursive \
+	      * queries.                  \
+	      */
+#define DNS_DNS64_BREAK_DNSSEC            \
+	0x02 /* If set then still perform \
+	      * DNSSEC synthesis even     \
+	      * though the result would   \
+	      * fail validation.          \
+	      */
+
+/*
+ * dns_dns64_aaaaok() and dns_dns64_aaaafroma() flags.
+ */
+#define DNS_DNS64_RECURSIVE 0x01 /* Recursive query. */
+#define DNS_DNS64_DNSSEC    0x02 /* DNSSEC sensitive query. */
+
+isc_result_t
+dns_dns64_create(isc_mem_t *mctx, const isc_netaddr_t *prefix,
+		 unsigned int prefixlen, const isc_netaddr_t *suffix,
+		 dns_acl_t *client, dns_acl_t *mapped, dns_acl_t *excluded,
+		 unsigned int flags, dns_dns64_t **dns64);
+/*
+ * Create a dns64 record which is used to identify the set of clients
+ * it applies to and how to perform the DNS64 synthesis.
+ *
+ * 'prefix' and 'prefixlen' defined the leading bits of the AAAA records
+ * to be synthesised.  'suffix' defines the bits after the A records bits.
+ * If suffix is NULL zeros will be used for these bits.  'client' defines
+ * for which clients this record applies.  If 'client' is NULL then all
+ * clients apply.  'mapped' defines which A records are candidated for
+ * mapping.  If 'mapped' is NULL then all A records will be mapped.
+ * 'excluded' defines which AAAA are to be treated as non-existent for the
+ * purposed of determining whether to perform synthesis.  If 'excluded' is
+ * NULL then no AAAA records prevent synthesis.
+ *
+ * If DNS_DNS64_RECURSIVE_ONLY is set then the record will only match if
+ * DNS_DNS64_RECURSIVE is set when calling  dns_dns64_aaaaok() and
+ * dns_dns64_aaaafroma().
+ *
+ * If DNS_DNS64_BREAK_DNSSEC is set then the record will still apply if
+ * DNS_DNS64_DNSSEC is set when calling  dns_dns64_aaaaok() and
+ * dns_dns64_aaaafroma() otherwise the record will be ignored.
+ *
+ * Requires:
+ *      'mctx'          to be valid.
+ *      'prefix'        to be valid and the address family to AF_INET6.
+ *      'prefixlen'     to be one of 32, 40, 48, 56, 72 and 96.
+ *                      the bits not covered by prefixlen in prefix to
+ *                      be zero.
+ *      'suffix'        to be NULL or the address family be set to AF_INET6
+ *                      and the leading 'prefixlen' + 32 bits of the 'suffix'
+ *                      to be zero.  If 'prefixlen' is 40, 48 or 56 then the
+ *                      the leading 'prefixlen' + 40 bits of 'suffix' must be
+ *                      zero.
+ *	'client'	to be NULL or a valid acl.
+ *	'mapped'	to be NULL or a valid acl.
+ *	'excluded'	to be NULL or a valid acl.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMEMORY
+ */
+
+void
+dns_dns64_destroy(dns_dns64_t **dns64p);
+/*
+ * Destroys a dns64 record.
+ *
+ * Requires the record to not be linked.
+ */
+
+isc_result_t
+dns_dns64_aaaafroma(const dns_dns64_t *dns64, const isc_netaddr_t *reqaddr,
+		    const dns_name_t *reqsigner, const dns_aclenv_t *env,
+		    unsigned int flags, unsigned char *a, unsigned char *aaaa);
+/*
+ * dns_dns64_aaaafroma() determines whether to perform a DNS64 address
+ * synthesis from 'a' based on 'dns64', 'reqaddr', 'reqsigner', 'env',
+ * 'flags' and 'aaaa'.  If synthesis is performed then the result is
+ * written to '*aaaa'.
+ *
+ * The synthesised address will be of the form:
+ *
+ *	 <prefix bits><a bits><suffix bits>
+ *
+ * If <a bits> straddle bits 64-71 of the AAAA record, then 8 zero bits will
+ * be inserted at bits 64-71.
+ *
+ * Requires:
+ *	'dns64'		to be valid.
+ *	'reqaddr'	to be valid.
+ *	'reqsigner'	to be NULL or valid.
+ *	'env'		to be valid.
+ *	'a'		to point to a IPv4 address in network order.
+ *	'aaaa'		to point to a IPv6 address buffer in network order.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS		if synthesis was performed.
+ *	DNS_R_DISALLOWED	if there is no match.
+ */
+
+dns_dns64_t *
+dns_dns64_next(dns_dns64_t *dns64);
+/*
+ * Return the next dns64 record in the list.
+ */
+
+void
+dns_dns64_append(dns_dns64list_t *list, dns_dns64_t *dns64);
+/*
+ * Append the dns64 record to the list.
+ */
+
+void
+dns_dns64_unlink(dns_dns64list_t *list, dns_dns64_t *dns64);
+/*
+ * Unlink the dns64 record from the list.
+ */
+
+bool
+dns_dns64_aaaaok(const dns_dns64_t *dns64, const isc_netaddr_t *reqaddr,
+		 const dns_name_t *reqsigner, const dns_aclenv_t *env,
+		 unsigned int flags, dns_rdataset_t *rdataset, bool *aaaaok,
+		 size_t aaaaoklen);
+/*
+ * Determine if there are any non-excluded AAAA records in from the
+ * matching dns64 records in the list starting at 'dns64'.  If there
+ * is a non-excluded address return true.  If all addresses are
+ * excluded in the matched records return false.   If no records
+ * match then return true.
+ *
+ * If aaaaok is defined then dns_dns64_aaaaok() return a array of which
+ * addresses in 'rdataset' were deemed to not be exclude by any matching
+ * record.  If there are no matching records then all entries are set
+ * to true.
+ *
+ * Requires
+ * 	'rdataset'	to be valid and to be for type AAAA and class IN.
+ *	'aaaaoklen'	must match the number of records in 'rdataset'
+ *			if 'aaaaok' in non NULL.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_DNS64_H */
diff --git a/lib/dns/include/dns/dnsrps.h b/lib/dns/include/dns/dnsrps.h
new file mode 100644
index 0000000..aa903b8
--- /dev/null
+++ b/lib/dns/include/dns/dnsrps.h
@@ -0,0 +1,115 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_DNSRPS_H
+#define DNS_DNSRPS_H
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+#ifdef USE_DNSRPS
+
+#include <dns/librpz.h>
+#include <dns/rpz.h>
+
+/*
+ * Error message if dlopen(librpz) failed.
+ */
+extern librpz_emsg_t librpz_lib_open_emsg;
+
+/*
+ * These shim BIND9 database, node, and rdataset are handles on RRs from librpz.
+ *
+ * All of these structures are used by a single thread and so need no locks.
+ *
+ * rpsdb_t holds the state for a set of RPZ queries.
+ *
+ * rpsnode_t is a link to the rpsdb_t for the set of  RPZ queries
+ * and a flag saying whether it is pretending to be a node with RRs for
+ * the qname or the node with the SOA for the zone containing the rewritten
+ * RRs or justifying NXDOMAIN.
+ */
+typedef struct {
+	uint8_t unused;
+} rpsnode_t;
+typedef struct rpsdb {
+	dns_db_t	    common;
+	int		    ref_cnt;
+	librpz_result_id_t  hit_id;
+	librpz_result_t	    result;
+	librpz_rsp_t	   *rsp;
+	librpz_domain_buf_t origin_buf;
+	const dns_name_t   *qname;
+	rpsnode_t	    origin_node;
+	rpsnode_t	    data_node;
+} rpsdb_t;
+
+/*
+ * Convert a dnsrps policy to a classic BIND9 RPZ policy.
+ */
+dns_rpz_policy_t
+dns_dnsrps_2policy(librpz_policy_t rps_policy);
+
+/*
+ * Convert a dnsrps trigger to a classic BIND9 RPZ rewrite or trigger type.
+ */
+dns_rpz_type_t
+dns_dnsrps_trig2type(librpz_trig_t trig);
+
+/*
+ * Convert a classic BIND9 RPZ rewrite or trigger type to a librpz trigger type.
+ */
+librpz_trig_t
+dns_dnsrps_type2trig(dns_rpz_type_t type);
+
+/*
+ * Start dnsrps for the entire server.
+ */
+isc_result_t
+dns_dnsrps_server_create(void);
+
+/*
+ * Stop dnsrps for the entire server.
+ */
+void
+dns_dnsrps_server_destroy(void);
+
+/*
+ * Ready dnsrps for a view.
+ */
+isc_result_t
+dns_dnsrps_view_init(dns_rpz_zones_t *new, char *rps_cstr);
+
+/*
+ * Connect to and start the dnsrps daemon, dnsrpzd.
+ */
+isc_result_t
+dns_dnsrps_connect(dns_rpz_zones_t *rpzs);
+
+/*
+ * Get ready to try dnsrps rewriting.
+ */
+isc_result_t
+dns_dnsrps_rewrite_init(librpz_emsg_t *emsg, dns_rpz_st_t *st,
+			dns_rpz_zones_t *rpzs, const dns_name_t *qname,
+			isc_mem_t *mctx, bool have_rd);
+
+#endif /* USE_DNSRPS */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_DNSRPS_H */
diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h
new file mode 100644
index 0000000..9791ef1
--- /dev/null
+++ b/lib/dns/include/dns/dnssec.h
@@ -0,0 +1,401 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_DNSSEC_H
+#define DNS_DNSSEC_H 1
+
+/*! \file dns/dnssec.h */
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/stats.h>
+#include <isc/stdtime.h>
+
+#include <dns/diff.h>
+#include <dns/types.h>
+
+#include <dst/dst.h>
+
+ISC_LANG_BEGINDECLS
+
+LIBDNS_EXTERNAL_DATA extern isc_stats_t *dns_dnssec_stats;
+
+/*%< Maximum number of keys supported in a zone. */
+#define DNS_MAXZONEKEYS 32
+
+/*
+ * Indicates how the signer found this key: in the key repository, at the
+ * zone apex, or specified by the user.
+ */
+typedef enum {
+	dns_keysource_unknown,
+	dns_keysource_repository,
+	dns_keysource_zoneapex,
+	dns_keysource_user
+} dns_keysource_t;
+
+/*
+ * A DNSSEC key and hints about its intended use gleaned from metadata
+ */
+struct dns_dnsseckey {
+	dst_key_t *key;
+	bool	   hint_publish;     /*% metadata says to publish */
+	bool	   force_publish;    /*% publish regardless of metadata
+				      * */
+	bool hint_sign;		     /*% metadata says to sign with this
+				      * key */
+	bool force_sign;	     /*% sign with key regardless of
+				      * metadata */
+	bool		hint_revoke; /*% metadata says revoke key */
+	bool		hint_remove; /*% metadata says *don't* publish */
+	bool		is_active;   /*% key is already active */
+	bool		first_sign;  /*% key is newly becoming active */
+	bool		purge;	     /*% remove key files */
+	unsigned int	prepublish;  /*% how long until active? */
+	dns_keysource_t source;	     /*% how the key was found */
+	bool		ksk;	     /*% this is a key-signing key */
+	bool		zsk;	     /*% this is a zone-signing key */
+	bool		legacy;	     /*% this is old-style key with no
+				      *  metadata (possibly generated by
+				      *  an older version of BIND9) and
+				      *  should be ignored when searching
+				      *  for keys to import into the zone */
+	unsigned int index;	     /*% position in list */
+	ISC_LINK(dns_dnsseckey_t) link;
+};
+
+isc_result_t
+dns_dnssec_keyfromrdata(const dns_name_t *name, const dns_rdata_t *rdata,
+			isc_mem_t *mctx, dst_key_t **key);
+/*%<
+ *	Creates a DST key from a DNS record.  Basically a wrapper around
+ *	dst_key_fromdns().
+ *
+ *	Requires:
+ *\li		'name' is not NULL
+ *\li		'rdata' is not NULL
+ *\li		'mctx' is not NULL
+ *\li		'key' is not NULL
+ *\li		'*key' is NULL
+ *
+ *	Returns:
+ *\li		#ISC_R_SUCCESS
+ *\li		#ISC_R_NOMEMORY
+ *\li		DST_R_INVALIDPUBLICKEY
+ *\li		various errors from dns_name_totext
+ */
+
+isc_result_t
+dns_dnssec_sign(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
+		isc_stdtime_t *inception, isc_stdtime_t *expire,
+		isc_mem_t *mctx, isc_buffer_t *buffer, dns_rdata_t *sigrdata);
+/*%<
+ *	Generates a RRSIG record covering this rdataset.  This has no effect
+ *	on existing RRSIG records.
+ *
+ *	Requires:
+ *\li		'name' (the owner name of the record) is a valid name
+ *\li		'set' is a valid rdataset
+ *\li		'key' is a valid key
+ *\li		'inception' is not NULL
+ *\li		'expire' is not NULL
+ *\li		'mctx' is not NULL
+ *\li		'buffer' is not NULL
+ *\li		'sigrdata' is not NULL
+ *
+ *	Returns:
+ *\li		#ISC_R_SUCCESS
+ *\li		#ISC_R_NOMEMORY
+ *\li		#ISC_R_NOSPACE
+ *\li		#DNS_R_INVALIDTIME - the expiration is before the inception
+ *\li		#DNS_R_KEYUNAUTHORIZED - the key cannot sign this data (either
+ *			it is not a zone key or its flags prevent
+ *			authentication)
+ *\li		DST_R_*
+ */
+
+isc_result_t
+dns_dnssec_verify(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
+		  bool ignoretime, unsigned int maxbits, isc_mem_t *mctx,
+		  dns_rdata_t *sigrdata, dns_name_t *wild);
+/*%<
+ *	Verifies the RRSIG record covering this rdataset signed by a specific
+ *	key.  This does not determine if the key's owner is authorized to sign
+ *	this record, as this requires a resolver or database.
+ *	If 'ignoretime' is true, temporal validity will not be checked.
+ *
+ *	'maxbits' specifies the maximum number of rsa exponent bits accepted.
+ *
+ *	Requires:
+ *\li		'name' (the owner name of the record) is a valid name
+ *\li		'set' is a valid rdataset
+ *\li		'key' is a valid key
+ *\li		'mctx' is not NULL
+ *\li		'sigrdata' is a valid rdata containing a SIG record
+ *\li		'wild' if non-NULL then is a valid and has a buffer.
+ *
+ *	Returns:
+ *\li		#ISC_R_SUCCESS
+ *\li		#ISC_R_NOMEMORY
+ *\li		#DNS_R_FROMWILDCARD - the signature is valid and is from
+ *			a wildcard expansion.  dns_dnssec_verify2() only.
+ *			'wild' contains the name of the wildcard if non-NULL.
+ *\li		#DNS_R_SIGINVALID - the signature fails to verify
+ *\li		#DNS_R_SIGEXPIRED - the signature has expired
+ *\li		#DNS_R_SIGFUTURE - the signature's validity period has not begun
+ *\li		#DNS_R_KEYUNAUTHORIZED - the key cannot sign this data (either
+ *			it is not a zone key or its flags prevent
+ *			authentication)
+ *\li		DST_R_*
+ */
+
+/*@{*/
+isc_result_t
+dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node,
+			const dns_name_t *name, const char *directory,
+			isc_stdtime_t now, isc_mem_t *mctx,
+			unsigned int maxkeys, dst_key_t **keys,
+			unsigned int *nkeys);
+
+/*%<
+ * 	Finds a set of zone keys.
+ * 	XXX temporary - this should be handled in dns_zone_t.
+ */
+/*@}*/
+
+bool
+dns_dnssec_keyactive(dst_key_t *key, isc_stdtime_t now);
+/*%<
+ *
+ * 	Returns true if 'key' is active as of the time specified
+ * 	in 'now' (i.e., if the activation date has passed, inactivation or
+ * 	deletion date has not yet been reached, and the key is not revoked
+ * 	-- or if it is a legacy key without metadata). Otherwise returns
+ * 	false.
+ *
+ *	Requires:
+ *\li		'key' is a valid key
+ */
+
+isc_result_t
+dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key);
+/*%<
+ *	Signs a message with a SIG(0) record.  This is implicitly called by
+ *	dns_message_renderend() if msg->sig0key is not NULL.
+ *
+ *	Requires:
+ *\li		'msg' is a valid message
+ *\li		'key' is a valid key that can be used for signing
+ *
+ *	Returns:
+ *\li		#ISC_R_SUCCESS
+ *\li		#ISC_R_NOMEMORY
+ *\li		DST_R_*
+ */
+
+isc_result_t
+dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
+			 dst_key_t *key);
+/*%<
+ *	Verifies a message signed by a SIG(0) record.  This is not
+ *	called implicitly by dns_message_parse().  If dns_message_signer()
+ *	is called before dns_dnssec_verifymessage(), it will return
+ *	#DNS_R_NOTVERIFIEDYET.  dns_dnssec_verifymessage() will set
+ *	the verified_sig0 flag in msg if the verify succeeds, and
+ *	the sig0status field otherwise.
+ *
+ *	Requires:
+ *\li		'source' is a valid buffer containing the unparsed message
+ *\li		'msg' is a valid message
+ *\li		'key' is a valid key
+ *
+ *	Returns:
+ *\li		#ISC_R_SUCCESS
+ *\li		#ISC_R_NOMEMORY
+ *\li		#ISC_R_NOTFOUND - no SIG(0) was found
+ *\li		#DNS_R_SIGINVALID - the SIG record is not well-formed or
+ *				   was not generated by the key.
+ *\li		DST_R_*
+ */
+
+bool
+dns_dnssec_selfsigns(dns_rdata_t *rdata, const dns_name_t *name,
+		     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
+		     bool ignoretime, isc_mem_t *mctx);
+
+bool
+dns_dnssec_signs(dns_rdata_t *rdata, const dns_name_t *name,
+		 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
+		 bool ignoretime, isc_mem_t *mctx);
+/*%<
+ * Verify that 'rdataset' is validly signed in 'sigrdataset' by
+ * the key in 'rdata'.
+ *
+ * dns_dnssec_selfsigns() requires that rdataset be a DNSKEY or KEY
+ * rrset.  dns_dnssec_signs() works on any rrset.
+ */
+
+isc_result_t
+dns_dnsseckey_create(isc_mem_t *mctx, dst_key_t **dstkey,
+		     dns_dnsseckey_t **dkp);
+/*%<
+ * Create and initialize a dns_dnsseckey_t structure.
+ *
+ *	Requires:
+ *\li		'dkp' is not NULL and '*dkp' is NULL.
+ *
+ *	Returns:
+ *\li		#ISC_R_SUCCESS
+ *\li		#ISC_R_NOMEMORY
+ */
+
+void
+dns_dnsseckey_destroy(isc_mem_t *mctx, dns_dnsseckey_t **dkp);
+/*%<
+ * Reclaim a dns_dnsseckey_t structure.
+ *
+ *	Requires:
+ *\li		'dkp' is not NULL and '*dkp' is not NULL.
+ *
+ *	Ensures:
+ *\li		'*dkp' is NULL.
+ */
+
+void
+dns_dnssec_get_hints(dns_dnsseckey_t *key, isc_stdtime_t now);
+/*%<
+ * Get hints on DNSSEC key whether this key can be published
+ * and/or is active.  Timing metadata is compared to 'now'.
+ *
+ *	Requires:
+ *\li		'key' is a pointer to a DNSSEC key and is not NULL.
+ */
+
+isc_result_t
+dns_dnssec_findmatchingkeys(const dns_name_t *origin, const char *directory,
+			    isc_stdtime_t now, isc_mem_t *mctx,
+			    dns_dnsseckeylist_t *keylist);
+/*%<
+ * Search 'directory' for K* key files matching the name in 'origin'.
+ * Append all such keys, along with use hints gleaned from their
+ * metadata, onto 'keylist'.  Skip any unsupported algorithms.
+ *
+ *	Requires:
+ *\li		'keylist' is not NULL
+ *
+ *	Returns:
+ *\li		#ISC_R_SUCCESS
+ *\li		#ISC_R_NOTFOUND
+ *\li		#ISC_R_NOMEMORY
+ *\li		any error returned by dns_name_totext(), isc_dir_open(), or
+ *              dst_key_fromnamedfile()
+ *
+ *	Ensures:
+ *\li		On error, keylist is unchanged
+ */
+
+isc_result_t
+dns_dnssec_keylistfromrdataset(const dns_name_t *origin, const char *directory,
+			       isc_mem_t *mctx, dns_rdataset_t *keyset,
+			       dns_rdataset_t *keysigs, dns_rdataset_t *soasigs,
+			       bool savekeys, bool publickey,
+			       dns_dnsseckeylist_t *keylist);
+/*%<
+ * Append the contents of a DNSKEY rdataset 'keyset' to 'keylist'.
+ * Omit duplicates.  If 'publickey' is false, search 'directory' for
+ * matching key files, and load the private keys that go with
+ * the public ones.  If 'savekeys' is true, mark the keys so
+ * they will not be deleted or inactivated regardless of metadata.
+ *
+ * 'keysigs' and 'soasigs', if not NULL and associated, contain the
+ * RRSIGS for the DNSKEY and SOA records respectively and are used to mark
+ * whether a key is already active in the zone.
+ */
+
+isc_result_t
+dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
+		      dns_dnsseckeylist_t *removed, const dns_name_t *origin,
+		      dns_ttl_t hint_ttl, dns_diff_t *diff, isc_mem_t *mctx,
+		      void (*report)(const char *, ...));
+/*%<
+ * Update the list of keys in 'keys' with new key information in 'newkeys'.
+ *
+ * For each key in 'newkeys', see if it has a match in 'keys'.
+ * - If not, and if the metadata says the key should be published:
+ *   add it to 'keys', and place a dns_difftuple into 'diff' so
+ *   the key can be added to the DNSKEY set.  If the metadata says it
+ *   should be active, set the first_sign flag.
+ * - If so, and if the metadata says it should be removed:
+ *   remove it from 'keys', and place a dns_difftuple into 'diff' so
+ *   the key can be removed from the DNSKEY set.  if 'removed' is non-NULL,
+ *   copy the key into that list; otherwise destroy it.
+ * - Otherwise, make sure keys has current metadata.
+ *
+ * 'hint_ttl' is the TTL to use for the DNSKEY RRset if there is no
+ * existing RRset, and if none of the keys to be added has a default TTL
+ * (in which case we would use the shortest one).  If the TTL is longer
+ * than the time until a new key will be activated, then we have to delay
+ * the key's activation.
+ *
+ * 'report' points to a function for reporting status.
+ *
+ * On completion, any remaining keys in 'newkeys' are freed.
+ */
+
+isc_result_t
+dns_dnssec_syncupdate(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *rmkeys,
+		      dns_rdataset_t *cds, dns_rdataset_t *cdnskey,
+		      isc_stdtime_t now, dns_ttl_t hint_ttl, dns_diff_t *diff,
+		      isc_mem_t *mctx);
+/*%<
+ * Update the CDS and CDNSKEY RRsets, adding and removing keys as needed.
+ *
+ * Returns:
+ *\li   ISC_R_SUCCESS
+ *\li   Other values indicate error
+ */
+
+isc_result_t
+dns_dnssec_syncdelete(dns_rdataset_t *cds, dns_rdataset_t *cdnskey,
+		      dns_name_t *origin, dns_rdataclass_t zclass,
+		      dns_ttl_t ttl, dns_diff_t *diff, isc_mem_t *mctx,
+		      bool expect_cds_delete, bool expect_cdnskey_delete);
+/*%<
+ * Add or remove the CDS DELETE record and the CDNSKEY DELETE record.
+ * If 'expect_cds_delete' is true, the CDS DELETE record should be present.
+ * Otherwise, the CDS DELETE record must be removed from the RRsets (if
+ * present). If 'expect_cdnskey_delete' is true, the CDNSKEY DELETE record
+ * should be present. Otherwise, the CDNSKEY DELETE record must be removed
+ * from the RRsets (if present).
+ *
+ * Returns:
+ *\li   ISC_R_SUCCESS
+ *\li   Other values indicate error
+ */
+
+isc_result_t
+dns_dnssec_matchdskey(dns_name_t *name, dns_rdata_t *dsrdata,
+		      dns_rdataset_t *keyset, dns_rdata_t *keyrdata);
+/*%<
+ * Given a DS rdata and a DNSKEY RRset, find the DNSKEY rdata that matches
+ * the DS, and place it in 'keyrdata'.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_NOTFOUND
+ *\li	Other values indicate error
+ */
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_DNSSEC_H */
diff --git a/lib/dns/include/dns/dnstap.h b/lib/dns/include/dns/dnstap.h
new file mode 100644
index 0000000..e1da53d
--- /dev/null
+++ b/lib/dns/include/dns/dnstap.h
@@ -0,0 +1,396 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef _DNSTAP_H
+#define _DNSTAP_H
+
+/*****
+***** Module Info
+*****/
+
+/*! \file
+ * \brief
+ * The dt (dnstap) module provides fast passive logging of DNS messages.
+ * Protocol Buffers.  The protobuf schema for Dnstap messages is in the
+ * file dnstap.proto, which is compiled to dnstap.pb-c.c and dnstap.pb-c.h.
+ */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+struct fstrm_iothr_options;
+
+#include <isc/log.h>
+#include <isc/refcount.h>
+#include <isc/region.h>
+#include <isc/sockaddr.h>
+#include <isc/time.h>
+#include <isc/types.h>
+
+#include <dns/name.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatatype.h>
+#include <dns/types.h>
+
+/*%
+ * Dnstap message types:
+ *
+ * STUB QUERY: SQ
+ * STUB RESPONSE: SR
+ * CLIENT QUERY: CQ
+ * CLIENT RESPONSE: CR
+ * AUTH QUERY: AQ
+ * AUTH RESPONSE: AR
+ * RESOLVER QUERY: RQ
+ * RESOLVER RESPONSE: RR
+ * FORWARDER QUERY: FQ
+ * FORWARDER RESPONSE: FR
+ */
+
+#define DNS_DTTYPE_SQ 0x0001
+#define DNS_DTTYPE_SR 0x0002
+#define DNS_DTTYPE_CQ 0x0004
+#define DNS_DTTYPE_CR 0x0008
+#define DNS_DTTYPE_AQ 0x0010
+#define DNS_DTTYPE_AR 0x0020
+#define DNS_DTTYPE_RQ 0x0040
+#define DNS_DTTYPE_RR 0x0080
+#define DNS_DTTYPE_FQ 0x0100
+#define DNS_DTTYPE_FR 0x0200
+#define DNS_DTTYPE_TQ 0x0400
+#define DNS_DTTYPE_TR 0x0800
+#define DNS_DTTYPE_UQ 0x1000
+#define DNS_DTTYPE_UR 0x2000
+
+#define DNS_DTTYPE_QUERY                                                 \
+	(DNS_DTTYPE_SQ | DNS_DTTYPE_CQ | DNS_DTTYPE_AQ | DNS_DTTYPE_RQ | \
+	 DNS_DTTYPE_FQ | DNS_DTTYPE_TQ | DNS_DTTYPE_UQ)
+#define DNS_DTTYPE_RESPONSE                                              \
+	(DNS_DTTYPE_SR | DNS_DTTYPE_CR | DNS_DTTYPE_AR | DNS_DTTYPE_RR | \
+	 DNS_DTTYPE_FR | DNS_DTTYPE_TR | DNS_DTTYPE_UR)
+#define DNS_DTTYPE_ALL (DNS_DTTYPE_QUERY | DNS_DTTYPE_RESPONSE)
+
+typedef enum {
+	dns_dtmode_none = 0,
+	dns_dtmode_file,
+	dns_dtmode_unix
+} dns_dtmode_t;
+
+typedef struct dns_dthandle dns_dthandle_t;
+
+#ifdef HAVE_DNSTAP
+struct dns_dtdata {
+	isc_mem_t *mctx;
+
+	void *frame;
+
+	bool		query;
+	bool		tcp;
+	dns_dtmsgtype_t type;
+
+	isc_time_t qtime;
+	isc_time_t rtime;
+
+	isc_region_t qaddr;
+	isc_region_t raddr;
+
+	uint32_t qport;
+	uint32_t rport;
+
+	isc_region_t   msgdata;
+	dns_message_t *msg;
+
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char typebuf[DNS_RDATATYPE_FORMATSIZE];
+	char classbuf[DNS_RDATACLASS_FORMATSIZE];
+};
+#endif /* HAVE_DNSTAP */
+
+isc_result_t
+dns_dt_create(isc_mem_t *mctx, dns_dtmode_t mode, const char *path,
+	      struct fstrm_iothr_options **foptp, isc_task_t *reopen_task,
+	      dns_dtenv_t **envp);
+/*%<
+ * Create and initialize the dnstap environment.
+ *
+ * There should be a single global dnstap environment for the server;
+ * copies of it will be attached to each view.
+ *
+ * Notes:
+ *
+ *\li	'path' refers to a UNIX domain socket by default. It may
+ *	optionally be prepended with "socket:" or "file:". If prepended
+ *	with "file:", then dnstap logs are sent to a file instead of a
+ *	socket.
+ *
+ *\li	'*foptp' set the options for fstrm_iothr_init(). '*foptp' must have
+ *	have had the number of input queues set and this should be set
+ *	to the number of worker threads.  Additionally the queue model
+ *	should also be set.  Other options may be set if desired.
+ *	If dns_dt_create succeeds the *foptp is set to NULL.
+ *
+ *\li	'reopen_task' needs to be set to the task in the context of which
+ *	dns_dt_reopen() will be called.  This is not an optional parameter:
+ *	using dns_dt_create() (which sets 'reopen_task' to NULL) is only
+ *	allowed in unit tests.
+ *
+ * Requires:
+ *
+ *\li	'mctx' is a valid memory context.
+ *
+ *\li	'path' is a valid C string.
+ *
+ *\li	'foptp' is non NULL.
+ *
+ *\li	envp != NULL && *envp == NULL
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *
+ *\li	Other errors are possible.
+ */
+
+isc_result_t
+dns_dt_setupfile(dns_dtenv_t *env, uint64_t max_size, int rolls,
+		 isc_log_rollsuffix_t suffix);
+/*%<
+ * Sets up the dnstap logfile limits.
+ *
+ * 'max_size' is the size a log file may grow before it is rolled
+ *
+ * 'rolls' is the number of rolled files to retain.
+ *
+ * 'suffix' is the logfile suffix setting, increment or timestamp.
+ *
+ * Requires:
+ *
+ *\li	'env' is a valid dnstap environment.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS on success
+ *\li	#ISC_R_INVALIDFILE if dnstap is set to use a UNIX domain socket
+ */
+
+isc_result_t
+dns_dt_reopen(dns_dtenv_t *env, int roll);
+/*%<
+ * Reopens files established by dns_dt_create2().
+ *
+ * If 'roll' is non-negative and 'env->mode' is dns_dtmode_file,
+ * then the file is automatically rolled over before reopening.
+ * The value of 'roll' indicates the number of backup log files to
+ * keep.  If 'roll' is negative, or if 'env->mode' is dns_dtmode_unix,
+ * then the channel is simply reopened.
+ *
+ * Note: dns_dt_reopen() uses task-exclusive mode and must be run in the
+ * context of env->reopen_task.
+ *
+ * Requires:
+ *\li	'env' is a valid dnstap environment.
+ */
+
+isc_result_t
+dns_dt_setidentity(dns_dtenv_t *env, const char *identity);
+isc_result_t
+dns_dt_setversion(dns_dtenv_t *env, const char *version);
+/*%<
+ * Set the "identity" and "version" strings to be sent in dnstap messages.
+ *
+ * Requires:
+ *
+ *\li	'env' is a valid dnstap environment.
+ */
+
+void
+dns_dt_attach(dns_dtenv_t *source, dns_dtenv_t **destp);
+/*%<
+ * Attach '*destp' to 'source', incrementing the reference counter.
+ *
+ * Requires:
+ *
+ *\li	'source' is a valid dnstap environment.
+ *
+ *\li	'destp' is not NULL and '*destp' is NULL.
+ *
+ *\li	*destp is attached to source.
+ */
+
+void
+dns_dt_detach(dns_dtenv_t **envp);
+/*%<
+ * Detach '*envp', decrementing the reference counter.
+ *
+ * Requires:
+ *
+ *\li	'*envp' is a valid dnstap environment.
+ *
+ * Ensures:
+ *
+ *\li	'*envp' will be destroyed when the number of references reaches zero.
+ *
+ *\li	'*envp' is NULL.
+ */
+
+isc_result_t
+dns_dt_getstats(dns_dtenv_t *env, isc_stats_t **statsp);
+/*%<
+ * Attach to the stats struct if it exists.
+ *
+ * Requires:
+ *
+ *\li	'env' is a valid dnstap environment.
+ *
+ *\li	'statsp' is non NULL and '*statsp' is NULL.
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS
+ *
+ *\li	ISC_R_NOTFOUND
+ */
+
+void
+dns_dt_send(dns_view_t *view, dns_dtmsgtype_t msgtype, isc_sockaddr_t *qaddr,
+	    isc_sockaddr_t *dstaddr, bool tcp, isc_region_t *zone,
+	    isc_time_t *qtime, isc_time_t *rtime, isc_buffer_t *buf);
+/*%<
+ * Sends a dnstap message to the log, if 'msgtype' is one of the message
+ * types represented in 'view->dttypes'.
+ *
+ * Parameters are: 'qaddr' (query address, i.e, the address of the
+ * query initiator); 'raddr' (response address, i.e., the address of
+ * the query responder); 'tcp' (boolean indicating whether the transaction
+ * was over TCP); 'zone' (the authoritative zone or bailiwick, in
+ * uncompressed wire format), 'qtime' and 'rtime' (query and response
+ * times; if NULL, they are set to the current time); and 'buf' (the
+ * DNS message being logged, in wire format).
+ *
+ * Requires:
+ *
+ *\li	'view' is a valid view, and 'view->dtenv' is NULL or is a
+ *	valid dnstap environment.
+ */
+
+isc_result_t
+dns_dt_parse(isc_mem_t *mctx, isc_region_t *src, dns_dtdata_t **destp);
+/*%<
+ * Converts a raw dnstap frame in 'src' to a parsed dnstap data structure
+ * in '*destp'.
+ *
+ * Requires:
+ *\li	'src' is not NULL
+ *
+ *\li	'destp' is not NULL and '*destp' points to a valid buffer.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS on success
+ *
+ *\li	Other errors are possible.
+ */
+
+isc_result_t
+dns_dt_datatotext(dns_dtdata_t *d, isc_buffer_t **dest);
+/*%<
+ * Converts a parsed dnstap data structure 'd' to text, storing
+ * the result in the buffer 'dest'.  If 'dest' points to a dynamically
+ * allocated buffer, then it may be reallocated as needed.
+ *
+ * (XXX: add a 'long_form' option to generate a detailed listing of
+ * dnstap data instead * of a one-line summary.)
+ *
+ * Requires:
+ *\li	'd' is not NULL
+ *
+ *\li	'dest' is not NULL and '*dest' points to a valid buffer.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS on success
+ *\li	#ISC_R_NOSPACE if buffer is not dynamic and runs out of space
+ *\li	#ISC_R_NOMEMORY if buffer is dynamic but memory could not be allocated
+ *
+ *\li	Other errors are possible.
+ */
+
+void
+dns_dtdata_free(dns_dtdata_t **dp);
+/*%<
+ * Frees the specified dns_dtdata structure and all its members,
+ * and sets *dp to NULL.
+ */
+
+isc_result_t
+dns_dt_open(const char *filename, dns_dtmode_t mode, isc_mem_t *mctx,
+	    dns_dthandle_t **handlep);
+/*%<
+ * Opens a dnstap framestream at 'filename' and stores a pointer to the
+ * reader object in a dns_dthandle_t structure.
+ *
+ * The caller is responsible for allocating the handle structure.
+ *
+ * (XXX: Currently only file readers are supported, not unix-domain socket
+ * readers.)
+ *
+ * Requires:
+ *
+ *\li	'filename' is not NULL.
+ *
+ *\li	'handlep' is not NULL and '*handlep' is NULL.
+ *
+ *\li	'*mctx' is not a valid memory context.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS on success
+ *\li	#ISC_R_NOTIMPLEMENTED if 'mode' is not dns_dtmode_file. (XXX)
+ *\li	#ISC_R_NOMEMORY if the fstrm library was unable to allocate a
+ *      reader or options structure
+ *\li	#ISC_R_FAILURE if 'filename' could not be opened.
+ *\li	#DNS_R_BADDNSTAP if 'filename' does not contain a dnstap
+ *      framestream.
+ */
+
+isc_result_t
+dns_dt_getframe(dns_dthandle_t *handle, uint8_t **bufp, size_t *sizep);
+/*%<
+ * Read a dnstap frame from the framstream reader in 'handle', storing
+ * a pointer to it in '*bufp' and its size in '*sizep'.
+ *
+ * Requires:
+ *
+ *\li	'handle' is not NULL
+ *\li	'bufp' is not NULL
+ *\li	'sizep' is not NULL
+ *
+ * Ensures:
+ * \li	if returning ISC_R_SUCCESS then '*bufp' is not NULL
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS on success
+ *\li	#ISC_R_NOMORE at the end of the frame stream
+ *\li	#ISC_R_FAILURE for any other failure
+ */
+
+void
+dns_dt_close(dns_dthandle_t **handlep);
+/*%<
+ * Closes the dnstap file referenced by 'handle'.
+ *
+ * Requires:
+ *
+ *\li	'*handlep' is not NULL
+ */
+
+#endif /* _DNSTAP_H */
diff --git a/lib/dns/include/dns/ds.h b/lib/dns/include/dns/ds.h
new file mode 100644
index 0000000..6e02d4c
--- /dev/null
+++ b/lib/dns/include/dns/ds.h
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_DS_H
+#define DNS_DS_H 1
+
+#include <isc/lang.h>
+
+#include <dns/rdatastruct.h>
+#include <dns/types.h>
+
+#define DNS_DSDIGEST_SHA1   (1)
+#define DNS_DSDIGEST_SHA256 (2)
+#define DNS_DSDIGEST_GOST   (3)
+#define DNS_DSDIGEST_SHA384 (4)
+
+/*
+ * Assuming SHA-384 digest type.
+ */
+#define DNS_DS_BUFFERSIZE (52)
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_ds_fromkeyrdata(const dns_name_t *owner, dns_rdata_t *key,
+		    dns_dsdigest_t digest_type, unsigned char *digest,
+		    dns_rdata_ds_t *dsrdata);
+/*%<
+ * Build a DS rdata structure from a key.
+ *
+ * Requires:
+ *\li	key	Points to a valid DNSKEY or CDNSKEY record.
+ *\li	buffer	Points to a buffer of at least
+ * 		#ISC_MAX_MD_SIZE bytes.
+ */
+
+isc_result_t
+dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
+		  dns_dsdigest_t digest_type, unsigned char *buffer,
+		  dns_rdata_t *rdata);
+/*%<
+ * Similar to dns_ds_fromkeyrdata(), but copies the DS into a
+ * dns_rdata object.
+ *
+ * Requires:
+ *\li	key	Points to a valid DNSKEY or CDNSKEY record.
+ *\li	buffer	Points to a buffer of at least
+ * 		#DNS_DS_BUFFERSIZE bytes.
+ *\li	rdata	Points to an initialized dns_rdata_t.
+ *
+ * Ensures:
+ *  \li    *rdata	Contains a valid DS rdata.  The 'data' member refers
+ *		to 'buffer'.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_DS_H */
diff --git a/lib/dns/include/dns/dsdigest.h b/lib/dns/include/dns/dsdigest.h
new file mode 100644
index 0000000..b466fed
--- /dev/null
+++ b/lib/dns/include/dns/dsdigest.h
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_DSDIGEST_H
+#define DNS_DSDIGEST_H 1
+
+/*! \file dns/dsdigest.h */
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_dsdigest_fromtext(dns_dsdigest_t *dsdigestp, isc_textregion_t *source);
+/*%<
+ * Convert the text 'source' refers to into a DS digest type value.
+ * The text may contain either a mnemonic digest name or a decimal
+ * digest number.
+ *
+ * Requires:
+ *\li	'dsdigestp' is a valid pointer.
+ *
+ *\li	'source' is a valid text region.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS			on success
+ *\li	ISC_R_RANGE			numeric type is out of range
+ *\li	DNS_R_UNKNOWN			mnemonic type is unknown
+ */
+
+isc_result_t
+dns_dsdigest_totext(dns_dsdigest_t dsdigest, isc_buffer_t *target);
+/*%<
+ * Put a textual representation of the DS digest type 'dsdigest'
+ * into 'target'.
+ *
+ * Requires:
+ *\li	'dsdigest' is a valid dsdigest.
+ *
+ *\li	'target' is a valid text buffer.
+ *
+ * Ensures,
+ *	if the result is success:
+ *\li		The used space in 'target' is updated.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS			on success
+ *\li	ISC_R_NOSPACE			target buffer is too small
+ */
+
+#define DNS_DSDIGEST_FORMATSIZE 20
+void
+dns_dsdigest_format(dns_dsdigest_t typ, char *cp, unsigned int size);
+/*%<
+ * Wrapper for dns_dsdigest_totext(), writing text into 'cp'
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_DSDIGEST_H */
diff --git a/lib/dns/include/dns/dyndb.h b/lib/dns/include/dns/dyndb.h
new file mode 100644
index 0000000..cc2820a
--- /dev/null
+++ b/lib/dns/include/dns/dyndb.h
@@ -0,0 +1,162 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_DYNDB_H
+#define DNS_DYNDB_H
+
+#include <stdbool.h>
+
+#include <isc/types.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*!
+ * \brief
+ * Context for initializing a dyndb module.
+ *
+ * This structure passes global server data to which a dyndb
+ * module will need access -- the server memory context, hash
+ * initializer, log context, etc.  The structure doesn't persist
+ * beyond configuring the dyndb module. The module's register function
+ * should attach to all reference-counted variables and its destroy
+ * function should detach from them.
+ */
+struct dns_dyndbctx {
+	unsigned int	magic;
+	const void     *hashinit;
+	isc_mem_t      *mctx;
+	isc_log_t      *lctx;
+	dns_view_t     *view;
+	dns_zonemgr_t  *zmgr;
+	isc_task_t     *task;
+	isc_timermgr_t *timermgr;
+	unsigned int   *memdebug;
+};
+
+#define DNS_DYNDBCTX_MAGIC    ISC_MAGIC('D', 'd', 'b', 'c')
+#define DNS_DYNDBCTX_VALID(d) ISC_MAGIC_VALID(d, DNS_DYNDBCTX_MAGIC)
+
+/*
+ * API version
+ *
+ * When the API changes, increment DNS_DYNDB_VERSION. If the
+ * change is backward-compatible (e.g., adding a new function call
+ * but not changing or removing an old one), increment DNS_DYNDB_AGE;
+ * if not, set DNS_DYNDB_AGE to 0.
+ */
+#ifndef DNS_DYNDB_VERSION
+#define DNS_DYNDB_VERSION 1
+#define DNS_DYNDB_AGE	  0
+#endif /* ifndef DNS_DYNDB_VERSION */
+
+typedef isc_result_t
+dns_dyndb_register_t(isc_mem_t *mctx, const char *name, const char *parameters,
+		     const char *file, unsigned long line,
+		     const dns_dyndbctx_t *dctx, void **instp);
+/*%
+ * Called when registering a new driver instance. 'name' must be unique.
+ * 'parameters' contains the driver configuration text. 'dctx' is the
+ * initialization context set up in dns_dyndb_createctx().
+ *
+ * '*instp' will be set to the driver instance handle if the function
+ * is successful.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	Other errors are possible
+ */
+
+typedef void
+dns_dyndb_destroy_t(void **instp);
+/*%
+ * Destroy a driver instance. Dereference any reference-counted
+ * variables passed in 'dctx' and 'inst' in the register function.
+ *
+ * \c *instp must be set to \c NULL by the function before it returns.
+ */
+
+typedef int
+dns_dyndb_version_t(unsigned int *flags);
+/*%
+ * Return the API version number a dyndb module was compiled with.
+ *
+ * If the returned version number is no greater than than
+ * DNS_DYNDB_VERSION, and no less than DNS_DYNDB_VERSION - DNS_DYNDB_AGE,
+ * then the module is API-compatible with named.
+ *
+ * 'flags' is currently unused and may be NULL, but could be used in
+ * the future to pass back driver capabilities or other information.
+ */
+
+isc_result_t
+dns_dyndb_load(const char *libname, const char *name, const char *parameters,
+	       const char *file, unsigned long line, isc_mem_t *mctx,
+	       const dns_dyndbctx_t *dctx);
+/*%
+ * Load a dyndb module.
+ *
+ * This loads a dyndb module using dlopen() or equivalent, calls its register
+ * function (see dns_dyndb_register_t above), and if successful, adds
+ * the instance handle to a list of dyndb instances so it can be cleaned
+ * up later.
+ *
+ * 'file' and 'line' can be used to indicate the name of the file and
+ * the line number from which the parameters were taken, so that logged
+ * error messages, if any, will display the correct locations.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	Other errors are possible
+ */
+
+void
+dns_dyndb_cleanup(bool exiting);
+/*%
+ * Shut down and destroy all running dyndb modules.
+ *
+ * 'exiting' indicates whether the server is shutting down,
+ * as opposed to merely being reconfigured.
+ */
+
+isc_result_t
+dns_dyndb_createctx(isc_mem_t *mctx, const void *hashinit, isc_log_t *lctx,
+		    dns_view_t *view, dns_zonemgr_t *zmgr, isc_task_t *task,
+		    isc_timermgr_t *tmgr, dns_dyndbctx_t **dctxp);
+/*%
+ * Create a dyndb initialization context structure, with
+ * pointers to structures in the server that the dyndb module will
+ * need to access (view, zone manager, memory context, hash initializer,
+ * etc). This structure is expected to last only until all dyndb
+ * modules have been loaded and initialized; after that it will be
+ * destroyed with dns_dyndb_destroyctx().
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	Other errors are possible
+ */
+
+void
+dns_dyndb_destroyctx(dns_dyndbctx_t **dctxp);
+/*%
+ * Destroys a dyndb initialization context structure; all
+ * reference-counted members are detached and the structure is freed.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_DYNDB_H */
diff --git a/lib/dns/include/dns/ecdb.h b/lib/dns/include/dns/ecdb.h
new file mode 100644
index 0000000..d94cbac
--- /dev/null
+++ b/lib/dns/include/dns/ecdb.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_ECDB_H
+#define DNS_ECDB_H 1
+
+/*****
+***** Module Info
+*****/
+
+/* TBD */
+
+/***
+ *** Imports
+ ***/
+
+#include <dns/types.h>
+
+/***
+ *** Types
+ ***/
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+/* TBD: describe those */
+
+isc_result_t
+dns_ecdb_register(isc_mem_t *mctx, dns_dbimplementation_t **dbimp);
+
+void
+dns_ecdb_unregister(dns_dbimplementation_t **dbimp);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_ECDB_H */
diff --git a/lib/dns/include/dns/ecs.h b/lib/dns/include/dns/ecs.h
new file mode 100644
index 0000000..b4b0d6b
--- /dev/null
+++ b/lib/dns/include/dns/ecs.h
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_ECS_H
+#define DNS_ECS_H 1
+
+#include <inttypes.h>
+
+#include <isc/lang.h>
+#include <isc/netaddr.h>
+#include <isc/types.h>
+
+#include <dns/rdatatype.h>
+#include <dns/types.h>
+
+/*%
+ * Maximum scope values for IPv4 and IPv6.
+ */
+#ifndef ECS_MAX_V4_SCOPE
+#define ECS_MAX_V4_SCOPE 24
+#endif
+
+#ifndef ECS_MAX_V6_SCOPE
+#define ECS_MAX_V6_SCOPE 56
+#endif
+
+/*
+ * Any updates to this structure should also be applied in
+ * contrib/modules/dlz/dlz_minmal.h.
+ */
+struct dns_ecs {
+	isc_netaddr_t addr;
+	uint8_t	      source;
+	uint8_t	      scope;
+};
+
+/* <address>/NNN/NNN */
+#define DNS_ECS_FORMATSIZE (ISC_NETADDR_FORMATSIZE + 9)
+
+ISC_LANG_BEGINDECLS
+
+void
+dns_ecs_init(dns_ecs_t *ecs);
+/*%<
+ * Initialize a DNS ECS structure.
+ *
+ * Requires:
+ * \li 'ecs' is not NULL and points to a valid dns_ecs structure.
+ */
+
+bool
+dns_ecs_equals(const dns_ecs_t *ecs1, const dns_ecs_t *ecs2);
+/*%<
+ * Determine whether two ECS address prefixes are equal (except the
+ * scope prefix-length field).
+ *
+ * 'ecs1->source' must exactly match 'ecs2->source'; the address families
+ * must match; and the first 'ecs1->source' bits of the addresses must
+ * match. Subsequent address bits and the 'scope' values are ignored.
+ */
+
+void
+dns_ecs_format(const dns_ecs_t *ecs, char *buf, size_t size);
+/*%<
+ * Format an ECS record as text. Result is guaranteed to be null-terminated.
+ *
+ * Requires:
+ * \li  'ecs' is not NULL.
+ * \li  'buf' is not NULL.
+ * \li  'size' is at least DNS_ECS_FORMATSIZE
+ */
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_ECS_H */
diff --git a/lib/dns/include/dns/edns.h b/lib/dns/include/dns/edns.h
new file mode 100644
index 0000000..214abe8
--- /dev/null
+++ b/lib/dns/include/dns/edns.h
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_EDNS_H
+#define DNS_EDNS_H 1
+
+/*%
+ * The maximum version on EDNS supported by this build.
+ */
+#define DNS_EDNS_VERSION 0
+#ifdef DRAFT_ANDREWS_EDNS1
+#undef DNS_EDNS_VERSION
+/*
+ * Warning: this currently disables sending COOKIE requests in resolver.c
+ */
+#define DNS_EDNS_VERSION 1 /* draft-andrews-edns1 */
+#endif			   /* ifdef DRAFT_ANDREWS_EDNS1 */
+
+#endif /* ifndef DNS_EDNS_H */
diff --git a/lib/dns/include/dns/events.h b/lib/dns/include/dns/events.h
new file mode 100644
index 0000000..608f35f
--- /dev/null
+++ b/lib/dns/include/dns/events.h
@@ -0,0 +1,90 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_EVENTS_H
+#define DNS_EVENTS_H 1
+
+#include <isc/eventclass.h>
+
+/*! \file dns/events.h
+ * \brief
+ * Registry of DNS event numbers.
+ */
+
+#define DNS_EVENT_FETCHCONTROL	     (ISC_EVENTCLASS_DNS + 0)
+#define DNS_EVENT_FETCHDONE	     (ISC_EVENTCLASS_DNS + 1)
+#define DNS_EVENT_VIEWRESSHUTDOWN    (ISC_EVENTCLASS_DNS + 2)
+#define DNS_EVENT_VIEWADBSHUTDOWN    (ISC_EVENTCLASS_DNS + 3)
+#define DNS_EVENT_UPDATE	     (ISC_EVENTCLASS_DNS + 4)
+#define DNS_EVENT_UPDATEDONE	     (ISC_EVENTCLASS_DNS + 5)
+#define DNS_EVENT_DISPATCH	     (ISC_EVENTCLASS_DNS + 6)
+#define DNS_EVENT_TCPMSG	     (ISC_EVENTCLASS_DNS + 7)
+#define DNS_EVENT_ADBMOREADDRESSES   (ISC_EVENTCLASS_DNS + 8)
+#define DNS_EVENT_ADBNOMOREADDRESSES (ISC_EVENTCLASS_DNS + 9)
+#define DNS_EVENT_ADBCANCELED	     (ISC_EVENTCLASS_DNS + 10)
+#define DNS_EVENT_ADBNAMEDELETED     (ISC_EVENTCLASS_DNS + 11)
+#define DNS_EVENT_ADBSHUTDOWN	     (ISC_EVENTCLASS_DNS + 12)
+#define DNS_EVENT_ADBEXPIRED	     (ISC_EVENTCLASS_DNS + 13)
+#define DNS_EVENT_ADBCONTROL	     (ISC_EVENTCLASS_DNS + 14)
+#define DNS_EVENT_CACHECLEAN	     (ISC_EVENTCLASS_DNS + 15)
+#define DNS_EVENT_BYADDRDONE	     (ISC_EVENTCLASS_DNS + 16)
+#define DNS_EVENT_ZONECONTROL	     (ISC_EVENTCLASS_DNS + 17)
+#define DNS_EVENT_DBDESTROYED	     (ISC_EVENTCLASS_DNS + 18)
+#define DNS_EVENT_VALIDATORDONE	     (ISC_EVENTCLASS_DNS + 19)
+#define DNS_EVENT_REQUESTDONE	     (ISC_EVENTCLASS_DNS + 20)
+#define DNS_EVENT_VALIDATORSTART     (ISC_EVENTCLASS_DNS + 21)
+#define DNS_EVENT_VIEWREQSHUTDOWN    (ISC_EVENTCLASS_DNS + 22)
+#define DNS_EVENT_NOTIFYSENDTOADDR   (ISC_EVENTCLASS_DNS + 23)
+#define DNS_EVENT_ZONE		     (ISC_EVENTCLASS_DNS + 24)
+#define DNS_EVENT_ZONESTARTXFRIN     (ISC_EVENTCLASS_DNS + 25)
+#define DNS_EVENT_MASTERQUANTUM	     (ISC_EVENTCLASS_DNS + 26)
+#define DNS_EVENT_CACHEOVERMEM	     (ISC_EVENTCLASS_DNS + 27)
+#define DNS_EVENT_MASTERNEXTZONE     (ISC_EVENTCLASS_DNS + 28)
+#define DNS_EVENT_IOREADY	     (ISC_EVENTCLASS_DNS + 29)
+#define DNS_EVENT_LOOKUPDONE	     (ISC_EVENTCLASS_DNS + 30)
+#define DNS_EVENT_RBTDEADNODES	     (ISC_EVENTCLASS_DNS + 31)
+#define DNS_EVENT_DISPATCHCONTROL    (ISC_EVENTCLASS_DNS + 32)
+#define DNS_EVENT_REQUESTCONTROL     (ISC_EVENTCLASS_DNS + 33)
+#define DNS_EVENT_DUMPQUANTUM	     (ISC_EVENTCLASS_DNS + 34)
+#define DNS_EVENT_IMPORTRECVDONE     (ISC_EVENTCLASS_DNS + 35)
+#define DNS_EVENT_FREESTORAGE	     (ISC_EVENTCLASS_DNS + 36)
+#define DNS_EVENT_VIEWACACHESHUTDOWN (ISC_EVENTCLASS_DNS + 37)
+#define DNS_EVENT_ACACHECONTROL	     (ISC_EVENTCLASS_DNS + 38)
+#define DNS_EVENT_ACACHECLEAN	     (ISC_EVENTCLASS_DNS + 39)
+#define DNS_EVENT_ACACHEOVERMEM	     (ISC_EVENTCLASS_DNS + 40)
+#define DNS_EVENT_RBTPRUNE	     (ISC_EVENTCLASS_DNS + 41)
+#define DNS_EVENT_MANAGEKEYS	     (ISC_EVENTCLASS_DNS + 42)
+#define DNS_EVENT_CLIENTRESDONE	     (ISC_EVENTCLASS_DNS + 43)
+#define DNS_EVENT_CLIENTREQDONE	     (ISC_EVENTCLASS_DNS + 44)
+#define DNS_EVENT_ADBGROWENTRIES     (ISC_EVENTCLASS_DNS + 45)
+#define DNS_EVENT_ADBGROWNAMES	     (ISC_EVENTCLASS_DNS + 46)
+#define DNS_EVENT_ZONESECURESERIAL   (ISC_EVENTCLASS_DNS + 47)
+#define DNS_EVENT_ZONESECUREDB	     (ISC_EVENTCLASS_DNS + 48)
+#define DNS_EVENT_ZONELOAD	     (ISC_EVENTCLASS_DNS + 49)
+#define DNS_EVENT_KEYDONE	     (ISC_EVENTCLASS_DNS + 50)
+#define DNS_EVENT_SETNSEC3PARAM	     (ISC_EVENTCLASS_DNS + 51)
+#define DNS_EVENT_SETSERIAL	     (ISC_EVENTCLASS_DNS + 52)
+#define DNS_EVENT_CATZUPDATED	     (ISC_EVENTCLASS_DNS + 53)
+#define DNS_EVENT_CATZADDZONE	     (ISC_EVENTCLASS_DNS + 54)
+#define DNS_EVENT_CATZMODZONE	     (ISC_EVENTCLASS_DNS + 55)
+#define DNS_EVENT_CATZDELZONE	     (ISC_EVENTCLASS_DNS + 56)
+#define DNS_EVENT_RPZUPDATED	     (ISC_EVENTCLASS_DNS + 57)
+#define DNS_EVENT_STARTUPDATE	     (ISC_EVENTCLASS_DNS + 58)
+#define DNS_EVENT_TRYSTALE	     (ISC_EVENTCLASS_DNS + 59)
+#define DNS_EVENT_ZONEFLUSH	     (ISC_EVENTCLASS_DNS + 60)
+#define DNS_EVENT_CHECKDSSENDTOADDR  (ISC_EVENTCLASS_DNS + 61)
+
+#define DNS_EVENT_FIRSTEVENT (ISC_EVENTCLASS_DNS + 0)
+#define DNS_EVENT_LASTEVENT  (ISC_EVENTCLASS_DNS + 65535)
+
+#endif /* DNS_EVENTS_H */
diff --git a/lib/dns/include/dns/fixedname.h b/lib/dns/include/dns/fixedname.h
new file mode 100644
index 0000000..edd55f4
--- /dev/null
+++ b/lib/dns/include/dns/fixedname.h
@@ -0,0 +1,85 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_FIXEDNAME_H
+#define DNS_FIXEDNAME_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file dns/fixedname.h
+ * \brief
+ * Fixed-size Names
+ *
+ * dns_fixedname_t is a convenience type containing a name, an offsets
+ * table, and a dedicated buffer big enough for the longest possible
+ * name. This is typically used for stack-allocated names.
+ *
+ * MP:
+ *\li	The caller must ensure any required synchronization.
+ *
+ * Reliability:
+ *\li	No anticipated impact.
+ *
+ * Resources:
+ *\li	Per dns_fixedname_t:
+ *\code
+ *		sizeof(dns_name_t) + sizeof(dns_offsets_t) +
+ *		sizeof(isc_buffer_t) + 255 bytes + structure padding
+ *\endcode
+ *
+ * Security:
+ *\li	No anticipated impact.
+ *
+ * Standards:
+ *\li	None.
+ */
+
+/*****
+***** Imports
+*****/
+
+#include <isc/buffer.h>
+#include <isc/lang.h>
+
+#include <dns/name.h>
+
+/*****
+***** Types
+*****/
+
+struct dns_fixedname {
+	dns_name_t    name;
+	dns_offsets_t offsets;
+	isc_buffer_t  buffer;
+	unsigned char data[DNS_NAME_MAXWIRE];
+};
+
+ISC_LANG_BEGINDECLS
+
+void
+dns_fixedname_init(dns_fixedname_t *fixed);
+
+void
+dns_fixedname_invalidate(dns_fixedname_t *fixed);
+
+dns_name_t *
+dns_fixedname_name(dns_fixedname_t *fixed);
+
+dns_name_t *
+dns_fixedname_initname(dns_fixedname_t *fixed);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_FIXEDNAME_H */
diff --git a/lib/dns/include/dns/forward.h b/lib/dns/include/dns/forward.h
new file mode 100644
index 0000000..12430c3
--- /dev/null
+++ b/lib/dns/include/dns/forward.h
@@ -0,0 +1,124 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_FORWARD_H
+#define DNS_FORWARD_H 1
+
+/*! \file dns/forward.h */
+
+#include <isc/lang.h>
+#include <isc/result.h>
+#include <isc/sockaddr.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+struct dns_forwarder {
+	isc_sockaddr_t addr;
+	isc_dscp_t     dscp;
+	ISC_LINK(dns_forwarder_t) link;
+};
+
+typedef ISC_LIST(struct dns_forwarder) dns_forwarderlist_t;
+
+struct dns_forwarders {
+	dns_forwarderlist_t fwdrs;
+	dns_fwdpolicy_t	    fwdpolicy;
+};
+
+isc_result_t
+dns_fwdtable_create(isc_mem_t *mctx, dns_fwdtable_t **fwdtablep);
+/*%<
+ * Creates a new forwarding table.
+ *
+ * Requires:
+ * \li 	mctx is a valid memory context.
+ * \li	fwdtablep != NULL && *fwdtablep == NULL
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_fwdtable_addfwd(dns_fwdtable_t *fwdtable, const dns_name_t *name,
+		    dns_forwarderlist_t *fwdrs, dns_fwdpolicy_t policy);
+isc_result_t
+dns_fwdtable_add(dns_fwdtable_t *fwdtable, const dns_name_t *name,
+		 isc_sockaddrlist_t *addrs, dns_fwdpolicy_t policy);
+/*%<
+ * Adds an entry to the forwarding table.  The entry associates
+ * a domain with a list of forwarders and a forwarding policy.  The
+ * addrs/fwdrs list is copied if not empty, so the caller should free
+ * its copy.
+ *
+ * Requires:
+ * \li	fwdtable is a valid forwarding table.
+ * \li	name is a valid name
+ * \li	addrs/fwdrs is a valid list of isc_sockaddr/dns_forwarder
+ *      structures, which may be empty.
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_fwdtable_delete(dns_fwdtable_t *fwdtable, const dns_name_t *name);
+/*%<
+ * Removes an entry for 'name' from the forwarding table.  If an entry
+ * that exactly matches 'name' does not exist, ISC_R_NOTFOUND will be returned.
+ *
+ * Requires:
+ * \li	fwdtable is a valid forwarding table.
+ * \li	name is a valid name
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOTFOUND
+ */
+
+isc_result_t
+dns_fwdtable_find(dns_fwdtable_t *fwdtable, const dns_name_t *name,
+		  dns_name_t *foundname, dns_forwarders_t **forwardersp);
+/*%<
+ * Finds a domain in the forwarding table.  The closest matching parent
+ * domain is returned.
+ *
+ * Requires:
+ * \li	fwdtable is a valid forwarding table.
+ * \li	name is a valid name
+ * \li	forwardersp != NULL && *forwardersp == NULL
+ * \li	foundname to be NULL or a valid name with buffer.
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOTFOUND
+ */
+
+void
+dns_fwdtable_destroy(dns_fwdtable_t **fwdtablep);
+/*%<
+ * Destroys a forwarding table.
+ *
+ * Requires:
+ * \li	fwtablep != NULL && *fwtablep != NULL
+ *
+ * Ensures:
+ * \li	all memory associated with the forwarding table is freed.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_FORWARD_H */
diff --git a/lib/dns/include/dns/geoip.h b/lib/dns/include/dns/geoip.h
new file mode 100644
index 0000000..721c297
--- /dev/null
+++ b/lib/dns/include/dns/geoip.h
@@ -0,0 +1,114 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_GEOIP_H
+#define DNS_GEOIP_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file dns/geoip.h
+ * \brief
+ * GeoIP/GeoIP2 data types and function prototypes.
+ */
+
+#if defined(HAVE_GEOIP2)
+
+/***
+ *** Imports
+ ***/
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/netaddr.h>
+#include <isc/refcount.h>
+
+#include <dns/iptable.h>
+#include <dns/name.h>
+#include <dns/types.h>
+
+/***
+ *** Types
+ ***/
+
+typedef enum {
+	dns_geoip_countrycode,
+	dns_geoip_countrycode3,
+	dns_geoip_countryname,
+	dns_geoip_continentcode,
+	dns_geoip_continent,
+	dns_geoip_region,
+	dns_geoip_regionname,
+	dns_geoip_country_code,
+	dns_geoip_country_code3,
+	dns_geoip_country_name,
+	dns_geoip_country_continentcode,
+	dns_geoip_country_continent,
+	dns_geoip_region_countrycode,
+	dns_geoip_region_code,
+	dns_geoip_region_name,
+	dns_geoip_city_countrycode,
+	dns_geoip_city_countrycode3,
+	dns_geoip_city_countryname,
+	dns_geoip_city_region,
+	dns_geoip_city_regionname,
+	dns_geoip_city_name,
+	dns_geoip_city_postalcode,
+	dns_geoip_city_metrocode,
+	dns_geoip_city_areacode,
+	dns_geoip_city_continentcode,
+	dns_geoip_city_continent,
+	dns_geoip_city_timezonecode,
+	dns_geoip_isp_name,
+	dns_geoip_org_name,
+	dns_geoip_as_asnum,
+	dns_geoip_domain_name,
+	dns_geoip_netspeed_id
+} dns_geoip_subtype_t;
+
+typedef struct dns_geoip_elem {
+	dns_geoip_subtype_t subtype;
+	void		   *db;
+	union {
+		char as_string[256];
+		int  as_int;
+	};
+} dns_geoip_elem_t;
+
+struct dns_geoip_databases {
+	void *country; /* GeoIP2-Country or GeoLite2-Country */
+	void *city;    /* GeoIP2-CIty or GeoLite2-City */
+	void *domain;  /* GeoIP2-Domain */
+	void *isp;     /* GeoIP2-ISP */
+	void *as;      /* GeoIP2-ASN or GeoLite2-ASN */
+};
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+bool
+dns_geoip_match(const isc_netaddr_t	    *reqaddr,
+		const dns_geoip_databases_t *geoip,
+		const dns_geoip_elem_t	    *elt);
+
+ISC_LANG_ENDDECLS
+
+#endif /* HAVE_GEOIP2 */
+
+#endif /* DNS_GEOIP_H */
diff --git a/lib/dns/include/dns/ipkeylist.h b/lib/dns/include/dns/ipkeylist.h
new file mode 100644
index 0000000..b3dbfb6
--- /dev/null
+++ b/lib/dns/include/dns/ipkeylist.h
@@ -0,0 +1,90 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_IPKEYLIST_H
+#define DNS_IPKEYLIST_H 1
+
+#include <inttypes.h>
+
+#include <isc/types.h>
+
+#include <dns/types.h>
+
+/*%
+ * A structure holding a list of addresses, dscps and keys.  Used to
+ * store masters for a slave zone, created by parsing config options.
+ */
+struct dns_ipkeylist {
+	isc_sockaddr_t *addrs;
+	isc_dscp_t     *dscps;
+	dns_name_t    **keys;
+	dns_name_t    **labels;
+	uint32_t	count;
+	uint32_t	allocated;
+};
+
+void
+dns_ipkeylist_init(dns_ipkeylist_t *ipkl);
+/*%<
+ * Reset ipkl to empty state
+ *
+ * Requires:
+ *\li	'ipkl' to be non NULL.
+ */
+
+void
+dns_ipkeylist_clear(isc_mem_t *mctx, dns_ipkeylist_t *ipkl);
+/*%<
+ * Free `ipkl` contents using `mctx`.
+ *
+ * After this call, `ipkl` is a freshly cleared structure with all
+ * pointers set to `NULL` and count set to 0.
+ *
+ * Requires:
+ *\li	'mctx' to be a valid memory context.
+ *\li	'ipkl' to be non NULL.
+ */
+
+isc_result_t
+dns_ipkeylist_copy(isc_mem_t *mctx, const dns_ipkeylist_t *src,
+		   dns_ipkeylist_t *dst);
+/*%<
+ * Deep copy `src` into empty `dst`, allocating `dst`'s contents.
+ *
+ * Requires:
+ *\li	'mctx' to be a valid memory context.
+ *\li	'src' to be non NULL
+ *\li	'dst' to be non NULL and point to an empty \ref dns_ipkeylist_t
+ *       with all pointers set to `NULL` and count set to 0.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS	-- success
+ *\li	any other value -- failure
+ */
+isc_result_t
+dns_ipkeylist_resize(isc_mem_t *mctx, dns_ipkeylist_t *ipkl, unsigned int n);
+/*%<
+ * Resize ipkl to contain n elements. Size (count) is not changed, and the
+ * added space is zeroed.
+ *
+ * Requires:
+ * \li	'mctx' to be a valid memory context.
+ * \li	'ipk' to be non NULL
+ * \li	'n' >= ipkl->count
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS if success
+ * \li	#ISC_R_NOMEMORY if there's no memory, ipkeylist is left untouched
+ */
+
+#endif /* ifndef DNS_IPKEYLIST_H */
diff --git a/lib/dns/include/dns/iptable.h b/lib/dns/include/dns/iptable.h
new file mode 100644
index 0000000..83ecf04
--- /dev/null
+++ b/lib/dns/include/dns/iptable.h
@@ -0,0 +1,70 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_IPTABLE_H
+#define DNS_IPTABLE_H 1
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/radix.h>
+
+#include <dns/types.h>
+
+struct dns_iptable {
+	unsigned int	  magic;
+	isc_mem_t	 *mctx;
+	isc_refcount_t	  refcount;
+	isc_radix_tree_t *radix;
+	ISC_LINK(dns_iptable_t) nextincache;
+};
+
+#define DNS_IPTABLE_MAGIC    ISC_MAGIC('T', 'a', 'b', 'l')
+#define DNS_IPTABLE_VALID(a) ISC_MAGIC_VALID(a, DNS_IPTABLE_MAGIC)
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_iptable_create(isc_mem_t *mctx, dns_iptable_t **target);
+/*
+ * Create a new IP table and the underlying radix structure
+ */
+
+isc_result_t
+dns_iptable_addprefix(dns_iptable_t *tab, const isc_netaddr_t *addr,
+		      uint16_t bitlen, bool pos);
+/*
+ * Add an IP prefix to an existing IP table
+ */
+
+isc_result_t
+dns_iptable_merge(dns_iptable_t *tab, dns_iptable_t *source, bool pos);
+/*
+ * Merge one IP table into another one.
+ */
+
+void
+dns_iptable_attach(dns_iptable_t *source, dns_iptable_t **target);
+
+void
+dns_iptable_detach(dns_iptable_t **tabp);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_IPTABLE_H */
diff --git a/lib/dns/include/dns/journal.h b/lib/dns/include/dns/journal.h
new file mode 100644
index 0000000..2b9875e
--- /dev/null
+++ b/lib/dns/include/dns/journal.h
@@ -0,0 +1,341 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_JOURNAL_H
+#define DNS_JOURNAL_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file dns/journal.h
+ * \brief
+ * Database journaling.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+
+#include <dns/diff.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/types.h>
+
+/***
+ *** Defines.
+ ***/
+#define DNS_JOURNALOPT_RESIGN 0x00000001
+
+#define DNS_JOURNAL_READ   0x00000000 /* false */
+#define DNS_JOURNAL_CREATE 0x00000001 /* true */
+#define DNS_JOURNAL_WRITE  0x00000002
+
+#define DNS_JOURNAL_SIZE_MAX INT32_MAX
+#define DNS_JOURNAL_SIZE_MIN 4096
+
+/*% Print transaction header data */
+#define DNS_JOURNAL_PRINTXHDR 0x0001
+
+/*% Rewrite whole journal file instead of compacting */
+#define DNS_JOURNAL_COMPACTALL 0x0001
+#define DNS_JOURNAL_VERSION1   0x0002
+
+/***
+ *** Types
+ ***/
+
+/*%
+ * A dns_journal_t represents an open journal file.  This is an opaque type.
+ *
+ * A particular dns_journal_t object may be opened for writing, in which case
+ * it can be used for writing transactions to a journal file, or it can be
+ * opened for reading, in which case it can be used for reading transactions
+ * from (iterating over) a journal file.  A single dns_journal_t object may
+ * not be used for both purposes.
+ */
+typedef struct dns_journal dns_journal_t;
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+/**************************************************************************/
+
+isc_result_t
+dns_db_createsoatuple(dns_db_t *db, dns_dbversion_t *ver, isc_mem_t *mctx,
+		      dns_diffop_t op, dns_difftuple_t **tp);
+/*!< brief
+ * Create a diff tuple for the current database SOA.
+ * XXX this probably belongs somewhere else.
+ */
+
+/*@{*/
+#define DNS_SERIAL_GT(a, b) ((int)(((a) - (b)) & 0xFFFFFFFF) > 0)
+#define DNS_SERIAL_GE(a, b) ((int)(((a) - (b)) & 0xFFFFFFFF) >= 0)
+/*!< brief
+ * Compare SOA serial numbers.  DNS_SERIAL_GT(a, b) returns true iff
+ * a is "greater than" b where "greater than" is as defined in RFC1982.
+ * DNS_SERIAL_GE(a, b) returns true iff a is "greater than or equal to" b.
+ */
+/*@}*/
+
+/**************************************************************************/
+/*
+ * Journal object creation and destruction.
+ */
+
+isc_result_t
+dns_journal_open(isc_mem_t *mctx, const char *filename, unsigned int mode,
+		 dns_journal_t **journalp);
+/*%<
+ * Open the journal file 'filename' and create a dns_journal_t object for it.
+ *
+ * DNS_JOURNAL_CREATE open the journal for reading and writing and create
+ * the journal if it does not exist.
+ * DNS_JOURNAL_WRITE open the journal for reading and writing.
+ * DNS_JOURNAL_READ open the journal for reading only.
+ */
+
+void
+dns_journal_destroy(dns_journal_t **journalp);
+/*%<
+ * Destroy a dns_journal_t, closing any open files and freeing its memory.
+ */
+
+/**************************************************************************/
+/*
+ * Writing transactions to journals.
+ */
+
+isc_result_t
+dns_journal_begin_transaction(dns_journal_t *j);
+/*%<
+ * Prepare to write a new transaction to the open journal file 'j'.
+ *
+ * Requires:
+ *     \li 'j' is open for writing.
+ */
+
+isc_result_t
+dns_journal_writediff(dns_journal_t *j, dns_diff_t *diff);
+/*%<
+ * Write 'diff' to the current transaction of journal file 'j'.
+ *
+ * Requires:
+ * \li     'j' is open for writing and dns_journal_begin_transaction()
+ * 	has been called.
+ *
+ *\li 	'diff' is a full or partial, correctly ordered IXFR
+ *      difference sequence.
+ */
+
+isc_result_t
+dns_journal_commit(dns_journal_t *j);
+/*%<
+ * Commit the current transaction of journal file 'j'.
+ *
+ * Requires:
+ * \li     'j' is open for writing and dns_journal_begin_transaction()
+ * 	has been called.
+ *
+ *   \li   dns_journal_writediff() has been called one or more times
+ * 	to form a complete, correctly ordered IXFR difference
+ *      sequence.
+ */
+
+isc_result_t
+dns_journal_write_transaction(dns_journal_t *j, dns_diff_t *diff);
+/*%
+ * Write a complete transaction at once to a journal file,
+ * sorting it if necessary, and commit it.  Equivalent to calling
+ * dns_diff_sort(), dns_journal_begin_transaction(),
+ * dns_journal_writediff(), and dns_journal_commit().
+ *
+ * Requires:
+ *\li      'j' is open for writing.
+ *
+ * \li	'diff' contains exactly one SOA deletion, one SOA addition
+ *       with a greater serial number, and possibly other changes,
+ *       in arbitrary order.
+ */
+
+/**************************************************************************/
+/*
+ * Reading transactions from journals.
+ */
+
+bool
+dns_journal_empty(dns_journal_t *j);
+/*<
+ * Find out if a journal is empty.
+ */
+
+bool
+dns_journal_recovered(dns_journal_t *j);
+/*<
+ * Find out if the journal could be opened using old journal format
+ */
+
+uint32_t
+dns_journal_first_serial(dns_journal_t *j);
+uint32_t
+dns_journal_last_serial(dns_journal_t *j);
+/*%<
+ * Get the first and last addressable serial number in the journal.
+ */
+
+isc_result_t
+dns_journal_iter_init(dns_journal_t *j, uint32_t begin_serial,
+		      uint32_t end_serial, size_t *xfrsizep);
+/*%<
+ * Prepare to iterate over the transactions that will bring the database
+ * from SOA serial number 'begin_serial' to 'end_serial'.
+ *
+ * If 'xfrsizep' is not NULL, then on success it will be set to the
+ * total size of all records in the iteration (excluding headers). This
+ * is meant to be a rough approximation of the size of an incremental
+ * zone transfer, though it does not account for DNS message overhead
+ * or name compression.)
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_RANGE	begin_serial is outside the addressable range.
+ *\li	ISC_R_NOTFOUND	begin_serial is within the range of addressable
+ *			serial numbers covered by the journal, but
+ *			this particular serial number does not exist.
+ */
+
+/*@{*/
+isc_result_t
+dns_journal_first_rr(dns_journal_t *j);
+isc_result_t
+dns_journal_next_rr(dns_journal_t *j);
+/*%<
+ * Position the iterator at the first/next RR in a journal
+ * transaction sequence established using dns_journal_iter_init().
+ *
+ * Requires:
+ *    \li  dns_journal_iter_init() has been called.
+ *
+ */
+/*@}*/
+
+void
+dns_journal_current_rr(dns_journal_t *j, dns_name_t **name, uint32_t *ttl,
+		       dns_rdata_t **rdata);
+/*%<
+ * Get the name, ttl, and rdata of the current journal RR.
+ *
+ * Requires:
+ * \li     The last call to dns_journal_first_rr() or dns_journal_next_rr()
+ *      returned ISC_R_SUCCESS.
+ */
+
+/**************************************************************************/
+/*
+ * Database roll-forward.
+ */
+
+isc_result_t
+dns_journal_rollforward(dns_journal_t *j, dns_db_t *db, unsigned int options);
+/*%<
+ * Roll forward (play back) the journal file "filename" into the
+ * database "db".  This should be called when the server starts
+ * after a shutdown or crash.
+ *
+ * Requires:
+ *\li   'journal' is a valid journal
+ *\li	'db' is a valid database which does not have a version
+ *           open for writing.
+ *
+ * Returns:
+ *\li	ISC_R_NOTFOUND when current serial in not in journal.
+ *\li	ISC_R_RANGE when current serial in not in journals range.
+ *\li	DNS_R_UPTODATE when the database was already up to date.
+ *\li	ISC_R_SUCCESS journal has been applied successfully to the
+ *      database without any issues.
+ *
+ *	others
+ */
+
+isc_result_t
+dns_journal_print(isc_mem_t *mctx, uint32_t flags, const char *filename,
+		  FILE *file);
+/* For debugging not general use */
+
+isc_result_t
+dns_db_diff(isc_mem_t *mctx, dns_db_t *dba, dns_dbversion_t *dbvera,
+	    dns_db_t *dbb, dns_dbversion_t *dbverb,
+	    const char *journal_filename);
+
+isc_result_t
+dns_db_diffx(dns_diff_t *diff, dns_db_t *dba, dns_dbversion_t *dbvera,
+	     dns_db_t *dbb, dns_dbversion_t *dbverb,
+	     const char *journal_filename);
+/*%<
+ * Compare the databases 'dba' and 'dbb' and generate a diff/journal
+ * entry containing the changes to make 'dba' from 'dbb' (note
+ * the order).  This journal entry will consist of a single,
+ * possibly very large transaction.  Append the journal
+ * entry to the journal file specified by 'journal_filename' if
+ * non-NULL.
+ */
+
+isc_result_t
+dns_journal_compact(isc_mem_t *mctx, char *filename, uint32_t serial,
+		    uint32_t flags, uint32_t target_size);
+/*%<
+ * Attempt to compact the journal if it is greater that 'target_size'.
+ * Changes from 'serial' onwards will be preserved. Changes prior than
+ * that may be dropped in order to get the journal below `target_size`.
+ *
+ * If 'flags' includes DNS_JOURNAL_COMPACTALL, the entire journal is copied.
+ * In this case, `serial` is ignored. This flag is used when upgrading or
+ * downgrading the format version of the journal. If 'flags' also includes
+ * DNS_JOURNAL_VERSION1, then the journal is copied out in the original
+ * format used prior to BIND 9.16.12; otherwise it is copied in the
+ * current format.
+ *
+ * If _COMPACTALL is not in use, and the journal file exists and is
+ * non-empty, then 'serial' must exist in the journal.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_RANGE	serial is outside the range existing in the journal
+ *
+ * Other errors may be returned from file operations.
+ */
+
+bool
+dns_journal_get_sourceserial(dns_journal_t *j, uint32_t *sourceserial);
+void
+dns_journal_set_sourceserial(dns_journal_t *j, uint32_t sourceserial);
+/*%<
+ * Get and set source serial.
+ *
+ * Returns:
+ *      true if sourceserial has previously been set.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_JOURNAL_H */
diff --git a/lib/dns/include/dns/kasp.h b/lib/dns/include/dns/kasp.h
new file mode 100644
index 0000000..48d773a
--- /dev/null
+++ b/lib/dns/include/dns/kasp.h
@@ -0,0 +1,717 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_KASP_H
+#define DNS_KASP_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file dns/kasp.h
+ * \brief
+ * DNSSEC Key and Signing Policy (KASP)
+ *
+ * A "kasp" is a DNSSEC policy, that determines how a zone should be
+ * signed and maintained.
+ */
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/mutex.h>
+#include <isc/refcount.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/* Stores a KASP key */
+struct dns_kasp_key {
+	isc_mem_t *mctx;
+
+	/* Locked by themselves. */
+	isc_refcount_t references;
+
+	/* Under owner's locking control. */
+	ISC_LINK(struct dns_kasp_key) link;
+
+	/* Configuration */
+	uint32_t lifetime;
+	uint8_t	 algorithm;
+	int	 length;
+	uint8_t	 role;
+};
+
+struct dns_kasp_nsec3param {
+	uint8_t saltlen;
+	uint8_t algorithm;
+	uint8_t iterations;
+	bool	optout;
+};
+
+/* Stores a DNSSEC policy */
+struct dns_kasp {
+	unsigned int magic;
+	isc_mem_t   *mctx;
+	char	    *name;
+
+	/* Internals. */
+	isc_mutex_t lock;
+	bool	    frozen;
+
+	/* Locked by themselves. */
+	isc_refcount_t references;
+
+	/* Under owner's locking control. */
+	ISC_LINK(struct dns_kasp) link;
+
+	/* Configuration: signatures */
+	uint32_t signatures_refresh;
+	uint32_t signatures_validity;
+	uint32_t signatures_validity_dnskey;
+
+	/* Configuration: Keys */
+	dns_kasp_keylist_t keys;
+	dns_ttl_t	   dnskey_ttl;
+
+	/* Configuration: Denial of existence */
+	bool		      nsec3;
+	dns_kasp_nsec3param_t nsec3param;
+
+	/* Configuration: Timings */
+	uint32_t publish_safety;
+	uint32_t retire_safety;
+	uint32_t purge_keys;
+
+	/* Zone settings */
+	dns_ttl_t zone_max_ttl;
+	uint32_t  zone_propagation_delay;
+
+	/* Parent settings */
+	dns_ttl_t parent_ds_ttl;
+	uint32_t  parent_propagation_delay;
+};
+
+#define DNS_KASP_MAGIC	     ISC_MAGIC('K', 'A', 'S', 'P')
+#define DNS_KASP_VALID(kasp) ISC_MAGIC_VALID(kasp, DNS_KASP_MAGIC)
+
+/* Defaults */
+#define DNS_KASP_SIG_REFRESH	     (86400 * 5)
+#define DNS_KASP_SIG_VALIDITY	     (86400 * 14)
+#define DNS_KASP_SIG_VALIDITY_DNSKEY (86400 * 14)
+#define DNS_KASP_KEY_TTL	     (3600)
+#define DNS_KASP_DS_TTL		     (86400)
+#define DNS_KASP_PUBLISH_SAFETY	     (3600)
+#define DNS_KASP_PURGE_KEYS	     (86400 * 90)
+#define DNS_KASP_RETIRE_SAFETY	     (3600)
+#define DNS_KASP_ZONE_MAXTTL	     (86400)
+#define DNS_KASP_ZONE_PROPDELAY	     (300)
+#define DNS_KASP_PARENT_PROPDELAY    (3600)
+
+/* Key roles */
+#define DNS_KASP_KEY_ROLE_KSK 0x01
+#define DNS_KASP_KEY_ROLE_ZSK 0x02
+
+isc_result_t
+dns_kasp_create(isc_mem_t *mctx, const char *name, dns_kasp_t **kaspp);
+/*%<
+ * Create a KASP.
+ *
+ * Requires:
+ *
+ *\li  'mctx' is a valid memory context.
+ *
+ *\li  'name' is a valid C string.
+ *
+ *\li  kaspp != NULL && *kaspp == NULL
+ *
+ * Returns:
+ *
+ *\li  #ISC_R_SUCCESS
+ *\li  #ISC_R_NOMEMORY
+ *
+ *\li  Other errors are possible.
+ */
+
+void
+dns_kasp_attach(dns_kasp_t *source, dns_kasp_t **targetp);
+/*%<
+ * Attach '*targetp' to 'source'.
+ *
+ * Requires:
+ *
+ *\li   'source' is a valid, frozen kasp.
+ *
+ *\li   'targetp' points to a NULL dns_kasp_t *.
+ *
+ * Ensures:
+ *
+ *\li   *targetp is attached to source.
+ *
+ *\li   While *targetp is attached, the kasp will not shut down.
+ */
+
+void
+dns_kasp_detach(dns_kasp_t **kaspp);
+/*%<
+ * Detach KASP.
+ *
+ * Requires:
+ *
+ *\li   'kaspp' points to a valid dns_kasp_t *
+ *
+ * Ensures:
+ *
+ *\li   *kaspp is NULL.
+ */
+
+void
+dns_kasp_freeze(dns_kasp_t *kasp);
+/*%<
+ * Freeze kasp.  No changes can be made to kasp configuration while frozen.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, unfrozen kasp.
+ *
+ * Ensures:
+ *
+ *\li   'kasp' is frozen.
+ */
+
+void
+dns_kasp_thaw(dns_kasp_t *kasp);
+/*%<
+ * Thaw kasp.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, frozen kasp.
+ *
+ * Ensures:
+ *
+ *\li   'kasp' is no longer frozen.
+ */
+
+const char *
+dns_kasp_getname(dns_kasp_t *kasp);
+/*%<
+ * Get kasp name.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid kasp.
+ *
+ * Returns:
+ *
+ *\li   name of 'kasp'.
+ */
+
+uint32_t
+dns_kasp_signdelay(dns_kasp_t *kasp);
+/*%<
+ * Get the delay that is needed to ensure that all existing RRsets have been
+ * re-signed with a successor key.  This is the signature validity minus the
+ * signature refresh time (that indicates how far before signature expiry an
+ * RRSIG should be refreshed).
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li   signature refresh interval.
+ */
+
+uint32_t
+dns_kasp_sigrefresh(dns_kasp_t *kasp);
+/*%<
+ * Get signature refresh interval.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li   signature refresh interval.
+ */
+
+void
+dns_kasp_setsigrefresh(dns_kasp_t *kasp, uint32_t value);
+/*%<
+ * Set signature refresh interval.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, thawed kasp.
+ */
+
+uint32_t
+dns_kasp_sigvalidity(dns_kasp_t *kasp);
+uint32_t
+dns_kasp_sigvalidity_dnskey(dns_kasp_t *kasp);
+/*%<
+ * Get signature validity.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li   signature validity.
+ */
+
+void
+dns_kasp_setsigvalidity(dns_kasp_t *kasp, uint32_t value);
+void
+dns_kasp_setsigvalidity_dnskey(dns_kasp_t *kasp, uint32_t value);
+/*%<
+ * Set signature validity.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, thawed kasp.
+ */
+
+dns_ttl_t
+dns_kasp_dnskeyttl(dns_kasp_t *kasp);
+/*%<
+ * Get DNSKEY TTL.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li   DNSKEY TTL.
+ */
+
+void
+dns_kasp_setdnskeyttl(dns_kasp_t *kasp, dns_ttl_t ttl);
+/*%<
+ * Set DNSKEY TTL.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, thawed kasp.
+ */
+
+uint32_t
+dns_kasp_purgekeys(dns_kasp_t *kasp);
+/*%<
+ * Get purge keys interval.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li   Purge keys interval.
+ */
+
+void
+dns_kasp_setpurgekeys(dns_kasp_t *kasp, uint32_t value);
+/*%<
+ * Set purge keys interval.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, thawed kasp.
+ */
+
+uint32_t
+dns_kasp_publishsafety(dns_kasp_t *kasp);
+/*%<
+ * Get publish safety interval.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li   Publish safety interval.
+ */
+
+void
+dns_kasp_setpublishsafety(dns_kasp_t *kasp, uint32_t value);
+/*%<
+ * Set publish safety interval.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, thawed kasp.
+ */
+
+uint32_t
+dns_kasp_retiresafety(dns_kasp_t *kasp);
+/*%<
+ * Get retire safety interval.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li   Retire safety interval.
+ */
+
+void
+dns_kasp_setretiresafety(dns_kasp_t *kasp, uint32_t value);
+/*%<
+ * Set retire safety interval.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, thawed kasp.
+ */
+
+dns_ttl_t
+dns_kasp_zonemaxttl(dns_kasp_t *kasp);
+/*%<
+ * Get maximum zone TTL.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li   Maximum zone TTL.
+ */
+
+void
+dns_kasp_setzonemaxttl(dns_kasp_t *kasp, dns_ttl_t ttl);
+/*%<
+ * Set maximum zone TTL.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, thawed kasp.
+ */
+
+uint32_t
+dns_kasp_zonepropagationdelay(dns_kasp_t *kasp);
+/*%<
+ * Get zone propagation delay.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li   Zone propagation delay.
+ */
+
+void
+dns_kasp_setzonepropagationdelay(dns_kasp_t *kasp, uint32_t value);
+/*%<
+ * Set zone propagation delay.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, thawed kasp.
+ */
+
+dns_ttl_t
+dns_kasp_dsttl(dns_kasp_t *kasp);
+/*%<
+ * Get DS TTL (should match that of the parent DS record).
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li   Expected parent DS TTL.
+ */
+
+void
+dns_kasp_setdsttl(dns_kasp_t *kasp, dns_ttl_t ttl);
+/*%<
+ * Set DS TTL.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, thawed kasp.
+ */
+
+uint32_t
+dns_kasp_parentpropagationdelay(dns_kasp_t *kasp);
+/*%<
+ * Get parent zone propagation delay.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li   Parent zone propagation delay.
+ */
+
+void
+dns_kasp_setparentpropagationdelay(dns_kasp_t *kasp, uint32_t value);
+/*%<
+ * Set parent propagation delay.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, thawed kasp.
+ */
+
+isc_result_t
+dns_kasplist_find(dns_kasplist_t *list, const char *name, dns_kasp_t **kaspp);
+/*%<
+ * Search for a kasp with name 'name' in 'list'.
+ * If found, '*kaspp' is (strongly) attached to it.
+ *
+ * Requires:
+ *
+ *\li   'kaspp' points to a NULL dns_kasp_t *.
+ *
+ * Returns:
+ *
+ *\li   #ISC_R_SUCCESS          A matching kasp was found.
+ *\li   #ISC_R_NOTFOUND         No matching kasp was found.
+ */
+
+dns_kasp_keylist_t
+dns_kasp_keys(dns_kasp_t *kasp);
+/*%<
+ * Get the list of kasp keys.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li  #ISC_R_SUCCESS
+ *\li  #ISC_R_NOMEMORY
+ *
+ *\li  Other errors are possible.
+ */
+
+bool
+dns_kasp_keylist_empty(dns_kasp_t *kasp);
+/*%<
+ * Check if the keylist is empty.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid kasp.
+ *
+ * Returns:
+ *
+ *\li  true if the keylist is empty, false otherwise.
+ */
+
+void
+dns_kasp_addkey(dns_kasp_t *kasp, dns_kasp_key_t *key);
+/*%<
+ * Add a key.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, thawed kasp.
+ *\li   'key' is not NULL.
+ */
+
+isc_result_t
+dns_kasp_key_create(dns_kasp_t *kasp, dns_kasp_key_t **keyp);
+/*%<
+ * Create a key inside a KASP.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid kasp.
+ *
+ *\li  keyp != NULL && *keyp == NULL
+ *
+ * Returns:
+ *
+ *\li  #ISC_R_SUCCESS
+ *\li  #ISC_R_NOMEMORY
+ *
+ *\li  Other errors are possible.
+ */
+
+void
+dns_kasp_key_destroy(dns_kasp_key_t *key);
+/*%<
+ * Destroy a KASP key.
+ *
+ * Requires:
+ *
+ *\li  key != NULL
+ */
+
+uint32_t
+dns_kasp_key_algorithm(dns_kasp_key_t *key);
+/*%<
+ * Get the key algorithm.
+ *
+ * Requires:
+ *
+ *\li  key != NULL
+ *
+ * Returns:
+ *
+ *\li  Key algorithm.
+ */
+
+unsigned int
+dns_kasp_key_size(dns_kasp_key_t *key);
+/*%<
+ * Get the key size.
+ *
+ * Requires:
+ *
+ *\li  key != NULL
+ *
+ * Returns:
+ *
+ *\li  Configured key size, or default key size for key algorithm if no size
+ *     configured.
+ */
+
+uint32_t
+dns_kasp_key_lifetime(dns_kasp_key_t *key);
+/*%<
+ * The lifetime of this key (how long may this key be active?)
+ *
+ * Requires:
+ *
+ *\li  key != NULL
+ *
+ * Returns:
+ *
+ *\li  Lifetime of key.
+ *
+ */
+
+bool
+dns_kasp_key_ksk(dns_kasp_key_t *key);
+/*%<
+ * Does this key act as a KSK?
+ *
+ * Requires:
+ *
+ *\li  key != NULL
+ *
+ * Returns:
+ *
+ *\li  True, if the key role has DNS_KASP_KEY_ROLE_KSK set.
+ *\li  False, otherwise.
+ *
+ */
+
+bool
+dns_kasp_key_zsk(dns_kasp_key_t *key);
+/*%<
+ * Does this key act as a ZSK?
+ *
+ * Requires:
+ *
+ *\li  key != NULL
+ *
+ * Returns:
+ *
+ *\li  True, if the key role has DNS_KASP_KEY_ROLE_ZSK set.
+ *\li  False, otherwise.
+ *
+ */
+
+bool
+dns_kasp_nsec3(dns_kasp_t *kasp);
+/*%<
+ * Return true if NSEC3 chain should be used.
+ *
+ * Requires:
+ *
+ *\li  'kasp' is a valid, frozen kasp.
+ *
+ */
+
+uint8_t
+dns_kasp_nsec3iter(dns_kasp_t *kasp);
+/*%<
+ * The number of NSEC3 iterations to use.
+ *
+ * Requires:
+ *
+ *\li  'kasp' is a valid, frozen kasp.
+ *\li  'kasp->nsec3' is true.
+ *
+ */
+
+uint8_t
+dns_kasp_nsec3flags(dns_kasp_t *kasp);
+/*%<
+ * The NSEC3 flags field value.
+ *
+ * Requires:
+ *
+ *\li  'kasp' is a valid, frozen kasp.
+ *\li  'kasp->nsec3' is true.
+ *
+ */
+
+uint8_t
+dns_kasp_nsec3saltlen(dns_kasp_t *kasp);
+/*%<
+ * The NSEC3 salt length.
+ *
+ * Requires:
+ *
+ *\li  'kasp' is a valid, frozen kasp.
+ *\li  'kasp->nsec3' is true.
+ *
+ */
+
+void
+dns_kasp_setnsec3(dns_kasp_t *kasp, bool nsec3);
+/*%<
+ * Set to use NSEC3 if 'nsec3' is 'true', otherwise policy will use NSEC.
+ *
+ * Requires:
+ *
+ *\li  'kasp' is a valid, unfrozen kasp.
+ *
+ */
+
+void
+dns_kasp_setnsec3param(dns_kasp_t *kasp, uint8_t iter, bool optout,
+		       uint8_t saltlen);
+/*%<
+ * Set the desired NSEC3 parameters.
+ *
+ * Requires:
+ *
+ *\li  'kasp' is a valid, unfrozen kasp.
+ *\li  'kasp->nsec3' is true.
+ *
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_KASP_H */
diff --git a/lib/dns/include/dns/keydata.h b/lib/dns/include/dns/keydata.h
new file mode 100644
index 0000000..43a3ef7
--- /dev/null
+++ b/lib/dns/include/dns/keydata.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_KEYDATA_H
+#define DNS_KEYDATA_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file dns/keydata.h
+ * \brief
+ * KEYDATA utilities.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <inttypes.h>
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+#include <dns/rdatastruct.h>
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_keydata_todnskey(dns_rdata_keydata_t *keydata, dns_rdata_dnskey_t *dnskey,
+		     isc_mem_t *mctx);
+
+isc_result_t
+dns_keydata_fromdnskey(dns_rdata_keydata_t *keydata, dns_rdata_dnskey_t *dnskey,
+		       uint32_t refresh, uint32_t addhd, uint32_t removehd,
+		       isc_mem_t *mctx);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_KEYDATA_H */
diff --git a/lib/dns/include/dns/keyflags.h b/lib/dns/include/dns/keyflags.h
new file mode 100644
index 0000000..a603b6f
--- /dev/null
+++ b/lib/dns/include/dns/keyflags.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_KEYFLAGS_H
+#define DNS_KEYFLAGS_H 1
+
+/*! \file dns/keyflags.h */
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_keyflags_fromtext(dns_keyflags_t *flagsp, isc_textregion_t *source);
+/*%<
+ * Convert the text 'source' refers to into a DNSSEC KEY flags value.
+ * The text may contain either a set of flag mnemonics separated by
+ * vertical bars or a decimal flags value.  For compatibility with
+ * older versions of BIND and the DNSSEC signer, octal values
+ * prefixed with a zero and hexadecimal values prefixed with "0x"
+ * are also accepted.
+ *
+ * Requires:
+ *\li	'flagsp' is a valid pointer.
+ *
+ *\li	'source' is a valid text region.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS			on success
+ *\li	ISC_R_RANGE			numeric flag value is out of range
+ *\li	DNS_R_UNKNOWN			mnemonic flag is unknown
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_KEYFLAGS_H */
diff --git a/lib/dns/include/dns/keymgr.h b/lib/dns/include/dns/keymgr.h
new file mode 100644
index 0000000..7b31eb8
--- /dev/null
+++ b/lib/dns/include/dns/keymgr.h
@@ -0,0 +1,134 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_KEYMGR_H
+#define DNS_KEYMGR_H 1
+
+/*! \file dns/keymgr.h */
+
+#include <isc/lang.h>
+#include <isc/stdtime.h>
+
+#include <dns/types.h>
+
+#include <dst/dst.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
+	       const char *directory, isc_mem_t *mctx,
+	       dns_dnsseckeylist_t *keyring, dns_dnsseckeylist_t *dnskeys,
+	       dns_kasp_t *kasp, isc_stdtime_t now, isc_stdtime_t *nexttime);
+/*%<
+ * Manage keys in 'keyring' and update timing data according to 'kasp' policy.
+ * Create new keys for 'origin' if necessary in 'directory'.  Append all such
+ * keys, along with use hints gleaned from their metadata, onto 'keyring'.
+ *
+ * Update key states and store changes back to disk. Store when to run next
+ * in 'nexttime'.
+ *
+ *	Requires:
+ *\li		'origin' is a valid FQDN.
+ *\li		'mctx' is a valid memory context.
+ *\li		'keyring' is not NULL.
+ *\li		'kasp' is not NULL.
+ *
+ *	Returns:
+ *\li		#ISC_R_SUCCESS
+ *\li		any error returned by dst_key_generate(), isc_dir_open(),
+ *		dst_key_to_file(), or dns_dnsseckey_create().
+ *
+ *	Ensures:
+ *\li		On error, keypool is unchanged
+ */
+
+isc_result_t
+dns_keymgr_checkds(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
+		   const char *directory, isc_stdtime_t now, isc_stdtime_t when,
+		   bool dspublish);
+isc_result_t
+dns_keymgr_checkds_id(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
+		      const char *directory, isc_stdtime_t now,
+		      isc_stdtime_t when, bool dspublish, dns_keytag_t id,
+		      unsigned int algorithm);
+/*%<
+ * Check DS for one key in 'keyring'. The key must have the KSK role.
+ * If 'dspublish' is set to true, set the DS Publish time to 'now'.
+ * If 'dspublish' is set to false, set the DS Removed time to 'now'.
+ * If a specific key 'id' is given it must match the keytag.
+ * If the 'algorithm' is non-zero, it must match the key's algorithm.
+ * The result is stored in the key state file.
+ *
+ *	Requires:
+ *\li		'kasp' is not NULL.
+ *\li		'keyring' is not NULL.
+ *
+ *	Returns:
+ *\li		#ISC_R_SUCCESS (No error).
+ *\li		#DNS_R_NOKEYMATCH (No matching keys found).
+ *\li		#DNS_R_TOOMANYKEYS (More than one matching keys found).
+ *
+ */
+
+isc_result_t
+dns_keymgr_rollover(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
+		    const char *directory, isc_stdtime_t now,
+		    isc_stdtime_t when, dns_keytag_t id,
+		    unsigned int algorithm);
+/*%<
+ * Rollover key with given 'id'. If the 'algorithm' is non-zero, it must
+ * match the key's algorithm. The changes are stored in the key state file.
+ *
+ * A rollover means adjusting the key metadata so that keymgr will start the
+ * actual rollover on the next run. Update the 'inactive' time and adjust
+ * key lifetime to match the 'when' to rollover time.
+ *
+ * The 'when' time may be in the past. In that case keymgr will roll the
+ * key as soon as possible.
+ *
+ * The 'when' time may be in the future. This may extend the lifetime,
+ * overriding the default lifetime from the policy.
+ *
+ *	Requires:
+ *\li		'kasp' is not NULL.
+ *\li		'keyring' is not NULL.
+ *
+ *	Returns:
+ *\li		#ISC_R_SUCCESS (No error).
+ *\li		#DNS_R_NOKEYMATCH (No matching keys found).
+ *\li		#DNS_R_TOOMANYKEYS (More than one matching keys found).
+ *\li		#DNS_R_KEYNOTACTIVE (Key is not active).
+ *
+ */
+
+void
+dns_keymgr_status(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
+		  isc_stdtime_t now, char *out, size_t out_len);
+/*%<
+ * Retrieve the status of given 'kasp' policy and keys in the
+ * 'keyring' and store the printable output in the 'out' buffer.
+ *
+ *	Requires:
+ *\li		'kasp' is not NULL.
+ *\li		'keyring' is not NULL.
+ *\li		'out' is not NULL.
+ *
+ *	Returns:
+ *\li		Printable status in 'out'.
+ *
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_KEYMGR_H */
diff --git a/lib/dns/include/dns/keytable.h b/lib/dns/include/dns/keytable.h
new file mode 100644
index 0000000..9557ab8
--- /dev/null
+++ b/lib/dns/include/dns/keytable.h
@@ -0,0 +1,350 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_KEYTABLE_H
+#define DNS_KEYTABLE_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file
+ * \brief
+ * The keytable module provides services for storing and retrieving DNSSEC
+ * trusted keys, as well as the ability to find the deepest matching key
+ * for a given domain name.
+ *
+ * MP:
+ *\li	The module ensures appropriate synchronization of data structures it
+ *	creates and manipulates.
+ *
+ * Resources:
+ *\li	TBS
+ *
+ * Security:
+ *\li	No anticipated impact.
+ */
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/refcount.h>
+#include <isc/rwlock.h>
+#include <isc/stdtime.h>
+
+#include <dns/rdatastruct.h>
+#include <dns/types.h>
+
+#include <dst/dst.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_keytable_create(isc_mem_t *mctx, dns_keytable_t **keytablep);
+/*%<
+ * Create a keytable.
+ *
+ * Requires:
+ *
+ *\li	'mctx' is a valid memory context.
+ *
+ *\li	keytablep != NULL && *keytablep == NULL
+ *
+ * Ensures:
+ *
+ *\li	On success, *keytablep is a valid, empty key table.
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS
+ *
+ *\li	Any other result indicates failure.
+ */
+
+void
+dns_keytable_attach(dns_keytable_t *source, dns_keytable_t **targetp);
+/*%<
+ * Attach *targetp to source.
+ *
+ * Requires:
+ *
+ *\li	'source' is a valid keytable.
+ *
+ *\li	'targetp' points to a NULL dns_keytable_t *.
+ *
+ * Ensures:
+ *
+ *\li	*targetp is attached to source.
+ */
+
+void
+dns_keytable_detach(dns_keytable_t **keytablep);
+/*%<
+ * Detach *keytablep from its keytable.
+ *
+ * Requires:
+ *
+ *\li	'keytablep' points to a valid keytable.
+ *
+ * Ensures:
+ *
+ *\li	*keytablep is NULL.
+ *
+ *\li	If '*keytablep' is the last reference to the keytable,
+ *		all resources used by the keytable will be freed
+ */
+
+isc_result_t
+dns_keytable_add(dns_keytable_t *keytable, bool managed, bool initial,
+		 dns_name_t *name, dns_rdata_ds_t *ds);
+/*%<
+ * Add a key to 'keytable'. The keynode associated with 'name'
+ * is updated with the DS specified in 'ds'.
+ *
+ * The value of keynode->managed is set to 'managed', and the
+ * value of keynode->initial is set to 'initial'. (Note: 'initial'
+ * should only be used when adding managed-keys from configuration.
+ * This indicates the key is in "initializing" state, and has not yet
+ * been confirmed with a key refresh query.  Once a key refresh query
+ * has validated, we update the keynode with initial == false.)
+ *
+ * Notes:
+ *
+ *\li   If the key already exists in the table, adding it again
+ *      has no effect and ISC_R_SUCCESS is returned.
+ *
+ * Requires:
+ *
+ *\li	'keytable' points to a valid keytable.
+ *\li	'ds' is not NULL.
+ *\li	if 'initial' is true then 'managed' must also be true.
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_EXISTS
+ *
+ *\li	Any other result indicates failure.
+ */
+
+isc_result_t
+dns_keytable_marksecure(dns_keytable_t *keytable, const dns_name_t *name);
+/*%<
+ * Add a null key to 'keytable' for name 'name'.  This marks the
+ * name as a secure domain, but doesn't supply any key data to allow the
+ * domain to be validated.  (Used when automated trust anchor management
+ * has gotten broken by a zone misconfiguration; for example, when the
+ * active key has been revoked but the stand-by key was still in its 30-day
+ * waiting period for validity.)
+ *
+ * Notes:
+ *
+ *\li   If a key already exists in the table, ISC_R_EXISTS is
+ *      returned and nothing is done.
+ *
+ * Requires:
+ *
+ *\li	'keytable' points to a valid keytable.
+ *
+ *\li	keyp != NULL && *keyp is a valid dst_key_t *.
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_EXISTS
+ *
+ *\li	Any other result indicates failure.
+ */
+
+isc_result_t
+dns_keytable_delete(dns_keytable_t *keytable, const dns_name_t *keyname);
+/*%<
+ * Delete all trust anchors from 'keytable' matching name 'keyname'
+ *
+ * Requires:
+ *
+ *\li	'keytable' points to a valid keytable.
+ *
+ *\li	'name' is not NULL
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS
+ *
+ *\li	Any other result indicates failure.
+ */
+
+isc_result_t
+dns_keytable_deletekey(dns_keytable_t *keytable, const dns_name_t *keyname,
+		       dns_rdata_dnskey_t *dnskey);
+/*%<
+ * Remove the trust anchor matching the name 'keyname' and the DNSKEY
+ * rdata struct 'dnskey' from 'keytable'.
+ *
+ * Requires:
+ *
+ *\li	'keytable' points to a valid keytable.
+ *\li	'dnskey' is not NULL
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS
+ *
+ *\li	Any other result indicates failure.
+ */
+
+isc_result_t
+dns_keytable_find(dns_keytable_t *keytable, const dns_name_t *keyname,
+		  dns_keynode_t **keynodep);
+/*%<
+ * Search for the first instance of a trust anchor named 'name' in
+ * 'keytable', without regard to keyid and algorithm.
+ *
+ * Requires:
+ *
+ *\li	'keytable' is a valid keytable.
+ *
+ *\li	'name' is a valid absolute name.
+ *
+ *\li	keynodep != NULL && *keynodep == NULL
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_NOTFOUND
+ *
+ *\li	Any other result indicates an error.
+ */
+
+isc_result_t
+dns_keytable_finddeepestmatch(dns_keytable_t *keytable, const dns_name_t *name,
+			      dns_name_t *foundname);
+/*%<
+ * Search for the deepest match of 'name' in 'keytable'.
+ *
+ * Requires:
+ *
+ *\li	'keytable' is a valid keytable.
+ *
+ *\li	'name' is a valid absolute name.
+ *
+ *\li	'foundname' is a name with a dedicated buffer.
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_NOTFOUND
+ *
+ *\li	Any other result indicates an error.
+ */
+
+void
+dns_keytable_detachkeynode(dns_keytable_t *keytable, dns_keynode_t **keynodep);
+/*%<
+ * Detach a keynode found via dns_keytable_find().
+ *
+ * Requires:
+ *
+ *\li	*keynodep is a valid keynode returned by a call to dns_keytable_find().
+ *
+ * Ensures:
+ *
+ *\li	*keynodep == NULL
+ */
+
+isc_result_t
+dns_keytable_issecuredomain(dns_keytable_t *keytable, const dns_name_t *name,
+			    dns_name_t *foundname, bool *wantdnssecp);
+/*%<
+ * Is 'name' at or beneath a trusted key?
+ *
+ * Requires:
+ *
+ *\li	'keytable' is a valid keytable.
+ *
+ *\li	'name' is a valid absolute name.
+ *
+ *\li	'foundanme' is NULL or is a pointer to an initialized dns_name_t
+ *
+ *\li	'*wantsdnssecp' is a valid bool.
+ *
+ * Ensures:
+ *
+ *\li	On success, *wantsdnssecp will be true if and only if 'name'
+ *	is at or beneath a trusted key.  If 'foundname' is not NULL, then
+ *	it will be updated to contain the name of the closest enclosing
+ *	trust anchor.
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS
+ *
+ *\li	Any other result is an error.
+ */
+
+isc_result_t
+dns_keytable_dump(dns_keytable_t *keytable, FILE *fp);
+/*%<
+ * Dump the keytable on fp.
+ */
+
+isc_result_t
+dns_keytable_totext(dns_keytable_t *keytable, isc_buffer_t **buf);
+/*%<
+ * Dump the keytable to buffer at 'buf'
+ */
+
+bool
+dns_keynode_dsset(dns_keynode_t *keynode, dns_rdataset_t *rdataset);
+/*%<
+ * Clone the DS RRset associated with 'keynode' into 'rdataset' if
+ * it exists.  'dns_rdataset_disassociate(rdataset)' needs to be
+ * called when done.
+ *
+ * Returns:
+ *\li	true if there is a DS RRset.
+ *\li	false if there isn't DS RRset.
+ *
+ * Requires:
+ *\li	'keynode' is valid.
+ *\li	'rdataset' is valid or NULL.
+ */
+
+bool
+dns_keynode_managed(dns_keynode_t *keynode);
+/*%<
+ * Is this flagged as a managed key?
+ */
+
+bool
+dns_keynode_initial(dns_keynode_t *keynode);
+/*%<
+ * Is this flagged as an initializing key?
+ */
+
+void
+dns_keynode_trust(dns_keynode_t *keynode);
+/*%<
+ * Sets keynode->initial to false in order to mark the key as
+ * trusted: no longer an initializing key.
+ */
+
+isc_result_t
+dns_keytable_forall(dns_keytable_t *keytable,
+		    void (*func)(dns_keytable_t *, dns_keynode_t *,
+				 dns_name_t *, void *),
+		    void *arg);
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_KEYTABLE_H */
diff --git a/lib/dns/include/dns/keyvalues.h b/lib/dns/include/dns/keyvalues.h
new file mode 100644
index 0000000..e27ada1
--- /dev/null
+++ b/lib/dns/include/dns/keyvalues.h
@@ -0,0 +1,107 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_KEYVALUES_H
+#define DNS_KEYVALUES_H 1
+
+/*! \file dns/keyvalues.h */
+
+/*
+ * Flags field of the KEY RR rdata
+ */
+#define DNS_KEYFLAG_TYPEMASK 0xC000 /*%< Mask for "type" bits */
+#define DNS_KEYTYPE_AUTHCONF 0x0000 /*%< Key usable for both */
+#define DNS_KEYTYPE_CONFONLY 0x8000 /*%< Key usable for confidentiality */
+#define DNS_KEYTYPE_AUTHONLY 0x4000 /*%< Key usable for authentication */
+#define DNS_KEYTYPE_NOKEY    0xC000 /*%< No key usable for either; no key */
+#define DNS_KEYTYPE_NOAUTH   DNS_KEYTYPE_CONFONLY
+#define DNS_KEYTYPE_NOCONF   DNS_KEYTYPE_AUTHONLY
+
+#define DNS_KEYFLAG_RESERVED2  0x2000 /*%< reserved - must be zero */
+#define DNS_KEYFLAG_EXTENDED   0x1000 /*%< key has extended flags */
+#define DNS_KEYFLAG_RESERVED4  0x0800 /*%< reserved - must be zero */
+#define DNS_KEYFLAG_RESERVED5  0x0400 /*%< reserved - must be zero */
+#define DNS_KEYFLAG_OWNERMASK  0x0300 /*%< these bits determine the type */
+#define DNS_KEYOWNER_USER      0x0000 /*%< key is assoc. with user */
+#define DNS_KEYOWNER_ENTITY    0x0200 /*%< key is assoc. with entity eg host */
+#define DNS_KEYOWNER_ZONE      0x0100 /*%< key is zone key */
+#define DNS_KEYOWNER_RESERVED  0x0300 /*%< reserved meaning */
+#define DNS_KEYFLAG_REVOKE     0x0080 /*%< key revoked (per rfc5011) */
+#define DNS_KEYFLAG_RESERVED9  0x0040 /*%< reserved - must be zero */
+#define DNS_KEYFLAG_RESERVED10 0x0020 /*%< reserved - must be zero */
+#define DNS_KEYFLAG_RESERVED11 0x0010 /*%< reserved - must be zero */
+#define DNS_KEYFLAG_SIGNATORYMASK                  \
+	0x000F /*%< key can sign RR's of same name \
+		*/
+
+#define DNS_KEYFLAG_RESERVEDMASK                         \
+	(DNS_KEYFLAG_RESERVED2 | DNS_KEYFLAG_RESERVED4 | \
+	 DNS_KEYFLAG_RESERVED5 | DNS_KEYFLAG_RESERVED9 | \
+	 DNS_KEYFLAG_RESERVED10 | DNS_KEYFLAG_RESERVED11)
+#define DNS_KEYFLAG_KSK 0x0001 /*%< key signing key */
+
+#define DNS_KEYFLAG_RESERVEDMASK2 0xFFFF /*%< no bits defined here */
+
+/* The Algorithm field of the KEY and SIG RR's is an integer, {1..254} */
+#define DNS_KEYALG_RSAMD5	1 /*%< RSA with MD5 */
+#define DNS_KEYALG_RSA		1 /*%< Used just for tagging */
+#define DNS_KEYALG_DH		2 /*%< Diffie Hellman KEY */
+#define DNS_KEYALG_DSA		3 /*%< DSA KEY */
+#define DNS_KEYALG_NSEC3DSA	6
+#define DNS_KEYALG_DSS		DNS_ALG_DSA
+#define DNS_KEYALG_ECC		4
+#define DNS_KEYALG_RSASHA1	5
+#define DNS_KEYALG_NSEC3RSASHA1 7
+#define DNS_KEYALG_RSASHA256	8
+#define DNS_KEYALG_RSASHA512	10
+#define DNS_KEYALG_ECCGOST	12
+#define DNS_KEYALG_ECDSA256	13
+#define DNS_KEYALG_ECDSA384	14
+#define DNS_KEYALG_ED25519	15
+#define DNS_KEYALG_ED448	16
+#define DNS_KEYALG_INDIRECT	252
+#define DNS_KEYALG_PRIVATEDNS	253
+#define DNS_KEYALG_PRIVATEOID	254 /*%< Key begins with OID giving alg */
+#define DNS_KEYALG_MAX		255
+
+/* Protocol values  */
+#define DNS_KEYPROTO_RESERVED 0
+#define DNS_KEYPROTO_TLS      1
+#define DNS_KEYPROTO_EMAIL    2
+#define DNS_KEYPROTO_DNSSEC   3
+#define DNS_KEYPROTO_IPSEC    4
+#define DNS_KEYPROTO_ANY      255
+
+/* Signatures */
+#define DNS_SIG_RSAMINBITS 512 /*%< Size of a mod or exp in bits */
+#define DNS_SIG_RSAMAXBITS 2552
+/* Total of binary mod and exp */
+#define DNS_SIG_RSAMAXBYTES ((DNS_SIG_RSAMAXBITS + 7 / 8) * 2 + 3)
+/*%< Max length of text sig block */
+#define DNS_SIG_RSAMAXBASE64 (((DNS_SIG_RSAMAXBYTES + 2) / 3) * 4)
+#define DNS_SIG_RSAMINSIZE   ((DNS_SIG_RSAMINBITS + 7) / 8)
+#define DNS_SIG_RSAMAXSIZE   ((DNS_SIG_RSAMAXBITS + 7) / 8)
+
+#define DNS_SIG_ECDSA256SIZE 64
+#define DNS_SIG_ECDSA384SIZE 96
+
+#define DNS_KEY_ECDSA256SIZE 64
+#define DNS_KEY_ECDSA384SIZE 96
+
+#define DNS_SIG_ED25519SIZE 64
+#define DNS_SIG_ED448SIZE   114
+
+#define DNS_KEY_ED25519SIZE 32
+#define DNS_KEY_ED448SIZE   57
+
+#endif /* DNS_KEYVALUES_H */
diff --git a/lib/dns/include/dns/lib.h b/lib/dns/include/dns/lib.h
new file mode 100644
index 0000000..649b483
--- /dev/null
+++ b/lib/dns/include/dns/lib.h
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_LIB_H
+#define DNS_LIB_H 1
+
+/*! \file dns/lib.h */
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*%
+ * Tuning: external query load in packets per seconds.
+ */
+LIBDNS_EXTERNAL_DATA extern unsigned int dns_pps;
+
+isc_result_t
+dns_lib_init(void);
+/*%<
+ * A set of initialization procedures used in the DNS library.  This function
+ * is provided for an application that is not aware of the underlying ISC or
+ * DNS libraries much.
+ */
+
+void
+dns_lib_shutdown(void);
+/*%<
+ * Free temporary resources allocated in dns_lib_init().
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_LIB_H */
diff --git a/lib/dns/include/dns/librpz.h b/lib/dns/include/dns/librpz.h
new file mode 100644
index 0000000..110b798
--- /dev/null
+++ b/lib/dns/include/dns/librpz.h
@@ -0,0 +1,956 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Define the interface from a DNS resolver to the Response Policy Zone
+ * library, librpz.
+ *
+ * This file should be included only the interface functions between the
+ * resolver and librpz to avoid name space pollution.
+ *
+ * Copyright (c) 2016-2017 Farsight Security, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *	http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * version 1.2.12
+ */
+
+#ifndef LIBRPZ_H
+#define LIBRPZ_H
+
+#include <inttypes.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdio.h>
+
+#include <arpa/nameser.h>
+#include <netinet/in.h>
+#include <sys/types.h>
+
+/*
+ * Allow either ordinary or dlopen() linking.
+ */
+#ifdef LIBRPZ_INTERNAL
+#define LIBDEF(t, s) extern t s;
+#define LIBDEF_F(f)  LIBDEF(librpz_##f##_t, librpz_##f)
+#else /* ifdef LIBRPZ_INTERNAL */
+#define LIBDEF(t, s)
+#define LIBDEF_F(f)
+#endif /* ifdef LIBRPZ_INTERNAL */
+
+/*
+ * Response Policy Zone triggers.
+ *	Comparisons of trigger precedences require
+ *	LIBRPZ_TRIG_CLIENT_IP < LIBRPZ_TRIG_QNAME < LIBRPZ_TRIG_IP
+ *	    < LIBRPZ_TRIG_NSDNAME < LIBRPZ_TRIG_NSIP}
+ */
+typedef enum {
+	LIBRPZ_TRIG_BAD = 0,
+	LIBRPZ_TRIG_CLIENT_IP = 1,
+	LIBRPZ_TRIG_QNAME = 2,
+	LIBRPZ_TRIG_IP = 3,
+	LIBRPZ_TRIG_NSDNAME = 4,
+	LIBRPZ_TRIG_NSIP = 5
+} librpz_trig_t;
+#define LIBRPZ_TRIG_SIZE 3     /* sizeof librpz_trig_t in bits */
+typedef uint8_t librpz_tbit_t; /* one bit for each of the TRIGS_NUM
+				* trigger types */
+
+/*
+ * Response Policy Zone Actions or policies
+ */
+typedef enum {
+	LIBRPZ_POLICY_UNDEFINED = 0, /* an empty entry or no decision yet */
+	LIBRPZ_POLICY_DELETED = 1,   /* placeholder for a deleted policy */
+
+	LIBRPZ_POLICY_PASSTHRU = 2, /* 'passthru': do not rewrite */
+	LIBRPZ_POLICY_DROP = 3,	    /* 'drop': do not respond */
+	LIBRPZ_POLICY_TCP_ONLY = 4, /* 'tcp-only': answer UDP with TC=1 */
+	LIBRPZ_POLICY_NXDOMAIN = 5, /* 'nxdomain': answer with NXDOMAIN */
+	LIBRPZ_POLICY_NODATA = 6,   /* 'nodata': answer with ANCOUNT=0 */
+	LIBRPZ_POLICY_RECORD = 7,   /* rewrite with the policy's RR */
+
+	/* only in client configurations to override the zone */
+	LIBRPZ_POLICY_GIVEN,	/* 'given': what policy record says */
+	LIBRPZ_POLICY_DISABLED, /* at most log */
+	LIBRPZ_POLICY_CNAME,	/* answer with 'cname x' */
+} librpz_policy_t;
+#define LIBRPZ_POLICY_BITS 4
+
+/*
+ * Special policies that appear as targets of CNAMEs
+ * NXDOMAIN is signaled by a CNAME with a "." target.
+ * NODATA is signaled by a CNAME with a "*." target.
+ */
+#define LIBRPZ_RPZ_PREFIX   "rpz-"
+#define LIBRPZ_RPZ_PASSTHRU LIBRPZ_RPZ_PREFIX "passthru"
+#define LIBRPZ_RPZ_DROP	    LIBRPZ_RPZ_PREFIX "drop"
+#define LIBRPZ_RPZ_TCP_ONLY LIBRPZ_RPZ_PREFIX "tcp-only"
+
+typedef uint16_t librpz_dznum_t; /* dnsrpzd zone # in [0,DZNUM_MAX] */
+typedef uint8_t	 librpz_cznum_t; /* client zone # in [0,CZNUM_MAX] */
+
+/*
+ * CIDR block
+ */
+typedef struct librpz_prefix {
+	union {
+		struct in_addr	in;
+		struct in6_addr in6;
+	} addr;
+	uint8_t family;
+	uint8_t len;
+} librpz_prefix_t;
+
+/*
+ * A domain
+ */
+typedef uint8_t librpz_dsize_t;
+typedef struct librpz_domain {
+	librpz_dsize_t size; /* of only .d */
+	uint8_t	       d[0]; /* variable length wire format */
+} librpz_domain_t;
+
+/*
+ * A maximal domain buffer
+ */
+typedef struct librpz_domain_buf {
+	librpz_dsize_t size;
+	uint8_t	       d[NS_MAXCDNAME];
+} librpz_domain_buf_t;
+
+/*
+ * A resource record without the owner name.
+ * C compilers say that sizeof(librpz_rr_t)=12 instead of 10.
+ */
+typedef struct {
+	uint16_t type;	   /* network byte order */
+	uint16_t class;	   /* network byte order */
+	uint32_t ttl;	   /* network byte order */
+	uint16_t rdlength; /* network byte order */
+	uint8_t	 rdata[0]; /* variable length */
+} librpz_rr_t;
+
+/*
+ * The database file might be mapped with different starting addresses
+ * by concurrent clients (resolvers), and so all pointers are offsets.
+ */
+typedef uint32_t librpz_idx_t;
+#define LIBRPZ_IDX_NULL 0
+#define LIBRPZ_IDX_MIN	1
+#define LIBRPZ_IDX_BAD	((librpz_idx_t)-1)
+/**
+ * Partial decoded results of a set of RPZ queries for a single DNS response
+ * or iteration through the mapped file.
+ */
+typedef int16_t librpz_result_id_t;
+typedef struct librpz_result {
+	librpz_idx_t	   next_rr;
+	librpz_result_id_t hit_id;  /* trigger ID from resolver */
+	librpz_policy_t	   zpolicy; /* policy from zone */
+	librpz_policy_t	   policy;  /* adjusted by client configuration */
+	librpz_dznum_t	   dznum;   /* dnsrpzd zone number */
+	librpz_cznum_t	   cznum;   /* librpz client zone number */
+	librpz_trig_t	   trig : LIBRPZ_TRIG_SIZE;
+	bool		   log : 1; /* log rewrite given librpz_log_level
+				     * */
+} librpz_result_t;
+
+/**
+ * librpz trace or log levels.
+ */
+typedef enum {
+	LIBRPZ_LOG_FATAL = 0,  /* always print fatal errors */
+	LIBRPZ_LOG_ERROR = 1,  /* errors have this level */
+	LIBRPZ_LOG_TRACE1 = 2, /* big events such as dnsrpzd starts */
+	LIBRPZ_LOG_TRACE2 = 3, /* smaller dnsrpzd zone transfers */
+	LIBRPZ_LOG_TRACE3 = 4, /* librpz hits */
+	LIBRPZ_LOG_TRACE4 = 5, /* librpz lookups */
+	LIBRPZ_LOG_INVALID = 999,
+} librpz_log_level_t;
+typedef librpz_log_level_t(librpz_log_level_val_t)(librpz_log_level_t level);
+LIBDEF_F(log_level_val)
+
+/**
+ * Logging function that can be supplied by the resolver.
+ * @param level is one of librpz_log_level_t
+ * @param ctx is for use by the resolver's logging system.
+ *	NULL mean a context-free message.
+ */
+typedef void(librpz_log_fnc_t)(librpz_log_level_t level, void *ctx,
+			       const char *buf);
+
+/**
+ * Point librpz logging functions to the resolver's choice.
+ */
+typedef void(librpz_set_log_t)(librpz_log_fnc_t *new_log, const char *prog_nm);
+LIBDEF_F(set_log)
+
+/**
+ * librpz error messages are put in these buffers.
+ * Use a structure instead of naked char* to let the compiler check the length.
+ * A function defined with "foo(char buf[120])" can be called with
+ * "char sbuf[2]; foo(sbuf)" and suffer a buffer overrun.
+ */
+typedef struct {
+	char c[120];
+} librpz_emsg_t;
+
+#ifdef LIBRPZ_HAVE_ATTR
+#define LIBRPZ_UNUSED	__attribute__((unused))
+#define LIBRPZ_PF(f, l) __attribute__((format(printf, f, l)))
+#define LIBRPZ_NORET	__attribute__((__noreturn__))
+#else /* ifdef LIBRPZ_HAVE_ATTR */
+#define LIBRPZ_UNUSED
+#define LIBRPZ_PF(f, l)
+#define LIBRPZ_NORET
+#endif /* ifdef LIBRPZ_HAVE_ATTR */
+
+#ifdef HAVE_BUILTIN_EXPECT
+#define LIBRPZ_LIKELY(c)   __builtin_expect(!!(c), 1)
+#define LIBRPZ_UNLIKELY(c) __builtin_expect(!!(c), 0)
+#else /* ifdef HAVE_BUILTIN_EXPECT */
+#define LIBRPZ_LIKELY(c)   (c)
+#define LIBRPZ_UNLIKELY(c) (c)
+#endif /* ifdef HAVE_BUILTIN_EXPECT */
+
+typedef bool(librpz_parse_log_opt_t)(librpz_emsg_t *emsg, const char *arg);
+LIBDEF_F(parse_log_opt)
+
+typedef void(librpz_vpemsg_t)(librpz_emsg_t *emsg, const char *p, va_list args);
+LIBDEF_F(vpemsg)
+typedef void(librpz_pemsg_t)(librpz_emsg_t *emsg, const char *p, ...)
+	LIBRPZ_PF(2, 3);
+LIBDEF_F(pemsg)
+
+typedef void(librpz_vlog_t)(librpz_log_level_t level, void *ctx, const char *p,
+			    va_list args);
+LIBDEF_F(vlog)
+typedef void(librpz_log_t)(librpz_log_level_t level, void *ctx, const char *p,
+			   ...) LIBRPZ_PF(3, 4);
+LIBDEF_F(log)
+
+typedef void(librpz_fatal_t)(int ex_code, const char *p, ...) LIBRPZ_PF(2, 3);
+extern void
+librpz_fatal(int ex_code, const char *p, ...) LIBRPZ_PF(2, 3) LIBRPZ_NORET;
+
+typedef void(librpz_rpz_assert_t)(const char *file, unsigned line,
+				  const char *p, ...) LIBRPZ_PF(3, 4);
+extern void
+librpz_rpz_assert(const char *file, unsigned line, const char *p, ...)
+	LIBRPZ_PF(3, 4) LIBRPZ_NORET;
+
+typedef void(librpz_rpz_vassert_t)(const char *file, uint line, const char *p,
+				   va_list args);
+extern void
+librpz_rpz_vassert(const char *file, uint line, const char *p,
+		   va_list args) LIBRPZ_NORET;
+
+/*
+ * As far as clients are concerned, all relative pointers or indexes in a
+ * version of the mapped file except trie node parent pointers remain valid
+ * forever.  A client must release a version so that it can be garbage
+ * collected by the file system.  When dnsrpzd needs to expand the file,
+ * it copies the old file to a new, larger file.  Clients can continue
+ * using the old file.
+ *
+ * Versions can also appear in a single file.  Old nodes and trie values
+ * within the file are not destroyed until all clients using the version
+ * that contained the old values release the version.
+ *
+ * A client is marked as using version by connecting to the daemon.  It is
+ * marked as using all subsequent versions.  A client releases all versions
+ * by closing the connection or a range of versions by updating is slot
+ * in the shared memory version table.
+ *
+ * As far as clients are concerned, there are the following possible librpz
+ * failures:
+ *	- malloc() or other fatal internal librpz problems indicated by
+ *	    a failing return from a librpz function
+ *	    All operations will fail until client handle is destroyed and
+ *	    recreated with librpz_client_detach() and librpz_client_create().
+ *	- corrupt database detected by librpz code, corrupt database detected
+ *	    by dnsrpzd, or disconnection from the daemon.
+ *	    Current operations will fail.
+ *
+ * Clients assume that the file has already been unlinked before
+ *	the corrupt flag is set so that they do not race with the server
+ *	over the corruption of a single file.  A client that finds the
+ *	corrupt set knows that dnsrpzd has already crashed with
+ *	abort() and is restarting.  The client can re-connect to dnsrpzd
+ *	and retransmit its configuration, backing off as usual if anything
+ *	goes wrong.
+ *
+ * Searches of the database by a client do not need locks against dnsrpzd or
+ *	other clients, but a lock is used to protect changes to the connection
+ *	by competing threads in the client.  The client provides functions
+ *	to serialize the concurrent use of any single client handle.
+ *	Functions that do nothing are appropriate for applications that are
+ *	not "threaded" or that do not share client handles among threads.
+ *	Otherwise, functions must be provided to librpz_clientcreate().
+ *	Something like the following works with pthreads:
+ *
+ * static void
+ * lock(void *mutex) { assert(pthread_mutex_lock(mutex) == 0); }
+ *
+ * static void
+ * unlock(void *mutex) { assert(pthread_mutex_unlock(mutex) == 0); }
+ *
+ * static void
+ * mutex_destroy(void *mutex) { assert(pthread_mutex_destroy(mutex) == 0); }
+ *
+ *
+ *
+ * At every instant, all of the data and pointers in the mapped file are valid.
+ *	Changes to trie node or other data are always made so that it and
+ *	all pointers in and to it remain valid for a time.  Old versions are
+ *	eventually discarded.
+ *
+ * Dnsrpzd periodically defines a new version by setting aside all changes
+ *	made since the previous version was defined.  Subsequent changes
+ *	made (only!) by dnsrpzd will be part of the next version.
+ *
+ * To discard an old version, dnsrpzd must know that all clients have stopped
+ *	using that version.  Clients do that by using part of the mapped file
+ *	to tell dnsrpzd the oldest version that each client is using.
+ *	Dnsrpzd assigns each connecting client an entry in the cversions array
+ *	in the mapped file.  The client puts version numbers into that entry
+ *	to signal to dnsrpzd which versions that can be discarded.
+ *	Dnsrpzd is free, as far as that client is concerned, to discard all
+ *	numerically smaller versions.  A client can disclaim all versions with
+ *	the version number VERSIONS_ALL or 0.
+ *
+ * The race between a client changing its entry and dnsrpzd discarding a
+ *	version is resolved by allowing dnsrpzd to discard all versions
+ *	smaller or equal to the client's version number.  If dnsrpzd is in
+ *	the midst of discarding or about to discard version N when the
+ *	client asserts N, no harm is done.  The client depends only on
+ *	the consistency of version N+1.
+ *
+ * This version mechanism depends in part on not being exercised too frequently
+ *	Version numbers are 32 bits long and dnsrpzd creates new versions
+ *	at most once every 30 seconds.
+ */
+
+/*
+ * Lock functions for concurrent use of a single librpz_client_t client handle.
+ */
+typedef void(librpz_mutex_t)(void *mutex);
+
+/*
+ * List of connections to dnsrpzd daemons.
+ */
+typedef struct librpz_clist librpz_clist_t;
+
+/*
+ * Client's handle on dnsrpzd.
+ */
+typedef struct librpz_client librpz_client_t;
+
+/**
+ * Create the list of connections to the dnsrpzd daemon.
+ * @param[out] emsg: error message
+ * @param lock: start exclusive access to the client handle
+ * @param unlock: end exclusive access to the client handle
+ * @param mutex_destroy: release the lock
+ * @param mutex: pointer to the lock for the client handle
+ * @param log_ctx: NULL or resolver's context log messages
+ */
+typedef librpz_clist_t *(librpz_clist_create_t)(librpz_emsg_t  *emsg,
+						librpz_mutex_t *lock,
+						librpz_mutex_t *unlock,
+						librpz_mutex_t *mutex_destroy,
+						void *mutex, void *log_ctx);
+LIBDEF_F(clist_create)
+
+/**
+ * Release the list of dnsrpzd connections.
+ */
+typedef void(librpz_clist_detach_t)(librpz_clist_t **clistp);
+LIBDEF_F(clist_detach)
+
+/**
+ * Create a librpz client handle.
+ * @param[out] emsg: error message
+ * @param clist: of dnsrpzd connections
+ * @param cstr: string of configuration settings separated by ';' or '\n'
+ * @param use_expired: true to not ignore expired zones
+ * @return client handle or NULL if the handle could not be created
+ */
+typedef librpz_client_t *(librpz_client_create_t)(librpz_emsg_t	 *emsg,
+						  librpz_clist_t *clist,
+						  const char	 *cstr,
+						  bool		  use_expired);
+LIBDEF_F(client_create)
+
+/**
+ * Start (if necessary) dnsrpzd and connect to it.
+ * @param[out] emsg: error message
+ * @param client handle
+ * @param optional: true if it is ok if starting the daemon is not allowed
+ */
+typedef bool(librpz_connect_t)(librpz_emsg_t *emsg, librpz_client_t *client,
+			       bool optional);
+LIBDEF_F(connect)
+
+/**
+ * Start to destroy a librpz client handle.
+ * It will not be destroyed until the last set of RPZ queries represented
+ * by a librpz_rsp_t ends.
+ * @param client handle to be released
+ * @return false on error
+ */
+typedef void(librpz_client_detach_t)(librpz_client_t **clientp);
+LIBDEF_F(client_detach)
+
+/**
+ * State for a set of RPZ queries for a single DNS response
+ * or for listing the database.
+ */
+typedef struct librpz_rsp librpz_rsp_t;
+
+/**
+ * Start a set of RPZ queries for a single DNS response.
+ * @param[out] emsg: error message for false return or *rspp=NULL
+ * @param[out] rspp created context or NULL
+ * @param[out] min_ns_dotsp: NULL or pointer to configured MIN-NS-DOTS value
+ * @param client state
+ * @param have_rd: RD=1 in the DNS request
+ * @param have_do: DO=1 in the DNS request
+ * @return false on error
+ */
+typedef bool(librpz_rsp_create_t)(librpz_emsg_t *emsg, librpz_rsp_t **rspp,
+				  int *min_ns_dotsp, librpz_client_t *client,
+				  bool have_rd, bool have_do);
+LIBDEF_F(rsp_create)
+
+/**
+ * Finish RPZ work for a DNS response.
+ */
+typedef void(librpz_rsp_detach_t)(librpz_rsp_t **rspp);
+LIBDEF_F(rsp_detach)
+
+/**
+ * Get the final, accumulated result of a set of RPZ queries.
+ * Yield LIBRPZ_POLICY_UNDEFINED if
+ *  - there were no hits,
+ *  - there was a dispositive hit, be we have not recursed and are required
+ *	to recurse so that evil DNS authorities will not know we are using RPZ
+ *  - we have a hit and have recursed, but later data such as NSIP could
+ *	override
+ * @param[out] emsg
+ * @param[out] result describes the hit
+ *	or result->policy=LIBRPZ_POLICY_UNDEFINED without a hit
+ * @param[out] result: current policy rewrite values
+ * @param recursed: recursion has now been done even if it was not done
+ *	when the hit was found
+ * @param[in,out] rsp state from librpz_itr_start()
+ * @return false on error
+ */
+typedef bool(librpz_rsp_result_t)(librpz_emsg_t *emsg, librpz_result_t *result,
+				  bool recursed, const librpz_rsp_t *rsp);
+LIBDEF_F(rsp_result)
+
+/**
+ * Might looking for a trigger be worthwhile?
+ * @param trig: look for this type of trigger
+ * @param ipv6: true if trig is LIBRPZ_TRIG_CLIENT_IP, LIBRPZ_TRIG_IP,
+ *	or LIBRPZ_TRIG_NSIP and the IP address is IPv6
+ * @return: true if looking could be worthwhile
+ */
+typedef bool(librpz_have_trig_t)(librpz_trig_t trig, bool ipv6,
+				 const librpz_rsp_t *rsp);
+LIBDEF_F(have_trig)
+
+/**
+ * Might looking for NSDNAME and NSIP triggers be worthwhile?
+ * @return: true if looking could be worthwhile
+ */
+typedef bool(librpz_have_ns_trig_t)(const librpz_rsp_t *rsp);
+LIBDEF_F(have_ns_trig)
+
+/**
+ * Convert the found client IP trie key to a CIDR block
+ * @param[out] emsg
+ * @param[out] prefix trigger
+ * @param[in,out] rsp state from librpz_itr_start()
+ * @return false on error
+ */
+typedef bool(librpz_rsp_clientip_prefix_t)(librpz_emsg_t   *emsg,
+					   librpz_prefix_t *prefix,
+					   librpz_rsp_t	   *rsp);
+LIBDEF_F(rsp_clientip_prefix)
+
+/**
+ * Compute the owner name of the found or result trie key, usually to log it.
+ * An IP address key might be returned as 8.0.0.0.127.rpz-client-ip.
+ * example.com. might be a qname trigger.  example.com.rpz-nsdname. could
+ * be an NSDNAME trigger.
+ * @param[out] emsg
+ * @param[out] owner domain
+ * @param[in,out] rsp state from librpz_itr_start()
+ * @return false on error
+ */
+typedef bool(librpz_rsp_domain_t)(librpz_emsg_t	      *emsg,
+				  librpz_domain_buf_t *owner,
+				  librpz_rsp_t	      *rsp);
+LIBDEF_F(rsp_domain)
+
+/**
+ * Get the next RR of the LIBRPZ_POLICY_RECORD result after an initial use of
+ * librpz_rsp_result() or librpz_itr_node() or after a previous use of
+ * librpz_rsp_rr().  The RR is in uncompressed wire format including type,
+ * class, ttl and length in network byte order.
+ * @param[out] emsg
+ * @param[out] typep: optional host byte order record type or ns_t_invalid (0)
+ * @param[out] classp: class such as ns_c_in
+ * @param[out] ttlp: TTL
+ * @param[out] rrp: optional malloc() buffer containing the next RR or
+ *	NULL after the last RR
+ * @param[out] result: current policy rewrite values
+ * @param qname: used construct a wildcard CNAME
+ * @param qname_size
+ * @param[in,out] rsp state from librpz_itr_start()
+ * @return false on error
+ */
+typedef bool(librpz_rsp_rr_t)(librpz_emsg_t *emsg, uint16_t *typep,
+			      uint16_t *classp, uint32_t *ttlp,
+			      librpz_rr_t **rrp, librpz_result_t *result,
+			      const uint8_t *qname, size_t qname_size,
+			      librpz_rsp_t *rsp);
+LIBDEF_F(rsp_rr)
+
+/**
+ * Get the next RR of the LIBRPZ_POLICY_RECORD result.
+ * @param[out] emsg
+ * @param[out] ttlp: TTL
+ * @param[out] rrp: malloc() buffer with SOA RR without owner name
+ * @param[out] result: current policy rewrite values
+ * @param[out] origin: SOA owner name
+ * @param[out] origin_size
+ * @param[in,out] rsp state from librpz_itr_start()
+ * @return false on error
+ */
+typedef bool(librpz_rsp_soa_t)(librpz_emsg_t *emsg, uint32_t *ttlp,
+			       librpz_rr_t **rrp, librpz_domain_buf_t *origin,
+			       librpz_result_t *result, librpz_rsp_t *rsp);
+LIBDEF_F(rsp_soa)
+
+/**
+ * Get the SOA serial number for a policy zone to compare with a known value
+ * to check whether a zone transfer is complete.
+ */
+typedef bool(librpz_soa_serial_t)(librpz_emsg_t *emsg, uint32_t *serialp,
+				  const char *domain_nm, librpz_rsp_t *rsp);
+LIBDEF_F(soa_serial)
+
+/**
+ * Save the current policy checking state.
+ * @param[out] emsg
+ * @param[in,out] rsp state from librpz_itr_start()
+ * @return false on error
+ */
+typedef bool(librpz_rsp_push_t)(librpz_emsg_t *emsg, librpz_rsp_t *rsp);
+LIBDEF_F(rsp_push)
+#define LIBRPZ_RSP_STACK_DEPTH 3
+
+/**
+ * Restore the previous policy checking state.
+ * @param[out] emsg
+ * @param[out] result: NULL or restored policy rewrite values
+ * @param[in,out] rsp state from librpz_itr_start()
+ * @return false on error
+ */
+typedef bool(librpz_rsp_pop_t)(librpz_emsg_t *emsg, librpz_result_t *result,
+			       librpz_rsp_t *rsp);
+LIBDEF_F(rsp_pop)
+
+/**
+ * Discard the most recently save policy checking state.
+ * @param[out] emsg
+ * @param[out] result: NULL or restored policy rewrite values
+ * @return false on error
+ */
+typedef bool(librpz_rsp_pop_discard_t)(librpz_emsg_t *emsg, librpz_rsp_t *rsp);
+LIBDEF_F(rsp_pop_discard)
+
+/**
+ * Disable a zone.
+ * @param[out] emsg
+ * @param znum
+ * @param[in,out] rsp state from librpz_itr_start()
+ * @return false on error
+ */
+typedef bool(librpz_rsp_forget_zone_t)(librpz_emsg_t *emsg, librpz_cznum_t znum,
+				       librpz_rsp_t *rsp);
+LIBDEF_F(rsp_forget_zone)
+
+/**
+ * Apply RPZ to an IP address.
+ * @param[out] emsg
+ * @param addr: address to check
+ * @param ipv6: true for 16 byte IPv6 instead of 4 byte IPv4
+ * @param trig LIBRPZ_TRIG_CLIENT_IP, LIBRPZ_TRIG_IP, or LIBRPZ_TRIG_NSIP
+ * @param hit_id: caller chosen
+ * @param recursed: recursion has been done
+ * @param[in,out] rsp state from librpz_itr_start()
+ * @return false on error
+ */
+typedef bool(librpz_ck_ip_t)(librpz_emsg_t *emsg, const void *addr, uint family,
+			     librpz_trig_t trig, librpz_result_id_t hit_id,
+			     bool recursed, librpz_rsp_t *rsp);
+LIBDEF_F(ck_ip)
+
+/**
+ * Apply RPZ to a wire-format domain.
+ * @param[out] emsg
+ * @param domain in wire format
+ * @param domain_size
+ * @param trig LIBRPZ_TRIG_QNAME or LIBRPZ_TRIG_NSDNAME
+ * @param hit_id: caller chosen
+ * @param recursed: recursion has been done
+ * @param[in,out] rsp state from librpz_itr_start()
+ * @return false on error
+ */
+typedef bool(librpz_ck_domain_t)(librpz_emsg_t *emsg, const uint8_t *domain,
+				 size_t domain_size, librpz_trig_t trig,
+				 librpz_result_id_t hit_id, bool recursed,
+				 librpz_rsp_t *rsp);
+LIBDEF_F(ck_domain)
+
+/**
+ * Ask dnsrpzd to refresh a zone.
+ * @param[out] emsg error message
+ * @param librpz_domain_t domain to refresh
+ * @param client context
+ * @return false after error
+ */
+typedef bool(librpz_zone_refresh_t)(librpz_emsg_t *emsg, const char *domain,
+				    librpz_rsp_t *rsp);
+LIBDEF_F(zone_refresh)
+
+/**
+ * Get a string describing the database
+ * @param license: include the license
+ * @param cfiles: include the configuration file names
+ * @param listens: include the local notify IP addresses
+ * @param[out] emsg error message if the result is null
+ * @param client context
+ * @return malloc'ed string or NULL after error
+ */
+typedef char *(librpz_db_info_t)(librpz_emsg_t *emsg, bool license, bool cfiles,
+				 bool listens, librpz_rsp_t *rsp);
+LIBDEF_F(db_info)
+
+/**
+ * Start a context for listing the nodes and/or zones in the mapped file
+ * @param[out] emsg: error message for false return or *rspp=NULL
+ * @param[out] rspp: created context or NULL
+ * @param client context
+ * @return false after error
+ */
+typedef bool(librpz_itr_start_t)(librpz_emsg_t *emsg, librpz_rsp_t **rspp,
+				 librpz_client_t *client);
+LIBDEF_F(itr_start)
+
+/**
+ * Get mapped file memory allocation statistics.
+ * @param[out] emsg: error message
+ * @param rsp state from librpz_itr_start()
+ * @return malloc'ed string or NULL after error
+ */
+typedef char *(librpz_mf_stats_t)(librpz_emsg_t *emsg, librpz_rsp_t *rsp);
+LIBDEF_F(mf_stats)
+
+/**
+ * Get versions currently used by clients.
+ * @param[out] emsg: error message
+ * @param[in,out] rsp: state from librpz_itr_start()
+ * @return malloc'ed string or NULL after error
+ */
+typedef char *(librpz_vers_stats_t)(librpz_emsg_t *emsg, librpz_rsp_t *rsp);
+LIBDEF_F(vers_stats)
+
+/**
+ * Allocate a string describing the next zone or "" after the last zone.
+ * @param[out] emsg
+ * @param all_zones to list all instead of only requested zones
+ * @param[in,out] rsp state from librpz_rsp_start()
+ * @return malloc'ed string or NULL after error
+ */
+typedef char *(librpz_itr_zone_t)(librpz_emsg_t *emsg, bool all_zones,
+				  librpz_rsp_t *rsp);
+LIBDEF_F(itr_zone)
+
+/**
+ * Describe the next trie node while dumping the database.
+ * @param[out] emsg
+ * @param[out] result describes node
+ *	or result->policy=LIBRPZ_POLICY_UNDEFINED after the last node.
+ * @param all_zones to list all instead of only requested zones
+ * @param[in,out] rsp state from librpz_itr_start()
+ * @return: false on error
+ */
+typedef bool(librpz_itr_node_t)(librpz_emsg_t *emsg, librpz_result_t *result,
+				bool all_zones, librpz_rsp_t *rsp);
+LIBDEF_F(itr_node)
+
+/**
+ * RPZ policy to string with a backup buffer of POLICY2STR_SIZE size
+ */
+typedef const char *(librpz_policy2str_t)(librpz_policy_t policy, char *buf,
+					  size_t buf_size);
+#define POLICY2STR_SIZE sizeof("policy xxxxxx")
+LIBDEF_F(policy2str)
+
+/**
+ * Trigger type to string.
+ */
+typedef const char *(librpz_trig2str_t)(librpz_trig_t trig);
+LIBDEF_F(trig2str)
+
+/**
+ * Convert a number of seconds to a zone file duration string
+ */
+typedef const char *(librpz_secs2str_t)(time_t secs, char *buf,
+					size_t buf_size);
+#define SECS2STR_SIZE sizeof("1234567w7d24h59m59s")
+LIBDEF_F(secs2str)
+
+/**
+ * Parse a duration with 's', 'm', 'h', 'd', and 'w' units.
+ */
+typedef bool(librpz_str2secs_t)(librpz_emsg_t *emsg, time_t *val,
+				const char *str0);
+LIBDEF_F(str2secs)
+
+/**
+ * Translate selected rtypes to strings
+ */
+typedef const char *(librpz_rtype2str_t)(uint type, char *buf, size_t buf_size);
+#define RTYPE2STR_SIZE sizeof("type xxxxx")
+LIBDEF_F(rtype2str)
+
+/**
+ * Local version of ns_name_ntop() for portability.
+ */
+typedef int(librpz_domain_ntop_t)(const u_char *src, char *dst, size_t dstsiz);
+LIBDEF_F(domain_ntop)
+
+/**
+ * Local version of ns_name_pton().
+ */
+typedef int(librpz_domain_pton2_t)(const char *src, u_char *dst, size_t dstsiz,
+				   size_t *dstlen, bool lower);
+LIBDEF_F(domain_pton2)
+
+typedef union socku socku_t;
+typedef socku_t *(librpz_mk_inet_su_t)(socku_t *su, const struct in_addr *addrp,
+				       in_port_t port);
+LIBDEF_F(mk_inet_su)
+
+typedef socku_t *(librpz_mk_inet6_su_t)(socku_t		      *su,
+					const struct in6_addr *addrp,
+					uint32_t scope_id, in_port_t port);
+LIBDEF_F(mk_inet6_su)
+
+typedef bool(librpz_str2su_t)(socku_t *sup, const char *str);
+LIBDEF_F(str2su)
+
+typedef char *(librpz_su2str_t)(char *str, size_t str_len, const socku_t *su);
+LIBDEF_F(su2str)
+#define SU2STR_SIZE (INET6_ADDRSTRLEN + 1 + 6 + 1)
+
+/**
+ * default path to dnsrpzd
+ */
+LIBDEF(const char *, librpz_dnsrpzd_path)
+
+#undef LIBDEF
+
+/*
+ * This is the dlopen() interface to librpz.
+ */
+typedef const struct {
+	const char			 *dnsrpzd_path;
+	const char			 *version;
+	librpz_parse_log_opt_t		 *parse_log_opt;
+	librpz_log_level_val_t		 *log_level_val;
+	librpz_set_log_t		 *set_log;
+	librpz_vpemsg_t			 *vpemsg;
+	librpz_pemsg_t			 *pemsg;
+	librpz_vlog_t			 *vlog;
+	librpz_log_t			 *log;
+	librpz_fatal_t *fatal		  LIBRPZ_NORET;
+	librpz_rpz_assert_t *rpz_assert	  LIBRPZ_NORET;
+	librpz_rpz_vassert_t *rpz_vassert LIBRPZ_NORET;
+	librpz_clist_create_t		 *clist_create;
+	librpz_clist_detach_t		 *clist_detach;
+	librpz_client_create_t		 *client_create;
+	librpz_connect_t		 *connect;
+	librpz_client_detach_t		 *client_detach;
+	librpz_rsp_create_t		 *rsp_create;
+	librpz_rsp_detach_t		 *rsp_detach;
+	librpz_rsp_result_t		 *rsp_result;
+	librpz_have_trig_t		 *have_trig;
+	librpz_have_ns_trig_t		 *have_ns_trig;
+	librpz_rsp_clientip_prefix_t	 *rsp_clientip_prefix;
+	librpz_rsp_domain_t		 *rsp_domain;
+	librpz_rsp_rr_t			 *rsp_rr;
+	librpz_rsp_soa_t		 *rsp_soa;
+	librpz_soa_serial_t		 *soa_serial;
+	librpz_rsp_push_t		 *rsp_push;
+	librpz_rsp_pop_t		 *rsp_pop;
+	librpz_rsp_pop_discard_t	 *rsp_pop_discard;
+	librpz_rsp_forget_zone_t	 *rsp_forget_zone;
+	librpz_ck_ip_t			 *ck_ip;
+	librpz_ck_domain_t		 *ck_domain;
+	librpz_zone_refresh_t		 *zone_refresh;
+	librpz_db_info_t		 *db_info;
+	librpz_itr_start_t		 *itr_start;
+	librpz_mf_stats_t		 *mf_stats;
+	librpz_vers_stats_t		 *vers_stats;
+	librpz_itr_zone_t		 *itr_zone;
+	librpz_itr_node_t		 *itr_node;
+	librpz_policy2str_t		 *policy2str;
+	librpz_trig2str_t		 *trig2str;
+	librpz_secs2str_t		 *secs2str;
+	librpz_str2secs_t		 *str2secs;
+	librpz_rtype2str_t		 *rtype2str;
+	librpz_domain_ntop_t		 *domain_ntop;
+	librpz_domain_pton2_t		 *domain_pton2;
+	librpz_mk_inet_su_t		 *mk_inet_su;
+	librpz_mk_inet6_su_t		 *mk_inet6_su;
+	librpz_str2su_t			 *str2su;
+	librpz_su2str_t			 *su2str;
+} librpz_0_t;
+extern librpz_0_t librpz_def_0;
+
+/*
+ * Future versions can be upward compatible by defining LIBRPZ_DEF as
+ * librpz_X_t.
+ */
+#define LIBRPZ_DEF     librpz_def_0
+#define LIBRPZ_DEF_STR "librpz_def_0"
+
+typedef librpz_0_t librpz_t;
+extern librpz_t	  *librpz;
+
+#if LIBRPZ_LIB_OPEN == 2
+#include <dlfcn.h>
+
+/**
+ * link-load librpz
+ * @param[out] emsg: error message
+ * @param[in,out] dl_handle: NULL or pointer to new dlopen handle
+ * @param[in] path: librpz.so path
+ * @return address of interface structure or NULL on failure
+ */
+static inline librpz_t *
+librpz_lib_open(librpz_emsg_t *emsg, void **dl_handle, const char *path) {
+	void	 *handle;
+	librpz_t *new_librpz;
+
+	emsg->c[0] = '\0';
+
+	/*
+	 * Close a previously opened handle on librpz.so.
+	 */
+	if (dl_handle != NULL && *dl_handle != NULL) {
+		if (dlclose(*dl_handle) != 0) {
+			snprintf(emsg->c, sizeof(librpz_emsg_t),
+				 "dlopen(NULL): %s", dlerror());
+			return (NULL);
+		}
+		*dl_handle = NULL;
+	}
+
+	/*
+	 * First try the main executable of the process in case it was
+	 * linked to librpz.
+	 * Do not worry if we cannot search the main executable of the process.
+	 */
+	handle = dlopen(NULL, RTLD_NOW | RTLD_LOCAL);
+	if (handle != NULL) {
+		new_librpz = dlsym(handle, LIBRPZ_DEF_STR);
+		if (new_librpz != NULL) {
+			if (dl_handle != NULL) {
+				*dl_handle = handle;
+			}
+			return (new_librpz);
+		}
+		if (dlclose(handle) != 0) {
+			snprintf(emsg->c, sizeof(librpz_emsg_t),
+				 "dlsym(NULL, " LIBRPZ_DEF_STR "): %s",
+				 dlerror());
+			return (NULL);
+		}
+	}
+
+	if (path == NULL || path[0] == '\0') {
+		snprintf(emsg->c, sizeof(librpz_emsg_t),
+			 "librpz not linked and no dlopen() path provided");
+		return (NULL);
+	}
+
+	handle = dlopen(path, RTLD_NOW | RTLD_LOCAL);
+	if (handle == NULL) {
+		snprintf(emsg->c, sizeof(librpz_emsg_t), "dlopen(%s): %s", path,
+			 dlerror());
+		return (NULL);
+	}
+	new_librpz = dlsym(handle, LIBRPZ_DEF_STR);
+	if (new_librpz != NULL) {
+		if (dl_handle != NULL) {
+			*dl_handle = handle;
+		}
+		return (new_librpz);
+	}
+	snprintf(emsg->c, sizeof(librpz_emsg_t),
+		 "dlsym(%s, " LIBRPZ_DEF_STR "): %s", path, dlerror());
+	dlclose(handle);
+	return (NULL);
+}
+#elif defined(LIBRPZ_LIB_OPEN)
+/*
+ * Statically link to the librpz.so DSO on systems without dlopen()
+ */
+static inline librpz_t *
+librpz_lib_open(librpz_emsg_t *emsg, void **dl_handle, const char *path) {
+	(void)(path);
+
+	if (dl_handle != NULL) {
+		*dl_handle = NULL;
+	}
+
+#if LIBRPZ_LIB_OPEN == 1
+	emsg->c[0] = '\0';
+	return (&LIBRPZ_DEF);
+#else  /* if LIBRPZ_LIB_OPEN == 1 */
+	snprintf(emsg->c, sizeof(librpz_emsg_t),
+		 "librpz not available via ./configure");
+	return (NULL);
+#endif /* LIBRPZ_LIB_OPEN */
+}
+#endif /* LIBRPZ_LIB_OPEN */
+
+#endif /* LIBRPZ_H */
diff --git a/lib/dns/include/dns/lmdb.h b/lib/dns/include/dns/lmdb.h
new file mode 100644
index 0000000..f6986cf
--- /dev/null
+++ b/lib/dns/include/dns/lmdb.h
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#pragma once
+
+#define DNS_LMDB_COMMON_FLAGS (MDB_CREATE | MDB_NOSUBDIR | MDB_NOLOCK)
+#ifndef __OpenBSD__
+#define DNS_LMDB_FLAGS (DNS_LMDB_COMMON_FLAGS)
+#else /* __OpenBSD__ */
+/*
+ * OpenBSD does not have a unified buffer cache, which requires both reads and
+ * writes to be performed using mmap().
+ */
+#define DNS_LMDB_FLAGS (DNS_LMDB_COMMON_FLAGS | MDB_WRITEMAP)
+#endif /* __OpenBSD__ */
diff --git a/lib/dns/include/dns/log.h b/lib/dns/include/dns/log.h
new file mode 100644
index 0000000..d78dda6
--- /dev/null
+++ b/lib/dns/include/dns/log.h
@@ -0,0 +1,114 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file dns/log.h
+ */
+
+#ifndef DNS_LOG_H
+#define DNS_LOG_H 1
+
+#include <isc/lang.h>
+#include <isc/log.h>
+
+LIBDNS_EXTERNAL_DATA extern isc_log_t	     *dns_lctx;
+LIBDNS_EXTERNAL_DATA extern isc_logcategory_t dns_categories[];
+LIBDNS_EXTERNAL_DATA extern isc_logmodule_t   dns_modules[];
+
+#define DNS_LOGCATEGORY_NOTIFY	 (&dns_categories[0])
+#define DNS_LOGCATEGORY_DATABASE (&dns_categories[1])
+#define DNS_LOGCATEGORY_SECURITY (&dns_categories[2])
+/* DNS_LOGCATEGORY_CONFIG superseded by CFG_LOGCATEGORY_CONFIG */
+#define DNS_LOGCATEGORY_DNSSEC		(&dns_categories[4])
+#define DNS_LOGCATEGORY_RESOLVER	(&dns_categories[5])
+#define DNS_LOGCATEGORY_XFER_IN		(&dns_categories[6])
+#define DNS_LOGCATEGORY_XFER_OUT	(&dns_categories[7])
+#define DNS_LOGCATEGORY_DISPATCH	(&dns_categories[8])
+#define DNS_LOGCATEGORY_LAME_SERVERS	(&dns_categories[9])
+#define DNS_LOGCATEGORY_DELEGATION_ONLY (&dns_categories[10])
+#define DNS_LOGCATEGORY_EDNS_DISABLED	(&dns_categories[11])
+#define DNS_LOGCATEGORY_RPZ		(&dns_categories[12])
+#define DNS_LOGCATEGORY_RRL		(&dns_categories[13])
+#define DNS_LOGCATEGORY_CNAME		(&dns_categories[14])
+#define DNS_LOGCATEGORY_SPILL		(&dns_categories[15])
+#define DNS_LOGCATEGORY_DNSTAP		(&dns_categories[16])
+#define DNS_LOGCATEGORY_ZONELOAD	(&dns_categories[17])
+#define DNS_LOGCATEGORY_NSID		(&dns_categories[18])
+
+/* Backwards compatibility. */
+#define DNS_LOGCATEGORY_GENERAL ISC_LOGCATEGORY_GENERAL
+
+#define DNS_LOGMODULE_DB	 (&dns_modules[0])
+#define DNS_LOGMODULE_RBTDB	 (&dns_modules[1])
+#define DNS_LOGMODULE_RBT	 (&dns_modules[2])
+#define DNS_LOGMODULE_RDATA	 (&dns_modules[3])
+#define DNS_LOGMODULE_MASTER	 (&dns_modules[4])
+#define DNS_LOGMODULE_MESSAGE	 (&dns_modules[5])
+#define DNS_LOGMODULE_CACHE	 (&dns_modules[6])
+#define DNS_LOGMODULE_CONFIG	 (&dns_modules[7])
+#define DNS_LOGMODULE_RESOLVER	 (&dns_modules[8])
+#define DNS_LOGMODULE_ZONE	 (&dns_modules[9])
+#define DNS_LOGMODULE_JOURNAL	 (&dns_modules[10])
+#define DNS_LOGMODULE_ADB	 (&dns_modules[11])
+#define DNS_LOGMODULE_XFER_IN	 (&dns_modules[12])
+#define DNS_LOGMODULE_XFER_OUT	 (&dns_modules[13])
+#define DNS_LOGMODULE_ACL	 (&dns_modules[14])
+#define DNS_LOGMODULE_VALIDATOR	 (&dns_modules[15])
+#define DNS_LOGMODULE_DISPATCH	 (&dns_modules[16])
+#define DNS_LOGMODULE_REQUEST	 (&dns_modules[17])
+#define DNS_LOGMODULE_MASTERDUMP (&dns_modules[18])
+#define DNS_LOGMODULE_TSIG	 (&dns_modules[19])
+#define DNS_LOGMODULE_TKEY	 (&dns_modules[20])
+#define DNS_LOGMODULE_SDB	 (&dns_modules[21])
+#define DNS_LOGMODULE_DIFF	 (&dns_modules[22])
+#define DNS_LOGMODULE_HINTS	 (&dns_modules[23])
+#define DNS_LOGMODULE_UNUSED1	 (&dns_modules[24])
+#define DNS_LOGMODULE_DLZ	 (&dns_modules[25])
+#define DNS_LOGMODULE_DNSSEC	 (&dns_modules[26])
+#define DNS_LOGMODULE_CRYPTO	 (&dns_modules[27])
+#define DNS_LOGMODULE_PACKETS	 (&dns_modules[28])
+#define DNS_LOGMODULE_NTA	 (&dns_modules[29])
+#define DNS_LOGMODULE_DYNDB	 (&dns_modules[30])
+#define DNS_LOGMODULE_DNSTAP	 (&dns_modules[31])
+#define DNS_LOGMODULE_SSU	 (&dns_modules[32])
+
+ISC_LANG_BEGINDECLS
+
+void
+dns_log_init(isc_log_t *lctx);
+/*%
+ * Make the libdns categories and modules available for use with the
+ * ISC logging library.
+ *
+ * Requires:
+ *\li	lctx is a valid logging context.
+ *
+ *\li	dns_log_init() is called only once.
+ *
+ * Ensures:
+ * \li	The categories and modules defined above are available for
+ * 	use by isc_log_usechannnel() and isc_log_write().
+ */
+
+void
+dns_log_setcontext(isc_log_t *lctx);
+/*%
+ * Make the libdns library use the provided context for logging internal
+ * messages.
+ *
+ * Requires:
+ *\li	lctx is a valid logging context.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_LOG_H */
diff --git a/lib/dns/include/dns/lookup.h b/lib/dns/include/dns/lookup.h
new file mode 100644
index 0000000..2d1ce13
--- /dev/null
+++ b/lib/dns/include/dns/lookup.h
@@ -0,0 +1,131 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_LOOKUP_H
+#define DNS_LOOKUP_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file dns/lookup.h
+ * \brief
+ * The lookup module performs simple DNS lookups.  It implements
+ * the full resolver algorithm, both looking for local data and
+ * resolving external names as necessary.
+ *
+ * MP:
+ *\li	The module ensures appropriate synchronization of data structures it
+ *	creates and manipulates.
+ *
+ * Reliability:
+ *\li	No anticipated impact.
+ *
+ * Resources:
+ *\li	TBS
+ *
+ * Security:
+ *\li	No anticipated impact.
+ *
+ * Standards:
+ *\li	RFCs:	1034, 1035, 2181, TBS
+ *\li	Drafts:	TBS
+ */
+
+#include <isc/event.h>
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*%
+ * A 'dns_lookupevent_t' is returned when a lookup completes.
+ * The sender field will be set to the lookup that completed.  If 'result'
+ * is ISC_R_SUCCESS, then 'names' will contain a list of names associated
+ * with the address.  The recipient of the event must not change the list
+ * and must not refer to any of the name data after the event is freed.
+ */
+typedef struct dns_lookupevent {
+	ISC_EVENT_COMMON(struct dns_lookupevent);
+	isc_result_t	result;
+	dns_name_t     *name;
+	dns_rdataset_t *rdataset;
+	dns_rdataset_t *sigrdataset;
+	dns_db_t       *db;
+	dns_dbnode_t   *node;
+} dns_lookupevent_t;
+
+isc_result_t
+dns_lookup_create(isc_mem_t *mctx, const dns_name_t *name, dns_rdatatype_t type,
+		  dns_view_t *view, unsigned int options, isc_task_t *task,
+		  isc_taskaction_t action, void *arg, dns_lookup_t **lookupp);
+/*%<
+ * Finds the rrsets matching 'name' and 'type'.
+ *
+ * Requires:
+ *
+ *\li	'mctx' is a valid mctx.
+ *
+ *\li	'name' is a valid name.
+ *
+ *\li	'view' is a valid view which has a resolver.
+ *
+ *\li	'task' is a valid task.
+ *
+ *\li	lookupp != NULL && *lookupp == NULL
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_NOMEMORY
+ *
+ *\li	Any resolver-related error (e.g. ISC_R_SHUTTINGDOWN) may also be
+ *	returned.
+ */
+
+void
+dns_lookup_cancel(dns_lookup_t *lookup);
+/*%<
+ * Cancel 'lookup'.
+ *
+ * Notes:
+ *
+ *\li	If 'lookup' has not completed, post its LOOKUPDONE event with a
+ *	result code of ISC_R_CANCELED.
+ *
+ * Requires:
+ *
+ *\li	'lookup' is a valid lookup.
+ */
+
+void
+dns_lookup_destroy(dns_lookup_t **lookupp);
+/*%<
+ * Destroy 'lookup'.
+ *
+ * Requires:
+ *
+ *\li	'*lookupp' is a valid lookup.
+ *
+ *\li	The caller has received the LOOKUPDONE event (either because the
+ *	lookup completed or because dns_lookup_cancel() was called).
+ *
+ * Ensures:
+ *
+ *\li	*lookupp == NULL.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_LOOKUP_H */
diff --git a/lib/dns/include/dns/master.h b/lib/dns/include/dns/master.h
new file mode 100644
index 0000000..78ebadd
--- /dev/null
+++ b/lib/dns/include/dns/master.h
@@ -0,0 +1,264 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_MASTER_H
+#define DNS_MASTER_H 1
+
+/*! \file dns/master.h */
+
+/***
+ ***	Imports
+ ***/
+
+#include <inttypes.h>
+#include <stdio.h>
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+/*
+ * Flags to be passed in the 'options' argument in the functions below.
+ */
+#define DNS_MASTER_AGETTL 0x00000001 /*%< Age the ttl based on $DATE. */
+#define DNS_MASTER_MANYERRORS                                               \
+	0x00000002			/*%< Continue processing on errors. \
+					 */
+#define DNS_MASTER_NOINCLUDE 0x00000004 /*%< Disallow $INCLUDE directives. */
+#define DNS_MASTER_ZONE	     0x00000008 /*%< Loading a zone master file. */
+#define DNS_MASTER_HINT	     0x00000010 /*%< Loading a hint master file. */
+#define DNS_MASTER_SLAVE     0x00000020 /*%< Loading a slave master file. */
+#define DNS_MASTER_CHECKNS                    \
+	0x00000040 /*%<                       \
+		    * Check NS records to see \
+		    * if they are an address  \
+		    */
+#define DNS_MASTER_FATALNS                     \
+	0x00000080 /*%<                        \
+		    * Treat DNS_MASTER_CHECKNS \
+		    * matches as fatal         \
+		    */
+#define DNS_MASTER_CHECKNAMES	  0x00000100
+#define DNS_MASTER_CHECKNAMESFAIL 0x00000200
+#define DNS_MASTER_CHECKWILDCARD                    \
+	0x00000400 /* Check for internal wildcards. \
+		    */
+#define DNS_MASTER_CHECKMX     0x00000800
+#define DNS_MASTER_CHECKMXFAIL 0x00001000
+
+#define DNS_MASTER_RESIGN   0x00002000
+#define DNS_MASTER_KEY	    0x00004000 /*%< Loading a key zone master file. */
+#define DNS_MASTER_NOTTL    0x00008000 /*%< Don't require ttl. */
+#define DNS_MASTER_CHECKTTL 0x00010000 /*%< Check max-zone-ttl */
+
+ISC_LANG_BEGINDECLS
+
+/*
+ * Structures that implement the "raw" format for master dump.
+ * These are provided for a reference purpose only; in the actual
+ * encoding, we directly read/write each field so that the encoded data
+ * is always "packed", regardless of the hardware architecture.
+ */
+#define DNS_RAWFORMAT_VERSION 1
+
+/*
+ * Flags to indicate the status of the data in the raw file header
+ */
+#define DNS_MASTERRAW_COMPAT	      0x01
+#define DNS_MASTERRAW_SOURCESERIALSET 0x02
+#define DNS_MASTERRAW_LASTXFRINSET    0x04
+
+/* Common header */
+struct dns_masterrawheader {
+	uint32_t format;       /* must be
+				* dns_masterformat_raw
+				* or
+				* dns_masterformat_map */
+	uint32_t version;      /* compatibility for future
+				* extensions */
+	uint32_t dumptime;     /* timestamp on creation
+				* (currently unused) */
+	uint32_t flags;	       /* Flags */
+	uint32_t sourceserial; /* Source serial number (used
+				* by inline-signing zones) */
+	uint32_t lastxfrin;    /* timestamp of last transfer
+				* (used by slave zones) */
+};
+
+/* The structure for each RRset */
+typedef struct {
+	uint32_t totallen;	  /* length of the data for this
+				   * RRset, including the
+				   * "header" part */
+	dns_rdataclass_t rdclass; /* 16-bit class */
+	dns_rdatatype_t	 type;	  /* 16-bit type */
+	dns_rdatatype_t	 covers;  /* same as type */
+	dns_ttl_t	 ttl;	  /* 32-bit TTL */
+	uint32_t	 nrdata;  /* number of RRs in this set */
+	/* followed by encoded owner name, and then rdata */
+} dns_masterrawrdataset_t;
+
+/*
+ * Method prototype: a callback to register each include file as
+ * it is encountered.
+ */
+typedef void (*dns_masterincludecb_t)(const char *file, void *arg);
+
+/***
+ ***	Function
+ ***/
+
+isc_result_t
+dns_master_loadfile(const char *master_file, dns_name_t *top,
+		    dns_name_t *origin, dns_rdataclass_t zclass,
+		    unsigned int options, uint32_t resign,
+		    dns_rdatacallbacks_t *callbacks,
+		    dns_masterincludecb_t include_cb, void *include_arg,
+		    isc_mem_t *mctx, dns_masterformat_t format,
+		    dns_ttl_t maxttl);
+
+isc_result_t
+dns_master_loadstream(FILE *stream, dns_name_t *top, dns_name_t *origin,
+		      dns_rdataclass_t zclass, unsigned int options,
+		      dns_rdatacallbacks_t *callbacks, isc_mem_t *mctx);
+
+isc_result_t
+dns_master_loadbuffer(isc_buffer_t *buffer, dns_name_t *top, dns_name_t *origin,
+		      dns_rdataclass_t zclass, unsigned int options,
+		      dns_rdatacallbacks_t *callbacks, isc_mem_t *mctx);
+
+isc_result_t
+dns_master_loadlexer(isc_lex_t *lex, dns_name_t *top, dns_name_t *origin,
+		     dns_rdataclass_t zclass, unsigned int options,
+		     dns_rdatacallbacks_t *callbacks, isc_mem_t *mctx);
+
+isc_result_t
+dns_master_loadfileinc(const char *master_file, dns_name_t *top,
+		       dns_name_t *origin, dns_rdataclass_t zclass,
+		       unsigned int options, uint32_t resign,
+		       dns_rdatacallbacks_t *callbacks, isc_task_t *task,
+		       dns_loaddonefunc_t done, void *done_arg,
+		       dns_loadctx_t **ctxp, dns_masterincludecb_t include_cb,
+		       void *include_arg, isc_mem_t *mctx,
+		       dns_masterformat_t format, uint32_t maxttl);
+
+isc_result_t
+dns_master_loadstreaminc(FILE *stream, dns_name_t *top, dns_name_t *origin,
+			 dns_rdataclass_t zclass, unsigned int options,
+			 dns_rdatacallbacks_t *callbacks, isc_task_t *task,
+			 dns_loaddonefunc_t done, void *done_arg,
+			 dns_loadctx_t **ctxp, isc_mem_t *mctx);
+
+isc_result_t
+dns_master_loadbufferinc(isc_buffer_t *buffer, dns_name_t *top,
+			 dns_name_t *origin, dns_rdataclass_t zclass,
+			 unsigned int options, dns_rdatacallbacks_t *callbacks,
+			 isc_task_t *task, dns_loaddonefunc_t done,
+			 void *done_arg, dns_loadctx_t **ctxp, isc_mem_t *mctx);
+
+isc_result_t
+dns_master_loadlexerinc(isc_lex_t *lex, dns_name_t *top, dns_name_t *origin,
+			dns_rdataclass_t zclass, unsigned int options,
+			dns_rdatacallbacks_t *callbacks, isc_task_t *task,
+			dns_loaddonefunc_t done, void *done_arg,
+			dns_loadctx_t **ctxp, isc_mem_t *mctx);
+
+/*%<
+ * Loads a RFC1305 master file from a file, stream, buffer, or existing
+ * lexer into rdatasets and then calls 'callbacks->commit' to commit the
+ * rdatasets.  Rdata memory belongs to dns_master_load and will be
+ * reused / released when the callback completes.  dns_load_master will
+ * abort if callbacks->commit returns any value other than ISC_R_SUCCESS.
+ *
+ * If 'DNS_MASTER_AGETTL' is set and the master file contains one or more
+ * $DATE directives, the TTLs of the data will be aged accordingly.
+ *
+ * 'callbacks->commit' is assumed to call 'callbacks->error' or
+ * 'callbacks->warn' to generate any error messages required.
+ *
+ * 'done' is called with 'done_arg' and a result code when the loading
+ * is completed or has failed.  If the initial setup fails 'done' is
+ * not called.
+ *
+ * 'resign' the number of seconds before a RRSIG expires that it should
+ * be re-signed.  0 is used if not provided.
+ *
+ * Requires:
+ *\li	'master_file' points to a valid string.
+ *\li	'lexer' points to a valid lexer.
+ *\li	'top' points to a valid name.
+ *\li	'origin' points to a valid name.
+ *\li	'callbacks->commit' points to a valid function.
+ *\li	'callbacks->error' points to a valid function.
+ *\li	'callbacks->warn' points to a valid function.
+ *\li	'mctx' points to a valid memory context.
+ *\li	'task' and 'done' to be valid.
+ *\li	'lmgr' to be valid.
+ *\li	'ctxp != NULL && ctxp == NULL'.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS upon successfully loading the master file.
+ *\li	ISC_R_SEENINCLUDE upon successfully loading the master file with
+ *		a $INCLUDE statement.
+ *\li	ISC_R_NOMEMORY out of memory.
+ *\li	ISC_R_UNEXPECTEDEND expected to be able to read a input token and
+ *		there was not one.
+ *\li	ISC_R_UNEXPECTED
+ *\li	DNS_R_NOOWNER failed to specify a ownername.
+ *\li	DNS_R_NOTTL failed to specify a ttl.
+ *\li	DNS_R_BADCLASS record class did not match zone class.
+ *\li	DNS_R_CONTINUE load still in progress (dns_master_load*inc() only).
+ *\li	Any dns_rdata_fromtext() error code.
+ *\li	Any error code from callbacks->commit().
+ */
+
+void
+dns_loadctx_detach(dns_loadctx_t **ctxp);
+/*%<
+ * Detach from the load context.
+ *
+ * Requires:
+ *\li	'*ctxp' to be valid.
+ *
+ * Ensures:
+ *\li	'*ctxp == NULL'
+ */
+
+void
+dns_loadctx_attach(dns_loadctx_t *source, dns_loadctx_t **target);
+/*%<
+ * Attach to the load context.
+ *
+ * Requires:
+ *\li	'source' to be valid.
+ *\li	'target != NULL && *target == NULL'.
+ */
+
+void
+dns_loadctx_cancel(dns_loadctx_t *ctx);
+/*%<
+ * Cancel loading the zone file associated with this load context.
+ *
+ * Requires:
+ *\li	'ctx' to be valid
+ */
+
+void
+dns_master_initrawheader(dns_masterrawheader_t *header);
+/*%<
+ * Initializes the header for a raw master file, setting all
+ * values to zero.
+ */
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_MASTER_H */
diff --git a/lib/dns/include/dns/masterdump.h b/lib/dns/include/dns/masterdump.h
new file mode 100644
index 0000000..917e31f
--- /dev/null
+++ b/lib/dns/include/dns/masterdump.h
@@ -0,0 +1,364 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_MASTERDUMP_H
+#define DNS_MASTERDUMP_H 1
+
+/*! \file dns/masterdump.h */
+
+/***
+ ***	Imports
+ ***/
+
+#include <stdio.h>
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+/***
+ *** Types
+ ***/
+
+typedef struct dns_master_style dns_master_style_t;
+
+/***
+ *** Definitions
+ ***/
+
+/*
+ * Flags affecting master file formatting.  Flags 0x0000FFFF
+ * define the formatting of the rdata part and are defined in
+ * rdata.h.
+ */
+
+/*% Omit the owner name when possible. */
+#define DNS_STYLEFLAG_OMIT_OWNER 0x000010000ULL
+
+/*%
+ * Omit the TTL when possible.  If DNS_STYLEFLAG_TTL is
+ * also set, this means no TTLs are ever printed
+ * because $TTL directives are generated before every
+ * change in the TTL.  In this case, no columns need to
+ * be reserved for the TTL.  Master files generated with
+ * these options will be rejected by BIND 4.x because it
+ * does not recognize the $TTL directive.
+ *
+ * If DNS_STYLEFLAG_TTL is not also set, the TTL will be
+ * omitted when it is equal to the previous TTL.
+ * This is correct according to RFC1035, but the
+ * TTLs may be silently misinterpreted by older
+ * versions of BIND which use the SOA MINTTL as a
+ * default TTL value.
+ */
+#define DNS_STYLEFLAG_OMIT_TTL 0x000020000ULL
+
+/*% Omit the class when possible. */
+#define DNS_STYLEFLAG_OMIT_CLASS 0x000040000ULL
+
+/*% Output $TTL directives. */
+#define DNS_STYLEFLAG_TTL 0x000080000ULL
+
+/*%
+ * Output $ORIGIN directives and print owner names relative to
+ * the origin when possible.
+ */
+#define DNS_STYLEFLAG_REL_OWNER 0x000100000ULL
+
+/*% Print domain names in RR data in relative form when possible.
+ * For this to take effect, DNS_STYLEFLAG_REL_OWNER must also be set. */
+#define DNS_STYLEFLAG_REL_DATA 0x000200000ULL
+
+/*% Print the trust level of each rdataset. */
+#define DNS_STYLEFLAG_TRUST 0x000400000ULL
+
+/*% Print negative caching entries. */
+#define DNS_STYLEFLAG_NCACHE 0x000800000ULL
+
+/*% Never print the TTL. */
+#define DNS_STYLEFLAG_NO_TTL 0x001000000ULL
+
+/*% Never print the CLASS. */
+#define DNS_STYLEFLAG_NO_CLASS 0x002000000ULL
+
+/*% Report re-signing time. */
+#define DNS_STYLEFLAG_RESIGN 0x004000000ULL
+
+/*% Don't printout the cryptographic parts of DNSSEC records. */
+#define DNS_STYLEFLAG_NOCRYPTO 0x008000000ULL
+
+/*% Comment out data by prepending with ";" */
+#define DNS_STYLEFLAG_COMMENTDATA 0x010000000ULL
+
+/*% Print TTL with human-readable units. */
+#define DNS_STYLEFLAG_TTL_UNITS 0x020000000ULL
+
+/*% Indent output. */
+#define DNS_STYLEFLAG_INDENT 0x040000000ULL
+
+/*% Output in YAML style. */
+#define DNS_STYLEFLAG_YAML 0x080000000ULL
+
+/*% Print ECS cache entries as comments (reserved for future use). */
+#define DNS_STYLEFLAG_ECSCACHE 0x100000000ULL
+
+/*% Print expired cache entries. */
+#define DNS_STYLEFLAG_EXPIRED 0x200000000ULL
+
+ISC_LANG_BEGINDECLS
+
+/***
+ ***	Constants
+ ***/
+
+/*%
+ * The default master file style.
+ *
+ * This uses $TTL directives to avoid the need to dedicate a
+ * tab stop for the TTL.  The class is only printed for the first
+ * rrset in the file and shares a tab stop with the RR type.
+ */
+LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_default;
+
+/*%
+ * A master file style that dumps zones to a very generic format easily
+ * imported/checked with external tools.
+ */
+LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_full;
+
+/*%
+ * A master file style that prints explicit TTL values on each
+ * record line, never using $TTL statements.  The TTL has a tab
+ * stop of its own, but the class and type share one.
+ */
+LIBDNS_EXTERNAL_DATA extern const dns_master_style_t
+	dns_master_style_explicitttl;
+
+/*%
+ * A master style format designed for cache files.  It prints explicit TTL
+ * values on each record line and never uses $ORIGIN or relative names.
+ */
+LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_cache;
+
+/*%
+ * A master style format designed for cache files.  The same as above but
+ * this also prints expired entries.
+ */
+LIBDNS_EXTERNAL_DATA extern const dns_master_style_t
+	dns_master_style_cache_with_expired;
+
+/*%
+ * A master style that prints name, ttl, class, type, and value on
+ * every line.  Similar to explicitttl above, but more verbose.
+ * Intended for generating master files which can be easily parsed
+ * by perl scripts and similar applications.
+ */
+LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_simple;
+
+/*%
+ * The style used for debugging, "dig" output, etc.
+ */
+LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_debug;
+
+/*%
+ * Similar to dns_master_style_debug but data is prepended with ";"
+ */
+LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_comment;
+
+/*%
+ * Similar to dns_master_style_debug but data is indented with "\t" (tab)
+ */
+LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_indent;
+
+/*%
+ * The style used for dumping "key" zones.
+ */
+LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_keyzone;
+
+/*%
+ * YAML-compatible output
+ */
+LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_yaml;
+
+/***
+ ***	Functions
+ ***/
+
+void
+dns_dumpctx_attach(dns_dumpctx_t *source, dns_dumpctx_t **target);
+/*%<
+ * Attach to a dump context.
+ *
+ * Require:
+ *\li	'source' to be valid.
+ *\li	'target' to be non NULL and '*target' to be NULL.
+ */
+
+void
+dns_dumpctx_detach(dns_dumpctx_t **dctxp);
+/*%<
+ * Detach from a dump context.
+ *
+ * Require:
+ *\li	'dctxp' to point to a valid dump context.
+ *
+ * Ensures:
+ *\li	'*dctxp' is NULL.
+ */
+
+void
+dns_dumpctx_cancel(dns_dumpctx_t *dctx);
+/*%<
+ * Cancel a in progress dump.
+ *
+ * Require:
+ *\li	'dctx' to be valid.
+ */
+
+dns_dbversion_t *
+dns_dumpctx_version(dns_dumpctx_t *dctx);
+/*%<
+ * Return the version handle (if any) of the database being dumped.
+ *
+ * Require:
+ *\li	'dctx' to be valid.
+ */
+
+dns_db_t *
+dns_dumpctx_db(dns_dumpctx_t *dctx);
+/*%<
+ * Return the database being dumped.
+ *
+ * Require:
+ *\li	'dctx' to be valid.
+ */
+
+/*@{*/
+isc_result_t
+dns_master_dumptostreamasync(isc_mem_t *mctx, dns_db_t *db,
+			     dns_dbversion_t	      *version,
+			     const dns_master_style_t *style, FILE *f,
+			     isc_task_t *task, dns_dumpdonefunc_t done,
+			     void *done_arg, dns_dumpctx_t **dctxp);
+
+isc_result_t
+dns_master_dumptostream(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
+			const dns_master_style_t *style,
+			dns_masterformat_t	  format,
+			dns_masterrawheader_t *header, FILE *f);
+/*%<
+ * Dump the database 'db' to the steam 'f' in the specified format by
+ * 'format'.  If the format is dns_masterformat_text (the RFC1035 format),
+ * 'style' specifies the file style (e.g., &dns_master_style_default).
+ *
+ * If 'format' is dns_masterformat_raw, then 'header' can contain
+ * information to be written to the file header.
+ *
+ * Temporary dynamic memory may be allocated from 'mctx'.
+ *
+ * Require:
+ *\li	'task' to be valid.
+ *\li	'done' to be non NULL.
+ *\li	'dctxp' to be non NULL && '*dctxp' to be NULL.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_NOMEMORY
+ *\li	Any database or rrset iterator error.
+ *\li	Any dns_rdata_totext() error code.
+ */
+/*@}*/
+
+/*@{*/
+
+isc_result_t
+dns_master_dumpasync(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
+		     const dns_master_style_t *style, const char *filename,
+		     isc_task_t *task, dns_dumpdonefunc_t done, void *done_arg,
+		     dns_dumpctx_t **dctxp, dns_masterformat_t format,
+		     dns_masterrawheader_t *header);
+
+isc_result_t
+dns_master_dump(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
+		const dns_master_style_t *style, const char *filename,
+		dns_masterformat_t format, dns_masterrawheader_t *header);
+
+/*%<
+ * Dump the database 'db' to the file 'filename' in the specified format by
+ * 'format'.  If the format is dns_masterformat_text (the RFC1035 format),
+ * 'style' specifies the file style (e.g., &dns_master_style_default).
+ *
+ * If 'format' is dns_masterformat_raw, then 'header' can contain
+ * information to be written to the file header.
+ *
+ * Temporary dynamic memory may be allocated from 'mctx'.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_NOMEMORY
+ *\li	Any database or rrset iterator error.
+ *\li	Any dns_rdata_totext() error code.
+ */
+/*@}*/
+
+isc_result_t
+dns_master_rdatasettotext(const dns_name_t	   *owner_name,
+			  dns_rdataset_t	   *rdataset,
+			  const dns_master_style_t *style, dns_indent_t *indent,
+			  isc_buffer_t *target);
+/*%<
+ * Convert 'rdataset' to text format, storing the result in 'target'.
+ *
+ * Notes:
+ *\li	The rdata cursor position will be changed.
+ *
+ * Requires:
+ *\li	'rdataset' is a valid non-question rdataset.
+ *
+ *\li	'rdataset' is not empty.
+ */
+
+isc_result_t
+dns_master_questiontotext(const dns_name_t	   *owner_name,
+			  dns_rdataset_t	   *rdataset,
+			  const dns_master_style_t *style,
+			  isc_buffer_t		   *target);
+
+isc_result_t
+dns_master_dumpnodetostream(isc_mem_t *mctx, dns_db_t *db,
+			    dns_dbversion_t *version, dns_dbnode_t *node,
+			    const dns_name_t	     *name,
+			    const dns_master_style_t *style, FILE *f);
+
+isc_result_t
+dns_master_dumpnode(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
+		    dns_dbnode_t *node, const dns_name_t *name,
+		    const dns_master_style_t *style, const char *filename);
+
+dns_masterstyle_flags_t
+dns_master_styleflags(const dns_master_style_t *style);
+
+isc_result_t
+dns_master_stylecreate(dns_master_style_t    **style,
+		       dns_masterstyle_flags_t flags, unsigned int ttl_column,
+		       unsigned int class_column, unsigned int type_column,
+		       unsigned int rdata_column, unsigned int line_length,
+		       unsigned int tab_width, unsigned int split_width,
+		       isc_mem_t *mctx);
+
+void
+dns_master_styledestroy(dns_master_style_t **style, isc_mem_t *mctx);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_MASTERDUMP_H */
diff --git a/lib/dns/include/dns/message.h b/lib/dns/include/dns/message.h
new file mode 100644
index 0000000..8214021
--- /dev/null
+++ b/lib/dns/include/dns/message.h
@@ -0,0 +1,1492 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#pragma once
+
+/***
+ ***	Imports
+ ***/
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/refcount.h>
+
+#include <dns/compress.h>
+#include <dns/masterdump.h>
+#include <dns/types.h>
+
+#include <dst/dst.h>
+
+/*! \file dns/message.h
+ * \brief Message Handling Module
+ *
+ * How this beast works:
+ *
+ * When a dns message is received in a buffer, dns_message_parse() is called
+ * on the memory region.  Various items are checked including the format
+ * of the message (if counts are right, if counts consume the entire sections,
+ * and if sections consume the entire message) and known pseudo-RRs in the
+ * additional data section are analyzed and removed.
+ *
+ * TSIG checking is also done at this layer, and any DNSSEC transaction
+ * signatures should also be checked here.
+ *
+ * Notes on using the gettemp*() and puttemp*() functions:
+ *
+ * These functions return items (names, rdatasets, etc) allocated from some
+ * internal state of the dns_message_t.
+ *
+ * Names and rdatasets must be put back into the dns_message_t in
+ * one of two ways.  Assume a name was allocated via
+ * dns_message_gettempname():
+ *
+ *\li	(1) insert it into a section, using dns_message_addname().
+ *
+ *\li	(2) return it to the message using dns_message_puttempname().
+ *
+ * The same applies to rdatasets.
+ *
+ * On the other hand, offsets, rdatalists and rdatas allocated using
+ * dns_message_gettemp*() will always be freed automatically
+ * when the message is reset or destroyed; calling dns_message_puttemp*()
+ * on rdatalists and rdatas is optional and serves only to enable the item
+ * to be reused multiple times during the lifetime of the message; offsets
+ * cannot be reused.
+ *
+ * Buffers allocated using isc_buffer_allocate() can be automatically freed
+ * as well by giving the buffer to the message using dns_message_takebuffer().
+ * Doing this will cause the buffer to be freed using isc_buffer_free()
+ * when the section lists are cleared, such as in a reset or in a destroy.
+ * Since the buffer itself exists until the message is destroyed, this sort
+ * of code can be written:
+ *
+ * \code
+ *	buffer = isc_buffer_allocate(mctx, 512);
+ *	name = NULL;
+ *	result = dns_message_gettempname(message, &name);
+ *	result = dns_name_fromtext(name, &source, dns_rootname, 0, buffer);
+ *	dns_message_takebuffer(message, &buffer);
+ * \endcode
+ *
+ *
+ * TODO:
+ *
+ * XXX Needed:  ways to set and retrieve EDNS information, add rdata to a
+ * section, move rdata from one section to another, remove rdata, etc.
+ */
+
+#define DNS_MESSAGEFLAG_QR 0x8000U
+#define DNS_MESSAGEFLAG_AA 0x0400U
+#define DNS_MESSAGEFLAG_TC 0x0200U
+#define DNS_MESSAGEFLAG_RD 0x0100U
+#define DNS_MESSAGEFLAG_RA 0x0080U
+#define DNS_MESSAGEFLAG_AD 0x0020U
+#define DNS_MESSAGEFLAG_CD 0x0010U
+
+/*%< EDNS0 extended message flags */
+#define DNS_MESSAGEEXTFLAG_DO 0x8000U
+
+/*%< EDNS0 extended OPT codes */
+#define DNS_OPT_LLQ	      1	 /*%< LLQ opt code */
+#define DNS_OPT_NSID	      3	 /*%< NSID opt code */
+#define DNS_OPT_CLIENT_SUBNET 8	 /*%< client subnet opt code */
+#define DNS_OPT_EXPIRE	      9	 /*%< EXPIRE opt code */
+#define DNS_OPT_COOKIE	      10 /*%< COOKIE opt code */
+#define DNS_OPT_TCP_KEEPALIVE 11 /*%< TCP keepalive opt code */
+#define DNS_OPT_PAD	      12 /*%< PAD opt code */
+#define DNS_OPT_KEY_TAG	      14 /*%< Key tag opt code */
+#define DNS_OPT_EDE	      15 /*%< Extended DNS Error opt code */
+#define DNS_OPT_CLIENT_TAG    16 /*%< Client tag opt code */
+#define DNS_OPT_SERVER_TAG    17 /*%< Server tag opt code */
+
+/*%< Experimental options [65001...65534] as per RFC6891 */
+
+/*%< The number of EDNS options we know about. */
+#define DNS_EDNSOPTIONS 7
+
+#define DNS_MESSAGE_REPLYPRESERVE	 (DNS_MESSAGEFLAG_RD | DNS_MESSAGEFLAG_CD)
+#define DNS_MESSAGEEXTFLAG_REPLYPRESERVE (DNS_MESSAGEEXTFLAG_DO)
+
+#define DNS_MESSAGE_HEADERLEN 12 /*%< 6 uint16_t's */
+
+#define DNS_MESSAGE_MAGIC      ISC_MAGIC('M', 'S', 'G', '@')
+#define DNS_MESSAGE_VALID(msg) ISC_MAGIC_VALID(msg, DNS_MESSAGE_MAGIC)
+
+/*
+ * Ordering here matters.  DNS_SECTION_ANY must be the lowest and negative,
+ * and DNS_SECTION_MAX must be one greater than the last used section.
+ */
+typedef int dns_section_t;
+#define DNS_SECTION_ANY	       (-1)
+#define DNS_SECTION_QUESTION   0
+#define DNS_SECTION_ANSWER     1
+#define DNS_SECTION_AUTHORITY  2
+#define DNS_SECTION_ADDITIONAL 3
+#define DNS_SECTION_MAX	       4
+
+typedef int dns_pseudosection_t;
+#define DNS_PSEUDOSECTION_ANY  (-1)
+#define DNS_PSEUDOSECTION_OPT  0
+#define DNS_PSEUDOSECTION_TSIG 1
+#define DNS_PSEUDOSECTION_SIG0 2
+#define DNS_PSEUDOSECTION_MAX  3
+
+typedef int dns_messagetextflag_t;
+#define DNS_MESSAGETEXTFLAG_NOCOMMENTS 0x0001
+#define DNS_MESSAGETEXTFLAG_NOHEADERS  0x0002
+#define DNS_MESSAGETEXTFLAG_ONESOA     0x0004
+#define DNS_MESSAGETEXTFLAG_OMITSOA    0x0008
+
+/*
+ * Dynamic update names for these sections.
+ */
+#define DNS_SECTION_ZONE	 DNS_SECTION_QUESTION
+#define DNS_SECTION_PREREQUISITE DNS_SECTION_ANSWER
+#define DNS_SECTION_UPDATE	 DNS_SECTION_AUTHORITY
+
+/*
+ * These tell the message library how the created dns_message_t will be used.
+ */
+#define DNS_MESSAGE_INTENTUNKNOWN 0 /*%< internal use only */
+#define DNS_MESSAGE_INTENTPARSE	  1 /*%< parsing messages */
+#define DNS_MESSAGE_INTENTRENDER  2 /*%< rendering */
+
+/*
+ * Control behavior of parsing
+ */
+#define DNS_MESSAGEPARSE_PRESERVEORDER 0x0001 /*%< preserve rdata order */
+#define DNS_MESSAGEPARSE_BESTEFFORT       \
+	0x0002 /*%< return a message if a \
+		* recoverable parse error \
+		* occurs */
+#define DNS_MESSAGEPARSE_CLONEBUFFER   \
+	0x0004 /*%< save a copy of the \
+		* source buffer */
+#define DNS_MESSAGEPARSE_IGNORETRUNCATION \
+	0x0008 /*%< truncation errors are \
+		* not fatal. */
+
+/*
+ * Control behavior of rendering
+ */
+#define DNS_MESSAGERENDER_ORDERED    0x0001 /*%< don't change order */
+#define DNS_MESSAGERENDER_PARTIAL    0x0002 /*%< allow a partial rdataset */
+#define DNS_MESSAGERENDER_OMITDNSSEC 0x0004 /*%< omit DNSSEC records */
+#define DNS_MESSAGERENDER_PREFER_A      \
+	0x0008 /*%< prefer A records in \
+		*   additional section. */
+#define DNS_MESSAGERENDER_PREFER_AAAA      \
+	0x0010 /*%< prefer AAAA records in \
+		*   additional section. */
+/* Obsolete: DNS_MESSAGERENDER_FILTER_AAAA	0x0020	*/
+
+typedef struct dns_msgblock dns_msgblock_t;
+
+struct dns_sortlist_arg {
+	dns_aclenv_t	       *env;
+	const dns_acl_t	       *acl;
+	const dns_aclelement_t *element;
+};
+
+struct dns_message {
+	/* public from here down */
+	unsigned int   magic;
+	isc_refcount_t refcount;
+
+	dns_messageid_t	 id;
+	unsigned int	 flags;
+	dns_rcode_t	 rcode;
+	dns_opcode_t	 opcode;
+	dns_rdataclass_t rdclass;
+
+	/* 4 real, 1 pseudo */
+	unsigned int counts[DNS_SECTION_MAX];
+
+	/* private from here down */
+	dns_namelist_t	sections[DNS_SECTION_MAX];
+	dns_name_t     *cursors[DNS_SECTION_MAX];
+	dns_rdataset_t *opt;
+	dns_rdataset_t *sig0;
+	dns_rdataset_t *tsig;
+
+	int	     state;
+	unsigned int from_to_wire     : 2;
+	unsigned int header_ok	      : 1;
+	unsigned int question_ok      : 1;
+	unsigned int tcp_continuation : 1;
+	unsigned int verified_sig     : 1;
+	unsigned int verify_attempted : 1;
+	unsigned int free_query	      : 1;
+	unsigned int free_saved	      : 1;
+	unsigned int cc_ok	      : 1;
+	unsigned int cc_bad	      : 1;
+	unsigned int tkey	      : 1;
+	unsigned int rdclass_set      : 1;
+
+	unsigned int opt_reserved;
+	unsigned int sig_reserved;
+	unsigned int reserved; /* reserved space (render) */
+
+	uint16_t     padding;
+	unsigned int padding_off;
+
+	isc_buffer_t   *buffer;
+	dns_compress_t *cctx;
+
+	isc_mem_t     *mctx;
+	isc_mempool_t *namepool;
+	isc_mempool_t *rdspool;
+
+	isc_bufferlist_t scratchpad;
+	isc_bufferlist_t cleanup;
+
+	ISC_LIST(dns_msgblock_t) rdatas;
+	ISC_LIST(dns_msgblock_t) rdatalists;
+	ISC_LIST(dns_msgblock_t) offsets;
+
+	ISC_LIST(dns_rdata_t) freerdata;
+	ISC_LIST(dns_rdatalist_t) freerdatalist;
+
+	dns_rcode_t tsigstatus;
+	dns_rcode_t querytsigstatus;
+	dns_name_t *tsigname; /* Owner name of TSIG, if any
+			       * */
+	dns_rdataset_t *querytsig;
+	dns_tsigkey_t  *tsigkey;
+	dst_context_t  *tsigctx;
+	int		sigstart;
+	int		timeadjust;
+
+	dns_name_t *sig0name; /* Owner name of SIG0, if any
+			       * */
+	dst_key_t   *sig0key;
+	dns_rcode_t  sig0status;
+	isc_region_t query;
+	isc_region_t saved;
+
+	dns_rdatasetorderfunc_t order;
+	dns_sortlist_arg_t	order_arg;
+
+	dns_indent_t indent;
+};
+
+struct dns_ednsopt {
+	uint16_t       code;
+	uint16_t       length;
+	unsigned char *value;
+};
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+void
+dns_message_create(isc_mem_t *mctx, unsigned int intent, dns_message_t **msgp);
+
+/*%<
+ * Create msg structure.
+ *
+ * This function will allocate some internal blocks of memory that are
+ * expected to be needed for parsing or rendering nearly any type of message.
+ *
+ * Requires:
+ *\li	'mctx' be a valid memory context.
+ *
+ *\li	'msgp' be non-null and '*msg' be NULL.
+ *
+ *\li	'intent' must be one of DNS_MESSAGE_INTENTPARSE or
+ *	#DNS_MESSAGE_INTENTRENDER.
+ *
+ * Ensures:
+ *\li	The data in "*msg" is set to indicate an unused and empty msg
+ *	structure.
+ *
+ * Returns:
+ *\li	#ISC_R_NOMEMORY		-- out of memory
+ *\li	#ISC_R_SUCCESS		-- success
+ */
+
+void
+dns_message_reset(dns_message_t *msg, unsigned int intent);
+/*%<
+ * Reset a message structure to default state.  All internal lists are freed
+ * or reset to a default state as well.  This is simply a more efficient
+ * way to call dns_message_detach() (assuming last reference is hold),
+ * followed by dns_message_create(), since it avoid many memory allocations.
+ *
+ * If any data loanouts (buffers, names, rdatas, etc) were requested,
+ * the caller must no longer use them after this call.
+ *
+ * The intended next use of the message will be 'intent'.
+ *
+ * Requires:
+ *
+ *\li	'msg' be valid.
+ *
+ *\li	'intent' is DNS_MESSAGE_INTENTPARSE or DNS_MESSAGE_INTENTRENDER
+ */
+
+void
+dns_message_attach(dns_message_t *source, dns_message_t **target);
+/*%<
+ * Attach to message 'source'.
+ *
+ * Requires:
+ *\li	'source' to be a valid message.
+ *\li	'target' to be non NULL and '*target' to be NULL.
+ */
+
+void
+dns_message_detach(dns_message_t **messagep);
+/*%<
+ * Detach *messagep from its message.
+ * list.
+ *
+ * Requires:
+ *\li	'*messagep' to be a valid message.
+ */
+
+isc_result_t
+dns_message_sectiontotext(dns_message_t *msg, dns_section_t section,
+			  const dns_master_style_t *style,
+			  dns_messagetextflag_t flags, isc_buffer_t *target);
+
+isc_result_t
+dns_message_pseudosectiontotext(dns_message_t *msg, dns_pseudosection_t section,
+				const dns_master_style_t *style,
+				dns_messagetextflag_t	  flags,
+				isc_buffer_t		 *target);
+/*%<
+ * Convert section 'section' or 'pseudosection' of message 'msg' to
+ * a cleartext representation
+ *
+ * Notes:
+ *     \li See dns_message_totext for meanings of flags.
+ *
+ * Requires:
+ *
+ *\li	'msg' is a valid message.
+ *
+ *\li	'style' is a valid master dump style.
+ *
+ *\li	'target' is a valid buffer.
+ *
+ *\li	'section' is a valid section label.
+ *
+ * Ensures:
+ *
+ *\li	If the result is success:
+ *		The used space in 'target' is updated.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOSPACE
+ *\li	#ISC_R_NOMORE
+ *
+ *\li	Note: On error return, *target may be partially filled with data.
+ */
+
+isc_result_t
+dns_message_headertotext(dns_message_t *msg, const dns_master_style_t *style,
+			 dns_messagetextflag_t flags, isc_buffer_t *target);
+/*%<
+ * Convert the header section of message 'msg' to a cleartext
+ * representation. This is called from dns_message_totext().
+ *
+ * Notes on flags:
+ *\li	If #DNS_MESSAGETEXTFLAG_NOHEADERS is set, header lines will be
+ * 	suppressed and this function is a no-op.
+ *
+ * Requires:
+ *
+ *\li	'msg' is a valid message.
+ *
+ *\li	'target' is a valid buffer.
+ *
+ * Ensures:
+ *
+ *\li	If the result is success:
+ *		The used space in 'target' is updated.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOSPACE
+ *\li	#ISC_R_NOMORE
+ *
+ *\li	Note: On error return, *target may be partially filled with data.
+ */
+
+isc_result_t
+dns_message_totext(dns_message_t *msg, const dns_master_style_t *style,
+		   dns_messagetextflag_t flags, isc_buffer_t *target);
+/*%<
+ * Convert all sections of message 'msg' to a cleartext representation
+ *
+ * Notes on flags:
+ *\li	If #DNS_MESSAGETEXTFLAG_NOCOMMENTS is cleared, lines beginning with
+ * 	";;" will be emitted indicating section name.
+ *\li	If #DNS_MESSAGETEXTFLAG_NOHEADERS is cleared, header lines will be
+ * 	emitted.
+ *\li   If #DNS_MESSAGETEXTFLAG_ONESOA is set then only print the first
+ *	SOA record in the answer section.
+ *\li	If *#DNS_MESSAGETEXTFLAG_OMITSOA is set don't print any SOA records
+ *	in the answer section.
+ *
+ * The SOA flags are useful for suppressing the display of the second
+ * SOA record in an AXFR by setting #DNS_MESSAGETEXTFLAG_ONESOA on the
+ * first message in an AXFR stream and #DNS_MESSAGETEXTFLAG_OMITSOA on
+ * subsequent messages.
+ *
+ * Requires:
+ *
+ *\li	'msg' is a valid message.
+ *
+ *\li	'style' is a valid master dump style.
+ *
+ *\li	'target' is a valid buffer.
+ *
+ * Ensures:
+ *
+ *\li	If the result is success:
+ *		The used space in 'target' is updated.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOSPACE
+ *\li	#ISC_R_NOMORE
+ *
+ *\li	Note: On error return, *target may be partially filled with data.
+ */
+
+isc_result_t
+dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
+		  unsigned int options);
+/*%<
+ * Parse raw wire data in 'source' as a DNS message.
+ *
+ * OPT records are detected and stored in the pseudo-section "opt".
+ * TSIGs are detected and stored in the pseudo-section "tsig".
+ *
+ * If #DNS_MESSAGEPARSE_PRESERVEORDER is set, or if the opcode of the message
+ * is UPDATE, a separate dns_name_t object will be created for each RR in the
+ * message.  Each such dns_name_t will have a single rdataset containing the
+ * single RR, and the order of the RRs in the message is preserved.
+ * Otherwise, only one dns_name_t object will be created for each unique
+ * owner name in the section, and each such dns_name_t will have a list
+ * of rdatasets.  To access the names and their data, use
+ * dns_message_firstname() and dns_message_nextname().
+ *
+ * If #DNS_MESSAGEPARSE_BESTEFFORT is set, errors in message content will
+ * not be considered FORMERRs.  If the entire message can be parsed, it
+ * will be returned and DNS_R_RECOVERABLE will be returned.
+ *
+ * If #DNS_MESSAGEPARSE_IGNORETRUNCATION is set then return as many complete
+ * RR's as possible, DNS_R_RECOVERABLE will be returned.
+ *
+ * OPT and TSIG records are always handled specially, regardless of the
+ * 'preserve_order' setting.
+ *
+ * Requires:
+ *\li	"msg" be valid.
+ *
+ *\li	"buffer" be a wire format buffer.
+ *
+ * Ensures:
+ *\li	The buffer's data format is correct.
+ *
+ *\li	The buffer's contents verify as correct regarding header bits, buffer
+ * 	and rdata sizes, etc.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		-- all is well
+ *\li	#ISC_R_NOMEMORY		-- no memory
+ *\li	#DNS_R_RECOVERABLE	-- the message parsed properly, but contained
+ *				   errors.
+ *\li	Many other errors possible XXXMLG
+ */
+
+isc_result_t
+dns_message_renderbegin(dns_message_t *msg, dns_compress_t *cctx,
+			isc_buffer_t *buffer);
+/*%<
+ * Begin rendering on a message.  Only one call can be made to this function
+ * per message.
+ *
+ * The compression context is "owned" by the message library until
+ * dns_message_renderend() is called.  It must be invalidated by the caller.
+ *
+ * The buffer is "owned" by the message library until dns_message_renderend()
+ * is called.
+ *
+ * Requires:
+ *
+ *\li	'msg' be valid.
+ *
+ *\li	'cctx' be valid.
+ *
+ *\li	'buffer' is a valid buffer.
+ *
+ * Side Effects:
+ *
+ *\li	The buffer is cleared before it is used.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		-- all is well
+ *\li	#ISC_R_NOSPACE		-- output buffer is too small
+ */
+
+isc_result_t
+dns_message_renderchangebuffer(dns_message_t *msg, isc_buffer_t *buffer);
+/*%<
+ * Reset the buffer.  This can be used after growing the old buffer
+ * on a ISC_R_NOSPACE return from most of the render functions.
+ *
+ * On successful completion, the old buffer is no longer used by the
+ * library.  The new buffer is owned by the library until
+ * dns_message_renderend() is called.
+ *
+ * Requires:
+ *
+ *\li	'msg' be valid.
+ *
+ *\li	dns_message_renderbegin() was called.
+ *
+ *\li	buffer != NULL.
+ *
+ * Returns:
+ *\li	#ISC_R_NOSPACE		-- new buffer is too small
+ *\li	#ISC_R_SUCCESS		-- all is well.
+ */
+
+isc_result_t
+dns_message_renderreserve(dns_message_t *msg, unsigned int space);
+/*%<
+ * XXXMLG should use size_t rather than unsigned int once the buffer
+ * API is cleaned up
+ *
+ * Reserve "space" bytes in the given buffer.
+ *
+ * Requires:
+ *
+ *\li	'msg' be valid.
+ *
+ *\li	dns_message_renderbegin() was called.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		-- all is well.
+ *\li	#ISC_R_NOSPACE		-- not enough free space in the buffer.
+ */
+
+void
+dns_message_renderrelease(dns_message_t *msg, unsigned int space);
+/*%<
+ * XXXMLG should use size_t rather than unsigned int once the buffer
+ * API is cleaned up
+ *
+ * Release "space" bytes in the given buffer that was previously reserved.
+ *
+ * Requires:
+ *
+ *\li	'msg' be valid.
+ *
+ *\li	'space' is less than or equal to the total amount of space reserved
+ *	via prior calls to dns_message_renderreserve().
+ *
+ *\li	dns_message_renderbegin() was called.
+ */
+
+isc_result_t
+dns_message_rendersection(dns_message_t *msg, dns_section_t section,
+			  unsigned int options);
+/*%<
+ * Render all names, rdatalists, etc from the given section at the
+ * specified priority or higher.
+ *
+ * Requires:
+ *\li	'msg' be valid.
+ *
+ *\li	'section' be a valid section.
+ *
+ *\li	dns_message_renderbegin() was called.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		-- all records were written, and there are
+ *				   no more records for this section.
+ *\li	#ISC_R_NOSPACE		-- Not enough room in the buffer to write
+ *				   all records requested.
+ *\li	#DNS_R_MOREDATA		-- All requested records written, and there
+ *				   are records remaining for this section.
+ */
+
+void
+dns_message_renderheader(dns_message_t *msg, isc_buffer_t *target);
+/*%<
+ * Render the message header.  This is implicitly called by
+ * dns_message_renderend().
+ *
+ * Requires:
+ *
+ *\li	'msg' be a valid message.
+ *
+ *\li	dns_message_renderbegin() was called.
+ *
+ *\li	'target' is a valid buffer with enough space to hold a message header
+ */
+
+isc_result_t
+dns_message_renderend(dns_message_t *msg);
+/*%<
+ * Finish rendering to the buffer.  Note that more data can be in the
+ * 'msg' structure.  Destroying the structure will free this, or in a multi-
+ * part EDNS1 message this data can be rendered to another buffer later.
+ *
+ * Requires:
+ *
+ *\li	'msg' be a valid message.
+ *
+ *\li	dns_message_renderbegin() was called.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		-- all is well.
+ */
+
+void
+dns_message_renderreset(dns_message_t *msg);
+/*%<
+ * Reset the message so that it may be rendered again.
+ *
+ * Notes:
+ *
+ *\li	If dns_message_renderbegin() has been called, dns_message_renderend()
+ *	must be called before calling this function.
+ *
+ * Requires:
+ *
+ *\li	'msg' be a valid message with rendering intent.
+ */
+
+isc_result_t
+dns_message_firstname(dns_message_t *msg, dns_section_t section);
+/*%<
+ * Set internal per-section name pointer to the beginning of the section.
+ *
+ * The functions dns_message_firstname() and dns_message_nextname() may
+ * be used for iterating over the owner names in a section.
+ *
+ * Requires:
+ *
+ *\li   	'msg' be valid.
+ *
+ *\li	'section' be a valid section.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		-- All is well.
+ *\li	#ISC_R_NOMORE		-- No names on given section.
+ */
+
+isc_result_t
+dns_message_nextname(dns_message_t *msg, dns_section_t section);
+/*%<
+ * Sets the internal per-section name pointer to point to the next name
+ * in that section.
+ *
+ * Requires:
+ *
+ * \li  	'msg' be valid.
+ *
+ *\li	'section' be a valid section.
+ *
+ *\li	dns_message_firstname() must have been called on this section,
+ *	and the result was ISC_R_SUCCESS.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		-- All is well.
+ *\li	#ISC_R_NOMORE		-- No more names in given section.
+ */
+
+void
+dns_message_currentname(dns_message_t *msg, dns_section_t section,
+			dns_name_t **name);
+/*%<
+ * Sets 'name' to point to the name where the per-section internal name
+ * pointer is currently set.
+ *
+ * This function returns the name in the database, so any data associated
+ * with it (via the name's "list" member) contains the actual rdatasets.
+ *
+ * Requires:
+ *
+ *\li	'msg' be valid.
+ *
+ *\li	'name' be non-NULL, and *name be NULL.
+ *
+ *\li	'section' be a valid section.
+ *
+ *\li	dns_message_firstname() must have been called on this section,
+ *	and the result of it and any dns_message_nextname() calls was
+ *	#ISC_R_SUCCESS.
+ */
+
+isc_result_t
+dns_message_findname(dns_message_t *msg, dns_section_t section,
+		     const dns_name_t *target, dns_rdatatype_t type,
+		     dns_rdatatype_t covers, dns_name_t **foundname,
+		     dns_rdataset_t **rdataset);
+/*%<
+ * Search for a name in the specified section.  If it is found, *name is
+ * set to point to the name, and *rdataset is set to point to the found
+ * rdataset (if type is specified as other than dns_rdatatype_any).
+ *
+ * Requires:
+ *\li	'msg' be valid.
+ *
+ *\li	'section' be a valid section.
+ *
+ *\li	If a pointer to the name is desired, 'foundname' should be non-NULL.
+ *	If it is non-NULL, '*foundname' MUST be NULL.
+ *
+ *\li	If a type other than dns_datatype_any is searched for, 'rdataset'
+ *	may be non-NULL, '*rdataset' be NULL, and will point at the found
+ *	rdataset.  If the type is dns_datatype_any, 'rdataset' must be NULL.
+ *
+ *\li	'target' be a valid name.
+ *
+ *\li	'type' be a valid type.
+ *
+ *\li	If 'type' is dns_rdatatype_rrsig, 'covers' must be a valid type.
+ *	Otherwise it should be 0.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		-- all is well.
+ *\li	#DNS_R_NXDOMAIN		-- name does not exist in that section.
+ *\li	#DNS_R_NXRRSET		-- The name does exist, but the desired
+ *				   type does not.
+ */
+
+isc_result_t
+dns_message_findtype(const dns_name_t *name, dns_rdatatype_t type,
+		     dns_rdatatype_t covers, dns_rdataset_t **rdataset);
+/*%<
+ * Search the name for the specified type.  If it is found, *rdataset is
+ * filled in with a pointer to that rdataset.
+ *
+ * Requires:
+ *\li	if '**rdataset' is non-NULL, *rdataset needs to be NULL.
+ *
+ *\li	'type' be a valid type, and NOT dns_rdatatype_any.
+ *
+ *\li	If 'type' is dns_rdatatype_rrsig, 'covers' must be a valid type.
+ *	Otherwise it should be 0.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		-- all is well.
+ *\li	#ISC_R_NOTFOUND		-- the desired type does not exist.
+ */
+
+isc_result_t
+dns_message_find(const dns_name_t *name, dns_rdataclass_t rdclass,
+		 dns_rdatatype_t type, dns_rdatatype_t covers,
+		 dns_rdataset_t **rdataset);
+/*%<
+ * Search the name for the specified rdclass and type.  If it is found,
+ * *rdataset is filled in with a pointer to that rdataset.
+ *
+ * Requires:
+ *\li	if '**rdataset' is non-NULL, *rdataset needs to be NULL.
+ *
+ *\li	'type' be a valid type, and NOT dns_rdatatype_any.
+ *
+ *\li	If 'type' is dns_rdatatype_rrsig, 'covers' must be a valid type.
+ *	Otherwise it should be 0.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		-- all is well.
+ *\li	#ISC_R_NOTFOUND		-- the desired type does not exist.
+ */
+
+void
+dns_message_movename(dns_message_t *msg, dns_name_t *name,
+		     dns_section_t fromsection, dns_section_t tosection);
+/*%<
+ * Move a name from one section to another.
+ *
+ * Requires:
+ *
+ *\li	'msg' be valid.
+ *
+ *\li	'name' must be a name already in 'fromsection'.
+ *
+ *\li	'fromsection' must be a valid section.
+ *
+ *\li	'tosection' must be a valid section.
+ */
+
+void
+dns_message_addname(dns_message_t *msg, dns_name_t *name,
+		    dns_section_t section);
+/*%<
+ * Adds the name to the given section.
+ *
+ * It is the caller's responsibility to enforce any unique name requirements
+ * in a section.
+ *
+ * Requires:
+ *
+ *\li	'msg' be valid, and be a renderable message.
+ *
+ *\li	'name' be a valid absolute name.
+ *
+ *\li	'section' be a named section.
+ */
+
+void
+dns_message_removename(dns_message_t *msg, dns_name_t *name,
+		       dns_section_t section);
+/*%<
+ * Remove a existing name from a given section.
+ *
+ * It is the caller's responsibility to ensure the name is part of the
+ * given section.
+ *
+ * Requires:
+ *
+ *\li	'msg' be valid, and be a renderable message.
+ *
+ *\li	'name' be a valid absolute name.
+ *
+ *\li	'section' be a named section.
+ */
+
+/*
+ * LOANOUT FUNCTIONS
+ *
+ * Each of these functions loan a particular type of data to the caller.
+ * The storage for these will vanish when the message is destroyed or
+ * reset, and must NOT be used after these operations.
+ */
+
+isc_result_t
+dns_message_gettempname(dns_message_t *msg, dns_name_t **item);
+/*%<
+ * Return a name that can be used for any temporary purpose, including
+ * inserting into the message's linked lists.  The name must be returned
+ * to the message code using dns_message_puttempname() or inserted into
+ * one of the message's sections before the message is destroyed.
+ *
+ * The name will be associated with a dns_fixedname object, and will
+ * be initialized.
+ *
+ * Requires:
+ *\li	msg be a valid message
+ *
+ *\li	item != NULL && *item == NULL
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		-- All is well.
+ *\li	#ISC_R_NOMEMORY		-- No item can be allocated.
+ */
+
+isc_result_t
+dns_message_gettemprdata(dns_message_t *msg, dns_rdata_t **item);
+/*%<
+ * Return a rdata that can be used for any temporary purpose, including
+ * inserting into the message's linked lists.  The rdata will be freed
+ * when the message is destroyed or reset.
+ *
+ * Requires:
+ *\li	msg be a valid message
+ *
+ *\li	item != NULL && *item == NULL
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		-- All is well.
+ *\li	#ISC_R_NOMEMORY		-- No item can be allocated.
+ */
+
+isc_result_t
+dns_message_gettemprdataset(dns_message_t *msg, dns_rdataset_t **item);
+/*%<
+ * Return a rdataset that can be used for any temporary purpose, including
+ * inserting into the message's linked lists. The name must be returned
+ * to the message code using dns_message_puttempname() or inserted into
+ * one of the message's sections before the message is destroyed.
+ *
+ * Requires:
+ *\li	msg be a valid message
+ *
+ *\li	item != NULL && *item == NULL
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		-- All is well.
+ *\li	#ISC_R_NOMEMORY		-- No item can be allocated.
+ */
+
+isc_result_t
+dns_message_gettemprdatalist(dns_message_t *msg, dns_rdatalist_t **item);
+/*%<
+ * Return a rdatalist that can be used for any temporary purpose, including
+ * inserting into the message's linked lists.  The rdatalist will be
+ * destroyed when the message is destroyed or reset.
+ *
+ * Requires:
+ *\li	msg be a valid message
+ *
+ *\li	item != NULL && *item == NULL
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		-- All is well.
+ *\li	#ISC_R_NOMEMORY		-- No item can be allocated.
+ */
+
+void
+dns_message_puttempname(dns_message_t *msg, dns_name_t **item);
+/*%<
+ * Return a borrowed name to the message's name free list.
+ *
+ * Requires:
+ *\li	msg be a valid message
+ *
+ *\li	item != NULL && *item point to a name returned by
+ *	dns_message_gettempname()
+ *
+ * Ensures:
+ *\li	*item == NULL
+ */
+
+void
+dns_message_puttemprdata(dns_message_t *msg, dns_rdata_t **item);
+/*%<
+ * Return a borrowed rdata to the message's rdata free list.
+ *
+ * Requires:
+ *\li	msg be a valid message
+ *
+ *\li	item != NULL && *item point to a rdata returned by
+ *	dns_message_gettemprdata()
+ *
+ * Ensures:
+ *\li	*item == NULL
+ */
+
+void
+dns_message_puttemprdataset(dns_message_t *msg, dns_rdataset_t **item);
+/*%<
+ * Return a borrowed rdataset to the message's rdataset free list.
+ *
+ * Requires:
+ *\li	msg be a valid message
+ *
+ *\li	item != NULL && *item point to a rdataset returned by
+ *	dns_message_gettemprdataset()
+ *
+ * Ensures:
+ *\li	*item == NULL
+ */
+
+void
+dns_message_puttemprdatalist(dns_message_t *msg, dns_rdatalist_t **item);
+/*%<
+ * Return a borrowed rdatalist to the message's rdatalist free list.
+ *
+ * Requires:
+ *\li	msg be a valid message
+ *
+ *\li	item != NULL && *item point to a rdatalist returned by
+ *	dns_message_gettemprdatalist()
+ *
+ * Ensures:
+ *\li	*item == NULL
+ */
+
+isc_result_t
+dns_message_peekheader(isc_buffer_t *source, dns_messageid_t *idp,
+		       unsigned int *flagsp);
+/*%<
+ * Assume the remaining region of "source" is a DNS message.  Peek into
+ * it and fill in "*idp" with the message id, and "*flagsp" with the flags.
+ *
+ * Requires:
+ *
+ *\li	source != NULL
+ *
+ * Ensures:
+ *
+ *\li	if (idp != NULL) *idp == message id.
+ *
+ *\li	if (flagsp != NULL) *flagsp == message flags.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS		-- all is well.
+ *
+ *\li	#ISC_R_UNEXPECTEDEND	-- buffer doesn't contain enough for a header.
+ */
+
+isc_result_t
+dns_message_reply(dns_message_t *msg, bool want_question_section);
+/*%<
+ * Start formatting a reply to the query in 'msg'.
+ *
+ * Requires:
+ *
+ *\li	'msg' is a valid message with parsing intent, and contains a query.
+ *
+ * Ensures:
+ *
+ *\li	The message will have a rendering intent.  If 'want_question_section'
+ *	is true, the message opcode is query or notify, and the question
+ *	section is present and properly formatted, then the question section
+ *	will be included in the reply.  All other sections will be cleared.
+ *	The QR flag will be set, the RD flag will be preserved, and all other
+ *	flags will be cleared.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS		-- all is well.
+ *
+ *\li	#DNS_R_FORMERR		-- the header or question section of the
+ *				   message is invalid, replying is impossible.
+ *				   If DNS_R_FORMERR is returned when
+ *				   want_question_section is false, then
+ *				   it's the header section that's bad;
+ *				   otherwise either of the header or question
+ *				   sections may be bad.
+ */
+
+dns_rdataset_t *
+dns_message_getopt(dns_message_t *msg);
+/*%<
+ * Get the OPT record for 'msg'.
+ *
+ * Requires:
+ *
+ *\li	'msg' is a valid message.
+ *
+ * Returns:
+ *
+ *\li	The OPT rdataset of 'msg', or NULL if there isn't one.
+ */
+
+isc_result_t
+dns_message_setopt(dns_message_t *msg, dns_rdataset_t *opt);
+/*%<
+ * Set the OPT record for 'msg'.
+ *
+ * Requires:
+ *
+ *\li	'msg' is a valid message with rendering intent
+ *	and no sections have been rendered.
+ *
+ *\li	'opt' is a valid OPT record.
+ *
+ * Ensures:
+ *
+ *\li	The OPT record has either been freed or ownership of it has
+ *	been transferred to the message.
+ *
+ *\li	If ISC_R_SUCCESS was returned, the OPT record will be rendered
+ *	when dns_message_renderend() is called.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS		-- all is well.
+ *
+ *\li	#ISC_R_NOSPACE		-- there is no space for the OPT record.
+ */
+
+dns_rdataset_t *
+dns_message_gettsig(dns_message_t *msg, const dns_name_t **owner);
+/*%<
+ * Get the TSIG record and owner for 'msg'.
+ *
+ * Requires:
+ *
+ *\li	'msg' is a valid message.
+ *\li	'owner' is NULL or *owner is NULL.
+ *
+ * Returns:
+ *
+ *\li	The TSIG rdataset of 'msg', or NULL if there isn't one.
+ *
+ * Ensures:
+ *
+ * \li	If 'owner' is not NULL, it will point to the owner name.
+ */
+
+isc_result_t
+dns_message_settsigkey(dns_message_t *msg, dns_tsigkey_t *key);
+/*%<
+ * Set the tsig key for 'msg'.  This is only necessary for when rendering a
+ * query or parsing a response.  The key (if non-NULL) is attached to, and
+ * will be detached when the message is destroyed.
+ *
+ * Requires:
+ *
+ *\li	'msg' is a valid message with rendering intent,
+ *	dns_message_renderbegin() has been called, and no sections have been
+ *	rendered.
+ *\li	'key' is a valid tsig key or NULL.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS		-- all is well.
+ *
+ *\li	#ISC_R_NOSPACE		-- there is no space for the TSIG record.
+ */
+
+dns_tsigkey_t *
+dns_message_gettsigkey(dns_message_t *msg);
+/*%<
+ * Gets the tsig key for 'msg'.
+ *
+ * Requires:
+ *
+ *\li	'msg' is a valid message
+ */
+
+isc_result_t
+dns_message_setquerytsig(dns_message_t *msg, isc_buffer_t *querytsig);
+/*%<
+ * Indicates that 'querytsig' is the TSIG from the signed query for which
+ * 'msg' is the response.  This is also used for chained TSIGs in TCP
+ * responses.
+ *
+ * Requires:
+ *
+ *\li	'querytsig' is a valid buffer as returned by dns_message_getquerytsig()
+ *	or NULL
+ *
+ *\li	'msg' is a valid message
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_message_getquerytsig(dns_message_t *msg, isc_mem_t *mctx,
+			 isc_buffer_t **querytsig);
+/*%<
+ * Gets the tsig from the TSIG from the signed query 'msg'.  This is also used
+ * for chained TSIGs in TCP responses.  Unlike dns_message_gettsig, this makes
+ * a copy of the data, so can be used if the message is destroyed.
+ *
+ * Requires:
+ *
+ *\li	'msg' is a valid signed message
+ *\li	'mctx' is a valid memory context
+ *\li	querytsig != NULL && *querytsig == NULL
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *
+ * Ensures:
+ *\li 	'tsig' points to NULL or an allocated buffer which must be freed
+ * 	by the caller.
+ */
+
+dns_rdataset_t *
+dns_message_getsig0(dns_message_t *msg, const dns_name_t **owner);
+/*%<
+ * Get the SIG(0) record and owner for 'msg'.
+ *
+ * Requires:
+ *
+ *\li	'msg' is a valid message.
+ *\li	'owner' is NULL or *owner is NULL.
+ *
+ * Returns:
+ *
+ *\li	The SIG(0) rdataset of 'msg', or NULL if there isn't one.
+ *
+ * Ensures:
+ *
+ * \li	If 'owner' is not NULL, it will point to the owner name.
+ */
+
+isc_result_t
+dns_message_setsig0key(dns_message_t *msg, dst_key_t *key);
+/*%<
+ * Set the SIG(0) key for 'msg'.
+ *
+ * Requires:
+ *
+ *\li	'msg' is a valid message with rendering intent,
+ *	dns_message_renderbegin() has been called, and no sections have been
+ *	rendered.
+ *\li	'key' is a valid sig key or NULL.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS		-- all is well.
+ *
+ *\li	#ISC_R_NOSPACE		-- there is no space for the SIG(0) record.
+ */
+
+dst_key_t *
+dns_message_getsig0key(dns_message_t *msg);
+/*%<
+ * Gets the SIG(0) key for 'msg'.
+ *
+ * Requires:
+ *
+ *\li	'msg' is a valid message
+ */
+
+void
+dns_message_takebuffer(dns_message_t *msg, isc_buffer_t **buffer);
+/*%<
+ * Give the *buffer to the message code to clean up when it is no
+ * longer needed.  This is usually when the message is reset or
+ * destroyed.
+ *
+ * Requires:
+ *
+ *\li	msg be a valid message.
+ *
+ *\li	buffer != NULL && *buffer is a valid isc_buffer_t, which was
+ *	dynamically allocated via isc_buffer_allocate().
+ */
+
+isc_result_t
+dns_message_signer(dns_message_t *msg, dns_name_t *signer);
+/*%<
+ * If this message was signed, return the identity of the signer.
+ * Unless ISC_R_NOTFOUND is returned, signer will reflect the name of the
+ * key that signed the message.
+ *
+ * Requires:
+ *
+ *\li	msg is a valid parsed message.
+ *\li	signer is a valid name
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS		- the message was signed, and *signer
+ *				  contains the signing identity
+ *
+ *\li	#ISC_R_NOTFOUND		- no TSIG or SIG(0) record is present in the
+ *				  message
+ *
+ *\li	#DNS_R_TSIGVERIFYFAILURE	- the message was signed by a TSIG, but
+ * the signature failed to verify
+ *
+ *\li	#DNS_R_TSIGERRORSET	- the message was signed by a TSIG and
+ *				  verified, but the query was rejected by
+ *				  the server
+ *
+ *\li	#DNS_R_NOIDENTITY	- the message was signed by a TSIG and
+ *				  verified, but the key has no identity since
+ *				  it was generated by an unsigned TKEY process
+ *
+ *\li	#DNS_R_SIGINVALID	- the message was signed by a SIG(0), but
+ *				  the signature failed to verify
+ *
+ *\li	#DNS_R_NOTVERIFIEDYET	- the message was signed by a TSIG or SIG(0),
+ *				  but the signature has not been verified yet
+ */
+
+isc_result_t
+dns_message_checksig(dns_message_t *msg, dns_view_t *view);
+/*%<
+ * If this message was signed, verify the signature.
+ *
+ * Requires:
+ *
+ *\li	msg is a valid parsed message.
+ *\li	view is a valid view or NULL
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS		- the message was unsigned, or the message
+ *				  was signed correctly.
+ *
+ *\li	#DNS_R_EXPECTEDTSIG	- A TSIG was expected, but not seen
+ *\li	#DNS_R_UNEXPECTEDTSIG	- A TSIG was seen but not expected
+ *\li	#DNS_R_TSIGVERIFYFAILURE - The TSIG failed to verify
+ */
+
+isc_result_t
+dns_message_rechecksig(dns_message_t *msg, dns_view_t *view);
+/*%<
+ * Reset the signature state and then if the message was signed,
+ * verify the message.
+ *
+ * Requires:
+ *
+ *\li	msg is a valid parsed message.
+ *\li	view is a valid view or NULL
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS		- the message was unsigned, or the message
+ *				  was signed correctly.
+ *
+ *\li	#DNS_R_EXPECTEDTSIG	- A TSIG was expected, but not seen
+ *\li	#DNS_R_UNEXPECTEDTSIG	- A TSIG was seen but not expected
+ *\li	#DNS_R_TSIGVERIFYFAILURE - The TSIG failed to verify
+ */
+
+void
+dns_message_resetsig(dns_message_t *msg);
+/*%<
+ * Reset the signature state.
+ *
+ * Requires:
+ *\li	'msg' is a valid parsed message.
+ */
+
+isc_region_t *
+dns_message_getrawmessage(dns_message_t *msg);
+/*%<
+ * Retrieve the raw message in compressed wire format.  The message must
+ * have been successfully parsed for it to have been saved.
+ *
+ * Requires:
+ *\li	msg is a valid parsed message.
+ *
+ * Returns:
+ *\li	NULL	if there is no saved message.
+ *	a pointer to a region which refers the dns message.
+ */
+
+void
+dns_message_setsortorder(dns_message_t *msg, dns_rdatasetorderfunc_t order,
+			 dns_aclenv_t *env, const dns_acl_t *acl,
+			 const dns_aclelement_t *element);
+/*%<
+ * Define the order in which RR sets get rendered by
+ * dns_message_rendersection() to be the ascending order
+ * defined by the integer value returned by 'order' when
+ * given each RR and a ns_sortlist_arg_t constructed from 'env',
+ * 'acl', and 'element' as arguments.
+ *
+ * If 'order' is NULL, a default order is used.
+ *
+ * Requires:
+ *\li	msg be a valid message.
+ *\li	If 'env' is NULL, 'order' must be NULL.
+ *\li	If 'env' is not NULL, 'order' must not be NULL and at least one of
+ *	'acl' and 'element' must also not be NULL.
+ */
+
+void
+dns_message_settimeadjust(dns_message_t *msg, int timeadjust);
+/*%<
+ * Adjust the time used to sign/verify a message by timeadjust.
+ * Currently only TSIG.
+ *
+ * Requires:
+ *\li	msg be a valid message.
+ */
+
+int
+dns_message_gettimeadjust(dns_message_t *msg);
+/*%<
+ * Return the current time adjustment.
+ *
+ * Requires:
+ *\li	msg be a valid message.
+ */
+
+void
+dns_message_logpacket(dns_message_t *message, const char *description,
+		      const isc_sockaddr_t *address,
+		      isc_logcategory_t *category, isc_logmodule_t *module,
+		      int level, isc_mem_t *mctx);
+
+void
+dns_message_logfmtpacket(dns_message_t *message, const char *description,
+			 const isc_sockaddr_t *address,
+			 isc_logcategory_t *category, isc_logmodule_t *module,
+			 const dns_master_style_t *style, int level,
+			 isc_mem_t *mctx);
+/*%<
+ * Log 'message' at the specified logging parameters.
+ *
+ * For dns_message_logpacket and dns_message_logfmtpacket expect the
+ * 'description' to end in a newline.
+ *
+ * For dns_message_logpacket2 and dns_message_logfmtpacket2
+ * 'description' will be emitted at the start of the message followed
+ * by the formatted address and a newline.
+ *
+ * Requires:
+ * \li   message be a valid.
+ * \li   description to be non NULL.
+ * \li   address to be non NULL.
+ * \li   category to be valid.
+ * \li   module to be valid.
+ * \li   style to be valid.
+ * \li   mctx to be a valid.
+ */
+
+isc_result_t
+dns_message_buildopt(dns_message_t *msg, dns_rdataset_t **opt,
+		     unsigned int version, uint16_t udpsize, unsigned int flags,
+		     dns_ednsopt_t *ednsopts, size_t count);
+/*%<
+ * Built a opt record.
+ *
+ * Requires:
+ * \li   msg be a valid message.
+ * \li   opt to be a non NULL and *opt to be NULL.
+ *
+ * Returns:
+ * \li	 ISC_R_SUCCESS on success.
+ * \li	 ISC_R_NOMEMORY
+ * \li	 ISC_R_NOSPACE
+ * \li	 other.
+ */
+
+void
+dns_message_setclass(dns_message_t *msg, dns_rdataclass_t rdclass);
+/*%<
+ * Set the expected class of records in the response.
+ *
+ * Requires:
+ * \li   msg be a valid message with parsing intent.
+ */
+
+void
+dns_message_setpadding(dns_message_t *msg, uint16_t padding);
+/*%<
+ * Set the padding block size in the response.
+ * 0 means no padding (default).
+ *
+ * Requires:
+ * \li	msg be a valid message.
+ */
+
+void
+dns_message_clonebuffer(dns_message_t *msg);
+/*%<
+ * Clone the query or saved buffers if they where not cloned
+ * when parsing.
+ *
+ * Requires:
+ * \li   msg be a valid message.
+ */
+
+ISC_LANG_ENDDECLS
diff --git a/lib/dns/include/dns/name.h b/lib/dns/include/dns/name.h
new file mode 100644
index 0000000..683f71d
--- /dev/null
+++ b/lib/dns/include/dns/name.h
@@ -0,0 +1,1410 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_NAME_H
+#define DNS_NAME_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file dns/name.h
+ * \brief
+ * Provides facilities for manipulating DNS names and labels, including
+ * conversions to and from wire format and text format.
+ *
+ * Given the large number of names possible in a nameserver, and because
+ * names occur in rdata, it was important to come up with a very efficient
+ * way of storing name data, but at the same time allow names to be
+ * manipulated.  The decision was to store names in uncompressed wire format,
+ * and not to make them fully abstracted objects; i.e. certain parts of the
+ * server know names are stored that way.  This saves a lot of memory, and
+ * makes adding names to messages easy.  Having much of the server know
+ * the representation would be perilous, and we certainly don't want each
+ * user of names to be manipulating such a low-level structure.  This is
+ * where the Names and Labels module comes in.  The module allows name or
+ * label handles to be created and attached to uncompressed wire format
+ * regions.  All name operations and conversions are done through these
+ * handles.
+ *
+ * MP:
+ *\li	Clients of this module must impose any required synchronization.
+ *
+ * Reliability:
+ *\li	This module deals with low-level byte streams.  Errors in any of
+ *	the functions are likely to crash the server or corrupt memory.
+ *
+ * Resources:
+ *\li	None.
+ *
+ * Security:
+ *
+ *\li	*** WARNING ***
+ *
+ *\li	dns_name_fromwire() deals with raw network data.  An error in
+ *	this routine could result in the failure or hijacking of the server.
+ *
+ * Standards:
+ *\li	RFC1035
+ *\li	Draft EDNS0 (0)
+ *\li	Draft Binary Labels (2)
+ *
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdio.h>
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/region.h> /* Required for storage size of dns_label_t. */
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*****
+***** Labels
+*****
+***** A 'label' is basically a region.  It contains one DNS wire format
+***** label of type 00 (ordinary).
+*****/
+
+/*****
+***** Names
+*****
+***** A 'name' is a handle to a binary region.  It contains a sequence of one
+***** or more DNS wire format labels of type 00 (ordinary).
+***** Note that all names are not required to end with the root label,
+***** as they are in the actual DNS wire protocol.
+*****/
+
+/***
+ *** Types
+ ***/
+
+/*%
+ * Clients are strongly discouraged from using this type directly,  with
+ * the exception of the 'link' and 'list' fields which may be used directly
+ * for whatever purpose the client desires.
+ */
+struct dns_name {
+	unsigned int   magic;
+	unsigned char *ndata;
+	unsigned int   length;
+	unsigned int   labels;
+	unsigned int   attributes;
+	unsigned char *offsets;
+	isc_buffer_t  *buffer;
+	ISC_LINK(dns_name_t) link;
+	ISC_LIST(dns_rdataset_t) list;
+};
+
+#define DNS_NAME_MAGIC ISC_MAGIC('D', 'N', 'S', 'n')
+
+#define DNS_NAMEATTR_ABSOLUTE	0x00000001
+#define DNS_NAMEATTR_READONLY	0x00000002
+#define DNS_NAMEATTR_DYNAMIC	0x00000004
+#define DNS_NAMEATTR_DYNOFFSETS 0x00000008
+#define DNS_NAMEATTR_NOCOMPRESS 0x00000010
+/*
+ * Attributes below 0x0100 reserved for name.c usage.
+ */
+#define DNS_NAMEATTR_CACHE	  0x00000100 /*%< Used by resolver. */
+#define DNS_NAMEATTR_ANSWER	  0x00000200 /*%< Used by resolver. */
+#define DNS_NAMEATTR_NCACHE	  0x00000400 /*%< Used by resolver. */
+#define DNS_NAMEATTR_CHAINING	  0x00000800 /*%< Used by resolver. */
+#define DNS_NAMEATTR_CHASE	  0x00001000 /*%< Used by resolver. */
+#define DNS_NAMEATTR_WILDCARD	  0x00002000 /*%< Used by server. */
+#define DNS_NAMEATTR_PREREQUISITE 0x00004000 /*%< Used by client. */
+#define DNS_NAMEATTR_UPDATE	  0x00008000 /*%< Used by client. */
+#define DNS_NAMEATTR_HASUPDATEREC 0x00010000 /*%< Used by client. */
+
+/*
+ * Various flags.
+ */
+#define DNS_NAME_DOWNCASE	0x0001
+#define DNS_NAME_CHECKNAMES	0x0002 /*%< Used by rdata. */
+#define DNS_NAME_CHECKNAMESFAIL 0x0004 /*%< Used by rdata. */
+#define DNS_NAME_CHECKREVERSE	0x0008 /*%< Used by rdata. */
+#define DNS_NAME_CHECKMX	0x0010 /*%< Used by rdata. */
+#define DNS_NAME_CHECKMXFAIL	0x0020 /*%< Used by rdata. */
+
+LIBDNS_EXTERNAL_DATA extern const dns_name_t *dns_rootname;
+LIBDNS_EXTERNAL_DATA extern const dns_name_t *dns_wildcardname;
+
+/*%<
+ * DNS_NAME_INITNONABSOLUTE and DNS_NAME_INITABSOLUTE are macros for
+ * initializing dns_name_t structures.
+ *
+ * Note[1]: 'length' is set to (sizeof(A) - 1) in DNS_NAME_INITNONABSOLUTE
+ * and sizeof(A) in DNS_NAME_INITABSOLUTE to allow C strings to be used
+ * to initialize 'ndata'.
+ *
+ * Note[2]: The final value of offsets for DNS_NAME_INITABSOLUTE should
+ * match (sizeof(A) - 1) which is the offset of the root label.
+ *
+ * Typical usage:
+ *	unsigned char data[] = "\005value";
+ *	unsigned char offsets[] = { 0 };
+ *	dns_name_t value = DNS_NAME_INITNONABSOLUTE(data, offsets);
+ *
+ *	unsigned char data[] = "\005value";
+ *	unsigned char offsets[] = { 0, 6 };
+ *	dns_name_t value = DNS_NAME_INITABSOLUTE(data, offsets);
+ */
+#define DNS_NAME_INITNONABSOLUTE(A, B)                         \
+	{                                                      \
+		DNS_NAME_MAGIC, A, (sizeof(A) - 1), sizeof(B), \
+			DNS_NAMEATTR_READONLY, B, NULL,        \
+			{ (void *)-1, (void *)-1 }, {          \
+			NULL, NULL                             \
+		}                                              \
+	}
+
+#define DNS_NAME_INITABSOLUTE(A, B)                                       \
+	{                                                                 \
+		DNS_NAME_MAGIC, A, sizeof(A), sizeof(B),                  \
+			DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE, B, \
+			NULL, { (void *)-1, (void *)-1 }, {               \
+			NULL, NULL                                        \
+		}                                                         \
+	}
+
+#define DNS_NAME_INITEMPTY                                 \
+	{                                                  \
+		DNS_NAME_MAGIC, NULL, 0, 0, 0, NULL, NULL, \
+			{ (void *)-1, (void *)-1 }, {      \
+			NULL, NULL                         \
+		}                                          \
+	}
+
+/*%
+ * Standard size of a wire format name
+ */
+#define DNS_NAME_MAXWIRE 255
+
+/*
+ * Text output filter procedure.
+ * 'target' is the buffer to be converted.  The region to be converted
+ * is from 'buffer'->base + 'used_org' to the end of the used region.
+ */
+typedef isc_result_t(dns_name_totextfilter_t)(isc_buffer_t *target,
+					      unsigned int  used_org);
+
+/***
+ *** Initialization
+ ***/
+
+void
+dns_name_init(dns_name_t *name, unsigned char *offsets);
+/*%<
+ * Initialize 'name'.
+ *
+ * Notes:
+ * \li	'offsets' is never required to be non-NULL, but specifying a
+ *	dns_offsets_t for 'offsets' will improve the performance of most
+ *	name operations if the name is used more than once.
+ *
+ * Requires:
+ * \li	'name' is not NULL and points to a struct dns_name.
+ *
+ * \li	offsets == NULL or offsets is a dns_offsets_t.
+ *
+ * Ensures:
+ * \li	'name' is a valid name.
+ * \li	dns_name_countlabels(name) == 0
+ * \li	dns_name_isabsolute(name) == false
+ */
+
+void
+dns_name_reset(dns_name_t *name);
+/*%<
+ * Reinitialize 'name'.
+ *
+ * Notes:
+ * \li	This function distinguishes itself from dns_name_init() in two
+ *	key ways:
+ *
+ * \li	+ If any buffer is associated with 'name' (via dns_name_setbuffer()
+ *	  or by being part of a dns_fixedname_t) the link to the buffer
+ *	  is retained but the buffer itself is cleared.
+ *
+ * \li	+ Of the attributes associated with 'name', all are retained except
+ *	  DNS_NAMEATTR_ABSOLUTE.
+ *
+ * Requires:
+ * \li	'name' is a valid name.
+ *
+ * Ensures:
+ * \li	'name' is a valid name.
+ * \li	dns_name_countlabels(name) == 0
+ * \li	dns_name_isabsolute(name) == false
+ */
+
+void
+dns_name_invalidate(dns_name_t *name);
+/*%<
+ * Make 'name' invalid.
+ *
+ * Requires:
+ * \li	'name' is a valid name.
+ *
+ * Ensures:
+ * \li	If assertion checking is enabled, future attempts to use 'name'
+ *	without initializing it will cause an assertion failure.
+ *
+ * \li	If the name had a dedicated buffer, that association is ended.
+ */
+
+bool
+dns_name_isvalid(const dns_name_t *name);
+/*%<
+ * Check whether 'name' points to a valid dns_name
+ */
+
+/***
+ *** Dedicated Buffers
+ ***/
+
+void
+dns_name_setbuffer(dns_name_t *name, isc_buffer_t *buffer);
+/*%<
+ * Dedicate a buffer for use with 'name'.
+ *
+ * Notes:
+ * \li	Specification of a target buffer in dns_name_fromwire(),
+ *	dns_name_fromtext(), and dns_name_concatenate() is optional if
+ *	'name' has a dedicated buffer.
+ *
+ * \li	The caller must not write to buffer until the name has been
+ *	invalidated or is otherwise known not to be in use.
+ *
+ * \li	If buffer is NULL and the name previously had a dedicated buffer,
+ *	than that buffer is no longer dedicated to use with this name.
+ *	The caller is responsible for ensuring that the storage used by
+ *	the name remains valid.
+ *
+ * Requires:
+ * \li	'name' is a valid name.
+ *
+ * \li	'buffer' is a valid binary buffer and 'name' doesn't have a
+ *	dedicated buffer already, or 'buffer' is NULL.
+ */
+
+bool
+dns_name_hasbuffer(const dns_name_t *name);
+/*%<
+ * Does 'name' have a dedicated buffer?
+ *
+ * Requires:
+ * \li	'name' is a valid name.
+ *
+ * Returns:
+ * \li	true	'name' has a dedicated buffer.
+ * \li	false	'name' does not have a dedicated buffer.
+ */
+
+/***
+ *** Properties
+ ***/
+
+bool
+dns_name_isabsolute(const dns_name_t *name);
+/*%<
+ * Does 'name' end in the root label?
+ *
+ * Requires:
+ * \li	'name' is a valid name
+ *
+ * Returns:
+ * \li	TRUE		The last label in 'name' is the root label.
+ * \li	FALSE		The last label in 'name' is not the root label.
+ */
+
+bool
+dns_name_iswildcard(const dns_name_t *name);
+/*%<
+ * Is 'name' a wildcard name?
+ *
+ * Requires:
+ * \li	'name' is a valid name
+ *
+ * \li	dns_name_countlabels(name) > 0
+ *
+ * Returns:
+ * \li	TRUE		The least significant label of 'name' is '*'.
+ * \li	FALSE		The least significant label of 'name' is not '*'.
+ */
+
+unsigned int
+dns_name_hash(const dns_name_t *name, bool case_sensitive);
+/*%<
+ * Provide a hash value for 'name'.
+ *
+ * Note: if 'case_sensitive' is false, then names which differ only in
+ * case will have the same hash value.
+ *
+ * Requires:
+ * \li	'name' is a valid name
+ *
+ * Returns:
+ * \li	A hash value
+ */
+
+unsigned int
+dns_name_fullhash(const dns_name_t *name, bool case_sensitive);
+/*%<
+ * Provide a hash value for 'name'.  Unlike dns_name_hash(), this function
+ * always takes into account of the entire name to calculate the hash value.
+ *
+ * Note: if 'case_sensitive' is false, then names which differ only in
+ * case will have the same hash value.
+ *
+ * Requires:
+ *\li	'name' is a valid name
+ *
+ * Returns:
+ *\li	A hash value
+ */
+
+/*
+ *** Comparisons
+ ***/
+
+dns_namereln_t
+dns_name_fullcompare(const dns_name_t *name1, const dns_name_t *name2,
+		     int *orderp, unsigned int *nlabelsp);
+/*%<
+ * Determine the relative ordering under the DNSSEC order relation of
+ * 'name1' and 'name2', and also determine the hierarchical
+ * relationship of the names.
+ *
+ * Note: It makes no sense for one of the names to be relative and the
+ * other absolute.  If both names are relative, then to be meaningfully
+ * compared the caller must ensure that they are both relative to the
+ * same domain.
+ *
+ * Requires:
+ *\li	'name1' is a valid name
+ *
+ *\li	dns_name_countlabels(name1) > 0
+ *
+ *\li	'name2' is a valid name
+ *
+ *\li	dns_name_countlabels(name2) > 0
+ *
+ *\li	orderp and nlabelsp are valid pointers.
+ *
+ *\li	Either name1 is absolute and name2 is absolute, or neither is.
+ *
+ * Ensures:
+ *
+ *\li	*orderp is < 0 if name1 < name2, 0 if name1 = name2, > 0 if
+ *	name1 > name2.
+ *
+ *\li	*nlabelsp is the number of common significant labels.
+ *
+ * Returns:
+ *\li	dns_namereln_none		There's no hierarchical relationship
+ *					between name1 and name2.
+ *\li	dns_namereln_contains		name1 properly contains name2; i.e.
+ *					name2 is a proper subdomain of name1.
+ *\li	dns_namereln_subdomain		name1 is a proper subdomain of name2.
+ *\li	dns_namereln_equal		name1 and name2 are equal.
+ *\li	dns_namereln_commonancestor	name1 and name2 share a common
+ *					ancestor.
+ */
+
+int
+dns_name_compare(const dns_name_t *name1, const dns_name_t *name2);
+/*%<
+ * Determine the relative ordering under the DNSSEC order relation of
+ * 'name1' and 'name2'.
+ *
+ * Note: It makes no sense for one of the names to be relative and the
+ * other absolute.  If both names are relative, then to be meaningfully
+ * compared the caller must ensure that they are both relative to the
+ * same domain.
+ *
+ * Requires:
+ * \li	'name1' is a valid name
+ *
+ * \li	'name2' is a valid name
+ *
+ * \li	Either name1 is absolute and name2 is absolute, or neither is.
+ *
+ * Returns:
+ * \li	< 0		'name1' is less than 'name2'
+ * \li	0		'name1' is equal to 'name2'
+ * \li	> 0		'name1' is greater than 'name2'
+ */
+
+bool
+dns_name_equal(const dns_name_t *name1, const dns_name_t *name2);
+/*%<
+ * Are 'name1' and 'name2' equal?
+ *
+ * Notes:
+ * \li	Because it only needs to test for equality, dns_name_equal() can be
+ *	significantly faster than dns_name_fullcompare() or dns_name_compare().
+ *
+ * \li	Offsets tables are not used in the comparison.
+ *
+ * \li	It makes no sense for one of the names to be relative and the
+ *	other absolute.  If both names are relative, then to be meaningfully
+ * 	compared the caller must ensure that they are both relative to the
+ * 	same domain.
+ *
+ * Requires:
+ * \li	'name1' is a valid name
+ *
+ * \li	'name2' is a valid name
+ *
+ * \li	Either name1 is absolute and name2 is absolute, or neither is.
+ *
+ * Returns:
+ * \li	true	'name1' and 'name2' are equal
+ * \li	false	'name1' and 'name2' are not equal
+ */
+
+bool
+dns_name_caseequal(const dns_name_t *name1, const dns_name_t *name2);
+/*%<
+ * Case sensitive version of dns_name_equal().
+ */
+
+int
+dns_name_rdatacompare(const dns_name_t *name1, const dns_name_t *name2);
+/*%<
+ * Compare two names as if they are part of rdata in DNSSEC canonical
+ * form.
+ *
+ * Requires:
+ * \li	'name1' is a valid absolute name
+ *
+ * \li	dns_name_countlabels(name1) > 0
+ *
+ * \li	'name2' is a valid absolute name
+ *
+ * \li	dns_name_countlabels(name2) > 0
+ *
+ * Returns:
+ * \li	< 0		'name1' is less than 'name2'
+ * \li	0		'name1' is equal to 'name2'
+ * \li	> 0		'name1' is greater than 'name2'
+ */
+
+bool
+dns_name_issubdomain(const dns_name_t *name1, const dns_name_t *name2);
+/*%<
+ * Is 'name1' a subdomain of 'name2'?
+ *
+ * Notes:
+ * \li	name1 is a subdomain of name2 if name1 is contained in name2, or
+ *	name1 equals name2.
+ *
+ * \li	It makes no sense for one of the names to be relative and the
+ *	other absolute.  If both names are relative, then to be meaningfully
+ *	compared the caller must ensure that they are both relative to the
+ *	same domain.
+ *
+ * Requires:
+ * \li	'name1' is a valid name
+ *
+ * \li	'name2' is a valid name
+ *
+ * \li	Either name1 is absolute and name2 is absolute, or neither is.
+ *
+ * Returns:
+ * \li	TRUE		'name1' is a subdomain of 'name2'
+ * \li	FALSE		'name1' is not a subdomain of 'name2'
+ */
+
+bool
+dns_name_matcheswildcard(const dns_name_t *name, const dns_name_t *wname);
+/*%<
+ * Does 'name' match the wildcard specified in 'wname'?
+ *
+ * Notes:
+ * \li	name matches the wildcard specified in wname if all labels
+ *	following the wildcard in wname are identical to the same number
+ *	of labels at the end of name.
+ *
+ * \li	It makes no sense for one of the names to be relative and the
+ *	other absolute.  If both names are relative, then to be meaningfully
+ *	compared the caller must ensure that they are both relative to the
+ *	same domain.
+ *
+ * Requires:
+ * \li	'name' is a valid name
+ *
+ * \li	dns_name_countlabels(name) > 0
+ *
+ * \li	'wname' is a valid name
+ *
+ * \li	dns_name_countlabels(wname) > 0
+ *
+ * \li	dns_name_iswildcard(wname) is true
+ *
+ * \li	Either name is absolute and wname is absolute, or neither is.
+ *
+ * Returns:
+ * \li	TRUE		'name' matches the wildcard specified in 'wname'
+ * \li	FALSE		'name' does not match the wildcard specified in 'wname'
+ */
+
+/***
+ *** Labels
+ ***/
+
+unsigned int
+dns_name_countlabels(const dns_name_t *name);
+/*%<
+ * How many labels does 'name' have?
+ *
+ * Notes:
+ * \li	In this case, as in other places, a 'label' is an ordinary label.
+ *
+ * Requires:
+ * \li	'name' is a valid name
+ *
+ * Ensures:
+ * \li	The result is <= 128.
+ *
+ * Returns:
+ * \li	The number of labels in 'name'.
+ */
+
+void
+dns_name_getlabel(const dns_name_t *name, unsigned int n, dns_label_t *label);
+/*%<
+ * Make 'label' refer to the 'n'th least significant label of 'name'.
+ *
+ * Notes:
+ * \li	Numbering starts at 0.
+ *
+ * \li	Given "rc.vix.com.", the label 0 is "rc", and label 3 is the
+ *	root label.
+ *
+ * \li	'label' refers to the same memory as 'name', so 'name' must not
+ *	be changed while 'label' is still in use.
+ *
+ * Requires:
+ * \li	n < dns_name_countlabels(name)
+ */
+
+void
+dns_name_getlabelsequence(const dns_name_t *source, unsigned int first,
+			  unsigned int n, dns_name_t *target);
+/*%<
+ * Make 'target' refer to the 'n' labels including and following 'first'
+ * in 'source'.
+ *
+ * Notes:
+ * \li	Numbering starts at 0.
+ *
+ * \li	Given "rc.vix.com.", the label 0 is "rc", and label 3 is the
+ *	root label.
+ *
+ * \li	'target' refers to the same memory as 'source', so 'source'
+ *	must not be changed while 'target' is still in use.
+ *
+ * Requires:
+ * \li	'source' and 'target' are valid names.
+ *
+ * \li	first < dns_name_countlabels(name)
+ *
+ * \li	first + n <= dns_name_countlabels(name)
+ */
+
+void
+dns_name_clone(const dns_name_t *source, dns_name_t *target);
+/*%<
+ * Make 'target' refer to the same name as 'source'.
+ *
+ * Notes:
+ *
+ * \li	'target' refers to the same memory as 'source', so 'source'
+ *	must not be changed or freed while 'target' is still in use.
+ *
+ * \li	This call is functionally equivalent to:
+ *
+ * \code
+ *		dns_name_getlabelsequence(source, 0,
+ *					  dns_name_countlabels(source),
+ *					  target);
+ * \endcode
+ *
+ *	but is more efficient.  Also, dns_name_clone() works even if 'source'
+ *	is empty.
+ *
+ * Requires:
+ *
+ * \li	'source' is a valid name.
+ *
+ * \li	'target' is a valid name that is not read-only.
+ */
+
+/***
+ *** Conversions
+ ***/
+
+void
+dns_name_fromregion(dns_name_t *name, const isc_region_t *r);
+/*%<
+ * Make 'name' refer to region 'r'.
+ *
+ * Note:
+ * \li	If the conversion encounters a root label before the end of the
+ *	region the conversion stops and the length is set to the length
+ *	so far converted.  A maximum of 255 bytes is converted.
+ *
+ * Requires:
+ * \li	The data in 'r' is a sequence of one or more type 00 or type 01000001
+ *	labels.
+ */
+
+void
+dns_name_toregion(const dns_name_t *name, isc_region_t *r);
+/*%<
+ * Make 'r' refer to 'name'.
+ *
+ * Requires:
+ *
+ * \li	'name' is a valid name.
+ *
+ * \li	'r' is a valid region.
+ */
+
+isc_result_t
+dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
+		  dns_decompress_t *dctx, unsigned int options,
+		  isc_buffer_t *target);
+/*%<
+ * Copy the possibly-compressed name at source (active region) into target,
+ * decompressing it.
+ *
+ * Notes:
+ * \li	Decompression policy is controlled by 'dctx'.
+ *
+ * \li	If DNS_NAME_DOWNCASE is set, any uppercase letters in 'source' will be
+ *	downcased when they are copied into 'target'.
+ *
+ * Security:
+ *
+ * \li	*** WARNING ***
+ *
+ * \li	This routine will often be used when 'source' contains raw network
+ *	data.  A programming error in this routine could result in a denial
+ *	of service, or in the hijacking of the server.
+ *
+ * Requires:
+ *
+ * \li	'name' is a valid name.
+ *
+ * \li	'source' is a valid buffer and the first byte of the active
+ *	region should be the first byte of a DNS wire format domain name.
+ *
+ * \li	'target' is a valid buffer or 'target' is NULL and 'name' has
+ *	a dedicated buffer.
+ *
+ * \li	'dctx' is a valid decompression context.
+ *
+ * Ensures:
+ *
+ *	If result is success:
+ * \li	 	If 'target' is not NULL, 'name' is attached to it.
+ *
+ * \li		Uppercase letters are downcased in the copy iff
+ *		DNS_NAME_DOWNCASE is set in options.
+ *
+ * \li		The current location in source is advanced, and the used space
+ *		in target is updated.
+ *
+ * Result:
+ * \li	Success
+ * \li	Bad Form: Label Length
+ * \li	Bad Form: Unknown Label Type
+ * \li	Bad Form: Name Length
+ * \li	Bad Form: Compression type not allowed
+ * \li	Bad Form: Bad compression pointer
+ * \li	Bad Form: Input too short
+ * \li	Resource Limit: Too many compression pointers
+ * \li	Resource Limit: Not enough space in buffer
+ */
+
+isc_result_t
+dns_name_towire(const dns_name_t *name, dns_compress_t *cctx,
+		isc_buffer_t *target);
+isc_result_t
+dns_name_towire2(const dns_name_t *name, dns_compress_t *cctx,
+		 isc_buffer_t *target, uint16_t *comp_offsetp);
+/*%<
+ * Convert 'name' into wire format, compressing it as specified by the
+ * compression context 'cctx', and storing the result in 'target'.
+ *
+ * Notes:
+ * \li	If the compression context allows global compression, then the
+ *	global compression table may be updated.
+ *
+ * Requires:
+ * \li	'name' is a valid name
+ *
+ * \li	dns_name_countlabels(name) > 0
+ *
+ * \li	dns_name_isabsolute(name) == TRUE
+ *
+ * \li	target is a valid buffer.
+ *
+ * \li	Any offsets specified in a global compression table are valid
+ *	for buffer.
+ *
+ * Ensures:
+ *
+ *	If the result is success:
+ *
+ * \li		The used space in target is updated.
+ *
+ * Returns:
+ * \li	Success
+ * \li	Resource Limit: Not enough space in buffer
+ */
+
+isc_result_t
+dns_name_fromtext(dns_name_t *name, isc_buffer_t *source,
+		  const dns_name_t *origin, unsigned int options,
+		  isc_buffer_t *target);
+/*%<
+ * Convert the textual representation of a DNS name at source
+ * into uncompressed wire form stored in target.
+ *
+ * Notes:
+ * \li	Relative domain names will have 'origin' appended to them
+ *	unless 'origin' is NULL, in which case relative domain names
+ *	will remain relative.
+ *
+ * \li	If DNS_NAME_DOWNCASE is set in 'options', any uppercase letters
+ *	in 'source' will be downcased when they are copied into 'target'.
+ *
+ * Requires:
+ *
+ * \li	'name' is a valid name.
+ *
+ * \li	'source' is a valid buffer.
+ *
+ * \li	'target' is a valid buffer or 'target' is NULL and 'name' has
+ *	a dedicated buffer.
+ *
+ * Ensures:
+ *
+ *	If result is success:
+ * \li	 	If 'target' is not NULL, 'name' is attached to it.
+ *
+ * \li		Uppercase letters are downcased in the copy iff
+ *		DNS_NAME_DOWNCASE is set in 'options'.
+ *
+ * \li		The current location in source is advanced, and the used space
+ *		in target is updated.
+ *
+ * Result:
+ *\li	#ISC_R_SUCCESS
+ *\li	#DNS_R_EMPTYLABEL
+ *\li	#DNS_R_LABELTOOLONG
+ *\li	#DNS_R_BADESCAPE
+ *\li	#DNS_R_BADDOTTEDQUAD
+ *\li	#ISC_R_NOSPACE
+ *\li	#ISC_R_UNEXPECTEDEND
+ */
+
+#define DNS_NAME_OMITFINALDOT 0x01U
+#define DNS_NAME_MASTERFILE   0x02U /* escape $ and @ */
+
+isc_result_t
+dns_name_toprincipal(const dns_name_t *name, isc_buffer_t *target);
+
+isc_result_t
+dns_name_totext(const dns_name_t *name, bool omit_final_dot,
+		isc_buffer_t *target);
+
+isc_result_t
+dns_name_totext2(const dns_name_t *name, unsigned int options,
+		 isc_buffer_t *target);
+/*%<
+ * Convert 'name' into text format, storing the result in 'target'.
+ *
+ * Notes:
+ *\li	If 'omit_final_dot' is true, then the final '.' in absolute
+ *	names other than the root name will be omitted.
+ *
+ *\li	If DNS_NAME_OMITFINALDOT is set in options, then the final '.'
+ *	in absolute names other than the root name will be omitted.
+ *
+ *\li	If DNS_NAME_MASTERFILE is set in options, '$' and '@' will also
+ *	be escaped.
+ *
+ *\li	If dns_name_countlabels == 0, the name will be "@", representing the
+ *	current origin as described by RFC1035.
+ *
+ *\li	The name is not NUL terminated.
+ *
+ * Requires:
+ *
+ *\li	'name' is a valid name
+ *
+ *\li	'target' is a valid buffer.
+ *
+ *\li	if dns_name_isabsolute == FALSE, then omit_final_dot == FALSE
+ *
+ * Ensures:
+ *
+ *\li	If the result is success:
+ *		the used space in target is updated.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOSPACE
+ */
+
+#define DNS_NAME_MAXTEXT 1023
+/*%<
+ * The maximum length of the text representation of a domain
+ * name as generated by dns_name_totext().  This does not
+ * include space for a terminating NULL.
+ *
+ * This definition is conservative - the actual maximum
+ * is 1004, derived as follows:
+ *
+ *   A backslash-decimal escaped character takes 4 bytes.
+ *   A wire-encoded name can be up to 255 bytes and each
+ *   label is one length byte + at most 63 bytes of data.
+ *   Maximizing the label lengths gives us a name of
+ *   three 63-octet labels, one 61-octet label, and the
+ *   root label:
+ *
+ *      1 + 63 + 1 + 63 + 1 + 63 + 1 + 61 + 1 = 255
+ *
+ *   When printed, this is (3 * 63 + 61) * 4
+ *   bytes for the escaped label data + 4 bytes for the
+ *   dot terminating each label = 1004 bytes total.
+ */
+
+isc_result_t
+dns_name_tofilenametext(const dns_name_t *name, bool omit_final_dot,
+			isc_buffer_t *target);
+/*%<
+ * Convert 'name' into an alternate text format appropriate for filenames,
+ * storing the result in 'target'.  The name data is downcased, guaranteeing
+ * that the filename does not depend on the case of the converted name.
+ *
+ * Notes:
+ *\li	If 'omit_final_dot' is true, then the final '.' in absolute
+ *	names other than the root name will be omitted.
+ *
+ *\li	The name is not NUL terminated.
+ *
+ * Requires:
+ *
+ *\li	'name' is a valid absolute name
+ *
+ *\li	'target' is a valid buffer.
+ *
+ * Ensures:
+ *
+ *\li	If the result is success:
+ *		the used space in target is updated.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOSPACE
+ */
+
+isc_result_t
+dns_name_downcase(const dns_name_t *source, dns_name_t *name,
+		  isc_buffer_t *target);
+/*%<
+ * Downcase 'source'.
+ *
+ * Requires:
+ *
+ *\li	'source' and 'name' are valid names.
+ *
+ *\li	If source == name, then
+ *		'source' must not be read-only
+ *
+ *\li	Otherwise,
+ *		'target' is a valid buffer or 'target' is NULL and
+ *		'name' has a dedicated buffer.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOSPACE
+ *
+ * Note: if source == name, then the result will always be ISC_R_SUCCESS.
+ */
+
+isc_result_t
+dns_name_concatenate(const dns_name_t *prefix, const dns_name_t *suffix,
+		     dns_name_t *name, isc_buffer_t *target);
+/*%<
+ *	Concatenate 'prefix' and 'suffix'.
+ *
+ * Requires:
+ *
+ *\li	'prefix' is a valid name or NULL.
+ *
+ *\li	'suffix' is a valid name or NULL.
+ *
+ *\li	'name' is a valid name or NULL.
+ *
+ *\li	'target' is a valid buffer or 'target' is NULL and 'name' has
+ *	a dedicated buffer.
+ *
+ *\li	If 'prefix' is absolute, 'suffix' must be NULL or the empty name.
+ *
+ * Ensures:
+ *
+ *\li	On success,
+ *	 	If 'target' is not NULL and 'name' is not NULL, then 'name'
+ *		is attached to it.
+ *		The used space in target is updated.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOSPACE
+ *\li	#DNS_R_NAMETOOLONG
+ */
+
+void
+dns_name_split(const dns_name_t *name, unsigned int suffixlabels,
+	       dns_name_t *prefix, dns_name_t *suffix);
+/*%<
+ *
+ * Split 'name' into two pieces on a label boundary.
+ *
+ * Notes:
+ * \li     'name' is split such that 'suffix' holds the most significant
+ *      'suffixlabels' labels.  All other labels are stored in 'prefix'.
+ *
+ *\li	Copying name data is avoided as much as possible, so 'prefix'
+ *	and 'suffix' will end up pointing at the data for 'name'.
+ *
+ *\li	It is legitimate to pass a 'prefix' or 'suffix' that has
+ *	its name data stored someplace other than the dedicated buffer.
+ *	This is useful to avoid name copying in the calling function.
+ *
+ *\li	It is also legitimate to pass a 'prefix' or 'suffix' that is
+ *	the same dns_name_t as 'name'.
+ *
+ * Requires:
+ *\li	'name' is a valid name.
+ *
+ *\li	'suffixlabels' cannot exceed the number of labels in 'name'.
+ *
+ * \li	'prefix' is a valid name or NULL, and cannot be read-only.
+ *
+ *\li	'suffix' is a valid name or NULL, and cannot be read-only.
+ *
+ * Ensures:
+ *
+ *\li	On success:
+ *		If 'prefix' is not NULL it will contain the least significant
+ *		labels.
+ *		If 'suffix' is not NULL it will contain the most significant
+ *		labels.  dns_name_countlabels(suffix) will be equal to
+ *		suffixlabels.
+ *
+ *\li	On failure:
+ *		Either 'prefix' or 'suffix' is invalidated (depending
+ *		on which one the problem was encountered with).
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS	No worries.  (This function should always success).
+ */
+
+void
+dns_name_dup(const dns_name_t *source, isc_mem_t *mctx, dns_name_t *target);
+/*%<
+ * Make 'target' a dynamically allocated copy of 'source'.
+ *
+ * Requires:
+ *
+ *\li	'source' is a valid non-empty name.
+ *
+ *\li	'target' is a valid name that is not read-only.
+ *
+ *\li	'mctx' is a valid memory context.
+ */
+
+isc_result_t
+dns_name_dupwithoffsets(const dns_name_t *source, isc_mem_t *mctx,
+			dns_name_t *target);
+/*%<
+ * Make 'target' a read-only dynamically allocated copy of 'source'.
+ * 'target' will also have a dynamically allocated offsets table.
+ *
+ * Requires:
+ *
+ *\li	'source' is a valid non-empty name.
+ *
+ *\li	'target' is a valid name that is not read-only.
+ *
+ *\li	'target' has no offsets table.
+ *
+ *\li	'mctx' is a valid memory context.
+ */
+
+void
+dns_name_free(dns_name_t *name, isc_mem_t *mctx);
+/*%<
+ * Free 'name'.
+ *
+ * Requires:
+ *
+ *\li	'name' is a valid name created previously in 'mctx' by dns_name_dup().
+ *
+ *\li	'mctx' is a valid memory context.
+ *
+ * Ensures:
+ *
+ *\li	All dynamic resources used by 'name' are freed and the name is
+ *	invalidated.
+ */
+
+isc_result_t
+dns_name_digest(const dns_name_t *name, dns_digestfunc_t digest, void *arg);
+/*%<
+ * Send 'name' in DNSSEC canonical form to 'digest'.
+ *
+ * Requires:
+ *
+ *\li	'name' is a valid name.
+ *
+ *\li	'digest' is a valid dns_digestfunc_t.
+ *
+ * Ensures:
+ *
+ *\li	If successful, the DNSSEC canonical form of 'name' will have been
+ *	sent to 'digest'.
+ *
+ *\li	If digest() returns something other than ISC_R_SUCCESS, that result
+ *	will be returned as the result of dns_name_digest().
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *
+ *\li	Many other results are possible if not successful.
+ *
+ */
+
+bool
+dns_name_dynamic(const dns_name_t *name);
+/*%<
+ * Returns whether there is dynamic memory associated with this name.
+ *
+ * Requires:
+ *
+ *\li	'name' is a valid name.
+ *
+ * Returns:
+ *
+ *\li	'true' if the name is dynamic otherwise 'false'.
+ */
+
+isc_result_t
+dns_name_print(const dns_name_t *name, FILE *stream);
+/*%<
+ * Print 'name' on 'stream'.
+ *
+ * Requires:
+ *
+ *\li	'name' is a valid name.
+ *
+ *\li	'stream' is a valid stream.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *
+ *\li	Any error that dns_name_totext() can return.
+ */
+
+void
+dns_name_format(const dns_name_t *name, char *cp, unsigned int size);
+/*%<
+ * Format 'name' as text appropriate for use in log messages.
+ *
+ * Store the formatted name at 'cp', writing no more than
+ * 'size' bytes.  The resulting string is guaranteed to be
+ * null terminated.
+ *
+ * The formatted name will have a terminating dot only if it is
+ * the root.
+ *
+ * This function cannot fail, instead any errors are indicated
+ * in the returned text.
+ *
+ * Requires:
+ *
+ *\li	'name' is a valid name.
+ *
+ *\li	'cp' points a valid character array of size 'size'.
+ *
+ *\li	'size' > 0.
+ *
+ */
+
+isc_result_t
+dns_name_tostring(const dns_name_t *source, char **target, isc_mem_t *mctx);
+/*%<
+ * Convert 'name' to string format, allocating sufficient memory to
+ * hold it (free with isc_mem_free()).
+ *
+ * Differs from dns_name_format in that it allocates its own memory.
+ *
+ * Requires:
+ *
+ *\li	'name' is a valid name.
+ *\li	'target' is not NULL.
+ *\li	'*target' is NULL.
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_NOMEMORY
+ *
+ *\li	Any error that dns_name_totext() can return.
+ */
+
+isc_result_t
+dns_name_fromstring(dns_name_t *target, const char *src, unsigned int options,
+		    isc_mem_t *mctx);
+isc_result_t
+dns_name_fromstring2(dns_name_t *target, const char *src,
+		     const dns_name_t *origin, unsigned int options,
+		     isc_mem_t *mctx);
+/*%<
+ * Convert a string to a name and place it in target, allocating memory
+ * as necessary.  'options' has the same semantics as that of
+ * dns_name_fromtext().
+ *
+ * If 'target' has a buffer then the name will be copied into it rather than
+ * memory being allocated.
+ *
+ * Requires:
+ *
+ * \li	'target' is a valid name that is not read-only.
+ * \li	'src' is not NULL.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *
+ *\li	Any error that dns_name_fromtext() can return.
+ *
+ *\li	Any error that dns_name_dup() can return.
+ */
+
+isc_result_t
+dns_name_settotextfilter(dns_name_totextfilter_t *proc);
+/*%<
+ * Set / clear a thread specific function 'proc' to be called at the
+ * end of dns_name_totext().
+ *
+ * Note: Under Windows you need to call "dns_name_settotextfilter(NULL);"
+ * prior to exiting the thread otherwise memory will be leaked.
+ * For other platforms, which are pthreads based, this is still a good
+ * idea but not required.
+ *
+ * Returns
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_UNEXPECTED
+ */
+
+#define DNS_NAME_FORMATSIZE (DNS_NAME_MAXTEXT + 1)
+/*%<
+ * Suggested size of buffer passed to dns_name_format().
+ * Includes space for the terminating NULL.
+ */
+
+isc_result_t
+dns_name_copy(const dns_name_t *source, dns_name_t *dest, isc_buffer_t *target);
+/*%<
+ * Copies the name in 'source' into 'dest'.  The name data is copied to
+ * the 'target' buffer, which is then set as the buffer for 'dest'.
+ *
+ * Requires:
+ * \li	'source' is a valid name.
+ *
+ * \li	'dest' is an initialized name.
+ *
+ * \li	'target' is an initialized buffer.
+ *
+ * Ensures:
+ *
+ *\li	On success, the used space in target is updated.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOSPACE
+ */
+
+void
+dns_name_copynf(const dns_name_t *source, dns_name_t *dest);
+/*%<
+ * Copies the name in 'source' into 'dest'.  The name data is copied to
+ * the dedicated buffer for 'dest'.
+ *
+ * Requires:
+ * \li	'source' is a valid name.
+ *
+ * \li	'dest' is an initialized name with a dedicated buffer.
+ */
+
+bool
+dns_name_ishostname(const dns_name_t *name, bool wildcard);
+/*%<
+ * Return if 'name' is a valid hostname.  RFC 952 / RFC 1123.
+ * If 'wildcard' is true then allow the first label of name to
+ * be a wildcard.
+ * The root is also accepted.
+ *
+ * Requires:
+ *	'name' to be valid.
+ */
+
+bool
+dns_name_ismailbox(const dns_name_t *name);
+/*%<
+ * Return if 'name' is a valid mailbox.  RFC 821.
+ *
+ * Requires:
+ * \li	'name' to be valid.
+ */
+
+bool
+dns_name_internalwildcard(const dns_name_t *name);
+/*%<
+ * Return if 'name' contains a internal wildcard name.
+ *
+ * Requires:
+ * \li	'name' to be valid.
+ */
+
+bool
+dns_name_isdnssd(const dns_name_t *owner);
+/*%<
+ * Determine if the 'owner' is a DNS-SD prefix.
+ */
+
+bool
+dns_name_isrfc1918(const dns_name_t *owner);
+/*%<
+ * Determine if the 'name' is in the RFC 1918 reverse namespace.
+ */
+
+bool
+dns_name_isula(const dns_name_t *owner);
+/*%<
+ * Determine if the 'name' is in the ULA reverse namespace.
+ */
+
+bool
+dns_name_istat(const dns_name_t *name);
+/*
+ * Determine if 'name' is a potential 'trust-anchor-telemetry' name.
+ */
+
+ISC_LANG_ENDDECLS
+
+/*
+ *** High Performance Macros
+ ***/
+
+/*
+ * WARNING:  Use of these macros by applications may require recompilation
+ *           of the application in some situations where calling the function
+ *           would not.
+ *
+ * WARNING:  No assertion checking is done for these macros.
+ */
+
+#define DNS_NAME_INIT(n, o)                       \
+	do {                                      \
+		dns_name_t *_n = (n);             \
+		/* memset(_n, 0, sizeof(*_n)); */ \
+		_n->magic = DNS_NAME_MAGIC;       \
+		_n->ndata = NULL;                 \
+		_n->length = 0;                   \
+		_n->labels = 0;                   \
+		_n->attributes = 0;               \
+		_n->offsets = (o);                \
+		_n->buffer = NULL;                \
+		ISC_LINK_INIT(_n, link);          \
+		ISC_LIST_INIT(_n->list);          \
+	} while (0)
+
+#define DNS_NAME_RESET(n)                                  \
+	do {                                               \
+		(n)->ndata = NULL;                         \
+		(n)->length = 0;                           \
+		(n)->labels = 0;                           \
+		(n)->attributes &= ~DNS_NAMEATTR_ABSOLUTE; \
+		if ((n)->buffer != NULL)                   \
+			isc_buffer_clear((n)->buffer);     \
+	} while (0)
+
+#define DNS_NAME_SETBUFFER(n, b) (n)->buffer = (b)
+
+#define DNS_NAME_ISABSOLUTE(n) \
+	(((n)->attributes & DNS_NAMEATTR_ABSOLUTE) != 0 ? true : false)
+
+#define DNS_NAME_COUNTLABELS(n) ((n)->labels)
+
+#define DNS_NAME_TOREGION(n, r)            \
+	do {                               \
+		(r)->base = (n)->ndata;    \
+		(r)->length = (n)->length; \
+	} while (0)
+
+#define DNS_NAME_SPLIT(n, l, p, s)                                             \
+	do {                                                                   \
+		dns_name_t  *_n = (n);                                         \
+		dns_name_t  *_p = (p);                                         \
+		dns_name_t  *_s = (s);                                         \
+		unsigned int _l = (l);                                         \
+		if (_p != NULL)                                                \
+			dns_name_getlabelsequence(_n, 0, _n->labels - _l, _p); \
+		if (_s != NULL)                                                \
+			dns_name_getlabelsequence(_n, _n->labels - _l, _l,     \
+						  _s);                         \
+	} while (0)
+
+#ifdef DNS_NAME_USEINLINE
+
+#define dns_name_init(n, o)	   DNS_NAME_INIT(n, o)
+#define dns_name_reset(n)	   DNS_NAME_RESET(n)
+#define dns_name_setbuffer(n, b)   DNS_NAME_SETBUFFER(n, b)
+#define dns_name_countlabels(n)	   DNS_NAME_COUNTLABELS(n)
+#define dns_name_isabsolute(n)	   DNS_NAME_ISABSOLUTE(n)
+#define dns_name_toregion(n, r)	   DNS_NAME_TOREGION(n, r)
+#define dns_name_split(n, l, p, s) DNS_NAME_SPLIT(n, l, p, s)
+
+#endif /* DNS_NAME_USEINLINE */
+
+#endif /* DNS_NAME_H */
diff --git a/lib/dns/include/dns/ncache.h b/lib/dns/include/dns/ncache.h
new file mode 100644
index 0000000..783808c
--- /dev/null
+++ b/lib/dns/include/dns/ncache.h
@@ -0,0 +1,187 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_NCACHE_H
+#define DNS_NCACHE_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file dns/ncache.h
+ *\brief
+ * DNS Ncache
+ *
+ * XXX TBS XXX
+ *
+ * MP:
+ *\li	The caller must ensure any required synchronization.
+ *
+ * Reliability:
+ *\li	No anticipated impact.
+ *
+ * Resources:
+ *\li	TBS
+ *
+ * Security:
+ *\li	No anticipated impact.
+ *
+ * Standards:
+ *\li	RFC2308
+ */
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/stdtime.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*%
+ * _OMITDNSSEC:
+ *      Omit DNSSEC records when rendering.
+ */
+#define DNS_NCACHETOWIRE_OMITDNSSEC 0x0001
+
+isc_result_t
+dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
+	       dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t minttl,
+	       dns_ttl_t maxttl, dns_rdataset_t *addedrdataset);
+isc_result_t
+dns_ncache_addoptout(dns_message_t *message, dns_db_t *cache,
+		     dns_dbnode_t *node, dns_rdatatype_t covers,
+		     isc_stdtime_t now, dns_ttl_t minttl, dns_ttl_t maxttl,
+		     bool optout, dns_rdataset_t *addedrdataset);
+/*%<
+ * Convert the authority data from 'message' into a negative cache
+ * rdataset, and store it in 'cache' at 'node' with a TTL limited to
+ * 'maxttl'.
+ *
+ * \li dns_ncache_add produces a negative cache entry with a trust of no
+ *     more than answer
+ * \li dns_ncache_addoptout produces a negative cache entry which will have
+ *     a trust of secure if all the records that make up the entry are secure.
+ *
+ * The 'covers' argument is the RR type whose nonexistence we are caching,
+ * or dns_rdatatype_any when caching a NXDOMAIN response.
+ *
+ * 'optout' indicates a DNS_RDATASETATTR_OPTOUT should be set.
+ *
+ * Note:
+ *\li	If 'addedrdataset' is not NULL, then it will be attached to the added
+ *	rdataset.  See dns_db_addrdataset() for more details.
+ *
+ * Requires:
+ *\li	'message' is a valid message with a properly formatting negative cache
+ *	authority section.
+ *
+ *\li	The requirements of dns_db_addrdataset() apply to 'cache', 'node',
+ *	'now', and 'addedrdataset'.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOSPACE
+ *
+ *\li	Any result code of dns_db_addrdataset() is a possible result code
+ *	of dns_ncache_add().
+ */
+
+isc_result_t
+dns_ncache_towire(dns_rdataset_t *rdataset, dns_compress_t *cctx,
+		  isc_buffer_t *target, unsigned int options,
+		  unsigned int *countp);
+/*%<
+ * Convert the negative caching rdataset 'rdataset' to wire format,
+ * compressing names as specified in 'cctx', and storing the result in
+ * 'target'.  If 'omit_dnssec' is set, DNSSEC records will not
+ * be added to 'target'.
+ *
+ * Notes:
+ *\li	The number of RRs added to target will be added to *countp.
+ *
+ * Requires:
+ *\li	'rdataset' is a valid negative caching rdataset.
+ *
+ *\li	'rdataset' is not empty.
+ *
+ *\li	'countp' is a valid pointer.
+ *
+ * Ensures:
+ *\li	On a return of ISC_R_SUCCESS, 'target' contains a wire format
+ *	for the data contained in 'rdataset'.  Any error return leaves
+ *	the buffer unchanged.
+ *
+ *\li	*countp has been incremented by the number of RRs added to
+ *	target.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		- all ok
+ *\li	#ISC_R_NOSPACE		- 'target' doesn't have enough room
+ *
+ *\li	Any error returned by dns_rdata_towire(), dns_rdataset_next(),
+ *	dns_name_towire().
+ */
+
+isc_result_t
+dns_ncache_getrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name,
+		       dns_rdatatype_t type, dns_rdataset_t *rdataset);
+/*%<
+ * Search the negative caching rdataset for an rdataset with the
+ * specified name and type.
+ *
+ * Requires:
+ *\li	'ncacherdataset' is a valid negative caching rdataset.
+ *
+ *\li	'ncacherdataset' is not empty.
+ *
+ *\li	'name' is a valid name.
+ *
+ *\li	'type' is not SIG, or a meta-RR type.
+ *
+ *\li	'rdataset' is a valid disassociated rdataset.
+ *
+ * Ensures:
+ *\li	On a return of ISC_R_SUCCESS, 'rdataset' is bound to the found
+ *	rdataset.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		- the rdataset was found.
+ *\li	#ISC_R_NOTFOUND		- the rdataset was not found.
+ *
+ */
+
+isc_result_t
+dns_ncache_getsigrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name,
+			  dns_rdatatype_t covers, dns_rdataset_t *rdataset);
+/*%<
+ * Similar to dns_ncache_getrdataset() but get the rrsig that matches.
+ */
+
+void
+dns_ncache_current(dns_rdataset_t *ncacherdataset, dns_name_t *found,
+		   dns_rdataset_t *rdataset);
+
+/*%<
+ * Extract the current rdataset and name from a ncache entry.
+ *
+ * Requires:
+ * \li	'ncacherdataset' to be valid and to be a negative cache entry
+ * \li	'found' to be valid.
+ * \li	'rdataset' to be unassociated.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_NCACHE_H */
diff --git a/lib/dns/include/dns/nsec.h b/lib/dns/include/dns/nsec.h
new file mode 100644
index 0000000..efe2f94
--- /dev/null
+++ b/lib/dns/include/dns/nsec.h
@@ -0,0 +1,114 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_NSEC_H
+#define DNS_NSEC_H 1
+
+/*! \file dns/nsec.h */
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+
+#include <dns/name.h>
+#include <dns/types.h>
+
+#define DNS_NSEC_BUFFERSIZE (DNS_NAME_MAXWIRE + 8192 + 512)
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_nsec_buildrdata(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
+		    const dns_name_t *target, unsigned char *buffer,
+		    dns_rdata_t *rdata);
+/*%<
+ * Build the rdata of a NSEC record.
+ *
+ * Requires:
+ *\li	buffer	Points to a temporary buffer of at least
+ * 		DNS_NSEC_BUFFERSIZE bytes.
+ *\li	rdata	Points to an initialized dns_rdata_t.
+ *
+ * Ensures:
+ *  \li    *rdata	Contains a valid NSEC rdata.  The 'data' member refers
+ *		to 'buffer'.
+ */
+
+isc_result_t
+dns_nsec_build(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
+	       const dns_name_t *target, dns_ttl_t ttl);
+/*%<
+ * Build a NSEC record and add it to a database.
+ */
+
+bool
+dns_nsec_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type);
+/*%<
+ * Determine if a type is marked as present in an NSEC record.
+ *
+ * Requires:
+ *\li	'nsec' points to a valid rdataset of type NSEC
+ */
+
+isc_result_t
+dns_nsec_nseconly(dns_db_t *db, dns_dbversion_t *version, bool *answer);
+/*
+ * Report whether the DNSKEY RRset has a NSEC only algorithm.  Unknown
+ * algorithms are assumed to support NSEC3.  If DNSKEY is not found,
+ * *answer is set to false, and ISC_R_NOTFOUND is returned.
+ *
+ * Requires:
+ * 	'answer' to be non NULL.
+ */
+
+unsigned int
+dns_nsec_compressbitmap(unsigned char *map, const unsigned char *raw,
+			unsigned int max_type);
+/*%<
+ * Convert a raw bitmap into a compressed windowed bit map.  'map' and 'raw'
+ * may overlap.
+ *
+ * Returns the length of the compressed windowed bit map.
+ */
+
+void
+dns_nsec_setbit(unsigned char *array, unsigned int type, unsigned int bit);
+/*%<
+ * Set type bit in raw 'array' to 'bit'.
+ */
+
+bool
+dns_nsec_isset(const unsigned char *array, unsigned int type);
+/*%<
+ * Test if the corresponding 'type' bit is set in 'array'.
+ */
+
+isc_result_t
+dns_nsec_noexistnodata(dns_rdatatype_t type, const dns_name_t *name,
+		       const dns_name_t *nsecname, dns_rdataset_t *nsecset,
+		       bool *exists, bool *data, dns_name_t *wild,
+		       dns_nseclog_t log, void *arg);
+/*%
+ * Return ISC_R_SUCCESS if we can determine that the name doesn't exist
+ * or we can determine whether there is data or not at the name.
+ * If the name does not exist return the wildcard name.
+ *
+ * Return DNS_R_DNAME when the NSEC indicates that name is covered by
+ * a DNAME.  'wild' is not set in this case.
+ *
+ * Return ISC_R_IGNORE when the NSEC is not the appropriate one.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_NSEC_H */
diff --git a/lib/dns/include/dns/nsec3.h b/lib/dns/include/dns/nsec3.h
new file mode 100644
index 0000000..3f20816
--- /dev/null
+++ b/lib/dns/include/dns/nsec3.h
@@ -0,0 +1,272 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_NSEC3_H
+#define DNS_NSEC3_H 1
+
+#include <stdbool.h>
+
+#include <isc/iterated_hash.h>
+#include <isc/lang.h>
+#include <isc/log.h>
+
+#include <dns/db.h>
+#include <dns/diff.h>
+#include <dns/name.h>
+#include <dns/rdatastruct.h>
+#include <dns/types.h>
+
+#define DNS_NSEC3_SALTSIZE	255
+#define DNS_NSEC3_MAXITERATIONS 150U
+
+/*
+ * hash = 1, flags =1, iterations = 2, salt length = 1, salt = 255 (max)
+ * hash length = 1, hash = 255 (max), bitmap = 8192 + 512 (max)
+ */
+#define DNS_NSEC3_BUFFERSIZE (6 + 255 + 255 + 8192 + 512)
+/*
+ * hash = 1, flags = 1, iterations = 2, salt length = 1, salt = 255 (max)
+ */
+#define DNS_NSEC3PARAM_BUFFERSIZE (5 + 255)
+
+/*
+ * Test "unknown" algorithm.  Is mapped to dns_hash_sha1.
+ */
+#define DNS_NSEC3_UNKNOWNALG ((dns_hash_t)245U)
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_nsec3_buildrdata(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
+		     unsigned int hashalg, unsigned int optin,
+		     unsigned int iterations, const unsigned char *salt,
+		     size_t salt_length, const unsigned char *nexthash,
+		     size_t hash_length, unsigned char *buffer,
+		     dns_rdata_t *rdata);
+/*%<
+ * Build the rdata of a NSEC3 record for the data at 'node'.
+ * Note: 'node' is not the node where the NSEC3 record will be stored.
+ *
+ * Requires:
+ *	buffer	Points to a temporary buffer of at least
+ * 		DNS_NSEC_BUFFERSIZE bytes.
+ *	rdata	Points to an initialized dns_rdata_t.
+ *
+ * Ensures:
+ *      *rdata	Contains a valid NSEC3 rdata.  The 'data' member refers
+ *		to 'buffer'.
+ */
+
+bool
+dns_nsec3_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type);
+/*%<
+ * Determine if a type is marked as present in an NSEC3 record.
+ *
+ * Requires:
+ *	'nsec' points to a valid rdataset of type NSEC3
+ */
+
+isc_result_t
+dns_nsec3_generate_salt(unsigned char *salt, size_t saltlen);
+/*%<
+ * Generate a salt with the given salt length.
+ */
+
+isc_result_t
+dns_nsec3_hashname(dns_fixedname_t *result,
+		   unsigned char    rethash[NSEC3_MAX_HASH_LENGTH],
+		   size_t *hash_length, const dns_name_t *name,
+		   const dns_name_t *origin, dns_hash_t hashalg,
+		   unsigned int iterations, const unsigned char *salt,
+		   size_t saltlength);
+/*%<
+ * Make a hashed domain name from an unhashed one. If rethash is not NULL
+ * the raw hash is stored there.
+ */
+
+unsigned int
+dns_nsec3_hashlength(dns_hash_t hash);
+/*%<
+ * Return the length of the hash produced by the specified algorithm
+ * or zero when unknown.
+ */
+
+bool
+dns_nsec3_supportedhash(dns_hash_t hash);
+/*%<
+ * Return whether we support this hash algorithm or not.
+ */
+
+isc_result_t
+dns_nsec3_addnsec3(dns_db_t *db, dns_dbversion_t *version,
+		   const dns_name_t		*name,
+		   const dns_rdata_nsec3param_t *nsec3param, dns_ttl_t nsecttl,
+		   bool unsecure, dns_diff_t *diff);
+
+isc_result_t
+dns_nsec3_addnsec3s(dns_db_t *db, dns_dbversion_t *version,
+		    const dns_name_t *name, dns_ttl_t nsecttl, bool unsecure,
+		    dns_diff_t *diff);
+
+isc_result_t
+dns_nsec3_addnsec3sx(dns_db_t *db, dns_dbversion_t *version,
+		     const dns_name_t *name, dns_ttl_t nsecttl, bool unsecure,
+		     dns_rdatatype_t private, dns_diff_t *diff);
+/*%<
+ * Add NSEC3 records for 'name', recording the change in 'diff'.
+ * Adjust previous NSEC3 records, if any, to reflect the addition.
+ * The existing NSEC3 records are removed.
+ *
+ * dns_nsec3_addnsec3() will only add records to the chain identified by
+ * 'nsec3param'.
+ *
+ * 'unsecure' should be set to reflect if this is a potentially
+ * unsecure delegation (no DS record).
+ *
+ * dns_nsec3_addnsec3s() will examine the NSEC3PARAM RRset to determine which
+ * chains to be updated.  NSEC3PARAM records with the DNS_NSEC3FLAG_CREATE
+ * will be preferentially chosen over NSEC3PARAM records without
+ * DNS_NSEC3FLAG_CREATE set.  NSEC3PARAM records with DNS_NSEC3FLAG_REMOVE
+ * set will be ignored by dns_nsec3_addnsec3s().  If DNS_NSEC3FLAG_CREATE
+ * is set then the new NSEC3 will have OPTOUT set to match the that in the
+ * NSEC3PARAM record otherwise OPTOUT will be inherited from the previous
+ * record in the chain.
+ *
+ * dns_nsec3_addnsec3sx() is similar to dns_nsec3_addnsec3s() but 'private'
+ * specifies the type of the private rdataset to be checked in addition to
+ * the nsec3param rdataset at the zone apex.
+ *
+ * Requires:
+ *	'db' to be valid.
+ *	'version' to be valid or NULL.
+ *	'name' to be valid.
+ *	'nsec3param' to be valid.
+ *	'diff' to be valid.
+ */
+
+isc_result_t
+dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version,
+		   const dns_name_t		*name,
+		   const dns_rdata_nsec3param_t *nsec3param, dns_diff_t *diff);
+
+isc_result_t
+dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version,
+		    const dns_name_t *name, dns_diff_t *diff);
+
+isc_result_t
+dns_nsec3_delnsec3sx(dns_db_t *db, dns_dbversion_t *version,
+		     const dns_name_t *name, dns_rdatatype_t private,
+		     dns_diff_t	      *diff);
+/*%<
+ * Remove NSEC3 records for 'name', recording the change in 'diff'.
+ * Adjust previous NSEC3 records, if any, to reflect the removal.
+ *
+ * dns_nsec3_delnsec3() performs the above for the chain identified by
+ * 'nsec3param'.
+ *
+ * dns_nsec3_delnsec3s() examines the NSEC3PARAM RRset in a similar manner
+ * to dns_nsec3_addnsec3s().  Unlike dns_nsec3_addnsec3s() updated NSEC3
+ * records have the OPTOUT flag preserved.
+ *
+ * dns_nsec3_delnsec3sx() is similar to dns_nsec3_delnsec3s() but 'private'
+ * specifies the type of the private rdataset to be checked in addition to
+ * the nsec3param rdataset at the zone apex.
+ *
+ * Requires:
+ *	'db' to be valid.
+ *	'version' to be valid or NULL.
+ *	'name' to be valid.
+ *	'nsec3param' to be valid.
+ *	'diff' to be valid.
+ */
+
+isc_result_t
+dns_nsec3_active(dns_db_t *db, dns_dbversion_t *version, bool complete,
+		 bool *answer);
+
+isc_result_t
+dns_nsec3_activex(dns_db_t *db, dns_dbversion_t *version, bool complete,
+		  dns_rdatatype_t private, bool *answer);
+/*%<
+ * Check if there are any complete/to be built NSEC3 chains.
+ * If 'complete' is true only complete chains will be recognized.
+ *
+ * dns_nsec3_activex() is similar to dns_nsec3_active() but 'private'
+ * specifies the type of the private rdataset to be checked in addition to
+ * the nsec3param rdataset at the zone apex.
+ *
+ * Requires:
+ *	'db' to be valid.
+ *	'version' to be valid or NULL.
+ *	'answer' to be non NULL.
+ */
+
+unsigned int
+dns_nsec3_maxiterations(void);
+/*%<
+ * Return the maximum permissible number of NSEC3 iterations.
+ */
+
+bool
+dns_nsec3param_fromprivate(dns_rdata_t *src, dns_rdata_t *target,
+			   unsigned char *buf, size_t buflen);
+/*%<
+ * Convert a private rdata to a nsec3param rdata.
+ *
+ * Return true if 'src' could be successfully converted.
+ *
+ * 'buf' should be at least DNS_NSEC3PARAM_BUFFERSIZE in size.
+ */
+
+void
+dns_nsec3param_toprivate(dns_rdata_t *src, dns_rdata_t *target,
+			 dns_rdatatype_t privatetype, unsigned char *buf,
+			 size_t buflen);
+/*%<
+ * Convert a nsec3param rdata to a private rdata.
+ *
+ * 'buf' should be at least src->length + 1 in size.
+ */
+
+isc_result_t
+dns_nsec3param_salttotext(dns_rdata_nsec3param_t *nsec3param, char *dst,
+			  size_t dstlen);
+/*%<
+ * Convert the salt of given NSEC3PARAM RDATA into hex-encoded, NULL-terminated
+ * text stored at "dst".
+ *
+ * Requires:
+ *
+ *\li 	"dst" to have enough space (as indicated by "dstlen") to hold the
+ * 	resulting text and its NULL-terminating byte.
+ */
+
+isc_result_t
+dns_nsec3param_deletechains(dns_db_t *db, dns_dbversion_t *ver,
+			    dns_zone_t *zone, bool nonsec, dns_diff_t *diff);
+
+/*%<
+ * Mark NSEC3PARAM for deletion.
+ */
+
+isc_result_t
+dns_nsec3_noexistnodata(dns_rdatatype_t type, const dns_name_t *name,
+			const dns_name_t *nsec3name, dns_rdataset_t *nsec3set,
+			dns_name_t *zonename, bool *exists, bool *data,
+			bool *optout, bool *unknown, bool *setclosest,
+			bool *setnearest, dns_name_t *closest,
+			dns_name_t *nearest, dns_nseclog_t logit, void *arg);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_NSEC3_H */
diff --git a/lib/dns/include/dns/nta.h b/lib/dns/include/dns/nta.h
new file mode 100644
index 0000000..905bf64
--- /dev/null
+++ b/lib/dns/include/dns/nta.h
@@ -0,0 +1,218 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_NTA_H
+#define DNS_NTA_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file
+ * \brief
+ * The NTA module provides services for storing and retrieving negative
+ * trust anchors, and determine whether a given domain is subject to
+ * DNSSEC validation.
+ */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/buffer.h>
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/refcount.h>
+#include <isc/rwlock.h>
+#include <isc/stdtime.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+
+#include <dns/rdataset.h>
+#include <dns/resolver.h>
+#include <dns/types.h>
+#include <dns/view.h>
+
+ISC_LANG_BEGINDECLS
+
+struct dns_ntatable {
+	/* Unlocked. */
+	unsigned int	magic;
+	dns_view_t     *view;
+	isc_rwlock_t	rwlock;
+	isc_taskmgr_t  *taskmgr;
+	isc_timermgr_t *timermgr;
+	isc_task_t     *task;
+	/* Protected by atomics */
+	isc_refcount_t references;
+	/* Locked by rwlock. */
+	dns_rbt_t *table;
+	bool	   shuttingdown;
+};
+
+#define NTATABLE_MAGIC	   ISC_MAGIC('N', 'T', 'A', 't')
+#define VALID_NTATABLE(nt) ISC_MAGIC_VALID(nt, NTATABLE_MAGIC)
+
+isc_result_t
+dns_ntatable_create(dns_view_t *view, isc_taskmgr_t *taskmgr,
+		    isc_timermgr_t *timermgr, dns_ntatable_t **ntatablep);
+/*%<
+ * Create an NTA table in view 'view'.
+ *
+ * Requires:
+ *
+ *\li	'view' is a valid view.
+ *
+ *\li	'tmgr' is a valid timer manager.
+ *
+ *\li	ntatablep != NULL && *ntatablep == NULL
+ *
+ * Ensures:
+ *
+ *\li	On success, *ntatablep is a valid, empty NTA table.
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS
+ *\li	Any other result indicates failure.
+ */
+
+void
+dns_ntatable_attach(dns_ntatable_t *source, dns_ntatable_t **targetp);
+/*%<
+ * Attach *targetp to source.
+ *
+ * Requires:
+ *
+ *\li	'source' is a valid ntatable.
+ *
+ *\li	'targetp' points to a NULL dns_ntatable_t *.
+ *
+ * Ensures:
+ *
+ *\li	*targetp is attached to source.
+ */
+
+void
+dns_ntatable_detach(dns_ntatable_t **ntatablep);
+/*%<
+ * Detach *ntatablep from its ntatable.
+ *
+ * Requires:
+ *
+ *\li	'ntatablep' points to a valid ntatable.
+ *
+ * Ensures:
+ *
+ *\li	*ntatablep is NULL.
+ *
+ *\li	If '*ntatablep' is the last reference to the ntatable,
+ *		all resources used by the ntatable will be freed
+ */
+
+isc_result_t
+dns_ntatable_add(dns_ntatable_t *ntatable, const dns_name_t *name, bool force,
+		 isc_stdtime_t now, uint32_t lifetime);
+/*%<
+ * Add a negative trust anchor to 'ntatable' for name 'name',
+ * which will expire at time 'now' + 'lifetime'.  If 'force' is true,
+ * then the NTA will persist for the entire specified lifetime.
+ * If it is false, then the name will be queried periodically and
+ * validation will be attempted to see whether it's still bogus;
+ * if validation is successful, the NTA will be allowed to expire
+ * early and validation below the NTA will resume.
+ *
+ * Notes:
+ *
+ *\li   If an NTA already exists in the table, its expiry time
+ *      is updated.
+ *
+ * Requires:
+ *
+ *\li	'ntatable' points to a valid ntatable.
+ *
+ *\li	'name' points to a valid name.
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS
+ *
+ *\li	Any other result indicates failure.
+ */
+
+isc_result_t
+dns_ntatable_delete(dns_ntatable_t *ntatable, const dns_name_t *keyname);
+/*%<
+ * Delete node(s) from 'ntatable' matching name 'keyname'
+ *
+ * Requires:
+ *
+ *\li	'ntatable' points to a valid ntatable.
+ *
+ *\li	'name' is not NULL
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS
+ *
+ *\li	Any other result indicates failure.
+ */
+
+bool
+dns_ntatable_covered(dns_ntatable_t *ntatable, isc_stdtime_t now,
+		     const dns_name_t *name, const dns_name_t *anchor);
+/*%<
+ * Return true if 'name' is below a non-expired negative trust
+ * anchor which in turn is at or below 'anchor'.
+ *
+ * If 'ntatable' has not been initialized, return false.
+ *
+ * Requires:
+ *
+ *\li	'ntatable' is NULL or is a valid ntatable.
+ *
+ *\li	'name' is a valid absolute name.
+ */
+
+isc_result_t
+dns_ntatable_totext(dns_ntatable_t *ntatable, const char *view,
+		    isc_buffer_t **buf);
+/*%<
+ * Dump the NTA table to buffer at 'buf', with view names
+ *
+ * Requires:
+ * \li   "ntatable" is a valid table.
+ *
+ * \li   "*buf" is a valid buffer.
+ */
+
+isc_result_t
+dns_ntatable_dump(dns_ntatable_t *ntatable, FILE *fp);
+/*%<
+ * Dump the NTA table to the file opened as 'fp'.
+ */
+
+isc_result_t
+dns_ntatable_save(dns_ntatable_t *ntatable, FILE *fp);
+/*%<
+ * Save the NTA table to the file opened as 'fp', for later loading.
+ */
+
+void
+dns_ntatable_shutdown(dns_ntatable_t *ntatable);
+/*%<
+ * Cancel future checks to see if NTAs can be removed.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_NTA_H */
diff --git a/lib/dns/include/dns/opcode.h b/lib/dns/include/dns/opcode.h
new file mode 100644
index 0000000..8fc5020
--- /dev/null
+++ b/lib/dns/include/dns/opcode.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_OPCODE_H
+#define DNS_OPCODE_H 1
+
+/*! \file dns/opcode.h */
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_opcode_totext(dns_opcode_t opcode, isc_buffer_t *target);
+/*%<
+ * Put a textual representation of error 'opcode' into 'target'.
+ *
+ * Requires:
+ *\li	'opcode' is a valid opcode.
+ *
+ *\li	'target' is a valid text buffer.
+ *
+ * Ensures:
+ *\li	If the result is success:
+ *		The used space in 'target' is updated.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS			on success
+ *\li	#ISC_R_NOSPACE			target buffer is too small
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_OPCODE_H */
diff --git a/lib/dns/include/dns/order.h b/lib/dns/include/dns/order.h
new file mode 100644
index 0000000..0d6c267
--- /dev/null
+++ b/lib/dns/include/dns/order.h
@@ -0,0 +1,93 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_ORDER_H
+#define DNS_ORDER_H 1
+
+/*! \file dns/order.h */
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_order_create(isc_mem_t *mctx, dns_order_t **orderp);
+/*%<
+ * Create a order object.
+ *
+ * Requires:
+ * \li	'orderp' to be non NULL and '*orderp == NULL'.
+ *\li	'mctx' to be valid.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_order_add(dns_order_t *order, const dns_name_t *name,
+	      dns_rdatatype_t rdtype, dns_rdataclass_t rdclass,
+	      unsigned int mode);
+/*%<
+ * Add a entry to the end of the order list.
+ *
+ * Requires:
+ * \li	'order' to be valid.
+ *\li	'name' to be valid.
+ *\li	'mode' to be one of #DNS_RDATASETATTR_RANDOMIZE,
+ *		#DNS_RDATASETATTR_FIXEDORDER or zero (#DNS_RDATASETATTR_CYCLIC).
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ */
+
+unsigned int
+dns_order_find(dns_order_t *order, const dns_name_t *name,
+	       dns_rdatatype_t rdtype, dns_rdataclass_t rdclass);
+/*%<
+ * Find the first matching entry on the list.
+ *
+ * Requires:
+ *\li	'order' to be valid.
+ *\li	'name' to be valid.
+ *
+ * Returns the mode set by dns_order_add() or zero.
+ */
+
+void
+dns_order_attach(dns_order_t *source, dns_order_t **target);
+/*%<
+ * Attach to the 'source' object.
+ *
+ * Requires:
+ * \li	'source' to be valid.
+ *\li	'target' to be non NULL and '*target == NULL'.
+ */
+
+void
+dns_order_detach(dns_order_t **orderp);
+/*%<
+ * Detach from the object.  Clean up if last this was the last
+ * reference.
+ *
+ * Requires:
+ *\li	'*orderp' to be valid.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_ORDER_H */
diff --git a/lib/dns/include/dns/peer.h b/lib/dns/include/dns/peer.h
new file mode 100644
index 0000000..5f9a4de
--- /dev/null
+++ b/lib/dns/include/dns/peer.h
@@ -0,0 +1,279 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_PEER_H
+#define DNS_PEER_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file dns/peer.h
+ * \brief
+ * Data structures for peers (e.g. a 'server' config file statement)
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/netaddr.h>
+#include <isc/refcount.h>
+
+#include <dns/types.h>
+
+#define DNS_PEERLIST_MAGIC ISC_MAGIC('s', 'e', 'R', 'L')
+#define DNS_PEER_MAGIC	   ISC_MAGIC('S', 'E', 'r', 'v')
+
+#define DNS_PEERLIST_VALID(ptr) ISC_MAGIC_VALID(ptr, DNS_PEERLIST_MAGIC)
+#define DNS_PEER_VALID(ptr)	ISC_MAGIC_VALID(ptr, DNS_PEER_MAGIC)
+
+/***
+ *** Types
+ ***/
+
+struct dns_peerlist {
+	unsigned int   magic;
+	isc_refcount_t refs;
+
+	isc_mem_t *mem;
+
+	ISC_LIST(dns_peer_t) elements;
+};
+
+struct dns_peer {
+	unsigned int   magic;
+	isc_refcount_t refs;
+
+	isc_mem_t *mem;
+
+	isc_netaddr_t	      address;
+	unsigned int	      prefixlen;
+	bool		      bogus;
+	dns_transfer_format_t transfer_format;
+	uint32_t	      transfers;
+	bool		      support_ixfr;
+	bool		      provide_ixfr;
+	bool		      request_ixfr;
+	bool		      support_edns;
+	bool		      request_nsid;
+	bool		      send_cookie;
+	bool		      request_expire;
+	bool		      force_tcp;
+	bool		      tcp_keepalive;
+	dns_name_t	     *key;
+	isc_sockaddr_t	     *transfer_source;
+	isc_dscp_t	      transfer_dscp;
+	isc_sockaddr_t	     *notify_source;
+	isc_dscp_t	      notify_dscp;
+	isc_sockaddr_t	     *query_source;
+	isc_dscp_t	      query_dscp;
+	uint16_t	      udpsize;	   /* receive size */
+	uint16_t	      maxudp;	   /* transmit size */
+	uint16_t	      padding;	   /* pad block size */
+	uint8_t		      ednsversion; /* edns version */
+
+	uint32_t bitflags;
+
+	ISC_LINK(dns_peer_t) next;
+};
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_peerlist_new(isc_mem_t *mem, dns_peerlist_t **list);
+
+void
+dns_peerlist_attach(dns_peerlist_t *source, dns_peerlist_t **target);
+
+void
+dns_peerlist_detach(dns_peerlist_t **list);
+
+/*
+ * After return caller still holds a reference to peer.
+ */
+void
+dns_peerlist_addpeer(dns_peerlist_t *peers, dns_peer_t *peer);
+
+/*
+ * Ditto. */
+isc_result_t
+dns_peerlist_peerbyaddr(dns_peerlist_t *peers, const isc_netaddr_t *addr,
+			dns_peer_t **retval);
+
+/*
+ * What he said.
+ */
+isc_result_t
+dns_peerlist_currpeer(dns_peerlist_t *peers, dns_peer_t **retval);
+
+isc_result_t
+dns_peer_new(isc_mem_t *mem, const isc_netaddr_t *ipaddr, dns_peer_t **peer);
+
+isc_result_t
+dns_peer_newprefix(isc_mem_t *mem, const isc_netaddr_t *ipaddr,
+		   unsigned int prefixlen, dns_peer_t **peer);
+
+void
+dns_peer_attach(dns_peer_t *source, dns_peer_t **target);
+
+void
+dns_peer_detach(dns_peer_t **list);
+
+isc_result_t
+dns_peer_setbogus(dns_peer_t *peer, bool newval);
+
+isc_result_t
+dns_peer_getbogus(dns_peer_t *peer, bool *retval);
+
+isc_result_t
+dns_peer_setrequestixfr(dns_peer_t *peer, bool newval);
+
+isc_result_t
+dns_peer_getrequestixfr(dns_peer_t *peer, bool *retval);
+
+isc_result_t
+dns_peer_setprovideixfr(dns_peer_t *peer, bool newval);
+
+isc_result_t
+dns_peer_getprovideixfr(dns_peer_t *peer, bool *retval);
+
+isc_result_t
+dns_peer_setrequestnsid(dns_peer_t *peer, bool newval);
+
+isc_result_t
+dns_peer_getrequestnsid(dns_peer_t *peer, bool *retval);
+
+isc_result_t
+dns_peer_setsendcookie(dns_peer_t *peer, bool newval);
+
+isc_result_t
+dns_peer_getsendcookie(dns_peer_t *peer, bool *retval);
+
+isc_result_t
+dns_peer_setrequestexpire(dns_peer_t *peer, bool newval);
+
+isc_result_t
+dns_peer_getrequestexpire(dns_peer_t *peer, bool *retval);
+
+isc_result_t
+dns_peer_setsupportedns(dns_peer_t *peer, bool newval);
+
+isc_result_t
+dns_peer_getforcetcp(dns_peer_t *peer, bool *retval);
+
+isc_result_t
+dns_peer_setforcetcp(dns_peer_t *peer, bool newval);
+
+isc_result_t
+dns_peer_gettcpkeepalive(dns_peer_t *peer, bool *retval);
+
+isc_result_t
+dns_peer_settcpkeepalive(dns_peer_t *peer, bool newval);
+
+isc_result_t
+dns_peer_getsupportedns(dns_peer_t *peer, bool *retval);
+
+isc_result_t
+dns_peer_settransfers(dns_peer_t *peer, uint32_t newval);
+
+isc_result_t
+dns_peer_gettransfers(dns_peer_t *peer, uint32_t *retval);
+
+isc_result_t
+dns_peer_settransferformat(dns_peer_t *peer, dns_transfer_format_t newval);
+
+isc_result_t
+dns_peer_gettransferformat(dns_peer_t *peer, dns_transfer_format_t *retval);
+
+isc_result_t
+dns_peer_setkeybycharp(dns_peer_t *peer, const char *keyval);
+
+isc_result_t
+dns_peer_getkey(dns_peer_t *peer, dns_name_t **retval);
+
+isc_result_t
+dns_peer_setkey(dns_peer_t *peer, dns_name_t **keyval);
+
+isc_result_t
+dns_peer_settransfersource(dns_peer_t		*peer,
+			   const isc_sockaddr_t *transfer_source);
+
+isc_result_t
+dns_peer_gettransfersource(dns_peer_t *peer, isc_sockaddr_t *transfer_source);
+
+isc_result_t
+dns_peer_setudpsize(dns_peer_t *peer, uint16_t udpsize);
+
+isc_result_t
+dns_peer_getudpsize(dns_peer_t *peer, uint16_t *udpsize);
+
+isc_result_t
+dns_peer_setmaxudp(dns_peer_t *peer, uint16_t maxudp);
+
+isc_result_t
+dns_peer_getmaxudp(dns_peer_t *peer, uint16_t *maxudp);
+
+isc_result_t
+dns_peer_setpadding(dns_peer_t *peer, uint16_t padding);
+
+isc_result_t
+dns_peer_getpadding(dns_peer_t *peer, uint16_t *padding);
+
+isc_result_t
+dns_peer_setnotifysource(dns_peer_t *peer, const isc_sockaddr_t *notify_source);
+
+isc_result_t
+dns_peer_getnotifysource(dns_peer_t *peer, isc_sockaddr_t *notify_source);
+
+isc_result_t
+dns_peer_setquerysource(dns_peer_t *peer, const isc_sockaddr_t *query_source);
+
+isc_result_t
+dns_peer_getquerysource(dns_peer_t *peer, isc_sockaddr_t *query_source);
+
+isc_result_t
+dns_peer_setnotifydscp(dns_peer_t *peer, isc_dscp_t dscp);
+
+isc_result_t
+dns_peer_getnotifydscp(dns_peer_t *peer, isc_dscp_t *dscpp);
+
+isc_result_t
+dns_peer_settransferdscp(dns_peer_t *peer, isc_dscp_t dscp);
+
+isc_result_t
+dns_peer_gettransferdscp(dns_peer_t *peer, isc_dscp_t *dscpp);
+
+isc_result_t
+dns_peer_setquerydscp(dns_peer_t *peer, isc_dscp_t dscp);
+
+isc_result_t
+dns_peer_getquerydscp(dns_peer_t *peer, isc_dscp_t *dscpp);
+
+isc_result_t
+dns_peer_setednsversion(dns_peer_t *peer, uint8_t ednsversion);
+
+isc_result_t
+dns_peer_getednsversion(dns_peer_t *peer, uint8_t *ednsversion);
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_PEER_H */
diff --git a/lib/dns/include/dns/portlist.h b/lib/dns/include/dns/portlist.h
new file mode 100644
index 0000000..03306db
--- /dev/null
+++ b/lib/dns/include/dns/portlist.h
@@ -0,0 +1,102 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file dns/portlist.h */
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/net.h>
+#include <isc/types.h>
+
+#include <dns/types.h>
+
+#ifndef DNS_PORTLIST_H
+#define DNS_PORTLIST_H 1
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_portlist_create(isc_mem_t *mctx, dns_portlist_t **portlistp);
+/*%<
+ * Create a port list.
+ *
+ * Requires:
+ *\li	'mctx' to be valid.
+ *\li	'portlistp' to be non NULL and '*portlistp' to be NULL;
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_UNEXPECTED
+ */
+
+isc_result_t
+dns_portlist_add(dns_portlist_t *portlist, int af, in_port_t port);
+/*%<
+ * Add the given <port,af> tuple to the portlist.
+ *
+ * Requires:
+ *\li	'portlist' to be valid.
+ *\li	'af' to be AF_INET or AF_INET6
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ */
+
+void
+dns_portlist_remove(dns_portlist_t *portlist, int af, in_port_t port);
+/*%<
+ * Remove the given <port,af> tuple to the portlist.
+ *
+ * Requires:
+ *\li	'portlist' to be valid.
+ *\li	'af' to be AF_INET or AF_INET6
+ */
+
+bool
+dns_portlist_match(dns_portlist_t *portlist, int af, in_port_t port);
+/*%<
+ * Find the given <port,af> tuple to the portlist.
+ *
+ * Requires:
+ *\li	'portlist' to be valid.
+ *\li	'af' to be AF_INET or AF_INET6
+ *
+ * Returns
+ * \li	#true if the tuple is found, false otherwise.
+ */
+
+void
+dns_portlist_attach(dns_portlist_t *portlist, dns_portlist_t **portlistp);
+/*%<
+ * Attach to a port list.
+ *
+ * Requires:
+ *\li	'portlist' to be valid.
+ *\li	'portlistp' to be non NULL and '*portlistp' to be NULL;
+ */
+
+void
+dns_portlist_detach(dns_portlist_t **portlistp);
+/*%<
+ * Detach from a port list.
+ *
+ * Requires:
+ *\li	'*portlistp' to be valid.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_PORTLIST_H */
diff --git a/lib/dns/include/dns/private.h b/lib/dns/include/dns/private.h
new file mode 100644
index 0000000..8e1c4c7
--- /dev/null
+++ b/lib/dns/include/dns/private.h
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+#include <dns/db.h>
+#include <dns/types.h>
+
+#ifndef DNS_PRIVATE_H
+#define DNS_PRIVATE_H
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_private_chains(dns_db_t *db, dns_dbversion_t *ver,
+		   dns_rdatatype_t privatetype, bool *build_nsec,
+		   bool *build_nsec3);
+/*%<
+ * Examine the NSEC, NSEC3PARAM and privatetype RRsets at the apex of the
+ * database to determine which of NSEC or NSEC3 chains we are currently
+ * maintaining.  In normal operations only one of NSEC or NSEC3 is being
+ * maintained but when we are transitiong between NSEC and NSEC3 we need
+ * to update both sets of chains.  If 'privatetype' is zero then the
+ * privatetype RRset will not be examined.
+ *
+ * Requires:
+ * \li	'db' is valid.
+ * \li	'version' is valid or NULL.
+ * \li	'build_nsec' is a pointer to a bool or NULL.
+ * \li	'build_nsec3' is a pointer to a bool or NULL.
+ *
+ * Returns:
+ * \li 	ISC_R_SUCCESS, 'build_nsec' and 'build_nsec3' will be valid.
+ * \li	other on error
+ */
+
+isc_result_t
+dns_private_totext(dns_rdata_t *privaterdata, isc_buffer_t *buffer);
+/*%<
+ * Convert a private-type RR 'privaterdata' to human-readable form,
+ * and place the result in 'buffer'.  The text should indicate
+ * which action the private-type record specifies and whether the
+ * action has been completed.
+ *
+ * Requires:
+ * \li	'privaterdata' is a valid rdata containing at least five bytes
+ * \li	'buffer' is a valid buffer
+ *
+ * Returns:
+ * \li 	ISC_R_SUCCESS
+ * \li	other on error
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ifndef DNS_PRIVATE_H */
diff --git a/lib/dns/include/dns/rbt.h b/lib/dns/include/dns/rbt.h
new file mode 100644
index 0000000..4a6b078
--- /dev/null
+++ b/lib/dns/include/dns/rbt.h
@@ -0,0 +1,1060 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_RBT_H
+#define DNS_RBT_H 1
+
+/*! \file dns/rbt.h */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/assertions.h>
+#include <isc/crc64.h>
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/refcount.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*@{*/
+/*%
+ * Option values for dns_rbt_findnode() and dns_rbt_findname().
+ * These are used to form a bitmask.
+ */
+#define DNS_RBTFIND_NOOPTIONS	  0x00
+#define DNS_RBTFIND_EMPTYDATA	  0x01
+#define DNS_RBTFIND_NOEXACT	  0x02
+#define DNS_RBTFIND_NOPREDECESSOR 0x04
+/*@}*/
+
+#define DNS_RBT_USEMAGIC 1
+
+#define DNS_RBT_LOCKLENGTH (sizeof(((dns_rbtnode_t *)0)->locknum) * 8)
+
+#define DNS_RBTNODE_MAGIC ISC_MAGIC('R', 'B', 'N', 'O')
+#if DNS_RBT_USEMAGIC
+#define DNS_RBTNODE_VALID(n) ISC_MAGIC_VALID(n, DNS_RBTNODE_MAGIC)
+#else /* if DNS_RBT_USEMAGIC */
+#define DNS_RBTNODE_VALID(n) true
+#endif /* if DNS_RBT_USEMAGIC */
+
+/*%
+ * This is the structure that is used for each node in the red/black
+ * tree of trees.  NOTE WELL:  the implementation manages this as a variable
+ * length structure, with the actual wire-format name and other data
+ * appended to this structure.  Allocating a contiguous block of memory for
+ * multiple dns_rbtnode structures will not work.
+ */
+typedef struct dns_rbtnode dns_rbtnode_t;
+enum {
+	DNS_RBT_NSEC_NORMAL = 0,   /* in main tree */
+	DNS_RBT_NSEC_HAS_NSEC = 1, /* also has node in nsec tree */
+	DNS_RBT_NSEC_NSEC = 2,	   /* in nsec tree */
+	DNS_RBT_NSEC_NSEC3 = 3	   /* in nsec3 tree */
+};
+struct dns_rbtnode {
+#if DNS_RBT_USEMAGIC
+	unsigned int magic;
+#endif /* if DNS_RBT_USEMAGIC */
+	/*@{*/
+	/*!
+	 * The following bitfields add up to a total bitwidth of 32.
+	 * The range of values necessary for each item is indicated,
+	 * but in the case of "attributes" the field is wider to accommodate
+	 * possible future expansion.
+	 *
+	 * In each case below the "range" indicated is what's _necessary_ for
+	 * the bitfield to hold, not what it actually _can_ hold.
+	 *
+	 * Note: Tree lock must be held before modifying these
+	 * bit-fields.
+	 *
+	 * Note: The two "unsigned int :0;" unnamed bitfields on either
+	 * side of the bitfields below are scaffolding that border the
+	 * set of bitfields which are accessed after acquiring the tree
+	 * lock. Please don't insert any other bitfield members between
+	 * the unnamed bitfields unless they should also be accessed
+	 * after acquiring the tree lock.
+	 */
+	unsigned int		   : 0; /* start of bitfields c/o tree lock */
+	unsigned int is_root	   : 1; /*%< range is 0..1 */
+	unsigned int color	   : 1; /*%< range is 0..1 */
+	unsigned int find_callback : 1; /*%< range is 0..1 */
+	unsigned int attributes	   : 3; /*%< range is 0..2 */
+	unsigned int nsec	   : 2; /*%< range is 0..3 */
+	unsigned int namelen	   : 8; /*%< range is 1..255 */
+	unsigned int offsetlen	   : 8; /*%< range is 1..128 */
+	unsigned int oldnamelen	   : 8; /*%< range is 1..255 */
+	/*@}*/
+
+	/* flags needed for serialization to file */
+	unsigned int is_mmapped		: 1;
+	unsigned int parent_is_relative : 1;
+	unsigned int left_is_relative	: 1;
+	unsigned int right_is_relative	: 1;
+	unsigned int down_is_relative	: 1;
+	unsigned int data_is_relative	: 1;
+
+	/*
+	 * full name length; set during serialization, and used
+	 * during deserialization to calculate database size.
+	 * should be cleared after use.
+	 */
+	unsigned int fullnamelen : 8; /*%< range is 1..255 */
+
+	/* node needs to be cleaned from rpz */
+	unsigned int rpz : 1;
+	unsigned int	 : 0; /* end of bitfields c/o tree lock */
+
+	/*%
+	 * These are needed for hashing. The 'uppernode' points to the
+	 * node's superdomain node in the parent subtree, so that it can
+	 * be reached from a child that was found by a hash lookup.
+	 */
+	unsigned int   hashval;
+	dns_rbtnode_t *uppernode;
+	dns_rbtnode_t *hashnext;
+
+	dns_rbtnode_t *parent;
+	dns_rbtnode_t *left;
+	dns_rbtnode_t *right;
+	dns_rbtnode_t *down;
+
+	/*%
+	 * Used for LRU cache.  This linked list is used to mark nodes which
+	 * have no data any longer, but we cannot unlink at that exact moment
+	 * because we did not or could not obtain a write lock on the tree.
+	 */
+	ISC_LINK(dns_rbtnode_t) deadlink;
+
+	/*@{*/
+	/*!
+	 * These values are used in the RBT DB implementation.  The appropriate
+	 * node lock must be held before accessing them.
+	 *
+	 * Note: The two "unsigned int :0;" unnamed bitfields on either
+	 * side of the bitfields below are scaffolding that border the
+	 * set of bitfields which are accessed after acquiring the node
+	 * lock. Please don't insert any other bitfield members between
+	 * the unnamed bitfields unless they should also be accessed
+	 * after acquiring the node lock.
+	 *
+	 * NOTE: Do not merge these fields into bitfields above, as
+	 * they'll all be put in the same qword that could be accessed
+	 * without the node lock as it shares the qword with other
+	 * members. Leave these members here so that they occupy a
+	 * separate region of memory.
+	 */
+	void *data;
+	uint8_t	      : 0; /* start of bitfields c/o node lock */
+	uint8_t dirty : 1;
+	uint8_t wild  : 1;
+	uint8_t	      : 0;	/* end of bitfields c/o node lock */
+	uint16_t       locknum; /* note that this is not in the bitfield */
+	isc_refcount_t references;
+	/*@}*/
+};
+
+typedef isc_result_t (*dns_rbtfindcallback_t)(dns_rbtnode_t *node,
+					      dns_name_t    *name,
+					      void	    *callback_arg);
+
+typedef isc_result_t (*dns_rbtdatawriter_t)(FILE *file, unsigned char *data,
+					    void *arg, uint64_t *crc);
+
+typedef isc_result_t (*dns_rbtdatafixer_t)(dns_rbtnode_t *rbtnode, void *base,
+					   size_t offset, void *arg,
+					   uint64_t *crc);
+
+typedef void (*dns_rbtdeleter_t)(void *, void *);
+
+/*****
+*****  Chain Info
+*****/
+
+/*!
+ * A chain is used to keep track of the sequence of nodes to reach any given
+ * node from the root of the tree.  Originally nodes did not have parent
+ * pointers in them (for memory usage reasons) so there was no way to find
+ * the path back to the root from any given node.  Now that nodes have parent
+ * pointers, chains might be going away in a future release, though the
+ * movement functionality would remain.
+ *
+ * Chains may be used to iterate over a tree of trees.  After setting up the
+ * chain's structure using dns_rbtnodechain_init(), it needs to be initialized
+ * to point to the lexically first or lexically last node in the tree of trees
+ * using dns_rbtnodechain_first() or dns_rbtnodechain_last(), respectively.
+ * Calling dns_rbtnodechain_next() or dns_rbtnodechain_prev() then moves the
+ * chain over to the next or previous node, respectively.
+ *
+ * In any event, parent information, whether via parent pointers or chains, is
+ * necessary information for iterating through the tree or for basic internal
+ * tree maintenance issues (ie, the rotations that are done to rebalance the
+ * tree when a node is added).  The obvious implication of this is that for a
+ * chain to remain valid, the tree has to be locked down against writes for the
+ * duration of the useful life of the chain, because additions or removals can
+ * change the path from the root to the node the chain has targeted.
+ *
+ * The dns_rbtnodechain_ functions _first, _last, _prev and _next all take
+ * dns_name_t parameters for the name and the origin, which can be NULL.  If
+ * non-NULL, 'name' will end up pointing to the name data and offsets that are
+ * stored at the node (and thus it will be read-only), so it should be a
+ * regular dns_name_t that has been initialized with dns_name_init.  When
+ * 'origin' is non-NULL, it will get the name of the origin stored in it, so it
+ * needs to have its own buffer space and offsets, which is most easily
+ * accomplished with a dns_fixedname_t.  It is _not_ necessary to reinitialize
+ * either 'name' or 'origin' between calls to the chain functions.
+ *
+ * NOTE WELL: even though the name data at the root of the tree of trees will
+ * be absolute (typically just "."), it will will be made into a relative name
+ * with an origin of "." -- an empty name when the node is ".".  This is
+ * because a common on operation on 'name' and 'origin' is to use
+ * dns_name_concatenate() on them to generate the complete name.  An empty name
+ * can be detected when dns_name_countlabels == 0, and is printed by
+ * dns_name_totext()/dns_name_format() as "@", consistent with RFC1035's
+ * definition of "@" as the current origin.
+ *
+ * dns_rbtnodechain_current is similar to the _first, _last, _prev and _next
+ * functions but additionally can provide the node to which the chain points.
+ */
+
+/*%
+ * The number of level blocks to allocate at a time.  Currently the maximum
+ * number of levels is allocated directly in the structure, but future
+ * revisions of this code might have a static initial block with dynamic
+ * growth.  Allocating space for 256 levels when the tree is almost never that
+ * deep is wasteful, but it's not clear that it matters, since the waste is
+ * only 2MB for 1000 concurrently active chains on a system with 64-bit
+ * pointers.
+ */
+#define DNS_RBT_LEVELBLOCK 254
+
+typedef struct dns_rbtnodechain {
+	unsigned int magic;
+	/*%
+	 * The terminal node of the chain.  It is not in levels[].
+	 * This is ostensibly private ... but in a pinch it could be
+	 * used tell that the chain points nowhere without needing to
+	 * call dns_rbtnodechain_current().
+	 */
+	dns_rbtnode_t *end;
+	/*%
+	 * The maximum number of labels in a name is 128; bitstrings mean
+	 * a conceptually very large number (which I have not bothered to
+	 * compute) of logical levels because splitting can potentially occur
+	 * at each bit.  However, DNSSEC restricts the number of "logical"
+	 * labels in a name to 255, meaning only 254 pointers are needed
+	 * in the worst case.
+	 */
+	dns_rbtnode_t *levels[DNS_RBT_LEVELBLOCK];
+	/*%
+	 * level_count indicates how deep the chain points into the
+	 * tree of trees, and is the index into the levels[] array.
+	 * Thus, levels[level_count - 1] is the last level node stored.
+	 * A chain that points to the top level of the tree of trees has
+	 * a level_count of 0, the first level has a level_count of 1, and
+	 * so on.
+	 */
+	unsigned int level_count;
+	/*%
+	 * level_matches tells how many levels matched above the node
+	 * returned by dns_rbt_findnode().  A match (partial or exact) found
+	 * in the first level thus results in level_matches being set to 1.
+	 * This is used by the rbtdb to set the start point for a recursive
+	 * search of superdomains until the RR it is looking for is found.
+	 */
+	unsigned int level_matches;
+} dns_rbtnodechain_t;
+
+/*****
+***** Public interfaces.
+*****/
+isc_result_t
+dns_rbt_create(isc_mem_t *mctx, dns_rbtdeleter_t deleter, void *deleter_arg,
+	       dns_rbt_t **rbtp);
+/*%<
+ * Initialize a red-black tree of trees.
+ *
+ * Notes:
+ *\li   The deleter argument, if non-null, points to a function that is
+ *      responsible for cleaning up any memory associated with the data
+ *      pointer of a node when the node is deleted.  It is passed the
+ *      deleted node's data pointer as its first argument and deleter_arg
+ *      as its second argument.
+ *
+ * Requires:
+ * \li  mctx is a pointer to a valid memory context.
+ *\li   rbtp != NULL && *rbtp == NULL
+ *\li   arg == NULL iff deleter == NULL
+ *
+ * Ensures:
+ *\li   If result is ISC_R_SUCCESS:
+ *              *rbtp points to a valid red-black tree manager
+ *
+ *\li   If result is failure:
+ *              *rbtp does not point to a valid red-black tree manager.
+ *
+ * Returns:
+ *\li   #ISC_R_SUCCESS  Success
+ *\li   #ISC_R_NOMEMORY Resource limit: Out of Memory
+ */
+
+isc_result_t
+dns_rbt_addname(dns_rbt_t *rbt, const dns_name_t *name, void *data);
+/*%<
+ * Add 'name' to the tree of trees, associated with 'data'.
+ *
+ * Notes:
+ *\li   'data' is never required to be non-NULL, but specifying it
+ *      when the name is added is faster than searching for 'name'
+ *      again and then setting the data pointer.  The lack of a data pointer
+ *      for a node also has other ramifications regarding whether
+ *      dns_rbt_findname considers a node to exist, or dns_rbt_deletename
+ *      joins nodes.
+ *
+ * Requires:
+ *\li   rbt is a valid rbt manager.
+ *\li   dns_name_isabsolute(name) == TRUE
+ *
+ * Ensures:
+ *\li   'name' is not altered in any way.
+ *
+ *\li   Any external references to nodes in the tree are unaffected by
+ *      node splits that are necessary to insert the new name.
+ *
+ *\li   If result is #ISC_R_SUCCESS:
+ *              'name' is findable in the red/black tree of trees in O(log N).
+ *              The data pointer of the node for 'name' is set to 'data'.
+ *
+ *\li   If result is #ISC_R_EXISTS or #ISC_R_NOSPACE:
+ *              The tree of trees is unaltered.
+ *
+ *\li   If result is #ISC_R_NOMEMORY:
+ *              No guarantees.
+ *
+ * Returns:
+ *\li   #ISC_R_SUCCESS  Success
+ *\li   #ISC_R_EXISTS   The name already exists with associated data.
+ *\li   #ISC_R_NOSPACE  The name had more logical labels than are allowed.
+ *\li   #ISC_R_NOMEMORY Resource Limit: Out of Memory
+ */
+
+isc_result_t
+dns_rbt_addnode(dns_rbt_t *rbt, const dns_name_t *name, dns_rbtnode_t **nodep);
+
+/*%<
+ * Just like dns_rbt_addname, but returns the address of the node.
+ *
+ * Requires:
+ *\li   rbt is a valid rbt structure.
+ *\li   dns_name_isabsolute(name) == TRUE
+ *\li   nodep != NULL && *nodep == NULL
+ *
+ * Ensures:
+ *\li   'name' is not altered in any way.
+ *
+ *\li   Any external references to nodes in the tree are unaffected by
+ *      node splits that are necessary to insert the new name.
+ *
+ *\li   If result is ISC_R_SUCCESS:
+ *              'name' is findable in the red/black tree of trees in O(log N).
+ *              *nodep is the node that was added for 'name'.
+ *
+ *\li   If result is ISC_R_EXISTS:
+ *              The tree of trees is unaltered.
+ *              *nodep is the existing node for 'name'.
+ *
+ *\li   If result is ISC_R_NOMEMORY:
+ *              No guarantees.
+ *
+ * Returns:
+ *\li   #ISC_R_SUCCESS  Success
+ *\li   #ISC_R_EXISTS   The name already exists, possibly without data.
+ *\li   #ISC_R_NOMEMORY Resource Limit: Out of Memory
+ */
+
+isc_result_t
+dns_rbt_findname(dns_rbt_t *rbt, const dns_name_t *name, unsigned int options,
+		 dns_name_t *foundname, void **data);
+/*%<
+ * Get the data pointer associated with 'name'.
+ *
+ * Notes:
+ *\li   When #DNS_RBTFIND_NOEXACT is set, the closest matching superdomain is
+ *      returned (also subject to #DNS_RBTFIND_EMPTYDATA), even when there is
+ *      an exact match in the tree.
+ *
+ *\li   A node that has no data is considered not to exist for this function,
+ *      unless the #DNS_RBTFIND_EMPTYDATA option is set.
+ *
+ * Requires:
+ *\li   rbt is a valid rbt manager.
+ *\li   dns_name_isabsolute(name) == TRUE
+ *\li   data != NULL && *data == NULL
+ *
+ * Ensures:
+ *\li   'name' and the tree are not altered in any way.
+ *
+ *\li   If result is ISC_R_SUCCESS:
+ *              *data is the data associated with 'name'.
+ *
+ *\li   If result is DNS_R_PARTIALMATCH:
+ *              *data is the data associated with the deepest superdomain
+ *              of 'name' which has data.
+ *
+ *\li   If result is ISC_R_NOTFOUND:
+ *              Neither the name nor a superdomain was found with data.
+ *
+ * Returns:
+ *\li   #ISC_R_SUCCESS          Success
+ *\li   #DNS_R_PARTIALMATCH     Superdomain found with data
+ *\li   #ISC_R_NOTFOUND         No match
+ *\li   #ISC_R_NOSPACE          Concatenating nodes to form foundname failed
+ */
+
+isc_result_t
+dns_rbt_findnode(dns_rbt_t *rbt, const dns_name_t *name, dns_name_t *foundname,
+		 dns_rbtnode_t **node, dns_rbtnodechain_t *chain,
+		 unsigned int options, dns_rbtfindcallback_t callback,
+		 void *callback_arg);
+/*%<
+ * Find the node for 'name'.
+ *
+ * Notes:
+ *\li   A node that has no data is considered not to exist for this function,
+ *      unless the DNS_RBTFIND_EMPTYDATA option is set.  This applies to both
+ *      exact matches and partial matches.
+ *
+ *\li   If the chain parameter is non-NULL, then the path through the tree
+ *      to the DNSSEC predecessor of the searched for name is maintained,
+ *      unless the DNS_RBTFIND_NOPREDECESSOR or DNS_RBTFIND_NOEXACT option
+ *      is used. (For more details on those options, see below.)
+ *
+ *\li   If there is no predecessor, then the chain will point to nowhere, as
+ *      indicated by chain->end being NULL or dns_rbtnodechain_current
+ *      returning ISC_R_NOTFOUND.  Note that in a normal Internet DNS RBT
+ *      there will always be a predecessor for all names except the root
+ *      name, because '.' will exist and '.' is the predecessor of
+ *      everything.  But you can certainly construct a trivial tree and a
+ *      search for it that has no predecessor.
+ *
+ *\li   Within the chain structure, the 'levels' member of the structure holds
+ *      the root node of each level except the first.
+ *
+ *\li   The 'level_count' of the chain indicates how deep the chain to the
+ *      predecessor name is, as an index into the 'levels[]' array.  It does
+ *      not count name elements, per se, but only levels of the tree of trees,
+ *      the distinction arising because multiple labels from a name can be
+ *      stored on only one level.  It is also does not include the level
+ *      that has the node, since that level is not stored in levels[].
+ *
+ *\li   The chain's 'level_matches' is not directly related to the predecessor.
+ *      It is the number of levels above the level of the found 'node',
+ *      regardless of whether it was a partial match or exact match.  When
+ *      the node is found in the top level tree, or no node is found at all,
+ *      level_matches is 0.
+ *
+ *\li   When DNS_RBTFIND_NOEXACT is set, the closest matching superdomain is
+ *      returned (also subject to DNS_RBTFIND_EMPTYDATA), even when
+ *      there is an exact match in the tree.  In this case, the chain
+ *      will not point to the DNSSEC predecessor, but will instead point
+ *      to the exact match, if there was any.  Thus the preceding paragraphs
+ *      should have "exact match" substituted for "predecessor" to describe
+ *      how the various elements of the chain are set.  This was done to
+ *      ensure that the chain's state was sane, and to prevent problems that
+ *      occurred when running the predecessor location code under conditions
+ *      it was not designed for.  It is not clear *where* the chain should
+ *      point when DNS_RBTFIND_NOEXACT is set, so if you end up using a chain
+ *      with this option because you want a particular node, let us know
+ *      where you want the chain pointed, so this can be made more firm.
+ *
+ * Requires:
+ *\li   rbt is a valid rbt manager.
+ *\li   dns_name_isabsolute(name) == TRUE.
+ *\li   node != NULL && *node == NULL.
+ *\li   #DNS_RBTFIND_NOEXACT and DNS_RBTFIND_NOPREDECESSOR are mutually
+ *              exclusive.
+ *
+ * Ensures:
+ *\li   'name' and the tree are not altered in any way.
+ *
+ *\li   If result is ISC_R_SUCCESS:
+ *\verbatim
+ *              *node is the terminal node for 'name'.
+ *
+ *              'foundname' and 'name' represent the same name (though not
+ *              the same memory).
+ *
+ *              'chain' points to the DNSSEC predecessor, if any, of 'name'.
+ *
+ *              chain->level_matches and chain->level_count are equal.
+ *\endverbatim
+ *
+ *      If result is DNS_R_PARTIALMATCH:
+ *\verbatim
+ *              *node is the data associated with the deepest superdomain
+ *              of 'name' which has data.
+ *
+ *              'foundname' is the name of deepest superdomain (which has
+ *              data, unless the DNS_RBTFIND_EMPTYDATA option is set).
+ *
+ *              'chain' points to the DNSSEC predecessor, if any, of 'name'.
+ *\endverbatim
+ *
+ *\li   If result is ISC_R_NOTFOUND:
+ *\verbatim
+ *              Neither the name nor a superdomain was found.  *node is NULL.
+ *
+ *              'chain' points to the DNSSEC predecessor, if any, of 'name'.
+ *
+ *              chain->level_matches is 0.
+ *\endverbatim
+ *
+ * Returns:
+ *\li   #ISC_R_SUCCESS          Success
+ *\li   #DNS_R_PARTIALMATCH     Superdomain found with data
+ *\li   #ISC_R_NOTFOUND         No match, or superdomain with no data
+ *\li   #ISC_R_NOSPACE Concatenating nodes to form foundname failed
+ */
+
+isc_result_t
+dns_rbt_deletename(dns_rbt_t *rbt, const dns_name_t *name, bool recurse);
+/*%<
+ * Delete 'name' from the tree of trees.
+ *
+ * Notes:
+ *\li   When 'name' is removed, if recurse is true then all of its
+ *      subnames are removed too.
+ *
+ * Requires:
+ *\li   rbt is a valid rbt manager.
+ *\li   dns_name_isabsolute(name) == TRUE
+ *
+ * Ensures:
+ *\li   'name' is not altered in any way.
+ *
+ *\li   Does NOT ensure that any external references to nodes in the tree
+ *      are unaffected by node joins.
+ *
+ *\li   If result is ISC_R_SUCCESS:
+ *              'name' does not appear in the tree with data; however,
+ *              the node for the name might still exist which can be
+ *              found with dns_rbt_findnode (but not dns_rbt_findname).
+ *
+ *\li   If result is ISC_R_NOTFOUND:
+ *              'name' does not appear in the tree with data, because
+ *              it did not appear in the tree before the function was called.
+ *
+ *\li   If result is something else:
+ *              See result codes for dns_rbt_findnode (if it fails, the
+ *              node is not deleted) or dns_rbt_deletenode (if it fails,
+ *              the node is deleted, but the tree is not optimized when
+ *              it could have been).
+ *
+ * Returns:
+ *\li   #ISC_R_SUCCESS  Success
+ *\li   #ISC_R_NOTFOUND No match
+ *\li   something_else  Any return code from dns_rbt_findnode except
+ *                      DNS_R_PARTIALMATCH (which causes ISC_R_NOTFOUND
+ *                      to be returned instead), and any code from
+ *                      dns_rbt_deletenode.
+ */
+
+isc_result_t
+dns_rbt_deletenode(dns_rbt_t *rbt, dns_rbtnode_t *node, bool recurse);
+/*%<
+ * Delete 'node' from the tree of trees.
+ *
+ * Notes:
+ *\li   When 'node' is removed, if recurse is true then all nodes
+ *      in levels down from it are removed too.
+ *
+ * Requires:
+ *\li   rbt is a valid rbt manager.
+ *\li   node != NULL.
+ *
+ * Ensures:
+ *\li   Does NOT ensure that any external references to nodes in the tree
+ *      are unaffected by node joins.
+ *
+ *\li   If result is ISC_R_SUCCESS:
+ *              'node' does not appear in the tree with data; however,
+ *              the node might still exist if it serves as a pointer to
+ *              a lower tree level as long as 'recurse' was false, hence
+ *              the node could can be found with dns_rbt_findnode when
+ *              that function's empty_data_ok parameter is true.
+ *
+ *\li   If result is ISC_R_NOMEMORY or ISC_R_NOSPACE:
+ *              The node was deleted, but the tree structure was not
+ *              optimized.
+ *
+ * Returns:
+ *\li   #ISC_R_SUCCESS  Success
+ *\li   #ISC_R_NOMEMORY Resource Limit: Out of Memory when joining nodes.
+ *\li   #ISC_R_NOSPACE  dns_name_concatenate failed when joining nodes.
+ */
+
+void
+dns_rbt_namefromnode(dns_rbtnode_t *node, dns_name_t *name);
+/*%<
+ * Convert the sequence of labels stored at 'node' into a 'name'.
+ *
+ * Notes:
+ *\li   This function does not return the full name, from the root, but
+ *      just the labels at the indicated node.
+ *
+ *\li   The name data pointed to by 'name' is the information stored
+ *      in the node, not a copy.  Altering the data at this pointer
+ *      will likely cause grief.
+ *
+ * Requires:
+ * \li  name->offsets == NULL
+ *
+ * Ensures:
+ * \li  'name' is DNS_NAMEATTR_READONLY.
+ *
+ * \li  'name' will point directly to the labels stored after the
+ *      dns_rbtnode_t struct.
+ *
+ * \li  'name' will have offsets that also point to the information stored
+ *      as part of the node.
+ */
+
+isc_result_t
+dns_rbt_fullnamefromnode(dns_rbtnode_t *node, dns_name_t *name);
+/*%<
+ * Like dns_rbt_namefromnode, but returns the full name from the root.
+ *
+ * Notes:
+ * \li  Unlike dns_rbt_namefromnode, the name will not point directly
+ *      to node data.  Rather, dns_name_concatenate will be used to copy
+ *      the name data from each node into the 'name' argument.
+ *
+ * Requires:
+ * \li  name != NULL
+ * \li  name has a dedicated buffer.
+ *
+ * Returns:
+ * \li  ISC_R_SUCCESS
+ * \li  ISC_R_NOSPACE           (possible via dns_name_concatenate)
+ * \li  DNS_R_NAMETOOLONG       (possible via dns_name_concatenate)
+ */
+
+char *
+dns_rbt_formatnodename(dns_rbtnode_t *node, char *printname, unsigned int size);
+/*%<
+ * Format the full name of a node for printing, using dns_name_format().
+ *
+ * Notes:
+ * \li  'size' is the length of the printname buffer.  This should be
+ *      DNS_NAME_FORMATSIZE or larger.
+ *
+ * Requires:
+ * \li  node and printname are not NULL.
+ *
+ * Returns:
+ * \li  The 'printname' pointer.
+ */
+
+unsigned int
+dns_rbt_nodecount(dns_rbt_t *rbt);
+/*%<
+ * Obtain the number of nodes in the tree of trees.
+ *
+ * Requires:
+ * \li  rbt is a valid rbt manager.
+ */
+
+size_t
+dns_rbt_hashsize(dns_rbt_t *rbt);
+/*%<
+ * Obtain the current number of buckets in the 'rbt' hash table.
+ *
+ * Requires:
+ * \li  rbt is a valid rbt manager.
+ */
+
+isc_result_t
+dns_rbt_adjusthashsize(dns_rbt_t *rbt, size_t size);
+/*%<
+ * Adjust the number of buckets in the 'rbt' hash table, according to the
+ * expected maximum size of the rbt database.
+ *
+ * Requires:
+ * \li  rbt is a valid rbt manager.
+ * \li  size is expected maximum memory footprint of rbt.
+ */
+
+void
+dns_rbt_destroy(dns_rbt_t **rbtp);
+isc_result_t
+dns_rbt_destroy2(dns_rbt_t **rbtp, unsigned int quantum);
+/*%<
+ * Stop working with a red-black tree of trees.
+ * If 'quantum' is zero then the entire tree will be destroyed.
+ * If 'quantum' is non zero then up to 'quantum' nodes will be destroyed
+ * allowing the rbt to be incrementally destroyed by repeated calls to
+ * dns_rbt_destroy2().  Once dns_rbt_destroy2() has been called no other
+ * operations than dns_rbt_destroy()/dns_rbt_destroy2() should be
+ * performed on the tree of trees.
+ *
+ * Requires:
+ * \li  *rbt is a valid rbt manager.
+ *
+ * Ensures on ISC_R_SUCCESS:
+ * \li  All space allocated by the RBT library has been returned.
+ *
+ * \li  *rbt is invalidated as an rbt manager.
+ *
+ * Returns:
+ * \li  ISC_R_SUCCESS
+ * \li  ISC_R_QUOTA if 'quantum' nodes have been destroyed.
+ */
+
+off_t
+dns_rbt_serialize_align(off_t target);
+/*%<
+ * Align the provided integer to a pointer-size boundary.
+ * This should be used if, during serialization of data to a will-be
+ * mmap()ed file, a pointer alignment is needed for some data.
+ */
+
+isc_result_t
+dns_rbt_serialize_tree(FILE *file, dns_rbt_t *rbt,
+		       dns_rbtdatawriter_t datawriter, void *writer_arg,
+		       off_t *offset);
+/*%<
+ * Write out the RBT structure and its data to a file.
+ *
+ * Notes:
+ * \li  The file must be an actual file which allows seek() calls, so it cannot
+ *      be a stream.  Returns ISC_R_INVALIDFILE if not.
+ */
+
+isc_result_t
+dns_rbt_deserialize_tree(void *base_address, size_t filesize,
+			 off_t header_offset, isc_mem_t *mctx,
+			 dns_rbtdeleter_t deleter, void *deleter_arg,
+			 dns_rbtdatafixer_t datafixer, void *fixer_arg,
+			 dns_rbtnode_t **originp, dns_rbt_t **rbtp);
+/*%<
+ * Read a RBT structure and its data from a file.
+ *
+ * If 'originp' is not NULL, then it is pointed to the root node of the RBT.
+ *
+ * Notes:
+ * \li  The file must be an actual file which allows seek() calls, so it cannot
+ *      be a stream.  This condition is not checked in the code.
+ */
+
+void
+dns_rbt_printtext(dns_rbt_t *rbt, void (*data_printer)(FILE *, void *),
+		  FILE	    *f);
+/*%<
+ * Print an ASCII representation of the internal structure of the red-black
+ * tree of trees to the passed stream.
+ *
+ * data_printer is a callback function that is called to print the data
+ * in a node. It should print it to the passed FILE stream.
+ *
+ * Notes:
+ * \li  The name stored at each node, along with the node's color, is printed.
+ *      Then the down pointer, left and right pointers are displayed
+ *      recursively in turn.  NULL down pointers are silently omitted;
+ *      NULL left and right pointers are printed.
+ */
+
+void
+dns_rbt_printdot(dns_rbt_t *rbt, bool show_pointers, FILE *f);
+/*%<
+ * Print a GraphViz dot representation of the internal structure of the
+ * red-black tree of trees to the passed stream.
+ *
+ * If show_pointers is TRUE, pointers are also included in the generated
+ * graph.
+ *
+ * Notes:
+ * \li	The name stored at each node, along with the node's color is displayed.
+ *	Then the down pointer, left and right pointers are displayed
+ *	recursively in turn.  NULL left, right and down pointers are
+ *	silently omitted.
+ */
+
+void
+dns_rbt_printnodeinfo(dns_rbtnode_t *n, FILE *f);
+/*%<
+ * Print out various information about a node
+ *
+ * Requires:
+ *\li	'n' is a valid pointer.
+ *
+ *\li	'f' points to a valid open FILE structure that allows writing.
+ */
+
+size_t
+dns__rbt_getheight(dns_rbt_t *rbt);
+/*%<
+ * Return the maximum height of sub-root nodes found in the red-black
+ * forest.
+ *
+ * The height of a node is defined as the number of nodes in the longest
+ * path from the node to a leaf. For each subtree in the forest, this
+ * function determines the height of its root node. Then it returns the
+ * maximum such height in the forest.
+ *
+ * Note: This function exists for testing purposes. Non-test code must
+ * not use it.
+ *
+ * Requires:
+ * \li  rbt is a valid rbt manager.
+ */
+
+bool
+dns__rbt_checkproperties(dns_rbt_t *rbt);
+/*%<
+ * Check red-black properties of the forest.
+ *
+ * Note: This function exists for testing purposes. Non-test code must
+ * not use it.
+ *
+ * Requires:
+ * \li  rbt is a valid rbt manager.
+ */
+
+size_t
+dns__rbtnode_getdistance(dns_rbtnode_t *node);
+/*%<
+ * Return the distance (in nodes) from the node to its upper node of its
+ * subtree. The root node has a distance of 1. A child of the root node
+ * has a distance of 2.
+ */
+
+/*****
+***** Chain Functions
+*****/
+
+void
+dns_rbtnodechain_init(dns_rbtnodechain_t *chain);
+/*%<
+ * Initialize 'chain'.
+ *
+ * Requires:
+ *\li   'chain' is a valid pointer.
+ *
+ * Ensures:
+ *\li   'chain' is suitable for use.
+ */
+
+void
+dns_rbtnodechain_reset(dns_rbtnodechain_t *chain);
+/*%<
+ * Free any dynamic storage associated with 'chain', and then reinitialize
+ * 'chain'.
+ *
+ * Requires:
+ *\li   'chain' is a valid pointer.
+ *
+ * Ensures:
+ *\li   'chain' is suitable for use, and uses no dynamic storage.
+ */
+
+void
+dns_rbtnodechain_invalidate(dns_rbtnodechain_t *chain);
+/*%<
+ * Free any dynamic storage associated with 'chain', and then invalidates it.
+ *
+ * Notes:
+ *\li   Future calls to any dns_rbtnodechain_ function will need to call
+ *      dns_rbtnodechain_init on the chain first (except, of course,
+ *      dns_rbtnodechain_init itself).
+ *
+ * Requires:
+ *\li   'chain' is a valid chain.
+ *
+ * Ensures:
+ *\li   'chain' is no longer suitable for use, and uses no dynamic storage.
+ */
+
+isc_result_t
+dns_rbtnodechain_current(dns_rbtnodechain_t *chain, dns_name_t *name,
+			 dns_name_t *origin, dns_rbtnode_t **node);
+/*%<
+ * Provide the name, origin and node to which the chain is currently pointed.
+ *
+ * Notes:
+ *\li   The tree need not have be locked against additions for the chain
+ *      to remain valid, however there are no guarantees if any deletion
+ *      has been made since the chain was established.
+ *
+ * Requires:
+ *\li   'chain' is a valid chain.
+ *
+ * Ensures:
+ *\li   'node', if non-NULL, is the node to which the chain was pointed
+ *      by dns_rbt_findnode, dns_rbtnodechain_first or dns_rbtnodechain_last.
+ *      If none were called for the chain since it was initialized or reset,
+ *      or if the was no predecessor to the name searched for with
+ *      dns_rbt_findnode, then '*node' is NULL and ISC_R_NOTFOUND is returned.
+ *
+ *\li   'name', if non-NULL, is the name stored at the terminal level of
+ *      the chain.  This is typically a single label, like the "www" of
+ *      "www.isc.org", but need not be so.  At the root of the tree of trees,
+ *      if the node is "." then 'name' is ".", otherwise it is relative to ".".
+ *      (Minimalist and atypical case:  if the tree has just the name
+ *      "isc.org." then the root node's stored name is "isc.org." but 'name'
+ *      will be "isc.org".)
+ *
+ *\li   'origin', if non-NULL, is the sequence of labels in the levels
+ *      above the terminal level, such as "isc.org." in the above example.
+ *      'origin' is always "." for the root node.
+ *
+ *
+ * Returns:
+ *\li   #ISC_R_SUCCESS          name, origin & node were successfully set.
+ *\li   #ISC_R_NOTFOUND         The chain does not point to any node.
+ *\li   &lt;something_else>     Any error return from dns_name_concatenate.
+ */
+
+isc_result_t
+dns_rbtnodechain_first(dns_rbtnodechain_t *chain, dns_rbt_t *rbt,
+		       dns_name_t *name, dns_name_t *origin);
+/*%<
+ * Set the chain to the lexically first node in the tree of trees.
+ *
+ * Notes:
+ *\li   By the definition of ordering for DNS names, the root of the tree of
+ *      trees is the very first node, since everything else in the megatree
+ *      uses it as a common suffix.
+ *
+ * Requires:
+ *\li   'chain' is a valid chain.
+ *\li   'rbt' is a valid rbt manager.
+ *
+ * Ensures:
+ *\li   The chain points to the very first node of the tree.
+ *
+ *\li   'name' and 'origin', if non-NULL, are set as described for
+ *      dns_rbtnodechain_current.  Thus 'origin' will always be ".".
+ *
+ * Returns:
+ *\li   #DNS_R_NEWORIGIN                The name & origin were successfully set.
+ *\li   &lt;something_else>     Any error result from dns_rbtnodechain_current.
+ */
+
+isc_result_t
+dns_rbtnodechain_last(dns_rbtnodechain_t *chain, dns_rbt_t *rbt,
+		      dns_name_t *name, dns_name_t *origin);
+/*%<
+ * Set the chain to the lexically last node in the tree of trees.
+ *
+ * Requires:
+ *\li   'chain' is a valid chain.
+ *\li   'rbt' is a valid rbt manager.
+ *
+ * Ensures:
+ *\li   The chain points to the very last node of the tree.
+ *
+ *\li   'name' and 'origin', if non-NULL, are set as described for
+ *      dns_rbtnodechain_current.
+ *
+ * Returns:
+ *\li   #DNS_R_NEWORIGIN                The name & origin were successfully set.
+ *\li   #ISC_R_NOMEMORY         Resource Limit: Out of Memory building chain.
+ *\li   &lt;something_else>     Any error result from dns_name_concatenate.
+ */
+
+isc_result_t
+dns_rbtnodechain_prev(dns_rbtnodechain_t *chain, dns_name_t *name,
+		      dns_name_t *origin);
+/*%<
+ * Adjusts chain to point the DNSSEC predecessor of the name to which it
+ * is currently pointed.
+ *
+ * Requires:
+ *\li   'chain' is a valid chain.
+ *\li   'chain' has been pointed somewhere in the tree with dns_rbt_findnode,
+ *      dns_rbtnodechain_first or dns_rbtnodechain_last -- and remember that
+ *      dns_rbt_findnode is not guaranteed to point the chain somewhere,
+ *      since there may have been no predecessor to the searched for name.
+ *
+ * Ensures:
+ *\li   The chain is pointed to the predecessor of its current target.
+ *
+ *\li   'name' and 'origin', if non-NULL, are set as described for
+ *      dns_rbtnodechain_current.
+ *
+ *\li   'origin' is only if a new origin was found.
+ *
+ * Returns:
+ *\li   #ISC_R_SUCCESS          The predecessor was found and 'name' was set.
+ *\li   #DNS_R_NEWORIGIN                The predecessor was found with a
+ * different origin and 'name' and 'origin' were set. \li   #ISC_R_NOMORE There
+ * was no predecessor. \li   &lt;something_else>     Any error result from
+ * dns_rbtnodechain_current.
+ */
+
+isc_result_t
+dns_rbtnodechain_next(dns_rbtnodechain_t *chain, dns_name_t *name,
+		      dns_name_t *origin);
+/*%<
+ * Adjusts chain to point the DNSSEC successor of the name to which it
+ * is currently pointed.
+ *
+ * Requires:
+ *\li   'chain' is a valid chain.
+ *\li   'chain' has been pointed somewhere in the tree with dns_rbt_findnode,
+ *      dns_rbtnodechain_first or dns_rbtnodechain_last -- and remember that
+ *      dns_rbt_findnode is not guaranteed to point the chain somewhere,
+ *      since there may have been no predecessor to the searched for name.
+ *
+ * Ensures:
+ *\li   The chain is pointed to the successor of its current target.
+ *
+ *\li   'name' and 'origin', if non-NULL, are set as described for
+ *      dns_rbtnodechain_current.
+ *
+ *\li   'origin' is only if a new origin was found.
+ *
+ * Returns:
+ *\li   #ISC_R_SUCCESS          The successor was found and 'name' was set.
+ *\li   #DNS_R_NEWORIGIN                The successor was found with a different
+ *                              origin and 'name' and 'origin' were set.
+ *\li   #ISC_R_NOMORE           There was no successor.
+ *\li   &lt;something_else>     Any error result from dns_name_concatenate.
+ */
+
+isc_result_t
+dns_rbtnodechain_down(dns_rbtnodechain_t *chain, dns_name_t *name,
+		      dns_name_t *origin);
+/*%<
+ * Descend down if possible.
+ */
+
+isc_result_t
+dns_rbtnodechain_nextflat(dns_rbtnodechain_t *chain, dns_name_t *name);
+/*%<
+ * Find the next node at the current depth in DNSSEC order.
+ */
+
+unsigned int
+dns__rbtnode_namelen(dns_rbtnode_t *node);
+/*%<
+ * Returns the length of the full name of the node. Used only internally
+ * and in unit tests.
+ */
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RBT_H */
diff --git a/lib/dns/include/dns/rcode.h b/lib/dns/include/dns/rcode.h
new file mode 100644
index 0000000..dbc2dfe
--- /dev/null
+++ b/lib/dns/include/dns/rcode.h
@@ -0,0 +1,110 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_RCODE_H
+#define DNS_RCODE_H 1
+
+/*! \file dns/rcode.h */
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_rcode_fromtext(dns_rcode_t *rcodep, isc_textregion_t *source);
+/*%<
+ * Convert the text 'source' refers to into a DNS error value.
+ *
+ * Requires:
+ *\li	'rcodep' is a valid pointer.
+ *
+ *\li	'source' is a valid text region.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS			on success
+ *\li	#DNS_R_UNKNOWN			type is unknown
+ */
+
+isc_result_t
+dns_rcode_totext(dns_rcode_t rcode, isc_buffer_t *target);
+/*%<
+ * Put a textual representation of error 'rcode' into 'target'.
+ *
+ * Requires:
+ *\li	'rcode' is a valid rcode.
+ *
+ *\li	'target' is a valid text buffer.
+ *
+ * Ensures:
+ *\li	If the result is success:
+ *		The used space in 'target' is updated.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS			on success
+ *\li	#ISC_R_NOSPACE			target buffer is too small
+ */
+
+isc_result_t
+dns_tsigrcode_fromtext(dns_rcode_t *rcodep, isc_textregion_t *source);
+/*%<
+ * Convert the text 'source' refers to into a TSIG/TKEY error value.
+ *
+ * Requires:
+ *\li	'rcodep' is a valid pointer.
+ *
+ *\li	'source' is a valid text region.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS			on success
+ *\li	#DNS_R_UNKNOWN			type is unknown
+ */
+
+isc_result_t
+dns_tsigrcode_totext(dns_rcode_t rcode, isc_buffer_t *target);
+/*%<
+ * Put a textual representation of TSIG/TKEY error 'rcode' into 'target'.
+ *
+ * Requires:
+ *\li	'rcode' is a valid TSIG/TKEY error code.
+ *
+ *\li	'target' is a valid text buffer.
+ *
+ * Ensures:
+ *\li	If the result is success:
+ *		The used space in 'target' is updated.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS			on success
+ *\li	#ISC_R_NOSPACE			target buffer is too small
+ */
+
+isc_result_t
+dns_hashalg_fromtext(unsigned char *hashalg, isc_textregion_t *source);
+/*%<
+ * Convert the text 'source' refers to into a has algorithm value.
+ *
+ * Requires:
+ *\li	'hashalg' is a valid pointer.
+ *
+ *\li	'source' is a valid text region.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS			on success
+ *\li	#DNS_R_UNKNOWN			type is unknown
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RCODE_H */
diff --git a/lib/dns/include/dns/rdata.h b/lib/dns/include/dns/rdata.h
new file mode 100644
index 0000000..2118dc4
--- /dev/null
+++ b/lib/dns/include/dns/rdata.h
@@ -0,0 +1,812 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_RDATA_H
+#define DNS_RDATA_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file dns/rdata.h
+ * \brief
+ * Provides facilities for manipulating DNS rdata, including conversions to
+ * and from wire format and text format.
+ *
+ * Given the large amount of rdata possible in a nameserver, it was important
+ * to come up with a very efficient way of storing rdata, but at the same
+ * time allow it to be manipulated.
+ *
+ * The decision was to store rdata in uncompressed wire format,
+ * and not to make it a fully abstracted object; i.e. certain parts of the
+ * server know rdata is stored that way.  This saves a lot of memory, and
+ * makes adding rdata to messages easy.  Having much of the server know
+ * the representation would be perilous, and we certainly don't want each
+ * user of rdata to be manipulating such a low-level structure.  This is
+ * where the rdata module comes in.  The module allows rdata handles to be
+ * created and attached to uncompressed wire format regions.  All rdata
+ * operations and conversions are done through these handles.
+ *
+ * Implementation Notes:
+ *
+ *\li	The routines in this module are expected to be synthesized by the
+ *	build process from a set of source files, one per rdata type.  For
+ *	portability, it's probably best that the building be done by a C
+ *	program.  Adding a new rdata type will be a simple matter of adding
+ *	a file to a directory and rebuilding the server.  *All* knowledge of
+ *	the format of a particular rdata type is in this file.
+ *
+ * MP:
+ *\li	Clients of this module must impose any required synchronization.
+ *
+ * Reliability:
+ *\li	This module deals with low-level byte streams.  Errors in any of
+ *	the functions are likely to crash the server or corrupt memory.
+ *
+ *\li	Rdata is typed, and the caller must know what type of rdata it has.
+ *	A caller that gets this wrong could crash the server.
+ *
+ *\li	The fromstruct() and tostruct() routines use a void * pointer to
+ *	represent the structure.  The caller must ensure that it passes a
+ *	pointer to the appropriate type, or the server could crash or memory
+ *	could be corrupted.
+ *
+ * Resources:
+ *\li	None.
+ *
+ * Security:
+ *
+ *\li	*** WARNING ***
+ *	dns_rdata_fromwire() deals with raw network data.  An error in
+ *	this routine could result in the failure or hijacking of the server.
+ *
+ * Standards:
+ *\li	RFC1035
+ *\li	Draft EDNS0 (0)
+ *\li	Draft EDNS1 (0)
+ *\li	Draft Binary Labels (2)
+ *\li	Draft Local Compression (1)
+ *\li	Various RFCs for particular types; these will be documented in the
+ *	 sources files of the types.
+ *
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+
+#include <dns/message.h>
+#include <dns/name.h>
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Types
+ ***/
+
+/*%
+ ***** An 'rdata' is a handle to a binary region.  The handle has an RR
+ ***** class and type, and the data in the binary region is in the format
+ ***** of the given class and type.
+ *****/
+/*%
+ * Clients are strongly discouraged from using this type directly, with
+ * the exception of the 'link' field which may be used directly for whatever
+ * purpose the client desires.
+ */
+struct dns_rdata {
+	unsigned char	*data;
+	unsigned int	 length;
+	dns_rdataclass_t rdclass;
+	dns_rdatatype_t	 type;
+	unsigned int	 flags;
+	ISC_LINK(dns_rdata_t) link;
+};
+
+#define DNS_RDATA_INIT                                           \
+	{                                                        \
+		NULL, 0, 0, 0, 0, { (void *)(-1), (void *)(-1) } \
+	}
+
+#define DNS_RDATA_CHECKINITIALIZED
+#ifdef DNS_RDATA_CHECKINITIALIZED
+#define DNS_RDATA_INITIALIZED(rdata)                                           \
+	((rdata)->data == NULL && (rdata)->length == 0 &&                      \
+	 (rdata)->rdclass == 0 && (rdata)->type == 0 && (rdata)->flags == 0 && \
+	 !ISC_LINK_LINKED((rdata), link))
+#else /* ifdef DNS_RDATA_CHECKINITIALIZED */
+#ifdef ISC_LIST_CHECKINIT
+#define DNS_RDATA_INITIALIZED(rdata) (!ISC_LINK_LINKED((rdata), link))
+#else /* ifdef ISC_LIST_CHECKINIT */
+#define DNS_RDATA_INITIALIZED(rdata) true
+#endif /* ifdef ISC_LIST_CHECKINIT */
+#endif /* ifdef DNS_RDATA_CHECKINITIALIZED */
+
+#define DNS_RDATA_UPDATE  0x0001 /*%< update pseudo record. */
+#define DNS_RDATA_OFFLINE 0x0002 /*%< RRSIG has a offline key. */
+
+#define DNS_RDATA_VALIDFLAGS(rdata) \
+	(((rdata)->flags & ~(DNS_RDATA_UPDATE | DNS_RDATA_OFFLINE)) == 0)
+
+/*
+ * The maximum length of a RDATA that can be sent on the wire.
+ * Max packet size (65535) less header (12), less name (1), type (2),
+ * class (2), ttl(4), length (2).
+ *
+ * None of the defined types that support name compression can exceed
+ * this and all new types are to be sent uncompressed.
+ */
+
+#define DNS_RDATA_MAXLENGTH 65512U
+
+/*
+ * Flags affecting rdata formatting style.  Flags 0xFFFF0000
+ * are used by masterfile-level formatting and defined elsewhere.
+ * See additional comments at dns_rdata_tofmttext().
+ */
+
+/*% Split the rdata into multiple lines to try to keep it
+ * within the "width". */
+#define DNS_STYLEFLAG_MULTILINE 0x00000001ULL
+
+/*% Output explanatory comments. */
+#define DNS_STYLEFLAG_COMMENT	0x00000002ULL
+#define DNS_STYLEFLAG_RRCOMMENT 0x00000004ULL
+
+/*% Output KEYDATA in human readable format. */
+#define DNS_STYLEFLAG_KEYDATA 0x00000008ULL
+
+/*% Output textual RR type and RDATA in RFC 3597 unknown format */
+#define DNS_STYLEFLAG_UNKNOWNFORMAT 0x00000010ULL
+
+/*% Print AAAA record fully expanded */
+#define DNS_STYLEFLAG_EXPANDAAAA 0x00000020ULL
+
+#define DNS_RDATA_DOWNCASE	 DNS_NAME_DOWNCASE
+#define DNS_RDATA_CHECKNAMES	 DNS_NAME_CHECKNAMES
+#define DNS_RDATA_CHECKNAMESFAIL DNS_NAME_CHECKNAMESFAIL
+#define DNS_RDATA_CHECKREVERSE	 DNS_NAME_CHECKREVERSE
+#define DNS_RDATA_CHECKMX	 DNS_NAME_CHECKMX
+#define DNS_RDATA_CHECKMXFAIL	 DNS_NAME_CHECKMXFAIL
+#define DNS_RDATA_UNKNOWNESCAPE	 0x80000000
+
+/***
+ *** Initialization
+ ***/
+
+void
+dns_rdata_init(dns_rdata_t *rdata);
+/*%<
+ * Make 'rdata' empty.
+ *
+ * Requires:
+ *	'rdata' is a valid rdata (i.e. not NULL, points to a struct dns_rdata)
+ */
+
+void
+dns_rdata_reset(dns_rdata_t *rdata);
+/*%<
+ * Make 'rdata' empty.
+ *
+ * Requires:
+ *\li	'rdata' is a previously initialized rdata and is not linked.
+ */
+
+void
+dns_rdata_clone(const dns_rdata_t *src, dns_rdata_t *target);
+/*%<
+ * Clone 'target' from 'src'.
+ *
+ * Requires:
+ *\li	'src' to be initialized.
+ *\li	'target' to be initialized.
+ */
+
+/***
+ *** Comparisons
+ ***/
+
+int
+dns_rdata_compare(const dns_rdata_t *rdata1, const dns_rdata_t *rdata2);
+/*%<
+ * Determine the relative ordering under the DNSSEC order relation of
+ * 'rdata1' and 'rdata2'.
+ *
+ * Requires:
+ *
+ *\li	'rdata1' is a valid, non-empty rdata
+ *
+ *\li	'rdata2' is a valid, non-empty rdata
+ *
+ * Returns:
+ *\li	< 0		'rdata1' is less than 'rdata2'
+ *\li	0		'rdata1' is equal to 'rdata2'
+ *\li	> 0		'rdata1' is greater than 'rdata2'
+ */
+
+int
+dns_rdata_casecompare(const dns_rdata_t *rdata1, const dns_rdata_t *rdata2);
+/*%<
+ * dns_rdata_casecompare() is similar to dns_rdata_compare() but also
+ * compares domain names case insensitively in known rdata types that
+ * are treated as opaque data by dns_rdata_compare().
+ *
+ * Requires:
+ *
+ *\li	'rdata1' is a valid, non-empty rdata
+ *
+ *\li	'rdata2' is a valid, non-empty rdata
+ *
+ * Returns:
+ *\li	< 0		'rdata1' is less than 'rdata2'
+ *\li	0		'rdata1' is equal to 'rdata2'
+ *\li	> 0		'rdata1' is greater than 'rdata2'
+ */
+
+/***
+ *** Conversions
+ ***/
+
+void
+dns_rdata_fromregion(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
+		     dns_rdatatype_t type, isc_region_t *r);
+/*%<
+ * Make 'rdata' refer to region 'r'.
+ *
+ * Requires:
+ *
+ *\li	The data in 'r' is properly formatted for whatever type it is.
+ */
+
+void
+dns_rdata_toregion(const dns_rdata_t *rdata, isc_region_t *r);
+/*%<
+ * Make 'r' refer to 'rdata'.
+ */
+
+isc_result_t
+dns_rdata_fromwire(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
+		   dns_rdatatype_t type, isc_buffer_t *source,
+		   dns_decompress_t *dctx, unsigned int options,
+		   isc_buffer_t *target);
+/*%<
+ * Copy the possibly-compressed rdata at source into the target region.
+ *
+ * Notes:
+ *\li	Name decompression policy is controlled by 'dctx'.
+ *
+ *	'options'
+ *\li	DNS_RDATA_DOWNCASE	downcase domain names when they are copied
+ *				into target.
+ *
+ * Requires:
+ *
+ *\li	'rdclass' and 'type' are valid.
+ *
+ *\li	'source' is a valid buffer, and the active region of 'source'
+ *	references the rdata to be processed.
+ *
+ *\li	'target' is a valid buffer.
+ *
+ *\li	'dctx' is a valid decompression context.
+ *
+ * Ensures,
+ *	if result is success:
+ *	\li 	If 'rdata' is not NULL, it is attached to the target.
+ *	\li	The conditions dns_name_fromwire() ensures for names hold
+ *		for all names in the rdata.
+ *	\li	The current location in source is advanced, and the used space
+ *		in target is updated.
+ *
+ * Result:
+ *\li	Success
+ *\li	Any non-success status from dns_name_fromwire()
+ *\li	Various 'Bad Form' class failures depending on class and type
+ *\li	Bad Form: Input too short
+ *\li	Resource Limit: Not enough space
+ */
+
+isc_result_t
+dns_rdata_towire(dns_rdata_t *rdata, dns_compress_t *cctx,
+		 isc_buffer_t *target);
+/*%<
+ * Convert 'rdata' into wire format, compressing it as specified by the
+ * compression context 'cctx', and storing the result in 'target'.
+ *
+ * Notes:
+ *\li	If the compression context allows global compression, then the
+ *	global compression table may be updated.
+ *
+ * Requires:
+ *\li	'rdata' is a valid, non-empty rdata
+ *
+ *\li	target is a valid buffer
+ *
+ *\li	Any offsets specified in a global compression table are valid
+ *	for target.
+ *
+ * Ensures,
+ *	if the result is success:
+ *	\li	The used space in target is updated.
+ *
+ * Returns:
+ *\li	Success
+ *\li	Any non-success status from dns_name_towire()
+ *\li	Resource Limit: Not enough space
+ */
+
+isc_result_t
+dns_rdata_fromtext(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
+		   dns_rdatatype_t type, isc_lex_t *lexer,
+		   const dns_name_t *origin, unsigned int options,
+		   isc_mem_t *mctx, isc_buffer_t *target,
+		   dns_rdatacallbacks_t *callbacks);
+/*%<
+ * Convert the textual representation of a DNS rdata into uncompressed wire
+ * form stored in the target region.  Tokens constituting the text of the rdata
+ * are taken from 'lexer'.
+ *
+ * Notes:
+ *\li	Relative domain names in the rdata will have 'origin' appended to them.
+ *	A NULL origin implies "origin == dns_rootname".
+ *
+ *
+ *	'options'
+ *\li	DNS_RDATA_DOWNCASE	downcase domain names when they are copied
+ *				into target.
+ *\li	DNS_RDATA_CHECKNAMES 	perform checknames checks.
+ *\li	DNS_RDATA_CHECKNAMESFAIL fail if the checknames check fail.  If
+ *				not set a warning will be issued.
+ *\li	DNS_RDATA_CHECKREVERSE  this should set if the owner name ends
+ *				in IP6.ARPA, IP6.INT or IN-ADDR.ARPA.
+ *
+ * Requires:
+ *
+ *\li	'rdclass' and 'type' are valid.
+ *
+ *\li	'lexer' is a valid isc_lex_t.
+ *
+ *\li	'mctx' is a valid isc_mem_t.
+ *
+ *\li	'target' is a valid region.
+ *
+ *\li	'origin' if non NULL it must be absolute.
+ *
+ *\li	'callbacks' to be NULL or callbacks->warn and callbacks->error be
+ *	initialized.
+ *
+ * Ensures,
+ *	if result is success:
+ *\li	 	If 'rdata' is not NULL, it is attached to the target.
+ *
+ *\li		The conditions dns_name_fromtext() ensures for names hold
+ *		for all names in the rdata.
+ *
+ *\li		The used space in target is updated.
+ *
+ * Result:
+ *\li	Success
+ *\li	Translated result codes from isc_lex_gettoken
+ *\li	Various 'Bad Form' class failures depending on class and type
+ *\li	Bad Form: Input too short
+ *\li	Resource Limit: Not enough space
+ *\li	Resource Limit: Not enough memory
+ */
+
+isc_result_t
+dns_rdata_totext(dns_rdata_t *rdata, const dns_name_t *origin,
+		 isc_buffer_t *target);
+/*%<
+ * Convert 'rdata' into text format, storing the result in 'target'.
+ * The text will consist of a single line, with fields separated by
+ * single spaces.
+ *
+ * Notes:
+ *\li	If 'origin' is not NULL, then any names in the rdata that are
+ *	subdomains of 'origin' will be made relative it.
+ *
+ *\li	XXX Do we *really* want to support 'origin'?  I'm inclined towards "no"
+ *	at the moment.
+ *
+ * Requires:
+ *
+ *\li	'rdata' is a valid, non-empty rdata
+ *
+ *\li	'origin' is NULL, or is a valid name
+ *
+ *\li	'target' is a valid text buffer
+ *
+ * Ensures,
+ *	if the result is success:
+ *
+ *	\li	The used space in target is updated.
+ *
+ * Returns:
+ *\li	Success
+ *\li	Any non-success status from dns_name_totext()
+ *\li	Resource Limit: Not enough space
+ */
+
+isc_result_t
+dns_rdata_tofmttext(dns_rdata_t *rdata, const dns_name_t *origin,
+		    dns_masterstyle_flags_t flags, unsigned int width,
+		    unsigned int split_width, const char *linebreak,
+		    isc_buffer_t *target);
+/*%<
+ * Like dns_rdata_totext, but do formatted output suitable for
+ * database dumps.  This is intended for use by dns_db_dump();
+ * library users are discouraged from calling it directly.
+ *
+ * If (flags & #DNS_STYLEFLAG_MULTILINE) != 0, attempt to stay
+ * within 'width' by breaking the text into multiple lines.
+ * The string 'linebreak' is inserted between lines, and parentheses
+ * are added when necessary.  Because RRs contain unbreakable elements
+ * such as domain names whose length is variable, unpredictable, and
+ * potentially large, there is no guarantee that the lines will
+ * not exceed 'width' anyway.
+ *
+ * If (flags & #DNS_STYLEFLAG_MULTILINE) == 0, the rdata is always
+ * printed as a single line, and no parentheses are used.
+ * The 'width' and 'linebreak' arguments are ignored.
+ *
+ * If (flags & #DNS_STYLEFLAG_COMMENT) != 0, output explanatory
+ * comments next to things like the SOA timer fields.  Some
+ * comments (e.g., the SOA ones) are only printed when multiline
+ * output is selected.
+ *
+ * base64 rdata text (e.g., DNSKEY records) will be split into chunks
+ * of 'split_width' characters.  If split_width == 0, the text will
+ * not be split at all.  If split_width == UINT_MAX (0xffffffff), then
+ * it is undefined and falls back to the default value of 'width'
+ */
+
+isc_result_t
+dns_rdata_fromstruct(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
+		     dns_rdatatype_t type, void *source, isc_buffer_t *target);
+/*%<
+ * Convert the C structure representation of an rdata into uncompressed wire
+ * format in 'target'.
+ *
+ * XXX  Should we have a 'size' parameter as a sanity check on target?
+ *
+ * Requires:
+ *
+ *\li	'rdclass' and 'type' are valid.
+ *
+ *\li	'source' points to a valid C struct for the class and type.
+ *
+ *\li	'target' is a valid buffer.
+ *
+ *\li	All structure pointers to memory blocks should be NULL if their
+ *	corresponding length values are zero.
+ *
+ * Ensures,
+ *	if result is success:
+ *	\li 	If 'rdata' is not NULL, it is attached to the target.
+ *
+ *	\li	The used space in 'target' is updated.
+ *
+ * Result:
+ *\li	Success
+ *\li	Various 'Bad Form' class failures depending on class and type
+ *\li	Resource Limit: Not enough space
+ */
+
+isc_result_t
+dns_rdata_tostruct(const dns_rdata_t *rdata, void *target, isc_mem_t *mctx);
+/*%<
+ * Convert an rdata into its C structure representation.
+ *
+ * If 'mctx' is NULL then 'rdata' must persist while 'target' is being used.
+ *
+ * If 'mctx' is non NULL then memory will be allocated if required.
+ *
+ * Requires:
+ *
+ *\li	'rdata' is a valid, non-empty, non-pseudo rdata.
+ *
+ *\li	'target' to point to a valid pointer for the type and class.
+ *
+ * Result:
+ *\li	Success
+ *\li	Resource Limit: Not enough memory
+ */
+
+void
+dns_rdata_freestruct(void *source);
+/*%<
+ * Free dynamic memory attached to 'source' (if any).
+ *
+ * Requires:
+ *
+ *\li	'source' to point to the structure previously filled in by
+ *	dns_rdata_tostruct().
+ */
+
+bool
+dns_rdatatype_ismeta(dns_rdatatype_t type);
+/*%<
+ * Return true iff the rdata type 'type' is a meta-type
+ * like ANY or AXFR.
+ */
+
+bool
+dns_rdatatype_issingleton(dns_rdatatype_t type);
+/*%<
+ * Return true iff the rdata type 'type' is a singleton type,
+ * like CNAME or SOA.
+ *
+ * Requires:
+ * \li	'type' is a valid rdata type.
+ *
+ */
+
+bool
+dns_rdataclass_ismeta(dns_rdataclass_t rdclass);
+/*%<
+ * Return true iff the rdata class 'rdclass' is a meta-class
+ * like ANY or NONE.
+ */
+
+bool
+dns_rdatatype_isdnssec(dns_rdatatype_t type);
+/*%<
+ * Return true iff 'type' is one of the DNSSEC
+ * rdata types that may exist alongside a CNAME record.
+ *
+ * Requires:
+ * \li	'type' is a valid rdata type.
+ */
+
+bool
+dns_rdatatype_iszonecutauth(dns_rdatatype_t type);
+/*%<
+ * Return true iff rdata of type 'type' is considered authoritative
+ * data (not glue) in the NSEC chain when it occurs in the parent zone
+ * at a zone cut.
+ *
+ * Requires:
+ * \li	'type' is a valid rdata type.
+ *
+ */
+
+bool
+dns_rdatatype_isknown(dns_rdatatype_t type);
+/*%<
+ * Return true iff the rdata type 'type' is known.
+ *
+ * Requires:
+ * \li	'type' is a valid rdata type.
+ *
+ */
+
+isc_result_t
+dns_rdata_additionaldata(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
+			 void *arg);
+/*%<
+ * Call 'add' for each name and type from 'rdata' which is subject to
+ * additional section processing.
+ *
+ * Requires:
+ *
+ *\li	'rdata' is a valid, non-empty rdata.
+ *
+ *\li	'add' is a valid dns_additionalfunc_t.
+ *
+ * Ensures:
+ *
+ *\li	If successful, then add() will have been called for each name
+ *	and type subject to additional section processing.
+ *
+ *\li	If add() returns something other than #ISC_R_SUCCESS, that result
+ *	will be returned as the result of dns_rdata_additionaldata().
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS
+ *
+ *\li	Many other results are possible if not successful.
+ */
+
+isc_result_t
+dns_rdata_digest(dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg);
+/*%<
+ * Send 'rdata' in DNSSEC canonical form to 'digest'.
+ *
+ * Note:
+ *\li	'digest' may be called more than once by dns_rdata_digest().  The
+ *	concatenation of all the regions, in the order they were given
+ *	to 'digest', will be the DNSSEC canonical form of 'rdata'.
+ *
+ * Requires:
+ *
+ *\li	'rdata' is a valid, non-empty rdata.
+ *
+ *\li	'digest' is a valid dns_digestfunc_t.
+ *
+ * Ensures:
+ *
+ *\li	If successful, then all of the rdata's data has been sent, in
+ *	DNSSEC canonical form, to 'digest'.
+ *
+ *\li	If digest() returns something other than ISC_R_SUCCESS, that result
+ *	will be returned as the result of dns_rdata_digest().
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS
+ *
+ *\li	Many other results are possible if not successful.
+ */
+
+bool
+dns_rdatatype_questiononly(dns_rdatatype_t type);
+/*%<
+ * Return true iff rdata of type 'type' can only appear in the question
+ * section of a properly formatted message.
+ *
+ * Requires:
+ * \li	'type' is a valid rdata type.
+ *
+ */
+
+bool
+dns_rdatatype_notquestion(dns_rdatatype_t type);
+/*%<
+ * Return true iff rdata of type 'type' can not appear in the question
+ * section of a properly formatted message.
+ *
+ * Requires:
+ * \li	'type' is a valid rdata type.
+ *
+ */
+
+bool
+dns_rdatatype_atparent(dns_rdatatype_t type);
+/*%<
+ * Return true iff rdata of type 'type' should appear at the parent of
+ * a zone cut.
+ *
+ * Requires:
+ * \li	'type' is a valid rdata type.
+ *
+ */
+
+bool
+dns_rdatatype_atcname(dns_rdatatype_t type);
+/*%<
+ * Return true iff rdata of type 'type' can appear beside a cname.
+ *
+ * Requires:
+ * \li	'type' is a valid rdata type.
+ *
+ */
+
+bool
+dns_rdatatype_followadditional(dns_rdatatype_t type);
+/*%<
+ * Return true if adding a record of type 'type' to the ADDITIONAL section
+ * of a message can itself trigger the addition of still more data to the
+ * additional section.
+ *
+ * (For example: adding SRV to the ADDITIONAL section may trigger
+ * the addition of address records associated with that SRV.)
+ *
+ * Requires:
+ * \li	'type' is a valid rdata type.
+ *
+ */
+
+unsigned int
+dns_rdatatype_attributes(dns_rdatatype_t rdtype);
+/*%<
+ * Return attributes for the given type.
+ *
+ * Requires:
+ *\li	'rdtype' are known.
+ *
+ * Returns:
+ *\li	a bitmask consisting of the following flags.
+ */
+
+/*% only one may exist for a name */
+#define DNS_RDATATYPEATTR_SINGLETON 0x00000001U
+/*% requires no other data be present */
+#define DNS_RDATATYPEATTR_EXCLUSIVE 0x00000002U
+/*% Is a meta type */
+#define DNS_RDATATYPEATTR_META 0x00000004U
+/*% Is a DNSSEC type, like RRSIG or NSEC */
+#define DNS_RDATATYPEATTR_DNSSEC 0x00000008U
+/*% Is a zone cut authority type */
+#define DNS_RDATATYPEATTR_ZONECUTAUTH 0x00000010U
+/*% Is reserved (unusable) */
+#define DNS_RDATATYPEATTR_RESERVED 0x00000020U
+/*% Is an unknown type */
+#define DNS_RDATATYPEATTR_UNKNOWN 0x00000040U
+/*% Is META, and can only be in a question section */
+#define DNS_RDATATYPEATTR_QUESTIONONLY 0x00000080U
+/*% Is META, and can NOT be in a question section */
+#define DNS_RDATATYPEATTR_NOTQUESTION 0x00000100U
+/*% Is present at zone cuts in the parent, not the child */
+#define DNS_RDATATYPEATTR_ATPARENT 0x00000200U
+/*% Can exist along side a CNAME */
+#define DNS_RDATATYPEATTR_ATCNAME 0x00000400U
+/*% Follow additional */
+#define DNS_RDATATYPEATTR_FOLLOWADDITIONAL 0x00000800U
+
+dns_rdatatype_t
+dns_rdata_covers(dns_rdata_t *rdata);
+/*%<
+ * Return the rdatatype that this type covers.
+ *
+ * Requires:
+ *\li	'rdata' is a valid, non-empty rdata.
+ *
+ *\li	'rdata' is a type that covers other rdata types.
+ *
+ * Returns:
+ *\li	The type covered.
+ */
+
+bool
+dns_rdata_checkowner(const dns_name_t *name, dns_rdataclass_t rdclass,
+		     dns_rdatatype_t type, bool wildcard);
+/*
+ * Returns whether this is a valid ownername for this <type,class>.
+ * If wildcard is true allow the first label to be a wildcard if
+ * appropriate.
+ *
+ * Requires:
+ *	'name' is a valid name.
+ */
+
+bool
+dns_rdata_checknames(dns_rdata_t *rdata, const dns_name_t *owner,
+		     dns_name_t *bad);
+/*
+ * Returns whether 'rdata' contains valid domain names.  The checks are
+ * sensitive to the owner name.
+ *
+ * If 'bad' is non-NULL and a domain name fails the check the
+ * the offending name will be return in 'bad' by cloning from
+ * the 'rdata' contents.
+ *
+ * Requires:
+ *	'rdata' to be valid.
+ *	'owner' to be valid.
+ *	'bad'	to be NULL or valid.
+ */
+
+void
+dns_rdata_exists(dns_rdata_t *rdata, dns_rdatatype_t type);
+
+void
+dns_rdata_notexist(dns_rdata_t *rdata, dns_rdatatype_t type);
+
+void
+dns_rdata_deleterrset(dns_rdata_t *rdata, dns_rdatatype_t type);
+
+void
+dns_rdata_makedelete(dns_rdata_t *rdata);
+
+const char *
+dns_rdata_updateop(dns_rdata_t *rdata, dns_section_t section);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RDATA_H */
diff --git a/lib/dns/include/dns/rdataclass.h b/lib/dns/include/dns/rdataclass.h
new file mode 100644
index 0000000..033d08d
--- /dev/null
+++ b/lib/dns/include/dns/rdataclass.h
@@ -0,0 +1,94 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_RDATACLASS_H
+#define DNS_RDATACLASS_H 1
+
+/*! \file dns/rdataclass.h */
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_rdataclass_fromtext(dns_rdataclass_t *classp, isc_textregion_t *source);
+/*%<
+ * Convert the text 'source' refers to into a DNS class.
+ *
+ * Requires:
+ *\li	'classp' is a valid pointer.
+ *
+ *\li	'source' is a valid text region.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS			on success
+ *\li	#DNS_R_UNKNOWN			class is unknown
+ */
+
+isc_result_t
+dns_rdataclass_totext(dns_rdataclass_t rdclass, isc_buffer_t *target);
+/*%<
+ * Put a textual representation of class 'rdclass' into 'target'.
+ *
+ * Requires:
+ *\li	'rdclass' is a valid class.
+ *
+ *\li	'target' is a valid text buffer.
+ *
+ * Ensures,
+ *	if the result is success:
+ *\li		The used space in 'target' is updated.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS			on success
+ *\li	#ISC_R_NOSPACE			target buffer is too small
+ */
+
+isc_result_t
+dns_rdataclass_tounknowntext(dns_rdataclass_t rdclass, isc_buffer_t *target);
+/*%<
+ * Put textual RFC3597 CLASSXXXX representation of class 'rdclass' into
+ * 'target'.
+ *
+ * Requires:
+ *\li	'rdclass' is a valid class.
+ *
+ *\li	'target' is a valid text buffer.
+ *
+ * Ensures,
+ *	if the result is success:
+ *\li		The used space in 'target' is updated.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS			on success
+ *\li	#ISC_R_NOSPACE			target buffer is too small
+ */
+
+void
+dns_rdataclass_format(dns_rdataclass_t rdclass, char *array, unsigned int size);
+/*%<
+ * Format a human-readable representation of the class 'rdclass'
+ * into the character array 'array', which is of size 'size'.
+ * The resulting string is guaranteed to be null-terminated.
+ */
+
+#define DNS_RDATACLASS_FORMATSIZE sizeof("CLASS65535")
+/*%<
+ * Minimum size of array to pass to dns_rdataclass_format().
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RDATACLASS_H */
diff --git a/lib/dns/include/dns/rdatalist.h b/lib/dns/include/dns/rdatalist.h
new file mode 100644
index 0000000..3d49064
--- /dev/null
+++ b/lib/dns/include/dns/rdatalist.h
@@ -0,0 +1,123 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_RDATALIST_H
+#define DNS_RDATALIST_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file dns/rdatalist.h
+ * \brief
+ * A DNS rdatalist is a list of rdata of a common type and class.
+ *
+ * MP:
+ *\li	Clients of this module must impose any required synchronization.
+ *
+ * Reliability:
+ *\li	No anticipated impact.
+ *
+ * Resources:
+ *\li	TBS
+ *
+ * Security:
+ *\li	No anticipated impact.
+ *
+ * Standards:
+ *\li	None.
+ */
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+/*%
+ * Clients may use this type directly.
+ */
+struct dns_rdatalist {
+	dns_rdataclass_t rdclass;
+	dns_rdatatype_t	 type;
+	dns_rdatatype_t	 covers;
+	dns_ttl_t	 ttl;
+	ISC_LIST(dns_rdata_t) rdata;
+	ISC_LINK(dns_rdatalist_t) link;
+	/*%<
+	 * Case vector.  If the bit is set then the corresponding
+	 * character in the owner name needs to be AND'd with 0x20,
+	 * rendering that character upper case.
+	 */
+	unsigned char upper[32];
+};
+
+ISC_LANG_BEGINDECLS
+
+void
+dns_rdatalist_init(dns_rdatalist_t *rdatalist);
+/*%<
+ * Initialize rdatalist.
+ *
+ * Ensures:
+ *\li	All fields of rdatalist have been initialized to their default
+ *	values.
+ */
+
+isc_result_t
+dns_rdatalist_tordataset(dns_rdatalist_t *rdatalist, dns_rdataset_t *rdataset);
+/*%<
+ * Make 'rdataset' refer to the rdata in 'rdatalist'.
+ *
+ * Note:
+ *\li	The caller must ensure that 'rdatalist' remains valid and unchanged
+ *	while 'rdataset' is associated with it.
+ *
+ * Requires:
+ *
+ *\li	'rdatalist' is a valid rdatalist.
+ *
+ *\li	'rdataset' is a valid rdataset that is not currently associated with
+ *	any rdata.
+ *
+ * Ensures,
+ *	on success,
+ *
+ *\li		'rdataset' is associated with the rdata in rdatalist.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ */
+
+isc_result_t
+dns_rdatalist_fromrdataset(dns_rdataset_t   *rdataset,
+			   dns_rdatalist_t **rdatalist);
+/*%<
+ * Point 'rdatalist' to the rdatalist in 'rdataset'.
+ *
+ * Requires:
+ *
+ *\li	'rdatalist' is a pointer to a NULL dns_rdatalist_t pointer.
+ *
+ *\li	'rdataset' is a valid rdataset associated with an rdatalist.
+ *
+ * Ensures,
+ *	on success,
+ *
+ *\li		'rdatalist' is pointed to the rdatalist in rdataset.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RDATALIST_H */
diff --git a/lib/dns/include/dns/rdataset.h b/lib/dns/include/dns/rdataset.h
new file mode 100644
index 0000000..de3f638
--- /dev/null
+++ b/lib/dns/include/dns/rdataset.h
@@ -0,0 +1,615 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_RDATASET_H
+#define DNS_RDATASET_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file dns/rdataset.h
+ * \brief
+ * A DNS rdataset is a handle that can be associated with a collection of
+ * rdata all having a common owner name, class, and type.
+ *
+ * The dns_rdataset_t type is like a "virtual class".  To actually use
+ * rdatasets, an implementation of the method suite (e.g. "slabbed rdata") is
+ * required.
+ *
+ * XXX &lt;more&gt; XXX
+ *
+ * MP:
+ *\li	Clients of this module must impose any required synchronization.
+ *
+ * Reliability:
+ *\li	No anticipated impact.
+ *
+ * Resources:
+ *\li	TBS
+ *
+ * Security:
+ *\li	No anticipated impact.
+ *
+ * Standards:
+ *\li	None.
+ */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/stdtime.h>
+
+#include <dns/rdatastruct.h>
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+typedef enum {
+	dns_rdatasetadditional_fromauth,
+	dns_rdatasetadditional_fromcache,
+	dns_rdatasetadditional_fromglue
+} dns_rdatasetadditional_t;
+
+typedef struct dns_rdatasetmethods {
+	void (*disassociate)(dns_rdataset_t *rdataset);
+	isc_result_t (*first)(dns_rdataset_t *rdataset);
+	isc_result_t (*next)(dns_rdataset_t *rdataset);
+	void (*current)(dns_rdataset_t *rdataset, dns_rdata_t *rdata);
+	void (*clone)(dns_rdataset_t *source, dns_rdataset_t *target);
+	unsigned int (*count)(dns_rdataset_t *rdataset);
+	isc_result_t (*addnoqname)(dns_rdataset_t   *rdataset,
+				   const dns_name_t *name);
+	isc_result_t (*getnoqname)(dns_rdataset_t *rdataset, dns_name_t *name,
+				   dns_rdataset_t *neg, dns_rdataset_t *negsig);
+	isc_result_t (*addclosest)(dns_rdataset_t   *rdataset,
+				   const dns_name_t *name);
+	isc_result_t (*getclosest)(dns_rdataset_t *rdataset, dns_name_t *name,
+				   dns_rdataset_t *neg, dns_rdataset_t *negsig);
+	void (*settrust)(dns_rdataset_t *rdataset, dns_trust_t trust);
+	void (*expire)(dns_rdataset_t *rdataset);
+	void (*clearprefetch)(dns_rdataset_t *rdataset);
+	void (*setownercase)(dns_rdataset_t *rdataset, const dns_name_t *name);
+	void (*getownercase)(const dns_rdataset_t *rdataset, dns_name_t *name);
+	isc_result_t (*addglue)(dns_rdataset_t	*rdataset,
+				dns_dbversion_t *version, dns_message_t *msg);
+} dns_rdatasetmethods_t;
+
+#define DNS_RDATASET_MAGIC	ISC_MAGIC('D', 'N', 'S', 'R')
+#define DNS_RDATASET_VALID(set) ISC_MAGIC_VALID(set, DNS_RDATASET_MAGIC)
+
+/*%
+ * Direct use of this structure by clients is strongly discouraged, except
+ * for the 'link' field which may be used however the client wishes.  The
+ * 'private', 'current', and 'index' fields MUST NOT be changed by clients.
+ * rdataset implementations may change any of the fields.
+ */
+struct dns_rdataset {
+	unsigned int	       magic;
+	dns_rdatasetmethods_t *methods;
+	ISC_LINK(dns_rdataset_t) link;
+
+	/*
+	 * XXX do we need these, or should they be retrieved by methods?
+	 * Leaning towards the latter, since they are not frequently required
+	 * once you have the rdataset.
+	 */
+	dns_rdataclass_t rdclass;
+	dns_rdatatype_t	 type;
+	dns_ttl_t	 ttl;
+
+	dns_trust_t	trust;
+	dns_rdatatype_t covers;
+
+	/*
+	 * attributes
+	 */
+	unsigned int attributes;
+
+	/*%
+	 * the counter provides the starting point in the "cyclic" order.
+	 * The value UINT32_MAX has a special meaning of "picking up a
+	 * random value." in order to take care of databases that do not
+	 * increment the counter.
+	 */
+	uint32_t count;
+
+	/*
+	 * This RRSIG RRset should be re-generated around this time.
+	 * Only valid if DNS_RDATASETATTR_RESIGN is set in attributes.
+	 */
+	isc_stdtime_t resign;
+
+	/*@{*/
+	/*%
+	 * These are for use by the rdataset implementation, and MUST NOT
+	 * be changed by clients.
+	 */
+	void	    *private1;
+	void	    *private2;
+	void	    *private3;
+	unsigned int privateuint4;
+	void	    *private5;
+	const void  *private6;
+	const void  *private7;
+	/*@}*/
+};
+
+/*!
+ * \def DNS_RDATASETATTR_RENDERED
+ *	Used by message.c to indicate that the rdataset was rendered.
+ *
+ * \def DNS_RDATASETATTR_TTLADJUSTED
+ *	Used by message.c to indicate that the rdataset's rdata had differing
+ *	TTL values, and the rdataset->ttl holds the smallest.
+ *
+ * \def DNS_RDATASETATTR_LOADORDER
+ *	Output the RRset in load order.
+ *
+ * \def DNS_RDATASETATTR_STALE_ADDED
+ *	Set on rdatasets that were added during a stale-answer-client-timeout
+ *	lookup. In other words, the RRset was added during a lookup of stale
+ *	data and does not necessarily mean that the rdataset itself is stale.
+ */
+
+#define DNS_RDATASETATTR_NONE	      0x00000000 /*%< No ordering. */
+#define DNS_RDATASETATTR_QUESTION     0x00000001
+#define DNS_RDATASETATTR_RENDERED     0x00000002 /*%< Used by message.c */
+#define DNS_RDATASETATTR_ANSWERED     0x00000004 /*%< Used by server. */
+#define DNS_RDATASETATTR_CACHE	      0x00000008 /*%< Used by resolver. */
+#define DNS_RDATASETATTR_ANSWER	      0x00000010 /*%< Used by resolver. */
+#define DNS_RDATASETATTR_ANSWERSIG    0x00000020 /*%< Used by resolver. */
+#define DNS_RDATASETATTR_EXTERNAL     0x00000040 /*%< Used by resolver. */
+#define DNS_RDATASETATTR_NCACHE	      0x00000080 /*%< Used by resolver. */
+#define DNS_RDATASETATTR_CHAINING     0x00000100 /*%< Used by resolver. */
+#define DNS_RDATASETATTR_TTLADJUSTED  0x00000200 /*%< Used by message.c */
+#define DNS_RDATASETATTR_FIXEDORDER   0x00000400 /*%< Fixed ordering. */
+#define DNS_RDATASETATTR_RANDOMIZE    0x00000800 /*%< Random ordering. */
+#define DNS_RDATASETATTR_CHASE	      0x00001000 /*%< Used by resolver. */
+#define DNS_RDATASETATTR_NXDOMAIN     0x00002000
+#define DNS_RDATASETATTR_NOQNAME      0x00004000
+#define DNS_RDATASETATTR_CHECKNAMES   0x00008000 /*%< Used by resolver. */
+#define DNS_RDATASETATTR_REQUIRED     0x00010000
+#define DNS_RDATASETATTR_REQUIREDGLUE DNS_RDATASETATTR_REQUIRED
+#define DNS_RDATASETATTR_LOADORDER    0x00020000
+#define DNS_RDATASETATTR_RESIGN	      0x00040000
+#define DNS_RDATASETATTR_CLOSEST      0x00080000
+#define DNS_RDATASETATTR_OPTOUT	      0x00100000 /*%< OPTOUT proof */
+#define DNS_RDATASETATTR_NEGATIVE     0x00200000
+#define DNS_RDATASETATTR_PREFETCH     0x00400000
+#define DNS_RDATASETATTR_CYCLIC	      0x00800000 /*%< Cyclic ordering. */
+#define DNS_RDATASETATTR_STALE	      0x01000000
+#define DNS_RDATASETATTR_ANCIENT      0x02000000
+#define DNS_RDATASETATTR_STALE_WINDOW 0x04000000
+#define DNS_RDATASETATTR_STALE_ADDED  0x08000000
+
+/*%
+ * _OMITDNSSEC:
+ * 	Omit DNSSEC records when rendering ncache records.
+ */
+#define DNS_RDATASETTOWIRE_OMITDNSSEC 0x0001
+
+void
+dns_rdataset_init(dns_rdataset_t *rdataset);
+/*%<
+ * Make 'rdataset' a valid, disassociated rdataset.
+ *
+ * Requires:
+ *\li	'rdataset' is not NULL.
+ *
+ * Ensures:
+ *\li	'rdataset' is a valid, disassociated rdataset.
+ */
+
+void
+dns_rdataset_invalidate(dns_rdataset_t *rdataset);
+/*%<
+ * Invalidate 'rdataset'.
+ *
+ * Requires:
+ *\li	'rdataset' is a valid, disassociated rdataset.
+ *
+ * Ensures:
+ *\li	If assertion checking is enabled, future attempts to use 'rdataset'
+ *	without initializing it will cause an assertion failure.
+ */
+
+void
+dns_rdataset_disassociate(dns_rdataset_t *rdataset);
+/*%<
+ * Disassociate 'rdataset' from its rdata, allowing it to be reused.
+ *
+ * Notes:
+ *\li	The client must ensure it has no references to rdata in the rdataset
+ *	before disassociating.
+ *
+ * Requires:
+ *\li	'rdataset' is a valid, associated rdataset.
+ *
+ * Ensures:
+ *\li	'rdataset' is a valid, disassociated rdataset.
+ */
+
+bool
+dns_rdataset_isassociated(dns_rdataset_t *rdataset);
+/*%<
+ * Is 'rdataset' associated?
+ *
+ * Requires:
+ *\li	'rdataset' is a valid rdataset.
+ *
+ * Returns:
+ *\li	#true			'rdataset' is associated.
+ *\li	#false			'rdataset' is not associated.
+ */
+
+void
+dns_rdataset_makequestion(dns_rdataset_t *rdataset, dns_rdataclass_t rdclass,
+			  dns_rdatatype_t type);
+/*%<
+ * Make 'rdataset' a valid, associated, question rdataset, with a
+ * question class of 'rdclass' and type 'type'.
+ *
+ * Notes:
+ *\li	Question rdatasets have a class and type, but no rdata.
+ *
+ * Requires:
+ *\li	'rdataset' is a valid, disassociated rdataset.
+ *
+ * Ensures:
+ *\li	'rdataset' is a valid, associated, question rdataset.
+ */
+
+void
+dns_rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target);
+/*%<
+ * Make 'target' refer to the same rdataset as 'source'.
+ *
+ * Requires:
+ *\li	'source' is a valid, associated rdataset.
+ *
+ *\li	'target' is a valid, dissociated rdataset.
+ *
+ * Ensures:
+ *\li	'target' references the same rdataset as 'source'.
+ */
+
+unsigned int
+dns_rdataset_count(dns_rdataset_t *rdataset);
+/*%<
+ * Return the number of records in 'rdataset'.
+ *
+ * Requires:
+ *\li	'rdataset' is a valid, associated rdataset.
+ *
+ * Returns:
+ *\li	The number of records in 'rdataset'.
+ */
+
+isc_result_t
+dns_rdataset_first(dns_rdataset_t *rdataset);
+/*%<
+ * Move the rdata cursor to the first rdata in the rdataset (if any).
+ *
+ * Requires:
+ *\li	'rdataset' is a valid, associated rdataset.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMORE			There are no rdata in the set.
+ */
+
+isc_result_t
+dns_rdataset_next(dns_rdataset_t *rdataset);
+/*%<
+ * Move the rdata cursor to the next rdata in the rdataset (if any).
+ *
+ * Requires:
+ *\li	'rdataset' is a valid, associated rdataset.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMORE			There are no more rdata in the set.
+ */
+
+void
+dns_rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata);
+/*%<
+ * Make 'rdata' refer to the current rdata.
+ *
+ * Notes:
+ *
+ *\li	The data returned in 'rdata' is valid for the life of the
+ *	rdataset; in particular, subsequent changes in the cursor position
+ *	do not invalidate 'rdata'.
+ *
+ * Requires:
+ *\li	'rdataset' is a valid, associated rdataset.
+ *
+ *\li	The rdata cursor of 'rdataset' is at a valid location (i.e. the
+ *	result of last call to a cursor movement command was ISC_R_SUCCESS).
+ *
+ * Ensures:
+ *\li	'rdata' refers to the rdata at the rdata cursor location of
+ *\li	'rdataset'.
+ */
+
+isc_result_t
+dns_rdataset_totext(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
+		    bool omit_final_dot, bool question, isc_buffer_t *target);
+/*%<
+ * Convert 'rdataset' to text format, storing the result in 'target'.
+ *
+ * Notes:
+ *\li	The rdata cursor position will be changed.
+ *
+ *\li	The 'question' flag should normally be #false.  If it is
+ *	#true, the TTL and rdata fields are not printed.  This is
+ *	for use when printing an rdata representing a question section.
+ *
+ *\li	This interface is deprecated; use dns_master_rdatasettottext()
+ * 	and/or dns_master_questiontotext() instead.
+ *
+ * Requires:
+ *\li	'rdataset' is a valid rdataset.
+ *
+ *\li	'rdataset' is not empty.
+ */
+
+isc_result_t
+dns_rdataset_towire(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
+		    dns_compress_t *cctx, isc_buffer_t *target,
+		    unsigned int options, unsigned int *countp);
+/*%<
+ * Convert 'rdataset' to wire format, compressing names as specified
+ * in 'cctx', and storing the result in 'target'.
+ *
+ * Notes:
+ *\li	The rdata cursor position will be changed.
+ *
+ *\li	The number of RRs added to target will be added to *countp.
+ *
+ * Requires:
+ *\li	'rdataset' is a valid rdataset.
+ *
+ *\li	'rdataset' is not empty.
+ *
+ *\li	'countp' is a valid pointer.
+ *
+ * Ensures:
+ *\li	On a return of ISC_R_SUCCESS, 'target' contains a wire format
+ *	for the data contained in 'rdataset'.  Any error return leaves
+ *	the buffer unchanged.
+ *
+ *\li	*countp has been incremented by the number of RRs added to
+ *	target.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		- all ok
+ *\li	#ISC_R_NOSPACE		- 'target' doesn't have enough room
+ *
+ *\li	Any error returned by dns_rdata_towire(), dns_rdataset_next(),
+ *	dns_name_towire().
+ */
+
+isc_result_t
+dns_rdataset_towiresorted(dns_rdataset_t   *rdataset,
+			  const dns_name_t *owner_name, dns_compress_t *cctx,
+			  isc_buffer_t *target, dns_rdatasetorderfunc_t order,
+			  const void *order_arg, unsigned int options,
+			  unsigned int *countp);
+/*%<
+ * Like dns_rdataset_towire(), but sorting the rdatasets according to
+ * the integer value returned by 'order' when called with the rdataset
+ * and 'order_arg' as arguments.
+ *
+ * Requires:
+ *\li	All the requirements of dns_rdataset_towire(), and
+ *	that order_arg is NULL if and only if order is NULL.
+ */
+
+isc_result_t
+dns_rdataset_towirepartial(dns_rdataset_t   *rdataset,
+			   const dns_name_t *owner_name, dns_compress_t *cctx,
+			   isc_buffer_t *target, dns_rdatasetorderfunc_t order,
+			   const void *order_arg, unsigned int options,
+			   unsigned int *countp, void **state);
+/*%<
+ * Like dns_rdataset_towiresorted() except that a partial rdataset
+ * may be written.
+ *
+ * Requires:
+ *\li	All the requirements of dns_rdataset_towiresorted().
+ *	If 'state' is non NULL then the current position in the
+ *	rdataset will be remembered if the rdataset in not
+ *	completely written and should be passed on on subsequent
+ *	calls (NOT CURRENTLY IMPLEMENTED).
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS if all of the records were written.
+ *\li	#ISC_R_NOSPACE if unable to fit in all of the records. *countp
+ *		      will be updated to reflect the number of records
+ *		      written.
+ */
+
+isc_result_t
+dns_rdataset_additionaldata(dns_rdataset_t	    *rdataset,
+			    dns_additionaldatafunc_t add, void *arg);
+/*%<
+ * For each rdata in rdataset, call 'add' for each name and type in the
+ * rdata which is subject to additional section processing.
+ *
+ * Requires:
+ *
+ *\li	'rdataset' is a valid, non-question rdataset.
+ *
+ *\li	'add' is a valid dns_additionaldatafunc_t
+ *
+ * Ensures:
+ *
+ *\li	If successful, dns_rdata_additionaldata() will have been called for
+ *	each rdata in 'rdataset'.
+ *
+ *\li	If a call to dns_rdata_additionaldata() is not successful, the
+ *	result returned will be the result of dns_rdataset_additionaldata().
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *
+ *\li	Any error that dns_rdata_additionaldata() can return.
+ */
+
+isc_result_t
+dns_rdataset_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
+			dns_rdataset_t *neg, dns_rdataset_t *negsig);
+/*%<
+ * Return the noqname proof for this record.
+ *
+ * Requires:
+ *\li	'rdataset' to be valid and #DNS_RDATASETATTR_NOQNAME to be set.
+ *\li	'name' to be valid.
+ *\li	'neg' and 'negsig' to be valid and not associated.
+ */
+
+isc_result_t
+dns_rdataset_addnoqname(dns_rdataset_t *rdataset, dns_name_t *name);
+/*%<
+ * Associate a noqname proof with this record.
+ * Sets #DNS_RDATASETATTR_NOQNAME if successful.
+ * Adjusts the 'rdataset->ttl' to minimum of the 'rdataset->ttl' and
+ * the 'nsec'/'nsec3' and 'rrsig(nsec)'/'rrsig(nsec3)' ttl.
+ *
+ * Requires:
+ *\li	'rdataset' to be valid and #DNS_RDATASETATTR_NOQNAME to be set.
+ *\li	'name' to be valid and have NSEC or NSEC3 and associated RRSIG
+ *	 rdatasets.
+ */
+
+isc_result_t
+dns_rdataset_getclosest(dns_rdataset_t *rdataset, dns_name_t *name,
+			dns_rdataset_t *nsec, dns_rdataset_t *nsecsig);
+/*%<
+ * Return the closest encloser for this record.
+ *
+ * Requires:
+ *\li	'rdataset' to be valid and #DNS_RDATASETATTR_CLOSEST to be set.
+ *\li	'name' to be valid.
+ *\li	'nsec' and 'nsecsig' to be valid and not associated.
+ */
+
+isc_result_t
+dns_rdataset_addclosest(dns_rdataset_t *rdataset, const dns_name_t *name);
+/*%<
+ * Associate a closest encloset proof with this record.
+ * Sets #DNS_RDATASETATTR_CLOSEST if successful.
+ * Adjusts the 'rdataset->ttl' to minimum of the 'rdataset->ttl' and
+ * the 'nsec' and 'rrsig(nsec)' ttl.
+ *
+ * Requires:
+ *\li	'rdataset' to be valid and #DNS_RDATASETATTR_CLOSEST to be set.
+ *\li	'name' to be valid and have NSEC3 and RRSIG(NSEC3) rdatasets.
+ */
+
+void
+dns_rdataset_settrust(dns_rdataset_t *rdataset, dns_trust_t trust);
+/*%<
+ * Set the trust of the 'rdataset' to trust in any in the backing database.
+ * The local trust level of 'rdataset' is also set.
+ */
+
+void
+dns_rdataset_expire(dns_rdataset_t *rdataset);
+/*%<
+ * Mark the rdataset to be expired in the backing database.
+ */
+
+void
+dns_rdataset_clearprefetch(dns_rdataset_t *rdataset);
+/*%<
+ * Clear the PREFETCH attribute for the given rdataset in the
+ * underlying database.
+ *
+ * In the cache database, this signals that the rdataset is not
+ * eligible to be prefetched when the TTL is close to expiring.
+ * It has no function in other databases.
+ */
+
+void
+dns_rdataset_setownercase(dns_rdataset_t *rdataset, const dns_name_t *name);
+/*%<
+ * Store the casing of 'name', the owner name of 'rdataset', into
+ * a bitfield so that the name can be capitalized the same when when
+ * the rdataset is used later. This sets the CASESET attribute.
+ */
+
+void
+dns_rdataset_getownercase(const dns_rdataset_t *rdataset, dns_name_t *name);
+/*%<
+ * If the CASESET attribute is set, retrieve the case bitfield that was
+ * previously stored by dns_rdataset_getownername(), and capitalize 'name'
+ * according to it. If CASESET is not set, do nothing.
+ */
+
+isc_result_t
+dns_rdataset_addglue(dns_rdataset_t *rdataset, dns_dbversion_t *version,
+		     dns_message_t *msg);
+/*%<
+ * Add glue records for rdataset to the additional section of message in
+ * 'msg'. 'rdataset' must be of type NS.
+ *
+ * In case a successful result is not returned, the caller should try to
+ * add glue directly to the message by iterating for additional data.
+ *
+ * Requires:
+ * \li	'rdataset' is a valid NS rdataset.
+ * \li	'version' is the DB version.
+ * \li	'msg' is the DNS message to which the glue should be added.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOTIMPLEMENTED
+ *\li	#ISC_R_FAILURE
+ *\li	Any error that dns_rdata_additionaldata() can return.
+ */
+
+void
+dns_rdataset_trimttl(dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
+		     dns_rdata_rrsig_t *rrsig, isc_stdtime_t now,
+		     bool acceptexpired);
+/*%<
+ * Trim the ttl of 'rdataset' and 'sigrdataset' so that they will expire
+ * at or before 'rrsig->expiretime'.  If 'acceptexpired' is true and the
+ * signature has expired or will expire in the next 120 seconds, limit
+ * the ttl to be no more than 120 seconds.
+ *
+ * The ttl is further limited by the original ttl as stored in 'rrsig'
+ * and the original ttl values of 'rdataset' and 'sigrdataset'.
+ *
+ * Requires:
+ * \li	'rdataset' is a valid rdataset.
+ * \li	'sigrdataset' is a valid rdataset.
+ * \li	'rrsig' is non NULL.
+ */
+
+const char *
+dns_trust_totext(dns_trust_t trust);
+/*%<
+ * Display trust in textual form.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RDATASET_H */
diff --git a/lib/dns/include/dns/rdatasetiter.h b/lib/dns/include/dns/rdatasetiter.h
new file mode 100644
index 0000000..2df4aad
--- /dev/null
+++ b/lib/dns/include/dns/rdatasetiter.h
@@ -0,0 +1,164 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_RDATASETITER_H
+#define DNS_RDATASETITER_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file dns/rdatasetiter.h
+ * \brief
+ * The DNS Rdataset Iterator interface allows iteration of all of the
+ * rdatasets at a node.
+ *
+ * The dns_rdatasetiter_t type is like a "virtual class".  To actually use
+ * it, an implementation of the class is required.  This implementation is
+ * supplied by the database.
+ *
+ * It is the client's responsibility to call dns_rdataset_disassociate()
+ * on all rdatasets returned.
+ *
+ * XXX more XXX
+ *
+ * MP:
+ *\li	The iterator itself is not locked.  The caller must ensure
+ *	synchronization.
+ *
+ *\li	The iterator methods ensure appropriate database locking.
+ *
+ * Reliability:
+ *\li	No anticipated impact.
+ *
+ * Resources:
+ *\li	TBS
+ *
+ * Security:
+ *\li	No anticipated impact.
+ *
+ * Standards:
+ *\li	None.
+ */
+
+/*****
+***** Imports
+*****/
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/stdtime.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*****
+***** Types
+*****/
+
+typedef struct dns_rdatasetitermethods {
+	void (*destroy)(dns_rdatasetiter_t **iteratorp);
+	isc_result_t (*first)(dns_rdatasetiter_t *iterator);
+	isc_result_t (*next)(dns_rdatasetiter_t *iterator);
+	void (*current)(dns_rdatasetiter_t *iterator, dns_rdataset_t *rdataset);
+} dns_rdatasetitermethods_t;
+
+#define DNS_RDATASETITER_MAGIC	  ISC_MAGIC('D', 'N', 'S', 'i')
+#define DNS_RDATASETITER_VALID(i) ISC_MAGIC_VALID(i, DNS_RDATASETITER_MAGIC)
+
+/*%
+ * This structure is actually just the common prefix of a DNS db
+ * implementation's version of a dns_rdatasetiter_t.
+ * \brief
+ * Direct use of this structure by clients is forbidden.  DB implementations
+ * may change the structure.  'magic' must be #DNS_RDATASETITER_MAGIC for
+ * any of the dns_rdatasetiter routines to work.  DB implementations must
+ * maintain all DB rdataset iterator invariants.
+ */
+struct dns_rdatasetiter {
+	/* Unlocked. */
+	unsigned int		   magic;
+	dns_rdatasetitermethods_t *methods;
+	dns_db_t		  *db;
+	dns_dbnode_t		  *node;
+	dns_dbversion_t		  *version;
+	isc_stdtime_t		   now;
+	unsigned int		   options;
+};
+
+void
+dns_rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp);
+/*%<
+ * Destroy '*iteratorp'.
+ *
+ * Requires:
+ *
+ *\li	'*iteratorp' is a valid iterator.
+ *
+ * Ensures:
+ *
+ *\li	All resources used by the iterator are freed.
+ *
+ *\li	*iteratorp == NULL.
+ */
+
+isc_result_t
+dns_rdatasetiter_first(dns_rdatasetiter_t *iterator);
+/*%<
+ * Move the rdataset cursor to the first rdataset at the node (if any).
+ *
+ * Requires:
+ *\li	'iterator' is a valid iterator.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_NOMORE			There are no rdatasets at the node.
+ *
+ *\li	Other results are possible, depending on the DB implementation.
+ */
+
+isc_result_t
+dns_rdatasetiter_next(dns_rdatasetiter_t *iterator);
+/*%<
+ * Move the rdataset cursor to the next rdataset at the node (if any).
+ *
+ * Requires:
+ *\li	'iterator' is a valid iterator.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_NOMORE			There are no more rdatasets at the
+ *					node.
+ *
+ *\li	Other results are possible, depending on the DB implementation.
+ */
+
+void
+dns_rdatasetiter_current(dns_rdatasetiter_t *iterator,
+			 dns_rdataset_t	    *rdataset);
+/*%<
+ * Return the current rdataset.
+ *
+ * Requires:
+ *\li	'iterator' is a valid iterator.
+ *
+ *\li	'rdataset' is a valid, disassociated rdataset.
+ *
+ *\li	The rdataset cursor of 'iterator' is at a valid location (i.e. the
+ *	result of last call to a cursor movement command was #ISC_R_SUCCESS).
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RDATASETITER_H */
diff --git a/lib/dns/include/dns/rdataslab.h b/lib/dns/include/dns/rdataslab.h
new file mode 100644
index 0000000..5a1c30f
--- /dev/null
+++ b/lib/dns/include/dns/rdataslab.h
@@ -0,0 +1,173 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_RDATASLAB_H
+#define DNS_RDATASLAB_H 1
+
+/*! \file dns/rdataslab.h
+ * \brief
+ * Implements storage of rdatasets into slabs of memory.
+ *
+ * MP:
+ *\li	Clients of this module must impose any required synchronization.
+ *
+ * Reliability:
+ *\li	This module deals with low-level byte streams.  Errors in any of
+ *	the functions are likely to crash the server or corrupt memory.
+ *
+ *\li	If the caller passes invalid memory references, these functions are
+ *	likely to crash the server or corrupt memory.
+ *
+ * Resources:
+ *\li	None.
+ *
+ * Security:
+ *\li	None.
+ *
+ * Standards:
+ *\li	None.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+#define DNS_RDATASLAB_FORCE 0x1
+#define DNS_RDATASLAB_EXACT 0x2
+
+#define DNS_RDATASLAB_OFFLINE 0x01 /* RRSIG is for offline DNSKEY */
+#define DNS_RDATASLAB_WARNMASK          \
+	0x0E /*%< RRSIG(DNSKEY) expired \
+	      * warnings number mask. */
+#define DNS_RDATASLAB_WARNSHIFT               \
+	1 /*%< How many bits to shift to find \
+	   * remaining expired warning number. */
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t
+dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
+			   isc_region_t *region, unsigned int reservelen);
+/*%<
+ * Slabify a rdataset.  The slab area will be allocated and returned
+ * in 'region'.
+ *
+ * Requires:
+ *\li	'rdataset' is valid.
+ *
+ * Ensures:
+ *\li	'region' will have base pointing to the start of allocated memory,
+ *	with the slabified region beginning at region->base + reservelen.
+ *	region->length contains the total length allocated.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS		- successful completion
+ *\li	ISC_R_NOMEMORY		- no memory.
+ *\li	XXX others
+ */
+
+unsigned int
+dns_rdataslab_size(unsigned char *slab, unsigned int reservelen);
+/*%<
+ * Return the total size of an rdataslab.
+ *
+ * Requires:
+ *\li	'slab' points to a slab.
+ *
+ * Returns:
+ *\li	The number of bytes in the slab, including the reservelen.
+ */
+
+unsigned int
+dns_rdataslab_rdatasize(unsigned char *slab, unsigned int reservelen);
+/*%<
+ * Return the size of the rdata in an rdataslab.
+ *
+ * Requires:
+ *\li	'slab' points to a slab.
+ */
+
+unsigned int
+dns_rdataslab_count(unsigned char *slab, unsigned int reservelen);
+/*%<
+ * Return the number of records in the rdataslab
+ *
+ * Requires:
+ *\li	'slab' points to a slab.
+ *
+ * Returns:
+ *\li	The number of records in the slab.
+ */
+
+isc_result_t
+dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
+		    unsigned int reservelen, isc_mem_t *mctx,
+		    dns_rdataclass_t rdclass, dns_rdatatype_t type,
+		    unsigned int flags, unsigned char **tslabp);
+/*%<
+ * Merge 'oslab' and 'nslab'.
+ */
+
+isc_result_t
+dns_rdataslab_subtract(unsigned char *mslab, unsigned char *sslab,
+		       unsigned int reservelen, isc_mem_t *mctx,
+		       dns_rdataclass_t rdclass, dns_rdatatype_t type,
+		       unsigned int flags, unsigned char **tslabp);
+/*%<
+ * Subtract 'sslab' from 'mslab'.  If 'exact' is true then all elements
+ * of 'sslab' must exist in 'mslab'.
+ *
+ * XXX
+ * valid flags are DNS_RDATASLAB_EXACT
+ */
+
+bool
+dns_rdataslab_equal(unsigned char *slab1, unsigned char *slab2,
+		    unsigned int reservelen);
+/*%<
+ * Compare two rdataslabs for equality.  This does _not_ do a full
+ * DNSSEC comparison.
+ *
+ * Requires:
+ *\li	'slab1' and 'slab2' point to slabs.
+ *
+ * Returns:
+ *\li	true if the slabs are equal, false otherwise.
+ */
+bool
+dns_rdataslab_equalx(unsigned char *slab1, unsigned char *slab2,
+		     unsigned int reservelen, dns_rdataclass_t rdclass,
+		     dns_rdatatype_t type);
+/*%<
+ * Compare two rdataslabs for DNSSEC equality.
+ *
+ * Requires:
+ *\li	'slab1' and 'slab2' point to slabs.
+ *
+ * Returns:
+ *\li	true if the slabs are equal, #false otherwise.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RDATASLAB_H */
diff --git a/lib/dns/include/dns/rdatatype.h b/lib/dns/include/dns/rdatatype.h
new file mode 100644
index 0000000..008f4da
--- /dev/null
+++ b/lib/dns/include/dns/rdatatype.h
@@ -0,0 +1,97 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_RDATATYPE_H
+#define DNS_RDATATYPE_H 1
+
+/*! \file dns/rdatatype.h */
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_rdatatype_fromtext(dns_rdatatype_t *typep, isc_textregion_t *source);
+/*%<
+ * Convert the text 'source' refers to into a DNS rdata type.
+ *
+ * Requires:
+ *\li	'typep' is a valid pointer.
+ *
+ *\li	'source' is a valid text region.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS			on success
+ *\li	DNS_R_UNKNOWN			type is unknown
+ */
+
+isc_result_t
+dns_rdatatype_totext(dns_rdatatype_t type, isc_buffer_t *target);
+/*%<
+ * Put a textual representation of type 'type' into 'target'.
+ *
+ * Requires:
+ *\li	'type' is a valid type.
+ *
+ *\li	'target' is a valid text buffer.
+ *
+ * Ensures,
+ *	if the result is success:
+ *\li		The used space in 'target' is updated.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS			on success
+ *\li	#ISC_R_NOSPACE			target buffer is too small
+ */
+
+isc_result_t
+dns_rdatatype_tounknowntext(dns_rdatatype_t type, isc_buffer_t *target);
+/*%<
+ * Put textual RFC3597 TYPEXXXX representation of type 'type' into
+ * 'target'.
+ *
+ * Requires:
+ *\li	'type' is a valid type.
+ *
+ *\li	'target' is a valid text buffer.
+ *
+ * Ensures,
+ *	if the result is success:
+ *\li		The used space in 'target' is updated.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS			on success
+ *\li	#ISC_R_NOSPACE			target buffer is too small
+ */
+
+void
+dns_rdatatype_format(dns_rdatatype_t rdtype, char *array, unsigned int size);
+/*%<
+ * Format a human-readable representation of the type 'rdtype'
+ * into the character array 'array', which is of size 'size'.
+ * The resulting string is guaranteed to be null-terminated.
+ */
+
+#define DNS_RDATATYPE_FORMATSIZE sizeof("NSEC3PARAM")
+
+/*%<
+ * Minimum size of array to pass to dns_rdatatype_format().
+ * May need to be adjusted if a new RR type with a very long
+ * name is defined.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RDATATYPE_H */
diff --git a/lib/dns/include/dns/request.h b/lib/dns/include/dns/request.h
new file mode 100644
index 0000000..f745f02
--- /dev/null
+++ b/lib/dns/include/dns/request.h
@@ -0,0 +1,365 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_REQUEST_H
+#define DNS_REQUEST_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file dns/request.h
+ *
+ * \brief
+ * The request module provides simple request/response services useful for
+ * sending SOA queries, DNS Notify messages, and dynamic update requests.
+ *
+ * MP:
+ *\li	The module ensures appropriate synchronization of data structures it
+ *	creates and manipulates.
+ *
+ * Resources:
+ *\li	TBS
+ *
+ * Security:
+ *\li	No anticipated impact.
+ */
+
+#include <stdbool.h>
+
+#include <isc/event.h>
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+#define DNS_REQUESTOPT_TCP     0x00000001U
+#define DNS_REQUESTOPT_CASE    0x00000002U
+#define DNS_REQUESTOPT_FIXEDID 0x00000004U
+#define DNS_REQUESTOPT_SHARE   0x00000008U
+
+typedef struct dns_requestevent {
+	ISC_EVENT_COMMON(struct dns_requestevent);
+	isc_result_t   result;
+	dns_request_t *request;
+} dns_requestevent_t;
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_requestmgr_create(isc_mem_t *mctx, isc_timermgr_t *timermgr,
+		      isc_socketmgr_t *socketmgr, isc_taskmgr_t *taskmgr,
+		      dns_dispatchmgr_t *dispatchmgr,
+		      dns_dispatch_t *dispatchv4, dns_dispatch_t *dispatchv6,
+		      dns_requestmgr_t **requestmgrp);
+/*%<
+ * Create a request manager.
+ *
+ * Requires:
+ *
+ *\li	'mctx' is a valid memory context.
+ *
+ *\li	'timermgr' is a valid timer manager.
+ *
+ *\li	'socketmgr' is a valid socket manager.
+ *
+ *\li	'taskmgr' is a valid task manager.
+ *
+ *\li	'dispatchv4' is a valid dispatcher with an IPv4 UDP socket, or is NULL.
+ *
+ *\li	'dispatchv6' is a valid dispatcher with an IPv6 UDP socket, or is NULL.
+ *
+ *\li	requestmgrp != NULL && *requestmgrp == NULL
+ *
+ * Ensures:
+ *
+ *\li	On success, *requestmgrp is a valid request manager.
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS
+ *
+ *\li	Any other result indicates failure.
+ */
+
+void
+dns_requestmgr_whenshutdown(dns_requestmgr_t *requestmgr, isc_task_t *task,
+			    isc_event_t **eventp);
+/*%<
+ * Send '*eventp' to 'task' when 'requestmgr' has completed shutdown.
+ *
+ * Notes:
+ *
+ *\li	It is not safe to detach the last reference to 'requestmgr' until
+ *	shutdown is complete.
+ *
+ * Requires:
+ *
+ *\li	'requestmgr' is a valid request manager.
+ *
+ *\li	'task' is a valid task.
+ *
+ *\li	*eventp is a valid event.
+ *
+ * Ensures:
+ *
+ *\li	*eventp == NULL.
+ */
+
+void
+dns_requestmgr_shutdown(dns_requestmgr_t *requestmgr);
+/*%<
+ * Start the shutdown process for 'requestmgr'.
+ *
+ * Notes:
+ *
+ *\li	This call has no effect if the request manager is already shutting
+ *	down.
+ *
+ * Requires:
+ *
+ *\li	'requestmgr' is a valid requestmgr.
+ */
+
+void
+dns_requestmgr_attach(dns_requestmgr_t *source, dns_requestmgr_t **targetp);
+/*%<
+ *	Attach to the request manager.  dns_requestmgr_shutdown() must not
+ *	have been called on 'source' prior to calling dns_requestmgr_attach().
+ *
+ * Requires:
+ *
+ *\li	'source' is a valid requestmgr.
+ *
+ *\li	'targetp' to be non NULL and '*targetp' to be NULL.
+ */
+
+void
+dns_requestmgr_detach(dns_requestmgr_t **requestmgrp);
+/*%<
+ *	Detach from the given requestmgr.  If this is the final detach
+ *	requestmgr will be destroyed.  dns_requestmgr_shutdown() must
+ *	be called before the final detach.
+ *
+ * Requires:
+ *
+ *\li	'*requestmgrp' is a valid requestmgr.
+ *
+ * Ensures:
+ *\li	'*requestmgrp' is NULL.
+ */
+
+isc_result_t
+dns_request_create(dns_requestmgr_t *requestmgr, dns_message_t *message,
+		   const isc_sockaddr_t *address, unsigned int options,
+		   dns_tsigkey_t *key, unsigned int timeout, isc_task_t *task,
+		   isc_taskaction_t action, void *arg,
+		   dns_request_t **requestp);
+/*%<
+ * Create and send a request.
+ *
+ * Notes:
+ *
+ *\li	'message' will be rendered and sent to 'address'.  If the
+ *	#DNS_REQUESTOPT_TCP option is set, TCP will be used,
+ *	#DNS_REQUESTOPT_SHARE option is set too, connecting TCP
+ *	(vs. connected) will be shared too.  The request
+ *	will timeout after 'timeout' seconds.
+ *
+ *\li	If the #DNS_REQUESTOPT_CASE option is set, use case sensitive
+ *	compression.
+ *
+ *\li	When the request completes, successfully, due to a timeout, or
+ *	because it was canceled, a completion event will be sent to 'task'.
+ *
+ * Requires:
+ *
+ *\li	'message' is a valid DNS message.
+ *
+ *\li	'address' is a valid sockaddr.
+ *
+ *\li	'timeout' > 0
+ *
+ *\li	'task' is a valid task.
+ *
+ *\li	requestp != NULL && *requestp == NULL
+ */
+
+isc_result_t
+dns_request_createvia(dns_requestmgr_t *requestmgr, dns_message_t *message,
+		      const isc_sockaddr_t *srcaddr,
+		      const isc_sockaddr_t *destaddr, isc_dscp_t dscp,
+		      unsigned int options, dns_tsigkey_t *key,
+		      unsigned int timeout, unsigned int udptimeout,
+		      unsigned int udpretries, isc_task_t *task,
+		      isc_taskaction_t action, void *arg,
+		      dns_request_t **requestp);
+/*%<
+ * Create and send a request.
+ *
+ * Notes:
+ *
+ *\li	'message' will be rendered and sent to 'address'.  If the
+ *	#DNS_REQUESTOPT_TCP option is set, TCP will be used,
+ *	#DNS_REQUESTOPT_SHARE option is set too, connecting TCP
+ *	(vs. connected) will be shared too.  The request
+ *	will timeout after 'timeout' seconds.  UDP requests will be resent
+ *	at 'udptimeout' intervals if non-zero or 'udpretries' is non-zero.
+ *
+ *\li	If the #DNS_REQUESTOPT_CASE option is set, use case sensitive
+ *	compression.
+ *
+ *\li	When the request completes, successfully, due to a timeout, or
+ *	because it was canceled, a completion event will be sent to 'task'.
+ *
+ * Requires:
+ *
+ *\li	'message' is a valid DNS message.
+ *
+ *\li	'dstaddr' is a valid sockaddr.
+ *
+ *\li	'srcaddr' is a valid sockaddr or NULL.
+ *
+ *\li	'srcaddr' and 'dstaddr' are the same protocol family.
+ *
+ *\li	'timeout' > 0
+ *
+ *\li	'task' is a valid task.
+ *
+ *\li	requestp != NULL && *requestp == NULL
+ */
+
+isc_result_t
+dns_request_createraw(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
+		      const isc_sockaddr_t *srcaddr,
+		      const isc_sockaddr_t *destaddr, isc_dscp_t dscp,
+		      unsigned int options, unsigned int timeout,
+		      unsigned int udptimeout, unsigned int udpretries,
+		      isc_task_t *task, isc_taskaction_t action, void *arg,
+		      dns_request_t **requestp);
+/*!<
+ * \brief Create and send a request.
+ *
+ * Notes:
+ *
+ *\li	'msgbuf' will be sent to 'destaddr' after setting the id.  If the
+ *	#DNS_REQUESTOPT_TCP option is set, TCP will be used,
+ *	#DNS_REQUESTOPT_SHARE option is set too, connecting TCP
+ *	(vs. connected) will be shared too.  The request
+ *	will timeout after 'timeout' seconds.   UDP requests will be resent
+ *	at 'udptimeout' intervals if non-zero or if 'udpretries' is not zero.
+ *
+ *\li	When the request completes, successfully, due to a timeout, or
+ *	because it was canceled, a completion event will be sent to 'task'.
+ *
+ * Requires:
+ *
+ *\li	'msgbuf' is a valid DNS message in compressed wire format.
+ *
+ *\li	'destaddr' is a valid sockaddr.
+ *
+ *\li	'srcaddr' is a valid sockaddr or NULL.
+ *
+ *\li	'srcaddr' and 'dstaddr' are the same protocol family.
+ *
+ *\li	'timeout' > 0
+ *
+ *\li	'task' is a valid task.
+ *
+ *\li	requestp != NULL && *requestp == NULL
+ */
+
+void
+dns_request_cancel(dns_request_t *request);
+/*%<
+ * Cancel 'request'.
+ *
+ * Requires:
+ *
+ *\li	'request' is a valid request.
+ *
+ * Ensures:
+ *
+ *\li	If the completion event for 'request' has not yet been sent, it
+ *	will be sent, and the result code will be ISC_R_CANCELED.
+ */
+
+isc_result_t
+dns_request_getresponse(dns_request_t *request, dns_message_t *message,
+			unsigned int options);
+/*%<
+ * Get the response to 'request' by filling in 'message'.
+ *
+ * 'options' is passed to dns_message_parse().  See dns_message_parse()
+ * for more details.
+ *
+ * Requires:
+ *
+ *\li	'request' is a valid request for which the caller has received the
+ *	completion event.
+ *
+ *\li	The result code of the completion event was #ISC_R_SUCCESS.
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS
+ *
+ *\li	Any result that dns_message_parse() can return.
+ */
+isc_buffer_t *
+dns_request_getanswer(dns_request_t *request);
+/*
+ * Get the response to 'request' as a buffer.
+ *
+ * Requires:
+ *
+ *\li	'request' is a valid request for which the caller has received the
+ *	completion event.
+ *
+ * Returns:
+ *
+ *\li	a pointer to the answer buffer.
+ */
+
+bool
+dns_request_usedtcp(dns_request_t *request);
+/*%<
+ * Return whether this query used TCP or not.  Setting #DNS_REQUESTOPT_TCP
+ * in the call to dns_request_create() will cause the function to return
+ * #true, otherwise the result is based on the query message size.
+ *
+ * Requires:
+ *\li	'request' is a valid request.
+ *
+ * Returns:
+ *\li	true	if TCP was used.
+ *\li	false	if UDP was used.
+ */
+
+void
+dns_request_destroy(dns_request_t **requestp);
+/*%<
+ * Destroy 'request'.
+ *
+ * Requires:
+ *
+ *\li	'request' is a valid request for which the caller has received the
+ *	completion event.
+ *
+ * Ensures:
+ *
+ *\li	*requestp == NULL
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_REQUEST_H */
diff --git a/lib/dns/include/dns/resolver.h b/lib/dns/include/dns/resolver.h
new file mode 100644
index 0000000..22ad9df
--- /dev/null
+++ b/lib/dns/include/dns/resolver.h
@@ -0,0 +1,747 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_RESOLVER_H
+#define DNS_RESOLVER_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file dns/resolver.h
+ *
+ * \brief
+ * This is the BIND 9 resolver, the module responsible for resolving DNS
+ * requests by iteratively querying authoritative servers and following
+ * referrals.  This is a "full resolver", not to be confused with
+ * the stub resolvers most people associate with the word "resolver".
+ * The full resolver is part of the caching name server or resolver
+ * daemon the stub resolver talks to.
+ *
+ * MP:
+ *\li	The module ensures appropriate synchronization of data structures it
+ *	creates and manipulates.
+ *
+ * Reliability:
+ *\li	No anticipated impact.
+ *
+ * Resources:
+ *\li	TBS
+ *
+ * Security:
+ *\li	No anticipated impact.
+ *
+ * Standards:
+ *\li	RFCs:	1034, 1035, 2181, TBS
+ *\li	Drafts:	TBS
+ */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/socket.h>
+#include <isc/stats.h>
+
+#include <dns/fixedname.h>
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*%
+ * A dns_fetchevent_t is sent when a 'fetch' completes.  Any of 'db',
+ * 'node', 'rdataset', and 'sigrdataset' may be bound.  It is the
+ * receiver's responsibility to detach before freeing the event.
+ * \brief
+ * 'rdataset', 'sigrdataset', 'client' and 'id' are the values that were
+ * supplied when dns_resolver_createfetch() was called.  They are returned
+ *  to the caller so that they may be freed.
+ */
+typedef struct dns_fetchevent {
+	ISC_EVENT_COMMON(struct dns_fetchevent);
+	dns_fetch_t	     *fetch;
+	isc_result_t	      result;
+	dns_rdatatype_t	      qtype;
+	dns_db_t	     *db;
+	dns_dbnode_t	     *node;
+	dns_rdataset_t	     *rdataset;
+	dns_rdataset_t	     *sigrdataset;
+	dns_fixedname_t	      foundname;
+	const isc_sockaddr_t *client;
+	dns_messageid_t	      id;
+	isc_result_t	      vresult;
+} dns_fetchevent_t;
+
+/*%
+ * The two quota types (fetches-per-zone and fetches-per-server)
+ */
+typedef enum { dns_quotatype_zone = 0, dns_quotatype_server } dns_quotatype_t;
+
+/*
+ * Options that modify how a 'fetch' is done.
+ */
+#define DNS_FETCHOPT_TCP	 0x00000001 /*%< Use TCP. */
+#define DNS_FETCHOPT_UNSHARED	 0x00000002 /*%< See below. */
+#define DNS_FETCHOPT_RECURSIVE	 0x00000004 /*%< Set RD? */
+#define DNS_FETCHOPT_NOEDNS0	 0x00000008 /*%< Do not use EDNS. */
+#define DNS_FETCHOPT_FORWARDONLY 0x00000010 /*%< Only use forwarders. */
+#define DNS_FETCHOPT_NOVALIDATE	 0x00000020 /*%< Disable validation. */
+#define DNS_FETCHOPT_EDNS512                                       \
+	0x00000040			 /*%< Advertise a 512 byte \
+					  *   UDP buffer. */
+#define DNS_FETCHOPT_WANTNSID 0x00000080 /*%< Request NSID */
+#define DNS_FETCHOPT_PREFETCH 0x00000100 /*%< Do prefetch */
+#define DNS_FETCHOPT_NOCDFLAG 0x00000200 /*%< Don't set CD flag. */
+#define DNS_FETCHOPT_NONTA    0x00000400 /*%< Ignore NTA table. */
+/* RESERVED ECS				0x00000000 */
+/* RESERVED ECS				0x00001000 */
+/* RESERVED ECS				0x00002000 */
+/* RESERVED TCPCLIENT			0x00004000 */
+#define DNS_FETCHOPT_NOCACHED 0x00008000 /*%< Force cache update. */
+#define DNS_FETCHOPT_QMINIMIZE    \
+	0x00010000 /*%< Use qname \
+		    *    minimization. */
+#define DNS_FETCHOPT_NOFOLLOW        \
+	0x00020000 /*%< Don't follow \
+		    *   delegations */
+#define DNS_FETCHOPT_QMIN_STRICT            \
+	0x00040000 /*%< Do not work around  \
+		    *   servers that return \
+		    *   errors on non-empty \
+		    *   terminals. */
+#define DNS_FETCHOPT_QMIN_USE_A            \
+	0x00080000 /*%< Use A type queries \
+		    *   instead of NS when \
+		    *   doing minimization */
+#define DNS_FETCHOPT_QMIN_SKIP_IP6A      \
+	0x00100000 /*%< Skip some labels \
+		    *   when doing qname \
+		    *   minimization on  \
+		    *   ip6.arpa. */
+#define DNS_FETCHOPT_NOFORWARD                \
+	0x00200000 /*%< Do not use forwarders \
+		    *   if possible. */
+
+/* Reserved in use by adb.c		0x00400000 */
+#define DNS_FETCHOPT_EDNSVERSIONSET	0x00800000
+#define DNS_FETCHOPT_EDNSVERSIONMASK	0xff000000
+#define DNS_FETCHOPT_EDNSVERSIONSHIFT	24
+#define DNS_FETCHOPT_TRYSTALE_ONTIMEOUT 0x01000000
+
+/*
+ * Upper bounds of class of query RTT (ms).  Corresponds to
+ * dns_resstatscounter_queryrttX statistics counters.
+ */
+#define DNS_RESOLVER_QRYRTTCLASS0    10
+#define DNS_RESOLVER_QRYRTTCLASS0STR "10"
+#define DNS_RESOLVER_QRYRTTCLASS1    100
+#define DNS_RESOLVER_QRYRTTCLASS1STR "100"
+#define DNS_RESOLVER_QRYRTTCLASS2    500
+#define DNS_RESOLVER_QRYRTTCLASS2STR "500"
+#define DNS_RESOLVER_QRYRTTCLASS3    800
+#define DNS_RESOLVER_QRYRTTCLASS3STR "800"
+#define DNS_RESOLVER_QRYRTTCLASS4    1600
+#define DNS_RESOLVER_QRYRTTCLASS4STR "1600"
+
+/*
+ * XXXRTH  Should this API be made semi-private?  (I.e.
+ * _dns_resolver_create()).
+ */
+
+#define DNS_RESOLVER_CHECKNAMES	    0x01
+#define DNS_RESOLVER_CHECKNAMESFAIL 0x02
+
+#define DNS_QMIN_MAXLABELS	   7
+#define DNS_QMIN_MAX_NO_DELEGATION 3
+#define DNS_MAX_LABELS		   127
+
+isc_result_t
+dns_resolver_create(dns_view_t *view, isc_taskmgr_t *taskmgr,
+		    unsigned int ntasks, unsigned int ndisp,
+		    isc_socketmgr_t *socketmgr, isc_timermgr_t *timermgr,
+		    unsigned int options, dns_dispatchmgr_t *dispatchmgr,
+		    dns_dispatch_t *dispatchv4, dns_dispatch_t *dispatchv6,
+		    dns_resolver_t **resp);
+
+/*%<
+ * Create a resolver.
+ *
+ * Notes:
+ *
+ *\li	Generally, applications should not create a resolver directly, but
+ *	should instead call dns_view_createresolver().
+ *
+ * Requires:
+ *
+ *\li	'view' is a valid view.
+ *
+ *\li	'taskmgr' is a valid task manager.
+ *
+ *\li	'ntasks' > 0.
+ *
+ *\li	'socketmgr' is a valid socket manager.
+ *
+ *\li	'timermgr' is a valid timer manager.
+ *
+ *\li	'dispatchv4' is a dispatch with an IPv4 UDP socket, or is NULL.
+ *	If not NULL, 'ndisp' clones of it will be created by the resolver.
+ *
+ *\li	'dispatchv6' is a dispatch with an IPv6 UDP socket, or is NULL.
+ *	If not NULL, 'ndisp' clones of it will be created by the resolver.
+ *
+ *\li	resp != NULL && *resp == NULL.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS				On success.
+ *
+ *\li	Anything else				Failure.
+ */
+
+void
+dns_resolver_freeze(dns_resolver_t *res);
+/*%<
+ * Freeze resolver.
+ *
+ * Notes:
+ *
+ *\li	Certain configuration changes cannot be made after the resolver
+ *	is frozen.  Fetches cannot be created until the resolver is frozen.
+ *
+ * Requires:
+ *
+ *\li	'res' is a valid resolver.
+ *
+ * Ensures:
+ *
+ *\li	'res' is frozen.
+ */
+
+void
+dns_resolver_prime(dns_resolver_t *res);
+/*%<
+ * Prime resolver.
+ *
+ * Notes:
+ *
+ *\li	Resolvers which have a forwarding policy other than dns_fwdpolicy_only
+ *	need to be primed with the root nameservers, otherwise the root
+ *	nameserver hints data may be used indefinitely.  This function requests
+ *	that the resolver start a priming fetch, if it isn't already priming.
+ *
+ * Requires:
+ *
+ *\li	'res' is a valid, frozen resolver.
+ */
+
+void
+dns_resolver_whenshutdown(dns_resolver_t *res, isc_task_t *task,
+			  isc_event_t **eventp);
+/*%<
+ * Send '*eventp' to 'task' when 'res' has completed shutdown.
+ *
+ * Notes:
+ *
+ *\li	It is not safe to detach the last reference to 'res' until
+ *	shutdown is complete.
+ *
+ * Requires:
+ *
+ *\li	'res' is a valid resolver.
+ *
+ *\li	'task' is a valid task.
+ *
+ *\li	*eventp is a valid event.
+ *
+ * Ensures:
+ *
+ *\li	*eventp == NULL.
+ */
+
+void
+dns_resolver_shutdown(dns_resolver_t *res);
+/*%<
+ * Start the shutdown process for 'res'.
+ *
+ * Notes:
+ *
+ *\li	This call has no effect if the resolver is already shutting down.
+ *
+ * Requires:
+ *
+ *\li	'res' is a valid resolver.
+ */
+
+void
+dns_resolver_attach(dns_resolver_t *source, dns_resolver_t **targetp);
+
+void
+dns_resolver_detach(dns_resolver_t **resp);
+
+isc_result_t
+dns_resolver_createfetch(dns_resolver_t *res, const dns_name_t *name,
+			 dns_rdatatype_t type, const dns_name_t *domain,
+			 dns_rdataset_t	      *nameservers,
+			 dns_forwarders_t     *forwarders,
+			 const isc_sockaddr_t *client, dns_messageid_t id,
+			 unsigned int options, unsigned int depth,
+			 isc_counter_t *qc, isc_task_t *task,
+			 isc_taskaction_t action, void *arg,
+			 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
+			 dns_fetch_t **fetchp);
+/*%<
+ * Recurse to answer a question.
+ *
+ * Notes:
+ *
+ *\li	This call starts a query for 'name', type 'type'.
+ *
+ *\li	The 'domain' is a parent domain of 'name' for which
+ *	a set of name servers 'nameservers' is known.  If no
+ *	such name server information is available, set
+ * 	'domain' and 'nameservers' to NULL.
+ *
+ *\li	'forwarders' is unimplemented, and subject to change when
+ *	we figure out how selective forwarding will work.
+ *
+ *\li	When the fetch completes (successfully or otherwise), a
+ *	#DNS_EVENT_FETCHDONE event with action 'action' and arg 'arg' will be
+ *	posted to 'task'.
+ *
+ *\li	The values of 'rdataset' and 'sigrdataset' will be returned in
+ *	the FETCHDONE event.
+ *
+ *\li	'client' and 'id' are used for duplicate query detection.  '*client'
+ *	must remain stable until after 'action' has been called or
+ *	dns_resolver_cancelfetch() is called.
+ *
+ * Requires:
+ *
+ *\li	'res' is a valid resolver that has been frozen.
+ *
+ *\li	'name' is a valid name.
+ *
+ *\li	'type' is not a meta type other than ANY.
+ *
+ *\li	'domain' is a valid name or NULL.
+ *
+ *\li	'nameservers' is a valid NS rdataset (whose owner name is 'domain')
+ *	iff. 'domain' is not NULL.
+ *
+ *\li	'forwarders' is NULL.
+ *
+ *\li	'client' is a valid sockaddr or NULL.
+ *
+ *\li	'options' contains valid options.
+ *
+ *\li	'rdataset' is a valid, disassociated rdataset.
+ *
+ *\li	'sigrdataset' is NULL, or is a valid, disassociated rdataset.
+ *
+ *\li	fetchp != NULL && *fetchp == NULL.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS					Success
+ *\li	#DNS_R_DUPLICATE
+ *\li	#DNS_R_DROP
+ *
+ *\li	Many other values are possible, all of which indicate failure.
+ */
+
+void
+dns_resolver_cancelfetch(dns_fetch_t *fetch);
+/*%<
+ * Cancel 'fetch'.
+ *
+ * Notes:
+ *
+ *\li	If 'fetch' has not completed, post its FETCHDONE event with a
+ *	result code of #ISC_R_CANCELED.
+ *
+ * Requires:
+ *
+ *\li	'fetch' is a valid fetch.
+ */
+
+void
+dns_resolver_destroyfetch(dns_fetch_t **fetchp);
+/*%<
+ * Destroy 'fetch'.
+ *
+ * Requires:
+ *
+ *\li	'*fetchp' is a valid fetch.
+ *
+ *\li	The caller has received the FETCHDONE event (either because the
+ *	fetch completed or because dns_resolver_cancelfetch() was called).
+ *
+ * Ensures:
+ *
+ *\li	*fetchp == NULL.
+ */
+
+void
+dns_resolver_logfetch(dns_fetch_t *fetch, isc_log_t *lctx,
+		      isc_logcategory_t *category, isc_logmodule_t *module,
+		      int level, bool duplicateok);
+/*%<
+ * Dump a log message on internal state at the completion of given 'fetch'.
+ * 'lctx', 'category', 'module', and 'level' are used to write the log message.
+ * By default, only one log message is written even if the corresponding fetch
+ * context serves multiple clients; if 'duplicateok' is true the suppression
+ * is disabled and the message can be written every time this function is
+ * called.
+ *
+ * Requires:
+ *
+ *\li	'fetch' is a valid fetch, and has completed.
+ */
+
+dns_dispatchmgr_t *
+dns_resolver_dispatchmgr(dns_resolver_t *resolver);
+
+dns_dispatch_t *
+dns_resolver_dispatchv4(dns_resolver_t *resolver);
+
+dns_dispatch_t *
+dns_resolver_dispatchv6(dns_resolver_t *resolver);
+
+isc_socketmgr_t *
+dns_resolver_socketmgr(dns_resolver_t *resolver);
+
+isc_taskmgr_t *
+dns_resolver_taskmgr(dns_resolver_t *resolver);
+
+uint32_t
+dns_resolver_getlamettl(dns_resolver_t *resolver);
+/*%<
+ * Get the resolver's lame-ttl.  zero => no lame processing.
+ *
+ * Requires:
+ *\li	'resolver' to be valid.
+ */
+
+void
+dns_resolver_setlamettl(dns_resolver_t *resolver, uint32_t lame_ttl);
+/*%<
+ * Set the resolver's lame-ttl.  zero => no lame processing.
+ *
+ * Requires:
+ *\li	'resolver' to be valid.
+ */
+
+isc_result_t
+dns_resolver_addalternate(dns_resolver_t *resolver, const isc_sockaddr_t *alt,
+			  const dns_name_t *name, in_port_t port);
+/*%<
+ * Add alternate addresses to be tried in the event that the nameservers
+ * for a zone are not available in the address families supported by the
+ * operating system.
+ *
+ * Require:
+ * \li	only one of 'name' or 'alt' to be valid.
+ */
+
+void
+dns_resolver_setudpsize(dns_resolver_t *resolver, uint16_t udpsize);
+/*%<
+ * Set the EDNS UDP buffer size advertised by the server.
+ */
+
+uint16_t
+dns_resolver_getudpsize(dns_resolver_t *resolver);
+/*%<
+ * Get the current EDNS UDP buffer size.
+ */
+
+void
+dns_resolver_reset_algorithms(dns_resolver_t *resolver);
+/*%<
+ * Clear the disabled DNSSEC algorithms.
+ */
+
+void
+dns_resolver_reset_ds_digests(dns_resolver_t *resolver);
+/*%<
+ * Clear the disabled DS digest types.
+ */
+
+isc_result_t
+dns_resolver_disable_algorithm(dns_resolver_t *resolver, const dns_name_t *name,
+			       unsigned int alg);
+/*%<
+ * Mark the given DNSSEC algorithm as disabled and below 'name'.
+ * Valid algorithms are less than 256.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_RANGE
+ *\li	#ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_resolver_disable_ds_digest(dns_resolver_t *resolver, const dns_name_t *name,
+			       unsigned int digest_type);
+/*%<
+ * Mark the given DS digest type as disabled and below 'name'.
+ * Valid types are less than 256.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_RANGE
+ *\li	#ISC_R_NOMEMORY
+ */
+
+bool
+dns_resolver_algorithm_supported(dns_resolver_t	  *resolver,
+				 const dns_name_t *name, unsigned int alg);
+/*%<
+ * Check if the given algorithm is supported by this resolver.
+ * This checks whether the algorithm has been disabled via
+ * dns_resolver_disable_algorithm(), then checks the underlying
+ * crypto libraries if it was not specifically disabled.
+ */
+
+bool
+dns_resolver_ds_digest_supported(dns_resolver_t	  *resolver,
+				 const dns_name_t *name,
+				 unsigned int	   digest_type);
+/*%<
+ * Check if the given digest type is supported by this resolver.
+ * This checks whether the digest type has been disabled via
+ * dns_resolver_disable_ds_digest(), then checks the underlying
+ * crypto libraries if it was not specifically disabled.
+ */
+
+void
+dns_resolver_resetmustbesecure(dns_resolver_t *resolver);
+
+isc_result_t
+dns_resolver_setmustbesecure(dns_resolver_t *resolver, const dns_name_t *name,
+			     bool value);
+
+bool
+dns_resolver_getmustbesecure(dns_resolver_t *resolver, const dns_name_t *name);
+
+void
+dns_resolver_settimeout(dns_resolver_t *resolver, unsigned int timeout);
+/*%<
+ * Set the length of time the resolver will work on a query, in milliseconds.
+ *
+ * 'timeout' was originally defined in seconds, and later redefined to be in
+ * milliseconds.  Values less than or equal to 300 are treated as seconds.
+ *
+ * If timeout is 0, the default timeout will be applied.
+ *
+ * Requires:
+ * \li  resolver to be valid.
+ */
+
+unsigned int
+dns_resolver_gettimeout(dns_resolver_t *resolver);
+/*%<
+ * Get the current length of time the resolver will work on a query,
+ * in milliseconds.
+ *
+ * Requires:
+ * \li  resolver to be valid.
+ */
+
+void
+dns_resolver_setclientsperquery(dns_resolver_t *resolver, uint32_t min,
+				uint32_t max);
+void
+dns_resolver_setfetchesperzone(dns_resolver_t *resolver, uint32_t clients);
+
+void
+dns_resolver_getclientsperquery(dns_resolver_t *resolver, uint32_t *cur,
+				uint32_t *min, uint32_t *max);
+
+bool
+dns_resolver_getzeronosoattl(dns_resolver_t *resolver);
+
+void
+dns_resolver_setzeronosoattl(dns_resolver_t *resolver, bool state);
+
+unsigned int
+dns_resolver_getretryinterval(dns_resolver_t *resolver);
+
+void
+dns_resolver_setretryinterval(dns_resolver_t *resolver, unsigned int interval);
+/*%<
+ * Sets the amount of time, in milliseconds, that is waited for a reply
+ * to a server before another server is tried.  Interacts with the
+ * value of dns_resolver_getnonbackofftries() by trying that number of times
+ * at this interval, before doing exponential backoff and doubling the interval
+ * on each subsequent try, to a maximum of 10 seconds.  Defaults to 800 ms;
+ * silently capped at 2000 ms.
+ *
+ * Requires:
+ * \li	resolver to be valid.
+ * \li  interval > 0.
+ */
+
+unsigned int
+dns_resolver_getnonbackofftries(dns_resolver_t *resolver);
+
+void
+dns_resolver_setnonbackofftries(dns_resolver_t *resolver, unsigned int tries);
+/*%<
+ * Sets the number of failures of getting a reply from remote servers for
+ * a query before backing off by doubling the retry interval for each
+ * subsequent request sent.  Defaults to 3.
+ *
+ * Requires:
+ * \li	resolver to be valid.
+ * \li  tries > 0.
+ */
+
+unsigned int
+dns_resolver_getoptions(dns_resolver_t *resolver);
+/*%<
+ * Get the resolver options.
+ *
+ * Requires:
+ * \li	resolver to be valid.
+ */
+
+void
+dns_resolver_addbadcache(dns_resolver_t *resolver, const dns_name_t *name,
+			 dns_rdatatype_t type, isc_time_t *expire);
+/*%<
+ * Add a entry to the bad cache for <name,type> that will expire at 'expire'.
+ *
+ * Requires:
+ * \li	resolver to be valid.
+ * \li	name to be valid.
+ */
+
+bool
+dns_resolver_getbadcache(dns_resolver_t *resolver, const dns_name_t *name,
+			 dns_rdatatype_t type, isc_time_t *now);
+/*%<
+ * Check to see if there is a unexpired entry in the bad cache for
+ * <name,type>.
+ *
+ * Requires:
+ * \li	resolver to be valid.
+ * \li	name to be valid.
+ */
+
+void
+dns_resolver_flushbadcache(dns_resolver_t *resolver, const dns_name_t *name);
+/*%<
+ * Flush the bad cache of all entries at 'name' if 'name' is non NULL.
+ * Flush the entire bad cache if 'name' is NULL.
+ *
+ * Requires:
+ * \li	resolver to be valid.
+ */
+
+void
+dns_resolver_flushbadnames(dns_resolver_t *resolver, const dns_name_t *name);
+/*%<
+ * Flush the bad cache of all entries at or below 'name'.
+ *
+ * Requires:
+ * \li	resolver to be valid.
+ * \li  name != NULL
+ */
+
+void
+dns_resolver_printbadcache(dns_resolver_t *resolver, FILE *fp);
+/*%
+ * Print out the contents of the bad cache to 'fp'.
+ *
+ * Requires:
+ * \li	resolver to be valid.
+ */
+
+void
+dns_resolver_setquerydscp4(dns_resolver_t *resolver, isc_dscp_t dscp);
+isc_dscp_t
+dns_resolver_getquerydscp4(dns_resolver_t *resolver);
+
+void
+dns_resolver_setquerydscp6(dns_resolver_t *resolver, isc_dscp_t dscp);
+isc_dscp_t
+dns_resolver_getquerydscp6(dns_resolver_t *resolver);
+/*%
+ * Get and set the DSCP values for the resolver's IPv4 and IPV6 query
+ * sources.
+ *
+ * Requires:
+ * \li	resolver to be valid.
+ */
+
+void
+dns_resolver_setmaxdepth(dns_resolver_t *resolver, unsigned int maxdepth);
+unsigned int
+dns_resolver_getmaxdepth(dns_resolver_t *resolver);
+/*%
+ * Get and set how many NS indirections will be followed when looking for
+ * nameserver addresses.
+ *
+ * Requires:
+ * \li	resolver to be valid.
+ */
+
+void
+dns_resolver_setmaxqueries(dns_resolver_t *resolver, unsigned int queries);
+unsigned int
+dns_resolver_getmaxqueries(dns_resolver_t *resolver);
+/*%
+ * Get and set how many iterative queries will be allowed before
+ * terminating a recursive query.
+ *
+ * Requires:
+ * \li	resolver to be valid.
+ */
+
+void
+dns_resolver_setquotaresponse(dns_resolver_t *resolver, dns_quotatype_t which,
+			      isc_result_t resp);
+isc_result_t
+dns_resolver_getquotaresponse(dns_resolver_t *resolver, dns_quotatype_t which);
+/*%
+ * Get and set the result code that will be used when quotas
+ * are exceeded. If 'which' is set to quotatype "zone", then the
+ * result specified in 'resp' will be used when the fetches-per-zone
+ * quota is exceeded by a fetch.  If 'which' is set to quotatype "server",
+ * then the result specified in 'resp' will be used when the
+ * fetches-per-server quota has been exceeded for all the
+ * authoritative servers for a zone.  Valid choices are
+ * DNS_R_DROP or DNS_R_SERVFAIL.
+ *
+ * Requires:
+ * \li	'resolver' to be valid.
+ * \li	'which' to be dns_quotatype_zone or dns_quotatype_server
+ * \li	'resp' to be DNS_R_DROP or DNS_R_SERVFAIL.
+ */
+
+void
+dns_resolver_dumpfetches(dns_resolver_t *resolver, isc_statsformat_t format,
+			 FILE *fp);
+
+#ifdef ENABLE_AFL
+/*%
+ * Enable fuzzing of resolver, changes behaviour and eliminates retries
+ */
+void
+dns_resolver_setfuzzing(void);
+#endif /* ifdef ENABLE_AFL */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RESOLVER_H */
diff --git a/lib/dns/include/dns/result.h b/lib/dns/include/dns/result.h
new file mode 100644
index 0000000..0ec874b
--- /dev/null
+++ b/lib/dns/include/dns/result.h
@@ -0,0 +1,212 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_RESULT_H
+#define DNS_RESULT_H 1
+
+/*! \file dns/result.h */
+
+#include <isc/lang.h>
+#include <isc/resultclass.h>
+
+#include <dns/types.h>
+
+/*
+ * Nothing in this file truly depends on <isc/result.h>, but the
+ * DNS result codes are considered to be publicly derived from
+ * the ISC result codes, so including this file buys you the ISC_R_
+ * namespace too.
+ */
+#include <isc/result.h> /* Contractual promise. */
+
+/*
+ * DNS library result codes
+ */
+#define DNS_R_LABELTOOLONG (ISC_RESULTCLASS_DNS + 0)
+#define DNS_R_BADESCAPE	   (ISC_RESULTCLASS_DNS + 1)
+/*
+ * Since we dropped the support of bitstring labels, deprecate the related
+ * result codes too.
+ *
+ #define DNS_R_BADBITSTRING		(ISC_RESULTCLASS_DNS + 2)
+ #define DNS_R_BITSTRINGTOOLONG		(ISC_RESULTCLASS_DNS + 3)
+ */
+#define DNS_R_EMPTYLABEL	(ISC_RESULTCLASS_DNS + 4)
+#define DNS_R_BADDOTTEDQUAD	(ISC_RESULTCLASS_DNS + 5)
+#define DNS_R_INVALIDNS		(ISC_RESULTCLASS_DNS + 6)
+#define DNS_R_UNKNOWN		(ISC_RESULTCLASS_DNS + 7)
+#define DNS_R_BADLABELTYPE	(ISC_RESULTCLASS_DNS + 8)
+#define DNS_R_BADPOINTER	(ISC_RESULTCLASS_DNS + 9)
+#define DNS_R_TOOMANYHOPS	(ISC_RESULTCLASS_DNS + 10)
+#define DNS_R_DISALLOWED	(ISC_RESULTCLASS_DNS + 11)
+#define DNS_R_EXTRATOKEN	(ISC_RESULTCLASS_DNS + 12)
+#define DNS_R_EXTRADATA		(ISC_RESULTCLASS_DNS + 13)
+#define DNS_R_TEXTTOOLONG	(ISC_RESULTCLASS_DNS + 14)
+#define DNS_R_NOTZONETOP	(ISC_RESULTCLASS_DNS + 15)
+#define DNS_R_SYNTAX		(ISC_RESULTCLASS_DNS + 16)
+#define DNS_R_BADCKSUM		(ISC_RESULTCLASS_DNS + 17)
+#define DNS_R_BADAAAA		(ISC_RESULTCLASS_DNS + 18)
+#define DNS_R_NOOWNER		(ISC_RESULTCLASS_DNS + 19)
+#define DNS_R_NOTTL		(ISC_RESULTCLASS_DNS + 20)
+#define DNS_R_BADCLASS		(ISC_RESULTCLASS_DNS + 21)
+#define DNS_R_NAMETOOLONG	(ISC_RESULTCLASS_DNS + 22)
+#define DNS_R_PARTIALMATCH	(ISC_RESULTCLASS_DNS + 23)
+#define DNS_R_NEWORIGIN		(ISC_RESULTCLASS_DNS + 24)
+#define DNS_R_UNCHANGED		(ISC_RESULTCLASS_DNS + 25)
+#define DNS_R_BADTTL		(ISC_RESULTCLASS_DNS + 26)
+#define DNS_R_NOREDATA		(ISC_RESULTCLASS_DNS + 27)
+#define DNS_R_CONTINUE		(ISC_RESULTCLASS_DNS + 28)
+#define DNS_R_DELEGATION	(ISC_RESULTCLASS_DNS + 29)
+#define DNS_R_GLUE		(ISC_RESULTCLASS_DNS + 30)
+#define DNS_R_DNAME		(ISC_RESULTCLASS_DNS + 31)
+#define DNS_R_CNAME		(ISC_RESULTCLASS_DNS + 32)
+#define DNS_R_BADDB		(ISC_RESULTCLASS_DNS + 33)
+#define DNS_R_ZONECUT		(ISC_RESULTCLASS_DNS + 34)
+#define DNS_R_BADZONE		(ISC_RESULTCLASS_DNS + 35)
+#define DNS_R_MOREDATA		(ISC_RESULTCLASS_DNS + 36)
+#define DNS_R_UPTODATE		(ISC_RESULTCLASS_DNS + 37)
+#define DNS_R_TSIGVERIFYFAILURE (ISC_RESULTCLASS_DNS + 38)
+#define DNS_R_TSIGERRORSET	(ISC_RESULTCLASS_DNS + 39)
+#define DNS_R_SIGINVALID	(ISC_RESULTCLASS_DNS + 40)
+#define DNS_R_SIGEXPIRED	(ISC_RESULTCLASS_DNS + 41)
+#define DNS_R_SIGFUTURE		(ISC_RESULTCLASS_DNS + 42)
+#define DNS_R_KEYUNAUTHORIZED	(ISC_RESULTCLASS_DNS + 43)
+#define DNS_R_INVALIDTIME	(ISC_RESULTCLASS_DNS + 44)
+#define DNS_R_EXPECTEDTSIG	(ISC_RESULTCLASS_DNS + 45)
+#define DNS_R_UNEXPECTEDTSIG	(ISC_RESULTCLASS_DNS + 46)
+#define DNS_R_INVALIDTKEY	(ISC_RESULTCLASS_DNS + 47)
+#define DNS_R_HINT		(ISC_RESULTCLASS_DNS + 48)
+#define DNS_R_DROP		(ISC_RESULTCLASS_DNS + 49)
+#define DNS_R_NOTLOADED		(ISC_RESULTCLASS_DNS + 50)
+#define DNS_R_NCACHENXDOMAIN	(ISC_RESULTCLASS_DNS + 51)
+#define DNS_R_NCACHENXRRSET	(ISC_RESULTCLASS_DNS + 52)
+#define DNS_R_WAIT		(ISC_RESULTCLASS_DNS + 53)
+#define DNS_R_NOTVERIFIEDYET	(ISC_RESULTCLASS_DNS + 54)
+#define DNS_R_NOIDENTITY	(ISC_RESULTCLASS_DNS + 55)
+#define DNS_R_NOJOURNAL		(ISC_RESULTCLASS_DNS + 56)
+#define DNS_R_ALIAS		(ISC_RESULTCLASS_DNS + 57)
+#define DNS_R_USETCP		(ISC_RESULTCLASS_DNS + 58)
+#define DNS_R_NOVALIDSIG	(ISC_RESULTCLASS_DNS + 59)
+#define DNS_R_NOVALIDNSEC	(ISC_RESULTCLASS_DNS + 60)
+#define DNS_R_NOTINSECURE	(ISC_RESULTCLASS_DNS + 61)
+#define DNS_R_UNKNOWNSERVICE	(ISC_RESULTCLASS_DNS + 62)
+#define DNS_R_RECOVERABLE	(ISC_RESULTCLASS_DNS + 63)
+#define DNS_R_UNKNOWNOPT	(ISC_RESULTCLASS_DNS + 64)
+#define DNS_R_UNEXPECTEDID	(ISC_RESULTCLASS_DNS + 65)
+#define DNS_R_SEENINCLUDE	(ISC_RESULTCLASS_DNS + 66)
+#define DNS_R_NOTEXACT		(ISC_RESULTCLASS_DNS + 67)
+#define DNS_R_BLACKHOLED	(ISC_RESULTCLASS_DNS + 68)
+#define DNS_R_BADALG		(ISC_RESULTCLASS_DNS + 69)
+#define DNS_R_METATYPE		(ISC_RESULTCLASS_DNS + 70)
+#define DNS_R_CNAMEANDOTHER	(ISC_RESULTCLASS_DNS + 71)
+#define DNS_R_SINGLETON		(ISC_RESULTCLASS_DNS + 72)
+#define DNS_R_HINTNXRRSET	(ISC_RESULTCLASS_DNS + 73)
+#define DNS_R_NOMASTERFILE	(ISC_RESULTCLASS_DNS + 74)
+#define DNS_R_UNKNOWNPROTO	(ISC_RESULTCLASS_DNS + 75)
+#define DNS_R_CLOCKSKEW		(ISC_RESULTCLASS_DNS + 76)
+#define DNS_R_BADIXFR		(ISC_RESULTCLASS_DNS + 77)
+#define DNS_R_NOTAUTHORITATIVE	(ISC_RESULTCLASS_DNS + 78)
+#define DNS_R_NOVALIDKEY	(ISC_RESULTCLASS_DNS + 79)
+#define DNS_R_OBSOLETE		(ISC_RESULTCLASS_DNS + 80)
+#define DNS_R_FROZEN		(ISC_RESULTCLASS_DNS + 81)
+#define DNS_R_UNKNOWNFLAG	(ISC_RESULTCLASS_DNS + 82)
+#define DNS_R_EXPECTEDRESPONSE	(ISC_RESULTCLASS_DNS + 83)
+#define DNS_R_NOVALIDDS		(ISC_RESULTCLASS_DNS + 84)
+#define DNS_R_NSISADDRESS	(ISC_RESULTCLASS_DNS + 85)
+#define DNS_R_REMOTEFORMERR	(ISC_RESULTCLASS_DNS + 86)
+#define DNS_R_TRUNCATEDTCP	(ISC_RESULTCLASS_DNS + 87)
+#define DNS_R_LAME		(ISC_RESULTCLASS_DNS + 88)
+#define DNS_R_UNEXPECTEDRCODE	(ISC_RESULTCLASS_DNS + 89)
+#define DNS_R_UNEXPECTEDOPCODE	(ISC_RESULTCLASS_DNS + 90)
+#define DNS_R_CHASEDSSERVERS	(ISC_RESULTCLASS_DNS + 91)
+#define DNS_R_EMPTYNAME		(ISC_RESULTCLASS_DNS + 92)
+#define DNS_R_EMPTYWILD		(ISC_RESULTCLASS_DNS + 93)
+#define DNS_R_BADBITMAP		(ISC_RESULTCLASS_DNS + 94)
+#define DNS_R_FROMWILDCARD	(ISC_RESULTCLASS_DNS + 95)
+#define DNS_R_BADOWNERNAME	(ISC_RESULTCLASS_DNS + 96)
+#define DNS_R_BADNAME		(ISC_RESULTCLASS_DNS + 97)
+#define DNS_R_DYNAMIC		(ISC_RESULTCLASS_DNS + 98)
+#define DNS_R_UNKNOWNCOMMAND	(ISC_RESULTCLASS_DNS + 99)
+#define DNS_R_MUSTBESECURE	(ISC_RESULTCLASS_DNS + 100)
+#define DNS_R_COVERINGNSEC	(ISC_RESULTCLASS_DNS + 101)
+#define DNS_R_MXISADDRESS	(ISC_RESULTCLASS_DNS + 102)
+#define DNS_R_DUPLICATE		(ISC_RESULTCLASS_DNS + 103)
+#define DNS_R_INVALIDNSEC3	(ISC_RESULTCLASS_DNS + 104)
+#define DNS_R_NOTMASTER		(ISC_RESULTCLASS_DNS + 105)
+#define DNS_R_BROKENCHAIN	(ISC_RESULTCLASS_DNS + 106)
+#define DNS_R_EXPIRED		(ISC_RESULTCLASS_DNS + 107)
+#define DNS_R_NOTDYNAMIC	(ISC_RESULTCLASS_DNS + 108)
+#define DNS_R_BADEUI		(ISC_RESULTCLASS_DNS + 109)
+#define DNS_R_NTACOVERED	(ISC_RESULTCLASS_DNS + 110)
+#define DNS_R_BADCDS		(ISC_RESULTCLASS_DNS + 111)
+#define DNS_R_BADCDNSKEY	(ISC_RESULTCLASS_DNS + 112)
+#define DNS_R_OPTERR		(ISC_RESULTCLASS_DNS + 113)
+#define DNS_R_BADDNSTAP		(ISC_RESULTCLASS_DNS + 114)
+#define DNS_R_BADTSIG		(ISC_RESULTCLASS_DNS + 115)
+#define DNS_R_BADSIG0		(ISC_RESULTCLASS_DNS + 116)
+#define DNS_R_TOOMANYRECORDS	(ISC_RESULTCLASS_DNS + 117)
+#define DNS_R_VERIFYFAILURE	(ISC_RESULTCLASS_DNS + 118)
+#define DNS_R_ATZONETOP		(ISC_RESULTCLASS_DNS + 119)
+#define DNS_R_NOKEYMATCH	(ISC_RESULTCLASS_DNS + 120)
+#define DNS_R_TOOMANYKEYS	(ISC_RESULTCLASS_DNS + 121)
+#define DNS_R_KEYNOTACTIVE	(ISC_RESULTCLASS_DNS + 122)
+#define DNS_R_NSEC3ITERRANGE	(ISC_RESULTCLASS_DNS + 123)
+#define DNS_R_NSEC3SALTRANGE	(ISC_RESULTCLASS_DNS + 124)
+#define DNS_R_NSEC3BADALG	(ISC_RESULTCLASS_DNS + 125)
+#define DNS_R_NSEC3RESALT	(ISC_RESULTCLASS_DNS + 126)
+#define DNS_R_INCONSISTENTRR	(ISC_RESULTCLASS_DNS + 127)
+
+#define DNS_R_NRESULTS 128 /*%< Number of results */
+
+/*
+ * DNS wire format rcodes.
+ *
+ * By making these their own class we can easily convert them into the
+ * wire-format rcode value simply by masking off the resultclass.
+ */
+#define DNS_R_NOERROR  (ISC_RESULTCLASS_DNSRCODE + 0)
+#define DNS_R_FORMERR  (ISC_RESULTCLASS_DNSRCODE + 1)
+#define DNS_R_SERVFAIL (ISC_RESULTCLASS_DNSRCODE + 2)
+#define DNS_R_NXDOMAIN (ISC_RESULTCLASS_DNSRCODE + 3)
+#define DNS_R_NOTIMP   (ISC_RESULTCLASS_DNSRCODE + 4)
+#define DNS_R_REFUSED  (ISC_RESULTCLASS_DNSRCODE + 5)
+#define DNS_R_YXDOMAIN (ISC_RESULTCLASS_DNSRCODE + 6)
+#define DNS_R_YXRRSET  (ISC_RESULTCLASS_DNSRCODE + 7)
+#define DNS_R_NXRRSET  (ISC_RESULTCLASS_DNSRCODE + 8)
+#define DNS_R_NOTAUTH  (ISC_RESULTCLASS_DNSRCODE + 9)
+#define DNS_R_NOTZONE  (ISC_RESULTCLASS_DNSRCODE + 10)
+#define DNS_R_RCODE11  (ISC_RESULTCLASS_DNSRCODE + 11)
+#define DNS_R_RCODE12  (ISC_RESULTCLASS_DNSRCODE + 12)
+#define DNS_R_RCODE13  (ISC_RESULTCLASS_DNSRCODE + 13)
+#define DNS_R_RCODE14  (ISC_RESULTCLASS_DNSRCODE + 14)
+#define DNS_R_RCODE15  (ISC_RESULTCLASS_DNSRCODE + 15)
+#define DNS_R_BADVERS  (ISC_RESULTCLASS_DNSRCODE + 16)
+
+#define DNS_R_NRCODERESULTS 17 /*%< Number of rcode results */
+
+#define DNS_RESULT_ISRCODE(result) \
+	(ISC_RESULTCLASS_INCLASS(ISC_RESULTCLASS_DNSRCODE, (result)))
+
+ISC_LANG_BEGINDECLS
+
+const char *dns_result_totext(isc_result_t);
+
+void
+dns_result_register(void);
+
+dns_rcode_t
+dns_result_torcode(isc_result_t result);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RESULT_H */
diff --git a/lib/dns/include/dns/rootns.h b/lib/dns/include/dns/rootns.h
new file mode 100644
index 0000000..140538b
--- /dev/null
+++ b/lib/dns/include/dns/rootns.h
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_ROOTNS_H
+#define DNS_ROOTNS_H 1
+
+/*! \file dns/rootns.h */
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_rootns_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
+		  const char *filename, dns_db_t **target);
+
+void
+dns_root_checkhints(dns_view_t *view, dns_db_t *hints, dns_db_t *db);
+/*
+ * Reports differences between hints and the real roots.
+ *
+ * Requires view, hints and (cache) db to be valid.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_ROOTNS_H */
diff --git a/lib/dns/include/dns/rpz.h b/lib/dns/include/dns/rpz.h
new file mode 100644
index 0000000..f0cc578
--- /dev/null
+++ b/lib/dns/include/dns/rpz.h
@@ -0,0 +1,435 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_RPZ_H
+#define DNS_RPZ_H 1
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/deprecated.h>
+#include <isc/event.h>
+#include <isc/ht.h>
+#include <isc/lang.h>
+#include <isc/refcount.h>
+#include <isc/rwlock.h>
+#include <isc/time.h>
+#include <isc/timer.h>
+
+#include <dns/fixedname.h>
+#include <dns/rdata.h>
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+#define DNS_RPZ_PREFIX "rpz-"
+/*
+ * Sub-zones of various trigger types.
+ */
+#define DNS_RPZ_CLIENT_IP_ZONE DNS_RPZ_PREFIX "client-ip"
+#define DNS_RPZ_IP_ZONE	       DNS_RPZ_PREFIX "ip"
+#define DNS_RPZ_NSIP_ZONE      DNS_RPZ_PREFIX "nsip"
+#define DNS_RPZ_NSDNAME_ZONE   DNS_RPZ_PREFIX "nsdname"
+/*
+ * Special policies.
+ */
+#define DNS_RPZ_PASSTHRU_NAME DNS_RPZ_PREFIX "passthru"
+#define DNS_RPZ_DROP_NAME     DNS_RPZ_PREFIX "drop"
+#define DNS_RPZ_TCP_ONLY_NAME DNS_RPZ_PREFIX "tcp-only"
+
+typedef uint8_t dns_rpz_prefix_t;
+
+typedef enum {
+	DNS_RPZ_TYPE_BAD,
+	DNS_RPZ_TYPE_CLIENT_IP,
+	DNS_RPZ_TYPE_QNAME,
+	DNS_RPZ_TYPE_IP,
+	DNS_RPZ_TYPE_NSDNAME,
+	DNS_RPZ_TYPE_NSIP
+} dns_rpz_type_t;
+
+/*
+ * Require DNS_RPZ_POLICY_PASSTHRU < DNS_RPZ_POLICY_DROP
+ * < DNS_RPZ_POLICY_TCP_ONLY DNS_RPZ_POLICY_NXDOMAIN < DNS_RPZ_POLICY_NODATA
+ * < DNS_RPZ_POLICY_CNAME to choose among competing policies.
+ */
+typedef enum {
+	DNS_RPZ_POLICY_GIVEN = 0,    /* 'given': what policy record says */
+	DNS_RPZ_POLICY_DISABLED = 1, /* log what would have happened */
+	DNS_RPZ_POLICY_PASSTHRU = 2, /* 'passthru': do not rewrite */
+	DNS_RPZ_POLICY_DROP = 3,     /* 'drop': do not respond */
+	DNS_RPZ_POLICY_TCP_ONLY = 4, /* 'tcp-only': answer UDP with TC=1 */
+	DNS_RPZ_POLICY_NXDOMAIN = 5, /* 'nxdomain': answer with NXDOMAIN */
+	DNS_RPZ_POLICY_NODATA = 6,   /* 'nodata': answer with ANCOUNT=0 */
+	DNS_RPZ_POLICY_CNAME = 7,    /* 'cname x': answer with x's rrsets */
+	DNS_RPZ_POLICY_DNS64,	     /* Apply DN64 to the A rewrite */
+	DNS_RPZ_POLICY_RECORD,
+	DNS_RPZ_POLICY_WILDCNAME,
+	DNS_RPZ_POLICY_MISS,
+	DNS_RPZ_POLICY_ERROR
+} dns_rpz_policy_t;
+
+typedef uint8_t dns_rpz_num_t;
+
+#define DNS_RPZ_MAX_ZONES 64
+/*
+ * Type dns_rpz_zbits_t must be an unsigned int wide enough to contain
+ * at least DNS_RPZ_MAX_ZONES bits.
+ */
+typedef uint64_t dns_rpz_zbits_t;
+
+#define DNS_RPZ_ALL_ZBITS ((dns_rpz_zbits_t)-1)
+
+#define DNS_RPZ_INVALID_NUM DNS_RPZ_MAX_ZONES
+
+#define DNS_RPZ_ZBIT(n) (((dns_rpz_zbits_t)1) << (dns_rpz_num_t)(n))
+
+/*
+ * Mask of the specified and higher numbered policy zones
+ * Avoid hassles with (1<<33) or (1<<65)
+ */
+#define DNS_RPZ_ZMASK(n)                                     \
+	((dns_rpz_zbits_t)((((n) >= DNS_RPZ_MAX_ZONES - 1)   \
+				    ? 0                      \
+				    : (1ULL << ((n) + 1))) - \
+			   1))
+
+/*
+ * The trigger counter type.
+ */
+typedef size_t dns_rpz_trigger_counter_t;
+
+/*
+ * The number of triggers of each type in a response policy zone.
+ */
+typedef struct dns_rpz_triggers dns_rpz_triggers_t;
+struct dns_rpz_triggers {
+	dns_rpz_trigger_counter_t client_ipv4;
+	dns_rpz_trigger_counter_t client_ipv6;
+	dns_rpz_trigger_counter_t qname;
+	dns_rpz_trigger_counter_t ipv4;
+	dns_rpz_trigger_counter_t ipv6;
+	dns_rpz_trigger_counter_t nsdname;
+	dns_rpz_trigger_counter_t nsipv4;
+	dns_rpz_trigger_counter_t nsipv6;
+};
+
+/*
+ * A single response policy zone.
+ */
+typedef struct dns_rpz_zone  dns_rpz_zone_t;
+typedef struct dns_rpz_zones dns_rpz_zones_t;
+
+struct dns_rpz_zone {
+	isc_refcount_t	 refs;
+	dns_rpz_num_t	 num;	    /* ordinal in list of policy zones */
+	dns_name_t	 origin;    /* Policy zone name */
+	dns_name_t	 client_ip; /* DNS_RPZ_CLIENT_IP_ZONE.origin. */
+	dns_name_t	 ip;	    /* DNS_RPZ_IP_ZONE.origin. */
+	dns_name_t	 nsdname;   /* DNS_RPZ_NSDNAME_ZONE.origin */
+	dns_name_t	 nsip;	    /* DNS_RPZ_NSIP_ZONE.origin. */
+	dns_name_t	 passthru;  /* DNS_RPZ_PASSTHRU_NAME. */
+	dns_name_t	 drop;	    /* DNS_RPZ_DROP_NAME. */
+	dns_name_t	 tcp_only;  /* DNS_RPZ_TCP_ONLY_NAME. */
+	dns_name_t	 cname;	    /* override value for ..._CNAME */
+	dns_ttl_t	 max_policy_ttl;
+	dns_rpz_policy_t policy; /* DNS_RPZ_POLICY_GIVEN or override */
+
+	uint32_t min_update_interval;	 /* minimal interval between
+					  * updates */
+	isc_ht_t	*nodes;		 /* entries in zone */
+	dns_rpz_zones_t *rpzs;		 /* owner */
+	isc_time_t	 lastupdated;	 /* last time the zone was processed
+					  * */
+	bool updatepending;		 /* there is an update
+					  * pending/waiting */
+	bool		 updaterunning;	 /* there is an update running */
+	dns_db_t	*db;		 /* zones database */
+	dns_dbversion_t *dbversion;	 /* version we will be updating to */
+	dns_db_t	*updb;		 /* zones database we're working on */
+	dns_dbversion_t *updbversion;	 /* version we're currently working
+					  * on */
+	dns_dbiterator_t *updbit;	 /* iterator to use when updating */
+	isc_ht_t	 *newnodes;	 /* entries in zone being updated */
+	bool		  db_registered; /* is the notify event
+					  * registered? */
+	bool	     addsoa;		 /* add soa to the additional section */
+	isc_timer_t *updatetimer;
+	isc_event_t  updateevent;
+};
+
+/*
+ * Radix tree node for response policy IP addresses
+ */
+typedef struct dns_rpz_cidr_node dns_rpz_cidr_node_t;
+
+/*
+ * Bitfields indicating which policy zones have policies of
+ * which type.
+ */
+typedef struct dns_rpz_have dns_rpz_have_t;
+struct dns_rpz_have {
+	dns_rpz_zbits_t client_ipv4;
+	dns_rpz_zbits_t client_ipv6;
+	dns_rpz_zbits_t client_ip;
+	dns_rpz_zbits_t qname;
+	dns_rpz_zbits_t ipv4;
+	dns_rpz_zbits_t ipv6;
+	dns_rpz_zbits_t ip;
+	dns_rpz_zbits_t nsdname;
+	dns_rpz_zbits_t nsipv4;
+	dns_rpz_zbits_t nsipv6;
+	dns_rpz_zbits_t nsip;
+	dns_rpz_zbits_t qname_skip_recurse;
+};
+
+/*
+ * Policy options
+ */
+typedef struct dns_rpz_popt dns_rpz_popt_t;
+struct dns_rpz_popt {
+	dns_rpz_zbits_t no_rd_ok;
+	dns_rpz_zbits_t no_log;
+	dns_rpz_zbits_t nsip_on;
+	dns_rpz_zbits_t nsdname_on;
+	bool		dnsrps_enabled;
+	bool		break_dnssec;
+	bool		qname_wait_recurse;
+	bool		nsip_wait_recurse;
+	unsigned int	min_ns_labels;
+	dns_rpz_num_t	num_zones;
+};
+
+/*
+ * Response policy zones known to a view.
+ */
+struct dns_rpz_zones {
+	dns_rpz_popt_t	   p;
+	dns_rpz_zone_t	  *zones[DNS_RPZ_MAX_ZONES];
+	dns_rpz_triggers_t triggers[DNS_RPZ_MAX_ZONES];
+
+	/*
+	 * RPZ policy version number.
+	 * It is initially 0 and it increases whenever the server is
+	 * reconfigured with new zones or policy.
+	 */
+	int rpz_ver;
+
+	dns_rpz_zbits_t defined;
+
+	/*
+	 * The set of records for a policy zone are in one of these states:
+	 *	never loaded		    load_begun=0  have=0
+	 *	during initial loading	    load_begun=1  have=0
+	 *				and rbtdb->rpzsp == rbtdb->load_rpzsp
+	 *	after good load		    load_begun=1  have!=0
+	 *	after failed initial load   load_begun=1  have=0
+	 *				and rbtdb->load_rpzsp == NULL
+	 *	reloading after failure	    load_begun=1  have=0
+	 *	reloading after success
+	 *		main rpzs	    load_begun=1  have!=0
+	 *		load rpzs	    load_begun=1  have=0
+	 */
+	dns_rpz_zbits_t load_begun;
+	dns_rpz_have_t	have;
+
+	/*
+	 * total_triggers maintains the total number of triggers in all
+	 * policy zones in the view. It is only used to print summary
+	 * statistics after a zone load of how the trigger counts
+	 * changed.
+	 */
+	dns_rpz_triggers_t total_triggers;
+
+	isc_mem_t      *mctx;
+	isc_taskmgr_t  *taskmgr;
+	isc_timermgr_t *timermgr;
+	isc_task_t     *updater;
+	isc_refcount_t	refs;
+	isc_refcount_t	irefs;
+	/*
+	 * One lock for short term read-only search that guarantees the
+	 * consistency of the pointers.
+	 * A second lock for maintenance that guarantees no other thread
+	 * is adding or deleting nodes.
+	 */
+	isc_rwlock_t search_lock;
+	isc_mutex_t  maint_lock;
+
+	dns_rpz_cidr_node_t *cidr;
+	dns_rbt_t	    *rbt;
+
+	/*
+	 * DNSRPZ librpz configuration string and handle on librpz connection
+	 */
+	char		     *rps_cstr;
+	size_t		      rps_cstr_size;
+	struct librpz_client *rps_client;
+};
+
+/*
+ * context for finding the best policy
+ */
+typedef struct {
+	unsigned int state;
+#define DNS_RPZ_REWRITTEN      0x0001
+#define DNS_RPZ_DONE_CLIENT_IP 0x0002 /* client IP address checked */
+#define DNS_RPZ_DONE_QNAME     0x0004 /* qname checked */
+#define DNS_RPZ_DONE_QNAME_IP  0x0008 /* IP addresses of qname checked */
+#define DNS_RPZ_DONE_NSDNAME   0x0010 /* NS name missed; checking addresses */
+#define DNS_RPZ_DONE_IPv4      0x0020
+#define DNS_RPZ_RECURSING      0x0040
+#define DNS_RPZ_ACTIVE	       0x0080
+	/*
+	 * Best match so far.
+	 */
+	struct {
+		dns_rpz_type_t	 type;
+		dns_rpz_zone_t	*rpz;
+		dns_rpz_prefix_t prefix;
+		dns_rpz_policy_t policy;
+		dns_ttl_t	 ttl;
+		isc_result_t	 result;
+		dns_zone_t	*zone;
+		dns_db_t	*db;
+		dns_dbversion_t *version;
+		dns_dbnode_t	*node;
+		dns_rdataset_t	*rdataset;
+	} m;
+	/*
+	 * State for chasing IP addresses and NS names including recursion.
+	 */
+	struct {
+		unsigned int	label;
+		dns_db_t       *db;
+		dns_rdataset_t *ns_rdataset;
+		dns_rdatatype_t r_type;
+		isc_result_t	r_result;
+		dns_rdataset_t *r_rdataset;
+	} r;
+
+	/*
+	 * State of real query while recursing for NSIP or NSDNAME.
+	 */
+	struct {
+		isc_result_t	result;
+		bool		is_zone;
+		bool		authoritative;
+		dns_zone_t     *zone;
+		dns_db_t       *db;
+		dns_dbnode_t   *node;
+		dns_rdataset_t *rdataset;
+		dns_rdataset_t *sigrdataset;
+		dns_rdatatype_t qtype;
+	} q;
+
+	/*
+	 * A copy of the 'have' and 'p' structures and the RPZ
+	 * policy version as of the beginning of RPZ processing,
+	 * used to avoid problems when policy is updated while
+	 * RPZ recursion is ongoing.
+	 */
+	dns_rpz_have_t have;
+	dns_rpz_popt_t popt;
+	int	       rpz_ver;
+
+	/*
+	 * Shim db between BIND and DNRPS librpz.
+	 */
+	dns_db_t *rpsdb;
+
+	/*
+	 * p_name: current policy owner name
+	 * r_name: recursing for this name to possible policy triggers
+	 * f_name: saved found name from before recursion
+	 */
+	dns_name_t     *p_name;
+	dns_name_t     *r_name;
+	dns_name_t     *fname;
+	dns_fixedname_t _p_namef;
+	dns_fixedname_t _r_namef;
+	dns_fixedname_t _fnamef;
+} dns_rpz_st_t;
+
+#define DNS_RPZ_TTL_DEFAULT		  5
+#define DNS_RPZ_MAX_TTL_DEFAULT		  DNS_RPZ_TTL_DEFAULT
+#define DNS_RPZ_MINUPDATEINTERVAL_DEFAULT 60
+
+/*
+ * So various response policy zone messages can be turned up or down.
+ */
+#define DNS_RPZ_ERROR_LEVEL  ISC_LOG_WARNING
+#define DNS_RPZ_INFO_LEVEL   ISC_LOG_INFO
+#define DNS_RPZ_DEBUG_LEVEL1 ISC_LOG_DEBUG(1)
+#define DNS_RPZ_DEBUG_LEVEL2 ISC_LOG_DEBUG(2)
+#define DNS_RPZ_DEBUG_LEVEL3 ISC_LOG_DEBUG(3)
+#define DNS_RPZ_DEBUG_QUIET  (DNS_RPZ_DEBUG_LEVEL3 + 1)
+
+const char *
+dns_rpz_type2str(dns_rpz_type_t type);
+
+dns_rpz_policy_t
+dns_rpz_str2policy(const char *str);
+
+const char *
+dns_rpz_policy2str(dns_rpz_policy_t policy);
+
+dns_rpz_policy_t
+dns_rpz_decode_cname(dns_rpz_zone_t *rpz, dns_rdataset_t *rdataset,
+		     dns_name_t *selfname);
+
+isc_result_t
+dns_rpz_new_zones(dns_rpz_zones_t **rpzsp, char *rps_cstr, size_t rps_cstr_size,
+		  isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
+		  isc_timermgr_t *timermgr);
+
+isc_result_t
+dns_rpz_new_zone(dns_rpz_zones_t *rpzs, dns_rpz_zone_t **rpzp);
+
+isc_result_t
+dns_rpz_dbupdate_callback(dns_db_t *db, void *fn_arg);
+
+void
+dns_rpz_attach_rpzs(dns_rpz_zones_t *source, dns_rpz_zones_t **target);
+
+void
+dns_rpz_detach_rpzs(dns_rpz_zones_t **rpzsp);
+
+isc_result_t
+dns_rpz_beginload(dns_rpz_zones_t **load_rpzsp, dns_rpz_zones_t *rpzs,
+		  dns_rpz_num_t rpz_num) ISC_DEPRECATED;
+
+isc_result_t
+dns_rpz_ready(dns_rpz_zones_t *rpzs, dns_rpz_zones_t **load_rpzsp,
+	      dns_rpz_num_t rpz_num) ISC_DEPRECATED;
+
+isc_result_t
+dns_rpz_add(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
+	    const dns_name_t *name);
+
+void
+dns_rpz_delete(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
+	       const dns_name_t *name);
+
+dns_rpz_num_t
+dns_rpz_find_ip(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type,
+		dns_rpz_zbits_t zbits, const isc_netaddr_t *netaddr,
+		dns_name_t *ip_name, dns_rpz_prefix_t *prefixp);
+
+dns_rpz_zbits_t
+dns_rpz_find_name(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type,
+		  dns_rpz_zbits_t zbits, dns_name_t *trig_name);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RPZ_H */
diff --git a/lib/dns/include/dns/rriterator.h b/lib/dns/include/dns/rriterator.h
new file mode 100644
index 0000000..2294d69
--- /dev/null
+++ b/lib/dns/include/dns/rriterator.h
@@ -0,0 +1,182 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_RRITERATOR_H
+#define DNS_RRITERATOR_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file dns/rriterator.h
+ * \brief
+ * Functions for "walking" a zone database, visiting each RR or RRset in turn.
+ */
+
+/*****
+***** Imports
+*****/
+
+#include <inttypes.h>
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/stdtime.h>
+
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*****
+***** Types
+*****/
+
+/*%
+ * A dns_rriterator_t is an iterator that iterates over an entire database,
+ * returning one RR at a time, in some arbitrary order.
+ */
+
+typedef struct dns_rriterator {
+	unsigned int	    magic;
+	isc_result_t	    result;
+	dns_db_t	   *db;
+	dns_dbiterator_t   *dbit;
+	dns_dbversion_t	   *ver;
+	isc_stdtime_t	    now;
+	dns_dbnode_t	   *node;
+	dns_fixedname_t	    fixedname;
+	dns_rdatasetiter_t *rdatasetit;
+	dns_rdataset_t	    rdataset;
+	dns_rdata_t	    rdata;
+} dns_rriterator_t;
+
+#define RRITERATOR_MAGIC    ISC_MAGIC('R', 'R', 'I', 't')
+#define VALID_RRITERATOR(m) ISC_MAGIC_VALID(m, RRITERATOR_MAGIC)
+
+isc_result_t
+dns_rriterator_init(dns_rriterator_t *it, dns_db_t *db, dns_dbversion_t *ver,
+		    isc_stdtime_t now);
+/*%
+ * Initialize an rriterator; sets the cursor to the origin node
+ * of the database.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * Returns:
+ *
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_rriterator_first(dns_rriterator_t *it);
+/*%<
+ * Move the rriterator cursor to the first rdata in the database.
+ *
+ * Requires:
+ *\li	'it' is a valid, initialized rriterator
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMORE			There are no rdata in the set.
+ */
+
+isc_result_t
+dns_rriterator_nextrrset(dns_rriterator_t *it);
+/*%<
+ * Move the rriterator cursor to the next rrset in the database,
+ * skipping over any remaining records that have the same rdatatype
+ * as the current one.
+ *
+ * Requires:
+ *\li	'it' is a valid, initialized rriterator
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMORE			No more rrsets in the database
+ */
+
+isc_result_t
+dns_rriterator_next(dns_rriterator_t *it);
+/*%<
+ * Move the rriterator cursor to the next rrset in the database,
+ * skipping over any remaining records that have the same rdatatype
+ * as the current one.
+ *
+ * Requires:
+ *\li	'it' is a valid, initialized rriterator
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMORE			No more records in the database
+ */
+
+void
+dns_rriterator_current(dns_rriterator_t *it, dns_name_t **name, uint32_t *ttl,
+		       dns_rdataset_t **rdataset, dns_rdata_t **rdata);
+/*%<
+ * Make '*name' refer to the current name.  If 'rdataset' is not NULL,
+ * make '*rdataset' refer to the current * rdataset.  If '*rdata' is not
+ * NULL, make '*rdata' refer to the current record.
+ *
+ * Requires:
+ *\li	'*name' is a valid name object
+ *\li	'rdataset' is NULL or '*rdataset' is NULL
+ *\li	'rdata' is NULL or '*rdata' is NULL
+ *
+ * Ensures:
+ *\li	'rdata' refers to the rdata at the rdata cursor location of
+ *\li	'rdataset'.
+ */
+
+void
+dns_rriterator_pause(dns_rriterator_t *it);
+/*%<
+ * Pause rriterator.  Frees any locks held by the database iterator.
+ * Callers should use this routine any time they are not going to
+ * execute another rriterator method in the immediate future.
+ *
+ * Requires:
+ *\li	'it' is a valid iterator.
+ *
+ * Ensures:
+ *\li	Any database locks being held for efficiency of iterator access are
+ *	released.
+ */
+
+void
+dns_rriterator_destroy(dns_rriterator_t *it);
+/*%<
+ * Shut down and free resources in rriterator 'it'.
+ *
+ * Requires:
+ *
+ *\li	'it' is a valid iterator.
+ *
+ * Ensures:
+ *
+ *\li	All resources used by the rriterator are freed.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RRITERATOR_H */
diff --git a/lib/dns/include/dns/rrl.h b/lib/dns/include/dns/rrl.h
new file mode 100644
index 0000000..fabefa3
--- /dev/null
+++ b/lib/dns/include/dns/rrl.h
@@ -0,0 +1,272 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_RRL_H
+#define DNS_RRL_H 1
+
+/*
+ * Rate limit DNS responses.
+ */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/lang.h>
+
+#include <dns/fixedname.h>
+#include <dns/rdata.h>
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*
+ * Memory allocation or other failures.
+ */
+#define DNS_RRL_LOG_FAIL ISC_LOG_WARNING
+/*
+ * dropped or slipped responses.
+ */
+#define DNS_RRL_LOG_DROP ISC_LOG_INFO
+/*
+ * Major events in dropping or slipping.
+ */
+#define DNS_RRL_LOG_DEBUG1 ISC_LOG_DEBUG(3)
+/*
+ * Limit computations.
+ */
+#define DNS_RRL_LOG_DEBUG2 ISC_LOG_DEBUG(4)
+/*
+ * Even less interesting.
+ */
+#define DNS_RRL_LOG_DEBUG3 ISC_LOG_DEBUG(9)
+
+#define DNS_RRL_LOG_ERR_LEN 64
+#define DNS_RRL_LOG_BUF_LEN                                        \
+	(sizeof("would continue limiting") + DNS_RRL_LOG_ERR_LEN + \
+	 sizeof(" responses to ") + ISC_NETADDR_FORMATSIZE +       \
+	 sizeof("/128 for IN ") + DNS_RDATATYPE_FORMATSIZE +       \
+	 DNS_NAME_FORMATSIZE)
+
+typedef struct dns_rrl_hash dns_rrl_hash_t;
+
+/*
+ * Response types.
+ */
+typedef enum {
+	DNS_RRL_RTYPE_FREE = 0,
+	DNS_RRL_RTYPE_QUERY,
+	DNS_RRL_RTYPE_REFERRAL,
+	DNS_RRL_RTYPE_NODATA,
+	DNS_RRL_RTYPE_NXDOMAIN,
+	DNS_RRL_RTYPE_ERROR,
+	DNS_RRL_RTYPE_ALL,
+	DNS_RRL_RTYPE_TCP,
+} dns_rrl_rtype_t;
+
+/*
+ * A rate limit bucket key.
+ * This should be small to limit the total size of the database.
+ * The hash of the qname should be wide enough to make the probability
+ * of collisions among requests from a single IP address block less than 50%.
+ * We need a 32-bit hash value for 10000 qps (e.g. random qnames forged
+ * by attacker) to collide with legitimate qnames from the target with
+ * probability at most 1%.
+ */
+#define DNS_RRL_MAX_PREFIX 64
+typedef union dns_rrl_key dns_rrl_key_t;
+struct dns__rrl_key {
+	uint32_t	ip[DNS_RRL_MAX_PREFIX / 32];
+	uint32_t	qname_hash;
+	dns_rdatatype_t qtype;
+	uint8_t		qclass;
+	unsigned int	rtype : 4; /* dns_rrl_rtype_t */
+	unsigned int	ipv6  : 1;
+};
+union dns_rrl_key {
+	struct dns__rrl_key s;
+	uint16_t	    w[sizeof(struct dns__rrl_key) / sizeof(uint16_t)];
+};
+
+/*
+ * A rate-limit entry.
+ * This should be small to limit the total size of the table of entries.
+ */
+typedef struct dns_rrl_entry dns_rrl_entry_t;
+typedef ISC_LIST(dns_rrl_entry_t) dns_rrl_bin_t;
+struct dns_rrl_entry {
+	ISC_LINK(dns_rrl_entry_t) lru;
+	ISC_LINK(dns_rrl_entry_t) hlink;
+	dns_rrl_key_t key;
+#define DNS_RRL_RESPONSE_BITS 24
+	signed int responses : DNS_RRL_RESPONSE_BITS;
+#define DNS_RRL_QNAMES_BITS 8
+	unsigned int log_qname : DNS_RRL_QNAMES_BITS;
+
+#define DNS_RRL_TS_GEN_BITS 2
+	unsigned int ts_gen : DNS_RRL_TS_GEN_BITS;
+	unsigned int ts_valid : 1;
+#define DNS_RRL_HASH_GEN_BITS 1
+	unsigned int hash_gen : DNS_RRL_HASH_GEN_BITS;
+	unsigned int logged : 1;
+#define DNS_RRL_LOG_BITS 11
+	unsigned int log_secs : DNS_RRL_LOG_BITS;
+
+#define DNS_RRL_TS_BITS 12
+	unsigned int ts : DNS_RRL_TS_BITS;
+
+#define DNS_RRL_MAX_SLIP 10
+	unsigned int slip_cnt : 4;
+};
+
+#define DNS_RRL_MAX_TIME_TRAVEL 5
+#define DNS_RRL_FOREVER		(1 << DNS_RRL_TS_BITS)
+#define DNS_RRL_MAX_TS		(DNS_RRL_FOREVER - 1)
+
+#define DNS_RRL_MAX_RESPONSES ((1 << (DNS_RRL_RESPONSE_BITS - 1)) - 1)
+#define DNS_RRL_MAX_WINDOW    3600
+#if DNS_RRL_MAX_WINDOW >= DNS_RRL_MAX_TS
+#error "DNS_RRL_MAX_WINDOW is too large"
+#endif /* if DNS_RRL_MAX_WINDOW >= DNS_RRL_MAX_TS */
+#define DNS_RRL_MAX_RATE 1000
+#if DNS_RRL_MAX_RATE >= (DNS_RRL_MAX_RESPONSES / DNS_RRL_MAX_WINDOW)
+#error "DNS_RRL_MAX_rate is too large"
+#endif /* if DNS_RRL_MAX_RATE >= (DNS_RRL_MAX_RESPONSES / DNS_RRL_MAX_WINDOW) \
+	*/
+
+#if (1 << DNS_RRL_LOG_BITS) >= DNS_RRL_FOREVER
+#error DNS_RRL_LOG_BITS is too big
+#endif /* if (1 << DNS_RRL_LOG_BITS) >= DNS_RRL_FOREVER */
+#define DNS_RRL_MAX_LOG_SECS 1800
+#if DNS_RRL_MAX_LOG_SECS >= (1 << DNS_RRL_LOG_BITS)
+#error "DNS_RRL_MAX_LOG_SECS is too large"
+#endif /* if DNS_RRL_MAX_LOG_SECS >= (1 << DNS_RRL_LOG_BITS) */
+#define DNS_RRL_STOP_LOG_SECS 60
+#if DNS_RRL_STOP_LOG_SECS >= (1 << DNS_RRL_LOG_BITS)
+#error "DNS_RRL_STOP_LOG_SECS is too large"
+#endif /* if DNS_RRL_STOP_LOG_SECS >= (1 << DNS_RRL_LOG_BITS) */
+
+/*
+ * A hash table of rate-limit entries.
+ */
+struct dns_rrl_hash {
+	isc_stdtime_t check_time;
+	unsigned int  gen : DNS_RRL_HASH_GEN_BITS;
+	int	      length;
+	dns_rrl_bin_t bins[1];
+};
+
+/*
+ * A block of rate-limit entries.
+ */
+typedef struct dns_rrl_block dns_rrl_block_t;
+struct dns_rrl_block {
+	ISC_LINK(dns_rrl_block_t) link;
+	int		size;
+	dns_rrl_entry_t entries[1];
+};
+
+/*
+ * A rate limited qname buffer.
+ */
+typedef struct dns_rrl_qname_buf dns_rrl_qname_buf_t;
+struct dns_rrl_qname_buf {
+	ISC_LINK(dns_rrl_qname_buf_t) link;
+	const dns_rrl_entry_t *e;
+	unsigned int	       index;
+	dns_fixedname_t	       qname;
+};
+
+typedef struct dns_rrl_rate dns_rrl_rate_t;
+struct dns_rrl_rate {
+	int	    r;
+	int	    scaled;
+	const char *str;
+};
+
+/*
+ * Per-view query rate limit parameters and a pointer to database.
+ */
+typedef struct dns_rrl dns_rrl_t;
+struct dns_rrl {
+	isc_mutex_t lock;
+	isc_mem_t  *mctx;
+
+	bool	       log_only;
+	dns_rrl_rate_t responses_per_second;
+	dns_rrl_rate_t referrals_per_second;
+	dns_rrl_rate_t nodata_per_second;
+	dns_rrl_rate_t nxdomains_per_second;
+	dns_rrl_rate_t errors_per_second;
+	dns_rrl_rate_t all_per_second;
+	dns_rrl_rate_t slip;
+	int	       window;
+	double	       qps_scale;
+	int	       max_entries;
+
+	dns_acl_t *exempt;
+
+	int num_entries;
+
+	int	      qps_responses;
+	isc_stdtime_t qps_time;
+	double	      qps;
+
+	unsigned int probes;
+	unsigned int searches;
+
+	ISC_LIST(dns_rrl_block_t) blocks;
+	ISC_LIST(dns_rrl_entry_t) lru;
+
+	dns_rrl_hash_t *hash;
+	dns_rrl_hash_t *old_hash;
+	unsigned int	hash_gen;
+
+	unsigned int ts_gen;
+#define DNS_RRL_TS_BASES (1 << DNS_RRL_TS_GEN_BITS)
+	isc_stdtime_t ts_bases[DNS_RRL_TS_BASES];
+
+	int	 ipv4_prefixlen;
+	uint32_t ipv4_mask;
+	int	 ipv6_prefixlen;
+	uint32_t ipv6_mask[4];
+
+	isc_stdtime_t	 log_stops_time;
+	dns_rrl_entry_t *last_logged;
+	int		 num_logged;
+	int		 num_qnames;
+	ISC_LIST(dns_rrl_qname_buf_t) qname_free;
+#define DNS_RRL_QNAMES (1 << DNS_RRL_QNAMES_BITS)
+	dns_rrl_qname_buf_t *qnames[DNS_RRL_QNAMES];
+};
+
+typedef enum {
+	DNS_RRL_RESULT_OK,
+	DNS_RRL_RESULT_DROP,
+	DNS_RRL_RESULT_SLIP,
+} dns_rrl_result_t;
+
+dns_rrl_result_t
+dns_rrl(dns_view_t *view, dns_zone_t *zone, const isc_sockaddr_t *client_addr,
+	bool is_tcp, dns_rdataclass_t rdclass, dns_rdatatype_t qtype,
+	const dns_name_t *qname, isc_result_t resp_result, isc_stdtime_t now,
+	bool wouldlog, char *log_buf, unsigned int log_buf_len);
+
+void
+dns_rrl_view_destroy(dns_view_t *view);
+
+isc_result_t
+dns_rrl_init(dns_rrl_t **rrlp, dns_view_t *view, int min_entries);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RRL_H */
diff --git a/lib/dns/include/dns/sdb.h b/lib/dns/include/dns/sdb.h
new file mode 100644
index 0000000..578d7cc
--- /dev/null
+++ b/lib/dns/include/dns/sdb.h
@@ -0,0 +1,214 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_SDB_H
+#define DNS_SDB_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file dns/sdb.h
+ * \brief
+ * Simple database API.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <inttypes.h>
+
+#include <isc/lang.h>
+
+#include <dns/clientinfo.h>
+#include <dns/types.h>
+
+/***
+ *** Types
+ ***/
+
+/*%
+ * A simple database.  This is an opaque type.
+ */
+typedef struct dns_sdb dns_sdb_t;
+
+/*%
+ * A simple database lookup in progress.  This is an opaque type.
+ */
+typedef struct dns_sdblookup dns_sdblookup_t;
+
+/*%
+ * A simple database traversal in progress.  This is an opaque type.
+ */
+typedef struct dns_sdballnodes dns_sdballnodes_t;
+
+typedef isc_result_t (*dns_sdblookupfunc_t)(const char *zone, const char *name,
+					    void		    *dbdata,
+					    dns_sdblookup_t	    *lookup,
+					    dns_clientinfomethods_t *methods,
+					    dns_clientinfo_t *clientinfo);
+typedef isc_result_t (*dns_sdblookup2func_t)(const dns_name_t	     *zone,
+					     const dns_name_t	     *name,
+					     void		     *dbdata,
+					     dns_sdblookup_t	     *lookup,
+					     dns_clientinfomethods_t *methods,
+					     dns_clientinfo_t *clientinfo);
+
+typedef isc_result_t (*dns_sdbauthorityfunc_t)(const char *zone, void *dbdata,
+					       dns_sdblookup_t *);
+
+typedef isc_result_t (*dns_sdballnodesfunc_t)(const char *zone, void *dbdata,
+					      dns_sdballnodes_t *allnodes);
+
+typedef isc_result_t (*dns_sdbcreatefunc_t)(const char *zone, int argc,
+					    char **argv, void *driverdata,
+					    void **dbdata);
+
+typedef void (*dns_sdbdestroyfunc_t)(const char *zone, void *driverdata,
+				     void **dbdata);
+
+typedef struct dns_sdbmethods {
+	dns_sdblookupfunc_t    lookup;
+	dns_sdbauthorityfunc_t authority;
+	dns_sdballnodesfunc_t  allnodes;
+	dns_sdbcreatefunc_t    create;
+	dns_sdbdestroyfunc_t   destroy;
+	dns_sdblookup2func_t   lookup2;
+} dns_sdbmethods_t;
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+#define DNS_SDBFLAG_RELATIVEOWNER 0x00000001U
+#define DNS_SDBFLAG_RELATIVERDATA 0x00000002U
+#define DNS_SDBFLAG_THREADSAFE	  0x00000004U
+#define DNS_SDBFLAG_DNS64	  0x00000008U
+
+isc_result_t
+dns_sdb_register(const char *drivername, const dns_sdbmethods_t *methods,
+		 void *driverdata, unsigned int flags, isc_mem_t *mctx,
+		 dns_sdbimplementation_t **sdbimp);
+/*%<
+ * Register a simple database driver for the database type 'drivername',
+ * implemented by the functions in '*methods'.
+ *
+ * sdbimp must point to a NULL dns_sdbimplementation_t pointer.  That is,
+ * sdbimp != NULL && *sdbimp == NULL.  It will be assigned a value that
+ * will later be used to identify the driver when deregistering it.
+ *
+ * The name server will perform lookups in the database by calling the
+ * function 'lookup', passing it a printable zone name 'zone', a printable
+ * domain name 'name', and a copy of the argument 'dbdata' that
+ * was potentially returned by the create function.  The 'dns_sdblookup_t'
+ * argument to 'lookup' and 'authority' is an opaque pointer to be passed to
+ * ns_sdb_putrr().
+ *
+ * The lookup function returns the lookup results to the name server
+ * by calling ns_sdb_putrr() once for each record found.  On success,
+ * the return value of the lookup function should be ISC_R_SUCCESS.
+ * If the domain name 'name' does not exist, the lookup function should
+ * ISC_R_NOTFOUND.  Any other return value is treated as an error.
+ *
+ * Lookups at the zone apex will cause the server to also call the
+ * function 'authority' (if non-NULL), which must provide an SOA record
+ * and NS records for the zone by calling ns_sdb_putrr() once for each of
+ * these records.  The 'authority' function may be NULL if invoking
+ * the 'lookup' function on the zone apex will return SOA and NS records.
+ *
+ * The allnodes function, if non-NULL, fills in an opaque structure to be
+ * used by a database iterator.  This allows the zone to be transferred.
+ * This may use a considerable amount of memory for large zones, and the
+ * zone transfer may not be fully RFC1035 compliant if the zone is
+ * frequently changed.
+ *
+ * The create function will be called for each zone configured
+ * into the name server using this database type.  It can be used
+ * to create a "database object" containing zone specific data,
+ * which can make use of the database arguments specified in the
+ * name server configuration.
+ *
+ * The destroy function will be called to free the database object
+ * when its zone is destroyed.
+ *
+ * The create and destroy functions may be NULL.
+ *
+ * If flags includes DNS_SDBFLAG_RELATIVEOWNER, the lookup and authority
+ * functions will be called with relative names rather than absolute names.
+ * The string "@" represents the zone apex in this case.
+ *
+ * If flags includes DNS_SDBFLAG_RELATIVERDATA, the rdata strings may
+ * include relative names.  Otherwise, all names in the rdata string must
+ * be absolute.  Be aware that if relative names are allowed, any
+ * absolute names must contain a trailing dot.
+ *
+ * If flags includes DNS_SDBFLAG_THREADSAFE, the driver must be able to
+ * handle multiple lookups in parallel.  Otherwise, calls into the driver
+ * are serialized.
+ */
+
+void
+dns_sdb_unregister(dns_sdbimplementation_t **sdbimp);
+/*%<
+ * Removes the simple database driver from the list of registered database
+ * types.  There must be no active databases of this type when this function
+ * is called.
+ */
+
+/*% See dns_sdb_putradata() */
+isc_result_t
+dns_sdb_putrr(dns_sdblookup_t *lookup, const char *type, dns_ttl_t ttl,
+	      const char *data);
+isc_result_t
+dns_sdb_putrdata(dns_sdblookup_t *lookup, dns_rdatatype_t type, dns_ttl_t ttl,
+		 const unsigned char *rdata, unsigned int rdlen);
+/*%<
+ * Add a single resource record to the lookup structure to be
+ * returned in the query response.  dns_sdb_putrr() takes the
+ * resource record in master file text format as a null-terminated
+ * string, and dns_sdb_putrdata() takes the raw RDATA in
+ * uncompressed wire format.
+ */
+
+/*% See dns_sdb_putnamerdata() */
+isc_result_t
+dns_sdb_putnamedrr(dns_sdballnodes_t *allnodes, const char *name,
+		   const char *type, dns_ttl_t ttl, const char *data);
+isc_result_t
+dns_sdb_putnamedrdata(dns_sdballnodes_t *allnodes, const char *name,
+		      dns_rdatatype_t type, dns_ttl_t ttl, const void *rdata,
+		      unsigned int rdlen);
+/*%<
+ * Add a single resource record to the allnodes structure to be
+ * included in a zone transfer response, in text or wire
+ * format as above.
+ */
+
+isc_result_t
+dns_sdb_putsoa(dns_sdblookup_t *lookup, const char *mname, const char *rname,
+	       uint32_t serial);
+/*%<
+ * This function may optionally be called from the 'authority' callback
+ * to simplify construction of the SOA record for 'zone'.  It will
+ * provide a SOA listing 'mname' as as the master server and 'rname' as
+ * the responsible person mailbox.  It is the responsibility of the
+ * driver to increment the serial number between responses if necessary.
+ * All other SOA fields will have reasonable default values.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_SDB_H */
diff --git a/lib/dns/include/dns/sdlz.h b/lib/dns/include/dns/sdlz.h
new file mode 100644
index 0000000..6a06c98
--- /dev/null
+++ b/lib/dns/include/dns/sdlz.h
@@ -0,0 +1,359 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the
+ * above copyright notice and this permission notice appear in all
+ * copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND STICHTING NLNET
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ * STICHTING NLNET BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+ * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+ * OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
+ * USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ * The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
+ * conceived and contributed by Rob Butler.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the
+ * above copyright notice and this permission notice appear in all
+ * copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ROB BUTLER
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ * ROB BUTLER BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+ * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+ * OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
+ * USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*! \file dns/sdlz.h */
+
+#ifndef SDLZ_H
+#define SDLZ_H 1
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <dns/clientinfo.h>
+#include <dns/dlz.h>
+
+ISC_LANG_BEGINDECLS
+
+#define DNS_SDLZFLAG_THREADSAFE	   0x00000001U
+#define DNS_SDLZFLAG_RELATIVEOWNER 0x00000002U
+#define DNS_SDLZFLAG_RELATIVERDATA 0x00000004U
+
+/* A simple DLZ database. */
+typedef struct dns_sdlz_db dns_sdlz_db_t;
+
+/* A simple DLZ database lookup in progress. */
+typedef struct dns_sdlzlookup dns_sdlzlookup_t;
+
+/* A simple DLZ database traversal in progress. */
+typedef struct dns_sdlzallnodes dns_sdlzallnodes_t;
+
+typedef isc_result_t (*dns_sdlzallnodesfunc_t)(const char *zone,
+					       void *driverarg, void *dbdata,
+					       dns_sdlzallnodes_t *allnodes);
+/*%<
+ * Method prototype.  Drivers implementing the SDLZ interface may
+ * supply an all nodes method.  This method is called when the DNS
+ * server is performing a zone transfer query, after the allow zone
+ * transfer method has been called.  This method is only called if the
+ * allow zone transfer method returned ISC_R_SUCCESS.  This method and
+ * the allow zone transfer method are both required for zone transfers
+ * to be supported.  If the driver generates data dynamically (instead
+ * of searching in a database for it) it should not implement this
+ * function as a zone transfer would be meaningless.  A SDLZ driver
+ * does not have to implement an all nodes method.
+ */
+
+typedef isc_result_t (*dns_sdlzallowzonexfr_t)(void *driverarg, void *dbdata,
+					       const char *name,
+					       const char *client);
+
+/*%<
+ * Method prototype.  Drivers implementing the SDLZ interface may
+ * supply an allow zone transfer method.  This method is called when
+ * the DNS server is performing a zone transfer query, before the all
+ * nodes method can be called.  This method and the all node method
+ * are both required for zone transfers to be supported.  If the
+ * driver generates data dynamically (instead of searching in a
+ * database for it) it should not implement this function as a zone
+ * transfer would be meaningless.  A SDLZ driver does not have to
+ * implement an allow zone transfer method.
+ *
+ * This method should return ISC_R_SUCCESS if the zone is supported by
+ * the database and a zone transfer is allowed for the specified
+ * client.  If the zone is supported by the database, but zone
+ * transfers are not allowed for the specified client this method
+ * should return ISC_R_NOPERM..  Lastly the method should return
+ * ISC_R_NOTFOUND if the zone is not supported by the database.  If an
+ * error occurs it should return a result code indicating the type of
+ * error.
+ */
+
+typedef isc_result_t (*dns_sdlzauthorityfunc_t)(const char *zone,
+						void *driverarg, void *dbdata,
+						dns_sdlzlookup_t *lookup);
+
+/*%<
+ * Method prototype.  Drivers implementing the SDLZ interface may
+ * supply an authority method.  This method is called when the DNS
+ * server is performing a query, after both the find zone and lookup
+ * methods have been called.  This method is required if the lookup
+ * function does not supply authority information for the dns
+ * record. A SDLZ driver does not have to implement an authority
+ * method.
+ */
+
+typedef isc_result_t (*dns_sdlzcreate_t)(const char *dlzname, unsigned int argc,
+					 char *argv[], void *driverarg,
+					 void **dbdata);
+
+/*%<
+ * Method prototype.  Drivers implementing the SDLZ interface may
+ * supply a create method.  This method is called when the DNS server
+ * is starting up and creating drivers for use later. A SDLZ driver
+ * does not have to implement a create method.
+ */
+
+typedef void (*dns_sdlzdestroy_t)(void *driverarg, void *dbdata);
+
+/*%<
+ * Method prototype.  Drivers implementing the SDLZ interface may
+ * supply a destroy method.  This method is called when the DNS server
+ * is shutting down and no longer needs the driver.  A SDLZ driver does
+ * not have to implement a destroy method.
+ */
+
+typedef isc_result_t (*dns_sdlzfindzone_t)(void *driverarg, void *dbdata,
+					   const char		   *name,
+					   dns_clientinfomethods_t *methods,
+					   dns_clientinfo_t	   *clientinfo);
+/*%<
+ * Method prototype.  Drivers implementing the SDLZ interface MUST
+ * supply a find zone method.  This method is called when the DNS
+ * server is performing a query to to determine if 'name' is a
+ * supported dns zone.  The find zone method will be called with the
+ * longest possible name first, and continue to be called with
+ * successively shorter domain names, until any of the following
+ * occur:
+ *
+ * \li	1) the function returns (ISC_R_SUCCESS) indicating a zone name
+ *	   match.
+ *
+ * \li	2) a problem occurs, and the functions returns anything other than
+ *	   (ISC_R_NOTFOUND)
+ *
+ * \li	3) we run out of domain name labels. I.E. we have tried the
+ *	   shortest domain name
+ *
+ * \li	4) the number of labels in the domain name is less than min_labels
+ *	   for dns_dlzfindzone
+ *
+ * The driver's find zone method should return ISC_R_SUCCESS if the
+ * zone is supported by the database.  Otherwise it should return
+ * ISC_R_NOTFOUND, if the zone is not supported.  If an error occurs
+ * it should return a result code indicating the type of error.
+ */
+
+typedef isc_result_t (*dns_sdlzlookupfunc_t)(const char *zone, const char *name,
+					     void *driverarg, void *dbdata,
+					     dns_sdlzlookup_t	     *lookup,
+					     dns_clientinfomethods_t *methods,
+					     dns_clientinfo_t *clientinfo);
+
+/*%<
+ * Method prototype.  Drivers implementing the SDLZ interface MUST
+ * supply a lookup method.  This method is called when the
+ * DNS server is performing a query, after the find zone and before any
+ * other methods have been called.  This function returns DNS record
+ * information using the dns_sdlz_putrr and dns_sdlz_putsoa functions.
+ * If this function supplies authority information for the DNS record
+ * the authority method is not required.  If it does not, the
+ * authority function is required.
+ *
+ * The 'methods' and 'clientinfo' args allow an SDLZ driver to retrieve
+ * information about the querying client (such as source IP address)
+ * from the caller.
+ */
+
+typedef isc_result_t (*dns_sdlznewversion_t)(const char *zone, void *driverarg,
+					     void *dbdata, void **versionp);
+/*%<
+ * Method prototype.  Drivers implementing the SDLZ interface may
+ * supply a newversion method.  This method is called to start a
+ * write transaction on a zone and should only be implemented by
+ * writeable backends.
+ * When implemented, the driver should create a new transaction, and
+ * fill *versionp with a pointer to the transaction state. The
+ * closeversion function will be called to close the transaction.
+ */
+
+typedef void (*dns_sdlzcloseversion_t)(const char *zone, bool commit,
+				       void *driverarg, void *dbdata,
+				       void **versionp);
+/*%<
+ * Method prototype.  Drivers implementing the SDLZ interface must
+ * supply a closeversion method if they supply a newversion method.
+ * When implemented, the driver should close the given transaction,
+ * committing changes if 'commit' is true. If 'commit' is not true
+ * then all changes should be discarded and the database rolled back.
+ * If the call is successful then *versionp should be set to NULL
+ */
+
+typedef isc_result_t (*dns_sdlzconfigure_t)(dns_view_t	*view,
+					    dns_dlzdb_t *dlzdb, void *driverarg,
+					    void *dbdata);
+/*%<
+ * Method prototype.  Drivers implementing the SDLZ interface may
+ * supply a configure method. When supplied, it will be called
+ * immediately after the create method to give the driver a chance
+ * to configure writeable zones
+ */
+
+typedef bool (*dns_sdlzssumatch_t)(const char *signer, const char *name,
+				   const char *tcpaddr, const char *type,
+				   const char *key, uint32_t keydatalen,
+				   unsigned char *keydata, void *driverarg,
+				   void *dbdata);
+
+/*%<
+ * Method prototype.  Drivers implementing the SDLZ interface may
+ * supply a ssumatch method. If supplied, then ssumatch will be
+ * called to authorize any zone updates. The driver should return
+ * true to allow the update, and false to deny it. For a DLZ
+ * controlled zone, this is the only access control on updates.
+ */
+
+typedef isc_result_t (*dns_sdlzmodrdataset_t)(const char *name,
+					      const char *rdatastr,
+					      void *driverarg, void *dbdata,
+					      void *version);
+/*%<
+ * Method prototype.  Drivers implementing the SDLZ interface may
+ * supply addrdataset and subtractrdataset methods. If supplied, then these
+ * will be called when rdatasets are added/subtracted during
+ * updates. The version parameter comes from a call to the sdlz
+ * newversion() method from the driver. The rdataset parameter is a
+ * linearise string representation of the rdataset change. The format
+ * is the same as used by dig when displaying records. The fields are
+ * tab delimited.
+ */
+
+typedef isc_result_t (*dns_sdlzdelrdataset_t)(const char *name,
+					      const char *type, void *driverarg,
+					      void *dbdata, void *version);
+/*%<
+ * Method prototype.  Drivers implementing the SDLZ interface may
+ * supply a delrdataset method. If supplied, then this
+ * function will be called when rdatasets are deleted during
+ * updates. The call should remove all rdatasets of the given type for
+ * the specified name.
+ */
+
+typedef struct dns_sdlzmethods {
+	dns_sdlzcreate_t	create;
+	dns_sdlzdestroy_t	destroy;
+	dns_sdlzfindzone_t	findzone;
+	dns_sdlzlookupfunc_t	lookup;
+	dns_sdlzauthorityfunc_t authority;
+	dns_sdlzallnodesfunc_t	allnodes;
+	dns_sdlzallowzonexfr_t	allowzonexfr;
+	dns_sdlznewversion_t	newversion;
+	dns_sdlzcloseversion_t	closeversion;
+	dns_sdlzconfigure_t	configure;
+	dns_sdlzssumatch_t	ssumatch;
+	dns_sdlzmodrdataset_t	addrdataset;
+	dns_sdlzmodrdataset_t	subtractrdataset;
+	dns_sdlzdelrdataset_t	delrdataset;
+} dns_sdlzmethods_t;
+
+isc_result_t
+dns_sdlzregister(const char *drivername, const dns_sdlzmethods_t *methods,
+		 void *driverarg, unsigned int flags, isc_mem_t *mctx,
+		 dns_sdlzimplementation_t **sdlzimp);
+/*%<
+ * Register a dynamically loadable zones (dlz) driver for the database
+ * type 'drivername', implemented by the functions in '*methods'.
+ *
+ * sdlzimp must point to a NULL dns_sdlzimplementation_t pointer.
+ * That is, sdlzimp != NULL && *sdlzimp == NULL.  It will be assigned
+ * a value that will later be used to identify the driver when
+ * deregistering it.
+ */
+
+void
+dns_sdlzunregister(dns_sdlzimplementation_t **sdlzimp);
+
+/*%<
+ * Removes the sdlz driver from the list of registered sdlz drivers.
+ * There must be no active sdlz drivers of this type when this
+ * function is called.
+ */
+
+typedef isc_result_t
+dns_sdlz_putnamedrr_t(dns_sdlzallnodes_t *allnodes, const char *name,
+		      const char *type, dns_ttl_t ttl, const char *data);
+dns_sdlz_putnamedrr_t dns_sdlz_putnamedrr;
+
+/*%<
+ * Add a single resource record to the allnodes structure to be later
+ * parsed into a zone transfer response.
+ */
+
+typedef isc_result_t
+dns_sdlz_putrr_t(dns_sdlzlookup_t *lookup, const char *type, dns_ttl_t ttl,
+		 const char *data);
+dns_sdlz_putrr_t dns_sdlz_putrr;
+/*%<
+ * Add a single resource record to the lookup structure to be later
+ * parsed into a query response.
+ */
+
+typedef isc_result_t
+		  dns_sdlz_putsoa_t(dns_sdlzlookup_t *lookup, const char *mname,
+				    const char *rname, uint32_t serial);
+dns_sdlz_putsoa_t dns_sdlz_putsoa;
+/*%<
+ * This function may optionally be called from the 'authority'
+ * callback to simplify construction of the SOA record for 'zone'.  It
+ * will provide a SOA listing 'mname' as as the master server and
+ * 'rname' as the responsible person mailbox.  It is the
+ * responsibility of the driver to increment the serial number between
+ * responses if necessary.  All other SOA fields will have reasonable
+ * default values.
+ */
+
+typedef isc_result_t
+dns_sdlz_setdb_t(dns_dlzdb_t *dlzdatabase, dns_rdataclass_t rdclass,
+		 const dns_name_t *name, dns_db_t **dbp);
+dns_sdlz_setdb_t dns_sdlz_setdb;
+/*%<
+ * Create the database pointers for a writeable SDLZ zone
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* SDLZ_H */
diff --git a/lib/dns/include/dns/secalg.h b/lib/dns/include/dns/secalg.h
new file mode 100644
index 0000000..6ca61cb
--- /dev/null
+++ b/lib/dns/include/dns/secalg.h
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_SECALG_H
+#define DNS_SECALG_H 1
+
+/*! \file dns/secalg.h */
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_secalg_fromtext(dns_secalg_t *secalgp, isc_textregion_t *source);
+/*%<
+ * Convert the text 'source' refers to into a DNSSEC security algorithm value.
+ * The text may contain either a mnemonic algorithm name or a decimal algorithm
+ * number.
+ *
+ * Requires:
+ *\li	'secalgp' is a valid pointer.
+ *
+ *\li	'source' is a valid text region.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS			on success
+ *\li	ISC_R_RANGE			numeric type is out of range
+ *\li	DNS_R_UNKNOWN			mnemonic type is unknown
+ */
+
+isc_result_t
+dns_secalg_totext(dns_secalg_t secalg, isc_buffer_t *target);
+/*%<
+ * Put a textual representation of the DNSSEC security algorithm 'secalg'
+ * into 'target'.
+ *
+ * Requires:
+ *\li	'secalg' is a valid secalg.
+ *
+ *\li	'target' is a valid text buffer.
+ *
+ * Ensures,
+ *	if the result is success:
+ *\li		The used space in 'target' is updated.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS			on success
+ *\li	ISC_R_NOSPACE			target buffer is too small
+ */
+
+#define DNS_SECALG_FORMATSIZE 20
+void
+dns_secalg_format(dns_secalg_t alg, char *cp, unsigned int size);
+/*%<
+ * Wrapper for dns_secalg_totext(), writing text into 'cp'
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_SECALG_H */
diff --git a/lib/dns/include/dns/secproto.h b/lib/dns/include/dns/secproto.h
new file mode 100644
index 0000000..7eccfab
--- /dev/null
+++ b/lib/dns/include/dns/secproto.h
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_SECPROTO_H
+#define DNS_SECPROTO_H 1
+
+/*! \file dns/secproto.h */
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_secproto_fromtext(dns_secproto_t *secprotop, isc_textregion_t *source);
+/*%<
+ * Convert the text 'source' refers to into a DNSSEC security protocol value.
+ * The text may contain either a mnemonic protocol name or a decimal protocol
+ * number.
+ *
+ * Requires:
+ *\li	'secprotop' is a valid pointer.
+ *
+ *\li	'source' is a valid text region.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS			on success
+ *\li	ISC_R_RANGE			numeric type is out of range
+ *\li	DNS_R_UNKNOWN			mnemonic type is unknown
+ */
+
+isc_result_t
+dns_secproto_totext(dns_secproto_t secproto, isc_buffer_t *target);
+/*%<
+ * Put a textual representation of the DNSSEC security protocol 'secproto'
+ * into 'target'.
+ *
+ * Requires:
+ *\li	'secproto' is a valid secproto.
+ *
+ *\li	'target' is a valid text buffer.
+ *
+ * Ensures,
+ *	if the result is success:
+ *	\li	The used space in 'target' is updated.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS			on success
+ *\li	ISC_R_NOSPACE			target buffer is too small
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_SECPROTO_H */
diff --git a/lib/dns/include/dns/soa.h b/lib/dns/include/dns/soa.h
new file mode 100644
index 0000000..a80a132
--- /dev/null
+++ b/lib/dns/include/dns/soa.h
@@ -0,0 +1,96 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_SOA_H
+#define DNS_SOA_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file dns/soa.h
+ * \brief
+ * SOA utilities.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <inttypes.h>
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+#define DNS_SOA_BUFFERSIZE ((2 * DNS_NAME_MAXWIRE) + (4 * 5))
+
+isc_result_t
+dns_soa_buildrdata(const dns_name_t *origin, const dns_name_t *contact,
+		   dns_rdataclass_t rdclass, uint32_t serial, uint32_t refresh,
+		   uint32_t retry, uint32_t expire, uint32_t minimum,
+		   unsigned char *buffer, dns_rdata_t *rdata);
+/*%<
+ * Build the rdata of an SOA record.
+ *
+ * Requires:
+ *\li   buffer  Points to a temporary buffer of at least
+ *              DNS_SOA_BUFFERSIZE bytes.
+ *\li   rdata   Points to an initialized dns_rdata_t.
+ *
+ * Ensures:
+ *  \li    *rdata       Contains a valid SOA rdata.  The 'data' member
+ *  			refers to 'buffer'.
+ */
+
+uint32_t
+dns_soa_getserial(dns_rdata_t *rdata);
+uint32_t
+dns_soa_getrefresh(dns_rdata_t *rdata);
+uint32_t
+dns_soa_getretry(dns_rdata_t *rdata);
+uint32_t
+dns_soa_getexpire(dns_rdata_t *rdata);
+uint32_t
+dns_soa_getminimum(dns_rdata_t *rdata);
+/*
+ * Extract an integer field from the rdata of a SOA record.
+ *
+ * Requires:
+ *	rdata refers to the rdata of a well-formed SOA record.
+ */
+
+void
+dns_soa_setserial(uint32_t val, dns_rdata_t *rdata);
+void
+dns_soa_setrefresh(uint32_t val, dns_rdata_t *rdata);
+void
+dns_soa_setretry(uint32_t val, dns_rdata_t *rdata);
+void
+dns_soa_setexpire(uint32_t val, dns_rdata_t *rdata);
+void
+dns_soa_setminimum(uint32_t val, dns_rdata_t *rdata);
+/*
+ * Change an integer field of a SOA record by modifying the
+ * rdata in-place.
+ *
+ * Requires:
+ *	rdata refers to the rdata of a well-formed SOA record.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_SOA_H */
diff --git a/lib/dns/include/dns/ssu.h b/lib/dns/include/dns/ssu.h
new file mode 100644
index 0000000..11d40f3
--- /dev/null
+++ b/lib/dns/include/dns/ssu.h
@@ -0,0 +1,243 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_SSU_H
+#define DNS_SSU_H 1
+
+/*! \file dns/ssu.h */
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+
+#include <dns/acl.h>
+#include <dns/types.h>
+
+#include <dst/dst.h>
+
+ISC_LANG_BEGINDECLS
+
+typedef enum {
+	dns_ssumatchtype_name = 0,
+	dns_ssumatchtype_subdomain = 1,
+	dns_ssumatchtype_wildcard = 2,
+	dns_ssumatchtype_self = 3,
+	dns_ssumatchtype_selfsub = 4,
+	dns_ssumatchtype_selfwild = 5,
+	dns_ssumatchtype_selfkrb5 = 6,
+	dns_ssumatchtype_selfms = 7,
+	dns_ssumatchtype_subdomainms = 8,
+	dns_ssumatchtype_subdomainkrb5 = 9,
+	dns_ssumatchtype_tcpself = 10,
+	dns_ssumatchtype_6to4self = 11,
+	dns_ssumatchtype_external = 12,
+	dns_ssumatchtype_local = 13,
+	dns_ssumatchtype_selfsubms = 14,
+	dns_ssumatchtype_selfsubkrb5 = 15,
+	dns_ssumatchtype_max = 15, /* max value */
+
+	dns_ssumatchtype_dlz = 16 /* intentionally higher than _max */
+} dns_ssumatchtype_t;
+
+isc_result_t
+dns_ssutable_create(isc_mem_t *mctx, dns_ssutable_t **table);
+/*%<
+ *	Creates a table that will be used to store simple-secure-update rules.
+ *	Note: all locking must be provided by the client.
+ *
+ *	Requires:
+ *\li		'mctx' is a valid memory context
+ *\li		'table' is not NULL, and '*table' is NULL
+ *
+ *	Returns:
+ *\li		ISC_R_SUCCESS
+ *\li		ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_ssutable_createdlz(isc_mem_t *mctx, dns_ssutable_t **tablep,
+		       dns_dlzdb_t *dlzdatabase);
+/*%<
+ * Create an SSU table that contains a dlzdatabase pointer, and a
+ * single rule with matchtype dns_ssumatchtype_dlz. This type of SSU
+ * table is used by writeable DLZ drivers to offload authorization for
+ * updates to the driver.
+ */
+
+void
+dns_ssutable_attach(dns_ssutable_t *source, dns_ssutable_t **targetp);
+/*%<
+ *	Attach '*targetp' to 'source'.
+ *
+ *	Requires:
+ *\li		'source' is a valid SSU table
+ *\li		'targetp' points to a NULL dns_ssutable_t *.
+ *
+ *	Ensures:
+ *\li		*targetp is attached to source.
+ */
+
+void
+dns_ssutable_detach(dns_ssutable_t **tablep);
+/*%<
+ *	Detach '*tablep' from its simple-secure-update rule table.
+ *
+ *	Requires:
+ *\li		'tablep' points to a valid dns_ssutable_t
+ *
+ *	Ensures:
+ *\li		*tablep is NULL
+ *\li		If '*tablep' is the last reference to the SSU table, all
+ *			resources used by the table will be freed.
+ */
+
+isc_result_t
+dns_ssutable_addrule(dns_ssutable_t *table, bool grant,
+		     const dns_name_t *identity, dns_ssumatchtype_t matchtype,
+		     const dns_name_t *name, unsigned int ntypes,
+		     dns_rdatatype_t *types);
+/*%<
+ *	Adds a new rule to a simple-secure-update rule table.  The rule
+ *	either grants or denies update privileges of an identity (or set of
+ *	identities) to modify a name (or set of names) or certain types present
+ *	at that name.
+ *
+ *	Notes:
+ *\li		If 'matchtype' is of SELF type, this rule only matches if the
+ *              name to be updated matches the signing identity.
+ *
+ *\li		If 'ntypes' is 0, this rule applies to all types except
+ *		NS, SOA, RRSIG, and NSEC.
+ *
+ *\li		If 'types' includes ANY, this rule applies to all types
+ *		except NSEC.
+ *
+ *	Requires:
+ *\li		'table' is a valid SSU table
+ *\li		'identity' is a valid absolute name
+ *\li		'matchtype' must be one of the defined constants.
+ *\li		'name' is a valid absolute name
+ *\li		If 'ntypes' > 0, 'types' must not be NULL
+ *
+ *	Returns:
+ *\li		ISC_R_SUCCESS
+ *\li		ISC_R_NOMEMORY
+ */
+
+bool
+dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer,
+			const dns_name_t *name, const isc_netaddr_t *addr,
+			bool tcp, const dns_aclenv_t *env, dns_rdatatype_t type,
+			const dst_key_t *key);
+/*%<
+ *	Checks that the attempted update of (name, type) is allowed according
+ *	to the rules specified in the simple-secure-update rule table.  If
+ *	no rules are matched, access is denied.
+ *
+ *	Notes:
+ *		In dns_ssutable_checkrules(), 'addr' should only be
+ *		set if the request received via TCP.  This provides a
+ *		weak assurance that the request was not spoofed.
+ *		'addr' is to to validate dns_ssumatchtype_tcpself
+ *		and dns_ssumatchtype_6to4self rules.
+ *
+ *		In dns_ssutable_checkrules2(), 'addr' can also be passed for
+ *		UDP requests and TCP is specified via the 'tcp' parameter.
+ *		In addition to dns_ssumatchtype_tcpself and
+ *		tcp_ssumatchtype_6to4self  rules, the address
+ *		also be used to check dns_ssumatchtype_local rules.
+ *		If 'addr' is set then 'env' must also be set so that
+ *		requests from non-localhost addresses can be rejected.
+ *
+ *		For dns_ssumatchtype_tcpself the addresses are mapped to
+ *		the standard reverse names under IN-ADDR.ARPA and IP6.ARPA.
+ *		RFC 1035, Section 3.5, "IN-ADDR.ARPA domain" and RFC 3596,
+ *		Section 2.5, "IP6.ARPA Domain".
+ *
+ *		For dns_ssumatchtype_6to4self, IPv4 address are converted
+ *		to a 6to4 prefix (48 bits) per the rules in RFC 3056.  Only
+ *		the top	48 bits of the IPv6 address are mapped to the reverse
+ *		name. This is independent of whether the most significant 16
+ *		bits match 2002::/16, assigned for 6to4 prefixes, or not.
+ *
+ *	Requires:
+ *\li		'table' is a valid SSU table
+ *\li		'signer' is NULL or a valid absolute name
+ *\li		'addr' is NULL or a valid network address.
+ *\li		'aclenv' is NULL or a valid ACL environment.
+ *\li		'name' is a valid absolute name
+ *\li		if 'addr' is not NULL, 'env' is not NULL.
+ */
+
+/*% Accessor functions to extract rule components */
+bool
+dns_ssurule_isgrant(const dns_ssurule_t *rule);
+/*% Accessor functions to extract rule components */
+dns_name_t *
+dns_ssurule_identity(const dns_ssurule_t *rule);
+/*% Accessor functions to extract rule components */
+unsigned int
+dns_ssurule_matchtype(const dns_ssurule_t *rule);
+/*% Accessor functions to extract rule components */
+dns_name_t *
+dns_ssurule_name(const dns_ssurule_t *rule);
+/*% Accessor functions to extract rule components */
+unsigned int
+dns_ssurule_types(const dns_ssurule_t *rule, dns_rdatatype_t **types);
+
+isc_result_t
+dns_ssutable_firstrule(const dns_ssutable_t *table, dns_ssurule_t **rule);
+/*%<
+ * Initiates a rule iterator.  There is no need to maintain any state.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMORE
+ */
+
+isc_result_t
+dns_ssutable_nextrule(dns_ssurule_t *rule, dns_ssurule_t **nextrule);
+/*%<
+ * Returns the next rule in the table.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMORE
+ */
+
+bool
+dns_ssu_external_match(const dns_name_t *identity, const dns_name_t *signer,
+		       const dns_name_t *name, const isc_netaddr_t *tcpaddr,
+		       dns_rdatatype_t type, const dst_key_t *key,
+		       isc_mem_t *mctx);
+/*%<
+ * Check a policy rule via an external application
+ */
+
+isc_result_t
+dns_ssu_mtypefromstring(const char *str, dns_ssumatchtype_t *mtype);
+/*%<
+ * Set 'mtype' from 'str'
+ *
+ * Requires:
+ *\li		'str' is not NULL.
+ *\li		'mtype' is not NULL,
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOTFOUND
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_SSU_H */
diff --git a/lib/dns/include/dns/stats.h b/lib/dns/include/dns/stats.h
new file mode 100644
index 0000000..fd1697e
--- /dev/null
+++ b/lib/dns/include/dns/stats.h
@@ -0,0 +1,826 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_STATS_H
+#define DNS_STATS_H 1
+
+/*! \file dns/stats.h */
+
+#include <inttypes.h>
+
+#include <dns/types.h>
+
+/*%
+ * Statistics counters.  Used as isc_statscounter_t values.
+ */
+enum {
+	/*%
+	 * Resolver statistics counters.
+	 */
+	dns_resstatscounter_queryv4 = 0,
+	dns_resstatscounter_queryv6 = 1,
+	dns_resstatscounter_responsev4 = 2,
+	dns_resstatscounter_responsev6 = 3,
+	dns_resstatscounter_nxdomain = 4,
+	dns_resstatscounter_servfail = 5,
+	dns_resstatscounter_formerr = 6,
+	dns_resstatscounter_othererror = 7,
+	dns_resstatscounter_edns0fail = 8,
+	dns_resstatscounter_mismatch = 9,
+	dns_resstatscounter_truncated = 10,
+	dns_resstatscounter_lame = 11,
+	dns_resstatscounter_retry = 12,
+	dns_resstatscounter_gluefetchv4 = 13,
+	dns_resstatscounter_gluefetchv6 = 14,
+	dns_resstatscounter_gluefetchv4fail = 15,
+	dns_resstatscounter_gluefetchv6fail = 16,
+	dns_resstatscounter_val = 17,
+	dns_resstatscounter_valsuccess = 18,
+	dns_resstatscounter_valnegsuccess = 19,
+	dns_resstatscounter_valfail = 20,
+	dns_resstatscounter_dispabort = 21,
+	dns_resstatscounter_dispsockfail = 22,
+	dns_resstatscounter_querytimeout = 23,
+	dns_resstatscounter_queryrtt0 = 24,
+	dns_resstatscounter_queryrtt1 = 25,
+	dns_resstatscounter_queryrtt2 = 26,
+	dns_resstatscounter_queryrtt3 = 27,
+	dns_resstatscounter_queryrtt4 = 28,
+	dns_resstatscounter_queryrtt5 = 29,
+	dns_resstatscounter_nfetch = 30,
+	dns_resstatscounter_disprequdp = 31,
+	dns_resstatscounter_dispreqtcp = 32,
+	dns_resstatscounter_buckets = 33,
+	dns_resstatscounter_refused = 34,
+	dns_resstatscounter_cookienew = 35,
+	dns_resstatscounter_cookieout = 36,
+	dns_resstatscounter_cookiein = 37,
+	dns_resstatscounter_cookieok = 38,
+	dns_resstatscounter_badvers = 39,
+	dns_resstatscounter_badcookie = 40,
+	dns_resstatscounter_zonequota = 41,
+	dns_resstatscounter_serverquota = 42,
+	dns_resstatscounter_nextitem = 43,
+	dns_resstatscounter_priming = 44,
+	dns_resstatscounter_max = 45,
+
+	/*
+	 * DNSSEC stats.
+	 */
+	dns_dnssecstats_asis = 0,
+	dns_dnssecstats_downcase = 1,
+	dns_dnssecstats_wildcard = 2,
+	dns_dnssecstats_fail = 3,
+
+	dns_dnssecstats_max = 4,
+
+	/*%
+	 * Zone statistics counters.
+	 */
+	dns_zonestatscounter_notifyoutv4 = 0,
+	dns_zonestatscounter_notifyoutv6 = 1,
+	dns_zonestatscounter_notifyinv4 = 2,
+	dns_zonestatscounter_notifyinv6 = 3,
+	dns_zonestatscounter_notifyrej = 4,
+	dns_zonestatscounter_soaoutv4 = 5,
+	dns_zonestatscounter_soaoutv6 = 6,
+	dns_zonestatscounter_axfrreqv4 = 7,
+	dns_zonestatscounter_axfrreqv6 = 8,
+	dns_zonestatscounter_ixfrreqv4 = 9,
+	dns_zonestatscounter_ixfrreqv6 = 10,
+	dns_zonestatscounter_xfrsuccess = 11,
+	dns_zonestatscounter_xfrfail = 12,
+
+	dns_zonestatscounter_max = 13,
+
+	/*
+	 * Adb statistics values.
+	 */
+	dns_adbstats_nentries = 0,
+	dns_adbstats_entriescnt = 1,
+	dns_adbstats_nnames = 2,
+	dns_adbstats_namescnt = 3,
+
+	dns_adbstats_max = 4,
+
+	/*
+	 * Cache statistics values.
+	 */
+	dns_cachestatscounter_hits = 1,
+	dns_cachestatscounter_misses = 2,
+	dns_cachestatscounter_queryhits = 3,
+	dns_cachestatscounter_querymisses = 4,
+	dns_cachestatscounter_deletelru = 5,
+	dns_cachestatscounter_deletettl = 6,
+
+	dns_cachestatscounter_max = 7,
+
+	/*%
+	 * Query statistics counters (obsolete).
+	 */
+	dns_statscounter_success = 0,	/*%< Successful lookup */
+	dns_statscounter_referral = 1,	/*%< Referral result */
+	dns_statscounter_nxrrset = 2,	/*%< NXRRSET result */
+	dns_statscounter_nxdomain = 3,	/*%< NXDOMAIN result */
+	dns_statscounter_recursion = 4, /*%< Recursion was used */
+	dns_statscounter_failure = 5,	/*%< Some other failure */
+	dns_statscounter_duplicate = 6, /*%< Duplicate query */
+	dns_statscounter_dropped = 7,	/*%< Duplicate query (dropped) */
+
+	/*%
+	 * DNSTAP statistics counters.
+	 */
+	dns_dnstapcounter_success = 0,
+	dns_dnstapcounter_drop = 1,
+	dns_dnstapcounter_max = 2,
+
+	/*
+	 * Glue cache statistics counters.
+	 */
+	dns_gluecachestatscounter_hits_present = 0,
+	dns_gluecachestatscounter_hits_absent = 1,
+	dns_gluecachestatscounter_inserts_present = 2,
+	dns_gluecachestatscounter_inserts_absent = 3,
+
+	dns_gluecachestatscounter_max = 4,
+};
+
+/*%
+ * Traffic size statistics counters. Used as isc_statscounter_t values.
+ */
+enum {
+	dns_sizecounter_in_0 = 0,
+	dns_sizecounter_in_16 = 1,
+	dns_sizecounter_in_32 = 2,
+	dns_sizecounter_in_48 = 3,
+	dns_sizecounter_in_64 = 4,
+	dns_sizecounter_in_80 = 5,
+	dns_sizecounter_in_96 = 6,
+	dns_sizecounter_in_112 = 7,
+	dns_sizecounter_in_128 = 8,
+	dns_sizecounter_in_144 = 9,
+	dns_sizecounter_in_160 = 10,
+	dns_sizecounter_in_176 = 11,
+	dns_sizecounter_in_192 = 12,
+	dns_sizecounter_in_208 = 13,
+	dns_sizecounter_in_224 = 14,
+	dns_sizecounter_in_240 = 15,
+	dns_sizecounter_in_256 = 16,
+	dns_sizecounter_in_272 = 17,
+	dns_sizecounter_in_288 = 18,
+
+	dns_sizecounter_in_max = 19,
+};
+
+enum {
+	dns_sizecounter_out_0 = 0,
+	dns_sizecounter_out_16 = 1,
+	dns_sizecounter_out_32 = 2,
+	dns_sizecounter_out_48 = 3,
+	dns_sizecounter_out_64 = 4,
+	dns_sizecounter_out_80 = 5,
+	dns_sizecounter_out_96 = 6,
+	dns_sizecounter_out_112 = 7,
+	dns_sizecounter_out_128 = 8,
+	dns_sizecounter_out_144 = 9,
+	dns_sizecounter_out_160 = 10,
+	dns_sizecounter_out_176 = 11,
+	dns_sizecounter_out_192 = 12,
+	dns_sizecounter_out_208 = 13,
+	dns_sizecounter_out_224 = 14,
+	dns_sizecounter_out_240 = 15,
+	dns_sizecounter_out_256 = 16,
+	dns_sizecounter_out_272 = 17,
+	dns_sizecounter_out_288 = 18,
+	dns_sizecounter_out_304 = 19,
+	dns_sizecounter_out_320 = 20,
+	dns_sizecounter_out_336 = 21,
+	dns_sizecounter_out_352 = 22,
+	dns_sizecounter_out_368 = 23,
+	dns_sizecounter_out_384 = 24,
+	dns_sizecounter_out_400 = 25,
+	dns_sizecounter_out_416 = 26,
+	dns_sizecounter_out_432 = 27,
+	dns_sizecounter_out_448 = 28,
+	dns_sizecounter_out_464 = 29,
+	dns_sizecounter_out_480 = 30,
+	dns_sizecounter_out_496 = 31,
+	dns_sizecounter_out_512 = 32,
+	dns_sizecounter_out_528 = 33,
+	dns_sizecounter_out_544 = 34,
+	dns_sizecounter_out_560 = 35,
+	dns_sizecounter_out_576 = 36,
+	dns_sizecounter_out_592 = 37,
+	dns_sizecounter_out_608 = 38,
+	dns_sizecounter_out_624 = 39,
+	dns_sizecounter_out_640 = 40,
+	dns_sizecounter_out_656 = 41,
+	dns_sizecounter_out_672 = 42,
+	dns_sizecounter_out_688 = 43,
+	dns_sizecounter_out_704 = 44,
+	dns_sizecounter_out_720 = 45,
+	dns_sizecounter_out_736 = 46,
+	dns_sizecounter_out_752 = 47,
+	dns_sizecounter_out_768 = 48,
+	dns_sizecounter_out_784 = 49,
+	dns_sizecounter_out_800 = 50,
+	dns_sizecounter_out_816 = 51,
+	dns_sizecounter_out_832 = 52,
+	dns_sizecounter_out_848 = 53,
+	dns_sizecounter_out_864 = 54,
+	dns_sizecounter_out_880 = 55,
+	dns_sizecounter_out_896 = 56,
+	dns_sizecounter_out_912 = 57,
+	dns_sizecounter_out_928 = 58,
+	dns_sizecounter_out_944 = 59,
+	dns_sizecounter_out_960 = 60,
+	dns_sizecounter_out_976 = 61,
+	dns_sizecounter_out_992 = 62,
+	dns_sizecounter_out_1008 = 63,
+	dns_sizecounter_out_1024 = 64,
+	dns_sizecounter_out_1040 = 65,
+	dns_sizecounter_out_1056 = 66,
+	dns_sizecounter_out_1072 = 67,
+	dns_sizecounter_out_1088 = 68,
+	dns_sizecounter_out_1104 = 69,
+	dns_sizecounter_out_1120 = 70,
+	dns_sizecounter_out_1136 = 71,
+	dns_sizecounter_out_1152 = 72,
+	dns_sizecounter_out_1168 = 73,
+	dns_sizecounter_out_1184 = 74,
+	dns_sizecounter_out_1200 = 75,
+	dns_sizecounter_out_1216 = 76,
+	dns_sizecounter_out_1232 = 77,
+	dns_sizecounter_out_1248 = 78,
+	dns_sizecounter_out_1264 = 79,
+	dns_sizecounter_out_1280 = 80,
+	dns_sizecounter_out_1296 = 81,
+	dns_sizecounter_out_1312 = 82,
+	dns_sizecounter_out_1328 = 83,
+	dns_sizecounter_out_1344 = 84,
+	dns_sizecounter_out_1360 = 85,
+	dns_sizecounter_out_1376 = 86,
+	dns_sizecounter_out_1392 = 87,
+	dns_sizecounter_out_1408 = 88,
+	dns_sizecounter_out_1424 = 89,
+	dns_sizecounter_out_1440 = 90,
+	dns_sizecounter_out_1456 = 91,
+	dns_sizecounter_out_1472 = 92,
+	dns_sizecounter_out_1488 = 93,
+	dns_sizecounter_out_1504 = 94,
+	dns_sizecounter_out_1520 = 95,
+	dns_sizecounter_out_1536 = 96,
+	dns_sizecounter_out_1552 = 97,
+	dns_sizecounter_out_1568 = 98,
+	dns_sizecounter_out_1584 = 99,
+	dns_sizecounter_out_1600 = 100,
+	dns_sizecounter_out_1616 = 101,
+	dns_sizecounter_out_1632 = 102,
+	dns_sizecounter_out_1648 = 103,
+	dns_sizecounter_out_1664 = 104,
+	dns_sizecounter_out_1680 = 105,
+	dns_sizecounter_out_1696 = 106,
+	dns_sizecounter_out_1712 = 107,
+	dns_sizecounter_out_1728 = 108,
+	dns_sizecounter_out_1744 = 109,
+	dns_sizecounter_out_1760 = 110,
+	dns_sizecounter_out_1776 = 111,
+	dns_sizecounter_out_1792 = 112,
+	dns_sizecounter_out_1808 = 113,
+	dns_sizecounter_out_1824 = 114,
+	dns_sizecounter_out_1840 = 115,
+	dns_sizecounter_out_1856 = 116,
+	dns_sizecounter_out_1872 = 117,
+	dns_sizecounter_out_1888 = 118,
+	dns_sizecounter_out_1904 = 119,
+	dns_sizecounter_out_1920 = 120,
+	dns_sizecounter_out_1936 = 121,
+	dns_sizecounter_out_1952 = 122,
+	dns_sizecounter_out_1968 = 123,
+	dns_sizecounter_out_1984 = 124,
+	dns_sizecounter_out_2000 = 125,
+	dns_sizecounter_out_2016 = 126,
+	dns_sizecounter_out_2032 = 127,
+	dns_sizecounter_out_2048 = 128,
+	dns_sizecounter_out_2064 = 129,
+	dns_sizecounter_out_2080 = 130,
+	dns_sizecounter_out_2096 = 131,
+	dns_sizecounter_out_2112 = 132,
+	dns_sizecounter_out_2128 = 133,
+	dns_sizecounter_out_2144 = 134,
+	dns_sizecounter_out_2160 = 135,
+	dns_sizecounter_out_2176 = 136,
+	dns_sizecounter_out_2192 = 137,
+	dns_sizecounter_out_2208 = 138,
+	dns_sizecounter_out_2224 = 139,
+	dns_sizecounter_out_2240 = 140,
+	dns_sizecounter_out_2256 = 141,
+	dns_sizecounter_out_2272 = 142,
+	dns_sizecounter_out_2288 = 143,
+	dns_sizecounter_out_2304 = 144,
+	dns_sizecounter_out_2320 = 145,
+	dns_sizecounter_out_2336 = 146,
+	dns_sizecounter_out_2352 = 147,
+	dns_sizecounter_out_2368 = 148,
+	dns_sizecounter_out_2384 = 149,
+	dns_sizecounter_out_2400 = 150,
+	dns_sizecounter_out_2416 = 151,
+	dns_sizecounter_out_2432 = 152,
+	dns_sizecounter_out_2448 = 153,
+	dns_sizecounter_out_2464 = 154,
+	dns_sizecounter_out_2480 = 155,
+	dns_sizecounter_out_2496 = 156,
+	dns_sizecounter_out_2512 = 157,
+	dns_sizecounter_out_2528 = 158,
+	dns_sizecounter_out_2544 = 159,
+	dns_sizecounter_out_2560 = 160,
+	dns_sizecounter_out_2576 = 161,
+	dns_sizecounter_out_2592 = 162,
+	dns_sizecounter_out_2608 = 163,
+	dns_sizecounter_out_2624 = 164,
+	dns_sizecounter_out_2640 = 165,
+	dns_sizecounter_out_2656 = 166,
+	dns_sizecounter_out_2672 = 167,
+	dns_sizecounter_out_2688 = 168,
+	dns_sizecounter_out_2704 = 169,
+	dns_sizecounter_out_2720 = 170,
+	dns_sizecounter_out_2736 = 171,
+	dns_sizecounter_out_2752 = 172,
+	dns_sizecounter_out_2768 = 173,
+	dns_sizecounter_out_2784 = 174,
+	dns_sizecounter_out_2800 = 175,
+	dns_sizecounter_out_2816 = 176,
+	dns_sizecounter_out_2832 = 177,
+	dns_sizecounter_out_2848 = 178,
+	dns_sizecounter_out_2864 = 179,
+	dns_sizecounter_out_2880 = 180,
+	dns_sizecounter_out_2896 = 181,
+	dns_sizecounter_out_2912 = 182,
+	dns_sizecounter_out_2928 = 183,
+	dns_sizecounter_out_2944 = 184,
+	dns_sizecounter_out_2960 = 185,
+	dns_sizecounter_out_2976 = 186,
+	dns_sizecounter_out_2992 = 187,
+	dns_sizecounter_out_3008 = 188,
+	dns_sizecounter_out_3024 = 189,
+	dns_sizecounter_out_3040 = 190,
+	dns_sizecounter_out_3056 = 191,
+	dns_sizecounter_out_3072 = 192,
+	dns_sizecounter_out_3088 = 193,
+	dns_sizecounter_out_3104 = 194,
+	dns_sizecounter_out_3120 = 195,
+	dns_sizecounter_out_3136 = 196,
+	dns_sizecounter_out_3152 = 197,
+	dns_sizecounter_out_3168 = 198,
+	dns_sizecounter_out_3184 = 199,
+	dns_sizecounter_out_3200 = 200,
+	dns_sizecounter_out_3216 = 201,
+	dns_sizecounter_out_3232 = 202,
+	dns_sizecounter_out_3248 = 203,
+	dns_sizecounter_out_3264 = 204,
+	dns_sizecounter_out_3280 = 205,
+	dns_sizecounter_out_3296 = 206,
+	dns_sizecounter_out_3312 = 207,
+	dns_sizecounter_out_3328 = 208,
+	dns_sizecounter_out_3344 = 209,
+	dns_sizecounter_out_3360 = 210,
+	dns_sizecounter_out_3376 = 211,
+	dns_sizecounter_out_3392 = 212,
+	dns_sizecounter_out_3408 = 213,
+	dns_sizecounter_out_3424 = 214,
+	dns_sizecounter_out_3440 = 215,
+	dns_sizecounter_out_3456 = 216,
+	dns_sizecounter_out_3472 = 217,
+	dns_sizecounter_out_3488 = 218,
+	dns_sizecounter_out_3504 = 219,
+	dns_sizecounter_out_3520 = 220,
+	dns_sizecounter_out_3536 = 221,
+	dns_sizecounter_out_3552 = 222,
+	dns_sizecounter_out_3568 = 223,
+	dns_sizecounter_out_3584 = 224,
+	dns_sizecounter_out_3600 = 225,
+	dns_sizecounter_out_3616 = 226,
+	dns_sizecounter_out_3632 = 227,
+	dns_sizecounter_out_3648 = 228,
+	dns_sizecounter_out_3664 = 229,
+	dns_sizecounter_out_3680 = 230,
+	dns_sizecounter_out_3696 = 231,
+	dns_sizecounter_out_3712 = 232,
+	dns_sizecounter_out_3728 = 233,
+	dns_sizecounter_out_3744 = 234,
+	dns_sizecounter_out_3760 = 235,
+	dns_sizecounter_out_3776 = 236,
+	dns_sizecounter_out_3792 = 237,
+	dns_sizecounter_out_3808 = 238,
+	dns_sizecounter_out_3824 = 239,
+	dns_sizecounter_out_3840 = 240,
+	dns_sizecounter_out_3856 = 241,
+	dns_sizecounter_out_3872 = 242,
+	dns_sizecounter_out_3888 = 243,
+	dns_sizecounter_out_3904 = 244,
+	dns_sizecounter_out_3920 = 245,
+	dns_sizecounter_out_3936 = 246,
+	dns_sizecounter_out_3952 = 247,
+	dns_sizecounter_out_3968 = 248,
+	dns_sizecounter_out_3984 = 249,
+	dns_sizecounter_out_4000 = 250,
+	dns_sizecounter_out_4016 = 251,
+	dns_sizecounter_out_4032 = 252,
+	dns_sizecounter_out_4048 = 253,
+	dns_sizecounter_out_4064 = 254,
+	dns_sizecounter_out_4080 = 255,
+	dns_sizecounter_out_4096 = 256,
+
+	dns_sizecounter_out_max = 257
+};
+
+#define DNS_STATS_NCOUNTERS 8
+
+#if 0
+/*%<
+ * Flag(s) for dns_xxxstats_dump().  DNS_STATSDUMP_VERBOSE is obsolete.
+ * ISC_STATSDUMP_VERBOSE should be used instead.  These two values are
+ * intentionally defined to be the same value to ensure binary compatibility.
+ */
+#define DNS_STATSDUMP_VERBOSE 0x00000001 /*%< dump 0-value counters */
+#endif					 /* if 0 */
+
+/*%<
+ * (Obsoleted)
+ */
+LIBDNS_EXTERNAL_DATA extern const char *dns_statscounter_names[];
+
+/*%
+ * Attributes for statistics counters of RRset and Rdatatype types.
+ *
+ * _OTHERTYPE
+ *	The rdata type is not explicitly supported and the corresponding counter
+ *	is counted for other such types, too.  When this attribute is set,
+ *	the base type is of no use.
+ *
+ * _NXRRSET
+ * 	RRset type counters only.  Indicates the RRset is non existent.
+ *
+ * _NXDOMAIN
+ *	RRset type counters only.  Indicates a non existent name.  When this
+ *	attribute is set, the base type is of no use.
+ *
+ * _STALE
+ *	RRset type counters only.  This indicates a record that is stale
+ *	but may still be served.
+ *
+ * _ANCIENT
+ *	RRset type counters only.  This indicates a record that is marked for
+ *	removal.
+ */
+#define DNS_RDATASTATSTYPE_ATTR_OTHERTYPE 0x0001
+#define DNS_RDATASTATSTYPE_ATTR_NXRRSET	  0x0002
+#define DNS_RDATASTATSTYPE_ATTR_NXDOMAIN  0x0004
+#define DNS_RDATASTATSTYPE_ATTR_STALE	  0x0008
+#define DNS_RDATASTATSTYPE_ATTR_ANCIENT	  0x0010
+
+/*%<
+ * Conversion macros among dns_rdatatype_t, attributes and isc_statscounter_t.
+ */
+#define DNS_RDATASTATSTYPE_BASE(type)  ((dns_rdatatype_t)((type)&0xFFFF))
+#define DNS_RDATASTATSTYPE_ATTR(type)  ((type) >> 16)
+#define DNS_RDATASTATSTYPE_VALUE(b, a) (((a) << 16) | (b))
+
+/*%
+ * Types of DNSSEC sign statistics operations.
+ */
+typedef enum {
+	dns_dnssecsignstats_sign = 1,
+	dns_dnssecsignstats_refresh = 2
+} dnssecsignstats_type_t;
+
+/*%<
+ * Types of dump callbacks.
+ */
+typedef void (*dns_generalstats_dumper_t)(isc_statscounter_t, uint64_t, void *);
+typedef void (*dns_rdatatypestats_dumper_t)(dns_rdatastatstype_t, uint64_t,
+					    void *);
+typedef void (*dns_dnssecsignstats_dumper_t)(dns_keytag_t, uint64_t, void *);
+typedef void (*dns_opcodestats_dumper_t)(dns_opcode_t, uint64_t, void *);
+typedef void (*dns_rcodestats_dumper_t)(dns_rcode_t, uint64_t, void *);
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_generalstats_create(isc_mem_t *mctx, dns_stats_t **statsp, int ncounters);
+/*%<
+ * Create a statistics counter structure of general type.  It counts a general
+ * set of counters indexed by an ID between 0 and ncounters -1.
+ * This function is obsolete.  A more general function, isc_stats_create(),
+ * should be used.
+ *
+ * Requires:
+ *\li	'mctx' must be a valid memory context.
+ *
+ *\li	'statsp' != NULL && '*statsp' == NULL.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS	-- all ok
+ *
+ *\li	anything else	-- failure
+ */
+
+isc_result_t
+dns_rdatatypestats_create(isc_mem_t *mctx, dns_stats_t **statsp);
+/*%<
+ * Create a statistics counter structure per rdatatype.
+ *
+ * Requires:
+ *\li	'mctx' must be a valid memory context.
+ *
+ *\li	'statsp' != NULL && '*statsp' == NULL.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS	-- all ok
+ *
+ *\li	anything else	-- failure
+ */
+
+isc_result_t
+dns_rdatasetstats_create(isc_mem_t *mctx, dns_stats_t **statsp);
+/*%<
+ * Create a statistics counter structure per RRset.
+ *
+ * Requires:
+ *\li	'mctx' must be a valid memory context.
+ *
+ *\li	'statsp' != NULL && '*statsp' == NULL.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS	-- all ok
+ *
+ *\li	anything else	-- failure
+ */
+
+isc_result_t
+dns_opcodestats_create(isc_mem_t *mctx, dns_stats_t **statsp);
+/*%<
+ * Create a statistics counter structure per opcode.
+ *
+ * Requires:
+ *\li	'mctx' must be a valid memory context.
+ *
+ *\li	'statsp' != NULL && '*statsp' == NULL.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS	-- all ok
+ *
+ *\li	anything else	-- failure
+ */
+
+isc_result_t
+dns_rcodestats_create(isc_mem_t *mctx, dns_stats_t **statsp);
+/*%<
+ * Create a statistics counter structure per assigned rcode.
+ *
+ * Requires:
+ *\li	'mctx' must be a valid memory context.
+ *
+ *\li	'statsp' != NULL && '*statsp' == NULL.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS	-- all ok
+ *
+ *\li	anything else	-- failure
+ */
+
+isc_result_t
+dns_dnssecsignstats_create(isc_mem_t *mctx, dns_stats_t **statsp);
+/*%<
+ * Create a statistics counter structure per assigned DNSKEY id.
+ *
+ * Requires:
+ *\li	'mctx' must be a valid memory context.
+ *
+ *\li	'statsp' != NULL && '*statsp' == NULL.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS	-- all ok
+ *
+ *\li	anything else	-- failure
+ */
+
+void
+dns_stats_attach(dns_stats_t *stats, dns_stats_t **statsp);
+/*%<
+ * Attach to a statistics set.
+ *
+ * Requires:
+ *\li	'stats' is a valid dns_stats_t.
+ *
+ *\li	'statsp' != NULL && '*statsp' == NULL
+ */
+
+void
+dns_stats_detach(dns_stats_t **statsp);
+/*%<
+ * Detaches from the statistics set.
+ *
+ * Requires:
+ *\li	'statsp' != NULL and '*statsp' is a valid dns_stats_t.
+ */
+
+void
+dns_generalstats_increment(dns_stats_t *stats, isc_statscounter_t counter);
+/*%<
+ * Increment the counter-th counter of stats.  This function is obsolete.
+ * A more general function, isc_stats_increment(), should be used.
+ *
+ * Requires:
+ *\li	'stats' is a valid dns_stats_t created by dns_generalstats_create().
+ *
+ *\li	counter is less than the maximum available ID for the stats specified
+ *	on creation.
+ */
+
+void
+dns_rdatatypestats_increment(dns_stats_t *stats, dns_rdatatype_t type);
+/*%<
+ * Increment the statistics counter for 'type'.
+ *
+ * Requires:
+ *\li	'stats' is a valid dns_stats_t created by dns_rdatatypestats_create().
+ */
+
+void
+dns_rdatasetstats_increment(dns_stats_t *stats, dns_rdatastatstype_t rrsettype);
+/*%<
+ * Increment the statistics counter for 'rrsettype'.
+ *
+ * Note: if 'rrsettype' has the _STALE attribute set the corresponding
+ * non-stale counter will be decremented.
+ *
+ * Requires:
+ *\li	'stats' is a valid dns_stats_t created by dns_rdatasetstats_create().
+ */
+
+void
+dns_rdatasetstats_decrement(dns_stats_t *stats, dns_rdatastatstype_t rrsettype);
+/*%<
+ * Decrement the statistics counter for 'rrsettype'.
+ *
+ * Requires:
+ *\li	'stats' is a valid dns_stats_t created by dns_rdatasetstats_create().
+ */
+
+void
+dns_opcodestats_increment(dns_stats_t *stats, dns_opcode_t code);
+/*%<
+ * Increment the statistics counter for 'code'.
+ *
+ * Requires:
+ *\li	'stats' is a valid dns_stats_t created by dns_opcodestats_create().
+ */
+
+void
+dns_rcodestats_increment(dns_stats_t *stats, dns_opcode_t code);
+/*%<
+ * Increment the statistics counter for 'code'.
+ *
+ * Requires:
+ *\li	'stats' is a valid dns_stats_t created by dns_rcodestats_create().
+ */
+
+void
+dns_dnssecsignstats_increment(dns_stats_t *stats, dns_keytag_t id, uint8_t alg,
+			      dnssecsignstats_type_t operation);
+/*%<
+ * Increment the statistics counter for the DNSKEY 'id' with algorithm 'alg'.
+ * The 'operation' determines what counter is incremented.
+ *
+ * Requires:
+ *\li	'stats' is a valid dns_stats_t created by dns_dnssecsignstats_create().
+ */
+
+void
+dns_dnssecsignstats_clear(dns_stats_t *stats, dns_keytag_t id, uint8_t alg);
+/*%<
+ * Clear the statistics counter for the DNSKEY 'id' with algorithm 'alg'.
+ *
+ * Requires:
+ *\li	'stats' is a valid dns_stats_t created by dns_dnssecsignstats_create().
+ */
+
+void
+dns_generalstats_dump(dns_stats_t *stats, dns_generalstats_dumper_t dump_fn,
+		      void *arg, unsigned int options);
+/*%<
+ * Dump the current statistics counters in a specified way.  For each counter
+ * in stats, dump_fn is called with its current value and the given argument
+ * arg.  By default counters that have a value of 0 is skipped; if options has
+ * the ISC_STATSDUMP_VERBOSE flag, even such counters are dumped.
+ *
+ * This function is obsolete.  A more general function, isc_stats_dump(),
+ * should be used.
+ *
+ * Requires:
+ *\li	'stats' is a valid dns_stats_t created by dns_generalstats_create().
+ */
+
+void
+dns_rdatatypestats_dump(dns_stats_t *stats, dns_rdatatypestats_dumper_t dump_fn,
+			void *arg, unsigned int options);
+/*%<
+ * Dump the current statistics counters in a specified way.  For each counter
+ * in stats, dump_fn is called with the corresponding type in the form of
+ * dns_rdatastatstype_t, the current counter value and the given argument
+ * arg.  By default counters that have a value of 0 is skipped; if options has
+ * the ISC_STATSDUMP_VERBOSE flag, even such counters are dumped.
+ *
+ * Requires:
+ *\li	'stats' is a valid dns_stats_t created by dns_generalstats_create().
+ */
+
+void
+dns_rdatasetstats_dump(dns_stats_t *stats, dns_rdatatypestats_dumper_t dump_fn,
+		       void *arg, unsigned int options);
+/*%<
+ * Dump the current statistics counters in a specified way.  For each counter
+ * in stats, dump_fn is called with the corresponding type in the form of
+ * dns_rdatastatstype_t, the current counter value and the given argument
+ * arg.  By default counters that have a value of 0 is skipped; if options has
+ * the ISC_STATSDUMP_VERBOSE flag, even such counters are dumped.
+ *
+ * Requires:
+ *\li	'stats' is a valid dns_stats_t created by dns_generalstats_create().
+ */
+
+void
+dns_dnssecsignstats_dump(dns_stats_t *stats, dnssecsignstats_type_t operation,
+			 dns_dnssecsignstats_dumper_t dump_fn, void *arg,
+			 unsigned int options);
+/*%<
+ * Dump the current statistics counters in a specified way.  For each counter
+ * in stats, dump_fn is called with the corresponding type in the form of
+ * dns_rdatastatstype_t, the current counter value and the given argument
+ * arg.  By default counters that have a value of 0 is skipped; if options has
+ * the ISC_STATSDUMP_VERBOSE flag, even such counters are dumped.
+ *
+ * Requires:
+ *\li	'stats' is a valid dns_stats_t created by dns_generalstats_create().
+ */
+
+void
+dns_opcodestats_dump(dns_stats_t *stats, dns_opcodestats_dumper_t dump_fn,
+		     void *arg, unsigned int options);
+/*%<
+ * Dump the current statistics counters in a specified way.  For each counter
+ * in stats, dump_fn is called with the corresponding opcode, the current
+ * counter value and the given argument arg.  By default counters that have a
+ * value of 0 is skipped; if options has the ISC_STATSDUMP_VERBOSE flag, even
+ * such counters are dumped.
+ *
+ * Requires:
+ *\li	'stats' is a valid dns_stats_t created by dns_generalstats_create().
+ */
+
+void
+dns_rcodestats_dump(dns_stats_t *stats, dns_rcodestats_dumper_t dump_fn,
+		    void *arg, unsigned int options);
+/*%<
+ * Dump the current statistics counters in a specified way.  For each counter
+ * in stats, dump_fn is called with the corresponding rcode, the current
+ * counter value and the given argument arg.  By default counters that have a
+ * value of 0 is skipped; if options has the ISC_STATSDUMP_VERBOSE flag, even
+ * such counters are dumped.
+ *
+ * Requires:
+ *\li	'stats' is a valid dns_stats_t created by dns_generalstats_create().
+ */
+
+isc_result_t
+dns_stats_alloccounters(isc_mem_t *mctx, uint64_t **ctrp);
+/*%<
+ * Allocate an array of query statistics counters from the memory
+ * context 'mctx'.
+ *
+ * This function is obsoleted.  Use dns_xxxstats_create() instead.
+ */
+
+void
+dns_stats_freecounters(isc_mem_t *mctx, uint64_t **ctrp);
+/*%<
+ * Free an array of query statistics counters allocated from the memory
+ * context 'mctx'.
+ *
+ * This function is obsoleted.  Use dns_stats_destroy() instead.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_STATS_H */
diff --git a/lib/dns/include/dns/tcpmsg.h b/lib/dns/include/dns/tcpmsg.h
new file mode 100644
index 0000000..df98cd7
--- /dev/null
+++ b/lib/dns/include/dns/tcpmsg.h
@@ -0,0 +1,143 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_TCPMSG_H
+#define DNS_TCPMSG_H 1
+
+/*! \file dns/tcpmsg.h */
+
+#include <inttypes.h>
+
+#include <isc/buffer.h>
+#include <isc/lang.h>
+#include <isc/socket.h>
+
+typedef struct dns_tcpmsg {
+	/* private (don't touch!) */
+	unsigned int	 magic;
+	uint16_t	 size;
+	isc_buffer_t	 buffer;
+	unsigned int	 maxsize;
+	isc_mem_t	*mctx;
+	isc_socket_t	*sock;
+	isc_task_t	*task;
+	isc_taskaction_t action;
+	void		*arg;
+	isc_event_t	 event;
+	/* public (read-only) */
+	isc_result_t   result;
+	isc_sockaddr_t address;
+} dns_tcpmsg_t;
+
+ISC_LANG_BEGINDECLS
+
+void
+dns_tcpmsg_init(isc_mem_t *mctx, isc_socket_t *sock, dns_tcpmsg_t *tcpmsg);
+/*%<
+ * Associate a tcp message state with a given memory context and
+ * TCP socket.
+ *
+ * Requires:
+ *
+ *\li	"mctx" and "sock" be non-NULL and valid types.
+ *
+ *\li	"sock" be a read/write TCP socket.
+ *
+ *\li	"tcpmsg" be non-NULL and an uninitialized or invalidated structure.
+ *
+ * Ensures:
+ *
+ *\li	"tcpmsg" is a valid structure.
+ */
+
+void
+dns_tcpmsg_setmaxsize(dns_tcpmsg_t *tcpmsg, unsigned int maxsize);
+/*%<
+ * Set the maximum packet size to "maxsize"
+ *
+ * Requires:
+ *
+ *\li	"tcpmsg" be valid.
+ *
+ *\li	512 <= "maxsize" <= 65536
+ */
+
+isc_result_t
+dns_tcpmsg_readmessage(dns_tcpmsg_t *tcpmsg, isc_task_t *task,
+		       isc_taskaction_t action, void *arg);
+/*%<
+ * Schedule an event to be delivered when a DNS message is readable, or
+ * when an error occurs on the socket.
+ *
+ * Requires:
+ *
+ *\li	"tcpmsg" be valid.
+ *
+ *\li	"task", "taskaction", and "arg" be valid.
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS		-- no error
+ *\li	Anything that the isc_socket_recv() call can return.  XXXMLG
+ *
+ * Notes:
+ *
+ *\li	The event delivered is a fully generic event.  It will contain no
+ *	actual data.  The sender will be a pointer to the dns_tcpmsg_t.
+ *	The result code inside that structure should be checked to see
+ *	what the final result was.
+ */
+
+void
+dns_tcpmsg_cancelread(dns_tcpmsg_t *tcpmsg);
+/*%<
+ * Cancel a readmessage() call.  The event will still be posted with a
+ * CANCELED result code.
+ *
+ * Requires:
+ *
+ *\li	"tcpmsg" be valid.
+ */
+
+void
+dns_tcpmsg_keepbuffer(dns_tcpmsg_t *tcpmsg, isc_buffer_t *buffer);
+/*%<
+ * If a dns buffer is to be kept between calls, this function marks the
+ * internal state-machine buffer as invalid, and copies all the contents
+ * of the state into "buffer".
+ *
+ * Requires:
+ *
+ *\li	"tcpmsg" be valid.
+ *
+ *\li	"buffer" be non-NULL.
+ */
+
+void
+dns_tcpmsg_invalidate(dns_tcpmsg_t *tcpmsg);
+/*%<
+ * Clean up all allocated state, and invalidate the structure.
+ *
+ * Requires:
+ *
+ *\li	"tcpmsg" be valid.
+ *
+ * Ensures:
+ *
+ *\li	"tcpmsg" is invalidated and disassociated with all memory contexts,
+ *	sockets, etc.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_TCPMSG_H */
diff --git a/lib/dns/include/dns/time.h b/lib/dns/include/dns/time.h
new file mode 100644
index 0000000..62e0fa0
--- /dev/null
+++ b/lib/dns/include/dns/time.h
@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_TIME_H
+#define DNS_TIME_H 1
+
+/*! \file dns/time.h */
+
+/***
+ ***	Imports
+ ***/
+
+#include <inttypes.h>
+
+#include <isc/buffer.h>
+#include <isc/lang.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ ***	Functions
+ ***/
+
+isc_result_t
+dns_time64_fromtext(const char *source, int64_t *target);
+/*%<
+ * Convert a date and time in YYYYMMDDHHMMSS text format at 'source'
+ * into to a 64-bit count of seconds since Jan 1 1970 0:00 GMT.
+ * Store the count at 'target'.
+ */
+
+isc_result_t
+dns_time32_fromtext(const char *source, uint32_t *target);
+/*%<
+ * Like dns_time64_fromtext, but returns the second count modulo 2^32
+ * as per RFC2535.
+ */
+
+isc_result_t
+dns_time64_totext(int64_t value, isc_buffer_t *target);
+/*%<
+ * Convert a 64-bit count of seconds since Jan 1 1970 0:00 GMT into
+ * a YYYYMMDDHHMMSS text representation and append it to 'target'.
+ */
+
+isc_result_t
+dns_time32_totext(uint32_t value, isc_buffer_t *target);
+/*%<
+ * Like dns_time64_totext, but for a 32-bit cyclic time value.
+ * Of those dates whose counts of seconds since Jan 1 1970 0:00 GMT
+ * are congruent with 'value' modulo 2^32, the one closest to the
+ * current date is chosen.
+ */
+
+int64_t
+dns_time64_from32(uint32_t value);
+/*%<
+ * Covert a 32-bit cyclic time value into a 64 bit time stamp.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_TIME_H */
diff --git a/lib/dns/include/dns/timer.h b/lib/dns/include/dns/timer.h
new file mode 100644
index 0000000..96fcd3b
--- /dev/null
+++ b/lib/dns/include/dns/timer.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_TIMER_H
+#define DNS_TIMER_H 1
+
+/*! \file dns/timer.h */
+
+/***
+ ***	Imports
+ ***/
+
+#include <stdbool.h>
+
+#include <isc/buffer.h>
+#include <isc/lang.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ ***	Functions
+ ***/
+
+isc_result_t
+dns_timer_setidle(isc_timer_t *timer, unsigned int maxtime,
+		  unsigned int idletime, bool purge);
+/*%<
+ * Convenience function for setting up simple, one-second-granularity
+ * idle timers as used by zone transfers.
+ * \brief
+ * Set the timer 'timer' to go off after 'idletime' seconds of inactivity,
+ * or after 'maxtime' at the very latest.  Events are purged iff
+ * 'purge' is true.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_TIMER_H */
diff --git a/lib/dns/include/dns/tkey.h b/lib/dns/include/dns/tkey.h
new file mode 100644
index 0000000..23d95ae
--- /dev/null
+++ b/lib/dns/include/dns/tkey.h
@@ -0,0 +1,246 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_TKEY_H
+#define DNS_TKEY_H 1
+
+/*! \file dns/tkey.h */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+#include <dst/dst.h>
+#include <dst/gssapi.h>
+
+ISC_LANG_BEGINDECLS
+
+/* Key agreement modes */
+#define DNS_TKEYMODE_SERVERASSIGNED   1
+#define DNS_TKEYMODE_DIFFIEHELLMAN    2
+#define DNS_TKEYMODE_GSSAPI	      3
+#define DNS_TKEYMODE_RESOLVERASSIGNED 4
+#define DNS_TKEYMODE_DELETE	      5
+
+struct dns_tkeyctx {
+	dst_key_t	 *dhkey;
+	dns_name_t	 *domain;
+	dns_gss_cred_id_t gsscred;
+	isc_mem_t	 *mctx;
+	char		 *gssapi_keytab;
+};
+
+isc_result_t
+dns_tkeyctx_create(isc_mem_t *mctx, dns_tkeyctx_t **tctxp);
+/*%<
+ *	Create an empty TKEY context.
+ *
+ * 	Requires:
+ *\li		'mctx' is not NULL
+ *\li		'tctx' is not NULL
+ *\li		'*tctx' is NULL
+ *
+ *	Returns
+ *\li		#ISC_R_SUCCESS
+ *\li		#ISC_R_NOMEMORY
+ *\li		return codes from dns_name_fromtext()
+ */
+
+void
+dns_tkeyctx_destroy(dns_tkeyctx_t **tctxp);
+/*%<
+ *      Frees all data associated with the TKEY context
+ *
+ * 	Requires:
+ *\li		'tctx' is not NULL
+ *\li		'*tctx' is not NULL
+ */
+
+isc_result_t
+dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
+		      dns_tsig_keyring_t *ring);
+/*%<
+ *	Processes a query containing a TKEY record, adding or deleting TSIG
+ *	keys if necessary, and modifies the message to contain the response.
+ *
+ *	Requires:
+ *\li		'msg' is a valid message
+ *\li		'tctx' is a valid TKEY context
+ *\li		'ring' is a valid TSIG keyring
+ *
+ *	Returns
+ *\li		#ISC_R_SUCCESS	msg was updated (the TKEY operation succeeded,
+ *				or msg now includes a TKEY with an error set)
+ *		DNS_R_FORMERR	the packet was malformed (missing a TKEY
+ *				or KEY).
+ *\li		other		An error occurred while processing the message
+ */
+
+isc_result_t
+dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key,
+		      const dns_name_t *name, const dns_name_t *algorithm,
+		      isc_buffer_t *nonce, uint32_t lifetime);
+/*%<
+ *	Builds a query containing a TKEY that will generate a shared
+ *	secret using a Diffie-Hellman key exchange.  The shared key
+ *	will be of the specified algorithm (only DNS_TSIG_HMACMD5_NAME
+ *	is supported), and will be named either 'name',
+ *	'name' + server chosen domain, or random data + server chosen domain
+ *	if 'name' == dns_rootname.  If nonce is not NULL, it supplies
+ *	random data used in the shared secret computation.  The key is
+ *	requested to have the specified lifetime (in seconds)
+ *
+ *
+ *	Requires:
+ *\li		'msg' is a valid message
+ *\li		'key' is a valid Diffie Hellman dst key
+ *\li		'name' is a valid name
+ *\li		'algorithm' is a valid name
+ *
+ *	Returns:
+ *\li		#ISC_R_SUCCESS	msg was successfully updated to include the
+ *				query to be sent
+ *\li		other		an error occurred while building the message
+ */
+
+isc_result_t
+dns_tkey_buildgssquery(dns_message_t *msg, const dns_name_t *name,
+		       const dns_name_t *gname, isc_buffer_t *intoken,
+		       uint32_t lifetime, dns_gss_ctx_id_t *context, bool win2k,
+		       isc_mem_t *mctx, char **err_message);
+/*%<
+ *	Builds a query containing a TKEY that will generate a GSSAPI context.
+ *	The key is requested to have the specified lifetime (in seconds).
+ *
+ *	Requires:
+ *\li		'msg'	  is a valid message
+ *\li		'name'	  is a valid name
+ *\li		'gname'	  is a valid name
+ *\li		'context' is a pointer to a valid gss_ctx_id_t
+ *			  (which may have the value GSS_C_NO_CONTEXT)
+ *\li		'win2k'   when true says to turn on some hacks to work
+ *			  with the non-standard GSS-TSIG of Windows 2000
+ *
+ *	Returns:
+ *\li		ISC_R_SUCCESS	msg was successfully updated to include the
+ *				query to be sent
+ *\li		other		an error occurred while building the message
+ *\li		*err_message	optional error message
+ */
+
+isc_result_t
+dns_tkey_builddeletequery(dns_message_t *msg, dns_tsigkey_t *key);
+/*%<
+ *	Builds a query containing a TKEY record that will delete the
+ *	specified shared secret from the server.
+ *
+ *	Requires:
+ *\li		'msg' is a valid message
+ *\li		'key' is a valid TSIG key
+ *
+ *	Returns:
+ *\li		#ISC_R_SUCCESS	msg was successfully updated to include the
+ *				query to be sent
+ *\li		other		an error occurred while building the message
+ */
+
+isc_result_t
+dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
+			   dst_key_t *key, isc_buffer_t *nonce,
+			   dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring);
+/*%<
+ *	Processes a response to a query containing a TKEY that was
+ *	designed to generate a shared secret using a Diffie-Hellman key
+ *	exchange.  If the query was successful, a new shared key
+ *	is created and added to the list of shared keys.
+ *
+ *	Requires:
+ *\li		'qmsg' is a valid message (the query)
+ *\li		'rmsg' is a valid message (the response)
+ *\li		'key' is a valid Diffie Hellman dst key
+ *\li		'outkey' is either NULL or a pointer to NULL
+ *\li		'ring' is a valid keyring or NULL
+ *
+ *	Returns:
+ *\li		#ISC_R_SUCCESS	the shared key was successfully added
+ *\li		#ISC_R_NOTFOUND	an error occurred while looking for a
+ *				component of the query or response
+ */
+
+isc_result_t
+dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
+			    const dns_name_t *gname, dns_gss_ctx_id_t *context,
+			    isc_buffer_t *outtoken, dns_tsigkey_t **outkey,
+			    dns_tsig_keyring_t *ring, char **err_message);
+/*%<
+ * XXX
+ */
+
+isc_result_t
+dns_tkey_processdeleteresponse(dns_message_t *qmsg, dns_message_t *rmsg,
+			       dns_tsig_keyring_t *ring);
+/*%<
+ *	Processes a response to a query containing a TKEY that was
+ *	designed to delete a shared secret.  If the query was successful,
+ *	the shared key is deleted from the list of shared keys.
+ *
+ *	Requires:
+ *\li		'qmsg' is a valid message (the query)
+ *\li		'rmsg' is a valid message (the response)
+ *\li		'ring' is not NULL
+ *
+ *	Returns:
+ *\li		#ISC_R_SUCCESS	the shared key was successfully deleted
+ *\li		#ISC_R_NOTFOUND	an error occurred while looking for a
+ *				component of the query or response
+ */
+
+isc_result_t
+dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
+		      const dns_name_t *server, dns_gss_ctx_id_t *context,
+		      dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring,
+		      bool win2k, char **err_message);
+
+/*
+ *	Client side negotiation of GSS-TSIG.  Process the response
+ *	to a TKEY, and establish a TSIG key if negotiation was successful.
+ *	Build a response to the input TKEY message.  Can take multiple
+ *	calls to successfully establish the context.
+ *
+ *	Requires:
+ *		'qmsg'    is a valid message, the original TKEY request;
+ *			     it will be filled with the new message to send
+ *		'rmsg'    is a valid message, the incoming TKEY message
+ *		'server'  is the server name
+ *		'context' is the input context handle
+ *		'outkey'  receives the established key, if non-NULL;
+ *			      if non-NULL must point to NULL
+ *		'ring'	  is the keyring in which to establish the key,
+ *			      or NULL
+ *		'win2k'   when true says to turn on some hacks to work
+ *			      with the non-standard GSS-TSIG of Windows 2000
+ *
+ *	Returns:
+ *		ISC_R_SUCCESS	context was successfully established
+ *		ISC_R_NOTFOUND  couldn't find a needed part of the query
+ *					or response
+ *		DNS_R_CONTINUE  additional context negotiation is required;
+ *					send the new qmsg to the server
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_TKEY_H */
diff --git a/lib/dns/include/dns/tsec.h b/lib/dns/include/dns/tsec.h
new file mode 100644
index 0000000..5ea7b8a
--- /dev/null
+++ b/lib/dns/include/dns/tsec.h
@@ -0,0 +1,132 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_TSEC_H
+#define DNS_TSEC_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file
+ *
+ * \brief
+ * The TSEC (Transaction Security) module is an abstraction layer for managing
+ * DNS transaction mechanisms such as TSIG or SIG(0).  A TSEC structure is a
+ * mechanism-independent object containing key information specific to the
+ * mechanism, and is expected to be used as an argument to other modules
+ * that use transaction security in a mechanism-independent manner.
+ *
+ * MP:
+ *\li	A TSEC structure is expected to be thread-specific.  No inter-thread
+ *	synchronization is ensured in multiple access to a single TSEC
+ *	structure.
+ *
+ * Resources:
+ *\li	TBS
+ *
+ * Security:
+ *\li	This module does not handle any low-level data directly, and so no
+ *	security issue specific to this module is anticipated.
+ */
+
+#include <dns/types.h>
+
+#include <dst/dst.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Types
+ ***/
+
+/*%
+ * Transaction security types.
+ */
+typedef enum {
+	dns_tsectype_none,
+	dns_tsectype_tsig,
+	dns_tsectype_sig0
+} dns_tsectype_t;
+
+isc_result_t
+dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t *key,
+		dns_tsec_t **tsecp);
+/*%<
+ * Create a TSEC structure and stores a type-dependent key structure in it.
+ * For a TSIG key (type is dns_tsectype_tsig), dns_tsec_create() creates a
+ * TSIG key structure from '*key' and keeps it in the structure.  For other
+ * types, this function simply retains '*key' in the structure.  In either
+ * case, the ownership of '*key' is transferred to the TSEC module; the caller
+ * must not modify or destroy it after the call to dns_tsec_create().
+ *
+ * Requires:
+ *
+ *\li	'mctx' is a valid memory context.
+ *
+ *\li	'type' is a valid value of dns_tsectype_t (see above).
+ *
+ *\li	'key' is a valid key.
+ *
+ *\li	tsecp != NULL && *tsecp == NULL.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS				On success.
+ *
+ *\li	Anything else				Failure.
+ */
+
+void
+dns_tsec_destroy(dns_tsec_t **tsecp);
+/*%<
+ * Destroy the TSEC structure.  The stored key is also detached or destroyed.
+ *
+ * Requires
+ *
+ *\li	'*tsecp' is a valid TSEC structure.
+ *
+ * Ensures
+ *
+ *\li	*tsecp == NULL.
+ *
+ */
+
+dns_tsectype_t
+dns_tsec_gettype(dns_tsec_t *tsec);
+/*%<
+ * Return the TSEC type of '*tsec'.
+ *
+ * Requires
+ *
+ *\li	'tsec' is a valid TSEC structure.
+ *
+ */
+
+void
+dns_tsec_getkey(dns_tsec_t *tsec, void *keyp);
+/*%<
+ * Return the TSEC key of '*tsec' in '*keyp'.
+ *
+ * Requires
+ *
+ *\li	keyp != NULL
+ *
+ * Ensures
+ *
+ *\li	*tsecp points to a valid key structure depending on the TSEC type.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_TSEC_H */
diff --git a/lib/dns/include/dns/tsig.h b/lib/dns/include/dns/tsig.h
new file mode 100644
index 0000000..c908fa1
--- /dev/null
+++ b/lib/dns/include/dns/tsig.h
@@ -0,0 +1,297 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_TSIG_H
+#define DNS_TSIG_H 1
+
+/*! \file dns/tsig.h */
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/refcount.h>
+#include <isc/rwlock.h>
+#include <isc/stdio.h>
+#include <isc/stdtime.h>
+
+#include <dns/name.h>
+#include <dns/types.h>
+
+#include <dst/dst.h>
+#include <pk11/site.h>
+
+/*
+ * Algorithms.
+ */
+LIBDNS_EXTERNAL_DATA extern const dns_name_t *dns_tsig_hmacmd5_name;
+#define DNS_TSIG_HMACMD5_NAME dns_tsig_hmacmd5_name
+LIBDNS_EXTERNAL_DATA extern const dns_name_t *dns_tsig_gssapi_name;
+#define DNS_TSIG_GSSAPI_NAME dns_tsig_gssapi_name
+LIBDNS_EXTERNAL_DATA extern const dns_name_t *dns_tsig_gssapims_name;
+#define DNS_TSIG_GSSAPIMS_NAME dns_tsig_gssapims_name
+LIBDNS_EXTERNAL_DATA extern const dns_name_t *dns_tsig_hmacsha1_name;
+#define DNS_TSIG_HMACSHA1_NAME dns_tsig_hmacsha1_name
+LIBDNS_EXTERNAL_DATA extern const dns_name_t *dns_tsig_hmacsha224_name;
+#define DNS_TSIG_HMACSHA224_NAME dns_tsig_hmacsha224_name
+LIBDNS_EXTERNAL_DATA extern const dns_name_t *dns_tsig_hmacsha256_name;
+#define DNS_TSIG_HMACSHA256_NAME dns_tsig_hmacsha256_name
+LIBDNS_EXTERNAL_DATA extern const dns_name_t *dns_tsig_hmacsha384_name;
+#define DNS_TSIG_HMACSHA384_NAME dns_tsig_hmacsha384_name
+LIBDNS_EXTERNAL_DATA extern const dns_name_t *dns_tsig_hmacsha512_name;
+#define DNS_TSIG_HMACSHA512_NAME dns_tsig_hmacsha512_name
+
+/*%
+ * Default fudge value.
+ */
+#define DNS_TSIG_FUDGE 300
+
+struct dns_tsig_keyring {
+	dns_rbt_t   *keys;
+	unsigned int writecount;
+	isc_rwlock_t lock;
+	isc_mem_t   *mctx;
+	/*
+	 * LRU list of generated key along with a count of the keys on the
+	 * list and a maximum size.
+	 */
+	unsigned int generated;
+	unsigned int maxgenerated;
+	ISC_LIST(dns_tsigkey_t) lru;
+	isc_refcount_t references;
+};
+
+struct dns_tsigkey {
+	/* Unlocked */
+	unsigned int	    magic; /*%< Magic number. */
+	isc_mem_t	   *mctx;
+	dst_key_t	   *key;       /*%< Key */
+	dns_name_t	    name;      /*%< Key name */
+	const dns_name_t   *algorithm; /*%< Algorithm name */
+	dns_name_t	   *creator;   /*%< name that created secret */
+	bool		    generated; /*%< was this generated? */
+	isc_stdtime_t	    inception; /*%< start of validity period */
+	isc_stdtime_t	    expire;    /*%< end of validity period */
+	dns_tsig_keyring_t *ring;      /*%< the enclosing keyring */
+	isc_refcount_t	    refs;      /*%< reference counter */
+	ISC_LINK(dns_tsigkey_t) link;
+};
+
+ISC_LANG_BEGINDECLS
+
+const dns_name_t *
+dns_tsigkey_identity(const dns_tsigkey_t *tsigkey);
+/*%<
+ *	Returns the identity of the provided TSIG key.
+ *
+ *	Requires:
+ *\li		'tsigkey' is a valid TSIG key or NULL
+ *
+ *	Returns:
+ *\li		NULL if 'tsigkey' was NULL
+ *\li		identity of the provided TSIG key
+ */
+
+isc_result_t
+dns_tsigkey_create(const dns_name_t *name, const dns_name_t *algorithm,
+		   unsigned char *secret, int length, bool generated,
+		   const dns_name_t *creator, isc_stdtime_t inception,
+		   isc_stdtime_t expire, isc_mem_t *mctx,
+		   dns_tsig_keyring_t *ring, dns_tsigkey_t **key);
+
+isc_result_t
+dns_tsigkey_createfromkey(const dns_name_t *name, const dns_name_t *algorithm,
+			  dst_key_t *dstkey, bool generated,
+			  const dns_name_t *creator, isc_stdtime_t inception,
+			  isc_stdtime_t expire, isc_mem_t *mctx,
+			  dns_tsig_keyring_t *ring, dns_tsigkey_t **key);
+/*%<
+ *	Creates a tsig key structure and saves it in the keyring.  If key is
+ *	not NULL, *key will contain a copy of the key.  The keys validity
+ *	period is specified by (inception, expire), and will not expire if
+ *	inception == expire.  If the key was generated, the creating identity,
+ *	if there is one, should be in the creator parameter.  Specifying an
+ *	unimplemented algorithm will cause failure only if dstkey != NULL; this
+ *	allows a transient key with an invalid algorithm to exist long enough
+ *	to generate a BADKEY response.
+ *
+ *	If dns_tsigkey_createfromkey is successful a new reference to 'dstkey'
+ *	will have been made.
+ *
+ *	Requires:
+ *\li		'name' is a valid dns_name_t
+ *\li		'algorithm' is a valid dns_name_t
+ *\li		'secret' is a valid pointer
+ *\li		'length' is an integer >= 0
+ *\li		'dstkey' is a valid dst key or NULL
+ *\li		'creator' points to a valid dns_name_t or is NULL
+ *\li		'mctx' is a valid memory context
+ *\li		'ring' is a valid TSIG keyring or NULL
+ *\li		'key' or '*key' must be NULL
+ *
+ *	Returns:
+ *\li		#ISC_R_SUCCESS
+ *\li		#ISC_R_EXISTS - a key with this name already exists
+ *\li		#ISC_R_NOTIMPLEMENTED - algorithm is not implemented
+ *\li		#ISC_R_NOMEMORY
+ */
+
+void
+dns_tsigkey_attach(dns_tsigkey_t *source, dns_tsigkey_t **targetp);
+/*%<
+ *	Attach '*targetp' to 'source'.
+ *
+ *	Requires:
+ *\li		'key' is a valid TSIG key
+ *
+ *	Ensures:
+ *\li		*targetp is attached to source.
+ */
+
+void
+dns_tsigkey_detach(dns_tsigkey_t **keyp);
+/*%<
+ *	Detaches from the tsig key structure pointed to by '*key'.
+ *
+ *	Requires:
+ *\li		'keyp' is not NULL and '*keyp' is a valid TSIG key
+ *
+ *	Ensures:
+ *\li		'keyp' points to NULL
+ */
+
+void
+dns_tsigkey_setdeleted(dns_tsigkey_t *key);
+/*%<
+ *	Prevents this key from being used again.  It will be deleted when
+ *	no references exist.
+ *
+ *	Requires:
+ *\li		'key' is a valid TSIG key on a keyring
+ */
+
+isc_result_t
+dns_tsig_sign(dns_message_t *msg);
+/*%<
+ *	Generates a TSIG record for this message
+ *
+ *	Requires:
+ *\li		'msg' is a valid message
+ *\li		'msg->tsigkey' is a valid TSIG key
+ *\li		'msg->tsig' is NULL
+ *
+ *	Returns:
+ *\li		#ISC_R_SUCCESS
+ *\li		#ISC_R_NOMEMORY
+ *\li		#ISC_R_NOSPACE
+ *\li		#DNS_R_EXPECTEDTSIG
+ *			- this is a response & msg->querytsig is NULL
+ */
+
+isc_result_t
+dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
+		dns_tsig_keyring_t *ring1, dns_tsig_keyring_t *ring2);
+/*%<
+ *	Verifies the TSIG record in this message
+ *
+ *	Requires:
+ *\li		'source' is a valid buffer containing the unparsed message
+ *\li		'msg' is a valid message
+ *\li		'msg->tsigkey' is a valid TSIG key if this is a response
+ *\li		'msg->tsig' is NULL
+ *\li		'msg->querytsig' is not NULL if this is a response
+ *\li		'ring1' and 'ring2' are each either a valid keyring or NULL
+ *
+ *	Returns:
+ *\li		#ISC_R_SUCCESS
+ *\li		#ISC_R_NOMEMORY
+ *\li		#DNS_R_EXPECTEDTSIG - A TSIG was expected but not seen
+ *\li		#DNS_R_UNEXPECTEDTSIG - A TSIG was seen but not expected
+ *\li		#DNS_R_TSIGERRORSET - the TSIG verified but ->error was set
+ *				     and this is a query
+ *\li		#DNS_R_CLOCKSKEW - the TSIG failed to verify because of
+ *				  the time was out of the allowed range.
+ *\li		#DNS_R_TSIGVERIFYFAILURE - the TSIG failed to verify
+ *\li		#DNS_R_EXPECTEDRESPONSE - the message was set over TCP and
+ *					 should have been a response,
+ *					 but was not.
+ */
+
+isc_result_t
+dns_tsigkey_find(dns_tsigkey_t **tsigkey, const dns_name_t *name,
+		 const dns_name_t *algorithm, dns_tsig_keyring_t *ring);
+/*%<
+ *	Returns the TSIG key corresponding to this name and (possibly)
+ *	algorithm.  Also increments the key's reference counter.
+ *
+ *	Requires:
+ *\li		'tsigkey' is not NULL
+ *\li		'*tsigkey' is NULL
+ *\li		'name' is a valid dns_name_t
+ *\li		'algorithm' is a valid dns_name_t or NULL
+ *\li		'ring' is a valid keyring
+ *
+ *	Returns:
+ *\li		#ISC_R_SUCCESS
+ *\li		#ISC_R_NOTFOUND
+ */
+
+isc_result_t
+dns_tsigkeyring_create(isc_mem_t *mctx, dns_tsig_keyring_t **ringp);
+/*%<
+ *	Create an empty TSIG key ring.
+ *
+ *	Requires:
+ *\li		'mctx' is not NULL
+ *\li		'ringp' is not NULL, and '*ringp' is NULL
+ *
+ *	Returns:
+ *\li		#ISC_R_SUCCESS
+ *\li		#ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_tsigkeyring_add(dns_tsig_keyring_t *ring, const dns_name_t *name,
+		    dns_tsigkey_t *tkey);
+/*%<
+ *      Place a TSIG key onto a key ring.
+ *
+ *	Requires:
+ *\li		'ring', 'name' and 'tkey' are not NULL
+ *
+ *	Returns:
+ *\li		#ISC_R_SUCCESS
+ *\li		Any other value indicates failure.
+ */
+
+void
+dns_tsigkeyring_attach(dns_tsig_keyring_t *source, dns_tsig_keyring_t **target);
+
+void
+dns_tsigkeyring_detach(dns_tsig_keyring_t **ringp);
+
+isc_result_t
+dns_tsigkeyring_dumpanddetach(dns_tsig_keyring_t **ringp, FILE *fp);
+
+/*%<
+ *	Destroy a TSIG key ring.
+ *
+ *	Requires:
+ *\li		'ringp' is not NULL
+ */
+
+void
+dns_keyring_restore(dns_tsig_keyring_t *ring, FILE *fp);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_TSIG_H */
diff --git a/lib/dns/include/dns/ttl.h b/lib/dns/include/dns/ttl.h
new file mode 100644
index 0000000..2d718f4
--- /dev/null
+++ b/lib/dns/include/dns/ttl.h
@@ -0,0 +1,80 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_TTL_H
+#define DNS_TTL_H 1
+
+/*! \file dns/ttl.h */
+
+/***
+ ***	Imports
+ ***/
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ ***	Functions
+ ***/
+
+isc_result_t
+dns_ttl_totext(uint32_t src, bool verbose, bool upcase, isc_buffer_t *target);
+/*%<
+ * Output a TTL or other time interval in a human-readable form.
+ * The time interval is given as a count of seconds in 'src'.
+ * The text representation is appended to 'target'.
+ *
+ * If 'verbose' is false, use the terse BIND 8 style, like "1w2d3h4m5s".
+ *
+ * If 'verbose' is true, use a verbose style like the SOA comments
+ * in "dig", like "1 week 2 days 3 hours 4 minutes 5 seconds".
+ *
+ * If 'upcase' is true, we conform to the BIND 8 style in which
+ * the unit letter is capitalized if there is only a single unit
+ * letter to print (for example, "1m30s", but "2M")
+ *
+ * If 'upcase' is false, unit letters are always in lower case.
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS
+ * \li	ISC_R_NOSPACE
+ */
+
+isc_result_t
+dns_counter_fromtext(isc_textregion_t *source, uint32_t *ttl);
+/*%<
+ * Converts a counter from either a plain number or a BIND 8 style value.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS
+ *\li	DNS_R_SYNTAX
+ */
+
+isc_result_t
+dns_ttl_fromtext(isc_textregion_t *source, uint32_t *ttl);
+/*%<
+ * Converts a ttl from either a plain number or a BIND 8 style value.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS
+ *\li	DNS_R_BADTTL
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_TTL_H */
diff --git a/lib/dns/include/dns/types.h b/lib/dns/include/dns/types.h
new file mode 100644
index 0000000..641d81f
--- /dev/null
+++ b/lib/dns/include/dns/types.h
@@ -0,0 +1,438 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_TYPES_H
+#define DNS_TYPES_H 1
+
+/*! \file dns/types.h
+ * \brief
+ * Including this file gives you type declarations suitable for use in
+ * .h files, which lets us avoid circular type reference problems.
+ * \brief
+ * To actually use a type or get declarations of its methods, you must
+ * include the appropriate .h file too.
+ */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdio.h>
+
+#include <isc/types.h>
+
+typedef struct dns_acl	       dns_acl_t;
+typedef struct dns_aclelement  dns_aclelement_t;
+typedef struct dns_aclenv      dns_aclenv_t;
+typedef struct dns_adb	       dns_adb_t;
+typedef struct dns_adbaddrinfo dns_adbaddrinfo_t;
+typedef ISC_LIST(dns_adbaddrinfo_t) dns_adbaddrinfolist_t;
+typedef struct dns_adbentry dns_adbentry_t;
+typedef struct dns_adbfind  dns_adbfind_t;
+typedef ISC_LIST(dns_adbfind_t) dns_adbfindlist_t;
+typedef struct dns_badcache	       dns_badcache_t;
+typedef struct dns_byaddr	       dns_byaddr_t;
+typedef struct dns_catz_zonemodmethods dns_catz_zonemodmethods_t;
+typedef struct dns_catz_entry_options  dns_catz_options_t;
+typedef struct dns_catz_entry	       dns_catz_entry_t;
+typedef struct dns_catz_zone	       dns_catz_zone_t;
+typedef struct dns_catz_changed	       dns_catz_changed_t;
+typedef struct dns_catz_zones	       dns_catz_zones_t;
+typedef struct dns_client	       dns_client_t;
+typedef void			       dns_clientrestrans_t;
+typedef void			       dns_clientreqtrans_t;
+typedef void			       dns_clientupdatetrans_t;
+typedef struct dns_cache	       dns_cache_t;
+typedef uint16_t		       dns_cert_t;
+typedef struct dns_compress	       dns_compress_t;
+typedef struct dns_db		       dns_db_t;
+typedef struct dns_dbimplementation    dns_dbimplementation_t;
+typedef struct dns_dbiterator	       dns_dbiterator_t;
+typedef void			       dns_dbload_t;
+typedef void			       dns_dbnode_t;
+typedef struct dns_dbonupdatelistener  dns_dbonupdatelistener_t;
+typedef struct dns_dbtable	       dns_dbtable_t;
+typedef void			       dns_dbversion_t;
+typedef struct dns_dlzimplementation   dns_dlzimplementation_t;
+typedef struct dns_dlzdb	       dns_dlzdb_t;
+typedef ISC_LIST(dns_dlzdb_t) dns_dlzdblist_t;
+typedef struct dns_dyndbctx	      dns_dyndbctx_t;
+typedef struct dns_sdlzimplementation dns_sdlzimplementation_t;
+typedef struct dns_decompress	      dns_decompress_t;
+typedef struct dns_dispatch	      dns_dispatch_t;
+typedef struct dns_dispatchevent      dns_dispatchevent_t;
+typedef struct dns_dispatchlist	      dns_dispatchlist_t;
+typedef struct dns_dispatchset	      dns_dispatchset_t;
+typedef struct dns_dispatchmgr	      dns_dispatchmgr_t;
+typedef struct dns_dispentry	      dns_dispentry_t;
+typedef struct dns_dns64	      dns_dns64_t;
+typedef ISC_LIST(dns_dns64_t) dns_dns64list_t;
+typedef struct dns_dnsseckey dns_dnsseckey_t;
+typedef ISC_LIST(dns_dnsseckey_t) dns_dnsseckeylist_t;
+typedef uint8_t			   dns_dsdigest_t;
+typedef struct dns_dtdata	   dns_dtdata_t;
+typedef struct dns_dtenv	   dns_dtenv_t;
+typedef struct dns_dtmsg	   dns_dtmsg_t;
+typedef uint16_t		   dns_dtmsgtype_t;
+typedef struct dns_dumpctx	   dns_dumpctx_t;
+typedef struct dns_ecs		   dns_ecs_t;
+typedef struct dns_ednsopt	   dns_ednsopt_t;
+typedef struct dns_fetch	   dns_fetch_t;
+typedef struct dns_fixedname	   dns_fixedname_t;
+typedef struct dns_forwarders	   dns_forwarders_t;
+typedef struct dns_forwarder	   dns_forwarder_t;
+typedef struct dns_fwdtable	   dns_fwdtable_t;
+typedef struct dns_geoip_databases dns_geoip_databases_t;
+typedef struct dns_iptable	   dns_iptable_t;
+typedef uint32_t		   dns_iterations_t;
+typedef struct dns_kasp		   dns_kasp_t;
+typedef ISC_LIST(dns_kasp_t) dns_kasplist_t;
+typedef struct dns_kasp_key dns_kasp_key_t;
+typedef ISC_LIST(dns_kasp_key_t) dns_kasp_keylist_t;
+typedef struct dns_kasp_nsec3param dns_kasp_nsec3param_t;
+typedef uint16_t		   dns_keyflags_t;
+typedef struct dns_keynode	   dns_keynode_t;
+typedef ISC_LIST(dns_keynode_t) dns_keynodelist_t;
+typedef struct dns_keytable	   dns_keytable_t;
+typedef uint16_t		   dns_keytag_t;
+typedef struct dns_loadctx	   dns_loadctx_t;
+typedef struct dns_loadmgr	   dns_loadmgr_t;
+typedef struct dns_masterrawheader dns_masterrawheader_t;
+typedef uint64_t		   dns_masterstyle_flags_t;
+typedef struct dns_message	   dns_message_t;
+typedef uint16_t		   dns_messageid_t;
+typedef isc_region_t		   dns_label_t;
+typedef struct dns_lookup	   dns_lookup_t;
+typedef struct dns_name		   dns_name_t;
+typedef ISC_LIST(dns_name_t) dns_namelist_t;
+typedef struct dns_nta		  dns_nta_t;
+typedef struct dns_ntatable	  dns_ntatable_t;
+typedef uint16_t		  dns_opcode_t;
+typedef unsigned char		  dns_offsets_t[128];
+typedef struct dns_order	  dns_order_t;
+typedef struct dns_peer		  dns_peer_t;
+typedef struct dns_peerlist	  dns_peerlist_t;
+typedef struct dns_portlist	  dns_portlist_t;
+typedef struct dns_rbt		  dns_rbt_t;
+typedef uint16_t		  dns_rcode_t;
+typedef struct dns_rdata	  dns_rdata_t;
+typedef struct dns_rdatacallbacks dns_rdatacallbacks_t;
+typedef uint16_t		  dns_rdataclass_t;
+typedef struct dns_rdatalist	  dns_rdatalist_t;
+typedef struct dns_rdataset	  dns_rdataset_t;
+typedef ISC_LIST(dns_rdataset_t) dns_rdatasetlist_t;
+typedef struct dns_rdatasetiter	     dns_rdatasetiter_t;
+typedef uint16_t		     dns_rdatatype_t;
+typedef struct dns_request	     dns_request_t;
+typedef struct dns_requestmgr	     dns_requestmgr_t;
+typedef struct dns_resolver	     dns_resolver_t;
+typedef struct dns_sdbimplementation dns_sdbimplementation_t;
+typedef uint8_t			     dns_secalg_t;
+typedef uint8_t			     dns_secproto_t;
+typedef struct dns_signature	     dns_signature_t;
+typedef struct dns_sortlist_arg	     dns_sortlist_arg_t;
+typedef struct dns_ssurule	     dns_ssurule_t;
+typedef struct dns_ssutable	     dns_ssutable_t;
+typedef struct dns_stats	     dns_stats_t;
+typedef uint32_t		     dns_rdatastatstype_t;
+typedef struct dns_tkeyctx	     dns_tkeyctx_t;
+typedef uint16_t		     dns_trust_t;
+typedef struct dns_tsec		     dns_tsec_t;
+typedef struct dns_tsig_keyring	     dns_tsig_keyring_t;
+typedef struct dns_tsigkey	     dns_tsigkey_t;
+typedef uint32_t		     dns_ttl_t;
+typedef struct dns_update_state	     dns_update_state_t;
+typedef struct dns_validator	     dns_validator_t;
+typedef struct dns_view		     dns_view_t;
+typedef ISC_LIST(dns_view_t) dns_viewlist_t;
+typedef struct dns_zone dns_zone_t;
+typedef ISC_LIST(dns_zone_t) dns_zonelist_t;
+typedef struct dns_zonemgr   dns_zonemgr_t;
+typedef struct dns_zt	     dns_zt_t;
+typedef struct dns_ipkeylist dns_ipkeylist_t;
+
+/*
+ * If we are not using GSSAPI, define the types we use as opaque types here.
+ */
+#ifndef GSSAPI
+typedef struct not_defined_gss_cred_id *gss_cred_id_t;
+typedef struct not_defined_gss_ctx     *gss_ctx_id_t;
+#endif /* ifndef GSSAPI */
+typedef struct dst_gssapi_signverifyctx dst_gssapi_signverifyctx_t;
+
+typedef enum { dns_hash_sha1 = 1 } dns_hash_t;
+
+typedef enum {
+	dns_fwdpolicy_none = 0,
+	dns_fwdpolicy_first = 1,
+	dns_fwdpolicy_only = 2
+} dns_fwdpolicy_t;
+
+typedef enum {
+	dns_namereln_none = 0,
+	dns_namereln_contains = 1,
+	dns_namereln_subdomain = 2,
+	dns_namereln_equal = 3,
+	dns_namereln_commonancestor = 4
+} dns_namereln_t;
+
+typedef enum { dns_one_answer, dns_many_answers } dns_transfer_format_t;
+
+typedef enum {
+	dns_dbtype_zone = 0,
+	dns_dbtype_cache = 1,
+	dns_dbtype_stub = 3
+} dns_dbtype_t;
+
+typedef enum {
+	dns_notifytype_no = 0,
+	dns_notifytype_yes = 1,
+	dns_notifytype_explicit = 2,
+	dns_notifytype_masteronly = 3
+} dns_notifytype_t;
+
+typedef enum {
+	dns_minimal_no = 0,
+	dns_minimal_yes = 1,
+	dns_minimal_noauth = 2,
+	dns_minimal_noauthrec = 3
+} dns_minimaltype_t;
+
+typedef enum {
+	dns_dialuptype_no = 0,
+	dns_dialuptype_yes = 1,
+	dns_dialuptype_notify = 2,
+	dns_dialuptype_notifypassive = 3,
+	dns_dialuptype_refresh = 4,
+	dns_dialuptype_passive = 5
+} dns_dialuptype_t;
+
+typedef enum {
+	dns_masterformat_none = 0,
+	dns_masterformat_text = 1,
+	dns_masterformat_raw = 2,
+	dns_masterformat_map = 3
+} dns_masterformat_t;
+
+/*
+ * These are generated by gen.c.
+ */
+#include <dns/enumclass.h> /* Provides dns_rdataclass_t. */
+#include <dns/enumtype.h>  /* Provides dns_rdatatype_t. */
+
+/*%
+ * rcodes.
+ */
+enum {
+	/*
+	 * Standard rcodes.
+	 */
+	dns_rcode_noerror = 0,
+#define dns_rcode_noerror ((dns_rcode_t)dns_rcode_noerror)
+	dns_rcode_formerr = 1,
+#define dns_rcode_formerr ((dns_rcode_t)dns_rcode_formerr)
+	dns_rcode_servfail = 2,
+#define dns_rcode_servfail ((dns_rcode_t)dns_rcode_servfail)
+	dns_rcode_nxdomain = 3,
+#define dns_rcode_nxdomain ((dns_rcode_t)dns_rcode_nxdomain)
+	dns_rcode_notimp = 4,
+#define dns_rcode_notimp ((dns_rcode_t)dns_rcode_notimp)
+	dns_rcode_refused = 5,
+#define dns_rcode_refused ((dns_rcode_t)dns_rcode_refused)
+	dns_rcode_yxdomain = 6,
+#define dns_rcode_yxdomain ((dns_rcode_t)dns_rcode_yxdomain)
+	dns_rcode_yxrrset = 7,
+#define dns_rcode_yxrrset ((dns_rcode_t)dns_rcode_yxrrset)
+	dns_rcode_nxrrset = 8,
+#define dns_rcode_nxrrset ((dns_rcode_t)dns_rcode_nxrrset)
+	dns_rcode_notauth = 9,
+#define dns_rcode_notauth ((dns_rcode_t)dns_rcode_notauth)
+	dns_rcode_notzone = 10,
+#define dns_rcode_notzone ((dns_rcode_t)dns_rcode_notzone)
+	/*
+	 * Extended rcodes.
+	 */
+	dns_rcode_badvers = 16,
+#define dns_rcode_badvers ((dns_rcode_t)dns_rcode_badvers)
+	dns_rcode_badcookie = 23
+#define dns_rcode_badcookie ((dns_rcode_t)dns_rcode_badcookie)
+	/*
+	 * Update dns_rcodestats_create() and
+	 *dns_rcodestats_increment()
+	 * and this comment if a rcode >
+	 *dns_rcode_badcookie is assigned.
+	 */
+	/* Private space [3841..4095] */
+};
+
+/*%
+ * TSIG errors.
+ */
+enum {
+	dns_tsigerror_badsig = 16,
+	dns_tsigerror_badkey = 17,
+	dns_tsigerror_badtime = 18,
+	dns_tsigerror_badmode = 19,
+	dns_tsigerror_badname = 20,
+	dns_tsigerror_badalg = 21,
+	dns_tsigerror_badtrunc = 22
+};
+
+/*%
+ * Opcodes.
+ */
+enum {
+	dns_opcode_query = 0,
+#define dns_opcode_query ((dns_opcode_t)dns_opcode_query)
+	dns_opcode_iquery = 1,
+#define dns_opcode_iquery ((dns_opcode_t)dns_opcode_iquery)
+	dns_opcode_status = 2,
+#define dns_opcode_status ((dns_opcode_t)dns_opcode_status)
+	dns_opcode_notify = 4,
+#define dns_opcode_notify ((dns_opcode_t)dns_opcode_notify)
+	dns_opcode_update = 5 /* dynamic update */
+#define dns_opcode_update ((dns_opcode_t)dns_opcode_update)
+};
+
+/*%
+ * Trust levels.  Must be kept in sync with trustnames[] in masterdump.c.
+ */
+enum {
+	/* Sentinel value; no data should have this trust level. */
+	dns_trust_none = 0,
+#define dns_trust_none ((dns_trust_t)dns_trust_none)
+
+	/*%
+	 * Subject to DNSSEC validation but has not yet been validated
+	 * dns_trust_pending_additional (from the additional section).
+	 */
+	dns_trust_pending_additional = 1,
+#define dns_trust_pending_additional ((dns_trust_t)dns_trust_pending_additional)
+
+	dns_trust_pending_answer = 2,
+#define dns_trust_pending_answer ((dns_trust_t)dns_trust_pending_answer)
+
+	/*% Received in the additional section of a response. */
+	dns_trust_additional = 3,
+#define dns_trust_additional ((dns_trust_t)dns_trust_additional)
+
+	/* Received in a referral response. */
+	dns_trust_glue = 4,
+#define dns_trust_glue ((dns_trust_t)dns_trust_glue)
+
+	/* Answer from a non-authoritative server */
+	dns_trust_answer = 5,
+#define dns_trust_answer ((dns_trust_t)dns_trust_answer)
+
+	/*  Received in the authority section as part of an
+	 *  authoritative response */
+	dns_trust_authauthority = 6,
+#define dns_trust_authauthority ((dns_trust_t)dns_trust_authauthority)
+
+	/* Answer from an authoritative server */
+	dns_trust_authanswer = 7,
+#define dns_trust_authanswer ((dns_trust_t)dns_trust_authanswer)
+
+	/* Successfully DNSSEC validated */
+	dns_trust_secure = 8,
+#define dns_trust_secure ((dns_trust_t)dns_trust_secure)
+
+	/* This server is authoritative */
+	dns_trust_ultimate = 9
+#define dns_trust_ultimate ((dns_trust_t)dns_trust_ultimate)
+};
+
+#define DNS_TRUST_PENDING(x) \
+	((x) == dns_trust_pending_answer || (x) == dns_trust_pending_additional)
+#define DNS_TRUST_ADDITIONAL(x) \
+	((x) == dns_trust_additional || (x) == dns_trust_pending_additional)
+#define DNS_TRUST_GLUE(x)   ((x) == dns_trust_glue)
+#define DNS_TRUST_ANSWER(x) ((x) == dns_trust_answer)
+
+/*%
+ * Name checking severities.
+ */
+typedef enum {
+	dns_severity_ignore,
+	dns_severity_warn,
+	dns_severity_fail
+} dns_severity_t;
+
+/*%
+ * DNS Serial Number Update Method.
+ *
+ * \li	_none:		Keep the current serial.
+ * \li	_increment:	Add one to the current serial, skipping 0.
+ * \li	_unixtime:	Set to the seconds since 00:00 Jan 1, 1970,
+ *			if possible.
+ * \li	_date:		Set to today's date in YYYYMMDDVV format:
+ *                      (Year, Month, Day, Version)
+ */
+typedef enum {
+	dns_updatemethod_none = 0,
+	dns_updatemethod_increment,
+	dns_updatemethod_unixtime,
+	dns_updatemethod_date
+} dns_updatemethod_t;
+
+typedef enum {
+	dns_stale_answer_no,
+	dns_stale_answer_yes,
+	dns_stale_answer_conf
+} dns_stale_answer_t;
+
+typedef struct {
+	const char *string;
+	size_t	    count;
+} dns_indent_t;
+
+/*
+ * Functions.
+ */
+typedef void (*dns_dumpdonefunc_t)(void *, isc_result_t);
+
+typedef void (*dns_loaddonefunc_t)(void *, isc_result_t);
+
+typedef void (*dns_rawdatafunc_t)(dns_zone_t *, dns_masterrawheader_t *);
+
+typedef isc_result_t (*dns_addrdatasetfunc_t)(void *, const dns_name_t *,
+					      dns_rdataset_t *);
+
+typedef isc_result_t (*dns_additionaldatafunc_t)(void *, const dns_name_t *,
+						 dns_rdatatype_t);
+
+typedef isc_result_t (*dns_digestfunc_t)(void *, isc_region_t *);
+
+typedef void (*dns_xfrindone_t)(dns_zone_t *, isc_result_t);
+
+typedef void (*dns_updatecallback_t)(void *, isc_result_t, dns_message_t *);
+
+typedef int (*dns_rdatasetorderfunc_t)(const dns_rdata_t *, const void *);
+
+typedef bool (*dns_checkmxfunc_t)(dns_zone_t *, const dns_name_t *,
+				  const dns_name_t *);
+
+typedef bool (*dns_checksrvfunc_t)(dns_zone_t *, const dns_name_t *,
+				   const dns_name_t *);
+
+typedef bool (*dns_checknsfunc_t)(dns_zone_t *, const dns_name_t *,
+				  const dns_name_t *, dns_rdataset_t *,
+				  dns_rdataset_t *);
+
+typedef bool (*dns_isselffunc_t)(dns_view_t *, dns_tsigkey_t *,
+				 const isc_sockaddr_t *, const isc_sockaddr_t *,
+				 dns_rdataclass_t, void *);
+
+typedef isc_result_t (*dns_deserializefunc_t)(void *, FILE *, off_t);
+
+typedef void (*dns_nseclog_t)(void *val, int, const char *, ...);
+
+#endif /* DNS_TYPES_H */
diff --git a/lib/dns/include/dns/update.h b/lib/dns/include/dns/update.h
new file mode 100644
index 0000000..aca9e71
--- /dev/null
+++ b/lib/dns/include/dns/update.h
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_UPDATE_H
+#define DNS_UPDATE_H 1
+
+/*! \file dns/update.h */
+
+/***
+ ***	Imports
+ ***/
+
+#include <inttypes.h>
+
+#include <isc/lang.h>
+
+#include <dns/diff.h>
+#include <dns/types.h>
+
+typedef struct {
+	void (*func)(void *arg, dns_zone_t *zone, int level,
+		     const char *message);
+	void *arg;
+} dns_update_log_t;
+
+ISC_LANG_BEGINDECLS
+
+/***
+ ***	Functions
+ ***/
+
+uint32_t
+dns_update_soaserial(uint32_t serial, dns_updatemethod_t method,
+		     dns_updatemethod_t *used);
+/*%<
+ * Return the next serial number after 'serial', depending on the
+ * update method 'method':
+ *
+ *\li	* dns_updatemethod_increment increments the serial number by one
+ *\li	* dns_updatemethod_date sets the serial number to YYYYMMDD00
+ *\li	* dns_updatemethod_unixtime sets the serial number to the current
+ *	  time (seconds since UNIX epoch)
+ *\li	* dns_updatemethod_none just returns the given serial
+ *
+ * NOTE: The dns_updatemethod_increment will be used if dns_updatemethod_date or
+ * dns_updatemethod_unixtime is used and the new serial number would be lower
+ * than current serial number.
+ *
+ * Sets *used to the method that was used.
+ */
+
+isc_result_t
+dns_update_signatures(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
+		      dns_dbversion_t *oldver, dns_dbversion_t *newver,
+		      dns_diff_t *diff, uint32_t sigvalidityinterval);
+
+isc_result_t
+dns_update_signaturesinc(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
+			 dns_dbversion_t *oldver, dns_dbversion_t *newver,
+			 dns_diff_t *diff, uint32_t sigvalidityinterval,
+			 dns_update_state_t **state);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_UPDATE_H */
diff --git a/lib/dns/include/dns/validator.h b/lib/dns/include/dns/validator.h
new file mode 100644
index 0000000..b435cd6
--- /dev/null
+++ b/lib/dns/include/dns/validator.h
@@ -0,0 +1,243 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_VALIDATOR_H
+#define DNS_VALIDATOR_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file dns/validator.h
+ *
+ * \brief
+ * DNS Validator
+ * This is the BIND 9 validator, the module responsible for validating the
+ * rdatasets and negative responses (messages).  It makes use of zones in
+ * the view and may fetch RRset to complete trust chains.  It implements
+ * DNSSEC as specified in RFC 4033, 4034 and 4035.
+ *
+ * Correct operation is critical to preventing spoofed answers from secure
+ * zones being accepted.
+ *
+ * MP:
+ *\li	The module ensures appropriate synchronization of data structures it
+ *	creates and manipulates.
+ *
+ * Reliability:
+ *\li	No anticipated impact.
+ *
+ * Resources:
+ *\li	TBS
+ *
+ * Security:
+ *\li	No anticipated impact.
+ *
+ * Standards:
+ *\li	RFCs:	1034, 1035, 2181, 4033, 4034, 4035.
+ */
+
+#include <stdbool.h>
+
+#include <isc/event.h>
+#include <isc/lang.h>
+#include <isc/mutex.h>
+
+#include <dns/fixedname.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h> /* for dns_rdata_rrsig_t */
+#include <dns/types.h>
+
+#include <dst/dst.h>
+
+/*%
+ * A dns_validatorevent_t is sent when a 'validation' completes.
+ * \brief
+ * 'name', 'rdataset', 'sigrdataset', and 'message' are the values that were
+ * supplied when dns_validator_create() was called.  They are returned to the
+ * caller so that they may be freed.
+ *
+ * If the RESULT is ISC_R_SUCCESS and the answer is secure then
+ * proofs[] will contain the names of the NSEC records that hold the
+ * various proofs.  Note the same name may appear multiple times.
+ */
+typedef struct dns_validatorevent {
+	ISC_EVENT_COMMON(struct dns_validatorevent);
+	dns_validator_t *validator;
+	isc_result_t	 result;
+	/*
+	 * Name and type of the response to be validated.
+	 */
+	dns_name_t     *name;
+	dns_rdatatype_t type;
+	/*
+	 * Rdata and RRSIG (if any) for positive responses.
+	 */
+	dns_rdataset_t *rdataset;
+	dns_rdataset_t *sigrdataset;
+	/*
+	 * The full response.  Required for negative responses.
+	 * Also required for positive wildcard responses.
+	 */
+	dns_message_t *message;
+	/*
+	 * Proofs to be cached.
+	 */
+	dns_name_t *proofs[4];
+	/*
+	 * Optout proof seen.
+	 */
+	bool optout;
+	/*
+	 * Answer is secure.
+	 */
+	bool secure;
+} dns_validatorevent_t;
+
+#define DNS_VALIDATOR_NOQNAMEPROOF    0
+#define DNS_VALIDATOR_NODATAPROOF     1
+#define DNS_VALIDATOR_NOWILDCARDPROOF 2
+#define DNS_VALIDATOR_CLOSESTENCLOSER 3
+
+/*%
+ * A validator object represents a validation in progress.
+ * \brief
+ * Clients are strongly discouraged from using this type directly, with
+ * the exception of the 'link' field, which may be used directly for
+ * whatever purpose the client desires.
+ */
+struct dns_validator {
+	/* Unlocked. */
+	unsigned int magic;
+	isc_mutex_t  lock;
+	dns_view_t  *view;
+	/* Locked by lock. */
+	unsigned int	      options;
+	unsigned int	      attributes;
+	dns_validatorevent_t *event;
+	dns_fetch_t	     *fetch;
+	dns_validator_t	     *subvalidator;
+	dns_validator_t	     *parent;
+	dns_keytable_t	     *keytable;
+	dst_key_t	     *key;
+	dns_rdata_rrsig_t    *siginfo;
+	isc_task_t	     *task;
+	isc_taskaction_t      action;
+	void		     *arg;
+	unsigned int	      labels;
+	dns_rdataset_t	     *currentset;
+	dns_rdataset_t	     *keyset;
+	dns_rdataset_t	     *dsset;
+	dns_rdataset_t	      fdsset;
+	dns_rdataset_t	      frdataset;
+	dns_rdataset_t	      fsigrdataset;
+	dns_fixedname_t	      fname;
+	dns_fixedname_t	      wild;
+	dns_fixedname_t	      closest;
+	ISC_LINK(dns_validator_t) link;
+	bool	      mustbesecure;
+	unsigned int  depth;
+	unsigned int  authcount;
+	unsigned int  authfail;
+	isc_stdtime_t start;
+};
+
+/*%
+ * dns_validator_create() options.
+ */
+/* obsolete: #define DNS_VALIDATOR_DLV	0x0001U */
+#define DNS_VALIDATOR_DEFER    0x0002U
+#define DNS_VALIDATOR_NOCDFLAG 0x0004U
+#define DNS_VALIDATOR_NONTA    0x0008U /*% Ignore NTA table */
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
+		     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
+		     dns_message_t *message, unsigned int options,
+		     isc_task_t *task, isc_taskaction_t action, void *arg,
+		     dns_validator_t **validatorp);
+/*%<
+ * Start a DNSSEC validation.
+ *
+ * This validates a response to the question given by
+ * 'name' and 'type'.
+ *
+ * To validate a positive response, the response data is
+ * given by 'rdataset' and 'sigrdataset'.  If 'sigrdataset'
+ * is NULL, the data is presumed insecure and an attempt
+ * is made to prove its insecurity by finding the appropriate
+ * null key.
+ *
+ * The complete response message may be given in 'message',
+ * to make available any authority section NSECs that may be
+ * needed for validation of a response resulting from a
+ * wildcard expansion (though no such wildcard validation
+ * is implemented yet).  If the complete response message
+ * is not available, 'message' is NULL.
+ *
+ * To validate a negative response, the complete negative response
+ * message is given in 'message'.  The 'rdataset', and
+ * 'sigrdataset' arguments must be NULL, but the 'name' and 'type'
+ * arguments must be provided.
+ *
+ * The validation is performed in the context of 'view'.
+ *
+ * When the validation finishes, a dns_validatorevent_t with
+ * the given 'action' and 'arg' are sent to 'task'.
+ * Its 'result' field will be ISC_R_SUCCESS iff the
+ * response was successfully proven to be either secure or
+ * part of a known insecure domain.
+ */
+
+void
+dns_validator_send(dns_validator_t *validator);
+/*%<
+ * Send a deferred validation request
+ *
+ * Requires:
+ *	'validator' to points to a valid DNSSEC validator.
+ */
+
+void
+dns_validator_cancel(dns_validator_t *validator);
+/*%<
+ * Cancel a DNSSEC validation in progress.
+ *
+ * Requires:
+ *\li	'validator' points to a valid DNSSEC validator, which
+ *	may or may not already have completed.
+ *
+ * Ensures:
+ *\li	It the validator has not already sent its completion
+ *	event, it will send it with result code ISC_R_CANCELED.
+ */
+
+void
+dns_validator_destroy(dns_validator_t **validatorp);
+/*%<
+ * Destroy a DNSSEC validator.
+ *
+ * Requires:
+ *\li	'*validatorp' points to a valid DNSSEC validator.
+ * \li	The validator must have completed and sent its completion
+ * 	event.
+ *
+ * Ensures:
+ *\li	All resources used by the validator are freed.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_VALIDATOR_H */
diff --git a/lib/dns/include/dns/version.h b/lib/dns/include/dns/version.h
new file mode 100644
index 0000000..0f5ec7e
--- /dev/null
+++ b/lib/dns/include/dns/version.h
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file dns/version.h */
+
+#ifndef DNS_VERSION_H
+#define DNS_VERSION_H 1
+
+#include <isc/platform.h>
+
+LIBDNS_EXTERNAL_DATA extern const char dns_version[];
+LIBDNS_EXTERNAL_DATA extern const char dns_major[];
+LIBDNS_EXTERNAL_DATA extern const char dns_mapapi[];
+
+#endif /* DNS_VERSION_H */
diff --git a/lib/dns/include/dns/view.h b/lib/dns/include/dns/view.h
new file mode 100644
index 0000000..d6e7f10
--- /dev/null
+++ b/lib/dns/include/dns/view.h
@@ -0,0 +1,1359 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_VIEW_H
+#define DNS_VIEW_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file dns/view.h
+ * \brief
+ * DNS View
+ *
+ * A "view" is a DNS namespace, together with an optional resolver and a
+ * forwarding policy.  A "DNS namespace" is a (possibly empty) set of
+ * authoritative zones together with an optional cache and optional
+ * "hints" information.
+ *
+ * Views start out "unfrozen".  In this state, core attributes like
+ * the cache, set of zones, and forwarding policy may be set.  While
+ * "unfrozen", the caller (e.g. nameserver configuration loading
+ * code), must ensure exclusive access to the view.  When the view is
+ * "frozen", the core attributes become immutable, and the view module
+ * will ensure synchronization.  Freezing allows the view's core attributes
+ * to be accessed without locking.
+ *
+ * MP:
+ *\li	Before the view is frozen, the caller must ensure synchronization.
+ *
+ *\li	After the view is frozen, the module guarantees appropriate
+ *	synchronization of any data structures it creates and manipulates.
+ *
+ * Reliability:
+ *\li	No anticipated impact.
+ *
+ * Resources:
+ *\li	TBS
+ *
+ * Security:
+ *\li	No anticipated impact.
+ *
+ * Standards:
+ *\li	None.
+ */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdio.h>
+
+#include <isc/event.h>
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/mutex.h>
+#include <isc/net.h>
+#include <isc/refcount.h>
+#include <isc/rwlock.h>
+#include <isc/stdtime.h>
+
+#include <dns/acl.h>
+#include <dns/catz.h>
+#include <dns/clientinfo.h>
+#include <dns/dnstap.h>
+#include <dns/fixedname.h>
+#include <dns/rdatastruct.h>
+#include <dns/rpz.h>
+#include <dns/rrl.h>
+#include <dns/types.h>
+#include <dns/zt.h>
+
+ISC_LANG_BEGINDECLS
+
+struct dns_view {
+	/* Unlocked. */
+	unsigned int	  magic;
+	isc_mem_t	 *mctx;
+	dns_rdataclass_t  rdclass;
+	char		 *name;
+	dns_zt_t	 *zonetable;
+	dns_resolver_t	 *resolver;
+	dns_adb_t	 *adb;
+	dns_requestmgr_t *requestmgr;
+	dns_cache_t	 *cache;
+	dns_db_t	 *cachedb;
+	dns_db_t	 *hints;
+
+	/*
+	 * security roots and negative trust anchors.
+	 * internal use only; access via * dns_view_getsecroots()
+	 */
+	dns_keytable_t *secroots_priv;
+	dns_ntatable_t *ntatable_priv;
+
+	isc_mutex_t  lock;
+	bool	     frozen;
+	isc_task_t  *task;
+	isc_event_t  resevent;
+	isc_event_t  adbevent;
+	isc_event_t  reqevent;
+	isc_stats_t *adbstats;
+	isc_stats_t *resstats;
+	dns_stats_t *resquerystats;
+	bool	     cacheshared;
+
+	/* Configurable data. */
+	dns_tsig_keyring_t   *statickeys;
+	dns_tsig_keyring_t   *dynamickeys;
+	dns_peerlist_t	     *peers;
+	dns_order_t	     *order;
+	dns_fwdtable_t	     *fwdtable;
+	bool		      recursion;
+	bool		      qminimization;
+	bool		      qmin_strict;
+	bool		      auth_nxdomain;
+	bool		      use_glue_cache;
+	bool		      minimal_any;
+	dns_minimaltype_t     minimalresponses;
+	bool		      enablevalidation;
+	bool		      acceptexpired;
+	bool		      requireservercookie;
+	bool		      synthfromdnssec;
+	bool		      trust_anchor_telemetry;
+	bool		      root_key_sentinel;
+	dns_transfer_format_t transfer_format;
+	dns_acl_t	     *cacheacl;
+	dns_acl_t	     *cacheonacl;
+	dns_acl_t	     *queryacl;
+	dns_acl_t	     *queryonacl;
+	dns_acl_t	     *recursionacl;
+	dns_acl_t	     *recursiononacl;
+	dns_acl_t	     *sortlist;
+	dns_acl_t	     *notifyacl;
+	dns_acl_t	     *transferacl;
+	dns_acl_t	     *updateacl;
+	dns_acl_t	     *upfwdacl;
+	dns_acl_t	     *denyansweracl;
+	dns_acl_t	     *nocasecompress;
+	bool		      msgcompression;
+	dns_rbt_t	     *answeracl_exclude;
+	dns_rbt_t	     *denyanswernames;
+	dns_rbt_t	     *answernames_exclude;
+	dns_rrl_t	     *rrl;
+	bool		      provideixfr;
+	bool		      requestnsid;
+	bool		      sendcookie;
+	dns_ttl_t	      maxcachettl;
+	dns_ttl_t	      maxncachettl;
+	dns_ttl_t	      mincachettl;
+	dns_ttl_t	      minncachettl;
+	uint32_t	      nta_lifetime;
+	uint32_t	      nta_recheck;
+	char		     *nta_file;
+	dns_ttl_t	      prefetch_trigger;
+	dns_ttl_t	      prefetch_eligible;
+	in_port_t	      dstport;
+	dns_aclenv_t	      aclenv;
+	dns_rdatatype_t	      preferred_glue;
+	bool		      flush;
+	dns_namelist_t	     *delonly;
+	bool		      rootdelonly;
+	dns_namelist_t	     *rootexclude;
+	bool		      checknames;
+	uint16_t	      maxudp;
+	dns_ttl_t	      staleanswerttl;
+	dns_stale_answer_t    staleanswersok;	  /* rndc setting */
+	bool		      staleanswersenable; /* named.conf setting
+						   * */
+	uint32_t	  staleanswerclienttimeout;
+	uint16_t	  nocookieudp;
+	uint16_t	  padding;
+	dns_acl_t	 *pad_acl;
+	unsigned int	  maxbits;
+	dns_dns64list_t	  dns64;
+	unsigned int	  dns64cnt;
+	dns_rpz_zones_t	 *rpzs;
+	dns_catz_zones_t *catzs;
+	dns_dlzdblist_t	  dlz_searched;
+	dns_dlzdblist_t	  dlz_unsearched;
+	uint32_t	  fail_ttl;
+	dns_badcache_t	 *failcache;
+
+	/*
+	 * Configurable data for server use only,
+	 * locked by server configuration lock.
+	 */
+	dns_acl_t *matchclients;
+	dns_acl_t *matchdestinations;
+	bool	   matchrecursiveonly;
+
+	/* Locked by themselves. */
+	isc_refcount_t	     references;
+	isc_refcount_t	     weakrefs;
+	atomic_uint_fast32_t attributes;
+
+	/* Under owner's locking control. */
+	ISC_LINK(struct dns_view) link;
+	dns_viewlist_t *viewlist;
+
+	dns_zone_t *managed_keys;
+	dns_zone_t *redirect;
+	dns_name_t *redirectzone; /* points to
+				   * redirectfixed
+				   * when valid */
+	dns_fixedname_t redirectfixed;
+
+	/*
+	 * File and configuration data for zones added at runtime
+	 * (only used in BIND9).
+	 *
+	 * XXX: This should be a pointer to an opaque type that
+	 * named implements.
+	 */
+	char	*new_zone_dir;
+	char	*new_zone_file;
+	char	*new_zone_db;
+	void	*new_zone_dbenv;
+	uint64_t new_zone_mapsize;
+	void	*new_zone_config;
+	void (*cfg_destroy)(void **);
+	isc_mutex_t new_zone_lock;
+
+	unsigned char secret[32]; /* Client secret */
+	unsigned int  v6bias;
+
+	dns_dtenv_t    *dtenv;	 /* Dnstap environment */
+	dns_dtmsgtype_t dttypes; /* Dnstap message types
+				  * to log */
+
+	/* Registered module instances */
+	void *plugins;
+	void (*plugins_free)(isc_mem_t *, void **);
+
+	/* Hook table */
+	void *hooktable; /* ns_hooktable */
+	void (*hooktable_free)(isc_mem_t *, void **);
+};
+
+#define DNS_VIEW_MAGIC	     ISC_MAGIC('V', 'i', 'e', 'w')
+#define DNS_VIEW_VALID(view) ISC_MAGIC_VALID(view, DNS_VIEW_MAGIC)
+
+#define DNS_VIEWATTR_RESSHUTDOWN 0x01
+#define DNS_VIEWATTR_ADBSHUTDOWN 0x02
+#define DNS_VIEWATTR_REQSHUTDOWN 0x04
+
+isc_result_t
+dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, const char *name,
+		dns_view_t **viewp);
+/*%<
+ * Create a view.
+ *
+ * Notes:
+ *
+ *\li	The newly created view has no cache, no resolver, and an empty
+ *	zone table.  The view is not frozen.
+ *
+ * Requires:
+ *
+ *\li	'mctx' is a valid memory context.
+ *
+ *\li	'rdclass' is a valid class.
+ *
+ *\li	'name' is a valid C string.
+ *
+ *\li	viewp != NULL && *viewp == NULL
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *
+ *\li	Other errors are possible.
+ */
+
+void
+dns_view_attach(dns_view_t *source, dns_view_t **targetp);
+/*%<
+ * Attach '*targetp' to 'source'.
+ *
+ * Requires:
+ *
+ *\li	'source' is a valid, frozen view.
+ *
+ *\li	'targetp' points to a NULL dns_view_t *.
+ *
+ * Ensures:
+ *
+ *\li	*targetp is attached to source.
+ *
+ *\li	While *targetp is attached, the view will not shut down.
+ */
+
+void
+dns_view_detach(dns_view_t **viewp);
+/*%<
+ * Detach '*viewp' from its view.
+ *
+ * Requires:
+ *
+ *\li	'viewp' points to a valid dns_view_t *
+ *
+ * Ensures:
+ *
+ *\li	*viewp is NULL.
+ */
+
+void
+dns_view_flushanddetach(dns_view_t **viewp);
+/*%<
+ * Detach '*viewp' from its view.  If this was the last reference
+ * uncommitted changed in zones will be flushed to disk.
+ *
+ * Requires:
+ *
+ *\li	'viewp' points to a valid dns_view_t *
+ *
+ * Ensures:
+ *
+ *\li	*viewp is NULL.
+ */
+
+void
+dns_view_weakattach(dns_view_t *source, dns_view_t **targetp);
+/*%<
+ * Weakly attach '*targetp' to 'source'.
+ *
+ * Requires:
+ *
+ *\li	'source' is a valid, frozen view.
+ *
+ *\li	'targetp' points to a NULL dns_view_t *.
+ *
+ * Ensures:
+ *
+ *\li	*targetp is attached to source.
+ *
+ * \li	While *targetp is attached, the view will not be freed.
+ */
+
+void
+dns_view_weakdetach(dns_view_t **targetp);
+/*%<
+ * Detach '*viewp' from its view.
+ *
+ * Requires:
+ *
+ *\li	'viewp' points to a valid dns_view_t *.
+ *
+ * Ensures:
+ *
+ *\li	*viewp is NULL.
+ */
+
+isc_result_t
+dns_view_createzonetable(dns_view_t *view);
+/*%<
+ * Create a zonetable for the view.
+ *
+ * Requires:
+ *
+ *\li	'view' is a valid, unfrozen view.
+ *
+ *\li	'view' does not have a zonetable already.
+ *
+ * Returns:
+ *
+ *\li   	#ISC_R_SUCCESS
+ *
+ *\li	Any error that dns_zt_create() can return.
+ */
+
+isc_result_t
+dns_view_createresolver(dns_view_t *view, isc_taskmgr_t *taskmgr,
+			unsigned int ntasks, unsigned int ndisp,
+			isc_socketmgr_t *socketmgr, isc_timermgr_t *timermgr,
+			unsigned int options, dns_dispatchmgr_t *dispatchmgr,
+			dns_dispatch_t *dispatchv4, dns_dispatch_t *dispatchv6);
+/*%<
+ * Create a resolver and address database for the view.
+ *
+ * Requires:
+ *
+ *\li	'view' is a valid, unfrozen view.
+ *
+ *\li	'view' does not have a resolver already.
+ *
+ *\li	The requirements of dns_resolver_create() apply to 'taskmgr',
+ *	'ntasks', 'socketmgr', 'timermgr', 'options', 'dispatchv4', and
+ *	'dispatchv6'.
+ *
+ * Returns:
+ *
+ *\li   	#ISC_R_SUCCESS
+ *
+ *\li	Any error that dns_resolver_create() can return.
+ */
+
+void
+dns_view_setcache(dns_view_t *view, dns_cache_t *cache, bool shared);
+/*%<
+ * Set the view's cache database.  If 'shared' is true, this means the cache
+ * is created by another view and is shared with that view.  dns_view_setcache()
+ * is a backward compatible version equivalent to setcache2(..., false).
+ *
+ * Requires:
+ *
+ *\li	'view' is a valid, unfrozen view.
+ *
+ *\li	'cache' is a valid cache.
+ *
+ * Ensures:
+ *
+ * \li    	The cache of 'view' is 'cached.
+ *
+ *\li	If this is not the first call to dns_view_setcache() for this
+ *	view, then previously set cache is detached.
+ */
+
+void
+dns_view_sethints(dns_view_t *view, dns_db_t *hints);
+/*%<
+ * Set the view's hints database.
+ *
+ * Requires:
+ *
+ *\li	'view' is a valid, unfrozen view, whose hints database has not been
+ *	set.
+ *
+ *\li	'hints' is a valid zone database.
+ *
+ * Ensures:
+ *
+ * \li    	The hints database of 'view' is 'hints'.
+ */
+
+void
+dns_view_setkeyring(dns_view_t *view, dns_tsig_keyring_t *ring);
+void
+dns_view_setdynamickeyring(dns_view_t *view, dns_tsig_keyring_t *ring);
+/*%<
+ * Set the view's static TSIG keys
+ *
+ * Requires:
+ *
+ *   \li   'view' is a valid, unfrozen view, whose static TSIG keyring has not
+ *	been set.
+ *
+ *\li      'ring' is a valid TSIG keyring
+ *
+ * Ensures:
+ *
+ *\li      The static TSIG keyring of 'view' is 'ring'.
+ */
+
+void
+dns_view_getdynamickeyring(dns_view_t *view, dns_tsig_keyring_t **ringp);
+/*%<
+ * Return the views dynamic keys.
+ *
+ *   \li  'view' is a valid, unfrozen view.
+ *   \li  'ringp' != NULL && ringp == NULL.
+ */
+
+void
+dns_view_setdstport(dns_view_t *view, in_port_t dstport);
+/*%<
+ * Set the view's destination port.  This is the port to
+ * which outgoing queries are sent.  The default is 53,
+ * the standard DNS port.
+ *
+ * Requires:
+ *
+ *\li      'view' is a valid view.
+ *
+ *\li      'dstport' is a valid TCP/UDP port number.
+ *
+ * Ensures:
+ *\li	External name servers will be assumed to be listening
+ *	on 'dstport'.  For servers whose address has already
+ *	obtained obtained at the time of the call, the view may
+ *	continue to use the previously set port until the address
+ *	times out from the view's address database.
+ */
+
+isc_result_t
+dns_view_addzone(dns_view_t *view, dns_zone_t *zone);
+/*%<
+ * Add zone 'zone' to 'view'.
+ *
+ * Requires:
+ *
+ *\li	'view' is a valid, unfrozen view.
+ *
+ *\li	'zone' is a valid zone.
+ */
+
+void
+dns_view_freeze(dns_view_t *view);
+/*%<
+ * Freeze view.  No changes can be made to view configuration while frozen.
+ *
+ * Requires:
+ *
+ *\li	'view' is a valid, unfrozen view.
+ *
+ * Ensures:
+ *
+ *\li	'view' is frozen.
+ */
+
+void
+dns_view_thaw(dns_view_t *view);
+/*%<
+ * Thaw view.  This allows zones to be added or removed at runtime.  This is
+ * NOT thread-safe; the caller MUST have run isc_task_exclusive() prior to
+ * thawing the view.
+ *
+ * Requires:
+ *
+ *\li	'view' is a valid, frozen view.
+ *
+ * Ensures:
+ *
+ *\li	'view' is no longer frozen.
+ */
+
+isc_result_t
+dns_view_find(dns_view_t *view, const dns_name_t *name, dns_rdatatype_t type,
+	      isc_stdtime_t now, unsigned int options, bool use_hints,
+	      bool use_static_stub, dns_db_t **dbp, dns_dbnode_t **nodep,
+	      dns_name_t *foundname, dns_rdataset_t *rdataset,
+	      dns_rdataset_t *sigrdataset);
+/*%<
+ * Find an rdataset whose owner name is 'name', and whose type is
+ * 'type'.
+ * In general, this function first searches view's zone and cache DBs for the
+ * best match data against 'name'.  If nothing found there, and if 'use_hints'
+ * is true, the view's hint DB (if configured) is searched.
+ * If the view is configured with a static-stub zone which gives the longest
+ * match for 'name' among the zones, however, the cache DB is not consulted
+ * unless 'use_static_stub' is false (see below about this argument).
+ *
+ * dns_view_find() is a backward compatible version equivalent to
+ * dns_view_find2() with use_static_stub argument being false.
+ *
+ * Notes:
+ *
+ *\li	See the description of dns_db_find() for information about 'options'.
+ *	If the caller sets #DNS_DBFIND_GLUEOK, it must ensure that 'name'
+ *	and 'type' are appropriate for glue retrieval.
+ *
+ *\li	If 'now' is zero, then the current time will be used.
+ *
+ *\li	If 'use_hints' is true, and the view has a hints database, then
+ *	it will be searched last.  If the answer is found in the hints
+ *	database, the result code will be DNS_R_HINT.  If the name is found
+ *	in the hints database but not the type, the result code will be
+ *	#DNS_R_HINTNXRRSET.
+ *
+ *\li	If 'use_static_stub' is false and the longest match zone for 'name'
+ *	is a static-stub zone, it's ignored and the cache and/or hints will be
+ *	searched.  In the majority of the cases this argument should be
+ *	false.  The only known usage of this argument being true is
+ *	if this search is for a "bailiwick" glue A or AAAA RRset that may
+ *	best match a static-stub zone.  Consider the following example:
+ *	this view is configured with a static-stub zone "example.com",
+ *	and an attempt of recursive resolution needs to send a query for the
+ *	zone.  In this case it's quite likely that the resolver is trying to
+ *	find A/AAAA RRs for the apex name "example.com".  And, to honor the
+ *	static-stub configuration it needs to return the glue RRs in the
+ *	static-stub zone even if that exact RRs coming from the authoritative
+ *	zone has been cached.
+ *	In other general cases, the requested data is better to be
+ *	authoritative, either locally configured or retrieved from an external
+ *	server, and the data in the static-stub zone should better be ignored.
+ *
+ *\li	'foundname' must meet the requirements of dns_db_find().
+ *
+ *\li	If 'sigrdataset' is not NULL, and there is a SIG rdataset which
+ *	covers 'type', then 'sigrdataset' will be bound to it.
+ *
+ * Requires:
+ *
+ *\li	'view' is a valid, frozen view.
+ *
+ *\li	'name' is valid name.
+ *
+ *\li	'type' is a valid dns_rdatatype_t, and is not a meta query type
+ *	except dns_rdatatype_any.
+ *
+ *\li	dbp == NULL || *dbp == NULL
+ *
+ *\li	nodep == NULL || *nodep == NULL.  If nodep != NULL, dbp != NULL.
+ *
+ *\li	'foundname' is a valid name with a dedicated buffer or NULL.
+ *
+ *\li	'rdataset' is a valid, disassociated rdataset.
+ *
+ *\li	'sigrdataset' is NULL, or is a valid, disassociated rdataset.
+ *
+ * Ensures:
+ *
+ *\li	In successful cases, 'rdataset', and possibly 'sigrdataset', are
+ *	bound to the found data.
+ *
+ *\li	If dbp != NULL, it points to the database containing the data.
+ *
+ *\li	If nodep != NULL, it points to the database node containing the data.
+ *
+ *\li	If foundname != NULL, it contains the full name of the found data.
+ *
+ * Returns:
+ *
+ *\li	Any result that dns_db_find() can return, with the exception of
+ *	#DNS_R_DELEGATION.
+ */
+
+isc_result_t
+dns_view_simplefind(dns_view_t *view, const dns_name_t *name,
+		    dns_rdatatype_t type, isc_stdtime_t now,
+		    unsigned int options, bool use_hints,
+		    dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
+/*%<
+ * Find an rdataset whose owner name is 'name', and whose type is
+ * 'type'.
+ *
+ * Notes:
+ *
+ *\li	This routine is appropriate for simple, exact-match queries of the
+ *	view.  'name' must be a canonical name; there is no DNAME or CNAME
+ *	processing.
+ *
+ *\li	See the description of dns_db_find() for information about 'options'.
+ *	If the caller sets DNS_DBFIND_GLUEOK, it must ensure that 'name'
+ *	and 'type' are appropriate for glue retrieval.
+ *
+ *\li	If 'now' is zero, then the current time will be used.
+ *
+ *\li	If 'use_hints' is true, and the view has a hints database, then
+ *	it will be searched last.  If the answer is found in the hints
+ *	database, the result code will be DNS_R_HINT.  If the name is found
+ *	in the hints database but not the type, the result code will be
+ *	DNS_R_HINTNXRRSET.
+ *
+ *\li	If 'sigrdataset' is not NULL, and there is a SIG rdataset which
+ *	covers 'type', then 'sigrdataset' will be bound to it.
+ *
+ * Requires:
+ *
+ *\li	'view' is a valid, frozen view.
+ *
+ *\li	'name' is valid name.
+ *
+ *\li	'type' is a valid dns_rdatatype_t, and is not a meta query type
+ *	(e.g. dns_rdatatype_any), or dns_rdatatype_rrsig.
+ *
+ *\li	'rdataset' is a valid, disassociated rdataset.
+ *
+ *\li	'sigrdataset' is NULL, or is a valid, disassociated rdataset.
+ *
+ * Ensures:
+ *
+ *\li	In successful cases, 'rdataset', and possibly 'sigrdataset', are
+ *	bound to the found data.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS			Success; result is desired type.
+ *\li	DNS_R_GLUE			Success; result is glue.
+ *\li	DNS_R_HINT			Success; result is a hint.
+ *\li	DNS_R_NCACHENXDOMAIN		Success; result is a ncache entry.
+ *\li	DNS_R_NCACHENXRRSET		Success; result is a ncache entry.
+ *\li	DNS_R_NXDOMAIN			The name does not exist.
+ *\li	DNS_R_NXRRSET			The rrset does not exist.
+ *\li	#ISC_R_NOTFOUND			No matching data found,
+ *					or an error occurred.
+ */
+
+isc_result_t
+dns_view_findzonecut(dns_view_t *view, const dns_name_t *name,
+		     dns_name_t *fname, dns_name_t *dcname, isc_stdtime_t now,
+		     unsigned int options, bool use_hints, bool use_cache,
+		     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
+/*%<
+ * Find the best known zonecut containing 'name'.
+ *
+ * This uses local authority, cache, and optionally hints data.
+ * No external queries are performed.
+ *
+ * Notes:
+ *
+ *\li	If 'now' is zero, then the current time will be used.
+ *
+ *\li	If 'use_hints' is true, and the view has a hints database, then
+ *	it will be searched last.
+ *
+ *\li	If 'use_cache' is true, and the view has a cache, then it will be
+ *	searched.
+ *
+ *\li	If 'sigrdataset' is not NULL, and there is a SIG rdataset which
+ *	covers 'type', then 'sigrdataset' will be bound to it.
+ *
+ *\li	If the DNS_DBFIND_NOEXACT option is set, then the zonecut returned
+ *	(if any) will be the deepest known ancestor of 'name'.
+ *
+ *\li	If dcname is not NULL the deepest cached name is copied to it.
+ *
+ * Requires:
+ *
+ *\li	'view' is a valid, frozen view.
+ *
+ *\li	'name' is valid name.
+ *
+ *\li	'rdataset' is a valid, disassociated rdataset.
+ *
+ *\li	'sigrdataset' is NULL, or is a valid, disassociated rdataset.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS				Success.
+ *
+ *\li	Many other results are possible.
+ */
+
+isc_result_t
+dns_viewlist_find(dns_viewlist_t *list, const char *name,
+		  dns_rdataclass_t rdclass, dns_view_t **viewp);
+/*%<
+ * Search for a view with name 'name' and class 'rdclass' in 'list'.
+ * If found, '*viewp' is (strongly) attached to it.
+ *
+ * Requires:
+ *
+ *\li	'viewp' points to a NULL dns_view_t *.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS		A matching view was found.
+ *\li	#ISC_R_NOTFOUND		No matching view was found.
+ */
+
+isc_result_t
+dns_viewlist_findzone(dns_viewlist_t *list, const dns_name_t *name,
+		      bool allclasses, dns_rdataclass_t rdclass,
+		      dns_zone_t **zonep);
+
+/*%<
+ * Search zone with 'name' in view with 'rdclass' in viewlist 'list'
+ * If found, zone is returned in *zonep. If allclasses is set rdclass is ignored
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS          A matching zone was found.
+ *\li	#ISC_R_NOTFOUND         No matching zone was found.
+ *\li	#ISC_R_MULTIPLE         Multiple zones with the same name were found.
+ */
+
+isc_result_t
+dns_view_findzone(dns_view_t *view, const dns_name_t *name, dns_zone_t **zonep);
+/*%<
+ * Search for the zone 'name' in the zone table of 'view'.
+ * If found, 'zonep' is (strongly) attached to it.  There
+ * are no partial matches.
+ *
+ * Requires:
+ *
+ *\li	'zonep' points to a NULL dns_zone_t *.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		A matching zone was found.
+ *\li	#ISC_R_NOTFOUND		No matching zone was found.
+ *\li	others			An error occurred.
+ */
+
+isc_result_t
+dns_view_load(dns_view_t *view, bool stop, bool newonly);
+
+isc_result_t
+dns_view_asyncload(dns_view_t *view, bool newonly, dns_zt_allloaded_t callback,
+		   void *arg);
+/*%<
+ * Load zones attached to this view.  dns_view_load() loads
+ * all zones whose master file has changed since the last
+ * load
+ *
+ * dns_view_asyncload() loads zones asynchronously.  When all zones
+ * in the view have finished loading, 'callback' is called with argument
+ * 'arg' to inform the caller.
+ *
+ * If 'stop' is true, stop on the first error and return it.
+ * If 'stop' is false (or we are loading asynchronously), ignore errors.
+ *
+ * If 'newonly' is true load only zones that were never loaded.
+ *
+ * Requires:
+ *
+ *\li	'view' is valid.
+ */
+
+isc_result_t
+dns_view_gettsig(dns_view_t *view, const dns_name_t *keyname,
+		 dns_tsigkey_t **keyp);
+/*%<
+ * Find the TSIG key configured in 'view' with name 'keyname',
+ * if any.
+ *
+ * Requires:
+ *\li	keyp points to a NULL dns_tsigkey_t *.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS	A key was found and '*keyp' now points to it.
+ *\li	#ISC_R_NOTFOUND	No key was found.
+ *\li	others		An error occurred.
+ */
+
+isc_result_t
+dns_view_getpeertsig(dns_view_t *view, const isc_netaddr_t *peeraddr,
+		     dns_tsigkey_t **keyp);
+/*%<
+ * Find the TSIG key configured in 'view' for the server whose
+ * address is 'peeraddr', if any.
+ *
+ * Requires:
+ *	keyp points to a NULL dns_tsigkey_t *.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS	A key was found and '*keyp' now points to it.
+ *\li	#ISC_R_NOTFOUND	No key was found.
+ *\li	others		An error occurred.
+ */
+
+isc_result_t
+dns_view_checksig(dns_view_t *view, isc_buffer_t *source, dns_message_t *msg);
+/*%<
+ * Verifies the signature of a message.
+ *
+ * Requires:
+ *
+ *\li	'view' is a valid view.
+ *\li	'source' is a valid buffer containing the message
+ *\li	'msg' is a valid message
+ *
+ * Returns:
+ *\li	see dns_tsig_verify()
+ */
+
+void
+dns_view_dialup(dns_view_t *view);
+/*%<
+ * Perform dialup-time maintenance on the zones of 'view'.
+ */
+
+isc_result_t
+dns_view_dumpdbtostream(dns_view_t *view, FILE *fp);
+/*%<
+ * Dump the current state of the view 'view' to the stream 'fp'
+ * for purposes of analysis or debugging.
+ *
+ * Currently the dumped state includes the view's cache; in the future
+ * it may also include other state such as the address database.
+ * It will not not include authoritative data since it is voluminous and
+ * easily obtainable by other means.
+ *
+ * Requires:
+ *
+ *\li	'view' is valid.
+ *
+ *\li	'fp' refers to a file open for writing.
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS	The cache was successfully dumped.
+ * \li	others		An error occurred (see dns_master_dump)
+ */
+
+isc_result_t
+dns_view_flushcache(dns_view_t *view, bool fixuponly);
+/*%<
+ * Flush the view's cache (and ADB).  If 'fixuponly' is true, it only updates
+ * the internal reference to the cache DB with omitting actual flush operation.
+ * 'fixuponly' is intended to be used for a view that shares a cache with
+ * a different view.  dns_view_flushcache() is a backward compatible version
+ * that always sets fixuponly to false.
+ *
+ * Requires:
+ * 	'view' is valid.
+ *
+ * 	No other tasks are executing.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_view_flushnode(dns_view_t *view, const dns_name_t *name, bool tree);
+/*%<
+ * Flush the given name from the view's cache (and optionally ADB/badcache).
+ *
+ * Flush the given name from the cache, ADB, and bad cache.  If 'tree'
+ * is true, also flush all subdomains of 'name'.
+ *
+ * Requires:
+ *\li	'view' is valid.
+ *\li	'name' is valid.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *	other returns are failures.
+ */
+
+isc_result_t
+dns_view_flushname(dns_view_t *view, const dns_name_t *name);
+/*%<
+ * Flush the given name from the view's cache, ADB and badcache.
+ * Equivalent to dns_view_flushnode(view, name, false).
+ *
+ *
+ * Requires:
+ *\li	'view' is valid.
+ *\li	'name' is valid.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *	other returns are failures.
+ */
+
+isc_result_t
+dns_view_adddelegationonly(dns_view_t *view, const dns_name_t *name);
+/*%<
+ * Add the given name to the delegation only table.
+ *
+ * Requires:
+ *\li	'view' is valid.
+ *\li	'name' is valid.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_view_excludedelegationonly(dns_view_t *view, const dns_name_t *name);
+/*%<
+ * Add the given name to be excluded from the root-delegation-only.
+ *
+ *
+ * Requires:
+ *\li	'view' is valid.
+ *\li	'name' is valid.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ */
+
+bool
+dns_view_isdelegationonly(dns_view_t *view, const dns_name_t *name);
+/*%<
+ * Check if 'name' is in the delegation only table or if
+ * rootdelonly is set that name is not being excluded.
+ *
+ * Requires:
+ *\li	'view' is valid.
+ *\li	'name' is valid.
+ *
+ * Returns:
+ *\li	#true if the name is the table.
+ *\li	#false otherwise.
+ */
+
+void
+dns_view_setrootdelonly(dns_view_t *view, bool value);
+/*%<
+ * Set the root delegation only flag.
+ *
+ * Requires:
+ *\li	'view' is valid.
+ */
+
+bool
+dns_view_getrootdelonly(dns_view_t *view);
+/*%<
+ * Get the root delegation only flag.
+ *
+ * Requires:
+ *\li	'view' is valid.
+ */
+
+isc_result_t
+dns_view_freezezones(dns_view_t *view, bool freeze);
+/*%<
+ * Freeze/thaw updates to master zones.
+ *
+ * Requires:
+ * \li	'view' is valid.
+ */
+
+void
+dns_view_setadbstats(dns_view_t *view, isc_stats_t *stats);
+/*%<
+ * Set a adb statistics set 'stats' for 'view'.
+ *
+ * Requires:
+ * \li	'view' is valid and is not frozen.
+ *
+ *\li	stats is a valid statistics supporting adb statistics
+ *	(see dns/stats.h).
+ */
+
+void
+dns_view_getadbstats(dns_view_t *view, isc_stats_t **statsp);
+/*%<
+ * Get the adb statistics counter set for 'view'.  If a statistics set is
+ * set '*statsp' will be attached to the set; otherwise, '*statsp' will be
+ * untouched.
+ *
+ * Requires:
+ * \li	'view' is valid and is not frozen.
+ *
+ *\li	'statsp' != NULL && '*statsp' != NULL
+ */
+
+void
+dns_view_setresstats(dns_view_t *view, isc_stats_t *stats);
+/*%<
+ * Set a general resolver statistics counter set 'stats' for 'view'.
+ *
+ * Requires:
+ * \li	'view' is valid and is not frozen.
+ *
+ *\li	stats is a valid statistics supporting resolver statistics counters
+ *	(see dns/stats.h).
+ */
+
+void
+dns_view_getresstats(dns_view_t *view, isc_stats_t **statsp);
+/*%<
+ * Get the general statistics counter set for 'view'.  If a statistics set is
+ * set '*statsp' will be attached to the set; otherwise, '*statsp' will be
+ * untouched.
+ *
+ * Requires:
+ * \li	'view' is valid and is not frozen.
+ *
+ *\li	'statsp' != NULL && '*statsp' != NULL
+ */
+
+void
+dns_view_setresquerystats(dns_view_t *view, dns_stats_t *stats);
+/*%<
+ * Set a statistics counter set of rdata type, 'stats', for 'view'.  Once the
+ * statistic set is installed, view's resolver will count outgoing queries
+ * per rdata type.
+ *
+ * Requires:
+ * \li	'view' is valid and is not frozen.
+ *
+ *\li	stats is a valid statistics created by dns_rdatatypestats_create().
+ */
+
+void
+dns_view_getresquerystats(dns_view_t *view, dns_stats_t **statsp);
+/*%<
+ * Get the rdatatype statistics counter set for 'view'.  If a statistics set is
+ * set '*statsp' will be attached to the set; otherwise, '*statsp' will be
+ * untouched.
+ *
+ * Requires:
+ * \li	'view' is valid and is not frozen.
+ *
+ *\li	'statsp' != NULL && '*statsp' != NULL
+ */
+
+bool
+dns_view_iscacheshared(dns_view_t *view);
+/*%<
+ * Check if the view shares the cache created by another view.
+ *
+ * Requires:
+ * \li	'view' is valid.
+ *
+ * Returns:
+ *\li	#true if the cache is shared.
+ *\li	#false otherwise.
+ */
+
+isc_result_t
+dns_view_initntatable(dns_view_t *view, isc_taskmgr_t *taskmgr,
+		      isc_timermgr_t *timermgr);
+/*%<
+ * Initialize the negative trust anchor table for the view.
+ *
+ * Requires:
+ * \li	'view' is valid.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS
+ *\li	Any other result indicates failure
+ */
+
+isc_result_t
+dns_view_getntatable(dns_view_t *view, dns_ntatable_t **ntp);
+/*%<
+ * Get the negative trust anchor table for this view.  Returns
+ * ISC_R_NOTFOUND if the table not been initialized for the view.
+ *
+ * '*ntp' is attached on success; the caller is responsible for
+ * detaching it with dns_ntatable_detach().
+ *
+ * Requires:
+ * \li	'view' is valid.
+ * \li	'nta' is not NULL and '*nta' is NULL.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_NOTFOUND
+ */
+
+isc_result_t
+dns_view_initsecroots(dns_view_t *view, isc_mem_t *mctx);
+/*%<
+ * Initialize security roots for the view, detaching any previously
+ * existing security roots first.  (Note that secroots_priv is
+ * NULL until this function is called, so any function using
+ * security roots must check that they have been initialized first.
+ * One way to do this is use dns_view_getsecroots() and check its
+ * return value.)
+ *
+ * Requires:
+ * \li	'view' is valid.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS
+ *\li	Any other result indicates failure
+ */
+
+isc_result_t
+dns_view_getsecroots(dns_view_t *view, dns_keytable_t **ktp);
+/*%<
+ * Get the security roots for this view.  Returns ISC_R_NOTFOUND if
+ * the security roots keytable has not been initialized for the view.
+ *
+ * '*ktp' is attached on success; the caller is responsible for
+ * detaching it with dns_keytable_detach().
+ *
+ * Requires:
+ * \li	'view' is valid.
+ * \li	'ktp' is not NULL and '*ktp' is NULL.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_NOTFOUND
+ */
+
+isc_result_t
+dns_view_issecuredomain(dns_view_t *view, const dns_name_t *name,
+			isc_stdtime_t now, bool checknta, bool *ntap,
+			bool *secure_domain);
+/*%<
+ * Is 'name' at or beneath a trusted key, and not covered by a valid
+ * negative trust anchor?  Put answer in '*secure_domain'.
+ *
+ * If 'checknta' is false, ignore the NTA table in determining
+ * whether this is a secure domain. If 'checknta' is not false, and if
+ * 'ntap' is non-NULL, then '*ntap' will be updated with true if the
+ * name is covered by an NTA.
+ *
+ * Requires:
+ * \li	'view' is valid.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS
+ *\li	Any other value indicates failure
+ */
+
+bool
+dns_view_ntacovers(dns_view_t *view, isc_stdtime_t now, const dns_name_t *name,
+		   const dns_name_t *anchor);
+/*%<
+ * Is there a current negative trust anchor above 'name' and below 'anchor'?
+ *
+ * Requires:
+ * \li	'view' is valid.
+ *
+ * Returns:
+ *\li	ISC_R_TRUE
+ *\li	ISC_R_FALSE
+ */
+
+void
+dns_view_untrust(dns_view_t *view, const dns_name_t *keyname,
+		 const dns_rdata_dnskey_t *dnskey);
+/*%<
+ * Remove keys that match 'keyname' and 'dnskey' from the views trust
+ * anchors.
+ *
+ * (NOTE: If the configuration specifies that there should be a
+ * trust anchor at 'keyname', but no keys are left after this
+ * operation, that is an error.  We fail closed, inserting a NULL
+ * key so as to prevent validation until a legimitate key has been
+ * provided.)
+ *
+ * Requires:
+ * \li	'view' is valid.
+ * \li	'keyname' is valid.
+ * \li	'dnskey' is valid.
+ */
+
+bool
+dns_view_istrusted(dns_view_t *view, const dns_name_t *keyname,
+		   const dns_rdata_dnskey_t *dnskey);
+/*%<
+ * Determine if the key defined by 'keyname' and 'dnskey' is
+ * trusted by 'view'.
+ *
+ * Requires:
+ * \li	'view' is valid.
+ * \li	'keyname' is valid.
+ * \li	'dnskey' is valid.
+ */
+
+isc_result_t
+dns_view_setnewzones(dns_view_t *view, bool allow, void *cfgctx,
+		     void (*cfg_destroy)(void **), uint64_t mapsize);
+/*%<
+ * Set whether or not to allow zones to be created or deleted at runtime.
+ *
+ * If 'allow' is true, determines the filename into which new zone
+ * configuration will be written.  Preserves the configuration context
+ * (a pointer to which is passed in 'cfgctx') for use when parsing new
+ * zone configuration.  'cfg_destroy' points to a callback routine to
+ * destroy the configuration context when the view is destroyed.  (This
+ * roundabout method is used in order to avoid libdns having a dependency
+ * on libisccfg and libbind9.)
+ *
+ * If 'allow' is false, removes any existing references to
+ * configuration context and frees any memory.
+ *
+ * Requires:
+ * \li 'view' is valid.
+ *
+ * Returns:
+ * \li ISC_R_SUCCESS
+ * \li ISC_R_NOSPACE
+ */
+
+void
+dns_view_setnewzonedir(dns_view_t *view, const char *dir);
+const char *
+dns_view_getnewzonedir(dns_view_t *view);
+/*%<
+ * Set/get the path to the directory in which NZF or NZD files should
+ * be stored. If the path was previously set to a non-NULL value,
+ * the previous value is freed.
+ *
+ * Requires:
+ * \li 'view' is valid.
+ */
+
+void
+dns_view_restorekeyring(dns_view_t *view);
+
+isc_result_t
+dns_view_searchdlz(dns_view_t *view, const dns_name_t *name,
+		   unsigned int minlabels, dns_clientinfomethods_t *methods,
+		   dns_clientinfo_t *clientinfo, dns_db_t **dbp);
+
+/*%<
+ * Search through the DLZ database(s) in view->dlz_searched to find
+ * one that can answer a query for 'name', using the DLZ driver's
+ * findzone method.  If successful, '*dbp' is set to point to the
+ * DLZ database.
+ *
+ * Returns:
+ * \li ISC_R_SUCCESS
+ * \li ISC_R_NOTFOUND
+ *
+ * Requires:
+ * \li 'view' is valid.
+ * \li 'name' is not NULL.
+ * \li 'dbp' is not NULL and *dbp is NULL.
+ */
+
+uint32_t
+dns_view_getfailttl(dns_view_t *view);
+/*%<
+ * Get the view's servfail-ttl.  zero => no servfail caching.
+ *
+ * Requires:
+ *\li	'view' to be valid.
+ */
+
+void
+dns_view_setfailttl(dns_view_t *view, uint32_t failttl);
+/*%<
+ * Set the view's servfail-ttl.  zero => no servfail caching.
+ *
+ * Requires:
+ *\li	'view' to be valid.
+ */
+
+isc_result_t
+dns_view_saventa(dns_view_t *view);
+/*%<
+ * Save NTA for names in this view to a file.
+ *
+ * Requires:
+ *\li	'view' to be valid.
+ */
+
+isc_result_t
+dns_view_loadnta(dns_view_t *view);
+/*%<
+ * Loads NTA for names in this view from a file.
+ *
+ * Requires:
+ *\li	'view' to be valid.
+ */
+
+void
+dns_view_setviewcommit(dns_view_t *view);
+/*%<
+ * Commit dns_zone_setview() calls previously made for all zones in this
+ * view.
+ *
+ * Requires:
+ *\li	'view' to be valid.
+ */
+
+void
+dns_view_setviewrevert(dns_view_t *view);
+/*%<
+ * Revert dns_zone_setview() calls previously made for all zones in this
+ * view.
+ *
+ * Requires:
+ *\li	'view' to be valid.
+ */
+
+bool
+dns_view_staleanswerenabled(dns_view_t *view);
+/*%<
+ * Check if stale answers are enabled for this view.
+ *
+ * Requires:
+ *\li	'view' to be valid.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_VIEW_H */
diff --git a/lib/dns/include/dns/xfrin.h b/lib/dns/include/dns/xfrin.h
new file mode 100644
index 0000000..2c0f530
--- /dev/null
+++ b/lib/dns/include/dns/xfrin.h
@@ -0,0 +1,98 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_XFRIN_H
+#define DNS_XFRIN_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file dns/xfrin.h
+ * \brief
+ * Incoming zone transfers (AXFR + IXFR).
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+/***
+ *** Types
+ ***/
+
+/*%
+ * A transfer in progress.  This is an opaque type.
+ */
+typedef struct dns_xfrin_ctx dns_xfrin_ctx_t;
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_xfrin_create(dns_zone_t *zone, dns_rdatatype_t xfrtype,
+		 const isc_sockaddr_t *masteraddr,
+		 const isc_sockaddr_t *sourceaddr, isc_dscp_t dscp,
+		 dns_tsigkey_t *tsigkey, isc_mem_t *mctx,
+		 isc_timermgr_t *timermgr, isc_socketmgr_t *socketmgr,
+		 isc_task_t *task, dns_xfrindone_t done,
+		 dns_xfrin_ctx_t **xfrp);
+/*%<
+ * Attempt to start an incoming zone transfer of 'zone'
+ * from 'masteraddr', creating a dns_xfrin_ctx_t object to
+ * manage it.  Attach '*xfrp' to the newly created object.
+ *
+ * Iff ISC_R_SUCCESS is returned, '*done' is guaranteed to be
+ * called in the context of 'task', with 'zone' and a result
+ * code as arguments when the transfer finishes.
+ *
+ * Requires:
+ *\li	'xfrtype' is dns_rdatatype_axfr, dns_rdatatype_ixfr
+ *	or dns_rdatatype_soa (soa query followed by axfr if
+ *	serial is greater than current serial).
+ *
+ *\li	If 'xfrtype' is dns_rdatatype_ixfr or dns_rdatatype_soa,
+ *	the zone has a database.
+ */
+
+void
+dns_xfrin_shutdown(dns_xfrin_ctx_t *xfr);
+/*%<
+ * If the zone transfer 'xfr' has already finished,
+ * do nothing.  Otherwise, abort it and cause it to call
+ * its done callback with a status of ISC_R_CANCELED.
+ */
+
+void
+dns_xfrin_detach(dns_xfrin_ctx_t **xfrp);
+/*%<
+ * Detach a reference to a zone transfer object.
+ * Caller to maintain external locking if required.
+ */
+
+void
+dns_xfrin_attach(dns_xfrin_ctx_t *source, dns_xfrin_ctx_t **target);
+/*%<
+ * Caller to maintain external locking if required.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_XFRIN_H */
diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h
new file mode 100644
index 0000000..4bdc936
--- /dev/null
+++ b/lib/dns/include/dns/zone.h
@@ -0,0 +1,2726 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_ZONE_H
+#define DNS_ZONE_H 1
+
+/*! \file dns/zone.h */
+
+/***
+ ***	Imports
+ ***/
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdio.h>
+
+#include <isc/formatcheck.h>
+#include <isc/lang.h>
+#include <isc/rwlock.h>
+
+#include <dns/catz.h>
+#include <dns/master.h>
+#include <dns/masterdump.h>
+#include <dns/rdatastruct.h>
+#include <dns/rpz.h>
+#include <dns/types.h>
+#include <dns/zt.h>
+
+typedef enum {
+	dns_zone_none,
+	dns_zone_primary,
+	dns_zone_secondary,
+	dns_zone_mirror,
+	dns_zone_stub,
+	dns_zone_staticstub,
+	dns_zone_key,
+	dns_zone_dlz,
+	dns_zone_redirect
+} dns_zonetype_t;
+
+#ifndef dns_zone_master
+#define dns_zone_master dns_zone_primary
+#endif /* dns_zone_master */
+
+#ifndef dns_zone_slave
+#define dns_zone_slave dns_zone_secondary
+#endif /* dns_zone_slave */
+
+typedef enum {
+	dns_zonestat_none = 0,
+	dns_zonestat_terse,
+	dns_zonestat_full
+} dns_zonestat_level_t;
+
+typedef enum {
+	DNS_ZONEOPT_MANYERRORS = 1 << 0,    /*%< return many errors on load */
+	DNS_ZONEOPT_IXFRFROMDIFFS = 1 << 1, /*%< calculate differences */
+	DNS_ZONEOPT_NOMERGE = 1 << 2,	    /*%< don't merge journal */
+	DNS_ZONEOPT_CHECKNS = 1 << 3,	    /*%< check if NS's are addresses */
+	DNS_ZONEOPT_FATALNS = 1 << 4,	    /*%< DNS_ZONEOPT_CHECKNS is fatal */
+	DNS_ZONEOPT_MULTIMASTER = 1 << 5,   /*%< this zone has multiple
+						 primaries */
+	DNS_ZONEOPT_USEALTXFRSRC = 1 << 6,  /*%< use alternate transfer sources
+					     */
+	DNS_ZONEOPT_CHECKNAMES = 1 << 7,    /*%< check-names */
+	DNS_ZONEOPT_CHECKNAMESFAIL = 1 << 8, /*%< fatal check-name failures */
+	DNS_ZONEOPT_CHECKWILDCARD = 1 << 9, /*%< check for internal wildcards */
+	DNS_ZONEOPT_CHECKMX = 1 << 10,	    /*%< check-mx */
+	DNS_ZONEOPT_CHECKMXFAIL = 1 << 11,  /*%< fatal check-mx failures */
+	DNS_ZONEOPT_CHECKINTEGRITY = 1 << 12, /*%< perform integrity checks */
+	DNS_ZONEOPT_CHECKSIBLING = 1 << 13, /*%< perform sibling glue checks */
+	DNS_ZONEOPT_NOCHECKNS = 1 << 14,    /*%< disable IN NS address checks */
+	DNS_ZONEOPT_WARNMXCNAME = 1 << 15,  /*%< warn on MX CNAME check */
+	DNS_ZONEOPT_IGNOREMXCNAME = 1 << 16,  /*%< ignore MX CNAME check */
+	DNS_ZONEOPT_WARNSRVCNAME = 1 << 17,   /*%< warn on SRV CNAME check */
+	DNS_ZONEOPT_IGNORESRVCNAME = 1 << 18, /*%< ignore SRV CNAME check */
+	DNS_ZONEOPT_UPDATECHECKKSK = 1 << 19, /*%< check dnskey KSK flag */
+	DNS_ZONEOPT_TRYTCPREFRESH = 1 << 20, /*%< try tcp refresh on udp failure
+					      */
+	DNS_ZONEOPT_NOTIFYTOSOA = 1 << 21,   /*%< Notify the SOA MNAME */
+	DNS_ZONEOPT_NSEC3TESTZONE = 1 << 22, /*%< nsec3-test-zone */
+	DNS_ZONEOPT_SECURETOINSECURE = 1 << 23, /*%< dnssec-secure-to-insecure
+						 */
+	DNS_ZONEOPT_DNSKEYKSKONLY = 1 << 24,	/*%< dnssec-dnskey-kskonly */
+	DNS_ZONEOPT_CHECKDUPRR = 1 << 25,	/*%< check-dup-records */
+	DNS_ZONEOPT_CHECKDUPRRFAIL = 1 << 26,	/*%< fatal check-dup-records
+						 * failures */
+	DNS_ZONEOPT_CHECKSPF = 1 << 27,		/*%< check SPF records */
+	DNS_ZONEOPT_CHECKTTL = 1 << 28,		/*%< check max-zone-ttl */
+	DNS_ZONEOPT_AUTOEMPTY = 1 << 29,	/*%< automatic empty zone */
+	DNS_ZONEOPT___MAX = UINT64_MAX, /* trick to make the ENUM 64-bit wide */
+} dns_zoneopt_t;
+
+/*
+ * Zone key maintenance options
+ */
+typedef enum {
+	DNS_ZONEKEY_ALLOW = 0x00000001U,    /*%< fetch keys on command */
+	DNS_ZONEKEY_MAINTAIN = 0x00000002U, /*%< publish/sign on schedule */
+	DNS_ZONEKEY_CREATE = 0x00000004U,   /*%< make keys when needed */
+	DNS_ZONEKEY_FULLSIGN = 0x00000008U, /*%< roll to new keys immediately */
+	DNS_ZONEKEY_NORESIGN = 0x00000010U, /*%< no automatic resigning */
+	DNS_ZONEKEY___MAX = UINT64_MAX, /* trick to make the ENUM 64-bit wide */
+} dns_zonekey_t;
+
+#ifndef DNS_ZONE_MINREFRESH
+#define DNS_ZONE_MINREFRESH 300 /*%< 5 minutes */
+#endif				/* ifndef DNS_ZONE_MINREFRESH */
+#ifndef DNS_ZONE_MAXREFRESH
+#define DNS_ZONE_MAXREFRESH 2419200 /*%< 4 weeks */
+#endif				    /* ifndef DNS_ZONE_MAXREFRESH */
+#ifndef DNS_ZONE_DEFAULTREFRESH
+#define DNS_ZONE_DEFAULTREFRESH 3600 /*%< 1 hour */
+#endif				     /* ifndef DNS_ZONE_DEFAULTREFRESH */
+#ifndef DNS_ZONE_MINRETRY
+#define DNS_ZONE_MINRETRY 300 /*%< 5 minutes */
+#endif			      /* ifndef DNS_ZONE_MINRETRY */
+#ifndef DNS_ZONE_MAXRETRY
+#define DNS_ZONE_MAXRETRY 1209600 /*%< 2 weeks */
+#endif				  /* ifndef DNS_ZONE_MAXRETRY */
+#ifndef DNS_ZONE_DEFAULTRETRY
+#define DNS_ZONE_DEFAULTRETRY        \
+	60 /*%< 1 minute, subject to \
+	    * exponential backoff */
+#endif	   /* ifndef DNS_ZONE_DEFAULTRETRY */
+
+#define DNS_ZONESTATE_XFERRUNNING  1
+#define DNS_ZONESTATE_XFERDEFERRED 2
+#define DNS_ZONESTATE_SOAQUERY	   3
+#define DNS_ZONESTATE_ANY	   4
+#define DNS_ZONESTATE_AUTOMATIC	   5
+
+ISC_LANG_BEGINDECLS
+
+/***
+ ***	Functions
+ ***/
+
+isc_result_t
+dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx);
+/*%<
+ *	Creates a new empty zone and attach '*zonep' to it.
+ *
+ * Requires:
+ *\li	'zonep' to point to a NULL pointer.
+ *\li	'mctx' to be a valid memory context.
+ *
+ * Ensures:
+ *\li	'*zonep' refers to a valid zone.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_UNEXPECTED
+ */
+
+void
+dns_zone_setclass(dns_zone_t *zone, dns_rdataclass_t rdclass);
+/*%<
+ *	Sets the class of a zone.  This operation can only be performed
+ *	once on a zone.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	dns_zone_setclass() not to have been called since the zone was
+ *	created.
+ *\li	'rdclass' != dns_rdataclass_none.
+ */
+
+dns_rdataclass_t
+dns_zone_getclass(dns_zone_t *zone);
+/*%<
+ *	Returns the current zone class.
+ *
+ * Requires:
+ *\li	'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_getserial(dns_zone_t *zone, uint32_t *serialp);
+/*%<
+ *	Returns the current serial number of the zone.  On success, the SOA
+ *	serial of the zone will be copied into '*serialp'.
+ *
+ * Requires:
+ *\li	'zone' to be a valid zone.
+ *\li	'serialp' to be non NULL
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#DNS_R_NOTLOADED	zone DB is not loaded
+ */
+
+void
+dns_zone_settype(dns_zone_t *zone, dns_zonetype_t type);
+/*%<
+ *	Sets the zone type. This operation can only be performed once on
+ *	a zone.
+ *
+ * Requires:
+ *\li	'zone' to be a valid zone.
+ *\li	dns_zone_settype() not to have been called since the zone was
+ *	created.
+ *\li	'type' != dns_zone_none
+ */
+
+void
+dns_zone_setview(dns_zone_t *zone, dns_view_t *view);
+/*%<
+ *	Associate the zone with a view.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+dns_view_t *
+dns_zone_getview(dns_zone_t *zone);
+/*%<
+ *	Returns the zone's associated view.
+ *
+ * Requires:
+ *\li	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_setviewcommit(dns_zone_t *zone);
+/*%<
+ *	Commit the previous view saved internally via dns_zone_setview().
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_setviewrevert(dns_zone_t *zone);
+/*%<
+ *	Revert the most recent dns_zone_setview() on this zone,
+ *	restoring the previous view.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_setorigin(dns_zone_t *zone, const dns_name_t *origin);
+/*%<
+ *	Sets the zones origin to 'origin'.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'origin' to be non NULL.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li 	#ISC_R_NOMEMORY
+ */
+
+dns_name_t *
+dns_zone_getorigin(dns_zone_t *zone);
+/*%<
+ *	Returns the value of the origin.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_setfile(dns_zone_t *zone, const char *file, dns_masterformat_t format,
+		 const dns_master_style_t *style);
+/*%<
+ *    Sets the name of the master file in the format of 'format' from which
+ *    the zone loads its database to 'file'.
+ *
+ *    For zones that have no associated master file, 'file' will be NULL.
+ *
+ *	For zones with persistent databases, the file name
+ *	setting is ignored.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *
+ * Returns:
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_SUCCESS
+ */
+
+const char *
+dns_zone_getfile(dns_zone_t *zone);
+/*%<
+ * 	Gets the name of the zone's master file, if any.
+ *
+ * Requires:
+ *\li	'zone' to be valid initialised zone.
+ *
+ * Returns:
+ *\li	Pointer to null-terminated file name, or NULL.
+ */
+
+void
+dns_zone_setmaxrecords(dns_zone_t *zone, uint32_t records);
+/*%<
+ * 	Sets the maximum number of records permitted in a zone.
+ *	0 implies unlimited.
+ *
+ * Requires:
+ *\li	'zone' to be valid initialised zone.
+ *
+ * Returns:
+ *\li	void
+ */
+
+uint32_t
+dns_zone_getmaxrecords(dns_zone_t *zone);
+/*%<
+ * 	Gets the maximum number of records permitted in a zone.
+ *	0 implies unlimited.
+ *
+ * Requires:
+ *\li	'zone' to be valid initialised zone.
+ *
+ * Returns:
+ *\li	uint32_t maxrecords.
+ */
+
+void
+dns_zone_setmaxttl(dns_zone_t *zone, uint32_t maxttl);
+/*%<
+ * 	Sets the max ttl of the zone.
+ *
+ * Requires:
+ *\li	'zone' to be valid initialised zone.
+ *
+ * Returns:
+ *\li	void
+ */
+
+dns_ttl_t
+dns_zone_getmaxttl(dns_zone_t *zone);
+/*%<
+ * 	Gets the max ttl of the zone.
+ *
+ * Requires:
+ *\li	'zone' to be valid initialised zone.
+ *
+ * Returns:
+ *\li	dns_ttl_t maxttl.
+ */
+
+void
+dns_zone_lock_keyfiles(dns_zone_t *zone);
+/*%<
+ *	Lock associated keyfiles for this zone.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_unlock_keyfiles(dns_zone_t *zone);
+/*%<
+ *	Unlock associated keyfiles for this zone.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_load(dns_zone_t *zone, bool newonly);
+
+isc_result_t
+dns_zone_loadandthaw(dns_zone_t *zone);
+
+/*%<
+ *	Cause the database to be loaded from its backing store.
+ *	Confirm that the minimum requirements for the zone type are
+ *	met, otherwise DNS_R_BADZONE is returned.
+ *
+ *	If newonly is set dns_zone_load() only loads new zones.
+ *	dns_zone_loadandthaw() is similar to dns_zone_load() but will
+ *	also re-enable DNS UPDATEs when the load completes.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *
+ * Returns:
+ *\li	#ISC_R_UNEXPECTED
+ *\li	#ISC_R_SUCCESS
+ *\li	DNS_R_CONTINUE	  Incremental load has been queued.
+ *\li	DNS_R_UPTODATE	  The zone has already been loaded based on
+ *			  file system timestamps.
+ *\li	DNS_R_BADZONE
+ *\li	Any result value from dns_db_load().
+ */
+
+isc_result_t
+dns_zone_asyncload(dns_zone_t *zone, bool newonly, dns_zt_zoneloaded_t done,
+		   void *arg);
+/*%<
+ * Cause the database to be loaded from its backing store asynchronously.
+ * Other zone maintenance functions are suspended until this is complete.
+ * When finished, 'done' is called to inform the caller, with 'arg' as
+ * its first argument and 'zone' as its second.  (Normally, 'arg' is
+ * expected to point to the zone table but is left undefined for testing
+ * purposes.)
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *
+ * Returns:
+ *\li	#ISC_R_ALREADYRUNNING
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_FAILURE
+ *\li	#ISC_R_NOMEMORY
+ */
+
+bool
+dns__zone_loadpending(dns_zone_t *zone);
+/*%<
+ * Indicates whether the zone is waiting to be loaded asynchronously.
+ * (Not currently intended for use outside of this module and associated
+ * tests.)
+ */
+
+void
+dns_zone_attach(dns_zone_t *source, dns_zone_t **target);
+/*%<
+ *	Attach '*target' to 'source' incrementing its external
+ * 	reference count.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'target' to be non NULL and '*target' to be NULL.
+ */
+
+void
+dns_zone_detach(dns_zone_t **zonep);
+/*%<
+ *	Detach from a zone decrementing its external reference count.
+ *	If this was the last external reference to the zone it will be
+ * 	shut down and eventually freed.
+ *
+ * Require:
+ *\li	'zonep' to point to a valid zone.
+ */
+
+void
+dns_zone_iattach(dns_zone_t *source, dns_zone_t **target);
+/*%<
+ *	Attach '*target' to 'source' incrementing its internal
+ * 	reference count.  This is intended for use by operations
+ * 	such as zone transfers that need to prevent the zone
+ * 	object from being freed but not from shutting down.
+ *
+ * Require:
+ *\li	The caller is running in the context of the zone's task.
+ *\li	'zone' to be a valid zone.
+ *\li	'target' to be non NULL and '*target' to be NULL.
+ */
+
+void
+dns_zone_idetach(dns_zone_t **zonep);
+/*%<
+ *	Detach from a zone decrementing its internal reference count.
+ *	If there are no more internal or external references to the
+ * 	zone, it will be freed.
+ *
+ * Require:
+ *\li	The caller is running in the context of the zone's task.
+ *\li	'zonep' to point to a valid zone.
+ */
+
+isc_result_t
+dns_zone_getdb(dns_zone_t *zone, dns_db_t **dbp);
+/*%<
+ * 	Attach '*dbp' to the database to if it exists otherwise
+ *	return DNS_R_NOTLOADED.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'dbp' to be != NULL && '*dbp' == NULL.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	DNS_R_NOTLOADED
+ */
+
+void
+dns_zone_setdb(dns_zone_t *zone, dns_db_t *db);
+/*%<
+ *	Sets the zone database to 'db'.
+ *
+ *	This function is expected to be used to configure a zone with a
+ *	database which is not loaded from a file or zone transfer.
+ *	It can be used for a general purpose zone, but right now its use
+ *	is limited to static-stub zones to avoid possible undiscovered
+ *	problems in the general cases.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone of static-stub.
+ *\li	zone doesn't have a database.
+ */
+
+void
+dns_zone_setdbtype(dns_zone_t *zone, unsigned int dbargc,
+		   const char *const *dbargv);
+/*%<
+ *	Sets the database type to dbargv[0] and database arguments
+ *	to subsequent dbargv elements.
+ *	'db_type' is not checked to see if it is a valid database type.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'database' to be non NULL.
+ *\li	'dbargc' to be >= 1
+ *\li	'dbargv' to point to dbargc NULL-terminated strings
+ */
+
+isc_result_t
+dns_zone_getdbtype(dns_zone_t *zone, char ***argv, isc_mem_t *mctx);
+/*%<
+ *	Returns the current dbtype.  isc_mem_free() should be used
+ * 	to free 'argv' after use.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'argv' to be non NULL and *argv to be NULL.
+ *\li	'mctx' to be valid.
+ *
+ * Returns:
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_SUCCESS
+ */
+
+void
+dns_zone_markdirty(dns_zone_t *zone);
+/*%<
+ *	Mark a zone as 'dirty'.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_expire(dns_zone_t *zone);
+/*%<
+ *	Mark the zone as expired.  If the zone requires dumping cause it to
+ *	be initiated.  Set the refresh and retry intervals to there default
+ *	values and unload the zone.
+ *
+ * Require
+ *\li	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_refresh(dns_zone_t *zone);
+/*%<
+ *	Initiate zone up to date checks.  The zone must already be being
+ *	managed.
+ *
+ * Require
+ *\li	'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_flush(dns_zone_t *zone);
+/*%<
+ *	Write the zone to database if there are uncommitted changes.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_dump(dns_zone_t *zone);
+/*%<
+ *	Write the zone to database.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_dumptostream(dns_zone_t *zone, FILE *fd, dns_masterformat_t format,
+		      const dns_master_style_t *style,
+		      const uint32_t		rawversion);
+/*%<
+ *    Write the zone to stream 'fd' in the specified 'format'.
+ *    If the 'format' is dns_masterformat_text (RFC1035), 'style' also
+ *    specifies the file style (e.g., &dns_master_style_default).
+ *
+ *    dns_zone_dumptostream() is a backward-compatible form of
+ *    dns_zone_dumptostream2(), which always uses the dns_masterformat_text
+ *    format and the dns_master_style_default style.
+ *
+ *    dns_zone_dumptostream2() is a backward-compatible form of
+ *    dns_zone_dumptostream3(), which always uses the current
+ *    default raw file format version.
+ *
+ *    Note that dns_zone_dumptostream3() is the most flexible form.  It
+ *    can also provide the functionality of dns_zone_fulldumptostream().
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'fd' to be a stream open for writing.
+ */
+
+void
+dns_zone_maintenance(dns_zone_t *zone);
+/*%<
+ *	Perform regular maintenance on the zone.  This is called as a
+ *	result of a zone being managed.
+ *
+ * Require
+ *\li	'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_setprimaries(dns_zone_t *zone, const isc_sockaddr_t *primaries,
+		      uint32_t count);
+isc_result_t
+dns_zone_setprimarieswithkeys(dns_zone_t *zone, const isc_sockaddr_t *primaries,
+			      dns_name_t **keynames, uint32_t count);
+/*%<
+ *	Set the list of master servers for the zone.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'primaries' array of isc_sockaddr_t with port set or NULL.
+ *\li	'count' the number of primaries.
+ *\li	'keynames' array of dns_name_t's for tsig keys or NULL.
+ *
+ *\li	If 'primaries' is NULL then 'count' must be zero.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li      Any result dns_name_dup() can return, if keynames!=NULL
+ */
+
+isc_result_t
+dns_zone_setparentals(dns_zone_t *zone, const isc_sockaddr_t *parentals,
+		      dns_name_t **keynames, uint32_t count);
+/*%<
+ *	Set the list of parental agents for the zone.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'parentals' array of isc_sockaddr_t with port set or NULL.
+ *\li	'count' the number of primaries.
+ *\li	'keynames' array of dns_name_t's for tsig keys or NULL.
+ *
+ *\li	If 'parentals' is NULL then 'count' must be zero.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li      Any result dns_name_dup() can return, if keynames!=NULL
+ */
+
+isc_result_t
+dns_zone_setalsonotify(dns_zone_t *zone, const isc_sockaddr_t *notify,
+		       uint32_t count);
+isc_result_t
+dns_zone_setalsonotifywithkeys(dns_zone_t *zone, const isc_sockaddr_t *notify,
+			       dns_name_t **keynames, uint32_t count);
+isc_result_t
+dns_zone_setalsonotifydscpkeys(dns_zone_t *zone, const isc_sockaddr_t *notify,
+			       const isc_dscp_t *dscps, dns_name_t **keynames,
+			       uint32_t count);
+/*%<
+ *	Set the list of additional servers to be notified when
+ *	a zone changes.	 To clear the list use 'count = 0'.
+ *
+ *	dns_zone_alsonotifywithkeys() allows each notify address to
+ *	be associated with a TSIG key.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'notify' to be non-NULL if count != 0.
+ *\li	'count' to be the number of notifiees.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ */
+
+void
+dns_zone_unload(dns_zone_t *zone);
+/*%<
+ *	detach the database from the zone structure.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+dns_kasp_t *
+dns_zone_getkasp(dns_zone_t *zone);
+/*%<
+ *	Returns the current kasp.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_setkasp(dns_zone_t *zone, dns_kasp_t *kasp);
+/*%<
+ *	Set kasp for zone.  If a kasp is already set, it will be detached.
+ *
+ * Requires:
+ *\li	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_setoption(dns_zone_t *zone, dns_zoneopt_t option, bool value);
+/*%<
+ *	Set the given options on ('value' == true) or off
+ *	('value' == #false).
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+dns_zoneopt_t
+dns_zone_getoptions(dns_zone_t *zone);
+/*%<
+ *	Returns the current zone options.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_setkeyopt(dns_zone_t *zone, unsigned int option, bool value);
+/*%<
+ *	Set key options on ('value' == true) or off ('value' ==
+ *	#false).
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+unsigned int
+dns_zone_getkeyopts(dns_zone_t *zone);
+/*%<
+ *	Returns the current zone key options.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_setminrefreshtime(dns_zone_t *zone, uint32_t val);
+/*%<
+ *	Set the minimum refresh time.
+ *
+ * Requires:
+ *\li	'zone' is valid.
+ *\li	val > 0.
+ */
+
+void
+dns_zone_setmaxrefreshtime(dns_zone_t *zone, uint32_t val);
+/*%<
+ *	Set the maximum refresh time.
+ *
+ * Requires:
+ *\li	'zone' is valid.
+ *\li	val > 0.
+ */
+
+void
+dns_zone_setminretrytime(dns_zone_t *zone, uint32_t val);
+/*%<
+ *	Set the minimum retry time.
+ *
+ * Requires:
+ *\li	'zone' is valid.
+ *\li	val > 0.
+ */
+
+void
+dns_zone_setmaxretrytime(dns_zone_t *zone, uint32_t val);
+/*%<
+ *	Set the maximum retry time.
+ *
+ * Requires:
+ *\li	'zone' is valid.
+ *	val > 0.
+ */
+
+isc_result_t
+dns_zone_setxfrsource4(dns_zone_t *zone, const isc_sockaddr_t *xfrsource);
+isc_result_t
+dns_zone_setaltxfrsource4(dns_zone_t *zone, const isc_sockaddr_t *xfrsource);
+/*%<
+ * 	Set the source address to be used in IPv4 zone transfers.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'xfrsource' to contain the address.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ */
+
+isc_sockaddr_t *
+dns_zone_getxfrsource4(dns_zone_t *zone);
+isc_sockaddr_t *
+dns_zone_getaltxfrsource4(dns_zone_t *zone);
+/*%<
+ *	Returns the source address set by a previous dns_zone_setxfrsource4
+ *	call, or the default of inaddr_any, port 0.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_setxfrsource4dscp(dns_zone_t *zone, isc_dscp_t dscp);
+isc_result_t
+dns_zone_setaltxfrsource4dscp(dns_zone_t *zone, isc_dscp_t dscp);
+/*%<
+ * Set the DSCP value associated with the transfer/alt-transfer source.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ */
+
+isc_dscp_t
+dns_zone_getxfrsource4dscp(dns_zone_t *zone);
+isc_dscp_t
+dns_zone_getaltxfrsource4dscp(dns_zone_t *zone);
+/*%/
+ * Get the DSCP value associated with the transfer/alt-transfer source.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_setxfrsource6(dns_zone_t *zone, const isc_sockaddr_t *xfrsource);
+isc_result_t
+dns_zone_setaltxfrsource6(dns_zone_t *zone, const isc_sockaddr_t *xfrsource);
+/*%<
+ * 	Set the source address to be used in IPv6 zone transfers.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'xfrsource' to contain the address.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ */
+
+isc_sockaddr_t *
+dns_zone_getxfrsource6(dns_zone_t *zone);
+isc_sockaddr_t *
+dns_zone_getaltxfrsource6(dns_zone_t *zone);
+/*%<
+ *	Returns the source address set by a previous dns_zone_setxfrsource6
+ *	call, or the default of in6addr_any, port 0.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+isc_dscp_t
+dns_zone_getxfrsource6dscp(dns_zone_t *zone);
+isc_dscp_t
+dns_zone_getaltxfrsource6dscp(dns_zone_t *zone);
+/*%/
+ * Get the DSCP value associated with the transfer/alt-transfer source.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_setxfrsource6dscp(dns_zone_t *zone, isc_dscp_t dscp);
+isc_result_t
+dns_zone_setaltxfrsource6dscp(dns_zone_t *zone, isc_dscp_t dscp);
+/*%<
+ * Set the DSCP value associated with the transfer/alt-transfer source.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ */
+
+isc_result_t
+dns_zone_setparentalsrc4(dns_zone_t *zone, const isc_sockaddr_t *parentalsrc);
+/*%<
+ * 	Set the source address to be used with IPv4 parental DS queries.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'parentalsrc' to contain the address.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ */
+
+isc_sockaddr_t *
+dns_zone_getparentalsrc4(dns_zone_t *zone);
+/*%<
+ *	Returns the source address set by a previous dns_zone_setparentalsrc4
+ *	call, or the default of inaddr_any, port 0.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+isc_dscp_t
+dns_zone_getparentalsrc4dscp(dns_zone_t *zone);
+/*%/
+ * Get the DSCP value associated with the IPv4 parental source.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_setparentalsrc4dscp(dns_zone_t *zone, isc_dscp_t dscp);
+/*%<
+ * Set the DSCP value associated with the IPv4 parental source.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ */
+
+isc_result_t
+dns_zone_setparentalsrc6(dns_zone_t *zone, const isc_sockaddr_t *parentalsrc);
+/*%<
+ * 	Set the source address to be used with IPv6 parental DS queries.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'parentalsrc' to contain the address.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ */
+
+isc_sockaddr_t *
+dns_zone_getparentalsrc6(dns_zone_t *zone);
+/*%<
+ *	Returns the source address set by a previous dns_zone_setparentalsrc6
+ *	call, or the default of in6addr_any, port 0.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+isc_dscp_t
+dns_zone_getparentalsrc6dscp(dns_zone_t *zone);
+/*%/
+ * Get the DSCP value associated with the IPv6 parental source.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_setparentalsrc6dscp(dns_zone_t *zone, isc_dscp_t dscp);
+/*%<
+ * Set the DSCP value associated with the IPv6 parental source.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ */
+
+isc_result_t
+dns_zone_setnotifysrc4(dns_zone_t *zone, const isc_sockaddr_t *notifysrc);
+/*%<
+ * 	Set the source address to be used with IPv4 NOTIFY messages.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'notifysrc' to contain the address.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ */
+
+isc_sockaddr_t *
+dns_zone_getnotifysrc4(dns_zone_t *zone);
+/*%<
+ *	Returns the source address set by a previous dns_zone_setnotifysrc4
+ *	call, or the default of inaddr_any, port 0.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+isc_dscp_t
+dns_zone_getnotifysrc4dscp(dns_zone_t *zone);
+/*%/
+ * Get the DSCP value associated with the IPv4 notify source.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_setnotifysrc4dscp(dns_zone_t *zone, isc_dscp_t dscp);
+/*%<
+ * Set the DSCP value associated with the IPv4 notify source.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ */
+
+isc_result_t
+dns_zone_setnotifysrc6(dns_zone_t *zone, const isc_sockaddr_t *notifysrc);
+/*%<
+ * 	Set the source address to be used with IPv6 NOTIFY messages.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'notifysrc' to contain the address.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ */
+
+isc_sockaddr_t *
+dns_zone_getnotifysrc6(dns_zone_t *zone);
+/*%<
+ *	Returns the source address set by a previous dns_zone_setnotifysrc6
+ *	call, or the default of in6addr_any, port 0.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+isc_dscp_t
+dns_zone_getnotifysrc6dscp(dns_zone_t *zone);
+/*%/
+ * Get the DSCP value associated with the IPv6 notify source.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_setnotifysrc6dscp(dns_zone_t *zone, isc_dscp_t dscp);
+/*%<
+ * Set the DSCP value associated with the IPv6 notify source.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ */
+
+void
+dns_zone_setnotifyacl(dns_zone_t *zone, dns_acl_t *acl);
+/*%<
+ *	Sets the notify acl list for the zone.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'acl' to be a valid acl.
+ */
+
+void
+dns_zone_setqueryacl(dns_zone_t *zone, dns_acl_t *acl);
+/*%<
+ *	Sets the query acl list for the zone.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'acl' to be a valid acl.
+ */
+
+void
+dns_zone_setqueryonacl(dns_zone_t *zone, dns_acl_t *acl);
+/*%<
+ *	Sets the query-on acl list for the zone.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'acl' to be a valid acl.
+ */
+
+void
+dns_zone_setupdateacl(dns_zone_t *zone, dns_acl_t *acl);
+/*%<
+ *	Sets the update acl list for the zone.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'acl' to be valid acl.
+ */
+
+void
+dns_zone_setforwardacl(dns_zone_t *zone, dns_acl_t *acl);
+/*%<
+ *	Sets the forward unsigned updates acl list for the zone.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'acl' to be valid acl.
+ */
+
+void
+dns_zone_setxfracl(dns_zone_t *zone, dns_acl_t *acl);
+/*%<
+ *	Sets the transfer acl list for the zone.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'acl' to be valid acl.
+ */
+
+dns_acl_t *
+dns_zone_getnotifyacl(dns_zone_t *zone);
+/*%<
+ * 	Returns the current notify acl or NULL.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *
+ * Returns:
+ *\li	acl a pointer to the acl.
+ *\li	NULL
+ */
+
+dns_acl_t *
+dns_zone_getqueryacl(dns_zone_t *zone);
+/*%<
+ * 	Returns the current query acl or NULL.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *
+ * Returns:
+ *\li	acl a pointer to the acl.
+ *\li	NULL
+ */
+
+dns_acl_t *
+dns_zone_getqueryonacl(dns_zone_t *zone);
+/*%<
+ * 	Returns the current query-on acl or NULL.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *
+ * Returns:
+ *\li	acl a pointer to the acl.
+ *\li	NULL
+ */
+
+dns_acl_t *
+dns_zone_getupdateacl(dns_zone_t *zone);
+/*%<
+ * 	Returns the current update acl or NULL.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *
+ * Returns:
+ *\li	acl a pointer to the acl.
+ *\li	NULL
+ */
+
+dns_acl_t *
+dns_zone_getforwardacl(dns_zone_t *zone);
+/*%<
+ * 	Returns the current forward unsigned updates acl or NULL.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *
+ * Returns:
+ *\li	acl a pointer to the acl.
+ *\li	NULL
+ */
+
+dns_acl_t *
+dns_zone_getxfracl(dns_zone_t *zone);
+/*%<
+ * 	Returns the current transfer acl or NULL.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *
+ * Returns:
+ *\li	acl a pointer to the acl.
+ *\li	NULL
+ */
+
+void
+dns_zone_clearupdateacl(dns_zone_t *zone);
+/*%<
+ *	Clear the current update acl.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_clearforwardacl(dns_zone_t *zone);
+/*%<
+ *	Clear the current forward unsigned updates acl.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_clearnotifyacl(dns_zone_t *zone);
+/*%<
+ *	Clear the current notify acl.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_clearqueryacl(dns_zone_t *zone);
+/*%<
+ *	Clear the current query acl.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_clearqueryonacl(dns_zone_t *zone);
+/*%<
+ *	Clear the current query-on acl.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_clearxfracl(dns_zone_t *zone);
+/*%<
+ *	Clear the current transfer acl.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+bool
+dns_zone_getupdatedisabled(dns_zone_t *zone);
+/*%<
+ * Return update disabled.
+ * Transient unless called when running in isc_task_exclusive() mode.
+ */
+
+void
+dns_zone_setupdatedisabled(dns_zone_t *zone, bool state);
+/*%<
+ * Set update disabled.
+ * Should only be called only when running in isc_task_exclusive() mode.
+ * Failure to do so may result in updates being committed after the
+ * call has been made.
+ */
+
+bool
+dns_zone_getzeronosoattl(dns_zone_t *zone);
+/*%<
+ * Return zero-no-soa-ttl status.
+ */
+
+void
+dns_zone_setzeronosoattl(dns_zone_t *zone, bool state);
+/*%<
+ * Set zero-no-soa-ttl status.
+ */
+
+void
+dns_zone_setchecknames(dns_zone_t *zone, dns_severity_t severity);
+/*%<
+ * 	Set the severity of name checking when loading a zone.
+ *
+ * Require:
+ * \li     'zone' to be a valid zone.
+ */
+
+dns_severity_t
+dns_zone_getchecknames(dns_zone_t *zone);
+/*%<
+ *	Return the current severity of name checking.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_setjournalsize(dns_zone_t *zone, int32_t size);
+/*%<
+ *	Sets the journal size for the zone.
+ *
+ * Requires:
+ *\li	'zone' to be a valid zone.
+ */
+
+int32_t
+dns_zone_getjournalsize(dns_zone_t *zone);
+/*%<
+ *	Return the journal size as set with a previous call to
+ *	dns_zone_setjournalsize().
+ *
+ * Requires:
+ *\li	'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
+		       isc_sockaddr_t *to, dns_message_t *msg);
+/*%<
+ *	Tell the zone that it has received a NOTIFY message from another
+ *	server.  This may cause some zone maintenance activity to occur.
+ *
+ * Requires:
+ *\li	'zone' to be a valid zone.
+ *\li	'*from' to contain the address of the server from which 'msg'
+ *		was received.
+ *\li	'msg' a message with opcode NOTIFY and qr clear.
+ *
+ * Returns:
+ *\li	DNS_R_REFUSED
+ *\li	DNS_R_NOTIMP
+ *\li	DNS_R_FORMERR
+ *\li	DNS_R_SUCCESS
+ */
+
+void
+dns_zone_setmaxxfrin(dns_zone_t *zone, uint32_t maxxfrin);
+/*%<
+ * Set the maximum time (in seconds) that a zone transfer in (AXFR/IXFR)
+ * of this zone will use before being aborted.
+ *
+ * Requires:
+ * \li	'zone' to be valid initialised zone.
+ */
+
+uint32_t
+dns_zone_getmaxxfrin(dns_zone_t *zone);
+/*%<
+ * Returns the maximum transfer time for this zone.  This will be
+ * either the value set by the last call to dns_zone_setmaxxfrin() or
+ * the default value of 1 hour.
+ *
+ * Requires:
+ *\li	'zone' to be valid initialised zone.
+ */
+
+void
+dns_zone_setmaxxfrout(dns_zone_t *zone, uint32_t maxxfrout);
+/*%<
+ * Set the maximum time (in seconds) that a zone transfer out (AXFR/IXFR)
+ * of this zone will use before being aborted.
+ *
+ * Requires:
+ * \li	'zone' to be valid initialised zone.
+ */
+
+uint32_t
+dns_zone_getmaxxfrout(dns_zone_t *zone);
+/*%<
+ * Returns the maximum transfer time for this zone.  This will be
+ * either the value set by the last call to dns_zone_setmaxxfrout() or
+ * the default value of 1 hour.
+ *
+ * Requires:
+ *\li	'zone' to be valid initialised zone.
+ */
+
+isc_result_t
+dns_zone_setjournal(dns_zone_t *zone, const char *myjournal);
+/*%<
+ * Sets the filename used for journaling updates / IXFR transfers.
+ * The default journal name is set by dns_zone_setfile() to be
+ * "file.jnl".  If 'myjournal' is NULL, the zone will have no
+ * journal name.
+ *
+ * Requires:
+ *\li	'zone' to be a valid zone.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ */
+
+char *
+dns_zone_getjournal(dns_zone_t *zone);
+/*%<
+ * Returns the journal name associated with this zone.
+ * If no journal has been set this will be NULL.
+ *
+ * Requires:
+ *\li	'zone' to be valid initialised zone.
+ */
+
+dns_zonetype_t
+dns_zone_gettype(dns_zone_t *zone);
+/*%<
+ * Returns the type of the zone (master/slave/etc.)
+ *
+ * Requires:
+ *\li	'zone' to be valid initialised zone.
+ */
+
+dns_zonetype_t
+dns_zone_getredirecttype(dns_zone_t *zone);
+/*%<
+ * Returns whether the redirect zone is configured as a master or a
+ * slave zone.
+ *
+ * Requires:
+ *\li	'zone' to be valid initialised zone.
+ *\li	'zone' to be a redirect zone.
+ *
+ * Returns:
+ *\li	'dns_zone_primary'
+ *\li	'dns_zone_secondary'
+ */
+
+void
+dns_zone_settask(dns_zone_t *zone, isc_task_t *task);
+/*%<
+ * Give a zone a task to work with.  Any current task will be detached.
+ *
+ * Requires:
+ *\li	'zone' to be valid.
+ *\li	'task' to be valid.
+ */
+
+void
+dns_zone_gettask(dns_zone_t *zone, isc_task_t **target);
+/*%<
+ * Attach '*target' to the zone's task.
+ *
+ * Requires:
+ *\li	'zone' to be valid initialised zone.
+ *\li	'zone' to have a task.
+ *\li	'target' to be != NULL && '*target' == NULL.
+ */
+
+void
+dns_zone_notify(dns_zone_t *zone);
+/*%<
+ * Generate notify events for this zone.
+ *
+ * Requires:
+ *\li	'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_replacedb(dns_zone_t *zone, dns_db_t *db, bool dump);
+/*%<
+ * Replace the database of "zone" with a new database "db".
+ *
+ * If "dump" is true, then the new zone contents are dumped
+ * into to the zone's master file for persistence.  When replacing
+ * a zone database by one just loaded from a master file, set
+ * "dump" to false to avoid a redundant redump of the data just
+ * loaded.  Otherwise, it should be set to true.
+ *
+ * If the "diff-on-reload" option is enabled in the configuration file,
+ * the differences between the old and the new database are added to the
+ * journal file, and the master file dump is postponed.
+ *
+ * Requires:
+ * \li	'zone' to be a valid zone.
+ *
+ * Returns:
+ * \li	DNS_R_SUCCESS
+ * \li	DNS_R_BADZONE	zone failed basic consistency checks:
+ *			* a single SOA must exist
+ *			* some NS records must exist.
+ *	Others
+ */
+
+uint32_t
+dns_zone_getidlein(dns_zone_t *zone);
+/*%<
+ * Requires:
+ * \li	'zone' to be a valid zone.
+ *
+ * Returns:
+ * \li	number of seconds of idle time before we abort the transfer in.
+ */
+
+void
+dns_zone_setidlein(dns_zone_t *zone, uint32_t idlein);
+/*%<
+ * \li	Set the idle timeout for transfer the.
+ * \li	Zero set the default value, 1 hour.
+ *
+ * Requires:
+ * \li	'zone' to be a valid zone.
+ */
+
+uint32_t
+dns_zone_getidleout(dns_zone_t *zone);
+/*%<
+ *
+ * Requires:
+ * \li	'zone' to be a valid zone.
+ *
+ * Returns:
+ * \li	number of seconds of idle time before we abort a transfer out.
+ */
+
+void
+dns_zone_setidleout(dns_zone_t *zone, uint32_t idleout);
+/*%<
+ * \li	Set the idle timeout for transfers out.
+ * \li	Zero set the default value, 1 hour.
+ *
+ * Requires:
+ * \li	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_getssutable(dns_zone_t *zone, dns_ssutable_t **table);
+/*%<
+ * Get the simple-secure-update policy table.
+ *
+ * Requires:
+ * \li	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_setssutable(dns_zone_t *zone, dns_ssutable_t *table);
+/*%<
+ * Set / clear the simple-secure-update policy table.
+ *
+ * Requires:
+ * \li	'zone' to be a valid zone.
+ */
+
+isc_mem_t *
+dns_zone_getmctx(dns_zone_t *zone);
+/*%<
+ * Get the memory context of a zone.
+ *
+ * Requires:
+ * \li	'zone' to be a valid zone.
+ */
+
+dns_zonemgr_t *
+dns_zone_getmgr(dns_zone_t *zone);
+/*%<
+ *	If 'zone' is managed return the zone manager otherwise NULL.
+ *
+ * Requires:
+ * \li	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_setsigvalidityinterval(dns_zone_t *zone, uint32_t interval);
+/*%<
+ * Set the zone's general signature validity interval.  This is the length
+ * of time for which DNSSEC signatures created as a result of dynamic
+ * updates to secure zones will remain valid, in seconds.
+ *
+ * Requires:
+ * \li	'zone' to be a valid zone.
+ */
+
+uint32_t
+dns_zone_getsigvalidityinterval(dns_zone_t *zone);
+/*%<
+ * Get the zone's general signature validity interval.
+ *
+ * Requires:
+ * \li	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_setkeyvalidityinterval(dns_zone_t *zone, uint32_t interval);
+/*%<
+ * Set the zone's DNSKEY signature validity interval.  This is the length
+ * of time for which DNSSEC signatures created for DNSKEY records
+ * will remain valid, in seconds.
+ *
+ * If this value is set to zero, then the regular signature validity
+ * interval (see dns_zone_setsigvalidityinterval(), above) is used
+ * for all RRSIGs. However, if this value is nonzero, then it is used
+ * as the validity interval for RRSIGs covering DNSKEY and CDNSKEY
+ * RRsets.
+ *
+ * Requires:
+ * \li	'zone' to be a valid zone.
+ */
+
+uint32_t
+dns_zone_getkeyvalidityinterval(dns_zone_t *zone);
+/*%<
+ * Get the zone's DNSKEY signature validity interval.
+ *
+ * Requires:
+ * \li	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_setsigresigninginterval(dns_zone_t *zone, uint32_t interval);
+/*%<
+ * Set the zone's RRSIG re-signing interval.  A dynamic zone's RRSIG's
+ * will be re-signed 'interval' amount of time before they expire.
+ *
+ * Requires:
+ * \li	'zone' to be a valid zone.
+ */
+
+uint32_t
+dns_zone_getsigresigninginterval(dns_zone_t *zone);
+/*%<
+ * Get the zone's RRSIG re-signing interval.
+ *
+ * Requires:
+ * \li	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_setnotifytype(dns_zone_t *zone, dns_notifytype_t notifytype);
+/*%<
+ * Sets zone notify method to "notifytype"
+ */
+
+isc_result_t
+dns_zone_forwardupdate(dns_zone_t *zone, dns_message_t *msg,
+		       dns_updatecallback_t callback, void *callback_arg);
+/*%<
+ * Forward 'msg' to each master in turn until we get an answer or we
+ * have exhausted the list of primaries. 'callback' will be called with
+ * ISC_R_SUCCESS if we get an answer and the returned message will be
+ * passed as 'answer_message', otherwise a non ISC_R_SUCCESS result code
+ * will be passed and answer_message will be NULL.  The callback function
+ * is responsible for destroying 'answer_message'.
+ *		(callback)(callback_arg, result, answer_message);
+ *
+ * Require:
+ *\li	'zone' to be valid
+ *\li	'msg' to be valid.
+ *\li	'callback' to be non NULL.
+ * Returns:
+ *\li	#ISC_R_SUCCESS if the message has been forwarded,
+ *\li	#ISC_R_NOMEMORY
+ *\li	Others
+ */
+
+isc_result_t
+dns_zone_next(dns_zone_t *zone, dns_zone_t **next);
+/*%<
+ * Find the next zone in the list of managed zones.
+ *
+ * Requires:
+ *\li	'zone' to be valid
+ *\li	The zone manager for the indicated zone MUST be locked
+ *	by the caller.  This is not checked.
+ *\li	'next' be non-NULL, and '*next' be NULL.
+ *
+ * Ensures:
+ *\li	'next' points to a valid zone (result ISC_R_SUCCESS) or to NULL
+ *	(result ISC_R_NOMORE).
+ */
+
+isc_result_t
+dns_zone_first(dns_zonemgr_t *zmgr, dns_zone_t **first);
+/*%<
+ * Find the first zone in the list of managed zones.
+ *
+ * Requires:
+ *\li	'zonemgr' to be valid
+ *\li	The zone manager for the indicated zone MUST be locked
+ *	by the caller.  This is not checked.
+ *\li	'first' be non-NULL, and '*first' be NULL
+ *
+ * Ensures:
+ *\li	'first' points to a valid zone (result ISC_R_SUCCESS) or to NULL
+ *	(result ISC_R_NOMORE).
+ */
+
+isc_result_t
+dns_zone_setkeydirectory(dns_zone_t *zone, const char *directory);
+/*%<
+ *	Sets the name of the directory where private keys used for
+ *	online signing of dynamic zones are found.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *
+ * Returns:
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_SUCCESS
+ */
+
+const char *
+dns_zone_getkeydirectory(dns_zone_t *zone);
+/*%<
+ * 	Gets the name of the directory where private keys used for
+ *	online signing of dynamic zones are found.
+ *
+ * Requires:
+ *\li	'zone' to be valid initialised zone.
+ *
+ * Returns:
+ *	Pointer to null-terminated file name, or NULL.
+ */
+
+isc_result_t
+dns_zone_getdnsseckeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
+		       isc_stdtime_t now, dns_dnsseckeylist_t *keys);
+/*%
+ * Find DNSSEC keys used for signing with dnssec-policy. Load these keys
+ * into 'keys'.
+ *
+ * Requires:
+ *\li	'zone' to be valid initialised zone.
+ *\li	'keys' to be an initialised DNSSEC keylist.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	Error
+ */
+
+isc_result_t
+dns_zonemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
+		   isc_timermgr_t *timermgr, isc_socketmgr_t *socketmgr,
+		   dns_zonemgr_t **zmgrp);
+/*%<
+ * Create a zone manager.  Note: the zone manager will not be able to
+ * manage any zones until dns_zonemgr_setsize() has been run.
+ *
+ * Requires:
+ *\li	'mctx' to be a valid memory context.
+ *\li	'taskmgr' to be a valid task manager.
+ *\li	'timermgr' to be a valid timer manager.
+ *\li	'zmgrp'	to point to a NULL pointer.
+ */
+
+isc_result_t
+dns_zonemgr_setsize(dns_zonemgr_t *zmgr, int num_zones);
+/*%<
+ *	Set the size of the zone manager task pool.  This must be run
+ *	before zmgr can be used for managing zones.  Currently, it can only
+ *	be run once; the task pool cannot be resized.
+ *
+ * Requires:
+ *\li	zmgr is a valid zone manager.
+ *\li	zmgr->zonetasks has been initialized.
+ */
+
+isc_result_t
+dns_zonemgr_createzone(dns_zonemgr_t *zmgr, dns_zone_t **zonep);
+/*%<
+ *	Allocate a new zone using a memory context from the
+ *	zone manager's memory context pool.
+ *
+ * Require:
+ *\li	'zmgr' to be a valid zone manager.
+ *\li	'zonep' != NULL and '*zonep' == NULL.
+ */
+
+isc_result_t
+dns_zonemgr_managezone(dns_zonemgr_t *zmgr, dns_zone_t *zone);
+/*%<
+ *	Bring the zone under control of a zone manager.
+ *
+ * Require:
+ *\li	'zmgr' to be a valid zone manager.
+ *\li	'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zonemgr_forcemaint(dns_zonemgr_t *zmgr);
+/*%<
+ * Force zone maintenance of all loaded zones managed by 'zmgr'
+ * to take place at the system's earliest convenience.
+ */
+
+void
+dns__zonemgr_run(isc_task_t *task, isc_event_t *event);
+/*%<
+ * Event handler to call dns_zonemgr_forcemaint(); used to start
+ * zone operations from a unit test.  Not intended for use outside
+ * libdns or related tests.
+ */
+
+void
+dns_zonemgr_resumexfrs(dns_zonemgr_t *zmgr);
+/*%<
+ * Attempt to start any stalled zone transfers.
+ */
+
+void
+dns_zonemgr_shutdown(dns_zonemgr_t *zmgr);
+/*%<
+ *	Shut down the zone manager.
+ *
+ * Requires:
+ *\li	'zmgr' to be a valid zone manager.
+ */
+
+void
+dns_zonemgr_attach(dns_zonemgr_t *source, dns_zonemgr_t **target);
+/*%<
+ *	Attach '*target' to 'source' incrementing its external
+ * 	reference count.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'target' to be non NULL and '*target' to be NULL.
+ */
+
+void
+dns_zonemgr_detach(dns_zonemgr_t **zmgrp);
+/*%<
+ *	 Detach from a zone manager.
+ *
+ * Requires:
+ *\li	'*zmgrp' is a valid, non-NULL zone manager pointer.
+ *
+ * Ensures:
+ *\li	'*zmgrp' is NULL.
+ */
+
+void
+dns_zonemgr_releasezone(dns_zonemgr_t *zmgr, dns_zone_t *zone);
+/*%<
+ *	Release 'zone' from the managed by 'zmgr'.  'zmgr' is implicitly
+ *	detached from 'zone'.
+ *
+ * Requires:
+ *\li	'zmgr' to be a valid zone manager.
+ *\li	'zone' to be a valid zone.
+ *\li	'zmgr' == 'zone->zmgr'
+ *
+ * Ensures:
+ *\li	'zone->zmgr' == NULL;
+ */
+
+isc_taskmgr_t *
+dns_zonemgr_gettaskmgr(dns_zonemgr_t *zmgr);
+/*%
+ * Get the tasmkgr object attached to 'zmgr'.
+ */
+
+void
+dns_zonemgr_settransfersin(dns_zonemgr_t *zmgr, uint32_t value);
+/*%<
+ *	Set the maximum number of simultaneous transfers in allowed by
+ *	the zone manager.
+ *
+ * Requires:
+ *\li	'zmgr' to be a valid zone manager.
+ */
+
+uint32_t
+dns_zonemgr_getttransfersin(dns_zonemgr_t *zmgr);
+/*%<
+ *	Return the maximum number of simultaneous transfers in allowed.
+ *
+ * Requires:
+ *\li	'zmgr' to be a valid zone manager.
+ */
+
+void
+dns_zonemgr_settransfersperns(dns_zonemgr_t *zmgr, uint32_t value);
+/*%<
+ *	Set the number of zone transfers allowed per nameserver.
+ *
+ * Requires:
+ *\li	'zmgr' to be a valid zone manager
+ */
+
+uint32_t
+dns_zonemgr_getttransfersperns(dns_zonemgr_t *zmgr);
+/*%<
+ *	Return the number of transfers allowed per nameserver.
+ *
+ * Requires:
+ *\li	'zmgr' to be a valid zone manager.
+ */
+
+void
+dns_zonemgr_setiolimit(dns_zonemgr_t *zmgr, uint32_t iolimit);
+/*%<
+ *	Set the number of simultaneous file descriptors available for
+ *	reading and writing masterfiles.
+ *
+ * Requires:
+ *\li	'zmgr' to be a valid zone manager.
+ *\li	'iolimit' to be positive.
+ */
+
+uint32_t
+dns_zonemgr_getiolimit(dns_zonemgr_t *zmgr);
+/*%<
+ *	Get the number of simultaneous file descriptors available for
+ *	reading and writing masterfiles.
+ *
+ * Requires:
+ *\li	'zmgr' to be a valid zone manager.
+ */
+
+void
+dns_zonemgr_setcheckdsrate(dns_zonemgr_t *zmgr, unsigned int value);
+/*%<
+ *	Set the number of parental DS queries sent per second.
+ *
+ * Requires:
+ *\li	'zmgr' to be a valid zone manager
+ */
+
+void
+dns_zonemgr_setnotifyrate(dns_zonemgr_t *zmgr, unsigned int value);
+/*%<
+ *	Set the number of NOTIFY requests sent per second.
+ *
+ * Requires:
+ *\li	'zmgr' to be a valid zone manager
+ */
+
+void
+dns_zonemgr_setstartupnotifyrate(dns_zonemgr_t *zmgr, unsigned int value);
+/*%<
+ *	Set the number of startup NOTIFY requests sent per second.
+ *
+ * Requires:
+ *\li	'zmgr' to be a valid zone manager
+ */
+
+void
+dns_zonemgr_setserialqueryrate(dns_zonemgr_t *zmgr, unsigned int value);
+/*%<
+ *	Set the number of SOA queries sent per second.
+ *
+ * Requires:
+ *\li	'zmgr' to be a valid zone manager
+ */
+
+unsigned int
+dns_zonemgr_getnotifyrate(dns_zonemgr_t *zmgr);
+/*%<
+ *	Return the number of NOTIFY requests sent per second.
+ *
+ * Requires:
+ *\li	'zmgr' to be a valid zone manager.
+ */
+
+unsigned int
+dns_zonemgr_getstartupnotifyrate(dns_zonemgr_t *zmgr);
+/*%<
+ *	Return the number of startup NOTIFY requests sent per second.
+ *
+ * Requires:
+ *\li	'zmgr' to be a valid zone manager.
+ */
+
+unsigned int
+dns_zonemgr_getserialqueryrate(dns_zonemgr_t *zmgr);
+/*%<
+ *	Return the number of SOA queries sent per second.
+ *
+ * Requires:
+ *\li	'zmgr' to be a valid zone manager.
+ */
+
+unsigned int
+dns_zonemgr_getcount(dns_zonemgr_t *zmgr, int state);
+/*%<
+ *	Returns the number of zones in the specified state.
+ *
+ * Requires:
+ *\li	'zmgr' to be a valid zone manager.
+ *\li	'state' to be a valid DNS_ZONESTATE_ constant.
+ */
+
+void
+dns_zonemgr_unreachableadd(dns_zonemgr_t *zmgr, isc_sockaddr_t *remote,
+			   isc_sockaddr_t *local, isc_time_t *now);
+/*%<
+ *	Add the pair of addresses to the unreachable cache.
+ *
+ * Requires:
+ *\li	'zmgr' to be a valid zone manager.
+ *\li	'remote' to be a valid sockaddr.
+ *\li	'local' to be a valid sockaddr.
+ */
+
+bool
+dns_zonemgr_unreachable(dns_zonemgr_t *zmgr, isc_sockaddr_t *remote,
+			isc_sockaddr_t *local, isc_time_t *now);
+/*%<
+ *	Returns true if the given local/remote address pair
+ *	is found in the zone maanger's unreachable cache.
+ *
+ * Requires:
+ *\li	'zmgr' to be a valid zone manager.
+ *\li	'remote' to be a valid sockaddr.
+ *\li	'local' to be a valid sockaddr.
+ *\li	'now' != NULL
+ */
+
+void
+dns_zonemgr_unreachabledel(dns_zonemgr_t *zmgr, isc_sockaddr_t *remote,
+			   isc_sockaddr_t *local);
+/*%<
+ *	Remove the pair of addresses from the unreachable cache.
+ *
+ * Requires:
+ *\li	'zmgr' to be a valid zone manager.
+ *\li	'remote' to be a valid sockaddr.
+ *\li	'local' to be a valid sockaddr.
+ */
+
+void
+dns_zone_forcereload(dns_zone_t *zone);
+/*%<
+ *      Force a reload of specified zone.
+ *
+ * Requires:
+ *\li      'zone' to be a valid zone.
+ */
+
+bool
+dns_zone_isforced(dns_zone_t *zone);
+/*%<
+ *      Check if the zone is waiting a forced reload.
+ *
+ * Requires:
+ * \li     'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_setstatistics(dns_zone_t *zone, bool on);
+/*%<
+ * This function is obsoleted by dns_zone_setrequeststats().
+ */
+
+uint64_t *
+dns_zone_getstatscounters(dns_zone_t *zone);
+/*%<
+ * This function is obsoleted by dns_zone_getrequeststats().
+ */
+
+void
+dns_zone_setstats(dns_zone_t *zone, isc_stats_t *stats);
+/*%<
+ * Set a general zone-maintenance statistics set 'stats' for 'zone'.  This
+ * function is expected to be called only on zone creation (when necessary).
+ * Once installed, it cannot be removed or replaced.  Also, there is no
+ * interface to get the installed stats from the zone; the caller must keep the
+ * stats to reference (e.g. dump) it later.
+ *
+ * Requires:
+ * \li	'zone' to be a valid zone and does not have a statistics set already
+ *	installed.
+ *
+ *\li	stats is a valid statistics supporting zone statistics counters
+ *	(see dns/stats.h).
+ */
+
+void
+dns_zone_setrequeststats(dns_zone_t *zone, isc_stats_t *stats);
+
+void
+dns_zone_setrcvquerystats(dns_zone_t *zone, dns_stats_t *stats);
+
+void
+dns_zone_setdnssecsignstats(dns_zone_t *zone, dns_stats_t *stats);
+/*%<
+ * Set additional statistics sets to zone.  These are attached to the zone
+ * but are not counted in the zone module; only the caller updates the
+ * counters.
+ *
+ * Requires:
+ * \li	'zone' to be a valid zone.
+ *
+ *\li	stats is a valid statistics.
+ */
+
+isc_stats_t *
+dns_zone_getrequeststats(dns_zone_t *zone);
+
+dns_stats_t *
+dns_zone_getrcvquerystats(dns_zone_t *zone);
+
+dns_stats_t *
+dns_zone_getdnssecsignstats(dns_zone_t *zone);
+/*%<
+ * Get the additional statistics for zone, if one is installed.
+ *
+ * Requires:
+ * \li	'zone' to be a valid zone.
+ *
+ * Returns:
+ * \li	when available, a pointer to the statistics set installed in zone;
+ *	otherwise NULL.
+ */
+
+void
+dns_zone_dialup(dns_zone_t *zone);
+/*%<
+ * Perform dialup-time maintenance on 'zone'.
+ */
+
+void
+dns_zone_setdialup(dns_zone_t *zone, dns_dialuptype_t dialup);
+/*%<
+ * Set the dialup type of 'zone' to 'dialup'.
+ *
+ * Requires:
+ * \li	'zone' to be valid initialised zone.
+ *\li	'dialup' to be a valid dialup type.
+ */
+
+void
+dns_zone_logv(dns_zone_t *zone, isc_logcategory_t *category, int level,
+	      const char *prefix, const char *msg, va_list ap);
+/*%<
+ * Log the message 'msg...' at 'level' using log category 'category', including
+ * text that identifies the message as applying to 'zone'.  If the (optional)
+ * 'prefix' is not NULL, it will be placed at the start of the entire log line.
+ */
+
+void
+dns_zone_log(dns_zone_t *zone, int level, const char *msg, ...)
+	ISC_FORMAT_PRINTF(3, 4);
+/*%<
+ * Log the message 'msg...' at 'level', including text that identifies
+ * the message as applying to 'zone'.
+ */
+
+void
+dns_zone_logc(dns_zone_t *zone, isc_logcategory_t *category, int level,
+	      const char *msg, ...) ISC_FORMAT_PRINTF(4, 5);
+/*%<
+ * Log the message 'msg...' at 'level', including text that identifies
+ * the message as applying to 'zone'.
+ */
+
+void
+dns_zone_name(dns_zone_t *zone, char *buf, size_t len);
+/*%<
+ * Return the name of the zone with class and view.
+ *
+ * Requires:
+ *\li	'zone' to be valid.
+ *\li	'buf' to be non NULL.
+ */
+
+void
+dns_zone_nameonly(dns_zone_t *zone, char *buf, size_t len);
+/*%<
+ * Return the name of the zone only.
+ *
+ * Requires:
+ *\li	'zone' to be valid.
+ *\li	'buf' to be non NULL.
+ */
+
+isc_result_t
+dns_zone_checknames(dns_zone_t *zone, const dns_name_t *name,
+		    dns_rdata_t *rdata);
+/*%<
+ * Check if this record meets the check-names policy.
+ *
+ * Requires:
+ *	'zone' to be valid.
+ *	'name' to be valid.
+ *	'rdata' to be valid.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS		passed checks.
+ *	DNS_R_BADOWNERNAME	failed ownername checks.
+ *	DNS_R_BADNAME		failed rdata checks.
+ */
+
+void
+dns_zone_setcheckmx(dns_zone_t *zone, dns_checkmxfunc_t checkmx);
+/*%<
+ *	Set the post load integrity callback function 'checkmx'.
+ *	'checkmx' will be called if the MX TARGET is not within the zone.
+ *
+ * Require:
+ *	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_setchecksrv(dns_zone_t *zone, dns_checkmxfunc_t checksrv);
+/*%<
+ *	Set the post load integrity callback function 'checksrv'.
+ *	'checksrv' will be called if the SRV TARGET is not within the zone.
+ *
+ * Require:
+ *	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_setcheckns(dns_zone_t *zone, dns_checknsfunc_t checkns);
+/*%<
+ *	Set the post load integrity callback function 'checkns'.
+ *	'checkns' will be called if the NS TARGET is not within the zone.
+ *
+ * Require:
+ *	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_setnotifydelay(dns_zone_t *zone, uint32_t delay);
+/*%<
+ * Set the minimum delay between sets of notify messages.
+ *
+ * Requires:
+ *	'zone' to be valid.
+ */
+
+uint32_t
+dns_zone_getnotifydelay(dns_zone_t *zone);
+/*%<
+ * Get the minimum delay between sets of notify messages.
+ *
+ * Requires:
+ *	'zone' to be valid.
+ */
+
+void
+dns_zone_setisself(dns_zone_t *zone, dns_isselffunc_t isself, void *arg);
+/*%<
+ * Set the isself callback function and argument.
+ *
+ * bool
+ * isself(dns_view_t *myview, dns_tsigkey_t *mykey,
+ *	  const isc_netaddr_t *srcaddr, const isc_netaddr_t *destaddr,
+ *	  dns_rdataclass_t rdclass, void *arg);
+ *
+ * 'isself' returns true if a non-recursive query from 'srcaddr' to
+ * 'destaddr' with optional key 'mykey' for class 'rdclass' would be
+ * delivered to 'myview'.
+ */
+
+void
+dns_zone_setnodes(dns_zone_t *zone, uint32_t nodes);
+/*%<
+ * Set the number of nodes that will be checked per quantum.
+ */
+
+void
+dns_zone_setsignatures(dns_zone_t *zone, uint32_t signatures);
+/*%<
+ * Set the number of signatures that will be generated per quantum.
+ */
+
+uint32_t
+dns_zone_getsignatures(dns_zone_t *zone);
+/*%<
+ * Get the number of signatures that will be generated per quantum.
+ */
+
+isc_result_t
+dns_zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm, uint16_t keyid,
+		     bool deleteit);
+/*%<
+ * Initiate/resume signing of the entire zone with the zone DNSKEY(s)
+ * that match the given algorithm and keyid.
+ */
+
+isc_result_t
+dns_zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param);
+/*%<
+ * Incrementally add a NSEC3 chain that corresponds to 'nsec3param'.
+ */
+
+void
+dns_zone_setprivatetype(dns_zone_t *zone, dns_rdatatype_t type);
+dns_rdatatype_t
+dns_zone_getprivatetype(dns_zone_t *zone);
+/*
+ * Get/Set the private record type.  It is expected that these interfaces
+ * will not be permanent.
+ */
+
+void
+dns_zone_rekey(dns_zone_t *zone, bool fullsign);
+/*%<
+ * Update the zone's DNSKEY set from the key repository.
+ *
+ * If 'fullsign' is true, trigger an immediate full signing of
+ * the zone with the new key.  Otherwise, if there are no keys or
+ * if the new keys are for algorithms that have already signed the
+ * zone, then the zone can be re-signed incrementally.
+ */
+
+isc_result_t
+dns_zone_nscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
+		 unsigned int *errors);
+/*%
+ * Check if the name servers for the zone are sane (have address, don't
+ * refer to CNAMEs/DNAMEs.  The number of constiancy errors detected in
+ * returned in '*errors'
+ *
+ * Requires:
+ * \li	'zone' to be valid.
+ * \li	'db' to be valid.
+ * \li	'version' to be valid or NULL.
+ * \li	'errors' to be non NULL.
+ *
+ * Returns:
+ * 	ISC_R_SUCCESS if there were no errors examining the zone contents.
+ */
+
+isc_result_t
+dns_zone_cdscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version);
+/*%
+ * Check if CSD, CDNSKEY and DNSKEY are consistent.
+ *
+ * Requires:
+ * \li	'zone' to be valid.
+ * \li	'db' to be valid.
+ * \li	'version' to be valid or NULL.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#DNS_R_BADCDS
+ *\li	#DNS_R_BADCDNSKEY
+ *	Others
+ */
+
+void
+dns_zone_setadded(dns_zone_t *zone, bool added);
+/*%
+ * Sets the value of zone->added, which should be true for
+ * zones that were originally added by "rndc addzone".
+ *
+ * Requires:
+ * \li	'zone' to be valid.
+ */
+
+bool
+dns_zone_getadded(dns_zone_t *zone);
+/*%
+ * Returns true if the zone was originally added at runtime
+ * using "rndc addzone".
+ *
+ * Requires:
+ * \li	'zone' to be valid.
+ */
+
+void
+dns_zone_setautomatic(dns_zone_t *zone, bool automatic);
+/*%
+ * Sets the value of zone->automatic, which should be true for
+ * zones that were automatically added by named.
+ *
+ * Requires:
+ * \li	'zone' to be valid.
+ */
+
+bool
+dns_zone_getautomatic(dns_zone_t *zone);
+/*%
+ * Returns true if the zone was added automatically by named.
+ *
+ * Requires:
+ * \li	'zone' to be valid.
+ */
+
+isc_result_t
+dns_zone_dlzpostload(dns_zone_t *zone, dns_db_t *db);
+/*%
+ * Load the origin names for a writeable DLZ database.
+ */
+
+bool
+dns_zone_isdynamic(dns_zone_t *zone, bool ignore_freeze);
+/*%
+ * Return true iff the zone is "dynamic", in the sense that the zone's
+ * master file (if any) is written by the server, rather than being
+ * updated manually and read by the server.
+ *
+ * This is true for slave zones, stub zones, key zones, and zones that
+ * allow dynamic updates either by having an update policy ("ssutable")
+ * or an "allow-update" ACL with a value other than exactly "{ none; }".
+ *
+ * If 'ignore_freeze' is true, then the zone which has had updates disabled
+ * will still report itself to be dynamic.
+ *
+ * Requires:
+ * \li	'zone' to be valid.
+ */
+
+isc_result_t
+dns_zone_setrefreshkeyinterval(dns_zone_t *zone, uint32_t interval);
+/*%
+ * Sets the frequency, in minutes, with which the key repository will be
+ * checked to see if the keys for this zone have been updated.  Any value
+ * higher than 1440 minutes (24 hours) will be silently reduced.  A
+ * value of zero will return an out-of-range error.
+ *
+ * Requires:
+ * \li	'zone' to be valid.
+ */
+
+bool
+dns_zone_getrequestexpire(dns_zone_t *zone);
+/*%
+ * Returns the true/false value of the request-expire option in the zone.
+ *
+ * Requires:
+ * \li	'zone' to be valid.
+ */
+
+void
+dns_zone_setrequestexpire(dns_zone_t *zone, bool flag);
+/*%
+ * Sets the request-expire option for the zone. Either true or false. The
+ * default value is determined by the setting of this option in the view.
+ *
+ * Requires:
+ * \li	'zone' to be valid.
+ */
+
+bool
+dns_zone_getrequestixfr(dns_zone_t *zone);
+/*%
+ * Returns the true/false value of the request-ixfr option in the zone.
+ *
+ * Requires:
+ * \li	'zone' to be valid.
+ */
+
+void
+dns_zone_setrequestixfr(dns_zone_t *zone, bool flag);
+/*%
+ * Sets the request-ixfr option for the zone. Either true or false. The
+ * default value is determined by the setting of this option in the view.
+ *
+ * Requires:
+ * \li	'zone' to be valid.
+ */
+
+uint32_t
+dns_zone_getixfrratio(dns_zone_t *zone);
+/*%
+ * Returns the zone's current IXFR ratio.
+ *
+ * Requires:
+ * \li	'zone' to be valid.
+ */
+
+void
+dns_zone_setixfrratio(dns_zone_t *zone, uint32_t ratio);
+/*%
+ * Sets the ratio of IXFR size to zone size above which we use an AXFR
+ * response, expressed as a percentage. Cannot exceed 100.
+ *
+ * Requires:
+ * \li	'zone' to be valid.
+ */
+
+void
+dns_zone_setserialupdatemethod(dns_zone_t *zone, dns_updatemethod_t method);
+/*%
+ * Sets the update method to use when incrementing the zone serial number
+ * due to a DDNS update.  Valid options are dns_updatemethod_increment
+ * and dns_updatemethod_unixtime.
+ *
+ * Requires:
+ * \li	'zone' to be valid.
+ */
+
+dns_updatemethod_t
+dns_zone_getserialupdatemethod(dns_zone_t *zone);
+/*%
+ * Returns the update method to be used when incrementing the zone serial
+ * number due to a DDNS update.
+ *
+ * Requires:
+ * \li	'zone' to be valid.
+ */
+
+isc_result_t
+dns_zone_link(dns_zone_t *zone, dns_zone_t *raw);
+
+void
+dns_zone_getraw(dns_zone_t *zone, dns_zone_t **raw);
+
+isc_result_t
+dns_zone_keydone(dns_zone_t *zone, const char *data);
+
+isc_result_t
+dns_zone_setnsec3param(dns_zone_t *zone, uint8_t hash, uint8_t flags,
+		       uint16_t iter, uint8_t saltlen, unsigned char *salt,
+		       bool replace, bool resalt);
+/*%
+ * Set the NSEC3 parameters for the zone.
+ *
+ * If 'replace' is true, then the existing NSEC3 chain, if any, will
+ * be replaced with the new one.  If 'hash' is zero, then the replacement
+ * chain will be NSEC rather than NSEC3. If 'resalt' is true, or if 'salt'
+ * is NULL, generate a new salt with the given salt length.
+ *
+ * Requires:
+ * \li	'zone' to be valid.
+ */
+
+void
+dns_zone_setrawdata(dns_zone_t *zone, dns_masterrawheader_t *header);
+/*%
+ * Set the data to be included in the header when the zone is dumped in
+ * binary format.
+ */
+
+isc_result_t
+dns_zone_synckeyzone(dns_zone_t *zone);
+/*%
+ * Force the managed key zone to synchronize, and start the key
+ * maintenance timer.
+ */
+
+isc_result_t
+dns_zone_getloadtime(dns_zone_t *zone, isc_time_t *loadtime);
+/*%
+ * Return the time when the zone was last loaded.
+ */
+
+isc_result_t
+dns_zone_getrefreshtime(dns_zone_t *zone, isc_time_t *refreshtime);
+/*%
+ * Return the time when the (slave) zone will need to be refreshed.
+ */
+
+isc_result_t
+dns_zone_getexpiretime(dns_zone_t *zone, isc_time_t *expiretime);
+/*%
+ * Return the time when the (slave) zone will expire.
+ */
+
+isc_result_t
+dns_zone_getrefreshkeytime(dns_zone_t *zone, isc_time_t *refreshkeytime);
+/*%
+ * Return the time of the next scheduled DNSSEC key event.
+ */
+
+unsigned int
+dns_zone_getincludes(dns_zone_t *zone, char ***includesp);
+/*%
+ * Return the number include files that were encountered
+ * during load.  If the number is greater than zero, 'includesp'
+ * will point to an array containing the filenames.
+ *
+ * The array and its contents need to be freed using isc_mem_free.
+ */
+
+isc_result_t
+dns_zone_rpz_enable(dns_zone_t *zone, dns_rpz_zones_t *rpzs,
+		    dns_rpz_num_t rpz_num);
+/*%
+ * Set the response policy associated with a zone.
+ */
+
+void
+dns_zone_rpz_enable_db(dns_zone_t *zone, dns_db_t *db);
+/*%
+ * If a zone is a response policy zone, mark its new database.
+ */
+
+dns_rpz_num_t
+dns_zone_get_rpz_num(dns_zone_t *zone);
+
+void
+dns_zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs);
+/*%<
+ * Enable zone as catalog zone.
+ *
+ * Requires:
+ *
+ * \li	'zone' is a valid zone object
+ * \li	'catzs' is not NULL
+ * \li	prior to calling, zone->catzs is NULL or is equal to 'catzs'
+ */
+
+void
+dns_zone_catz_disable(dns_zone_t *zone);
+/*%<
+ * Disable zone as catalog zone, if it is one.  Also disables any
+ * registered callbacks for the catalog zone.
+ *
+ * Requires:
+ *
+ * \li	'zone' is a valid zone object
+ */
+
+bool
+dns_zone_catz_is_enabled(dns_zone_t *zone);
+/*%<
+ * Return a boolean indicating whether the zone is enabled as catalog zone.
+ *
+ * Requires:
+ *
+ * \li	'zone' is a valid zone object
+ */
+
+void
+dns_zone_catz_enable_db(dns_zone_t *zone, dns_db_t *db);
+/*%<
+ * If 'zone' is a catalog zone, then set up a notify-on-update trigger
+ * in its database. (If not a catalog zone, this function has no effect.)
+ *
+ * Requires:
+ *
+ * \li	'zone' is a valid zone object
+ * \li	'db' is not NULL
+ */
+void
+dns_zone_set_parentcatz(dns_zone_t *zone, dns_catz_zone_t *catz);
+/*%<
+ * Set parent catalog zone for this zone
+ *
+ * Requires:
+ *
+ * \li	'zone' is a valid zone object
+ * \li	'catz' is not NULL
+ */
+
+dns_catz_zone_t *
+dns_zone_get_parentcatz(const dns_zone_t *zone);
+/*%<
+ * Get parent catalog zone for this zone
+ *
+ * Requires:
+ *
+ * \li	'zone' is a valid zone object
+ */
+
+void
+dns_zone_setstatlevel(dns_zone_t *zone, dns_zonestat_level_t level);
+
+dns_zonestat_level_t
+dns_zone_getstatlevel(dns_zone_t *zone);
+/*%
+ * Set and get the statistics reporting level for the zone;
+ * full, terse, or none.
+ */
+
+isc_result_t
+dns_zone_setserial(dns_zone_t *zone, uint32_t serial);
+/*%
+ * Set the zone's serial to 'serial'.
+ */
+ISC_LANG_ENDDECLS
+
+isc_stats_t *
+dns_zone_getgluecachestats(dns_zone_t *zone);
+/*%<
+ * Get the glue cache statistics for zone.
+ *
+ * Requires:
+ * \li	'zone' to be a valid zone.
+ *
+ * Returns:
+ * \li	if present, a pointer to the statistics set installed in zone;
+ *	otherwise NULL.
+ */
+
+bool
+dns_zone_isloaded(dns_zone_t *zone);
+/*%<
+ * Return true if 'zone' was loaded and has not expired yet, return
+ * false otherwise.
+ */
+
+isc_result_t
+dns_zone_verifydb(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver);
+/*%<
+ * If 'zone' is a mirror zone, perform DNSSEC validation of version 'ver' of
+ * its database, 'db'.  Ensure that the DNSKEY RRset at zone apex is signed by
+ * at least one trust anchor specified for the view that 'zone' is assigned to.
+ * If 'ver' is NULL, use the current version of 'db'.
+ *
+ * If 'zone' is not a mirror zone, return ISC_R_SUCCESS immediately.
+ *
+ * Returns:
+ *
+ * \li	#ISC_R_SUCCESS		either 'zone' is not a mirror zone or 'zone' is
+ *				a mirror zone and all DNSSEC checks succeeded
+ *				and the DNSKEY RRset at zone apex is signed by
+ *				a trusted key
+ *
+ * \li	#DNS_R_VERIFYFAILURE	any other case
+ */
+
+const char *
+dns_zonetype_name(dns_zonetype_t type);
+/*%<
+ * Return the name of the zone type 'type'.
+ */
+
+#endif /* DNS_ZONE_H */
diff --git a/lib/dns/include/dns/zonekey.h b/lib/dns/include/dns/zonekey.h
new file mode 100644
index 0000000..f03f0a5
--- /dev/null
+++ b/lib/dns/include/dns/zonekey.h
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_ZONEKEY_H
+#define DNS_ZONEKEY_H 1
+
+/*! \file dns/zonekey.h */
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+bool
+dns_zonekey_iszonekey(dns_rdata_t *keyrdata);
+/*%<
+ *	Determines if the key record contained in the rdata is a zone key.
+ *
+ *	Requires:
+ *		'keyrdata' is not NULL.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_ZONEKEY_H */
diff --git a/lib/dns/include/dns/zoneverify.h b/lib/dns/include/dns/zoneverify.h
new file mode 100644
index 0000000..22a680a
--- /dev/null
+++ b/lib/dns/include/dns/zoneverify.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#pragma once
+
+/*! \file dns/zoneverify.h */
+
+#include <stdbool.h>
+
+#include <isc/types.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*%
+ * Verify that certain things are sane:
+ *
+ *   The apex has a DNSKEY record with at least one KSK, and at least
+ *   one ZSK if the -x flag was not used.
+ *
+ *   The DNSKEY record was signed with at least one of the KSKs in this
+ *   set.
+ *
+ *   The rest of the zone was signed with at least one of the ZSKs
+ *   present in the DNSKEY RRSET.
+ *
+ * Mark all RRsets correctly signed by one of the keys in the DNSKEY RRset at
+ * zone apex as secure.
+ *
+ * If 'secroots' is not NULL, mark the DNSKEY RRset as secure if it is
+ * correctly signed by at least one key present in 'secroots'.
+ */
+isc_result_t
+dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
+		      dns_name_t *origin, dns_keytable_t *secroots,
+		      isc_mem_t *mctx, bool ignore_kskflag, bool keyset_kskonly,
+		      void (*report)(const char *, ...));
+
+ISC_LANG_ENDDECLS
diff --git a/lib/dns/include/dns/zt.h b/lib/dns/include/dns/zt.h
new file mode 100644
index 0000000..2964fc9
--- /dev/null
+++ b/lib/dns/include/dns/zt.h
@@ -0,0 +1,224 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_ZT_H
+#define DNS_ZT_H 1
+
+/*! \file dns/zt.h */
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/rwlock.h>
+
+#include <dns/types.h>
+
+#define DNS_ZTFIND_NOEXACT 0x01
+#define DNS_ZTFIND_MIRROR  0x02
+
+ISC_LANG_BEGINDECLS
+
+typedef isc_result_t (*dns_zt_allloaded_t)(void *arg);
+/*%<
+ * Method prototype: when all pending zone loads are complete,
+ * the zone table can inform the caller via a callback function with
+ * this signature.
+ */
+
+typedef isc_result_t (*dns_zt_zoneloaded_t)(dns_zt_t *zt, dns_zone_t *zone,
+					    isc_task_t *task);
+/*%<
+ * Method prototype: when a zone finishes loading, the zt object
+ * can be informed via a callback function with this signature.
+ */
+
+isc_result_t
+dns_zt_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, dns_zt_t **zt);
+/*%<
+ * Creates a new zone table.
+ *
+ * Requires:
+ * \li	'mctx' to be initialized.
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS on success.
+ * \li	#ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_zt_mount(dns_zt_t *zt, dns_zone_t *zone);
+/*%<
+ * Mounts the zone on the zone table.
+ *
+ * Requires:
+ * \li	'zt' to be valid
+ * \li	'zone' to be valid
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_EXISTS
+ * \li	#ISC_R_NOSPACE
+ * \li	#ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_zt_unmount(dns_zt_t *zt, dns_zone_t *zone);
+/*%<
+ * Unmount the given zone from the table.
+ *
+ * Requires:
+ * 	'zt' to be valid
+ * \li	'zone' to be valid
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOTFOUND
+ * \li	#ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_zt_find(dns_zt_t *zt, const dns_name_t *name, unsigned int options,
+	    dns_name_t *foundname, dns_zone_t **zone);
+/*%<
+ * Find the best match for 'name' in 'zt'.  If foundname is non NULL
+ * then the name of the zone found is returned.
+ *
+ * Notes:
+ * \li	If the DNS_ZTFIND_NOEXACT is set, the best partial match (if any)
+ *	to 'name' will be returned.
+ *
+ * Requires:
+ * \li	'zt' to be valid
+ * \li	'name' to be valid
+ * \li	'foundname' to be initialized and associated with a fixedname or NULL
+ * \li	'zone' to be non NULL and '*zone' to be NULL
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#DNS_R_PARTIALMATCH
+ * \li	#ISC_R_NOTFOUND
+ * \li	#ISC_R_NOSPACE
+ */
+
+void
+dns_zt_detach(dns_zt_t **ztp);
+/*%<
+ * Detach the given zonetable, if the reference count goes to zero the
+ * zonetable will be freed.  In either case 'ztp' is set to NULL.
+ *
+ * Requires:
+ * \li	'*ztp' to be valid
+ */
+
+void
+dns_zt_flushanddetach(dns_zt_t **ztp);
+/*%<
+ * Detach the given zonetable, if the reference count goes to zero the
+ * zonetable will be flushed and then freed.  In either case 'ztp' is
+ * set to NULL.
+ *
+ * Requires:
+ * \li	'*ztp' to be valid
+ */
+
+void
+dns_zt_attach(dns_zt_t *zt, dns_zt_t **ztp);
+/*%<
+ * Attach 'zt' to '*ztp'.
+ *
+ * Requires:
+ * \li	'zt' to be valid
+ * \li	'*ztp' to be NULL
+ */
+
+isc_result_t
+dns_zt_load(dns_zt_t *zt, bool stop, bool newonly);
+
+isc_result_t
+dns_zt_asyncload(dns_zt_t *zt, bool newonly, dns_zt_allloaded_t alldone,
+		 void *arg);
+/*%<
+ * Load all zones in the table.  If 'stop' is true,
+ * stop on the first error and return it.  If 'stop'
+ * is false, ignore errors.
+ *
+ * if newonly is set only zones that were never loaded are loaded.
+ * dns_zt_asyncload() loads zones asynchronously; when all
+ * zones in the zone table have finished loaded (or failed due
+ * to errors), the caller is informed by calling 'alldone'
+ * with an argument of 'arg'.
+ *
+ * Requires:
+ * \li	'zt' to be valid
+ */
+
+isc_result_t
+dns_zt_freezezones(dns_zt_t *zt, dns_view_t *view, bool freeze);
+/*%<
+ * Freeze/thaw updates to master zones.
+ * Any pending updates will be flushed.
+ * Zones will be reloaded on thaw.
+ */
+
+isc_result_t
+dns_zt_apply(dns_zt_t *zt, isc_rwlocktype_t lock, bool stop, isc_result_t *sub,
+	     isc_result_t (*action)(dns_zone_t *, void *), void *uap);
+/*%<
+ * Apply a given 'action' to all zone zones in the table.
+ * If 'stop' is 'true' then walking the zone tree will stop if
+ * 'action' does not return ISC_R_SUCCESS.
+ *
+ * Requires:
+ * \li	'zt' to be valid.
+ * \li	'action' to be non NULL.
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS if action was applied to all nodes.  If 'stop' is
+ *	false and 'sub' is non NULL then the first error (if any)
+ *	reported by 'action' is returned in '*sub';
+ *	any error code from 'action'.
+ */
+
+bool
+dns_zt_loadspending(dns_zt_t *zt);
+/*%<
+ * Returns true if and only if there are zones still waiting to
+ * be loaded in zone table 'zt'.
+ *
+ * Requires:
+ * \li	'zt' to be valid.
+ */
+
+void
+dns_zt_setviewcommit(dns_zt_t *zt);
+/*%<
+ * Commit dns_zone_setview() calls previously made for all zones in this
+ * zone table.
+ *
+ * Requires:
+ *\li	'view' to be valid.
+ */
+
+void
+dns_zt_setviewrevert(dns_zt_t *zt);
+/*%<
+ * Revert dns_zone_setview() calls previously made for all zones in this
+ * zone table.
+ *
+ * Requires:
+ *\li	'view' to be valid.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_ZT_H */
diff --git a/lib/dns/include/dst/Makefile.in b/lib/dns/include/dst/Makefile.in
new file mode 100644
index 0000000..e4dad59
--- /dev/null
+++ b/lib/dns/include/dst/Makefile.in
@@ -0,0 +1,36 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+HEADERS =	dst.h gssapi.h result.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/dst
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/dst || exit 1; \
+	done
+
+uninstall::
+	for i in ${HEADERS}; do \
+		rm -f ${DESTDIR}${includedir}/dst/$$i || exit 1; \
+	done
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
new file mode 100644
index 0000000..3185e9f
--- /dev/null
+++ b/lib/dns/include/dst/dst.h
@@ -0,0 +1,1227 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DST_DST_H
+#define DST_DST_H 1
+
+/*! \file dst/dst.h */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/stdtime.h>
+
+#include <dns/ds.h>
+#include <dns/dsdigest.h>
+#include <dns/log.h>
+#include <dns/name.h>
+#include <dns/secalg.h>
+#include <dns/types.h>
+
+#include <dst/gssapi.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Types
+ ***/
+
+/*%
+ * The dst_key structure is opaque.  Applications should use the accessor
+ * functions provided to retrieve key attributes.  If an application needs
+ * to set attributes, new accessor functions will be written.
+ */
+
+typedef struct dst_key	   dst_key_t;
+typedef struct dst_context dst_context_t;
+
+/*%
+ * Key states for the DNSSEC records related to a key: DNSKEY, RRSIG (ksk),
+ * RRSIG (zsk), and DS.
+ *
+ * DST_KEY_STATE_HIDDEN:      Records of this type are not published in zone.
+ *                            This may be because the key parts were never
+ *                            introduced in the zone, or because the key has
+ *                            retired and has no records of this type left in
+ *                            the zone.
+ * DST_KEY_STATE_RUMOURED:    Records of this type are published in zone, but
+ *                            not long enough to ensure all resolvers know
+ *                            about it.
+ * DST_KEY_STATE_OMNIPRESENT: Records of this type are published in zone long
+ *                            enough so that all resolvers that know about
+ *                            these records, no longer have outdated data.
+ * DST_KEY_STATE_UNRETENTIVE: Records of this type have been removed from the
+ *                            zone, but there may be resolvers that still have
+ *                            have predecessor records cached.  Note that RRSIG
+ *                            records in this state may actually still be in the
+ *                            zone because they are reused, but retired RRSIG
+ *                            records will never be refreshed: A successor key
+ *                            is used to create signatures.
+ * DST_KEY_STATE_NA:          The state is not applicable for this record type.
+ */
+typedef enum dst_key_state {
+	DST_KEY_STATE_HIDDEN = 0,
+	DST_KEY_STATE_RUMOURED = 1,
+	DST_KEY_STATE_OMNIPRESENT = 2,
+	DST_KEY_STATE_UNRETENTIVE = 3,
+	DST_KEY_STATE_NA = 4
+} dst_key_state_t;
+
+/* DST algorithm codes */
+#define DST_ALG_UNKNOWN	     0
+#define DST_ALG_RSA	     1 /* Used for parsing RSASHA1, RSASHA256 and RSASHA512 */
+#define DST_ALG_RSAMD5	     1
+#define DST_ALG_DH	     2
+#define DST_ALG_DSA	     3
+#define DST_ALG_ECC	     4
+#define DST_ALG_RSASHA1	     5
+#define DST_ALG_NSEC3DSA     6
+#define DST_ALG_NSEC3RSASHA1 7
+#define DST_ALG_RSASHA256    8
+#define DST_ALG_RSASHA512    10
+#define DST_ALG_ECCGOST	     12
+#define DST_ALG_ECDSA256     13
+#define DST_ALG_ECDSA384     14
+#define DST_ALG_ED25519	     15
+#define DST_ALG_ED448	     16
+#define DST_ALG_HMACMD5	     157
+#define DST_ALG_GSSAPI	     160
+#define DST_ALG_HMACSHA1     161 /* XXXMPA */
+#define DST_ALG_HMACSHA224   162 /* XXXMPA */
+#define DST_ALG_HMACSHA256   163 /* XXXMPA */
+#define DST_ALG_HMACSHA384   164 /* XXXMPA */
+#define DST_ALG_HMACSHA512   165 /* XXXMPA */
+#define DST_ALG_INDIRECT     252
+#define DST_ALG_PRIVATE	     254
+#define DST_MAX_ALGS	     256
+
+/*% A buffer of this size is large enough to hold any key */
+#define DST_KEY_MAXSIZE 1280
+
+/*%
+ * A buffer of this size is large enough to hold the textual representation
+ * of any key
+ */
+#define DST_KEY_MAXTEXTSIZE 2048
+
+/*% 'Type' for dst_read_key() */
+#define DST_TYPE_KEY	 0x1000000 /* KEY key */
+#define DST_TYPE_PRIVATE 0x2000000
+#define DST_TYPE_PUBLIC	 0x4000000
+#define DST_TYPE_STATE	 0x8000000
+
+/* Key timing metadata definitions */
+#define DST_TIME_CREATED     0
+#define DST_TIME_PUBLISH     1
+#define DST_TIME_ACTIVATE    2
+#define DST_TIME_REVOKE	     3
+#define DST_TIME_INACTIVE    4
+#define DST_TIME_DELETE	     5
+#define DST_TIME_DSPUBLISH   6
+#define DST_TIME_SYNCPUBLISH 7
+#define DST_TIME_SYNCDELETE  8
+#define DST_TIME_DNSKEY	     9
+#define DST_TIME_ZRRSIG	     10
+#define DST_TIME_KRRSIG	     11
+#define DST_TIME_DS	     12
+#define DST_TIME_DSDELETE    13
+#define DST_MAX_TIMES	     13
+
+/* Numeric metadata definitions */
+#define DST_NUM_PREDECESSOR 0
+#define DST_NUM_SUCCESSOR   1
+#define DST_NUM_MAXTTL	    2
+#define DST_NUM_ROLLPERIOD  3
+#define DST_NUM_LIFETIME    4
+#define DST_NUM_DSPUBCOUNT  5
+#define DST_NUM_DSDELCOUNT  6
+#define DST_MAX_NUMERIC	    6
+
+/* Boolean metadata definitions */
+#define DST_BOOL_KSK	0
+#define DST_BOOL_ZSK	1
+#define DST_MAX_BOOLEAN 1
+
+/* Key state metadata definitions */
+#define DST_KEY_DNSKEY	  0
+#define DST_KEY_ZRRSIG	  1
+#define DST_KEY_KRRSIG	  2
+#define DST_KEY_DS	  3
+#define DST_KEY_GOAL	  4
+#define DST_MAX_KEYSTATES 4
+
+/*
+ * Current format version number of the private key parser.
+ *
+ * When parsing a key file with the same major number but a higher minor
+ * number, the key parser will ignore any fields it does not recognize.
+ * Thus, DST_MINOR_VERSION should be incremented whenever new
+ * fields are added to the private key file (such as new metadata).
+ *
+ * When rewriting these keys, those fields will be dropped, and the
+ * format version set back to the current one..
+ *
+ * When a key is seen with a higher major number, the key parser will
+ * reject it as invalid.  Thus, DST_MAJOR_VERSION should be incremented
+ * and DST_MINOR_VERSION set to zero whenever there is a format change
+ * which is not backward compatible to previous versions of the dst_key
+ * parser, such as change in the syntax of an existing field, the removal
+ * of a currently mandatory field, or a new field added which would
+ * alter the functioning of the key if it were absent.
+ */
+#define DST_MAJOR_VERSION 1
+#define DST_MINOR_VERSION 3
+
+/***
+ *** Functions
+ ***/
+isc_result_t
+dst_lib_init(isc_mem_t *mctx, const char *engine);
+/*%<
+ * Initializes the DST subsystem.
+ *
+ * Requires:
+ * \li 	"mctx" is a valid memory context
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS
+ * \li	ISC_R_NOMEMORY
+ * \li	DST_R_NOENGINE
+ *
+ * Ensures:
+ * \li	DST is properly initialized.
+ */
+
+void
+dst_lib_destroy(void);
+/*%<
+ * Releases all resources allocated by DST.
+ */
+
+bool
+dst_algorithm_supported(unsigned int alg);
+/*%<
+ * Checks that a given algorithm is supported by DST.
+ *
+ * Returns:
+ * \li	true
+ * \li	false
+ */
+
+bool
+dst_ds_digest_supported(unsigned int digest_type);
+/*%<
+ * Checks that a given digest algorithm is supported by DST.
+ *
+ * Returns:
+ * \li	true
+ * \li	false
+ */
+
+isc_result_t
+dst_context_create(dst_key_t *key, isc_mem_t *mctx, isc_logcategory_t *category,
+		   bool useforsigning, int maxbits, dst_context_t **dctxp);
+/*%<
+ * Creates a context to be used for a sign or verify operation.
+ *
+ * Requires:
+ * \li	"key" is a valid key.
+ * \li	"mctx" is a valid memory context.
+ * \li	dctxp != NULL && *dctxp == NULL
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS
+ * \li	ISC_R_NOMEMORY
+ *
+ * Ensures:
+ * \li	*dctxp will contain a usable context.
+ */
+
+void
+dst_context_destroy(dst_context_t **dctxp);
+/*%<
+ * Destroys all memory associated with a context.
+ *
+ * Requires:
+ * \li	*dctxp != NULL && *dctxp == NULL
+ *
+ * Ensures:
+ * \li	*dctxp == NULL
+ */
+
+isc_result_t
+dst_context_adddata(dst_context_t *dctx, const isc_region_t *data);
+/*%<
+ * Incrementally adds data to the context to be used in a sign or verify
+ * operation.
+ *
+ * Requires:
+ * \li	"dctx" is a valid context
+ * \li	"data" is a valid region
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS
+ * \li	DST_R_SIGNFAILURE
+ * \li	all other errors indicate failure
+ */
+
+isc_result_t
+dst_context_sign(dst_context_t *dctx, isc_buffer_t *sig);
+/*%<
+ * Computes a signature using the data and key stored in the context.
+ *
+ * Requires:
+ * \li	"dctx" is a valid context.
+ * \li	"sig" is a valid buffer.
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS
+ * \li	DST_R_VERIFYFAILURE
+ * \li	all other errors indicate failure
+ *
+ * Ensures:
+ * \li	"sig" will contain the signature
+ */
+
+isc_result_t
+dst_context_verify(dst_context_t *dctx, isc_region_t *sig);
+
+isc_result_t
+dst_context_verify2(dst_context_t *dctx, unsigned int maxbits,
+		    isc_region_t *sig);
+/*%<
+ * Verifies the signature using the data and key stored in the context.
+ *
+ * 'maxbits' specifies the maximum number of bits permitted in the RSA
+ * exponent.
+ *
+ * Requires:
+ * \li	"dctx" is a valid context.
+ * \li	"sig" is a valid region.
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS
+ * \li	all other errors indicate failure
+ *
+ * Ensures:
+ * \li	"sig" will contain the signature
+ */
+
+isc_result_t
+dst_key_computesecret(const dst_key_t *pub, const dst_key_t *priv,
+		      isc_buffer_t *secret);
+/*%<
+ * Computes a shared secret from two (Diffie-Hellman) keys.
+ *
+ * Requires:
+ * \li	"pub" is a valid key that can be used to derive a shared secret
+ * \li	"priv" is a valid private key that can be used to derive a shared secret
+ * \li	"secret" is a valid buffer
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS
+ * \li	any other result indicates failure
+ *
+ * Ensures:
+ * \li	If successful, secret will contain the derived shared secret.
+ */
+
+isc_result_t
+dst_key_getfilename(dns_name_t *name, dns_keytag_t id, unsigned int alg,
+		    int type, const char *directory, isc_mem_t *mctx,
+		    isc_buffer_t *buf);
+/*%<
+ * Generates a key filename for the name, algorithm, and
+ * id, and places it in the buffer 'buf'. If directory is NULL, the
+ * current directory is assumed.
+ *
+ * Requires:
+ * \li	"name" is a valid absolute dns name.
+ * \li	"id" is a valid key tag identifier.
+ * \li	"alg" is a supported key algorithm.
+ * \li	"type" is DST_TYPE_PUBLIC, DST_TYPE_PRIVATE, or the bitwise union.
+ *		  DST_TYPE_KEY look for a KEY record otherwise DNSKEY
+ * \li	"mctx" is a valid memory context.
+ * \li	"buf" is not NULL.
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS
+ * \li	any other result indicates failure
+ */
+
+isc_result_t
+dst_key_fromfile(dns_name_t *name, dns_keytag_t id, unsigned int alg, int type,
+		 const char *directory, isc_mem_t *mctx, dst_key_t **keyp);
+/*%<
+ * Reads a key from permanent storage.  The key can either be a public or
+ * private key, or a key state. It specified by name, algorithm, and id.  If
+ * a private key or key state is specified, the public key must also be
+ * present.  If directory is NULL, the current directory is assumed.
+ *
+ * Requires:
+ * \li	"name" is a valid absolute dns name.
+ * \li	"id" is a valid key tag identifier.
+ * \li	"alg" is a supported key algorithm.
+ * \li	"type" is DST_TYPE_PUBLIC, DST_TYPE_PRIVATE or the bitwise union.
+ *		  DST_TYPE_KEY look for a KEY record otherwise DNSKEY.
+ *		  DST_TYPE_STATE to also read the key state.
+ * \li	"mctx" is a valid memory context.
+ * \li	"keyp" is not NULL and "*keyp" is NULL.
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS
+ * \li	any other result indicates failure
+ *
+ * Ensures:
+ * \li	If successful, *keyp will contain a valid key.
+ */
+
+isc_result_t
+dst_key_fromnamedfile(const char *filename, const char *dirname, int type,
+		      isc_mem_t *mctx, dst_key_t **keyp);
+/*%<
+ * Reads a key from permanent storage.  The key can either be a public or
+ * private key, or a key state. It is specified by filename.  If a private key
+ * or key state is specified, the public key must also be present.
+ *
+ * If 'dirname' is not NULL, and 'filename' is a relative path,
+ * then the file is looked up relative to the given directory.
+ * If 'filename' is an absolute path, 'dirname' is ignored.
+ *
+ * Requires:
+ * \li	"filename" is not NULL
+ * \li	"type" is DST_TYPE_PUBLIC, DST_TYPE_PRIVATE, or the bitwise union.
+ *		  DST_TYPE_KEY look for a KEY record otherwise DNSKEY.
+ *		  DST_TYPE_STATE to also read the key state.
+ * \li	"mctx" is a valid memory context
+ * \li	"keyp" is not NULL and "*keyp" is NULL.
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS
+ * \li	any other result indicates failure
+ *
+ * Ensures:
+ * \li	If successful, *keyp will contain a valid key.
+ */
+
+isc_result_t
+dst_key_read_public(const char *filename, int type, isc_mem_t *mctx,
+		    dst_key_t **keyp);
+/*%<
+ * Reads a public key from permanent storage.  The key must be a public key.
+ *
+ * Requires:
+ * \li	"filename" is not NULL.
+ * \li	"type" is DST_TYPE_KEY look for a KEY record otherwise DNSKEY.
+ * \li	"mctx" is a valid memory context.
+ * \li	"keyp" is not NULL and "*keyp" is NULL.
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS
+ * \li	DST_R_BADKEYTYPE if the key type is not the expected one
+ * \li	ISC_R_UNEXPECTEDTOKEN if the file can not be parsed as a public key
+ * \li	any other result indicates failure
+ *
+ * Ensures:
+ * \li	If successful, *keyp will contain a valid key.
+ */
+
+isc_result_t
+dst_key_read_state(const char *filename, isc_mem_t *mctx, dst_key_t **keyp);
+/*%<
+ * Reads a key state from permanent storage.
+ *
+ * Requires:
+ * \li	"filename" is not NULL.
+ * \li	"mctx" is a valid memory context.
+ * \li	"keyp" is not NULL and "*keyp" is NULL.
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS
+ * \li	ISC_R_UNEXPECTEDTOKEN if the file can not be parsed as a public key
+ * \li	any other result indicates failure
+ */
+
+isc_result_t
+dst_key_tofile(const dst_key_t *key, int type, const char *directory);
+/*%<
+ * Writes a key to permanent storage.  The key can either be a public or
+ * private key.  Public keys are written in DNS format and private keys
+ * are written as a set of base64 encoded values.  If directory is NULL,
+ * the current directory is assumed.
+ *
+ * Requires:
+ * \li	"key" is a valid key.
+ * \li	"type" is DST_TYPE_PUBLIC, DST_TYPE_PRIVATE, or the bitwise union
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS
+ * \li	any other result indicates failure
+ */
+
+isc_result_t
+dst_key_fromdns(const dns_name_t *name, dns_rdataclass_t rdclass,
+		isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp);
+/*%<
+ * Converts a DNS KEY record into a DST key.
+ *
+ * Requires:
+ * \li	"name" is a valid absolute dns name.
+ * \li	"source" is a valid buffer.  There must be at least 4 bytes available.
+ * \li	"mctx" is a valid memory context.
+ * \li	"keyp" is not NULL and "*keyp" is NULL.
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS
+ * \li	any other result indicates failure
+ *
+ * Ensures:
+ * \li	If successful, *keyp will contain a valid key, and the consumed
+ *	pointer in data will be advanced.
+ */
+
+isc_result_t
+dst_key_todns(const dst_key_t *key, isc_buffer_t *target);
+/*%<
+ * Converts a DST key into a DNS KEY record.
+ *
+ * Requires:
+ * \li	"key" is a valid key.
+ * \li	"target" is a valid buffer.  There must be at least 4 bytes unused.
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS
+ * \li	any other result indicates failure
+ *
+ * Ensures:
+ * \li	If successful, the used pointer in 'target' is advanced by at least 4.
+ */
+
+isc_result_t
+dst_key_frombuffer(const dns_name_t *name, unsigned int alg, unsigned int flags,
+		   unsigned int protocol, dns_rdataclass_t rdclass,
+		   isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp);
+/*%<
+ * Converts a buffer containing DNS KEY RDATA into a DST key.
+ *
+ * Requires:
+ *\li	"name" is a valid absolute dns name.
+ *\li	"alg" is a supported key algorithm.
+ *\li	"source" is a valid buffer.
+ *\li	"mctx" is a valid memory context.
+ *\li	"keyp" is not NULL and "*keyp" is NULL.
+ *
+ * Returns:
+ *\li 	ISC_R_SUCCESS
+ * \li	any other result indicates failure
+ *
+ * Ensures:
+ *\li	If successful, *keyp will contain a valid key, and the consumed
+ *	pointer in source will be advanced.
+ */
+
+isc_result_t
+dst_key_tobuffer(const dst_key_t *key, isc_buffer_t *target);
+/*%<
+ * Converts a DST key into DNS KEY RDATA format.
+ *
+ * Requires:
+ *\li	"key" is a valid key.
+ *\li	"target" is a valid buffer.
+ *
+ * Returns:
+ *\li 	ISC_R_SUCCESS
+ * \li	any other result indicates failure
+ *
+ * Ensures:
+ *\li	If successful, the used pointer in 'target' is advanced.
+ */
+
+isc_result_t
+dst_key_privatefrombuffer(dst_key_t *key, isc_buffer_t *buffer);
+/*%<
+ * Converts a public key into a private key, reading the private key
+ * information from the buffer.  The buffer should contain the same data
+ * as the .private key file would.
+ *
+ * Requires:
+ *\li	"key" is a valid public key.
+ *\li	"buffer" is not NULL.
+ *
+ * Returns:
+ *\li 	ISC_R_SUCCESS
+ * \li	any other result indicates failure
+ *
+ * Ensures:
+ *\li	If successful, key will contain a valid private key.
+ */
+
+dns_gss_ctx_id_t
+dst_key_getgssctx(const dst_key_t *key);
+/*%<
+ * Returns the opaque key data.
+ * Be cautions when using this value unless you know what you are doing.
+ *
+ * Requires:
+ *\li	"key" is not NULL.
+ *
+ * Returns:
+ *\li	gssctx key data, possibly NULL.
+ */
+
+isc_result_t
+dst_key_fromgssapi(const dns_name_t *name, dns_gss_ctx_id_t gssctx,
+		   isc_mem_t *mctx, dst_key_t **keyp, isc_region_t *intoken);
+/*%<
+ * Converts a GSSAPI opaque context id into a DST key.
+ *
+ * Requires:
+ *\li	"name" is a valid absolute dns name.
+ *\li	"gssctx" is a GSSAPI context id.
+ *\li	"mctx" is a valid memory context.
+ *\li	"keyp" is not NULL and "*keyp" is NULL.
+ *
+ * Returns:
+ *\li 	ISC_R_SUCCESS
+ * \li	any other result indicates failure
+ *
+ * Ensures:
+ *\li	If successful, *keyp will contain a valid key and be responsible for
+ *	the context id.
+ */
+
+#ifdef DST_KEY_INTERNAL
+isc_result_t
+dst_key_buildinternal(const dns_name_t *name, unsigned int alg,
+		      unsigned int bits, unsigned int flags,
+		      unsigned int protocol, dns_rdataclass_t rdclass,
+		      void *data, isc_mem_t *mctx, dst_key_t **keyp);
+#endif /* ifdef DST_KEY_INTERNAL */
+
+isc_result_t
+dst_key_fromlabel(const dns_name_t *name, int alg, unsigned int flags,
+		  unsigned int protocol, dns_rdataclass_t rdclass,
+		  const char *engine, const char *label, const char *pin,
+		  isc_mem_t *mctx, dst_key_t **keyp);
+
+isc_result_t
+dst_key_generate(const dns_name_t *name, unsigned int alg, unsigned int bits,
+		 unsigned int param, unsigned int flags, unsigned int protocol,
+		 dns_rdataclass_t rdclass, isc_mem_t *mctx, dst_key_t **keyp,
+		 void (*callback)(int));
+
+/*%<
+ * Generate a DST key (or keypair) with the supplied parameters.  The
+ * interpretation of the "param" field depends on the algorithm:
+ * \code
+ * 	RSA:	exponent
+ * 		0	use exponent 3
+ * 		!0	use Fermat4 (2^16 + 1)
+ * 	DH:	generator
+ * 		0	default - use well known prime if bits == 768 or 1024,
+ * 			otherwise use 2 as the generator.
+ * 		!0	use this value as the generator.
+ * 	DSA:	unused
+ * 	HMACMD5: entropy
+ *		0	default - require good entropy
+ *		!0	lack of good entropy is ok
+ *\endcode
+ *
+ * Requires:
+ *\li	"name" is a valid absolute dns name.
+ *\li	"keyp" is not NULL and "*keyp" is NULL.
+ *
+ * Returns:
+ *\li 	ISC_R_SUCCESS
+ * \li	any other result indicates failure
+ *
+ * Ensures:
+ *\li	If successful, *keyp will contain a valid key.
+ */
+
+bool
+dst_key_compare(const dst_key_t *key1, const dst_key_t *key2);
+/*%<
+ * Compares two DST keys.  Returns true if they match, false otherwise.
+ *
+ * Keys ARE NOT considered to match if one of them is the revoked version
+ * of the other.
+ *
+ * Requires:
+ *\li	"key1" is a valid key.
+ *\li	"key2" is a valid key.
+ *
+ * Returns:
+ *\li 	true
+ * \li	false
+ */
+
+bool
+dst_key_pubcompare(const dst_key_t *key1, const dst_key_t *key2,
+		   bool match_revoked_key);
+/*%<
+ * Compares only the public portions of two DST keys.  Returns true
+ * if they match, false otherwise.  This allows us, for example, to
+ * determine whether a public key found in a zone matches up with a
+ * key pair found on disk.
+ *
+ * If match_revoked_key is TRUE, then keys ARE considered to match if one
+ * of them is the revoked version of the other. Otherwise, they are not.
+ *
+ * Requires:
+ *\li	"key1" is a valid key.
+ *\li	"key2" is a valid key.
+ *
+ * Returns:
+ *\li 	true
+ * \li	false
+ */
+
+bool
+dst_key_paramcompare(const dst_key_t *key1, const dst_key_t *key2);
+/*%<
+ * Compares the parameters of two DST keys.  This is used to determine if
+ * two (Diffie-Hellman) keys can be used to derive a shared secret.
+ *
+ * Requires:
+ *\li	"key1" is a valid key.
+ *\li	"key2" is a valid key.
+ *
+ * Returns:
+ *\li 	true
+ * \li	false
+ */
+
+void
+dst_key_attach(dst_key_t *source, dst_key_t **target);
+/*
+ * Attach to a existing key increasing the reference count.
+ *
+ * Requires:
+ *\li 'source' to be a valid key.
+ *\li 'target' to be non-NULL and '*target' to be NULL.
+ */
+
+void
+dst_key_free(dst_key_t **keyp);
+/*%<
+ * Decrement the key's reference counter and, when it reaches zero,
+ * release all memory associated with the key.
+ *
+ * Requires:
+ *\li	"keyp" is not NULL and "*keyp" is a valid key.
+ *\li	reference counter greater than zero.
+ *
+ * Ensures:
+ *\li	All memory associated with "*keyp" will be freed.
+ *\li	*keyp == NULL
+ */
+
+/*%<
+ * Accessor functions to obtain key fields.
+ *
+ * Require:
+ *\li	"key" is a valid key.
+ */
+dns_name_t *
+dst_key_name(const dst_key_t *key);
+
+unsigned int
+dst_key_size(const dst_key_t *key);
+
+unsigned int
+dst_key_proto(const dst_key_t *key);
+
+unsigned int
+dst_key_alg(const dst_key_t *key);
+
+uint32_t
+dst_key_flags(const dst_key_t *key);
+
+dns_keytag_t
+dst_key_id(const dst_key_t *key);
+
+dns_keytag_t
+dst_key_rid(const dst_key_t *key);
+
+dns_rdataclass_t
+dst_key_class(const dst_key_t *key);
+
+bool
+dst_key_isprivate(const dst_key_t *key);
+
+bool
+dst_key_iszonekey(const dst_key_t *key);
+
+bool
+dst_key_isnullkey(const dst_key_t *key);
+
+isc_result_t
+dst_key_buildfilename(const dst_key_t *key, int type, const char *directory,
+		      isc_buffer_t *out);
+/*%<
+ * Generates the filename used by dst to store the specified key.
+ * If directory is NULL, the current directory is assumed.
+ *
+ * Requires:
+ *\li	"key" is a valid key
+ *\li	"type" is either DST_TYPE_PUBLIC, DST_TYPE_PRIVATE, or 0 for no suffix.
+ *\li	"out" is a valid buffer
+ *
+ * Ensures:
+ *\li	the file name will be written to "out", and the used pointer will
+ *		be advanced.
+ */
+
+isc_result_t
+dst_key_sigsize(const dst_key_t *key, unsigned int *n);
+/*%<
+ * Computes the size of a signature generated by the given key.
+ *
+ * Requires:
+ *\li	"key" is a valid key.
+ *\li	"n" is not NULL
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	DST_R_UNSUPPORTEDALG
+ *
+ * Ensures:
+ *\li	"n" stores the size of a generated signature
+ */
+
+isc_result_t
+dst_key_secretsize(const dst_key_t *key, unsigned int *n);
+/*%<
+ * Computes the size of a shared secret generated by the given key.
+ *
+ * Requires:
+ *\li	"key" is a valid key.
+ *\li	"n" is not NULL
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	DST_R_UNSUPPORTEDALG
+ *
+ * Ensures:
+ *\li	"n" stores the size of a generated shared secret
+ */
+
+uint16_t
+dst_region_computeid(const isc_region_t *source);
+uint16_t
+dst_region_computerid(const isc_region_t *source);
+/*%<
+ * Computes the (revoked) key id of the key stored in the provided
+ * region.
+ *
+ * Requires:
+ *\li	"source" contains a valid, non-NULL region.
+ *
+ * Returns:
+ *\li 	the key id
+ */
+
+uint16_t
+dst_key_getbits(const dst_key_t *key);
+/*%<
+ * Get the number of digest bits required (0 == MAX).
+ *
+ * Requires:
+ *	"key" is a valid key.
+ */
+
+void
+dst_key_setbits(dst_key_t *key, uint16_t bits);
+/*%<
+ * Set the number of digest bits required (0 == MAX).
+ *
+ * Requires:
+ *	"key" is a valid key.
+ */
+
+void
+dst_key_setttl(dst_key_t *key, dns_ttl_t ttl);
+/*%<
+ * Set the default TTL to use when converting the key
+ * to a KEY or DNSKEY RR.
+ *
+ * Requires:
+ *	"key" is a valid key.
+ */
+
+dns_ttl_t
+dst_key_getttl(const dst_key_t *key);
+/*%<
+ * Get the default TTL to use when converting the key
+ * to a KEY or DNSKEY RR.
+ *
+ * Requires:
+ *	"key" is a valid key.
+ */
+
+isc_result_t
+dst_key_setflags(dst_key_t *key, uint32_t flags);
+/*
+ * Set the key flags, and recompute the key ID.
+ *
+ * Requires:
+ *	"key" is a valid key.
+ */
+
+isc_result_t
+dst_key_getbool(const dst_key_t *key, int type, bool *valuep);
+/*%<
+ * Get a member of the boolean metadata array and place it in '*valuep'.
+ *
+ * Requires:
+ *	"key" is a valid key.
+ *	"type" is no larger than DST_MAX_BOOLEAN
+ *	"valuep" is not null.
+ */
+
+void
+dst_key_setbool(dst_key_t *key, int type, bool value);
+/*%<
+ * Set a member of the boolean metadata array.
+ *
+ * Requires:
+ *	"key" is a valid key.
+ *	"type" is no larger than DST_MAX_BOOLEAN
+ */
+
+void
+dst_key_unsetbool(dst_key_t *key, int type);
+/*%<
+ * Flag a member of the boolean metadata array as "not set".
+ *
+ * Requires:
+ *	"key" is a valid key.
+ *	"type" is no larger than DST_MAX_BOOLEAN
+ */
+
+isc_result_t
+dst_key_getnum(const dst_key_t *key, int type, uint32_t *valuep);
+/*%<
+ * Get a member of the numeric metadata array and place it in '*valuep'.
+ *
+ * Requires:
+ *	"key" is a valid key.
+ *	"type" is no larger than DST_MAX_NUMERIC
+ *	"valuep" is not null.
+ */
+
+void
+dst_key_setnum(dst_key_t *key, int type, uint32_t value);
+/*%<
+ * Set a member of the numeric metadata array.
+ *
+ * Requires:
+ *	"key" is a valid key.
+ *	"type" is no larger than DST_MAX_NUMERIC
+ */
+
+void
+dst_key_unsetnum(dst_key_t *key, int type);
+/*%<
+ * Flag a member of the numeric metadata array as "not set".
+ *
+ * Requires:
+ *	"key" is a valid key.
+ *	"type" is no larger than DST_MAX_NUMERIC
+ */
+
+isc_result_t
+dst_key_gettime(const dst_key_t *key, int type, isc_stdtime_t *timep);
+/*%<
+ * Get a member of the timing metadata array and place it in '*timep'.
+ *
+ * Requires:
+ *	"key" is a valid key.
+ *	"type" is no larger than DST_MAX_TIMES
+ *	"timep" is not null.
+ */
+
+void
+dst_key_settime(dst_key_t *key, int type, isc_stdtime_t when);
+/*%<
+ * Set a member of the timing metadata array.
+ *
+ * Requires:
+ *	"key" is a valid key.
+ *	"type" is no larger than DST_MAX_TIMES
+ */
+
+void
+dst_key_unsettime(dst_key_t *key, int type);
+/*%<
+ * Flag a member of the timing metadata array as "not set".
+ *
+ * Requires:
+ *	"key" is a valid key.
+ *	"type" is no larger than DST_MAX_TIMES
+ */
+
+isc_result_t
+dst_key_getstate(const dst_key_t *key, int type, dst_key_state_t *statep);
+/*%<
+ * Get a member of the keystate metadata array and place it in '*statep'.
+ *
+ * Requires:
+ *	"key" is a valid key.
+ *	"type" is no larger than DST_MAX_KEYSTATES
+ *	"statep" is not null.
+ */
+
+void
+dst_key_setstate(dst_key_t *key, int type, dst_key_state_t state);
+/*%<
+ * Set a member of the keystate metadata array.
+ *
+ * Requires:
+ *	"key" is a valid key.
+ *	"state" is a valid state.
+ *	"type" is no larger than DST_MAX_KEYSTATES
+ */
+
+void
+dst_key_unsetstate(dst_key_t *key, int type);
+/*%<
+ * Flag a member of the keystate metadata array as "not set".
+ *
+ * Requires:
+ *	"key" is a valid key.
+ *	"type" is no larger than DST_MAX_KEYSTATES
+ */
+
+isc_result_t
+dst_key_getprivateformat(const dst_key_t *key, int *majorp, int *minorp);
+/*%<
+ * Get the private key format version number.  (If the key does not have
+ * a private key associated with it, the version will be 0.0.)  The major
+ * version number is placed in '*majorp', and the minor version number in
+ * '*minorp'.
+ *
+ * Requires:
+ *	"key" is a valid key.
+ *	"majorp" is not NULL.
+ *	"minorp" is not NULL.
+ */
+
+void
+dst_key_setprivateformat(dst_key_t *key, int major, int minor);
+/*%<
+ * Set the private key format version number.
+ *
+ * Requires:
+ *	"key" is a valid key.
+ */
+
+#define DST_KEY_FORMATSIZE (DNS_NAME_FORMATSIZE + DNS_SECALG_FORMATSIZE + 7)
+
+void
+dst_key_format(const dst_key_t *key, char *cp, unsigned int size);
+/*%<
+ * Write the uniquely identifying information about the key (name,
+ * algorithm, key ID) into a string 'cp' of size 'size'.
+ */
+
+isc_buffer_t *
+dst_key_tkeytoken(const dst_key_t *key);
+/*%<
+ * Return the token from the TKEY request, if any.  If this key was
+ * not negotiated via TKEY, return NULL.
+ *
+ * Requires:
+ *	"key" is a valid key.
+ */
+
+isc_result_t
+dst_key_dump(dst_key_t *key, isc_mem_t *mctx, char **buffer, int *length);
+/*%<
+ * Allocate 'buffer' and dump the key into it in base64 format. The buffer
+ * is not NUL terminated. The length of the buffer is returned in *length.
+ *
+ * 'buffer' needs to be freed using isc_mem_put(mctx, buffer, length);
+ *
+ * Requires:
+ *	'buffer' to be non NULL and *buffer to be NULL.
+ *	'length' to be non NULL and *length to be zero.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMEMORY
+ *	ISC_R_NOTIMPLEMENTED
+ *	others.
+ */
+
+isc_result_t
+dst_key_restore(dns_name_t *name, unsigned int alg, unsigned int flags,
+		unsigned int protocol, dns_rdataclass_t rdclass,
+		isc_mem_t *mctx, const char *keystr, dst_key_t **keyp);
+
+bool
+dst_key_inactive(const dst_key_t *key);
+/*%<
+ * Determines if the private key is missing due the key being deemed inactive.
+ *
+ * Requires:
+ *	'key' to be valid.
+ */
+
+void
+dst_key_setinactive(dst_key_t *key, bool inactive);
+/*%<
+ * Set key inactive state.
+ *
+ * Requires:
+ *	'key' to be valid.
+ */
+
+void
+dst_key_setexternal(dst_key_t *key, bool value);
+/*%<
+ * Set key external state.
+ *
+ * Requires:
+ *	'key' to be valid.
+ */
+
+bool
+dst_key_isexternal(dst_key_t *key);
+/*%<
+ * Check if this is an external key.
+ *
+ * Requires:
+ *	'key' to be valid.
+ */
+
+void
+dst_key_setmodified(dst_key_t *key, bool value);
+/*%<
+ * If 'value' is true, this marks the key to indicate that key file metadata
+ * has been modified. If 'value' is false, this resets the value, for example
+ * after you have written the key to file.
+ *
+ * Requires:
+ *	'key' to be valid.
+ */
+
+bool
+dst_key_ismodified(const dst_key_t *key);
+/*%<
+ * Check if the key file has been modified.
+ *
+ * Requires:
+ *	'key' to be valid.
+ */
+
+bool
+dst_key_haskasp(dst_key_t *key);
+/*%<
+ * Check if this key has state (and thus uses KASP).
+ *
+ * Requires:
+ *	'key' to be valid.
+ */
+
+bool
+dst_key_is_unused(dst_key_t *key);
+/*%<
+ * Check if this key is unused.
+ *
+ * Requires:
+ *	'key' to be valid.
+ */
+
+bool
+dst_key_is_published(dst_key_t *key, isc_stdtime_t now, isc_stdtime_t *publish);
+/*%<
+ * Check if it is safe to publish this key (e.g. put the DNSKEY in the zone).
+ *
+ * Requires:
+ *	'key' to be valid.
+ */
+
+bool
+dst_key_is_active(dst_key_t *key, isc_stdtime_t now);
+/*%<
+ * Check if this key is active. This means that it is creating RRSIG records
+ * (ZSK), or that it is used to create a chain of trust (KSK), or both (CSK).
+ *
+ * Requires:
+ *	'key' to be valid.
+ */
+
+bool
+dst_key_is_signing(dst_key_t *key, int role, isc_stdtime_t now,
+		   isc_stdtime_t *active);
+/*%<
+ * Check if it is safe to use this key for signing, given the role.
+ *
+ * Requires:
+ *	'key' to be valid.
+ */
+
+bool
+dst_key_is_revoked(dst_key_t *key, isc_stdtime_t now, isc_stdtime_t *revoke);
+/*%<
+ * Check if this key is revoked.
+ *
+ * Requires:
+ *	'key' to be valid.
+ */
+
+bool
+dst_key_is_removed(dst_key_t *key, isc_stdtime_t now, isc_stdtime_t *remove);
+/*%<
+ * Check if this key is removed from the zone (e.g. the DNSKEY record should
+ * no longer be in the zone).
+ *
+ * Requires:
+ *	'key' to be valid.
+ */
+
+dst_key_state_t
+dst_key_goal(dst_key_t *key);
+/*%<
+ * Get the key goal. Should be OMNIPRESENT or HIDDEN.
+ * This can be used to determine if the key is being introduced or
+ * is on its way out.
+ *
+ * Requires:
+ *	'key' to be valid.
+ */
+
+isc_result_t
+dst_key_role(dst_key_t *key, bool *ksk, bool *zsk);
+/*%<
+ * Get the key role. A key can have the KSK or the ZSK role, or both.
+ *
+ * Requires:
+ *	'key' to be valid.
+ */
+
+void
+dst_key_copy_metadata(dst_key_t *to, dst_key_t *from);
+/*%<
+ * Copy key metadata from one key to another.
+ *
+ * Requires:
+ *	'to' and 'from' to be valid.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DST_DST_H */
diff --git a/lib/dns/include/dst/gssapi.h b/lib/dns/include/dst/gssapi.h
new file mode 100644
index 0000000..e783f20
--- /dev/null
+++ b/lib/dns/include/dst/gssapi.h
@@ -0,0 +1,196 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DST_GSSAPI_H
+#define DST_GSSAPI_H 1
+
+/*! \file dst/gssapi.h */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/formatcheck.h>
+#include <isc/lang.h>
+#include <isc/platform.h>
+#include <isc/types.h>
+
+#include <dns/types.h>
+
+typedef void *dns_gss_cred_id_t;
+typedef void *dns_gss_ctx_id_t;
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Types
+ ***/
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t
+dst_gssapi_acquirecred(const dns_name_t *name, bool initiate,
+		       dns_gss_cred_id_t *cred);
+/*
+ *	Acquires GSS credentials.
+ *
+ *	Requires:
+ * 	'name' 	    is a valid name, preferably one known by the GSS provider
+ * 	'initiate'  indicates whether the credentials are for initiating or
+ *		    accepting contexts
+ *      'cred'      is a pointer to NULL, which will be allocated with the
+ *		    credential handle.  Call dst_gssapi_releasecred to free
+ *		    the memory.
+ *
+ *	Returns:
+ *		ISC_R_SUCCESS msg was successfully updated to include the
+ *				      query to be sent
+ *		other		  an error occurred while building the message
+ */
+
+isc_result_t
+dst_gssapi_releasecred(dns_gss_cred_id_t *cred);
+/*
+ *	Releases GSS credentials.  Calling this function does release the
+ *  memory allocated for the credential in dst_gssapi_acquirecred()
+ *
+ *	Requires:
+ *      'mctx'  is a valid memory context
+ *      'cred'  is a pointer to the credential to be released
+ *
+ *	Returns:
+ *		ISC_R_SUCCESS 	credential was released successfully
+ *		other		an error occurred while releaseing
+ *				the credential
+ */
+
+isc_result_t
+dst_gssapi_initctx(const dns_name_t *name, isc_buffer_t *intoken,
+		   isc_buffer_t *outtoken, dns_gss_ctx_id_t *gssctx,
+		   isc_mem_t *mctx, char **err_message);
+/*
+ *	Initiates a GSS context.
+ *
+ *	Requires:
+ * 	'name'     is a valid name, preferably one known by the GSS
+ * 	provider
+ * 	'intoken'  is a token received from the acceptor, or NULL if
+ *		   there isn't one
+ * 	'outtoken' is a buffer to receive the token generated by
+ *		   gss_init_sec_context() to be sent to the acceptor
+ *      'context'  is a pointer to a valid dns_gss_ctx_id_t
+ *                 (which may have the value GSS_C_NO_CONTEXT)
+ *
+ *	Returns:
+ *		ISC_R_SUCCESS   msg was successfully updated to include the
+ * 				query to be sent
+ *		other		an error occurred while building the message
+ *		*err_message	optional error message
+ */
+
+isc_result_t
+dst_gssapi_acceptctx(dns_gss_cred_id_t cred, const char *gssapi_keytab,
+		     isc_region_t *intoken, isc_buffer_t **outtoken,
+		     dns_gss_ctx_id_t *context, dns_name_t *principal,
+		     isc_mem_t *mctx);
+/*
+ *	Accepts a GSS context.
+ *
+ *	Requires:
+ * 	'mctx'     is a valid memory context
+ *      'cred'     is the acceptor's valid GSS credential handle
+ * 	'intoken'  is a token received from the initiator
+ * 	'outtoken' is a pointer a buffer pointer used to return the token
+ *		   generated by gss_accept_sec_context() to be sent to the
+ *		   initiator
+ *      'context'  is a valid pointer to receive the generated context handle.
+ *                 On the initial call, it should be a pointer to NULL, which
+ *		   will be allocated as a dns_gss_ctx_id_t.  Subsequent calls
+ *		   should pass in the handle generated on the first call.
+ *		   Call dst_gssapi_releasecred to delete the context and free
+ *		   the memory.
+ *
+ *	Requires:
+ *		'outtoken' to != NULL && *outtoken == NULL.
+ *
+ *	Returns:
+ *		ISC_R_SUCCESS   msg was successfully updated to include the
+ * 				query to be sent
+ *		DNS_R_CONTINUE	transaction still in progress
+ *		other 		an error occurred while building the message
+ */
+
+isc_result_t
+dst_gssapi_deletectx(isc_mem_t *mctx, dns_gss_ctx_id_t *gssctx);
+/*
+ *	Destroys a GSS context.  This function deletes the context from the GSS
+ *  	provider and then frees the memory used by the context pointer.
+ *
+ *	Requires:
+ *      'mctx'    is a valid memory context
+ *	'context' is a valid GSS context
+ *
+ *	Returns:
+ *		ISC_R_SUCCESS
+ */
+
+void
+gss_log(int level, const char *fmt, ...) ISC_FORMAT_PRINTF(2, 3);
+/*
+ * Logging function for GSS.
+ *
+ *  Requires
+ *      'level' is the log level to be used, as an integer
+ *      'fmt'   is a printf format specifier
+ */
+
+char *
+gss_error_tostring(uint32_t major, uint32_t minor, char *buf, size_t buflen);
+/*
+ *	Render a GSS major status/minor status pair into a string
+ *
+ *	Requires:
+ *      'major' is a GSS major status code
+ * 	'minor' is a GSS minor status code
+ *
+ *	Returns:
+ *		A string containing the text representation of the error codes.
+ *      	Users should copy the string if they wish to keep it.
+ */
+
+bool
+dst_gssapi_identitymatchesrealmkrb5(const dns_name_t *signer,
+				    const dns_name_t *name,
+				    const dns_name_t *realm, bool subdomain);
+/*
+ *	Compare a "signer" (in the format of a Kerberos-format Kerberos5
+ *	principal: host/example.com@EXAMPLE.COM) to the realm name stored
+ *	in "name" (which represents the realm name).
+ *
+ */
+
+bool
+dst_gssapi_identitymatchesrealmms(const dns_name_t *signer,
+				  const dns_name_t *name,
+				  const dns_name_t *realm, bool subdomain);
+/*
+ *	Compare a "signer" (in the format of a Kerberos-format Kerberos5
+ *	principal: host/example.com@EXAMPLE.COM) to the realm name stored
+ *	in "name" (which represents the realm name).
+ *
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DST_GSSAPI_H */
diff --git a/lib/dns/include/dst/result.h b/lib/dns/include/dst/result.h
new file mode 100644
index 0000000..b909f55
--- /dev/null
+++ b/lib/dns/include/dst/result.h
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DST_RESULT_H
+#define DST_RESULT_H 1
+
+/*! \file dst/result.h */
+
+#include <isc/lang.h>
+#include <isc/resultclass.h>
+
+/*
+ * Nothing in this file truly depends on <isc/result.h>, but the
+ * DST result codes are considered to be publicly derived from
+ * the ISC result codes, so including this file buys you the ISC_R_
+ * namespace too.
+ */
+#include <isc/result.h> /* Contractual promise. */
+
+#define DST_R_UNSUPPORTEDALG (ISC_RESULTCLASS_DST + 0)
+#define DST_R_CRYPTOFAILURE  (ISC_RESULTCLASS_DST + 1)
+/* compat */
+#define DST_R_OPENSSLFAILURE	DST_R_CRYPTOFAILURE
+#define DST_R_NOCRYPTO		(ISC_RESULTCLASS_DST + 2)
+#define DST_R_NULLKEY		(ISC_RESULTCLASS_DST + 3)
+#define DST_R_INVALIDPUBLICKEY	(ISC_RESULTCLASS_DST + 4)
+#define DST_R_INVALIDPRIVATEKEY (ISC_RESULTCLASS_DST + 5)
+/* 6 is unused */
+#define DST_R_WRITEERROR   (ISC_RESULTCLASS_DST + 7)
+#define DST_R_INVALIDPARAM (ISC_RESULTCLASS_DST + 8)
+/* 9 is unused */
+/* 10 is unused */
+#define DST_R_SIGNFAILURE (ISC_RESULTCLASS_DST + 11)
+/* 12 is unused */
+/* 13 is unused */
+#define DST_R_VERIFYFAILURE	     (ISC_RESULTCLASS_DST + 14)
+#define DST_R_NOTPUBLICKEY	     (ISC_RESULTCLASS_DST + 15)
+#define DST_R_NOTPRIVATEKEY	     (ISC_RESULTCLASS_DST + 16)
+#define DST_R_KEYCANNOTCOMPUTESECRET (ISC_RESULTCLASS_DST + 17)
+#define DST_R_COMPUTESECRETFAILURE   (ISC_RESULTCLASS_DST + 18)
+#define DST_R_NORANDOMNESS	     (ISC_RESULTCLASS_DST + 19)
+#define DST_R_BADKEYTYPE	     (ISC_RESULTCLASS_DST + 20)
+#define DST_R_NOENGINE		     (ISC_RESULTCLASS_DST + 21)
+#define DST_R_EXTERNALKEY	     (ISC_RESULTCLASS_DST + 22)
+
+#define DST_R_NRESULTS 23 /* Number of results */
+
+ISC_LANG_BEGINDECLS
+
+const char *dst_result_totext(isc_result_t);
+
+void
+dst_result_register(void);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DST_RESULT_H */
diff --git a/lib/dns/ipkeylist.c b/lib/dns/ipkeylist.c
new file mode 100644
index 0000000..07d2c12
--- /dev/null
+++ b/lib/dns/ipkeylist.c
@@ -0,0 +1,209 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <inttypes.h>
+#include <string.h>
+
+#include <isc/mem.h>
+#include <isc/sockaddr.h>
+#include <isc/util.h>
+
+#include <dns/ipkeylist.h>
+#include <dns/name.h>
+
+void
+dns_ipkeylist_init(dns_ipkeylist_t *ipkl) {
+	ipkl->count = 0;
+	ipkl->allocated = 0;
+	ipkl->addrs = NULL;
+	ipkl->dscps = NULL;
+	ipkl->keys = NULL;
+	ipkl->labels = NULL;
+}
+
+void
+dns_ipkeylist_clear(isc_mem_t *mctx, dns_ipkeylist_t *ipkl) {
+	uint32_t i;
+
+	REQUIRE(ipkl != NULL);
+
+	if (ipkl->allocated == 0) {
+		return;
+	}
+
+	if (ipkl->addrs != NULL) {
+		isc_mem_put(mctx, ipkl->addrs,
+			    ipkl->allocated * sizeof(isc_sockaddr_t));
+	}
+
+	if (ipkl->dscps != NULL) {
+		isc_mem_put(mctx, ipkl->dscps,
+			    ipkl->allocated * sizeof(isc_dscp_t));
+	}
+
+	if (ipkl->keys != NULL) {
+		for (i = 0; i < ipkl->allocated; i++) {
+			if (ipkl->keys[i] == NULL) {
+				continue;
+			}
+			if (dns_name_dynamic(ipkl->keys[i])) {
+				dns_name_free(ipkl->keys[i], mctx);
+			}
+			isc_mem_put(mctx, ipkl->keys[i], sizeof(dns_name_t));
+		}
+		isc_mem_put(mctx, ipkl->keys,
+			    ipkl->allocated * sizeof(dns_name_t *));
+	}
+
+	if (ipkl->labels != NULL) {
+		for (i = 0; i < ipkl->allocated; i++) {
+			if (ipkl->labels[i] == NULL) {
+				continue;
+			}
+			if (dns_name_dynamic(ipkl->labels[i])) {
+				dns_name_free(ipkl->labels[i], mctx);
+			}
+			isc_mem_put(mctx, ipkl->labels[i], sizeof(dns_name_t));
+		}
+		isc_mem_put(mctx, ipkl->labels,
+			    ipkl->allocated * sizeof(dns_name_t *));
+	}
+
+	dns_ipkeylist_init(ipkl);
+}
+
+isc_result_t
+dns_ipkeylist_copy(isc_mem_t *mctx, const dns_ipkeylist_t *src,
+		   dns_ipkeylist_t *dst) {
+	isc_result_t result = ISC_R_SUCCESS;
+	uint32_t i;
+
+	REQUIRE(dst != NULL);
+	/* dst might be preallocated, we don't care, but it must be empty */
+	REQUIRE(dst->count == 0);
+
+	if (src->count == 0) {
+		return (ISC_R_SUCCESS);
+	}
+
+	result = dns_ipkeylist_resize(mctx, dst, src->count);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	memmove(dst->addrs, src->addrs, src->count * sizeof(isc_sockaddr_t));
+
+	if (src->dscps != NULL) {
+		memmove(dst->dscps, src->dscps,
+			src->count * sizeof(isc_dscp_t));
+	}
+
+	if (src->keys != NULL) {
+		for (i = 0; i < src->count; i++) {
+			if (src->keys[i] != NULL) {
+				dst->keys[i] = isc_mem_get(mctx,
+							   sizeof(dns_name_t));
+				dns_name_init(dst->keys[i], NULL);
+				dns_name_dup(src->keys[i], mctx, dst->keys[i]);
+			} else {
+				dst->keys[i] = NULL;
+			}
+		}
+	}
+
+	if (src->labels != NULL) {
+		for (i = 0; i < src->count; i++) {
+			if (src->labels[i] != NULL) {
+				dst->labels[i] =
+					isc_mem_get(mctx, sizeof(dns_name_t));
+				dns_name_init(dst->labels[i], NULL);
+				dns_name_dup(src->labels[i], mctx,
+					     dst->labels[i]);
+			} else {
+				dst->labels[i] = NULL;
+			}
+		}
+	}
+	dst->count = src->count;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_ipkeylist_resize(isc_mem_t *mctx, dns_ipkeylist_t *ipkl, unsigned int n) {
+	isc_sockaddr_t *addrs = NULL;
+	isc_dscp_t *dscps = NULL;
+	dns_name_t **keys = NULL;
+	dns_name_t **labels = NULL;
+
+	REQUIRE(ipkl != NULL);
+	REQUIRE(n > ipkl->count);
+
+	if (n <= ipkl->allocated) {
+		return (ISC_R_SUCCESS);
+	}
+
+	addrs = isc_mem_get(mctx, n * sizeof(isc_sockaddr_t));
+	dscps = isc_mem_get(mctx, n * sizeof(isc_dscp_t));
+	keys = isc_mem_get(mctx, n * sizeof(dns_name_t *));
+	labels = isc_mem_get(mctx, n * sizeof(dns_name_t *));
+
+	if (ipkl->addrs != NULL) {
+		memmove(addrs, ipkl->addrs,
+			ipkl->allocated * sizeof(isc_sockaddr_t));
+		isc_mem_put(mctx, ipkl->addrs,
+			    ipkl->allocated * sizeof(isc_sockaddr_t));
+	}
+	ipkl->addrs = addrs;
+	memset(&ipkl->addrs[ipkl->allocated], 0,
+	       (n - ipkl->allocated) * sizeof(isc_sockaddr_t));
+
+	if (ipkl->dscps != NULL) {
+		memmove(dscps, ipkl->dscps,
+			ipkl->allocated * sizeof(isc_dscp_t));
+		isc_mem_put(mctx, ipkl->dscps,
+			    ipkl->allocated * sizeof(isc_dscp_t));
+	}
+	ipkl->dscps = dscps;
+	memset(&ipkl->dscps[ipkl->allocated], 0,
+	       (n - ipkl->allocated) * sizeof(isc_dscp_t));
+
+	if (ipkl->keys) {
+		memmove(keys, ipkl->keys,
+			ipkl->allocated * sizeof(dns_name_t *));
+		isc_mem_put(mctx, ipkl->keys,
+			    ipkl->allocated * sizeof(dns_name_t *));
+	}
+	ipkl->keys = keys;
+	memset(&ipkl->keys[ipkl->allocated], 0,
+	       (n - ipkl->allocated) * sizeof(dns_name_t *));
+
+	if (ipkl->labels != NULL) {
+		memmove(labels, ipkl->labels,
+			ipkl->allocated * sizeof(dns_name_t *));
+		isc_mem_put(mctx, ipkl->labels,
+			    ipkl->allocated * sizeof(dns_name_t *));
+	}
+	ipkl->labels = labels;
+	memset(&ipkl->labels[ipkl->allocated], 0,
+	       (n - ipkl->allocated) * sizeof(dns_name_t *));
+
+	ipkl->allocated = n;
+	return (ISC_R_SUCCESS);
+
+	isc_mem_put(mctx, addrs, n * sizeof(isc_sockaddr_t));
+	isc_mem_put(mctx, dscps, n * sizeof(isc_dscp_t));
+	isc_mem_put(mctx, keys, n * sizeof(dns_name_t *));
+	isc_mem_put(mctx, labels, n * sizeof(dns_name_t *));
+
+	return (ISC_R_NOMEMORY);
+}
diff --git a/lib/dns/iptable.c b/lib/dns/iptable.c
new file mode 100644
index 0000000..f479d71
--- /dev/null
+++ b/lib/dns/iptable.c
@@ -0,0 +1,174 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/mem.h>
+#include <isc/radix.h>
+#include <isc/util.h>
+
+#include <dns/acl.h>
+
+static void
+destroy_iptable(dns_iptable_t *dtab);
+
+/*
+ * Create a new IP table and the underlying radix structure
+ */
+isc_result_t
+dns_iptable_create(isc_mem_t *mctx, dns_iptable_t **target) {
+	isc_result_t result;
+	dns_iptable_t *tab;
+
+	tab = isc_mem_get(mctx, sizeof(*tab));
+	tab->mctx = NULL;
+	isc_mem_attach(mctx, &tab->mctx);
+	isc_refcount_init(&tab->refcount, 1);
+	tab->radix = NULL;
+	tab->magic = DNS_IPTABLE_MAGIC;
+
+	result = isc_radix_create(mctx, &tab->radix, RADIX_MAXBITS);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	*target = tab;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	dns_iptable_detach(&tab);
+	return (result);
+}
+
+static bool dns_iptable_neg = false;
+static bool dns_iptable_pos = true;
+
+/*
+ * Add an IP prefix to an existing IP table
+ */
+isc_result_t
+dns_iptable_addprefix(dns_iptable_t *tab, const isc_netaddr_t *addr,
+		      uint16_t bitlen, bool pos) {
+	isc_result_t result;
+	isc_prefix_t pfx;
+	isc_radix_node_t *node = NULL;
+	int i;
+
+	INSIST(DNS_IPTABLE_VALID(tab));
+	INSIST(tab->radix != NULL);
+
+	NETADDR_TO_PREFIX_T(addr, pfx, bitlen);
+
+	result = isc_radix_insert(tab->radix, &node, NULL, &pfx);
+	if (result != ISC_R_SUCCESS) {
+		isc_refcount_destroy(&pfx.refcount);
+		return (result);
+	}
+
+	/* If a node already contains data, don't overwrite it */
+	if (pfx.family == AF_UNSPEC) {
+		/* "any" or "none" */
+		INSIST(pfx.bitlen == 0);
+		for (i = 0; i < RADIX_FAMILIES; i++) {
+			if (node->data[i] == NULL) {
+				node->data[i] = pos ? &dns_iptable_pos
+						    : &dns_iptable_neg;
+			}
+		}
+	} else {
+		/* any other prefix */
+		int fam = ISC_RADIX_FAMILY(&pfx);
+		if (node->data[fam] == NULL) {
+			node->data[fam] = pos ? &dns_iptable_pos
+					      : &dns_iptable_neg;
+		}
+	}
+
+	isc_refcount_destroy(&pfx.refcount);
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Merge one IP table into another one.
+ */
+isc_result_t
+dns_iptable_merge(dns_iptable_t *tab, dns_iptable_t *source, bool pos) {
+	isc_result_t result;
+	isc_radix_node_t *node, *new_node;
+	int i, max_node = 0;
+
+	RADIX_WALK(source->radix->head, node) {
+		new_node = NULL;
+		result = isc_radix_insert(tab->radix, &new_node, node, NULL);
+
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+
+		/*
+		 * If we're negating a nested ACL, then we should
+		 * reverse the sense of every node.  However, this
+		 * could lead to a negative node in a nested ACL
+		 * becoming a positive match in the parent, which
+		 * could be a security risk.  To prevent this, we
+		 * just leave the negative nodes negative.
+		 */
+		for (i = 0; i < RADIX_FAMILIES; i++) {
+			if (!pos) {
+				if (node->data[i] && *(bool *)node->data[i]) {
+					new_node->data[i] = &dns_iptable_neg;
+				}
+			}
+			if (node->node_num[i] > max_node) {
+				max_node = node->node_num[i];
+			}
+		}
+	}
+	RADIX_WALK_END;
+
+	tab->radix->num_added_node += max_node;
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_iptable_attach(dns_iptable_t *source, dns_iptable_t **target) {
+	REQUIRE(DNS_IPTABLE_VALID(source));
+	isc_refcount_increment(&source->refcount);
+	*target = source;
+}
+
+void
+dns_iptable_detach(dns_iptable_t **tabp) {
+	REQUIRE(tabp != NULL && DNS_IPTABLE_VALID(*tabp));
+	dns_iptable_t *tab = *tabp;
+	*tabp = NULL;
+
+	if (isc_refcount_decrement(&tab->refcount) == 1) {
+		isc_refcount_destroy(&tab->refcount);
+		destroy_iptable(tab);
+	}
+}
+
+static void
+destroy_iptable(dns_iptable_t *dtab) {
+	REQUIRE(DNS_IPTABLE_VALID(dtab));
+
+	if (dtab->radix != NULL) {
+		isc_radix_destroy(dtab->radix, NULL);
+		dtab->radix = NULL;
+	}
+
+	dtab->magic = 0;
+	isc_mem_putanddetach(&dtab->mctx, dtab, sizeof(*dtab));
+}
diff --git a/lib/dns/journal.c b/lib/dns/journal.c
new file mode 100644
index 0000000..b586528
--- /dev/null
+++ b/lib/dns/journal.c
@@ -0,0 +1,2856 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <errno.h>
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#include <isc/file.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/serial.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/compress.h>
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/diff.h>
+#include <dns/fixedname.h>
+#include <dns/journal.h>
+#include <dns/log.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/result.h>
+#include <dns/soa.h>
+
+/*! \file
+ * \brief Journaling.
+ *
+ * A journal file consists of
+ *
+ *   \li A fixed-size header of type journal_rawheader_t.
+ *
+ *   \li The index.  This is an unordered array of index entries
+ *     of type journal_rawpos_t giving the locations
+ *     of some arbitrary subset of the journal's addressable
+ *     transactions.  The index entries are used as hints to
+ *     speed up the process of locating a transaction with a given
+ *     serial number.  Unused index entries have an "offset"
+ *     field of zero.  The size of the index can vary between
+ *     journal files, but does not change during the lifetime
+ *     of a file.  The size can be zero.
+ *
+ *   \li The journal data.  This  consists of one or more transactions.
+ *     Each transaction begins with a transaction header of type
+ *     journal_rawxhdr_t.  The transaction header is followed by a
+ *     sequence of RRs, similar in structure to an IXFR difference
+ *     sequence (RFC1995).  That is, the pre-transaction SOA,
+ *     zero or more other deleted RRs, the post-transaction SOA,
+ *     and zero or more other added RRs.  Unlike in IXFR, each RR
+ *     is prefixed with a 32-bit length.
+ *
+ *     The journal data part grows as new transactions are
+ *     appended to the file.  Only those transactions
+ *     whose serial number is current-(2^31-1) to current
+ *     are considered "addressable" and may be pointed
+ *     to from the header or index.  They may be preceded
+ *     by old transactions that are no longer addressable,
+ *     and they may be followed by transactions that were
+ *     appended to the journal but never committed by updating
+ *     the "end" position in the header.  The latter will
+ *     be overwritten when new transactions are added.
+ */
+
+/**************************************************************************/
+/*
+ * Miscellaneous utilities.
+ */
+
+#define JOURNAL_COMMON_LOGARGS \
+	dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_JOURNAL
+
+#define JOURNAL_DEBUG_LOGARGS(n) JOURNAL_COMMON_LOGARGS, ISC_LOG_DEBUG(n)
+
+/*%
+ * It would be non-sensical (or at least obtuse) to use FAIL() with an
+ * ISC_R_SUCCESS code, but the test is there to keep the Solaris compiler
+ * from complaining about "end-of-loop code not reached".
+ */
+#define FAIL(code)                           \
+	do {                                 \
+		result = (code);             \
+		if (result != ISC_R_SUCCESS) \
+			goto failure;        \
+	} while (0)
+
+#define CHECK(op)                            \
+	do {                                 \
+		result = (op);               \
+		if (result != ISC_R_SUCCESS) \
+			goto failure;        \
+	} while (0)
+
+#define JOURNAL_SERIALSET 0x01U
+
+static isc_result_t
+index_to_disk(dns_journal_t *);
+
+static uint32_t
+decode_uint32(unsigned char *p) {
+	return (((uint32_t)p[0] << 24) + ((uint32_t)p[1] << 16) +
+		((uint32_t)p[2] << 8) + ((uint32_t)p[3] << 0));
+}
+
+static void
+encode_uint32(uint32_t val, unsigned char *p) {
+	p[0] = (uint8_t)(val >> 24);
+	p[1] = (uint8_t)(val >> 16);
+	p[2] = (uint8_t)(val >> 8);
+	p[3] = (uint8_t)(val >> 0);
+}
+
+isc_result_t
+dns_db_createsoatuple(dns_db_t *db, dns_dbversion_t *ver, isc_mem_t *mctx,
+		      dns_diffop_t op, dns_difftuple_t **tp) {
+	isc_result_t result;
+	dns_dbnode_t *node;
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_fixedname_t fixed;
+	dns_name_t *zonename;
+
+	zonename = dns_fixedname_initname(&fixed);
+	dns_name_copynf(dns_db_origin(db), zonename);
+
+	node = NULL;
+	result = dns_db_findnode(db, zonename, false, &node);
+	if (result != ISC_R_SUCCESS) {
+		goto nonode;
+	}
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_soa, 0,
+				     (isc_stdtime_t)0, &rdataset, NULL);
+	if (result != ISC_R_SUCCESS) {
+		goto freenode;
+	}
+
+	result = dns_rdataset_first(&rdataset);
+	if (result != ISC_R_SUCCESS) {
+		goto freenode;
+	}
+
+	dns_rdataset_current(&rdataset, &rdata);
+	dns_rdataset_getownercase(&rdataset, zonename);
+
+	result = dns_difftuple_create(mctx, op, zonename, rdataset.ttl, &rdata,
+				      tp);
+
+	dns_rdataset_disassociate(&rdataset);
+	dns_db_detachnode(db, &node);
+	return (result);
+
+freenode:
+	dns_db_detachnode(db, &node);
+nonode:
+	UNEXPECTED_ERROR(__FILE__, __LINE__, "missing SOA");
+	return (result);
+}
+
+/* Journaling */
+
+/*%
+ * On-disk representation of a "pointer" to a journal entry.
+ * These are used in the journal header to locate the beginning
+ * and end of the journal, and in the journal index to locate
+ * other transactions.
+ */
+typedef struct {
+	unsigned char serial[4]; /*%< SOA serial before update. */
+	/*
+	 * XXXRTH  Should offset be 8 bytes?
+	 * XXXDCL ... probably, since isc_offset_t is 8 bytes on many OSs.
+	 * XXXAG  ... but we will not be able to seek >2G anyway on many
+	 *            platforms as long as we are using fseek() rather
+	 *            than lseek().
+	 */
+	unsigned char offset[4]; /*%< Offset from beginning of file. */
+} journal_rawpos_t;
+
+/*%
+ * The header is of a fixed size, with some spare room for future
+ * extensions.
+ */
+#define JOURNAL_HEADER_SIZE 64 /* Bytes. */
+
+typedef enum {
+	XHDR_VERSION1 = 1,
+	XHDR_VERSION2 = 2,
+} xhdr_version_t;
+
+/*%
+ * The on-disk representation of the journal header.
+ * All numbers are stored in big-endian order.
+ */
+typedef union {
+	struct {
+		/*% File format version ID. */
+		unsigned char format[16];
+		/*% Position of the first addressable transaction */
+		journal_rawpos_t begin;
+		/*% Position of the next (yet nonexistent) transaction. */
+		journal_rawpos_t end;
+		/*% Number of index entries following the header. */
+		unsigned char index_size[4];
+		/*% Source serial number. */
+		unsigned char sourceserial[4];
+		unsigned char flags;
+	} h;
+	/* Pad the header to a fixed size. */
+	unsigned char pad[JOURNAL_HEADER_SIZE];
+} journal_rawheader_t;
+
+/*%
+ * The on-disk representation of the transaction header, version 2.
+ * There is one of these at the beginning of each transaction.
+ */
+typedef struct {
+	unsigned char size[4];	  /*%< In bytes, excluding header. */
+	unsigned char count[4];	  /*%< Number of records in transaction */
+	unsigned char serial0[4]; /*%< SOA serial before update. */
+	unsigned char serial1[4]; /*%< SOA serial after update. */
+} journal_rawxhdr_t;
+
+/*%
+ * Old-style raw transaction header, version 1, used for backward
+ * compatibility mode.
+ */
+typedef struct {
+	unsigned char size[4];
+	unsigned char serial0[4];
+	unsigned char serial1[4];
+} journal_rawxhdr_ver1_t;
+
+/*%
+ * The on-disk representation of the RR header.
+ * There is one of these at the beginning of each RR.
+ */
+typedef struct {
+	unsigned char size[4]; /*%< In bytes, excluding header. */
+} journal_rawrrhdr_t;
+
+/*%
+ * The in-core representation of the journal header.
+ */
+typedef struct {
+	uint32_t serial;
+	isc_offset_t offset;
+} journal_pos_t;
+
+#define POS_VALID(pos)	    ((pos).offset != 0)
+#define POS_INVALIDATE(pos) ((pos).offset = 0, (pos).serial = 0)
+
+typedef struct {
+	unsigned char format[16];
+	journal_pos_t begin;
+	journal_pos_t end;
+	uint32_t index_size;
+	uint32_t sourceserial;
+	bool serialset;
+} journal_header_t;
+
+/*%
+ * The in-core representation of the transaction header.
+ */
+typedef struct {
+	uint32_t size;
+	uint32_t count;
+	uint32_t serial0;
+	uint32_t serial1;
+} journal_xhdr_t;
+
+/*%
+ * The in-core representation of the RR header.
+ */
+typedef struct {
+	uint32_t size;
+} journal_rrhdr_t;
+
+/*%
+ * Initial contents to store in the header of a newly created
+ * journal file.
+ *
+ * The header starts with the magic string ";BIND LOG V9.2\n"
+ * to identify the file as a BIND 9 journal file.  An ASCII
+ * identification string is used rather than a binary magic
+ * number to be consistent with BIND 8 (BIND 8 journal files
+ * are ASCII text files).
+ */
+
+static journal_header_t journal_header_ver1 = {
+	";BIND LOG V9\n", { 0, 0 }, { 0, 0 }, 0, 0, 0
+};
+static journal_header_t initial_journal_header = {
+	";BIND LOG V9.2\n", { 0, 0 }, { 0, 0 }, 0, 0, 0
+};
+
+#define JOURNAL_EMPTY(h) ((h)->begin.offset == (h)->end.offset)
+
+typedef enum {
+	JOURNAL_STATE_INVALID,
+	JOURNAL_STATE_READ,
+	JOURNAL_STATE_WRITE,
+	JOURNAL_STATE_TRANSACTION,
+	JOURNAL_STATE_INLINE
+} journal_state_t;
+
+struct dns_journal {
+	unsigned int magic; /*%< JOUR */
+	isc_mem_t *mctx;    /*%< Memory context */
+	journal_state_t state;
+	xhdr_version_t xhdr_version; /*%< Expected transaction header version */
+	bool header_ver1;	     /*%< Transaction header compatibility
+				      *   mode is allowed */
+	bool recovered;		     /*%< A recoverable error was found
+				      *   while reading the journal */
+	char *filename;		     /*%< Journal file name */
+	FILE *fp;		     /*%< File handle */
+	isc_offset_t offset;	     /*%< Current file offset */
+	journal_xhdr_t curxhdr;	     /*%< Current transaction header */
+	journal_header_t header;     /*%< In-core journal header */
+	unsigned char *rawindex;     /*%< In-core buffer for journal index
+				      * in on-disk format */
+	journal_pos_t *index;	     /*%< In-core journal index */
+
+	/*% Current transaction state (when writing). */
+	struct {
+		unsigned int n_soa;   /*%< Number of SOAs seen */
+		unsigned int n_rr;    /*%< Number of RRs to write */
+		journal_pos_t pos[2]; /*%< Begin/end position */
+	} x;
+
+	/*% Iteration state (when reading). */
+	struct {
+		/* These define the part of the journal we iterate over. */
+		journal_pos_t bpos; /*%< Position before first, */
+		journal_pos_t cpos; /*%< before current, */
+		journal_pos_t epos; /*%< and after last transaction */
+		/* The rest is iterator state. */
+		uint32_t current_serial; /*%< Current SOA serial */
+		isc_buffer_t source;	 /*%< Data from disk */
+		isc_buffer_t target;	 /*%< Data from _fromwire check */
+		dns_decompress_t dctx;	 /*%< Dummy decompression ctx */
+		dns_name_t name;	 /*%< Current domain name */
+		dns_rdata_t rdata;	 /*%< Current rdata */
+		uint32_t ttl;		 /*%< Current TTL */
+		unsigned int xsize;	 /*%< Size of transaction data */
+		unsigned int xpos;	 /*%< Current position in it */
+		isc_result_t result;	 /*%< Result of last call */
+	} it;
+};
+
+#define DNS_JOURNAL_MAGIC    ISC_MAGIC('J', 'O', 'U', 'R')
+#define DNS_JOURNAL_VALID(t) ISC_MAGIC_VALID(t, DNS_JOURNAL_MAGIC)
+
+static void
+journal_pos_decode(journal_rawpos_t *raw, journal_pos_t *cooked) {
+	cooked->serial = decode_uint32(raw->serial);
+	cooked->offset = decode_uint32(raw->offset);
+}
+
+static void
+journal_pos_encode(journal_rawpos_t *raw, journal_pos_t *cooked) {
+	encode_uint32(cooked->serial, raw->serial);
+	encode_uint32(cooked->offset, raw->offset);
+}
+
+static void
+journal_header_decode(journal_rawheader_t *raw, journal_header_t *cooked) {
+	INSIST(sizeof(cooked->format) == sizeof(raw->h.format));
+
+	memmove(cooked->format, raw->h.format, sizeof(cooked->format));
+	journal_pos_decode(&raw->h.begin, &cooked->begin);
+	journal_pos_decode(&raw->h.end, &cooked->end);
+	cooked->index_size = decode_uint32(raw->h.index_size);
+	cooked->sourceserial = decode_uint32(raw->h.sourceserial);
+	cooked->serialset = ((raw->h.flags & JOURNAL_SERIALSET) != 0);
+}
+
+static void
+journal_header_encode(journal_header_t *cooked, journal_rawheader_t *raw) {
+	unsigned char flags = 0;
+
+	INSIST(sizeof(cooked->format) == sizeof(raw->h.format));
+
+	memset(raw->pad, 0, sizeof(raw->pad));
+	memmove(raw->h.format, cooked->format, sizeof(raw->h.format));
+	journal_pos_encode(&raw->h.begin, &cooked->begin);
+	journal_pos_encode(&raw->h.end, &cooked->end);
+	encode_uint32(cooked->index_size, raw->h.index_size);
+	encode_uint32(cooked->sourceserial, raw->h.sourceserial);
+	if (cooked->serialset) {
+		flags |= JOURNAL_SERIALSET;
+	}
+	raw->h.flags = flags;
+}
+
+/*
+ * Journal file I/O subroutines, with error checking and reporting.
+ */
+static isc_result_t
+journal_seek(dns_journal_t *j, uint32_t offset) {
+	isc_result_t result;
+
+	result = isc_stdio_seek(j->fp, (off_t)offset, SEEK_SET);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+			      "%s: seek: %s", j->filename,
+			      isc_result_totext(result));
+		return (ISC_R_UNEXPECTED);
+	}
+	j->offset = offset;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+journal_read(dns_journal_t *j, void *mem, size_t nbytes) {
+	isc_result_t result;
+
+	result = isc_stdio_read(mem, 1, nbytes, j->fp, NULL);
+	if (result != ISC_R_SUCCESS) {
+		if (result == ISC_R_EOF) {
+			return (ISC_R_NOMORE);
+		}
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+			      "%s: read: %s", j->filename,
+			      isc_result_totext(result));
+		return (ISC_R_UNEXPECTED);
+	}
+	j->offset += (isc_offset_t)nbytes;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+journal_write(dns_journal_t *j, void *mem, size_t nbytes) {
+	isc_result_t result;
+
+	result = isc_stdio_write(mem, 1, nbytes, j->fp, NULL);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+			      "%s: write: %s", j->filename,
+			      isc_result_totext(result));
+		return (ISC_R_UNEXPECTED);
+	}
+	j->offset += (isc_offset_t)nbytes;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+journal_fsync(dns_journal_t *j) {
+	isc_result_t result;
+
+	result = isc_stdio_flush(j->fp);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+			      "%s: flush: %s", j->filename,
+			      isc_result_totext(result));
+		return (ISC_R_UNEXPECTED);
+	}
+	result = isc_stdio_sync(j->fp);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+			      "%s: fsync: %s", j->filename,
+			      isc_result_totext(result));
+		return (ISC_R_UNEXPECTED);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Read/write a transaction header at the current file position.
+ */
+static isc_result_t
+journal_read_xhdr(dns_journal_t *j, journal_xhdr_t *xhdr) {
+	isc_result_t result;
+
+	j->it.cpos.offset = j->offset;
+
+	switch (j->xhdr_version) {
+	case XHDR_VERSION1: {
+		journal_rawxhdr_ver1_t raw;
+		result = journal_read(j, &raw, sizeof(raw));
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		xhdr->size = decode_uint32(raw.size);
+		xhdr->count = 0;
+		xhdr->serial0 = decode_uint32(raw.serial0);
+		xhdr->serial1 = decode_uint32(raw.serial1);
+		j->curxhdr = *xhdr;
+		return (ISC_R_SUCCESS);
+	}
+
+	case XHDR_VERSION2: {
+		journal_rawxhdr_t raw;
+		result = journal_read(j, &raw, sizeof(raw));
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		xhdr->size = decode_uint32(raw.size);
+		xhdr->count = decode_uint32(raw.count);
+		xhdr->serial0 = decode_uint32(raw.serial0);
+		xhdr->serial1 = decode_uint32(raw.serial1);
+		j->curxhdr = *xhdr;
+		return (ISC_R_SUCCESS);
+	}
+
+	default:
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+}
+
+static isc_result_t
+journal_write_xhdr(dns_journal_t *j, uint32_t size, uint32_t count,
+		   uint32_t serial0, uint32_t serial1) {
+	if (j->header_ver1) {
+		journal_rawxhdr_ver1_t raw;
+		encode_uint32(size, raw.size);
+		encode_uint32(serial0, raw.serial0);
+		encode_uint32(serial1, raw.serial1);
+		return (journal_write(j, &raw, sizeof(raw)));
+	} else {
+		journal_rawxhdr_t raw;
+		encode_uint32(size, raw.size);
+		encode_uint32(count, raw.count);
+		encode_uint32(serial0, raw.serial0);
+		encode_uint32(serial1, raw.serial1);
+		return (journal_write(j, &raw, sizeof(raw)));
+	}
+}
+
+/*
+ * Read an RR header at the current file position.
+ */
+
+static isc_result_t
+journal_read_rrhdr(dns_journal_t *j, journal_rrhdr_t *rrhdr) {
+	journal_rawrrhdr_t raw;
+	isc_result_t result;
+
+	result = journal_read(j, &raw, sizeof(raw));
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	rrhdr->size = decode_uint32(raw.size);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+journal_file_create(isc_mem_t *mctx, bool downgrade, const char *filename) {
+	FILE *fp = NULL;
+	isc_result_t result;
+	journal_header_t header;
+	journal_rawheader_t rawheader;
+	int index_size = 56; /* XXX configurable */
+	int size;
+	void *mem = NULL; /* Memory for temporary index image. */
+
+	INSIST(sizeof(journal_rawheader_t) == JOURNAL_HEADER_SIZE);
+
+	result = isc_stdio_open(filename, "wb", &fp);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+			      "%s: create: %s", filename,
+			      isc_result_totext(result));
+		return (ISC_R_UNEXPECTED);
+	}
+
+	if (downgrade) {
+		header = journal_header_ver1;
+	} else {
+		header = initial_journal_header;
+	}
+	header.index_size = index_size;
+	journal_header_encode(&header, &rawheader);
+
+	size = sizeof(journal_rawheader_t) +
+	       index_size * sizeof(journal_rawpos_t);
+
+	mem = isc_mem_get(mctx, size);
+	memset(mem, 0, size);
+	memmove(mem, &rawheader, sizeof(rawheader));
+
+	result = isc_stdio_write(mem, 1, (size_t)size, fp, NULL);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+			      "%s: write: %s", filename,
+			      isc_result_totext(result));
+		(void)isc_stdio_close(fp);
+		(void)isc_file_remove(filename);
+		isc_mem_put(mctx, mem, size);
+		return (ISC_R_UNEXPECTED);
+	}
+	isc_mem_put(mctx, mem, size);
+
+	result = isc_stdio_close(fp);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+			      "%s: close: %s", filename,
+			      isc_result_totext(result));
+		(void)isc_file_remove(filename);
+		return (ISC_R_UNEXPECTED);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+journal_open(isc_mem_t *mctx, const char *filename, bool writable, bool create,
+	     bool downgrade, dns_journal_t **journalp) {
+	FILE *fp = NULL;
+	isc_result_t result;
+	journal_rawheader_t rawheader;
+	dns_journal_t *j;
+
+	REQUIRE(journalp != NULL && *journalp == NULL);
+
+	j = isc_mem_get(mctx, sizeof(*j));
+	*j = (dns_journal_t){ .state = JOURNAL_STATE_INVALID,
+			      .filename = isc_mem_strdup(mctx, filename),
+			      .xhdr_version = XHDR_VERSION2 };
+	isc_mem_attach(mctx, &j->mctx);
+
+	result = isc_stdio_open(j->filename, writable ? "rb+" : "rb", &fp);
+	if (result == ISC_R_FILENOTFOUND) {
+		if (create) {
+			isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_DEBUG(1),
+				      "journal file %s does not exist, "
+				      "creating it",
+				      j->filename);
+			CHECK(journal_file_create(mctx, downgrade, filename));
+			/*
+			 * Retry.
+			 */
+			result = isc_stdio_open(j->filename, "rb+", &fp);
+		} else {
+			FAIL(ISC_R_NOTFOUND);
+		}
+	}
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+			      "%s: open: %s", j->filename,
+			      isc_result_totext(result));
+		FAIL(ISC_R_UNEXPECTED);
+	}
+
+	j->fp = fp;
+
+	/*
+	 * Set magic early so that seek/read can succeed.
+	 */
+	j->magic = DNS_JOURNAL_MAGIC;
+
+	CHECK(journal_seek(j, 0));
+	CHECK(journal_read(j, &rawheader, sizeof(rawheader)));
+
+	if (memcmp(rawheader.h.format, journal_header_ver1.format,
+		   sizeof(journal_header_ver1.format)) == 0)
+	{
+		/*
+		 * The file header says it's the old format, but it
+		 * still might have the new xhdr format because we
+		 * forgot to change the format string when we introduced
+		 * the new xhdr.  When we first try to read it, we assume
+		 * it uses the new xhdr format. If that fails, we'll be
+		 * called a second time with compat set to true, in which
+		 * case we can lower xhdr_version to 1 if we find a
+		 * corrupt transaction.
+		 */
+		j->header_ver1 = true;
+	} else if (memcmp(rawheader.h.format, initial_journal_header.format,
+			  sizeof(initial_journal_header.format)) == 0)
+	{
+		/*
+		 * File header says this is format version 2; all
+		 * transactions have to match.
+		 */
+		j->header_ver1 = false;
+	} else {
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+			      "%s: journal format not recognized", j->filename);
+		FAIL(ISC_R_UNEXPECTED);
+	}
+	journal_header_decode(&rawheader, &j->header);
+
+	/*
+	 * If there is an index, read the raw index into a dynamically
+	 * allocated buffer and then convert it into a cooked index.
+	 */
+	if (j->header.index_size != 0) {
+		unsigned int i;
+		unsigned int rawbytes;
+		unsigned char *p;
+
+		rawbytes = j->header.index_size * sizeof(journal_rawpos_t);
+		j->rawindex = isc_mem_get(mctx, rawbytes);
+
+		CHECK(journal_read(j, j->rawindex, rawbytes));
+
+		j->index = isc_mem_get(mctx, j->header.index_size *
+						     sizeof(journal_pos_t));
+
+		p = j->rawindex;
+		for (i = 0; i < j->header.index_size; i++) {
+			j->index[i].serial = decode_uint32(p);
+			p += 4;
+			j->index[i].offset = decode_uint32(p);
+			p += 4;
+		}
+		INSIST(p == j->rawindex + rawbytes);
+	}
+	j->offset = -1; /* Invalid, must seek explicitly. */
+
+	/*
+	 * Initialize the iterator.
+	 */
+	dns_name_init(&j->it.name, NULL);
+	dns_rdata_init(&j->it.rdata);
+
+	/*
+	 * Set up empty initial buffers for unchecked and checked
+	 * wire format RR data.  They will be reallocated
+	 * later.
+	 */
+	isc_buffer_init(&j->it.source, NULL, 0);
+	isc_buffer_init(&j->it.target, NULL, 0);
+	dns_decompress_init(&j->it.dctx, -1, DNS_DECOMPRESS_NONE);
+
+	j->state = writable ? JOURNAL_STATE_WRITE : JOURNAL_STATE_READ;
+
+	*journalp = j;
+	return (ISC_R_SUCCESS);
+
+failure:
+	j->magic = 0;
+	if (j->rawindex != NULL) {
+		isc_mem_put(j->mctx, j->rawindex,
+			    j->header.index_size * sizeof(journal_rawpos_t));
+	}
+	if (j->index != NULL) {
+		isc_mem_put(j->mctx, j->index,
+			    j->header.index_size * sizeof(journal_pos_t));
+	}
+	isc_mem_free(j->mctx, j->filename);
+	if (j->fp != NULL) {
+		(void)isc_stdio_close(j->fp);
+	}
+	isc_mem_putanddetach(&j->mctx, j, sizeof(*j));
+	return (result);
+}
+
+isc_result_t
+dns_journal_open(isc_mem_t *mctx, const char *filename, unsigned int mode,
+		 dns_journal_t **journalp) {
+	isc_result_t result;
+	size_t namelen;
+	char backup[1024];
+	bool writable, create;
+
+	create = ((mode & DNS_JOURNAL_CREATE) != 0);
+	writable = ((mode & (DNS_JOURNAL_WRITE | DNS_JOURNAL_CREATE)) != 0);
+
+	result = journal_open(mctx, filename, writable, create, false,
+			      journalp);
+	if (result == ISC_R_NOTFOUND) {
+		namelen = strlen(filename);
+		if (namelen > 4U && strcmp(filename + namelen - 4, ".jnl") == 0)
+		{
+			namelen -= 4;
+		}
+
+		result = snprintf(backup, sizeof(backup), "%.*s.jbk",
+				  (int)namelen, filename);
+		if (result >= sizeof(backup)) {
+			return (ISC_R_NOSPACE);
+		}
+		result = journal_open(mctx, backup, writable, writable, false,
+				      journalp);
+	}
+	return (result);
+}
+
+/*
+ * A comparison function defining the sorting order for
+ * entries in the IXFR-style journal file.
+ *
+ * The IXFR format requires that deletions are sorted before
+ * additions, and within either one, SOA records are sorted
+ * before others.
+ *
+ * Also sort the non-SOA records by type as a courtesy to the
+ * server receiving the IXFR - it may help reduce the amount of
+ * rdataset merging it has to do.
+ */
+static int
+ixfr_order(const void *av, const void *bv) {
+	dns_difftuple_t const *const *ap = av;
+	dns_difftuple_t const *const *bp = bv;
+	dns_difftuple_t const *a = *ap;
+	dns_difftuple_t const *b = *bp;
+	int r;
+	int bop = 0, aop = 0;
+
+	switch (a->op) {
+	case DNS_DIFFOP_DEL:
+	case DNS_DIFFOP_DELRESIGN:
+		aop = 1;
+		break;
+	case DNS_DIFFOP_ADD:
+	case DNS_DIFFOP_ADDRESIGN:
+		aop = 0;
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	switch (b->op) {
+	case DNS_DIFFOP_DEL:
+	case DNS_DIFFOP_DELRESIGN:
+		bop = 1;
+		break;
+	case DNS_DIFFOP_ADD:
+	case DNS_DIFFOP_ADDRESIGN:
+		bop = 0;
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	r = bop - aop;
+	if (r != 0) {
+		return (r);
+	}
+
+	r = (b->rdata.type == dns_rdatatype_soa) -
+	    (a->rdata.type == dns_rdatatype_soa);
+	if (r != 0) {
+		return (r);
+	}
+
+	r = (a->rdata.type - b->rdata.type);
+	return (r);
+}
+
+static isc_result_t
+maybe_fixup_xhdr(dns_journal_t *j, journal_xhdr_t *xhdr, uint32_t serial,
+		 isc_offset_t offset) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	/*
+	 * Handle mixture of version 1 and version 2
+	 * transaction headers in a version 1 journal.
+	 */
+	if ((xhdr->serial0 != serial ||
+	     isc_serial_le(xhdr->serial1, xhdr->serial0)))
+	{
+		if (j->xhdr_version == XHDR_VERSION1 && xhdr->serial1 == serial)
+		{
+			isc_log_write(
+				JOURNAL_COMMON_LOGARGS, ISC_LOG_DEBUG(3),
+				"%s: XHDR_VERSION1 -> XHDR_VERSION2 at %u",
+				j->filename, serial);
+			j->xhdr_version = XHDR_VERSION2;
+			CHECK(journal_seek(j, offset));
+			CHECK(journal_read_xhdr(j, xhdr));
+			j->recovered = true;
+		} else if (j->xhdr_version == XHDR_VERSION2 &&
+			   xhdr->count == serial)
+		{
+			isc_log_write(
+				JOURNAL_COMMON_LOGARGS, ISC_LOG_DEBUG(3),
+				"%s: XHDR_VERSION2 -> XHDR_VERSION1 at %u",
+				j->filename, serial);
+			j->xhdr_version = XHDR_VERSION1;
+			CHECK(journal_seek(j, offset));
+			CHECK(journal_read_xhdr(j, xhdr));
+			j->recovered = true;
+		}
+	}
+
+	/*
+	 * Handle <size, serial0, serial1, 0> transaction header.
+	 */
+	if (j->xhdr_version == XHDR_VERSION1) {
+		uint32_t value;
+
+		CHECK(journal_read(j, &value, sizeof(value)));
+		if (value != 0L) {
+			CHECK(journal_seek(j, offset + 12));
+		} else {
+			isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_DEBUG(3),
+				      "%s: XHDR_VERSION1 count zero at %u",
+				      j->filename, serial);
+			j->xhdr_version = XHDR_VERSION2;
+			j->recovered = true;
+		}
+	} else if (j->xhdr_version == XHDR_VERSION2 && xhdr->count == serial &&
+		   xhdr->serial1 == 0U &&
+		   isc_serial_gt(xhdr->serial0, xhdr->count))
+	{
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_DEBUG(3),
+			      "%s: XHDR_VERSION2 count zero at %u", j->filename,
+			      serial);
+		xhdr->serial1 = xhdr->serial0;
+		xhdr->serial0 = xhdr->count;
+		xhdr->count = 0;
+		j->recovered = true;
+	}
+
+failure:
+	return (result);
+}
+
+/*
+ * Advance '*pos' to the next journal transaction.
+ *
+ * Requires:
+ *	*pos refers to a valid journal transaction.
+ *
+ * Ensures:
+ *	When ISC_R_SUCCESS is returned,
+ *	*pos refers to the next journal transaction.
+ *
+ * Returns one of:
+ *
+ *    ISC_R_SUCCESS
+ *    ISC_R_NOMORE 	*pos pointed at the last transaction
+ *    Other results due to file errors are possible.
+ */
+static isc_result_t
+journal_next(dns_journal_t *j, journal_pos_t *pos) {
+	isc_result_t result;
+	journal_xhdr_t xhdr;
+	size_t hdrsize;
+
+	REQUIRE(DNS_JOURNAL_VALID(j));
+
+	result = journal_seek(j, pos->offset);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	if (pos->serial == j->header.end.serial) {
+		return (ISC_R_NOMORE);
+	}
+
+	/*
+	 * Read the header of the current transaction.
+	 * This will return ISC_R_NOMORE if we are at EOF.
+	 */
+	result = journal_read_xhdr(j, &xhdr);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	if (j->header_ver1) {
+		CHECK(maybe_fixup_xhdr(j, &xhdr, pos->serial, pos->offset));
+	}
+
+	/*
+	 * Check serial number consistency.
+	 */
+	if (xhdr.serial0 != pos->serial ||
+	    isc_serial_le(xhdr.serial1, xhdr.serial0))
+	{
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+			      "%s: journal file corrupt: "
+			      "expected serial %u, got %u",
+			      j->filename, pos->serial, xhdr.serial0);
+		return (ISC_R_UNEXPECTED);
+	}
+
+	/*
+	 * Check for offset wraparound.
+	 */
+	hdrsize = (j->xhdr_version == XHDR_VERSION2)
+			  ? sizeof(journal_rawxhdr_t)
+			  : sizeof(journal_rawxhdr_ver1_t);
+
+	if ((isc_offset_t)(pos->offset + hdrsize + xhdr.size) < pos->offset) {
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+			      "%s: offset too large", j->filename);
+		return (ISC_R_UNEXPECTED);
+	}
+
+	pos->offset += hdrsize + xhdr.size;
+	pos->serial = xhdr.serial1;
+	return (ISC_R_SUCCESS);
+
+failure:
+	return (result);
+}
+
+/*
+ * If the index of the journal 'j' contains an entry "better"
+ * than '*best_guess', replace '*best_guess' with it.
+ *
+ * "Better" means having a serial number closer to 'serial'
+ * but not greater than 'serial'.
+ */
+static void
+index_find(dns_journal_t *j, uint32_t serial, journal_pos_t *best_guess) {
+	unsigned int i;
+	if (j->index == NULL) {
+		return;
+	}
+	for (i = 0; i < j->header.index_size; i++) {
+		if (POS_VALID(j->index[i]) &&
+		    DNS_SERIAL_GE(serial, j->index[i].serial) &&
+		    DNS_SERIAL_GT(j->index[i].serial, best_guess->serial))
+		{
+			*best_guess = j->index[i];
+		}
+	}
+}
+
+/*
+ * Add a new index entry.  If there is no room, make room by removing
+ * the odd-numbered entries and compacting the others into the first
+ * half of the index.  This decimates old index entries exponentially
+ * over time, so that the index always contains a much larger fraction
+ * of recent serial numbers than of old ones.  This is deliberate -
+ * most index searches are for outgoing IXFR, and IXFR tends to request
+ * recent versions more often than old ones.
+ */
+static void
+index_add(dns_journal_t *j, journal_pos_t *pos) {
+	unsigned int i;
+
+	if (j->index == NULL) {
+		return;
+	}
+
+	/*
+	 * Search for a vacant position.
+	 */
+	for (i = 0; i < j->header.index_size; i++) {
+		if (!POS_VALID(j->index[i])) {
+			break;
+		}
+	}
+	if (i == j->header.index_size) {
+		unsigned int k = 0;
+		/*
+		 * Found no vacant position.  Make some room.
+		 */
+		for (i = 0; i < j->header.index_size; i += 2) {
+			j->index[k++] = j->index[i];
+		}
+		i = k; /* 'i' identifies the first vacant position. */
+		while (k < j->header.index_size) {
+			POS_INVALIDATE(j->index[k]);
+			k++;
+		}
+	}
+	INSIST(i < j->header.index_size);
+	INSIST(!POS_VALID(j->index[i]));
+
+	/*
+	 * Store the new index entry.
+	 */
+	j->index[i] = *pos;
+}
+
+/*
+ * Invalidate any existing index entries that could become
+ * ambiguous when a new transaction with number 'serial' is added.
+ */
+static void
+index_invalidate(dns_journal_t *j, uint32_t serial) {
+	unsigned int i;
+	if (j->index == NULL) {
+		return;
+	}
+	for (i = 0; i < j->header.index_size; i++) {
+		if (!DNS_SERIAL_GT(serial, j->index[i].serial)) {
+			POS_INVALIDATE(j->index[i]);
+		}
+	}
+}
+
+/*
+ * Try to find a transaction with initial serial number 'serial'
+ * in the journal 'j'.
+ *
+ * If found, store its position at '*pos' and return ISC_R_SUCCESS.
+ *
+ * If 'serial' is current (= the ending serial number of the
+ * last transaction in the journal), set '*pos' to
+ * the position immediately following the last transaction and
+ * return ISC_R_SUCCESS.
+ *
+ * If 'serial' is within the range of addressable serial numbers
+ * covered by the journal but that particular serial number is missing
+ * (from the journal, not just from the index), return ISC_R_NOTFOUND.
+ *
+ * If 'serial' is outside the range of addressable serial numbers
+ * covered by the journal, return ISC_R_RANGE.
+ *
+ */
+static isc_result_t
+journal_find(dns_journal_t *j, uint32_t serial, journal_pos_t *pos) {
+	isc_result_t result;
+	journal_pos_t current_pos;
+
+	REQUIRE(DNS_JOURNAL_VALID(j));
+
+	if (DNS_SERIAL_GT(j->header.begin.serial, serial)) {
+		return (ISC_R_RANGE);
+	}
+	if (DNS_SERIAL_GT(serial, j->header.end.serial)) {
+		return (ISC_R_RANGE);
+	}
+	if (serial == j->header.end.serial) {
+		*pos = j->header.end;
+		return (ISC_R_SUCCESS);
+	}
+
+	current_pos = j->header.begin;
+	index_find(j, serial, &current_pos);
+
+	while (current_pos.serial != serial) {
+		if (DNS_SERIAL_GT(current_pos.serial, serial)) {
+			return (ISC_R_NOTFOUND);
+		}
+		result = journal_next(j, &current_pos);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+	*pos = current_pos;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_journal_begin_transaction(dns_journal_t *j) {
+	uint32_t offset;
+	isc_result_t result;
+
+	REQUIRE(DNS_JOURNAL_VALID(j));
+	REQUIRE(j->state == JOURNAL_STATE_WRITE ||
+		j->state == JOURNAL_STATE_INLINE);
+
+	/*
+	 * Find the file offset where the new transaction should
+	 * be written, and seek there.
+	 */
+	if (JOURNAL_EMPTY(&j->header)) {
+		offset = sizeof(journal_rawheader_t) +
+			 j->header.index_size * sizeof(journal_rawpos_t);
+	} else {
+		offset = j->header.end.offset;
+	}
+	j->x.pos[0].offset = offset;
+	j->x.pos[1].offset = offset; /* Initial value, will be incremented. */
+	j->x.n_soa = 0;
+
+	CHECK(journal_seek(j, offset));
+
+	/*
+	 * Write a dummy transaction header of all zeroes to reserve
+	 * space.  It will be filled in when the transaction is
+	 * finished.
+	 */
+	CHECK(journal_write_xhdr(j, 0, 0, 0, 0));
+	j->x.pos[1].offset = j->offset;
+
+	j->state = JOURNAL_STATE_TRANSACTION;
+	result = ISC_R_SUCCESS;
+failure:
+	return (result);
+}
+
+isc_result_t
+dns_journal_writediff(dns_journal_t *j, dns_diff_t *diff) {
+	dns_difftuple_t *t;
+	isc_buffer_t buffer;
+	void *mem = NULL;
+	uint64_t size = 0;
+	uint32_t rrcount = 0;
+	isc_result_t result;
+	isc_region_t used;
+
+	REQUIRE(DNS_DIFF_VALID(diff));
+	REQUIRE(j->state == JOURNAL_STATE_TRANSACTION);
+
+	isc_log_write(JOURNAL_DEBUG_LOGARGS(3), "writing to journal");
+	(void)dns_diff_print(diff, NULL);
+
+	/*
+	 * Pass 1: determine the buffer size needed, and
+	 * keep track of SOA serial numbers.
+	 */
+	for (t = ISC_LIST_HEAD(diff->tuples); t != NULL;
+	     t = ISC_LIST_NEXT(t, link))
+	{
+		if (t->rdata.type == dns_rdatatype_soa) {
+			if (j->x.n_soa < 2) {
+				j->x.pos[j->x.n_soa].serial =
+					dns_soa_getserial(&t->rdata);
+			}
+			j->x.n_soa++;
+		}
+		size += sizeof(journal_rawrrhdr_t);
+		size += t->name.length; /* XXX should have access macro? */
+		size += 10;
+		size += t->rdata.length;
+	}
+
+	if (size >= DNS_JOURNAL_SIZE_MAX) {
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+			      "dns_journal_writediff: %s: journal entry "
+			      "too big to be stored: %" PRIu64 " bytes",
+			      j->filename, size);
+		return (ISC_R_NOSPACE);
+	}
+
+	mem = isc_mem_get(j->mctx, size);
+
+	isc_buffer_init(&buffer, mem, size);
+
+	/*
+	 * Pass 2.  Write RRs to buffer.
+	 */
+	for (t = ISC_LIST_HEAD(diff->tuples); t != NULL;
+	     t = ISC_LIST_NEXT(t, link))
+	{
+		/*
+		 * Write the RR header.
+		 */
+		isc_buffer_putuint32(&buffer,
+				     t->name.length + 10 + t->rdata.length);
+		/*
+		 * Write the owner name, RR header, and RR data.
+		 */
+		isc_buffer_putmem(&buffer, t->name.ndata, t->name.length);
+		isc_buffer_putuint16(&buffer, t->rdata.type);
+		isc_buffer_putuint16(&buffer, t->rdata.rdclass);
+		isc_buffer_putuint32(&buffer, t->ttl);
+		INSIST(t->rdata.length < 65536);
+		isc_buffer_putuint16(&buffer, (uint16_t)t->rdata.length);
+		INSIST(isc_buffer_availablelength(&buffer) >= t->rdata.length);
+		isc_buffer_putmem(&buffer, t->rdata.data, t->rdata.length);
+
+		rrcount++;
+	}
+
+	isc_buffer_usedregion(&buffer, &used);
+	INSIST(used.length == size);
+
+	j->x.pos[1].offset += used.length;
+	j->x.n_rr = rrcount;
+
+	/*
+	 * Write the buffer contents to the journal file.
+	 */
+	CHECK(journal_write(j, used.base, used.length));
+
+	result = ISC_R_SUCCESS;
+
+failure:
+	if (mem != NULL) {
+		isc_mem_put(j->mctx, mem, size);
+	}
+	return (result);
+}
+
+isc_result_t
+dns_journal_commit(dns_journal_t *j) {
+	isc_result_t result;
+	journal_rawheader_t rawheader;
+	uint64_t total;
+
+	REQUIRE(DNS_JOURNAL_VALID(j));
+	REQUIRE(j->state == JOURNAL_STATE_TRANSACTION ||
+		j->state == JOURNAL_STATE_INLINE);
+
+	/*
+	 * Just write out a updated header.
+	 */
+	if (j->state == JOURNAL_STATE_INLINE) {
+		CHECK(journal_fsync(j));
+		journal_header_encode(&j->header, &rawheader);
+		CHECK(journal_seek(j, 0));
+		CHECK(journal_write(j, &rawheader, sizeof(rawheader)));
+		CHECK(journal_fsync(j));
+		j->state = JOURNAL_STATE_WRITE;
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * Perform some basic consistency checks.
+	 */
+	if (j->x.n_soa != 2) {
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+			      "%s: malformed transaction: %d SOAs", j->filename,
+			      j->x.n_soa);
+		return (ISC_R_UNEXPECTED);
+	}
+	if (!DNS_SERIAL_GT(j->x.pos[1].serial, j->x.pos[0].serial)) {
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+			      "%s: malformed transaction: serial number "
+			      "did not increase",
+			      j->filename);
+		return (ISC_R_UNEXPECTED);
+	}
+	if (!JOURNAL_EMPTY(&j->header)) {
+		if (j->x.pos[0].serial != j->header.end.serial) {
+			isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+				      "malformed transaction: "
+				      "%s last serial %u != "
+				      "transaction first serial %u",
+				      j->filename, j->header.end.serial,
+				      j->x.pos[0].serial);
+			return (ISC_R_UNEXPECTED);
+		}
+	}
+
+	/*
+	 * We currently don't support huge journal entries.
+	 */
+	total = j->x.pos[1].offset - j->x.pos[0].offset;
+	if (total >= DNS_JOURNAL_SIZE_MAX) {
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+			      "transaction too big to be stored in journal: "
+			      "%" PRIu64 "b (max is %" PRIu64 "b)",
+			      total, (uint64_t)DNS_JOURNAL_SIZE_MAX);
+		return (ISC_R_UNEXPECTED);
+	}
+
+	/*
+	 * Some old journal entries may become non-addressable
+	 * when we increment the current serial number.  Purge them
+	 * by stepping header.begin forward to the first addressable
+	 * transaction.  Also purge them from the index.
+	 */
+	if (!JOURNAL_EMPTY(&j->header)) {
+		while (!DNS_SERIAL_GT(j->x.pos[1].serial,
+				      j->header.begin.serial))
+		{
+			CHECK(journal_next(j, &j->header.begin));
+		}
+		index_invalidate(j, j->x.pos[1].serial);
+	}
+#ifdef notyet
+	if (DNS_SERIAL_GT(last_dumped_serial, j->x.pos[1].serial)) {
+		force_dump(...);
+	}
+#endif /* ifdef notyet */
+
+	/*
+	 * Commit the transaction data to stable storage.
+	 */
+	CHECK(journal_fsync(j));
+
+	if (j->state == JOURNAL_STATE_TRANSACTION) {
+		isc_offset_t offset;
+		offset = (j->x.pos[1].offset - j->x.pos[0].offset) -
+			 (j->header_ver1 ? sizeof(journal_rawxhdr_ver1_t)
+					 : sizeof(journal_rawxhdr_t));
+		/*
+		 * Update the transaction header.
+		 */
+		CHECK(journal_seek(j, j->x.pos[0].offset));
+		CHECK(journal_write_xhdr(j, offset, j->x.n_rr,
+					 j->x.pos[0].serial,
+					 j->x.pos[1].serial));
+	}
+
+	/*
+	 * Update the journal header.
+	 */
+	if (JOURNAL_EMPTY(&j->header)) {
+		j->header.begin = j->x.pos[0];
+	}
+	j->header.end = j->x.pos[1];
+	journal_header_encode(&j->header, &rawheader);
+	CHECK(journal_seek(j, 0));
+	CHECK(journal_write(j, &rawheader, sizeof(rawheader)));
+
+	/*
+	 * Update the index.
+	 */
+	index_add(j, &j->x.pos[0]);
+
+	/*
+	 * Convert the index into on-disk format and write
+	 * it to disk.
+	 */
+	CHECK(index_to_disk(j));
+
+	/*
+	 * Commit the header to stable storage.
+	 */
+	CHECK(journal_fsync(j));
+
+	/*
+	 * We no longer have a transaction open.
+	 */
+	j->state = JOURNAL_STATE_WRITE;
+
+	result = ISC_R_SUCCESS;
+
+failure:
+	return (result);
+}
+
+isc_result_t
+dns_journal_write_transaction(dns_journal_t *j, dns_diff_t *diff) {
+	isc_result_t result;
+
+	CHECK(dns_diff_sort(diff, ixfr_order));
+	CHECK(dns_journal_begin_transaction(j));
+	CHECK(dns_journal_writediff(j, diff));
+	CHECK(dns_journal_commit(j));
+	result = ISC_R_SUCCESS;
+failure:
+	return (result);
+}
+
+void
+dns_journal_destroy(dns_journal_t **journalp) {
+	dns_journal_t *j = NULL;
+
+	REQUIRE(journalp != NULL);
+	REQUIRE(DNS_JOURNAL_VALID(*journalp));
+
+	j = *journalp;
+	*journalp = NULL;
+
+	j->it.result = ISC_R_FAILURE;
+	dns_name_invalidate(&j->it.name);
+	dns_decompress_invalidate(&j->it.dctx);
+	if (j->rawindex != NULL) {
+		isc_mem_put(j->mctx, j->rawindex,
+			    j->header.index_size * sizeof(journal_rawpos_t));
+	}
+	if (j->index != NULL) {
+		isc_mem_put(j->mctx, j->index,
+			    j->header.index_size * sizeof(journal_pos_t));
+	}
+	if (j->it.target.base != NULL) {
+		isc_mem_put(j->mctx, j->it.target.base, j->it.target.length);
+	}
+	if (j->it.source.base != NULL) {
+		isc_mem_put(j->mctx, j->it.source.base, j->it.source.length);
+	}
+	if (j->filename != NULL) {
+		isc_mem_free(j->mctx, j->filename);
+	}
+	if (j->fp != NULL) {
+		(void)isc_stdio_close(j->fp);
+	}
+	j->magic = 0;
+	isc_mem_putanddetach(&j->mctx, j, sizeof(*j));
+}
+
+/*
+ * Roll the open journal 'j' into the database 'db'.
+ * A new database version will be created.
+ */
+
+/* XXX Share code with incoming IXFR? */
+
+isc_result_t
+dns_journal_rollforward(dns_journal_t *j, dns_db_t *db, unsigned int options) {
+	isc_buffer_t source; /* Transaction data from disk */
+	isc_buffer_t target; /* Ditto after _fromwire check */
+	uint32_t db_serial;  /* Database SOA serial */
+	uint32_t end_serial; /* Last journal SOA serial */
+	isc_result_t result;
+	dns_dbversion_t *ver = NULL;
+	journal_pos_t pos;
+	dns_diff_t diff;
+	unsigned int n_soa = 0;
+	unsigned int n_put = 0;
+	dns_diffop_t op;
+
+	REQUIRE(DNS_JOURNAL_VALID(j));
+	REQUIRE(DNS_DB_VALID(db));
+
+	dns_diff_init(j->mctx, &diff);
+
+	/*
+	 * Set up empty initial buffers for unchecked and checked
+	 * wire format transaction data.  They will be reallocated
+	 * later.
+	 */
+	isc_buffer_init(&source, NULL, 0);
+	isc_buffer_init(&target, NULL, 0);
+
+	/*
+	 * Create the new database version.
+	 */
+	CHECK(dns_db_newversion(db, &ver));
+
+	/*
+	 * Get the current database SOA serial number.
+	 */
+	CHECK(dns_db_getsoaserial(db, ver, &db_serial));
+
+	/*
+	 * Locate a journal entry for the current database serial.
+	 */
+	CHECK(journal_find(j, db_serial, &pos));
+
+	end_serial = dns_journal_last_serial(j);
+
+	/*
+	 * If we're reading a version 1 file, scan all the transactions
+	 * to see if the journal needs rewriting: if any outdated
+	 * transaction headers are found, j->recovered will be set.
+	 */
+	if (j->header_ver1) {
+		uint32_t start_serial = dns_journal_first_serial(j);
+
+		CHECK(dns_journal_iter_init(j, start_serial, db_serial, NULL));
+		for (result = dns_journal_first_rr(j); result == ISC_R_SUCCESS;
+		     result = dns_journal_next_rr(j))
+		{
+			continue;
+		}
+	}
+
+	if (db_serial == end_serial) {
+		CHECK(DNS_R_UPTODATE);
+	}
+
+	CHECK(dns_journal_iter_init(j, db_serial, end_serial, NULL));
+	for (result = dns_journal_first_rr(j); result == ISC_R_SUCCESS;
+	     result = dns_journal_next_rr(j))
+	{
+		dns_name_t *name = NULL;
+		dns_rdata_t *rdata = NULL;
+		dns_difftuple_t *tuple = NULL;
+		uint32_t ttl;
+
+		dns_journal_current_rr(j, &name, &ttl, &rdata);
+
+		if (rdata->type == dns_rdatatype_soa) {
+			n_soa++;
+			if (n_soa == 2) {
+				db_serial = j->it.current_serial;
+			}
+		}
+
+		if (n_soa == 3) {
+			n_soa = 1;
+		}
+		if (n_soa == 0) {
+			isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+				      "%s: journal file corrupt: missing "
+				      "initial SOA",
+				      j->filename);
+			FAIL(ISC_R_UNEXPECTED);
+		}
+		if ((options & DNS_JOURNALOPT_RESIGN) != 0) {
+			op = (n_soa == 1) ? DNS_DIFFOP_DELRESIGN
+					  : DNS_DIFFOP_ADDRESIGN;
+		} else {
+			op = (n_soa == 1) ? DNS_DIFFOP_DEL : DNS_DIFFOP_ADD;
+		}
+
+		CHECK(dns_difftuple_create(diff.mctx, op, name, ttl, rdata,
+					   &tuple));
+		dns_diff_append(&diff, &tuple);
+
+		if (++n_put > 100) {
+			isc_log_write(JOURNAL_DEBUG_LOGARGS(3),
+				      "%s: applying diff to database (%u)",
+				      j->filename, db_serial);
+			(void)dns_diff_print(&diff, NULL);
+			CHECK(dns_diff_apply(&diff, db, ver));
+			dns_diff_clear(&diff);
+			n_put = 0;
+		}
+	}
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+	}
+	CHECK(result);
+
+	if (n_put != 0) {
+		isc_log_write(JOURNAL_DEBUG_LOGARGS(3),
+			      "%s: applying final diff to database (%u)",
+			      j->filename, db_serial);
+		(void)dns_diff_print(&diff, NULL);
+		CHECK(dns_diff_apply(&diff, db, ver));
+		dns_diff_clear(&diff);
+	}
+
+failure:
+	if (ver != NULL) {
+		dns_db_closeversion(db, &ver,
+				    result == ISC_R_SUCCESS ? true : false);
+	}
+
+	if (source.base != NULL) {
+		isc_mem_put(j->mctx, source.base, source.length);
+	}
+	if (target.base != NULL) {
+		isc_mem_put(j->mctx, target.base, target.length);
+	}
+
+	dns_diff_clear(&diff);
+
+	INSIST(ver == NULL);
+
+	return (result);
+}
+
+isc_result_t
+dns_journal_print(isc_mem_t *mctx, uint32_t flags, const char *filename,
+		  FILE *file) {
+	dns_journal_t *j = NULL;
+	isc_buffer_t source;   /* Transaction data from disk */
+	isc_buffer_t target;   /* Ditto after _fromwire check */
+	uint32_t start_serial; /* Database SOA serial */
+	uint32_t end_serial;   /* Last journal SOA serial */
+	isc_result_t result;
+	dns_diff_t diff;
+	unsigned int n_soa = 0;
+	unsigned int n_put = 0;
+	bool printxhdr = ((flags & DNS_JOURNAL_PRINTXHDR) != 0);
+
+	REQUIRE(filename != NULL);
+
+	result = dns_journal_open(mctx, filename, DNS_JOURNAL_READ, &j);
+	if (result == ISC_R_NOTFOUND) {
+		isc_log_write(JOURNAL_DEBUG_LOGARGS(3), "no journal file");
+		return (DNS_R_NOJOURNAL);
+	} else if (result != ISC_R_SUCCESS) {
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+			      "journal open failure: %s: %s",
+			      isc_result_totext(result), filename);
+		return (result);
+	}
+
+	if (printxhdr) {
+		fprintf(file, "Journal format = %sHeader version = %d\n",
+			j->header.format + 1, j->header_ver1 ? 1 : 2);
+		fprintf(file, "Start serial = %u\n", j->header.begin.serial);
+		fprintf(file, "End serial = %u\n", j->header.end.serial);
+		fprintf(file, "Index (size = %u):\n", j->header.index_size);
+		for (uint32_t i = 0; i < j->header.index_size; i++) {
+			if (j->index[i].offset == 0) {
+				fputc('\n', file);
+				break;
+			}
+			fprintf(file, "%lld", (long long)j->index[i].offset);
+			fputc((i + 1) % 8 == 0 ? '\n' : ' ', file);
+		}
+	}
+	if (j->header.serialset) {
+		fprintf(file, "Source serial = %u\n", j->header.sourceserial);
+	}
+	dns_diff_init(j->mctx, &diff);
+
+	/*
+	 * Set up empty initial buffers for unchecked and checked
+	 * wire format transaction data.  They will be reallocated
+	 * later.
+	 */
+	isc_buffer_init(&source, NULL, 0);
+	isc_buffer_init(&target, NULL, 0);
+
+	start_serial = dns_journal_first_serial(j);
+	end_serial = dns_journal_last_serial(j);
+
+	CHECK(dns_journal_iter_init(j, start_serial, end_serial, NULL));
+
+	for (result = dns_journal_first_rr(j); result == ISC_R_SUCCESS;
+	     result = dns_journal_next_rr(j))
+	{
+		dns_name_t *name = NULL;
+		dns_rdata_t *rdata = NULL;
+		dns_difftuple_t *tuple = NULL;
+		static uint32_t i = 0;
+		bool print = false;
+		uint32_t ttl;
+
+		dns_journal_current_rr(j, &name, &ttl, &rdata);
+
+		if (rdata->type == dns_rdatatype_soa) {
+			n_soa++;
+			if (n_soa == 3) {
+				n_soa = 1;
+			}
+			if (n_soa == 1) {
+				print = printxhdr;
+			}
+		}
+		if (n_soa == 0) {
+			isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+				      "%s: journal file corrupt: missing "
+				      "initial SOA",
+				      j->filename);
+			FAIL(ISC_R_UNEXPECTED);
+		}
+
+		if (print) {
+			fprintf(file,
+				"Transaction: version %d offset %lld size %u "
+				"rrcount %u start %u end %u\n",
+				j->xhdr_version, (long long)j->it.cpos.offset,
+				j->curxhdr.size, j->curxhdr.count,
+				j->curxhdr.serial0, j->curxhdr.serial1);
+			if (j->it.cpos.offset > j->index[i].offset) {
+				fprintf(file,
+					"ERROR: Offset mismatch, "
+					"expected %lld\n",
+					(long long)j->index[i].offset);
+			} else if (j->it.cpos.offset == j->index[i].offset) {
+				i++;
+			}
+		}
+		CHECK(dns_difftuple_create(
+			diff.mctx, n_soa == 1 ? DNS_DIFFOP_DEL : DNS_DIFFOP_ADD,
+			name, ttl, rdata, &tuple));
+		dns_diff_append(&diff, &tuple);
+
+		if (++n_put > 100 || printxhdr) {
+			result = dns_diff_print(&diff, file);
+			dns_diff_clear(&diff);
+			n_put = 0;
+			if (result != ISC_R_SUCCESS) {
+				break;
+			}
+		}
+	}
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+	}
+	CHECK(result);
+
+	if (n_put != 0) {
+		result = dns_diff_print(&diff, file);
+		dns_diff_clear(&diff);
+	}
+	goto cleanup;
+
+failure:
+	isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+		      "%s: cannot print: journal file corrupt", j->filename);
+
+cleanup:
+	if (source.base != NULL) {
+		isc_mem_put(j->mctx, source.base, source.length);
+	}
+	if (target.base != NULL) {
+		isc_mem_put(j->mctx, target.base, target.length);
+	}
+
+	dns_diff_clear(&diff);
+	dns_journal_destroy(&j);
+
+	return (result);
+}
+
+/**************************************************************************/
+/*
+ * Miscellaneous accessors.
+ */
+bool
+dns_journal_empty(dns_journal_t *j) {
+	return (JOURNAL_EMPTY(&j->header));
+}
+
+bool
+dns_journal_recovered(dns_journal_t *j) {
+	return (j->recovered);
+}
+
+uint32_t
+dns_journal_first_serial(dns_journal_t *j) {
+	return (j->header.begin.serial);
+}
+
+uint32_t
+dns_journal_last_serial(dns_journal_t *j) {
+	return (j->header.end.serial);
+}
+
+void
+dns_journal_set_sourceserial(dns_journal_t *j, uint32_t sourceserial) {
+	REQUIRE(j->state == JOURNAL_STATE_WRITE ||
+		j->state == JOURNAL_STATE_INLINE ||
+		j->state == JOURNAL_STATE_TRANSACTION);
+
+	j->header.sourceserial = sourceserial;
+	j->header.serialset = true;
+	if (j->state == JOURNAL_STATE_WRITE) {
+		j->state = JOURNAL_STATE_INLINE;
+	}
+}
+
+bool
+dns_journal_get_sourceserial(dns_journal_t *j, uint32_t *sourceserial) {
+	REQUIRE(sourceserial != NULL);
+
+	if (!j->header.serialset) {
+		return (false);
+	}
+	*sourceserial = j->header.sourceserial;
+	return (true);
+}
+
+/**************************************************************************/
+/*
+ * Iteration support.
+ *
+ * When serving an outgoing IXFR, we transmit a part the journal starting
+ * at the serial number in the IXFR request and ending at the serial
+ * number that is current when the IXFR request arrives.  The ending
+ * serial number is not necessarily at the end of the journal:
+ * the journal may grow while the IXFR is in progress, but we stop
+ * when we reach the serial number that was current when the IXFR started.
+ */
+
+static isc_result_t
+read_one_rr(dns_journal_t *j);
+
+/*
+ * Make sure the buffer 'b' is has at least 'size' bytes
+ * allocated, and clear it.
+ *
+ * Requires:
+ *	Either b->base is NULL, or it points to b->length bytes of memory
+ *	previously allocated by isc_mem_get().
+ */
+
+static isc_result_t
+size_buffer(isc_mem_t *mctx, isc_buffer_t *b, unsigned size) {
+	if (b->length < size) {
+		void *mem = isc_mem_get(mctx, size);
+		if (mem == NULL) {
+			return (ISC_R_NOMEMORY);
+		}
+		if (b->base != NULL) {
+			isc_mem_put(mctx, b->base, b->length);
+		}
+		b->base = mem;
+		b->length = size;
+	}
+	isc_buffer_clear(b);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_journal_iter_init(dns_journal_t *j, uint32_t begin_serial,
+		      uint32_t end_serial, size_t *xfrsizep) {
+	isc_result_t result;
+
+	CHECK(journal_find(j, begin_serial, &j->it.bpos));
+	INSIST(j->it.bpos.serial == begin_serial);
+
+	CHECK(journal_find(j, end_serial, &j->it.epos));
+	INSIST(j->it.epos.serial == end_serial);
+
+	if (xfrsizep != NULL) {
+		journal_pos_t pos = j->it.bpos;
+		journal_xhdr_t xhdr;
+		uint64_t size = 0;
+		uint32_t count = 0;
+
+		/*
+		 * We already know the beginning and ending serial
+		 * numbers are in the journal. Scan through them,
+		 * adding up sizes and RR counts so we can calculate
+		 * the IXFR size.
+		 */
+		do {
+			CHECK(journal_seek(j, pos.offset));
+			CHECK(journal_read_xhdr(j, &xhdr));
+
+			if (j->header_ver1) {
+				CHECK(maybe_fixup_xhdr(j, &xhdr, pos.serial,
+						       pos.offset));
+			}
+
+			/*
+			 * Check that xhdr is consistent.
+			 */
+			if (xhdr.serial0 != pos.serial ||
+			    isc_serial_le(xhdr.serial1, xhdr.serial0))
+			{
+				CHECK(ISC_R_UNEXPECTED);
+			}
+
+			size += xhdr.size;
+			count += xhdr.count;
+
+			result = journal_next(j, &pos);
+			if (result == ISC_R_NOMORE) {
+				result = ISC_R_SUCCESS;
+			}
+			CHECK(result);
+		} while (pos.serial != end_serial);
+
+		/*
+		 * For each RR, subtract the length of the RR header,
+		 * as this would not be present in IXFR messages.
+		 * (We don't need to worry about the transaction header
+		 * because that was already excluded from xdr.size.)
+		 */
+		*xfrsizep = size - (count * sizeof(journal_rawrrhdr_t));
+	}
+
+	result = ISC_R_SUCCESS;
+failure:
+	j->it.result = result;
+	return (j->it.result);
+}
+
+isc_result_t
+dns_journal_first_rr(dns_journal_t *j) {
+	isc_result_t result;
+
+	/*
+	 * Seek to the beginning of the first transaction we are
+	 * interested in.
+	 */
+	CHECK(journal_seek(j, j->it.bpos.offset));
+	j->it.current_serial = j->it.bpos.serial;
+
+	j->it.xsize = 0; /* We have no transaction data yet... */
+	j->it.xpos = 0;	 /* ...and haven't used any of it. */
+
+	return (read_one_rr(j));
+
+failure:
+	return (result);
+}
+
+static isc_result_t
+read_one_rr(dns_journal_t *j) {
+	isc_result_t result;
+	dns_rdatatype_t rdtype;
+	dns_rdataclass_t rdclass;
+	unsigned int rdlen;
+	uint32_t ttl;
+	journal_xhdr_t xhdr;
+	journal_rrhdr_t rrhdr;
+	dns_journal_t save = *j;
+
+	if (j->offset > j->it.epos.offset) {
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+			      "%s: journal corrupt: possible integer overflow",
+			      j->filename);
+		return (ISC_R_UNEXPECTED);
+	}
+	if (j->offset == j->it.epos.offset) {
+		return (ISC_R_NOMORE);
+	}
+	if (j->it.xpos == j->it.xsize) {
+		/*
+		 * We are at a transaction boundary.
+		 * Read another transaction header.
+		 */
+		CHECK(journal_read_xhdr(j, &xhdr));
+		if (xhdr.size == 0) {
+			isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+				      "%s: journal corrupt: empty transaction",
+				      j->filename);
+			FAIL(ISC_R_UNEXPECTED);
+		}
+
+		if (j->header_ver1) {
+			CHECK(maybe_fixup_xhdr(j, &xhdr, j->it.current_serial,
+					       save.offset));
+		}
+
+		if (xhdr.serial0 != j->it.current_serial ||
+		    isc_serial_le(xhdr.serial1, xhdr.serial0))
+		{
+			isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+				      "%s: journal file corrupt: "
+				      "expected serial %u, got %u",
+				      j->filename, j->it.current_serial,
+				      xhdr.serial0);
+			FAIL(ISC_R_UNEXPECTED);
+		}
+
+		j->it.xsize = xhdr.size;
+		j->it.xpos = 0;
+	}
+	/*
+	 * Read an RR.
+	 */
+	CHECK(journal_read_rrhdr(j, &rrhdr));
+	/*
+	 * Perform a sanity check on the journal RR size.
+	 * The smallest possible RR has a 1-byte owner name
+	 * and a 10-byte header.  The largest possible
+	 * RR has 65535 bytes of data, a header, and a maximum-
+	 * size owner name, well below 70 k total.
+	 */
+	if (rrhdr.size < 1 + 10 || rrhdr.size > 70000) {
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+			      "%s: journal corrupt: impossible RR size "
+			      "(%d bytes)",
+			      j->filename, rrhdr.size);
+		FAIL(ISC_R_UNEXPECTED);
+	}
+
+	CHECK(size_buffer(j->mctx, &j->it.source, rrhdr.size));
+	CHECK(journal_read(j, j->it.source.base, rrhdr.size));
+	isc_buffer_add(&j->it.source, rrhdr.size);
+
+	/*
+	 * The target buffer is made the same size
+	 * as the source buffer, with the assumption that when
+	 * no compression in present, the output of dns_*_fromwire()
+	 * is no larger than the input.
+	 */
+	CHECK(size_buffer(j->mctx, &j->it.target, rrhdr.size));
+
+	/*
+	 * Parse the owner name.  We don't know where it
+	 * ends yet, so we make the entire "remaining"
+	 * part of the buffer "active".
+	 */
+	isc_buffer_setactive(&j->it.source,
+			     j->it.source.used - j->it.source.current);
+	CHECK(dns_name_fromwire(&j->it.name, &j->it.source, &j->it.dctx, 0,
+				&j->it.target));
+
+	/*
+	 * Check that the RR header is there, and parse it.
+	 */
+	if (isc_buffer_remaininglength(&j->it.source) < 10) {
+		FAIL(DNS_R_FORMERR);
+	}
+
+	rdtype = isc_buffer_getuint16(&j->it.source);
+	rdclass = isc_buffer_getuint16(&j->it.source);
+	ttl = isc_buffer_getuint32(&j->it.source);
+	rdlen = isc_buffer_getuint16(&j->it.source);
+
+	if (rdlen > DNS_RDATA_MAXLENGTH) {
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+			      "%s: journal corrupt: impossible rdlen "
+			      "(%u bytes)",
+			      j->filename, rdlen);
+		FAIL(ISC_R_FAILURE);
+	}
+
+	/*
+	 * Parse the rdata.
+	 */
+	if (isc_buffer_remaininglength(&j->it.source) != rdlen) {
+		FAIL(DNS_R_FORMERR);
+	}
+	isc_buffer_setactive(&j->it.source, rdlen);
+	dns_rdata_reset(&j->it.rdata);
+	CHECK(dns_rdata_fromwire(&j->it.rdata, rdclass, rdtype, &j->it.source,
+				 &j->it.dctx, 0, &j->it.target));
+	j->it.ttl = ttl;
+
+	j->it.xpos += sizeof(journal_rawrrhdr_t) + rrhdr.size;
+	if (rdtype == dns_rdatatype_soa) {
+		/* XXX could do additional consistency checks here */
+		j->it.current_serial = dns_soa_getserial(&j->it.rdata);
+	}
+
+	result = ISC_R_SUCCESS;
+
+failure:
+	j->it.result = result;
+	return (result);
+}
+
+isc_result_t
+dns_journal_next_rr(dns_journal_t *j) {
+	j->it.result = read_one_rr(j);
+	return (j->it.result);
+}
+
+void
+dns_journal_current_rr(dns_journal_t *j, dns_name_t **name, uint32_t *ttl,
+		       dns_rdata_t **rdata) {
+	REQUIRE(j->it.result == ISC_R_SUCCESS);
+	*name = &j->it.name;
+	*ttl = j->it.ttl;
+	*rdata = &j->it.rdata;
+}
+
+/**************************************************************************/
+/*
+ * Generating diffs from databases
+ */
+
+/*
+ * Construct a diff containing all the RRs at the current name of the
+ * database iterator 'dbit' in database 'db', version 'ver'.
+ * Set '*name' to the current name, and append the diff to 'diff'.
+ * All new tuples will have the operation 'op'.
+ *
+ * Requires: 'name' must have buffer large enough to hold the name.
+ * Typically, a dns_fixedname_t would be used.
+ */
+static isc_result_t
+get_name_diff(dns_db_t *db, dns_dbversion_t *ver, isc_stdtime_t now,
+	      dns_dbiterator_t *dbit, dns_name_t *name, dns_diffop_t op,
+	      dns_diff_t *diff) {
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	dns_rdatasetiter_t *rdsiter = NULL;
+	dns_difftuple_t *tuple = NULL;
+
+	result = dns_dbiterator_current(dbit, &node, name);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = dns_db_allrdatasets(db, node, ver, 0, now, &rdsiter);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_node;
+	}
+
+	for (result = dns_rdatasetiter_first(rdsiter); result == ISC_R_SUCCESS;
+	     result = dns_rdatasetiter_next(rdsiter))
+	{
+		dns_rdataset_t rdataset;
+
+		dns_rdataset_init(&rdataset);
+		dns_rdatasetiter_current(rdsiter, &rdataset);
+
+		for (result = dns_rdataset_first(&rdataset);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&rdataset))
+		{
+			dns_rdata_t rdata = DNS_RDATA_INIT;
+			dns_rdataset_current(&rdataset, &rdata);
+			result = dns_difftuple_create(diff->mctx, op, name,
+						      rdataset.ttl, &rdata,
+						      &tuple);
+			if (result != ISC_R_SUCCESS) {
+				dns_rdataset_disassociate(&rdataset);
+				goto cleanup_iterator;
+			}
+			dns_diff_append(diff, &tuple);
+		}
+		dns_rdataset_disassociate(&rdataset);
+		if (result != ISC_R_NOMORE) {
+			goto cleanup_iterator;
+		}
+	}
+	if (result != ISC_R_NOMORE) {
+		goto cleanup_iterator;
+	}
+
+	result = ISC_R_SUCCESS;
+
+cleanup_iterator:
+	dns_rdatasetiter_destroy(&rdsiter);
+
+cleanup_node:
+	dns_db_detachnode(db, &node);
+
+	return (result);
+}
+
+/*
+ * Comparison function for use by dns_diff_subtract when sorting
+ * the diffs to be subtracted.  The sort keys are the rdata type
+ * and the rdata itself.  The owner name is ignored, because
+ * it is known to be the same for all tuples.
+ */
+static int
+rdata_order(const void *av, const void *bv) {
+	dns_difftuple_t const *const *ap = av;
+	dns_difftuple_t const *const *bp = bv;
+	dns_difftuple_t const *a = *ap;
+	dns_difftuple_t const *b = *bp;
+	int r;
+	r = (b->rdata.type - a->rdata.type);
+	if (r != 0) {
+		return (r);
+	}
+	r = dns_rdata_compare(&a->rdata, &b->rdata);
+	return (r);
+}
+
+static isc_result_t
+dns_diff_subtract(dns_diff_t diff[2], dns_diff_t *r) {
+	isc_result_t result;
+	dns_difftuple_t *p[2];
+	int i, t;
+	bool append;
+	dns_difftuplelist_t add, del;
+
+	CHECK(dns_diff_sort(&diff[0], rdata_order));
+	CHECK(dns_diff_sort(&diff[1], rdata_order));
+	ISC_LIST_INIT(add);
+	ISC_LIST_INIT(del);
+
+	for (;;) {
+		p[0] = ISC_LIST_HEAD(diff[0].tuples);
+		p[1] = ISC_LIST_HEAD(diff[1].tuples);
+		if (p[0] == NULL && p[1] == NULL) {
+			break;
+		}
+
+		for (i = 0; i < 2; i++) {
+			if (p[!i] == NULL) {
+				dns_difftuplelist_t *l = (i == 0) ? &add : &del;
+				ISC_LIST_UNLINK(diff[i].tuples, p[i], link);
+				ISC_LIST_APPEND(*l, p[i], link);
+				goto next;
+			}
+		}
+		t = rdata_order(&p[0], &p[1]);
+		if (t < 0) {
+			ISC_LIST_UNLINK(diff[0].tuples, p[0], link);
+			ISC_LIST_APPEND(add, p[0], link);
+			goto next;
+		}
+		if (t > 0) {
+			ISC_LIST_UNLINK(diff[1].tuples, p[1], link);
+			ISC_LIST_APPEND(del, p[1], link);
+			goto next;
+		}
+		INSIST(t == 0);
+		/*
+		 * Identical RRs in both databases; skip them both
+		 * if the ttl differs.
+		 */
+		append = (p[0]->ttl != p[1]->ttl);
+		for (i = 0; i < 2; i++) {
+			ISC_LIST_UNLINK(diff[i].tuples, p[i], link);
+			if (append) {
+				dns_difftuplelist_t *l = (i == 0) ? &add : &del;
+				ISC_LIST_APPEND(*l, p[i], link);
+			} else {
+				dns_difftuple_free(&p[i]);
+			}
+		}
+	next:;
+	}
+	ISC_LIST_APPENDLIST(r->tuples, del, link);
+	ISC_LIST_APPENDLIST(r->tuples, add, link);
+	result = ISC_R_SUCCESS;
+failure:
+	return (result);
+}
+
+static isc_result_t
+diff_namespace(dns_db_t *dba, dns_dbversion_t *dbvera, dns_db_t *dbb,
+	       dns_dbversion_t *dbverb, unsigned int options,
+	       dns_diff_t *resultdiff) {
+	dns_db_t *db[2];
+	dns_dbversion_t *ver[2];
+	dns_dbiterator_t *dbit[2] = { NULL, NULL };
+	bool have[2] = { false, false };
+	dns_fixedname_t fixname[2];
+	isc_result_t result, itresult[2];
+	dns_diff_t diff[2];
+	int i, t;
+
+	db[0] = dba, db[1] = dbb;
+	ver[0] = dbvera, ver[1] = dbverb;
+
+	dns_diff_init(resultdiff->mctx, &diff[0]);
+	dns_diff_init(resultdiff->mctx, &diff[1]);
+
+	dns_fixedname_init(&fixname[0]);
+	dns_fixedname_init(&fixname[1]);
+
+	result = dns_db_createiterator(db[0], options, &dbit[0]);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	result = dns_db_createiterator(db[1], options, &dbit[1]);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_iterator;
+	}
+
+	itresult[0] = dns_dbiterator_first(dbit[0]);
+	itresult[1] = dns_dbiterator_first(dbit[1]);
+
+	for (;;) {
+		for (i = 0; i < 2; i++) {
+			if (!have[i] && itresult[i] == ISC_R_SUCCESS) {
+				CHECK(get_name_diff(
+					db[i], ver[i], 0, dbit[i],
+					dns_fixedname_name(&fixname[i]),
+					i == 0 ? DNS_DIFFOP_ADD
+					       : DNS_DIFFOP_DEL,
+					&diff[i]));
+				itresult[i] = dns_dbiterator_next(dbit[i]);
+				have[i] = true;
+			}
+		}
+
+		if (!have[0] && !have[1]) {
+			INSIST(ISC_LIST_EMPTY(diff[0].tuples));
+			INSIST(ISC_LIST_EMPTY(diff[1].tuples));
+			break;
+		}
+
+		for (i = 0; i < 2; i++) {
+			if (!have[!i]) {
+				ISC_LIST_APPENDLIST(resultdiff->tuples,
+						    diff[i].tuples, link);
+				INSIST(ISC_LIST_EMPTY(diff[i].tuples));
+				have[i] = false;
+				goto next;
+			}
+		}
+
+		t = dns_name_compare(dns_fixedname_name(&fixname[0]),
+				     dns_fixedname_name(&fixname[1]));
+		if (t < 0) {
+			ISC_LIST_APPENDLIST(resultdiff->tuples, diff[0].tuples,
+					    link);
+			INSIST(ISC_LIST_EMPTY(diff[0].tuples));
+			have[0] = false;
+			continue;
+		}
+		if (t > 0) {
+			ISC_LIST_APPENDLIST(resultdiff->tuples, diff[1].tuples,
+					    link);
+			INSIST(ISC_LIST_EMPTY(diff[1].tuples));
+			have[1] = false;
+			continue;
+		}
+		INSIST(t == 0);
+		CHECK(dns_diff_subtract(diff, resultdiff));
+		INSIST(ISC_LIST_EMPTY(diff[0].tuples));
+		INSIST(ISC_LIST_EMPTY(diff[1].tuples));
+		have[0] = have[1] = false;
+	next:;
+	}
+	if (itresult[0] != ISC_R_NOMORE) {
+		FAIL(itresult[0]);
+	}
+	if (itresult[1] != ISC_R_NOMORE) {
+		FAIL(itresult[1]);
+	}
+
+	INSIST(ISC_LIST_EMPTY(diff[0].tuples));
+	INSIST(ISC_LIST_EMPTY(diff[1].tuples));
+
+failure:
+	dns_dbiterator_destroy(&dbit[1]);
+
+cleanup_iterator:
+	dns_dbiterator_destroy(&dbit[0]);
+	dns_diff_clear(&diff[0]);
+	dns_diff_clear(&diff[1]);
+	return (result);
+}
+
+/*
+ * Compare the databases 'dba' and 'dbb' and generate a journal
+ * entry containing the changes to make 'dba' from 'dbb' (note
+ * the order).  This journal entry will consist of a single,
+ * possibly very large transaction.
+ */
+isc_result_t
+dns_db_diff(isc_mem_t *mctx, dns_db_t *dba, dns_dbversion_t *dbvera,
+	    dns_db_t *dbb, dns_dbversion_t *dbverb, const char *filename) {
+	isc_result_t result;
+	dns_diff_t diff;
+
+	dns_diff_init(mctx, &diff);
+
+	result = dns_db_diffx(&diff, dba, dbvera, dbb, dbverb, filename);
+
+	dns_diff_clear(&diff);
+
+	return (result);
+}
+
+isc_result_t
+dns_db_diffx(dns_diff_t *diff, dns_db_t *dba, dns_dbversion_t *dbvera,
+	     dns_db_t *dbb, dns_dbversion_t *dbverb, const char *filename) {
+	isc_result_t result;
+	dns_journal_t *journal = NULL;
+
+	if (filename != NULL) {
+		result = dns_journal_open(diff->mctx, filename,
+					  DNS_JOURNAL_CREATE, &journal);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+
+	CHECK(diff_namespace(dba, dbvera, dbb, dbverb, DNS_DB_NONSEC3, diff));
+	CHECK(diff_namespace(dba, dbvera, dbb, dbverb, DNS_DB_NSEC3ONLY, diff));
+
+	if (journal != NULL) {
+		if (ISC_LIST_EMPTY(diff->tuples)) {
+			isc_log_write(JOURNAL_DEBUG_LOGARGS(3), "no changes");
+		} else {
+			CHECK(dns_journal_write_transaction(journal, diff));
+		}
+	}
+
+failure:
+	if (journal != NULL) {
+		dns_journal_destroy(&journal);
+	}
+	return (result);
+}
+
+static uint32_t
+rrcount(unsigned char *buf, unsigned int size) {
+	isc_buffer_t b;
+	uint32_t rrsize, count = 0;
+
+	isc_buffer_init(&b, buf, size);
+	isc_buffer_add(&b, size);
+	while (isc_buffer_remaininglength(&b) > 0) {
+		rrsize = isc_buffer_getuint32(&b);
+		INSIST(isc_buffer_remaininglength(&b) >= rrsize);
+		isc_buffer_forward(&b, rrsize);
+		count++;
+	}
+
+	return (count);
+}
+
+static bool
+check_delta(unsigned char *buf, size_t size) {
+	isc_buffer_t b;
+	uint32_t rrsize;
+
+	isc_buffer_init(&b, buf, size);
+	isc_buffer_add(&b, size);
+	while (isc_buffer_remaininglength(&b) > 0) {
+		if (isc_buffer_remaininglength(&b) < 4) {
+			return (false);
+		}
+		rrsize = isc_buffer_getuint32(&b);
+		/* "." + type + class + ttl + rdlen => 11U */
+		if (rrsize < 11U || isc_buffer_remaininglength(&b) < rrsize) {
+			return (false);
+		}
+		isc_buffer_forward(&b, rrsize);
+	}
+
+	return (true);
+}
+
+isc_result_t
+dns_journal_compact(isc_mem_t *mctx, char *filename, uint32_t serial,
+		    uint32_t flags, uint32_t target_size) {
+	unsigned int i;
+	journal_pos_t best_guess;
+	journal_pos_t current_pos;
+	dns_journal_t *j1 = NULL;
+	dns_journal_t *j2 = NULL;
+	journal_rawheader_t rawheader;
+	unsigned int len;
+	size_t namelen;
+	unsigned char *buf = NULL;
+	unsigned int size = 0;
+	isc_result_t result;
+	unsigned int indexend;
+	char newname[PATH_MAX];
+	char backup[PATH_MAX];
+	bool is_backup = false;
+	bool rewrite = false;
+	bool downgrade = false;
+
+	REQUIRE(filename != NULL);
+
+	namelen = strlen(filename);
+	if (namelen > 4U && strcmp(filename + namelen - 4, ".jnl") == 0) {
+		namelen -= 4;
+	}
+
+	result = snprintf(newname, sizeof(newname), "%.*s.jnw", (int)namelen,
+			  filename);
+	RUNTIME_CHECK(result < sizeof(newname));
+
+	result = snprintf(backup, sizeof(backup), "%.*s.jbk", (int)namelen,
+			  filename);
+	RUNTIME_CHECK(result < sizeof(backup));
+
+	result = journal_open(mctx, filename, false, false, false, &j1);
+	if (result == ISC_R_NOTFOUND) {
+		is_backup = true;
+		result = journal_open(mctx, backup, false, false, false, &j1);
+	}
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	/*
+	 * Always perform a re-write when processing a version 1 journal.
+	 */
+	rewrite = j1->header_ver1;
+
+	/*
+	 * Check whether we need to rewrite the whole journal
+	 * file (for example, to upversion it).
+	 */
+	if ((flags & DNS_JOURNAL_COMPACTALL) != 0) {
+		if ((flags & DNS_JOURNAL_VERSION1) != 0) {
+			downgrade = true;
+		}
+		rewrite = true;
+		serial = dns_journal_first_serial(j1);
+	} else if (JOURNAL_EMPTY(&j1->header)) {
+		dns_journal_destroy(&j1);
+		return (ISC_R_SUCCESS);
+	}
+
+	if (DNS_SERIAL_GT(j1->header.begin.serial, serial) ||
+	    DNS_SERIAL_GT(serial, j1->header.end.serial))
+	{
+		dns_journal_destroy(&j1);
+		return (ISC_R_RANGE);
+	}
+
+	/*
+	 * Cope with very small target sizes.
+	 */
+	indexend = sizeof(journal_rawheader_t) +
+		   j1->header.index_size * sizeof(journal_rawpos_t);
+	if (target_size < DNS_JOURNAL_SIZE_MIN) {
+		target_size = DNS_JOURNAL_SIZE_MIN;
+	}
+	if (target_size < indexend * 2) {
+		target_size = target_size / 2 + indexend;
+	}
+
+	/*
+	 * See if there is any work to do.
+	 */
+	if (!rewrite && (uint32_t)j1->header.end.offset < target_size) {
+		dns_journal_destroy(&j1);
+		return (ISC_R_SUCCESS);
+	}
+
+	CHECK(journal_open(mctx, newname, true, true, downgrade, &j2));
+	CHECK(journal_seek(j2, indexend));
+
+	/*
+	 * Remove overhead so space test below can succeed.
+	 */
+	if (target_size >= indexend) {
+		target_size -= indexend;
+	}
+
+	/*
+	 * Find if we can create enough free space.
+	 */
+	best_guess = j1->header.begin;
+	for (i = 0; i < j1->header.index_size; i++) {
+		if (POS_VALID(j1->index[i]) &&
+		    DNS_SERIAL_GE(serial, j1->index[i].serial) &&
+		    ((uint32_t)(j1->header.end.offset - j1->index[i].offset) >=
+		     target_size / 2) &&
+		    j1->index[i].offset > best_guess.offset)
+		{
+			best_guess = j1->index[i];
+		}
+	}
+
+	current_pos = best_guess;
+	while (current_pos.serial != serial) {
+		CHECK(journal_next(j1, &current_pos));
+		if (current_pos.serial == j1->header.end.serial) {
+			break;
+		}
+
+		if (DNS_SERIAL_GE(serial, current_pos.serial) &&
+		    ((uint32_t)(j1->header.end.offset - current_pos.offset) >=
+		     (target_size / 2)) &&
+		    current_pos.offset > best_guess.offset)
+		{
+			best_guess = current_pos;
+		} else {
+			break;
+		}
+	}
+
+	INSIST(best_guess.serial != j1->header.end.serial);
+	if (best_guess.serial != serial) {
+		CHECK(journal_next(j1, &best_guess));
+		serial = best_guess.serial;
+	}
+
+	/*
+	 * We should now be roughly half target_size provided
+	 * we did not reach 'serial'.  If not we will just copy
+	 * all uncommitted deltas regardless of the size.
+	 */
+	len = j1->header.end.offset - best_guess.offset;
+	if (len != 0) {
+		CHECK(journal_seek(j1, best_guess.offset));
+
+		/* Prepare new header */
+		j2->header.begin.serial = best_guess.serial;
+		j2->header.begin.offset = indexend;
+		j2->header.sourceserial = j1->header.sourceserial;
+		j2->header.serialset = j1->header.serialset;
+		j2->header.end.serial = j1->header.end.serial;
+
+		/*
+		 * Only use this method if we're rewriting the
+		 * journal to fix outdated transaction headers;
+		 * otherwise we'll copy the whole journal without
+		 * parsing individual deltas below.
+		 */
+		while (rewrite && len > 0) {
+			journal_xhdr_t xhdr;
+			isc_offset_t offset = j1->offset;
+			uint32_t count;
+
+			result = journal_read_xhdr(j1, &xhdr);
+			if (rewrite && result == ISC_R_NOMORE) {
+				break;
+			}
+			CHECK(result);
+
+			size = xhdr.size;
+			if (size > len) {
+				isc_log_write(JOURNAL_COMMON_LOGARGS,
+					      ISC_LOG_ERROR,
+					      "%s: journal file corrupt, "
+					      "transaction too large",
+					      j1->filename);
+				CHECK(ISC_R_FAILURE);
+			}
+			buf = isc_mem_get(mctx, size);
+			result = journal_read(j1, buf, size);
+
+			/*
+			 * If we're repairing an outdated journal, the
+			 * xhdr format may be wrong.
+			 */
+			if (rewrite && (result != ISC_R_SUCCESS ||
+					!check_delta(buf, size)))
+			{
+				if (j1->xhdr_version == XHDR_VERSION2) {
+					/* XHDR_VERSION2 -> XHDR_VERSION1 */
+					j1->xhdr_version = XHDR_VERSION1;
+					CHECK(journal_seek(j1, offset));
+					CHECK(journal_read_xhdr(j1, &xhdr));
+				} else if (j1->xhdr_version == XHDR_VERSION1) {
+					/* XHDR_VERSION1 -> XHDR_VERSION2 */
+					j1->xhdr_version = XHDR_VERSION2;
+					CHECK(journal_seek(j1, offset));
+					CHECK(journal_read_xhdr(j1, &xhdr));
+				}
+
+				/* Check again */
+				isc_mem_put(mctx, buf, size);
+				size = xhdr.size;
+				if (size > len) {
+					isc_log_write(
+						JOURNAL_COMMON_LOGARGS,
+						ISC_LOG_ERROR,
+						"%s: journal file corrupt, "
+						"transaction too large",
+						j1->filename);
+					CHECK(ISC_R_FAILURE);
+				}
+				buf = isc_mem_get(mctx, size);
+				CHECK(journal_read(j1, buf, size));
+
+				if (!check_delta(buf, size)) {
+					CHECK(ISC_R_UNEXPECTED);
+				}
+			} else {
+				CHECK(result);
+			}
+
+			/*
+			 * Recover from incorrectly written transaction header.
+			 * The incorrect header was written as size, serial0,
+			 * serial1, and 0.  XHDR_VERSION2 is expecting size,
+			 * count, serial0, and serial1.
+			 */
+			if (j1->xhdr_version == XHDR_VERSION2 &&
+			    xhdr.count == serial && xhdr.serial1 == 0U &&
+			    isc_serial_gt(xhdr.serial0, xhdr.count))
+			{
+				xhdr.serial1 = xhdr.serial0;
+				xhdr.serial0 = xhdr.count;
+				xhdr.count = 0;
+			}
+
+			/*
+			 * Check that xhdr is consistent.
+			 */
+			if (xhdr.serial0 != serial ||
+			    isc_serial_le(xhdr.serial1, xhdr.serial0))
+			{
+				CHECK(ISC_R_UNEXPECTED);
+			}
+
+			/*
+			 * Extract record count from the transaction.  This
+			 * is needed when converting from XHDR_VERSION1 to
+			 * XHDR_VERSION2, and when recovering from an
+			 * incorrectly written XHDR_VERSION2.
+			 */
+			count = rrcount(buf, size);
+			CHECK(journal_write_xhdr(j2, xhdr.size, count,
+						 xhdr.serial0, xhdr.serial1));
+			CHECK(journal_write(j2, buf, size));
+
+			j2->header.end.offset = j2->offset;
+
+			serial = xhdr.serial1;
+
+			len = j1->header.end.offset - j1->offset;
+			isc_mem_put(mctx, buf, size);
+		}
+
+		/*
+		 * If we're not rewriting transaction headers, we can use
+		 * this faster method instead.
+		 */
+		if (!rewrite) {
+			size = ISC_MIN(64 * 1024, len);
+			buf = isc_mem_get(mctx, size);
+			for (i = 0; i < len; i += size) {
+				unsigned int blob = ISC_MIN(size, len - i);
+				CHECK(journal_read(j1, buf, blob));
+				CHECK(journal_write(j2, buf, blob));
+			}
+
+			j2->header.end.offset = indexend + len;
+		}
+
+		CHECK(journal_fsync(j2));
+
+		/*
+		 * Update the journal header.
+		 */
+		journal_header_encode(&j2->header, &rawheader);
+		CHECK(journal_seek(j2, 0));
+		CHECK(journal_write(j2, &rawheader, sizeof(rawheader)));
+		CHECK(journal_fsync(j2));
+
+		/*
+		 * Build new index.
+		 */
+		current_pos = j2->header.begin;
+		while (current_pos.serial != j2->header.end.serial) {
+			index_add(j2, &current_pos);
+			CHECK(journal_next(j2, &current_pos));
+		}
+
+		/*
+		 * Write index.
+		 */
+		CHECK(index_to_disk(j2));
+		CHECK(journal_fsync(j2));
+
+		indexend = j2->header.end.offset;
+		POST(indexend);
+	}
+
+	/*
+	 * Close both journals before trying to rename files (this is
+	 * necessary on WIN32).
+	 */
+	dns_journal_destroy(&j1);
+	dns_journal_destroy(&j2);
+
+	/*
+	 * With a UFS file system this should just succeed and be atomic.
+	 * Any IXFR outs will just continue and the old journal will be
+	 * removed on final close.
+	 *
+	 * With MSDOS / NTFS we need to do a two stage rename, triggered
+	 * by EEXIST.  (If any IXFR's are running in other threads, however,
+	 * this will fail, and the journal will not be compacted.  But
+	 * if so, hopefully they'll be finished by the next time we
+	 * compact.)
+	 */
+	if (rename(newname, filename) == -1) {
+		if (errno == EEXIST && !is_backup) {
+			result = isc_file_remove(backup);
+			if (result != ISC_R_SUCCESS &&
+			    result != ISC_R_FILENOTFOUND)
+			{
+				goto failure;
+			}
+			if (rename(filename, backup) == -1) {
+				goto maperrno;
+			}
+			if (rename(newname, filename) == -1) {
+				goto maperrno;
+			}
+			(void)isc_file_remove(backup);
+		} else {
+		maperrno:
+			result = ISC_R_FAILURE;
+			goto failure;
+		}
+	}
+
+	result = ISC_R_SUCCESS;
+
+failure:
+	(void)isc_file_remove(newname);
+	if (buf != NULL) {
+		isc_mem_put(mctx, buf, size);
+	}
+	if (j1 != NULL) {
+		dns_journal_destroy(&j1);
+	}
+	if (j2 != NULL) {
+		dns_journal_destroy(&j2);
+	}
+	return (result);
+}
+
+static isc_result_t
+index_to_disk(dns_journal_t *j) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	if (j->header.index_size != 0) {
+		unsigned int i;
+		unsigned char *p;
+		unsigned int rawbytes;
+
+		rawbytes = j->header.index_size * sizeof(journal_rawpos_t);
+
+		p = j->rawindex;
+		for (i = 0; i < j->header.index_size; i++) {
+			encode_uint32(j->index[i].serial, p);
+			p += 4;
+			encode_uint32(j->index[i].offset, p);
+			p += 4;
+		}
+		INSIST(p == j->rawindex + rawbytes);
+
+		CHECK(journal_seek(j, sizeof(journal_rawheader_t)));
+		CHECK(journal_write(j, j->rawindex, rawbytes));
+	}
+failure:
+	return (result);
+}
diff --git a/lib/dns/kasp.c b/lib/dns/kasp.c
new file mode 100644
index 0000000..09c6810
--- /dev/null
+++ b/lib/dns/kasp.c
@@ -0,0 +1,527 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <string.h>
+
+#include <isc/assertions.h>
+#include <isc/buffer.h>
+#include <isc/file.h>
+#include <isc/hex.h>
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/util.h>
+
+#include <dns/kasp.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+
+isc_result_t
+dns_kasp_create(isc_mem_t *mctx, const char *name, dns_kasp_t **kaspp) {
+	dns_kasp_t *kasp;
+
+	REQUIRE(name != NULL);
+	REQUIRE(kaspp != NULL && *kaspp == NULL);
+
+	kasp = isc_mem_get(mctx, sizeof(*kasp));
+	kasp->mctx = NULL;
+	isc_mem_attach(mctx, &kasp->mctx);
+
+	kasp->name = isc_mem_strdup(mctx, name);
+	isc_mutex_init(&kasp->lock);
+	kasp->frozen = false;
+
+	isc_refcount_init(&kasp->references, 1);
+
+	ISC_LINK_INIT(kasp, link);
+
+	kasp->signatures_refresh = DNS_KASP_SIG_REFRESH;
+	kasp->signatures_validity = DNS_KASP_SIG_VALIDITY;
+	kasp->signatures_validity_dnskey = DNS_KASP_SIG_VALIDITY_DNSKEY;
+
+	ISC_LIST_INIT(kasp->keys);
+
+	kasp->dnskey_ttl = DNS_KASP_KEY_TTL;
+	kasp->publish_safety = DNS_KASP_PUBLISH_SAFETY;
+	kasp->retire_safety = DNS_KASP_RETIRE_SAFETY;
+	kasp->purge_keys = DNS_KASP_PURGE_KEYS;
+
+	kasp->zone_max_ttl = DNS_KASP_ZONE_MAXTTL;
+	kasp->zone_propagation_delay = DNS_KASP_ZONE_PROPDELAY;
+
+	kasp->parent_ds_ttl = DNS_KASP_DS_TTL;
+	kasp->parent_propagation_delay = DNS_KASP_PARENT_PROPDELAY;
+
+	kasp->nsec3 = false;
+
+	kasp->magic = DNS_KASP_MAGIC;
+	*kaspp = kasp;
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_kasp_attach(dns_kasp_t *source, dns_kasp_t **targetp) {
+	REQUIRE(DNS_KASP_VALID(source));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	isc_refcount_increment(&source->references);
+	*targetp = source;
+}
+
+static void
+destroy(dns_kasp_t *kasp) {
+	dns_kasp_key_t *key;
+	dns_kasp_key_t *key_next;
+
+	REQUIRE(!ISC_LINK_LINKED(kasp, link));
+
+	for (key = ISC_LIST_HEAD(kasp->keys); key != NULL; key = key_next) {
+		key_next = ISC_LIST_NEXT(key, link);
+		ISC_LIST_UNLINK(kasp->keys, key, link);
+		dns_kasp_key_destroy(key);
+	}
+	INSIST(ISC_LIST_EMPTY(kasp->keys));
+
+	isc_mutex_destroy(&kasp->lock);
+	isc_mem_free(kasp->mctx, kasp->name);
+	isc_mem_putanddetach(&kasp->mctx, kasp, sizeof(*kasp));
+}
+
+void
+dns_kasp_detach(dns_kasp_t **kaspp) {
+	REQUIRE(kaspp != NULL && DNS_KASP_VALID(*kaspp));
+
+	dns_kasp_t *kasp = *kaspp;
+	*kaspp = NULL;
+
+	if (isc_refcount_decrement(&kasp->references) == 1) {
+		destroy(kasp);
+	}
+}
+
+const char *
+dns_kasp_getname(dns_kasp_t *kasp) {
+	REQUIRE(DNS_KASP_VALID(kasp));
+
+	return (kasp->name);
+}
+
+void
+dns_kasp_freeze(dns_kasp_t *kasp) {
+	REQUIRE(DNS_KASP_VALID(kasp));
+	REQUIRE(!kasp->frozen);
+
+	kasp->frozen = true;
+}
+
+void
+dns_kasp_thaw(dns_kasp_t *kasp) {
+	REQUIRE(DNS_KASP_VALID(kasp));
+	REQUIRE(kasp->frozen);
+
+	kasp->frozen = false;
+}
+
+uint32_t
+dns_kasp_signdelay(dns_kasp_t *kasp) {
+	REQUIRE(DNS_KASP_VALID(kasp));
+	REQUIRE(kasp->frozen);
+
+	return (kasp->signatures_validity - kasp->signatures_refresh);
+}
+
+uint32_t
+dns_kasp_sigrefresh(dns_kasp_t *kasp) {
+	REQUIRE(DNS_KASP_VALID(kasp));
+	REQUIRE(kasp->frozen);
+
+	return (kasp->signatures_refresh);
+}
+
+void
+dns_kasp_setsigrefresh(dns_kasp_t *kasp, uint32_t value) {
+	REQUIRE(DNS_KASP_VALID(kasp));
+	REQUIRE(!kasp->frozen);
+
+	kasp->signatures_refresh = value;
+}
+
+uint32_t
+dns_kasp_sigvalidity(dns_kasp_t *kasp) {
+	REQUIRE(DNS_KASP_VALID(kasp));
+	REQUIRE(kasp->frozen);
+
+	return (kasp->signatures_validity);
+}
+
+void
+dns_kasp_setsigvalidity(dns_kasp_t *kasp, uint32_t value) {
+	REQUIRE(DNS_KASP_VALID(kasp));
+	REQUIRE(!kasp->frozen);
+
+	kasp->signatures_validity = value;
+}
+
+uint32_t
+dns_kasp_sigvalidity_dnskey(dns_kasp_t *kasp) {
+	REQUIRE(DNS_KASP_VALID(kasp));
+	REQUIRE(kasp->frozen);
+
+	return (kasp->signatures_validity_dnskey);
+}
+
+void
+dns_kasp_setsigvalidity_dnskey(dns_kasp_t *kasp, uint32_t value) {
+	REQUIRE(DNS_KASP_VALID(kasp));
+	REQUIRE(!kasp->frozen);
+
+	kasp->signatures_validity_dnskey = value;
+}
+
+dns_ttl_t
+dns_kasp_dnskeyttl(dns_kasp_t *kasp) {
+	REQUIRE(DNS_KASP_VALID(kasp));
+	REQUIRE(kasp->frozen);
+
+	return (kasp->dnskey_ttl);
+}
+
+void
+dns_kasp_setdnskeyttl(dns_kasp_t *kasp, dns_ttl_t ttl) {
+	REQUIRE(DNS_KASP_VALID(kasp));
+	REQUIRE(!kasp->frozen);
+
+	kasp->dnskey_ttl = ttl;
+}
+
+uint32_t
+dns_kasp_purgekeys(dns_kasp_t *kasp) {
+	REQUIRE(DNS_KASP_VALID(kasp));
+	REQUIRE(kasp->frozen);
+
+	return (kasp->purge_keys);
+}
+
+void
+dns_kasp_setpurgekeys(dns_kasp_t *kasp, uint32_t value) {
+	REQUIRE(DNS_KASP_VALID(kasp));
+	REQUIRE(!kasp->frozen);
+
+	kasp->purge_keys = value;
+}
+
+uint32_t
+dns_kasp_publishsafety(dns_kasp_t *kasp) {
+	REQUIRE(DNS_KASP_VALID(kasp));
+	REQUIRE(kasp->frozen);
+
+	return (kasp->publish_safety);
+}
+
+void
+dns_kasp_setpublishsafety(dns_kasp_t *kasp, uint32_t value) {
+	REQUIRE(DNS_KASP_VALID(kasp));
+	REQUIRE(!kasp->frozen);
+
+	kasp->publish_safety = value;
+}
+
+uint32_t
+dns_kasp_retiresafety(dns_kasp_t *kasp) {
+	REQUIRE(DNS_KASP_VALID(kasp));
+	REQUIRE(kasp->frozen);
+
+	return (kasp->retire_safety);
+}
+
+void
+dns_kasp_setretiresafety(dns_kasp_t *kasp, uint32_t value) {
+	REQUIRE(DNS_KASP_VALID(kasp));
+	REQUIRE(!kasp->frozen);
+
+	kasp->retire_safety = value;
+}
+
+dns_ttl_t
+dns_kasp_zonemaxttl(dns_kasp_t *kasp) {
+	REQUIRE(DNS_KASP_VALID(kasp));
+	REQUIRE(kasp->frozen);
+
+	return (kasp->zone_max_ttl);
+}
+
+void
+dns_kasp_setzonemaxttl(dns_kasp_t *kasp, dns_ttl_t ttl) {
+	REQUIRE(DNS_KASP_VALID(kasp));
+	REQUIRE(!kasp->frozen);
+
+	kasp->zone_max_ttl = ttl;
+}
+
+uint32_t
+dns_kasp_zonepropagationdelay(dns_kasp_t *kasp) {
+	REQUIRE(DNS_KASP_VALID(kasp));
+	REQUIRE(kasp->frozen);
+
+	return (kasp->zone_propagation_delay);
+}
+
+void
+dns_kasp_setzonepropagationdelay(dns_kasp_t *kasp, uint32_t value) {
+	REQUIRE(DNS_KASP_VALID(kasp));
+	REQUIRE(!kasp->frozen);
+
+	kasp->zone_propagation_delay = value;
+}
+
+dns_ttl_t
+dns_kasp_dsttl(dns_kasp_t *kasp) {
+	REQUIRE(DNS_KASP_VALID(kasp));
+	REQUIRE(kasp->frozen);
+
+	return (kasp->parent_ds_ttl);
+}
+
+void
+dns_kasp_setdsttl(dns_kasp_t *kasp, dns_ttl_t ttl) {
+	REQUIRE(DNS_KASP_VALID(kasp));
+	REQUIRE(!kasp->frozen);
+
+	kasp->parent_ds_ttl = ttl;
+}
+
+uint32_t
+dns_kasp_parentpropagationdelay(dns_kasp_t *kasp) {
+	REQUIRE(DNS_KASP_VALID(kasp));
+	REQUIRE(kasp->frozen);
+
+	return (kasp->parent_propagation_delay);
+}
+
+void
+dns_kasp_setparentpropagationdelay(dns_kasp_t *kasp, uint32_t value) {
+	REQUIRE(DNS_KASP_VALID(kasp));
+	REQUIRE(!kasp->frozen);
+
+	kasp->parent_propagation_delay = value;
+}
+
+isc_result_t
+dns_kasplist_find(dns_kasplist_t *list, const char *name, dns_kasp_t **kaspp) {
+	dns_kasp_t *kasp = NULL;
+
+	REQUIRE(kaspp != NULL && *kaspp == NULL);
+
+	if (list == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	for (kasp = ISC_LIST_HEAD(*list); kasp != NULL;
+	     kasp = ISC_LIST_NEXT(kasp, link))
+	{
+		if (strcmp(kasp->name, name) == 0) {
+			break;
+		}
+	}
+
+	if (kasp == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	dns_kasp_attach(kasp, kaspp);
+	return (ISC_R_SUCCESS);
+}
+
+dns_kasp_keylist_t
+dns_kasp_keys(dns_kasp_t *kasp) {
+	REQUIRE(DNS_KASP_VALID(kasp));
+	REQUIRE(kasp->frozen);
+
+	return (kasp->keys);
+}
+
+bool
+dns_kasp_keylist_empty(dns_kasp_t *kasp) {
+	REQUIRE(DNS_KASP_VALID(kasp));
+
+	return (ISC_LIST_EMPTY(kasp->keys));
+}
+
+void
+dns_kasp_addkey(dns_kasp_t *kasp, dns_kasp_key_t *key) {
+	REQUIRE(DNS_KASP_VALID(kasp));
+	REQUIRE(!kasp->frozen);
+	REQUIRE(key != NULL);
+
+	ISC_LIST_APPEND(kasp->keys, key, link);
+}
+
+isc_result_t
+dns_kasp_key_create(dns_kasp_t *kasp, dns_kasp_key_t **keyp) {
+	dns_kasp_key_t *key;
+
+	REQUIRE(DNS_KASP_VALID(kasp));
+	REQUIRE(keyp != NULL && *keyp == NULL);
+
+	key = isc_mem_get(kasp->mctx, sizeof(*key));
+	key->mctx = NULL;
+	isc_mem_attach(kasp->mctx, &key->mctx);
+
+	ISC_LINK_INIT(key, link);
+
+	key->lifetime = 0;
+	key->algorithm = 0;
+	key->length = -1;
+	key->role = 0;
+	*keyp = key;
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_kasp_key_destroy(dns_kasp_key_t *key) {
+	REQUIRE(key != NULL);
+
+	isc_mem_putanddetach(&key->mctx, key, sizeof(*key));
+}
+
+uint32_t
+dns_kasp_key_algorithm(dns_kasp_key_t *key) {
+	REQUIRE(key != NULL);
+
+	return (key->algorithm);
+}
+
+unsigned int
+dns_kasp_key_size(dns_kasp_key_t *key) {
+	unsigned int size = 0;
+	unsigned int min = 0;
+
+	REQUIRE(key != NULL);
+
+	switch (key->algorithm) {
+	case DNS_KEYALG_RSASHA1:
+	case DNS_KEYALG_NSEC3RSASHA1:
+	case DNS_KEYALG_RSASHA256:
+	case DNS_KEYALG_RSASHA512:
+		min = (key->algorithm == DNS_KEYALG_RSASHA512) ? 1024 : 512;
+		if (key->length > -1) {
+			size = (unsigned int)key->length;
+			if (size < min) {
+				size = min;
+			}
+			if (size > 4096) {
+				size = 4096;
+			}
+		} else {
+			size = 2048;
+		}
+		break;
+	case DNS_KEYALG_ECDSA256:
+		size = 256;
+		break;
+	case DNS_KEYALG_ECDSA384:
+		size = 384;
+		break;
+	case DNS_KEYALG_ED25519:
+		size = 256;
+		break;
+	case DNS_KEYALG_ED448:
+		size = 456;
+		break;
+	default:
+		/* unsupported */
+		break;
+	}
+	return (size);
+}
+
+uint32_t
+dns_kasp_key_lifetime(dns_kasp_key_t *key) {
+	REQUIRE(key != NULL);
+
+	return (key->lifetime);
+}
+
+bool
+dns_kasp_key_ksk(dns_kasp_key_t *key) {
+	REQUIRE(key != NULL);
+
+	return (key->role & DNS_KASP_KEY_ROLE_KSK);
+}
+
+bool
+dns_kasp_key_zsk(dns_kasp_key_t *key) {
+	REQUIRE(key != NULL);
+
+	return (key->role & DNS_KASP_KEY_ROLE_ZSK);
+}
+
+uint8_t
+dns_kasp_nsec3iter(dns_kasp_t *kasp) {
+	REQUIRE(kasp != NULL);
+	REQUIRE(kasp->frozen);
+	REQUIRE(kasp->nsec3);
+
+	return (kasp->nsec3param.iterations);
+}
+
+uint8_t
+dns_kasp_nsec3flags(dns_kasp_t *kasp) {
+	REQUIRE(kasp != NULL);
+	REQUIRE(kasp->frozen);
+	REQUIRE(kasp->nsec3);
+
+	if (kasp->nsec3param.optout) {
+		return (0x01);
+	}
+	return (0x00);
+}
+
+uint8_t
+dns_kasp_nsec3saltlen(dns_kasp_t *kasp) {
+	REQUIRE(kasp != NULL);
+	REQUIRE(kasp->frozen);
+	REQUIRE(kasp->nsec3);
+
+	return (kasp->nsec3param.saltlen);
+}
+
+bool
+dns_kasp_nsec3(dns_kasp_t *kasp) {
+	REQUIRE(kasp != NULL);
+	REQUIRE(kasp->frozen);
+
+	return kasp->nsec3;
+}
+
+void
+dns_kasp_setnsec3(dns_kasp_t *kasp, bool nsec3) {
+	REQUIRE(kasp != NULL);
+	REQUIRE(!kasp->frozen);
+
+	kasp->nsec3 = nsec3;
+}
+
+void
+dns_kasp_setnsec3param(dns_kasp_t *kasp, uint8_t iter, bool optout,
+		       uint8_t saltlen) {
+	REQUIRE(kasp != NULL);
+	REQUIRE(!kasp->frozen);
+	REQUIRE(kasp->nsec3);
+
+	kasp->nsec3param.iterations = iter;
+	kasp->nsec3param.optout = optout;
+	kasp->nsec3param.saltlen = saltlen;
+}
diff --git a/lib/dns/key.c b/lib/dns/key.c
new file mode 100644
index 0000000..7d4f378
--- /dev/null
+++ b/lib/dns/key.c
@@ -0,0 +1,192 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdlib.h>
+
+#include <isc/region.h>
+#include <isc/util.h>
+
+#include <dns/keyvalues.h>
+
+#include <dst/dst.h>
+
+#include "dst_internal.h"
+
+uint16_t
+dst_region_computeid(const isc_region_t *source) {
+	uint32_t ac;
+	const unsigned char *p;
+	int size;
+
+	REQUIRE(source != NULL);
+	REQUIRE(source->length >= 4);
+
+	p = source->base;
+	size = source->length;
+
+	for (ac = 0; size > 1; size -= 2, p += 2) {
+		ac += ((*p) << 8) + *(p + 1);
+	}
+
+	if (size > 0) {
+		ac += ((*p) << 8);
+	}
+	ac += (ac >> 16) & 0xffff;
+
+	return ((uint16_t)(ac & 0xffff));
+}
+
+uint16_t
+dst_region_computerid(const isc_region_t *source) {
+	uint32_t ac;
+	const unsigned char *p;
+	int size;
+
+	REQUIRE(source != NULL);
+	REQUIRE(source->length >= 4);
+
+	p = source->base;
+	size = source->length;
+
+	ac = ((*p) << 8) + *(p + 1);
+	ac |= DNS_KEYFLAG_REVOKE;
+	for (size -= 2, p += 2; size > 1; size -= 2, p += 2) {
+		ac += ((*p) << 8) + *(p + 1);
+	}
+
+	if (size > 0) {
+		ac += ((*p) << 8);
+	}
+	ac += (ac >> 16) & 0xffff;
+
+	return ((uint16_t)(ac & 0xffff));
+}
+
+dns_name_t *
+dst_key_name(const dst_key_t *key) {
+	REQUIRE(VALID_KEY(key));
+	return (key->key_name);
+}
+
+unsigned int
+dst_key_size(const dst_key_t *key) {
+	REQUIRE(VALID_KEY(key));
+	return (key->key_size);
+}
+
+unsigned int
+dst_key_proto(const dst_key_t *key) {
+	REQUIRE(VALID_KEY(key));
+	return (key->key_proto);
+}
+
+unsigned int
+dst_key_alg(const dst_key_t *key) {
+	REQUIRE(VALID_KEY(key));
+	return (key->key_alg);
+}
+
+uint32_t
+dst_key_flags(const dst_key_t *key) {
+	REQUIRE(VALID_KEY(key));
+	return (key->key_flags);
+}
+
+dns_keytag_t
+dst_key_id(const dst_key_t *key) {
+	REQUIRE(VALID_KEY(key));
+	return (key->key_id);
+}
+
+dns_keytag_t
+dst_key_rid(const dst_key_t *key) {
+	REQUIRE(VALID_KEY(key));
+	return (key->key_rid);
+}
+
+dns_rdataclass_t
+dst_key_class(const dst_key_t *key) {
+	REQUIRE(VALID_KEY(key));
+	return (key->key_class);
+}
+
+bool
+dst_key_iszonekey(const dst_key_t *key) {
+	REQUIRE(VALID_KEY(key));
+
+	if ((key->key_flags & DNS_KEYTYPE_NOAUTH) != 0) {
+		return (false);
+	}
+	if ((key->key_flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE) {
+		return (false);
+	}
+	if (key->key_proto != DNS_KEYPROTO_DNSSEC &&
+	    key->key_proto != DNS_KEYPROTO_ANY)
+	{
+		return (false);
+	}
+	return (true);
+}
+
+bool
+dst_key_isnullkey(const dst_key_t *key) {
+	REQUIRE(VALID_KEY(key));
+
+	if ((key->key_flags & DNS_KEYFLAG_TYPEMASK) != DNS_KEYTYPE_NOKEY) {
+		return (false);
+	}
+	if ((key->key_flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE) {
+		return (false);
+	}
+	if (key->key_proto != DNS_KEYPROTO_DNSSEC &&
+	    key->key_proto != DNS_KEYPROTO_ANY)
+	{
+		return (false);
+	}
+	return (true);
+}
+
+void
+dst_key_setbits(dst_key_t *key, uint16_t bits) {
+	unsigned int maxbits;
+	REQUIRE(VALID_KEY(key));
+	if (bits != 0) {
+		RUNTIME_CHECK(dst_key_sigsize(key, &maxbits) == ISC_R_SUCCESS);
+		maxbits *= 8;
+		REQUIRE(bits <= maxbits);
+	}
+	key->key_bits = bits;
+}
+
+uint16_t
+dst_key_getbits(const dst_key_t *key) {
+	REQUIRE(VALID_KEY(key));
+	return (key->key_bits);
+}
+
+void
+dst_key_setttl(dst_key_t *key, dns_ttl_t ttl) {
+	REQUIRE(VALID_KEY(key));
+	key->key_ttl = ttl;
+}
+
+dns_ttl_t
+dst_key_getttl(const dst_key_t *key) {
+	REQUIRE(VALID_KEY(key));
+	return (key->key_ttl);
+}
+
+/*! \file */
diff --git a/lib/dns/keydata.c b/lib/dns/keydata.c
new file mode 100644
index 0000000..c8e2d80
--- /dev/null
+++ b/lib/dns/keydata.c
@@ -0,0 +1,76 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+
+#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/keydata.h>
+#include <dns/rdata.h>
+#include <dns/rdatastruct.h>
+
+isc_result_t
+dns_keydata_todnskey(dns_rdata_keydata_t *keydata, dns_rdata_dnskey_t *dnskey,
+		     isc_mem_t *mctx) {
+	REQUIRE(keydata != NULL && dnskey != NULL);
+
+	dnskey->common.rdtype = dns_rdatatype_dnskey;
+	dnskey->common.rdclass = keydata->common.rdclass;
+	dnskey->mctx = mctx;
+	dnskey->flags = keydata->flags;
+	dnskey->protocol = keydata->protocol;
+	dnskey->algorithm = keydata->algorithm;
+
+	dnskey->datalen = keydata->datalen;
+
+	if (mctx == NULL) {
+		dnskey->data = keydata->data;
+	} else {
+		dnskey->data = isc_mem_allocate(mctx, dnskey->datalen);
+		memmove(dnskey->data, keydata->data, dnskey->datalen);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_keydata_fromdnskey(dns_rdata_keydata_t *keydata, dns_rdata_dnskey_t *dnskey,
+		       uint32_t refresh, uint32_t addhd, uint32_t removehd,
+		       isc_mem_t *mctx) {
+	REQUIRE(keydata != NULL && dnskey != NULL);
+
+	keydata->common.rdtype = dns_rdatatype_keydata;
+	keydata->common.rdclass = dnskey->common.rdclass;
+	keydata->mctx = mctx;
+	keydata->refresh = refresh;
+	keydata->addhd = addhd;
+	keydata->removehd = removehd;
+	keydata->flags = dnskey->flags;
+	keydata->protocol = dnskey->protocol;
+	keydata->algorithm = dnskey->algorithm;
+
+	keydata->datalen = dnskey->datalen;
+	if (mctx == NULL) {
+		keydata->data = dnskey->data;
+	} else {
+		keydata->data = isc_mem_allocate(mctx, keydata->datalen);
+		memmove(keydata->data, dnskey->data, keydata->datalen);
+	}
+
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c
new file mode 100644
index 0000000..fe0af0e
--- /dev/null
+++ b/lib/dns/keymgr.c
@@ -0,0 +1,2628 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#include <isc/buffer.h>
+#include <isc/dir.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/dnssec.h>
+#include <dns/kasp.h>
+#include <dns/keymgr.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/result.h>
+
+#include <dst/dst.h>
+#include <dst/result.h>
+
+#define RETERR(x)                            \
+	do {                                 \
+		result = (x);                \
+		if (result != ISC_R_SUCCESS) \
+			goto failure;        \
+	} while (0)
+
+/*
+ * Set key state to `target` state and change last changed
+ * to `time`, only if key state has not been set before.
+ */
+#define INITIALIZE_STATE(key, state, timing, target, time)                    \
+	do {                                                                  \
+		dst_key_state_t s;                                            \
+		if (dst_key_getstate((key), (state), &s) == ISC_R_NOTFOUND) { \
+			dst_key_setstate((key), (state), (target));           \
+			dst_key_settime((key), (timing), time);               \
+		}                                                             \
+	} while (0)
+
+/* Shorter keywords for better readability. */
+#define HIDDEN	    DST_KEY_STATE_HIDDEN
+#define RUMOURED    DST_KEY_STATE_RUMOURED
+#define OMNIPRESENT DST_KEY_STATE_OMNIPRESENT
+#define UNRETENTIVE DST_KEY_STATE_UNRETENTIVE
+#define NA	    DST_KEY_STATE_NA
+
+/* Quickly get key state timing metadata. */
+#define NUM_KEYSTATES (DST_MAX_KEYSTATES)
+static int keystatetimes[NUM_KEYSTATES] = { DST_TIME_DNSKEY, DST_TIME_ZRRSIG,
+					    DST_TIME_KRRSIG, DST_TIME_DS };
+/* Readable key state types and values. */
+static const char *keystatetags[NUM_KEYSTATES] = { "DNSKEY", "ZRRSIG", "KRRSIG",
+						   "DS" };
+static const char *keystatestrings[4] = { "HIDDEN", "RUMOURED", "OMNIPRESENT",
+					  "UNRETENTIVE" };
+
+/*
+ * Print key role.
+ *
+ */
+static const char *
+keymgr_keyrole(dst_key_t *key) {
+	bool ksk = false, zsk = false;
+	isc_result_t ret;
+	ret = dst_key_getbool(key, DST_BOOL_KSK, &ksk);
+	if (ret != ISC_R_SUCCESS) {
+		return ("UNKNOWN");
+	}
+	ret = dst_key_getbool(key, DST_BOOL_ZSK, &zsk);
+	if (ret != ISC_R_SUCCESS) {
+		return ("UNKNOWN");
+	}
+	if (ksk && zsk) {
+		return ("CSK");
+	} else if (ksk) {
+		return ("KSK");
+	} else if (zsk) {
+		return ("ZSK");
+	}
+	return ("NOSIGN");
+}
+
+/*
+ * Set the remove time on key given its retire time.
+ *
+ */
+static void
+keymgr_settime_remove(dns_dnsseckey_t *key, dns_kasp_t *kasp) {
+	isc_stdtime_t retire = 0, remove = 0, ksk_remove = 0, zsk_remove = 0;
+	bool zsk = false, ksk = false;
+	isc_result_t ret;
+
+	REQUIRE(key != NULL);
+	REQUIRE(key->key != NULL);
+
+	ret = dst_key_gettime(key->key, DST_TIME_INACTIVE, &retire);
+	if (ret != ISC_R_SUCCESS) {
+		return;
+	}
+
+	ret = dst_key_getbool(key->key, DST_BOOL_ZSK, &zsk);
+	if (ret == ISC_R_SUCCESS && zsk) {
+		/* ZSK: Iret = Dsgn + Dprp + TTLsig */
+		zsk_remove = retire + dns_kasp_zonemaxttl(kasp) +
+			     dns_kasp_zonepropagationdelay(kasp) +
+			     dns_kasp_retiresafety(kasp) +
+			     dns_kasp_signdelay(kasp);
+	}
+	ret = dst_key_getbool(key->key, DST_BOOL_KSK, &ksk);
+	if (ret == ISC_R_SUCCESS && ksk) {
+		/* KSK: Iret = DprpP + TTLds */
+		ksk_remove = retire + dns_kasp_dsttl(kasp) +
+			     dns_kasp_parentpropagationdelay(kasp) +
+			     dns_kasp_retiresafety(kasp);
+	}
+
+	remove = ksk_remove > zsk_remove ? ksk_remove : zsk_remove;
+	dst_key_settime(key->key, DST_TIME_DELETE, remove);
+}
+
+/*
+ * Set the SyncPublish time (when the DS may be submitted to the parent)
+ *
+ */
+static void
+keymgr_settime_syncpublish(dns_dnsseckey_t *key, dns_kasp_t *kasp, bool first) {
+	isc_stdtime_t published, syncpublish;
+	bool ksk = false;
+	isc_result_t ret;
+
+	REQUIRE(key != NULL);
+	REQUIRE(key->key != NULL);
+
+	ret = dst_key_gettime(key->key, DST_TIME_PUBLISH, &published);
+	if (ret != ISC_R_SUCCESS) {
+		return;
+	}
+
+	ret = dst_key_getbool(key->key, DST_BOOL_KSK, &ksk);
+	if (ret != ISC_R_SUCCESS || !ksk) {
+		return;
+	}
+
+	syncpublish = published + dst_key_getttl(key->key) +
+		      dns_kasp_zonepropagationdelay(kasp) +
+		      dns_kasp_publishsafety(kasp);
+	if (first) {
+		/* Also need to wait until the signatures are omnipresent. */
+		isc_stdtime_t zrrsig_present;
+		zrrsig_present = published + dns_kasp_zonemaxttl(kasp) +
+				 dns_kasp_zonepropagationdelay(kasp) +
+				 dns_kasp_publishsafety(kasp);
+		if (zrrsig_present > syncpublish) {
+			syncpublish = zrrsig_present;
+		}
+	}
+	dst_key_settime(key->key, DST_TIME_SYNCPUBLISH, syncpublish);
+}
+
+/*
+ * Calculate prepublication time of a successor key of 'key'.
+ * This function can have side effects:
+ * 1. If there is no active time set, which would be super weird, set it now.
+ * 2. If there is no published time set, also super weird, set it now.
+ * 3. If there is no syncpublished time set, set it now.
+ * 4. If the lifetime is not set, it will be set now.
+ * 5. If there should be a retire time and it is not set, it will be set now.
+ * 6. The removed time is adjusted accordingly.
+ *
+ * This returns when the successor key needs to be published in the zone.
+ * A special value of 0 means there is no need for a successor.
+ *
+ */
+static isc_stdtime_t
+keymgr_prepublication_time(dns_dnsseckey_t *key, dns_kasp_t *kasp,
+			   uint32_t lifetime, isc_stdtime_t now) {
+	isc_result_t ret;
+	isc_stdtime_t active, retire, pub, prepub;
+	bool zsk = false, ksk = false;
+
+	REQUIRE(key != NULL);
+	REQUIRE(key->key != NULL);
+
+	active = 0;
+	pub = 0;
+	retire = 0;
+
+	/*
+	 * An active key must have publish and activate timing
+	 * metadata.
+	 */
+	ret = dst_key_gettime(key->key, DST_TIME_ACTIVATE, &active);
+	if (ret != ISC_R_SUCCESS) {
+		/* Super weird, but if it happens, set it to now. */
+		dst_key_settime(key->key, DST_TIME_ACTIVATE, now);
+		active = now;
+	}
+	ret = dst_key_gettime(key->key, DST_TIME_PUBLISH, &pub);
+	if (ret != ISC_R_SUCCESS) {
+		/* Super weird, but if it happens, set it to now. */
+		dst_key_settime(key->key, DST_TIME_PUBLISH, now);
+		pub = now;
+	}
+
+	/*
+	 * Calculate prepublication time.
+	 */
+	prepub = dst_key_getttl(key->key) + dns_kasp_publishsafety(kasp) +
+		 dns_kasp_zonepropagationdelay(kasp);
+	ret = dst_key_getbool(key->key, DST_BOOL_KSK, &ksk);
+	if (ret == ISC_R_SUCCESS && ksk) {
+		isc_stdtime_t syncpub;
+
+		/*
+		 * Set PublishCDS if not set.
+		 */
+		ret = dst_key_gettime(key->key, DST_TIME_SYNCPUBLISH, &syncpub);
+		if (ret != ISC_R_SUCCESS) {
+			uint32_t tag;
+			isc_stdtime_t syncpub1, syncpub2;
+
+			syncpub1 = pub + prepub;
+			syncpub2 = 0;
+			ret = dst_key_getnum(key->key, DST_NUM_PREDECESSOR,
+					     &tag);
+			if (ret != ISC_R_SUCCESS) {
+				/*
+				 * No predecessor, wait for zone to be
+				 * completely signed.
+				 */
+				syncpub2 = pub + dns_kasp_zonemaxttl(kasp) +
+					   dns_kasp_publishsafety(kasp) +
+					   dns_kasp_zonepropagationdelay(kasp);
+			}
+
+			syncpub = syncpub1 > syncpub2 ? syncpub1 : syncpub2;
+			dst_key_settime(key->key, DST_TIME_SYNCPUBLISH,
+					syncpub);
+		}
+	}
+
+	/*
+	 * Not sure what to do when dst_key_getbool() fails here.  Extending
+	 * the prepublication time anyway is arguably the safest thing to do,
+	 * so ignore the result code.
+	 */
+	(void)dst_key_getbool(key->key, DST_BOOL_ZSK, &zsk);
+
+	ret = dst_key_gettime(key->key, DST_TIME_INACTIVE, &retire);
+	if (ret != ISC_R_SUCCESS) {
+		uint32_t klifetime = 0;
+
+		ret = dst_key_getnum(key->key, DST_NUM_LIFETIME, &klifetime);
+		if (ret != ISC_R_SUCCESS) {
+			dst_key_setnum(key->key, DST_NUM_LIFETIME, lifetime);
+			klifetime = lifetime;
+		}
+		if (klifetime == 0) {
+			/*
+			 * No inactive time and no lifetime,
+			 * so no need to start a rollover.
+			 */
+			return (0);
+		}
+
+		retire = active + klifetime;
+		dst_key_settime(key->key, DST_TIME_INACTIVE, retire);
+	}
+
+	/*
+	 * Update remove time.
+	 */
+	keymgr_settime_remove(key, kasp);
+
+	/*
+	 * Publish successor 'prepub' time before the 'retire' time of 'key'.
+	 */
+	if (prepub > retire) {
+		/* We should have already prepublished the new key. */
+		return (now);
+	}
+	return (retire - prepub);
+}
+
+static void
+keymgr_key_retire(dns_dnsseckey_t *key, dns_kasp_t *kasp, isc_stdtime_t now) {
+	char keystr[DST_KEY_FORMATSIZE];
+	isc_result_t ret;
+	isc_stdtime_t retire;
+	dst_key_state_t s;
+	bool ksk = false, zsk = false;
+
+	REQUIRE(key != NULL);
+	REQUIRE(key->key != NULL);
+
+	/* This key wants to retire and hide in a corner. */
+	ret = dst_key_gettime(key->key, DST_TIME_INACTIVE, &retire);
+	if (ret != ISC_R_SUCCESS || (retire > now)) {
+		dst_key_settime(key->key, DST_TIME_INACTIVE, now);
+	}
+	dst_key_setstate(key->key, DST_KEY_GOAL, HIDDEN);
+	keymgr_settime_remove(key, kasp);
+
+	/* This key may not have key states set yet. Pretend as if they are
+	 * in the OMNIPRESENT state.
+	 */
+	if (dst_key_getstate(key->key, DST_KEY_DNSKEY, &s) != ISC_R_SUCCESS) {
+		dst_key_setstate(key->key, DST_KEY_DNSKEY, OMNIPRESENT);
+		dst_key_settime(key->key, DST_TIME_DNSKEY, now);
+	}
+
+	ret = dst_key_getbool(key->key, DST_BOOL_KSK, &ksk);
+	if (ret == ISC_R_SUCCESS && ksk) {
+		if (dst_key_getstate(key->key, DST_KEY_KRRSIG, &s) !=
+		    ISC_R_SUCCESS)
+		{
+			dst_key_setstate(key->key, DST_KEY_KRRSIG, OMNIPRESENT);
+			dst_key_settime(key->key, DST_TIME_KRRSIG, now);
+		}
+		if (dst_key_getstate(key->key, DST_KEY_DS, &s) != ISC_R_SUCCESS)
+		{
+			dst_key_setstate(key->key, DST_KEY_DS, OMNIPRESENT);
+			dst_key_settime(key->key, DST_TIME_DS, now);
+		}
+	}
+	ret = dst_key_getbool(key->key, DST_BOOL_ZSK, &zsk);
+	if (ret == ISC_R_SUCCESS && zsk) {
+		if (dst_key_getstate(key->key, DST_KEY_ZRRSIG, &s) !=
+		    ISC_R_SUCCESS)
+		{
+			dst_key_setstate(key->key, DST_KEY_ZRRSIG, OMNIPRESENT);
+			dst_key_settime(key->key, DST_TIME_ZRRSIG, now);
+		}
+	}
+
+	dst_key_format(key->key, keystr, sizeof(keystr));
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC, DNS_LOGMODULE_DNSSEC,
+		      ISC_LOG_INFO, "keymgr: retire DNSKEY %s (%s)", keystr,
+		      keymgr_keyrole(key->key));
+}
+
+/*
+ * Check if a dnsseckey matches kasp key configuration.  A dnsseckey matches
+ * if it has the same algorithm and size, and if it has the same role as the
+ * kasp key configuration.
+ *
+ */
+static bool
+keymgr_dnsseckey_kaspkey_match(dns_dnsseckey_t *dkey, dns_kasp_key_t *kkey) {
+	dst_key_t *key;
+	isc_result_t ret;
+	bool role = false;
+
+	REQUIRE(dkey != NULL);
+	REQUIRE(kkey != NULL);
+
+	key = dkey->key;
+
+	/* Matching algorithms? */
+	if (dst_key_alg(key) != dns_kasp_key_algorithm(kkey)) {
+		return (false);
+	}
+	/* Matching length? */
+	if (dst_key_size(key) != dns_kasp_key_size(kkey)) {
+		return (false);
+	}
+	/* Matching role? */
+	ret = dst_key_getbool(key, DST_BOOL_KSK, &role);
+	if (ret != ISC_R_SUCCESS || role != dns_kasp_key_ksk(kkey)) {
+		return (false);
+	}
+	ret = dst_key_getbool(key, DST_BOOL_ZSK, &role);
+	if (ret != ISC_R_SUCCESS || role != dns_kasp_key_zsk(kkey)) {
+		return (false);
+	}
+
+	/* Found a match. */
+	return (true);
+}
+
+static bool
+keymgr_keyid_conflict(dst_key_t *newkey, dns_dnsseckeylist_t *keys) {
+	uint16_t id = dst_key_id(newkey);
+	uint32_t rid = dst_key_rid(newkey);
+	uint32_t alg = dst_key_alg(newkey);
+
+	for (dns_dnsseckey_t *dkey = ISC_LIST_HEAD(*keys); dkey != NULL;
+	     dkey = ISC_LIST_NEXT(dkey, link))
+	{
+		if (dst_key_alg(dkey->key) != alg) {
+			continue;
+		}
+		if (dst_key_id(dkey->key) == id ||
+		    dst_key_rid(dkey->key) == id ||
+		    dst_key_id(dkey->key) == rid ||
+		    dst_key_rid(dkey->key) == rid)
+		{
+			return (true);
+		}
+	}
+	return (false);
+}
+
+/*
+ * Create a new key for 'origin' given the kasp key configuration 'kkey'.
+ * This will check for key id collisions with keys in 'keylist'.
+ * The created key will be stored in 'dst_key'.
+ *
+ */
+static isc_result_t
+keymgr_createkey(dns_kasp_key_t *kkey, const dns_name_t *origin,
+		 dns_rdataclass_t rdclass, isc_mem_t *mctx,
+		 dns_dnsseckeylist_t *keylist, dns_dnsseckeylist_t *newkeys,
+		 dst_key_t **dst_key) {
+	bool conflict = false;
+	int keyflags = DNS_KEYOWNER_ZONE;
+	isc_result_t result = ISC_R_SUCCESS;
+	dst_key_t *newkey = NULL;
+
+	do {
+		uint32_t algo = dns_kasp_key_algorithm(kkey);
+		int size = dns_kasp_key_size(kkey);
+
+		if (dns_kasp_key_ksk(kkey)) {
+			keyflags |= DNS_KEYFLAG_KSK;
+		}
+		RETERR(dst_key_generate(origin, algo, size, 0, keyflags,
+					DNS_KEYPROTO_DNSSEC, rdclass, mctx,
+					&newkey, NULL));
+
+		/* Key collision? */
+		conflict = keymgr_keyid_conflict(newkey, keylist);
+		if (!conflict) {
+			conflict = keymgr_keyid_conflict(newkey, newkeys);
+		}
+		if (conflict) {
+			/* Try again. */
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+				      DNS_LOGMODULE_DNSSEC, ISC_LOG_WARNING,
+				      "keymgr: key collision id %d",
+				      dst_key_id(newkey));
+			dst_key_free(&newkey);
+		}
+	} while (conflict);
+
+	INSIST(!conflict);
+	dst_key_setnum(newkey, DST_NUM_LIFETIME, dns_kasp_key_lifetime(kkey));
+	dst_key_setbool(newkey, DST_BOOL_KSK, dns_kasp_key_ksk(kkey));
+	dst_key_setbool(newkey, DST_BOOL_ZSK, dns_kasp_key_zsk(kkey));
+	*dst_key = newkey;
+	return (ISC_R_SUCCESS);
+
+failure:
+	return (result);
+}
+
+/*
+ * Return the desired state for this record 'type'.  The desired state depends
+ * on whether the key wants to be active, or wants to retire.  This implements
+ * the edges of our state machine:
+ *
+ *            ---->  OMNIPRESENT  ----
+ *            |                      |
+ *            |                     \|/
+ *
+ *        RUMOURED     <---->   UNRETENTIVE
+ *
+ *           /|\                     |
+ *            |                      |
+ *            ----     HIDDEN    <----
+ *
+ * A key that wants to be active eventually wants to have its record types
+ * in the OMNIPRESENT state (that is, all resolvers that know about these
+ * type of records know about these records specifically).
+ *
+ * A key that wants to be retired eventually wants to have its record types
+ * in the HIDDEN state (that is, all resolvers that know about these type
+ * of records specifically don't know about these records).
+ *
+ */
+static dst_key_state_t
+keymgr_desiredstate(dns_dnsseckey_t *key, dst_key_state_t state) {
+	dst_key_state_t goal;
+
+	if (dst_key_getstate(key->key, DST_KEY_GOAL, &goal) != ISC_R_SUCCESS) {
+		/* No goal? No movement. */
+		return (state);
+	}
+
+	if (goal == HIDDEN) {
+		switch (state) {
+		case RUMOURED:
+		case OMNIPRESENT:
+			return (UNRETENTIVE);
+		case HIDDEN:
+		case UNRETENTIVE:
+			return (HIDDEN);
+		default:
+			return (state);
+		}
+	} else if (goal == OMNIPRESENT) {
+		switch (state) {
+		case RUMOURED:
+		case OMNIPRESENT:
+			return (OMNIPRESENT);
+		case HIDDEN:
+		case UNRETENTIVE:
+			return (RUMOURED);
+		default:
+			return (state);
+		}
+	}
+
+	/* Unknown goal. */
+	return (state);
+}
+
+/*
+ * Check if 'key' matches specific 'states'.
+ * A state in 'states' that is NA matches any state.
+ * A state in 'states' that is HIDDEN also matches if the state is not set.
+ * If 'next_state' is set (not NA), we are pretending as if record 'type' of
+ * 'subject' key already transitioned to the 'next state'.
+ *
+ */
+static bool
+keymgr_key_match_state(dst_key_t *key, dst_key_t *subject, int type,
+		       dst_key_state_t next_state,
+		       dst_key_state_t states[NUM_KEYSTATES]) {
+	REQUIRE(key != NULL);
+
+	for (int i = 0; i < NUM_KEYSTATES; i++) {
+		dst_key_state_t state;
+		if (states[i] == NA) {
+			continue;
+		}
+		if (next_state != NA && i == type &&
+		    dst_key_id(key) == dst_key_id(subject))
+		{
+			/* Check next state rather than current state. */
+			state = next_state;
+		} else if (dst_key_getstate(key, i, &state) != ISC_R_SUCCESS) {
+			/* This is fine only if expected state is HIDDEN. */
+			if (states[i] != HIDDEN) {
+				return (false);
+			}
+			continue;
+		}
+		if (state != states[i]) {
+			return (false);
+		}
+	}
+	/* Match. */
+	return (true);
+}
+
+/*
+ * Key d directly depends on k if d is the direct predecessor of k.
+ */
+static bool
+keymgr_direct_dep(dst_key_t *d, dst_key_t *k) {
+	uint32_t s, p;
+
+	if (dst_key_getnum(d, DST_NUM_SUCCESSOR, &s) != ISC_R_SUCCESS) {
+		return (false);
+	}
+	if (dst_key_getnum(k, DST_NUM_PREDECESSOR, &p) != ISC_R_SUCCESS) {
+		return (false);
+	}
+	return (dst_key_id(d) == p && dst_key_id(k) == s);
+}
+
+/*
+ * Determine which key (if any) has a dependency on k.
+ */
+static bool
+keymgr_dep(dst_key_t *k, dns_dnsseckeylist_t *keyring, uint32_t *dep) {
+	for (dns_dnsseckey_t *d = ISC_LIST_HEAD(*keyring); d != NULL;
+	     d = ISC_LIST_NEXT(d, link))
+	{
+		/*
+		 * Check if k is a direct successor of d, e.g. d depends on k.
+		 */
+		if (keymgr_direct_dep(d->key, k)) {
+			if (dep != NULL) {
+				*dep = dst_key_id(d->key);
+			}
+			return (true);
+		}
+	}
+	return (false);
+}
+
+/*
+ * Check if a 'z' is a successor of 'x'.
+ * This implements Equation(2) of "Flexible and Robust Key Rollover".
+ */
+static bool
+keymgr_key_is_successor(dst_key_t *x, dst_key_t *z, dst_key_t *key, int type,
+			dst_key_state_t next_state,
+			dns_dnsseckeylist_t *keyring) {
+	uint32_t dep_x;
+	uint32_t dep_z;
+
+	/*
+	 * The successor relation requires that the predecessor key must not
+	 * have any other keys relying on it. In other words, there must be
+	 * nothing depending on x.
+	 */
+	if (keymgr_dep(x, keyring, &dep_x)) {
+		return (false);
+	}
+
+	/*
+	 * If there is no keys relying on key z, then z is not a successor.
+	 */
+	if (!keymgr_dep(z, keyring, &dep_z)) {
+		return (false);
+	}
+
+	/*
+	 * x depends on z, thus key z is a direct successor of key x.
+	 */
+	if (dst_key_id(x) == dep_z) {
+		return (true);
+	}
+
+	/*
+	 * It is possible to roll keys faster than the time required to finish
+	 * the rollover procedure. For example, consider the keys x, y, z.
+	 * Key x is currently published and is going to be replaced by y. The
+	 * DNSKEY for x is removed from the zone and at the same moment the
+	 * DNSKEY for y is introduced. Key y is a direct dependency for key x
+	 * and is therefore the successor of x. However, before the new DNSKEY
+	 * has been propagated, key z will replace key y. The DNSKEY for y is
+	 * removed and moves into the same state as key x. Key y now directly
+	 * depends on key z, and key z will be a new successor key for x.
+	 */
+	dst_key_state_t zst[NUM_KEYSTATES] = { NA, NA, NA, NA };
+	for (int i = 0; i < NUM_KEYSTATES; i++) {
+		dst_key_state_t state;
+		if (dst_key_getstate(z, i, &state) != ISC_R_SUCCESS) {
+			continue;
+		}
+		zst[i] = state;
+	}
+
+	for (dns_dnsseckey_t *y = ISC_LIST_HEAD(*keyring); y != NULL;
+	     y = ISC_LIST_NEXT(y, link))
+	{
+		if (dst_key_id(y->key) == dst_key_id(z)) {
+			continue;
+		}
+
+		if (dst_key_id(y->key) != dep_z) {
+			continue;
+		}
+		/*
+		 * This is another key y, that depends on key z. It may be
+		 * part of the successor relation if the key states match
+		 * those of key z.
+		 */
+
+		if (keymgr_key_match_state(y->key, key, type, next_state, zst))
+		{
+			/*
+			 * If y is a successor of x, then z is also a
+			 * successor of x.
+			 */
+			return (keymgr_key_is_successor(x, y->key, key, type,
+							next_state, keyring));
+		}
+	}
+
+	return (false);
+}
+
+/*
+ * Check if a key exists in 'keyring' that matches 'states'.
+ *
+ * If 'match_algorithms', the key must also match the algorithm of 'key'.
+ * If 'next_state' is not NA, we are actually looking for a key as if
+ *   'key' already transitioned to the next state.
+ * If 'check_successor', we also want to make sure there is a successor
+ *   relationship with the found key that matches 'states2'.
+ */
+static bool
+keymgr_key_exists_with_state(dns_dnsseckeylist_t *keyring, dns_dnsseckey_t *key,
+			     int type, dst_key_state_t next_state,
+			     dst_key_state_t states[NUM_KEYSTATES],
+			     dst_key_state_t states2[NUM_KEYSTATES],
+			     bool check_successor, bool match_algorithms) {
+	for (dns_dnsseckey_t *dkey = ISC_LIST_HEAD(*keyring); dkey != NULL;
+	     dkey = ISC_LIST_NEXT(dkey, link))
+	{
+		if (match_algorithms &&
+		    (dst_key_alg(dkey->key) != dst_key_alg(key->key)))
+		{
+			continue;
+		}
+
+		if (!keymgr_key_match_state(dkey->key, key->key, type,
+					    next_state, states))
+		{
+			continue;
+		}
+
+		/* Found a match. */
+		if (!check_successor) {
+			return (true);
+		}
+
+		/*
+		 * We have to make sure that the key we are checking, also
+		 * has a successor relationship with another key.
+		 */
+		for (dns_dnsseckey_t *skey = ISC_LIST_HEAD(*keyring);
+		     skey != NULL; skey = ISC_LIST_NEXT(skey, link))
+		{
+			if (skey == dkey) {
+				continue;
+			}
+
+			if (!keymgr_key_match_state(skey->key, key->key, type,
+						    next_state, states2))
+			{
+				continue;
+			}
+
+			/*
+			 * Found a possible successor, check.
+			 */
+			if (keymgr_key_is_successor(dkey->key, skey->key,
+						    key->key, type, next_state,
+						    keyring))
+			{
+				return (true);
+			}
+		}
+	}
+	/* No match. */
+	return (false);
+}
+
+/*
+ * Check if a key has a successor.
+ */
+static bool
+keymgr_key_has_successor(dns_dnsseckey_t *predecessor,
+			 dns_dnsseckeylist_t *keyring) {
+	for (dns_dnsseckey_t *successor = ISC_LIST_HEAD(*keyring);
+	     successor != NULL; successor = ISC_LIST_NEXT(successor, link))
+	{
+		if (keymgr_direct_dep(predecessor->key, successor->key)) {
+			return (true);
+		}
+	}
+	return (false);
+}
+
+/*
+ * Check if all keys have their DS hidden.  If not, then there must be at
+ * least one key with an OMNIPRESENT DNSKEY.
+ *
+ * If 'next_state' is not NA, we are actually looking for a key as if
+ *   'key' already transitioned to the next state.
+ * If 'match_algorithms', only consider keys with same algorithm of 'key'.
+ *
+ */
+static bool
+keymgr_ds_hidden_or_chained(dns_dnsseckeylist_t *keyring, dns_dnsseckey_t *key,
+			    int type, dst_key_state_t next_state,
+			    bool match_algorithms, bool must_be_hidden) {
+	/* (3e) */
+	dst_key_state_t dnskey_chained[NUM_KEYSTATES] = { OMNIPRESENT, NA,
+							  OMNIPRESENT, NA };
+	dst_key_state_t ds_hidden[NUM_KEYSTATES] = { NA, NA, NA, HIDDEN };
+	/* successor n/a */
+	dst_key_state_t na[NUM_KEYSTATES] = { NA, NA, NA, NA };
+
+	for (dns_dnsseckey_t *dkey = ISC_LIST_HEAD(*keyring); dkey != NULL;
+	     dkey = ISC_LIST_NEXT(dkey, link))
+	{
+		if (match_algorithms &&
+		    (dst_key_alg(dkey->key) != dst_key_alg(key->key)))
+		{
+			continue;
+		}
+
+		if (keymgr_key_match_state(dkey->key, key->key, type,
+					   next_state, ds_hidden))
+		{
+			/* This key has its DS hidden. */
+			continue;
+		}
+
+		if (must_be_hidden) {
+			return (false);
+		}
+
+		/*
+		 * This key does not have its DS hidden. There must be at
+		 * least one key with the same algorithm that provides a
+		 * chain of trust (can be this key).
+		 */
+		if (keymgr_key_match_state(dkey->key, key->key, type,
+					   next_state, dnskey_chained))
+		{
+			/* This DNSKEY and KRRSIG are OMNIPRESENT. */
+			continue;
+		}
+
+		/*
+		 * Perhaps another key provides a chain of trust.
+		 */
+		dnskey_chained[DST_KEY_DS] = OMNIPRESENT;
+		if (!keymgr_key_exists_with_state(keyring, key, type,
+						  next_state, dnskey_chained,
+						  na, false, match_algorithms))
+		{
+			/* There is no chain of trust. */
+			return (false);
+		}
+	}
+	/* All good. */
+	return (true);
+}
+
+/*
+ * Check if all keys have their DNSKEY hidden.  If not, then there must be at
+ * least one key with an OMNIPRESENT ZRRSIG.
+ *
+ * If 'next_state' is not NA, we are actually looking for a key as if
+ *   'key' already transitioned to the next state.
+ * If 'match_algorithms', only consider keys with same algorithm of 'key'.
+ *
+ */
+static bool
+keymgr_dnskey_hidden_or_chained(dns_dnsseckeylist_t *keyring,
+				dns_dnsseckey_t *key, int type,
+				dst_key_state_t next_state,
+				bool match_algorithms) {
+	/* (3i) */
+	dst_key_state_t rrsig_chained[NUM_KEYSTATES] = { OMNIPRESENT,
+							 OMNIPRESENT, NA, NA };
+	dst_key_state_t dnskey_hidden[NUM_KEYSTATES] = { HIDDEN, NA, NA, NA };
+	/* successor n/a */
+	dst_key_state_t na[NUM_KEYSTATES] = { NA, NA, NA, NA };
+
+	for (dns_dnsseckey_t *dkey = ISC_LIST_HEAD(*keyring); dkey != NULL;
+	     dkey = ISC_LIST_NEXT(dkey, link))
+	{
+		if (match_algorithms &&
+		    (dst_key_alg(dkey->key) != dst_key_alg(key->key)))
+		{
+			continue;
+		}
+
+		if (keymgr_key_match_state(dkey->key, key->key, type,
+					   next_state, dnskey_hidden))
+		{
+			/* This key has its DNSKEY hidden. */
+			continue;
+		}
+
+		/*
+		 * This key does not have its DNSKEY hidden. There must be at
+		 * least one key with the same algorithm that has its RRSIG
+		 * records OMNIPRESENT.
+		 */
+		(void)dst_key_getstate(dkey->key, DST_KEY_DNSKEY,
+				       &rrsig_chained[DST_KEY_DNSKEY]);
+		if (!keymgr_key_exists_with_state(keyring, key, type,
+						  next_state, rrsig_chained, na,
+						  false, match_algorithms))
+		{
+			/* There is no chain of trust. */
+			return (false);
+		}
+	}
+	/* All good. */
+	return (true);
+}
+
+/*
+ * Check for existence of DS.
+ *
+ */
+static bool
+keymgr_have_ds(dns_dnsseckeylist_t *keyring, dns_dnsseckey_t *key, int type,
+	       dst_key_state_t next_state, bool secure_to_insecure) {
+	/* (3a) */
+	dst_key_state_t states[2][NUM_KEYSTATES] = {
+		/* DNSKEY, ZRRSIG, KRRSIG, DS */
+		{ NA, NA, NA, OMNIPRESENT }, /* DS present */
+		{ NA, NA, NA, RUMOURED }     /* DS introducing */
+	};
+	/* successor n/a */
+	dst_key_state_t na[NUM_KEYSTATES] = { NA, NA, NA, NA };
+
+	/*
+	 * Equation (3a):
+	 * There is a key with the DS in either RUMOURD or OMNIPRESENT state.
+	 */
+	return (keymgr_key_exists_with_state(keyring, key, type, next_state,
+					     states[0], na, false, false) ||
+		keymgr_key_exists_with_state(keyring, key, type, next_state,
+					     states[1], na, false, false) ||
+		(secure_to_insecure &&
+		 keymgr_key_exists_with_state(keyring, key, type, next_state,
+					      na, na, false, false)));
+}
+
+/*
+ * Check for existence of DNSKEY, or at least a good DNSKEY state.
+ * See equations what are good DNSKEY states.
+ *
+ */
+static bool
+keymgr_have_dnskey(dns_dnsseckeylist_t *keyring, dns_dnsseckey_t *key, int type,
+		   dst_key_state_t next_state) {
+	dst_key_state_t states[9][NUM_KEYSTATES] = {
+		/* DNSKEY,     ZRRSIG, KRRSIG,      DS */
+		{ OMNIPRESENT, NA, OMNIPRESENT, OMNIPRESENT }, /* (3b) */
+
+		{ OMNIPRESENT, NA, OMNIPRESENT, UNRETENTIVE }, /* (3c)p */
+		{ OMNIPRESENT, NA, OMNIPRESENT, RUMOURED },    /* (3c)s */
+
+		{ UNRETENTIVE, NA, UNRETENTIVE, OMNIPRESENT }, /* (3d)p */
+		{ OMNIPRESENT, NA, UNRETENTIVE, OMNIPRESENT }, /* (3d)p */
+		{ UNRETENTIVE, NA, OMNIPRESENT, OMNIPRESENT }, /* (3d)p */
+		{ RUMOURED, NA, RUMOURED, OMNIPRESENT },       /* (3d)s */
+		{ OMNIPRESENT, NA, RUMOURED, OMNIPRESENT },    /* (3d)s */
+		{ RUMOURED, NA, OMNIPRESENT, OMNIPRESENT },    /* (3d)s */
+	};
+	/* successor n/a */
+	dst_key_state_t na[NUM_KEYSTATES] = { NA, NA, NA, NA };
+
+	return (
+		/*
+		 * Equation (3b):
+		 * There is a key with the same algorithm with its DNSKEY,
+		 * KRRSIG and DS records in OMNIPRESENT state.
+		 */
+		keymgr_key_exists_with_state(keyring, key, type, next_state,
+					     states[0], na, false, true) ||
+		/*
+		 * Equation (3c):
+		 * There are two or more keys with an OMNIPRESENT DNSKEY and
+		 * the DS records get swapped.  These keys must be in a
+		 * successor relation.
+		 */
+		keymgr_key_exists_with_state(keyring, key, type, next_state,
+					     states[1], states[2], true,
+					     true) ||
+		/*
+		 * Equation (3d):
+		 * There are two or more keys with an OMNIPRESENT DS and
+		 * the DNSKEY records and its KRRSIG records get swapped.
+		 * These keys must be in a successor relation.  Since the
+		 * state for DNSKEY and KRRSIG move independently, we have
+		 * to check all combinations for DNSKEY and KRRSIG in
+		 * OMNIPRESENT/UNRETENTIVE state for the predecessor, and
+		 * OMNIPRESENT/RUMOURED state for the successor.
+		 */
+		keymgr_key_exists_with_state(keyring, key, type, next_state,
+					     states[3], states[6], true,
+					     true) ||
+		keymgr_key_exists_with_state(keyring, key, type, next_state,
+					     states[3], states[7], true,
+					     true) ||
+		keymgr_key_exists_with_state(keyring, key, type, next_state,
+					     states[3], states[8], true,
+					     true) ||
+		keymgr_key_exists_with_state(keyring, key, type, next_state,
+					     states[4], states[6], true,
+					     true) ||
+		keymgr_key_exists_with_state(keyring, key, type, next_state,
+					     states[4], states[7], true,
+					     true) ||
+		keymgr_key_exists_with_state(keyring, key, type, next_state,
+					     states[4], states[8], true,
+					     true) ||
+		keymgr_key_exists_with_state(keyring, key, type, next_state,
+					     states[5], states[6], true,
+					     true) ||
+		keymgr_key_exists_with_state(keyring, key, type, next_state,
+					     states[5], states[7], true,
+					     true) ||
+		keymgr_key_exists_with_state(keyring, key, type, next_state,
+					     states[5], states[8], true,
+					     true) ||
+		/*
+		 * Equation (3e):
+		 * The key may be in any state as long as all keys have their
+		 * DS HIDDEN, or when their DS is not HIDDEN, there must be a
+		 * key with its DS in the same state and its DNSKEY omnipresent.
+		 * In other words, if a DS record for the same algorithm is
+		 * is still available to some validators, there must be a
+		 * chain of trust for those validators.
+		 */
+		keymgr_ds_hidden_or_chained(keyring, key, type, next_state,
+					    true, false));
+}
+
+/*
+ * Check for existence of RRSIG (zsk), or a good RRSIG state.
+ * See equations what are good RRSIG states.
+ *
+ */
+static bool
+keymgr_have_rrsig(dns_dnsseckeylist_t *keyring, dns_dnsseckey_t *key, int type,
+		  dst_key_state_t next_state) {
+	dst_key_state_t states[11][NUM_KEYSTATES] = {
+		/* DNSKEY,     ZRRSIG,      KRRSIG, DS */
+		{ OMNIPRESENT, OMNIPRESENT, NA, NA }, /* (3f) */
+		{ UNRETENTIVE, OMNIPRESENT, NA, NA }, /* (3g)p */
+		{ RUMOURED, OMNIPRESENT, NA, NA },    /* (3g)s */
+		{ OMNIPRESENT, UNRETENTIVE, NA, NA }, /* (3h)p */
+		{ OMNIPRESENT, RUMOURED, NA, NA },    /* (3h)s */
+	};
+	/* successor n/a */
+	dst_key_state_t na[NUM_KEYSTATES] = { NA, NA, NA, NA };
+
+	return (
+		/*
+		 * If all DS records are hidden than this rule can be ignored.
+		 */
+		keymgr_ds_hidden_or_chained(keyring, key, type, next_state,
+					    true, true) ||
+		/*
+		 * Equation (3f):
+		 * There is a key with the same algorithm with its DNSKEY and
+		 * ZRRSIG records in OMNIPRESENT state.
+		 */
+		keymgr_key_exists_with_state(keyring, key, type, next_state,
+					     states[0], na, false, true) ||
+		/*
+		 * Equation (3g):
+		 * There are two or more keys with OMNIPRESENT ZRRSIG
+		 * records and the DNSKEY records get swapped.  These keys
+		 * must be in a successor relation.
+		 */
+		keymgr_key_exists_with_state(keyring, key, type, next_state,
+					     states[1], states[2], true,
+					     true) ||
+		/*
+		 * Equation (3h):
+		 * There are two or more keys with an OMNIPRESENT DNSKEY
+		 * and the ZRRSIG records get swapped.  These keys must be in
+		 * a successor relation.
+		 */
+		keymgr_key_exists_with_state(keyring, key, type, next_state,
+					     states[3], states[4], true,
+					     true) ||
+		/*
+		 * Equation (3i):
+		 * If no DNSKEYs are published, the state of the signatures is
+		 * irrelevant.  In case a DNSKEY is published however, there
+		 * must be a path that can be validated from there.
+		 */
+		keymgr_dnskey_hidden_or_chained(keyring, key, type, next_state,
+						true));
+}
+
+/*
+ * Check if a transition in the state machine is allowed by the policy.
+ * This means when we do rollovers, we want to follow the rules of the
+ * 1. Pre-publish rollover method (in case of a ZSK)
+ *    - First introduce the DNSKEY record.
+ *    - Only if the DNSKEY record is OMNIPRESENT, introduce ZRRSIG records.
+ *
+ * 2. Double-KSK rollover method (in case of a KSK)
+ *    - First introduce the DNSKEY record, as well as the KRRSIG records.
+ *    - Only if the DNSKEY record is OMNIPRESENT, suggest to introduce the DS.
+ */
+static bool
+keymgr_policy_approval(dns_dnsseckeylist_t *keyring, dns_dnsseckey_t *key,
+		       int type, dst_key_state_t next) {
+	dst_key_state_t dnskeystate = HIDDEN;
+	dst_key_state_t ksk_present[NUM_KEYSTATES] = { OMNIPRESENT, NA,
+						       OMNIPRESENT,
+						       OMNIPRESENT };
+	dst_key_state_t ds_rumoured[NUM_KEYSTATES] = { OMNIPRESENT, NA,
+						       OMNIPRESENT, RUMOURED };
+	dst_key_state_t ds_retired[NUM_KEYSTATES] = { OMNIPRESENT, NA,
+						      OMNIPRESENT,
+						      UNRETENTIVE };
+	dst_key_state_t ksk_rumoured[NUM_KEYSTATES] = { RUMOURED, NA, NA,
+							OMNIPRESENT };
+	dst_key_state_t ksk_retired[NUM_KEYSTATES] = { UNRETENTIVE, NA, NA,
+						       OMNIPRESENT };
+	/* successor n/a */
+	dst_key_state_t na[NUM_KEYSTATES] = { NA, NA, NA, NA };
+
+	if (next != RUMOURED) {
+		/*
+		 * Local policy only adds an extra barrier on transitions to
+		 * the RUMOURED state.
+		 */
+		return (true);
+	}
+
+	switch (type) {
+	case DST_KEY_DNSKEY:
+		/* No restrictions. */
+		return (true);
+	case DST_KEY_ZRRSIG:
+		/* Make sure the DNSKEY record is OMNIPRESENT. */
+		(void)dst_key_getstate(key->key, DST_KEY_DNSKEY, &dnskeystate);
+		if (dnskeystate == OMNIPRESENT) {
+			return (true);
+		}
+		/*
+		 * Or are we introducing a new key for this algorithm? Because
+		 * in that case allow publishing the RRSIG records before the
+		 * DNSKEY.
+		 */
+		return (!(keymgr_key_exists_with_state(keyring, key, type, next,
+						       ksk_present, na, false,
+						       true) ||
+			  keymgr_key_exists_with_state(keyring, key, type, next,
+						       ds_retired, ds_rumoured,
+						       true, true) ||
+			  keymgr_key_exists_with_state(
+				  keyring, key, type, next, ksk_retired,
+				  ksk_rumoured, true, true)));
+	case DST_KEY_KRRSIG:
+		/* Only introduce if the DNSKEY is also introduced. */
+		(void)dst_key_getstate(key->key, DST_KEY_DNSKEY, &dnskeystate);
+		return (dnskeystate != HIDDEN);
+	case DST_KEY_DS:
+		/* Make sure the DNSKEY record is OMNIPRESENT. */
+		(void)dst_key_getstate(key->key, DST_KEY_DNSKEY, &dnskeystate);
+		return (dnskeystate == OMNIPRESENT);
+	default:
+		return (false);
+	}
+}
+
+/*
+ * Check if a transition in the state machine is DNSSEC safe.
+ * This implements Equation(1) of "Flexible and Robust Key Rollover".
+ *
+ */
+static bool
+keymgr_transition_allowed(dns_dnsseckeylist_t *keyring, dns_dnsseckey_t *key,
+			  int type, dst_key_state_t next_state,
+			  bool secure_to_insecure) {
+	/* Debug logging. */
+	if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(1))) {
+		bool rule1a, rule1b, rule2a, rule2b, rule3a, rule3b;
+		char keystr[DST_KEY_FORMATSIZE];
+		dst_key_format(key->key, keystr, sizeof(keystr));
+		rule1a = keymgr_have_ds(keyring, key, type, NA,
+					secure_to_insecure);
+		rule1b = keymgr_have_ds(keyring, key, type, next_state,
+					secure_to_insecure);
+		rule2a = keymgr_have_dnskey(keyring, key, type, NA);
+		rule2b = keymgr_have_dnskey(keyring, key, type, next_state);
+		rule3a = keymgr_have_rrsig(keyring, key, type, NA);
+		rule3b = keymgr_have_rrsig(keyring, key, type, next_state);
+		isc_log_write(
+			dns_lctx, DNS_LOGCATEGORY_DNSSEC, DNS_LOGMODULE_DNSSEC,
+			ISC_LOG_DEBUG(1),
+			"keymgr: dnssec evaluation of %s %s record %s: "
+			"rule1=(~%s or %s) rule2=(~%s or %s) "
+			"rule3=(~%s or %s)",
+			keymgr_keyrole(key->key), keystr, keystatetags[type],
+			rule1a ? "true" : "false", rule1b ? "true" : "false",
+			rule2a ? "true" : "false", rule2b ? "true" : "false",
+			rule3a ? "true" : "false", rule3b ? "true" : "false");
+	}
+
+	return (
+		/*
+		 * Rule 1: There must be a DS at all times.
+		 * First check the current situation: if the rule check fails,
+		 * we allow the transition to attempt to move us out of the
+		 * invalid state.  If the rule check passes, also check if
+		 * the next state is also still a valid situation.
+		 */
+		(!keymgr_have_ds(keyring, key, type, NA, secure_to_insecure) ||
+		 keymgr_have_ds(keyring, key, type, next_state,
+				secure_to_insecure)) &&
+		/*
+		 * Rule 2: There must be a DNSKEY at all times.  Again, first
+		 * check the current situation, then assess the next state.
+		 */
+		(!keymgr_have_dnskey(keyring, key, type, NA) ||
+		 keymgr_have_dnskey(keyring, key, type, next_state)) &&
+		/*
+		 * Rule 3: There must be RRSIG records at all times. Again,
+		 * first check the current situation, then assess the next
+		 * state.
+		 */
+		(!keymgr_have_rrsig(keyring, key, type, NA) ||
+		 keymgr_have_rrsig(keyring, key, type, next_state)));
+}
+
+/*
+ * Calculate the time when it is safe to do the next transition.
+ *
+ */
+static void
+keymgr_transition_time(dns_dnsseckey_t *key, int type,
+		       dst_key_state_t next_state, dns_kasp_t *kasp,
+		       isc_stdtime_t now, isc_stdtime_t *when) {
+	isc_result_t ret;
+	isc_stdtime_t lastchange, dstime, nexttime = now;
+
+	/*
+	 * No need to wait if we move things into an uncertain state.
+	 */
+	if (next_state == RUMOURED || next_state == UNRETENTIVE) {
+		*when = now;
+		return;
+	}
+
+	ret = dst_key_gettime(key->key, keystatetimes[type], &lastchange);
+	if (ret != ISC_R_SUCCESS) {
+		/* No last change, for safety purposes let's set it to now. */
+		dst_key_settime(key->key, keystatetimes[type], now);
+		lastchange = now;
+	}
+
+	switch (type) {
+	case DST_KEY_DNSKEY:
+	case DST_KEY_KRRSIG:
+		switch (next_state) {
+		case OMNIPRESENT:
+			/*
+			 * RFC 7583: The publication interval (Ipub) is the
+			 * amount of time that must elapse after the
+			 * publication of a DNSKEY (plus RRSIG (KSK)) before
+			 * it can be assumed that any resolvers that have the
+			 * relevant RRset cached have a copy of the new
+			 * information.  This is the sum of the propagation
+			 * delay (Dprp) and the DNSKEY TTL (TTLkey).  This
+			 * translates to zone-propagation-delay + dnskey-ttl.
+			 * We will also add the publish-safety interval.
+			 */
+			nexttime = lastchange + dst_key_getttl(key->key) +
+				   dns_kasp_zonepropagationdelay(kasp) +
+				   dns_kasp_publishsafety(kasp);
+			break;
+		case HIDDEN:
+			/*
+			 * Same as OMNIPRESENT but without the publish-safety
+			 * interval.
+			 */
+			nexttime = lastchange + dst_key_getttl(key->key) +
+				   dns_kasp_zonepropagationdelay(kasp);
+			break;
+		default:
+			nexttime = now;
+			break;
+		}
+		break;
+	case DST_KEY_ZRRSIG:
+		switch (next_state) {
+		case OMNIPRESENT:
+		case HIDDEN:
+			/*
+			 * RFC 7583: The retire interval (Iret) is the amount
+			 * of time that must elapse after a DNSKEY or
+			 * associated data enters the retire state for any
+			 * dependent information (RRSIG ZSK) to be purged from
+			 * validating resolver caches.  This is defined as:
+			 *
+			 *     Iret = Dsgn + Dprp + TTLsig
+			 *
+			 * Where Dsgn is the Dsgn is the delay needed to
+			 * ensure that all existing RRsets have been re-signed
+			 * with the new key, Dprp is the propagation delay and
+			 * TTLsig is the maximum TTL of all zone RRSIG
+			 * records.  This translates to:
+			 *
+			 *     Dsgn + zone-propagation-delay + max-zone-ttl.
+			 *
+			 * We will also add the retire-safety interval.
+			 */
+			nexttime = lastchange + dns_kasp_zonemaxttl(kasp) +
+				   dns_kasp_zonepropagationdelay(kasp) +
+				   dns_kasp_retiresafety(kasp);
+			/*
+			 * Only add the sign delay Dsgn if there is an actual
+			 * predecessor or successor key.
+			 */
+			uint32_t tag;
+			ret = dst_key_getnum(key->key, DST_NUM_PREDECESSOR,
+					     &tag);
+			if (ret != ISC_R_SUCCESS) {
+				ret = dst_key_getnum(key->key,
+						     DST_NUM_SUCCESSOR, &tag);
+			}
+			if (ret == ISC_R_SUCCESS) {
+				nexttime += dns_kasp_signdelay(kasp);
+			}
+			break;
+		default:
+			nexttime = now;
+			break;
+		}
+		break;
+	case DST_KEY_DS:
+		switch (next_state) {
+		/*
+		 * RFC 7583: The successor DS record is published in
+		 * the parent zone and after the registration delay
+		 * (Dreg), the time taken after the DS record has been
+		 * submitted to the parent zone manager for it to be
+		 * placed in the zone.  Key N (the predecessor) must
+		 * remain in the zone until any caches that contain a
+		 * copy of the DS RRset have a copy containing the new
+		 * DS record. This interval is the retire interval
+		 * (Iret), given by:
+		 *
+		 *      Iret = DprpP + TTLds
+		 *
+		 * This translates to:
+		 *
+		 *      parent-propagation-delay + parent-ds-ttl.
+		 *
+		 * We will also add the retire-safety interval.
+		 */
+		case OMNIPRESENT:
+			/* Make sure DS has been seen in the parent. */
+			ret = dst_key_gettime(key->key, DST_TIME_DSPUBLISH,
+					      &dstime);
+			if (ret != ISC_R_SUCCESS || dstime > now) {
+				/* Not yet, try again in an hour. */
+				nexttime = now + 3600;
+			} else {
+				nexttime =
+					dstime + dns_kasp_dsttl(kasp) +
+					dns_kasp_parentpropagationdelay(kasp) +
+					dns_kasp_retiresafety(kasp);
+			}
+			break;
+		case HIDDEN:
+			/* Make sure DS has been withdrawn from the parent. */
+			ret = dst_key_gettime(key->key, DST_TIME_DSDELETE,
+					      &dstime);
+			if (ret != ISC_R_SUCCESS || dstime > now) {
+				/* Not yet, try again in an hour. */
+				nexttime = now + 3600;
+			} else {
+				nexttime =
+					dstime + dns_kasp_dsttl(kasp) +
+					dns_kasp_parentpropagationdelay(kasp) +
+					dns_kasp_retiresafety(kasp);
+			}
+			break;
+		default:
+			nexttime = now;
+			break;
+		}
+		break;
+	default:
+		UNREACHABLE();
+		break;
+	}
+
+	*when = nexttime;
+}
+
+/*
+ * Update keys.
+ * This implements Algorithm (1) of "Flexible and Robust Key Rollover".
+ *
+ */
+static isc_result_t
+keymgr_update(dns_dnsseckeylist_t *keyring, dns_kasp_t *kasp, isc_stdtime_t now,
+	      isc_stdtime_t *nexttime, bool secure_to_insecure) {
+	bool changed;
+
+	/* Repeat until nothing changed. */
+transition:
+	changed = false;
+
+	/* For all keys in the zone. */
+	for (dns_dnsseckey_t *dkey = ISC_LIST_HEAD(*keyring); dkey != NULL;
+	     dkey = ISC_LIST_NEXT(dkey, link))
+	{
+		char keystr[DST_KEY_FORMATSIZE];
+		dst_key_format(dkey->key, keystr, sizeof(keystr));
+
+		/* For all records related to this key. */
+		for (int i = 0; i < NUM_KEYSTATES; i++) {
+			isc_result_t ret;
+			isc_stdtime_t when;
+			dst_key_state_t state, next_state;
+
+			ret = dst_key_getstate(dkey->key, i, &state);
+			if (ret == ISC_R_NOTFOUND) {
+				/*
+				 * This record type is not applicable for this
+				 * key, continue to the next record type.
+				 */
+				continue;
+			}
+
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+				      DNS_LOGMODULE_DNSSEC, ISC_LOG_DEBUG(1),
+				      "keymgr: examine %s %s type %s "
+				      "in state %s",
+				      keymgr_keyrole(dkey->key), keystr,
+				      keystatetags[i], keystatestrings[state]);
+
+			/* Get the desired next state. */
+			next_state = keymgr_desiredstate(dkey, state);
+			if (state == next_state) {
+				/*
+				 * This record is in a stable state.
+				 * No change needed, continue with the next
+				 * record type.
+				 */
+				isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+					      DNS_LOGMODULE_DNSSEC,
+					      ISC_LOG_DEBUG(1),
+					      "keymgr: %s %s type %s in "
+					      "stable state %s",
+					      keymgr_keyrole(dkey->key), keystr,
+					      keystatetags[i],
+					      keystatestrings[state]);
+				continue;
+			}
+
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+				      DNS_LOGMODULE_DNSSEC, ISC_LOG_DEBUG(1),
+				      "keymgr: can we transition %s %s type %s "
+				      "state %s to state %s?",
+				      keymgr_keyrole(dkey->key), keystr,
+				      keystatetags[i], keystatestrings[state],
+				      keystatestrings[next_state]);
+
+			/* Is the transition allowed according to policy? */
+			if (!keymgr_policy_approval(keyring, dkey, i,
+						    next_state))
+			{
+				/* No, please respect rollover methods. */
+				isc_log_write(
+					dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+					DNS_LOGMODULE_DNSSEC, ISC_LOG_DEBUG(1),
+					"keymgr: policy says no to %s %s type "
+					"%s "
+					"state %s to state %s",
+					keymgr_keyrole(dkey->key), keystr,
+					keystatetags[i], keystatestrings[state],
+					keystatestrings[next_state]);
+
+				continue;
+			}
+
+			/* Is the transition DNSSEC safe? */
+			if (!keymgr_transition_allowed(keyring, dkey, i,
+						       next_state,
+						       secure_to_insecure))
+			{
+				/* No, this would make the zone bogus. */
+				isc_log_write(
+					dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+					DNS_LOGMODULE_DNSSEC, ISC_LOG_DEBUG(1),
+					"keymgr: dnssec says no to %s %s type "
+					"%s "
+					"state %s to state %s",
+					keymgr_keyrole(dkey->key), keystr,
+					keystatetags[i], keystatestrings[state],
+					keystatestrings[next_state]);
+				continue;
+			}
+
+			/* Is it time to make the transition? */
+			when = now;
+			keymgr_transition_time(dkey, i, next_state, kasp, now,
+					       &when);
+			if (when > now) {
+				/* Not yet. */
+				isc_log_write(
+					dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+					DNS_LOGMODULE_DNSSEC, ISC_LOG_DEBUG(1),
+					"keymgr: time says no to %s %s type %s "
+					"state %s to state %s (wait %u "
+					"seconds)",
+					keymgr_keyrole(dkey->key), keystr,
+					keystatetags[i], keystatestrings[state],
+					keystatestrings[next_state],
+					when - now);
+				if (*nexttime == 0 || *nexttime > when) {
+					*nexttime = when;
+				}
+				continue;
+			}
+
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+				      DNS_LOGMODULE_DNSSEC, ISC_LOG_DEBUG(1),
+				      "keymgr: transition %s %s type %s "
+				      "state %s to state %s!",
+				      keymgr_keyrole(dkey->key), keystr,
+				      keystatetags[i], keystatestrings[state],
+				      keystatestrings[next_state]);
+
+			/* It is safe to make the transition. */
+			dst_key_setstate(dkey->key, i, next_state);
+			dst_key_settime(dkey->key, keystatetimes[i], now);
+			INSIST(dst_key_ismodified(dkey->key));
+			changed = true;
+		}
+	}
+
+	/* We changed something, continue processing. */
+	if (changed) {
+		goto transition;
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * See if this key needs to be initialized with properties.  A key created
+ * and derived from a dnssec-policy will have the required metadata available,
+ * otherwise these may be missing and need to be initialized.  The key states
+ * will be initialized according to existing timing metadata.
+ *
+ */
+static void
+keymgr_key_init(dns_dnsseckey_t *key, dns_kasp_t *kasp, isc_stdtime_t now,
+		bool csk) {
+	bool ksk, zsk;
+	isc_result_t ret;
+	isc_stdtime_t active = 0, pub = 0, syncpub = 0, retire = 0, remove = 0;
+	dst_key_state_t dnskey_state = HIDDEN;
+	dst_key_state_t ds_state = HIDDEN;
+	dst_key_state_t zrrsig_state = HIDDEN;
+	dst_key_state_t goal_state = HIDDEN;
+
+	REQUIRE(key != NULL);
+	REQUIRE(key->key != NULL);
+
+	/* Initialize role. */
+	ret = dst_key_getbool(key->key, DST_BOOL_KSK, &ksk);
+	if (ret != ISC_R_SUCCESS) {
+		ksk = ((dst_key_flags(key->key) & DNS_KEYFLAG_KSK) != 0);
+		dst_key_setbool(key->key, DST_BOOL_KSK, (ksk || csk));
+	}
+	ret = dst_key_getbool(key->key, DST_BOOL_ZSK, &zsk);
+	if (ret != ISC_R_SUCCESS) {
+		zsk = ((dst_key_flags(key->key) & DNS_KEYFLAG_KSK) == 0);
+		dst_key_setbool(key->key, DST_BOOL_ZSK, (zsk || csk));
+	}
+
+	/* Get time metadata. */
+	ret = dst_key_gettime(key->key, DST_TIME_ACTIVATE, &active);
+	if (active <= now && ret == ISC_R_SUCCESS) {
+		dns_ttl_t zone_ttl = dns_kasp_zonemaxttl(kasp);
+		zone_ttl += dns_kasp_zonepropagationdelay(kasp);
+		if ((active + zone_ttl) <= now) {
+			zrrsig_state = OMNIPRESENT;
+		} else {
+			zrrsig_state = RUMOURED;
+		}
+		goal_state = OMNIPRESENT;
+	}
+	ret = dst_key_gettime(key->key, DST_TIME_PUBLISH, &pub);
+	if (pub <= now && ret == ISC_R_SUCCESS) {
+		dns_ttl_t key_ttl = dst_key_getttl(key->key);
+		key_ttl += dns_kasp_zonepropagationdelay(kasp);
+		if ((pub + key_ttl) <= now) {
+			dnskey_state = OMNIPRESENT;
+		} else {
+			dnskey_state = RUMOURED;
+		}
+		goal_state = OMNIPRESENT;
+	}
+	ret = dst_key_gettime(key->key, DST_TIME_SYNCPUBLISH, &syncpub);
+	if (syncpub <= now && ret == ISC_R_SUCCESS) {
+		dns_ttl_t ds_ttl = dns_kasp_dsttl(kasp);
+		ds_ttl += dns_kasp_parentpropagationdelay(kasp);
+		if ((syncpub + ds_ttl) <= now) {
+			ds_state = OMNIPRESENT;
+		} else {
+			ds_state = RUMOURED;
+		}
+		goal_state = OMNIPRESENT;
+	}
+	ret = dst_key_gettime(key->key, DST_TIME_INACTIVE, &retire);
+	if (retire <= now && ret == ISC_R_SUCCESS) {
+		dns_ttl_t zone_ttl = dns_kasp_zonemaxttl(kasp);
+		zone_ttl += dns_kasp_zonepropagationdelay(kasp);
+		if ((retire + zone_ttl) <= now) {
+			zrrsig_state = HIDDEN;
+		} else {
+			zrrsig_state = UNRETENTIVE;
+		}
+		ds_state = UNRETENTIVE;
+		goal_state = HIDDEN;
+	}
+	ret = dst_key_gettime(key->key, DST_TIME_DELETE, &remove);
+	if (remove <= now && ret == ISC_R_SUCCESS) {
+		dns_ttl_t key_ttl = dst_key_getttl(key->key);
+		key_ttl += dns_kasp_zonepropagationdelay(kasp);
+		if ((remove + key_ttl) <= now) {
+			dnskey_state = HIDDEN;
+		} else {
+			dnskey_state = UNRETENTIVE;
+		}
+		zrrsig_state = HIDDEN;
+		ds_state = HIDDEN;
+		goal_state = HIDDEN;
+	}
+
+	/* Set goal if not already set. */
+	if (dst_key_getstate(key->key, DST_KEY_GOAL, &goal_state) !=
+	    ISC_R_SUCCESS)
+	{
+		dst_key_setstate(key->key, DST_KEY_GOAL, goal_state);
+	}
+
+	/* Set key states for all keys that do not have them. */
+	INITIALIZE_STATE(key->key, DST_KEY_DNSKEY, DST_TIME_DNSKEY,
+			 dnskey_state, now);
+	if (ksk || csk) {
+		INITIALIZE_STATE(key->key, DST_KEY_KRRSIG, DST_TIME_KRRSIG,
+				 dnskey_state, now);
+		INITIALIZE_STATE(key->key, DST_KEY_DS, DST_TIME_DS, ds_state,
+				 now);
+	}
+	if (zsk || csk) {
+		INITIALIZE_STATE(key->key, DST_KEY_ZRRSIG, DST_TIME_ZRRSIG,
+				 zrrsig_state, now);
+	}
+}
+
+static isc_result_t
+keymgr_key_rollover(dns_kasp_key_t *kaspkey, dns_dnsseckey_t *active_key,
+		    dns_dnsseckeylist_t *keyring, dns_dnsseckeylist_t *newkeys,
+		    const dns_name_t *origin, dns_rdataclass_t rdclass,
+		    dns_kasp_t *kasp, uint32_t lifetime, bool rollover,
+		    isc_stdtime_t now, isc_stdtime_t *nexttime,
+		    isc_mem_t *mctx) {
+	char keystr[DST_KEY_FORMATSIZE];
+	isc_stdtime_t retire = 0, active = 0, prepub = 0;
+	dns_dnsseckey_t *new_key = NULL;
+	dns_dnsseckey_t *candidate = NULL;
+	dst_key_t *dst_key = NULL;
+
+	/* Do we need to create a successor for the active key? */
+	if (active_key != NULL) {
+		if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(1))) {
+			dst_key_format(active_key->key, keystr, sizeof(keystr));
+			isc_log_write(
+				dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+				DNS_LOGMODULE_DNSSEC, ISC_LOG_DEBUG(1),
+				"keymgr: DNSKEY %s (%s) is active in policy %s",
+				keystr, keymgr_keyrole(active_key->key),
+				dns_kasp_getname(kasp));
+		}
+
+		/*
+		 * Calculate when the successor needs to be published
+		 * in the zone.
+		 */
+		prepub = keymgr_prepublication_time(active_key, kasp, lifetime,
+						    now);
+		if (prepub == 0 || prepub > now) {
+			if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(1))) {
+				dst_key_format(active_key->key, keystr,
+					       sizeof(keystr));
+				isc_log_write(
+					dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+					DNS_LOGMODULE_DNSSEC, ISC_LOG_DEBUG(1),
+					"keymgr: new successor needed for "
+					"DNSKEY %s (%s) (policy %s) in %u "
+					"seconds",
+					keystr, keymgr_keyrole(active_key->key),
+					dns_kasp_getname(kasp), (prepub - now));
+			}
+
+			/* No need to start rollover now. */
+			if (*nexttime == 0 || prepub < *nexttime) {
+				*nexttime = prepub;
+			}
+			return (ISC_R_SUCCESS);
+		}
+
+		if (keymgr_key_has_successor(active_key, keyring)) {
+			/* Key already has successor. */
+			if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(1))) {
+				dst_key_format(active_key->key, keystr,
+					       sizeof(keystr));
+				isc_log_write(
+					dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+					DNS_LOGMODULE_DNSSEC, ISC_LOG_DEBUG(1),
+					"keymgr: key DNSKEY %s (%s) (policy "
+					"%s) already has successor",
+					keystr, keymgr_keyrole(active_key->key),
+					dns_kasp_getname(kasp));
+			}
+			return (ISC_R_SUCCESS);
+		}
+
+		if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(1))) {
+			dst_key_format(active_key->key, keystr, sizeof(keystr));
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+				      DNS_LOGMODULE_DNSSEC, ISC_LOG_DEBUG(1),
+				      "keymgr: need successor for DNSKEY %s "
+				      "(%s) (policy %s)",
+				      keystr, keymgr_keyrole(active_key->key),
+				      dns_kasp_getname(kasp));
+		}
+
+		/*
+		 * If rollover is not allowed, warn.
+		 */
+		if (!rollover) {
+			dst_key_format(active_key->key, keystr, sizeof(keystr));
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+				      DNS_LOGMODULE_DNSSEC, ISC_LOG_WARNING,
+				      "keymgr: DNSKEY %s (%s) is offline in "
+				      "policy %s, cannot start rollover",
+				      keystr, keymgr_keyrole(active_key->key),
+				      dns_kasp_getname(kasp));
+			return (ISC_R_SUCCESS);
+		}
+	} else if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(1))) {
+		char namestr[DNS_NAME_FORMATSIZE];
+		dns_name_format(origin, namestr, sizeof(namestr));
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+			      DNS_LOGMODULE_DNSSEC, ISC_LOG_DEBUG(1),
+			      "keymgr: no active key found for %s (policy %s)",
+			      namestr, dns_kasp_getname(kasp));
+	}
+
+	/* It is time to do key rollover, we need a new key. */
+
+	/*
+	 * Check if there is a key available in pool because keys
+	 * may have been pregenerated with dnssec-keygen.
+	 */
+	for (candidate = ISC_LIST_HEAD(*keyring); candidate != NULL;
+	     candidate = ISC_LIST_NEXT(candidate, link))
+	{
+		if (keymgr_dnsseckey_kaspkey_match(candidate, kaspkey) &&
+		    dst_key_is_unused(candidate->key))
+		{
+			/* Found a candidate in keyring. */
+			break;
+		}
+	}
+
+	if (candidate == NULL) {
+		/* No key available in keyring, create a new one. */
+		bool csk = (dns_kasp_key_ksk(kaspkey) &&
+			    dns_kasp_key_zsk(kaspkey));
+
+		isc_result_t result = keymgr_createkey(kaspkey, origin, rdclass,
+						       mctx, keyring, newkeys,
+						       &dst_key);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		dst_key_setttl(dst_key, dns_kasp_dnskeyttl(kasp));
+		dst_key_settime(dst_key, DST_TIME_CREATED, now);
+		result = dns_dnsseckey_create(mctx, &dst_key, &new_key);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		keymgr_key_init(new_key, kasp, now, csk);
+	} else {
+		new_key = candidate;
+	}
+	dst_key_setnum(new_key->key, DST_NUM_LIFETIME, lifetime);
+
+	/* Got a key. */
+	if (active_key == NULL) {
+		/*
+		 * If there is no active key found yet for this kasp
+		 * key configuration, immediately make this key active.
+		 */
+		dst_key_settime(new_key->key, DST_TIME_PUBLISH, now);
+		dst_key_settime(new_key->key, DST_TIME_ACTIVATE, now);
+		keymgr_settime_syncpublish(new_key, kasp, true);
+		active = now;
+	} else {
+		/*
+		 * This is a successor.  Mark the relationship.
+		 */
+		isc_stdtime_t created;
+		(void)dst_key_gettime(new_key->key, DST_TIME_CREATED, &created);
+
+		dst_key_setnum(new_key->key, DST_NUM_PREDECESSOR,
+			       dst_key_id(active_key->key));
+		dst_key_setnum(active_key->key, DST_NUM_SUCCESSOR,
+			       dst_key_id(new_key->key));
+		(void)dst_key_gettime(active_key->key, DST_TIME_INACTIVE,
+				      &retire);
+		active = retire;
+
+		/*
+		 * If prepublication time and/or retire time are
+		 * in the past (before the new key was created), use
+		 * creation time as published and active time,
+		 * effectively immediately making the key active.
+		 */
+		if (prepub < created) {
+			active += (created - prepub);
+			prepub = created;
+		}
+		if (active < created) {
+			active = created;
+		}
+		dst_key_settime(new_key->key, DST_TIME_PUBLISH, prepub);
+		dst_key_settime(new_key->key, DST_TIME_ACTIVATE, active);
+		keymgr_settime_syncpublish(new_key, kasp, false);
+
+		/*
+		 * Retire predecessor.
+		 */
+		dst_key_setstate(active_key->key, DST_KEY_GOAL, HIDDEN);
+	}
+
+	/* This key wants to be present. */
+	dst_key_setstate(new_key->key, DST_KEY_GOAL, OMNIPRESENT);
+
+	/* Do we need to set retire time? */
+	if (lifetime > 0) {
+		dst_key_settime(new_key->key, DST_TIME_INACTIVE,
+				(active + lifetime));
+		keymgr_settime_remove(new_key, kasp);
+	}
+
+	/* Append dnsseckey to list of new keys. */
+	dns_dnssec_get_hints(new_key, now);
+	new_key->source = dns_keysource_repository;
+	INSIST(!new_key->legacy);
+	if (candidate == NULL) {
+		ISC_LIST_APPEND(*newkeys, new_key, link);
+	}
+
+	/* Logging. */
+	dst_key_format(new_key->key, keystr, sizeof(keystr));
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC, DNS_LOGMODULE_DNSSEC,
+		      ISC_LOG_INFO, "keymgr: DNSKEY %s (%s) %s for policy %s",
+		      keystr, keymgr_keyrole(new_key->key),
+		      (candidate != NULL) ? "selected" : "created",
+		      dns_kasp_getname(kasp));
+	return (ISC_R_SUCCESS);
+}
+
+static bool
+keymgr_key_may_be_purged(dst_key_t *key, uint32_t after, isc_stdtime_t now) {
+	bool ksk = false;
+	bool zsk = false;
+	dst_key_state_t hidden[NUM_KEYSTATES] = { HIDDEN, NA, NA, NA };
+	isc_stdtime_t lastchange = 0;
+
+	char keystr[DST_KEY_FORMATSIZE];
+	dst_key_format(key, keystr, sizeof(keystr));
+
+	/* If 'purge-keys' is disabled, always retain keys. */
+	if (after == 0) {
+		return (false);
+	}
+
+	/* Don't purge keys with goal OMNIPRESENT */
+	if (dst_key_goal(key) == OMNIPRESENT) {
+		return (false);
+	}
+
+	/* Don't purge unused keys. */
+	if (dst_key_is_unused(key)) {
+		return (false);
+	}
+
+	/* If this key is completely HIDDEN it may be purged. */
+	(void)dst_key_getbool(key, DST_BOOL_KSK, &ksk);
+	(void)dst_key_getbool(key, DST_BOOL_ZSK, &zsk);
+	if (ksk) {
+		hidden[DST_KEY_KRRSIG] = HIDDEN;
+		hidden[DST_KEY_DS] = HIDDEN;
+	}
+	if (zsk) {
+		hidden[DST_KEY_ZRRSIG] = HIDDEN;
+	}
+	if (!keymgr_key_match_state(key, key, 0, NA, hidden)) {
+		return (false);
+	}
+
+	/*
+	 * Check 'purge-keys' interval. If the interval has passed since
+	 * the last key change, it may be purged.
+	 */
+	for (int i = 0; i < NUM_KEYSTATES; i++) {
+		isc_stdtime_t change = 0;
+		(void)dst_key_gettime(key, keystatetimes[i], &change);
+		if (change > lastchange) {
+			lastchange = change;
+		}
+	}
+
+	return ((lastchange + after) < now);
+}
+
+static void
+keymgr_purge_keyfile(dst_key_t *key, const char *dir, int type) {
+	isc_result_t ret;
+	isc_buffer_t fileb;
+	char filename[NAME_MAX];
+
+	/*
+	 * Make the filename.
+	 */
+	isc_buffer_init(&fileb, filename, sizeof(filename));
+	ret = dst_key_buildfilename(key, type, dir, &fileb);
+	if (ret != ISC_R_SUCCESS) {
+		char keystr[DST_KEY_FORMATSIZE];
+		dst_key_format(key, keystr, sizeof(keystr));
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+			      DNS_LOGMODULE_DNSSEC, ISC_LOG_WARNING,
+			      "keymgr: failed to purge DNSKEY %s (%s): cannot "
+			      "build filename (%s)",
+			      keystr, keymgr_keyrole(key),
+			      isc_result_totext(ret));
+		return;
+	}
+
+	if (unlink(filename) < 0) {
+		char keystr[DST_KEY_FORMATSIZE];
+		dst_key_format(key, keystr, sizeof(keystr));
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+			      DNS_LOGMODULE_DNSSEC, ISC_LOG_WARNING,
+			      "keymgr: failed to purge DNSKEY %s (%s): unlink "
+			      "'%s' failed",
+			      keystr, keymgr_keyrole(key), filename);
+	}
+}
+
+/*
+ * Examine 'keys' and match 'kasp' policy.
+ *
+ */
+isc_result_t
+dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
+	       const char *directory, isc_mem_t *mctx,
+	       dns_dnsseckeylist_t *keyring, dns_dnsseckeylist_t *dnskeys,
+	       dns_kasp_t *kasp, isc_stdtime_t now, isc_stdtime_t *nexttime) {
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_dnsseckeylist_t newkeys;
+	dns_kasp_key_t *kkey;
+	dns_dnsseckey_t *newkey = NULL;
+	isc_dir_t dir;
+	bool dir_open = false;
+	bool secure_to_insecure = false;
+	int numkeys = 0;
+	int options = (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC | DST_TYPE_STATE);
+	char keystr[DST_KEY_FORMATSIZE];
+
+	REQUIRE(DNS_KASP_VALID(kasp));
+	REQUIRE(keyring != NULL);
+
+	ISC_LIST_INIT(newkeys);
+
+	isc_dir_init(&dir);
+	if (directory == NULL) {
+		directory = ".";
+	}
+
+	RETERR(isc_dir_open(&dir, directory));
+	dir_open = true;
+
+	*nexttime = 0;
+
+	/* Debug logging: what keys are available in the keyring? */
+	if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(1))) {
+		if (ISC_LIST_EMPTY(*keyring)) {
+			char namebuf[DNS_NAME_FORMATSIZE];
+			dns_name_format(origin, namebuf, sizeof(namebuf));
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+				      DNS_LOGMODULE_DNSSEC, ISC_LOG_DEBUG(1),
+				      "keymgr: keyring empty (zone %s policy "
+				      "%s)",
+				      namebuf, dns_kasp_getname(kasp));
+		}
+
+		for (dns_dnsseckey_t *dkey = ISC_LIST_HEAD(*keyring);
+		     dkey != NULL; dkey = ISC_LIST_NEXT(dkey, link))
+		{
+			dst_key_format(dkey->key, keystr, sizeof(keystr));
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+				      DNS_LOGMODULE_DNSSEC, ISC_LOG_DEBUG(1),
+				      "keymgr: keyring: %s (policy %s)", keystr,
+				      dns_kasp_getname(kasp));
+		}
+		for (dns_dnsseckey_t *dkey = ISC_LIST_HEAD(*dnskeys);
+		     dkey != NULL; dkey = ISC_LIST_NEXT(dkey, link))
+		{
+			dst_key_format(dkey->key, keystr, sizeof(keystr));
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+				      DNS_LOGMODULE_DNSSEC, ISC_LOG_DEBUG(1),
+				      "keymgr: dnskeys: %s (policy %s)", keystr,
+				      dns_kasp_getname(kasp));
+		}
+	}
+
+	for (dns_dnsseckey_t *dkey = ISC_LIST_HEAD(*dnskeys); dkey != NULL;
+	     dkey = ISC_LIST_NEXT(dkey, link))
+	{
+		numkeys++;
+	}
+
+	/* Do we need to remove keys? */
+	for (dns_dnsseckey_t *dkey = ISC_LIST_HEAD(*keyring); dkey != NULL;
+	     dkey = ISC_LIST_NEXT(dkey, link))
+	{
+		bool found_match = false;
+
+		keymgr_key_init(dkey, kasp, now, (numkeys == 1));
+
+		for (kkey = ISC_LIST_HEAD(dns_kasp_keys(kasp)); kkey != NULL;
+		     kkey = ISC_LIST_NEXT(kkey, link))
+		{
+			if (keymgr_dnsseckey_kaspkey_match(dkey, kkey)) {
+				found_match = true;
+				break;
+			}
+		}
+
+		/* No match, so retire unwanted retire key. */
+		if (!found_match) {
+			keymgr_key_retire(dkey, kasp, now);
+		}
+
+		/* Check purge-keys interval. */
+		if (keymgr_key_may_be_purged(dkey->key,
+					     dns_kasp_purgekeys(kasp), now))
+		{
+			dst_key_format(dkey->key, keystr, sizeof(keystr));
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+				      DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO,
+				      "keymgr: purge DNSKEY %s (%s) according "
+				      "to policy %s",
+				      keystr, keymgr_keyrole(dkey->key),
+				      dns_kasp_getname(kasp));
+
+			keymgr_purge_keyfile(dkey->key, directory,
+					     DST_TYPE_PUBLIC);
+			keymgr_purge_keyfile(dkey->key, directory,
+					     DST_TYPE_PRIVATE);
+			keymgr_purge_keyfile(dkey->key, directory,
+					     DST_TYPE_STATE);
+
+			dkey->purge = true;
+		}
+	}
+
+	/* Create keys according to the policy, if come in short. */
+	for (kkey = ISC_LIST_HEAD(dns_kasp_keys(kasp)); kkey != NULL;
+	     kkey = ISC_LIST_NEXT(kkey, link))
+	{
+		uint32_t lifetime = dns_kasp_key_lifetime(kkey);
+		dns_dnsseckey_t *active_key = NULL;
+		bool rollover_allowed = true;
+
+		/* Do we have keys available for this kasp key? */
+		for (dns_dnsseckey_t *dkey = ISC_LIST_HEAD(*keyring);
+		     dkey != NULL; dkey = ISC_LIST_NEXT(dkey, link))
+		{
+			if (keymgr_dnsseckey_kaspkey_match(dkey, kkey)) {
+				/* Found a match. */
+				dst_key_format(dkey->key, keystr,
+					       sizeof(keystr));
+				isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+					      DNS_LOGMODULE_DNSSEC,
+					      ISC_LOG_DEBUG(1),
+					      "keymgr: DNSKEY %s (%s) matches "
+					      "policy %s",
+					      keystr, keymgr_keyrole(dkey->key),
+					      dns_kasp_getname(kasp));
+
+				/* Initialize lifetime if not set. */
+				uint32_t l;
+				if (dst_key_getnum(dkey->key, DST_NUM_LIFETIME,
+						   &l) != ISC_R_SUCCESS)
+				{
+					dst_key_setnum(dkey->key,
+						       DST_NUM_LIFETIME,
+						       lifetime);
+				}
+
+				if (active_key) {
+					/* We already have an active key that
+					 * matches the kasp policy.
+					 */
+					if (!dst_key_is_unused(dkey->key) &&
+					    (dst_key_goal(dkey->key) ==
+					     OMNIPRESENT) &&
+					    !keymgr_dep(dkey->key, keyring,
+							NULL) &&
+					    !keymgr_dep(active_key->key,
+							keyring, NULL))
+					{
+						/*
+						 * Multiple signing keys match
+						 * the kasp key configuration.
+						 * Retire excess keys in use.
+						 */
+						keymgr_key_retire(dkey, kasp,
+								  now);
+					}
+					continue;
+				}
+
+				/*
+				 * Save the matched key only if it is active
+				 * or desires to be active.
+				 */
+				if (dst_key_goal(dkey->key) == OMNIPRESENT ||
+				    dst_key_is_active(dkey->key, now))
+				{
+					active_key = dkey;
+				}
+			}
+		}
+
+		if (active_key == NULL) {
+			/*
+			 * We didn't found an active key, perhaps the .private
+			 * key file is offline. If so, we don't want to create
+			 * a successor key. Check if we have an appropriate
+			 * state file.
+			 */
+			for (dns_dnsseckey_t *dnskey = ISC_LIST_HEAD(*dnskeys);
+			     dnskey != NULL;
+			     dnskey = ISC_LIST_NEXT(dnskey, link))
+			{
+				if (keymgr_dnsseckey_kaspkey_match(dnskey,
+								   kkey))
+				{
+					/* Found a match. */
+					dst_key_format(dnskey->key, keystr,
+						       sizeof(keystr));
+					isc_log_write(
+						dns_lctx,
+						DNS_LOGCATEGORY_DNSSEC,
+						DNS_LOGMODULE_DNSSEC,
+						ISC_LOG_DEBUG(1),
+						"keymgr: DNSKEY %s (%s) "
+						"offline, policy %s",
+						keystr,
+						keymgr_keyrole(dnskey->key),
+						dns_kasp_getname(kasp));
+					rollover_allowed = false;
+					active_key = dnskey;
+					break;
+				}
+			}
+		}
+
+		/* See if this key requires a rollover. */
+		RETERR(keymgr_key_rollover(
+			kkey, active_key, keyring, &newkeys, origin, rdclass,
+			kasp, lifetime, rollover_allowed, now, nexttime, mctx));
+	}
+
+	/* Walked all kasp key configurations.  Append new keys. */
+	if (!ISC_LIST_EMPTY(newkeys)) {
+		ISC_LIST_APPENDLIST(*keyring, newkeys, link);
+	}
+
+	/*
+	 * If the policy has an empty key list, this means the zone is going
+	 * back to unsigned.
+	 */
+	secure_to_insecure = dns_kasp_keylist_empty(kasp);
+
+	/* Read to update key states. */
+	keymgr_update(keyring, kasp, now, nexttime, secure_to_insecure);
+
+	/* Store key states and update hints. */
+	for (dns_dnsseckey_t *dkey = ISC_LIST_HEAD(*keyring); dkey != NULL;
+	     dkey = ISC_LIST_NEXT(dkey, link))
+	{
+		if (dst_key_ismodified(dkey->key) && !dkey->purge) {
+			dns_dnssec_get_hints(dkey, now);
+			RETERR(dst_key_tofile(dkey->key, options, directory));
+			dst_key_setmodified(dkey->key, false);
+		}
+	}
+
+	result = ISC_R_SUCCESS;
+
+failure:
+	if (dir_open) {
+		isc_dir_close(&dir);
+	}
+
+	if (result != ISC_R_SUCCESS) {
+		while ((newkey = ISC_LIST_HEAD(newkeys)) != NULL) {
+			ISC_LIST_UNLINK(newkeys, newkey, link);
+			INSIST(newkey->key != NULL);
+			dst_key_free(&newkey->key);
+			dns_dnsseckey_destroy(mctx, &newkey);
+		}
+	}
+
+	if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3))) {
+		char namebuf[DNS_NAME_FORMATSIZE];
+		dns_name_format(origin, namebuf, sizeof(namebuf));
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+			      DNS_LOGMODULE_DNSSEC, ISC_LOG_DEBUG(3),
+			      "keymgr: %s done", namebuf);
+	}
+	return (result);
+}
+
+static isc_result_t
+keymgr_checkds(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
+	       const char *directory, isc_stdtime_t now, isc_stdtime_t when,
+	       bool dspublish, dns_keytag_t id, unsigned int alg,
+	       bool check_id) {
+	int options = (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC | DST_TYPE_STATE);
+	isc_dir_t dir;
+	isc_result_t result;
+	dns_dnsseckey_t *ksk_key = NULL;
+
+	REQUIRE(DNS_KASP_VALID(kasp));
+	REQUIRE(keyring != NULL);
+
+	for (dns_dnsseckey_t *dkey = ISC_LIST_HEAD(*keyring); dkey != NULL;
+	     dkey = ISC_LIST_NEXT(dkey, link))
+	{
+		isc_result_t ret;
+		bool ksk = false;
+
+		ret = dst_key_getbool(dkey->key, DST_BOOL_KSK, &ksk);
+		if (ret == ISC_R_SUCCESS && ksk) {
+			if (check_id && dst_key_id(dkey->key) != id) {
+				continue;
+			}
+			if (alg > 0 && dst_key_alg(dkey->key) != alg) {
+				continue;
+			}
+
+			if (ksk_key != NULL) {
+				/*
+				 * Only checkds for one key at a time.
+				 */
+				return (DNS_R_TOOMANYKEYS);
+			}
+
+			ksk_key = dkey;
+		}
+	}
+
+	if (ksk_key == NULL) {
+		return (DNS_R_NOKEYMATCH);
+	}
+
+	if (dspublish) {
+		dst_key_state_t s;
+		dst_key_settime(ksk_key->key, DST_TIME_DSPUBLISH, when);
+		result = dst_key_getstate(ksk_key->key, DST_KEY_DS, &s);
+		if (result != ISC_R_SUCCESS || s != RUMOURED) {
+			dst_key_setstate(ksk_key->key, DST_KEY_DS, RUMOURED);
+		}
+	} else {
+		dst_key_state_t s;
+		dst_key_settime(ksk_key->key, DST_TIME_DSDELETE, when);
+		result = dst_key_getstate(ksk_key->key, DST_KEY_DS, &s);
+		if (result != ISC_R_SUCCESS || s != UNRETENTIVE) {
+			dst_key_setstate(ksk_key->key, DST_KEY_DS, UNRETENTIVE);
+		}
+	}
+
+	if (isc_log_wouldlog(dns_lctx, ISC_LOG_NOTICE)) {
+		char keystr[DST_KEY_FORMATSIZE];
+		char timestr[26]; /* Minimal buf as per ctime_r() spec. */
+
+		dst_key_format(ksk_key->key, keystr, sizeof(keystr));
+		isc_stdtime_tostring(when, timestr, sizeof(timestr));
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+			      DNS_LOGMODULE_DNSSEC, ISC_LOG_NOTICE,
+			      "keymgr: checkds DS for key %s seen %s at %s",
+			      keystr, dspublish ? "published" : "withdrawn",
+			      timestr);
+	}
+
+	/* Store key state and update hints. */
+	isc_dir_init(&dir);
+	if (directory == NULL) {
+		directory = ".";
+	}
+	result = isc_dir_open(&dir, directory);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	dns_dnssec_get_hints(ksk_key, now);
+	result = dst_key_tofile(ksk_key->key, options, directory);
+	if (result == ISC_R_SUCCESS) {
+		dst_key_setmodified(ksk_key->key, false);
+	}
+	isc_dir_close(&dir);
+
+	return (result);
+}
+
+isc_result_t
+dns_keymgr_checkds(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
+		   const char *directory, isc_stdtime_t now, isc_stdtime_t when,
+		   bool dspublish) {
+	return (keymgr_checkds(kasp, keyring, directory, now, when, dspublish,
+			       0, 0, false));
+}
+
+isc_result_t
+dns_keymgr_checkds_id(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
+		      const char *directory, isc_stdtime_t now,
+		      isc_stdtime_t when, bool dspublish, dns_keytag_t id,
+		      unsigned int alg) {
+	return (keymgr_checkds(kasp, keyring, directory, now, when, dspublish,
+			       id, alg, true));
+}
+
+static void
+keytime_status(dst_key_t *key, isc_stdtime_t now, isc_buffer_t *buf,
+	       const char *pre, int ks, int kt) {
+	char timestr[26]; /* Minimal buf as per ctime_r() spec. */
+	isc_result_t ret;
+	isc_stdtime_t when = 0;
+	dst_key_state_t state = NA;
+
+	isc_buffer_printf(buf, "%s", pre);
+	(void)dst_key_getstate(key, ks, &state);
+	ret = dst_key_gettime(key, kt, &when);
+	if (state == RUMOURED || state == OMNIPRESENT) {
+		isc_buffer_printf(buf, "yes - since ");
+	} else if (now < when) {
+		isc_buffer_printf(buf, "no  - scheduled ");
+	} else {
+		isc_buffer_printf(buf, "no\n");
+		return;
+	}
+	if (ret == ISC_R_SUCCESS) {
+		isc_stdtime_tostring(when, timestr, sizeof(timestr));
+		isc_buffer_printf(buf, "%s\n", timestr);
+	}
+}
+
+static void
+rollover_status(dns_dnsseckey_t *dkey, dns_kasp_t *kasp, isc_stdtime_t now,
+		isc_buffer_t *buf, bool zsk) {
+	char timestr[26]; /* Minimal buf as per ctime_r() spec. */
+	isc_result_t ret = ISC_R_SUCCESS;
+	isc_stdtime_t active_time = 0;
+	dst_key_state_t state = NA, goal = NA;
+	int rrsig, active, retire;
+	dst_key_t *key = dkey->key;
+
+	if (zsk) {
+		rrsig = DST_KEY_ZRRSIG;
+		active = DST_TIME_ACTIVATE;
+		retire = DST_TIME_INACTIVE;
+	} else {
+		rrsig = DST_KEY_KRRSIG;
+		active = DST_TIME_PUBLISH;
+		retire = DST_TIME_DELETE;
+	}
+
+	isc_buffer_printf(buf, "\n");
+
+	(void)dst_key_getstate(key, DST_KEY_GOAL, &goal);
+	(void)dst_key_getstate(key, rrsig, &state);
+	(void)dst_key_gettime(key, active, &active_time);
+	if (active_time == 0) {
+		// only interested in keys that were once active.
+		return;
+	}
+
+	if (goal == HIDDEN && (state == UNRETENTIVE || state == HIDDEN)) {
+		isc_stdtime_t remove_time = 0;
+		// is the key removed yet?
+		state = NA;
+		(void)dst_key_getstate(key, DST_KEY_DNSKEY, &state);
+		if (state == RUMOURED || state == OMNIPRESENT) {
+			ret = dst_key_gettime(key, DST_TIME_DELETE,
+					      &remove_time);
+			if (ret == ISC_R_SUCCESS) {
+				isc_buffer_printf(buf, "  Key is retired, will "
+						       "be removed on ");
+				isc_stdtime_tostring(remove_time, timestr,
+						     sizeof(timestr));
+				isc_buffer_printf(buf, "%s", timestr);
+			}
+		} else {
+			isc_buffer_printf(
+				buf, "  Key has been removed from the zone");
+		}
+	} else {
+		isc_stdtime_t retire_time = 0;
+		uint32_t lifetime = 0;
+		(void)dst_key_getnum(key, DST_NUM_LIFETIME, &lifetime);
+		ret = dst_key_gettime(key, retire, &retire_time);
+		if (ret == ISC_R_SUCCESS) {
+			if (now < retire_time) {
+				if (goal == OMNIPRESENT) {
+					isc_buffer_printf(buf,
+							  "  Next rollover "
+							  "scheduled on ");
+					retire_time = keymgr_prepublication_time(
+						dkey, kasp, lifetime, now);
+				} else {
+					isc_buffer_printf(
+						buf, "  Key will retire on ");
+				}
+			} else {
+				isc_buffer_printf(buf,
+						  "  Rollover is due since ");
+			}
+			isc_stdtime_tostring(retire_time, timestr,
+					     sizeof(timestr));
+			isc_buffer_printf(buf, "%s", timestr);
+		} else {
+			isc_buffer_printf(buf, "  No rollover scheduled");
+		}
+	}
+	isc_buffer_printf(buf, "\n");
+}
+
+static void
+keystate_status(dst_key_t *key, isc_buffer_t *buf, const char *pre, int ks) {
+	dst_key_state_t state = NA;
+
+	(void)dst_key_getstate(key, ks, &state);
+	switch (state) {
+	case HIDDEN:
+		isc_buffer_printf(buf, "  - %shidden\n", pre);
+		break;
+	case RUMOURED:
+		isc_buffer_printf(buf, "  - %srumoured\n", pre);
+		break;
+	case OMNIPRESENT:
+		isc_buffer_printf(buf, "  - %somnipresent\n", pre);
+		break;
+	case UNRETENTIVE:
+		isc_buffer_printf(buf, "  - %sunretentive\n", pre);
+		break;
+	case NA:
+	default:
+		/* print nothing */
+		break;
+	}
+}
+
+void
+dns_keymgr_status(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
+		  isc_stdtime_t now, char *out, size_t out_len) {
+	isc_buffer_t buf;
+	char timestr[26]; /* Minimal buf as per ctime_r() spec. */
+
+	REQUIRE(DNS_KASP_VALID(kasp));
+	REQUIRE(keyring != NULL);
+	REQUIRE(out != NULL);
+
+	isc_buffer_init(&buf, out, out_len);
+
+	// policy name
+	isc_buffer_printf(&buf, "dnssec-policy: %s\n", dns_kasp_getname(kasp));
+	isc_buffer_printf(&buf, "current time:  ");
+	isc_stdtime_tostring(now, timestr, sizeof(timestr));
+	isc_buffer_printf(&buf, "%s\n", timestr);
+
+	for (dns_dnsseckey_t *dkey = ISC_LIST_HEAD(*keyring); dkey != NULL;
+	     dkey = ISC_LIST_NEXT(dkey, link))
+	{
+		char algstr[DNS_NAME_FORMATSIZE];
+		bool ksk = false, zsk = false;
+		isc_result_t ret;
+
+		if (dst_key_is_unused(dkey->key)) {
+			continue;
+		}
+
+		// key data
+		dns_secalg_format((dns_secalg_t)dst_key_alg(dkey->key), algstr,
+				  sizeof(algstr));
+		isc_buffer_printf(&buf, "\nkey: %d (%s), %s\n",
+				  dst_key_id(dkey->key), algstr,
+				  keymgr_keyrole(dkey->key));
+
+		// publish status
+		keytime_status(dkey->key, now, &buf,
+			       "  published:      ", DST_KEY_DNSKEY,
+			       DST_TIME_PUBLISH);
+
+		// signing status
+		ret = dst_key_getbool(dkey->key, DST_BOOL_KSK, &ksk);
+		if (ret == ISC_R_SUCCESS && ksk) {
+			keytime_status(dkey->key, now, &buf,
+				       "  key signing:    ", DST_KEY_KRRSIG,
+				       DST_TIME_PUBLISH);
+		}
+		ret = dst_key_getbool(dkey->key, DST_BOOL_ZSK, &zsk);
+		if (ret == ISC_R_SUCCESS && zsk) {
+			keytime_status(dkey->key, now, &buf,
+				       "  zone signing:   ", DST_KEY_ZRRSIG,
+				       DST_TIME_ACTIVATE);
+		}
+
+		// rollover status
+		rollover_status(dkey, kasp, now, &buf, zsk);
+
+		// key states
+		keystate_status(dkey->key, &buf,
+				"goal:           ", DST_KEY_GOAL);
+		keystate_status(dkey->key, &buf,
+				"dnskey:         ", DST_KEY_DNSKEY);
+		keystate_status(dkey->key, &buf,
+				"ds:             ", DST_KEY_DS);
+		keystate_status(dkey->key, &buf,
+				"zone rrsig:     ", DST_KEY_ZRRSIG);
+		keystate_status(dkey->key, &buf,
+				"key rrsig:      ", DST_KEY_KRRSIG);
+	}
+}
+
+isc_result_t
+dns_keymgr_rollover(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
+		    const char *directory, isc_stdtime_t now,
+		    isc_stdtime_t when, dns_keytag_t id,
+		    unsigned int algorithm) {
+	int options = (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC | DST_TYPE_STATE);
+	isc_dir_t dir;
+	isc_result_t result;
+	dns_dnsseckey_t *key = NULL;
+	isc_stdtime_t active, retire, prepub;
+
+	REQUIRE(DNS_KASP_VALID(kasp));
+	REQUIRE(keyring != NULL);
+
+	for (dns_dnsseckey_t *dkey = ISC_LIST_HEAD(*keyring); dkey != NULL;
+	     dkey = ISC_LIST_NEXT(dkey, link))
+	{
+		if (dst_key_id(dkey->key) != id) {
+			continue;
+		}
+		if (algorithm > 0 && dst_key_alg(dkey->key) != algorithm) {
+			continue;
+		}
+		if (key != NULL) {
+			/*
+			 * Only rollover for one key at a time.
+			 */
+			return (DNS_R_TOOMANYKEYS);
+		}
+		key = dkey;
+	}
+
+	if (key == NULL) {
+		return (DNS_R_NOKEYMATCH);
+	}
+
+	result = dst_key_gettime(key->key, DST_TIME_ACTIVATE, &active);
+	if (result != ISC_R_SUCCESS || active > now) {
+		return (DNS_R_KEYNOTACTIVE);
+	}
+
+	result = dst_key_gettime(key->key, DST_TIME_INACTIVE, &retire);
+	if (result != ISC_R_SUCCESS) {
+		/**
+		 * Default to as if this key was not scheduled to
+		 * become retired, as if it had unlimited lifetime.
+		 */
+		retire = 0;
+	}
+
+	/**
+	 * Usually when is set to now, which is before the scheduled
+	 * prepublication time, meaning we reduce the lifetime of the
+	 * key. But in some cases, the lifetime can also be extended.
+	 * We accept it, but we can return an error here if that
+	 * turns out to be unintuitive behavior.
+	 */
+	prepub = dst_key_getttl(key->key) + dns_kasp_publishsafety(kasp) +
+		 dns_kasp_zonepropagationdelay(kasp);
+	retire = when + prepub;
+
+	dst_key_settime(key->key, DST_TIME_INACTIVE, retire);
+	dst_key_setnum(key->key, DST_NUM_LIFETIME, (retire - active));
+
+	/* Store key state and update hints. */
+	isc_dir_init(&dir);
+	if (directory == NULL) {
+		directory = ".";
+	}
+	result = isc_dir_open(&dir, directory);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	dns_dnssec_get_hints(key, now);
+	result = dst_key_tofile(key->key, options, directory);
+	if (result == ISC_R_SUCCESS) {
+		dst_key_setmodified(key->key, false);
+	}
+	isc_dir_close(&dir);
+
+	return (result);
+}
diff --git a/lib/dns/keytable.c b/lib/dns/keytable.c
new file mode 100644
index 0000000..e5786f1
--- /dev/null
+++ b/lib/dns/keytable.c
@@ -0,0 +1,943 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <stdbool.h>
+
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/refcount.h>
+#include <isc/rwlock.h>
+#include <isc/string.h> /* Required for HP/UX (and others?) */
+#include <isc/util.h>
+
+#include <dns/dnssec.h>
+#include <dns/fixedname.h>
+#include <dns/keytable.h>
+#include <dns/rbt.h>
+#include <dns/rdata.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/result.h>
+
+#define KEYTABLE_MAGIC	   ISC_MAGIC('K', 'T', 'b', 'l')
+#define VALID_KEYTABLE(kt) ISC_MAGIC_VALID(kt, KEYTABLE_MAGIC)
+
+#define KEYNODE_MAGIC	  ISC_MAGIC('K', 'N', 'o', 'd')
+#define VALID_KEYNODE(kn) ISC_MAGIC_VALID(kn, KEYNODE_MAGIC)
+
+struct dns_keytable {
+	/* Unlocked. */
+	unsigned int magic;
+	isc_mem_t *mctx;
+	isc_refcount_t references;
+	isc_rwlock_t rwlock;
+	/* Locked by rwlock. */
+	dns_rbt_t *table;
+};
+
+struct dns_keynode {
+	unsigned int magic;
+	isc_mem_t *mctx;
+	isc_refcount_t refcount;
+	isc_rwlock_t rwlock;
+	dns_rdatalist_t *dslist;
+	dns_rdataset_t dsset;
+	bool managed;
+	bool initial;
+};
+
+static dns_keynode_t *
+new_keynode(dns_rdata_ds_t *ds, dns_keytable_t *keytable, bool managed,
+	    bool initial);
+
+static void
+keynode_disassociate(dns_rdataset_t *rdataset);
+static isc_result_t
+keynode_first(dns_rdataset_t *rdataset);
+static isc_result_t
+keynode_next(dns_rdataset_t *rdataset);
+static void
+keynode_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata);
+static void
+keynode_clone(dns_rdataset_t *source, dns_rdataset_t *target);
+
+static dns_rdatasetmethods_t methods = {
+	keynode_disassociate,
+	keynode_first,
+	keynode_next,
+	keynode_current,
+	keynode_clone,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL, /* settrust */
+	NULL, /* expire */
+	NULL, /* clearprefetch */
+	NULL,
+	NULL,
+	NULL /* addglue */
+};
+
+static void
+keynode_attach(dns_keynode_t *source, dns_keynode_t **target) {
+	REQUIRE(VALID_KEYNODE(source));
+	isc_refcount_increment(&source->refcount);
+	*target = source;
+}
+
+static void
+keynode_detach(isc_mem_t *mctx, dns_keynode_t **keynodep) {
+	REQUIRE(keynodep != NULL && VALID_KEYNODE(*keynodep));
+	dns_keynode_t *knode = *keynodep;
+	*keynodep = NULL;
+
+	if (isc_refcount_decrement(&knode->refcount) == 1) {
+		dns_rdata_t *rdata = NULL;
+		isc_refcount_destroy(&knode->refcount);
+		isc_rwlock_destroy(&knode->rwlock);
+		if (knode->dslist != NULL) {
+			for (rdata = ISC_LIST_HEAD(knode->dslist->rdata);
+			     rdata != NULL;
+			     rdata = ISC_LIST_HEAD(knode->dslist->rdata))
+			{
+				ISC_LIST_UNLINK(knode->dslist->rdata, rdata,
+						link);
+				isc_mem_put(mctx, rdata->data,
+					    DNS_DS_BUFFERSIZE);
+				isc_mem_put(mctx, rdata, sizeof(*rdata));
+			}
+
+			isc_mem_put(mctx, knode->dslist,
+				    sizeof(*knode->dslist));
+			knode->dslist = NULL;
+		}
+		isc_mem_putanddetach(&knode->mctx, knode,
+				     sizeof(dns_keynode_t));
+	}
+}
+
+static void
+free_keynode(void *node, void *arg) {
+	dns_keynode_t *keynode = node;
+	isc_mem_t *mctx = arg;
+
+	keynode_detach(mctx, &keynode);
+}
+
+isc_result_t
+dns_keytable_create(isc_mem_t *mctx, dns_keytable_t **keytablep) {
+	dns_keytable_t *keytable;
+	isc_result_t result;
+
+	/*
+	 * Create a keytable.
+	 */
+
+	REQUIRE(keytablep != NULL && *keytablep == NULL);
+
+	keytable = isc_mem_get(mctx, sizeof(*keytable));
+
+	keytable->table = NULL;
+	result = dns_rbt_create(mctx, free_keynode, mctx, &keytable->table);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_keytable;
+	}
+
+	isc_rwlock_init(&keytable->rwlock, 0, 0);
+	isc_refcount_init(&keytable->references, 1);
+
+	keytable->mctx = NULL;
+	isc_mem_attach(mctx, &keytable->mctx);
+	keytable->magic = KEYTABLE_MAGIC;
+	*keytablep = keytable;
+
+	return (ISC_R_SUCCESS);
+
+cleanup_keytable:
+	isc_mem_putanddetach(&mctx, keytable, sizeof(*keytable));
+
+	return (result);
+}
+
+void
+dns_keytable_attach(dns_keytable_t *source, dns_keytable_t **targetp) {
+	REQUIRE(VALID_KEYTABLE(source));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	isc_refcount_increment(&source->references);
+
+	*targetp = source;
+}
+
+void
+dns_keytable_detach(dns_keytable_t **keytablep) {
+	REQUIRE(keytablep != NULL && VALID_KEYTABLE(*keytablep));
+	dns_keytable_t *keytable = *keytablep;
+	*keytablep = NULL;
+
+	if (isc_refcount_decrement(&keytable->references) == 1) {
+		isc_refcount_destroy(&keytable->references);
+		dns_rbt_destroy(&keytable->table);
+		isc_rwlock_destroy(&keytable->rwlock);
+		keytable->magic = 0;
+		isc_mem_putanddetach(&keytable->mctx, keytable,
+				     sizeof(*keytable));
+	}
+}
+
+static void
+add_ds(dns_keynode_t *knode, dns_rdata_ds_t *ds, isc_mem_t *mctx) {
+	isc_result_t result;
+	dns_rdata_t *dsrdata = NULL, *rdata = NULL;
+	void *data = NULL;
+	bool exists = false;
+	isc_buffer_t b;
+
+	dsrdata = isc_mem_get(mctx, sizeof(*dsrdata));
+	dns_rdata_init(dsrdata);
+
+	data = isc_mem_get(mctx, DNS_DS_BUFFERSIZE);
+	isc_buffer_init(&b, data, DNS_DS_BUFFERSIZE);
+
+	result = dns_rdata_fromstruct(dsrdata, dns_rdataclass_in,
+				      dns_rdatatype_ds, ds, &b);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	RWLOCK(&knode->rwlock, isc_rwlocktype_write);
+
+	if (knode->dslist == NULL) {
+		knode->dslist = isc_mem_get(mctx, sizeof(*knode->dslist));
+		dns_rdatalist_init(knode->dslist);
+		knode->dslist->rdclass = dns_rdataclass_in;
+		knode->dslist->type = dns_rdatatype_ds;
+
+		INSIST(knode->dsset.methods == NULL);
+		knode->dsset.methods = &methods;
+		knode->dsset.rdclass = knode->dslist->rdclass;
+		knode->dsset.type = knode->dslist->type;
+		knode->dsset.covers = knode->dslist->covers;
+		knode->dsset.ttl = knode->dslist->ttl;
+		knode->dsset.private1 = knode;
+		knode->dsset.private2 = NULL;
+		knode->dsset.private3 = NULL;
+		knode->dsset.privateuint4 = 0;
+		knode->dsset.private5 = NULL;
+		knode->dsset.trust = dns_trust_ultimate;
+	}
+
+	for (rdata = ISC_LIST_HEAD(knode->dslist->rdata); rdata != NULL;
+	     rdata = ISC_LIST_NEXT(rdata, link))
+	{
+		if (dns_rdata_compare(rdata, dsrdata) == 0) {
+			exists = true;
+			break;
+		}
+	}
+
+	if (exists) {
+		isc_mem_put(mctx, dsrdata->data, DNS_DS_BUFFERSIZE);
+		isc_mem_put(mctx, dsrdata, sizeof(*dsrdata));
+	} else {
+		ISC_LIST_APPEND(knode->dslist->rdata, dsrdata, link);
+	}
+
+	RWUNLOCK(&knode->rwlock, isc_rwlocktype_write);
+}
+
+static isc_result_t
+delete_ds(dns_keytable_t *keytable, dns_rbtnode_t *node, dns_rdata_ds_t *ds) {
+	dns_keynode_t *knode = node->data;
+	isc_result_t result;
+	dns_rdata_t dsrdata = DNS_RDATA_INIT;
+	dns_rdata_t *rdata = NULL;
+	unsigned char data[DNS_DS_BUFFERSIZE];
+	bool found = false;
+	isc_buffer_t b;
+
+	RWLOCK(&knode->rwlock, isc_rwlocktype_read);
+	if (knode->dslist == NULL) {
+		RWUNLOCK(&knode->rwlock, isc_rwlocktype_read);
+		return (ISC_R_SUCCESS);
+	}
+
+	isc_buffer_init(&b, data, DNS_DS_BUFFERSIZE);
+
+	result = dns_rdata_fromstruct(&dsrdata, dns_rdataclass_in,
+				      dns_rdatatype_ds, ds, &b);
+	if (result != ISC_R_SUCCESS) {
+		RWUNLOCK(&knode->rwlock, isc_rwlocktype_write);
+		return (result);
+	}
+
+	for (rdata = ISC_LIST_HEAD(knode->dslist->rdata); rdata != NULL;
+	     rdata = ISC_LIST_NEXT(rdata, link))
+	{
+		if (dns_rdata_compare(rdata, &dsrdata) == 0) {
+			found = true;
+			break;
+		}
+	}
+
+	if (!found) {
+		RWUNLOCK(&knode->rwlock, isc_rwlocktype_read);
+		/*
+		 * The keyname must have matched or we wouldn't be here,
+		 * so we use DNS_R_PARTIALMATCH instead of ISC_R_NOTFOUND.
+		 */
+		return (DNS_R_PARTIALMATCH);
+	}
+
+	/*
+	 * Replace knode with a new instance without the DS.
+	 */
+	node->data = new_keynode(NULL, keytable, knode->managed,
+				 knode->initial);
+	for (rdata = ISC_LIST_HEAD(knode->dslist->rdata); rdata != NULL;
+	     rdata = ISC_LIST_NEXT(rdata, link))
+	{
+		if (dns_rdata_compare(rdata, &dsrdata) != 0) {
+			dns_rdata_ds_t ds0;
+			result = dns_rdata_tostruct(rdata, &ds0, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			add_ds(node->data, &ds0, keytable->mctx);
+		}
+	}
+	RWUNLOCK(&knode->rwlock, isc_rwlocktype_read);
+
+	keynode_detach(keytable->mctx, &knode);
+
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Create a keynode for "ds" (or a null key node if "ds" is NULL), set
+ * "managed" and "initial" as requested and attach the keynode to
+ * to "node" in "keytable".
+ */
+static dns_keynode_t *
+new_keynode(dns_rdata_ds_t *ds, dns_keytable_t *keytable, bool managed,
+	    bool initial) {
+	dns_keynode_t *knode = NULL;
+
+	REQUIRE(VALID_KEYTABLE(keytable));
+	REQUIRE(!initial || managed);
+
+	knode = isc_mem_get(keytable->mctx, sizeof(dns_keynode_t));
+	*knode = (dns_keynode_t){ .magic = KEYNODE_MAGIC };
+
+	dns_rdataset_init(&knode->dsset);
+	isc_refcount_init(&knode->refcount, 1);
+	isc_rwlock_init(&knode->rwlock, 0, 0);
+
+	/*
+	 * If a DS was supplied, initialize an rdatalist.
+	 */
+	if (ds != NULL) {
+		add_ds(knode, ds, keytable->mctx);
+	}
+
+	isc_mem_attach(keytable->mctx, &knode->mctx);
+	knode->managed = managed;
+	knode->initial = initial;
+
+	return (knode);
+}
+
+/*%
+ * Add key trust anchor "ds" at "keyname" in "keytable".  If an anchor
+ * already exists at the requested name does not contain "ds", update it.
+ * If "ds" is NULL, add a null key to indicate that "keyname" should be
+ * treated as a secure domain without supplying key data which would allow
+ * the domain to be validated.
+ */
+static isc_result_t
+insert(dns_keytable_t *keytable, bool managed, bool initial,
+       const dns_name_t *keyname, dns_rdata_ds_t *ds) {
+	dns_rbtnode_t *node = NULL;
+	isc_result_t result;
+
+	REQUIRE(VALID_KEYTABLE(keytable));
+
+	RWLOCK(&keytable->rwlock, isc_rwlocktype_write);
+
+	result = dns_rbt_addnode(keytable->table, keyname, &node);
+	if (result == ISC_R_SUCCESS) {
+		/*
+		 * There was no node for "keyname" in "keytable" yet, so one
+		 * was created.  Create a new key node for the supplied
+		 * trust anchor (or a null key node if "ds" is NULL)
+		 * and attach it to the created node.
+		 */
+		node->data = new_keynode(ds, keytable, managed, initial);
+	} else if (result == ISC_R_EXISTS) {
+		/*
+		 * A node already exists for "keyname" in "keytable".
+		 */
+		if (ds != NULL) {
+			dns_keynode_t *knode = node->data;
+			if (knode == NULL) {
+				node->data = new_keynode(ds, keytable, managed,
+							 initial);
+			} else {
+				add_ds(knode, ds, keytable->mctx);
+			}
+		}
+		result = ISC_R_SUCCESS;
+	}
+
+	RWUNLOCK(&keytable->rwlock, isc_rwlocktype_write);
+
+	return (result);
+}
+
+isc_result_t
+dns_keytable_add(dns_keytable_t *keytable, bool managed, bool initial,
+		 dns_name_t *name, dns_rdata_ds_t *ds) {
+	REQUIRE(ds != NULL);
+	REQUIRE(!initial || managed);
+
+	return (insert(keytable, managed, initial, name, ds));
+}
+
+isc_result_t
+dns_keytable_marksecure(dns_keytable_t *keytable, const dns_name_t *name) {
+	return (insert(keytable, true, false, name, NULL));
+}
+
+isc_result_t
+dns_keytable_delete(dns_keytable_t *keytable, const dns_name_t *keyname) {
+	isc_result_t result;
+	dns_rbtnode_t *node = NULL;
+
+	REQUIRE(VALID_KEYTABLE(keytable));
+	REQUIRE(keyname != NULL);
+
+	RWLOCK(&keytable->rwlock, isc_rwlocktype_write);
+	result = dns_rbt_findnode(keytable->table, keyname, NULL, &node, NULL,
+				  DNS_RBTFIND_NOOPTIONS, NULL, NULL);
+	if (result == ISC_R_SUCCESS) {
+		if (node->data != NULL) {
+			result = dns_rbt_deletenode(keytable->table, node,
+						    false);
+		} else {
+			result = ISC_R_NOTFOUND;
+		}
+	} else if (result == DNS_R_PARTIALMATCH) {
+		result = ISC_R_NOTFOUND;
+	}
+	RWUNLOCK(&keytable->rwlock, isc_rwlocktype_write);
+
+	return (result);
+}
+
+isc_result_t
+dns_keytable_deletekey(dns_keytable_t *keytable, const dns_name_t *keyname,
+		       dns_rdata_dnskey_t *dnskey) {
+	isc_result_t result;
+	dns_rbtnode_t *node = NULL;
+	dns_keynode_t *knode = NULL;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	unsigned char data[4096], digest[DNS_DS_BUFFERSIZE];
+	dns_rdata_ds_t ds;
+	isc_buffer_t b;
+
+	REQUIRE(VALID_KEYTABLE(keytable));
+	REQUIRE(dnskey != NULL);
+
+	RWLOCK(&keytable->rwlock, isc_rwlocktype_write);
+	result = dns_rbt_findnode(keytable->table, keyname, NULL, &node, NULL,
+				  DNS_RBTFIND_NOOPTIONS, NULL, NULL);
+
+	if (result == DNS_R_PARTIALMATCH) {
+		result = ISC_R_NOTFOUND;
+	}
+	if (result != ISC_R_SUCCESS) {
+		goto finish;
+	}
+
+	if (node->data == NULL) {
+		result = ISC_R_NOTFOUND;
+		goto finish;
+	}
+
+	knode = node->data;
+
+	RWLOCK(&knode->rwlock, isc_rwlocktype_read);
+	if (knode->dslist == NULL) {
+		RWUNLOCK(&knode->rwlock, isc_rwlocktype_read);
+		result = DNS_R_PARTIALMATCH;
+		goto finish;
+	}
+	RWUNLOCK(&knode->rwlock, isc_rwlocktype_read);
+
+	isc_buffer_init(&b, data, sizeof(data));
+	result = dns_rdata_fromstruct(&rdata, dnskey->common.rdclass,
+				      dns_rdatatype_dnskey, dnskey, &b);
+	if (result != ISC_R_SUCCESS) {
+		goto finish;
+	}
+
+	result = dns_ds_fromkeyrdata(keyname, &rdata, DNS_DSDIGEST_SHA256,
+				     digest, &ds);
+	if (result != ISC_R_SUCCESS) {
+		goto finish;
+	}
+
+	result = delete_ds(keytable, node, &ds);
+
+finish:
+	RWUNLOCK(&keytable->rwlock, isc_rwlocktype_write);
+	return (result);
+}
+
+isc_result_t
+dns_keytable_find(dns_keytable_t *keytable, const dns_name_t *keyname,
+		  dns_keynode_t **keynodep) {
+	isc_result_t result;
+	dns_rbtnode_t *node = NULL;
+
+	REQUIRE(VALID_KEYTABLE(keytable));
+	REQUIRE(keyname != NULL);
+	REQUIRE(keynodep != NULL && *keynodep == NULL);
+
+	RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
+	result = dns_rbt_findnode(keytable->table, keyname, NULL, &node, NULL,
+				  DNS_RBTFIND_NOOPTIONS, NULL, NULL);
+	if (result == ISC_R_SUCCESS) {
+		if (node->data != NULL) {
+			keynode_attach(node->data, keynodep);
+		} else {
+			result = ISC_R_NOTFOUND;
+		}
+	} else if (result == DNS_R_PARTIALMATCH) {
+		result = ISC_R_NOTFOUND;
+	}
+	RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read);
+
+	return (result);
+}
+
+isc_result_t
+dns_keytable_finddeepestmatch(dns_keytable_t *keytable, const dns_name_t *name,
+			      dns_name_t *foundname) {
+	isc_result_t result;
+	void *data;
+
+	/*
+	 * Search for the deepest match in 'keytable'.
+	 */
+
+	REQUIRE(VALID_KEYTABLE(keytable));
+	REQUIRE(dns_name_isabsolute(name));
+	REQUIRE(foundname != NULL);
+
+	RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
+
+	data = NULL;
+	result = dns_rbt_findname(keytable->table, name, 0, foundname, &data);
+
+	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
+		result = ISC_R_SUCCESS;
+	}
+
+	RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read);
+
+	return (result);
+}
+
+void
+dns_keytable_detachkeynode(dns_keytable_t *keytable, dns_keynode_t **keynodep) {
+	/*
+	 * Give back a keynode found via dns_keytable_findkeynode().
+	 */
+
+	REQUIRE(VALID_KEYTABLE(keytable));
+	REQUIRE(keynodep != NULL && VALID_KEYNODE(*keynodep));
+
+	keynode_detach(keytable->mctx, keynodep);
+}
+
+isc_result_t
+dns_keytable_issecuredomain(dns_keytable_t *keytable, const dns_name_t *name,
+			    dns_name_t *foundname, bool *wantdnssecp) {
+	isc_result_t result;
+	dns_rbtnode_t *node = NULL;
+
+	/*
+	 * Is 'name' at or beneath a trusted key?
+	 */
+
+	REQUIRE(VALID_KEYTABLE(keytable));
+	REQUIRE(dns_name_isabsolute(name));
+	REQUIRE(wantdnssecp != NULL);
+
+	RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
+
+	result = dns_rbt_findnode(keytable->table, name, foundname, &node, NULL,
+				  DNS_RBTFIND_NOOPTIONS, NULL, NULL);
+	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
+		INSIST(node->data != NULL);
+		*wantdnssecp = true;
+		result = ISC_R_SUCCESS;
+	} else if (result == ISC_R_NOTFOUND) {
+		*wantdnssecp = false;
+		result = ISC_R_SUCCESS;
+	}
+
+	RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read);
+
+	return (result);
+}
+
+static isc_result_t
+putstr(isc_buffer_t **b, const char *str) {
+	isc_result_t result;
+
+	result = isc_buffer_reserve(b, strlen(str));
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	isc_buffer_putstr(*b, str);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_keytable_dump(dns_keytable_t *keytable, FILE *fp) {
+	isc_result_t result;
+	isc_buffer_t *text = NULL;
+
+	REQUIRE(VALID_KEYTABLE(keytable));
+	REQUIRE(fp != NULL);
+
+	isc_buffer_allocate(keytable->mctx, &text, 4096);
+
+	result = dns_keytable_totext(keytable, &text);
+
+	if (isc_buffer_usedlength(text) != 0) {
+		(void)putstr(&text, "\n");
+	} else if (result == ISC_R_SUCCESS) {
+		(void)putstr(&text, "none");
+	} else {
+		(void)putstr(&text, "could not dump key table: ");
+		(void)putstr(&text, isc_result_totext(result));
+	}
+
+	fprintf(fp, "%.*s", (int)isc_buffer_usedlength(text),
+		(char *)isc_buffer_base(text));
+
+	isc_buffer_free(&text);
+	return (result);
+}
+
+static isc_result_t
+keynode_dslist_totext(dns_name_t *name, dns_keynode_t *keynode,
+		      isc_buffer_t **text) {
+	isc_result_t result;
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char obuf[DNS_NAME_FORMATSIZE + 200];
+	dns_rdataset_t dsset;
+
+	dns_name_format(name, namebuf, sizeof(namebuf));
+
+	dns_rdataset_init(&dsset);
+	if (!dns_keynode_dsset(keynode, &dsset)) {
+		return (ISC_R_SUCCESS);
+	}
+
+	for (result = dns_rdataset_first(&dsset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&dsset))
+	{
+		char algbuf[DNS_SECALG_FORMATSIZE];
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_rdata_ds_t ds;
+
+		dns_rdataset_current(&dsset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &ds, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		dns_secalg_format(ds.algorithm, algbuf, sizeof(algbuf));
+
+		RWLOCK(&keynode->rwlock, isc_rwlocktype_read);
+		snprintf(obuf, sizeof(obuf), "%s/%s/%d ; %s%s\n", namebuf,
+			 algbuf, ds.key_tag,
+			 keynode->initial ? "initializing " : "",
+			 keynode->managed ? "managed" : "static");
+		RWUNLOCK(&keynode->rwlock, isc_rwlocktype_read);
+
+		result = putstr(text, obuf);
+		if (result != ISC_R_SUCCESS) {
+			dns_rdataset_disassociate(&dsset);
+			return (result);
+		}
+	}
+	dns_rdataset_disassociate(&dsset);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_keytable_totext(dns_keytable_t *keytable, isc_buffer_t **text) {
+	isc_result_t result;
+	dns_keynode_t *knode;
+	dns_rbtnode_t *node;
+	dns_rbtnodechain_t chain;
+	dns_name_t *foundname, *origin, *fullname;
+	dns_fixedname_t fixedfoundname, fixedorigin, fixedfullname;
+
+	REQUIRE(VALID_KEYTABLE(keytable));
+	REQUIRE(text != NULL && *text != NULL);
+
+	origin = dns_fixedname_initname(&fixedorigin);
+	fullname = dns_fixedname_initname(&fixedfullname);
+	foundname = dns_fixedname_initname(&fixedfoundname);
+
+	RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
+	dns_rbtnodechain_init(&chain);
+	result = dns_rbtnodechain_first(&chain, keytable->table, NULL, NULL);
+	if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+		if (result == ISC_R_NOTFOUND) {
+			result = ISC_R_SUCCESS;
+		}
+		goto cleanup;
+	}
+	for (;;) {
+		dns_rbtnodechain_current(&chain, foundname, origin, &node);
+
+		knode = node->data;
+		if (knode != NULL && knode->dslist != NULL) {
+			result = dns_name_concatenate(foundname, origin,
+						      fullname, NULL);
+			if (result != ISC_R_SUCCESS) {
+				goto cleanup;
+			}
+
+			result = keynode_dslist_totext(fullname, knode, text);
+			if (result != ISC_R_SUCCESS) {
+				goto cleanup;
+			}
+		}
+
+		result = dns_rbtnodechain_next(&chain, NULL, NULL);
+		if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+			if (result == ISC_R_NOMORE) {
+				result = ISC_R_SUCCESS;
+			}
+			break;
+		}
+	}
+
+cleanup:
+	dns_rbtnodechain_invalidate(&chain);
+	RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read);
+	return (result);
+}
+
+isc_result_t
+dns_keytable_forall(dns_keytable_t *keytable,
+		    void (*func)(dns_keytable_t *, dns_keynode_t *,
+				 dns_name_t *, void *),
+		    void *arg) {
+	isc_result_t result;
+	dns_rbtnode_t *node;
+	dns_rbtnodechain_t chain;
+	dns_fixedname_t fixedfoundname, fixedorigin, fixedfullname;
+	dns_name_t *foundname, *origin, *fullname;
+
+	REQUIRE(VALID_KEYTABLE(keytable));
+
+	origin = dns_fixedname_initname(&fixedorigin);
+	fullname = dns_fixedname_initname(&fixedfullname);
+	foundname = dns_fixedname_initname(&fixedfoundname);
+
+	RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
+	dns_rbtnodechain_init(&chain);
+	result = dns_rbtnodechain_first(&chain, keytable->table, NULL, NULL);
+	if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+		if (result == ISC_R_NOTFOUND) {
+			result = ISC_R_SUCCESS;
+		}
+		goto cleanup;
+	}
+
+	for (;;) {
+		dns_rbtnodechain_current(&chain, foundname, origin, &node);
+		if (node->data != NULL) {
+			result = dns_name_concatenate(foundname, origin,
+						      fullname, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			(*func)(keytable, node->data, fullname, arg);
+		}
+		result = dns_rbtnodechain_next(&chain, NULL, NULL);
+		if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+			if (result == ISC_R_NOMORE) {
+				result = ISC_R_SUCCESS;
+			}
+			break;
+		}
+	}
+
+cleanup:
+	dns_rbtnodechain_invalidate(&chain);
+	RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read);
+	return (result);
+}
+
+bool
+dns_keynode_dsset(dns_keynode_t *keynode, dns_rdataset_t *rdataset) {
+	bool result;
+	REQUIRE(VALID_KEYNODE(keynode));
+	REQUIRE(rdataset == NULL || DNS_RDATASET_VALID(rdataset));
+
+	RWLOCK(&keynode->rwlock, isc_rwlocktype_read);
+	if (keynode->dslist != NULL) {
+		if (rdataset != NULL) {
+			keynode_clone(&keynode->dsset, rdataset);
+		}
+		result = true;
+	} else {
+		result = false;
+	}
+	RWUNLOCK(&keynode->rwlock, isc_rwlocktype_read);
+	return (result);
+}
+
+bool
+dns_keynode_managed(dns_keynode_t *keynode) {
+	bool managed;
+
+	REQUIRE(VALID_KEYNODE(keynode));
+
+	RWLOCK(&keynode->rwlock, isc_rwlocktype_read);
+	managed = keynode->managed;
+	RWUNLOCK(&keynode->rwlock, isc_rwlocktype_read);
+
+	return (managed);
+}
+
+bool
+dns_keynode_initial(dns_keynode_t *keynode) {
+	bool initial;
+
+	REQUIRE(VALID_KEYNODE(keynode));
+
+	RWLOCK(&keynode->rwlock, isc_rwlocktype_read);
+	initial = keynode->initial;
+	RWUNLOCK(&keynode->rwlock, isc_rwlocktype_read);
+
+	return (initial);
+}
+
+void
+dns_keynode_trust(dns_keynode_t *keynode) {
+	REQUIRE(VALID_KEYNODE(keynode));
+
+	RWLOCK(&keynode->rwlock, isc_rwlocktype_write);
+	keynode->initial = false;
+	RWUNLOCK(&keynode->rwlock, isc_rwlocktype_write);
+}
+
+static void
+keynode_disassociate(dns_rdataset_t *rdataset) {
+	dns_keynode_t *keynode;
+
+	REQUIRE(rdataset != NULL);
+	REQUIRE(rdataset->methods == &methods);
+
+	rdataset->methods = NULL;
+	keynode = rdataset->private1;
+	rdataset->private1 = NULL;
+
+	keynode_detach(keynode->mctx, &keynode);
+}
+
+static isc_result_t
+keynode_first(dns_rdataset_t *rdataset) {
+	dns_keynode_t *keynode;
+
+	REQUIRE(rdataset != NULL);
+	REQUIRE(rdataset->methods == &methods);
+
+	keynode = rdataset->private1;
+	RWLOCK(&keynode->rwlock, isc_rwlocktype_read);
+	rdataset->private2 = ISC_LIST_HEAD(keynode->dslist->rdata);
+	RWUNLOCK(&keynode->rwlock, isc_rwlocktype_read);
+
+	if (rdataset->private2 == NULL) {
+		return (ISC_R_NOMORE);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+keynode_next(dns_rdataset_t *rdataset) {
+	dns_keynode_t *keynode;
+	dns_rdata_t *rdata;
+
+	REQUIRE(rdataset != NULL);
+	REQUIRE(rdataset->methods == &methods);
+
+	rdata = rdataset->private2;
+	if (rdata == NULL) {
+		return (ISC_R_NOMORE);
+	}
+
+	keynode = rdataset->private1;
+	RWLOCK(&keynode->rwlock, isc_rwlocktype_read);
+	rdataset->private2 = ISC_LIST_NEXT(rdata, link);
+	RWUNLOCK(&keynode->rwlock, isc_rwlocktype_read);
+
+	if (rdataset->private2 == NULL) {
+		return (ISC_R_NOMORE);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+keynode_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
+	dns_rdata_t *list_rdata;
+
+	REQUIRE(rdataset != NULL);
+	REQUIRE(rdataset->methods == &methods);
+
+	list_rdata = rdataset->private2;
+	INSIST(list_rdata != NULL);
+
+	dns_rdata_clone(list_rdata, rdata);
+}
+
+static void
+keynode_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
+	dns_keynode_t *keynode;
+
+	REQUIRE(source != NULL);
+	REQUIRE(target != NULL);
+	REQUIRE(source->methods == &methods);
+
+	keynode = source->private1;
+	isc_refcount_increment(&keynode->refcount);
+
+	*target = *source;
+
+	/*
+	 * Reset iterator state.
+	 */
+	target->private2 = NULL;
+}
diff --git a/lib/dns/lib.c b/lib/dns/lib.c
new file mode 100644
index 0000000..e8eab73
--- /dev/null
+++ b/lib/dns/lib.c
@@ -0,0 +1,119 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <stdbool.h>
+#include <stddef.h>
+
+#include <isc/hash.h>
+#include <isc/mem.h>
+#include <isc/mutex.h>
+#include <isc/once.h>
+#include <isc/refcount.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/ecdb.h>
+#include <dns/lib.h>
+#include <dns/result.h>
+
+#include <dst/dst.h>
+
+/***
+ *** Globals
+ ***/
+
+LIBDNS_EXTERNAL_DATA unsigned int dns_pps = 0U;
+
+/***
+ *** Functions
+ ***/
+
+static isc_once_t init_once = ISC_ONCE_INIT;
+static isc_mem_t *dns_g_mctx = NULL;
+static dns_dbimplementation_t *dbimp = NULL;
+static bool initialize_done = false;
+static isc_refcount_t references;
+
+static void
+initialize(void) {
+	isc_result_t result;
+
+	REQUIRE(!initialize_done);
+
+	isc_refcount_init(&references, 0);
+
+	isc_mem_create(&dns_g_mctx);
+	dns_result_register();
+	result = dns_ecdb_register(dns_g_mctx, &dbimp);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_mctx;
+	}
+
+	result = dst_lib_init(dns_g_mctx, NULL);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_db;
+	}
+
+	initialize_done = true;
+	return;
+
+cleanup_db:
+	if (dbimp != NULL) {
+		dns_ecdb_unregister(&dbimp);
+	}
+cleanup_mctx:
+	if (dns_g_mctx != NULL) {
+		isc_mem_detach(&dns_g_mctx);
+	}
+}
+
+isc_result_t
+dns_lib_init(void) {
+	isc_result_t result;
+
+	/*
+	 * Since this routine is expected to be used by a normal application,
+	 * it should be better to return an error, instead of an emergency
+	 * abort, on any failure.
+	 */
+	result = isc_once_do(&init_once, initialize);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	if (!initialize_done) {
+		return (ISC_R_FAILURE);
+	}
+
+	isc_refcount_increment0(&references);
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_lib_shutdown(void) {
+	if (isc_refcount_decrement(&references) == 1) {
+		dst_lib_destroy();
+
+		isc_refcount_destroy(&references);
+
+		if (dbimp != NULL) {
+			dns_ecdb_unregister(&dbimp);
+		}
+		if (dns_g_mctx != NULL) {
+			isc_mem_detach(&dns_g_mctx);
+		}
+	}
+}
diff --git a/lib/dns/log.c b/lib/dns/log.c
new file mode 100644
index 0000000..af8a7d9
--- /dev/null
+++ b/lib/dns/log.c
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <isc/util.h>
+
+#include <dns/log.h>
+
+/*%
+ * When adding a new category, be sure to add the appropriate
+ * \#define to <dns/log.h>.
+ */
+LIBDNS_EXTERNAL_DATA isc_logcategory_t dns_categories[] = {
+	{ "notify", 0 },
+	{ "database", 0 },
+	{ "security", 0 },
+	{ "_placeholder", 0 },
+	{ "dnssec", 0 },
+	{ "resolver", 0 },
+	{ "xfer-in", 0 },
+	{ "xfer-out", 0 },
+	{ "dispatch", 0 },
+	{ "lame-servers", 0 },
+	{ "delegation-only", 0 },
+	{ "edns-disabled", 0 },
+	{ "rpz", 0 },
+	{ "rate-limit", 0 },
+	{ "cname", 0 },
+	{ "spill", 0 },
+	{ "dnstap", 0 },
+	{ "zoneload", 0 },
+	{ "nsid", 0 },
+	{ NULL, 0 }
+};
+
+/*%
+ * When adding a new module, be sure to add the appropriate
+ * \#define to <dns/log.h>.
+ */
+LIBDNS_EXTERNAL_DATA isc_logmodule_t dns_modules[] = {
+	{ "dns/db", 0 },	 { "dns/rbtdb", 0 },
+	{ "dns/rbt", 0 },	 { "dns/rdata", 0 },
+	{ "dns/master", 0 },	 { "dns/message", 0 },
+	{ "dns/cache", 0 },	 { "dns/config", 0 },
+	{ "dns/resolver", 0 },	 { "dns/zone", 0 },
+	{ "dns/journal", 0 },	 { "dns/adb", 0 },
+	{ "dns/xfrin", 0 },	 { "dns/xfrout", 0 },
+	{ "dns/acl", 0 },	 { "dns/validator", 0 },
+	{ "dns/dispatch", 0 },	 { "dns/request", 0 },
+	{ "dns/masterdump", 0 }, { "dns/tsig", 0 },
+	{ "dns/tkey", 0 },	 { "dns/sdb", 0 },
+	{ "dns/diff", 0 },	 { "dns/hints", 0 },
+	{ "dns/unused1", 0 },	 { "dns/dlz", 0 },
+	{ "dns/dnssec", 0 },	 { "dns/crypto", 0 },
+	{ "dns/packets", 0 },	 { "dns/nta", 0 },
+	{ "dns/dyndb", 0 },	 { "dns/dnstap", 0 },
+	{ "dns/ssu", 0 },	 { NULL, 0 }
+};
+
+LIBDNS_EXTERNAL_DATA isc_log_t *dns_lctx = NULL;
+
+void
+dns_log_init(isc_log_t *lctx) {
+	REQUIRE(lctx != NULL);
+
+	isc_log_registercategories(lctx, dns_categories);
+	isc_log_registermodules(lctx, dns_modules);
+}
+
+void
+dns_log_setcontext(isc_log_t *lctx) {
+	dns_lctx = lctx;
+}
diff --git a/lib/dns/lookup.c b/lib/dns/lookup.c
new file mode 100644
index 0000000..5d3ee70
--- /dev/null
+++ b/lib/dns/lookup.c
@@ -0,0 +1,450 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <stdbool.h>
+
+#include <isc/mem.h>
+#include <isc/netaddr.h>
+#include <isc/string.h> /* Required for HP/UX (and others?) */
+#include <isc/task.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/events.h>
+#include <dns/lookup.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/resolver.h>
+#include <dns/result.h>
+#include <dns/view.h>
+
+struct dns_lookup {
+	/* Unlocked. */
+	unsigned int magic;
+	isc_mem_t *mctx;
+	isc_mutex_t lock;
+	dns_rdatatype_t type;
+	dns_fixedname_t name;
+	/* Locked by lock. */
+	unsigned int options;
+	isc_task_t *task;
+	dns_view_t *view;
+	dns_lookupevent_t *event;
+	dns_fetch_t *fetch;
+	unsigned int restarts;
+	bool canceled;
+	dns_rdataset_t rdataset;
+	dns_rdataset_t sigrdataset;
+};
+
+#define LOOKUP_MAGIC	ISC_MAGIC('l', 'o', 'o', 'k')
+#define VALID_LOOKUP(l) ISC_MAGIC_VALID((l), LOOKUP_MAGIC)
+
+#define MAX_RESTARTS 16
+
+static void
+lookup_find(dns_lookup_t *lookup, dns_fetchevent_t *event);
+
+static void
+fetch_done(isc_task_t *task, isc_event_t *event) {
+	dns_lookup_t *lookup = event->ev_arg;
+	dns_fetchevent_t *fevent;
+
+	UNUSED(task);
+	REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE);
+	REQUIRE(VALID_LOOKUP(lookup));
+	REQUIRE(lookup->task == task);
+	fevent = (dns_fetchevent_t *)event;
+	REQUIRE(fevent->fetch == lookup->fetch);
+
+	lookup_find(lookup, fevent);
+}
+
+static isc_result_t
+start_fetch(dns_lookup_t *lookup) {
+	isc_result_t result;
+
+	/*
+	 * The caller must be holding the lookup's lock.
+	 */
+
+	REQUIRE(lookup->fetch == NULL);
+
+	result = dns_resolver_createfetch(
+		lookup->view->resolver, dns_fixedname_name(&lookup->name),
+		lookup->type, NULL, NULL, NULL, NULL, 0, 0, 0, NULL,
+		lookup->task, fetch_done, lookup, &lookup->rdataset,
+		&lookup->sigrdataset, &lookup->fetch);
+
+	return (result);
+}
+
+static isc_result_t
+build_event(dns_lookup_t *lookup) {
+	dns_name_t *name = NULL;
+	dns_rdataset_t *rdataset = NULL;
+	dns_rdataset_t *sigrdataset = NULL;
+
+	name = isc_mem_get(lookup->mctx, sizeof(dns_name_t));
+	dns_name_init(name, NULL);
+	dns_name_dup(dns_fixedname_name(&lookup->name), lookup->mctx, name);
+
+	if (dns_rdataset_isassociated(&lookup->rdataset)) {
+		rdataset = isc_mem_get(lookup->mctx, sizeof(dns_rdataset_t));
+		dns_rdataset_init(rdataset);
+		dns_rdataset_clone(&lookup->rdataset, rdataset);
+	}
+
+	if (dns_rdataset_isassociated(&lookup->sigrdataset)) {
+		sigrdataset = isc_mem_get(lookup->mctx, sizeof(dns_rdataset_t));
+		dns_rdataset_init(sigrdataset);
+		dns_rdataset_clone(&lookup->sigrdataset, sigrdataset);
+	}
+
+	lookup->event->name = name;
+	lookup->event->rdataset = rdataset;
+	lookup->event->sigrdataset = sigrdataset;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+view_find(dns_lookup_t *lookup, dns_name_t *foundname) {
+	isc_result_t result;
+	dns_name_t *name = dns_fixedname_name(&lookup->name);
+	dns_rdatatype_t type;
+
+	if (lookup->type == dns_rdatatype_rrsig) {
+		type = dns_rdatatype_any;
+	} else {
+		type = lookup->type;
+	}
+
+	result = dns_view_find(lookup->view, name, type, 0, 0, false, false,
+			       &lookup->event->db, &lookup->event->node,
+			       foundname, &lookup->rdataset,
+			       &lookup->sigrdataset);
+	return (result);
+}
+
+static void
+lookup_find(dns_lookup_t *lookup, dns_fetchevent_t *event) {
+	isc_result_t result;
+	bool want_restart;
+	bool send_event;
+	dns_name_t *name, *fname, *prefix;
+	dns_fixedname_t foundname, fixed;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	unsigned int nlabels;
+	int order;
+	dns_namereln_t namereln;
+	dns_rdata_cname_t cname;
+	dns_rdata_dname_t dname;
+
+	REQUIRE(VALID_LOOKUP(lookup));
+
+	LOCK(&lookup->lock);
+
+	result = ISC_R_SUCCESS;
+	name = dns_fixedname_name(&lookup->name);
+
+	do {
+		lookup->restarts++;
+		want_restart = false;
+		send_event = true;
+
+		if (event == NULL && !lookup->canceled) {
+			fname = dns_fixedname_initname(&foundname);
+			INSIST(!dns_rdataset_isassociated(&lookup->rdataset));
+			INSIST(!dns_rdataset_isassociated(
+				&lookup->sigrdataset));
+			/*
+			 * If we have restarted then clear the old node.
+			 */
+			if (lookup->event->node != NULL) {
+				INSIST(lookup->event->db != NULL);
+				dns_db_detachnode(lookup->event->db,
+						  &lookup->event->node);
+			}
+			if (lookup->event->db != NULL) {
+				dns_db_detach(&lookup->event->db);
+			}
+			result = view_find(lookup, fname);
+			if (result == ISC_R_NOTFOUND) {
+				/*
+				 * We don't know anything about the name.
+				 * Launch a fetch.
+				 */
+				if (lookup->event->node != NULL) {
+					INSIST(lookup->event->db != NULL);
+					dns_db_detachnode(lookup->event->db,
+							  &lookup->event->node);
+				}
+				if (lookup->event->db != NULL) {
+					dns_db_detach(&lookup->event->db);
+				}
+				result = start_fetch(lookup);
+				if (result == ISC_R_SUCCESS) {
+					send_event = false;
+				}
+				goto done;
+			}
+		} else if (event != NULL) {
+			result = event->result;
+			fname = dns_fixedname_name(&event->foundname);
+			dns_resolver_destroyfetch(&lookup->fetch);
+			INSIST(event->rdataset == &lookup->rdataset);
+			INSIST(event->sigrdataset == &lookup->sigrdataset);
+		} else {
+			fname = NULL; /* Silence compiler warning. */
+		}
+
+		/*
+		 * If we've been canceled, forget about the result.
+		 */
+		if (lookup->canceled) {
+			result = ISC_R_CANCELED;
+		}
+
+		switch (result) {
+		case ISC_R_SUCCESS:
+			result = build_event(lookup);
+			if (event == NULL) {
+				break;
+			}
+			if (event->db != NULL) {
+				dns_db_attach(event->db, &lookup->event->db);
+			}
+			if (event->node != NULL) {
+				dns_db_attachnode(lookup->event->db,
+						  event->node,
+						  &lookup->event->node);
+			}
+			break;
+		case DNS_R_CNAME:
+			/*
+			 * Copy the CNAME's target into the lookup's
+			 * query name and start over.
+			 */
+			result = dns_rdataset_first(&lookup->rdataset);
+			if (result != ISC_R_SUCCESS) {
+				break;
+			}
+			dns_rdataset_current(&lookup->rdataset, &rdata);
+			result = dns_rdata_tostruct(&rdata, &cname, NULL);
+			dns_rdata_reset(&rdata);
+			if (result != ISC_R_SUCCESS) {
+				break;
+			}
+			dns_name_copynf(&cname.cname, name);
+			dns_rdata_freestruct(&cname);
+			want_restart = true;
+			send_event = false;
+			break;
+		case DNS_R_DNAME:
+			namereln = dns_name_fullcompare(name, fname, &order,
+							&nlabels);
+			INSIST(namereln == dns_namereln_subdomain);
+			/*
+			 * Get the target name of the DNAME.
+			 */
+			result = dns_rdataset_first(&lookup->rdataset);
+			if (result != ISC_R_SUCCESS) {
+				break;
+			}
+			dns_rdataset_current(&lookup->rdataset, &rdata);
+			result = dns_rdata_tostruct(&rdata, &dname, NULL);
+			dns_rdata_reset(&rdata);
+			if (result != ISC_R_SUCCESS) {
+				break;
+			}
+			/*
+			 * Construct the new query name and start over.
+			 */
+			prefix = dns_fixedname_initname(&fixed);
+			dns_name_split(name, nlabels, prefix, NULL);
+			result = dns_name_concatenate(prefix, &dname.dname,
+						      name, NULL);
+			dns_rdata_freestruct(&dname);
+			if (result == ISC_R_SUCCESS) {
+				want_restart = true;
+				send_event = false;
+			}
+			break;
+		default:
+			send_event = true;
+		}
+
+		if (dns_rdataset_isassociated(&lookup->rdataset)) {
+			dns_rdataset_disassociate(&lookup->rdataset);
+		}
+		if (dns_rdataset_isassociated(&lookup->sigrdataset)) {
+			dns_rdataset_disassociate(&lookup->sigrdataset);
+		}
+
+	done:
+		if (event != NULL) {
+			if (event->node != NULL) {
+				dns_db_detachnode(event->db, &event->node);
+			}
+			if (event->db != NULL) {
+				dns_db_detach(&event->db);
+			}
+			isc_event_free(ISC_EVENT_PTR(&event));
+		}
+
+		/*
+		 * Limit the number of restarts.
+		 */
+		if (want_restart && lookup->restarts == MAX_RESTARTS) {
+			want_restart = false;
+			result = ISC_R_QUOTA;
+			send_event = true;
+		}
+	} while (want_restart);
+
+	if (send_event) {
+		lookup->event->result = result;
+		lookup->event->ev_sender = lookup;
+		isc_task_sendanddetach(&lookup->task,
+				       (isc_event_t **)&lookup->event);
+		dns_view_detach(&lookup->view);
+	}
+
+	UNLOCK(&lookup->lock);
+}
+
+static void
+levent_destroy(isc_event_t *event) {
+	dns_lookupevent_t *levent;
+	isc_mem_t *mctx;
+
+	REQUIRE(event->ev_type == DNS_EVENT_LOOKUPDONE);
+	mctx = event->ev_destroy_arg;
+	levent = (dns_lookupevent_t *)event;
+
+	if (levent->name != NULL) {
+		if (dns_name_dynamic(levent->name)) {
+			dns_name_free(levent->name, mctx);
+		}
+		isc_mem_put(mctx, levent->name, sizeof(dns_name_t));
+	}
+	if (levent->rdataset != NULL) {
+		dns_rdataset_disassociate(levent->rdataset);
+		isc_mem_put(mctx, levent->rdataset, sizeof(dns_rdataset_t));
+	}
+	if (levent->sigrdataset != NULL) {
+		dns_rdataset_disassociate(levent->sigrdataset);
+		isc_mem_put(mctx, levent->sigrdataset, sizeof(dns_rdataset_t));
+	}
+	if (levent->node != NULL) {
+		dns_db_detachnode(levent->db, &levent->node);
+	}
+	if (levent->db != NULL) {
+		dns_db_detach(&levent->db);
+	}
+	isc_mem_put(mctx, event, event->ev_size);
+}
+
+isc_result_t
+dns_lookup_create(isc_mem_t *mctx, const dns_name_t *name, dns_rdatatype_t type,
+		  dns_view_t *view, unsigned int options, isc_task_t *task,
+		  isc_taskaction_t action, void *arg, dns_lookup_t **lookupp) {
+	dns_lookup_t *lookup;
+	isc_event_t *ievent;
+
+	lookup = isc_mem_get(mctx, sizeof(*lookup));
+	lookup->mctx = NULL;
+	isc_mem_attach(mctx, &lookup->mctx);
+	lookup->options = options;
+
+	ievent = isc_event_allocate(mctx, lookup, DNS_EVENT_LOOKUPDONE, action,
+				    arg, sizeof(*lookup->event));
+	lookup->event = (dns_lookupevent_t *)ievent;
+	lookup->event->ev_destroy = levent_destroy;
+	lookup->event->ev_destroy_arg = mctx;
+	lookup->event->result = ISC_R_FAILURE;
+	lookup->event->name = NULL;
+	lookup->event->rdataset = NULL;
+	lookup->event->sigrdataset = NULL;
+	lookup->event->db = NULL;
+	lookup->event->node = NULL;
+
+	lookup->task = NULL;
+	isc_task_attach(task, &lookup->task);
+
+	isc_mutex_init(&lookup->lock);
+
+	dns_fixedname_init(&lookup->name);
+
+	dns_name_copynf(name, dns_fixedname_name(&lookup->name));
+
+	lookup->type = type;
+	lookup->view = NULL;
+	dns_view_attach(view, &lookup->view);
+	lookup->fetch = NULL;
+	lookup->restarts = 0;
+	lookup->canceled = false;
+	dns_rdataset_init(&lookup->rdataset);
+	dns_rdataset_init(&lookup->sigrdataset);
+	lookup->magic = LOOKUP_MAGIC;
+
+	*lookupp = lookup;
+
+	lookup_find(lookup, NULL);
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_lookup_cancel(dns_lookup_t *lookup) {
+	REQUIRE(VALID_LOOKUP(lookup));
+
+	LOCK(&lookup->lock);
+
+	if (!lookup->canceled) {
+		lookup->canceled = true;
+		if (lookup->fetch != NULL) {
+			INSIST(lookup->view != NULL);
+			dns_resolver_cancelfetch(lookup->fetch);
+		}
+	}
+
+	UNLOCK(&lookup->lock);
+}
+
+void
+dns_lookup_destroy(dns_lookup_t **lookupp) {
+	dns_lookup_t *lookup;
+
+	REQUIRE(lookupp != NULL);
+	lookup = *lookupp;
+	*lookupp = NULL;
+	REQUIRE(VALID_LOOKUP(lookup));
+	REQUIRE(lookup->event == NULL);
+	REQUIRE(lookup->task == NULL);
+	REQUIRE(lookup->view == NULL);
+	if (dns_rdataset_isassociated(&lookup->rdataset)) {
+		dns_rdataset_disassociate(&lookup->rdataset);
+	}
+	if (dns_rdataset_isassociated(&lookup->sigrdataset)) {
+		dns_rdataset_disassociate(&lookup->sigrdataset);
+	}
+
+	isc_mutex_destroy(&lookup->lock);
+	lookup->magic = 0;
+	isc_mem_putanddetach(&lookup->mctx, lookup, sizeof(*lookup));
+}
diff --git a/lib/dns/mapapi b/lib/dns/mapapi
new file mode 100644
index 0000000..1b502d3
--- /dev/null
+++ b/lib/dns/mapapi
@@ -0,0 +1,16 @@
+# This value should be increased whenever changing the structure of
+# any object that will appear in a type 'map' master file (which
+# contains a working memory image of an RBT database), as loading 
+# an incorrect memory image produces an inconsistent and probably
+# nonfunctional database.  These structures include but are not
+# necessarily limited to dns_masterrawheader, rbtdb_file_header,
+# rbt_file_header, dns_rbtdb, dns_rbt, dns_rbtnode, rdatasetheader.
+#
+# Err on the side of caution: if anything in the RBTDB is changed,
+# bump the value.  Making map files unreadable protects the system
+# from instability; it's a feature not a bug.
+#
+# Whenever releasing a new major release of BIND9, set this value
+# back to 1.0 when releasing the first alpha.  Map files are *never*
+# compatible across major releases.
+MAPAPI=3.0
diff --git a/lib/dns/master.c b/lib/dns/master.c
new file mode 100644
index 0000000..fc56107
--- /dev/null
+++ b/lib/dns/master.c
@@ -0,0 +1,3264 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/atomic.h>
+#include <isc/event.h>
+#include <isc/lex.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/refcount.h>
+#include <isc/serial.h>
+#include <isc/stdio.h>
+#include <isc/stdtime.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/util.h>
+
+#include <dns/callbacks.h>
+#include <dns/events.h>
+#include <dns/fixedname.h>
+#include <dns/master.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/soa.h>
+#include <dns/time.h>
+#include <dns/ttl.h>
+
+/*!
+ * Grow the number of dns_rdatalist_t (#RDLSZ) and dns_rdata_t (#RDSZ)
+ * structures by these sizes when we need to.
+ *
+ */
+/*% RDLSZ reflects the number of different types with the same name expected. */
+#define RDLSZ 32
+/*%
+ * RDSZ reflects the number of rdata expected at a give name that can fit into
+ * 64k.
+ */
+#define RDSZ 512
+
+#define NBUFS	  4
+#define MAXWIRESZ 255
+
+/*%
+ * Target buffer size and minimum target size.
+ * MINTSIZ must be big enough to hold the largest rdata record.
+ * \brief
+ * TSIZ >= MINTSIZ
+ */
+#define TSIZ (128 * 1024)
+/*%
+ * max message size - header - root - type - class - ttl - rdlen
+ */
+#define MINTSIZ DNS_RDATA_MAXLENGTH
+/*%
+ * Size for tokens in the presentation format,
+ * The largest tokens are the base64 blocks in KEY and CERT records,
+ * Largest key allowed is about 1372 bytes but
+ * there is no fixed upper bound on CERT records.
+ * 2K is too small for some X.509s, 8K is overkill.
+ */
+#define TOKENSIZ (8 * 1024)
+
+/*%
+ * Buffers sizes for $GENERATE.
+ */
+#define DNS_MASTER_LHS 2048
+#define DNS_MASTER_RHS MINTSIZ
+
+#define CHECKNAMESFAIL(x) (((x)&DNS_MASTER_CHECKNAMESFAIL) != 0)
+
+typedef ISC_LIST(dns_rdatalist_t) rdatalist_head_t;
+
+typedef struct dns_incctx dns_incctx_t;
+
+/*%
+ * Master file load state.
+ */
+
+struct dns_loadctx {
+	unsigned int magic;
+	isc_mem_t *mctx;
+	dns_masterformat_t format;
+
+	dns_rdatacallbacks_t *callbacks;
+	isc_task_t *task;
+	dns_loaddonefunc_t done;
+	void *done_arg;
+
+	/* Common methods */
+	isc_result_t (*openfile)(dns_loadctx_t *lctx, const char *filename);
+	isc_result_t (*load)(dns_loadctx_t *lctx);
+
+	/* Members used by all formats */
+	uint32_t maxttl;
+
+	/* Members specific to the text format: */
+	isc_lex_t *lex;
+	bool keep_lex;
+	unsigned int options;
+	bool ttl_known;
+	bool default_ttl_known;
+	bool warn_1035;
+	bool warn_tcr;
+	bool warn_sigexpired;
+	bool seen_include;
+	uint32_t ttl;
+	uint32_t default_ttl;
+	dns_rdataclass_t zclass;
+	dns_fixedname_t fixed_top;
+	dns_name_t *top; /*%< top of zone */
+
+	/* Members specific to the raw format: */
+	FILE *f;
+	bool first;
+	dns_masterrawheader_t header;
+
+	/* Which fixed buffers we are using? */
+	unsigned int loop_cnt; /*% records per quantum,
+				* 0 => all. */
+	isc_result_t result;
+
+	/* Atomic */
+	isc_refcount_t references;
+	atomic_bool canceled;
+
+	/* locked by lock */
+	dns_incctx_t *inc;
+	uint32_t resign;
+	isc_stdtime_t now;
+
+	dns_masterincludecb_t include_cb;
+	void *include_arg;
+};
+
+struct dns_incctx {
+	dns_incctx_t *parent;
+	dns_name_t *origin;
+	dns_name_t *current;
+	dns_name_t *glue;
+	dns_fixedname_t fixed[NBUFS]; /* working buffers */
+	unsigned int in_use[NBUFS];   /* covert to bitmap? */
+	int glue_in_use;
+	int current_in_use;
+	int origin_in_use;
+	bool origin_changed;
+	bool drop;
+	unsigned int glue_line;
+	unsigned int current_line;
+};
+
+#define DNS_LCTX_MAGIC	     ISC_MAGIC('L', 'c', 't', 'x')
+#define DNS_LCTX_VALID(lctx) ISC_MAGIC_VALID(lctx, DNS_LCTX_MAGIC)
+
+#define DNS_AS_STR(t) ((t).value.as_textregion.base)
+
+static isc_result_t
+openfile_text(dns_loadctx_t *lctx, const char *master_file);
+
+static isc_result_t
+load_text(dns_loadctx_t *lctx);
+
+static isc_result_t
+openfile_raw(dns_loadctx_t *lctx, const char *master_file);
+
+static isc_result_t
+load_raw(dns_loadctx_t *lctx);
+
+static isc_result_t
+openfile_map(dns_loadctx_t *lctx, const char *master_file);
+
+static isc_result_t
+load_map(dns_loadctx_t *lctx);
+
+static isc_result_t
+pushfile(const char *master_file, dns_name_t *origin, dns_loadctx_t *lctx);
+
+static isc_result_t
+commit(dns_rdatacallbacks_t *, dns_loadctx_t *, rdatalist_head_t *,
+       dns_name_t *, const char *, unsigned int);
+
+static bool
+is_glue(rdatalist_head_t *, dns_name_t *);
+
+static dns_rdatalist_t *
+grow_rdatalist(int, dns_rdatalist_t *, int, rdatalist_head_t *,
+	       rdatalist_head_t *, isc_mem_t *mctx);
+
+static dns_rdata_t *
+grow_rdata(int, dns_rdata_t *, int, rdatalist_head_t *, rdatalist_head_t *,
+	   isc_mem_t *);
+
+static void
+load_quantum(isc_task_t *task, isc_event_t *event);
+
+static isc_result_t
+task_send(dns_loadctx_t *lctx);
+
+static void
+loadctx_destroy(dns_loadctx_t *lctx);
+
+#define GETTOKENERR(lexer, options, token, eol, err)                      \
+	do {                                                              \
+		result = gettoken(lexer, options, token, eol, callbacks); \
+		switch (result) {                                         \
+		case ISC_R_SUCCESS:                                       \
+			break;                                            \
+		case ISC_R_UNEXPECTED:                                    \
+			goto insist_and_cleanup;                          \
+		default:                                                  \
+			if (MANYERRS(lctx, result)) {                     \
+				SETRESULT(lctx, result);                  \
+				LOGIT(result);                            \
+				read_till_eol = true;                     \
+				err goto next_line;                       \
+			} else                                            \
+				goto log_and_cleanup;                     \
+		}                                                         \
+		if ((token)->type == isc_tokentype_special) {             \
+			result = DNS_R_SYNTAX;                            \
+			if (MANYERRS(lctx, result)) {                     \
+				SETRESULT(lctx, result);                  \
+				LOGIT(result);                            \
+				read_till_eol = true;                     \
+				goto next_line;                           \
+			} else                                            \
+				goto log_and_cleanup;                     \
+		}                                                         \
+	} while (0)
+#define GETTOKEN(lexer, options, token, eol) \
+	GETTOKENERR(lexer, options, token, eol, {})
+
+#define COMMITALL                                                              \
+	do {                                                                   \
+		result = commit(callbacks, lctx, &current_list, ictx->current, \
+				source, ictx->current_line);                   \
+		if (MANYERRS(lctx, result)) {                                  \
+			SETRESULT(lctx, result);                               \
+		} else if (result != ISC_R_SUCCESS)                            \
+			goto insist_and_cleanup;                               \
+		result = commit(callbacks, lctx, &glue_list, ictx->glue,       \
+				source, ictx->glue_line);                      \
+		if (MANYERRS(lctx, result)) {                                  \
+			SETRESULT(lctx, result);                               \
+		} else if (result != ISC_R_SUCCESS)                            \
+			goto insist_and_cleanup;                               \
+		rdcount = 0;                                                   \
+		rdlcount = 0;                                                  \
+		isc_buffer_init(&target, target_mem, target_size);             \
+		rdcount_save = rdcount;                                        \
+		rdlcount_save = rdlcount;                                      \
+	} while (0)
+
+#define WARNUNEXPECTEDEOF(lexer)                                         \
+	do {                                                             \
+		if (isc_lex_isfile(lexer))                               \
+			(*callbacks->warn)(callbacks,                    \
+					   "%s: file does not end with " \
+					   "newline",                    \
+					   source);                      \
+	} while (0)
+
+#define EXPECTEOL                                              \
+	do {                                                   \
+		GETTOKEN(lctx->lex, 0, &token, true);          \
+		if (token.type != isc_tokentype_eol) {         \
+			isc_lex_ungettoken(lctx->lex, &token); \
+			result = DNS_R_EXTRATOKEN;             \
+			if (MANYERRS(lctx, result)) {          \
+				SETRESULT(lctx, result);       \
+				LOGIT(result);                 \
+				read_till_eol = true;          \
+				break;                         \
+			} else if (result != ISC_R_SUCCESS)    \
+				goto log_and_cleanup;          \
+		}                                              \
+	} while (0)
+
+#define MANYERRS(lctx, result)                                     \
+	((result != ISC_R_SUCCESS) && (result != ISC_R_IOERROR) && \
+	 ((lctx)->options & DNS_MASTER_MANYERRORS) != 0)
+
+#define SETRESULT(lctx, r)                           \
+	do {                                         \
+		if ((lctx)->result == ISC_R_SUCCESS) \
+			(lctx)->result = r;          \
+	} while (0)
+
+#define LOGITFILE(result, filename)                                            \
+	if (result == ISC_R_INVALIDFILE || result == ISC_R_FILENOTFOUND ||     \
+	    result == ISC_R_IOERROR || result == ISC_R_TOOMANYOPENFILES ||     \
+	    result == ISC_R_NOPERM)                                            \
+		(*callbacks->error)(callbacks, "%s: %s:%lu: %s: %s",           \
+				    "dns_master_load", source, line, filename, \
+				    dns_result_totext(result));                \
+	else                                                                   \
+		LOGIT(result)
+
+#define LOGIT(result)                                                 \
+	if (result == ISC_R_NOMEMORY)                                 \
+		(*callbacks->error)(callbacks, "dns_master_load: %s", \
+				    dns_result_totext(result));       \
+	else                                                          \
+		(*callbacks->error)(callbacks, "%s: %s:%lu: %s",      \
+				    "dns_master_load", source, line,  \
+				    dns_result_totext(result))
+
+static unsigned char in_addr_arpa_data[] = "\007IN-ADDR\004ARPA";
+static unsigned char in_addr_arpa_offsets[] = { 0, 8, 13 };
+static dns_name_t const in_addr_arpa =
+	DNS_NAME_INITABSOLUTE(in_addr_arpa_data, in_addr_arpa_offsets);
+
+static unsigned char ip6_int_data[] = "\003IP6\003INT";
+static unsigned char ip6_int_offsets[] = { 0, 4, 8 };
+static dns_name_t const ip6_int = DNS_NAME_INITABSOLUTE(ip6_int_data,
+							ip6_int_offsets);
+
+static unsigned char ip6_arpa_data[] = "\003IP6\004ARPA";
+static unsigned char ip6_arpa_offsets[] = { 0, 4, 9 };
+static dns_name_t const ip6_arpa = DNS_NAME_INITABSOLUTE(ip6_arpa_data,
+							 ip6_arpa_offsets);
+
+static bool
+dns_master_isprimary(dns_loadctx_t *lctx) {
+	return ((lctx->options & DNS_MASTER_ZONE) != 0 &&
+		(lctx->options & DNS_MASTER_SLAVE) == 0 &&
+		(lctx->options & DNS_MASTER_KEY) == 0);
+}
+
+static isc_result_t
+gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *token, bool eol,
+	 dns_rdatacallbacks_t *callbacks) {
+	isc_result_t result;
+
+	options |= ISC_LEXOPT_EOL | ISC_LEXOPT_EOF | ISC_LEXOPT_DNSMULTILINE |
+		   ISC_LEXOPT_ESCAPE;
+	result = isc_lex_gettoken(lex, options, token);
+	if (result != ISC_R_SUCCESS) {
+		switch (result) {
+		case ISC_R_NOMEMORY:
+			return (ISC_R_NOMEMORY);
+		default:
+			(*callbacks->error)(callbacks,
+					    "dns_master_load: %s:%lu:"
+					    " isc_lex_gettoken() failed: %s",
+					    isc_lex_getsourcename(lex),
+					    isc_lex_getsourceline(lex),
+					    isc_result_totext(result));
+			return (result);
+		}
+		/*NOTREACHED*/
+	}
+	if (eol != true) {
+		if (token->type == isc_tokentype_eol ||
+		    token->type == isc_tokentype_eof)
+		{
+			{
+				unsigned long int line;
+				const char *what;
+				const char *file;
+				file = isc_lex_getsourcename(lex);
+				line = isc_lex_getsourceline(lex);
+				if (token->type == isc_tokentype_eol) {
+					line--;
+					what = "line";
+				} else {
+					what = "file";
+				}
+				(*callbacks->error)(callbacks,
+						    "dns_master_load: %s:%lu: "
+						    "unexpected end of %s",
+						    file, line, what);
+				return (ISC_R_UNEXPECTEDEND);
+			}
+		}
+	}
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_loadctx_attach(dns_loadctx_t *source, dns_loadctx_t **target) {
+	REQUIRE(target != NULL && *target == NULL);
+	REQUIRE(DNS_LCTX_VALID(source));
+
+	isc_refcount_increment(&source->references);
+
+	*target = source;
+}
+
+void
+dns_loadctx_detach(dns_loadctx_t **lctxp) {
+	dns_loadctx_t *lctx;
+
+	REQUIRE(lctxp != NULL);
+	lctx = *lctxp;
+	*lctxp = NULL;
+	REQUIRE(DNS_LCTX_VALID(lctx));
+
+	if (isc_refcount_decrement(&lctx->references) == 1) {
+		loadctx_destroy(lctx);
+	}
+}
+
+static void
+incctx_destroy(isc_mem_t *mctx, dns_incctx_t *ictx) {
+	dns_incctx_t *parent;
+
+again:
+	parent = ictx->parent;
+	ictx->parent = NULL;
+
+	isc_mem_put(mctx, ictx, sizeof(*ictx));
+
+	if (parent != NULL) {
+		ictx = parent;
+		goto again;
+	}
+}
+
+static void
+loadctx_destroy(dns_loadctx_t *lctx) {
+	REQUIRE(DNS_LCTX_VALID(lctx));
+
+	isc_refcount_destroy(&lctx->references);
+
+	lctx->magic = 0;
+	if (lctx->inc != NULL) {
+		incctx_destroy(lctx->mctx, lctx->inc);
+	}
+
+	if (lctx->f != NULL) {
+		isc_result_t result = isc_stdio_close(lctx->f);
+		if (result != ISC_R_SUCCESS) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "isc_stdio_close() failed: %s",
+					 isc_result_totext(result));
+		}
+	}
+
+	/* isc_lex_destroy() will close all open streams */
+	if (lctx->lex != NULL && !lctx->keep_lex) {
+		isc_lex_destroy(&lctx->lex);
+	}
+
+	if (lctx->task != NULL) {
+		isc_task_detach(&lctx->task);
+	}
+
+	isc_mem_putanddetach(&lctx->mctx, lctx, sizeof(*lctx));
+}
+
+static isc_result_t
+incctx_create(isc_mem_t *mctx, dns_name_t *origin, dns_incctx_t **ictxp) {
+	dns_incctx_t *ictx;
+	isc_region_t r;
+	int i;
+
+	ictx = isc_mem_get(mctx, sizeof(*ictx));
+
+	for (i = 0; i < NBUFS; i++) {
+		dns_fixedname_init(&ictx->fixed[i]);
+		ictx->in_use[i] = false;
+	}
+
+	ictx->origin_in_use = 0;
+	ictx->origin = dns_fixedname_name(&ictx->fixed[ictx->origin_in_use]);
+	ictx->in_use[ictx->origin_in_use] = true;
+	dns_name_toregion(origin, &r);
+	dns_name_fromregion(ictx->origin, &r);
+
+	ictx->glue = NULL;
+	ictx->current = NULL;
+	ictx->glue_in_use = -1;
+	ictx->current_in_use = -1;
+	ictx->parent = NULL;
+	ictx->drop = false;
+	ictx->glue_line = 0;
+	ictx->current_line = 0;
+	ictx->origin_changed = true;
+
+	*ictxp = ictx;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+loadctx_create(dns_masterformat_t format, isc_mem_t *mctx, unsigned int options,
+	       uint32_t resign, dns_name_t *top, dns_rdataclass_t zclass,
+	       dns_name_t *origin, dns_rdatacallbacks_t *callbacks,
+	       isc_task_t *task, dns_loaddonefunc_t done, void *done_arg,
+	       dns_masterincludecb_t include_cb, void *include_arg,
+	       isc_lex_t *lex, dns_loadctx_t **lctxp) {
+	dns_loadctx_t *lctx;
+	isc_result_t result;
+	isc_region_t r;
+	isc_lexspecials_t specials;
+
+	REQUIRE(lctxp != NULL && *lctxp == NULL);
+	REQUIRE(callbacks != NULL);
+	REQUIRE(callbacks->add != NULL);
+	REQUIRE(callbacks->error != NULL);
+	REQUIRE(callbacks->warn != NULL);
+	REQUIRE(mctx != NULL);
+	REQUIRE(dns_name_isabsolute(top));
+	REQUIRE(dns_name_isabsolute(origin));
+	REQUIRE((task == NULL && done == NULL) ||
+		(task != NULL && done != NULL));
+
+	lctx = isc_mem_get(mctx, sizeof(*lctx));
+
+	lctx->inc = NULL;
+	result = incctx_create(mctx, origin, &lctx->inc);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_ctx;
+	}
+
+	lctx->maxttl = 0;
+
+	lctx->format = format;
+	switch (format) {
+	case dns_masterformat_text:
+		lctx->openfile = openfile_text;
+		lctx->load = load_text;
+		break;
+	case dns_masterformat_raw:
+		lctx->openfile = openfile_raw;
+		lctx->load = load_raw;
+		break;
+	case dns_masterformat_map:
+		lctx->openfile = openfile_map;
+		lctx->load = load_map;
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	if (lex != NULL) {
+		lctx->lex = lex;
+		lctx->keep_lex = true;
+	} else {
+		lctx->lex = NULL;
+		result = isc_lex_create(mctx, TOKENSIZ, &lctx->lex);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup_inc;
+		}
+		lctx->keep_lex = false;
+		/*
+		 * If specials change update dns_test_rdatafromstring()
+		 * in lib/dns/tests/dnstest.c.
+		 */
+		memset(specials, 0, sizeof(specials));
+		specials[0] = 1;
+		specials['('] = 1;
+		specials[')'] = 1;
+		specials['"'] = 1;
+		isc_lex_setspecials(lctx->lex, specials);
+		isc_lex_setcomments(lctx->lex, ISC_LEXCOMMENT_DNSMASTERFILE);
+	}
+
+	lctx->ttl_known = ((options & DNS_MASTER_NOTTL) != 0);
+	lctx->ttl = 0;
+	lctx->default_ttl_known = lctx->ttl_known;
+	lctx->default_ttl = 0;
+	lctx->warn_1035 = true;	      /* XXX Argument? */
+	lctx->warn_tcr = true;	      /* XXX Argument? */
+	lctx->warn_sigexpired = true; /* XXX Argument? */
+	lctx->options = options;
+	lctx->seen_include = false;
+	lctx->zclass = zclass;
+	lctx->resign = resign;
+	lctx->result = ISC_R_SUCCESS;
+	lctx->include_cb = include_cb;
+	lctx->include_arg = include_arg;
+	isc_stdtime_get(&lctx->now);
+
+	lctx->top = dns_fixedname_initname(&lctx->fixed_top);
+	dns_name_toregion(top, &r);
+	dns_name_fromregion(lctx->top, &r);
+
+	lctx->f = NULL;
+	lctx->first = true;
+	dns_master_initrawheader(&lctx->header);
+
+	lctx->loop_cnt = (done != NULL) ? 100 : 0;
+	lctx->callbacks = callbacks;
+	lctx->task = NULL;
+	if (task != NULL) {
+		isc_task_attach(task, &lctx->task);
+	}
+	lctx->done = done;
+	lctx->done_arg = done_arg;
+	atomic_init(&lctx->canceled, false);
+	lctx->mctx = NULL;
+	isc_mem_attach(mctx, &lctx->mctx);
+
+	isc_refcount_init(&lctx->references, 1); /* Implicit attach. */
+
+	lctx->magic = DNS_LCTX_MAGIC;
+	*lctxp = lctx;
+	return (ISC_R_SUCCESS);
+
+cleanup_inc:
+	incctx_destroy(mctx, lctx->inc);
+cleanup_ctx:
+	isc_mem_put(mctx, lctx, sizeof(*lctx));
+	return (result);
+}
+
+static const char *hex = "0123456789abcdef0123456789ABCDEF";
+
+/*%
+ * Convert value into a nibble sequence from least significant to most
+ * significant nibble.  Zero fill upper most significant nibbles if
+ * required to make the width.
+ *
+ * Returns the number of characters that should have been written without
+ * counting the terminating NUL.
+ */
+static unsigned int
+nibbles(char *numbuf, size_t length, unsigned int width, char mode, int value) {
+	unsigned int count = 0;
+
+	/*
+	 * This reserve space for the NUL string terminator.
+	 */
+	if (length > 0U) {
+		*numbuf = '\0';
+		length--;
+	}
+	do {
+		char val = hex[(value & 0x0f) + ((mode == 'n') ? 0 : 16)];
+		value >>= 4;
+		if (length > 0U) {
+			*numbuf++ = val;
+			*numbuf = '\0';
+			length--;
+		}
+		if (width > 0) {
+			width--;
+		}
+		count++;
+		/*
+		 * If width is non zero then we need to add a label separator.
+		 * If value is non zero then we need to add another label and
+		 * that requires a label separator.
+		 */
+		if (width > 0 || value != 0) {
+			if (length > 0U) {
+				*numbuf++ = '.';
+				*numbuf = '\0';
+				length--;
+			}
+			if (width > 0) {
+				width--;
+			}
+			count++;
+		}
+	} while (value != 0 || width > 0);
+	return (count);
+}
+
+static isc_result_t
+genname(char *name, int it, char *buffer, size_t length) {
+	char fmt[sizeof("%04000000000d")];
+	char numbuf[128];
+	char *cp;
+	char mode[2] = { 0 };
+	char brace[2] = { 0 };
+	char comma1[2] = { 0 };
+	char comma2[2] = { 0 };
+	int delta = 0;
+	isc_textregion_t r;
+	unsigned int n;
+	unsigned int width;
+	bool nibblemode;
+
+	r.base = buffer;
+	r.length = (unsigned int)length;
+
+	while (*name != '\0') {
+		if (*name == '$') {
+			name++;
+			if (*name == '$') {
+				if (r.length == 0) {
+					return (ISC_R_NOSPACE);
+				}
+				r.base[0] = *name++;
+				isc_textregion_consume(&r, 1);
+				continue;
+			}
+			nibblemode = false;
+			strlcpy(fmt, "%d", sizeof(fmt));
+			/* Get format specifier. */
+			if (*name == '{') {
+				n = sscanf(name,
+					   "{%d%1[,}]%u%1[,}]%1[doxXnN]%1[}]",
+					   &delta, comma1, &width, comma2, mode,
+					   brace);
+				if (n < 2 || n > 6) {
+					return (DNS_R_SYNTAX);
+				}
+				if (comma1[0] == '}') {
+					/* %{delta} */
+				} else if (comma1[0] == ',' && comma2[0] == '}')
+				{
+					/* %{delta,width} */
+					n = snprintf(fmt, sizeof(fmt), "%%0%ud",
+						     width);
+				} else if (comma1[0] == ',' &&
+					   comma2[0] == ',' && mode[0] != 0 &&
+					   brace[0] == '}')
+				{
+					/* %{delta,width,format} */
+					if (mode[0] == 'n' || mode[0] == 'N') {
+						nibblemode = true;
+					}
+					n = snprintf(fmt, sizeof(fmt),
+						     "%%0%u%c", width, mode[0]);
+				} else {
+					return (DNS_R_SYNTAX);
+				}
+				if (n >= sizeof(fmt)) {
+					return (ISC_R_NOSPACE);
+				}
+				/* Skip past closing brace. */
+				while (*name != '\0' && *name++ != '}') {
+					continue;
+				}
+			}
+			/*
+			 * 'it' is >= 0 so we don't need to check for
+			 * underflow.
+			 */
+			if ((it > 0 && delta > INT_MAX - it)) {
+				return (ISC_R_RANGE);
+			}
+			if (nibblemode) {
+				n = nibbles(numbuf, sizeof(numbuf), width,
+					    mode[0], it + delta);
+			} else {
+				n = snprintf(numbuf, sizeof(numbuf), fmt,
+					     it + delta);
+			}
+			if (n >= sizeof(numbuf)) {
+				return (ISC_R_NOSPACE);
+			}
+			cp = numbuf;
+			while (*cp != '\0') {
+				if (r.length == 0) {
+					return (ISC_R_NOSPACE);
+				}
+				r.base[0] = *cp++;
+				isc_textregion_consume(&r, 1);
+			}
+		} else if (*name == '\\') {
+			if (r.length == 0) {
+				return (ISC_R_NOSPACE);
+			}
+			r.base[0] = *name++;
+			isc_textregion_consume(&r, 1);
+			if (*name == '\0') {
+				continue;
+			}
+			if (r.length == 0) {
+				return (ISC_R_NOSPACE);
+			}
+			r.base[0] = *name++;
+			isc_textregion_consume(&r, 1);
+		} else {
+			if (r.length == 0) {
+				return (ISC_R_NOSPACE);
+			}
+			r.base[0] = *name++;
+			isc_textregion_consume(&r, 1);
+		}
+	}
+	if (r.length == 0) {
+		return (ISC_R_NOSPACE);
+	}
+	r.base[0] = '\0';
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+generate(dns_loadctx_t *lctx, char *range, char *lhs, char *gtype, char *rhs,
+	 const char *source, unsigned int line) {
+	char *target_mem = NULL;
+	char *lhsbuf = NULL;
+	char *rhsbuf = NULL;
+	dns_fixedname_t ownerfixed;
+	dns_name_t *owner;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdatacallbacks_t *callbacks;
+	dns_rdatalist_t rdatalist;
+	dns_rdatatype_t type;
+	rdatalist_head_t head;
+	int target_size = MINTSIZ; /* only one rdata at a time */
+	isc_buffer_t buffer;
+	isc_buffer_t target;
+	isc_result_t result;
+	isc_textregion_t r;
+	int n, start, stop, step = 0;
+	unsigned int i;
+	dns_incctx_t *ictx;
+	char dummy[2];
+
+	ictx = lctx->inc;
+	callbacks = lctx->callbacks;
+	owner = dns_fixedname_initname(&ownerfixed);
+	ISC_LIST_INIT(head);
+
+	target_mem = isc_mem_get(lctx->mctx, target_size);
+	rhsbuf = isc_mem_get(lctx->mctx, DNS_MASTER_RHS);
+	lhsbuf = isc_mem_get(lctx->mctx, DNS_MASTER_LHS);
+	if (target_mem == NULL || rhsbuf == NULL || lhsbuf == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto error_cleanup;
+	}
+	isc_buffer_init(&target, target_mem, target_size);
+
+	n = sscanf(range, "%d-%d%1[/]%d", &start, &stop, dummy, &step);
+	if ((n != 2 && n != 4) || (start < 0) || (stop < 0) ||
+	    (n == 4 && step < 1) || (stop < start))
+	{
+		(*callbacks->error)(callbacks, "%s: %s:%lu: invalid range '%s'",
+				    "$GENERATE", source, line, range);
+		result = DNS_R_SYNTAX;
+		goto insist_cleanup;
+	}
+	if (n == 2) {
+		step = 1;
+	}
+
+	/*
+	 * Get type.
+	 */
+	r.base = gtype;
+	r.length = strlen(gtype);
+	result = dns_rdatatype_fromtext(&type, &r);
+	if (result != ISC_R_SUCCESS) {
+		(*callbacks->error)(callbacks,
+				    "%s: %s:%lu: unknown RR type '%s'",
+				    "$GENERATE", source, line, gtype);
+		goto insist_cleanup;
+	}
+
+	/*
+	 * RFC2930: TKEY and TSIG are not allowed to be loaded
+	 * from master files.
+	 */
+	if (dns_master_isprimary(lctx) && dns_rdatatype_ismeta(type)) {
+		(*callbacks->error)(callbacks, "%s: %s:%lu: meta RR type '%s'",
+				    "$GENERATE", source, line, gtype);
+		result = DNS_R_METATYPE;
+		goto insist_cleanup;
+	}
+
+	for (i = start; i <= (unsigned int)stop; i += step) {
+		result = genname(lhs, i, lhsbuf, DNS_MASTER_LHS);
+		if (result != ISC_R_SUCCESS) {
+			goto error_cleanup;
+		}
+		result = genname(rhs, i, rhsbuf, DNS_MASTER_RHS);
+		if (result != ISC_R_SUCCESS) {
+			goto error_cleanup;
+		}
+
+		isc_buffer_init(&buffer, lhsbuf, strlen(lhsbuf));
+		isc_buffer_add(&buffer, strlen(lhsbuf));
+		isc_buffer_setactive(&buffer, strlen(lhsbuf));
+		result = dns_name_fromtext(owner, &buffer, ictx->origin, 0,
+					   NULL);
+		if (result != ISC_R_SUCCESS) {
+			goto error_cleanup;
+		}
+
+		if (dns_master_isprimary(lctx) &&
+		    !dns_name_issubdomain(owner, lctx->top))
+		{
+			char namebuf[DNS_NAME_FORMATSIZE];
+			dns_name_format(owner, namebuf, sizeof(namebuf));
+			/*
+			 * Ignore out-of-zone data.
+			 */
+			(*callbacks->warn)(callbacks,
+					   "%s:%lu: "
+					   "ignoring out-of-zone data (%s)",
+					   source, line, namebuf);
+			continue;
+		}
+
+		isc_buffer_init(&buffer, rhsbuf, strlen(rhsbuf));
+		isc_buffer_add(&buffer, strlen(rhsbuf));
+		isc_buffer_setactive(&buffer, strlen(rhsbuf));
+
+		result = isc_lex_openbuffer(lctx->lex, &buffer);
+		if (result != ISC_R_SUCCESS) {
+			goto error_cleanup;
+		}
+
+		isc_buffer_init(&target, target_mem, target_size);
+		result = dns_rdata_fromtext(&rdata, lctx->zclass, type,
+					    lctx->lex, ictx->origin, 0,
+					    lctx->mctx, &target, callbacks);
+		RUNTIME_CHECK(isc_lex_close(lctx->lex) == ISC_R_SUCCESS);
+		if (result != ISC_R_SUCCESS) {
+			goto error_cleanup;
+		}
+
+		dns_rdatalist_init(&rdatalist);
+		rdatalist.type = type;
+		rdatalist.rdclass = lctx->zclass;
+		rdatalist.ttl = lctx->ttl;
+		ISC_LIST_PREPEND(head, &rdatalist, link);
+		ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
+		result = commit(callbacks, lctx, &head, owner, source, line);
+		ISC_LIST_UNLINK(rdatalist.rdata, &rdata, link);
+		if (result != ISC_R_SUCCESS) {
+			goto error_cleanup;
+		}
+		dns_rdata_reset(&rdata);
+	}
+	result = ISC_R_SUCCESS;
+	goto cleanup;
+
+error_cleanup:
+	if (result == ISC_R_NOMEMORY) {
+		(*callbacks->error)(callbacks, "$GENERATE: %s",
+				    dns_result_totext(result));
+	} else {
+		(*callbacks->error)(callbacks, "$GENERATE: %s:%lu: %s", source,
+				    line, dns_result_totext(result));
+	}
+
+insist_cleanup:
+	INSIST(result != ISC_R_SUCCESS);
+
+cleanup:
+	if (target_mem != NULL) {
+		isc_mem_put(lctx->mctx, target_mem, target_size);
+	}
+	if (lhsbuf != NULL) {
+		isc_mem_put(lctx->mctx, lhsbuf, DNS_MASTER_LHS);
+	}
+	if (rhsbuf != NULL) {
+		isc_mem_put(lctx->mctx, rhsbuf, DNS_MASTER_RHS);
+	}
+	return (result);
+}
+
+static void
+limit_ttl(dns_rdatacallbacks_t *callbacks, const char *source,
+	  unsigned int line, uint32_t *ttlp) {
+	if (*ttlp > 0x7fffffffUL) {
+		(callbacks->warn)(callbacks,
+				  "%s: %s:%lu: "
+				  "$TTL %lu > MAXTTL, "
+				  "setting $TTL to 0",
+				  "dns_master_load", source, line, *ttlp);
+		*ttlp = 0;
+	}
+}
+
+static isc_result_t
+check_ns(dns_loadctx_t *lctx, isc_token_t *token, const char *source,
+	 unsigned long line) {
+	char *tmp = NULL;
+	isc_result_t result = ISC_R_SUCCESS;
+	void (*callback)(struct dns_rdatacallbacks *, const char *, ...);
+
+	if ((lctx->options & DNS_MASTER_FATALNS) != 0) {
+		callback = lctx->callbacks->error;
+	} else {
+		callback = lctx->callbacks->warn;
+	}
+
+	if (token->type == isc_tokentype_string) {
+		struct in_addr addr;
+		struct in6_addr addr6;
+
+		tmp = isc_mem_strdup(lctx->mctx, DNS_AS_STR(*token));
+		/*
+		 * Catch both "1.2.3.4" and "1.2.3.4."
+		 */
+		if (tmp[strlen(tmp) - 1] == '.') {
+			tmp[strlen(tmp) - 1] = '\0';
+		}
+		if (inet_pton(AF_INET, tmp, &addr) == 1 ||
+		    inet_pton(AF_INET6, tmp, &addr6) == 1)
+		{
+			result = DNS_R_NSISADDRESS;
+		}
+	}
+	if (result != ISC_R_SUCCESS) {
+		(*callback)(lctx->callbacks,
+			    "%s:%lu: NS record '%s' "
+			    "appears to be an address",
+			    source, line, DNS_AS_STR(*token));
+	}
+	if (tmp != NULL) {
+		isc_mem_free(lctx->mctx, tmp);
+	}
+	return (result);
+}
+
+static void
+check_wildcard(dns_incctx_t *ictx, const char *source, unsigned long line,
+	       dns_rdatacallbacks_t *callbacks) {
+	dns_name_t *name;
+
+	name = (ictx->glue != NULL) ? ictx->glue : ictx->current;
+	if (dns_name_internalwildcard(name)) {
+		char namebuf[DNS_NAME_FORMATSIZE];
+
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		(*callbacks->warn)(callbacks,
+				   "%s:%lu: warning: ownername "
+				   "'%s' contains an non-terminal wildcard",
+				   source, line, namebuf);
+	}
+}
+
+static isc_result_t
+openfile_text(dns_loadctx_t *lctx, const char *master_file) {
+	return (isc_lex_openfile(lctx->lex, master_file));
+}
+
+static int
+find_free_name(dns_incctx_t *incctx) {
+	int i;
+
+	for (i = 0; i < (NBUFS - 1); i++) {
+		if (!incctx->in_use[i]) {
+			break;
+		}
+	}
+	INSIST(!incctx->in_use[i]);
+	return (i);
+}
+
+static isc_result_t
+load_text(dns_loadctx_t *lctx) {
+	dns_rdataclass_t rdclass;
+	dns_rdatatype_t type, covers;
+	uint32_t ttl_offset = 0;
+	dns_name_t *new_name;
+	bool current_has_delegation = false;
+	bool done = false;
+	bool finish_origin = false;
+	bool finish_include = false;
+	bool read_till_eol = false;
+	bool initialws;
+	char *include_file = NULL;
+	isc_token_t token;
+	isc_result_t result = ISC_R_UNEXPECTED;
+	rdatalist_head_t glue_list;
+	rdatalist_head_t current_list;
+	dns_rdatalist_t *this;
+	dns_rdatalist_t *rdatalist = NULL;
+	dns_rdatalist_t *new_rdatalist;
+	int rdlcount = 0;
+	int rdlcount_save = 0;
+	int rdatalist_size = 0;
+	isc_buffer_t buffer;
+	isc_buffer_t target;
+	isc_buffer_t target_ft;
+	isc_buffer_t target_save;
+	dns_rdata_t *rdata = NULL;
+	dns_rdata_t *new_rdata;
+	int rdcount = 0;
+	int rdcount_save = 0;
+	int rdata_size = 0;
+	unsigned char *target_mem = NULL;
+	int target_size = TSIZ;
+	int new_in_use;
+	unsigned int loop_cnt = 0;
+	isc_mem_t *mctx;
+	dns_rdatacallbacks_t *callbacks;
+	dns_incctx_t *ictx;
+	char *range = NULL;
+	char *lhs = NULL;
+	char *gtype = NULL;
+	char *rhs = NULL;
+	const char *source;
+	unsigned long line = 0;
+	bool explicit_ttl;
+	char classname1[DNS_RDATACLASS_FORMATSIZE];
+	char classname2[DNS_RDATACLASS_FORMATSIZE];
+	unsigned int options = 0;
+
+	REQUIRE(DNS_LCTX_VALID(lctx));
+	callbacks = lctx->callbacks;
+	mctx = lctx->mctx;
+	ictx = lctx->inc;
+
+	ISC_LIST_INIT(glue_list);
+	ISC_LIST_INIT(current_list);
+
+	/*
+	 * Allocate target_size of buffer space.  This is greater than twice
+	 * the maximum individual RR data size.
+	 */
+	target_mem = isc_mem_get(mctx, target_size);
+	isc_buffer_init(&target, target_mem, target_size);
+	target_save = target;
+
+	if ((lctx->options & DNS_MASTER_CHECKNAMES) != 0) {
+		options |= DNS_RDATA_CHECKNAMES;
+	}
+	if ((lctx->options & DNS_MASTER_CHECKNAMESFAIL) != 0) {
+		options |= DNS_RDATA_CHECKNAMESFAIL;
+	}
+	if ((lctx->options & DNS_MASTER_CHECKMX) != 0) {
+		options |= DNS_RDATA_CHECKMX;
+	}
+	if ((lctx->options & DNS_MASTER_CHECKMXFAIL) != 0) {
+		options |= DNS_RDATA_CHECKMXFAIL;
+	}
+	source = isc_lex_getsourcename(lctx->lex);
+	do {
+		initialws = false;
+		line = isc_lex_getsourceline(lctx->lex);
+		GETTOKEN(lctx->lex, ISC_LEXOPT_INITIALWS | ISC_LEXOPT_QSTRING,
+			 &token, true);
+		line = isc_lex_getsourceline(lctx->lex);
+
+		if (token.type == isc_tokentype_eof) {
+			if (read_till_eol) {
+				WARNUNEXPECTEDEOF(lctx->lex);
+			}
+			/* Pop the include stack? */
+			if (ictx->parent != NULL) {
+				COMMITALL;
+				lctx->inc = ictx->parent;
+				ictx->parent = NULL;
+				incctx_destroy(lctx->mctx, ictx);
+				RUNTIME_CHECK(isc_lex_close(lctx->lex) ==
+					      ISC_R_SUCCESS);
+				line = isc_lex_getsourceline(lctx->lex);
+				POST(line);
+				source = isc_lex_getsourcename(lctx->lex);
+				ictx = lctx->inc;
+				continue;
+			}
+			done = true;
+			continue;
+		}
+
+		if (token.type == isc_tokentype_eol) {
+			read_till_eol = false;
+			continue; /* blank line */
+		}
+
+		if (read_till_eol) {
+			continue;
+		}
+
+		if (token.type == isc_tokentype_initialws) {
+			/*
+			 * Still working on the same name.
+			 */
+			initialws = true;
+		} else if (token.type == isc_tokentype_string ||
+			   token.type == isc_tokentype_qstring)
+		{
+			/*
+			 * "$" Support.
+			 *
+			 * "$ORIGIN" and "$INCLUDE" can both take domain names.
+			 * The processing of "$ORIGIN" and "$INCLUDE" extends
+			 * across the normal domain name processing.
+			 */
+
+			if (strcasecmp(DNS_AS_STR(token), "$ORIGIN") == 0) {
+				GETTOKEN(lctx->lex, 0, &token, false);
+				finish_origin = true;
+			} else if (strcasecmp(DNS_AS_STR(token), "$TTL") == 0) {
+				GETTOKENERR(lctx->lex, 0, &token, false,
+					    lctx->ttl = 0;
+					    lctx->default_ttl_known = true;);
+				result = dns_ttl_fromtext(
+					&token.value.as_textregion, &lctx->ttl);
+				if (MANYERRS(lctx, result)) {
+					SETRESULT(lctx, result);
+					lctx->ttl = 0;
+				} else if (result != ISC_R_SUCCESS) {
+					goto insist_and_cleanup;
+				}
+				limit_ttl(callbacks, source, line, &lctx->ttl);
+				lctx->default_ttl = lctx->ttl;
+				lctx->default_ttl_known = true;
+				EXPECTEOL;
+				continue;
+			} else if (strcasecmp(DNS_AS_STR(token), "$INCLUDE") ==
+				   0)
+			{
+				COMMITALL;
+				if ((lctx->options & DNS_MASTER_NOINCLUDE) != 0)
+				{
+					(callbacks->error)(callbacks,
+							   "%s: %s:%lu: "
+							   "$INCLUDE not "
+							   "allowed",
+							   "dns_master_load",
+							   source, line);
+					result = DNS_R_REFUSED;
+					goto insist_and_cleanup;
+				}
+				if (ttl_offset != 0) {
+					(callbacks->error)(callbacks,
+							   "%s: %s:%lu: "
+							   "$INCLUDE "
+							   "may not be used "
+							   "with $DATE",
+							   "dns_master_load",
+							   source, line);
+					result = DNS_R_SYNTAX;
+					goto insist_and_cleanup;
+				}
+				GETTOKEN(lctx->lex, ISC_LEXOPT_QSTRING, &token,
+					 false);
+				if (include_file != NULL) {
+					isc_mem_free(mctx, include_file);
+				}
+				include_file =
+					isc_mem_strdup(mctx, DNS_AS_STR(token));
+				GETTOKEN(lctx->lex, 0, &token, true);
+
+				if (token.type == isc_tokentype_eol ||
+				    token.type == isc_tokentype_eof)
+				{
+					if (token.type == isc_tokentype_eof) {
+						WARNUNEXPECTEDEOF(lctx->lex);
+					}
+					/*
+					 * No origin field.
+					 */
+					result = pushfile(include_file,
+							  ictx->origin, lctx);
+					if (MANYERRS(lctx, result)) {
+						SETRESULT(lctx, result);
+						LOGITFILE(result, include_file);
+						continue;
+					} else if (result != ISC_R_SUCCESS) {
+						LOGITFILE(result, include_file);
+						goto insist_and_cleanup;
+					}
+					ictx = lctx->inc;
+					source = isc_lex_getsourcename(
+						lctx->lex);
+					line = isc_lex_getsourceline(lctx->lex);
+					POST(line);
+					continue;
+				}
+				/*
+				 * There is an origin field.  Fall through
+				 * to domain name processing code and do
+				 * the actual inclusion later.
+				 */
+				finish_include = true;
+			} else if (strcasecmp(DNS_AS_STR(token), "$DATE") == 0)
+			{
+				int64_t dump_time64;
+				isc_stdtime_t dump_time, current_time;
+				GETTOKEN(lctx->lex, 0, &token, false);
+				isc_stdtime_get(&current_time);
+				result = dns_time64_fromtext(DNS_AS_STR(token),
+							     &dump_time64);
+				if (MANYERRS(lctx, result)) {
+					SETRESULT(lctx, result);
+					LOGIT(result);
+					dump_time64 = 0;
+				} else if (result != ISC_R_SUCCESS) {
+					goto log_and_cleanup;
+				}
+				dump_time = (isc_stdtime_t)dump_time64;
+				if (dump_time != dump_time64) {
+					UNEXPECTED_ERROR(__FILE__, __LINE__,
+							 "%s: %s:%lu: $DATE "
+							 "outside epoch",
+							 "dns_master_load",
+							 source, line);
+					result = ISC_R_UNEXPECTED;
+					goto insist_and_cleanup;
+				}
+				if (dump_time > current_time) {
+					UNEXPECTED_ERROR(__FILE__, __LINE__,
+							 "%s: %s:%lu: "
+							 "$DATE in future, "
+							 "using current date",
+							 "dns_master_load",
+							 source, line);
+					dump_time = current_time;
+				}
+				ttl_offset = current_time - dump_time;
+				EXPECTEOL;
+				continue;
+			} else if (strcasecmp(DNS_AS_STR(token), "$GENERATE") ==
+				   0)
+			{
+				/*
+				 * Lazy cleanup.
+				 */
+				if (range != NULL) {
+					isc_mem_free(mctx, range);
+				}
+				if (lhs != NULL) {
+					isc_mem_free(mctx, lhs);
+				}
+				if (gtype != NULL) {
+					isc_mem_free(mctx, gtype);
+				}
+				if (rhs != NULL) {
+					isc_mem_free(mctx, rhs);
+				}
+				range = lhs = gtype = rhs = NULL;
+				/* RANGE */
+				GETTOKEN(lctx->lex, 0, &token, false);
+				range = isc_mem_strdup(mctx, DNS_AS_STR(token));
+				/* LHS */
+				GETTOKEN(lctx->lex, 0, &token, false);
+				lhs = isc_mem_strdup(mctx, DNS_AS_STR(token));
+				rdclass = 0;
+				explicit_ttl = false;
+				/* CLASS? */
+				GETTOKEN(lctx->lex, 0, &token, false);
+				if (dns_rdataclass_fromtext(
+					    &rdclass,
+					    &token.value.as_textregion) ==
+				    ISC_R_SUCCESS)
+				{
+					GETTOKEN(lctx->lex, 0, &token, false);
+				}
+				/* TTL? */
+				if (dns_ttl_fromtext(&token.value.as_textregion,
+						     &lctx->ttl) ==
+				    ISC_R_SUCCESS)
+				{
+					limit_ttl(callbacks, source, line,
+						  &lctx->ttl);
+					lctx->ttl_known = true;
+					explicit_ttl = true;
+					GETTOKEN(lctx->lex, 0, &token, false);
+				}
+				/* CLASS? */
+				if (rdclass == 0 &&
+				    dns_rdataclass_fromtext(
+					    &rdclass,
+					    &token.value.as_textregion) ==
+					    ISC_R_SUCCESS)
+				{
+					GETTOKEN(lctx->lex, 0, &token, false);
+				}
+				/* TYPE */
+				gtype = isc_mem_strdup(mctx, DNS_AS_STR(token));
+				/* RHS */
+				GETTOKEN(lctx->lex, ISC_LEXOPT_QSTRING, &token,
+					 false);
+				rhs = isc_mem_strdup(mctx, DNS_AS_STR(token));
+				if (!lctx->ttl_known &&
+				    !lctx->default_ttl_known)
+				{
+					(*callbacks->error)(callbacks,
+							    "%s: %s:%lu: no "
+							    "TTL specified",
+							    "dns_master_load",
+							    source, line);
+					result = DNS_R_NOTTL;
+					if (MANYERRS(lctx, result)) {
+						SETRESULT(lctx, result);
+						lctx->ttl = 0;
+					} else {
+						goto insist_and_cleanup;
+					}
+				} else if (!explicit_ttl &&
+					   lctx->default_ttl_known)
+				{
+					lctx->ttl = lctx->default_ttl;
+				}
+				/*
+				 * If the class specified does not match the
+				 * zone's class print out a error message and
+				 * exit.
+				 */
+				if (rdclass != 0 && rdclass != lctx->zclass) {
+					goto bad_class;
+				}
+				result = generate(lctx, range, lhs, gtype, rhs,
+						  source, line);
+				if (MANYERRS(lctx, result)) {
+					SETRESULT(lctx, result);
+				} else if (result != ISC_R_SUCCESS) {
+					goto insist_and_cleanup;
+				}
+				EXPECTEOL;
+				continue;
+			} else if (strncasecmp(DNS_AS_STR(token), "$", 1) == 0)
+			{
+				(callbacks->error)(callbacks,
+						   "%s: %s:%lu: "
+						   "unknown $ directive '%s'",
+						   "dns_master_load", source,
+						   line, DNS_AS_STR(token));
+				result = DNS_R_SYNTAX;
+				if (MANYERRS(lctx, result)) {
+					SETRESULT(lctx, result);
+				} else {
+					goto insist_and_cleanup;
+				}
+			}
+
+			/*
+			 * Normal processing resumes.
+			 */
+			new_in_use = find_free_name(ictx);
+			new_name = dns_fixedname_initname(
+				&ictx->fixed[new_in_use]);
+			isc_buffer_init(&buffer, token.value.as_region.base,
+					token.value.as_region.length);
+			isc_buffer_add(&buffer, token.value.as_region.length);
+			isc_buffer_setactive(&buffer,
+					     token.value.as_region.length);
+			result = dns_name_fromtext(new_name, &buffer,
+						   ictx->origin, 0, NULL);
+			if (MANYERRS(lctx, result)) {
+				SETRESULT(lctx, result);
+				LOGIT(result);
+				read_till_eol = true;
+				continue;
+			} else if (result != ISC_R_SUCCESS) {
+				goto log_and_cleanup;
+			}
+
+			/*
+			 * Finish $ORIGIN / $INCLUDE processing if required.
+			 */
+			if (finish_origin) {
+				if (ictx->origin_in_use != -1) {
+					ictx->in_use[ictx->origin_in_use] =
+						false;
+				}
+				ictx->origin_in_use = new_in_use;
+				ictx->in_use[ictx->origin_in_use] = true;
+				ictx->origin = new_name;
+				ictx->origin_changed = true;
+				finish_origin = false;
+				EXPECTEOL;
+				continue;
+			}
+			if (finish_include) {
+				finish_include = false;
+				EXPECTEOL;
+				result = pushfile(include_file, new_name, lctx);
+				if (MANYERRS(lctx, result)) {
+					SETRESULT(lctx, result);
+					LOGITFILE(result, include_file);
+					continue;
+				} else if (result != ISC_R_SUCCESS) {
+					LOGITFILE(result, include_file);
+					goto insist_and_cleanup;
+				}
+				ictx = lctx->inc;
+				ictx->origin_changed = true;
+				source = isc_lex_getsourcename(lctx->lex);
+				line = isc_lex_getsourceline(lctx->lex);
+				POST(line);
+				continue;
+			}
+
+			/*
+			 * "$" Processing Finished
+			 */
+
+			/*
+			 * If we are processing glue and the new name does
+			 * not match the current glue name, commit the glue
+			 * and pop stacks leaving us in 'normal' processing
+			 * state.  Linked lists are undone by commit().
+			 */
+			if (ictx->glue != NULL &&
+			    !dns_name_caseequal(ictx->glue, new_name))
+			{
+				result = commit(callbacks, lctx, &glue_list,
+						ictx->glue, source,
+						ictx->glue_line);
+				if (MANYERRS(lctx, result)) {
+					SETRESULT(lctx, result);
+				} else if (result != ISC_R_SUCCESS) {
+					goto insist_and_cleanup;
+				}
+				if (ictx->glue_in_use != -1) {
+					ictx->in_use[ictx->glue_in_use] = false;
+				}
+				ictx->glue_in_use = -1;
+				ictx->glue = NULL;
+				rdcount = rdcount_save;
+				rdlcount = rdlcount_save;
+				target = target_save;
+			}
+
+			/*
+			 * If we are in 'normal' processing state and the new
+			 * name does not match the current name, see if the
+			 * new name is for glue and treat it as such,
+			 * otherwise we have a new name so commit what we
+			 * have.
+			 */
+			if ((ictx->glue == NULL) &&
+			    (ictx->current == NULL ||
+			     !dns_name_caseequal(ictx->current, new_name)))
+			{
+				if (current_has_delegation &&
+				    is_glue(&current_list, new_name))
+				{
+					rdcount_save = rdcount;
+					rdlcount_save = rdlcount;
+					target_save = target;
+					ictx->glue = new_name;
+					ictx->glue_in_use = new_in_use;
+					ictx->in_use[ictx->glue_in_use] = true;
+				} else {
+					result = commit(callbacks, lctx,
+							&current_list,
+							ictx->current, source,
+							ictx->current_line);
+					if (MANYERRS(lctx, result)) {
+						SETRESULT(lctx, result);
+					} else if (result != ISC_R_SUCCESS) {
+						goto insist_and_cleanup;
+					}
+					rdcount = 0;
+					rdlcount = 0;
+					if (ictx->current_in_use != -1) {
+						ictx->in_use
+							[ictx->current_in_use] =
+							false;
+					}
+					ictx->current_in_use = new_in_use;
+					ictx->in_use[ictx->current_in_use] =
+						true;
+					ictx->current = new_name;
+					current_has_delegation = false;
+					isc_buffer_init(&target, target_mem,
+							target_size);
+				}
+				/*
+				 * Check for internal wildcards.
+				 */
+				if ((lctx->options &
+				     DNS_MASTER_CHECKWILDCARD) != 0)
+				{
+					check_wildcard(ictx, source, line,
+						       callbacks);
+				}
+			}
+			if (dns_master_isprimary(lctx) &&
+			    !dns_name_issubdomain(new_name, lctx->top))
+			{
+				char namebuf[DNS_NAME_FORMATSIZE];
+				dns_name_format(new_name, namebuf,
+						sizeof(namebuf));
+				/*
+				 * Ignore out-of-zone data.
+				 */
+				(*callbacks->warn)(callbacks,
+						   "%s:%lu: "
+						   "ignoring out-of-zone data "
+						   "(%s)",
+						   source, line, namebuf);
+				ictx->drop = true;
+			} else {
+				ictx->drop = false;
+			}
+		} else {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "%s:%lu: isc_lex_gettoken() returned "
+					 "unexpected token type (%d)",
+					 source, line, token.type);
+			result = ISC_R_UNEXPECTED;
+			if (MANYERRS(lctx, result)) {
+				SETRESULT(lctx, result);
+				LOGIT(result);
+				continue;
+			} else {
+				goto insist_and_cleanup;
+			}
+		}
+
+		/*
+		 * Find TTL, class and type.  Both TTL and class are optional
+		 * and may occur in any order if they exist. TTL and class
+		 * come before type which must exist.
+		 *
+		 * [<TTL>] [<class>] <type> <RDATA>
+		 * [<class>] [<TTL>] <type> <RDATA>
+		 */
+
+		type = 0;
+		rdclass = 0;
+
+		GETTOKEN(lctx->lex, 0, &token, initialws);
+
+		if (initialws) {
+			if (token.type == isc_tokentype_eol) {
+				read_till_eol = false;
+				continue; /* blank line */
+			}
+
+			if (token.type == isc_tokentype_eof) {
+				WARNUNEXPECTEDEOF(lctx->lex);
+				read_till_eol = false;
+				isc_lex_ungettoken(lctx->lex, &token);
+				continue;
+			}
+
+			if (ictx->current == NULL) {
+				(*callbacks->error)(callbacks,
+						    "%s:%lu: no current owner "
+						    "name",
+						    source, line);
+				result = DNS_R_NOOWNER;
+				if (MANYERRS(lctx, result)) {
+					SETRESULT(lctx, result);
+					read_till_eol = true;
+					continue;
+				} else {
+					goto insist_and_cleanup;
+				}
+			}
+
+			if (ictx->origin_changed) {
+				char cbuf[DNS_NAME_FORMATSIZE];
+				char obuf[DNS_NAME_FORMATSIZE];
+				dns_name_format(ictx->current, cbuf,
+						sizeof(cbuf));
+				dns_name_format(ictx->origin, obuf,
+						sizeof(obuf));
+				(*callbacks->warn)(callbacks,
+						   "%s:%lu: record with "
+						   "inherited "
+						   "owner (%s) immediately "
+						   "after "
+						   "$ORIGIN (%s)",
+						   source, line, cbuf, obuf);
+			}
+		}
+
+		ictx->origin_changed = false;
+
+		if (dns_rdataclass_fromtext(&rdclass,
+					    &token.value.as_textregion) ==
+		    ISC_R_SUCCESS)
+		{
+			GETTOKEN(lctx->lex, 0, &token, false);
+		}
+
+		explicit_ttl = false;
+		result = dns_ttl_fromtext(&token.value.as_textregion,
+					  &lctx->ttl);
+		if (result == ISC_R_SUCCESS) {
+			limit_ttl(callbacks, source, line, &lctx->ttl);
+			explicit_ttl = true;
+			lctx->ttl_known = true;
+			GETTOKEN(lctx->lex, 0, &token, false);
+		}
+
+		if (token.type != isc_tokentype_string) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "isc_lex_gettoken() returned "
+					 "unexpected token type");
+			result = ISC_R_UNEXPECTED;
+			if (MANYERRS(lctx, result)) {
+				SETRESULT(lctx, result);
+				read_till_eol = true;
+				continue;
+			} else {
+				goto insist_and_cleanup;
+			}
+		}
+
+		if (rdclass == 0 &&
+		    dns_rdataclass_fromtext(&rdclass,
+					    &token.value.as_textregion) ==
+			    ISC_R_SUCCESS)
+		{
+			GETTOKEN(lctx->lex, 0, &token, false);
+		}
+
+		if (token.type != isc_tokentype_string) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "isc_lex_gettoken() returned "
+					 "unexpected token type");
+			result = ISC_R_UNEXPECTED;
+			if (MANYERRS(lctx, result)) {
+				SETRESULT(lctx, result);
+				read_till_eol = true;
+				continue;
+			} else {
+				goto insist_and_cleanup;
+			}
+		}
+
+		result = dns_rdatatype_fromtext(&type,
+						&token.value.as_textregion);
+		if (result != ISC_R_SUCCESS) {
+			(*callbacks->warn)(
+				callbacks, "%s:%lu: unknown RR type '%.*s'",
+				source, line, token.value.as_textregion.length,
+				token.value.as_textregion.base);
+			if (MANYERRS(lctx, result)) {
+				SETRESULT(lctx, result);
+				read_till_eol = true;
+				continue;
+			} else if (result != ISC_R_SUCCESS) {
+				goto insist_and_cleanup;
+			}
+		}
+
+		/*
+		 * If the class specified does not match the zone's class
+		 * print out a error message and exit.
+		 */
+		if (rdclass != 0 && rdclass != lctx->zclass) {
+		bad_class:
+
+			dns_rdataclass_format(rdclass, classname1,
+					      sizeof(classname1));
+			dns_rdataclass_format(lctx->zclass, classname2,
+					      sizeof(classname2));
+			(*callbacks->error)(callbacks,
+					    "%s:%lu: class '%s' != "
+					    "zone class '%s'",
+					    source, line, classname1,
+					    classname2);
+			result = DNS_R_BADCLASS;
+			if (MANYERRS(lctx, result)) {
+				SETRESULT(lctx, result);
+				read_till_eol = true;
+				continue;
+			} else {
+				goto insist_and_cleanup;
+			}
+		}
+
+		if (type == dns_rdatatype_ns && ictx->glue == NULL) {
+			current_has_delegation = true;
+		}
+
+		/*
+		 * RFC1123: MD and MF are not allowed to be loaded from
+		 * master files.
+		 */
+		if (dns_master_isprimary(lctx) &&
+		    (type == dns_rdatatype_md || type == dns_rdatatype_mf))
+		{
+			char typebuf[DNS_RDATATYPE_FORMATSIZE];
+
+			result = DNS_R_OBSOLETE;
+
+			dns_rdatatype_format(type, typebuf, sizeof(typebuf));
+			(*callbacks->error)(callbacks, "%s:%lu: %s '%s': %s",
+					    source, line, "type", typebuf,
+					    dns_result_totext(result));
+			if (MANYERRS(lctx, result)) {
+				SETRESULT(lctx, result);
+			} else {
+				goto insist_and_cleanup;
+			}
+		}
+
+		/*
+		 * RFC2930: TKEY and TSIG are not allowed to be loaded
+		 * from master files.
+		 */
+		if (dns_master_isprimary(lctx) && dns_rdatatype_ismeta(type)) {
+			char typebuf[DNS_RDATATYPE_FORMATSIZE];
+
+			result = DNS_R_METATYPE;
+
+			dns_rdatatype_format(type, typebuf, sizeof(typebuf));
+			(*callbacks->error)(callbacks, "%s:%lu: %s '%s': %s",
+					    source, line, "type", typebuf,
+					    dns_result_totext(result));
+			if (MANYERRS(lctx, result)) {
+				SETRESULT(lctx, result);
+			} else {
+				goto insist_and_cleanup;
+			}
+		}
+
+		/*
+		 * Find a rdata structure.
+		 */
+		if (rdcount == rdata_size) {
+			new_rdata = grow_rdata(rdata_size + RDSZ, rdata,
+					       rdata_size, &current_list,
+					       &glue_list, mctx);
+			if (new_rdata == NULL) {
+				result = ISC_R_NOMEMORY;
+				goto log_and_cleanup;
+			}
+			rdata_size += RDSZ;
+			rdata = new_rdata;
+		}
+
+		/*
+		 * Peek at the NS record.
+		 */
+		if (type == dns_rdatatype_ns &&
+		    lctx->zclass == dns_rdataclass_in &&
+		    (lctx->options & DNS_MASTER_CHECKNS) != 0)
+		{
+			GETTOKEN(lctx->lex, 0, &token, false);
+			result = check_ns(lctx, &token, source, line);
+			isc_lex_ungettoken(lctx->lex, &token);
+			if ((lctx->options & DNS_MASTER_FATALNS) != 0) {
+				if (MANYERRS(lctx, result)) {
+					SETRESULT(lctx, result);
+				} else if (result != ISC_R_SUCCESS) {
+					goto insist_and_cleanup;
+				}
+			}
+		}
+
+		/*
+		 * Check owner name.
+		 */
+		options &= ~DNS_RDATA_CHECKREVERSE;
+		if ((lctx->options & DNS_MASTER_CHECKNAMES) != 0) {
+			bool ok;
+			dns_name_t *name;
+
+			name = (ictx->glue != NULL) ? ictx->glue
+						    : ictx->current;
+			ok = dns_rdata_checkowner(name, lctx->zclass, type,
+						  true);
+			if (!ok) {
+				char namebuf[DNS_NAME_FORMATSIZE];
+				const char *desc;
+				dns_name_format(name, namebuf, sizeof(namebuf));
+				result = DNS_R_BADOWNERNAME;
+				desc = dns_result_totext(result);
+				if (CHECKNAMESFAIL(lctx->options) ||
+				    type == dns_rdatatype_nsec3)
+				{
+					(*callbacks->error)(
+						callbacks, "%s:%lu: %s: %s",
+						source, line, namebuf, desc);
+					if (MANYERRS(lctx, result)) {
+						SETRESULT(lctx, result);
+					} else {
+						goto cleanup;
+					}
+				} else {
+					(*callbacks->warn)(
+						callbacks, "%s:%lu: %s: %s",
+						source, line, namebuf, desc);
+				}
+			}
+			if (type == dns_rdatatype_ptr &&
+			    !dns_name_isdnssd(name) &&
+			    (dns_name_issubdomain(name, &in_addr_arpa) ||
+			     dns_name_issubdomain(name, &ip6_arpa) ||
+			     dns_name_issubdomain(name, &ip6_int)))
+			{
+				options |= DNS_RDATA_CHECKREVERSE;
+			}
+		}
+
+		/*
+		 * Read rdata contents.
+		 */
+		dns_rdata_init(&rdata[rdcount]);
+		target_ft = target;
+		result = dns_rdata_fromtext(&rdata[rdcount], lctx->zclass, type,
+					    lctx->lex, ictx->origin, options,
+					    lctx->mctx, &target, callbacks);
+		if (MANYERRS(lctx, result)) {
+			SETRESULT(lctx, result);
+			continue;
+		} else if (result != ISC_R_SUCCESS) {
+			goto insist_and_cleanup;
+		}
+
+		if (ictx->drop) {
+			target = target_ft;
+			continue;
+		}
+
+		if (type == dns_rdatatype_soa &&
+		    (lctx->options & DNS_MASTER_ZONE) != 0 &&
+		    !dns_name_equal(ictx->current, lctx->top))
+		{
+			char namebuf[DNS_NAME_FORMATSIZE];
+			dns_name_format(ictx->current, namebuf,
+					sizeof(namebuf));
+			(*callbacks->error)(callbacks,
+					    "%s:%lu: SOA "
+					    "record not at top of zone (%s)",
+					    source, line, namebuf);
+			result = DNS_R_NOTZONETOP;
+			if (MANYERRS(lctx, result)) {
+				SETRESULT(lctx, result);
+				read_till_eol = true;
+				target = target_ft;
+				continue;
+			} else {
+				goto insist_and_cleanup;
+			}
+		}
+
+		if (dns_rdatatype_atparent(type) &&
+		    dns_master_isprimary(lctx) &&
+		    dns_name_equal(ictx->current, lctx->top))
+		{
+			char namebuf[DNS_NAME_FORMATSIZE];
+			char typebuf[DNS_RDATATYPE_FORMATSIZE];
+
+			dns_name_format(ictx->current, namebuf,
+					sizeof(namebuf));
+			dns_rdatatype_format(type, typebuf, sizeof(typebuf));
+			(*callbacks->error)(
+				callbacks,
+				"%s:%lu: %s record at top of zone (%s)", source,
+				line, typebuf, namebuf);
+			result = DNS_R_ATZONETOP;
+			if (MANYERRS(lctx, result)) {
+				SETRESULT(lctx, result);
+				target = target_ft;
+				continue;
+			} else {
+				goto insist_and_cleanup;
+			}
+		}
+
+		if (type == dns_rdatatype_rrsig || type == dns_rdatatype_sig) {
+			covers = dns_rdata_covers(&rdata[rdcount]);
+		} else {
+			covers = 0;
+		}
+
+		if (!lctx->ttl_known && !lctx->default_ttl_known) {
+			if (type == dns_rdatatype_soa) {
+				(*callbacks->warn)(callbacks,
+						   "%s:%lu: no TTL specified; "
+						   "using SOA MINTTL instead",
+						   source, line);
+				lctx->ttl = dns_soa_getminimum(&rdata[rdcount]);
+				limit_ttl(callbacks, source, line, &lctx->ttl);
+				lctx->default_ttl = lctx->ttl;
+				lctx->default_ttl_known = true;
+			} else if ((lctx->options & DNS_MASTER_HINT) != 0) {
+				/*
+				 * Zero TTL's are fine for hints.
+				 */
+				lctx->ttl = 0;
+				lctx->default_ttl = lctx->ttl;
+				lctx->default_ttl_known = true;
+			} else {
+				(*callbacks->warn)(callbacks,
+						   "%s:%lu: no TTL specified; "
+						   "zone rejected",
+						   source, line);
+				result = DNS_R_NOTTL;
+				if (MANYERRS(lctx, result)) {
+					SETRESULT(lctx, result);
+					lctx->ttl = 0;
+				} else {
+					goto insist_and_cleanup;
+				}
+			}
+		} else if (!explicit_ttl && lctx->default_ttl_known) {
+			lctx->ttl = lctx->default_ttl;
+		} else if (!explicit_ttl && lctx->warn_1035) {
+			(*callbacks->warn)(callbacks,
+					   "%s:%lu: "
+					   "using RFC1035 TTL semantics",
+					   source, line);
+			lctx->warn_1035 = false;
+		}
+
+		if (type == dns_rdatatype_rrsig && lctx->warn_sigexpired) {
+			dns_rdata_rrsig_t sig;
+			result = dns_rdata_tostruct(&rdata[rdcount], &sig,
+						    NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			if (isc_serial_lt(sig.timeexpire, lctx->now)) {
+				(*callbacks->warn)(callbacks,
+						   "%s:%lu: "
+						   "signature has expired",
+						   source, line);
+				lctx->warn_sigexpired = false;
+			}
+		}
+
+		if ((type == dns_rdatatype_sig || type == dns_rdatatype_nxt) &&
+		    lctx->warn_tcr && dns_master_isprimary(lctx))
+		{
+			(*callbacks->warn)(callbacks,
+					   "%s:%lu: old style DNSSEC "
+					   " zone detected",
+					   source, line);
+			lctx->warn_tcr = false;
+		}
+
+		if ((lctx->options & DNS_MASTER_AGETTL) != 0) {
+			/*
+			 * Adjust the TTL for $DATE. If the RR has
+			 * already expired, set its TTL to 0. This
+			 * should be okay even if the TTL stretching
+			 * feature is not in effect, because it will
+			 * just be quickly expired by the cache, and the
+			 * way this was written before the patch it
+			 * could potentially add 0 TTLs anyway.
+			 */
+			if (lctx->ttl < ttl_offset) {
+				lctx->ttl = 0;
+			} else {
+				lctx->ttl -= ttl_offset;
+			}
+		}
+
+		/*
+		 * Find type in rdatalist.
+		 * If it does not exist create new one and prepend to list
+		 * as this will minimise list traversal.
+		 */
+		if (ictx->glue != NULL) {
+			this = ISC_LIST_HEAD(glue_list);
+		} else {
+			this = ISC_LIST_HEAD(current_list);
+		}
+
+		while (this != NULL) {
+			if (this->type == type && this->covers == covers) {
+				break;
+			}
+			this = ISC_LIST_NEXT(this, link);
+		}
+
+		if (this == NULL) {
+			if (rdlcount == rdatalist_size) {
+				new_rdatalist = grow_rdatalist(
+					rdatalist_size + RDLSZ, rdatalist,
+					rdatalist_size, &current_list,
+					&glue_list, mctx);
+				if (new_rdatalist == NULL) {
+					result = ISC_R_NOMEMORY;
+					goto log_and_cleanup;
+				}
+				rdatalist = new_rdatalist;
+				rdatalist_size += RDLSZ;
+			}
+			this = &rdatalist[rdlcount++];
+			dns_rdatalist_init(this);
+			this->type = type;
+			this->covers = covers;
+			this->rdclass = lctx->zclass;
+			this->ttl = lctx->ttl;
+			if (ictx->glue != NULL) {
+				ISC_LIST_INITANDPREPEND(glue_list, this, link);
+			} else {
+				ISC_LIST_INITANDPREPEND(current_list, this,
+							link);
+			}
+		} else if (this->ttl != lctx->ttl) {
+			(*callbacks->warn)(callbacks,
+					   "%s:%lu: "
+					   "TTL set to prior TTL (%lu)",
+					   source, line, this->ttl);
+			lctx->ttl = this->ttl;
+		}
+
+		if ((lctx->options & DNS_MASTER_CHECKTTL) != 0 &&
+		    lctx->ttl > lctx->maxttl)
+		{
+			(callbacks->error)(callbacks,
+					   "dns_master_load: %s:%lu: "
+					   "TTL %d exceeds configured "
+					   "max-zone-ttl %d",
+					   source, line, lctx->ttl,
+					   lctx->maxttl);
+			result = ISC_R_RANGE;
+			goto log_and_cleanup;
+		}
+
+		ISC_LIST_APPEND(this->rdata, &rdata[rdcount], link);
+		if (ictx->glue != NULL) {
+			ictx->glue_line = line;
+		} else {
+			ictx->current_line = line;
+		}
+		rdcount++;
+
+		/*
+		 * We must have at least 64k as rdlen is 16 bits.
+		 * If we don't commit everything we have so far.
+		 */
+		if ((target.length - target.used) < MINTSIZ) {
+			COMMITALL;
+		}
+	next_line:;
+	} while (!done && (lctx->loop_cnt == 0 || loop_cnt++ < lctx->loop_cnt));
+
+	/*
+	 * Commit what has not yet been committed.
+	 */
+	result = commit(callbacks, lctx, &current_list, ictx->current, source,
+			ictx->current_line);
+	if (MANYERRS(lctx, result)) {
+		SETRESULT(lctx, result);
+	} else if (result != ISC_R_SUCCESS) {
+		goto insist_and_cleanup;
+	}
+	result = commit(callbacks, lctx, &glue_list, ictx->glue, source,
+			ictx->glue_line);
+	if (MANYERRS(lctx, result)) {
+		SETRESULT(lctx, result);
+	} else if (result != ISC_R_SUCCESS) {
+		goto insist_and_cleanup;
+	}
+
+	if (!done) {
+		INSIST(lctx->done != NULL && lctx->task != NULL);
+		result = DNS_R_CONTINUE;
+	} else if (result == ISC_R_SUCCESS && lctx->result != ISC_R_SUCCESS) {
+		result = lctx->result;
+	} else if (result == ISC_R_SUCCESS && lctx->seen_include) {
+		result = DNS_R_SEENINCLUDE;
+	}
+	goto cleanup;
+
+log_and_cleanup:
+	LOGIT(result);
+
+insist_and_cleanup:
+	INSIST(result != ISC_R_SUCCESS);
+
+cleanup:
+	while ((this = ISC_LIST_HEAD(current_list)) != NULL) {
+		ISC_LIST_UNLINK(current_list, this, link);
+	}
+	while ((this = ISC_LIST_HEAD(glue_list)) != NULL) {
+		ISC_LIST_UNLINK(glue_list, this, link);
+	}
+	if (rdatalist != NULL) {
+		isc_mem_put(mctx, rdatalist,
+			    rdatalist_size * sizeof(*rdatalist));
+	}
+	if (rdata != NULL) {
+		isc_mem_put(mctx, rdata, rdata_size * sizeof(*rdata));
+	}
+	if (target_mem != NULL) {
+		isc_mem_put(mctx, target_mem, target_size);
+	}
+	if (include_file != NULL) {
+		isc_mem_free(mctx, include_file);
+	}
+	if (range != NULL) {
+		isc_mem_free(mctx, range);
+	}
+	if (lhs != NULL) {
+		isc_mem_free(mctx, lhs);
+	}
+	if (gtype != NULL) {
+		isc_mem_free(mctx, gtype);
+	}
+	if (rhs != NULL) {
+		isc_mem_free(mctx, rhs);
+	}
+	return (result);
+}
+
+static isc_result_t
+pushfile(const char *master_file, dns_name_t *origin, dns_loadctx_t *lctx) {
+	isc_result_t result;
+	dns_incctx_t *ictx;
+	dns_incctx_t *newctx = NULL;
+	isc_region_t r;
+
+	REQUIRE(master_file != NULL);
+	REQUIRE(DNS_LCTX_VALID(lctx));
+
+	ictx = lctx->inc;
+	lctx->seen_include = true;
+
+	result = incctx_create(lctx->mctx, origin, &newctx);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	/*
+	 * Push origin_changed.
+	 */
+	newctx->origin_changed = ictx->origin_changed;
+
+	/* Set current domain. */
+	if (ictx->glue != NULL || ictx->current != NULL) {
+		newctx->current_in_use = find_free_name(newctx);
+		newctx->current = dns_fixedname_name(
+			&newctx->fixed[newctx->current_in_use]);
+		newctx->in_use[newctx->current_in_use] = true;
+		dns_name_toregion(
+			(ictx->glue != NULL) ? ictx->glue : ictx->current, &r);
+		dns_name_fromregion(newctx->current, &r);
+		newctx->drop = ictx->drop;
+	}
+
+	result = (lctx->openfile)(lctx, master_file);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	newctx->parent = ictx;
+	lctx->inc = newctx;
+
+	if (lctx->include_cb != NULL) {
+		lctx->include_cb(master_file, lctx->include_arg);
+	}
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	incctx_destroy(lctx->mctx, newctx);
+	return (result);
+}
+
+/*
+ * Fill/check exists buffer with 'len' bytes.  Track remaining bytes to be
+ * read when incrementally filling the buffer.
+ */
+static isc_result_t
+read_and_check(bool do_read, isc_buffer_t *buffer, size_t len, FILE *f,
+	       uint32_t *totallen) {
+	isc_result_t result;
+
+	REQUIRE(totallen != NULL);
+
+	if (do_read) {
+		INSIST(isc_buffer_availablelength(buffer) >= len);
+		result = isc_stdio_read(isc_buffer_used(buffer), 1, len, f,
+					NULL);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		isc_buffer_add(buffer, (unsigned int)len);
+		if (*totallen < len) {
+			return (ISC_R_RANGE);
+		}
+		*totallen -= (uint32_t)len;
+	} else if (isc_buffer_remaininglength(buffer) < len) {
+		return (ISC_R_RANGE);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+load_header(dns_loadctx_t *lctx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_masterrawheader_t header;
+	dns_rdatacallbacks_t *callbacks;
+	size_t commonlen = sizeof(header.format) + sizeof(header.version);
+	size_t remainder;
+	unsigned char data[sizeof(header)];
+	isc_buffer_t target;
+
+	REQUIRE(DNS_LCTX_VALID(lctx));
+
+	if (lctx->format != dns_masterformat_raw &&
+	    lctx->format != dns_masterformat_map)
+	{
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	callbacks = lctx->callbacks;
+	dns_master_initrawheader(&header);
+
+	INSIST(commonlen <= sizeof(header));
+	isc_buffer_init(&target, data, sizeof(data));
+
+	result = isc_stdio_read(data, 1, commonlen, lctx->f, NULL);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_stdio_read failed: %s",
+				 isc_result_totext(result));
+		return (result);
+	}
+
+	isc_buffer_add(&target, (unsigned int)commonlen);
+	header.format = isc_buffer_getuint32(&target);
+	if (header.format != lctx->format) {
+		(*callbacks->error)(callbacks,
+				    "dns_master_load: "
+				    "file format mismatch (not %s)",
+				    lctx->format == dns_masterformat_map ? "map"
+									 : "ra"
+									   "w");
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	header.version = isc_buffer_getuint32(&target);
+
+	switch (header.version) {
+	case 0:
+		remainder = sizeof(header.dumptime);
+		break;
+	case DNS_RAWFORMAT_VERSION:
+		remainder = sizeof(header) - commonlen;
+		break;
+	default:
+		(*callbacks->error)(callbacks, "dns_master_load: "
+					       "unsupported file format "
+					       "version");
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	result = isc_stdio_read(data + commonlen, 1, remainder, lctx->f, NULL);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_stdio_read failed: %s",
+				 isc_result_totext(result));
+		return (result);
+	}
+
+	isc_buffer_add(&target, (unsigned int)remainder);
+	header.dumptime = isc_buffer_getuint32(&target);
+	if (header.version == DNS_RAWFORMAT_VERSION) {
+		header.flags = isc_buffer_getuint32(&target);
+		header.sourceserial = isc_buffer_getuint32(&target);
+		header.lastxfrin = isc_buffer_getuint32(&target);
+	}
+
+	lctx->first = false;
+	lctx->header = header;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+openfile_map(dns_loadctx_t *lctx, const char *master_file) {
+	isc_result_t result;
+
+	result = isc_stdio_open(master_file, "rb", &lctx->f);
+	if (result != ISC_R_SUCCESS && result != ISC_R_FILENOTFOUND) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_stdio_open() failed: %s",
+				 isc_result_totext(result));
+	}
+
+	return (result);
+}
+
+/*
+ * Load a map format file, using mmap() to access RBT trees directly
+ */
+static isc_result_t
+load_map(dns_loadctx_t *lctx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_rdatacallbacks_t *callbacks;
+
+	REQUIRE(DNS_LCTX_VALID(lctx));
+
+	callbacks = lctx->callbacks;
+
+	if (lctx->first) {
+		result = load_header(lctx);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+
+		result = (*callbacks->deserialize)(
+			callbacks->deserialize_private, lctx->f,
+			sizeof(dns_masterrawheader_t));
+	}
+
+	return (result);
+}
+
+static isc_result_t
+openfile_raw(dns_loadctx_t *lctx, const char *master_file) {
+	isc_result_t result;
+
+	result = isc_stdio_open(master_file, "rb", &lctx->f);
+	if (result != ISC_R_SUCCESS && result != ISC_R_FILENOTFOUND) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_stdio_open() failed: %s",
+				 isc_result_totext(result));
+	}
+
+	return (result);
+}
+
+static isc_result_t
+load_raw(dns_loadctx_t *lctx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	bool done = false;
+	unsigned int loop_cnt = 0;
+	dns_rdatacallbacks_t *callbacks;
+	unsigned char namebuf[DNS_NAME_MAXWIRE];
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	rdatalist_head_t head, dummy;
+	dns_rdatalist_t rdatalist;
+	isc_mem_t *mctx = lctx->mctx;
+	dns_rdata_t *rdata = NULL;
+	unsigned int rdata_size = 0;
+	int target_size = TSIZ;
+	isc_buffer_t target, buf;
+	unsigned char *target_mem = NULL;
+	dns_decompress_t dctx;
+
+	callbacks = lctx->callbacks;
+	dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_NONE);
+
+	if (lctx->first) {
+		result = load_header(lctx);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+
+	ISC_LIST_INIT(head);
+	ISC_LIST_INIT(dummy);
+
+	/*
+	 * Allocate target_size of buffer space.  This is greater than twice
+	 * the maximum individual RR data size.
+	 */
+	target_mem = isc_mem_get(mctx, target_size);
+	isc_buffer_init(&target, target_mem, target_size);
+
+	name = dns_fixedname_initname(&fixed);
+
+	/*
+	 * In the following loop, we regard any error fatal regardless of
+	 * whether "MANYERRORS" is set in the context option.  This is because
+	 * normal errors should already have been checked at creation time.
+	 * Besides, it is very unlikely that we can recover from an error
+	 * in this format, and so trying to continue parsing erroneous data
+	 * does not really make sense.
+	 */
+	for (loop_cnt = 0; (lctx->loop_cnt == 0 || loop_cnt < lctx->loop_cnt);
+	     loop_cnt++)
+	{
+		unsigned int i, rdcount;
+		uint16_t namelen;
+		uint32_t totallen;
+		size_t minlen, readlen;
+		bool sequential_read = false;
+
+		/* Read the data length */
+		isc_buffer_clear(&target);
+		INSIST(isc_buffer_availablelength(&target) >= sizeof(totallen));
+		result = isc_stdio_read(target.base, 1, sizeof(totallen),
+					lctx->f, NULL);
+		if (result == ISC_R_EOF) {
+			result = ISC_R_SUCCESS;
+			done = true;
+			break;
+		}
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+		isc_buffer_add(&target, sizeof(totallen));
+		totallen = isc_buffer_getuint32(&target);
+
+		/*
+		 * Validation: the input data must at least contain the common
+		 * header.
+		 */
+		minlen = sizeof(totallen) + sizeof(uint16_t) +
+			 sizeof(uint16_t) + sizeof(uint16_t) +
+			 sizeof(uint32_t) + sizeof(uint32_t);
+		if (totallen < minlen) {
+			result = ISC_R_RANGE;
+			goto cleanup;
+		}
+		totallen -= sizeof(totallen);
+
+		isc_buffer_clear(&target);
+		if (totallen > isc_buffer_availablelength(&target)) {
+			/*
+			 * The default buffer size should typically be large
+			 * enough to store the entire RRset.  We could try to
+			 * allocate enough space if this is not the case, but
+			 * it might cause a hazardous result when "totallen"
+			 * is forged.  Thus, we'd rather take an inefficient
+			 * but robust approach in this atypical case: read
+			 * data step by step, and commit partial data when
+			 * necessary.  Note that the buffer must be large
+			 * enough to store the "header part", owner name, and
+			 * at least one rdata (however large it is).
+			 */
+			sequential_read = true;
+			readlen = minlen - sizeof(totallen);
+		} else {
+			/*
+			 * Typical case.  We can read the whole RRset at once
+			 * with the default buffer.
+			 */
+			readlen = totallen;
+		}
+		result = isc_stdio_read(target.base, 1, readlen, lctx->f, NULL);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+		isc_buffer_add(&target, (unsigned int)readlen);
+		totallen -= (uint32_t)readlen;
+
+		/* Construct RRset headers */
+		dns_rdatalist_init(&rdatalist);
+		rdatalist.rdclass = isc_buffer_getuint16(&target);
+		if (lctx->zclass != rdatalist.rdclass) {
+			result = DNS_R_BADCLASS;
+			goto cleanup;
+		}
+		rdatalist.type = isc_buffer_getuint16(&target);
+		rdatalist.covers = isc_buffer_getuint16(&target);
+		rdatalist.ttl = isc_buffer_getuint32(&target);
+		rdcount = isc_buffer_getuint32(&target);
+		if (rdcount == 0 || rdcount > 0xffff) {
+			result = ISC_R_RANGE;
+			goto cleanup;
+		}
+		INSIST(isc_buffer_consumedlength(&target) <= readlen);
+
+		/* Owner name: length followed by name */
+		result = read_and_check(sequential_read, &target,
+					sizeof(namelen), lctx->f, &totallen);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+		namelen = isc_buffer_getuint16(&target);
+		if (namelen > sizeof(namebuf)) {
+			result = ISC_R_RANGE;
+			goto cleanup;
+		}
+
+		result = read_and_check(sequential_read, &target, namelen,
+					lctx->f, &totallen);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+
+		isc_buffer_setactive(&target, (unsigned int)namelen);
+		result = dns_name_fromwire(name, &target, &dctx, 0, NULL);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+
+		if ((lctx->options & DNS_MASTER_CHECKTTL) != 0 &&
+		    rdatalist.ttl > lctx->maxttl)
+		{
+			(callbacks->error)(callbacks,
+					   "dns_master_load: "
+					   "TTL %d exceeds configured "
+					   "max-zone-ttl %d",
+					   rdatalist.ttl, lctx->maxttl);
+			result = ISC_R_RANGE;
+			goto cleanup;
+		}
+
+		/* Rdata contents. */
+		if (rdcount > rdata_size) {
+			dns_rdata_t *new_rdata = NULL;
+
+			new_rdata = grow_rdata(rdcount + RDSZ, rdata,
+					       rdata_size, &head, &dummy, mctx);
+			if (new_rdata == NULL) {
+				result = ISC_R_NOMEMORY;
+				goto cleanup;
+			}
+			rdata_size = rdcount + RDSZ;
+			rdata = new_rdata;
+		}
+
+	continue_read:
+		for (i = 0; i < rdcount; i++) {
+			uint16_t rdlen;
+
+			dns_rdata_init(&rdata[i]);
+
+			if (sequential_read &&
+			    isc_buffer_availablelength(&target) < MINTSIZ)
+			{
+				unsigned int j;
+
+				INSIST(i > 0); /* detect an infinite loop */
+
+				/* Partial Commit. */
+				ISC_LIST_APPEND(head, &rdatalist, link);
+				result = commit(callbacks, lctx, &head, name,
+						NULL, 0);
+				for (j = 0; j < i; j++) {
+					ISC_LIST_UNLINK(rdatalist.rdata,
+							&rdata[j], link);
+					dns_rdata_reset(&rdata[j]);
+				}
+				if (result != ISC_R_SUCCESS) {
+					goto cleanup;
+				}
+
+				/* Rewind the buffer and continue */
+				isc_buffer_clear(&target);
+
+				rdcount -= i;
+
+				goto continue_read;
+			}
+
+			/* rdata length */
+			result = read_and_check(sequential_read, &target,
+						sizeof(rdlen), lctx->f,
+						&totallen);
+			if (result != ISC_R_SUCCESS) {
+				goto cleanup;
+			}
+			rdlen = isc_buffer_getuint16(&target);
+
+			/* rdata */
+			result = read_and_check(sequential_read, &target, rdlen,
+						lctx->f, &totallen);
+			if (result != ISC_R_SUCCESS) {
+				goto cleanup;
+			}
+			isc_buffer_setactive(&target, (unsigned int)rdlen);
+			/*
+			 * It is safe to have the source active region and
+			 * the target available region be the same if
+			 * decompression is disabled (see dctx above) and we
+			 * are not downcasing names (options == 0).
+			 */
+			isc_buffer_init(&buf, isc_buffer_current(&target),
+					(unsigned int)rdlen);
+			result = dns_rdata_fromwire(
+				&rdata[i], rdatalist.rdclass, rdatalist.type,
+				&target, &dctx, 0, &buf);
+			if (result != ISC_R_SUCCESS) {
+				goto cleanup;
+			}
+			ISC_LIST_APPEND(rdatalist.rdata, &rdata[i], link);
+		}
+
+		/*
+		 * Sanity check.  Still having remaining space is not
+		 * necessarily critical, but it very likely indicates broken
+		 * or malformed data.
+		 */
+		if (isc_buffer_remaininglength(&target) != 0 || totallen != 0) {
+			result = ISC_R_RANGE;
+			goto cleanup;
+		}
+
+		ISC_LIST_APPEND(head, &rdatalist, link);
+
+		/* Commit this RRset.  rdatalist will be unlinked. */
+		result = commit(callbacks, lctx, &head, name, NULL, 0);
+
+		for (i = 0; i < rdcount; i++) {
+			ISC_LIST_UNLINK(rdatalist.rdata, &rdata[i], link);
+			dns_rdata_reset(&rdata[i]);
+		}
+
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+	}
+
+	if (!done) {
+		INSIST(lctx->done != NULL && lctx->task != NULL);
+		result = DNS_R_CONTINUE;
+	} else if (result == ISC_R_SUCCESS && lctx->result != ISC_R_SUCCESS) {
+		result = lctx->result;
+	}
+
+	if (result == ISC_R_SUCCESS && callbacks->rawdata != NULL) {
+		(*callbacks->rawdata)(callbacks->zone, &lctx->header);
+	}
+
+cleanup:
+	if (rdata != NULL) {
+		isc_mem_put(mctx, rdata, rdata_size * sizeof(*rdata));
+	}
+	if (target_mem != NULL) {
+		isc_mem_put(mctx, target_mem, target_size);
+	}
+	if (result != ISC_R_SUCCESS && result != DNS_R_CONTINUE) {
+		(*callbacks->error)(callbacks, "dns_master_load: %s",
+				    dns_result_totext(result));
+	}
+
+	return (result);
+}
+
+isc_result_t
+dns_master_loadfile(const char *master_file, dns_name_t *top,
+		    dns_name_t *origin, dns_rdataclass_t zclass,
+		    unsigned int options, uint32_t resign,
+		    dns_rdatacallbacks_t *callbacks,
+		    dns_masterincludecb_t include_cb, void *include_arg,
+		    isc_mem_t *mctx, dns_masterformat_t format,
+		    dns_ttl_t maxttl) {
+	dns_loadctx_t *lctx = NULL;
+	isc_result_t result;
+
+	result = loadctx_create(format, mctx, options, resign, top, zclass,
+				origin, callbacks, NULL, NULL, NULL, include_cb,
+				include_arg, NULL, &lctx);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	lctx->maxttl = maxttl;
+
+	result = (lctx->openfile)(lctx, master_file);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	result = (lctx->load)(lctx);
+	INSIST(result != DNS_R_CONTINUE);
+
+cleanup:
+	dns_loadctx_detach(&lctx);
+	return (result);
+}
+
+isc_result_t
+dns_master_loadfileinc(const char *master_file, dns_name_t *top,
+		       dns_name_t *origin, dns_rdataclass_t zclass,
+		       unsigned int options, uint32_t resign,
+		       dns_rdatacallbacks_t *callbacks, isc_task_t *task,
+		       dns_loaddonefunc_t done, void *done_arg,
+		       dns_loadctx_t **lctxp, dns_masterincludecb_t include_cb,
+		       void *include_arg, isc_mem_t *mctx,
+		       dns_masterformat_t format, uint32_t maxttl) {
+	dns_loadctx_t *lctx = NULL;
+	isc_result_t result;
+
+	REQUIRE(task != NULL);
+	REQUIRE(done != NULL);
+
+	result = loadctx_create(format, mctx, options, resign, top, zclass,
+				origin, callbacks, task, done, done_arg,
+				include_cb, include_arg, NULL, &lctx);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	lctx->maxttl = maxttl;
+
+	result = (lctx->openfile)(lctx, master_file);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	result = task_send(lctx);
+	if (result == ISC_R_SUCCESS) {
+		dns_loadctx_attach(lctx, lctxp);
+		return (DNS_R_CONTINUE);
+	}
+
+cleanup:
+	dns_loadctx_detach(&lctx);
+	return (result);
+}
+
+isc_result_t
+dns_master_loadstream(FILE *stream, dns_name_t *top, dns_name_t *origin,
+		      dns_rdataclass_t zclass, unsigned int options,
+		      dns_rdatacallbacks_t *callbacks, isc_mem_t *mctx) {
+	isc_result_t result;
+	dns_loadctx_t *lctx = NULL;
+
+	REQUIRE(stream != NULL);
+
+	result = loadctx_create(dns_masterformat_text, mctx, options, 0, top,
+				zclass, origin, callbacks, NULL, NULL, NULL,
+				NULL, NULL, NULL, &lctx);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	result = isc_lex_openstream(lctx->lex, stream);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	result = (lctx->load)(lctx);
+	INSIST(result != DNS_R_CONTINUE);
+
+cleanup:
+	if (lctx != NULL) {
+		dns_loadctx_detach(&lctx);
+	}
+	return (result);
+}
+
+isc_result_t
+dns_master_loadstreaminc(FILE *stream, dns_name_t *top, dns_name_t *origin,
+			 dns_rdataclass_t zclass, unsigned int options,
+			 dns_rdatacallbacks_t *callbacks, isc_task_t *task,
+			 dns_loaddonefunc_t done, void *done_arg,
+			 dns_loadctx_t **lctxp, isc_mem_t *mctx) {
+	isc_result_t result;
+	dns_loadctx_t *lctx = NULL;
+
+	REQUIRE(stream != NULL);
+	REQUIRE(task != NULL);
+	REQUIRE(done != NULL);
+
+	result = loadctx_create(dns_masterformat_text, mctx, options, 0, top,
+				zclass, origin, callbacks, task, done, done_arg,
+				NULL, NULL, NULL, &lctx);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	result = isc_lex_openstream(lctx->lex, stream);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	result = task_send(lctx);
+	if (result == ISC_R_SUCCESS) {
+		dns_loadctx_attach(lctx, lctxp);
+		return (DNS_R_CONTINUE);
+	}
+
+cleanup:
+	if (lctx != NULL) {
+		dns_loadctx_detach(&lctx);
+	}
+	return (result);
+}
+
+isc_result_t
+dns_master_loadbuffer(isc_buffer_t *buffer, dns_name_t *top, dns_name_t *origin,
+		      dns_rdataclass_t zclass, unsigned int options,
+		      dns_rdatacallbacks_t *callbacks, isc_mem_t *mctx) {
+	isc_result_t result;
+	dns_loadctx_t *lctx = NULL;
+
+	REQUIRE(buffer != NULL);
+
+	result = loadctx_create(dns_masterformat_text, mctx, options, 0, top,
+				zclass, origin, callbacks, NULL, NULL, NULL,
+				NULL, NULL, NULL, &lctx);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = isc_lex_openbuffer(lctx->lex, buffer);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	result = (lctx->load)(lctx);
+	INSIST(result != DNS_R_CONTINUE);
+
+cleanup:
+	dns_loadctx_detach(&lctx);
+	return (result);
+}
+
+isc_result_t
+dns_master_loadbufferinc(isc_buffer_t *buffer, dns_name_t *top,
+			 dns_name_t *origin, dns_rdataclass_t zclass,
+			 unsigned int options, dns_rdatacallbacks_t *callbacks,
+			 isc_task_t *task, dns_loaddonefunc_t done,
+			 void *done_arg, dns_loadctx_t **lctxp,
+			 isc_mem_t *mctx) {
+	isc_result_t result;
+	dns_loadctx_t *lctx = NULL;
+
+	REQUIRE(buffer != NULL);
+	REQUIRE(task != NULL);
+	REQUIRE(done != NULL);
+
+	result = loadctx_create(dns_masterformat_text, mctx, options, 0, top,
+				zclass, origin, callbacks, task, done, done_arg,
+				NULL, NULL, NULL, &lctx);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = isc_lex_openbuffer(lctx->lex, buffer);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	result = task_send(lctx);
+	if (result == ISC_R_SUCCESS) {
+		dns_loadctx_attach(lctx, lctxp);
+		return (DNS_R_CONTINUE);
+	}
+
+cleanup:
+	dns_loadctx_detach(&lctx);
+	return (result);
+}
+
+isc_result_t
+dns_master_loadlexer(isc_lex_t *lex, dns_name_t *top, dns_name_t *origin,
+		     dns_rdataclass_t zclass, unsigned int options,
+		     dns_rdatacallbacks_t *callbacks, isc_mem_t *mctx) {
+	isc_result_t result;
+	dns_loadctx_t *lctx = NULL;
+
+	REQUIRE(lex != NULL);
+
+	result = loadctx_create(dns_masterformat_text, mctx, options, 0, top,
+				zclass, origin, callbacks, NULL, NULL, NULL,
+				NULL, NULL, lex, &lctx);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = (lctx->load)(lctx);
+	INSIST(result != DNS_R_CONTINUE);
+
+	dns_loadctx_detach(&lctx);
+	return (result);
+}
+
+isc_result_t
+dns_master_loadlexerinc(isc_lex_t *lex, dns_name_t *top, dns_name_t *origin,
+			dns_rdataclass_t zclass, unsigned int options,
+			dns_rdatacallbacks_t *callbacks, isc_task_t *task,
+			dns_loaddonefunc_t done, void *done_arg,
+			dns_loadctx_t **lctxp, isc_mem_t *mctx) {
+	isc_result_t result;
+	dns_loadctx_t *lctx = NULL;
+
+	REQUIRE(lex != NULL);
+	REQUIRE(task != NULL);
+	REQUIRE(done != NULL);
+
+	result = loadctx_create(dns_masterformat_text, mctx, options, 0, top,
+				zclass, origin, callbacks, task, done, done_arg,
+				NULL, NULL, lex, &lctx);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = task_send(lctx);
+	if (result == ISC_R_SUCCESS) {
+		dns_loadctx_attach(lctx, lctxp);
+		return (DNS_R_CONTINUE);
+	}
+
+	dns_loadctx_detach(&lctx);
+	return (result);
+}
+
+/*
+ * Grow the slab of dns_rdatalist_t structures.
+ * Re-link glue and current list.
+ */
+static dns_rdatalist_t *
+grow_rdatalist(int new_len, dns_rdatalist_t *oldlist, int old_len,
+	       rdatalist_head_t *current, rdatalist_head_t *glue,
+	       isc_mem_t *mctx) {
+	dns_rdatalist_t *newlist;
+	int rdlcount = 0;
+	ISC_LIST(dns_rdatalist_t) save;
+	dns_rdatalist_t *this;
+
+	newlist = isc_mem_get(mctx, new_len * sizeof(*newlist));
+	if (newlist == NULL) {
+		return (NULL);
+	}
+
+	ISC_LIST_INIT(save);
+	while ((this = ISC_LIST_HEAD(*current)) != NULL) {
+		ISC_LIST_UNLINK(*current, this, link);
+		ISC_LIST_APPEND(save, this, link);
+	}
+	while ((this = ISC_LIST_HEAD(save)) != NULL) {
+		ISC_LIST_UNLINK(save, this, link);
+		INSIST(rdlcount < new_len);
+		newlist[rdlcount] = *this;
+		ISC_LIST_APPEND(*current, &newlist[rdlcount], link);
+		rdlcount++;
+	}
+
+	ISC_LIST_INIT(save);
+	while ((this = ISC_LIST_HEAD(*glue)) != NULL) {
+		ISC_LIST_UNLINK(*glue, this, link);
+		ISC_LIST_APPEND(save, this, link);
+	}
+	while ((this = ISC_LIST_HEAD(save)) != NULL) {
+		ISC_LIST_UNLINK(save, this, link);
+		INSIST(rdlcount < new_len);
+		newlist[rdlcount] = *this;
+		ISC_LIST_APPEND(*glue, &newlist[rdlcount], link);
+		rdlcount++;
+	}
+
+	INSIST(rdlcount == old_len);
+	if (oldlist != NULL) {
+		isc_mem_put(mctx, oldlist, old_len * sizeof(*oldlist));
+	}
+	return (newlist);
+}
+
+/*
+ * Grow the slab of rdata structs.
+ * Re-link the current and glue chains.
+ */
+static dns_rdata_t *
+grow_rdata(int new_len, dns_rdata_t *oldlist, int old_len,
+	   rdatalist_head_t *current, rdatalist_head_t *glue, isc_mem_t *mctx) {
+	dns_rdata_t *newlist;
+	int rdcount = 0;
+	ISC_LIST(dns_rdata_t) save;
+	dns_rdatalist_t *this;
+	dns_rdata_t *rdata;
+
+	newlist = isc_mem_get(mctx, new_len * sizeof(*newlist));
+	if (newlist == NULL) {
+		return (NULL);
+	}
+	memset(newlist, 0, new_len * sizeof(*newlist));
+
+	/*
+	 * Copy current relinking.
+	 */
+	this = ISC_LIST_HEAD(*current);
+	while (this != NULL) {
+		ISC_LIST_INIT(save);
+		while ((rdata = ISC_LIST_HEAD(this->rdata)) != NULL) {
+			ISC_LIST_UNLINK(this->rdata, rdata, link);
+			ISC_LIST_APPEND(save, rdata, link);
+		}
+		while ((rdata = ISC_LIST_HEAD(save)) != NULL) {
+			ISC_LIST_UNLINK(save, rdata, link);
+			INSIST(rdcount < new_len);
+			newlist[rdcount] = *rdata;
+			ISC_LIST_APPEND(this->rdata, &newlist[rdcount], link);
+			rdcount++;
+		}
+		this = ISC_LIST_NEXT(this, link);
+	}
+
+	/*
+	 * Copy glue relinking.
+	 */
+	this = ISC_LIST_HEAD(*glue);
+	while (this != NULL) {
+		ISC_LIST_INIT(save);
+		while ((rdata = ISC_LIST_HEAD(this->rdata)) != NULL) {
+			ISC_LIST_UNLINK(this->rdata, rdata, link);
+			ISC_LIST_APPEND(save, rdata, link);
+		}
+		while ((rdata = ISC_LIST_HEAD(save)) != NULL) {
+			ISC_LIST_UNLINK(save, rdata, link);
+			INSIST(rdcount < new_len);
+			newlist[rdcount] = *rdata;
+			ISC_LIST_APPEND(this->rdata, &newlist[rdcount], link);
+			rdcount++;
+		}
+		this = ISC_LIST_NEXT(this, link);
+	}
+	INSIST(rdcount == old_len || rdcount == 0);
+	if (oldlist != NULL) {
+		isc_mem_put(mctx, oldlist, old_len * sizeof(*oldlist));
+	}
+	return (newlist);
+}
+
+static uint32_t
+resign_fromlist(dns_rdatalist_t *this, dns_loadctx_t *lctx) {
+	dns_rdata_t *rdata;
+	dns_rdata_rrsig_t sig;
+	uint32_t when;
+
+	rdata = ISC_LIST_HEAD(this->rdata);
+	INSIST(rdata != NULL);
+	(void)dns_rdata_tostruct(rdata, &sig, NULL);
+	if (isc_serial_gt(sig.timesigned, lctx->now)) {
+		when = lctx->now;
+	} else {
+		when = sig.timeexpire - lctx->resign;
+	}
+
+	rdata = ISC_LIST_NEXT(rdata, link);
+	while (rdata != NULL) {
+		(void)dns_rdata_tostruct(rdata, &sig, NULL);
+		if (isc_serial_gt(sig.timesigned, lctx->now)) {
+			when = lctx->now;
+		} else if (sig.timeexpire - lctx->resign < when) {
+			when = sig.timeexpire - lctx->resign;
+		}
+		rdata = ISC_LIST_NEXT(rdata, link);
+	}
+	return (when);
+}
+
+/*
+ * Convert each element from a rdatalist_t to rdataset then call commit.
+ * Unlink each element as we go.
+ */
+
+static isc_result_t
+commit(dns_rdatacallbacks_t *callbacks, dns_loadctx_t *lctx,
+       rdatalist_head_t *head, dns_name_t *owner, const char *source,
+       unsigned int line) {
+	dns_rdatalist_t *this;
+	dns_rdataset_t dataset;
+	isc_result_t result;
+	char namebuf[DNS_NAME_FORMATSIZE];
+	void (*error)(struct dns_rdatacallbacks *, const char *, ...);
+
+	this = ISC_LIST_HEAD(*head);
+	error = callbacks->error;
+
+	if (this == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+	do {
+		dns_rdataset_init(&dataset);
+		RUNTIME_CHECK(dns_rdatalist_tordataset(this, &dataset) ==
+			      ISC_R_SUCCESS);
+		dataset.trust = dns_trust_ultimate;
+		/*
+		 * If this is a secure dynamic zone set the re-signing time.
+		 */
+		if (dataset.type == dns_rdatatype_rrsig &&
+		    (lctx->options & DNS_MASTER_RESIGN) != 0)
+		{
+			dataset.attributes |= DNS_RDATASETATTR_RESIGN;
+			dataset.resign = resign_fromlist(this, lctx);
+		}
+		result = ((*callbacks->add)(callbacks->add_private, owner,
+					    &dataset));
+		if (result == ISC_R_NOMEMORY) {
+			(*error)(callbacks, "dns_master_load: %s",
+				 dns_result_totext(result));
+		} else if (result != ISC_R_SUCCESS) {
+			dns_name_format(owner, namebuf, sizeof(namebuf));
+			if (source != NULL) {
+				(*error)(callbacks, "%s: %s:%lu: %s: %s",
+					 "dns_master_load", source, line,
+					 namebuf, dns_result_totext(result));
+			} else {
+				(*error)(callbacks, "%s: %s: %s",
+					 "dns_master_load", namebuf,
+					 dns_result_totext(result));
+			}
+		}
+		if (MANYERRS(lctx, result)) {
+			SETRESULT(lctx, result);
+		} else if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		ISC_LIST_UNLINK(*head, this, link);
+		this = ISC_LIST_HEAD(*head);
+	} while (this != NULL);
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Returns true if one of the NS rdata's contains 'owner'.
+ */
+
+static bool
+is_glue(rdatalist_head_t *head, dns_name_t *owner) {
+	dns_rdatalist_t *this;
+	dns_rdata_t *rdata;
+	isc_region_t region;
+	dns_name_t name;
+
+	/*
+	 * Find NS rrset.
+	 */
+	this = ISC_LIST_HEAD(*head);
+	while (this != NULL) {
+		if (this->type == dns_rdatatype_ns) {
+			break;
+		}
+		this = ISC_LIST_NEXT(this, link);
+	}
+	if (this == NULL) {
+		return (false);
+	}
+
+	rdata = ISC_LIST_HEAD(this->rdata);
+	while (rdata != NULL) {
+		dns_name_init(&name, NULL);
+		dns_rdata_toregion(rdata, &region);
+		dns_name_fromregion(&name, &region);
+		if (dns_name_equal(&name, owner)) {
+			return (true);
+		}
+		rdata = ISC_LIST_NEXT(rdata, link);
+	}
+	return (false);
+}
+
+static void
+load_quantum(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result;
+	dns_loadctx_t *lctx;
+
+	REQUIRE(event != NULL);
+	lctx = event->ev_arg;
+	REQUIRE(DNS_LCTX_VALID(lctx));
+
+	if (atomic_load_acquire(&lctx->canceled)) {
+		result = ISC_R_CANCELED;
+	} else {
+		result = (lctx->load)(lctx);
+	}
+	if (result == DNS_R_CONTINUE) {
+		event->ev_arg = lctx;
+		isc_task_send(task, &event);
+	} else {
+		(lctx->done)(lctx->done_arg, result);
+		isc_event_free(&event);
+		dns_loadctx_detach(&lctx);
+	}
+}
+
+static isc_result_t
+task_send(dns_loadctx_t *lctx) {
+	isc_event_t *event;
+
+	event = isc_event_allocate(lctx->mctx, NULL, DNS_EVENT_MASTERQUANTUM,
+				   load_quantum, lctx, sizeof(*event));
+	isc_task_send(lctx->task, &event);
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_loadctx_cancel(dns_loadctx_t *lctx) {
+	REQUIRE(DNS_LCTX_VALID(lctx));
+
+	atomic_store_release(&lctx->canceled, true);
+}
+
+void
+dns_master_initrawheader(dns_masterrawheader_t *header) {
+	memset(header, 0, sizeof(dns_masterrawheader_t));
+}
diff --git a/lib/dns/masterdump.c b/lib/dns/masterdump.c
new file mode 100644
index 0000000..7561061
--- /dev/null
+++ b/lib/dns/masterdump.c
@@ -0,0 +1,2133 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/atomic.h>
+#include <isc/buffer.h>
+#include <isc/event.h>
+#include <isc/file.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/refcount.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/time.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/events.h>
+#include <dns/fixedname.h>
+#include <dns/lib.h>
+#include <dns/log.h>
+#include <dns/master.h>
+#include <dns/masterdump.h>
+#include <dns/ncache.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/time.h>
+#include <dns/ttl.h>
+
+#define DNS_DCTX_MAGIC	  ISC_MAGIC('D', 'c', 't', 'x')
+#define DNS_DCTX_VALID(d) ISC_MAGIC_VALID(d, DNS_DCTX_MAGIC)
+
+#define RETERR(x)                        \
+	do {                             \
+		isc_result_t _r = (x);   \
+		if (_r != ISC_R_SUCCESS) \
+			return ((_r));   \
+	} while (0)
+
+#define CHECK(x)                          \
+	do {                              \
+		if ((x) != ISC_R_SUCCESS) \
+			goto cleanup;     \
+	} while (0)
+
+struct dns_master_style {
+	dns_masterstyle_flags_t flags; /* DNS_STYLEFLAG_* */
+	unsigned int ttl_column;
+	unsigned int class_column;
+	unsigned int type_column;
+	unsigned int rdata_column;
+	unsigned int line_length;
+	unsigned int tab_width;
+	unsigned int split_width;
+};
+
+/*%
+ * The maximum length of the newline+indentation that is output
+ * when inserting a line break in an RR.  This effectively puts an
+ * upper limits on the value of "rdata_column", because if it is
+ * very large, the tabs and spaces needed to reach it will not fit.
+ */
+#define DNS_TOTEXT_LINEBREAK_MAXLEN 100
+
+/*% Does the rdataset 'r' contain a stale answer? */
+#define STALE(r) (((r)->attributes & DNS_RDATASETATTR_STALE) != 0)
+/*% Does the rdataset 'r' contain an expired answer? */
+#define ANCIENT(r) (((r)->attributes & DNS_RDATASETATTR_ANCIENT) != 0)
+
+/*%
+ * Context structure for a masterfile dump in progress.
+ */
+typedef struct dns_totext_ctx {
+	dns_master_style_t style;
+	bool class_printed;
+	char *linebreak;
+	char linebreak_buf[DNS_TOTEXT_LINEBREAK_MAXLEN];
+	dns_name_t *origin;
+	dns_name_t *neworigin;
+	dns_fixedname_t origin_fixname;
+	uint32_t current_ttl;
+	bool current_ttl_valid;
+	dns_ttl_t serve_stale_ttl;
+	dns_indent_t indent;
+} dns_totext_ctx_t;
+
+LIBDNS_EXTERNAL_DATA const dns_master_style_t dns_master_style_keyzone = {
+	DNS_STYLEFLAG_OMIT_OWNER | DNS_STYLEFLAG_OMIT_CLASS |
+		DNS_STYLEFLAG_REL_OWNER | DNS_STYLEFLAG_REL_DATA |
+		DNS_STYLEFLAG_OMIT_TTL | DNS_STYLEFLAG_TTL |
+		DNS_STYLEFLAG_COMMENT | DNS_STYLEFLAG_RRCOMMENT |
+		DNS_STYLEFLAG_MULTILINE | DNS_STYLEFLAG_KEYDATA,
+	24,
+	24,
+	24,
+	32,
+	80,
+	8,
+	UINT_MAX
+};
+
+LIBDNS_EXTERNAL_DATA const dns_master_style_t dns_master_style_default = {
+	DNS_STYLEFLAG_OMIT_OWNER | DNS_STYLEFLAG_OMIT_CLASS |
+		DNS_STYLEFLAG_REL_OWNER | DNS_STYLEFLAG_REL_DATA |
+		DNS_STYLEFLAG_OMIT_TTL | DNS_STYLEFLAG_TTL |
+		DNS_STYLEFLAG_COMMENT | DNS_STYLEFLAG_RRCOMMENT |
+		DNS_STYLEFLAG_MULTILINE,
+	24,
+	24,
+	24,
+	32,
+	80,
+	8,
+	UINT_MAX
+};
+
+LIBDNS_EXTERNAL_DATA const dns_master_style_t dns_master_style_full = {
+	DNS_STYLEFLAG_COMMENT | DNS_STYLEFLAG_RESIGN,
+	46,
+	46,
+	46,
+	64,
+	120,
+	8,
+	UINT_MAX
+};
+
+LIBDNS_EXTERNAL_DATA const dns_master_style_t dns_master_style_explicitttl = {
+	DNS_STYLEFLAG_OMIT_OWNER | DNS_STYLEFLAG_OMIT_CLASS |
+		DNS_STYLEFLAG_REL_OWNER | DNS_STYLEFLAG_REL_DATA |
+		DNS_STYLEFLAG_COMMENT | DNS_STYLEFLAG_RRCOMMENT |
+		DNS_STYLEFLAG_MULTILINE,
+	24,
+	32,
+	32,
+	40,
+	80,
+	8,
+	UINT_MAX
+};
+
+LIBDNS_EXTERNAL_DATA const dns_master_style_t dns_master_style_cache = {
+	DNS_STYLEFLAG_OMIT_OWNER | DNS_STYLEFLAG_OMIT_CLASS |
+		DNS_STYLEFLAG_MULTILINE | DNS_STYLEFLAG_RRCOMMENT |
+		DNS_STYLEFLAG_TRUST | DNS_STYLEFLAG_NCACHE,
+	24,
+	32,
+	32,
+	40,
+	80,
+	8,
+	UINT_MAX
+};
+
+LIBDNS_EXTERNAL_DATA const dns_master_style_t
+	dns_master_style_cache_with_expired = {
+		DNS_STYLEFLAG_OMIT_OWNER | DNS_STYLEFLAG_OMIT_CLASS |
+			DNS_STYLEFLAG_MULTILINE | DNS_STYLEFLAG_RRCOMMENT |
+			DNS_STYLEFLAG_TRUST | DNS_STYLEFLAG_NCACHE |
+			DNS_STYLEFLAG_EXPIRED,
+		24,
+		32,
+		32,
+		40,
+		80,
+		8,
+		UINT_MAX
+	};
+
+LIBDNS_EXTERNAL_DATA const dns_master_style_t dns_master_style_simple = {
+	0, 24, 32, 32, 40, 80, 8, UINT_MAX
+};
+
+/*%
+ * A style suitable for dns_rdataset_totext().
+ */
+LIBDNS_EXTERNAL_DATA const dns_master_style_t dns_master_style_debug = {
+	DNS_STYLEFLAG_REL_OWNER, 24, 32, 40, 48, 80, 8, UINT_MAX
+};
+
+/*%
+ * Similar, but indented (i.e., prepended with indentctx.string).
+ */
+LIBDNS_EXTERNAL_DATA const dns_master_style_t dns_master_style_indent = {
+	DNS_STYLEFLAG_REL_OWNER | DNS_STYLEFLAG_INDENT,
+	24,
+	32,
+	40,
+	48,
+	80,
+	8,
+	UINT_MAX
+};
+
+/*%
+ * Similar, but with each line commented out.
+ */
+LIBDNS_EXTERNAL_DATA const dns_master_style_t dns_master_style_comment = {
+	DNS_STYLEFLAG_REL_OWNER | DNS_STYLEFLAG_MULTILINE |
+		DNS_STYLEFLAG_RRCOMMENT | DNS_STYLEFLAG_COMMENTDATA,
+	24,
+	32,
+	40,
+	48,
+	80,
+	8,
+	UINT_MAX
+};
+
+/*%
+ * YAML style
+ */
+LIBDNS_EXTERNAL_DATA const dns_master_style_t dns_master_style_yaml = {
+	DNS_STYLEFLAG_YAML | DNS_STYLEFLAG_REL_OWNER | DNS_STYLEFLAG_INDENT,
+	24,
+	32,
+	40,
+	48,
+	80,
+	8,
+	UINT_MAX
+};
+
+#define N_SPACES 10
+static char spaces[N_SPACES + 1] = "          ";
+
+#define N_TABS 10
+static char tabs[N_TABS + 1] = "\t\t\t\t\t\t\t\t\t\t";
+
+struct dns_dumpctx {
+	unsigned int magic;
+	isc_mem_t *mctx;
+	isc_mutex_t lock;
+	isc_refcount_t references;
+	atomic_bool canceled;
+	bool do_date;
+	isc_stdtime_t now;
+	FILE *f;
+	dns_db_t *db;
+	dns_dbversion_t *version;
+	dns_dbiterator_t *dbiter;
+	dns_totext_ctx_t tctx;
+	isc_task_t *task;
+	dns_dumpdonefunc_t done;
+	void *done_arg;
+	/* dns_master_dumpasync() */
+	isc_result_t result;
+	char *file;
+	char *tmpfile;
+	dns_masterformat_t format;
+	dns_masterrawheader_t header;
+	isc_result_t (*dumpsets)(isc_mem_t *mctx, const dns_name_t *name,
+				 dns_rdatasetiter_t *rdsiter,
+				 dns_totext_ctx_t *ctx, isc_buffer_t *buffer,
+				 FILE *f);
+};
+
+#define NXDOMAIN(x) (((x)->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
+
+static const dns_indent_t default_indent = { "\t", 1 };
+static const dns_indent_t default_yamlindent = { "  ", 1 };
+
+/*%
+ * Output tabs and spaces to go from column '*current' to
+ * column 'to', and update '*current' to reflect the new
+ * current column.
+ */
+static isc_result_t
+indent(unsigned int *current, unsigned int to, int tabwidth,
+       isc_buffer_t *target) {
+	isc_region_t r;
+	unsigned char *p;
+	unsigned int from;
+	int ntabs, nspaces, t;
+
+	from = *current;
+
+	if (to < from + 1) {
+		to = from + 1;
+	}
+
+	ntabs = to / tabwidth - from / tabwidth;
+	if (ntabs < 0) {
+		ntabs = 0;
+	}
+
+	if (ntabs > 0) {
+		isc_buffer_availableregion(target, &r);
+		if (r.length < (unsigned)ntabs) {
+			return (ISC_R_NOSPACE);
+		}
+		p = r.base;
+
+		t = ntabs;
+		while (t) {
+			int n = t;
+			if (n > N_TABS) {
+				n = N_TABS;
+			}
+			memmove(p, tabs, n);
+			p += n;
+			t -= n;
+		}
+		isc_buffer_add(target, ntabs);
+		from = (to / tabwidth) * tabwidth;
+	}
+
+	nspaces = to - from;
+	INSIST(nspaces >= 0);
+
+	isc_buffer_availableregion(target, &r);
+	if (r.length < (unsigned)nspaces) {
+		return (ISC_R_NOSPACE);
+	}
+	p = r.base;
+
+	t = nspaces;
+	while (t) {
+		int n = t;
+		if (n > N_SPACES) {
+			n = N_SPACES;
+		}
+		memmove(p, spaces, n);
+		p += n;
+		t -= n;
+	}
+	isc_buffer_add(target, nspaces);
+
+	*current = to;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+totext_ctx_init(const dns_master_style_t *style, const dns_indent_t *indentctx,
+		dns_totext_ctx_t *ctx) {
+	isc_result_t result;
+
+	REQUIRE(style->tab_width != 0);
+
+	if (indentctx == NULL) {
+		if ((style->flags & DNS_STYLEFLAG_YAML) != 0) {
+			indentctx = &default_yamlindent;
+		} else {
+			indentctx = &default_indent;
+		}
+	}
+
+	ctx->style = *style;
+	ctx->class_printed = false;
+
+	dns_fixedname_init(&ctx->origin_fixname);
+
+	/*
+	 * Set up the line break string if needed.
+	 */
+	if ((ctx->style.flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+		isc_buffer_t buf;
+		isc_region_t r;
+		unsigned int col = 0;
+
+		isc_buffer_init(&buf, ctx->linebreak_buf,
+				sizeof(ctx->linebreak_buf));
+
+		isc_buffer_availableregion(&buf, &r);
+		if (r.length < 1) {
+			return (DNS_R_TEXTTOOLONG);
+		}
+		r.base[0] = '\n';
+		isc_buffer_add(&buf, 1);
+
+		if ((ctx->style.flags & DNS_STYLEFLAG_INDENT) != 0 ||
+		    (ctx->style.flags & DNS_STYLEFLAG_YAML) != 0)
+		{
+			unsigned int i, len = strlen(indentctx->string);
+			for (i = 0; i < indentctx->count; i++) {
+				if (isc_buffer_availablelength(&buf) < len) {
+					return (DNS_R_TEXTTOOLONG);
+				}
+				isc_buffer_putstr(&buf, indentctx->string);
+			}
+		}
+
+		if ((ctx->style.flags & DNS_STYLEFLAG_COMMENTDATA) != 0) {
+			isc_buffer_availableregion(&buf, &r);
+			if (r.length < 1) {
+				return (DNS_R_TEXTTOOLONG);
+			}
+			r.base[0] = ';';
+			isc_buffer_add(&buf, 1);
+		}
+
+		result = indent(&col, ctx->style.rdata_column,
+				ctx->style.tab_width, &buf);
+		/*
+		 * Do not return ISC_R_NOSPACE if the line break string
+		 * buffer is too small, because that would just make
+		 * dump_rdataset() retry indefinitely with ever
+		 * bigger target buffers.  That's a different buffer,
+		 * so it won't help.  Use DNS_R_TEXTTOOLONG as a substitute.
+		 */
+		if (result == ISC_R_NOSPACE) {
+			return (DNS_R_TEXTTOOLONG);
+		}
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+
+		isc_buffer_availableregion(&buf, &r);
+		if (r.length < 1) {
+			return (DNS_R_TEXTTOOLONG);
+		}
+		r.base[0] = '\0';
+		isc_buffer_add(&buf, 1);
+		ctx->linebreak = ctx->linebreak_buf;
+	} else {
+		ctx->linebreak = NULL;
+	}
+
+	ctx->origin = NULL;
+	ctx->neworigin = NULL;
+	ctx->current_ttl = 0;
+	ctx->current_ttl_valid = false;
+	ctx->serve_stale_ttl = 0;
+	ctx->indent = *indentctx;
+
+	return (ISC_R_SUCCESS);
+}
+
+#define INDENT_TO(col)                                                        \
+	do {                                                                  \
+		if ((ctx->style.flags & DNS_STYLEFLAG_YAML) != 0) {           \
+			if ((result = str_totext(" ", target)) !=             \
+			    ISC_R_SUCCESS)                                    \
+				return ((result));                            \
+		} else if ((result = indent(&column, ctx->style.col,          \
+					    ctx->style.tab_width, target)) != \
+			   ISC_R_SUCCESS)                                     \
+			return ((result));                                    \
+	} while (0)
+
+static isc_result_t
+str_totext(const char *source, isc_buffer_t *target) {
+	unsigned int l;
+	isc_region_t region;
+
+	isc_buffer_availableregion(target, &region);
+	l = strlen(source);
+
+	if (l > region.length) {
+		return (ISC_R_NOSPACE);
+	}
+
+	memmove(region.base, source, l);
+	isc_buffer_add(target, l);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+ncache_summary(dns_rdataset_t *rdataset, bool omit_final_dot,
+	       dns_totext_ctx_t *ctx, isc_buffer_t *target) {
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_rdataset_t rds;
+	dns_name_t name;
+
+	dns_rdataset_init(&rds);
+	dns_name_init(&name, NULL);
+
+	do {
+		dns_ncache_current(rdataset, &name, &rds);
+		for (result = dns_rdataset_first(&rds); result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&rds))
+		{
+			if ((ctx->style.flags & DNS_STYLEFLAG_INDENT) != 0 ||
+			    (ctx->style.flags & DNS_STYLEFLAG_YAML) != 0)
+			{
+				unsigned int i;
+				for (i = 0; i < ctx->indent.count; i++) {
+					CHECK(str_totext(ctx->indent.string,
+							 target));
+				}
+			}
+
+			if ((ctx->style.flags & DNS_STYLEFLAG_YAML) != 0) {
+				CHECK(str_totext("- ", target));
+			} else {
+				CHECK(str_totext("; ", target));
+			}
+
+			CHECK(dns_name_totext(&name, omit_final_dot, target));
+			CHECK(str_totext(" ", target));
+			CHECK(dns_rdatatype_totext(rds.type, target));
+			if (rds.type == dns_rdatatype_rrsig) {
+				CHECK(str_totext(" ", target));
+				CHECK(dns_rdatatype_totext(rds.covers, target));
+				CHECK(str_totext(" ...\n", target));
+			} else {
+				dns_rdata_t rdata = DNS_RDATA_INIT;
+				dns_rdataset_current(&rds, &rdata);
+				CHECK(str_totext(" ", target));
+				CHECK(dns_rdata_tofmttext(&rdata, dns_rootname,
+							  0, 0, 0, " ",
+							  target));
+				CHECK(str_totext("\n", target));
+			}
+		}
+		dns_rdataset_disassociate(&rds);
+		result = dns_rdataset_next(rdataset);
+	} while (result == ISC_R_SUCCESS);
+
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+	}
+cleanup:
+	if (dns_rdataset_isassociated(&rds)) {
+		dns_rdataset_disassociate(&rds);
+	}
+
+	return (result);
+}
+
+/*
+ * Convert 'rdataset' to master file text format according to 'ctx',
+ * storing the result in 'target'.  If 'owner_name' is NULL, it
+ * is omitted; otherwise 'owner_name' must be valid and have at least
+ * one label.
+ */
+
+static isc_result_t
+rdataset_totext(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
+		dns_totext_ctx_t *ctx, bool omit_final_dot,
+		isc_buffer_t *target) {
+	isc_result_t result;
+	unsigned int column;
+	bool first = true;
+	uint32_t current_ttl;
+	bool current_ttl_valid;
+	dns_rdatatype_t type;
+	unsigned int type_start;
+	dns_fixedname_t fixed;
+	dns_name_t *name = NULL;
+	unsigned int i;
+
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+
+	rdataset->attributes |= DNS_RDATASETATTR_LOADORDER;
+	result = dns_rdataset_first(rdataset);
+
+	current_ttl = ctx->current_ttl;
+	current_ttl_valid = ctx->current_ttl_valid;
+
+	if (owner_name != NULL) {
+		name = dns_fixedname_initname(&fixed);
+		dns_name_copynf(owner_name, name);
+		dns_rdataset_getownercase(rdataset, name);
+	}
+
+	while (result == ISC_R_SUCCESS) {
+		column = 0;
+
+		/*
+		 * Indent?
+		 */
+		if ((ctx->style.flags & DNS_STYLEFLAG_INDENT) != 0 ||
+		    (ctx->style.flags & DNS_STYLEFLAG_YAML) != 0)
+		{
+			for (i = 0; i < ctx->indent.count; i++) {
+				RETERR(str_totext(ctx->indent.string, target));
+			}
+		}
+
+		/*
+		 * YAML or comment prefix?
+		 */
+		if ((ctx->style.flags & DNS_STYLEFLAG_YAML) != 0) {
+			RETERR(str_totext("- ", target));
+		} else if ((ctx->style.flags & DNS_STYLEFLAG_COMMENTDATA) != 0)
+		{
+			RETERR(str_totext(";", target));
+		}
+
+		/*
+		 * Owner name.
+		 */
+		if (name != NULL &&
+		    !((ctx->style.flags & DNS_STYLEFLAG_OMIT_OWNER) != 0 &&
+		      !first))
+		{
+			unsigned int name_start = target->used;
+			RETERR(dns_name_totext(name, omit_final_dot, target));
+			column += target->used - name_start;
+		}
+
+		/*
+		 * TTL.
+		 */
+		if ((ctx->style.flags & DNS_STYLEFLAG_NO_TTL) == 0 &&
+		    !((ctx->style.flags & DNS_STYLEFLAG_OMIT_TTL) != 0 &&
+		      current_ttl_valid && rdataset->ttl == current_ttl))
+		{
+			char ttlbuf[64];
+			isc_region_t r;
+			unsigned int length;
+
+			INDENT_TO(ttl_column);
+			if ((ctx->style.flags & DNS_STYLEFLAG_TTL_UNITS) != 0) {
+				length = target->used;
+				result = dns_ttl_totext(rdataset->ttl, false,
+							false, target);
+				if (result != ISC_R_SUCCESS) {
+					return (result);
+				}
+				column += target->used - length;
+			} else {
+				length = snprintf(ttlbuf, sizeof(ttlbuf), "%u",
+						  rdataset->ttl);
+				INSIST(length <= sizeof(ttlbuf));
+				isc_buffer_availableregion(target, &r);
+				if (r.length < length) {
+					return (ISC_R_NOSPACE);
+				}
+				memmove(r.base, ttlbuf, length);
+				isc_buffer_add(target, length);
+				column += length;
+			}
+
+			/*
+			 * If the $TTL directive is not in use, the TTL we
+			 * just printed becomes the default for subsequent RRs.
+			 */
+			if ((ctx->style.flags & DNS_STYLEFLAG_TTL) == 0) {
+				current_ttl = rdataset->ttl;
+				current_ttl_valid = true;
+			}
+		}
+
+		/*
+		 * Class.
+		 */
+		if ((ctx->style.flags & DNS_STYLEFLAG_NO_CLASS) == 0 &&
+		    ((ctx->style.flags & DNS_STYLEFLAG_OMIT_CLASS) == 0 ||
+		     !ctx->class_printed))
+		{
+			unsigned int class_start;
+			INDENT_TO(class_column);
+			class_start = target->used;
+			if ((ctx->style.flags & DNS_STYLEFLAG_UNKNOWNFORMAT) !=
+			    0)
+			{
+				result = dns_rdataclass_tounknowntext(
+					rdataset->rdclass, target);
+			} else {
+				result = dns_rdataclass_totext(
+					rdataset->rdclass, target);
+			}
+			if (result != ISC_R_SUCCESS) {
+				return (result);
+			}
+			column += (target->used - class_start);
+		}
+
+		/*
+		 * Type.
+		 */
+
+		if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) {
+			type = rdataset->covers;
+		} else {
+			type = rdataset->type;
+		}
+
+		INDENT_TO(type_column);
+		type_start = target->used;
+		if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) {
+			RETERR(str_totext("\\-", target));
+		}
+		switch (type) {
+		case dns_rdatatype_keydata:
+#define KEYDATA "KEYDATA"
+			if ((ctx->style.flags & DNS_STYLEFLAG_KEYDATA) != 0) {
+				if (isc_buffer_availablelength(target) <
+				    (sizeof(KEYDATA) - 1))
+				{
+					return (ISC_R_NOSPACE);
+				}
+				isc_buffer_putstr(target, KEYDATA);
+				break;
+			}
+			FALLTHROUGH;
+		default:
+			if ((ctx->style.flags & DNS_STYLEFLAG_UNKNOWNFORMAT) !=
+			    0)
+			{
+				result = dns_rdatatype_tounknowntext(type,
+								     target);
+			} else {
+				result = dns_rdatatype_totext(type, target);
+			}
+			if (result != ISC_R_SUCCESS) {
+				return (result);
+			}
+		}
+		column += (target->used - type_start);
+
+		/*
+		 * Rdata.
+		 */
+		INDENT_TO(rdata_column);
+		if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) {
+			if (NXDOMAIN(rdataset)) {
+				RETERR(str_totext(";-$NXDOMAIN\n", target));
+			} else {
+				RETERR(str_totext(";-$NXRRSET\n", target));
+			}
+			/*
+			 * Print a summary of the cached records which make
+			 * up the negative response.
+			 */
+			RETERR(ncache_summary(rdataset, omit_final_dot, ctx,
+					      target));
+			break;
+		} else {
+			dns_rdata_t rdata = DNS_RDATA_INIT;
+			isc_region_t r;
+
+			dns_rdataset_current(rdataset, &rdata);
+
+			RETERR(dns_rdata_tofmttext(
+				&rdata, ctx->origin, ctx->style.flags,
+				ctx->style.line_length -
+					ctx->style.rdata_column,
+				ctx->style.split_width, ctx->linebreak,
+				target));
+
+			isc_buffer_availableregion(target, &r);
+			if (r.length < 1) {
+				return (ISC_R_NOSPACE);
+			}
+			r.base[0] = '\n';
+			isc_buffer_add(target, 1);
+		}
+
+		first = false;
+		result = dns_rdataset_next(rdataset);
+	}
+
+	if (result != ISC_R_NOMORE) {
+		return (result);
+	}
+
+	/*
+	 * Update the ctx state to reflect what we just printed.
+	 * This is done last, only when we are sure we will return
+	 * success, because this function may be called multiple
+	 * times with increasing buffer sizes until it succeeds,
+	 * and failed attempts must not update the state prematurely.
+	 */
+	ctx->class_printed = true;
+	ctx->current_ttl = current_ttl;
+	ctx->current_ttl_valid = current_ttl_valid;
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Print the name, type, and class of an empty rdataset,
+ * such as those used to represent the question section
+ * of a DNS message.
+ */
+static isc_result_t
+question_totext(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
+		dns_totext_ctx_t *ctx, bool omit_final_dot,
+		isc_buffer_t *target) {
+	unsigned int column;
+	isc_result_t result;
+	isc_region_t r;
+
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	result = dns_rdataset_first(rdataset);
+	REQUIRE(result == ISC_R_NOMORE);
+
+	column = 0;
+
+	/* Owner name */
+	{
+		unsigned int name_start = target->used;
+		RETERR(dns_name_totext(owner_name, omit_final_dot, target));
+		column += target->used - name_start;
+	}
+
+	/* Class */
+	{
+		unsigned int class_start;
+		INDENT_TO(class_column);
+		class_start = target->used;
+		if ((ctx->style.flags & DNS_STYLEFLAG_UNKNOWNFORMAT) != 0) {
+			result = dns_rdataclass_tounknowntext(rdataset->rdclass,
+							      target);
+		} else {
+			result = dns_rdataclass_totext(rdataset->rdclass,
+						       target);
+		}
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		column += (target->used - class_start);
+	}
+
+	/* Type */
+	{
+		unsigned int type_start;
+		INDENT_TO(type_column);
+		type_start = target->used;
+		if ((ctx->style.flags & DNS_STYLEFLAG_UNKNOWNFORMAT) != 0) {
+			result = dns_rdatatype_tounknowntext(rdataset->type,
+							     target);
+		} else {
+			result = dns_rdatatype_totext(rdataset->type, target);
+		}
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		column += (target->used - type_start);
+	}
+
+	isc_buffer_availableregion(target, &r);
+	if (r.length < 1) {
+		return (ISC_R_NOSPACE);
+	}
+	r.base[0] = '\n';
+	isc_buffer_add(target, 1);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_rdataset_totext(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
+		    bool omit_final_dot, bool question, isc_buffer_t *target) {
+	dns_totext_ctx_t ctx;
+	isc_result_t result;
+	result = totext_ctx_init(&dns_master_style_debug, NULL, &ctx);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "could not set master file style");
+		return (ISC_R_UNEXPECTED);
+	}
+
+	/*
+	 * The caller might want to give us an empty owner
+	 * name (e.g. if they are outputting into a master
+	 * file and this rdataset has the same name as the
+	 * previous one.)
+	 */
+	if (dns_name_countlabels(owner_name) == 0) {
+		owner_name = NULL;
+	}
+
+	if (question) {
+		return (question_totext(rdataset, owner_name, &ctx,
+					omit_final_dot, target));
+	} else {
+		return (rdataset_totext(rdataset, owner_name, &ctx,
+					omit_final_dot, target));
+	}
+}
+
+isc_result_t
+dns_master_rdatasettotext(const dns_name_t *owner_name,
+			  dns_rdataset_t *rdataset,
+			  const dns_master_style_t *style, dns_indent_t *indent,
+			  isc_buffer_t *target) {
+	dns_totext_ctx_t ctx;
+	isc_result_t result;
+	result = totext_ctx_init(style, indent, &ctx);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "could not set master file style");
+		return (ISC_R_UNEXPECTED);
+	}
+
+	return (rdataset_totext(rdataset, owner_name, &ctx, false, target));
+}
+
+isc_result_t
+dns_master_questiontotext(const dns_name_t *owner_name,
+			  dns_rdataset_t *rdataset,
+			  const dns_master_style_t *style,
+			  isc_buffer_t *target) {
+	dns_totext_ctx_t ctx;
+	isc_result_t result;
+	result = totext_ctx_init(style, NULL, &ctx);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "could not set master file style");
+		return (ISC_R_UNEXPECTED);
+	}
+
+	return (question_totext(rdataset, owner_name, &ctx, false, target));
+}
+
+/*
+ * Print an rdataset.  'buffer' is a scratch buffer, which must have been
+ * dynamically allocated by the caller.  It must be large enough to
+ * hold the result from dns_ttl_totext().  If more than that is needed,
+ * the buffer will be grown automatically.
+ */
+
+static isc_result_t
+dump_rdataset(isc_mem_t *mctx, const dns_name_t *name, dns_rdataset_t *rdataset,
+	      dns_totext_ctx_t *ctx, isc_buffer_t *buffer, FILE *f) {
+	isc_region_t r;
+	isc_result_t result;
+
+	REQUIRE(buffer->length > 0);
+
+	/*
+	 * Output a $TTL directive if needed.
+	 */
+
+	if ((ctx->style.flags & DNS_STYLEFLAG_TTL) != 0) {
+		if (!ctx->current_ttl_valid ||
+		    ctx->current_ttl != rdataset->ttl)
+		{
+			if ((ctx->style.flags & DNS_STYLEFLAG_COMMENT) != 0) {
+				isc_buffer_clear(buffer);
+				result = dns_ttl_totext(rdataset->ttl, true,
+							true, buffer);
+				INSIST(result == ISC_R_SUCCESS);
+				isc_buffer_usedregion(buffer, &r);
+				fprintf(f, "$TTL %u\t; %.*s\n", rdataset->ttl,
+					(int)r.length, (char *)r.base);
+			} else {
+				fprintf(f, "$TTL %u\n", rdataset->ttl);
+			}
+			ctx->current_ttl = rdataset->ttl;
+			ctx->current_ttl_valid = true;
+		}
+	}
+
+	isc_buffer_clear(buffer);
+
+	/*
+	 * Generate the text representation of the rdataset into
+	 * the buffer.  If the buffer is too small, grow it.
+	 */
+	for (;;) {
+		int newlength;
+		void *newmem;
+		result = rdataset_totext(rdataset, name, ctx, false, buffer);
+		if (result != ISC_R_NOSPACE) {
+			break;
+		}
+
+		newlength = buffer->length * 2;
+		newmem = isc_mem_get(mctx, newlength);
+		isc_mem_put(mctx, buffer->base, buffer->length);
+		isc_buffer_init(buffer, newmem, newlength);
+	}
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	/*
+	 * Write the buffer contents to the master file.
+	 */
+	isc_buffer_usedregion(buffer, &r);
+	result = isc_stdio_write(r.base, 1, (size_t)r.length, f, NULL);
+
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "master file write failed: %s",
+				 isc_result_totext(result));
+		return (result);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Define the order in which rdatasets should be printed in zone
+ * files.  We will print SOA and NS records before others, SIGs
+ * immediately following the things they sign, and order everything
+ * else by RR number.  This is all just for aesthetics and
+ * compatibility with buggy software that expects the SOA to be first;
+ * the DNS specifications allow any order.
+ */
+
+static int
+dump_order(const dns_rdataset_t *rds) {
+	int t;
+	int sig;
+	if (rds->type == dns_rdatatype_rrsig) {
+		t = rds->covers;
+		sig = 1;
+	} else {
+		t = rds->type;
+		sig = 0;
+	}
+	switch (t) {
+	case dns_rdatatype_soa:
+		t = 0;
+		break;
+	case dns_rdatatype_ns:
+		t = 1;
+		break;
+	default:
+		t += 2;
+		break;
+	}
+	return ((t << 1) + sig);
+}
+
+static int
+dump_order_compare(const void *a, const void *b) {
+	return (dump_order(*((const dns_rdataset_t *const *)a)) -
+		dump_order(*((const dns_rdataset_t *const *)b)));
+}
+
+/*
+ * Dump all the rdatasets of a domain name to a master file.  We make
+ * a "best effort" attempt to sort the RRsets in a nice order, but if
+ * there are more than MAXSORT RRsets, we punt and only sort them in
+ * groups of MAXSORT.  This is not expected to ever happen in practice
+ * since much less than 64 RR types have been registered with the
+ * IANA, so far, and the output will be correct (though not
+ * aesthetically pleasing) even if it does happen.
+ */
+
+#define MAXSORT 64
+
+static isc_result_t
+dump_rdatasets_text(isc_mem_t *mctx, const dns_name_t *name,
+		    dns_rdatasetiter_t *rdsiter, dns_totext_ctx_t *ctx,
+		    isc_buffer_t *buffer, FILE *f) {
+	isc_result_t itresult, dumpresult;
+	isc_region_t r;
+	dns_rdataset_t rdatasets[MAXSORT];
+	dns_rdataset_t *sorted[MAXSORT];
+	int i, n;
+
+	itresult = dns_rdatasetiter_first(rdsiter);
+	dumpresult = ISC_R_SUCCESS;
+
+	if (itresult == ISC_R_SUCCESS && ctx->neworigin != NULL) {
+		isc_buffer_clear(buffer);
+		itresult = dns_name_totext(ctx->neworigin, false, buffer);
+		RUNTIME_CHECK(itresult == ISC_R_SUCCESS);
+		isc_buffer_usedregion(buffer, &r);
+		fprintf(f, "$ORIGIN %.*s\n", (int)r.length, (char *)r.base);
+		ctx->neworigin = NULL;
+	}
+
+again:
+	for (i = 0; itresult == ISC_R_SUCCESS && i < MAXSORT;
+	     itresult = dns_rdatasetiter_next(rdsiter), i++)
+	{
+		dns_rdataset_init(&rdatasets[i]);
+		dns_rdatasetiter_current(rdsiter, &rdatasets[i]);
+		sorted[i] = &rdatasets[i];
+	}
+	n = i;
+	INSIST(n <= MAXSORT);
+
+	qsort(sorted, n, sizeof(sorted[0]), dump_order_compare);
+
+	for (i = 0; i < n; i++) {
+		dns_rdataset_t *rds = sorted[i];
+
+		if (ANCIENT(rds) &&
+		    (ctx->style.flags & DNS_STYLEFLAG_EXPIRED) == 0)
+		{
+			/* Omit expired entries */
+			dns_rdataset_disassociate(rds);
+			continue;
+		}
+
+		if ((ctx->style.flags & DNS_STYLEFLAG_TRUST) != 0) {
+			if ((ctx->style.flags & DNS_STYLEFLAG_INDENT) != 0 ||
+			    (ctx->style.flags & DNS_STYLEFLAG_YAML) != 0)
+			{
+				unsigned int j;
+				for (j = 0; j < ctx->indent.count; j++) {
+					fprintf(f, "%s", ctx->indent.string);
+				}
+			}
+			fprintf(f, "; %s\n", dns_trust_totext(rds->trust));
+		}
+		if (((rds->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) &&
+		    (ctx->style.flags & DNS_STYLEFLAG_NCACHE) == 0)
+		{
+			/* Omit negative cache entries */
+		} else {
+			isc_result_t result;
+			if (STALE(rds)) {
+				fprintf(f, "; stale\n");
+			} else if (ANCIENT(rds)) {
+				isc_buffer_t b;
+				char buf[sizeof("YYYYMMDDHHMMSS")];
+				memset(buf, 0, sizeof(buf));
+				isc_buffer_init(&b, buf, sizeof(buf) - 1);
+				dns_time64_totext((uint64_t)rds->ttl, &b);
+				fprintf(f,
+					"; expired since %s "
+					"(awaiting cleanup)\n",
+					buf);
+			}
+			result = dump_rdataset(mctx, name, rds, ctx, buffer, f);
+			if (result != ISC_R_SUCCESS) {
+				dumpresult = result;
+			}
+			if ((ctx->style.flags & DNS_STYLEFLAG_OMIT_OWNER) != 0)
+			{
+				name = NULL;
+			}
+		}
+		if (((ctx->style.flags & DNS_STYLEFLAG_RESIGN) != 0) &&
+		    ((rds->attributes & DNS_RDATASETATTR_RESIGN) != 0))
+		{
+			isc_buffer_t b;
+			char buf[sizeof("YYYYMMDDHHMMSS")];
+			memset(buf, 0, sizeof(buf));
+			isc_buffer_init(&b, buf, sizeof(buf) - 1);
+			dns_time64_totext((uint64_t)rds->resign, &b);
+			if ((ctx->style.flags & DNS_STYLEFLAG_INDENT) != 0 ||
+			    (ctx->style.flags & DNS_STYLEFLAG_YAML) != 0)
+			{
+				unsigned int j;
+				for (j = 0; j < ctx->indent.count; j++) {
+					fprintf(f, "%s", ctx->indent.string);
+				}
+			}
+			fprintf(f, "; resign=%s\n", buf);
+		}
+		dns_rdataset_disassociate(rds);
+	}
+
+	if (dumpresult != ISC_R_SUCCESS) {
+		return (dumpresult);
+	}
+
+	/*
+	 * If we got more data than could be sorted at once,
+	 * go handle the rest.
+	 */
+	if (itresult == ISC_R_SUCCESS) {
+		goto again;
+	}
+
+	if (itresult == ISC_R_NOMORE) {
+		itresult = ISC_R_SUCCESS;
+	}
+
+	return (itresult);
+}
+
+/*
+ * Dump given RRsets in the "raw" format.
+ */
+static isc_result_t
+dump_rdataset_raw(isc_mem_t *mctx, const dns_name_t *name,
+		  dns_rdataset_t *rdataset, isc_buffer_t *buffer, FILE *f) {
+	isc_result_t result;
+	uint32_t totallen;
+	uint16_t dlen;
+	isc_region_t r, r_hdr;
+
+	REQUIRE(buffer->length > 0);
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+
+	rdataset->attributes |= DNS_RDATASETATTR_LOADORDER;
+restart:
+	totallen = 0;
+	result = dns_rdataset_first(rdataset);
+	REQUIRE(result == ISC_R_SUCCESS);
+
+	isc_buffer_clear(buffer);
+
+	/*
+	 * Common header and owner name (length followed by name)
+	 * These fields should be in a moderate length, so we assume we
+	 * can store all of them in the initial buffer.
+	 */
+	isc_buffer_availableregion(buffer, &r_hdr);
+	INSIST(r_hdr.length >= sizeof(dns_masterrawrdataset_t));
+	isc_buffer_putuint32(buffer, totallen);		 /* XXX: leave space */
+	isc_buffer_putuint16(buffer, rdataset->rdclass); /* 16-bit class */
+	isc_buffer_putuint16(buffer, rdataset->type);	 /* 16-bit type */
+	isc_buffer_putuint16(buffer, rdataset->covers);	 /* same as type */
+	isc_buffer_putuint32(buffer, rdataset->ttl);	 /* 32-bit TTL */
+	isc_buffer_putuint32(buffer, dns_rdataset_count(rdataset));
+	totallen = isc_buffer_usedlength(buffer);
+	INSIST(totallen <= sizeof(dns_masterrawrdataset_t));
+
+	dns_name_toregion(name, &r);
+	INSIST(isc_buffer_availablelength(buffer) >= (sizeof(dlen) + r.length));
+	dlen = (uint16_t)r.length;
+	isc_buffer_putuint16(buffer, dlen);
+	isc_buffer_copyregion(buffer, &r);
+	totallen += sizeof(dlen) + r.length;
+
+	do {
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(rdataset, &rdata);
+		dns_rdata_toregion(&rdata, &r);
+		INSIST(r.length <= 0xffffU);
+		dlen = (uint16_t)r.length;
+
+		/*
+		 * Copy the rdata into the buffer.  If the buffer is too small,
+		 * grow it.  This should be rare, so we'll simply restart the
+		 * entire procedure (or should we copy the old data and
+		 * continue?).
+		 */
+		if (isc_buffer_availablelength(buffer) <
+		    sizeof(dlen) + r.length)
+		{
+			int newlength;
+			void *newmem;
+
+			newlength = buffer->length * 2;
+			newmem = isc_mem_get(mctx, newlength);
+			isc_mem_put(mctx, buffer->base, buffer->length);
+			isc_buffer_init(buffer, newmem, newlength);
+			goto restart;
+		}
+		isc_buffer_putuint16(buffer, dlen);
+		isc_buffer_copyregion(buffer, &r);
+		totallen += sizeof(dlen) + r.length;
+
+		result = dns_rdataset_next(rdataset);
+	} while (result == ISC_R_SUCCESS);
+
+	if (result != ISC_R_NOMORE) {
+		return (result);
+	}
+
+	/*
+	 * Fill in the total length field.
+	 * XXX: this is a bit tricky.  Since we have already "used" the space
+	 * for the total length in the buffer, we first remember the entire
+	 * buffer length in the region, "rewind", and then write the value.
+	 */
+	isc_buffer_usedregion(buffer, &r);
+	isc_buffer_clear(buffer);
+	isc_buffer_putuint32(buffer, totallen);
+	INSIST(isc_buffer_usedlength(buffer) < totallen);
+
+	/*
+	 * Write the buffer contents to the raw master file.
+	 */
+	result = isc_stdio_write(r.base, 1, (size_t)r.length, f, NULL);
+
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "raw master file write failed: %s",
+				 isc_result_totext(result));
+		return (result);
+	}
+
+	return (result);
+}
+
+static isc_result_t
+dump_rdatasets_raw(isc_mem_t *mctx, const dns_name_t *owner_name,
+		   dns_rdatasetiter_t *rdsiter, dns_totext_ctx_t *ctx,
+		   isc_buffer_t *buffer, FILE *f) {
+	isc_result_t result;
+	dns_rdataset_t rdataset;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+
+	name = dns_fixedname_initname(&fixed);
+	dns_name_copynf(owner_name, name);
+	for (result = dns_rdatasetiter_first(rdsiter); result == ISC_R_SUCCESS;
+	     result = dns_rdatasetiter_next(rdsiter))
+	{
+		dns_rdataset_init(&rdataset);
+		dns_rdatasetiter_current(rdsiter, &rdataset);
+
+		dns_rdataset_getownercase(&rdataset, name);
+
+		if (((rdataset.attributes & DNS_RDATASETATTR_NEGATIVE) != 0) &&
+		    (ctx->style.flags & DNS_STYLEFLAG_NCACHE) == 0)
+		{
+			/* Omit negative cache entries */
+		} else {
+			result = dump_rdataset_raw(mctx, name, &rdataset,
+						   buffer, f);
+		}
+		dns_rdataset_disassociate(&rdataset);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+	}
+
+	return (result);
+}
+
+static isc_result_t
+dump_rdatasets_map(isc_mem_t *mctx, const dns_name_t *name,
+		   dns_rdatasetiter_t *rdsiter, dns_totext_ctx_t *ctx,
+		   isc_buffer_t *buffer, FILE *f) {
+	UNUSED(mctx);
+	UNUSED(name);
+	UNUSED(rdsiter);
+	UNUSED(ctx);
+	UNUSED(buffer);
+	UNUSED(f);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+/*
+ * Initial size of text conversion buffer.  The buffer is used
+ * for several purposes: converting origin names, rdatasets,
+ * $DATE timestamps, and comment strings for $TTL directives.
+ *
+ * When converting rdatasets, it is dynamically resized, but
+ * when converting origins, timestamps, etc it is not.  Therefore,
+ * the initial size must large enough to hold the longest possible
+ * text representation of any domain name (for $ORIGIN).
+ */
+static const int initial_buffer_length = 1200;
+
+static isc_result_t
+dumptostream(dns_dumpctx_t *dctx);
+
+static void
+dumpctx_destroy(dns_dumpctx_t *dctx) {
+	dctx->magic = 0;
+	isc_mutex_destroy(&dctx->lock);
+	dns_dbiterator_destroy(&dctx->dbiter);
+	if (dctx->version != NULL) {
+		dns_db_closeversion(dctx->db, &dctx->version, false);
+	}
+	dns_db_detach(&dctx->db);
+	if (dctx->task != NULL) {
+		isc_task_detach(&dctx->task);
+	}
+	if (dctx->file != NULL) {
+		isc_mem_free(dctx->mctx, dctx->file);
+	}
+	if (dctx->tmpfile != NULL) {
+		isc_mem_free(dctx->mctx, dctx->tmpfile);
+	}
+	isc_mem_putanddetach(&dctx->mctx, dctx, sizeof(*dctx));
+}
+
+void
+dns_dumpctx_attach(dns_dumpctx_t *source, dns_dumpctx_t **target) {
+	REQUIRE(DNS_DCTX_VALID(source));
+	REQUIRE(target != NULL && *target == NULL);
+
+	isc_refcount_increment(&source->references);
+
+	*target = source;
+}
+
+void
+dns_dumpctx_detach(dns_dumpctx_t **dctxp) {
+	dns_dumpctx_t *dctx;
+
+	REQUIRE(dctxp != NULL);
+	dctx = *dctxp;
+	*dctxp = NULL;
+	REQUIRE(DNS_DCTX_VALID(dctx));
+
+	if (isc_refcount_decrement(&dctx->references) == 1) {
+		dumpctx_destroy(dctx);
+	}
+}
+
+dns_dbversion_t *
+dns_dumpctx_version(dns_dumpctx_t *dctx) {
+	REQUIRE(DNS_DCTX_VALID(dctx));
+	return (dctx->version);
+}
+
+dns_db_t *
+dns_dumpctx_db(dns_dumpctx_t *dctx) {
+	REQUIRE(DNS_DCTX_VALID(dctx));
+	return (dctx->db);
+}
+
+void
+dns_dumpctx_cancel(dns_dumpctx_t *dctx) {
+	REQUIRE(DNS_DCTX_VALID(dctx));
+
+	atomic_store_release(&dctx->canceled, true);
+}
+
+static isc_result_t
+flushandsync(FILE *f, isc_result_t result, const char *temp) {
+	bool logit = (result == ISC_R_SUCCESS);
+
+	if (result == ISC_R_SUCCESS) {
+		result = isc_stdio_flush(f);
+	}
+	if (result != ISC_R_SUCCESS && logit) {
+		if (temp != NULL) {
+			isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
+				      "dumping to master file: %s: flush: %s",
+				      temp, isc_result_totext(result));
+		} else {
+			isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
+				      "dumping to stream: flush: %s",
+				      isc_result_totext(result));
+		}
+		logit = false;
+	}
+
+	if (result == ISC_R_SUCCESS) {
+		result = isc_stdio_sync(f);
+	}
+	if (result != ISC_R_SUCCESS && logit) {
+		if (temp != NULL) {
+			isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
+				      "dumping to master file: %s: fsync: %s",
+				      temp, isc_result_totext(result));
+		} else {
+			isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
+				      "dumping to stream: fsync: %s",
+				      isc_result_totext(result));
+		}
+	}
+	return (result);
+}
+
+static isc_result_t
+closeandrename(FILE *f, isc_result_t result, const char *temp,
+	       const char *file) {
+	isc_result_t tresult;
+	bool logit = (result == ISC_R_SUCCESS);
+
+	result = flushandsync(f, result, temp);
+	if (result != ISC_R_SUCCESS) {
+		logit = false;
+	}
+
+	tresult = isc_stdio_close(f);
+	if (result == ISC_R_SUCCESS) {
+		result = tresult;
+	}
+	if (result != ISC_R_SUCCESS && logit) {
+		isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
+			      "dumping master file: %s: fclose: %s", temp,
+			      isc_result_totext(result));
+		logit = false;
+	}
+	if (result == ISC_R_SUCCESS) {
+		result = isc_file_rename(temp, file);
+	} else {
+		(void)isc_file_remove(temp);
+	}
+	if (result != ISC_R_SUCCESS && logit) {
+		isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
+			      "dumping master file: rename: %s: %s", file,
+			      isc_result_totext(result));
+	}
+	return (result);
+}
+
+/*
+ * This will run in a libuv threadpool thread.
+ */
+static void
+master_dump_cb(void *data) {
+	isc_result_t result = ISC_R_UNSET;
+	dns_dumpctx_t *dctx = data;
+	REQUIRE(DNS_DCTX_VALID(dctx));
+
+	if (atomic_load_acquire(&dctx->canceled)) {
+		result = ISC_R_CANCELED;
+	} else {
+		result = dumptostream(dctx);
+	}
+
+	if (dctx->file != NULL) {
+		isc_result_t tresult = ISC_R_UNSET;
+		tresult = closeandrename(dctx->f, result, dctx->tmpfile,
+					 dctx->file);
+		if (tresult != ISC_R_SUCCESS && result == ISC_R_SUCCESS) {
+			result = tresult;
+		}
+	} else {
+		result = flushandsync(dctx->f, result, NULL);
+	}
+
+	dctx->result = result;
+}
+
+/*
+ * This will run in a network/task manager thread when the dump is complete.
+ */
+static void
+master_dump_done_cb(void *data, isc_result_t result) {
+	dns_dumpctx_t *dctx = data;
+
+	if (result == ISC_R_SUCCESS && dctx->result != ISC_R_SUCCESS) {
+		result = dctx->result;
+	}
+
+	(dctx->done)(dctx->done_arg, result);
+	dns_dumpctx_detach(&dctx);
+}
+
+/*
+ * This must be run from a network/task manager thread.
+ */
+static void
+setup_dump(isc_task_t *task, isc_event_t *event) {
+	dns_dumpctx_t *dctx = NULL;
+
+	REQUIRE(isc_nm_tid() >= 0);
+	REQUIRE(event != NULL);
+
+	dctx = event->ev_arg;
+
+	REQUIRE(DNS_DCTX_VALID(dctx));
+
+	isc_nm_work_offload(isc_task_getnetmgr(task), master_dump_cb,
+			    master_dump_done_cb, dctx);
+
+	isc_event_free(&event);
+}
+
+static isc_result_t
+task_send(dns_dumpctx_t *dctx) {
+	isc_event_t *event;
+
+	event = isc_event_allocate(dctx->mctx, NULL, DNS_EVENT_DUMPQUANTUM,
+				   setup_dump, dctx, sizeof(*event));
+	isc_task_send(dctx->task, &event);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dumpctx_create(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
+	       const dns_master_style_t *style, FILE *f, dns_dumpctx_t **dctxp,
+	       dns_masterformat_t format, dns_masterrawheader_t *header) {
+	dns_dumpctx_t *dctx;
+	isc_result_t result;
+	unsigned int options;
+
+	dctx = isc_mem_get(mctx, sizeof(*dctx));
+
+	dctx->mctx = NULL;
+	dctx->f = f;
+	dctx->dbiter = NULL;
+	dctx->db = NULL;
+	dctx->version = NULL;
+	dctx->done = NULL;
+	dctx->done_arg = NULL;
+	dctx->task = NULL;
+	atomic_init(&dctx->canceled, false);
+	dctx->file = NULL;
+	dctx->tmpfile = NULL;
+	dctx->format = format;
+	if (header == NULL) {
+		dns_master_initrawheader(&dctx->header);
+	} else {
+		dctx->header = *header;
+	}
+
+	switch (format) {
+	case dns_masterformat_text:
+		dctx->dumpsets = dump_rdatasets_text;
+		break;
+	case dns_masterformat_raw:
+		dctx->dumpsets = dump_rdatasets_raw;
+		break;
+	case dns_masterformat_map:
+		dctx->dumpsets = dump_rdatasets_map;
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	result = totext_ctx_init(style, NULL, &dctx->tctx);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "could not set master file style");
+		goto cleanup;
+	}
+
+	isc_stdtime_get(&dctx->now);
+	dns_db_attach(db, &dctx->db);
+
+	dctx->do_date = dns_db_iscache(dctx->db);
+	if (dctx->do_date) {
+		(void)dns_db_getservestalettl(dctx->db,
+					      &dctx->tctx.serve_stale_ttl);
+	}
+
+	if (dctx->format == dns_masterformat_text &&
+	    (dctx->tctx.style.flags & DNS_STYLEFLAG_REL_OWNER) != 0)
+	{
+		options = DNS_DB_RELATIVENAMES;
+	} else {
+		options = 0;
+	}
+	result = dns_db_createiterator(dctx->db, options, &dctx->dbiter);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	isc_mutex_init(&dctx->lock);
+
+	if (version != NULL) {
+		dns_db_attachversion(dctx->db, version, &dctx->version);
+	} else if (!dns_db_iscache(db)) {
+		dns_db_currentversion(dctx->db, &dctx->version);
+	}
+	isc_mem_attach(mctx, &dctx->mctx);
+
+	isc_refcount_init(&dctx->references, 1);
+	dctx->magic = DNS_DCTX_MAGIC;
+	*dctxp = dctx;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	if (dctx->dbiter != NULL) {
+		dns_dbiterator_destroy(&dctx->dbiter);
+	}
+	if (dctx->db != NULL) {
+		dns_db_detach(&dctx->db);
+	}
+	isc_mem_put(mctx, dctx, sizeof(*dctx));
+	return (result);
+}
+
+static isc_result_t
+writeheader(dns_dumpctx_t *dctx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_buffer_t buffer;
+	char *bufmem;
+	isc_region_t r;
+	dns_masterrawheader_t rawheader;
+	uint32_t rawversion, now32;
+
+	bufmem = isc_mem_get(dctx->mctx, initial_buffer_length);
+
+	isc_buffer_init(&buffer, bufmem, initial_buffer_length);
+
+	switch (dctx->format) {
+	case dns_masterformat_text:
+		/*
+		 * If the database has cache semantics, output an
+		 * RFC2540 $DATE directive so that the TTLs can be
+		 * adjusted when it is reloaded.  For zones it is not
+		 * really needed, and it would make the file
+		 * incompatible with pre-RFC2540 software, so we omit
+		 * it in the zone case.
+		 */
+		if (dctx->do_date) {
+			fprintf(dctx->f, "; using a %u second stale ttl\n",
+				dctx->tctx.serve_stale_ttl);
+			result = dns_time32_totext(dctx->now, &buffer);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			isc_buffer_usedregion(&buffer, &r);
+			fprintf(dctx->f, "$DATE %.*s\n", (int)r.length,
+				(char *)r.base);
+		}
+		break;
+	case dns_masterformat_raw:
+	case dns_masterformat_map:
+		r.base = (unsigned char *)&rawheader;
+		r.length = sizeof(rawheader);
+		isc_buffer_region(&buffer, &r);
+		now32 = dctx->now;
+		rawversion = 1;
+		if ((dctx->header.flags & DNS_MASTERRAW_COMPAT) != 0) {
+			rawversion = 0;
+		}
+
+		isc_buffer_putuint32(&buffer, dctx->format);
+		isc_buffer_putuint32(&buffer, rawversion);
+		isc_buffer_putuint32(&buffer, now32);
+
+		if (rawversion == 1) {
+			isc_buffer_putuint32(&buffer, dctx->header.flags);
+			isc_buffer_putuint32(&buffer,
+					     dctx->header.sourceserial);
+			isc_buffer_putuint32(&buffer, dctx->header.lastxfrin);
+		}
+
+		INSIST(isc_buffer_usedlength(&buffer) <= sizeof(rawheader));
+		result = isc_stdio_write(buffer.base, 1,
+					 isc_buffer_usedlength(&buffer),
+					 dctx->f, NULL);
+		if (result != ISC_R_SUCCESS) {
+			break;
+		}
+
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	isc_mem_put(dctx->mctx, buffer.base, buffer.length);
+	return (result);
+}
+
+static isc_result_t
+dumptostream(dns_dumpctx_t *dctx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_buffer_t buffer;
+	char *bufmem;
+	dns_name_t *name;
+	dns_fixedname_t fixname;
+	unsigned int options = DNS_DB_STALEOK;
+
+	if ((dctx->tctx.style.flags & DNS_STYLEFLAG_EXPIRED) != 0) {
+		options |= DNS_DB_EXPIREDOK;
+	}
+
+	bufmem = isc_mem_get(dctx->mctx, initial_buffer_length);
+
+	isc_buffer_init(&buffer, bufmem, initial_buffer_length);
+
+	name = dns_fixedname_initname(&fixname);
+
+	CHECK(writeheader(dctx));
+
+	/*
+	 * Fast format is not currently written incrementally,
+	 * so we make the call to dns_db_serialize() here.
+	 * If the database is anything other than an rbtdb,
+	 * this should result in not implemented
+	 */
+	if (dctx->format == dns_masterformat_map) {
+		result = dns_db_serialize(dctx->db, dctx->version, dctx->f);
+		goto cleanup;
+	}
+
+	result = dns_dbiterator_first(dctx->dbiter);
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOMORE) {
+		goto cleanup;
+	}
+
+	while (result == ISC_R_SUCCESS) {
+		dns_rdatasetiter_t *rdsiter = NULL;
+		dns_dbnode_t *node = NULL;
+
+		result = dns_dbiterator_current(dctx->dbiter, &node, name);
+		if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+			break;
+		}
+		if (result == DNS_R_NEWORIGIN) {
+			dns_name_t *origin =
+				dns_fixedname_name(&dctx->tctx.origin_fixname);
+			result = dns_dbiterator_origin(dctx->dbiter, origin);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			if ((dctx->tctx.style.flags & DNS_STYLEFLAG_REL_DATA) !=
+			    0)
+			{
+				dctx->tctx.origin = origin;
+			}
+			dctx->tctx.neworigin = origin;
+		}
+
+		result = dns_dbiterator_pause(dctx->dbiter);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		result = dns_db_allrdatasets(dctx->db, node, dctx->version,
+					     options, dctx->now, &rdsiter);
+		if (result != ISC_R_SUCCESS) {
+			dns_db_detachnode(dctx->db, &node);
+			goto cleanup;
+		}
+		result = (dctx->dumpsets)(dctx->mctx, name, rdsiter,
+					  &dctx->tctx, &buffer, dctx->f);
+		dns_rdatasetiter_destroy(&rdsiter);
+		if (result != ISC_R_SUCCESS) {
+			dns_db_detachnode(dctx->db, &node);
+			goto cleanup;
+		}
+		dns_db_detachnode(dctx->db, &node);
+		result = dns_dbiterator_next(dctx->dbiter);
+	}
+
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+	}
+cleanup:
+	RUNTIME_CHECK(dns_dbiterator_pause(dctx->dbiter) == ISC_R_SUCCESS);
+	isc_mem_put(dctx->mctx, buffer.base, buffer.length);
+	return (result);
+}
+
+isc_result_t
+dns_master_dumptostreamasync(isc_mem_t *mctx, dns_db_t *db,
+			     dns_dbversion_t *version,
+			     const dns_master_style_t *style, FILE *f,
+			     isc_task_t *task, dns_dumpdonefunc_t done,
+			     void *done_arg, dns_dumpctx_t **dctxp) {
+	dns_dumpctx_t *dctx = NULL;
+	isc_result_t result;
+
+	REQUIRE(task != NULL);
+	REQUIRE(f != NULL);
+	REQUIRE(done != NULL);
+
+	result = dumpctx_create(mctx, db, version, style, f, &dctx,
+				dns_masterformat_text, NULL);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	isc_task_attach(task, &dctx->task);
+	dctx->done = done;
+	dctx->done_arg = done_arg;
+
+	result = task_send(dctx);
+	if (result == ISC_R_SUCCESS) {
+		dns_dumpctx_attach(dctx, dctxp);
+		return (DNS_R_CONTINUE);
+	}
+
+	dns_dumpctx_detach(&dctx);
+	return (result);
+}
+
+isc_result_t
+dns_master_dumptostream(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
+			const dns_master_style_t *style,
+			dns_masterformat_t format,
+			dns_masterrawheader_t *header, FILE *f) {
+	dns_dumpctx_t *dctx = NULL;
+	isc_result_t result;
+
+	result = dumpctx_create(mctx, db, version, style, f, &dctx, format,
+				header);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = dumptostream(dctx);
+	INSIST(result != DNS_R_CONTINUE);
+	dns_dumpctx_detach(&dctx);
+
+	result = flushandsync(f, result, NULL);
+	return (result);
+}
+
+static isc_result_t
+opentmp(isc_mem_t *mctx, dns_masterformat_t format, const char *file,
+	char **tempp, FILE **fp) {
+	FILE *f = NULL;
+	isc_result_t result;
+	char *tempname = NULL;
+	int tempnamelen;
+
+	tempnamelen = strlen(file) + 20;
+	tempname = isc_mem_allocate(mctx, tempnamelen);
+
+	result = isc_file_mktemplate(file, tempname, tempnamelen);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	if (format == dns_masterformat_text) {
+		result = isc_file_openunique(tempname, &f);
+	} else {
+		result = isc_file_bopenunique(tempname, &f);
+	}
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
+			      "dumping master file: %s: open: %s", tempname,
+			      isc_result_totext(result));
+		goto cleanup;
+	}
+
+#if defined(POSIX_FADV_DONTNEED)
+	posix_fadvise(fileno(f), 0, 0, POSIX_FADV_DONTNEED);
+#endif
+
+	*tempp = tempname;
+	*fp = f;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	isc_mem_free(mctx, tempname);
+	return (result);
+}
+
+isc_result_t
+dns_master_dumpasync(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
+		     const dns_master_style_t *style, const char *filename,
+		     isc_task_t *task, dns_dumpdonefunc_t done, void *done_arg,
+		     dns_dumpctx_t **dctxp, dns_masterformat_t format,
+		     dns_masterrawheader_t *header) {
+	FILE *f = NULL;
+	isc_result_t result;
+	char *tempname = NULL;
+	char *file = NULL;
+	dns_dumpctx_t *dctx = NULL;
+
+	file = isc_mem_strdup(mctx, filename);
+
+	result = opentmp(mctx, format, filename, &tempname, &f);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	result = dumpctx_create(mctx, db, version, style, f, &dctx, format,
+				header);
+	if (result != ISC_R_SUCCESS) {
+		(void)isc_stdio_close(f);
+		(void)isc_file_remove(tempname);
+		goto cleanup;
+	}
+
+	isc_task_attach(task, &dctx->task);
+	dctx->done = done;
+	dctx->done_arg = done_arg;
+	dctx->file = file;
+	file = NULL;
+	dctx->tmpfile = tempname;
+	tempname = NULL;
+
+	result = task_send(dctx);
+	if (result == ISC_R_SUCCESS) {
+		dns_dumpctx_attach(dctx, dctxp);
+		return (DNS_R_CONTINUE);
+	}
+
+cleanup:
+	if (dctx != NULL) {
+		dns_dumpctx_detach(&dctx);
+	}
+	if (file != NULL) {
+		isc_mem_free(mctx, file);
+	}
+	if (tempname != NULL) {
+		isc_mem_free(mctx, tempname);
+	}
+	return (result);
+}
+
+isc_result_t
+dns_master_dump(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
+		const dns_master_style_t *style, const char *filename,
+		dns_masterformat_t format, dns_masterrawheader_t *header) {
+	FILE *f = NULL;
+	isc_result_t result;
+	char *tempname;
+	dns_dumpctx_t *dctx = NULL;
+
+	result = opentmp(mctx, format, filename, &tempname, &f);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = dumpctx_create(mctx, db, version, style, f, &dctx, format,
+				header);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	result = dumptostream(dctx);
+	INSIST(result != DNS_R_CONTINUE);
+	dns_dumpctx_detach(&dctx);
+
+	result = closeandrename(f, result, tempname, filename);
+
+cleanup:
+	isc_mem_free(mctx, tempname);
+	return (result);
+}
+
+/*
+ * Dump a database node into a master file.
+ * XXX: this function assumes the text format.
+ */
+isc_result_t
+dns_master_dumpnodetostream(isc_mem_t *mctx, dns_db_t *db,
+			    dns_dbversion_t *version, dns_dbnode_t *node,
+			    const dns_name_t *name,
+			    const dns_master_style_t *style, FILE *f) {
+	isc_result_t result;
+	isc_buffer_t buffer;
+	char *bufmem;
+	isc_stdtime_t now;
+	dns_totext_ctx_t ctx;
+	dns_rdatasetiter_t *rdsiter = NULL;
+	unsigned int options = DNS_DB_STALEOK;
+
+	if ((style->flags & DNS_STYLEFLAG_EXPIRED) != 0) {
+		options |= DNS_DB_EXPIREDOK;
+	}
+
+	result = totext_ctx_init(style, NULL, &ctx);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "could not set master file style");
+		return (ISC_R_UNEXPECTED);
+	}
+
+	isc_stdtime_get(&now);
+
+	bufmem = isc_mem_get(mctx, initial_buffer_length);
+
+	isc_buffer_init(&buffer, bufmem, initial_buffer_length);
+
+	result = dns_db_allrdatasets(db, node, version, options, now, &rdsiter);
+	if (result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+	result = dump_rdatasets_text(mctx, name, rdsiter, &ctx, &buffer, f);
+	if (result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+	dns_rdatasetiter_destroy(&rdsiter);
+
+	result = ISC_R_SUCCESS;
+
+failure:
+	isc_mem_put(mctx, buffer.base, buffer.length);
+	return (result);
+}
+
+isc_result_t
+dns_master_dumpnode(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
+		    dns_dbnode_t *node, const dns_name_t *name,
+		    const dns_master_style_t *style, const char *filename) {
+	FILE *f = NULL;
+	isc_result_t result;
+
+	result = isc_stdio_open(filename, "w", &f);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
+			      "dumping node to file: %s: open: %s", filename,
+			      isc_result_totext(result));
+		return (ISC_R_UNEXPECTED);
+	}
+
+	result = dns_master_dumpnodetostream(mctx, db, version, node, name,
+					     style, f);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
+			      "dumping master file: %s: dump: %s", filename,
+			      isc_result_totext(result));
+		(void)isc_stdio_close(f);
+		return (ISC_R_UNEXPECTED);
+	}
+
+	result = isc_stdio_close(f);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
+			      "dumping master file: %s: close: %s", filename,
+			      isc_result_totext(result));
+		return (ISC_R_UNEXPECTED);
+	}
+
+	return (result);
+}
+
+dns_masterstyle_flags_t
+dns_master_styleflags(const dns_master_style_t *style) {
+	REQUIRE(style != NULL);
+	return (style->flags);
+}
+
+isc_result_t
+dns_master_stylecreate(dns_master_style_t **stylep,
+		       dns_masterstyle_flags_t flags, unsigned int ttl_column,
+		       unsigned int class_column, unsigned int type_column,
+		       unsigned int rdata_column, unsigned int line_length,
+		       unsigned int tab_width, unsigned int split_width,
+		       isc_mem_t *mctx) {
+	dns_master_style_t *style;
+
+	REQUIRE(stylep != NULL && *stylep == NULL);
+	style = isc_mem_get(mctx, sizeof(*style));
+
+	style->flags = flags;
+	style->ttl_column = ttl_column;
+	style->class_column = class_column;
+	style->type_column = type_column;
+	style->rdata_column = rdata_column;
+	style->line_length = line_length;
+	style->tab_width = tab_width;
+	style->split_width = split_width;
+	*stylep = style;
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_master_styledestroy(dns_master_style_t **stylep, isc_mem_t *mctx) {
+	dns_master_style_t *style;
+
+	REQUIRE(stylep != NULL && *stylep != NULL);
+	style = *stylep;
+	*stylep = NULL;
+	isc_mem_put(mctx, style, sizeof(*style));
+}
diff --git a/lib/dns/message.c b/lib/dns/message.c
new file mode 100644
index 0000000..09645c2
--- /dev/null
+++ b/lib/dns/message.c
@@ -0,0 +1,4748 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+/***
+ *** Imports
+ ***/
+
+#include <ctype.h>
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h> /* Required for HP/UX (and others?) */
+#include <isc/utf8.h>
+#include <isc/util.h>
+
+#include <dns/dnssec.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/masterdump.h>
+#include <dns/message.h>
+#include <dns/opcode.h>
+#include <dns/rcode.h>
+#include <dns/rdata.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/result.h>
+#include <dns/tsig.h>
+#include <dns/ttl.h>
+#include <dns/view.h>
+
+#ifdef SKAN_MSG_DEBUG
+static void
+hexdump(const char *msg, const char *msg2, void *base, size_t len) {
+	unsigned char *p;
+	unsigned int cnt;
+
+	p = base;
+	cnt = 0;
+
+	printf("*** %s [%s] (%u bytes @ %p)\n", msg, msg2, (unsigned)len, base);
+
+	while (cnt < len) {
+		if (cnt % 16 == 0) {
+			printf("%p: ", p);
+		} else if (cnt % 8 == 0) {
+			printf(" |");
+		}
+		printf(" %02x %c", *p, (isprint(*p) ? *p : ' '));
+		p++;
+		cnt++;
+
+		if (cnt % 16 == 0) {
+			printf("\n");
+		}
+	}
+
+	if (cnt % 16 != 0) {
+		printf("\n");
+	}
+}
+#endif /* ifdef SKAN_MSG_DEBUG */
+
+#define DNS_MESSAGE_OPCODE_MASK	      0x7800U
+#define DNS_MESSAGE_OPCODE_SHIFT      11
+#define DNS_MESSAGE_RCODE_MASK	      0x000fU
+#define DNS_MESSAGE_FLAG_MASK	      0x8ff0U
+#define DNS_MESSAGE_EDNSRCODE_MASK    0xff000000U
+#define DNS_MESSAGE_EDNSRCODE_SHIFT   24
+#define DNS_MESSAGE_EDNSVERSION_MASK  0x00ff0000U
+#define DNS_MESSAGE_EDNSVERSION_SHIFT 16
+
+#define VALID_NAMED_SECTION(s) \
+	(((s) > DNS_SECTION_ANY) && ((s) < DNS_SECTION_MAX))
+#define VALID_SECTION(s) (((s) >= DNS_SECTION_ANY) && ((s) < DNS_SECTION_MAX))
+#define ADD_STRING(b, s)                                          \
+	{                                                         \
+		if (strlen(s) >= isc_buffer_availablelength(b)) { \
+			result = ISC_R_NOSPACE;                   \
+			goto cleanup;                             \
+		} else                                            \
+			isc_buffer_putstr(b, s);                  \
+	}
+#define VALID_PSEUDOSECTION(s) \
+	(((s) >= DNS_PSEUDOSECTION_ANY) && ((s) < DNS_PSEUDOSECTION_MAX))
+
+#define OPTOUT(x) (((x)->attributes & DNS_RDATASETATTR_OPTOUT) != 0)
+
+/*%
+ * This is the size of each individual scratchpad buffer, and the numbers
+ * of various block allocations used within the server.
+ * XXXMLG These should come from a config setting.
+ */
+#define SCRATCHPAD_SIZE	   1232
+#define NAME_FILLCOUNT	   4
+#define NAME_FREEMAX	   8 * NAME_FILLCOUNT
+#define OFFSET_COUNT	   4
+#define RDATA_COUNT	   8
+#define RDATALIST_COUNT	   8
+#define RDATASET_FILLCOUNT 4
+#define RDATASET_FREEMAX   8 * RDATASET_FILLCOUNT
+
+/*%
+ * Text representation of the different items, for message_totext
+ * functions.
+ */
+static const char *sectiontext[] = { "QUESTION", "ANSWER", "AUTHORITY",
+				     "ADDITIONAL" };
+
+static const char *updsectiontext[] = { "ZONE", "PREREQUISITE", "UPDATE",
+					"ADDITIONAL" };
+
+static const char *opcodetext[] = { "QUERY",	  "IQUERY",	"STATUS",
+				    "RESERVED3",  "NOTIFY",	"UPDATE",
+				    "RESERVED6",  "RESERVED7",	"RESERVED8",
+				    "RESERVED9",  "RESERVED10", "RESERVED11",
+				    "RESERVED12", "RESERVED13", "RESERVED14",
+				    "RESERVED15" };
+
+static const char *edetext[] = { "Other",
+				 "Unsupported DNSKEY Algorithm",
+				 "Unsupported DS Digest Type",
+				 "Stale Answer",
+				 "Forged Answer",
+				 "DNSSEC Indeterminate",
+				 "DNSSEC Bogus",
+				 "Signature Expired",
+				 "Signature Not Yet Valid",
+				 "DNSKEY Missing",
+				 "RRSIGs Missing",
+				 "No Zone Key Bit Set",
+				 "NSEC Missing",
+				 "Cached Error",
+				 "Not Ready",
+				 "Blocked",
+				 "Censored",
+				 "Filtered",
+				 "Prohibited",
+				 "Stale NXDOMAIN Answer",
+				 "Not Authoritative",
+				 "Not Supported",
+				 "No Reachable Authority",
+				 "Network Error",
+				 "Invalid Data" };
+
+/*%
+ * "helper" type, which consists of a block of some type, and is linkable.
+ * For it to work, sizeof(dns_msgblock_t) must be a multiple of the pointer
+ * size, or the allocated elements will not be aligned correctly.
+ */
+struct dns_msgblock {
+	unsigned int count;
+	unsigned int remaining;
+	ISC_LINK(dns_msgblock_t) link;
+}; /* dynamically sized */
+
+static dns_msgblock_t *
+msgblock_allocate(isc_mem_t *, unsigned int, unsigned int);
+
+#define msgblock_get(block, type) \
+	((type *)msgblock_internalget(block, sizeof(type)))
+
+static void *
+msgblock_internalget(dns_msgblock_t *, unsigned int);
+
+static void
+msgblock_reset(dns_msgblock_t *);
+
+static void
+msgblock_free(isc_mem_t *, dns_msgblock_t *, unsigned int);
+
+static void
+logfmtpacket(dns_message_t *message, const char *description,
+	     const isc_sockaddr_t *address, isc_logcategory_t *category,
+	     isc_logmodule_t *module, const dns_master_style_t *style,
+	     int level, isc_mem_t *mctx);
+
+/*
+ * Allocate a new dns_msgblock_t, and return a pointer to it.  If no memory
+ * is free, return NULL.
+ */
+static dns_msgblock_t *
+msgblock_allocate(isc_mem_t *mctx, unsigned int sizeof_type,
+		  unsigned int count) {
+	dns_msgblock_t *block;
+	unsigned int length;
+
+	length = sizeof(dns_msgblock_t) + (sizeof_type * count);
+
+	block = isc_mem_get(mctx, length);
+
+	block->count = count;
+	block->remaining = count;
+
+	ISC_LINK_INIT(block, link);
+
+	return (block);
+}
+
+/*
+ * Return an element from the msgblock.  If no more are available, return
+ * NULL.
+ */
+static void *
+msgblock_internalget(dns_msgblock_t *block, unsigned int sizeof_type) {
+	void *ptr;
+
+	if (block == NULL || block->remaining == 0) {
+		return (NULL);
+	}
+
+	block->remaining--;
+
+	ptr = (((unsigned char *)block) + sizeof(dns_msgblock_t) +
+	       (sizeof_type * block->remaining));
+
+	return (ptr);
+}
+
+static void
+msgblock_reset(dns_msgblock_t *block) {
+	block->remaining = block->count;
+}
+
+/*
+ * Release memory associated with a message block.
+ */
+static void
+msgblock_free(isc_mem_t *mctx, dns_msgblock_t *block,
+	      unsigned int sizeof_type) {
+	unsigned int length;
+
+	length = sizeof(dns_msgblock_t) + (sizeof_type * block->count);
+
+	isc_mem_put(mctx, block, length);
+}
+
+/*
+ * Allocate a new dynamic buffer, and attach it to this message as the
+ * "current" buffer.  (which is always the last on the list, for our
+ * uses)
+ */
+static isc_result_t
+newbuffer(dns_message_t *msg, unsigned int size) {
+	isc_buffer_t *dynbuf;
+
+	dynbuf = NULL;
+	isc_buffer_allocate(msg->mctx, &dynbuf, size);
+
+	ISC_LIST_APPEND(msg->scratchpad, dynbuf, link);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_buffer_t *
+currentbuffer(dns_message_t *msg) {
+	isc_buffer_t *dynbuf;
+
+	dynbuf = ISC_LIST_TAIL(msg->scratchpad);
+	INSIST(dynbuf != NULL);
+
+	return (dynbuf);
+}
+
+static void
+releaserdata(dns_message_t *msg, dns_rdata_t *rdata) {
+	ISC_LIST_PREPEND(msg->freerdata, rdata, link);
+}
+
+static dns_rdata_t *
+newrdata(dns_message_t *msg) {
+	dns_msgblock_t *msgblock;
+	dns_rdata_t *rdata;
+
+	rdata = ISC_LIST_HEAD(msg->freerdata);
+	if (rdata != NULL) {
+		ISC_LIST_UNLINK(msg->freerdata, rdata, link);
+		return (rdata);
+	}
+
+	msgblock = ISC_LIST_TAIL(msg->rdatas);
+	rdata = msgblock_get(msgblock, dns_rdata_t);
+	if (rdata == NULL) {
+		msgblock = msgblock_allocate(msg->mctx, sizeof(dns_rdata_t),
+					     RDATA_COUNT);
+		if (msgblock == NULL) {
+			return (NULL);
+		}
+
+		ISC_LIST_APPEND(msg->rdatas, msgblock, link);
+
+		rdata = msgblock_get(msgblock, dns_rdata_t);
+	}
+
+	dns_rdata_init(rdata);
+	return (rdata);
+}
+
+static void
+releaserdatalist(dns_message_t *msg, dns_rdatalist_t *rdatalist) {
+	ISC_LIST_PREPEND(msg->freerdatalist, rdatalist, link);
+}
+
+static dns_rdatalist_t *
+newrdatalist(dns_message_t *msg) {
+	dns_msgblock_t *msgblock;
+	dns_rdatalist_t *rdatalist;
+
+	rdatalist = ISC_LIST_HEAD(msg->freerdatalist);
+	if (rdatalist != NULL) {
+		ISC_LIST_UNLINK(msg->freerdatalist, rdatalist, link);
+		goto out;
+	}
+
+	msgblock = ISC_LIST_TAIL(msg->rdatalists);
+	rdatalist = msgblock_get(msgblock, dns_rdatalist_t);
+	if (rdatalist == NULL) {
+		msgblock = msgblock_allocate(msg->mctx, sizeof(dns_rdatalist_t),
+					     RDATALIST_COUNT);
+		if (msgblock == NULL) {
+			return (NULL);
+		}
+
+		ISC_LIST_APPEND(msg->rdatalists, msgblock, link);
+
+		rdatalist = msgblock_get(msgblock, dns_rdatalist_t);
+	}
+out:
+	if (rdatalist != NULL) {
+		dns_rdatalist_init(rdatalist);
+	}
+
+	return (rdatalist);
+}
+
+static dns_offsets_t *
+newoffsets(dns_message_t *msg) {
+	dns_msgblock_t *msgblock;
+	dns_offsets_t *offsets;
+
+	msgblock = ISC_LIST_TAIL(msg->offsets);
+	offsets = msgblock_get(msgblock, dns_offsets_t);
+	if (offsets == NULL) {
+		msgblock = msgblock_allocate(msg->mctx, sizeof(dns_offsets_t),
+					     OFFSET_COUNT);
+		if (msgblock == NULL) {
+			return (NULL);
+		}
+
+		ISC_LIST_APPEND(msg->offsets, msgblock, link);
+
+		offsets = msgblock_get(msgblock, dns_offsets_t);
+	}
+
+	return (offsets);
+}
+
+static void
+msginitheader(dns_message_t *m) {
+	m->id = 0;
+	m->flags = 0;
+	m->rcode = 0;
+	m->opcode = 0;
+	m->rdclass = 0;
+}
+
+static void
+msginitprivate(dns_message_t *m) {
+	unsigned int i;
+
+	for (i = 0; i < DNS_SECTION_MAX; i++) {
+		m->cursors[i] = NULL;
+		m->counts[i] = 0;
+	}
+	m->opt = NULL;
+	m->sig0 = NULL;
+	m->sig0name = NULL;
+	m->tsig = NULL;
+	m->tsigname = NULL;
+	m->state = DNS_SECTION_ANY; /* indicate nothing parsed or rendered */
+	m->opt_reserved = 0;
+	m->sig_reserved = 0;
+	m->reserved = 0;
+	m->padding = 0;
+	m->padding_off = 0;
+	m->buffer = NULL;
+}
+
+static void
+msginittsig(dns_message_t *m) {
+	m->tsigstatus = dns_rcode_noerror;
+	m->querytsigstatus = dns_rcode_noerror;
+	m->tsigkey = NULL;
+	m->tsigctx = NULL;
+	m->sigstart = -1;
+	m->sig0key = NULL;
+	m->sig0status = dns_rcode_noerror;
+	m->timeadjust = 0;
+}
+
+/*
+ * Init elements to default state.  Used both when allocating a new element
+ * and when resetting one.
+ */
+static void
+msginit(dns_message_t *m) {
+	msginitheader(m);
+	msginitprivate(m);
+	msginittsig(m);
+	m->header_ok = 0;
+	m->question_ok = 0;
+	m->tcp_continuation = 0;
+	m->verified_sig = 0;
+	m->verify_attempted = 0;
+	m->order = NULL;
+	m->order_arg.env = NULL;
+	m->order_arg.acl = NULL;
+	m->order_arg.element = NULL;
+	m->query.base = NULL;
+	m->query.length = 0;
+	m->free_query = 0;
+	m->saved.base = NULL;
+	m->saved.length = 0;
+	m->free_saved = 0;
+	m->cc_ok = 0;
+	m->cc_bad = 0;
+	m->tkey = 0;
+	m->rdclass_set = 0;
+	m->querytsig = NULL;
+	m->indent.string = "\t";
+	m->indent.count = 0;
+}
+
+static void
+msgresetnames(dns_message_t *msg, unsigned int first_section) {
+	unsigned int i;
+	dns_name_t *name, *next_name;
+	dns_rdataset_t *rds, *next_rds;
+
+	/*
+	 * Clean up name lists by calling the rdataset disassociate function.
+	 */
+	for (i = first_section; i < DNS_SECTION_MAX; i++) {
+		name = ISC_LIST_HEAD(msg->sections[i]);
+		while (name != NULL) {
+			next_name = ISC_LIST_NEXT(name, link);
+			ISC_LIST_UNLINK(msg->sections[i], name, link);
+
+			rds = ISC_LIST_HEAD(name->list);
+			while (rds != NULL) {
+				next_rds = ISC_LIST_NEXT(rds, link);
+				ISC_LIST_UNLINK(name->list, rds, link);
+
+				INSIST(dns_rdataset_isassociated(rds));
+				dns_rdataset_disassociate(rds);
+				isc_mempool_put(msg->rdspool, rds);
+				rds = next_rds;
+			}
+			dns_message_puttempname(msg, &name);
+			name = next_name;
+		}
+	}
+}
+
+static void
+msgresetopt(dns_message_t *msg) {
+	if (msg->opt != NULL) {
+		if (msg->opt_reserved > 0) {
+			dns_message_renderrelease(msg, msg->opt_reserved);
+			msg->opt_reserved = 0;
+		}
+		INSIST(dns_rdataset_isassociated(msg->opt));
+		dns_rdataset_disassociate(msg->opt);
+		isc_mempool_put(msg->rdspool, msg->opt);
+		msg->opt = NULL;
+		msg->cc_ok = 0;
+		msg->cc_bad = 0;
+	}
+}
+
+static void
+msgresetsigs(dns_message_t *msg, bool replying) {
+	if (msg->sig_reserved > 0) {
+		dns_message_renderrelease(msg, msg->sig_reserved);
+		msg->sig_reserved = 0;
+	}
+	if (msg->tsig != NULL) {
+		INSIST(dns_rdataset_isassociated(msg->tsig));
+		INSIST(msg->namepool != NULL);
+		if (replying) {
+			INSIST(msg->querytsig == NULL);
+			msg->querytsig = msg->tsig;
+		} else {
+			dns_rdataset_disassociate(msg->tsig);
+			isc_mempool_put(msg->rdspool, msg->tsig);
+			if (msg->querytsig != NULL) {
+				dns_rdataset_disassociate(msg->querytsig);
+				isc_mempool_put(msg->rdspool, msg->querytsig);
+			}
+		}
+		dns_message_puttempname(msg, &msg->tsigname);
+		msg->tsig = NULL;
+	} else if (msg->querytsig != NULL && !replying) {
+		dns_rdataset_disassociate(msg->querytsig);
+		isc_mempool_put(msg->rdspool, msg->querytsig);
+		msg->querytsig = NULL;
+	}
+	if (msg->sig0 != NULL) {
+		INSIST(dns_rdataset_isassociated(msg->sig0));
+		dns_rdataset_disassociate(msg->sig0);
+		isc_mempool_put(msg->rdspool, msg->sig0);
+		if (msg->sig0name != NULL) {
+			dns_message_puttempname(msg, &msg->sig0name);
+		}
+		msg->sig0 = NULL;
+		msg->sig0name = NULL;
+	}
+}
+
+/*
+ * Free all but one (or everything) for this message.  This is used by
+ * both dns_message_reset() and dns__message_destroy().
+ */
+static void
+msgreset(dns_message_t *msg, bool everything) {
+	dns_msgblock_t *msgblock, *next_msgblock;
+	isc_buffer_t *dynbuf, *next_dynbuf;
+	dns_rdata_t *rdata;
+	dns_rdatalist_t *rdatalist;
+
+	msgresetnames(msg, 0);
+	msgresetopt(msg);
+	msgresetsigs(msg, false);
+
+	/*
+	 * Clean up linked lists.
+	 */
+
+	/*
+	 * Run through the free lists, and just unlink anything found there.
+	 * The memory isn't lost since these are part of message blocks we
+	 * have allocated.
+	 */
+	rdata = ISC_LIST_HEAD(msg->freerdata);
+	while (rdata != NULL) {
+		ISC_LIST_UNLINK(msg->freerdata, rdata, link);
+		rdata = ISC_LIST_HEAD(msg->freerdata);
+	}
+	rdatalist = ISC_LIST_HEAD(msg->freerdatalist);
+	while (rdatalist != NULL) {
+		ISC_LIST_UNLINK(msg->freerdatalist, rdatalist, link);
+		rdatalist = ISC_LIST_HEAD(msg->freerdatalist);
+	}
+
+	dynbuf = ISC_LIST_HEAD(msg->scratchpad);
+	INSIST(dynbuf != NULL);
+	if (!everything) {
+		isc_buffer_clear(dynbuf);
+		dynbuf = ISC_LIST_NEXT(dynbuf, link);
+	}
+	while (dynbuf != NULL) {
+		next_dynbuf = ISC_LIST_NEXT(dynbuf, link);
+		ISC_LIST_UNLINK(msg->scratchpad, dynbuf, link);
+		isc_buffer_free(&dynbuf);
+		dynbuf = next_dynbuf;
+	}
+
+	msgblock = ISC_LIST_HEAD(msg->rdatas);
+	if (!everything && msgblock != NULL) {
+		msgblock_reset(msgblock);
+		msgblock = ISC_LIST_NEXT(msgblock, link);
+	}
+	while (msgblock != NULL) {
+		next_msgblock = ISC_LIST_NEXT(msgblock, link);
+		ISC_LIST_UNLINK(msg->rdatas, msgblock, link);
+		msgblock_free(msg->mctx, msgblock, sizeof(dns_rdata_t));
+		msgblock = next_msgblock;
+	}
+
+	/*
+	 * rdatalists could be empty.
+	 */
+
+	msgblock = ISC_LIST_HEAD(msg->rdatalists);
+	if (!everything && msgblock != NULL) {
+		msgblock_reset(msgblock);
+		msgblock = ISC_LIST_NEXT(msgblock, link);
+	}
+	while (msgblock != NULL) {
+		next_msgblock = ISC_LIST_NEXT(msgblock, link);
+		ISC_LIST_UNLINK(msg->rdatalists, msgblock, link);
+		msgblock_free(msg->mctx, msgblock, sizeof(dns_rdatalist_t));
+		msgblock = next_msgblock;
+	}
+
+	msgblock = ISC_LIST_HEAD(msg->offsets);
+	if (!everything && msgblock != NULL) {
+		msgblock_reset(msgblock);
+		msgblock = ISC_LIST_NEXT(msgblock, link);
+	}
+	while (msgblock != NULL) {
+		next_msgblock = ISC_LIST_NEXT(msgblock, link);
+		ISC_LIST_UNLINK(msg->offsets, msgblock, link);
+		msgblock_free(msg->mctx, msgblock, sizeof(dns_offsets_t));
+		msgblock = next_msgblock;
+	}
+
+	if (msg->tsigkey != NULL) {
+		dns_tsigkey_detach(&msg->tsigkey);
+		msg->tsigkey = NULL;
+	}
+
+	if (msg->tsigctx != NULL) {
+		dst_context_destroy(&msg->tsigctx);
+	}
+
+	if (msg->query.base != NULL) {
+		if (msg->free_query != 0) {
+			isc_mem_put(msg->mctx, msg->query.base,
+				    msg->query.length);
+		}
+		msg->query.base = NULL;
+		msg->query.length = 0;
+	}
+
+	if (msg->saved.base != NULL) {
+		if (msg->free_saved != 0) {
+			isc_mem_put(msg->mctx, msg->saved.base,
+				    msg->saved.length);
+		}
+		msg->saved.base = NULL;
+		msg->saved.length = 0;
+	}
+
+	/*
+	 * cleanup the buffer cleanup list
+	 */
+	dynbuf = ISC_LIST_HEAD(msg->cleanup);
+	while (dynbuf != NULL) {
+		next_dynbuf = ISC_LIST_NEXT(dynbuf, link);
+		ISC_LIST_UNLINK(msg->cleanup, dynbuf, link);
+		isc_buffer_free(&dynbuf);
+		dynbuf = next_dynbuf;
+	}
+
+	/*
+	 * Set other bits to normal default values.
+	 */
+	if (!everything) {
+		msginit(msg);
+	}
+
+	ENSURE(isc_mempool_getallocated(msg->namepool) == 0);
+	ENSURE(isc_mempool_getallocated(msg->rdspool) == 0);
+}
+
+static unsigned int
+spacefortsig(dns_tsigkey_t *key, int otherlen) {
+	isc_region_t r1, r2;
+	unsigned int x;
+	isc_result_t result;
+
+	/*
+	 * The space required for an TSIG record is:
+	 *
+	 *	n1 bytes for the name
+	 *	2 bytes for the type
+	 *	2 bytes for the class
+	 *	4 bytes for the ttl
+	 *	2 bytes for the rdlength
+	 *	n2 bytes for the algorithm name
+	 *	6 bytes for the time signed
+	 *	2 bytes for the fudge
+	 *	2 bytes for the MAC size
+	 *	x bytes for the MAC
+	 *	2 bytes for the original id
+	 *	2 bytes for the error
+	 *	2 bytes for the other data length
+	 *	y bytes for the other data (at most)
+	 * ---------------------------------
+	 *     26 + n1 + n2 + x + y bytes
+	 */
+
+	dns_name_toregion(&key->name, &r1);
+	dns_name_toregion(key->algorithm, &r2);
+	if (key->key == NULL) {
+		x = 0;
+	} else {
+		result = dst_key_sigsize(key->key, &x);
+		if (result != ISC_R_SUCCESS) {
+			x = 0;
+		}
+	}
+	return (26 + r1.length + r2.length + x + otherlen);
+}
+
+void
+dns_message_create(isc_mem_t *mctx, unsigned int intent, dns_message_t **msgp) {
+	dns_message_t *m = NULL;
+	isc_buffer_t *dynbuf = NULL;
+	unsigned int i;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(msgp != NULL);
+	REQUIRE(*msgp == NULL);
+	REQUIRE(intent == DNS_MESSAGE_INTENTPARSE ||
+		intent == DNS_MESSAGE_INTENTRENDER);
+
+	m = isc_mem_get(mctx, sizeof(dns_message_t));
+	*m = (dns_message_t){ .from_to_wire = intent };
+	isc_mem_attach(mctx, &m->mctx);
+	msginit(m);
+
+	for (i = 0; i < DNS_SECTION_MAX; i++) {
+		ISC_LIST_INIT(m->sections[i]);
+	}
+
+	ISC_LIST_INIT(m->scratchpad);
+	ISC_LIST_INIT(m->cleanup);
+	ISC_LIST_INIT(m->rdatas);
+	ISC_LIST_INIT(m->rdatalists);
+	ISC_LIST_INIT(m->offsets);
+	ISC_LIST_INIT(m->freerdata);
+	ISC_LIST_INIT(m->freerdatalist);
+
+	isc_mempool_create(m->mctx, sizeof(dns_fixedname_t), &m->namepool);
+	isc_mempool_setfillcount(m->namepool, NAME_FILLCOUNT);
+	isc_mempool_setfreemax(m->namepool, NAME_FREEMAX);
+	isc_mempool_setname(m->namepool, "msg:names");
+
+	isc_mempool_create(m->mctx, sizeof(dns_rdataset_t), &m->rdspool);
+	isc_mempool_setfillcount(m->rdspool, RDATASET_FILLCOUNT);
+	isc_mempool_setfreemax(m->rdspool, RDATASET_FREEMAX);
+	isc_mempool_setname(m->rdspool, "msg:rdataset");
+
+	isc_buffer_allocate(mctx, &dynbuf, SCRATCHPAD_SIZE);
+	ISC_LIST_APPEND(m->scratchpad, dynbuf, link);
+
+	isc_refcount_init(&m->refcount, 1);
+	m->magic = DNS_MESSAGE_MAGIC;
+
+	*msgp = m;
+}
+
+void
+dns_message_reset(dns_message_t *msg, unsigned int intent) {
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(intent == DNS_MESSAGE_INTENTPARSE ||
+		intent == DNS_MESSAGE_INTENTRENDER);
+
+	msgreset(msg, false);
+	msg->from_to_wire = intent;
+}
+
+static void
+dns__message_destroy(dns_message_t *msg) {
+	REQUIRE(msg != NULL);
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+
+	msgreset(msg, true);
+	isc_mempool_destroy(&msg->namepool);
+	isc_mempool_destroy(&msg->rdspool);
+	isc_refcount_destroy(&msg->refcount);
+	msg->magic = 0;
+	isc_mem_putanddetach(&msg->mctx, msg, sizeof(dns_message_t));
+}
+
+void
+dns_message_attach(dns_message_t *source, dns_message_t **target) {
+	REQUIRE(DNS_MESSAGE_VALID(source));
+
+	isc_refcount_increment(&source->refcount);
+	*target = source;
+}
+
+void
+dns_message_detach(dns_message_t **messagep) {
+	REQUIRE(messagep != NULL && DNS_MESSAGE_VALID(*messagep));
+	dns_message_t *msg = *messagep;
+	*messagep = NULL;
+
+	if (isc_refcount_decrement(&msg->refcount) == 1) {
+		dns__message_destroy(msg);
+	}
+}
+
+static isc_result_t
+findname(dns_name_t **foundname, const dns_name_t *target,
+	 dns_namelist_t *section) {
+	dns_name_t *curr;
+
+	for (curr = ISC_LIST_TAIL(*section); curr != NULL;
+	     curr = ISC_LIST_PREV(curr, link))
+	{
+		if (dns_name_equal(curr, target)) {
+			if (foundname != NULL) {
+				*foundname = curr;
+			}
+			return (ISC_R_SUCCESS);
+		}
+	}
+
+	return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
+dns_message_find(const dns_name_t *name, dns_rdataclass_t rdclass,
+		 dns_rdatatype_t type, dns_rdatatype_t covers,
+		 dns_rdataset_t **rdataset) {
+	dns_rdataset_t *curr;
+
+	REQUIRE(name != NULL);
+	REQUIRE(rdataset == NULL || *rdataset == NULL);
+
+	for (curr = ISC_LIST_TAIL(name->list); curr != NULL;
+	     curr = ISC_LIST_PREV(curr, link))
+	{
+		if (curr->rdclass == rdclass && curr->type == type &&
+		    curr->covers == covers)
+		{
+			if (rdataset != NULL) {
+				*rdataset = curr;
+			}
+			return (ISC_R_SUCCESS);
+		}
+	}
+
+	return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
+dns_message_findtype(const dns_name_t *name, dns_rdatatype_t type,
+		     dns_rdatatype_t covers, dns_rdataset_t **rdataset) {
+	dns_rdataset_t *curr;
+
+	REQUIRE(name != NULL);
+	REQUIRE(rdataset == NULL || *rdataset == NULL);
+
+	for (curr = ISC_LIST_TAIL(name->list); curr != NULL;
+	     curr = ISC_LIST_PREV(curr, link))
+	{
+		if (curr->type == type && curr->covers == covers) {
+			if (ISC_UNLIKELY(rdataset != NULL)) {
+				*rdataset = curr;
+			}
+			return (ISC_R_SUCCESS);
+		}
+	}
+
+	return (ISC_R_NOTFOUND);
+}
+
+/*
+ * Read a name from buffer "source".
+ */
+static isc_result_t
+getname(dns_name_t *name, isc_buffer_t *source, dns_message_t *msg,
+	dns_decompress_t *dctx) {
+	isc_buffer_t *scratch;
+	isc_result_t result;
+	unsigned int tries;
+
+	scratch = currentbuffer(msg);
+
+	/*
+	 * First try:  use current buffer.
+	 * Second try:  allocate a new buffer and use that.
+	 */
+	tries = 0;
+	while (tries < 2) {
+		result = dns_name_fromwire(name, source, dctx, 0, scratch);
+
+		if (result == ISC_R_NOSPACE) {
+			tries++;
+
+			result = newbuffer(msg, SCRATCHPAD_SIZE);
+			if (result != ISC_R_SUCCESS) {
+				return (result);
+			}
+
+			scratch = currentbuffer(msg);
+			dns_name_reset(name);
+		} else {
+			return (result);
+		}
+	}
+
+	UNREACHABLE();
+}
+
+static isc_result_t
+getrdata(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
+	 dns_rdataclass_t rdclass, dns_rdatatype_t rdtype,
+	 unsigned int rdatalen, dns_rdata_t *rdata) {
+	isc_buffer_t *scratch;
+	isc_result_t result;
+	unsigned int tries;
+	unsigned int trysize;
+
+	scratch = currentbuffer(msg);
+
+	isc_buffer_setactive(source, rdatalen);
+
+	/*
+	 * First try:  use current buffer.
+	 * Second try:  allocate a new buffer of size
+	 *     max(SCRATCHPAD_SIZE, 2 * compressed_rdatalen)
+	 *     (the data will fit if it was not more than 50% compressed)
+	 * Subsequent tries: double buffer size on each try.
+	 */
+	tries = 0;
+	trysize = 0;
+	/* XXX possibly change this to a while (tries < 2) loop */
+	for (;;) {
+		result = dns_rdata_fromwire(rdata, rdclass, rdtype, source,
+					    dctx, 0, scratch);
+
+		if (result == ISC_R_NOSPACE) {
+			if (tries == 0) {
+				trysize = 2 * rdatalen;
+				if (trysize < SCRATCHPAD_SIZE) {
+					trysize = SCRATCHPAD_SIZE;
+				}
+			} else {
+				INSIST(trysize != 0);
+				if (trysize >= 65535) {
+					return (ISC_R_NOSPACE);
+				}
+				/* XXX DNS_R_RRTOOLONG? */
+				trysize *= 2;
+			}
+			tries++;
+			result = newbuffer(msg, trysize);
+			if (result != ISC_R_SUCCESS) {
+				return (result);
+			}
+
+			scratch = currentbuffer(msg);
+		} else {
+			return (result);
+		}
+	}
+}
+
+#define DO_ERROR(r)                          \
+	do {                                 \
+		if (best_effort) {           \
+			seen_problem = true; \
+		} else {                     \
+			result = r;          \
+			goto cleanup;        \
+		}                            \
+	} while (0)
+
+static isc_result_t
+getquestions(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
+	     unsigned int options) {
+	isc_region_t r;
+	unsigned int count;
+	dns_name_t *name = NULL;
+	dns_name_t *name2 = NULL;
+	dns_rdataset_t *rdataset = NULL;
+	dns_rdatalist_t *rdatalist = NULL;
+	isc_result_t result;
+	dns_rdatatype_t rdtype;
+	dns_rdataclass_t rdclass;
+	dns_namelist_t *section = &msg->sections[DNS_SECTION_QUESTION];
+	bool best_effort = ((options & DNS_MESSAGEPARSE_BESTEFFORT) != 0);
+	bool seen_problem = false;
+	bool free_name = false;
+
+	for (count = 0; count < msg->counts[DNS_SECTION_QUESTION]; count++) {
+		name = NULL;
+		result = dns_message_gettempname(msg, &name);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+		name->offsets = (unsigned char *)newoffsets(msg);
+		free_name = true;
+
+		/*
+		 * Parse the name out of this packet.
+		 */
+		isc_buffer_remainingregion(source, &r);
+		isc_buffer_setactive(source, r.length);
+		result = getname(name, source, msg, dctx);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+
+		/*
+		 * Run through the section, looking to see if this name
+		 * is already there.  If it is found, put back the allocated
+		 * name since we no longer need it, and set our name pointer
+		 * to point to the name we found.
+		 */
+		result = findname(&name2, name, section);
+
+		/*
+		 * If it is the first name in the section, accept it.
+		 *
+		 * If it is not, but is not the same as the name already
+		 * in the question section, append to the section.  Note that
+		 * here in the question section this is illegal, so return
+		 * FORMERR.  In the future, check the opcode to see if
+		 * this should be legal or not.  In either case we no longer
+		 * need this name pointer.
+		 */
+		if (result != ISC_R_SUCCESS) {
+			if (!ISC_LIST_EMPTY(*section)) {
+				DO_ERROR(DNS_R_FORMERR);
+			}
+			ISC_LIST_APPEND(*section, name, link);
+			free_name = false;
+		} else {
+			dns_message_puttempname(msg, &name);
+			name = name2;
+			name2 = NULL;
+			free_name = false;
+		}
+
+		/*
+		 * Get type and class.
+		 */
+		isc_buffer_remainingregion(source, &r);
+		if (r.length < 4) {
+			result = ISC_R_UNEXPECTEDEND;
+			goto cleanup;
+		}
+		rdtype = isc_buffer_getuint16(source);
+		rdclass = isc_buffer_getuint16(source);
+
+		/*
+		 * If this class is different than the one we already read,
+		 * this is an error.
+		 */
+		if (msg->rdclass_set == 0) {
+			msg->rdclass = rdclass;
+			msg->rdclass_set = 1;
+		} else if (msg->rdclass != rdclass) {
+			DO_ERROR(DNS_R_FORMERR);
+		}
+
+		/*
+		 * Is this a TKEY query?
+		 */
+		if (rdtype == dns_rdatatype_tkey) {
+			msg->tkey = 1;
+		}
+
+		/*
+		 * Can't ask the same question twice.
+		 */
+		result = dns_message_find(name, rdclass, rdtype, 0, NULL);
+		if (result == ISC_R_SUCCESS) {
+			DO_ERROR(DNS_R_FORMERR);
+		}
+
+		/*
+		 * Allocate a new rdatalist.
+		 */
+		rdatalist = newrdatalist(msg);
+		if (rdatalist == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+		rdataset = isc_mempool_get(msg->rdspool);
+		if (rdataset == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+
+		/*
+		 * Convert rdatalist to rdataset, and attach the latter to
+		 * the name.
+		 */
+		rdatalist->type = rdtype;
+		rdatalist->rdclass = rdclass;
+
+		dns_rdataset_init(rdataset);
+		result = dns_rdatalist_tordataset(rdatalist, rdataset);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+
+		rdataset->attributes |= DNS_RDATASETATTR_QUESTION;
+
+		ISC_LIST_APPEND(name->list, rdataset, link);
+		rdataset = NULL;
+	}
+
+	if (seen_problem) {
+		return (DNS_R_RECOVERABLE);
+	}
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	if (rdataset != NULL) {
+		INSIST(!dns_rdataset_isassociated(rdataset));
+		isc_mempool_put(msg->rdspool, rdataset);
+	}
+	if (free_name) {
+		dns_message_puttempname(msg, &name);
+	}
+
+	return (result);
+}
+
+static bool
+update(dns_section_t section, dns_rdataclass_t rdclass) {
+	if (section == DNS_SECTION_PREREQUISITE) {
+		return (rdclass == dns_rdataclass_any ||
+			rdclass == dns_rdataclass_none);
+	}
+	if (section == DNS_SECTION_UPDATE) {
+		return (rdclass == dns_rdataclass_any);
+	}
+	return (false);
+}
+
+/*
+ * Check to confirm that all DNSSEC records (DS, NSEC, NSEC3) have
+ * covering RRSIGs.
+ */
+static bool
+auth_signed(dns_namelist_t *section) {
+	dns_name_t *name;
+
+	for (name = ISC_LIST_HEAD(*section); name != NULL;
+	     name = ISC_LIST_NEXT(name, link))
+	{
+		int auth_dnssec = 0, auth_rrsig = 0;
+		dns_rdataset_t *rds;
+
+		for (rds = ISC_LIST_HEAD(name->list); rds != NULL;
+		     rds = ISC_LIST_NEXT(rds, link))
+		{
+			switch (rds->type) {
+			case dns_rdatatype_ds:
+				auth_dnssec |= 0x1;
+				break;
+			case dns_rdatatype_nsec:
+				auth_dnssec |= 0x2;
+				break;
+			case dns_rdatatype_nsec3:
+				auth_dnssec |= 0x4;
+				break;
+			case dns_rdatatype_rrsig:
+				break;
+			default:
+				continue;
+			}
+
+			switch (rds->covers) {
+			case dns_rdatatype_ds:
+				auth_rrsig |= 0x1;
+				break;
+			case dns_rdatatype_nsec:
+				auth_rrsig |= 0x2;
+				break;
+			case dns_rdatatype_nsec3:
+				auth_rrsig |= 0x4;
+				break;
+			default:
+				break;
+			}
+		}
+
+		if (auth_dnssec != auth_rrsig) {
+			return (false);
+		}
+	}
+
+	return (true);
+}
+
+static isc_result_t
+getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
+	   dns_section_t sectionid, unsigned int options) {
+	isc_region_t r;
+	unsigned int count, rdatalen;
+	dns_name_t *name = NULL;
+	dns_name_t *name2 = NULL;
+	dns_rdataset_t *rdataset = NULL;
+	dns_rdatalist_t *rdatalist = NULL;
+	isc_result_t result;
+	dns_rdatatype_t rdtype, covers;
+	dns_rdataclass_t rdclass;
+	dns_rdata_t *rdata = NULL;
+	dns_ttl_t ttl;
+	dns_namelist_t *section = &msg->sections[sectionid];
+	bool free_name = false, free_rdataset = false, seen_problem = false;
+	bool preserve_order = ((options & DNS_MESSAGEPARSE_PRESERVEORDER) != 0);
+	bool best_effort = ((options & DNS_MESSAGEPARSE_BESTEFFORT) != 0);
+	bool isedns, issigzero, istsig;
+
+	for (count = 0; count < msg->counts[sectionid]; count++) {
+		int recstart = source->current;
+		bool skip_name_search, skip_type_search;
+
+		skip_name_search = false;
+		skip_type_search = false;
+		free_rdataset = false;
+		isedns = false;
+		issigzero = false;
+		istsig = false;
+
+		name = NULL;
+		result = dns_message_gettempname(msg, &name);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+		name->offsets = (unsigned char *)newoffsets(msg);
+		free_name = true;
+
+		/*
+		 * Parse the name out of this packet.
+		 */
+		isc_buffer_remainingregion(source, &r);
+		isc_buffer_setactive(source, r.length);
+		result = getname(name, source, msg, dctx);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+
+		/*
+		 * Get type, class, ttl, and rdatalen.  Verify that at least
+		 * rdatalen bytes remain.  (Some of this is deferred to
+		 * later.)
+		 */
+		isc_buffer_remainingregion(source, &r);
+		if (r.length < 2 + 2 + 4 + 2) {
+			result = ISC_R_UNEXPECTEDEND;
+			goto cleanup;
+		}
+		rdtype = isc_buffer_getuint16(source);
+		rdclass = isc_buffer_getuint16(source);
+
+		/*
+		 * If there was no question section, we may not yet have
+		 * established a class.  Do so now.
+		 */
+		if (msg->rdclass_set == 0 &&
+		    rdtype != dns_rdatatype_opt &&  /* class is UDP SIZE */
+		    rdtype != dns_rdatatype_tsig && /* class is ANY */
+		    rdtype != dns_rdatatype_tkey)
+		{ /* class is undefined */
+			msg->rdclass = rdclass;
+			msg->rdclass_set = 1;
+		}
+
+		/*
+		 * If this class is different than the one in the question
+		 * section, bail.
+		 */
+		if (msg->opcode != dns_opcode_update &&
+		    rdtype != dns_rdatatype_tsig &&
+		    rdtype != dns_rdatatype_opt &&
+		    rdtype != dns_rdatatype_key &&  /* in a TKEY query */
+		    rdtype != dns_rdatatype_sig &&  /* SIG(0) */
+		    rdtype != dns_rdatatype_tkey && /* Win2000 TKEY */
+		    msg->rdclass != dns_rdataclass_any &&
+		    msg->rdclass != rdclass)
+		{
+			DO_ERROR(DNS_R_FORMERR);
+		}
+
+		/*
+		 * If this is not a TKEY query/response then the KEY
+		 * record's class needs to match.
+		 */
+		if (msg->opcode != dns_opcode_update && !msg->tkey &&
+		    rdtype == dns_rdatatype_key &&
+		    msg->rdclass != dns_rdataclass_any &&
+		    msg->rdclass != rdclass)
+		{
+			DO_ERROR(DNS_R_FORMERR);
+		}
+
+		/*
+		 * Special type handling for TSIG, OPT, and TKEY.
+		 */
+		if (rdtype == dns_rdatatype_tsig) {
+			/*
+			 * If it is a tsig, verify that it is in the
+			 * additional data section.
+			 */
+			if (sectionid != DNS_SECTION_ADDITIONAL ||
+			    rdclass != dns_rdataclass_any ||
+			    count != msg->counts[sectionid] - 1)
+			{
+				DO_ERROR(DNS_R_BADTSIG);
+			} else {
+				skip_name_search = true;
+				skip_type_search = true;
+				istsig = true;
+			}
+		} else if (rdtype == dns_rdatatype_opt) {
+			/*
+			 * The name of an OPT record must be ".", it
+			 * must be in the additional data section, and
+			 * it must be the first OPT we've seen.
+			 */
+			if (!dns_name_equal(dns_rootname, name) ||
+			    sectionid != DNS_SECTION_ADDITIONAL ||
+			    msg->opt != NULL)
+			{
+				DO_ERROR(DNS_R_FORMERR);
+			} else {
+				skip_name_search = true;
+				skip_type_search = true;
+				isedns = true;
+			}
+		} else if (rdtype == dns_rdatatype_tkey) {
+			/*
+			 * A TKEY must be in the additional section if this
+			 * is a query, and the answer section if this is a
+			 * response.  Unless it's a Win2000 client.
+			 *
+			 * Its class is ignored.
+			 */
+			dns_section_t tkeysection;
+
+			if ((msg->flags & DNS_MESSAGEFLAG_QR) == 0) {
+				tkeysection = DNS_SECTION_ADDITIONAL;
+			} else {
+				tkeysection = DNS_SECTION_ANSWER;
+			}
+			if (sectionid != tkeysection &&
+			    sectionid != DNS_SECTION_ANSWER)
+			{
+				DO_ERROR(DNS_R_FORMERR);
+			}
+		}
+
+		/*
+		 * ... now get ttl and rdatalen, and check buffer.
+		 */
+		ttl = isc_buffer_getuint32(source);
+		rdatalen = isc_buffer_getuint16(source);
+		r.length -= (2 + 2 + 4 + 2);
+		if (r.length < rdatalen) {
+			result = ISC_R_UNEXPECTEDEND;
+			goto cleanup;
+		}
+
+		/*
+		 * Read the rdata from the wire format.  Interpret the
+		 * rdata according to its actual class, even if it had a
+		 * DynDNS meta-class in the packet (unless this is a TSIG).
+		 * Then put the meta-class back into the finished rdata.
+		 */
+		rdata = newrdata(msg);
+		if (rdata == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+		if (msg->opcode == dns_opcode_update &&
+		    update(sectionid, rdclass))
+		{
+			if (rdatalen != 0) {
+				result = DNS_R_FORMERR;
+				goto cleanup;
+			}
+			/*
+			 * When the rdata is empty, the data pointer is
+			 * never dereferenced, but it must still be non-NULL.
+			 * Casting 1 rather than "" avoids warnings about
+			 * discarding the const attribute of a string,
+			 * for compilers that would warn about such things.
+			 */
+			rdata->data = (unsigned char *)1;
+			rdata->length = 0;
+			rdata->rdclass = rdclass;
+			rdata->type = rdtype;
+			rdata->flags = DNS_RDATA_UPDATE;
+			result = ISC_R_SUCCESS;
+		} else if (rdclass == dns_rdataclass_none &&
+			   msg->opcode == dns_opcode_update &&
+			   sectionid == DNS_SECTION_UPDATE)
+		{
+			result = getrdata(source, msg, dctx, msg->rdclass,
+					  rdtype, rdatalen, rdata);
+		} else {
+			result = getrdata(source, msg, dctx, rdclass, rdtype,
+					  rdatalen, rdata);
+		}
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+		rdata->rdclass = rdclass;
+		if (rdtype == dns_rdatatype_rrsig && rdata->flags == 0) {
+			covers = dns_rdata_covers(rdata);
+			if (covers == 0) {
+				DO_ERROR(DNS_R_FORMERR);
+			}
+		} else if (rdtype == dns_rdatatype_sig /* SIG(0) */ &&
+			   rdata->flags == 0)
+		{
+			covers = dns_rdata_covers(rdata);
+			if (covers == 0) {
+				if (sectionid != DNS_SECTION_ADDITIONAL ||
+				    count != msg->counts[sectionid] - 1)
+				{
+					DO_ERROR(DNS_R_BADSIG0);
+				} else {
+					skip_name_search = true;
+					skip_type_search = true;
+					issigzero = true;
+				}
+			} else {
+				if (msg->rdclass != dns_rdataclass_any &&
+				    msg->rdclass != rdclass)
+				{
+					DO_ERROR(DNS_R_FORMERR);
+				}
+			}
+		} else {
+			covers = 0;
+		}
+
+		/*
+		 * Check the ownername of NSEC3 records
+		 */
+		if (rdtype == dns_rdatatype_nsec3 &&
+		    !dns_rdata_checkowner(name, msg->rdclass, rdtype, false))
+		{
+			result = DNS_R_BADOWNERNAME;
+			goto cleanup;
+		}
+
+		/*
+		 * If we are doing a dynamic update or this is a meta-type,
+		 * don't bother searching for a name, just append this one
+		 * to the end of the message.
+		 */
+		if (preserve_order || msg->opcode == dns_opcode_update ||
+		    skip_name_search)
+		{
+			if (!isedns && !istsig && !issigzero) {
+				ISC_LIST_APPEND(*section, name, link);
+				free_name = false;
+			}
+		} else {
+			/*
+			 * Run through the section, looking to see if this name
+			 * is already there.  If it is found, put back the
+			 * allocated name since we no longer need it, and set
+			 * our name pointer to point to the name we found.
+			 */
+			result = findname(&name2, name, section);
+
+			/*
+			 * If it is a new name, append to the section.
+			 */
+			if (result == ISC_R_SUCCESS) {
+				dns_message_puttempname(msg, &name);
+				name = name2;
+			} else {
+				ISC_LIST_APPEND(*section, name, link);
+			}
+			free_name = false;
+		}
+
+		/*
+		 * Search name for the particular type and class.
+		 * Skip this stage if in update mode or this is a meta-type.
+		 */
+		if (preserve_order || msg->opcode == dns_opcode_update ||
+		    skip_type_search)
+		{
+			result = ISC_R_NOTFOUND;
+		} else {
+			/*
+			 * If this is a type that can only occur in
+			 * the question section, fail.
+			 */
+			if (dns_rdatatype_questiononly(rdtype)) {
+				DO_ERROR(DNS_R_FORMERR);
+			}
+
+			rdataset = NULL;
+			result = dns_message_find(name, rdclass, rdtype, covers,
+						  &rdataset);
+		}
+
+		/*
+		 * If we found an rdataset that matches, we need to
+		 * append this rdata to that set.  If we did not, we need
+		 * to create a new rdatalist, store the important bits there,
+		 * convert it to an rdataset, and link the latter to the name.
+		 * Yuck.  When appending, make certain that the type isn't
+		 * a singleton type, such as SOA or CNAME.
+		 *
+		 * Note that this check will be bypassed when preserving order,
+		 * the opcode is an update, or the type search is skipped.
+		 */
+		if (result == ISC_R_SUCCESS) {
+			if (dns_rdatatype_issingleton(rdtype)) {
+				dns_rdata_t *first;
+				dns_rdatalist_fromrdataset(rdataset,
+							   &rdatalist);
+				first = ISC_LIST_HEAD(rdatalist->rdata);
+				INSIST(first != NULL);
+				if (dns_rdata_compare(rdata, first) != 0) {
+					DO_ERROR(DNS_R_FORMERR);
+				}
+			}
+		}
+
+		if (result == ISC_R_NOTFOUND) {
+			rdataset = isc_mempool_get(msg->rdspool);
+			if (rdataset == NULL) {
+				result = ISC_R_NOMEMORY;
+				goto cleanup;
+			}
+			free_rdataset = true;
+
+			rdatalist = newrdatalist(msg);
+			if (rdatalist == NULL) {
+				result = ISC_R_NOMEMORY;
+				goto cleanup;
+			}
+
+			rdatalist->type = rdtype;
+			rdatalist->covers = covers;
+			rdatalist->rdclass = rdclass;
+			rdatalist->ttl = ttl;
+
+			dns_rdataset_init(rdataset);
+			RUNTIME_CHECK(
+				dns_rdatalist_tordataset(rdatalist, rdataset) ==
+				ISC_R_SUCCESS);
+			dns_rdataset_setownercase(rdataset, name);
+
+			if (!isedns && !istsig && !issigzero) {
+				ISC_LIST_APPEND(name->list, rdataset, link);
+				free_rdataset = false;
+			}
+		}
+
+		/*
+		 * Minimize TTLs.
+		 *
+		 * Section 5.2 of RFC2181 says we should drop
+		 * nonauthoritative rrsets where the TTLs differ, but we
+		 * currently treat them the as if they were authoritative and
+		 * minimize them.
+		 */
+		if (ttl != rdataset->ttl) {
+			rdataset->attributes |= DNS_RDATASETATTR_TTLADJUSTED;
+			if (ttl < rdataset->ttl) {
+				rdataset->ttl = ttl;
+			}
+		}
+
+		/* Append this rdata to the rdataset. */
+		dns_rdatalist_fromrdataset(rdataset, &rdatalist);
+		ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
+
+		/*
+		 * If this is an OPT, SIG(0) or TSIG record, remember it.
+		 * Also, set the extended rcode for TSIG.
+		 *
+		 * Note msg->opt, msg->sig0 and msg->tsig will only be
+		 * already set if best-effort parsing is enabled otherwise
+		 * there will only be at most one of each.
+		 */
+		if (isedns) {
+			dns_rcode_t ercode;
+
+			msg->opt = rdataset;
+			rdataset = NULL;
+			free_rdataset = false;
+			ercode = (dns_rcode_t)((msg->opt->ttl &
+						DNS_MESSAGE_EDNSRCODE_MASK) >>
+					       20);
+			msg->rcode |= ercode;
+			dns_message_puttempname(msg, &name);
+			free_name = false;
+		} else if (issigzero) {
+			msg->sig0 = rdataset;
+			msg->sig0name = name;
+			msg->sigstart = recstart;
+			rdataset = NULL;
+			free_rdataset = false;
+			free_name = false;
+		} else if (istsig) {
+			msg->tsig = rdataset;
+			msg->tsigname = name;
+			msg->sigstart = recstart;
+			/*
+			 * Windows doesn't like TSIG names to be compressed.
+			 */
+			msg->tsigname->attributes |= DNS_NAMEATTR_NOCOMPRESS;
+			rdataset = NULL;
+			free_rdataset = false;
+			free_name = false;
+		}
+
+		if (seen_problem) {
+			if (free_name) {
+				dns_message_puttempname(msg, &name);
+			}
+			if (free_rdataset) {
+				isc_mempool_put(msg->rdspool, rdataset);
+			}
+			free_name = free_rdataset = false;
+		}
+		INSIST(!free_name);
+		INSIST(!free_rdataset);
+	}
+
+	/*
+	 * If any of DS, NSEC or NSEC3 appeared in the
+	 * authority section of a query response without
+	 * a covering RRSIG, FORMERR
+	 */
+	if (sectionid == DNS_SECTION_AUTHORITY &&
+	    msg->opcode == dns_opcode_query &&
+	    ((msg->flags & DNS_MESSAGEFLAG_QR) != 0) &&
+	    ((msg->flags & DNS_MESSAGEFLAG_TC) == 0) && !preserve_order &&
+	    !auth_signed(section))
+	{
+		DO_ERROR(DNS_R_FORMERR);
+	}
+
+	if (seen_problem) {
+		return (DNS_R_RECOVERABLE);
+	}
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	if (free_name) {
+		dns_message_puttempname(msg, &name);
+	}
+	if (free_rdataset) {
+		isc_mempool_put(msg->rdspool, rdataset);
+	}
+
+	return (result);
+}
+
+isc_result_t
+dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
+		  unsigned int options) {
+	isc_region_t r;
+	dns_decompress_t dctx;
+	isc_result_t ret;
+	uint16_t tmpflags;
+	isc_buffer_t origsource;
+	bool seen_problem;
+	bool ignore_tc;
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(source != NULL);
+	REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTPARSE);
+
+	seen_problem = false;
+	ignore_tc = ((options & DNS_MESSAGEPARSE_IGNORETRUNCATION) != 0);
+
+	origsource = *source;
+
+	msg->header_ok = 0;
+	msg->question_ok = 0;
+
+	if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0) {
+		isc_buffer_usedregion(&origsource, &msg->saved);
+	} else {
+		msg->saved.length = isc_buffer_usedlength(&origsource);
+		msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);
+		memmove(msg->saved.base, isc_buffer_base(&origsource),
+			msg->saved.length);
+		msg->free_saved = 1;
+	}
+
+	isc_buffer_remainingregion(source, &r);
+	if (r.length < DNS_MESSAGE_HEADERLEN) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	msg->id = isc_buffer_getuint16(source);
+	tmpflags = isc_buffer_getuint16(source);
+	msg->opcode = ((tmpflags & DNS_MESSAGE_OPCODE_MASK) >>
+		       DNS_MESSAGE_OPCODE_SHIFT);
+	msg->rcode = (dns_rcode_t)(tmpflags & DNS_MESSAGE_RCODE_MASK);
+	msg->flags = (tmpflags & DNS_MESSAGE_FLAG_MASK);
+	msg->counts[DNS_SECTION_QUESTION] = isc_buffer_getuint16(source);
+	msg->counts[DNS_SECTION_ANSWER] = isc_buffer_getuint16(source);
+	msg->counts[DNS_SECTION_AUTHORITY] = isc_buffer_getuint16(source);
+	msg->counts[DNS_SECTION_ADDITIONAL] = isc_buffer_getuint16(source);
+
+	msg->header_ok = 1;
+	msg->state = DNS_SECTION_QUESTION;
+
+	/*
+	 * -1 means no EDNS.
+	 */
+	dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_ANY);
+
+	dns_decompress_setmethods(&dctx, DNS_COMPRESS_GLOBAL14);
+
+	ret = getquestions(source, msg, &dctx, options);
+	if (ret == ISC_R_UNEXPECTEDEND && ignore_tc) {
+		goto truncated;
+	}
+	if (ret == DNS_R_RECOVERABLE) {
+		seen_problem = true;
+		ret = ISC_R_SUCCESS;
+	}
+	if (ret != ISC_R_SUCCESS) {
+		return (ret);
+	}
+	msg->question_ok = 1;
+
+	ret = getsection(source, msg, &dctx, DNS_SECTION_ANSWER, options);
+	if (ret == ISC_R_UNEXPECTEDEND && ignore_tc) {
+		goto truncated;
+	}
+	if (ret == DNS_R_RECOVERABLE) {
+		seen_problem = true;
+		ret = ISC_R_SUCCESS;
+	}
+	if (ret != ISC_R_SUCCESS) {
+		return (ret);
+	}
+
+	ret = getsection(source, msg, &dctx, DNS_SECTION_AUTHORITY, options);
+	if (ret == ISC_R_UNEXPECTEDEND && ignore_tc) {
+		goto truncated;
+	}
+	if (ret == DNS_R_RECOVERABLE) {
+		seen_problem = true;
+		ret = ISC_R_SUCCESS;
+	}
+	if (ret != ISC_R_SUCCESS) {
+		return (ret);
+	}
+
+	ret = getsection(source, msg, &dctx, DNS_SECTION_ADDITIONAL, options);
+	if (ret == ISC_R_UNEXPECTEDEND && ignore_tc) {
+		goto truncated;
+	}
+	if (ret == DNS_R_RECOVERABLE) {
+		seen_problem = true;
+		ret = ISC_R_SUCCESS;
+	}
+	if (ret != ISC_R_SUCCESS) {
+		return (ret);
+	}
+
+	isc_buffer_remainingregion(source, &r);
+	if (r.length != 0) {
+		isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MESSAGE, ISC_LOG_DEBUG(3),
+			      "message has %u byte(s) of trailing garbage",
+			      r.length);
+	}
+
+truncated:
+
+	if (ret == ISC_R_UNEXPECTEDEND && ignore_tc) {
+		return (DNS_R_RECOVERABLE);
+	}
+	if (seen_problem) {
+		return (DNS_R_RECOVERABLE);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_message_renderbegin(dns_message_t *msg, dns_compress_t *cctx,
+			isc_buffer_t *buffer) {
+	isc_region_t r;
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(buffer != NULL);
+	REQUIRE(msg->buffer == NULL);
+	REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTRENDER);
+
+	msg->cctx = cctx;
+
+	/*
+	 * Erase the contents of this buffer.
+	 */
+	isc_buffer_clear(buffer);
+
+	/*
+	 * Make certain there is enough for at least the header in this
+	 * buffer.
+	 */
+	isc_buffer_availableregion(buffer, &r);
+	if (r.length < DNS_MESSAGE_HEADERLEN) {
+		return (ISC_R_NOSPACE);
+	}
+
+	if (r.length - DNS_MESSAGE_HEADERLEN < msg->reserved) {
+		return (ISC_R_NOSPACE);
+	}
+
+	/*
+	 * Reserve enough space for the header in this buffer.
+	 */
+	isc_buffer_add(buffer, DNS_MESSAGE_HEADERLEN);
+
+	msg->buffer = buffer;
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_message_renderchangebuffer(dns_message_t *msg, isc_buffer_t *buffer) {
+	isc_region_t r, rn;
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(buffer != NULL);
+	REQUIRE(msg->buffer != NULL);
+
+	/*
+	 * Ensure that the new buffer is empty, and has enough space to
+	 * hold the current contents.
+	 */
+	isc_buffer_clear(buffer);
+
+	isc_buffer_availableregion(buffer, &rn);
+	isc_buffer_usedregion(msg->buffer, &r);
+	REQUIRE(rn.length > r.length);
+
+	/*
+	 * Copy the contents from the old to the new buffer.
+	 */
+	isc_buffer_add(buffer, r.length);
+	memmove(rn.base, r.base, r.length);
+
+	msg->buffer = buffer;
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_message_renderrelease(dns_message_t *msg, unsigned int space) {
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(space <= msg->reserved);
+
+	msg->reserved -= space;
+}
+
+isc_result_t
+dns_message_renderreserve(dns_message_t *msg, unsigned int space) {
+	isc_region_t r;
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+
+	if (msg->buffer != NULL) {
+		isc_buffer_availableregion(msg->buffer, &r);
+		if (r.length < (space + msg->reserved)) {
+			return (ISC_R_NOSPACE);
+		}
+	}
+
+	msg->reserved += space;
+
+	return (ISC_R_SUCCESS);
+}
+
+static bool
+wrong_priority(dns_rdataset_t *rds, int pass, dns_rdatatype_t preferred_glue) {
+	int pass_needed;
+
+	/*
+	 * If we are not rendering class IN, this ordering is bogus.
+	 */
+	if (rds->rdclass != dns_rdataclass_in) {
+		return (false);
+	}
+
+	switch (rds->type) {
+	case dns_rdatatype_a:
+	case dns_rdatatype_aaaa:
+		if (preferred_glue == rds->type) {
+			pass_needed = 4;
+		} else {
+			pass_needed = 3;
+		}
+		break;
+	case dns_rdatatype_rrsig:
+	case dns_rdatatype_dnskey:
+		pass_needed = 2;
+		break;
+	default:
+		pass_needed = 1;
+	}
+
+	if (pass_needed >= pass) {
+		return (false);
+	}
+
+	return (true);
+}
+
+static isc_result_t
+renderset(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
+	  dns_compress_t *cctx, isc_buffer_t *target, unsigned int reserved,
+	  unsigned int options, unsigned int *countp) {
+	isc_result_t result;
+
+	/*
+	 * Shrink the space in the buffer by the reserved amount.
+	 */
+	if (target->length - target->used < reserved) {
+		return (ISC_R_NOSPACE);
+	}
+
+	target->length -= reserved;
+	result = dns_rdataset_towire(rdataset, owner_name, cctx, target,
+				     options, countp);
+	target->length += reserved;
+
+	return (result);
+}
+
+static void
+maybe_clear_ad(dns_message_t *msg, dns_section_t sectionid) {
+	if (msg->counts[sectionid] == 0 &&
+	    (sectionid == DNS_SECTION_ANSWER ||
+	     (sectionid == DNS_SECTION_AUTHORITY &&
+	      msg->counts[DNS_SECTION_ANSWER] == 0)))
+	{
+		msg->flags &= ~DNS_MESSAGEFLAG_AD;
+	}
+}
+
+isc_result_t
+dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
+			  unsigned int options) {
+	dns_namelist_t *section;
+	dns_name_t *name, *next_name;
+	dns_rdataset_t *rdataset, *next_rdataset;
+	unsigned int count, total;
+	isc_result_t result;
+	isc_buffer_t st; /* for rollbacks */
+	int pass;
+	bool partial = false;
+	unsigned int rd_options;
+	dns_rdatatype_t preferred_glue = 0;
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(msg->buffer != NULL);
+	REQUIRE(VALID_NAMED_SECTION(sectionid));
+
+	section = &msg->sections[sectionid];
+
+	if ((sectionid == DNS_SECTION_ADDITIONAL) &&
+	    (options & DNS_MESSAGERENDER_ORDERED) == 0)
+	{
+		if ((options & DNS_MESSAGERENDER_PREFER_A) != 0) {
+			preferred_glue = dns_rdatatype_a;
+			pass = 4;
+		} else if ((options & DNS_MESSAGERENDER_PREFER_AAAA) != 0) {
+			preferred_glue = dns_rdatatype_aaaa;
+			pass = 4;
+		} else {
+			pass = 3;
+		}
+	} else {
+		pass = 1;
+	}
+
+	if ((options & DNS_MESSAGERENDER_OMITDNSSEC) == 0) {
+		rd_options = 0;
+	} else {
+		rd_options = DNS_RDATASETTOWIRE_OMITDNSSEC;
+	}
+
+	/*
+	 * Shrink the space in the buffer by the reserved amount.
+	 */
+	if (msg->buffer->length - msg->buffer->used < msg->reserved) {
+		return (ISC_R_NOSPACE);
+	}
+	msg->buffer->length -= msg->reserved;
+
+	total = 0;
+	if (msg->reserved == 0 && (options & DNS_MESSAGERENDER_PARTIAL) != 0) {
+		partial = true;
+	}
+
+	/*
+	 * Render required glue first.  Set TC if it won't fit.
+	 */
+	name = ISC_LIST_HEAD(*section);
+	if (name != NULL) {
+		rdataset = ISC_LIST_HEAD(name->list);
+		if (rdataset != NULL &&
+		    (rdataset->attributes & DNS_RDATASETATTR_REQUIREDGLUE) !=
+			    0 &&
+		    (rdataset->attributes & DNS_RDATASETATTR_RENDERED) == 0)
+		{
+			const void *order_arg = &msg->order_arg;
+			st = *(msg->buffer);
+			count = 0;
+			if (partial) {
+				result = dns_rdataset_towirepartial(
+					rdataset, name, msg->cctx, msg->buffer,
+					msg->order, order_arg, rd_options,
+					&count, NULL);
+			} else {
+				result = dns_rdataset_towiresorted(
+					rdataset, name, msg->cctx, msg->buffer,
+					msg->order, order_arg, rd_options,
+					&count);
+			}
+			total += count;
+			if (partial && result == ISC_R_NOSPACE) {
+				msg->flags |= DNS_MESSAGEFLAG_TC;
+				msg->buffer->length += msg->reserved;
+				msg->counts[sectionid] += total;
+				return (result);
+			}
+			if (result == ISC_R_NOSPACE) {
+				msg->flags |= DNS_MESSAGEFLAG_TC;
+			}
+			if (result != ISC_R_SUCCESS) {
+				INSIST(st.used < 65536);
+				dns_compress_rollback(msg->cctx,
+						      (uint16_t)st.used);
+				*(msg->buffer) = st; /* rollback */
+				msg->buffer->length += msg->reserved;
+				msg->counts[sectionid] += total;
+				return (result);
+			}
+			rdataset->attributes |= DNS_RDATASETATTR_RENDERED;
+		}
+	}
+
+	do {
+		name = ISC_LIST_HEAD(*section);
+		if (name == NULL) {
+			msg->buffer->length += msg->reserved;
+			msg->counts[sectionid] += total;
+			return (ISC_R_SUCCESS);
+		}
+
+		while (name != NULL) {
+			next_name = ISC_LIST_NEXT(name, link);
+
+			rdataset = ISC_LIST_HEAD(name->list);
+			while (rdataset != NULL) {
+				next_rdataset = ISC_LIST_NEXT(rdataset, link);
+
+				if ((rdataset->attributes &
+				     DNS_RDATASETATTR_RENDERED) != 0)
+				{
+					goto next;
+				}
+
+				if (((options & DNS_MESSAGERENDER_ORDERED) ==
+				     0) &&
+				    (sectionid == DNS_SECTION_ADDITIONAL) &&
+				    wrong_priority(rdataset, pass,
+						   preferred_glue))
+				{
+					goto next;
+				}
+
+				st = *(msg->buffer);
+
+				count = 0;
+				if (partial) {
+					result = dns_rdataset_towirepartial(
+						rdataset, name, msg->cctx,
+						msg->buffer, msg->order,
+						&msg->order_arg, rd_options,
+						&count, NULL);
+				} else {
+					result = dns_rdataset_towiresorted(
+						rdataset, name, msg->cctx,
+						msg->buffer, msg->order,
+						&msg->order_arg, rd_options,
+						&count);
+				}
+
+				total += count;
+
+				/*
+				 * If out of space, record stats on what we
+				 * rendered so far, and return that status.
+				 *
+				 * XXXMLG Need to change this when
+				 * dns_rdataset_towire() can render partial
+				 * sets starting at some arbitrary point in the
+				 * set.  This will include setting a bit in the
+				 * rdataset to indicate that a partial
+				 * rendering was done, and some state saved
+				 * somewhere (probably in the message struct)
+				 * to indicate where to continue from.
+				 */
+				if (partial && result == ISC_R_NOSPACE) {
+					msg->buffer->length += msg->reserved;
+					msg->counts[sectionid] += total;
+					return (result);
+				}
+				if (result != ISC_R_SUCCESS) {
+					INSIST(st.used < 65536);
+					dns_compress_rollback(
+						msg->cctx, (uint16_t)st.used);
+					*(msg->buffer) = st; /* rollback */
+					msg->buffer->length += msg->reserved;
+					msg->counts[sectionid] += total;
+					maybe_clear_ad(msg, sectionid);
+					return (result);
+				}
+
+				/*
+				 * If we have rendered non-validated data,
+				 * ensure that the AD bit is not set.
+				 */
+				if (rdataset->trust != dns_trust_secure &&
+				    (sectionid == DNS_SECTION_ANSWER ||
+				     sectionid == DNS_SECTION_AUTHORITY))
+				{
+					msg->flags &= ~DNS_MESSAGEFLAG_AD;
+				}
+				if (OPTOUT(rdataset)) {
+					msg->flags &= ~DNS_MESSAGEFLAG_AD;
+				}
+
+				rdataset->attributes |=
+					DNS_RDATASETATTR_RENDERED;
+
+			next:
+				rdataset = next_rdataset;
+			}
+
+			name = next_name;
+		}
+	} while (--pass != 0);
+
+	msg->buffer->length += msg->reserved;
+	msg->counts[sectionid] += total;
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_message_renderheader(dns_message_t *msg, isc_buffer_t *target) {
+	uint16_t tmp;
+	isc_region_t r;
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(target != NULL);
+
+	isc_buffer_availableregion(target, &r);
+	REQUIRE(r.length >= DNS_MESSAGE_HEADERLEN);
+
+	isc_buffer_putuint16(target, msg->id);
+
+	tmp = ((msg->opcode << DNS_MESSAGE_OPCODE_SHIFT) &
+	       DNS_MESSAGE_OPCODE_MASK);
+	tmp |= (msg->rcode & DNS_MESSAGE_RCODE_MASK);
+	tmp |= (msg->flags & DNS_MESSAGE_FLAG_MASK);
+
+	INSIST(msg->counts[DNS_SECTION_QUESTION] < 65536 &&
+	       msg->counts[DNS_SECTION_ANSWER] < 65536 &&
+	       msg->counts[DNS_SECTION_AUTHORITY] < 65536 &&
+	       msg->counts[DNS_SECTION_ADDITIONAL] < 65536);
+
+	isc_buffer_putuint16(target, tmp);
+	isc_buffer_putuint16(target,
+			     (uint16_t)msg->counts[DNS_SECTION_QUESTION]);
+	isc_buffer_putuint16(target, (uint16_t)msg->counts[DNS_SECTION_ANSWER]);
+	isc_buffer_putuint16(target,
+			     (uint16_t)msg->counts[DNS_SECTION_AUTHORITY]);
+	isc_buffer_putuint16(target,
+			     (uint16_t)msg->counts[DNS_SECTION_ADDITIONAL]);
+}
+
+isc_result_t
+dns_message_renderend(dns_message_t *msg) {
+	isc_buffer_t tmpbuf;
+	isc_region_t r;
+	int result;
+	unsigned int count;
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(msg->buffer != NULL);
+
+	if ((msg->rcode & ~DNS_MESSAGE_RCODE_MASK) != 0 && msg->opt == NULL) {
+		/*
+		 * We have an extended rcode but are not using EDNS.
+		 */
+		return (DNS_R_FORMERR);
+	}
+
+	/*
+	 * If we're adding a OPT, TSIG or SIG(0) to a truncated message,
+	 * clear all rdatasets from the message except for the question
+	 * before adding the OPT, TSIG or SIG(0).  If the question doesn't
+	 * fit, don't include it.
+	 */
+	if ((msg->tsigkey != NULL || msg->sig0key != NULL || msg->opt) &&
+	    (msg->flags & DNS_MESSAGEFLAG_TC) != 0)
+	{
+		isc_buffer_t *buf;
+
+		msgresetnames(msg, DNS_SECTION_ANSWER);
+		buf = msg->buffer;
+		dns_message_renderreset(msg);
+		msg->buffer = buf;
+		isc_buffer_clear(msg->buffer);
+		isc_buffer_add(msg->buffer, DNS_MESSAGE_HEADERLEN);
+		dns_compress_rollback(msg->cctx, 0);
+		result = dns_message_rendersection(msg, DNS_SECTION_QUESTION,
+						   0);
+		if (result != ISC_R_SUCCESS && result != ISC_R_NOSPACE) {
+			return (result);
+		}
+	}
+
+	/*
+	 * If we've got an OPT record, render it.
+	 */
+	if (msg->opt != NULL) {
+		dns_message_renderrelease(msg, msg->opt_reserved);
+		msg->opt_reserved = 0;
+		/*
+		 * Set the extended rcode.  Cast msg->rcode to dns_ttl_t
+		 * so that we do a unsigned shift.
+		 */
+		msg->opt->ttl &= ~DNS_MESSAGE_EDNSRCODE_MASK;
+		msg->opt->ttl |= (((dns_ttl_t)(msg->rcode) << 20) &
+				  DNS_MESSAGE_EDNSRCODE_MASK);
+		/*
+		 * Render.
+		 */
+		count = 0;
+		result = renderset(msg->opt, dns_rootname, msg->cctx,
+				   msg->buffer, msg->reserved, 0, &count);
+		msg->counts[DNS_SECTION_ADDITIONAL] += count;
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+
+	/*
+	 * Deal with EDNS padding.
+	 *
+	 * padding_off is the length of the OPT with the 0-length PAD
+	 * at the end.
+	 */
+	if (msg->padding_off > 0) {
+		unsigned char *cp = isc_buffer_used(msg->buffer);
+		unsigned int used, remaining;
+		uint16_t len, padsize = 0;
+
+		/* Check PAD */
+		if ((cp[-4] != 0) || (cp[-3] != DNS_OPT_PAD) || (cp[-2] != 0) ||
+		    (cp[-1] != 0))
+		{
+			return (ISC_R_UNEXPECTED);
+		}
+
+		/*
+		 * Zero-fill the PAD to the computed size;
+		 * patch PAD length and OPT rdlength
+		 */
+
+		/* Aligned used length + reserved to padding block */
+		used = isc_buffer_usedlength(msg->buffer);
+		if (msg->padding != 0) {
+			padsize = ((uint16_t)used + msg->reserved) %
+				  msg->padding;
+		}
+		if (padsize != 0) {
+			padsize = msg->padding - padsize;
+		}
+		/* Stay below the available length */
+		remaining = isc_buffer_availablelength(msg->buffer);
+		if (padsize > remaining) {
+			padsize = remaining;
+		}
+
+		isc_buffer_add(msg->buffer, padsize);
+		memset(cp, 0, padsize);
+		cp[-2] = (unsigned char)((padsize & 0xff00U) >> 8);
+		cp[-1] = (unsigned char)(padsize & 0x00ffU);
+		cp -= msg->padding_off;
+		len = ((uint16_t)(cp[-2])) << 8;
+		len |= ((uint16_t)(cp[-1]));
+		len += padsize;
+		cp[-2] = (unsigned char)((len & 0xff00U) >> 8);
+		cp[-1] = (unsigned char)(len & 0x00ffU);
+	}
+
+	/*
+	 * If we're adding a TSIG record, generate and render it.
+	 */
+	if (msg->tsigkey != NULL) {
+		dns_message_renderrelease(msg, msg->sig_reserved);
+		msg->sig_reserved = 0;
+		result = dns_tsig_sign(msg);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		count = 0;
+		result = renderset(msg->tsig, msg->tsigname, msg->cctx,
+				   msg->buffer, msg->reserved, 0, &count);
+		msg->counts[DNS_SECTION_ADDITIONAL] += count;
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+
+	/*
+	 * If we're adding a SIG(0) record, generate and render it.
+	 */
+	if (msg->sig0key != NULL) {
+		dns_message_renderrelease(msg, msg->sig_reserved);
+		msg->sig_reserved = 0;
+		result = dns_dnssec_signmessage(msg, msg->sig0key);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		count = 0;
+		/*
+		 * Note: dns_rootname is used here, not msg->sig0name, since
+		 * the owner name of a SIG(0) is irrelevant, and will not
+		 * be set in a message being rendered.
+		 */
+		result = renderset(msg->sig0, dns_rootname, msg->cctx,
+				   msg->buffer, msg->reserved, 0, &count);
+		msg->counts[DNS_SECTION_ADDITIONAL] += count;
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+
+	isc_buffer_usedregion(msg->buffer, &r);
+	isc_buffer_init(&tmpbuf, r.base, r.length);
+
+	dns_message_renderheader(msg, &tmpbuf);
+
+	msg->buffer = NULL; /* forget about this buffer only on success XXX */
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_message_renderreset(dns_message_t *msg) {
+	unsigned int i;
+	dns_name_t *name;
+	dns_rdataset_t *rds;
+
+	/*
+	 * Reset the message so that it may be rendered again.
+	 */
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTRENDER);
+
+	msg->buffer = NULL;
+
+	for (i = 0; i < DNS_SECTION_MAX; i++) {
+		msg->cursors[i] = NULL;
+		msg->counts[i] = 0;
+		for (name = ISC_LIST_HEAD(msg->sections[i]); name != NULL;
+		     name = ISC_LIST_NEXT(name, link))
+		{
+			for (rds = ISC_LIST_HEAD(name->list); rds != NULL;
+			     rds = ISC_LIST_NEXT(rds, link))
+			{
+				rds->attributes &= ~DNS_RDATASETATTR_RENDERED;
+			}
+		}
+	}
+	if (msg->tsigname != NULL) {
+		dns_message_puttempname(msg, &msg->tsigname);
+	}
+	if (msg->tsig != NULL) {
+		dns_rdataset_disassociate(msg->tsig);
+		dns_message_puttemprdataset(msg, &msg->tsig);
+	}
+	if (msg->sig0 != NULL) {
+		dns_rdataset_disassociate(msg->sig0);
+		dns_message_puttemprdataset(msg, &msg->sig0);
+	}
+}
+
+isc_result_t
+dns_message_firstname(dns_message_t *msg, dns_section_t section) {
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(VALID_NAMED_SECTION(section));
+
+	msg->cursors[section] = ISC_LIST_HEAD(msg->sections[section]);
+
+	if (msg->cursors[section] == NULL) {
+		return (ISC_R_NOMORE);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_message_nextname(dns_message_t *msg, dns_section_t section) {
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(VALID_NAMED_SECTION(section));
+	REQUIRE(msg->cursors[section] != NULL);
+
+	msg->cursors[section] = ISC_LIST_NEXT(msg->cursors[section], link);
+
+	if (msg->cursors[section] == NULL) {
+		return (ISC_R_NOMORE);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_message_currentname(dns_message_t *msg, dns_section_t section,
+			dns_name_t **name) {
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(VALID_NAMED_SECTION(section));
+	REQUIRE(name != NULL && *name == NULL);
+	REQUIRE(msg->cursors[section] != NULL);
+
+	*name = msg->cursors[section];
+}
+
+isc_result_t
+dns_message_findname(dns_message_t *msg, dns_section_t section,
+		     const dns_name_t *target, dns_rdatatype_t type,
+		     dns_rdatatype_t covers, dns_name_t **name,
+		     dns_rdataset_t **rdataset) {
+	dns_name_t *foundname;
+	isc_result_t result;
+
+	/*
+	 * XXX These requirements are probably too intensive, especially
+	 * where things can be NULL, but as they are they ensure that if
+	 * something is NON-NULL, indicating that the caller expects it
+	 * to be filled in, that we can in fact fill it in.
+	 */
+	REQUIRE(msg != NULL);
+	REQUIRE(VALID_SECTION(section));
+	REQUIRE(target != NULL);
+	REQUIRE(name == NULL || *name == NULL);
+
+	if (type == dns_rdatatype_any) {
+		REQUIRE(rdataset == NULL);
+	} else {
+		REQUIRE(rdataset == NULL || *rdataset == NULL);
+	}
+
+	result = findname(&foundname, target, &msg->sections[section]);
+
+	if (result == ISC_R_NOTFOUND) {
+		return (DNS_R_NXDOMAIN);
+	} else if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	if (name != NULL) {
+		*name = foundname;
+	}
+
+	/*
+	 * And now look for the type.
+	 */
+	if (ISC_UNLIKELY(type == dns_rdatatype_any)) {
+		return (ISC_R_SUCCESS);
+	}
+
+	result = dns_message_findtype(foundname, type, covers, rdataset);
+	if (result == ISC_R_NOTFOUND) {
+		return (DNS_R_NXRRSET);
+	}
+
+	return (result);
+}
+
+void
+dns_message_movename(dns_message_t *msg, dns_name_t *name,
+		     dns_section_t fromsection, dns_section_t tosection) {
+	REQUIRE(msg != NULL);
+	REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTRENDER);
+	REQUIRE(name != NULL);
+	REQUIRE(VALID_NAMED_SECTION(fromsection));
+	REQUIRE(VALID_NAMED_SECTION(tosection));
+
+	/*
+	 * Unlink the name from the old section
+	 */
+	ISC_LIST_UNLINK(msg->sections[fromsection], name, link);
+	ISC_LIST_APPEND(msg->sections[tosection], name, link);
+}
+
+void
+dns_message_addname(dns_message_t *msg, dns_name_t *name,
+		    dns_section_t section) {
+	REQUIRE(msg != NULL);
+	REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTRENDER);
+	REQUIRE(name != NULL);
+	REQUIRE(VALID_NAMED_SECTION(section));
+
+	ISC_LIST_APPEND(msg->sections[section], name, link);
+}
+
+void
+dns_message_removename(dns_message_t *msg, dns_name_t *name,
+		       dns_section_t section) {
+	REQUIRE(msg != NULL);
+	REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTRENDER);
+	REQUIRE(name != NULL);
+	REQUIRE(VALID_NAMED_SECTION(section));
+
+	ISC_LIST_UNLINK(msg->sections[section], name, link);
+}
+
+isc_result_t
+dns_message_gettempname(dns_message_t *msg, dns_name_t **item) {
+	dns_fixedname_t *fn = NULL;
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(item != NULL && *item == NULL);
+
+	fn = isc_mempool_get(msg->namepool);
+	if (fn == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+	*item = dns_fixedname_initname(fn);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_message_gettemprdata(dns_message_t *msg, dns_rdata_t **item) {
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(item != NULL && *item == NULL);
+
+	*item = newrdata(msg);
+	if (*item == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_message_gettemprdataset(dns_message_t *msg, dns_rdataset_t **item) {
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(item != NULL && *item == NULL);
+
+	*item = isc_mempool_get(msg->rdspool);
+	if (*item == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	dns_rdataset_init(*item);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_message_gettemprdatalist(dns_message_t *msg, dns_rdatalist_t **item) {
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(item != NULL && *item == NULL);
+
+	*item = newrdatalist(msg);
+	if (*item == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_message_puttempname(dns_message_t *msg, dns_name_t **itemp) {
+	dns_name_t *item = NULL;
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(itemp != NULL && *itemp != NULL);
+
+	item = *itemp;
+	*itemp = NULL;
+
+	REQUIRE(!ISC_LINK_LINKED(item, link));
+	REQUIRE(ISC_LIST_HEAD(item->list) == NULL);
+
+	/*
+	 * we need to check this in case dns_name_dup() was used.
+	 */
+	if (dns_name_dynamic(item)) {
+		dns_name_free(item, msg->mctx);
+	}
+
+	/*
+	 * 'name' is the first field in dns_fixedname_t, so putting
+	 * back the address of name is the same as putting back
+	 * the fixedname.
+	 */
+	isc_mempool_put(msg->namepool, item);
+}
+
+void
+dns_message_puttemprdata(dns_message_t *msg, dns_rdata_t **item) {
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(item != NULL && *item != NULL);
+
+	releaserdata(msg, *item);
+	*item = NULL;
+}
+
+void
+dns_message_puttemprdataset(dns_message_t *msg, dns_rdataset_t **item) {
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(item != NULL && *item != NULL);
+
+	REQUIRE(!dns_rdataset_isassociated(*item));
+	isc_mempool_put(msg->rdspool, *item);
+	*item = NULL;
+}
+
+void
+dns_message_puttemprdatalist(dns_message_t *msg, dns_rdatalist_t **item) {
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(item != NULL && *item != NULL);
+
+	releaserdatalist(msg, *item);
+	*item = NULL;
+}
+
+isc_result_t
+dns_message_peekheader(isc_buffer_t *source, dns_messageid_t *idp,
+		       unsigned int *flagsp) {
+	isc_region_t r;
+	isc_buffer_t buffer;
+	dns_messageid_t id;
+	unsigned int flags;
+
+	REQUIRE(source != NULL);
+
+	buffer = *source;
+
+	isc_buffer_remainingregion(&buffer, &r);
+	if (r.length < DNS_MESSAGE_HEADERLEN) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	id = isc_buffer_getuint16(&buffer);
+	flags = isc_buffer_getuint16(&buffer);
+	flags &= DNS_MESSAGE_FLAG_MASK;
+
+	if (flagsp != NULL) {
+		*flagsp = flags;
+	}
+	if (idp != NULL) {
+		*idp = id;
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_message_reply(dns_message_t *msg, bool want_question_section) {
+	unsigned int clear_from;
+	isc_result_t result;
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE((msg->flags & DNS_MESSAGEFLAG_QR) == 0);
+
+	if (!msg->header_ok) {
+		return (DNS_R_FORMERR);
+	}
+	if (msg->opcode != dns_opcode_query && msg->opcode != dns_opcode_notify)
+	{
+		want_question_section = false;
+	}
+	if (msg->opcode == dns_opcode_update) {
+		clear_from = DNS_SECTION_PREREQUISITE;
+	} else if (want_question_section) {
+		if (!msg->question_ok) {
+			return (DNS_R_FORMERR);
+		}
+		clear_from = DNS_SECTION_ANSWER;
+	} else {
+		clear_from = DNS_SECTION_QUESTION;
+	}
+	msg->from_to_wire = DNS_MESSAGE_INTENTRENDER;
+	msgresetnames(msg, clear_from);
+	msgresetopt(msg);
+	msgresetsigs(msg, true);
+	msginitprivate(msg);
+	/*
+	 * We now clear most flags and then set QR, ensuring that the
+	 * reply's flags will be in a reasonable state.
+	 */
+	if (msg->opcode == dns_opcode_query) {
+		msg->flags &= DNS_MESSAGE_REPLYPRESERVE;
+	} else {
+		msg->flags = 0;
+	}
+	msg->flags |= DNS_MESSAGEFLAG_QR;
+
+	/*
+	 * This saves the query TSIG status, if the query was signed, and
+	 * reserves space in the reply for the TSIG.
+	 */
+	if (msg->tsigkey != NULL) {
+		unsigned int otherlen = 0;
+		msg->querytsigstatus = msg->tsigstatus;
+		msg->tsigstatus = dns_rcode_noerror;
+		if (msg->querytsigstatus == dns_tsigerror_badtime) {
+			otherlen = 6;
+		}
+		msg->sig_reserved = spacefortsig(msg->tsigkey, otherlen);
+		result = dns_message_renderreserve(msg, msg->sig_reserved);
+		if (result != ISC_R_SUCCESS) {
+			msg->sig_reserved = 0;
+			return (result);
+		}
+	}
+	if (msg->saved.base != NULL) {
+		msg->query.base = msg->saved.base;
+		msg->query.length = msg->saved.length;
+		msg->free_query = msg->free_saved;
+		msg->saved.base = NULL;
+		msg->saved.length = 0;
+		msg->free_saved = 0;
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+dns_rdataset_t *
+dns_message_getopt(dns_message_t *msg) {
+	/*
+	 * Get the OPT record for 'msg'.
+	 */
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+
+	return (msg->opt);
+}
+
+isc_result_t
+dns_message_setopt(dns_message_t *msg, dns_rdataset_t *opt) {
+	isc_result_t result;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+
+	/*
+	 * Set the OPT record for 'msg'.
+	 */
+
+	/*
+	 * The space required for an OPT record is:
+	 *
+	 *	1 byte for the name
+	 *	2 bytes for the type
+	 *	2 bytes for the class
+	 *	4 bytes for the ttl
+	 *	2 bytes for the rdata length
+	 * ---------------------------------
+	 *     11 bytes
+	 *
+	 * plus the length of the rdata.
+	 */
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(opt->type == dns_rdatatype_opt);
+	REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTRENDER);
+	REQUIRE(msg->state == DNS_SECTION_ANY);
+
+	msgresetopt(msg);
+
+	result = dns_rdataset_first(opt);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	dns_rdataset_current(opt, &rdata);
+	msg->opt_reserved = 11 + rdata.length;
+	result = dns_message_renderreserve(msg, msg->opt_reserved);
+	if (result != ISC_R_SUCCESS) {
+		msg->opt_reserved = 0;
+		goto cleanup;
+	}
+
+	msg->opt = opt;
+
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	dns_rdataset_disassociate(opt);
+	dns_message_puttemprdataset(msg, &opt);
+	return (result);
+}
+
+dns_rdataset_t *
+dns_message_gettsig(dns_message_t *msg, const dns_name_t **owner) {
+	/*
+	 * Get the TSIG record and owner for 'msg'.
+	 */
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(owner == NULL || *owner == NULL);
+
+	if (owner != NULL) {
+		*owner = msg->tsigname;
+	}
+	return (msg->tsig);
+}
+
+isc_result_t
+dns_message_settsigkey(dns_message_t *msg, dns_tsigkey_t *key) {
+	isc_result_t result;
+
+	/*
+	 * Set the TSIG key for 'msg'
+	 */
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+
+	if (key == NULL && msg->tsigkey != NULL) {
+		if (msg->sig_reserved != 0) {
+			dns_message_renderrelease(msg, msg->sig_reserved);
+			msg->sig_reserved = 0;
+		}
+		dns_tsigkey_detach(&msg->tsigkey);
+	}
+	if (key != NULL) {
+		REQUIRE(msg->tsigkey == NULL && msg->sig0key == NULL);
+		dns_tsigkey_attach(key, &msg->tsigkey);
+		if (msg->from_to_wire == DNS_MESSAGE_INTENTRENDER) {
+			msg->sig_reserved = spacefortsig(msg->tsigkey, 0);
+			result = dns_message_renderreserve(msg,
+							   msg->sig_reserved);
+			if (result != ISC_R_SUCCESS) {
+				dns_tsigkey_detach(&msg->tsigkey);
+				msg->sig_reserved = 0;
+				return (result);
+			}
+		}
+	}
+	return (ISC_R_SUCCESS);
+}
+
+dns_tsigkey_t *
+dns_message_gettsigkey(dns_message_t *msg) {
+	/*
+	 * Get the TSIG key for 'msg'
+	 */
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+
+	return (msg->tsigkey);
+}
+
+isc_result_t
+dns_message_setquerytsig(dns_message_t *msg, isc_buffer_t *querytsig) {
+	dns_rdata_t *rdata = NULL;
+	dns_rdatalist_t *list = NULL;
+	dns_rdataset_t *set = NULL;
+	isc_buffer_t *buf = NULL;
+	isc_region_t r;
+	isc_result_t result;
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(msg->querytsig == NULL);
+
+	if (querytsig == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+
+	result = dns_message_gettemprdata(msg, &rdata);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	result = dns_message_gettemprdatalist(msg, &list);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	result = dns_message_gettemprdataset(msg, &set);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	isc_buffer_usedregion(querytsig, &r);
+	isc_buffer_allocate(msg->mctx, &buf, r.length);
+	isc_buffer_putmem(buf, r.base, r.length);
+	isc_buffer_usedregion(buf, &r);
+	dns_rdata_init(rdata);
+	dns_rdata_fromregion(rdata, dns_rdataclass_any, dns_rdatatype_tsig, &r);
+	dns_message_takebuffer(msg, &buf);
+	ISC_LIST_APPEND(list->rdata, rdata, link);
+	result = dns_rdatalist_tordataset(list, set);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	msg->querytsig = set;
+
+	return (result);
+
+cleanup:
+	if (rdata != NULL) {
+		dns_message_puttemprdata(msg, &rdata);
+	}
+	if (list != NULL) {
+		dns_message_puttemprdatalist(msg, &list);
+	}
+	if (set != NULL) {
+		dns_message_puttemprdataset(msg, &set);
+	}
+	return (ISC_R_NOMEMORY);
+}
+
+isc_result_t
+dns_message_getquerytsig(dns_message_t *msg, isc_mem_t *mctx,
+			 isc_buffer_t **querytsig) {
+	isc_result_t result;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_region_t r;
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(mctx != NULL);
+	REQUIRE(querytsig != NULL && *querytsig == NULL);
+
+	if (msg->tsig == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+
+	result = dns_rdataset_first(msg->tsig);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	dns_rdataset_current(msg->tsig, &rdata);
+	dns_rdata_toregion(&rdata, &r);
+
+	isc_buffer_allocate(mctx, querytsig, r.length);
+	isc_buffer_putmem(*querytsig, r.base, r.length);
+	return (ISC_R_SUCCESS);
+}
+
+dns_rdataset_t *
+dns_message_getsig0(dns_message_t *msg, const dns_name_t **owner) {
+	/*
+	 * Get the SIG(0) record for 'msg'.
+	 */
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(owner == NULL || *owner == NULL);
+
+	if (msg->sig0 != NULL && owner != NULL) {
+		/* If dns_message_getsig0 is called on a rendered message
+		 * after the SIG(0) has been applied, we need to return the
+		 * root name, not NULL.
+		 */
+		if (msg->sig0name == NULL) {
+			*owner = dns_rootname;
+		} else {
+			*owner = msg->sig0name;
+		}
+	}
+	return (msg->sig0);
+}
+
+isc_result_t
+dns_message_setsig0key(dns_message_t *msg, dst_key_t *key) {
+	isc_region_t r;
+	unsigned int x;
+	isc_result_t result;
+
+	/*
+	 * Set the SIG(0) key for 'msg'
+	 */
+
+	/*
+	 * The space required for an SIG(0) record is:
+	 *
+	 *	1 byte for the name
+	 *	2 bytes for the type
+	 *	2 bytes for the class
+	 *	4 bytes for the ttl
+	 *	2 bytes for the type covered
+	 *	1 byte for the algorithm
+	 *	1 bytes for the labels
+	 *	4 bytes for the original ttl
+	 *	4 bytes for the signature expiration
+	 *	4 bytes for the signature inception
+	 *	2 bytes for the key tag
+	 *	n bytes for the signer's name
+	 *	x bytes for the signature
+	 * ---------------------------------
+	 *     27 + n + x bytes
+	 */
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTRENDER);
+	REQUIRE(msg->state == DNS_SECTION_ANY);
+
+	if (key != NULL) {
+		REQUIRE(msg->sig0key == NULL && msg->tsigkey == NULL);
+		dns_name_toregion(dst_key_name(key), &r);
+		result = dst_key_sigsize(key, &x);
+		if (result != ISC_R_SUCCESS) {
+			msg->sig_reserved = 0;
+			return (result);
+		}
+		msg->sig_reserved = 27 + r.length + x;
+		result = dns_message_renderreserve(msg, msg->sig_reserved);
+		if (result != ISC_R_SUCCESS) {
+			msg->sig_reserved = 0;
+			return (result);
+		}
+		msg->sig0key = key;
+	}
+	return (ISC_R_SUCCESS);
+}
+
+dst_key_t *
+dns_message_getsig0key(dns_message_t *msg) {
+	/*
+	 * Get the SIG(0) key for 'msg'
+	 */
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+
+	return (msg->sig0key);
+}
+
+void
+dns_message_takebuffer(dns_message_t *msg, isc_buffer_t **buffer) {
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(buffer != NULL);
+	REQUIRE(ISC_BUFFER_VALID(*buffer));
+
+	ISC_LIST_APPEND(msg->cleanup, *buffer, link);
+	*buffer = NULL;
+}
+
+isc_result_t
+dns_message_signer(dns_message_t *msg, dns_name_t *signer) {
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(signer != NULL);
+	REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTPARSE);
+
+	if (msg->tsig == NULL && msg->sig0 == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	if (msg->verify_attempted == 0) {
+		return (DNS_R_NOTVERIFIEDYET);
+	}
+
+	if (!dns_name_hasbuffer(signer)) {
+		isc_buffer_t *dynbuf = NULL;
+		isc_buffer_allocate(msg->mctx, &dynbuf, 512);
+		dns_name_setbuffer(signer, dynbuf);
+		dns_message_takebuffer(msg, &dynbuf);
+	}
+
+	if (msg->sig0 != NULL) {
+		dns_rdata_sig_t sig;
+
+		result = dns_rdataset_first(msg->sig0);
+		INSIST(result == ISC_R_SUCCESS);
+		dns_rdataset_current(msg->sig0, &rdata);
+
+		result = dns_rdata_tostruct(&rdata, &sig, NULL);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+
+		if (msg->verified_sig && msg->sig0status == dns_rcode_noerror) {
+			result = ISC_R_SUCCESS;
+		} else {
+			result = DNS_R_SIGINVALID;
+		}
+		dns_name_clone(&sig.signer, signer);
+		dns_rdata_freestruct(&sig);
+	} else {
+		const dns_name_t *identity;
+		dns_rdata_any_tsig_t tsig;
+
+		result = dns_rdataset_first(msg->tsig);
+		INSIST(result == ISC_R_SUCCESS);
+		dns_rdataset_current(msg->tsig, &rdata);
+
+		result = dns_rdata_tostruct(&rdata, &tsig, NULL);
+		INSIST(result == ISC_R_SUCCESS);
+		if (msg->verified_sig && msg->tsigstatus == dns_rcode_noerror &&
+		    tsig.error == dns_rcode_noerror)
+		{
+			result = ISC_R_SUCCESS;
+		} else if ((!msg->verified_sig) ||
+			   (msg->tsigstatus != dns_rcode_noerror))
+		{
+			result = DNS_R_TSIGVERIFYFAILURE;
+		} else {
+			INSIST(tsig.error != dns_rcode_noerror);
+			result = DNS_R_TSIGERRORSET;
+		}
+		dns_rdata_freestruct(&tsig);
+
+		if (msg->tsigkey == NULL) {
+			/*
+			 * If msg->tsigstatus & tsig.error are both
+			 * dns_rcode_noerror, the message must have been
+			 * verified, which means msg->tsigkey will be
+			 * non-NULL.
+			 */
+			INSIST(result != ISC_R_SUCCESS);
+		} else {
+			identity = dns_tsigkey_identity(msg->tsigkey);
+			if (identity == NULL) {
+				if (result == ISC_R_SUCCESS) {
+					result = DNS_R_NOIDENTITY;
+				}
+				identity = &msg->tsigkey->name;
+			}
+			dns_name_clone(identity, signer);
+		}
+	}
+
+	return (result);
+}
+
+void
+dns_message_resetsig(dns_message_t *msg) {
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	msg->verified_sig = 0;
+	msg->verify_attempted = 0;
+	msg->tsigstatus = dns_rcode_noerror;
+	msg->sig0status = dns_rcode_noerror;
+	msg->timeadjust = 0;
+	if (msg->tsigkey != NULL) {
+		dns_tsigkey_detach(&msg->tsigkey);
+		msg->tsigkey = NULL;
+	}
+}
+
+isc_result_t
+dns_message_rechecksig(dns_message_t *msg, dns_view_t *view) {
+	dns_message_resetsig(msg);
+	return (dns_message_checksig(msg, view));
+}
+
+#ifdef SKAN_MSG_DEBUG
+void
+dns_message_dumpsig(dns_message_t *msg, char *txt1) {
+	dns_rdata_t querytsigrdata = DNS_RDATA_INIT;
+	dns_rdata_any_tsig_t querytsig;
+	isc_result_t result;
+
+	if (msg->tsig != NULL) {
+		result = dns_rdataset_first(msg->tsig);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		dns_rdataset_current(msg->tsig, &querytsigrdata);
+		result = dns_rdata_tostruct(&querytsigrdata, &querytsig, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		hexdump(txt1, "TSIG", querytsig.signature, querytsig.siglen);
+	}
+
+	if (msg->querytsig != NULL) {
+		result = dns_rdataset_first(msg->querytsig);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		dns_rdataset_current(msg->querytsig, &querytsigrdata);
+		result = dns_rdata_tostruct(&querytsigrdata, &querytsig, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		hexdump(txt1, "QUERYTSIG", querytsig.signature,
+			querytsig.siglen);
+	}
+}
+#endif /* ifdef SKAN_MSG_DEBUG */
+
+isc_result_t
+dns_message_checksig(dns_message_t *msg, dns_view_t *view) {
+	isc_buffer_t b, msgb;
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+
+	if (msg->tsigkey == NULL && msg->tsig == NULL && msg->sig0 == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+
+	INSIST(msg->saved.base != NULL);
+	isc_buffer_init(&msgb, msg->saved.base, msg->saved.length);
+	isc_buffer_add(&msgb, msg->saved.length);
+	if (msg->tsigkey != NULL || msg->tsig != NULL) {
+#ifdef SKAN_MSG_DEBUG
+		dns_message_dumpsig(msg, "dns_message_checksig#1");
+#endif /* ifdef SKAN_MSG_DEBUG */
+		if (view != NULL) {
+			return (dns_view_checksig(view, &msgb, msg));
+		} else {
+			return (dns_tsig_verify(&msgb, msg, NULL, NULL));
+		}
+	} else {
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_rdata_sig_t sig;
+		dns_rdataset_t keyset;
+		isc_result_t result;
+
+		result = dns_rdataset_first(msg->sig0);
+		INSIST(result == ISC_R_SUCCESS);
+		dns_rdataset_current(msg->sig0, &rdata);
+
+		/*
+		 * This can occur when the message is a dynamic update, since
+		 * the rdata length checking is relaxed.  This should not
+		 * happen in a well-formed message, since the SIG(0) is only
+		 * looked for in the additional section, and the dynamic update
+		 * meta-records are in the prerequisite and update sections.
+		 */
+		if (rdata.length == 0) {
+			return (ISC_R_UNEXPECTEDEND);
+		}
+
+		result = dns_rdata_tostruct(&rdata, &sig, NULL);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+
+		dns_rdataset_init(&keyset);
+		if (view == NULL) {
+			result = DNS_R_KEYUNAUTHORIZED;
+			goto freesig;
+		}
+		result = dns_view_simplefind(view, &sig.signer,
+					     dns_rdatatype_key /* SIG(0) */, 0,
+					     0, false, &keyset, NULL);
+
+		if (result != ISC_R_SUCCESS) {
+			/* XXXBEW Should possibly create a fetch here */
+			result = DNS_R_KEYUNAUTHORIZED;
+			goto freesig;
+		} else if (keyset.trust < dns_trust_secure) {
+			/* XXXBEW Should call a validator here */
+			result = DNS_R_KEYUNAUTHORIZED;
+			goto freesig;
+		}
+		result = dns_rdataset_first(&keyset);
+		INSIST(result == ISC_R_SUCCESS);
+		for (; result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&keyset))
+		{
+			dst_key_t *key = NULL;
+
+			dns_rdata_reset(&rdata);
+			dns_rdataset_current(&keyset, &rdata);
+			isc_buffer_init(&b, rdata.data, rdata.length);
+			isc_buffer_add(&b, rdata.length);
+
+			result = dst_key_fromdns(&sig.signer, rdata.rdclass, &b,
+						 view->mctx, &key);
+			if (result != ISC_R_SUCCESS) {
+				continue;
+			}
+			if (dst_key_alg(key) != sig.algorithm ||
+			    dst_key_id(key) != sig.keyid ||
+			    !(dst_key_proto(key) == DNS_KEYPROTO_DNSSEC ||
+			      dst_key_proto(key) == DNS_KEYPROTO_ANY))
+			{
+				dst_key_free(&key);
+				continue;
+			}
+			result = dns_dnssec_verifymessage(&msgb, msg, key);
+			dst_key_free(&key);
+			if (result == ISC_R_SUCCESS) {
+				break;
+			}
+		}
+		if (result == ISC_R_NOMORE) {
+			result = DNS_R_KEYUNAUTHORIZED;
+		}
+
+	freesig:
+		if (dns_rdataset_isassociated(&keyset)) {
+			dns_rdataset_disassociate(&keyset);
+		}
+		dns_rdata_freestruct(&sig);
+		return (result);
+	}
+}
+
+#define INDENT(sp)                                                           \
+	do {                                                                 \
+		unsigned int __i;                                            \
+		dns_masterstyle_flags_t __flags = dns_master_styleflags(sp); \
+		if ((__flags & DNS_STYLEFLAG_INDENT) == 0ULL &&              \
+		    (__flags & DNS_STYLEFLAG_YAML) == 0ULL)                  \
+			break;                                               \
+		for (__i = 0; __i < msg->indent.count; __i++) {              \
+			ADD_STRING(target, msg->indent.string);              \
+		}                                                            \
+	} while (0)
+
+isc_result_t
+dns_message_sectiontotext(dns_message_t *msg, dns_section_t section,
+			  const dns_master_style_t *style,
+			  dns_messagetextflag_t flags, isc_buffer_t *target) {
+	dns_name_t *name, empty_name;
+	dns_rdataset_t *rdataset;
+	isc_result_t result = ISC_R_SUCCESS;
+	bool seensoa = false;
+	size_t saved_count;
+	dns_masterstyle_flags_t sflags;
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(target != NULL);
+	REQUIRE(VALID_SECTION(section));
+
+	saved_count = msg->indent.count;
+
+	if (ISC_LIST_EMPTY(msg->sections[section])) {
+		goto cleanup;
+	}
+
+	sflags = dns_master_styleflags(style);
+
+	INDENT(style);
+	if ((sflags & DNS_STYLEFLAG_YAML) != 0) {
+		if (msg->opcode != dns_opcode_update) {
+			ADD_STRING(target, sectiontext[section]);
+		} else {
+			ADD_STRING(target, updsectiontext[section]);
+		}
+		ADD_STRING(target, "_SECTION:\n");
+	} else if ((flags & DNS_MESSAGETEXTFLAG_NOCOMMENTS) == 0) {
+		ADD_STRING(target, ";; ");
+		if (msg->opcode != dns_opcode_update) {
+			ADD_STRING(target, sectiontext[section]);
+		} else {
+			ADD_STRING(target, updsectiontext[section]);
+		}
+		ADD_STRING(target, " SECTION:\n");
+	}
+
+	dns_name_init(&empty_name, NULL);
+	result = dns_message_firstname(msg, section);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	if ((sflags & DNS_STYLEFLAG_YAML) != 0) {
+		msg->indent.count++;
+	}
+	do {
+		name = NULL;
+		dns_message_currentname(msg, section, &name);
+		for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link))
+		{
+			if (section == DNS_SECTION_ANSWER &&
+			    rdataset->type == dns_rdatatype_soa)
+			{
+				if ((flags & DNS_MESSAGETEXTFLAG_OMITSOA) != 0)
+				{
+					continue;
+				}
+				if (seensoa &&
+				    (flags & DNS_MESSAGETEXTFLAG_ONESOA) != 0)
+				{
+					continue;
+				}
+				seensoa = true;
+			}
+			if (section == DNS_SECTION_QUESTION) {
+				INDENT(style);
+				if ((sflags & DNS_STYLEFLAG_YAML) != 0) {
+					ADD_STRING(target, "- ");
+				} else {
+					ADD_STRING(target, ";");
+				}
+				result = dns_master_questiontotext(
+					name, rdataset, style, target);
+			} else {
+				result = dns_master_rdatasettotext(
+					name, rdataset, style, &msg->indent,
+					target);
+			}
+			if (result != ISC_R_SUCCESS) {
+				goto cleanup;
+			}
+		}
+		result = dns_message_nextname(msg, section);
+	} while (result == ISC_R_SUCCESS);
+	if ((sflags & DNS_STYLEFLAG_YAML) != 0) {
+		msg->indent.count--;
+	}
+	if ((flags & DNS_MESSAGETEXTFLAG_NOHEADERS) == 0 &&
+	    (flags & DNS_MESSAGETEXTFLAG_NOCOMMENTS) == 0 &&
+	    (sflags & DNS_STYLEFLAG_YAML) == 0)
+	{
+		INDENT(style);
+		ADD_STRING(target, "\n");
+	}
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+	}
+
+cleanup:
+	msg->indent.count = saved_count;
+	return (result);
+}
+
+static isc_result_t
+render_ecs(isc_buffer_t *ecsbuf, isc_buffer_t *target) {
+	int i;
+	char addr[16], addr_text[64];
+	uint16_t family;
+	uint8_t addrlen, addrbytes, scopelen;
+	isc_result_t result;
+
+	/*
+	 * Note: This routine needs to handle malformed ECS options.
+	 */
+
+	if (isc_buffer_remaininglength(ecsbuf) < 4) {
+		return (DNS_R_OPTERR);
+	}
+	family = isc_buffer_getuint16(ecsbuf);
+	addrlen = isc_buffer_getuint8(ecsbuf);
+	scopelen = isc_buffer_getuint8(ecsbuf);
+
+	addrbytes = (addrlen + 7) / 8;
+	if (isc_buffer_remaininglength(ecsbuf) < addrbytes) {
+		return (DNS_R_OPTERR);
+	}
+
+	if (addrbytes > sizeof(addr)) {
+		return (DNS_R_OPTERR);
+	}
+
+	memset(addr, 0, sizeof(addr));
+	for (i = 0; i < addrbytes; i++) {
+		addr[i] = isc_buffer_getuint8(ecsbuf);
+	}
+
+	switch (family) {
+	case 0:
+		if (addrlen != 0U || scopelen != 0U) {
+			return (DNS_R_OPTERR);
+		}
+		strlcpy(addr_text, "0", sizeof(addr_text));
+		break;
+	case 1:
+		if (addrlen > 32 || scopelen > 32) {
+			return (DNS_R_OPTERR);
+		}
+		inet_ntop(AF_INET, addr, addr_text, sizeof(addr_text));
+		break;
+	case 2:
+		if (addrlen > 128 || scopelen > 128) {
+			return (DNS_R_OPTERR);
+		}
+		inet_ntop(AF_INET6, addr, addr_text, sizeof(addr_text));
+		break;
+	default:
+		return (DNS_R_OPTERR);
+	}
+
+	ADD_STRING(target, " ");
+	ADD_STRING(target, addr_text);
+	snprintf(addr_text, sizeof(addr_text), "/%d/%d", addrlen, scopelen);
+	ADD_STRING(target, addr_text);
+
+	result = ISC_R_SUCCESS;
+
+cleanup:
+	return (result);
+}
+
+static isc_result_t
+render_llq(isc_buffer_t *optbuf, isc_buffer_t *target) {
+	char buf[sizeof("18446744073709551615")]; /* 2^64-1 */
+	isc_result_t result = ISC_R_SUCCESS;
+	uint32_t u;
+	uint64_t q;
+
+	u = isc_buffer_getuint16(optbuf);
+	ADD_STRING(target, " Version: ");
+	snprintf(buf, sizeof(buf), "%u", u);
+	ADD_STRING(target, buf);
+
+	u = isc_buffer_getuint16(optbuf);
+	ADD_STRING(target, ", Opcode: ");
+	snprintf(buf, sizeof(buf), "%u", u);
+	ADD_STRING(target, buf);
+
+	u = isc_buffer_getuint16(optbuf);
+	ADD_STRING(target, ", Error: ");
+	snprintf(buf, sizeof(buf), "%u", u);
+	ADD_STRING(target, buf);
+
+	q = isc_buffer_getuint32(optbuf);
+	q <<= 32;
+	q |= isc_buffer_getuint32(optbuf);
+	ADD_STRING(target, ", Identifier: ");
+	snprintf(buf, sizeof(buf), "%" PRIu64, q);
+	ADD_STRING(target, buf);
+
+	u = isc_buffer_getuint32(optbuf);
+	ADD_STRING(target, ", Lifetime: ");
+	snprintf(buf, sizeof(buf), "%u", u);
+	ADD_STRING(target, buf);
+cleanup:
+	return (result);
+}
+
+static isc_result_t
+dns_message_pseudosectiontoyaml(dns_message_t *msg, dns_pseudosection_t section,
+				const dns_master_style_t *style,
+				dns_messagetextflag_t flags,
+				isc_buffer_t *target) {
+	dns_rdataset_t *ps = NULL;
+	const dns_name_t *name = NULL;
+	isc_result_t result = ISC_R_SUCCESS;
+	char buf[sizeof("1234567890")];
+	uint32_t mbz;
+	dns_rdata_t rdata;
+	isc_buffer_t optbuf;
+	uint16_t optcode, optlen;
+	size_t saved_count;
+	unsigned char *optdata;
+	unsigned int indent;
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(target != NULL);
+	REQUIRE(VALID_PSEUDOSECTION(section));
+
+	saved_count = msg->indent.count;
+
+	switch (section) {
+	case DNS_PSEUDOSECTION_OPT:
+		ps = dns_message_getopt(msg);
+		if (ps == NULL) {
+			goto cleanup;
+		}
+
+		INDENT(style);
+		ADD_STRING(target, "OPT_PSEUDOSECTION:\n");
+		msg->indent.count++;
+
+		INDENT(style);
+		ADD_STRING(target, "EDNS:\n");
+		indent = ++msg->indent.count;
+
+		INDENT(style);
+		ADD_STRING(target, "version: ");
+		snprintf(buf, sizeof(buf), "%u",
+			 (unsigned int)((ps->ttl & 0x00ff0000) >> 16));
+		ADD_STRING(target, buf);
+		ADD_STRING(target, "\n");
+		INDENT(style);
+		ADD_STRING(target, "flags:");
+		if ((ps->ttl & DNS_MESSAGEEXTFLAG_DO) != 0) {
+			ADD_STRING(target, " do");
+		}
+		ADD_STRING(target, "\n");
+		mbz = ps->ttl & 0xffff;
+		mbz &= ~DNS_MESSAGEEXTFLAG_DO; /* Known Flags. */
+		if (mbz != 0) {
+			INDENT(style);
+			ADD_STRING(target, "MBZ: ");
+			snprintf(buf, sizeof(buf), "0x%.4x", mbz);
+			ADD_STRING(target, buf);
+			ADD_STRING(target, "\n");
+		}
+		INDENT(style);
+		ADD_STRING(target, "udp: ");
+		snprintf(buf, sizeof(buf), "%u\n", (unsigned int)ps->rdclass);
+		ADD_STRING(target, buf);
+		result = dns_rdataset_first(ps);
+		if (result != ISC_R_SUCCESS) {
+			result = ISC_R_SUCCESS;
+			goto cleanup;
+		}
+
+		/*
+		 * Print EDNS info, if any.
+		 *
+		 * WARNING: The option contents may be malformed as
+		 * dig +ednsopt=value:<content> does not perform validity
+		 * checking.
+		 */
+		dns_rdata_init(&rdata);
+		dns_rdataset_current(ps, &rdata);
+
+		isc_buffer_init(&optbuf, rdata.data, rdata.length);
+		isc_buffer_add(&optbuf, rdata.length);
+		while (isc_buffer_remaininglength(&optbuf) != 0) {
+			bool extra_text = false;
+			msg->indent.count = indent;
+			INSIST(isc_buffer_remaininglength(&optbuf) >= 4U);
+			optcode = isc_buffer_getuint16(&optbuf);
+			optlen = isc_buffer_getuint16(&optbuf);
+			INSIST(isc_buffer_remaininglength(&optbuf) >= optlen);
+
+			if (optcode == DNS_OPT_LLQ) {
+				INDENT(style);
+				ADD_STRING(target, "LLQ:");
+				if (optlen == 18U) {
+					result = render_llq(&optbuf, target);
+					if (result != ISC_R_SUCCESS) {
+						goto cleanup;
+					}
+					ADD_STRING(target, "\n");
+					continue;
+				}
+			} else if (optcode == DNS_OPT_NSID) {
+				INDENT(style);
+				ADD_STRING(target, "NSID:");
+			} else if (optcode == DNS_OPT_COOKIE) {
+				INDENT(style);
+				ADD_STRING(target, "COOKIE:");
+			} else if (optcode == DNS_OPT_CLIENT_SUBNET) {
+				isc_buffer_t ecsbuf;
+				INDENT(style);
+				ADD_STRING(target, "CLIENT-SUBNET:");
+				isc_buffer_init(&ecsbuf,
+						isc_buffer_current(&optbuf),
+						optlen);
+				isc_buffer_add(&ecsbuf, optlen);
+				result = render_ecs(&ecsbuf, target);
+				if (result == ISC_R_NOSPACE) {
+					goto cleanup;
+				}
+				if (result == ISC_R_SUCCESS) {
+					isc_buffer_forward(&optbuf, optlen);
+					ADD_STRING(target, "\n");
+					continue;
+				}
+				ADD_STRING(target, "\n");
+			} else if (optcode == DNS_OPT_EXPIRE) {
+				INDENT(style);
+				ADD_STRING(target, "EXPIRE:");
+				if (optlen == 4) {
+					uint32_t secs;
+					secs = isc_buffer_getuint32(&optbuf);
+					snprintf(buf, sizeof(buf), " %u", secs);
+					ADD_STRING(target, buf);
+					ADD_STRING(target, " (");
+					result = dns_ttl_totext(secs, true,
+								true, target);
+					if (result != ISC_R_SUCCESS) {
+						goto cleanup;
+					}
+					ADD_STRING(target, ")\n");
+					continue;
+				}
+			} else if (optcode == DNS_OPT_TCP_KEEPALIVE) {
+				if (optlen == 2) {
+					unsigned int dsecs;
+					dsecs = isc_buffer_getuint16(&optbuf);
+					INDENT(style);
+					ADD_STRING(target, "TCP-KEEPALIVE: ");
+					snprintf(buf, sizeof(buf), "%u.%u",
+						 dsecs / 10U, dsecs % 10U);
+					ADD_STRING(target, buf);
+					ADD_STRING(target, " secs\n");
+					continue;
+				}
+				INDENT(style);
+				ADD_STRING(target, "TCP-KEEPALIVE:");
+			} else if (optcode == DNS_OPT_PAD) {
+				INDENT(style);
+				ADD_STRING(target, "PAD:");
+			} else if (optcode == DNS_OPT_KEY_TAG) {
+				INDENT(style);
+				ADD_STRING(target, "KEY-TAG:");
+				if (optlen > 0U && (optlen % 2U) == 0U) {
+					const char *sep = "";
+					uint16_t id;
+					while (optlen > 0U) {
+						id = isc_buffer_getuint16(
+							&optbuf);
+						snprintf(buf, sizeof(buf),
+							 "%s %u", sep, id);
+						ADD_STRING(target, buf);
+						sep = ",";
+						optlen -= 2;
+					}
+					ADD_STRING(target, "\n");
+					continue;
+				}
+			} else if (optcode == DNS_OPT_EDE) {
+				INDENT(style);
+				ADD_STRING(target, "EDE:");
+				if (optlen >= 2U) {
+					uint16_t ede;
+					ADD_STRING(target, "\n");
+					msg->indent.count++;
+					INDENT(style);
+					ADD_STRING(target, "INFO-CODE:");
+					ede = isc_buffer_getuint16(&optbuf);
+					snprintf(buf, sizeof(buf), " %u", ede);
+					ADD_STRING(target, buf);
+					if (ede < ARRAY_SIZE(edetext)) {
+						ADD_STRING(target, " (");
+						ADD_STRING(target,
+							   edetext[ede]);
+						ADD_STRING(target, ")");
+					}
+					ADD_STRING(target, "\n");
+					optlen -= 2;
+					if (optlen != 0) {
+						INDENT(style);
+						ADD_STRING(target,
+							   "EXTRA-TEXT:");
+						extra_text = true;
+					}
+				}
+			} else if (optcode == DNS_OPT_CLIENT_TAG) {
+				uint16_t id;
+				INDENT(style);
+				ADD_STRING(target, "CLIENT-TAG:");
+				if (optlen == 2U) {
+					id = isc_buffer_getuint16(&optbuf);
+					snprintf(buf, sizeof(buf), " %u\n", id);
+					ADD_STRING(target, buf);
+					optlen -= 2;
+					POST(optlen);
+					continue;
+				}
+			} else if (optcode == DNS_OPT_SERVER_TAG) {
+				uint16_t id;
+				INDENT(style);
+				ADD_STRING(target, "SERVER-TAG:");
+				if (optlen == 2U) {
+					id = isc_buffer_getuint16(&optbuf);
+					snprintf(buf, sizeof(buf), " %u\n", id);
+					ADD_STRING(target, buf);
+					optlen -= 2;
+					POST(optlen);
+					continue;
+				}
+			} else {
+				INDENT(style);
+				ADD_STRING(target, "OPT=");
+				snprintf(buf, sizeof(buf), "%u:", optcode);
+				ADD_STRING(target, buf);
+			}
+
+			if (optlen != 0) {
+				int i;
+				bool utf8ok = false;
+
+				ADD_STRING(target, " ");
+
+				optdata = isc_buffer_current(&optbuf);
+				if (extra_text) {
+					utf8ok = isc_utf8_valid(optdata,
+								optlen);
+				}
+				if (!utf8ok) {
+					for (i = 0; i < optlen; i++) {
+						const char *sep;
+						switch (optcode) {
+						case DNS_OPT_COOKIE:
+							sep = "";
+							break;
+						default:
+							sep = " ";
+							break;
+						}
+						snprintf(buf, sizeof(buf),
+							 "%02x%s", optdata[i],
+							 sep);
+						ADD_STRING(target, buf);
+					}
+				}
+
+				isc_buffer_forward(&optbuf, optlen);
+
+				if (optcode == DNS_OPT_COOKIE) {
+					/*
+					 * Valid server cookie?
+					 */
+					if (msg->cc_ok && optlen >= 16) {
+						ADD_STRING(target, " (good)");
+					}
+					/*
+					 * Server cookie is not valid but
+					 * we had our cookie echoed back.
+					 */
+					if (msg->cc_ok && optlen < 16) {
+						ADD_STRING(target, " (echoed)");
+					}
+					/*
+					 * We didn't get our cookie echoed
+					 * back.
+					 */
+					if (msg->cc_bad) {
+						ADD_STRING(target, " (bad)");
+					}
+					ADD_STRING(target, "\n");
+					continue;
+				}
+
+				if (optcode == DNS_OPT_CLIENT_SUBNET) {
+					ADD_STRING(target, "\n");
+					continue;
+				}
+
+				/*
+				 * For non-COOKIE options, add a printable
+				 * version
+				 */
+				if (!extra_text) {
+					ADD_STRING(target, "(\"");
+				} else {
+					ADD_STRING(target, "\"");
+				}
+				if (isc_buffer_availablelength(target) < optlen)
+				{
+					result = ISC_R_NOSPACE;
+					goto cleanup;
+				}
+				for (i = 0; i < optlen; i++) {
+					if (isprint(optdata[i]) ||
+					    (utf8ok && optdata[i] > 127))
+					{
+						isc_buffer_putmem(
+							target, &optdata[i], 1);
+					} else {
+						isc_buffer_putstr(target, ".");
+					}
+				}
+				if (!extra_text) {
+					ADD_STRING(target, "\")");
+				} else {
+					ADD_STRING(target, "\"");
+				}
+			}
+			ADD_STRING(target, "\n");
+		}
+		msg->indent.count = indent;
+		result = ISC_R_SUCCESS;
+		goto cleanup;
+	case DNS_PSEUDOSECTION_TSIG:
+		ps = dns_message_gettsig(msg, &name);
+		if (ps == NULL) {
+			result = ISC_R_SUCCESS;
+			goto cleanup;
+		}
+		INDENT(style);
+		ADD_STRING(target, "TSIG_PSEUDOSECTION:\n");
+		result = dns_master_rdatasettotext(name, ps, style,
+						   &msg->indent, target);
+		ADD_STRING(target, "\n");
+		goto cleanup;
+	case DNS_PSEUDOSECTION_SIG0:
+		ps = dns_message_getsig0(msg, &name);
+		if (ps == NULL) {
+			result = ISC_R_SUCCESS;
+			goto cleanup;
+		}
+		INDENT(style);
+		ADD_STRING(target, "SIG0_PSEUDOSECTION:\n");
+		result = dns_master_rdatasettotext(name, ps, style,
+						   &msg->indent, target);
+		if ((flags & DNS_MESSAGETEXTFLAG_NOHEADERS) == 0 &&
+		    (flags & DNS_MESSAGETEXTFLAG_NOCOMMENTS) == 0)
+		{
+			ADD_STRING(target, "\n");
+		}
+		goto cleanup;
+	}
+
+	result = ISC_R_UNEXPECTED;
+
+cleanup:
+	msg->indent.count = saved_count;
+	return (result);
+}
+
+isc_result_t
+dns_message_pseudosectiontotext(dns_message_t *msg, dns_pseudosection_t section,
+				const dns_master_style_t *style,
+				dns_messagetextflag_t flags,
+				isc_buffer_t *target) {
+	dns_rdataset_t *ps = NULL;
+	const dns_name_t *name = NULL;
+	isc_result_t result;
+	char buf[sizeof(" (65000 bytes)")];
+	uint32_t mbz;
+	dns_rdata_t rdata;
+	isc_buffer_t optbuf;
+	uint16_t optcode, optlen;
+	unsigned char *optdata;
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(target != NULL);
+	REQUIRE(VALID_PSEUDOSECTION(section));
+
+	if ((dns_master_styleflags(style) & DNS_STYLEFLAG_YAML) != 0) {
+		return (dns_message_pseudosectiontoyaml(msg, section, style,
+							flags, target));
+	}
+
+	switch (section) {
+	case DNS_PSEUDOSECTION_OPT:
+		ps = dns_message_getopt(msg);
+		if (ps == NULL) {
+			return (ISC_R_SUCCESS);
+		}
+		if ((flags & DNS_MESSAGETEXTFLAG_NOCOMMENTS) == 0) {
+			INDENT(style);
+			ADD_STRING(target, ";; OPT PSEUDOSECTION:\n");
+		}
+
+		INDENT(style);
+		ADD_STRING(target, "; EDNS: version: ");
+		snprintf(buf, sizeof(buf), "%u",
+			 (unsigned int)((ps->ttl & 0x00ff0000) >> 16));
+		ADD_STRING(target, buf);
+		ADD_STRING(target, ", flags:");
+		if ((ps->ttl & DNS_MESSAGEEXTFLAG_DO) != 0) {
+			ADD_STRING(target, " do");
+		}
+		mbz = ps->ttl & 0xffff;
+		mbz &= ~DNS_MESSAGEEXTFLAG_DO; /* Known Flags. */
+		if (mbz != 0) {
+			ADD_STRING(target, "; MBZ: ");
+			snprintf(buf, sizeof(buf), "0x%.4x", mbz);
+			ADD_STRING(target, buf);
+			ADD_STRING(target, ", udp: ");
+		} else {
+			ADD_STRING(target, "; udp: ");
+		}
+		snprintf(buf, sizeof(buf), "%u\n", (unsigned int)ps->rdclass);
+		ADD_STRING(target, buf);
+
+		result = dns_rdataset_first(ps);
+		if (result != ISC_R_SUCCESS) {
+			return (ISC_R_SUCCESS);
+		}
+
+		/*
+		 * Print EDNS info, if any.
+		 *
+		 * WARNING: The option contents may be malformed as
+		 * dig +ednsopt=value:<content> does no validity
+		 * checking.
+		 */
+		dns_rdata_init(&rdata);
+		dns_rdataset_current(ps, &rdata);
+
+		isc_buffer_init(&optbuf, rdata.data, rdata.length);
+		isc_buffer_add(&optbuf, rdata.length);
+		while (isc_buffer_remaininglength(&optbuf) != 0) {
+			INSIST(isc_buffer_remaininglength(&optbuf) >= 4U);
+			optcode = isc_buffer_getuint16(&optbuf);
+			optlen = isc_buffer_getuint16(&optbuf);
+
+			INSIST(isc_buffer_remaininglength(&optbuf) >= optlen);
+
+			INDENT(style);
+
+			if (optcode == DNS_OPT_LLQ) {
+				ADD_STRING(target, "; LLQ:");
+				if (optlen == 18U) {
+					result = render_llq(&optbuf, target);
+					if (result != ISC_R_SUCCESS) {
+						return (result);
+					}
+					ADD_STRING(target, "\n");
+					continue;
+				}
+			} else if (optcode == DNS_OPT_NSID) {
+				ADD_STRING(target, "; NSID:");
+			} else if (optcode == DNS_OPT_COOKIE) {
+				ADD_STRING(target, "; COOKIE:");
+			} else if (optcode == DNS_OPT_CLIENT_SUBNET) {
+				isc_buffer_t ecsbuf;
+
+				ADD_STRING(target, "; CLIENT-SUBNET:");
+				isc_buffer_init(&ecsbuf,
+						isc_buffer_current(&optbuf),
+						optlen);
+				isc_buffer_add(&ecsbuf, optlen);
+				result = render_ecs(&ecsbuf, target);
+				if (result == ISC_R_NOSPACE) {
+					return (result);
+				}
+				if (result == ISC_R_SUCCESS) {
+					isc_buffer_forward(&optbuf, optlen);
+					ADD_STRING(target, "\n");
+					continue;
+				}
+			} else if (optcode == DNS_OPT_EXPIRE) {
+				ADD_STRING(target, "; EXPIRE:");
+				if (optlen == 4) {
+					uint32_t secs;
+					secs = isc_buffer_getuint32(&optbuf);
+					snprintf(buf, sizeof(buf), " %u", secs);
+					ADD_STRING(target, buf);
+					ADD_STRING(target, " (");
+					result = dns_ttl_totext(secs, true,
+								true, target);
+					if (result != ISC_R_SUCCESS) {
+						return (result);
+					}
+					ADD_STRING(target, ")\n");
+					continue;
+				}
+			} else if (optcode == DNS_OPT_TCP_KEEPALIVE) {
+				ADD_STRING(target, "; TCP KEEPALIVE:");
+				if (optlen == 2) {
+					unsigned int dsecs;
+					dsecs = isc_buffer_getuint16(&optbuf);
+					snprintf(buf, sizeof(buf), " %u.%u",
+						 dsecs / 10U, dsecs % 10U);
+					ADD_STRING(target, buf);
+					ADD_STRING(target, " secs\n");
+					continue;
+				}
+			} else if (optcode == DNS_OPT_PAD) {
+				ADD_STRING(target, "; PAD:");
+				if (optlen > 0U) {
+					snprintf(buf, sizeof(buf),
+						 " (%u bytes)", optlen);
+					ADD_STRING(target, buf);
+					isc_buffer_forward(&optbuf, optlen);
+				}
+				ADD_STRING(target, "\n");
+				continue;
+			} else if (optcode == DNS_OPT_KEY_TAG) {
+				ADD_STRING(target, "; KEY-TAG:");
+				if (optlen > 0U && (optlen % 2U) == 0U) {
+					const char *sep = "";
+					uint16_t id;
+					while (optlen > 0U) {
+						id = isc_buffer_getuint16(
+							&optbuf);
+						snprintf(buf, sizeof(buf),
+							 "%s %u", sep, id);
+						ADD_STRING(target, buf);
+						sep = ",";
+						optlen -= 2;
+					}
+					ADD_STRING(target, "\n");
+					continue;
+				}
+			} else if (optcode == DNS_OPT_EDE) {
+				ADD_STRING(target, "; EDE:");
+				if (optlen >= 2U) {
+					uint16_t ede;
+					ede = isc_buffer_getuint16(&optbuf);
+					snprintf(buf, sizeof(buf), " %u", ede);
+					ADD_STRING(target, buf);
+					if (ede < ARRAY_SIZE(edetext)) {
+						ADD_STRING(target, " (");
+						ADD_STRING(target,
+							   edetext[ede]);
+						ADD_STRING(target, ")");
+					}
+					optlen -= 2;
+					if (optlen != 0) {
+						ADD_STRING(target, ":");
+					}
+				} else if (optlen == 1U) {
+					/* Malformed */
+					optdata = isc_buffer_current(&optbuf);
+					snprintf(buf, sizeof(buf),
+						 " %02x (\"%c\")\n", optdata[0],
+						 isprint(optdata[0])
+							 ? optdata[0]
+							 : '.');
+					isc_buffer_forward(&optbuf, optlen);
+					ADD_STRING(target, buf);
+					continue;
+				}
+			} else if (optcode == DNS_OPT_CLIENT_TAG) {
+				uint16_t id;
+				ADD_STRING(target, "; CLIENT-TAG:");
+				if (optlen == 2U) {
+					id = isc_buffer_getuint16(&optbuf);
+					snprintf(buf, sizeof(buf), " %u\n", id);
+					ADD_STRING(target, buf);
+					optlen -= 2;
+					POST(optlen);
+					continue;
+				}
+			} else if (optcode == DNS_OPT_SERVER_TAG) {
+				uint16_t id;
+				ADD_STRING(target, "; SERVER-TAG:");
+				if (optlen == 2U) {
+					id = isc_buffer_getuint16(&optbuf);
+					snprintf(buf, sizeof(buf), " %u\n", id);
+					ADD_STRING(target, buf);
+					optlen -= 2;
+					POST(optlen);
+					continue;
+				}
+			} else {
+				ADD_STRING(target, "; OPT=");
+				snprintf(buf, sizeof(buf), "%u:", optcode);
+				ADD_STRING(target, buf);
+			}
+
+			if (optlen != 0) {
+				int i;
+				bool utf8ok = false;
+
+				ADD_STRING(target, " ");
+
+				optdata = isc_buffer_current(&optbuf);
+				if (optcode == DNS_OPT_EDE) {
+					utf8ok = isc_utf8_valid(optdata,
+								optlen);
+				}
+				if (!utf8ok) {
+					for (i = 0; i < optlen; i++) {
+						const char *sep;
+						switch (optcode) {
+						case DNS_OPT_COOKIE:
+							sep = "";
+							break;
+						default:
+							sep = " ";
+							break;
+						}
+						snprintf(buf, sizeof(buf),
+							 "%02x%s", optdata[i],
+							 sep);
+						ADD_STRING(target, buf);
+					}
+				}
+
+				isc_buffer_forward(&optbuf, optlen);
+
+				if (optcode == DNS_OPT_COOKIE) {
+					/*
+					 * Valid server cookie?
+					 */
+					if (msg->cc_ok && optlen >= 16) {
+						ADD_STRING(target, " (good)");
+					}
+					/*
+					 * Server cookie is not valid but
+					 * we had our cookie echoed back.
+					 */
+					if (msg->cc_ok && optlen < 16) {
+						ADD_STRING(target, " (echoed)");
+					}
+					/*
+					 * We didn't get our cookie echoed
+					 * back.
+					 */
+					if (msg->cc_bad) {
+						ADD_STRING(target, " (bad)");
+					}
+					ADD_STRING(target, "\n");
+					continue;
+				}
+
+				if (optcode == DNS_OPT_CLIENT_SUBNET) {
+					ADD_STRING(target, "\n");
+					continue;
+				}
+
+				/*
+				 * For non-COOKIE options, add a printable
+				 * version.
+				 */
+				if (optcode != DNS_OPT_EDE) {
+					ADD_STRING(target, "(\"");
+				} else {
+					ADD_STRING(target, "(");
+				}
+				if (isc_buffer_availablelength(target) < optlen)
+				{
+					return (ISC_R_NOSPACE);
+				}
+				for (i = 0; i < optlen; i++) {
+					if (isprint(optdata[i]) ||
+					    (utf8ok && optdata[i] > 127))
+					{
+						isc_buffer_putmem(
+							target, &optdata[i], 1);
+					} else {
+						isc_buffer_putstr(target, ".");
+					}
+				}
+				if (optcode != DNS_OPT_EDE) {
+					ADD_STRING(target, "\")");
+				} else {
+					ADD_STRING(target, ")");
+				}
+			}
+			ADD_STRING(target, "\n");
+		}
+		return (ISC_R_SUCCESS);
+	case DNS_PSEUDOSECTION_TSIG:
+		ps = dns_message_gettsig(msg, &name);
+		if (ps == NULL) {
+			return (ISC_R_SUCCESS);
+		}
+		INDENT(style);
+		if ((flags & DNS_MESSAGETEXTFLAG_NOCOMMENTS) == 0) {
+			ADD_STRING(target, ";; TSIG PSEUDOSECTION:\n");
+		}
+		result = dns_master_rdatasettotext(name, ps, style,
+						   &msg->indent, target);
+		if ((flags & DNS_MESSAGETEXTFLAG_NOHEADERS) == 0 &&
+		    (flags & DNS_MESSAGETEXTFLAG_NOCOMMENTS) == 0)
+		{
+			ADD_STRING(target, "\n");
+		}
+		return (result);
+	case DNS_PSEUDOSECTION_SIG0:
+		ps = dns_message_getsig0(msg, &name);
+		if (ps == NULL) {
+			return (ISC_R_SUCCESS);
+		}
+		INDENT(style);
+		if ((flags & DNS_MESSAGETEXTFLAG_NOCOMMENTS) == 0) {
+			ADD_STRING(target, ";; SIG0 PSEUDOSECTION:\n");
+		}
+		result = dns_master_rdatasettotext(name, ps, style,
+						   &msg->indent, target);
+		if ((flags & DNS_MESSAGETEXTFLAG_NOHEADERS) == 0 &&
+		    (flags & DNS_MESSAGETEXTFLAG_NOCOMMENTS) == 0)
+		{
+			ADD_STRING(target, "\n");
+		}
+		return (result);
+	}
+	result = ISC_R_UNEXPECTED;
+cleanup:
+	return (result);
+}
+
+isc_result_t
+dns_message_headertotext(dns_message_t *msg, const dns_master_style_t *style,
+			 dns_messagetextflag_t flags, isc_buffer_t *target) {
+	char buf[sizeof("1234567890")];
+	isc_result_t result;
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(target != NULL);
+
+	if ((flags & DNS_MESSAGETEXTFLAG_NOHEADERS) != 0) {
+		return (ISC_R_SUCCESS);
+	}
+
+	if (dns_master_styleflags(style) & DNS_STYLEFLAG_YAML) {
+		INDENT(style);
+		ADD_STRING(target, "opcode: ");
+		ADD_STRING(target, opcodetext[msg->opcode]);
+		ADD_STRING(target, "\n");
+		INDENT(style);
+		ADD_STRING(target, "status: ");
+		result = dns_rcode_totext(msg->rcode, target);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		ADD_STRING(target, "\n");
+		INDENT(style);
+		ADD_STRING(target, "id: ");
+		snprintf(buf, sizeof(buf), "%u", msg->id);
+		ADD_STRING(target, buf);
+		ADD_STRING(target, "\n");
+		INDENT(style);
+		ADD_STRING(target, "flags:");
+		if ((msg->flags & DNS_MESSAGEFLAG_QR) != 0) {
+			ADD_STRING(target, " qr");
+		}
+		if ((msg->flags & DNS_MESSAGEFLAG_AA) != 0) {
+			ADD_STRING(target, " aa");
+		}
+		if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0) {
+			ADD_STRING(target, " tc");
+		}
+		if ((msg->flags & DNS_MESSAGEFLAG_RD) != 0) {
+			ADD_STRING(target, " rd");
+		}
+		if ((msg->flags & DNS_MESSAGEFLAG_RA) != 0) {
+			ADD_STRING(target, " ra");
+		}
+		if ((msg->flags & DNS_MESSAGEFLAG_AD) != 0) {
+			ADD_STRING(target, " ad");
+		}
+		if ((msg->flags & DNS_MESSAGEFLAG_CD) != 0) {
+			ADD_STRING(target, " cd");
+		}
+		ADD_STRING(target, "\n");
+		/*
+		 * The final unnamed flag must be zero.
+		 */
+		if ((msg->flags & 0x0040U) != 0) {
+			INDENT(style);
+			ADD_STRING(target, "MBZ: 0x4");
+			ADD_STRING(target, "\n");
+		}
+		if (msg->opcode != dns_opcode_update) {
+			INDENT(style);
+			ADD_STRING(target, "QUESTION: ");
+		} else {
+			INDENT(style);
+			ADD_STRING(target, "ZONE: ");
+		}
+		snprintf(buf, sizeof(buf), "%1u",
+			 msg->counts[DNS_SECTION_QUESTION]);
+		ADD_STRING(target, buf);
+		ADD_STRING(target, "\n");
+		if (msg->opcode != dns_opcode_update) {
+			INDENT(style);
+			ADD_STRING(target, "ANSWER: ");
+		} else {
+			INDENT(style);
+			ADD_STRING(target, "PREREQ: ");
+		}
+		snprintf(buf, sizeof(buf), "%1u",
+			 msg->counts[DNS_SECTION_ANSWER]);
+		ADD_STRING(target, buf);
+		ADD_STRING(target, "\n");
+		if (msg->opcode != dns_opcode_update) {
+			INDENT(style);
+			ADD_STRING(target, "AUTHORITY: ");
+		} else {
+			INDENT(style);
+			ADD_STRING(target, "UPDATE: ");
+		}
+		snprintf(buf, sizeof(buf), "%1u",
+			 msg->counts[DNS_SECTION_AUTHORITY]);
+		ADD_STRING(target, buf);
+		ADD_STRING(target, "\n");
+		INDENT(style);
+		ADD_STRING(target, "ADDITIONAL: ");
+		snprintf(buf, sizeof(buf), "%1u",
+			 msg->counts[DNS_SECTION_ADDITIONAL]);
+		ADD_STRING(target, buf);
+		ADD_STRING(target, "\n");
+	} else {
+		INDENT(style);
+		ADD_STRING(target, ";; ->>HEADER<<- opcode: ");
+		ADD_STRING(target, opcodetext[msg->opcode]);
+		ADD_STRING(target, ", status: ");
+		result = dns_rcode_totext(msg->rcode, target);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		ADD_STRING(target, ", id: ");
+		snprintf(buf, sizeof(buf), "%6u", msg->id);
+		ADD_STRING(target, buf);
+		ADD_STRING(target, "\n");
+		INDENT(style);
+		ADD_STRING(target, ";; flags:");
+		if ((msg->flags & DNS_MESSAGEFLAG_QR) != 0) {
+			ADD_STRING(target, " qr");
+		}
+		if ((msg->flags & DNS_MESSAGEFLAG_AA) != 0) {
+			ADD_STRING(target, " aa");
+		}
+		if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0) {
+			ADD_STRING(target, " tc");
+		}
+		if ((msg->flags & DNS_MESSAGEFLAG_RD) != 0) {
+			ADD_STRING(target, " rd");
+		}
+		if ((msg->flags & DNS_MESSAGEFLAG_RA) != 0) {
+			ADD_STRING(target, " ra");
+		}
+		if ((msg->flags & DNS_MESSAGEFLAG_AD) != 0) {
+			ADD_STRING(target, " ad");
+		}
+		if ((msg->flags & DNS_MESSAGEFLAG_CD) != 0) {
+			ADD_STRING(target, " cd");
+		}
+		/*
+		 * The final unnamed flag must be zero.
+		 */
+		if ((msg->flags & 0x0040U) != 0) {
+			INDENT(style);
+			ADD_STRING(target, "; MBZ: 0x4");
+		}
+		if (msg->opcode != dns_opcode_update) {
+			INDENT(style);
+			ADD_STRING(target, "; QUESTION: ");
+		} else {
+			INDENT(style);
+			ADD_STRING(target, "; ZONE: ");
+		}
+		snprintf(buf, sizeof(buf), "%1u",
+			 msg->counts[DNS_SECTION_QUESTION]);
+		ADD_STRING(target, buf);
+		if (msg->opcode != dns_opcode_update) {
+			ADD_STRING(target, ", ANSWER: ");
+		} else {
+			ADD_STRING(target, ", PREREQ: ");
+		}
+		snprintf(buf, sizeof(buf), "%1u",
+			 msg->counts[DNS_SECTION_ANSWER]);
+		ADD_STRING(target, buf);
+		if (msg->opcode != dns_opcode_update) {
+			ADD_STRING(target, ", AUTHORITY: ");
+		} else {
+			ADD_STRING(target, ", UPDATE: ");
+		}
+		snprintf(buf, sizeof(buf), "%1u",
+			 msg->counts[DNS_SECTION_AUTHORITY]);
+		ADD_STRING(target, buf);
+		ADD_STRING(target, ", ADDITIONAL: ");
+		snprintf(buf, sizeof(buf), "%1u",
+			 msg->counts[DNS_SECTION_ADDITIONAL]);
+		ADD_STRING(target, buf);
+		ADD_STRING(target, "\n");
+	}
+
+cleanup:
+	return (result);
+}
+
+isc_result_t
+dns_message_totext(dns_message_t *msg, const dns_master_style_t *style,
+		   dns_messagetextflag_t flags, isc_buffer_t *target) {
+	isc_result_t result;
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(target != NULL);
+
+	result = dns_message_headertotext(msg, style, flags, target);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = dns_message_pseudosectiontotext(msg, DNS_PSEUDOSECTION_OPT,
+						 style, flags, target);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = dns_message_sectiontotext(msg, DNS_SECTION_QUESTION, style,
+					   flags, target);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = dns_message_sectiontotext(msg, DNS_SECTION_ANSWER, style,
+					   flags, target);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = dns_message_sectiontotext(msg, DNS_SECTION_AUTHORITY, style,
+					   flags, target);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = dns_message_sectiontotext(msg, DNS_SECTION_ADDITIONAL, style,
+					   flags, target);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = dns_message_pseudosectiontotext(msg, DNS_PSEUDOSECTION_TSIG,
+						 style, flags, target);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = dns_message_pseudosectiontotext(msg, DNS_PSEUDOSECTION_SIG0,
+						 style, flags, target);
+	return (result);
+}
+
+isc_region_t *
+dns_message_getrawmessage(dns_message_t *msg) {
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	return (&msg->saved);
+}
+
+void
+dns_message_setsortorder(dns_message_t *msg, dns_rdatasetorderfunc_t order,
+			 dns_aclenv_t *env, const dns_acl_t *acl,
+			 const dns_aclelement_t *elem) {
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE((order == NULL) == (env == NULL));
+	REQUIRE(env == NULL || (acl != NULL || elem != NULL));
+
+	msg->order = order;
+	msg->order_arg.env = env;
+	msg->order_arg.acl = acl;
+	msg->order_arg.element = elem;
+}
+
+void
+dns_message_settimeadjust(dns_message_t *msg, int timeadjust) {
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	msg->timeadjust = timeadjust;
+}
+
+int
+dns_message_gettimeadjust(dns_message_t *msg) {
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	return (msg->timeadjust);
+}
+
+isc_result_t
+dns_opcode_totext(dns_opcode_t opcode, isc_buffer_t *target) {
+	REQUIRE(opcode < 16);
+
+	if (isc_buffer_availablelength(target) < strlen(opcodetext[opcode])) {
+		return (ISC_R_NOSPACE);
+	}
+	isc_buffer_putstr(target, opcodetext[opcode]);
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_message_logpacket(dns_message_t *message, const char *description,
+		      const isc_sockaddr_t *address,
+		      isc_logcategory_t *category, isc_logmodule_t *module,
+		      int level, isc_mem_t *mctx) {
+	REQUIRE(address != NULL);
+
+	logfmtpacket(message, description, address, category, module,
+		     &dns_master_style_debug, level, mctx);
+}
+
+void
+dns_message_logfmtpacket(dns_message_t *message, const char *description,
+			 const isc_sockaddr_t *address,
+			 isc_logcategory_t *category, isc_logmodule_t *module,
+			 const dns_master_style_t *style, int level,
+			 isc_mem_t *mctx) {
+	REQUIRE(address != NULL);
+
+	logfmtpacket(message, description, address, category, module, style,
+		     level, mctx);
+}
+
+static void
+logfmtpacket(dns_message_t *message, const char *description,
+	     const isc_sockaddr_t *address, isc_logcategory_t *category,
+	     isc_logmodule_t *module, const dns_master_style_t *style,
+	     int level, isc_mem_t *mctx) {
+	char addrbuf[ISC_SOCKADDR_FORMATSIZE] = { 0 };
+	const char *newline = "\n";
+	const char *space = " ";
+	isc_buffer_t buffer;
+	char *buf = NULL;
+	int len = 1024;
+	isc_result_t result;
+
+	if (!isc_log_wouldlog(dns_lctx, level)) {
+		return;
+	}
+
+	/*
+	 * Note that these are multiline debug messages.  We want a newline
+	 * to appear in the log after each message.
+	 */
+
+	if (address != NULL) {
+		isc_sockaddr_format(address, addrbuf, sizeof(addrbuf));
+	} else {
+		newline = space = "";
+	}
+
+	do {
+		buf = isc_mem_get(mctx, len);
+		isc_buffer_init(&buffer, buf, len);
+		result = dns_message_totext(message, style, 0, &buffer);
+		if (result == ISC_R_NOSPACE) {
+			isc_mem_put(mctx, buf, len);
+			len += 1024;
+		} else if (result == ISC_R_SUCCESS) {
+			isc_log_write(dns_lctx, category, module, level,
+				      "%s%s%s%s%.*s", description, space,
+				      addrbuf, newline,
+				      (int)isc_buffer_usedlength(&buffer), buf);
+		}
+	} while (result == ISC_R_NOSPACE);
+
+	if (buf != NULL) {
+		isc_mem_put(mctx, buf, len);
+	}
+}
+
+isc_result_t
+dns_message_buildopt(dns_message_t *message, dns_rdataset_t **rdatasetp,
+		     unsigned int version, uint16_t udpsize, unsigned int flags,
+		     dns_ednsopt_t *ednsopts, size_t count) {
+	dns_rdataset_t *rdataset = NULL;
+	dns_rdatalist_t *rdatalist = NULL;
+	dns_rdata_t *rdata = NULL;
+	isc_result_t result;
+	unsigned int len = 0, i;
+
+	REQUIRE(DNS_MESSAGE_VALID(message));
+	REQUIRE(rdatasetp != NULL && *rdatasetp == NULL);
+
+	result = dns_message_gettemprdatalist(message, &rdatalist);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	result = dns_message_gettemprdata(message, &rdata);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	result = dns_message_gettemprdataset(message, &rdataset);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	rdatalist->type = dns_rdatatype_opt;
+
+	/*
+	 * Set Maximum UDP buffer size.
+	 */
+	rdatalist->rdclass = udpsize;
+
+	/*
+	 * Set EXTENDED-RCODE and Z to 0.
+	 */
+	rdatalist->ttl = (version << 16);
+	rdatalist->ttl |= (flags & 0xffff);
+
+	/*
+	 * Set EDNS options if applicable
+	 */
+	if (count != 0U) {
+		isc_buffer_t *buf = NULL;
+		bool seenpad = false;
+		for (i = 0; i < count; i++) {
+			len += ednsopts[i].length + 4;
+		}
+
+		if (len > 0xffffU) {
+			result = ISC_R_NOSPACE;
+			goto cleanup;
+		}
+
+		isc_buffer_allocate(message->mctx, &buf, len);
+
+		for (i = 0; i < count; i++) {
+			if (ednsopts[i].code == DNS_OPT_PAD &&
+			    ednsopts[i].length == 0U && !seenpad)
+			{
+				seenpad = true;
+				continue;
+			}
+			isc_buffer_putuint16(buf, ednsopts[i].code);
+			isc_buffer_putuint16(buf, ednsopts[i].length);
+			if (ednsopts[i].length != 0) {
+				isc_buffer_putmem(buf, ednsopts[i].value,
+						  ednsopts[i].length);
+			}
+		}
+
+		/* Padding must be the final option */
+		if (seenpad) {
+			isc_buffer_putuint16(buf, DNS_OPT_PAD);
+			isc_buffer_putuint16(buf, 0);
+		}
+		rdata->data = isc_buffer_base(buf);
+		rdata->length = len;
+		dns_message_takebuffer(message, &buf);
+		if (seenpad) {
+			message->padding_off = len;
+		}
+	} else {
+		rdata->data = NULL;
+		rdata->length = 0;
+	}
+
+	rdata->rdclass = rdatalist->rdclass;
+	rdata->type = rdatalist->type;
+	rdata->flags = 0;
+
+	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
+	result = dns_rdatalist_tordataset(rdatalist, rdataset);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	*rdatasetp = rdataset;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	if (rdata != NULL) {
+		dns_message_puttemprdata(message, &rdata);
+	}
+	if (rdataset != NULL) {
+		dns_message_puttemprdataset(message, &rdataset);
+	}
+	if (rdatalist != NULL) {
+		dns_message_puttemprdatalist(message, &rdatalist);
+	}
+	return (result);
+}
+
+void
+dns_message_setclass(dns_message_t *msg, dns_rdataclass_t rdclass) {
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTPARSE);
+	REQUIRE(msg->state == DNS_SECTION_ANY);
+	REQUIRE(msg->rdclass_set == 0);
+
+	msg->rdclass = rdclass;
+	msg->rdclass_set = 1;
+}
+
+void
+dns_message_setpadding(dns_message_t *msg, uint16_t padding) {
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+
+	/* Avoid silly large padding */
+	if (padding > 512) {
+		padding = 512;
+	}
+	msg->padding = padding;
+}
+
+void
+dns_message_clonebuffer(dns_message_t *msg) {
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+
+	if (msg->free_saved == 0 && msg->saved.base != NULL) {
+		msg->saved.base =
+			memmove(isc_mem_get(msg->mctx, msg->saved.length),
+				msg->saved.base, msg->saved.length);
+		msg->free_saved = 1;
+	}
+	if (msg->free_query == 0 && msg->query.base != NULL) {
+		msg->query.base =
+			memmove(isc_mem_get(msg->mctx, msg->query.length),
+				msg->query.base, msg->query.length);
+		msg->free_query = 1;
+	}
+}
diff --git a/lib/dns/name.c b/lib/dns/name.c
new file mode 100644
index 0000000..96f95b3
--- /dev/null
+++ b/lib/dns/name.c
@@ -0,0 +1,2692 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <ctype.h>
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/hash.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/print.h>
+#include <isc/random.h>
+#include <isc/string.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+
+#include <dns/compress.h>
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/result.h>
+
+#define VALID_NAME(n) ISC_MAGIC_VALID(n, DNS_NAME_MAGIC)
+
+typedef enum {
+	ft_init = 0,
+	ft_start,
+	ft_ordinary,
+	ft_initialescape,
+	ft_escape,
+	ft_escdecimal,
+	ft_at
+} ft_state;
+
+typedef enum { fw_start = 0, fw_ordinary, fw_newcurrent } fw_state;
+
+static char digitvalue[256] = {
+	-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*16*/
+	-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*32*/
+	-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*48*/
+	0,  1,	2,  3,	4,  5,	6,  7,	8,  9,	-1, -1, -1, -1, -1, -1, /*64*/
+	-1, 10, 11, 12, 13, 14, 15, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*80*/
+	-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*96*/
+	-1, 10, 11, 12, 13, 14, 15, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*112*/
+	-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*128*/
+	-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+	-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+	-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+	-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+	-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+	-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+	-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+	-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*256*/
+};
+
+static unsigned char maptolower[] = {
+	0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
+	0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+	0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
+	0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
+	0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b,
+	0x3c, 0x3d, 0x3e, 0x3f, 0x40, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
+	0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73,
+	0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f,
+	0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b,
+	0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
+	0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x80, 0x81, 0x82, 0x83,
+	0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
+	0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97, 0x98, 0x99, 0x9a, 0x9b,
+	0x9c, 0x9d, 0x9e, 0x9f, 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
+	0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf, 0xb0, 0xb1, 0xb2, 0xb3,
+	0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf,
+	0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, 0xc8, 0xc9, 0xca, 0xcb,
+	0xcc, 0xcd, 0xce, 0xcf, 0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7,
+	0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf, 0xe0, 0xe1, 0xe2, 0xe3,
+	0xe4, 0xe5, 0xe6, 0xe7, 0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef,
+	0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb,
+	0xfc, 0xfd, 0xfe, 0xff
+};
+
+#define CONVERTTOASCII(c)
+#define CONVERTFROMASCII(c)
+
+#define INIT_OFFSETS(name, var, default_offsets) \
+	if ((name)->offsets != NULL)             \
+		var = (name)->offsets;           \
+	else                                     \
+		var = (default_offsets);
+
+#define SETUP_OFFSETS(name, var, default_offsets) \
+	if ((name)->offsets != NULL) {            \
+		var = (name)->offsets;            \
+	} else {                                  \
+		var = (default_offsets);          \
+		set_offsets(name, var, NULL);     \
+	}
+
+/*%
+ * Note:  If additional attributes are added that should not be set for
+ *	  empty names, MAKE_EMPTY() must be changed so it clears them.
+ */
+#define MAKE_EMPTY(name)                                    \
+	do {                                                \
+		name->ndata = NULL;                         \
+		name->length = 0;                           \
+		name->labels = 0;                           \
+		name->attributes &= ~DNS_NAMEATTR_ABSOLUTE; \
+	} while (0);
+
+/*%
+ * A name is "bindable" if it can be set to point to a new value, i.e.
+ * name->ndata and name->length may be changed.
+ */
+#define BINDABLE(name)       \
+	((name->attributes & \
+	  (DNS_NAMEATTR_READONLY | DNS_NAMEATTR_DYNAMIC)) == 0)
+
+/*%
+ * Note that the name data must be a char array, not a string
+ * literal, to avoid compiler warnings about discarding
+ * the const attribute of a string.
+ */
+static unsigned char root_ndata[] = { "" };
+static unsigned char root_offsets[] = { 0 };
+
+static dns_name_t root = DNS_NAME_INITABSOLUTE(root_ndata, root_offsets);
+LIBDNS_EXTERNAL_DATA const dns_name_t *dns_rootname = &root;
+
+static unsigned char wild_ndata[] = { "\001*" };
+static unsigned char wild_offsets[] = { 0 };
+
+static dns_name_t const wild = DNS_NAME_INITNONABSOLUTE(wild_ndata,
+							wild_offsets);
+
+LIBDNS_EXTERNAL_DATA const dns_name_t *dns_wildcardname = &wild;
+
+/*
+ * dns_name_t to text post-conversion procedure.
+ */
+ISC_THREAD_LOCAL dns_name_totextfilter_t *totext_filter_proc = NULL;
+
+static void
+set_offsets(const dns_name_t *name, unsigned char *offsets,
+	    dns_name_t *set_name);
+
+void
+dns_name_init(dns_name_t *name, unsigned char *offsets) {
+	/*
+	 * Initialize 'name'.
+	 */
+	DNS_NAME_INIT(name, offsets);
+}
+
+void
+dns_name_reset(dns_name_t *name) {
+	REQUIRE(VALID_NAME(name));
+	REQUIRE(BINDABLE(name));
+
+	DNS_NAME_RESET(name);
+}
+
+void
+dns_name_invalidate(dns_name_t *name) {
+	/*
+	 * Make 'name' invalid.
+	 */
+
+	REQUIRE(VALID_NAME(name));
+
+	name->magic = 0;
+	name->ndata = NULL;
+	name->length = 0;
+	name->labels = 0;
+	name->attributes = 0;
+	name->offsets = NULL;
+	name->buffer = NULL;
+	ISC_LINK_INIT(name, link);
+}
+
+bool
+dns_name_isvalid(const dns_name_t *name) {
+	unsigned char *ndata, *offsets;
+	unsigned int offset, count, length, nlabels;
+
+	if (!VALID_NAME(name)) {
+		return (false);
+	}
+
+	if (name->length > 255U || name->labels > 127U) {
+		return (false);
+	}
+
+	ndata = name->ndata;
+	length = name->length;
+	offsets = name->offsets;
+	offset = 0;
+	nlabels = 0;
+
+	while (offset != length) {
+		count = *ndata;
+		if (count > 63U) {
+			return (false);
+		}
+		if (offsets != NULL && offsets[nlabels] != offset) {
+			return (false);
+		}
+
+		nlabels++;
+		offset += count + 1;
+		ndata += count + 1;
+		if (offset > length) {
+			return (false);
+		}
+
+		if (count == 0) {
+			break;
+		}
+	}
+
+	if (nlabels != name->labels || offset != name->length) {
+		return (false);
+	}
+
+	return (true);
+}
+
+void
+dns_name_setbuffer(dns_name_t *name, isc_buffer_t *buffer) {
+	/*
+	 * Dedicate a buffer for use with 'name'.
+	 */
+
+	REQUIRE(VALID_NAME(name));
+	REQUIRE((buffer != NULL && name->buffer == NULL) || (buffer == NULL));
+
+	name->buffer = buffer;
+}
+
+bool
+dns_name_hasbuffer(const dns_name_t *name) {
+	/*
+	 * Does 'name' have a dedicated buffer?
+	 */
+
+	REQUIRE(VALID_NAME(name));
+
+	if (name->buffer != NULL) {
+		return (true);
+	}
+
+	return (false);
+}
+
+bool
+dns_name_isabsolute(const dns_name_t *name) {
+	/*
+	 * Does 'name' end in the root label?
+	 */
+
+	REQUIRE(VALID_NAME(name));
+
+	if ((name->attributes & DNS_NAMEATTR_ABSOLUTE) != 0) {
+		return (true);
+	}
+	return (false);
+}
+
+#define hyphenchar(c) ((c) == 0x2d)
+#define asterchar(c)  ((c) == 0x2a)
+#define alphachar(c) \
+	(((c) >= 0x41 && (c) <= 0x5a) || ((c) >= 0x61 && (c) <= 0x7a))
+#define digitchar(c)  ((c) >= 0x30 && (c) <= 0x39)
+#define borderchar(c) (alphachar(c) || digitchar(c))
+#define middlechar(c) (borderchar(c) || hyphenchar(c))
+#define domainchar(c) ((c) > 0x20 && (c) < 0x7f)
+
+bool
+dns_name_ismailbox(const dns_name_t *name) {
+	unsigned char *ndata, ch;
+	unsigned int n;
+	bool first;
+
+	REQUIRE(VALID_NAME(name));
+	REQUIRE(name->labels > 0);
+	REQUIRE(name->attributes & DNS_NAMEATTR_ABSOLUTE);
+
+	/*
+	 * Root label.
+	 */
+	if (name->length == 1) {
+		return (true);
+	}
+
+	ndata = name->ndata;
+	n = *ndata++;
+	INSIST(n <= 63);
+	while (n--) {
+		ch = *ndata++;
+		if (!domainchar(ch)) {
+			return (false);
+		}
+	}
+
+	if (ndata == name->ndata + name->length) {
+		return (false);
+	}
+
+	/*
+	 * RFC292/RFC1123 hostname.
+	 */
+	while (ndata < (name->ndata + name->length)) {
+		n = *ndata++;
+		INSIST(n <= 63);
+		first = true;
+		while (n--) {
+			ch = *ndata++;
+			if (first || n == 0) {
+				if (!borderchar(ch)) {
+					return (false);
+				}
+			} else {
+				if (!middlechar(ch)) {
+					return (false);
+				}
+			}
+			first = false;
+		}
+	}
+	return (true);
+}
+
+bool
+dns_name_ishostname(const dns_name_t *name, bool wildcard) {
+	unsigned char *ndata, ch;
+	unsigned int n;
+	bool first;
+
+	REQUIRE(VALID_NAME(name));
+	REQUIRE(name->labels > 0);
+	REQUIRE(name->attributes & DNS_NAMEATTR_ABSOLUTE);
+
+	/*
+	 * Root label.
+	 */
+	if (name->length == 1) {
+		return (true);
+	}
+
+	/*
+	 * Skip wildcard if this is a ownername.
+	 */
+	ndata = name->ndata;
+	if (wildcard && ndata[0] == 1 && ndata[1] == '*') {
+		ndata += 2;
+	}
+
+	/*
+	 * RFC292/RFC1123 hostname.
+	 */
+	while (ndata < (name->ndata + name->length)) {
+		n = *ndata++;
+		INSIST(n <= 63);
+		first = true;
+		while (n--) {
+			ch = *ndata++;
+			if (first || n == 0) {
+				if (!borderchar(ch)) {
+					return (false);
+				}
+			} else {
+				if (!middlechar(ch)) {
+					return (false);
+				}
+			}
+			first = false;
+		}
+	}
+	return (true);
+}
+
+bool
+dns_name_iswildcard(const dns_name_t *name) {
+	unsigned char *ndata;
+
+	/*
+	 * Is 'name' a wildcard name?
+	 */
+
+	REQUIRE(VALID_NAME(name));
+	REQUIRE(name->labels > 0);
+
+	if (name->length >= 2) {
+		ndata = name->ndata;
+		if (ndata[0] == 1 && ndata[1] == '*') {
+			return (true);
+		}
+	}
+
+	return (false);
+}
+
+bool
+dns_name_internalwildcard(const dns_name_t *name) {
+	unsigned char *ndata;
+	unsigned int count;
+	unsigned int label;
+
+	/*
+	 * Does 'name' contain a internal wildcard?
+	 */
+
+	REQUIRE(VALID_NAME(name));
+	REQUIRE(name->labels > 0);
+
+	/*
+	 * Skip first label.
+	 */
+	ndata = name->ndata;
+	count = *ndata++;
+	INSIST(count <= 63);
+	ndata += count;
+	label = 1;
+	/*
+	 * Check all but the last of the remaining labels.
+	 */
+	while (label + 1 < name->labels) {
+		count = *ndata++;
+		INSIST(count <= 63);
+		if (count == 1 && *ndata == '*') {
+			return (true);
+		}
+		ndata += count;
+		label++;
+	}
+	return (false);
+}
+
+unsigned int
+dns_name_hash(const dns_name_t *name, bool case_sensitive) {
+	unsigned int length;
+
+	/*
+	 * Provide a hash value for 'name'.
+	 */
+	REQUIRE(VALID_NAME(name));
+
+	if (name->labels == 0) {
+		return (0);
+	}
+
+	length = name->length;
+	if (length > 16) {
+		length = 16;
+	}
+
+	/* High bits are more random. */
+	return (isc_hash32(name->ndata, length, case_sensitive));
+}
+
+unsigned int
+dns_name_fullhash(const dns_name_t *name, bool case_sensitive) {
+	/*
+	 * Provide a hash value for 'name'.
+	 */
+	REQUIRE(VALID_NAME(name));
+
+	if (name->labels == 0) {
+		return (0);
+	}
+
+	/* High bits are more random. */
+	return (isc_hash32(name->ndata, name->length, case_sensitive));
+}
+
+dns_namereln_t
+dns_name_fullcompare(const dns_name_t *name1, const dns_name_t *name2,
+		     int *orderp, unsigned int *nlabelsp) {
+	unsigned int l1, l2, l, count1, count2, count, nlabels;
+	int cdiff, ldiff, chdiff;
+	unsigned char *label1, *label2;
+	unsigned char *offsets1, *offsets2;
+	dns_offsets_t odata1, odata2;
+	dns_namereln_t namereln = dns_namereln_none;
+
+	/*
+	 * Determine the relative ordering under the DNSSEC order relation of
+	 * 'name1' and 'name2', and also determine the hierarchical
+	 * relationship of the names.
+	 *
+	 * Note: It makes no sense for one of the names to be relative and the
+	 * other absolute.  If both names are relative, then to be meaningfully
+	 * compared the caller must ensure that they are both relative to the
+	 * same domain.
+	 */
+
+	REQUIRE(VALID_NAME(name1));
+	REQUIRE(VALID_NAME(name2));
+	REQUIRE(orderp != NULL);
+	REQUIRE(nlabelsp != NULL);
+	/*
+	 * Either name1 is absolute and name2 is absolute, or neither is.
+	 */
+	REQUIRE((name1->attributes & DNS_NAMEATTR_ABSOLUTE) ==
+		(name2->attributes & DNS_NAMEATTR_ABSOLUTE));
+
+	if (ISC_UNLIKELY(name1 == name2)) {
+		*orderp = 0;
+		*nlabelsp = name1->labels;
+		return (dns_namereln_equal);
+	}
+
+	SETUP_OFFSETS(name1, offsets1, odata1);
+	SETUP_OFFSETS(name2, offsets2, odata2);
+
+	nlabels = 0;
+	l1 = name1->labels;
+	l2 = name2->labels;
+	if (l2 > l1) {
+		l = l1;
+		ldiff = 0 - (l2 - l1);
+	} else {
+		l = l2;
+		ldiff = l1 - l2;
+	}
+
+	offsets1 += l1;
+	offsets2 += l2;
+
+	while (ISC_LIKELY(l > 0)) {
+		l--;
+		offsets1--;
+		offsets2--;
+		label1 = &name1->ndata[*offsets1];
+		label2 = &name2->ndata[*offsets2];
+		count1 = *label1++;
+		count2 = *label2++;
+
+		/*
+		 * We dropped bitstring labels, and we don't support any
+		 * other extended label types.
+		 */
+		INSIST(count1 <= 63 && count2 <= 63);
+
+		cdiff = (int)count1 - (int)count2;
+		if (cdiff < 0) {
+			count = count1;
+		} else {
+			count = count2;
+		}
+
+		/* Loop unrolled for performance */
+		while (ISC_LIKELY(count > 3)) {
+			chdiff = (int)maptolower[label1[0]] -
+				 (int)maptolower[label2[0]];
+			if (chdiff != 0) {
+				*orderp = chdiff;
+				goto done;
+			}
+			chdiff = (int)maptolower[label1[1]] -
+				 (int)maptolower[label2[1]];
+			if (chdiff != 0) {
+				*orderp = chdiff;
+				goto done;
+			}
+			chdiff = (int)maptolower[label1[2]] -
+				 (int)maptolower[label2[2]];
+			if (chdiff != 0) {
+				*orderp = chdiff;
+				goto done;
+			}
+			chdiff = (int)maptolower[label1[3]] -
+				 (int)maptolower[label2[3]];
+			if (chdiff != 0) {
+				*orderp = chdiff;
+				goto done;
+			}
+			count -= 4;
+			label1 += 4;
+			label2 += 4;
+		}
+		while (ISC_LIKELY(count-- > 0)) {
+			chdiff = (int)maptolower[*label1++] -
+				 (int)maptolower[*label2++];
+			if (chdiff != 0) {
+				*orderp = chdiff;
+				goto done;
+			}
+		}
+		if (cdiff != 0) {
+			*orderp = cdiff;
+			goto done;
+		}
+		nlabels++;
+	}
+
+	*orderp = ldiff;
+	if (ldiff < 0) {
+		namereln = dns_namereln_contains;
+	} else if (ldiff > 0) {
+		namereln = dns_namereln_subdomain;
+	} else {
+		namereln = dns_namereln_equal;
+	}
+	*nlabelsp = nlabels;
+	return (namereln);
+
+done:
+	*nlabelsp = nlabels;
+	if (nlabels > 0) {
+		namereln = dns_namereln_commonancestor;
+	}
+
+	return (namereln);
+}
+
+int
+dns_name_compare(const dns_name_t *name1, const dns_name_t *name2) {
+	int order;
+	unsigned int nlabels;
+
+	/*
+	 * Determine the relative ordering under the DNSSEC order relation of
+	 * 'name1' and 'name2'.
+	 *
+	 * Note: It makes no sense for one of the names to be relative and the
+	 * other absolute.  If both names are relative, then to be meaningfully
+	 * compared the caller must ensure that they are both relative to the
+	 * same domain.
+	 */
+
+	(void)dns_name_fullcompare(name1, name2, &order, &nlabels);
+
+	return (order);
+}
+
+bool
+dns_name_equal(const dns_name_t *name1, const dns_name_t *name2) {
+	unsigned int l, count;
+	unsigned char c;
+	unsigned char *label1, *label2;
+
+	/*
+	 * Are 'name1' and 'name2' equal?
+	 *
+	 * Note: It makes no sense for one of the names to be relative and the
+	 * other absolute.  If both names are relative, then to be meaningfully
+	 * compared the caller must ensure that they are both relative to the
+	 * same domain.
+	 */
+
+	REQUIRE(VALID_NAME(name1));
+	REQUIRE(VALID_NAME(name2));
+	/*
+	 * Either name1 is absolute and name2 is absolute, or neither is.
+	 */
+	REQUIRE((name1->attributes & DNS_NAMEATTR_ABSOLUTE) ==
+		(name2->attributes & DNS_NAMEATTR_ABSOLUTE));
+
+	if (ISC_UNLIKELY(name1 == name2)) {
+		return (true);
+	}
+
+	if (name1->length != name2->length) {
+		return (false);
+	}
+
+	l = name1->labels;
+
+	if (l != name2->labels) {
+		return (false);
+	}
+
+	label1 = name1->ndata;
+	label2 = name2->ndata;
+	while (ISC_LIKELY(l-- > 0)) {
+		count = *label1++;
+		if (count != *label2++) {
+			return (false);
+		}
+
+		INSIST(count <= 63); /* no bitstring support */
+
+		/* Loop unrolled for performance */
+		while (ISC_LIKELY(count > 3)) {
+			c = maptolower[label1[0]];
+			if (c != maptolower[label2[0]]) {
+				return (false);
+			}
+			c = maptolower[label1[1]];
+			if (c != maptolower[label2[1]]) {
+				return (false);
+			}
+			c = maptolower[label1[2]];
+			if (c != maptolower[label2[2]]) {
+				return (false);
+			}
+			c = maptolower[label1[3]];
+			if (c != maptolower[label2[3]]) {
+				return (false);
+			}
+			count -= 4;
+			label1 += 4;
+			label2 += 4;
+		}
+		while (ISC_LIKELY(count-- > 0)) {
+			c = maptolower[*label1++];
+			if (c != maptolower[*label2++]) {
+				return (false);
+			}
+		}
+	}
+
+	return (true);
+}
+
+bool
+dns_name_caseequal(const dns_name_t *name1, const dns_name_t *name2) {
+	/*
+	 * Are 'name1' and 'name2' equal?
+	 *
+	 * Note: It makes no sense for one of the names to be relative and the
+	 * other absolute.  If both names are relative, then to be meaningfully
+	 * compared the caller must ensure that they are both relative to the
+	 * same domain.
+	 */
+
+	REQUIRE(VALID_NAME(name1));
+	REQUIRE(VALID_NAME(name2));
+	/*
+	 * Either name1 is absolute and name2 is absolute, or neither is.
+	 */
+	REQUIRE((name1->attributes & DNS_NAMEATTR_ABSOLUTE) ==
+		(name2->attributes & DNS_NAMEATTR_ABSOLUTE));
+
+	if (name1->length != name2->length) {
+		return (false);
+	}
+
+	if (memcmp(name1->ndata, name2->ndata, name1->length) != 0) {
+		return (false);
+	}
+
+	return (true);
+}
+
+int
+dns_name_rdatacompare(const dns_name_t *name1, const dns_name_t *name2) {
+	unsigned int l1, l2, l, count1, count2, count;
+	unsigned char c1, c2;
+	unsigned char *label1, *label2;
+
+	/*
+	 * Compare two absolute names as rdata.
+	 */
+
+	REQUIRE(VALID_NAME(name1));
+	REQUIRE(name1->labels > 0);
+	REQUIRE((name1->attributes & DNS_NAMEATTR_ABSOLUTE) != 0);
+	REQUIRE(VALID_NAME(name2));
+	REQUIRE(name2->labels > 0);
+	REQUIRE((name2->attributes & DNS_NAMEATTR_ABSOLUTE) != 0);
+
+	l1 = name1->labels;
+	l2 = name2->labels;
+
+	l = (l1 < l2) ? l1 : l2;
+
+	label1 = name1->ndata;
+	label2 = name2->ndata;
+	while (l > 0) {
+		l--;
+		count1 = *label1++;
+		count2 = *label2++;
+
+		/* no bitstring support */
+		INSIST(count1 <= 63 && count2 <= 63);
+
+		if (count1 != count2) {
+			return ((count1 < count2) ? -1 : 1);
+		}
+		count = count1;
+		while (count > 0) {
+			count--;
+			c1 = maptolower[*label1++];
+			c2 = maptolower[*label2++];
+			if (c1 < c2) {
+				return (-1);
+			} else if (c1 > c2) {
+				return (1);
+			}
+		}
+	}
+
+	/*
+	 * If one name had more labels than the other, their common
+	 * prefix must have been different because the shorter name
+	 * ended with the root label and the longer one can't have
+	 * a root label in the middle of it.  Therefore, if we get
+	 * to this point, the lengths must be equal.
+	 */
+	INSIST(l1 == l2);
+
+	return (0);
+}
+
+bool
+dns_name_issubdomain(const dns_name_t *name1, const dns_name_t *name2) {
+	int order;
+	unsigned int nlabels;
+	dns_namereln_t namereln;
+
+	/*
+	 * Is 'name1' a subdomain of 'name2'?
+	 *
+	 * Note: It makes no sense for one of the names to be relative and the
+	 * other absolute.  If both names are relative, then to be meaningfully
+	 * compared the caller must ensure that they are both relative to the
+	 * same domain.
+	 */
+
+	namereln = dns_name_fullcompare(name1, name2, &order, &nlabels);
+	if (namereln == dns_namereln_subdomain ||
+	    namereln == dns_namereln_equal)
+	{
+		return (true);
+	}
+
+	return (false);
+}
+
+bool
+dns_name_matcheswildcard(const dns_name_t *name, const dns_name_t *wname) {
+	int order;
+	unsigned int nlabels, labels;
+	dns_name_t tname;
+
+	REQUIRE(VALID_NAME(name));
+	REQUIRE(name->labels > 0);
+	REQUIRE(VALID_NAME(wname));
+	labels = wname->labels;
+	REQUIRE(labels > 0);
+	REQUIRE(dns_name_iswildcard(wname));
+
+	DNS_NAME_INIT(&tname, NULL);
+	dns_name_getlabelsequence(wname, 1, labels - 1, &tname);
+	if (dns_name_fullcompare(name, &tname, &order, &nlabels) ==
+	    dns_namereln_subdomain)
+	{
+		return (true);
+	}
+	return (false);
+}
+
+unsigned int
+dns_name_countlabels(const dns_name_t *name) {
+	/*
+	 * How many labels does 'name' have?
+	 */
+
+	REQUIRE(VALID_NAME(name));
+
+	ENSURE(name->labels <= 128);
+
+	return (name->labels);
+}
+
+void
+dns_name_getlabel(const dns_name_t *name, unsigned int n, dns_label_t *label) {
+	unsigned char *offsets;
+	dns_offsets_t odata;
+
+	/*
+	 * Make 'label' refer to the 'n'th least significant label of 'name'.
+	 */
+
+	REQUIRE(VALID_NAME(name));
+	REQUIRE(name->labels > 0);
+	REQUIRE(n < name->labels);
+	REQUIRE(label != NULL);
+
+	SETUP_OFFSETS(name, offsets, odata);
+
+	label->base = &name->ndata[offsets[n]];
+	if (n == name->labels - 1) {
+		label->length = name->length - offsets[n];
+	} else {
+		label->length = offsets[n + 1] - offsets[n];
+	}
+}
+
+void
+dns_name_getlabelsequence(const dns_name_t *source, unsigned int first,
+			  unsigned int n, dns_name_t *target) {
+	unsigned char *p, l;
+	unsigned int firstoffset, endoffset;
+	unsigned int i;
+
+	/*
+	 * Make 'target' refer to the 'n' labels including and following
+	 * 'first' in 'source'.
+	 */
+
+	REQUIRE(VALID_NAME(source));
+	REQUIRE(VALID_NAME(target));
+	REQUIRE(first <= source->labels);
+	REQUIRE(n <= source->labels - first); /* note first+n could overflow */
+	REQUIRE(BINDABLE(target));
+
+	p = source->ndata;
+	if (ISC_UNLIKELY(first == source->labels)) {
+		firstoffset = source->length;
+	} else {
+		for (i = 0; i < first; i++) {
+			l = *p;
+			p += l + 1;
+		}
+		firstoffset = (unsigned int)(p - source->ndata);
+	}
+
+	if (ISC_LIKELY(first + n == source->labels)) {
+		endoffset = source->length;
+	} else {
+		for (i = 0; i < n; i++) {
+			l = *p;
+			p += l + 1;
+		}
+		endoffset = (unsigned int)(p - source->ndata);
+	}
+
+	target->ndata = &source->ndata[firstoffset];
+	target->length = endoffset - firstoffset;
+
+	if (first + n == source->labels && n > 0 &&
+	    (source->attributes & DNS_NAMEATTR_ABSOLUTE) != 0)
+	{
+		target->attributes |= DNS_NAMEATTR_ABSOLUTE;
+	} else {
+		target->attributes &= ~DNS_NAMEATTR_ABSOLUTE;
+	}
+
+	target->labels = n;
+
+	/*
+	 * If source and target are the same, and we're making target
+	 * a prefix of source, the offsets table is correct already
+	 * so we don't need to call set_offsets().
+	 */
+	if (target->offsets != NULL && (target != source || first != 0)) {
+		set_offsets(target, target->offsets, NULL);
+	}
+}
+
+void
+dns_name_clone(const dns_name_t *source, dns_name_t *target) {
+	/*
+	 * Make 'target' refer to the same name as 'source'.
+	 */
+
+	REQUIRE(VALID_NAME(source));
+	REQUIRE(VALID_NAME(target));
+	REQUIRE(BINDABLE(target));
+
+	target->ndata = source->ndata;
+	target->length = source->length;
+	target->labels = source->labels;
+	target->attributes = source->attributes &
+			     (unsigned int)~(DNS_NAMEATTR_READONLY |
+					     DNS_NAMEATTR_DYNAMIC |
+					     DNS_NAMEATTR_DYNOFFSETS);
+	if (target->offsets != NULL && source->labels > 0) {
+		if (source->offsets != NULL) {
+			memmove(target->offsets, source->offsets,
+				source->labels);
+		} else {
+			set_offsets(target, target->offsets, NULL);
+		}
+	}
+}
+
+void
+dns_name_fromregion(dns_name_t *name, const isc_region_t *r) {
+	unsigned char *offsets;
+	dns_offsets_t odata;
+	unsigned int len;
+	isc_region_t r2;
+
+	/*
+	 * Make 'name' refer to region 'r'.
+	 */
+
+	REQUIRE(VALID_NAME(name));
+	REQUIRE(r != NULL);
+	REQUIRE(BINDABLE(name));
+
+	INIT_OFFSETS(name, offsets, odata);
+
+	if (name->buffer != NULL) {
+		isc_buffer_clear(name->buffer);
+		isc_buffer_availableregion(name->buffer, &r2);
+		len = (r->length < r2.length) ? r->length : r2.length;
+		if (len > DNS_NAME_MAXWIRE) {
+			len = DNS_NAME_MAXWIRE;
+		}
+		if (len != 0) {
+			memmove(r2.base, r->base, len);
+		}
+		name->ndata = r2.base;
+		name->length = len;
+	} else {
+		name->ndata = r->base;
+		name->length = (r->length <= DNS_NAME_MAXWIRE)
+				       ? r->length
+				       : DNS_NAME_MAXWIRE;
+	}
+
+	if (r->length > 0) {
+		set_offsets(name, offsets, name);
+	} else {
+		name->labels = 0;
+		name->attributes &= ~DNS_NAMEATTR_ABSOLUTE;
+	}
+
+	if (name->buffer != NULL) {
+		isc_buffer_add(name->buffer, name->length);
+	}
+}
+
+void
+dns_name_toregion(const dns_name_t *name, isc_region_t *r) {
+	/*
+	 * Make 'r' refer to 'name'.
+	 */
+
+	REQUIRE(VALID_NAME(name));
+	REQUIRE(r != NULL);
+
+	DNS_NAME_TOREGION(name, r);
+}
+
+isc_result_t
+dns_name_fromtext(dns_name_t *name, isc_buffer_t *source,
+		  const dns_name_t *origin, unsigned int options,
+		  isc_buffer_t *target) {
+	unsigned char *ndata, *label = NULL;
+	char *tdata;
+	char c;
+	ft_state state;
+	unsigned int value = 0, count = 0;
+	unsigned int n1 = 0, n2 = 0;
+	unsigned int tlen, nrem, nused, digits = 0, labels, tused;
+	bool done;
+	unsigned char *offsets;
+	dns_offsets_t odata;
+	bool downcase;
+
+	/*
+	 * Convert the textual representation of a DNS name at source
+	 * into uncompressed wire form stored in target.
+	 *
+	 * Notes:
+	 *	Relative domain names will have 'origin' appended to them
+	 *	unless 'origin' is NULL, in which case relative domain names
+	 *	will remain relative.
+	 */
+
+	REQUIRE(VALID_NAME(name));
+	REQUIRE(ISC_BUFFER_VALID(source));
+	REQUIRE((target != NULL && ISC_BUFFER_VALID(target)) ||
+		(target == NULL && ISC_BUFFER_VALID(name->buffer)));
+
+	downcase = ((options & DNS_NAME_DOWNCASE) != 0);
+
+	if (target == NULL && name->buffer != NULL) {
+		target = name->buffer;
+		isc_buffer_clear(target);
+	}
+
+	REQUIRE(BINDABLE(name));
+
+	INIT_OFFSETS(name, offsets, odata);
+	offsets[0] = 0;
+
+	/*
+	 * Make 'name' empty in case of failure.
+	 */
+	MAKE_EMPTY(name);
+
+	/*
+	 * Set up the state machine.
+	 */
+	tdata = (char *)source->base + source->current;
+	tlen = isc_buffer_remaininglength(source);
+	tused = 0;
+	ndata = isc_buffer_used(target);
+	nrem = isc_buffer_availablelength(target);
+	if (nrem > 255) {
+		nrem = 255;
+	}
+	nused = 0;
+	labels = 0;
+	done = false;
+	state = ft_init;
+
+	while (nrem > 0 && tlen > 0 && !done) {
+		c = *tdata++;
+		tlen--;
+		tused++;
+
+		switch (state) {
+		case ft_init:
+			/*
+			 * Is this the root name?
+			 */
+			if (c == '.') {
+				if (tlen != 0) {
+					return (DNS_R_EMPTYLABEL);
+				}
+				labels++;
+				*ndata++ = 0;
+				nrem--;
+				nused++;
+				done = true;
+				break;
+			}
+			if (c == '@' && tlen == 0) {
+				state = ft_at;
+				break;
+			}
+
+			FALLTHROUGH;
+		case ft_start:
+			label = ndata;
+			ndata++;
+			nrem--;
+			nused++;
+			count = 0;
+			if (c == '\\') {
+				state = ft_initialescape;
+				break;
+			}
+			state = ft_ordinary;
+			if (nrem == 0) {
+				return (ISC_R_NOSPACE);
+			}
+			FALLTHROUGH;
+		case ft_ordinary:
+			if (c == '.') {
+				if (count == 0) {
+					return (DNS_R_EMPTYLABEL);
+				}
+				*label = count;
+				labels++;
+				INSIST(labels <= 127);
+				offsets[labels] = nused;
+				if (tlen == 0) {
+					labels++;
+					*ndata++ = 0;
+					nrem--;
+					nused++;
+					done = true;
+				}
+				state = ft_start;
+			} else if (c == '\\') {
+				state = ft_escape;
+			} else {
+				if (count >= 63) {
+					return (DNS_R_LABELTOOLONG);
+				}
+				count++;
+				CONVERTTOASCII(c);
+				if (downcase) {
+					c = maptolower[c & 0xff];
+				}
+				*ndata++ = c;
+				nrem--;
+				nused++;
+			}
+			break;
+		case ft_initialescape:
+			if (c == '[') {
+				/*
+				 * This looks like a bitstring label, which
+				 * was deprecated.  Intentionally drop it.
+				 */
+				return (DNS_R_BADLABELTYPE);
+			}
+			state = ft_escape;
+			POST(state);
+			FALLTHROUGH;
+		case ft_escape:
+			if (!isdigit((unsigned char)c)) {
+				if (count >= 63) {
+					return (DNS_R_LABELTOOLONG);
+				}
+				count++;
+				CONVERTTOASCII(c);
+				if (downcase) {
+					c = maptolower[c & 0xff];
+				}
+				*ndata++ = c;
+				nrem--;
+				nused++;
+				state = ft_ordinary;
+				break;
+			}
+			digits = 0;
+			value = 0;
+			state = ft_escdecimal;
+			FALLTHROUGH;
+		case ft_escdecimal:
+			if (!isdigit((unsigned char)c)) {
+				return (DNS_R_BADESCAPE);
+			}
+			value *= 10;
+			value += digitvalue[c & 0xff];
+			digits++;
+			if (digits == 3) {
+				if (value > 255) {
+					return (DNS_R_BADESCAPE);
+				}
+				if (count >= 63) {
+					return (DNS_R_LABELTOOLONG);
+				}
+				count++;
+				if (downcase) {
+					value = maptolower[value];
+				}
+				*ndata++ = value;
+				nrem--;
+				nused++;
+				state = ft_ordinary;
+			}
+			break;
+		default:
+			FATAL_ERROR(__FILE__, __LINE__, "Unexpected state %d",
+				    state);
+			/* Does not return. */
+		}
+	}
+
+	if (!done) {
+		if (nrem == 0) {
+			return (ISC_R_NOSPACE);
+		}
+		INSIST(tlen == 0);
+		if (state != ft_ordinary && state != ft_at) {
+			return (ISC_R_UNEXPECTEDEND);
+		}
+		if (state == ft_ordinary) {
+			INSIST(count != 0);
+			INSIST(label != NULL);
+			*label = count;
+			labels++;
+			INSIST(labels <= 127);
+			offsets[labels] = nused;
+		}
+		if (origin != NULL) {
+			if (nrem < origin->length) {
+				return (ISC_R_NOSPACE);
+			}
+			label = origin->ndata;
+			n1 = origin->length;
+			nrem -= n1;
+			POST(nrem);
+			while (n1 > 0) {
+				n2 = *label++;
+				INSIST(n2 <= 63); /* no bitstring support */
+				*ndata++ = n2;
+				n1 -= n2 + 1;
+				nused += n2 + 1;
+				while (n2 > 0) {
+					c = *label++;
+					if (downcase) {
+						c = maptolower[c & 0xff];
+					}
+					*ndata++ = c;
+					n2--;
+				}
+				labels++;
+				if (n1 > 0) {
+					INSIST(labels <= 127);
+					offsets[labels] = nused;
+				}
+			}
+			if ((origin->attributes & DNS_NAMEATTR_ABSOLUTE) != 0) {
+				name->attributes |= DNS_NAMEATTR_ABSOLUTE;
+			}
+		}
+	} else {
+		name->attributes |= DNS_NAMEATTR_ABSOLUTE;
+	}
+
+	name->ndata = (unsigned char *)target->base + target->used;
+	name->labels = labels;
+	name->length = nused;
+
+	isc_buffer_forward(source, tused);
+	isc_buffer_add(target, name->length);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_name_totext(const dns_name_t *name, bool omit_final_dot,
+		isc_buffer_t *target) {
+	unsigned int options = DNS_NAME_MASTERFILE;
+
+	if (omit_final_dot) {
+		options |= DNS_NAME_OMITFINALDOT;
+	}
+	return (dns_name_totext2(name, options, target));
+}
+
+isc_result_t
+dns_name_toprincipal(const dns_name_t *name, isc_buffer_t *target) {
+	return (dns_name_totext2(name, DNS_NAME_OMITFINALDOT, target));
+}
+
+isc_result_t
+dns_name_totext2(const dns_name_t *name, unsigned int options,
+		 isc_buffer_t *target) {
+	unsigned char *ndata;
+	char *tdata;
+	unsigned int nlen, tlen;
+	unsigned char c;
+	unsigned int trem, count;
+	unsigned int labels;
+	bool saw_root = false;
+	unsigned int oused;
+	bool omit_final_dot = ((options & DNS_NAME_OMITFINALDOT) != 0);
+
+	/*
+	 * This function assumes the name is in proper uncompressed
+	 * wire format.
+	 */
+	REQUIRE(VALID_NAME(name));
+	REQUIRE(ISC_BUFFER_VALID(target));
+
+	oused = target->used;
+
+	ndata = name->ndata;
+	nlen = name->length;
+	labels = name->labels;
+	tdata = isc_buffer_used(target);
+	tlen = isc_buffer_availablelength(target);
+
+	trem = tlen;
+
+	if (labels == 0 && nlen == 0) {
+		/*
+		 * Special handling for an empty name.
+		 */
+		if (trem == 0) {
+			return (ISC_R_NOSPACE);
+		}
+
+		/*
+		 * The names of these booleans are misleading in this case.
+		 * This empty name is not necessarily from the root node of
+		 * the DNS root zone, nor is a final dot going to be included.
+		 * They need to be set this way, though, to keep the "@"
+		 * from being trounced.
+		 */
+		saw_root = true;
+		omit_final_dot = false;
+		*tdata++ = '@';
+		trem--;
+
+		/*
+		 * Skip the while() loop.
+		 */
+		nlen = 0;
+	} else if (nlen == 1 && labels == 1 && *ndata == '\0') {
+		/*
+		 * Special handling for the root label.
+		 */
+		if (trem == 0) {
+			return (ISC_R_NOSPACE);
+		}
+
+		saw_root = true;
+		omit_final_dot = false;
+		*tdata++ = '.';
+		trem--;
+
+		/*
+		 * Skip the while() loop.
+		 */
+		nlen = 0;
+	}
+
+	while (labels > 0 && nlen > 0 && trem > 0) {
+		labels--;
+		count = *ndata++;
+		nlen--;
+		if (count == 0) {
+			saw_root = true;
+			break;
+		}
+		if (count < 64) {
+			INSIST(nlen >= count);
+			while (count > 0) {
+				c = *ndata;
+				switch (c) {
+				/* Special modifiers in zone files. */
+				case 0x40: /* '@' */
+				case 0x24: /* '$' */
+					if ((options & DNS_NAME_MASTERFILE) ==
+					    0)
+					{
+						goto no_escape;
+					}
+					FALLTHROUGH;
+				case 0x22: /* '"' */
+				case 0x28: /* '(' */
+				case 0x29: /* ')' */
+				case 0x2E: /* '.' */
+				case 0x3B: /* ';' */
+				case 0x5C: /* '\\' */
+					if (trem < 2) {
+						return (ISC_R_NOSPACE);
+					}
+					*tdata++ = '\\';
+					CONVERTFROMASCII(c);
+					*tdata++ = c;
+					ndata++;
+					trem -= 2;
+					nlen--;
+					break;
+				no_escape:
+				default:
+					if (c > 0x20 && c < 0x7f) {
+						if (trem == 0) {
+							return (ISC_R_NOSPACE);
+						}
+						CONVERTFROMASCII(c);
+						*tdata++ = c;
+						ndata++;
+						trem--;
+						nlen--;
+					} else {
+						if (trem < 4) {
+							return (ISC_R_NOSPACE);
+						}
+						*tdata++ = 0x5c;
+						*tdata++ = 0x30 +
+							   ((c / 100) % 10);
+						*tdata++ = 0x30 +
+							   ((c / 10) % 10);
+						*tdata++ = 0x30 + (c % 10);
+						trem -= 4;
+						ndata++;
+						nlen--;
+					}
+				}
+				count--;
+			}
+		} else {
+			FATAL_ERROR(__FILE__, __LINE__,
+				    "Unexpected label type %02x", count);
+			UNREACHABLE();
+		}
+
+		/*
+		 * The following assumes names are absolute.  If not, we
+		 * fix things up later.  Note that this means that in some
+		 * cases one more byte of text buffer is required than is
+		 * needed in the final output.
+		 */
+		if (trem == 0) {
+			return (ISC_R_NOSPACE);
+		}
+		*tdata++ = '.';
+		trem--;
+	}
+
+	if (nlen != 0 && trem == 0) {
+		return (ISC_R_NOSPACE);
+	}
+
+	if (!saw_root || omit_final_dot) {
+		trem++;
+		tdata--;
+	}
+	if (trem > 0) {
+		*tdata = 0;
+	}
+	isc_buffer_add(target, tlen - trem);
+
+	if (totext_filter_proc != NULL) {
+		return ((totext_filter_proc)(target, oused));
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_name_tofilenametext(const dns_name_t *name, bool omit_final_dot,
+			isc_buffer_t *target) {
+	unsigned char *ndata;
+	char *tdata;
+	unsigned int nlen, tlen;
+	unsigned char c;
+	unsigned int trem, count;
+	unsigned int labels;
+
+	/*
+	 * This function assumes the name is in proper uncompressed
+	 * wire format.
+	 */
+	REQUIRE(VALID_NAME(name));
+	REQUIRE((name->attributes & DNS_NAMEATTR_ABSOLUTE) != 0);
+	REQUIRE(ISC_BUFFER_VALID(target));
+
+	ndata = name->ndata;
+	nlen = name->length;
+	labels = name->labels;
+	tdata = isc_buffer_used(target);
+	tlen = isc_buffer_availablelength(target);
+
+	trem = tlen;
+
+	if (nlen == 1 && labels == 1 && *ndata == '\0') {
+		/*
+		 * Special handling for the root label.
+		 */
+		if (trem == 0) {
+			return (ISC_R_NOSPACE);
+		}
+
+		omit_final_dot = false;
+		*tdata++ = '.';
+		trem--;
+
+		/*
+		 * Skip the while() loop.
+		 */
+		nlen = 0;
+	}
+
+	while (labels > 0 && nlen > 0 && trem > 0) {
+		labels--;
+		count = *ndata++;
+		nlen--;
+		if (count == 0) {
+			break;
+		}
+		if (count < 64) {
+			INSIST(nlen >= count);
+			while (count > 0) {
+				c = *ndata;
+				if ((c >= 0x30 && c <= 0x39) || /* digit */
+				    (c >= 0x41 && c <= 0x5A) || /* uppercase */
+				    (c >= 0x61 && c <= 0x7A) || /* lowercase */
+				    c == 0x2D ||		/* hyphen */
+				    c == 0x5F)			/* underscore */
+				{
+					if (trem == 0) {
+						return (ISC_R_NOSPACE);
+					}
+					/* downcase */
+					if (c >= 0x41 && c <= 0x5A) {
+						c += 0x20;
+					}
+					CONVERTFROMASCII(c);
+					*tdata++ = c;
+					ndata++;
+					trem--;
+					nlen--;
+				} else {
+					if (trem < 4) {
+						return (ISC_R_NOSPACE);
+					}
+					snprintf(tdata, trem, "%%%02X", c);
+					tdata += 3;
+					trem -= 3;
+					ndata++;
+					nlen--;
+				}
+				count--;
+			}
+		} else {
+			FATAL_ERROR(__FILE__, __LINE__,
+				    "Unexpected label type %02x", count);
+			UNREACHABLE();
+		}
+
+		/*
+		 * The following assumes names are absolute.  If not, we
+		 * fix things up later.  Note that this means that in some
+		 * cases one more byte of text buffer is required than is
+		 * needed in the final output.
+		 */
+		if (trem == 0) {
+			return (ISC_R_NOSPACE);
+		}
+		*tdata++ = '.';
+		trem--;
+	}
+
+	if (nlen != 0 && trem == 0) {
+		return (ISC_R_NOSPACE);
+	}
+
+	if (omit_final_dot) {
+		trem++;
+	}
+
+	isc_buffer_add(target, tlen - trem);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_name_downcase(const dns_name_t *source, dns_name_t *name,
+		  isc_buffer_t *target) {
+	unsigned char *sndata, *ndata;
+	unsigned int nlen, count, labels;
+	isc_buffer_t buffer;
+
+	/*
+	 * Downcase 'source'.
+	 */
+
+	REQUIRE(VALID_NAME(source));
+	REQUIRE(VALID_NAME(name));
+	if (source == name) {
+		REQUIRE((name->attributes & DNS_NAMEATTR_READONLY) == 0);
+		isc_buffer_init(&buffer, source->ndata, source->length);
+		target = &buffer;
+		ndata = source->ndata;
+	} else {
+		REQUIRE(BINDABLE(name));
+		REQUIRE((target != NULL && ISC_BUFFER_VALID(target)) ||
+			(target == NULL && ISC_BUFFER_VALID(name->buffer)));
+		if (target == NULL) {
+			target = name->buffer;
+			isc_buffer_clear(name->buffer);
+		}
+		ndata = (unsigned char *)target->base + target->used;
+		name->ndata = ndata;
+	}
+
+	sndata = source->ndata;
+	nlen = source->length;
+	labels = source->labels;
+
+	if (nlen > (target->length - target->used)) {
+		MAKE_EMPTY(name);
+		return (ISC_R_NOSPACE);
+	}
+
+	while (labels > 0 && nlen > 0) {
+		labels--;
+		count = *sndata++;
+		*ndata++ = count;
+		nlen--;
+		if (count < 64) {
+			INSIST(nlen >= count);
+			while (count > 0) {
+				*ndata++ = maptolower[(*sndata++)];
+				nlen--;
+				count--;
+			}
+		} else {
+			FATAL_ERROR(__FILE__, __LINE__,
+				    "Unexpected label type %02x", count);
+			/* Does not return. */
+		}
+	}
+
+	if (source != name) {
+		name->labels = source->labels;
+		name->length = source->length;
+		if ((source->attributes & DNS_NAMEATTR_ABSOLUTE) != 0) {
+			name->attributes = DNS_NAMEATTR_ABSOLUTE;
+		} else {
+			name->attributes = 0;
+		}
+		if (name->labels > 0 && name->offsets != NULL) {
+			set_offsets(name, name->offsets, NULL);
+		}
+	}
+
+	isc_buffer_add(target, name->length);
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+set_offsets(const dns_name_t *name, unsigned char *offsets,
+	    dns_name_t *set_name) {
+	unsigned int offset, count, length, nlabels;
+	unsigned char *ndata;
+	bool absolute;
+
+	ndata = name->ndata;
+	length = name->length;
+	offset = 0;
+	nlabels = 0;
+	absolute = false;
+	while (ISC_LIKELY(offset != length)) {
+		INSIST(nlabels < 128);
+		offsets[nlabels++] = offset;
+		count = *ndata;
+		INSIST(count <= 63);
+		offset += count + 1;
+		ndata += count + 1;
+		INSIST(offset <= length);
+		if (ISC_UNLIKELY(count == 0)) {
+			absolute = true;
+			break;
+		}
+	}
+	if (set_name != NULL) {
+		INSIST(set_name == name);
+
+		set_name->labels = nlabels;
+		set_name->length = offset;
+		if (absolute) {
+			set_name->attributes |= DNS_NAMEATTR_ABSOLUTE;
+		} else {
+			set_name->attributes &= ~DNS_NAMEATTR_ABSOLUTE;
+		}
+	}
+	INSIST(nlabels == name->labels);
+	INSIST(offset == name->length);
+}
+
+isc_result_t
+dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
+		  dns_decompress_t *dctx, unsigned int options,
+		  isc_buffer_t *target) {
+	unsigned char *cdata, *ndata;
+	unsigned int cused; /* Bytes of compressed name data used */
+	unsigned int nused, labels, n, nmax;
+	unsigned int current, new_current, biggest_pointer;
+	bool done;
+	fw_state state = fw_start;
+	unsigned int c;
+	unsigned char *offsets;
+	dns_offsets_t odata;
+	bool downcase;
+	bool seen_pointer;
+
+	/*
+	 * Copy the possibly-compressed name at source into target,
+	 * decompressing it.  Loop prevention is performed by checking
+	 * the new pointer against biggest_pointer.
+	 */
+
+	REQUIRE(VALID_NAME(name));
+	REQUIRE((target != NULL && ISC_BUFFER_VALID(target)) ||
+		(target == NULL && ISC_BUFFER_VALID(name->buffer)));
+
+	downcase = ((options & DNS_NAME_DOWNCASE) != 0);
+
+	if (target == NULL && name->buffer != NULL) {
+		target = name->buffer;
+		isc_buffer_clear(target);
+	}
+
+	REQUIRE(dctx != NULL);
+	REQUIRE(BINDABLE(name));
+
+	INIT_OFFSETS(name, offsets, odata);
+
+	/*
+	 * Make 'name' empty in case of failure.
+	 */
+	MAKE_EMPTY(name);
+
+	/*
+	 * Initialize things to make the compiler happy; they're not required.
+	 */
+	n = 0;
+	new_current = 0;
+
+	/*
+	 * Set up.
+	 */
+	labels = 0;
+	done = false;
+
+	ndata = isc_buffer_used(target);
+	nused = 0;
+	seen_pointer = false;
+
+	/*
+	 * Find the maximum number of uncompressed target name
+	 * bytes we are willing to generate.  This is the smaller
+	 * of the available target buffer length and the
+	 * maximum legal domain name length (255).
+	 */
+	nmax = isc_buffer_availablelength(target);
+	if (nmax > DNS_NAME_MAXWIRE) {
+		nmax = DNS_NAME_MAXWIRE;
+	}
+
+	cdata = isc_buffer_current(source);
+	cused = 0;
+
+	current = source->current;
+	biggest_pointer = current;
+
+	/*
+	 * Note:  The following code is not optimized for speed, but
+	 * rather for correctness.  Speed will be addressed in the future.
+	 */
+
+	while (current < source->active && !done) {
+		c = *cdata++;
+		current++;
+		if (!seen_pointer) {
+			cused++;
+		}
+
+		switch (state) {
+		case fw_start:
+			if (c < 64) {
+				offsets[labels] = nused;
+				labels++;
+				if (nused + c + 1 > nmax) {
+					goto full;
+				}
+				nused += c + 1;
+				*ndata++ = c;
+				if (c == 0) {
+					done = true;
+				}
+				n = c;
+				state = fw_ordinary;
+			} else if (c >= 128 && c < 192) {
+				/*
+				 * 14 bit local compression pointer.
+				 * Local compression is no longer an
+				 * IETF draft.
+				 */
+				return (DNS_R_BADLABELTYPE);
+			} else if (c >= 192) {
+				/*
+				 * Ordinary 14-bit pointer.
+				 */
+				if ((dctx->allowed & DNS_COMPRESS_GLOBAL14) ==
+				    0)
+				{
+					return (DNS_R_DISALLOWED);
+				}
+				new_current = c & 0x3F;
+				state = fw_newcurrent;
+			} else {
+				return (DNS_R_BADLABELTYPE);
+			}
+			break;
+		case fw_ordinary:
+			if (downcase) {
+				c = maptolower[c];
+			}
+			*ndata++ = c;
+			n--;
+			if (n == 0) {
+				state = fw_start;
+			}
+			break;
+		case fw_newcurrent:
+			new_current *= 256;
+			new_current += c;
+			if (new_current >= biggest_pointer) {
+				return (DNS_R_BADPOINTER);
+			}
+			biggest_pointer = new_current;
+			current = new_current;
+			cdata = (unsigned char *)source->base + current;
+			seen_pointer = true;
+			state = fw_start;
+			break;
+		default:
+			FATAL_ERROR(__FILE__, __LINE__, "Unknown state %d",
+				    state);
+			/* Does not return. */
+		}
+	}
+
+	if (!done) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	name->ndata = (unsigned char *)target->base + target->used;
+	name->labels = labels;
+	name->length = nused;
+	name->attributes |= DNS_NAMEATTR_ABSOLUTE;
+
+	isc_buffer_forward(source, cused);
+	isc_buffer_add(target, name->length);
+
+	return (ISC_R_SUCCESS);
+
+full:
+	if (nmax == DNS_NAME_MAXWIRE) {
+		/*
+		 * The name did not fit even though we had a buffer
+		 * big enough to fit a maximum-length name.
+		 */
+		return (DNS_R_NAMETOOLONG);
+	} else {
+		/*
+		 * The name might fit if only the caller could give us a
+		 * big enough buffer.
+		 */
+		return (ISC_R_NOSPACE);
+	}
+}
+
+isc_result_t
+dns_name_towire(const dns_name_t *name, dns_compress_t *cctx,
+		isc_buffer_t *target) {
+	return (dns_name_towire2(name, cctx, target, NULL));
+}
+
+isc_result_t
+dns_name_towire2(const dns_name_t *name, dns_compress_t *cctx,
+		 isc_buffer_t *target, uint16_t *comp_offsetp) {
+	unsigned int methods;
+	uint16_t offset;
+	dns_name_t gp; /* Global compression prefix */
+	bool gf;       /* Global compression target found */
+	uint16_t go;   /* Global compression offset */
+	dns_offsets_t clo;
+	dns_name_t clname;
+
+	/*
+	 * Convert 'name' into wire format, compressing it as specified by the
+	 * compression context 'cctx', and storing the result in 'target'.
+	 */
+
+	REQUIRE(VALID_NAME(name));
+	REQUIRE(cctx != NULL);
+	REQUIRE(ISC_BUFFER_VALID(target));
+
+	/*
+	 * If this exact name was already rendered before, and the
+	 * offset of the previously rendered name is passed to us, write
+	 * a compression pointer directly.
+	 */
+	methods = dns_compress_getmethods(cctx);
+	if (comp_offsetp != NULL && *comp_offsetp < 0x4000 &&
+	    (name->attributes & DNS_NAMEATTR_NOCOMPRESS) == 0 &&
+	    (methods & DNS_COMPRESS_GLOBAL14) != 0)
+	{
+		if (ISC_UNLIKELY(target->length - target->used < 2)) {
+			return (ISC_R_NOSPACE);
+		}
+		offset = *comp_offsetp;
+		offset |= 0xc000;
+		isc_buffer_putuint16(target, offset);
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * If 'name' doesn't have an offsets table, make a clone which
+	 * has one.
+	 */
+	if (name->offsets == NULL) {
+		DNS_NAME_INIT(&clname, clo);
+		dns_name_clone(name, &clname);
+		name = &clname;
+	}
+	DNS_NAME_INIT(&gp, NULL);
+
+	offset = target->used; /*XXX*/
+
+	if ((name->attributes & DNS_NAMEATTR_NOCOMPRESS) == 0 &&
+	    (methods & DNS_COMPRESS_GLOBAL14) != 0)
+	{
+		gf = dns_compress_findglobal(cctx, name, &gp, &go);
+	} else {
+		gf = false;
+	}
+
+	/*
+	 * If the offset is too high for 14 bit global compression, we're
+	 * out of luck.
+	 */
+	if (gf && ISC_UNLIKELY(go >= 0x4000)) {
+		gf = false;
+	}
+
+	/*
+	 * Will the compression pointer reduce the message size?
+	 */
+	if (gf && (gp.length + 2) >= name->length) {
+		gf = false;
+	}
+
+	if (gf) {
+		if (ISC_UNLIKELY(target->length - target->used < gp.length)) {
+			return (ISC_R_NOSPACE);
+		}
+		if (gp.length != 0) {
+			unsigned char *base = target->base;
+			(void)memmove(base + target->used, gp.ndata,
+				      (size_t)gp.length);
+		}
+		isc_buffer_add(target, gp.length);
+		if (ISC_UNLIKELY(target->length - target->used < 2)) {
+			return (ISC_R_NOSPACE);
+		}
+		isc_buffer_putuint16(target, go | 0xc000);
+		if (gp.length != 0) {
+			dns_compress_add(cctx, name, &gp, offset);
+			if (comp_offsetp != NULL) {
+				*comp_offsetp = offset;
+			}
+		} else if (comp_offsetp != NULL) {
+			*comp_offsetp = go;
+		}
+	} else {
+		if (ISC_UNLIKELY(target->length - target->used < name->length))
+		{
+			return (ISC_R_NOSPACE);
+		}
+		if (name->length != 0) {
+			unsigned char *base = target->base;
+			(void)memmove(base + target->used, name->ndata,
+				      (size_t)name->length);
+		}
+		isc_buffer_add(target, name->length);
+		dns_compress_add(cctx, name, name, offset);
+		if (comp_offsetp != NULL) {
+			*comp_offsetp = offset;
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_name_concatenate(const dns_name_t *prefix, const dns_name_t *suffix,
+		     dns_name_t *name, isc_buffer_t *target) {
+	unsigned char *ndata, *offsets;
+	unsigned int nrem, labels, prefix_length, length;
+	bool copy_prefix = true;
+	bool copy_suffix = true;
+	bool absolute = false;
+	dns_name_t tmp_name;
+	dns_offsets_t odata;
+
+	/*
+	 * Concatenate 'prefix' and 'suffix'.
+	 */
+
+	REQUIRE(prefix == NULL || VALID_NAME(prefix));
+	REQUIRE(suffix == NULL || VALID_NAME(suffix));
+	REQUIRE(name == NULL || VALID_NAME(name));
+	REQUIRE((target != NULL && ISC_BUFFER_VALID(target)) ||
+		(target == NULL && name != NULL &&
+		 ISC_BUFFER_VALID(name->buffer)));
+	if (prefix == NULL || prefix->labels == 0) {
+		copy_prefix = false;
+	}
+	if (suffix == NULL || suffix->labels == 0) {
+		copy_suffix = false;
+	}
+	if (copy_prefix && (prefix->attributes & DNS_NAMEATTR_ABSOLUTE) != 0) {
+		absolute = true;
+		REQUIRE(!copy_suffix);
+	}
+	if (name == NULL) {
+		DNS_NAME_INIT(&tmp_name, odata);
+		name = &tmp_name;
+	}
+	if (target == NULL) {
+		INSIST(name->buffer != NULL);
+		target = name->buffer;
+		isc_buffer_clear(name->buffer);
+	}
+
+	REQUIRE(BINDABLE(name));
+
+	/*
+	 * Set up.
+	 */
+	nrem = target->length - target->used;
+	ndata = (unsigned char *)target->base + target->used;
+	if (nrem > DNS_NAME_MAXWIRE) {
+		nrem = DNS_NAME_MAXWIRE;
+	}
+	length = 0;
+	prefix_length = 0;
+	labels = 0;
+	if (copy_prefix) {
+		prefix_length = prefix->length;
+		length += prefix_length;
+		labels += prefix->labels;
+	}
+	if (copy_suffix) {
+		length += suffix->length;
+		labels += suffix->labels;
+	}
+	if (length > DNS_NAME_MAXWIRE) {
+		MAKE_EMPTY(name);
+		return (DNS_R_NAMETOOLONG);
+	}
+	if (length > nrem) {
+		MAKE_EMPTY(name);
+		return (ISC_R_NOSPACE);
+	}
+
+	if (copy_suffix) {
+		if ((suffix->attributes & DNS_NAMEATTR_ABSOLUTE) != 0) {
+			absolute = true;
+		}
+		memmove(ndata + prefix_length, suffix->ndata, suffix->length);
+	}
+
+	/*
+	 * If 'prefix' and 'name' are the same object, and the object has
+	 * a dedicated buffer, and we're using it, then we don't have to
+	 * copy anything.
+	 */
+	if (copy_prefix && (prefix != name || prefix->buffer != target)) {
+		memmove(ndata, prefix->ndata, prefix_length);
+	}
+
+	name->ndata = ndata;
+	name->labels = labels;
+	name->length = length;
+	if (absolute) {
+		name->attributes = DNS_NAMEATTR_ABSOLUTE;
+	} else {
+		name->attributes = 0;
+	}
+
+	if (name->labels > 0 && name->offsets != NULL) {
+		INIT_OFFSETS(name, offsets, odata);
+		set_offsets(name, offsets, NULL);
+	}
+
+	isc_buffer_add(target, name->length);
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_name_split(const dns_name_t *name, unsigned int suffixlabels,
+	       dns_name_t *prefix, dns_name_t *suffix)
+
+{
+	unsigned int splitlabel;
+
+	REQUIRE(VALID_NAME(name));
+	REQUIRE(suffixlabels > 0);
+	REQUIRE(suffixlabels <= name->labels);
+	REQUIRE(prefix != NULL || suffix != NULL);
+	REQUIRE(prefix == NULL || (VALID_NAME(prefix) && BINDABLE(prefix)));
+	REQUIRE(suffix == NULL || (VALID_NAME(suffix) && BINDABLE(suffix)));
+
+	splitlabel = name->labels - suffixlabels;
+
+	if (prefix != NULL) {
+		dns_name_getlabelsequence(name, 0, splitlabel, prefix);
+	}
+
+	if (suffix != NULL) {
+		dns_name_getlabelsequence(name, splitlabel, suffixlabels,
+					  suffix);
+	}
+
+	return;
+}
+
+void
+dns_name_dup(const dns_name_t *source, isc_mem_t *mctx, dns_name_t *target) {
+	/*
+	 * Make 'target' a dynamically allocated copy of 'source'.
+	 */
+
+	REQUIRE(VALID_NAME(source));
+	REQUIRE(source->length > 0);
+	REQUIRE(VALID_NAME(target));
+	REQUIRE(BINDABLE(target));
+
+	/*
+	 * Make 'target' empty in case of failure.
+	 */
+	MAKE_EMPTY(target);
+
+	target->ndata = isc_mem_get(mctx, source->length);
+
+	memmove(target->ndata, source->ndata, source->length);
+
+	target->length = source->length;
+	target->labels = source->labels;
+	target->attributes = DNS_NAMEATTR_DYNAMIC;
+	if ((source->attributes & DNS_NAMEATTR_ABSOLUTE) != 0) {
+		target->attributes |= DNS_NAMEATTR_ABSOLUTE;
+	}
+	if (target->offsets != NULL) {
+		if (source->offsets != NULL) {
+			memmove(target->offsets, source->offsets,
+				source->labels);
+		} else {
+			set_offsets(target, target->offsets, NULL);
+		}
+	}
+}
+
+isc_result_t
+dns_name_dupwithoffsets(const dns_name_t *source, isc_mem_t *mctx,
+			dns_name_t *target) {
+	/*
+	 * Make 'target' a read-only dynamically allocated copy of 'source'.
+	 * 'target' will also have a dynamically allocated offsets table.
+	 */
+
+	REQUIRE(VALID_NAME(source));
+	REQUIRE(source->length > 0);
+	REQUIRE(VALID_NAME(target));
+	REQUIRE(BINDABLE(target));
+	REQUIRE(target->offsets == NULL);
+
+	/*
+	 * Make 'target' empty in case of failure.
+	 */
+	MAKE_EMPTY(target);
+
+	target->ndata = isc_mem_get(mctx, source->length + source->labels);
+
+	memmove(target->ndata, source->ndata, source->length);
+
+	target->length = source->length;
+	target->labels = source->labels;
+	target->attributes = DNS_NAMEATTR_DYNAMIC | DNS_NAMEATTR_DYNOFFSETS |
+			     DNS_NAMEATTR_READONLY;
+	if ((source->attributes & DNS_NAMEATTR_ABSOLUTE) != 0) {
+		target->attributes |= DNS_NAMEATTR_ABSOLUTE;
+	}
+	target->offsets = target->ndata + source->length;
+	if (source->offsets != NULL) {
+		memmove(target->offsets, source->offsets, source->labels);
+	} else {
+		set_offsets(target, target->offsets, NULL);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_name_free(dns_name_t *name, isc_mem_t *mctx) {
+	size_t size;
+
+	/*
+	 * Free 'name'.
+	 */
+
+	REQUIRE(VALID_NAME(name));
+	REQUIRE((name->attributes & DNS_NAMEATTR_DYNAMIC) != 0);
+
+	size = name->length;
+	if ((name->attributes & DNS_NAMEATTR_DYNOFFSETS) != 0) {
+		size += name->labels;
+	}
+	isc_mem_put(mctx, name->ndata, size);
+	dns_name_invalidate(name);
+}
+
+isc_result_t
+dns_name_digest(const dns_name_t *name, dns_digestfunc_t digest, void *arg) {
+	dns_name_t downname;
+	unsigned char data[256];
+	isc_buffer_t buffer;
+	isc_result_t result;
+	isc_region_t r;
+
+	/*
+	 * Send 'name' in DNSSEC canonical form to 'digest'.
+	 */
+
+	REQUIRE(VALID_NAME(name));
+	REQUIRE(digest != NULL);
+
+	DNS_NAME_INIT(&downname, NULL);
+
+	isc_buffer_init(&buffer, data, sizeof(data));
+
+	result = dns_name_downcase(name, &downname, &buffer);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	isc_buffer_usedregion(&buffer, &r);
+
+	return ((digest)(arg, &r));
+}
+
+bool
+dns_name_dynamic(const dns_name_t *name) {
+	REQUIRE(VALID_NAME(name));
+
+	/*
+	 * Returns whether there is dynamic memory associated with this name.
+	 */
+
+	return ((name->attributes & DNS_NAMEATTR_DYNAMIC) != 0 ? true : false);
+}
+
+isc_result_t
+dns_name_print(const dns_name_t *name, FILE *stream) {
+	isc_result_t result;
+	isc_buffer_t b;
+	isc_region_t r;
+	char t[1024];
+
+	/*
+	 * Print 'name' on 'stream'.
+	 */
+
+	REQUIRE(VALID_NAME(name));
+
+	isc_buffer_init(&b, t, sizeof(t));
+	result = dns_name_totext(name, false, &b);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	isc_buffer_usedregion(&b, &r);
+	fprintf(stream, "%.*s", (int)r.length, (char *)r.base);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_name_settotextfilter(dns_name_totextfilter_t *proc) {
+	/*
+	 * If we already have been here set / clear as appropriate.
+	 */
+	if (totext_filter_proc != NULL && proc != NULL) {
+		if (totext_filter_proc == proc) {
+			return (ISC_R_SUCCESS);
+		}
+	}
+	if (proc == NULL && totext_filter_proc != NULL) {
+		totext_filter_proc = NULL;
+		return (ISC_R_SUCCESS);
+	}
+
+	totext_filter_proc = proc;
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_name_format(const dns_name_t *name, char *cp, unsigned int size) {
+	isc_result_t result;
+	isc_buffer_t buf;
+
+	REQUIRE(size > 0);
+
+	/*
+	 * Leave room for null termination after buffer.
+	 */
+	isc_buffer_init(&buf, cp, size - 1);
+	result = dns_name_totext(name, true, &buf);
+	if (result == ISC_R_SUCCESS) {
+		isc_buffer_putuint8(&buf, (uint8_t)'\0');
+	} else {
+		snprintf(cp, size, "<unknown>");
+	}
+}
+
+/*
+ * dns_name_tostring() -- similar to dns_name_format() but allocates its own
+ * memory.
+ */
+isc_result_t
+dns_name_tostring(const dns_name_t *name, char **target, isc_mem_t *mctx) {
+	isc_result_t result;
+	isc_buffer_t buf;
+	isc_region_t reg;
+	char *p, txt[DNS_NAME_FORMATSIZE];
+
+	REQUIRE(VALID_NAME(name));
+	REQUIRE(target != NULL && *target == NULL);
+
+	isc_buffer_init(&buf, txt, sizeof(txt));
+	result = dns_name_totext(name, false, &buf);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	isc_buffer_usedregion(&buf, &reg);
+	p = isc_mem_allocate(mctx, reg.length + 1);
+	memmove(p, (char *)reg.base, (int)reg.length);
+	p[reg.length] = '\0';
+
+	*target = p;
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * dns_name_fromstring() -- convert directly from a string to a name,
+ * allocating memory as needed
+ */
+isc_result_t
+dns_name_fromstring(dns_name_t *target, const char *src, unsigned int options,
+		    isc_mem_t *mctx) {
+	return (dns_name_fromstring2(target, src, dns_rootname, options, mctx));
+}
+
+isc_result_t
+dns_name_fromstring2(dns_name_t *target, const char *src,
+		     const dns_name_t *origin, unsigned int options,
+		     isc_mem_t *mctx) {
+	isc_result_t result;
+	isc_buffer_t buf;
+	dns_fixedname_t fn;
+	dns_name_t *name;
+
+	REQUIRE(src != NULL);
+
+	isc_buffer_constinit(&buf, src, strlen(src));
+	isc_buffer_add(&buf, strlen(src));
+	if (BINDABLE(target) && target->buffer != NULL) {
+		name = target;
+	} else {
+		name = dns_fixedname_initname(&fn);
+	}
+
+	result = dns_name_fromtext(name, &buf, origin, options, NULL);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	if (name != target) {
+		result = dns_name_dupwithoffsets(name, mctx, target);
+	}
+	return (result);
+}
+
+static isc_result_t
+name_copy(const dns_name_t *source, dns_name_t *dest, isc_buffer_t *target) {
+	unsigned char *ndata = NULL;
+
+	/*
+	 * Make dest a copy of source.
+	 */
+
+	REQUIRE(BINDABLE(dest));
+
+	/*
+	 * Set up.
+	 */
+	if (target->length - target->used < source->length) {
+		return (ISC_R_NOSPACE);
+	}
+
+	ndata = (unsigned char *)target->base + target->used;
+	dest->ndata = target->base;
+
+	if (source->length != 0) {
+		memmove(ndata, source->ndata, source->length);
+	}
+
+	dest->ndata = ndata;
+	dest->labels = source->labels;
+	dest->length = source->length;
+	if ((source->attributes & DNS_NAMEATTR_ABSOLUTE) != 0) {
+		dest->attributes = DNS_NAMEATTR_ABSOLUTE;
+	} else {
+		dest->attributes = 0;
+	}
+
+	if (dest->labels > 0 && dest->offsets != NULL) {
+		if (source->offsets != NULL && source->labels != 0) {
+			memmove(dest->offsets, source->offsets, source->labels);
+		} else {
+			set_offsets(dest, dest->offsets, NULL);
+		}
+	}
+
+	isc_buffer_add(target, dest->length);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_name_copy(const dns_name_t *source, dns_name_t *dest,
+	      isc_buffer_t *target) {
+	REQUIRE(VALID_NAME(source));
+	REQUIRE(VALID_NAME(dest));
+	REQUIRE(target != NULL);
+
+	return (name_copy(source, dest, target));
+}
+
+void
+dns_name_copynf(const dns_name_t *source, dns_name_t *dest) {
+	REQUIRE(VALID_NAME(source));
+	REQUIRE(VALID_NAME(dest));
+	REQUIRE(dest->buffer != NULL);
+
+	isc_buffer_clear(dest->buffer);
+	RUNTIME_CHECK(name_copy(source, dest, dest->buffer) == ISC_R_SUCCESS);
+}
+
+/*
+ * Service Discovery Prefixes RFC 6763.
+ */
+static unsigned char b_dns_sd_udp_data[] = "\001b\007_dns-sd\004_udp";
+static unsigned char b_dns_sd_udp_offsets[] = { 0, 2, 10 };
+static unsigned char db_dns_sd_udp_data[] = "\002db\007_dns-sd\004_udp";
+static unsigned char db_dns_sd_udp_offsets[] = { 0, 3, 11 };
+static unsigned char r_dns_sd_udp_data[] = "\001r\007_dns-sd\004_udp";
+static unsigned char r_dns_sd_udp_offsets[] = { 0, 2, 10 };
+static unsigned char dr_dns_sd_udp_data[] = "\002dr\007_dns-sd\004_udp";
+static unsigned char dr_dns_sd_udp_offsets[] = { 0, 3, 11 };
+static unsigned char lb_dns_sd_udp_data[] = "\002lb\007_dns-sd\004_udp";
+static unsigned char lb_dns_sd_udp_offsets[] = { 0, 3, 11 };
+
+static dns_name_t const dns_sd[] = {
+	DNS_NAME_INITNONABSOLUTE(b_dns_sd_udp_data, b_dns_sd_udp_offsets),
+	DNS_NAME_INITNONABSOLUTE(db_dns_sd_udp_data, db_dns_sd_udp_offsets),
+	DNS_NAME_INITNONABSOLUTE(r_dns_sd_udp_data, r_dns_sd_udp_offsets),
+	DNS_NAME_INITNONABSOLUTE(dr_dns_sd_udp_data, dr_dns_sd_udp_offsets),
+	DNS_NAME_INITNONABSOLUTE(lb_dns_sd_udp_data, lb_dns_sd_udp_offsets)
+};
+
+bool
+dns_name_isdnssd(const dns_name_t *name) {
+	size_t i;
+	dns_name_t prefix;
+
+	if (dns_name_countlabels(name) > 3U) {
+		dns_name_init(&prefix, NULL);
+		dns_name_getlabelsequence(name, 0, 3, &prefix);
+		for (i = 0; i < (sizeof(dns_sd) / sizeof(dns_sd[0])); i++) {
+			if (dns_name_equal(&prefix, &dns_sd[i])) {
+				return (true);
+			}
+		}
+	}
+
+	return (false);
+}
+
+static unsigned char inaddr10_offsets[] = { 0, 3, 11, 16 };
+static unsigned char inaddr172_offsets[] = { 0, 3, 7, 15, 20 };
+static unsigned char inaddr192_offsets[] = { 0, 4, 8, 16, 21 };
+
+static unsigned char inaddr10[] = "\00210\007IN-ADDR\004ARPA";
+
+static unsigned char inaddr16172[] = "\00216\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr17172[] = "\00217\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr18172[] = "\00218\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr19172[] = "\00219\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr20172[] = "\00220\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr21172[] = "\00221\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr22172[] = "\00222\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr23172[] = "\00223\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr24172[] = "\00224\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr25172[] = "\00225\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr26172[] = "\00226\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr27172[] = "\00227\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr28172[] = "\00228\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr29172[] = "\00229\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr30172[] = "\00230\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr31172[] = "\00231\003172\007IN-ADDR\004ARPA";
+
+static unsigned char inaddr168192[] = "\003168\003192\007IN-ADDR\004ARPA";
+
+static dns_name_t const rfc1918names[] = {
+	DNS_NAME_INITABSOLUTE(inaddr10, inaddr10_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr16172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr17172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr18172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr19172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr20172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr21172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr22172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr23172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr24172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr25172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr26172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr27172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr28172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr29172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr30172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr31172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr168192, inaddr192_offsets)
+};
+
+bool
+dns_name_isrfc1918(const dns_name_t *name) {
+	size_t i;
+
+	for (i = 0; i < (sizeof(rfc1918names) / sizeof(*rfc1918names)); i++) {
+		if (dns_name_issubdomain(name, &rfc1918names[i])) {
+			return (true);
+		}
+	}
+	return (false);
+}
+
+static unsigned char ulaoffsets[] = { 0, 2, 4, 8, 13 };
+static unsigned char ip6fc[] = "\001c\001f\003ip6\004ARPA";
+static unsigned char ip6fd[] = "\001d\001f\003ip6\004ARPA";
+
+static dns_name_t const ulanames[] = { DNS_NAME_INITABSOLUTE(ip6fc, ulaoffsets),
+				       DNS_NAME_INITABSOLUTE(ip6fd,
+							     ulaoffsets) };
+
+bool
+dns_name_isula(const dns_name_t *name) {
+	size_t i;
+
+	for (i = 0; i < (sizeof(ulanames) / sizeof(*ulanames)); i++) {
+		if (dns_name_issubdomain(name, &ulanames[i])) {
+			return (true);
+		}
+	}
+	return (false);
+}
+
+/*
+ * Use a simple table as we don't want all the locale stuff
+ * associated with ishexdigit().
+ */
+const char ishex[256] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+			  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+			  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+			  1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0,
+			  0, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+			  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+			  0, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+			  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
+
+bool
+dns_name_istat(const dns_name_t *name) {
+	unsigned char len;
+	const unsigned char *ndata;
+
+	REQUIRE(VALID_NAME(name));
+
+	if (name->labels < 1) {
+		return (false);
+	}
+
+	ndata = name->ndata;
+	len = ndata[0];
+	INSIST(len <= name->length);
+	ndata++;
+
+	/*
+	 * Is there at least one trust anchor reported and is the
+	 * label length consistent with a trust-anchor-telemetry label.
+	 */
+	if ((len < 8) || (len - 3) % 5 != 0) {
+		return (false);
+	}
+
+	if (ndata[0] != '_' || maptolower[ndata[1]] != 't' ||
+	    maptolower[ndata[2]] != 'a')
+	{
+		return (false);
+	}
+	ndata += 3;
+	len -= 3;
+
+	while (len > 0) {
+		INSIST(len >= 5);
+		if (ndata[0] != '-' || !ishex[ndata[1]] || !ishex[ndata[2]] ||
+		    !ishex[ndata[3]] || !ishex[ndata[4]])
+		{
+			return (false);
+		}
+		ndata += 5;
+		len -= 5;
+	}
+	return (true);
+}
diff --git a/lib/dns/ncache.c b/lib/dns/ncache.c
new file mode 100644
index 0000000..9247ac1
--- /dev/null
+++ b/lib/dns/ncache.c
@@ -0,0 +1,777 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/buffer.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/message.h>
+#include <dns/ncache.h>
+#include <dns/rdata.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+
+#define DNS_NCACHE_RDATA 100U
+
+/*
+ * The format of an ncache rdata is a sequence of zero or more records of
+ * the following format:
+ *
+ *	owner name
+ *	type
+ *	trust
+ *	rdata count
+ *		rdata length			These two occur 'rdata count'
+ *		rdata				times.
+ *
+ */
+
+static isc_result_t
+addoptout(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
+	  dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t minttl,
+	  dns_ttl_t maxttl, bool optout, bool secure,
+	  dns_rdataset_t *addedrdataset);
+
+static isc_result_t
+copy_rdataset(dns_rdataset_t *rdataset, isc_buffer_t *buffer) {
+	isc_result_t result;
+	unsigned int count;
+	isc_region_t ar, r;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+
+	/*
+	 * Copy the rdataset count to the buffer.
+	 */
+	isc_buffer_availableregion(buffer, &ar);
+	if (ar.length < 2) {
+		return (ISC_R_NOSPACE);
+	}
+	count = dns_rdataset_count(rdataset);
+	INSIST(count <= 65535);
+	isc_buffer_putuint16(buffer, (uint16_t)count);
+
+	result = dns_rdataset_first(rdataset);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdataset_current(rdataset, &rdata);
+		dns_rdata_toregion(&rdata, &r);
+		INSIST(r.length <= 65535);
+		isc_buffer_availableregion(buffer, &ar);
+		if (ar.length < 2) {
+			return (ISC_R_NOSPACE);
+		}
+		/*
+		 * Copy the rdata length to the buffer.
+		 */
+		isc_buffer_putuint16(buffer, (uint16_t)r.length);
+		/*
+		 * Copy the rdata to the buffer.
+		 */
+		result = isc_buffer_copyregion(buffer, &r);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		dns_rdata_reset(&rdata);
+		result = dns_rdataset_next(rdataset);
+	}
+	if (result != ISC_R_NOMORE) {
+		return (result);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
+	       dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t minttl,
+	       dns_ttl_t maxttl, dns_rdataset_t *addedrdataset) {
+	return (addoptout(message, cache, node, covers, now, minttl, maxttl,
+			  false, false, addedrdataset));
+}
+
+isc_result_t
+dns_ncache_addoptout(dns_message_t *message, dns_db_t *cache,
+		     dns_dbnode_t *node, dns_rdatatype_t covers,
+		     isc_stdtime_t now, dns_ttl_t minttl, dns_ttl_t maxttl,
+		     bool optout, dns_rdataset_t *addedrdataset) {
+	return (addoptout(message, cache, node, covers, now, minttl, maxttl,
+			  optout, true, addedrdataset));
+}
+
+static isc_result_t
+addoptout(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
+	  dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t minttl,
+	  dns_ttl_t maxttl, bool optout, bool secure,
+	  dns_rdataset_t *addedrdataset) {
+	isc_result_t result;
+	isc_buffer_t buffer;
+	isc_region_t r;
+	dns_rdataset_t *rdataset;
+	dns_rdatatype_t type;
+	dns_name_t *name;
+	dns_ttl_t ttl;
+	dns_trust_t trust;
+	dns_rdata_t rdata[DNS_NCACHE_RDATA];
+	dns_rdataset_t ncrdataset;
+	dns_rdatalist_t ncrdatalist;
+	unsigned char data[65536];
+	unsigned int next = 0;
+
+	/*
+	 * Convert the authority data from 'message' into a negative cache
+	 * rdataset, and store it in 'cache' at 'node'.
+	 */
+
+	REQUIRE(message != NULL);
+
+	/*
+	 * We assume that all data in the authority section has been
+	 * validated by the caller.
+	 */
+
+	/*
+	 * Initialize the list.
+	 */
+	dns_rdatalist_init(&ncrdatalist);
+	ncrdatalist.rdclass = dns_db_class(cache);
+	ncrdatalist.covers = covers;
+	ncrdatalist.ttl = maxttl;
+
+	/*
+	 * Build an ncache rdatas into buffer.
+	 */
+	ttl = maxttl;
+	trust = 0xffff;
+	isc_buffer_init(&buffer, data, sizeof(data));
+	if (message->counts[DNS_SECTION_AUTHORITY]) {
+		result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
+	} else {
+		result = ISC_R_NOMORE;
+	}
+	while (result == ISC_R_SUCCESS) {
+		name = NULL;
+		dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
+		if ((name->attributes & DNS_NAMEATTR_NCACHE) != 0) {
+			for (rdataset = ISC_LIST_HEAD(name->list);
+			     rdataset != NULL;
+			     rdataset = ISC_LIST_NEXT(rdataset, link))
+			{
+				if ((rdataset->attributes &
+				     DNS_RDATASETATTR_NCACHE) == 0)
+				{
+					continue;
+				}
+				type = rdataset->type;
+				if (type == dns_rdatatype_rrsig) {
+					type = rdataset->covers;
+				}
+				if (type == dns_rdatatype_soa ||
+				    type == dns_rdatatype_nsec ||
+				    type == dns_rdatatype_nsec3)
+				{
+					if (ttl > rdataset->ttl) {
+						ttl = rdataset->ttl;
+					}
+					if (ttl < minttl) {
+						ttl = minttl;
+					}
+					if (trust > rdataset->trust) {
+						trust = rdataset->trust;
+					}
+					/*
+					 * Copy the owner name to the buffer.
+					 */
+					dns_name_toregion(name, &r);
+					result = isc_buffer_copyregion(&buffer,
+								       &r);
+					if (result != ISC_R_SUCCESS) {
+						return (result);
+					}
+					/*
+					 * Copy the type to the buffer.
+					 */
+					isc_buffer_availableregion(&buffer, &r);
+					if (r.length < 3) {
+						return (ISC_R_NOSPACE);
+					}
+					isc_buffer_putuint16(&buffer,
+							     rdataset->type);
+					isc_buffer_putuint8(
+						&buffer,
+						(unsigned char)rdataset->trust);
+					/*
+					 * Copy the rdataset into the buffer.
+					 */
+					result = copy_rdataset(rdataset,
+							       &buffer);
+					if (result != ISC_R_SUCCESS) {
+						return (result);
+					}
+
+					if (next >= DNS_NCACHE_RDATA) {
+						return (ISC_R_NOSPACE);
+					}
+					dns_rdata_init(&rdata[next]);
+					isc_buffer_remainingregion(&buffer, &r);
+					rdata[next].data = r.base;
+					rdata[next].length = r.length;
+					rdata[next].rdclass =
+						ncrdatalist.rdclass;
+					rdata[next].type = 0;
+					rdata[next].flags = 0;
+					ISC_LIST_APPEND(ncrdatalist.rdata,
+							&rdata[next], link);
+					isc_buffer_forward(&buffer, r.length);
+					next++;
+				}
+			}
+		}
+		result = dns_message_nextname(message, DNS_SECTION_AUTHORITY);
+	}
+	if (result != ISC_R_NOMORE) {
+		return (result);
+	}
+
+	if (trust == 0xffff) {
+		if ((message->flags & DNS_MESSAGEFLAG_AA) != 0 &&
+		    message->counts[DNS_SECTION_ANSWER] == 0)
+		{
+			/*
+			 * The response has aa set and we haven't followed
+			 * any CNAME or DNAME chains.
+			 */
+			trust = dns_trust_authauthority;
+		} else {
+			trust = dns_trust_additional;
+		}
+		ttl = 0;
+	}
+
+	INSIST(trust != 0xffff);
+
+	ncrdatalist.ttl = ttl;
+
+	dns_rdataset_init(&ncrdataset);
+	RUNTIME_CHECK(dns_rdatalist_tordataset(&ncrdatalist, &ncrdataset) ==
+		      ISC_R_SUCCESS);
+	if (!secure && trust > dns_trust_answer) {
+		trust = dns_trust_answer;
+	}
+	ncrdataset.trust = trust;
+	ncrdataset.attributes |= DNS_RDATASETATTR_NEGATIVE;
+	if (message->rcode == dns_rcode_nxdomain) {
+		ncrdataset.attributes |= DNS_RDATASETATTR_NXDOMAIN;
+	}
+	if (optout) {
+		ncrdataset.attributes |= DNS_RDATASETATTR_OPTOUT;
+	}
+
+	return (dns_db_addrdataset(cache, node, NULL, now, &ncrdataset, 0,
+				   addedrdataset));
+}
+
+isc_result_t
+dns_ncache_towire(dns_rdataset_t *rdataset, dns_compress_t *cctx,
+		  isc_buffer_t *target, unsigned int options,
+		  unsigned int *countp) {
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_result_t result;
+	isc_region_t remaining, tavailable;
+	isc_buffer_t source, savedbuffer, rdlen;
+	dns_name_t name;
+	dns_rdatatype_t type;
+	unsigned int i, rcount, count;
+
+	/*
+	 * Convert the negative caching rdataset 'rdataset' to wire format,
+	 * compressing names as specified in 'cctx', and storing the result in
+	 * 'target'.
+	 */
+
+	REQUIRE(rdataset != NULL);
+	REQUIRE(rdataset->type == 0);
+	REQUIRE((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0);
+
+	savedbuffer = *target;
+	count = 0;
+
+	result = dns_rdataset_first(rdataset);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdataset_current(rdataset, &rdata);
+		isc_buffer_init(&source, rdata.data, rdata.length);
+		isc_buffer_add(&source, rdata.length);
+		dns_name_init(&name, NULL);
+		isc_buffer_remainingregion(&source, &remaining);
+		dns_name_fromregion(&name, &remaining);
+		INSIST(remaining.length >= name.length);
+		isc_buffer_forward(&source, name.length);
+		remaining.length -= name.length;
+
+		INSIST(remaining.length >= 5);
+		type = isc_buffer_getuint16(&source);
+		isc_buffer_forward(&source, 1);
+		rcount = isc_buffer_getuint16(&source);
+
+		for (i = 0; i < rcount; i++) {
+			/*
+			 * Get the length of this rdata and set up an
+			 * rdata structure for it.
+			 */
+			isc_buffer_remainingregion(&source, &remaining);
+			INSIST(remaining.length >= 2);
+			dns_rdata_reset(&rdata);
+			rdata.length = isc_buffer_getuint16(&source);
+			isc_buffer_remainingregion(&source, &remaining);
+			rdata.data = remaining.base;
+			rdata.type = type;
+			rdata.rdclass = rdataset->rdclass;
+			INSIST(remaining.length >= rdata.length);
+			isc_buffer_forward(&source, rdata.length);
+
+			if ((options & DNS_NCACHETOWIRE_OMITDNSSEC) != 0 &&
+			    dns_rdatatype_isdnssec(type))
+			{
+				continue;
+			}
+
+			/*
+			 * Write the name.
+			 */
+			dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+			result = dns_name_towire(&name, cctx, target);
+			if (result != ISC_R_SUCCESS) {
+				goto rollback;
+			}
+
+			/*
+			 * See if we have space for type, class, ttl, and
+			 * rdata length.  Write the type, class, and ttl.
+			 */
+			isc_buffer_availableregion(target, &tavailable);
+			if (tavailable.length < 10) {
+				result = ISC_R_NOSPACE;
+				goto rollback;
+			}
+			isc_buffer_putuint16(target, type);
+			isc_buffer_putuint16(target, rdataset->rdclass);
+			isc_buffer_putuint32(target, rdataset->ttl);
+
+			/*
+			 * Save space for rdata length.
+			 */
+			rdlen = *target;
+			isc_buffer_add(target, 2);
+
+			/*
+			 * Write the rdata.
+			 */
+			result = dns_rdata_towire(&rdata, cctx, target);
+			if (result != ISC_R_SUCCESS) {
+				goto rollback;
+			}
+
+			/*
+			 * Set the rdata length field to the compressed
+			 * length.
+			 */
+			INSIST((target->used >= rdlen.used + 2) &&
+			       (target->used - rdlen.used - 2 < 65536));
+			isc_buffer_putuint16(
+				&rdlen,
+				(uint16_t)(target->used - rdlen.used - 2));
+
+			count++;
+		}
+		INSIST(isc_buffer_remaininglength(&source) == 0);
+		result = dns_rdataset_next(rdataset);
+		dns_rdata_reset(&rdata);
+	}
+	if (result != ISC_R_NOMORE) {
+		goto rollback;
+	}
+
+	*countp = count;
+
+	return (ISC_R_SUCCESS);
+
+rollback:
+	INSIST(savedbuffer.used < 65536);
+	dns_compress_rollback(cctx, (uint16_t)savedbuffer.used);
+	*countp = 0;
+	*target = savedbuffer;
+
+	return (result);
+}
+
+static void
+rdataset_disassociate(dns_rdataset_t *rdataset) {
+	UNUSED(rdataset);
+}
+
+static isc_result_t
+rdataset_first(dns_rdataset_t *rdataset) {
+	unsigned char *raw = rdataset->private3;
+	unsigned int count;
+
+	count = raw[0] * 256 + raw[1];
+	if (count == 0) {
+		rdataset->private5 = NULL;
+		return (ISC_R_NOMORE);
+	}
+	raw += 2;
+	/*
+	 * The privateuint4 field is the number of rdata beyond the cursor
+	 * position, so we decrement the total count by one before storing
+	 * it.
+	 */
+	count--;
+	rdataset->privateuint4 = count;
+	rdataset->private5 = raw;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+rdataset_next(dns_rdataset_t *rdataset) {
+	unsigned int count;
+	unsigned int length;
+	unsigned char *raw;
+
+	count = rdataset->privateuint4;
+	if (count == 0) {
+		return (ISC_R_NOMORE);
+	}
+	count--;
+	rdataset->privateuint4 = count;
+	raw = rdataset->private5;
+	length = raw[0] * 256 + raw[1];
+	raw += length + 2;
+	rdataset->private5 = raw;
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
+	unsigned char *raw = rdataset->private5;
+	isc_region_t r;
+
+	REQUIRE(raw != NULL);
+
+	r.length = raw[0] * 256 + raw[1];
+	raw += 2;
+	r.base = raw;
+	dns_rdata_fromregion(rdata, rdataset->rdclass, rdataset->type, &r);
+}
+
+static void
+rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
+	*target = *source;
+
+	/*
+	 * Reset iterator state.
+	 */
+	target->privateuint4 = 0;
+	target->private5 = NULL;
+}
+
+static unsigned int
+rdataset_count(dns_rdataset_t *rdataset) {
+	unsigned char *raw = rdataset->private3;
+	unsigned int count;
+
+	count = raw[0] * 256 + raw[1];
+
+	return (count);
+}
+
+static void
+rdataset_settrust(dns_rdataset_t *rdataset, dns_trust_t trust) {
+	unsigned char *raw = rdataset->private3;
+
+	raw[-1] = (unsigned char)trust;
+	rdataset->trust = trust;
+}
+
+static dns_rdatasetmethods_t rdataset_methods = {
+	rdataset_disassociate,
+	rdataset_first,
+	rdataset_next,
+	rdataset_current,
+	rdataset_clone,
+	rdataset_count,
+	NULL,		   /* addnoqname */
+	NULL,		   /* getnoqname */
+	NULL,		   /* addclosest */
+	NULL,		   /* getclosest */
+	rdataset_settrust, /* settrust */
+	NULL,		   /* expire */
+	NULL,		   /* clearprefetch */
+	NULL,		   /* setownercase */
+	NULL,		   /* getownercase */
+	NULL		   /* addglue */
+};
+
+isc_result_t
+dns_ncache_getrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name,
+		       dns_rdatatype_t type, dns_rdataset_t *rdataset) {
+	isc_result_t result;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_region_t remaining;
+	isc_buffer_t source;
+	dns_name_t tname;
+	dns_rdatatype_t ttype;
+	dns_trust_t trust = dns_trust_none;
+	dns_rdataset_t rclone;
+
+	REQUIRE(ncacherdataset != NULL);
+	REQUIRE(ncacherdataset->type == 0);
+	REQUIRE((ncacherdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0);
+	REQUIRE(name != NULL);
+	REQUIRE(!dns_rdataset_isassociated(rdataset));
+	REQUIRE(type != dns_rdatatype_rrsig);
+
+	dns_rdataset_init(&rclone);
+	dns_rdataset_clone(ncacherdataset, &rclone);
+	result = dns_rdataset_first(&rclone);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdataset_current(&rclone, &rdata);
+		isc_buffer_init(&source, rdata.data, rdata.length);
+		isc_buffer_add(&source, rdata.length);
+		dns_name_init(&tname, NULL);
+		isc_buffer_remainingregion(&source, &remaining);
+		dns_name_fromregion(&tname, &remaining);
+		INSIST(remaining.length >= tname.length);
+		isc_buffer_forward(&source, tname.length);
+		remaining.length -= tname.length;
+
+		INSIST(remaining.length >= 3);
+		ttype = isc_buffer_getuint16(&source);
+
+		if (ttype == type && dns_name_equal(&tname, name)) {
+			trust = isc_buffer_getuint8(&source);
+			INSIST(trust <= dns_trust_ultimate);
+			isc_buffer_remainingregion(&source, &remaining);
+			break;
+		}
+		result = dns_rdataset_next(&rclone);
+		dns_rdata_reset(&rdata);
+	}
+	dns_rdataset_disassociate(&rclone);
+	if (result == ISC_R_NOMORE) {
+		return (ISC_R_NOTFOUND);
+	}
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	INSIST(remaining.length != 0);
+
+	rdataset->methods = &rdataset_methods;
+	rdataset->rdclass = ncacherdataset->rdclass;
+	rdataset->type = type;
+	rdataset->covers = 0;
+	rdataset->ttl = ncacherdataset->ttl;
+	rdataset->trust = trust;
+	rdataset->private1 = NULL;
+	rdataset->private2 = NULL;
+
+	rdataset->private3 = remaining.base;
+
+	/*
+	 * Reset iterator state.
+	 */
+	rdataset->privateuint4 = 0;
+	rdataset->private5 = NULL;
+	rdataset->private6 = NULL;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_ncache_getsigrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name,
+			  dns_rdatatype_t covers, dns_rdataset_t *rdataset) {
+	dns_name_t tname;
+	dns_rdata_rrsig_t rrsig;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdataset_t rclone;
+	dns_rdatatype_t type;
+	dns_trust_t trust = dns_trust_none;
+	isc_buffer_t source;
+	isc_region_t remaining, sigregion;
+	isc_result_t result;
+	unsigned char *raw;
+	unsigned int count;
+
+	REQUIRE(ncacherdataset != NULL);
+	REQUIRE(ncacherdataset->type == 0);
+	REQUIRE((ncacherdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0);
+	REQUIRE(name != NULL);
+	REQUIRE(!dns_rdataset_isassociated(rdataset));
+
+	dns_rdataset_init(&rclone);
+	dns_rdataset_clone(ncacherdataset, &rclone);
+	result = dns_rdataset_first(&rclone);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdataset_current(&rclone, &rdata);
+		isc_buffer_init(&source, rdata.data, rdata.length);
+		isc_buffer_add(&source, rdata.length);
+		dns_name_init(&tname, NULL);
+		isc_buffer_remainingregion(&source, &remaining);
+		dns_name_fromregion(&tname, &remaining);
+		INSIST(remaining.length >= tname.length);
+		isc_buffer_forward(&source, tname.length);
+		isc_region_consume(&remaining, tname.length);
+
+		INSIST(remaining.length >= 2);
+		type = isc_buffer_getuint16(&source);
+		isc_region_consume(&remaining, 2);
+
+		if (type != dns_rdatatype_rrsig ||
+		    !dns_name_equal(&tname, name))
+		{
+			result = dns_rdataset_next(&rclone);
+			dns_rdata_reset(&rdata);
+			continue;
+		}
+
+		INSIST(remaining.length >= 1);
+		trust = isc_buffer_getuint8(&source);
+		INSIST(trust <= dns_trust_ultimate);
+		isc_region_consume(&remaining, 1);
+
+		raw = remaining.base;
+		count = raw[0] * 256 + raw[1];
+		INSIST(count > 0);
+		raw += 2;
+		sigregion.length = raw[0] * 256 + raw[1];
+		raw += 2;
+		sigregion.base = raw;
+		dns_rdata_reset(&rdata);
+		dns_rdata_fromregion(&rdata, rdataset->rdclass,
+				     dns_rdatatype_rrsig, &sigregion);
+		(void)dns_rdata_tostruct(&rdata, &rrsig, NULL);
+		if (rrsig.covered == covers) {
+			isc_buffer_remainingregion(&source, &remaining);
+			break;
+		}
+
+		result = dns_rdataset_next(&rclone);
+		dns_rdata_reset(&rdata);
+	}
+	dns_rdataset_disassociate(&rclone);
+	if (result == ISC_R_NOMORE) {
+		return (ISC_R_NOTFOUND);
+	}
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	INSIST(remaining.length != 0);
+
+	rdataset->methods = &rdataset_methods;
+	rdataset->rdclass = ncacherdataset->rdclass;
+	rdataset->type = dns_rdatatype_rrsig;
+	rdataset->covers = covers;
+	rdataset->ttl = ncacherdataset->ttl;
+	rdataset->trust = trust;
+	rdataset->private1 = NULL;
+	rdataset->private2 = NULL;
+
+	rdataset->private3 = remaining.base;
+
+	/*
+	 * Reset iterator state.
+	 */
+	rdataset->privateuint4 = 0;
+	rdataset->private5 = NULL;
+	rdataset->private6 = NULL;
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_ncache_current(dns_rdataset_t *ncacherdataset, dns_name_t *found,
+		   dns_rdataset_t *rdataset) {
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_trust_t trust;
+	isc_region_t remaining, sigregion;
+	isc_buffer_t source;
+	dns_name_t tname;
+	dns_rdatatype_t type;
+	unsigned int count;
+	dns_rdata_rrsig_t rrsig;
+	unsigned char *raw;
+
+	REQUIRE(ncacherdataset != NULL);
+	REQUIRE(ncacherdataset->type == 0);
+	REQUIRE((ncacherdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0);
+	REQUIRE(found != NULL);
+	REQUIRE(!dns_rdataset_isassociated(rdataset));
+
+	dns_rdataset_current(ncacherdataset, &rdata);
+	isc_buffer_init(&source, rdata.data, rdata.length);
+	isc_buffer_add(&source, rdata.length);
+
+	dns_name_init(&tname, NULL);
+	isc_buffer_remainingregion(&source, &remaining);
+	dns_name_fromregion(found, &remaining);
+	INSIST(remaining.length >= found->length);
+	isc_buffer_forward(&source, found->length);
+	remaining.length -= found->length;
+
+	INSIST(remaining.length >= 5);
+	type = isc_buffer_getuint16(&source);
+	trust = isc_buffer_getuint8(&source);
+	INSIST(trust <= dns_trust_ultimate);
+	isc_buffer_remainingregion(&source, &remaining);
+
+	rdataset->methods = &rdataset_methods;
+	rdataset->rdclass = ncacherdataset->rdclass;
+	rdataset->type = type;
+	if (type == dns_rdatatype_rrsig) {
+		/*
+		 * Extract covers from RRSIG.
+		 */
+		raw = remaining.base;
+		count = raw[0] * 256 + raw[1];
+		INSIST(count > 0);
+		raw += 2;
+		sigregion.length = raw[0] * 256 + raw[1];
+		raw += 2;
+		sigregion.base = raw;
+		dns_rdata_reset(&rdata);
+		dns_rdata_fromregion(&rdata, rdataset->rdclass, rdataset->type,
+				     &sigregion);
+		(void)dns_rdata_tostruct(&rdata, &rrsig, NULL);
+		rdataset->covers = rrsig.covered;
+	} else {
+		rdataset->covers = 0;
+	}
+	rdataset->ttl = ncacherdataset->ttl;
+	rdataset->trust = trust;
+	rdataset->private1 = NULL;
+	rdataset->private2 = NULL;
+
+	rdataset->private3 = remaining.base;
+
+	/*
+	 * Reset iterator state.
+	 */
+	rdataset->privateuint4 = 0;
+	rdataset->private5 = NULL;
+	rdataset->private6 = NULL;
+}
diff --git a/lib/dns/nsec.c b/lib/dns/nsec.c
new file mode 100644
index 0000000..3089c9e
--- /dev/null
+++ b/lib/dns/nsec.c
@@ -0,0 +1,466 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <stdbool.h>
+
+#include <isc/log.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/nsec.h>
+#include <dns/rdata.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatastruct.h>
+#include <dns/result.h>
+
+#include <dst/dst.h>
+
+#define RETERR(x)                            \
+	do {                                 \
+		result = (x);                \
+		if (result != ISC_R_SUCCESS) \
+			goto failure;        \
+	} while (0)
+
+void
+dns_nsec_setbit(unsigned char *array, unsigned int type, unsigned int bit) {
+	unsigned int shift, mask;
+
+	shift = 7 - (type % 8);
+	mask = 1 << shift;
+
+	if (bit != 0) {
+		array[type / 8] |= mask;
+	} else {
+		array[type / 8] &= (~mask & 0xFF);
+	}
+}
+
+bool
+dns_nsec_isset(const unsigned char *array, unsigned int type) {
+	unsigned int byte, shift, mask;
+
+	byte = array[type / 8];
+	shift = 7 - (type % 8);
+	mask = 1 << shift;
+
+	return ((byte & mask) != 0);
+}
+
+unsigned int
+dns_nsec_compressbitmap(unsigned char *map, const unsigned char *raw,
+			unsigned int max_type) {
+	unsigned char *start = map;
+	unsigned int window;
+	int octet;
+
+	if (raw == NULL) {
+		return (0);
+	}
+
+	for (window = 0; window < 256; window++) {
+		if (window * 256 > max_type) {
+			break;
+		}
+		for (octet = 31; octet >= 0; octet--) {
+			if (*(raw + octet) != 0) {
+				break;
+			}
+		}
+		if (octet < 0) {
+			raw += 32;
+			continue;
+		}
+		*map++ = window;
+		*map++ = octet + 1;
+		/*
+		 * Note: potential overlapping move.
+		 */
+		memmove(map, raw, octet + 1);
+		map += octet + 1;
+		raw += 32;
+	}
+	return ((unsigned int)(map - start));
+}
+
+isc_result_t
+dns_nsec_buildrdata(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
+		    const dns_name_t *target, unsigned char *buffer,
+		    dns_rdata_t *rdata) {
+	isc_result_t result;
+	dns_rdataset_t rdataset;
+	isc_region_t r;
+	unsigned int i;
+
+	unsigned char *nsec_bits, *bm;
+	unsigned int max_type;
+	dns_rdatasetiter_t *rdsiter;
+
+	REQUIRE(target != NULL);
+
+	memset(buffer, 0, DNS_NSEC_BUFFERSIZE);
+	dns_name_toregion(target, &r);
+	memmove(buffer, r.base, r.length);
+	r.base = buffer;
+	/*
+	 * Use the end of the space for a raw bitmap leaving enough
+	 * space for the window identifiers and length octets.
+	 */
+	bm = r.base + r.length + 512;
+	nsec_bits = r.base + r.length;
+	dns_nsec_setbit(bm, dns_rdatatype_rrsig, 1);
+	dns_nsec_setbit(bm, dns_rdatatype_nsec, 1);
+	max_type = dns_rdatatype_nsec;
+	dns_rdataset_init(&rdataset);
+	rdsiter = NULL;
+	result = dns_db_allrdatasets(db, node, version, 0, 0, &rdsiter);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	for (result = dns_rdatasetiter_first(rdsiter); result == ISC_R_SUCCESS;
+	     result = dns_rdatasetiter_next(rdsiter))
+	{
+		dns_rdatasetiter_current(rdsiter, &rdataset);
+		if (rdataset.type != dns_rdatatype_nsec &&
+		    rdataset.type != dns_rdatatype_nsec3 &&
+		    rdataset.type != dns_rdatatype_rrsig)
+		{
+			if (rdataset.type > max_type) {
+				max_type = rdataset.type;
+			}
+			dns_nsec_setbit(bm, rdataset.type, 1);
+		}
+		dns_rdataset_disassociate(&rdataset);
+	}
+
+	/*
+	 * At zone cuts, deny the existence of glue in the parent zone.
+	 */
+	if (dns_nsec_isset(bm, dns_rdatatype_ns) &&
+	    !dns_nsec_isset(bm, dns_rdatatype_soa))
+	{
+		for (i = 0; i <= max_type; i++) {
+			if (dns_nsec_isset(bm, i) &&
+			    !dns_rdatatype_iszonecutauth((dns_rdatatype_t)i))
+			{
+				dns_nsec_setbit(bm, i, 0);
+			}
+		}
+	}
+
+	dns_rdatasetiter_destroy(&rdsiter);
+	if (result != ISC_R_NOMORE) {
+		return (result);
+	}
+
+	nsec_bits += dns_nsec_compressbitmap(nsec_bits, bm, max_type);
+
+	r.length = (unsigned int)(nsec_bits - r.base);
+	INSIST(r.length <= DNS_NSEC_BUFFERSIZE);
+	dns_rdata_fromregion(rdata, dns_db_class(db), dns_rdatatype_nsec, &r);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_nsec_build(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
+	       const dns_name_t *target, dns_ttl_t ttl) {
+	isc_result_t result;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	unsigned char data[DNS_NSEC_BUFFERSIZE];
+	dns_rdatalist_t rdatalist;
+	dns_rdataset_t rdataset;
+
+	dns_rdataset_init(&rdataset);
+	dns_rdata_init(&rdata);
+
+	RETERR(dns_nsec_buildrdata(db, version, node, target, data, &rdata));
+
+	dns_rdatalist_init(&rdatalist);
+	rdatalist.rdclass = dns_db_class(db);
+	rdatalist.type = dns_rdatatype_nsec;
+	rdatalist.ttl = ttl;
+	ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
+	RETERR(dns_rdatalist_tordataset(&rdatalist, &rdataset));
+	result = dns_db_addrdataset(db, node, version, 0, &rdataset, 0, NULL);
+	if (result == DNS_R_UNCHANGED) {
+		result = ISC_R_SUCCESS;
+	}
+
+failure:
+	if (dns_rdataset_isassociated(&rdataset)) {
+		dns_rdataset_disassociate(&rdataset);
+	}
+	return (result);
+}
+
+bool
+dns_nsec_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type) {
+	dns_rdata_nsec_t nsecstruct;
+	isc_result_t result;
+	bool present;
+	unsigned int i, len, window;
+
+	REQUIRE(nsec != NULL);
+	REQUIRE(nsec->type == dns_rdatatype_nsec);
+
+	/* This should never fail */
+	result = dns_rdata_tostruct(nsec, &nsecstruct, NULL);
+	INSIST(result == ISC_R_SUCCESS);
+
+	present = false;
+	for (i = 0; i < nsecstruct.len; i += len) {
+		INSIST(i + 2 <= nsecstruct.len);
+		window = nsecstruct.typebits[i];
+		len = nsecstruct.typebits[i + 1];
+		INSIST(len > 0 && len <= 32);
+		i += 2;
+		INSIST(i + len <= nsecstruct.len);
+		if (window * 256 > type) {
+			break;
+		}
+		if ((window + 1) * 256 <= type) {
+			continue;
+		}
+		if (type < (window * 256) + len * 8) {
+			present = dns_nsec_isset(&nsecstruct.typebits[i],
+						 type % 256);
+		}
+		break;
+	}
+	dns_rdata_freestruct(&nsecstruct);
+	return (present);
+}
+
+isc_result_t
+dns_nsec_nseconly(dns_db_t *db, dns_dbversion_t *version, bool *answer) {
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+	dns_rdata_dnskey_t dnskey;
+	isc_result_t result;
+
+	REQUIRE(answer != NULL);
+
+	dns_rdataset_init(&rdataset);
+
+	result = dns_db_getoriginnode(db, &node);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey, 0,
+				     0, &rdataset, NULL);
+	dns_db_detachnode(db, &node);
+
+	if (result == ISC_R_NOTFOUND) {
+		*answer = false;
+	}
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &dnskey, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		if (dnskey.algorithm == DST_ALG_RSAMD5 ||
+		    dnskey.algorithm == DST_ALG_RSASHA1)
+		{
+			break;
+		}
+	}
+	dns_rdataset_disassociate(&rdataset);
+	if (result == ISC_R_SUCCESS) {
+		*answer = true;
+	}
+	if (result == ISC_R_NOMORE) {
+		*answer = false;
+		result = ISC_R_SUCCESS;
+	}
+	return (result);
+}
+
+/*%
+ * Return ISC_R_SUCCESS if we can determine that the name doesn't exist
+ * or we can determine whether there is data or not at the name.
+ * If the name does not exist return the wildcard name.
+ *
+ * Return ISC_R_IGNORE when the NSEC is not the appropriate one.
+ */
+isc_result_t
+dns_nsec_noexistnodata(dns_rdatatype_t type, const dns_name_t *name,
+		       const dns_name_t *nsecname, dns_rdataset_t *nsecset,
+		       bool *exists, bool *data, dns_name_t *wild,
+		       dns_nseclog_t logit, void *arg) {
+	int order;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_result_t result;
+	dns_namereln_t relation;
+	unsigned int olabels, nlabels, labels;
+	dns_rdata_nsec_t nsec;
+	bool atparent;
+	bool ns;
+	bool soa;
+
+	REQUIRE(exists != NULL);
+	REQUIRE(data != NULL);
+	REQUIRE(nsecset != NULL && nsecset->type == dns_rdatatype_nsec);
+
+	result = dns_rdataset_first(nsecset);
+	if (result != ISC_R_SUCCESS) {
+		(*logit)(arg, ISC_LOG_DEBUG(3), "failure processing NSEC set");
+		return (result);
+	}
+	dns_rdataset_current(nsecset, &rdata);
+
+	(*logit)(arg, ISC_LOG_DEBUG(3), "looking for relevant NSEC");
+	relation = dns_name_fullcompare(name, nsecname, &order, &olabels);
+
+	if (order < 0) {
+		/*
+		 * The name is not within the NSEC range.
+		 */
+		(*logit)(arg, ISC_LOG_DEBUG(3),
+			 "NSEC does not cover name, before NSEC");
+		return (ISC_R_IGNORE);
+	}
+
+	if (order == 0) {
+		/*
+		 * The names are the same.   If we are validating "."
+		 * then atparent should not be set as there is no parent.
+		 */
+		atparent = (olabels != 1) && dns_rdatatype_atparent(type);
+		ns = dns_nsec_typepresent(&rdata, dns_rdatatype_ns);
+		soa = dns_nsec_typepresent(&rdata, dns_rdatatype_soa);
+		if (ns && !soa) {
+			if (!atparent) {
+				/*
+				 * This NSEC record is from somewhere higher in
+				 * the DNS, and at the parent of a delegation.
+				 * It can not be legitimately used here.
+				 */
+				(*logit)(arg, ISC_LOG_DEBUG(3),
+					 "ignoring parent nsec");
+				return (ISC_R_IGNORE);
+			}
+		} else if (atparent && ns && soa) {
+			/*
+			 * This NSEC record is from the child.
+			 * It can not be legitimately used here.
+			 */
+			(*logit)(arg, ISC_LOG_DEBUG(3), "ignoring child nsec");
+			return (ISC_R_IGNORE);
+		}
+		if (type == dns_rdatatype_cname || type == dns_rdatatype_nxt ||
+		    type == dns_rdatatype_nsec || type == dns_rdatatype_key ||
+		    !dns_nsec_typepresent(&rdata, dns_rdatatype_cname))
+		{
+			*exists = true;
+			*data = dns_nsec_typepresent(&rdata, type);
+			(*logit)(arg, ISC_LOG_DEBUG(3),
+				 "nsec proves name exists (owner) data=%d",
+				 *data);
+			return (ISC_R_SUCCESS);
+		}
+		(*logit)(arg, ISC_LOG_DEBUG(3), "NSEC proves CNAME exists");
+		return (ISC_R_IGNORE);
+	}
+
+	if (relation == dns_namereln_subdomain &&
+	    dns_nsec_typepresent(&rdata, dns_rdatatype_ns) &&
+	    !dns_nsec_typepresent(&rdata, dns_rdatatype_soa))
+	{
+		/*
+		 * This NSEC record is from somewhere higher in
+		 * the DNS, and at the parent of a delegation or
+		 * at a DNAME.
+		 * It can not be legitimately used here.
+		 */
+		(*logit)(arg, ISC_LOG_DEBUG(3), "ignoring parent nsec");
+		return (ISC_R_IGNORE);
+	}
+
+	if (relation == dns_namereln_subdomain &&
+	    dns_nsec_typepresent(&rdata, dns_rdatatype_dname))
+	{
+		(*logit)(arg, ISC_LOG_DEBUG(3), "nsec proves covered by dname");
+		*exists = false;
+		return (DNS_R_DNAME);
+	}
+
+	result = dns_rdata_tostruct(&rdata, &nsec, NULL);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	relation = dns_name_fullcompare(&nsec.next, name, &order, &nlabels);
+	if (order == 0) {
+		dns_rdata_freestruct(&nsec);
+		(*logit)(arg, ISC_LOG_DEBUG(3),
+			 "ignoring nsec matches next name");
+		return (ISC_R_IGNORE);
+	}
+
+	if (order < 0 && !dns_name_issubdomain(nsecname, &nsec.next)) {
+		/*
+		 * The name is not within the NSEC range.
+		 */
+		dns_rdata_freestruct(&nsec);
+		(*logit)(arg, ISC_LOG_DEBUG(3),
+			 "ignoring nsec because name is past end of range");
+		return (ISC_R_IGNORE);
+	}
+
+	if (order > 0 && relation == dns_namereln_subdomain) {
+		(*logit)(arg, ISC_LOG_DEBUG(3),
+			 "nsec proves name exist (empty)");
+		dns_rdata_freestruct(&nsec);
+		*exists = true;
+		*data = false;
+		return (ISC_R_SUCCESS);
+	}
+	if (wild != NULL) {
+		dns_name_t common;
+		dns_name_init(&common, NULL);
+		if (olabels > nlabels) {
+			labels = dns_name_countlabels(nsecname);
+			dns_name_getlabelsequence(nsecname, labels - olabels,
+						  olabels, &common);
+		} else {
+			labels = dns_name_countlabels(&nsec.next);
+			dns_name_getlabelsequence(&nsec.next, labels - nlabels,
+						  nlabels, &common);
+		}
+		result = dns_name_concatenate(dns_wildcardname, &common, wild,
+					      NULL);
+		if (result != ISC_R_SUCCESS) {
+			dns_rdata_freestruct(&nsec);
+			(*logit)(arg, ISC_LOG_DEBUG(3),
+				 "failure generating wildcard name");
+			return (result);
+		}
+	}
+	dns_rdata_freestruct(&nsec);
+	(*logit)(arg, ISC_LOG_DEBUG(3), "nsec range ok");
+	*exists = false;
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c
new file mode 100644
index 0000000..7f68580
--- /dev/null
+++ b/lib/dns/nsec3.c
@@ -0,0 +1,2195 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/base32.h>
+#include <isc/buffer.h>
+#include <isc/hex.h>
+#include <isc/iterated_hash.h>
+#include <isc/md.h>
+#include <isc/nonce.h>
+#include <isc/safe.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/compress.h>
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/diff.h>
+#include <dns/fixedname.h>
+#include <dns/nsec.h>
+#include <dns/nsec3.h>
+#include <dns/rdata.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatastruct.h>
+#include <dns/result.h>
+#include <dns/zone.h>
+
+#include <dst/dst.h>
+
+#define CHECK(x)                             \
+	do {                                 \
+		result = (x);                \
+		if (result != ISC_R_SUCCESS) \
+			goto failure;        \
+	} while (0)
+
+#define OPTOUT(x)  (((x)&DNS_NSEC3FLAG_OPTOUT) != 0)
+#define CREATE(x)  (((x)&DNS_NSEC3FLAG_CREATE) != 0)
+#define INITIAL(x) (((x)&DNS_NSEC3FLAG_INITIAL) != 0)
+#define REMOVE(x)  (((x)&DNS_NSEC3FLAG_REMOVE) != 0)
+
+isc_result_t
+dns_nsec3_buildrdata(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
+		     unsigned int hashalg, unsigned int flags,
+		     unsigned int iterations, const unsigned char *salt,
+		     size_t salt_length, const unsigned char *nexthash,
+		     size_t hash_length, unsigned char *buffer,
+		     dns_rdata_t *rdata) {
+	isc_result_t result;
+	dns_rdataset_t rdataset;
+	isc_region_t r;
+	unsigned int i;
+	bool found;
+	bool found_ns;
+	bool need_rrsig;
+
+	unsigned char *nsec_bits, *bm;
+	unsigned int max_type;
+	dns_rdatasetiter_t *rdsiter;
+	unsigned char *p;
+
+	REQUIRE(salt_length < 256U);
+	REQUIRE(hash_length < 256U);
+	REQUIRE(flags <= 0xffU);
+	REQUIRE(hashalg <= 0xffU);
+	REQUIRE(iterations <= 0xffffU);
+
+	switch (hashalg) {
+	case dns_hash_sha1:
+		REQUIRE(hash_length == ISC_SHA1_DIGESTLENGTH);
+		break;
+	}
+
+	memset(buffer, 0, DNS_NSEC3_BUFFERSIZE);
+
+	p = buffer;
+
+	*p++ = hashalg;
+	*p++ = flags;
+
+	*p++ = iterations >> 8;
+	*p++ = iterations;
+
+	*p++ = (unsigned char)salt_length;
+	memmove(p, salt, salt_length);
+	p += salt_length;
+
+	*p++ = (unsigned char)hash_length;
+	memmove(p, nexthash, hash_length);
+	p += hash_length;
+
+	r.length = (unsigned int)(p - buffer);
+	r.base = buffer;
+
+	/*
+	 * Use the end of the space for a raw bitmap leaving enough
+	 * space for the window identifiers and length octets.
+	 */
+	bm = r.base + r.length + 512;
+	nsec_bits = r.base + r.length;
+	max_type = 0;
+	if (node == NULL) {
+		goto collapse_bitmap;
+	}
+	dns_rdataset_init(&rdataset);
+	rdsiter = NULL;
+	result = dns_db_allrdatasets(db, node, version, 0, 0, &rdsiter);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	found = found_ns = need_rrsig = false;
+	for (result = dns_rdatasetiter_first(rdsiter); result == ISC_R_SUCCESS;
+	     result = dns_rdatasetiter_next(rdsiter))
+	{
+		dns_rdatasetiter_current(rdsiter, &rdataset);
+		if (rdataset.type != dns_rdatatype_nsec &&
+		    rdataset.type != dns_rdatatype_nsec3 &&
+		    rdataset.type != dns_rdatatype_rrsig)
+		{
+			if (rdataset.type > max_type) {
+				max_type = rdataset.type;
+			}
+			dns_nsec_setbit(bm, rdataset.type, 1);
+			/*
+			 * Work out if we need to set the RRSIG bit for
+			 * this node.  We set the RRSIG bit if either of
+			 * the following conditions are met:
+			 * 1) We have a SOA or DS then we need to set
+			 *    the RRSIG bit as both always will be signed.
+			 * 2) We set the RRSIG bit if we don't have
+			 *    a NS record but do have other data.
+			 */
+			if (rdataset.type == dns_rdatatype_soa ||
+			    rdataset.type == dns_rdatatype_ds)
+			{
+				need_rrsig = true;
+			} else if (rdataset.type == dns_rdatatype_ns) {
+				found_ns = true;
+			} else {
+				found = true;
+			}
+		}
+		dns_rdataset_disassociate(&rdataset);
+	}
+	if ((found && !found_ns) || need_rrsig) {
+		if (dns_rdatatype_rrsig > max_type) {
+			max_type = dns_rdatatype_rrsig;
+		}
+		dns_nsec_setbit(bm, dns_rdatatype_rrsig, 1);
+	}
+
+	/*
+	 * At zone cuts, deny the existence of glue in the parent zone.
+	 */
+	if (dns_nsec_isset(bm, dns_rdatatype_ns) &&
+	    !dns_nsec_isset(bm, dns_rdatatype_soa))
+	{
+		for (i = 0; i <= max_type; i++) {
+			if (dns_nsec_isset(bm, i) &&
+			    !dns_rdatatype_iszonecutauth((dns_rdatatype_t)i))
+			{
+				dns_nsec_setbit(bm, i, 0);
+			}
+		}
+	}
+
+	dns_rdatasetiter_destroy(&rdsiter);
+	if (result != ISC_R_NOMORE) {
+		return (result);
+	}
+
+collapse_bitmap:
+	nsec_bits += dns_nsec_compressbitmap(nsec_bits, bm, max_type);
+	r.length = (unsigned int)(nsec_bits - r.base);
+	INSIST(r.length <= DNS_NSEC3_BUFFERSIZE);
+	dns_rdata_fromregion(rdata, dns_db_class(db), dns_rdatatype_nsec3, &r);
+
+	return (ISC_R_SUCCESS);
+}
+
+bool
+dns_nsec3_typepresent(dns_rdata_t *rdata, dns_rdatatype_t type) {
+	dns_rdata_nsec3_t nsec3;
+	isc_result_t result;
+	bool present;
+	unsigned int i, len, window;
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_nsec3);
+
+	/* This should never fail */
+	result = dns_rdata_tostruct(rdata, &nsec3, NULL);
+	INSIST(result == ISC_R_SUCCESS);
+
+	present = false;
+	for (i = 0; i < nsec3.len; i += len) {
+		INSIST(i + 2 <= nsec3.len);
+		window = nsec3.typebits[i];
+		len = nsec3.typebits[i + 1];
+		INSIST(len > 0 && len <= 32);
+		i += 2;
+		INSIST(i + len <= nsec3.len);
+		if (window * 256 > type) {
+			break;
+		}
+		if ((window + 1) * 256 <= type) {
+			continue;
+		}
+		if (type < (window * 256) + len * 8) {
+			present = dns_nsec_isset(&nsec3.typebits[i],
+						 type % 256);
+		}
+		break;
+	}
+	dns_rdata_freestruct(&nsec3);
+	return (present);
+}
+
+isc_result_t
+dns_nsec3_generate_salt(unsigned char *salt, size_t saltlen) {
+	if (saltlen > 255U) {
+		return (ISC_R_RANGE);
+	}
+	isc_nonce_buf(salt, saltlen);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_nsec3_hashname(dns_fixedname_t *result,
+		   unsigned char rethash[NSEC3_MAX_HASH_LENGTH],
+		   size_t *hash_length, const dns_name_t *name,
+		   const dns_name_t *origin, dns_hash_t hashalg,
+		   unsigned int iterations, const unsigned char *salt,
+		   size_t saltlength) {
+	unsigned char hash[NSEC3_MAX_HASH_LENGTH];
+	unsigned char nametext[DNS_NAME_FORMATSIZE];
+	dns_fixedname_t fixed;
+	dns_name_t *downcased;
+	isc_buffer_t namebuffer;
+	isc_region_t region;
+	size_t len;
+
+	if (rethash == NULL) {
+		rethash = hash;
+	}
+
+	memset(rethash, 0, NSEC3_MAX_HASH_LENGTH);
+
+	downcased = dns_fixedname_initname(&fixed);
+	dns_name_downcase(name, downcased, NULL);
+
+	/* hash the node name */
+	len = isc_iterated_hash(rethash, hashalg, iterations, salt,
+				(int)saltlength, downcased->ndata,
+				downcased->length);
+	if (len == 0U) {
+		return (DNS_R_BADALG);
+	}
+
+	if (hash_length != NULL) {
+		*hash_length = len;
+	}
+
+	/* convert the hash to base32hex non-padded */
+	region.base = rethash;
+	region.length = (unsigned int)len;
+	isc_buffer_init(&namebuffer, nametext, sizeof nametext);
+	isc_base32hexnp_totext(&region, 1, "", &namebuffer);
+
+	/* convert the hex to a domain name */
+	dns_fixedname_init(result);
+	return (dns_name_fromtext(dns_fixedname_name(result), &namebuffer,
+				  origin, 0, NULL));
+}
+
+unsigned int
+dns_nsec3_hashlength(dns_hash_t hash) {
+	switch (hash) {
+	case dns_hash_sha1:
+		return (ISC_SHA1_DIGESTLENGTH);
+	}
+	return (0);
+}
+
+bool
+dns_nsec3_supportedhash(dns_hash_t hash) {
+	switch (hash) {
+	case dns_hash_sha1:
+		return (true);
+	}
+	return (false);
+}
+
+/*%
+ * Update a single RR in version 'ver' of 'db' and log the
+ * update in 'diff'.
+ *
+ * Ensures:
+ * \li  '*tuple' == NULL.  Either the tuple is freed, or its
+ *      ownership has been transferred to the diff.
+ */
+static isc_result_t
+do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
+	     dns_diff_t *diff) {
+	dns_diff_t temp_diff;
+	isc_result_t result;
+
+	/*
+	 * Create a singleton diff.
+	 */
+	dns_diff_init(diff->mctx, &temp_diff);
+	ISC_LIST_APPEND(temp_diff.tuples, *tuple, link);
+
+	/*
+	 * Apply it to the database.
+	 */
+	result = dns_diff_apply(&temp_diff, db, ver);
+	ISC_LIST_UNLINK(temp_diff.tuples, *tuple, link);
+	if (result != ISC_R_SUCCESS) {
+		dns_difftuple_free(tuple);
+		return (result);
+	}
+
+	/*
+	 * Merge it into the current pending journal entry.
+	 */
+	dns_diff_appendminimal(diff, tuple);
+
+	/*
+	 * Do not clear temp_diff.
+	 */
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Set '*exists' to true iff the given name exists, to false otherwise.
+ */
+static isc_result_t
+name_exists(dns_db_t *db, dns_dbversion_t *version, const dns_name_t *name,
+	    bool *exists) {
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	dns_rdatasetiter_t *iter = NULL;
+
+	result = dns_db_findnode(db, name, false, &node);
+	if (result == ISC_R_NOTFOUND) {
+		*exists = false;
+		return (ISC_R_SUCCESS);
+	}
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = dns_db_allrdatasets(db, node, version, 0, (isc_stdtime_t)0,
+				     &iter);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_node;
+	}
+
+	result = dns_rdatasetiter_first(iter);
+	if (result == ISC_R_SUCCESS) {
+		*exists = true;
+	} else if (result == ISC_R_NOMORE) {
+		*exists = false;
+		result = ISC_R_SUCCESS;
+	} else {
+		*exists = false;
+	}
+	dns_rdatasetiter_destroy(&iter);
+
+cleanup_node:
+	dns_db_detachnode(db, &node);
+	return (result);
+}
+
+static bool
+match_nsec3param(const dns_rdata_nsec3_t *nsec3,
+		 const dns_rdata_nsec3param_t *nsec3param) {
+	if (nsec3->hash == nsec3param->hash &&
+	    nsec3->iterations == nsec3param->iterations &&
+	    nsec3->salt_length == nsec3param->salt_length &&
+	    !memcmp(nsec3->salt, nsec3param->salt, nsec3->salt_length))
+	{
+		return (true);
+	}
+	return (false);
+}
+
+/*%
+ * Delete NSEC3 records at "name" which match "param", recording the
+ * change in "diff".
+ */
+static isc_result_t
+delnsec3(dns_db_t *db, dns_dbversion_t *version, const dns_name_t *name,
+	 const dns_rdata_nsec3param_t *nsec3param, dns_diff_t *diff) {
+	dns_dbnode_t *node = NULL;
+	dns_difftuple_t *tuple = NULL;
+	dns_rdata_nsec3_t nsec3;
+	dns_rdataset_t rdataset;
+	isc_result_t result;
+
+	result = dns_db_findnsec3node(db, name, false, &node);
+	if (result == ISC_R_NOTFOUND) {
+		return (ISC_R_SUCCESS);
+	}
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(db, node, version, dns_rdatatype_nsec3, 0,
+				     (isc_stdtime_t)0, &rdataset, NULL);
+
+	if (result == ISC_R_NOTFOUND) {
+		result = ISC_R_SUCCESS;
+		goto cleanup_node;
+	}
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_node;
+	}
+
+	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_rdataset_current(&rdataset, &rdata);
+		CHECK(dns_rdata_tostruct(&rdata, &nsec3, NULL));
+
+		if (!match_nsec3param(&nsec3, nsec3param)) {
+			continue;
+		}
+
+		result = dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL, name,
+					      rdataset.ttl, &rdata, &tuple);
+		if (result != ISC_R_SUCCESS) {
+			goto failure;
+		}
+		result = do_one_tuple(&tuple, db, version, diff);
+		if (result != ISC_R_SUCCESS) {
+			goto failure;
+		}
+	}
+	if (result != ISC_R_NOMORE) {
+		goto failure;
+	}
+	result = ISC_R_SUCCESS;
+
+failure:
+	dns_rdataset_disassociate(&rdataset);
+cleanup_node:
+	dns_db_detachnode(db, &node);
+
+	return (result);
+}
+
+static bool
+better_param(dns_rdataset_t *nsec3paramset, dns_rdata_t *param) {
+	dns_rdataset_t rdataset;
+	isc_result_t result;
+
+	if (REMOVE(param->data[1])) {
+		return (true);
+	}
+
+	dns_rdataset_init(&rdataset);
+	dns_rdataset_clone(nsec3paramset, &rdataset);
+	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+
+		if (rdataset.type != dns_rdatatype_nsec3param) {
+			dns_rdata_t tmprdata = DNS_RDATA_INIT;
+			dns_rdataset_current(&rdataset, &tmprdata);
+			if (!dns_nsec3param_fromprivate(&tmprdata, &rdata, buf,
+							sizeof(buf)))
+			{
+				continue;
+			}
+		} else {
+			dns_rdataset_current(&rdataset, &rdata);
+		}
+
+		if (rdata.length != param->length) {
+			continue;
+		}
+		if (rdata.data[0] != param->data[0] || REMOVE(rdata.data[1]) ||
+		    rdata.data[2] != param->data[2] ||
+		    rdata.data[3] != param->data[3] ||
+		    rdata.data[4] != param->data[4] ||
+		    memcmp(&rdata.data[5], &param->data[5], param->data[4]))
+		{
+			continue;
+		}
+		if (CREATE(rdata.data[1]) && !CREATE(param->data[1])) {
+			dns_rdataset_disassociate(&rdataset);
+			return (true);
+		}
+	}
+	dns_rdataset_disassociate(&rdataset);
+	return (false);
+}
+
+static isc_result_t
+find_nsec3(dns_rdata_nsec3_t *nsec3, dns_rdataset_t *rdataset,
+	   const dns_rdata_nsec3param_t *nsec3param) {
+	isc_result_t result;
+	for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(rdataset))
+	{
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(rdataset, &rdata);
+		CHECK(dns_rdata_tostruct(&rdata, nsec3, NULL));
+		dns_rdata_reset(&rdata);
+		if (match_nsec3param(nsec3, nsec3param)) {
+			break;
+		}
+	}
+failure:
+	return (result);
+}
+
+isc_result_t
+dns_nsec3_addnsec3(dns_db_t *db, dns_dbversion_t *version,
+		   const dns_name_t *name,
+		   const dns_rdata_nsec3param_t *nsec3param, dns_ttl_t nsecttl,
+		   bool unsecure, dns_diff_t *diff) {
+	dns_dbiterator_t *dbit = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_dbnode_t *newnode = NULL;
+	dns_difftuple_t *tuple = NULL;
+	dns_fixedname_t fixed;
+	dns_fixedname_t fprev;
+	dns_hash_t hash;
+	dns_name_t *hashname;
+	dns_name_t *origin;
+	dns_name_t *prev;
+	dns_name_t empty;
+	dns_rdata_nsec3_t nsec3;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdataset_t rdataset;
+	int pass;
+	bool exists = false;
+	bool maybe_remove_unsecure = false;
+	uint8_t flags;
+	isc_buffer_t buffer;
+	isc_result_t result;
+	unsigned char *old_next;
+	unsigned char *salt;
+	unsigned char nexthash[NSEC3_MAX_HASH_LENGTH];
+	unsigned char nsec3buf[DNS_NSEC3_BUFFERSIZE];
+	unsigned int iterations;
+	unsigned int labels;
+	size_t next_length;
+	unsigned int old_length;
+	unsigned int salt_length;
+
+	hashname = dns_fixedname_initname(&fixed);
+	prev = dns_fixedname_initname(&fprev);
+
+	dns_rdataset_init(&rdataset);
+
+	origin = dns_db_origin(db);
+
+	/*
+	 * Chain parameters.
+	 */
+	hash = nsec3param->hash;
+	iterations = nsec3param->iterations;
+	salt_length = nsec3param->salt_length;
+	salt = nsec3param->salt;
+
+	/*
+	 * Default flags for a new chain.
+	 */
+	flags = nsec3param->flags & DNS_NSEC3FLAG_OPTOUT;
+
+	/*
+	 * If this is the first NSEC3 in the chain nexthash will
+	 * remain pointing to itself.
+	 */
+	next_length = sizeof(nexthash);
+	CHECK(dns_nsec3_hashname(&fixed, nexthash, &next_length, name, origin,
+				 hash, iterations, salt, salt_length));
+	INSIST(next_length <= sizeof(nexthash));
+
+	/*
+	 * Create the node if it doesn't exist and hold
+	 * a reference to it until we have added the NSEC3.
+	 */
+	CHECK(dns_db_findnsec3node(db, hashname, true, &newnode));
+
+	/*
+	 * Seek the iterator to the 'newnode'.
+	 */
+	CHECK(dns_db_createiterator(db, DNS_DB_NSEC3ONLY, &dbit));
+	CHECK(dns_dbiterator_seek(dbit, hashname));
+	CHECK(dns_dbiterator_pause(dbit));
+	result = dns_db_findrdataset(db, newnode, version, dns_rdatatype_nsec3,
+				     0, (isc_stdtime_t)0, &rdataset, NULL);
+	/*
+	 * If we updating a existing NSEC3 then find its
+	 * next field.
+	 */
+	if (result == ISC_R_SUCCESS) {
+		result = find_nsec3(&nsec3, &rdataset, nsec3param);
+		if (result == ISC_R_SUCCESS) {
+			if (!CREATE(nsec3param->flags)) {
+				flags = nsec3.flags;
+			}
+			next_length = nsec3.next_length;
+			INSIST(next_length <= sizeof(nexthash));
+			memmove(nexthash, nsec3.next, next_length);
+			dns_rdataset_disassociate(&rdataset);
+			/*
+			 * If the NSEC3 is not for a unsecure delegation then
+			 * we are just updating it.  If it is for a unsecure
+			 * delegation then we need find out if we need to
+			 * remove the NSEC3 record or not by examining the
+			 * previous NSEC3 record.
+			 */
+			if (!unsecure) {
+				goto addnsec3;
+			} else if (CREATE(nsec3param->flags) && OPTOUT(flags)) {
+				result = dns_nsec3_delnsec3(db, version, name,
+							    nsec3param, diff);
+				goto failure;
+			} else {
+				maybe_remove_unsecure = true;
+			}
+		} else {
+			dns_rdataset_disassociate(&rdataset);
+			if (result != ISC_R_NOMORE) {
+				goto failure;
+			}
+		}
+	}
+
+	/*
+	 * Find the previous NSEC3 (if any) and update it if required.
+	 */
+	pass = 0;
+	do {
+		result = dns_dbiterator_prev(dbit);
+		if (result == ISC_R_NOMORE) {
+			pass++;
+			CHECK(dns_dbiterator_last(dbit));
+		}
+		CHECK(dns_dbiterator_current(dbit, &node, prev));
+		CHECK(dns_dbiterator_pause(dbit));
+		result = dns_db_findrdataset(db, node, version,
+					     dns_rdatatype_nsec3, 0,
+					     (isc_stdtime_t)0, &rdataset, NULL);
+		dns_db_detachnode(db, &node);
+		if (result != ISC_R_SUCCESS) {
+			continue;
+		}
+
+		result = find_nsec3(&nsec3, &rdataset, nsec3param);
+		if (result == ISC_R_NOMORE) {
+			dns_rdataset_disassociate(&rdataset);
+			continue;
+		}
+		if (result != ISC_R_SUCCESS) {
+			goto failure;
+		}
+
+		if (maybe_remove_unsecure) {
+			dns_rdataset_disassociate(&rdataset);
+			/*
+			 * If we have OPTOUT set in the previous NSEC3 record
+			 * we actually need to delete the NSEC3 record.
+			 * Otherwise we just need to replace the NSEC3 record.
+			 */
+			if (OPTOUT(nsec3.flags)) {
+				result = dns_nsec3_delnsec3(db, version, name,
+							    nsec3param, diff);
+				goto failure;
+			}
+			goto addnsec3;
+		} else {
+			/*
+			 * Is this is a unsecure delegation we are adding?
+			 * If so no change is required.
+			 */
+			if (OPTOUT(nsec3.flags) && unsecure) {
+				dns_rdataset_disassociate(&rdataset);
+				goto failure;
+			}
+		}
+
+		old_next = nsec3.next;
+		old_length = nsec3.next_length;
+
+		/*
+		 * Delete the old previous NSEC3.
+		 */
+		CHECK(delnsec3(db, version, prev, nsec3param, diff));
+
+		/*
+		 * Fixup the previous NSEC3.
+		 */
+		nsec3.next = nexthash;
+		nsec3.next_length = (unsigned char)next_length;
+		isc_buffer_init(&buffer, nsec3buf, sizeof(nsec3buf));
+		CHECK(dns_rdata_fromstruct(&rdata, rdataset.rdclass,
+					   dns_rdatatype_nsec3, &nsec3,
+					   &buffer));
+		CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, prev,
+					   rdataset.ttl, &rdata, &tuple));
+		CHECK(do_one_tuple(&tuple, db, version, diff));
+		INSIST(old_length <= sizeof(nexthash));
+		memmove(nexthash, old_next, old_length);
+		if (!CREATE(nsec3param->flags)) {
+			flags = nsec3.flags;
+		}
+		dns_rdata_reset(&rdata);
+		dns_rdataset_disassociate(&rdataset);
+		break;
+	} while (pass < 2);
+
+addnsec3:
+	/*
+	 * Create the NSEC3 RDATA.
+	 */
+	CHECK(dns_db_findnode(db, name, false, &node));
+	CHECK(dns_nsec3_buildrdata(db, version, node, hash, flags, iterations,
+				   salt, salt_length, nexthash, next_length,
+				   nsec3buf, &rdata));
+	dns_db_detachnode(db, &node);
+
+	/*
+	 * Delete the old NSEC3 and record the change.
+	 */
+	CHECK(delnsec3(db, version, hashname, nsec3param, diff));
+	/*
+	 * Add the new NSEC3 and record the change.
+	 */
+	CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, hashname,
+				   nsecttl, &rdata, &tuple));
+	CHECK(do_one_tuple(&tuple, db, version, diff));
+	INSIST(tuple == NULL);
+	dns_rdata_reset(&rdata);
+	dns_db_detachnode(db, &newnode);
+
+	/*
+	 * Add missing NSEC3 records for empty nodes
+	 */
+	dns_name_init(&empty, NULL);
+	dns_name_clone(name, &empty);
+	do {
+		labels = dns_name_countlabels(&empty) - 1;
+		if (labels <= dns_name_countlabels(origin)) {
+			break;
+		}
+		dns_name_getlabelsequence(&empty, 1, labels, &empty);
+		CHECK(name_exists(db, version, &empty, &exists));
+		if (exists) {
+			break;
+		}
+		CHECK(dns_nsec3_hashname(&fixed, nexthash, &next_length, &empty,
+					 origin, hash, iterations, salt,
+					 salt_length));
+
+		/*
+		 * Create the node if it doesn't exist and hold
+		 * a reference to it until we have added the NSEC3
+		 * or we discover we don't need to add make a change.
+		 */
+		CHECK(dns_db_findnsec3node(db, hashname, true, &newnode));
+		result = dns_db_findrdataset(db, newnode, version,
+					     dns_rdatatype_nsec3, 0,
+					     (isc_stdtime_t)0, &rdataset, NULL);
+		if (result == ISC_R_SUCCESS) {
+			result = find_nsec3(&nsec3, &rdataset, nsec3param);
+			dns_rdataset_disassociate(&rdataset);
+			if (result == ISC_R_SUCCESS) {
+				dns_db_detachnode(db, &newnode);
+				break;
+			}
+			if (result != ISC_R_NOMORE) {
+				goto failure;
+			}
+		}
+
+		/*
+		 * Find the previous NSEC3 and update it.
+		 */
+		CHECK(dns_dbiterator_seek(dbit, hashname));
+		pass = 0;
+		do {
+			result = dns_dbiterator_prev(dbit);
+			if (result == ISC_R_NOMORE) {
+				pass++;
+				CHECK(dns_dbiterator_last(dbit));
+			}
+			CHECK(dns_dbiterator_current(dbit, &node, prev));
+			CHECK(dns_dbiterator_pause(dbit));
+			result = dns_db_findrdataset(
+				db, node, version, dns_rdatatype_nsec3, 0,
+				(isc_stdtime_t)0, &rdataset, NULL);
+			dns_db_detachnode(db, &node);
+			if (result != ISC_R_SUCCESS) {
+				continue;
+			}
+			result = find_nsec3(&nsec3, &rdataset, nsec3param);
+			if (result == ISC_R_NOMORE) {
+				dns_rdataset_disassociate(&rdataset);
+				continue;
+			}
+			if (result != ISC_R_SUCCESS) {
+				goto failure;
+			}
+
+			old_next = nsec3.next;
+			old_length = nsec3.next_length;
+
+			/*
+			 * Delete the old previous NSEC3.
+			 */
+			CHECK(delnsec3(db, version, prev, nsec3param, diff));
+
+			/*
+			 * Fixup the previous NSEC3.
+			 */
+			nsec3.next = nexthash;
+			nsec3.next_length = (unsigned char)next_length;
+			isc_buffer_init(&buffer, nsec3buf, sizeof(nsec3buf));
+			CHECK(dns_rdata_fromstruct(&rdata, rdataset.rdclass,
+						   dns_rdatatype_nsec3, &nsec3,
+						   &buffer));
+			CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
+						   prev, rdataset.ttl, &rdata,
+						   &tuple));
+			CHECK(do_one_tuple(&tuple, db, version, diff));
+			INSIST(old_length <= sizeof(nexthash));
+			memmove(nexthash, old_next, old_length);
+			if (!CREATE(nsec3param->flags)) {
+				flags = nsec3.flags;
+			}
+			dns_rdata_reset(&rdata);
+			dns_rdataset_disassociate(&rdataset);
+			break;
+		} while (pass < 2);
+
+		INSIST(pass < 2);
+
+		/*
+		 * Create the NSEC3 RDATA for the empty node.
+		 */
+		CHECK(dns_nsec3_buildrdata(
+			db, version, NULL, hash, flags, iterations, salt,
+			salt_length, nexthash, next_length, nsec3buf, &rdata));
+		/*
+		 * Delete the old NSEC3 and record the change.
+		 */
+		CHECK(delnsec3(db, version, hashname, nsec3param, diff));
+
+		/*
+		 * Add the new NSEC3 and record the change.
+		 */
+		CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, hashname,
+					   nsecttl, &rdata, &tuple));
+		CHECK(do_one_tuple(&tuple, db, version, diff));
+		INSIST(tuple == NULL);
+		dns_rdata_reset(&rdata);
+		dns_db_detachnode(db, &newnode);
+	} while (1);
+
+	/* result cannot be ISC_R_NOMORE here */
+	INSIST(result != ISC_R_NOMORE);
+
+failure:
+	if (dbit != NULL) {
+		dns_dbiterator_destroy(&dbit);
+	}
+	if (dns_rdataset_isassociated(&rdataset)) {
+		dns_rdataset_disassociate(&rdataset);
+	}
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+	if (newnode != NULL) {
+		dns_db_detachnode(db, &newnode);
+	}
+	return (result);
+}
+
+/*%
+ * Add NSEC3 records for "name", recording the change in "diff".
+ * The existing NSEC3 records are removed.
+ */
+isc_result_t
+dns_nsec3_addnsec3s(dns_db_t *db, dns_dbversion_t *version,
+		    const dns_name_t *name, dns_ttl_t nsecttl, bool unsecure,
+		    dns_diff_t *diff) {
+	dns_dbnode_t *node = NULL;
+	dns_rdata_nsec3param_t nsec3param;
+	dns_rdataset_t rdataset;
+	isc_result_t result;
+
+	dns_rdataset_init(&rdataset);
+
+	/*
+	 * Find the NSEC3 parameters for this zone.
+	 */
+	result = dns_db_getoriginnode(db, &node);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = dns_db_findrdataset(db, node, version,
+				     dns_rdatatype_nsec3param, 0, 0, &rdataset,
+				     NULL);
+	dns_db_detachnode(db, &node);
+	if (result == ISC_R_NOTFOUND) {
+		return (ISC_R_SUCCESS);
+	}
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	/*
+	 * Update each active NSEC3 chain.
+	 */
+	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&rdataset, &rdata);
+		CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
+
+		if (nsec3param.flags != 0) {
+			continue;
+		}
+		/*
+		 * We have a active chain.  Update it.
+		 */
+		CHECK(dns_nsec3_addnsec3(db, version, name, &nsec3param,
+					 nsecttl, unsecure, diff));
+	}
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+	}
+
+failure:
+	if (dns_rdataset_isassociated(&rdataset)) {
+		dns_rdataset_disassociate(&rdataset);
+	}
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+
+	return (result);
+}
+
+bool
+dns_nsec3param_fromprivate(dns_rdata_t *src, dns_rdata_t *target,
+			   unsigned char *buf, size_t buflen) {
+	dns_decompress_t dctx;
+	isc_result_t result;
+	isc_buffer_t buf1;
+	isc_buffer_t buf2;
+
+	/*
+	 * Algorithm 0 (reserved by RFC 4034) is used to identify
+	 * NSEC3PARAM records from DNSKEY pointers.
+	 */
+	if (src->length < 1 || src->data[0] != 0) {
+		return (false);
+	}
+
+	isc_buffer_init(&buf1, src->data + 1, src->length - 1);
+	isc_buffer_add(&buf1, src->length - 1);
+	isc_buffer_setactive(&buf1, src->length - 1);
+	isc_buffer_init(&buf2, buf, (unsigned int)buflen);
+	dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_NONE);
+	result = dns_rdata_fromwire(target, src->rdclass,
+				    dns_rdatatype_nsec3param, &buf1, &dctx, 0,
+				    &buf2);
+	dns_decompress_invalidate(&dctx);
+
+	return (result == ISC_R_SUCCESS);
+}
+
+void
+dns_nsec3param_toprivate(dns_rdata_t *src, dns_rdata_t *target,
+			 dns_rdatatype_t privatetype, unsigned char *buf,
+			 size_t buflen) {
+	REQUIRE(buflen >= src->length + 1);
+
+	REQUIRE(DNS_RDATA_INITIALIZED(target));
+
+	memmove(buf + 1, src->data, src->length);
+	buf[0] = 0;
+	target->data = buf;
+	target->length = src->length + 1;
+	target->type = privatetype;
+	target->rdclass = src->rdclass;
+	target->flags = 0;
+	ISC_LINK_INIT(target, link);
+}
+
+static isc_result_t
+rr_exists(dns_db_t *db, dns_dbversion_t *ver, const dns_name_t *name,
+	  const dns_rdata_t *rdata, bool *flag) {
+	dns_rdataset_t rdataset;
+	dns_dbnode_t *node = NULL;
+	isc_result_t result;
+
+	dns_rdataset_init(&rdataset);
+	if (rdata->type == dns_rdatatype_nsec3) {
+		CHECK(dns_db_findnsec3node(db, name, false, &node));
+	} else {
+		CHECK(dns_db_findnode(db, name, false, &node));
+	}
+	result = dns_db_findrdataset(db, node, ver, rdata->type, 0,
+				     (isc_stdtime_t)0, &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND) {
+		*flag = false;
+		result = ISC_R_SUCCESS;
+		goto failure;
+	}
+
+	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		dns_rdata_t myrdata = DNS_RDATA_INIT;
+		dns_rdataset_current(&rdataset, &myrdata);
+		if (!dns_rdata_casecompare(&myrdata, rdata)) {
+			break;
+		}
+	}
+	dns_rdataset_disassociate(&rdataset);
+	if (result == ISC_R_SUCCESS) {
+		*flag = true;
+	} else if (result == ISC_R_NOMORE) {
+		*flag = false;
+		result = ISC_R_SUCCESS;
+	}
+
+failure:
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+	return (result);
+}
+
+isc_result_t
+dns_nsec3param_salttotext(dns_rdata_nsec3param_t *nsec3param, char *dst,
+			  size_t dstlen) {
+	isc_result_t result;
+	isc_region_t r;
+	isc_buffer_t b;
+
+	REQUIRE(nsec3param != NULL);
+	REQUIRE(dst != NULL);
+
+	if (nsec3param->salt_length == 0) {
+		if (dstlen < 2U) {
+			return (ISC_R_NOSPACE);
+		}
+		strlcpy(dst, "-", dstlen);
+		return (ISC_R_SUCCESS);
+	}
+
+	r.base = nsec3param->salt;
+	r.length = nsec3param->salt_length;
+	isc_buffer_init(&b, dst, (unsigned int)dstlen);
+
+	result = isc_hex_totext(&r, 2, "", &b);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	if (isc_buffer_availablelength(&b) < 1) {
+		return (ISC_R_NOSPACE);
+	}
+	isc_buffer_putuint8(&b, 0);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_nsec3param_deletechains(dns_db_t *db, dns_dbversion_t *ver,
+			    dns_zone_t *zone, bool nonsec, dns_diff_t *diff) {
+	dns_dbnode_t *node = NULL;
+	dns_difftuple_t *tuple = NULL;
+	dns_name_t next;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdataset_t rdataset;
+	bool flag;
+	isc_result_t result = ISC_R_SUCCESS;
+	unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE + 1];
+	dns_name_t *origin = dns_zone_getorigin(zone);
+	dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
+
+	dns_name_init(&next, NULL);
+	dns_rdataset_init(&rdataset);
+
+	result = dns_db_getoriginnode(db, &node);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	/*
+	 * Cause all NSEC3 chains to be deleted.
+	 */
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param, 0,
+				     (isc_stdtime_t)0, &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND) {
+		goto try_private;
+	}
+	if (result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+
+	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		dns_rdata_t private = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&rdataset, &rdata);
+
+		CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL, origin,
+					   rdataset.ttl, &rdata, &tuple));
+		CHECK(do_one_tuple(&tuple, db, ver, diff));
+		INSIST(tuple == NULL);
+
+		dns_nsec3param_toprivate(&rdata, &private, privatetype, buf,
+					 sizeof(buf));
+		buf[2] = DNS_NSEC3FLAG_REMOVE;
+		if (nonsec) {
+			buf[2] |= DNS_NSEC3FLAG_NONSEC;
+		}
+
+		CHECK(rr_exists(db, ver, origin, &private, &flag));
+
+		if (!flag) {
+			CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
+						   origin, 0, &private,
+						   &tuple));
+			CHECK(do_one_tuple(&tuple, db, ver, diff));
+			INSIST(tuple == NULL);
+		}
+		dns_rdata_reset(&rdata);
+	}
+	if (result != ISC_R_NOMORE) {
+		goto failure;
+	}
+
+	dns_rdataset_disassociate(&rdataset);
+
+try_private:
+	if (privatetype == 0) {
+		goto success;
+	}
+	result = dns_db_findrdataset(db, node, ver, privatetype, 0,
+				     (isc_stdtime_t)0, &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND) {
+		goto success;
+	}
+	if (result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+
+	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		dns_rdata_reset(&rdata);
+		dns_rdataset_current(&rdataset, &rdata);
+		INSIST(rdata.length <= sizeof(buf));
+		memmove(buf, rdata.data, rdata.length);
+
+		/*
+		 * Private NSEC3 record length >= 6.
+		 * <0(1), hash(1), flags(1), iterations(2), saltlen(1)>
+		 */
+		if (rdata.length < 6 || buf[0] != 0 ||
+		    (buf[2] & DNS_NSEC3FLAG_REMOVE) != 0 ||
+		    (nonsec && (buf[2] & DNS_NSEC3FLAG_NONSEC) != 0))
+		{
+			continue;
+		}
+
+		CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL, origin,
+					   0, &rdata, &tuple));
+		CHECK(do_one_tuple(&tuple, db, ver, diff));
+		INSIST(tuple == NULL);
+
+		rdata.data = buf;
+		buf[2] = DNS_NSEC3FLAG_REMOVE;
+		if (nonsec) {
+			buf[2] |= DNS_NSEC3FLAG_NONSEC;
+		}
+
+		CHECK(rr_exists(db, ver, origin, &rdata, &flag));
+
+		if (!flag) {
+			CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
+						   origin, 0, &rdata, &tuple));
+			CHECK(do_one_tuple(&tuple, db, ver, diff));
+			INSIST(tuple == NULL);
+		}
+	}
+	if (result != ISC_R_NOMORE) {
+		goto failure;
+	}
+success:
+	result = ISC_R_SUCCESS;
+
+failure:
+	if (dns_rdataset_isassociated(&rdataset)) {
+		dns_rdataset_disassociate(&rdataset);
+	}
+	dns_db_detachnode(db, &node);
+	return (result);
+}
+
+isc_result_t
+dns_nsec3_addnsec3sx(dns_db_t *db, dns_dbversion_t *version,
+		     const dns_name_t *name, dns_ttl_t nsecttl, bool unsecure,
+		     dns_rdatatype_t type, dns_diff_t *diff) {
+	dns_dbnode_t *node = NULL;
+	dns_rdata_nsec3param_t nsec3param;
+	dns_rdataset_t rdataset;
+	dns_rdataset_t prdataset;
+	isc_result_t result;
+
+	dns_rdataset_init(&rdataset);
+	dns_rdataset_init(&prdataset);
+
+	/*
+	 * Find the NSEC3 parameters for this zone.
+	 */
+	result = dns_db_getoriginnode(db, &node);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = dns_db_findrdataset(db, node, version, type, 0, 0, &prdataset,
+				     NULL);
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
+		goto failure;
+	}
+
+	result = dns_db_findrdataset(db, node, version,
+				     dns_rdatatype_nsec3param, 0, 0, &rdataset,
+				     NULL);
+	if (result == ISC_R_NOTFOUND) {
+		goto try_private;
+	}
+	if (result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+
+	/*
+	 * Update each active NSEC3 chain.
+	 */
+	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&rdataset, &rdata);
+		CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
+
+		if (nsec3param.flags != 0) {
+			continue;
+		}
+
+		/*
+		 * We have a active chain.  Update it.
+		 */
+		CHECK(dns_nsec3_addnsec3(db, version, name, &nsec3param,
+					 nsecttl, unsecure, diff));
+	}
+	if (result != ISC_R_NOMORE) {
+		goto failure;
+	}
+
+	dns_rdataset_disassociate(&rdataset);
+
+try_private:
+	if (!dns_rdataset_isassociated(&prdataset)) {
+		goto success;
+	}
+	/*
+	 * Update each active NSEC3 chain.
+	 */
+	for (result = dns_rdataset_first(&prdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&prdataset))
+	{
+		dns_rdata_t rdata1 = DNS_RDATA_INIT;
+		dns_rdata_t rdata2 = DNS_RDATA_INIT;
+		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+
+		dns_rdataset_current(&prdataset, &rdata1);
+		if (!dns_nsec3param_fromprivate(&rdata1, &rdata2, buf,
+						sizeof(buf)))
+		{
+			continue;
+		}
+		CHECK(dns_rdata_tostruct(&rdata2, &nsec3param, NULL));
+
+		if ((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0) {
+			continue;
+		}
+		if (better_param(&prdataset, &rdata2)) {
+			continue;
+		}
+
+		/*
+		 * We have a active chain.  Update it.
+		 */
+		CHECK(dns_nsec3_addnsec3(db, version, name, &nsec3param,
+					 nsecttl, unsecure, diff));
+	}
+	if (result == ISC_R_NOMORE) {
+	success:
+		result = ISC_R_SUCCESS;
+	}
+failure:
+	if (dns_rdataset_isassociated(&rdataset)) {
+		dns_rdataset_disassociate(&rdataset);
+	}
+	if (dns_rdataset_isassociated(&prdataset)) {
+		dns_rdataset_disassociate(&prdataset);
+	}
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+
+	return (result);
+}
+
+/*%
+ * Determine whether any NSEC3 records that were associated with
+ * 'name' should be deleted or if they should continue to exist.
+ * true indicates they should be deleted.
+ * false indicates they should be retained.
+ */
+static isc_result_t
+deleteit(dns_db_t *db, dns_dbversion_t *ver, const dns_name_t *name,
+	 bool *yesno) {
+	isc_result_t result;
+	dns_fixedname_t foundname;
+	dns_fixedname_init(&foundname);
+
+	result = dns_db_find(db, name, ver, dns_rdatatype_any,
+			     DNS_DBFIND_GLUEOK | DNS_DBFIND_NOWILD,
+			     (isc_stdtime_t)0, NULL,
+			     dns_fixedname_name(&foundname), NULL, NULL);
+	if (result == DNS_R_EMPTYNAME || result == ISC_R_SUCCESS ||
+	    result == DNS_R_ZONECUT)
+	{
+		*yesno = false;
+		return (ISC_R_SUCCESS);
+	}
+	if (result == DNS_R_GLUE || result == DNS_R_DNAME ||
+	    result == DNS_R_DELEGATION || result == DNS_R_NXDOMAIN)
+	{
+		*yesno = true;
+		return (ISC_R_SUCCESS);
+	}
+	/*
+	 * Silence compiler.
+	 */
+	*yesno = true;
+	return (result);
+}
+
+isc_result_t
+dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version,
+		   const dns_name_t *name,
+		   const dns_rdata_nsec3param_t *nsec3param, dns_diff_t *diff) {
+	dns_dbiterator_t *dbit = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_difftuple_t *tuple = NULL;
+	dns_fixedname_t fixed;
+	dns_fixedname_t fprev;
+	dns_hash_t hash;
+	dns_name_t *hashname;
+	dns_name_t *origin;
+	dns_name_t *prev;
+	dns_name_t empty;
+	dns_rdata_nsec3_t nsec3;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdataset_t rdataset;
+	int pass;
+	bool yesno;
+	isc_buffer_t buffer;
+	isc_result_t result;
+	unsigned char *salt;
+	unsigned char nexthash[NSEC3_MAX_HASH_LENGTH];
+	unsigned char nsec3buf[DNS_NSEC3_BUFFERSIZE];
+	unsigned int iterations;
+	unsigned int labels;
+	size_t next_length;
+	unsigned int salt_length;
+
+	hashname = dns_fixedname_initname(&fixed);
+	prev = dns_fixedname_initname(&fprev);
+
+	dns_rdataset_init(&rdataset);
+
+	origin = dns_db_origin(db);
+
+	/*
+	 * Chain parameters.
+	 */
+	hash = nsec3param->hash;
+	iterations = nsec3param->iterations;
+	salt_length = nsec3param->salt_length;
+	salt = nsec3param->salt;
+
+	/*
+	 * If this is the first NSEC3 in the chain nexthash will
+	 * remain pointing to itself.
+	 */
+	next_length = sizeof(nexthash);
+	CHECK(dns_nsec3_hashname(&fixed, nexthash, &next_length, name, origin,
+				 hash, iterations, salt, salt_length));
+
+	CHECK(dns_db_createiterator(db, DNS_DB_NSEC3ONLY, &dbit));
+
+	result = dns_dbiterator_seek(dbit, hashname);
+	if (result == ISC_R_NOTFOUND || result == DNS_R_PARTIALMATCH) {
+		goto cleanup_orphaned_ents;
+	}
+	if (result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+
+	CHECK(dns_dbiterator_current(dbit, &node, NULL));
+	CHECK(dns_dbiterator_pause(dbit));
+	result = dns_db_findrdataset(db, node, version, dns_rdatatype_nsec3, 0,
+				     (isc_stdtime_t)0, &rdataset, NULL);
+	dns_db_detachnode(db, &node);
+	if (result == ISC_R_NOTFOUND) {
+		goto cleanup_orphaned_ents;
+	}
+	if (result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+
+	/*
+	 * If we find a existing NSEC3 for this chain then save the
+	 * next field.
+	 */
+	result = find_nsec3(&nsec3, &rdataset, nsec3param);
+	if (result == ISC_R_SUCCESS) {
+		next_length = nsec3.next_length;
+		INSIST(next_length <= sizeof(nexthash));
+		memmove(nexthash, nsec3.next, next_length);
+	}
+	dns_rdataset_disassociate(&rdataset);
+	if (result == ISC_R_NOMORE) {
+		goto success;
+	}
+	if (result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+
+	/*
+	 * Find the previous NSEC3 and update it.
+	 */
+	pass = 0;
+	do {
+		result = dns_dbiterator_prev(dbit);
+		if (result == ISC_R_NOMORE) {
+			pass++;
+			CHECK(dns_dbiterator_last(dbit));
+		}
+		CHECK(dns_dbiterator_current(dbit, &node, prev));
+		CHECK(dns_dbiterator_pause(dbit));
+		result = dns_db_findrdataset(db, node, version,
+					     dns_rdatatype_nsec3, 0,
+					     (isc_stdtime_t)0, &rdataset, NULL);
+		dns_db_detachnode(db, &node);
+		if (result != ISC_R_SUCCESS) {
+			continue;
+		}
+		result = find_nsec3(&nsec3, &rdataset, nsec3param);
+		if (result == ISC_R_NOMORE) {
+			dns_rdataset_disassociate(&rdataset);
+			continue;
+		}
+		if (result != ISC_R_SUCCESS) {
+			goto failure;
+		}
+
+		/*
+		 * Delete the old previous NSEC3.
+		 */
+		CHECK(delnsec3(db, version, prev, nsec3param, diff));
+
+		/*
+		 * Fixup the previous NSEC3.
+		 */
+		nsec3.next = nexthash;
+		nsec3.next_length = (unsigned char)next_length;
+		if (CREATE(nsec3param->flags)) {
+			nsec3.flags = nsec3param->flags & DNS_NSEC3FLAG_OPTOUT;
+		}
+		isc_buffer_init(&buffer, nsec3buf, sizeof(nsec3buf));
+		CHECK(dns_rdata_fromstruct(&rdata, rdataset.rdclass,
+					   dns_rdatatype_nsec3, &nsec3,
+					   &buffer));
+		CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, prev,
+					   rdataset.ttl, &rdata, &tuple));
+		CHECK(do_one_tuple(&tuple, db, version, diff));
+		dns_rdata_reset(&rdata);
+		dns_rdataset_disassociate(&rdataset);
+		break;
+	} while (pass < 2);
+
+	/*
+	 * Delete the old NSEC3 and record the change.
+	 */
+	CHECK(delnsec3(db, version, hashname, nsec3param, diff));
+
+	/*
+	 *  Delete NSEC3 records for now non active nodes.
+	 */
+cleanup_orphaned_ents:
+	dns_name_init(&empty, NULL);
+	dns_name_clone(name, &empty);
+	do {
+		labels = dns_name_countlabels(&empty) - 1;
+		if (labels <= dns_name_countlabels(origin)) {
+			break;
+		}
+		dns_name_getlabelsequence(&empty, 1, labels, &empty);
+		CHECK(deleteit(db, version, &empty, &yesno));
+		if (!yesno) {
+			break;
+		}
+
+		CHECK(dns_nsec3_hashname(&fixed, nexthash, &next_length, &empty,
+					 origin, hash, iterations, salt,
+					 salt_length));
+		result = dns_dbiterator_seek(dbit, hashname);
+		if (result == ISC_R_NOTFOUND || result == DNS_R_PARTIALMATCH) {
+			goto success;
+		}
+		if (result != ISC_R_SUCCESS) {
+			goto failure;
+		}
+
+		CHECK(dns_dbiterator_current(dbit, &node, NULL));
+		CHECK(dns_dbiterator_pause(dbit));
+		result = dns_db_findrdataset(db, node, version,
+					     dns_rdatatype_nsec3, 0,
+					     (isc_stdtime_t)0, &rdataset, NULL);
+		dns_db_detachnode(db, &node);
+		if (result == ISC_R_NOTFOUND) {
+			goto success;
+		}
+		if (result != ISC_R_SUCCESS) {
+			goto failure;
+		}
+
+		result = find_nsec3(&nsec3, &rdataset, nsec3param);
+		if (result == ISC_R_SUCCESS) {
+			next_length = nsec3.next_length;
+			INSIST(next_length <= sizeof(nexthash));
+			memmove(nexthash, nsec3.next, next_length);
+		}
+		dns_rdataset_disassociate(&rdataset);
+		if (result == ISC_R_NOMORE) {
+			goto success;
+		}
+		if (result != ISC_R_SUCCESS) {
+			goto failure;
+		}
+
+		pass = 0;
+		do {
+			result = dns_dbiterator_prev(dbit);
+			if (result == ISC_R_NOMORE) {
+				pass++;
+				CHECK(dns_dbiterator_last(dbit));
+			}
+			CHECK(dns_dbiterator_current(dbit, &node, prev));
+			CHECK(dns_dbiterator_pause(dbit));
+			result = dns_db_findrdataset(
+				db, node, version, dns_rdatatype_nsec3, 0,
+				(isc_stdtime_t)0, &rdataset, NULL);
+			dns_db_detachnode(db, &node);
+			if (result != ISC_R_SUCCESS) {
+				continue;
+			}
+			result = find_nsec3(&nsec3, &rdataset, nsec3param);
+			if (result == ISC_R_NOMORE) {
+				dns_rdataset_disassociate(&rdataset);
+				continue;
+			}
+			if (result != ISC_R_SUCCESS) {
+				goto failure;
+			}
+
+			/*
+			 * Delete the old previous NSEC3.
+			 */
+			CHECK(delnsec3(db, version, prev, nsec3param, diff));
+
+			/*
+			 * Fixup the previous NSEC3.
+			 */
+			nsec3.next = nexthash;
+			nsec3.next_length = (unsigned char)next_length;
+			isc_buffer_init(&buffer, nsec3buf, sizeof(nsec3buf));
+			CHECK(dns_rdata_fromstruct(&rdata, rdataset.rdclass,
+						   dns_rdatatype_nsec3, &nsec3,
+						   &buffer));
+			CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
+						   prev, rdataset.ttl, &rdata,
+						   &tuple));
+			CHECK(do_one_tuple(&tuple, db, version, diff));
+			dns_rdata_reset(&rdata);
+			dns_rdataset_disassociate(&rdataset);
+			break;
+		} while (pass < 2);
+
+		INSIST(pass < 2);
+
+		/*
+		 * Delete the old NSEC3 and record the change.
+		 */
+		CHECK(delnsec3(db, version, hashname, nsec3param, diff));
+	} while (1);
+
+success:
+	result = ISC_R_SUCCESS;
+
+failure:
+	if (dbit != NULL) {
+		dns_dbiterator_destroy(&dbit);
+	}
+	if (dns_rdataset_isassociated(&rdataset)) {
+		dns_rdataset_disassociate(&rdataset);
+	}
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+	return (result);
+}
+
+isc_result_t
+dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version,
+		    const dns_name_t *name, dns_diff_t *diff) {
+	return (dns_nsec3_delnsec3sx(db, version, name, 0, diff));
+}
+
+isc_result_t
+dns_nsec3_delnsec3sx(dns_db_t *db, dns_dbversion_t *version,
+		     const dns_name_t *name, dns_rdatatype_t privatetype,
+		     dns_diff_t *diff) {
+	dns_dbnode_t *node = NULL;
+	dns_rdata_nsec3param_t nsec3param;
+	dns_rdataset_t rdataset;
+	isc_result_t result;
+
+	dns_rdataset_init(&rdataset);
+
+	/*
+	 * Find the NSEC3 parameters for this zone.
+	 */
+	result = dns_db_getoriginnode(db, &node);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = dns_db_findrdataset(db, node, version,
+				     dns_rdatatype_nsec3param, 0, 0, &rdataset,
+				     NULL);
+	if (result == ISC_R_NOTFOUND) {
+		goto try_private;
+	}
+	if (result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+
+	/*
+	 * Update each active NSEC3 chain.
+	 */
+	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&rdataset, &rdata);
+		CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
+
+		if (nsec3param.flags != 0) {
+			continue;
+		}
+		/*
+		 * We have a active chain.  Update it.
+		 */
+		CHECK(dns_nsec3_delnsec3(db, version, name, &nsec3param, diff));
+	}
+	dns_rdataset_disassociate(&rdataset);
+
+try_private:
+	if (privatetype == 0) {
+		goto success;
+	}
+	result = dns_db_findrdataset(db, node, version, privatetype, 0, 0,
+				     &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND) {
+		goto success;
+	}
+	if (result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+
+	/*
+	 * Update each NSEC3 chain being built.
+	 */
+	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		dns_rdata_t rdata1 = DNS_RDATA_INIT;
+		dns_rdata_t rdata2 = DNS_RDATA_INIT;
+		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+
+		dns_rdataset_current(&rdataset, &rdata1);
+		if (!dns_nsec3param_fromprivate(&rdata1, &rdata2, buf,
+						sizeof(buf)))
+		{
+			continue;
+		}
+		CHECK(dns_rdata_tostruct(&rdata2, &nsec3param, NULL));
+
+		if ((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0) {
+			continue;
+		}
+		if (better_param(&rdataset, &rdata2)) {
+			continue;
+		}
+
+		/*
+		 * We have a active chain.  Update it.
+		 */
+		CHECK(dns_nsec3_delnsec3(db, version, name, &nsec3param, diff));
+	}
+	if (result == ISC_R_NOMORE) {
+	success:
+		result = ISC_R_SUCCESS;
+	}
+
+failure:
+	if (dns_rdataset_isassociated(&rdataset)) {
+		dns_rdataset_disassociate(&rdataset);
+	}
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+
+	return (result);
+}
+
+isc_result_t
+dns_nsec3_active(dns_db_t *db, dns_dbversion_t *version, bool complete,
+		 bool *answer) {
+	return (dns_nsec3_activex(db, version, complete, 0, answer));
+}
+
+isc_result_t
+dns_nsec3_activex(dns_db_t *db, dns_dbversion_t *version, bool complete,
+		  dns_rdatatype_t privatetype, bool *answer) {
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+	dns_rdata_nsec3param_t nsec3param;
+	isc_result_t result;
+
+	REQUIRE(answer != NULL);
+
+	dns_rdataset_init(&rdataset);
+
+	result = dns_db_getoriginnode(db, &node);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = dns_db_findrdataset(db, node, version,
+				     dns_rdatatype_nsec3param, 0, 0, &rdataset,
+				     NULL);
+
+	if (result == ISC_R_NOTFOUND) {
+		goto try_private;
+	}
+
+	if (result != ISC_R_SUCCESS) {
+		dns_db_detachnode(db, &node);
+		return (result);
+	}
+	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		if (nsec3param.flags == 0) {
+			break;
+		}
+	}
+	dns_rdataset_disassociate(&rdataset);
+	if (result == ISC_R_SUCCESS) {
+		dns_db_detachnode(db, &node);
+		*answer = true;
+		return (ISC_R_SUCCESS);
+	}
+	if (result == ISC_R_NOMORE) {
+		*answer = false;
+	}
+
+try_private:
+	if (privatetype == 0 || complete) {
+		dns_db_detachnode(db, &node);
+		*answer = false;
+		return (ISC_R_SUCCESS);
+	}
+	result = dns_db_findrdataset(db, node, version, privatetype, 0, 0,
+				     &rdataset, NULL);
+
+	dns_db_detachnode(db, &node);
+	if (result == ISC_R_NOTFOUND) {
+		*answer = false;
+		return (ISC_R_SUCCESS);
+	}
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		dns_rdata_t rdata1 = DNS_RDATA_INIT;
+		dns_rdata_t rdata2 = DNS_RDATA_INIT;
+		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+
+		dns_rdataset_current(&rdataset, &rdata1);
+		if (!dns_nsec3param_fromprivate(&rdata1, &rdata2, buf,
+						sizeof(buf)))
+		{
+			continue;
+		}
+		result = dns_rdata_tostruct(&rdata2, &nsec3param, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		if (!complete && CREATE(nsec3param.flags)) {
+			break;
+		}
+	}
+	dns_rdataset_disassociate(&rdataset);
+	if (result == ISC_R_SUCCESS) {
+		*answer = true;
+		result = ISC_R_SUCCESS;
+	}
+	if (result == ISC_R_NOMORE) {
+		*answer = false;
+		result = ISC_R_SUCCESS;
+	}
+
+	return (result);
+}
+
+unsigned int
+dns_nsec3_maxiterations(void) {
+	return (DNS_NSEC3_MAXITERATIONS);
+}
+
+isc_result_t
+dns_nsec3_noexistnodata(dns_rdatatype_t type, const dns_name_t *name,
+			const dns_name_t *nsec3name, dns_rdataset_t *nsec3set,
+			dns_name_t *zonename, bool *exists, bool *data,
+			bool *optout, bool *unknown, bool *setclosest,
+			bool *setnearest, dns_name_t *closest,
+			dns_name_t *nearest, dns_nseclog_t logit, void *arg) {
+	char namebuf[DNS_NAME_FORMATSIZE];
+	dns_fixedname_t fzone;
+	dns_fixedname_t qfixed;
+	dns_label_t hashlabel;
+	dns_name_t *qname;
+	dns_name_t *zone;
+	dns_rdata_nsec3_t nsec3;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	int order;
+	int scope;
+	bool atparent;
+	bool first;
+	bool ns;
+	bool soa;
+	isc_buffer_t buffer;
+	isc_result_t answer = ISC_R_IGNORE;
+	isc_result_t result;
+	unsigned char hash[NSEC3_MAX_HASH_LENGTH];
+	unsigned char owner[NSEC3_MAX_HASH_LENGTH];
+	unsigned int length;
+	unsigned int qlabels;
+	unsigned int zlabels;
+
+	REQUIRE((exists == NULL && data == NULL) ||
+		(exists != NULL && data != NULL));
+	REQUIRE(nsec3set != NULL && nsec3set->type == dns_rdatatype_nsec3);
+	REQUIRE((setclosest == NULL && closest == NULL) ||
+		(setclosest != NULL && closest != NULL));
+	REQUIRE((setnearest == NULL && nearest == NULL) ||
+		(setnearest != NULL && nearest != NULL));
+
+	result = dns_rdataset_first(nsec3set);
+	if (result != ISC_R_SUCCESS) {
+		(*logit)(arg, ISC_LOG_DEBUG(3), "failure processing NSEC3 set");
+		return (result);
+	}
+
+	dns_rdataset_current(nsec3set, &rdata);
+
+	result = dns_rdata_tostruct(&rdata, &nsec3, NULL);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	(*logit)(arg, ISC_LOG_DEBUG(3), "looking for relevant NSEC3");
+
+	zone = dns_fixedname_initname(&fzone);
+	zlabels = dns_name_countlabels(nsec3name);
+
+	/*
+	 * NSEC3 records must have two or more labels to be valid.
+	 */
+	if (zlabels < 2) {
+		return (ISC_R_IGNORE);
+	}
+
+	/*
+	 * Strip off the NSEC3 hash to get the zone.
+	 */
+	zlabels--;
+	dns_name_split(nsec3name, zlabels, NULL, zone);
+
+	/*
+	 * If not below the zone name we can ignore this record.
+	 */
+	if (!dns_name_issubdomain(name, zone)) {
+		return (ISC_R_IGNORE);
+	}
+
+	/*
+	 * Is this zone the same or deeper than the current zone?
+	 */
+	if (dns_name_countlabels(zonename) == 0 ||
+	    dns_name_issubdomain(zone, zonename))
+	{
+		dns_name_copynf(zone, zonename);
+	}
+
+	if (!dns_name_equal(zone, zonename)) {
+		return (ISC_R_IGNORE);
+	}
+
+	/*
+	 * Are we only looking for the most enclosing zone?
+	 */
+	if (exists == NULL || data == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * Only set unknown once we are sure that this NSEC3 is from
+	 * the deepest covering zone.
+	 */
+	if (!dns_nsec3_supportedhash(nsec3.hash)) {
+		if (unknown != NULL) {
+			*unknown = true;
+		}
+		return (ISC_R_IGNORE);
+	}
+
+	/*
+	 * Recover the hash from the first label.
+	 */
+	dns_name_getlabel(nsec3name, 0, &hashlabel);
+	isc_region_consume(&hashlabel, 1);
+	isc_buffer_init(&buffer, owner, sizeof(owner));
+	result = isc_base32hex_decoderegion(&hashlabel, &buffer);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	/*
+	 * The hash lengths should match.  If not ignore the record.
+	 */
+	if (isc_buffer_usedlength(&buffer) != nsec3.next_length) {
+		return (ISC_R_IGNORE);
+	}
+
+	/*
+	 * Work out what this NSEC3 covers.
+	 * Inside (<0) or outside (>=0).
+	 */
+	scope = memcmp(owner, nsec3.next, nsec3.next_length);
+
+	/*
+	 * Prepare to compute all the hashes.
+	 */
+	qname = dns_fixedname_initname(&qfixed);
+	dns_name_downcase(name, qname, NULL);
+	qlabels = dns_name_countlabels(qname);
+	first = true;
+
+	while (qlabels >= zlabels) {
+		/*
+		 * If there are too many iterations reject the NSEC3 record.
+		 */
+		if (nsec3.iterations > DNS_NSEC3_MAXITERATIONS) {
+			return (DNS_R_NSEC3ITERRANGE);
+		}
+
+		length = isc_iterated_hash(hash, nsec3.hash, nsec3.iterations,
+					   nsec3.salt, nsec3.salt_length,
+					   qname->ndata, qname->length);
+		/*
+		 * The computed hash length should match.
+		 */
+		if (length != nsec3.next_length) {
+			(*logit)(arg, ISC_LOG_DEBUG(3),
+				 "ignoring NSEC bad length %u vs %u", length,
+				 nsec3.next_length);
+			return (ISC_R_IGNORE);
+		}
+
+		order = memcmp(hash, owner, length);
+		if (first && order == 0) {
+			/*
+			 * The hashes are the same.
+			 */
+			atparent = dns_rdatatype_atparent(type);
+			ns = dns_nsec3_typepresent(&rdata, dns_rdatatype_ns);
+			soa = dns_nsec3_typepresent(&rdata, dns_rdatatype_soa);
+			if (ns && !soa) {
+				if (!atparent) {
+					/*
+					 * This NSEC3 record is from somewhere
+					 * higher in the DNS, and at the
+					 * parent of a delegation. It can not
+					 * be legitimately used here.
+					 */
+					(*logit)(arg, ISC_LOG_DEBUG(3),
+						 "ignoring parent NSEC3");
+					return (ISC_R_IGNORE);
+				}
+			} else if (atparent && ns && soa) {
+				/*
+				 * This NSEC3 record is from the child.
+				 * It can not be legitimately used here.
+				 */
+				(*logit)(arg, ISC_LOG_DEBUG(3),
+					 "ignoring child NSEC3");
+				return (ISC_R_IGNORE);
+			}
+			if (type == dns_rdatatype_cname ||
+			    type == dns_rdatatype_nxt ||
+			    type == dns_rdatatype_nsec ||
+			    type == dns_rdatatype_key ||
+			    !dns_nsec3_typepresent(&rdata, dns_rdatatype_cname))
+			{
+				*exists = true;
+				*data = dns_nsec3_typepresent(&rdata, type);
+				(*logit)(arg, ISC_LOG_DEBUG(3),
+					 "NSEC3 proves name exists (owner) "
+					 "data=%d",
+					 *data);
+				return (ISC_R_SUCCESS);
+			}
+			(*logit)(arg, ISC_LOG_DEBUG(3),
+				 "NSEC3 proves CNAME exists");
+			return (ISC_R_IGNORE);
+		}
+
+		if (order == 0 &&
+		    dns_nsec3_typepresent(&rdata, dns_rdatatype_ns) &&
+		    !dns_nsec3_typepresent(&rdata, dns_rdatatype_soa))
+		{
+			/*
+			 * This NSEC3 record is from somewhere higher in
+			 * the DNS, and at the parent of a delegation.
+			 * It can not be legitimately used here.
+			 */
+			(*logit)(arg, ISC_LOG_DEBUG(3),
+				 "ignoring parent NSEC3");
+			return (ISC_R_IGNORE);
+		}
+
+		/*
+		 * Potential closest encloser.
+		 */
+		if (order == 0) {
+			if (closest != NULL &&
+			    (dns_name_countlabels(closest) == 0 ||
+			     dns_name_issubdomain(qname, closest)) &&
+			    !dns_nsec3_typepresent(&rdata, dns_rdatatype_ds) &&
+			    !dns_nsec3_typepresent(&rdata,
+						   dns_rdatatype_dname) &&
+			    (dns_nsec3_typepresent(&rdata, dns_rdatatype_soa) ||
+			     !dns_nsec3_typepresent(&rdata, dns_rdatatype_ns)))
+			{
+				dns_name_format(qname, namebuf,
+						sizeof(namebuf));
+				(*logit)(arg, ISC_LOG_DEBUG(3),
+					 "NSEC3 indicates potential closest "
+					 "encloser: '%s'",
+					 namebuf);
+				dns_name_copynf(qname, closest);
+				*setclosest = true;
+			}
+			dns_name_format(qname, namebuf, sizeof(namebuf));
+			(*logit)(arg, ISC_LOG_DEBUG(3),
+				 "NSEC3 at super-domain %s", namebuf);
+			return (answer);
+		}
+
+		/*
+		 * Find if the name does not exist.
+		 *
+		 * We continue as we need to find the name closest to the
+		 * closest encloser that doesn't exist.
+		 *
+		 * We also need to continue to ensure that we are not
+		 * proving the non-existence of a record in a sub-zone.
+		 * If that would be the case we will return ISC_R_IGNORE
+		 * above.
+		 */
+		if ((scope < 0 && order > 0 &&
+		     memcmp(hash, nsec3.next, length) < 0) ||
+		    (scope >= 0 &&
+		     (order > 0 || memcmp(hash, nsec3.next, length) < 0)))
+		{
+			dns_name_format(qname, namebuf, sizeof(namebuf));
+			(*logit)(arg, ISC_LOG_DEBUG(3),
+				 "NSEC3 proves "
+				 "name does not exist: '%s'",
+				 namebuf);
+			if (nearest != NULL &&
+			    (dns_name_countlabels(nearest) == 0 ||
+			     dns_name_issubdomain(nearest, qname)))
+			{
+				dns_name_copynf(qname, nearest);
+				*setnearest = true;
+			}
+
+			*exists = false;
+			*data = false;
+			if (optout != NULL) {
+				*optout = ((nsec3.flags &
+					    DNS_NSEC3FLAG_OPTOUT) != 0);
+				(*logit)(arg, ISC_LOG_DEBUG(3),
+					 (*optout ? "NSEC3 indicates optout"
+						  : "NSEC3 indicates secure "
+						    "range"));
+			}
+			answer = ISC_R_SUCCESS;
+		}
+
+		qlabels--;
+		if (qlabels > 0) {
+			dns_name_split(qname, qlabels, NULL, qname);
+		}
+		first = false;
+	}
+	return (answer);
+}
diff --git a/lib/dns/nta.c b/lib/dns/nta.c
new file mode 100644
index 0000000..c6725c7
--- /dev/null
+++ b/lib/dns/nta.c
@@ -0,0 +1,722 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/buffer.h>
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/rwlock.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/time.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/fixedname.h>
+#include <dns/log.h>
+#include <dns/name.h>
+#include <dns/nta.h>
+#include <dns/rbt.h>
+#include <dns/rdataset.h>
+#include <dns/resolver.h>
+#include <dns/result.h>
+#include <dns/time.h>
+
+struct dns_nta {
+	unsigned int magic;
+	isc_refcount_t refcount;
+	dns_ntatable_t *ntatable;
+	bool forced;
+	isc_timer_t *timer;
+	dns_fetch_t *fetch;
+	dns_rdataset_t rdataset;
+	dns_rdataset_t sigrdataset;
+	dns_fixedname_t fn;
+	dns_name_t *name;
+	isc_stdtime_t expiry;
+};
+
+#define NTA_MAGIC     ISC_MAGIC('N', 'T', 'A', 'n')
+#define VALID_NTA(nn) ISC_MAGIC_VALID(nn, NTA_MAGIC)
+
+/*
+ * Obtain a reference to the nta object.  Released by
+ * nta_detach.
+ */
+static void
+nta_ref(dns_nta_t *nta) {
+	isc_refcount_increment(&nta->refcount);
+}
+
+static void
+nta_detach(isc_mem_t *mctx, dns_nta_t **ntap) {
+	REQUIRE(ntap != NULL && VALID_NTA(*ntap));
+	dns_nta_t *nta = *ntap;
+	*ntap = NULL;
+
+	if (isc_refcount_decrement(&nta->refcount) == 1) {
+		isc_refcount_destroy(&nta->refcount);
+		nta->magic = 0;
+		if (nta->timer != NULL) {
+			(void)isc_timer_reset(nta->timer,
+					      isc_timertype_inactive, NULL,
+					      NULL, true);
+			isc_timer_destroy(&nta->timer);
+		}
+		if (dns_rdataset_isassociated(&nta->rdataset)) {
+			dns_rdataset_disassociate(&nta->rdataset);
+		}
+		if (dns_rdataset_isassociated(&nta->sigrdataset)) {
+			dns_rdataset_disassociate(&nta->sigrdataset);
+		}
+		if (nta->fetch != NULL) {
+			dns_resolver_cancelfetch(nta->fetch);
+			dns_resolver_destroyfetch(&nta->fetch);
+		}
+		isc_mem_put(mctx, nta, sizeof(dns_nta_t));
+	}
+}
+
+static void
+free_nta(void *data, void *arg) {
+	dns_nta_t *nta = (dns_nta_t *)data;
+	isc_mem_t *mctx = (isc_mem_t *)arg;
+
+	nta_detach(mctx, &nta);
+}
+
+isc_result_t
+dns_ntatable_create(dns_view_t *view, isc_taskmgr_t *taskmgr,
+		    isc_timermgr_t *timermgr, dns_ntatable_t **ntatablep) {
+	dns_ntatable_t *ntatable;
+	isc_result_t result;
+
+	REQUIRE(ntatablep != NULL && *ntatablep == NULL);
+
+	ntatable = isc_mem_get(view->mctx, sizeof(*ntatable));
+
+	ntatable->task = NULL;
+	result = isc_task_create(taskmgr, 0, &ntatable->task);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_ntatable;
+	}
+	isc_task_setname(ntatable->task, "ntatable", ntatable);
+
+	ntatable->table = NULL;
+	result = dns_rbt_create(view->mctx, free_nta, view->mctx,
+				&ntatable->table);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_task;
+	}
+
+	isc_rwlock_init(&ntatable->rwlock, 0, 0);
+
+	ntatable->shuttingdown = false;
+	ntatable->timermgr = timermgr;
+	ntatable->taskmgr = taskmgr;
+
+	ntatable->view = view;
+	isc_refcount_init(&ntatable->references, 1);
+
+	ntatable->magic = NTATABLE_MAGIC;
+	*ntatablep = ntatable;
+
+	return (ISC_R_SUCCESS);
+
+cleanup_task:
+	isc_task_detach(&ntatable->task);
+
+cleanup_ntatable:
+	isc_mem_put(view->mctx, ntatable, sizeof(*ntatable));
+
+	return (result);
+}
+
+void
+dns_ntatable_attach(dns_ntatable_t *source, dns_ntatable_t **targetp) {
+	REQUIRE(VALID_NTATABLE(source));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	isc_refcount_increment(&source->references);
+
+	*targetp = source;
+}
+
+void
+dns_ntatable_detach(dns_ntatable_t **ntatablep) {
+	dns_ntatable_t *ntatable;
+
+	REQUIRE(ntatablep != NULL && VALID_NTATABLE(*ntatablep));
+
+	ntatable = *ntatablep;
+	*ntatablep = NULL;
+
+	if (isc_refcount_decrement(&ntatable->references) == 1) {
+		dns_rbt_destroy(&ntatable->table);
+		isc_rwlock_destroy(&ntatable->rwlock);
+		isc_refcount_destroy(&ntatable->references);
+		if (ntatable->task != NULL) {
+			isc_task_detach(&ntatable->task);
+		}
+		ntatable->timermgr = NULL;
+		ntatable->taskmgr = NULL;
+		ntatable->magic = 0;
+		isc_mem_put(ntatable->view->mctx, ntatable, sizeof(*ntatable));
+	}
+}
+
+static void
+fetch_done(isc_task_t *task, isc_event_t *event) {
+	dns_fetchevent_t *devent = (dns_fetchevent_t *)event;
+	dns_nta_t *nta = devent->ev_arg;
+	isc_result_t eresult = devent->result;
+	dns_ntatable_t *ntatable = nta->ntatable;
+	dns_view_t *view = ntatable->view;
+	isc_stdtime_t now;
+
+	UNUSED(task);
+
+	if (dns_rdataset_isassociated(&nta->rdataset)) {
+		dns_rdataset_disassociate(&nta->rdataset);
+	}
+	if (dns_rdataset_isassociated(&nta->sigrdataset)) {
+		dns_rdataset_disassociate(&nta->sigrdataset);
+	}
+	if (nta->fetch == devent->fetch) {
+		nta->fetch = NULL;
+	}
+	dns_resolver_destroyfetch(&devent->fetch);
+
+	if (devent->node != NULL) {
+		dns_db_detachnode(devent->db, &devent->node);
+	}
+	if (devent->db != NULL) {
+		dns_db_detach(&devent->db);
+	}
+
+	isc_event_free(&event);
+	isc_stdtime_get(&now);
+
+	switch (eresult) {
+	case ISC_R_SUCCESS:
+	case DNS_R_NCACHENXDOMAIN:
+	case DNS_R_NXDOMAIN:
+	case DNS_R_NCACHENXRRSET:
+	case DNS_R_NXRRSET:
+		if (nta->expiry > now) {
+			nta->expiry = now;
+		}
+		break;
+	default:
+		break;
+	}
+
+	/*
+	 * If we're expiring before the next recheck, we might
+	 * as well stop the timer now.
+	 */
+	if (nta->timer != NULL && nta->expiry - now < view->nta_recheck) {
+		(void)isc_timer_reset(nta->timer, isc_timertype_inactive, NULL,
+				      NULL, true);
+	}
+	nta_detach(view->mctx, &nta);
+	dns_view_weakdetach(&view);
+}
+
+static void
+checkbogus(isc_task_t *task, isc_event_t *event) {
+	dns_nta_t *nta = event->ev_arg;
+	dns_ntatable_t *ntatable = nta->ntatable;
+	dns_view_t *view = NULL;
+	isc_result_t result;
+
+	if (nta->fetch != NULL) {
+		dns_resolver_cancelfetch(nta->fetch);
+		nta->fetch = NULL;
+	}
+	if (dns_rdataset_isassociated(&nta->rdataset)) {
+		dns_rdataset_disassociate(&nta->rdataset);
+	}
+	if (dns_rdataset_isassociated(&nta->sigrdataset)) {
+		dns_rdataset_disassociate(&nta->sigrdataset);
+	}
+
+	isc_event_free(&event);
+
+	nta_ref(nta);
+	dns_view_weakattach(ntatable->view, &view);
+	result = dns_resolver_createfetch(
+		view->resolver, nta->name, dns_rdatatype_nsec, NULL, NULL, NULL,
+		NULL, 0, DNS_FETCHOPT_NONTA, 0, NULL, task, fetch_done, nta,
+		&nta->rdataset, &nta->sigrdataset, &nta->fetch);
+	if (result != ISC_R_SUCCESS) {
+		nta_detach(view->mctx, &nta);
+		dns_view_weakdetach(&view);
+	}
+}
+
+static isc_result_t
+settimer(dns_ntatable_t *ntatable, dns_nta_t *nta, uint32_t lifetime) {
+	isc_result_t result;
+	isc_interval_t interval;
+	dns_view_t *view;
+
+	REQUIRE(VALID_NTATABLE(ntatable));
+	REQUIRE(VALID_NTA(nta));
+
+	if (ntatable->timermgr == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+
+	view = ntatable->view;
+	if (view->nta_recheck == 0 || lifetime <= view->nta_recheck) {
+		return (ISC_R_SUCCESS);
+	}
+
+	isc_interval_set(&interval, view->nta_recheck, 0);
+	result = isc_timer_create(ntatable->timermgr, isc_timertype_ticker,
+				  NULL, &interval, ntatable->task, checkbogus,
+				  nta, &nta->timer);
+	if (result != ISC_R_SUCCESS) {
+		isc_timer_destroy(&nta->timer);
+	}
+	return (result);
+}
+
+static isc_result_t
+nta_create(dns_ntatable_t *ntatable, const dns_name_t *name,
+	   dns_nta_t **target) {
+	dns_nta_t *nta = NULL;
+	dns_view_t *view;
+
+	REQUIRE(VALID_NTATABLE(ntatable));
+	REQUIRE(target != NULL && *target == NULL);
+
+	view = ntatable->view;
+
+	nta = isc_mem_get(view->mctx, sizeof(dns_nta_t));
+
+	nta->ntatable = ntatable;
+	nta->expiry = 0;
+	nta->timer = NULL;
+	nta->fetch = NULL;
+	dns_rdataset_init(&nta->rdataset);
+	dns_rdataset_init(&nta->sigrdataset);
+
+	isc_refcount_init(&nta->refcount, 1);
+
+	nta->name = dns_fixedname_initname(&nta->fn);
+	dns_name_copynf(name, nta->name);
+
+	nta->magic = NTA_MAGIC;
+
+	*target = nta;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_ntatable_add(dns_ntatable_t *ntatable, const dns_name_t *name, bool force,
+		 isc_stdtime_t now, uint32_t lifetime) {
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_nta_t *nta = NULL;
+	dns_rbtnode_t *node;
+	dns_view_t *view;
+
+	REQUIRE(VALID_NTATABLE(ntatable));
+
+	view = ntatable->view;
+
+	RWLOCK(&ntatable->rwlock, isc_rwlocktype_write);
+
+	if (ntatable->shuttingdown) {
+		goto unlock;
+	}
+
+	result = nta_create(ntatable, name, &nta);
+	if (result != ISC_R_SUCCESS) {
+		goto unlock;
+	}
+
+	nta->expiry = now + lifetime;
+	nta->forced = force;
+
+	node = NULL;
+	result = dns_rbt_addnode(ntatable->table, name, &node);
+	if (result == ISC_R_SUCCESS) {
+		if (!force) {
+			(void)settimer(ntatable, nta, lifetime);
+		}
+		node->data = nta;
+		nta = NULL;
+	} else if (result == ISC_R_EXISTS) {
+		dns_nta_t *n = node->data;
+		if (n == NULL) {
+			if (!force) {
+				(void)settimer(ntatable, nta, lifetime);
+			}
+			node->data = nta;
+			nta = NULL;
+		} else {
+			n->expiry = nta->expiry;
+			nta_detach(view->mctx, &nta);
+		}
+		result = ISC_R_SUCCESS;
+	}
+
+unlock:
+	RWUNLOCK(&ntatable->rwlock, isc_rwlocktype_write);
+
+	if (nta != NULL) {
+		nta_detach(view->mctx, &nta);
+	}
+
+	return (result);
+}
+
+/*
+ * Caller must hold a write lock on rwlock.
+ */
+static isc_result_t
+deletenode(dns_ntatable_t *ntatable, const dns_name_t *name) {
+	isc_result_t result;
+	dns_rbtnode_t *node = NULL;
+
+	REQUIRE(VALID_NTATABLE(ntatable));
+	REQUIRE(name != NULL);
+
+	result = dns_rbt_findnode(ntatable->table, name, NULL, &node, NULL,
+				  DNS_RBTFIND_NOOPTIONS, NULL, NULL);
+	if (result == ISC_R_SUCCESS) {
+		if (node->data != NULL) {
+			result = dns_rbt_deletenode(ntatable->table, node,
+						    false);
+		} else {
+			result = ISC_R_NOTFOUND;
+		}
+	} else if (result == DNS_R_PARTIALMATCH) {
+		result = ISC_R_NOTFOUND;
+	}
+
+	return (result);
+}
+
+isc_result_t
+dns_ntatable_delete(dns_ntatable_t *ntatable, const dns_name_t *name) {
+	isc_result_t result;
+
+	RWLOCK(&ntatable->rwlock, isc_rwlocktype_write);
+	result = deletenode(ntatable, name);
+	RWUNLOCK(&ntatable->rwlock, isc_rwlocktype_write);
+
+	return (result);
+}
+
+bool
+dns_ntatable_covered(dns_ntatable_t *ntatable, isc_stdtime_t now,
+		     const dns_name_t *name, const dns_name_t *anchor) {
+	isc_result_t result;
+	dns_fixedname_t fn;
+	dns_rbtnode_t *node;
+	dns_name_t *foundname;
+	dns_nta_t *nta = NULL;
+	bool answer = false;
+	isc_rwlocktype_t locktype = isc_rwlocktype_read;
+
+	REQUIRE(ntatable == NULL || VALID_NTATABLE(ntatable));
+	REQUIRE(dns_name_isabsolute(name));
+
+	if (ntatable == NULL) {
+		return (false);
+	}
+
+	foundname = dns_fixedname_initname(&fn);
+
+relock:
+	RWLOCK(&ntatable->rwlock, locktype);
+again:
+	node = NULL;
+	result = dns_rbt_findnode(ntatable->table, name, foundname, &node, NULL,
+				  DNS_RBTFIND_NOOPTIONS, NULL, NULL);
+	if (result == DNS_R_PARTIALMATCH) {
+		if (dns_name_issubdomain(foundname, anchor)) {
+			result = ISC_R_SUCCESS;
+		}
+	}
+	if (result == ISC_R_SUCCESS) {
+		nta = (dns_nta_t *)node->data;
+		answer = (nta->expiry > now);
+	}
+
+	/* Deal with expired NTA */
+	if (result == ISC_R_SUCCESS && !answer) {
+		char nb[DNS_NAME_FORMATSIZE];
+
+		if (locktype == isc_rwlocktype_read) {
+			RWUNLOCK(&ntatable->rwlock, locktype);
+			locktype = isc_rwlocktype_write;
+			goto relock;
+		}
+
+		dns_name_format(foundname, nb, sizeof(nb));
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+			      DNS_LOGMODULE_NTA, ISC_LOG_INFO,
+			      "deleting expired NTA at %s", nb);
+
+		if (nta->timer != NULL) {
+			(void)isc_timer_reset(nta->timer,
+					      isc_timertype_inactive, NULL,
+					      NULL, true);
+			isc_timer_destroy(&nta->timer);
+		}
+
+		result = deletenode(ntatable, foundname);
+		if (result != ISC_R_SUCCESS) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+				      DNS_LOGMODULE_NTA, ISC_LOG_INFO,
+				      "deleting NTA failed: %s",
+				      isc_result_totext(result));
+		}
+		goto again;
+	}
+	RWUNLOCK(&ntatable->rwlock, locktype);
+
+	return (answer);
+}
+
+static isc_result_t
+putstr(isc_buffer_t **b, const char *str) {
+	isc_result_t result;
+
+	result = isc_buffer_reserve(b, strlen(str));
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	isc_buffer_putstr(*b, str);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_ntatable_totext(dns_ntatable_t *ntatable, const char *view,
+		    isc_buffer_t **buf) {
+	isc_result_t result;
+	dns_rbtnode_t *node;
+	dns_rbtnodechain_t chain;
+	bool first = true;
+	isc_stdtime_t now;
+
+	REQUIRE(VALID_NTATABLE(ntatable));
+
+	isc_stdtime_get(&now);
+
+	RWLOCK(&ntatable->rwlock, isc_rwlocktype_read);
+	dns_rbtnodechain_init(&chain);
+	result = dns_rbtnodechain_first(&chain, ntatable->table, NULL, NULL);
+	if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+		if (result == ISC_R_NOTFOUND) {
+			result = ISC_R_SUCCESS;
+		}
+		goto cleanup;
+	}
+	for (;;) {
+		dns_rbtnodechain_current(&chain, NULL, NULL, &node);
+		if (node->data != NULL) {
+			dns_nta_t *n = (dns_nta_t *)node->data;
+			char nbuf[DNS_NAME_FORMATSIZE];
+			char tbuf[ISC_FORMATHTTPTIMESTAMP_SIZE];
+			char obuf[DNS_NAME_FORMATSIZE +
+				  ISC_FORMATHTTPTIMESTAMP_SIZE +
+				  sizeof("expired:  \n")];
+			dns_fixedname_t fn;
+			dns_name_t *name;
+			isc_time_t t;
+
+			/*
+			 * Skip "validate-except" entries.
+			 */
+			if (n->expiry != 0xffffffffU) {
+				name = dns_fixedname_initname(&fn);
+				dns_rbt_fullnamefromnode(node, name);
+				dns_name_format(name, nbuf, sizeof(nbuf));
+				isc_time_set(&t, n->expiry, 0);
+				isc_time_formattimestamp(&t, tbuf,
+							 sizeof(tbuf));
+
+				snprintf(obuf, sizeof(obuf), "%s%s%s%s: %s %s",
+					 first ? "" : "\n", nbuf,
+					 view != NULL ? "/" : "",
+					 view != NULL ? view : "",
+					 n->expiry <= now ? "expired"
+							  : "expiry",
+					 tbuf);
+				first = false;
+				result = putstr(buf, obuf);
+				if (result != ISC_R_SUCCESS) {
+					goto cleanup;
+				}
+			}
+		}
+		result = dns_rbtnodechain_next(&chain, NULL, NULL);
+		if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+			if (result == ISC_R_NOMORE) {
+				result = ISC_R_SUCCESS;
+			}
+			break;
+		}
+	}
+
+cleanup:
+	dns_rbtnodechain_invalidate(&chain);
+	RWUNLOCK(&ntatable->rwlock, isc_rwlocktype_read);
+	return (result);
+}
+
+isc_result_t
+dns_ntatable_dump(dns_ntatable_t *ntatable, FILE *fp) {
+	isc_result_t result;
+	isc_buffer_t *text = NULL;
+	int len = 4096;
+
+	isc_buffer_allocate(ntatable->view->mctx, &text, len);
+
+	result = dns_ntatable_totext(ntatable, NULL, &text);
+
+	if (isc_buffer_usedlength(text) != 0) {
+		(void)putstr(&text, "\n");
+	} else if (result == ISC_R_SUCCESS) {
+		(void)putstr(&text, "none");
+	} else {
+		(void)putstr(&text, "could not dump NTA table: ");
+		(void)putstr(&text, isc_result_totext(result));
+	}
+
+	fprintf(fp, "%.*s", (int)isc_buffer_usedlength(text),
+		(char *)isc_buffer_base(text));
+	isc_buffer_free(&text);
+	return (result);
+}
+
+isc_result_t
+dns_ntatable_save(dns_ntatable_t *ntatable, FILE *fp) {
+	isc_result_t result;
+	dns_rbtnode_t *node;
+	dns_rbtnodechain_t chain;
+	isc_stdtime_t now;
+	bool written = false;
+
+	REQUIRE(VALID_NTATABLE(ntatable));
+
+	isc_stdtime_get(&now);
+
+	RWLOCK(&ntatable->rwlock, isc_rwlocktype_read);
+	dns_rbtnodechain_init(&chain);
+	result = dns_rbtnodechain_first(&chain, ntatable->table, NULL, NULL);
+	if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+		goto cleanup;
+	}
+
+	for (;;) {
+		dns_rbtnodechain_current(&chain, NULL, NULL, &node);
+		if (node->data != NULL) {
+			isc_buffer_t b;
+			char nbuf[DNS_NAME_FORMATSIZE + 1], tbuf[80];
+			dns_fixedname_t fn;
+			dns_name_t *name;
+			dns_nta_t *n = (dns_nta_t *)node->data;
+
+			/*
+			 * Skip this node if the expiry is already in the
+			 * past, or if this is a "validate-except" entry.
+			 */
+			if (n->expiry <= now || n->expiry == 0xffffffffU) {
+				goto skip;
+			}
+
+			name = dns_fixedname_initname(&fn);
+			dns_rbt_fullnamefromnode(node, name);
+
+			isc_buffer_init(&b, nbuf, sizeof(nbuf));
+			result = dns_name_totext(name, false, &b);
+			if (result != ISC_R_SUCCESS) {
+				goto skip;
+			}
+
+			/* Zero terminate. */
+			isc_buffer_putuint8(&b, 0);
+
+			isc_buffer_init(&b, tbuf, sizeof(tbuf));
+			dns_time32_totext(n->expiry, &b);
+
+			/* Zero terminate. */
+			isc_buffer_putuint8(&b, 0);
+
+			fprintf(fp, "%s %s %s\n", nbuf,
+				n->forced ? "forced" : "regular", tbuf);
+			written = true;
+		}
+	skip:
+		result = dns_rbtnodechain_next(&chain, NULL, NULL);
+		if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+			if (result == ISC_R_NOMORE) {
+				result = ISC_R_SUCCESS;
+			}
+			break;
+		}
+	}
+
+cleanup:
+	dns_rbtnodechain_invalidate(&chain);
+	RWUNLOCK(&ntatable->rwlock, isc_rwlocktype_read);
+
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	} else {
+		return (written ? ISC_R_SUCCESS : ISC_R_NOTFOUND);
+	}
+}
+
+void
+dns_ntatable_shutdown(dns_ntatable_t *ntatable) {
+	isc_result_t result;
+	dns_rbtnode_t *node;
+	dns_rbtnodechain_t chain;
+
+	REQUIRE(VALID_NTATABLE(ntatable));
+
+	RWLOCK(&ntatable->rwlock, isc_rwlocktype_write);
+	ntatable->shuttingdown = true;
+
+	dns_rbtnodechain_init(&chain);
+	result = dns_rbtnodechain_first(&chain, ntatable->table, NULL, NULL);
+	while (result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN) {
+		dns_rbtnodechain_current(&chain, NULL, NULL, &node);
+		if (node->data != NULL) {
+			dns_nta_t *nta = (dns_nta_t *)node->data;
+			if (nta->timer != NULL) {
+				(void)isc_timer_reset(nta->timer,
+						      isc_timertype_inactive,
+						      NULL, NULL, true);
+			}
+		}
+		result = dns_rbtnodechain_next(&chain, NULL, NULL);
+	}
+
+	dns_rbtnodechain_invalidate(&chain);
+	RWUNLOCK(&ntatable->rwlock, isc_rwlocktype_write);
+}
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
new file mode 100644
index 0000000..4878f57
--- /dev/null
+++ b/lib/dns/openssl_link.c
@@ -0,0 +1,214 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) Network Associates, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <isc/mem.h>
+#include <isc/mutex.h>
+#include <isc/mutexblock.h>
+#include <isc/platform.h>
+#include <isc/string.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+
+#include <dns/log.h>
+
+#include <dst/result.h>
+
+#include "dst_internal.h"
+#include "dst_openssl.h"
+
+#if !defined(OPENSSL_NO_ENGINE)
+#include <openssl/engine.h>
+#endif /* if !defined(OPENSSL_NO_ENGINE) */
+
+#if !defined(OPENSSL_NO_ENGINE)
+static ENGINE *e = NULL;
+#endif /* if !defined(OPENSSL_NO_ENGINE) */
+
+static void
+enable_fips_mode(void) {
+#ifdef HAVE_FIPS_MODE
+	if (FIPS_mode() != 0) {
+		/*
+		 * FIPS mode is already enabled.
+		 */
+		return;
+	}
+
+	if (FIPS_mode_set(1) == 0) {
+		dst__openssl_toresult2("FIPS_mode_set", DST_R_OPENSSLFAILURE);
+		exit(1);
+	}
+#endif /* HAVE_FIPS_MODE */
+}
+
+isc_result_t
+dst__openssl_init(const char *engine) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	enable_fips_mode();
+
+#if !defined(OPENSSL_NO_ENGINE)
+	if (engine != NULL && *engine == '\0') {
+		engine = NULL;
+	}
+
+	if (engine != NULL) {
+		e = ENGINE_by_id(engine);
+		if (e == NULL) {
+			result = DST_R_NOENGINE;
+			goto cleanup_rm;
+		}
+		/* This will init the engine. */
+		if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
+			result = DST_R_NOENGINE;
+			goto cleanup_rm;
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+cleanup_rm:
+	if (e != NULL) {
+		ENGINE_free(e);
+	}
+	e = NULL;
+#else
+	UNUSED(engine);
+#endif /* if !defined(OPENSSL_NO_ENGINE) */
+	return (result);
+}
+
+void
+dst__openssl_destroy(void) {
+#if !defined(OPENSSL_NO_ENGINE)
+	if (e != NULL) {
+		ENGINE_free(e);
+	}
+	e = NULL;
+#endif /* if !defined(OPENSSL_NO_ENGINE) */
+}
+
+static isc_result_t
+toresult(isc_result_t fallback) {
+	isc_result_t result = fallback;
+	unsigned long err = ERR_peek_error();
+#if defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED)
+	int lib = ERR_GET_LIB(err);
+#endif /* if defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED) */
+	int reason = ERR_GET_REASON(err);
+
+	switch (reason) {
+	/*
+	 * ERR_* errors are globally unique; others
+	 * are unique per sublibrary
+	 */
+	case ERR_R_MALLOC_FAILURE:
+		result = ISC_R_NOMEMORY;
+		break;
+	default:
+#if defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED)
+		if (lib == ERR_R_ECDSA_LIB &&
+		    reason == ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED)
+		{
+			result = ISC_R_NOENTROPY;
+			break;
+		}
+#endif /* if defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED) */
+		break;
+	}
+
+	return (result);
+}
+
+isc_result_t
+dst__openssl_toresult(isc_result_t fallback) {
+	isc_result_t result;
+
+	result = toresult(fallback);
+
+	ERR_clear_error();
+	return (result);
+}
+
+isc_result_t
+dst__openssl_toresult2(const char *funcname, isc_result_t fallback) {
+	return (dst__openssl_toresult3(DNS_LOGCATEGORY_GENERAL, funcname,
+				       fallback));
+}
+
+isc_result_t
+dst__openssl_toresult3(isc_logcategory_t *category, const char *funcname,
+		       isc_result_t fallback) {
+	isc_result_t result;
+	unsigned long err;
+	const char *file, *data;
+	int line, flags;
+	char buf[256];
+
+	result = toresult(fallback);
+
+	isc_log_write(dns_lctx, category, DNS_LOGMODULE_CRYPTO, ISC_LOG_WARNING,
+		      "%s failed (%s)", funcname, isc_result_totext(result));
+
+	if (result == ISC_R_NOMEMORY) {
+		goto done;
+	}
+
+	for (;;) {
+		err = ERR_get_error_line_data(&file, &line, &data, &flags);
+		if (err == 0U) {
+			goto done;
+		}
+		ERR_error_string_n(err, buf, sizeof(buf));
+		isc_log_write(dns_lctx, category, DNS_LOGMODULE_CRYPTO,
+			      ISC_LOG_INFO, "%s:%s:%d:%s", buf, file, line,
+			      ((flags & ERR_TXT_STRING) != 0) ? data : "");
+	}
+
+done:
+	ERR_clear_error();
+	return (result);
+}
+
+#if !defined(OPENSSL_NO_ENGINE)
+ENGINE *
+dst__openssl_getengine(const char *engine) {
+	if (engine == NULL) {
+		return (NULL);
+	}
+	if (e == NULL) {
+		return (NULL);
+	}
+	if (strcmp(engine, ENGINE_get_id(e)) == 0) {
+		return (e);
+	}
+	return (NULL);
+}
+#endif /* if !defined(OPENSSL_NO_ENGINE) */
+
+/*! \file */
diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c
new file mode 100644
index 0000000..f514931
--- /dev/null
+++ b/lib/dns/openssldh_link.c
@@ -0,0 +1,815 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) Network Associates, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*! \file */
+
+#include <ctype.h>
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <openssl/opensslv.h>
+
+#include <isc/mem.h>
+#include <isc/safe.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <pk11/site.h>
+
+#include <dst/result.h>
+
+#include "dst_internal.h"
+#include "dst_openssl.h"
+#include "dst_parse.h"
+
+#define PRIME2 "02"
+
+#define PRIME768                                                               \
+	"FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088"            \
+	"A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25"   \
+	"F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFF" \
+	"F"
+
+#define PRIME1024                                                            \
+	"FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"           \
+	"8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF2" \
+	"5F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406" \
+	"B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF"
+
+#define PRIME1536                                          \
+	"FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \
+	"29024E088A67CC74020BBEA63B139B22514A08798E3404DD" \
+	"EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" \
+	"E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" \
+	"EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" \
+	"C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" \
+	"83655D23DCA3AD961C62F356208552BB9ED529077096966D" \
+	"670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF"
+
+static BIGNUM *bn2 = NULL, *bn768 = NULL, *bn1024 = NULL, *bn1536 = NULL;
+
+#if !HAVE_DH_GET0_KEY
+/*
+ * DH_get0_key, DH_set0_key, DH_get0_pqg and DH_set0_pqg
+ * are from OpenSSL 1.1.0.
+ */
+static void
+DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key) {
+	if (pub_key != NULL) {
+		*pub_key = dh->pub_key;
+	}
+	if (priv_key != NULL) {
+		*priv_key = dh->priv_key;
+	}
+}
+
+static int
+DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key) {
+	if (pub_key != NULL) {
+		BN_free(dh->pub_key);
+		dh->pub_key = pub_key;
+	}
+
+	if (priv_key != NULL) {
+		BN_free(dh->priv_key);
+		dh->priv_key = priv_key;
+	}
+
+	return (1);
+}
+
+static void
+DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q,
+	    const BIGNUM **g) {
+	if (p != NULL) {
+		*p = dh->p;
+	}
+	if (q != NULL) {
+		*q = dh->q;
+	}
+	if (g != NULL) {
+		*g = dh->g;
+	}
+}
+
+static int
+DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) {
+	/* If the fields p and g in d are NULL, the corresponding input
+	 * parameters MUST be non-NULL.  q may remain NULL.
+	 */
+	if ((dh->p == NULL && p == NULL) || (dh->g == NULL && g == NULL)) {
+		return (0);
+	}
+
+	if (p != NULL) {
+		BN_free(dh->p);
+		dh->p = p;
+	}
+	if (q != NULL) {
+		BN_free(dh->q);
+		dh->q = q;
+	}
+	if (g != NULL) {
+		BN_free(dh->g);
+		dh->g = g;
+	}
+
+	if (q != NULL) {
+		dh->length = BN_num_bits(q);
+	}
+
+	return (1);
+}
+
+#define DH_clear_flags(d, f) (d)->flags &= ~(f)
+
+#endif /* !HAVE_DH_GET0_KEY */
+
+static isc_result_t
+openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
+			isc_buffer_t *secret) {
+	DH *dhpub, *dhpriv;
+	const BIGNUM *pub_key = NULL;
+	int ret;
+	isc_region_t r;
+	unsigned int len;
+
+	REQUIRE(pub->keydata.dh != NULL);
+	REQUIRE(priv->keydata.dh != NULL);
+
+	dhpub = pub->keydata.dh;
+	dhpriv = priv->keydata.dh;
+
+	len = DH_size(dhpriv);
+	isc_buffer_availableregion(secret, &r);
+	if (r.length < len) {
+		return (ISC_R_NOSPACE);
+	}
+
+	DH_get0_key(dhpub, &pub_key, NULL);
+	ret = DH_compute_key(r.base, pub_key, dhpriv);
+	if (ret <= 0) {
+		return (dst__openssl_toresult2("DH_compute_key",
+					       DST_R_COMPUTESECRETFAILURE));
+	}
+	isc_buffer_add(secret, len);
+	return (ISC_R_SUCCESS);
+}
+
+static bool
+openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
+	DH *dh1, *dh2;
+	const BIGNUM *pub_key1 = NULL, *pub_key2 = NULL;
+	const BIGNUM *priv_key1 = NULL, *priv_key2 = NULL;
+	const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL;
+
+	dh1 = key1->keydata.dh;
+	dh2 = key2->keydata.dh;
+
+	if (dh1 == NULL && dh2 == NULL) {
+		return (true);
+	} else if (dh1 == NULL || dh2 == NULL) {
+		return (false);
+	}
+
+	DH_get0_key(dh1, &pub_key1, &priv_key1);
+	DH_get0_key(dh2, &pub_key2, &priv_key2);
+	DH_get0_pqg(dh1, &p1, NULL, &g1);
+	DH_get0_pqg(dh2, &p2, NULL, &g2);
+
+	if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0 ||
+	    BN_cmp(pub_key1, pub_key2) != 0)
+	{
+		return (false);
+	}
+
+	if (priv_key1 != NULL || priv_key2 != NULL) {
+		if (priv_key1 == NULL || priv_key2 == NULL) {
+			return (false);
+		}
+		if (BN_cmp(priv_key1, priv_key2) != 0) {
+			return (false);
+		}
+	}
+	return (true);
+}
+
+static bool
+openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
+	DH *dh1, *dh2;
+	const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL;
+
+	dh1 = key1->keydata.dh;
+	dh2 = key2->keydata.dh;
+
+	if (dh1 == NULL && dh2 == NULL) {
+		return (true);
+	} else if (dh1 == NULL || dh2 == NULL) {
+		return (false);
+	}
+
+	DH_get0_pqg(dh1, &p1, NULL, &g1);
+	DH_get0_pqg(dh2, &p2, NULL, &g2);
+
+	if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0) {
+		return (false);
+	}
+	return (true);
+}
+
+static int
+progress_cb(int p, int n, BN_GENCB *cb) {
+	union {
+		void *dptr;
+		void (*fptr)(int);
+	} u;
+
+	UNUSED(n);
+
+	u.dptr = BN_GENCB_get_arg(cb);
+	if (u.fptr != NULL) {
+		u.fptr(p);
+	}
+	return (1);
+}
+
+static isc_result_t
+openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
+	DH *dh = NULL;
+	BN_GENCB *cb;
+#if !HAVE_BN_GENCB_NEW
+	BN_GENCB _cb;
+#endif /* !HAVE_BN_GENCB_NEW */
+	union {
+		void *dptr;
+		void (*fptr)(int);
+	} u;
+
+	if (generator == 0) {
+		if (key->key_size == 768 || key->key_size == 1024 ||
+		    key->key_size == 1536)
+		{
+			BIGNUM *p, *g;
+			dh = DH_new();
+			if (key->key_size == 768) {
+				p = BN_dup(bn768);
+			} else if (key->key_size == 1024) {
+				p = BN_dup(bn1024);
+			} else {
+				p = BN_dup(bn1536);
+			}
+			g = BN_dup(bn2);
+			if (dh == NULL || p == NULL || g == NULL) {
+				if (dh != NULL) {
+					DH_free(dh);
+				}
+				if (p != NULL) {
+					BN_free(p);
+				}
+				if (g != NULL) {
+					BN_free(g);
+				}
+				return (dst__openssl_toresult(ISC_R_NOMEMORY));
+			}
+			DH_set0_pqg(dh, p, NULL, g);
+		} else {
+			generator = 2;
+		}
+	}
+
+	if (generator != 0) {
+		dh = DH_new();
+		if (dh == NULL) {
+			return (dst__openssl_toresult(ISC_R_NOMEMORY));
+		}
+		cb = BN_GENCB_new();
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+		if (cb == NULL) {
+			DH_free(dh);
+			return (dst__openssl_toresult(ISC_R_NOMEMORY));
+		}
+#endif /* if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
+	* !defined(LIBRESSL_VERSION_NUMBER) */
+		if (callback == NULL) {
+			BN_GENCB_set_old(cb, NULL, NULL);
+		} else {
+			u.fptr = callback;
+			BN_GENCB_set(cb, progress_cb, u.dptr);
+		}
+
+		if (!DH_generate_parameters_ex(dh, key->key_size, generator,
+					       cb))
+		{
+			DH_free(dh);
+			BN_GENCB_free(cb);
+			return (dst__openssl_toresult2("DH_generate_parameters_"
+						       "ex",
+						       DST_R_OPENSSLFAILURE));
+		}
+		BN_GENCB_free(cb);
+		cb = NULL;
+	}
+
+	if (DH_generate_key(dh) == 0) {
+		DH_free(dh);
+		return (dst__openssl_toresult2("DH_generate_key",
+					       DST_R_OPENSSLFAILURE));
+	}
+	DH_clear_flags(dh, DH_FLAG_CACHE_MONT_P);
+	key->keydata.dh = dh;
+
+	return (ISC_R_SUCCESS);
+}
+
+static bool
+openssldh_isprivate(const dst_key_t *key) {
+	DH *dh = key->keydata.dh;
+	const BIGNUM *priv_key = NULL;
+
+	DH_get0_key(dh, NULL, &priv_key);
+	return (dh != NULL && priv_key != NULL);
+}
+
+static void
+openssldh_destroy(dst_key_t *key) {
+	DH *dh = key->keydata.dh;
+
+	if (dh == NULL) {
+		return;
+	}
+
+	DH_free(dh);
+	key->keydata.dh = NULL;
+}
+
+static void
+uint16_toregion(uint16_t val, isc_region_t *region) {
+	*region->base = (val & 0xff00) >> 8;
+	isc_region_consume(region, 1);
+	*region->base = (val & 0x00ff);
+	isc_region_consume(region, 1);
+}
+
+static uint16_t
+uint16_fromregion(isc_region_t *region) {
+	uint16_t val;
+	unsigned char *cp = region->base;
+
+	val = ((unsigned int)(cp[0])) << 8;
+	val |= ((unsigned int)(cp[1]));
+
+	isc_region_consume(region, 2);
+
+	return (val);
+}
+
+static isc_result_t
+openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
+	DH *dh;
+	const BIGNUM *pub_key = NULL, *p = NULL, *g = NULL;
+	isc_region_t r;
+	uint16_t dnslen, plen, glen, publen;
+
+	REQUIRE(key->keydata.dh != NULL);
+
+	dh = key->keydata.dh;
+
+	isc_buffer_availableregion(data, &r);
+
+	DH_get0_pqg(dh, &p, NULL, &g);
+	if (BN_cmp(g, bn2) == 0 &&
+	    (BN_cmp(p, bn768) == 0 || BN_cmp(p, bn1024) == 0 ||
+	     BN_cmp(p, bn1536) == 0))
+	{
+		plen = 1;
+		glen = 0;
+	} else {
+		plen = BN_num_bytes(p);
+		glen = BN_num_bytes(g);
+	}
+	DH_get0_key(dh, &pub_key, NULL);
+	publen = BN_num_bytes(pub_key);
+	dnslen = plen + glen + publen + 6;
+	if (r.length < (unsigned int)dnslen) {
+		return (ISC_R_NOSPACE);
+	}
+
+	uint16_toregion(plen, &r);
+	if (plen == 1) {
+		if (BN_cmp(p, bn768) == 0) {
+			*r.base = 1;
+		} else if (BN_cmp(p, bn1024) == 0) {
+			*r.base = 2;
+		} else {
+			*r.base = 3;
+		}
+	} else {
+		BN_bn2bin(p, r.base);
+	}
+	isc_region_consume(&r, plen);
+
+	uint16_toregion(glen, &r);
+	if (glen > 0) {
+		BN_bn2bin(g, r.base);
+	}
+	isc_region_consume(&r, glen);
+
+	uint16_toregion(publen, &r);
+	BN_bn2bin(pub_key, r.base);
+	isc_region_consume(&r, publen);
+
+	isc_buffer_add(data, dnslen);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
+	DH *dh;
+	BIGNUM *pub_key = NULL, *p = NULL, *g = NULL;
+	isc_region_t r;
+	uint16_t plen, glen, publen;
+	int special = 0;
+
+	isc_buffer_remainingregion(data, &r);
+	if (r.length == 0) {
+		return (ISC_R_SUCCESS);
+	}
+
+	dh = DH_new();
+	if (dh == NULL) {
+		return (dst__openssl_toresult(ISC_R_NOMEMORY));
+	}
+	DH_clear_flags(dh, DH_FLAG_CACHE_MONT_P);
+
+	/*
+	 * Read the prime length.  1 & 2 are table entries, > 16 means a
+	 * prime follows, otherwise an error.
+	 */
+	if (r.length < 2) {
+		DH_free(dh);
+		return (DST_R_INVALIDPUBLICKEY);
+	}
+	plen = uint16_fromregion(&r);
+	if (plen < 16 && plen != 1 && plen != 2) {
+		DH_free(dh);
+		return (DST_R_INVALIDPUBLICKEY);
+	}
+	if (r.length < plen) {
+		DH_free(dh);
+		return (DST_R_INVALIDPUBLICKEY);
+	}
+	if (plen == 1 || plen == 2) {
+		if (plen == 1) {
+			special = *r.base;
+			isc_region_consume(&r, 1);
+		} else {
+			special = uint16_fromregion(&r);
+		}
+		switch (special) {
+		case 1:
+			p = BN_dup(bn768);
+			break;
+		case 2:
+			p = BN_dup(bn1024);
+			break;
+		case 3:
+			p = BN_dup(bn1536);
+			break;
+		default:
+			DH_free(dh);
+			return (DST_R_INVALIDPUBLICKEY);
+		}
+	} else {
+		p = BN_bin2bn(r.base, plen, NULL);
+		isc_region_consume(&r, plen);
+	}
+
+	/*
+	 * Read the generator length.  This should be 0 if the prime was
+	 * special, but it might not be.  If it's 0 and the prime is not
+	 * special, we have a problem.
+	 */
+	if (r.length < 2) {
+		DH_free(dh);
+		return (DST_R_INVALIDPUBLICKEY);
+	}
+	glen = uint16_fromregion(&r);
+	if (r.length < glen) {
+		DH_free(dh);
+		return (DST_R_INVALIDPUBLICKEY);
+	}
+	if (special != 0) {
+		if (glen == 0) {
+			g = BN_dup(bn2);
+		} else {
+			g = BN_bin2bn(r.base, glen, NULL);
+			if (g != NULL && BN_cmp(g, bn2) != 0) {
+				DH_free(dh);
+				BN_free(g);
+				return (DST_R_INVALIDPUBLICKEY);
+			}
+		}
+	} else {
+		if (glen == 0) {
+			DH_free(dh);
+			return (DST_R_INVALIDPUBLICKEY);
+		}
+		g = BN_bin2bn(r.base, glen, NULL);
+	}
+	isc_region_consume(&r, glen);
+
+	if (p == NULL || g == NULL) {
+		DH_free(dh);
+		if (p != NULL) {
+			BN_free(p);
+		}
+		if (g != NULL) {
+			BN_free(g);
+		}
+		return (dst__openssl_toresult(ISC_R_NOMEMORY));
+	}
+	DH_set0_pqg(dh, p, NULL, g);
+
+	if (r.length < 2) {
+		DH_free(dh);
+		return (DST_R_INVALIDPUBLICKEY);
+	}
+	publen = uint16_fromregion(&r);
+	if (r.length < publen) {
+		DH_free(dh);
+		return (DST_R_INVALIDPUBLICKEY);
+	}
+	pub_key = BN_bin2bn(r.base, publen, NULL);
+	if (pub_key == NULL) {
+		DH_free(dh);
+		return (dst__openssl_toresult(ISC_R_NOMEMORY));
+	}
+#if (LIBRESSL_VERSION_NUMBER >= 0x2070000fL) && \
+	(LIBRESSL_VERSION_NUMBER <= 0x2070200fL)
+	/*
+	 * LibreSSL << 2.7.3 DH_get0_key requires priv_key to be set when
+	 * DH structure is empty, hence we cannot use DH_get0_key().
+	 */
+	dh->pub_key = pub_key;
+#else  /* LIBRESSL_VERSION_NUMBER */
+	DH_set0_key(dh, pub_key, NULL);
+#endif /* LIBRESSL_VERSION_NUMBER */
+	isc_region_consume(&r, publen);
+
+	key->key_size = BN_num_bits(p);
+
+	isc_buffer_forward(data, plen + glen + publen + 6);
+
+	key->keydata.dh = dh;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+openssldh_tofile(const dst_key_t *key, const char *directory) {
+	int i;
+	DH *dh;
+	const BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL;
+	dst_private_t priv;
+	unsigned char *bufs[4];
+	isc_result_t result;
+
+	if (key->keydata.dh == NULL) {
+		return (DST_R_NULLKEY);
+	}
+
+	if (key->external) {
+		return (DST_R_EXTERNALKEY);
+	}
+
+	dh = key->keydata.dh;
+	DH_get0_key(dh, &pub_key, &priv_key);
+	DH_get0_pqg(dh, &p, NULL, &g);
+
+	memset(bufs, 0, sizeof(bufs));
+	for (i = 0; i < 4; i++) {
+		bufs[i] = isc_mem_get(key->mctx, BN_num_bytes(p));
+	}
+
+	i = 0;
+
+	priv.elements[i].tag = TAG_DH_PRIME;
+	priv.elements[i].length = BN_num_bytes(p);
+	BN_bn2bin(p, bufs[i]);
+	priv.elements[i].data = bufs[i];
+	i++;
+
+	priv.elements[i].tag = TAG_DH_GENERATOR;
+	priv.elements[i].length = BN_num_bytes(g);
+	BN_bn2bin(g, bufs[i]);
+	priv.elements[i].data = bufs[i];
+	i++;
+
+	priv.elements[i].tag = TAG_DH_PRIVATE;
+	priv.elements[i].length = BN_num_bytes(priv_key);
+	BN_bn2bin(priv_key, bufs[i]);
+	priv.elements[i].data = bufs[i];
+	i++;
+
+	priv.elements[i].tag = TAG_DH_PUBLIC;
+	priv.elements[i].length = BN_num_bytes(pub_key);
+	BN_bn2bin(pub_key, bufs[i]);
+	priv.elements[i].data = bufs[i];
+	i++;
+
+	priv.nelements = i;
+	result = dst__privstruct_writefile(key, &priv, directory);
+
+	for (i = 0; i < 4; i++) {
+		if (bufs[i] == NULL) {
+			break;
+		}
+		isc_mem_put(key->mctx, bufs[i], BN_num_bytes(p));
+	}
+	return (result);
+}
+
+static isc_result_t
+openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+	dst_private_t priv;
+	isc_result_t ret;
+	int i;
+	DH *dh = NULL;
+	BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL;
+	isc_mem_t *mctx;
+#define DST_RET(a)        \
+	{                 \
+		ret = a;  \
+		goto err; \
+	}
+
+	UNUSED(pub);
+	mctx = key->mctx;
+
+	/* read private key file */
+	ret = dst__privstruct_parse(key, DST_ALG_DH, lexer, mctx, &priv);
+	if (ret != ISC_R_SUCCESS) {
+		return (ret);
+	}
+
+	if (key->external) {
+		DST_RET(DST_R_EXTERNALKEY);
+	}
+
+	dh = DH_new();
+	if (dh == NULL) {
+		DST_RET(ISC_R_NOMEMORY);
+	}
+	DH_clear_flags(dh, DH_FLAG_CACHE_MONT_P);
+	key->keydata.dh = dh;
+
+	for (i = 0; i < priv.nelements; i++) {
+		BIGNUM *bn;
+		bn = BN_bin2bn(priv.elements[i].data, priv.elements[i].length,
+			       NULL);
+		if (bn == NULL) {
+			DST_RET(ISC_R_NOMEMORY);
+		}
+
+		switch (priv.elements[i].tag) {
+		case TAG_DH_PRIME:
+			p = bn;
+			break;
+		case TAG_DH_GENERATOR:
+			g = bn;
+			break;
+		case TAG_DH_PRIVATE:
+			priv_key = bn;
+			break;
+		case TAG_DH_PUBLIC:
+			pub_key = bn;
+			break;
+		}
+	}
+	dst__privstruct_free(&priv, mctx);
+	DH_set0_key(dh, pub_key, priv_key);
+	DH_set0_pqg(dh, p, NULL, g);
+
+	key->key_size = BN_num_bits(p);
+	return (ISC_R_SUCCESS);
+
+err:
+	if (p != NULL) {
+		BN_free(p);
+	}
+	if (g != NULL) {
+		BN_free(g);
+	}
+	if (pub_key != NULL) {
+		BN_free(pub_key);
+	}
+	if (priv_key != NULL) {
+		BN_free(priv_key);
+	}
+	openssldh_destroy(key);
+	dst__privstruct_free(&priv, mctx);
+	isc_safe_memwipe(&priv, sizeof(priv));
+	return (ret);
+}
+
+static void
+openssldh_cleanup(void) {
+	BN_free(bn2);
+	bn2 = NULL;
+
+	BN_free(bn768);
+	bn768 = NULL;
+
+	BN_free(bn1024);
+	bn1024 = NULL;
+
+	BN_free(bn1536);
+	bn1536 = NULL;
+}
+
+static dst_func_t openssldh_functions = {
+	NULL, /*%< createctx */
+	NULL, /*%< createctx2 */
+	NULL, /*%< destroyctx */
+	NULL, /*%< adddata */
+	NULL, /*%< openssldh_sign */
+	NULL, /*%< openssldh_verify */
+	NULL, /*%< openssldh_verify2 */
+	openssldh_computesecret,
+	openssldh_compare,
+	openssldh_paramcompare,
+	openssldh_generate,
+	openssldh_isprivate,
+	openssldh_destroy,
+	openssldh_todns,
+	openssldh_fromdns,
+	openssldh_tofile,
+	openssldh_parse,
+	openssldh_cleanup,
+	NULL, /*%< fromlabel */
+	NULL, /*%< dump */
+	NULL, /*%< restore */
+};
+
+isc_result_t
+dst__openssldh_init(dst_func_t **funcp) {
+	REQUIRE(funcp != NULL);
+	if (*funcp == NULL) {
+		if (BN_hex2bn(&bn2, PRIME2) == 0 || bn2 == NULL) {
+			goto cleanup;
+		}
+		if (BN_hex2bn(&bn768, PRIME768) == 0 || bn768 == NULL) {
+			goto cleanup;
+		}
+		if (BN_hex2bn(&bn1024, PRIME1024) == 0 || bn1024 == NULL) {
+			goto cleanup;
+		}
+		if (BN_hex2bn(&bn1536, PRIME1536) == 0 || bn1536 == NULL) {
+			goto cleanup;
+		}
+		*funcp = &openssldh_functions;
+	}
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	if (bn2 != NULL) {
+		BN_free(bn2);
+	}
+	if (bn768 != NULL) {
+		BN_free(bn768);
+	}
+	if (bn1024 != NULL) {
+		BN_free(bn1024);
+	}
+	if (bn1536 != NULL) {
+		BN_free(bn1536);
+	}
+	return (ISC_R_NOMEMORY);
+}
diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
new file mode 100644
index 0000000..e9f5185
--- /dev/null
+++ b/lib/dns/opensslecdsa_link.c
@@ -0,0 +1,905 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#if !USE_PKCS11
+
+#include <stdbool.h>
+
+#include <openssl/bn.h>
+#include <openssl/ecdsa.h>
+#include <openssl/err.h>
+#include <openssl/objects.h>
+#if !defined(OPENSSL_NO_ENGINE)
+#include <openssl/engine.h>
+#endif
+
+#include <isc/mem.h>
+#include <isc/safe.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/keyvalues.h>
+
+#include <dst/result.h>
+
+#include "dst_internal.h"
+#include "dst_openssl.h"
+#include "dst_parse.h"
+
+#ifndef NID_X9_62_prime256v1
+#error "P-256 group is not known (NID_X9_62_prime256v1)"
+#endif /* ifndef NID_X9_62_prime256v1 */
+#ifndef NID_secp384r1
+#error "P-384 group is not known (NID_secp384r1)"
+#endif /* ifndef NID_secp384r1 */
+
+#define DST_RET(a)        \
+	{                 \
+		ret = a;  \
+		goto err; \
+	}
+
+#if !HAVE_ECDSA_SIG_GET0
+/* From OpenSSL 1.1 */
+static void
+ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {
+	if (pr != NULL) {
+		*pr = sig->r;
+	}
+	if (ps != NULL) {
+		*ps = sig->s;
+	}
+}
+
+static int
+ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) {
+	if (r == NULL || s == NULL) {
+		return (0);
+	}
+
+	BN_clear_free(sig->r);
+	BN_clear_free(sig->s);
+	sig->r = r;
+	sig->s = s;
+
+	return (1);
+}
+#endif /* !HAVE_ECDSA_SIG_GET0 */
+
+static isc_result_t
+opensslecdsa_createctx(dst_key_t *key, dst_context_t *dctx) {
+	EVP_MD_CTX *evp_md_ctx;
+	const EVP_MD *type = NULL;
+
+	UNUSED(key);
+	REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 ||
+		dctx->key->key_alg == DST_ALG_ECDSA384);
+
+	evp_md_ctx = EVP_MD_CTX_create();
+	if (evp_md_ctx == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+	if (dctx->key->key_alg == DST_ALG_ECDSA256) {
+		type = EVP_sha256();
+	} else {
+		type = EVP_sha384();
+	}
+
+	if (!EVP_DigestInit_ex(evp_md_ctx, type, NULL)) {
+		EVP_MD_CTX_destroy(evp_md_ctx);
+		return (dst__openssl_toresult3(
+			dctx->category, "EVP_DigestInit_ex", ISC_R_FAILURE));
+	}
+
+	dctx->ctxdata.evp_md_ctx = evp_md_ctx;
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+opensslecdsa_destroyctx(dst_context_t *dctx) {
+	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+
+	REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 ||
+		dctx->key->key_alg == DST_ALG_ECDSA384);
+
+	if (evp_md_ctx != NULL) {
+		EVP_MD_CTX_destroy(evp_md_ctx);
+		dctx->ctxdata.evp_md_ctx = NULL;
+	}
+}
+
+static isc_result_t
+opensslecdsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
+	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+
+	REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 ||
+		dctx->key->key_alg == DST_ALG_ECDSA384);
+
+	if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length)) {
+		return (dst__openssl_toresult3(
+			dctx->category, "EVP_DigestUpdate", ISC_R_FAILURE));
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static int
+BN_bn2bin_fixed(const BIGNUM *bn, unsigned char *buf, int size) {
+	int bytes = size - BN_num_bytes(bn);
+
+	while (bytes-- > 0) {
+		*buf++ = 0;
+	}
+	BN_bn2bin(bn, buf);
+	return (size);
+}
+
+static isc_result_t
+opensslecdsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+	isc_result_t ret;
+	dst_key_t *key = dctx->key;
+	isc_region_t region;
+	ECDSA_SIG *ecdsasig;
+	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+	EVP_PKEY *pkey = key->keydata.pkey;
+	EC_KEY *eckey = EVP_PKEY_get1_EC_KEY(pkey);
+	unsigned int dgstlen, siglen;
+	unsigned char digest[EVP_MAX_MD_SIZE];
+	const BIGNUM *r, *s;
+
+	REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
+		key->key_alg == DST_ALG_ECDSA384);
+
+	if (eckey == NULL) {
+		return (ISC_R_FAILURE);
+	}
+
+	if (key->key_alg == DST_ALG_ECDSA256) {
+		siglen = DNS_SIG_ECDSA256SIZE;
+	} else {
+		siglen = DNS_SIG_ECDSA384SIZE;
+	}
+
+	isc_buffer_availableregion(sig, &region);
+	if (region.length < siglen) {
+		DST_RET(ISC_R_NOSPACE);
+	}
+
+	if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen)) {
+		DST_RET(dst__openssl_toresult3(
+			dctx->category, "EVP_DigestFinal_ex", ISC_R_FAILURE));
+	}
+
+	ecdsasig = ECDSA_do_sign(digest, dgstlen, eckey);
+	if (ecdsasig == NULL) {
+		DST_RET(dst__openssl_toresult3(dctx->category, "ECDSA_do_sign",
+					       DST_R_SIGNFAILURE));
+	}
+	ECDSA_SIG_get0(ecdsasig, &r, &s);
+	BN_bn2bin_fixed(r, region.base, siglen / 2);
+	isc_region_consume(&region, siglen / 2);
+	BN_bn2bin_fixed(s, region.base, siglen / 2);
+	isc_region_consume(&region, siglen / 2);
+	ECDSA_SIG_free(ecdsasig);
+	isc_buffer_add(sig, siglen);
+	ret = ISC_R_SUCCESS;
+
+err:
+	EC_KEY_free(eckey);
+	return (ret);
+}
+
+static isc_result_t
+opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+	isc_result_t ret;
+	dst_key_t *key = dctx->key;
+	int status;
+	unsigned char *cp = sig->base;
+	ECDSA_SIG *ecdsasig = NULL;
+	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+	EVP_PKEY *pkey = key->keydata.pkey;
+	EC_KEY *eckey = EVP_PKEY_get1_EC_KEY(pkey);
+	unsigned int dgstlen, siglen;
+	unsigned char digest[EVP_MAX_MD_SIZE];
+	BIGNUM *r = NULL, *s = NULL;
+
+	REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
+		key->key_alg == DST_ALG_ECDSA384);
+
+	if (eckey == NULL) {
+		return (ISC_R_FAILURE);
+	}
+
+	if (key->key_alg == DST_ALG_ECDSA256) {
+		siglen = DNS_SIG_ECDSA256SIZE;
+	} else {
+		siglen = DNS_SIG_ECDSA384SIZE;
+	}
+
+	if (sig->length != siglen) {
+		DST_RET(DST_R_VERIFYFAILURE);
+	}
+
+	if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen)) {
+		DST_RET(dst__openssl_toresult3(
+			dctx->category, "EVP_DigestFinal_ex", ISC_R_FAILURE));
+	}
+
+	ecdsasig = ECDSA_SIG_new();
+	if (ecdsasig == NULL) {
+		DST_RET(ISC_R_NOMEMORY);
+	}
+	r = BN_bin2bn(cp, siglen / 2, NULL);
+	cp += siglen / 2;
+	s = BN_bin2bn(cp, siglen / 2, NULL);
+	ECDSA_SIG_set0(ecdsasig, r, s);
+	/* cp += siglen / 2; */
+
+	status = ECDSA_do_verify(digest, dgstlen, ecdsasig, eckey);
+	switch (status) {
+	case 1:
+		ret = ISC_R_SUCCESS;
+		break;
+	case 0:
+		ret = dst__openssl_toresult(DST_R_VERIFYFAILURE);
+		break;
+	default:
+		ret = dst__openssl_toresult3(dctx->category, "ECDSA_do_verify",
+					     DST_R_VERIFYFAILURE);
+		break;
+	}
+
+err:
+	if (ecdsasig != NULL) {
+		ECDSA_SIG_free(ecdsasig);
+	}
+	EC_KEY_free(eckey);
+	return (ret);
+}
+
+static bool
+opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
+	bool ret;
+	int status;
+	EVP_PKEY *pkey1 = key1->keydata.pkey;
+	EVP_PKEY *pkey2 = key2->keydata.pkey;
+	EC_KEY *eckey1 = NULL;
+	EC_KEY *eckey2 = NULL;
+	const BIGNUM *priv1, *priv2;
+
+	if (pkey1 == NULL && pkey2 == NULL) {
+		return (true);
+	} else if (pkey1 == NULL || pkey2 == NULL) {
+		return (false);
+	}
+
+	eckey1 = EVP_PKEY_get1_EC_KEY(pkey1);
+	eckey2 = EVP_PKEY_get1_EC_KEY(pkey2);
+	if (eckey1 == NULL && eckey2 == NULL) {
+		DST_RET(true);
+	} else if (eckey1 == NULL || eckey2 == NULL) {
+		DST_RET(false);
+	}
+
+	status = EVP_PKEY_cmp(pkey1, pkey2);
+	if (status != 1) {
+		DST_RET(false);
+	}
+
+	priv1 = EC_KEY_get0_private_key(eckey1);
+	priv2 = EC_KEY_get0_private_key(eckey2);
+	if (priv1 != NULL || priv2 != NULL) {
+		if (priv1 == NULL || priv2 == NULL) {
+			DST_RET(false);
+		}
+		if (BN_cmp(priv1, priv2) != 0) {
+			DST_RET(false);
+		}
+	}
+	ret = true;
+
+err:
+	if (eckey1 != NULL) {
+		EC_KEY_free(eckey1);
+	}
+	if (eckey2 != NULL) {
+		EC_KEY_free(eckey2);
+	}
+	return (ret);
+}
+
+static isc_result_t
+opensslecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
+	isc_result_t ret;
+	EVP_PKEY *pkey;
+	EC_KEY *eckey = NULL;
+	int group_nid;
+
+	REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
+		key->key_alg == DST_ALG_ECDSA384);
+	UNUSED(unused);
+	UNUSED(callback);
+
+	if (key->key_alg == DST_ALG_ECDSA256) {
+		group_nid = NID_X9_62_prime256v1;
+		key->key_size = DNS_KEY_ECDSA256SIZE * 4;
+	} else {
+		group_nid = NID_secp384r1;
+		key->key_size = DNS_KEY_ECDSA384SIZE * 4;
+	}
+
+	eckey = EC_KEY_new_by_curve_name(group_nid);
+	if (eckey == NULL) {
+		return (dst__openssl_toresult2("EC_KEY_new_by_curve_name",
+					       DST_R_OPENSSLFAILURE));
+	}
+
+	if (EC_KEY_generate_key(eckey) != 1) {
+		DST_RET(dst__openssl_toresult2("EC_KEY_generate_key",
+					       DST_R_OPENSSLFAILURE));
+	}
+
+	pkey = EVP_PKEY_new();
+	if (pkey == NULL) {
+		DST_RET(ISC_R_NOMEMORY);
+	}
+	if (!EVP_PKEY_set1_EC_KEY(pkey, eckey)) {
+		EVP_PKEY_free(pkey);
+		DST_RET(ISC_R_FAILURE);
+	}
+	key->keydata.pkey = pkey;
+	ret = ISC_R_SUCCESS;
+
+err:
+	EC_KEY_free(eckey);
+	return (ret);
+}
+
+static bool
+opensslecdsa_isprivate(const dst_key_t *key) {
+	bool ret;
+	EVP_PKEY *pkey = key->keydata.pkey;
+	EC_KEY *eckey = EVP_PKEY_get1_EC_KEY(pkey);
+
+	ret = (eckey != NULL && EC_KEY_get0_private_key(eckey) != NULL);
+	if (eckey != NULL) {
+		EC_KEY_free(eckey);
+	}
+	return (ret);
+}
+
+static void
+opensslecdsa_destroy(dst_key_t *key) {
+	EVP_PKEY *pkey = key->keydata.pkey;
+
+	EVP_PKEY_free(pkey);
+	key->keydata.pkey = NULL;
+}
+
+static isc_result_t
+opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) {
+	isc_result_t ret;
+	EVP_PKEY *pkey;
+	EC_KEY *eckey = NULL;
+	isc_region_t r;
+	int len;
+	unsigned char *cp;
+	unsigned char buf[DNS_KEY_ECDSA384SIZE + 1];
+
+	REQUIRE(key->keydata.pkey != NULL);
+
+	pkey = key->keydata.pkey;
+	eckey = EVP_PKEY_get1_EC_KEY(pkey);
+	if (eckey == NULL) {
+		return (dst__openssl_toresult(ISC_R_FAILURE));
+	}
+	len = i2o_ECPublicKey(eckey, NULL);
+	/* skip form */
+	len--;
+
+	isc_buffer_availableregion(data, &r);
+	if (r.length < (unsigned int)len) {
+		DST_RET(ISC_R_NOSPACE);
+	}
+	cp = buf;
+	if (!i2o_ECPublicKey(eckey, &cp)) {
+		DST_RET(dst__openssl_toresult(ISC_R_FAILURE));
+	}
+	memmove(r.base, buf + 1, len);
+	isc_buffer_add(data, len);
+	ret = ISC_R_SUCCESS;
+
+err:
+	EC_KEY_free(eckey);
+	return (ret);
+}
+
+static isc_result_t
+opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+	isc_result_t ret;
+	EVP_PKEY *pkey;
+	EC_KEY *eckey = NULL;
+	isc_region_t r;
+	int group_nid;
+	unsigned int len;
+	const unsigned char *cp;
+	unsigned char buf[DNS_KEY_ECDSA384SIZE + 1];
+
+	REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
+		key->key_alg == DST_ALG_ECDSA384);
+
+	if (key->key_alg == DST_ALG_ECDSA256) {
+		len = DNS_KEY_ECDSA256SIZE;
+		group_nid = NID_X9_62_prime256v1;
+	} else {
+		len = DNS_KEY_ECDSA384SIZE;
+		group_nid = NID_secp384r1;
+	}
+
+	isc_buffer_remainingregion(data, &r);
+	if (r.length == 0) {
+		return (ISC_R_SUCCESS);
+	}
+	if (r.length < len) {
+		return (DST_R_INVALIDPUBLICKEY);
+	}
+
+	eckey = EC_KEY_new_by_curve_name(group_nid);
+	if (eckey == NULL) {
+		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+	}
+
+	buf[0] = POINT_CONVERSION_UNCOMPRESSED;
+	memmove(buf + 1, r.base, len);
+	cp = buf;
+	if (o2i_ECPublicKey(&eckey, (const unsigned char **)&cp,
+			    (long)len + 1) == NULL)
+	{
+		DST_RET(dst__openssl_toresult(DST_R_INVALIDPUBLICKEY));
+	}
+	if (EC_KEY_check_key(eckey) != 1) {
+		DST_RET(dst__openssl_toresult(DST_R_INVALIDPUBLICKEY));
+	}
+
+	pkey = EVP_PKEY_new();
+	if (pkey == NULL) {
+		DST_RET(ISC_R_NOMEMORY);
+	}
+	if (!EVP_PKEY_set1_EC_KEY(pkey, eckey)) {
+		EVP_PKEY_free(pkey);
+		DST_RET(dst__openssl_toresult(ISC_R_FAILURE));
+	}
+
+	isc_buffer_forward(data, len);
+	key->keydata.pkey = pkey;
+	key->key_size = len * 4;
+	ret = ISC_R_SUCCESS;
+
+err:
+	if (eckey != NULL) {
+		EC_KEY_free(eckey);
+	}
+	return (ret);
+}
+
+static isc_result_t
+opensslecdsa_tofile(const dst_key_t *key, const char *directory) {
+	isc_result_t ret;
+	EVP_PKEY *pkey;
+	EC_KEY *eckey = NULL;
+	const BIGNUM *privkey;
+	dst_private_t priv;
+	unsigned char *buf = NULL;
+	unsigned short i;
+
+	if (key->keydata.pkey == NULL) {
+		return (DST_R_NULLKEY);
+	}
+
+	if (key->external) {
+		priv.nelements = 0;
+		return (dst__privstruct_writefile(key, &priv, directory));
+	}
+
+	pkey = key->keydata.pkey;
+	eckey = EVP_PKEY_get1_EC_KEY(pkey);
+	if (eckey == NULL) {
+		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+	}
+	privkey = EC_KEY_get0_private_key(eckey);
+	if (privkey == NULL) {
+		ret = dst__openssl_toresult(DST_R_OPENSSLFAILURE);
+		goto err;
+	}
+
+	buf = isc_mem_get(key->mctx, BN_num_bytes(privkey));
+
+	i = 0;
+
+	priv.elements[i].tag = TAG_ECDSA_PRIVATEKEY;
+	priv.elements[i].length = BN_num_bytes(privkey);
+	BN_bn2bin(privkey, buf);
+	priv.elements[i].data = buf;
+	i++;
+
+	if (key->engine != NULL) {
+		priv.elements[i].tag = TAG_ECDSA_ENGINE;
+		priv.elements[i].length = (unsigned short)strlen(key->engine) +
+					  1;
+		priv.elements[i].data = (unsigned char *)key->engine;
+		i++;
+	}
+
+	if (key->label != NULL) {
+		priv.elements[i].tag = TAG_ECDSA_LABEL;
+		priv.elements[i].length = (unsigned short)strlen(key->label) +
+					  1;
+		priv.elements[i].data = (unsigned char *)key->label;
+		i++;
+	}
+
+	priv.nelements = i;
+	ret = dst__privstruct_writefile(key, &priv, directory);
+
+err:
+	EC_KEY_free(eckey);
+	if (buf != NULL) {
+		isc_mem_put(key->mctx, buf, BN_num_bytes(privkey));
+	}
+	return (ret);
+}
+
+static isc_result_t
+ecdsa_check(EC_KEY *eckey, EC_KEY *pubeckey) {
+	const EC_POINT *pubkey;
+
+	pubkey = EC_KEY_get0_public_key(eckey);
+	if (pubkey != NULL) {
+		return (ISC_R_SUCCESS);
+	} else if (pubeckey != NULL) {
+		pubkey = EC_KEY_get0_public_key(pubeckey);
+		if (pubkey == NULL) {
+			return (ISC_R_SUCCESS);
+		}
+		if (EC_KEY_set_public_key(eckey, pubkey) != 1) {
+			return (ISC_R_SUCCESS);
+		}
+	}
+	if (EC_KEY_check_key(eckey) == 1) {
+		return (ISC_R_SUCCESS);
+	}
+	return (ISC_R_FAILURE);
+}
+
+static isc_result_t
+load_privkey_from_privstruct(EC_KEY *eckey, dst_private_t *priv) {
+	BIGNUM *privkey = BN_bin2bn(priv->elements[0].data,
+				    priv->elements[0].length, NULL);
+	isc_result_t result = ISC_R_SUCCESS;
+
+	if (privkey == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	if (!EC_KEY_set_private_key(eckey, privkey)) {
+		result = ISC_R_NOMEMORY;
+	}
+
+	BN_clear_free(privkey);
+	return (result);
+}
+
+static isc_result_t
+eckey_to_pkey(EC_KEY *eckey, EVP_PKEY **pkey) {
+	REQUIRE(pkey != NULL && *pkey == NULL);
+
+	*pkey = EVP_PKEY_new();
+	if (*pkey == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+	if (!EVP_PKEY_set1_EC_KEY(*pkey, eckey)) {
+		EVP_PKEY_free(*pkey);
+		*pkey = NULL;
+		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+finalize_eckey(dst_key_t *key, EC_KEY *eckey, const char *engine,
+	       const char *label) {
+	isc_result_t result = ISC_R_SUCCESS;
+	EVP_PKEY *pkey = NULL;
+
+	result = eckey_to_pkey(eckey, &pkey);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	key->keydata.pkey = pkey;
+
+	if (label != NULL) {
+		key->label = isc_mem_strdup(key->mctx, label);
+		key->engine = isc_mem_strdup(key->mctx, engine);
+	}
+
+	if (key->key_alg == DST_ALG_ECDSA256) {
+		key->key_size = DNS_KEY_ECDSA256SIZE * 4;
+	} else {
+		key->key_size = DNS_KEY_ECDSA384SIZE * 4;
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dst__key_to_eckey(dst_key_t *key, EC_KEY **eckey) {
+	REQUIRE(eckey != NULL && *eckey == NULL);
+
+	int group_nid;
+	switch (key->key_alg) {
+	case DST_ALG_ECDSA256:
+		group_nid = NID_X9_62_prime256v1;
+		break;
+	case DST_ALG_ECDSA384:
+		group_nid = NID_secp384r1;
+		break;
+	default:
+		UNREACHABLE();
+	}
+	*eckey = EC_KEY_new_by_curve_name(group_nid);
+	if (*eckey == NULL) {
+		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+		       const char *pin);
+
+static isc_result_t
+opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+	dst_private_t priv;
+	isc_result_t result = ISC_R_SUCCESS;
+	EC_KEY *eckey = NULL;
+	EC_KEY *pubeckey = NULL;
+	const char *engine = NULL;
+	const char *label = NULL;
+	int i, privkey_index = -1;
+	bool finalize_key = false;
+
+	/* read private key file */
+	result = dst__privstruct_parse(key, DST_ALG_ECDSA256, lexer, key->mctx,
+				       &priv);
+	if (result != ISC_R_SUCCESS) {
+		goto end;
+	}
+
+	if (key->external) {
+		if (priv.nelements != 0 || pub == NULL) {
+			result = DST_R_INVALIDPRIVATEKEY;
+			goto end;
+		}
+		key->keydata.pkey = pub->keydata.pkey;
+		pub->keydata.pkey = NULL;
+		goto end;
+	}
+
+	for (i = 0; i < priv.nelements; i++) {
+		switch (priv.elements[i].tag) {
+		case TAG_ECDSA_ENGINE:
+			engine = (char *)priv.elements[i].data;
+			break;
+		case TAG_ECDSA_LABEL:
+			label = (char *)priv.elements[i].data;
+			break;
+		case TAG_ECDSA_PRIVATEKEY:
+			privkey_index = i;
+			break;
+		default:
+			break;
+		}
+	}
+
+	if (privkey_index < 0) {
+		result = DST_R_INVALIDPRIVATEKEY;
+		goto end;
+	}
+
+	if (label != NULL) {
+		result = opensslecdsa_fromlabel(key, engine, label, NULL);
+		if (result != ISC_R_SUCCESS) {
+			goto end;
+		}
+
+		eckey = EVP_PKEY_get1_EC_KEY(key->keydata.pkey);
+		if (eckey == NULL) {
+			result = dst__openssl_toresult(DST_R_OPENSSLFAILURE);
+			goto end;
+		}
+
+	} else {
+		result = dst__key_to_eckey(key, &eckey);
+		if (result != ISC_R_SUCCESS) {
+			goto end;
+		}
+
+		result = load_privkey_from_privstruct(eckey, &priv);
+		if (result != ISC_R_SUCCESS) {
+			goto end;
+		}
+
+		finalize_key = true;
+	}
+
+	if (pub != NULL && pub->keydata.pkey != NULL) {
+		pubeckey = EVP_PKEY_get1_EC_KEY(pub->keydata.pkey);
+	}
+
+	if (ecdsa_check(eckey, pubeckey) != ISC_R_SUCCESS) {
+		result = DST_R_INVALIDPRIVATEKEY;
+		goto end;
+	}
+
+	if (finalize_key) {
+		result = finalize_eckey(key, eckey, engine, label);
+	}
+
+end:
+	if (pubeckey != NULL) {
+		EC_KEY_free(pubeckey);
+	}
+	if (eckey != NULL) {
+		EC_KEY_free(eckey);
+	}
+	dst__privstruct_free(&priv, key->mctx);
+	isc_safe_memwipe(&priv, sizeof(priv));
+	return (result);
+}
+
+static isc_result_t
+opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+		       const char *pin) {
+#if !defined(OPENSSL_NO_ENGINE)
+	isc_result_t ret = ISC_R_SUCCESS;
+	ENGINE *e;
+	EC_KEY *eckey = NULL;
+	EC_KEY *pubeckey = NULL;
+	EVP_PKEY *pkey = NULL;
+	EVP_PKEY *pubkey = NULL;
+	int group_nid = 0;
+
+	UNUSED(pin);
+
+	if (engine == NULL || label == NULL) {
+		return (DST_R_NOENGINE);
+	}
+	e = dst__openssl_getengine(engine);
+	if (e == NULL) {
+		return (DST_R_NOENGINE);
+	}
+
+	if (key->key_alg == DST_ALG_ECDSA256) {
+		group_nid = NID_X9_62_prime256v1;
+	} else {
+		group_nid = NID_secp384r1;
+	}
+
+	/* Load private key. */
+	pkey = ENGINE_load_private_key(e, label, NULL, NULL);
+	if (pkey == NULL) {
+		return (dst__openssl_toresult2("ENGINE_load_private_key",
+					       DST_R_OPENSSLFAILURE));
+	}
+	/* Check base id, group nid */
+	if (EVP_PKEY_base_id(pkey) != EVP_PKEY_EC) {
+		DST_RET(DST_R_INVALIDPRIVATEKEY);
+	}
+	eckey = EVP_PKEY_get1_EC_KEY(pkey);
+	if (eckey == NULL) {
+		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+	}
+	if (EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey)) != group_nid) {
+		DST_RET(DST_R_INVALIDPRIVATEKEY);
+	}
+
+	/* Load public key. */
+	pubkey = ENGINE_load_public_key(e, label, NULL, NULL);
+	if (pubkey == NULL) {
+		DST_RET(dst__openssl_toresult2("ENGINE_load_public_key",
+					       DST_R_OPENSSLFAILURE));
+	}
+	/* Check base id, group nid */
+	if (EVP_PKEY_base_id(pubkey) != EVP_PKEY_EC) {
+		DST_RET(DST_R_INVALIDPUBLICKEY);
+	}
+	pubeckey = EVP_PKEY_get1_EC_KEY(pubkey);
+	if (pubeckey == NULL) {
+		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+	}
+	if (EC_GROUP_get_curve_name(EC_KEY_get0_group(pubeckey)) != group_nid) {
+		DST_RET(DST_R_INVALIDPUBLICKEY);
+	}
+
+	if (ecdsa_check(eckey, pubeckey) != ISC_R_SUCCESS) {
+		DST_RET(DST_R_INVALIDPRIVATEKEY);
+	}
+
+	key->label = isc_mem_strdup(key->mctx, label);
+	key->engine = isc_mem_strdup(key->mctx, engine);
+	key->key_size = EVP_PKEY_bits(pkey);
+	key->keydata.pkey = pkey;
+	pkey = NULL;
+
+err:
+	if (pubkey != NULL) {
+		EVP_PKEY_free(pubkey);
+	}
+	if (pkey != NULL) {
+		EVP_PKEY_free(pkey);
+	}
+	if (pubeckey != NULL) {
+		EC_KEY_free(pubeckey);
+	}
+	if (eckey != NULL) {
+		EC_KEY_free(eckey);
+	}
+
+	return (ret);
+#else
+	UNUSED(key);
+	UNUSED(engine);
+	UNUSED(label);
+	UNUSED(pin);
+	return (DST_R_NOENGINE);
+#endif
+}
+
+static dst_func_t opensslecdsa_functions = {
+	opensslecdsa_createctx,
+	NULL, /*%< createctx2 */
+	opensslecdsa_destroyctx,
+	opensslecdsa_adddata,
+	opensslecdsa_sign,
+	opensslecdsa_verify,
+	NULL, /*%< verify2 */
+	NULL, /*%< computesecret */
+	opensslecdsa_compare,
+	NULL, /*%< paramcompare */
+	opensslecdsa_generate,
+	opensslecdsa_isprivate,
+	opensslecdsa_destroy,
+	opensslecdsa_todns,
+	opensslecdsa_fromdns,
+	opensslecdsa_tofile,
+	opensslecdsa_parse,
+	NULL,			/*%< cleanup */
+	opensslecdsa_fromlabel, /*%< fromlabel */
+	NULL,			/*%< dump */
+	NULL,			/*%< restore */
+};
+
+isc_result_t
+dst__opensslecdsa_init(dst_func_t **funcp) {
+	REQUIRE(funcp != NULL);
+	if (*funcp == NULL) {
+		*funcp = &opensslecdsa_functions;
+	}
+	return (ISC_R_SUCCESS);
+}
+
+#endif /* !USE_PKCS11 */
diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c
new file mode 100644
index 0000000..295b8b8
--- /dev/null
+++ b/lib/dns/openssleddsa_link.c
@@ -0,0 +1,708 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if !USE_PKCS11
+
+#if HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448
+
+#include <stdbool.h>
+
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#if !defined(OPENSSL_NO_ENGINE)
+#include <openssl/engine.h>
+#endif /* if !defined(OPENSSL_NO_ENGINE) */
+
+#include <isc/mem.h>
+#include <isc/result.h>
+#include <isc/safe.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/keyvalues.h>
+
+#include <dst/result.h>
+
+#include "dst_internal.h"
+#include "dst_openssl.h"
+#include "dst_parse.h"
+#include "openssl_shim.h"
+
+#define DST_RET(a)        \
+	{                 \
+		ret = a;  \
+		goto err; \
+	}
+
+#if HAVE_OPENSSL_ED25519
+#ifndef NID_ED25519
+#error "Ed25519 group is not known (NID_ED25519)"
+#endif /* ifndef NID_ED25519 */
+#endif /* HAVE_OPENSSL_ED25519 */
+
+#if HAVE_OPENSSL_ED448
+#ifndef NID_ED448
+#error "Ed448 group is not known (NID_ED448)"
+#endif /* ifndef NID_ED448 */
+#endif /* HAVE_OPENSSL_ED448 */
+
+static isc_result_t
+raw_key_to_ossl(unsigned int key_alg, int private, const unsigned char *key,
+		size_t *key_len, EVP_PKEY **pkey) {
+	isc_result_t ret;
+	int pkey_type = EVP_PKEY_NONE;
+	size_t len = 0;
+
+#if HAVE_OPENSSL_ED25519
+	if (key_alg == DST_ALG_ED25519) {
+		pkey_type = EVP_PKEY_ED25519;
+		len = DNS_KEY_ED25519SIZE;
+	}
+#endif /* HAVE_OPENSSL_ED25519 */
+#if HAVE_OPENSSL_ED448
+	if (key_alg == DST_ALG_ED448) {
+		pkey_type = EVP_PKEY_ED448;
+		len = DNS_KEY_ED448SIZE;
+	}
+#endif /* HAVE_OPENSSL_ED448 */
+	if (pkey_type == EVP_PKEY_NONE) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	ret = (private ? DST_R_INVALIDPRIVATEKEY : DST_R_INVALIDPUBLICKEY);
+	if (*key_len < len) {
+		return (ret);
+	}
+
+	if (private) {
+		*pkey = EVP_PKEY_new_raw_private_key(pkey_type, NULL, key, len);
+	} else {
+		*pkey = EVP_PKEY_new_raw_public_key(pkey_type, NULL, key, len);
+	}
+	if (*pkey == NULL) {
+		return (dst__openssl_toresult(ret));
+	}
+
+	*key_len = len;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+openssleddsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+		       const char *pin);
+
+static isc_result_t
+openssleddsa_createctx(dst_key_t *key, dst_context_t *dctx) {
+	isc_buffer_t *buf = NULL;
+
+	UNUSED(key);
+	REQUIRE(dctx->key->key_alg == DST_ALG_ED25519 ||
+		dctx->key->key_alg == DST_ALG_ED448);
+
+	isc_buffer_allocate(dctx->mctx, &buf, 64);
+	dctx->ctxdata.generic = buf;
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+openssleddsa_destroyctx(dst_context_t *dctx) {
+	isc_buffer_t *buf = (isc_buffer_t *)dctx->ctxdata.generic;
+
+	REQUIRE(dctx->key->key_alg == DST_ALG_ED25519 ||
+		dctx->key->key_alg == DST_ALG_ED448);
+	if (buf != NULL) {
+		isc_buffer_free(&buf);
+	}
+	dctx->ctxdata.generic = NULL;
+}
+
+static isc_result_t
+openssleddsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
+	isc_buffer_t *buf = (isc_buffer_t *)dctx->ctxdata.generic;
+	isc_buffer_t *nbuf = NULL;
+	isc_region_t r;
+	unsigned int length;
+	isc_result_t result;
+
+	REQUIRE(dctx->key->key_alg == DST_ALG_ED25519 ||
+		dctx->key->key_alg == DST_ALG_ED448);
+
+	result = isc_buffer_copyregion(buf, data);
+	if (result == ISC_R_SUCCESS) {
+		return (ISC_R_SUCCESS);
+	}
+
+	length = isc_buffer_length(buf) + data->length + 64;
+	isc_buffer_allocate(dctx->mctx, &nbuf, length);
+	isc_buffer_usedregion(buf, &r);
+	(void)isc_buffer_copyregion(nbuf, &r);
+	(void)isc_buffer_copyregion(nbuf, data);
+	isc_buffer_free(&buf);
+	dctx->ctxdata.generic = nbuf;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+openssleddsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+	isc_result_t ret;
+	dst_key_t *key = dctx->key;
+	isc_region_t tbsreg;
+	isc_region_t sigreg;
+	EVP_PKEY *pkey = key->keydata.pkey;
+	EVP_MD_CTX *ctx = EVP_MD_CTX_new();
+	isc_buffer_t *buf = (isc_buffer_t *)dctx->ctxdata.generic;
+	size_t siglen;
+
+	REQUIRE(key->key_alg == DST_ALG_ED25519 ||
+		key->key_alg == DST_ALG_ED448);
+
+	if (ctx == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	if (key->key_alg == DST_ALG_ED25519) {
+		siglen = DNS_SIG_ED25519SIZE;
+	} else {
+		siglen = DNS_SIG_ED448SIZE;
+	}
+
+	isc_buffer_availableregion(sig, &sigreg);
+	if (sigreg.length < (unsigned int)siglen) {
+		DST_RET(ISC_R_NOSPACE);
+	}
+
+	isc_buffer_usedregion(buf, &tbsreg);
+
+	if (EVP_DigestSignInit(ctx, NULL, NULL, NULL, pkey) != 1) {
+		DST_RET(dst__openssl_toresult3(
+			dctx->category, "EVP_DigestSignInit", ISC_R_FAILURE));
+	}
+	if (EVP_DigestSign(ctx, sigreg.base, &siglen, tbsreg.base,
+			   tbsreg.length) != 1)
+	{
+		DST_RET(dst__openssl_toresult3(dctx->category, "EVP_DigestSign",
+					       DST_R_SIGNFAILURE));
+	}
+	isc_buffer_add(sig, (unsigned int)siglen);
+	ret = ISC_R_SUCCESS;
+
+err:
+	EVP_MD_CTX_free(ctx);
+	isc_buffer_free(&buf);
+	dctx->ctxdata.generic = NULL;
+
+	return (ret);
+}
+
+static isc_result_t
+openssleddsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+	isc_result_t ret;
+	dst_key_t *key = dctx->key;
+	int status;
+	isc_region_t tbsreg;
+	EVP_PKEY *pkey = key->keydata.pkey;
+	EVP_MD_CTX *ctx = EVP_MD_CTX_new();
+	isc_buffer_t *buf = (isc_buffer_t *)dctx->ctxdata.generic;
+	unsigned int siglen = 0;
+
+	REQUIRE(key->key_alg == DST_ALG_ED25519 ||
+		key->key_alg == DST_ALG_ED448);
+
+	if (ctx == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+#if HAVE_OPENSSL_ED25519
+	if (key->key_alg == DST_ALG_ED25519) {
+		siglen = DNS_SIG_ED25519SIZE;
+	}
+#endif /* if HAVE_OPENSSL_ED25519 */
+#if HAVE_OPENSSL_ED448
+	if (key->key_alg == DST_ALG_ED448) {
+		siglen = DNS_SIG_ED448SIZE;
+	}
+#endif /* if HAVE_OPENSSL_ED448 */
+	if (siglen == 0) {
+		DST_RET(ISC_R_NOTIMPLEMENTED);
+	}
+
+	if (sig->length != siglen) {
+		DST_RET(DST_R_VERIFYFAILURE);
+	}
+
+	isc_buffer_usedregion(buf, &tbsreg);
+
+	if (EVP_DigestVerifyInit(ctx, NULL, NULL, NULL, pkey) != 1) {
+		DST_RET(dst__openssl_toresult3(
+			dctx->category, "EVP_DigestVerifyInit", ISC_R_FAILURE));
+	}
+
+	status = EVP_DigestVerify(ctx, sig->base, siglen, tbsreg.base,
+				  tbsreg.length);
+
+	switch (status) {
+	case 1:
+		ret = ISC_R_SUCCESS;
+		break;
+	case 0:
+		ret = dst__openssl_toresult(DST_R_VERIFYFAILURE);
+		break;
+	default:
+		ret = dst__openssl_toresult3(dctx->category, "EVP_DigestVerify",
+					     DST_R_VERIFYFAILURE);
+		break;
+	}
+
+err:
+	EVP_MD_CTX_free(ctx);
+	isc_buffer_free(&buf);
+	dctx->ctxdata.generic = NULL;
+
+	return (ret);
+}
+
+static bool
+openssleddsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
+	int status;
+	EVP_PKEY *pkey1 = key1->keydata.pkey;
+	EVP_PKEY *pkey2 = key2->keydata.pkey;
+
+	if (pkey1 == NULL && pkey2 == NULL) {
+		return (true);
+	} else if (pkey1 == NULL || pkey2 == NULL) {
+		return (false);
+	}
+
+	status = EVP_PKEY_cmp(pkey1, pkey2);
+	if (status == 1) {
+		return (true);
+	}
+	return (false);
+}
+
+static isc_result_t
+openssleddsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
+	isc_result_t ret;
+	EVP_PKEY *pkey = NULL;
+	EVP_PKEY_CTX *ctx = NULL;
+	int nid = 0, status;
+
+	REQUIRE(key->key_alg == DST_ALG_ED25519 ||
+		key->key_alg == DST_ALG_ED448);
+	UNUSED(unused);
+	UNUSED(callback);
+
+#if HAVE_OPENSSL_ED25519
+	if (key->key_alg == DST_ALG_ED25519) {
+		nid = NID_ED25519;
+		key->key_size = DNS_KEY_ED25519SIZE * 8;
+	}
+#endif /* if HAVE_OPENSSL_ED25519 */
+#if HAVE_OPENSSL_ED448
+	if (key->key_alg == DST_ALG_ED448) {
+		nid = NID_ED448;
+		key->key_size = DNS_KEY_ED448SIZE * 8;
+	}
+#endif /* if HAVE_OPENSSL_ED448 */
+	if (nid == 0) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	ctx = EVP_PKEY_CTX_new_id(nid, NULL);
+	if (ctx == NULL) {
+		return (dst__openssl_toresult2("EVP_PKEY_CTX_new_id",
+					       DST_R_OPENSSLFAILURE));
+	}
+
+	status = EVP_PKEY_keygen_init(ctx);
+	if (status != 1) {
+		DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen_init",
+					       DST_R_OPENSSLFAILURE));
+	}
+
+	status = EVP_PKEY_keygen(ctx, &pkey);
+	if (status != 1) {
+		DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen",
+					       DST_R_OPENSSLFAILURE));
+	}
+
+	key->keydata.pkey = pkey;
+	ret = ISC_R_SUCCESS;
+
+err:
+	EVP_PKEY_CTX_free(ctx);
+	return (ret);
+}
+
+static bool
+openssleddsa_isprivate(const dst_key_t *key) {
+	EVP_PKEY *pkey = key->keydata.pkey;
+	size_t len;
+
+	if (pkey == NULL) {
+		return (false);
+	}
+
+	if (EVP_PKEY_get_raw_private_key(pkey, NULL, &len) == 1 && len > 0) {
+		return (true);
+	}
+	/* can check if first error is EC_R_INVALID_PRIVATE_KEY */
+	while (ERR_get_error() != 0) {
+		/**/
+	}
+
+	return (false);
+}
+
+static void
+openssleddsa_destroy(dst_key_t *key) {
+	EVP_PKEY *pkey = key->keydata.pkey;
+
+	EVP_PKEY_free(pkey);
+	key->keydata.pkey = NULL;
+}
+
+static isc_result_t
+openssleddsa_todns(const dst_key_t *key, isc_buffer_t *data) {
+	EVP_PKEY *pkey = key->keydata.pkey;
+	isc_region_t r;
+	size_t len;
+
+	REQUIRE(pkey != NULL);
+	REQUIRE(key->key_alg == DST_ALG_ED25519 ||
+		key->key_alg == DST_ALG_ED448);
+
+	if (key->key_alg == DST_ALG_ED25519) {
+		len = DNS_KEY_ED25519SIZE;
+	} else {
+		len = DNS_KEY_ED448SIZE;
+	}
+
+	isc_buffer_availableregion(data, &r);
+	if (r.length < len) {
+		return (ISC_R_NOSPACE);
+	}
+
+	if (EVP_PKEY_get_raw_public_key(pkey, r.base, &len) != 1) {
+		return (dst__openssl_toresult(ISC_R_FAILURE));
+	}
+
+	isc_buffer_add(data, len);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+openssleddsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+	isc_result_t ret;
+	isc_region_t r;
+	size_t len;
+	EVP_PKEY *pkey;
+
+	REQUIRE(key->key_alg == DST_ALG_ED25519 ||
+		key->key_alg == DST_ALG_ED448);
+
+	isc_buffer_remainingregion(data, &r);
+	if (r.length == 0) {
+		return (ISC_R_SUCCESS);
+	}
+
+	len = r.length;
+	ret = raw_key_to_ossl(key->key_alg, 0, r.base, &len, &pkey);
+	if (ret != ISC_R_SUCCESS) {
+		return ret;
+	}
+
+	isc_buffer_forward(data, len);
+	key->keydata.pkey = pkey;
+	key->key_size = len * 8;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+openssleddsa_tofile(const dst_key_t *key, const char *directory) {
+	isc_result_t ret;
+	dst_private_t priv;
+	unsigned char *buf = NULL;
+	size_t len;
+	int i;
+
+	REQUIRE(key->key_alg == DST_ALG_ED25519 ||
+		key->key_alg == DST_ALG_ED448);
+
+	if (key->keydata.pkey == NULL) {
+		return (DST_R_NULLKEY);
+	}
+
+	if (key->external) {
+		priv.nelements = 0;
+		return (dst__privstruct_writefile(key, &priv, directory));
+	}
+
+	i = 0;
+
+	if (openssleddsa_isprivate(key)) {
+		if (key->key_alg == DST_ALG_ED25519) {
+			len = DNS_KEY_ED25519SIZE;
+		} else {
+			len = DNS_KEY_ED448SIZE;
+		}
+		buf = isc_mem_get(key->mctx, len);
+		if (EVP_PKEY_get_raw_private_key(key->keydata.pkey, buf,
+						 &len) != 1)
+		{
+			DST_RET(dst__openssl_toresult(ISC_R_FAILURE));
+		}
+		priv.elements[i].tag = TAG_EDDSA_PRIVATEKEY;
+		priv.elements[i].length = len;
+		priv.elements[i].data = buf;
+		i++;
+	}
+	if (key->engine != NULL) {
+		priv.elements[i].tag = TAG_EDDSA_ENGINE;
+		priv.elements[i].length = (unsigned short)strlen(key->engine) +
+					  1;
+		priv.elements[i].data = (unsigned char *)key->engine;
+		i++;
+	}
+	if (key->label != NULL) {
+		priv.elements[i].tag = TAG_EDDSA_LABEL;
+		priv.elements[i].length = (unsigned short)strlen(key->label) +
+					  1;
+		priv.elements[i].data = (unsigned char *)key->label;
+		i++;
+	}
+
+	priv.nelements = i;
+	ret = dst__privstruct_writefile(key, &priv, directory);
+
+err:
+	if (buf != NULL) {
+		isc_mem_put(key->mctx, buf, len);
+	}
+	return (ret);
+}
+
+static isc_result_t
+eddsa_check(EVP_PKEY *pkey, EVP_PKEY *pubpkey) {
+	if (pubpkey == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+	if (EVP_PKEY_cmp(pkey, pubpkey) == 1) {
+		return (ISC_R_SUCCESS);
+	}
+	return (ISC_R_FAILURE);
+}
+
+static isc_result_t
+openssleddsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+	dst_private_t priv;
+	isc_result_t ret;
+	int i, privkey_index = -1;
+	const char *engine = NULL, *label = NULL;
+	EVP_PKEY *pkey = NULL, *pubpkey = NULL;
+	size_t len;
+	isc_mem_t *mctx = key->mctx;
+
+	REQUIRE(key->key_alg == DST_ALG_ED25519 ||
+		key->key_alg == DST_ALG_ED448);
+
+	/* read private key file */
+	ret = dst__privstruct_parse(key, DST_ALG_ED25519, lexer, mctx, &priv);
+	if (ret != ISC_R_SUCCESS) {
+		goto err;
+	}
+
+	if (key->external) {
+		if (priv.nelements != 0) {
+			DST_RET(DST_R_INVALIDPRIVATEKEY);
+		}
+		if (pub == NULL) {
+			DST_RET(DST_R_INVALIDPRIVATEKEY);
+		}
+		key->keydata.pkey = pub->keydata.pkey;
+		pub->keydata.pkey = NULL;
+		dst__privstruct_free(&priv, mctx);
+		isc_safe_memwipe(&priv, sizeof(priv));
+		return (ISC_R_SUCCESS);
+	}
+
+	if (pub != NULL) {
+		pubpkey = pub->keydata.pkey;
+	}
+
+	for (i = 0; i < priv.nelements; i++) {
+		switch (priv.elements[i].tag) {
+		case TAG_EDDSA_ENGINE:
+			engine = (char *)priv.elements[i].data;
+			break;
+		case TAG_EDDSA_LABEL:
+			label = (char *)priv.elements[i].data;
+			break;
+		case TAG_EDDSA_PRIVATEKEY:
+			privkey_index = i;
+			break;
+		default:
+			break;
+		}
+	}
+
+	if (label != NULL) {
+		ret = openssleddsa_fromlabel(key, engine, label, NULL);
+		if (ret != ISC_R_SUCCESS) {
+			goto err;
+		}
+		if (eddsa_check(key->keydata.pkey, pubpkey) != ISC_R_SUCCESS) {
+			DST_RET(DST_R_INVALIDPRIVATEKEY);
+		}
+		DST_RET(ISC_R_SUCCESS);
+	}
+
+	if (privkey_index < 0) {
+		DST_RET(DST_R_INVALIDPRIVATEKEY);
+	}
+
+	len = priv.elements[privkey_index].length;
+	ret = raw_key_to_ossl(key->key_alg, 1,
+			      priv.elements[privkey_index].data, &len, &pkey);
+	if (ret != ISC_R_SUCCESS) {
+		goto err;
+	}
+	if (eddsa_check(pkey, pubpkey) != ISC_R_SUCCESS) {
+		EVP_PKEY_free(pkey);
+		DST_RET(DST_R_INVALIDPRIVATEKEY);
+	}
+	key->keydata.pkey = pkey;
+	key->key_size = len * 8;
+	ret = ISC_R_SUCCESS;
+
+err:
+	dst__privstruct_free(&priv, mctx);
+	isc_safe_memwipe(&priv, sizeof(priv));
+	return (ret);
+}
+
+static isc_result_t
+openssleddsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+		       const char *pin) {
+#if !defined(OPENSSL_NO_ENGINE)
+	isc_result_t ret;
+	ENGINE *e;
+	EVP_PKEY *pkey = NULL, *pubpkey = NULL;
+	int baseid = EVP_PKEY_NONE;
+
+	UNUSED(pin);
+
+	REQUIRE(key->key_alg == DST_ALG_ED25519 ||
+		key->key_alg == DST_ALG_ED448);
+
+#if HAVE_OPENSSL_ED25519
+	if (key->key_alg == DST_ALG_ED25519) {
+		baseid = EVP_PKEY_ED25519;
+	}
+#endif /* if HAVE_OPENSSL_ED25519 */
+#if HAVE_OPENSSL_ED448
+	if (key->key_alg == DST_ALG_ED448) {
+		baseid = EVP_PKEY_ED448;
+	}
+#endif /* if HAVE_OPENSSL_ED448 */
+	if (baseid == EVP_PKEY_NONE) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	if (engine == NULL) {
+		return (DST_R_NOENGINE);
+	}
+	e = dst__openssl_getengine(engine);
+	if (e == NULL) {
+		return (DST_R_NOENGINE);
+	}
+	pkey = ENGINE_load_private_key(e, label, NULL, NULL);
+	if (pkey == NULL) {
+		return (dst__openssl_toresult2("ENGINE_load_private_key",
+					       ISC_R_NOTFOUND));
+	}
+	if (EVP_PKEY_base_id(pkey) != baseid) {
+		DST_RET(DST_R_INVALIDPRIVATEKEY);
+	}
+
+	pubpkey = ENGINE_load_public_key(e, label, NULL, NULL);
+	if (eddsa_check(pkey, pubpkey) != ISC_R_SUCCESS) {
+		DST_RET(DST_R_INVALIDPRIVATEKEY);
+	}
+
+	key->engine = isc_mem_strdup(key->mctx, engine);
+	key->label = isc_mem_strdup(key->mctx, label);
+	key->key_size = EVP_PKEY_bits(pkey);
+	key->keydata.pkey = pkey;
+	pkey = NULL;
+	ret = ISC_R_SUCCESS;
+
+err:
+	if (pubpkey != NULL) {
+		EVP_PKEY_free(pubpkey);
+	}
+	if (pkey != NULL) {
+		EVP_PKEY_free(pkey);
+	}
+	return (ret);
+#else  /* if !defined(OPENSSL_NO_ENGINE) */
+	UNUSED(key);
+	UNUSED(engine);
+	UNUSED(label);
+	UNUSED(pin);
+	return (DST_R_NOENGINE);
+#endif /* if !defined(OPENSSL_NO_ENGINE) */
+}
+
+static dst_func_t openssleddsa_functions = {
+	openssleddsa_createctx,
+	NULL, /*%< createctx2 */
+	openssleddsa_destroyctx,
+	openssleddsa_adddata,
+	openssleddsa_sign,
+	openssleddsa_verify,
+	NULL, /*%< verify2 */
+	NULL, /*%< computesecret */
+	openssleddsa_compare,
+	NULL, /*%< paramcompare */
+	openssleddsa_generate,
+	openssleddsa_isprivate,
+	openssleddsa_destroy,
+	openssleddsa_todns,
+	openssleddsa_fromdns,
+	openssleddsa_tofile,
+	openssleddsa_parse,
+	NULL, /*%< cleanup */
+	openssleddsa_fromlabel,
+	NULL, /*%< dump */
+	NULL, /*%< restore */
+};
+
+isc_result_t
+dst__openssleddsa_init(dst_func_t **funcp) {
+	REQUIRE(funcp != NULL);
+	if (*funcp == NULL) {
+		*funcp = &openssleddsa_functions;
+	}
+	return (ISC_R_SUCCESS);
+}
+
+#endif /* HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448 */
+
+#endif /* !USE_PKCS11 */
+
+/*! \file */
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
new file mode 100644
index 0000000..1f2a2e0
--- /dev/null
+++ b/lib/dns/opensslrsa_link.c
@@ -0,0 +1,1405 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if !USE_PKCS11
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <openssl/bn.h>
+#include <openssl/err.h>
+#include <openssl/objects.h>
+#include <openssl/rsa.h>
+
+#include <isc/mem.h>
+#include <isc/safe.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <pk11/site.h>
+
+#include <dst/result.h>
+
+#include "dst_internal.h"
+#include "dst_openssl.h"
+#include "dst_parse.h"
+#if !defined(OPENSSL_NO_ENGINE)
+#include <openssl/engine.h>
+#endif /* if !defined(OPENSSL_NO_ENGINE) */
+
+/*
+ * Limit the size of public exponents.
+ */
+#ifndef RSA_MAX_PUBEXP_BITS
+#define RSA_MAX_PUBEXP_BITS 35
+#endif /* ifndef RSA_MAX_PUBEXP_BITS */
+
+/*
+ * We don't use configure for windows so enforce the OpenSSL version
+ * here.  Unlike with configure we don't support overriding this test.
+ */
+#if defined(WIN32) && (OPENSSL_VERSION_NUMBER < 0x10000000L)
+#error Please upgrade OpenSSL to 1.0.0 or greater.
+#endif /* if defined(WIN32) && (OPENSSL_VERSION_NUMBER < 0x10000000L) */
+
+#define DST_RET(a)        \
+	{                 \
+		ret = a;  \
+		goto err; \
+	}
+
+#if !HAVE_RSA_SET0_KEY
+/* From OpenSSL 1.1.0 */
+static int
+RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
+	/*
+	 * If the fields n and e in r are NULL, the corresponding input
+	 * parameters MUST be non-NULL for n and e.  d may be
+	 * left NULL (in case only the public key is used).
+	 */
+	if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL)) {
+		return (0);
+	}
+
+	if (n != NULL) {
+		BN_free(r->n);
+		r->n = n;
+	}
+	if (e != NULL) {
+		BN_free(r->e);
+		r->e = e;
+	}
+	if (d != NULL) {
+		BN_free(r->d);
+		r->d = d;
+	}
+
+	return (1);
+}
+
+static int
+RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q) {
+	/*
+	 * If the fields p and q in r are NULL, the corresponding input
+	 * parameters MUST be non-NULL.
+	 */
+	if ((r->p == NULL && p == NULL) || (r->q == NULL && q == NULL)) {
+		return (0);
+	}
+
+	if (p != NULL) {
+		BN_free(r->p);
+		r->p = p;
+	}
+	if (q != NULL) {
+		BN_free(r->q);
+		r->q = q;
+	}
+
+	return (1);
+}
+
+static int
+RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) {
+	/*
+	 * If the fields dmp1, dmq1 and iqmp in r are NULL, the
+	 * corresponding input parameters MUST be non-NULL.
+	 */
+	if ((r->dmp1 == NULL && dmp1 == NULL) ||
+	    (r->dmq1 == NULL && dmq1 == NULL) ||
+	    (r->iqmp == NULL && iqmp == NULL))
+	{
+		return (0);
+	}
+
+	if (dmp1 != NULL) {
+		BN_free(r->dmp1);
+		r->dmp1 = dmp1;
+	}
+	if (dmq1 != NULL) {
+		BN_free(r->dmq1);
+		r->dmq1 = dmq1;
+	}
+	if (iqmp != NULL) {
+		BN_free(r->iqmp);
+		r->iqmp = iqmp;
+	}
+
+	return (1);
+}
+
+static void
+RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e,
+	     const BIGNUM **d) {
+	if (n != NULL) {
+		*n = r->n;
+	}
+	if (e != NULL) {
+		*e = r->e;
+	}
+	if (d != NULL) {
+		*d = r->d;
+	}
+}
+
+static void
+RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q) {
+	if (p != NULL) {
+		*p = r->p;
+	}
+	if (q != NULL) {
+		*q = r->q;
+	}
+}
+
+static void
+RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1,
+		    const BIGNUM **iqmp) {
+	if (dmp1 != NULL) {
+		*dmp1 = r->dmp1;
+	}
+	if (dmq1 != NULL) {
+		*dmq1 = r->dmq1;
+	}
+	if (iqmp != NULL) {
+		*iqmp = r->iqmp;
+	}
+}
+
+static int
+RSA_test_flags(const RSA *r, int flags) {
+	return (r->flags & flags);
+}
+
+#endif /* !HAVE_RSA_SET0_KEY */
+
+static isc_result_t
+opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
+	EVP_MD_CTX *evp_md_ctx;
+	const EVP_MD *type = NULL;
+
+	UNUSED(key);
+	REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
+		dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+		dctx->key->key_alg == DST_ALG_RSASHA256 ||
+		dctx->key->key_alg == DST_ALG_RSASHA512);
+
+	/*
+	 * Reject incorrect RSA key lengths.
+	 */
+	switch (dctx->key->key_alg) {
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		/* From RFC 3110 */
+		if (dctx->key->key_size > 4096) {
+			return (ISC_R_FAILURE);
+		}
+		break;
+	case DST_ALG_RSASHA256:
+		/* From RFC 5702 */
+		if ((dctx->key->key_size < 512) || (dctx->key->key_size > 4096))
+		{
+			return (ISC_R_FAILURE);
+		}
+		break;
+	case DST_ALG_RSASHA512:
+		/* From RFC 5702 */
+		if ((dctx->key->key_size < 1024) ||
+		    (dctx->key->key_size > 4096))
+		{
+			return (ISC_R_FAILURE);
+		}
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	evp_md_ctx = EVP_MD_CTX_create();
+	if (evp_md_ctx == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	switch (dctx->key->key_alg) {
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		type = EVP_sha1(); /* SHA1 + RSA */
+		break;
+	case DST_ALG_RSASHA256:
+		type = EVP_sha256(); /* SHA256 + RSA */
+		break;
+	case DST_ALG_RSASHA512:
+		type = EVP_sha512();
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	if (!EVP_DigestInit_ex(evp_md_ctx, type, NULL)) {
+		EVP_MD_CTX_destroy(evp_md_ctx);
+		return (dst__openssl_toresult3(
+			dctx->category, "EVP_DigestInit_ex", ISC_R_FAILURE));
+	}
+	dctx->ctxdata.evp_md_ctx = evp_md_ctx;
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+opensslrsa_destroyctx(dst_context_t *dctx) {
+	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+
+	REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
+		dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+		dctx->key->key_alg == DST_ALG_RSASHA256 ||
+		dctx->key->key_alg == DST_ALG_RSASHA512);
+
+	if (evp_md_ctx != NULL) {
+		EVP_MD_CTX_destroy(evp_md_ctx);
+		dctx->ctxdata.evp_md_ctx = NULL;
+	}
+}
+
+static isc_result_t
+opensslrsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
+	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+
+	REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
+		dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+		dctx->key->key_alg == DST_ALG_RSASHA256 ||
+		dctx->key->key_alg == DST_ALG_RSASHA512);
+
+	if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length)) {
+		return (dst__openssl_toresult3(
+			dctx->category, "EVP_DigestUpdate", ISC_R_FAILURE));
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+	dst_key_t *key = dctx->key;
+	isc_region_t r;
+	unsigned int siglen = 0;
+	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+	EVP_PKEY *pkey = key->keydata.pkey;
+
+	REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
+		dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+		dctx->key->key_alg == DST_ALG_RSASHA256 ||
+		dctx->key->key_alg == DST_ALG_RSASHA512);
+
+	isc_buffer_availableregion(sig, &r);
+
+	if (r.length < (unsigned int)EVP_PKEY_size(pkey)) {
+		return (ISC_R_NOSPACE);
+	}
+
+	if (!EVP_SignFinal(evp_md_ctx, r.base, &siglen, pkey)) {
+		return (dst__openssl_toresult3(dctx->category, "EVP_SignFinal",
+					       ISC_R_FAILURE));
+	}
+
+	isc_buffer_add(sig, siglen);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
+	dst_key_t *key = dctx->key;
+	int status = 0;
+	const BIGNUM *e = NULL;
+	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+	EVP_PKEY *pkey = key->keydata.pkey;
+	RSA *rsa;
+	int bits;
+
+	REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
+		dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+		dctx->key->key_alg == DST_ALG_RSASHA256 ||
+		dctx->key->key_alg == DST_ALG_RSASHA512);
+
+	rsa = EVP_PKEY_get1_RSA(pkey);
+	if (rsa == NULL) {
+		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+	}
+	RSA_get0_key(rsa, NULL, &e, NULL);
+	if (e == NULL) {
+		RSA_free(rsa);
+		return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
+	}
+	bits = BN_num_bits(e);
+	RSA_free(rsa);
+	if (bits > maxbits && maxbits != 0) {
+		return (DST_R_VERIFYFAILURE);
+	}
+
+	status = EVP_VerifyFinal(evp_md_ctx, sig->base, sig->length, pkey);
+	switch (status) {
+	case 1:
+		return (ISC_R_SUCCESS);
+	case 0:
+		return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
+	default:
+		return (dst__openssl_toresult3(dctx->category,
+					       "EVP_VerifyFinal",
+					       DST_R_VERIFYFAILURE));
+	}
+}
+
+static isc_result_t
+opensslrsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+	return (opensslrsa_verify2(dctx, 0, sig));
+}
+
+static bool
+opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
+	int status;
+	RSA *rsa1 = NULL, *rsa2 = NULL;
+	const BIGNUM *n1 = NULL, *n2 = NULL;
+	const BIGNUM *e1 = NULL, *e2 = NULL;
+	const BIGNUM *d1 = NULL, *d2 = NULL;
+	const BIGNUM *p1 = NULL, *p2 = NULL;
+	const BIGNUM *q1 = NULL, *q2 = NULL;
+	EVP_PKEY *pkey1, *pkey2;
+
+	pkey1 = key1->keydata.pkey;
+	pkey2 = key2->keydata.pkey;
+	/*
+	 * The pkey reference will keep these around after
+	 * the RSA_free() call.
+	 */
+	if (pkey1 != NULL) {
+		rsa1 = EVP_PKEY_get1_RSA(pkey1);
+		RSA_free(rsa1);
+	}
+	if (pkey2 != NULL) {
+		rsa2 = EVP_PKEY_get1_RSA(pkey2);
+		RSA_free(rsa2);
+	}
+
+	if (rsa1 == NULL && rsa2 == NULL) {
+		return (true);
+	} else if (rsa1 == NULL || rsa2 == NULL) {
+		return (false);
+	}
+
+	RSA_get0_key(rsa1, &n1, &e1, &d1);
+	RSA_get0_key(rsa2, &n2, &e2, &d2);
+	status = BN_cmp(n1, n2) || BN_cmp(e1, e2);
+
+	if (status != 0) {
+		return (false);
+	}
+
+	if (RSA_test_flags(rsa1, RSA_FLAG_EXT_PKEY) != 0 ||
+	    RSA_test_flags(rsa2, RSA_FLAG_EXT_PKEY) != 0)
+	{
+		if (RSA_test_flags(rsa1, RSA_FLAG_EXT_PKEY) == 0 ||
+		    RSA_test_flags(rsa2, RSA_FLAG_EXT_PKEY) == 0)
+		{
+			return (false);
+		}
+		/*
+		 * Can't compare private parameters, BTW does it make sense?
+		 */
+		return (true);
+	}
+
+	if (d1 != NULL || d2 != NULL) {
+		if (d1 == NULL || d2 == NULL) {
+			return (false);
+		}
+		RSA_get0_factors(rsa1, &p1, &q1);
+		RSA_get0_factors(rsa2, &p2, &q2);
+		status = BN_cmp(d1, d2) || BN_cmp(p1, p2) || BN_cmp(q1, q2);
+
+		if (status != 0) {
+			return (false);
+		}
+	}
+	return (true);
+}
+
+static int
+progress_cb(int p, int n, BN_GENCB *cb) {
+	union {
+		void *dptr;
+		void (*fptr)(int);
+	} u;
+
+	UNUSED(n);
+
+	u.dptr = BN_GENCB_get_arg(cb);
+	if (u.fptr != NULL) {
+		u.fptr(p);
+	}
+	return (1);
+}
+
+static isc_result_t
+opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
+	isc_result_t ret = DST_R_OPENSSLFAILURE;
+	union {
+		void *dptr;
+		void (*fptr)(int);
+	} u;
+	RSA *rsa = RSA_new();
+	BIGNUM *e = BN_new();
+#if !HAVE_BN_GENCB_NEW
+	BN_GENCB _cb;
+#endif /* !HAVE_BN_GENCB_NEW */
+	BN_GENCB *cb = BN_GENCB_new();
+	EVP_PKEY *pkey = EVP_PKEY_new();
+
+	/*
+	 * Reject incorrect RSA key lengths.
+	 */
+	switch (key->key_alg) {
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		/* From RFC 3110 */
+		if (key->key_size > 4096) {
+			goto err;
+		}
+		break;
+	case DST_ALG_RSASHA256:
+		/* From RFC 5702 */
+		if ((key->key_size < 512) || (key->key_size > 4096)) {
+			goto err;
+		}
+		break;
+	case DST_ALG_RSASHA512:
+		/* From RFC 5702 */
+		if ((key->key_size < 1024) || (key->key_size > 4096)) {
+			goto err;
+		}
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	if (rsa == NULL || e == NULL || cb == NULL) {
+		goto err;
+	}
+	if (pkey == NULL) {
+		goto err;
+	}
+	if (!EVP_PKEY_set1_RSA(pkey, rsa)) {
+		goto err;
+	}
+
+	if (exp == 0) {
+		/* RSA_F4 0x10001 */
+		BN_set_bit(e, 0);
+		BN_set_bit(e, 16);
+	} else {
+		/* (phased-out) F5 0x100000001 */
+		BN_set_bit(e, 0);
+		BN_set_bit(e, 32);
+	}
+
+	if (callback == NULL) {
+		BN_GENCB_set_old(cb, NULL, NULL);
+	} else {
+		u.fptr = callback;
+		BN_GENCB_set(cb, progress_cb, u.dptr);
+	}
+
+	if (RSA_generate_key_ex(rsa, key->key_size, e, cb)) {
+		BN_free(e);
+		BN_GENCB_free(cb);
+		cb = NULL;
+		key->keydata.pkey = pkey;
+
+		RSA_free(rsa);
+		return (ISC_R_SUCCESS);
+	}
+	ret = dst__openssl_toresult2("RSA_generate_key_ex",
+				     DST_R_OPENSSLFAILURE);
+
+err:
+	if (pkey != NULL) {
+		EVP_PKEY_free(pkey);
+		pkey = NULL;
+	}
+	if (e != NULL) {
+		BN_free(e);
+		e = NULL;
+	}
+	if (rsa != NULL) {
+		RSA_free(rsa);
+		rsa = NULL;
+	}
+	if (cb != NULL) {
+		BN_GENCB_free(cb);
+		cb = NULL;
+	}
+	return (dst__openssl_toresult(ret));
+}
+
+static bool
+opensslrsa_isprivate(const dst_key_t *key) {
+	const BIGNUM *d = NULL;
+	RSA *rsa = EVP_PKEY_get1_RSA(key->keydata.pkey);
+	INSIST(rsa != NULL);
+	RSA_free(rsa);
+	/* key->keydata.pkey still has a reference so rsa is still valid. */
+	if (rsa != NULL && RSA_test_flags(rsa, RSA_FLAG_EXT_PKEY) != 0) {
+		return (true);
+	}
+	RSA_get0_key(rsa, NULL, NULL, &d);
+	return (rsa != NULL && d != NULL);
+}
+
+static void
+opensslrsa_destroy(dst_key_t *key) {
+	EVP_PKEY *pkey = key->keydata.pkey;
+	EVP_PKEY_free(pkey);
+	key->keydata.pkey = NULL;
+}
+
+static isc_result_t
+opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) {
+	isc_region_t r;
+	unsigned int e_bytes;
+	unsigned int mod_bytes;
+	isc_result_t ret;
+	RSA *rsa;
+	EVP_PKEY *pkey;
+	const BIGNUM *e = NULL, *n = NULL;
+
+	REQUIRE(key->keydata.pkey != NULL);
+
+	pkey = key->keydata.pkey;
+	rsa = EVP_PKEY_get1_RSA(pkey);
+	if (rsa == NULL) {
+		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+	}
+	RSA_get0_key(rsa, &n, &e, NULL);
+	if (e == NULL || n == NULL) {
+		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+	}
+	mod_bytes = BN_num_bytes(n);
+	e_bytes = BN_num_bytes(e);
+
+	isc_buffer_availableregion(data, &r);
+
+	if (e_bytes < 256) { /*%< key exponent is <= 2040 bits */
+		if (r.length < 1) {
+			DST_RET(ISC_R_NOSPACE);
+		}
+		isc_buffer_putuint8(data, (uint8_t)e_bytes);
+		isc_region_consume(&r, 1);
+	} else {
+		if (r.length < 3) {
+			DST_RET(ISC_R_NOSPACE);
+		}
+		isc_buffer_putuint8(data, 0);
+		isc_buffer_putuint16(data, (uint16_t)e_bytes);
+		isc_region_consume(&r, 3);
+	}
+
+	if (r.length < e_bytes + mod_bytes) {
+		DST_RET(ISC_R_NOSPACE);
+	}
+
+	RSA_get0_key(rsa, &n, &e, NULL);
+	BN_bn2bin(e, r.base);
+	isc_region_consume(&r, e_bytes);
+	BN_bn2bin(n, r.base);
+
+	isc_buffer_add(data, e_bytes + mod_bytes);
+
+	ret = ISC_R_SUCCESS;
+err:
+	RSA_free(rsa);
+	return (ret);
+}
+
+static isc_result_t
+opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+	RSA *rsa;
+	isc_region_t r;
+	unsigned int e_bytes;
+	unsigned int length;
+	EVP_PKEY *pkey;
+	BIGNUM *e = NULL, *n = NULL;
+
+	isc_buffer_remainingregion(data, &r);
+	if (r.length == 0) {
+		return (ISC_R_SUCCESS);
+	}
+	length = r.length;
+
+	rsa = RSA_new();
+	if (rsa == NULL) {
+		return (dst__openssl_toresult(ISC_R_NOMEMORY));
+	}
+
+	if (r.length < 1) {
+		RSA_free(rsa);
+		return (DST_R_INVALIDPUBLICKEY);
+	}
+	e_bytes = *r.base;
+	isc_region_consume(&r, 1);
+
+	if (e_bytes == 0) {
+		if (r.length < 2) {
+			RSA_free(rsa);
+			return (DST_R_INVALIDPUBLICKEY);
+		}
+		e_bytes = (*r.base) << 8;
+		isc_region_consume(&r, 1);
+		e_bytes += *r.base;
+		isc_region_consume(&r, 1);
+	}
+
+	if (r.length < e_bytes) {
+		RSA_free(rsa);
+		return (DST_R_INVALIDPUBLICKEY);
+	}
+	e = BN_bin2bn(r.base, e_bytes, NULL);
+	isc_region_consume(&r, e_bytes);
+	n = BN_bin2bn(r.base, r.length, NULL);
+	if (e == NULL || n == NULL) {
+		RSA_free(rsa);
+		return (ISC_R_NOMEMORY);
+	}
+
+	if (RSA_set0_key(rsa, n, e, NULL) == 0) {
+		if (n != NULL) {
+			BN_free(n);
+		}
+		if (e != NULL) {
+			BN_free(e);
+		}
+		RSA_free(rsa);
+		return (ISC_R_NOMEMORY);
+	}
+	key->key_size = BN_num_bits(n);
+
+	isc_buffer_forward(data, length);
+
+	pkey = EVP_PKEY_new();
+	if (pkey == NULL) {
+		RSA_free(rsa);
+		return (ISC_R_NOMEMORY);
+	}
+	if (!EVP_PKEY_set1_RSA(pkey, rsa)) {
+		EVP_PKEY_free(pkey);
+		RSA_free(rsa);
+		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+	}
+	key->keydata.pkey = pkey;
+	RSA_free(rsa);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+opensslrsa_tofile(const dst_key_t *key, const char *directory) {
+	int i;
+	RSA *rsa;
+	dst_private_t priv;
+	unsigned char *bufs[8];
+	isc_result_t result;
+	const BIGNUM *n = NULL, *e = NULL, *d = NULL;
+	const BIGNUM *p = NULL, *q = NULL;
+	const BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
+
+	if (key->external) {
+		priv.nelements = 0;
+		return (dst__privstruct_writefile(key, &priv, directory));
+	}
+
+	if (key->keydata.pkey == NULL) {
+		return (DST_R_NULLKEY);
+	}
+	rsa = EVP_PKEY_get1_RSA(key->keydata.pkey);
+	if (rsa == NULL) {
+		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+	}
+	memset(bufs, 0, sizeof(bufs));
+
+	RSA_get0_key(rsa, &n, &e, &d);
+	RSA_get0_factors(rsa, &p, &q);
+	RSA_get0_crt_params(rsa, &dmp1, &dmq1, &iqmp);
+
+	for (i = 0; i < 8; i++) {
+		bufs[i] = isc_mem_get(key->mctx, BN_num_bytes(n));
+	}
+
+	i = 0;
+
+	priv.elements[i].tag = TAG_RSA_MODULUS;
+	priv.elements[i].length = BN_num_bytes(n);
+	BN_bn2bin(n, bufs[i]);
+	priv.elements[i].data = bufs[i];
+	i++;
+
+	priv.elements[i].tag = TAG_RSA_PUBLICEXPONENT;
+	priv.elements[i].length = BN_num_bytes(e);
+	BN_bn2bin(e, bufs[i]);
+	priv.elements[i].data = bufs[i];
+	i++;
+
+	if (d != NULL) {
+		priv.elements[i].tag = TAG_RSA_PRIVATEEXPONENT;
+		priv.elements[i].length = BN_num_bytes(d);
+		BN_bn2bin(d, bufs[i]);
+		priv.elements[i].data = bufs[i];
+		i++;
+	}
+
+	if (p != NULL) {
+		priv.elements[i].tag = TAG_RSA_PRIME1;
+		priv.elements[i].length = BN_num_bytes(p);
+		BN_bn2bin(p, bufs[i]);
+		priv.elements[i].data = bufs[i];
+		i++;
+	}
+
+	if (q != NULL) {
+		priv.elements[i].tag = TAG_RSA_PRIME2;
+		priv.elements[i].length = BN_num_bytes(q);
+		BN_bn2bin(q, bufs[i]);
+		priv.elements[i].data = bufs[i];
+		i++;
+	}
+
+	if (dmp1 != NULL) {
+		priv.elements[i].tag = TAG_RSA_EXPONENT1;
+		priv.elements[i].length = BN_num_bytes(dmp1);
+		BN_bn2bin(dmp1, bufs[i]);
+		priv.elements[i].data = bufs[i];
+		i++;
+	}
+
+	if (dmq1 != NULL) {
+		priv.elements[i].tag = TAG_RSA_EXPONENT2;
+		priv.elements[i].length = BN_num_bytes(dmq1);
+		BN_bn2bin(dmq1, bufs[i]);
+		priv.elements[i].data = bufs[i];
+		i++;
+	}
+
+	if (iqmp != NULL) {
+		priv.elements[i].tag = TAG_RSA_COEFFICIENT;
+		priv.elements[i].length = BN_num_bytes(iqmp);
+		BN_bn2bin(iqmp, bufs[i]);
+		priv.elements[i].data = bufs[i];
+		i++;
+	}
+
+	if (key->engine != NULL) {
+		priv.elements[i].tag = TAG_RSA_ENGINE;
+		priv.elements[i].length = (unsigned short)strlen(key->engine) +
+					  1;
+		priv.elements[i].data = (unsigned char *)key->engine;
+		i++;
+	}
+
+	if (key->label != NULL) {
+		priv.elements[i].tag = TAG_RSA_LABEL;
+		priv.elements[i].length = (unsigned short)strlen(key->label) +
+					  1;
+		priv.elements[i].data = (unsigned char *)key->label;
+		i++;
+	}
+
+	priv.nelements = i;
+	result = dst__privstruct_writefile(key, &priv, directory);
+
+	RSA_free(rsa);
+	for (i = 0; i < 8; i++) {
+		if (bufs[i] == NULL) {
+			break;
+		}
+		isc_mem_put(key->mctx, bufs[i], BN_num_bytes(n));
+	}
+	return (result);
+}
+
+static isc_result_t
+rsa_check(RSA *rsa, RSA *pub) {
+	const BIGNUM *n1 = NULL, *n2 = NULL;
+	const BIGNUM *e1 = NULL, *e2 = NULL;
+	BIGNUM *n = NULL, *e = NULL;
+
+	/*
+	 * Public parameters should be the same but if they are not set
+	 * copy them from the public key.
+	 */
+	RSA_get0_key(rsa, &n1, &e1, NULL);
+	if (pub != NULL) {
+		RSA_get0_key(pub, &n2, &e2, NULL);
+		if (n1 != NULL) {
+			if (BN_cmp(n1, n2) != 0) {
+				return (DST_R_INVALIDPRIVATEKEY);
+			}
+		} else {
+			n = BN_dup(n2);
+			if (n == NULL) {
+				return (ISC_R_NOMEMORY);
+			}
+		}
+		if (e1 != NULL) {
+			if (BN_cmp(e1, e2) != 0) {
+				if (n != NULL) {
+					BN_free(n);
+				}
+				return (DST_R_INVALIDPRIVATEKEY);
+			}
+		} else {
+			e = BN_dup(e2);
+			if (e == NULL) {
+				if (n != NULL) {
+					BN_free(n);
+				}
+				return (ISC_R_NOMEMORY);
+			}
+		}
+		if (RSA_set0_key(rsa, n, e, NULL) == 0) {
+			if (n != NULL) {
+				BN_free(n);
+			}
+			if (e != NULL) {
+				BN_free(e);
+			}
+		}
+	}
+	RSA_get0_key(rsa, &n1, &e1, NULL);
+	if (n1 == NULL || e1 == NULL) {
+		return (DST_R_INVALIDPRIVATEKEY);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+	dst_private_t priv;
+	isc_result_t ret;
+	int i;
+	RSA *rsa = NULL, *pubrsa = NULL;
+#if !defined(OPENSSL_NO_ENGINE)
+	ENGINE *ep = NULL;
+	const BIGNUM *ex = NULL;
+#endif /* if !defined(OPENSSL_NO_ENGINE) */
+	isc_mem_t *mctx = key->mctx;
+	const char *engine = NULL, *label = NULL;
+	EVP_PKEY *pkey = NULL;
+	BIGNUM *n = NULL, *e = NULL, *d = NULL;
+	BIGNUM *p = NULL, *q = NULL;
+	BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
+
+	/* read private key file */
+	ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv);
+	if (ret != ISC_R_SUCCESS) {
+		goto err;
+	}
+
+	if (key->external) {
+		if (priv.nelements != 0) {
+			DST_RET(DST_R_INVALIDPRIVATEKEY);
+		}
+		if (pub == NULL) {
+			DST_RET(DST_R_INVALIDPRIVATEKEY);
+		}
+		key->keydata.pkey = pub->keydata.pkey;
+		pub->keydata.pkey = NULL;
+		key->key_size = pub->key_size;
+		dst__privstruct_free(&priv, mctx);
+		isc_safe_memwipe(&priv, sizeof(priv));
+		return (ISC_R_SUCCESS);
+	}
+
+	if (pub != NULL && pub->keydata.pkey != NULL) {
+		pubrsa = EVP_PKEY_get1_RSA(pub->keydata.pkey);
+	}
+
+	for (i = 0; i < priv.nelements; i++) {
+		switch (priv.elements[i].tag) {
+		case TAG_RSA_ENGINE:
+			engine = (char *)priv.elements[i].data;
+			break;
+		case TAG_RSA_LABEL:
+			label = (char *)priv.elements[i].data;
+			break;
+		default:
+			break;
+		}
+	}
+
+	/*
+	 * Is this key is stored in a HSM?
+	 * See if we can fetch it.
+	 */
+	if (label != NULL) {
+#if !defined(OPENSSL_NO_ENGINE)
+		if (engine == NULL) {
+			DST_RET(DST_R_NOENGINE);
+		}
+		ep = dst__openssl_getengine(engine);
+		if (ep == NULL) {
+			DST_RET(DST_R_NOENGINE);
+		}
+		pkey = ENGINE_load_private_key(ep, label, NULL, NULL);
+		if (pkey == NULL) {
+			DST_RET(dst__openssl_toresult2("ENGINE_load_private_"
+						       "key",
+						       ISC_R_NOTFOUND));
+		}
+		key->engine = isc_mem_strdup(key->mctx, engine);
+		key->label = isc_mem_strdup(key->mctx, label);
+		rsa = EVP_PKEY_get1_RSA(pkey);
+		if (rsa == NULL) {
+			DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+		}
+		if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS) {
+			DST_RET(DST_R_INVALIDPRIVATEKEY);
+		}
+		RSA_get0_key(rsa, NULL, &ex, NULL);
+		if (BN_num_bits(ex) > RSA_MAX_PUBEXP_BITS) {
+			DST_RET(ISC_R_RANGE);
+		}
+		if (pubrsa != NULL) {
+			RSA_free(pubrsa);
+		}
+		key->key_size = EVP_PKEY_bits(pkey);
+		key->keydata.pkey = pkey;
+		RSA_free(rsa);
+		dst__privstruct_free(&priv, mctx);
+		isc_safe_memwipe(&priv, sizeof(priv));
+		return (ISC_R_SUCCESS);
+#else  /* if !defined(OPENSSL_NO_ENGINE) */
+		DST_RET(DST_R_NOENGINE);
+#endif /* if !defined(OPENSSL_NO_ENGINE) */
+	}
+
+	rsa = RSA_new();
+	if (rsa == NULL) {
+		DST_RET(ISC_R_NOMEMORY);
+	}
+
+	pkey = EVP_PKEY_new();
+	if (pkey == NULL) {
+		DST_RET(ISC_R_NOMEMORY);
+	}
+	if (!EVP_PKEY_set1_RSA(pkey, rsa)) {
+		DST_RET(ISC_R_FAILURE);
+	}
+	key->keydata.pkey = pkey;
+
+	for (i = 0; i < priv.nelements; i++) {
+		BIGNUM *bn;
+		switch (priv.elements[i].tag) {
+		case TAG_RSA_ENGINE:
+			continue;
+		case TAG_RSA_LABEL:
+			continue;
+		default:
+			bn = BN_bin2bn(priv.elements[i].data,
+				       priv.elements[i].length, NULL);
+			if (bn == NULL) {
+				DST_RET(ISC_R_NOMEMORY);
+			}
+			switch (priv.elements[i].tag) {
+			case TAG_RSA_MODULUS:
+				n = bn;
+				break;
+			case TAG_RSA_PUBLICEXPONENT:
+				e = bn;
+				break;
+			case TAG_RSA_PRIVATEEXPONENT:
+				d = bn;
+				break;
+			case TAG_RSA_PRIME1:
+				p = bn;
+				break;
+			case TAG_RSA_PRIME2:
+				q = bn;
+				break;
+			case TAG_RSA_EXPONENT1:
+				dmp1 = bn;
+				break;
+			case TAG_RSA_EXPONENT2:
+				dmq1 = bn;
+				break;
+			case TAG_RSA_COEFFICIENT:
+				iqmp = bn;
+				break;
+			}
+		}
+	}
+	dst__privstruct_free(&priv, mctx);
+	isc_safe_memwipe(&priv, sizeof(priv));
+
+	if (RSA_set0_key(rsa, n, e, d) == 0) {
+		if (n != NULL) {
+			BN_free(n);
+		}
+		if (e != NULL) {
+			BN_free(e);
+		}
+		if (d != NULL) {
+			BN_free(d);
+		}
+	}
+	if (RSA_set0_factors(rsa, p, q) == 0) {
+		if (p != NULL) {
+			BN_free(p);
+		}
+		if (q != NULL) {
+			BN_free(q);
+		}
+	}
+	if (RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp) == 0) {
+		if (dmp1 != NULL) {
+			BN_free(dmp1);
+		}
+		if (dmq1 != NULL) {
+			BN_free(dmq1);
+		}
+		if (iqmp != NULL) {
+			BN_free(iqmp);
+		}
+	}
+
+	if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS) {
+		DST_RET(DST_R_INVALIDPRIVATEKEY);
+	}
+	if (BN_num_bits(e) > RSA_MAX_PUBEXP_BITS) {
+		DST_RET(ISC_R_RANGE);
+	}
+	key->key_size = BN_num_bits(n);
+	if (pubrsa != NULL) {
+		RSA_free(pubrsa);
+	}
+	RSA_free(rsa);
+
+	return (ISC_R_SUCCESS);
+
+err:
+	if (pkey != NULL) {
+		EVP_PKEY_free(pkey);
+	}
+	if (rsa != NULL) {
+		RSA_free(rsa);
+	}
+	if (pubrsa != NULL) {
+		RSA_free(pubrsa);
+	}
+	key->keydata.generic = NULL;
+	dst__privstruct_free(&priv, mctx);
+	isc_safe_memwipe(&priv, sizeof(priv));
+	return (ret);
+}
+
+static isc_result_t
+opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+		     const char *pin) {
+#if !defined(OPENSSL_NO_ENGINE)
+	ENGINE *e = NULL;
+	isc_result_t ret;
+	EVP_PKEY *pkey = NULL;
+	RSA *rsa = NULL, *pubrsa = NULL;
+	const BIGNUM *ex = NULL;
+
+	UNUSED(pin);
+
+	if (engine == NULL) {
+		DST_RET(DST_R_NOENGINE);
+	}
+	e = dst__openssl_getengine(engine);
+	if (e == NULL) {
+		DST_RET(DST_R_NOENGINE);
+	}
+	pkey = ENGINE_load_public_key(e, label, NULL, NULL);
+	if (pkey != NULL) {
+		pubrsa = EVP_PKEY_get1_RSA(pkey);
+		EVP_PKEY_free(pkey);
+		if (pubrsa == NULL) {
+			DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+		}
+	}
+	pkey = ENGINE_load_private_key(e, label, NULL, NULL);
+	if (pkey == NULL) {
+		DST_RET(dst__openssl_toresult2("ENGINE_load_private_key",
+					       ISC_R_NOTFOUND));
+	}
+	key->engine = isc_mem_strdup(key->mctx, engine);
+	key->label = isc_mem_strdup(key->mctx, label);
+	rsa = EVP_PKEY_get1_RSA(pkey);
+	if (rsa == NULL) {
+		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+	}
+	if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS) {
+		DST_RET(DST_R_INVALIDPRIVATEKEY);
+	}
+	RSA_get0_key(rsa, NULL, &ex, NULL);
+	if (BN_num_bits(ex) > RSA_MAX_PUBEXP_BITS) {
+		DST_RET(ISC_R_RANGE);
+	}
+	if (pubrsa != NULL) {
+		RSA_free(pubrsa);
+	}
+	key->key_size = EVP_PKEY_bits(pkey);
+	key->keydata.pkey = pkey;
+	RSA_free(rsa);
+	return (ISC_R_SUCCESS);
+
+err:
+	if (rsa != NULL) {
+		RSA_free(rsa);
+	}
+	if (pubrsa != NULL) {
+		RSA_free(pubrsa);
+	}
+	if (pkey != NULL) {
+		EVP_PKEY_free(pkey);
+	}
+	return (ret);
+#else  /* if !defined(OPENSSL_NO_ENGINE) */
+	UNUSED(key);
+	UNUSED(engine);
+	UNUSED(label);
+	UNUSED(pin);
+	return (DST_R_NOENGINE);
+#endif /* if !defined(OPENSSL_NO_ENGINE) */
+}
+
+static dst_func_t opensslrsa_functions = {
+	opensslrsa_createctx,
+	NULL, /*%< createctx2 */
+	opensslrsa_destroyctx,
+	opensslrsa_adddata,
+	opensslrsa_sign,
+	opensslrsa_verify,
+	opensslrsa_verify2,
+	NULL, /*%< computesecret */
+	opensslrsa_compare,
+	NULL, /*%< paramcompare */
+	opensslrsa_generate,
+	opensslrsa_isprivate,
+	opensslrsa_destroy,
+	opensslrsa_todns,
+	opensslrsa_fromdns,
+	opensslrsa_tofile,
+	opensslrsa_parse,
+	NULL, /*%< cleanup */
+	opensslrsa_fromlabel,
+	NULL, /*%< dump */
+	NULL, /*%< restore */
+};
+
+/*
+ * An RSA public key with 2048 bits
+ */
+static const unsigned char e_bytes[] = "\x01\x00\x01";
+static const unsigned char n_bytes[] =
+	"\xc3\x90\x07\xbe\xf1\x85\xfc\x1a\x43\xb1\xa5\x15\xce\x71\x34\xfc\xc1"
+	"\x87\x27\x28\x38\xa4\xcf\x7c\x1a\x82\xa8\xdc\x04\x14\xd0\x3f\xb4\xfe"
+	"\x20\x4a\xdd\xd9\x0d\xd7\xcd\x61\x8c\xbd\x61\xa8\x10\xb5\x63\x1c\x29"
+	"\x15\xcb\x41\xee\x43\x91\x7f\xeb\xa5\x2c\xab\x81\x75\x0d\xa3\x3d\xe4"
+	"\xc8\x49\xb9\xca\x5a\x55\xa1\xbb\x09\xd1\xfb\xcd\xa2\xd2\x12\xa4\x85"
+	"\xdf\xa5\x65\xc9\x27\x2d\x8b\xd7\x8b\xfe\x6d\xc4\xd1\xd9\x83\x1c\x91"
+	"\x7d\x3d\xd0\xa4\xcd\xe1\xe7\xb9\x7a\x11\x38\xf9\x8b\x3c\xec\x30\xb6"
+	"\x36\xb9\x92\x64\x81\x56\x3c\xbc\xf9\x49\xfb\xba\x82\xb7\xa0\xfa\x65"
+	"\x79\x83\xb9\x4c\xa7\xfd\x53\x0b\x5a\xe4\xde\xf9\xfc\x38\x7e\xb5\x2c"
+	"\xa0\xc3\xb2\xfc\x7c\x38\xb0\x63\x50\xaf\x00\xaa\xb2\xad\x49\x54\x1e"
+	"\x8b\x11\x88\x9b\x6e\xae\x3b\x23\xa3\xdd\x53\x51\x80\x7a\x0b\x91\x4e"
+	"\x6d\x32\x01\xbd\x17\x81\x12\x64\x9f\x84\xae\x76\x53\x1a\x63\xa0\xda"
+	"\xcc\x45\x04\x72\xb0\xa7\xfb\xfa\x02\x39\x53\xc1\x83\x1f\x88\x54\x47"
+	"\x88\x63\x20\x71\x5d\xe2\xaa\x7c\x53\x39\x5e\x35\x25\xee\xe6\x5c\x15"
+	"\x5e\x14\xbe\x99\xde\x25\x19\xe7\x13\xdb\xce\xa3\xd3\x6c\x5c\xbb\x0e"
+	"\x6b";
+
+static const unsigned char sha1_sig[] =
+	"\x69\x99\x89\x28\xe0\x38\x34\x91\x29\xb6\xac\x4b\xe9\x51\xbd\xbe\xc8"
+	"\x1a\x2d\xb6\xca\x99\xa3\x9f\x6a\x8b\x94\x5a\x51\x37\xd5\x8d\xae\x87"
+	"\xed\xbc\x8e\xb8\xa3\x60\x6b\xf6\xe6\x72\xfc\x26\x2a\x39\x2b\xfe\x88"
+	"\x1a\xa9\xd1\x93\xc7\xb9\xf8\xb6\x45\xa1\xf9\xa1\x56\x78\x7b\x00\xec"
+	"\x33\x83\xd4\x93\x25\x48\xb3\x50\x09\xd0\xbc\x7f\xac\x67\xc7\xa2\x7f"
+	"\xfc\xf6\x5a\xef\xf8\x5a\xad\x52\x74\xf5\x71\x34\xd9\x3d\x33\x8b\x4d"
+	"\x99\x64\x7e\x14\x59\xbe\xdf\x26\x8a\x67\x96\x6c\x1f\x79\x85\x10\x0d"
+	"\x7f\xd6\xa4\xba\x57\x41\x03\x71\x4e\x8c\x17\xd5\xc4\xfb\x4a\xbe\x66"
+	"\x45\x15\x45\x0c\x02\xe0\x10\xe1\xbb\x33\x8d\x90\x34\x3c\x94\xa4\x4c"
+	"\x7c\xd0\x5e\x90\x76\x80\x59\xb2\xfa\x54\xbf\xa9\x86\xb8\x84\x1e\x28"
+	"\x48\x60\x2f\x9e\xa4\xbc\xd4\x9c\x20\x27\x16\xac\x33\xcb\xcf\xab\x93"
+	"\x7a\x3b\x74\xa0\x18\x92\xa1\x4f\xfc\x52\x19\xee\x7a\x13\x73\xba\x36"
+	"\xaf\x78\x5d\xb6\x1f\x96\x76\x15\x73\xee\x04\xa8\x70\x27\xf7\xe7\xfa"
+	"\xe8\xf6\xc8\x5f\x4a\x81\x56\x0a\x94\xf3\xc6\x98\xd2\x93\xc4\x0b\x49"
+	"\x6b\x44\xd3\x73\xa2\xe3\xef\x5d\x9e\x68\xac\xa7\x42\xb1\xbb\x65\xbe"
+	"\x59";
+
+static const unsigned char sha256_sig[] =
+	"\x0f\x8c\xdb\xe6\xb6\x21\xc8\xc5\x28\x76\x7d\xf6\xf2\x3b\x78\x47\x77"
+	"\x03\x34\xc5\x5e\xc0\xda\x42\x41\xc0\x0f\x97\xd3\xd0\x53\xa1\xd6\x87"
+	"\xe4\x16\x29\x9a\xa5\x59\xf4\x01\xad\xc9\x04\xe7\x61\xe2\xcb\x79\x73"
+	"\xce\xe0\xa6\x85\xe5\x10\x8c\x4b\xc5\x68\x3b\x96\x42\x3f\x56\xb3\x6d"
+	"\x89\xc4\xff\x72\x36\xf2\x3f\xed\xe9\xb8\xe3\xae\xab\x3c\xb7\xaa\xf7"
+	"\x1f\x8f\x26\x6b\xee\xc1\xac\x72\x89\x23\x8b\x7a\xd7\x8c\x84\xf3\xf5"
+	"\x97\xa8\x8d\xd3\xef\xb2\x5e\x06\x04\x21\xdd\x28\xa2\x28\x83\x68\x9b"
+	"\xac\x34\xdd\x36\x33\xda\xdd\xa4\x59\xc7\x5a\x4d\xf3\x83\x06\xd5\xc0"
+	"\x0d\x1f\x4f\x47\x2f\x9f\xcc\xc2\x0d\x21\x1e\x82\xb9\x3d\xf3\xa4\x1a"
+	"\xa6\xd8\x0e\x72\x1d\x71\x17\x1c\x54\xad\x37\x3e\xa4\x0e\x70\x86\x53"
+	"\xfb\x40\xad\xb9\x14\xf8\x8d\x93\xbb\xd7\xe7\x31\xce\xe0\x98\xda\x27"
+	"\x1c\x18\x8e\xd8\x85\xcb\xa7\xb1\x18\xac\x8c\xa8\x9d\xa9\xe2\xf6\x30"
+	"\x95\xa4\x81\xf4\x1c\xa0\x31\xd5\xc7\x9d\x28\x33\xee\x7f\x08\x4f\xcb"
+	"\xd1\x14\x17\xdf\xd0\x88\x78\x47\x29\xaf\x6c\xb2\x62\xa6\x30\x87\x29"
+	"\xaa\x80\x19\x7d\x2f\x05\xe3\x7e\x23\x73\x88\x08\xcc\xbd\x50\x46\x09"
+	"\x2a";
+
+static const unsigned char sha512_sig[] =
+	"\x15\xda\x87\x87\x1f\x76\x08\xd3\x9d\x3a\xb9\xd2\x6a\x0e\x3b\x7d\xdd"
+	"\xec\x7d\xc4\x6d\x26\xf5\x04\xd3\x76\xc7\x83\xc4\x81\x69\x35\xe9\x47"
+	"\xbf\x49\xd1\xc0\xf9\x01\x4e\x0a\x34\x5b\xd0\xec\x6e\xe2\x2e\xe9\x2d"
+	"\x00\xfd\xe0\xa0\x28\x54\x53\x19\x49\x6d\xd2\x58\xb9\x47\xfa\x45\xad"
+	"\xd2\x1d\x52\xac\x80\xcb\xfc\x91\x97\x84\x58\x5f\xab\x21\x62\x60\x79"
+	"\xb8\x8a\x83\xe1\xf1\xcb\x05\x4c\x92\x56\x62\xd9\xbf\xa7\x81\x34\x23"
+	"\xdf\xd7\xa7\xc4\xdf\xde\x96\x00\x57\x4b\x78\x85\xb9\x3b\xdd\x3f\x98"
+	"\x88\x59\x1d\x48\xcf\x5a\xa8\xb7\x2a\x8b\x77\x93\x8e\x38\x3a\x0c\xa7"
+	"\x8a\x5f\xe6\x9f\xcb\xf0\x9a\x6b\xb6\x91\x04\x8b\x69\x6a\x37\xee\xa2"
+	"\xad\x5f\x31\x20\x96\xd6\x51\x80\xbf\x62\x48\xb8\xe4\x94\x10\x86\x4e"
+	"\xf2\x22\x1e\xa4\xd5\x54\xfe\xe1\x35\x49\xaf\xf8\x62\xfc\x11\xeb\xf7"
+	"\x3d\xd5\x5e\xaf\x11\xbd\x3d\xa9\x3a\x9f\x7f\xe8\xb4\x0d\xa2\xbb\x1c"
+	"\xbd\x4c\xed\x9e\x81\xb1\xec\xd3\xea\xaa\x03\xe3\x14\xdf\x8c\xb3\x78"
+	"\x85\x5e\x87\xad\xec\x41\x1a\xa9\x4f\xd2\xe6\xc6\xbe\xfa\xb8\x10\xea"
+	"\x74\x25\x36\x0c\x23\xe2\x24\xb7\x21\xb7\x0d\xaf\xf6\xb4\x31\xf5\x75"
+	"\xf1";
+
+static isc_result_t
+check_algorithm(unsigned char algorithm) {
+	BIGNUM *n = NULL, *e = NULL;
+	EVP_MD_CTX *evp_md_ctx = EVP_MD_CTX_create();
+	EVP_PKEY *pkey = NULL;
+	const EVP_MD *type = NULL;
+	const unsigned char *sig = NULL;
+	int status;
+	isc_result_t ret = ISC_R_SUCCESS;
+	size_t len;
+	RSA *rsa = NULL;
+
+	if (evp_md_ctx == NULL) {
+		DST_RET(ISC_R_NOMEMORY);
+	}
+
+	switch (algorithm) {
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		type = EVP_sha1(); /* SHA1 + RSA */
+		sig = sha1_sig;
+		len = sizeof(sha1_sig) - 1;
+		break;
+	case DST_ALG_RSASHA256:
+		type = EVP_sha256(); /* SHA256 + RSA */
+		sig = sha256_sig;
+		len = sizeof(sha256_sig) - 1;
+		break;
+	case DST_ALG_RSASHA512:
+		type = EVP_sha512();
+		sig = sha512_sig;
+		len = sizeof(sha512_sig) - 1;
+		break;
+	default:
+		DST_RET(ISC_R_NOTIMPLEMENTED);
+	}
+
+	if (type == NULL) {
+		DST_RET(ISC_R_NOTIMPLEMENTED);
+	}
+
+	/*
+	 * Construct pkey.
+	 */
+	e = BN_bin2bn(e_bytes, sizeof(e_bytes) - 1, NULL);
+	n = BN_bin2bn(n_bytes, sizeof(n_bytes) - 1, NULL);
+	if (e == NULL || n == NULL) {
+		DST_RET(ISC_R_NOMEMORY);
+	}
+
+	rsa = RSA_new();
+	if (rsa == NULL) {
+		DST_RET(dst__openssl_toresult2("RSA_new",
+					       DST_R_OPENSSLFAILURE));
+	}
+	status = RSA_set0_key(rsa, n, e, NULL);
+	if (status != 1) {
+		DST_RET(dst__openssl_toresult2("RSA_set0_key",
+					       DST_R_OPENSSLFAILURE));
+	}
+
+	/* These are now managed by OpenSSL. */
+	n = NULL;
+	e = NULL;
+
+	pkey = EVP_PKEY_new();
+	if (pkey == NULL) {
+		DST_RET(dst__openssl_toresult2("EVP_PKEY_new",
+					       DST_R_OPENSSLFAILURE));
+	}
+	status = EVP_PKEY_set1_RSA(pkey, rsa);
+	if (status != 1) {
+		DST_RET(dst__openssl_toresult2("EVP_PKEY_set1_RSA",
+					       DST_R_OPENSSLFAILURE));
+	}
+
+	/*
+	 * Check that we can verify the signature.
+	 */
+	if (EVP_DigestInit_ex(evp_md_ctx, type, NULL) != 1 ||
+	    EVP_DigestUpdate(evp_md_ctx, "test", 4) != 1 ||
+	    EVP_VerifyFinal(evp_md_ctx, sig, len, pkey) != 1)
+	{
+		DST_RET(ISC_R_NOTIMPLEMENTED);
+	}
+
+err:
+	BN_free(e);
+	BN_free(n);
+	if (rsa != NULL) {
+		RSA_free(rsa);
+	}
+	if (pkey != NULL) {
+		EVP_PKEY_free(pkey);
+	}
+	if (evp_md_ctx != NULL) {
+		EVP_MD_CTX_destroy(evp_md_ctx);
+	}
+	ERR_clear_error();
+	return (ret);
+}
+
+isc_result_t
+dst__opensslrsa_init(dst_func_t **funcp, unsigned char algorithm) {
+	isc_result_t result;
+
+	REQUIRE(funcp != NULL);
+
+	result = check_algorithm(algorithm);
+
+	if (result == ISC_R_SUCCESS) {
+		if (*funcp == NULL) {
+			*funcp = &opensslrsa_functions;
+		}
+	} else if (result == ISC_R_NOTIMPLEMENTED) {
+		result = ISC_R_SUCCESS;
+	}
+
+	return (result);
+}
+
+#endif /* !USE_PKCS11 */
+
+/*! \file */
diff --git a/lib/dns/order.c b/lib/dns/order.c
new file mode 100644
index 0000000..94e5f81
--- /dev/null
+++ b/lib/dns/order.c
@@ -0,0 +1,150 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <stdbool.h>
+
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/refcount.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/order.h>
+#include <dns/rdataset.h>
+#include <dns/types.h>
+
+typedef struct dns_order_ent dns_order_ent_t;
+struct dns_order_ent {
+	dns_fixedname_t name;
+	dns_rdataclass_t rdclass;
+	dns_rdatatype_t rdtype;
+	unsigned int mode;
+	ISC_LINK(dns_order_ent_t) link;
+};
+
+struct dns_order {
+	unsigned int magic;
+	isc_refcount_t references;
+	ISC_LIST(dns_order_ent_t) ents;
+	isc_mem_t *mctx;
+};
+
+#define DNS_ORDER_MAGIC	       ISC_MAGIC('O', 'r', 'd', 'r')
+#define DNS_ORDER_VALID(order) ISC_MAGIC_VALID(order, DNS_ORDER_MAGIC)
+
+isc_result_t
+dns_order_create(isc_mem_t *mctx, dns_order_t **orderp) {
+	dns_order_t *order;
+
+	REQUIRE(orderp != NULL && *orderp == NULL);
+
+	order = isc_mem_get(mctx, sizeof(*order));
+
+	ISC_LIST_INIT(order->ents);
+
+	/* Implicit attach. */
+	isc_refcount_init(&order->references, 1);
+
+	order->mctx = NULL;
+	isc_mem_attach(mctx, &order->mctx);
+	order->magic = DNS_ORDER_MAGIC;
+	*orderp = order;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_order_add(dns_order_t *order, const dns_name_t *name,
+	      dns_rdatatype_t rdtype, dns_rdataclass_t rdclass,
+	      unsigned int mode) {
+	dns_order_ent_t *ent;
+
+	REQUIRE(DNS_ORDER_VALID(order));
+	REQUIRE(mode == DNS_RDATASETATTR_RANDOMIZE ||
+		mode == DNS_RDATASETATTR_FIXEDORDER ||
+		mode == DNS_RDATASETATTR_CYCLIC ||
+		mode == DNS_RDATASETATTR_NONE);
+
+	ent = isc_mem_get(order->mctx, sizeof(*ent));
+
+	dns_fixedname_init(&ent->name);
+	dns_name_copynf(name, dns_fixedname_name(&ent->name));
+	ent->rdtype = rdtype;
+	ent->rdclass = rdclass;
+	ent->mode = mode;
+	ISC_LINK_INIT(ent, link);
+	ISC_LIST_INITANDAPPEND(order->ents, ent, link);
+	return (ISC_R_SUCCESS);
+}
+
+static bool
+match(const dns_name_t *name1, const dns_name_t *name2) {
+	if (dns_name_iswildcard(name2)) {
+		return (dns_name_matcheswildcard(name1, name2));
+	}
+	return (dns_name_equal(name1, name2));
+}
+
+unsigned int
+dns_order_find(dns_order_t *order, const dns_name_t *name,
+	       dns_rdatatype_t rdtype, dns_rdataclass_t rdclass) {
+	dns_order_ent_t *ent;
+	REQUIRE(DNS_ORDER_VALID(order));
+
+	for (ent = ISC_LIST_HEAD(order->ents); ent != NULL;
+	     ent = ISC_LIST_NEXT(ent, link))
+	{
+		if (ent->rdtype != rdtype && ent->rdtype != dns_rdatatype_any) {
+			continue;
+		}
+		if (ent->rdclass != rdclass &&
+		    ent->rdclass != dns_rdataclass_any)
+		{
+			continue;
+		}
+		if (match(name, dns_fixedname_name(&ent->name))) {
+			return (ent->mode);
+		}
+	}
+	return (DNS_RDATASETATTR_NONE);
+}
+
+void
+dns_order_attach(dns_order_t *source, dns_order_t **target) {
+	REQUIRE(DNS_ORDER_VALID(source));
+	REQUIRE(target != NULL && *target == NULL);
+	isc_refcount_increment(&source->references);
+	*target = source;
+}
+
+void
+dns_order_detach(dns_order_t **orderp) {
+	REQUIRE(orderp != NULL && DNS_ORDER_VALID(*orderp));
+	dns_order_t *order;
+	order = *orderp;
+	*orderp = NULL;
+
+	if (isc_refcount_decrement(&order->references) == 1) {
+		isc_refcount_destroy(&order->references);
+		order->magic = 0;
+		dns_order_ent_t *ent;
+		while ((ent = ISC_LIST_HEAD(order->ents)) != NULL) {
+			ISC_LIST_UNLINK(order->ents, ent, link);
+			isc_mem_put(order->mctx, ent, sizeof(*ent));
+		}
+		isc_mem_putanddetach(&order->mctx, order, sizeof(*order));
+	}
+}
diff --git a/lib/dns/peer.c b/lib/dns/peer.c
new file mode 100644
index 0000000..d07933d
--- /dev/null
+++ b/lib/dns/peer.c
@@ -0,0 +1,919 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/mem.h>
+#include <isc/sockaddr.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/bit.h>
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/peer.h>
+
+/*%
+ * Bit positions in the dns_peer_t structure flags field
+ */
+#define BOGUS_BIT		   0
+#define SERVER_TRANSFER_FORMAT_BIT 1
+#define TRANSFERS_BIT		   2
+#define PROVIDE_IXFR_BIT	   3
+#define REQUEST_IXFR_BIT	   4
+#define SUPPORT_EDNS_BIT	   5
+#define SERVER_UDPSIZE_BIT	   6
+#define SERVER_MAXUDP_BIT	   7
+#define REQUEST_NSID_BIT	   8
+#define SEND_COOKIE_BIT		   9
+#define NOTIFY_DSCP_BIT		   10
+#define TRANSFER_DSCP_BIT	   11
+#define QUERY_DSCP_BIT		   12
+#define REQUEST_EXPIRE_BIT	   13
+#define EDNS_VERSION_BIT	   14
+#define FORCE_TCP_BIT		   15
+#define SERVER_PADDING_BIT	   16
+#define REQUEST_TCP_KEEPALIVE_BIT  17
+
+static void
+peerlist_delete(dns_peerlist_t **list);
+
+static void
+peer_delete(dns_peer_t **peer);
+
+isc_result_t
+dns_peerlist_new(isc_mem_t *mem, dns_peerlist_t **list) {
+	dns_peerlist_t *l;
+
+	REQUIRE(list != NULL);
+
+	l = isc_mem_get(mem, sizeof(*l));
+
+	ISC_LIST_INIT(l->elements);
+	l->mem = mem;
+	isc_refcount_init(&l->refs, 1);
+	l->magic = DNS_PEERLIST_MAGIC;
+
+	*list = l;
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_peerlist_attach(dns_peerlist_t *source, dns_peerlist_t **target) {
+	REQUIRE(DNS_PEERLIST_VALID(source));
+	REQUIRE(target != NULL);
+	REQUIRE(*target == NULL);
+
+	isc_refcount_increment(&source->refs);
+
+	*target = source;
+}
+
+void
+dns_peerlist_detach(dns_peerlist_t **list) {
+	dns_peerlist_t *plist;
+
+	REQUIRE(list != NULL);
+	REQUIRE(*list != NULL);
+	REQUIRE(DNS_PEERLIST_VALID(*list));
+
+	plist = *list;
+	*list = NULL;
+
+	if (isc_refcount_decrement(&plist->refs) == 1) {
+		peerlist_delete(&plist);
+	}
+}
+
+static void
+peerlist_delete(dns_peerlist_t **list) {
+	dns_peerlist_t *l;
+	dns_peer_t *server, *stmp;
+
+	REQUIRE(list != NULL);
+	REQUIRE(DNS_PEERLIST_VALID(*list));
+
+	l = *list;
+	*list = NULL;
+
+	isc_refcount_destroy(&l->refs);
+
+	server = ISC_LIST_HEAD(l->elements);
+	while (server != NULL) {
+		stmp = ISC_LIST_NEXT(server, next);
+		ISC_LIST_UNLINK(l->elements, server, next);
+		dns_peer_detach(&server);
+		server = stmp;
+	}
+
+	l->magic = 0;
+	isc_mem_put(l->mem, l, sizeof(*l));
+}
+
+void
+dns_peerlist_addpeer(dns_peerlist_t *peers, dns_peer_t *peer) {
+	dns_peer_t *p = NULL;
+
+	dns_peer_attach(peer, &p);
+
+	/*
+	 * More specifics to front of list.
+	 */
+	for (p = ISC_LIST_HEAD(peers->elements); p != NULL;
+	     p = ISC_LIST_NEXT(p, next))
+	{
+		if (p->prefixlen < peer->prefixlen) {
+			break;
+		}
+	}
+
+	if (p != NULL) {
+		ISC_LIST_INSERTBEFORE(peers->elements, p, peer, next);
+	} else {
+		ISC_LIST_APPEND(peers->elements, peer, next);
+	}
+}
+
+isc_result_t
+dns_peerlist_peerbyaddr(dns_peerlist_t *servers, const isc_netaddr_t *addr,
+			dns_peer_t **retval) {
+	dns_peer_t *server;
+	isc_result_t res;
+
+	REQUIRE(retval != NULL);
+	REQUIRE(DNS_PEERLIST_VALID(servers));
+
+	server = ISC_LIST_HEAD(servers->elements);
+	while (server != NULL) {
+		if (isc_netaddr_eqprefix(addr, &server->address,
+					 server->prefixlen))
+		{
+			break;
+		}
+
+		server = ISC_LIST_NEXT(server, next);
+	}
+
+	if (server != NULL) {
+		*retval = server;
+		res = ISC_R_SUCCESS;
+	} else {
+		res = ISC_R_NOTFOUND;
+	}
+
+	return (res);
+}
+
+isc_result_t
+dns_peerlist_currpeer(dns_peerlist_t *peers, dns_peer_t **retval) {
+	dns_peer_t *p = NULL;
+
+	p = ISC_LIST_TAIL(peers->elements);
+
+	dns_peer_attach(p, retval);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_new(isc_mem_t *mem, const isc_netaddr_t *addr, dns_peer_t **peerptr) {
+	unsigned int prefixlen = 0;
+
+	REQUIRE(peerptr != NULL);
+	switch (addr->family) {
+	case AF_INET:
+		prefixlen = 32;
+		break;
+	case AF_INET6:
+		prefixlen = 128;
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	return (dns_peer_newprefix(mem, addr, prefixlen, peerptr));
+}
+
+isc_result_t
+dns_peer_newprefix(isc_mem_t *mem, const isc_netaddr_t *addr,
+		   unsigned int prefixlen, dns_peer_t **peerptr) {
+	dns_peer_t *peer;
+
+	REQUIRE(peerptr != NULL && *peerptr == NULL);
+
+	peer = isc_mem_get(mem, sizeof(*peer));
+
+	*peer = (dns_peer_t){
+		.magic = DNS_PEER_MAGIC,
+		.address = *addr,
+		.prefixlen = prefixlen,
+		.mem = mem,
+		.transfer_format = dns_one_answer,
+	};
+
+	isc_refcount_init(&peer->refs, 1);
+
+	ISC_LINK_INIT(peer, next);
+
+	*peerptr = peer;
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_peer_attach(dns_peer_t *source, dns_peer_t **target) {
+	REQUIRE(DNS_PEER_VALID(source));
+	REQUIRE(target != NULL);
+	REQUIRE(*target == NULL);
+
+	isc_refcount_increment(&source->refs);
+
+	*target = source;
+}
+
+void
+dns_peer_detach(dns_peer_t **peer) {
+	dns_peer_t *p;
+
+	REQUIRE(peer != NULL);
+	REQUIRE(*peer != NULL);
+	REQUIRE(DNS_PEER_VALID(*peer));
+
+	p = *peer;
+	*peer = NULL;
+
+	if (isc_refcount_decrement(&p->refs) == 1) {
+		peer_delete(&p);
+	}
+}
+
+static void
+peer_delete(dns_peer_t **peer) {
+	dns_peer_t *p;
+	isc_mem_t *mem;
+
+	REQUIRE(peer != NULL);
+	REQUIRE(DNS_PEER_VALID(*peer));
+
+	p = *peer;
+	*peer = NULL;
+
+	isc_refcount_destroy(&p->refs);
+
+	mem = p->mem;
+	p->mem = NULL;
+	p->magic = 0;
+
+	if (p->key != NULL) {
+		dns_name_free(p->key, mem);
+		isc_mem_put(mem, p->key, sizeof(dns_name_t));
+	}
+
+	if (p->query_source != NULL) {
+		isc_mem_put(mem, p->query_source, sizeof(*p->query_source));
+	}
+
+	if (p->notify_source != NULL) {
+		isc_mem_put(mem, p->notify_source, sizeof(*p->notify_source));
+	}
+
+	if (p->transfer_source != NULL) {
+		isc_mem_put(mem, p->transfer_source,
+			    sizeof(*p->transfer_source));
+	}
+
+	isc_mem_put(mem, p, sizeof(*p));
+}
+
+isc_result_t
+dns_peer_setbogus(dns_peer_t *peer, bool newval) {
+	bool existed;
+
+	REQUIRE(DNS_PEER_VALID(peer));
+
+	existed = DNS_BIT_CHECK(BOGUS_BIT, &peer->bitflags);
+
+	peer->bogus = newval;
+	DNS_BIT_SET(BOGUS_BIT, &peer->bitflags);
+
+	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_getbogus(dns_peer_t *peer, bool *retval) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(retval != NULL);
+
+	if (DNS_BIT_CHECK(BOGUS_BIT, &peer->bitflags)) {
+		*retval = peer->bogus;
+		return (ISC_R_SUCCESS);
+	} else {
+		return (ISC_R_NOTFOUND);
+	}
+}
+
+isc_result_t
+dns_peer_setprovideixfr(dns_peer_t *peer, bool newval) {
+	bool existed;
+
+	REQUIRE(DNS_PEER_VALID(peer));
+
+	existed = DNS_BIT_CHECK(PROVIDE_IXFR_BIT, &peer->bitflags);
+
+	peer->provide_ixfr = newval;
+	DNS_BIT_SET(PROVIDE_IXFR_BIT, &peer->bitflags);
+
+	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_getprovideixfr(dns_peer_t *peer, bool *retval) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(retval != NULL);
+
+	if (DNS_BIT_CHECK(PROVIDE_IXFR_BIT, &peer->bitflags)) {
+		*retval = peer->provide_ixfr;
+		return (ISC_R_SUCCESS);
+	} else {
+		return (ISC_R_NOTFOUND);
+	}
+}
+
+isc_result_t
+dns_peer_setrequestixfr(dns_peer_t *peer, bool newval) {
+	bool existed;
+
+	REQUIRE(DNS_PEER_VALID(peer));
+
+	existed = DNS_BIT_CHECK(REQUEST_IXFR_BIT, &peer->bitflags);
+
+	peer->request_ixfr = newval;
+	DNS_BIT_SET(REQUEST_IXFR_BIT, &peer->bitflags);
+
+	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_getrequestixfr(dns_peer_t *peer, bool *retval) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(retval != NULL);
+
+	if (DNS_BIT_CHECK(REQUEST_IXFR_BIT, &peer->bitflags)) {
+		*retval = peer->request_ixfr;
+		return (ISC_R_SUCCESS);
+	} else {
+		return (ISC_R_NOTFOUND);
+	}
+}
+
+isc_result_t
+dns_peer_setsupportedns(dns_peer_t *peer, bool newval) {
+	bool existed;
+
+	REQUIRE(DNS_PEER_VALID(peer));
+
+	existed = DNS_BIT_CHECK(SUPPORT_EDNS_BIT, &peer->bitflags);
+
+	peer->support_edns = newval;
+	DNS_BIT_SET(SUPPORT_EDNS_BIT, &peer->bitflags);
+
+	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_getsupportedns(dns_peer_t *peer, bool *retval) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(retval != NULL);
+
+	if (DNS_BIT_CHECK(SUPPORT_EDNS_BIT, &peer->bitflags)) {
+		*retval = peer->support_edns;
+		return (ISC_R_SUCCESS);
+	} else {
+		return (ISC_R_NOTFOUND);
+	}
+}
+
+isc_result_t
+dns_peer_setrequestnsid(dns_peer_t *peer, bool newval) {
+	bool existed;
+
+	REQUIRE(DNS_PEER_VALID(peer));
+
+	existed = DNS_BIT_CHECK(REQUEST_NSID_BIT, &peer->bitflags);
+
+	peer->request_nsid = newval;
+	DNS_BIT_SET(REQUEST_NSID_BIT, &peer->bitflags);
+
+	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_getrequestnsid(dns_peer_t *peer, bool *retval) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(retval != NULL);
+
+	if (DNS_BIT_CHECK(REQUEST_NSID_BIT, &peer->bitflags)) {
+		*retval = peer->request_nsid;
+		return (ISC_R_SUCCESS);
+	} else {
+		return (ISC_R_NOTFOUND);
+	}
+}
+
+isc_result_t
+dns_peer_setsendcookie(dns_peer_t *peer, bool newval) {
+	bool existed;
+
+	REQUIRE(DNS_PEER_VALID(peer));
+
+	existed = DNS_BIT_CHECK(SEND_COOKIE_BIT, &peer->bitflags);
+
+	peer->send_cookie = newval;
+	DNS_BIT_SET(SEND_COOKIE_BIT, &peer->bitflags);
+
+	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_getsendcookie(dns_peer_t *peer, bool *retval) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(retval != NULL);
+
+	if (DNS_BIT_CHECK(SEND_COOKIE_BIT, &peer->bitflags)) {
+		*retval = peer->send_cookie;
+		return (ISC_R_SUCCESS);
+	} else {
+		return (ISC_R_NOTFOUND);
+	}
+}
+
+isc_result_t
+dns_peer_setrequestexpire(dns_peer_t *peer, bool newval) {
+	bool existed;
+
+	REQUIRE(DNS_PEER_VALID(peer));
+
+	existed = DNS_BIT_CHECK(REQUEST_EXPIRE_BIT, &peer->bitflags);
+
+	peer->request_expire = newval;
+	DNS_BIT_SET(REQUEST_EXPIRE_BIT, &peer->bitflags);
+
+	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_getrequestexpire(dns_peer_t *peer, bool *retval) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(retval != NULL);
+
+	if (DNS_BIT_CHECK(REQUEST_EXPIRE_BIT, &peer->bitflags)) {
+		*retval = peer->request_expire;
+		return (ISC_R_SUCCESS);
+	} else {
+		return (ISC_R_NOTFOUND);
+	}
+}
+
+isc_result_t
+dns_peer_setforcetcp(dns_peer_t *peer, bool newval) {
+	bool existed;
+
+	REQUIRE(DNS_PEER_VALID(peer));
+
+	existed = DNS_BIT_CHECK(FORCE_TCP_BIT, &peer->bitflags);
+
+	peer->force_tcp = newval;
+	DNS_BIT_SET(FORCE_TCP_BIT, &peer->bitflags);
+
+	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_getforcetcp(dns_peer_t *peer, bool *retval) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(retval != NULL);
+
+	if (DNS_BIT_CHECK(FORCE_TCP_BIT, &peer->bitflags)) {
+		*retval = peer->force_tcp;
+		return (ISC_R_SUCCESS);
+	} else {
+		return (ISC_R_NOTFOUND);
+	}
+}
+
+isc_result_t
+dns_peer_settcpkeepalive(dns_peer_t *peer, bool newval) {
+	bool existed;
+
+	REQUIRE(DNS_PEER_VALID(peer));
+
+	existed = DNS_BIT_CHECK(REQUEST_TCP_KEEPALIVE_BIT, &peer->bitflags);
+
+	peer->tcp_keepalive = newval;
+	DNS_BIT_SET(REQUEST_TCP_KEEPALIVE_BIT, &peer->bitflags);
+
+	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_gettcpkeepalive(dns_peer_t *peer, bool *retval) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(retval != NULL);
+
+	if (DNS_BIT_CHECK(REQUEST_TCP_KEEPALIVE_BIT, &peer->bitflags)) {
+		*retval = peer->tcp_keepalive;
+		return (ISC_R_SUCCESS);
+	} else {
+		return (ISC_R_NOTFOUND);
+	}
+}
+
+isc_result_t
+dns_peer_settransfers(dns_peer_t *peer, uint32_t newval) {
+	bool existed;
+
+	REQUIRE(DNS_PEER_VALID(peer));
+
+	existed = DNS_BIT_CHECK(TRANSFERS_BIT, &peer->bitflags);
+
+	peer->transfers = newval;
+	DNS_BIT_SET(TRANSFERS_BIT, &peer->bitflags);
+
+	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_gettransfers(dns_peer_t *peer, uint32_t *retval) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(retval != NULL);
+
+	if (DNS_BIT_CHECK(TRANSFERS_BIT, &peer->bitflags)) {
+		*retval = peer->transfers;
+		return (ISC_R_SUCCESS);
+	} else {
+		return (ISC_R_NOTFOUND);
+	}
+}
+
+isc_result_t
+dns_peer_settransferformat(dns_peer_t *peer, dns_transfer_format_t newval) {
+	bool existed;
+
+	REQUIRE(DNS_PEER_VALID(peer));
+
+	existed = DNS_BIT_CHECK(SERVER_TRANSFER_FORMAT_BIT, &peer->bitflags);
+
+	peer->transfer_format = newval;
+	DNS_BIT_SET(SERVER_TRANSFER_FORMAT_BIT, &peer->bitflags);
+
+	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_gettransferformat(dns_peer_t *peer, dns_transfer_format_t *retval) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(retval != NULL);
+
+	if (DNS_BIT_CHECK(SERVER_TRANSFER_FORMAT_BIT, &peer->bitflags)) {
+		*retval = peer->transfer_format;
+		return (ISC_R_SUCCESS);
+	} else {
+		return (ISC_R_NOTFOUND);
+	}
+}
+
+isc_result_t
+dns_peer_getkey(dns_peer_t *peer, dns_name_t **retval) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(retval != NULL);
+
+	if (peer->key != NULL) {
+		*retval = peer->key;
+	}
+
+	return (peer->key == NULL ? ISC_R_NOTFOUND : ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_setkey(dns_peer_t *peer, dns_name_t **keyval) {
+	bool exists = false;
+
+	if (peer->key != NULL) {
+		dns_name_free(peer->key, peer->mem);
+		isc_mem_put(peer->mem, peer->key, sizeof(dns_name_t));
+		exists = true;
+	}
+
+	peer->key = *keyval;
+	*keyval = NULL;
+
+	return (exists ? ISC_R_EXISTS : ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_setkeybycharp(dns_peer_t *peer, const char *keyval) {
+	isc_buffer_t b;
+	dns_fixedname_t fname;
+	dns_name_t *name;
+	isc_result_t result;
+
+	dns_fixedname_init(&fname);
+	isc_buffer_constinit(&b, keyval, strlen(keyval));
+	isc_buffer_add(&b, strlen(keyval));
+	result = dns_name_fromtext(dns_fixedname_name(&fname), &b, dns_rootname,
+				   0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	name = isc_mem_get(peer->mem, sizeof(dns_name_t));
+
+	dns_name_init(name, NULL);
+	dns_name_dup(dns_fixedname_name(&fname), peer->mem, name);
+
+	result = dns_peer_setkey(peer, &name);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(peer->mem, name, sizeof(dns_name_t));
+	}
+
+	return (result);
+}
+
+isc_result_t
+dns_peer_settransfersource(dns_peer_t *peer,
+			   const isc_sockaddr_t *transfer_source) {
+	REQUIRE(DNS_PEER_VALID(peer));
+
+	if (peer->transfer_source != NULL) {
+		isc_mem_put(peer->mem, peer->transfer_source,
+			    sizeof(*peer->transfer_source));
+		peer->transfer_source = NULL;
+	}
+	if (transfer_source != NULL) {
+		peer->transfer_source =
+			isc_mem_get(peer->mem, sizeof(*peer->transfer_source));
+
+		*peer->transfer_source = *transfer_source;
+	}
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_gettransfersource(dns_peer_t *peer, isc_sockaddr_t *transfer_source) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(transfer_source != NULL);
+
+	if (peer->transfer_source == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+	*transfer_source = *peer->transfer_source;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_setnotifysource(dns_peer_t *peer,
+			 const isc_sockaddr_t *notify_source) {
+	REQUIRE(DNS_PEER_VALID(peer));
+
+	if (peer->notify_source != NULL) {
+		isc_mem_put(peer->mem, peer->notify_source,
+			    sizeof(*peer->notify_source));
+		peer->notify_source = NULL;
+	}
+	if (notify_source != NULL) {
+		peer->notify_source = isc_mem_get(peer->mem,
+						  sizeof(*peer->notify_source));
+
+		*peer->notify_source = *notify_source;
+	}
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_getnotifysource(dns_peer_t *peer, isc_sockaddr_t *notify_source) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(notify_source != NULL);
+
+	if (peer->notify_source == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+	*notify_source = *peer->notify_source;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_setquerysource(dns_peer_t *peer, const isc_sockaddr_t *query_source) {
+	REQUIRE(DNS_PEER_VALID(peer));
+
+	if (peer->query_source != NULL) {
+		isc_mem_put(peer->mem, peer->query_source,
+			    sizeof(*peer->query_source));
+		peer->query_source = NULL;
+	}
+	if (query_source != NULL) {
+		peer->query_source = isc_mem_get(peer->mem,
+						 sizeof(*peer->query_source));
+
+		*peer->query_source = *query_source;
+	}
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_getquerysource(dns_peer_t *peer, isc_sockaddr_t *query_source) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(query_source != NULL);
+
+	if (peer->query_source == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+	*query_source = *peer->query_source;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_setudpsize(dns_peer_t *peer, uint16_t udpsize) {
+	bool existed;
+
+	REQUIRE(DNS_PEER_VALID(peer));
+
+	existed = DNS_BIT_CHECK(SERVER_UDPSIZE_BIT, &peer->bitflags);
+
+	peer->udpsize = udpsize;
+	DNS_BIT_SET(SERVER_UDPSIZE_BIT, &peer->bitflags);
+
+	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_getudpsize(dns_peer_t *peer, uint16_t *udpsize) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(udpsize != NULL);
+
+	if (DNS_BIT_CHECK(SERVER_UDPSIZE_BIT, &peer->bitflags)) {
+		*udpsize = peer->udpsize;
+		return (ISC_R_SUCCESS);
+	} else {
+		return (ISC_R_NOTFOUND);
+	}
+}
+
+isc_result_t
+dns_peer_setmaxudp(dns_peer_t *peer, uint16_t maxudp) {
+	bool existed;
+
+	REQUIRE(DNS_PEER_VALID(peer));
+
+	existed = DNS_BIT_CHECK(SERVER_MAXUDP_BIT, &peer->bitflags);
+
+	peer->maxudp = maxudp;
+	DNS_BIT_SET(SERVER_MAXUDP_BIT, &peer->bitflags);
+
+	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_getmaxudp(dns_peer_t *peer, uint16_t *maxudp) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(maxudp != NULL);
+
+	if (DNS_BIT_CHECK(SERVER_MAXUDP_BIT, &peer->bitflags)) {
+		*maxudp = peer->maxudp;
+		return (ISC_R_SUCCESS);
+	} else {
+		return (ISC_R_NOTFOUND);
+	}
+}
+
+isc_result_t
+dns_peer_setpadding(dns_peer_t *peer, uint16_t padding) {
+	bool existed;
+
+	REQUIRE(DNS_PEER_VALID(peer));
+
+	existed = DNS_BIT_CHECK(SERVER_PADDING_BIT, &peer->bitflags);
+
+	if (padding > 512) {
+		padding = 512;
+	}
+	peer->padding = padding;
+	DNS_BIT_SET(SERVER_PADDING_BIT, &peer->bitflags);
+
+	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_getpadding(dns_peer_t *peer, uint16_t *padding) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(padding != NULL);
+
+	if (DNS_BIT_CHECK(SERVER_PADDING_BIT, &peer->bitflags)) {
+		*padding = peer->padding;
+		return (ISC_R_SUCCESS);
+	} else {
+		return (ISC_R_NOTFOUND);
+	}
+}
+
+isc_result_t
+dns_peer_setnotifydscp(dns_peer_t *peer, isc_dscp_t dscp) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(dscp < 64);
+
+	peer->notify_dscp = dscp;
+	DNS_BIT_SET(NOTIFY_DSCP_BIT, &peer->bitflags);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_getnotifydscp(dns_peer_t *peer, isc_dscp_t *dscpp) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(dscpp != NULL);
+
+	if (DNS_BIT_CHECK(NOTIFY_DSCP_BIT, &peer->bitflags)) {
+		*dscpp = peer->notify_dscp;
+		return (ISC_R_SUCCESS);
+	}
+	return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
+dns_peer_settransferdscp(dns_peer_t *peer, isc_dscp_t dscp) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(dscp < 64);
+
+	peer->transfer_dscp = dscp;
+	DNS_BIT_SET(TRANSFER_DSCP_BIT, &peer->bitflags);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_gettransferdscp(dns_peer_t *peer, isc_dscp_t *dscpp) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(dscpp != NULL);
+
+	if (DNS_BIT_CHECK(TRANSFER_DSCP_BIT, &peer->bitflags)) {
+		*dscpp = peer->transfer_dscp;
+		return (ISC_R_SUCCESS);
+	}
+	return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
+dns_peer_setquerydscp(dns_peer_t *peer, isc_dscp_t dscp) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(dscp < 64);
+
+	peer->query_dscp = dscp;
+	DNS_BIT_SET(QUERY_DSCP_BIT, &peer->bitflags);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_getquerydscp(dns_peer_t *peer, isc_dscp_t *dscpp) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(dscpp != NULL);
+
+	if (DNS_BIT_CHECK(QUERY_DSCP_BIT, &peer->bitflags)) {
+		*dscpp = peer->query_dscp;
+		return (ISC_R_SUCCESS);
+	}
+	return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
+dns_peer_setednsversion(dns_peer_t *peer, uint8_t ednsversion) {
+	REQUIRE(DNS_PEER_VALID(peer));
+
+	peer->ednsversion = ednsversion;
+	DNS_BIT_SET(EDNS_VERSION_BIT, &peer->bitflags);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_getednsversion(dns_peer_t *peer, uint8_t *ednsversion) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(ednsversion != NULL);
+
+	if (DNS_BIT_CHECK(EDNS_VERSION_BIT, &peer->bitflags)) {
+		*ednsversion = peer->ednsversion;
+		return (ISC_R_SUCCESS);
+	} else {
+		return (ISC_R_NOTFOUND);
+	}
+}
diff --git a/lib/dns/pkcs11.c b/lib/dns/pkcs11.c
new file mode 100644
index 0000000..4eb90b9
--- /dev/null
+++ b/lib/dns/pkcs11.c
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if USE_PKCS11
+
+#include <isc/util.h>
+
+#include <pk11/internal.h>
+#include <pk11/pk11.h>
+
+#include <dns/log.h>
+#include <dns/result.h>
+
+#include "dst_internal.h"
+#include "dst_pkcs11.h"
+
+isc_result_t
+dst__pkcs11_toresult(const char *funcname, const char *file, int line,
+		     isc_result_t fallback, CK_RV rv) {
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_CRYPTO,
+		      ISC_LOG_WARNING, "%s:%d: %s: Error = 0x%.8lX\n", file,
+		      line, funcname, rv);
+	if (rv == CKR_HOST_MEMORY) {
+		return (ISC_R_NOMEMORY);
+	}
+	return (fallback);
+}
+
+#endif /* USE_PKCS11 */
+/*! \file */
diff --git a/lib/dns/pkcs11ecdsa_link.c b/lib/dns/pkcs11ecdsa_link.c
new file mode 100644
index 0000000..2806c3b
--- /dev/null
+++ b/lib/dns/pkcs11ecdsa_link.c
@@ -0,0 +1,1153 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#if USE_PKCS11
+
+#include <stdbool.h>
+
+#include <isc/mem.h>
+#include <isc/safe.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <pk11/constants.h>
+#include <pk11/internal.h>
+#include <pk11/pk11.h>
+#include <pkcs11/pkcs11.h>
+
+#include <dns/keyvalues.h>
+
+#include <dst/result.h>
+
+#include "dst_internal.h"
+#include "dst_parse.h"
+#include "dst_pkcs11.h"
+
+/*
+ * FIPS 186-3 ECDSA keys:
+ *  mechanisms:
+ *    CKM_ECDSA,
+ *    CKM_EC_KEY_PAIR_GEN
+ *  domain parameters:
+ *    CKA_EC_PARAMS (choice with OID namedCurve)
+ *  public keys:
+ *    object class CKO_PUBLIC_KEY
+ *    key type CKK_EC
+ *    attribute CKA_EC_PARAMS (choice with OID namedCurve)
+ *    attribute CKA_EC_POINT (point Q)
+ *  private keys:
+ *    object class CKO_PRIVATE_KEY
+ *    key type CKK_EC
+ *    attribute CKA_EC_PARAMS (choice with OID namedCurve)
+ *    attribute CKA_VALUE (big int d)
+ *  point format: 0x04 (octet-string) <2*size+1> 0x4 (uncompressed) <x> <y>
+ */
+
+#define TAG_OCTECT_STRING 0x04
+#define UNCOMPRESSED	  0x04
+
+#define DST_RET(a)        \
+	{                 \
+		ret = a;  \
+		goto err; \
+	}
+
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+static void
+pkcs11ecdsa_destroy(dst_key_t *key);
+
+static isc_result_t
+pkcs11ecdsa_createctx(dst_key_t *key, dst_context_t *dctx) {
+	CK_RV rv;
+	CK_MECHANISM mech = { 0, NULL, 0 };
+	CK_SLOT_ID slotid;
+	pk11_context_t *pk11_ctx;
+	pk11_object_t *ec = key->keydata.pkey;
+	isc_result_t ret;
+
+	REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 ||
+		dctx->key->key_alg == DST_ALG_ECDSA384);
+	REQUIRE(ec != NULL);
+
+	if (dctx->key->key_alg == DST_ALG_ECDSA256) {
+		mech.mechanism = CKM_SHA256;
+	} else {
+		mech.mechanism = CKM_SHA384;
+	}
+
+	pk11_ctx = isc_mem_get(dctx->mctx, sizeof(*pk11_ctx));
+	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	if (ec->ontoken && (dctx->use == DO_SIGN)) {
+		slotid = ec->slot;
+	} else {
+		slotid = pk11_get_best_token(OP_ECDSA);
+	}
+	ret = pk11_get_session(pk11_ctx, OP_ECDSA, true, false, ec->reqlogon,
+			       NULL, slotid);
+	if (ret != ISC_R_SUCCESS) {
+		goto err;
+	}
+
+	PK11_RET(pkcs_C_DigestInit, (pk11_ctx->session, &mech), ISC_R_FAILURE);
+	dctx->ctxdata.pk11_ctx = pk11_ctx;
+	return (ISC_R_SUCCESS);
+
+err:
+	pk11_return_session(pk11_ctx);
+	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+	return (ret);
+}
+
+static void
+pkcs11ecdsa_destroyctx(dst_context_t *dctx) {
+	CK_BYTE garbage[ISC_SHA384_DIGESTLENGTH];
+	CK_ULONG len = ISC_SHA384_DIGESTLENGTH;
+	pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+
+	REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 ||
+		dctx->key->key_alg == DST_ALG_ECDSA384);
+
+	if (pk11_ctx != NULL) {
+		(void)pkcs_C_DigestFinal(pk11_ctx->session, garbage, &len);
+		memset(garbage, 0, sizeof(garbage));
+		pk11_return_session(pk11_ctx);
+		memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+		isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+		dctx->ctxdata.pk11_ctx = NULL;
+	}
+}
+
+static isc_result_t
+pkcs11ecdsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
+	CK_RV rv;
+	pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+	isc_result_t ret = ISC_R_SUCCESS;
+
+	REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 ||
+		dctx->key->key_alg == DST_ALG_ECDSA384);
+
+	PK11_CALL(pkcs_C_DigestUpdate,
+		  (pk11_ctx->session, (CK_BYTE_PTR)data->base,
+		   (CK_ULONG)data->length),
+		  ISC_R_FAILURE);
+
+	return (ret);
+}
+
+static isc_result_t
+pkcs11ecdsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_ECDSA, NULL, 0 };
+	CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
+	CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
+	CK_KEY_TYPE keyType = CKK_EC;
+	CK_ATTRIBUTE keyTemplate[] = {
+		{ CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
+		{ CKA_SIGN, &truevalue, (CK_ULONG)sizeof(truevalue) },
+		{ CKA_EC_PARAMS, NULL, 0 },
+		{ CKA_VALUE, NULL, 0 }
+	};
+	CK_ATTRIBUTE *attr;
+	CK_BYTE digest[ISC_SHA384_DIGESTLENGTH];
+	CK_ULONG dgstlen;
+	CK_ULONG siglen;
+	pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+	dst_key_t *key = dctx->key;
+	pk11_object_t *ec = key->keydata.pkey;
+	isc_region_t r;
+	isc_result_t ret = ISC_R_SUCCESS;
+	unsigned int i;
+
+	REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
+		key->key_alg == DST_ALG_ECDSA384);
+	REQUIRE(ec != NULL);
+
+	switch (key->key_alg) {
+	case DST_ALG_ECDSA256:
+		dgstlen = ISC_SHA256_DIGESTLENGTH;
+		siglen = DNS_SIG_ECDSA256SIZE;
+		break;
+	case DST_ALG_ECDSA384:
+		siglen = DNS_SIG_ECDSA384SIZE;
+		dgstlen = ISC_SHA384_DIGESTLENGTH;
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	PK11_RET(pkcs_C_DigestFinal, (pk11_ctx->session, digest, &dgstlen),
+		 ISC_R_FAILURE);
+
+	isc_buffer_availableregion(sig, &r);
+	if (r.length < siglen) {
+		DST_RET(ISC_R_NOSPACE);
+	}
+
+	if (ec->ontoken && (ec->object != CK_INVALID_HANDLE)) {
+		pk11_ctx->ontoken = ec->ontoken;
+		pk11_ctx->object = ec->object;
+		goto token_key;
+	}
+
+	for (attr = pk11_attribute_first(ec); attr != NULL;
+	     attr = pk11_attribute_next(ec, attr))
+	{
+		switch (attr->type) {
+		case CKA_EC_PARAMS:
+			INSIST(keyTemplate[5].type == attr->type);
+			keyTemplate[5].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			memmove(keyTemplate[5].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[5].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_VALUE:
+			INSIST(keyTemplate[6].type == attr->type);
+			keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			memmove(keyTemplate[6].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[6].ulValueLen = attr->ulValueLen;
+			break;
+		}
+	}
+	pk11_ctx->object = CK_INVALID_HANDLE;
+	pk11_ctx->ontoken = false;
+	PK11_RET(pkcs_C_CreateObject,
+		 (pk11_ctx->session, keyTemplate, (CK_ULONG)7, &hKey),
+		 ISC_R_FAILURE);
+
+token_key:
+
+	PK11_RET(pkcs_C_SignInit,
+		 (pk11_ctx->session, &mech,
+		  pk11_ctx->ontoken ? pk11_ctx->object : hKey),
+		 ISC_R_FAILURE);
+
+	PK11_RET(pkcs_C_Sign,
+		 (pk11_ctx->session, digest, dgstlen, (CK_BYTE_PTR)r.base,
+		  &siglen),
+		 DST_R_SIGNFAILURE);
+
+	isc_buffer_add(sig, (unsigned int)siglen);
+
+err:
+
+	if (hKey != CK_INVALID_HANDLE) {
+		(void)pkcs_C_DestroyObject(pk11_ctx->session, hKey);
+	}
+	for (i = 5; i <= 6; i++) {
+		if (keyTemplate[i].pValue != NULL) {
+			{
+				memset(keyTemplate[i].pValue, 0,
+				       keyTemplate[i].ulValueLen);
+				isc_mem_put(dctx->mctx, keyTemplate[i].pValue,
+					    keyTemplate[i].ulValueLen);
+			}
+		}
+	}
+	pk11_return_session(pk11_ctx);
+	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+	dctx->ctxdata.pk11_ctx = NULL;
+
+	return (ret);
+}
+
+static isc_result_t
+pkcs11ecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_ECDSA, NULL, 0 };
+	CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
+	CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
+	CK_KEY_TYPE keyType = CKK_EC;
+	CK_ATTRIBUTE keyTemplate[] = {
+		{ CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
+		{ CKA_VERIFY, &truevalue, (CK_ULONG)sizeof(truevalue) },
+		{ CKA_EC_PARAMS, NULL, 0 },
+		{ CKA_EC_POINT, NULL, 0 }
+	};
+	CK_ATTRIBUTE *attr;
+	CK_BYTE digest[ISC_SHA384_DIGESTLENGTH];
+	CK_ULONG dgstlen;
+	pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+	dst_key_t *key = dctx->key;
+	pk11_object_t *ec = key->keydata.pkey;
+	isc_result_t ret = ISC_R_SUCCESS;
+	unsigned int i;
+
+	REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
+		key->key_alg == DST_ALG_ECDSA384);
+	REQUIRE(ec != NULL);
+
+	switch (key->key_alg) {
+	case DST_ALG_ECDSA256:
+		dgstlen = ISC_SHA256_DIGESTLENGTH;
+		break;
+	case DST_ALG_ECDSA384:
+		dgstlen = ISC_SHA384_DIGESTLENGTH;
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	PK11_RET(pkcs_C_DigestFinal, (pk11_ctx->session, digest, &dgstlen),
+		 ISC_R_FAILURE);
+
+	for (attr = pk11_attribute_first(ec); attr != NULL;
+	     attr = pk11_attribute_next(ec, attr))
+	{
+		switch (attr->type) {
+		case CKA_EC_PARAMS:
+			INSIST(keyTemplate[5].type == attr->type);
+			keyTemplate[5].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			memmove(keyTemplate[5].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[5].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_EC_POINT:
+			INSIST(keyTemplate[6].type == attr->type);
+			keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			memmove(keyTemplate[6].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[6].ulValueLen = attr->ulValueLen;
+			break;
+		}
+	}
+	pk11_ctx->object = CK_INVALID_HANDLE;
+	pk11_ctx->ontoken = false;
+	PK11_RET(pkcs_C_CreateObject,
+		 (pk11_ctx->session, keyTemplate, (CK_ULONG)7, &hKey),
+		 ISC_R_FAILURE);
+
+	PK11_RET(pkcs_C_VerifyInit, (pk11_ctx->session, &mech, hKey),
+		 ISC_R_FAILURE);
+
+	PK11_RET(pkcs_C_Verify,
+		 (pk11_ctx->session, digest, dgstlen, (CK_BYTE_PTR)sig->base,
+		  (CK_ULONG)sig->length),
+		 DST_R_VERIFYFAILURE);
+
+err:
+
+	if (hKey != CK_INVALID_HANDLE) {
+		(void)pkcs_C_DestroyObject(pk11_ctx->session, hKey);
+	}
+	for (i = 5; i <= 6; i++) {
+		if (keyTemplate[i].pValue != NULL) {
+			{
+				memset(keyTemplate[i].pValue, 0,
+				       keyTemplate[i].ulValueLen);
+				isc_mem_put(dctx->mctx, keyTemplate[i].pValue,
+					    keyTemplate[i].ulValueLen);
+			}
+		}
+	}
+	pk11_return_session(pk11_ctx);
+	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+	dctx->ctxdata.pk11_ctx = NULL;
+
+	return (ret);
+}
+
+static bool
+pkcs11ecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
+	pk11_object_t *ec1, *ec2;
+	CK_ATTRIBUTE *attr1, *attr2;
+
+	ec1 = key1->keydata.pkey;
+	ec2 = key2->keydata.pkey;
+
+	if ((ec1 == NULL) && (ec2 == NULL)) {
+		return (true);
+	} else if ((ec1 == NULL) || (ec2 == NULL)) {
+		return (false);
+	}
+
+	attr1 = pk11_attribute_bytype(ec1, CKA_EC_PARAMS);
+	attr2 = pk11_attribute_bytype(ec2, CKA_EC_PARAMS);
+	if ((attr1 == NULL) && (attr2 == NULL)) {
+		return (true);
+	} else if ((attr1 == NULL) || (attr2 == NULL) ||
+		   (attr1->ulValueLen != attr2->ulValueLen) ||
+		   !isc_safe_memequal(attr1->pValue, attr2->pValue,
+				      attr1->ulValueLen))
+	{
+		return (false);
+	}
+
+	attr1 = pk11_attribute_bytype(ec1, CKA_EC_POINT);
+	attr2 = pk11_attribute_bytype(ec2, CKA_EC_POINT);
+	if ((attr1 == NULL) && (attr2 == NULL)) {
+		return (true);
+	} else if ((attr1 == NULL) || (attr2 == NULL) ||
+		   (attr1->ulValueLen != attr2->ulValueLen) ||
+		   !isc_safe_memequal(attr1->pValue, attr2->pValue,
+				      attr1->ulValueLen))
+	{
+		return (false);
+	}
+
+	attr1 = pk11_attribute_bytype(ec1, CKA_VALUE);
+	attr2 = pk11_attribute_bytype(ec2, CKA_VALUE);
+	if (((attr1 != NULL) || (attr2 != NULL)) &&
+	    ((attr1 == NULL) || (attr2 == NULL) ||
+	     (attr1->ulValueLen != attr2->ulValueLen) ||
+	     !isc_safe_memequal(attr1->pValue, attr2->pValue,
+				attr1->ulValueLen)))
+	{
+		return (false);
+	}
+
+	if (!ec1->ontoken && !ec2->ontoken) {
+		return (true);
+	} else if (ec1->ontoken || ec2->ontoken || (ec1->object != ec2->object))
+	{
+		return (false);
+	}
+
+	return (true);
+}
+
+#define SETCURVE()                                                       \
+	switch (key->key_alg) {                                          \
+	case DST_ALG_ECDSA256:                                           \
+		attr->pValue = isc_mem_get(key->mctx,                    \
+					   sizeof(PK11_ECC_PRIME256V1)); \
+		memmove(attr->pValue, PK11_ECC_PRIME256V1,               \
+			sizeof(PK11_ECC_PRIME256V1));                    \
+		attr->ulValueLen = sizeof(PK11_ECC_PRIME256V1);          \
+		break;                                                   \
+	case DST_ALG_ECDSA384:                                           \
+		attr->pValue = isc_mem_get(key->mctx,                    \
+					   sizeof(PK11_ECC_SECP384R1));  \
+		memmove(attr->pValue, PK11_ECC_SECP384R1,                \
+			sizeof(PK11_ECC_SECP384R1));                     \
+		attr->ulValueLen = sizeof(PK11_ECC_SECP384R1);           \
+		break;                                                   \
+	default:                                                         \
+		UNREACHABLE();                                           \
+	}
+
+#define FREECURVE()                                                     \
+	if (attr->pValue != NULL) {                                     \
+		memset(attr->pValue, 0, attr->ulValueLen);              \
+		isc_mem_put(key->mctx, attr->pValue, attr->ulValueLen); \
+		attr->pValue = NULL;                                    \
+	}
+
+static isc_result_t
+pkcs11ecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_EC_KEY_PAIR_GEN, NULL, 0 };
+	CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE;
+	CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY;
+	CK_KEY_TYPE keyType = CKK_EC;
+	CK_ATTRIBUTE pubTemplate[] = {
+		{ CKA_CLASS, &pubClass, (CK_ULONG)sizeof(pubClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
+		{ CKA_VERIFY, &truevalue, (CK_ULONG)sizeof(truevalue) },
+		{ CKA_EC_PARAMS, NULL, 0 }
+	};
+	CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE;
+	CK_OBJECT_HANDLE privClass = CKO_PRIVATE_KEY;
+	CK_ATTRIBUTE privTemplate[] = {
+		{ CKA_CLASS, &privClass, (CK_ULONG)sizeof(privClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
+		{ CKA_SENSITIVE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
+		{ CKA_EXTRACTABLE, &truevalue, (CK_ULONG)sizeof(truevalue) },
+		{ CKA_SIGN, &truevalue, (CK_ULONG)sizeof(truevalue) }
+	};
+	CK_ATTRIBUTE *attr;
+	pk11_object_t *ec;
+	pk11_context_t *pk11_ctx;
+	isc_result_t ret;
+
+	REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
+		key->key_alg == DST_ALG_ECDSA384);
+	UNUSED(unused);
+	UNUSED(callback);
+
+	pk11_ctx = isc_mem_get(key->mctx, sizeof(*pk11_ctx));
+	ret = pk11_get_session(pk11_ctx, OP_ECDSA, true, false, false, NULL,
+			       pk11_get_best_token(OP_ECDSA));
+	if (ret != ISC_R_SUCCESS) {
+		goto err;
+	}
+
+	ec = isc_mem_get(key->mctx, sizeof(*ec));
+	memset(ec, 0, sizeof(*ec));
+	key->keydata.pkey = ec;
+	ec->repr = isc_mem_get(key->mctx, sizeof(*attr) * 3);
+	memset(ec->repr, 0, sizeof(*attr) * 3);
+	ec->attrcnt = 3;
+
+	attr = ec->repr;
+	attr[0].type = CKA_EC_PARAMS;
+	attr[1].type = CKA_EC_POINT;
+	attr[2].type = CKA_VALUE;
+
+	attr = &pubTemplate[5];
+	SETCURVE();
+
+	PK11_RET(pkcs_C_GenerateKeyPair,
+		 (pk11_ctx->session, &mech, pubTemplate, (CK_ULONG)6,
+		  privTemplate, (CK_ULONG)7, &pub, &priv),
+		 DST_R_CRYPTOFAILURE);
+
+	attr = &pubTemplate[5];
+	FREECURVE();
+
+	attr = ec->repr;
+	SETCURVE();
+
+	attr++;
+	PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, pub, attr, 1),
+		 DST_R_CRYPTOFAILURE);
+	attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen);
+	memset(attr->pValue, 0, attr->ulValueLen);
+	PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, pub, attr, 1),
+		 DST_R_CRYPTOFAILURE);
+
+	attr++;
+	PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, priv, attr, 1),
+		 DST_R_CRYPTOFAILURE);
+	attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen);
+	memset(attr->pValue, 0, attr->ulValueLen);
+	PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, priv, attr, 1),
+		 DST_R_CRYPTOFAILURE);
+
+	(void)pkcs_C_DestroyObject(pk11_ctx->session, priv);
+	(void)pkcs_C_DestroyObject(pk11_ctx->session, pub);
+	pk11_return_session(pk11_ctx);
+	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+	switch (key->key_alg) {
+	case DST_ALG_ECDSA256:
+		key->key_size = DNS_KEY_ECDSA256SIZE * 4;
+		break;
+	case DST_ALG_ECDSA384:
+		key->key_size = DNS_KEY_ECDSA384SIZE * 4;
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	return (ISC_R_SUCCESS);
+
+err:
+	pkcs11ecdsa_destroy(key);
+	if (priv != CK_INVALID_HANDLE) {
+		(void)pkcs_C_DestroyObject(pk11_ctx->session, priv);
+	}
+	if (pub != CK_INVALID_HANDLE) {
+		(void)pkcs_C_DestroyObject(pk11_ctx->session, pub);
+	}
+	pk11_return_session(pk11_ctx);
+	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+	return (ret);
+}
+
+static bool
+pkcs11ecdsa_isprivate(const dst_key_t *key) {
+	pk11_object_t *ec = key->keydata.pkey;
+	CK_ATTRIBUTE *attr;
+
+	if (ec == NULL) {
+		return (false);
+	}
+	attr = pk11_attribute_bytype(ec, CKA_VALUE);
+	return (attr != NULL || ec->ontoken);
+}
+
+static void
+pkcs11ecdsa_destroy(dst_key_t *key) {
+	pk11_object_t *ec = key->keydata.pkey;
+	CK_ATTRIBUTE *attr;
+
+	if (ec == NULL) {
+		return;
+	}
+
+	INSIST((ec->object == CK_INVALID_HANDLE) || ec->ontoken);
+
+	for (attr = pk11_attribute_first(ec); attr != NULL;
+	     attr = pk11_attribute_next(ec, attr))
+	{
+		switch (attr->type) {
+		case CKA_LABEL:
+		case CKA_ID:
+		case CKA_EC_PARAMS:
+		case CKA_EC_POINT:
+		case CKA_VALUE:
+			FREECURVE();
+			break;
+		}
+	}
+	if (ec->repr != NULL) {
+		memset(ec->repr, 0, ec->attrcnt * sizeof(*attr));
+		isc_mem_put(key->mctx, ec->repr, ec->attrcnt * sizeof(*attr));
+	}
+	memset(ec, 0, sizeof(*ec));
+	isc_mem_put(key->mctx, ec, sizeof(*ec));
+	key->keydata.pkey = NULL;
+}
+
+static isc_result_t
+pkcs11ecdsa_todns(const dst_key_t *key, isc_buffer_t *data) {
+	pk11_object_t *ec;
+	isc_region_t r;
+	unsigned int len;
+	CK_ATTRIBUTE *attr;
+
+	REQUIRE(key->keydata.pkey != NULL);
+
+	switch (key->key_alg) {
+	case DST_ALG_ECDSA256:
+		len = DNS_KEY_ECDSA256SIZE;
+		break;
+	case DST_ALG_ECDSA384:
+		len = DNS_KEY_ECDSA384SIZE;
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	ec = key->keydata.pkey;
+	attr = pk11_attribute_bytype(ec, CKA_EC_POINT);
+	if ((attr == NULL) || (attr->ulValueLen != len + 3) ||
+	    (((CK_BYTE_PTR)attr->pValue)[0] != TAG_OCTECT_STRING) ||
+	    (((CK_BYTE_PTR)attr->pValue)[1] != len + 1) ||
+	    (((CK_BYTE_PTR)attr->pValue)[2] != UNCOMPRESSED))
+	{
+		return (ISC_R_FAILURE);
+	}
+
+	isc_buffer_availableregion(data, &r);
+	if (r.length < len) {
+		return (ISC_R_NOSPACE);
+	}
+	memmove(r.base, (CK_BYTE_PTR)attr->pValue + 3, len);
+	isc_buffer_add(data, len);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+pkcs11ecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+	pk11_object_t *ec;
+	isc_region_t r;
+	unsigned int len;
+	CK_ATTRIBUTE *attr;
+
+	REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
+		key->key_alg == DST_ALG_ECDSA384);
+
+	switch (key->key_alg) {
+	case DST_ALG_ECDSA256:
+		len = DNS_KEY_ECDSA256SIZE;
+		break;
+	case DST_ALG_ECDSA384:
+		len = DNS_KEY_ECDSA384SIZE;
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	isc_buffer_remainingregion(data, &r);
+	if (r.length == 0) {
+		return (ISC_R_SUCCESS);
+	}
+	if (r.length != len) {
+		return (DST_R_INVALIDPUBLICKEY);
+	}
+
+	ec = isc_mem_get(key->mctx, sizeof(*ec));
+	memset(ec, 0, sizeof(*ec));
+	ec->repr = isc_mem_get(key->mctx, sizeof(*attr) * 2);
+	ec->attrcnt = 2;
+
+	attr = ec->repr;
+	attr->type = CKA_EC_PARAMS;
+	SETCURVE();
+
+	attr++;
+	attr->type = CKA_EC_POINT;
+	attr->pValue = isc_mem_get(key->mctx, len + 3);
+	((CK_BYTE_PTR)attr->pValue)[0] = TAG_OCTECT_STRING;
+	((CK_BYTE_PTR)attr->pValue)[1] = len + 1;
+	((CK_BYTE_PTR)attr->pValue)[2] = UNCOMPRESSED;
+	memmove((CK_BYTE_PTR)attr->pValue + 3, r.base, len);
+	attr->ulValueLen = len + 3;
+
+	isc_buffer_forward(data, len);
+	key->keydata.pkey = ec;
+	key->key_size = len * 4;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+pkcs11ecdsa_tofile(const dst_key_t *key, const char *directory) {
+	isc_result_t ret;
+	pk11_object_t *ec;
+	dst_private_t priv;
+	unsigned char *buf = NULL;
+	unsigned int i = 0;
+	CK_ATTRIBUTE *attr;
+
+	if (key->keydata.pkey == NULL) {
+		return (DST_R_NULLKEY);
+	}
+
+	if (key->external) {
+		priv.nelements = 0;
+		return (dst__privstruct_writefile(key, &priv, directory));
+	}
+
+	ec = key->keydata.pkey;
+	attr = pk11_attribute_bytype(ec, CKA_VALUE);
+	if (attr != NULL) {
+		buf = isc_mem_get(key->mctx, attr->ulValueLen);
+		priv.elements[i].tag = TAG_ECDSA_PRIVATEKEY;
+		priv.elements[i].length = (unsigned short)attr->ulValueLen;
+		memmove(buf, attr->pValue, attr->ulValueLen);
+		priv.elements[i].data = buf;
+		i++;
+	}
+
+	if (key->engine != NULL) {
+		priv.elements[i].tag = TAG_ECDSA_ENGINE;
+		priv.elements[i].length = strlen(key->engine) + 1;
+		priv.elements[i].data = (unsigned char *)key->engine;
+		i++;
+	}
+
+	if (key->label != NULL) {
+		priv.elements[i].tag = TAG_ECDSA_LABEL;
+		priv.elements[i].length = strlen(key->label) + 1;
+		priv.elements[i].data = (unsigned char *)key->label;
+		i++;
+	}
+
+	priv.nelements = i;
+	ret = dst__privstruct_writefile(key, &priv, directory);
+
+	if (buf != NULL) {
+		memset(buf, 0, attr->ulValueLen);
+		isc_mem_put(key->mctx, buf, attr->ulValueLen);
+	}
+	return (ret);
+}
+
+static isc_result_t
+pkcs11ecdsa_fetch(dst_key_t *key, const char *engine, const char *label,
+		  dst_key_t *pub) {
+	CK_RV rv;
+	CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
+	CK_KEY_TYPE keyType = CKK_EC;
+	CK_ATTRIBUTE searchTemplate[] = {
+		{ CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
+		{ CKA_TOKEN, &truevalue, (CK_ULONG)sizeof(truevalue) },
+		{ CKA_LABEL, NULL, 0 }
+	};
+	CK_ULONG cnt;
+	CK_ATTRIBUTE *attr;
+	CK_ATTRIBUTE *pubattr;
+	pk11_object_t *ec;
+	pk11_object_t *pubec;
+	pk11_context_t *pk11_ctx = NULL;
+	isc_result_t ret;
+
+	if (label == NULL) {
+		return (DST_R_NOENGINE);
+	}
+
+	ec = key->keydata.pkey;
+	pubec = pub->keydata.pkey;
+
+	ec->object = CK_INVALID_HANDLE;
+	ec->ontoken = true;
+	ec->reqlogon = true;
+	ec->repr = isc_mem_get(key->mctx, sizeof(*attr) * 2);
+	memset(ec->repr, 0, sizeof(*attr) * 2);
+	ec->attrcnt = 2;
+	attr = ec->repr;
+
+	attr->type = CKA_EC_PARAMS;
+	pubattr = pk11_attribute_bytype(pubec, CKA_EC_PARAMS);
+	INSIST(pubattr != NULL);
+	attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen);
+	memmove(attr->pValue, pubattr->pValue, pubattr->ulValueLen);
+	attr->ulValueLen = pubattr->ulValueLen;
+	attr++;
+
+	attr->type = CKA_EC_POINT;
+	pubattr = pk11_attribute_bytype(pubec, CKA_EC_POINT);
+	INSIST(pubattr != NULL);
+	attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen);
+	memmove(attr->pValue, pubattr->pValue, pubattr->ulValueLen);
+	attr->ulValueLen = pubattr->ulValueLen;
+
+	ret = pk11_parse_uri(ec, label, key->mctx, OP_ECDSA);
+	if (ret != ISC_R_SUCCESS) {
+		goto err;
+	}
+
+	pk11_ctx = isc_mem_get(key->mctx, sizeof(*pk11_ctx));
+	ret = pk11_get_session(pk11_ctx, OP_ECDSA, true, false, ec->reqlogon,
+			       NULL, ec->slot);
+	if (ret != ISC_R_SUCCESS) {
+		goto err;
+	}
+
+	attr = pk11_attribute_bytype(ec, CKA_LABEL);
+	if (attr == NULL) {
+		attr = pk11_attribute_bytype(ec, CKA_ID);
+		INSIST(attr != NULL);
+		searchTemplate[3].type = CKA_ID;
+	}
+	searchTemplate[3].pValue = attr->pValue;
+	searchTemplate[3].ulValueLen = attr->ulValueLen;
+
+	PK11_RET(pkcs_C_FindObjectsInit,
+		 (pk11_ctx->session, searchTemplate, (CK_ULONG)4),
+		 DST_R_CRYPTOFAILURE);
+	PK11_RET(pkcs_C_FindObjects,
+		 (pk11_ctx->session, &ec->object, (CK_ULONG)1, &cnt),
+		 DST_R_CRYPTOFAILURE);
+	(void)pkcs_C_FindObjectsFinal(pk11_ctx->session);
+	if (cnt == 0) {
+		DST_RET(ISC_R_NOTFOUND);
+	}
+	if (cnt > 1) {
+		DST_RET(ISC_R_EXISTS);
+	}
+
+	if (engine != NULL) {
+		key->engine = isc_mem_strdup(key->mctx, engine);
+	}
+
+	key->label = isc_mem_strdup(key->mctx, label);
+
+	pk11_return_session(pk11_ctx);
+	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+	return (ISC_R_SUCCESS);
+
+err:
+	if (pk11_ctx != NULL) {
+		pk11_return_session(pk11_ctx);
+		memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+		isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+	}
+	return (ret);
+}
+
+static isc_result_t
+pkcs11ecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+	dst_private_t priv;
+	isc_result_t ret;
+	pk11_object_t *ec = NULL;
+	CK_ATTRIBUTE *attr, *pattr;
+	isc_mem_t *mctx = key->mctx;
+	unsigned int i;
+	const char *engine = NULL, *label = NULL;
+
+	REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
+		key->key_alg == DST_ALG_ECDSA384);
+
+	if ((pub == NULL) || (pub->keydata.pkey == NULL)) {
+		DST_RET(DST_R_INVALIDPRIVATEKEY);
+	}
+
+	/* read private key file */
+	ret = dst__privstruct_parse(key, DST_ALG_ECDSA256, lexer, mctx, &priv);
+	if (ret != ISC_R_SUCCESS) {
+		return (ret);
+	}
+
+	if (key->external) {
+		if (priv.nelements != 0) {
+			DST_RET(DST_R_INVALIDPRIVATEKEY);
+		}
+
+		key->keydata.pkey = pub->keydata.pkey;
+		pub->keydata.pkey = NULL;
+		key->key_size = pub->key_size;
+
+		dst__privstruct_free(&priv, mctx);
+		memset(&priv, 0, sizeof(priv));
+
+		return (ISC_R_SUCCESS);
+	}
+
+	for (i = 0; i < priv.nelements; i++) {
+		switch (priv.elements[i].tag) {
+		case TAG_ECDSA_ENGINE:
+			engine = (char *)priv.elements[i].data;
+			break;
+		case TAG_ECDSA_LABEL:
+			label = (char *)priv.elements[i].data;
+			break;
+		default:
+			break;
+		}
+	}
+	ec = isc_mem_get(key->mctx, sizeof(*ec));
+	memset(ec, 0, sizeof(*ec));
+	key->keydata.pkey = ec;
+
+	/* Is this key is stored in a HSM? See if we can fetch it. */
+	if ((label != NULL) || (engine != NULL)) {
+		ret = pkcs11ecdsa_fetch(key, engine, label, pub);
+		if (ret != ISC_R_SUCCESS) {
+			goto err;
+		}
+		dst__privstruct_free(&priv, mctx);
+		memset(&priv, 0, sizeof(priv));
+		return (ret);
+	}
+
+	ec->repr = isc_mem_get(key->mctx, sizeof(*attr) * 3);
+	memset(ec->repr, 0, sizeof(*attr) * 3);
+	ec->attrcnt = 3;
+
+	attr = ec->repr;
+	attr->type = CKA_EC_PARAMS;
+	pattr = pk11_attribute_bytype(pub->keydata.pkey, CKA_EC_PARAMS);
+	INSIST(pattr != NULL);
+	attr->pValue = isc_mem_get(key->mctx, pattr->ulValueLen);
+	memmove(attr->pValue, pattr->pValue, pattr->ulValueLen);
+	attr->ulValueLen = pattr->ulValueLen;
+
+	attr++;
+	attr->type = CKA_EC_POINT;
+	pattr = pk11_attribute_bytype(pub->keydata.pkey, CKA_EC_POINT);
+	INSIST(pattr != NULL);
+	attr->pValue = isc_mem_get(key->mctx, pattr->ulValueLen);
+	memmove(attr->pValue, pattr->pValue, pattr->ulValueLen);
+	attr->ulValueLen = pattr->ulValueLen;
+
+	attr++;
+	attr->type = CKA_VALUE;
+	attr->pValue = isc_mem_get(key->mctx, priv.elements[0].length);
+	memmove(attr->pValue, priv.elements[0].data, priv.elements[0].length);
+	attr->ulValueLen = priv.elements[0].length;
+
+	dst__privstruct_free(&priv, mctx);
+	memset(&priv, 0, sizeof(priv));
+	switch (key->key_alg) {
+	case DST_ALG_ECDSA256:
+		key->key_size = DNS_KEY_ECDSA256SIZE * 4;
+		break;
+	case DST_ALG_ECDSA384:
+		key->key_size = DNS_KEY_ECDSA384SIZE * 4;
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	return (ISC_R_SUCCESS);
+
+err:
+	pkcs11ecdsa_destroy(key);
+	dst__privstruct_free(&priv, mctx);
+	memset(&priv, 0, sizeof(priv));
+	return (ret);
+}
+
+static isc_result_t
+pkcs11ecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+		      const char *pin) {
+	CK_RV rv;
+	CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
+	CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
+	CK_KEY_TYPE keyType = CKK_EC;
+	CK_ATTRIBUTE searchTemplate[] = {
+		{ CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
+		{ CKA_TOKEN, &truevalue, (CK_ULONG)sizeof(truevalue) },
+		{ CKA_LABEL, NULL, 0 }
+	};
+	CK_ULONG cnt;
+	CK_ATTRIBUTE *attr;
+	pk11_object_t *ec;
+	pk11_context_t *pk11_ctx = NULL;
+	isc_result_t ret;
+	unsigned int i;
+
+	UNUSED(pin);
+
+	ec = isc_mem_get(key->mctx, sizeof(*ec));
+	memset(ec, 0, sizeof(*ec));
+	ec->object = CK_INVALID_HANDLE;
+	ec->ontoken = true;
+	ec->reqlogon = true;
+	key->keydata.pkey = ec;
+
+	ec->repr = isc_mem_get(key->mctx, sizeof(*attr) * 2);
+	memset(ec->repr, 0, sizeof(*attr) * 2);
+	ec->attrcnt = 2;
+	attr = ec->repr;
+	attr[0].type = CKA_EC_PARAMS;
+	attr[1].type = CKA_EC_POINT;
+
+	ret = pk11_parse_uri(ec, label, key->mctx, OP_ECDSA);
+	if (ret != ISC_R_SUCCESS) {
+		goto err;
+	}
+
+	pk11_ctx = isc_mem_get(key->mctx, sizeof(*pk11_ctx));
+	ret = pk11_get_session(pk11_ctx, OP_ECDSA, true, false, ec->reqlogon,
+			       NULL, ec->slot);
+	if (ret != ISC_R_SUCCESS) {
+		goto err;
+	}
+
+	attr = pk11_attribute_bytype(ec, CKA_LABEL);
+	if (attr == NULL) {
+		attr = pk11_attribute_bytype(ec, CKA_ID);
+		INSIST(attr != NULL);
+		searchTemplate[3].type = CKA_ID;
+	}
+	searchTemplate[3].pValue = attr->pValue;
+	searchTemplate[3].ulValueLen = attr->ulValueLen;
+
+	PK11_RET(pkcs_C_FindObjectsInit,
+		 (pk11_ctx->session, searchTemplate, (CK_ULONG)4),
+		 DST_R_CRYPTOFAILURE);
+	PK11_RET(pkcs_C_FindObjects,
+		 (pk11_ctx->session, &hKey, (CK_ULONG)1, &cnt),
+		 DST_R_CRYPTOFAILURE);
+	(void)pkcs_C_FindObjectsFinal(pk11_ctx->session);
+	if (cnt == 0) {
+		DST_RET(ISC_R_NOTFOUND);
+	}
+	if (cnt > 1) {
+		DST_RET(ISC_R_EXISTS);
+	}
+
+	attr = ec->repr;
+	PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, hKey, attr, 2),
+		 DST_R_CRYPTOFAILURE);
+	for (i = 0; i <= 1; i++) {
+		attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen);
+		memset(attr[i].pValue, 0, attr[i].ulValueLen);
+	}
+	PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, hKey, attr, 2),
+		 DST_R_CRYPTOFAILURE);
+
+	keyClass = CKO_PRIVATE_KEY;
+	PK11_RET(pkcs_C_FindObjectsInit,
+		 (pk11_ctx->session, searchTemplate, (CK_ULONG)4),
+		 DST_R_CRYPTOFAILURE);
+	PK11_RET(pkcs_C_FindObjects,
+		 (pk11_ctx->session, &ec->object, (CK_ULONG)1, &cnt),
+		 DST_R_CRYPTOFAILURE);
+	(void)pkcs_C_FindObjectsFinal(pk11_ctx->session);
+	if (cnt == 0) {
+		DST_RET(ISC_R_NOTFOUND);
+	}
+	if (cnt > 1) {
+		DST_RET(ISC_R_EXISTS);
+	}
+
+	if (engine != NULL) {
+		key->engine = isc_mem_strdup(key->mctx, engine);
+	}
+
+	key->label = isc_mem_strdup(key->mctx, label);
+	switch (key->key_alg) {
+	case DST_ALG_ECDSA256:
+		key->key_size = DNS_KEY_ECDSA256SIZE * 4;
+		break;
+	case DST_ALG_ECDSA384:
+		key->key_size = DNS_KEY_ECDSA384SIZE * 4;
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	pk11_return_session(pk11_ctx);
+	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+	return (ISC_R_SUCCESS);
+
+err:
+	pkcs11ecdsa_destroy(key);
+	if (pk11_ctx != NULL) {
+		pk11_return_session(pk11_ctx);
+		memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+		isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+	}
+	return (ret);
+}
+
+static dst_func_t pkcs11ecdsa_functions = {
+	pkcs11ecdsa_createctx,
+	NULL, /*%< createctx2 */
+	pkcs11ecdsa_destroyctx,
+	pkcs11ecdsa_adddata,
+	pkcs11ecdsa_sign,
+	pkcs11ecdsa_verify,
+	NULL, /*%< verify2 */
+	NULL, /*%< computesecret */
+	pkcs11ecdsa_compare,
+	NULL, /*%< paramcompare */
+	pkcs11ecdsa_generate,
+	pkcs11ecdsa_isprivate,
+	pkcs11ecdsa_destroy,
+	pkcs11ecdsa_todns,
+	pkcs11ecdsa_fromdns,
+	pkcs11ecdsa_tofile,
+	pkcs11ecdsa_parse,
+	NULL, /*%< cleanup */
+	pkcs11ecdsa_fromlabel,
+	NULL, /*%< dump */
+	NULL, /*%< restore */
+};
+
+isc_result_t
+dst__pkcs11ecdsa_init(dst_func_t **funcp) {
+	REQUIRE(funcp != NULL);
+	if (*funcp == NULL) {
+		*funcp = &pkcs11ecdsa_functions;
+	}
+	return (ISC_R_SUCCESS);
+}
+
+#endif /* USE_PKCS11 */
diff --git a/lib/dns/pkcs11eddsa_link.c b/lib/dns/pkcs11eddsa_link.c
new file mode 100644
index 0000000..a6aff28
--- /dev/null
+++ b/lib/dns/pkcs11eddsa_link.c
@@ -0,0 +1,1124 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#if USE_PKCS11
+
+#include <stdbool.h>
+
+#include <isc/mem.h>
+#include <isc/safe.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <pk11/constants.h>
+#include <pk11/internal.h>
+#include <pk11/pk11.h>
+#include <pkcs11/pkcs11.h>
+
+#include <dns/keyvalues.h>
+
+#include <dst/result.h>
+
+#include "dst_internal.h"
+#include "dst_parse.h"
+#include "dst_pkcs11.h"
+
+/*
+ * FIPS 186-3 EDDSA keys:
+ *  mechanisms:
+ *    CKM_EDDSA,
+ *    CKM_EC_EDWARDS_KEY_PAIR_GEN
+ *  domain parameters:
+ *    CKA_EC_PARAMS (choice with OID namedCurve)
+ *  public keys:
+ *    object class CKO_PUBLIC_KEY
+ *    key type CKK_EC_EDWARDS
+ *    attribute CKA_EC_PARAMS (choice with OID namedCurve)
+ *    attribute CKA_EC_POINT (big int A)
+ *  private keys:
+ *    object class CKO_PRIVATE_KEY
+ *    key type CKK_EC_EDWARDS
+ *    attribute CKA_EC_PARAMS (choice with OID namedCurve)
+ *    attribute CKA_VALUE (big int k)
+ *  point format: 0x04 (octet-string) <size> <A>
+ */
+
+#define TAG_OCTECT_STRING 0x04
+
+#define DST_RET(a)        \
+	{                 \
+		ret = a;  \
+		goto err; \
+	}
+
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+static void
+pkcs11eddsa_destroy(dst_key_t *key);
+
+static isc_result_t
+pkcs11eddsa_createctx(dst_key_t *key, dst_context_t *dctx) {
+	isc_buffer_t *buf = NULL;
+
+	UNUSED(key);
+	REQUIRE(dctx->key->key_alg == DST_ALG_ED25519 ||
+		dctx->key->key_alg == DST_ALG_ED448);
+
+	isc_buffer_allocate(dctx->mctx, &buf, 16);
+	isc_buffer_setautorealloc(buf, true);
+	dctx->ctxdata.generic = buf;
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+pkcs11eddsa_destroyctx(dst_context_t *dctx) {
+	isc_buffer_t *buf = (isc_buffer_t *)dctx->ctxdata.generic;
+
+	REQUIRE(dctx->key->key_alg == DST_ALG_ED25519 ||
+		dctx->key->key_alg == DST_ALG_ED448);
+	if (buf != NULL) {
+		isc_buffer_free(&buf);
+	}
+	dctx->ctxdata.generic = NULL;
+}
+
+static isc_result_t
+pkcs11eddsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
+	isc_buffer_t *buf = (isc_buffer_t *)dctx->ctxdata.generic;
+	isc_result_t result;
+
+	REQUIRE(dctx->key->key_alg == DST_ALG_ED25519 ||
+		dctx->key->key_alg == DST_ALG_ED448);
+
+	result = isc_buffer_copyregion(buf, data);
+	INSIST(result == ISC_R_SUCCESS);
+
+	return (result);
+}
+
+static isc_result_t
+pkcs11eddsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+	isc_buffer_t *buf = (isc_buffer_t *)dctx->ctxdata.generic;
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_EDDSA, NULL, 0 };
+	CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
+	CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
+	CK_KEY_TYPE keyType = CKK_EC_EDWARDS;
+	CK_ATTRIBUTE keyTemplate[] = {
+		{ CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
+		{ CKA_SIGN, &truevalue, (CK_ULONG)sizeof(truevalue) },
+		{ CKA_EC_PARAMS, NULL, 0 },
+		{ CKA_VALUE, NULL, 0 }
+	};
+	CK_ATTRIBUTE *attr;
+	CK_ULONG siglen;
+	CK_SLOT_ID slotid;
+	pk11_context_t *pk11_ctx;
+	dst_key_t *key = dctx->key;
+	pk11_object_t *ec = key->keydata.pkey;
+	isc_region_t t;
+	isc_region_t r;
+	isc_result_t ret = ISC_R_SUCCESS;
+	unsigned int i;
+
+	REQUIRE(key->key_alg == DST_ALG_ED25519 ||
+		key->key_alg == DST_ALG_ED448);
+	REQUIRE(ec != NULL);
+
+	switch (key->key_alg) {
+	case DST_ALG_ED25519:
+		siglen = DNS_SIG_ED25519SIZE;
+		break;
+	case DST_ALG_ED448:
+		siglen = DNS_SIG_ED448SIZE;
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	pk11_ctx = isc_mem_get(dctx->mctx, sizeof(*pk11_ctx));
+	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	if (ec->ontoken && (dctx->use == DO_SIGN)) {
+		slotid = ec->slot;
+	} else {
+		slotid = pk11_get_best_token(OP_EDDSA);
+	}
+	ret = pk11_get_session(pk11_ctx, OP_EDDSA, true, false, ec->reqlogon,
+			       NULL, slotid);
+	if (ret != ISC_R_SUCCESS) {
+		goto err;
+	}
+
+	isc_buffer_availableregion(sig, &r);
+	if (r.length < siglen) {
+		DST_RET(ISC_R_NOSPACE);
+	}
+
+	if (ec->ontoken && (ec->object != CK_INVALID_HANDLE)) {
+		pk11_ctx->ontoken = ec->ontoken;
+		pk11_ctx->object = ec->object;
+		goto token_key;
+	}
+
+	for (attr = pk11_attribute_first(ec); attr != NULL;
+	     attr = pk11_attribute_next(ec, attr))
+	{
+		switch (attr->type) {
+		case CKA_EC_PARAMS:
+			INSIST(keyTemplate[5].type == attr->type);
+			keyTemplate[5].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			memmove(keyTemplate[5].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[5].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_VALUE:
+			INSIST(keyTemplate[6].type == attr->type);
+			keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			memmove(keyTemplate[6].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[6].ulValueLen = attr->ulValueLen;
+			break;
+		}
+	}
+	pk11_ctx->object = CK_INVALID_HANDLE;
+	pk11_ctx->ontoken = false;
+	PK11_RET(pkcs_C_CreateObject,
+		 (pk11_ctx->session, keyTemplate, (CK_ULONG)7, &hKey),
+		 ISC_R_FAILURE);
+
+token_key:
+
+	PK11_RET(pkcs_C_SignInit,
+		 (pk11_ctx->session, &mech,
+		  pk11_ctx->ontoken ? pk11_ctx->object : hKey),
+		 ISC_R_FAILURE);
+
+	isc_buffer_usedregion(buf, &t);
+
+	PK11_RET(pkcs_C_Sign,
+		 (pk11_ctx->session, (CK_BYTE_PTR)t.base, (CK_ULONG)t.length,
+		  (CK_BYTE_PTR)r.base, &siglen),
+		 DST_R_SIGNFAILURE);
+
+	isc_buffer_add(sig, (unsigned int)siglen);
+
+err:
+
+	if (hKey != CK_INVALID_HANDLE) {
+		(void)pkcs_C_DestroyObject(pk11_ctx->session, hKey);
+	}
+	for (i = 5; i <= 6; i++) {
+		if (keyTemplate[i].pValue != NULL) {
+			{
+				memset(keyTemplate[i].pValue, 0,
+				       keyTemplate[i].ulValueLen);
+				isc_mem_put(dctx->mctx, keyTemplate[i].pValue,
+					    keyTemplate[i].ulValueLen);
+			}
+		}
+	}
+	pk11_return_session(pk11_ctx);
+	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+	isc_buffer_free(&buf);
+	dctx->ctxdata.generic = NULL;
+
+	return (ret);
+}
+
+static isc_result_t
+pkcs11eddsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+	isc_buffer_t *buf = (isc_buffer_t *)dctx->ctxdata.generic;
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_EDDSA, NULL, 0 };
+	CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
+	CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
+	CK_KEY_TYPE keyType = CKK_EC_EDWARDS;
+	CK_ATTRIBUTE keyTemplate[] = {
+		{ CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
+		{ CKA_VERIFY, &truevalue, (CK_ULONG)sizeof(truevalue) },
+		{ CKA_EC_PARAMS, NULL, 0 },
+		{ CKA_EC_POINT, NULL, 0 }
+	};
+	CK_ATTRIBUTE *attr;
+	CK_SLOT_ID slotid;
+	pk11_context_t *pk11_ctx;
+	dst_key_t *key = dctx->key;
+	pk11_object_t *ec = key->keydata.pkey;
+	isc_region_t t;
+	isc_result_t ret = ISC_R_SUCCESS;
+	unsigned int i;
+
+	REQUIRE(key->key_alg == DST_ALG_ED25519 ||
+		key->key_alg == DST_ALG_ED448);
+	REQUIRE(ec != NULL);
+
+	pk11_ctx = isc_mem_get(dctx->mctx, sizeof(*pk11_ctx));
+	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	if (ec->ontoken && (dctx->use == DO_SIGN)) {
+		slotid = ec->slot;
+	} else {
+		slotid = pk11_get_best_token(OP_EDDSA);
+	}
+	ret = pk11_get_session(pk11_ctx, OP_EDDSA, true, false, ec->reqlogon,
+			       NULL, slotid);
+	if (ret != ISC_R_SUCCESS) {
+		goto err;
+	}
+
+	for (attr = pk11_attribute_first(ec); attr != NULL;
+	     attr = pk11_attribute_next(ec, attr))
+	{
+		switch (attr->type) {
+		case CKA_EC_PARAMS:
+			INSIST(keyTemplate[5].type == attr->type);
+			keyTemplate[5].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			memmove(keyTemplate[5].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[5].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_EC_POINT:
+			INSIST(keyTemplate[6].type == attr->type);
+			keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			memmove(keyTemplate[6].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[6].ulValueLen = attr->ulValueLen;
+			break;
+		}
+	}
+	pk11_ctx->object = CK_INVALID_HANDLE;
+	pk11_ctx->ontoken = false;
+	PK11_RET(pkcs_C_CreateObject,
+		 (pk11_ctx->session, keyTemplate, (CK_ULONG)7, &hKey),
+		 ISC_R_FAILURE);
+
+	PK11_RET(pkcs_C_VerifyInit, (pk11_ctx->session, &mech, hKey),
+		 ISC_R_FAILURE);
+
+	isc_buffer_usedregion(buf, &t);
+
+	PK11_RET(pkcs_C_Verify,
+		 (pk11_ctx->session, (CK_BYTE_PTR)t.base, (CK_ULONG)t.length,
+		  (CK_BYTE_PTR)sig->base, (CK_ULONG)sig->length),
+		 DST_R_VERIFYFAILURE);
+
+err:
+
+	if (hKey != CK_INVALID_HANDLE) {
+		(void)pkcs_C_DestroyObject(pk11_ctx->session, hKey);
+	}
+	for (i = 5; i <= 6; i++) {
+		if (keyTemplate[i].pValue != NULL) {
+			{
+				memset(keyTemplate[i].pValue, 0,
+				       keyTemplate[i].ulValueLen);
+				isc_mem_put(dctx->mctx, keyTemplate[i].pValue,
+					    keyTemplate[i].ulValueLen);
+			}
+		}
+	}
+	pk11_return_session(pk11_ctx);
+	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+	isc_buffer_free(&buf);
+	dctx->ctxdata.generic = NULL;
+
+	return (ret);
+}
+
+static bool
+pkcs11eddsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
+	pk11_object_t *ec1, *ec2;
+	CK_ATTRIBUTE *attr1, *attr2;
+
+	ec1 = key1->keydata.pkey;
+	ec2 = key2->keydata.pkey;
+
+	if ((ec1 == NULL) && (ec2 == NULL)) {
+		return (true);
+	} else if ((ec1 == NULL) || (ec2 == NULL)) {
+		return (false);
+	}
+
+	attr1 = pk11_attribute_bytype(ec1, CKA_EC_PARAMS);
+	attr2 = pk11_attribute_bytype(ec2, CKA_EC_PARAMS);
+	if ((attr1 == NULL) && (attr2 == NULL)) {
+		return (true);
+	} else if ((attr1 == NULL) || (attr2 == NULL) ||
+		   (attr1->ulValueLen != attr2->ulValueLen) ||
+		   !isc_safe_memequal(attr1->pValue, attr2->pValue,
+				      attr1->ulValueLen))
+	{
+		return (false);
+	}
+
+	attr1 = pk11_attribute_bytype(ec1, CKA_EC_POINT);
+	attr2 = pk11_attribute_bytype(ec2, CKA_EC_POINT);
+	if ((attr1 == NULL) && (attr2 == NULL)) {
+		return (true);
+	} else if ((attr1 == NULL) || (attr2 == NULL) ||
+		   (attr1->ulValueLen != attr2->ulValueLen) ||
+		   !isc_safe_memequal(attr1->pValue, attr2->pValue,
+				      attr1->ulValueLen))
+	{
+		return (false);
+	}
+
+	attr1 = pk11_attribute_bytype(ec1, CKA_VALUE);
+	attr2 = pk11_attribute_bytype(ec2, CKA_VALUE);
+	if (((attr1 != NULL) || (attr2 != NULL)) &&
+	    ((attr1 == NULL) || (attr2 == NULL) ||
+	     (attr1->ulValueLen != attr2->ulValueLen) ||
+	     !isc_safe_memequal(attr1->pValue, attr2->pValue,
+				attr1->ulValueLen)))
+	{
+		return (false);
+	}
+
+	if (!ec1->ontoken && !ec2->ontoken) {
+		return (true);
+	} else if (ec1->ontoken || ec2->ontoken || (ec1->object != ec2->object))
+	{
+		return (false);
+	}
+
+	return (true);
+}
+
+#define SETCURVE()                                                             \
+	switch (key->key_alg) {                                                \
+	case DST_ALG_ED25519:                                                  \
+		attr->pValue = isc_mem_get(key->mctx,                          \
+					   sizeof(PK11_ECX_ED25519));          \
+		memmove(attr->pValue, PK11_ECX_ED25519,                        \
+			sizeof(PK11_ECX_ED25519));                             \
+		attr->ulValueLen = sizeof(PK11_ECX_ED25519);                   \
+		break;                                                         \
+	case DST_ALG_ED448:                                                    \
+		attr->pValue = isc_mem_get(key->mctx, sizeof(PK11_ECX_ED448)); \
+		memmove(attr->pValue, PK11_ECX_ED448, sizeof(PK11_ECX_ED448)); \
+		attr->ulValueLen = sizeof(PK11_ECX_ED448);                     \
+		break;                                                         \
+	default:                                                               \
+		UNREACHABLE();                                                 \
+	}
+
+#define FREECURVE()                                                     \
+	if (attr->pValue != NULL) {                                     \
+		memset(attr->pValue, 0, attr->ulValueLen);              \
+		isc_mem_put(key->mctx, attr->pValue, attr->ulValueLen); \
+		attr->pValue = NULL;                                    \
+	}
+
+static isc_result_t
+pkcs11eddsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_EC_EDWARDS_KEY_PAIR_GEN, NULL, 0 };
+	CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE;
+	CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY;
+	CK_KEY_TYPE keyType = CKK_EC_EDWARDS;
+	CK_ATTRIBUTE pubTemplate[] = {
+		{ CKA_CLASS, &pubClass, (CK_ULONG)sizeof(pubClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
+		{ CKA_VERIFY, &truevalue, (CK_ULONG)sizeof(truevalue) },
+		{ CKA_EC_PARAMS, NULL, 0 }
+	};
+	CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE;
+	CK_OBJECT_HANDLE privClass = CKO_PRIVATE_KEY;
+	CK_ATTRIBUTE privTemplate[] = {
+		{ CKA_CLASS, &privClass, (CK_ULONG)sizeof(privClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
+		{ CKA_SENSITIVE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
+		{ CKA_EXTRACTABLE, &truevalue, (CK_ULONG)sizeof(truevalue) },
+		{ CKA_SIGN, &truevalue, (CK_ULONG)sizeof(truevalue) }
+	};
+	CK_ATTRIBUTE *attr;
+	pk11_object_t *ec;
+	pk11_context_t *pk11_ctx;
+	isc_result_t ret;
+
+	REQUIRE(key->key_alg == DST_ALG_ED25519 ||
+		key->key_alg == DST_ALG_ED448);
+	UNUSED(unused);
+	UNUSED(callback);
+
+	pk11_ctx = isc_mem_get(key->mctx, sizeof(*pk11_ctx));
+	ret = pk11_get_session(pk11_ctx, OP_EDDSA, true, false, false, NULL,
+			       pk11_get_best_token(OP_EDDSA));
+	if (ret != ISC_R_SUCCESS) {
+		goto err;
+	}
+
+	ec = isc_mem_get(key->mctx, sizeof(*ec));
+	memset(ec, 0, sizeof(*ec));
+	key->keydata.pkey = ec;
+	ec->repr = isc_mem_get(key->mctx, sizeof(*attr) * 3);
+	memset(ec->repr, 0, sizeof(*attr) * 3);
+	ec->attrcnt = 3;
+
+	attr = ec->repr;
+	attr[0].type = CKA_EC_PARAMS;
+	attr[1].type = CKA_EC_POINT;
+	attr[2].type = CKA_VALUE;
+
+	attr = &pubTemplate[5];
+	SETCURVE();
+
+	PK11_RET(pkcs_C_GenerateKeyPair,
+		 (pk11_ctx->session, &mech, pubTemplate, (CK_ULONG)6,
+		  privTemplate, (CK_ULONG)7, &pub, &priv),
+		 DST_R_CRYPTOFAILURE);
+
+	attr = &pubTemplate[5];
+	FREECURVE();
+
+	attr = ec->repr;
+	SETCURVE();
+
+	attr++;
+	PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, pub, attr, 1),
+		 DST_R_CRYPTOFAILURE);
+	attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen);
+	memset(attr->pValue, 0, attr->ulValueLen);
+	PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, pub, attr, 1),
+		 DST_R_CRYPTOFAILURE);
+
+	attr++;
+	PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, priv, attr, 1),
+		 DST_R_CRYPTOFAILURE);
+	attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen);
+	memset(attr->pValue, 0, attr->ulValueLen);
+	PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, priv, attr, 1),
+		 DST_R_CRYPTOFAILURE);
+
+	(void)pkcs_C_DestroyObject(pk11_ctx->session, priv);
+	(void)pkcs_C_DestroyObject(pk11_ctx->session, pub);
+	pk11_return_session(pk11_ctx);
+	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+	switch (key->key_alg) {
+	case DST_ALG_ED25519:
+		key->key_size = DNS_KEY_ED25519SIZE * 8;
+		break;
+	case DST_ALG_ED448:
+		key->key_size = DNS_KEY_ED448SIZE * 8;
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	return (ISC_R_SUCCESS);
+
+err:
+	pkcs11eddsa_destroy(key);
+	if (priv != CK_INVALID_HANDLE) {
+		(void)pkcs_C_DestroyObject(pk11_ctx->session, priv);
+	}
+	if (pub != CK_INVALID_HANDLE) {
+		(void)pkcs_C_DestroyObject(pk11_ctx->session, pub);
+	}
+	pk11_return_session(pk11_ctx);
+	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+	return (ret);
+}
+
+static bool
+pkcs11eddsa_isprivate(const dst_key_t *key) {
+	pk11_object_t *ec = key->keydata.pkey;
+	CK_ATTRIBUTE *attr;
+
+	if (ec == NULL) {
+		return (false);
+	}
+	attr = pk11_attribute_bytype(ec, CKA_VALUE);
+	return (attr != NULL || ec->ontoken);
+}
+
+static void
+pkcs11eddsa_destroy(dst_key_t *key) {
+	pk11_object_t *ec = key->keydata.pkey;
+	CK_ATTRIBUTE *attr;
+
+	if (ec == NULL) {
+		return;
+	}
+
+	INSIST((ec->object == CK_INVALID_HANDLE) || ec->ontoken);
+
+	for (attr = pk11_attribute_first(ec); attr != NULL;
+	     attr = pk11_attribute_next(ec, attr))
+	{
+		switch (attr->type) {
+		case CKA_LABEL:
+		case CKA_ID:
+		case CKA_EC_PARAMS:
+		case CKA_EC_POINT:
+		case CKA_VALUE:
+			FREECURVE();
+			break;
+		}
+	}
+	if (ec->repr != NULL) {
+		memset(ec->repr, 0, ec->attrcnt * sizeof(*attr));
+		isc_mem_put(key->mctx, ec->repr, ec->attrcnt * sizeof(*attr));
+	}
+	memset(ec, 0, sizeof(*ec));
+	isc_mem_put(key->mctx, ec, sizeof(*ec));
+	key->keydata.pkey = NULL;
+}
+
+static isc_result_t
+pkcs11eddsa_todns(const dst_key_t *key, isc_buffer_t *data) {
+	pk11_object_t *ec;
+	isc_region_t r;
+	unsigned int len;
+	CK_ATTRIBUTE *attr;
+
+	REQUIRE(key->keydata.pkey != NULL);
+
+	switch (key->key_alg) {
+	case DST_ALG_ED25519:
+		len = DNS_KEY_ED25519SIZE;
+		break;
+	case DST_ALG_ED448:
+		len = DNS_KEY_ED448SIZE;
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	ec = key->keydata.pkey;
+	attr = pk11_attribute_bytype(ec, CKA_EC_POINT);
+	if ((attr == NULL) || (attr->ulValueLen != len + 2) ||
+	    (((CK_BYTE_PTR)attr->pValue)[0] != TAG_OCTECT_STRING) ||
+	    (((CK_BYTE_PTR)attr->pValue)[1] != len))
+	{
+		return (ISC_R_FAILURE);
+	}
+
+	isc_buffer_availableregion(data, &r);
+	if (r.length < len) {
+		return (ISC_R_NOSPACE);
+	}
+	memmove(r.base, (CK_BYTE_PTR)attr->pValue + 2, len);
+	isc_buffer_add(data, len);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+pkcs11eddsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+	pk11_object_t *ec;
+	isc_region_t r;
+	unsigned int len;
+	CK_ATTRIBUTE *attr;
+
+	REQUIRE(key->key_alg == DST_ALG_ED25519 ||
+		key->key_alg == DST_ALG_ED448);
+
+	switch (key->key_alg) {
+	case DST_ALG_ED25519:
+		len = DNS_KEY_ED25519SIZE;
+		break;
+	case DST_ALG_ED448:
+		len = DNS_KEY_ED448SIZE;
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	isc_buffer_remainingregion(data, &r);
+	if (r.length == 0) {
+		return (ISC_R_SUCCESS);
+	}
+	if (r.length != len) {
+		return (DST_R_INVALIDPUBLICKEY);
+	}
+
+	ec = isc_mem_get(key->mctx, sizeof(*ec));
+	memset(ec, 0, sizeof(*ec));
+	ec->repr = isc_mem_get(key->mctx, sizeof(*attr) * 2);
+	ec->attrcnt = 2;
+
+	attr = ec->repr;
+	attr->type = CKA_EC_PARAMS;
+	SETCURVE();
+
+	attr++;
+	attr->type = CKA_EC_POINT;
+	attr->pValue = isc_mem_get(key->mctx, len + 2);
+	((CK_BYTE_PTR)attr->pValue)[0] = TAG_OCTECT_STRING;
+	((CK_BYTE_PTR)attr->pValue)[1] = len;
+	memmove((CK_BYTE_PTR)attr->pValue + 2, r.base, len);
+	attr->ulValueLen = len + 2;
+
+	isc_buffer_forward(data, len);
+	key->keydata.pkey = ec;
+	key->key_size = len * 8;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+pkcs11eddsa_tofile(const dst_key_t *key, const char *directory) {
+	isc_result_t ret;
+	pk11_object_t *ec;
+	dst_private_t priv;
+	unsigned char *buf = NULL;
+	unsigned int i = 0;
+	CK_ATTRIBUTE *attr;
+
+	if (key->keydata.pkey == NULL) {
+		return (DST_R_NULLKEY);
+	}
+
+	if (key->external) {
+		priv.nelements = 0;
+		return (dst__privstruct_writefile(key, &priv, directory));
+	}
+
+	ec = key->keydata.pkey;
+	attr = pk11_attribute_bytype(ec, CKA_VALUE);
+	if (attr != NULL) {
+		buf = isc_mem_get(key->mctx, attr->ulValueLen);
+		priv.elements[i].tag = TAG_EDDSA_PRIVATEKEY;
+		priv.elements[i].length = (unsigned short)attr->ulValueLen;
+		memmove(buf, attr->pValue, attr->ulValueLen);
+		priv.elements[i].data = buf;
+		i++;
+	}
+
+	if (key->engine != NULL) {
+		priv.elements[i].tag = TAG_EDDSA_ENGINE;
+		priv.elements[i].length = strlen(key->engine) + 1;
+		priv.elements[i].data = (unsigned char *)key->engine;
+		i++;
+	}
+
+	if (key->label != NULL) {
+		priv.elements[i].tag = TAG_EDDSA_LABEL;
+		priv.elements[i].length = strlen(key->label) + 1;
+		priv.elements[i].data = (unsigned char *)key->label;
+		i++;
+	}
+
+	priv.nelements = i;
+	ret = dst__privstruct_writefile(key, &priv, directory);
+
+	if (buf != NULL) {
+		memset(buf, 0, attr->ulValueLen);
+		isc_mem_put(key->mctx, buf, attr->ulValueLen);
+	}
+	return (ret);
+}
+
+static isc_result_t
+pkcs11eddsa_fetch(dst_key_t *key, const char *engine, const char *label,
+		  dst_key_t *pub) {
+	CK_RV rv;
+	CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
+	CK_KEY_TYPE keyType = CKK_EC_EDWARDS;
+	CK_ATTRIBUTE searchTemplate[] = {
+		{ CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
+		{ CKA_TOKEN, &truevalue, (CK_ULONG)sizeof(truevalue) },
+		{ CKA_LABEL, NULL, 0 }
+	};
+	CK_ULONG cnt;
+	CK_ATTRIBUTE *attr;
+	CK_ATTRIBUTE *pubattr;
+	pk11_object_t *ec;
+	pk11_object_t *pubec;
+	pk11_context_t *pk11_ctx = NULL;
+	isc_result_t ret;
+
+	if (label == NULL) {
+		return (DST_R_NOENGINE);
+	}
+
+	ec = key->keydata.pkey;
+	pubec = pub->keydata.pkey;
+
+	ec->object = CK_INVALID_HANDLE;
+	ec->ontoken = true;
+	ec->reqlogon = true;
+	ec->repr = isc_mem_get(key->mctx, sizeof(*attr) * 2);
+	memset(ec->repr, 0, sizeof(*attr) * 2);
+	ec->attrcnt = 2;
+	attr = ec->repr;
+
+	attr->type = CKA_EC_PARAMS;
+	pubattr = pk11_attribute_bytype(pubec, CKA_EC_PARAMS);
+	INSIST(pubattr != NULL);
+	attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen);
+	memmove(attr->pValue, pubattr->pValue, pubattr->ulValueLen);
+	attr->ulValueLen = pubattr->ulValueLen;
+	attr++;
+
+	attr->type = CKA_EC_POINT;
+	pubattr = pk11_attribute_bytype(pubec, CKA_EC_POINT);
+	INSIST(pubattr != NULL);
+	attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen);
+	memmove(attr->pValue, pubattr->pValue, pubattr->ulValueLen);
+	attr->ulValueLen = pubattr->ulValueLen;
+
+	ret = pk11_parse_uri(ec, label, key->mctx, OP_EDDSA);
+	if (ret != ISC_R_SUCCESS) {
+		goto err;
+	}
+
+	pk11_ctx = isc_mem_get(key->mctx, sizeof(*pk11_ctx));
+	ret = pk11_get_session(pk11_ctx, OP_EDDSA, true, false, ec->reqlogon,
+			       NULL, ec->slot);
+	if (ret != ISC_R_SUCCESS) {
+		goto err;
+	}
+
+	attr = pk11_attribute_bytype(ec, CKA_LABEL);
+	if (attr == NULL) {
+		attr = pk11_attribute_bytype(ec, CKA_ID);
+		INSIST(attr != NULL);
+		searchTemplate[3].type = CKA_ID;
+	}
+	searchTemplate[3].pValue = attr->pValue;
+	searchTemplate[3].ulValueLen = attr->ulValueLen;
+
+	PK11_RET(pkcs_C_FindObjectsInit,
+		 (pk11_ctx->session, searchTemplate, (CK_ULONG)4),
+		 DST_R_CRYPTOFAILURE);
+	PK11_RET(pkcs_C_FindObjects,
+		 (pk11_ctx->session, &ec->object, (CK_ULONG)1, &cnt),
+		 DST_R_CRYPTOFAILURE);
+	(void)pkcs_C_FindObjectsFinal(pk11_ctx->session);
+	if (cnt == 0) {
+		DST_RET(ISC_R_NOTFOUND);
+	}
+	if (cnt > 1) {
+		DST_RET(ISC_R_EXISTS);
+	}
+
+	if (engine != NULL) {
+		key->engine = isc_mem_strdup(key->mctx, engine);
+	}
+
+	key->label = isc_mem_strdup(key->mctx, label);
+
+	pk11_return_session(pk11_ctx);
+	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+	return (ISC_R_SUCCESS);
+
+err:
+	if (pk11_ctx != NULL) {
+		pk11_return_session(pk11_ctx);
+		memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+		isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+	}
+	return (ret);
+}
+
+static isc_result_t
+pkcs11eddsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+	dst_private_t priv;
+	isc_result_t ret;
+	pk11_object_t *ec = NULL;
+	CK_ATTRIBUTE *attr, *pattr;
+	isc_mem_t *mctx = key->mctx;
+	unsigned int i;
+	const char *engine = NULL, *label = NULL;
+
+	REQUIRE(key->key_alg == DST_ALG_ED25519 ||
+		key->key_alg == DST_ALG_ED448);
+
+	if ((pub == NULL) || (pub->keydata.pkey == NULL)) {
+		DST_RET(DST_R_INVALIDPRIVATEKEY);
+	}
+
+	/* read private key file */
+	ret = dst__privstruct_parse(key, DST_ALG_ED25519, lexer, mctx, &priv);
+	if (ret != ISC_R_SUCCESS) {
+		return (ret);
+	}
+
+	if (key->external) {
+		if (priv.nelements != 0) {
+			DST_RET(DST_R_INVALIDPRIVATEKEY);
+		}
+
+		key->keydata.pkey = pub->keydata.pkey;
+		pub->keydata.pkey = NULL;
+		key->key_size = pub->key_size;
+
+		dst__privstruct_free(&priv, mctx);
+		memset(&priv, 0, sizeof(priv));
+
+		return (ISC_R_SUCCESS);
+	}
+
+	for (i = 0; i < priv.nelements; i++) {
+		switch (priv.elements[i].tag) {
+		case TAG_EDDSA_ENGINE:
+			engine = (char *)priv.elements[i].data;
+			break;
+		case TAG_EDDSA_LABEL:
+			label = (char *)priv.elements[i].data;
+			break;
+		default:
+			break;
+		}
+	}
+	ec = isc_mem_get(key->mctx, sizeof(*ec));
+	memset(ec, 0, sizeof(*ec));
+	key->keydata.pkey = ec;
+
+	/* Is this key is stored in a HSM? See if we can fetch it. */
+	if ((label != NULL) || (engine != NULL)) {
+		ret = pkcs11eddsa_fetch(key, engine, label, pub);
+		if (ret != ISC_R_SUCCESS) {
+			goto err;
+		}
+		dst__privstruct_free(&priv, mctx);
+		memset(&priv, 0, sizeof(priv));
+		return (ret);
+	}
+
+	ec->repr = isc_mem_get(key->mctx, sizeof(*attr) * 3);
+	memset(ec->repr, 0, sizeof(*attr) * 3);
+	ec->attrcnt = 3;
+
+	attr = ec->repr;
+	attr->type = CKA_EC_PARAMS;
+	pattr = pk11_attribute_bytype(pub->keydata.pkey, CKA_EC_PARAMS);
+	INSIST(pattr != NULL);
+	attr->pValue = isc_mem_get(key->mctx, pattr->ulValueLen);
+	memmove(attr->pValue, pattr->pValue, pattr->ulValueLen);
+	attr->ulValueLen = pattr->ulValueLen;
+
+	attr++;
+	attr->type = CKA_EC_POINT;
+	pattr = pk11_attribute_bytype(pub->keydata.pkey, CKA_EC_POINT);
+	INSIST(pattr != NULL);
+	attr->pValue = isc_mem_get(key->mctx, pattr->ulValueLen);
+	memmove(attr->pValue, pattr->pValue, pattr->ulValueLen);
+	attr->ulValueLen = pattr->ulValueLen;
+
+	attr++;
+	attr->type = CKA_VALUE;
+	attr->pValue = isc_mem_get(key->mctx, priv.elements[0].length);
+	memmove(attr->pValue, priv.elements[0].data, priv.elements[0].length);
+	attr->ulValueLen = priv.elements[0].length;
+
+	dst__privstruct_free(&priv, mctx);
+	memset(&priv, 0, sizeof(priv));
+	switch (key->key_alg) {
+	case DST_ALG_ED25519:
+		key->key_size = DNS_KEY_ED25519SIZE * 8;
+		break;
+	case DST_ALG_ED448:
+		key->key_size = DNS_KEY_ED448SIZE * 8;
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	return (ISC_R_SUCCESS);
+
+err:
+	pkcs11eddsa_destroy(key);
+	dst__privstruct_free(&priv, mctx);
+	memset(&priv, 0, sizeof(priv));
+	return (ret);
+}
+
+static isc_result_t
+pkcs11eddsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+		      const char *pin) {
+	CK_RV rv;
+	CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
+	CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
+	CK_KEY_TYPE keyType = CKK_EC_EDWARDS;
+	CK_ATTRIBUTE searchTemplate[] = {
+		{ CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
+		{ CKA_TOKEN, &truevalue, (CK_ULONG)sizeof(truevalue) },
+		{ CKA_LABEL, NULL, 0 }
+	};
+	CK_ULONG cnt;
+	CK_ATTRIBUTE *attr;
+	pk11_object_t *ec;
+	pk11_context_t *pk11_ctx = NULL;
+	isc_result_t ret;
+	unsigned int i;
+
+	UNUSED(pin);
+
+	ec = isc_mem_get(key->mctx, sizeof(*ec));
+	memset(ec, 0, sizeof(*ec));
+	ec->object = CK_INVALID_HANDLE;
+	ec->ontoken = true;
+	ec->reqlogon = true;
+	key->keydata.pkey = ec;
+
+	ec->repr = isc_mem_get(key->mctx, sizeof(*attr) * 2);
+	memset(ec->repr, 0, sizeof(*attr) * 2);
+	ec->attrcnt = 2;
+	attr = ec->repr;
+	attr[0].type = CKA_EC_PARAMS;
+	attr[1].type = CKA_EC_POINT;
+
+	ret = pk11_parse_uri(ec, label, key->mctx, OP_EDDSA);
+	if (ret != ISC_R_SUCCESS) {
+		goto err;
+	}
+
+	pk11_ctx = isc_mem_get(key->mctx, sizeof(*pk11_ctx));
+	ret = pk11_get_session(pk11_ctx, OP_EDDSA, true, false, ec->reqlogon,
+			       NULL, ec->slot);
+	if (ret != ISC_R_SUCCESS) {
+		goto err;
+	}
+
+	attr = pk11_attribute_bytype(ec, CKA_LABEL);
+	if (attr == NULL) {
+		attr = pk11_attribute_bytype(ec, CKA_ID);
+		INSIST(attr != NULL);
+		searchTemplate[3].type = CKA_ID;
+	}
+	searchTemplate[3].pValue = attr->pValue;
+	searchTemplate[3].ulValueLen = attr->ulValueLen;
+
+	PK11_RET(pkcs_C_FindObjectsInit,
+		 (pk11_ctx->session, searchTemplate, (CK_ULONG)4),
+		 DST_R_CRYPTOFAILURE);
+	PK11_RET(pkcs_C_FindObjects,
+		 (pk11_ctx->session, &hKey, (CK_ULONG)1, &cnt),
+		 DST_R_CRYPTOFAILURE);
+	(void)pkcs_C_FindObjectsFinal(pk11_ctx->session);
+	if (cnt == 0) {
+		DST_RET(ISC_R_NOTFOUND);
+	}
+	if (cnt > 1) {
+		DST_RET(ISC_R_EXISTS);
+	}
+
+	attr = ec->repr;
+	PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, hKey, attr, 2),
+		 DST_R_CRYPTOFAILURE);
+	for (i = 0; i <= 1; i++) {
+		attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen);
+		memset(attr[i].pValue, 0, attr[i].ulValueLen);
+	}
+	PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, hKey, attr, 2),
+		 DST_R_CRYPTOFAILURE);
+
+	keyClass = CKO_PRIVATE_KEY;
+	PK11_RET(pkcs_C_FindObjectsInit,
+		 (pk11_ctx->session, searchTemplate, (CK_ULONG)4),
+		 DST_R_CRYPTOFAILURE);
+	PK11_RET(pkcs_C_FindObjects,
+		 (pk11_ctx->session, &ec->object, (CK_ULONG)1, &cnt),
+		 DST_R_CRYPTOFAILURE);
+	(void)pkcs_C_FindObjectsFinal(pk11_ctx->session);
+	if (cnt == 0) {
+		DST_RET(ISC_R_NOTFOUND);
+	}
+	if (cnt > 1) {
+		DST_RET(ISC_R_EXISTS);
+	}
+
+	if (engine != NULL) {
+		key->engine = isc_mem_strdup(key->mctx, engine);
+	}
+
+	key->label = isc_mem_strdup(key->mctx, label);
+	switch (key->key_alg) {
+	case DST_ALG_ED25519:
+		key->key_size = DNS_KEY_ED25519SIZE * 8;
+		break;
+	case DST_ALG_ED448:
+		key->key_size = DNS_KEY_ED448SIZE * 8;
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	pk11_return_session(pk11_ctx);
+	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+	return (ISC_R_SUCCESS);
+
+err:
+	pkcs11eddsa_destroy(key);
+	if (pk11_ctx != NULL) {
+		pk11_return_session(pk11_ctx);
+		memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+		isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+	}
+	return (ret);
+}
+
+static dst_func_t pkcs11eddsa_functions = {
+	pkcs11eddsa_createctx,
+	NULL, /*%< createctx2 */
+	pkcs11eddsa_destroyctx,
+	pkcs11eddsa_adddata,
+	pkcs11eddsa_sign,
+	pkcs11eddsa_verify,
+	NULL, /*%< verify2 */
+	NULL, /*%< computesecret */
+	pkcs11eddsa_compare,
+	NULL, /*%< paramcompare */
+	pkcs11eddsa_generate,
+	pkcs11eddsa_isprivate,
+	pkcs11eddsa_destroy,
+	pkcs11eddsa_todns,
+	pkcs11eddsa_fromdns,
+	pkcs11eddsa_tofile,
+	pkcs11eddsa_parse,
+	NULL, /*%< cleanup */
+	pkcs11eddsa_fromlabel,
+	NULL, /*%< dump */
+	NULL, /*%< restore */
+};
+
+isc_result_t
+dst__pkcs11eddsa_init(dst_func_t **funcp) {
+	REQUIRE(funcp != NULL);
+	if (*funcp == NULL) {
+		*funcp = &pkcs11eddsa_functions;
+	}
+	return (ISC_R_SUCCESS);
+}
+
+#endif /* USE_PKCS11 */
diff --git a/lib/dns/pkcs11rsa_link.c b/lib/dns/pkcs11rsa_link.c
new file mode 100644
index 0000000..b439dd7
--- /dev/null
+++ b/lib/dns/pkcs11rsa_link.c
@@ -0,0 +1,2115 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#if USE_PKCS11
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/mem.h>
+#include <isc/safe.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <pk11/internal.h>
+#include <pk11/site.h>
+
+#include <dst/result.h>
+
+#include "dst_internal.h"
+#include "dst_parse.h"
+#include "dst_pkcs11.h"
+
+/*
+ * Limit the size of public exponents.
+ */
+#ifndef RSA_MAX_PUBEXP_BITS
+#define RSA_MAX_PUBEXP_BITS 35
+#endif /* ifndef RSA_MAX_PUBEXP_BITS */
+
+#define DST_RET(a)        \
+	{                 \
+		ret = a;  \
+		goto err; \
+	}
+
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+static void
+pkcs11rsa_destroy(dst_key_t *key);
+
+#ifndef PK11_RSA_PKCS_REPLACE
+
+static isc_result_t
+pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
+	CK_RV rv;
+	CK_MECHANISM mech = { 0, NULL, 0 };
+	CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
+	CK_KEY_TYPE keyType = CKK_RSA;
+	CK_ATTRIBUTE keyTemplate[] = {
+		{ CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
+		{ CKA_SENSITIVE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
+		{ CKA_SIGN, &truevalue, (CK_ULONG)sizeof(truevalue) },
+		{ CKA_MODULUS, NULL, 0 },
+		{ CKA_PUBLIC_EXPONENT, NULL, 0 },
+		{ CKA_PRIVATE_EXPONENT, NULL, 0 },
+		{ CKA_PRIME_1, NULL, 0 },
+		{ CKA_PRIME_2, NULL, 0 },
+		{ CKA_EXPONENT_1, NULL, 0 },
+		{ CKA_EXPONENT_2, NULL, 0 },
+		{ CKA_COEFFICIENT, NULL, 0 }
+	};
+	CK_ATTRIBUTE *attr;
+	CK_SLOT_ID slotid;
+	pk11_object_t *rsa;
+	pk11_context_t *pk11_ctx;
+	isc_result_t ret;
+	unsigned int i;
+
+	REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
+		key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+		key->key_alg == DST_ALG_RSASHA256 ||
+		key->key_alg == DST_ALG_RSASHA512);
+
+	/*
+	 * Reject incorrect RSA key lengths.
+	 */
+	switch (dctx->key->key_alg) {
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		/* From RFC 3110 */
+		if (dctx->key->key_size > 4096) {
+			return (ISC_R_FAILURE);
+		}
+		break;
+	case DST_ALG_RSASHA256:
+		/* From RFC 5702 */
+		if ((dctx->key->key_size < 512) || (dctx->key->key_size > 4096))
+		{
+			return (ISC_R_FAILURE);
+		}
+		break;
+	case DST_ALG_RSASHA512:
+		/* From RFC 5702 */
+		if ((dctx->key->key_size < 1024) ||
+		    (dctx->key->key_size > 4096))
+		{
+			return (ISC_R_FAILURE);
+		}
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	rsa = key->keydata.pkey;
+
+	pk11_ctx = isc_mem_get(dctx->mctx, sizeof(*pk11_ctx));
+	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	if (rsa->ontoken) {
+		slotid = rsa->slot;
+	} else {
+		slotid = pk11_get_best_token(OP_RSA);
+	}
+	ret = pk11_get_session(pk11_ctx, OP_RSA, true, false, rsa->reqlogon,
+			       NULL, slotid);
+	if (ret != ISC_R_SUCCESS) {
+		goto err;
+	}
+
+	if (rsa->ontoken && (rsa->object != CK_INVALID_HANDLE)) {
+		pk11_ctx->ontoken = rsa->ontoken;
+		pk11_ctx->object = rsa->object;
+		goto token_key;
+	}
+
+	for (attr = pk11_attribute_first(rsa); attr != NULL;
+	     attr = pk11_attribute_next(rsa, attr))
+	{
+		switch (attr->type) {
+		case CKA_MODULUS:
+			INSIST(keyTemplate[6].type == attr->type);
+			keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			memmove(keyTemplate[6].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[6].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_PUBLIC_EXPONENT:
+			INSIST(keyTemplate[7].type == attr->type);
+			keyTemplate[7].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			memmove(keyTemplate[7].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[7].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_PRIVATE_EXPONENT:
+			INSIST(keyTemplate[8].type == attr->type);
+			keyTemplate[8].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			memmove(keyTemplate[8].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[8].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_PRIME_1:
+			INSIST(keyTemplate[9].type == attr->type);
+			keyTemplate[9].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			memmove(keyTemplate[9].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[9].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_PRIME_2:
+			INSIST(keyTemplate[10].type == attr->type);
+			keyTemplate[10].pValue = isc_mem_get(dctx->mctx,
+							     attr->ulValueLen);
+			memmove(keyTemplate[10].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[10].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_EXPONENT_1:
+			INSIST(keyTemplate[11].type == attr->type);
+			keyTemplate[11].pValue = isc_mem_get(dctx->mctx,
+							     attr->ulValueLen);
+			memmove(keyTemplate[11].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[11].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_EXPONENT_2:
+			INSIST(keyTemplate[12].type == attr->type);
+			keyTemplate[12].pValue = isc_mem_get(dctx->mctx,
+							     attr->ulValueLen);
+			memmove(keyTemplate[12].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[12].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_COEFFICIENT:
+			INSIST(keyTemplate[13].type == attr->type);
+			keyTemplate[13].pValue = isc_mem_get(dctx->mctx,
+							     attr->ulValueLen);
+			memmove(keyTemplate[13].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[13].ulValueLen = attr->ulValueLen;
+			break;
+		}
+	}
+	pk11_ctx->object = CK_INVALID_HANDLE;
+	pk11_ctx->ontoken = false;
+	PK11_RET(pkcs_C_CreateObject,
+		 (pk11_ctx->session, keyTemplate, (CK_ULONG)14,
+		  &pk11_ctx->object),
+		 ISC_R_FAILURE);
+
+token_key:
+
+	switch (dctx->key->key_alg) {
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		mech.mechanism = CKM_SHA1_RSA_PKCS;
+		break;
+	case DST_ALG_RSASHA256:
+		mech.mechanism = CKM_SHA256_RSA_PKCS;
+		break;
+	case DST_ALG_RSASHA512:
+		mech.mechanism = CKM_SHA512_RSA_PKCS;
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	PK11_RET(pkcs_C_SignInit, (pk11_ctx->session, &mech, pk11_ctx->object),
+		 ISC_R_FAILURE);
+
+	dctx->ctxdata.pk11_ctx = pk11_ctx;
+
+	for (i = 6; i <= 13; i++) {
+		if (keyTemplate[i].pValue != NULL) {
+			{
+				isc_safe_memwipe(keyTemplate[i].pValue,
+						 keyTemplate[i].ulValueLen);
+				isc_mem_put(dctx->mctx, keyTemplate[i].pValue,
+					    keyTemplate[i].ulValueLen);
+			}
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+
+err:
+	if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE)) {
+		(void)pkcs_C_DestroyObject(pk11_ctx->session, pk11_ctx->object);
+	}
+	for (i = 6; i <= 13; i++) {
+		if (keyTemplate[i].pValue != NULL) {
+			{
+				isc_safe_memwipe(keyTemplate[i].pValue,
+						 keyTemplate[i].ulValueLen);
+				isc_mem_put(dctx->mctx, keyTemplate[i].pValue,
+					    keyTemplate[i].ulValueLen);
+			}
+		}
+	}
+	pk11_return_session(pk11_ctx);
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
+	isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+	return (ret);
+}
+
+static isc_result_t
+pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
+			   dst_context_t *dctx) {
+	CK_RV rv;
+	CK_MECHANISM mech = { 0, NULL, 0 };
+	CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
+	CK_KEY_TYPE keyType = CKK_RSA;
+	CK_ATTRIBUTE keyTemplate[] = {
+		{ CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
+		{ CKA_VERIFY, &truevalue, (CK_ULONG)sizeof(truevalue) },
+		{ CKA_MODULUS, NULL, 0 },
+		{ CKA_PUBLIC_EXPONENT, NULL, 0 },
+	};
+	CK_ATTRIBUTE *attr;
+	pk11_object_t *rsa;
+	pk11_context_t *pk11_ctx;
+	isc_result_t ret;
+	unsigned int i;
+
+	REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
+		key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+		key->key_alg == DST_ALG_RSASHA256 ||
+		key->key_alg == DST_ALG_RSASHA512);
+	REQUIRE(maxbits <= RSA_MAX_PUBEXP_BITS);
+
+	/*
+	 * Reject incorrect RSA key lengths.
+	 */
+	switch (dctx->key->key_alg) {
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		/* From RFC 3110 */
+		if (dctx->key->key_size > 4096) {
+			return (ISC_R_FAILURE);
+		}
+		break;
+	case DST_ALG_RSASHA256:
+		/* From RFC 5702 */
+		if ((dctx->key->key_size < 512) || (dctx->key->key_size > 4096))
+		{
+			return (ISC_R_FAILURE);
+		}
+		break;
+	case DST_ALG_RSASHA512:
+		/* From RFC 5702 */
+		if ((dctx->key->key_size < 1024) ||
+		    (dctx->key->key_size > 4096))
+		{
+			return (ISC_R_FAILURE);
+		}
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	rsa = key->keydata.pkey;
+
+	pk11_ctx = isc_mem_get(dctx->mctx, sizeof(*pk11_ctx));
+	ret = pk11_get_session(pk11_ctx, OP_RSA, true, false, rsa->reqlogon,
+			       NULL, pk11_get_best_token(OP_RSA));
+	if (ret != ISC_R_SUCCESS) {
+		goto err;
+	}
+
+	for (attr = pk11_attribute_first(rsa); attr != NULL;
+	     attr = pk11_attribute_next(rsa, attr))
+	{
+		unsigned int bits;
+
+		switch (attr->type) {
+		case CKA_MODULUS:
+			INSIST(keyTemplate[5].type == attr->type);
+			keyTemplate[5].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			memmove(keyTemplate[5].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[5].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_PUBLIC_EXPONENT:
+			INSIST(keyTemplate[6].type == attr->type);
+			keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			memmove(keyTemplate[6].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[6].ulValueLen = attr->ulValueLen;
+			ret = pk11_numbits(attr->pValue, attr->ulValueLen,
+					   &bits);
+			if (ret != ISC_R_SUCCESS ||
+			    (bits > maxbits && maxbits != 0))
+			{
+				DST_RET(DST_R_VERIFYFAILURE);
+			}
+			break;
+		}
+	}
+	pk11_ctx->object = CK_INVALID_HANDLE;
+	pk11_ctx->ontoken = false;
+	PK11_RET(pkcs_C_CreateObject,
+		 (pk11_ctx->session, keyTemplate, (CK_ULONG)7,
+		  &pk11_ctx->object),
+		 ISC_R_FAILURE);
+
+	switch (dctx->key->key_alg) {
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		mech.mechanism = CKM_SHA1_RSA_PKCS;
+		break;
+	case DST_ALG_RSASHA256:
+		mech.mechanism = CKM_SHA256_RSA_PKCS;
+		break;
+	case DST_ALG_RSASHA512:
+		mech.mechanism = CKM_SHA512_RSA_PKCS;
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	PK11_RET(pkcs_C_VerifyInit,
+		 (pk11_ctx->session, &mech, pk11_ctx->object), ISC_R_FAILURE);
+
+	dctx->ctxdata.pk11_ctx = pk11_ctx;
+
+	for (i = 5; i <= 6; i++) {
+		if (keyTemplate[i].pValue != NULL) {
+			{
+				isc_safe_memwipe(keyTemplate[i].pValue,
+						 keyTemplate[i].ulValueLen);
+				isc_mem_put(dctx->mctx, keyTemplate[i].pValue,
+					    keyTemplate[i].ulValueLen);
+			}
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+
+err:
+	if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE)) {
+		(void)pkcs_C_DestroyObject(pk11_ctx->session, pk11_ctx->object);
+	}
+	for (i = 5; i <= 6; i++) {
+		if (keyTemplate[i].pValue != NULL) {
+			{
+				isc_safe_memwipe(keyTemplate[i].pValue,
+						 keyTemplate[i].ulValueLen);
+				isc_mem_put(dctx->mctx, keyTemplate[i].pValue,
+					    keyTemplate[i].ulValueLen);
+			}
+		}
+	}
+	pk11_return_session(pk11_ctx);
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
+	isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+	return (ret);
+}
+
+static isc_result_t
+pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) {
+	if (dctx->use == DO_SIGN) {
+		return (pkcs11rsa_createctx_sign(key, dctx));
+	} else {
+		return (pkcs11rsa_createctx_verify(key, 0U, dctx));
+	}
+}
+
+static isc_result_t
+pkcs11rsa_createctx2(dst_key_t *key, int maxbits, dst_context_t *dctx) {
+	if (dctx->use == DO_SIGN) {
+		return (pkcs11rsa_createctx_sign(key, dctx));
+	} else {
+		return (pkcs11rsa_createctx_verify(key, (unsigned)maxbits,
+						   dctx));
+	}
+}
+
+static void
+pkcs11rsa_destroyctx(dst_context_t *dctx) {
+	pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+
+	if (pk11_ctx != NULL) {
+		if (!pk11_ctx->ontoken &&
+		    (pk11_ctx->object != CK_INVALID_HANDLE))
+		{
+			(void)pkcs_C_DestroyObject(pk11_ctx->session,
+						   pk11_ctx->object);
+		}
+		pk11_return_session(pk11_ctx);
+		isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
+		isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+		dctx->ctxdata.pk11_ctx = NULL;
+	}
+}
+
+static isc_result_t
+pkcs11rsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
+	CK_RV rv;
+	pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+	isc_result_t ret = ISC_R_SUCCESS;
+
+	if (dctx->use == DO_SIGN) {
+		PK11_CALL(pkcs_C_SignUpdate,
+			  (pk11_ctx->session, (CK_BYTE_PTR)data->base,
+			   (CK_ULONG)data->length),
+			  ISC_R_FAILURE);
+	} else {
+		PK11_CALL(pkcs_C_VerifyUpdate,
+			  (pk11_ctx->session, (CK_BYTE_PTR)data->base,
+			   (CK_ULONG)data->length),
+			  ISC_R_FAILURE);
+	}
+	return (ret);
+}
+
+static isc_result_t
+pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+	CK_RV rv;
+	CK_ULONG siglen = 0;
+	isc_region_t r;
+	pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+	isc_result_t ret = ISC_R_SUCCESS;
+
+	PK11_RET(pkcs_C_SignFinal, (pk11_ctx->session, NULL, &siglen),
+		 DST_R_SIGNFAILURE);
+
+	isc_buffer_availableregion(sig, &r);
+
+	if (r.length < (unsigned int)siglen) {
+		return (ISC_R_NOSPACE);
+	}
+
+	PK11_RET(pkcs_C_SignFinal,
+		 (pk11_ctx->session, (CK_BYTE_PTR)r.base, &siglen),
+		 DST_R_SIGNFAILURE);
+
+	isc_buffer_add(sig, (unsigned int)siglen);
+
+err:
+	return (ret);
+}
+
+static isc_result_t
+pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+	CK_RV rv;
+	pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+	isc_result_t ret = ISC_R_SUCCESS;
+
+	PK11_CALL(pkcs_C_VerifyFinal,
+		  (pk11_ctx->session, (CK_BYTE_PTR)sig->base,
+		   (CK_ULONG)sig->length),
+		  DST_R_VERIFYFAILURE);
+	return (ret);
+}
+
+#else /* ifndef PK11_RSA_PKCS_REPLACE */
+
+/*
+ * CKM_<hash>_RSA_PKCS mechanisms are not available so fall back
+ * to CKM_RSA_PKCS and do the EMSA-PKCS#1-v1.5 encapsulation by hand.
+ */
+
+CK_BYTE md5_der[] = { 0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48,
+		      0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10 };
+CK_BYTE sha1_der[] = { 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
+		       0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14 };
+CK_BYTE sha256_der[] = { 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60,
+			 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02,
+			 0x01, 0x05, 0x00, 0x04, 0x20 };
+CK_BYTE sha512_der[] = { 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60,
+			 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02,
+			 0x03, 0x05, 0x00, 0x04, 0x40 };
+#define MAX_DER_SIZE	 19
+#define MIN_PKCS1_PADLEN 11
+
+static isc_result_t
+pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) {
+	CK_RV rv;
+	CK_MECHANISM mech = { 0, NULL, 0 };
+	CK_SLOT_ID slotid;
+	pk11_object_t *rsa = key->keydata.pkey;
+	pk11_context_t *pk11_ctx;
+	isc_result_t ret;
+
+	REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
+		key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+		key->key_alg == DST_ALG_RSASHA256 ||
+		key->key_alg == DST_ALG_RSASHA512);
+	REQUIRE(rsa != NULL);
+
+	/*
+	 * Reject incorrect RSA key lengths.
+	 */
+	switch (dctx->key->key_alg) {
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		/* From RFC 3110 */
+		if (dctx->key->key_size > 4096) {
+			return (ISC_R_FAILURE);
+		}
+		break;
+	case DST_ALG_RSASHA256:
+		/* From RFC 5702 */
+		if ((dctx->key->key_size < 512) || (dctx->key->key_size > 4096))
+		{
+			return (ISC_R_FAILURE);
+		}
+		break;
+	case DST_ALG_RSASHA512:
+		/* From RFC 5702 */
+		if ((dctx->key->key_size < 1024) ||
+		    (dctx->key->key_size > 4096))
+		{
+			return (ISC_R_FAILURE);
+		}
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	switch (key->key_alg) {
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		mech.mechanism = CKM_SHA_1;
+		break;
+	case DST_ALG_RSASHA256:
+		mech.mechanism = CKM_SHA256;
+		break;
+	case DST_ALG_RSASHA512:
+		mech.mechanism = CKM_SHA512;
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	pk11_ctx = isc_mem_get(dctx->mctx, sizeof(*pk11_ctx));
+	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	if (rsa->ontoken) {
+		slotid = rsa->slot;
+	} else {
+		slotid = pk11_get_best_token(OP_RSA);
+	}
+	ret = pk11_get_session(pk11_ctx, OP_RSA, true, false, rsa->reqlogon,
+			       NULL, slotid);
+	if (ret != ISC_R_SUCCESS) {
+		goto err;
+	}
+
+	PK11_RET(pkcs_C_DigestInit, (pk11_ctx->session, &mech), ISC_R_FAILURE);
+	dctx->ctxdata.pk11_ctx = pk11_ctx;
+	return (ISC_R_SUCCESS);
+
+err:
+	pk11_return_session(pk11_ctx);
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
+	isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+	return (ret);
+}
+
+static void
+pkcs11rsa_destroyctx(dst_context_t *dctx) {
+	CK_BYTE garbage[ISC_SHA512_DIGESTLENGTH];
+	CK_ULONG len = ISC_SHA512_DIGESTLENGTH;
+	pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+
+	if (pk11_ctx != NULL) {
+		(void)pkcs_C_DigestFinal(pk11_ctx->session, garbage, &len);
+		isc_safe_memwipe(garbage, sizeof(garbage));
+		pk11_return_session(pk11_ctx);
+		isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
+		isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+		dctx->ctxdata.pk11_ctx = NULL;
+	}
+}
+
+static isc_result_t
+pkcs11rsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
+	CK_RV rv;
+	pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+	isc_result_t ret = ISC_R_SUCCESS;
+
+	PK11_CALL(pkcs_C_DigestUpdate,
+		  (pk11_ctx->session, (CK_BYTE_PTR)data->base,
+		   (CK_ULONG)data->length),
+		  ISC_R_FAILURE);
+
+	return (ret);
+}
+
+static isc_result_t
+pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_RSA_PKCS, NULL, 0 };
+	CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
+	CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
+	CK_KEY_TYPE keyType = CKK_RSA;
+	CK_ATTRIBUTE keyTemplate[] = {
+		{ CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
+		{ CKA_SENSITIVE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
+		{ CKA_SIGN, &truevalue, (CK_ULONG)sizeof(truevalue) },
+		{ CKA_MODULUS, NULL, 0 },
+		{ CKA_PUBLIC_EXPONENT, NULL, 0 },
+		{ CKA_PRIVATE_EXPONENT, NULL, 0 },
+		{ CKA_PRIME_1, NULL, 0 },
+		{ CKA_PRIME_2, NULL, 0 },
+		{ CKA_EXPONENT_1, NULL, 0 },
+		{ CKA_EXPONENT_2, NULL, 0 },
+		{ CKA_COEFFICIENT, NULL, 0 }
+	};
+	CK_ATTRIBUTE *attr;
+	CK_BYTE digest[MAX_DER_SIZE + ISC_SHA512_DIGESTLENGTH];
+	CK_BYTE *der;
+	CK_ULONG derlen;
+	CK_ULONG hashlen;
+	CK_ULONG dgstlen;
+	CK_ULONG siglen = 0;
+	pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+	dst_key_t *key = dctx->key;
+	pk11_object_t *rsa = key->keydata.pkey;
+	isc_region_t r;
+	isc_result_t ret = ISC_R_SUCCESS;
+	unsigned int i;
+
+	REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
+		key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+		key->key_alg == DST_ALG_RSASHA256 ||
+		key->key_alg == DST_ALG_RSASHA512);
+	REQUIRE(rsa != NULL);
+
+	/*
+	 * Reject incorrect RSA key lengths.
+	 */
+	switch (dctx->key->key_alg) {
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		/* From RFC 3110 */
+		if (dctx->key->key_size > 4096) {
+			return (ISC_R_FAILURE);
+		}
+		break;
+	case DST_ALG_RSASHA256:
+		/* From RFC 5702 */
+		if ((dctx->key->key_size < 512) || (dctx->key->key_size > 4096))
+		{
+			return (ISC_R_FAILURE);
+		}
+		break;
+	case DST_ALG_RSASHA512:
+		/* From RFC 5702 */
+		if ((dctx->key->key_size < 1024) ||
+		    (dctx->key->key_size > 4096))
+		{
+			return (ISC_R_FAILURE);
+		}
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	switch (key->key_alg) {
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		der = sha1_der;
+		derlen = sizeof(sha1_der);
+		hashlen = ISC_SHA1_DIGESTLENGTH;
+		break;
+	case DST_ALG_RSASHA256:
+		der = sha256_der;
+		derlen = sizeof(sha256_der);
+		hashlen = ISC_SHA256_DIGESTLENGTH;
+		break;
+	case DST_ALG_RSASHA512:
+		der = sha512_der;
+		derlen = sizeof(sha512_der);
+		hashlen = ISC_SHA512_DIGESTLENGTH;
+		break;
+	default:
+		UNREACHABLE();
+	}
+	dgstlen = derlen + hashlen;
+	INSIST(dgstlen <= sizeof(digest));
+	memmove(digest, der, derlen);
+
+	PK11_RET(pkcs_C_DigestFinal,
+		 (pk11_ctx->session, digest + derlen, &hashlen),
+		 DST_R_SIGNFAILURE);
+
+	isc_buffer_availableregion(sig, &r);
+	if (r.length < (unsigned int)dgstlen + MIN_PKCS1_PADLEN) {
+		return (ISC_R_NOSPACE);
+	}
+
+	if (rsa->ontoken && (rsa->object != CK_INVALID_HANDLE)) {
+		pk11_ctx->ontoken = rsa->ontoken;
+		pk11_ctx->object = rsa->object;
+		goto token_key;
+	}
+
+	for (attr = pk11_attribute_first(rsa); attr != NULL;
+	     attr = pk11_attribute_next(rsa, attr))
+	{
+		switch (attr->type) {
+		case CKA_MODULUS:
+			INSIST(keyTemplate[6].type == attr->type);
+			keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			memmove(keyTemplate[6].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[6].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_PUBLIC_EXPONENT:
+			INSIST(keyTemplate[7].type == attr->type);
+			keyTemplate[7].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			memmove(keyTemplate[7].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[7].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_PRIVATE_EXPONENT:
+			INSIST(keyTemplate[8].type == attr->type);
+			keyTemplate[8].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			memmove(keyTemplate[8].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[8].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_PRIME_1:
+			INSIST(keyTemplate[9].type == attr->type);
+			keyTemplate[9].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			memmove(keyTemplate[9].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[9].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_PRIME_2:
+			INSIST(keyTemplate[10].type == attr->type);
+			keyTemplate[10].pValue = isc_mem_get(dctx->mctx,
+							     attr->ulValueLen);
+			memmove(keyTemplate[10].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[10].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_EXPONENT_1:
+			INSIST(keyTemplate[11].type == attr->type);
+			keyTemplate[11].pValue = isc_mem_get(dctx->mctx,
+							     attr->ulValueLen);
+			memmove(keyTemplate[11].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[11].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_EXPONENT_2:
+			INSIST(keyTemplate[12].type == attr->type);
+			keyTemplate[12].pValue = isc_mem_get(dctx->mctx,
+							     attr->ulValueLen);
+			memmove(keyTemplate[12].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[12].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_COEFFICIENT:
+			INSIST(keyTemplate[13].type == attr->type);
+			keyTemplate[13].pValue = isc_mem_get(dctx->mctx,
+							     attr->ulValueLen);
+			memmove(keyTemplate[13].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[13].ulValueLen = attr->ulValueLen;
+			break;
+		}
+	}
+	pk11_ctx->object = CK_INVALID_HANDLE;
+	pk11_ctx->ontoken = false;
+	PK11_RET(pkcs_C_CreateObject,
+		 (pk11_ctx->session, keyTemplate, (CK_ULONG)14, &hKey),
+		 ISC_R_FAILURE);
+
+token_key:
+
+	PK11_RET(pkcs_C_SignInit,
+		 (pk11_ctx->session, &mech,
+		  pk11_ctx->ontoken ? pk11_ctx->object : hKey),
+		 ISC_R_FAILURE);
+
+	PK11_RET(pkcs_C_Sign,
+		 (pk11_ctx->session, digest, dgstlen, NULL, &siglen),
+		 DST_R_SIGNFAILURE);
+
+	if (r.length < (unsigned int)siglen) {
+		return (ISC_R_NOSPACE);
+	}
+
+	PK11_RET(pkcs_C_Sign,
+		 (pk11_ctx->session, digest, dgstlen, (CK_BYTE_PTR)r.base,
+		  &siglen),
+		 DST_R_SIGNFAILURE);
+
+	isc_buffer_add(sig, (unsigned int)siglen);
+
+err:
+	if (hKey != CK_INVALID_HANDLE) {
+		(void)pkcs_C_DestroyObject(pk11_ctx->session, hKey);
+	}
+	for (i = 6; i <= 13; i++) {
+		if (keyTemplate[i].pValue != NULL) {
+			{
+				isc_safe_memwipe(keyTemplate[i].pValue,
+						 keyTemplate[i].ulValueLen);
+				isc_mem_put(dctx->mctx, keyTemplate[i].pValue,
+					    keyTemplate[i].ulValueLen);
+			}
+		}
+	}
+	pk11_return_session(pk11_ctx);
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
+	isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+	dctx->ctxdata.pk11_ctx = NULL;
+
+	return (ret);
+}
+
+static isc_result_t
+pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_RSA_PKCS, NULL, 0 };
+	CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
+	CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
+	CK_KEY_TYPE keyType = CKK_RSA;
+	CK_ATTRIBUTE keyTemplate[] = {
+		{ CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
+		{ CKA_VERIFY, &truevalue, (CK_ULONG)sizeof(truevalue) },
+		{ CKA_MODULUS, NULL, 0 },
+		{ CKA_PUBLIC_EXPONENT, NULL, 0 },
+	};
+	CK_ATTRIBUTE *attr;
+	CK_BYTE digest[MAX_DER_SIZE + ISC_SHA512_DIGESTLENGTH];
+	CK_BYTE *der;
+	CK_ULONG derlen;
+	CK_ULONG hashlen;
+	CK_ULONG dgstlen;
+	pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+	dst_key_t *key = dctx->key;
+	pk11_object_t *rsa = key->keydata.pkey;
+	isc_result_t ret = ISC_R_SUCCESS;
+	unsigned int i;
+
+	REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
+		key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+		key->key_alg == DST_ALG_RSASHA256 ||
+		key->key_alg == DST_ALG_RSASHA512);
+	REQUIRE(rsa != NULL);
+
+	switch (key->key_alg) {
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		der = sha1_der;
+		derlen = sizeof(sha1_der);
+		hashlen = ISC_SHA1_DIGESTLENGTH;
+		break;
+	case DST_ALG_RSASHA256:
+		der = sha256_der;
+		derlen = sizeof(sha256_der);
+		hashlen = ISC_SHA256_DIGESTLENGTH;
+		break;
+	case DST_ALG_RSASHA512:
+		der = sha512_der;
+		derlen = sizeof(sha512_der);
+		hashlen = ISC_SHA512_DIGESTLENGTH;
+		break;
+	default:
+		UNREACHABLE();
+	}
+	dgstlen = derlen + hashlen;
+	INSIST(dgstlen <= sizeof(digest));
+	memmove(digest, der, derlen);
+
+	PK11_RET(pkcs_C_DigestFinal,
+		 (pk11_ctx->session, digest + derlen, &hashlen),
+		 DST_R_SIGNFAILURE);
+
+	for (attr = pk11_attribute_first(rsa); attr != NULL;
+	     attr = pk11_attribute_next(rsa, attr))
+	{
+		unsigned int bits;
+
+		switch (attr->type) {
+		case CKA_MODULUS:
+			INSIST(keyTemplate[5].type == attr->type);
+			keyTemplate[5].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			memmove(keyTemplate[5].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[5].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_PUBLIC_EXPONENT:
+			INSIST(keyTemplate[6].type == attr->type);
+			keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			memmove(keyTemplate[6].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[6].ulValueLen = attr->ulValueLen;
+			ret = pk11_numbits(attr->pValue, attr->ulValueLen,
+					   &bits);
+			if (ret != ISC_R_SUCCESS || bits > RSA_MAX_PUBEXP_BITS)
+			{
+				DST_RET(DST_R_VERIFYFAILURE);
+			}
+			break;
+		}
+	}
+	pk11_ctx->object = CK_INVALID_HANDLE;
+	pk11_ctx->ontoken = false;
+	PK11_RET(pkcs_C_CreateObject,
+		 (pk11_ctx->session, keyTemplate, (CK_ULONG)7, &hKey),
+		 ISC_R_FAILURE);
+
+	PK11_RET(pkcs_C_VerifyInit, (pk11_ctx->session, &mech, hKey),
+		 ISC_R_FAILURE);
+
+	PK11_RET(pkcs_C_Verify,
+		 (pk11_ctx->session, digest, dgstlen, (CK_BYTE_PTR)sig->base,
+		  (CK_ULONG)sig->length),
+		 DST_R_VERIFYFAILURE);
+
+err:
+	if (hKey != CK_INVALID_HANDLE) {
+		(void)pkcs_C_DestroyObject(pk11_ctx->session, hKey);
+	}
+	for (i = 5; i <= 6; i++) {
+		if (keyTemplate[i].pValue != NULL) {
+			{
+				isc_safe_memwipe(keyTemplate[i].pValue,
+						 keyTemplate[i].ulValueLen);
+				isc_mem_put(dctx->mctx, keyTemplate[i].pValue,
+					    keyTemplate[i].ulValueLen);
+			}
+		}
+	}
+	pk11_return_session(pk11_ctx);
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
+	isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+	dctx->ctxdata.pk11_ctx = NULL;
+
+	return (ret);
+}
+#endif /* ifndef PK11_RSA_PKCS_REPLACE */
+
+static bool
+pkcs11rsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
+	pk11_object_t *rsa1, *rsa2;
+	CK_ATTRIBUTE *attr1, *attr2;
+
+	rsa1 = key1->keydata.pkey;
+	rsa2 = key2->keydata.pkey;
+
+	if ((rsa1 == NULL) && (rsa2 == NULL)) {
+		return (true);
+	} else if ((rsa1 == NULL) || (rsa2 == NULL)) {
+		return (false);
+	}
+
+	attr1 = pk11_attribute_bytype(rsa1, CKA_MODULUS);
+	attr2 = pk11_attribute_bytype(rsa2, CKA_MODULUS);
+	if ((attr1 == NULL) && (attr2 == NULL)) {
+		return (true);
+	} else if ((attr1 == NULL) || (attr2 == NULL) ||
+		   (attr1->ulValueLen != attr2->ulValueLen) ||
+		   !isc_safe_memequal(attr1->pValue, attr2->pValue,
+				      attr1->ulValueLen))
+	{
+		return (false);
+	}
+
+	attr1 = pk11_attribute_bytype(rsa1, CKA_PUBLIC_EXPONENT);
+	attr2 = pk11_attribute_bytype(rsa2, CKA_PUBLIC_EXPONENT);
+	if ((attr1 == NULL) && (attr2 == NULL)) {
+		return (true);
+	} else if ((attr1 == NULL) || (attr2 == NULL) ||
+		   (attr1->ulValueLen != attr2->ulValueLen) ||
+		   !isc_safe_memequal(attr1->pValue, attr2->pValue,
+				      attr1->ulValueLen))
+	{
+		return (false);
+	}
+
+	attr1 = pk11_attribute_bytype(rsa1, CKA_PRIVATE_EXPONENT);
+	attr2 = pk11_attribute_bytype(rsa2, CKA_PRIVATE_EXPONENT);
+	if (((attr1 != NULL) || (attr2 != NULL)) &&
+	    ((attr1 == NULL) || (attr2 == NULL) ||
+	     (attr1->ulValueLen != attr2->ulValueLen) ||
+	     !isc_safe_memequal(attr1->pValue, attr2->pValue,
+				attr1->ulValueLen)))
+	{
+		return (false);
+	}
+
+	if (!rsa1->ontoken && !rsa2->ontoken) {
+		return (true);
+	} else if (rsa1->ontoken || rsa2->ontoken ||
+		   (rsa1->object != rsa2->object))
+	{
+		return (false);
+	}
+
+	return (true);
+}
+
+static isc_result_t
+pkcs11rsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_RSA_PKCS_KEY_PAIR_GEN, NULL, 0 };
+	CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE;
+	CK_ULONG bits = 0;
+	CK_BYTE pubexp[5];
+	CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY;
+	CK_KEY_TYPE keyType = CKK_RSA;
+	CK_ATTRIBUTE pubTemplate[] = {
+		{ CKA_CLASS, &pubClass, (CK_ULONG)sizeof(pubClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
+		{ CKA_VERIFY, &truevalue, (CK_ULONG)sizeof(truevalue) },
+		{ CKA_MODULUS_BITS, &bits, (CK_ULONG)sizeof(bits) },
+		{ CKA_PUBLIC_EXPONENT, &pubexp, (CK_ULONG)sizeof(pubexp) }
+	};
+	CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE;
+	CK_OBJECT_CLASS privClass = CKO_PRIVATE_KEY;
+	CK_ATTRIBUTE privTemplate[] = {
+		{ CKA_CLASS, &privClass, (CK_ULONG)sizeof(privClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
+		{ CKA_SENSITIVE, &falsevalue, (CK_ULONG)sizeof(falsevalue) },
+		{ CKA_EXTRACTABLE, &truevalue, (CK_ULONG)sizeof(truevalue) },
+		{ CKA_SIGN, &truevalue, (CK_ULONG)sizeof(truevalue) },
+	};
+	CK_ATTRIBUTE *attr;
+	pk11_object_t *rsa;
+	pk11_context_t *pk11_ctx;
+	isc_result_t ret;
+	unsigned int i;
+
+	UNUSED(callback);
+
+	/*
+	 * Reject incorrect RSA key lengths.
+	 */
+	switch (key->key_alg) {
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		/* From RFC 3110 */
+		if (key->key_size > 4096) {
+			return (ISC_R_FAILURE);
+		}
+		break;
+	case DST_ALG_RSASHA256:
+		/* From RFC 5702 */
+		if ((key->key_size < 512) || (key->key_size > 4096)) {
+			return (ISC_R_FAILURE);
+		}
+		break;
+	case DST_ALG_RSASHA512:
+		/* From RFC 5702 */
+		if ((key->key_size < 1024) || (key->key_size > 4096)) {
+			return (ISC_R_FAILURE);
+		}
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	pk11_ctx = isc_mem_get(key->mctx, sizeof(*pk11_ctx));
+	ret = pk11_get_session(pk11_ctx, OP_RSA, true, false, false, NULL,
+			       pk11_get_best_token(OP_RSA));
+	if (ret != ISC_R_SUCCESS) {
+		goto err;
+	}
+
+	bits = key->key_size;
+	if (exp == 0) {
+		/* RSA_F4 0x10001 */
+		pubexp[0] = 1;
+		pubexp[1] = 0;
+		pubexp[2] = 1;
+		pubTemplate[6].ulValueLen = 3;
+	} else {
+		/* F5 0x100000001 */
+		pubexp[0] = 1;
+		pubexp[1] = 0;
+		pubexp[2] = 0;
+		pubexp[3] = 0;
+		pubexp[4] = 1;
+		pubTemplate[6].ulValueLen = 5;
+	}
+
+	PK11_RET(pkcs_C_GenerateKeyPair,
+		 (pk11_ctx->session, &mech, pubTemplate, (CK_ULONG)7,
+		  privTemplate, (CK_ULONG)7, &pub, &priv),
+		 DST_R_CRYPTOFAILURE);
+
+	rsa = isc_mem_get(key->mctx, sizeof(*rsa));
+	memset(rsa, 0, sizeof(*rsa));
+	key->keydata.pkey = rsa;
+	rsa->repr = isc_mem_get(key->mctx, sizeof(*attr) * 8);
+	memset(rsa->repr, 0, sizeof(*attr) * 8);
+	rsa->attrcnt = 8;
+
+	attr = rsa->repr;
+	attr[0].type = CKA_MODULUS;
+	attr[1].type = CKA_PUBLIC_EXPONENT;
+	attr[2].type = CKA_PRIVATE_EXPONENT;
+	attr[3].type = CKA_PRIME_1;
+	attr[4].type = CKA_PRIME_2;
+	attr[5].type = CKA_EXPONENT_1;
+	attr[6].type = CKA_EXPONENT_2;
+	attr[7].type = CKA_COEFFICIENT;
+
+	PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, pub, attr, 2),
+		 DST_R_CRYPTOFAILURE);
+	for (i = 0; i <= 1; i++) {
+		attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen);
+		memset(attr[i].pValue, 0, attr[i].ulValueLen);
+	}
+	PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, pub, attr, 2),
+		 DST_R_CRYPTOFAILURE);
+
+	attr += 2;
+	PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, priv, attr, 6),
+		 DST_R_CRYPTOFAILURE);
+	for (i = 0; i <= 5; i++) {
+		attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen);
+		memset(attr[i].pValue, 0, attr[i].ulValueLen);
+	}
+	PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, priv, attr, 6),
+		 DST_R_CRYPTOFAILURE);
+
+	(void)pkcs_C_DestroyObject(pk11_ctx->session, priv);
+	(void)pkcs_C_DestroyObject(pk11_ctx->session, pub);
+	pk11_return_session(pk11_ctx);
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
+	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+	return (ISC_R_SUCCESS);
+
+err:
+	pkcs11rsa_destroy(key);
+	if (priv != CK_INVALID_HANDLE) {
+		(void)pkcs_C_DestroyObject(pk11_ctx->session, priv);
+	}
+	if (pub != CK_INVALID_HANDLE) {
+		(void)pkcs_C_DestroyObject(pk11_ctx->session, pub);
+	}
+	pk11_return_session(pk11_ctx);
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
+	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+	return (ret);
+}
+
+static bool
+pkcs11rsa_isprivate(const dst_key_t *key) {
+	pk11_object_t *rsa = key->keydata.pkey;
+	CK_ATTRIBUTE *attr;
+
+	if (rsa == NULL) {
+		return (false);
+	}
+	attr = pk11_attribute_bytype(rsa, CKA_PRIVATE_EXPONENT);
+	return (attr != NULL || rsa->ontoken);
+}
+
+static void
+pkcs11rsa_destroy(dst_key_t *key) {
+	pk11_object_t *rsa = key->keydata.pkey;
+	CK_ATTRIBUTE *attr;
+
+	if (rsa == NULL) {
+		return;
+	}
+
+	INSIST((rsa->object == CK_INVALID_HANDLE) || rsa->ontoken);
+
+	for (attr = pk11_attribute_first(rsa); attr != NULL;
+	     attr = pk11_attribute_next(rsa, attr))
+	{
+		switch (attr->type) {
+		case CKA_LABEL:
+		case CKA_ID:
+		case CKA_MODULUS:
+		case CKA_PUBLIC_EXPONENT:
+		case CKA_PRIVATE_EXPONENT:
+		case CKA_PRIME_1:
+		case CKA_PRIME_2:
+		case CKA_EXPONENT_1:
+		case CKA_EXPONENT_2:
+		case CKA_COEFFICIENT:
+			if (attr->pValue != NULL) {
+				isc_safe_memwipe(attr->pValue,
+						 attr->ulValueLen);
+				isc_mem_put(key->mctx, attr->pValue,
+					    attr->ulValueLen);
+			}
+			break;
+		}
+	}
+	if (rsa->repr != NULL) {
+		isc_safe_memwipe(rsa->repr, rsa->attrcnt * sizeof(*attr));
+		isc_mem_put(key->mctx, rsa->repr, rsa->attrcnt * sizeof(*attr));
+	}
+	isc_safe_memwipe(rsa, sizeof(*rsa));
+	isc_mem_put(key->mctx, rsa, sizeof(*rsa));
+	key->keydata.pkey = NULL;
+}
+
+static isc_result_t
+pkcs11rsa_todns(const dst_key_t *key, isc_buffer_t *data) {
+	pk11_object_t *rsa;
+	CK_ATTRIBUTE *attr;
+	isc_region_t r;
+	unsigned int e_bytes = 0, mod_bytes = 0;
+	CK_BYTE *exponent = NULL, *modulus = NULL;
+
+	REQUIRE(key->keydata.pkey != NULL);
+
+	rsa = key->keydata.pkey;
+
+	for (attr = pk11_attribute_first(rsa); attr != NULL;
+	     attr = pk11_attribute_next(rsa, attr))
+	{
+		switch (attr->type) {
+		case CKA_PUBLIC_EXPONENT:
+			exponent = (CK_BYTE *)attr->pValue;
+			e_bytes = (unsigned int)attr->ulValueLen;
+			break;
+		case CKA_MODULUS:
+			modulus = (CK_BYTE *)attr->pValue;
+			mod_bytes = (unsigned int)attr->ulValueLen;
+			break;
+		}
+	}
+	REQUIRE((exponent != NULL) && (modulus != NULL));
+
+	isc_buffer_availableregion(data, &r);
+
+	if (e_bytes < 256) { /*%< key exponent is <= 2040 bits */
+		if (r.length < 1) {
+			return (ISC_R_NOSPACE);
+		}
+		isc_buffer_putuint8(data, (uint8_t)e_bytes);
+		isc_region_consume(&r, 1);
+	} else {
+		if (r.length < 3) {
+			return (ISC_R_NOSPACE);
+		}
+		isc_buffer_putuint8(data, 0);
+		isc_buffer_putuint16(data, (uint16_t)e_bytes);
+		isc_region_consume(&r, 3);
+	}
+
+	if (r.length < e_bytes + mod_bytes) {
+		return (ISC_R_NOSPACE);
+	}
+
+	memmove(r.base, exponent, e_bytes);
+	isc_region_consume(&r, e_bytes);
+	memmove(r.base, modulus, mod_bytes);
+
+	isc_buffer_add(data, e_bytes + mod_bytes);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+	pk11_object_t *rsa;
+	isc_region_t r;
+	unsigned int e_bytes, mod_bytes;
+	CK_BYTE *exponent = NULL, *modulus = NULL;
+	CK_ATTRIBUTE *attr;
+	unsigned int length;
+	unsigned int bits;
+	isc_result_t ret = ISC_R_SUCCESS;
+
+	isc_buffer_remainingregion(data, &r);
+	if (r.length == 0) {
+		return (ISC_R_SUCCESS);
+	}
+	length = r.length;
+
+	rsa = isc_mem_get(key->mctx, sizeof(*rsa));
+
+	memset(rsa, 0, sizeof(*rsa));
+
+	e_bytes = *r.base;
+	isc_region_consume(&r, 1);
+
+	if (e_bytes == 0) {
+		if (r.length < 2) {
+			DST_RET(DST_R_INVALIDPUBLICKEY);
+		}
+		e_bytes = (*r.base) << 8;
+		isc_region_consume(&r, 1);
+		e_bytes += *r.base;
+		isc_region_consume(&r, 1);
+	}
+
+	if (r.length < e_bytes) {
+		DST_RET(DST_R_INVALIDPUBLICKEY);
+	}
+	exponent = r.base;
+	isc_region_consume(&r, e_bytes);
+	modulus = r.base;
+	mod_bytes = r.length;
+
+	ret = pk11_numbits(modulus, mod_bytes, &bits);
+	if (ret != ISC_R_SUCCESS) {
+		goto err;
+	}
+	key->key_size = bits;
+
+	isc_buffer_forward(data, length);
+
+	rsa->repr = isc_mem_get(key->mctx, sizeof(*attr) * 2);
+	memset(rsa->repr, 0, sizeof(*attr) * 2);
+	rsa->attrcnt = 2;
+	attr = rsa->repr;
+	attr[0].type = CKA_MODULUS;
+	attr[0].pValue = isc_mem_get(key->mctx, mod_bytes);
+	memmove(attr[0].pValue, modulus, mod_bytes);
+	attr[0].ulValueLen = (CK_ULONG)mod_bytes;
+	attr[1].type = CKA_PUBLIC_EXPONENT;
+	attr[1].pValue = isc_mem_get(key->mctx, e_bytes);
+	memmove(attr[1].pValue, exponent, e_bytes);
+	attr[1].ulValueLen = (CK_ULONG)e_bytes;
+
+	key->keydata.pkey = rsa;
+
+	return (ISC_R_SUCCESS);
+err:
+	isc_safe_memwipe(rsa, sizeof(*rsa));
+	isc_mem_put(key->mctx, rsa, sizeof(*rsa));
+	return (ret);
+}
+
+static isc_result_t
+pkcs11rsa_tofile(const dst_key_t *key, const char *directory) {
+	int i;
+	pk11_object_t *rsa;
+	CK_ATTRIBUTE *attr;
+	CK_ATTRIBUTE *modulus = NULL, *exponent = NULL;
+	CK_ATTRIBUTE *d = NULL, *p = NULL, *q = NULL;
+	CK_ATTRIBUTE *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
+	dst_private_t priv;
+	unsigned char *bufs[10];
+	isc_result_t result;
+
+	if (key->keydata.pkey == NULL) {
+		return (DST_R_NULLKEY);
+	}
+
+	if (key->external) {
+		priv.nelements = 0;
+		return (dst__privstruct_writefile(key, &priv, directory));
+	}
+
+	rsa = key->keydata.pkey;
+
+	for (attr = pk11_attribute_first(rsa); attr != NULL;
+	     attr = pk11_attribute_next(rsa, attr))
+	{
+		switch (attr->type) {
+		case CKA_MODULUS:
+			modulus = attr;
+			break;
+		case CKA_PUBLIC_EXPONENT:
+			exponent = attr;
+			break;
+		case CKA_PRIVATE_EXPONENT:
+			d = attr;
+			break;
+		case CKA_PRIME_1:
+			p = attr;
+			break;
+		case CKA_PRIME_2:
+			q = attr;
+			break;
+		case CKA_EXPONENT_1:
+			dmp1 = attr;
+			break;
+		case CKA_EXPONENT_2:
+			dmq1 = attr;
+			break;
+		case CKA_COEFFICIENT:
+			iqmp = attr;
+			break;
+		}
+	}
+	if ((modulus == NULL) || (exponent == NULL)) {
+		return (DST_R_NULLKEY);
+	}
+
+	memset(bufs, 0, sizeof(bufs));
+
+	for (i = 0; i < 10; i++) {
+		bufs[i] = isc_mem_get(key->mctx, modulus->ulValueLen);
+		memset(bufs[i], 0, modulus->ulValueLen);
+	}
+
+	i = 0;
+
+	priv.elements[i].tag = TAG_RSA_MODULUS;
+	priv.elements[i].length = (unsigned short)modulus->ulValueLen;
+	memmove(bufs[i], modulus->pValue, modulus->ulValueLen);
+	priv.elements[i].data = bufs[i];
+	i++;
+
+	priv.elements[i].tag = TAG_RSA_PUBLICEXPONENT;
+	priv.elements[i].length = (unsigned short)exponent->ulValueLen;
+	memmove(bufs[i], exponent->pValue, exponent->ulValueLen);
+	priv.elements[i].data = bufs[i];
+	i++;
+
+	if (d != NULL) {
+		priv.elements[i].tag = TAG_RSA_PRIVATEEXPONENT;
+		priv.elements[i].length = (unsigned short)d->ulValueLen;
+		memmove(bufs[i], d->pValue, d->ulValueLen);
+		priv.elements[i].data = bufs[i];
+		i++;
+	}
+
+	if (p != NULL) {
+		priv.elements[i].tag = TAG_RSA_PRIME1;
+		priv.elements[i].length = (unsigned short)p->ulValueLen;
+		memmove(bufs[i], p->pValue, p->ulValueLen);
+		priv.elements[i].data = bufs[i];
+		i++;
+	}
+
+	if (q != NULL) {
+		priv.elements[i].tag = TAG_RSA_PRIME2;
+		priv.elements[i].length = (unsigned short)q->ulValueLen;
+		memmove(bufs[i], q->pValue, q->ulValueLen);
+		priv.elements[i].data = bufs[i];
+		i++;
+	}
+
+	if (dmp1 != NULL) {
+		priv.elements[i].tag = TAG_RSA_EXPONENT1;
+		priv.elements[i].length = (unsigned short)dmp1->ulValueLen;
+		memmove(bufs[i], dmp1->pValue, dmp1->ulValueLen);
+		priv.elements[i].data = bufs[i];
+		i++;
+	}
+
+	if (dmq1 != NULL) {
+		priv.elements[i].tag = TAG_RSA_EXPONENT2;
+		priv.elements[i].length = (unsigned short)dmq1->ulValueLen;
+		memmove(bufs[i], dmq1->pValue, dmq1->ulValueLen);
+		priv.elements[i].data = bufs[i];
+		i++;
+	}
+
+	if (iqmp != NULL) {
+		priv.elements[i].tag = TAG_RSA_COEFFICIENT;
+		priv.elements[i].length = (unsigned short)iqmp->ulValueLen;
+		memmove(bufs[i], iqmp->pValue, iqmp->ulValueLen);
+		priv.elements[i].data = bufs[i];
+		i++;
+	}
+
+	if (key->engine != NULL) {
+		priv.elements[i].tag = TAG_RSA_ENGINE;
+		priv.elements[i].length = (unsigned short)strlen(key->engine) +
+					  1;
+		priv.elements[i].data = (unsigned char *)key->engine;
+		i++;
+	}
+
+	if (key->label != NULL) {
+		priv.elements[i].tag = TAG_RSA_LABEL;
+		priv.elements[i].length = (unsigned short)strlen(key->label) +
+					  1;
+		priv.elements[i].data = (unsigned char *)key->label;
+		i++;
+	}
+
+	priv.nelements = i;
+	result = dst__privstruct_writefile(key, &priv, directory);
+	for (i = 0; i < 10; i++) {
+		if (bufs[i] == NULL) {
+			break;
+		}
+		isc_safe_memwipe(bufs[i], modulus->ulValueLen);
+		isc_mem_put(key->mctx, bufs[i], modulus->ulValueLen);
+	}
+	return (result);
+}
+
+static isc_result_t
+pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label,
+		dst_key_t *pub) {
+	CK_RV rv;
+	CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
+	CK_KEY_TYPE keyType = CKK_RSA;
+	CK_ATTRIBUTE searchTemplate[] = {
+		{ CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
+		{ CKA_TOKEN, &truevalue, (CK_ULONG)sizeof(truevalue) },
+		{ CKA_LABEL, NULL, 0 }
+	};
+	CK_ULONG cnt;
+	CK_ATTRIBUTE *attr;
+	CK_ATTRIBUTE *pubattr;
+	pk11_object_t *rsa;
+	pk11_object_t *pubrsa;
+	pk11_context_t *pk11_ctx = NULL;
+	isc_result_t ret;
+	unsigned int bits;
+
+	if (label == NULL) {
+		return (DST_R_NOENGINE);
+	}
+
+	rsa = key->keydata.pkey;
+	pubrsa = pub->keydata.pkey;
+
+	rsa->object = CK_INVALID_HANDLE;
+	rsa->ontoken = true;
+	rsa->reqlogon = true;
+	rsa->repr = isc_mem_get(key->mctx, sizeof(*attr) * 2);
+	memset(rsa->repr, 0, sizeof(*attr) * 2);
+	rsa->attrcnt = 2;
+	attr = rsa->repr;
+
+	attr->type = CKA_MODULUS;
+	pubattr = pk11_attribute_bytype(pubrsa, CKA_MODULUS);
+	INSIST(pubattr != NULL);
+	attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen);
+	memmove(attr->pValue, pubattr->pValue, pubattr->ulValueLen);
+	attr->ulValueLen = pubattr->ulValueLen;
+	attr++;
+
+	attr->type = CKA_PUBLIC_EXPONENT;
+	pubattr = pk11_attribute_bytype(pubrsa, CKA_PUBLIC_EXPONENT);
+	INSIST(pubattr != NULL);
+	attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen);
+	memmove(attr->pValue, pubattr->pValue, pubattr->ulValueLen);
+	attr->ulValueLen = pubattr->ulValueLen;
+
+	ret = pk11_parse_uri(rsa, label, key->mctx, OP_RSA);
+	if (ret != ISC_R_SUCCESS) {
+		goto err;
+	}
+
+	pk11_ctx = isc_mem_get(key->mctx, sizeof(*pk11_ctx));
+	ret = pk11_get_session(pk11_ctx, OP_RSA, true, false, rsa->reqlogon,
+			       NULL, rsa->slot);
+	if (ret != ISC_R_SUCCESS) {
+		goto err;
+	}
+
+	attr = pk11_attribute_bytype(rsa, CKA_LABEL);
+	if (attr == NULL) {
+		attr = pk11_attribute_bytype(rsa, CKA_ID);
+		INSIST(attr != NULL);
+		searchTemplate[3].type = CKA_ID;
+	}
+	searchTemplate[3].pValue = attr->pValue;
+	searchTemplate[3].ulValueLen = attr->ulValueLen;
+
+	PK11_RET(pkcs_C_FindObjectsInit,
+		 (pk11_ctx->session, searchTemplate, (CK_ULONG)4),
+		 DST_R_CRYPTOFAILURE);
+	PK11_RET(pkcs_C_FindObjects,
+		 (pk11_ctx->session, &rsa->object, (CK_ULONG)1, &cnt),
+		 DST_R_CRYPTOFAILURE);
+	(void)pkcs_C_FindObjectsFinal(pk11_ctx->session);
+	if (cnt == 0) {
+		DST_RET(ISC_R_NOTFOUND);
+	}
+	if (cnt > 1) {
+		DST_RET(ISC_R_EXISTS);
+	}
+
+	if (engine != NULL) {
+		key->engine = isc_mem_strdup(key->mctx, engine);
+	}
+
+	key->label = isc_mem_strdup(key->mctx, label);
+
+	pk11_return_session(pk11_ctx);
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
+	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+	attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
+	INSIST(attr != NULL);
+	ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
+	if (ret != ISC_R_SUCCESS) {
+		goto err;
+	}
+	key->key_size = bits;
+
+	return (ISC_R_SUCCESS);
+
+err:
+	if (pk11_ctx != NULL) {
+		pk11_return_session(pk11_ctx);
+		isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
+		isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+	}
+
+	return (ret);
+}
+
+static isc_result_t
+rsa_check(pk11_object_t *rsa, pk11_object_t *pubrsa) {
+	CK_ATTRIBUTE *pubattr, *privattr;
+	CK_BYTE *priv_exp = NULL, *priv_mod = NULL;
+	CK_BYTE *pub_exp = NULL, *pub_mod = NULL;
+	unsigned int priv_explen = 0, priv_modlen = 0;
+	unsigned int pub_explen = 0, pub_modlen = 0;
+
+	REQUIRE(rsa != NULL && pubrsa != NULL);
+
+	privattr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
+	INSIST(privattr != NULL);
+	priv_exp = privattr->pValue;
+	priv_explen = privattr->ulValueLen;
+
+	pubattr = pk11_attribute_bytype(pubrsa, CKA_PUBLIC_EXPONENT);
+	INSIST(pubattr != NULL);
+	pub_exp = pubattr->pValue;
+	pub_explen = pubattr->ulValueLen;
+
+	if (priv_exp != NULL) {
+		if (priv_explen != pub_explen) {
+			return (DST_R_INVALIDPRIVATEKEY);
+		}
+		if (!isc_safe_memequal(priv_exp, pub_exp, pub_explen)) {
+			return (DST_R_INVALIDPRIVATEKEY);
+		}
+	} else {
+		privattr->pValue = pub_exp;
+		privattr->ulValueLen = pub_explen;
+		pubattr->pValue = NULL;
+		pubattr->ulValueLen = 0;
+	}
+
+	if (privattr->pValue == NULL) {
+		return (DST_R_INVALIDPRIVATEKEY);
+	}
+
+	privattr = pk11_attribute_bytype(rsa, CKA_MODULUS);
+	INSIST(privattr != NULL);
+	priv_mod = privattr->pValue;
+	priv_modlen = privattr->ulValueLen;
+
+	pubattr = pk11_attribute_bytype(pubrsa, CKA_MODULUS);
+	INSIST(pubattr != NULL);
+	pub_mod = pubattr->pValue;
+	pub_modlen = pubattr->ulValueLen;
+
+	if (priv_mod != NULL) {
+		if (priv_modlen != pub_modlen) {
+			return (DST_R_INVALIDPRIVATEKEY);
+		}
+		if (!isc_safe_memequal(priv_mod, pub_mod, pub_modlen)) {
+			return (DST_R_INVALIDPRIVATEKEY);
+		}
+	} else {
+		privattr->pValue = pub_mod;
+		privattr->ulValueLen = pub_modlen;
+		pubattr->pValue = NULL;
+		pubattr->ulValueLen = 0;
+	}
+
+	if (privattr->pValue == NULL) {
+		return (DST_R_INVALIDPRIVATEKEY);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+	dst_private_t priv;
+	isc_result_t ret;
+	int i;
+	pk11_object_t *rsa;
+	CK_ATTRIBUTE *attr;
+	isc_mem_t *mctx = key->mctx;
+	const char *engine = NULL, *label = NULL;
+	unsigned int bits;
+
+	/* read private key file */
+	ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv);
+	if (ret != ISC_R_SUCCESS) {
+		return (ret);
+	}
+
+	if (key->external) {
+		if (priv.nelements != 0) {
+			DST_RET(DST_R_INVALIDPRIVATEKEY);
+		}
+		if (pub == NULL) {
+			DST_RET(DST_R_INVALIDPRIVATEKEY);
+		}
+
+		key->keydata.pkey = pub->keydata.pkey;
+		pub->keydata.pkey = NULL;
+		key->key_size = pub->key_size;
+
+		dst__privstruct_free(&priv, mctx);
+		isc_safe_memwipe(&priv, sizeof(priv));
+
+		return (ISC_R_SUCCESS);
+	}
+
+	for (i = 0; i < priv.nelements; i++) {
+		switch (priv.elements[i].tag) {
+		case TAG_RSA_ENGINE:
+			engine = (char *)priv.elements[i].data;
+			break;
+		case TAG_RSA_LABEL:
+			label = (char *)priv.elements[i].data;
+			break;
+		default:
+			break;
+		}
+	}
+	rsa = isc_mem_get(key->mctx, sizeof(*rsa));
+	memset(rsa, 0, sizeof(*rsa));
+	key->keydata.pkey = rsa;
+
+	/* Is this key is stored in a HSM? See if we can fetch it. */
+	if ((label != NULL) || (engine != NULL)) {
+		ret = pkcs11rsa_fetch(key, engine, label, pub);
+		if (ret != ISC_R_SUCCESS) {
+			goto err;
+		}
+		dst__privstruct_free(&priv, mctx);
+		isc_safe_memwipe(&priv, sizeof(priv));
+		return (ret);
+	}
+
+	rsa->repr = isc_mem_get(key->mctx, sizeof(*attr) * 8);
+	memset(rsa->repr, 0, sizeof(*attr) * 8);
+	rsa->attrcnt = 8;
+	attr = rsa->repr;
+	attr[0].type = CKA_MODULUS;
+	attr[1].type = CKA_PUBLIC_EXPONENT;
+	attr[2].type = CKA_PRIVATE_EXPONENT;
+	attr[3].type = CKA_PRIME_1;
+	attr[4].type = CKA_PRIME_2;
+	attr[5].type = CKA_EXPONENT_1;
+	attr[6].type = CKA_EXPONENT_2;
+	attr[7].type = CKA_COEFFICIENT;
+
+	for (i = 0; i < priv.nelements; i++) {
+		CK_BYTE *bn;
+
+		switch (priv.elements[i].tag) {
+		case TAG_RSA_ENGINE:
+			continue;
+		case TAG_RSA_LABEL:
+			continue;
+		default:
+			bn = isc_mem_get(key->mctx, priv.elements[i].length);
+			memmove(bn, priv.elements[i].data,
+				priv.elements[i].length);
+		}
+
+		switch (priv.elements[i].tag) {
+		case TAG_RSA_MODULUS:
+			attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
+			INSIST(attr != NULL);
+			attr->pValue = bn;
+			attr->ulValueLen = priv.elements[i].length;
+			break;
+		case TAG_RSA_PUBLICEXPONENT:
+			attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
+			INSIST(attr != NULL);
+			attr->pValue = bn;
+			attr->ulValueLen = priv.elements[i].length;
+			break;
+		case TAG_RSA_PRIVATEEXPONENT:
+			attr = pk11_attribute_bytype(rsa, CKA_PRIVATE_EXPONENT);
+			INSIST(attr != NULL);
+			attr->pValue = bn;
+			attr->ulValueLen = priv.elements[i].length;
+			break;
+		case TAG_RSA_PRIME1:
+			attr = pk11_attribute_bytype(rsa, CKA_PRIME_1);
+			INSIST(attr != NULL);
+			attr->pValue = bn;
+			attr->ulValueLen = priv.elements[i].length;
+			break;
+		case TAG_RSA_PRIME2:
+			attr = pk11_attribute_bytype(rsa, CKA_PRIME_2);
+			INSIST(attr != NULL);
+			attr->pValue = bn;
+			attr->ulValueLen = priv.elements[i].length;
+			break;
+		case TAG_RSA_EXPONENT1:
+			attr = pk11_attribute_bytype(rsa, CKA_EXPONENT_1);
+			INSIST(attr != NULL);
+			attr->pValue = bn;
+			attr->ulValueLen = priv.elements[i].length;
+			break;
+		case TAG_RSA_EXPONENT2:
+			attr = pk11_attribute_bytype(rsa, CKA_EXPONENT_2);
+			INSIST(attr != NULL);
+			attr->pValue = bn;
+			attr->ulValueLen = priv.elements[i].length;
+			break;
+		case TAG_RSA_COEFFICIENT:
+			attr = pk11_attribute_bytype(rsa, CKA_COEFFICIENT);
+			INSIST(attr != NULL);
+			attr->pValue = bn;
+			attr->ulValueLen = priv.elements[i].length;
+			break;
+		}
+	}
+
+	if (rsa_check(rsa, pub->keydata.pkey) != ISC_R_SUCCESS) {
+		DST_RET(DST_R_INVALIDPRIVATEKEY);
+	}
+
+	attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
+	INSIST(attr != NULL);
+	ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
+	if (ret != ISC_R_SUCCESS) {
+		goto err;
+	}
+	key->key_size = bits;
+
+	attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
+	INSIST(attr != NULL);
+
+	ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
+	if (ret != ISC_R_SUCCESS) {
+		goto err;
+	}
+	if (bits > RSA_MAX_PUBEXP_BITS) {
+		DST_RET(ISC_R_RANGE);
+	}
+
+	dst__privstruct_free(&priv, mctx);
+	isc_safe_memwipe(&priv, sizeof(priv));
+
+	return (ISC_R_SUCCESS);
+
+err:
+	pkcs11rsa_destroy(key);
+	dst__privstruct_free(&priv, mctx);
+	isc_safe_memwipe(&priv, sizeof(priv));
+	return (ret);
+}
+
+static isc_result_t
+pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+		    const char *pin) {
+	CK_RV rv;
+	CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
+	CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
+	CK_KEY_TYPE keyType = CKK_RSA;
+	CK_ATTRIBUTE searchTemplate[] = {
+		{ CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
+		{ CKA_TOKEN, &truevalue, (CK_ULONG)sizeof(truevalue) },
+		{ CKA_LABEL, NULL, 0 }
+	};
+	CK_ULONG cnt;
+	CK_ATTRIBUTE *attr;
+	pk11_object_t *rsa;
+	pk11_context_t *pk11_ctx = NULL;
+	isc_result_t ret;
+	unsigned int i;
+	unsigned int bits;
+
+	UNUSED(pin);
+
+	rsa = isc_mem_get(key->mctx, sizeof(*rsa));
+	memset(rsa, 0, sizeof(*rsa));
+	rsa->object = CK_INVALID_HANDLE;
+	rsa->ontoken = true;
+	rsa->reqlogon = true;
+	key->keydata.pkey = rsa;
+
+	rsa->repr = isc_mem_get(key->mctx, sizeof(*attr) * 2);
+	memset(rsa->repr, 0, sizeof(*attr) * 2);
+	rsa->attrcnt = 2;
+	attr = rsa->repr;
+	attr[0].type = CKA_MODULUS;
+	attr[1].type = CKA_PUBLIC_EXPONENT;
+
+	ret = pk11_parse_uri(rsa, label, key->mctx, OP_RSA);
+	if (ret != ISC_R_SUCCESS) {
+		goto err;
+	}
+
+	pk11_ctx = isc_mem_get(key->mctx, sizeof(*pk11_ctx));
+	ret = pk11_get_session(pk11_ctx, OP_RSA, true, false, rsa->reqlogon,
+			       NULL, rsa->slot);
+	if (ret != ISC_R_SUCCESS) {
+		goto err;
+	}
+
+	attr = pk11_attribute_bytype(rsa, CKA_LABEL);
+	if (attr == NULL) {
+		attr = pk11_attribute_bytype(rsa, CKA_ID);
+		INSIST(attr != NULL);
+		searchTemplate[3].type = CKA_ID;
+	}
+	searchTemplate[3].pValue = attr->pValue;
+	searchTemplate[3].ulValueLen = attr->ulValueLen;
+
+	PK11_RET(pkcs_C_FindObjectsInit,
+		 (pk11_ctx->session, searchTemplate, (CK_ULONG)4),
+		 DST_R_CRYPTOFAILURE);
+	PK11_RET(pkcs_C_FindObjects,
+		 (pk11_ctx->session, &hKey, (CK_ULONG)1, &cnt),
+		 DST_R_CRYPTOFAILURE);
+	(void)pkcs_C_FindObjectsFinal(pk11_ctx->session);
+	if (cnt == 0) {
+		DST_RET(ISC_R_NOTFOUND);
+	}
+	if (cnt > 1) {
+		DST_RET(ISC_R_EXISTS);
+	}
+
+	attr = rsa->repr;
+	PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, hKey, attr, 2),
+		 DST_R_CRYPTOFAILURE);
+	for (i = 0; i <= 1; i++) {
+		attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen);
+		memset(attr[i].pValue, 0, attr[i].ulValueLen);
+	}
+	PK11_RET(pkcs_C_GetAttributeValue, (pk11_ctx->session, hKey, attr, 2),
+		 DST_R_CRYPTOFAILURE);
+
+	keyClass = CKO_PRIVATE_KEY;
+	PK11_RET(pkcs_C_FindObjectsInit,
+		 (pk11_ctx->session, searchTemplate, (CK_ULONG)4),
+		 DST_R_CRYPTOFAILURE);
+	PK11_RET(pkcs_C_FindObjects,
+		 (pk11_ctx->session, &rsa->object, (CK_ULONG)1, &cnt),
+		 DST_R_CRYPTOFAILURE);
+	(void)pkcs_C_FindObjectsFinal(pk11_ctx->session);
+	if (cnt == 0) {
+		DST_RET(ISC_R_NOTFOUND);
+	}
+	if (cnt > 1) {
+		DST_RET(ISC_R_EXISTS);
+	}
+
+	if (engine != NULL) {
+		key->engine = isc_mem_strdup(key->mctx, engine);
+	}
+
+	key->label = isc_mem_strdup(key->mctx, label);
+
+	attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
+	INSIST(attr != NULL);
+
+	ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
+	if (ret != ISC_R_SUCCESS) {
+		goto err;
+	}
+	if (bits > RSA_MAX_PUBEXP_BITS) {
+		DST_RET(ISC_R_RANGE);
+	}
+
+	attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
+	INSIST(attr != NULL);
+	ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
+	if (ret != ISC_R_SUCCESS) {
+		goto err;
+	}
+	key->key_size = bits;
+
+	pk11_return_session(pk11_ctx);
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
+	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+	return (ISC_R_SUCCESS);
+
+err:
+	pkcs11rsa_destroy(key);
+	if (pk11_ctx != NULL) {
+		pk11_return_session(pk11_ctx);
+		isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
+		isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+	}
+
+	return (ret);
+}
+
+static dst_func_t pkcs11rsa_functions = {
+	pkcs11rsa_createctx,
+#ifndef PK11_RSA_PKCS_REPLACE
+	pkcs11rsa_createctx2,
+#else  /* ifndef PK11_RSA_PKCS_REPLACE */
+	NULL, /*%< createctx2 */
+#endif /* ifndef PK11_RSA_PKCS_REPLACE */
+	pkcs11rsa_destroyctx,
+	pkcs11rsa_adddata,
+	pkcs11rsa_sign,
+	pkcs11rsa_verify,
+	NULL, /*%< verify2 */
+	NULL, /*%< computesecret */
+	pkcs11rsa_compare,
+	NULL, /*%< paramcompare */
+	pkcs11rsa_generate,
+	pkcs11rsa_isprivate,
+	pkcs11rsa_destroy,
+	pkcs11rsa_todns,
+	pkcs11rsa_fromdns,
+	pkcs11rsa_tofile,
+	pkcs11rsa_parse,
+	NULL, /*%< cleanup */
+	pkcs11rsa_fromlabel,
+	NULL, /*%< dump */
+	NULL, /*%< restore */
+};
+
+isc_result_t
+dst__pkcs11rsa_init(dst_func_t **funcp) {
+	REQUIRE(funcp != NULL);
+
+	if (*funcp == NULL) {
+		*funcp = &pkcs11rsa_functions;
+	}
+	return (ISC_R_SUCCESS);
+}
+
+#endif /* USE_PKCS11 */
diff --git a/lib/dns/portlist.c b/lib/dns/portlist.c
new file mode 100644
index 0000000..c1d523c
--- /dev/null
+++ b/lib/dns/portlist.c
@@ -0,0 +1,252 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/mutex.h>
+#include <isc/net.h>
+#include <isc/refcount.h>
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <dns/portlist.h>
+#include <dns/types.h>
+
+#define DNS_PORTLIST_MAGIC    ISC_MAGIC('P', 'L', 'S', 'T')
+#define DNS_VALID_PORTLIST(p) ISC_MAGIC_VALID(p, DNS_PORTLIST_MAGIC)
+
+typedef struct dns_element {
+	in_port_t port;
+	uint16_t flags;
+} dns_element_t;
+
+struct dns_portlist {
+	unsigned int magic;
+	isc_mem_t *mctx;
+	isc_refcount_t refcount;
+	isc_mutex_t lock;
+	dns_element_t *list;
+	unsigned int allocated;
+	unsigned int active;
+};
+
+#define DNS_PL_INET	0x0001
+#define DNS_PL_INET6	0x0002
+#define DNS_PL_ALLOCATE 16
+
+static int
+compare(const void *arg1, const void *arg2) {
+	const dns_element_t *e1 = (const dns_element_t *)arg1;
+	const dns_element_t *e2 = (const dns_element_t *)arg2;
+
+	if (e1->port < e2->port) {
+		return (-1);
+	}
+	if (e1->port > e2->port) {
+		return (1);
+	}
+	return (0);
+}
+
+isc_result_t
+dns_portlist_create(isc_mem_t *mctx, dns_portlist_t **portlistp) {
+	dns_portlist_t *portlist;
+
+	REQUIRE(portlistp != NULL && *portlistp == NULL);
+
+	portlist = isc_mem_get(mctx, sizeof(*portlist));
+	isc_mutex_init(&portlist->lock);
+	isc_refcount_init(&portlist->refcount, 1);
+	portlist->list = NULL;
+	portlist->allocated = 0;
+	portlist->active = 0;
+	portlist->mctx = NULL;
+	isc_mem_attach(mctx, &portlist->mctx);
+	portlist->magic = DNS_PORTLIST_MAGIC;
+	*portlistp = portlist;
+	return (ISC_R_SUCCESS);
+}
+
+static dns_element_t *
+find_port(dns_element_t *list, unsigned int len, in_port_t port) {
+	unsigned int xtry = len / 2;
+	unsigned int min = 0;
+	unsigned int max = len - 1;
+	unsigned int last = len;
+
+	for (;;) {
+		if (list[xtry].port == port) {
+			return (&list[xtry]);
+		}
+		if (port > list[xtry].port) {
+			if (xtry == max) {
+				break;
+			}
+			min = xtry;
+			xtry = xtry + (max - xtry + 1) / 2;
+			INSIST(xtry <= max);
+			if (xtry == last) {
+				break;
+			}
+			last = min;
+		} else {
+			if (xtry == min) {
+				break;
+			}
+			max = xtry;
+			xtry = xtry - (xtry - min + 1) / 2;
+			INSIST(xtry >= min);
+			if (xtry == last) {
+				break;
+			}
+			last = max;
+		}
+	}
+	return (NULL);
+}
+
+isc_result_t
+dns_portlist_add(dns_portlist_t *portlist, int af, in_port_t port) {
+	dns_element_t *el;
+	isc_result_t result;
+
+	REQUIRE(DNS_VALID_PORTLIST(portlist));
+	REQUIRE(af == AF_INET || af == AF_INET6);
+
+	LOCK(&portlist->lock);
+	if (portlist->active != 0) {
+		el = find_port(portlist->list, portlist->active, port);
+		if (el != NULL) {
+			if (af == AF_INET) {
+				el->flags |= DNS_PL_INET;
+			} else {
+				el->flags |= DNS_PL_INET6;
+			}
+			result = ISC_R_SUCCESS;
+			goto unlock;
+		}
+	}
+
+	if (portlist->allocated <= portlist->active) {
+		unsigned int allocated;
+		allocated = portlist->allocated + DNS_PL_ALLOCATE;
+		el = isc_mem_get(portlist->mctx, sizeof(*el) * allocated);
+		if (portlist->list != NULL) {
+			memmove(el, portlist->list,
+				portlist->allocated * sizeof(*el));
+			isc_mem_put(portlist->mctx, portlist->list,
+				    portlist->allocated * sizeof(*el));
+		}
+		portlist->list = el;
+		portlist->allocated = allocated;
+	}
+	portlist->list[portlist->active].port = port;
+	if (af == AF_INET) {
+		portlist->list[portlist->active].flags = DNS_PL_INET;
+	} else {
+		portlist->list[portlist->active].flags = DNS_PL_INET6;
+	}
+	portlist->active++;
+	qsort(portlist->list, portlist->active, sizeof(*el), compare);
+	result = ISC_R_SUCCESS;
+unlock:
+	UNLOCK(&portlist->lock);
+	return (result);
+}
+
+void
+dns_portlist_remove(dns_portlist_t *portlist, int af, in_port_t port) {
+	dns_element_t *el;
+
+	REQUIRE(DNS_VALID_PORTLIST(portlist));
+	REQUIRE(af == AF_INET || af == AF_INET6);
+
+	LOCK(&portlist->lock);
+	if (portlist->active != 0) {
+		el = find_port(portlist->list, portlist->active, port);
+		if (el != NULL) {
+			if (af == AF_INET) {
+				el->flags &= ~DNS_PL_INET;
+			} else {
+				el->flags &= ~DNS_PL_INET6;
+			}
+			if (el->flags == 0) {
+				*el = portlist->list[portlist->active];
+				portlist->active--;
+				qsort(portlist->list, portlist->active,
+				      sizeof(*el), compare);
+			}
+		}
+	}
+	UNLOCK(&portlist->lock);
+}
+
+bool
+dns_portlist_match(dns_portlist_t *portlist, int af, in_port_t port) {
+	dns_element_t *el;
+	bool result = false;
+
+	REQUIRE(DNS_VALID_PORTLIST(portlist));
+	REQUIRE(af == AF_INET || af == AF_INET6);
+	LOCK(&portlist->lock);
+	if (portlist->active != 0) {
+		el = find_port(portlist->list, portlist->active, port);
+		if (el != NULL) {
+			if (af == AF_INET && (el->flags & DNS_PL_INET) != 0) {
+				result = true;
+			}
+			if (af == AF_INET6 && (el->flags & DNS_PL_INET6) != 0) {
+				result = true;
+			}
+		}
+	}
+	UNLOCK(&portlist->lock);
+	return (result);
+}
+
+void
+dns_portlist_attach(dns_portlist_t *portlist, dns_portlist_t **portlistp) {
+	REQUIRE(DNS_VALID_PORTLIST(portlist));
+	REQUIRE(portlistp != NULL && *portlistp == NULL);
+
+	isc_refcount_increment(&portlist->refcount);
+	*portlistp = portlist;
+}
+
+void
+dns_portlist_detach(dns_portlist_t **portlistp) {
+	REQUIRE(portlistp != NULL && DNS_VALID_PORTLIST(*portlistp));
+	dns_portlist_t *portlist = *portlistp;
+	*portlistp = NULL;
+
+	if (isc_refcount_decrement(&portlist->refcount) == 1) {
+		portlist->magic = 0;
+		isc_refcount_destroy(&portlist->refcount);
+		if (portlist->list != NULL) {
+			isc_mem_put(portlist->mctx, portlist->list,
+				    portlist->allocated *
+					    sizeof(*portlist->list));
+		}
+		isc_mutex_destroy(&portlist->lock);
+		isc_mem_putanddetach(&portlist->mctx, portlist,
+				     sizeof(*portlist));
+	}
+}
diff --git a/lib/dns/private.c b/lib/dns/private.c
new file mode 100644
index 0000000..56573b3
--- /dev/null
+++ b/lib/dns/private.c
@@ -0,0 +1,417 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stdbool.h>
+
+#include <isc/base64.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <dns/nsec3.h>
+#include <dns/private.h>
+
+/*
+ * We need to build the relevant chain if there exists a NSEC/NSEC3PARAM
+ * at the apex; normally only one or the other of NSEC/NSEC3PARAM will exist.
+ *
+ * If a NSEC3PARAM RRset exists then we will need to build a NSEC chain
+ * if all the NSEC3PARAM records (and associated chains) are slated for
+ * destruction and we have not been told to NOT build the NSEC chain.
+ *
+ * If the NSEC set exist then check to see if there is a request to create
+ * a NSEC3 chain.
+ *
+ * If neither NSEC/NSEC3PARAM RRsets exist at the origin and the private
+ * type exists then we need to examine it to determine if NSEC3 chain has
+ * been requested to be built otherwise a NSEC chain needs to be built.
+ */
+
+#define REMOVE(x)  (((x)&DNS_NSEC3FLAG_REMOVE) != 0)
+#define CREATE(x)  (((x)&DNS_NSEC3FLAG_CREATE) != 0)
+#define INITIAL(x) (((x)&DNS_NSEC3FLAG_INITIAL) != 0)
+#define NONSEC(x)  (((x)&DNS_NSEC3FLAG_NONSEC) != 0)
+
+#define CHECK(x)                             \
+	do {                                 \
+		result = (x);                \
+		if (result != ISC_R_SUCCESS) \
+			goto failure;        \
+	} while (0)
+
+/*
+ * Work out if 'param' should be ignored or not (i.e. it is in the process
+ * of being removed).
+ *
+ * Note: we 'belt-and-braces' here by also checking for a CREATE private
+ * record and keep the param record in this case.
+ */
+
+static bool
+ignore(dns_rdata_t *param, dns_rdataset_t *privateset) {
+	isc_result_t result;
+
+	for (result = dns_rdataset_first(privateset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(privateset))
+	{
+		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+		dns_rdata_t private = DNS_RDATA_INIT;
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(privateset, &private);
+		if (!dns_nsec3param_fromprivate(&private, &rdata, buf,
+						sizeof(buf)))
+		{
+			continue;
+		}
+		/*
+		 * We are going to create a new NSEC3 chain so it
+		 * doesn't matter if we are removing this one.
+		 */
+		if (CREATE(rdata.data[1])) {
+			return (false);
+		}
+		if (rdata.data[0] != param->data[0] ||
+		    rdata.data[2] != param->data[2] ||
+		    rdata.data[3] != param->data[3] ||
+		    rdata.data[4] != param->data[4] ||
+		    memcmp(&rdata.data[5], &param->data[5], param->data[4]))
+		{
+			continue;
+		}
+		/*
+		 * The removal of this NSEC3 chain does NOT cause a
+		 * NSEC chain to be created so we don't need to tell
+		 * the caller that it will be removed.
+		 */
+		if (NONSEC(rdata.data[1])) {
+			return (false);
+		}
+		return (true);
+	}
+	return (false);
+}
+
+isc_result_t
+dns_private_chains(dns_db_t *db, dns_dbversion_t *ver,
+		   dns_rdatatype_t privatetype, bool *build_nsec,
+		   bool *build_nsec3) {
+	dns_dbnode_t *node;
+	dns_rdataset_t nsecset, nsec3paramset, privateset;
+	bool nsec3chain;
+	bool signing;
+	isc_result_t result;
+	unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+	unsigned int count;
+
+	node = NULL;
+	dns_rdataset_init(&nsecset);
+	dns_rdataset_init(&nsec3paramset);
+	dns_rdataset_init(&privateset);
+
+	CHECK(dns_db_getoriginnode(db, &node));
+
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec, 0,
+				     (isc_stdtime_t)0, &nsecset, NULL);
+
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
+		goto failure;
+	}
+
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param, 0,
+				     (isc_stdtime_t)0, &nsec3paramset, NULL);
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
+		goto failure;
+	}
+
+	if (dns_rdataset_isassociated(&nsecset) &&
+	    dns_rdataset_isassociated(&nsec3paramset))
+	{
+		if (build_nsec != NULL) {
+			*build_nsec = true;
+		}
+		if (build_nsec3 != NULL) {
+			*build_nsec3 = true;
+		}
+		goto success;
+	}
+
+	if (privatetype != (dns_rdatatype_t)0) {
+		result = dns_db_findrdataset(db, node, ver, privatetype, 0,
+					     (isc_stdtime_t)0, &privateset,
+					     NULL);
+		if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
+			goto failure;
+		}
+	}
+
+	/*
+	 * Look to see if we also need to be creating a NSEC3 chain.
+	 */
+	if (dns_rdataset_isassociated(&nsecset)) {
+		if (build_nsec != NULL) {
+			*build_nsec = true;
+		}
+		if (build_nsec3 != NULL) {
+			*build_nsec3 = false;
+		}
+		if (!dns_rdataset_isassociated(&privateset)) {
+			goto success;
+		}
+		for (result = dns_rdataset_first(&privateset);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&privateset))
+		{
+			dns_rdata_t private = DNS_RDATA_INIT;
+			dns_rdata_t rdata = DNS_RDATA_INIT;
+
+			dns_rdataset_current(&privateset, &private);
+			if (!dns_nsec3param_fromprivate(&private, &rdata, buf,
+							sizeof(buf)))
+			{
+				continue;
+			}
+			if (REMOVE(rdata.data[1])) {
+				continue;
+			}
+			if (build_nsec3 != NULL) {
+				*build_nsec3 = true;
+			}
+			break;
+		}
+		goto success;
+	}
+
+	if (dns_rdataset_isassociated(&nsec3paramset)) {
+		if (build_nsec3 != NULL) {
+			*build_nsec3 = true;
+		}
+		if (build_nsec != NULL) {
+			*build_nsec = false;
+		}
+		if (!dns_rdataset_isassociated(&privateset)) {
+			goto success;
+		}
+		/*
+		 * If we are in the process of building a new NSEC3 chain
+		 * then we don't need to build a NSEC chain.
+		 */
+		for (result = dns_rdataset_first(&privateset);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&privateset))
+		{
+			dns_rdata_t private = DNS_RDATA_INIT;
+			dns_rdata_t rdata = DNS_RDATA_INIT;
+
+			dns_rdataset_current(&privateset, &private);
+			if (!dns_nsec3param_fromprivate(&private, &rdata, buf,
+							sizeof(buf)))
+			{
+				continue;
+			}
+			if (CREATE(rdata.data[1])) {
+				goto success;
+			}
+		}
+
+		/*
+		 * Check to see if there will be a active NSEC3CHAIN once
+		 * the changes queued complete.
+		 */
+		count = 0;
+		for (result = dns_rdataset_first(&nsec3paramset);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&nsec3paramset))
+		{
+			dns_rdata_t rdata = DNS_RDATA_INIT;
+
+			/*
+			 * If there is more that one NSEC3 chain present then
+			 * we don't need to construct a NSEC chain.
+			 */
+			if (++count > 1) {
+				goto success;
+			}
+			dns_rdataset_current(&nsec3paramset, &rdata);
+			if (ignore(&rdata, &privateset)) {
+				continue;
+			}
+			/*
+			 * We still have a good NSEC3 chain or we are
+			 * not creating a NSEC chain as NONSEC is set.
+			 */
+			goto success;
+		}
+
+		/*
+		 * The last NSEC3 chain is being removed and does not have
+		 * have NONSEC set.
+		 */
+		if (build_nsec != NULL) {
+			*build_nsec = true;
+		}
+		goto success;
+	}
+
+	if (build_nsec != NULL) {
+		*build_nsec = false;
+	}
+	if (build_nsec3 != NULL) {
+		*build_nsec3 = false;
+	}
+	if (!dns_rdataset_isassociated(&privateset)) {
+		goto success;
+	}
+
+	signing = false;
+	nsec3chain = false;
+
+	for (result = dns_rdataset_first(&privateset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&privateset))
+	{
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_rdata_t private = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&privateset, &private);
+		if (!dns_nsec3param_fromprivate(&private, &rdata, buf,
+						sizeof(buf)))
+		{
+			/*
+			 * Look for record that says we are signing the
+			 * zone with a key.
+			 */
+			if (private.length == 5 && private.data[0] != 0 &&
+			    private.data[3] == 0 && private.data[4] == 0)
+			{
+				signing = true;
+			}
+		} else {
+			if (CREATE(rdata.data[1])) {
+				nsec3chain = true;
+			}
+		}
+	}
+
+	if (signing) {
+		if (nsec3chain) {
+			if (build_nsec3 != NULL) {
+				*build_nsec3 = true;
+			}
+		} else {
+			if (build_nsec != NULL) {
+				*build_nsec = true;
+			}
+		}
+	}
+
+success:
+	result = ISC_R_SUCCESS;
+failure:
+	if (dns_rdataset_isassociated(&nsecset)) {
+		dns_rdataset_disassociate(&nsecset);
+	}
+	if (dns_rdataset_isassociated(&nsec3paramset)) {
+		dns_rdataset_disassociate(&nsec3paramset);
+	}
+	if (dns_rdataset_isassociated(&privateset)) {
+		dns_rdataset_disassociate(&privateset);
+	}
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+	return (result);
+}
+
+isc_result_t
+dns_private_totext(dns_rdata_t *private, isc_buffer_t *buf) {
+	isc_result_t result;
+
+	if (private->length < 5) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	if (private->data[0] == 0) {
+		unsigned char nsec3buf[DNS_NSEC3PARAM_BUFFERSIZE];
+		unsigned char newbuf[DNS_NSEC3PARAM_BUFFERSIZE];
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_rdata_nsec3param_t nsec3param;
+		bool del, init, nonsec;
+		isc_buffer_t b;
+
+		if (!dns_nsec3param_fromprivate(private, &rdata, nsec3buf,
+						sizeof(nsec3buf)))
+		{
+			CHECK(ISC_R_FAILURE);
+		}
+
+		CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
+
+		del = ((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0);
+		init = ((nsec3param.flags & DNS_NSEC3FLAG_INITIAL) != 0);
+		nonsec = ((nsec3param.flags & DNS_NSEC3FLAG_NONSEC) != 0);
+
+		nsec3param.flags &=
+			~(DNS_NSEC3FLAG_CREATE | DNS_NSEC3FLAG_REMOVE |
+			  DNS_NSEC3FLAG_INITIAL | DNS_NSEC3FLAG_NONSEC);
+
+		if (init) {
+			isc_buffer_putstr(buf, "Pending NSEC3 chain ");
+		} else if (del) {
+			isc_buffer_putstr(buf, "Removing NSEC3 chain ");
+		} else {
+			isc_buffer_putstr(buf, "Creating NSEC3 chain ");
+		}
+
+		dns_rdata_reset(&rdata);
+		isc_buffer_init(&b, newbuf, sizeof(newbuf));
+		CHECK(dns_rdata_fromstruct(&rdata, dns_rdataclass_in,
+					   dns_rdatatype_nsec3param,
+					   &nsec3param, &b));
+
+		CHECK(dns_rdata_totext(&rdata, NULL, buf));
+
+		if (del && !nonsec) {
+			isc_buffer_putstr(buf, " / creating NSEC chain");
+		}
+	} else if (private->length == 5) {
+		unsigned char alg = private->data[0];
+		dns_keytag_t keyid = (private->data[2] | private->data[1] << 8);
+		char keybuf[DNS_SECALG_FORMATSIZE + BUFSIZ],
+			algbuf[DNS_SECALG_FORMATSIZE];
+		bool del = private->data[3];
+		bool complete = private->data[4];
+
+		if (del && complete) {
+			isc_buffer_putstr(buf, "Done removing signatures for ");
+		} else if (del) {
+			isc_buffer_putstr(buf, "Removing signatures for ");
+		} else if (complete) {
+			isc_buffer_putstr(buf, "Done signing with ");
+		} else {
+			isc_buffer_putstr(buf, "Signing with ");
+		}
+
+		dns_secalg_format(alg, algbuf, sizeof(algbuf));
+		snprintf(keybuf, sizeof(keybuf), "key %d/%s", keyid, algbuf);
+		isc_buffer_putstr(buf, keybuf);
+	} else {
+		return (ISC_R_NOTFOUND);
+	}
+
+	isc_buffer_putuint8(buf, 0);
+	result = ISC_R_SUCCESS;
+failure:
+	return (result);
+}
diff --git a/lib/dns/rbt.c b/lib/dns/rbt.c
new file mode 100644
index 0000000..d5d18b8
--- /dev/null
+++ b/lib/dns/rbt.c
@@ -0,0 +1,3808 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <sys/stat.h>
+
+#include <isc/crc64.h>
+#include <isc/file.h>
+#include <isc/hex.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/refcount.h>
+#include <isc/socket.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+/*%
+ * This define is so dns/name.h (included by dns/fixedname.h) uses more
+ * efficient macro calls instead of functions for a few operations.
+ */
+#define DNS_NAME_USEINLINE 1
+#define ALIGNMENT_SIZE	   8U /* see lib/isc/mem.c */
+
+#include <unistd.h>
+
+#include <dns/fixedname.h>
+#include <dns/log.h>
+#include <dns/rbt.h>
+#include <dns/result.h>
+#include <dns/version.h>
+
+#define CHECK(x)                             \
+	do {                                 \
+		result = (x);                \
+		if (result != ISC_R_SUCCESS) \
+			goto cleanup;        \
+	} while (0)
+
+#define RBT_MAGIC      ISC_MAGIC('R', 'B', 'T', '+')
+#define VALID_RBT(rbt) ISC_MAGIC_VALID(rbt, RBT_MAGIC)
+
+/*
+ * XXXDCL Since parent pointers were added in again, I could remove all of the
+ * chain junk, and replace with dns_rbt_firstnode, _previousnode, _nextnode,
+ * _lastnode.  This would involve pretty major change to the API.
+ */
+#define CHAIN_MAGIC	   ISC_MAGIC('0', '-', '0', '-')
+#define VALID_CHAIN(chain) ISC_MAGIC_VALID(chain, CHAIN_MAGIC)
+
+#define RBT_HASH_MIN_BITS   4
+#define RBT_HASH_MAX_BITS   32
+#define RBT_HASH_OVERCOMMIT 3
+#define RBT_HASH_BUCKETSIZE 4096 /* FIXME: What would be a good value here? */
+
+#ifdef RBT_MEM_TEST
+#undef RBT_HASH_SIZE
+#define RBT_HASH_SIZE 2 /*%< To give the reallocation code a workout. */
+#endif			/* ifdef RBT_MEM_TEST */
+
+#define GOLDEN_RATIO_32 0x61C88647
+
+#define HASHSIZE(bits) (UINT64_C(1) << (bits))
+
+static uint32_t
+hash_32(uint32_t val, unsigned int bits) {
+	REQUIRE(bits <= RBT_HASH_MAX_BITS);
+	/* High bits are more random. */
+	return (val * GOLDEN_RATIO_32 >> (32 - bits));
+}
+
+struct dns_rbt {
+	unsigned int magic;
+	isc_mem_t *mctx;
+	dns_rbtnode_t *root;
+	void (*data_deleter)(void *, void *);
+	void *deleter_arg;
+	unsigned int nodecount;
+	uint16_t hashbits;
+	uint16_t maxhashbits;
+	dns_rbtnode_t **hashtable;
+	void *mmap_location;
+};
+
+#define RED   0
+#define BLACK 1
+
+/*
+ * This is the header for map-format RBT images.  It is populated,
+ * and then written, as the LAST thing done to the file before returning.
+ * Writing this last (with zeros in the header area initially) will ensure
+ * that the header is only valid when the RBT image is also valid.
+ */
+typedef struct file_header file_header_t;
+
+/* Pad to 32 bytes */
+static char FILE_VERSION[32] = "\0";
+
+/* Header length, always the same size regardless of structure size */
+#define HEADER_LENGTH 1024
+
+struct file_header {
+	char version1[32];
+	uint64_t first_node_offset; /* usually 1024 */
+	/*
+	 * information about the system on which the map file was generated
+	 * will be used to tell if we can load the map file or not
+	 */
+	uint32_t ptrsize;
+	unsigned int bigendian	    : 1; /* big or little endian system */
+	unsigned int rdataset_fixed : 1; /* compiled with
+					  * --enable-rrset-fixed
+					  */
+	unsigned int nodecount;		 /* shadow from rbt structure */
+	uint64_t crc;
+	char version2[32]; /* repeated; must match version1 */
+};
+
+/*
+ * The following declarations are for the serialization of an RBT:
+ *
+ * step one: write out a zeroed header of 1024 bytes
+ * step two: walk the tree in a depth-first, left-right-down order, writing
+ * out the nodes, reserving space as we go, correcting addresses to point
+ * at the proper offset in the file, and setting a flag for each pointer to
+ * indicate that it is a reference to a location in the file, rather than in
+ * memory.
+ * step three: write out the header, adding the information that will be
+ * needed to re-create the tree object itself.
+ *
+ * The RBTDB object will do this three times, once for each of the three
+ * RBT objects it contains.
+ *
+ * Note: 'file' must point an actual open file that can be mmapped
+ * and fseeked, not to a pipe or stream
+ */
+
+static isc_result_t
+dns_rbt_zero_header(FILE *file);
+
+static isc_result_t
+write_header(FILE *file, dns_rbt_t *rbt, uint64_t first_node_offset,
+	     uint64_t crc);
+
+static bool
+match_header_version(file_header_t *header);
+
+static isc_result_t
+serialize_node(FILE *file, dns_rbtnode_t *node, uintptr_t left, uintptr_t right,
+	       uintptr_t down, uintptr_t parent, uintptr_t data, uint64_t *crc);
+
+static isc_result_t
+serialize_nodes(FILE *file, dns_rbtnode_t *node, uintptr_t parent,
+		dns_rbtdatawriter_t datawriter, void *writer_arg,
+		uintptr_t *where, uint64_t *crc);
+
+#define ADJUST_ADDRESS(address, relative, header)        \
+	if (address != NULL && header != NULL) {         \
+		address += relative * (uintptr_t)header; \
+	}
+/*
+ * The following functions allow you to get the actual address of a pointer
+ * without having to use an if statement to check to see if that address is
+ * relative or not
+ */
+static dns_rbtnode_t *
+getparent(dns_rbtnode_t *node, file_header_t *header) {
+	char *adjusted_address = (char *)(node->parent);
+
+	ADJUST_ADDRESS(adjusted_address, node->parent_is_relative, header);
+
+	return ((dns_rbtnode_t *)adjusted_address);
+}
+
+static dns_rbtnode_t *
+getleft(dns_rbtnode_t *node, file_header_t *header) {
+	char *adjusted_address = (char *)(node->left);
+
+	ADJUST_ADDRESS(adjusted_address, node->left_is_relative, header);
+
+	return ((dns_rbtnode_t *)adjusted_address);
+}
+
+static dns_rbtnode_t *
+getright(dns_rbtnode_t *node, file_header_t *header) {
+	char *adjusted_address = (char *)(node->right);
+
+	ADJUST_ADDRESS(adjusted_address, node->right_is_relative, header);
+
+	return ((dns_rbtnode_t *)adjusted_address);
+}
+
+static dns_rbtnode_t *
+getdown(dns_rbtnode_t *node, file_header_t *header) {
+	char *adjusted_address = (char *)(node->down);
+
+	ADJUST_ADDRESS(adjusted_address, node->down_is_relative, header);
+
+	return ((dns_rbtnode_t *)adjusted_address);
+}
+
+static dns_rbtnode_t *
+getdata(dns_rbtnode_t *node, file_header_t *header) {
+	char *adjusted_address = (char *)(node->data);
+
+	ADJUST_ADDRESS(adjusted_address, node->data_is_relative, header);
+
+	return ((dns_rbtnode_t *)adjusted_address);
+}
+
+/*%
+ * Elements of the rbtnode structure.
+ */
+#define PARENT(node)	   ((node)->parent)
+#define LEFT(node)	   ((node)->left)
+#define RIGHT(node)	   ((node)->right)
+#define DOWN(node)	   ((node)->down)
+#define UPPERNODE(node)	   ((node)->uppernode)
+#define DATA(node)	   ((node)->data)
+#define IS_EMPTY(node)	   ((node)->data == NULL)
+#define HASHNEXT(node)	   ((node)->hashnext)
+#define HASHVAL(node)	   ((node)->hashval)
+#define COLOR(node)	   ((node)->color)
+#define NAMELEN(node)	   ((node)->namelen)
+#define OLDNAMELEN(node)   ((node)->oldnamelen)
+#define OFFSETLEN(node)	   ((node)->offsetlen)
+#define ATTRS(node)	   ((node)->attributes)
+#define IS_ROOT(node)	   ((node)->is_root)
+#define FINDCALLBACK(node) ((node)->find_callback)
+
+#define WANTEMPTYDATA_OR_DATA(options, node) \
+	((options & DNS_RBTFIND_EMPTYDATA) != 0 || DATA(node) != NULL)
+
+/*%
+ * Structure elements from the rbtdb.c, not
+ * used as part of the rbt.c algorithms.
+ */
+#define DIRTY(node)   ((node)->dirty)
+#define WILD(node)    ((node)->wild)
+#define LOCKNUM(node) ((node)->locknum)
+
+/*%
+ * The variable length stuff stored after the node has the following
+ * structure.
+ *
+ *	&lt;name_data&gt;{1..255}&lt;oldoffsetlen&gt;{1}&lt;offsets&gt;{1..128}
+ *
+ * &lt;name_data&gt; contains the name of the node when it was created.
+ * &lt;oldoffsetlen&gt; contains the length of &lt;offsets&gt; when the node
+ * was created.
+ * &lt;offsets&gt; contains the offsets into name for each label when the node
+ * was created.
+ */
+
+#define NAME(node)	   ((unsigned char *)((node) + 1))
+#define OFFSETS(node)	   (NAME(node) + OLDNAMELEN(node) + 1)
+#define OLDOFFSETLEN(node) (OFFSETS(node)[-1])
+
+#define NODE_SIZE(node) \
+	(sizeof(*node) + OLDNAMELEN(node) + OLDOFFSETLEN(node) + 1)
+
+/*%
+ * Color management.
+ */
+#define IS_RED(node)	 ((node) != NULL && (node)->color == RED)
+#define IS_BLACK(node)	 ((node) == NULL || (node)->color == BLACK)
+#define MAKE_RED(node)	 ((node)->color = RED)
+#define MAKE_BLACK(node) ((node)->color = BLACK)
+
+/*%
+ * Chain management.
+ *
+ * The "ancestors" member of chains were removed, with their job now
+ * being wholly handled by parent pointers (which didn't exist, because
+ * of memory concerns, when chains were first implemented).
+ */
+#define ADD_LEVEL(chain, node)                                     \
+	do {                                                       \
+		INSIST((chain)->level_count < DNS_RBT_LEVELBLOCK); \
+		(chain)->levels[(chain)->level_count++] = (node);  \
+	} while (0)
+
+/*%
+ * The following macros directly access normally private name variables.
+ * These macros are used to avoid a lot of function calls in the critical
+ * path of the tree traversal code.
+ */
+
+static void
+NODENAME(dns_rbtnode_t *node, dns_name_t *name) {
+	name->length = NAMELEN(node);
+	name->labels = OFFSETLEN(node);
+	name->ndata = NAME(node);
+	name->offsets = OFFSETS(node);
+	name->attributes = ATTRS(node);
+	name->attributes |= DNS_NAMEATTR_READONLY;
+}
+
+#ifdef DEBUG
+#define inline
+/*
+ * A little something to help out in GDB.
+ */
+dns_name_t
+Name(dns_rbtnode_t *node);
+dns_name_t
+Name(dns_rbtnode_t *node) {
+	dns_name_t name;
+
+	dns_name_init(&name, NULL);
+	if (node != NULL) {
+		NODENAME(node, &name);
+	}
+
+	return (name);
+}
+
+static void
+hexdump(const char *desc, unsigned char *data, size_t size) {
+	char hexdump[BUFSIZ * 2 + 1];
+	isc_buffer_t b;
+	isc_region_t r;
+	isc_result_t result;
+	size_t bytes;
+
+	fprintf(stderr, "%s: ", desc);
+	do {
+		isc_buffer_init(&b, hexdump, sizeof(hexdump));
+		r.base = data;
+		r.length = bytes = (size > BUFSIZ) ? BUFSIZ : size;
+		result = isc_hex_totext(&r, 0, "", &b);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		isc_buffer_putuint8(&b, 0);
+		fprintf(stderr, "%s", hexdump);
+		data += bytes;
+		size -= bytes;
+	} while (size > 0);
+	fprintf(stderr, "\n");
+}
+#endif /* DEBUG */
+
+/*
+ * Upper node is the parent of the root of the passed node's
+ * subtree. The passed node must not be NULL.
+ */
+static dns_rbtnode_t *
+get_upper_node(dns_rbtnode_t *node) {
+	return (UPPERNODE(node));
+}
+
+static void
+fixup_uppernodes_helper(dns_rbtnode_t *node, dns_rbtnode_t *uppernode) {
+	if (node == NULL) {
+		return;
+	}
+
+	UPPERNODE(node) = uppernode;
+
+	fixup_uppernodes_helper(LEFT(node), uppernode);
+	fixup_uppernodes_helper(RIGHT(node), uppernode);
+	fixup_uppernodes_helper(DOWN(node), node);
+}
+
+/*
+ * This function is used to fixup uppernode members of all dns_rbtnodes
+ * after deserialization.
+ */
+static void
+fixup_uppernodes(dns_rbt_t *rbt) {
+	fixup_uppernodes_helper(rbt->root, NULL);
+}
+
+size_t
+dns__rbtnode_getdistance(dns_rbtnode_t *node) {
+	size_t nodes = 1;
+
+	while (node != NULL) {
+		if (IS_ROOT(node)) {
+			break;
+		}
+		nodes++;
+		node = PARENT(node);
+	}
+
+	return (nodes);
+}
+
+/*
+ * Forward declarations.
+ */
+static isc_result_t
+create_node(isc_mem_t *mctx, const dns_name_t *name, dns_rbtnode_t **nodep);
+
+static isc_result_t
+inithash(dns_rbt_t *rbt);
+
+static void
+hash_node(dns_rbt_t *rbt, dns_rbtnode_t *node, const dns_name_t *name);
+
+static void
+unhash_node(dns_rbt_t *rbt, dns_rbtnode_t *node);
+
+static uint32_t
+rehash_bits(dns_rbt_t *rbt, size_t newcount);
+static void
+rehash(dns_rbt_t *rbt, uint32_t newbits);
+static void
+maybe_rehash(dns_rbt_t *rbt, size_t size);
+
+static void
+rotate_left(dns_rbtnode_t *node, dns_rbtnode_t **rootp);
+static void
+rotate_right(dns_rbtnode_t *node, dns_rbtnode_t **rootp);
+
+static void
+addonlevel(dns_rbtnode_t *node, dns_rbtnode_t *current, int order,
+	   dns_rbtnode_t **rootp);
+
+static void
+deletefromlevel(dns_rbtnode_t *item, dns_rbtnode_t **rootp);
+
+static isc_result_t
+treefix(dns_rbt_t *rbt, void *base, size_t size, dns_rbtnode_t *n,
+	const dns_name_t *name, dns_rbtdatafixer_t datafixer, void *fixer_arg,
+	uint64_t *crc);
+
+static void
+deletetreeflat(dns_rbt_t *rbt, unsigned int quantum, bool unhash,
+	       dns_rbtnode_t **nodep);
+
+static void
+printnodename(dns_rbtnode_t *node, bool quoted, FILE *f);
+
+static void
+freenode(dns_rbt_t *rbt, dns_rbtnode_t **nodep);
+
+static isc_result_t
+dns_rbt_zero_header(FILE *file) {
+	/*
+	 * Write out a zeroed header as a placeholder.  Doing this ensures
+	 * that the file will not read while it is partially written, should
+	 * writing fail or be interrupted.
+	 */
+	char buffer[HEADER_LENGTH];
+	isc_result_t result;
+
+	memset(buffer, 0, HEADER_LENGTH);
+	result = isc_stdio_write(buffer, 1, HEADER_LENGTH, file, NULL);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = fflush(file);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_once_t once = ISC_ONCE_INIT;
+
+static void
+init_file_version(void) {
+	int n;
+
+	memset(FILE_VERSION, 0, sizeof(FILE_VERSION));
+	n = snprintf(FILE_VERSION, sizeof(FILE_VERSION), "RBT Image %s %s",
+		     dns_major, dns_mapapi);
+	INSIST(n > 0 && (unsigned int)n < sizeof(FILE_VERSION));
+}
+
+/*
+ * Write out the real header, including NodeDump version information
+ * and the offset of the first node.
+ *
+ * Any information stored in the rbt object itself should be stored
+ * here.
+ */
+static isc_result_t
+write_header(FILE *file, dns_rbt_t *rbt, uint64_t first_node_offset,
+	     uint64_t crc) {
+	file_header_t header;
+	isc_result_t result;
+	off_t location;
+
+	RUNTIME_CHECK(isc_once_do(&once, init_file_version) == ISC_R_SUCCESS);
+
+	memset(&header, 0, sizeof(file_header_t));
+	memmove(header.version1, FILE_VERSION, sizeof(header.version1));
+	memmove(header.version2, FILE_VERSION, sizeof(header.version2));
+	header.first_node_offset = first_node_offset;
+	header.ptrsize = (uint32_t)sizeof(void *);
+	header.bigendian = (1 == htonl(1)) ? 1 : 0;
+
+#ifdef DNS_RDATASET_FIXED
+	header.rdataset_fixed = 1;
+#else  /* ifdef DNS_RDATASET_FIXED */
+	header.rdataset_fixed = 0;
+#endif /* ifdef DNS_RDATASET_FIXED */
+
+	header.nodecount = rbt->nodecount;
+
+	header.crc = crc;
+
+	CHECK(isc_stdio_tell(file, &location));
+	location = dns_rbt_serialize_align(location);
+	CHECK(isc_stdio_seek(file, location, SEEK_SET));
+	CHECK(isc_stdio_write(&header, 1, sizeof(file_header_t), file, NULL));
+	CHECK(fflush(file));
+
+	/* Ensure we are always at the end of the file. */
+	CHECK(isc_stdio_seek(file, 0, SEEK_END));
+
+cleanup:
+	return (result);
+}
+
+static bool
+match_header_version(file_header_t *header) {
+	RUNTIME_CHECK(isc_once_do(&once, init_file_version) == ISC_R_SUCCESS);
+
+	if (memcmp(header->version1, FILE_VERSION, sizeof(header->version1)) !=
+		    0 ||
+	    memcmp(header->version2, FILE_VERSION, sizeof(header->version1)) !=
+		    0)
+	{
+		return (false);
+	}
+
+	return (true);
+}
+
+unsigned int
+dns__rbtnode_namelen(dns_rbtnode_t *node) {
+	dns_name_t current;
+	unsigned int len = 0;
+
+	REQUIRE(DNS_RBTNODE_VALID(node));
+
+	dns_name_init(&current, NULL);
+
+	do {
+		if (node != NULL) {
+			NODENAME(node, &current);
+			len += current.length;
+		} else {
+			len += 1;
+			break;
+		}
+
+		node = get_upper_node(node);
+	} while (!dns_name_isabsolute(&current));
+
+	return (len);
+}
+
+static isc_result_t
+serialize_node(FILE *file, dns_rbtnode_t *node, uintptr_t left, uintptr_t right,
+	       uintptr_t down, uintptr_t parent, uintptr_t data,
+	       uint64_t *crc) {
+	isc_result_t result;
+	dns_rbtnode_t temp_node;
+	off_t file_position;
+	unsigned char *node_data = NULL;
+	size_t datasize;
+#ifdef DEBUG
+	dns_name_t nodename;
+#endif /* ifdef DEBUG */
+
+	INSIST(node != NULL);
+
+	CHECK(isc_stdio_tell(file, &file_position));
+	file_position = dns_rbt_serialize_align(file_position);
+	CHECK(isc_stdio_seek(file, file_position, SEEK_SET));
+
+	temp_node = *node;
+	temp_node.down_is_relative = 0;
+	temp_node.left_is_relative = 0;
+	temp_node.right_is_relative = 0;
+	temp_node.parent_is_relative = 0;
+	temp_node.data_is_relative = 0;
+	temp_node.is_mmapped = 1;
+
+	/*
+	 * If the next node is not NULL, calculate the next node's location
+	 * in the file.  Note that this will have to change when the data
+	 * structure changes, and it also assumes that we always write the
+	 * nodes out in list order (which we currently do.)
+	 */
+	if (temp_node.parent != NULL) {
+		temp_node.parent = (dns_rbtnode_t *)(parent);
+		temp_node.parent_is_relative = 1;
+	}
+	if (temp_node.left != NULL) {
+		temp_node.left = (dns_rbtnode_t *)(left);
+		temp_node.left_is_relative = 1;
+	}
+	if (temp_node.right != NULL) {
+		temp_node.right = (dns_rbtnode_t *)(right);
+		temp_node.right_is_relative = 1;
+	}
+	if (temp_node.down != NULL) {
+		temp_node.down = (dns_rbtnode_t *)(down);
+		temp_node.down_is_relative = 1;
+	}
+	if (temp_node.data != NULL) {
+		temp_node.data = (dns_rbtnode_t *)(data);
+		temp_node.data_is_relative = 1;
+	}
+
+	temp_node.fullnamelen = dns__rbtnode_namelen(node);
+
+	node_data = (unsigned char *)node + sizeof(dns_rbtnode_t);
+	datasize = NODE_SIZE(node) - sizeof(dns_rbtnode_t);
+
+	CHECK(isc_stdio_write(&temp_node, 1, sizeof(dns_rbtnode_t), file,
+			      NULL));
+	CHECK(isc_stdio_write(node_data, 1, datasize, file, NULL));
+
+#ifdef DEBUG
+	dns_name_init(&nodename, NULL);
+	NODENAME(node, &nodename);
+	fprintf(stderr, "serialize ");
+	dns_name_print(&nodename, stderr);
+	fprintf(stderr, "\n");
+	hexdump("node header", (unsigned char *)&temp_node,
+		sizeof(dns_rbtnode_t));
+	hexdump("node data", node_data, datasize);
+#endif /* ifdef DEBUG */
+
+	isc_crc64_update(crc, (const uint8_t *)&temp_node,
+			 sizeof(dns_rbtnode_t));
+	isc_crc64_update(crc, (const uint8_t *)node_data, datasize);
+
+cleanup:
+	return (result);
+}
+
+static isc_result_t
+serialize_nodes(FILE *file, dns_rbtnode_t *node, uintptr_t parent,
+		dns_rbtdatawriter_t datawriter, void *writer_arg,
+		uintptr_t *where, uint64_t *crc) {
+	uintptr_t left = 0, right = 0, down = 0, data = 0;
+	off_t location = 0, offset_adjust;
+	isc_result_t result;
+
+	if (node == NULL) {
+		if (where != NULL) {
+			*where = 0;
+		}
+		return (ISC_R_SUCCESS);
+	}
+
+	/* Reserve space for current node. */
+	CHECK(isc_stdio_tell(file, &location));
+	location = dns_rbt_serialize_align(location);
+	CHECK(isc_stdio_seek(file, location, SEEK_SET));
+
+	offset_adjust = dns_rbt_serialize_align(location + NODE_SIZE(node));
+	CHECK(isc_stdio_seek(file, offset_adjust, SEEK_SET));
+
+	/*
+	 * Serialize the rest of the tree.
+	 *
+	 * WARNING: A change in the order (from left, right, down)
+	 * will break the way the crc hash is computed.
+	 */
+	CHECK(serialize_nodes(file, getleft(node, NULL), location, datawriter,
+			      writer_arg, &left, crc));
+	CHECK(serialize_nodes(file, getright(node, NULL), location, datawriter,
+			      writer_arg, &right, crc));
+	CHECK(serialize_nodes(file, getdown(node, NULL), location, datawriter,
+			      writer_arg, &down, crc));
+
+	if (node->data != NULL) {
+		off_t ret;
+
+		CHECK(isc_stdio_tell(file, &ret));
+		ret = dns_rbt_serialize_align(ret);
+		CHECK(isc_stdio_seek(file, ret, SEEK_SET));
+		data = ret;
+
+		datawriter(file, node->data, writer_arg, crc);
+	}
+
+	/* Seek back to reserved space. */
+	CHECK(isc_stdio_seek(file, location, SEEK_SET));
+
+	/* Serialize the current node. */
+	CHECK(serialize_node(file, node, left, right, down, parent, data, crc));
+
+	/* Ensure we are always at the end of the file. */
+	CHECK(isc_stdio_seek(file, 0, SEEK_END));
+
+	if (where != NULL) {
+		*where = (uintptr_t)location;
+	}
+
+cleanup:
+	return (result);
+}
+
+off_t
+dns_rbt_serialize_align(off_t target) {
+	off_t offset = target % 8;
+
+	if (offset == 0) {
+		return (target);
+	} else {
+		return (target + 8 - offset);
+	}
+}
+
+isc_result_t
+dns_rbt_serialize_tree(FILE *file, dns_rbt_t *rbt,
+		       dns_rbtdatawriter_t datawriter, void *writer_arg,
+		       off_t *offset) {
+	isc_result_t result;
+	off_t header_position, node_position, end_position;
+	uint64_t crc;
+
+	REQUIRE(file != NULL);
+
+	CHECK(isc_file_isplainfilefd(fileno(file)));
+
+	isc_crc64_init(&crc);
+
+	CHECK(isc_stdio_tell(file, &header_position));
+
+	/* Write dummy header */
+	CHECK(dns_rbt_zero_header(file));
+
+	/* Serialize nodes */
+	CHECK(isc_stdio_tell(file, &node_position));
+	CHECK(serialize_nodes(file, rbt->root, 0, datawriter, writer_arg, NULL,
+			      &crc));
+
+	CHECK(isc_stdio_tell(file, &end_position));
+	if (node_position == end_position) {
+		CHECK(isc_stdio_seek(file, header_position, SEEK_SET));
+		*offset = 0;
+		return (ISC_R_SUCCESS);
+	}
+
+	isc_crc64_final(&crc);
+#ifdef DEBUG
+	hexdump("serializing CRC", (unsigned char *)&crc, sizeof(crc));
+#endif /* ifdef DEBUG */
+
+	/* Serialize header */
+	CHECK(isc_stdio_seek(file, header_position, SEEK_SET));
+	CHECK(write_header(file, rbt, HEADER_LENGTH, crc));
+
+	/* Ensure we are always at the end of the file. */
+	CHECK(isc_stdio_seek(file, 0, SEEK_END));
+	*offset = dns_rbt_serialize_align(header_position);
+
+cleanup:
+	return (result);
+}
+
+#define CONFIRM(a)                                  \
+	do {                                        \
+		if (!(a)) {                         \
+			result = ISC_R_INVALIDFILE; \
+			goto cleanup;               \
+		}                                   \
+	} while (0);
+
+static isc_result_t
+treefix(dns_rbt_t *rbt, void *base, size_t filesize, dns_rbtnode_t *n,
+	const dns_name_t *name, dns_rbtdatafixer_t datafixer, void *fixer_arg,
+	uint64_t *crc) {
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_fixedname_t fixed;
+	dns_name_t nodename, *fullname = NULL;
+	unsigned char *node_data = NULL;
+	dns_rbtnode_t header;
+	size_t nodemax = filesize - sizeof(dns_rbtnode_t);
+	size_t datasize;
+
+	if (n == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+
+#define CHECK_ALIGNMENT(n) \
+	(((uintptr_t)n & ~((uintptr_t)ALIGNMENT_SIZE - 1)) == (uintptr_t)n)
+
+	CONFIRM((void *)n >= base);
+	CONFIRM((size_t)((char *)n - (char *)base) <= nodemax);
+	CONFIRM(CHECK_ALIGNMENT(n));
+	CONFIRM(DNS_RBTNODE_VALID(n));
+
+	dns_name_init(&nodename, NULL);
+	NODENAME(n, &nodename);
+
+	fullname = &nodename;
+	CONFIRM(dns_name_isvalid(fullname));
+
+	if (!dns_name_isabsolute(&nodename)) {
+		fullname = dns_fixedname_initname(&fixed);
+		CHECK(dns_name_concatenate(&nodename, name, fullname, NULL));
+	}
+
+	/* memorize header contents prior to fixup */
+	memmove(&header, n, sizeof(header));
+
+	if (n->left_is_relative) {
+		CONFIRM(n->left <= (dns_rbtnode_t *)nodemax);
+		n->left = getleft(n, rbt->mmap_location);
+		n->left_is_relative = 0;
+		CONFIRM(CHECK_ALIGNMENT(n->left));
+		CONFIRM(DNS_RBTNODE_VALID(n->left));
+	} else {
+		CONFIRM(n->left == NULL);
+	}
+
+	if (n->right_is_relative) {
+		CONFIRM(n->right <= (dns_rbtnode_t *)nodemax);
+		n->right = getright(n, rbt->mmap_location);
+		n->right_is_relative = 0;
+		CONFIRM(CHECK_ALIGNMENT(n->right));
+		CONFIRM(DNS_RBTNODE_VALID(n->right));
+	} else {
+		CONFIRM(n->right == NULL);
+	}
+
+	if (n->down_is_relative) {
+		CONFIRM(n->down <= (dns_rbtnode_t *)nodemax);
+		n->down = getdown(n, rbt->mmap_location);
+		n->down_is_relative = 0;
+		CONFIRM(n->down > (dns_rbtnode_t *)n);
+		CONFIRM(CHECK_ALIGNMENT(n->down));
+		CONFIRM(DNS_RBTNODE_VALID(n->down));
+	} else {
+		CONFIRM(n->down == NULL);
+	}
+
+	if (n->parent_is_relative) {
+		CONFIRM(n->parent <= (dns_rbtnode_t *)nodemax);
+		n->parent = getparent(n, rbt->mmap_location);
+		n->parent_is_relative = 0;
+		CONFIRM(n->parent < (dns_rbtnode_t *)n);
+		CONFIRM(CHECK_ALIGNMENT(n->parent));
+		CONFIRM(DNS_RBTNODE_VALID(n->parent));
+	} else {
+		CONFIRM(n->parent == NULL);
+	}
+
+	if (n->data_is_relative) {
+		CONFIRM(n->data <= (void *)filesize);
+		n->data = getdata(n, rbt->mmap_location);
+		n->data_is_relative = 0;
+		CONFIRM(n->data > (void *)n);
+		CONFIRM(CHECK_ALIGNMENT(n->data));
+	} else {
+		CONFIRM(n->data == NULL);
+	}
+
+	hash_node(rbt, n, fullname);
+
+	/* a change in the order (from left, right, down) will break hashing*/
+	if (n->left != NULL) {
+		CHECK(treefix(rbt, base, filesize, n->left, name, datafixer,
+			      fixer_arg, crc));
+	}
+	if (n->right != NULL) {
+		CHECK(treefix(rbt, base, filesize, n->right, name, datafixer,
+			      fixer_arg, crc));
+	}
+	if (n->down != NULL) {
+		CHECK(treefix(rbt, base, filesize, n->down, fullname, datafixer,
+			      fixer_arg, crc));
+	}
+
+	if (datafixer != NULL && n->data != NULL) {
+		CHECK(datafixer(n, base, filesize, fixer_arg, crc));
+	}
+
+	rbt->nodecount++;
+	node_data = (unsigned char *)n + sizeof(dns_rbtnode_t);
+	datasize = NODE_SIZE(n) - sizeof(dns_rbtnode_t);
+
+#ifdef DEBUG
+	fprintf(stderr, "deserialize ");
+	dns_name_print(&nodename, stderr);
+	fprintf(stderr, "\n");
+	hexdump("node header", (unsigned char *)&header, sizeof(dns_rbtnode_t));
+	hexdump("node data", node_data, datasize);
+#endif /* ifdef DEBUG */
+	isc_crc64_update(crc, (const uint8_t *)&header, sizeof(dns_rbtnode_t));
+	isc_crc64_update(crc, (const uint8_t *)node_data, datasize);
+
+cleanup:
+	return (result);
+}
+
+isc_result_t
+dns_rbt_deserialize_tree(void *base_address, size_t filesize,
+			 off_t header_offset, isc_mem_t *mctx,
+			 dns_rbtdeleter_t deleter, void *deleter_arg,
+			 dns_rbtdatafixer_t datafixer, void *fixer_arg,
+			 dns_rbtnode_t **originp, dns_rbt_t **rbtp) {
+	isc_result_t result = ISC_R_SUCCESS;
+	file_header_t *header;
+	dns_rbt_t *rbt = NULL;
+	uint64_t crc;
+	unsigned int host_big_endian;
+
+	REQUIRE(originp == NULL || *originp == NULL);
+	REQUIRE(rbtp != NULL && *rbtp == NULL);
+
+	isc_crc64_init(&crc);
+
+	CHECK(dns_rbt_create(mctx, deleter, deleter_arg, &rbt));
+
+	rbt->mmap_location = base_address;
+
+	header = (file_header_t *)((char *)base_address + header_offset);
+	if (!match_header_version(header)) {
+		result = ISC_R_INVALIDFILE;
+		goto cleanup;
+	}
+
+#ifdef DNS_RDATASET_FIXED
+	if (header->rdataset_fixed != 1) {
+		result = ISC_R_INVALIDFILE;
+		goto cleanup;
+	}
+
+#else  /* ifdef DNS_RDATASET_FIXED */
+	if (header->rdataset_fixed != 0) {
+		result = ISC_R_INVALIDFILE;
+		goto cleanup;
+	}
+#endif /* ifdef DNS_RDATASET_FIXED */
+
+	if (header->ptrsize != (uint32_t)sizeof(void *)) {
+		result = ISC_R_INVALIDFILE;
+		goto cleanup;
+	}
+
+	host_big_endian = (1 == htonl(1));
+	if (header->bigendian != host_big_endian) {
+		result = ISC_R_INVALIDFILE;
+		goto cleanup;
+	}
+
+	/* Copy other data items from the header into our rbt. */
+	rbt->root = (dns_rbtnode_t *)((char *)base_address + header_offset +
+				      header->first_node_offset);
+
+	if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize) {
+		result = ISC_R_INVALIDFILE;
+		goto cleanup;
+	}
+	maybe_rehash(rbt, header->nodecount);
+
+	CHECK(treefix(rbt, base_address, filesize, rbt->root, dns_rootname,
+		      datafixer, fixer_arg, &crc));
+
+	isc_crc64_final(&crc);
+#ifdef DEBUG
+	hexdump("deserializing CRC", (unsigned char *)&crc, sizeof(crc));
+#endif /* ifdef DEBUG */
+
+	/* Check file hash */
+	if (header->crc != crc) {
+		result = ISC_R_INVALIDFILE;
+		goto cleanup;
+	}
+
+	if (header->nodecount != rbt->nodecount) {
+		result = ISC_R_INVALIDFILE;
+		goto cleanup;
+	}
+
+	fixup_uppernodes(rbt);
+
+	*rbtp = rbt;
+	if (originp != NULL) {
+		*originp = rbt->root;
+	}
+
+cleanup:
+	if (result != ISC_R_SUCCESS && rbt != NULL) {
+		rbt->root = NULL;
+		rbt->nodecount = 0;
+		dns_rbt_destroy(&rbt);
+	}
+
+	return (result);
+}
+
+/*
+ * Initialize a red/black tree of trees.
+ */
+isc_result_t
+dns_rbt_create(isc_mem_t *mctx, dns_rbtdeleter_t deleter, void *deleter_arg,
+	       dns_rbt_t **rbtp) {
+	isc_result_t result;
+	dns_rbt_t *rbt;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(rbtp != NULL && *rbtp == NULL);
+	REQUIRE(deleter == NULL ? deleter_arg == NULL : 1);
+
+	rbt = isc_mem_get(mctx, sizeof(*rbt));
+
+	rbt->mctx = NULL;
+	isc_mem_attach(mctx, &rbt->mctx);
+	rbt->data_deleter = deleter;
+	rbt->deleter_arg = deleter_arg;
+	rbt->root = NULL;
+	rbt->nodecount = 0;
+	rbt->hashtable = NULL;
+	rbt->hashbits = 0;
+	rbt->maxhashbits = RBT_HASH_MAX_BITS;
+	rbt->mmap_location = NULL;
+
+	result = inithash(rbt);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_putanddetach(&rbt->mctx, rbt, sizeof(*rbt));
+		return (result);
+	}
+
+	rbt->magic = RBT_MAGIC;
+
+	*rbtp = rbt;
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Deallocate a red/black tree of trees.
+ */
+void
+dns_rbt_destroy(dns_rbt_t **rbtp) {
+	RUNTIME_CHECK(dns_rbt_destroy2(rbtp, 0) == ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_rbt_destroy2(dns_rbt_t **rbtp, unsigned int quantum) {
+	dns_rbt_t *rbt;
+
+	REQUIRE(rbtp != NULL && VALID_RBT(*rbtp));
+
+	rbt = *rbtp;
+
+	deletetreeflat(rbt, quantum, false, &rbt->root);
+	if (rbt->root != NULL) {
+		return (ISC_R_QUOTA);
+	}
+
+	*rbtp = NULL;
+
+	INSIST(rbt->nodecount == 0);
+
+	rbt->mmap_location = NULL;
+
+	if (rbt->hashtable != NULL) {
+		size_t size = HASHSIZE(rbt->hashbits) * sizeof(dns_rbtnode_t *);
+		isc_mem_put(rbt->mctx, rbt->hashtable, size);
+	}
+
+	rbt->magic = 0;
+
+	isc_mem_putanddetach(&rbt->mctx, rbt, sizeof(*rbt));
+	return (ISC_R_SUCCESS);
+}
+
+unsigned int
+dns_rbt_nodecount(dns_rbt_t *rbt) {
+	REQUIRE(VALID_RBT(rbt));
+
+	return (rbt->nodecount);
+}
+
+size_t
+dns_rbt_hashsize(dns_rbt_t *rbt) {
+	REQUIRE(VALID_RBT(rbt));
+
+	return (1 << rbt->hashbits);
+}
+
+isc_result_t
+dns_rbt_adjusthashsize(dns_rbt_t *rbt, size_t size) {
+	REQUIRE(VALID_RBT(rbt));
+
+	if (size > 0) {
+		/*
+		 * Setting a new, finite size limit was requested for the RBT.
+		 * Estimate how many hash table slots are needed for the
+		 * requested size and how many bits would be needed to index
+		 * those hash table slots, then rehash the RBT if necessary.
+		 * Note that the hash table can only grow, it is not shrunk if
+		 * the requested size limit is lower than the current one.
+		 */
+		size_t newsize = size / RBT_HASH_BUCKETSIZE;
+		rbt->maxhashbits = rehash_bits(rbt, newsize);
+		maybe_rehash(rbt, newsize);
+	} else {
+		/*
+		 * Setting an infinite size limit was requested for the RBT.
+		 * Increase the maximum allowed number of hash table slots to
+		 * 2^32, which enables the hash table to grow as nodes are
+		 * added to the RBT without immediately preallocating 2^32 hash
+		 * table slots.
+		 */
+		rbt->maxhashbits = RBT_HASH_MAX_BITS;
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+chain_name(dns_rbtnodechain_t *chain, dns_name_t *name,
+	   bool include_chain_end) {
+	dns_name_t nodename;
+	isc_result_t result = ISC_R_SUCCESS;
+	int i;
+
+	dns_name_init(&nodename, NULL);
+
+	if (include_chain_end && chain->end != NULL) {
+		NODENAME(chain->end, &nodename);
+		dns_name_copynf(&nodename, name);
+	} else {
+		dns_name_reset(name);
+	}
+
+	for (i = (int)chain->level_count - 1; i >= 0; i--) {
+		NODENAME(chain->levels[i], &nodename);
+		result = dns_name_concatenate(name, &nodename, name, NULL);
+
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+	return (result);
+}
+
+static isc_result_t
+move_chain_to_last(dns_rbtnodechain_t *chain, dns_rbtnode_t *node) {
+	do {
+		/*
+		 * Go as far right and then down as much as possible,
+		 * as long as the rightmost node has a down pointer.
+		 */
+		while (RIGHT(node) != NULL) {
+			node = RIGHT(node);
+		}
+
+		if (DOWN(node) == NULL) {
+			break;
+		}
+
+		ADD_LEVEL(chain, node);
+		node = DOWN(node);
+	} while (1);
+
+	chain->end = node;
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Add 'name' to tree, initializing its data pointer with 'data'.
+ */
+
+isc_result_t
+dns_rbt_addnode(dns_rbt_t *rbt, const dns_name_t *name, dns_rbtnode_t **nodep) {
+	/*
+	 * Does this thing have too many variables or what?
+	 */
+	dns_rbtnode_t **root, *parent, *child, *current, *new_current;
+	dns_name_t *add_name, *new_name, current_name, *prefix, *suffix;
+	dns_fixedname_t fixedcopy, fixedprefix, fixedsuffix, fnewname;
+	dns_offsets_t current_offsets;
+	dns_namereln_t compared;
+	isc_result_t result = ISC_R_SUCCESS;
+	unsigned int level_count;
+	unsigned int common_labels;
+	unsigned int nlabels, hlabels;
+	int order;
+
+	REQUIRE(VALID_RBT(rbt));
+	REQUIRE(dns_name_isabsolute(name));
+	REQUIRE(nodep != NULL && *nodep == NULL);
+
+	/*
+	 * Dear future BIND developer,
+	 *
+	 * After you have tried attempting to optimize this routine by
+	 * using the hashtable and have realized your folly, please
+	 * append another cross ("X") below as a warning to the next
+	 * future BIND developer:
+	 *
+	 * Number of victim developers: X
+	 *
+	 * I wish the past developer had included such a notice.
+	 *
+	 * Long form: Unlike dns_rbt_findnode(), this function does not
+	 * lend itself to be optimized using the hashtable:
+	 *
+	 * 1. In the subtree where the insertion occurs, this function
+	 * needs to have the insertion point and the order where the
+	 * lookup terminated (i.e., at the insertion point where left or
+	 * right child is NULL). This cannot be determined from the
+	 * hashtable, so at least in that subtree, a BST O(log N) lookup
+	 * is necessary.
+	 *
+	 * 2. Our RBT nodes contain not only single labels but label
+	 * sequences to optimize space usage. So at every level, we have
+	 * to look for a match in the hashtable for all superdomains in
+	 * the rest of the name we're searching. This is an O(N)
+	 * operation at least, here N being the label size of name, each
+	 * of which is a hashtable lookup involving dns_name_equal()
+	 * comparisons.
+	 */
+
+	/*
+	 * Create a copy of the name so the original name structure is
+	 * not modified.
+	 */
+	add_name = dns_fixedname_initname(&fixedcopy);
+	INSIST(add_name != NULL);
+	dns_name_clone(name, add_name);
+
+	if (ISC_UNLIKELY(rbt->root == NULL)) {
+		result = create_node(rbt->mctx, add_name, &new_current);
+		if (result == ISC_R_SUCCESS) {
+			rbt->nodecount++;
+			new_current->is_root = 1;
+
+			UPPERNODE(new_current) = NULL;
+
+			rbt->root = new_current;
+			*nodep = new_current;
+			hash_node(rbt, new_current, name);
+		}
+		return (result);
+	}
+
+	level_count = 0;
+
+	prefix = dns_fixedname_initname(&fixedprefix);
+	suffix = dns_fixedname_initname(&fixedsuffix);
+
+	INSIST(prefix != NULL);
+	INSIST(suffix != NULL);
+
+	root = &rbt->root;
+	INSIST(IS_ROOT(*root));
+	parent = NULL;
+	current = NULL;
+	child = *root;
+	dns_name_init(&current_name, current_offsets);
+	new_name = dns_fixedname_initname(&fnewname);
+	nlabels = dns_name_countlabels(name);
+	hlabels = 0;
+
+	do {
+		current = child;
+
+		NODENAME(current, &current_name);
+		compared = dns_name_fullcompare(add_name, &current_name, &order,
+						&common_labels);
+
+		if (compared == dns_namereln_equal) {
+			*nodep = current;
+			result = ISC_R_EXISTS;
+			break;
+		}
+
+		if (compared == dns_namereln_none) {
+			if (order < 0) {
+				parent = current;
+				child = LEFT(current);
+			} else if (order > 0) {
+				parent = current;
+				child = RIGHT(current);
+			}
+		} else {
+			/*
+			 * This name has some suffix in common with the
+			 * name at the current node.  If the name at
+			 * the current node is shorter, that means the
+			 * new name should be in a subtree.  If the
+			 * name at the current node is longer, that means
+			 * the down pointer to this tree should point
+			 * to a new tree that has the common suffix, and
+			 * the non-common parts of these two names should
+			 * start a new tree.
+			 */
+			hlabels += common_labels;
+			if (compared == dns_namereln_subdomain) {
+				/*
+				 * All of the existing labels are in common,
+				 * so the new name is in a subtree.
+				 * Whack off the common labels for the
+				 * not-in-common part to be searched for
+				 * in the next level.
+				 */
+				dns_name_split(add_name, common_labels,
+					       add_name, NULL);
+
+				/*
+				 * Follow the down pointer (possibly NULL).
+				 */
+				root = &DOWN(current);
+
+				INSIST(*root == NULL ||
+				       (IS_ROOT(*root) &&
+					PARENT(*root) == current));
+
+				parent = NULL;
+				child = DOWN(current);
+
+				INSIST(level_count < DNS_RBT_LEVELBLOCK);
+				level_count++;
+			} else {
+				/*
+				 * The number of labels in common is fewer
+				 * than the number of labels at the current
+				 * node, so the current node must be adjusted
+				 * to have just the common suffix, and a down
+				 * pointer made to a new tree.
+				 */
+
+				INSIST(compared ==
+					       dns_namereln_commonancestor ||
+				       compared == dns_namereln_contains);
+
+				/*
+				 * Ensure the number of levels in the tree
+				 * does not exceed the number of logical
+				 * levels allowed by DNSSEC.
+				 *
+				 * XXXDCL need a better error result?
+				 */
+				if (level_count >= DNS_RBT_LEVELBLOCK) {
+					result = ISC_R_NOSPACE;
+					break;
+				}
+
+				/*
+				 * Split the name into two parts, a prefix
+				 * which is the not-in-common parts of the
+				 * two names and a suffix that is the common
+				 * parts of them.
+				 */
+				dns_name_split(&current_name, common_labels,
+					       prefix, suffix);
+				result = create_node(rbt->mctx, suffix,
+						     &new_current);
+
+				if (result != ISC_R_SUCCESS) {
+					break;
+				}
+
+				/*
+				 * Reproduce the tree attributes of the
+				 * current node.
+				 */
+				new_current->is_root = current->is_root;
+				if (current->nsec == DNS_RBT_NSEC_HAS_NSEC) {
+					new_current->nsec = DNS_RBT_NSEC_NORMAL;
+				} else {
+					new_current->nsec = current->nsec;
+				}
+				PARENT(new_current) = PARENT(current);
+				LEFT(new_current) = LEFT(current);
+				RIGHT(new_current) = RIGHT(current);
+				COLOR(new_current) = COLOR(current);
+
+				/*
+				 * Fix pointers that were to the current node.
+				 */
+				if (parent != NULL) {
+					if (LEFT(parent) == current) {
+						LEFT(parent) = new_current;
+					} else {
+						RIGHT(parent) = new_current;
+					}
+				}
+				if (LEFT(new_current) != NULL) {
+					PARENT(LEFT(new_current)) = new_current;
+				}
+				if (RIGHT(new_current) != NULL) {
+					PARENT(RIGHT(new_current)) =
+						new_current;
+				}
+				if (*root == current) {
+					*root = new_current;
+				}
+
+				NAMELEN(current) = prefix->length;
+				OFFSETLEN(current) = prefix->labels;
+
+				/*
+				 * Set up the new root of the next level.
+				 * By definition it will not be the top
+				 * level tree, so clear DNS_NAMEATTR_ABSOLUTE.
+				 */
+				current->is_root = 1;
+				PARENT(current) = new_current;
+				DOWN(new_current) = current;
+				root = &DOWN(new_current);
+
+				UPPERNODE(new_current) = UPPERNODE(current);
+				UPPERNODE(current) = new_current;
+
+				INSIST(level_count < DNS_RBT_LEVELBLOCK);
+				level_count++;
+
+				LEFT(current) = NULL;
+				RIGHT(current) = NULL;
+
+				MAKE_BLACK(current);
+				ATTRS(current) &= ~DNS_NAMEATTR_ABSOLUTE;
+
+				rbt->nodecount++;
+				dns_name_getlabelsequence(name,
+							  nlabels - hlabels,
+							  hlabels, new_name);
+				hash_node(rbt, new_current, new_name);
+
+				if (common_labels ==
+				    dns_name_countlabels(add_name))
+				{
+					/*
+					 * The name has been added by pushing
+					 * the not-in-common parts down to
+					 * a new level.
+					 */
+					*nodep = new_current;
+					return (ISC_R_SUCCESS);
+				} else {
+					/*
+					 * The current node has no data,
+					 * because it is just a placeholder.
+					 * Its data pointer is already NULL
+					 * from create_node()), so there's
+					 * nothing more to do to it.
+					 */
+
+					/*
+					 * The not-in-common parts of the new
+					 * name will be inserted into the new
+					 * level following this loop (unless
+					 * result != ISC_R_SUCCESS, which
+					 * is tested after the loop ends).
+					 */
+					dns_name_split(add_name, common_labels,
+						       add_name, NULL);
+
+					break;
+				}
+			}
+		}
+	} while (ISC_LIKELY(child != NULL));
+
+	if (ISC_LIKELY(result == ISC_R_SUCCESS)) {
+		result = create_node(rbt->mctx, add_name, &new_current);
+	}
+
+	if (ISC_LIKELY(result == ISC_R_SUCCESS)) {
+		if (*root == NULL) {
+			UPPERNODE(new_current) = current;
+		} else {
+			UPPERNODE(new_current) = PARENT(*root);
+		}
+
+		addonlevel(new_current, current, order, root);
+		rbt->nodecount++;
+		*nodep = new_current;
+		hash_node(rbt, new_current, name);
+	}
+
+	return (result);
+}
+
+/*
+ * Add a name to the tree of trees, associating it with some data.
+ */
+isc_result_t
+dns_rbt_addname(dns_rbt_t *rbt, const dns_name_t *name, void *data) {
+	isc_result_t result;
+	dns_rbtnode_t *node;
+
+	REQUIRE(VALID_RBT(rbt));
+	REQUIRE(dns_name_isabsolute(name));
+
+	node = NULL;
+
+	result = dns_rbt_addnode(rbt, name, &node);
+
+	/*
+	 * dns_rbt_addnode will report the node exists even when
+	 * it does not have data associated with it, but the
+	 * dns_rbt_*name functions all behave depending on whether
+	 * there is data associated with a node.
+	 */
+	if (result == ISC_R_SUCCESS ||
+	    (result == ISC_R_EXISTS && DATA(node) == NULL))
+	{
+		DATA(node) = data;
+		result = ISC_R_SUCCESS;
+	}
+
+	return (result);
+}
+
+/*
+ * Find the node for "name" in the tree of trees.
+ */
+isc_result_t
+dns_rbt_findnode(dns_rbt_t *rbt, const dns_name_t *name, dns_name_t *foundname,
+		 dns_rbtnode_t **node, dns_rbtnodechain_t *chain,
+		 unsigned int options, dns_rbtfindcallback_t callback,
+		 void *callback_arg) {
+	dns_rbtnode_t *current, *last_compared;
+	dns_rbtnodechain_t localchain;
+	dns_name_t *search_name, current_name, *callback_name;
+	dns_fixedname_t fixedcallbackname, fixedsearchname;
+	dns_namereln_t compared;
+	isc_result_t result, saved_result;
+	unsigned int common_labels;
+	unsigned int hlabels = 0;
+	int order;
+
+	REQUIRE(VALID_RBT(rbt));
+	REQUIRE(dns_name_isabsolute(name));
+	REQUIRE(node != NULL && *node == NULL);
+	REQUIRE((options & (DNS_RBTFIND_NOEXACT | DNS_RBTFIND_NOPREDECESSOR)) !=
+		(DNS_RBTFIND_NOEXACT | DNS_RBTFIND_NOPREDECESSOR));
+
+	/*
+	 * If there is a chain it needs to appear to be in a sane state,
+	 * otherwise a chain is still needed to generate foundname and
+	 * callback_name.
+	 */
+	if (chain == NULL) {
+		options |= DNS_RBTFIND_NOPREDECESSOR;
+		chain = &localchain;
+		dns_rbtnodechain_init(chain);
+	} else {
+		dns_rbtnodechain_reset(chain);
+	}
+
+	if (ISC_UNLIKELY(rbt->root == NULL)) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	/*
+	 * Appease GCC about variables it incorrectly thinks are
+	 * possibly used uninitialized.
+	 */
+	compared = dns_namereln_none;
+	last_compared = NULL;
+	order = 0;
+
+	callback_name = dns_fixedname_initname(&fixedcallbackname);
+
+	/*
+	 * search_name is the name segment being sought in each tree level.
+	 * By using a fixedname, the search_name will definitely have offsets
+	 * for use by any splitting.
+	 * By using dns_name_clone, no name data should be copied thanks to
+	 * the lack of bitstring labels.
+	 */
+	search_name = dns_fixedname_initname(&fixedsearchname);
+	INSIST(search_name != NULL);
+	dns_name_clone(name, search_name);
+
+	dns_name_init(&current_name, NULL);
+
+	saved_result = ISC_R_SUCCESS;
+	current = rbt->root;
+
+	while (ISC_LIKELY(current != NULL)) {
+		NODENAME(current, &current_name);
+		compared = dns_name_fullcompare(search_name, &current_name,
+						&order, &common_labels);
+		/*
+		 * last_compared is used as a shortcut to start (or
+		 * continue rather) finding the stop-node of the search
+		 * when hashing was used (see much below in this
+		 * function).
+		 */
+		last_compared = current;
+
+		if (compared == dns_namereln_equal) {
+			break;
+		}
+
+		if (compared == dns_namereln_none) {
+			/*
+			 * Here, current is pointing at a subtree root
+			 * node. We try to find a matching node using
+			 * the hashtable. We can get one of 3 results
+			 * here: (a) we locate the matching node, (b) we
+			 * find a node to which the current node has a
+			 * subdomain relation, (c) we fail to find (a)
+			 * or (b).
+			 */
+
+			dns_name_t hash_name;
+			dns_rbtnode_t *hnode;
+			dns_rbtnode_t *up_current;
+			unsigned int nlabels;
+			unsigned int tlabels = 1;
+			uint32_t hash;
+
+			/*
+			 * The case of current not being a subtree root,
+			 * that means a left or right pointer was
+			 * followed, only happens when the algorithm
+			 * fell through to the traditional binary search
+			 * because of a bitstring label.  Since we
+			 * dropped the bitstring support, this should
+			 * not happen.
+			 */
+			INSIST(IS_ROOT(current));
+
+			nlabels = dns_name_countlabels(search_name);
+
+			/*
+			 * current is the root of the current level, so
+			 * its parent is the same as its "up" pointer.
+			 */
+			up_current = PARENT(current);
+			dns_name_init(&hash_name, NULL);
+
+		hashagain:
+			/*
+			 * Compute the hash over the full absolute
+			 * name. Look for the smallest suffix match at
+			 * this tree level (hlevel), and then at every
+			 * iteration, look for the next smallest suffix
+			 * match (add another subdomain label to the
+			 * absolute name being hashed).
+			 */
+			dns_name_getlabelsequence(name, nlabels - tlabels,
+						  hlabels + tlabels,
+						  &hash_name);
+			hash = dns_name_fullhash(&hash_name, false);
+			dns_name_getlabelsequence(search_name,
+						  nlabels - tlabels, tlabels,
+						  &hash_name);
+
+			/*
+			 * Walk all the nodes in the hash bucket pointed
+			 * by the computed hash value.
+			 */
+			for (hnode = rbt->hashtable[hash_32(hash,
+							    rbt->hashbits)];
+			     hnode != NULL; hnode = hnode->hashnext)
+			{
+				dns_name_t hnode_name;
+
+				if (ISC_LIKELY(hash != HASHVAL(hnode))) {
+					continue;
+				}
+				/*
+				 * This checks that the hashed label
+				 * sequence being looked up is at the
+				 * same tree level, so that we don't
+				 * match a labelsequence from some other
+				 * subdomain.
+				 */
+				if (ISC_LIKELY(get_upper_node(hnode) !=
+					       up_current))
+				{
+					continue;
+				}
+
+				dns_name_init(&hnode_name, NULL);
+				NODENAME(hnode, &hnode_name);
+				if (ISC_LIKELY(dns_name_equal(&hnode_name,
+							      &hash_name)))
+				{
+					break;
+				}
+			}
+
+			if (hnode != NULL) {
+				current = hnode;
+				/*
+				 * This is an optimization.  If hashing found
+				 * the right node, the next call to
+				 * dns_name_fullcompare() would obviously
+				 * return _equal or _subdomain.  Determine
+				 * which of those would be the case by
+				 * checking if the full name was hashed.  Then
+				 * make it look like dns_name_fullcompare
+				 * was called and jump to the right place.
+				 */
+				if (tlabels == nlabels) {
+					compared = dns_namereln_equal;
+					break;
+				} else {
+					common_labels = tlabels;
+					compared = dns_namereln_subdomain;
+					goto subdomain;
+				}
+			}
+
+			if (tlabels++ < nlabels) {
+				goto hashagain;
+			}
+
+			/*
+			 * All of the labels have been tried against the hash
+			 * table.  Since we dropped the support of bitstring
+			 * labels, the name isn't in the table.
+			 */
+			current = NULL;
+			continue;
+		} else {
+			/*
+			 * The names have some common suffix labels.
+			 *
+			 * If the number in common are equal in length to
+			 * the current node's name length, then follow the
+			 * down pointer and search in the new tree.
+			 */
+			if (compared == dns_namereln_subdomain) {
+			subdomain:
+				/*
+				 * Whack off the current node's common parts
+				 * for the name to search in the next level.
+				 */
+				dns_name_split(search_name, common_labels,
+					       search_name, NULL);
+				hlabels += common_labels;
+				/*
+				 * This might be the closest enclosing name.
+				 */
+				if (WANTEMPTYDATA_OR_DATA(options, current)) {
+					*node = current;
+				}
+
+				/*
+				 * Point the chain to the next level.   This
+				 * needs to be done before 'current' is pointed
+				 * there because the callback in the next
+				 * block of code needs the current 'current',
+				 * but in the event the callback requests that
+				 * the search be stopped then the
+				 * DNS_R_PARTIALMATCH code at the end of this
+				 * function needs the chain pointed to the
+				 * next level.
+				 */
+				ADD_LEVEL(chain, current);
+
+				/*
+				 * The caller may want to interrupt the
+				 * downward search when certain special nodes
+				 * are traversed.  If this is a special node,
+				 * the callback is used to learn what the
+				 * caller wants to do.
+				 */
+				if (callback != NULL && FINDCALLBACK(current)) {
+					result = chain_name(
+						chain, callback_name, false);
+					if (result != ISC_R_SUCCESS) {
+						dns_rbtnodechain_reset(chain);
+						return (result);
+					}
+
+					result = (callback)(current,
+							    callback_name,
+							    callback_arg);
+					if (result != DNS_R_CONTINUE) {
+						saved_result = result;
+						/*
+						 * Treat this node as if it
+						 * had no down pointer.
+						 */
+						current = NULL;
+						break;
+					}
+				}
+
+				/*
+				 * Finally, head to the next tree level.
+				 */
+				current = DOWN(current);
+			} else {
+				/*
+				 * Though there are labels in common, the
+				 * entire name at this node is not common
+				 * with the search name so the search
+				 * name does not exist in the tree.
+				 */
+				INSIST(compared ==
+					       dns_namereln_commonancestor ||
+				       compared == dns_namereln_contains);
+
+				current = NULL;
+			}
+		}
+	}
+
+	/*
+	 * If current is not NULL, NOEXACT is not disallowing exact matches,
+	 * and either the node has data or an empty node is ok, return
+	 * ISC_R_SUCCESS to indicate an exact match.
+	 */
+	if (current != NULL && (options & DNS_RBTFIND_NOEXACT) == 0 &&
+	    WANTEMPTYDATA_OR_DATA(options, current))
+	{
+		/*
+		 * Found an exact match.
+		 */
+		chain->end = current;
+		chain->level_matches = chain->level_count;
+
+		if (foundname != NULL) {
+			result = chain_name(chain, foundname, true);
+		} else {
+			result = ISC_R_SUCCESS;
+		}
+
+		if (result == ISC_R_SUCCESS) {
+			*node = current;
+			result = saved_result;
+		} else {
+			*node = NULL;
+		}
+	} else {
+		/*
+		 * Did not find an exact match (or did not want one).
+		 */
+		if (*node != NULL) {
+			/*
+			 * ... but found a partially matching superdomain.
+			 * Unwind the chain to the partial match node
+			 * to set level_matches to the level above the node,
+			 * and then to derive the name.
+			 *
+			 * chain->level_count is guaranteed to be at least 1
+			 * here because by definition of finding a superdomain,
+			 * the chain is pointed to at least the first subtree.
+			 */
+			chain->level_matches = chain->level_count - 1;
+
+			while (chain->levels[chain->level_matches] != *node) {
+				INSIST(chain->level_matches > 0);
+				chain->level_matches--;
+			}
+
+			if (foundname != NULL) {
+				unsigned int saved_count = chain->level_count;
+
+				chain->level_count = chain->level_matches + 1;
+
+				result = chain_name(chain, foundname, false);
+
+				chain->level_count = saved_count;
+			} else {
+				result = ISC_R_SUCCESS;
+			}
+
+			if (result == ISC_R_SUCCESS) {
+				result = DNS_R_PARTIALMATCH;
+			}
+		} else {
+			result = ISC_R_NOTFOUND;
+		}
+
+		if (current != NULL) {
+			/*
+			 * There was an exact match but either
+			 * DNS_RBTFIND_NOEXACT was set, or
+			 * DNS_RBTFIND_EMPTYDATA was set and the node had no
+			 * data.  A policy decision was made to set the
+			 * chain to the exact match, but this is subject
+			 * to change if it becomes apparent that something
+			 * else would be more useful.  It is important that
+			 * this case is handled here, because the predecessor
+			 * setting code below assumes the match was not exact.
+			 */
+			INSIST(((options & DNS_RBTFIND_NOEXACT) != 0) ||
+			       ((options & DNS_RBTFIND_EMPTYDATA) == 0 &&
+				DATA(current) == NULL));
+			chain->end = current;
+		} else if ((options & DNS_RBTFIND_NOPREDECESSOR) != 0) {
+			/*
+			 * Ensure the chain points nowhere.
+			 */
+			chain->end = NULL;
+		} else {
+			/*
+			 * Since there was no exact match, the chain argument
+			 * needs to be pointed at the DNSSEC predecessor of
+			 * the search name.
+			 */
+			if (compared == dns_namereln_subdomain) {
+				/*
+				 * Attempted to follow a down pointer that was
+				 * NULL, which means the searched for name was
+				 * a subdomain of a terminal name in the tree.
+				 * Since there are no existing subdomains to
+				 * order against, the terminal name is the
+				 * predecessor.
+				 */
+				INSIST(chain->level_count > 0);
+				INSIST(chain->level_matches <
+				       chain->level_count);
+				chain->end =
+					chain->levels[--chain->level_count];
+			} else {
+				isc_result_t result2;
+
+				/*
+				 * Point current to the node that stopped
+				 * the search.
+				 *
+				 * With the hashing modification that has been
+				 * added to the algorithm, the stop node of a
+				 * standard binary search is not known.  So it
+				 * has to be found.  There is probably a more
+				 * clever way of doing this.
+				 *
+				 * The assignment of current to NULL when
+				 * the relationship is *not* dns_namereln_none,
+				 * even though it later gets set to the same
+				 * last_compared anyway, is simply to not push
+				 * the while loop in one more level of
+				 * indentation.
+				 */
+				if (compared == dns_namereln_none) {
+					current = last_compared;
+				} else {
+					current = NULL;
+				}
+
+				while (current != NULL) {
+					NODENAME(current, &current_name);
+					compared = dns_name_fullcompare(
+						search_name, &current_name,
+						&order, &common_labels);
+					POST(compared);
+
+					last_compared = current;
+
+					/*
+					 * Standard binary search movement.
+					 */
+					if (order < 0) {
+						current = LEFT(current);
+					} else {
+						current = RIGHT(current);
+					}
+				}
+
+				current = last_compared;
+
+				/*
+				 * Reached a point within a level tree that
+				 * positively indicates the name is not
+				 * present, but the stop node could be either
+				 * less than the desired name (order > 0) or
+				 * greater than the desired name (order < 0).
+				 *
+				 * If the stop node is less, it is not
+				 * necessarily the predecessor.  If the stop
+				 * node has a down pointer, then the real
+				 * predecessor is at the end of a level below
+				 * (not necessarily the next level).
+				 * Move down levels until the rightmost node
+				 * does not have a down pointer.
+				 *
+				 * When the stop node is greater, it is
+				 * the successor.  All the logic for finding
+				 * the predecessor is handily encapsulated
+				 * in dns_rbtnodechain_prev.  In the event
+				 * that the search name is less than anything
+				 * else in the tree, the chain is reset.
+				 * XXX DCL What is the best way for the caller
+				 *         to know that the search name has
+				 *         no predecessor?
+				 */
+
+				if (order > 0) {
+					if (DOWN(current) != NULL) {
+						ADD_LEVEL(chain, current);
+
+						result2 = move_chain_to_last(
+							chain, DOWN(current));
+
+						if (result2 != ISC_R_SUCCESS) {
+							result = result2;
+						}
+					} else {
+						/*
+						 * Ah, the pure and simple
+						 * case.  The stop node is the
+						 * predecessor.
+						 */
+						chain->end = current;
+					}
+				} else {
+					INSIST(order < 0);
+
+					chain->end = current;
+
+					result2 = dns_rbtnodechain_prev(
+						chain, NULL, NULL);
+					if (result2 == ISC_R_SUCCESS ||
+					    result2 == DNS_R_NEWORIGIN)
+					{
+						/* Nothing. */
+					} else if (result2 == ISC_R_NOMORE) {
+						/*
+						 * There is no predecessor.
+						 */
+						dns_rbtnodechain_reset(chain);
+					} else {
+						result = result2;
+					}
+				}
+			}
+		}
+	}
+
+	ENSURE(*node == NULL || DNS_RBTNODE_VALID(*node));
+
+	return (result);
+}
+
+/*
+ * Get the data pointer associated with 'name'.
+ */
+isc_result_t
+dns_rbt_findname(dns_rbt_t *rbt, const dns_name_t *name, unsigned int options,
+		 dns_name_t *foundname, void **data) {
+	dns_rbtnode_t *node = NULL;
+	isc_result_t result;
+
+	REQUIRE(data != NULL && *data == NULL);
+
+	result = dns_rbt_findnode(rbt, name, foundname, &node, NULL, options,
+				  NULL, NULL);
+
+	if (node != NULL && WANTEMPTYDATA_OR_DATA(options, node)) {
+		*data = DATA(node);
+	} else {
+		result = ISC_R_NOTFOUND;
+	}
+
+	return (result);
+}
+
+/*
+ * Delete a name from the tree of trees.
+ */
+isc_result_t
+dns_rbt_deletename(dns_rbt_t *rbt, const dns_name_t *name, bool recurse) {
+	dns_rbtnode_t *node = NULL;
+	isc_result_t result;
+
+	REQUIRE(VALID_RBT(rbt));
+	REQUIRE(dns_name_isabsolute(name));
+
+	/*
+	 * First, find the node.
+	 *
+	 * When searching, the name might not have an exact match:
+	 * consider a.b.a.com, b.b.a.com and c.b.a.com as the only
+	 * elements of a tree, which would make layer 1 a single
+	 * node tree of "b.a.com" and layer 2 a three node tree of
+	 * a, b, and c.  Deleting a.com would find only a partial depth
+	 * match in the first layer.  Should it be a requirement that
+	 * that the name to be deleted have data?  For now, it is.
+	 *
+	 * ->dirty, ->locknum and ->references are ignored; they are
+	 * solely the province of rbtdb.c.
+	 */
+	result = dns_rbt_findnode(rbt, name, NULL, &node, NULL,
+				  DNS_RBTFIND_NOOPTIONS, NULL, NULL);
+
+	if (result == ISC_R_SUCCESS) {
+		if (DATA(node) != NULL) {
+			result = dns_rbt_deletenode(rbt, node, recurse);
+		} else {
+			result = ISC_R_NOTFOUND;
+		}
+	} else if (result == DNS_R_PARTIALMATCH) {
+		result = ISC_R_NOTFOUND;
+	}
+
+	return (result);
+}
+
+/*
+ * Remove a node from the tree of trees.
+ *
+ * NOTE WELL: deletion is *not* symmetric with addition; that is, reversing
+ * a sequence of additions to be deletions will not generally get the
+ * tree back to the state it started in.  For example, if the addition
+ * of "b.c" caused the node "a.b.c" to be split, pushing "a" to its own level,
+ * then the subsequent deletion of "b.c" will not cause "a" to be pulled up,
+ * restoring "a.b.c".  The RBT *used* to do this kind of rejoining, but it
+ * turned out to be a bad idea because it could corrupt an active nodechain
+ * that had "b.c" as one of its levels -- and the RBT has no idea what
+ * nodechains are in use by callers, so it can't even *try* to helpfully
+ * fix them up (which would probably be doomed to failure anyway).
+ *
+ * Similarly, it is possible to leave the tree in a state where a supposedly
+ * deleted node still exists.  The first case of this is obvious; take
+ * the tree which has "b.c" on one level, pointing to "a".  Now deleted "b.c".
+ * It was just established in the previous paragraph why we can't pull "a"
+ * back up to its parent level.  But what happens when "a" then gets deleted?
+ * "b.c" is left hanging around without data or children.  This condition
+ * is actually pretty easy to detect, but ... should it really be removed?
+ * Is a chain pointing to it?  An iterator?  Who knows!  (Note that the
+ * references structure member cannot be looked at because it is private to
+ * rbtdb.)  This is ugly and makes me unhappy, but after hours of trying to
+ * make it more aesthetically proper and getting nowhere, this is the way it
+ * is going to stay until such time as it proves to be a *real* problem.
+ *
+ * Finally, for reference, note that the original routine that did node
+ * joining was called join_nodes().  It has been excised, living now only
+ * in the CVS history, but comments have been left behind that point to it just
+ * in case someone wants to muck with this some more.
+ *
+ * The one positive aspect of all of this is that joining used to have a
+ * case where it might fail.  Without trying to join, now this function always
+ * succeeds. It still returns isc_result_t, though, so the API wouldn't change.
+ */
+isc_result_t
+dns_rbt_deletenode(dns_rbt_t *rbt, dns_rbtnode_t *node, bool recurse) {
+	dns_rbtnode_t *parent;
+
+	REQUIRE(VALID_RBT(rbt));
+	REQUIRE(DNS_RBTNODE_VALID(node));
+	INSIST(rbt->nodecount != 0);
+
+	if (DOWN(node) != NULL) {
+		if (recurse) {
+			PARENT(DOWN(node)) = NULL;
+			deletetreeflat(rbt, 0, true, &DOWN(node));
+		} else {
+			if (DATA(node) != NULL && rbt->data_deleter != NULL) {
+				rbt->data_deleter(DATA(node), rbt->deleter_arg);
+			}
+			DATA(node) = NULL;
+
+			/*
+			 * Since there is at least one node below this one and
+			 * no recursion was requested, the deletion is
+			 * complete.  The down node from this node might be all
+			 * by itself on a single level, so join_nodes() could
+			 * be used to collapse the tree (with all the caveats
+			 * of the comment at the start of this function).
+			 * But join_nodes() function has now been removed.
+			 */
+			return (ISC_R_SUCCESS);
+		}
+	}
+
+	/*
+	 * Note the node that points to the level of the node
+	 * that is being deleted.  If the deleted node is the
+	 * top level, parent will be set to NULL.
+	 */
+	parent = get_upper_node(node);
+
+	/*
+	 * This node now has no down pointer, so now it needs
+	 * to be removed from this level.
+	 */
+	deletefromlevel(node, parent == NULL ? &rbt->root : &DOWN(parent));
+
+	if (DATA(node) != NULL && rbt->data_deleter != NULL) {
+		rbt->data_deleter(DATA(node), rbt->deleter_arg);
+	}
+
+	unhash_node(rbt, node);
+#if DNS_RBT_USEMAGIC
+	node->magic = 0;
+#endif /* if DNS_RBT_USEMAGIC */
+	isc_refcount_destroy(&node->references);
+
+	freenode(rbt, &node);
+
+	/*
+	 * This function never fails.
+	 */
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_rbt_namefromnode(dns_rbtnode_t *node, dns_name_t *name) {
+	REQUIRE(DNS_RBTNODE_VALID(node));
+	REQUIRE(name != NULL);
+	REQUIRE(name->offsets == NULL);
+
+	NODENAME(node, name);
+}
+
+isc_result_t
+dns_rbt_fullnamefromnode(dns_rbtnode_t *node, dns_name_t *name) {
+	dns_name_t current;
+	isc_result_t result;
+
+	REQUIRE(DNS_RBTNODE_VALID(node));
+	REQUIRE(name != NULL);
+	REQUIRE(name->buffer != NULL);
+
+	dns_name_init(&current, NULL);
+	dns_name_reset(name);
+
+	do {
+		INSIST(node != NULL);
+
+		NODENAME(node, &current);
+
+		result = dns_name_concatenate(name, &current, name, NULL);
+		if (result != ISC_R_SUCCESS) {
+			break;
+		}
+
+		node = get_upper_node(node);
+	} while (!dns_name_isabsolute(name));
+
+	return (result);
+}
+
+char *
+dns_rbt_formatnodename(dns_rbtnode_t *node, char *printname,
+		       unsigned int size) {
+	dns_fixedname_t fixedname;
+	dns_name_t *name;
+	isc_result_t result;
+
+	REQUIRE(DNS_RBTNODE_VALID(node));
+	REQUIRE(printname != NULL);
+
+	name = dns_fixedname_initname(&fixedname);
+	result = dns_rbt_fullnamefromnode(node, name);
+	if (result == ISC_R_SUCCESS) {
+		dns_name_format(name, printname, size);
+	} else {
+		snprintf(printname, size, "<error building name: %s>",
+			 dns_result_totext(result));
+	}
+
+	return (printname);
+}
+
+static isc_result_t
+create_node(isc_mem_t *mctx, const dns_name_t *name, dns_rbtnode_t **nodep) {
+	dns_rbtnode_t *node;
+	isc_region_t region;
+	unsigned int labels;
+	size_t nodelen;
+
+	REQUIRE(name->offsets != NULL);
+
+	dns_name_toregion(name, &region);
+	labels = dns_name_countlabels(name);
+	ENSURE(labels > 0);
+
+	/*
+	 * Allocate space for the node structure, the name, and the offsets.
+	 */
+	nodelen = sizeof(dns_rbtnode_t) + region.length + labels + 1;
+	node = isc_mem_get(mctx, nodelen);
+	memset(node, 0, nodelen);
+
+	node->is_root = 0;
+	PARENT(node) = NULL;
+	RIGHT(node) = NULL;
+	LEFT(node) = NULL;
+	DOWN(node) = NULL;
+	DATA(node) = NULL;
+	node->is_mmapped = 0;
+	node->down_is_relative = 0;
+	node->left_is_relative = 0;
+	node->right_is_relative = 0;
+	node->parent_is_relative = 0;
+	node->data_is_relative = 0;
+	node->rpz = 0;
+
+	HASHNEXT(node) = NULL;
+	HASHVAL(node) = 0;
+
+	ISC_LINK_INIT(node, deadlink);
+
+	LOCKNUM(node) = 0;
+	WILD(node) = 0;
+	DIRTY(node) = 0;
+	isc_refcount_init(&node->references, 0);
+	node->find_callback = 0;
+	node->nsec = DNS_RBT_NSEC_NORMAL;
+
+	MAKE_BLACK(node);
+
+	/*
+	 * The following is stored to make reconstructing a name from the
+	 * stored value in the node easy:  the length of the name, the number
+	 * of labels, whether the name is absolute or not, the name itself,
+	 * and the name's offsets table.
+	 *
+	 * XXX RTH
+	 *      The offsets table could be made smaller by eliminating the
+	 *      first offset, which is always 0.  This requires changes to
+	 *      lib/dns/name.c.
+	 *
+	 * Note: OLDOFFSETLEN *must* be assigned *after* OLDNAMELEN is assigned
+	 * 	 as it uses OLDNAMELEN.
+	 */
+	OLDNAMELEN(node) = NAMELEN(node) = region.length;
+	OLDOFFSETLEN(node) = OFFSETLEN(node) = labels;
+	ATTRS(node) = name->attributes;
+
+	memmove(NAME(node), region.base, region.length);
+	memmove(OFFSETS(node), name->offsets, labels);
+
+#if DNS_RBT_USEMAGIC
+	node->magic = DNS_RBTNODE_MAGIC;
+#endif /* if DNS_RBT_USEMAGIC */
+	*nodep = node;
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Add a node to the hash table
+ */
+static void
+hash_add_node(dns_rbt_t *rbt, dns_rbtnode_t *node, const dns_name_t *name) {
+	uint32_t hash;
+
+	REQUIRE(name != NULL);
+
+	HASHVAL(node) = dns_name_fullhash(name, false);
+
+	hash = hash_32(HASHVAL(node), rbt->hashbits);
+	HASHNEXT(node) = rbt->hashtable[hash];
+
+	rbt->hashtable[hash] = node;
+}
+
+/*
+ * Initialize hash table
+ */
+static isc_result_t
+inithash(dns_rbt_t *rbt) {
+	size_t size;
+
+	rbt->hashbits = RBT_HASH_MIN_BITS;
+	size = HASHSIZE(rbt->hashbits) * sizeof(dns_rbtnode_t *);
+	rbt->hashtable = isc_mem_get(rbt->mctx, size);
+	memset(rbt->hashtable, 0, size);
+
+	return (ISC_R_SUCCESS);
+}
+
+static uint32_t
+rehash_bits(dns_rbt_t *rbt, size_t newcount) {
+	uint32_t newbits = rbt->hashbits;
+
+	while (newcount >= HASHSIZE(newbits) && newbits < RBT_HASH_MAX_BITS) {
+		newbits += 1;
+	}
+
+	return (newbits);
+}
+
+/*
+ * Rebuild the hashtable to reduce the load factor
+ */
+static void
+rehash(dns_rbt_t *rbt, uint32_t newbits) {
+	uint32_t oldbits;
+	size_t oldsize;
+	dns_rbtnode_t **oldtable;
+	size_t newsize;
+
+	REQUIRE(rbt->hashbits <= rbt->maxhashbits);
+	REQUIRE(newbits <= rbt->maxhashbits);
+
+	oldbits = rbt->hashbits;
+	oldsize = HASHSIZE(oldbits);
+	oldtable = rbt->hashtable;
+
+	rbt->hashbits = newbits;
+	newsize = HASHSIZE(rbt->hashbits);
+	rbt->hashtable = isc_mem_get(rbt->mctx,
+				     newsize * sizeof(dns_rbtnode_t *));
+	memset(rbt->hashtable, 0, newsize * sizeof(dns_rbtnode_t *));
+
+	for (size_t i = 0; i < oldsize; i++) {
+		dns_rbtnode_t *node;
+		dns_rbtnode_t *nextnode;
+		for (node = oldtable[i]; node != NULL; node = nextnode) {
+			uint32_t hash = hash_32(HASHVAL(node), rbt->hashbits);
+			nextnode = HASHNEXT(node);
+			HASHNEXT(node) = rbt->hashtable[hash];
+			rbt->hashtable[hash] = node;
+		}
+	}
+
+	isc_mem_put(rbt->mctx, oldtable, oldsize * sizeof(dns_rbtnode_t *));
+}
+
+static void
+maybe_rehash(dns_rbt_t *rbt, size_t newcount) {
+	uint32_t newbits = rehash_bits(rbt, newcount);
+	if (rbt->hashbits < newbits && newbits <= rbt->maxhashbits) {
+		rehash(rbt, newbits);
+	}
+}
+
+/*
+ * Add a node to the hash table. Rehash the hashtable if the node count
+ * rises above a critical level.
+ */
+static void
+hash_node(dns_rbt_t *rbt, dns_rbtnode_t *node, const dns_name_t *name) {
+	REQUIRE(DNS_RBTNODE_VALID(node));
+
+	if (rbt->nodecount >= (HASHSIZE(rbt->hashbits) * RBT_HASH_OVERCOMMIT)) {
+		maybe_rehash(rbt, rbt->nodecount);
+	}
+
+	hash_add_node(rbt, node, name);
+}
+
+/*
+ * Remove a node from the hash table
+ */
+static void
+unhash_node(dns_rbt_t *rbt, dns_rbtnode_t *node) {
+	uint32_t bucket;
+	dns_rbtnode_t *bucket_node;
+
+	REQUIRE(DNS_RBTNODE_VALID(node));
+
+	bucket = hash_32(HASHVAL(node), rbt->hashbits);
+	bucket_node = rbt->hashtable[bucket];
+
+	if (bucket_node == node) {
+		rbt->hashtable[bucket] = HASHNEXT(node);
+	} else {
+		while (HASHNEXT(bucket_node) != node) {
+			INSIST(HASHNEXT(bucket_node) != NULL);
+			bucket_node = HASHNEXT(bucket_node);
+		}
+		HASHNEXT(bucket_node) = HASHNEXT(node);
+	}
+}
+
+static void
+rotate_left(dns_rbtnode_t *node, dns_rbtnode_t **rootp) {
+	dns_rbtnode_t *child;
+
+	REQUIRE(DNS_RBTNODE_VALID(node));
+	REQUIRE(rootp != NULL);
+
+	child = RIGHT(node);
+	INSIST(child != NULL);
+
+	RIGHT(node) = LEFT(child);
+	if (LEFT(child) != NULL) {
+		PARENT(LEFT(child)) = node;
+	}
+	LEFT(child) = node;
+
+	PARENT(child) = PARENT(node);
+
+	if (IS_ROOT(node)) {
+		*rootp = child;
+		child->is_root = 1;
+		node->is_root = 0;
+	} else {
+		if (LEFT(PARENT(node)) == node) {
+			LEFT(PARENT(node)) = child;
+		} else {
+			RIGHT(PARENT(node)) = child;
+		}
+	}
+
+	PARENT(node) = child;
+}
+
+static void
+rotate_right(dns_rbtnode_t *node, dns_rbtnode_t **rootp) {
+	dns_rbtnode_t *child;
+
+	REQUIRE(DNS_RBTNODE_VALID(node));
+	REQUIRE(rootp != NULL);
+
+	child = LEFT(node);
+	INSIST(child != NULL);
+
+	LEFT(node) = RIGHT(child);
+	if (RIGHT(child) != NULL) {
+		PARENT(RIGHT(child)) = node;
+	}
+	RIGHT(child) = node;
+
+	PARENT(child) = PARENT(node);
+
+	if (IS_ROOT(node)) {
+		*rootp = child;
+		child->is_root = 1;
+		node->is_root = 0;
+	} else {
+		if (LEFT(PARENT(node)) == node) {
+			LEFT(PARENT(node)) = child;
+		} else {
+			RIGHT(PARENT(node)) = child;
+		}
+	}
+
+	PARENT(node) = child;
+}
+
+/*
+ * This is the real workhorse of the insertion code, because it does the
+ * true red/black tree on a single level.
+ */
+static void
+addonlevel(dns_rbtnode_t *node, dns_rbtnode_t *current, int order,
+	   dns_rbtnode_t **rootp) {
+	dns_rbtnode_t *child, *root, *parent, *grandparent;
+	dns_name_t add_name, current_name;
+	dns_offsets_t add_offsets, current_offsets;
+
+	REQUIRE(rootp != NULL);
+	REQUIRE(DNS_RBTNODE_VALID(node) && LEFT(node) == NULL &&
+		RIGHT(node) == NULL);
+	REQUIRE(current != NULL);
+
+	root = *rootp;
+	if (root == NULL) {
+		/*
+		 * First node of a level.
+		 */
+		MAKE_BLACK(node);
+		node->is_root = 1;
+		PARENT(node) = current;
+		*rootp = node;
+		return;
+	}
+
+	child = root;
+	POST(child);
+
+	dns_name_init(&add_name, add_offsets);
+	NODENAME(node, &add_name);
+
+	dns_name_init(&current_name, current_offsets);
+	NODENAME(current, &current_name);
+
+	if (order < 0) {
+		INSIST(LEFT(current) == NULL);
+		LEFT(current) = node;
+	} else {
+		INSIST(RIGHT(current) == NULL);
+		RIGHT(current) = node;
+	}
+
+	INSIST(PARENT(node) == NULL);
+	PARENT(node) = current;
+
+	MAKE_RED(node);
+
+	while (node != root && IS_RED(PARENT(node))) {
+		/*
+		 * XXXDCL could do away with separate parent and grandparent
+		 * variables.  They are vestiges of the days before parent
+		 * pointers.  However, they make the code a little clearer.
+		 */
+
+		parent = PARENT(node);
+		grandparent = PARENT(parent);
+
+		if (parent == LEFT(grandparent)) {
+			child = RIGHT(grandparent);
+			if (child != NULL && IS_RED(child)) {
+				MAKE_BLACK(parent);
+				MAKE_BLACK(child);
+				MAKE_RED(grandparent);
+				node = grandparent;
+			} else {
+				if (node == RIGHT(parent)) {
+					rotate_left(parent, &root);
+					node = parent;
+					parent = PARENT(node);
+					grandparent = PARENT(parent);
+				}
+				MAKE_BLACK(parent);
+				MAKE_RED(grandparent);
+				rotate_right(grandparent, &root);
+			}
+		} else {
+			child = LEFT(grandparent);
+			if (child != NULL && IS_RED(child)) {
+				MAKE_BLACK(parent);
+				MAKE_BLACK(child);
+				MAKE_RED(grandparent);
+				node = grandparent;
+			} else {
+				if (node == LEFT(parent)) {
+					rotate_right(parent, &root);
+					node = parent;
+					parent = PARENT(node);
+					grandparent = PARENT(parent);
+				}
+				MAKE_BLACK(parent);
+				MAKE_RED(grandparent);
+				rotate_left(grandparent, &root);
+			}
+		}
+	}
+
+	MAKE_BLACK(root);
+	ENSURE(IS_ROOT(root));
+	*rootp = root;
+
+	return;
+}
+
+/*
+ * This is the real workhorse of the deletion code, because it does the
+ * true red/black tree on a single level.
+ */
+static void
+deletefromlevel(dns_rbtnode_t *item, dns_rbtnode_t **rootp) {
+	dns_rbtnode_t *child, *sibling, *parent;
+	dns_rbtnode_t *successor;
+
+	REQUIRE(item != NULL);
+
+	/*
+	 * Verify that the parent history is (apparently) correct.
+	 */
+	INSIST((IS_ROOT(item) && *rootp == item) ||
+	       (!IS_ROOT(item) &&
+		(LEFT(PARENT(item)) == item || RIGHT(PARENT(item)) == item)));
+
+	child = NULL;
+
+	if (LEFT(item) == NULL) {
+		if (RIGHT(item) == NULL) {
+			if (IS_ROOT(item)) {
+				/*
+				 * This is the only item in the tree.
+				 */
+				*rootp = NULL;
+				return;
+			}
+		} else {
+			/*
+			 * This node has one child, on the right.
+			 */
+			child = RIGHT(item);
+		}
+	} else if (RIGHT(item) == NULL) {
+		/*
+		 * This node has one child, on the left.
+		 */
+		child = LEFT(item);
+	} else {
+		dns_rbtnode_t *saved_parent, *saved_right;
+		int saved_color;
+
+		/*
+		 * This node has two children, so it cannot be directly
+		 * deleted.  Find its immediate in-order successor and
+		 * move it to this location, then do the deletion at the
+		 * old site of the successor.
+		 */
+		successor = RIGHT(item);
+		while (LEFT(successor) != NULL) {
+			successor = LEFT(successor);
+		}
+
+		/*
+		 * The successor cannot possibly have a left child;
+		 * if there is any child, it is on the right.
+		 */
+		if (RIGHT(successor) != NULL) {
+			child = RIGHT(successor);
+		}
+
+		/*
+		 * Swap the two nodes; it would be simpler to just replace
+		 * the value being deleted with that of the successor,
+		 * but this rigamarole is done so the caller has complete
+		 * control over the pointers (and memory allocation) of
+		 * all of nodes.  If just the key value were removed from
+		 * the tree, the pointer to the node would be unchanged.
+		 */
+
+		/*
+		 * First, put the successor in the tree location of the
+		 * node to be deleted.  Save its existing tree pointer
+		 * information, which will be needed when linking up
+		 * delete to the successor's old location.
+		 */
+		saved_parent = PARENT(successor);
+		saved_right = RIGHT(successor);
+		saved_color = COLOR(successor);
+
+		if (IS_ROOT(item)) {
+			*rootp = successor;
+			successor->is_root = true;
+			item->is_root = false;
+		} else if (LEFT(PARENT(item)) == item) {
+			LEFT(PARENT(item)) = successor;
+		} else {
+			RIGHT(PARENT(item)) = successor;
+		}
+
+		PARENT(successor) = PARENT(item);
+		LEFT(successor) = LEFT(item);
+		RIGHT(successor) = RIGHT(item);
+		COLOR(successor) = COLOR(item);
+
+		if (LEFT(successor) != NULL) {
+			PARENT(LEFT(successor)) = successor;
+		}
+		if (RIGHT(successor) != successor) {
+			PARENT(RIGHT(successor)) = successor;
+		}
+
+		/*
+		 * Now relink the node to be deleted into the
+		 * successor's previous tree location.
+		 */
+		INSIST(!IS_ROOT(item));
+
+		if (saved_parent == item) {
+			/*
+			 * Node being deleted was successor's parent.
+			 */
+			RIGHT(successor) = item;
+			PARENT(item) = successor;
+		} else {
+			LEFT(saved_parent) = item;
+			PARENT(item) = saved_parent;
+		}
+
+		/*
+		 * Original location of successor node has no left.
+		 */
+		LEFT(item) = NULL;
+		RIGHT(item) = saved_right;
+		COLOR(item) = saved_color;
+	}
+
+	/*
+	 * Remove the node by removing the links from its parent.
+	 */
+	if (!IS_ROOT(item)) {
+		if (LEFT(PARENT(item)) == item) {
+			LEFT(PARENT(item)) = child;
+		} else {
+			RIGHT(PARENT(item)) = child;
+		}
+
+		if (child != NULL) {
+			PARENT(child) = PARENT(item);
+		}
+	} else {
+		/*
+		 * This is the root being deleted, and at this point
+		 * it is known to have just one child.
+		 */
+		*rootp = child;
+		child->is_root = 1;
+		PARENT(child) = PARENT(item);
+	}
+
+	/*
+	 * Fix color violations.
+	 */
+	if (IS_BLACK(item)) {
+		/* cppcheck-suppress nullPointerRedundantCheck symbolName=item
+		 */
+		parent = PARENT(item);
+
+		while (child != *rootp && IS_BLACK(child)) {
+			INSIST(child == NULL || !IS_ROOT(child));
+
+			if (LEFT(parent) == child) {
+				sibling = RIGHT(parent);
+
+				if (IS_RED(sibling)) {
+					MAKE_BLACK(sibling);
+					MAKE_RED(parent);
+					rotate_left(parent, rootp);
+					sibling = RIGHT(parent);
+				}
+
+				INSIST(sibling != NULL);
+
+				/* cppcheck-suppress nullPointerRedundantCheck
+				 * symbolName=sibling */
+				if (IS_BLACK(LEFT(sibling)) &&
+				    IS_BLACK(RIGHT(sibling)))
+				{
+					MAKE_RED(sibling);
+					child = parent;
+				} else {
+					if (IS_BLACK(RIGHT(sibling))) {
+						MAKE_BLACK(LEFT(sibling));
+						MAKE_RED(sibling);
+						rotate_right(sibling, rootp);
+						sibling = RIGHT(parent);
+					}
+
+					COLOR(sibling) = COLOR(parent);
+					MAKE_BLACK(parent);
+					INSIST(RIGHT(sibling) != NULL);
+					MAKE_BLACK(RIGHT(sibling));
+					rotate_left(parent, rootp);
+					child = *rootp;
+				}
+			} else {
+				/*
+				 * Child is parent's right child.
+				 * Everything is done the same as above,
+				 * except mirrored.
+				 */
+				sibling = LEFT(parent);
+
+				if (IS_RED(sibling)) {
+					MAKE_BLACK(sibling);
+					MAKE_RED(parent);
+					rotate_right(parent, rootp);
+					sibling = LEFT(parent);
+				}
+
+				INSIST(sibling != NULL);
+
+				/* cppcheck-suppress nullPointerRedundantCheck
+				 * symbolName=sibling */
+				if (IS_BLACK(LEFT(sibling)) &&
+				    IS_BLACK(RIGHT(sibling)))
+				{
+					MAKE_RED(sibling);
+					child = parent;
+				} else {
+					if (IS_BLACK(LEFT(sibling))) {
+						MAKE_BLACK(RIGHT(sibling));
+						MAKE_RED(sibling);
+						rotate_left(sibling, rootp);
+						sibling = LEFT(parent);
+					}
+
+					COLOR(sibling) = COLOR(parent);
+					MAKE_BLACK(parent);
+					INSIST(LEFT(sibling) != NULL);
+					MAKE_BLACK(LEFT(sibling));
+					rotate_right(parent, rootp);
+					child = *rootp;
+				}
+			}
+
+			parent = PARENT(child);
+		}
+
+		if (IS_RED(child)) {
+			MAKE_BLACK(child);
+		}
+	}
+}
+
+static void
+freenode(dns_rbt_t *rbt, dns_rbtnode_t **nodep) {
+	dns_rbtnode_t *node = *nodep;
+	*nodep = NULL;
+
+	if (node->is_mmapped == 0) {
+		isc_mem_put(rbt->mctx, node, NODE_SIZE(node));
+	}
+
+	rbt->nodecount--;
+}
+
+static void
+deletetreeflat(dns_rbt_t *rbt, unsigned int quantum, bool unhash,
+	       dns_rbtnode_t **nodep) {
+	dns_rbtnode_t *root = *nodep;
+
+	while (root != NULL) {
+		/*
+		 * If there is a left, right or down node, walk into it
+		 * and iterate.
+		 */
+		if (LEFT(root) != NULL) {
+			dns_rbtnode_t *node = root;
+			root = LEFT(root);
+			LEFT(node) = NULL;
+		} else if (RIGHT(root) != NULL) {
+			dns_rbtnode_t *node = root;
+			root = RIGHT(root);
+			RIGHT(node) = NULL;
+		} else if (DOWN(root) != NULL) {
+			dns_rbtnode_t *node = root;
+			root = DOWN(root);
+			DOWN(node) = NULL;
+		} else {
+			/*
+			 * There are no left, right or down nodes, so we
+			 * can free this one and go back to its parent.
+			 */
+			dns_rbtnode_t *node = root;
+			root = PARENT(root);
+
+			if (rbt->data_deleter != NULL && DATA(node) != NULL) {
+				rbt->data_deleter(DATA(node), rbt->deleter_arg);
+			}
+			if (unhash) {
+				unhash_node(rbt, node);
+			}
+			/*
+			 * Note: we don't call unhash_node() here as we
+			 * are destroying the complete RBT tree.
+			 */
+#if DNS_RBT_USEMAGIC
+			node->magic = 0;
+#endif /* if DNS_RBT_USEMAGIC */
+			freenode(rbt, &node);
+			if (quantum != 0 && --quantum == 0) {
+				break;
+			}
+		}
+	}
+
+	*nodep = root;
+}
+
+static size_t
+getheight_helper(dns_rbtnode_t *node) {
+	size_t dl, dr;
+	size_t this_height, down_height;
+
+	if (node == NULL) {
+		return (0);
+	}
+
+	dl = getheight_helper(LEFT(node));
+	dr = getheight_helper(RIGHT(node));
+
+	this_height = ISC_MAX(dl + 1, dr + 1);
+	down_height = getheight_helper(DOWN(node));
+
+	return (ISC_MAX(this_height, down_height));
+}
+
+size_t
+dns__rbt_getheight(dns_rbt_t *rbt) {
+	return (getheight_helper(rbt->root));
+}
+
+static bool
+check_properties_helper(dns_rbtnode_t *node) {
+	if (node == NULL) {
+		return (true);
+	}
+
+	if (IS_RED(node)) {
+		/* Root nodes must be BLACK. */
+		if (IS_ROOT(node)) {
+			return (false);
+		}
+
+		/* Both children of RED nodes must be BLACK. */
+		if (IS_RED(LEFT(node)) || IS_RED(RIGHT(node))) {
+			return (false);
+		}
+	}
+
+	/* cppcheck-suppress nullPointerRedundantCheck symbolName=node */
+	if ((DOWN(node) != NULL) && (!IS_ROOT(DOWN(node)))) {
+		return (false);
+	}
+
+	if (IS_ROOT(node)) {
+		if ((PARENT(node) != NULL) && (DOWN(PARENT(node)) != node)) {
+			return (false);
+		}
+
+		if (get_upper_node(node) != PARENT(node)) {
+			return (false);
+		}
+	}
+
+	/* If node is assigned to the down_ pointer of its parent, it is
+	 * a subtree root and must have the flag set.
+	 */
+	if (((!PARENT(node)) || (DOWN(PARENT(node)) == node)) &&
+	    (!IS_ROOT(node)))
+	{
+		return (false);
+	}
+
+	/* Repeat tests with this node's children. */
+	return (check_properties_helper(LEFT(node)) &&
+		check_properties_helper(RIGHT(node)) &&
+		check_properties_helper(DOWN(node)));
+}
+
+static bool
+check_black_distance_helper(dns_rbtnode_t *node, size_t *distance) {
+	size_t dl, dr, dd;
+
+	if (node == NULL) {
+		*distance = 1;
+		return (true);
+	}
+
+	/* cppcheck-suppress nullPointerRedundantCheck symbolName=node */
+	if (!check_black_distance_helper(LEFT(node), &dl)) {
+		return (false);
+	}
+
+	/* cppcheck-suppress nullPointerRedundantCheck symbolName=node */
+	if (!check_black_distance_helper(RIGHT(node), &dr)) {
+		return (false);
+	}
+
+	/* cppcheck-suppress nullPointerRedundantCheck symbolName=node */
+	if (!check_black_distance_helper(DOWN(node), &dd)) {
+		return (false);
+	}
+
+	/* Left and right side black node counts must match. */
+	if (dl != dr) {
+		return (false);
+	}
+
+	if (IS_BLACK(node)) {
+		dl++;
+	}
+
+	*distance = dl;
+
+	return (true);
+}
+
+bool
+dns__rbt_checkproperties(dns_rbt_t *rbt) {
+	size_t dd;
+
+	if (!check_properties_helper(rbt->root)) {
+		return (false);
+	}
+
+	/* Path from a given node to all its leaves must contain the
+	 * same number of BLACK child nodes. This is done separately
+	 * here instead of inside check_properties_helper() as
+	 * it would take (n log n) complexity otherwise.
+	 */
+	return (check_black_distance_helper(rbt->root, &dd));
+}
+
+static void
+dns_rbt_indent(FILE *f, int depth) {
+	int i;
+
+	fprintf(f, "%4d ", depth);
+
+	for (i = 0; i < depth; i++) {
+		fprintf(f, "- ");
+	}
+}
+
+void
+dns_rbt_printnodeinfo(dns_rbtnode_t *n, FILE *f) {
+	if (n == NULL) {
+		fprintf(f, "Null node\n");
+		return;
+	}
+
+	fprintf(f, "Node info for nodename: ");
+	printnodename(n, true, f);
+	fprintf(f, "\n");
+
+	fprintf(f, "n = %p\n", n);
+
+	fprintf(f, "Relative pointers: %s%s%s%s%s\n",
+		(n->parent_is_relative == 1 ? " P" : ""),
+		(n->right_is_relative == 1 ? " R" : ""),
+		(n->left_is_relative == 1 ? " L" : ""),
+		(n->down_is_relative == 1 ? " D" : ""),
+		(n->data_is_relative == 1 ? " T" : ""));
+
+	fprintf(f, "node lock address = %u\n", n->locknum);
+
+	fprintf(f, "Parent: %p\n", n->parent);
+	fprintf(f, "Right: %p\n", n->right);
+	fprintf(f, "Left: %p\n", n->left);
+	fprintf(f, "Down: %p\n", n->down);
+	fprintf(f, "Data: %p\n", n->data);
+}
+
+static void
+printnodename(dns_rbtnode_t *node, bool quoted, FILE *f) {
+	isc_region_t r;
+	dns_name_t name;
+	char buffer[DNS_NAME_FORMATSIZE];
+	dns_offsets_t offsets;
+
+	r.length = NAMELEN(node);
+	r.base = NAME(node);
+
+	dns_name_init(&name, offsets);
+	dns_name_fromregion(&name, &r);
+
+	dns_name_format(&name, buffer, sizeof(buffer));
+
+	if (quoted) {
+		fprintf(f, "\"%s\"", buffer);
+	} else {
+		fprintf(f, "%s", buffer);
+	}
+}
+
+static void
+print_text_helper(dns_rbtnode_t *root, dns_rbtnode_t *parent, int depth,
+		  const char *direction, void (*data_printer)(FILE *, void *),
+		  FILE *f) {
+	dns_rbt_indent(f, depth);
+
+	if (root != NULL) {
+		printnodename(root, true, f);
+		/*
+		 * Don't use IS_RED(root) as it tests for 'root != NULL'
+		 * and cppcheck produces false positives.
+		 */
+		fprintf(f, " (%s, %s", direction,
+			COLOR(root) == RED ? "RED" : "BLACK");
+
+		if ((!IS_ROOT(root) && PARENT(root) != parent) ||
+		    (IS_ROOT(root) && depth > 0 && DOWN(PARENT(root)) != root))
+		{
+			fprintf(f, " (BAD parent pointer! -> ");
+			if (PARENT(root) != NULL) {
+				printnodename(PARENT(root), true, f);
+			} else {
+				fprintf(f, "NULL");
+			}
+			fprintf(f, ")");
+		}
+
+		fprintf(f, ")");
+
+		if (root->data != NULL && data_printer != NULL) {
+			fprintf(f, " data@%p: ", root->data);
+			data_printer(f, root->data);
+		}
+		fprintf(f, "\n");
+
+		depth++;
+
+		/*
+		 * Don't use IS_RED(root) as it tests for 'root != NULL'
+		 * and cppcheck produces false positives.
+		 */
+		if (COLOR(root) == RED && IS_RED(LEFT(root))) {
+			fprintf(f, "** Red/Red color violation on left\n");
+		}
+		print_text_helper(LEFT(root), root, depth, "left", data_printer,
+				  f);
+
+		/*
+		 * Don't use IS_RED(root) as cppcheck produces false positives.
+		 */
+		if (COLOR(root) == RED && IS_RED(RIGHT(root))) {
+			fprintf(f, "** Red/Red color violation on right\n");
+		}
+		print_text_helper(RIGHT(root), root, depth, "right",
+				  data_printer, f);
+
+		print_text_helper(DOWN(root), NULL, depth, "down", data_printer,
+				  f);
+	} else {
+		fprintf(f, "NULL (%s)\n", direction);
+	}
+}
+
+void
+dns_rbt_printtext(dns_rbt_t *rbt, void (*data_printer)(FILE *, void *),
+		  FILE *f) {
+	REQUIRE(VALID_RBT(rbt));
+
+	print_text_helper(rbt->root, NULL, 0, "root", data_printer, f);
+}
+
+static int
+print_dot_helper(dns_rbtnode_t *node, unsigned int *nodecount,
+		 bool show_pointers, FILE *f) {
+	unsigned int l, r, d;
+
+	if (node == NULL) {
+		return (0);
+	}
+
+	l = print_dot_helper(LEFT(node), nodecount, show_pointers, f);
+	r = print_dot_helper(RIGHT(node), nodecount, show_pointers, f);
+	d = print_dot_helper(DOWN(node), nodecount, show_pointers, f);
+
+	*nodecount += 1;
+
+	fprintf(f, "node%u[label = \"<f0> |<f1> ", *nodecount);
+	printnodename(node, false, f);
+	fprintf(f, "|<f2>");
+
+	if (show_pointers) {
+		fprintf(f, "|<f3> n=%p|<f4> p=%p", node, PARENT(node));
+	}
+
+	fprintf(f, "\"] [");
+
+	if (IS_RED(node)) {
+		fprintf(f, "color=red");
+	} else {
+		fprintf(f, "color=black");
+	}
+
+	/* XXXMUKS: verify that IS_ROOT() indicates subtree root and not
+	 * forest root.
+	 */
+	if (IS_ROOT(node)) {
+		fprintf(f, ",penwidth=3");
+	}
+
+	if (IS_EMPTY(node)) {
+		fprintf(f, ",style=filled,fillcolor=lightgrey");
+	}
+
+	fprintf(f, "];\n");
+
+	if (LEFT(node) != NULL) {
+		fprintf(f, "\"node%u\":f0 -> \"node%u\":f1;\n", *nodecount, l);
+	}
+
+	if (DOWN(node) != NULL) {
+		fprintf(f, "\"node%u\":f1 -> \"node%u\":f1 [penwidth=5];\n",
+			*nodecount, d);
+	}
+
+	if (RIGHT(node) != NULL) {
+		fprintf(f, "\"node%u\":f2 -> \"node%u\":f1;\n", *nodecount, r);
+	}
+
+	return (*nodecount);
+}
+
+void
+dns_rbt_printdot(dns_rbt_t *rbt, bool show_pointers, FILE *f) {
+	unsigned int nodecount = 0;
+
+	REQUIRE(VALID_RBT(rbt));
+
+	fprintf(f, "digraph g {\n");
+	fprintf(f, "node [shape = record,height=.1];\n");
+	print_dot_helper(rbt->root, &nodecount, show_pointers, f);
+	fprintf(f, "}\n");
+}
+
+/*
+ * Chain Functions
+ */
+
+void
+dns_rbtnodechain_init(dns_rbtnodechain_t *chain) {
+	REQUIRE(chain != NULL);
+
+	/*
+	 * Initialize 'chain'.
+	 */
+	chain->end = NULL;
+	chain->level_count = 0;
+	chain->level_matches = 0;
+	memset(chain->levels, 0, sizeof(chain->levels));
+
+	chain->magic = CHAIN_MAGIC;
+}
+
+isc_result_t
+dns_rbtnodechain_current(dns_rbtnodechain_t *chain, dns_name_t *name,
+			 dns_name_t *origin, dns_rbtnode_t **node) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(VALID_CHAIN(chain));
+
+	if (node != NULL) {
+		*node = chain->end;
+	}
+
+	if (chain->end == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	if (name != NULL) {
+		NODENAME(chain->end, name);
+
+		if (chain->level_count == 0) {
+			/*
+			 * Names in the top level tree are all absolute.
+			 * Always make 'name' relative.
+			 */
+			INSIST(dns_name_isabsolute(name));
+
+			/*
+			 * This is cheaper than dns_name_getlabelsequence().
+			 */
+			name->labels--;
+			name->length--;
+			name->attributes &= ~DNS_NAMEATTR_ABSOLUTE;
+		}
+	}
+
+	if (origin != NULL) {
+		if (chain->level_count > 0) {
+			result = chain_name(chain, origin, false);
+		} else {
+			dns_name_copynf(dns_rootname, origin);
+		}
+	}
+
+	return (result);
+}
+
+isc_result_t
+dns_rbtnodechain_prev(dns_rbtnodechain_t *chain, dns_name_t *name,
+		      dns_name_t *origin) {
+	dns_rbtnode_t *current, *previous, *predecessor;
+	isc_result_t result = ISC_R_SUCCESS;
+	bool new_origin = false;
+
+	REQUIRE(VALID_CHAIN(chain) && chain->end != NULL);
+
+	predecessor = NULL;
+
+	current = chain->end;
+
+	if (LEFT(current) != NULL) {
+		/*
+		 * Moving left one then right as far as possible is the
+		 * previous node, at least for this level.
+		 */
+		current = LEFT(current);
+
+		while (RIGHT(current) != NULL) {
+			current = RIGHT(current);
+		}
+
+		predecessor = current;
+	} else {
+		/*
+		 * No left links, so move toward the root.  If at any point on
+		 * the way there the link from parent to child is a right
+		 * link, then the parent is the previous node, at least
+		 * for this level.
+		 */
+		while (!IS_ROOT(current)) {
+			previous = current;
+			current = PARENT(current);
+
+			if (RIGHT(current) == previous) {
+				predecessor = current;
+				break;
+			}
+		}
+	}
+
+	if (predecessor != NULL) {
+		/*
+		 * Found a predecessor node in this level.  It might not
+		 * really be the predecessor, however.
+		 */
+		if (DOWN(predecessor) != NULL) {
+			/*
+			 * The predecessor is really down at least one level.
+			 * Go down and as far right as possible, and repeat
+			 * as long as the rightmost node has a down pointer.
+			 */
+			do {
+				/*
+				 * XXX DCL Need to do something about origins
+				 * here. See whether to go down, and if so
+				 * whether it is truly what Bob calls a
+				 * new origin.
+				 */
+				ADD_LEVEL(chain, predecessor);
+				predecessor = DOWN(predecessor);
+
+				/* XXX DCL duplicated from above; clever
+				 * way to unduplicate? */
+
+				while (RIGHT(predecessor) != NULL) {
+					predecessor = RIGHT(predecessor);
+				}
+			} while (DOWN(predecessor) != NULL);
+
+			/* XXX DCL probably needs work on the concept */
+			if (origin != NULL) {
+				new_origin = true;
+			}
+		}
+	} else if (chain->level_count > 0) {
+		/*
+		 * Dang, didn't find a predecessor in this level.
+		 * Got to the root of this level without having traversed
+		 * any right links.  Ascend the tree one level; the
+		 * node that points to this tree is the predecessor.
+		 */
+		INSIST(chain->level_count > 0 && IS_ROOT(current));
+		predecessor = chain->levels[--chain->level_count];
+
+		/* XXX DCL probably needs work on the concept */
+		/*
+		 * Don't declare an origin change when the new origin is "."
+		 * at the top level tree, because "." is declared as the origin
+		 * for the second level tree.
+		 */
+		if (origin != NULL &&
+		    (chain->level_count > 0 || OFFSETLEN(predecessor) > 1))
+		{
+			new_origin = true;
+		}
+	}
+
+	if (predecessor != NULL) {
+		chain->end = predecessor;
+
+		if (new_origin) {
+			result = dns_rbtnodechain_current(chain, name, origin,
+							  NULL);
+			if (result == ISC_R_SUCCESS) {
+				result = DNS_R_NEWORIGIN;
+			}
+		} else {
+			result = dns_rbtnodechain_current(chain, name, NULL,
+							  NULL);
+		}
+	} else {
+		result = ISC_R_NOMORE;
+	}
+
+	return (result);
+}
+
+isc_result_t
+dns_rbtnodechain_down(dns_rbtnodechain_t *chain, dns_name_t *name,
+		      dns_name_t *origin) {
+	dns_rbtnode_t *current, *successor;
+	isc_result_t result = ISC_R_SUCCESS;
+	bool new_origin = false;
+
+	REQUIRE(VALID_CHAIN(chain) && chain->end != NULL);
+
+	successor = NULL;
+
+	current = chain->end;
+
+	if (DOWN(current) != NULL) {
+		/*
+		 * Don't declare an origin change when the new origin is "."
+		 * at the second level tree, because "." is already declared
+		 * as the origin for the top level tree.
+		 */
+		if (chain->level_count > 0 || OFFSETLEN(current) > 1) {
+			new_origin = true;
+		}
+
+		ADD_LEVEL(chain, current);
+		current = DOWN(current);
+
+		while (LEFT(current) != NULL) {
+			current = LEFT(current);
+		}
+
+		successor = current;
+	}
+
+	if (successor != NULL) {
+		chain->end = successor;
+
+		/*
+		 * It is not necessary to use dns_rbtnodechain_current like
+		 * the other functions because this function will never
+		 * find a node in the topmost level.  This is because the
+		 * root level will never be more than one name, and everything
+		 * in the megatree is a successor to that node, down at
+		 * the second level or below.
+		 */
+
+		if (name != NULL) {
+			NODENAME(chain->end, name);
+		}
+
+		if (new_origin) {
+			if (origin != NULL) {
+				result = chain_name(chain, origin, false);
+			}
+
+			if (result == ISC_R_SUCCESS) {
+				result = DNS_R_NEWORIGIN;
+			}
+		} else {
+			result = ISC_R_SUCCESS;
+		}
+	} else {
+		result = ISC_R_NOMORE;
+	}
+
+	return (result);
+}
+
+isc_result_t
+dns_rbtnodechain_nextflat(dns_rbtnodechain_t *chain, dns_name_t *name) {
+	dns_rbtnode_t *current, *previous, *successor;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(VALID_CHAIN(chain) && chain->end != NULL);
+
+	successor = NULL;
+
+	current = chain->end;
+
+	if (RIGHT(current) == NULL) {
+		while (!IS_ROOT(current)) {
+			previous = current;
+			current = PARENT(current);
+
+			if (LEFT(current) == previous) {
+				successor = current;
+				break;
+			}
+		}
+	} else {
+		current = RIGHT(current);
+
+		while (LEFT(current) != NULL) {
+			current = LEFT(current);
+		}
+
+		successor = current;
+	}
+
+	if (successor != NULL) {
+		chain->end = successor;
+
+		if (name != NULL) {
+			NODENAME(chain->end, name);
+		}
+
+		result = ISC_R_SUCCESS;
+	} else {
+		result = ISC_R_NOMORE;
+	}
+
+	return (result);
+}
+
+isc_result_t
+dns_rbtnodechain_next(dns_rbtnodechain_t *chain, dns_name_t *name,
+		      dns_name_t *origin) {
+	dns_rbtnode_t *current, *previous, *successor;
+	isc_result_t result = ISC_R_SUCCESS;
+	bool new_origin = false;
+
+	REQUIRE(VALID_CHAIN(chain) && chain->end != NULL);
+
+	successor = NULL;
+
+	current = chain->end;
+
+	/*
+	 * If there is a level below this node, the next node is the leftmost
+	 * node of the next level.
+	 */
+	if (DOWN(current) != NULL) {
+		/*
+		 * Don't declare an origin change when the new origin is "."
+		 * at the second level tree, because "." is already declared
+		 * as the origin for the top level tree.
+		 */
+		if (chain->level_count > 0 || OFFSETLEN(current) > 1) {
+			new_origin = true;
+		}
+
+		ADD_LEVEL(chain, current);
+		current = DOWN(current);
+
+		while (LEFT(current) != NULL) {
+			current = LEFT(current);
+		}
+
+		successor = current;
+	} else if (RIGHT(current) == NULL) {
+		/*
+		 * The successor is up, either in this level or a previous one.
+		 * Head back toward the root of the tree, looking for any path
+		 * that was via a left link; the successor is the node that has
+		 * that left link.  In the event the root of the level is
+		 * reached without having traversed any left links, ascend one
+		 * level and look for either a right link off the point of
+		 * ascent, or search for a left link upward again, repeating
+		 * ascends until either case is true.
+		 */
+		do {
+			while (!IS_ROOT(current)) {
+				previous = current;
+				current = PARENT(current);
+
+				if (LEFT(current) == previous) {
+					successor = current;
+					break;
+				}
+			}
+
+			if (successor == NULL) {
+				/*
+				 * Reached the root without having traversed
+				 * any left pointers, so this level is done.
+				 */
+				if (chain->level_count == 0) {
+					/*
+					 * If the tree we are iterating over
+					 * was modified since this chain was
+					 * initialized in a way that caused
+					 * node splits to occur, "current" may
+					 * now be pointing to a root node which
+					 * appears to be at level 0, but still
+					 * has a parent.  If that happens,
+					 * abort.  Otherwise, we are done
+					 * looking for a successor as we really
+					 * reached the root node on level 0.
+					 */
+					INSIST(PARENT(current) == NULL);
+					break;
+				}
+
+				current = chain->levels[--chain->level_count];
+				new_origin = true;
+
+				if (RIGHT(current) != NULL) {
+					break;
+				}
+			}
+		} while (successor == NULL);
+	}
+
+	if (successor == NULL && RIGHT(current) != NULL) {
+		current = RIGHT(current);
+
+		while (LEFT(current) != NULL) {
+			current = LEFT(current);
+		}
+
+		successor = current;
+	}
+
+	if (successor != NULL) {
+		/*
+		 * If we determine that the current node is the successor to
+		 * itself, we will run into an infinite loop, so abort instead.
+		 */
+		INSIST(chain->end != successor);
+
+		chain->end = successor;
+
+		/*
+		 * It is not necessary to use dns_rbtnodechain_current like
+		 * the other functions because this function will never
+		 * find a node in the topmost level.  This is because the
+		 * root level will never be more than one name, and everything
+		 * in the megatree is a successor to that node, down at
+		 * the second level or below.
+		 */
+
+		if (name != NULL) {
+			NODENAME(chain->end, name);
+		}
+
+		if (new_origin) {
+			if (origin != NULL) {
+				result = chain_name(chain, origin, false);
+			}
+
+			if (result == ISC_R_SUCCESS) {
+				result = DNS_R_NEWORIGIN;
+			}
+		} else {
+			result = ISC_R_SUCCESS;
+		}
+	} else {
+		result = ISC_R_NOMORE;
+	}
+
+	return (result);
+}
+
+isc_result_t
+dns_rbtnodechain_first(dns_rbtnodechain_t *chain, dns_rbt_t *rbt,
+		       dns_name_t *name, dns_name_t *origin)
+
+{
+	isc_result_t result;
+
+	REQUIRE(VALID_RBT(rbt));
+	REQUIRE(VALID_CHAIN(chain));
+
+	dns_rbtnodechain_reset(chain);
+
+	chain->end = rbt->root;
+
+	result = dns_rbtnodechain_current(chain, name, origin, NULL);
+
+	if (result == ISC_R_SUCCESS) {
+		result = DNS_R_NEWORIGIN;
+	}
+
+	return (result);
+}
+
+isc_result_t
+dns_rbtnodechain_last(dns_rbtnodechain_t *chain, dns_rbt_t *rbt,
+		      dns_name_t *name, dns_name_t *origin)
+
+{
+	isc_result_t result;
+
+	REQUIRE(VALID_RBT(rbt));
+	REQUIRE(VALID_CHAIN(chain));
+
+	dns_rbtnodechain_reset(chain);
+
+	result = move_chain_to_last(chain, rbt->root);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = dns_rbtnodechain_current(chain, name, origin, NULL);
+
+	if (result == ISC_R_SUCCESS) {
+		result = DNS_R_NEWORIGIN;
+	}
+
+	return (result);
+}
+
+void
+dns_rbtnodechain_reset(dns_rbtnodechain_t *chain) {
+	REQUIRE(VALID_CHAIN(chain));
+
+	/*
+	 * Free any dynamic storage associated with 'chain', and then
+	 * reinitialize 'chain'.
+	 */
+	chain->end = NULL;
+	chain->level_count = 0;
+	chain->level_matches = 0;
+}
+
+void
+dns_rbtnodechain_invalidate(dns_rbtnodechain_t *chain) {
+	/*
+	 * Free any dynamic storage associated with 'chain', and then
+	 * invalidate 'chain'.
+	 */
+
+	dns_rbtnodechain_reset(chain);
+
+	chain->magic = 0;
+}
+
+/* XXXMUKS:
+ *
+ * - worth removing inline as static functions are inlined automatically
+ *   where suitable by modern compilers.
+ * - bump the size of dns_rbt.nodecount to size_t.
+ * - the dumpfile header also contains a nodecount that is unsigned
+ *   int. If large files (> 2^32 nodes) are to be supported, the
+ *   allocation for this field should be increased.
+ */
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
new file mode 100644
index 0000000..ee06c51
--- /dev/null
+++ b/lib/dns/rbtdb.c
@@ -0,0 +1,10667 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <ctype.h>
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/atomic.h>
+#include <isc/crc64.h>
+#include <isc/event.h>
+#include <isc/file.h>
+#include <isc/hash.h>
+#include <isc/heap.h>
+#include <isc/hex.h>
+#include <isc/mem.h>
+#include <isc/mutex.h>
+#include <isc/once.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/random.h>
+#include <isc/refcount.h>
+#include <isc/rwlock.h>
+#include <isc/serial.h>
+#include <isc/socket.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#include <dns/callbacks.h>
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/events.h>
+#include <dns/fixedname.h>
+#include <dns/lib.h>
+#include <dns/log.h>
+#include <dns/masterdump.h>
+#include <dns/nsec.h>
+#include <dns/nsec3.h>
+#include <dns/rbt.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdataslab.h>
+#include <dns/rdatastruct.h>
+#include <dns/result.h>
+#include <dns/stats.h>
+#include <dns/time.h>
+#include <dns/version.h>
+#include <dns/view.h>
+#include <dns/zone.h>
+#include <dns/zonekey.h>
+
+#ifndef WIN32
+#include <sys/mman.h>
+#else /* ifndef WIN32 */
+#define PROT_READ   0x01
+#define PROT_WRITE  0x02
+#define MAP_PRIVATE 0x0002
+#define MAP_FAILED  ((void *)-1)
+#endif /* ifndef WIN32 */
+
+#include "rbtdb.h"
+
+#define RBTDB_MAGIC ISC_MAGIC('R', 'B', 'D', '4')
+
+#define CHECK(op)                            \
+	do {                                 \
+		result = (op);               \
+		if (result != ISC_R_SUCCESS) \
+			goto failure;        \
+	} while (0)
+
+/*
+ * This is the map file header for RBTDB images.  It is populated, and then
+ * written, as the LAST thing done to the file.  Writing this last (with
+ * zeros in the header area initially) will ensure that the header is only
+ * valid when the RBTDB image is also valid.
+ */
+typedef struct rbtdb_file_header rbtdb_file_header_t;
+
+/* Header length, always the same size regardless of structure size */
+#define RBTDB_HEADER_LENGTH 1024
+
+struct rbtdb_file_header {
+	char version1[32];
+	uint32_t ptrsize;
+	unsigned int bigendian : 1;
+	uint64_t tree;
+	uint64_t nsec;
+	uint64_t nsec3;
+
+	char version2[32]; /* repeated; must match version1 */
+};
+
+/*%
+ * Note that "impmagic" is not the first four bytes of the struct, so
+ * ISC_MAGIC_VALID cannot be used.
+ */
+#define VALID_RBTDB(rbtdb) \
+	((rbtdb) != NULL && (rbtdb)->common.impmagic == RBTDB_MAGIC)
+
+typedef uint32_t rbtdb_serial_t;
+typedef uint32_t rbtdb_rdatatype_t;
+
+#define RBTDB_RDATATYPE_BASE(type) ((dns_rdatatype_t)((type)&0xFFFF))
+#define RBTDB_RDATATYPE_EXT(type)  ((dns_rdatatype_t)((type) >> 16))
+#define RBTDB_RDATATYPE_VALUE(base, ext)              \
+	((rbtdb_rdatatype_t)(((uint32_t)ext) << 16) | \
+	 (((uint32_t)base) & 0xffff))
+
+#define RBTDB_RDATATYPE_SIGNSEC \
+	RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_nsec)
+#define RBTDB_RDATATYPE_SIGNSEC3 \
+	RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_nsec3)
+#define RBTDB_RDATATYPE_SIGNS \
+	RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ns)
+#define RBTDB_RDATATYPE_SIGCNAME \
+	RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_cname)
+#define RBTDB_RDATATYPE_SIGDNAME \
+	RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_dname)
+#define RBTDB_RDATATYPE_SIGDS \
+	RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ds)
+#define RBTDB_RDATATYPE_SIGSOA \
+	RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_soa)
+#define RBTDB_RDATATYPE_NCACHEANY RBTDB_RDATATYPE_VALUE(0, dns_rdatatype_any)
+
+#define RBTDB_INITLOCK(l)    isc_rwlock_init((l), 0, 0)
+#define RBTDB_DESTROYLOCK(l) isc_rwlock_destroy(l)
+#define RBTDB_LOCK(l, t)     RWLOCK((l), (t))
+#define RBTDB_UNLOCK(l, t)   RWUNLOCK((l), (t))
+
+/*
+ * Since node locking is sensitive to both performance and memory footprint,
+ * we need some trick here.  If we have both high-performance rwlock and
+ * high performance and small-memory reference counters, we use rwlock for
+ * node lock and isc_refcount for node references.  In this case, we don't have
+ * to protect the access to the counters by locks.
+ * Otherwise, we simply use ordinary mutex lock for node locking, and use
+ * simple integers as reference counters which is protected by the lock.
+ * In most cases, we can simply use wrapper macros such as NODE_LOCK and
+ * NODE_UNLOCK.  In some other cases, however, we need to protect reference
+ * counters first and then protect other parts of a node as read-only data.
+ * Special additional macros, NODE_STRONGLOCK(), NODE_WEAKLOCK(), etc, are also
+ * provided for these special cases.  When we can use the efficient backend
+ * routines, we should only protect the "other members" by NODE_WEAKLOCK(read).
+ * Otherwise, we should use NODE_STRONGLOCK() to protect the entire critical
+ * section including the access to the reference counter.
+ * Note that we cannot use NODE_LOCK()/NODE_UNLOCK() wherever the protected
+ * section is also protected by NODE_STRONGLOCK().
+ */
+typedef isc_rwlock_t nodelock_t;
+
+#define NODE_INITLOCK(l)    isc_rwlock_init((l), 0, 0)
+#define NODE_DESTROYLOCK(l) isc_rwlock_destroy(l)
+#define NODE_LOCK(l, t)	    RWLOCK((l), (t))
+#define NODE_UNLOCK(l, t)   RWUNLOCK((l), (t))
+#define NODE_TRYUPGRADE(l)  isc_rwlock_tryupgrade(l)
+#define NODE_DOWNGRADE(l)   isc_rwlock_downgrade(l)
+
+/*%
+ * Whether to rate-limit updating the LRU to avoid possible thread contention.
+ * Updating LRU requires write locking, so we don't do it every time the
+ * record is touched - only after some time passes.
+ */
+#ifndef DNS_RBTDB_LIMITLRUUPDATE
+#define DNS_RBTDB_LIMITLRUUPDATE 1
+#endif
+
+/*% Time after which we update LRU for glue records, 5 minutes */
+#define DNS_RBTDB_LRUUPDATE_GLUE 300
+/*% Time after which we update LRU for all other records, 10 minutes */
+#define DNS_RBTDB_LRUUPDATE_REGULAR 600
+
+/*
+ * Allow clients with a virtual time of up to 5 minutes in the past to see
+ * records that would have otherwise have expired.
+ */
+#define RBTDB_VIRTUAL 300
+
+struct noqname {
+	dns_name_t name;
+	void *neg;
+	void *negsig;
+	dns_rdatatype_t type;
+};
+
+typedef struct rdatasetheader {
+	/*%
+	 * Locked by the owning node's lock.
+	 */
+	rbtdb_serial_t serial;
+	dns_ttl_t rdh_ttl;
+	rbtdb_rdatatype_t type;
+	atomic_uint_least16_t attributes;
+	dns_trust_t trust;
+	atomic_uint_fast32_t last_refresh_fail_ts;
+	struct noqname *noqname;
+	struct noqname *closest;
+	unsigned int is_mmapped	      : 1;
+	unsigned int next_is_relative : 1;
+	unsigned int node_is_relative : 1;
+	unsigned int resign_lsb	      : 1;
+	/*%<
+	 * We don't use the LIST macros, because the LIST structure has
+	 * both head and tail pointers, and is doubly linked.
+	 */
+
+	struct rdatasetheader *next;
+	/*%<
+	 * If this is the top header for an rdataset, 'next' points
+	 * to the top header for the next rdataset (i.e., the next type).
+	 * Otherwise, it points up to the header whose down pointer points
+	 * at this header.
+	 */
+
+	struct rdatasetheader *down;
+	/*%<
+	 * Points to the header for the next older version of
+	 * this rdataset.
+	 */
+
+	atomic_uint_fast32_t count;
+	/*%<
+	 * Monotonously increased every time this rdataset is bound so that
+	 * it is used as the base of the starting point in DNS responses
+	 * when the "cyclic" rrset-order is required.
+	 */
+
+	dns_rbtnode_t *node;
+	isc_stdtime_t last_used;
+	ISC_LINK(struct rdatasetheader) link;
+
+	unsigned int heap_index;
+	/*%<
+	 * Used for TTL-based cache cleaning.
+	 */
+	isc_stdtime_t resign;
+	/*%<
+	 * Case vector.  If the bit is set then the corresponding
+	 * character in the owner name needs to be AND'd with 0x20,
+	 * rendering that character upper case.
+	 */
+	unsigned char upper[32];
+} rdatasetheader_t;
+
+typedef ISC_LIST(rdatasetheader_t) rdatasetheaderlist_t;
+typedef ISC_LIST(dns_rbtnode_t) rbtnodelist_t;
+
+#define RDATASET_ATTR_NONEXISTENT 0x0001
+/*%< May be potentially served as stale data. */
+#define RDATASET_ATTR_STALE	     0x0002
+#define RDATASET_ATTR_IGNORE	     0x0004
+#define RDATASET_ATTR_RETAIN	     0x0008
+#define RDATASET_ATTR_NXDOMAIN	     0x0010
+#define RDATASET_ATTR_RESIGN	     0x0020
+#define RDATASET_ATTR_STATCOUNT	     0x0040
+#define RDATASET_ATTR_OPTOUT	     0x0080
+#define RDATASET_ATTR_NEGATIVE	     0x0100
+#define RDATASET_ATTR_PREFETCH	     0x0200
+#define RDATASET_ATTR_CASESET	     0x0400
+#define RDATASET_ATTR_ZEROTTL	     0x0800
+#define RDATASET_ATTR_CASEFULLYLOWER 0x1000
+/*%< Ancient - awaiting cleanup. */
+#define RDATASET_ATTR_ANCIENT	   0x2000
+#define RDATASET_ATTR_STALE_WINDOW 0x4000
+
+/*
+ * XXX
+ * When the cache will pre-expire data (due to memory low or other
+ * situations) before the rdataset's TTL has expired, it MUST
+ * respect the RETAIN bit and not expire the data until its TTL is
+ * expired.
+ */
+
+#undef IGNORE /* WIN32 winbase.h defines this. */
+
+#define EXISTS(header)                                 \
+	((atomic_load_acquire(&(header)->attributes) & \
+	  RDATASET_ATTR_NONEXISTENT) == 0)
+#define NONEXISTENT(header)                            \
+	((atomic_load_acquire(&(header)->attributes) & \
+	  RDATASET_ATTR_NONEXISTENT) != 0)
+#define IGNORE(header)                                 \
+	((atomic_load_acquire(&(header)->attributes) & \
+	  RDATASET_ATTR_IGNORE) != 0)
+#define RETAIN(header)                                 \
+	((atomic_load_acquire(&(header)->attributes) & \
+	  RDATASET_ATTR_RETAIN) != 0)
+#define NXDOMAIN(header)                               \
+	((atomic_load_acquire(&(header)->attributes) & \
+	  RDATASET_ATTR_NXDOMAIN) != 0)
+#define STALE(header)                                                          \
+	((atomic_load_acquire(&(header)->attributes) & RDATASET_ATTR_STALE) != \
+	 0)
+#define STALE_WINDOW(header)                           \
+	((atomic_load_acquire(&(header)->attributes) & \
+	  RDATASET_ATTR_STALE_WINDOW) != 0)
+#define RESIGN(header)                                 \
+	((atomic_load_acquire(&(header)->attributes) & \
+	  RDATASET_ATTR_RESIGN) != 0)
+#define OPTOUT(header)                                 \
+	((atomic_load_acquire(&(header)->attributes) & \
+	  RDATASET_ATTR_OPTOUT) != 0)
+#define NEGATIVE(header)                               \
+	((atomic_load_acquire(&(header)->attributes) & \
+	  RDATASET_ATTR_NEGATIVE) != 0)
+#define PREFETCH(header)                               \
+	((atomic_load_acquire(&(header)->attributes) & \
+	  RDATASET_ATTR_PREFETCH) != 0)
+#define CASESET(header)                                \
+	((atomic_load_acquire(&(header)->attributes) & \
+	  RDATASET_ATTR_CASESET) != 0)
+#define ZEROTTL(header)                                \
+	((atomic_load_acquire(&(header)->attributes) & \
+	  RDATASET_ATTR_ZEROTTL) != 0)
+#define CASEFULLYLOWER(header)                         \
+	((atomic_load_acquire(&(header)->attributes) & \
+	  RDATASET_ATTR_CASEFULLYLOWER) != 0)
+#define ANCIENT(header)                                \
+	((atomic_load_acquire(&(header)->attributes) & \
+	  RDATASET_ATTR_ANCIENT) != 0)
+#define STATCOUNT(header)                              \
+	((atomic_load_acquire(&(header)->attributes) & \
+	  RDATASET_ATTR_STATCOUNT) != 0)
+
+#define RDATASET_ATTR_GET(header, attribute) \
+	(atomic_load_acquire(&(header)->attributes) & attribute)
+#define RDATASET_ATTR_SET(header, attribute) \
+	atomic_fetch_or_release(&(header)->attributes, attribute)
+#define RDATASET_ATTR_CLR(header, attribute) \
+	atomic_fetch_and_release(&(header)->attributes, ~(attribute))
+
+#define ACTIVE(header, now)             \
+	(((header)->rdh_ttl > (now)) || \
+	 ((header)->rdh_ttl == (now) && ZEROTTL(header)))
+
+#define DEFAULT_NODE_LOCK_COUNT	    7 /*%< Should be prime. */
+#define RBTDB_GLUE_TABLE_INIT_BITS  2U
+#define RBTDB_GLUE_TABLE_MAX_BITS   32U
+#define RBTDB_GLUE_TABLE_OVERCOMMIT 3
+
+#define GOLDEN_RATIO_32 0x61C88647
+#define HASHSIZE(bits)	(UINT64_C(1) << (bits))
+
+static uint32_t
+hash_32(uint32_t val, unsigned int bits) {
+	REQUIRE(bits <= RBTDB_GLUE_TABLE_MAX_BITS);
+	/* High bits are more random. */
+	return (val * GOLDEN_RATIO_32 >> (32 - bits));
+}
+
+#define EXPIREDOK(rbtiterator) \
+	(((rbtiterator)->common.options & DNS_DB_EXPIREDOK) != 0)
+
+#define STALEOK(rbtiterator) \
+	(((rbtiterator)->common.options & DNS_DB_STALEOK) != 0)
+
+/*%
+ * Number of buckets for cache DB entries (locks, LRU lists, TTL heaps).
+ * There is a tradeoff issue about configuring this value: if this is too
+ * small, it may cause heavier contention between threads; if this is too large,
+ * LRU purge algorithm won't work well (entries tend to be purged prematurely).
+ * The default value should work well for most environments, but this can
+ * also be configurable at compilation time via the
+ * DNS_RBTDB_CACHE_NODE_LOCK_COUNT variable.  This value must be larger than
+ * 1 due to the assumption of overmem_purge().
+ */
+#ifdef DNS_RBTDB_CACHE_NODE_LOCK_COUNT
+#if DNS_RBTDB_CACHE_NODE_LOCK_COUNT <= 1
+#error "DNS_RBTDB_CACHE_NODE_LOCK_COUNT must be larger than 1"
+#else /* if DNS_RBTDB_CACHE_NODE_LOCK_COUNT <= 1 */
+#define DEFAULT_CACHE_NODE_LOCK_COUNT DNS_RBTDB_CACHE_NODE_LOCK_COUNT
+#endif /* if DNS_RBTDB_CACHE_NODE_LOCK_COUNT <= 1 */
+#else  /* ifdef DNS_RBTDB_CACHE_NODE_LOCK_COUNT */
+#define DEFAULT_CACHE_NODE_LOCK_COUNT 17
+#endif /* DNS_RBTDB_CACHE_NODE_LOCK_COUNT */
+
+typedef struct {
+	nodelock_t lock;
+	/* Protected in the refcount routines. */
+	isc_refcount_t references;
+	/* Locked by lock. */
+	bool exiting;
+} rbtdb_nodelock_t;
+
+typedef struct rbtdb_changed {
+	dns_rbtnode_t *node;
+	bool dirty;
+	ISC_LINK(struct rbtdb_changed) link;
+} rbtdb_changed_t;
+
+typedef ISC_LIST(rbtdb_changed_t) rbtdb_changedlist_t;
+
+typedef enum { dns_db_insecure, dns_db_partial, dns_db_secure } dns_db_secure_t;
+
+typedef struct dns_rbtdb dns_rbtdb_t;
+
+/* Reason for expiring a record from cache */
+typedef enum { expire_lru, expire_ttl, expire_flush } expire_t;
+
+typedef struct rbtdb_glue rbtdb_glue_t;
+
+typedef struct rbtdb_glue_table_node {
+	struct rbtdb_glue_table_node *next;
+	dns_rbtnode_t *node;
+	rbtdb_glue_t *glue_list;
+} rbtdb_glue_table_node_t;
+
+typedef enum {
+	rdataset_ttl_fresh,
+	rdataset_ttl_stale,
+	rdataset_ttl_ancient
+} rdataset_ttl_t;
+
+typedef struct rbtdb_version {
+	/* Not locked */
+	rbtdb_serial_t serial;
+	dns_rbtdb_t *rbtdb;
+	/*
+	 * Protected in the refcount routines.
+	 * XXXJT: should we change the lock policy based on the refcount
+	 * performance?
+	 */
+	isc_refcount_t references;
+	/* Locked by database lock. */
+	bool writer;
+	bool commit_ok;
+	rbtdb_changedlist_t changed_list;
+	rdatasetheaderlist_t resigned_list;
+	ISC_LINK(struct rbtdb_version) link;
+	dns_db_secure_t secure;
+	bool havensec3;
+	/* NSEC3 parameters */
+	dns_hash_t hash;
+	uint8_t flags;
+	uint16_t iterations;
+	uint8_t salt_length;
+	unsigned char salt[DNS_NSEC3_SALTSIZE];
+
+	/*
+	 * records and xfrsize are covered by rwlock.
+	 */
+	isc_rwlock_t rwlock;
+	uint64_t records;
+	uint64_t xfrsize;
+
+	isc_rwlock_t glue_rwlock;
+	size_t glue_table_bits;
+	size_t glue_table_nodecount;
+	rbtdb_glue_table_node_t **glue_table;
+} rbtdb_version_t;
+
+typedef ISC_LIST(rbtdb_version_t) rbtdb_versionlist_t;
+
+struct dns_rbtdb {
+	/* Unlocked. */
+	dns_db_t common;
+	/* Locks the data in this struct */
+	isc_rwlock_t lock;
+	/* Locks the tree structure (prevents nodes appearing/disappearing) */
+	isc_rwlock_t tree_lock;
+	/* Locks for individual tree nodes */
+	unsigned int node_lock_count;
+	rbtdb_nodelock_t *node_locks;
+	dns_rbtnode_t *origin_node;
+	dns_rbtnode_t *nsec3_origin_node;
+	dns_stats_t *rrsetstats;     /* cache DB only */
+	isc_stats_t *cachestats;     /* cache DB only */
+	isc_stats_t *gluecachestats; /* zone DB only */
+	/* Locked by lock. */
+	unsigned int active;
+	isc_refcount_t references;
+	unsigned int attributes;
+	rbtdb_serial_t current_serial;
+	rbtdb_serial_t least_serial;
+	rbtdb_serial_t next_serial;
+	rbtdb_version_t *current_version;
+	rbtdb_version_t *future_version;
+	rbtdb_versionlist_t open_versions;
+	isc_task_t *task;
+	dns_dbnode_t *soanode;
+	dns_dbnode_t *nsnode;
+
+	/*
+	 * Maximum length of time to keep using a stale answer past its
+	 * normal TTL expiry.
+	 */
+	dns_ttl_t serve_stale_ttl;
+
+	/*
+	 * The time after a failed lookup, where stale answers from cache
+	 * may be used directly in a DNS response without attempting a
+	 * new iterative lookup.
+	 */
+	uint32_t serve_stale_refresh;
+
+	/*
+	 * This is a linked list used to implement the LRU cache.  There will
+	 * be node_lock_count linked lists here.  Nodes in bucket 1 will be
+	 * placed on the linked list rdatasets[1].
+	 */
+	rdatasetheaderlist_t *rdatasets;
+
+	/*%
+	 * Temporary storage for stale cache nodes and dynamically deleted
+	 * nodes that await being cleaned up.
+	 */
+	rbtnodelist_t *deadnodes;
+
+	/*
+	 * Heaps.  These are used for TTL based expiry in a cache,
+	 * or for zone resigning in a zone DB.  hmctx is the memory
+	 * context to use for the heap (which differs from the main
+	 * database memory context in the case of a cache).
+	 */
+	isc_mem_t *hmctx;
+	isc_heap_t **heaps;
+
+	/*
+	 * Base values for the mmap() code.
+	 */
+	void *mmap_location;
+	size_t mmap_size;
+
+	/* Locked by tree_lock. */
+	dns_rbt_t *tree;
+	dns_rbt_t *nsec;
+	dns_rbt_t *nsec3;
+
+	/* Unlocked */
+	unsigned int quantum;
+};
+
+#define RBTDB_ATTR_LOADED  0x01
+#define RBTDB_ATTR_LOADING 0x02
+
+#define KEEPSTALE(rbtdb) ((rbtdb)->serve_stale_ttl > 0)
+
+/*%
+ * Search Context
+ */
+typedef struct {
+	dns_rbtdb_t *rbtdb;
+	rbtdb_version_t *rbtversion;
+	rbtdb_serial_t serial;
+	unsigned int options;
+	dns_rbtnodechain_t chain;
+	bool copy_name;
+	bool need_cleanup;
+	bool wild;
+	dns_rbtnode_t *zonecut;
+	rdatasetheader_t *zonecut_rdataset;
+	rdatasetheader_t *zonecut_sigrdataset;
+	dns_fixedname_t zonecut_name;
+	isc_stdtime_t now;
+} rbtdb_search_t;
+
+/*%
+ * Load Context
+ */
+typedef struct {
+	dns_rbtdb_t *rbtdb;
+	isc_stdtime_t now;
+} rbtdb_load_t;
+
+static void
+delete_callback(void *data, void *arg);
+static void
+rdataset_disassociate(dns_rdataset_t *rdataset);
+static isc_result_t
+rdataset_first(dns_rdataset_t *rdataset);
+static isc_result_t
+rdataset_next(dns_rdataset_t *rdataset);
+static void
+rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata);
+static void
+rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target);
+static unsigned int
+rdataset_count(dns_rdataset_t *rdataset);
+static isc_result_t
+rdataset_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
+		    dns_rdataset_t *neg, dns_rdataset_t *negsig);
+static isc_result_t
+rdataset_getclosest(dns_rdataset_t *rdataset, dns_name_t *name,
+		    dns_rdataset_t *neg, dns_rdataset_t *negsig);
+static bool
+need_headerupdate(rdatasetheader_t *header, isc_stdtime_t now);
+static void
+update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, isc_stdtime_t now);
+static void
+expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, bool tree_locked,
+	      expire_t reason);
+static void
+overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, size_t purgesize,
+	      bool tree_locked);
+static void
+resign_insert(dns_rbtdb_t *rbtdb, int idx, rdatasetheader_t *newheader);
+static void
+resign_delete(dns_rbtdb_t *rbtdb, rbtdb_version_t *version,
+	      rdatasetheader_t *header);
+static void
+prune_tree(isc_task_t *task, isc_event_t *event);
+static void
+rdataset_settrust(dns_rdataset_t *rdataset, dns_trust_t trust);
+static void
+rdataset_expire(dns_rdataset_t *rdataset);
+static void
+rdataset_clearprefetch(dns_rdataset_t *rdataset);
+static void
+rdataset_setownercase(dns_rdataset_t *rdataset, const dns_name_t *name);
+static void
+rdataset_getownercase(const dns_rdataset_t *rdataset, dns_name_t *name);
+static isc_result_t
+rdataset_addglue(dns_rdataset_t *rdataset, dns_dbversion_t *version,
+		 dns_message_t *msg);
+static void
+free_gluetable(rbtdb_version_t *version);
+static isc_result_t
+nodefullname(dns_db_t *db, dns_dbnode_t *node, dns_name_t *name);
+
+static dns_rdatasetmethods_t rdataset_methods = { rdataset_disassociate,
+						  rdataset_first,
+						  rdataset_next,
+						  rdataset_current,
+						  rdataset_clone,
+						  rdataset_count,
+						  NULL, /* addnoqname */
+						  rdataset_getnoqname,
+						  NULL, /* addclosest */
+						  rdataset_getclosest,
+						  rdataset_settrust,
+						  rdataset_expire,
+						  rdataset_clearprefetch,
+						  rdataset_setownercase,
+						  rdataset_getownercase,
+						  rdataset_addglue };
+
+static dns_rdatasetmethods_t slab_methods = {
+	rdataset_disassociate,
+	rdataset_first,
+	rdataset_next,
+	rdataset_current,
+	rdataset_clone,
+	rdataset_count,
+	NULL, /* addnoqname */
+	NULL, /* getnoqname */
+	NULL, /* addclosest */
+	NULL, /* getclosest */
+	NULL, /* settrust */
+	NULL, /* expire */
+	NULL, /* clearprefetch */
+	NULL, /* setownercase */
+	NULL, /* getownercase */
+	NULL  /* addglue */
+};
+
+static void
+rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp);
+static isc_result_t
+rdatasetiter_first(dns_rdatasetiter_t *iterator);
+static isc_result_t
+rdatasetiter_next(dns_rdatasetiter_t *iterator);
+static void
+rdatasetiter_current(dns_rdatasetiter_t *iterator, dns_rdataset_t *rdataset);
+
+static dns_rdatasetitermethods_t rdatasetiter_methods = {
+	rdatasetiter_destroy, rdatasetiter_first, rdatasetiter_next,
+	rdatasetiter_current
+};
+
+typedef struct rbtdb_rdatasetiter {
+	dns_rdatasetiter_t common;
+	rdatasetheader_t *current;
+} rbtdb_rdatasetiter_t;
+
+/*
+ * Note that these iterators, unless created with either DNS_DB_NSEC3ONLY or
+ * DNS_DB_NONSEC3, will transparently move between the last node of the
+ * "regular" RBT ("chain" field) and the root node of the NSEC3 RBT
+ * ("nsec3chain" field) of the database in question, as if the latter was a
+ * successor to the former in lexical order.  The "current" field always holds
+ * the address of either "chain" or "nsec3chain", depending on which RBT is
+ * being traversed at given time.
+ */
+static void
+dbiterator_destroy(dns_dbiterator_t **iteratorp);
+static isc_result_t
+dbiterator_first(dns_dbiterator_t *iterator);
+static isc_result_t
+dbiterator_last(dns_dbiterator_t *iterator);
+static isc_result_t
+dbiterator_seek(dns_dbiterator_t *iterator, const dns_name_t *name);
+static isc_result_t
+dbiterator_prev(dns_dbiterator_t *iterator);
+static isc_result_t
+dbiterator_next(dns_dbiterator_t *iterator);
+static isc_result_t
+dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep,
+		   dns_name_t *name);
+static isc_result_t
+dbiterator_pause(dns_dbiterator_t *iterator);
+static isc_result_t
+dbiterator_origin(dns_dbiterator_t *iterator, dns_name_t *name);
+
+static dns_dbiteratormethods_t dbiterator_methods = {
+	dbiterator_destroy, dbiterator_first, dbiterator_last,
+	dbiterator_seek,    dbiterator_prev,  dbiterator_next,
+	dbiterator_current, dbiterator_pause, dbiterator_origin
+};
+
+#define DELETION_BATCH_MAX 64
+
+/*
+ * If 'paused' is true, then the tree lock is not being held.
+ */
+typedef struct rbtdb_dbiterator {
+	dns_dbiterator_t common;
+	bool paused;
+	bool new_origin;
+	isc_rwlocktype_t tree_locked;
+	isc_result_t result;
+	dns_fixedname_t name;
+	dns_fixedname_t origin;
+	dns_rbtnodechain_t chain;
+	dns_rbtnodechain_t nsec3chain;
+	dns_rbtnodechain_t *current;
+	dns_rbtnode_t *node;
+	dns_rbtnode_t *deletions[DELETION_BATCH_MAX];
+	int delcnt;
+	bool nsec3only;
+	bool nonsec3;
+} rbtdb_dbiterator_t;
+
+#define IS_STUB(rbtdb)	(((rbtdb)->common.attributes & DNS_DBATTR_STUB) != 0)
+#define IS_CACHE(rbtdb) (((rbtdb)->common.attributes & DNS_DBATTR_CACHE) != 0)
+
+static void
+free_rbtdb(dns_rbtdb_t *rbtdb, bool log, isc_event_t *event);
+static void
+overmem(dns_db_t *db, bool over);
+static void
+setnsec3parameters(dns_db_t *db, rbtdb_version_t *version);
+static void
+setownercase(rdatasetheader_t *header, const dns_name_t *name);
+
+static bool
+match_header_version(rbtdb_file_header_t *header);
+
+/* Pad to 32 bytes */
+static char FILE_VERSION[32] = "\0";
+
+/*%
+ * 'init_count' is used to initialize 'newheader->count' which inturn
+ * is used to determine where in the cycle rrset-order cyclic starts.
+ * We don't lock this as we don't care about simultaneous updates.
+ *
+ * Note:
+ *      Both init_count and header->count can be UINT32_MAX.
+ *      The count on the returned rdataset however can't be as
+ *      that indicates that the database does not implement cyclic
+ *      processing.
+ */
+static atomic_uint_fast32_t init_count = 0;
+
+/*
+ * Locking
+ *
+ * If a routine is going to lock more than one lock in this module, then
+ * the locking must be done in the following order:
+ *
+ *      Tree Lock
+ *
+ *      Node Lock       (Only one from the set may be locked at one time by
+ *                       any caller)
+ *
+ *      Database Lock
+ *
+ * Failure to follow this hierarchy can result in deadlock.
+ */
+
+/*
+ * Deleting Nodes
+ *
+ * For zone databases the node for the origin of the zone MUST NOT be deleted.
+ */
+
+/*
+ * Debugging routines
+ */
+#ifdef DEBUG
+static void
+hexdump(const char *desc, unsigned char *data, size_t size) {
+	char hexdump[BUFSIZ * 2 + 1];
+	isc_buffer_t b;
+	isc_region_t r;
+	isc_result_t result;
+	size_t bytes;
+
+	fprintf(stderr, "%s: ", desc);
+	do {
+		isc_buffer_init(&b, hexdump, sizeof(hexdump));
+		r.base = data;
+		r.length = bytes = (size > BUFSIZ) ? BUFSIZ : size;
+		result = isc_hex_totext(&r, 0, "", &b);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		isc_buffer_putuint8(&b, 0);
+		fprintf(stderr, "%s", hexdump);
+		data += bytes;
+		size -= bytes;
+	} while (size > 0);
+	fprintf(stderr, "\n");
+}
+#endif /* ifdef DEBUG */
+
+/* Fixed RRSet helper macros */
+
+#define DNS_RDATASET_LENGTH 2;
+
+#if DNS_RDATASET_FIXED
+#define DNS_RDATASET_ORDER 2
+#define DNS_RDATASET_COUNT (count * 4)
+#else /* !DNS_RDATASET_FIXED */
+#define DNS_RDATASET_ORDER 0
+#define DNS_RDATASET_COUNT 0
+#endif /* DNS_RDATASET_FIXED */
+
+/*
+ * DB Routines
+ */
+
+static void
+attach(dns_db_t *source, dns_db_t **targetp) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)source;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+
+	isc_refcount_increment(&rbtdb->references);
+
+	*targetp = source;
+}
+
+static void
+free_rbtdb_callback(isc_task_t *task, isc_event_t *event) {
+	dns_rbtdb_t *rbtdb = event->ev_arg;
+
+	UNUSED(task);
+
+	free_rbtdb(rbtdb, true, event);
+}
+
+static void
+update_cachestats(dns_rbtdb_t *rbtdb, isc_result_t result) {
+	INSIST(IS_CACHE(rbtdb));
+
+	if (rbtdb->cachestats == NULL) {
+		return;
+	}
+
+	switch (result) {
+	case ISC_R_SUCCESS:
+	case DNS_R_CNAME:
+	case DNS_R_DNAME:
+	case DNS_R_DELEGATION:
+	case DNS_R_NCACHENXDOMAIN:
+	case DNS_R_NCACHENXRRSET:
+		isc_stats_increment(rbtdb->cachestats,
+				    dns_cachestatscounter_hits);
+		break;
+	default:
+		isc_stats_increment(rbtdb->cachestats,
+				    dns_cachestatscounter_misses);
+	}
+}
+
+static bool
+do_stats(rdatasetheader_t *header) {
+	return (EXISTS(header) && STATCOUNT(header));
+}
+
+static void
+update_rrsetstats(dns_rbtdb_t *rbtdb, const rbtdb_rdatatype_t htype,
+		  const uint_least16_t hattributes, const bool increment) {
+	dns_rdatastatstype_t statattributes = 0;
+	dns_rdatastatstype_t base = 0;
+	dns_rdatastatstype_t type;
+	rdatasetheader_t *header = &(rdatasetheader_t){
+		.type = htype,
+		.attributes = hattributes,
+	};
+
+	if (!do_stats(header)) {
+		return;
+	}
+
+	/* At the moment we count statistics only for cache DB */
+	INSIST(IS_CACHE(rbtdb));
+
+	if (NEGATIVE(header)) {
+		if (NXDOMAIN(header)) {
+			statattributes = DNS_RDATASTATSTYPE_ATTR_NXDOMAIN;
+		} else {
+			statattributes = DNS_RDATASTATSTYPE_ATTR_NXRRSET;
+			base = RBTDB_RDATATYPE_EXT(header->type);
+		}
+	} else {
+		base = RBTDB_RDATATYPE_BASE(header->type);
+	}
+
+	if (STALE(header)) {
+		statattributes |= DNS_RDATASTATSTYPE_ATTR_STALE;
+	}
+	if (ANCIENT(header)) {
+		statattributes |= DNS_RDATASTATSTYPE_ATTR_ANCIENT;
+	}
+
+	type = DNS_RDATASTATSTYPE_VALUE(base, statattributes);
+	if (increment) {
+		dns_rdatasetstats_increment(rbtdb->rrsetstats, type);
+	} else {
+		dns_rdatasetstats_decrement(rbtdb->rrsetstats, type);
+	}
+}
+
+static void
+set_ttl(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, dns_ttl_t newttl) {
+	int idx;
+	isc_heap_t *heap;
+	dns_ttl_t oldttl;
+
+	if (!IS_CACHE(rbtdb)) {
+		header->rdh_ttl = newttl;
+		return;
+	}
+
+	oldttl = header->rdh_ttl;
+	header->rdh_ttl = newttl;
+
+	/*
+	 * It's possible the rbtdb is not a cache.  If this is the case,
+	 * we will not have a heap, and we move on.  If we do, though,
+	 * we might need to adjust things.
+	 */
+	if (header->heap_index == 0 || newttl == oldttl) {
+		return;
+	}
+	idx = header->node->locknum;
+	if (rbtdb->heaps == NULL || rbtdb->heaps[idx] == NULL) {
+		return;
+	}
+	heap = rbtdb->heaps[idx];
+
+	if (newttl < oldttl) {
+		isc_heap_increased(heap, header->heap_index);
+	} else {
+		isc_heap_decreased(heap, header->heap_index);
+	}
+}
+
+/*%
+ * These functions allow the heap code to rank the priority of each
+ * element.  It returns true if v1 happens "sooner" than v2.
+ */
+static bool
+ttl_sooner(void *v1, void *v2) {
+	rdatasetheader_t *h1 = v1;
+	rdatasetheader_t *h2 = v2;
+
+	return (h1->rdh_ttl < h2->rdh_ttl);
+}
+
+/*%
+ * Return which RRset should be resigned sooner.  If the RRsets have the
+ * same signing time, prefer the other RRset over the SOA RRset.
+ */
+static bool
+resign_sooner(void *v1, void *v2) {
+	rdatasetheader_t *h1 = v1;
+	rdatasetheader_t *h2 = v2;
+
+	return (h1->resign < h2->resign ||
+		(h1->resign == h2->resign && h1->resign_lsb < h2->resign_lsb) ||
+		(h1->resign == h2->resign && h1->resign_lsb == h2->resign_lsb &&
+		 h2->type == RBTDB_RDATATYPE_SIGSOA));
+}
+
+/*%
+ * This function sets the heap index into the header.
+ */
+static void
+set_index(void *what, unsigned int idx) {
+	rdatasetheader_t *h = what;
+
+	h->heap_index = idx;
+}
+
+/*%
+ * Work out how many nodes can be deleted in the time between two
+ * requests to the nameserver.  Smooth the resulting number and use it
+ * as a estimate for the number of nodes to be deleted in the next
+ * iteration.
+ */
+static unsigned int
+adjust_quantum(unsigned int old, isc_time_t *start) {
+	unsigned int pps = dns_pps; /* packets per second */
+	unsigned int interval;
+	uint64_t usecs;
+	isc_time_t end;
+	unsigned int nodes;
+
+	if (pps < 100) {
+		pps = 100;
+	}
+	isc_time_now(&end);
+
+	interval = 1000000 / pps; /* interval in usec */
+	if (interval == 0) {
+		interval = 1;
+	}
+	usecs = isc_time_microdiff(&end, start);
+	if (usecs == 0) {
+		/*
+		 * We were unable to measure the amount of time taken.
+		 * Double the nodes deleted next time.
+		 */
+		old *= 2;
+		if (old > 1000) {
+			old = 1000;
+		}
+		return (old);
+	}
+	nodes = old * interval;
+	nodes /= (unsigned int)usecs;
+	if (nodes == 0) {
+		nodes = 1;
+	} else if (nodes > 1000) {
+		nodes = 1000;
+	}
+
+	/* Smooth */
+	nodes = (nodes + old * 3) / 4;
+
+	if (nodes != old) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1),
+			      "adjust_quantum: old=%d, new=%d", old, nodes);
+	}
+
+	return (nodes);
+}
+
+static void
+free_rbtdb(dns_rbtdb_t *rbtdb, bool log, isc_event_t *event) {
+	unsigned int i;
+	isc_result_t result;
+	char buf[DNS_NAME_FORMATSIZE];
+	dns_rbt_t **treep;
+	isc_time_t start;
+
+	if (IS_CACHE(rbtdb) && rbtdb->common.rdclass == dns_rdataclass_in) {
+		overmem((dns_db_t *)rbtdb, (bool)-1);
+	}
+
+	REQUIRE(rbtdb->current_version != NULL || EMPTY(rbtdb->open_versions));
+	REQUIRE(rbtdb->future_version == NULL);
+
+	if (rbtdb->current_version != NULL) {
+		isc_refcount_decrementz(&rbtdb->current_version->references);
+		UNLINK(rbtdb->open_versions, rbtdb->current_version, link);
+		isc_rwlock_destroy(&rbtdb->current_version->glue_rwlock);
+		isc_refcount_destroy(&rbtdb->current_version->references);
+		isc_rwlock_destroy(&rbtdb->current_version->rwlock);
+		isc_mem_put(rbtdb->common.mctx, rbtdb->current_version,
+			    sizeof(rbtdb_version_t));
+	}
+
+	/*
+	 * We assume the number of remaining dead nodes is reasonably small;
+	 * the overhead of unlinking all nodes here should be negligible.
+	 */
+	for (i = 0; i < rbtdb->node_lock_count; i++) {
+		dns_rbtnode_t *node;
+
+		node = ISC_LIST_HEAD(rbtdb->deadnodes[i]);
+		while (node != NULL) {
+			ISC_LIST_UNLINK(rbtdb->deadnodes[i], node, deadlink);
+			node = ISC_LIST_HEAD(rbtdb->deadnodes[i]);
+		}
+	}
+
+	if (event == NULL) {
+		rbtdb->quantum = (rbtdb->task != NULL) ? 100 : 0;
+	}
+
+	for (;;) {
+		/*
+		 * pick the next tree to (start to) destroy
+		 */
+		treep = &rbtdb->tree;
+		if (*treep == NULL) {
+			treep = &rbtdb->nsec;
+			if (*treep == NULL) {
+				treep = &rbtdb->nsec3;
+				/*
+				 * we're finished after clear cutting
+				 */
+				if (*treep == NULL) {
+					break;
+				}
+			}
+		}
+
+		isc_time_now(&start);
+		result = dns_rbt_destroy2(treep, rbtdb->quantum);
+		if (result == ISC_R_QUOTA) {
+			INSIST(rbtdb->task != NULL);
+			if (rbtdb->quantum != 0) {
+				rbtdb->quantum = adjust_quantum(rbtdb->quantum,
+								&start);
+			}
+			if (event == NULL) {
+				event = isc_event_allocate(
+					rbtdb->common.mctx, NULL,
+					DNS_EVENT_FREESTORAGE,
+					free_rbtdb_callback, rbtdb,
+					sizeof(isc_event_t));
+			}
+			isc_task_send(rbtdb->task, &event);
+			return;
+		}
+		INSIST(result == ISC_R_SUCCESS && *treep == NULL);
+	}
+
+	if (event != NULL) {
+		isc_event_free(&event);
+	}
+	if (log) {
+		if (dns_name_dynamic(&rbtdb->common.origin)) {
+			dns_name_format(&rbtdb->common.origin, buf,
+					sizeof(buf));
+		} else {
+			strlcpy(buf, "<UNKNOWN>", sizeof(buf));
+		}
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1),
+			      "done free_rbtdb(%s)", buf);
+	}
+	if (dns_name_dynamic(&rbtdb->common.origin)) {
+		dns_name_free(&rbtdb->common.origin, rbtdb->common.mctx);
+	}
+	for (i = 0; i < rbtdb->node_lock_count; i++) {
+		isc_refcount_destroy(&rbtdb->node_locks[i].references);
+		NODE_DESTROYLOCK(&rbtdb->node_locks[i].lock);
+	}
+
+	/*
+	 * Clean up LRU / re-signing order lists.
+	 */
+	if (rbtdb->rdatasets != NULL) {
+		for (i = 0; i < rbtdb->node_lock_count; i++) {
+			INSIST(ISC_LIST_EMPTY(rbtdb->rdatasets[i]));
+		}
+		isc_mem_put(rbtdb->common.mctx, rbtdb->rdatasets,
+			    rbtdb->node_lock_count *
+				    sizeof(rdatasetheaderlist_t));
+	}
+	/*
+	 * Clean up dead node buckets.
+	 */
+	if (rbtdb->deadnodes != NULL) {
+		for (i = 0; i < rbtdb->node_lock_count; i++) {
+			INSIST(ISC_LIST_EMPTY(rbtdb->deadnodes[i]));
+		}
+		isc_mem_put(rbtdb->common.mctx, rbtdb->deadnodes,
+			    rbtdb->node_lock_count * sizeof(rbtnodelist_t));
+	}
+	/*
+	 * Clean up heap objects.
+	 */
+	if (rbtdb->heaps != NULL) {
+		for (i = 0; i < rbtdb->node_lock_count; i++) {
+			isc_heap_destroy(&rbtdb->heaps[i]);
+		}
+		isc_mem_put(rbtdb->hmctx, rbtdb->heaps,
+			    rbtdb->node_lock_count * sizeof(isc_heap_t *));
+	}
+
+	if (rbtdb->rrsetstats != NULL) {
+		dns_stats_detach(&rbtdb->rrsetstats);
+	}
+	if (rbtdb->cachestats != NULL) {
+		isc_stats_detach(&rbtdb->cachestats);
+	}
+	if (rbtdb->gluecachestats != NULL) {
+		isc_stats_detach(&rbtdb->gluecachestats);
+	}
+
+	isc_mem_put(rbtdb->common.mctx, rbtdb->node_locks,
+		    rbtdb->node_lock_count * sizeof(rbtdb_nodelock_t));
+	isc_rwlock_destroy(&rbtdb->tree_lock);
+	isc_refcount_destroy(&rbtdb->references);
+	if (rbtdb->task != NULL) {
+		isc_task_detach(&rbtdb->task);
+	}
+
+	RBTDB_DESTROYLOCK(&rbtdb->lock);
+	rbtdb->common.magic = 0;
+	rbtdb->common.impmagic = 0;
+	isc_mem_detach(&rbtdb->hmctx);
+
+	if (rbtdb->mmap_location != NULL) {
+		isc_file_munmap(rbtdb->mmap_location, (size_t)rbtdb->mmap_size);
+	}
+
+	INSIST(ISC_LIST_EMPTY(rbtdb->common.update_listeners));
+
+	isc_mem_putanddetach(&rbtdb->common.mctx, rbtdb, sizeof(*rbtdb));
+}
+
+static void
+maybe_free_rbtdb(dns_rbtdb_t *rbtdb) {
+	bool want_free = false;
+	unsigned int i;
+	unsigned int inactive = 0;
+
+	/* XXX check for open versions here */
+
+	if (rbtdb->soanode != NULL) {
+		dns_db_detachnode((dns_db_t *)rbtdb, &rbtdb->soanode);
+	}
+	if (rbtdb->nsnode != NULL) {
+		dns_db_detachnode((dns_db_t *)rbtdb, &rbtdb->nsnode);
+	}
+
+	/*
+	 * The current version's glue table needs to be freed early
+	 * so the nodes are dereferenced before we check the active
+	 * node count below.
+	 */
+	if (rbtdb->current_version != NULL) {
+		free_gluetable(rbtdb->current_version);
+	}
+
+	/*
+	 * Even though there are no external direct references, there still
+	 * may be nodes in use.
+	 */
+	for (i = 0; i < rbtdb->node_lock_count; i++) {
+		NODE_LOCK(&rbtdb->node_locks[i].lock, isc_rwlocktype_write);
+		rbtdb->node_locks[i].exiting = true;
+		if (isc_refcount_current(&rbtdb->node_locks[i].references) == 0)
+		{
+			inactive++;
+		}
+		NODE_UNLOCK(&rbtdb->node_locks[i].lock, isc_rwlocktype_write);
+	}
+
+	if (inactive != 0) {
+		RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write);
+		rbtdb->active -= inactive;
+		if (rbtdb->active == 0) {
+			want_free = true;
+		}
+		RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write);
+		if (want_free) {
+			char buf[DNS_NAME_FORMATSIZE];
+			if (dns_name_dynamic(&rbtdb->common.origin)) {
+				dns_name_format(&rbtdb->common.origin, buf,
+						sizeof(buf));
+			} else {
+				strlcpy(buf, "<UNKNOWN>", sizeof(buf));
+			}
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1),
+				      "calling free_rbtdb(%s)", buf);
+			free_rbtdb(rbtdb, true, NULL);
+		}
+	}
+}
+
+static void
+detach(dns_db_t **dbp) {
+	REQUIRE(dbp != NULL && VALID_RBTDB((dns_rbtdb_t *)(*dbp)));
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)(*dbp);
+	*dbp = NULL;
+
+	if (isc_refcount_decrement(&rbtdb->references) == 1) {
+		maybe_free_rbtdb(rbtdb);
+	}
+}
+
+static void
+currentversion(dns_db_t *db, dns_dbversion_t **versionp) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	rbtdb_version_t *version;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+
+	RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_read);
+	version = rbtdb->current_version;
+	isc_refcount_increment(&version->references);
+	RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_read);
+
+	*versionp = (dns_dbversion_t *)version;
+}
+
+static rbtdb_version_t *
+allocate_version(isc_mem_t *mctx, rbtdb_serial_t serial,
+		 unsigned int references, bool writer) {
+	rbtdb_version_t *version;
+	size_t size;
+
+	version = isc_mem_get(mctx, sizeof(*version));
+	version->serial = serial;
+
+	isc_refcount_init(&version->references, references);
+	isc_rwlock_init(&version->glue_rwlock, 0, 0);
+
+	version->glue_table_bits = RBTDB_GLUE_TABLE_INIT_BITS;
+	version->glue_table_nodecount = 0U;
+
+	size = HASHSIZE(version->glue_table_bits) *
+	       sizeof(version->glue_table[0]);
+	version->glue_table = isc_mem_get(mctx, size);
+	memset(version->glue_table, 0, size);
+
+	version->writer = writer;
+	version->commit_ok = false;
+	ISC_LIST_INIT(version->changed_list);
+	ISC_LIST_INIT(version->resigned_list);
+	ISC_LINK_INIT(version, link);
+
+	return (version);
+}
+
+static isc_result_t
+newversion(dns_db_t *db, dns_dbversion_t **versionp) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	rbtdb_version_t *version;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	REQUIRE(versionp != NULL && *versionp == NULL);
+	REQUIRE(rbtdb->future_version == NULL);
+
+	RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write);
+	RUNTIME_CHECK(rbtdb->next_serial != 0); /* XXX Error? */
+	version = allocate_version(rbtdb->common.mctx, rbtdb->next_serial, 1,
+				   true);
+	version->rbtdb = rbtdb;
+	version->commit_ok = true;
+	version->secure = rbtdb->current_version->secure;
+	version->havensec3 = rbtdb->current_version->havensec3;
+	if (version->havensec3) {
+		version->flags = rbtdb->current_version->flags;
+		version->iterations = rbtdb->current_version->iterations;
+		version->hash = rbtdb->current_version->hash;
+		version->salt_length = rbtdb->current_version->salt_length;
+		memmove(version->salt, rbtdb->current_version->salt,
+			version->salt_length);
+	} else {
+		version->flags = 0;
+		version->iterations = 0;
+		version->hash = 0;
+		version->salt_length = 0;
+		memset(version->salt, 0, sizeof(version->salt));
+	}
+	isc_rwlock_init(&version->rwlock, 0, 0);
+	RWLOCK(&rbtdb->current_version->rwlock, isc_rwlocktype_read);
+	version->records = rbtdb->current_version->records;
+	version->xfrsize = rbtdb->current_version->xfrsize;
+	RWUNLOCK(&rbtdb->current_version->rwlock, isc_rwlocktype_read);
+	rbtdb->next_serial++;
+	rbtdb->future_version = version;
+	RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write);
+
+	*versionp = version;
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+attachversion(dns_db_t *db, dns_dbversion_t *source,
+	      dns_dbversion_t **targetp) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	rbtdb_version_t *rbtversion = source;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	INSIST(rbtversion != NULL && rbtversion->rbtdb == rbtdb);
+
+	isc_refcount_increment(&rbtversion->references);
+
+	*targetp = rbtversion;
+}
+
+static rbtdb_changed_t *
+add_changed(dns_rbtdb_t *rbtdb, rbtdb_version_t *version, dns_rbtnode_t *node) {
+	rbtdb_changed_t *changed;
+
+	/*
+	 * Caller must be holding the node lock if its reference must be
+	 * protected by the lock.
+	 */
+
+	changed = isc_mem_get(rbtdb->common.mctx, sizeof(*changed));
+
+	RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write);
+
+	REQUIRE(version->writer);
+
+	if (changed != NULL) {
+		isc_refcount_increment(&node->references);
+		changed->node = node;
+		changed->dirty = false;
+		ISC_LIST_INITANDAPPEND(version->changed_list, changed, link);
+	} else {
+		version->commit_ok = false;
+	}
+
+	RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write);
+
+	return (changed);
+}
+
+static void
+free_noqname(isc_mem_t *mctx, struct noqname **noqname) {
+	if (dns_name_dynamic(&(*noqname)->name)) {
+		dns_name_free(&(*noqname)->name, mctx);
+	}
+	if ((*noqname)->neg != NULL) {
+		isc_mem_put(mctx, (*noqname)->neg,
+			    dns_rdataslab_size((*noqname)->neg, 0));
+	}
+	if ((*noqname)->negsig != NULL) {
+		isc_mem_put(mctx, (*noqname)->negsig,
+			    dns_rdataslab_size((*noqname)->negsig, 0));
+	}
+	isc_mem_put(mctx, *noqname, sizeof(**noqname));
+	*noqname = NULL;
+}
+
+static void
+init_rdataset(dns_rbtdb_t *rbtdb, rdatasetheader_t *h) {
+	ISC_LINK_INIT(h, link);
+	h->heap_index = 0;
+	h->is_mmapped = 0;
+	h->next_is_relative = 0;
+	h->node_is_relative = 0;
+	atomic_init(&h->attributes, 0);
+	atomic_init(&h->last_refresh_fail_ts, 0);
+
+	STATIC_ASSERT((sizeof(h->attributes) == 2),
+		      "The .attributes field of rdatasetheader_t needs to be "
+		      "16-bit int type exactly.");
+
+#if TRACE_HEADER
+	if (IS_CACHE(rbtdb) && rbtdb->common.rdclass == dns_rdataclass_in) {
+		fprintf(stderr, "initialized header: %p\n", h);
+	}
+#else  /* if TRACE_HEADER */
+	UNUSED(rbtdb);
+#endif /* if TRACE_HEADER */
+}
+
+/*
+ * Update the copied values of 'next' and 'node' if they are relative.
+ */
+static void
+update_newheader(rdatasetheader_t *newh, rdatasetheader_t *old) {
+	char *p;
+
+	if (old->next_is_relative) {
+		p = (char *)old;
+		p += (uintptr_t)old->next;
+		newh->next = (rdatasetheader_t *)p;
+	}
+	if (old->node_is_relative) {
+		p = (char *)old;
+		p += (uintptr_t)old->node;
+		newh->node = (dns_rbtnode_t *)p;
+	}
+	if (CASESET(old)) {
+		uint_least16_t attr = RDATASET_ATTR_GET(
+			old,
+			(RDATASET_ATTR_CASESET | RDATASET_ATTR_CASEFULLYLOWER));
+		RDATASET_ATTR_SET(newh, attr);
+		memmove(newh->upper, old->upper, sizeof(old->upper));
+	}
+}
+
+static rdatasetheader_t *
+new_rdataset(dns_rbtdb_t *rbtdb, isc_mem_t *mctx) {
+	rdatasetheader_t *h;
+
+	h = isc_mem_get(mctx, sizeof(*h));
+
+#if TRACE_HEADER
+	if (IS_CACHE(rbtdb) && rbtdb->common.rdclass == dns_rdataclass_in) {
+		fprintf(stderr, "allocated header: %p\n", h);
+	}
+#endif /* if TRACE_HEADER */
+	memset(h->upper, 0xeb, sizeof(h->upper));
+	init_rdataset(rbtdb, h);
+	h->rdh_ttl = 0;
+	return (h);
+}
+
+static void
+free_rdataset(dns_rbtdb_t *rbtdb, isc_mem_t *mctx, rdatasetheader_t *rdataset) {
+	unsigned int size;
+	int idx;
+
+	update_rrsetstats(rbtdb, rdataset->type,
+			  atomic_load_acquire(&rdataset->attributes), false);
+
+	idx = rdataset->node->locknum;
+	if (ISC_LINK_LINKED(rdataset, link)) {
+		INSIST(IS_CACHE(rbtdb));
+		ISC_LIST_UNLINK(rbtdb->rdatasets[idx], rdataset, link);
+	}
+
+	if (rdataset->heap_index != 0) {
+		isc_heap_delete(rbtdb->heaps[idx], rdataset->heap_index);
+	}
+	rdataset->heap_index = 0;
+
+	if (rdataset->noqname != NULL) {
+		free_noqname(mctx, &rdataset->noqname);
+	}
+	if (rdataset->closest != NULL) {
+		free_noqname(mctx, &rdataset->closest);
+	}
+
+	if (NONEXISTENT(rdataset)) {
+		size = sizeof(*rdataset);
+	} else {
+		size = dns_rdataslab_size((unsigned char *)rdataset,
+					  sizeof(*rdataset));
+	}
+
+	if (rdataset->is_mmapped == 1) {
+		return;
+	}
+
+	isc_mem_put(mctx, rdataset, size);
+}
+
+static void
+rollback_node(dns_rbtnode_t *node, rbtdb_serial_t serial) {
+	rdatasetheader_t *header, *dcurrent;
+	bool make_dirty = false;
+
+	/*
+	 * Caller must hold the node lock.
+	 */
+
+	/*
+	 * We set the IGNORE attribute on rdatasets with serial number
+	 * 'serial'.  When the reference count goes to zero, these rdatasets
+	 * will be cleaned up; until that time, they will be ignored.
+	 */
+	for (header = node->data; header != NULL; header = header->next) {
+		if (header->serial == serial) {
+			RDATASET_ATTR_SET(header, RDATASET_ATTR_IGNORE);
+			make_dirty = true;
+		}
+		for (dcurrent = header->down; dcurrent != NULL;
+		     dcurrent = dcurrent->down)
+		{
+			if (dcurrent->serial == serial) {
+				RDATASET_ATTR_SET(dcurrent,
+						  RDATASET_ATTR_IGNORE);
+				make_dirty = true;
+			}
+		}
+	}
+	if (make_dirty) {
+		node->dirty = 1;
+	}
+}
+
+static void
+mark_header_ancient(dns_rbtdb_t *rbtdb, rdatasetheader_t *header) {
+	uint_least16_t attributes = atomic_load_acquire(&header->attributes);
+	uint_least16_t newattributes = 0;
+
+	/*
+	 * If we are already ancient there is nothing to do.
+	 */
+	do {
+		if ((attributes & RDATASET_ATTR_ANCIENT) != 0) {
+			return;
+		}
+		newattributes = attributes | RDATASET_ATTR_ANCIENT;
+	} while (!atomic_compare_exchange_weak_acq_rel(
+		&header->attributes, &attributes, newattributes));
+
+	/*
+	 * Decrement the stats counter for the appropriate RRtype.
+	 * If the STALE attribute is set, this will decrement the
+	 * stale type counter, otherwise it decrements the active
+	 * stats type counter.
+	 */
+	update_rrsetstats(rbtdb, header->type, attributes, false);
+	header->node->dirty = 1;
+
+	/* Increment the stats counter for the ancient RRtype. */
+	update_rrsetstats(rbtdb, header->type, newattributes, true);
+}
+
+static void
+mark_header_stale(dns_rbtdb_t *rbtdb, rdatasetheader_t *header) {
+	uint_least16_t attributes = atomic_load_acquire(&header->attributes);
+	uint_least16_t newattributes = 0;
+
+	INSIST((attributes & RDATASET_ATTR_ZEROTTL) == 0);
+
+	/*
+	 * If we are already stale there is nothing to do.
+	 */
+	do {
+		if ((attributes & RDATASET_ATTR_STALE) != 0) {
+			return;
+		}
+		newattributes = attributes | RDATASET_ATTR_STALE;
+	} while (!atomic_compare_exchange_weak_acq_rel(
+		&header->attributes, &attributes, newattributes));
+
+	/* Decrement the stats counter for the appropriate RRtype.
+	 * If the ANCIENT attribute is set (although it is very
+	 * unlikely that an RRset goes from ANCIENT to STALE), this
+	 * will decrement the ancient stale type counter, otherwise it
+	 * decrements the active stats type counter.
+	 */
+
+	update_rrsetstats(rbtdb, header->type, attributes, false);
+	update_rrsetstats(rbtdb, header->type, newattributes, true);
+}
+
+static void
+clean_stale_headers(dns_rbtdb_t *rbtdb, isc_mem_t *mctx,
+		    rdatasetheader_t *top) {
+	rdatasetheader_t *d, *down_next;
+
+	for (d = top->down; d != NULL; d = down_next) {
+		down_next = d->down;
+		free_rdataset(rbtdb, mctx, d);
+	}
+	top->down = NULL;
+}
+
+static void
+clean_cache_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
+	rdatasetheader_t *current, *top_prev, *top_next;
+	isc_mem_t *mctx = rbtdb->common.mctx;
+
+	/*
+	 * Caller must be holding the node lock.
+	 */
+
+	top_prev = NULL;
+	for (current = node->data; current != NULL; current = top_next) {
+		top_next = current->next;
+		clean_stale_headers(rbtdb, mctx, current);
+		/*
+		 * If current is nonexistent, ancient, or stale and
+		 * we are not keeping stale, we can clean it up.
+		 */
+		if (NONEXISTENT(current) || ANCIENT(current) ||
+		    (STALE(current) && !KEEPSTALE(rbtdb)))
+		{
+			if (top_prev != NULL) {
+				top_prev->next = current->next;
+			} else {
+				node->data = current->next;
+			}
+			free_rdataset(rbtdb, mctx, current);
+		} else {
+			top_prev = current;
+		}
+	}
+	node->dirty = 0;
+}
+
+static void
+clean_zone_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
+		rbtdb_serial_t least_serial) {
+	rdatasetheader_t *current, *dcurrent, *down_next, *dparent;
+	rdatasetheader_t *top_prev, *top_next;
+	isc_mem_t *mctx = rbtdb->common.mctx;
+	bool still_dirty = false;
+
+	/*
+	 * Caller must be holding the node lock.
+	 */
+	REQUIRE(least_serial != 0);
+
+	top_prev = NULL;
+	for (current = node->data; current != NULL; current = top_next) {
+		top_next = current->next;
+
+		/*
+		 * First, we clean up any instances of multiple rdatasets
+		 * with the same serial number, or that have the IGNORE
+		 * attribute.
+		 */
+		dparent = current;
+		for (dcurrent = current->down; dcurrent != NULL;
+		     dcurrent = down_next)
+		{
+			down_next = dcurrent->down;
+			INSIST(dcurrent->serial <= dparent->serial);
+			if (dcurrent->serial == dparent->serial ||
+			    IGNORE(dcurrent))
+			{
+				if (down_next != NULL) {
+					down_next->next = dparent;
+				}
+				dparent->down = down_next;
+				free_rdataset(rbtdb, mctx, dcurrent);
+			} else {
+				dparent = dcurrent;
+			}
+		}
+
+		/*
+		 * We've now eliminated all IGNORE datasets with the possible
+		 * exception of current, which we now check.
+		 */
+		if (IGNORE(current)) {
+			down_next = current->down;
+			if (down_next == NULL) {
+				if (top_prev != NULL) {
+					top_prev->next = current->next;
+				} else {
+					node->data = current->next;
+				}
+				free_rdataset(rbtdb, mctx, current);
+				/*
+				 * current no longer exists, so we can
+				 * just continue with the loop.
+				 */
+				continue;
+			} else {
+				/*
+				 * Pull up current->down, making it the new
+				 * current.
+				 */
+				if (top_prev != NULL) {
+					top_prev->next = down_next;
+				} else {
+					node->data = down_next;
+				}
+				down_next->next = top_next;
+				free_rdataset(rbtdb, mctx, current);
+				current = down_next;
+			}
+		}
+
+		/*
+		 * We now try to find the first down node less than the
+		 * least serial.
+		 */
+		dparent = current;
+		for (dcurrent = current->down; dcurrent != NULL;
+		     dcurrent = down_next)
+		{
+			down_next = dcurrent->down;
+			if (dcurrent->serial < least_serial) {
+				break;
+			}
+			dparent = dcurrent;
+		}
+
+		/*
+		 * If there is a such an rdataset, delete it and any older
+		 * versions.
+		 */
+		if (dcurrent != NULL) {
+			do {
+				down_next = dcurrent->down;
+				INSIST(dcurrent->serial <= least_serial);
+				free_rdataset(rbtdb, mctx, dcurrent);
+				dcurrent = down_next;
+			} while (dcurrent != NULL);
+			dparent->down = NULL;
+		}
+
+		/*
+		 * Note.  The serial number of 'current' might be less than
+		 * least_serial too, but we cannot delete it because it is
+		 * the most recent version, unless it is a NONEXISTENT
+		 * rdataset.
+		 */
+		if (current->down != NULL) {
+			still_dirty = true;
+			top_prev = current;
+		} else {
+			/*
+			 * If this is a NONEXISTENT rdataset, we can delete it.
+			 */
+			if (NONEXISTENT(current)) {
+				if (top_prev != NULL) {
+					top_prev->next = current->next;
+				} else {
+					node->data = current->next;
+				}
+				free_rdataset(rbtdb, mctx, current);
+			} else {
+				top_prev = current;
+			}
+		}
+	}
+	if (!still_dirty) {
+		node->dirty = 0;
+	}
+}
+
+/*
+ * tree_lock(write) must be held.
+ */
+static void
+delete_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
+	dns_rbtnode_t *nsecnode;
+	dns_fixedname_t fname;
+	dns_name_t *name;
+	isc_result_t result = ISC_R_UNEXPECTED;
+
+	INSIST(!ISC_LINK_LINKED(node, deadlink));
+
+	if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(1))) {
+		char printname[DNS_NAME_FORMATSIZE];
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1),
+			      "delete_node(): %p %s (bucket %d)", node,
+			      dns_rbt_formatnodename(node, printname,
+						     sizeof(printname)),
+			      node->locknum);
+	}
+
+	switch (node->nsec) {
+	case DNS_RBT_NSEC_NORMAL:
+		/*
+		 * Though this may be wasteful, it has to be done before
+		 * node is deleted.
+		 */
+		name = dns_fixedname_initname(&fname);
+		dns_rbt_fullnamefromnode(node, name);
+
+		result = dns_rbt_deletenode(rbtdb->tree, node, false);
+		break;
+	case DNS_RBT_NSEC_HAS_NSEC:
+		name = dns_fixedname_initname(&fname);
+		dns_rbt_fullnamefromnode(node, name);
+		/*
+		 * Delete the corresponding node from the auxiliary NSEC
+		 * tree before deleting from the main tree.
+		 */
+		nsecnode = NULL;
+		result = dns_rbt_findnode(rbtdb->nsec, name, NULL, &nsecnode,
+					  NULL, DNS_RBTFIND_EMPTYDATA, NULL,
+					  NULL);
+		if (result != ISC_R_SUCCESS) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_CACHE, ISC_LOG_WARNING,
+				      "delete_node: "
+				      "dns_rbt_findnode(nsec): %s",
+				      isc_result_totext(result));
+		} else {
+			result = dns_rbt_deletenode(rbtdb->nsec, nsecnode,
+						    false);
+			if (result != ISC_R_SUCCESS) {
+				isc_log_write(
+					dns_lctx, DNS_LOGCATEGORY_DATABASE,
+					DNS_LOGMODULE_CACHE, ISC_LOG_WARNING,
+					"delete_node(): "
+					"dns_rbt_deletenode(nsecnode): %s",
+					isc_result_totext(result));
+			}
+		}
+		result = dns_rbt_deletenode(rbtdb->tree, node, false);
+		break;
+	case DNS_RBT_NSEC_NSEC:
+		result = dns_rbt_deletenode(rbtdb->nsec, node, false);
+		break;
+	case DNS_RBT_NSEC_NSEC3:
+		result = dns_rbt_deletenode(rbtdb->nsec3, node, false);
+		break;
+	}
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_CACHE, ISC_LOG_WARNING,
+			      "delete_node(): "
+			      "dns_rbt_deletenode: %s",
+			      isc_result_totext(result));
+	}
+}
+
+/*
+ * Caller must be holding the node lock.
+ */
+static void
+new_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
+	      isc_rwlocktype_t locktype) {
+	if (locktype == isc_rwlocktype_write && ISC_LINK_LINKED(node, deadlink))
+	{
+		ISC_LIST_UNLINK(rbtdb->deadnodes[node->locknum], node,
+				deadlink);
+	}
+	if (isc_refcount_increment0(&node->references) == 0) {
+		/* this is the first reference to the node */
+		isc_refcount_increment0(
+			&rbtdb->node_locks[node->locknum].references);
+	}
+}
+
+/*%
+ * The tree lock must be held for the result to be valid.
+ */
+static bool
+is_leaf(dns_rbtnode_t *node) {
+	return (node->parent != NULL && node->parent->down == node &&
+		node->left == NULL && node->right == NULL);
+}
+
+static void
+send_to_prune_tree(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
+		   isc_rwlocktype_t locktype) {
+	isc_event_t *ev;
+	dns_db_t *db;
+
+	ev = isc_event_allocate(rbtdb->common.mctx, NULL, DNS_EVENT_RBTPRUNE,
+				prune_tree, node, sizeof(isc_event_t));
+	new_reference(rbtdb, node, locktype);
+	db = NULL;
+	attach((dns_db_t *)rbtdb, &db);
+	ev->ev_sender = db;
+	isc_task_send(rbtdb->task, &ev);
+}
+
+/*%
+ * Clean up dead nodes.  These are nodes which have no references, and
+ * have no data.  They are dead but we could not or chose not to delete
+ * them when we deleted all the data at that node because we did not want
+ * to wait for the tree write lock.
+ *
+ * The caller must hold a tree write lock and bucketnum'th node (write) lock.
+ */
+static void
+cleanup_dead_nodes(dns_rbtdb_t *rbtdb, int bucketnum) {
+	dns_rbtnode_t *node;
+	int count = 10; /* XXXJT: should be adjustable */
+
+	node = ISC_LIST_HEAD(rbtdb->deadnodes[bucketnum]);
+	while (node != NULL && count > 0) {
+		ISC_LIST_UNLINK(rbtdb->deadnodes[bucketnum], node, deadlink);
+
+		/*
+		 * We might have reactivated this node without a tree write
+		 * lock, so we couldn't remove this node from deadnodes then
+		 * and we have to do it now.
+		 */
+		if (isc_refcount_current(&node->references) != 0 ||
+		    node->data != NULL)
+		{
+			node = ISC_LIST_HEAD(rbtdb->deadnodes[bucketnum]);
+			count--;
+			continue;
+		}
+
+		if (is_leaf(node) && rbtdb->task != NULL) {
+			send_to_prune_tree(rbtdb, node, isc_rwlocktype_write);
+		} else if (node->down == NULL && node->data == NULL) {
+			/*
+			 * Not a interior node and not needing to be
+			 * reactivated.
+			 */
+			delete_node(rbtdb, node);
+		} else if (node->data == NULL) {
+			/*
+			 * A interior node without data. Leave linked to
+			 * to be cleaned up when node->down becomes NULL.
+			 */
+			ISC_LIST_APPEND(rbtdb->deadnodes[bucketnum], node,
+					deadlink);
+		}
+		node = ISC_LIST_HEAD(rbtdb->deadnodes[bucketnum]);
+		count--;
+	}
+}
+
+/*
+ * This function is assumed to be called when a node is newly referenced
+ * and can be in the deadnode list.  In that case the node must be retrieved
+ * from the list because it is going to be used.  In addition, if the caller
+ * happens to hold a write lock on the tree, it's a good chance to purge dead
+ * nodes.
+ * Note: while a new reference is gained in multiple places, there are only very
+ * few cases where the node can be in the deadnode list (only empty nodes can
+ * have been added to the list).
+ */
+static void
+reactivate_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
+		isc_rwlocktype_t treelocktype) {
+	isc_rwlocktype_t locktype = isc_rwlocktype_read;
+	nodelock_t *nodelock = &rbtdb->node_locks[node->locknum].lock;
+	bool maybe_cleanup = false;
+
+	POST(locktype);
+
+	NODE_LOCK(nodelock, locktype);
+
+	/*
+	 * Check if we can possibly cleanup the dead node.  If so, upgrade
+	 * the node lock below to perform the cleanup.
+	 */
+	if (!ISC_LIST_EMPTY(rbtdb->deadnodes[node->locknum]) &&
+	    treelocktype == isc_rwlocktype_write)
+	{
+		maybe_cleanup = true;
+	}
+
+	if (ISC_LINK_LINKED(node, deadlink) || maybe_cleanup) {
+		/*
+		 * Upgrade the lock and test if we still need to unlink.
+		 */
+		NODE_UNLOCK(nodelock, locktype);
+		locktype = isc_rwlocktype_write;
+		POST(locktype);
+		NODE_LOCK(nodelock, locktype);
+		if (ISC_LINK_LINKED(node, deadlink)) {
+			ISC_LIST_UNLINK(rbtdb->deadnodes[node->locknum], node,
+					deadlink);
+		}
+		if (maybe_cleanup) {
+			cleanup_dead_nodes(rbtdb, node->locknum);
+		}
+	}
+
+	new_reference(rbtdb, node, locktype);
+
+	NODE_UNLOCK(nodelock, locktype);
+}
+
+/*
+ * Caller must be holding the node lock; either the "strong", read or write
+ * lock.  Note that the lock must be held even when node references are
+ * atomically modified; in that case the decrement operation itself does not
+ * have to be protected, but we must avoid a race condition where multiple
+ * threads are decreasing the reference to zero simultaneously and at least
+ * one of them is going to free the node.
+ *
+ * This function returns true if and only if the node reference decreases
+ * to zero.
+ *
+ * NOTE: Decrementing the reference count of a node to zero does not mean it
+ * will be immediately freed.
+ */
+static bool
+decrement_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
+		    rbtdb_serial_t least_serial, isc_rwlocktype_t nlock,
+		    isc_rwlocktype_t tlock, bool pruning) {
+	isc_result_t result;
+	bool write_locked;
+	bool locked = tlock != isc_rwlocktype_none;
+	rbtdb_nodelock_t *nodelock;
+	int bucket = node->locknum;
+	bool no_reference = true;
+	uint_fast32_t refs;
+
+	nodelock = &rbtdb->node_locks[bucket];
+
+#define KEEP_NODE(n, r, l)                                  \
+	((n)->data != NULL || ((l) && (n)->down != NULL) || \
+	 (n) == (r)->origin_node || (n) == (r)->nsec3_origin_node)
+
+	/* Handle easy and typical case first. */
+	if (!node->dirty && KEEP_NODE(node, rbtdb, locked)) {
+		if (isc_refcount_decrement(&node->references) == 1) {
+			refs = isc_refcount_decrement(&nodelock->references);
+			INSIST(refs > 0);
+			return (true);
+		} else {
+			return (false);
+		}
+	}
+
+	/* Upgrade the lock? */
+	if (nlock == isc_rwlocktype_read) {
+		NODE_UNLOCK(&nodelock->lock, isc_rwlocktype_read);
+		NODE_LOCK(&nodelock->lock, isc_rwlocktype_write);
+	}
+
+	if (isc_refcount_decrement(&node->references) > 1) {
+		/* Restore the lock? */
+		if (nlock == isc_rwlocktype_read) {
+			NODE_DOWNGRADE(&nodelock->lock);
+		}
+		return (false);
+	}
+
+	if (node->dirty) {
+		if (IS_CACHE(rbtdb)) {
+			clean_cache_node(rbtdb, node);
+		} else {
+			if (least_serial == 0) {
+				/*
+				 * Caller doesn't know the least serial.
+				 * Get it.
+				 */
+				RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_read);
+				least_serial = rbtdb->least_serial;
+				RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_read);
+			}
+			clean_zone_node(rbtdb, node, least_serial);
+		}
+	}
+
+	/*
+	 * Attempt to switch to a write lock on the tree.  If this fails,
+	 * we will add this node to a linked list of nodes in this locking
+	 * bucket which we will free later.
+	 */
+	if (tlock != isc_rwlocktype_write) {
+		/*
+		 * Locking hierarchy notwithstanding, we don't need to free
+		 * the node lock before acquiring the tree write lock because
+		 * we only do a trylock.
+		 */
+		if (tlock == isc_rwlocktype_read) {
+			result = isc_rwlock_tryupgrade(&rbtdb->tree_lock);
+		} else {
+			result = isc_rwlock_trylock(&rbtdb->tree_lock,
+						    isc_rwlocktype_write);
+		}
+		RUNTIME_CHECK(result == ISC_R_SUCCESS ||
+			      result == ISC_R_LOCKBUSY);
+
+		write_locked = (result == ISC_R_SUCCESS);
+	} else {
+		write_locked = true;
+	}
+
+	refs = isc_refcount_decrement(&nodelock->references);
+	INSIST(refs > 0);
+
+	if (KEEP_NODE(node, rbtdb, locked || write_locked)) {
+		goto restore_locks;
+	}
+
+#undef KEEP_NODE
+
+	if (write_locked) {
+		/*
+		 * We can now delete the node.
+		 */
+
+		/*
+		 * If this node is the only one in the level it's in, deleting
+		 * this node may recursively make its parent the only node in
+		 * the parent level; if so, and if no one is currently using
+		 * the parent node, this is almost the only opportunity to
+		 * clean it up.  But the recursive cleanup is not that trivial
+		 * since the child and parent may be in different lock buckets,
+		 * which would cause a lock order reversal problem.  To avoid
+		 * the trouble, we'll dispatch a separate event for batch
+		 * cleaning.  We need to check whether we're deleting the node
+		 * as a result of pruning to avoid infinite dispatching.
+		 * Note: pruning happens only when a task has been set for the
+		 * rbtdb.  If the user of the rbtdb chooses not to set a task,
+		 * it's their responsibility to purge stale leaves (e.g. by
+		 * periodic walk-through).
+		 */
+		if (!pruning && is_leaf(node) && rbtdb->task != NULL) {
+			send_to_prune_tree(rbtdb, node, isc_rwlocktype_write);
+			no_reference = false;
+		} else {
+			delete_node(rbtdb, node);
+		}
+	} else {
+		INSIST(node->data == NULL);
+		if (!ISC_LINK_LINKED(node, deadlink)) {
+			ISC_LIST_APPEND(rbtdb->deadnodes[bucket], node,
+					deadlink);
+		}
+	}
+
+restore_locks:
+	/* Restore the lock? */
+	if (nlock == isc_rwlocktype_read) {
+		NODE_DOWNGRADE(&nodelock->lock);
+	}
+
+	/*
+	 * Relock a read lock, or unlock the write lock if no lock was held.
+	 */
+	if (tlock == isc_rwlocktype_none) {
+		if (write_locked) {
+			RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+		}
+	}
+
+	if (tlock == isc_rwlocktype_read) {
+		if (write_locked) {
+			isc_rwlock_downgrade(&rbtdb->tree_lock);
+		}
+	}
+
+	return (no_reference);
+}
+
+/*
+ * Prune the tree by recursively cleaning-up single leaves.  In the worst
+ * case, the number of iteration is the number of tree levels, which is at
+ * most the maximum number of domain name labels, i.e, 127.  In practice, this
+ * should be much smaller (only a few times), and even the worst case would be
+ * acceptable for a single event.
+ */
+static void
+prune_tree(isc_task_t *task, isc_event_t *event) {
+	dns_rbtdb_t *rbtdb = event->ev_sender;
+	dns_rbtnode_t *node = event->ev_arg;
+	dns_rbtnode_t *parent;
+	unsigned int locknum;
+
+	UNUSED(task);
+
+	isc_event_free(&event);
+
+	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+	locknum = node->locknum;
+	NODE_LOCK(&rbtdb->node_locks[locknum].lock, isc_rwlocktype_write);
+	do {
+		parent = node->parent;
+		decrement_reference(rbtdb, node, 0, isc_rwlocktype_write,
+				    isc_rwlocktype_write, true);
+
+		if (parent != NULL && parent->down == NULL) {
+			/*
+			 * node was the only down child of the parent and has
+			 * just been removed.  We'll then need to examine the
+			 * parent.  Keep the lock if possible; otherwise,
+			 * release the old lock and acquire one for the parent.
+			 */
+			if (parent->locknum != locknum) {
+				NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
+					    isc_rwlocktype_write);
+				locknum = parent->locknum;
+				NODE_LOCK(&rbtdb->node_locks[locknum].lock,
+					  isc_rwlocktype_write);
+			}
+
+			/*
+			 * We need to gain a reference to the node before
+			 * decrementing it in the next iteration.
+			 */
+			if (ISC_LINK_LINKED(parent, deadlink)) {
+				ISC_LIST_UNLINK(rbtdb->deadnodes[locknum],
+						parent, deadlink);
+			}
+			new_reference(rbtdb, parent, isc_rwlocktype_write);
+		} else {
+			parent = NULL;
+		}
+
+		node = parent;
+	} while (node != NULL);
+	NODE_UNLOCK(&rbtdb->node_locks[locknum].lock, isc_rwlocktype_write);
+	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+
+	detach((dns_db_t **)&rbtdb);
+}
+
+static void
+make_least_version(dns_rbtdb_t *rbtdb, rbtdb_version_t *version,
+		   rbtdb_changedlist_t *cleanup_list) {
+	/*
+	 * Caller must be holding the database lock.
+	 */
+
+	rbtdb->least_serial = version->serial;
+	*cleanup_list = version->changed_list;
+	ISC_LIST_INIT(version->changed_list);
+}
+
+static void
+cleanup_nondirty(rbtdb_version_t *version, rbtdb_changedlist_t *cleanup_list) {
+	rbtdb_changed_t *changed, *next_changed;
+
+	/*
+	 * If the changed record is dirty, then
+	 * an update created multiple versions of
+	 * a given rdataset.  We keep this list
+	 * until we're the least open version, at
+	 * which point it's safe to get rid of any
+	 * older versions.
+	 *
+	 * If the changed record isn't dirty, then
+	 * we don't need it anymore since we're
+	 * committing and not rolling back.
+	 *
+	 * The caller must be holding the database lock.
+	 */
+	for (changed = HEAD(version->changed_list); changed != NULL;
+	     changed = next_changed)
+	{
+		next_changed = NEXT(changed, link);
+		if (!changed->dirty) {
+			UNLINK(version->changed_list, changed, link);
+			APPEND(*cleanup_list, changed, link);
+		}
+	}
+}
+
+static void
+iszonesecure(dns_db_t *db, rbtdb_version_t *version, dns_dbnode_t *origin) {
+	dns_rdataset_t keyset;
+	dns_rdataset_t nsecset, signsecset;
+	bool haszonekey = false;
+	bool hasnsec = false;
+	isc_result_t result;
+
+	dns_rdataset_init(&keyset);
+	result = dns_db_findrdataset(db, origin, version, dns_rdatatype_dnskey,
+				     0, 0, &keyset, NULL);
+	if (result == ISC_R_SUCCESS) {
+		result = dns_rdataset_first(&keyset);
+		while (result == ISC_R_SUCCESS) {
+			dns_rdata_t keyrdata = DNS_RDATA_INIT;
+			dns_rdataset_current(&keyset, &keyrdata);
+			if (dns_zonekey_iszonekey(&keyrdata)) {
+				haszonekey = true;
+				break;
+			}
+			result = dns_rdataset_next(&keyset);
+		}
+		dns_rdataset_disassociate(&keyset);
+	}
+	if (!haszonekey) {
+		version->secure = dns_db_insecure;
+		version->havensec3 = false;
+		return;
+	}
+
+	dns_rdataset_init(&nsecset);
+	dns_rdataset_init(&signsecset);
+	result = dns_db_findrdataset(db, origin, version, dns_rdatatype_nsec, 0,
+				     0, &nsecset, &signsecset);
+	if (result == ISC_R_SUCCESS) {
+		if (dns_rdataset_isassociated(&signsecset)) {
+			hasnsec = true;
+			dns_rdataset_disassociate(&signsecset);
+		}
+		dns_rdataset_disassociate(&nsecset);
+	}
+
+	setnsec3parameters(db, version);
+
+	/*
+	 * Do we have a valid NSEC/NSEC3 chain?
+	 */
+	if (version->havensec3 || hasnsec) {
+		version->secure = dns_db_secure;
+	} else {
+		version->secure = dns_db_insecure;
+	}
+}
+
+/*%<
+ * Walk the origin node looking for NSEC3PARAM records.
+ * Cache the nsec3 parameters.
+ */
+static void
+setnsec3parameters(dns_db_t *db, rbtdb_version_t *version) {
+	dns_rbtnode_t *node;
+	dns_rdata_nsec3param_t nsec3param;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_region_t region;
+	isc_result_t result;
+	rdatasetheader_t *header, *header_next;
+	unsigned char *raw; /* RDATASLAB */
+	unsigned int count, length;
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+
+	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+	version->havensec3 = false;
+	node = rbtdb->origin_node;
+	NODE_LOCK(&(rbtdb->node_locks[node->locknum].lock),
+		  isc_rwlocktype_read);
+	for (header = node->data; header != NULL; header = header_next) {
+		header_next = header->next;
+		do {
+			if (header->serial <= version->serial &&
+			    !IGNORE(header))
+			{
+				if (NONEXISTENT(header)) {
+					header = NULL;
+				}
+				break;
+			} else {
+				header = header->down;
+			}
+		} while (header != NULL);
+
+		if (header != NULL &&
+		    (header->type == dns_rdatatype_nsec3param))
+		{
+			/*
+			 * Find A NSEC3PARAM with a supported algorithm.
+			 */
+			raw = (unsigned char *)header + sizeof(*header);
+			count = raw[0] * 256 + raw[1]; /* count */
+			raw += DNS_RDATASET_COUNT + DNS_RDATASET_LENGTH;
+			while (count-- > 0U) {
+				length = raw[0] * 256 + raw[1];
+				raw += DNS_RDATASET_ORDER + DNS_RDATASET_LENGTH;
+				region.base = raw;
+				region.length = length;
+				raw += length;
+				dns_rdata_fromregion(
+					&rdata, rbtdb->common.rdclass,
+					dns_rdatatype_nsec3param, &region);
+				result = dns_rdata_tostruct(&rdata, &nsec3param,
+							    NULL);
+				INSIST(result == ISC_R_SUCCESS);
+				dns_rdata_reset(&rdata);
+
+				if (nsec3param.hash != DNS_NSEC3_UNKNOWNALG &&
+				    !dns_nsec3_supportedhash(nsec3param.hash))
+				{
+					continue;
+				}
+
+				if (nsec3param.flags != 0) {
+					continue;
+				}
+
+				memmove(version->salt, nsec3param.salt,
+					nsec3param.salt_length);
+				version->hash = nsec3param.hash;
+				version->salt_length = nsec3param.salt_length;
+				version->iterations = nsec3param.iterations;
+				version->flags = nsec3param.flags;
+				version->havensec3 = true;
+				/*
+				 * Look for a better algorithm than the
+				 * unknown test algorithm.
+				 */
+				if (nsec3param.hash != DNS_NSEC3_UNKNOWNALG) {
+					goto unlock;
+				}
+			}
+		}
+	}
+unlock:
+	NODE_UNLOCK(&(rbtdb->node_locks[node->locknum].lock),
+		    isc_rwlocktype_read);
+	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+}
+
+static void
+cleanup_dead_nodes_callback(isc_task_t *task, isc_event_t *event) {
+	dns_rbtdb_t *rbtdb = event->ev_arg;
+	bool again = false;
+	unsigned int locknum;
+
+	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+	for (locknum = 0; locknum < rbtdb->node_lock_count; locknum++) {
+		NODE_LOCK(&rbtdb->node_locks[locknum].lock,
+			  isc_rwlocktype_write);
+		cleanup_dead_nodes(rbtdb, locknum);
+		if (ISC_LIST_HEAD(rbtdb->deadnodes[locknum]) != NULL) {
+			again = true;
+		}
+		NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
+			    isc_rwlocktype_write);
+	}
+	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+	if (again) {
+		isc_task_send(task, &event);
+	} else {
+		isc_event_free(&event);
+		if (isc_refcount_decrement(&rbtdb->references) == 1) {
+			(void)isc_refcount_current(&rbtdb->references);
+			maybe_free_rbtdb(rbtdb);
+		}
+	}
+}
+
+static void
+closeversion(dns_db_t *db, dns_dbversion_t **versionp, bool commit) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	rbtdb_version_t *version, *cleanup_version, *least_greater;
+	bool rollback = false;
+	rbtdb_changedlist_t cleanup_list;
+	rdatasetheaderlist_t resigned_list;
+	rbtdb_changed_t *changed, *next_changed;
+	rbtdb_serial_t serial, least_serial;
+	dns_rbtnode_t *rbtnode;
+	rdatasetheader_t *header;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	version = (rbtdb_version_t *)*versionp;
+	INSIST(version->rbtdb == rbtdb);
+
+	cleanup_version = NULL;
+	ISC_LIST_INIT(cleanup_list);
+	ISC_LIST_INIT(resigned_list);
+
+	if (isc_refcount_decrement(&version->references) > 1) {
+		/* typical and easy case first */
+		if (commit) {
+			RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_read);
+			INSIST(!version->writer);
+			RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_read);
+		}
+		goto end;
+	}
+
+	/*
+	 * Update the zone's secure status in version before making
+	 * it the current version.
+	 */
+	if (version->writer && commit && !IS_CACHE(rbtdb)) {
+		iszonesecure(db, version, rbtdb->origin_node);
+	}
+
+	RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write);
+	serial = version->serial;
+	if (version->writer) {
+		if (commit) {
+			unsigned cur_ref;
+			rbtdb_version_t *cur_version;
+
+			INSIST(version->commit_ok);
+			INSIST(version == rbtdb->future_version);
+			/*
+			 * The current version is going to be replaced.
+			 * Release the (likely last) reference to it from the
+			 * DB itself and unlink it from the open list.
+			 */
+			cur_version = rbtdb->current_version;
+			cur_ref = isc_refcount_decrement(
+				&cur_version->references);
+			if (cur_ref == 1) {
+				(void)isc_refcount_current(
+					&cur_version->references);
+				if (cur_version->serial == rbtdb->least_serial)
+				{
+					INSIST(EMPTY(
+						cur_version->changed_list));
+				}
+				UNLINK(rbtdb->open_versions, cur_version, link);
+			}
+			if (EMPTY(rbtdb->open_versions)) {
+				/*
+				 * We're going to become the least open
+				 * version.
+				 */
+				make_least_version(rbtdb, version,
+						   &cleanup_list);
+			} else {
+				/*
+				 * Some other open version is the
+				 * least version.  We can't cleanup
+				 * records that were changed in this
+				 * version because the older versions
+				 * may still be in use by an open
+				 * version.
+				 *
+				 * We can, however, discard the
+				 * changed records for things that
+				 * we've added that didn't exist in
+				 * prior versions.
+				 */
+				cleanup_nondirty(version, &cleanup_list);
+			}
+			/*
+			 * If the (soon to be former) current version
+			 * isn't being used by anyone, we can clean
+			 * it up.
+			 */
+			if (cur_ref == 1) {
+				cleanup_version = cur_version;
+				APPENDLIST(version->changed_list,
+					   cleanup_version->changed_list, link);
+			}
+			/*
+			 * Become the current version.
+			 */
+			version->writer = false;
+			rbtdb->current_version = version;
+			rbtdb->current_serial = version->serial;
+			rbtdb->future_version = NULL;
+
+			/*
+			 * Keep the current version in the open list, and
+			 * gain a reference for the DB itself (see the DB
+			 * creation function below).  This must be the only
+			 * case where we need to increment the counter from
+			 * zero and need to use isc_refcount_increment0().
+			 */
+			INSIST(isc_refcount_increment0(&version->references) ==
+			       0);
+			PREPEND(rbtdb->open_versions, rbtdb->current_version,
+				link);
+			resigned_list = version->resigned_list;
+			ISC_LIST_INIT(version->resigned_list);
+		} else {
+			/*
+			 * We're rolling back this transaction.
+			 */
+			cleanup_list = version->changed_list;
+			ISC_LIST_INIT(version->changed_list);
+			resigned_list = version->resigned_list;
+			ISC_LIST_INIT(version->resigned_list);
+			rollback = true;
+			cleanup_version = version;
+			rbtdb->future_version = NULL;
+		}
+	} else {
+		if (version != rbtdb->current_version) {
+			/*
+			 * There are no external or internal references
+			 * to this version and it can be cleaned up.
+			 */
+			cleanup_version = version;
+
+			/*
+			 * Find the version with the least serial
+			 * number greater than ours.
+			 */
+			least_greater = PREV(version, link);
+			if (least_greater == NULL) {
+				least_greater = rbtdb->current_version;
+			}
+
+			INSIST(version->serial < least_greater->serial);
+			/*
+			 * Is this the least open version?
+			 */
+			if (version->serial == rbtdb->least_serial) {
+				/*
+				 * Yes.  Install the new least open
+				 * version.
+				 */
+				make_least_version(rbtdb, least_greater,
+						   &cleanup_list);
+			} else {
+				/*
+				 * Add any unexecuted cleanups to
+				 * those of the least greater version.
+				 */
+				APPENDLIST(least_greater->changed_list,
+					   version->changed_list, link);
+			}
+		} else if (version->serial == rbtdb->least_serial) {
+			INSIST(EMPTY(version->changed_list));
+		}
+		UNLINK(rbtdb->open_versions, version, link);
+	}
+	least_serial = rbtdb->least_serial;
+	RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write);
+
+	if (cleanup_version != NULL) {
+		INSIST(EMPTY(cleanup_version->changed_list));
+		free_gluetable(cleanup_version);
+		isc_rwlock_destroy(&cleanup_version->glue_rwlock);
+		isc_rwlock_destroy(&cleanup_version->rwlock);
+		isc_mem_put(rbtdb->common.mctx, cleanup_version,
+			    sizeof(*cleanup_version));
+	}
+
+	/*
+	 * Commit/rollback re-signed headers.
+	 */
+	for (header = HEAD(resigned_list); header != NULL;
+	     header = HEAD(resigned_list))
+	{
+		nodelock_t *lock;
+
+		ISC_LIST_UNLINK(resigned_list, header, link);
+
+		lock = &rbtdb->node_locks[header->node->locknum].lock;
+		NODE_LOCK(lock, isc_rwlocktype_write);
+		if (rollback && !IGNORE(header)) {
+			resign_insert(rbtdb, header->node->locknum, header);
+		}
+		decrement_reference(rbtdb, header->node, least_serial,
+				    isc_rwlocktype_write, isc_rwlocktype_none,
+				    false);
+		NODE_UNLOCK(lock, isc_rwlocktype_write);
+	}
+
+	if (!EMPTY(cleanup_list)) {
+		isc_event_t *event = NULL;
+		isc_rwlocktype_t tlock = isc_rwlocktype_none;
+
+		if (rbtdb->task != NULL) {
+			event = isc_event_allocate(rbtdb->common.mctx, NULL,
+						   DNS_EVENT_RBTDEADNODES,
+						   cleanup_dead_nodes_callback,
+						   rbtdb, sizeof(isc_event_t));
+		}
+		if (event == NULL) {
+			/*
+			 * We acquire a tree write lock here in order to make
+			 * sure that stale nodes will be removed in
+			 * decrement_reference().  If we didn't have the lock,
+			 * those nodes could miss the chance to be removed
+			 * until the server stops.  The write lock is
+			 * expensive, but this event should be rare enough
+			 * to justify the cost.
+			 */
+			RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+			tlock = isc_rwlocktype_write;
+		}
+
+		for (changed = HEAD(cleanup_list); changed != NULL;
+		     changed = next_changed)
+		{
+			nodelock_t *lock;
+
+			next_changed = NEXT(changed, link);
+			rbtnode = changed->node;
+			lock = &rbtdb->node_locks[rbtnode->locknum].lock;
+
+			NODE_LOCK(lock, isc_rwlocktype_write);
+			/*
+			 * This is a good opportunity to purge any dead nodes,
+			 * so use it.
+			 */
+			if (event == NULL) {
+				cleanup_dead_nodes(rbtdb, rbtnode->locknum);
+			}
+
+			if (rollback) {
+				rollback_node(rbtnode, serial);
+			}
+			decrement_reference(rbtdb, rbtnode, least_serial,
+					    isc_rwlocktype_write, tlock, false);
+
+			NODE_UNLOCK(lock, isc_rwlocktype_write);
+
+			isc_mem_put(rbtdb->common.mctx, changed,
+				    sizeof(*changed));
+		}
+		if (event != NULL) {
+			isc_refcount_increment(&rbtdb->references);
+			isc_task_send(rbtdb->task, &event);
+		} else {
+			RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+		}
+	}
+
+end:
+	*versionp = NULL;
+}
+
+/*
+ * Add the necessary magic for the wildcard name 'name'
+ * to be found in 'rbtdb'.
+ *
+ * In order for wildcard matching to work correctly in
+ * zone_find(), we must ensure that a node for the wildcarding
+ * level exists in the database, and has its 'find_callback'
+ * and 'wild' bits set.
+ *
+ * E.g. if the wildcard name is "*.sub.example." then we
+ * must ensure that "sub.example." exists and is marked as
+ * a wildcard level.
+ *
+ * tree_lock(write) must be held.
+ */
+static isc_result_t
+add_wildcard_magic(dns_rbtdb_t *rbtdb, const dns_name_t *name, bool lock) {
+	isc_result_t result;
+	dns_name_t foundname;
+	dns_offsets_t offsets;
+	unsigned int n;
+	dns_rbtnode_t *node = NULL;
+
+	dns_name_init(&foundname, offsets);
+	n = dns_name_countlabels(name);
+	INSIST(n >= 2);
+	n--;
+	dns_name_getlabelsequence(name, 1, n, &foundname);
+	result = dns_rbt_addnode(rbtdb->tree, &foundname, &node);
+	if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS) {
+		return (result);
+	}
+	if (result == ISC_R_SUCCESS) {
+		node->nsec = DNS_RBT_NSEC_NORMAL;
+	}
+	node->find_callback = 1;
+	if (lock) {
+		NODE_LOCK(&rbtdb->node_locks[node->locknum].lock,
+			  isc_rwlocktype_write);
+	}
+	node->wild = 1;
+	if (lock) {
+		NODE_UNLOCK(&rbtdb->node_locks[node->locknum].lock,
+			    isc_rwlocktype_write);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * tree_lock(write) must be held.
+ */
+static isc_result_t
+add_empty_wildcards(dns_rbtdb_t *rbtdb, const dns_name_t *name, bool lock) {
+	isc_result_t result;
+	dns_name_t foundname;
+	dns_offsets_t offsets;
+	unsigned int n, l, i;
+
+	dns_name_init(&foundname, offsets);
+	n = dns_name_countlabels(name);
+	l = dns_name_countlabels(&rbtdb->common.origin);
+	i = l + 1;
+	while (i < n) {
+		dns_rbtnode_t *node = NULL; /* dummy */
+		dns_name_getlabelsequence(name, n - i, i, &foundname);
+		if (dns_name_iswildcard(&foundname)) {
+			result = add_wildcard_magic(rbtdb, &foundname, lock);
+			if (result != ISC_R_SUCCESS) {
+				return (result);
+			}
+			result = dns_rbt_addnode(rbtdb->tree, &foundname,
+						 &node);
+			if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS) {
+				return (result);
+			}
+			if (result == ISC_R_SUCCESS) {
+				node->nsec = DNS_RBT_NSEC_NORMAL;
+			}
+		}
+		i++;
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+findnodeintree(dns_rbtdb_t *rbtdb, dns_rbt_t *tree, const dns_name_t *name,
+	       bool create, dns_dbnode_t **nodep) {
+	dns_rbtnode_t *node = NULL;
+	dns_name_t nodename;
+	isc_result_t result;
+	isc_rwlocktype_t locktype = isc_rwlocktype_read;
+
+	INSIST(tree == rbtdb->tree || tree == rbtdb->nsec3);
+
+	dns_name_init(&nodename, NULL);
+	RWLOCK(&rbtdb->tree_lock, locktype);
+	result = dns_rbt_findnode(tree, name, NULL, &node, NULL,
+				  DNS_RBTFIND_EMPTYDATA, NULL, NULL);
+	if (result != ISC_R_SUCCESS) {
+		RWUNLOCK(&rbtdb->tree_lock, locktype);
+		if (!create) {
+			if (result == DNS_R_PARTIALMATCH) {
+				result = ISC_R_NOTFOUND;
+			}
+			return (result);
+		}
+		/*
+		 * It would be nice to try to upgrade the lock instead of
+		 * unlocking then relocking.
+		 */
+		locktype = isc_rwlocktype_write;
+		RWLOCK(&rbtdb->tree_lock, locktype);
+		node = NULL;
+		result = dns_rbt_addnode(tree, name, &node);
+		if (result == ISC_R_SUCCESS) {
+			dns_rbt_namefromnode(node, &nodename);
+			node->locknum = node->hashval % rbtdb->node_lock_count;
+			if (tree == rbtdb->tree) {
+				add_empty_wildcards(rbtdb, name, true);
+
+				if (dns_name_iswildcard(name)) {
+					result = add_wildcard_magic(rbtdb, name,
+								    true);
+					if (result != ISC_R_SUCCESS) {
+						RWUNLOCK(&rbtdb->tree_lock,
+							 locktype);
+						return (result);
+					}
+				}
+			}
+			if (tree == rbtdb->nsec3) {
+				node->nsec = DNS_RBT_NSEC_NSEC3;
+			}
+		} else if (result != ISC_R_EXISTS) {
+			RWUNLOCK(&rbtdb->tree_lock, locktype);
+			return (result);
+		}
+	}
+
+	if (tree == rbtdb->nsec3) {
+		INSIST(node->nsec == DNS_RBT_NSEC_NSEC3);
+	}
+
+	reactivate_node(rbtdb, node, locktype);
+
+	RWUNLOCK(&rbtdb->tree_lock, locktype);
+
+	*nodep = (dns_dbnode_t *)node;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+findnode(dns_db_t *db, const dns_name_t *name, bool create,
+	 dns_dbnode_t **nodep) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+
+	return (findnodeintree(rbtdb, rbtdb->tree, name, create, nodep));
+}
+
+static isc_result_t
+findnsec3node(dns_db_t *db, const dns_name_t *name, bool create,
+	      dns_dbnode_t **nodep) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+
+	return (findnodeintree(rbtdb, rbtdb->nsec3, name, create, nodep));
+}
+
+static isc_result_t
+zone_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) {
+	rbtdb_search_t *search = arg;
+	rdatasetheader_t *header, *header_next;
+	rdatasetheader_t *dname_header, *sigdname_header, *ns_header;
+	rdatasetheader_t *found;
+	isc_result_t result;
+	dns_rbtnode_t *onode;
+
+	/*
+	 * We only want to remember the topmost zone cut, since it's the one
+	 * that counts, so we'll just continue if we've already found a
+	 * zonecut.
+	 */
+	if (search->zonecut != NULL) {
+		return (DNS_R_CONTINUE);
+	}
+
+	found = NULL;
+	result = DNS_R_CONTINUE;
+	onode = search->rbtdb->origin_node;
+
+	NODE_LOCK(&(search->rbtdb->node_locks[node->locknum].lock),
+		  isc_rwlocktype_read);
+
+	/*
+	 * Look for an NS or DNAME rdataset active in our version.
+	 */
+	ns_header = NULL;
+	dname_header = NULL;
+	sigdname_header = NULL;
+	for (header = node->data; header != NULL; header = header_next) {
+		header_next = header->next;
+		if (header->type == dns_rdatatype_ns ||
+		    header->type == dns_rdatatype_dname ||
+		    header->type == RBTDB_RDATATYPE_SIGDNAME)
+		{
+			do {
+				if (header->serial <= search->serial &&
+				    !IGNORE(header))
+				{
+					/*
+					 * Is this a "this rdataset doesn't
+					 * exist" record?
+					 */
+					if (NONEXISTENT(header)) {
+						header = NULL;
+					}
+					break;
+				} else {
+					header = header->down;
+				}
+			} while (header != NULL);
+			if (header != NULL) {
+				if (header->type == dns_rdatatype_dname) {
+					dname_header = header;
+				} else if (header->type ==
+					   RBTDB_RDATATYPE_SIGDNAME)
+				{
+					sigdname_header = header;
+				} else if (node != onode ||
+					   IS_STUB(search->rbtdb))
+				{
+					/*
+					 * We've found an NS rdataset that
+					 * isn't at the origin node.  We check
+					 * that they're not at the origin node,
+					 * because otherwise we'd erroneously
+					 * treat the zone top as if it were
+					 * a delegation.
+					 */
+					ns_header = header;
+				}
+			}
+		}
+	}
+
+	/*
+	 * Did we find anything?
+	 */
+	if (!IS_CACHE(search->rbtdb) && !IS_STUB(search->rbtdb) &&
+	    ns_header != NULL)
+	{
+		/*
+		 * Note that NS has precedence over DNAME if both exist
+		 * in a zone.  Otherwise DNAME take precedence over NS.
+		 */
+		found = ns_header;
+		search->zonecut_sigrdataset = NULL;
+	} else if (dname_header != NULL) {
+		found = dname_header;
+		search->zonecut_sigrdataset = sigdname_header;
+	} else if (ns_header != NULL) {
+		found = ns_header;
+		search->zonecut_sigrdataset = NULL;
+	}
+
+	if (found != NULL) {
+		/*
+		 * We increment the reference count on node to ensure that
+		 * search->zonecut_rdataset will still be valid later.
+		 */
+		new_reference(search->rbtdb, node, isc_rwlocktype_read);
+		search->zonecut = node;
+		search->zonecut_rdataset = found;
+		search->need_cleanup = true;
+		/*
+		 * Since we've found a zonecut, anything beneath it is
+		 * glue and is not subject to wildcard matching, so we
+		 * may clear search->wild.
+		 */
+		search->wild = false;
+		if ((search->options & DNS_DBFIND_GLUEOK) == 0) {
+			/*
+			 * If the caller does not want to find glue, then
+			 * this is the best answer and the search should
+			 * stop now.
+			 */
+			result = DNS_R_PARTIALMATCH;
+		} else {
+			dns_name_t *zcname;
+
+			/*
+			 * The search will continue beneath the zone cut.
+			 * This may or may not be the best match.  In case it
+			 * is, we need to remember the node name.
+			 */
+			zcname = dns_fixedname_name(&search->zonecut_name);
+			dns_name_copynf(name, zcname);
+			search->copy_name = true;
+		}
+	} else {
+		/*
+		 * There is no zonecut at this node which is active in this
+		 * version.
+		 *
+		 * If this is a "wild" node and the caller hasn't disabled
+		 * wildcard matching, remember that we've seen a wild node
+		 * in case we need to go searching for wildcard matches
+		 * later on.
+		 */
+		if (node->wild && (search->options & DNS_DBFIND_NOWILD) == 0) {
+			search->wild = true;
+		}
+	}
+
+	NODE_UNLOCK(&(search->rbtdb->node_locks[node->locknum].lock),
+		    isc_rwlocktype_read);
+
+	return (result);
+}
+
+static void
+bind_rdataset(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, rdatasetheader_t *header,
+	      isc_stdtime_t now, isc_rwlocktype_t locktype,
+	      dns_rdataset_t *rdataset) {
+	unsigned char *raw; /* RDATASLAB */
+	bool stale = STALE(header);
+	bool ancient = ANCIENT(header);
+
+	/*
+	 * Caller must be holding the node reader lock.
+	 * XXXJT: technically, we need a writer lock, since we'll increment
+	 * the header count below.  However, since the actual counter value
+	 * doesn't matter, we prioritize performance here.  (We may want to
+	 * use atomic increment when available).
+	 */
+
+	if (rdataset == NULL) {
+		return;
+	}
+
+	new_reference(rbtdb, node, locktype);
+
+	INSIST(rdataset->methods == NULL); /* We must be disassociated. */
+
+	/*
+	 * Mark header stale or ancient if the RRset is no longer active.
+	 */
+	if (!ACTIVE(header, now)) {
+		dns_ttl_t stale_ttl = header->rdh_ttl + rbtdb->serve_stale_ttl;
+		/*
+		 * If this data is in the stale window keep it and if
+		 * DNS_DBFIND_STALEOK is not set we tell the caller to
+		 * skip this record.  We skip the records with ZEROTTL
+		 * (these records should not be cached anyway).
+		 */
+
+		if (KEEPSTALE(rbtdb) && stale_ttl > now) {
+			stale = true;
+		} else {
+			/*
+			 * We are not keeping stale, or it is outside the
+			 * stale window. Mark ancient, i.e. ready for cleanup.
+			 */
+			ancient = true;
+		}
+	}
+
+	rdataset->methods = &rdataset_methods;
+	rdataset->rdclass = rbtdb->common.rdclass;
+	rdataset->type = RBTDB_RDATATYPE_BASE(header->type);
+	rdataset->covers = RBTDB_RDATATYPE_EXT(header->type);
+	rdataset->ttl = header->rdh_ttl - now;
+	rdataset->trust = header->trust;
+
+	if (NEGATIVE(header)) {
+		rdataset->attributes |= DNS_RDATASETATTR_NEGATIVE;
+	}
+	if (NXDOMAIN(header)) {
+		rdataset->attributes |= DNS_RDATASETATTR_NXDOMAIN;
+	}
+	if (OPTOUT(header)) {
+		rdataset->attributes |= DNS_RDATASETATTR_OPTOUT;
+	}
+	if (PREFETCH(header)) {
+		rdataset->attributes |= DNS_RDATASETATTR_PREFETCH;
+	}
+
+	if (stale && !ancient) {
+		dns_ttl_t stale_ttl = header->rdh_ttl + rbtdb->serve_stale_ttl;
+		if (stale_ttl > now) {
+			rdataset->ttl = stale_ttl - now;
+		} else {
+			rdataset->ttl = 0;
+		}
+		if (STALE_WINDOW(header)) {
+			rdataset->attributes |= DNS_RDATASETATTR_STALE_WINDOW;
+		}
+		rdataset->attributes |= DNS_RDATASETATTR_STALE;
+	} else if (IS_CACHE(rbtdb) && !ACTIVE(header, now)) {
+		rdataset->attributes |= DNS_RDATASETATTR_ANCIENT;
+		rdataset->ttl = header->rdh_ttl;
+	}
+
+	rdataset->private1 = rbtdb;
+	rdataset->private2 = node;
+	raw = (unsigned char *)header + sizeof(*header);
+	rdataset->private3 = raw;
+	rdataset->count = atomic_fetch_add_relaxed(&header->count, 1);
+	if (rdataset->count == UINT32_MAX) {
+		rdataset->count = 0;
+	}
+
+	/*
+	 * Reset iterator state.
+	 */
+	rdataset->privateuint4 = 0;
+	rdataset->private5 = NULL;
+
+	/*
+	 * Add noqname proof.
+	 */
+	rdataset->private6 = header->noqname;
+	if (rdataset->private6 != NULL) {
+		rdataset->attributes |= DNS_RDATASETATTR_NOQNAME;
+	}
+	rdataset->private7 = header->closest;
+	if (rdataset->private7 != NULL) {
+		rdataset->attributes |= DNS_RDATASETATTR_CLOSEST;
+	}
+
+	/*
+	 * Copy out re-signing information.
+	 */
+	if (RESIGN(header)) {
+		rdataset->attributes |= DNS_RDATASETATTR_RESIGN;
+		rdataset->resign = (header->resign << 1) | header->resign_lsb;
+	} else {
+		rdataset->resign = 0;
+	}
+}
+
+static isc_result_t
+setup_delegation(rbtdb_search_t *search, dns_dbnode_t **nodep,
+		 dns_name_t *foundname, dns_rdataset_t *rdataset,
+		 dns_rdataset_t *sigrdataset) {
+	dns_name_t *zcname;
+	rbtdb_rdatatype_t type;
+	dns_rbtnode_t *node;
+
+	/*
+	 * The caller MUST NOT be holding any node locks.
+	 */
+
+	node = search->zonecut;
+	type = search->zonecut_rdataset->type;
+
+	/*
+	 * If we have to set foundname, we do it before anything else.
+	 * If we were to set foundname after we had set nodep or bound the
+	 * rdataset, then we'd have to undo that work if dns_name_copy()
+	 * failed.  By setting foundname first, there's nothing to undo if
+	 * we have trouble.
+	 */
+	if (foundname != NULL && search->copy_name) {
+		zcname = dns_fixedname_name(&search->zonecut_name);
+		dns_name_copynf(zcname, foundname);
+	}
+	if (nodep != NULL) {
+		/*
+		 * Note that we don't have to increment the node's reference
+		 * count here because we're going to use the reference we
+		 * already have in the search block.
+		 */
+		*nodep = node;
+		search->need_cleanup = false;
+	}
+	if (rdataset != NULL) {
+		NODE_LOCK(&(search->rbtdb->node_locks[node->locknum].lock),
+			  isc_rwlocktype_read);
+		bind_rdataset(search->rbtdb, node, search->zonecut_rdataset,
+			      search->now, isc_rwlocktype_read, rdataset);
+		if (sigrdataset != NULL && search->zonecut_sigrdataset != NULL)
+		{
+			bind_rdataset(search->rbtdb, node,
+				      search->zonecut_sigrdataset, search->now,
+				      isc_rwlocktype_read, sigrdataset);
+		}
+		NODE_UNLOCK(&(search->rbtdb->node_locks[node->locknum].lock),
+			    isc_rwlocktype_read);
+	}
+
+	if (type == dns_rdatatype_dname) {
+		return (DNS_R_DNAME);
+	}
+	return (DNS_R_DELEGATION);
+}
+
+static bool
+valid_glue(rbtdb_search_t *search, dns_name_t *name, rbtdb_rdatatype_t type,
+	   dns_rbtnode_t *node) {
+	unsigned char *raw; /* RDATASLAB */
+	unsigned int count, size;
+	dns_name_t ns_name;
+	bool valid = false;
+	dns_offsets_t offsets;
+	isc_region_t region;
+	rdatasetheader_t *header;
+
+	/*
+	 * No additional locking is required.
+	 */
+
+	/*
+	 * Valid glue types are A, AAAA, A6.  NS is also a valid glue type
+	 * if it occurs at a zone cut, but is not valid below it.
+	 */
+	if (type == dns_rdatatype_ns) {
+		if (node != search->zonecut) {
+			return (false);
+		}
+	} else if (type != dns_rdatatype_a && type != dns_rdatatype_aaaa &&
+		   type != dns_rdatatype_a6)
+	{
+		return (false);
+	}
+
+	header = search->zonecut_rdataset;
+	raw = (unsigned char *)header + sizeof(*header);
+	count = raw[0] * 256 + raw[1];
+	raw += DNS_RDATASET_COUNT + DNS_RDATASET_LENGTH;
+
+	while (count > 0) {
+		count--;
+		size = raw[0] * 256 + raw[1];
+		raw += DNS_RDATASET_ORDER + DNS_RDATASET_LENGTH;
+		region.base = raw;
+		region.length = size;
+		raw += size;
+		/*
+		 * XXX Until we have rdata structures, we have no choice but
+		 * to directly access the rdata format.
+		 */
+		dns_name_init(&ns_name, offsets);
+		dns_name_fromregion(&ns_name, &region);
+		if (dns_name_compare(&ns_name, name) == 0) {
+			valid = true;
+			break;
+		}
+	}
+
+	return (valid);
+}
+
+static bool
+activeempty(rbtdb_search_t *search, dns_rbtnodechain_t *chain,
+	    const dns_name_t *name) {
+	dns_fixedname_t fnext;
+	dns_fixedname_t forigin;
+	dns_name_t *next;
+	dns_name_t *origin;
+	dns_name_t prefix;
+	dns_rbtdb_t *rbtdb;
+	dns_rbtnode_t *node;
+	isc_result_t result;
+	bool answer = false;
+	rdatasetheader_t *header;
+
+	rbtdb = search->rbtdb;
+
+	dns_name_init(&prefix, NULL);
+	next = dns_fixedname_initname(&fnext);
+	origin = dns_fixedname_initname(&forigin);
+
+	result = dns_rbtnodechain_next(chain, NULL, NULL);
+	while (result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN) {
+		node = NULL;
+		result = dns_rbtnodechain_current(chain, &prefix, origin,
+						  &node);
+		if (result != ISC_R_SUCCESS) {
+			break;
+		}
+		NODE_LOCK(&(rbtdb->node_locks[node->locknum].lock),
+			  isc_rwlocktype_read);
+		for (header = node->data; header != NULL; header = header->next)
+		{
+			if (header->serial <= search->serial &&
+			    !IGNORE(header) && EXISTS(header))
+			{
+				break;
+			}
+		}
+		NODE_UNLOCK(&(rbtdb->node_locks[node->locknum].lock),
+			    isc_rwlocktype_read);
+		if (header != NULL) {
+			break;
+		}
+		result = dns_rbtnodechain_next(chain, NULL, NULL);
+	}
+	if (result == ISC_R_SUCCESS) {
+		result = dns_name_concatenate(&prefix, origin, next, NULL);
+	}
+	if (result == ISC_R_SUCCESS && dns_name_issubdomain(next, name)) {
+		answer = true;
+	}
+	return (answer);
+}
+
+static bool
+activeemptynode(rbtdb_search_t *search, const dns_name_t *qname,
+		dns_name_t *wname) {
+	dns_fixedname_t fnext;
+	dns_fixedname_t forigin;
+	dns_fixedname_t fprev;
+	dns_name_t *next;
+	dns_name_t *origin;
+	dns_name_t *prev;
+	dns_name_t name;
+	dns_name_t rname;
+	dns_name_t tname;
+	dns_rbtdb_t *rbtdb;
+	dns_rbtnode_t *node;
+	dns_rbtnodechain_t chain;
+	bool check_next = true;
+	bool check_prev = true;
+	bool answer = false;
+	isc_result_t result;
+	rdatasetheader_t *header;
+	unsigned int n;
+
+	rbtdb = search->rbtdb;
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&tname, NULL);
+	dns_name_init(&rname, NULL);
+	next = dns_fixedname_initname(&fnext);
+	prev = dns_fixedname_initname(&fprev);
+	origin = dns_fixedname_initname(&forigin);
+
+	/*
+	 * Find if qname is at or below a empty node.
+	 * Use our own copy of the chain.
+	 */
+
+	chain = search->chain;
+	do {
+		node = NULL;
+		result = dns_rbtnodechain_current(&chain, &name, origin, &node);
+		if (result != ISC_R_SUCCESS) {
+			break;
+		}
+		NODE_LOCK(&(rbtdb->node_locks[node->locknum].lock),
+			  isc_rwlocktype_read);
+		for (header = node->data; header != NULL; header = header->next)
+		{
+			if (header->serial <= search->serial &&
+			    !IGNORE(header) && EXISTS(header))
+			{
+				break;
+			}
+		}
+		NODE_UNLOCK(&(rbtdb->node_locks[node->locknum].lock),
+			    isc_rwlocktype_read);
+		if (header != NULL) {
+			break;
+		}
+		result = dns_rbtnodechain_prev(&chain, NULL, NULL);
+	} while (result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN);
+	if (result == ISC_R_SUCCESS) {
+		result = dns_name_concatenate(&name, origin, prev, NULL);
+	}
+	if (result != ISC_R_SUCCESS) {
+		check_prev = false;
+	}
+
+	result = dns_rbtnodechain_next(&chain, NULL, NULL);
+	while (result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN) {
+		node = NULL;
+		result = dns_rbtnodechain_current(&chain, &name, origin, &node);
+		if (result != ISC_R_SUCCESS) {
+			break;
+		}
+		NODE_LOCK(&(rbtdb->node_locks[node->locknum].lock),
+			  isc_rwlocktype_read);
+		for (header = node->data; header != NULL; header = header->next)
+		{
+			if (header->serial <= search->serial &&
+			    !IGNORE(header) && EXISTS(header))
+			{
+				break;
+			}
+		}
+		NODE_UNLOCK(&(rbtdb->node_locks[node->locknum].lock),
+			    isc_rwlocktype_read);
+		if (header != NULL) {
+			break;
+		}
+		result = dns_rbtnodechain_next(&chain, NULL, NULL);
+	}
+	if (result == ISC_R_SUCCESS) {
+		result = dns_name_concatenate(&name, origin, next, NULL);
+	}
+	if (result != ISC_R_SUCCESS) {
+		check_next = false;
+	}
+
+	dns_name_clone(qname, &rname);
+
+	/*
+	 * Remove the wildcard label to find the terminal name.
+	 */
+	n = dns_name_countlabels(wname);
+	dns_name_getlabelsequence(wname, 1, n - 1, &tname);
+
+	do {
+		if ((check_prev && dns_name_issubdomain(prev, &rname)) ||
+		    (check_next && dns_name_issubdomain(next, &rname)))
+		{
+			answer = true;
+			break;
+		}
+		/*
+		 * Remove the left hand label.
+		 */
+		n = dns_name_countlabels(&rname);
+		dns_name_getlabelsequence(&rname, 1, n - 1, &rname);
+	} while (!dns_name_equal(&rname, &tname));
+	return (answer);
+}
+
+static isc_result_t
+find_wildcard(rbtdb_search_t *search, dns_rbtnode_t **nodep,
+	      const dns_name_t *qname) {
+	unsigned int i, j;
+	dns_rbtnode_t *node, *level_node, *wnode;
+	rdatasetheader_t *header;
+	isc_result_t result = ISC_R_NOTFOUND;
+	dns_name_t name;
+	dns_name_t *wname;
+	dns_fixedname_t fwname;
+	dns_rbtdb_t *rbtdb;
+	bool done, wild, active;
+	dns_rbtnodechain_t wchain;
+
+	/*
+	 * Caller must be holding the tree lock and MUST NOT be holding
+	 * any node locks.
+	 */
+
+	/*
+	 * Examine each ancestor level.  If the level's wild bit
+	 * is set, then construct the corresponding wildcard name and
+	 * search for it.  If the wildcard node exists, and is active in
+	 * this version, we're done.  If not, then we next check to see
+	 * if the ancestor is active in this version.  If so, then there
+	 * can be no possible wildcard match and again we're done.  If not,
+	 * continue the search.
+	 */
+
+	rbtdb = search->rbtdb;
+	i = search->chain.level_matches;
+	done = false;
+	node = *nodep;
+	do {
+		NODE_LOCK(&(rbtdb->node_locks[node->locknum].lock),
+			  isc_rwlocktype_read);
+
+		/*
+		 * First we try to figure out if this node is active in
+		 * the search's version.  We do this now, even though we
+		 * may not need the information, because it simplifies the
+		 * locking and code flow.
+		 */
+		for (header = node->data; header != NULL; header = header->next)
+		{
+			if (header->serial <= search->serial &&
+			    !IGNORE(header) && EXISTS(header) &&
+			    !ANCIENT(header))
+			{
+				break;
+			}
+		}
+		if (header != NULL) {
+			active = true;
+		} else {
+			active = false;
+		}
+
+		if (node->wild) {
+			wild = true;
+		} else {
+			wild = false;
+		}
+
+		NODE_UNLOCK(&(rbtdb->node_locks[node->locknum].lock),
+			    isc_rwlocktype_read);
+
+		if (wild) {
+			/*
+			 * Construct the wildcard name for this level.
+			 */
+			dns_name_init(&name, NULL);
+			dns_rbt_namefromnode(node, &name);
+			wname = dns_fixedname_initname(&fwname);
+			result = dns_name_concatenate(dns_wildcardname, &name,
+						      wname, NULL);
+			j = i;
+			while (result == ISC_R_SUCCESS && j != 0) {
+				j--;
+				level_node = search->chain.levels[j];
+				dns_name_init(&name, NULL);
+				dns_rbt_namefromnode(level_node, &name);
+				result = dns_name_concatenate(wname, &name,
+							      wname, NULL);
+			}
+			if (result != ISC_R_SUCCESS) {
+				break;
+			}
+
+			wnode = NULL;
+			dns_rbtnodechain_init(&wchain);
+			result = dns_rbt_findnode(
+				rbtdb->tree, wname, NULL, &wnode, &wchain,
+				DNS_RBTFIND_EMPTYDATA, NULL, NULL);
+			if (result == ISC_R_SUCCESS) {
+				nodelock_t *lock;
+
+				/*
+				 * We have found the wildcard node.  If it
+				 * is active in the search's version, we're
+				 * done.
+				 */
+				lock = &rbtdb->node_locks[wnode->locknum].lock;
+				NODE_LOCK(lock, isc_rwlocktype_read);
+				for (header = wnode->data; header != NULL;
+				     header = header->next)
+				{
+					if (header->serial <= search->serial &&
+					    !IGNORE(header) && EXISTS(header) &&
+					    !ANCIENT(header))
+					{
+						break;
+					}
+				}
+				NODE_UNLOCK(lock, isc_rwlocktype_read);
+				if (header != NULL ||
+				    activeempty(search, &wchain, wname))
+				{
+					if (activeemptynode(search, qname,
+							    wname))
+					{
+						return (ISC_R_NOTFOUND);
+					}
+					/*
+					 * The wildcard node is active!
+					 *
+					 * Note: result is still ISC_R_SUCCESS
+					 * so we don't have to set it.
+					 */
+					*nodep = wnode;
+					break;
+				}
+			} else if (result != ISC_R_NOTFOUND &&
+				   result != DNS_R_PARTIALMATCH)
+			{
+				/*
+				 * An error has occurred.  Bail out.
+				 */
+				break;
+			}
+		}
+
+		if (active) {
+			/*
+			 * The level node is active.  Any wildcarding
+			 * present at higher levels has no
+			 * effect and we're done.
+			 */
+			result = ISC_R_NOTFOUND;
+			break;
+		}
+
+		if (i > 0) {
+			i--;
+			node = search->chain.levels[i];
+		} else {
+			done = true;
+		}
+	} while (!done);
+
+	return (result);
+}
+
+static bool
+matchparams(rdatasetheader_t *header, rbtdb_search_t *search) {
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_nsec3_t nsec3;
+	unsigned char *raw; /* RDATASLAB */
+	unsigned int rdlen, count;
+	isc_region_t region;
+	isc_result_t result;
+
+	REQUIRE(header->type == dns_rdatatype_nsec3);
+
+	raw = (unsigned char *)header + sizeof(*header);
+	count = raw[0] * 256 + raw[1]; /* count */
+	raw += DNS_RDATASET_COUNT + DNS_RDATASET_LENGTH;
+
+	while (count-- > 0) {
+		rdlen = raw[0] * 256 + raw[1];
+		raw += DNS_RDATASET_ORDER + DNS_RDATASET_LENGTH;
+		region.base = raw;
+		region.length = rdlen;
+		dns_rdata_fromregion(&rdata, search->rbtdb->common.rdclass,
+				     dns_rdatatype_nsec3, &region);
+		raw += rdlen;
+		result = dns_rdata_tostruct(&rdata, &nsec3, NULL);
+		INSIST(result == ISC_R_SUCCESS);
+		if (nsec3.hash == search->rbtversion->hash &&
+		    nsec3.iterations == search->rbtversion->iterations &&
+		    nsec3.salt_length == search->rbtversion->salt_length &&
+		    memcmp(nsec3.salt, search->rbtversion->salt,
+			   nsec3.salt_length) == 0)
+		{
+			return (true);
+		}
+		dns_rdata_reset(&rdata);
+	}
+	return (false);
+}
+
+/*
+ * Find node of the NSEC/NSEC3 record that is 'name'.
+ */
+static isc_result_t
+previous_closest_nsec(dns_rdatatype_t type, rbtdb_search_t *search,
+		      dns_name_t *name, dns_name_t *origin,
+		      dns_rbtnode_t **nodep, dns_rbtnodechain_t *nsecchain,
+		      bool *firstp) {
+	dns_fixedname_t ftarget;
+	dns_name_t *target;
+	dns_rbtnode_t *nsecnode;
+	isc_result_t result;
+
+	REQUIRE(nodep != NULL && *nodep == NULL);
+	REQUIRE(type == dns_rdatatype_nsec3 || firstp != NULL);
+
+	if (type == dns_rdatatype_nsec3) {
+		result = dns_rbtnodechain_prev(&search->chain, NULL, NULL);
+		if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+			return (result);
+		}
+		result = dns_rbtnodechain_current(&search->chain, name, origin,
+						  nodep);
+		return (result);
+	}
+
+	target = dns_fixedname_initname(&ftarget);
+
+	for (;;) {
+		if (*firstp) {
+			/*
+			 * Construct the name of the second node to check.
+			 * It is the first node sought in the NSEC tree.
+			 */
+			*firstp = false;
+			dns_rbtnodechain_init(nsecchain);
+			result = dns_name_concatenate(name, origin, target,
+						      NULL);
+			if (result != ISC_R_SUCCESS) {
+				return (result);
+			}
+			nsecnode = NULL;
+			result = dns_rbt_findnode(
+				search->rbtdb->nsec, target, NULL, &nsecnode,
+				nsecchain, DNS_RBTFIND_EMPTYDATA, NULL, NULL);
+			if (result == ISC_R_SUCCESS) {
+				/*
+				 * Since this was the first loop, finding the
+				 * name in the NSEC tree implies that the first
+				 * node checked in the main tree had an
+				 * unacceptable NSEC record.
+				 * Try the previous node in the NSEC tree.
+				 */
+				result = dns_rbtnodechain_prev(nsecchain, name,
+							       origin);
+				if (result == DNS_R_NEWORIGIN) {
+					result = ISC_R_SUCCESS;
+				}
+			} else if (result == ISC_R_NOTFOUND ||
+				   result == DNS_R_PARTIALMATCH)
+			{
+				result = dns_rbtnodechain_current(
+					nsecchain, name, origin, NULL);
+				if (result == ISC_R_NOTFOUND) {
+					result = ISC_R_NOMORE;
+				}
+			}
+		} else {
+			/*
+			 * This is a second or later trip through the auxiliary
+			 * tree for the name of a third or earlier NSEC node in
+			 * the main tree.  Previous trips through the NSEC tree
+			 * must have found nodes in the main tree with NSEC
+			 * records.  Perhaps they lacked signature records.
+			 */
+			result = dns_rbtnodechain_prev(nsecchain, name, origin);
+			if (result == DNS_R_NEWORIGIN) {
+				result = ISC_R_SUCCESS;
+			}
+		}
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+
+		/*
+		 * Construct the name to seek in the main tree.
+		 */
+		result = dns_name_concatenate(name, origin, target, NULL);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+
+		*nodep = NULL;
+		result = dns_rbt_findnode(search->rbtdb->tree, target, NULL,
+					  nodep, &search->chain,
+					  DNS_RBTFIND_EMPTYDATA, NULL, NULL);
+		if (result == ISC_R_SUCCESS) {
+			return (result);
+		}
+
+		/*
+		 * There should always be a node in the main tree with the
+		 * same name as the node in the auxiliary NSEC tree, except for
+		 * nodes in the auxiliary tree that are awaiting deletion.
+		 */
+		if (result != DNS_R_PARTIALMATCH && result != ISC_R_NOTFOUND) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_CACHE, ISC_LOG_ERROR,
+				      "previous_closest_nsec(): %s",
+				      isc_result_totext(result));
+			return (DNS_R_BADDB);
+		}
+	}
+}
+
+/*
+ * Find the NSEC/NSEC3 which is or before the current point on the
+ * search chain.  For NSEC3 records only NSEC3 records that match the
+ * current NSEC3PARAM record are considered.
+ */
+static isc_result_t
+find_closest_nsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
+		  dns_name_t *foundname, dns_rdataset_t *rdataset,
+		  dns_rdataset_t *sigrdataset, dns_rbt_t *tree,
+		  dns_db_secure_t secure) {
+	dns_rbtnode_t *node, *prevnode;
+	rdatasetheader_t *header, *header_next, *found, *foundsig;
+	dns_rbtnodechain_t nsecchain;
+	bool empty_node;
+	isc_result_t result;
+	dns_fixedname_t fname, forigin;
+	dns_name_t *name, *origin;
+	dns_rdatatype_t type;
+	rbtdb_rdatatype_t sigtype;
+	bool wraps;
+	bool first = true;
+	bool need_sig = (secure == dns_db_secure);
+
+	if (tree == search->rbtdb->nsec3) {
+		type = dns_rdatatype_nsec3;
+		sigtype = RBTDB_RDATATYPE_SIGNSEC3;
+		wraps = true;
+	} else {
+		type = dns_rdatatype_nsec;
+		sigtype = RBTDB_RDATATYPE_SIGNSEC;
+		wraps = false;
+	}
+
+	/*
+	 * Use the auxiliary tree only starting with the second node in the
+	 * hope that the original node will be right much of the time.
+	 */
+	name = dns_fixedname_initname(&fname);
+	origin = dns_fixedname_initname(&forigin);
+again:
+	node = NULL;
+	prevnode = NULL;
+	result = dns_rbtnodechain_current(&search->chain, name, origin, &node);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	do {
+		NODE_LOCK(&(search->rbtdb->node_locks[node->locknum].lock),
+			  isc_rwlocktype_read);
+		found = NULL;
+		foundsig = NULL;
+		empty_node = true;
+		for (header = node->data; header != NULL; header = header_next)
+		{
+			header_next = header->next;
+			/*
+			 * Look for an active, extant NSEC or RRSIG NSEC.
+			 */
+			do {
+				if (header->serial <= search->serial &&
+				    !IGNORE(header))
+				{
+					/*
+					 * Is this a "this rdataset doesn't
+					 * exist" record?
+					 */
+					if (NONEXISTENT(header)) {
+						header = NULL;
+					}
+					break;
+				} else {
+					header = header->down;
+				}
+			} while (header != NULL);
+			if (header != NULL) {
+				/*
+				 * We now know that there is at least one
+				 * active rdataset at this node.
+				 */
+				empty_node = false;
+				if (header->type == type) {
+					found = header;
+					if (foundsig != NULL) {
+						break;
+					}
+				} else if (header->type == sigtype) {
+					foundsig = header;
+					if (found != NULL) {
+						break;
+					}
+				}
+			}
+		}
+		if (!empty_node) {
+			if (found != NULL && search->rbtversion->havensec3 &&
+			    found->type == dns_rdatatype_nsec3 &&
+			    !matchparams(found, search))
+			{
+				empty_node = true;
+				found = NULL;
+				foundsig = NULL;
+				result = previous_closest_nsec(
+					type, search, name, origin, &prevnode,
+					NULL, NULL);
+			} else if (found != NULL &&
+				   (foundsig != NULL || !need_sig))
+			{
+				/*
+				 * We've found the right NSEC/NSEC3 record.
+				 *
+				 * Note: for this to really be the right
+				 * NSEC record, it's essential that the NSEC
+				 * records of any nodes obscured by a zone
+				 * cut have been removed; we assume this is
+				 * the case.
+				 */
+				result = dns_name_concatenate(name, origin,
+							      foundname, NULL);
+				if (result == ISC_R_SUCCESS) {
+					if (nodep != NULL) {
+						new_reference(
+							search->rbtdb, node,
+							isc_rwlocktype_read);
+						*nodep = node;
+					}
+					bind_rdataset(search->rbtdb, node,
+						      found, search->now,
+						      isc_rwlocktype_read,
+						      rdataset);
+					if (foundsig != NULL) {
+						bind_rdataset(
+							search->rbtdb, node,
+							foundsig, search->now,
+							isc_rwlocktype_read,
+							sigrdataset);
+					}
+				}
+			} else if (found == NULL && foundsig == NULL) {
+				/*
+				 * This node is active, but has no NSEC or
+				 * RRSIG NSEC.  That means it's glue or
+				 * other obscured zone data that isn't
+				 * relevant for our search.  Treat the
+				 * node as if it were empty and keep looking.
+				 */
+				empty_node = true;
+				result = previous_closest_nsec(
+					type, search, name, origin, &prevnode,
+					&nsecchain, &first);
+			} else {
+				/*
+				 * We found an active node, but either the
+				 * NSEC or the RRSIG NSEC is missing.  This
+				 * shouldn't happen.
+				 */
+				result = DNS_R_BADDB;
+			}
+		} else {
+			/*
+			 * This node isn't active.  We've got to keep
+			 * looking.
+			 */
+			result = previous_closest_nsec(type, search, name,
+						       origin, &prevnode,
+						       &nsecchain, &first);
+		}
+		NODE_UNLOCK(&(search->rbtdb->node_locks[node->locknum].lock),
+			    isc_rwlocktype_read);
+		node = prevnode;
+		prevnode = NULL;
+	} while (empty_node && result == ISC_R_SUCCESS);
+
+	if (!first) {
+		dns_rbtnodechain_invalidate(&nsecchain);
+	}
+
+	if (result == ISC_R_NOMORE && wraps) {
+		result = dns_rbtnodechain_last(&search->chain, tree, NULL,
+					       NULL);
+		if (result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN) {
+			wraps = false;
+			goto again;
+		}
+	}
+
+	/*
+	 * If the result is ISC_R_NOMORE, then we got to the beginning of
+	 * the database and didn't find a NSEC record.  This shouldn't
+	 * happen.
+	 */
+	if (result == ISC_R_NOMORE) {
+		result = DNS_R_BADDB;
+	}
+
+	return (result);
+}
+
+static isc_result_t
+zone_find(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version,
+	  dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
+	  dns_dbnode_t **nodep, dns_name_t *foundname, dns_rdataset_t *rdataset,
+	  dns_rdataset_t *sigrdataset) {
+	dns_rbtnode_t *node = NULL;
+	isc_result_t result;
+	rbtdb_search_t search;
+	bool cname_ok = true;
+	bool close_version = false;
+	bool maybe_zonecut = false;
+	bool at_zonecut = false;
+	bool wild;
+	bool empty_node;
+	rdatasetheader_t *header, *header_next, *found, *nsecheader;
+	rdatasetheader_t *foundsig, *cnamesig, *nsecsig;
+	rbtdb_rdatatype_t sigtype;
+	bool active;
+	nodelock_t *lock;
+	dns_rbt_t *tree;
+
+	search.rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(VALID_RBTDB(search.rbtdb));
+	INSIST(version == NULL ||
+	       ((rbtdb_version_t *)version)->rbtdb == (dns_rbtdb_t *)db);
+
+	/*
+	 * We don't care about 'now'.
+	 */
+	UNUSED(now);
+
+	/*
+	 * If the caller didn't supply a version, attach to the current
+	 * version.
+	 */
+	if (version == NULL) {
+		currentversion(db, &version);
+		close_version = true;
+	}
+
+	search.rbtversion = version;
+	search.serial = search.rbtversion->serial;
+	search.options = options;
+	search.copy_name = false;
+	search.need_cleanup = false;
+	search.wild = false;
+	search.zonecut = NULL;
+	dns_fixedname_init(&search.zonecut_name);
+	dns_rbtnodechain_init(&search.chain);
+	search.now = 0;
+
+	/*
+	 * 'wild' will be true iff. we've matched a wildcard.
+	 */
+	wild = false;
+
+	RWLOCK(&search.rbtdb->tree_lock, isc_rwlocktype_read);
+
+	/*
+	 * Search down from the root of the tree.  If, while going down, we
+	 * encounter a callback node, zone_zonecut_callback() will search the
+	 * rdatasets at the zone cut for active DNAME or NS rdatasets.
+	 */
+	tree = (options & DNS_DBFIND_FORCENSEC3) != 0 ? search.rbtdb->nsec3
+						      : search.rbtdb->tree;
+	result = dns_rbt_findnode(tree, name, foundname, &node, &search.chain,
+				  DNS_RBTFIND_EMPTYDATA, zone_zonecut_callback,
+				  &search);
+
+	if (result == DNS_R_PARTIALMATCH) {
+	partial_match:
+		if (search.zonecut != NULL) {
+			result = setup_delegation(&search, nodep, foundname,
+						  rdataset, sigrdataset);
+			goto tree_exit;
+		}
+
+		if (search.wild) {
+			/*
+			 * At least one of the levels in the search chain
+			 * potentially has a wildcard.  For each such level,
+			 * we must see if there's a matching wildcard active
+			 * in the current version.
+			 */
+			result = find_wildcard(&search, &node, name);
+			if (result == ISC_R_SUCCESS) {
+				dns_name_copynf(name, foundname);
+				wild = true;
+				goto found;
+			} else if (result != ISC_R_NOTFOUND) {
+				goto tree_exit;
+			}
+		}
+
+		active = false;
+		if ((options & DNS_DBFIND_FORCENSEC3) == 0) {
+			/*
+			 * The NSEC3 tree won't have empty nodes,
+			 * so it isn't necessary to check for them.
+			 */
+			dns_rbtnodechain_t chain = search.chain;
+			active = activeempty(&search, &chain, name);
+		}
+
+		/*
+		 * If we're here, then the name does not exist, is not
+		 * beneath a zonecut, and there's no matching wildcard.
+		 */
+		if ((search.rbtversion->secure == dns_db_secure &&
+		     !search.rbtversion->havensec3) ||
+		    (search.options & DNS_DBFIND_FORCENSEC) != 0 ||
+		    (search.options & DNS_DBFIND_FORCENSEC3) != 0)
+		{
+			result = find_closest_nsec(&search, nodep, foundname,
+						   rdataset, sigrdataset, tree,
+						   search.rbtversion->secure);
+			if (result == ISC_R_SUCCESS) {
+				result = active ? DNS_R_EMPTYNAME
+						: DNS_R_NXDOMAIN;
+			}
+		} else {
+			result = active ? DNS_R_EMPTYNAME : DNS_R_NXDOMAIN;
+		}
+		goto tree_exit;
+	} else if (result != ISC_R_SUCCESS) {
+		goto tree_exit;
+	}
+
+found:
+	/*
+	 * We have found a node whose name is the desired name, or we
+	 * have matched a wildcard.
+	 */
+
+	if (search.zonecut != NULL) {
+		/*
+		 * If we're beneath a zone cut, we don't want to look for
+		 * CNAMEs because they're not legitimate zone glue.
+		 */
+		cname_ok = false;
+	} else {
+		/*
+		 * The node may be a zone cut itself.  If it might be one,
+		 * make sure we check for it later.
+		 *
+		 * DS records live above the zone cut in ordinary zone so
+		 * we want to ignore any referral.
+		 *
+		 * Stub zones don't have anything "above" the delegation so
+		 * we always return a referral.
+		 */
+		if (node->find_callback &&
+		    ((node != search.rbtdb->origin_node &&
+		      !dns_rdatatype_atparent(type)) ||
+		     IS_STUB(search.rbtdb)))
+		{
+			maybe_zonecut = true;
+		}
+	}
+
+	/*
+	 * Certain DNSSEC types are not subject to CNAME matching
+	 * (RFC4035, section 2.5 and RFC3007).
+	 *
+	 * We don't check for RRSIG, because we don't store RRSIG records
+	 * directly.
+	 */
+	if (type == dns_rdatatype_key || type == dns_rdatatype_nsec) {
+		cname_ok = false;
+	}
+
+	/*
+	 * We now go looking for rdata...
+	 */
+
+	lock = &search.rbtdb->node_locks[node->locknum].lock;
+	NODE_LOCK(lock, isc_rwlocktype_read);
+
+	found = NULL;
+	foundsig = NULL;
+	sigtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, type);
+	nsecheader = NULL;
+	nsecsig = NULL;
+	cnamesig = NULL;
+	empty_node = true;
+	for (header = node->data; header != NULL; header = header_next) {
+		header_next = header->next;
+		/*
+		 * Look for an active, extant rdataset.
+		 */
+		do {
+			if (header->serial <= search.serial && !IGNORE(header))
+			{
+				/*
+				 * Is this a "this rdataset doesn't
+				 * exist" record?
+				 */
+				if (NONEXISTENT(header)) {
+					header = NULL;
+				}
+				break;
+			} else {
+				header = header->down;
+			}
+		} while (header != NULL);
+		if (header != NULL) {
+			/*
+			 * We now know that there is at least one active
+			 * rdataset at this node.
+			 */
+			empty_node = false;
+
+			/*
+			 * Do special zone cut handling, if requested.
+			 */
+			if (maybe_zonecut && header->type == dns_rdatatype_ns) {
+				/*
+				 * We increment the reference count on node to
+				 * ensure that search->zonecut_rdataset will
+				 * still be valid later.
+				 */
+				new_reference(search.rbtdb, node,
+					      isc_rwlocktype_read);
+				search.zonecut = node;
+				search.zonecut_rdataset = header;
+				search.zonecut_sigrdataset = NULL;
+				search.need_cleanup = true;
+				maybe_zonecut = false;
+				at_zonecut = true;
+				/*
+				 * It is not clear if KEY should still be
+				 * allowed at the parent side of the zone
+				 * cut or not.  It is needed for RFC3007
+				 * validated updates.
+				 */
+				if ((search.options & DNS_DBFIND_GLUEOK) == 0 &&
+				    type != dns_rdatatype_nsec &&
+				    type != dns_rdatatype_key)
+				{
+					/*
+					 * Glue is not OK, but any answer we
+					 * could return would be glue.  Return
+					 * the delegation.
+					 */
+					found = NULL;
+					break;
+				}
+				if (found != NULL && foundsig != NULL) {
+					break;
+				}
+			}
+
+			/*
+			 * If the NSEC3 record doesn't match the chain
+			 * we are using behave as if it isn't here.
+			 */
+			if (header->type == dns_rdatatype_nsec3 &&
+			    !matchparams(header, &search))
+			{
+				NODE_UNLOCK(lock, isc_rwlocktype_read);
+				goto partial_match;
+			}
+			/*
+			 * If we found a type we were looking for,
+			 * remember it.
+			 */
+			if (header->type == type || type == dns_rdatatype_any ||
+			    (header->type == dns_rdatatype_cname && cname_ok))
+			{
+				/*
+				 * We've found the answer!
+				 */
+				found = header;
+				if (header->type == dns_rdatatype_cname &&
+				    cname_ok)
+				{
+					/*
+					 * We may be finding a CNAME instead
+					 * of the desired type.
+					 *
+					 * If we've already got the CNAME RRSIG,
+					 * use it, otherwise change sigtype
+					 * so that we find it.
+					 */
+					if (cnamesig != NULL) {
+						foundsig = cnamesig;
+					} else {
+						sigtype =
+							RBTDB_RDATATYPE_SIGCNAME;
+					}
+				}
+				/*
+				 * If we've got all we need, end the search.
+				 */
+				if (!maybe_zonecut && foundsig != NULL) {
+					break;
+				}
+			} else if (header->type == sigtype) {
+				/*
+				 * We've found the RRSIG rdataset for our
+				 * target type.  Remember it.
+				 */
+				foundsig = header;
+				/*
+				 * If we've got all we need, end the search.
+				 */
+				if (!maybe_zonecut && found != NULL) {
+					break;
+				}
+			} else if (header->type == dns_rdatatype_nsec &&
+				   !search.rbtversion->havensec3)
+			{
+				/*
+				 * Remember a NSEC rdataset even if we're
+				 * not specifically looking for it, because
+				 * we might need it later.
+				 */
+				nsecheader = header;
+			} else if (header->type == RBTDB_RDATATYPE_SIGNSEC &&
+				   !search.rbtversion->havensec3)
+			{
+				/*
+				 * If we need the NSEC rdataset, we'll also
+				 * need its signature.
+				 */
+				nsecsig = header;
+			} else if (cname_ok &&
+				   header->type == RBTDB_RDATATYPE_SIGCNAME)
+			{
+				/*
+				 * If we get a CNAME match, we'll also need
+				 * its signature.
+				 */
+				cnamesig = header;
+			}
+		}
+	}
+
+	if (empty_node) {
+		/*
+		 * We have an exact match for the name, but there are no
+		 * active rdatasets in the desired version.  That means that
+		 * this node doesn't exist in the desired version, and that
+		 * we really have a partial match.
+		 */
+		if (!wild) {
+			NODE_UNLOCK(lock, isc_rwlocktype_read);
+			goto partial_match;
+		}
+	}
+
+	/*
+	 * If we didn't find what we were looking for...
+	 */
+	if (found == NULL) {
+		if (search.zonecut != NULL) {
+			/*
+			 * We were trying to find glue at a node beneath a
+			 * zone cut, but didn't.
+			 *
+			 * Return the delegation.
+			 */
+			NODE_UNLOCK(lock, isc_rwlocktype_read);
+			result = setup_delegation(&search, nodep, foundname,
+						  rdataset, sigrdataset);
+			goto tree_exit;
+		}
+		/*
+		 * The desired type doesn't exist.
+		 */
+		result = DNS_R_NXRRSET;
+		if (search.rbtversion->secure == dns_db_secure &&
+		    !search.rbtversion->havensec3 &&
+		    (nsecheader == NULL || nsecsig == NULL))
+		{
+			/*
+			 * The zone is secure but there's no NSEC,
+			 * or the NSEC has no signature!
+			 */
+			if (!wild) {
+				result = DNS_R_BADDB;
+				goto node_exit;
+			}
+
+			NODE_UNLOCK(lock, isc_rwlocktype_read);
+			result = find_closest_nsec(&search, nodep, foundname,
+						   rdataset, sigrdataset,
+						   search.rbtdb->tree,
+						   search.rbtversion->secure);
+			if (result == ISC_R_SUCCESS) {
+				result = DNS_R_EMPTYWILD;
+			}
+			goto tree_exit;
+		}
+		if ((search.options & DNS_DBFIND_FORCENSEC) != 0 &&
+		    nsecheader == NULL)
+		{
+			/*
+			 * There's no NSEC record, and we were told
+			 * to find one.
+			 */
+			result = DNS_R_BADDB;
+			goto node_exit;
+		}
+		if (nodep != NULL) {
+			new_reference(search.rbtdb, node, isc_rwlocktype_read);
+			*nodep = node;
+		}
+		if ((search.rbtversion->secure == dns_db_secure &&
+		     !search.rbtversion->havensec3) ||
+		    (search.options & DNS_DBFIND_FORCENSEC) != 0)
+		{
+			bind_rdataset(search.rbtdb, node, nsecheader, 0,
+				      isc_rwlocktype_read, rdataset);
+			if (nsecsig != NULL) {
+				bind_rdataset(search.rbtdb, node, nsecsig, 0,
+					      isc_rwlocktype_read, sigrdataset);
+			}
+		}
+		if (wild) {
+			foundname->attributes |= DNS_NAMEATTR_WILDCARD;
+		}
+		goto node_exit;
+	}
+
+	/*
+	 * We found what we were looking for, or we found a CNAME.
+	 */
+
+	if (type != found->type && type != dns_rdatatype_any &&
+	    found->type == dns_rdatatype_cname)
+	{
+		/*
+		 * We weren't doing an ANY query and we found a CNAME instead
+		 * of the type we were looking for, so we need to indicate
+		 * that result to the caller.
+		 */
+		result = DNS_R_CNAME;
+	} else if (search.zonecut != NULL) {
+		/*
+		 * If we're beneath a zone cut, we must indicate that the
+		 * result is glue, unless we're actually at the zone cut
+		 * and the type is NSEC or KEY.
+		 */
+		if (search.zonecut == node) {
+			/*
+			 * It is not clear if KEY should still be
+			 * allowed at the parent side of the zone
+			 * cut or not.  It is needed for RFC3007
+			 * validated updates.
+			 */
+			if (type == dns_rdatatype_nsec ||
+			    type == dns_rdatatype_nsec3 ||
+			    type == dns_rdatatype_key)
+			{
+				result = ISC_R_SUCCESS;
+			} else if (type == dns_rdatatype_any) {
+				result = DNS_R_ZONECUT;
+			} else {
+				result = DNS_R_GLUE;
+			}
+		} else {
+			result = DNS_R_GLUE;
+		}
+		/*
+		 * We might have found data that isn't glue, but was occluded
+		 * by a dynamic update.  If the caller cares about this, they
+		 * will have told us to validate glue.
+		 *
+		 * XXX We should cache the glue validity state!
+		 */
+		if (result == DNS_R_GLUE &&
+		    (search.options & DNS_DBFIND_VALIDATEGLUE) != 0 &&
+		    !valid_glue(&search, foundname, type, node))
+		{
+			NODE_UNLOCK(lock, isc_rwlocktype_read);
+			result = setup_delegation(&search, nodep, foundname,
+						  rdataset, sigrdataset);
+			goto tree_exit;
+		}
+	} else {
+		/*
+		 * An ordinary successful query!
+		 */
+		result = ISC_R_SUCCESS;
+	}
+
+	if (nodep != NULL) {
+		if (!at_zonecut) {
+			new_reference(search.rbtdb, node, isc_rwlocktype_read);
+		} else {
+			search.need_cleanup = false;
+		}
+		*nodep = node;
+	}
+
+	if (type != dns_rdatatype_any) {
+		bind_rdataset(search.rbtdb, node, found, 0, isc_rwlocktype_read,
+			      rdataset);
+		if (foundsig != NULL) {
+			bind_rdataset(search.rbtdb, node, foundsig, 0,
+				      isc_rwlocktype_read, sigrdataset);
+		}
+	}
+
+	if (wild) {
+		foundname->attributes |= DNS_NAMEATTR_WILDCARD;
+	}
+
+node_exit:
+	NODE_UNLOCK(lock, isc_rwlocktype_read);
+
+tree_exit:
+	RWUNLOCK(&search.rbtdb->tree_lock, isc_rwlocktype_read);
+
+	/*
+	 * If we found a zonecut but aren't going to use it, we have to
+	 * let go of it.
+	 */
+	if (search.need_cleanup) {
+		node = search.zonecut;
+		INSIST(node != NULL);
+		lock = &(search.rbtdb->node_locks[node->locknum].lock);
+
+		NODE_LOCK(lock, isc_rwlocktype_read);
+		decrement_reference(search.rbtdb, node, 0, isc_rwlocktype_read,
+				    isc_rwlocktype_none, false);
+		NODE_UNLOCK(lock, isc_rwlocktype_read);
+	}
+
+	if (close_version) {
+		closeversion(db, &version, false);
+	}
+
+	dns_rbtnodechain_reset(&search.chain);
+
+	return (result);
+}
+
+static isc_result_t
+zone_findzonecut(dns_db_t *db, const dns_name_t *name, unsigned int options,
+		 isc_stdtime_t now, dns_dbnode_t **nodep, dns_name_t *foundname,
+		 dns_name_t *dcname, dns_rdataset_t *rdataset,
+		 dns_rdataset_t *sigrdataset) {
+	UNUSED(db);
+	UNUSED(name);
+	UNUSED(options);
+	UNUSED(now);
+	UNUSED(nodep);
+	UNUSED(foundname);
+	UNUSED(dcname);
+	UNUSED(rdataset);
+	UNUSED(sigrdataset);
+
+	FATAL_ERROR(__FILE__, __LINE__, "zone_findzonecut() called!");
+
+	UNREACHABLE();
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static bool
+check_stale_header(dns_rbtnode_t *node, rdatasetheader_t *header,
+		   isc_rwlocktype_t *locktype, nodelock_t *lock,
+		   rbtdb_search_t *search, rdatasetheader_t **header_prev) {
+	if (!ACTIVE(header, search->now)) {
+		dns_ttl_t stale = header->rdh_ttl +
+				  search->rbtdb->serve_stale_ttl;
+		/*
+		 * If this data is in the stale window keep it and if
+		 * DNS_DBFIND_STALEOK is not set we tell the caller to
+		 * skip this record.  We skip the records with ZEROTTL
+		 * (these records should not be cached anyway).
+		 */
+
+		RDATASET_ATTR_CLR(header, RDATASET_ATTR_STALE_WINDOW);
+		if (!ZEROTTL(header) && KEEPSTALE(search->rbtdb) &&
+		    stale > search->now)
+		{
+			mark_header_stale(search->rbtdb, header);
+			*header_prev = header;
+			/*
+			 * If DNS_DBFIND_STALESTART is set then it means we
+			 * failed to resolve the name during recursion, in
+			 * this case we mark the time in which the refresh
+			 * failed.
+			 */
+			if ((search->options & DNS_DBFIND_STALESTART) != 0) {
+				atomic_store_release(
+					&header->last_refresh_fail_ts,
+					search->now);
+			} else if ((search->options &
+				    DNS_DBFIND_STALEENABLED) != 0 &&
+				   search->now <
+					   (atomic_load_acquire(
+						    &header->last_refresh_fail_ts) +
+					    search->rbtdb->serve_stale_refresh))
+			{
+				/*
+				 * If we are within interval between last
+				 * refresh failure time + 'stale-refresh-time',
+				 * then don't skip this stale entry but use it
+				 * instead.
+				 */
+				RDATASET_ATTR_SET(header,
+						  RDATASET_ATTR_STALE_WINDOW);
+				return (false);
+			} else if ((search->options &
+				    DNS_DBFIND_STALETIMEOUT) != 0)
+			{
+				/*
+				 * We want stale RRset due to timeout, so we
+				 * don't skip it.
+				 */
+				return (false);
+			}
+			return ((search->options & DNS_DBFIND_STALEOK) == 0);
+		}
+
+		/*
+		 * This rdataset is stale.  If no one else is using the
+		 * node, we can clean it up right now, otherwise we mark
+		 * it as ancient, and the node as dirty, so it will get
+		 * cleaned up later.
+		 */
+		if ((header->rdh_ttl < search->now - RBTDB_VIRTUAL) &&
+		    (*locktype == isc_rwlocktype_write ||
+		     NODE_TRYUPGRADE(lock) == ISC_R_SUCCESS))
+		{
+			/*
+			 * We update the node's status only when we can
+			 * get write access; otherwise, we leave others
+			 * to this work.  Periodical cleaning will
+			 * eventually take the job as the last resort.
+			 * We won't downgrade the lock, since other
+			 * rdatasets are probably stale, too.
+			 */
+			*locktype = isc_rwlocktype_write;
+
+			if (isc_refcount_current(&node->references) == 0) {
+				isc_mem_t *mctx;
+
+				/*
+				 * header->down can be non-NULL if the
+				 * refcount has just decremented to 0
+				 * but decrement_reference() has not
+				 * performed clean_cache_node(), in
+				 * which case we need to purge the stale
+				 * headers first.
+				 */
+				mctx = search->rbtdb->common.mctx;
+				clean_stale_headers(search->rbtdb, mctx,
+						    header);
+				if (*header_prev != NULL) {
+					(*header_prev)->next = header->next;
+				} else {
+					node->data = header->next;
+				}
+				free_rdataset(search->rbtdb, mctx, header);
+			} else {
+				mark_header_ancient(search->rbtdb, header);
+				*header_prev = header;
+			}
+		} else {
+			*header_prev = header;
+		}
+		return (true);
+	}
+	return (false);
+}
+
+static isc_result_t
+cache_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) {
+	rbtdb_search_t *search = arg;
+	rdatasetheader_t *header, *header_prev, *header_next;
+	rdatasetheader_t *dname_header, *sigdname_header;
+	isc_result_t result;
+	nodelock_t *lock;
+	isc_rwlocktype_t locktype;
+
+	/* XXX comment */
+
+	REQUIRE(search->zonecut == NULL);
+
+	/*
+	 * Keep compiler silent.
+	 */
+	UNUSED(name);
+
+	lock = &(search->rbtdb->node_locks[node->locknum].lock);
+	locktype = isc_rwlocktype_read;
+	NODE_LOCK(lock, locktype);
+
+	/*
+	 * Look for a DNAME or RRSIG DNAME rdataset.
+	 */
+	dname_header = NULL;
+	sigdname_header = NULL;
+	header_prev = NULL;
+	for (header = node->data; header != NULL; header = header_next) {
+		header_next = header->next;
+		if (check_stale_header(node, header, &locktype, lock, search,
+				       &header_prev))
+		{
+			/* Do nothing. */
+		} else if (header->type == dns_rdatatype_dname &&
+			   EXISTS(header) && !ANCIENT(header))
+		{
+			dname_header = header;
+			header_prev = header;
+		} else if (header->type == RBTDB_RDATATYPE_SIGDNAME &&
+			   EXISTS(header) && !ANCIENT(header))
+		{
+			sigdname_header = header;
+			header_prev = header;
+		} else {
+			header_prev = header;
+		}
+	}
+
+	if (dname_header != NULL &&
+	    (!DNS_TRUST_PENDING(dname_header->trust) ||
+	     (search->options & DNS_DBFIND_PENDINGOK) != 0))
+	{
+		/*
+		 * We increment the reference count on node to ensure that
+		 * search->zonecut_rdataset will still be valid later.
+		 */
+		new_reference(search->rbtdb, node, locktype);
+		search->zonecut = node;
+		search->zonecut_rdataset = dname_header;
+		search->zonecut_sigrdataset = sigdname_header;
+		search->need_cleanup = true;
+		result = DNS_R_PARTIALMATCH;
+	} else {
+		result = DNS_R_CONTINUE;
+	}
+
+	NODE_UNLOCK(lock, locktype);
+
+	return (result);
+}
+
+static isc_result_t
+find_deepest_zonecut(rbtdb_search_t *search, dns_rbtnode_t *node,
+		     dns_dbnode_t **nodep, dns_name_t *foundname,
+		     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) {
+	unsigned int i;
+	dns_rbtnode_t *level_node;
+	rdatasetheader_t *header, *header_prev, *header_next;
+	rdatasetheader_t *found, *foundsig;
+	isc_result_t result = ISC_R_NOTFOUND;
+	dns_name_t name;
+	dns_rbtdb_t *rbtdb;
+	bool done;
+	nodelock_t *lock;
+	isc_rwlocktype_t locktype;
+
+	/*
+	 * Caller must be holding the tree lock.
+	 */
+
+	rbtdb = search->rbtdb;
+	i = search->chain.level_matches;
+	done = false;
+	do {
+		locktype = isc_rwlocktype_read;
+		lock = &rbtdb->node_locks[node->locknum].lock;
+		NODE_LOCK(lock, locktype);
+
+		/*
+		 * Look for NS and RRSIG NS rdatasets.
+		 */
+		found = NULL;
+		foundsig = NULL;
+		header_prev = NULL;
+		for (header = node->data; header != NULL; header = header_next)
+		{
+			header_next = header->next;
+			if (check_stale_header(node, header, &locktype, lock,
+					       search, &header_prev))
+			{
+				/* Do nothing. */
+			} else if (EXISTS(header) && !ANCIENT(header)) {
+				/*
+				 * We've found an extant rdataset.  See if
+				 * we're interested in it.
+				 */
+				if (header->type == dns_rdatatype_ns) {
+					found = header;
+					if (foundsig != NULL) {
+						break;
+					}
+				} else if (header->type ==
+					   RBTDB_RDATATYPE_SIGNS)
+				{
+					foundsig = header;
+					if (found != NULL) {
+						break;
+					}
+				}
+				header_prev = header;
+			} else {
+				header_prev = header;
+			}
+		}
+
+		if (found != NULL) {
+			/*
+			 * If we have to set foundname, we do it before
+			 * anything else.  If we were to set foundname after
+			 * we had set nodep or bound the rdataset, then we'd
+			 * have to undo that work if dns_name_concatenate()
+			 * failed.  By setting foundname first, there's
+			 * nothing to undo if we have trouble.
+			 */
+			if (foundname != NULL) {
+				dns_name_init(&name, NULL);
+				dns_rbt_namefromnode(node, &name);
+				dns_name_copynf(&name, foundname);
+				while (i > 0) {
+					i--;
+					level_node = search->chain.levels[i];
+					dns_name_init(&name, NULL);
+					dns_rbt_namefromnode(level_node, &name);
+					result = dns_name_concatenate(
+						foundname, &name, foundname,
+						NULL);
+					if (result != ISC_R_SUCCESS) {
+						if (nodep != NULL) {
+							*nodep = NULL;
+						}
+						goto node_exit;
+					}
+				}
+			}
+			result = DNS_R_DELEGATION;
+			if (nodep != NULL) {
+				new_reference(search->rbtdb, node, locktype);
+				*nodep = node;
+			}
+			bind_rdataset(search->rbtdb, node, found, search->now,
+				      locktype, rdataset);
+			if (foundsig != NULL) {
+				bind_rdataset(search->rbtdb, node, foundsig,
+					      search->now, locktype,
+					      sigrdataset);
+			}
+			if (need_headerupdate(found, search->now) ||
+			    (foundsig != NULL &&
+			     need_headerupdate(foundsig, search->now)))
+			{
+				if (locktype != isc_rwlocktype_write) {
+					NODE_UNLOCK(lock, locktype);
+					NODE_LOCK(lock, isc_rwlocktype_write);
+					locktype = isc_rwlocktype_write;
+					POST(locktype);
+				}
+				if (need_headerupdate(found, search->now)) {
+					update_header(search->rbtdb, found,
+						      search->now);
+				}
+				if (foundsig != NULL &&
+				    need_headerupdate(foundsig, search->now))
+				{
+					update_header(search->rbtdb, foundsig,
+						      search->now);
+				}
+			}
+		}
+
+	node_exit:
+		NODE_UNLOCK(lock, locktype);
+
+		if (found == NULL && i > 0) {
+			i--;
+			node = search->chain.levels[i];
+		} else {
+			done = true;
+		}
+	} while (!done);
+
+	return (result);
+}
+
+static isc_result_t
+find_coveringnsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
+		  isc_stdtime_t now, dns_name_t *foundname,
+		  dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) {
+	dns_rbtnode_t *node;
+	rdatasetheader_t *header, *header_next, *header_prev;
+	rdatasetheader_t *found, *foundsig;
+	bool empty_node;
+	isc_result_t result;
+	dns_fixedname_t fname, forigin;
+	dns_name_t *name, *origin;
+	rbtdb_rdatatype_t matchtype, sigmatchtype;
+	nodelock_t *lock;
+	isc_rwlocktype_t locktype;
+	dns_rbtnodechain_t chain;
+
+	chain = search->chain;
+
+	matchtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_nsec, 0);
+	sigmatchtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig,
+					     dns_rdatatype_nsec);
+
+	do {
+		node = NULL;
+		name = dns_fixedname_initname(&fname);
+		origin = dns_fixedname_initname(&forigin);
+		result = dns_rbtnodechain_current(&chain, name, origin, &node);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		locktype = isc_rwlocktype_read;
+		lock = &(search->rbtdb->node_locks[node->locknum].lock);
+		NODE_LOCK(lock, locktype);
+		found = NULL;
+		foundsig = NULL;
+		empty_node = true;
+		header_prev = NULL;
+		for (header = node->data; header != NULL; header = header_next)
+		{
+			header_next = header->next;
+			if (check_stale_header(node, header, &locktype, lock,
+					       search, &header_prev))
+			{
+				continue;
+			}
+			if (NONEXISTENT(header) ||
+			    RBTDB_RDATATYPE_BASE(header->type) == 0)
+			{
+				header_prev = header;
+				continue;
+			}
+			/*
+			 * Don't stop on provable noqname / RRSIG.
+			 */
+			if (header->noqname == NULL &&
+			    RBTDB_RDATATYPE_BASE(header->type) !=
+				    dns_rdatatype_rrsig)
+			{
+				empty_node = false;
+			}
+			if (header->type == matchtype) {
+				found = header;
+			} else if (header->type == sigmatchtype) {
+				foundsig = header;
+			}
+			header_prev = header;
+		}
+		if (found != NULL) {
+			result = dns_name_concatenate(name, origin, foundname,
+						      NULL);
+			if (result != ISC_R_SUCCESS) {
+				goto unlock_node;
+			}
+			bind_rdataset(search->rbtdb, node, found, now, locktype,
+				      rdataset);
+			if (foundsig != NULL) {
+				bind_rdataset(search->rbtdb, node, foundsig,
+					      now, locktype, sigrdataset);
+			}
+			new_reference(search->rbtdb, node, locktype);
+			*nodep = node;
+			result = DNS_R_COVERINGNSEC;
+		} else if (!empty_node) {
+			result = ISC_R_NOTFOUND;
+		} else {
+			result = dns_rbtnodechain_prev(&chain, NULL, NULL);
+		}
+	unlock_node:
+		NODE_UNLOCK(lock, locktype);
+	} while (empty_node && result == ISC_R_SUCCESS);
+	return (result);
+}
+
+static isc_result_t
+cache_find(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version,
+	   dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
+	   dns_dbnode_t **nodep, dns_name_t *foundname,
+	   dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) {
+	dns_rbtnode_t *node = NULL;
+	isc_result_t result;
+	rbtdb_search_t search;
+	bool cname_ok = true;
+	bool empty_node;
+	nodelock_t *lock;
+	isc_rwlocktype_t locktype;
+	rdatasetheader_t *header, *header_prev, *header_next;
+	rdatasetheader_t *found, *nsheader;
+	rdatasetheader_t *foundsig, *nssig, *cnamesig;
+	rdatasetheader_t *update, *updatesig;
+	rdatasetheader_t *nsecheader, *nsecsig;
+	rbtdb_rdatatype_t sigtype, negtype;
+
+	UNUSED(version);
+
+	search.rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(VALID_RBTDB(search.rbtdb));
+	REQUIRE(version == NULL);
+
+	if (now == 0) {
+		isc_stdtime_get(&now);
+	}
+
+	search.rbtversion = NULL;
+	search.serial = 1;
+	search.options = options;
+	search.copy_name = false;
+	search.need_cleanup = false;
+	search.wild = false;
+	search.zonecut = NULL;
+	dns_fixedname_init(&search.zonecut_name);
+	dns_rbtnodechain_init(&search.chain);
+	search.now = now;
+	update = NULL;
+	updatesig = NULL;
+
+	RWLOCK(&search.rbtdb->tree_lock, isc_rwlocktype_read);
+
+	/*
+	 * Search down from the root of the tree.  If, while going down, we
+	 * encounter a callback node, cache_zonecut_callback() will search the
+	 * rdatasets at the zone cut for a DNAME rdataset.
+	 */
+	result = dns_rbt_findnode(search.rbtdb->tree, name, foundname, &node,
+				  &search.chain, DNS_RBTFIND_EMPTYDATA,
+				  cache_zonecut_callback, &search);
+
+	if (result == DNS_R_PARTIALMATCH) {
+		if ((search.options & DNS_DBFIND_COVERINGNSEC) != 0) {
+			result = find_coveringnsec(&search, nodep, now,
+						   foundname, rdataset,
+						   sigrdataset);
+			if (result == DNS_R_COVERINGNSEC) {
+				goto tree_exit;
+			}
+		}
+		if (search.zonecut != NULL) {
+			result = setup_delegation(&search, nodep, foundname,
+						  rdataset, sigrdataset);
+			goto tree_exit;
+		} else {
+		find_ns:
+			result = find_deepest_zonecut(&search, node, nodep,
+						      foundname, rdataset,
+						      sigrdataset);
+			goto tree_exit;
+		}
+	} else if (result != ISC_R_SUCCESS) {
+		goto tree_exit;
+	}
+
+	/*
+	 * Certain DNSSEC types are not subject to CNAME matching
+	 * (RFC4035, section 2.5 and RFC3007).
+	 *
+	 * We don't check for RRSIG, because we don't store RRSIG records
+	 * directly.
+	 */
+	if (type == dns_rdatatype_key || type == dns_rdatatype_nsec) {
+		cname_ok = false;
+	}
+
+	/*
+	 * We now go looking for rdata...
+	 */
+
+	lock = &(search.rbtdb->node_locks[node->locknum].lock);
+	locktype = isc_rwlocktype_read;
+	NODE_LOCK(lock, locktype);
+
+	found = NULL;
+	foundsig = NULL;
+	sigtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, type);
+	negtype = RBTDB_RDATATYPE_VALUE(0, type);
+	nsheader = NULL;
+	nsecheader = NULL;
+	nssig = NULL;
+	nsecsig = NULL;
+	cnamesig = NULL;
+	empty_node = true;
+	header_prev = NULL;
+	for (header = node->data; header != NULL; header = header_next) {
+		header_next = header->next;
+		if (check_stale_header(node, header, &locktype, lock, &search,
+				       &header_prev))
+		{
+			/* Do nothing. */
+		} else if (EXISTS(header) && !ANCIENT(header)) {
+			/*
+			 * We now know that there is at least one active
+			 * non-stale rdataset at this node.
+			 */
+			empty_node = false;
+
+			/*
+			 * If we found a type we were looking for, remember
+			 * it.
+			 */
+			if (header->type == type ||
+			    (type == dns_rdatatype_any &&
+			     RBTDB_RDATATYPE_BASE(header->type) != 0) ||
+			    (cname_ok && header->type == dns_rdatatype_cname))
+			{
+				/*
+				 * We've found the answer.
+				 */
+				found = header;
+				if (header->type == dns_rdatatype_cname &&
+				    cname_ok && cnamesig != NULL)
+				{
+					/*
+					 * If we've already got the
+					 * CNAME RRSIG, use it.
+					 */
+					foundsig = cnamesig;
+				}
+			} else if (header->type == sigtype) {
+				/*
+				 * We've found the RRSIG rdataset for our
+				 * target type.  Remember it.
+				 */
+				foundsig = header;
+			} else if (header->type == RBTDB_RDATATYPE_NCACHEANY ||
+				   header->type == negtype)
+			{
+				/*
+				 * We've found a negative cache entry.
+				 */
+				found = header;
+			} else if (header->type == dns_rdatatype_ns) {
+				/*
+				 * Remember a NS rdataset even if we're
+				 * not specifically looking for it, because
+				 * we might need it later.
+				 */
+				nsheader = header;
+			} else if (header->type == RBTDB_RDATATYPE_SIGNS) {
+				/*
+				 * If we need the NS rdataset, we'll also
+				 * need its signature.
+				 */
+				nssig = header;
+			} else if (header->type == dns_rdatatype_nsec) {
+				nsecheader = header;
+			} else if (header->type == RBTDB_RDATATYPE_SIGNSEC) {
+				nsecsig = header;
+			} else if (cname_ok &&
+				   header->type == RBTDB_RDATATYPE_SIGCNAME)
+			{
+				/*
+				 * If we get a CNAME match, we'll also need
+				 * its signature.
+				 */
+				cnamesig = header;
+			}
+			header_prev = header;
+		} else {
+			header_prev = header;
+		}
+	}
+
+	if (empty_node) {
+		/*
+		 * We have an exact match for the name, but there are no
+		 * extant rdatasets.  That means that this node doesn't
+		 * meaningfully exist, and that we really have a partial match.
+		 */
+		NODE_UNLOCK(lock, locktype);
+		goto find_ns;
+	}
+
+	/*
+	 * If we didn't find what we were looking for...
+	 */
+	if (found == NULL ||
+	    (DNS_TRUST_ADDITIONAL(found->trust) &&
+	     ((options & DNS_DBFIND_ADDITIONALOK) == 0)) ||
+	    (found->trust == dns_trust_glue &&
+	     ((options & DNS_DBFIND_GLUEOK) == 0)) ||
+	    (DNS_TRUST_PENDING(found->trust) &&
+	     ((options & DNS_DBFIND_PENDINGOK) == 0)))
+	{
+		/*
+		 * Return covering NODATA NSEC record.
+		 */
+		if ((search.options & DNS_DBFIND_COVERINGNSEC) != 0 &&
+		    nsecheader != NULL)
+		{
+			if (nodep != NULL) {
+				new_reference(search.rbtdb, node, locktype);
+				*nodep = node;
+			}
+			bind_rdataset(search.rbtdb, node, nsecheader,
+				      search.now, locktype, rdataset);
+			if (need_headerupdate(nsecheader, search.now)) {
+				update = nsecheader;
+			}
+			if (nsecsig != NULL) {
+				bind_rdataset(search.rbtdb, node, nsecsig,
+					      search.now, locktype,
+					      sigrdataset);
+				if (need_headerupdate(nsecsig, search.now)) {
+					updatesig = nsecsig;
+				}
+			}
+			result = DNS_R_COVERINGNSEC;
+			goto node_exit;
+		}
+
+		/*
+		 * If there is an NS rdataset at this node, then this is the
+		 * deepest zone cut.
+		 */
+		if (nsheader != NULL) {
+			if (nodep != NULL) {
+				new_reference(search.rbtdb, node, locktype);
+				*nodep = node;
+			}
+			bind_rdataset(search.rbtdb, node, nsheader, search.now,
+				      locktype, rdataset);
+			if (need_headerupdate(nsheader, search.now)) {
+				update = nsheader;
+			}
+			if (nssig != NULL) {
+				bind_rdataset(search.rbtdb, node, nssig,
+					      search.now, locktype,
+					      sigrdataset);
+				if (need_headerupdate(nssig, search.now)) {
+					updatesig = nssig;
+				}
+			}
+			result = DNS_R_DELEGATION;
+			goto node_exit;
+		}
+
+		/*
+		 * Go find the deepest zone cut.
+		 */
+		NODE_UNLOCK(lock, locktype);
+		goto find_ns;
+	}
+
+	/*
+	 * We found what we were looking for, or we found a CNAME.
+	 */
+
+	if (nodep != NULL) {
+		new_reference(search.rbtdb, node, locktype);
+		*nodep = node;
+	}
+
+	if (NEGATIVE(found)) {
+		/*
+		 * We found a negative cache entry.
+		 */
+		if (NXDOMAIN(found)) {
+			result = DNS_R_NCACHENXDOMAIN;
+		} else {
+			result = DNS_R_NCACHENXRRSET;
+		}
+	} else if (type != found->type && type != dns_rdatatype_any &&
+		   found->type == dns_rdatatype_cname)
+	{
+		/*
+		 * We weren't doing an ANY query and we found a CNAME instead
+		 * of the type we were looking for, so we need to indicate
+		 * that result to the caller.
+		 */
+		result = DNS_R_CNAME;
+	} else {
+		/*
+		 * An ordinary successful query!
+		 */
+		result = ISC_R_SUCCESS;
+	}
+
+	if (type != dns_rdatatype_any || result == DNS_R_NCACHENXDOMAIN ||
+	    result == DNS_R_NCACHENXRRSET)
+	{
+		bind_rdataset(search.rbtdb, node, found, search.now, locktype,
+			      rdataset);
+		if (need_headerupdate(found, search.now)) {
+			update = found;
+		}
+		if (!NEGATIVE(found) && foundsig != NULL) {
+			bind_rdataset(search.rbtdb, node, foundsig, search.now,
+				      locktype, sigrdataset);
+			if (need_headerupdate(foundsig, search.now)) {
+				updatesig = foundsig;
+			}
+		}
+	}
+
+node_exit:
+	if ((update != NULL || updatesig != NULL) &&
+	    locktype != isc_rwlocktype_write)
+	{
+		NODE_UNLOCK(lock, locktype);
+		NODE_LOCK(lock, isc_rwlocktype_write);
+		locktype = isc_rwlocktype_write;
+		POST(locktype);
+	}
+	if (update != NULL && need_headerupdate(update, search.now)) {
+		update_header(search.rbtdb, update, search.now);
+	}
+	if (updatesig != NULL && need_headerupdate(updatesig, search.now)) {
+		update_header(search.rbtdb, updatesig, search.now);
+	}
+
+	NODE_UNLOCK(lock, locktype);
+
+tree_exit:
+	RWUNLOCK(&search.rbtdb->tree_lock, isc_rwlocktype_read);
+
+	/*
+	 * If we found a zonecut but aren't going to use it, we have to
+	 * let go of it.
+	 */
+	if (search.need_cleanup) {
+		node = search.zonecut;
+		INSIST(node != NULL);
+		lock = &(search.rbtdb->node_locks[node->locknum].lock);
+
+		NODE_LOCK(lock, isc_rwlocktype_read);
+		decrement_reference(search.rbtdb, node, 0, isc_rwlocktype_read,
+				    isc_rwlocktype_none, false);
+		NODE_UNLOCK(lock, isc_rwlocktype_read);
+	}
+
+	dns_rbtnodechain_reset(&search.chain);
+
+	update_cachestats(search.rbtdb, result);
+	return (result);
+}
+
+static isc_result_t
+cache_findzonecut(dns_db_t *db, const dns_name_t *name, unsigned int options,
+		  isc_stdtime_t now, dns_dbnode_t **nodep,
+		  dns_name_t *foundname, dns_name_t *dcname,
+		  dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) {
+	dns_rbtnode_t *node = NULL;
+	nodelock_t *lock;
+	isc_result_t result;
+	rbtdb_search_t search;
+	rdatasetheader_t *header, *header_prev, *header_next;
+	rdatasetheader_t *found, *foundsig;
+	unsigned int rbtoptions = DNS_RBTFIND_EMPTYDATA;
+	isc_rwlocktype_t locktype;
+	bool dcnull = (dcname == NULL);
+
+	search.rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(VALID_RBTDB(search.rbtdb));
+
+	if (now == 0) {
+		isc_stdtime_get(&now);
+	}
+
+	search.rbtversion = NULL;
+	search.serial = 1;
+	search.options = options;
+	search.copy_name = false;
+	search.need_cleanup = false;
+	search.wild = false;
+	search.zonecut = NULL;
+	dns_fixedname_init(&search.zonecut_name);
+	dns_rbtnodechain_init(&search.chain);
+	search.now = now;
+
+	if (dcnull) {
+		dcname = foundname;
+	}
+
+	if ((options & DNS_DBFIND_NOEXACT) != 0) {
+		rbtoptions |= DNS_RBTFIND_NOEXACT;
+	}
+
+	RWLOCK(&search.rbtdb->tree_lock, isc_rwlocktype_read);
+
+	/*
+	 * Search down from the root of the tree.
+	 */
+	result = dns_rbt_findnode(search.rbtdb->tree, name, dcname, &node,
+				  &search.chain, rbtoptions, NULL, &search);
+
+	if (result == DNS_R_PARTIALMATCH) {
+		result = find_deepest_zonecut(&search, node, nodep, foundname,
+					      rdataset, sigrdataset);
+		goto tree_exit;
+	} else if (result != ISC_R_SUCCESS) {
+		goto tree_exit;
+	} else if (!dcnull) {
+		dns_name_copynf(dcname, foundname);
+	}
+
+	/*
+	 * We now go looking for an NS rdataset at the node.
+	 */
+
+	lock = &(search.rbtdb->node_locks[node->locknum].lock);
+	locktype = isc_rwlocktype_read;
+	NODE_LOCK(lock, locktype);
+
+	found = NULL;
+	foundsig = NULL;
+	header_prev = NULL;
+	for (header = node->data; header != NULL; header = header_next) {
+		header_next = header->next;
+		if (check_stale_header(node, header, &locktype, lock, &search,
+				       &header_prev))
+		{
+			/*
+			 * The function dns_rbt_findnode found us the a matching
+			 * node for 'name' and stored the result in 'dcname'.
+			 * This is the deepest known zonecut in our database.
+			 * However, this node may be stale and if serve-stale
+			 * is not enabled (in other words 'stale-answer-enable'
+			 * is set to no), this node may not be used as a
+			 * zonecut we know about. If so, find the deepest
+			 * zonecut from this node up and return that instead.
+			 */
+			NODE_UNLOCK(lock, locktype);
+			result = find_deepest_zonecut(&search, node, nodep,
+						      foundname, rdataset,
+						      sigrdataset);
+			dns_name_copynf(foundname, dcname);
+			goto tree_exit;
+		} else if (EXISTS(header) && !ANCIENT(header)) {
+			/*
+			 * If we found a type we were looking for, remember
+			 * it.
+			 */
+			if (header->type == dns_rdatatype_ns) {
+				/*
+				 * Remember a NS rdataset even if we're
+				 * not specifically looking for it, because
+				 * we might need it later.
+				 */
+				found = header;
+			} else if (header->type == RBTDB_RDATATYPE_SIGNS) {
+				/*
+				 * If we need the NS rdataset, we'll also
+				 * need its signature.
+				 */
+				foundsig = header;
+			}
+			header_prev = header;
+		} else {
+			header_prev = header;
+		}
+	}
+
+	if (found == NULL) {
+		/*
+		 * No NS records here.
+		 */
+		NODE_UNLOCK(lock, locktype);
+		result = find_deepest_zonecut(&search, node, nodep, foundname,
+					      rdataset, sigrdataset);
+		goto tree_exit;
+	}
+
+	if (nodep != NULL) {
+		new_reference(search.rbtdb, node, locktype);
+		*nodep = node;
+	}
+
+	bind_rdataset(search.rbtdb, node, found, search.now, locktype,
+		      rdataset);
+	if (foundsig != NULL) {
+		bind_rdataset(search.rbtdb, node, foundsig, search.now,
+			      locktype, sigrdataset);
+	}
+
+	if (need_headerupdate(found, search.now) ||
+	    (foundsig != NULL && need_headerupdate(foundsig, search.now)))
+	{
+		if (locktype != isc_rwlocktype_write) {
+			NODE_UNLOCK(lock, locktype);
+			NODE_LOCK(lock, isc_rwlocktype_write);
+			locktype = isc_rwlocktype_write;
+			POST(locktype);
+		}
+		if (need_headerupdate(found, search.now)) {
+			update_header(search.rbtdb, found, search.now);
+		}
+		if (foundsig != NULL && need_headerupdate(foundsig, search.now))
+		{
+			update_header(search.rbtdb, foundsig, search.now);
+		}
+	}
+
+	NODE_UNLOCK(lock, locktype);
+
+tree_exit:
+	RWUNLOCK(&search.rbtdb->tree_lock, isc_rwlocktype_read);
+
+	INSIST(!search.need_cleanup);
+
+	dns_rbtnodechain_reset(&search.chain);
+
+	if (result == DNS_R_DELEGATION) {
+		result = ISC_R_SUCCESS;
+	}
+
+	return (result);
+}
+
+static void
+attachnode(dns_db_t *db, dns_dbnode_t *source, dns_dbnode_t **targetp) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	dns_rbtnode_t *node = (dns_rbtnode_t *)source;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	isc_refcount_increment(&node->references);
+
+	*targetp = source;
+}
+
+static void
+detachnode(dns_db_t *db, dns_dbnode_t **targetp) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	dns_rbtnode_t *node;
+	bool want_free = false;
+	bool inactive = false;
+	rbtdb_nodelock_t *nodelock;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	REQUIRE(targetp != NULL && *targetp != NULL);
+
+	node = (dns_rbtnode_t *)(*targetp);
+	nodelock = &rbtdb->node_locks[node->locknum];
+
+	NODE_LOCK(&nodelock->lock, isc_rwlocktype_read);
+
+	if (decrement_reference(rbtdb, node, 0, isc_rwlocktype_read,
+				isc_rwlocktype_none, false))
+	{
+		if (isc_refcount_current(&nodelock->references) == 0 &&
+		    nodelock->exiting)
+		{
+			inactive = true;
+		}
+	}
+
+	NODE_UNLOCK(&nodelock->lock, isc_rwlocktype_read);
+
+	*targetp = NULL;
+
+	if (inactive) {
+		RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write);
+		rbtdb->active--;
+		if (rbtdb->active == 0) {
+			want_free = true;
+		}
+		RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write);
+		if (want_free) {
+			char buf[DNS_NAME_FORMATSIZE];
+			if (dns_name_dynamic(&rbtdb->common.origin)) {
+				dns_name_format(&rbtdb->common.origin, buf,
+						sizeof(buf));
+			} else {
+				strlcpy(buf, "<UNKNOWN>", sizeof(buf));
+			}
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1),
+				      "calling free_rbtdb(%s)", buf);
+			free_rbtdb(rbtdb, true, NULL);
+		}
+	}
+}
+
+static isc_result_t
+expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	dns_rbtnode_t *rbtnode = node;
+	rdatasetheader_t *header;
+	bool force_expire = false;
+	/*
+	 * These are the category and module used by the cache cleaner.
+	 */
+	bool log = false;
+	isc_logcategory_t *category = DNS_LOGCATEGORY_DATABASE;
+	isc_logmodule_t *module = DNS_LOGMODULE_CACHE;
+	int level = ISC_LOG_DEBUG(2);
+	char printname[DNS_NAME_FORMATSIZE];
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+
+	/*
+	 * Caller must hold a tree lock.
+	 */
+
+	if (now == 0) {
+		isc_stdtime_get(&now);
+	}
+
+	if (isc_mem_isovermem(rbtdb->common.mctx)) {
+		/*
+		 * Force expire with 25% probability.
+		 * XXXDCL Could stand to have a better policy, like LRU.
+		 */
+		force_expire = (rbtnode->down == NULL &&
+				(isc_random32() % 4) == 0);
+
+		/*
+		 * Note that 'log' can be true IFF overmem is also true.
+		 * overmem can currently only be true for cache
+		 * databases -- hence all of the "overmem cache" log strings.
+		 */
+		log = isc_log_wouldlog(dns_lctx, level);
+		if (log) {
+			isc_log_write(
+				dns_lctx, category, module, level,
+				"overmem cache: %s %s",
+				force_expire ? "FORCE" : "check",
+				dns_rbt_formatnodename(rbtnode, printname,
+						       sizeof(printname)));
+		}
+	}
+
+	/*
+	 * We may not need write access, but this code path is not performance
+	 * sensitive, so it should be okay to always lock as a writer.
+	 */
+	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		  isc_rwlocktype_write);
+
+	for (header = rbtnode->data; header != NULL; header = header->next) {
+		if (header->rdh_ttl + rbtdb->serve_stale_ttl <=
+		    now - RBTDB_VIRTUAL)
+		{
+			/*
+			 * We don't check if refcurrent(rbtnode) == 0 and try
+			 * to free like we do in cache_find(), because
+			 * refcurrent(rbtnode) must be non-zero.  This is so
+			 * because 'node' is an argument to the function.
+			 */
+			mark_header_ancient(rbtdb, header);
+			if (log) {
+				isc_log_write(dns_lctx, category, module, level,
+					      "overmem cache: ancient %s",
+					      printname);
+			}
+		} else if (force_expire) {
+			if (!RETAIN(header)) {
+				set_ttl(rbtdb, header, 0);
+				mark_header_ancient(rbtdb, header);
+			} else if (log) {
+				isc_log_write(dns_lctx, category, module, level,
+					      "overmem cache: "
+					      "reprieve by RETAIN() %s",
+					      printname);
+			}
+		} else if (isc_mem_isovermem(rbtdb->common.mctx) && log) {
+			isc_log_write(dns_lctx, category, module, level,
+				      "overmem cache: saved %s", printname);
+		}
+	}
+
+	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		    isc_rwlocktype_write);
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+overmem(dns_db_t *db, bool over) {
+	/* This is an empty callback.  See adb.c:water() */
+
+	UNUSED(db);
+	UNUSED(over);
+
+	return;
+}
+
+static void
+printnode(dns_db_t *db, dns_dbnode_t *node, FILE *out) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	dns_rbtnode_t *rbtnode = node;
+	bool first;
+	uint32_t refs;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+
+	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		  isc_rwlocktype_read);
+
+	refs = isc_refcount_current(&rbtnode->references);
+	fprintf(out, "node %p, %" PRIu32 " references, locknum = %u\n", rbtnode,
+		refs, rbtnode->locknum);
+	if (rbtnode->data != NULL) {
+		rdatasetheader_t *current, *top_next;
+
+		for (current = rbtnode->data; current != NULL;
+		     current = top_next)
+		{
+			top_next = current->next;
+			first = true;
+			fprintf(out, "\ttype %u", current->type);
+			do {
+				uint_least16_t attributes = atomic_load_acquire(
+					&current->attributes);
+				if (!first) {
+					fprintf(out, "\t");
+				}
+				first = false;
+				fprintf(out,
+					"\tserial = %lu, ttl = %u, "
+					"trust = %u, attributes = %" PRIuLEAST16
+					", "
+					"resign = %u\n",
+					(unsigned long)current->serial,
+					current->rdh_ttl, current->trust,
+					attributes,
+					(current->resign << 1) |
+						current->resign_lsb);
+				current = current->down;
+			} while (current != NULL);
+		}
+	} else {
+		fprintf(out, "(empty)\n");
+	}
+
+	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		    isc_rwlocktype_read);
+}
+
+static isc_result_t
+createiterator(dns_db_t *db, unsigned int options,
+	       dns_dbiterator_t **iteratorp) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	rbtdb_dbiterator_t *rbtdbiter;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+
+	rbtdbiter = isc_mem_get(rbtdb->common.mctx, sizeof(*rbtdbiter));
+
+	rbtdbiter->common.methods = &dbiterator_methods;
+	rbtdbiter->common.db = NULL;
+	dns_db_attach(db, &rbtdbiter->common.db);
+	rbtdbiter->common.relative_names = ((options & DNS_DB_RELATIVENAMES) !=
+					    0);
+	rbtdbiter->common.magic = DNS_DBITERATOR_MAGIC;
+	rbtdbiter->common.cleaning = false;
+	rbtdbiter->paused = true;
+	rbtdbiter->tree_locked = isc_rwlocktype_none;
+	rbtdbiter->result = ISC_R_SUCCESS;
+	dns_fixedname_init(&rbtdbiter->name);
+	dns_fixedname_init(&rbtdbiter->origin);
+	rbtdbiter->node = NULL;
+	rbtdbiter->delcnt = 0;
+	rbtdbiter->nsec3only = ((options & DNS_DB_NSEC3ONLY) != 0);
+	rbtdbiter->nonsec3 = ((options & DNS_DB_NONSEC3) != 0);
+	memset(rbtdbiter->deletions, 0, sizeof(rbtdbiter->deletions));
+	dns_rbtnodechain_init(&rbtdbiter->chain);
+	dns_rbtnodechain_init(&rbtdbiter->nsec3chain);
+	if (rbtdbiter->nsec3only) {
+		rbtdbiter->current = &rbtdbiter->nsec3chain;
+	} else {
+		rbtdbiter->current = &rbtdbiter->chain;
+	}
+
+	*iteratorp = (dns_dbiterator_t *)rbtdbiter;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+zone_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+		  dns_rdatatype_t type, dns_rdatatype_t covers,
+		  isc_stdtime_t now, dns_rdataset_t *rdataset,
+		  dns_rdataset_t *sigrdataset) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node;
+	rdatasetheader_t *header, *header_next, *found, *foundsig;
+	rbtdb_serial_t serial;
+	rbtdb_version_t *rbtversion = version;
+	bool close_version = false;
+	rbtdb_rdatatype_t matchtype, sigmatchtype;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	REQUIRE(type != dns_rdatatype_any);
+	INSIST(rbtversion == NULL || rbtversion->rbtdb == rbtdb);
+
+	if (rbtversion == NULL) {
+		currentversion(db, (dns_dbversion_t **)(void *)(&rbtversion));
+		close_version = true;
+	}
+	serial = rbtversion->serial;
+	now = 0;
+
+	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		  isc_rwlocktype_read);
+
+	found = NULL;
+	foundsig = NULL;
+	matchtype = RBTDB_RDATATYPE_VALUE(type, covers);
+	if (covers == 0) {
+		sigmatchtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, type);
+	} else {
+		sigmatchtype = 0;
+	}
+
+	for (header = rbtnode->data; header != NULL; header = header_next) {
+		header_next = header->next;
+		do {
+			if (header->serial <= serial && !IGNORE(header)) {
+				/*
+				 * Is this a "this rdataset doesn't
+				 * exist" record?
+				 */
+				if (NONEXISTENT(header)) {
+					header = NULL;
+				}
+				break;
+			} else {
+				header = header->down;
+			}
+		} while (header != NULL);
+		if (header != NULL) {
+			/*
+			 * We have an active, extant rdataset.  If it's a
+			 * type we're looking for, remember it.
+			 */
+			if (header->type == matchtype) {
+				found = header;
+				if (foundsig != NULL) {
+					break;
+				}
+			} else if (header->type == sigmatchtype) {
+				foundsig = header;
+				if (found != NULL) {
+					break;
+				}
+			}
+		}
+	}
+	if (found != NULL) {
+		bind_rdataset(rbtdb, rbtnode, found, now, isc_rwlocktype_read,
+			      rdataset);
+		if (foundsig != NULL) {
+			bind_rdataset(rbtdb, rbtnode, foundsig, now,
+				      isc_rwlocktype_read, sigrdataset);
+		}
+	}
+
+	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		    isc_rwlocktype_read);
+
+	if (close_version) {
+		closeversion(db, (dns_dbversion_t **)(void *)(&rbtversion),
+			     false);
+	}
+
+	if (found == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+		   dns_rdatatype_t type, dns_rdatatype_t covers,
+		   isc_stdtime_t now, dns_rdataset_t *rdataset,
+		   dns_rdataset_t *sigrdataset) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node;
+	rdatasetheader_t *header, *header_next, *found, *foundsig;
+	rbtdb_rdatatype_t matchtype, sigmatchtype, negtype;
+	isc_result_t result;
+	nodelock_t *lock;
+	isc_rwlocktype_t locktype;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	REQUIRE(type != dns_rdatatype_any);
+
+	UNUSED(version);
+
+	result = ISC_R_SUCCESS;
+
+	if (now == 0) {
+		isc_stdtime_get(&now);
+	}
+
+	lock = &rbtdb->node_locks[rbtnode->locknum].lock;
+	locktype = isc_rwlocktype_read;
+	NODE_LOCK(lock, locktype);
+
+	found = NULL;
+	foundsig = NULL;
+	matchtype = RBTDB_RDATATYPE_VALUE(type, covers);
+	negtype = RBTDB_RDATATYPE_VALUE(0, type);
+	if (covers == 0) {
+		sigmatchtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, type);
+	} else {
+		sigmatchtype = 0;
+	}
+
+	for (header = rbtnode->data; header != NULL; header = header_next) {
+		header_next = header->next;
+		if (!ACTIVE(header, now)) {
+			if ((header->rdh_ttl + rbtdb->serve_stale_ttl <
+			     now - RBTDB_VIRTUAL) &&
+			    (locktype == isc_rwlocktype_write ||
+			     NODE_TRYUPGRADE(lock) == ISC_R_SUCCESS))
+			{
+				/*
+				 * We update the node's status only when we
+				 * can get write access.
+				 */
+				locktype = isc_rwlocktype_write;
+
+				/*
+				 * We don't check if refcurrent(rbtnode) == 0
+				 * and try to free like we do in cache_find(),
+				 * because refcurrent(rbtnode) must be
+				 * non-zero.  This is so because 'node' is an
+				 * argument to the function.
+				 */
+				mark_header_ancient(rbtdb, header);
+			}
+		} else if (EXISTS(header) && !ANCIENT(header)) {
+			if (header->type == matchtype) {
+				found = header;
+			} else if (header->type == RBTDB_RDATATYPE_NCACHEANY ||
+				   header->type == negtype)
+			{
+				found = header;
+			} else if (header->type == sigmatchtype) {
+				foundsig = header;
+			}
+		}
+	}
+	if (found != NULL) {
+		bind_rdataset(rbtdb, rbtnode, found, now, locktype, rdataset);
+		if (!NEGATIVE(found) && foundsig != NULL) {
+			bind_rdataset(rbtdb, rbtnode, foundsig, now, locktype,
+				      sigrdataset);
+		}
+	}
+
+	NODE_UNLOCK(lock, locktype);
+
+	if (found == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	if (NEGATIVE(found)) {
+		/*
+		 * We found a negative cache entry.
+		 */
+		if (NXDOMAIN(found)) {
+			result = DNS_R_NCACHENXDOMAIN;
+		} else {
+			result = DNS_R_NCACHENXRRSET;
+		}
+	}
+
+	update_cachestats(rbtdb, result);
+
+	return (result);
+}
+
+static isc_result_t
+allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+	     unsigned int options, isc_stdtime_t now,
+	     dns_rdatasetiter_t **iteratorp) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node;
+	rbtdb_version_t *rbtversion = version;
+	rbtdb_rdatasetiter_t *iterator;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+
+	iterator = isc_mem_get(rbtdb->common.mctx, sizeof(*iterator));
+
+	if ((db->attributes & DNS_DBATTR_CACHE) == 0) {
+		now = 0;
+		if (rbtversion == NULL) {
+			currentversion(
+				db, (dns_dbversion_t **)(void *)(&rbtversion));
+		} else {
+			INSIST(rbtversion->rbtdb == rbtdb);
+
+			(void)isc_refcount_increment(&rbtversion->references);
+		}
+	} else {
+		if (now == 0) {
+			isc_stdtime_get(&now);
+		}
+		rbtversion = NULL;
+	}
+
+	iterator->common.magic = DNS_RDATASETITER_MAGIC;
+	iterator->common.methods = &rdatasetiter_methods;
+	iterator->common.db = db;
+	iterator->common.node = node;
+	iterator->common.version = (dns_dbversion_t *)rbtversion;
+	iterator->common.options = options;
+	iterator->common.now = now;
+
+	isc_refcount_increment(&rbtnode->references);
+
+	iterator->current = NULL;
+
+	*iteratorp = (dns_rdatasetiter_t *)iterator;
+
+	return (ISC_R_SUCCESS);
+}
+
+static bool
+cname_and_other_data(dns_rbtnode_t *node, rbtdb_serial_t serial) {
+	rdatasetheader_t *header, *header_next;
+	bool cname, other_data;
+	dns_rdatatype_t rdtype;
+
+	/*
+	 * The caller must hold the node lock.
+	 */
+
+	/*
+	 * Look for CNAME and "other data" rdatasets active in our version.
+	 */
+	cname = false;
+	other_data = false;
+	for (header = node->data; header != NULL; header = header_next) {
+		header_next = header->next;
+		if (header->type == dns_rdatatype_cname) {
+			/*
+			 * Look for an active extant CNAME.
+			 */
+			do {
+				if (header->serial <= serial && !IGNORE(header))
+				{
+					/*
+					 * Is this a "this rdataset doesn't
+					 * exist" record?
+					 */
+					if (NONEXISTENT(header)) {
+						header = NULL;
+					}
+					break;
+				} else {
+					header = header->down;
+				}
+			} while (header != NULL);
+			if (header != NULL) {
+				cname = true;
+			}
+		} else {
+			/*
+			 * Look for active extant "other data".
+			 *
+			 * "Other data" is any rdataset whose type is not
+			 * KEY, NSEC, SIG or RRSIG.
+			 */
+			rdtype = RBTDB_RDATATYPE_BASE(header->type);
+			if (rdtype != dns_rdatatype_key &&
+			    rdtype != dns_rdatatype_sig &&
+			    rdtype != dns_rdatatype_nsec &&
+			    rdtype != dns_rdatatype_rrsig)
+			{
+				/*
+				 * Is it active and extant?
+				 */
+				do {
+					if (header->serial <= serial &&
+					    !IGNORE(header))
+					{
+						/*
+						 * Is this a "this rdataset
+						 * doesn't exist" record?
+						 */
+						if (NONEXISTENT(header)) {
+							header = NULL;
+						}
+						break;
+					} else {
+						header = header->down;
+					}
+				} while (header != NULL);
+				if (header != NULL) {
+					other_data = true;
+				}
+			}
+		}
+	}
+
+	if (cname && other_data) {
+		return (true);
+	}
+
+	return (false);
+}
+
+static void
+resign_insert(dns_rbtdb_t *rbtdb, int idx, rdatasetheader_t *newheader) {
+	INSIST(!IS_CACHE(rbtdb));
+	INSIST(newheader->heap_index == 0);
+	INSIST(!ISC_LINK_LINKED(newheader, link));
+
+	isc_heap_insert(rbtdb->heaps[idx], newheader);
+}
+
+/*
+ * node write lock must be held.
+ */
+static void
+resign_delete(dns_rbtdb_t *rbtdb, rbtdb_version_t *version,
+	      rdatasetheader_t *header) {
+	/*
+	 * Remove the old header from the heap
+	 */
+	if (header != NULL && header->heap_index != 0) {
+		isc_heap_delete(rbtdb->heaps[header->node->locknum],
+				header->heap_index);
+		header->heap_index = 0;
+		if (version != NULL) {
+			new_reference(rbtdb, header->node,
+				      isc_rwlocktype_write);
+			ISC_LIST_APPEND(version->resigned_list, header, link);
+		}
+	}
+}
+
+static uint64_t
+recordsize(rdatasetheader_t *header, unsigned int namelen) {
+	return (dns_rdataslab_rdatasize((unsigned char *)header,
+					sizeof(*header)) +
+		sizeof(dns_ttl_t) + sizeof(dns_rdatatype_t) +
+		sizeof(dns_rdataclass_t) + namelen);
+}
+
+static void
+update_recordsandxfrsize(bool add, rbtdb_version_t *rbtversion,
+			 rdatasetheader_t *header, unsigned int namelen) {
+	unsigned char *hdr = (unsigned char *)header;
+	size_t hdrsize = sizeof(*header);
+
+	RWLOCK(&rbtversion->rwlock, isc_rwlocktype_write);
+	if (add) {
+		rbtversion->records += dns_rdataslab_count(hdr, hdrsize);
+		rbtversion->xfrsize += recordsize(header, namelen);
+	} else {
+		rbtversion->records -= dns_rdataslab_count(hdr, hdrsize);
+		rbtversion->xfrsize -= recordsize(header, namelen);
+	}
+	RWUNLOCK(&rbtversion->rwlock, isc_rwlocktype_write);
+}
+
+/*
+ * write lock on rbtnode must be held.
+ */
+static isc_result_t
+add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
+      rbtdb_version_t *rbtversion, rdatasetheader_t *newheader,
+      unsigned int options, bool loading, dns_rdataset_t *addedrdataset,
+      isc_stdtime_t now) {
+	rbtdb_changed_t *changed = NULL;
+	rdatasetheader_t *topheader = NULL, *topheader_prev = NULL;
+	rdatasetheader_t *header = NULL, *sigheader = NULL;
+	unsigned char *merged = NULL;
+	isc_result_t result;
+	bool header_nx;
+	bool newheader_nx;
+	bool merge;
+	dns_rdatatype_t rdtype, covers;
+	rbtdb_rdatatype_t negtype, sigtype;
+	dns_trust_t trust;
+	int idx;
+
+	/*
+	 * Add an rdatasetheader_t to a node.
+	 */
+
+	/*
+	 * Caller must be holding the node lock.
+	 */
+
+	if ((options & DNS_DBADD_MERGE) != 0) {
+		REQUIRE(rbtversion != NULL);
+		merge = true;
+	} else {
+		merge = false;
+	}
+
+	if ((options & DNS_DBADD_FORCE) != 0) {
+		trust = dns_trust_ultimate;
+	} else {
+		trust = newheader->trust;
+	}
+
+	if (rbtversion != NULL && !loading) {
+		/*
+		 * We always add a changed record, even if no changes end up
+		 * being made to this node, because it's harmless and
+		 * simplifies the code.
+		 */
+		changed = add_changed(rbtdb, rbtversion, rbtnode);
+		if (changed == NULL) {
+			free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
+			return (ISC_R_NOMEMORY);
+		}
+	}
+
+	newheader_nx = NONEXISTENT(newheader) ? true : false;
+	topheader_prev = NULL;
+	sigheader = NULL;
+	negtype = 0;
+	if (rbtversion == NULL && !newheader_nx) {
+		rdtype = RBTDB_RDATATYPE_BASE(newheader->type);
+		covers = RBTDB_RDATATYPE_EXT(newheader->type);
+		sigtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, covers);
+		if (NEGATIVE(newheader)) {
+			/*
+			 * We're adding a negative cache entry.
+			 */
+			if (covers == dns_rdatatype_any) {
+				/*
+				 * If we're adding an negative cache entry
+				 * which covers all types (NXDOMAIN,
+				 * NODATA(QTYPE=ANY)),
+				 *
+				 * We make all other data ancient so that the
+				 * only rdataset that can be found at this
+				 * node is the negative cache entry.
+				 */
+				for (topheader = rbtnode->data;
+				     topheader != NULL;
+				     topheader = topheader->next)
+				{
+					set_ttl(rbtdb, topheader, 0);
+					mark_header_ancient(rbtdb, topheader);
+				}
+				goto find_header;
+			}
+			/*
+			 * Otherwise look for any RRSIGs of the given
+			 * type so they can be marked ancient later.
+			 */
+			for (topheader = rbtnode->data; topheader != NULL;
+			     topheader = topheader->next)
+			{
+				if (topheader->type == sigtype) {
+					sigheader = topheader;
+				}
+			}
+			negtype = RBTDB_RDATATYPE_VALUE(covers, 0);
+		} else {
+			/*
+			 * We're adding something that isn't a
+			 * negative cache entry.  Look for an extant
+			 * non-ancient NXDOMAIN/NODATA(QTYPE=ANY) negative
+			 * cache entry.  If we're adding an RRSIG, also
+			 * check for an extant non-ancient NODATA ncache
+			 * entry which covers the same type as the RRSIG.
+			 */
+			for (topheader = rbtnode->data; topheader != NULL;
+			     topheader = topheader->next)
+			{
+				if ((topheader->type ==
+				     RBTDB_RDATATYPE_NCACHEANY) ||
+				    (newheader->type == sigtype &&
+				     topheader->type ==
+					     RBTDB_RDATATYPE_VALUE(0, covers)))
+				{
+					break;
+				}
+			}
+			if (topheader != NULL && EXISTS(topheader) &&
+			    ACTIVE(topheader, now))
+			{
+				/*
+				 * Found one.
+				 */
+				if (trust < topheader->trust) {
+					/*
+					 * The NXDOMAIN/NODATA(QTYPE=ANY)
+					 * is more trusted.
+					 */
+					free_rdataset(rbtdb, rbtdb->common.mctx,
+						      newheader);
+					if (addedrdataset != NULL) {
+						bind_rdataset(
+							rbtdb, rbtnode,
+							topheader, now,
+							isc_rwlocktype_write,
+							addedrdataset);
+					}
+					return (DNS_R_UNCHANGED);
+				}
+				/*
+				 * The new rdataset is better.  Expire the
+				 * ncache entry.
+				 */
+				set_ttl(rbtdb, topheader, 0);
+				mark_header_ancient(rbtdb, topheader);
+				topheader = NULL;
+				goto find_header;
+			}
+			negtype = RBTDB_RDATATYPE_VALUE(0, rdtype);
+		}
+	}
+
+	for (topheader = rbtnode->data; topheader != NULL;
+	     topheader = topheader->next)
+	{
+		if (topheader->type == newheader->type ||
+		    topheader->type == negtype)
+		{
+			break;
+		}
+		topheader_prev = topheader;
+	}
+
+find_header:
+	/*
+	 * If header isn't NULL, we've found the right type.  There may be
+	 * IGNORE rdatasets between the top of the chain and the first real
+	 * data.  We skip over them.
+	 */
+	header = topheader;
+	while (header != NULL && IGNORE(header)) {
+		header = header->down;
+	}
+	if (header != NULL) {
+		header_nx = NONEXISTENT(header) ? true : false;
+
+		/*
+		 * Deleting an already non-existent rdataset has no effect.
+		 */
+		if (header_nx && newheader_nx) {
+			free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
+			return (DNS_R_UNCHANGED);
+		}
+
+		/*
+		 * Trying to add an rdataset with lower trust to a cache
+		 * DB has no effect, provided that the cache data isn't
+		 * stale. If the cache data is stale, new lower trust
+		 * data will supersede it below. Unclear what the best
+		 * policy is here.
+		 */
+		if (rbtversion == NULL && trust < header->trust &&
+		    (ACTIVE(header, now) || header_nx))
+		{
+			free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
+			if (addedrdataset != NULL) {
+				bind_rdataset(rbtdb, rbtnode, header, now,
+					      isc_rwlocktype_write,
+					      addedrdataset);
+			}
+			return (DNS_R_UNCHANGED);
+		}
+
+		/*
+		 * Don't merge if a nonexistent rdataset is involved.
+		 */
+		if (merge && (header_nx || newheader_nx)) {
+			merge = false;
+		}
+
+		/*
+		 * If 'merge' is true, we'll try to create a new rdataset
+		 * that is the union of 'newheader' and 'header'.
+		 */
+		if (merge) {
+			unsigned int flags = 0;
+			INSIST(rbtversion->serial >= header->serial);
+			merged = NULL;
+			result = ISC_R_SUCCESS;
+
+			if ((options & DNS_DBADD_EXACT) != 0) {
+				flags |= DNS_RDATASLAB_EXACT;
+			}
+			/*
+			 * TTL use here is irrelevant to the cache;
+			 * merge is only done with zonedbs.
+			 */
+			if ((options & DNS_DBADD_EXACTTTL) != 0 &&
+			    newheader->rdh_ttl != header->rdh_ttl)
+			{
+				result = DNS_R_NOTEXACT;
+			} else if (newheader->rdh_ttl != header->rdh_ttl) {
+				flags |= DNS_RDATASLAB_FORCE;
+			}
+			if (result == ISC_R_SUCCESS) {
+				result = dns_rdataslab_merge(
+					(unsigned char *)header,
+					(unsigned char *)newheader,
+					(unsigned int)(sizeof(*newheader)),
+					rbtdb->common.mctx,
+					rbtdb->common.rdclass,
+					(dns_rdatatype_t)header->type, flags,
+					&merged);
+			}
+			if (result == ISC_R_SUCCESS) {
+				/*
+				 * If 'header' has the same serial number as
+				 * we do, we could clean it up now if we knew
+				 * that our caller had no references to it.
+				 * We don't know this, however, so we leave it
+				 * alone.  It will get cleaned up when
+				 * clean_zone_node() runs.
+				 */
+				free_rdataset(rbtdb, rbtdb->common.mctx,
+					      newheader);
+				newheader = (rdatasetheader_t *)merged;
+				init_rdataset(rbtdb, newheader);
+				update_newheader(newheader, header);
+				if (loading && RESIGN(newheader) &&
+				    RESIGN(header) &&
+				    resign_sooner(header, newheader))
+				{
+					newheader->resign = header->resign;
+					newheader->resign_lsb =
+						header->resign_lsb;
+				}
+			} else {
+				free_rdataset(rbtdb, rbtdb->common.mctx,
+					      newheader);
+				return (result);
+			}
+		}
+		/*
+		 * Don't replace existing NS, A and AAAA RRsets in the
+		 * cache if they are already exist. This prevents named
+		 * being locked to old servers. Don't lower trust of
+		 * existing record if the update is forced. Nothing
+		 * special to be done w.r.t stale data; it gets replaced
+		 * normally further down.
+		 */
+		if (IS_CACHE(rbtdb) && ACTIVE(header, now) &&
+		    header->type == dns_rdatatype_ns && !header_nx &&
+		    !newheader_nx && header->trust >= newheader->trust &&
+		    dns_rdataslab_equalx((unsigned char *)header,
+					 (unsigned char *)newheader,
+					 (unsigned int)(sizeof(*newheader)),
+					 rbtdb->common.rdclass,
+					 (dns_rdatatype_t)header->type))
+		{
+			/*
+			 * Honour the new ttl if it is less than the
+			 * older one.
+			 */
+			if (header->rdh_ttl > newheader->rdh_ttl) {
+				set_ttl(rbtdb, header, newheader->rdh_ttl);
+			}
+			if (header->noqname == NULL &&
+			    newheader->noqname != NULL)
+			{
+				header->noqname = newheader->noqname;
+				newheader->noqname = NULL;
+			}
+			if (header->closest == NULL &&
+			    newheader->closest != NULL)
+			{
+				header->closest = newheader->closest;
+				newheader->closest = NULL;
+			}
+			free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
+			if (addedrdataset != NULL) {
+				bind_rdataset(rbtdb, rbtnode, header, now,
+					      isc_rwlocktype_write,
+					      addedrdataset);
+			}
+			return (ISC_R_SUCCESS);
+		}
+		/*
+		 * If we have will be replacing a NS RRset force its TTL
+		 * to be no more than the current NS RRset's TTL.  This
+		 * ensures the delegations that are withdrawn are honoured.
+		 */
+		if (IS_CACHE(rbtdb) && ACTIVE(header, now) &&
+		    header->type == dns_rdatatype_ns && !header_nx &&
+		    !newheader_nx && header->trust <= newheader->trust)
+		{
+			if (newheader->rdh_ttl > header->rdh_ttl) {
+				newheader->rdh_ttl = header->rdh_ttl;
+			}
+		}
+		if (IS_CACHE(rbtdb) && ACTIVE(header, now) &&
+		    (options & DNS_DBADD_PREFETCH) == 0 &&
+		    (header->type == dns_rdatatype_a ||
+		     header->type == dns_rdatatype_aaaa ||
+		     header->type == dns_rdatatype_ds ||
+		     header->type == RBTDB_RDATATYPE_SIGDS) &&
+		    !header_nx && !newheader_nx &&
+		    header->trust >= newheader->trust &&
+		    dns_rdataslab_equal((unsigned char *)header,
+					(unsigned char *)newheader,
+					(unsigned int)(sizeof(*newheader))))
+		{
+			/*
+			 * Honour the new ttl if it is less than the
+			 * older one.
+			 */
+			if (header->rdh_ttl > newheader->rdh_ttl) {
+				set_ttl(rbtdb, header, newheader->rdh_ttl);
+			}
+			if (header->noqname == NULL &&
+			    newheader->noqname != NULL)
+			{
+				header->noqname = newheader->noqname;
+				newheader->noqname = NULL;
+			}
+			if (header->closest == NULL &&
+			    newheader->closest != NULL)
+			{
+				header->closest = newheader->closest;
+				newheader->closest = NULL;
+			}
+			free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
+			if (addedrdataset != NULL) {
+				bind_rdataset(rbtdb, rbtnode, header, now,
+					      isc_rwlocktype_write,
+					      addedrdataset);
+			}
+			return (ISC_R_SUCCESS);
+		}
+		INSIST(rbtversion == NULL ||
+		       rbtversion->serial >= topheader->serial);
+		if (loading) {
+			newheader->down = NULL;
+			idx = newheader->node->locknum;
+			if (IS_CACHE(rbtdb)) {
+				if (ZEROTTL(newheader)) {
+					ISC_LIST_APPEND(rbtdb->rdatasets[idx],
+							newheader, link);
+				} else {
+					ISC_LIST_PREPEND(rbtdb->rdatasets[idx],
+							 newheader, link);
+				}
+				INSIST(rbtdb->heaps != NULL);
+				isc_heap_insert(rbtdb->heaps[idx], newheader);
+			} else if (RESIGN(newheader)) {
+				resign_insert(rbtdb, idx, newheader);
+				/*
+				 * Don't call resign_delete as we don't need
+				 * to reverse the delete.  The free_rdataset
+				 * call below will clean up the heap entry.
+				 */
+			}
+
+			/*
+			 * There are no other references to 'header' when
+			 * loading, so we MAY clean up 'header' now.
+			 * Since we don't generate changed records when
+			 * loading, we MUST clean up 'header' now.
+			 */
+			if (topheader_prev != NULL) {
+				topheader_prev->next = newheader;
+			} else {
+				rbtnode->data = newheader;
+			}
+			newheader->next = topheader->next;
+			if (rbtversion != NULL && !header_nx) {
+				update_recordsandxfrsize(false, rbtversion,
+							 header,
+							 nodename->length);
+			}
+			free_rdataset(rbtdb, rbtdb->common.mctx, header);
+		} else {
+			idx = newheader->node->locknum;
+			if (IS_CACHE(rbtdb)) {
+				INSIST(rbtdb->heaps != NULL);
+				isc_heap_insert(rbtdb->heaps[idx], newheader);
+				if (ZEROTTL(newheader)) {
+					ISC_LIST_APPEND(rbtdb->rdatasets[idx],
+							newheader, link);
+				} else {
+					ISC_LIST_PREPEND(rbtdb->rdatasets[idx],
+							 newheader, link);
+				}
+			} else if (RESIGN(newheader)) {
+				resign_insert(rbtdb, idx, newheader);
+				resign_delete(rbtdb, rbtversion, header);
+			}
+			if (topheader_prev != NULL) {
+				topheader_prev->next = newheader;
+			} else {
+				rbtnode->data = newheader;
+			}
+			newheader->next = topheader->next;
+			newheader->down = topheader;
+			topheader->next = newheader;
+			rbtnode->dirty = 1;
+			if (changed != NULL) {
+				changed->dirty = true;
+			}
+			if (rbtversion == NULL) {
+				set_ttl(rbtdb, header, 0);
+				mark_header_ancient(rbtdb, header);
+				if (sigheader != NULL) {
+					set_ttl(rbtdb, sigheader, 0);
+					mark_header_ancient(rbtdb, sigheader);
+				}
+			}
+			if (rbtversion != NULL && !header_nx) {
+				update_recordsandxfrsize(false, rbtversion,
+							 header,
+							 nodename->length);
+			}
+		}
+	} else {
+		/*
+		 * No non-IGNORED rdatasets of the given type exist at
+		 * this node.
+		 */
+
+		/*
+		 * If we're trying to delete the type, don't bother.
+		 */
+		if (newheader_nx) {
+			free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
+			return (DNS_R_UNCHANGED);
+		}
+
+		idx = newheader->node->locknum;
+		if (IS_CACHE(rbtdb)) {
+			isc_heap_insert(rbtdb->heaps[idx], newheader);
+			if (ZEROTTL(newheader)) {
+				ISC_LIST_APPEND(rbtdb->rdatasets[idx],
+						newheader, link);
+			} else {
+				ISC_LIST_PREPEND(rbtdb->rdatasets[idx],
+						 newheader, link);
+			}
+		} else if (RESIGN(newheader)) {
+			resign_insert(rbtdb, idx, newheader);
+			resign_delete(rbtdb, rbtversion, header);
+		}
+
+		if (topheader != NULL) {
+			/*
+			 * We have an list of rdatasets of the given type,
+			 * but they're all marked IGNORE.  We simply insert
+			 * the new rdataset at the head of the list.
+			 *
+			 * Ignored rdatasets cannot occur during loading, so
+			 * we INSIST on it.
+			 */
+			INSIST(!loading);
+			INSIST(rbtversion == NULL ||
+			       rbtversion->serial >= topheader->serial);
+			if (topheader_prev != NULL) {
+				topheader_prev->next = newheader;
+			} else {
+				rbtnode->data = newheader;
+			}
+			newheader->next = topheader->next;
+			newheader->down = topheader;
+			topheader->next = newheader;
+			rbtnode->dirty = 1;
+			if (changed != NULL) {
+				changed->dirty = true;
+			}
+		} else {
+			/*
+			 * No rdatasets of the given type exist at the node.
+			 */
+			newheader->next = rbtnode->data;
+			newheader->down = NULL;
+			rbtnode->data = newheader;
+		}
+	}
+
+	if (rbtversion != NULL && !newheader_nx) {
+		update_recordsandxfrsize(true, rbtversion, newheader,
+					 nodename->length);
+	}
+
+	/*
+	 * Check if the node now contains CNAME and other data.
+	 */
+	if (rbtversion != NULL &&
+	    cname_and_other_data(rbtnode, rbtversion->serial))
+	{
+		return (DNS_R_CNAMEANDOTHER);
+	}
+
+	if (addedrdataset != NULL) {
+		bind_rdataset(rbtdb, rbtnode, newheader, now,
+			      isc_rwlocktype_write, addedrdataset);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static bool
+delegating_type(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
+		rbtdb_rdatatype_t type) {
+	if (IS_CACHE(rbtdb)) {
+		if (type == dns_rdatatype_dname) {
+			return (true);
+		} else {
+			return (false);
+		}
+	} else if (type == dns_rdatatype_dname ||
+		   (type == dns_rdatatype_ns &&
+		    (node != rbtdb->origin_node || IS_STUB(rbtdb))))
+	{
+		return (true);
+	}
+	return (false);
+}
+
+static isc_result_t
+addnoqname(dns_rbtdb_t *rbtdb, rdatasetheader_t *newheader,
+	   dns_rdataset_t *rdataset) {
+	struct noqname *noqname;
+	isc_mem_t *mctx = rbtdb->common.mctx;
+	dns_name_t name;
+	dns_rdataset_t neg, negsig;
+	isc_result_t result;
+	isc_region_t r;
+
+	dns_name_init(&name, NULL);
+	dns_rdataset_init(&neg);
+	dns_rdataset_init(&negsig);
+
+	result = dns_rdataset_getnoqname(rdataset, &name, &neg, &negsig);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	noqname = isc_mem_get(mctx, sizeof(*noqname));
+	dns_name_init(&noqname->name, NULL);
+	noqname->neg = NULL;
+	noqname->negsig = NULL;
+	noqname->type = neg.type;
+	dns_name_dup(&name, mctx, &noqname->name);
+	result = dns_rdataslab_fromrdataset(&neg, mctx, &r, 0);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	noqname->neg = r.base;
+	result = dns_rdataslab_fromrdataset(&negsig, mctx, &r, 0);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	noqname->negsig = r.base;
+	dns_rdataset_disassociate(&neg);
+	dns_rdataset_disassociate(&negsig);
+	newheader->noqname = noqname;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	dns_rdataset_disassociate(&neg);
+	dns_rdataset_disassociate(&negsig);
+	free_noqname(mctx, &noqname);
+	return (result);
+}
+
+static isc_result_t
+addclosest(dns_rbtdb_t *rbtdb, rdatasetheader_t *newheader,
+	   dns_rdataset_t *rdataset) {
+	struct noqname *closest;
+	isc_mem_t *mctx = rbtdb->common.mctx;
+	dns_name_t name;
+	dns_rdataset_t neg, negsig;
+	isc_result_t result;
+	isc_region_t r;
+
+	dns_name_init(&name, NULL);
+	dns_rdataset_init(&neg);
+	dns_rdataset_init(&negsig);
+
+	result = dns_rdataset_getclosest(rdataset, &name, &neg, &negsig);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	closest = isc_mem_get(mctx, sizeof(*closest));
+	dns_name_init(&closest->name, NULL);
+	closest->neg = NULL;
+	closest->negsig = NULL;
+	closest->type = neg.type;
+	dns_name_dup(&name, mctx, &closest->name);
+	result = dns_rdataslab_fromrdataset(&neg, mctx, &r, 0);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	closest->neg = r.base;
+	result = dns_rdataslab_fromrdataset(&negsig, mctx, &r, 0);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	closest->negsig = r.base;
+	dns_rdataset_disassociate(&neg);
+	dns_rdataset_disassociate(&negsig);
+	newheader->closest = closest;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	dns_rdataset_disassociate(&neg);
+	dns_rdataset_disassociate(&negsig);
+	free_noqname(mctx, &closest);
+	return (result);
+}
+
+static dns_dbmethods_t zone_methods;
+
+static size_t
+rdataset_size(rdatasetheader_t *header) {
+	if (!NONEXISTENT(header)) {
+		return (dns_rdataslab_size((unsigned char *)header,
+					   sizeof(*header)));
+	}
+
+	return (sizeof(*header));
+}
+
+static isc_result_t
+addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+	    isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options,
+	    dns_rdataset_t *addedrdataset) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node;
+	rbtdb_version_t *rbtversion = version;
+	isc_region_t region;
+	rdatasetheader_t *newheader;
+	rdatasetheader_t *header;
+	isc_result_t result;
+	bool delegating;
+	bool newnsec;
+	bool tree_locked = false;
+	bool cache_is_overmem = false;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	INSIST(rbtversion == NULL || rbtversion->rbtdb == rbtdb);
+
+	if (rbtdb->common.methods == &zone_methods) {
+		/*
+		 * SOA records are only allowed at top of zone.
+		 */
+		if (rdataset->type == dns_rdatatype_soa &&
+		    node != rbtdb->origin_node)
+		{
+			return (DNS_R_NOTZONETOP);
+		}
+		RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+		REQUIRE(((rbtnode->nsec == DNS_RBT_NSEC_NSEC3 &&
+			  (rdataset->type == dns_rdatatype_nsec3 ||
+			   rdataset->covers == dns_rdatatype_nsec3)) ||
+			 (rbtnode->nsec != DNS_RBT_NSEC_NSEC3 &&
+			  rdataset->type != dns_rdatatype_nsec3 &&
+			  rdataset->covers != dns_rdatatype_nsec3)));
+		RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+	}
+
+	if (rbtversion == NULL) {
+		if (now == 0) {
+			isc_stdtime_get(&now);
+		}
+	} else {
+		now = 0;
+	}
+
+	result = dns_rdataslab_fromrdataset(rdataset, rbtdb->common.mctx,
+					    &region, sizeof(rdatasetheader_t));
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	name = dns_fixedname_initname(&fixed);
+	nodefullname(db, node, name);
+	dns_rdataset_getownercase(rdataset, name);
+
+	newheader = (rdatasetheader_t *)region.base;
+	init_rdataset(rbtdb, newheader);
+	setownercase(newheader, name);
+	set_ttl(rbtdb, newheader, rdataset->ttl + now);
+	newheader->type = RBTDB_RDATATYPE_VALUE(rdataset->type,
+						rdataset->covers);
+	atomic_init(&newheader->attributes, 0);
+	if (rdataset->ttl == 0U) {
+		RDATASET_ATTR_SET(newheader, RDATASET_ATTR_ZEROTTL);
+	}
+	newheader->noqname = NULL;
+	newheader->closest = NULL;
+	atomic_init(&newheader->count,
+		    atomic_fetch_add_relaxed(&init_count, 1));
+	newheader->trust = rdataset->trust;
+	newheader->last_used = now;
+	newheader->node = rbtnode;
+	if (rbtversion != NULL) {
+		newheader->serial = rbtversion->serial;
+		now = 0;
+
+		if ((rdataset->attributes & DNS_RDATASETATTR_RESIGN) != 0) {
+			RDATASET_ATTR_SET(newheader, RDATASET_ATTR_RESIGN);
+			newheader->resign =
+				(isc_stdtime_t)(dns_time64_from32(
+							rdataset->resign) >>
+						1);
+			newheader->resign_lsb = rdataset->resign & 0x1;
+		} else {
+			newheader->resign = 0;
+			newheader->resign_lsb = 0;
+		}
+	} else {
+		newheader->serial = 1;
+		newheader->resign = 0;
+		newheader->resign_lsb = 0;
+		if ((rdataset->attributes & DNS_RDATASETATTR_PREFETCH) != 0) {
+			RDATASET_ATTR_SET(newheader, RDATASET_ATTR_PREFETCH);
+		}
+		if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) {
+			RDATASET_ATTR_SET(newheader, RDATASET_ATTR_NEGATIVE);
+		}
+		if ((rdataset->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0) {
+			RDATASET_ATTR_SET(newheader, RDATASET_ATTR_NXDOMAIN);
+		}
+		if ((rdataset->attributes & DNS_RDATASETATTR_OPTOUT) != 0) {
+			RDATASET_ATTR_SET(newheader, RDATASET_ATTR_OPTOUT);
+		}
+		if ((rdataset->attributes & DNS_RDATASETATTR_NOQNAME) != 0) {
+			result = addnoqname(rbtdb, newheader, rdataset);
+			if (result != ISC_R_SUCCESS) {
+				free_rdataset(rbtdb, rbtdb->common.mctx,
+					      newheader);
+				return (result);
+			}
+		}
+		if ((rdataset->attributes & DNS_RDATASETATTR_CLOSEST) != 0) {
+			result = addclosest(rbtdb, newheader, rdataset);
+			if (result != ISC_R_SUCCESS) {
+				free_rdataset(rbtdb, rbtdb->common.mctx,
+					      newheader);
+				return (result);
+			}
+		}
+	}
+
+	/*
+	 * If we're adding a delegation type (e.g. NS or DNAME for a zone,
+	 * just DNAME for the cache), then we need to set the callback bit
+	 * on the node.
+	 */
+	if (delegating_type(rbtdb, rbtnode, rdataset->type)) {
+		delegating = true;
+	} else {
+		delegating = false;
+	}
+
+	/*
+	 * Add to the auxiliary NSEC tree if we're adding an NSEC record.
+	 */
+	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+	if (rbtnode->nsec != DNS_RBT_NSEC_HAS_NSEC &&
+	    rdataset->type == dns_rdatatype_nsec)
+	{
+		newnsec = true;
+	} else {
+		newnsec = false;
+	}
+	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+
+	/*
+	 * If we're adding a delegation type, adding to the auxiliary NSEC
+	 * tree, or the DB is a cache in an overmem state, hold an
+	 * exclusive lock on the tree.  In the latter case the lock does
+	 * not necessarily have to be acquired but it will help purge
+	 * ancient entries more effectively.
+	 */
+	if (IS_CACHE(rbtdb) && isc_mem_isovermem(rbtdb->common.mctx)) {
+		cache_is_overmem = true;
+	}
+	if (delegating || newnsec || cache_is_overmem) {
+		tree_locked = true;
+		RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+	}
+
+	if (cache_is_overmem) {
+		overmem_purge(rbtdb, rbtnode->locknum, rdataset_size(newheader),
+			      tree_locked);
+	}
+
+	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		  isc_rwlocktype_write);
+
+	if (rbtdb->rrsetstats != NULL) {
+		RDATASET_ATTR_SET(newheader, RDATASET_ATTR_STATCOUNT);
+		update_rrsetstats(rbtdb, newheader->type,
+				  atomic_load_acquire(&newheader->attributes),
+				  true);
+	}
+
+	if (IS_CACHE(rbtdb)) {
+		if (tree_locked) {
+			cleanup_dead_nodes(rbtdb, rbtnode->locknum);
+		}
+
+		header = isc_heap_element(rbtdb->heaps[rbtnode->locknum], 1);
+		if (header != NULL) {
+			dns_ttl_t rdh_ttl = header->rdh_ttl;
+
+			/* Only account for stale TTL if cache is not overmem */
+			if (!cache_is_overmem) {
+				rdh_ttl += rbtdb->serve_stale_ttl;
+			}
+
+			if (rdh_ttl < now - RBTDB_VIRTUAL) {
+				expire_header(rbtdb, header, tree_locked,
+					      expire_ttl);
+			}
+		}
+
+		/*
+		 * If we've been holding a write lock on the tree just for
+		 * cleaning, we can release it now.  However, we still need the
+		 * node lock.
+		 */
+		if (tree_locked && !delegating && !newnsec) {
+			RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+			tree_locked = false;
+		}
+	}
+
+	result = ISC_R_SUCCESS;
+	if (newnsec) {
+		dns_rbtnode_t *nsecnode;
+
+		nsecnode = NULL;
+		result = dns_rbt_addnode(rbtdb->nsec, name, &nsecnode);
+		if (result == ISC_R_SUCCESS) {
+			nsecnode->nsec = DNS_RBT_NSEC_NSEC;
+			rbtnode->nsec = DNS_RBT_NSEC_HAS_NSEC;
+		} else if (result == ISC_R_EXISTS) {
+			rbtnode->nsec = DNS_RBT_NSEC_HAS_NSEC;
+			result = ISC_R_SUCCESS;
+		}
+	}
+
+	if (result == ISC_R_SUCCESS) {
+		result = add32(rbtdb, rbtnode, name, rbtversion, newheader,
+			       options, false, addedrdataset, now);
+	}
+	if (result == ISC_R_SUCCESS && delegating) {
+		rbtnode->find_callback = 1;
+	}
+
+	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		    isc_rwlocktype_write);
+
+	if (tree_locked) {
+		RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+	}
+
+	/*
+	 * Update the zone's secure status.  If version is non-NULL
+	 * this is deferred until closeversion() is called.
+	 */
+	if (result == ISC_R_SUCCESS && version == NULL && !IS_CACHE(rbtdb)) {
+		iszonesecure(db, version, rbtdb->origin_node);
+	}
+
+	return (result);
+}
+
+static isc_result_t
+subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+		 dns_rdataset_t *rdataset, unsigned int options,
+		 dns_rdataset_t *newrdataset) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node;
+	rbtdb_version_t *rbtversion = version;
+	dns_fixedname_t fname;
+	dns_name_t *nodename = dns_fixedname_initname(&fname);
+	rdatasetheader_t *topheader, *topheader_prev, *header, *newheader;
+	unsigned char *subresult;
+	isc_region_t region;
+	isc_result_t result;
+	rbtdb_changed_t *changed;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	REQUIRE(rbtversion != NULL && rbtversion->rbtdb == rbtdb);
+
+	if (rbtdb->common.methods == &zone_methods) {
+		RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+		REQUIRE(((rbtnode->nsec == DNS_RBT_NSEC_NSEC3 &&
+			  (rdataset->type == dns_rdatatype_nsec3 ||
+			   rdataset->covers == dns_rdatatype_nsec3)) ||
+			 (rbtnode->nsec != DNS_RBT_NSEC_NSEC3 &&
+			  rdataset->type != dns_rdatatype_nsec3 &&
+			  rdataset->covers != dns_rdatatype_nsec3)));
+		RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+	}
+
+	nodefullname(db, node, nodename);
+
+	result = dns_rdataslab_fromrdataset(rdataset, rbtdb->common.mctx,
+					    &region, sizeof(rdatasetheader_t));
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	newheader = (rdatasetheader_t *)region.base;
+	init_rdataset(rbtdb, newheader);
+	set_ttl(rbtdb, newheader, rdataset->ttl);
+	newheader->type = RBTDB_RDATATYPE_VALUE(rdataset->type,
+						rdataset->covers);
+	atomic_init(&newheader->attributes, 0);
+	newheader->serial = rbtversion->serial;
+	newheader->trust = 0;
+	newheader->noqname = NULL;
+	newheader->closest = NULL;
+	atomic_init(&newheader->count,
+		    atomic_fetch_add_relaxed(&init_count, 1));
+	newheader->last_used = 0;
+	newheader->node = rbtnode;
+	if ((rdataset->attributes & DNS_RDATASETATTR_RESIGN) != 0) {
+		RDATASET_ATTR_SET(newheader, RDATASET_ATTR_RESIGN);
+		newheader->resign =
+			(isc_stdtime_t)(dns_time64_from32(rdataset->resign) >>
+					1);
+		newheader->resign_lsb = rdataset->resign & 0x1;
+	} else {
+		newheader->resign = 0;
+		newheader->resign_lsb = 0;
+	}
+
+	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		  isc_rwlocktype_write);
+
+	changed = add_changed(rbtdb, rbtversion, rbtnode);
+	if (changed == NULL) {
+		free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
+		NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+			    isc_rwlocktype_write);
+		return (ISC_R_NOMEMORY);
+	}
+
+	topheader_prev = NULL;
+	for (topheader = rbtnode->data; topheader != NULL;
+	     topheader = topheader->next)
+	{
+		if (topheader->type == newheader->type) {
+			break;
+		}
+		topheader_prev = topheader;
+	}
+	/*
+	 * If header isn't NULL, we've found the right type.  There may be
+	 * IGNORE rdatasets between the top of the chain and the first real
+	 * data.  We skip over them.
+	 */
+	header = topheader;
+	while (header != NULL && IGNORE(header)) {
+		header = header->down;
+	}
+	if (header != NULL && EXISTS(header)) {
+		unsigned int flags = 0;
+		subresult = NULL;
+		result = ISC_R_SUCCESS;
+		if ((options & DNS_DBSUB_EXACT) != 0) {
+			flags |= DNS_RDATASLAB_EXACT;
+			if (newheader->rdh_ttl != header->rdh_ttl) {
+				result = DNS_R_NOTEXACT;
+			}
+		}
+		if (result == ISC_R_SUCCESS) {
+			result = dns_rdataslab_subtract(
+				(unsigned char *)header,
+				(unsigned char *)newheader,
+				(unsigned int)(sizeof(*newheader)),
+				rbtdb->common.mctx, rbtdb->common.rdclass,
+				(dns_rdatatype_t)header->type, flags,
+				&subresult);
+		}
+		if (result == ISC_R_SUCCESS) {
+			free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
+			newheader = (rdatasetheader_t *)subresult;
+			init_rdataset(rbtdb, newheader);
+			update_newheader(newheader, header);
+			if (RESIGN(header)) {
+				RDATASET_ATTR_SET(newheader,
+						  RDATASET_ATTR_RESIGN);
+				newheader->resign = header->resign;
+				newheader->resign_lsb = header->resign_lsb;
+				resign_insert(rbtdb, rbtnode->locknum,
+					      newheader);
+			}
+			/*
+			 * We have to set the serial since the rdataslab
+			 * subtraction routine copies the reserved portion of
+			 * header, not newheader.
+			 */
+			newheader->serial = rbtversion->serial;
+			/*
+			 * XXXJT: dns_rdataslab_subtract() copied the pointers
+			 * to additional info.  We need to clear these fields
+			 * to avoid having duplicated references.
+			 */
+			update_recordsandxfrsize(true, rbtversion, newheader,
+						 nodename->length);
+		} else if (result == DNS_R_NXRRSET) {
+			/*
+			 * This subtraction would remove all of the rdata;
+			 * add a nonexistent header instead.
+			 */
+			free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
+			newheader = new_rdataset(rbtdb, rbtdb->common.mctx);
+			if (newheader == NULL) {
+				result = ISC_R_NOMEMORY;
+				goto unlock;
+			}
+			init_rdataset(rbtdb, newheader);
+			set_ttl(rbtdb, newheader, 0);
+			newheader->type = topheader->type;
+			atomic_init(&newheader->attributes,
+				    RDATASET_ATTR_NONEXISTENT);
+			newheader->trust = 0;
+			newheader->serial = rbtversion->serial;
+			newheader->noqname = NULL;
+			newheader->closest = NULL;
+			atomic_init(&newheader->count, 0);
+			newheader->node = rbtnode;
+			newheader->resign = 0;
+			newheader->resign_lsb = 0;
+			newheader->last_used = 0;
+		} else {
+			free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
+			goto unlock;
+		}
+
+		/*
+		 * If we're here, we want to link newheader in front of
+		 * topheader.
+		 */
+		INSIST(rbtversion->serial >= topheader->serial);
+		update_recordsandxfrsize(false, rbtversion, header,
+					 nodename->length);
+		if (topheader_prev != NULL) {
+			topheader_prev->next = newheader;
+		} else {
+			rbtnode->data = newheader;
+		}
+		newheader->next = topheader->next;
+		newheader->down = topheader;
+		topheader->next = newheader;
+		rbtnode->dirty = 1;
+		changed->dirty = true;
+		resign_delete(rbtdb, rbtversion, header);
+	} else {
+		/*
+		 * The rdataset doesn't exist, so we don't need to do anything
+		 * to satisfy the deletion request.
+		 */
+		free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
+		if ((options & DNS_DBSUB_EXACT) != 0) {
+			result = DNS_R_NOTEXACT;
+		} else {
+			result = DNS_R_UNCHANGED;
+		}
+	}
+
+	if (result == ISC_R_SUCCESS && newrdataset != NULL) {
+		bind_rdataset(rbtdb, rbtnode, newheader, 0,
+			      isc_rwlocktype_write, newrdataset);
+	}
+
+	if (result == DNS_R_NXRRSET && newrdataset != NULL &&
+	    (options & DNS_DBSUB_WANTOLD) != 0)
+	{
+		bind_rdataset(rbtdb, rbtnode, header, 0, isc_rwlocktype_write,
+			      newrdataset);
+	}
+
+unlock:
+	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		    isc_rwlocktype_write);
+
+	/*
+	 * Update the zone's secure status.  If version is non-NULL
+	 * this is deferred until closeversion() is called.
+	 */
+	if (result == ISC_R_SUCCESS && version == NULL && !IS_CACHE(rbtdb)) {
+		RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_read);
+		version = rbtdb->current_version;
+		RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_read);
+		iszonesecure(db, version, rbtdb->origin_node);
+	}
+
+	return (result);
+}
+
+static isc_result_t
+deleterdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+	       dns_rdatatype_t type, dns_rdatatype_t covers) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node;
+	rbtdb_version_t *rbtversion = version;
+	dns_fixedname_t fname;
+	dns_name_t *nodename = dns_fixedname_initname(&fname);
+	isc_result_t result;
+	rdatasetheader_t *newheader;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	INSIST(rbtversion == NULL || rbtversion->rbtdb == rbtdb);
+
+	if (type == dns_rdatatype_any) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+	if (type == dns_rdatatype_rrsig && covers == 0) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	newheader = new_rdataset(rbtdb, rbtdb->common.mctx);
+	if (newheader == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+	init_rdataset(rbtdb, newheader);
+	set_ttl(rbtdb, newheader, 0);
+	newheader->type = RBTDB_RDATATYPE_VALUE(type, covers);
+	atomic_init(&newheader->attributes, RDATASET_ATTR_NONEXISTENT);
+	newheader->trust = 0;
+	newheader->noqname = NULL;
+	newheader->closest = NULL;
+	if (rbtversion != NULL) {
+		newheader->serial = rbtversion->serial;
+	} else {
+		newheader->serial = 0;
+	}
+	atomic_init(&newheader->count, 0);
+	newheader->last_used = 0;
+	newheader->node = rbtnode;
+
+	nodefullname(db, node, nodename);
+
+	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		  isc_rwlocktype_write);
+	result = add32(rbtdb, rbtnode, nodename, rbtversion, newheader,
+		       DNS_DBADD_FORCE, false, NULL, 0);
+	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		    isc_rwlocktype_write);
+
+	/*
+	 * Update the zone's secure status.  If version is non-NULL
+	 * this is deferred until closeversion() is called.
+	 */
+	if (result == ISC_R_SUCCESS && version == NULL && !IS_CACHE(rbtdb)) {
+		RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_read);
+		version = rbtdb->current_version;
+		RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_read);
+		iszonesecure(db, version, rbtdb->origin_node);
+	}
+
+	return (result);
+}
+
+/*
+ * load a non-NSEC3 node in the main tree and optionally to the auxiliary NSEC
+ */
+static isc_result_t
+loadnode(dns_rbtdb_t *rbtdb, const dns_name_t *name, dns_rbtnode_t **nodep,
+	 bool hasnsec) {
+	isc_result_t noderesult, nsecresult, tmpresult;
+	dns_rbtnode_t *nsecnode = NULL, *node = NULL;
+
+	noderesult = dns_rbt_addnode(rbtdb->tree, name, &node);
+	if (!hasnsec) {
+		goto done;
+	}
+	if (noderesult == ISC_R_EXISTS) {
+		/*
+		 * Add a node to the auxiliary NSEC tree for an old node
+		 * just now getting an NSEC record.
+		 */
+		if (node->nsec == DNS_RBT_NSEC_HAS_NSEC) {
+			goto done;
+		}
+	} else if (noderesult != ISC_R_SUCCESS) {
+		goto done;
+	}
+
+	/*
+	 * Build the auxiliary tree for NSECs as we go.
+	 * This tree speeds searches for closest NSECs that would otherwise
+	 * need to examine many irrelevant nodes in large TLDs.
+	 *
+	 * Add nodes to the auxiliary tree after corresponding nodes have
+	 * been added to the main tree.
+	 */
+	nsecresult = dns_rbt_addnode(rbtdb->nsec, name, &nsecnode);
+	if (nsecresult == ISC_R_SUCCESS) {
+		nsecnode->nsec = DNS_RBT_NSEC_NSEC;
+		node->nsec = DNS_RBT_NSEC_HAS_NSEC;
+		goto done;
+	}
+
+	if (nsecresult == ISC_R_EXISTS) {
+#if 1 /* 0 */
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_CACHE, ISC_LOG_WARNING,
+			      "addnode: NSEC node already exists");
+#endif /* if 1 */
+		node->nsec = DNS_RBT_NSEC_HAS_NSEC;
+		goto done;
+	}
+
+	if (noderesult == ISC_R_SUCCESS) {
+		/*
+		 * Remove the node we just added above.
+		 */
+		tmpresult = dns_rbt_deletenode(rbtdb->tree, node, false);
+		if (tmpresult != ISC_R_SUCCESS) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_CACHE, ISC_LOG_WARNING,
+				      "loading_addrdataset: "
+				      "dns_rbt_deletenode: %s after "
+				      "dns_rbt_addnode(NSEC): %s",
+				      isc_result_totext(tmpresult),
+				      isc_result_totext(noderesult));
+		}
+	}
+
+	/*
+	 * Set the error condition to be returned.
+	 */
+	noderesult = nsecresult;
+
+done:
+	if (noderesult == ISC_R_SUCCESS || noderesult == ISC_R_EXISTS) {
+		*nodep = node;
+	}
+
+	return (noderesult);
+}
+
+static isc_result_t
+loading_addrdataset(void *arg, const dns_name_t *name,
+		    dns_rdataset_t *rdataset) {
+	rbtdb_load_t *loadctx = arg;
+	dns_rbtdb_t *rbtdb = loadctx->rbtdb;
+	dns_rbtnode_t *node;
+	isc_result_t result;
+	isc_region_t region;
+	rdatasetheader_t *newheader;
+
+	REQUIRE(rdataset->rdclass == rbtdb->common.rdclass);
+
+	/*
+	 * SOA records are only allowed at top of zone.
+	 */
+	if (rdataset->type == dns_rdatatype_soa && !IS_CACHE(rbtdb) &&
+	    !dns_name_equal(name, &rbtdb->common.origin))
+	{
+		return (DNS_R_NOTZONETOP);
+	}
+
+	if (rdataset->type != dns_rdatatype_nsec3 &&
+	    rdataset->covers != dns_rdatatype_nsec3)
+	{
+		add_empty_wildcards(rbtdb, name, false);
+	}
+
+	if (dns_name_iswildcard(name)) {
+		/*
+		 * NS record owners cannot legally be wild cards.
+		 */
+		if (rdataset->type == dns_rdatatype_ns) {
+			return (DNS_R_INVALIDNS);
+		}
+		/*
+		 * NSEC3 record owners cannot legally be wild cards.
+		 */
+		if (rdataset->type == dns_rdatatype_nsec3) {
+			return (DNS_R_INVALIDNSEC3);
+		}
+		result = add_wildcard_magic(rbtdb, name, false);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+
+	node = NULL;
+	if (rdataset->type == dns_rdatatype_nsec3 ||
+	    rdataset->covers == dns_rdatatype_nsec3)
+	{
+		result = dns_rbt_addnode(rbtdb->nsec3, name, &node);
+		if (result == ISC_R_SUCCESS) {
+			node->nsec = DNS_RBT_NSEC_NSEC3;
+		}
+	} else if (rdataset->type == dns_rdatatype_nsec) {
+		result = loadnode(rbtdb, name, &node, true);
+	} else {
+		result = loadnode(rbtdb, name, &node, false);
+	}
+	if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS) {
+		return (result);
+	}
+	if (result == ISC_R_SUCCESS) {
+		node->locknum = node->hashval % rbtdb->node_lock_count;
+	}
+
+	result = dns_rdataslab_fromrdataset(rdataset, rbtdb->common.mctx,
+					    &region, sizeof(rdatasetheader_t));
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	newheader = (rdatasetheader_t *)region.base;
+	init_rdataset(rbtdb, newheader);
+	set_ttl(rbtdb, newheader, rdataset->ttl + loadctx->now); /* XXX overflow
+								  * check */
+	newheader->type = RBTDB_RDATATYPE_VALUE(rdataset->type,
+						rdataset->covers);
+	atomic_init(&newheader->attributes, 0);
+	newheader->trust = rdataset->trust;
+	newheader->serial = 1;
+	newheader->noqname = NULL;
+	newheader->closest = NULL;
+	atomic_init(&newheader->count,
+		    atomic_fetch_add_relaxed(&init_count, 1));
+	newheader->last_used = 0;
+	newheader->node = node;
+	setownercase(newheader, name);
+
+	if ((rdataset->attributes & DNS_RDATASETATTR_RESIGN) != 0) {
+		RDATASET_ATTR_SET(newheader, RDATASET_ATTR_RESIGN);
+		newheader->resign =
+			(isc_stdtime_t)(dns_time64_from32(rdataset->resign) >>
+					1);
+		newheader->resign_lsb = rdataset->resign & 0x1;
+	} else {
+		newheader->resign = 0;
+		newheader->resign_lsb = 0;
+	}
+
+	NODE_LOCK(&rbtdb->node_locks[node->locknum].lock, isc_rwlocktype_write);
+	result = add32(rbtdb, node, name, rbtdb->current_version, newheader,
+		       DNS_DBADD_MERGE, true, NULL, 0);
+	NODE_UNLOCK(&rbtdb->node_locks[node->locknum].lock,
+		    isc_rwlocktype_write);
+
+	if (result == ISC_R_SUCCESS &&
+	    delegating_type(rbtdb, node, rdataset->type))
+	{
+		node->find_callback = 1;
+	} else if (result == DNS_R_UNCHANGED) {
+		result = ISC_R_SUCCESS;
+	}
+
+	return (result);
+}
+
+static isc_result_t
+rbt_datafixer(dns_rbtnode_t *rbtnode, void *base, size_t filesize, void *arg,
+	      uint64_t *crc) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)arg;
+	rdatasetheader_t *header;
+	unsigned char *limit = ((unsigned char *)base) + filesize;
+
+	REQUIRE(rbtnode != NULL);
+	REQUIRE(VALID_RBTDB(rbtdb));
+
+	for (header = rbtnode->data; header != NULL; header = header->next) {
+		unsigned char *p = (unsigned char *)header;
+		size_t size = dns_rdataslab_size(p, sizeof(*header));
+		isc_crc64_update(crc, p, size);
+#ifdef DEBUG
+		hexdump("hashing header", p, sizeof(rdatasetheader_t));
+		hexdump("hashing slab", p + sizeof(rdatasetheader_t),
+			size - sizeof(rdatasetheader_t));
+#endif /* ifdef DEBUG */
+		header->serial = 1;
+		header->is_mmapped = 1;
+		header->node = rbtnode;
+		header->node_is_relative = 0;
+
+		if (RESIGN(header) &&
+		    (header->resign != 0 || header->resign_lsb != 0))
+		{
+			int idx = header->node->locknum;
+			isc_heap_insert(rbtdb->heaps[idx], header);
+		}
+
+		if (header->next != NULL) {
+			size_t cooked = dns_rbt_serialize_align(size);
+			if ((uintptr_t)header->next !=
+			    (p - (unsigned char *)base) + cooked)
+			{
+				return (ISC_R_INVALIDFILE);
+			}
+			header->next = (rdatasetheader_t *)(p + cooked);
+			header->next_is_relative = 0;
+			if ((header->next < (rdatasetheader_t *)base) ||
+			    (header->next > (rdatasetheader_t *)limit))
+			{
+				return (ISC_R_INVALIDFILE);
+			}
+		}
+
+		update_recordsandxfrsize(true, rbtdb->current_version, header,
+					 rbtnode->fullnamelen);
+	}
+
+	/* We're done deserializing; clear fullnamelen */
+	rbtnode->fullnamelen = 0;
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Load the RBT database from the image in 'f'
+ */
+static isc_result_t
+deserialize(void *arg, FILE *f, off_t offset) {
+	isc_result_t result;
+	rbtdb_load_t *loadctx = arg;
+	dns_rbtdb_t *rbtdb = loadctx->rbtdb;
+	rbtdb_file_header_t *header;
+	int fd;
+	off_t filesize = 0;
+	char *base;
+	dns_rbt_t *tree = NULL, *nsec = NULL, *nsec3 = NULL;
+	int protect, flags;
+	dns_rbtnode_t *origin_node = NULL;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+
+	/*
+	 * TODO CKB: since this is read-write (had to be to add nodes later)
+	 * we will need to lock the file or the nodes in it before modifying
+	 * the nodes in the file.
+	 */
+
+	/* Map in the whole file in one go */
+	fd = fileno(f);
+	isc_file_getsizefd(fd, &filesize);
+	protect = PROT_READ | PROT_WRITE;
+	flags = MAP_PRIVATE;
+#ifdef MAP_FILE
+	flags |= MAP_FILE;
+#endif /* ifdef MAP_FILE */
+
+	base = isc_file_mmap(NULL, filesize, protect, flags, fd, 0);
+	if (base == NULL || base == MAP_FAILED) {
+		return (ISC_R_FAILURE);
+	}
+
+	header = (rbtdb_file_header_t *)(base + offset);
+	if (!match_header_version(header)) {
+		result = ISC_R_INVALIDFILE;
+		goto cleanup;
+	}
+
+	if (header->tree != 0) {
+		result = dns_rbt_deserialize_tree(
+			base, filesize, (off_t)header->tree, rbtdb->common.mctx,
+			delete_callback, rbtdb, rbt_datafixer, rbtdb, NULL,
+			&tree);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+
+		result = dns_rbt_findnode(tree, &rbtdb->common.origin, NULL,
+					  &origin_node, NULL,
+					  DNS_RBTFIND_EMPTYDATA, NULL, NULL);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+	}
+
+	if (header->nsec != 0) {
+		result = dns_rbt_deserialize_tree(
+			base, filesize, (off_t)header->nsec, rbtdb->common.mctx,
+			delete_callback, rbtdb, rbt_datafixer, rbtdb, NULL,
+			&nsec);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+	}
+
+	if (header->nsec3 != 0) {
+		result = dns_rbt_deserialize_tree(
+			base, filesize, (off_t)header->nsec3,
+			rbtdb->common.mctx, delete_callback, rbtdb,
+			rbt_datafixer, rbtdb, NULL, &nsec3);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+	}
+
+	/*
+	 * We have a successfully loaded all the rbt trees now update
+	 * rbtdb to use them.
+	 */
+
+	rbtdb->mmap_location = base;
+	rbtdb->mmap_size = (size_t)filesize;
+
+	if (tree != NULL) {
+		dns_rbt_destroy(&rbtdb->tree);
+		rbtdb->tree = tree;
+		rbtdb->origin_node = origin_node;
+	}
+
+	if (nsec != NULL) {
+		dns_rbt_destroy(&rbtdb->nsec);
+		rbtdb->nsec = nsec;
+	}
+
+	if (nsec3 != NULL) {
+		dns_rbt_destroy(&rbtdb->nsec3);
+		rbtdb->nsec3 = nsec3;
+	}
+
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	if (tree != NULL) {
+		dns_rbt_destroy(&tree);
+	}
+	if (nsec != NULL) {
+		dns_rbt_destroy(&nsec);
+	}
+	if (nsec3 != NULL) {
+		dns_rbt_destroy(&nsec3);
+	}
+	isc_file_munmap(base, (size_t)filesize);
+	return (result);
+}
+
+static isc_result_t
+beginload(dns_db_t *db, dns_rdatacallbacks_t *callbacks) {
+	rbtdb_load_t *loadctx;
+	dns_rbtdb_t *rbtdb;
+	rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(DNS_CALLBACK_VALID(callbacks));
+	REQUIRE(VALID_RBTDB(rbtdb));
+
+	loadctx = isc_mem_get(rbtdb->common.mctx, sizeof(*loadctx));
+
+	loadctx->rbtdb = rbtdb;
+	if (IS_CACHE(rbtdb)) {
+		isc_stdtime_get(&loadctx->now);
+	} else {
+		loadctx->now = 0;
+	}
+
+	RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write);
+
+	REQUIRE((rbtdb->attributes &
+		 (RBTDB_ATTR_LOADED | RBTDB_ATTR_LOADING)) == 0);
+	rbtdb->attributes |= RBTDB_ATTR_LOADING;
+
+	RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write);
+
+	callbacks->add = loading_addrdataset;
+	callbacks->add_private = loadctx;
+	callbacks->deserialize = deserialize;
+	callbacks->deserialize_private = loadctx;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+endload(dns_db_t *db, dns_rdatacallbacks_t *callbacks) {
+	rbtdb_load_t *loadctx;
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	REQUIRE(DNS_CALLBACK_VALID(callbacks));
+	loadctx = callbacks->add_private;
+	REQUIRE(loadctx != NULL);
+	REQUIRE(loadctx->rbtdb == rbtdb);
+
+	RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write);
+
+	REQUIRE((rbtdb->attributes & RBTDB_ATTR_LOADING) != 0);
+	REQUIRE((rbtdb->attributes & RBTDB_ATTR_LOADED) == 0);
+
+	rbtdb->attributes &= ~RBTDB_ATTR_LOADING;
+	rbtdb->attributes |= RBTDB_ATTR_LOADED;
+
+	/*
+	 * If there's a KEY rdataset at the zone origin containing a
+	 * zone key, we consider the zone secure.
+	 */
+	if (!IS_CACHE(rbtdb) && rbtdb->origin_node != NULL) {
+		dns_dbversion_t *version = rbtdb->current_version;
+		RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write);
+		iszonesecure(db, version, rbtdb->origin_node);
+	} else {
+		RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write);
+	}
+
+	callbacks->add = NULL;
+	callbacks->add_private = NULL;
+	callbacks->deserialize = NULL;
+	callbacks->deserialize_private = NULL;
+
+	isc_mem_put(rbtdb->common.mctx, loadctx, sizeof(*loadctx));
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * helper function to handle writing out the rdataset data pointed to
+ * by the void *data pointer in the dns_rbtnode
+ */
+static isc_result_t
+rbt_datawriter(FILE *rbtfile, unsigned char *data, void *arg, uint64_t *crc) {
+	rbtdb_version_t *version = (rbtdb_version_t *)arg;
+	rbtdb_serial_t serial;
+	rdatasetheader_t newheader;
+	rdatasetheader_t *header = (rdatasetheader_t *)data, *next;
+	off_t where;
+	size_t cooked, size;
+	unsigned char *p;
+	isc_result_t result = ISC_R_SUCCESS;
+	char pad[sizeof(char *)];
+	uintptr_t off;
+
+	REQUIRE(rbtfile != NULL);
+	REQUIRE(data != NULL);
+	REQUIRE(version != NULL);
+
+	serial = version->serial;
+
+	for (; header != NULL; header = next) {
+		next = header->next;
+		do {
+			if (header->serial <= serial && !IGNORE(header)) {
+				if (NONEXISTENT(header)) {
+					header = NULL;
+				}
+				break;
+			} else {
+				header = header->down;
+			}
+		} while (header != NULL);
+
+		if (header == NULL) {
+			continue;
+		}
+
+		CHECK(isc_stdio_tell(rbtfile, &where));
+		size = dns_rdataslab_size((unsigned char *)header,
+					  sizeof(rdatasetheader_t));
+
+		p = (unsigned char *)header;
+		memmove(&newheader, p, sizeof(rdatasetheader_t));
+		newheader.down = NULL;
+		newheader.next = NULL;
+		off = where;
+		if ((off_t)off != where) {
+			return (ISC_R_RANGE);
+		}
+		newheader.node = (dns_rbtnode_t *)off;
+		newheader.node_is_relative = 1;
+		newheader.serial = 1;
+
+		/*
+		 * Round size up to the next pointer sized offset so it
+		 * will be properly aligned when read back in.
+		 */
+		cooked = dns_rbt_serialize_align(size);
+		if (next != NULL) {
+			newheader.next = (rdatasetheader_t *)(off + cooked);
+			newheader.next_is_relative = 1;
+		}
+
+#ifdef DEBUG
+		hexdump("writing header", (unsigned char *)&newheader,
+			sizeof(rdatasetheader_t));
+		hexdump("writing slab", p + sizeof(rdatasetheader_t),
+			size - sizeof(rdatasetheader_t));
+#endif /* ifdef DEBUG */
+		isc_crc64_update(crc, (unsigned char *)&newheader,
+				 sizeof(rdatasetheader_t));
+		CHECK(isc_stdio_write(&newheader, sizeof(rdatasetheader_t), 1,
+				      rbtfile, NULL));
+
+		isc_crc64_update(crc, p + sizeof(rdatasetheader_t),
+				 size - sizeof(rdatasetheader_t));
+		CHECK(isc_stdio_write(p + sizeof(rdatasetheader_t),
+				      size - sizeof(rdatasetheader_t), 1,
+				      rbtfile, NULL));
+		/*
+		 * Pad to force alignment.
+		 */
+		if (size != (size_t)cooked) {
+			memset(pad, 0, sizeof(pad));
+			CHECK(isc_stdio_write(pad, cooked - size, 1, rbtfile,
+					      NULL));
+		}
+	}
+
+failure:
+	return (result);
+}
+
+/*
+ * Write out a zeroed header as a placeholder.  Doing this ensures
+ * that the file will not read while it is partially written, should
+ * writing fail or be interrupted.
+ */
+static isc_result_t
+rbtdb_zero_header(FILE *rbtfile) {
+	char buffer[RBTDB_HEADER_LENGTH];
+	isc_result_t result;
+
+	memset(buffer, 0, RBTDB_HEADER_LENGTH);
+	result = isc_stdio_write(buffer, 1, RBTDB_HEADER_LENGTH, rbtfile, NULL);
+	fflush(rbtfile);
+
+	return (result);
+}
+
+static isc_once_t once = ISC_ONCE_INIT;
+
+static void
+init_file_version(void) {
+	int n;
+
+	memset(FILE_VERSION, 0, sizeof(FILE_VERSION));
+	n = snprintf(FILE_VERSION, sizeof(FILE_VERSION), "RBTDB Image %s %s",
+		     dns_major, dns_mapapi);
+	INSIST(n > 0 && (unsigned int)n < sizeof(FILE_VERSION));
+}
+
+/*
+ * Write the file header out, recording the locations of the three
+ * RBT's used in the rbtdb: tree, nsec, and nsec3, and including NodeDump
+ * version information and any information stored in the rbtdb object
+ * itself that should be stored here.
+ */
+static isc_result_t
+rbtdb_write_header(FILE *rbtfile, off_t tree_location, off_t nsec_location,
+		   off_t nsec3_location) {
+	rbtdb_file_header_t header;
+	isc_result_t result;
+
+	RUNTIME_CHECK(isc_once_do(&once, init_file_version) == ISC_R_SUCCESS);
+
+	memset(&header, 0, sizeof(rbtdb_file_header_t));
+	memmove(header.version1, FILE_VERSION, sizeof(header.version1));
+	memmove(header.version2, FILE_VERSION, sizeof(header.version2));
+	header.ptrsize = (uint32_t)sizeof(void *);
+	header.bigendian = (1 == htonl(1)) ? 1 : 0;
+	header.tree = (uint64_t)tree_location;
+	header.nsec = (uint64_t)nsec_location;
+	header.nsec3 = (uint64_t)nsec3_location;
+	result = isc_stdio_write(&header, 1, sizeof(rbtdb_file_header_t),
+				 rbtfile, NULL);
+	fflush(rbtfile);
+
+	return (result);
+}
+
+static bool
+match_header_version(rbtdb_file_header_t *header) {
+	RUNTIME_CHECK(isc_once_do(&once, init_file_version) == ISC_R_SUCCESS);
+
+	if (memcmp(header->version1, FILE_VERSION, sizeof(header->version1)) !=
+		    0 ||
+	    memcmp(header->version2, FILE_VERSION, sizeof(header->version1)) !=
+		    0)
+	{
+		return (false);
+	}
+
+	return (true);
+}
+
+static isc_result_t
+serialize(dns_db_t *db, dns_dbversion_t *ver, FILE *rbtfile) {
+	rbtdb_version_t *version = (rbtdb_version_t *)ver;
+	dns_rbtdb_t *rbtdb;
+	isc_result_t result;
+	off_t tree_location, nsec_location, nsec3_location, header_location;
+
+	rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	REQUIRE(rbtfile != NULL);
+
+	/* Ensure we're writing to a plain file */
+	CHECK(isc_file_isplainfilefd(fileno(rbtfile)));
+
+	/*
+	 * first, write out a zeroed header to store rbtdb information
+	 *
+	 * then for each of the three trees, store the current position
+	 * in the file and call dns_rbt_serialize_tree
+	 *
+	 * finally, write out the rbtdb header, storing the locations of the
+	 * rbtheaders
+	 *
+	 * NOTE: need to do something better with the return codes, &= will
+	 * not work.
+	 */
+	CHECK(isc_stdio_tell(rbtfile, &header_location));
+	CHECK(rbtdb_zero_header(rbtfile));
+	CHECK(dns_rbt_serialize_tree(rbtfile, rbtdb->tree, rbt_datawriter,
+				     version, &tree_location));
+	CHECK(dns_rbt_serialize_tree(rbtfile, rbtdb->nsec, rbt_datawriter,
+				     version, &nsec_location));
+	CHECK(dns_rbt_serialize_tree(rbtfile, rbtdb->nsec3, rbt_datawriter,
+				     version, &nsec3_location));
+
+	CHECK(isc_stdio_seek(rbtfile, header_location, SEEK_SET));
+	CHECK(rbtdb_write_header(rbtfile, tree_location, nsec_location,
+				 nsec3_location));
+failure:
+	return (result);
+}
+
+static isc_result_t
+dump(dns_db_t *db, dns_dbversion_t *version, const char *filename,
+     dns_masterformat_t masterformat) {
+	dns_rbtdb_t *rbtdb;
+	rbtdb_version_t *rbtversion = version;
+
+	rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	INSIST(rbtversion == NULL || rbtversion->rbtdb == rbtdb);
+
+	return (dns_master_dump(rbtdb->common.mctx, db, version,
+				&dns_master_style_default, filename,
+				masterformat, NULL));
+}
+
+static void
+delete_callback(void *data, void *arg) {
+	dns_rbtdb_t *rbtdb = arg;
+	rdatasetheader_t *current, *next;
+	unsigned int locknum;
+
+	current = data;
+	locknum = current->node->locknum;
+	NODE_LOCK(&rbtdb->node_locks[locknum].lock, isc_rwlocktype_write);
+	while (current != NULL) {
+		next = current->next;
+		free_rdataset(rbtdb, rbtdb->common.mctx, current);
+		current = next;
+	}
+	NODE_UNLOCK(&rbtdb->node_locks[locknum].lock, isc_rwlocktype_write);
+}
+
+static bool
+issecure(dns_db_t *db) {
+	dns_rbtdb_t *rbtdb;
+	bool secure;
+
+	rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+
+	RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_read);
+	secure = (rbtdb->current_version->secure == dns_db_secure);
+	RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_read);
+
+	return (secure);
+}
+
+static bool
+isdnssec(dns_db_t *db) {
+	dns_rbtdb_t *rbtdb;
+	bool dnssec;
+
+	rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+
+	RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_read);
+	dnssec = (rbtdb->current_version->secure != dns_db_insecure);
+	RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_read);
+
+	return (dnssec);
+}
+
+static unsigned int
+nodecount(dns_db_t *db) {
+	dns_rbtdb_t *rbtdb;
+	unsigned int count;
+
+	rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+
+	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+	count = dns_rbt_nodecount(rbtdb->tree);
+	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+
+	return (count);
+}
+
+static size_t
+hashsize(dns_db_t *db) {
+	dns_rbtdb_t *rbtdb;
+	size_t size;
+
+	rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+
+	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+	size = dns_rbt_hashsize(rbtdb->tree);
+	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+
+	return (size);
+}
+
+static isc_result_t
+adjusthashsize(dns_db_t *db, size_t size) {
+	isc_result_t result;
+	dns_rbtdb_t *rbtdb;
+
+	rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+
+	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+	result = dns_rbt_adjusthashsize(rbtdb->tree, size);
+	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+
+	return (result);
+}
+
+static void
+settask(dns_db_t *db, isc_task_t *task) {
+	dns_rbtdb_t *rbtdb;
+
+	rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+
+	RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write);
+	if (rbtdb->task != NULL) {
+		isc_task_detach(&rbtdb->task);
+	}
+	if (task != NULL) {
+		isc_task_attach(task, &rbtdb->task);
+	}
+	RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write);
+}
+
+static bool
+ispersistent(dns_db_t *db) {
+	UNUSED(db);
+	return (false);
+}
+
+static isc_result_t
+getoriginnode(dns_db_t *db, dns_dbnode_t **nodep) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	dns_rbtnode_t *onode;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	REQUIRE(nodep != NULL && *nodep == NULL);
+
+	/* Note that the access to origin_node doesn't require a DB lock */
+	onode = (dns_rbtnode_t *)rbtdb->origin_node;
+	if (onode != NULL) {
+		new_reference(rbtdb, onode, isc_rwlocktype_none);
+		*nodep = rbtdb->origin_node;
+	} else {
+		INSIST(IS_CACHE(rbtdb));
+		result = ISC_R_NOTFOUND;
+	}
+
+	return (result);
+}
+
+static isc_result_t
+getnsec3parameters(dns_db_t *db, dns_dbversion_t *version, dns_hash_t *hash,
+		   uint8_t *flags, uint16_t *iterations, unsigned char *salt,
+		   size_t *salt_length) {
+	dns_rbtdb_t *rbtdb;
+	isc_result_t result = ISC_R_NOTFOUND;
+	rbtdb_version_t *rbtversion = version;
+
+	rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	INSIST(rbtversion == NULL || rbtversion->rbtdb == rbtdb);
+
+	RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_read);
+	if (rbtversion == NULL) {
+		rbtversion = rbtdb->current_version;
+	}
+
+	if (rbtversion->havensec3) {
+		if (hash != NULL) {
+			*hash = rbtversion->hash;
+		}
+		if (salt != NULL && salt_length != NULL) {
+			REQUIRE(*salt_length >= rbtversion->salt_length);
+			memmove(salt, rbtversion->salt,
+				rbtversion->salt_length);
+		}
+		if (salt_length != NULL) {
+			*salt_length = rbtversion->salt_length;
+		}
+		if (iterations != NULL) {
+			*iterations = rbtversion->iterations;
+		}
+		if (flags != NULL) {
+			*flags = rbtversion->flags;
+		}
+		result = ISC_R_SUCCESS;
+	}
+	RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_read);
+
+	return (result);
+}
+
+static isc_result_t
+getsize(dns_db_t *db, dns_dbversion_t *version, uint64_t *records,
+	uint64_t *xfrsize) {
+	dns_rbtdb_t *rbtdb;
+	isc_result_t result = ISC_R_SUCCESS;
+	rbtdb_version_t *rbtversion = version;
+
+	rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	INSIST(rbtversion == NULL || rbtversion->rbtdb == rbtdb);
+
+	RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_read);
+	if (rbtversion == NULL) {
+		rbtversion = rbtdb->current_version;
+	}
+
+	RWLOCK(&rbtversion->rwlock, isc_rwlocktype_read);
+	if (records != NULL) {
+		*records = rbtversion->records;
+	}
+
+	if (xfrsize != NULL) {
+		*xfrsize = rbtversion->xfrsize;
+	}
+	RWUNLOCK(&rbtversion->rwlock, isc_rwlocktype_read);
+	RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_read);
+
+	return (result);
+}
+
+static isc_result_t
+setsigningtime(dns_db_t *db, dns_rdataset_t *rdataset, isc_stdtime_t resign) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	rdatasetheader_t *header, oldheader;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	REQUIRE(!IS_CACHE(rbtdb));
+	REQUIRE(rdataset != NULL);
+
+	header = rdataset->private3;
+	header--;
+
+	NODE_LOCK(&rbtdb->node_locks[header->node->locknum].lock,
+		  isc_rwlocktype_write);
+
+	oldheader = *header;
+	/*
+	 * Only break the heap invariant (by adjusting resign and resign_lsb)
+	 * if we are going to be restoring it by calling isc_heap_increased
+	 * or isc_heap_decreased.
+	 */
+	if (resign != 0) {
+		header->resign = (isc_stdtime_t)(dns_time64_from32(resign) >>
+						 1);
+		header->resign_lsb = resign & 0x1;
+	}
+	if (header->heap_index != 0) {
+		INSIST(RESIGN(header));
+		if (resign == 0) {
+			isc_heap_delete(rbtdb->heaps[header->node->locknum],
+					header->heap_index);
+			header->heap_index = 0;
+		} else if (resign_sooner(header, &oldheader)) {
+			isc_heap_increased(rbtdb->heaps[header->node->locknum],
+					   header->heap_index);
+		} else if (resign_sooner(&oldheader, header)) {
+			isc_heap_decreased(rbtdb->heaps[header->node->locknum],
+					   header->heap_index);
+		}
+	} else if (resign != 0) {
+		RDATASET_ATTR_SET(header, RDATASET_ATTR_RESIGN);
+		resign_insert(rbtdb, header->node->locknum, header);
+	}
+	NODE_UNLOCK(&rbtdb->node_locks[header->node->locknum].lock,
+		    isc_rwlocktype_write);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+getsigningtime(dns_db_t *db, dns_rdataset_t *rdataset, dns_name_t *foundname) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	rdatasetheader_t *header = NULL, *this;
+	unsigned int i;
+	isc_result_t result = ISC_R_NOTFOUND;
+	unsigned int locknum = 0;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+
+	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+
+	for (i = 0; i < rbtdb->node_lock_count; i++) {
+		NODE_LOCK(&rbtdb->node_locks[i].lock, isc_rwlocktype_read);
+
+		/*
+		 * Find for the earliest signing time among all of the
+		 * heaps, each of which is covered by a different bucket
+		 * lock.
+		 */
+		this = isc_heap_element(rbtdb->heaps[i], 1);
+		if (this == NULL) {
+			/* Nothing found; unlock and try the next heap. */
+			NODE_UNLOCK(&rbtdb->node_locks[i].lock,
+				    isc_rwlocktype_read);
+			continue;
+		}
+
+		if (header == NULL) {
+			/*
+			 * Found a signing time: retain the bucket lock and
+			 * preserve the lock number so we can unlock it
+			 * later.
+			 */
+			header = this;
+			locknum = i;
+		} else if (resign_sooner(this, header)) {
+			/*
+			 * Found an earlier signing time; release the
+			 * previous bucket lock and retain this one instead.
+			 */
+			NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
+				    isc_rwlocktype_read);
+			header = this;
+			locknum = i;
+		} else {
+			/*
+			 * Earliest signing time in this heap isn't
+			 * an improvement; unlock and try the next heap.
+			 */
+			NODE_UNLOCK(&rbtdb->node_locks[i].lock,
+				    isc_rwlocktype_read);
+		}
+	}
+
+	if (header != NULL) {
+		/*
+		 * Found something; pass back the answer and unlock
+		 * the bucket.
+		 */
+		bind_rdataset(rbtdb, header->node, header, 0,
+			      isc_rwlocktype_read, rdataset);
+
+		if (foundname != NULL) {
+			dns_rbt_fullnamefromnode(header->node, foundname);
+		}
+
+		NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
+			    isc_rwlocktype_read);
+
+		result = ISC_R_SUCCESS;
+	}
+
+	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+
+	return (result);
+}
+
+static void
+resigned(dns_db_t *db, dns_rdataset_t *rdataset, dns_dbversion_t *version) {
+	rbtdb_version_t *rbtversion = (rbtdb_version_t *)version;
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	dns_rbtnode_t *node;
+	rdatasetheader_t *header;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	REQUIRE(rdataset != NULL);
+	REQUIRE(rdataset->methods == &rdataset_methods);
+	REQUIRE(rbtdb->future_version == rbtversion);
+	REQUIRE(rbtversion != NULL);
+	REQUIRE(rbtversion->writer);
+	REQUIRE(rbtversion->rbtdb == rbtdb);
+
+	node = rdataset->private2;
+	INSIST(node != NULL);
+	header = rdataset->private3;
+	INSIST(header != NULL);
+	header--;
+
+	if (header->heap_index == 0) {
+		return;
+	}
+
+	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+	NODE_LOCK(&rbtdb->node_locks[node->locknum].lock, isc_rwlocktype_write);
+	/*
+	 * Delete from heap and save to re-signed list so that it can
+	 * be restored if we backout of this change.
+	 */
+	resign_delete(rbtdb, rbtversion, header);
+	NODE_UNLOCK(&rbtdb->node_locks[node->locknum].lock,
+		    isc_rwlocktype_write);
+	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+}
+
+static isc_result_t
+setcachestats(dns_db_t *db, isc_stats_t *stats) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	REQUIRE(IS_CACHE(rbtdb)); /* current restriction */
+	REQUIRE(stats != NULL);
+
+	isc_stats_attach(stats, &rbtdb->cachestats);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+setgluecachestats(dns_db_t *db, isc_stats_t *stats) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	REQUIRE(!IS_CACHE(rbtdb) && !IS_STUB(rbtdb));
+	REQUIRE(stats != NULL);
+
+	isc_stats_attach(stats, &rbtdb->gluecachestats);
+	return (ISC_R_SUCCESS);
+}
+
+static dns_stats_t *
+getrrsetstats(dns_db_t *db) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	REQUIRE(IS_CACHE(rbtdb)); /* current restriction */
+
+	return (rbtdb->rrsetstats);
+}
+
+static isc_result_t
+nodefullname(dns_db_t *db, dns_dbnode_t *node, dns_name_t *name) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node;
+	isc_result_t result;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	REQUIRE(node != NULL);
+	REQUIRE(name != NULL);
+
+	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+	result = dns_rbt_fullnamefromnode(rbtnode, name);
+	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+
+	return (result);
+}
+
+static isc_result_t
+setservestalettl(dns_db_t *db, dns_ttl_t ttl) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	REQUIRE(IS_CACHE(rbtdb));
+
+	/* currently no bounds checking.  0 means disable. */
+	rbtdb->serve_stale_ttl = ttl;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+getservestalettl(dns_db_t *db, dns_ttl_t *ttl) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	REQUIRE(IS_CACHE(rbtdb));
+
+	*ttl = rbtdb->serve_stale_ttl;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+setservestalerefresh(dns_db_t *db, uint32_t interval) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	REQUIRE(IS_CACHE(rbtdb));
+
+	/* currently no bounds checking.  0 means disable. */
+	rbtdb->serve_stale_refresh = interval;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+getservestalerefresh(dns_db_t *db, uint32_t *interval) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	REQUIRE(IS_CACHE(rbtdb));
+
+	*interval = rbtdb->serve_stale_refresh;
+	return (ISC_R_SUCCESS);
+}
+
+static dns_dbmethods_t zone_methods = { attach,
+					detach,
+					beginload,
+					endload,
+					serialize,
+					dump,
+					currentversion,
+					newversion,
+					attachversion,
+					closeversion,
+					findnode,
+					zone_find,
+					zone_findzonecut,
+					attachnode,
+					detachnode,
+					expirenode,
+					printnode,
+					createiterator,
+					zone_findrdataset,
+					allrdatasets,
+					addrdataset,
+					subtractrdataset,
+					deleterdataset,
+					issecure,
+					nodecount,
+					ispersistent,
+					overmem,
+					settask,
+					getoriginnode,
+					NULL, /* transfernode */
+					getnsec3parameters,
+					findnsec3node,
+					setsigningtime,
+					getsigningtime,
+					resigned,
+					isdnssec,
+					NULL, /* getrrsetstats */
+					NULL, /* rpz_attach */
+					NULL, /* rpz_ready */
+					NULL, /* findnodeext */
+					NULL, /* findext */
+					NULL, /* setcachestats */
+					hashsize,
+					nodefullname,
+					getsize,
+					NULL, /* setservestalettl */
+					NULL, /* getservestalettl */
+					NULL, /* setservestalerefresh */
+					NULL, /* getservestalerefresh */
+					setgluecachestats,
+					adjusthashsize };
+
+static dns_dbmethods_t cache_methods = { attach,
+					 detach,
+					 beginload,
+					 endload,
+					 NULL, /* serialize */
+					 dump,
+					 currentversion,
+					 newversion,
+					 attachversion,
+					 closeversion,
+					 findnode,
+					 cache_find,
+					 cache_findzonecut,
+					 attachnode,
+					 detachnode,
+					 expirenode,
+					 printnode,
+					 createiterator,
+					 cache_findrdataset,
+					 allrdatasets,
+					 addrdataset,
+					 subtractrdataset,
+					 deleterdataset,
+					 issecure,
+					 nodecount,
+					 ispersistent,
+					 overmem,
+					 settask,
+					 getoriginnode,
+					 NULL, /* transfernode */
+					 NULL, /* getnsec3parameters */
+					 NULL, /* findnsec3node */
+					 NULL, /* setsigningtime */
+					 NULL, /* getsigningtime */
+					 NULL, /* resigned */
+					 isdnssec,
+					 getrrsetstats,
+					 NULL, /* rpz_attach */
+					 NULL, /* rpz_ready */
+					 NULL, /* findnodeext */
+					 NULL, /* findext */
+					 setcachestats,
+					 hashsize,
+					 nodefullname,
+					 NULL, /* getsize */
+					 setservestalettl,
+					 getservestalettl,
+					 setservestalerefresh,
+					 getservestalerefresh,
+					 NULL,
+					 adjusthashsize };
+
+isc_result_t
+dns_rbtdb_create(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type,
+		 dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
+		 void *driverarg, dns_db_t **dbp) {
+	dns_rbtdb_t *rbtdb;
+	isc_result_t result;
+	int i;
+	dns_name_t name;
+	bool (*sooner)(void *, void *);
+	isc_mem_t *hmctx = mctx;
+
+	/* Keep the compiler happy. */
+	UNUSED(driverarg);
+
+	rbtdb = isc_mem_get(mctx, sizeof(*rbtdb));
+
+	/*
+	 * If argv[0] exists, it points to a memory context to use for heap
+	 */
+	if (argc != 0) {
+		hmctx = (isc_mem_t *)argv[0];
+	}
+
+	memset(rbtdb, '\0', sizeof(*rbtdb));
+	dns_name_init(&rbtdb->common.origin, NULL);
+	rbtdb->common.attributes = 0;
+	if (type == dns_dbtype_cache) {
+		rbtdb->common.methods = &cache_methods;
+		rbtdb->common.attributes |= DNS_DBATTR_CACHE;
+	} else if (type == dns_dbtype_stub) {
+		rbtdb->common.methods = &zone_methods;
+		rbtdb->common.attributes |= DNS_DBATTR_STUB;
+	} else {
+		rbtdb->common.methods = &zone_methods;
+	}
+	rbtdb->common.rdclass = rdclass;
+	rbtdb->common.mctx = NULL;
+
+	ISC_LIST_INIT(rbtdb->common.update_listeners);
+
+	RBTDB_INITLOCK(&rbtdb->lock);
+
+	isc_rwlock_init(&rbtdb->tree_lock, 0, 0);
+
+	/*
+	 * Initialize node_lock_count in a generic way to support future
+	 * extension which allows the user to specify this value on creation.
+	 * Note that when specified for a cache DB it must be larger than 1
+	 * as commented with the definition of DEFAULT_CACHE_NODE_LOCK_COUNT.
+	 */
+	if (rbtdb->node_lock_count == 0) {
+		if (IS_CACHE(rbtdb)) {
+			rbtdb->node_lock_count = DEFAULT_CACHE_NODE_LOCK_COUNT;
+		} else {
+			rbtdb->node_lock_count = DEFAULT_NODE_LOCK_COUNT;
+		}
+	} else if (rbtdb->node_lock_count < 2 && IS_CACHE(rbtdb)) {
+		result = ISC_R_RANGE;
+		goto cleanup_tree_lock;
+	}
+	INSIST(rbtdb->node_lock_count < (1 << DNS_RBT_LOCKLENGTH));
+	rbtdb->node_locks = isc_mem_get(mctx, rbtdb->node_lock_count *
+						      sizeof(rbtdb_nodelock_t));
+
+	rbtdb->cachestats = NULL;
+	rbtdb->gluecachestats = NULL;
+
+	rbtdb->rrsetstats = NULL;
+	if (IS_CACHE(rbtdb)) {
+		result = dns_rdatasetstats_create(mctx, &rbtdb->rrsetstats);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup_node_locks;
+		}
+		rbtdb->rdatasets = isc_mem_get(
+			mctx,
+			rbtdb->node_lock_count * sizeof(rdatasetheaderlist_t));
+		for (i = 0; i < (int)rbtdb->node_lock_count; i++) {
+			ISC_LIST_INIT(rbtdb->rdatasets[i]);
+		}
+	} else {
+		rbtdb->rdatasets = NULL;
+	}
+
+	/*
+	 * Create the heaps.
+	 */
+	rbtdb->heaps = isc_mem_get(hmctx, rbtdb->node_lock_count *
+						  sizeof(isc_heap_t *));
+	for (i = 0; i < (int)rbtdb->node_lock_count; i++) {
+		rbtdb->heaps[i] = NULL;
+	}
+	sooner = IS_CACHE(rbtdb) ? ttl_sooner : resign_sooner;
+	for (i = 0; i < (int)rbtdb->node_lock_count; i++) {
+		isc_heap_create(hmctx, sooner, set_index, 0, &rbtdb->heaps[i]);
+	}
+
+	/*
+	 * Create deadnode lists.
+	 */
+	rbtdb->deadnodes = isc_mem_get(mctx, rbtdb->node_lock_count *
+						     sizeof(rbtnodelist_t));
+	for (i = 0; i < (int)rbtdb->node_lock_count; i++) {
+		ISC_LIST_INIT(rbtdb->deadnodes[i]);
+	}
+
+	rbtdb->active = rbtdb->node_lock_count;
+
+	for (i = 0; i < (int)(rbtdb->node_lock_count); i++) {
+		NODE_INITLOCK(&rbtdb->node_locks[i].lock);
+		isc_refcount_init(&rbtdb->node_locks[i].references, 0);
+		rbtdb->node_locks[i].exiting = false;
+	}
+
+	/*
+	 * Attach to the mctx.  The database will persist so long as there
+	 * are references to it, and attaching to the mctx ensures that our
+	 * mctx won't disappear out from under us.
+	 */
+	isc_mem_attach(mctx, &rbtdb->common.mctx);
+	isc_mem_attach(hmctx, &rbtdb->hmctx);
+
+	/*
+	 * Make a copy of the origin name.
+	 */
+	result = dns_name_dupwithoffsets(origin, mctx, &rbtdb->common.origin);
+	if (result != ISC_R_SUCCESS) {
+		free_rbtdb(rbtdb, false, NULL);
+		return (result);
+	}
+
+	/*
+	 * Make the Red-Black Trees.
+	 */
+	result = dns_rbt_create(mctx, delete_callback, rbtdb, &rbtdb->tree);
+	if (result != ISC_R_SUCCESS) {
+		free_rbtdb(rbtdb, false, NULL);
+		return (result);
+	}
+
+	result = dns_rbt_create(mctx, delete_callback, rbtdb, &rbtdb->nsec);
+	if (result != ISC_R_SUCCESS) {
+		free_rbtdb(rbtdb, false, NULL);
+		return (result);
+	}
+
+	result = dns_rbt_create(mctx, delete_callback, rbtdb, &rbtdb->nsec3);
+	if (result != ISC_R_SUCCESS) {
+		free_rbtdb(rbtdb, false, NULL);
+		return (result);
+	}
+
+	/*
+	 * In order to set the node callback bit correctly in zone databases,
+	 * we need to know if the node has the origin name of the zone.
+	 * In loading_addrdataset() we could simply compare the new name
+	 * to the origin name, but this is expensive.  Also, we don't know the
+	 * node name in addrdataset(), so we need another way of knowing the
+	 * zone's top.
+	 *
+	 * We now explicitly create a node for the zone's origin, and then
+	 * we simply remember the node's address.  This is safe, because
+	 * the top-of-zone node can never be deleted, nor can its address
+	 * change.
+	 */
+	if (!IS_CACHE(rbtdb)) {
+		rbtdb->origin_node = NULL;
+		result = dns_rbt_addnode(rbtdb->tree, &rbtdb->common.origin,
+					 &rbtdb->origin_node);
+		if (result != ISC_R_SUCCESS) {
+			INSIST(result != ISC_R_EXISTS);
+			free_rbtdb(rbtdb, false, NULL);
+			return (result);
+		}
+		INSIST(rbtdb->origin_node != NULL);
+		rbtdb->origin_node->nsec = DNS_RBT_NSEC_NORMAL;
+		/*
+		 * We need to give the origin node the right locknum.
+		 */
+		dns_name_init(&name, NULL);
+		dns_rbt_namefromnode(rbtdb->origin_node, &name);
+		rbtdb->origin_node->locknum = rbtdb->origin_node->hashval %
+					      rbtdb->node_lock_count;
+		/*
+		 * Add an apex node to the NSEC3 tree so that NSEC3 searches
+		 * return partial matches when there is only a single NSEC3
+		 * record in the tree.
+		 */
+		rbtdb->nsec3_origin_node = NULL;
+		result = dns_rbt_addnode(rbtdb->nsec3, &rbtdb->common.origin,
+					 &rbtdb->nsec3_origin_node);
+		if (result != ISC_R_SUCCESS) {
+			INSIST(result != ISC_R_EXISTS);
+			free_rbtdb(rbtdb, false, NULL);
+			return (result);
+		}
+		rbtdb->nsec3_origin_node->nsec = DNS_RBT_NSEC_NSEC3;
+		/*
+		 * We need to give the nsec3 origin node the right locknum.
+		 */
+		dns_name_init(&name, NULL);
+		dns_rbt_namefromnode(rbtdb->nsec3_origin_node, &name);
+		rbtdb->nsec3_origin_node->locknum =
+			rbtdb->nsec3_origin_node->hashval %
+			rbtdb->node_lock_count;
+	}
+
+	/*
+	 * Misc. Initialization.
+	 */
+	isc_refcount_init(&rbtdb->references, 1);
+	rbtdb->attributes = 0;
+	rbtdb->task = NULL;
+	rbtdb->serve_stale_ttl = 0;
+
+	/*
+	 * Version Initialization.
+	 */
+	rbtdb->current_serial = 1;
+	rbtdb->least_serial = 1;
+	rbtdb->next_serial = 2;
+	rbtdb->current_version = allocate_version(mctx, 1, 1, false);
+	rbtdb->current_version->rbtdb = rbtdb;
+	rbtdb->current_version->secure = dns_db_insecure;
+	rbtdb->current_version->havensec3 = false;
+	rbtdb->current_version->flags = 0;
+	rbtdb->current_version->iterations = 0;
+	rbtdb->current_version->hash = 0;
+	rbtdb->current_version->salt_length = 0;
+	memset(rbtdb->current_version->salt, 0,
+	       sizeof(rbtdb->current_version->salt));
+	isc_rwlock_init(&rbtdb->current_version->rwlock, 0, 0);
+	rbtdb->current_version->records = 0;
+	rbtdb->current_version->xfrsize = 0;
+	rbtdb->future_version = NULL;
+	ISC_LIST_INIT(rbtdb->open_versions);
+	/*
+	 * Keep the current version in the open list so that list operation
+	 * won't happen in normal lookup operations.
+	 */
+	PREPEND(rbtdb->open_versions, rbtdb->current_version, link);
+
+	rbtdb->common.magic = DNS_DB_MAGIC;
+	rbtdb->common.impmagic = RBTDB_MAGIC;
+
+	*dbp = (dns_db_t *)rbtdb;
+
+	return (ISC_R_SUCCESS);
+
+cleanup_node_locks:
+	isc_mem_put(mctx, rbtdb->node_locks,
+		    rbtdb->node_lock_count * sizeof(rbtdb_nodelock_t));
+
+cleanup_tree_lock:
+	isc_rwlock_destroy(&rbtdb->tree_lock);
+	RBTDB_DESTROYLOCK(&rbtdb->lock);
+	isc_mem_put(mctx, rbtdb, sizeof(*rbtdb));
+	return (result);
+}
+
+/*
+ * Slabbed Rdataset Methods
+ */
+
+static void
+rdataset_disassociate(dns_rdataset_t *rdataset) {
+	dns_db_t *db = rdataset->private1;
+	dns_dbnode_t *node = rdataset->private2;
+
+	detachnode(db, &node);
+}
+
+static isc_result_t
+rdataset_first(dns_rdataset_t *rdataset) {
+	unsigned char *raw = rdataset->private3; /* RDATASLAB */
+	unsigned int count;
+
+	count = raw[0] * 256 + raw[1];
+	if (count == 0) {
+		rdataset->private5 = NULL;
+		return (ISC_R_NOMORE);
+	}
+
+	if ((rdataset->attributes & DNS_RDATASETATTR_LOADORDER) == 0) {
+		raw += DNS_RDATASET_COUNT;
+	}
+
+	raw += DNS_RDATASET_LENGTH;
+
+	/*
+	 * The privateuint4 field is the number of rdata beyond the
+	 * cursor position, so we decrement the total count by one
+	 * before storing it.
+	 *
+	 * If DNS_RDATASETATTR_LOADORDER is not set 'raw' points to the
+	 * first record.  If DNS_RDATASETATTR_LOADORDER is set 'raw' points
+	 * to the first entry in the offset table.
+	 */
+	count--;
+	rdataset->privateuint4 = count;
+	rdataset->private5 = raw;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+rdataset_next(dns_rdataset_t *rdataset) {
+	unsigned int count;
+	unsigned int length;
+	unsigned char *raw; /* RDATASLAB */
+
+	count = rdataset->privateuint4;
+	if (count == 0) {
+		return (ISC_R_NOMORE);
+	}
+	count--;
+	rdataset->privateuint4 = count;
+
+	/*
+	 * Skip forward one record (length + 4) or one offset (4).
+	 */
+	raw = rdataset->private5;
+#if DNS_RDATASET_FIXED
+	if ((rdataset->attributes & DNS_RDATASETATTR_LOADORDER) == 0)
+#endif /* DNS_RDATASET_FIXED */
+	{
+		length = raw[0] * 256 + raw[1];
+		raw += length;
+	}
+
+	rdataset->private5 = raw + DNS_RDATASET_ORDER + DNS_RDATASET_LENGTH;
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
+	unsigned char *raw = rdataset->private5; /* RDATASLAB */
+	unsigned int length;
+	isc_region_t r;
+	unsigned int flags = 0;
+
+	REQUIRE(raw != NULL);
+
+	/*
+	 * Find the start of the record if not already in private5
+	 * then skip the length and order fields.
+	 */
+#if DNS_RDATASET_FIXED
+	if ((rdataset->attributes & DNS_RDATASETATTR_LOADORDER) != 0) {
+		unsigned int offset;
+		offset = ((unsigned int)raw[0] << 24) +
+			 ((unsigned int)raw[1] << 16) +
+			 ((unsigned int)raw[2] << 8) + (unsigned int)raw[3];
+		raw = rdataset->private3;
+		raw += offset;
+	}
+#endif /* if DNS_RDATASET_FIXED */
+
+	length = raw[0] * 256 + raw[1];
+
+	raw += DNS_RDATASET_ORDER + DNS_RDATASET_LENGTH;
+
+	if (rdataset->type == dns_rdatatype_rrsig) {
+		if (*raw & DNS_RDATASLAB_OFFLINE) {
+			flags |= DNS_RDATA_OFFLINE;
+		}
+		length--;
+		raw++;
+	}
+	r.length = length;
+	r.base = raw;
+	dns_rdata_fromregion(rdata, rdataset->rdclass, rdataset->type, &r);
+	rdata->flags |= flags;
+}
+
+static void
+rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
+	dns_db_t *db = source->private1;
+	dns_dbnode_t *node = source->private2;
+	dns_dbnode_t *cloned_node = NULL;
+
+	attachnode(db, node, &cloned_node);
+	INSIST(!ISC_LINK_LINKED(target, link));
+	*target = *source;
+	ISC_LINK_INIT(target, link);
+
+	/*
+	 * Reset iterator state.
+	 */
+	target->privateuint4 = 0;
+	target->private5 = NULL;
+}
+
+static unsigned int
+rdataset_count(dns_rdataset_t *rdataset) {
+	unsigned char *raw = rdataset->private3; /* RDATASLAB */
+	unsigned int count;
+
+	count = raw[0] * 256 + raw[1];
+
+	return (count);
+}
+
+static isc_result_t
+rdataset_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
+		    dns_rdataset_t *nsec, dns_rdataset_t *nsecsig) {
+	dns_db_t *db = rdataset->private1;
+	dns_dbnode_t *node = rdataset->private2;
+	dns_dbnode_t *cloned_node;
+	const struct noqname *noqname = rdataset->private6;
+
+	cloned_node = NULL;
+	attachnode(db, node, &cloned_node);
+	nsec->methods = &slab_methods;
+	nsec->rdclass = db->rdclass;
+	nsec->type = noqname->type;
+	nsec->covers = 0;
+	nsec->ttl = rdataset->ttl;
+	nsec->trust = rdataset->trust;
+	nsec->private1 = rdataset->private1;
+	nsec->private2 = rdataset->private2;
+	nsec->private3 = noqname->neg;
+	nsec->privateuint4 = 0;
+	nsec->private5 = NULL;
+	nsec->private6 = NULL;
+	nsec->private7 = NULL;
+
+	cloned_node = NULL;
+	attachnode(db, node, &cloned_node);
+	nsecsig->methods = &slab_methods;
+	nsecsig->rdclass = db->rdclass;
+	nsecsig->type = dns_rdatatype_rrsig;
+	nsecsig->covers = noqname->type;
+	nsecsig->ttl = rdataset->ttl;
+	nsecsig->trust = rdataset->trust;
+	nsecsig->private1 = rdataset->private1;
+	nsecsig->private2 = rdataset->private2;
+	nsecsig->private3 = noqname->negsig;
+	nsecsig->privateuint4 = 0;
+	nsecsig->private5 = NULL;
+	nsec->private6 = NULL;
+	nsec->private7 = NULL;
+
+	dns_name_clone(&noqname->name, name);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+rdataset_getclosest(dns_rdataset_t *rdataset, dns_name_t *name,
+		    dns_rdataset_t *nsec, dns_rdataset_t *nsecsig) {
+	dns_db_t *db = rdataset->private1;
+	dns_dbnode_t *node = rdataset->private2;
+	dns_dbnode_t *cloned_node;
+	const struct noqname *closest = rdataset->private7;
+
+	cloned_node = NULL;
+	attachnode(db, node, &cloned_node);
+	nsec->methods = &slab_methods;
+	nsec->rdclass = db->rdclass;
+	nsec->type = closest->type;
+	nsec->covers = 0;
+	nsec->ttl = rdataset->ttl;
+	nsec->trust = rdataset->trust;
+	nsec->private1 = rdataset->private1;
+	nsec->private2 = rdataset->private2;
+	nsec->private3 = closest->neg;
+	nsec->privateuint4 = 0;
+	nsec->private5 = NULL;
+	nsec->private6 = NULL;
+	nsec->private7 = NULL;
+
+	cloned_node = NULL;
+	attachnode(db, node, &cloned_node);
+	nsecsig->methods = &slab_methods;
+	nsecsig->rdclass = db->rdclass;
+	nsecsig->type = dns_rdatatype_rrsig;
+	nsecsig->covers = closest->type;
+	nsecsig->ttl = rdataset->ttl;
+	nsecsig->trust = rdataset->trust;
+	nsecsig->private1 = rdataset->private1;
+	nsecsig->private2 = rdataset->private2;
+	nsecsig->private3 = closest->negsig;
+	nsecsig->privateuint4 = 0;
+	nsecsig->private5 = NULL;
+	nsec->private6 = NULL;
+	nsec->private7 = NULL;
+
+	dns_name_clone(&closest->name, name);
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+rdataset_settrust(dns_rdataset_t *rdataset, dns_trust_t trust) {
+	dns_rbtdb_t *rbtdb = rdataset->private1;
+	dns_rbtnode_t *rbtnode = rdataset->private2;
+	rdatasetheader_t *header = rdataset->private3;
+
+	header--;
+	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		  isc_rwlocktype_write);
+	header->trust = rdataset->trust = trust;
+	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		    isc_rwlocktype_write);
+}
+
+static void
+rdataset_expire(dns_rdataset_t *rdataset) {
+	dns_rbtdb_t *rbtdb = rdataset->private1;
+	dns_rbtnode_t *rbtnode = rdataset->private2;
+	rdatasetheader_t *header = rdataset->private3;
+
+	header--;
+	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		  isc_rwlocktype_write);
+	expire_header(rbtdb, header, false, expire_flush);
+	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		    isc_rwlocktype_write);
+}
+
+static void
+rdataset_clearprefetch(dns_rdataset_t *rdataset) {
+	dns_rbtdb_t *rbtdb = rdataset->private1;
+	dns_rbtnode_t *rbtnode = rdataset->private2;
+	rdatasetheader_t *header = rdataset->private3;
+
+	header--;
+	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		  isc_rwlocktype_write);
+	RDATASET_ATTR_CLR(header, RDATASET_ATTR_PREFETCH);
+	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		    isc_rwlocktype_write);
+}
+
+/*
+ * Rdataset Iterator Methods
+ */
+
+static void
+rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp) {
+	rbtdb_rdatasetiter_t *rbtiterator;
+
+	rbtiterator = (rbtdb_rdatasetiter_t *)(*iteratorp);
+
+	if (rbtiterator->common.version != NULL) {
+		closeversion(rbtiterator->common.db,
+			     &rbtiterator->common.version, false);
+	}
+	detachnode(rbtiterator->common.db, &rbtiterator->common.node);
+	isc_mem_put(rbtiterator->common.db->mctx, rbtiterator,
+		    sizeof(*rbtiterator));
+
+	*iteratorp = NULL;
+}
+
+static bool
+iterator_active(dns_rbtdb_t *rbtdb, rbtdb_rdatasetiter_t *rbtiterator,
+		rdatasetheader_t *header) {
+	dns_ttl_t stale_ttl = header->rdh_ttl + rbtdb->serve_stale_ttl;
+
+	/*
+	 * Is this a "this rdataset doesn't exist" record?
+	 */
+	if (NONEXISTENT(header)) {
+		return (false);
+	}
+
+	/*
+	 * If this is a zone or this header still active then return it.
+	 */
+	if (!IS_CACHE(rbtdb) || ACTIVE(header, rbtiterator->common.now)) {
+		return (true);
+	}
+
+	/*
+	 * If we are not returning stale records or the rdataset is
+	 * too old don't return it.
+	 */
+	if (!STALEOK(rbtiterator) || (rbtiterator->common.now > stale_ttl)) {
+		return (false);
+	}
+	return (true);
+}
+
+static isc_result_t
+rdatasetiter_first(dns_rdatasetiter_t *iterator) {
+	rbtdb_rdatasetiter_t *rbtiterator = (rbtdb_rdatasetiter_t *)iterator;
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)(rbtiterator->common.db);
+	dns_rbtnode_t *rbtnode = rbtiterator->common.node;
+	rbtdb_version_t *rbtversion = rbtiterator->common.version;
+	rdatasetheader_t *header, *top_next;
+	rbtdb_serial_t serial = IS_CACHE(rbtdb) ? 1 : rbtversion->serial;
+
+	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		  isc_rwlocktype_read);
+
+	for (header = rbtnode->data; header != NULL; header = top_next) {
+		top_next = header->next;
+		do {
+			if (EXPIREDOK(rbtiterator)) {
+				if (!NONEXISTENT(header)) {
+					break;
+				}
+				header = header->down;
+			} else if (header->serial <= serial && !IGNORE(header))
+			{
+				if (!iterator_active(rbtdb, rbtiterator,
+						     header))
+				{
+					header = NULL;
+				}
+				break;
+			} else {
+				header = header->down;
+			}
+		} while (header != NULL);
+		if (header != NULL) {
+			break;
+		}
+	}
+
+	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		    isc_rwlocktype_read);
+
+	rbtiterator->current = header;
+
+	if (header == NULL) {
+		return (ISC_R_NOMORE);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+rdatasetiter_next(dns_rdatasetiter_t *iterator) {
+	rbtdb_rdatasetiter_t *rbtiterator = (rbtdb_rdatasetiter_t *)iterator;
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)(rbtiterator->common.db);
+	dns_rbtnode_t *rbtnode = rbtiterator->common.node;
+	rbtdb_version_t *rbtversion = rbtiterator->common.version;
+	rdatasetheader_t *header, *top_next;
+	rbtdb_serial_t serial = IS_CACHE(rbtdb) ? 1 : rbtversion->serial;
+	rbtdb_rdatatype_t type, negtype;
+	dns_rdatatype_t rdtype, covers;
+	bool expiredok = EXPIREDOK(rbtiterator);
+
+	header = rbtiterator->current;
+	if (header == NULL) {
+		return (ISC_R_NOMORE);
+	}
+
+	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		  isc_rwlocktype_read);
+
+	type = header->type;
+	rdtype = RBTDB_RDATATYPE_BASE(header->type);
+	if (NEGATIVE(header)) {
+		covers = RBTDB_RDATATYPE_EXT(header->type);
+		negtype = RBTDB_RDATATYPE_VALUE(covers, 0);
+	} else {
+		negtype = RBTDB_RDATATYPE_VALUE(0, rdtype);
+	}
+
+	/*
+	 * Find the start of the header chain for the next type
+	 * by walking back up the list.
+	 */
+	top_next = header->next;
+	while (top_next != NULL &&
+	       (top_next->type == type || top_next->type == negtype))
+	{
+		top_next = top_next->next;
+	}
+	if (expiredok) {
+		/*
+		 * Keep walking down the list if possible or
+		 * start the next type.
+		 */
+		header = header->down != NULL ? header->down : top_next;
+	} else {
+		header = top_next;
+	}
+	for (; header != NULL; header = top_next) {
+		top_next = header->next;
+		do {
+			if (expiredok) {
+				if (!NONEXISTENT(header)) {
+					break;
+				}
+				header = header->down;
+			} else if (header->serial <= serial && !IGNORE(header))
+			{
+				if (!iterator_active(rbtdb, rbtiterator,
+						     header))
+				{
+					header = NULL;
+				}
+				break;
+			} else {
+				header = header->down;
+			}
+		} while (header != NULL);
+		if (header != NULL) {
+			break;
+		}
+		/*
+		 * Find the start of the header chain for the next type
+		 * by walking back up the list.
+		 */
+		while (top_next != NULL &&
+		       (top_next->type == type || top_next->type == negtype))
+		{
+			top_next = top_next->next;
+		}
+	}
+
+	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		    isc_rwlocktype_read);
+
+	rbtiterator->current = header;
+
+	if (header == NULL) {
+		return (ISC_R_NOMORE);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+rdatasetiter_current(dns_rdatasetiter_t *iterator, dns_rdataset_t *rdataset) {
+	rbtdb_rdatasetiter_t *rbtiterator = (rbtdb_rdatasetiter_t *)iterator;
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)(rbtiterator->common.db);
+	dns_rbtnode_t *rbtnode = rbtiterator->common.node;
+	rdatasetheader_t *header;
+
+	header = rbtiterator->current;
+	REQUIRE(header != NULL);
+
+	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		  isc_rwlocktype_read);
+
+	bind_rdataset(rbtdb, rbtnode, header, rbtiterator->common.now,
+		      isc_rwlocktype_read, rdataset);
+
+	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		    isc_rwlocktype_read);
+}
+
+/*
+ * Database Iterator Methods
+ */
+
+static void
+reference_iter_node(rbtdb_dbiterator_t *rbtdbiter) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)rbtdbiter->common.db;
+	dns_rbtnode_t *node = rbtdbiter->node;
+
+	if (node == NULL) {
+		return;
+	}
+
+	INSIST(rbtdbiter->tree_locked != isc_rwlocktype_none);
+	reactivate_node(rbtdb, node, rbtdbiter->tree_locked);
+}
+
+static void
+dereference_iter_node(rbtdb_dbiterator_t *rbtdbiter) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)rbtdbiter->common.db;
+	dns_rbtnode_t *node = rbtdbiter->node;
+	nodelock_t *lock;
+
+	if (node == NULL) {
+		return;
+	}
+
+	lock = &rbtdb->node_locks[node->locknum].lock;
+	NODE_LOCK(lock, isc_rwlocktype_read);
+	decrement_reference(rbtdb, node, 0, isc_rwlocktype_read,
+			    rbtdbiter->tree_locked, false);
+	NODE_UNLOCK(lock, isc_rwlocktype_read);
+
+	rbtdbiter->node = NULL;
+}
+
+static void
+flush_deletions(rbtdb_dbiterator_t *rbtdbiter) {
+	dns_rbtnode_t *node;
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)rbtdbiter->common.db;
+	bool was_read_locked = false;
+	nodelock_t *lock;
+	int i;
+
+	if (rbtdbiter->delcnt != 0) {
+		/*
+		 * Note that "%d node of %d in tree" can report things like
+		 * "flush_deletions: 59 nodes of 41 in tree".  This means
+		 * That some nodes appear on the deletions list more than
+		 * once.  Only the last occurrence will actually be deleted.
+		 */
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1),
+			      "flush_deletions: %d nodes of %d in tree",
+			      rbtdbiter->delcnt,
+			      dns_rbt_nodecount(rbtdb->tree));
+
+		if (rbtdbiter->tree_locked == isc_rwlocktype_read) {
+			RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+			was_read_locked = true;
+		}
+		RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+		rbtdbiter->tree_locked = isc_rwlocktype_write;
+
+		for (i = 0; i < rbtdbiter->delcnt; i++) {
+			node = rbtdbiter->deletions[i];
+			lock = &rbtdb->node_locks[node->locknum].lock;
+
+			NODE_LOCK(lock, isc_rwlocktype_read);
+			decrement_reference(rbtdb, node, 0, isc_rwlocktype_read,
+					    rbtdbiter->tree_locked, false);
+			NODE_UNLOCK(lock, isc_rwlocktype_read);
+		}
+
+		rbtdbiter->delcnt = 0;
+
+		RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+		if (was_read_locked) {
+			RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+			rbtdbiter->tree_locked = isc_rwlocktype_read;
+		} else {
+			rbtdbiter->tree_locked = isc_rwlocktype_none;
+		}
+	}
+}
+
+static void
+resume_iteration(rbtdb_dbiterator_t *rbtdbiter) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)rbtdbiter->common.db;
+
+	REQUIRE(rbtdbiter->paused);
+	REQUIRE(rbtdbiter->tree_locked == isc_rwlocktype_none);
+
+	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+	rbtdbiter->tree_locked = isc_rwlocktype_read;
+
+	rbtdbiter->paused = false;
+}
+
+static void
+dbiterator_destroy(dns_dbiterator_t **iteratorp) {
+	rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)(*iteratorp);
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)rbtdbiter->common.db;
+	dns_db_t *db = NULL;
+
+	if (rbtdbiter->tree_locked == isc_rwlocktype_read) {
+		RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+		rbtdbiter->tree_locked = isc_rwlocktype_none;
+	} else {
+		INSIST(rbtdbiter->tree_locked == isc_rwlocktype_none);
+	}
+
+	dereference_iter_node(rbtdbiter);
+
+	flush_deletions(rbtdbiter);
+
+	dns_db_attach(rbtdbiter->common.db, &db);
+	dns_db_detach(&rbtdbiter->common.db);
+
+	dns_rbtnodechain_reset(&rbtdbiter->chain);
+	dns_rbtnodechain_reset(&rbtdbiter->nsec3chain);
+	isc_mem_put(db->mctx, rbtdbiter, sizeof(*rbtdbiter));
+	dns_db_detach(&db);
+
+	*iteratorp = NULL;
+}
+
+static isc_result_t
+dbiterator_first(dns_dbiterator_t *iterator) {
+	isc_result_t result;
+	rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator;
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)iterator->db;
+	dns_name_t *name, *origin;
+
+	if (rbtdbiter->result != ISC_R_SUCCESS &&
+	    rbtdbiter->result != ISC_R_NOTFOUND &&
+	    rbtdbiter->result != DNS_R_PARTIALMATCH &&
+	    rbtdbiter->result != ISC_R_NOMORE)
+	{
+		return (rbtdbiter->result);
+	}
+
+	if (rbtdbiter->paused) {
+		resume_iteration(rbtdbiter);
+	}
+
+	dereference_iter_node(rbtdbiter);
+
+	name = dns_fixedname_name(&rbtdbiter->name);
+	origin = dns_fixedname_name(&rbtdbiter->origin);
+	dns_rbtnodechain_reset(&rbtdbiter->chain);
+	dns_rbtnodechain_reset(&rbtdbiter->nsec3chain);
+
+	if (rbtdbiter->nsec3only) {
+		rbtdbiter->current = &rbtdbiter->nsec3chain;
+		result = dns_rbtnodechain_first(rbtdbiter->current,
+						rbtdb->nsec3, name, origin);
+	} else {
+		rbtdbiter->current = &rbtdbiter->chain;
+		result = dns_rbtnodechain_first(rbtdbiter->current, rbtdb->tree,
+						name, origin);
+		if (!rbtdbiter->nonsec3 && result == ISC_R_NOTFOUND) {
+			rbtdbiter->current = &rbtdbiter->nsec3chain;
+			result = dns_rbtnodechain_first(
+				rbtdbiter->current, rbtdb->nsec3, name, origin);
+		}
+	}
+	if (result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN) {
+		result = dns_rbtnodechain_current(rbtdbiter->current, NULL,
+						  NULL, &rbtdbiter->node);
+		if (result == ISC_R_SUCCESS) {
+			rbtdbiter->new_origin = true;
+			reference_iter_node(rbtdbiter);
+		}
+	} else {
+		INSIST(result == ISC_R_NOTFOUND);
+		result = ISC_R_NOMORE; /* The tree is empty. */
+	}
+
+	rbtdbiter->result = result;
+
+	if (result != ISC_R_SUCCESS) {
+		ENSURE(!rbtdbiter->paused);
+	}
+
+	return (result);
+}
+
+static isc_result_t
+dbiterator_last(dns_dbiterator_t *iterator) {
+	isc_result_t result;
+	rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator;
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)iterator->db;
+	dns_name_t *name, *origin;
+
+	if (rbtdbiter->result != ISC_R_SUCCESS &&
+	    rbtdbiter->result != ISC_R_NOTFOUND &&
+	    rbtdbiter->result != DNS_R_PARTIALMATCH &&
+	    rbtdbiter->result != ISC_R_NOMORE)
+	{
+		return (rbtdbiter->result);
+	}
+
+	if (rbtdbiter->paused) {
+		resume_iteration(rbtdbiter);
+	}
+
+	dereference_iter_node(rbtdbiter);
+
+	name = dns_fixedname_name(&rbtdbiter->name);
+	origin = dns_fixedname_name(&rbtdbiter->origin);
+	dns_rbtnodechain_reset(&rbtdbiter->chain);
+	dns_rbtnodechain_reset(&rbtdbiter->nsec3chain);
+
+	result = ISC_R_NOTFOUND;
+	if (rbtdbiter->nsec3only && !rbtdbiter->nonsec3) {
+		rbtdbiter->current = &rbtdbiter->nsec3chain;
+		result = dns_rbtnodechain_last(rbtdbiter->current, rbtdb->nsec3,
+					       name, origin);
+	}
+	if (!rbtdbiter->nsec3only && result == ISC_R_NOTFOUND) {
+		rbtdbiter->current = &rbtdbiter->chain;
+		result = dns_rbtnodechain_last(rbtdbiter->current, rbtdb->tree,
+					       name, origin);
+	}
+	if (result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN) {
+		result = dns_rbtnodechain_current(rbtdbiter->current, NULL,
+						  NULL, &rbtdbiter->node);
+		if (result == ISC_R_SUCCESS) {
+			rbtdbiter->new_origin = true;
+			reference_iter_node(rbtdbiter);
+		}
+	} else {
+		INSIST(result == ISC_R_NOTFOUND);
+		result = ISC_R_NOMORE; /* The tree is empty. */
+	}
+
+	rbtdbiter->result = result;
+
+	return (result);
+}
+
+static isc_result_t
+dbiterator_seek(dns_dbiterator_t *iterator, const dns_name_t *name) {
+	isc_result_t result, tresult;
+	rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator;
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)iterator->db;
+	dns_name_t *iname, *origin;
+
+	if (rbtdbiter->result != ISC_R_SUCCESS &&
+	    rbtdbiter->result != ISC_R_NOTFOUND &&
+	    rbtdbiter->result != DNS_R_PARTIALMATCH &&
+	    rbtdbiter->result != ISC_R_NOMORE)
+	{
+		return (rbtdbiter->result);
+	}
+
+	if (rbtdbiter->paused) {
+		resume_iteration(rbtdbiter);
+	}
+
+	dereference_iter_node(rbtdbiter);
+
+	iname = dns_fixedname_name(&rbtdbiter->name);
+	origin = dns_fixedname_name(&rbtdbiter->origin);
+	dns_rbtnodechain_reset(&rbtdbiter->chain);
+	dns_rbtnodechain_reset(&rbtdbiter->nsec3chain);
+
+	if (rbtdbiter->nsec3only) {
+		rbtdbiter->current = &rbtdbiter->nsec3chain;
+		result = dns_rbt_findnode(rbtdb->nsec3, name, NULL,
+					  &rbtdbiter->node, rbtdbiter->current,
+					  DNS_RBTFIND_EMPTYDATA, NULL, NULL);
+	} else if (rbtdbiter->nonsec3) {
+		rbtdbiter->current = &rbtdbiter->chain;
+		result = dns_rbt_findnode(rbtdb->tree, name, NULL,
+					  &rbtdbiter->node, rbtdbiter->current,
+					  DNS_RBTFIND_EMPTYDATA, NULL, NULL);
+	} else {
+		/*
+		 * Stay on main chain if not found on either chain.
+		 */
+		rbtdbiter->current = &rbtdbiter->chain;
+		result = dns_rbt_findnode(rbtdb->tree, name, NULL,
+					  &rbtdbiter->node, rbtdbiter->current,
+					  DNS_RBTFIND_EMPTYDATA, NULL, NULL);
+		if (result == DNS_R_PARTIALMATCH) {
+			dns_rbtnode_t *node = NULL;
+			tresult = dns_rbt_findnode(
+				rbtdb->nsec3, name, NULL, &node,
+				&rbtdbiter->nsec3chain, DNS_RBTFIND_EMPTYDATA,
+				NULL, NULL);
+			if (tresult == ISC_R_SUCCESS) {
+				rbtdbiter->node = node;
+				rbtdbiter->current = &rbtdbiter->nsec3chain;
+				result = tresult;
+			}
+		}
+	}
+
+	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
+		tresult = dns_rbtnodechain_current(rbtdbiter->current, iname,
+						   origin, NULL);
+		if (tresult == ISC_R_SUCCESS) {
+			rbtdbiter->new_origin = true;
+			reference_iter_node(rbtdbiter);
+		} else {
+			result = tresult;
+			rbtdbiter->node = NULL;
+		}
+	} else {
+		rbtdbiter->node = NULL;
+	}
+
+	rbtdbiter->result = (result == DNS_R_PARTIALMATCH) ? ISC_R_SUCCESS
+							   : result;
+
+	return (result);
+}
+
+static isc_result_t
+dbiterator_prev(dns_dbiterator_t *iterator) {
+	isc_result_t result;
+	rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator;
+	dns_name_t *name, *origin;
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)iterator->db;
+
+	REQUIRE(rbtdbiter->node != NULL);
+
+	if (rbtdbiter->result != ISC_R_SUCCESS) {
+		return (rbtdbiter->result);
+	}
+
+	if (rbtdbiter->paused) {
+		resume_iteration(rbtdbiter);
+	}
+
+	name = dns_fixedname_name(&rbtdbiter->name);
+	origin = dns_fixedname_name(&rbtdbiter->origin);
+	result = dns_rbtnodechain_prev(rbtdbiter->current, name, origin);
+	if (result == ISC_R_NOMORE && !rbtdbiter->nsec3only &&
+	    !rbtdbiter->nonsec3 && &rbtdbiter->nsec3chain == rbtdbiter->current)
+	{
+		rbtdbiter->current = &rbtdbiter->chain;
+		dns_rbtnodechain_reset(rbtdbiter->current);
+		result = dns_rbtnodechain_last(rbtdbiter->current, rbtdb->tree,
+					       name, origin);
+		if (result == ISC_R_NOTFOUND) {
+			result = ISC_R_NOMORE;
+		}
+	}
+
+	dereference_iter_node(rbtdbiter);
+
+	if (result == DNS_R_NEWORIGIN || result == ISC_R_SUCCESS) {
+		rbtdbiter->new_origin = (result == DNS_R_NEWORIGIN);
+		result = dns_rbtnodechain_current(rbtdbiter->current, NULL,
+						  NULL, &rbtdbiter->node);
+	}
+
+	if (result == ISC_R_SUCCESS) {
+		reference_iter_node(rbtdbiter);
+	}
+
+	rbtdbiter->result = result;
+
+	return (result);
+}
+
+static isc_result_t
+dbiterator_next(dns_dbiterator_t *iterator) {
+	isc_result_t result;
+	rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator;
+	dns_name_t *name, *origin;
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)iterator->db;
+
+	REQUIRE(rbtdbiter->node != NULL);
+
+	if (rbtdbiter->result != ISC_R_SUCCESS) {
+		return (rbtdbiter->result);
+	}
+
+	if (rbtdbiter->paused) {
+		resume_iteration(rbtdbiter);
+	}
+
+	name = dns_fixedname_name(&rbtdbiter->name);
+	origin = dns_fixedname_name(&rbtdbiter->origin);
+	result = dns_rbtnodechain_next(rbtdbiter->current, name, origin);
+	if (result == ISC_R_NOMORE && !rbtdbiter->nsec3only &&
+	    !rbtdbiter->nonsec3 && &rbtdbiter->chain == rbtdbiter->current)
+	{
+		rbtdbiter->current = &rbtdbiter->nsec3chain;
+		dns_rbtnodechain_reset(rbtdbiter->current);
+		result = dns_rbtnodechain_first(rbtdbiter->current,
+						rbtdb->nsec3, name, origin);
+		if (result == ISC_R_NOTFOUND) {
+			result = ISC_R_NOMORE;
+		}
+	}
+
+	dereference_iter_node(rbtdbiter);
+
+	if (result == DNS_R_NEWORIGIN || result == ISC_R_SUCCESS) {
+		rbtdbiter->new_origin = (result == DNS_R_NEWORIGIN);
+		result = dns_rbtnodechain_current(rbtdbiter->current, NULL,
+						  NULL, &rbtdbiter->node);
+	}
+	if (result == ISC_R_SUCCESS) {
+		reference_iter_node(rbtdbiter);
+	}
+
+	rbtdbiter->result = result;
+
+	return (result);
+}
+
+static isc_result_t
+dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep,
+		   dns_name_t *name) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)iterator->db;
+	rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator;
+	dns_rbtnode_t *node = rbtdbiter->node;
+	isc_result_t result;
+	dns_name_t *nodename = dns_fixedname_name(&rbtdbiter->name);
+	dns_name_t *origin = dns_fixedname_name(&rbtdbiter->origin);
+
+	REQUIRE(rbtdbiter->result == ISC_R_SUCCESS);
+	REQUIRE(rbtdbiter->node != NULL);
+
+	if (rbtdbiter->paused) {
+		resume_iteration(rbtdbiter);
+	}
+
+	if (name != NULL) {
+		if (rbtdbiter->common.relative_names) {
+			origin = NULL;
+		}
+		result = dns_name_concatenate(nodename, origin, name, NULL);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		if (rbtdbiter->common.relative_names && rbtdbiter->new_origin) {
+			result = DNS_R_NEWORIGIN;
+		}
+	} else {
+		result = ISC_R_SUCCESS;
+	}
+
+	new_reference(rbtdb, node, isc_rwlocktype_none);
+
+	*nodep = rbtdbiter->node;
+
+	if (iterator->cleaning && result == ISC_R_SUCCESS) {
+		isc_result_t expire_result;
+
+		/*
+		 * If the deletion array is full, flush it before trying
+		 * to expire the current node.  The current node can't
+		 * fully deleted while the iteration cursor is still on it.
+		 */
+		if (rbtdbiter->delcnt == DELETION_BATCH_MAX) {
+			flush_deletions(rbtdbiter);
+		}
+
+		expire_result = expirenode(iterator->db, *nodep, 0);
+
+		/*
+		 * expirenode() currently always returns success.
+		 */
+		if (expire_result == ISC_R_SUCCESS && node->down == NULL) {
+			rbtdbiter->deletions[rbtdbiter->delcnt++] = node;
+			isc_refcount_increment(&node->references);
+		}
+	}
+
+	return (result);
+}
+
+static isc_result_t
+dbiterator_pause(dns_dbiterator_t *iterator) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)iterator->db;
+	rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator;
+
+	if (rbtdbiter->result != ISC_R_SUCCESS &&
+	    rbtdbiter->result != ISC_R_NOTFOUND &&
+	    rbtdbiter->result != DNS_R_PARTIALMATCH &&
+	    rbtdbiter->result != ISC_R_NOMORE)
+	{
+		return (rbtdbiter->result);
+	}
+
+	if (rbtdbiter->paused) {
+		return (ISC_R_SUCCESS);
+	}
+
+	rbtdbiter->paused = true;
+
+	if (rbtdbiter->tree_locked != isc_rwlocktype_none) {
+		INSIST(rbtdbiter->tree_locked == isc_rwlocktype_read);
+		RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+		rbtdbiter->tree_locked = isc_rwlocktype_none;
+	}
+
+	flush_deletions(rbtdbiter);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dbiterator_origin(dns_dbiterator_t *iterator, dns_name_t *name) {
+	rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator;
+	dns_name_t *origin = dns_fixedname_name(&rbtdbiter->origin);
+
+	if (rbtdbiter->result != ISC_R_SUCCESS) {
+		return (rbtdbiter->result);
+	}
+
+	dns_name_copynf(origin, name);
+	return (ISC_R_SUCCESS);
+}
+
+static void
+setownercase(rdatasetheader_t *header, const dns_name_t *name) {
+	unsigned int i;
+	bool fully_lower;
+
+	/*
+	 * We do not need to worry about label lengths as they are all
+	 * less than or equal to 63.
+	 */
+	memset(header->upper, 0, sizeof(header->upper));
+	fully_lower = true;
+	for (i = 0; i < name->length; i++) {
+		if (isupper(name->ndata[i])) {
+			header->upper[i / 8] |= 1 << (i % 8);
+			fully_lower = false;
+		}
+	}
+	RDATASET_ATTR_SET(header, RDATASET_ATTR_CASESET);
+	if (ISC_LIKELY(fully_lower)) {
+		RDATASET_ATTR_SET(header, RDATASET_ATTR_CASEFULLYLOWER);
+	}
+}
+
+static void
+rdataset_setownercase(dns_rdataset_t *rdataset, const dns_name_t *name) {
+	dns_rbtdb_t *rbtdb = rdataset->private1;
+	dns_rbtnode_t *rbtnode = rdataset->private2;
+	unsigned char *raw = rdataset->private3; /* RDATASLAB */
+	rdatasetheader_t *header;
+
+	header = (struct rdatasetheader *)(raw - sizeof(*header));
+
+	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		  isc_rwlocktype_write);
+	setownercase(header, name);
+	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		    isc_rwlocktype_write);
+}
+
+static void
+rdataset_getownercase(const dns_rdataset_t *rdataset, dns_name_t *name) {
+	dns_rbtdb_t *rbtdb = rdataset->private1;
+	dns_rbtnode_t *rbtnode = rdataset->private2;
+	unsigned char *raw = rdataset->private3; /* RDATASLAB */
+	rdatasetheader_t *header = NULL;
+	uint8_t mask = (1 << 7);
+	uint8_t bits = 0;
+
+	header = (struct rdatasetheader *)(raw - sizeof(*header));
+
+	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		  isc_rwlocktype_read);
+
+	if (!CASESET(header)) {
+		goto unlock;
+	}
+
+	if (ISC_LIKELY(CASEFULLYLOWER(header))) {
+		for (size_t i = 0; i < name->length; i++) {
+			name->ndata[i] = tolower(name->ndata[i]);
+		}
+	} else {
+		for (size_t i = 0; i < name->length; i++) {
+			if (mask == (1 << 7)) {
+				bits = header->upper[i / 8];
+				mask = 1;
+			} else {
+				mask <<= 1;
+			}
+
+			name->ndata[i] = ((bits & mask) != 0)
+						 ? toupper(name->ndata[i])
+						 : tolower(name->ndata[i]);
+		}
+	}
+
+unlock:
+	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		    isc_rwlocktype_read);
+}
+
+struct rbtdb_glue {
+	struct rbtdb_glue *next;
+	dns_fixedname_t fixedname;
+	dns_rdataset_t rdataset_a;
+	dns_rdataset_t sigrdataset_a;
+	dns_rdataset_t rdataset_aaaa;
+	dns_rdataset_t sigrdataset_aaaa;
+};
+
+typedef struct {
+	rbtdb_glue_t *glue_list;
+	dns_rbtdb_t *rbtdb;
+	rbtdb_version_t *rbtversion;
+} rbtdb_glue_additionaldata_ctx_t;
+
+static void
+free_gluelist(rbtdb_glue_t *glue_list, dns_rbtdb_t *rbtdb) {
+	rbtdb_glue_t *cur, *cur_next;
+
+	if (glue_list == (void *)-1) {
+		return;
+	}
+
+	cur = glue_list;
+	while (cur != NULL) {
+		cur_next = cur->next;
+
+		if (dns_rdataset_isassociated(&cur->rdataset_a)) {
+			dns_rdataset_disassociate(&cur->rdataset_a);
+		}
+		if (dns_rdataset_isassociated(&cur->sigrdataset_a)) {
+			dns_rdataset_disassociate(&cur->sigrdataset_a);
+		}
+
+		if (dns_rdataset_isassociated(&cur->rdataset_aaaa)) {
+			dns_rdataset_disassociate(&cur->rdataset_aaaa);
+		}
+		if (dns_rdataset_isassociated(&cur->sigrdataset_aaaa)) {
+			dns_rdataset_disassociate(&cur->sigrdataset_aaaa);
+		}
+
+		dns_rdataset_invalidate(&cur->rdataset_a);
+		dns_rdataset_invalidate(&cur->sigrdataset_a);
+		dns_rdataset_invalidate(&cur->rdataset_aaaa);
+		dns_rdataset_invalidate(&cur->sigrdataset_aaaa);
+
+		isc_mem_put(rbtdb->common.mctx, cur, sizeof(*cur));
+		cur = cur_next;
+	}
+}
+
+static void
+free_gluetable(rbtdb_version_t *version) {
+	dns_rbtdb_t *rbtdb;
+	size_t size, i;
+
+	RWLOCK(&version->glue_rwlock, isc_rwlocktype_write);
+
+	rbtdb = version->rbtdb;
+
+	for (i = 0; i < HASHSIZE(version->glue_table_bits); i++) {
+		rbtdb_glue_table_node_t *cur, *cur_next;
+
+		cur = version->glue_table[i];
+		while (cur != NULL) {
+			cur_next = cur->next;
+			/* isc_refcount_decrement(&cur->node->references); */
+			cur->node = NULL;
+			free_gluelist(cur->glue_list, rbtdb);
+			cur->glue_list = NULL;
+			isc_mem_put(rbtdb->common.mctx, cur, sizeof(*cur));
+			cur = cur_next;
+		}
+		version->glue_table[i] = NULL;
+	}
+
+	size = HASHSIZE(version->glue_table_bits) *
+	       sizeof(*version->glue_table);
+	isc_mem_put(rbtdb->common.mctx, version->glue_table, size);
+
+	RWUNLOCK(&version->glue_rwlock, isc_rwlocktype_write);
+}
+
+static uint32_t
+rehash_bits(rbtdb_version_t *version, size_t newcount) {
+	uint32_t oldbits = version->glue_table_bits;
+	uint32_t newbits = oldbits;
+
+	while (newcount >= HASHSIZE(newbits) &&
+	       newbits <= RBTDB_GLUE_TABLE_MAX_BITS)
+	{
+		newbits += 1;
+	}
+
+	return (newbits);
+}
+
+/*%
+ * Write lock (version->glue_rwlock) must be held.
+ */
+static void
+rehash_gluetable(rbtdb_version_t *version) {
+	uint32_t oldbits, newbits;
+	size_t newsize, oldcount, i;
+	rbtdb_glue_table_node_t **oldtable;
+
+	oldbits = version->glue_table_bits;
+	oldcount = HASHSIZE(oldbits);
+	oldtable = version->glue_table;
+
+	newbits = rehash_bits(version, version->glue_table_nodecount);
+	newsize = HASHSIZE(newbits) * sizeof(version->glue_table[0]);
+
+	version->glue_table = isc_mem_get(version->rbtdb->common.mctx, newsize);
+	version->glue_table_bits = newbits;
+	memset(version->glue_table, 0, newsize);
+
+	for (i = 0; i < oldcount; i++) {
+		rbtdb_glue_table_node_t *gluenode;
+		rbtdb_glue_table_node_t *nextgluenode;
+		for (gluenode = oldtable[i]; gluenode != NULL;
+		     gluenode = nextgluenode)
+		{
+			uint32_t hash = isc_hash32(
+				&gluenode->node, sizeof(gluenode->node), true);
+			uint32_t idx = hash_32(hash, newbits);
+			nextgluenode = gluenode->next;
+			gluenode->next = version->glue_table[idx];
+			version->glue_table[idx] = gluenode;
+		}
+	}
+
+	isc_mem_put(version->rbtdb->common.mctx, oldtable,
+		    oldcount * sizeof(*version->glue_table));
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_ZONE,
+		      ISC_LOG_DEBUG(3),
+		      "rehash_gluetable(): "
+		      "resized glue table from %zu to "
+		      "%zu",
+		      oldcount, newsize / sizeof(version->glue_table[0]));
+}
+
+static void
+maybe_rehash_gluetable(rbtdb_version_t *version) {
+	size_t overcommit = HASHSIZE(version->glue_table_bits) *
+			    RBTDB_GLUE_TABLE_OVERCOMMIT;
+	if (ISC_LIKELY(version->glue_table_nodecount < overcommit)) {
+		return;
+	}
+
+	rehash_gluetable(version);
+}
+
+static isc_result_t
+glue_nsdname_cb(void *arg, const dns_name_t *name, dns_rdatatype_t qtype) {
+	rbtdb_glue_additionaldata_ctx_t *ctx;
+	isc_result_t result;
+	dns_fixedname_t fixedname_a;
+	dns_name_t *name_a = NULL;
+	dns_rdataset_t rdataset_a, sigrdataset_a;
+	dns_rbtnode_t *node_a = NULL;
+	dns_fixedname_t fixedname_aaaa;
+	dns_name_t *name_aaaa = NULL;
+	dns_rdataset_t rdataset_aaaa, sigrdataset_aaaa;
+	dns_rbtnode_t *node_aaaa = NULL;
+	rbtdb_glue_t *glue = NULL;
+	dns_name_t *gluename = NULL;
+
+	/*
+	 * NS records want addresses in additional records.
+	 */
+	INSIST(qtype == dns_rdatatype_a);
+
+	ctx = (rbtdb_glue_additionaldata_ctx_t *)arg;
+
+	name_a = dns_fixedname_initname(&fixedname_a);
+	dns_rdataset_init(&rdataset_a);
+	dns_rdataset_init(&sigrdataset_a);
+
+	name_aaaa = dns_fixedname_initname(&fixedname_aaaa);
+	dns_rdataset_init(&rdataset_aaaa);
+	dns_rdataset_init(&sigrdataset_aaaa);
+
+	result = zone_find((dns_db_t *)ctx->rbtdb, name, ctx->rbtversion,
+			   dns_rdatatype_a, DNS_DBFIND_GLUEOK, 0,
+			   (dns_dbnode_t **)&node_a, name_a, &rdataset_a,
+			   &sigrdataset_a);
+	if (result == DNS_R_GLUE) {
+		glue = isc_mem_get(ctx->rbtdb->common.mctx, sizeof(*glue));
+
+		gluename = dns_fixedname_initname(&glue->fixedname);
+		dns_name_copynf(name_a, gluename);
+
+		dns_rdataset_init(&glue->rdataset_a);
+		dns_rdataset_init(&glue->sigrdataset_a);
+		dns_rdataset_init(&glue->rdataset_aaaa);
+		dns_rdataset_init(&glue->sigrdataset_aaaa);
+
+		dns_rdataset_clone(&rdataset_a, &glue->rdataset_a);
+		if (dns_rdataset_isassociated(&sigrdataset_a)) {
+			dns_rdataset_clone(&sigrdataset_a,
+					   &glue->sigrdataset_a);
+		}
+	}
+
+	result = zone_find((dns_db_t *)ctx->rbtdb, name, ctx->rbtversion,
+			   dns_rdatatype_aaaa, DNS_DBFIND_GLUEOK, 0,
+			   (dns_dbnode_t **)&node_aaaa, name_aaaa,
+			   &rdataset_aaaa, &sigrdataset_aaaa);
+	if (result == DNS_R_GLUE) {
+		if (glue == NULL) {
+			glue = isc_mem_get(ctx->rbtdb->common.mctx,
+					   sizeof(*glue));
+
+			gluename = dns_fixedname_initname(&glue->fixedname);
+			dns_name_copynf(name_aaaa, gluename);
+
+			dns_rdataset_init(&glue->rdataset_a);
+			dns_rdataset_init(&glue->sigrdataset_a);
+			dns_rdataset_init(&glue->rdataset_aaaa);
+			dns_rdataset_init(&glue->sigrdataset_aaaa);
+		} else {
+			INSIST(node_a == node_aaaa);
+			INSIST(dns_name_equal(name_a, name_aaaa));
+		}
+
+		dns_rdataset_clone(&rdataset_aaaa, &glue->rdataset_aaaa);
+		if (dns_rdataset_isassociated(&sigrdataset_aaaa)) {
+			dns_rdataset_clone(&sigrdataset_aaaa,
+					   &glue->sigrdataset_aaaa);
+		}
+	}
+
+	if (glue != NULL) {
+		glue->next = ctx->glue_list;
+		ctx->glue_list = glue;
+	}
+
+	result = ISC_R_SUCCESS;
+
+	if (dns_rdataset_isassociated(&rdataset_a)) {
+		rdataset_disassociate(&rdataset_a);
+	}
+	if (dns_rdataset_isassociated(&sigrdataset_a)) {
+		rdataset_disassociate(&sigrdataset_a);
+	}
+
+	if (dns_rdataset_isassociated(&rdataset_aaaa)) {
+		rdataset_disassociate(&rdataset_aaaa);
+	}
+	if (dns_rdataset_isassociated(&sigrdataset_aaaa)) {
+		rdataset_disassociate(&sigrdataset_aaaa);
+	}
+
+	if (node_a != NULL) {
+		detachnode((dns_db_t *)ctx->rbtdb, (dns_dbnode_t *)&node_a);
+	}
+	if (node_aaaa != NULL) {
+		detachnode((dns_db_t *)ctx->rbtdb, (dns_dbnode_t *)&node_aaaa);
+	}
+
+	return (result);
+}
+
+static isc_result_t
+rdataset_addglue(dns_rdataset_t *rdataset, dns_dbversion_t *version,
+		 dns_message_t *msg) {
+	dns_rbtdb_t *rbtdb = rdataset->private1;
+	dns_rbtnode_t *node = rdataset->private2;
+	rbtdb_version_t *rbtversion = version;
+	uint32_t idx;
+	rbtdb_glue_table_node_t *cur;
+	bool found = false;
+	bool restarted = false;
+	rbtdb_glue_t *ge;
+	rbtdb_glue_additionaldata_ctx_t ctx;
+	isc_result_t result;
+	uint64_t hash;
+
+	REQUIRE(rdataset->type == dns_rdatatype_ns);
+	REQUIRE(rbtdb == rbtversion->rbtdb);
+	REQUIRE(!IS_CACHE(rbtdb) && !IS_STUB(rbtdb));
+
+	/*
+	 * The glue table cache that forms a part of the DB version
+	 * structure is not explicitly bounded and there's no cache
+	 * cleaning. The zone data size itself is an implicit bound.
+	 *
+	 * The key into the glue hashtable is the node pointer. This is
+	 * because the glue hashtable is a property of the DB version,
+	 * and the glue is keyed for the ownername/NS tuple. We don't
+	 * bother with using an expensive dns_name_t comparison here as
+	 * the node pointer is a fixed value that won't change for a DB
+	 * version and can be compared directly.
+	 */
+	hash = isc_hash_function(&node, sizeof(node), true);
+
+restart:
+	/*
+	 * First, check if we have the additional entries already cached
+	 * in the glue table.
+	 */
+	RWLOCK(&rbtversion->glue_rwlock, isc_rwlocktype_read);
+
+	idx = hash_32(hash, rbtversion->glue_table_bits);
+
+	for (cur = rbtversion->glue_table[idx]; cur != NULL; cur = cur->next) {
+		if (cur->node == node) {
+			break;
+		}
+	}
+
+	if (cur == NULL) {
+		goto no_glue;
+	}
+	/*
+	 * We found a cached result. Add it to the message and
+	 * return.
+	 */
+	found = true;
+	ge = cur->glue_list;
+
+	/*
+	 * (void *) -1 is a special value that means no glue is
+	 * present in the zone.
+	 */
+	if (ge == (void *)-1) {
+		if (!restarted && (rbtdb->gluecachestats != NULL)) {
+			isc_stats_increment(
+				rbtdb->gluecachestats,
+				dns_gluecachestatscounter_hits_absent);
+		}
+		goto no_glue;
+	} else {
+		if (!restarted && (rbtdb->gluecachestats != NULL)) {
+			isc_stats_increment(
+				rbtdb->gluecachestats,
+				dns_gluecachestatscounter_hits_present);
+		}
+	}
+
+	for (; ge != NULL; ge = ge->next) {
+		dns_name_t *name = NULL;
+		dns_rdataset_t *rdataset_a = NULL;
+		dns_rdataset_t *sigrdataset_a = NULL;
+		dns_rdataset_t *rdataset_aaaa = NULL;
+		dns_rdataset_t *sigrdataset_aaaa = NULL;
+		dns_name_t *gluename = dns_fixedname_name(&ge->fixedname);
+
+		result = dns_message_gettempname(msg, &name);
+		if (ISC_UNLIKELY(result != ISC_R_SUCCESS)) {
+			goto no_glue;
+		}
+
+		dns_name_copynf(gluename, name);
+
+		if (dns_rdataset_isassociated(&ge->rdataset_a)) {
+			result = dns_message_gettemprdataset(msg, &rdataset_a);
+			if (ISC_UNLIKELY(result != ISC_R_SUCCESS)) {
+				dns_message_puttempname(msg, &name);
+				goto no_glue;
+			}
+		}
+
+		if (dns_rdataset_isassociated(&ge->sigrdataset_a)) {
+			result = dns_message_gettemprdataset(msg,
+							     &sigrdataset_a);
+			if (ISC_UNLIKELY(result != ISC_R_SUCCESS)) {
+				if (rdataset_a != NULL) {
+					dns_message_puttemprdataset(
+						msg, &rdataset_a);
+				}
+				dns_message_puttempname(msg, &name);
+				goto no_glue;
+			}
+		}
+
+		if (dns_rdataset_isassociated(&ge->rdataset_aaaa)) {
+			result = dns_message_gettemprdataset(msg,
+							     &rdataset_aaaa);
+			if (ISC_UNLIKELY(result != ISC_R_SUCCESS)) {
+				dns_message_puttempname(msg, &name);
+				if (rdataset_a != NULL) {
+					dns_message_puttemprdataset(
+						msg, &rdataset_a);
+				}
+				if (sigrdataset_a != NULL) {
+					dns_message_puttemprdataset(
+						msg, &sigrdataset_a);
+				}
+				goto no_glue;
+			}
+		}
+
+		if (dns_rdataset_isassociated(&ge->sigrdataset_aaaa)) {
+			result = dns_message_gettemprdataset(msg,
+							     &sigrdataset_aaaa);
+			if (ISC_UNLIKELY(result != ISC_R_SUCCESS)) {
+				dns_message_puttempname(msg, &name);
+				if (rdataset_a != NULL) {
+					dns_message_puttemprdataset(
+						msg, &rdataset_a);
+				}
+				if (sigrdataset_a != NULL) {
+					dns_message_puttemprdataset(
+						msg, &sigrdataset_a);
+				}
+				if (rdataset_aaaa != NULL) {
+					dns_message_puttemprdataset(
+						msg, &rdataset_aaaa);
+				}
+				goto no_glue;
+			}
+		}
+
+		if (ISC_LIKELY(rdataset_a != NULL)) {
+			dns_rdataset_clone(&ge->rdataset_a, rdataset_a);
+			ISC_LIST_APPEND(name->list, rdataset_a, link);
+		}
+
+		if (sigrdataset_a != NULL) {
+			dns_rdataset_clone(&ge->sigrdataset_a, sigrdataset_a);
+			ISC_LIST_APPEND(name->list, sigrdataset_a, link);
+		}
+
+		if (rdataset_aaaa != NULL) {
+			dns_rdataset_clone(&ge->rdataset_aaaa, rdataset_aaaa);
+			ISC_LIST_APPEND(name->list, rdataset_aaaa, link);
+		}
+		if (sigrdataset_aaaa != NULL) {
+			dns_rdataset_clone(&ge->sigrdataset_aaaa,
+					   sigrdataset_aaaa);
+			ISC_LIST_APPEND(name->list, sigrdataset_aaaa, link);
+		}
+
+		dns_message_addname(msg, name, DNS_SECTION_ADDITIONAL);
+	}
+
+no_glue:
+	RWUNLOCK(&rbtversion->glue_rwlock, isc_rwlocktype_read);
+
+	if (found) {
+		return (ISC_R_SUCCESS);
+	}
+
+	if (restarted) {
+		return (ISC_R_FAILURE);
+	}
+
+	/*
+	 * No cached glue was found in the table. Cache it and restart
+	 * this function.
+	 *
+	 * Due to the gap between the read lock and the write lock, it's
+	 * possible that we may cache a duplicate glue table entry, but
+	 * we don't care.
+	 */
+
+	ctx.glue_list = NULL;
+	ctx.rbtdb = rbtdb;
+	ctx.rbtversion = rbtversion;
+
+	RWLOCK(&rbtversion->glue_rwlock, isc_rwlocktype_write);
+
+	maybe_rehash_gluetable(rbtversion);
+	idx = hash_32(hash, rbtversion->glue_table_bits);
+
+	(void)dns_rdataset_additionaldata(rdataset, glue_nsdname_cb, &ctx);
+
+	cur = isc_mem_get(rbtdb->common.mctx, sizeof(*cur));
+
+	/*
+	 * XXXMUKS: it looks like the dns_dbversion is not destroyed
+	 * when named is terminated by a keyboard break. This doesn't
+	 * cleanup the node reference and keeps the process dangling.
+	 */
+	/* isc_refcount_increment0(&node->references); */
+	cur->node = node;
+
+	if (ctx.glue_list == NULL) {
+		/*
+		 * No glue was found. Cache it so.
+		 */
+		cur->glue_list = (void *)-1;
+		if (rbtdb->gluecachestats != NULL) {
+			isc_stats_increment(
+				rbtdb->gluecachestats,
+				dns_gluecachestatscounter_inserts_absent);
+		}
+	} else {
+		cur->glue_list = ctx.glue_list;
+		if (rbtdb->gluecachestats != NULL) {
+			isc_stats_increment(
+				rbtdb->gluecachestats,
+				dns_gluecachestatscounter_inserts_present);
+		}
+	}
+
+	cur->next = rbtversion->glue_table[idx];
+	rbtversion->glue_table[idx] = cur;
+	rbtversion->glue_table_nodecount++;
+
+	RWUNLOCK(&rbtversion->glue_rwlock, isc_rwlocktype_write);
+
+	restarted = true;
+	goto restart;
+
+	/* UNREACHABLE */
+}
+
+/*%
+ * Routines for LRU-based cache management.
+ */
+
+/*%
+ * See if a given cache entry that is being reused needs to be updated
+ * in the LRU-list.  From the LRU management point of view, this function is
+ * expected to return true for almost all cases.  When used with threads,
+ * however, this may cause a non-negligible performance penalty because a
+ * writer lock will have to be acquired before updating the list.
+ * If DNS_RBTDB_LIMITLRUUPDATE is defined to be non 0 at compilation time, this
+ * function returns true if the entry has not been updated for some period of
+ * time.  We differentiate the NS or glue address case and the others since
+ * experiments have shown that the former tends to be accessed relatively
+ * infrequently and the cost of cache miss is higher (e.g., a missing NS records
+ * may cause external queries at a higher level zone, involving more
+ * transactions).
+ *
+ * Caller must hold the node (read or write) lock.
+ */
+static bool
+need_headerupdate(rdatasetheader_t *header, isc_stdtime_t now) {
+	if (RDATASET_ATTR_GET(header, (RDATASET_ATTR_NONEXISTENT |
+				       RDATASET_ATTR_ANCIENT |
+				       RDATASET_ATTR_ZEROTTL)) != 0)
+	{
+		return (false);
+	}
+
+#if DNS_RBTDB_LIMITLRUUPDATE
+	if (header->type == dns_rdatatype_ns ||
+	    (header->trust == dns_trust_glue &&
+	     (header->type == dns_rdatatype_a ||
+	      header->type == dns_rdatatype_aaaa)))
+	{
+		/*
+		 * Glue records are updated if at least DNS_RBTDB_LRUUPDATE_GLUE
+		 * seconds have passed since the previous update time.
+		 */
+		return (header->last_used + DNS_RBTDB_LRUUPDATE_GLUE <= now);
+	}
+
+	/*
+	 * Other records are updated if DNS_RBTDB_LRUUPDATE_REGULAR seconds
+	 * have passed.
+	 */
+	return (header->last_used + DNS_RBTDB_LRUUPDATE_REGULAR <= now);
+#else
+	UNUSED(now);
+
+	return (true);
+#endif /* if DNS_RBTDB_LIMITLRUUPDATE */
+}
+
+/*%
+ * Update the timestamp of a given cache entry and move it to the head
+ * of the corresponding LRU list.
+ *
+ * Caller must hold the node (write) lock.
+ *
+ * Note that the we do NOT touch the heap here, as the TTL has not changed.
+ */
+static void
+update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, isc_stdtime_t now) {
+	INSIST(IS_CACHE(rbtdb));
+
+	/* To be checked: can we really assume this? XXXMLG */
+	INSIST(ISC_LINK_LINKED(header, link));
+
+	ISC_LIST_UNLINK(rbtdb->rdatasets[header->node->locknum], header, link);
+	header->last_used = now;
+	ISC_LIST_PREPEND(rbtdb->rdatasets[header->node->locknum], header, link);
+}
+
+static size_t
+expire_lru_headers(dns_rbtdb_t *rbtdb, unsigned int locknum, size_t purgesize,
+		   bool tree_locked) {
+	rdatasetheader_t *header, *header_prev;
+	size_t purged = 0;
+
+	for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
+	     header != NULL && purged <= purgesize; header = header_prev)
+	{
+		header_prev = ISC_LIST_PREV(header, link);
+		/*
+		 * Unlink the entry at this point to avoid checking it
+		 * again even if it's currently used someone else and
+		 * cannot be purged at this moment.  This entry won't be
+		 * referenced any more (so unlinking is safe) since the
+		 * TTL was reset to 0.
+		 */
+		ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header, link);
+		size_t header_size = rdataset_size(header);
+		expire_header(rbtdb, header, tree_locked, expire_lru);
+		purged += header_size;
+	}
+
+	return (purged);
+}
+
+/*%
+ * Purge some stale (i.e. unused for some period - LRU based cleaning) cache
+ * entries under the overmem condition.  To recover from this condition quickly,
+ * we cleanup entries up to the size of newly added rdata (passed as purgesize).
+ *
+ * This process is triggered while adding a new entry, and we specifically avoid
+ * purging entries in the same LRU bucket as the one to which the new entry will
+ * belong.  Otherwise, we might purge entries of the same name of different RR
+ * types while adding RRsets from a single response (consider the case where
+ * we're adding A and AAAA glue records of the same NS name).
+ */
+static void
+overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, size_t purgesize,
+	      bool tree_locked) {
+	unsigned int locknum;
+	size_t purged = 0;
+
+	for (locknum = (locknum_start + 1) % rbtdb->node_lock_count;
+	     locknum != locknum_start && purged <= purgesize;
+	     locknum = (locknum + 1) % rbtdb->node_lock_count)
+	{
+		NODE_LOCK(&rbtdb->node_locks[locknum].lock,
+			  isc_rwlocktype_write);
+
+		purged += expire_lru_headers(rbtdb, locknum, purgesize - purged,
+					     tree_locked);
+
+		NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
+			    isc_rwlocktype_write);
+	}
+}
+
+static void
+expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, bool tree_locked,
+	      expire_t reason) {
+	set_ttl(rbtdb, header, 0);
+	mark_header_ancient(rbtdb, header);
+
+	/*
+	 * Caller must hold the node (write) lock.
+	 */
+
+	if (isc_refcount_current(&header->node->references) == 0) {
+		/*
+		 * If no one else is using the node, we can clean it up now.
+		 * We first need to gain a new reference to the node to meet a
+		 * requirement of decrement_reference().
+		 */
+		new_reference(rbtdb, header->node, isc_rwlocktype_write);
+		decrement_reference(rbtdb, header->node, 0,
+				    isc_rwlocktype_write,
+				    tree_locked ? isc_rwlocktype_write
+						: isc_rwlocktype_none,
+				    false);
+
+		if (rbtdb->cachestats == NULL) {
+			return;
+		}
+
+		switch (reason) {
+		case expire_ttl:
+			isc_stats_increment(rbtdb->cachestats,
+					    dns_cachestatscounter_deletettl);
+			break;
+		case expire_lru:
+			isc_stats_increment(rbtdb->cachestats,
+					    dns_cachestatscounter_deletelru);
+			break;
+		default:
+			break;
+		}
+	}
+}
diff --git a/lib/dns/rbtdb.h b/lib/dns/rbtdb.h
new file mode 100644
index 0000000..54f0b44
--- /dev/null
+++ b/lib/dns/rbtdb.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_RBTDB_H
+#define DNS_RBTDB_H 1
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+/*****
+***** Module Info
+*****/
+
+/*! \file
+ * \brief
+ * DNS Red-Black Tree DB Implementation
+ */
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_rbtdb_create(isc_mem_t *mctx, const dns_name_t *base, dns_dbtype_t type,
+		 dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
+		 void *driverarg, dns_db_t **dbp);
+
+/*%<
+ * Create a new database of type "rbt" (or "rbt64").  Called via
+ * dns_db_create(); see documentation for that function for more details.
+ *
+ * If argv[0] is set, it points to a valid memory context to be used for
+ * allocation of heap memory.  Generally this is used for cache databases
+ * only.
+ *
+ * Requires:
+ *
+ * \li argc == 0 or argv[0] is a valid memory context.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RBTDB_H */
diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c
new file mode 100644
index 0000000..4beb5a2
--- /dev/null
+++ b/lib/dns/rcode.c
@@ -0,0 +1,588 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <ctype.h>
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/parseint.h>
+#include <isc/print.h>
+#include <isc/region.h>
+#include <isc/result.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <pk11/site.h>
+
+#include <dns/cert.h>
+#include <dns/ds.h>
+#include <dns/dsdigest.h>
+#include <dns/keyflags.h>
+#include <dns/keyvalues.h>
+#include <dns/rcode.h>
+#include <dns/rdataclass.h>
+#include <dns/result.h>
+#include <dns/secalg.h>
+#include <dns/secproto.h>
+
+#define RETERR(x)                        \
+	do {                             \
+		isc_result_t _r = (x);   \
+		if (_r != ISC_R_SUCCESS) \
+			return ((_r));   \
+	} while (0)
+
+#define NUMBERSIZE sizeof("037777777777") /* 2^32-1 octal + NUL */
+
+#define TOTEXTONLY 0x01
+
+#define RCODENAMES                                     \
+	/* standard rcodes */                          \
+	{ dns_rcode_noerror, "NOERROR", 0 },           \
+		{ dns_rcode_formerr, "FORMERR", 0 },   \
+		{ dns_rcode_servfail, "SERVFAIL", 0 }, \
+		{ dns_rcode_nxdomain, "NXDOMAIN", 0 }, \
+		{ dns_rcode_notimp, "NOTIMP", 0 },     \
+		{ dns_rcode_refused, "REFUSED", 0 },   \
+		{ dns_rcode_yxdomain, "YXDOMAIN", 0 }, \
+		{ dns_rcode_yxrrset, "YXRRSET", 0 },   \
+		{ dns_rcode_nxrrset, "NXRRSET", 0 },   \
+		{ dns_rcode_notauth, "NOTAUTH", 0 },   \
+		{ dns_rcode_notzone, "NOTZONE", 0 },   \
+		{ 11, "RESERVED11", TOTEXTONLY },      \
+		{ 12, "RESERVED12", TOTEXTONLY },      \
+		{ 13, "RESERVED13", TOTEXTONLY },      \
+		{ 14, "RESERVED14", TOTEXTONLY },      \
+		{ 15, "RESERVED15", TOTEXTONLY },
+
+#define ERCODENAMES                                        \
+	/* extended rcodes */                              \
+	{ dns_rcode_badvers, "BADVERS", 0 },               \
+		{ dns_rcode_badcookie, "BADCOOKIE", 0 }, { \
+		0, NULL, 0                                 \
+	}
+
+#define TSIGRCODENAMES                                       \
+	/* extended rcodes */                                \
+	{ dns_tsigerror_badsig, "BADSIG", 0 },               \
+		{ dns_tsigerror_badkey, "BADKEY", 0 },       \
+		{ dns_tsigerror_badtime, "BADTIME", 0 },     \
+		{ dns_tsigerror_badmode, "BADMODE", 0 },     \
+		{ dns_tsigerror_badname, "BADNAME", 0 },     \
+		{ dns_tsigerror_badalg, "BADALG", 0 },       \
+		{ dns_tsigerror_badtrunc, "BADTRUNC", 0 }, { \
+		0, NULL, 0                                   \
+	}
+
+/* RFC4398 section 2.1 */
+
+#define CERTNAMES                                                           \
+	{ 1, "PKIX", 0 }, { 2, "SPKI", 0 }, { 3, "PGP", 0 },                \
+		{ 4, "IPKIX", 0 }, { 5, "ISPKI", 0 }, { 6, "IPGP", 0 },     \
+		{ 7, "ACPKIX", 0 }, { 8, "IACPKIX", 0 }, { 253, "URI", 0 }, \
+		{ 254, "OID", 0 }, {                                        \
+		0, NULL, 0                                                  \
+	}
+
+/* RFC2535 section 7, RFC3110 */
+
+#define SECALGNAMES                                                     \
+	{ DNS_KEYALG_RSAMD5, "RSAMD5", 0 }, { DNS_KEYALG_DH, "DH", 0 }, \
+		{ DNS_KEYALG_DSA, "DSA", 0 },                           \
+		{ DNS_KEYALG_RSASHA1, "RSASHA1", 0 },                   \
+		{ DNS_KEYALG_NSEC3DSA, "NSEC3DSA", 0 },                 \
+		{ DNS_KEYALG_NSEC3RSASHA1, "NSEC3RSASHA1", 0 },         \
+		{ DNS_KEYALG_RSASHA256, "RSASHA256", 0 },               \
+		{ DNS_KEYALG_RSASHA512, "RSASHA512", 0 },               \
+		{ DNS_KEYALG_ECCGOST, "ECCGOST", 0 },                   \
+		{ DNS_KEYALG_ECDSA256, "ECDSAP256SHA256", 0 },          \
+		{ DNS_KEYALG_ECDSA256, "ECDSA256", 0 },                 \
+		{ DNS_KEYALG_ECDSA384, "ECDSAP384SHA384", 0 },          \
+		{ DNS_KEYALG_ECDSA384, "ECDSA384", 0 },                 \
+		{ DNS_KEYALG_ED25519, "ED25519", 0 },                   \
+		{ DNS_KEYALG_ED448, "ED448", 0 },                       \
+		{ DNS_KEYALG_INDIRECT, "INDIRECT", 0 },                 \
+		{ DNS_KEYALG_PRIVATEDNS, "PRIVATEDNS", 0 },             \
+		{ DNS_KEYALG_PRIVATEOID, "PRIVATEOID", 0 }, {           \
+		0, NULL, 0                                              \
+	}
+
+/* RFC2535 section 7.1 */
+
+#define SECPROTONAMES                                                       \
+	{ 0, "NONE", 0 }, { 1, "TLS", 0 }, { 2, "EMAIL", 0 },               \
+		{ 3, "DNSSEC", 0 }, { 4, "IPSEC", 0 }, { 255, "ALL", 0 }, { \
+		0, NULL, 0                                                  \
+	}
+
+#define HASHALGNAMES \
+	{ 1, "SHA-1", 0 }, { 0, NULL, 0 }
+
+/* RFC3658, RFC4509, RFC5933, RFC6605 */
+
+#define DSDIGESTNAMES                                                        \
+	{ DNS_DSDIGEST_SHA1, "SHA-1", 0 }, { DNS_DSDIGEST_SHA1, "SHA1", 0 }, \
+		{ DNS_DSDIGEST_SHA256, "SHA-256", 0 },                       \
+		{ DNS_DSDIGEST_SHA256, "SHA256", 0 },                        \
+		{ DNS_DSDIGEST_GOST, "GOST", 0 },                            \
+		{ DNS_DSDIGEST_SHA384, "SHA-384", 0 },                       \
+		{ DNS_DSDIGEST_SHA384, "SHA384", 0 }, {                      \
+		0, NULL, 0                                                   \
+	}
+
+struct tbl {
+	unsigned int value;
+	const char *name;
+	int flags;
+};
+
+static struct tbl rcodes[] = { RCODENAMES ERCODENAMES };
+static struct tbl tsigrcodes[] = { RCODENAMES TSIGRCODENAMES };
+static struct tbl certs[] = { CERTNAMES };
+static struct tbl secalgs[] = { SECALGNAMES };
+static struct tbl secprotos[] = { SECPROTONAMES };
+static struct tbl hashalgs[] = { HASHALGNAMES };
+static struct tbl dsdigests[] = { DSDIGESTNAMES };
+
+static struct keyflag {
+	const char *name;
+	unsigned int value;
+	unsigned int mask;
+} keyflags[] = { { "NOCONF", 0x4000, 0xC000 },
+		 { "NOAUTH", 0x8000, 0xC000 },
+		 { "NOKEY", 0xC000, 0xC000 },
+		 { "FLAG2", 0x2000, 0x2000 },
+		 { "EXTEND", 0x1000, 0x1000 },
+		 { "FLAG4", 0x0800, 0x0800 },
+		 { "FLAG5", 0x0400, 0x0400 },
+		 { "USER", 0x0000, 0x0300 },
+		 { "ZONE", 0x0100, 0x0300 },
+		 { "HOST", 0x0200, 0x0300 },
+		 { "NTYP3", 0x0300, 0x0300 },
+		 { "FLAG8", 0x0080, 0x0080 },
+		 { "FLAG9", 0x0040, 0x0040 },
+		 { "FLAG10", 0x0020, 0x0020 },
+		 { "FLAG11", 0x0010, 0x0010 },
+		 { "SIG0", 0x0000, 0x000F },
+		 { "SIG1", 0x0001, 0x000F },
+		 { "SIG2", 0x0002, 0x000F },
+		 { "SIG3", 0x0003, 0x000F },
+		 { "SIG4", 0x0004, 0x000F },
+		 { "SIG5", 0x0005, 0x000F },
+		 { "SIG6", 0x0006, 0x000F },
+		 { "SIG7", 0x0007, 0x000F },
+		 { "SIG8", 0x0008, 0x000F },
+		 { "SIG9", 0x0009, 0x000F },
+		 { "SIG10", 0x000A, 0x000F },
+		 { "SIG11", 0x000B, 0x000F },
+		 { "SIG12", 0x000C, 0x000F },
+		 { "SIG13", 0x000D, 0x000F },
+		 { "SIG14", 0x000E, 0x000F },
+		 { "SIG15", 0x000F, 0x000F },
+		 { "KSK", DNS_KEYFLAG_KSK, DNS_KEYFLAG_KSK },
+		 { NULL, 0, 0 } };
+
+static isc_result_t
+str_totext(const char *source, isc_buffer_t *target) {
+	unsigned int l;
+	isc_region_t region;
+
+	isc_buffer_availableregion(target, &region);
+	l = strlen(source);
+
+	if (l > region.length) {
+		return (ISC_R_NOSPACE);
+	}
+
+	memmove(region.base, source, l);
+	isc_buffer_add(target, l);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+maybe_numeric(unsigned int *valuep, isc_textregion_t *source, unsigned int max,
+	      bool hex_allowed) {
+	isc_result_t result;
+	uint32_t n;
+	char buffer[NUMBERSIZE];
+	int v;
+
+	if (!isdigit((unsigned char)source->base[0]) ||
+	    source->length > NUMBERSIZE - 1)
+	{
+		return (ISC_R_BADNUMBER);
+	}
+
+	/*
+	 * We have a potential number.	Try to parse it with
+	 * isc_parse_uint32().	isc_parse_uint32() requires
+	 * null termination, so we must make a copy.
+	 */
+	v = snprintf(buffer, sizeof(buffer), "%.*s", (int)source->length,
+		     source->base);
+	if (v < 0 || (unsigned)v != source->length) {
+		return (ISC_R_BADNUMBER);
+	}
+	INSIST(buffer[source->length] == '\0');
+
+	result = isc_parse_uint32(&n, buffer, 10);
+	if (result == ISC_R_BADNUMBER && hex_allowed) {
+		result = isc_parse_uint32(&n, buffer, 16);
+	}
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	if (n > max) {
+		return (ISC_R_RANGE);
+	}
+	*valuep = n;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dns_mnemonic_fromtext(unsigned int *valuep, isc_textregion_t *source,
+		      struct tbl *table, unsigned int max) {
+	isc_result_t result;
+	int i;
+
+	result = maybe_numeric(valuep, source, max, false);
+	if (result != ISC_R_BADNUMBER) {
+		return (result);
+	}
+
+	for (i = 0; table[i].name != NULL; i++) {
+		unsigned int n;
+		n = strlen(table[i].name);
+		if (n == source->length && (table[i].flags & TOTEXTONLY) == 0 &&
+		    strncasecmp(source->base, table[i].name, n) == 0)
+		{
+			*valuep = table[i].value;
+			return (ISC_R_SUCCESS);
+		}
+	}
+	return (DNS_R_UNKNOWN);
+}
+
+static isc_result_t
+dns_mnemonic_totext(unsigned int value, isc_buffer_t *target,
+		    struct tbl *table) {
+	int i = 0;
+	char buf[sizeof("4294967296")];
+	while (table[i].name != NULL) {
+		if (table[i].value == value) {
+			return (str_totext(table[i].name, target));
+		}
+		i++;
+	}
+	snprintf(buf, sizeof(buf), "%u", value);
+	return (str_totext(buf, target));
+}
+
+isc_result_t
+dns_rcode_fromtext(dns_rcode_t *rcodep, isc_textregion_t *source) {
+	unsigned int value;
+	RETERR(dns_mnemonic_fromtext(&value, source, rcodes, 0xffff));
+	*rcodep = value;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_rcode_totext(dns_rcode_t rcode, isc_buffer_t *target) {
+	return (dns_mnemonic_totext(rcode, target, rcodes));
+}
+
+isc_result_t
+dns_tsigrcode_fromtext(dns_rcode_t *rcodep, isc_textregion_t *source) {
+	unsigned int value;
+	RETERR(dns_mnemonic_fromtext(&value, source, tsigrcodes, 0xffff));
+	*rcodep = value;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_tsigrcode_totext(dns_rcode_t rcode, isc_buffer_t *target) {
+	return (dns_mnemonic_totext(rcode, target, tsigrcodes));
+}
+
+isc_result_t
+dns_cert_fromtext(dns_cert_t *certp, isc_textregion_t *source) {
+	unsigned int value;
+	RETERR(dns_mnemonic_fromtext(&value, source, certs, 0xffff));
+	*certp = value;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_cert_totext(dns_cert_t cert, isc_buffer_t *target) {
+	return (dns_mnemonic_totext(cert, target, certs));
+}
+
+isc_result_t
+dns_secalg_fromtext(dns_secalg_t *secalgp, isc_textregion_t *source) {
+	unsigned int value;
+	RETERR(dns_mnemonic_fromtext(&value, source, secalgs, 0xff));
+	*secalgp = value;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_secalg_totext(dns_secalg_t secalg, isc_buffer_t *target) {
+	return (dns_mnemonic_totext(secalg, target, secalgs));
+}
+
+void
+dns_secalg_format(dns_secalg_t alg, char *cp, unsigned int size) {
+	isc_buffer_t b;
+	isc_region_t r;
+	isc_result_t result;
+
+	REQUIRE(cp != NULL && size > 0);
+	isc_buffer_init(&b, cp, size - 1);
+	result = dns_secalg_totext(alg, &b);
+	isc_buffer_usedregion(&b, &r);
+	r.base[r.length] = 0;
+	if (result != ISC_R_SUCCESS) {
+		r.base[0] = 0;
+	}
+}
+
+isc_result_t
+dns_secproto_fromtext(dns_secproto_t *secprotop, isc_textregion_t *source) {
+	unsigned int value;
+	RETERR(dns_mnemonic_fromtext(&value, source, secprotos, 0xff));
+	*secprotop = value;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_secproto_totext(dns_secproto_t secproto, isc_buffer_t *target) {
+	return (dns_mnemonic_totext(secproto, target, secprotos));
+}
+
+isc_result_t
+dns_hashalg_fromtext(unsigned char *hashalg, isc_textregion_t *source) {
+	unsigned int value;
+	RETERR(dns_mnemonic_fromtext(&value, source, hashalgs, 0xff));
+	*hashalg = value;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_keyflags_fromtext(dns_keyflags_t *flagsp, isc_textregion_t *source) {
+	isc_result_t result;
+	char *text, *end;
+	unsigned int value = 0;
+#ifdef notyet
+	unsigned int mask = 0;
+#endif /* ifdef notyet */
+
+	result = maybe_numeric(&value, source, 0xffff, true);
+	if (result == ISC_R_SUCCESS) {
+		*flagsp = value;
+		return (ISC_R_SUCCESS);
+	}
+	if (result != ISC_R_BADNUMBER) {
+		return (result);
+	}
+
+	text = source->base;
+	end = source->base + source->length;
+
+	while (text < end) {
+		struct keyflag *p;
+		unsigned int len;
+		char *delim = memchr(text, '|', end - text);
+		if (delim != NULL) {
+			len = (unsigned int)(delim - text);
+		} else {
+			len = (unsigned int)(end - text);
+		}
+		for (p = keyflags; p->name != NULL; p++) {
+			if (strncasecmp(p->name, text, len) == 0) {
+				break;
+			}
+		}
+		if (p->name == NULL) {
+			return (DNS_R_UNKNOWNFLAG);
+		}
+		value |= p->value;
+#ifdef notyet
+		if ((mask & p->mask) != 0) {
+			warn("overlapping key flags");
+		}
+		mask |= p->mask;
+#endif /* ifdef notyet */
+		text += len;
+		if (delim != NULL) {
+			text++; /* Skip "|" */
+		}
+	}
+	*flagsp = value;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_dsdigest_fromtext(dns_dsdigest_t *dsdigestp, isc_textregion_t *source) {
+	unsigned int value;
+	RETERR(dns_mnemonic_fromtext(&value, source, dsdigests, 0xff));
+	*dsdigestp = value;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_dsdigest_totext(dns_dsdigest_t dsdigest, isc_buffer_t *target) {
+	return (dns_mnemonic_totext(dsdigest, target, dsdigests));
+}
+
+void
+dns_dsdigest_format(dns_dsdigest_t typ, char *cp, unsigned int size) {
+	isc_buffer_t b;
+	isc_region_t r;
+	isc_result_t result;
+
+	REQUIRE(cp != NULL && size > 0);
+	isc_buffer_init(&b, cp, size - 1);
+	result = dns_dsdigest_totext(typ, &b);
+	isc_buffer_usedregion(&b, &r);
+	r.base[r.length] = 0;
+	if (result != ISC_R_SUCCESS) {
+		r.base[0] = 0;
+	}
+}
+
+/*
+ * This uses lots of hard coded values, but how often do we actually
+ * add classes?
+ */
+isc_result_t
+dns_rdataclass_fromtext(dns_rdataclass_t *classp, isc_textregion_t *source) {
+#define COMPARE(string, rdclass)                                      \
+	if (((sizeof(string) - 1) == source->length) &&               \
+	    (strncasecmp(source->base, string, source->length) == 0)) \
+	{                                                             \
+		*classp = rdclass;                                    \
+		return (ISC_R_SUCCESS);                               \
+	}
+
+	switch (tolower((unsigned char)source->base[0])) {
+	case 'a':
+		COMPARE("any", dns_rdataclass_any);
+		break;
+	case 'c':
+		/*
+		 * RFC1035 says the mnemonic for the CHAOS class is CH,
+		 * but historical BIND practice is to call it CHAOS.
+		 * We will accept both forms, but only generate CH.
+		 */
+		COMPARE("ch", dns_rdataclass_chaos);
+		COMPARE("chaos", dns_rdataclass_chaos);
+
+		if (source->length > 5 &&
+		    source->length < (5 + sizeof("65000")) &&
+		    strncasecmp("class", source->base, 5) == 0)
+		{
+			char buf[sizeof("65000")];
+			char *endp;
+			unsigned int val;
+
+			/*
+			 * source->base is not required to be NUL terminated.
+			 * Copy up to remaining bytes and NUL terminate.
+			 */
+			snprintf(buf, sizeof(buf), "%.*s",
+				 (int)(source->length - 5), source->base + 5);
+			val = strtoul(buf, &endp, 10);
+			if (*endp == '\0' && val <= 0xffff) {
+				*classp = (dns_rdataclass_t)val;
+				return (ISC_R_SUCCESS);
+			}
+		}
+		break;
+	case 'h':
+		COMPARE("hs", dns_rdataclass_hs);
+		COMPARE("hesiod", dns_rdataclass_hs);
+		break;
+	case 'i':
+		COMPARE("in", dns_rdataclass_in);
+		break;
+	case 'n':
+		COMPARE("none", dns_rdataclass_none);
+		break;
+	case 'r':
+		COMPARE("reserved0", dns_rdataclass_reserved0);
+		break;
+	}
+
+#undef COMPARE
+
+	return (DNS_R_UNKNOWN);
+}
+
+isc_result_t
+dns_rdataclass_totext(dns_rdataclass_t rdclass, isc_buffer_t *target) {
+	switch (rdclass) {
+	case dns_rdataclass_any:
+		return (str_totext("ANY", target));
+	case dns_rdataclass_chaos:
+		return (str_totext("CH", target));
+	case dns_rdataclass_hs:
+		return (str_totext("HS", target));
+	case dns_rdataclass_in:
+		return (str_totext("IN", target));
+	case dns_rdataclass_none:
+		return (str_totext("NONE", target));
+	case dns_rdataclass_reserved0:
+		return (str_totext("RESERVED0", target));
+	default:
+		return (dns_rdataclass_tounknowntext(rdclass, target));
+	}
+}
+
+isc_result_t
+dns_rdataclass_tounknowntext(dns_rdataclass_t rdclass, isc_buffer_t *target) {
+	char buf[sizeof("CLASS65535")];
+
+	snprintf(buf, sizeof(buf), "CLASS%u", rdclass);
+	return (str_totext(buf, target));
+}
+
+void
+dns_rdataclass_format(dns_rdataclass_t rdclass, char *array,
+		      unsigned int size) {
+	isc_result_t result;
+	isc_buffer_t buf;
+
+	if (size == 0U) {
+		return;
+	}
+
+	isc_buffer_init(&buf, array, size);
+	result = dns_rdataclass_totext(rdclass, &buf);
+	/*
+	 * Null terminate.
+	 */
+	if (result == ISC_R_SUCCESS) {
+		if (isc_buffer_availablelength(&buf) >= 1) {
+			isc_buffer_putuint8(&buf, 0);
+		} else {
+			result = ISC_R_NOSPACE;
+		}
+	}
+	if (result != ISC_R_SUCCESS) {
+		strlcpy(array, "<unknown>", size);
+	}
+}
diff --git a/lib/dns/rdata.c b/lib/dns/rdata.c
new file mode 100644
index 0000000..a283831
--- /dev/null
+++ b/lib/dns/rdata.c
@@ -0,0 +1,2365 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <ctype.h>
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/base64.h>
+#include <isc/hex.h>
+#include <isc/lex.h>
+#include <isc/mem.h>
+#include <isc/parseint.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/callbacks.h>
+#include <dns/cert.h>
+#include <dns/compress.h>
+#include <dns/dsdigest.h>
+#include <dns/enumtype.h>
+#include <dns/keyflags.h>
+#include <dns/keyvalues.h>
+#include <dns/message.h>
+#include <dns/rcode.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/secalg.h>
+#include <dns/secproto.h>
+#include <dns/time.h>
+#include <dns/ttl.h>
+
+#define RETERR(x)                        \
+	do {                             \
+		isc_result_t _r = (x);   \
+		if (_r != ISC_R_SUCCESS) \
+			return ((_r));   \
+	} while (0)
+
+#define RETTOK(x)                                          \
+	do {                                               \
+		isc_result_t _r = (x);                     \
+		if (_r != ISC_R_SUCCESS) {                 \
+			isc_lex_ungettoken(lexer, &token); \
+			return (_r);                       \
+		}                                          \
+	} while (0)
+
+#define CHECK(op)                            \
+	do {                                 \
+		result = (op);               \
+		if (result != ISC_R_SUCCESS) \
+			goto cleanup;        \
+	} while (0)
+
+#define CHECKTOK(op)                                       \
+	do {                                               \
+		result = (op);                             \
+		if (result != ISC_R_SUCCESS) {             \
+			isc_lex_ungettoken(lexer, &token); \
+			goto cleanup;                      \
+		}                                          \
+	} while (0)
+
+#define DNS_AS_STR(t) ((t).value.as_textregion.base)
+
+#define ARGS_FROMTEXT                                           \
+	int rdclass, dns_rdatatype_t type, isc_lex_t *lexer,    \
+		const dns_name_t *origin, unsigned int options, \
+		isc_buffer_t *target, dns_rdatacallbacks_t *callbacks
+
+#define CALL_FROMTEXT rdclass, type, lexer, origin, options, target, callbacks
+
+#define ARGS_TOTEXT \
+	dns_rdata_t *rdata, dns_rdata_textctx_t *tctx, isc_buffer_t *target
+
+#define CALL_TOTEXT rdata, tctx, target
+
+#define ARGS_FROMWIRE                                            \
+	int rdclass, dns_rdatatype_t type, isc_buffer_t *source, \
+		dns_decompress_t *dctx, unsigned int options,    \
+		isc_buffer_t *target
+
+#define CALL_FROMWIRE rdclass, type, source, dctx, options, target
+
+#define ARGS_TOWIRE \
+	dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target
+
+#define CALL_TOWIRE rdata, cctx, target
+
+#define ARGS_COMPARE const dns_rdata_t *rdata1, const dns_rdata_t *rdata2
+
+#define CALL_COMPARE rdata1, rdata2
+
+#define ARGS_FROMSTRUCT \
+	int rdclass, dns_rdatatype_t type, void *source, isc_buffer_t *target
+
+#define CALL_FROMSTRUCT rdclass, type, source, target
+
+#define ARGS_TOSTRUCT const dns_rdata_t *rdata, void *target, isc_mem_t *mctx
+
+#define CALL_TOSTRUCT rdata, target, mctx
+
+#define ARGS_FREESTRUCT void *source
+
+#define CALL_FREESTRUCT source
+
+#define ARGS_ADDLDATA \
+	dns_rdata_t *rdata, dns_additionaldatafunc_t add, void *arg
+
+#define CALL_ADDLDATA rdata, add, arg
+
+#define ARGS_DIGEST dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg
+
+#define CALL_DIGEST rdata, digest, arg
+
+#define ARGS_CHECKOWNER                                   \
+	const dns_name_t *name, dns_rdataclass_t rdclass, \
+		dns_rdatatype_t type, bool wildcard
+
+#define CALL_CHECKOWNER name, rdclass, type, wildcard
+
+#define ARGS_CHECKNAMES \
+	dns_rdata_t *rdata, const dns_name_t *owner, dns_name_t *bad
+
+#define CALL_CHECKNAMES rdata, owner, bad
+
+/*%
+ * Context structure for the totext_ functions.
+ * Contains formatting options for rdata-to-text
+ * conversion.
+ */
+typedef struct dns_rdata_textctx {
+	const dns_name_t *origin;      /*%< Current origin, or NULL. */
+	dns_masterstyle_flags_t flags; /*%< DNS_STYLEFLAG_*  */
+	unsigned int width;	       /*%< Width of rdata column. */
+	const char *linebreak;	       /*%< Line break string. */
+} dns_rdata_textctx_t;
+
+static isc_result_t
+txt_totext(isc_region_t *source, bool quote, isc_buffer_t *target);
+
+static isc_result_t
+txt_fromtext(isc_textregion_t *source, isc_buffer_t *target);
+
+static isc_result_t
+txt_fromwire(isc_buffer_t *source, isc_buffer_t *target);
+
+static isc_result_t
+commatxt_fromtext(isc_textregion_t *source, bool comma, isc_buffer_t *target);
+
+static isc_result_t
+commatxt_totext(isc_region_t *source, bool quote, bool comma,
+		isc_buffer_t *target);
+
+static isc_result_t
+multitxt_totext(isc_region_t *source, isc_buffer_t *target);
+
+static isc_result_t
+multitxt_fromtext(isc_textregion_t *source, isc_buffer_t *target);
+
+static bool
+name_prefix(dns_name_t *name, const dns_name_t *origin, dns_name_t *target);
+
+static unsigned int
+name_length(const dns_name_t *name);
+
+static isc_result_t
+str_totext(const char *source, isc_buffer_t *target);
+
+static isc_result_t
+inet_totext(int af, uint32_t flags, isc_region_t *src, isc_buffer_t *target);
+
+static bool
+buffer_empty(isc_buffer_t *source);
+
+static void
+buffer_fromregion(isc_buffer_t *buffer, isc_region_t *region);
+
+static isc_result_t
+uint32_tobuffer(uint32_t, isc_buffer_t *target);
+
+static isc_result_t
+uint16_tobuffer(uint32_t, isc_buffer_t *target);
+
+static isc_result_t
+uint8_tobuffer(uint32_t, isc_buffer_t *target);
+
+static isc_result_t
+name_tobuffer(const dns_name_t *name, isc_buffer_t *target);
+
+static uint32_t
+uint32_fromregion(isc_region_t *region);
+
+static uint16_t
+uint16_fromregion(isc_region_t *region);
+
+static uint8_t
+uint8_fromregion(isc_region_t *region);
+
+static uint8_t
+uint8_consume_fromregion(isc_region_t *region);
+
+static isc_result_t
+mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length);
+
+static int
+hexvalue(char value);
+
+static int
+decvalue(char value);
+
+static void
+default_fromtext_callback(dns_rdatacallbacks_t *callbacks, const char *, ...)
+	ISC_FORMAT_PRINTF(2, 3);
+
+static void
+fromtext_error(void (*callback)(dns_rdatacallbacks_t *, const char *, ...),
+	       dns_rdatacallbacks_t *callbacks, const char *name,
+	       unsigned long line, isc_token_t *token, isc_result_t result);
+
+static void
+fromtext_warneof(isc_lex_t *lexer, dns_rdatacallbacks_t *callbacks);
+
+static isc_result_t
+rdata_totext(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
+	     isc_buffer_t *target);
+
+static void
+warn_badname(const dns_name_t *name, isc_lex_t *lexer,
+	     dns_rdatacallbacks_t *callbacks);
+
+static void
+warn_badmx(isc_token_t *token, isc_lex_t *lexer,
+	   dns_rdatacallbacks_t *callbacks);
+
+static uint16_t
+uint16_consume_fromregion(isc_region_t *region);
+
+static isc_result_t
+unknown_totext(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
+	       isc_buffer_t *target);
+
+static isc_result_t generic_fromtext_key(ARGS_FROMTEXT);
+
+static isc_result_t generic_totext_key(ARGS_TOTEXT);
+
+static isc_result_t generic_fromwire_key(ARGS_FROMWIRE);
+
+static isc_result_t generic_fromstruct_key(ARGS_FROMSTRUCT);
+
+static isc_result_t generic_tostruct_key(ARGS_TOSTRUCT);
+
+static void generic_freestruct_key(ARGS_FREESTRUCT);
+
+static isc_result_t generic_fromtext_txt(ARGS_FROMTEXT);
+
+static isc_result_t generic_totext_txt(ARGS_TOTEXT);
+
+static isc_result_t generic_fromwire_txt(ARGS_FROMWIRE);
+
+static isc_result_t generic_fromstruct_txt(ARGS_FROMSTRUCT);
+
+static isc_result_t generic_tostruct_txt(ARGS_TOSTRUCT);
+
+static void generic_freestruct_txt(ARGS_FREESTRUCT);
+
+static isc_result_t
+generic_txt_first(dns_rdata_txt_t *txt);
+
+static isc_result_t
+generic_txt_next(dns_rdata_txt_t *txt);
+
+static isc_result_t
+generic_txt_current(dns_rdata_txt_t *txt, dns_rdata_txt_string_t *string);
+
+static isc_result_t generic_totext_ds(ARGS_TOTEXT);
+
+static isc_result_t generic_tostruct_ds(ARGS_TOSTRUCT);
+
+static isc_result_t generic_fromtext_ds(ARGS_FROMTEXT);
+
+static isc_result_t generic_fromwire_ds(ARGS_FROMWIRE);
+
+static isc_result_t generic_fromstruct_ds(ARGS_FROMSTRUCT);
+
+static isc_result_t generic_fromtext_tlsa(ARGS_FROMTEXT);
+
+static isc_result_t generic_totext_tlsa(ARGS_TOTEXT);
+
+static isc_result_t generic_fromwire_tlsa(ARGS_FROMWIRE);
+
+static isc_result_t generic_fromstruct_tlsa(ARGS_FROMSTRUCT);
+
+static isc_result_t generic_tostruct_tlsa(ARGS_TOSTRUCT);
+
+static void generic_freestruct_tlsa(ARGS_FREESTRUCT);
+
+static isc_result_t generic_fromtext_in_svcb(ARGS_FROMTEXT);
+static isc_result_t generic_totext_in_svcb(ARGS_TOTEXT);
+static isc_result_t generic_fromwire_in_svcb(ARGS_FROMWIRE);
+static isc_result_t generic_towire_in_svcb(ARGS_TOWIRE);
+static isc_result_t generic_fromstruct_in_svcb(ARGS_FROMSTRUCT);
+static isc_result_t generic_tostruct_in_svcb(ARGS_TOSTRUCT);
+static void generic_freestruct_in_svcb(ARGS_FREESTRUCT);
+static isc_result_t generic_additionaldata_in_svcb(ARGS_ADDLDATA);
+static bool generic_checknames_in_svcb(ARGS_CHECKNAMES);
+static isc_result_t
+generic_rdata_in_svcb_first(dns_rdata_in_svcb_t *);
+static isc_result_t
+generic_rdata_in_svcb_next(dns_rdata_in_svcb_t *);
+static void
+generic_rdata_in_svcb_current(dns_rdata_in_svcb_t *, isc_region_t *);
+
+/*% INT16 Size */
+#define NS_INT16SZ 2
+/*% IPv6 Address Size */
+#define NS_LOCATORSZ 8
+
+/*
+ * Active Directory gc._msdcs.<forest> prefix.
+ */
+static unsigned char gc_msdcs_data[] = "\002gc\006_msdcs";
+static unsigned char gc_msdcs_offset[] = { 0, 3 };
+
+static dns_name_t const gc_msdcs = DNS_NAME_INITNONABSOLUTE(gc_msdcs_data,
+							    gc_msdcs_offset);
+
+/*%
+ *	convert presentation level address to network order binary form.
+ * \return
+ *	1 if `src' is a valid [RFC1884 2.2] address, else 0.
+ * \note
+ *	(1) does not touch `dst' unless it's returning 1.
+ */
+static int
+locator_pton(const char *src, unsigned char *dst) {
+	static const char xdigits_l[] = "0123456789abcdef",
+			  xdigits_u[] = "0123456789ABCDEF";
+	unsigned char tmp[NS_LOCATORSZ];
+	unsigned char *tp = tmp, *endp;
+	const char *xdigits;
+	int ch, seen_xdigits;
+	unsigned int val;
+
+	memset(tp, '\0', NS_LOCATORSZ);
+	endp = tp + NS_LOCATORSZ;
+	seen_xdigits = 0;
+	val = 0;
+	while ((ch = *src++) != '\0') {
+		const char *pch;
+
+		pch = strchr((xdigits = xdigits_l), ch);
+		if (pch == NULL) {
+			pch = strchr((xdigits = xdigits_u), ch);
+		}
+		if (pch != NULL) {
+			val <<= 4;
+			val |= (pch - xdigits);
+			if (++seen_xdigits > 4) {
+				return (0);
+			}
+			continue;
+		}
+		if (ch == ':') {
+			if (!seen_xdigits) {
+				return (0);
+			}
+			if (tp + NS_INT16SZ > endp) {
+				return (0);
+			}
+			*tp++ = (unsigned char)(val >> 8) & 0xff;
+			*tp++ = (unsigned char)val & 0xff;
+			seen_xdigits = 0;
+			val = 0;
+			continue;
+		}
+		return (0);
+	}
+	if (seen_xdigits) {
+		if (tp + NS_INT16SZ > endp) {
+			return (0);
+		}
+		*tp++ = (unsigned char)(val >> 8) & 0xff;
+		*tp++ = (unsigned char)val & 0xff;
+	}
+	if (tp != endp) {
+		return (0);
+	}
+	memmove(dst, tmp, NS_LOCATORSZ);
+	return (1);
+}
+
+static isc_result_t
+name_duporclone(const dns_name_t *source, isc_mem_t *mctx, dns_name_t *target) {
+	if (mctx != NULL) {
+		dns_name_dup(source, mctx, target);
+	} else {
+		dns_name_clone(source, target);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static void *
+mem_maybedup(isc_mem_t *mctx, void *source, size_t length) {
+	void *copy;
+
+	if (mctx == NULL) {
+		return (source);
+	}
+	copy = isc_mem_allocate(mctx, length);
+	memmove(copy, source, length);
+
+	return (copy);
+}
+
+static isc_result_t
+typemap_fromtext(isc_lex_t *lexer, isc_buffer_t *target, bool allow_empty) {
+	isc_token_t token;
+	unsigned char bm[8 * 1024]; /* 64k bits */
+	dns_rdatatype_t covered, max_used;
+	int octet;
+	unsigned int max_octet, newend, end;
+	int window;
+	bool first = true;
+
+	max_used = 0;
+	bm[0] = 0;
+	end = 0;
+
+	do {
+		RETERR(isc_lex_getmastertoken(lexer, &token,
+					      isc_tokentype_string, true));
+		if (token.type != isc_tokentype_string) {
+			break;
+		}
+		RETTOK(dns_rdatatype_fromtext(&covered,
+					      &token.value.as_textregion));
+		if (covered > max_used) {
+			newend = covered / 8;
+			if (newend > end) {
+				memset(&bm[end + 1], 0, newend - end);
+				end = newend;
+			}
+			max_used = covered;
+		}
+		bm[covered / 8] |= (0x80 >> (covered % 8));
+		first = false;
+	} while (1);
+	isc_lex_ungettoken(lexer, &token);
+	if (!allow_empty && first) {
+		return (DNS_R_FORMERR);
+	}
+
+	for (window = 0; window < 256; window++) {
+		if (max_used < window * 256) {
+			break;
+		}
+
+		max_octet = max_used - (window * 256);
+		if (max_octet >= 256) {
+			max_octet = 31;
+		} else {
+			max_octet /= 8;
+		}
+
+		/*
+		 * Find if we have a type in this window.
+		 */
+		for (octet = max_octet; octet >= 0; octet--) {
+			if (bm[window * 32 + octet] != 0) {
+				break;
+			}
+		}
+		if (octet < 0) {
+			continue;
+		}
+		RETERR(uint8_tobuffer(window, target));
+		RETERR(uint8_tobuffer(octet + 1, target));
+		RETERR(mem_tobuffer(target, &bm[window * 32], octet + 1));
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+typemap_totext(isc_region_t *sr, dns_rdata_textctx_t *tctx,
+	       isc_buffer_t *target) {
+	unsigned int i, j, k;
+	unsigned int window, len;
+	bool first = true;
+
+	for (i = 0; i < sr->length; i += len) {
+		if (tctx != NULL &&
+		    (tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		{
+			RETERR(str_totext(tctx->linebreak, target));
+			first = true;
+		}
+		INSIST(i + 2 <= sr->length);
+		window = sr->base[i];
+		len = sr->base[i + 1];
+		INSIST(len > 0 && len <= 32);
+		i += 2;
+		INSIST(i + len <= sr->length);
+		for (j = 0; j < len; j++) {
+			dns_rdatatype_t t;
+			if (sr->base[i + j] == 0) {
+				continue;
+			}
+			for (k = 0; k < 8; k++) {
+				if ((sr->base[i + j] & (0x80 >> k)) == 0) {
+					continue;
+				}
+				t = window * 256 + j * 8 + k;
+				if (!first) {
+					RETERR(str_totext(" ", target));
+				}
+				first = false;
+				if (dns_rdatatype_isknown(t)) {
+					RETERR(dns_rdatatype_totext(t, target));
+				} else {
+					char buf[sizeof("TYPE65535")];
+					snprintf(buf, sizeof(buf), "TYPE%u", t);
+					RETERR(str_totext(buf, target));
+				}
+			}
+		}
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+typemap_test(isc_region_t *sr, bool allow_empty) {
+	unsigned int window, lastwindow = 0;
+	unsigned int len;
+	bool first = true;
+	unsigned int i;
+
+	for (i = 0; i < sr->length; i += len) {
+		/*
+		 * Check for overflow.
+		 */
+		if (i + 2 > sr->length) {
+			RETERR(DNS_R_FORMERR);
+		}
+		window = sr->base[i];
+		len = sr->base[i + 1];
+		i += 2;
+		/*
+		 * Check that bitmap windows are in the correct order.
+		 */
+		if (!first && window <= lastwindow) {
+			RETERR(DNS_R_FORMERR);
+		}
+		/*
+		 * Check for legal lengths.
+		 */
+		if (len < 1 || len > 32) {
+			RETERR(DNS_R_FORMERR);
+		}
+		/*
+		 * Check for overflow.
+		 */
+		if (i + len > sr->length) {
+			RETERR(DNS_R_FORMERR);
+		}
+		/*
+		 * The last octet of the bitmap must be non zero.
+		 */
+		if (sr->base[i + len - 1] == 0) {
+			RETERR(DNS_R_FORMERR);
+		}
+		lastwindow = window;
+		first = false;
+	}
+	if (i != sr->length) {
+		return (DNS_R_EXTRADATA);
+	}
+	if (!allow_empty && first) {
+		RETERR(DNS_R_FORMERR);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static const char hexdigits[] = "0123456789abcdef";
+static const char decdigits[] = "0123456789";
+
+#include "code.h"
+
+#define META	 0x0001
+#define RESERVED 0x0002
+
+/***
+ *** Initialization
+ ***/
+
+void
+dns_rdata_init(dns_rdata_t *rdata) {
+	REQUIRE(rdata != NULL);
+
+	rdata->data = NULL;
+	rdata->length = 0;
+	rdata->rdclass = 0;
+	rdata->type = 0;
+	rdata->flags = 0;
+	ISC_LINK_INIT(rdata, link);
+	/* ISC_LIST_INIT(rdata->list); */
+}
+
+void
+dns_rdata_reset(dns_rdata_t *rdata) {
+	REQUIRE(rdata != NULL);
+
+	REQUIRE(!ISC_LINK_LINKED(rdata, link));
+	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
+
+	rdata->data = NULL;
+	rdata->length = 0;
+	rdata->rdclass = 0;
+	rdata->type = 0;
+	rdata->flags = 0;
+}
+
+/***
+ ***
+ ***/
+
+void
+dns_rdata_clone(const dns_rdata_t *src, dns_rdata_t *target) {
+	REQUIRE(src != NULL);
+	REQUIRE(target != NULL);
+
+	REQUIRE(DNS_RDATA_INITIALIZED(target));
+
+	REQUIRE(DNS_RDATA_VALIDFLAGS(src));
+	REQUIRE(DNS_RDATA_VALIDFLAGS(target));
+
+	target->data = src->data;
+	target->length = src->length;
+	target->rdclass = src->rdclass;
+	target->type = src->type;
+	target->flags = src->flags;
+}
+
+/***
+ *** Comparisons
+ ***/
+
+int
+dns_rdata_compare(const dns_rdata_t *rdata1, const dns_rdata_t *rdata2) {
+	int result = 0;
+	bool use_default = false;
+
+	REQUIRE(rdata1 != NULL);
+	REQUIRE(rdata2 != NULL);
+	REQUIRE(rdata1->length == 0 || rdata1->data != NULL);
+	REQUIRE(rdata2->length == 0 || rdata2->data != NULL);
+	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata1));
+	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata2));
+
+	if (rdata1->rdclass != rdata2->rdclass) {
+		return (rdata1->rdclass < rdata2->rdclass ? -1 : 1);
+	}
+
+	if (rdata1->type != rdata2->type) {
+		return (rdata1->type < rdata2->type ? -1 : 1);
+	}
+
+	COMPARESWITCH
+
+	if (use_default) {
+		isc_region_t r1;
+		isc_region_t r2;
+
+		dns_rdata_toregion(rdata1, &r1);
+		dns_rdata_toregion(rdata2, &r2);
+		result = isc_region_compare(&r1, &r2);
+	}
+	return (result);
+}
+
+int
+dns_rdata_casecompare(const dns_rdata_t *rdata1, const dns_rdata_t *rdata2) {
+	int result = 0;
+	bool use_default = false;
+
+	REQUIRE(rdata1 != NULL);
+	REQUIRE(rdata2 != NULL);
+	REQUIRE(rdata1->length == 0 || rdata1->data != NULL);
+	REQUIRE(rdata2->length == 0 || rdata2->data != NULL);
+	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata1));
+	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata2));
+
+	if (rdata1->rdclass != rdata2->rdclass) {
+		return (rdata1->rdclass < rdata2->rdclass ? -1 : 1);
+	}
+
+	if (rdata1->type != rdata2->type) {
+		return (rdata1->type < rdata2->type ? -1 : 1);
+	}
+
+	CASECOMPARESWITCH
+
+	if (use_default) {
+		isc_region_t r1;
+		isc_region_t r2;
+
+		dns_rdata_toregion(rdata1, &r1);
+		dns_rdata_toregion(rdata2, &r2);
+		result = isc_region_compare(&r1, &r2);
+	}
+	return (result);
+}
+
+/***
+ *** Conversions
+ ***/
+
+void
+dns_rdata_fromregion(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
+		     dns_rdatatype_t type, isc_region_t *r) {
+	REQUIRE(rdata != NULL);
+	REQUIRE(DNS_RDATA_INITIALIZED(rdata));
+	REQUIRE(r != NULL);
+
+	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
+
+	rdata->data = r->base;
+	rdata->length = r->length;
+	rdata->rdclass = rdclass;
+	rdata->type = type;
+	rdata->flags = 0;
+}
+
+void
+dns_rdata_toregion(const dns_rdata_t *rdata, isc_region_t *r) {
+	REQUIRE(rdata != NULL);
+	REQUIRE(r != NULL);
+	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
+
+	r->base = rdata->data;
+	r->length = rdata->length;
+}
+
+isc_result_t
+dns_rdata_fromwire(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
+		   dns_rdatatype_t type, isc_buffer_t *source,
+		   dns_decompress_t *dctx, unsigned int options,
+		   isc_buffer_t *target) {
+	isc_result_t result = ISC_R_NOTIMPLEMENTED;
+	isc_region_t region;
+	isc_buffer_t ss;
+	isc_buffer_t st;
+	bool use_default = false;
+	uint32_t activelength;
+	unsigned int length;
+
+	REQUIRE(dctx != NULL);
+	if (rdata != NULL) {
+		REQUIRE(DNS_RDATA_INITIALIZED(rdata));
+		REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
+	}
+	REQUIRE(source != NULL);
+	REQUIRE(target != NULL);
+
+	if (type == 0) {
+		return (DNS_R_FORMERR);
+	}
+
+	ss = *source;
+	st = *target;
+
+	activelength = isc_buffer_activelength(source);
+	INSIST(activelength < 65536);
+
+	FROMWIRESWITCH
+
+	if (use_default) {
+		if (activelength > isc_buffer_availablelength(target)) {
+			result = ISC_R_NOSPACE;
+		} else {
+			isc_buffer_putmem(target, isc_buffer_current(source),
+					  activelength);
+			isc_buffer_forward(source, activelength);
+			result = ISC_R_SUCCESS;
+		}
+	}
+
+	/*
+	 * Reject any rdata that expands out to more than DNS_RDATA_MAXLENGTH
+	 * as we cannot transmit it.
+	 */
+	length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
+	if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH) {
+		result = DNS_R_FORMERR;
+	}
+
+	/*
+	 * We should have consumed all of our buffer.
+	 */
+	if (result == ISC_R_SUCCESS && !buffer_empty(source)) {
+		result = DNS_R_EXTRADATA;
+	}
+
+	if (rdata != NULL && result == ISC_R_SUCCESS) {
+		region.base = isc_buffer_used(&st);
+		region.length = length;
+		dns_rdata_fromregion(rdata, rdclass, type, &region);
+	}
+
+	if (result != ISC_R_SUCCESS) {
+		*source = ss;
+		*target = st;
+	}
+	return (result);
+}
+
+isc_result_t
+dns_rdata_towire(dns_rdata_t *rdata, dns_compress_t *cctx,
+		 isc_buffer_t *target) {
+	isc_result_t result = ISC_R_NOTIMPLEMENTED;
+	bool use_default = false;
+	isc_region_t tr;
+	isc_buffer_t st;
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
+
+	/*
+	 * Some DynDNS meta-RRs have empty rdata.
+	 */
+	if ((rdata->flags & DNS_RDATA_UPDATE) != 0) {
+		INSIST(rdata->length == 0);
+		return (ISC_R_SUCCESS);
+	}
+
+	st = *target;
+
+	TOWIRESWITCH
+
+	if (use_default) {
+		isc_buffer_availableregion(target, &tr);
+		if (tr.length < rdata->length) {
+			return (ISC_R_NOSPACE);
+		}
+		memmove(tr.base, rdata->data, rdata->length);
+		isc_buffer_add(target, rdata->length);
+		return (ISC_R_SUCCESS);
+	}
+	if (result != ISC_R_SUCCESS) {
+		*target = st;
+		INSIST(target->used < 65536);
+		dns_compress_rollback(cctx, (uint16_t)target->used);
+	}
+	return (result);
+}
+
+/*
+ * If the binary data in 'src' is valid uncompressed wire format
+ * rdata of class 'rdclass' and type 'type', return ISC_R_SUCCESS
+ * and copy the validated rdata to 'dest'.  Otherwise return an error.
+ */
+static isc_result_t
+rdata_validate(isc_buffer_t *src, isc_buffer_t *dest, dns_rdataclass_t rdclass,
+	       dns_rdatatype_t type) {
+	dns_decompress_t dctx;
+	isc_result_t result;
+
+	dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_NONE);
+	isc_buffer_setactive(src, isc_buffer_usedlength(src));
+	result = dns_rdata_fromwire(NULL, rdclass, type, src, &dctx, 0, dest);
+	dns_decompress_invalidate(&dctx);
+
+	return (result);
+}
+
+static isc_result_t
+unknown_fromtext(dns_rdataclass_t rdclass, dns_rdatatype_t type,
+		 isc_lex_t *lexer, isc_mem_t *mctx, isc_buffer_t *target) {
+	isc_result_t result;
+	isc_buffer_t *buf = NULL;
+	isc_token_t token;
+
+	if (type == 0 || dns_rdatatype_ismeta(type)) {
+		return (DNS_R_METATYPE);
+	}
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 65535U) {
+		return (ISC_R_RANGE);
+	}
+	isc_buffer_allocate(mctx, &buf, token.value.as_ulong);
+
+	if (token.value.as_ulong != 0U) {
+		result = isc_hex_tobuffer(lexer, buf,
+					  (unsigned int)token.value.as_ulong);
+		if (result != ISC_R_SUCCESS) {
+			goto failure;
+		}
+		if (isc_buffer_usedlength(buf) != token.value.as_ulong) {
+			result = ISC_R_UNEXPECTEDEND;
+			goto failure;
+		}
+	}
+
+	if (dns_rdatatype_isknown(type)) {
+		result = rdata_validate(buf, target, rdclass, type);
+	} else {
+		isc_region_t r;
+		isc_buffer_usedregion(buf, &r);
+		result = isc_buffer_copyregion(target, &r);
+	}
+	if (result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+
+	isc_buffer_free(&buf);
+	return (ISC_R_SUCCESS);
+
+failure:
+	isc_buffer_free(&buf);
+	return (result);
+}
+
+isc_result_t
+dns_rdata_fromtext(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
+		   dns_rdatatype_t type, isc_lex_t *lexer,
+		   const dns_name_t *origin, unsigned int options,
+		   isc_mem_t *mctx, isc_buffer_t *target,
+		   dns_rdatacallbacks_t *callbacks) {
+	isc_result_t result = ISC_R_NOTIMPLEMENTED;
+	isc_region_t region;
+	isc_buffer_t st;
+	isc_token_t token;
+	unsigned int lexoptions = ISC_LEXOPT_EOL | ISC_LEXOPT_EOF |
+				  ISC_LEXOPT_DNSMULTILINE | ISC_LEXOPT_ESCAPE;
+	char *name;
+	unsigned long line;
+	void (*callback)(dns_rdatacallbacks_t *, const char *, ...);
+	isc_result_t tresult;
+	unsigned int length;
+	bool unknown;
+
+	REQUIRE(origin == NULL || dns_name_isabsolute(origin));
+	if (rdata != NULL) {
+		REQUIRE(DNS_RDATA_INITIALIZED(rdata));
+		REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
+	}
+	if (callbacks != NULL) {
+		REQUIRE(callbacks->warn != NULL);
+		REQUIRE(callbacks->error != NULL);
+	}
+
+	st = *target;
+
+	if (callbacks != NULL) {
+		callback = callbacks->error;
+	} else {
+		callback = default_fromtext_callback;
+	}
+
+	result = isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
+					true);
+	if (result != ISC_R_SUCCESS) {
+		name = isc_lex_getsourcename(lexer);
+		line = isc_lex_getsourceline(lexer);
+		fromtext_error(callback, callbacks, name, line, NULL, result);
+		return (result);
+	}
+
+	unknown = false;
+	if (token.type == isc_tokentype_string &&
+	    strcmp(DNS_AS_STR(token), "\\#") == 0)
+	{
+		/*
+		 * If this is a TXT record '\#' could be a escaped '#'.
+		 * Look to see if the next token is a number and if so
+		 * treat it as a unknown record format.
+		 */
+		if (type == dns_rdatatype_txt) {
+			result = isc_lex_getmastertoken(
+				lexer, &token, isc_tokentype_number, false);
+			if (result == ISC_R_SUCCESS) {
+				isc_lex_ungettoken(lexer, &token);
+			}
+		}
+
+		if (result == ISC_R_SUCCESS) {
+			unknown = true;
+			result = unknown_fromtext(rdclass, type, lexer, mctx,
+						  target);
+		} else {
+			options |= DNS_RDATA_UNKNOWNESCAPE;
+		}
+	} else {
+		isc_lex_ungettoken(lexer, &token);
+	}
+
+	if (!unknown) {
+		FROMTEXTSWITCH
+
+		/*
+		 * Consume to end of line / file.
+		 * If not at end of line initially set error code.
+		 * Call callback via fromtext_error once if there was an error.
+		 */
+	}
+	do {
+		name = isc_lex_getsourcename(lexer);
+		line = isc_lex_getsourceline(lexer);
+		tresult = isc_lex_gettoken(lexer, lexoptions, &token);
+		if (tresult != ISC_R_SUCCESS) {
+			if (result == ISC_R_SUCCESS) {
+				result = tresult;
+			}
+			if (callback != NULL) {
+				fromtext_error(callback, callbacks, name, line,
+					       NULL, result);
+			}
+			break;
+		} else if (token.type != isc_tokentype_eol &&
+			   token.type != isc_tokentype_eof)
+		{
+			if (result == ISC_R_SUCCESS) {
+				result = DNS_R_EXTRATOKEN;
+			}
+			if (callback != NULL) {
+				fromtext_error(callback, callbacks, name, line,
+					       &token, result);
+				callback = NULL;
+			}
+		} else if (result != ISC_R_SUCCESS && callback != NULL) {
+			fromtext_error(callback, callbacks, name, line, &token,
+				       result);
+			break;
+		} else {
+			if (token.type == isc_tokentype_eof) {
+				fromtext_warneof(lexer, callbacks);
+			}
+			break;
+		}
+	} while (1);
+
+	length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
+	if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH) {
+		result = ISC_R_NOSPACE;
+	}
+
+	if (rdata != NULL && result == ISC_R_SUCCESS) {
+		region.base = isc_buffer_used(&st);
+		region.length = length;
+		dns_rdata_fromregion(rdata, rdclass, type, &region);
+	}
+	if (result != ISC_R_SUCCESS) {
+		*target = st;
+	}
+	return (result);
+}
+
+static isc_result_t
+unknown_totext(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
+	       isc_buffer_t *target) {
+	isc_result_t result;
+	char buf[sizeof("65535")];
+	isc_region_t sr;
+
+	strlcpy(buf, "\\# ", sizeof(buf));
+	result = str_totext(buf, target);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	dns_rdata_toregion(rdata, &sr);
+	INSIST(sr.length < 65536);
+	snprintf(buf, sizeof(buf), "%u", sr.length);
+	result = str_totext(buf, target);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	if (sr.length != 0U) {
+		if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+			result = str_totext(" ( ", target);
+		} else {
+			result = str_totext(" ", target);
+		}
+
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+
+		if (tctx->width == 0) { /* No splitting */
+			result = isc_hex_totext(&sr, 0, "", target);
+		} else {
+			result = isc_hex_totext(&sr, tctx->width - 2,
+						tctx->linebreak, target);
+		}
+		if (result == ISC_R_SUCCESS &&
+		    (tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		{
+			result = str_totext(" )", target);
+		}
+	}
+	return (result);
+}
+
+static isc_result_t
+rdata_totext(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
+	     isc_buffer_t *target) {
+	isc_result_t result = ISC_R_NOTIMPLEMENTED;
+	bool use_default = false;
+	unsigned int cur;
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(tctx->origin == NULL || dns_name_isabsolute(tctx->origin));
+
+	/*
+	 * Some DynDNS meta-RRs have empty rdata.
+	 */
+	if ((rdata->flags & DNS_RDATA_UPDATE) != 0) {
+		INSIST(rdata->length == 0);
+		return (ISC_R_SUCCESS);
+	}
+
+	if ((tctx->flags & DNS_STYLEFLAG_UNKNOWNFORMAT) != 0) {
+		return (unknown_totext(rdata, tctx, target));
+	}
+
+	cur = isc_buffer_usedlength(target);
+
+	TOTEXTSWITCH
+
+	if (use_default || (result == ISC_R_NOTIMPLEMENTED)) {
+		unsigned int u = isc_buffer_usedlength(target);
+
+		INSIST(u >= cur);
+		isc_buffer_subtract(target, u - cur);
+		result = unknown_totext(rdata, tctx, target);
+	}
+
+	return (result);
+}
+
+isc_result_t
+dns_rdata_totext(dns_rdata_t *rdata, const dns_name_t *origin,
+		 isc_buffer_t *target) {
+	dns_rdata_textctx_t tctx;
+
+	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
+
+	/*
+	 * Set up formatting options for single-line output.
+	 */
+	tctx.origin = origin;
+	tctx.flags = 0;
+	tctx.width = 60;
+	tctx.linebreak = " ";
+	return (rdata_totext(rdata, &tctx, target));
+}
+
+isc_result_t
+dns_rdata_tofmttext(dns_rdata_t *rdata, const dns_name_t *origin,
+		    dns_masterstyle_flags_t flags, unsigned int width,
+		    unsigned int split_width, const char *linebreak,
+		    isc_buffer_t *target) {
+	dns_rdata_textctx_t tctx;
+
+	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
+
+	/*
+	 * Set up formatting options for formatted output.
+	 */
+	tctx.origin = origin;
+	tctx.flags = flags;
+	if (split_width == 0xffffffff) {
+		tctx.width = width;
+	} else {
+		tctx.width = split_width;
+	}
+
+	if ((flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+		tctx.linebreak = linebreak;
+	} else {
+		if (split_width == 0xffffffff) {
+			tctx.width = 60; /* Used for hex word length only. */
+		}
+		tctx.linebreak = " ";
+	}
+	return (rdata_totext(rdata, &tctx, target));
+}
+
+isc_result_t
+dns_rdata_fromstruct(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
+		     dns_rdatatype_t type, void *source, isc_buffer_t *target) {
+	isc_result_t result = ISC_R_NOTIMPLEMENTED;
+	isc_buffer_t st;
+	isc_region_t region;
+	bool use_default = false;
+	unsigned int length;
+
+	REQUIRE(source != NULL);
+	if (rdata != NULL) {
+		REQUIRE(DNS_RDATA_INITIALIZED(rdata));
+		REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
+	}
+
+	st = *target;
+
+	FROMSTRUCTSWITCH
+
+	if (use_default) {
+		(void)NULL;
+	}
+
+	length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
+	if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH) {
+		result = ISC_R_NOSPACE;
+	}
+
+	if (rdata != NULL && result == ISC_R_SUCCESS) {
+		region.base = isc_buffer_used(&st);
+		region.length = length;
+		dns_rdata_fromregion(rdata, rdclass, type, &region);
+	}
+	if (result != ISC_R_SUCCESS) {
+		*target = st;
+	}
+	return (result);
+}
+
+isc_result_t
+dns_rdata_tostruct(const dns_rdata_t *rdata, void *target, isc_mem_t *mctx) {
+	isc_result_t result = ISC_R_NOTIMPLEMENTED;
+	bool use_default = false;
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
+	REQUIRE((rdata->flags & DNS_RDATA_UPDATE) == 0);
+
+	TOSTRUCTSWITCH
+
+	if (use_default) {
+		(void)NULL;
+	}
+
+	return (result);
+}
+
+void
+dns_rdata_freestruct(void *source) {
+	dns_rdatacommon_t *common = source;
+	REQUIRE(common != NULL);
+
+	FREESTRUCTSWITCH
+}
+
+isc_result_t
+dns_rdata_additionaldata(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
+			 void *arg) {
+	isc_result_t result = ISC_R_NOTIMPLEMENTED;
+	bool use_default = false;
+
+	/*
+	 * Call 'add' for each name and type from 'rdata' which is subject to
+	 * additional section processing.
+	 */
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(add != NULL);
+	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
+
+	ADDITIONALDATASWITCH
+
+	/* No additional processing for unknown types */
+	if (use_default) {
+		result = ISC_R_SUCCESS;
+	}
+
+	return (result);
+}
+
+isc_result_t
+dns_rdata_digest(dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg) {
+	isc_result_t result = ISC_R_NOTIMPLEMENTED;
+	bool use_default = false;
+	isc_region_t r;
+
+	/*
+	 * Send 'rdata' in DNSSEC canonical form to 'digest'.
+	 */
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(digest != NULL);
+	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
+
+	DIGESTSWITCH
+
+	if (use_default) {
+		dns_rdata_toregion(rdata, &r);
+		result = (digest)(arg, &r);
+	}
+
+	return (result);
+}
+
+bool
+dns_rdata_checkowner(const dns_name_t *name, dns_rdataclass_t rdclass,
+		     dns_rdatatype_t type, bool wildcard) {
+	bool result;
+
+	CHECKOWNERSWITCH
+	return (result);
+}
+
+bool
+dns_rdata_checknames(dns_rdata_t *rdata, const dns_name_t *owner,
+		     dns_name_t *bad) {
+	bool result;
+
+	CHECKNAMESSWITCH
+	return (result);
+}
+
+unsigned int
+dns_rdatatype_attributes(dns_rdatatype_t type) {
+	RDATATYPE_ATTRIBUTE_SW
+	if (type >= (dns_rdatatype_t)128 && type <= (dns_rdatatype_t)255) {
+		return (DNS_RDATATYPEATTR_UNKNOWN | DNS_RDATATYPEATTR_META);
+	}
+	return (DNS_RDATATYPEATTR_UNKNOWN);
+}
+
+isc_result_t
+dns_rdatatype_fromtext(dns_rdatatype_t *typep, isc_textregion_t *source) {
+	unsigned int hash;
+	unsigned int n;
+	unsigned char a, b;
+
+	n = source->length;
+
+	if (n == 0) {
+		return (DNS_R_UNKNOWN);
+	}
+
+	a = tolower((unsigned char)source->base[0]);
+	b = tolower((unsigned char)source->base[n - 1]);
+
+	hash = ((a + n) * b) % 256;
+
+	/*
+	 * This switch block is inlined via \#define, and will use "return"
+	 * to return a result to the caller if it is a valid (known)
+	 * rdatatype name.
+	 */
+	RDATATYPE_FROMTEXT_SW(hash, source->base, n, typep);
+
+	if (source->length > 4 && source->length < (4 + sizeof("65000")) &&
+	    strncasecmp("type", source->base, 4) == 0)
+	{
+		char buf[sizeof("65000")];
+		char *endp;
+		unsigned int val;
+
+		/*
+		 * source->base is not required to be NUL terminated.
+		 * Copy up to remaining bytes and NUL terminate.
+		 */
+		snprintf(buf, sizeof(buf), "%.*s", (int)(source->length - 4),
+			 source->base + 4);
+		val = strtoul(buf, &endp, 10);
+		if (*endp == '\0' && val <= 0xffff) {
+			*typep = (dns_rdatatype_t)val;
+			return (ISC_R_SUCCESS);
+		}
+	}
+
+	return (DNS_R_UNKNOWN);
+}
+
+isc_result_t
+dns_rdatatype_totext(dns_rdatatype_t type, isc_buffer_t *target) {
+	RDATATYPE_TOTEXT_SW
+
+	return (dns_rdatatype_tounknowntext(type, target));
+}
+
+isc_result_t
+dns_rdatatype_tounknowntext(dns_rdatatype_t type, isc_buffer_t *target) {
+	char buf[sizeof("TYPE65535")];
+
+	snprintf(buf, sizeof(buf), "TYPE%u", type);
+	return (str_totext(buf, target));
+}
+
+void
+dns_rdatatype_format(dns_rdatatype_t rdtype, char *array, unsigned int size) {
+	isc_result_t result;
+	isc_buffer_t buf;
+
+	if (size == 0U) {
+		return;
+	}
+
+	isc_buffer_init(&buf, array, size);
+	result = dns_rdatatype_totext(rdtype, &buf);
+	/*
+	 * Null terminate.
+	 */
+	if (result == ISC_R_SUCCESS) {
+		if (isc_buffer_availablelength(&buf) >= 1) {
+			isc_buffer_putuint8(&buf, 0);
+		} else {
+			result = ISC_R_NOSPACE;
+		}
+	}
+	if (result != ISC_R_SUCCESS) {
+		strlcpy(array, "<unknown>", size);
+	}
+}
+
+/*
+ * Private function.
+ */
+
+static unsigned int
+name_length(const dns_name_t *name) {
+	return (name->length);
+}
+
+static isc_result_t
+commatxt_totext(isc_region_t *source, bool quote, bool comma,
+		isc_buffer_t *target) {
+	unsigned int tl;
+	unsigned int n;
+	unsigned char *sp;
+	char *tp;
+	isc_region_t region;
+
+	isc_buffer_availableregion(target, &region);
+	sp = source->base;
+	tp = (char *)region.base;
+	tl = region.length;
+
+	n = *sp++;
+
+	REQUIRE(n + 1 <= source->length);
+	if (n == 0U) {
+		REQUIRE(quote);
+	}
+
+	if (quote) {
+		if (tl < 1) {
+			return (ISC_R_NOSPACE);
+		}
+		*tp++ = '"';
+		tl--;
+	}
+	while (n--) {
+		/*
+		 * \DDD space (0x20) if not quoting.
+		 */
+		if (*sp < (quote ? ' ' : '!') || *sp >= 0x7f) {
+			if (tl < 4) {
+				return (ISC_R_NOSPACE);
+			}
+			*tp++ = '\\';
+			*tp++ = '0' + ((*sp / 100) % 10);
+			*tp++ = '0' + ((*sp / 10) % 10);
+			*tp++ = '0' + (*sp % 10);
+			sp++;
+			tl -= 4;
+			continue;
+		}
+		/*
+		 * Escape double quote and backslash.  If we are not
+		 * enclosing the string in double quotes, also escape
+		 * at sign (@) and semicolon (;) unless comma is set.
+		 * If comma is set, then only escape commas (,).
+		 */
+		if (*sp == '"' || *sp == '\\' || (comma && *sp == ',') ||
+		    (!comma && !quote && (*sp == '@' || *sp == ';')))
+		{
+			if (tl < 2) {
+				return (ISC_R_NOSPACE);
+			}
+			*tp++ = '\\';
+			tl--;
+			/*
+			 * Perform comma escape processing.
+			 * ',' => '\\,'
+			 * '\' => '\\\\'
+			 */
+			if (comma && (*sp == ',' || *sp == '\\')) {
+				if (tl < ((*sp == '\\') ? 3 : 2)) {
+					return (ISC_R_NOSPACE);
+				}
+				*tp++ = '\\';
+				tl--;
+				if (*sp == '\\') {
+					*tp++ = '\\';
+					tl--;
+				}
+			}
+		}
+		if (tl < 1) {
+			return (ISC_R_NOSPACE);
+		}
+		*tp++ = *sp++;
+		tl--;
+	}
+	if (quote) {
+		if (tl < 1) {
+			return (ISC_R_NOSPACE);
+		}
+		*tp++ = '"';
+		tl--;
+		POST(tl);
+	}
+	isc_buffer_add(target, (unsigned int)(tp - (char *)region.base));
+	isc_region_consume(source, *source->base + 1);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+txt_totext(isc_region_t *source, bool quote, isc_buffer_t *target) {
+	return (commatxt_totext(source, quote, false, target));
+}
+
+static isc_result_t
+commatxt_fromtext(isc_textregion_t *source, bool comma, isc_buffer_t *target) {
+	isc_region_t tregion;
+	bool escape = false, comma_escape = false, seen_comma = false;
+	unsigned int n, nrem;
+	char *s;
+	unsigned char *t;
+	int d;
+	int c;
+
+	isc_buffer_availableregion(target, &tregion);
+	s = source->base;
+	n = source->length;
+	t = tregion.base;
+	nrem = tregion.length;
+	if (nrem < 1) {
+		return (ISC_R_NOSPACE);
+	}
+	/*
+	 * Length byte.
+	 */
+	nrem--;
+	t++;
+	/*
+	 * Maximum text string length.
+	 */
+	if (nrem > 255) {
+		nrem = 255;
+	}
+	while (n-- != 0) {
+		c = (*s++) & 0xff;
+		if (escape && (d = decvalue((char)c)) != -1) {
+			c = d;
+			if (n == 0) {
+				return (DNS_R_SYNTAX);
+			}
+			n--;
+			if ((d = decvalue(*s++)) != -1) {
+				c = c * 10 + d;
+			} else {
+				return (DNS_R_SYNTAX);
+			}
+			if (n == 0) {
+				return (DNS_R_SYNTAX);
+			}
+			n--;
+			if ((d = decvalue(*s++)) != -1) {
+				c = c * 10 + d;
+			} else {
+				return (DNS_R_SYNTAX);
+			}
+			if (c > 255) {
+				return (DNS_R_SYNTAX);
+			}
+		} else if (!escape && c == '\\') {
+			escape = true;
+			continue;
+		}
+		escape = false;
+		/*
+		 * Level 1 escape processing complete.
+		 * If comma is set perform comma escape processing.
+		 *
+		 * Level 1	Level 2		ALPN's
+		 * h1\,h2   =>	h1,h2   =>	h1 and h2
+		 * h1\\,h2  =>	h1\,h2  =>	h1,h2
+		 * h1\\h2   =>	h1\h2   =>	h1h2
+		 * h1\\\\h2 =>	h1\\h2  =>	h1\h2
+		 */
+		if (comma && !comma_escape && c == ',') {
+			seen_comma = true;
+			break;
+		}
+		if (comma && !comma_escape && c == '\\') {
+			comma_escape = true;
+			continue;
+		}
+		comma_escape = false;
+		if (nrem == 0) {
+			return ((tregion.length <= 256U) ? ISC_R_NOSPACE
+							 : DNS_R_SYNTAX);
+		}
+		*t++ = c;
+		nrem--;
+	}
+
+	/*
+	 * Incomplete escape processing?
+	 */
+	if (escape || (comma && comma_escape)) {
+		return (DNS_R_SYNTAX);
+	}
+
+	if (comma) {
+		/*
+		 * Disallow empty ALPN at start (",h1") or in the
+		 * middle ("h1,,h2").
+		 */
+		if (s == source->base || (seen_comma && s == source->base + 1))
+		{
+			return (DNS_R_SYNTAX);
+		}
+		isc_textregion_consume(source, s - source->base);
+		/*
+		 * Disallow empty ALPN at end ("h1,").
+		 */
+		if (seen_comma && source->length == 0) {
+			return (DNS_R_SYNTAX);
+		}
+	}
+	*tregion.base = (unsigned char)(t - tregion.base - 1);
+	isc_buffer_add(target, *tregion.base + 1);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+txt_fromtext(isc_textregion_t *source, isc_buffer_t *target) {
+	return (commatxt_fromtext(source, false, target));
+}
+
+static isc_result_t
+txt_fromwire(isc_buffer_t *source, isc_buffer_t *target) {
+	unsigned int n;
+	isc_region_t sregion;
+	isc_region_t tregion;
+
+	isc_buffer_activeregion(source, &sregion);
+	if (sregion.length == 0) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	n = *sregion.base + 1;
+	if (n > sregion.length) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	isc_buffer_availableregion(target, &tregion);
+	if (n > tregion.length) {
+		return (ISC_R_NOSPACE);
+	}
+
+	if (tregion.base != sregion.base) {
+		memmove(tregion.base, sregion.base, n);
+	}
+	isc_buffer_forward(source, n);
+	isc_buffer_add(target, n);
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Conversion of TXT-like rdata fields without length limits.
+ */
+static isc_result_t
+multitxt_totext(isc_region_t *source, isc_buffer_t *target) {
+	unsigned int tl;
+	unsigned int n0, n;
+	unsigned char *sp;
+	char *tp;
+	isc_region_t region;
+
+	isc_buffer_availableregion(target, &region);
+	sp = source->base;
+	tp = (char *)region.base;
+	tl = region.length;
+
+	if (tl < 1) {
+		return (ISC_R_NOSPACE);
+	}
+	*tp++ = '"';
+	tl--;
+	do {
+		n = source->length;
+		n0 = source->length - 1;
+
+		while (n--) {
+			if (*sp < ' ' || *sp >= 0x7f) {
+				if (tl < 4) {
+					return (ISC_R_NOSPACE);
+				}
+				*tp++ = '\\';
+				*tp++ = '0' + ((*sp / 100) % 10);
+				*tp++ = '0' + ((*sp / 10) % 10);
+				*tp++ = '0' + (*sp % 10);
+				sp++;
+				tl -= 4;
+				continue;
+			}
+			/* double quote, backslash */
+			if (*sp == '"' || *sp == '\\') {
+				if (tl < 2) {
+					return (ISC_R_NOSPACE);
+				}
+				*tp++ = '\\';
+				tl--;
+			}
+			if (tl < 1) {
+				return (ISC_R_NOSPACE);
+			}
+			*tp++ = *sp++;
+			tl--;
+		}
+		isc_region_consume(source, n0 + 1);
+	} while (source->length != 0);
+	if (tl < 1) {
+		return (ISC_R_NOSPACE);
+	}
+	*tp++ = '"';
+	tl--;
+	POST(tl);
+	isc_buffer_add(target, (unsigned int)(tp - (char *)region.base));
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+multitxt_fromtext(isc_textregion_t *source, isc_buffer_t *target) {
+	isc_region_t tregion;
+	bool escape;
+	unsigned int n, nrem;
+	char *s;
+	unsigned char *t0, *t;
+	int d;
+	int c;
+
+	s = source->base;
+	n = source->length;
+	escape = false;
+
+	do {
+		isc_buffer_availableregion(target, &tregion);
+		t0 = t = tregion.base;
+		nrem = tregion.length;
+		if (nrem < 1) {
+			return (ISC_R_NOSPACE);
+		}
+
+		while (n != 0) {
+			--n;
+			c = (*s++) & 0xff;
+			if (escape && (d = decvalue((char)c)) != -1) {
+				c = d;
+				if (n == 0) {
+					return (DNS_R_SYNTAX);
+				}
+				n--;
+				if ((d = decvalue(*s++)) != -1) {
+					c = c * 10 + d;
+				} else {
+					return (DNS_R_SYNTAX);
+				}
+				if (n == 0) {
+					return (DNS_R_SYNTAX);
+				}
+				n--;
+				if ((d = decvalue(*s++)) != -1) {
+					c = c * 10 + d;
+				} else {
+					return (DNS_R_SYNTAX);
+				}
+				if (c > 255) {
+					return (DNS_R_SYNTAX);
+				}
+			} else if (!escape && c == '\\') {
+				escape = true;
+				continue;
+			}
+			escape = false;
+			*t++ = c;
+			nrem--;
+			if (nrem == 0) {
+				break;
+			}
+		}
+		if (escape) {
+			return (DNS_R_SYNTAX);
+		}
+
+		isc_buffer_add(target, (unsigned int)(t - t0));
+	} while (n != 0);
+	return (ISC_R_SUCCESS);
+}
+
+static bool
+name_prefix(dns_name_t *name, const dns_name_t *origin, dns_name_t *target) {
+	int l1, l2;
+
+	if (origin == NULL) {
+		goto return_false;
+	}
+
+	if (dns_name_compare(origin, dns_rootname) == 0) {
+		goto return_false;
+	}
+
+	if (!dns_name_issubdomain(name, origin)) {
+		goto return_false;
+	}
+
+	l1 = dns_name_countlabels(name);
+	l2 = dns_name_countlabels(origin);
+
+	if (l1 == l2) {
+		goto return_false;
+	}
+
+	/* Master files should be case preserving. */
+	dns_name_getlabelsequence(name, l1 - l2, l2, target);
+	if (!dns_name_caseequal(origin, target)) {
+		goto return_false;
+	}
+
+	dns_name_getlabelsequence(name, 0, l1 - l2, target);
+	return (true);
+
+return_false:
+	*target = *name;
+	return (false);
+}
+
+static isc_result_t
+str_totext(const char *source, isc_buffer_t *target) {
+	unsigned int l;
+	isc_region_t region;
+
+	isc_buffer_availableregion(target, &region);
+	l = strlen(source);
+
+	if (l > region.length) {
+		return (ISC_R_NOSPACE);
+	}
+
+	memmove(region.base, source, l);
+	isc_buffer_add(target, l);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+inet_totext(int af, uint32_t flags, isc_region_t *src, isc_buffer_t *target) {
+	char tmpbuf[64];
+
+	/* Note - inet_ntop doesn't do size checking on its input. */
+	if (inet_ntop(af, src->base, tmpbuf, sizeof(tmpbuf)) == NULL) {
+		return (ISC_R_NOSPACE);
+	}
+	if (strlen(tmpbuf) > isc_buffer_availablelength(target)) {
+		return (ISC_R_NOSPACE);
+	}
+	isc_buffer_putstr(target, tmpbuf);
+
+	/*
+	 * An IPv6 address ending in "::" breaks YAML
+	 * parsing, so append 0 in that case.
+	 */
+	if (af == AF_INET6 && (flags & DNS_STYLEFLAG_YAML) != 0) {
+		isc_region_t r;
+		isc_buffer_usedregion(target, &r);
+		if (r.length > 0 && r.base[r.length - 1] == ':') {
+			if (isc_buffer_availablelength(target) == 0) {
+				return (ISC_R_NOSPACE);
+			}
+			isc_buffer_putmem(target, (const unsigned char *)"0",
+					  1);
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static bool
+buffer_empty(isc_buffer_t *source) {
+	return ((source->current == source->active) ? true : false);
+}
+
+static void
+buffer_fromregion(isc_buffer_t *buffer, isc_region_t *region) {
+	isc_buffer_init(buffer, region->base, region->length);
+	isc_buffer_add(buffer, region->length);
+	isc_buffer_setactive(buffer, region->length);
+}
+
+static isc_result_t
+uint32_tobuffer(uint32_t value, isc_buffer_t *target) {
+	isc_region_t region;
+
+	isc_buffer_availableregion(target, &region);
+	if (region.length < 4) {
+		return (ISC_R_NOSPACE);
+	}
+	isc_buffer_putuint32(target, value);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+uint16_tobuffer(uint32_t value, isc_buffer_t *target) {
+	isc_region_t region;
+
+	if (value > 0xffff) {
+		return (ISC_R_RANGE);
+	}
+	isc_buffer_availableregion(target, &region);
+	if (region.length < 2) {
+		return (ISC_R_NOSPACE);
+	}
+	isc_buffer_putuint16(target, (uint16_t)value);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+uint8_tobuffer(uint32_t value, isc_buffer_t *target) {
+	isc_region_t region;
+
+	if (value > 0xff) {
+		return (ISC_R_RANGE);
+	}
+	isc_buffer_availableregion(target, &region);
+	if (region.length < 1) {
+		return (ISC_R_NOSPACE);
+	}
+	isc_buffer_putuint8(target, (uint8_t)value);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+name_tobuffer(const dns_name_t *name, isc_buffer_t *target) {
+	isc_region_t r;
+	dns_name_toregion(name, &r);
+	return (isc_buffer_copyregion(target, &r));
+}
+
+static uint32_t
+uint32_fromregion(isc_region_t *region) {
+	uint32_t value;
+
+	REQUIRE(region->length >= 4);
+	value = (uint32_t)region->base[0] << 24;
+	value |= (uint32_t)region->base[1] << 16;
+	value |= (uint32_t)region->base[2] << 8;
+	value |= (uint32_t)region->base[3];
+	return (value);
+}
+
+static uint16_t
+uint16_consume_fromregion(isc_region_t *region) {
+	uint16_t r = uint16_fromregion(region);
+
+	isc_region_consume(region, 2);
+	return (r);
+}
+
+static uint16_t
+uint16_fromregion(isc_region_t *region) {
+	REQUIRE(region->length >= 2);
+
+	return ((region->base[0] << 8) | region->base[1]);
+}
+
+static uint8_t
+uint8_fromregion(isc_region_t *region) {
+	REQUIRE(region->length >= 1);
+
+	return (region->base[0]);
+}
+
+static uint8_t
+uint8_consume_fromregion(isc_region_t *region) {
+	uint8_t r = uint8_fromregion(region);
+
+	isc_region_consume(region, 1);
+	return (r);
+}
+
+static isc_result_t
+mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length) {
+	isc_region_t tr;
+
+	if (length == 0U) {
+		return (ISC_R_SUCCESS);
+	}
+
+	isc_buffer_availableregion(target, &tr);
+	if (length > tr.length) {
+		return (ISC_R_NOSPACE);
+	}
+	if (tr.base != base) {
+		memmove(tr.base, base, length);
+	}
+	isc_buffer_add(target, length);
+	return (ISC_R_SUCCESS);
+}
+
+static int
+hexvalue(char value) {
+	const char *s;
+	unsigned char c;
+
+	c = (unsigned char)value;
+
+	if (!isascii(c)) {
+		return (-1);
+	}
+	if (isupper(c)) {
+		c = tolower(c);
+	}
+	if ((s = strchr(hexdigits, c)) == NULL) {
+		return (-1);
+	}
+	return ((int)(s - hexdigits));
+}
+
+static int
+decvalue(char value) {
+	const char *s;
+
+	/*
+	 * isascii() is valid for full range of int values, no need to
+	 * mask or cast.
+	 */
+	if (!isascii(value)) {
+		return (-1);
+	}
+	if ((s = strchr(decdigits, value)) == NULL) {
+		return (-1);
+	}
+	return ((int)(s - decdigits));
+}
+
+static void
+default_fromtext_callback(dns_rdatacallbacks_t *callbacks, const char *fmt,
+			  ...) {
+	va_list ap;
+
+	UNUSED(callbacks);
+
+	va_start(ap, fmt);
+	vfprintf(stderr, fmt, ap);
+	va_end(ap);
+	fprintf(stderr, "\n");
+}
+
+static void
+fromtext_warneof(isc_lex_t *lexer, dns_rdatacallbacks_t *callbacks) {
+	if (isc_lex_isfile(lexer) && callbacks != NULL) {
+		const char *name = isc_lex_getsourcename(lexer);
+		if (name == NULL) {
+			name = "UNKNOWN";
+		}
+		(*callbacks->warn)(callbacks,
+				   "%s:%lu: file does not end with newline",
+				   name, isc_lex_getsourceline(lexer));
+	}
+}
+
+static void
+warn_badmx(isc_token_t *token, isc_lex_t *lexer,
+	   dns_rdatacallbacks_t *callbacks) {
+	const char *file;
+	unsigned long line;
+
+	if (lexer != NULL) {
+		file = isc_lex_getsourcename(lexer);
+		line = isc_lex_getsourceline(lexer);
+		(*callbacks->warn)(callbacks, "%s:%u: warning: '%s': %s", file,
+				   line, DNS_AS_STR(*token),
+				   dns_result_totext(DNS_R_MXISADDRESS));
+	}
+}
+
+static void
+warn_badname(const dns_name_t *name, isc_lex_t *lexer,
+	     dns_rdatacallbacks_t *callbacks) {
+	const char *file;
+	unsigned long line;
+	char namebuf[DNS_NAME_FORMATSIZE];
+
+	if (lexer != NULL) {
+		file = isc_lex_getsourcename(lexer);
+		line = isc_lex_getsourceline(lexer);
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		(*callbacks->warn)(callbacks, "%s:%u: warning: %s: %s", file,
+				   line, namebuf,
+				   dns_result_totext(DNS_R_BADNAME));
+	}
+}
+
+static void
+fromtext_error(void (*callback)(dns_rdatacallbacks_t *, const char *, ...),
+	       dns_rdatacallbacks_t *callbacks, const char *name,
+	       unsigned long line, isc_token_t *token, isc_result_t result) {
+	if (name == NULL) {
+		name = "UNKNOWN";
+	}
+
+	if (token != NULL) {
+		switch (token->type) {
+		case isc_tokentype_eol:
+			(*callback)(callbacks, "%s: %s:%lu: near eol: %s",
+				    "dns_rdata_fromtext", name, line,
+				    dns_result_totext(result));
+			break;
+		case isc_tokentype_eof:
+			(*callback)(callbacks, "%s: %s:%lu: near eof: %s",
+				    "dns_rdata_fromtext", name, line,
+				    dns_result_totext(result));
+			break;
+		case isc_tokentype_number:
+			(*callback)(callbacks, "%s: %s:%lu: near %lu: %s",
+				    "dns_rdata_fromtext", name, line,
+				    token->value.as_ulong,
+				    dns_result_totext(result));
+			break;
+		case isc_tokentype_string:
+		case isc_tokentype_qstring:
+			(*callback)(callbacks, "%s: %s:%lu: near '%s': %s",
+				    "dns_rdata_fromtext", name, line,
+				    DNS_AS_STR(*token),
+				    dns_result_totext(result));
+			break;
+		default:
+			(*callback)(callbacks, "%s: %s:%lu: %s",
+				    "dns_rdata_fromtext", name, line,
+				    dns_result_totext(result));
+			break;
+		}
+	} else {
+		(*callback)(callbacks, "dns_rdata_fromtext: %s:%lu: %s", name,
+			    line, dns_result_totext(result));
+	}
+}
+
+dns_rdatatype_t
+dns_rdata_covers(dns_rdata_t *rdata) {
+	if (rdata->type == dns_rdatatype_rrsig) {
+		return (covers_rrsig(rdata));
+	}
+	return (covers_sig(rdata));
+}
+
+bool
+dns_rdatatype_ismeta(dns_rdatatype_t type) {
+	if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_META) != 0) {
+		return (true);
+	}
+	return (false);
+}
+
+bool
+dns_rdatatype_issingleton(dns_rdatatype_t type) {
+	if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_SINGLETON) != 0)
+	{
+		return (true);
+	}
+	return (false);
+}
+
+bool
+dns_rdatatype_notquestion(dns_rdatatype_t type) {
+	if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_NOTQUESTION) !=
+	    0)
+	{
+		return (true);
+	}
+	return (false);
+}
+
+bool
+dns_rdatatype_questiononly(dns_rdatatype_t type) {
+	if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_QUESTIONONLY) !=
+	    0)
+	{
+		return (true);
+	}
+	return (false);
+}
+
+bool
+dns_rdatatype_atcname(dns_rdatatype_t type) {
+	if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_ATCNAME) != 0) {
+		return (true);
+	}
+	return (false);
+}
+
+bool
+dns_rdatatype_atparent(dns_rdatatype_t type) {
+	if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_ATPARENT) != 0)
+	{
+		return (true);
+	}
+	return (false);
+}
+
+bool
+dns_rdatatype_followadditional(dns_rdatatype_t type) {
+	if ((dns_rdatatype_attributes(type) &
+	     DNS_RDATATYPEATTR_FOLLOWADDITIONAL) != 0)
+	{
+		return (true);
+	}
+	return (false);
+}
+
+bool
+dns_rdataclass_ismeta(dns_rdataclass_t rdclass) {
+	if (rdclass == dns_rdataclass_reserved0 ||
+	    rdclass == dns_rdataclass_none || rdclass == dns_rdataclass_any)
+	{
+		return (true);
+	}
+
+	return (false); /* Assume it is not a meta class. */
+}
+
+bool
+dns_rdatatype_isdnssec(dns_rdatatype_t type) {
+	if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_DNSSEC) != 0) {
+		return (true);
+	}
+	return (false);
+}
+
+bool
+dns_rdatatype_iszonecutauth(dns_rdatatype_t type) {
+	if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_ZONECUTAUTH) !=
+	    0)
+	{
+		return (true);
+	}
+	return (false);
+}
+
+bool
+dns_rdatatype_isknown(dns_rdatatype_t type) {
+	if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_UNKNOWN) == 0) {
+		return (true);
+	}
+	return (false);
+}
+
+void
+dns_rdata_exists(dns_rdata_t *rdata, dns_rdatatype_t type) {
+	REQUIRE(rdata != NULL);
+	REQUIRE(DNS_RDATA_INITIALIZED(rdata));
+
+	rdata->data = NULL;
+	rdata->length = 0;
+	rdata->flags = DNS_RDATA_UPDATE;
+	rdata->type = type;
+	rdata->rdclass = dns_rdataclass_any;
+}
+
+void
+dns_rdata_notexist(dns_rdata_t *rdata, dns_rdatatype_t type) {
+	REQUIRE(rdata != NULL);
+	REQUIRE(DNS_RDATA_INITIALIZED(rdata));
+
+	rdata->data = NULL;
+	rdata->length = 0;
+	rdata->flags = DNS_RDATA_UPDATE;
+	rdata->type = type;
+	rdata->rdclass = dns_rdataclass_none;
+}
+
+void
+dns_rdata_deleterrset(dns_rdata_t *rdata, dns_rdatatype_t type) {
+	REQUIRE(rdata != NULL);
+	REQUIRE(DNS_RDATA_INITIALIZED(rdata));
+
+	rdata->data = NULL;
+	rdata->length = 0;
+	rdata->flags = DNS_RDATA_UPDATE;
+	rdata->type = type;
+	rdata->rdclass = dns_rdataclass_any;
+}
+
+void
+dns_rdata_makedelete(dns_rdata_t *rdata) {
+	REQUIRE(rdata != NULL);
+
+	rdata->rdclass = dns_rdataclass_none;
+}
+
+const char *
+dns_rdata_updateop(dns_rdata_t *rdata, dns_section_t section) {
+	REQUIRE(rdata != NULL);
+	REQUIRE(DNS_RDATA_INITIALIZED(rdata));
+
+	switch (section) {
+	case DNS_SECTION_PREREQUISITE:
+		switch (rdata->rdclass) {
+		case dns_rdataclass_none:
+			switch (rdata->type) {
+			case dns_rdatatype_any:
+				return ("domain doesn't exist");
+			default:
+				return ("rrset doesn't exist");
+			}
+		case dns_rdataclass_any:
+			switch (rdata->type) {
+			case dns_rdatatype_any:
+				return ("domain exists");
+			default:
+				return ("rrset exists (value independent)");
+			}
+		default:
+			return ("rrset exists (value dependent)");
+		}
+	case DNS_SECTION_UPDATE:
+		switch (rdata->rdclass) {
+		case dns_rdataclass_none:
+			return ("delete");
+		case dns_rdataclass_any:
+			switch (rdata->type) {
+			case dns_rdatatype_any:
+				return ("delete all rrsets");
+			default:
+				return ("delete rrset");
+			}
+		default:
+			return ("add");
+		}
+	}
+	return ("invalid");
+}
diff --git a/lib/dns/rdata/any_255/tsig_250.c b/lib/dns/rdata/any_255/tsig_250.c
new file mode 100644
index 0000000..4c6b715
--- /dev/null
+++ b/lib/dns/rdata/any_255/tsig_250.c
@@ -0,0 +1,621 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_ANY_255_TSIG_250_C
+#define RDATA_ANY_255_TSIG_250_C
+
+#define RRTYPE_TSIG_ATTRIBUTES \
+	(DNS_RDATATYPEATTR_META | DNS_RDATATYPEATTR_NOTQUESTION)
+
+static isc_result_t
+fromtext_any_tsig(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	uint64_t sigtime;
+	isc_buffer_t buffer;
+	dns_rcode_t rcode;
+	long i;
+	char *e;
+
+	REQUIRE(type == dns_rdatatype_tsig);
+	REQUIRE(rdclass == dns_rdataclass_any);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	/*
+	 * Algorithm Name.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL) {
+		origin = dns_rootname;
+	}
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+
+	/*
+	 * Time Signed: 48 bits.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	sigtime = strtoull(DNS_AS_STR(token), &e, 10);
+	if (*e != 0) {
+		RETTOK(DNS_R_SYNTAX);
+	}
+	if ((sigtime >> 48) != 0) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint16_tobuffer((uint16_t)(sigtime >> 32), target));
+	RETERR(uint32_tobuffer((uint32_t)(sigtime & 0xffffffffU), target));
+
+	/*
+	 * Fudge.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Signature Size.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Signature.
+	 */
+	RETERR(isc_base64_tobuffer(lexer, target, (int)token.value.as_ulong));
+
+	/*
+	 * Original ID.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Error.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	if (dns_tsigrcode_fromtext(&rcode, &token.value.as_textregion) !=
+	    ISC_R_SUCCESS)
+	{
+		i = strtol(DNS_AS_STR(token), &e, 10);
+		if (*e != 0) {
+			RETTOK(DNS_R_UNKNOWN);
+		}
+		if (i < 0 || i > 0xffff) {
+			RETTOK(ISC_R_RANGE);
+		}
+		rcode = (dns_rcode_t)i;
+	}
+	RETERR(uint16_tobuffer(rcode, target));
+
+	/*
+	 * Other Len.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Other Data.
+	 */
+	return (isc_base64_tobuffer(lexer, target, (int)token.value.as_ulong));
+}
+
+static isc_result_t
+totext_any_tsig(ARGS_TOTEXT) {
+	isc_region_t sr;
+	isc_region_t sigr;
+	char buf[sizeof(" 281474976710655 ")];
+	char *bufp;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+	uint64_t sigtime;
+	unsigned short n;
+
+	REQUIRE(rdata->type == dns_rdatatype_tsig);
+	REQUIRE(rdata->rdclass == dns_rdataclass_any);
+	REQUIRE(rdata->length != 0);
+
+	dns_rdata_toregion(rdata, &sr);
+	/*
+	 * Algorithm Name.
+	 */
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+	dns_name_fromregion(&name, &sr);
+	sub = name_prefix(&name, tctx->origin, &prefix);
+	RETERR(dns_name_totext(&prefix, sub, target));
+	RETERR(str_totext(" ", target));
+	isc_region_consume(&sr, name_length(&name));
+
+	/*
+	 * Time Signed.
+	 */
+	sigtime = ((uint64_t)sr.base[0] << 40) | ((uint64_t)sr.base[1] << 32) |
+		  ((uint64_t)sr.base[2] << 24) | ((uint64_t)sr.base[3] << 16) |
+		  ((uint64_t)sr.base[4] << 8) | (uint64_t)sr.base[5];
+	isc_region_consume(&sr, 6);
+	bufp = &buf[sizeof(buf) - 1];
+	*bufp-- = 0;
+	*bufp-- = ' ';
+	do {
+		*bufp-- = decdigits[sigtime % 10];
+		sigtime /= 10;
+	} while (sigtime != 0);
+	bufp++;
+	RETERR(str_totext(bufp, target));
+
+	/*
+	 * Fudge.
+	 */
+	n = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	snprintf(buf, sizeof(buf), "%u ", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Signature Size.
+	 */
+	n = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	snprintf(buf, sizeof(buf), "%u", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Signature.
+	 */
+	if (n != 0U) {
+		REQUIRE(n <= sr.length);
+		sigr = sr;
+		sigr.length = n;
+		if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+			RETERR(str_totext(" (", target));
+		}
+		RETERR(str_totext(tctx->linebreak, target));
+		if (tctx->width == 0) { /* No splitting */
+			RETERR(isc_base64_totext(&sigr, 60, "", target));
+		} else {
+			RETERR(isc_base64_totext(&sigr, tctx->width - 2,
+						 tctx->linebreak, target));
+		}
+		if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+			RETERR(str_totext(" ) ", target));
+		} else {
+			RETERR(str_totext(" ", target));
+		}
+		isc_region_consume(&sr, n);
+	} else {
+		RETERR(str_totext(" ", target));
+	}
+
+	/*
+	 * Original ID.
+	 */
+	n = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	snprintf(buf, sizeof(buf), "%u ", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Error.
+	 */
+	n = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	RETERR(dns_tsigrcode_totext((dns_rcode_t)n, target));
+
+	/*
+	 * Other Size.
+	 */
+	n = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	snprintf(buf, sizeof(buf), " %u ", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Other.
+	 */
+	if (tctx->width == 0) { /* No splitting */
+		return (isc_base64_totext(&sr, 60, "", target));
+	} else {
+		return (isc_base64_totext(&sr, 60, " ", target));
+	}
+}
+
+static isc_result_t
+fromwire_any_tsig(ARGS_FROMWIRE) {
+	isc_region_t sr;
+	dns_name_t name;
+	unsigned long n;
+
+	REQUIRE(type == dns_rdatatype_tsig);
+	REQUIRE(rdclass == dns_rdataclass_any);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+	/*
+	 * Algorithm Name.
+	 */
+	dns_name_init(&name, NULL);
+	RETERR(dns_name_fromwire(&name, source, dctx, options, target));
+
+	isc_buffer_activeregion(source, &sr);
+	/*
+	 * Time Signed + Fudge.
+	 */
+	if (sr.length < 8) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	RETERR(mem_tobuffer(target, sr.base, 8));
+	isc_region_consume(&sr, 8);
+	isc_buffer_forward(source, 8);
+
+	/*
+	 * Signature Length + Signature.
+	 */
+	if (sr.length < 2) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	n = uint16_fromregion(&sr);
+	if (sr.length < n + 2) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	RETERR(mem_tobuffer(target, sr.base, n + 2));
+	isc_region_consume(&sr, n + 2);
+	isc_buffer_forward(source, n + 2);
+
+	/*
+	 * Original ID + Error.
+	 */
+	if (sr.length < 4) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	RETERR(mem_tobuffer(target, sr.base, 4));
+	isc_region_consume(&sr, 4);
+	isc_buffer_forward(source, 4);
+
+	/*
+	 * Other Length + Other.
+	 */
+	if (sr.length < 2) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	n = uint16_fromregion(&sr);
+	if (sr.length < n + 2) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	isc_buffer_forward(source, n + 2);
+	return (mem_tobuffer(target, sr.base, n + 2));
+}
+
+static isc_result_t
+towire_any_tsig(ARGS_TOWIRE) {
+	isc_region_t sr;
+	dns_name_t name;
+	dns_offsets_t offsets;
+
+	REQUIRE(rdata->type == dns_rdatatype_tsig);
+	REQUIRE(rdata->rdclass == dns_rdataclass_any);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+	dns_rdata_toregion(rdata, &sr);
+	dns_name_init(&name, offsets);
+	dns_name_fromregion(&name, &sr);
+	RETERR(dns_name_towire(&name, cctx, target));
+	isc_region_consume(&sr, name_length(&name));
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static int
+compare_any_tsig(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+	dns_name_t name1;
+	dns_name_t name2;
+	int order;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_tsig);
+	REQUIRE(rdata1->rdclass == dns_rdataclass_any);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+	dns_name_fromregion(&name1, &r1);
+	dns_name_fromregion(&name2, &r2);
+	order = dns_name_rdatacompare(&name1, &name2);
+	if (order != 0) {
+		return (order);
+	}
+	isc_region_consume(&r1, name_length(&name1));
+	isc_region_consume(&r2, name_length(&name2));
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+fromstruct_any_tsig(ARGS_FROMSTRUCT) {
+	dns_rdata_any_tsig_t *tsig = source;
+	isc_region_t tr;
+
+	REQUIRE(type == dns_rdatatype_tsig);
+	REQUIRE(rdclass == dns_rdataclass_any);
+	REQUIRE(tsig != NULL);
+	REQUIRE(tsig->common.rdclass == rdclass);
+	REQUIRE(tsig->common.rdtype == type);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	/*
+	 * Algorithm Name.
+	 */
+	RETERR(name_tobuffer(&tsig->algorithm, target));
+
+	isc_buffer_availableregion(target, &tr);
+	if (tr.length < 6 + 2 + 2) {
+		return (ISC_R_NOSPACE);
+	}
+
+	/*
+	 * Time Signed: 48 bits.
+	 */
+	RETERR(uint16_tobuffer((uint16_t)(tsig->timesigned >> 32), target));
+	RETERR(uint32_tobuffer((uint32_t)(tsig->timesigned & 0xffffffffU),
+			       target));
+
+	/*
+	 * Fudge.
+	 */
+	RETERR(uint16_tobuffer(tsig->fudge, target));
+
+	/*
+	 * Signature Size.
+	 */
+	RETERR(uint16_tobuffer(tsig->siglen, target));
+
+	/*
+	 * Signature.
+	 */
+	RETERR(mem_tobuffer(target, tsig->signature, tsig->siglen));
+
+	isc_buffer_availableregion(target, &tr);
+	if (tr.length < 2 + 2 + 2) {
+		return (ISC_R_NOSPACE);
+	}
+
+	/*
+	 * Original ID.
+	 */
+	RETERR(uint16_tobuffer(tsig->originalid, target));
+
+	/*
+	 * Error.
+	 */
+	RETERR(uint16_tobuffer(tsig->error, target));
+
+	/*
+	 * Other Len.
+	 */
+	RETERR(uint16_tobuffer(tsig->otherlen, target));
+
+	/*
+	 * Other Data.
+	 */
+	return (mem_tobuffer(target, tsig->other, tsig->otherlen));
+}
+
+static isc_result_t
+tostruct_any_tsig(ARGS_TOSTRUCT) {
+	dns_rdata_any_tsig_t *tsig;
+	dns_name_t alg;
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_tsig);
+	REQUIRE(rdata->rdclass == dns_rdataclass_any);
+	REQUIRE(rdata->length != 0);
+
+	tsig = (dns_rdata_any_tsig_t *)target;
+	tsig->common.rdclass = rdata->rdclass;
+	tsig->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&tsig->common, link);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/*
+	 * Algorithm Name.
+	 */
+	dns_name_init(&alg, NULL);
+	dns_name_fromregion(&alg, &sr);
+	dns_name_init(&tsig->algorithm, NULL);
+	RETERR(name_duporclone(&alg, mctx, &tsig->algorithm));
+
+	isc_region_consume(&sr, name_length(&tsig->algorithm));
+
+	/*
+	 * Time Signed.
+	 */
+	INSIST(sr.length >= 6);
+	tsig->timesigned = ((uint64_t)sr.base[0] << 40) |
+			   ((uint64_t)sr.base[1] << 32) |
+			   ((uint64_t)sr.base[2] << 24) |
+			   ((uint64_t)sr.base[3] << 16) |
+			   ((uint64_t)sr.base[4] << 8) | (uint64_t)sr.base[5];
+	isc_region_consume(&sr, 6);
+
+	/*
+	 * Fudge.
+	 */
+	tsig->fudge = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+
+	/*
+	 * Signature Size.
+	 */
+	tsig->siglen = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+
+	/*
+	 * Signature.
+	 */
+	INSIST(sr.length >= tsig->siglen);
+	tsig->signature = mem_maybedup(mctx, sr.base, tsig->siglen);
+	if (tsig->signature == NULL) {
+		goto cleanup;
+	}
+	isc_region_consume(&sr, tsig->siglen);
+
+	/*
+	 * Original ID.
+	 */
+	tsig->originalid = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+
+	/*
+	 * Error.
+	 */
+	tsig->error = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+
+	/*
+	 * Other Size.
+	 */
+	tsig->otherlen = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+
+	/*
+	 * Other.
+	 */
+	INSIST(sr.length == tsig->otherlen);
+	tsig->other = mem_maybedup(mctx, sr.base, tsig->otherlen);
+	if (tsig->other == NULL) {
+		goto cleanup;
+	}
+
+	tsig->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	if (mctx != NULL) {
+		dns_name_free(&tsig->algorithm, tsig->mctx);
+	}
+	if (mctx != NULL && tsig->signature != NULL) {
+		isc_mem_free(mctx, tsig->signature);
+	}
+	return (ISC_R_NOMEMORY);
+}
+
+static void
+freestruct_any_tsig(ARGS_FREESTRUCT) {
+	dns_rdata_any_tsig_t *tsig = (dns_rdata_any_tsig_t *)source;
+
+	REQUIRE(tsig != NULL);
+	REQUIRE(tsig->common.rdtype == dns_rdatatype_tsig);
+	REQUIRE(tsig->common.rdclass == dns_rdataclass_any);
+
+	if (tsig->mctx == NULL) {
+		return;
+	}
+
+	dns_name_free(&tsig->algorithm, tsig->mctx);
+	if (tsig->signature != NULL) {
+		isc_mem_free(tsig->mctx, tsig->signature);
+	}
+	if (tsig->other != NULL) {
+		isc_mem_free(tsig->mctx, tsig->other);
+	}
+	tsig->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_any_tsig(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_tsig);
+	REQUIRE(rdata->rdclass == dns_rdataclass_any);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_any_tsig(ARGS_DIGEST) {
+	REQUIRE(rdata->type == dns_rdatatype_tsig);
+	REQUIRE(rdata->rdclass == dns_rdataclass_any);
+
+	UNUSED(rdata);
+	UNUSED(digest);
+	UNUSED(arg);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static bool
+checkowner_any_tsig(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_tsig);
+	REQUIRE(rdclass == dns_rdataclass_any);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_any_tsig(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_tsig);
+	REQUIRE(rdata->rdclass == dns_rdataclass_any);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_any_tsig(ARGS_COMPARE) {
+	return (compare_any_tsig(rdata1, rdata2));
+}
+
+#endif /* RDATA_ANY_255_TSIG_250_C */
diff --git a/lib/dns/rdata/any_255/tsig_250.h b/lib/dns/rdata/any_255/tsig_250.h
new file mode 100644
index 0000000..3df1d82
--- /dev/null
+++ b/lib/dns/rdata/any_255/tsig_250.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ANY_255_TSIG_250_H
+#define ANY_255_TSIG_250_H 1
+
+/*% RFC2845 */
+typedef struct dns_rdata_any_tsig {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	dns_name_t algorithm;
+	uint64_t timesigned;
+	uint16_t fudge;
+	uint16_t siglen;
+	unsigned char *signature;
+	uint16_t originalid;
+	uint16_t error;
+	uint16_t otherlen;
+	unsigned char *other;
+} dns_rdata_any_tsig_t;
+
+#endif /* ANY_255_TSIG_250_H */
diff --git a/lib/dns/rdata/ch_3/a_1.c b/lib/dns/rdata/ch_3/a_1.c
new file mode 100644
index 0000000..4814a02
--- /dev/null
+++ b/lib/dns/rdata/ch_3/a_1.c
@@ -0,0 +1,325 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* by Bjorn.Victor@it.uu.se, 2005-05-07 */
+/* Based on generic/soa_6.c and generic/mx_15.c */
+
+#ifndef RDATA_CH_3_A_1_C
+#define RDATA_CH_3_A_1_C
+
+#include <isc/net.h>
+
+#define RRTYPE_A_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_ch_a(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+
+	REQUIRE(type == dns_rdatatype_a);
+	REQUIRE(rdclass == dns_rdataclass_ch); /* 3 */
+
+	UNUSED(type);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	/* get domain name */
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL) {
+		origin = dns_rootname;
+	}
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	if ((options & DNS_RDATA_CHECKNAMES) != 0 &&
+	    (options & DNS_RDATA_CHECKREVERSE) != 0)
+	{
+		bool ok;
+		ok = dns_name_ishostname(&name, false);
+		if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0) {
+			RETTOK(DNS_R_BADNAME);
+		}
+		if (!ok && callbacks != NULL) {
+			warn_badname(&name, lexer, callbacks);
+		}
+	}
+
+	/* 16-bit octal address */
+	RETERR(isc_lex_getoctaltoken(lexer, &token, false));
+	if (token.value.as_ulong > 0xffffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	return (uint16_tobuffer(token.value.as_ulong, target));
+}
+
+static isc_result_t
+totext_ch_a(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+	char buf[sizeof("0177777")];
+	uint16_t addr;
+
+	REQUIRE(rdata->type == dns_rdatatype_a);
+	REQUIRE(rdata->rdclass == dns_rdataclass_ch); /* 3 */
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+	isc_region_consume(&region, name_length(&name));
+	addr = uint16_fromregion(&region);
+
+	sub = name_prefix(&name, tctx->origin, &prefix);
+	RETERR(dns_name_totext(&prefix, sub, target));
+
+	snprintf(buf, sizeof(buf), "%o", addr); /* note octal */
+	RETERR(str_totext(" ", target));
+	return (str_totext(buf, target));
+}
+
+static isc_result_t
+fromwire_ch_a(ARGS_FROMWIRE) {
+	isc_region_t sregion;
+	isc_region_t tregion;
+	dns_name_t name;
+
+	REQUIRE(type == dns_rdatatype_a);
+	REQUIRE(rdclass == dns_rdataclass_ch);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&name, NULL);
+
+	RETERR(dns_name_fromwire(&name, source, dctx, options, target));
+
+	isc_buffer_activeregion(source, &sregion);
+	isc_buffer_availableregion(target, &tregion);
+	if (sregion.length < 2) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	if (tregion.length < 2) {
+		return (ISC_R_NOSPACE);
+	}
+
+	memmove(tregion.base, sregion.base, 2);
+	isc_buffer_forward(source, 2);
+	isc_buffer_add(target, 2);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+towire_ch_a(ARGS_TOWIRE) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t sregion;
+	isc_region_t tregion;
+
+	REQUIRE(rdata->type == dns_rdatatype_a);
+	REQUIRE(rdata->rdclass == dns_rdataclass_ch);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&name, offsets);
+
+	dns_rdata_toregion(rdata, &sregion);
+
+	dns_name_fromregion(&name, &sregion);
+	isc_region_consume(&sregion, name_length(&name));
+	RETERR(dns_name_towire(&name, cctx, target));
+
+	isc_buffer_availableregion(target, &tregion);
+	if (tregion.length < 2) {
+		return (ISC_R_NOSPACE);
+	}
+
+	memmove(tregion.base, sregion.base, 2);
+	isc_buffer_add(target, 2);
+	return (ISC_R_SUCCESS);
+}
+
+static int
+compare_ch_a(ARGS_COMPARE) {
+	dns_name_t name1;
+	dns_name_t name2;
+	isc_region_t region1;
+	isc_region_t region2;
+	int order;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_a);
+	REQUIRE(rdata1->rdclass == dns_rdataclass_ch);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+	isc_region_consume(&region1, name_length(&name1));
+	isc_region_consume(&region2, name_length(&name2));
+
+	order = dns_name_rdatacompare(&name1, &name2);
+	if (order != 0) {
+		return (order);
+	}
+
+	order = memcmp(region1.base, region2.base, 2);
+	if (order != 0) {
+		order = (order < 0) ? -1 : 1;
+	}
+	return (order);
+}
+
+static isc_result_t
+fromstruct_ch_a(ARGS_FROMSTRUCT) {
+	dns_rdata_ch_a_t *a = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_a);
+	REQUIRE(a != NULL);
+	REQUIRE(a->common.rdtype == type);
+	REQUIRE(a->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_name_toregion(&a->ch_addr_dom, &region);
+	RETERR(isc_buffer_copyregion(target, &region));
+
+	return (uint16_tobuffer(ntohs(a->ch_addr), target));
+}
+
+static isc_result_t
+tostruct_ch_a(ARGS_TOSTRUCT) {
+	dns_rdata_ch_a_t *a = target;
+	isc_region_t region;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_a);
+	REQUIRE(rdata->rdclass == dns_rdataclass_ch);
+	REQUIRE(rdata->length != 0);
+
+	a->common.rdclass = rdata->rdclass;
+	a->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&a->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+	isc_region_consume(&region, name_length(&name));
+
+	dns_name_init(&a->ch_addr_dom, NULL);
+	RETERR(name_duporclone(&name, mctx, &a->ch_addr_dom));
+	a->ch_addr = htons(uint16_fromregion(&region));
+	a->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_ch_a(ARGS_FREESTRUCT) {
+	dns_rdata_ch_a_t *a = source;
+
+	REQUIRE(a != NULL);
+	REQUIRE(a->common.rdtype == dns_rdatatype_a);
+
+	if (a->mctx == NULL) {
+		return;
+	}
+
+	dns_name_free(&a->ch_addr_dom, a->mctx);
+	a->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_ch_a(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_a);
+	REQUIRE(rdata->rdclass == dns_rdataclass_ch);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_ch_a(ARGS_DIGEST) {
+	isc_region_t r;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_a);
+	REQUIRE(rdata->rdclass == dns_rdataclass_ch);
+
+	dns_rdata_toregion(rdata, &r);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r);
+	isc_region_consume(&r, name_length(&name));
+	RETERR(dns_name_digest(&name, digest, arg));
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_ch_a(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_a);
+	REQUIRE(rdclass == dns_rdataclass_ch);
+
+	UNUSED(type);
+
+	return (dns_name_ishostname(name, wildcard));
+}
+
+static bool
+checknames_ch_a(ARGS_CHECKNAMES) {
+	isc_region_t region;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_a);
+	REQUIRE(rdata->rdclass == dns_rdataclass_ch);
+
+	UNUSED(owner);
+
+	dns_rdata_toregion(rdata, &region);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+	if (!dns_name_ishostname(&name, false)) {
+		if (bad != NULL) {
+			dns_name_clone(&name, bad);
+		}
+		return (false);
+	}
+
+	return (true);
+}
+
+static int
+casecompare_ch_a(ARGS_COMPARE) {
+	return (compare_ch_a(rdata1, rdata2));
+}
+#endif /* RDATA_CH_3_A_1_C */
diff --git a/lib/dns/rdata/ch_3/a_1.h b/lib/dns/rdata/ch_3/a_1.h
new file mode 100644
index 0000000..231665d
--- /dev/null
+++ b/lib/dns/rdata/ch_3/a_1.h
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* by Bjorn.Victor@it.uu.se, 2005-05-07 */
+/* Based on generic/mx_15.h */
+
+#ifndef CH_3_A_1_H
+#define CH_3_A_1_H 1
+
+typedef uint16_t ch_addr_t;
+
+typedef struct dns_rdata_ch_a {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	dns_name_t ch_addr_dom; /* ch-addr domain for back mapping
+				 * */
+	ch_addr_t ch_addr;	/* chaos address (16 bit) network
+				 * order */
+} dns_rdata_ch_a_t;
+
+#endif /* CH_3_A_1_H */
diff --git a/lib/dns/rdata/generic/afsdb_18.c b/lib/dns/rdata/generic/afsdb_18.c
new file mode 100644
index 0000000..2c4eb27
--- /dev/null
+++ b/lib/dns/rdata/generic/afsdb_18.c
@@ -0,0 +1,316 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC1183 */
+
+#ifndef RDATA_GENERIC_AFSDB_18_C
+#define RDATA_GENERIC_AFSDB_18_C
+
+#define RRTYPE_AFSDB_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_afsdb(ARGS_FROMTEXT) {
+	isc_token_t token;
+	isc_buffer_t buffer;
+	dns_name_t name;
+	bool ok;
+
+	REQUIRE(type == dns_rdatatype_afsdb);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	/*
+	 * Subtype.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Hostname.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL) {
+		origin = dns_rootname;
+	}
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	ok = true;
+	if ((options & DNS_RDATA_CHECKNAMES) != 0) {
+		ok = dns_name_ishostname(&name, false);
+	}
+	if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0) {
+		RETTOK(DNS_R_BADNAME);
+	}
+	if (!ok && callbacks != NULL) {
+		warn_badname(&name, lexer, callbacks);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+totext_afsdb(ARGS_TOTEXT) {
+	dns_name_t name;
+	dns_name_t prefix;
+	isc_region_t region;
+	char buf[sizeof("64000 ")];
+	bool sub;
+	unsigned int num;
+
+	REQUIRE(rdata->type == dns_rdatatype_afsdb);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+
+	dns_rdata_toregion(rdata, &region);
+	num = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	snprintf(buf, sizeof(buf), "%u ", num);
+	RETERR(str_totext(buf, target));
+	dns_name_fromregion(&name, &region);
+	sub = name_prefix(&name, tctx->origin, &prefix);
+	return (dns_name_totext(&prefix, sub, target));
+}
+
+static isc_result_t
+fromwire_afsdb(ARGS_FROMWIRE) {
+	dns_name_t name;
+	isc_region_t sr;
+	isc_region_t tr;
+
+	REQUIRE(type == dns_rdatatype_afsdb);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+	dns_name_init(&name, NULL);
+
+	isc_buffer_activeregion(source, &sr);
+	isc_buffer_availableregion(target, &tr);
+	if (tr.length < 2) {
+		return (ISC_R_NOSPACE);
+	}
+	if (sr.length < 2) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	memmove(tr.base, sr.base, 2);
+	isc_buffer_forward(source, 2);
+	isc_buffer_add(target, 2);
+	return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static isc_result_t
+towire_afsdb(ARGS_TOWIRE) {
+	isc_region_t tr;
+	isc_region_t sr;
+	dns_name_t name;
+	dns_offsets_t offsets;
+
+	REQUIRE(rdata->type == dns_rdatatype_afsdb);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+	isc_buffer_availableregion(target, &tr);
+	dns_rdata_toregion(rdata, &sr);
+	if (tr.length < 2) {
+		return (ISC_R_NOSPACE);
+	}
+	memmove(tr.base, sr.base, 2);
+	isc_region_consume(&sr, 2);
+	isc_buffer_add(target, 2);
+
+	dns_name_init(&name, offsets);
+	dns_name_fromregion(&name, &sr);
+
+	return (dns_name_towire(&name, cctx, target));
+}
+
+static int
+compare_afsdb(ARGS_COMPARE) {
+	int result;
+	dns_name_t name1;
+	dns_name_t name2;
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_afsdb);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	result = memcmp(rdata1->data, rdata2->data, 2);
+	if (result != 0) {
+		return (result < 0 ? -1 : 1);
+	}
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	isc_region_consume(&region1, 2);
+	isc_region_consume(&region2, 2);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static isc_result_t
+fromstruct_afsdb(ARGS_FROMSTRUCT) {
+	dns_rdata_afsdb_t *afsdb = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_afsdb);
+	REQUIRE(afsdb != NULL);
+	REQUIRE(afsdb->common.rdclass == rdclass);
+	REQUIRE(afsdb->common.rdtype == type);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint16_tobuffer(afsdb->subtype, target));
+	dns_name_toregion(&afsdb->server, &region);
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static isc_result_t
+tostruct_afsdb(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_afsdb_t *afsdb = target;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_afsdb);
+	REQUIRE(afsdb != NULL);
+	REQUIRE(rdata->length != 0);
+
+	afsdb->common.rdclass = rdata->rdclass;
+	afsdb->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&afsdb->common, link);
+
+	dns_name_init(&afsdb->server, NULL);
+
+	dns_rdata_toregion(rdata, &region);
+
+	afsdb->subtype = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+
+	RETERR(name_duporclone(&name, mctx, &afsdb->server));
+	afsdb->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_afsdb(ARGS_FREESTRUCT) {
+	dns_rdata_afsdb_t *afsdb = source;
+
+	REQUIRE(afsdb != NULL);
+	REQUIRE(afsdb->common.rdtype == dns_rdatatype_afsdb);
+
+	if (afsdb->mctx == NULL) {
+		return;
+	}
+
+	dns_name_free(&afsdb->server, afsdb->mctx);
+	afsdb->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_afsdb(ARGS_ADDLDATA) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_afsdb);
+
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &region);
+	isc_region_consume(&region, 2);
+	dns_name_fromregion(&name, &region);
+
+	return ((add)(arg, &name, dns_rdatatype_a));
+}
+
+static isc_result_t
+digest_afsdb(ARGS_DIGEST) {
+	isc_region_t r1, r2;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_afsdb);
+
+	dns_rdata_toregion(rdata, &r1);
+	r2 = r1;
+	isc_region_consume(&r2, 2);
+	r1.length = 2;
+	RETERR((digest)(arg, &r1));
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r2);
+
+	return (dns_name_digest(&name, digest, arg));
+}
+
+static bool
+checkowner_afsdb(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_afsdb);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_afsdb(ARGS_CHECKNAMES) {
+	isc_region_t region;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_afsdb);
+
+	UNUSED(owner);
+
+	dns_rdata_toregion(rdata, &region);
+	isc_region_consume(&region, 2);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+	if (!dns_name_ishostname(&name, false)) {
+		if (bad != NULL) {
+			dns_name_clone(&name, bad);
+		}
+		return (false);
+	}
+	return (true);
+}
+
+static int
+casecompare_afsdb(ARGS_COMPARE) {
+	return (compare_afsdb(rdata1, rdata2));
+}
+#endif /* RDATA_GENERIC_AFSDB_18_C */
diff --git a/lib/dns/rdata/generic/afsdb_18.h b/lib/dns/rdata/generic/afsdb_18.h
new file mode 100644
index 0000000..878ca9d
--- /dev/null
+++ b/lib/dns/rdata/generic/afsdb_18.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_AFSDB_18_H
+#define GENERIC_AFSDB_18_H 1
+
+/*!
+ *  \brief Per RFC1183 */
+
+typedef struct dns_rdata_afsdb {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	uint16_t subtype;
+	dns_name_t server;
+} dns_rdata_afsdb_t;
+
+#endif /* GENERIC_AFSDB_18_H */
diff --git a/lib/dns/rdata/generic/amtrelay_260.c b/lib/dns/rdata/generic/amtrelay_260.c
new file mode 100644
index 0000000..6938c43
--- /dev/null
+++ b/lib/dns/rdata/generic/amtrelay_260.c
@@ -0,0 +1,471 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_AMTRELAY_260_C
+#define RDATA_GENERIC_AMTRELAY_260_C
+
+#include <string.h>
+
+#include <isc/net.h>
+
+#define RRTYPE_AMTRELAY_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_amtrelay(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+	unsigned int discovery;
+	unsigned int gateway;
+	struct in_addr addr;
+	unsigned char addr6[16];
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_amtrelay);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	/*
+	 * Precedence.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint8_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Discovery.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 1U) {
+		RETTOK(ISC_R_RANGE);
+	}
+	discovery = token.value.as_ulong;
+
+	/*
+	 * Gateway type.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0x7fU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint8_tobuffer(token.value.as_ulong | (discovery << 7), target));
+	gateway = token.value.as_ulong;
+
+	if (gateway == 0) {
+		return (ISC_R_SUCCESS);
+	}
+
+	if (gateway > 3) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	/*
+	 * Gateway.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	switch (gateway) {
+	case 1:
+		if (inet_pton(AF_INET, DNS_AS_STR(token), &addr) != 1) {
+			RETTOK(DNS_R_BADDOTTEDQUAD);
+		}
+		isc_buffer_availableregion(target, &region);
+		if (region.length < 4) {
+			return (ISC_R_NOSPACE);
+		}
+		memmove(region.base, &addr, 4);
+		isc_buffer_add(target, 4);
+		return (ISC_R_SUCCESS);
+
+	case 2:
+		if (inet_pton(AF_INET6, DNS_AS_STR(token), addr6) != 1) {
+			RETTOK(DNS_R_BADAAAA);
+		}
+		isc_buffer_availableregion(target, &region);
+		if (region.length < 16) {
+			return (ISC_R_NOSPACE);
+		}
+		memmove(region.base, addr6, 16);
+		isc_buffer_add(target, 16);
+		return (ISC_R_SUCCESS);
+
+	case 3:
+		dns_name_init(&name, NULL);
+		buffer_fromregion(&buffer, &token.value.as_region);
+		if (origin == NULL) {
+			origin = dns_rootname;
+		}
+		return (dns_name_fromtext(&name, &buffer, origin, options,
+					  target));
+	default:
+		UNREACHABLE();
+	}
+}
+
+static isc_result_t
+totext_amtrelay(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	char buf[sizeof("0 255 ")];
+	unsigned char precedence;
+	unsigned char discovery;
+	unsigned char gateway;
+	const char *space;
+
+	UNUSED(tctx);
+
+	REQUIRE(rdata->type == dns_rdatatype_amtrelay);
+	REQUIRE(rdata->length >= 2);
+
+	if ((rdata->data[1] & 0x7f) > 3U) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	/*
+	 * Precedence.
+	 */
+	dns_rdata_toregion(rdata, &region);
+	precedence = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	snprintf(buf, sizeof(buf), "%u ", precedence);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Discovery and Gateway type.
+	 */
+	gateway = uint8_fromregion(&region);
+	discovery = gateway >> 7;
+	gateway &= 0x7f;
+	space = (gateway != 0U) ? " " : "";
+	isc_region_consume(&region, 1);
+	snprintf(buf, sizeof(buf), "%u %u%s", discovery, gateway, space);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Gateway.
+	 */
+	switch (gateway) {
+	case 0:
+		break;
+	case 1:
+		return (inet_totext(AF_INET, tctx->flags, &region, target));
+
+	case 2:
+		return (inet_totext(AF_INET6, tctx->flags, &region, target));
+
+	case 3:
+		dns_name_init(&name, NULL);
+		dns_name_fromregion(&name, &region);
+		return (dns_name_totext(&name, false, target));
+
+	default:
+		UNREACHABLE();
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+fromwire_amtrelay(ARGS_FROMWIRE) {
+	dns_name_t name;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_amtrelay);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+	isc_buffer_activeregion(source, &region);
+	if (region.length < 2) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	switch (region.base[1] & 0x7f) {
+	case 0:
+		if (region.length != 2) {
+			return (DNS_R_FORMERR);
+		}
+		isc_buffer_forward(source, region.length);
+		return (mem_tobuffer(target, region.base, region.length));
+
+	case 1:
+		if (region.length != 6) {
+			return (DNS_R_FORMERR);
+		}
+		isc_buffer_forward(source, region.length);
+		return (mem_tobuffer(target, region.base, region.length));
+
+	case 2:
+		if (region.length != 18) {
+			return (DNS_R_FORMERR);
+		}
+		isc_buffer_forward(source, region.length);
+		return (mem_tobuffer(target, region.base, region.length));
+
+	case 3:
+		RETERR(mem_tobuffer(target, region.base, 2));
+		isc_buffer_forward(source, 2);
+		dns_name_init(&name, NULL);
+		return (dns_name_fromwire(&name, source, dctx, options,
+					  target));
+
+	default:
+		isc_buffer_forward(source, region.length);
+		return (mem_tobuffer(target, region.base, region.length));
+	}
+}
+
+static isc_result_t
+towire_amtrelay(ARGS_TOWIRE) {
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_amtrelay);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &region);
+	return (mem_tobuffer(target, region.base, region.length));
+}
+
+static int
+compare_amtrelay(ARGS_COMPARE) {
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_amtrelay);
+	REQUIRE(rdata1->length >= 2);
+	REQUIRE(rdata2->length >= 2);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	return (isc_region_compare(&region1, &region2));
+}
+
+static isc_result_t
+fromstruct_amtrelay(ARGS_FROMSTRUCT) {
+	dns_rdata_amtrelay_t *amtrelay = source;
+	isc_region_t region;
+	uint32_t n;
+
+	REQUIRE(type == dns_rdatatype_amtrelay);
+	REQUIRE(amtrelay != NULL);
+	REQUIRE(amtrelay->common.rdtype == type);
+	REQUIRE(amtrelay->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint8_tobuffer(amtrelay->precedence, target));
+	n = (amtrelay->discovery ? 0x80 : 0) | amtrelay->gateway_type;
+	RETERR(uint8_tobuffer(n, target));
+
+	switch (amtrelay->gateway_type) {
+	case 0:
+		return (ISC_R_SUCCESS);
+
+	case 1:
+		n = ntohl(amtrelay->in_addr.s_addr);
+		return (uint32_tobuffer(n, target));
+
+	case 2:
+		return (mem_tobuffer(target, amtrelay->in6_addr.s6_addr, 16));
+		break;
+
+	case 3:
+		dns_name_toregion(&amtrelay->gateway, &region);
+		return (isc_buffer_copyregion(target, &region));
+		break;
+
+	default:
+		return (mem_tobuffer(target, amtrelay->data, amtrelay->length));
+	}
+}
+
+static isc_result_t
+tostruct_amtrelay(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_amtrelay_t *amtrelay = target;
+	dns_name_t name;
+	uint32_t n;
+
+	REQUIRE(rdata->type == dns_rdatatype_amtrelay);
+	REQUIRE(amtrelay != NULL);
+	REQUIRE(rdata->length >= 2);
+
+	amtrelay->common.rdclass = rdata->rdclass;
+	amtrelay->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&amtrelay->common, link);
+
+	dns_name_init(&amtrelay->gateway, NULL);
+	amtrelay->data = NULL;
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+
+	amtrelay->precedence = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+
+	amtrelay->gateway_type = uint8_fromregion(&region);
+	amtrelay->discovery = (amtrelay->gateway_type & 0x80) != 0;
+	amtrelay->gateway_type &= 0x7f;
+	isc_region_consume(&region, 1);
+
+	switch (amtrelay->gateway_type) {
+	case 0:
+		break;
+
+	case 1:
+		n = uint32_fromregion(&region);
+		amtrelay->in_addr.s_addr = htonl(n);
+		isc_region_consume(&region, 4);
+		break;
+
+	case 2:
+		memmove(amtrelay->in6_addr.s6_addr, region.base, 16);
+		isc_region_consume(&region, 16);
+		break;
+
+	case 3:
+		dns_name_fromregion(&name, &region);
+		RETERR(name_duporclone(&name, mctx, &amtrelay->gateway));
+		isc_region_consume(&region, name_length(&name));
+		break;
+
+	default:
+		if (region.length != 0) {
+			amtrelay->data = mem_maybedup(mctx, region.base,
+						      region.length);
+			if (amtrelay->data == NULL) {
+				return (ISC_R_NOMEMORY);
+			}
+		}
+		amtrelay->length = region.length;
+	}
+	amtrelay->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_amtrelay(ARGS_FREESTRUCT) {
+	dns_rdata_amtrelay_t *amtrelay = source;
+
+	REQUIRE(amtrelay != NULL);
+	REQUIRE(amtrelay->common.rdtype == dns_rdatatype_amtrelay);
+
+	if (amtrelay->mctx == NULL) {
+		return;
+	}
+
+	if (amtrelay->gateway_type == 3) {
+		dns_name_free(&amtrelay->gateway, amtrelay->mctx);
+	}
+
+	if (amtrelay->data != NULL) {
+		isc_mem_free(amtrelay->mctx, amtrelay->data);
+	}
+
+	amtrelay->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_amtrelay(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_amtrelay);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_amtrelay(ARGS_DIGEST) {
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_amtrelay);
+
+	dns_rdata_toregion(rdata, &region);
+	return ((digest)(arg, &region));
+}
+
+static bool
+checkowner_amtrelay(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_amtrelay);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_amtrelay(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_amtrelay);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_amtrelay(ARGS_COMPARE) {
+	isc_region_t region1;
+	isc_region_t region2;
+	dns_name_t name1;
+	dns_name_t name2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_amtrelay);
+	REQUIRE(rdata1->length >= 2);
+	REQUIRE(rdata2->length >= 2);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	if (memcmp(region1.base, region2.base, 2) != 0 ||
+	    (region1.base[1] & 0x7f) != 3)
+	{
+		return (isc_region_compare(&region1, &region2));
+	}
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	isc_region_consume(&region1, 2);
+	isc_region_consume(&region2, 2);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	return (dns_name_rdatacompare(&name1, &name2));
+}
+
+#endif /* RDATA_GENERIC_AMTRELAY_260_C */
diff --git a/lib/dns/rdata/generic/amtrelay_260.h b/lib/dns/rdata/generic/amtrelay_260.h
new file mode 100644
index 0000000..48a3fbb
--- /dev/null
+++ b/lib/dns/rdata/generic/amtrelay_260.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_AMTRELAY_260_H
+#define GENERIC_AMTRELAY_260_H 1
+
+typedef struct dns_rdata_amtrelay {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	uint8_t precedence;
+	bool discovery;
+	uint8_t gateway_type;
+	struct in_addr in_addr;	  /* gateway type 1 */
+	struct in6_addr in6_addr; /* gateway type 2 */
+	dns_name_t gateway;	  /* gateway type 3 */
+	unsigned char *data;	  /* gateway type > 3 */
+	uint16_t length;
+} dns_rdata_amtrelay_t;
+
+#endif /* GENERIC_AMTRELAY_260_H */
diff --git a/lib/dns/rdata/generic/avc_258.c b/lib/dns/rdata/generic/avc_258.c
new file mode 100644
index 0000000..34d0048
--- /dev/null
+++ b/lib/dns/rdata/generic/avc_258.c
@@ -0,0 +1,144 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_AVC_258_C
+#define RDATA_GENERIC_AVC_258_C
+
+#define RRTYPE_AVC_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_avc(ARGS_FROMTEXT) {
+	REQUIRE(type == dns_rdatatype_avc);
+
+	return (generic_fromtext_txt(CALL_FROMTEXT));
+}
+
+static isc_result_t
+totext_avc(ARGS_TOTEXT) {
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_avc);
+
+	return (generic_totext_txt(CALL_TOTEXT));
+}
+
+static isc_result_t
+fromwire_avc(ARGS_FROMWIRE) {
+	REQUIRE(type == dns_rdatatype_avc);
+
+	return (generic_fromwire_txt(CALL_FROMWIRE));
+}
+
+static isc_result_t
+towire_avc(ARGS_TOWIRE) {
+	REQUIRE(rdata->type == dns_rdatatype_avc);
+
+	UNUSED(cctx);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static int
+compare_avc(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_avc);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+fromstruct_avc(ARGS_FROMSTRUCT) {
+	REQUIRE(type == dns_rdatatype_avc);
+
+	return (generic_fromstruct_txt(CALL_FROMSTRUCT));
+}
+
+static isc_result_t
+tostruct_avc(ARGS_TOSTRUCT) {
+	dns_rdata_avc_t *avc = target;
+
+	REQUIRE(rdata->type == dns_rdatatype_avc);
+	REQUIRE(avc != NULL);
+
+	avc->common.rdclass = rdata->rdclass;
+	avc->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&avc->common, link);
+
+	return (generic_tostruct_txt(CALL_TOSTRUCT));
+}
+
+static void
+freestruct_avc(ARGS_FREESTRUCT) {
+	dns_rdata_avc_t *avc = source;
+
+	REQUIRE(avc != NULL);
+	REQUIRE(avc->common.rdtype == dns_rdatatype_avc);
+
+	generic_freestruct_txt(source);
+}
+
+static isc_result_t
+additionaldata_avc(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_avc);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_avc(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_avc);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_avc(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_avc);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_avc(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_avc);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_avc(ARGS_COMPARE) {
+	return (compare_avc(rdata1, rdata2));
+}
+#endif /* RDATA_GENERIC_AVC_258_C */
diff --git a/lib/dns/rdata/generic/avc_258.h b/lib/dns/rdata/generic/avc_258.h
new file mode 100644
index 0000000..c158764
--- /dev/null
+++ b/lib/dns/rdata/generic/avc_258.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_AVC_258_H
+#define GENERIC_AVC_258_H 1
+
+typedef dns_rdata_txt_string_t dns_rdata_avc_string_t;
+
+typedef struct dns_rdata_avc {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	unsigned char *data;
+	uint16_t length;
+	/* private */
+	uint16_t offset;
+} dns_rdata_avc_t;
+
+/*
+ * ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS are already done
+ * via rdatastructpre.h and rdatastructsuf.h.
+ */
+#endif /* GENERIC_AVC_258_H */
diff --git a/lib/dns/rdata/generic/caa_257.c b/lib/dns/rdata/generic/caa_257.c
new file mode 100644
index 0000000..0e6170b
--- /dev/null
+++ b/lib/dns/rdata/generic/caa_257.c
@@ -0,0 +1,627 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_CAA_257_C
+#define GENERIC_CAA_257_C 1
+
+#define RRTYPE_CAA_ATTRIBUTES (0)
+
+static unsigned char const alphanumeric[256] = {
+	/* 0x00-0x0f */ 0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	/* 0x10-0x1f */ 0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	/* 0x20-0x2f */ 0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	/* 0x30-0x3f */ 1,
+	1,
+	1,
+	1,
+	1,
+	1,
+	1,
+	1,
+	1,
+	1,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	/* 0x40-0x4f */ 0,
+	1,
+	1,
+	1,
+	1,
+	1,
+	1,
+	1,
+	1,
+	1,
+	1,
+	1,
+	1,
+	1,
+	1,
+	1,
+	/* 0x50-0x5f */ 1,
+	1,
+	1,
+	1,
+	1,
+	1,
+	1,
+	1,
+	1,
+	1,
+	1,
+	0,
+	0,
+	0,
+	0,
+	0,
+	/* 0x60-0x6f */ 0,
+	1,
+	1,
+	1,
+	1,
+	1,
+	1,
+	1,
+	1,
+	1,
+	1,
+	1,
+	1,
+	1,
+	1,
+	1,
+	/* 0x70-0x7f */ 1,
+	1,
+	1,
+	1,
+	1,
+	1,
+	1,
+	1,
+	1,
+	1,
+	1,
+	0,
+	0,
+	0,
+	0,
+	0,
+	/* 0x80-0x8f */ 0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	/* 0x90-0x9f */ 0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	/* 0xa0-0xaf */ 0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	/* 0xb0-0xbf */ 0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	/* 0xc0-0xcf */ 0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	/* 0xd0-0xdf */ 0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	/* 0xe0-0xef */ 0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	/* 0xf0-0xff */ 0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+};
+
+static isc_result_t
+fromtext_caa(ARGS_FROMTEXT) {
+	isc_token_t token;
+	isc_textregion_t tr;
+	uint8_t flags;
+	unsigned int i;
+
+	REQUIRE(type == dns_rdatatype_caa);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	/* Flags. */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 255U) {
+		RETTOK(ISC_R_RANGE);
+	}
+	flags = (uint8_t)(token.value.as_ulong & 255U);
+	RETERR(uint8_tobuffer(flags, target));
+
+	/*
+	 * Tag
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	tr = token.value.as_textregion;
+	for (i = 0; i < tr.length; i++) {
+		if (!alphanumeric[(unsigned char)tr.base[i]]) {
+			RETTOK(DNS_R_SYNTAX);
+		}
+	}
+	RETERR(uint8_tobuffer(tr.length, target));
+	RETERR(mem_tobuffer(target, tr.base, tr.length));
+
+	/*
+	 * Value
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
+				      false));
+	if (token.type != isc_tokentype_qstring &&
+	    token.type != isc_tokentype_string)
+	{
+		RETERR(DNS_R_SYNTAX);
+	}
+	RETERR(multitxt_fromtext(&token.value.as_textregion, target));
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+totext_caa(ARGS_TOTEXT) {
+	isc_region_t region;
+	uint8_t flags;
+	char buf[256];
+
+	UNUSED(tctx);
+
+	REQUIRE(rdata->type == dns_rdatatype_caa);
+	REQUIRE(rdata->length >= 3U);
+	REQUIRE(rdata->data != NULL);
+
+	dns_rdata_toregion(rdata, &region);
+
+	/*
+	 * Flags
+	 */
+	flags = uint8_consume_fromregion(&region);
+	snprintf(buf, sizeof(buf), "%u ", flags);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Tag
+	 */
+	RETERR(txt_totext(&region, false, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Value
+	 */
+	RETERR(multitxt_totext(&region, target));
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+fromwire_caa(ARGS_FROMWIRE) {
+	isc_region_t sr;
+	unsigned int len, i;
+
+	REQUIRE(type == dns_rdatatype_caa);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+	UNUSED(options);
+
+	/*
+	 * Flags
+	 */
+	isc_buffer_activeregion(source, &sr);
+	if (sr.length < 2) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	/*
+	 * Flags, tag length
+	 */
+	RETERR(mem_tobuffer(target, sr.base, 2));
+	len = sr.base[1];
+	isc_region_consume(&sr, 2);
+	isc_buffer_forward(source, 2);
+
+	/*
+	 * Zero length tag fields are illegal.
+	 */
+	if (sr.length < len || len == 0) {
+		RETERR(DNS_R_FORMERR);
+	}
+
+	/* Check the Tag's value */
+	for (i = 0; i < len; i++) {
+		if (!alphanumeric[sr.base[i]]) {
+			RETERR(DNS_R_FORMERR);
+			/*
+			 * Tag + Value
+			 */
+		}
+	}
+	/*
+	 * Tag + Value
+	 */
+	isc_buffer_forward(source, sr.length);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static isc_result_t
+towire_caa(ARGS_TOWIRE) {
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_caa);
+	REQUIRE(rdata->length >= 3U);
+	REQUIRE(rdata->data != NULL);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &region);
+	return (mem_tobuffer(target, region.base, region.length));
+}
+
+static int
+compare_caa(ARGS_COMPARE) {
+	isc_region_t r1, r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_caa);
+	REQUIRE(rdata1->length >= 3U);
+	REQUIRE(rdata2->length >= 3U);
+	REQUIRE(rdata1->data != NULL);
+	REQUIRE(rdata2->data != NULL);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+fromstruct_caa(ARGS_FROMSTRUCT) {
+	dns_rdata_caa_t *caa = source;
+	isc_region_t region;
+	unsigned int i;
+
+	REQUIRE(type == dns_rdatatype_caa);
+	REQUIRE(caa != NULL);
+	REQUIRE(caa->common.rdtype == type);
+	REQUIRE(caa->common.rdclass == rdclass);
+	REQUIRE(caa->tag != NULL && caa->tag_len != 0);
+	REQUIRE(caa->value != NULL);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	/*
+	 * Flags
+	 */
+	RETERR(uint8_tobuffer(caa->flags, target));
+
+	/*
+	 * Tag length
+	 */
+	RETERR(uint8_tobuffer(caa->tag_len, target));
+
+	/*
+	 * Tag
+	 */
+	region.base = caa->tag;
+	region.length = caa->tag_len;
+	for (i = 0; i < region.length; i++) {
+		if (!alphanumeric[region.base[i]]) {
+			RETERR(DNS_R_SYNTAX);
+		}
+	}
+	RETERR(isc_buffer_copyregion(target, &region));
+
+	/*
+	 * Value
+	 */
+	region.base = caa->value;
+	region.length = caa->value_len;
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static isc_result_t
+tostruct_caa(ARGS_TOSTRUCT) {
+	dns_rdata_caa_t *caa = target;
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_caa);
+	REQUIRE(caa != NULL);
+	REQUIRE(rdata->length >= 3U);
+	REQUIRE(rdata->data != NULL);
+
+	caa->common.rdclass = rdata->rdclass;
+	caa->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&caa->common, link);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/*
+	 * Flags
+	 */
+	if (sr.length < 1) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	caa->flags = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+
+	/*
+	 * Tag length
+	 */
+	if (sr.length < 1) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	caa->tag_len = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+
+	/*
+	 * Tag
+	 */
+	if (sr.length < caa->tag_len) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	caa->tag = mem_maybedup(mctx, sr.base, caa->tag_len);
+	if (caa->tag == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+	isc_region_consume(&sr, caa->tag_len);
+
+	/*
+	 * Value
+	 */
+	caa->value_len = sr.length;
+	caa->value = mem_maybedup(mctx, sr.base, sr.length);
+	if (caa->value == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	caa->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_caa(ARGS_FREESTRUCT) {
+	dns_rdata_caa_t *caa = (dns_rdata_caa_t *)source;
+
+	REQUIRE(caa != NULL);
+	REQUIRE(caa->common.rdtype == dns_rdatatype_caa);
+
+	if (caa->mctx == NULL) {
+		return;
+	}
+
+	if (caa->tag != NULL) {
+		isc_mem_free(caa->mctx, caa->tag);
+	}
+	if (caa->value != NULL) {
+		isc_mem_free(caa->mctx, caa->value);
+	}
+	caa->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_caa(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_caa);
+	REQUIRE(rdata->data != NULL);
+	REQUIRE(rdata->length >= 3U);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_caa(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_caa);
+	REQUIRE(rdata->data != NULL);
+	REQUIRE(rdata->length >= 3U);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_caa(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_caa);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_caa(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_caa);
+	REQUIRE(rdata->data != NULL);
+	REQUIRE(rdata->length >= 3U);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_caa(ARGS_COMPARE) {
+	return (compare_caa(rdata1, rdata2));
+}
+
+#endif /* GENERIC_CAA_257_C */
diff --git a/lib/dns/rdata/generic/caa_257.h b/lib/dns/rdata/generic/caa_257.h
new file mode 100644
index 0000000..ff1c605
--- /dev/null
+++ b/lib/dns/rdata/generic/caa_257.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_CAA_257_H
+#define GENERIC_CAA_257_H 1
+
+typedef struct dns_rdata_caa {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	uint8_t flags;
+	unsigned char *tag;
+	uint8_t tag_len;
+	unsigned char *value;
+	uint16_t value_len;
+} dns_rdata_caa_t;
+
+#endif /* GENERIC_CAA_257_H */
diff --git a/lib/dns/rdata/generic/cdnskey_60.c b/lib/dns/rdata/generic/cdnskey_60.c
new file mode 100644
index 0000000..672bf12
--- /dev/null
+++ b/lib/dns/rdata/generic/cdnskey_60.c
@@ -0,0 +1,163 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* draft-ietf-dnsop-delegation-trust-maintainance-14 */
+
+#ifndef RDATA_GENERIC_CDNSKEY_60_C
+#define RDATA_GENERIC_CDNSKEY_60_C
+
+#include <dst/dst.h>
+
+#define RRTYPE_CDNSKEY_ATTRIBUTES 0
+
+static isc_result_t
+fromtext_cdnskey(ARGS_FROMTEXT) {
+	REQUIRE(type == dns_rdatatype_cdnskey);
+
+	return (generic_fromtext_key(CALL_FROMTEXT));
+}
+
+static isc_result_t
+totext_cdnskey(ARGS_TOTEXT) {
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_cdnskey);
+
+	return (generic_totext_key(CALL_TOTEXT));
+}
+
+static isc_result_t
+fromwire_cdnskey(ARGS_FROMWIRE) {
+	REQUIRE(type == dns_rdatatype_cdnskey);
+
+	return (generic_fromwire_key(CALL_FROMWIRE));
+}
+
+static isc_result_t
+towire_cdnskey(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_cdnskey);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static int
+compare_cdnskey(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1 != NULL);
+	REQUIRE(rdata2 != NULL);
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_cdnskey);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+fromstruct_cdnskey(ARGS_FROMSTRUCT) {
+	REQUIRE(type == dns_rdatatype_cdnskey);
+
+	return (generic_fromstruct_key(CALL_FROMSTRUCT));
+}
+
+static isc_result_t
+tostruct_cdnskey(ARGS_TOSTRUCT) {
+	dns_rdata_cdnskey_t *dnskey = target;
+
+	REQUIRE(dnskey != NULL);
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_cdnskey);
+
+	dnskey->common.rdclass = rdata->rdclass;
+	dnskey->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&dnskey->common, link);
+
+	return (generic_tostruct_key(CALL_TOSTRUCT));
+}
+
+static void
+freestruct_cdnskey(ARGS_FREESTRUCT) {
+	dns_rdata_cdnskey_t *dnskey = (dns_rdata_cdnskey_t *)source;
+
+	REQUIRE(dnskey != NULL);
+	REQUIRE(dnskey->common.rdtype == dns_rdatatype_cdnskey);
+
+	generic_freestruct_key(source);
+}
+
+static isc_result_t
+additionaldata_cdnskey(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_cdnskey);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_cdnskey(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_cdnskey);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_cdnskey(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_cdnskey);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_cdnskey(ARGS_CHECKNAMES) {
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_cdnskey);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_cdnskey(ARGS_COMPARE) {
+	/*
+	 * Treat ALG 253 (private DNS) subtype name case sensitively.
+	 */
+	return (compare_cdnskey(rdata1, rdata2));
+}
+
+#endif /* RDATA_GENERIC_CDNSKEY_60_C */
diff --git a/lib/dns/rdata/generic/cdnskey_60.h b/lib/dns/rdata/generic/cdnskey_60.h
new file mode 100644
index 0000000..a1a6e57
--- /dev/null
+++ b/lib/dns/rdata/generic/cdnskey_60.h
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_CDNSKEY_60_H
+#define GENERIC_CDNSKEY_60_H 1
+
+/* CDNSKEY records have the same RDATA fields as DNSKEY records. */
+typedef struct dns_rdata_key dns_rdata_cdnskey_t;
+
+#endif /* GENERIC_CDNSKEY_60_H */
diff --git a/lib/dns/rdata/generic/cds_59.c b/lib/dns/rdata/generic/cds_59.c
new file mode 100644
index 0000000..4b3a79b
--- /dev/null
+++ b/lib/dns/rdata/generic/cds_59.c
@@ -0,0 +1,166 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* draft-ietf-dnsop-delegation-trust-maintainance-14 */
+
+#ifndef RDATA_GENERIC_CDS_59_C
+#define RDATA_GENERIC_CDS_59_C
+
+#define RRTYPE_CDS_ATTRIBUTES 0
+
+#include <dns/ds.h>
+
+static isc_result_t
+fromtext_cds(ARGS_FROMTEXT) {
+	REQUIRE(type == dns_rdatatype_cds);
+
+	return (generic_fromtext_ds(CALL_FROMTEXT));
+}
+
+static isc_result_t
+totext_cds(ARGS_TOTEXT) {
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_cds);
+
+	return (generic_totext_ds(CALL_TOTEXT));
+}
+
+static isc_result_t
+fromwire_cds(ARGS_FROMWIRE) {
+	REQUIRE(type == dns_rdatatype_cds);
+
+	return (generic_fromwire_ds(CALL_FROMWIRE));
+}
+
+static isc_result_t
+towire_cds(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_cds);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static int
+compare_cds(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_cds);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+fromstruct_cds(ARGS_FROMSTRUCT) {
+	REQUIRE(type == dns_rdatatype_cds);
+
+	return (generic_fromstruct_ds(CALL_FROMSTRUCT));
+}
+
+static isc_result_t
+tostruct_cds(ARGS_TOSTRUCT) {
+	dns_rdata_cds_t *cds = target;
+
+	REQUIRE(rdata->type == dns_rdatatype_cds);
+	REQUIRE(cds != NULL);
+	REQUIRE(rdata->length != 0);
+
+	/*
+	 * Checked by generic_tostruct_ds().
+	 */
+	cds->common.rdclass = rdata->rdclass;
+	cds->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&cds->common, link);
+
+	return (generic_tostruct_ds(CALL_TOSTRUCT));
+}
+
+static void
+freestruct_cds(ARGS_FREESTRUCT) {
+	dns_rdata_cds_t *cds = source;
+
+	REQUIRE(cds != NULL);
+	REQUIRE(cds->common.rdtype == dns_rdatatype_cds);
+
+	if (cds->mctx == NULL) {
+		return;
+	}
+
+	if (cds->digest != NULL) {
+		isc_mem_free(cds->mctx, cds->digest);
+	}
+	cds->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_cds(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_cds);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_cds(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_cds);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_cds(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_cds);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_cds(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_cds);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_cds(ARGS_COMPARE) {
+	return (compare_cds(rdata1, rdata2));
+}
+
+#endif /* RDATA_GENERIC_CDS_59_C */
diff --git a/lib/dns/rdata/generic/cds_59.h b/lib/dns/rdata/generic/cds_59.h
new file mode 100644
index 0000000..31996b1
--- /dev/null
+++ b/lib/dns/rdata/generic/cds_59.h
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_CDS_59_H
+#define GENERIC_CDS_59_H 1
+
+/* CDS records have the same RDATA fields as DS records. */
+typedef struct dns_rdata_ds dns_rdata_cds_t;
+
+#endif /* GENERIC_CDS_59_H */
diff --git a/lib/dns/rdata/generic/cert_37.c b/lib/dns/rdata/generic/cert_37.c
new file mode 100644
index 0000000..4bd8c0a
--- /dev/null
+++ b/lib/dns/rdata/generic/cert_37.c
@@ -0,0 +1,284 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC2538 */
+
+#ifndef RDATA_GENERIC_CERT_37_C
+#define RDATA_GENERIC_CERT_37_C
+
+#define RRTYPE_CERT_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_cert(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_secalg_t secalg;
+	dns_cert_t cert;
+
+	REQUIRE(type == dns_rdatatype_cert);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	/*
+	 * Cert type.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	RETTOK(dns_cert_fromtext(&cert, &token.value.as_textregion));
+	RETERR(uint16_tobuffer(cert, target));
+
+	/*
+	 * Key tag.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Algorithm.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	RETTOK(dns_secalg_fromtext(&secalg, &token.value.as_textregion));
+	RETERR(mem_tobuffer(target, &secalg, 1));
+
+	return (isc_base64_tobuffer(lexer, target, -2));
+}
+
+static isc_result_t
+totext_cert(ARGS_TOTEXT) {
+	isc_region_t sr;
+	char buf[sizeof("64000 ")];
+	unsigned int n;
+
+	REQUIRE(rdata->type == dns_rdatatype_cert);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(tctx);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/*
+	 * Type.
+	 */
+	n = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	RETERR(dns_cert_totext((dns_cert_t)n, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Key tag.
+	 */
+	n = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	snprintf(buf, sizeof(buf), "%u ", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Algorithm.
+	 */
+	RETERR(dns_secalg_totext(sr.base[0], target));
+	isc_region_consume(&sr, 1);
+
+	/*
+	 * Cert.
+	 */
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+		RETERR(str_totext(" (", target));
+	}
+	RETERR(str_totext(tctx->linebreak, target));
+	if (tctx->width == 0) { /* No splitting */
+		RETERR(isc_base64_totext(&sr, 60, "", target));
+	} else {
+		RETERR(isc_base64_totext(&sr, tctx->width - 2, tctx->linebreak,
+					 target));
+	}
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+		RETERR(str_totext(" )", target));
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+fromwire_cert(ARGS_FROMWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(type == dns_rdatatype_cert);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+	UNUSED(options);
+
+	isc_buffer_activeregion(source, &sr);
+	if (sr.length < 6) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	isc_buffer_forward(source, sr.length);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static isc_result_t
+towire_cert(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_cert);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static int
+compare_cert(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_cert);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+fromstruct_cert(ARGS_FROMSTRUCT) {
+	dns_rdata_cert_t *cert = source;
+
+	REQUIRE(type == dns_rdatatype_cert);
+	REQUIRE(cert != NULL);
+	REQUIRE(cert->common.rdtype == type);
+	REQUIRE(cert->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint16_tobuffer(cert->type, target));
+	RETERR(uint16_tobuffer(cert->key_tag, target));
+	RETERR(uint8_tobuffer(cert->algorithm, target));
+
+	return (mem_tobuffer(target, cert->certificate, cert->length));
+}
+
+static isc_result_t
+tostruct_cert(ARGS_TOSTRUCT) {
+	dns_rdata_cert_t *cert = target;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_cert);
+	REQUIRE(cert != NULL);
+	REQUIRE(rdata->length != 0);
+
+	cert->common.rdclass = rdata->rdclass;
+	cert->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&cert->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+
+	cert->type = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	cert->key_tag = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	cert->algorithm = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	cert->length = region.length;
+
+	cert->certificate = mem_maybedup(mctx, region.base, region.length);
+	if (cert->certificate == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	cert->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_cert(ARGS_FREESTRUCT) {
+	dns_rdata_cert_t *cert = source;
+
+	REQUIRE(cert != NULL);
+	REQUIRE(cert->common.rdtype == dns_rdatatype_cert);
+
+	if (cert->mctx == NULL) {
+		return;
+	}
+
+	if (cert->certificate != NULL) {
+		isc_mem_free(cert->mctx, cert->certificate);
+	}
+	cert->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_cert(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_cert);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_cert(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_cert);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_cert(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_cert);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_cert(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_cert);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_cert(ARGS_COMPARE) {
+	return (compare_cert(rdata1, rdata2));
+}
+#endif /* RDATA_GENERIC_CERT_37_C */
diff --git a/lib/dns/rdata/generic/cert_37.h b/lib/dns/rdata/generic/cert_37.h
new file mode 100644
index 0000000..3fd305e
--- /dev/null
+++ b/lib/dns/rdata/generic/cert_37.h
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_CERT_37_H
+#define GENERIC_CERT_37_H 1
+
+/*% RFC2538 */
+typedef struct dns_rdata_cert {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	uint16_t type;
+	uint16_t key_tag;
+	uint8_t algorithm;
+	uint16_t length;
+	unsigned char *certificate;
+} dns_rdata_cert_t;
+
+#endif /* GENERIC_CERT_37_H */
diff --git a/lib/dns/rdata/generic/cname_5.c b/lib/dns/rdata/generic/cname_5.c
new file mode 100644
index 0000000..a7248cd
--- /dev/null
+++ b/lib/dns/rdata/generic/cname_5.c
@@ -0,0 +1,230 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_CNAME_5_C
+#define RDATA_GENERIC_CNAME_5_C
+
+#define RRTYPE_CNAME_ATTRIBUTES \
+	(DNS_RDATATYPEATTR_EXCLUSIVE | DNS_RDATATYPEATTR_SINGLETON)
+
+static isc_result_t
+fromtext_cname(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+
+	REQUIRE(type == dns_rdatatype_cname);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL) {
+		origin = dns_rootname;
+	}
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+totext_cname(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+
+	REQUIRE(rdata->type == dns_rdatatype_cname);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	sub = name_prefix(&name, tctx->origin, &prefix);
+
+	return (dns_name_totext(&prefix, sub, target));
+}
+
+static isc_result_t
+fromwire_cname(ARGS_FROMWIRE) {
+	dns_name_t name;
+
+	REQUIRE(type == dns_rdatatype_cname);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&name, NULL);
+	return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static isc_result_t
+towire_cname(ARGS_TOWIRE) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_cname);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	return (dns_name_towire(&name, cctx, target));
+}
+
+static int
+compare_cname(ARGS_COMPARE) {
+	dns_name_t name1;
+	dns_name_t name2;
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_cname);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static isc_result_t
+fromstruct_cname(ARGS_FROMSTRUCT) {
+	dns_rdata_cname_t *cname = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_cname);
+	REQUIRE(cname != NULL);
+	REQUIRE(cname->common.rdtype == type);
+	REQUIRE(cname->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_name_toregion(&cname->cname, &region);
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static isc_result_t
+tostruct_cname(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_cname_t *cname = target;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_cname);
+	REQUIRE(cname != NULL);
+	REQUIRE(rdata->length != 0);
+
+	cname->common.rdclass = rdata->rdclass;
+	cname->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&cname->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&cname->cname, NULL);
+	RETERR(name_duporclone(&name, mctx, &cname->cname));
+	cname->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_cname(ARGS_FREESTRUCT) {
+	dns_rdata_cname_t *cname = source;
+
+	REQUIRE(cname != NULL);
+
+	if (cname->mctx == NULL) {
+		return;
+	}
+
+	dns_name_free(&cname->cname, cname->mctx);
+	cname->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_cname(ARGS_ADDLDATA) {
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	REQUIRE(rdata->type == dns_rdatatype_cname);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_cname(ARGS_DIGEST) {
+	isc_region_t r;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_cname);
+
+	dns_rdata_toregion(rdata, &r);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r);
+
+	return (dns_name_digest(&name, digest, arg));
+}
+
+static bool
+checkowner_cname(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_cname);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_cname(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_cname);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_cname(ARGS_COMPARE) {
+	return (compare_cname(rdata1, rdata2));
+}
+
+#endif /* RDATA_GENERIC_CNAME_5_C */
diff --git a/lib/dns/rdata/generic/cname_5.h b/lib/dns/rdata/generic/cname_5.h
new file mode 100644
index 0000000..a44dfbe
--- /dev/null
+++ b/lib/dns/rdata/generic/cname_5.h
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_CNAME_5_H
+#define GENERIC_CNAME_5_H 1
+
+typedef struct dns_rdata_cname {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	dns_name_t cname;
+} dns_rdata_cname_t;
+
+#endif /* GENERIC_CNAME_5_H */
diff --git a/lib/dns/rdata/generic/csync_62.c b/lib/dns/rdata/generic/csync_62.c
new file mode 100644
index 0000000..f988729
--- /dev/null
+++ b/lib/dns/rdata/generic/csync_62.c
@@ -0,0 +1,273 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC 7477 */
+
+#ifndef RDATA_GENERIC_CSYNC_62_C
+#define RDATA_GENERIC_CSYNC_62_C
+
+#define RRTYPE_CSYNC_ATTRIBUTES 0
+
+static isc_result_t
+fromtext_csync(ARGS_FROMTEXT) {
+	isc_token_t token;
+
+	REQUIRE(type == dns_rdatatype_csync);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	/* Serial. */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	RETERR(uint32_tobuffer(token.value.as_ulong, target));
+
+	/* Flags. */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/* Type Map */
+	return (typemap_fromtext(lexer, target, true));
+}
+
+static isc_result_t
+totext_csync(ARGS_TOTEXT) {
+	unsigned long num;
+	char buf[sizeof("0123456789")]; /* Also TYPE65535 */
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_csync);
+	REQUIRE(rdata->length >= 6);
+
+	UNUSED(tctx);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	num = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+	snprintf(buf, sizeof(buf), "%lu", num);
+	RETERR(str_totext(buf, target));
+
+	RETERR(str_totext(" ", target));
+
+	num = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	snprintf(buf, sizeof(buf), "%lu", num);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Don't leave a trailing space when there's no typemap present.
+	 */
+	if (sr.length > 0) {
+		RETERR(str_totext(" ", target));
+	}
+	return (typemap_totext(&sr, NULL, target));
+}
+
+static isc_result_t
+fromwire_csync(ARGS_FROMWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(type == dns_rdatatype_csync);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(options);
+	UNUSED(dctx);
+
+	/*
+	 * Serial + Flags
+	 */
+	isc_buffer_activeregion(source, &sr);
+	if (sr.length < 6) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	RETERR(mem_tobuffer(target, sr.base, 6));
+	isc_buffer_forward(source, 6);
+	isc_region_consume(&sr, 6);
+
+	RETERR(typemap_test(&sr, true));
+
+	RETERR(mem_tobuffer(target, sr.base, sr.length));
+	isc_buffer_forward(source, sr.length);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+towire_csync(ARGS_TOWIRE) {
+	REQUIRE(rdata->type == dns_rdatatype_csync);
+	REQUIRE(rdata->length >= 6);
+
+	UNUSED(cctx);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static int
+compare_csync(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_csync);
+	REQUIRE(rdata1->length >= 6);
+	REQUIRE(rdata2->length >= 6);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+fromstruct_csync(ARGS_FROMSTRUCT) {
+	dns_rdata_csync_t *csync = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_csync);
+	REQUIRE(csync != NULL);
+	REQUIRE(csync->common.rdtype == type);
+	REQUIRE(csync->common.rdclass == rdclass);
+	REQUIRE(csync->typebits != NULL || csync->len == 0);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint32_tobuffer(csync->serial, target));
+	RETERR(uint16_tobuffer(csync->flags, target));
+
+	region.base = csync->typebits;
+	region.length = csync->len;
+	RETERR(typemap_test(&region, true));
+	return (mem_tobuffer(target, csync->typebits, csync->len));
+}
+
+static isc_result_t
+tostruct_csync(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_csync_t *csync = target;
+
+	REQUIRE(rdata->type == dns_rdatatype_csync);
+	REQUIRE(csync != NULL);
+	REQUIRE(rdata->length != 0);
+
+	csync->common.rdclass = rdata->rdclass;
+	csync->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&csync->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+
+	csync->serial = uint32_fromregion(&region);
+	isc_region_consume(&region, 4);
+
+	csync->flags = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+
+	csync->len = region.length;
+	csync->typebits = mem_maybedup(mctx, region.base, region.length);
+	if (csync->typebits == NULL) {
+		goto cleanup;
+	}
+
+	csync->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	return (ISC_R_NOMEMORY);
+}
+
+static void
+freestruct_csync(ARGS_FREESTRUCT) {
+	dns_rdata_csync_t *csync = source;
+
+	REQUIRE(csync != NULL);
+	REQUIRE(csync->common.rdtype == dns_rdatatype_csync);
+
+	if (csync->mctx == NULL) {
+		return;
+	}
+
+	if (csync->typebits != NULL) {
+		isc_mem_free(csync->mctx, csync->typebits);
+	}
+	csync->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_csync(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_csync);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_csync(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_csync);
+
+	dns_rdata_toregion(rdata, &r);
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_csync(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_csync);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_csync(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_csync);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_csync(ARGS_COMPARE) {
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_csync);
+	REQUIRE(rdata1->length >= 6);
+	REQUIRE(rdata2->length >= 6);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+	return (isc_region_compare(&region1, &region2));
+}
+#endif /* RDATA_GENERIC_CSYNC_62_C */
diff --git a/lib/dns/rdata/generic/csync_62.h b/lib/dns/rdata/generic/csync_62.h
new file mode 100644
index 0000000..ecc2202
--- /dev/null
+++ b/lib/dns/rdata/generic/csync_62.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_CSYNC_62_H
+#define GENERIC_CSYNC_62_H 1
+
+/*!
+ * \brief Per RFC 7477
+ */
+
+typedef struct dns_rdata_csync {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	uint32_t serial;
+	uint16_t flags;
+	unsigned char *typebits;
+	uint16_t len;
+} dns_rdata_csync_t;
+
+#endif /* GENERIC_CSYNC_62_H */
diff --git a/lib/dns/rdata/generic/dlv_32769.c b/lib/dns/rdata/generic/dlv_32769.c
new file mode 100644
index 0000000..f45b196
--- /dev/null
+++ b/lib/dns/rdata/generic/dlv_32769.c
@@ -0,0 +1,162 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC3658 */
+
+#ifndef RDATA_GENERIC_DLV_32769_C
+#define RDATA_GENERIC_DLV_32769_C
+
+#define RRTYPE_DLV_ATTRIBUTES 0
+
+#include <dns/ds.h>
+
+static isc_result_t
+fromtext_dlv(ARGS_FROMTEXT) {
+	REQUIRE(type == dns_rdatatype_dlv);
+
+	return (generic_fromtext_ds(CALL_FROMTEXT));
+}
+
+static isc_result_t
+totext_dlv(ARGS_TOTEXT) {
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_dlv);
+
+	return (generic_totext_ds(CALL_TOTEXT));
+}
+
+static isc_result_t
+fromwire_dlv(ARGS_FROMWIRE) {
+	REQUIRE(type == dns_rdatatype_dlv);
+
+	return (generic_fromwire_ds(CALL_FROMWIRE));
+}
+
+static isc_result_t
+towire_dlv(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_dlv);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static int
+compare_dlv(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_dlv);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+fromstruct_dlv(ARGS_FROMSTRUCT) {
+	REQUIRE(type == dns_rdatatype_dlv);
+
+	return (generic_fromstruct_ds(CALL_FROMSTRUCT));
+}
+
+static isc_result_t
+tostruct_dlv(ARGS_TOSTRUCT) {
+	dns_rdata_dlv_t *dlv = target;
+
+	REQUIRE(rdata->type == dns_rdatatype_dlv);
+	REQUIRE(dlv != NULL);
+
+	dlv->common.rdclass = rdata->rdclass;
+	dlv->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&dlv->common, link);
+
+	return (generic_tostruct_ds(CALL_TOSTRUCT));
+}
+
+static void
+freestruct_dlv(ARGS_FREESTRUCT) {
+	dns_rdata_dlv_t *dlv = source;
+
+	REQUIRE(dlv != NULL);
+	REQUIRE(dlv->common.rdtype == dns_rdatatype_dlv);
+
+	if (dlv->mctx == NULL) {
+		return;
+	}
+
+	if (dlv->digest != NULL) {
+		isc_mem_free(dlv->mctx, dlv->digest);
+	}
+	dlv->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_dlv(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_dlv);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_dlv(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_dlv);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_dlv(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_dlv);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_dlv(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_dlv);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_dlv(ARGS_COMPARE) {
+	return (compare_dlv(rdata1, rdata2));
+}
+
+#endif /* RDATA_GENERIC_DLV_32769_C */
diff --git a/lib/dns/rdata/generic/dlv_32769.h b/lib/dns/rdata/generic/dlv_32769.h
new file mode 100644
index 0000000..bf3734e
--- /dev/null
+++ b/lib/dns/rdata/generic/dlv_32769.h
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* draft-ietf-dnsext-delegation-signer-05.txt */
+#ifndef GENERIC_DLV_32769_H
+#define GENERIC_DLV_32769_H 1
+
+typedef struct dns_rdata_ds dns_rdata_dlv_t;
+
+#endif /* GENERIC_DLV_32769_H */
diff --git a/lib/dns/rdata/generic/dname_39.c b/lib/dns/rdata/generic/dname_39.c
new file mode 100644
index 0000000..87f417c
--- /dev/null
+++ b/lib/dns/rdata/generic/dname_39.c
@@ -0,0 +1,230 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC2672 */
+
+#ifndef RDATA_GENERIC_DNAME_39_C
+#define RDATA_GENERIC_DNAME_39_C
+
+#define RRTYPE_DNAME_ATTRIBUTES (DNS_RDATATYPEATTR_SINGLETON)
+
+static isc_result_t
+fromtext_dname(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+
+	REQUIRE(type == dns_rdatatype_dname);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL) {
+		origin = dns_rootname;
+	}
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+totext_dname(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+
+	REQUIRE(rdata->type == dns_rdatatype_dname);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	sub = name_prefix(&name, tctx->origin, &prefix);
+
+	return (dns_name_totext(&prefix, sub, target));
+}
+
+static isc_result_t
+fromwire_dname(ARGS_FROMWIRE) {
+	dns_name_t name;
+
+	REQUIRE(type == dns_rdatatype_dname);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+	dns_name_init(&name, NULL);
+	return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static isc_result_t
+towire_dname(ARGS_TOWIRE) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_dname);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	return (dns_name_towire(&name, cctx, target));
+}
+
+static int
+compare_dname(ARGS_COMPARE) {
+	dns_name_t name1;
+	dns_name_t name2;
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_dname);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static isc_result_t
+fromstruct_dname(ARGS_FROMSTRUCT) {
+	dns_rdata_dname_t *dname = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_dname);
+	REQUIRE(dname != NULL);
+	REQUIRE(dname->common.rdtype == type);
+	REQUIRE(dname->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_name_toregion(&dname->dname, &region);
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static isc_result_t
+tostruct_dname(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_dname_t *dname = target;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_dname);
+	REQUIRE(dname != NULL);
+	REQUIRE(rdata->length != 0);
+
+	dname->common.rdclass = rdata->rdclass;
+	dname->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&dname->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&dname->dname, NULL);
+	RETERR(name_duporclone(&name, mctx, &dname->dname));
+	dname->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_dname(ARGS_FREESTRUCT) {
+	dns_rdata_dname_t *dname = source;
+
+	REQUIRE(dname != NULL);
+	REQUIRE(dname->common.rdtype == dns_rdatatype_dname);
+
+	if (dname->mctx == NULL) {
+		return;
+	}
+
+	dns_name_free(&dname->dname, dname->mctx);
+	dname->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_dname(ARGS_ADDLDATA) {
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	REQUIRE(rdata->type == dns_rdatatype_dname);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_dname(ARGS_DIGEST) {
+	isc_region_t r;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_dname);
+
+	dns_rdata_toregion(rdata, &r);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r);
+
+	return (dns_name_digest(&name, digest, arg));
+}
+
+static bool
+checkowner_dname(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_dname);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_dname(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_dname);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_dname(ARGS_COMPARE) {
+	return (compare_dname(rdata1, rdata2));
+}
+#endif /* RDATA_GENERIC_DNAME_39_C */
diff --git a/lib/dns/rdata/generic/dname_39.h b/lib/dns/rdata/generic/dname_39.h
new file mode 100644
index 0000000..b1cc198
--- /dev/null
+++ b/lib/dns/rdata/generic/dname_39.h
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_DNAME_39_H
+#define GENERIC_DNAME_39_H 1
+
+/*!
+ *  \brief per RFC2672 */
+
+typedef struct dns_rdata_dname {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	dns_name_t dname;
+} dns_rdata_dname_t;
+
+#endif /* GENERIC_DNAME_39_H */
diff --git a/lib/dns/rdata/generic/dnskey_48.c b/lib/dns/rdata/generic/dnskey_48.c
new file mode 100644
index 0000000..c609ff0
--- /dev/null
+++ b/lib/dns/rdata/generic/dnskey_48.c
@@ -0,0 +1,164 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC2535 */
+
+#ifndef RDATA_GENERIC_DNSKEY_48_C
+#define RDATA_GENERIC_DNSKEY_48_C
+
+#include <dst/dst.h>
+
+#define RRTYPE_DNSKEY_ATTRIBUTES (DNS_RDATATYPEATTR_DNSSEC)
+
+static isc_result_t
+fromtext_dnskey(ARGS_FROMTEXT) {
+	REQUIRE(type == dns_rdatatype_dnskey);
+
+	return (generic_fromtext_key(CALL_FROMTEXT));
+}
+
+static isc_result_t
+totext_dnskey(ARGS_TOTEXT) {
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_dnskey);
+
+	return (generic_totext_key(CALL_TOTEXT));
+}
+
+static isc_result_t
+fromwire_dnskey(ARGS_FROMWIRE) {
+	REQUIRE(type == dns_rdatatype_dnskey);
+
+	return (generic_fromwire_key(CALL_FROMWIRE));
+}
+
+static isc_result_t
+towire_dnskey(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_dnskey);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static int
+compare_dnskey(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1 != NULL);
+	REQUIRE(rdata2 != NULL);
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_dnskey);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+fromstruct_dnskey(ARGS_FROMSTRUCT) {
+	REQUIRE(type == dns_rdatatype_dnskey);
+
+	return (generic_fromstruct_key(CALL_FROMSTRUCT));
+}
+
+static isc_result_t
+tostruct_dnskey(ARGS_TOSTRUCT) {
+	dns_rdata_dnskey_t *dnskey = target;
+
+	REQUIRE(dnskey != NULL);
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_dnskey);
+
+	dnskey->common.rdclass = rdata->rdclass;
+	dnskey->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&dnskey->common, link);
+
+	return (generic_tostruct_key(CALL_TOSTRUCT));
+}
+
+static void
+freestruct_dnskey(ARGS_FREESTRUCT) {
+	dns_rdata_dnskey_t *dnskey = (dns_rdata_dnskey_t *)source;
+
+	REQUIRE(dnskey != NULL);
+	REQUIRE(dnskey->common.rdtype == dns_rdatatype_dnskey);
+
+	generic_freestruct_key(source);
+}
+
+static isc_result_t
+additionaldata_dnskey(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_dnskey);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_dnskey(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_dnskey);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_dnskey(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_dnskey);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_dnskey(ARGS_CHECKNAMES) {
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_dnskey);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_dnskey(ARGS_COMPARE) {
+	/*
+	 * Treat ALG 253 (private DNS) subtype name case sensitively.
+	 */
+	return (compare_dnskey(rdata1, rdata2));
+}
+
+#endif /* RDATA_GENERIC_DNSKEY_48_C */
diff --git a/lib/dns/rdata/generic/dnskey_48.h b/lib/dns/rdata/generic/dnskey_48.h
new file mode 100644
index 0000000..385d5e0
--- /dev/null
+++ b/lib/dns/rdata/generic/dnskey_48.h
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_DNSKEY_48_H
+#define GENERIC_DNSKEY_48_H 1
+
+/*!
+ *  \brief per RFC2535
+ */
+
+typedef struct dns_rdata_key dns_rdata_dnskey_t;
+
+#endif /* GENERIC_DNSKEY_48_H */
diff --git a/lib/dns/rdata/generic/doa_259.c b/lib/dns/rdata/generic/doa_259.c
new file mode 100644
index 0000000..e35f2ca
--- /dev/null
+++ b/lib/dns/rdata/generic/doa_259.c
@@ -0,0 +1,361 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_DOA_259_C
+#define RDATA_GENERIC_DOA_259_C
+
+#define RRTYPE_DOA_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_doa(ARGS_FROMTEXT) {
+	isc_token_t token;
+
+	REQUIRE(type == dns_rdatatype_doa);
+
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	/*
+	 * DOA-ENTERPRISE
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	RETERR(uint32_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * DOA-TYPE
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	RETERR(uint32_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * DOA-LOCATION
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint8_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * DOA-MEDIA-TYPE
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
+				      false));
+	RETTOK(txt_fromtext(&token.value.as_textregion, target));
+
+	/*
+	 * DOA-DATA
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	if (strcmp(DNS_AS_STR(token), "-") == 0) {
+		return (ISC_R_SUCCESS);
+	} else {
+		isc_lex_ungettoken(lexer, &token);
+		return (isc_base64_tobuffer(lexer, target, -1));
+	}
+}
+
+static isc_result_t
+totext_doa(ARGS_TOTEXT) {
+	char buf[sizeof("4294967295 ")];
+	isc_region_t region;
+	uint32_t n;
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_doa);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(tctx);
+
+	dns_rdata_toregion(rdata, &region);
+
+	/*
+	 * DOA-ENTERPRISE
+	 */
+	n = uint32_fromregion(&region);
+	isc_region_consume(&region, 4);
+	snprintf(buf, sizeof(buf), "%u ", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * DOA-TYPE
+	 */
+	n = uint32_fromregion(&region);
+	isc_region_consume(&region, 4);
+	snprintf(buf, sizeof(buf), "%u ", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * DOA-LOCATION
+	 */
+	n = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	snprintf(buf, sizeof(buf), "%u ", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * DOA-MEDIA-TYPE
+	 */
+	RETERR(txt_totext(&region, true, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * DOA-DATA
+	 */
+	if (region.length == 0) {
+		return (str_totext("-", target));
+	} else {
+		return (isc_base64_totext(&region, 60, "", target));
+	}
+}
+
+static isc_result_t
+fromwire_doa(ARGS_FROMWIRE) {
+	isc_region_t region;
+
+	UNUSED(rdclass);
+	UNUSED(dctx);
+	UNUSED(options);
+
+	REQUIRE(type == dns_rdatatype_doa);
+
+	isc_buffer_activeregion(source, &region);
+	/*
+	 * DOA-MEDIA-TYPE may be an empty <character-string> (i.e.,
+	 * comprising of just the length octet) and DOA-DATA can have
+	 * zero length.
+	 */
+	if (region.length < 4 + 4 + 1 + 1) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	/*
+	 * Check whether DOA-MEDIA-TYPE length is not malformed.
+	 */
+	if (region.base[9] > region.length - 10) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	isc_buffer_forward(source, region.length);
+	return (mem_tobuffer(target, region.base, region.length));
+}
+
+static isc_result_t
+towire_doa(ARGS_TOWIRE) {
+	isc_region_t region;
+
+	UNUSED(cctx);
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_doa);
+	REQUIRE(rdata->length != 0);
+
+	dns_rdata_toregion(rdata, &region);
+	return (mem_tobuffer(target, region.base, region.length));
+}
+
+static int
+compare_doa(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1 != NULL);
+	REQUIRE(rdata2 != NULL);
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->type == dns_rdatatype_doa);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+fromstruct_doa(ARGS_FROMSTRUCT) {
+	dns_rdata_doa_t *doa = source;
+
+	REQUIRE(type == dns_rdatatype_doa);
+	REQUIRE(doa != NULL);
+	REQUIRE(doa->common.rdtype == dns_rdatatype_doa);
+	REQUIRE(doa->common.rdclass == rdclass);
+
+	RETERR(uint32_tobuffer(doa->enterprise, target));
+	RETERR(uint32_tobuffer(doa->type, target));
+	RETERR(uint8_tobuffer(doa->location, target));
+	RETERR(uint8_tobuffer(doa->mediatype_len, target));
+	RETERR(mem_tobuffer(target, doa->mediatype, doa->mediatype_len));
+	return (mem_tobuffer(target, doa->data, doa->data_len));
+}
+
+static isc_result_t
+tostruct_doa(ARGS_TOSTRUCT) {
+	dns_rdata_doa_t *doa = target;
+	isc_region_t region;
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_doa);
+	REQUIRE(doa != NULL);
+	REQUIRE(rdata->length != 0);
+
+	doa->common.rdclass = rdata->rdclass;
+	doa->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&doa->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+
+	/*
+	 * DOA-ENTERPRISE
+	 */
+	if (region.length < 4) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	doa->enterprise = uint32_fromregion(&region);
+	isc_region_consume(&region, 4);
+
+	/*
+	 * DOA-TYPE
+	 */
+	if (region.length < 4) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	doa->type = uint32_fromregion(&region);
+	isc_region_consume(&region, 4);
+
+	/*
+	 * DOA-LOCATION
+	 */
+	if (region.length < 1) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	doa->location = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+
+	/*
+	 * DOA-MEDIA-TYPE
+	 */
+	if (region.length < 1) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	doa->mediatype_len = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	INSIST(doa->mediatype_len <= region.length);
+	doa->mediatype = mem_maybedup(mctx, region.base, doa->mediatype_len);
+	if (doa->mediatype == NULL) {
+		goto cleanup;
+	}
+	isc_region_consume(&region, doa->mediatype_len);
+
+	/*
+	 * DOA-DATA
+	 */
+	doa->data_len = region.length;
+	doa->data = NULL;
+	if (doa->data_len > 0) {
+		doa->data = mem_maybedup(mctx, region.base, doa->data_len);
+		if (doa->data == NULL) {
+			goto cleanup;
+		}
+		isc_region_consume(&region, doa->data_len);
+	}
+
+	doa->mctx = mctx;
+
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	if (mctx != NULL && doa->mediatype != NULL) {
+		isc_mem_free(mctx, doa->mediatype);
+	}
+	return (ISC_R_NOMEMORY);
+}
+
+static void
+freestruct_doa(ARGS_FREESTRUCT) {
+	dns_rdata_doa_t *doa = source;
+
+	REQUIRE(doa != NULL);
+	REQUIRE(doa->common.rdtype == dns_rdatatype_doa);
+
+	if (doa->mctx == NULL) {
+		return;
+	}
+
+	if (doa->mediatype != NULL) {
+		isc_mem_free(doa->mctx, doa->mediatype);
+	}
+	if (doa->data != NULL) {
+		isc_mem_free(doa->mctx, doa->data);
+	}
+
+	doa->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_doa(ARGS_ADDLDATA) {
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	REQUIRE(rdata->type == dns_rdatatype_doa);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_doa(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_doa);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_doa(ARGS_CHECKOWNER) {
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	REQUIRE(type == dns_rdatatype_doa);
+
+	return (true);
+}
+
+static bool
+checknames_doa(ARGS_CHECKNAMES) {
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	REQUIRE(rdata->type == dns_rdatatype_doa);
+
+	return (true);
+}
+
+static int
+casecompare_doa(ARGS_COMPARE) {
+	return (compare_doa(rdata1, rdata2));
+}
+
+#endif /* RDATA_GENERIC_DOA_259_C */
diff --git a/lib/dns/rdata/generic/doa_259.h b/lib/dns/rdata/generic/doa_259.h
new file mode 100644
index 0000000..92999a1
--- /dev/null
+++ b/lib/dns/rdata/generic/doa_259.h
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_DOA_259_H
+#define GENERIC_DOA_259_H 1
+
+typedef struct dns_rdata_doa {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	unsigned char *mediatype;
+	unsigned char *data;
+	uint32_t enterprise;
+	uint32_t type;
+	uint16_t data_len;
+	uint8_t location;
+	uint8_t mediatype_len;
+} dns_rdata_doa_t;
+
+#endif /* GENERIC_DOA_259_H */
diff --git a/lib/dns/rdata/generic/ds_43.c b/lib/dns/rdata/generic/ds_43.c
new file mode 100644
index 0000000..0b6fa0a
--- /dev/null
+++ b/lib/dns/rdata/generic/ds_43.c
@@ -0,0 +1,385 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC3658 */
+
+#ifndef RDATA_GENERIC_DS_43_C
+#define RDATA_GENERIC_DS_43_C
+
+#define RRTYPE_DS_ATTRIBUTES                                        \
+	(DNS_RDATATYPEATTR_DNSSEC | DNS_RDATATYPEATTR_ZONECUTAUTH | \
+	 DNS_RDATATYPEATTR_ATPARENT)
+
+#include <isc/md.h>
+
+#include <dns/ds.h>
+
+static isc_result_t
+generic_fromtext_ds(ARGS_FROMTEXT) {
+	isc_token_t token;
+	unsigned char c;
+	int length;
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	/*
+	 * Key tag.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Algorithm.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	RETTOK(dns_secalg_fromtext(&c, &token.value.as_textregion));
+	RETERR(mem_tobuffer(target, &c, 1));
+
+	/*
+	 * Digest type.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	RETTOK(dns_dsdigest_fromtext(&c, &token.value.as_textregion));
+	RETERR(mem_tobuffer(target, &c, 1));
+
+	/*
+	 * Digest.
+	 */
+	switch (c) {
+	case DNS_DSDIGEST_SHA1:
+		length = ISC_SHA1_DIGESTLENGTH;
+		break;
+	case DNS_DSDIGEST_SHA256:
+		length = ISC_SHA256_DIGESTLENGTH;
+		break;
+	case DNS_DSDIGEST_SHA384:
+		length = ISC_SHA384_DIGESTLENGTH;
+		break;
+	default:
+		length = -2;
+		break;
+	}
+	return (isc_hex_tobuffer(lexer, target, length));
+}
+
+static isc_result_t
+fromtext_ds(ARGS_FROMTEXT) {
+	REQUIRE(type == dns_rdatatype_ds);
+
+	return (generic_fromtext_ds(CALL_FROMTEXT));
+}
+
+static isc_result_t
+generic_totext_ds(ARGS_TOTEXT) {
+	isc_region_t sr;
+	char buf[sizeof("64000 ")];
+	unsigned int n;
+
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(tctx);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/*
+	 * Key tag.
+	 */
+	n = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	snprintf(buf, sizeof(buf), "%u ", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Algorithm.
+	 */
+	n = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+	snprintf(buf, sizeof(buf), "%u ", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Digest type.
+	 */
+	n = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+	snprintf(buf, sizeof(buf), "%u", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Digest.
+	 */
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+		RETERR(str_totext(" (", target));
+	}
+	RETERR(str_totext(tctx->linebreak, target));
+	if ((tctx->flags & DNS_STYLEFLAG_NOCRYPTO) == 0) {
+		if (tctx->width == 0) { /* No splitting */
+			RETERR(isc_hex_totext(&sr, 0, "", target));
+		} else {
+			RETERR(isc_hex_totext(&sr, tctx->width - 2,
+					      tctx->linebreak, target));
+		}
+	} else {
+		RETERR(str_totext("[omitted]", target));
+	}
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+		RETERR(str_totext(" )", target));
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+totext_ds(ARGS_TOTEXT) {
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_ds);
+
+	return (generic_totext_ds(CALL_TOTEXT));
+}
+
+static isc_result_t
+generic_fromwire_ds(ARGS_FROMWIRE) {
+	isc_region_t sr;
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+	UNUSED(options);
+
+	isc_buffer_activeregion(source, &sr);
+
+	/*
+	 * Check digest lengths if we know them.
+	 */
+	if (sr.length < 5 ||
+	    (sr.base[3] == DNS_DSDIGEST_SHA1 &&
+	     sr.length < 4 + ISC_SHA1_DIGESTLENGTH) ||
+	    (sr.base[3] == DNS_DSDIGEST_SHA256 &&
+	     sr.length < 4 + ISC_SHA256_DIGESTLENGTH) ||
+	    (sr.base[3] == DNS_DSDIGEST_SHA384 &&
+	     sr.length < 4 + ISC_SHA384_DIGESTLENGTH))
+	{
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	/*
+	 * Only copy digest lengths if we know them.
+	 * If there is extra data dns_rdata_fromwire() will
+	 * detect that.
+	 */
+	if (sr.base[3] == DNS_DSDIGEST_SHA1) {
+		sr.length = 4 + ISC_SHA1_DIGESTLENGTH;
+	} else if (sr.base[3] == DNS_DSDIGEST_SHA256) {
+		sr.length = 4 + ISC_SHA256_DIGESTLENGTH;
+	} else if (sr.base[3] == DNS_DSDIGEST_SHA384) {
+		sr.length = 4 + ISC_SHA384_DIGESTLENGTH;
+	}
+
+	isc_buffer_forward(source, sr.length);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static isc_result_t
+fromwire_ds(ARGS_FROMWIRE) {
+	REQUIRE(type == dns_rdatatype_ds);
+
+	return (generic_fromwire_ds(CALL_FROMWIRE));
+}
+
+static isc_result_t
+towire_ds(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_ds);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static int
+compare_ds(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_ds);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+generic_fromstruct_ds(ARGS_FROMSTRUCT) {
+	dns_rdata_ds_t *ds = source;
+
+	REQUIRE(ds != NULL);
+	REQUIRE(ds->common.rdtype == type);
+	REQUIRE(ds->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	switch (ds->digest_type) {
+	case DNS_DSDIGEST_SHA1:
+		REQUIRE(ds->length == ISC_SHA1_DIGESTLENGTH);
+		break;
+	case DNS_DSDIGEST_SHA256:
+		REQUIRE(ds->length == ISC_SHA256_DIGESTLENGTH);
+		break;
+	case DNS_DSDIGEST_SHA384:
+		REQUIRE(ds->length == ISC_SHA384_DIGESTLENGTH);
+		break;
+	}
+
+	RETERR(uint16_tobuffer(ds->key_tag, target));
+	RETERR(uint8_tobuffer(ds->algorithm, target));
+	RETERR(uint8_tobuffer(ds->digest_type, target));
+
+	return (mem_tobuffer(target, ds->digest, ds->length));
+}
+
+static isc_result_t
+fromstruct_ds(ARGS_FROMSTRUCT) {
+	REQUIRE(type == dns_rdatatype_ds);
+
+	return (generic_fromstruct_ds(CALL_FROMSTRUCT));
+}
+
+static isc_result_t
+generic_tostruct_ds(ARGS_TOSTRUCT) {
+	dns_rdata_ds_t *ds = target;
+	isc_region_t region;
+
+	REQUIRE(ds != NULL);
+	REQUIRE(rdata->length != 0);
+	REQUIRE(ds->common.rdtype == rdata->type);
+	REQUIRE(ds->common.rdclass == rdata->rdclass);
+	REQUIRE(!ISC_LINK_LINKED(&ds->common, link));
+
+	dns_rdata_toregion(rdata, &region);
+
+	ds->key_tag = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	ds->algorithm = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	ds->digest_type = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	ds->length = region.length;
+
+	ds->digest = mem_maybedup(mctx, region.base, region.length);
+	if (ds->digest == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	ds->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+tostruct_ds(ARGS_TOSTRUCT) {
+	dns_rdata_ds_t *ds = target;
+
+	REQUIRE(rdata->type == dns_rdatatype_ds);
+	REQUIRE(ds != NULL);
+
+	ds->common.rdclass = rdata->rdclass;
+	ds->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&ds->common, link);
+
+	return (generic_tostruct_ds(CALL_TOSTRUCT));
+}
+
+static void
+freestruct_ds(ARGS_FREESTRUCT) {
+	dns_rdata_ds_t *ds = source;
+
+	REQUIRE(ds != NULL);
+	REQUIRE(ds->common.rdtype == dns_rdatatype_ds);
+
+	if (ds->mctx == NULL) {
+		return;
+	}
+
+	if (ds->digest != NULL) {
+		isc_mem_free(ds->mctx, ds->digest);
+	}
+	ds->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_ds(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_ds);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_ds(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_ds);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_ds(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_ds);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_ds(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_ds);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_ds(ARGS_COMPARE) {
+	return (compare_ds(rdata1, rdata2));
+}
+
+#endif /* RDATA_GENERIC_DS_43_C */
diff --git a/lib/dns/rdata/generic/ds_43.h b/lib/dns/rdata/generic/ds_43.h
new file mode 100644
index 0000000..26ef13e
--- /dev/null
+++ b/lib/dns/rdata/generic/ds_43.h
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_DS_43_H
+#define GENERIC_DS_43_H 1
+
+/*!
+ *  \brief per draft-ietf-dnsext-delegation-signer-05.txt */
+typedef struct dns_rdata_ds {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	uint16_t key_tag;
+	dns_secalg_t algorithm;
+	dns_dsdigest_t digest_type;
+	uint16_t length;
+	unsigned char *digest;
+} dns_rdata_ds_t;
+
+#endif /* GENERIC_DS_43_H */
diff --git a/lib/dns/rdata/generic/eui48_108.c b/lib/dns/rdata/generic/eui48_108.c
new file mode 100644
index 0000000..7926708
--- /dev/null
+++ b/lib/dns/rdata/generic/eui48_108.c
@@ -0,0 +1,211 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_EUI48_108_C
+#define RDATA_GENERIC_EUI48_108_C
+
+#include <string.h>
+
+#define RRTYPE_EUI48_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_eui48(ARGS_FROMTEXT) {
+	isc_token_t token;
+	unsigned char eui48[6];
+	unsigned int l0, l1, l2, l3, l4, l5;
+	int n;
+
+	REQUIRE(type == dns_rdatatype_eui48);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	n = sscanf(DNS_AS_STR(token), "%2x-%2x-%2x-%2x-%2x-%2x", &l0, &l1, &l2,
+		   &l3, &l4, &l5);
+	if (n != 6 || l0 > 255U || l1 > 255U || l2 > 255U || l3 > 255U ||
+	    l4 > 255U || l5 > 255U)
+	{
+		return (DNS_R_BADEUI);
+	}
+
+	eui48[0] = l0;
+	eui48[1] = l1;
+	eui48[2] = l2;
+	eui48[3] = l3;
+	eui48[4] = l4;
+	eui48[5] = l5;
+	return (mem_tobuffer(target, eui48, sizeof(eui48)));
+}
+
+static isc_result_t
+totext_eui48(ARGS_TOTEXT) {
+	char buf[sizeof("xx-xx-xx-xx-xx-xx")];
+
+	REQUIRE(rdata->type == dns_rdatatype_eui48);
+	REQUIRE(rdata->length == 6);
+
+	UNUSED(tctx);
+
+	(void)snprintf(buf, sizeof(buf), "%02x-%02x-%02x-%02x-%02x-%02x",
+		       rdata->data[0], rdata->data[1], rdata->data[2],
+		       rdata->data[3], rdata->data[4], rdata->data[5]);
+	return (str_totext(buf, target));
+}
+
+static isc_result_t
+fromwire_eui48(ARGS_FROMWIRE) {
+	isc_region_t sregion;
+
+	REQUIRE(type == dns_rdatatype_eui48);
+
+	UNUSED(type);
+	UNUSED(options);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+
+	isc_buffer_activeregion(source, &sregion);
+	if (sregion.length != 6) {
+		return (DNS_R_FORMERR);
+	}
+	isc_buffer_forward(source, sregion.length);
+	return (mem_tobuffer(target, sregion.base, sregion.length));
+}
+
+static isc_result_t
+towire_eui48(ARGS_TOWIRE) {
+	REQUIRE(rdata->type == dns_rdatatype_eui48);
+	REQUIRE(rdata->length == 6);
+
+	UNUSED(cctx);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static int
+compare_eui48(ARGS_COMPARE) {
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_eui48);
+	REQUIRE(rdata1->length == 6);
+	REQUIRE(rdata2->length == 6);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+	return (isc_region_compare(&region1, &region2));
+}
+
+static isc_result_t
+fromstruct_eui48(ARGS_FROMSTRUCT) {
+	dns_rdata_eui48_t *eui48 = source;
+
+	REQUIRE(type == dns_rdatatype_eui48);
+	REQUIRE(eui48 != NULL);
+	REQUIRE(eui48->common.rdtype == type);
+	REQUIRE(eui48->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	return (mem_tobuffer(target, eui48->eui48, sizeof(eui48->eui48)));
+}
+
+static isc_result_t
+tostruct_eui48(ARGS_TOSTRUCT) {
+	dns_rdata_eui48_t *eui48 = target;
+
+	REQUIRE(rdata->type == dns_rdatatype_eui48);
+	REQUIRE(eui48 != NULL);
+	REQUIRE(rdata->length == 6);
+
+	UNUSED(mctx);
+
+	eui48->common.rdclass = rdata->rdclass;
+	eui48->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&eui48->common, link);
+
+	memmove(eui48->eui48, rdata->data, rdata->length);
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_eui48(ARGS_FREESTRUCT) {
+	dns_rdata_eui48_t *eui48 = source;
+
+	REQUIRE(eui48 != NULL);
+	REQUIRE(eui48->common.rdtype == dns_rdatatype_eui48);
+
+	return;
+}
+
+static isc_result_t
+additionaldata_eui48(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_eui48);
+	REQUIRE(rdata->length == 6);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_eui48(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_eui48);
+	REQUIRE(rdata->length == 6);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_eui48(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_eui48);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_eui48(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_eui48);
+	REQUIRE(rdata->length == 6);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_eui48(ARGS_COMPARE) {
+	return (compare_eui48(rdata1, rdata2));
+}
+
+#endif /* RDATA_GENERIC_EUI48_108_C */
diff --git a/lib/dns/rdata/generic/eui48_108.h b/lib/dns/rdata/generic/eui48_108.h
new file mode 100644
index 0000000..2ce2706
--- /dev/null
+++ b/lib/dns/rdata/generic/eui48_108.h
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef GENERIC_EUI48_108_H
+#define GENERIC_EUI48_108_H 1
+
+typedef struct dns_rdata_eui48 {
+	dns_rdatacommon_t common;
+	unsigned char eui48[6];
+} dns_rdata_eui48_t;
+
+#endif /* GENERIC_EUI48_10k_H */
diff --git a/lib/dns/rdata/generic/eui64_109.c b/lib/dns/rdata/generic/eui64_109.c
new file mode 100644
index 0000000..5cb788a
--- /dev/null
+++ b/lib/dns/rdata/generic/eui64_109.c
@@ -0,0 +1,214 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_EUI64_109_C
+#define RDATA_GENERIC_EUI64_109_C
+
+#include <string.h>
+
+#define RRTYPE_EUI64_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_eui64(ARGS_FROMTEXT) {
+	isc_token_t token;
+	unsigned char eui64[8];
+	unsigned int l0, l1, l2, l3, l4, l5, l6, l7;
+	int n;
+
+	REQUIRE(type == dns_rdatatype_eui64);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	n = sscanf(DNS_AS_STR(token), "%2x-%2x-%2x-%2x-%2x-%2x-%2x-%2x", &l0,
+		   &l1, &l2, &l3, &l4, &l5, &l6, &l7);
+	if (n != 8 || l0 > 255U || l1 > 255U || l2 > 255U || l3 > 255U ||
+	    l4 > 255U || l5 > 255U || l6 > 255U || l7 > 255U)
+	{
+		return (DNS_R_BADEUI);
+	}
+
+	eui64[0] = l0;
+	eui64[1] = l1;
+	eui64[2] = l2;
+	eui64[3] = l3;
+	eui64[4] = l4;
+	eui64[5] = l5;
+	eui64[6] = l6;
+	eui64[7] = l7;
+	return (mem_tobuffer(target, eui64, sizeof(eui64)));
+}
+
+static isc_result_t
+totext_eui64(ARGS_TOTEXT) {
+	char buf[sizeof("xx-xx-xx-xx-xx-xx-xx-xx")];
+
+	REQUIRE(rdata->type == dns_rdatatype_eui64);
+	REQUIRE(rdata->length == 8);
+
+	UNUSED(tctx);
+
+	(void)snprintf(
+		buf, sizeof(buf), "%02x-%02x-%02x-%02x-%02x-%02x-%02x-%02x",
+		rdata->data[0], rdata->data[1], rdata->data[2], rdata->data[3],
+		rdata->data[4], rdata->data[5], rdata->data[6], rdata->data[7]);
+	return (str_totext(buf, target));
+}
+
+static isc_result_t
+fromwire_eui64(ARGS_FROMWIRE) {
+	isc_region_t sregion;
+
+	REQUIRE(type == dns_rdatatype_eui64);
+
+	UNUSED(type);
+	UNUSED(options);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+
+	isc_buffer_activeregion(source, &sregion);
+	if (sregion.length != 8) {
+		return (DNS_R_FORMERR);
+	}
+	isc_buffer_forward(source, sregion.length);
+	return (mem_tobuffer(target, sregion.base, sregion.length));
+}
+
+static isc_result_t
+towire_eui64(ARGS_TOWIRE) {
+	REQUIRE(rdata->type == dns_rdatatype_eui64);
+	REQUIRE(rdata->length == 8);
+
+	UNUSED(cctx);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static int
+compare_eui64(ARGS_COMPARE) {
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_eui64);
+	REQUIRE(rdata1->length == 8);
+	REQUIRE(rdata2->length == 8);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+	return (isc_region_compare(&region1, &region2));
+}
+
+static isc_result_t
+fromstruct_eui64(ARGS_FROMSTRUCT) {
+	dns_rdata_eui64_t *eui64 = source;
+
+	REQUIRE(type == dns_rdatatype_eui64);
+	REQUIRE(eui64 != NULL);
+	REQUIRE(eui64->common.rdtype == type);
+	REQUIRE(eui64->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	return (mem_tobuffer(target, eui64->eui64, sizeof(eui64->eui64)));
+}
+
+static isc_result_t
+tostruct_eui64(ARGS_TOSTRUCT) {
+	dns_rdata_eui64_t *eui64 = target;
+
+	REQUIRE(rdata->type == dns_rdatatype_eui64);
+	REQUIRE(eui64 != NULL);
+	REQUIRE(rdata->length == 8);
+
+	UNUSED(mctx);
+
+	eui64->common.rdclass = rdata->rdclass;
+	eui64->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&eui64->common, link);
+
+	memmove(eui64->eui64, rdata->data, rdata->length);
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_eui64(ARGS_FREESTRUCT) {
+	dns_rdata_eui64_t *eui64 = source;
+
+	REQUIRE(eui64 != NULL);
+	REQUIRE(eui64->common.rdtype == dns_rdatatype_eui64);
+
+	return;
+}
+
+static isc_result_t
+additionaldata_eui64(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_eui64);
+	REQUIRE(rdata->length == 8);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_eui64(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_eui64);
+	REQUIRE(rdata->length == 8);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_eui64(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_eui64);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_eui64(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_eui64);
+	REQUIRE(rdata->length == 8);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_eui64(ARGS_COMPARE) {
+	return (compare_eui64(rdata1, rdata2));
+}
+
+#endif /* RDATA_GENERIC_EUI64_109_C */
diff --git a/lib/dns/rdata/generic/eui64_109.h b/lib/dns/rdata/generic/eui64_109.h
new file mode 100644
index 0000000..0783197
--- /dev/null
+++ b/lib/dns/rdata/generic/eui64_109.h
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef GENERIC_EUI64_109_H
+#define GENERIC_EUI64_109_H 1
+
+typedef struct dns_rdata_eui64 {
+	dns_rdatacommon_t common;
+	unsigned char eui64[8];
+} dns_rdata_eui64_t;
+
+#endif /* GENERIC_EUI64_10k_H */
diff --git a/lib/dns/rdata/generic/gpos_27.c b/lib/dns/rdata/generic/gpos_27.c
new file mode 100644
index 0000000..9d02779
--- /dev/null
+++ b/lib/dns/rdata/generic/gpos_27.c
@@ -0,0 +1,256 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC1712 */
+
+#ifndef RDATA_GENERIC_GPOS_27_C
+#define RDATA_GENERIC_GPOS_27_C
+
+#define RRTYPE_GPOS_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_gpos(ARGS_FROMTEXT) {
+	isc_token_t token;
+	int i;
+
+	REQUIRE(type == dns_rdatatype_gpos);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	for (i = 0; i < 3; i++) {
+		RETERR(isc_lex_getmastertoken(lexer, &token,
+					      isc_tokentype_qstring, false));
+		RETTOK(txt_fromtext(&token.value.as_textregion, target));
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+totext_gpos(ARGS_TOTEXT) {
+	isc_region_t region;
+	int i;
+
+	REQUIRE(rdata->type == dns_rdatatype_gpos);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(tctx);
+
+	dns_rdata_toregion(rdata, &region);
+
+	for (i = 0; i < 3; i++) {
+		RETERR(txt_totext(&region, true, target));
+		if (i != 2) {
+			RETERR(str_totext(" ", target));
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+fromwire_gpos(ARGS_FROMWIRE) {
+	int i;
+
+	REQUIRE(type == dns_rdatatype_gpos);
+
+	UNUSED(type);
+	UNUSED(dctx);
+	UNUSED(rdclass);
+	UNUSED(options);
+
+	for (i = 0; i < 3; i++) {
+		RETERR(txt_fromwire(source, target));
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+towire_gpos(ARGS_TOWIRE) {
+	REQUIRE(rdata->type == dns_rdatatype_gpos);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static int
+compare_gpos(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_gpos);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+fromstruct_gpos(ARGS_FROMSTRUCT) {
+	dns_rdata_gpos_t *gpos = source;
+
+	REQUIRE(type == dns_rdatatype_gpos);
+	REQUIRE(gpos != NULL);
+	REQUIRE(gpos->common.rdtype == type);
+	REQUIRE(gpos->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint8_tobuffer(gpos->long_len, target));
+	RETERR(mem_tobuffer(target, gpos->longitude, gpos->long_len));
+	RETERR(uint8_tobuffer(gpos->lat_len, target));
+	RETERR(mem_tobuffer(target, gpos->latitude, gpos->lat_len));
+	RETERR(uint8_tobuffer(gpos->alt_len, target));
+	return (mem_tobuffer(target, gpos->altitude, gpos->alt_len));
+}
+
+static isc_result_t
+tostruct_gpos(ARGS_TOSTRUCT) {
+	dns_rdata_gpos_t *gpos = target;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_gpos);
+	REQUIRE(gpos != NULL);
+	REQUIRE(rdata->length != 0);
+
+	gpos->common.rdclass = rdata->rdclass;
+	gpos->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&gpos->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+	gpos->long_len = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	gpos->longitude = mem_maybedup(mctx, region.base, gpos->long_len);
+	if (gpos->longitude == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+	isc_region_consume(&region, gpos->long_len);
+
+	gpos->lat_len = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	gpos->latitude = mem_maybedup(mctx, region.base, gpos->lat_len);
+	if (gpos->latitude == NULL) {
+		goto cleanup_longitude;
+	}
+	isc_region_consume(&region, gpos->lat_len);
+
+	gpos->alt_len = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	if (gpos->lat_len > 0) {
+		gpos->altitude = mem_maybedup(mctx, region.base, gpos->alt_len);
+		if (gpos->altitude == NULL) {
+			goto cleanup_latitude;
+		}
+	} else {
+		gpos->altitude = NULL;
+	}
+
+	gpos->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+cleanup_latitude:
+	if (mctx != NULL && gpos->longitude != NULL) {
+		isc_mem_free(mctx, gpos->longitude);
+	}
+
+cleanup_longitude:
+	if (mctx != NULL && gpos->latitude != NULL) {
+		isc_mem_free(mctx, gpos->latitude);
+	}
+	return (ISC_R_NOMEMORY);
+}
+
+static void
+freestruct_gpos(ARGS_FREESTRUCT) {
+	dns_rdata_gpos_t *gpos = source;
+
+	REQUIRE(gpos != NULL);
+	REQUIRE(gpos->common.rdtype == dns_rdatatype_gpos);
+
+	if (gpos->mctx == NULL) {
+		return;
+	}
+
+	if (gpos->longitude != NULL) {
+		isc_mem_free(gpos->mctx, gpos->longitude);
+	}
+	if (gpos->latitude != NULL) {
+		isc_mem_free(gpos->mctx, gpos->latitude);
+	}
+	if (gpos->altitude != NULL) {
+		isc_mem_free(gpos->mctx, gpos->altitude);
+	}
+	gpos->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_gpos(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_gpos);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_gpos(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_gpos);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_gpos(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_gpos);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_gpos(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_gpos);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_gpos(ARGS_COMPARE) {
+	return (compare_gpos(rdata1, rdata2));
+}
+
+#endif /* RDATA_GENERIC_GPOS_27_C */
diff --git a/lib/dns/rdata/generic/gpos_27.h b/lib/dns/rdata/generic/gpos_27.h
new file mode 100644
index 0000000..08b6b84
--- /dev/null
+++ b/lib/dns/rdata/generic/gpos_27.h
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_GPOS_27_H
+#define GENERIC_GPOS_27_H 1
+
+/*!
+ *  \brief per RFC1712 */
+
+typedef struct dns_rdata_gpos {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	char *longitude;
+	char *latitude;
+	char *altitude;
+	uint8_t long_len;
+	uint8_t lat_len;
+	uint8_t alt_len;
+} dns_rdata_gpos_t;
+
+#endif /* GENERIC_GPOS_27_H */
diff --git a/lib/dns/rdata/generic/hinfo_13.c b/lib/dns/rdata/generic/hinfo_13.c
new file mode 100644
index 0000000..d483839
--- /dev/null
+++ b/lib/dns/rdata/generic/hinfo_13.c
@@ -0,0 +1,219 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_HINFO_13_C
+#define RDATA_GENERIC_HINFO_13_C
+
+#define RRTYPE_HINFO_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_hinfo(ARGS_FROMTEXT) {
+	isc_token_t token;
+	int i;
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	REQUIRE(type == dns_rdatatype_hinfo);
+
+	for (i = 0; i < 2; i++) {
+		RETERR(isc_lex_getmastertoken(lexer, &token,
+					      isc_tokentype_qstring, false));
+		RETTOK(txt_fromtext(&token.value.as_textregion, target));
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+totext_hinfo(ARGS_TOTEXT) {
+	isc_region_t region;
+
+	UNUSED(tctx);
+
+	REQUIRE(rdata->type == dns_rdatatype_hinfo);
+	REQUIRE(rdata->length != 0);
+
+	dns_rdata_toregion(rdata, &region);
+	RETERR(txt_totext(&region, true, target));
+	RETERR(str_totext(" ", target));
+	return (txt_totext(&region, true, target));
+}
+
+static isc_result_t
+fromwire_hinfo(ARGS_FROMWIRE) {
+	REQUIRE(type == dns_rdatatype_hinfo);
+
+	UNUSED(type);
+	UNUSED(dctx);
+	UNUSED(rdclass);
+	UNUSED(options);
+
+	RETERR(txt_fromwire(source, target));
+	return (txt_fromwire(source, target));
+}
+
+static isc_result_t
+towire_hinfo(ARGS_TOWIRE) {
+	UNUSED(cctx);
+
+	REQUIRE(rdata->type == dns_rdatatype_hinfo);
+	REQUIRE(rdata->length != 0);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static int
+compare_hinfo(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_hinfo);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+fromstruct_hinfo(ARGS_FROMSTRUCT) {
+	dns_rdata_hinfo_t *hinfo = source;
+
+	REQUIRE(type == dns_rdatatype_hinfo);
+	REQUIRE(hinfo != NULL);
+	REQUIRE(hinfo->common.rdtype == type);
+	REQUIRE(hinfo->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint8_tobuffer(hinfo->cpu_len, target));
+	RETERR(mem_tobuffer(target, hinfo->cpu, hinfo->cpu_len));
+	RETERR(uint8_tobuffer(hinfo->os_len, target));
+	return (mem_tobuffer(target, hinfo->os, hinfo->os_len));
+}
+
+static isc_result_t
+tostruct_hinfo(ARGS_TOSTRUCT) {
+	dns_rdata_hinfo_t *hinfo = target;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_hinfo);
+	REQUIRE(hinfo != NULL);
+	REQUIRE(rdata->length != 0);
+
+	hinfo->common.rdclass = rdata->rdclass;
+	hinfo->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&hinfo->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+	hinfo->cpu_len = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	hinfo->cpu = mem_maybedup(mctx, region.base, hinfo->cpu_len);
+	if (hinfo->cpu == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+	isc_region_consume(&region, hinfo->cpu_len);
+
+	hinfo->os_len = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	hinfo->os = mem_maybedup(mctx, region.base, hinfo->os_len);
+	if (hinfo->os == NULL) {
+		goto cleanup;
+	}
+
+	hinfo->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	if (mctx != NULL && hinfo->cpu != NULL) {
+		isc_mem_free(mctx, hinfo->cpu);
+	}
+	return (ISC_R_NOMEMORY);
+}
+
+static void
+freestruct_hinfo(ARGS_FREESTRUCT) {
+	dns_rdata_hinfo_t *hinfo = source;
+
+	REQUIRE(hinfo != NULL);
+
+	if (hinfo->mctx == NULL) {
+		return;
+	}
+
+	if (hinfo->cpu != NULL) {
+		isc_mem_free(hinfo->mctx, hinfo->cpu);
+	}
+	if (hinfo->os != NULL) {
+		isc_mem_free(hinfo->mctx, hinfo->os);
+	}
+	hinfo->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_hinfo(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_hinfo);
+
+	UNUSED(add);
+	UNUSED(arg);
+	UNUSED(rdata);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_hinfo(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_hinfo);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_hinfo(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_hinfo);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_hinfo(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_hinfo);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_hinfo(ARGS_COMPARE) {
+	return (compare_hinfo(rdata1, rdata2));
+}
+#endif /* RDATA_GENERIC_HINFO_13_C */
diff --git a/lib/dns/rdata/generic/hinfo_13.h b/lib/dns/rdata/generic/hinfo_13.h
new file mode 100644
index 0000000..294b4bf
--- /dev/null
+++ b/lib/dns/rdata/generic/hinfo_13.h
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_HINFO_13_H
+#define GENERIC_HINFO_13_H 1
+
+typedef struct dns_rdata_hinfo {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	char *cpu;
+	char *os;
+	uint8_t cpu_len;
+	uint8_t os_len;
+} dns_rdata_hinfo_t;
+
+#endif /* GENERIC_HINFO_13_H */
diff --git a/lib/dns/rdata/generic/hip_55.c b/lib/dns/rdata/generic/hip_55.c
new file mode 100644
index 0000000..5c9041a
--- /dev/null
+++ b/lib/dns/rdata/generic/hip_55.c
@@ -0,0 +1,525 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC 5205 */
+
+#ifndef RDATA_GENERIC_HIP_5_C
+#define RDATA_GENERIC_HIP_5_C
+
+#define RRTYPE_HIP_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_hip(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+	isc_buffer_t hit_len;
+	isc_buffer_t key_len;
+	unsigned char *start;
+	size_t len;
+
+	REQUIRE(type == dns_rdatatype_hip);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	/*
+	 * Dummy HIT len.
+	 */
+	hit_len = *target;
+	RETERR(uint8_tobuffer(0, target));
+
+	/*
+	 * Algorithm.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint8_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Dummy KEY len.
+	 */
+	key_len = *target;
+	RETERR(uint16_tobuffer(0, target));
+
+	/*
+	 * HIT (base16).
+	 */
+	start = isc_buffer_used(target);
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	RETTOK(isc_hex_decodestring(DNS_AS_STR(token), target));
+
+	/*
+	 * Fill in HIT len.
+	 */
+	len = (unsigned char *)isc_buffer_used(target) - start;
+	if (len > 0xffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint8_tobuffer((uint32_t)len, &hit_len));
+
+	/*
+	 * Public key (base64).
+	 */
+	start = isc_buffer_used(target);
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	RETTOK(isc_base64_decodestring(DNS_AS_STR(token), target));
+
+	/*
+	 * Fill in KEY len.
+	 */
+	len = (unsigned char *)isc_buffer_used(target) - start;
+	if (len > 0xffffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint16_tobuffer((uint32_t)len, &key_len));
+
+	if (origin == NULL) {
+		origin = dns_rootname;
+	}
+
+	/*
+	 * Rendezvous Servers.
+	 */
+	dns_name_init(&name, NULL);
+	do {
+		RETERR(isc_lex_getmastertoken(lexer, &token,
+					      isc_tokentype_string, true));
+		if (token.type != isc_tokentype_string) {
+			break;
+		}
+		buffer_fromregion(&buffer, &token.value.as_region);
+		RETTOK(dns_name_fromtext(&name, &buffer, origin, options,
+					 target));
+	} while (1);
+
+	/*
+	 * Let upper layer handle eol/eof.
+	 */
+	isc_lex_ungettoken(lexer, &token);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+totext_hip(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	unsigned int length, key_len, hit_len;
+	unsigned char algorithm;
+	char buf[sizeof("225 ")];
+
+	REQUIRE(rdata->type == dns_rdatatype_hip);
+	REQUIRE(rdata->length != 0);
+
+	dns_rdata_toregion(rdata, &region);
+
+	hit_len = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+
+	algorithm = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+
+	key_len = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+		RETERR(str_totext("( ", target));
+	}
+
+	/*
+	 * Algorithm
+	 */
+	snprintf(buf, sizeof(buf), "%u ", algorithm);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * HIT.
+	 */
+	INSIST(hit_len < region.length);
+	length = region.length;
+	region.length = hit_len;
+	RETERR(isc_hex_totext(&region, 1, "", target));
+	region.length = length - hit_len;
+	RETERR(str_totext(tctx->linebreak, target));
+
+	/*
+	 * Public KEY.
+	 */
+	INSIST(key_len <= region.length);
+	length = region.length;
+	region.length = key_len;
+	RETERR(isc_base64_totext(&region, 1, "", target));
+	region.length = length - key_len;
+	if (region.length > 0) {
+		RETERR(str_totext(tctx->linebreak, target));
+	}
+
+	/*
+	 * Rendezvous Servers.
+	 */
+	dns_name_init(&name, NULL);
+	while (region.length > 0) {
+		dns_name_fromregion(&name, &region);
+
+		RETERR(dns_name_totext(&name, false, target));
+		isc_region_consume(&region, name.length);
+		if (region.length > 0) {
+			RETERR(str_totext(tctx->linebreak, target));
+		}
+	}
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+		RETERR(str_totext(" )", target));
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+fromwire_hip(ARGS_FROMWIRE) {
+	isc_region_t region, rr;
+	dns_name_t name;
+	uint8_t hit_len;
+	uint16_t key_len;
+	size_t len;
+
+	REQUIRE(type == dns_rdatatype_hip);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	isc_buffer_activeregion(source, &region);
+	if (region.length < 4U) {
+		RETERR(DNS_R_FORMERR);
+	}
+
+	rr = region;
+	hit_len = uint8_fromregion(&region);
+	if (hit_len == 0) {
+		RETERR(DNS_R_FORMERR);
+	}
+	isc_region_consume(&region, 2); /* hit length + algorithm */
+	key_len = uint16_fromregion(&region);
+	if (key_len == 0) {
+		RETERR(DNS_R_FORMERR);
+	}
+	isc_region_consume(&region, 2);
+	len = hit_len + key_len;
+	if (len > region.length) {
+		RETERR(DNS_R_FORMERR);
+	}
+
+	RETERR(mem_tobuffer(target, rr.base, 4 + len));
+	isc_buffer_forward(source, 4 + len);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+	while (isc_buffer_activelength(source) > 0) {
+		dns_name_init(&name, NULL);
+		RETERR(dns_name_fromwire(&name, source, dctx, options, target));
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+towire_hip(ARGS_TOWIRE) {
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_hip);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &region);
+	return (mem_tobuffer(target, region.base, region.length));
+}
+
+static int
+compare_hip(ARGS_COMPARE) {
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_hip);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+	return (isc_region_compare(&region1, &region2));
+}
+
+static isc_result_t
+fromstruct_hip(ARGS_FROMSTRUCT) {
+	dns_rdata_hip_t *hip = source;
+	dns_rdata_hip_t myhip;
+	isc_result_t result;
+
+	REQUIRE(type == dns_rdatatype_hip);
+	REQUIRE(hip != NULL);
+	REQUIRE(hip->common.rdtype == type);
+	REQUIRE(hip->common.rdclass == rdclass);
+	REQUIRE(hip->hit_len > 0 && hip->hit != NULL);
+	REQUIRE(hip->key_len > 0 && hip->key != NULL);
+	REQUIRE((hip->servers == NULL && hip->servers_len == 0) ||
+		(hip->servers != NULL && hip->servers_len != 0));
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint8_tobuffer(hip->hit_len, target));
+	RETERR(uint8_tobuffer(hip->algorithm, target));
+	RETERR(uint16_tobuffer(hip->key_len, target));
+	RETERR(mem_tobuffer(target, hip->hit, hip->hit_len));
+	RETERR(mem_tobuffer(target, hip->key, hip->key_len));
+
+	myhip = *hip;
+	for (result = dns_rdata_hip_first(&myhip); result == ISC_R_SUCCESS;
+	     result = dns_rdata_hip_next(&myhip))
+	{
+		/* initialize the names */
+	}
+
+	return (mem_tobuffer(target, hip->servers, hip->servers_len));
+}
+
+static isc_result_t
+tostruct_hip(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_hip_t *hip = target;
+
+	REQUIRE(rdata->type == dns_rdatatype_hip);
+	REQUIRE(hip != NULL);
+	REQUIRE(rdata->length != 0);
+
+	hip->common.rdclass = rdata->rdclass;
+	hip->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&hip->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+
+	hip->hit_len = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+
+	hip->algorithm = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+
+	hip->key_len = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+
+	hip->hit = hip->key = hip->servers = NULL;
+
+	hip->hit = mem_maybedup(mctx, region.base, hip->hit_len);
+	if (hip->hit == NULL) {
+		goto cleanup;
+	}
+	isc_region_consume(&region, hip->hit_len);
+
+	INSIST(hip->key_len <= region.length);
+
+	hip->key = mem_maybedup(mctx, region.base, hip->key_len);
+	if (hip->key == NULL) {
+		goto cleanup;
+	}
+	isc_region_consume(&region, hip->key_len);
+
+	hip->servers_len = region.length;
+	if (hip->servers_len != 0) {
+		hip->servers = mem_maybedup(mctx, region.base, region.length);
+		if (hip->servers == NULL) {
+			goto cleanup;
+		}
+	}
+
+	hip->offset = hip->servers_len;
+	hip->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	if (hip->hit != NULL) {
+		isc_mem_free(mctx, hip->hit);
+	}
+	if (hip->key != NULL) {
+		isc_mem_free(mctx, hip->key);
+	}
+	if (hip->servers != NULL) {
+		isc_mem_free(mctx, hip->servers);
+	}
+	return (ISC_R_NOMEMORY);
+}
+
+static void
+freestruct_hip(ARGS_FREESTRUCT) {
+	dns_rdata_hip_t *hip = source;
+
+	REQUIRE(hip != NULL);
+
+	if (hip->mctx == NULL) {
+		return;
+	}
+
+	isc_mem_free(hip->mctx, hip->hit);
+	isc_mem_free(hip->mctx, hip->key);
+	if (hip->servers != NULL) {
+		isc_mem_free(hip->mctx, hip->servers);
+	}
+	hip->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_hip(ARGS_ADDLDATA) {
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	REQUIRE(rdata->type == dns_rdatatype_hip);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_hip(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_hip);
+
+	dns_rdata_toregion(rdata, &r);
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_hip(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_hip);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_hip(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_hip);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+isc_result_t
+dns_rdata_hip_first(dns_rdata_hip_t *hip) {
+	if (hip->servers_len == 0) {
+		return (ISC_R_NOMORE);
+	}
+	hip->offset = 0;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_rdata_hip_next(dns_rdata_hip_t *hip) {
+	isc_region_t region;
+	dns_name_t name;
+
+	if (hip->offset >= hip->servers_len) {
+		return (ISC_R_NOMORE);
+	}
+
+	region.base = hip->servers + hip->offset;
+	region.length = hip->servers_len - hip->offset;
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+	hip->offset += name.length;
+	INSIST(hip->offset <= hip->servers_len);
+	return (hip->offset < hip->servers_len ? ISC_R_SUCCESS : ISC_R_NOMORE);
+}
+
+void
+dns_rdata_hip_current(dns_rdata_hip_t *hip, dns_name_t *name) {
+	isc_region_t region;
+
+	REQUIRE(hip->offset < hip->servers_len);
+
+	region.base = hip->servers + hip->offset;
+	region.length = hip->servers_len - hip->offset;
+	dns_name_fromregion(name, &region);
+
+	INSIST(name->length + hip->offset <= hip->servers_len);
+}
+
+static int
+casecompare_hip(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+	dns_name_t name1;
+	dns_name_t name2;
+	int order;
+	uint8_t hit_len;
+	uint16_t key_len;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_hip);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+
+	INSIST(r1.length > 4);
+	INSIST(r2.length > 4);
+	order = memcmp(r1.base, r2.base, 4);
+	if (order != 0) {
+		return (order);
+	}
+
+	hit_len = uint8_fromregion(&r1);
+	isc_region_consume(&r1, 2); /* hit length + algorithm */
+	key_len = uint16_fromregion(&r1);
+	isc_region_consume(&r1, 2); /* key length */
+	isc_region_consume(&r2, 4);
+
+	INSIST(r1.length >= (unsigned)(hit_len + key_len));
+	INSIST(r2.length >= (unsigned)(hit_len + key_len));
+	order = memcmp(r1.base, r2.base, hit_len + key_len);
+	if (order != 0) {
+		return (order);
+	}
+	isc_region_consume(&r1, hit_len + key_len);
+	isc_region_consume(&r2, hit_len + key_len);
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+	while (r1.length != 0 && r2.length != 0) {
+		dns_name_fromregion(&name1, &r1);
+		dns_name_fromregion(&name2, &r2);
+		order = dns_name_rdatacompare(&name1, &name2);
+		if (order != 0) {
+			return (order);
+		}
+
+		isc_region_consume(&r1, name_length(&name1));
+		isc_region_consume(&r2, name_length(&name2));
+	}
+	return (isc_region_compare(&r1, &r2));
+}
+
+#endif /* RDATA_GENERIC_HIP_5_C */
diff --git a/lib/dns/rdata/generic/hip_55.h b/lib/dns/rdata/generic/hip_55.h
new file mode 100644
index 0000000..4b852fa
--- /dev/null
+++ b/lib/dns/rdata/generic/hip_55.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_HIP_5_H
+#define GENERIC_HIP_5_H 1
+
+/* RFC 5205 */
+
+typedef struct dns_rdata_hip {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	unsigned char *hit;
+	unsigned char *key;
+	unsigned char *servers;
+	uint8_t algorithm;
+	uint8_t hit_len;
+	uint16_t key_len;
+	uint16_t servers_len;
+	/* Private */
+	uint16_t offset;
+} dns_rdata_hip_t;
+
+isc_result_t
+dns_rdata_hip_first(dns_rdata_hip_t *);
+
+isc_result_t
+dns_rdata_hip_next(dns_rdata_hip_t *);
+
+void
+dns_rdata_hip_current(dns_rdata_hip_t *, dns_name_t *);
+
+#endif /* GENERIC_HIP_5_H */
diff --git a/lib/dns/rdata/generic/ipseckey_45.c b/lib/dns/rdata/generic/ipseckey_45.c
new file mode 100644
index 0000000..bc9d457
--- /dev/null
+++ b/lib/dns/rdata/generic/ipseckey_45.c
@@ -0,0 +1,526 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_IPSECKEY_45_C
+#define RDATA_GENERIC_IPSECKEY_45_C
+
+#include <string.h>
+
+#include <isc/net.h>
+
+#define RRTYPE_IPSECKEY_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_ipseckey(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+	unsigned int gateway;
+	struct in_addr addr;
+	unsigned char addr6[16];
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_ipseckey);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	/*
+	 * Precedence.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint8_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Gateway type.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0x3U) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint8_tobuffer(token.value.as_ulong, target));
+	gateway = token.value.as_ulong;
+
+	/*
+	 * Algorithm.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint8_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Gateway.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	switch (gateway) {
+	case 0:
+		if (strcmp(DNS_AS_STR(token), ".") != 0) {
+			RETTOK(DNS_R_SYNTAX);
+		}
+		break;
+
+	case 1:
+		if (inet_pton(AF_INET, DNS_AS_STR(token), &addr) != 1) {
+			RETTOK(DNS_R_BADDOTTEDQUAD);
+		}
+		isc_buffer_availableregion(target, &region);
+		if (region.length < 4) {
+			return (ISC_R_NOSPACE);
+		}
+		memmove(region.base, &addr, 4);
+		isc_buffer_add(target, 4);
+		break;
+
+	case 2:
+		if (inet_pton(AF_INET6, DNS_AS_STR(token), addr6) != 1) {
+			RETTOK(DNS_R_BADAAAA);
+		}
+		isc_buffer_availableregion(target, &region);
+		if (region.length < 16) {
+			return (ISC_R_NOSPACE);
+		}
+		memmove(region.base, addr6, 16);
+		isc_buffer_add(target, 16);
+		break;
+
+	case 3:
+		dns_name_init(&name, NULL);
+		buffer_fromregion(&buffer, &token.value.as_region);
+		if (origin == NULL) {
+			origin = dns_rootname;
+		}
+		RETTOK(dns_name_fromtext(&name, &buffer, origin, options,
+					 target));
+		break;
+	}
+
+	/*
+	 * Public key.
+	 */
+	return (isc_base64_tobuffer(lexer, target, -2));
+}
+
+static isc_result_t
+totext_ipseckey(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	char buf[sizeof("255 ")];
+	unsigned short num;
+	unsigned short gateway;
+
+	REQUIRE(rdata->type == dns_rdatatype_ipseckey);
+	REQUIRE(rdata->length >= 3);
+
+	dns_name_init(&name, NULL);
+
+	if (rdata->data[1] > 3U) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+		RETERR(str_totext("( ", target));
+	}
+
+	/*
+	 * Precedence.
+	 */
+	dns_rdata_toregion(rdata, &region);
+	num = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	snprintf(buf, sizeof(buf), "%u ", num);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Gateway type.
+	 */
+	gateway = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	snprintf(buf, sizeof(buf), "%u ", gateway);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Algorithm.
+	 */
+	num = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	snprintf(buf, sizeof(buf), "%u ", num);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Gateway.
+	 */
+	switch (gateway) {
+	case 0:
+		RETERR(str_totext(".", target));
+		break;
+
+	case 1:
+		RETERR(inet_totext(AF_INET, tctx->flags, &region, target));
+		isc_region_consume(&region, 4);
+		break;
+
+	case 2:
+		RETERR(inet_totext(AF_INET6, tctx->flags, &region, target));
+		isc_region_consume(&region, 16);
+		break;
+
+	case 3:
+		dns_name_fromregion(&name, &region);
+		RETERR(dns_name_totext(&name, false, target));
+		isc_region_consume(&region, name_length(&name));
+		break;
+	}
+
+	/*
+	 * Key.
+	 */
+	if (region.length > 0U) {
+		RETERR(str_totext(tctx->linebreak, target));
+		if (tctx->width == 0) { /* No splitting */
+			RETERR(isc_base64_totext(&region, 60, "", target));
+		} else {
+			RETERR(isc_base64_totext(&region, tctx->width - 2,
+						 tctx->linebreak, target));
+		}
+	}
+
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+		RETERR(str_totext(" )", target));
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+fromwire_ipseckey(ARGS_FROMWIRE) {
+	dns_name_t name;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_ipseckey);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+	dns_name_init(&name, NULL);
+
+	isc_buffer_activeregion(source, &region);
+	if (region.length < 3) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	switch (region.base[1]) {
+	case 0:
+		if (region.length < 4) {
+			return (ISC_R_UNEXPECTEDEND);
+		}
+		isc_buffer_forward(source, region.length);
+		return (mem_tobuffer(target, region.base, region.length));
+
+	case 1:
+		if (region.length < 8) {
+			return (ISC_R_UNEXPECTEDEND);
+		}
+		isc_buffer_forward(source, region.length);
+		return (mem_tobuffer(target, region.base, region.length));
+
+	case 2:
+		if (region.length < 20) {
+			return (ISC_R_UNEXPECTEDEND);
+		}
+		isc_buffer_forward(source, region.length);
+		return (mem_tobuffer(target, region.base, region.length));
+
+	case 3:
+		RETERR(mem_tobuffer(target, region.base, 3));
+		isc_buffer_forward(source, 3);
+		RETERR(dns_name_fromwire(&name, source, dctx, options, target));
+		isc_buffer_activeregion(source, &region);
+		isc_buffer_forward(source, region.length);
+		if (region.length < 1) {
+			return (ISC_R_UNEXPECTEDEND);
+		}
+		return (mem_tobuffer(target, region.base, region.length));
+
+	default:
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+}
+
+static isc_result_t
+towire_ipseckey(ARGS_TOWIRE) {
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_ipseckey);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &region);
+	return (mem_tobuffer(target, region.base, region.length));
+}
+
+static int
+compare_ipseckey(ARGS_COMPARE) {
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_ipseckey);
+	REQUIRE(rdata1->length >= 3);
+	REQUIRE(rdata2->length >= 3);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	return (isc_region_compare(&region1, &region2));
+}
+
+static isc_result_t
+fromstruct_ipseckey(ARGS_FROMSTRUCT) {
+	dns_rdata_ipseckey_t *ipseckey = source;
+	isc_region_t region;
+	uint32_t n;
+
+	REQUIRE(type == dns_rdatatype_ipseckey);
+	REQUIRE(ipseckey != NULL);
+	REQUIRE(ipseckey->common.rdtype == type);
+	REQUIRE(ipseckey->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	if (ipseckey->gateway_type > 3U) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	RETERR(uint8_tobuffer(ipseckey->precedence, target));
+	RETERR(uint8_tobuffer(ipseckey->gateway_type, target));
+	RETERR(uint8_tobuffer(ipseckey->algorithm, target));
+
+	switch (ipseckey->gateway_type) {
+	case 0:
+		break;
+
+	case 1:
+		n = ntohl(ipseckey->in_addr.s_addr);
+		RETERR(uint32_tobuffer(n, target));
+		break;
+
+	case 2:
+		RETERR(mem_tobuffer(target, ipseckey->in6_addr.s6_addr, 16));
+		break;
+
+	case 3:
+		dns_name_toregion(&ipseckey->gateway, &region);
+		RETERR(isc_buffer_copyregion(target, &region));
+		break;
+	}
+
+	return (mem_tobuffer(target, ipseckey->key, ipseckey->keylength));
+}
+
+static isc_result_t
+tostruct_ipseckey(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_ipseckey_t *ipseckey = target;
+	dns_name_t name;
+	uint32_t n;
+
+	REQUIRE(rdata->type == dns_rdatatype_ipseckey);
+	REQUIRE(ipseckey != NULL);
+	REQUIRE(rdata->length >= 3);
+
+	if (rdata->data[1] > 3U) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	ipseckey->common.rdclass = rdata->rdclass;
+	ipseckey->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&ipseckey->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+
+	ipseckey->precedence = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+
+	ipseckey->gateway_type = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+
+	ipseckey->algorithm = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+
+	switch (ipseckey->gateway_type) {
+	case 0:
+		break;
+
+	case 1:
+		n = uint32_fromregion(&region);
+		ipseckey->in_addr.s_addr = htonl(n);
+		isc_region_consume(&region, 4);
+		break;
+
+	case 2:
+		memmove(ipseckey->in6_addr.s6_addr, region.base, 16);
+		isc_region_consume(&region, 16);
+		break;
+
+	case 3:
+		dns_name_init(&ipseckey->gateway, NULL);
+		dns_name_fromregion(&name, &region);
+		RETERR(name_duporclone(&name, mctx, &ipseckey->gateway));
+		isc_region_consume(&region, name_length(&name));
+		break;
+	}
+
+	ipseckey->keylength = region.length;
+	if (ipseckey->keylength != 0U) {
+		ipseckey->key = mem_maybedup(mctx, region.base,
+					     ipseckey->keylength);
+		if (ipseckey->key == NULL) {
+			if (ipseckey->gateway_type == 3) {
+				dns_name_free(&ipseckey->gateway,
+					      ipseckey->mctx);
+			}
+			return (ISC_R_NOMEMORY);
+		}
+	} else {
+		ipseckey->key = NULL;
+	}
+
+	ipseckey->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_ipseckey(ARGS_FREESTRUCT) {
+	dns_rdata_ipseckey_t *ipseckey = source;
+
+	REQUIRE(ipseckey != NULL);
+	REQUIRE(ipseckey->common.rdtype == dns_rdatatype_ipseckey);
+
+	if (ipseckey->mctx == NULL) {
+		return;
+	}
+
+	if (ipseckey->gateway_type == 3) {
+		dns_name_free(&ipseckey->gateway, ipseckey->mctx);
+	}
+
+	if (ipseckey->key != NULL) {
+		isc_mem_free(ipseckey->mctx, ipseckey->key);
+	}
+
+	ipseckey->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_ipseckey(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_ipseckey);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_ipseckey(ARGS_DIGEST) {
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_ipseckey);
+
+	dns_rdata_toregion(rdata, &region);
+	return ((digest)(arg, &region));
+}
+
+static bool
+checkowner_ipseckey(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_ipseckey);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_ipseckey(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_ipseckey);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_ipseckey(ARGS_COMPARE) {
+	isc_region_t region1;
+	isc_region_t region2;
+	dns_name_t name1;
+	dns_name_t name2;
+	int order;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_ipseckey);
+	REQUIRE(rdata1->length >= 3);
+	REQUIRE(rdata2->length >= 3);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	if (memcmp(region1.base, region2.base, 3) != 0 || region1.base[1] != 3)
+	{
+		return (isc_region_compare(&region1, &region2));
+	}
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	isc_region_consume(&region1, 3);
+	isc_region_consume(&region2, 3);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	order = dns_name_rdatacompare(&name1, &name2);
+	if (order != 0) {
+		return (order);
+	}
+
+	isc_region_consume(&region1, name_length(&name1));
+	isc_region_consume(&region2, name_length(&name2));
+
+	return (isc_region_compare(&region1, &region2));
+}
+
+#endif /* RDATA_GENERIC_IPSECKEY_45_C */
diff --git a/lib/dns/rdata/generic/ipseckey_45.h b/lib/dns/rdata/generic/ipseckey_45.h
new file mode 100644
index 0000000..bdace0e
--- /dev/null
+++ b/lib/dns/rdata/generic/ipseckey_45.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_IPSECKEY_45_H
+#define GENERIC_IPSECKEY_45_H 1
+
+typedef struct dns_rdata_ipseckey {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	uint8_t precedence;
+	uint8_t gateway_type;
+	uint8_t algorithm;
+	struct in_addr in_addr;	  /* gateway type 1 */
+	struct in6_addr in6_addr; /* gateway type 2 */
+	dns_name_t gateway;	  /* gateway type 3 */
+	unsigned char *key;
+	uint16_t keylength;
+} dns_rdata_ipseckey_t;
+
+#endif /* GENERIC_IPSECKEY_45_H */
diff --git a/lib/dns/rdata/generic/isdn_20.c b/lib/dns/rdata/generic/isdn_20.c
new file mode 100644
index 0000000..3fd756a
--- /dev/null
+++ b/lib/dns/rdata/generic/isdn_20.c
@@ -0,0 +1,247 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC1183 */
+
+#ifndef RDATA_GENERIC_ISDN_20_C
+#define RDATA_GENERIC_ISDN_20_C
+
+#define RRTYPE_ISDN_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_isdn(ARGS_FROMTEXT) {
+	isc_token_t token;
+
+	REQUIRE(type == dns_rdatatype_isdn);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	/* ISDN-address */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
+				      false));
+	RETTOK(txt_fromtext(&token.value.as_textregion, target));
+
+	/* sa: optional */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
+				      true));
+	if (token.type != isc_tokentype_string &&
+	    token.type != isc_tokentype_qstring)
+	{
+		isc_lex_ungettoken(lexer, &token);
+		return (ISC_R_SUCCESS);
+	}
+	RETTOK(txt_fromtext(&token.value.as_textregion, target));
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+totext_isdn(ARGS_TOTEXT) {
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_isdn);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(tctx);
+
+	dns_rdata_toregion(rdata, &region);
+	RETERR(txt_totext(&region, true, target));
+	if (region.length == 0) {
+		return (ISC_R_SUCCESS);
+	}
+	RETERR(str_totext(" ", target));
+	return (txt_totext(&region, true, target));
+}
+
+static isc_result_t
+fromwire_isdn(ARGS_FROMWIRE) {
+	REQUIRE(type == dns_rdatatype_isdn);
+
+	UNUSED(type);
+	UNUSED(dctx);
+	UNUSED(rdclass);
+	UNUSED(options);
+
+	RETERR(txt_fromwire(source, target));
+	if (buffer_empty(source)) {
+		return (ISC_R_SUCCESS);
+	}
+	return (txt_fromwire(source, target));
+}
+
+static isc_result_t
+towire_isdn(ARGS_TOWIRE) {
+	UNUSED(cctx);
+
+	REQUIRE(rdata->type == dns_rdatatype_isdn);
+	REQUIRE(rdata->length != 0);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static int
+compare_isdn(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_isdn);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+fromstruct_isdn(ARGS_FROMSTRUCT) {
+	dns_rdata_isdn_t *isdn = source;
+
+	REQUIRE(type == dns_rdatatype_isdn);
+	REQUIRE(isdn != NULL);
+	REQUIRE(isdn->common.rdtype == type);
+	REQUIRE(isdn->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint8_tobuffer(isdn->isdn_len, target));
+	RETERR(mem_tobuffer(target, isdn->isdn, isdn->isdn_len));
+	if (isdn->subaddress == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+	RETERR(uint8_tobuffer(isdn->subaddress_len, target));
+	return (mem_tobuffer(target, isdn->subaddress, isdn->subaddress_len));
+}
+
+static isc_result_t
+tostruct_isdn(ARGS_TOSTRUCT) {
+	dns_rdata_isdn_t *isdn = target;
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_isdn);
+	REQUIRE(isdn != NULL);
+	REQUIRE(rdata->length != 0);
+
+	isdn->common.rdclass = rdata->rdclass;
+	isdn->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&isdn->common, link);
+
+	dns_rdata_toregion(rdata, &r);
+
+	isdn->isdn_len = uint8_fromregion(&r);
+	isc_region_consume(&r, 1);
+	isdn->isdn = mem_maybedup(mctx, r.base, isdn->isdn_len);
+	if (isdn->isdn == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+	isc_region_consume(&r, isdn->isdn_len);
+
+	if (r.length == 0) {
+		isdn->subaddress_len = 0;
+		isdn->subaddress = NULL;
+	} else {
+		isdn->subaddress_len = uint8_fromregion(&r);
+		isc_region_consume(&r, 1);
+		isdn->subaddress = mem_maybedup(mctx, r.base,
+						isdn->subaddress_len);
+		if (isdn->subaddress == NULL) {
+			goto cleanup;
+		}
+	}
+
+	isdn->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	if (mctx != NULL && isdn->isdn != NULL) {
+		isc_mem_free(mctx, isdn->isdn);
+	}
+	return (ISC_R_NOMEMORY);
+}
+
+static void
+freestruct_isdn(ARGS_FREESTRUCT) {
+	dns_rdata_isdn_t *isdn = source;
+
+	REQUIRE(isdn != NULL);
+
+	if (isdn->mctx == NULL) {
+		return;
+	}
+
+	if (isdn->isdn != NULL) {
+		isc_mem_free(isdn->mctx, isdn->isdn);
+	}
+	if (isdn->subaddress != NULL) {
+		isc_mem_free(isdn->mctx, isdn->subaddress);
+	}
+	isdn->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_isdn(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_isdn);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_isdn(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_isdn);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_isdn(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_isdn);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_isdn(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_isdn);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_isdn(ARGS_COMPARE) {
+	return (compare_isdn(rdata1, rdata2));
+}
+
+#endif /* RDATA_GENERIC_ISDN_20_C */
diff --git a/lib/dns/rdata/generic/isdn_20.h b/lib/dns/rdata/generic/isdn_20.h
new file mode 100644
index 0000000..17bb155
--- /dev/null
+++ b/lib/dns/rdata/generic/isdn_20.h
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_ISDN_20_H
+#define GENERIC_ISDN_20_H 1
+
+/*!
+ * \brief Per RFC1183 */
+
+typedef struct dns_rdata_isdn {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	char *isdn;
+	char *subaddress;
+	uint8_t isdn_len;
+	uint8_t subaddress_len;
+} dns_rdata_isdn_t;
+
+#endif /* GENERIC_ISDN_20_H */
diff --git a/lib/dns/rdata/generic/key_25.c b/lib/dns/rdata/generic/key_25.c
new file mode 100644
index 0000000..a94ebc2
--- /dev/null
+++ b/lib/dns/rdata/generic/key_25.c
@@ -0,0 +1,468 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC2535 */
+
+#ifndef RDATA_GENERIC_KEY_25_C
+#define RDATA_GENERIC_KEY_25_C
+
+#include <dst/dst.h>
+
+#define RRTYPE_KEY_ATTRIBUTES \
+	(DNS_RDATATYPEATTR_ATCNAME | DNS_RDATATYPEATTR_ZONECUTAUTH)
+
+/*
+ * RFC 2535 section 3.1.2 says that if bits 0-1 of the Flags field are
+ * both set, it means there is no key information and the RR stops after
+ * the algorithm octet.  However, this only applies to KEY records, as
+ * indicated by the specifications of the RR types based on KEY:
+ *
+ *     CDNSKEY - RFC 7344
+ *     DNSKEY - RFC 4034
+ *     RKEY - draft-reid-dnsext-rkey-00
+ */
+static bool
+generic_key_nokey(dns_rdatatype_t type, unsigned int flags) {
+	switch (type) {
+	case dns_rdatatype_cdnskey:
+	case dns_rdatatype_dnskey:
+	case dns_rdatatype_rkey:
+		return (false);
+	case dns_rdatatype_key:
+	default:
+		return ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY);
+	}
+}
+
+static isc_result_t
+generic_fromtext_key(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_secalg_t alg;
+	dns_secproto_t proto;
+	dns_keyflags_t flags;
+
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	/* flags */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	RETTOK(dns_keyflags_fromtext(&flags, &token.value.as_textregion));
+	if (type == dns_rdatatype_rkey && flags != 0U) {
+		RETTOK(DNS_R_FORMERR);
+	}
+	RETERR(uint16_tobuffer(flags, target));
+
+	/* protocol */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	RETTOK(dns_secproto_fromtext(&proto, &token.value.as_textregion));
+	RETERR(mem_tobuffer(target, &proto, 1));
+
+	/* algorithm */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	RETTOK(dns_secalg_fromtext(&alg, &token.value.as_textregion));
+	RETERR(mem_tobuffer(target, &alg, 1));
+
+	/* No Key? */
+	if (generic_key_nokey(type, flags)) {
+		return (ISC_R_SUCCESS);
+	}
+
+	return (isc_base64_tobuffer(lexer, target, -2));
+}
+
+static isc_result_t
+generic_totext_key(ARGS_TOTEXT) {
+	isc_region_t sr;
+	char buf[sizeof("[key id = 64000]")];
+	unsigned int flags;
+	unsigned char algorithm;
+	char algbuf[DNS_NAME_FORMATSIZE];
+	const char *keyinfo;
+	isc_region_t tmpr;
+
+	REQUIRE(rdata->length != 0);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/* flags */
+	flags = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	snprintf(buf, sizeof(buf), "%u", flags);
+	RETERR(str_totext(buf, target));
+	RETERR(str_totext(" ", target));
+	if ((flags & DNS_KEYFLAG_KSK) != 0) {
+		if (flags & DNS_KEYFLAG_REVOKE) {
+			keyinfo = "revoked KSK";
+		} else {
+			keyinfo = "KSK";
+		}
+	} else {
+		keyinfo = "ZSK";
+	}
+
+	/* protocol */
+	snprintf(buf, sizeof(buf), "%u", sr.base[0]);
+	isc_region_consume(&sr, 1);
+	RETERR(str_totext(buf, target));
+	RETERR(str_totext(" ", target));
+
+	/* algorithm */
+	algorithm = sr.base[0];
+	snprintf(buf, sizeof(buf), "%u", algorithm);
+	isc_region_consume(&sr, 1);
+	RETERR(str_totext(buf, target));
+
+	/* No Key? */
+	if (generic_key_nokey(rdata->type, flags)) {
+		return (ISC_R_SUCCESS);
+	}
+
+	if ((tctx->flags & DNS_STYLEFLAG_RRCOMMENT) != 0 &&
+	    algorithm == DNS_KEYALG_PRIVATEDNS)
+	{
+		dns_name_t name;
+		dns_name_init(&name, NULL);
+		dns_name_fromregion(&name, &sr);
+		dns_name_format(&name, algbuf, sizeof(algbuf));
+	} else {
+		dns_secalg_format((dns_secalg_t)algorithm, algbuf,
+				  sizeof(algbuf));
+	}
+
+	/* key */
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+		RETERR(str_totext(" (", target));
+	}
+	RETERR(str_totext(tctx->linebreak, target));
+
+	if ((tctx->flags & DNS_STYLEFLAG_NOCRYPTO) == 0) {
+		if (tctx->width == 0) { /* No splitting */
+			RETERR(isc_base64_totext(&sr, 60, "", target));
+		} else {
+			RETERR(isc_base64_totext(&sr, tctx->width - 2,
+						 tctx->linebreak, target));
+		}
+	} else {
+		dns_rdata_toregion(rdata, &tmpr);
+		snprintf(buf, sizeof(buf), "[key id = %u]",
+			 dst_region_computeid(&tmpr));
+		RETERR(str_totext(buf, target));
+	}
+
+	if ((tctx->flags & DNS_STYLEFLAG_RRCOMMENT) != 0) {
+		RETERR(str_totext(tctx->linebreak, target));
+	} else if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+		RETERR(str_totext(" ", target));
+	}
+
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+		RETERR(str_totext(")", target));
+	}
+
+	if ((tctx->flags & DNS_STYLEFLAG_RRCOMMENT) != 0) {
+		if (rdata->type == dns_rdatatype_dnskey ||
+		    rdata->type == dns_rdatatype_cdnskey)
+		{
+			RETERR(str_totext(" ; ", target));
+			RETERR(str_totext(keyinfo, target));
+		}
+		RETERR(str_totext("; alg = ", target));
+		RETERR(str_totext(algbuf, target));
+		RETERR(str_totext(" ; key id = ", target));
+		dns_rdata_toregion(rdata, &tmpr);
+		snprintf(buf, sizeof(buf), "%u", dst_region_computeid(&tmpr));
+		RETERR(str_totext(buf, target));
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+generic_fromwire_key(ARGS_FROMWIRE) {
+	unsigned char algorithm;
+	uint16_t flags;
+	isc_region_t sr;
+
+	UNUSED(rdclass);
+	UNUSED(dctx);
+	UNUSED(options);
+
+	isc_buffer_activeregion(source, &sr);
+	if (sr.length < 4) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	flags = (sr.base[0] << 8) | sr.base[1];
+
+	if (type == dns_rdatatype_rkey && flags != 0U) {
+		return (DNS_R_FORMERR);
+	}
+
+	algorithm = sr.base[3];
+	RETERR(mem_tobuffer(target, sr.base, 4));
+	isc_region_consume(&sr, 4);
+	isc_buffer_forward(source, 4);
+
+	if (generic_key_nokey(type, flags)) {
+		return (ISC_R_SUCCESS);
+	}
+	if (sr.length == 0) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	if (algorithm == DNS_KEYALG_PRIVATEDNS) {
+		dns_name_t name;
+		dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+		dns_name_init(&name, NULL);
+		RETERR(dns_name_fromwire(&name, source, dctx, options, target));
+	}
+
+	isc_buffer_activeregion(source, &sr);
+	isc_buffer_forward(source, sr.length);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static isc_result_t
+fromtext_key(ARGS_FROMTEXT) {
+	REQUIRE(type == dns_rdatatype_key);
+
+	return (generic_fromtext_key(CALL_FROMTEXT));
+}
+
+static isc_result_t
+totext_key(ARGS_TOTEXT) {
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_key);
+
+	return (generic_totext_key(CALL_TOTEXT));
+}
+
+static isc_result_t
+fromwire_key(ARGS_FROMWIRE) {
+	REQUIRE(type == dns_rdatatype_key);
+
+	return (generic_fromwire_key(CALL_FROMWIRE));
+}
+
+static isc_result_t
+towire_key(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_key);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static int
+compare_key(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1 != NULL);
+	REQUIRE(rdata2 != NULL);
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_key);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+generic_fromstruct_key(ARGS_FROMSTRUCT) {
+	dns_rdata_key_t *key = source;
+
+	REQUIRE(key != NULL);
+	REQUIRE(key->common.rdtype == type);
+	REQUIRE(key->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	if (type == dns_rdatatype_rkey) {
+		INSIST(key->flags == 0U);
+	}
+
+	/* Flags */
+	RETERR(uint16_tobuffer(key->flags, target));
+
+	/* Protocol */
+	RETERR(uint8_tobuffer(key->protocol, target));
+
+	/* Algorithm */
+	RETERR(uint8_tobuffer(key->algorithm, target));
+
+	/* Data */
+	return (mem_tobuffer(target, key->data, key->datalen));
+}
+
+static isc_result_t
+generic_tostruct_key(ARGS_TOSTRUCT) {
+	dns_rdata_key_t *key = target;
+	isc_region_t sr;
+
+	REQUIRE(key != NULL);
+	REQUIRE(rdata->length != 0);
+
+	REQUIRE(key != NULL);
+	REQUIRE(key->common.rdclass == rdata->rdclass);
+	REQUIRE(key->common.rdtype == rdata->type);
+	REQUIRE(!ISC_LINK_LINKED(&key->common, link));
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/* Flags */
+	if (sr.length < 2) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	key->flags = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+
+	/* Protocol */
+	if (sr.length < 1) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	key->protocol = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+
+	/* Algorithm */
+	if (sr.length < 1) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	key->algorithm = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+
+	/* Data */
+	key->datalen = sr.length;
+	key->data = mem_maybedup(mctx, sr.base, key->datalen);
+	if (key->data == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	key->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+generic_freestruct_key(ARGS_FREESTRUCT) {
+	dns_rdata_key_t *key = (dns_rdata_key_t *)source;
+
+	REQUIRE(key != NULL);
+
+	if (key->mctx == NULL) {
+		return;
+	}
+
+	if (key->data != NULL) {
+		isc_mem_free(key->mctx, key->data);
+	}
+	key->mctx = NULL;
+}
+
+static isc_result_t
+fromstruct_key(ARGS_FROMSTRUCT) {
+	REQUIRE(type == dns_rdatatype_key);
+
+	return (generic_fromstruct_key(CALL_FROMSTRUCT));
+}
+
+static isc_result_t
+tostruct_key(ARGS_TOSTRUCT) {
+	dns_rdata_key_t *key = target;
+
+	REQUIRE(key != NULL);
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_key);
+
+	key->common.rdclass = rdata->rdclass;
+	key->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&key->common, link);
+
+	return (generic_tostruct_key(CALL_TOSTRUCT));
+}
+
+static void
+freestruct_key(ARGS_FREESTRUCT) {
+	dns_rdata_key_t *key = (dns_rdata_key_t *)source;
+
+	REQUIRE(key != NULL);
+	REQUIRE(key->common.rdtype == dns_rdatatype_key);
+
+	generic_freestruct_key(source);
+}
+
+static isc_result_t
+additionaldata_key(ARGS_ADDLDATA) {
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_key);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_key(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_key);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_key(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_key);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_key(ARGS_CHECKNAMES) {
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_key);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_key(ARGS_COMPARE) {
+	return (compare_key(rdata1, rdata2));
+}
+
+#endif /* RDATA_GENERIC_KEY_25_C */
diff --git a/lib/dns/rdata/generic/key_25.h b/lib/dns/rdata/generic/key_25.h
new file mode 100644
index 0000000..c528224
--- /dev/null
+++ b/lib/dns/rdata/generic/key_25.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_KEY_25_H
+#define GENERIC_KEY_25_H 1
+
+/*!
+ * \brief Per RFC2535 */
+
+typedef struct dns_rdata_key {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	uint16_t flags;
+	dns_secproto_t protocol;
+	dns_secalg_t algorithm;
+	uint16_t datalen;
+	unsigned char *data;
+} dns_rdata_key_t;
+
+#endif /* GENERIC_KEY_25_H */
diff --git a/lib/dns/rdata/generic/keydata_65533.c b/lib/dns/rdata/generic/keydata_65533.c
new file mode 100644
index 0000000..46ae5dd
--- /dev/null
+++ b/lib/dns/rdata/generic/keydata_65533.c
@@ -0,0 +1,462 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_KEYDATA_65533_C
+#define GENERIC_KEYDATA_65533_C 1
+
+#include <isc/stdtime.h>
+#include <isc/time.h>
+
+#include <dst/dst.h>
+
+#define RRTYPE_KEYDATA_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_keydata(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_secalg_t alg;
+	dns_secproto_t proto;
+	dns_keyflags_t flags;
+	uint32_t refresh, addhd, removehd;
+
+	REQUIRE(type == dns_rdatatype_keydata);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	/* refresh timer */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	RETTOK(dns_time32_fromtext(DNS_AS_STR(token), &refresh));
+	RETERR(uint32_tobuffer(refresh, target));
+
+	/* add hold-down */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	RETTOK(dns_time32_fromtext(DNS_AS_STR(token), &addhd));
+	RETERR(uint32_tobuffer(addhd, target));
+
+	/* remove hold-down */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	RETTOK(dns_time32_fromtext(DNS_AS_STR(token), &removehd));
+	RETERR(uint32_tobuffer(removehd, target));
+
+	/* flags */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	RETTOK(dns_keyflags_fromtext(&flags, &token.value.as_textregion));
+	RETERR(uint16_tobuffer(flags, target));
+
+	/* protocol */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	RETTOK(dns_secproto_fromtext(&proto, &token.value.as_textregion));
+	RETERR(mem_tobuffer(target, &proto, 1));
+
+	/* algorithm */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	RETTOK(dns_secalg_fromtext(&alg, &token.value.as_textregion));
+	RETERR(mem_tobuffer(target, &alg, 1));
+
+	/* Do we have a placeholder KEYDATA record? */
+	if (flags == 0 && proto == 0 && alg == 0) {
+		return (ISC_R_SUCCESS);
+	}
+
+	/* No Key? */
+	if ((flags & 0xc000) == 0xc000) {
+		return (ISC_R_SUCCESS);
+	}
+
+	return (isc_base64_tobuffer(lexer, target, -2));
+}
+
+static isc_result_t
+totext_keydata(ARGS_TOTEXT) {
+	isc_region_t sr;
+	char buf[sizeof("64000")];
+	unsigned int flags;
+	unsigned char proto, algorithm;
+	unsigned long refresh, add, deltime;
+	char algbuf[DNS_NAME_FORMATSIZE];
+	const char *keyinfo;
+
+	REQUIRE(rdata->type == dns_rdatatype_keydata);
+
+	if ((tctx->flags & DNS_STYLEFLAG_KEYDATA) == 0 || rdata->length < 16) {
+		return (unknown_totext(rdata, tctx, target));
+	}
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/* refresh timer */
+	refresh = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+	RETERR(dns_time32_totext(refresh, target));
+	RETERR(str_totext(" ", target));
+
+	/* add hold-down */
+	add = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+	RETERR(dns_time32_totext(add, target));
+	RETERR(str_totext(" ", target));
+
+	/* remove hold-down */
+	deltime = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+	RETERR(dns_time32_totext(deltime, target));
+	RETERR(str_totext(" ", target));
+
+	/* flags */
+	flags = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	snprintf(buf, sizeof(buf), "%u", flags);
+	RETERR(str_totext(buf, target));
+	RETERR(str_totext(" ", target));
+	if ((flags & DNS_KEYFLAG_KSK) != 0) {
+		if ((flags & DNS_KEYFLAG_REVOKE) != 0) {
+			keyinfo = "revoked KSK";
+		} else {
+			keyinfo = "KSK";
+		}
+	} else {
+		keyinfo = "ZSK";
+	}
+
+	/* protocol */
+	proto = sr.base[0];
+	snprintf(buf, sizeof(buf), "%u", proto);
+	isc_region_consume(&sr, 1);
+	RETERR(str_totext(buf, target));
+	RETERR(str_totext(" ", target));
+
+	/* algorithm */
+	algorithm = sr.base[0];
+	snprintf(buf, sizeof(buf), "%u", algorithm);
+	isc_region_consume(&sr, 1);
+	RETERR(str_totext(buf, target));
+
+	/* Do we have a placeholder KEYDATA record? */
+	if (flags == 0 && proto == 0 && algorithm == 0) {
+		if ((tctx->flags & DNS_STYLEFLAG_RRCOMMENT) != 0) {
+			RETERR(str_totext(" ; placeholder", target));
+		}
+		return (ISC_R_SUCCESS);
+	}
+
+	/* No Key? */
+	if ((flags & 0xc000) == 0xc000) {
+		return (ISC_R_SUCCESS);
+	}
+
+	/* key */
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+		RETERR(str_totext(" (", target));
+	}
+	RETERR(str_totext(tctx->linebreak, target));
+	if (tctx->width == 0) { /* No splitting */
+		RETERR(isc_base64_totext(&sr, 60, "", target));
+	} else {
+		RETERR(isc_base64_totext(&sr, tctx->width - 2, tctx->linebreak,
+					 target));
+	}
+
+	if ((tctx->flags & DNS_STYLEFLAG_RRCOMMENT) != 0) {
+		RETERR(str_totext(tctx->linebreak, target));
+	} else if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+		RETERR(str_totext(" ", target));
+	}
+
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+		RETERR(str_totext(")", target));
+	}
+
+	if ((tctx->flags & DNS_STYLEFLAG_RRCOMMENT) != 0) {
+		isc_region_t tmpr;
+		char rbuf[ISC_FORMATHTTPTIMESTAMP_SIZE];
+		char abuf[ISC_FORMATHTTPTIMESTAMP_SIZE];
+		char dbuf[ISC_FORMATHTTPTIMESTAMP_SIZE];
+		isc_time_t t;
+
+		RETERR(str_totext(" ; ", target));
+		RETERR(str_totext(keyinfo, target));
+		dns_secalg_format((dns_secalg_t)algorithm, algbuf,
+				  sizeof(algbuf));
+		RETERR(str_totext("; alg = ", target));
+		RETERR(str_totext(algbuf, target));
+		RETERR(str_totext("; key id = ", target));
+		dns_rdata_toregion(rdata, &tmpr);
+		/* Skip over refresh, addhd, and removehd */
+		isc_region_consume(&tmpr, 12);
+		snprintf(buf, sizeof(buf), "%u", dst_region_computeid(&tmpr));
+		RETERR(str_totext(buf, target));
+
+		if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+			isc_stdtime_t now;
+
+			isc_stdtime_get(&now);
+
+			RETERR(str_totext(tctx->linebreak, target));
+			RETERR(str_totext("; next refresh: ", target));
+			isc_time_set(&t, refresh, 0);
+			isc_time_formathttptimestamp(&t, rbuf, sizeof(rbuf));
+			RETERR(str_totext(rbuf, target));
+
+			if (add == 0U) {
+				RETERR(str_totext(tctx->linebreak, target));
+				RETERR(str_totext("; no trust", target));
+			} else {
+				RETERR(str_totext(tctx->linebreak, target));
+				if (add < now) {
+					RETERR(str_totext("; trusted since: ",
+							  target));
+				} else {
+					RETERR(str_totext("; trust pending: ",
+							  target));
+				}
+				isc_time_set(&t, add, 0);
+				isc_time_formathttptimestamp(&t, abuf,
+							     sizeof(abuf));
+				RETERR(str_totext(abuf, target));
+			}
+
+			if (deltime != 0U) {
+				RETERR(str_totext(tctx->linebreak, target));
+				RETERR(str_totext("; removal pending: ",
+						  target));
+				isc_time_set(&t, deltime, 0);
+				isc_time_formathttptimestamp(&t, dbuf,
+							     sizeof(dbuf));
+				RETERR(str_totext(dbuf, target));
+			}
+		}
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+fromwire_keydata(ARGS_FROMWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(type == dns_rdatatype_keydata);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+	UNUSED(options);
+
+	isc_buffer_activeregion(source, &sr);
+	isc_buffer_forward(source, sr.length);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static isc_result_t
+towire_keydata(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_keydata);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static int
+compare_keydata(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_keydata);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+fromstruct_keydata(ARGS_FROMSTRUCT) {
+	dns_rdata_keydata_t *keydata = source;
+
+	REQUIRE(type == dns_rdatatype_keydata);
+	REQUIRE(keydata != NULL);
+	REQUIRE(keydata->common.rdtype == type);
+	REQUIRE(keydata->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	/* Refresh timer */
+	RETERR(uint32_tobuffer(keydata->refresh, target));
+
+	/* Add hold-down */
+	RETERR(uint32_tobuffer(keydata->addhd, target));
+
+	/* Remove hold-down */
+	RETERR(uint32_tobuffer(keydata->removehd, target));
+
+	/* Flags */
+	RETERR(uint16_tobuffer(keydata->flags, target));
+
+	/* Protocol */
+	RETERR(uint8_tobuffer(keydata->protocol, target));
+
+	/* Algorithm */
+	RETERR(uint8_tobuffer(keydata->algorithm, target));
+
+	/* Data */
+	return (mem_tobuffer(target, keydata->data, keydata->datalen));
+}
+
+static isc_result_t
+tostruct_keydata(ARGS_TOSTRUCT) {
+	dns_rdata_keydata_t *keydata = target;
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_keydata);
+	REQUIRE(keydata != NULL);
+
+	keydata->common.rdclass = rdata->rdclass;
+	keydata->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&keydata->common, link);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/* Refresh timer */
+	if (sr.length < 4) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	keydata->refresh = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+
+	/* Add hold-down */
+	if (sr.length < 4) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	keydata->addhd = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+
+	/* Remove hold-down */
+	if (sr.length < 4) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	keydata->removehd = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+
+	/* Flags */
+	if (sr.length < 2) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	keydata->flags = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+
+	/* Protocol */
+	if (sr.length < 1) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	keydata->protocol = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+
+	/* Algorithm */
+	if (sr.length < 1) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	keydata->algorithm = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+
+	/* Data */
+	keydata->datalen = sr.length;
+	keydata->data = mem_maybedup(mctx, sr.base, keydata->datalen);
+	if (keydata->data == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	keydata->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_keydata(ARGS_FREESTRUCT) {
+	dns_rdata_keydata_t *keydata = (dns_rdata_keydata_t *)source;
+
+	REQUIRE(keydata != NULL);
+	REQUIRE(keydata->common.rdtype == dns_rdatatype_keydata);
+
+	if (keydata->mctx == NULL) {
+		return;
+	}
+
+	if (keydata->data != NULL) {
+		isc_mem_free(keydata->mctx, keydata->data);
+	}
+	keydata->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_keydata(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_keydata);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_keydata(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_keydata);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_keydata(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_keydata);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_keydata(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_keydata);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_keydata(ARGS_COMPARE) {
+	return (compare_keydata(rdata1, rdata2));
+}
+
+#endif /* GENERIC_KEYDATA_65533_C */
diff --git a/lib/dns/rdata/generic/keydata_65533.h b/lib/dns/rdata/generic/keydata_65533.h
new file mode 100644
index 0000000..5ad0715
--- /dev/null
+++ b/lib/dns/rdata/generic/keydata_65533.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_KEYDATA_65533_H
+#define GENERIC_KEYDATA_65533_H 1
+
+typedef struct dns_rdata_keydata {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	uint32_t refresh;  /* Timer for refreshing data */
+	uint32_t addhd;	   /* Hold-down timer for adding */
+	uint32_t removehd; /* Hold-down timer for removing */
+	uint16_t flags;	   /* Copy of DNSKEY_48 */
+	dns_secproto_t protocol;
+	dns_secalg_t algorithm;
+	uint16_t datalen;
+	unsigned char *data;
+} dns_rdata_keydata_t;
+
+#endif /* GENERIC_KEYDATA_65533_H */
diff --git a/lib/dns/rdata/generic/l32_105.c b/lib/dns/rdata/generic/l32_105.c
new file mode 100644
index 0000000..07cbc0f
--- /dev/null
+++ b/lib/dns/rdata/generic/l32_105.c
@@ -0,0 +1,230 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_L32_105_C
+#define RDATA_GENERIC_L32_105_C
+
+#include <string.h>
+
+#include <isc/net.h>
+
+#define RRTYPE_L32_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_l32(ARGS_FROMTEXT) {
+	isc_token_t token;
+	struct in_addr addr;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_l32);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	if (inet_pton(AF_INET, DNS_AS_STR(token), &addr) != 1) {
+		RETTOK(DNS_R_BADDOTTEDQUAD);
+	}
+	isc_buffer_availableregion(target, &region);
+	if (region.length < 4) {
+		return (ISC_R_NOSPACE);
+	}
+	memmove(region.base, &addr, 4);
+	isc_buffer_add(target, 4);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+totext_l32(ARGS_TOTEXT) {
+	isc_region_t region;
+	char buf[sizeof("65000")];
+	unsigned short num;
+
+	REQUIRE(rdata->type == dns_rdatatype_l32);
+	REQUIRE(rdata->length == 6);
+
+	UNUSED(tctx);
+
+	dns_rdata_toregion(rdata, &region);
+	num = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	snprintf(buf, sizeof(buf), "%u", num);
+	RETERR(str_totext(buf, target));
+
+	RETERR(str_totext(" ", target));
+
+	return (inet_totext(AF_INET, tctx->flags, &region, target));
+}
+
+static isc_result_t
+fromwire_l32(ARGS_FROMWIRE) {
+	isc_region_t sregion;
+
+	REQUIRE(type == dns_rdatatype_l32);
+
+	UNUSED(type);
+	UNUSED(options);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+
+	isc_buffer_activeregion(source, &sregion);
+	if (sregion.length != 6) {
+		return (DNS_R_FORMERR);
+	}
+	isc_buffer_forward(source, sregion.length);
+	return (mem_tobuffer(target, sregion.base, sregion.length));
+}
+
+static isc_result_t
+towire_l32(ARGS_TOWIRE) {
+	REQUIRE(rdata->type == dns_rdatatype_l32);
+	REQUIRE(rdata->length == 6);
+
+	UNUSED(cctx);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static int
+compare_l32(ARGS_COMPARE) {
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_l32);
+	REQUIRE(rdata1->length == 6);
+	REQUIRE(rdata2->length == 6);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+	return (isc_region_compare(&region1, &region2));
+}
+
+static isc_result_t
+fromstruct_l32(ARGS_FROMSTRUCT) {
+	dns_rdata_l32_t *l32 = source;
+	uint32_t n;
+
+	REQUIRE(type == dns_rdatatype_l32);
+	REQUIRE(l32 != NULL);
+	REQUIRE(l32->common.rdtype == type);
+	REQUIRE(l32->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint16_tobuffer(l32->pref, target));
+	n = ntohl(l32->l32.s_addr);
+	return (uint32_tobuffer(n, target));
+}
+
+static isc_result_t
+tostruct_l32(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_l32_t *l32 = target;
+	uint32_t n;
+
+	REQUIRE(rdata->type == dns_rdatatype_l32);
+	REQUIRE(l32 != NULL);
+	REQUIRE(rdata->length == 6);
+
+	UNUSED(mctx);
+
+	l32->common.rdclass = rdata->rdclass;
+	l32->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&l32->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+	l32->pref = uint16_fromregion(&region);
+	n = uint32_fromregion(&region);
+	l32->l32.s_addr = htonl(n);
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_l32(ARGS_FREESTRUCT) {
+	dns_rdata_l32_t *l32 = source;
+
+	REQUIRE(l32 != NULL);
+	REQUIRE(l32->common.rdtype == dns_rdatatype_l32);
+
+	return;
+}
+
+static isc_result_t
+additionaldata_l32(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_l32);
+	REQUIRE(rdata->length == 6);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_l32(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_l32);
+	REQUIRE(rdata->length == 6);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_l32(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_l32);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_l32(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_l32);
+	REQUIRE(rdata->length == 6);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_l32(ARGS_COMPARE) {
+	return (compare_l32(rdata1, rdata2));
+}
+
+#endif /* RDATA_GENERIC_L32_105_C */
diff --git a/lib/dns/rdata/generic/l32_105.h b/lib/dns/rdata/generic/l32_105.h
new file mode 100644
index 0000000..8bf2a5c
--- /dev/null
+++ b/lib/dns/rdata/generic/l32_105.h
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef GENERIC_L32_105_H
+#define GENERIC_L32_105_H 1
+
+typedef struct dns_rdata_l32 {
+	dns_rdatacommon_t common;
+	uint16_t pref;
+	struct in_addr l32;
+} dns_rdata_l32_t;
+
+#endif /* GENERIC_L32_105_H */
diff --git a/lib/dns/rdata/generic/l64_106.c b/lib/dns/rdata/generic/l64_106.c
new file mode 100644
index 0000000..c5daf07
--- /dev/null
+++ b/lib/dns/rdata/generic/l64_106.c
@@ -0,0 +1,224 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_L64_106_C
+#define RDATA_GENERIC_L64_106_C
+
+#include <string.h>
+
+#include <isc/net.h>
+
+#define RRTYPE_L64_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_l64(ARGS_FROMTEXT) {
+	isc_token_t token;
+	unsigned char locator[NS_LOCATORSZ];
+
+	REQUIRE(type == dns_rdatatype_l64);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	if (locator_pton(DNS_AS_STR(token), locator) != 1) {
+		RETTOK(DNS_R_SYNTAX);
+	}
+	return (mem_tobuffer(target, locator, NS_LOCATORSZ));
+}
+
+static isc_result_t
+totext_l64(ARGS_TOTEXT) {
+	isc_region_t region;
+	char buf[sizeof("xxxx:xxxx:xxxx:xxxx")];
+	unsigned short num;
+
+	REQUIRE(rdata->type == dns_rdatatype_l64);
+	REQUIRE(rdata->length == 10);
+
+	UNUSED(tctx);
+
+	dns_rdata_toregion(rdata, &region);
+	num = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	snprintf(buf, sizeof(buf), "%u", num);
+	RETERR(str_totext(buf, target));
+
+	RETERR(str_totext(" ", target));
+
+	snprintf(buf, sizeof(buf), "%x:%x:%x:%x",
+		 region.base[0] << 8 | region.base[1],
+		 region.base[2] << 8 | region.base[3],
+		 region.base[4] << 8 | region.base[5],
+		 region.base[6] << 8 | region.base[7]);
+	return (str_totext(buf, target));
+}
+
+static isc_result_t
+fromwire_l64(ARGS_FROMWIRE) {
+	isc_region_t sregion;
+
+	REQUIRE(type == dns_rdatatype_l64);
+
+	UNUSED(type);
+	UNUSED(options);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+
+	isc_buffer_activeregion(source, &sregion);
+	if (sregion.length != 10) {
+		return (DNS_R_FORMERR);
+	}
+	isc_buffer_forward(source, sregion.length);
+	return (mem_tobuffer(target, sregion.base, sregion.length));
+}
+
+static isc_result_t
+towire_l64(ARGS_TOWIRE) {
+	REQUIRE(rdata->type == dns_rdatatype_l64);
+	REQUIRE(rdata->length == 10);
+
+	UNUSED(cctx);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static int
+compare_l64(ARGS_COMPARE) {
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_l64);
+	REQUIRE(rdata1->length == 10);
+	REQUIRE(rdata2->length == 10);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+	return (isc_region_compare(&region1, &region2));
+}
+
+static isc_result_t
+fromstruct_l64(ARGS_FROMSTRUCT) {
+	dns_rdata_l64_t *l64 = source;
+
+	REQUIRE(type == dns_rdatatype_l64);
+	REQUIRE(l64 != NULL);
+	REQUIRE(l64->common.rdtype == type);
+	REQUIRE(l64->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint16_tobuffer(l64->pref, target));
+	return (mem_tobuffer(target, l64->l64, sizeof(l64->l64)));
+}
+
+static isc_result_t
+tostruct_l64(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_l64_t *l64 = target;
+
+	REQUIRE(rdata->type == dns_rdatatype_l64);
+	REQUIRE(l64 != NULL);
+	REQUIRE(rdata->length == 10);
+
+	UNUSED(mctx);
+
+	l64->common.rdclass = rdata->rdclass;
+	l64->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&l64->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+	l64->pref = uint16_fromregion(&region);
+	memmove(l64->l64, region.base, region.length);
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_l64(ARGS_FREESTRUCT) {
+	dns_rdata_l64_t *l64 = source;
+
+	REQUIRE(l64 != NULL);
+	REQUIRE(l64->common.rdtype == dns_rdatatype_l64);
+
+	return;
+}
+
+static isc_result_t
+additionaldata_l64(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_l64);
+	REQUIRE(rdata->length == 10);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_l64(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_l64);
+	REQUIRE(rdata->length == 10);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_l64(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_l64);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_l64(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_l64);
+	REQUIRE(rdata->length == 10);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_l64(ARGS_COMPARE) {
+	return (compare_l64(rdata1, rdata2));
+}
+
+#endif /* RDATA_GENERIC_L64_106_C */
diff --git a/lib/dns/rdata/generic/l64_106.h b/lib/dns/rdata/generic/l64_106.h
new file mode 100644
index 0000000..314e583
--- /dev/null
+++ b/lib/dns/rdata/generic/l64_106.h
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef GENERIC_L64_106_H
+#define GENERIC_L64_106_H 1
+
+typedef struct dns_rdata_l64 {
+	dns_rdatacommon_t common;
+	uint16_t pref;
+	unsigned char l64[8];
+} dns_rdata_l64_t;
+
+#endif /* GENERIC_L64_106_H */
diff --git a/lib/dns/rdata/generic/loc_29.c b/lib/dns/rdata/generic/loc_29.c
new file mode 100644
index 0000000..f2a08b5
--- /dev/null
+++ b/lib/dns/rdata/generic/loc_29.c
@@ -0,0 +1,838 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC1876 */
+
+#ifndef RDATA_GENERIC_LOC_29_C
+#define RDATA_GENERIC_LOC_29_C
+
+#define RRTYPE_LOC_ATTRIBUTES (0)
+
+static isc_result_t
+loc_getdecimal(const char *str, unsigned long max, size_t precision, char units,
+	       unsigned long *valuep) {
+	bool ok;
+	char *e;
+	size_t i;
+	long tmp;
+	unsigned long value;
+
+	value = strtoul(str, &e, 10);
+	if (*e != 0 && *e != '.' && *e != units) {
+		return (DNS_R_SYNTAX);
+	}
+	if (value > max) {
+		return (ISC_R_RANGE);
+	}
+	ok = e != str;
+	if (*e == '.') {
+		e++;
+		for (i = 0; i < precision; i++) {
+			if (*e == 0 || *e == units) {
+				break;
+			}
+			if ((tmp = decvalue(*e++)) < 0) {
+				return (DNS_R_SYNTAX);
+			}
+			ok = true;
+			value *= 10;
+			value += tmp;
+		}
+		for (; i < precision; i++) {
+			value *= 10;
+		}
+	} else {
+		for (i = 0; i < precision; i++) {
+			value *= 10;
+		}
+	}
+	if (*e != 0 && *e == units) {
+		e++;
+	}
+	if (!ok || *e != 0) {
+		return (DNS_R_SYNTAX);
+	}
+	*valuep = value;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+loc_getprecision(const char *str, unsigned char *valuep) {
+	unsigned long poweroften[8] = { 1,     10,     100,	1000,
+					10000, 100000, 1000000, 10000000 };
+	unsigned long m, cm;
+	bool ok;
+	char *e;
+	size_t i;
+	long tmp;
+	int man;
+	int exp;
+
+	m = strtoul(str, &e, 10);
+	if (*e != 0 && *e != '.' && *e != 'm') {
+		return (DNS_R_SYNTAX);
+	}
+	if (m > 90000000) {
+		return (ISC_R_RANGE);
+	}
+	cm = 0;
+	ok = e != str;
+	if (*e == '.') {
+		e++;
+		for (i = 0; i < 2; i++) {
+			if (*e == 0 || *e == 'm') {
+				break;
+			}
+			if ((tmp = decvalue(*e++)) < 0) {
+				return (DNS_R_SYNTAX);
+			}
+			ok = true;
+			cm *= 10;
+			cm += tmp;
+		}
+		for (; i < 2; i++) {
+			cm *= 10;
+		}
+	}
+	if (*e == 'm') {
+		e++;
+	}
+	if (!ok || *e != 0) {
+		return (DNS_R_SYNTAX);
+	}
+
+	/*
+	 * We don't just multiply out as we will overflow.
+	 */
+	if (m > 0) {
+		for (exp = 0; exp < 7; exp++) {
+			if (m < poweroften[exp + 1]) {
+				break;
+			}
+		}
+		man = m / poweroften[exp];
+		exp += 2;
+	} else if (cm >= 10) {
+		man = cm / 10;
+		exp = 1;
+	} else {
+		man = cm;
+		exp = 0;
+	}
+	*valuep = (man << 4) + exp;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+get_degrees(isc_lex_t *lexer, isc_token_t *token, unsigned long *d) {
+	RETERR(isc_lex_getmastertoken(lexer, token, isc_tokentype_number,
+				      false));
+	*d = token->value.as_ulong;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+check_coordinate(unsigned long d, unsigned long m, unsigned long s,
+		 unsigned long maxd) {
+	if (d > maxd || m > 59U) {
+		return (ISC_R_RANGE);
+	}
+	if (d == maxd && (m != 0 || s != 0)) {
+		return (ISC_R_RANGE);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+get_minutes(isc_lex_t *lexer, isc_token_t *token, unsigned long *m) {
+	RETERR(isc_lex_getmastertoken(lexer, token, isc_tokentype_number,
+				      false));
+
+	*m = token->value.as_ulong;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+get_seconds(isc_lex_t *lexer, isc_token_t *token, unsigned long *s) {
+	RETERR(isc_lex_getmastertoken(lexer, token, isc_tokentype_string,
+				      false));
+	RETERR(loc_getdecimal(DNS_AS_STR(*token), 59, 3, '\0', s));
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+get_direction(isc_lex_t *lexer, isc_token_t *token, const char *directions,
+	      int *direction) {
+	RETERR(isc_lex_getmastertoken(lexer, token, isc_tokentype_string,
+				      false));
+	if (DNS_AS_STR(*token)[0] == directions[1] &&
+	    DNS_AS_STR(*token)[1] == 0)
+	{
+		*direction = DNS_AS_STR(*token)[0];
+		return (ISC_R_SUCCESS);
+	}
+
+	if (DNS_AS_STR(*token)[0] == directions[0] &&
+	    DNS_AS_STR(*token)[1] == 0)
+	{
+		*direction = DNS_AS_STR(*token)[0];
+		return (ISC_R_SUCCESS);
+	}
+
+	*direction = 0;
+	isc_lex_ungettoken(lexer, token);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+loc_getcoordinate(isc_lex_t *lexer, unsigned long *dp, unsigned long *mp,
+		  unsigned long *sp, const char *directions, int *directionp,
+		  unsigned long maxd) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_token_t token;
+	unsigned long d, m, s;
+	int direction = 0;
+
+	m = 0;
+	s = 0;
+
+	/*
+	 * Degrees.
+	 */
+	RETERR(get_degrees(lexer, &token, &d));
+	RETTOK(check_coordinate(d, m, s, maxd));
+
+	/*
+	 * Minutes.
+	 */
+	RETERR(get_direction(lexer, &token, directions, &direction));
+	if (direction > 0) {
+		goto done;
+	}
+
+	RETERR(get_minutes(lexer, &token, &m));
+	RETTOK(check_coordinate(d, m, s, maxd));
+
+	/*
+	 * Seconds.
+	 */
+	RETERR(get_direction(lexer, &token, directions, &direction));
+	if (direction > 0) {
+		goto done;
+	}
+
+	result = get_seconds(lexer, &token, &s);
+	if (result == ISC_R_RANGE || result == DNS_R_SYNTAX) {
+		RETTOK(result);
+	}
+	RETERR(result);
+	RETTOK(check_coordinate(d, m, s, maxd));
+
+	/*
+	 * Direction.
+	 */
+	RETERR(get_direction(lexer, &token, directions, &direction));
+	if (direction == 0) {
+		RETERR(DNS_R_SYNTAX);
+	}
+done:
+
+	*directionp = direction;
+	*dp = d;
+	*mp = m;
+	*sp = s;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+loc_getlatitude(isc_lex_t *lexer, unsigned long *latitude) {
+	unsigned long d1 = 0, m1 = 0, s1 = 0;
+	int direction = 0;
+
+	RETERR(loc_getcoordinate(lexer, &d1, &m1, &s1, "SN", &direction, 90U));
+
+	switch (direction) {
+	case 'N':
+		*latitude = 0x80000000 + (d1 * 3600 + m1 * 60) * 1000 + s1;
+		break;
+	case 'S':
+		*latitude = 0x80000000 - (d1 * 3600 + m1 * 60) * 1000 - s1;
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+loc_getlongitude(isc_lex_t *lexer, unsigned long *longitude) {
+	unsigned long d2 = 0, m2 = 0, s2 = 0;
+	int direction = 0;
+
+	RETERR(loc_getcoordinate(lexer, &d2, &m2, &s2, "WE", &direction, 180U));
+
+	switch (direction) {
+	case 'E':
+		*longitude = 0x80000000 + (d2 * 3600 + m2 * 60) * 1000 + s2;
+		break;
+	case 'W':
+		*longitude = 0x80000000 - (d2 * 3600 + m2 * 60) * 1000 - s2;
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+loc_getaltitude(isc_lex_t *lexer, unsigned long *altitude) {
+	isc_token_t token;
+	unsigned long cm;
+	const char *str;
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	str = DNS_AS_STR(token);
+	if (DNS_AS_STR(token)[0] == '-') {
+		RETTOK(loc_getdecimal(str + 1, 100000, 2, 'm', &cm));
+		if (cm > 10000000UL) {
+			RETTOK(ISC_R_RANGE);
+		}
+		*altitude = 10000000 - cm;
+	} else {
+		RETTOK(loc_getdecimal(str, 42849672, 2, 'm', &cm));
+		if (cm > 4284967295UL) {
+			RETTOK(ISC_R_RANGE);
+		}
+		*altitude = 10000000 + cm;
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+loc_getoptionalprecision(isc_lex_t *lexer, unsigned char *valuep) {
+	isc_token_t token;
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      true));
+	if (token.type == isc_tokentype_eol || token.type == isc_tokentype_eof)
+	{
+		isc_lex_ungettoken(lexer, &token);
+		return (ISC_R_NOMORE);
+	}
+	RETTOK(loc_getprecision(DNS_AS_STR(token), valuep));
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+loc_getsize(isc_lex_t *lexer, unsigned char *sizep) {
+	return (loc_getoptionalprecision(lexer, sizep));
+}
+
+static isc_result_t
+loc_gethorizontalprecision(isc_lex_t *lexer, unsigned char *hpp) {
+	return (loc_getoptionalprecision(lexer, hpp));
+}
+
+static isc_result_t
+loc_getverticalprecision(isc_lex_t *lexer, unsigned char *vpp) {
+	return (loc_getoptionalprecision(lexer, vpp));
+}
+
+/* The LOC record is expressed in a master file in the following format:
+ *
+ * <owner> <TTL> <class> LOC ( d1 [m1 [s1]] {"N"|"S"} d2 [m2 [s2]]
+ *                             {"E"|"W"} alt["m"] [siz["m"] [hp["m"]
+ *                             [vp["m"]]]] )
+ *
+ * (The parentheses are used for multi-line data as specified in [RFC
+ * 1035] section 5.1.)
+ *
+ * where:
+ *
+ *     d1:     [0 .. 90]            (degrees latitude)
+ *     d2:     [0 .. 180]           (degrees longitude)
+ *     m1, m2: [0 .. 59]            (minutes latitude/longitude)
+ *     s1, s2: [0 .. 59.999]        (seconds latitude/longitude)
+ *     alt:    [-100000.00 .. 42849672.95] BY .01 (altitude in meters)
+ *     siz, hp, vp: [0 .. 90000000.00] (size/precision in meters)
+ *
+ * If omitted, minutes and seconds default to zero, size defaults to 1m,
+ * horizontal precision defaults to 10000m, and vertical precision
+ * defaults to 10m.  These defaults are chosen to represent typical
+ * ZIP/postal code area sizes, since it is often easy to find
+ * approximate geographical location by ZIP/postal code.
+ */
+static isc_result_t
+fromtext_loc(ARGS_FROMTEXT) {
+	isc_result_t result = ISC_R_SUCCESS;
+	unsigned long latitude = 0;
+	unsigned long longitude = 0;
+	unsigned long altitude = 0;
+	unsigned char size = 0x12; /* Default: 1.00m */
+	unsigned char hp = 0x16;   /* Default: 10000.00 m */
+	unsigned char vp = 0x13;   /* Default: 10.00 m */
+	unsigned char version = 0;
+
+	REQUIRE(type == dns_rdatatype_loc);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	RETERR(loc_getlatitude(lexer, &latitude));
+	RETERR(loc_getlongitude(lexer, &longitude));
+	RETERR(loc_getaltitude(lexer, &altitude));
+	result = loc_getsize(lexer, &size);
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+		goto encode;
+	}
+	RETERR(result);
+	result = loc_gethorizontalprecision(lexer, &hp);
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+		goto encode;
+	}
+	RETERR(result);
+	result = loc_getverticalprecision(lexer, &vp);
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+		goto encode;
+	}
+	RETERR(result);
+encode:
+	RETERR(mem_tobuffer(target, &version, 1));
+	RETERR(mem_tobuffer(target, &size, 1));
+	RETERR(mem_tobuffer(target, &hp, 1));
+	RETERR(mem_tobuffer(target, &vp, 1));
+
+	RETERR(uint32_tobuffer(latitude, target));
+	RETERR(uint32_tobuffer(longitude, target));
+	RETERR(uint32_tobuffer(altitude, target));
+
+	return (result);
+}
+
+static isc_result_t
+totext_loc(ARGS_TOTEXT) {
+	int d1, m1, s1, fs1;
+	int d2, m2, s2, fs2;
+	unsigned long latitude;
+	unsigned long longitude;
+	unsigned long altitude;
+	bool north;
+	bool east;
+	bool below;
+	isc_region_t sr;
+	char sbuf[sizeof("90000000m")];
+	char hbuf[sizeof("90000000m")];
+	char vbuf[sizeof("90000000m")];
+	/* "89 59 59.999 N 179 59 59.999 E " */
+	/* "-42849672.95m 90000000m 90000000m 90000000m"; */
+	char buf[8 * 6 + 12 * 1 + 2 * 10 + sizeof(sbuf) + sizeof(hbuf) +
+		 sizeof(vbuf)];
+	unsigned char size, hp, vp;
+	unsigned long poweroften[8] = { 1,     10,     100,	1000,
+					10000, 100000, 1000000, 10000000 };
+
+	UNUSED(tctx);
+
+	REQUIRE(rdata->type == dns_rdatatype_loc);
+	REQUIRE(rdata->length != 0);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	if (sr.base[0] != 0) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	REQUIRE(rdata->length == 16);
+
+	size = sr.base[1];
+	INSIST((size & 0x0f) < 10 && (size >> 4) < 10);
+	if ((size & 0x0f) > 1) {
+		snprintf(sbuf, sizeof(sbuf), "%lum",
+			 (size >> 4) * poweroften[(size & 0x0f) - 2]);
+	} else {
+		snprintf(sbuf, sizeof(sbuf), "0.%02lum",
+			 (size >> 4) * poweroften[(size & 0x0f)]);
+	}
+	hp = sr.base[2];
+	INSIST((hp & 0x0f) < 10 && (hp >> 4) < 10);
+	if ((hp & 0x0f) > 1) {
+		snprintf(hbuf, sizeof(hbuf), "%lum",
+			 (hp >> 4) * poweroften[(hp & 0x0f) - 2]);
+	} else {
+		snprintf(hbuf, sizeof(hbuf), "0.%02lum",
+			 (hp >> 4) * poweroften[(hp & 0x0f)]);
+	}
+	vp = sr.base[3];
+	INSIST((vp & 0x0f) < 10 && (vp >> 4) < 10);
+	if ((vp & 0x0f) > 1) {
+		snprintf(vbuf, sizeof(vbuf), "%lum",
+			 (vp >> 4) * poweroften[(vp & 0x0f) - 2]);
+	} else {
+		snprintf(vbuf, sizeof(vbuf), "0.%02lum",
+			 (vp >> 4) * poweroften[(vp & 0x0f)]);
+	}
+	isc_region_consume(&sr, 4);
+
+	latitude = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+	if (latitude >= 0x80000000) {
+		north = true;
+		latitude -= 0x80000000;
+	} else {
+		north = false;
+		latitude = 0x80000000 - latitude;
+	}
+	fs1 = (int)(latitude % 1000);
+	latitude /= 1000;
+	s1 = (int)(latitude % 60);
+	latitude /= 60;
+	m1 = (int)(latitude % 60);
+	latitude /= 60;
+	d1 = (int)latitude;
+	INSIST(latitude <= 90U);
+
+	longitude = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+	if (longitude >= 0x80000000) {
+		east = true;
+		longitude -= 0x80000000;
+	} else {
+		east = false;
+		longitude = 0x80000000 - longitude;
+	}
+	fs2 = (int)(longitude % 1000);
+	longitude /= 1000;
+	s2 = (int)(longitude % 60);
+	longitude /= 60;
+	m2 = (int)(longitude % 60);
+	longitude /= 60;
+	d2 = (int)longitude;
+	INSIST(longitude <= 180U);
+
+	altitude = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+	if (altitude < 10000000U) {
+		below = true;
+		altitude = 10000000 - altitude;
+	} else {
+		below = false;
+		altitude -= 10000000;
+	}
+
+	snprintf(buf, sizeof(buf),
+		 "%d %d %d.%03d %s %d %d %d.%03d %s %s%lu.%02lum %s %s %s", d1,
+		 m1, s1, fs1, north ? "N" : "S", d2, m2, s2, fs2,
+		 east ? "E" : "W", below ? "-" : "", altitude / 100,
+		 altitude % 100, sbuf, hbuf, vbuf);
+
+	return (str_totext(buf, target));
+}
+
+static isc_result_t
+fromwire_loc(ARGS_FROMWIRE) {
+	isc_region_t sr;
+	unsigned char c;
+	unsigned long latitude;
+	unsigned long longitude;
+
+	REQUIRE(type == dns_rdatatype_loc);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+	UNUSED(options);
+
+	isc_buffer_activeregion(source, &sr);
+	if (sr.length < 1) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	if (sr.base[0] != 0) {
+		/* Treat as unknown. */
+		isc_buffer_forward(source, sr.length);
+		return (mem_tobuffer(target, sr.base, sr.length));
+	}
+	if (sr.length < 16) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	/*
+	 * Size.
+	 */
+	c = sr.base[1];
+	if (c != 0) {
+		if ((c & 0xf) > 9 || ((c >> 4) & 0xf) > 9 ||
+		    ((c >> 4) & 0xf) == 0)
+		{
+			return (ISC_R_RANGE);
+
+			/*
+			 * Horizontal precision.
+			 */
+		}
+	}
+
+	/*
+	 * Horizontal precision.
+	 */
+	c = sr.base[2];
+	if (c != 0) {
+		if ((c & 0xf) > 9 || ((c >> 4) & 0xf) > 9 ||
+		    ((c >> 4) & 0xf) == 0)
+		{
+			return (ISC_R_RANGE);
+
+			/*
+			 * Vertical precision.
+			 */
+		}
+	}
+
+	/*
+	 * Vertical precision.
+	 */
+	c = sr.base[3];
+	if (c != 0) {
+		if ((c & 0xf) > 9 || ((c >> 4) & 0xf) > 9 ||
+		    ((c >> 4) & 0xf) == 0)
+		{
+			return (ISC_R_RANGE);
+		}
+	}
+	isc_region_consume(&sr, 4);
+
+	/*
+	 * Latitude.
+	 */
+	latitude = uint32_fromregion(&sr);
+	if (latitude < (0x80000000UL - 90 * 3600000) ||
+	    latitude > (0x80000000UL + 90 * 3600000))
+	{
+		return (ISC_R_RANGE);
+	}
+	isc_region_consume(&sr, 4);
+
+	/*
+	 * Longitude.
+	 */
+	longitude = uint32_fromregion(&sr);
+	if (longitude < (0x80000000UL - 180 * 3600000) ||
+	    longitude > (0x80000000UL + 180 * 3600000))
+	{
+		return (ISC_R_RANGE);
+	}
+
+	/*
+	 * Altitude.
+	 * All values possible.
+	 */
+
+	isc_buffer_activeregion(source, &sr);
+	isc_buffer_forward(source, 16);
+	return (mem_tobuffer(target, sr.base, 16));
+}
+
+static isc_result_t
+towire_loc(ARGS_TOWIRE) {
+	UNUSED(cctx);
+
+	REQUIRE(rdata->type == dns_rdatatype_loc);
+	REQUIRE(rdata->length != 0);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static int
+compare_loc(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_loc);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+fromstruct_loc(ARGS_FROMSTRUCT) {
+	dns_rdata_loc_t *loc = source;
+	uint8_t c;
+
+	REQUIRE(type == dns_rdatatype_loc);
+	REQUIRE(loc != NULL);
+	REQUIRE(loc->common.rdtype == type);
+	REQUIRE(loc->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	if (loc->v.v0.version != 0) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+	RETERR(uint8_tobuffer(loc->v.v0.version, target));
+
+	c = loc->v.v0.size;
+	if ((c & 0xf) > 9 || ((c >> 4) & 0xf) > 9 || ((c >> 4) & 0xf) == 0) {
+		return (ISC_R_RANGE);
+	}
+	RETERR(uint8_tobuffer(loc->v.v0.size, target));
+
+	c = loc->v.v0.horizontal;
+	if ((c & 0xf) > 9 || ((c >> 4) & 0xf) > 9 || ((c >> 4) & 0xf) == 0) {
+		return (ISC_R_RANGE);
+	}
+	RETERR(uint8_tobuffer(loc->v.v0.horizontal, target));
+
+	c = loc->v.v0.vertical;
+	if ((c & 0xf) > 9 || ((c >> 4) & 0xf) > 9 || ((c >> 4) & 0xf) == 0) {
+		return (ISC_R_RANGE);
+	}
+	RETERR(uint8_tobuffer(loc->v.v0.vertical, target));
+
+	if (loc->v.v0.latitude < (0x80000000UL - 90 * 3600000) ||
+	    loc->v.v0.latitude > (0x80000000UL + 90 * 3600000))
+	{
+		return (ISC_R_RANGE);
+	}
+	RETERR(uint32_tobuffer(loc->v.v0.latitude, target));
+
+	if (loc->v.v0.longitude < (0x80000000UL - 180 * 3600000) ||
+	    loc->v.v0.longitude > (0x80000000UL + 180 * 3600000))
+	{
+		return (ISC_R_RANGE);
+	}
+	RETERR(uint32_tobuffer(loc->v.v0.longitude, target));
+	return (uint32_tobuffer(loc->v.v0.altitude, target));
+}
+
+static isc_result_t
+tostruct_loc(ARGS_TOSTRUCT) {
+	dns_rdata_loc_t *loc = target;
+	isc_region_t r;
+	uint8_t version;
+
+	REQUIRE(rdata->type == dns_rdatatype_loc);
+	REQUIRE(loc != NULL);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(mctx);
+
+	dns_rdata_toregion(rdata, &r);
+	version = uint8_fromregion(&r);
+	if (version != 0) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	loc->common.rdclass = rdata->rdclass;
+	loc->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&loc->common, link);
+
+	loc->v.v0.version = version;
+	isc_region_consume(&r, 1);
+	loc->v.v0.size = uint8_fromregion(&r);
+	isc_region_consume(&r, 1);
+	loc->v.v0.horizontal = uint8_fromregion(&r);
+	isc_region_consume(&r, 1);
+	loc->v.v0.vertical = uint8_fromregion(&r);
+	isc_region_consume(&r, 1);
+	loc->v.v0.latitude = uint32_fromregion(&r);
+	isc_region_consume(&r, 4);
+	loc->v.v0.longitude = uint32_fromregion(&r);
+	isc_region_consume(&r, 4);
+	loc->v.v0.altitude = uint32_fromregion(&r);
+	isc_region_consume(&r, 4);
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_loc(ARGS_FREESTRUCT) {
+	dns_rdata_loc_t *loc = source;
+
+	REQUIRE(loc != NULL);
+	REQUIRE(loc->common.rdtype == dns_rdatatype_loc);
+
+	UNUSED(source);
+	UNUSED(loc);
+}
+
+static isc_result_t
+additionaldata_loc(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_loc);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_loc(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_loc);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_loc(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_loc);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_loc(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_loc);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_loc(ARGS_COMPARE) {
+	return (compare_loc(rdata1, rdata2));
+}
+
+#endif /* RDATA_GENERIC_LOC_29_C */
diff --git a/lib/dns/rdata/generic/loc_29.h b/lib/dns/rdata/generic/loc_29.h
new file mode 100644
index 0000000..c523785
--- /dev/null
+++ b/lib/dns/rdata/generic/loc_29.h
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_LOC_29_H
+#define GENERIC_LOC_29_H 1
+
+/*!
+ * \brief Per RFC1876 */
+
+typedef struct dns_rdata_loc_0 {
+	uint8_t version; /* must be first and zero */
+	uint8_t size;
+	uint8_t horizontal;
+	uint8_t vertical;
+	uint32_t latitude;
+	uint32_t longitude;
+	uint32_t altitude;
+} dns_rdata_loc_0_t;
+
+typedef struct dns_rdata_loc {
+	dns_rdatacommon_t common;
+	union {
+		dns_rdata_loc_0_t v0;
+	} v;
+} dns_rdata_loc_t;
+
+#endif /* GENERIC_LOC_29_H */
diff --git a/lib/dns/rdata/generic/lp_107.c b/lib/dns/rdata/generic/lp_107.c
new file mode 100644
index 0000000..50b2e29
--- /dev/null
+++ b/lib/dns/rdata/generic/lp_107.c
@@ -0,0 +1,276 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_LP_107_C
+#define RDATA_GENERIC_LP_107_C
+
+#include <string.h>
+
+#include <isc/net.h>
+
+#define RRTYPE_LP_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_lp(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+
+	REQUIRE(type == dns_rdatatype_lp);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL) {
+		origin = dns_rootname;
+	}
+	return (dns_name_fromtext(&name, &buffer, origin, options, target));
+}
+
+static isc_result_t
+totext_lp(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+	char buf[sizeof("64000")];
+	unsigned short num;
+
+	REQUIRE(rdata->type == dns_rdatatype_lp);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+
+	dns_rdata_toregion(rdata, &region);
+	num = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	snprintf(buf, sizeof(buf), "%u", num);
+	RETERR(str_totext(buf, target));
+
+	RETERR(str_totext(" ", target));
+
+	dns_name_fromregion(&name, &region);
+	sub = name_prefix(&name, tctx->origin, &prefix);
+	return (dns_name_totext(&prefix, sub, target));
+}
+
+static isc_result_t
+fromwire_lp(ARGS_FROMWIRE) {
+	dns_name_t name;
+	isc_region_t sregion;
+
+	REQUIRE(type == dns_rdatatype_lp);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&name, NULL);
+
+	isc_buffer_activeregion(source, &sregion);
+	if (sregion.length < 2) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	RETERR(mem_tobuffer(target, sregion.base, 2));
+	isc_buffer_forward(source, 2);
+	return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static isc_result_t
+towire_lp(ARGS_TOWIRE) {
+	REQUIRE(rdata->type == dns_rdatatype_lp);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static int
+compare_lp(ARGS_COMPARE) {
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_lp);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	return (isc_region_compare(&region1, &region2));
+}
+
+static isc_result_t
+fromstruct_lp(ARGS_FROMSTRUCT) {
+	dns_rdata_lp_t *lp = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_lp);
+	REQUIRE(lp != NULL);
+	REQUIRE(lp->common.rdtype == type);
+	REQUIRE(lp->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint16_tobuffer(lp->pref, target));
+	dns_name_toregion(&lp->lp, &region);
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static isc_result_t
+tostruct_lp(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_lp_t *lp = target;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_lp);
+	REQUIRE(lp != NULL);
+	REQUIRE(rdata->length != 0);
+
+	lp->common.rdclass = rdata->rdclass;
+	lp->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&lp->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	lp->pref = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&lp->lp, NULL);
+	RETERR(name_duporclone(&name, mctx, &lp->lp));
+	lp->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_lp(ARGS_FREESTRUCT) {
+	dns_rdata_lp_t *lp = source;
+
+	REQUIRE(lp != NULL);
+	REQUIRE(lp->common.rdtype == dns_rdatatype_lp);
+
+	if (lp->mctx == NULL) {
+		return;
+	}
+
+	dns_name_free(&lp->lp, lp->mctx);
+	lp->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_lp(ARGS_ADDLDATA) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+	isc_result_t result;
+
+	REQUIRE(rdata->type == dns_rdatatype_lp);
+
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &region);
+	isc_region_consume(&region, 2);
+	dns_name_fromregion(&name, &region);
+
+	result = (add)(arg, &name, dns_rdatatype_l32);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	return ((add)(arg, &name, dns_rdatatype_l64));
+}
+
+static isc_result_t
+digest_lp(ARGS_DIGEST) {
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_lp);
+
+	dns_rdata_toregion(rdata, &region);
+	return ((digest)(arg, &region));
+}
+
+static bool
+checkowner_lp(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_lp);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(name);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_lp(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_lp);
+
+	UNUSED(bad);
+	UNUSED(owner);
+
+	return (true);
+}
+
+static int
+casecompare_lp(ARGS_COMPARE) {
+	dns_name_t name1;
+	dns_name_t name2;
+	isc_region_t region1;
+	isc_region_t region2;
+	int order;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_lp);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	order = memcmp(rdata1->data, rdata2->data, 2);
+	if (order != 0) {
+		return (order < 0 ? -1 : 1);
+	}
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	isc_region_consume(&region1, 2);
+	isc_region_consume(&region2, 2);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	return (dns_name_rdatacompare(&name1, &name2));
+}
+
+#endif /* RDATA_GENERIC_LP_107_C */
diff --git a/lib/dns/rdata/generic/lp_107.h b/lib/dns/rdata/generic/lp_107.h
new file mode 100644
index 0000000..71cd196
--- /dev/null
+++ b/lib/dns/rdata/generic/lp_107.h
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef GENERIC_LP_107_H
+#define GENERIC_LP_107_H 1
+
+typedef struct dns_rdata_lp {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	uint16_t pref;
+	dns_name_t lp;
+} dns_rdata_lp_t;
+
+#endif /* GENERIC_LP_107_H */
diff --git a/lib/dns/rdata/generic/mb_7.c b/lib/dns/rdata/generic/mb_7.c
new file mode 100644
index 0000000..a3923eb
--- /dev/null
+++ b/lib/dns/rdata/generic/mb_7.c
@@ -0,0 +1,232 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_MB_7_C
+#define RDATA_GENERIC_MB_7_C
+
+#define RRTYPE_MB_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_mb(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+
+	REQUIRE(type == dns_rdatatype_mb);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL) {
+		origin = dns_rootname;
+	}
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+totext_mb(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+
+	REQUIRE(rdata->type == dns_rdatatype_mb);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	sub = name_prefix(&name, tctx->origin, &prefix);
+
+	return (dns_name_totext(&prefix, sub, target));
+}
+
+static isc_result_t
+fromwire_mb(ARGS_FROMWIRE) {
+	dns_name_t name;
+
+	REQUIRE(type == dns_rdatatype_mb);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&name, NULL);
+	return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static isc_result_t
+towire_mb(ARGS_TOWIRE) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_mb);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	return (dns_name_towire(&name, cctx, target));
+}
+
+static int
+compare_mb(ARGS_COMPARE) {
+	dns_name_t name1;
+	dns_name_t name2;
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_mb);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static isc_result_t
+fromstruct_mb(ARGS_FROMSTRUCT) {
+	dns_rdata_mb_t *mb = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_mb);
+	REQUIRE(mb != NULL);
+	REQUIRE(mb->common.rdtype == type);
+	REQUIRE(mb->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_name_toregion(&mb->mb, &region);
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static isc_result_t
+tostruct_mb(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_mb_t *mb = target;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_mb);
+	REQUIRE(mb != NULL);
+	REQUIRE(rdata->length != 0);
+
+	mb->common.rdclass = rdata->rdclass;
+	mb->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&mb->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&mb->mb, NULL);
+	RETERR(name_duporclone(&name, mctx, &mb->mb));
+	mb->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_mb(ARGS_FREESTRUCT) {
+	dns_rdata_mb_t *mb = source;
+
+	REQUIRE(mb != NULL);
+
+	if (mb->mctx == NULL) {
+		return;
+	}
+
+	dns_name_free(&mb->mb, mb->mctx);
+	mb->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_mb(ARGS_ADDLDATA) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_mb);
+
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	return ((add)(arg, &name, dns_rdatatype_a));
+}
+
+static isc_result_t
+digest_mb(ARGS_DIGEST) {
+	isc_region_t r;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_mb);
+
+	dns_rdata_toregion(rdata, &r);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r);
+
+	return (dns_name_digest(&name, digest, arg));
+}
+
+static bool
+checkowner_mb(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_mb);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (dns_name_ismailbox(name));
+}
+
+static bool
+checknames_mb(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_mb);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_mb(ARGS_COMPARE) {
+	return (compare_mb(rdata1, rdata2));
+}
+
+#endif /* RDATA_GENERIC_MB_7_C */
diff --git a/lib/dns/rdata/generic/mb_7.h b/lib/dns/rdata/generic/mb_7.h
new file mode 100644
index 0000000..ae7e2e2
--- /dev/null
+++ b/lib/dns/rdata/generic/mb_7.h
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef GENERIC_MB_7_H
+#define GENERIC_MB_7_H 1
+
+typedef struct dns_rdata_mb {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	dns_name_t mb;
+} dns_rdata_mb_t;
+
+#endif /* GENERIC_MB_7_H */
diff --git a/lib/dns/rdata/generic/md_3.c b/lib/dns/rdata/generic/md_3.c
new file mode 100644
index 0000000..9e2b778
--- /dev/null
+++ b/lib/dns/rdata/generic/md_3.c
@@ -0,0 +1,234 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_MD_3_C
+#define RDATA_GENERIC_MD_3_C
+
+#define RRTYPE_MD_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_md(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+
+	REQUIRE(type == dns_rdatatype_md);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL) {
+		origin = dns_rootname;
+	}
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+totext_md(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+
+	REQUIRE(rdata->type == dns_rdatatype_md);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	sub = name_prefix(&name, tctx->origin, &prefix);
+
+	return (dns_name_totext(&prefix, sub, target));
+}
+
+static isc_result_t
+fromwire_md(ARGS_FROMWIRE) {
+	dns_name_t name;
+
+	REQUIRE(type == dns_rdatatype_md);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&name, NULL);
+	return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static isc_result_t
+towire_md(ARGS_TOWIRE) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_md);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	return (dns_name_towire(&name, cctx, target));
+}
+
+static int
+compare_md(ARGS_COMPARE) {
+	dns_name_t name1;
+	dns_name_t name2;
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_md);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static isc_result_t
+fromstruct_md(ARGS_FROMSTRUCT) {
+	dns_rdata_md_t *md = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_md);
+	REQUIRE(md != NULL);
+	REQUIRE(md->common.rdtype == type);
+	REQUIRE(md->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_name_toregion(&md->md, &region);
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static isc_result_t
+tostruct_md(ARGS_TOSTRUCT) {
+	dns_rdata_md_t *md = target;
+	isc_region_t r;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_md);
+	REQUIRE(md != NULL);
+	REQUIRE(rdata->length != 0);
+
+	md->common.rdclass = rdata->rdclass;
+	md->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&md->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &r);
+	dns_name_fromregion(&name, &r);
+	dns_name_init(&md->md, NULL);
+	RETERR(name_duporclone(&name, mctx, &md->md));
+	md->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_md(ARGS_FREESTRUCT) {
+	dns_rdata_md_t *md = source;
+
+	REQUIRE(md != NULL);
+	REQUIRE(md->common.rdtype == dns_rdatatype_md);
+
+	if (md->mctx == NULL) {
+		return;
+	}
+
+	dns_name_free(&md->md, md->mctx);
+	md->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_md(ARGS_ADDLDATA) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_md);
+
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	return ((add)(arg, &name, dns_rdatatype_a));
+}
+
+static isc_result_t
+digest_md(ARGS_DIGEST) {
+	isc_region_t r;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_md);
+
+	dns_rdata_toregion(rdata, &r);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r);
+
+	return (dns_name_digest(&name, digest, arg));
+}
+
+static bool
+checkowner_md(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_md);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_md(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_md);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_md(ARGS_COMPARE) {
+	return (compare_md(rdata1, rdata2));
+}
+
+#endif /* RDATA_GENERIC_MD_3_C */
diff --git a/lib/dns/rdata/generic/md_3.h b/lib/dns/rdata/generic/md_3.h
new file mode 100644
index 0000000..643bd03
--- /dev/null
+++ b/lib/dns/rdata/generic/md_3.h
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef GENERIC_MD_3_H
+#define GENERIC_MD_3_H 1
+
+typedef struct dns_rdata_md {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	dns_name_t md;
+} dns_rdata_md_t;
+
+#endif /* GENERIC_MD_3_H */
diff --git a/lib/dns/rdata/generic/mf_4.c b/lib/dns/rdata/generic/mf_4.c
new file mode 100644
index 0000000..30ea010
--- /dev/null
+++ b/lib/dns/rdata/generic/mf_4.c
@@ -0,0 +1,233 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_MF_4_C
+#define RDATA_GENERIC_MF_4_C
+
+#define RRTYPE_MF_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_mf(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+
+	REQUIRE(type == dns_rdatatype_mf);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL) {
+		origin = dns_rootname;
+	}
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+totext_mf(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+
+	REQUIRE(rdata->type == dns_rdatatype_mf);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	sub = name_prefix(&name, tctx->origin, &prefix);
+
+	return (dns_name_totext(&prefix, sub, target));
+}
+
+static isc_result_t
+fromwire_mf(ARGS_FROMWIRE) {
+	dns_name_t name;
+
+	REQUIRE(type == dns_rdatatype_mf);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&name, NULL);
+	return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static isc_result_t
+towire_mf(ARGS_TOWIRE) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_mf);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	return (dns_name_towire(&name, cctx, target));
+}
+
+static int
+compare_mf(ARGS_COMPARE) {
+	dns_name_t name1;
+	dns_name_t name2;
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_mf);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static isc_result_t
+fromstruct_mf(ARGS_FROMSTRUCT) {
+	dns_rdata_mf_t *mf = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_mf);
+	REQUIRE(mf != NULL);
+	REQUIRE(mf->common.rdtype == type);
+	REQUIRE(mf->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_name_toregion(&mf->mf, &region);
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static isc_result_t
+tostruct_mf(ARGS_TOSTRUCT) {
+	dns_rdata_mf_t *mf = target;
+	isc_region_t r;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_mf);
+	REQUIRE(mf != NULL);
+	REQUIRE(rdata->length != 0);
+
+	mf->common.rdclass = rdata->rdclass;
+	mf->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&mf->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &r);
+	dns_name_fromregion(&name, &r);
+	dns_name_init(&mf->mf, NULL);
+	RETERR(name_duporclone(&name, mctx, &mf->mf));
+	mf->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_mf(ARGS_FREESTRUCT) {
+	dns_rdata_mf_t *mf = source;
+
+	REQUIRE(mf != NULL);
+	REQUIRE(mf->common.rdtype == dns_rdatatype_mf);
+
+	if (mf->mctx == NULL) {
+		return;
+	}
+	dns_name_free(&mf->mf, mf->mctx);
+	mf->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_mf(ARGS_ADDLDATA) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_mf);
+
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	return ((add)(arg, &name, dns_rdatatype_a));
+}
+
+static isc_result_t
+digest_mf(ARGS_DIGEST) {
+	isc_region_t r;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_mf);
+
+	dns_rdata_toregion(rdata, &r);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r);
+
+	return (dns_name_digest(&name, digest, arg));
+}
+
+static bool
+checkowner_mf(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_mf);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_mf(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_mf);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_mf(ARGS_COMPARE) {
+	return (compare_mf(rdata1, rdata2));
+}
+
+#endif /* RDATA_GENERIC_MF_4_C */
diff --git a/lib/dns/rdata/generic/mf_4.h b/lib/dns/rdata/generic/mf_4.h
new file mode 100644
index 0000000..6a4b514
--- /dev/null
+++ b/lib/dns/rdata/generic/mf_4.h
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef GENERIC_MF_4_H
+#define GENERIC_MF_4_H 1
+
+typedef struct dns_rdata_mf {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	dns_name_t mf;
+} dns_rdata_mf_t;
+
+#endif /* GENERIC_MF_4_H */
diff --git a/lib/dns/rdata/generic/mg_8.c b/lib/dns/rdata/generic/mg_8.c
new file mode 100644
index 0000000..183e428
--- /dev/null
+++ b/lib/dns/rdata/generic/mg_8.c
@@ -0,0 +1,228 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_MG_8_C
+#define RDATA_GENERIC_MG_8_C
+
+#define RRTYPE_MG_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_mg(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+
+	REQUIRE(type == dns_rdatatype_mg);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL) {
+		origin = dns_rootname;
+	}
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+totext_mg(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+
+	REQUIRE(rdata->type == dns_rdatatype_mg);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	sub = name_prefix(&name, tctx->origin, &prefix);
+
+	return (dns_name_totext(&prefix, sub, target));
+}
+
+static isc_result_t
+fromwire_mg(ARGS_FROMWIRE) {
+	dns_name_t name;
+
+	REQUIRE(type == dns_rdatatype_mg);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&name, NULL);
+	return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static isc_result_t
+towire_mg(ARGS_TOWIRE) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_mg);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	return (dns_name_towire(&name, cctx, target));
+}
+
+static int
+compare_mg(ARGS_COMPARE) {
+	dns_name_t name1;
+	dns_name_t name2;
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_mg);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static isc_result_t
+fromstruct_mg(ARGS_FROMSTRUCT) {
+	dns_rdata_mg_t *mg = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_mg);
+	REQUIRE(mg != NULL);
+	REQUIRE(mg->common.rdtype == type);
+	REQUIRE(mg->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_name_toregion(&mg->mg, &region);
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static isc_result_t
+tostruct_mg(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_mg_t *mg = target;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_mg);
+	REQUIRE(mg != NULL);
+	REQUIRE(rdata->length != 0);
+
+	mg->common.rdclass = rdata->rdclass;
+	mg->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&mg->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&mg->mg, NULL);
+	RETERR(name_duporclone(&name, mctx, &mg->mg));
+	mg->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_mg(ARGS_FREESTRUCT) {
+	dns_rdata_mg_t *mg = source;
+
+	REQUIRE(mg != NULL);
+	REQUIRE(mg->common.rdtype == dns_rdatatype_mg);
+
+	if (mg->mctx == NULL) {
+		return;
+	}
+	dns_name_free(&mg->mg, mg->mctx);
+	mg->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_mg(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_mg);
+
+	UNUSED(add);
+	UNUSED(arg);
+	UNUSED(rdata);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_mg(ARGS_DIGEST) {
+	isc_region_t r;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_mg);
+
+	dns_rdata_toregion(rdata, &r);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r);
+
+	return (dns_name_digest(&name, digest, arg));
+}
+
+static bool
+checkowner_mg(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_mg);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (dns_name_ismailbox(name));
+}
+
+static bool
+checknames_mg(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_mg);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_mg(ARGS_COMPARE) {
+	return (compare_mg(rdata1, rdata2));
+}
+
+#endif /* RDATA_GENERIC_MG_8_C */
diff --git a/lib/dns/rdata/generic/mg_8.h b/lib/dns/rdata/generic/mg_8.h
new file mode 100644
index 0000000..815b46a
--- /dev/null
+++ b/lib/dns/rdata/generic/mg_8.h
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef GENERIC_MG_8_H
+#define GENERIC_MG_8_H 1
+
+typedef struct dns_rdata_mg {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	dns_name_t mg;
+} dns_rdata_mg_t;
+
+#endif /* GENERIC_MG_8_H */
diff --git a/lib/dns/rdata/generic/minfo_14.c b/lib/dns/rdata/generic/minfo_14.c
new file mode 100644
index 0000000..e396cff
--- /dev/null
+++ b/lib/dns/rdata/generic/minfo_14.c
@@ -0,0 +1,332 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_MINFO_14_C
+#define RDATA_GENERIC_MINFO_14_C
+
+#define RRTYPE_MINFO_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_minfo(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+	int i;
+	bool ok;
+
+	REQUIRE(type == dns_rdatatype_minfo);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	if (origin == NULL) {
+		origin = dns_rootname;
+	}
+
+	for (i = 0; i < 2; i++) {
+		RETERR(isc_lex_getmastertoken(lexer, &token,
+					      isc_tokentype_string, false));
+		dns_name_init(&name, NULL);
+		buffer_fromregion(&buffer, &token.value.as_region);
+		RETTOK(dns_name_fromtext(&name, &buffer, origin, options,
+					 target));
+		ok = true;
+		if ((options & DNS_RDATA_CHECKNAMES) != 0) {
+			ok = dns_name_ismailbox(&name);
+		}
+		if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0) {
+			RETTOK(DNS_R_BADNAME);
+		}
+		if (!ok && callbacks != NULL) {
+			warn_badname(&name, lexer, callbacks);
+		}
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+totext_minfo(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t rmail;
+	dns_name_t email;
+	dns_name_t prefix;
+	bool sub;
+
+	REQUIRE(rdata->type == dns_rdatatype_minfo);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&rmail, NULL);
+	dns_name_init(&email, NULL);
+	dns_name_init(&prefix, NULL);
+
+	dns_rdata_toregion(rdata, &region);
+
+	dns_name_fromregion(&rmail, &region);
+	isc_region_consume(&region, rmail.length);
+
+	dns_name_fromregion(&email, &region);
+	isc_region_consume(&region, email.length);
+
+	sub = name_prefix(&rmail, tctx->origin, &prefix);
+
+	RETERR(dns_name_totext(&prefix, sub, target));
+
+	RETERR(str_totext(" ", target));
+
+	sub = name_prefix(&email, tctx->origin, &prefix);
+	return (dns_name_totext(&prefix, sub, target));
+}
+
+static isc_result_t
+fromwire_minfo(ARGS_FROMWIRE) {
+	dns_name_t rmail;
+	dns_name_t email;
+
+	REQUIRE(type == dns_rdatatype_minfo);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&rmail, NULL);
+	dns_name_init(&email, NULL);
+
+	RETERR(dns_name_fromwire(&rmail, source, dctx, options, target));
+	return (dns_name_fromwire(&email, source, dctx, options, target));
+}
+
+static isc_result_t
+towire_minfo(ARGS_TOWIRE) {
+	isc_region_t region;
+	dns_name_t rmail;
+	dns_name_t email;
+	dns_offsets_t roffsets;
+	dns_offsets_t eoffsets;
+
+	REQUIRE(rdata->type == dns_rdatatype_minfo);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&rmail, roffsets);
+	dns_name_init(&email, eoffsets);
+
+	dns_rdata_toregion(rdata, &region);
+
+	dns_name_fromregion(&rmail, &region);
+	isc_region_consume(&region, name_length(&rmail));
+
+	RETERR(dns_name_towire(&rmail, cctx, target));
+
+	dns_name_fromregion(&rmail, &region);
+	isc_region_consume(&region, rmail.length);
+
+	return (dns_name_towire(&rmail, cctx, target));
+}
+
+static int
+compare_minfo(ARGS_COMPARE) {
+	isc_region_t region1;
+	isc_region_t region2;
+	dns_name_t name1;
+	dns_name_t name2;
+	int order;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_minfo);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	order = dns_name_rdatacompare(&name1, &name2);
+	if (order != 0) {
+		return (order);
+	}
+
+	isc_region_consume(&region1, name_length(&name1));
+	isc_region_consume(&region2, name_length(&name2));
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	order = dns_name_rdatacompare(&name1, &name2);
+	return (order);
+}
+
+static isc_result_t
+fromstruct_minfo(ARGS_FROMSTRUCT) {
+	dns_rdata_minfo_t *minfo = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_minfo);
+	REQUIRE(minfo != NULL);
+	REQUIRE(minfo->common.rdtype == type);
+	REQUIRE(minfo->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_name_toregion(&minfo->rmailbox, &region);
+	RETERR(isc_buffer_copyregion(target, &region));
+	dns_name_toregion(&minfo->emailbox, &region);
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static isc_result_t
+tostruct_minfo(ARGS_TOSTRUCT) {
+	dns_rdata_minfo_t *minfo = target;
+	isc_region_t region;
+	dns_name_t name;
+	isc_result_t result;
+
+	REQUIRE(rdata->type == dns_rdatatype_minfo);
+	REQUIRE(minfo != NULL);
+	REQUIRE(rdata->length != 0);
+
+	minfo->common.rdclass = rdata->rdclass;
+	minfo->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&minfo->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&minfo->rmailbox, NULL);
+	RETERR(name_duporclone(&name, mctx, &minfo->rmailbox));
+	isc_region_consume(&region, name_length(&name));
+
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&minfo->emailbox, NULL);
+	result = name_duporclone(&name, mctx, &minfo->emailbox);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	minfo->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	if (mctx != NULL) {
+		dns_name_free(&minfo->rmailbox, mctx);
+	}
+	return (ISC_R_NOMEMORY);
+}
+
+static void
+freestruct_minfo(ARGS_FREESTRUCT) {
+	dns_rdata_minfo_t *minfo = source;
+
+	REQUIRE(minfo != NULL);
+	REQUIRE(minfo->common.rdtype == dns_rdatatype_minfo);
+
+	if (minfo->mctx == NULL) {
+		return;
+	}
+
+	dns_name_free(&minfo->rmailbox, minfo->mctx);
+	dns_name_free(&minfo->emailbox, minfo->mctx);
+	minfo->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_minfo(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_minfo);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_minfo(ARGS_DIGEST) {
+	isc_region_t r;
+	dns_name_t name;
+	isc_result_t result;
+
+	REQUIRE(rdata->type == dns_rdatatype_minfo);
+
+	dns_rdata_toregion(rdata, &r);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r);
+	result = dns_name_digest(&name, digest, arg);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	isc_region_consume(&r, name_length(&name));
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r);
+
+	return (dns_name_digest(&name, digest, arg));
+}
+
+static bool
+checkowner_minfo(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_minfo);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_minfo(ARGS_CHECKNAMES) {
+	isc_region_t region;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_minfo);
+
+	UNUSED(owner);
+
+	dns_rdata_toregion(rdata, &region);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+	if (!dns_name_ismailbox(&name)) {
+		if (bad != NULL) {
+			dns_name_clone(&name, bad);
+		}
+		return (false);
+	}
+	isc_region_consume(&region, name_length(&name));
+	dns_name_fromregion(&name, &region);
+	if (!dns_name_ismailbox(&name)) {
+		if (bad != NULL) {
+			dns_name_clone(&name, bad);
+		}
+		return (false);
+	}
+	return (true);
+}
+
+static int
+casecompare_minfo(ARGS_COMPARE) {
+	return (compare_minfo(rdata1, rdata2));
+}
+
+#endif /* RDATA_GENERIC_MINFO_14_C */
diff --git a/lib/dns/rdata/generic/minfo_14.h b/lib/dns/rdata/generic/minfo_14.h
new file mode 100644
index 0000000..f2017e6
--- /dev/null
+++ b/lib/dns/rdata/generic/minfo_14.h
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef GENERIC_MINFO_14_H
+#define GENERIC_MINFO_14_H 1
+
+typedef struct dns_rdata_minfo {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	dns_name_t rmailbox;
+	dns_name_t emailbox;
+} dns_rdata_minfo_t;
+
+#endif /* GENERIC_MINFO_14_H */
diff --git a/lib/dns/rdata/generic/mr_9.c b/lib/dns/rdata/generic/mr_9.c
new file mode 100644
index 0000000..aff5da3
--- /dev/null
+++ b/lib/dns/rdata/generic/mr_9.c
@@ -0,0 +1,229 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_MR_9_C
+#define RDATA_GENERIC_MR_9_C
+
+#define RRTYPE_MR_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_mr(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+
+	REQUIRE(type == dns_rdatatype_mr);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL) {
+		origin = dns_rootname;
+	}
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+totext_mr(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+
+	REQUIRE(rdata->type == dns_rdatatype_mr);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	sub = name_prefix(&name, tctx->origin, &prefix);
+
+	return (dns_name_totext(&prefix, sub, target));
+}
+
+static isc_result_t
+fromwire_mr(ARGS_FROMWIRE) {
+	dns_name_t name;
+
+	REQUIRE(type == dns_rdatatype_mr);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&name, NULL);
+	return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static isc_result_t
+towire_mr(ARGS_TOWIRE) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_mr);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	return (dns_name_towire(&name, cctx, target));
+}
+
+static int
+compare_mr(ARGS_COMPARE) {
+	dns_name_t name1;
+	dns_name_t name2;
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_mr);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static isc_result_t
+fromstruct_mr(ARGS_FROMSTRUCT) {
+	dns_rdata_mr_t *mr = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_mr);
+	REQUIRE(mr != NULL);
+	REQUIRE(mr->common.rdtype == type);
+	REQUIRE(mr->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_name_toregion(&mr->mr, &region);
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static isc_result_t
+tostruct_mr(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_mr_t *mr = target;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_mr);
+	REQUIRE(mr != NULL);
+	REQUIRE(rdata->length != 0);
+
+	mr->common.rdclass = rdata->rdclass;
+	mr->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&mr->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&mr->mr, NULL);
+	RETERR(name_duporclone(&name, mctx, &mr->mr));
+	mr->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_mr(ARGS_FREESTRUCT) {
+	dns_rdata_mr_t *mr = source;
+
+	REQUIRE(mr != NULL);
+	REQUIRE(mr->common.rdtype == dns_rdatatype_mr);
+
+	if (mr->mctx == NULL) {
+		return;
+	}
+	dns_name_free(&mr->mr, mr->mctx);
+	mr->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_mr(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_mr);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_mr(ARGS_DIGEST) {
+	isc_region_t r;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_mr);
+
+	dns_rdata_toregion(rdata, &r);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r);
+
+	return (dns_name_digest(&name, digest, arg));
+}
+
+static bool
+checkowner_mr(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_mr);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_mr(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_mr);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_mr(ARGS_COMPARE) {
+	return (compare_mr(rdata1, rdata2));
+}
+
+#endif /* RDATA_GENERIC_MR_9_C */
diff --git a/lib/dns/rdata/generic/mr_9.h b/lib/dns/rdata/generic/mr_9.h
new file mode 100644
index 0000000..6855933
--- /dev/null
+++ b/lib/dns/rdata/generic/mr_9.h
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef GENERIC_MR_9_H
+#define GENERIC_MR_9_H 1
+
+typedef struct dns_rdata_mr {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	dns_name_t mr;
+} dns_rdata_mr_t;
+
+#endif /* GENERIC_MR_9_H */
diff --git a/lib/dns/rdata/generic/mx_15.c b/lib/dns/rdata/generic/mx_15.c
new file mode 100644
index 0000000..ff6637c
--- /dev/null
+++ b/lib/dns/rdata/generic/mx_15.c
@@ -0,0 +1,356 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_MX_15_C
+#define RDATA_GENERIC_MX_15_C
+
+#include <string.h>
+
+#include <isc/net.h>
+
+#include <dns/fixedname.h>
+
+#define RRTYPE_MX_ATTRIBUTES (0)
+
+static bool
+check_mx(isc_token_t *token) {
+	char tmp[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:123.123.123.123.")];
+	struct in_addr addr;
+	struct in6_addr addr6;
+
+	if (strlcpy(tmp, DNS_AS_STR(*token), sizeof(tmp)) >= sizeof(tmp)) {
+		return (true);
+	}
+
+	if (tmp[strlen(tmp) - 1] == '.') {
+		tmp[strlen(tmp) - 1] = '\0';
+	}
+	if (inet_pton(AF_INET, tmp, &addr) == 1 ||
+	    inet_pton(AF_INET6, tmp, &addr6) == 1)
+	{
+		return (false);
+	}
+
+	return (true);
+}
+
+static isc_result_t
+fromtext_mx(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+	bool ok;
+
+	REQUIRE(type == dns_rdatatype_mx);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	ok = true;
+	if ((options & DNS_RDATA_CHECKMX) != 0) {
+		ok = check_mx(&token);
+	}
+	if (!ok && (options & DNS_RDATA_CHECKMXFAIL) != 0) {
+		RETTOK(DNS_R_MXISADDRESS);
+	}
+	if (!ok && callbacks != NULL) {
+		warn_badmx(&token, lexer, callbacks);
+	}
+
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL) {
+		origin = dns_rootname;
+	}
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	ok = true;
+	if ((options & DNS_RDATA_CHECKNAMES) != 0) {
+		ok = dns_name_ishostname(&name, false);
+	}
+	if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0) {
+		RETTOK(DNS_R_BADNAME);
+	}
+	if (!ok && callbacks != NULL) {
+		warn_badname(&name, lexer, callbacks);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+totext_mx(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+	char buf[sizeof("64000")];
+	unsigned short num;
+
+	REQUIRE(rdata->type == dns_rdatatype_mx);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+
+	dns_rdata_toregion(rdata, &region);
+	num = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	snprintf(buf, sizeof(buf), "%u", num);
+	RETERR(str_totext(buf, target));
+
+	RETERR(str_totext(" ", target));
+
+	dns_name_fromregion(&name, &region);
+	sub = name_prefix(&name, tctx->origin, &prefix);
+	return (dns_name_totext(&prefix, sub, target));
+}
+
+static isc_result_t
+fromwire_mx(ARGS_FROMWIRE) {
+	dns_name_t name;
+	isc_region_t sregion;
+
+	REQUIRE(type == dns_rdatatype_mx);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&name, NULL);
+
+	isc_buffer_activeregion(source, &sregion);
+	if (sregion.length < 2) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	RETERR(mem_tobuffer(target, sregion.base, 2));
+	isc_buffer_forward(source, 2);
+	return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static isc_result_t
+towire_mx(ARGS_TOWIRE) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_mx);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_rdata_toregion(rdata, &region);
+	RETERR(mem_tobuffer(target, region.base, 2));
+	isc_region_consume(&region, 2);
+
+	dns_name_init(&name, offsets);
+	dns_name_fromregion(&name, &region);
+
+	return (dns_name_towire(&name, cctx, target));
+}
+
+static int
+compare_mx(ARGS_COMPARE) {
+	dns_name_t name1;
+	dns_name_t name2;
+	isc_region_t region1;
+	isc_region_t region2;
+	int order;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_mx);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	order = memcmp(rdata1->data, rdata2->data, 2);
+	if (order != 0) {
+		return (order < 0 ? -1 : 1);
+	}
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	isc_region_consume(&region1, 2);
+	isc_region_consume(&region2, 2);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static isc_result_t
+fromstruct_mx(ARGS_FROMSTRUCT) {
+	dns_rdata_mx_t *mx = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_mx);
+	REQUIRE(mx != NULL);
+	REQUIRE(mx->common.rdtype == type);
+	REQUIRE(mx->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint16_tobuffer(mx->pref, target));
+	dns_name_toregion(&mx->mx, &region);
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static isc_result_t
+tostruct_mx(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_mx_t *mx = target;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_mx);
+	REQUIRE(mx != NULL);
+	REQUIRE(rdata->length != 0);
+
+	mx->common.rdclass = rdata->rdclass;
+	mx->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&mx->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	mx->pref = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&mx->mx, NULL);
+	RETERR(name_duporclone(&name, mctx, &mx->mx));
+	mx->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_mx(ARGS_FREESTRUCT) {
+	dns_rdata_mx_t *mx = source;
+
+	REQUIRE(mx != NULL);
+	REQUIRE(mx->common.rdtype == dns_rdatatype_mx);
+
+	if (mx->mctx == NULL) {
+		return;
+	}
+
+	dns_name_free(&mx->mx, mx->mctx);
+	mx->mctx = NULL;
+}
+
+static unsigned char port25_offset[] = { 0, 3 };
+static unsigned char port25_ndata[] = "\003_25\004_tcp";
+static dns_name_t port25 = DNS_NAME_INITNONABSOLUTE(port25_ndata,
+						    port25_offset);
+
+static isc_result_t
+additionaldata_mx(ARGS_ADDLDATA) {
+	isc_result_t result;
+	dns_fixedname_t fixed;
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_mx);
+
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &region);
+	isc_region_consume(&region, 2);
+	dns_name_fromregion(&name, &region);
+
+	if (dns_name_equal(&name, dns_rootname)) {
+		return (ISC_R_SUCCESS);
+	}
+
+	result = (add)(arg, &name, dns_rdatatype_a);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	dns_fixedname_init(&fixed);
+	result = dns_name_concatenate(&port25, &name,
+				      dns_fixedname_name(&fixed), NULL);
+	if (result != ISC_R_SUCCESS) {
+		return (ISC_R_SUCCESS);
+	}
+
+	return ((add)(arg, dns_fixedname_name(&fixed), dns_rdatatype_tlsa));
+}
+
+static isc_result_t
+digest_mx(ARGS_DIGEST) {
+	isc_region_t r1, r2;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_mx);
+
+	dns_rdata_toregion(rdata, &r1);
+	r2 = r1;
+	isc_region_consume(&r2, 2);
+	r1.length = 2;
+	RETERR((digest)(arg, &r1));
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r2);
+	return (dns_name_digest(&name, digest, arg));
+}
+
+static bool
+checkowner_mx(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_mx);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	return (dns_name_ishostname(name, wildcard));
+}
+
+static bool
+checknames_mx(ARGS_CHECKNAMES) {
+	isc_region_t region;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_mx);
+
+	UNUSED(owner);
+
+	dns_rdata_toregion(rdata, &region);
+	isc_region_consume(&region, 2);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+	if (!dns_name_ishostname(&name, false)) {
+		if (bad != NULL) {
+			dns_name_clone(&name, bad);
+		}
+		return (false);
+	}
+	return (true);
+}
+
+static int
+casecompare_mx(ARGS_COMPARE) {
+	return (compare_mx(rdata1, rdata2));
+}
+
+#endif /* RDATA_GENERIC_MX_15_C */
diff --git a/lib/dns/rdata/generic/mx_15.h b/lib/dns/rdata/generic/mx_15.h
new file mode 100644
index 0000000..14f9189
--- /dev/null
+++ b/lib/dns/rdata/generic/mx_15.h
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef GENERIC_MX_15_H
+#define GENERIC_MX_15_H 1
+
+typedef struct dns_rdata_mx {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	uint16_t pref;
+	dns_name_t mx;
+} dns_rdata_mx_t;
+
+#endif /* GENERIC_MX_15_H */
diff --git a/lib/dns/rdata/generic/naptr_35.c b/lib/dns/rdata/generic/naptr_35.c
new file mode 100644
index 0000000..3f43e0e
--- /dev/null
+++ b/lib/dns/rdata/generic/naptr_35.c
@@ -0,0 +1,740 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC2915 */
+
+#ifndef RDATA_GENERIC_NAPTR_35_C
+#define RDATA_GENERIC_NAPTR_35_C
+
+#define RRTYPE_NAPTR_ATTRIBUTES (0)
+
+#include <isc/regex.h>
+
+/*
+ * Check the wire format of the Regexp field.
+ * Don't allow embedded NUL's.
+ */
+static isc_result_t
+txt_valid_regex(const unsigned char *txt) {
+	unsigned int nsub = 0;
+	char regex[256];
+	char *cp;
+	bool flags = false;
+	bool replace = false;
+	unsigned char c;
+	unsigned char delim;
+	unsigned int len;
+	int n;
+
+	len = *txt++;
+	if (len == 0U) {
+		return (ISC_R_SUCCESS);
+	}
+
+	delim = *txt++;
+	len--;
+
+	/*
+	 * Digits, backslash and flags can't be delimiters.
+	 */
+	switch (delim) {
+	case '0':
+	case '1':
+	case '2':
+	case '3':
+	case '4':
+	case '5':
+	case '6':
+	case '7':
+	case '8':
+	case '9':
+	case '\\':
+	case 'i':
+	case 0:
+		return (DNS_R_SYNTAX);
+	}
+
+	cp = regex;
+	while (len-- > 0) {
+		c = *txt++;
+		if (c == 0) {
+			return (DNS_R_SYNTAX);
+		}
+		if (c == delim && !replace) {
+			replace = true;
+			continue;
+		} else if (c == delim && !flags) {
+			flags = true;
+			continue;
+		} else if (c == delim) {
+			return (DNS_R_SYNTAX);
+		}
+		/*
+		 * Flags are not escaped.
+		 */
+		if (flags) {
+			switch (c) {
+			case 'i':
+				continue;
+			default:
+				return (DNS_R_SYNTAX);
+			}
+		}
+		if (!replace) {
+			*cp++ = c;
+		}
+		if (c == '\\') {
+			if (len == 0) {
+				return (DNS_R_SYNTAX);
+			}
+			c = *txt++;
+			if (c == 0) {
+				return (DNS_R_SYNTAX);
+			}
+			len--;
+			if (replace) {
+				switch (c) {
+				case '0':
+					return (DNS_R_SYNTAX);
+				case '1':
+					if (nsub < 1) {
+						nsub = 1;
+					}
+					break;
+				case '2':
+					if (nsub < 2) {
+						nsub = 2;
+					}
+					break;
+				case '3':
+					if (nsub < 3) {
+						nsub = 3;
+					}
+					break;
+				case '4':
+					if (nsub < 4) {
+						nsub = 4;
+					}
+					break;
+				case '5':
+					if (nsub < 5) {
+						nsub = 5;
+					}
+					break;
+				case '6':
+					if (nsub < 6) {
+						nsub = 6;
+					}
+					break;
+				case '7':
+					if (nsub < 7) {
+						nsub = 7;
+					}
+					break;
+				case '8':
+					if (nsub < 8) {
+						nsub = 8;
+					}
+					break;
+				case '9':
+					if (nsub < 9) {
+						nsub = 9;
+					}
+					break;
+				}
+			}
+			if (!replace) {
+				*cp++ = c;
+			}
+		}
+	}
+	if (!flags) {
+		return (DNS_R_SYNTAX);
+	}
+	*cp = '\0';
+	n = isc_regex_validate(regex);
+	if (n < 0 || nsub > (unsigned int)n) {
+		return (DNS_R_SYNTAX);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+fromtext_naptr(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+	unsigned char *regex;
+
+	REQUIRE(type == dns_rdatatype_naptr);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	/*
+	 * Order.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Preference.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Flags.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
+				      false));
+	RETTOK(txt_fromtext(&token.value.as_textregion, target));
+
+	/*
+	 * Service.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
+				      false));
+	RETTOK(txt_fromtext(&token.value.as_textregion, target));
+
+	/*
+	 * Regexp.
+	 */
+	regex = isc_buffer_used(target);
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
+				      false));
+	RETTOK(txt_fromtext(&token.value.as_textregion, target));
+	RETTOK(txt_valid_regex(regex));
+
+	/*
+	 * Replacement.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL) {
+		origin = dns_rootname;
+	}
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+totext_naptr(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+	char buf[sizeof("64000")];
+	unsigned short num;
+
+	REQUIRE(rdata->type == dns_rdatatype_naptr);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+
+	dns_rdata_toregion(rdata, &region);
+
+	/*
+	 * Order.
+	 */
+	num = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	snprintf(buf, sizeof(buf), "%u", num);
+	RETERR(str_totext(buf, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Preference.
+	 */
+	num = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	snprintf(buf, sizeof(buf), "%u", num);
+	RETERR(str_totext(buf, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Flags.
+	 */
+	RETERR(txt_totext(&region, true, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Service.
+	 */
+	RETERR(txt_totext(&region, true, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Regexp.
+	 */
+	RETERR(txt_totext(&region, true, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Replacement.
+	 */
+	dns_name_fromregion(&name, &region);
+	sub = name_prefix(&name, tctx->origin, &prefix);
+	return (dns_name_totext(&prefix, sub, target));
+}
+
+static isc_result_t
+fromwire_naptr(ARGS_FROMWIRE) {
+	dns_name_t name;
+	isc_region_t sr;
+	unsigned char *regex;
+
+	REQUIRE(type == dns_rdatatype_naptr);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+	dns_name_init(&name, NULL);
+
+	/*
+	 * Order, preference.
+	 */
+	isc_buffer_activeregion(source, &sr);
+	if (sr.length < 4) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	RETERR(mem_tobuffer(target, sr.base, 4));
+	isc_buffer_forward(source, 4);
+
+	/*
+	 * Flags.
+	 */
+	RETERR(txt_fromwire(source, target));
+
+	/*
+	 * Service.
+	 */
+	RETERR(txt_fromwire(source, target));
+
+	/*
+	 * Regexp.
+	 */
+	regex = isc_buffer_used(target);
+	RETERR(txt_fromwire(source, target));
+	RETERR(txt_valid_regex(regex));
+
+	/*
+	 * Replacement.
+	 */
+	return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static isc_result_t
+towire_naptr(ARGS_TOWIRE) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_naptr);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+	/*
+	 * Order, preference.
+	 */
+	dns_rdata_toregion(rdata, &sr);
+	RETERR(mem_tobuffer(target, sr.base, 4));
+	isc_region_consume(&sr, 4);
+
+	/*
+	 * Flags.
+	 */
+	RETERR(mem_tobuffer(target, sr.base, sr.base[0] + 1));
+	isc_region_consume(&sr, sr.base[0] + 1);
+
+	/*
+	 * Service.
+	 */
+	RETERR(mem_tobuffer(target, sr.base, sr.base[0] + 1));
+	isc_region_consume(&sr, sr.base[0] + 1);
+
+	/*
+	 * Regexp.
+	 */
+	RETERR(mem_tobuffer(target, sr.base, sr.base[0] + 1));
+	isc_region_consume(&sr, sr.base[0] + 1);
+
+	/*
+	 * Replacement.
+	 */
+	dns_name_init(&name, offsets);
+	dns_name_fromregion(&name, &sr);
+	return (dns_name_towire(&name, cctx, target));
+}
+
+static int
+compare_naptr(ARGS_COMPARE) {
+	dns_name_t name1;
+	dns_name_t name2;
+	isc_region_t region1;
+	isc_region_t region2;
+	int order, len;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_naptr);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	/*
+	 * Order, preference.
+	 */
+	order = memcmp(region1.base, region2.base, 4);
+	if (order != 0) {
+		return (order < 0 ? -1 : 1);
+	}
+	isc_region_consume(&region1, 4);
+	isc_region_consume(&region2, 4);
+
+	/*
+	 * Flags.
+	 */
+	len = ISC_MIN(region1.base[0], region2.base[0]);
+	order = memcmp(region1.base, region2.base, len + 1);
+	if (order != 0) {
+		return (order < 0 ? -1 : 1);
+	}
+	isc_region_consume(&region1, region1.base[0] + 1);
+	isc_region_consume(&region2, region2.base[0] + 1);
+
+	/*
+	 * Service.
+	 */
+	len = ISC_MIN(region1.base[0], region2.base[0]);
+	order = memcmp(region1.base, region2.base, len + 1);
+	if (order != 0) {
+		return (order < 0 ? -1 : 1);
+	}
+	isc_region_consume(&region1, region1.base[0] + 1);
+	isc_region_consume(&region2, region2.base[0] + 1);
+
+	/*
+	 * Regexp.
+	 */
+	len = ISC_MIN(region1.base[0], region2.base[0]);
+	order = memcmp(region1.base, region2.base, len + 1);
+	if (order != 0) {
+		return (order < 0 ? -1 : 1);
+	}
+	isc_region_consume(&region1, region1.base[0] + 1);
+	isc_region_consume(&region2, region2.base[0] + 1);
+
+	/*
+	 * Replacement.
+	 */
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static isc_result_t
+fromstruct_naptr(ARGS_FROMSTRUCT) {
+	dns_rdata_naptr_t *naptr = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_naptr);
+	REQUIRE(naptr != NULL);
+	REQUIRE(naptr->common.rdtype == type);
+	REQUIRE(naptr->common.rdclass == rdclass);
+	REQUIRE(naptr->flags != NULL || naptr->flags_len == 0);
+	REQUIRE(naptr->service != NULL || naptr->service_len == 0);
+	REQUIRE(naptr->regexp != NULL || naptr->regexp_len == 0);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint16_tobuffer(naptr->order, target));
+	RETERR(uint16_tobuffer(naptr->preference, target));
+	RETERR(uint8_tobuffer(naptr->flags_len, target));
+	RETERR(mem_tobuffer(target, naptr->flags, naptr->flags_len));
+	RETERR(uint8_tobuffer(naptr->service_len, target));
+	RETERR(mem_tobuffer(target, naptr->service, naptr->service_len));
+	RETERR(uint8_tobuffer(naptr->regexp_len, target));
+	RETERR(mem_tobuffer(target, naptr->regexp, naptr->regexp_len));
+	dns_name_toregion(&naptr->replacement, &region);
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static isc_result_t
+tostruct_naptr(ARGS_TOSTRUCT) {
+	dns_rdata_naptr_t *naptr = target;
+	isc_region_t r;
+	isc_result_t result;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_naptr);
+	REQUIRE(naptr != NULL);
+	REQUIRE(rdata->length != 0);
+
+	naptr->common.rdclass = rdata->rdclass;
+	naptr->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&naptr->common, link);
+
+	naptr->flags = NULL;
+	naptr->service = NULL;
+	naptr->regexp = NULL;
+
+	dns_rdata_toregion(rdata, &r);
+
+	naptr->order = uint16_fromregion(&r);
+	isc_region_consume(&r, 2);
+
+	naptr->preference = uint16_fromregion(&r);
+	isc_region_consume(&r, 2);
+
+	naptr->flags_len = uint8_fromregion(&r);
+	isc_region_consume(&r, 1);
+	INSIST(naptr->flags_len <= r.length);
+	naptr->flags = mem_maybedup(mctx, r.base, naptr->flags_len);
+	if (naptr->flags == NULL) {
+		goto cleanup;
+	}
+	isc_region_consume(&r, naptr->flags_len);
+
+	naptr->service_len = uint8_fromregion(&r);
+	isc_region_consume(&r, 1);
+	INSIST(naptr->service_len <= r.length);
+	naptr->service = mem_maybedup(mctx, r.base, naptr->service_len);
+	if (naptr->service == NULL) {
+		goto cleanup;
+	}
+	isc_region_consume(&r, naptr->service_len);
+
+	naptr->regexp_len = uint8_fromregion(&r);
+	isc_region_consume(&r, 1);
+	INSIST(naptr->regexp_len <= r.length);
+	naptr->regexp = mem_maybedup(mctx, r.base, naptr->regexp_len);
+	if (naptr->regexp == NULL) {
+		goto cleanup;
+	}
+	isc_region_consume(&r, naptr->regexp_len);
+
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r);
+	dns_name_init(&naptr->replacement, NULL);
+	result = name_duporclone(&name, mctx, &naptr->replacement);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	naptr->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	if (mctx != NULL && naptr->flags != NULL) {
+		isc_mem_free(mctx, naptr->flags);
+	}
+	if (mctx != NULL && naptr->service != NULL) {
+		isc_mem_free(mctx, naptr->service);
+	}
+	if (mctx != NULL && naptr->regexp != NULL) {
+		isc_mem_free(mctx, naptr->regexp);
+	}
+	return (ISC_R_NOMEMORY);
+}
+
+static void
+freestruct_naptr(ARGS_FREESTRUCT) {
+	dns_rdata_naptr_t *naptr = source;
+
+	REQUIRE(naptr != NULL);
+	REQUIRE(naptr->common.rdtype == dns_rdatatype_naptr);
+
+	if (naptr->mctx == NULL) {
+		return;
+	}
+
+	if (naptr->flags != NULL) {
+		isc_mem_free(naptr->mctx, naptr->flags);
+	}
+	if (naptr->service != NULL) {
+		isc_mem_free(naptr->mctx, naptr->service);
+	}
+	if (naptr->regexp != NULL) {
+		isc_mem_free(naptr->mctx, naptr->regexp);
+	}
+	dns_name_free(&naptr->replacement, naptr->mctx);
+	naptr->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_naptr(ARGS_ADDLDATA) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t sr;
+	dns_rdatatype_t atype;
+	unsigned int i, flagslen;
+	char *cp;
+
+	REQUIRE(rdata->type == dns_rdatatype_naptr);
+
+	/*
+	 * Order, preference.
+	 */
+	dns_rdata_toregion(rdata, &sr);
+	isc_region_consume(&sr, 4);
+
+	/*
+	 * Flags.
+	 */
+	atype = 0;
+	flagslen = sr.base[0];
+	cp = (char *)&sr.base[1];
+	for (i = 0; i < flagslen; i++, cp++) {
+		if (*cp == 'S' || *cp == 's') {
+			atype = dns_rdatatype_srv;
+			break;
+		}
+		if (*cp == 'A' || *cp == 'a') {
+			atype = dns_rdatatype_a;
+			break;
+		}
+	}
+	isc_region_consume(&sr, flagslen + 1);
+
+	/*
+	 * Service.
+	 */
+	isc_region_consume(&sr, sr.base[0] + 1);
+
+	/*
+	 * Regexp.
+	 */
+	isc_region_consume(&sr, sr.base[0] + 1);
+
+	/*
+	 * Replacement.
+	 */
+	dns_name_init(&name, offsets);
+	dns_name_fromregion(&name, &sr);
+
+	if (atype != 0) {
+		return ((add)(arg, &name, atype));
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_naptr(ARGS_DIGEST) {
+	isc_region_t r1, r2;
+	unsigned int length, n;
+	isc_result_t result;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_naptr);
+
+	dns_rdata_toregion(rdata, &r1);
+	r2 = r1;
+	length = 0;
+
+	/*
+	 * Order, preference.
+	 */
+	length += 4;
+	isc_region_consume(&r2, 4);
+
+	/*
+	 * Flags.
+	 */
+	n = r2.base[0] + 1;
+	length += n;
+	isc_region_consume(&r2, n);
+
+	/*
+	 * Service.
+	 */
+	n = r2.base[0] + 1;
+	length += n;
+	isc_region_consume(&r2, n);
+
+	/*
+	 * Regexp.
+	 */
+	n = r2.base[0] + 1;
+	length += n;
+	isc_region_consume(&r2, n);
+
+	/*
+	 * Digest the RR up to the replacement name.
+	 */
+	r1.length = length;
+	result = (digest)(arg, &r1);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	/*
+	 * Replacement.
+	 */
+
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r2);
+
+	return (dns_name_digest(&name, digest, arg));
+}
+
+static bool
+checkowner_naptr(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_naptr);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_naptr(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_naptr);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_naptr(ARGS_COMPARE) {
+	return (compare_naptr(rdata1, rdata2));
+}
+
+#endif /* RDATA_GENERIC_NAPTR_35_C */
diff --git a/lib/dns/rdata/generic/naptr_35.h b/lib/dns/rdata/generic/naptr_35.h
new file mode 100644
index 0000000..d221823
--- /dev/null
+++ b/lib/dns/rdata/generic/naptr_35.h
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_NAPTR_35_H
+#define GENERIC_NAPTR_35_H 1
+
+/*!
+ *  \brief Per RFC2915 */
+
+typedef struct dns_rdata_naptr {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	uint16_t order;
+	uint16_t preference;
+	char *flags;
+	uint8_t flags_len;
+	char *service;
+	uint8_t service_len;
+	char *regexp;
+	uint8_t regexp_len;
+	dns_name_t replacement;
+} dns_rdata_naptr_t;
+
+#endif /* GENERIC_NAPTR_35_H */
diff --git a/lib/dns/rdata/generic/nid_104.c b/lib/dns/rdata/generic/nid_104.c
new file mode 100644
index 0000000..0297da7
--- /dev/null
+++ b/lib/dns/rdata/generic/nid_104.c
@@ -0,0 +1,224 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_NID_104_C
+#define RDATA_GENERIC_NID_104_C
+
+#include <string.h>
+
+#include <isc/net.h>
+
+#define RRTYPE_NID_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_nid(ARGS_FROMTEXT) {
+	isc_token_t token;
+	unsigned char locator[NS_LOCATORSZ];
+
+	REQUIRE(type == dns_rdatatype_nid);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	if (locator_pton(DNS_AS_STR(token), locator) != 1) {
+		RETTOK(DNS_R_SYNTAX);
+	}
+	return (mem_tobuffer(target, locator, NS_LOCATORSZ));
+}
+
+static isc_result_t
+totext_nid(ARGS_TOTEXT) {
+	isc_region_t region;
+	char buf[sizeof("xxxx:xxxx:xxxx:xxxx")];
+	unsigned short num;
+
+	REQUIRE(rdata->type == dns_rdatatype_nid);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(tctx);
+
+	dns_rdata_toregion(rdata, &region);
+	num = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	snprintf(buf, sizeof(buf), "%u", num);
+	RETERR(str_totext(buf, target));
+
+	RETERR(str_totext(" ", target));
+
+	snprintf(buf, sizeof(buf), "%x:%x:%x:%x",
+		 region.base[0] << 8 | region.base[1],
+		 region.base[2] << 8 | region.base[3],
+		 region.base[4] << 8 | region.base[5],
+		 region.base[6] << 8 | region.base[7]);
+	return (str_totext(buf, target));
+}
+
+static isc_result_t
+fromwire_nid(ARGS_FROMWIRE) {
+	isc_region_t sregion;
+
+	REQUIRE(type == dns_rdatatype_nid);
+
+	UNUSED(type);
+	UNUSED(options);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+
+	isc_buffer_activeregion(source, &sregion);
+	if (sregion.length != 10) {
+		return (DNS_R_FORMERR);
+	}
+	isc_buffer_forward(source, sregion.length);
+	return (mem_tobuffer(target, sregion.base, sregion.length));
+}
+
+static isc_result_t
+towire_nid(ARGS_TOWIRE) {
+	REQUIRE(rdata->type == dns_rdatatype_nid);
+	REQUIRE(rdata->length == 10);
+
+	UNUSED(cctx);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static int
+compare_nid(ARGS_COMPARE) {
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_nid);
+	REQUIRE(rdata1->length == 10);
+	REQUIRE(rdata2->length == 10);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+	return (isc_region_compare(&region1, &region2));
+}
+
+static isc_result_t
+fromstruct_nid(ARGS_FROMSTRUCT) {
+	dns_rdata_nid_t *nid = source;
+
+	REQUIRE(type == dns_rdatatype_nid);
+	REQUIRE(nid != NULL);
+	REQUIRE(nid->common.rdtype == type);
+	REQUIRE(nid->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint16_tobuffer(nid->pref, target));
+	return (mem_tobuffer(target, nid->nid, sizeof(nid->nid)));
+}
+
+static isc_result_t
+tostruct_nid(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_nid_t *nid = target;
+
+	REQUIRE(rdata->type == dns_rdatatype_nid);
+	REQUIRE(nid != NULL);
+	REQUIRE(rdata->length == 10);
+
+	UNUSED(mctx);
+
+	nid->common.rdclass = rdata->rdclass;
+	nid->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&nid->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+	nid->pref = uint16_fromregion(&region);
+	memmove(nid->nid, region.base, region.length);
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_nid(ARGS_FREESTRUCT) {
+	dns_rdata_nid_t *nid = source;
+
+	REQUIRE(nid != NULL);
+	REQUIRE(nid->common.rdtype == dns_rdatatype_nid);
+
+	return;
+}
+
+static isc_result_t
+additionaldata_nid(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_nid);
+	REQUIRE(rdata->length == 10);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_nid(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_nid);
+	REQUIRE(rdata->length == 10);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_nid(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_nid);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_nid(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_nid);
+	REQUIRE(rdata->length == 10);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_nid(ARGS_COMPARE) {
+	return (compare_nid(rdata1, rdata2));
+}
+
+#endif /* RDATA_GENERIC_NID_104_C */
diff --git a/lib/dns/rdata/generic/nid_104.h b/lib/dns/rdata/generic/nid_104.h
new file mode 100644
index 0000000..cab4330
--- /dev/null
+++ b/lib/dns/rdata/generic/nid_104.h
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef GENERIC_NID_104_H
+#define GENERIC_NID_104_H 1
+
+typedef struct dns_rdata_nid {
+	dns_rdatacommon_t common;
+	uint16_t pref;
+	unsigned char nid[8];
+} dns_rdata_nid_t;
+
+#endif /* GENERIC_NID_104_H */
diff --git a/lib/dns/rdata/generic/ninfo_56.c b/lib/dns/rdata/generic/ninfo_56.c
new file mode 100644
index 0000000..3fcc582
--- /dev/null
+++ b/lib/dns/rdata/generic/ninfo_56.c
@@ -0,0 +1,169 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_NINFO_56_C
+#define RDATA_GENERIC_NINFO_56_C
+
+#define RRTYPE_NINFO_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_ninfo(ARGS_FROMTEXT) {
+	REQUIRE(type == dns_rdatatype_ninfo);
+
+	return (generic_fromtext_txt(CALL_FROMTEXT));
+}
+
+static isc_result_t
+totext_ninfo(ARGS_TOTEXT) {
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_ninfo);
+
+	return (generic_totext_txt(CALL_TOTEXT));
+}
+
+static isc_result_t
+fromwire_ninfo(ARGS_FROMWIRE) {
+	REQUIRE(type == dns_rdatatype_ninfo);
+
+	return (generic_fromwire_txt(CALL_FROMWIRE));
+}
+
+static isc_result_t
+towire_ninfo(ARGS_TOWIRE) {
+	REQUIRE(rdata->type == dns_rdatatype_ninfo);
+
+	UNUSED(cctx);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static int
+compare_ninfo(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_ninfo);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+fromstruct_ninfo(ARGS_FROMSTRUCT) {
+	REQUIRE(type == dns_rdatatype_ninfo);
+
+	return (generic_fromstruct_txt(CALL_FROMSTRUCT));
+}
+
+static isc_result_t
+tostruct_ninfo(ARGS_TOSTRUCT) {
+	dns_rdata_ninfo_t *ninfo = target;
+
+	REQUIRE(rdata->type == dns_rdatatype_ninfo);
+	REQUIRE(ninfo != NULL);
+
+	ninfo->common.rdclass = rdata->rdclass;
+	ninfo->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&ninfo->common, link);
+
+	return (generic_tostruct_txt(CALL_TOSTRUCT));
+}
+
+static void
+freestruct_ninfo(ARGS_FREESTRUCT) {
+	dns_rdata_ninfo_t *ninfo = source;
+
+	REQUIRE(ninfo != NULL);
+	REQUIRE(ninfo->common.rdtype == dns_rdatatype_ninfo);
+
+	generic_freestruct_txt(source);
+}
+
+static isc_result_t
+additionaldata_ninfo(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_ninfo);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_ninfo(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_ninfo);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_ninfo(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_ninfo);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_ninfo(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_ninfo);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_ninfo(ARGS_COMPARE) {
+	return (compare_ninfo(rdata1, rdata2));
+}
+
+isc_result_t
+dns_rdata_ninfo_first(dns_rdata_ninfo_t *ninfo) {
+	REQUIRE(ninfo != NULL);
+	REQUIRE(ninfo->common.rdtype == dns_rdatatype_ninfo);
+
+	return (generic_txt_first(ninfo));
+}
+
+isc_result_t
+dns_rdata_ninfo_next(dns_rdata_ninfo_t *ninfo) {
+	REQUIRE(ninfo != NULL);
+	REQUIRE(ninfo->common.rdtype == dns_rdatatype_ninfo);
+
+	return (generic_txt_next(ninfo));
+}
+
+isc_result_t
+dns_rdata_ninfo_current(dns_rdata_ninfo_t *ninfo,
+			dns_rdata_ninfo_string_t *string) {
+	REQUIRE(ninfo != NULL);
+	REQUIRE(ninfo->common.rdtype == dns_rdatatype_ninfo);
+
+	return (generic_txt_current(ninfo, string));
+}
+#endif /* RDATA_GENERIC_NINFO_56_C */
diff --git a/lib/dns/rdata/generic/ninfo_56.h b/lib/dns/rdata/generic/ninfo_56.h
new file mode 100644
index 0000000..0630ff2
--- /dev/null
+++ b/lib/dns/rdata/generic/ninfo_56.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef GENERIC_NINFO_56_H
+#define GENERIC_NINFO_56_H 1
+
+typedef struct dns_rdata_txt_string dns_rdata_ninfo_string_t;
+
+typedef struct dns_rdata_txt dns_rdata_ninfo_t;
+
+/*
+ * ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS are already done
+ * via rdatastructpre.h and rdatastructsuf.h.
+ */
+
+isc_result_t
+dns_rdata_ninfo_first(dns_rdata_ninfo_t *);
+
+isc_result_t
+dns_rdata_ninfo_next(dns_rdata_ninfo_t *);
+
+isc_result_t
+dns_rdata_ninfo_current(dns_rdata_ninfo_t *, dns_rdata_ninfo_string_t *);
+
+#endif /* GENERIC_NINFO_16_H */
diff --git a/lib/dns/rdata/generic/ns_2.c b/lib/dns/rdata/generic/ns_2.c
new file mode 100644
index 0000000..265f3bb
--- /dev/null
+++ b/lib/dns/rdata/generic/ns_2.c
@@ -0,0 +1,254 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_NS_2_C
+#define RDATA_GENERIC_NS_2_C
+
+#define RRTYPE_NS_ATTRIBUTES (DNS_RDATATYPEATTR_ZONECUTAUTH)
+
+static isc_result_t
+fromtext_ns(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+	bool ok;
+
+	REQUIRE(type == dns_rdatatype_ns);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL) {
+		origin = dns_rootname;
+	}
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	ok = true;
+	if ((options & DNS_RDATA_CHECKNAMES) != 0) {
+		ok = dns_name_ishostname(&name, false);
+	}
+	if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0) {
+		RETTOK(DNS_R_BADNAME);
+	}
+	if (!ok && callbacks != NULL) {
+		warn_badname(&name, lexer, callbacks);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+totext_ns(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+
+	REQUIRE(rdata->type == dns_rdatatype_ns);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	sub = name_prefix(&name, tctx->origin, &prefix);
+
+	return (dns_name_totext(&prefix, sub, target));
+}
+
+static isc_result_t
+fromwire_ns(ARGS_FROMWIRE) {
+	dns_name_t name;
+
+	REQUIRE(type == dns_rdatatype_ns);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&name, NULL);
+	return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static isc_result_t
+towire_ns(ARGS_TOWIRE) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_ns);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	return (dns_name_towire(&name, cctx, target));
+}
+
+static int
+compare_ns(ARGS_COMPARE) {
+	dns_name_t name1;
+	dns_name_t name2;
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_ns);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static isc_result_t
+fromstruct_ns(ARGS_FROMSTRUCT) {
+	dns_rdata_ns_t *ns = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_ns);
+	REQUIRE(ns != NULL);
+	REQUIRE(ns->common.rdtype == type);
+	REQUIRE(ns->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_name_toregion(&ns->name, &region);
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static isc_result_t
+tostruct_ns(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_ns_t *ns = target;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_ns);
+	REQUIRE(ns != NULL);
+	REQUIRE(rdata->length != 0);
+
+	ns->common.rdclass = rdata->rdclass;
+	ns->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&ns->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&ns->name, NULL);
+	RETERR(name_duporclone(&name, mctx, &ns->name));
+	ns->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_ns(ARGS_FREESTRUCT) {
+	dns_rdata_ns_t *ns = source;
+
+	REQUIRE(ns != NULL);
+
+	if (ns->mctx == NULL) {
+		return;
+	}
+
+	dns_name_free(&ns->name, ns->mctx);
+	ns->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_ns(ARGS_ADDLDATA) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_ns);
+
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	return ((add)(arg, &name, dns_rdatatype_a));
+}
+
+static isc_result_t
+digest_ns(ARGS_DIGEST) {
+	isc_region_t r;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_ns);
+
+	dns_rdata_toregion(rdata, &r);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r);
+
+	return (dns_name_digest(&name, digest, arg));
+}
+
+static bool
+checkowner_ns(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_ns);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_ns(ARGS_CHECKNAMES) {
+	isc_region_t region;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_ns);
+
+	UNUSED(owner);
+
+	dns_rdata_toregion(rdata, &region);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+	if (!dns_name_ishostname(&name, false)) {
+		if (bad != NULL) {
+			dns_name_clone(&name, bad);
+		}
+		return (false);
+	}
+	return (true);
+}
+
+static int
+casecompare_ns(ARGS_COMPARE) {
+	return (compare_ns(rdata1, rdata2));
+}
+
+#endif /* RDATA_GENERIC_NS_2_C */
diff --git a/lib/dns/rdata/generic/ns_2.h b/lib/dns/rdata/generic/ns_2.h
new file mode 100644
index 0000000..3cb9e65
--- /dev/null
+++ b/lib/dns/rdata/generic/ns_2.h
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef GENERIC_NS_2_H
+#define GENERIC_NS_2_H 1
+
+typedef struct dns_rdata_ns {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	dns_name_t name;
+} dns_rdata_ns_t;
+
+#endif /* GENERIC_NS_2_H */
diff --git a/lib/dns/rdata/generic/nsec3_50.c b/lib/dns/rdata/generic/nsec3_50.c
new file mode 100644
index 0000000..c0d81a6
--- /dev/null
+++ b/lib/dns/rdata/generic/nsec3_50.c
@@ -0,0 +1,424 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) 2004  Nominet, Ltd.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND NOMINET DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* RFC 5155 */
+
+#ifndef RDATA_GENERIC_NSEC3_50_C
+#define RDATA_GENERIC_NSEC3_50_C
+
+#include <isc/base32.h>
+#include <isc/iterated_hash.h>
+
+#define RRTYPE_NSEC3_ATTRIBUTES DNS_RDATATYPEATTR_DNSSEC
+
+static isc_result_t
+fromtext_nsec3(ARGS_FROMTEXT) {
+	isc_token_t token;
+	unsigned int flags;
+	unsigned char hashalg;
+	isc_buffer_t b;
+	unsigned char buf[256];
+
+	REQUIRE(type == dns_rdatatype_nsec3);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+	UNUSED(origin);
+	UNUSED(options);
+
+	/* Hash. */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	RETTOK(dns_hashalg_fromtext(&hashalg, &token.value.as_textregion));
+	RETERR(uint8_tobuffer(hashalg, target));
+
+	/* Flags. */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	flags = token.value.as_ulong;
+	if (flags > 255U) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint8_tobuffer(flags, target));
+
+	/* Iterations. */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/* salt */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	if (token.value.as_textregion.length > (255 * 2)) {
+		RETTOK(DNS_R_TEXTTOOLONG);
+	}
+	if (strcmp(DNS_AS_STR(token), "-") == 0) {
+		RETERR(uint8_tobuffer(0, target));
+	} else {
+		RETERR(uint8_tobuffer(strlen(DNS_AS_STR(token)) / 2, target));
+		RETERR(isc_hex_decodestring(DNS_AS_STR(token), target));
+	}
+
+	/*
+	 * Next hash a single base32hex word.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	isc_buffer_init(&b, buf, sizeof(buf));
+	RETTOK(isc_base32hexnp_decodestring(DNS_AS_STR(token), &b));
+	if (isc_buffer_usedlength(&b) > 0xffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint8_tobuffer(isc_buffer_usedlength(&b), target));
+	RETERR(mem_tobuffer(target, &buf, isc_buffer_usedlength(&b)));
+
+	return (typemap_fromtext(lexer, target, true));
+}
+
+static isc_result_t
+totext_nsec3(ARGS_TOTEXT) {
+	isc_region_t sr;
+	unsigned int i, j;
+	unsigned char hash;
+	unsigned char flags;
+	char buf[sizeof("TYPE65535")];
+	uint32_t iterations;
+
+	REQUIRE(rdata->type == dns_rdatatype_nsec3);
+	REQUIRE(rdata->length != 0);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/* Hash */
+	hash = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+	snprintf(buf, sizeof(buf), "%u ", hash);
+	RETERR(str_totext(buf, target));
+
+	/* Flags */
+	flags = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+	snprintf(buf, sizeof(buf), "%u ", flags);
+	RETERR(str_totext(buf, target));
+
+	/* Iterations */
+	iterations = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	snprintf(buf, sizeof(buf), "%u ", iterations);
+	RETERR(str_totext(buf, target));
+
+	/* Salt */
+	j = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+	INSIST(j <= sr.length);
+
+	if (j != 0) {
+		i = sr.length;
+		sr.length = j;
+		RETERR(isc_hex_totext(&sr, 1, "", target));
+		sr.length = i - j;
+	} else {
+		RETERR(str_totext("-", target));
+	}
+
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+		RETERR(str_totext(" (", target));
+	}
+	RETERR(str_totext(tctx->linebreak, target));
+
+	/* Next hash */
+	j = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+	INSIST(j <= sr.length);
+
+	i = sr.length;
+	sr.length = j;
+	RETERR(isc_base32hexnp_totext(&sr, 1, "", target));
+	sr.length = i - j;
+
+	/*
+	 * Don't leave a trailing space when there's no typemap present.
+	 */
+	if (((tctx->flags & DNS_STYLEFLAG_MULTILINE) == 0) && (sr.length > 0)) {
+		RETERR(str_totext(" ", target));
+	}
+	RETERR(typemap_totext(&sr, tctx, target));
+
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+		RETERR(str_totext(" )", target));
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+fromwire_nsec3(ARGS_FROMWIRE) {
+	isc_region_t sr, rr;
+	unsigned int saltlen, hashlen;
+
+	REQUIRE(type == dns_rdatatype_nsec3);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(options);
+	UNUSED(dctx);
+
+	isc_buffer_activeregion(source, &sr);
+	rr = sr;
+
+	/* hash(1), flags(1), iteration(2), saltlen(1) */
+	if (sr.length < 5U) {
+		RETERR(DNS_R_FORMERR);
+	}
+	saltlen = sr.base[4];
+	isc_region_consume(&sr, 5);
+
+	if (sr.length < saltlen) {
+		RETERR(DNS_R_FORMERR);
+	}
+	isc_region_consume(&sr, saltlen);
+
+	if (sr.length < 1U) {
+		RETERR(DNS_R_FORMERR);
+	}
+	hashlen = sr.base[0];
+	isc_region_consume(&sr, 1);
+
+	if (hashlen < 1 || sr.length < hashlen) {
+		RETERR(DNS_R_FORMERR);
+	}
+	isc_region_consume(&sr, hashlen);
+
+	RETERR(typemap_test(&sr, true));
+
+	RETERR(mem_tobuffer(target, rr.base, rr.length));
+	isc_buffer_forward(source, rr.length);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+towire_nsec3(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_nsec3);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static int
+compare_nsec3(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_nsec3);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+fromstruct_nsec3(ARGS_FROMSTRUCT) {
+	dns_rdata_nsec3_t *nsec3 = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_nsec3);
+	REQUIRE(nsec3 != NULL);
+	REQUIRE(nsec3->common.rdtype == type);
+	REQUIRE(nsec3->common.rdclass == rdclass);
+	REQUIRE(nsec3->typebits != NULL || nsec3->len == 0);
+	REQUIRE(nsec3->hash == dns_hash_sha1);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint8_tobuffer(nsec3->hash, target));
+	RETERR(uint8_tobuffer(nsec3->flags, target));
+	RETERR(uint16_tobuffer(nsec3->iterations, target));
+	RETERR(uint8_tobuffer(nsec3->salt_length, target));
+	RETERR(mem_tobuffer(target, nsec3->salt, nsec3->salt_length));
+	RETERR(uint8_tobuffer(nsec3->next_length, target));
+	RETERR(mem_tobuffer(target, nsec3->next, nsec3->next_length));
+
+	region.base = nsec3->typebits;
+	region.length = nsec3->len;
+	RETERR(typemap_test(&region, true));
+	return (mem_tobuffer(target, nsec3->typebits, nsec3->len));
+}
+
+static isc_result_t
+tostruct_nsec3(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_nsec3_t *nsec3 = target;
+
+	REQUIRE(rdata->type == dns_rdatatype_nsec3);
+	REQUIRE(nsec3 != NULL);
+	REQUIRE(rdata->length != 0);
+
+	nsec3->common.rdclass = rdata->rdclass;
+	nsec3->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&nsec3->common, link);
+
+	region.base = rdata->data;
+	region.length = rdata->length;
+	nsec3->hash = uint8_consume_fromregion(&region);
+	nsec3->flags = uint8_consume_fromregion(&region);
+	nsec3->iterations = uint16_consume_fromregion(&region);
+
+	nsec3->salt_length = uint8_consume_fromregion(&region);
+	INSIST(nsec3->salt_length <= region.length);
+	nsec3->salt = mem_maybedup(mctx, region.base, nsec3->salt_length);
+	if (nsec3->salt == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+	isc_region_consume(&region, nsec3->salt_length);
+
+	nsec3->next_length = uint8_consume_fromregion(&region);
+	INSIST(nsec3->next_length <= region.length);
+	nsec3->next = mem_maybedup(mctx, region.base, nsec3->next_length);
+	if (nsec3->next == NULL) {
+		goto cleanup;
+	}
+	isc_region_consume(&region, nsec3->next_length);
+
+	nsec3->len = region.length;
+	nsec3->typebits = mem_maybedup(mctx, region.base, region.length);
+	if (nsec3->typebits == NULL) {
+		goto cleanup;
+	}
+
+	nsec3->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	if (nsec3->next != NULL) {
+		isc_mem_free(mctx, nsec3->next);
+	}
+	isc_mem_free(mctx, nsec3->salt);
+	return (ISC_R_NOMEMORY);
+}
+
+static void
+freestruct_nsec3(ARGS_FREESTRUCT) {
+	dns_rdata_nsec3_t *nsec3 = source;
+
+	REQUIRE(nsec3 != NULL);
+	REQUIRE(nsec3->common.rdtype == dns_rdatatype_nsec3);
+
+	if (nsec3->mctx == NULL) {
+		return;
+	}
+
+	if (nsec3->salt != NULL) {
+		isc_mem_free(nsec3->mctx, nsec3->salt);
+	}
+	if (nsec3->next != NULL) {
+		isc_mem_free(nsec3->mctx, nsec3->next);
+	}
+	if (nsec3->typebits != NULL) {
+		isc_mem_free(nsec3->mctx, nsec3->typebits);
+	}
+	nsec3->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_nsec3(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_nsec3);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_nsec3(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_nsec3);
+
+	dns_rdata_toregion(rdata, &r);
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_nsec3(ARGS_CHECKOWNER) {
+	unsigned char owner[NSEC3_MAX_HASH_LENGTH];
+	isc_buffer_t buffer;
+	dns_label_t label;
+
+	REQUIRE(type == dns_rdatatype_nsec3);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	/*
+	 * First label is a base32hex string without padding.
+	 */
+	dns_name_getlabel(name, 0, &label);
+	isc_region_consume(&label, 1);
+	isc_buffer_init(&buffer, owner, sizeof(owner));
+	if (isc_base32hexnp_decoderegion(&label, &buffer) == ISC_R_SUCCESS) {
+		return (true);
+	}
+
+	return (false);
+}
+
+static bool
+checknames_nsec3(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_nsec3);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_nsec3(ARGS_COMPARE) {
+	return (compare_nsec3(rdata1, rdata2));
+}
+
+#endif /* RDATA_GENERIC_NSEC3_50_C */
diff --git a/lib/dns/rdata/generic/nsec3_50.h b/lib/dns/rdata/generic/nsec3_50.h
new file mode 100644
index 0000000..e773437
--- /dev/null
+++ b/lib/dns/rdata/generic/nsec3_50.h
@@ -0,0 +1,112 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_NSEC3_50_H
+#define GENERIC_NSEC3_50_H 1
+
+/*!
+ * \brief Per RFC 5155 */
+
+#include <isc/iterated_hash.h>
+
+typedef struct dns_rdata_nsec3 {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	dns_hash_t hash;
+	unsigned char flags;
+	dns_iterations_t iterations;
+	unsigned char salt_length;
+	unsigned char next_length;
+	uint16_t len;
+	unsigned char *salt;
+	unsigned char *next;
+	unsigned char *typebits;
+} dns_rdata_nsec3_t;
+
+/*
+ * The corresponding NSEC3 interval is OPTOUT indicating possible
+ * insecure delegations.
+ */
+#define DNS_NSEC3FLAG_OPTOUT 0x01U
+
+/*%
+ * The following flags are used in the private-type record (implemented in
+ * lib/dns/private.c) which is used to store NSEC3PARAM data during the
+ * time when it is not legal to have an actual NSEC3PARAM record in the
+ * zone.  They are defined here because the private-type record uses the
+ * same flags field for the OPTOUT flag above and for the private flags
+ * below.  XXX: This should be considered for refactoring.
+ */
+
+/*%
+ * Non-standard, private type only.
+ *
+ * Create a corresponding NSEC3 chain.
+ * Once the NSEC3 chain is complete this flag will be removed to signal
+ * that there is a complete chain.
+ *
+ * This flag is automatically set when a NSEC3PARAM record is added to
+ * the zone via UPDATE.
+ *
+ * NSEC3PARAM records containing this flag should never be published,
+ * but if they are, they should be ignored by RFC 5155 compliant
+ * nameservers.
+ */
+#define DNS_NSEC3FLAG_CREATE 0x80U
+
+/*%
+ * Non-standard, private type only.
+ *
+ * The corresponding NSEC3 set is to be removed once the NSEC chain
+ * has been generated.
+ *
+ * This flag is automatically set when the last active NSEC3PARAM record
+ * is removed from the zone via UPDATE.
+ *
+ * NSEC3PARAM records containing this flag should never be published,
+ * but if they are, they should be ignored by RFC 5155 compliant
+ * nameservers.
+ */
+#define DNS_NSEC3FLAG_REMOVE 0x40U
+
+/*%
+ * Non-standard, private type only.
+ *
+ * When set with the CREATE flag, a corresponding NSEC3 chain will be
+ * created when the zone becomes capable of supporting one (i.e., when it
+ * has a DNSKEY RRset containing at least one NSEC3-capable algorithm).
+ * Without this flag, NSEC3 chain creation would be attempted immediately,
+ * fail, and the private type record would be removed.  With it, the NSEC3
+ * parameters are stored until they can be used.  When the zone has the
+ * necessary prerequisites for NSEC3, then the INITIAL flag can be cleared,
+ * and the record will be cleaned up normally.
+ *
+ * NSEC3PARAM records containing this flag should never be published, but
+ * if they are, they should be ignored by RFC 5155 compliant nameservers.
+ */
+#define DNS_NSEC3FLAG_INITIAL 0x20U
+
+/*%
+ * Non-standard, private type only.
+ *
+ * Prevent the creation of a NSEC chain before the last NSEC3 chain
+ * is removed.  This will normally only be set when the zone is
+ * transitioning from secure with NSEC3 chains to insecure.
+ *
+ * NSEC3PARAM records containing this flag should never be published,
+ * but if they are, they should be ignored by RFC 5155 compliant
+ * nameservers.
+ */
+#define DNS_NSEC3FLAG_NONSEC 0x10U
+
+#endif /* GENERIC_NSEC3_50_H */
diff --git a/lib/dns/rdata/generic/nsec3param_51.c b/lib/dns/rdata/generic/nsec3param_51.c
new file mode 100644
index 0000000..1d08d72
--- /dev/null
+++ b/lib/dns/rdata/generic/nsec3param_51.c
@@ -0,0 +1,321 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) 2004  Nominet, Ltd.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND NOMINET DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* RFC 5155 */
+
+#ifndef RDATA_GENERIC_NSEC3PARAM_51_C
+#define RDATA_GENERIC_NSEC3PARAM_51_C
+
+#include <isc/base32.h>
+#include <isc/iterated_hash.h>
+
+#define RRTYPE_NSEC3PARAM_ATTRIBUTES (DNS_RDATATYPEATTR_DNSSEC)
+
+static isc_result_t
+fromtext_nsec3param(ARGS_FROMTEXT) {
+	isc_token_t token;
+	unsigned int flags = 0;
+	unsigned char hashalg;
+
+	REQUIRE(type == dns_rdatatype_nsec3param);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+	UNUSED(origin);
+	UNUSED(options);
+
+	/* Hash. */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	RETTOK(dns_hashalg_fromtext(&hashalg, &token.value.as_textregion));
+	RETERR(uint8_tobuffer(hashalg, target));
+
+	/* Flags. */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	flags = token.value.as_ulong;
+	if (flags > 255U) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint8_tobuffer(flags, target));
+
+	/* Iterations. */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/* Salt. */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	if (token.value.as_textregion.length > (255 * 2)) {
+		RETTOK(DNS_R_TEXTTOOLONG);
+	}
+	if (strcmp(DNS_AS_STR(token), "-") == 0) {
+		RETERR(uint8_tobuffer(0, target));
+	} else {
+		RETERR(uint8_tobuffer(strlen(DNS_AS_STR(token)) / 2, target));
+		RETERR(isc_hex_decodestring(DNS_AS_STR(token), target));
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+totext_nsec3param(ARGS_TOTEXT) {
+	isc_region_t sr;
+	unsigned int i, j;
+	unsigned char hash;
+	unsigned char flags;
+	char buf[sizeof("65535 ")];
+	uint32_t iterations;
+
+	REQUIRE(rdata->type == dns_rdatatype_nsec3param);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(tctx);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	hash = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+
+	flags = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+
+	iterations = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+
+	snprintf(buf, sizeof(buf), "%u ", hash);
+	RETERR(str_totext(buf, target));
+
+	snprintf(buf, sizeof(buf), "%u ", flags);
+	RETERR(str_totext(buf, target));
+
+	snprintf(buf, sizeof(buf), "%u ", iterations);
+	RETERR(str_totext(buf, target));
+
+	j = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+	INSIST(j <= sr.length);
+
+	if (j != 0) {
+		i = sr.length;
+		sr.length = j;
+		RETERR(isc_hex_totext(&sr, 1, "", target));
+		sr.length = i - j;
+	} else {
+		RETERR(str_totext("-", target));
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+fromwire_nsec3param(ARGS_FROMWIRE) {
+	isc_region_t sr, rr;
+	unsigned int saltlen;
+
+	REQUIRE(type == dns_rdatatype_nsec3param);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(options);
+	UNUSED(dctx);
+
+	isc_buffer_activeregion(source, &sr);
+	rr = sr;
+
+	/* hash(1), flags(1), iterations(2), saltlen(1) */
+	if (sr.length < 5U) {
+		RETERR(DNS_R_FORMERR);
+	}
+	saltlen = sr.base[4];
+	isc_region_consume(&sr, 5);
+
+	if (sr.length != saltlen) {
+		RETERR(DNS_R_FORMERR);
+	}
+	isc_region_consume(&sr, saltlen);
+	RETERR(mem_tobuffer(target, rr.base, rr.length));
+	isc_buffer_forward(source, rr.length);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+towire_nsec3param(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_nsec3param);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static int
+compare_nsec3param(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_nsec3param);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+fromstruct_nsec3param(ARGS_FROMSTRUCT) {
+	dns_rdata_nsec3param_t *nsec3param = source;
+
+	REQUIRE(type == dns_rdatatype_nsec3param);
+	REQUIRE(nsec3param != NULL);
+	REQUIRE(nsec3param->common.rdtype == type);
+	REQUIRE(nsec3param->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint8_tobuffer(nsec3param->hash, target));
+	RETERR(uint8_tobuffer(nsec3param->flags, target));
+	RETERR(uint16_tobuffer(nsec3param->iterations, target));
+	RETERR(uint8_tobuffer(nsec3param->salt_length, target));
+	RETERR(mem_tobuffer(target, nsec3param->salt, nsec3param->salt_length));
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+tostruct_nsec3param(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_nsec3param_t *nsec3param = target;
+
+	REQUIRE(rdata->type == dns_rdatatype_nsec3param);
+	REQUIRE(nsec3param != NULL);
+	REQUIRE(rdata->length != 0);
+
+	nsec3param->common.rdclass = rdata->rdclass;
+	nsec3param->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&nsec3param->common, link);
+
+	region.base = rdata->data;
+	region.length = rdata->length;
+	nsec3param->hash = uint8_consume_fromregion(&region);
+	nsec3param->flags = uint8_consume_fromregion(&region);
+	nsec3param->iterations = uint16_consume_fromregion(&region);
+
+	nsec3param->salt_length = uint8_consume_fromregion(&region);
+	INSIST(nsec3param->salt_length == region.length);
+	nsec3param->salt = mem_maybedup(mctx, region.base,
+					nsec3param->salt_length);
+	if (nsec3param->salt == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+	isc_region_consume(&region, nsec3param->salt_length);
+
+	nsec3param->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_nsec3param(ARGS_FREESTRUCT) {
+	dns_rdata_nsec3param_t *nsec3param = source;
+
+	REQUIRE(nsec3param != NULL);
+	REQUIRE(nsec3param->common.rdtype == dns_rdatatype_nsec3param);
+
+	if (nsec3param->mctx == NULL) {
+		return;
+	}
+
+	if (nsec3param->salt != NULL) {
+		isc_mem_free(nsec3param->mctx, nsec3param->salt);
+	}
+	nsec3param->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_nsec3param(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_nsec3param);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_nsec3param(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_nsec3param);
+
+	dns_rdata_toregion(rdata, &r);
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_nsec3param(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_nsec3param);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_nsec3param(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_nsec3param);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_nsec3param(ARGS_COMPARE) {
+	return (compare_nsec3param(rdata1, rdata2));
+}
+
+#endif /* RDATA_GENERIC_NSEC3PARAM_51_C */
diff --git a/lib/dns/rdata/generic/nsec3param_51.h b/lib/dns/rdata/generic/nsec3param_51.h
new file mode 100644
index 0000000..2ff3029
--- /dev/null
+++ b/lib/dns/rdata/generic/nsec3param_51.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_NSEC3PARAM_51_H
+#define GENERIC_NSEC3PARAM_51_H 1
+
+/*!
+ * \brief Per RFC 5155 */
+
+#include <isc/iterated_hash.h>
+
+typedef struct dns_rdata_nsec3param {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	dns_hash_t hash;
+	unsigned char flags; /* DNS_NSEC3FLAG_* */
+	dns_iterations_t iterations;
+	unsigned char salt_length;
+	unsigned char *salt;
+} dns_rdata_nsec3param_t;
+
+#endif /* GENERIC_NSEC3PARAM_51_H */
diff --git a/lib/dns/rdata/generic/nsec_47.c b/lib/dns/rdata/generic/nsec_47.c
new file mode 100644
index 0000000..03aab8c
--- /dev/null
+++ b/lib/dns/rdata/generic/nsec_47.c
@@ -0,0 +1,290 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC 3845 */
+
+#ifndef RDATA_GENERIC_NSEC_47_C
+#define RDATA_GENERIC_NSEC_47_C
+
+/*
+ * The attributes do not include DNS_RDATATYPEATTR_SINGLETON
+ * because we must be able to handle a parent/child NSEC pair.
+ */
+#define RRTYPE_NSEC_ATTRIBUTES                                      \
+	(DNS_RDATATYPEATTR_DNSSEC | DNS_RDATATYPEATTR_ZONECUTAUTH | \
+	 DNS_RDATATYPEATTR_ATCNAME)
+
+static isc_result_t
+fromtext_nsec(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+
+	REQUIRE(type == dns_rdatatype_nsec);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	/*
+	 * Next domain.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL) {
+		origin = dns_rootname;
+	}
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+
+	return (typemap_fromtext(lexer, target, false));
+}
+
+static isc_result_t
+totext_nsec(ARGS_TOTEXT) {
+	isc_region_t sr;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_nsec);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(tctx);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &sr);
+	dns_name_fromregion(&name, &sr);
+	isc_region_consume(&sr, name_length(&name));
+	RETERR(dns_name_totext(&name, false, target));
+	/*
+	 * Don't leave a trailing space when there's no typemap present.
+	 */
+	if (sr.length > 0) {
+		RETERR(str_totext(" ", target));
+	}
+	return (typemap_totext(&sr, NULL, target));
+}
+
+static isc_result_t
+fromwire_nsec(ARGS_FROMWIRE) {
+	isc_region_t sr;
+	dns_name_t name;
+
+	REQUIRE(type == dns_rdatatype_nsec);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+	dns_name_init(&name, NULL);
+	RETERR(dns_name_fromwire(&name, source, dctx, options, target));
+
+	isc_buffer_activeregion(source, &sr);
+	RETERR(typemap_test(&sr, false));
+	RETERR(mem_tobuffer(target, sr.base, sr.length));
+	isc_buffer_forward(source, sr.length);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+towire_nsec(ARGS_TOWIRE) {
+	isc_region_t sr;
+	dns_name_t name;
+	dns_offsets_t offsets;
+
+	REQUIRE(rdata->type == dns_rdatatype_nsec);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &sr);
+	dns_name_fromregion(&name, &sr);
+	isc_region_consume(&sr, name_length(&name));
+	RETERR(dns_name_towire(&name, cctx, target));
+
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static int
+compare_nsec(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_nsec);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+fromstruct_nsec(ARGS_FROMSTRUCT) {
+	dns_rdata_nsec_t *nsec = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_nsec);
+	REQUIRE(nsec != NULL);
+	REQUIRE(nsec->common.rdtype == type);
+	REQUIRE(nsec->common.rdclass == rdclass);
+	REQUIRE(nsec->typebits != NULL || nsec->len == 0);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_name_toregion(&nsec->next, &region);
+	RETERR(isc_buffer_copyregion(target, &region));
+
+	region.base = nsec->typebits;
+	region.length = nsec->len;
+	RETERR(typemap_test(&region, false));
+	return (mem_tobuffer(target, nsec->typebits, nsec->len));
+}
+
+static isc_result_t
+tostruct_nsec(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_nsec_t *nsec = target;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_nsec);
+	REQUIRE(nsec != NULL);
+	REQUIRE(rdata->length != 0);
+
+	nsec->common.rdclass = rdata->rdclass;
+	nsec->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&nsec->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+	isc_region_consume(&region, name_length(&name));
+	dns_name_init(&nsec->next, NULL);
+	RETERR(name_duporclone(&name, mctx, &nsec->next));
+
+	nsec->len = region.length;
+	nsec->typebits = mem_maybedup(mctx, region.base, region.length);
+	if (nsec->typebits == NULL) {
+		goto cleanup;
+	}
+
+	nsec->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	if (mctx != NULL) {
+		dns_name_free(&nsec->next, mctx);
+	}
+	return (ISC_R_NOMEMORY);
+}
+
+static void
+freestruct_nsec(ARGS_FREESTRUCT) {
+	dns_rdata_nsec_t *nsec = source;
+
+	REQUIRE(nsec != NULL);
+	REQUIRE(nsec->common.rdtype == dns_rdatatype_nsec);
+
+	if (nsec->mctx == NULL) {
+		return;
+	}
+
+	dns_name_free(&nsec->next, nsec->mctx);
+	if (nsec->typebits != NULL) {
+		isc_mem_free(nsec->mctx, nsec->typebits);
+	}
+	nsec->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_nsec(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_nsec);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_nsec(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_nsec);
+
+	dns_rdata_toregion(rdata, &r);
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_nsec(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_nsec);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_nsec(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_nsec);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_nsec(ARGS_COMPARE) {
+	isc_region_t region1;
+	isc_region_t region2;
+	dns_name_t name1;
+	dns_name_t name2;
+	int order;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_nsec);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	order = dns_name_rdatacompare(&name1, &name2);
+	if (order != 0) {
+		return (order);
+	}
+
+	isc_region_consume(&region1, name_length(&name1));
+	isc_region_consume(&region2, name_length(&name2));
+
+	return (isc_region_compare(&region1, &region2));
+}
+#endif /* RDATA_GENERIC_NSEC_47_C */
diff --git a/lib/dns/rdata/generic/nsec_47.h b/lib/dns/rdata/generic/nsec_47.h
new file mode 100644
index 0000000..98cb788
--- /dev/null
+++ b/lib/dns/rdata/generic/nsec_47.h
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_NSEC_47_H
+#define GENERIC_NSEC_47_H 1
+
+/*!
+ * \brief Per RFC 3845 */
+
+typedef struct dns_rdata_nsec {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	dns_name_t next;
+	unsigned char *typebits;
+	uint16_t len;
+} dns_rdata_nsec_t;
+
+#endif /* GENERIC_NSEC_47_H */
diff --git a/lib/dns/rdata/generic/null_10.c b/lib/dns/rdata/generic/null_10.c
new file mode 100644
index 0000000..c5884bf
--- /dev/null
+++ b/lib/dns/rdata/generic/null_10.c
@@ -0,0 +1,186 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_NULL_10_C
+#define RDATA_GENERIC_NULL_10_C
+
+#define RRTYPE_NULL_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_null(ARGS_FROMTEXT) {
+	REQUIRE(type == dns_rdatatype_null);
+
+	UNUSED(rdclass);
+	UNUSED(type);
+	UNUSED(lexer);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(target);
+	UNUSED(callbacks);
+
+	return (DNS_R_SYNTAX);
+}
+
+static isc_result_t
+totext_null(ARGS_TOTEXT) {
+	REQUIRE(rdata->type == dns_rdatatype_null);
+
+	return (unknown_totext(rdata, tctx, target));
+}
+
+static isc_result_t
+fromwire_null(ARGS_FROMWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(type == dns_rdatatype_null);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+	UNUSED(options);
+
+	isc_buffer_activeregion(source, &sr);
+	isc_buffer_forward(source, sr.length);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static isc_result_t
+towire_null(ARGS_TOWIRE) {
+	REQUIRE(rdata->type == dns_rdatatype_null);
+
+	UNUSED(cctx);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static int
+compare_null(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_null);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+fromstruct_null(ARGS_FROMSTRUCT) {
+	dns_rdata_null_t *null = source;
+
+	REQUIRE(type == dns_rdatatype_null);
+	REQUIRE(null != NULL);
+	REQUIRE(null->common.rdtype == type);
+	REQUIRE(null->common.rdclass == rdclass);
+	REQUIRE(null->data != NULL || null->length == 0);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	return (mem_tobuffer(target, null->data, null->length));
+}
+
+static isc_result_t
+tostruct_null(ARGS_TOSTRUCT) {
+	dns_rdata_null_t *null = target;
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_null);
+	REQUIRE(null != NULL);
+
+	null->common.rdclass = rdata->rdclass;
+	null->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&null->common, link);
+
+	dns_rdata_toregion(rdata, &r);
+	null->length = r.length;
+	null->data = mem_maybedup(mctx, r.base, r.length);
+	if (null->data == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	null->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_null(ARGS_FREESTRUCT) {
+	dns_rdata_null_t *null = source;
+
+	REQUIRE(null != NULL);
+	REQUIRE(null->common.rdtype == dns_rdatatype_null);
+
+	if (null->mctx == NULL) {
+		return;
+	}
+
+	if (null->data != NULL) {
+		isc_mem_free(null->mctx, null->data);
+	}
+	null->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_null(ARGS_ADDLDATA) {
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	REQUIRE(rdata->type == dns_rdatatype_null);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_null(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_null);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_null(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_null);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_null(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_null);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_null(ARGS_COMPARE) {
+	return (compare_null(rdata1, rdata2));
+}
+
+#endif /* RDATA_GENERIC_NULL_10_C */
diff --git a/lib/dns/rdata/generic/null_10.h b/lib/dns/rdata/generic/null_10.h
new file mode 100644
index 0000000..cc17e23
--- /dev/null
+++ b/lib/dns/rdata/generic/null_10.h
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef GENERIC_NULL_10_H
+#define GENERIC_NULL_10_H 1
+
+typedef struct dns_rdata_null {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	uint16_t length;
+	unsigned char *data;
+} dns_rdata_null_t;
+
+#endif /* GENERIC_NULL_10_H */
diff --git a/lib/dns/rdata/generic/nxt_30.c b/lib/dns/rdata/generic/nxt_30.c
new file mode 100644
index 0000000..5a3dcb5
--- /dev/null
+++ b/lib/dns/rdata/generic/nxt_30.c
@@ -0,0 +1,350 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC2535 */
+
+#ifndef RDATA_GENERIC_NXT_30_C
+#define RDATA_GENERIC_NXT_30_C
+
+/*
+ * The attributes do not include DNS_RDATATYPEATTR_SINGLETON
+ * because we must be able to handle a parent/child NXT pair.
+ */
+#define RRTYPE_NXT_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_nxt(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+	char *e;
+	unsigned char bm[8 * 1024]; /* 64k bits */
+	dns_rdatatype_t covered;
+	dns_rdatatype_t maxcovered = 0;
+	bool first = true;
+	long n;
+
+	REQUIRE(type == dns_rdatatype_nxt);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	/*
+	 * Next domain.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL) {
+		origin = dns_rootname;
+	}
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+
+	memset(bm, 0, sizeof(bm));
+	do {
+		RETERR(isc_lex_getmastertoken(lexer, &token,
+					      isc_tokentype_string, true));
+		if (token.type != isc_tokentype_string) {
+			break;
+		}
+		n = strtol(DNS_AS_STR(token), &e, 10);
+		if (e != DNS_AS_STR(token) && *e == '\0') {
+			covered = (dns_rdatatype_t)n;
+		} else if (dns_rdatatype_fromtext(&covered,
+						  &token.value.as_textregion) ==
+			   DNS_R_UNKNOWN)
+		{
+			RETTOK(DNS_R_UNKNOWN);
+		}
+		/*
+		 * NXT is only specified for types 1..127.
+		 */
+		if (covered < 1 || covered > 127) {
+			return (ISC_R_RANGE);
+		}
+		if (first || covered > maxcovered) {
+			maxcovered = covered;
+		}
+		first = false;
+		bm[covered / 8] |= (0x80 >> (covered % 8));
+	} while (1);
+	isc_lex_ungettoken(lexer, &token);
+	if (first) {
+		return (ISC_R_SUCCESS);
+	}
+	n = (maxcovered + 8) / 8;
+	return (mem_tobuffer(target, bm, n));
+}
+
+static isc_result_t
+totext_nxt(ARGS_TOTEXT) {
+	isc_region_t sr;
+	unsigned int i, j;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+
+	REQUIRE(rdata->type == dns_rdatatype_nxt);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+	dns_rdata_toregion(rdata, &sr);
+	dns_name_fromregion(&name, &sr);
+	isc_region_consume(&sr, name_length(&name));
+	sub = name_prefix(&name, tctx->origin, &prefix);
+	RETERR(dns_name_totext(&prefix, sub, target));
+
+	for (i = 0; i < sr.length; i++) {
+		if (sr.base[i] != 0) {
+			for (j = 0; j < 8; j++) {
+				if ((sr.base[i] & (0x80 >> j)) != 0) {
+					{
+						dns_rdatatype_t t = i * 8 + j;
+						RETERR(str_totext(" ", target));
+						if (dns_rdatatype_isknown(t)) {
+							RETERR(dns_rdatatype_totext(
+								t, target));
+						} else {
+							char buf[sizeof("6553"
+									"5")];
+							snprintf(buf,
+								 sizeof(buf),
+								 "%u", t);
+							RETERR(str_totext(
+								buf, target));
+						}
+					}
+				}
+			}
+		}
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+fromwire_nxt(ARGS_FROMWIRE) {
+	isc_region_t sr;
+	dns_name_t name;
+
+	REQUIRE(type == dns_rdatatype_nxt);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+	dns_name_init(&name, NULL);
+	RETERR(dns_name_fromwire(&name, source, dctx, options, target));
+
+	isc_buffer_activeregion(source, &sr);
+	if (sr.length > 0 && ((sr.base[0] & 0x80) != 0 || sr.length > 16 ||
+			      sr.base[sr.length - 1] == 0))
+	{
+		return (DNS_R_BADBITMAP);
+	}
+	RETERR(mem_tobuffer(target, sr.base, sr.length));
+	isc_buffer_forward(source, sr.length);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+towire_nxt(ARGS_TOWIRE) {
+	isc_region_t sr;
+	dns_name_t name;
+	dns_offsets_t offsets;
+
+	REQUIRE(rdata->type == dns_rdatatype_nxt);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &sr);
+	dns_name_fromregion(&name, &sr);
+	isc_region_consume(&sr, name_length(&name));
+	RETERR(dns_name_towire(&name, cctx, target));
+
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static int
+compare_nxt(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+	dns_name_t name1;
+	dns_name_t name2;
+	int order;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_nxt);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	dns_name_fromregion(&name1, &r1);
+	dns_name_fromregion(&name2, &r2);
+	order = dns_name_rdatacompare(&name1, &name2);
+	if (order != 0) {
+		return (order);
+	}
+
+	isc_region_consume(&r1, name_length(&name1));
+	isc_region_consume(&r2, name_length(&name2));
+
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+fromstruct_nxt(ARGS_FROMSTRUCT) {
+	dns_rdata_nxt_t *nxt = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_nxt);
+	REQUIRE(nxt != NULL);
+	REQUIRE(nxt->common.rdtype == type);
+	REQUIRE(nxt->common.rdclass == rdclass);
+	REQUIRE(nxt->typebits != NULL || nxt->len == 0);
+	if (nxt->typebits != NULL && (nxt->typebits[0] & 0x80) == 0) {
+		REQUIRE(nxt->len <= 16);
+		REQUIRE(nxt->typebits[nxt->len - 1] != 0);
+	}
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_name_toregion(&nxt->next, &region);
+	RETERR(isc_buffer_copyregion(target, &region));
+
+	return (mem_tobuffer(target, nxt->typebits, nxt->len));
+}
+
+static isc_result_t
+tostruct_nxt(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_nxt_t *nxt = target;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_nxt);
+	REQUIRE(nxt != NULL);
+	REQUIRE(rdata->length != 0);
+
+	nxt->common.rdclass = rdata->rdclass;
+	nxt->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&nxt->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+	isc_region_consume(&region, name_length(&name));
+	dns_name_init(&nxt->next, NULL);
+	RETERR(name_duporclone(&name, mctx, &nxt->next));
+
+	nxt->len = region.length;
+	nxt->typebits = mem_maybedup(mctx, region.base, region.length);
+	if (nxt->typebits == NULL) {
+		goto cleanup;
+	}
+
+	nxt->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	if (mctx != NULL) {
+		dns_name_free(&nxt->next, mctx);
+	}
+	return (ISC_R_NOMEMORY);
+}
+
+static void
+freestruct_nxt(ARGS_FREESTRUCT) {
+	dns_rdata_nxt_t *nxt = source;
+
+	REQUIRE(nxt != NULL);
+	REQUIRE(nxt->common.rdtype == dns_rdatatype_nxt);
+
+	if (nxt->mctx == NULL) {
+		return;
+	}
+
+	dns_name_free(&nxt->next, nxt->mctx);
+	if (nxt->typebits != NULL) {
+		isc_mem_free(nxt->mctx, nxt->typebits);
+	}
+	nxt->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_nxt(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_nxt);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_nxt(ARGS_DIGEST) {
+	isc_region_t r;
+	dns_name_t name;
+	isc_result_t result;
+
+	REQUIRE(rdata->type == dns_rdatatype_nxt);
+
+	dns_rdata_toregion(rdata, &r);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r);
+	result = dns_name_digest(&name, digest, arg);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	isc_region_consume(&r, name_length(&name));
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_nxt(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_nxt);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_nxt(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_nxt);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_nxt(ARGS_COMPARE) {
+	return (compare_nxt(rdata1, rdata2));
+}
+#endif /* RDATA_GENERIC_NXT_30_C */
diff --git a/lib/dns/rdata/generic/nxt_30.h b/lib/dns/rdata/generic/nxt_30.h
new file mode 100644
index 0000000..a7cae69
--- /dev/null
+++ b/lib/dns/rdata/generic/nxt_30.h
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_NXT_30_H
+#define GENERIC_NXT_30_H 1
+
+/*!
+ *  \brief RFC2535 */
+
+typedef struct dns_rdata_nxt {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	dns_name_t next;
+	unsigned char *typebits;
+	uint16_t len;
+} dns_rdata_nxt_t;
+
+#endif /* GENERIC_NXT_30_H */
diff --git a/lib/dns/rdata/generic/openpgpkey_61.c b/lib/dns/rdata/generic/openpgpkey_61.c
new file mode 100644
index 0000000..719c081
--- /dev/null
+++ b/lib/dns/rdata/generic/openpgpkey_61.c
@@ -0,0 +1,249 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_OPENPGPKEY_61_C
+#define RDATA_GENERIC_OPENPGPKEY_61_C
+
+#define RRTYPE_OPENPGPKEY_ATTRIBUTES 0
+
+static isc_result_t
+fromtext_openpgpkey(ARGS_FROMTEXT) {
+	REQUIRE(type == dns_rdatatype_openpgpkey);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+	UNUSED(options);
+	UNUSED(origin);
+
+	/*
+	 * Keyring.
+	 */
+	return (isc_base64_tobuffer(lexer, target, -2));
+}
+
+static isc_result_t
+totext_openpgpkey(ARGS_TOTEXT) {
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_openpgpkey);
+	REQUIRE(rdata->length != 0);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/*
+	 * Keyring
+	 */
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+		RETERR(str_totext("( ", target));
+	}
+
+	if ((tctx->flags & DNS_STYLEFLAG_NOCRYPTO) == 0) {
+		if (tctx->width == 0) { /* No splitting */
+			RETERR(isc_base64_totext(&sr, 60, "", target));
+		} else {
+			RETERR(isc_base64_totext(&sr, tctx->width - 2,
+						 tctx->linebreak, target));
+		}
+	} else {
+		RETERR(str_totext("[omitted]", target));
+	}
+
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+		RETERR(str_totext(" )", target));
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+fromwire_openpgpkey(ARGS_FROMWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(type == dns_rdatatype_openpgpkey);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+	UNUSED(options);
+
+	/*
+	 * Keyring.
+	 */
+	isc_buffer_activeregion(source, &sr);
+	if (sr.length < 1) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	isc_buffer_forward(source, sr.length);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static isc_result_t
+towire_openpgpkey(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_openpgpkey);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static int
+compare_openpgpkey(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_openpgpkey);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+fromstruct_openpgpkey(ARGS_FROMSTRUCT) {
+	dns_rdata_openpgpkey_t *sig = source;
+
+	REQUIRE(type == dns_rdatatype_openpgpkey);
+	REQUIRE(sig != NULL);
+	REQUIRE(sig->common.rdtype == type);
+	REQUIRE(sig->common.rdclass == rdclass);
+	REQUIRE(sig->keyring != NULL && sig->length != 0);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	/*
+	 * Keyring.
+	 */
+	return (mem_tobuffer(target, sig->keyring, sig->length));
+}
+
+static isc_result_t
+tostruct_openpgpkey(ARGS_TOSTRUCT) {
+	isc_region_t sr;
+	dns_rdata_openpgpkey_t *sig = target;
+
+	REQUIRE(rdata->type == dns_rdatatype_openpgpkey);
+	REQUIRE(sig != NULL);
+	REQUIRE(rdata->length != 0);
+
+	sig->common.rdclass = rdata->rdclass;
+	sig->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&sig->common, link);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/*
+	 * Keyring.
+	 */
+	sig->length = sr.length;
+	sig->keyring = mem_maybedup(mctx, sr.base, sig->length);
+	if (sig->keyring == NULL) {
+		goto cleanup;
+	}
+
+	sig->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	return (ISC_R_NOMEMORY);
+}
+
+static void
+freestruct_openpgpkey(ARGS_FREESTRUCT) {
+	dns_rdata_openpgpkey_t *sig = (dns_rdata_openpgpkey_t *)source;
+
+	REQUIRE(sig != NULL);
+	REQUIRE(sig->common.rdtype == dns_rdatatype_openpgpkey);
+
+	if (sig->mctx == NULL) {
+		return;
+	}
+
+	if (sig->keyring != NULL) {
+		isc_mem_free(sig->mctx, sig->keyring);
+	}
+	sig->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_openpgpkey(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_openpgpkey);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_openpgpkey(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_openpgpkey);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_openpgpkey(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_openpgpkey);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_openpgpkey(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_openpgpkey);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_openpgpkey(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_openpgpkey);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+
+	return (isc_region_compare(&r1, &r2));
+}
+
+#endif /* RDATA_GENERIC_OPENPGPKEY_61_C */
diff --git a/lib/dns/rdata/generic/openpgpkey_61.h b/lib/dns/rdata/generic/openpgpkey_61.h
new file mode 100644
index 0000000..b78923b
--- /dev/null
+++ b/lib/dns/rdata/generic/openpgpkey_61.h
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_OPENPGPKEY_61_H
+#define GENERIC_OPENPGPKEY_61_H 1
+
+typedef struct dns_rdata_openpgpkey {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	uint16_t length;
+	unsigned char *keyring;
+} dns_rdata_openpgpkey_t;
+
+#endif /* GENERIC_OPENPGPKEY_61_H */
diff --git a/lib/dns/rdata/generic/opt_41.c b/lib/dns/rdata/generic/opt_41.c
new file mode 100644
index 0000000..8aa7b52
--- /dev/null
+++ b/lib/dns/rdata/generic/opt_41.c
@@ -0,0 +1,472 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC2671 */
+
+#ifndef RDATA_GENERIC_OPT_41_C
+#define RDATA_GENERIC_OPT_41_C
+
+#define RRTYPE_OPT_ATTRIBUTES                                   \
+	(DNS_RDATATYPEATTR_SINGLETON | DNS_RDATATYPEATTR_META | \
+	 DNS_RDATATYPEATTR_NOTQUESTION)
+
+#include <isc/utf8.h>
+
+static isc_result_t
+fromtext_opt(ARGS_FROMTEXT) {
+	/*
+	 * OPT records do not have a text format.
+	 */
+
+	REQUIRE(type == dns_rdatatype_opt);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(lexer);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(target);
+	UNUSED(callbacks);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static isc_result_t
+totext_opt(ARGS_TOTEXT) {
+	isc_region_t r;
+	isc_region_t or ;
+	uint16_t option;
+	uint16_t length;
+	char buf[sizeof("64000 64000")];
+
+	/*
+	 * OPT records do not have a text format.
+	 */
+
+	REQUIRE(rdata->type == dns_rdatatype_opt);
+
+	dns_rdata_toregion(rdata, &r);
+	while (r.length > 0) {
+		option = uint16_fromregion(&r);
+		isc_region_consume(&r, 2);
+		length = uint16_fromregion(&r);
+		isc_region_consume(&r, 2);
+		snprintf(buf, sizeof(buf), "%u %u", option, length);
+		RETERR(str_totext(buf, target));
+		INSIST(r.length >= length);
+		if (length > 0) {
+			if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+				RETERR(str_totext(" (", target));
+			}
+			RETERR(str_totext(tctx->linebreak, target));
+			or = r;
+			or.length = length;
+			if (tctx->width == 0) { /* No splitting */
+				RETERR(isc_base64_totext(& or, 60, "", target));
+			} else {
+				RETERR(isc_base64_totext(& or, tctx->width - 2,
+							 tctx->linebreak,
+							 target));
+			}
+			isc_region_consume(&r, length);
+			if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+				RETERR(str_totext(" )", target));
+			}
+		}
+		if (r.length > 0) {
+			RETERR(str_totext(" ", target));
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+fromwire_opt(ARGS_FROMWIRE) {
+	isc_region_t sregion;
+	isc_region_t tregion;
+	uint16_t opt;
+	uint16_t length;
+	unsigned int total;
+
+	REQUIRE(type == dns_rdatatype_opt);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+	UNUSED(options);
+
+	isc_buffer_activeregion(source, &sregion);
+	if (sregion.length == 0) {
+		return (ISC_R_SUCCESS);
+	}
+	total = 0;
+	while (sregion.length != 0) {
+		if (sregion.length < 4) {
+			return (ISC_R_UNEXPECTEDEND);
+		}
+		opt = uint16_fromregion(&sregion);
+		isc_region_consume(&sregion, 2);
+		length = uint16_fromregion(&sregion);
+		isc_region_consume(&sregion, 2);
+		total += 4;
+		if (sregion.length < length) {
+			return (ISC_R_UNEXPECTEDEND);
+		}
+		switch (opt) {
+		case DNS_OPT_LLQ:
+			if (length != 18U) {
+				return (DNS_R_OPTERR);
+			}
+			isc_region_consume(&sregion, length);
+			break;
+		case DNS_OPT_CLIENT_SUBNET: {
+			uint16_t family;
+			uint8_t addrlen;
+			uint8_t scope;
+			uint8_t addrbytes;
+
+			if (length < 4) {
+				return (DNS_R_OPTERR);
+			}
+			family = uint16_fromregion(&sregion);
+			isc_region_consume(&sregion, 2);
+			addrlen = uint8_fromregion(&sregion);
+			isc_region_consume(&sregion, 1);
+			scope = uint8_fromregion(&sregion);
+			isc_region_consume(&sregion, 1);
+
+			switch (family) {
+			case 0:
+				/*
+				 * XXXMUKS: In queries and replies, if
+				 * FAMILY is set to 0, SOURCE
+				 * PREFIX-LENGTH and SCOPE PREFIX-LENGTH
+				 * must be 0 and ADDRESS should not be
+				 * present as the address and prefix
+				 * lengths don't make sense because the
+				 * family is unknown.
+				 */
+				if (addrlen != 0U || scope != 0U) {
+					return (DNS_R_OPTERR);
+				}
+				break;
+			case 1:
+				if (addrlen > 32U || scope > 32U) {
+					return (DNS_R_OPTERR);
+				}
+				break;
+			case 2:
+				if (addrlen > 128U || scope > 128U) {
+					return (DNS_R_OPTERR);
+				}
+				break;
+			default:
+				return (DNS_R_OPTERR);
+			}
+			addrbytes = (addrlen + 7) / 8;
+			if (addrbytes + 4 != length) {
+				return (DNS_R_OPTERR);
+			}
+
+			if (addrbytes != 0U && (addrlen % 8) != 0) {
+				uint8_t bits = ~0U << (8 - (addrlen % 8));
+				bits &= sregion.base[addrbytes - 1];
+				if (bits != sregion.base[addrbytes - 1]) {
+					return (DNS_R_OPTERR);
+				}
+			}
+			isc_region_consume(&sregion, addrbytes);
+			break;
+		}
+		case DNS_OPT_EXPIRE:
+			/*
+			 * Request has zero length.  Response is 32 bits.
+			 */
+			if (length != 0 && length != 4) {
+				return (DNS_R_OPTERR);
+			}
+			isc_region_consume(&sregion, length);
+			break;
+		case DNS_OPT_COOKIE:
+			/*
+			 * Client cookie alone has length 8.
+			 * Client + server cookie is 8 + [8..32].
+			 */
+			if (length != 8 && (length < 16 || length > 40)) {
+				return (DNS_R_OPTERR);
+			}
+			isc_region_consume(&sregion, length);
+			break;
+		case DNS_OPT_KEY_TAG:
+			if (length == 0 || (length % 2) != 0) {
+				return (DNS_R_OPTERR);
+			}
+			isc_region_consume(&sregion, length);
+			break;
+		case DNS_OPT_EDE:
+			if (length < 2) {
+				return (DNS_R_OPTERR);
+			}
+			/* UTF-8 Byte Order Mark is not permitted. RFC 5198 */
+			if (isc_utf8_bom(sregion.base + 2, length - 2)) {
+				return (DNS_R_OPTERR);
+			}
+			/*
+			 * The EXTRA-TEXT field is specified as UTF-8, and
+			 * therefore must be validated for correctness
+			 * according to RFC 3269 security considerations.
+			 */
+			if (!isc_utf8_valid(sregion.base + 2, length - 2)) {
+				return (DNS_R_OPTERR);
+			}
+			isc_region_consume(&sregion, length);
+			break;
+		case DNS_OPT_CLIENT_TAG:
+			FALLTHROUGH;
+		case DNS_OPT_SERVER_TAG:
+			if (length != 2) {
+				return (DNS_R_OPTERR);
+			}
+			isc_region_consume(&sregion, length);
+			break;
+		default:
+			isc_region_consume(&sregion, length);
+			break;
+		}
+		total += length;
+	}
+
+	isc_buffer_activeregion(source, &sregion);
+	isc_buffer_availableregion(target, &tregion);
+	if (tregion.length < total) {
+		return (ISC_R_NOSPACE);
+	}
+	memmove(tregion.base, sregion.base, total);
+	isc_buffer_forward(source, total);
+	isc_buffer_add(target, total);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+towire_opt(ARGS_TOWIRE) {
+	REQUIRE(rdata->type == dns_rdatatype_opt);
+
+	UNUSED(cctx);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static int
+compare_opt(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_opt);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+fromstruct_opt(ARGS_FROMSTRUCT) {
+	dns_rdata_opt_t *opt = source;
+	isc_region_t region;
+	uint16_t length;
+
+	REQUIRE(type == dns_rdatatype_opt);
+	REQUIRE(opt != NULL);
+	REQUIRE(opt->common.rdtype == type);
+	REQUIRE(opt->common.rdclass == rdclass);
+	REQUIRE(opt->options != NULL || opt->length == 0);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	region.base = opt->options;
+	region.length = opt->length;
+	while (region.length >= 4) {
+		isc_region_consume(&region, 2); /* opt */
+		length = uint16_fromregion(&region);
+		isc_region_consume(&region, 2);
+		if (region.length < length) {
+			return (ISC_R_UNEXPECTEDEND);
+		}
+		isc_region_consume(&region, length);
+	}
+	if (region.length != 0) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	return (mem_tobuffer(target, opt->options, opt->length));
+}
+
+static isc_result_t
+tostruct_opt(ARGS_TOSTRUCT) {
+	dns_rdata_opt_t *opt = target;
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_opt);
+	REQUIRE(opt != NULL);
+
+	opt->common.rdclass = rdata->rdclass;
+	opt->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&opt->common, link);
+
+	dns_rdata_toregion(rdata, &r);
+	opt->length = r.length;
+	opt->options = mem_maybedup(mctx, r.base, r.length);
+	if (opt->options == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	opt->offset = 0;
+	opt->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_opt(ARGS_FREESTRUCT) {
+	dns_rdata_opt_t *opt = source;
+
+	REQUIRE(opt != NULL);
+	REQUIRE(opt->common.rdtype == dns_rdatatype_opt);
+
+	if (opt->mctx == NULL) {
+		return;
+	}
+
+	if (opt->options != NULL) {
+		isc_mem_free(opt->mctx, opt->options);
+	}
+	opt->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_opt(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_opt);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_opt(ARGS_DIGEST) {
+	/*
+	 * OPT records are not digested.
+	 */
+
+	REQUIRE(rdata->type == dns_rdatatype_opt);
+
+	UNUSED(rdata);
+	UNUSED(digest);
+	UNUSED(arg);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static bool
+checkowner_opt(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_opt);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (dns_name_equal(name, dns_rootname));
+}
+
+static bool
+checknames_opt(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_opt);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_opt(ARGS_COMPARE) {
+	return (compare_opt(rdata1, rdata2));
+}
+
+isc_result_t
+dns_rdata_opt_first(dns_rdata_opt_t *opt) {
+	REQUIRE(opt != NULL);
+	REQUIRE(opt->common.rdtype == dns_rdatatype_opt);
+	REQUIRE(opt->options != NULL || opt->length == 0);
+
+	if (opt->length == 0) {
+		return (ISC_R_NOMORE);
+	}
+
+	opt->offset = 0;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_rdata_opt_next(dns_rdata_opt_t *opt) {
+	isc_region_t r;
+	uint16_t length;
+
+	REQUIRE(opt != NULL);
+	REQUIRE(opt->common.rdtype == dns_rdatatype_opt);
+	REQUIRE(opt->options != NULL && opt->length != 0);
+	REQUIRE(opt->offset < opt->length);
+
+	INSIST(opt->offset + 4 <= opt->length);
+	r.base = opt->options + opt->offset + 2;
+	r.length = opt->length - opt->offset - 2;
+	length = uint16_fromregion(&r);
+	INSIST(opt->offset + 4 + length <= opt->length);
+	opt->offset = opt->offset + 4 + length;
+	if (opt->offset == opt->length) {
+		return (ISC_R_NOMORE);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_rdata_opt_current(dns_rdata_opt_t *opt, dns_rdata_opt_opcode_t *opcode) {
+	isc_region_t r;
+
+	REQUIRE(opt != NULL);
+	REQUIRE(opcode != NULL);
+	REQUIRE(opt->common.rdtype == dns_rdatatype_opt);
+	REQUIRE(opt->options != NULL);
+	REQUIRE(opt->offset < opt->length);
+
+	INSIST(opt->offset + 4 <= opt->length);
+	r.base = opt->options + opt->offset;
+	r.length = opt->length - opt->offset;
+
+	opcode->opcode = uint16_fromregion(&r);
+	isc_region_consume(&r, 2);
+	opcode->length = uint16_fromregion(&r);
+	isc_region_consume(&r, 2);
+	opcode->data = r.base;
+	INSIST(opt->offset + 4 + opcode->length <= opt->length);
+
+	return (ISC_R_SUCCESS);
+}
+
+#endif /* RDATA_GENERIC_OPT_41_C */
diff --git a/lib/dns/rdata/generic/opt_41.h b/lib/dns/rdata/generic/opt_41.h
new file mode 100644
index 0000000..a5e4c0d
--- /dev/null
+++ b/lib/dns/rdata/generic/opt_41.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_OPT_41_H
+#define GENERIC_OPT_41_H 1
+
+/*!
+ *  \brief Per RFC2671 */
+
+typedef struct dns_rdata_opt_opcode {
+	uint16_t opcode;
+	uint16_t length;
+	unsigned char *data;
+} dns_rdata_opt_opcode_t;
+
+typedef struct dns_rdata_opt {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	unsigned char *options;
+	uint16_t length;
+	/* private */
+	uint16_t offset;
+} dns_rdata_opt_t;
+
+/*
+ * ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS are already done
+ * via rdatastructpre.h and rdatastructsuf.h.
+ */
+
+isc_result_t
+dns_rdata_opt_first(dns_rdata_opt_t *);
+
+isc_result_t
+dns_rdata_opt_next(dns_rdata_opt_t *);
+
+isc_result_t
+dns_rdata_opt_current(dns_rdata_opt_t *, dns_rdata_opt_opcode_t *);
+
+#endif /* GENERIC_OPT_41_H */
diff --git a/lib/dns/rdata/generic/proforma.c b/lib/dns/rdata/generic/proforma.c
new file mode 100644
index 0000000..9d97699
--- /dev/null
+++ b/lib/dns/rdata/generic/proforma.c
@@ -0,0 +1,164 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_ #_ #_C
+#define RDATA_GENERIC_ #_ #_C
+
+#define RRTYPE_ #_ATTRIBUTES(0)
+
+static isc_result_t fromtext_ #(ARGS_FROMTEXT) {
+	isc_token_t token;
+
+	REQUIRE(type == dns_rdatatype_proforma.c #);
+	REQUIRE(rdclass == #);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static isc_result_t totext_ #(ARGS_TOTEXT) {
+	REQUIRE(rdata->type == dns_rdatatype_proforma.c #);
+	REQUIRE(rdata->rdclass == #);
+	REQUIRE(rdata->length != 0); /* XXX */
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static isc_result_t fromwire_ #(ARGS_FROMWIRE) {
+	REQUIRE(type == dns_rdatatype_proforma.c #);
+	REQUIRE(rdclass == #);
+
+	/* NONE or GLOBAL14 */
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static isc_result_t towire_ #(ARGS_TOWIRE) {
+	REQUIRE(rdata->type == dns_rdatatype_proforma.c #);
+	REQUIRE(rdata->rdclass == #);
+	REQUIRE(rdata->length != 0); /* XXX */
+
+	/* NONE or GLOBAL14 */
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static int compare_ #(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == dns_rdatatype_proforma.crdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_proforma.c #);
+	REQUIRE(rdata1->rdclass == #);
+	REQUIRE(rdata1->length != 0); /* XXX */
+	REQUIRE(rdata2->length != 0); /* XXX */
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t fromstruct_ #(ARGS_FROMSTRUCT) {
+	dns_rdata_ #_t *# = source;
+
+	REQUIRE(type == dns_rdatatype_proforma.c #);
+	REQUIRE(rdclass == #);
+	REQUIRE(# != NULL);
+	REQUIRE(#->common.rdtype == dns_rdatatype_proforma.ctype);
+	REQUIRE(#->common.rdclass == rdclass);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static isc_result_t tostruct_ #(ARGS_TOSTRUCT) {
+	REQUIRE(rdata->type == dns_rdatatype_proforma.c #);
+	REQUIRE(rdata->rdclass == #);
+	REQUIRE(rdata->length != 0); /* XXX */
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static void freestruct_ #(ARGS_FREESTRUCT) {
+	dns_rdata_ #_t *# = source;
+
+	REQUIRE(# != NULL);
+	REQUIRE(#->common.rdtype == dns_rdatatype_proforma.c #);
+	REQUIRE(#->common.rdclass == #);
+}
+
+static isc_result_t additionaldata_ #(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_proforma.c #);
+	REQUIRE(rdata->rdclass == #);
+
+	(void)add;
+	(void)arg;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t digest_ #(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_proforma.c #);
+	REQUIRE(rdata->rdclass == #);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool checkowner_ #(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_proforma.c #);
+	REQUIRE(rdclass == #);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool checknames_ #(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_proforma.c #);
+	REQUIRE(rdata->rdclass == #);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int casecompare_ #(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == dns_rdatatype_proforma.crdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_proforma.c #);
+	REQUIRE(rdata1->rdclass == #);
+	REQUIRE(rdata1->length != 0); /* XXX */
+	REQUIRE(rdata2->length != 0); /* XXX */
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+#endif /* RDATA_GENERIC_#_#_C */
diff --git a/lib/dns/rdata/generic/proforma.h b/lib/dns/rdata/generic/proforma.h
new file mode 100644
index 0000000..5610c06
--- /dev/null
+++ b/lib/dns/rdata/generic/proforma.h
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef GENERIC_PROFORMA_H
+#define GENERIC_PROFORMA_H 1
+
+typedef struct dns_rdata_ #{
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx; /* if required */
+			 /* type & class specific elements */
+}
+dns_rdata_ #_t;
+
+#endif /* GENERIC_PROFORMA_H */
diff --git a/lib/dns/rdata/generic/ptr_12.c b/lib/dns/rdata/generic/ptr_12.c
new file mode 100644
index 0000000..5d39300
--- /dev/null
+++ b/lib/dns/rdata/generic/ptr_12.c
@@ -0,0 +1,278 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_PTR_12_C
+#define RDATA_GENERIC_PTR_12_C
+
+#define RRTYPE_PTR_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_ptr(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+
+	REQUIRE(type == dns_rdatatype_ptr);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL) {
+		origin = dns_rootname;
+	}
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	if (rdclass == dns_rdataclass_in &&
+	    (options & DNS_RDATA_CHECKNAMES) != 0 &&
+	    (options & DNS_RDATA_CHECKREVERSE) != 0)
+	{
+		bool ok;
+		ok = dns_name_ishostname(&name, false);
+		if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0) {
+			RETTOK(DNS_R_BADNAME);
+		}
+		if (!ok && callbacks != NULL) {
+			warn_badname(&name, lexer, callbacks);
+		}
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+totext_ptr(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+
+	REQUIRE(rdata->type == dns_rdatatype_ptr);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	sub = name_prefix(&name, tctx->origin, &prefix);
+
+	return (dns_name_totext(&prefix, sub, target));
+}
+
+static isc_result_t
+fromwire_ptr(ARGS_FROMWIRE) {
+	dns_name_t name;
+
+	REQUIRE(type == dns_rdatatype_ptr);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&name, NULL);
+	return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static isc_result_t
+towire_ptr(ARGS_TOWIRE) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_ptr);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	return (dns_name_towire(&name, cctx, target));
+}
+
+static int
+compare_ptr(ARGS_COMPARE) {
+	dns_name_t name1;
+	dns_name_t name2;
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_ptr);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static isc_result_t
+fromstruct_ptr(ARGS_FROMSTRUCT) {
+	dns_rdata_ptr_t *ptr = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_ptr);
+	REQUIRE(ptr != NULL);
+	REQUIRE(ptr->common.rdtype == type);
+	REQUIRE(ptr->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_name_toregion(&ptr->ptr, &region);
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static isc_result_t
+tostruct_ptr(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_ptr_t *ptr = target;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_ptr);
+	REQUIRE(ptr != NULL);
+	REQUIRE(rdata->length != 0);
+
+	ptr->common.rdclass = rdata->rdclass;
+	ptr->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&ptr->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&ptr->ptr, NULL);
+	RETERR(name_duporclone(&name, mctx, &ptr->ptr));
+	ptr->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_ptr(ARGS_FREESTRUCT) {
+	dns_rdata_ptr_t *ptr = source;
+
+	REQUIRE(ptr != NULL);
+	REQUIRE(ptr->common.rdtype == dns_rdatatype_ptr);
+
+	if (ptr->mctx == NULL) {
+		return;
+	}
+
+	dns_name_free(&ptr->ptr, ptr->mctx);
+	ptr->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_ptr(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_ptr);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_ptr(ARGS_DIGEST) {
+	isc_region_t r;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_ptr);
+
+	dns_rdata_toregion(rdata, &r);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r);
+
+	return (dns_name_digest(&name, digest, arg));
+}
+
+static bool
+checkowner_ptr(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_ptr);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static unsigned char ip6_arpa_data[] = "\003IP6\004ARPA";
+static unsigned char ip6_arpa_offsets[] = { 0, 4, 9 };
+static const dns_name_t ip6_arpa = DNS_NAME_INITABSOLUTE(ip6_arpa_data,
+							 ip6_arpa_offsets);
+
+static unsigned char ip6_int_data[] = "\003IP6\003INT";
+static unsigned char ip6_int_offsets[] = { 0, 4, 8 };
+static const dns_name_t ip6_int = DNS_NAME_INITABSOLUTE(ip6_int_data,
+							ip6_int_offsets);
+
+static unsigned char in_addr_arpa_data[] = "\007IN-ADDR\004ARPA";
+static unsigned char in_addr_arpa_offsets[] = { 0, 8, 13 };
+static const dns_name_t in_addr_arpa =
+	DNS_NAME_INITABSOLUTE(in_addr_arpa_data, in_addr_arpa_offsets);
+
+static bool
+checknames_ptr(ARGS_CHECKNAMES) {
+	isc_region_t region;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_ptr);
+
+	if (rdata->rdclass != dns_rdataclass_in) {
+		return (true);
+	}
+
+	if (dns_name_isdnssd(owner)) {
+		return (true);
+	}
+
+	if (dns_name_issubdomain(owner, &in_addr_arpa) ||
+	    dns_name_issubdomain(owner, &ip6_arpa) ||
+	    dns_name_issubdomain(owner, &ip6_int))
+	{
+		dns_rdata_toregion(rdata, &region);
+		dns_name_init(&name, NULL);
+		dns_name_fromregion(&name, &region);
+		if (!dns_name_ishostname(&name, false)) {
+			if (bad != NULL) {
+				dns_name_clone(&name, bad);
+			}
+			return (false);
+		}
+	}
+	return (true);
+}
+
+static int
+casecompare_ptr(ARGS_COMPARE) {
+	return (compare_ptr(rdata1, rdata2));
+}
+#endif /* RDATA_GENERIC_PTR_12_C */
diff --git a/lib/dns/rdata/generic/ptr_12.h b/lib/dns/rdata/generic/ptr_12.h
new file mode 100644
index 0000000..310a4ea
--- /dev/null
+++ b/lib/dns/rdata/generic/ptr_12.h
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef GENERIC_PTR_12_H
+#define GENERIC_PTR_12_H 1
+
+typedef struct dns_rdata_ptr {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	dns_name_t ptr;
+} dns_rdata_ptr_t;
+
+#endif /* GENERIC_PTR_12_H */
diff --git a/lib/dns/rdata/generic/rkey_57.c b/lib/dns/rdata/generic/rkey_57.c
new file mode 100644
index 0000000..06d8495
--- /dev/null
+++ b/lib/dns/rdata/generic/rkey_57.c
@@ -0,0 +1,160 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_RKEY_57_C
+#define RDATA_GENERIC_RKEY_57_C
+
+#define RRTYPE_RKEY_ATTRIBUTES 0
+
+static isc_result_t
+fromtext_rkey(ARGS_FROMTEXT) {
+	REQUIRE(type == dns_rdatatype_rkey);
+
+	return (generic_fromtext_key(CALL_FROMTEXT));
+}
+
+static isc_result_t
+totext_rkey(ARGS_TOTEXT) {
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_rkey);
+
+	return (generic_totext_key(CALL_TOTEXT));
+}
+
+static isc_result_t
+fromwire_rkey(ARGS_FROMWIRE) {
+	REQUIRE(type == dns_rdatatype_rkey);
+
+	return (generic_fromwire_key(CALL_FROMWIRE));
+}
+
+static isc_result_t
+towire_rkey(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_rkey);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static int
+compare_rkey(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1 != NULL);
+	REQUIRE(rdata2 != NULL);
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_rkey);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+fromstruct_rkey(ARGS_FROMSTRUCT) {
+	REQUIRE(type == dns_rdatatype_rkey);
+
+	return (generic_fromstruct_key(CALL_FROMSTRUCT));
+}
+
+static isc_result_t
+tostruct_rkey(ARGS_TOSTRUCT) {
+	dns_rdata_rkey_t *rkey = target;
+
+	REQUIRE(rkey != NULL);
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_rkey);
+
+	rkey->common.rdclass = rdata->rdclass;
+	rkey->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&rkey->common, link);
+
+	return (generic_tostruct_key(CALL_TOSTRUCT));
+}
+
+static void
+freestruct_rkey(ARGS_FREESTRUCT) {
+	dns_rdata_rkey_t *rkey = (dns_rdata_rkey_t *)source;
+
+	REQUIRE(rkey != NULL);
+	REQUIRE(rkey->common.rdtype == dns_rdatatype_rkey);
+
+	generic_freestruct_key(source);
+}
+
+static isc_result_t
+additionaldata_rkey(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_rkey);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_rkey(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_rkey);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_rkey(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_rkey);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_rkey(ARGS_CHECKNAMES) {
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_rkey);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_rkey(ARGS_COMPARE) {
+	/*
+	 * Treat ALG 253 (private DNS) subtype name case sensitively.
+	 */
+	return (compare_rkey(rdata1, rdata2));
+}
+
+#endif /* RDATA_GENERIC_RKEY_57_C */
diff --git a/lib/dns/rdata/generic/rkey_57.h b/lib/dns/rdata/generic/rkey_57.h
new file mode 100644
index 0000000..f5665f6
--- /dev/null
+++ b/lib/dns/rdata/generic/rkey_57.h
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_RKEY_57_H
+#define GENERIC_RKEY_57_H 1
+
+typedef struct dns_rdata_key dns_rdata_rkey_t;
+
+#endif /* GENERIC_RKEY_57_H */
diff --git a/lib/dns/rdata/generic/rp_17.c b/lib/dns/rdata/generic/rp_17.c
new file mode 100644
index 0000000..3abe55d
--- /dev/null
+++ b/lib/dns/rdata/generic/rp_17.c
@@ -0,0 +1,320 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC1183 */
+
+#ifndef RDATA_GENERIC_RP_17_C
+#define RDATA_GENERIC_RP_17_C
+
+#define RRTYPE_RP_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_rp(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+	int i;
+	bool ok;
+
+	REQUIRE(type == dns_rdatatype_rp);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	if (origin == NULL) {
+		origin = dns_rootname;
+	}
+
+	for (i = 0; i < 2; i++) {
+		RETERR(isc_lex_getmastertoken(lexer, &token,
+					      isc_tokentype_string, false));
+		dns_name_init(&name, NULL);
+		buffer_fromregion(&buffer, &token.value.as_region);
+		RETTOK(dns_name_fromtext(&name, &buffer, origin, options,
+					 target));
+		ok = true;
+		if ((options & DNS_RDATA_CHECKNAMES) != 0 && i == 0) {
+			ok = dns_name_ismailbox(&name);
+		}
+		if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0) {
+			RETTOK(DNS_R_BADNAME);
+		}
+		if (!ok && callbacks != NULL) {
+			warn_badname(&name, lexer, callbacks);
+		}
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+totext_rp(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t rmail;
+	dns_name_t email;
+	dns_name_t prefix;
+	bool sub;
+
+	REQUIRE(rdata->type == dns_rdatatype_rp);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&rmail, NULL);
+	dns_name_init(&email, NULL);
+	dns_name_init(&prefix, NULL);
+
+	dns_rdata_toregion(rdata, &region);
+
+	dns_name_fromregion(&rmail, &region);
+	isc_region_consume(&region, rmail.length);
+
+	dns_name_fromregion(&email, &region);
+	isc_region_consume(&region, email.length);
+
+	sub = name_prefix(&rmail, tctx->origin, &prefix);
+	RETERR(dns_name_totext(&prefix, sub, target));
+
+	RETERR(str_totext(" ", target));
+
+	sub = name_prefix(&email, tctx->origin, &prefix);
+	return (dns_name_totext(&prefix, sub, target));
+}
+
+static isc_result_t
+fromwire_rp(ARGS_FROMWIRE) {
+	dns_name_t rmail;
+	dns_name_t email;
+
+	REQUIRE(type == dns_rdatatype_rp);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+	dns_name_init(&rmail, NULL);
+	dns_name_init(&email, NULL);
+
+	RETERR(dns_name_fromwire(&rmail, source, dctx, options, target));
+	return (dns_name_fromwire(&email, source, dctx, options, target));
+}
+
+static isc_result_t
+towire_rp(ARGS_TOWIRE) {
+	isc_region_t region;
+	dns_name_t rmail;
+	dns_name_t email;
+	dns_offsets_t roffsets;
+	dns_offsets_t eoffsets;
+
+	REQUIRE(rdata->type == dns_rdatatype_rp);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+	dns_name_init(&rmail, roffsets);
+	dns_name_init(&email, eoffsets);
+
+	dns_rdata_toregion(rdata, &region);
+
+	dns_name_fromregion(&rmail, &region);
+	isc_region_consume(&region, rmail.length);
+
+	RETERR(dns_name_towire(&rmail, cctx, target));
+
+	dns_name_fromregion(&rmail, &region);
+	isc_region_consume(&region, rmail.length);
+
+	return (dns_name_towire(&rmail, cctx, target));
+}
+
+static int
+compare_rp(ARGS_COMPARE) {
+	isc_region_t region1;
+	isc_region_t region2;
+	dns_name_t name1;
+	dns_name_t name2;
+	int order;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_rp);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	order = dns_name_rdatacompare(&name1, &name2);
+	if (order != 0) {
+		return (order);
+	}
+
+	isc_region_consume(&region1, name_length(&name1));
+	isc_region_consume(&region2, name_length(&name2));
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static isc_result_t
+fromstruct_rp(ARGS_FROMSTRUCT) {
+	dns_rdata_rp_t *rp = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_rp);
+	REQUIRE(rp != NULL);
+	REQUIRE(rp->common.rdtype == type);
+	REQUIRE(rp->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_name_toregion(&rp->mail, &region);
+	RETERR(isc_buffer_copyregion(target, &region));
+	dns_name_toregion(&rp->text, &region);
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static isc_result_t
+tostruct_rp(ARGS_TOSTRUCT) {
+	isc_result_t result;
+	isc_region_t region;
+	dns_rdata_rp_t *rp = target;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_rp);
+	REQUIRE(rp != NULL);
+	REQUIRE(rdata->length != 0);
+
+	rp->common.rdclass = rdata->rdclass;
+	rp->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&rp->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&rp->mail, NULL);
+	RETERR(name_duporclone(&name, mctx, &rp->mail));
+	isc_region_consume(&region, name_length(&name));
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&rp->text, NULL);
+	result = name_duporclone(&name, mctx, &rp->text);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	rp->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	if (mctx != NULL) {
+		dns_name_free(&rp->mail, mctx);
+	}
+	return (ISC_R_NOMEMORY);
+}
+
+static void
+freestruct_rp(ARGS_FREESTRUCT) {
+	dns_rdata_rp_t *rp = source;
+
+	REQUIRE(rp != NULL);
+	REQUIRE(rp->common.rdtype == dns_rdatatype_rp);
+
+	if (rp->mctx == NULL) {
+		return;
+	}
+
+	dns_name_free(&rp->mail, rp->mctx);
+	dns_name_free(&rp->text, rp->mctx);
+	rp->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_rp(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_rp);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_rp(ARGS_DIGEST) {
+	isc_region_t r;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_rp);
+
+	dns_rdata_toregion(rdata, &r);
+	dns_name_init(&name, NULL);
+
+	dns_name_fromregion(&name, &r);
+	RETERR(dns_name_digest(&name, digest, arg));
+	isc_region_consume(&r, name_length(&name));
+
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r);
+
+	return (dns_name_digest(&name, digest, arg));
+}
+
+static bool
+checkowner_rp(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_rp);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_rp(ARGS_CHECKNAMES) {
+	isc_region_t region;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_rp);
+
+	UNUSED(owner);
+
+	dns_rdata_toregion(rdata, &region);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+	if (!dns_name_ismailbox(&name)) {
+		if (bad != NULL) {
+			dns_name_clone(&name, bad);
+		}
+		return (false);
+	}
+	return (true);
+}
+
+static int
+casecompare_rp(ARGS_COMPARE) {
+	return (compare_rp(rdata1, rdata2));
+}
+#endif /* RDATA_GENERIC_RP_17_C */
diff --git a/lib/dns/rdata/generic/rp_17.h b/lib/dns/rdata/generic/rp_17.h
new file mode 100644
index 0000000..824b576
--- /dev/null
+++ b/lib/dns/rdata/generic/rp_17.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_RP_17_H
+#define GENERIC_RP_17_H 1
+
+/*!
+ *  \brief Per RFC1183 */
+
+typedef struct dns_rdata_rp {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	dns_name_t mail;
+	dns_name_t text;
+} dns_rdata_rp_t;
+
+#endif /* GENERIC_RP_17_H */
diff --git a/lib/dns/rdata/generic/rrsig_46.c b/lib/dns/rdata/generic/rrsig_46.c
new file mode 100644
index 0000000..8e22030
--- /dev/null
+++ b/lib/dns/rdata/generic/rrsig_46.c
@@ -0,0 +1,639 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC2535 */
+
+#ifndef RDATA_GENERIC_RRSIG_46_C
+#define RDATA_GENERIC_RRSIG_46_C
+
+#define RRTYPE_RRSIG_ATTRIBUTES                                     \
+	(DNS_RDATATYPEATTR_DNSSEC | DNS_RDATATYPEATTR_ZONECUTAUTH | \
+	 DNS_RDATATYPEATTR_ATCNAME)
+
+static isc_result_t
+fromtext_rrsig(ARGS_FROMTEXT) {
+	isc_token_t token;
+	unsigned char c;
+	long i;
+	dns_rdatatype_t covered;
+	char *e;
+	isc_result_t result;
+	dns_name_t name;
+	isc_buffer_t buffer;
+	uint32_t time_signed, time_expire;
+
+	REQUIRE(type == dns_rdatatype_rrsig);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	/*
+	 * Type covered.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	result = dns_rdatatype_fromtext(&covered, &token.value.as_textregion);
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOTIMPLEMENTED) {
+		i = strtol(DNS_AS_STR(token), &e, 10);
+		if (i < 0 || i > 65535) {
+			RETTOK(ISC_R_RANGE);
+		}
+		if (*e != 0) {
+			RETTOK(result);
+		}
+		covered = (dns_rdatatype_t)i;
+	}
+	RETERR(uint16_tobuffer(covered, target));
+
+	/*
+	 * Algorithm.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	RETTOK(dns_secalg_fromtext(&c, &token.value.as_textregion));
+	RETERR(mem_tobuffer(target, &c, 1));
+
+	/*
+	 * Labels.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	c = (unsigned char)token.value.as_ulong;
+	RETERR(mem_tobuffer(target, &c, 1));
+
+	/*
+	 * Original ttl.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	RETERR(uint32_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Signature expiration.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	if (strlen(DNS_AS_STR(token)) <= 10U && *DNS_AS_STR(token) != '-' &&
+	    *DNS_AS_STR(token) != '+')
+	{
+		char *end;
+		unsigned long u;
+		uint64_t u64;
+
+		u64 = u = strtoul(DNS_AS_STR(token), &end, 10);
+		if (u == ULONG_MAX || *end != 0) {
+			RETTOK(DNS_R_SYNTAX);
+		}
+		if (u64 > 0xffffffffUL) {
+			RETTOK(ISC_R_RANGE);
+		}
+		time_expire = u;
+	} else {
+		RETTOK(dns_time32_fromtext(DNS_AS_STR(token), &time_expire));
+	}
+	RETERR(uint32_tobuffer(time_expire, target));
+
+	/*
+	 * Time signed.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	if (strlen(DNS_AS_STR(token)) <= 10U && *DNS_AS_STR(token) != '-' &&
+	    *DNS_AS_STR(token) != '+')
+	{
+		char *end;
+		unsigned long u;
+		uint64_t u64;
+
+		u64 = u = strtoul(DNS_AS_STR(token), &end, 10);
+		if (u == ULONG_MAX || *end != 0) {
+			RETTOK(DNS_R_SYNTAX);
+		}
+		if (u64 > 0xffffffffUL) {
+			RETTOK(ISC_R_RANGE);
+		}
+		time_signed = u;
+	} else {
+		RETTOK(dns_time32_fromtext(DNS_AS_STR(token), &time_signed));
+	}
+	RETERR(uint32_tobuffer(time_signed, target));
+
+	/*
+	 * Key footprint.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Signer.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL) {
+		origin = dns_rootname;
+	}
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+
+	/*
+	 * Sig.
+	 */
+	return (isc_base64_tobuffer(lexer, target, -2));
+}
+
+static isc_result_t
+totext_rrsig(ARGS_TOTEXT) {
+	isc_region_t sr;
+	char buf[sizeof("4294967295")]; /* Also TYPE65000. */
+	dns_rdatatype_t covered;
+	unsigned long ttl;
+	unsigned long when;
+	unsigned long exp;
+	unsigned long foot;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_rrsig);
+	REQUIRE(rdata->length != 0);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/*
+	 * Type covered.
+	 */
+	covered = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	/*
+	 * XXXAG We should have something like dns_rdatatype_isknown()
+	 * that does the right thing with type 0.
+	 */
+	if (dns_rdatatype_isknown(covered) && covered != 0) {
+		RETERR(dns_rdatatype_totext(covered, target));
+	} else {
+		snprintf(buf, sizeof(buf), "TYPE%u", covered);
+		RETERR(str_totext(buf, target));
+	}
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Algorithm.
+	 */
+	snprintf(buf, sizeof(buf), "%u", sr.base[0]);
+	isc_region_consume(&sr, 1);
+	RETERR(str_totext(buf, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Labels.
+	 */
+	snprintf(buf, sizeof(buf), "%u", sr.base[0]);
+	isc_region_consume(&sr, 1);
+	RETERR(str_totext(buf, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Ttl.
+	 */
+	ttl = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+	snprintf(buf, sizeof(buf), "%lu", ttl);
+	RETERR(str_totext(buf, target));
+
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+		RETERR(str_totext(" (", target));
+	}
+	RETERR(str_totext(tctx->linebreak, target));
+
+	/*
+	 * Sig exp.
+	 */
+	exp = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+	RETERR(dns_time32_totext(exp, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Time signed.
+	 */
+	when = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+	RETERR(dns_time32_totext(when, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Footprint.
+	 */
+	foot = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	snprintf(buf, sizeof(buf), "%lu", foot);
+	RETERR(str_totext(buf, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Signer.
+	 */
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &sr);
+	isc_region_consume(&sr, name_length(&name));
+	RETERR(dns_name_totext(&name, false, target));
+
+	/*
+	 * Sig.
+	 */
+	RETERR(str_totext(tctx->linebreak, target));
+	if ((tctx->flags & DNS_STYLEFLAG_NOCRYPTO) == 0) {
+		if (tctx->width == 0) { /* No splitting */
+			RETERR(isc_base64_totext(&sr, 60, "", target));
+		} else {
+			RETERR(isc_base64_totext(&sr, tctx->width - 2,
+						 tctx->linebreak, target));
+		}
+	} else {
+		RETERR(str_totext("[omitted]", target));
+	}
+
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+		RETERR(str_totext(" )", target));
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+fromwire_rrsig(ARGS_FROMWIRE) {
+	isc_region_t sr;
+	dns_name_t name;
+
+	REQUIRE(type == dns_rdatatype_rrsig);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+	isc_buffer_activeregion(source, &sr);
+	/*
+	 * type covered: 2
+	 * algorithm: 1
+	 * labels: 1
+	 * original ttl: 4
+	 * signature expiration: 4
+	 * time signed: 4
+	 * key footprint: 2
+	 */
+	if (sr.length < 18) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	isc_buffer_forward(source, 18);
+	RETERR(mem_tobuffer(target, sr.base, 18));
+
+	/*
+	 * Signer.
+	 */
+	dns_name_init(&name, NULL);
+	RETERR(dns_name_fromwire(&name, source, dctx, options, target));
+
+	/*
+	 * Sig.
+	 */
+	isc_buffer_activeregion(source, &sr);
+	if (sr.length < 1) {
+		return (DNS_R_FORMERR);
+	}
+	isc_buffer_forward(source, sr.length);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static isc_result_t
+towire_rrsig(ARGS_TOWIRE) {
+	isc_region_t sr;
+	dns_name_t name;
+	dns_offsets_t offsets;
+
+	REQUIRE(rdata->type == dns_rdatatype_rrsig);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+	dns_rdata_toregion(rdata, &sr);
+	/*
+	 * type covered: 2
+	 * algorithm: 1
+	 * labels: 1
+	 * original ttl: 4
+	 * signature expiration: 4
+	 * time signed: 4
+	 * key footprint: 2
+	 */
+	RETERR(mem_tobuffer(target, sr.base, 18));
+	isc_region_consume(&sr, 18);
+
+	/*
+	 * Signer.
+	 */
+	dns_name_init(&name, offsets);
+	dns_name_fromregion(&name, &sr);
+	isc_region_consume(&sr, name_length(&name));
+	RETERR(dns_name_towire(&name, cctx, target));
+
+	/*
+	 * Signature.
+	 */
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static int
+compare_rrsig(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_rrsig);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+fromstruct_rrsig(ARGS_FROMSTRUCT) {
+	dns_rdata_rrsig_t *sig = source;
+
+	REQUIRE(type == dns_rdatatype_rrsig);
+	REQUIRE(sig != NULL);
+	REQUIRE(sig->common.rdtype == type);
+	REQUIRE(sig->common.rdclass == rdclass);
+	REQUIRE(sig->signature != NULL || sig->siglen == 0);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	/*
+	 * Type covered.
+	 */
+	RETERR(uint16_tobuffer(sig->covered, target));
+
+	/*
+	 * Algorithm.
+	 */
+	RETERR(uint8_tobuffer(sig->algorithm, target));
+
+	/*
+	 * Labels.
+	 */
+	RETERR(uint8_tobuffer(sig->labels, target));
+
+	/*
+	 * Original TTL.
+	 */
+	RETERR(uint32_tobuffer(sig->originalttl, target));
+
+	/*
+	 * Expire time.
+	 */
+	RETERR(uint32_tobuffer(sig->timeexpire, target));
+
+	/*
+	 * Time signed.
+	 */
+	RETERR(uint32_tobuffer(sig->timesigned, target));
+
+	/*
+	 * Key ID.
+	 */
+	RETERR(uint16_tobuffer(sig->keyid, target));
+
+	/*
+	 * Signer name.
+	 */
+	RETERR(name_tobuffer(&sig->signer, target));
+
+	/*
+	 * Signature.
+	 */
+	return (mem_tobuffer(target, sig->signature, sig->siglen));
+}
+
+static isc_result_t
+tostruct_rrsig(ARGS_TOSTRUCT) {
+	isc_region_t sr;
+	dns_rdata_rrsig_t *sig = target;
+	dns_name_t signer;
+
+	REQUIRE(rdata->type == dns_rdatatype_rrsig);
+	REQUIRE(sig != NULL);
+	REQUIRE(rdata->length != 0);
+
+	sig->common.rdclass = rdata->rdclass;
+	sig->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&sig->common, link);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/*
+	 * Type covered.
+	 */
+	sig->covered = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+
+	/*
+	 * Algorithm.
+	 */
+	sig->algorithm = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+
+	/*
+	 * Labels.
+	 */
+	sig->labels = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+
+	/*
+	 * Original TTL.
+	 */
+	sig->originalttl = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+
+	/*
+	 * Expire time.
+	 */
+	sig->timeexpire = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+
+	/*
+	 * Time signed.
+	 */
+	sig->timesigned = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+
+	/*
+	 * Key ID.
+	 */
+	sig->keyid = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+
+	dns_name_init(&signer, NULL);
+	dns_name_fromregion(&signer, &sr);
+	dns_name_init(&sig->signer, NULL);
+	RETERR(name_duporclone(&signer, mctx, &sig->signer));
+	isc_region_consume(&sr, name_length(&sig->signer));
+
+	/*
+	 * Signature.
+	 */
+	sig->siglen = sr.length;
+	sig->signature = mem_maybedup(mctx, sr.base, sig->siglen);
+	if (sig->signature == NULL) {
+		goto cleanup;
+	}
+
+	sig->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	if (mctx != NULL) {
+		dns_name_free(&sig->signer, mctx);
+	}
+	return (ISC_R_NOMEMORY);
+}
+
+static void
+freestruct_rrsig(ARGS_FREESTRUCT) {
+	dns_rdata_rrsig_t *sig = (dns_rdata_rrsig_t *)source;
+
+	REQUIRE(sig != NULL);
+	REQUIRE(sig->common.rdtype == dns_rdatatype_rrsig);
+
+	if (sig->mctx == NULL) {
+		return;
+	}
+
+	dns_name_free(&sig->signer, sig->mctx);
+	if (sig->signature != NULL) {
+		isc_mem_free(sig->mctx, sig->signature);
+	}
+	sig->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_rrsig(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_rrsig);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_rrsig(ARGS_DIGEST) {
+	REQUIRE(rdata->type == dns_rdatatype_rrsig);
+
+	UNUSED(rdata);
+	UNUSED(digest);
+	UNUSED(arg);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static dns_rdatatype_t
+covers_rrsig(dns_rdata_t *rdata) {
+	dns_rdatatype_t type;
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_rrsig);
+
+	dns_rdata_toregion(rdata, &r);
+	type = uint16_fromregion(&r);
+
+	return (type);
+}
+
+static bool
+checkowner_rrsig(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_rrsig);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_rrsig(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_rrsig);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_rrsig(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+	dns_name_t name1;
+	dns_name_t name2;
+	int order;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_rrsig);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+
+	INSIST(r1.length > 18);
+	INSIST(r2.length > 18);
+	r1.length = 18;
+	r2.length = 18;
+	order = isc_region_compare(&r1, &r2);
+	if (order != 0) {
+		return (order);
+	}
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	isc_region_consume(&r1, 18);
+	isc_region_consume(&r2, 18);
+	dns_name_fromregion(&name1, &r1);
+	dns_name_fromregion(&name2, &r2);
+	order = dns_name_rdatacompare(&name1, &name2);
+	if (order != 0) {
+		return (order);
+	}
+
+	isc_region_consume(&r1, name_length(&name1));
+	isc_region_consume(&r2, name_length(&name2));
+
+	return (isc_region_compare(&r1, &r2));
+}
+
+#endif /* RDATA_GENERIC_RRSIG_46_C */
diff --git a/lib/dns/rdata/generic/rrsig_46.h b/lib/dns/rdata/generic/rrsig_46.h
new file mode 100644
index 0000000..3d4d7a5
--- /dev/null
+++ b/lib/dns/rdata/generic/rrsig_46.h
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_DNSSIG_46_H
+#define GENERIC_DNSSIG_46_H 1
+
+/*!
+ *  \brief Per RFC2535 */
+typedef struct dns_rdata_rrsig {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	dns_rdatatype_t covered;
+	dns_secalg_t algorithm;
+	uint8_t labels;
+	uint32_t originalttl;
+	uint32_t timeexpire;
+	uint32_t timesigned;
+	uint16_t keyid;
+	dns_name_t signer;
+	uint16_t siglen;
+	unsigned char *signature;
+} dns_rdata_rrsig_t;
+
+#endif /* GENERIC_DNSSIG_46_H */
diff --git a/lib/dns/rdata/generic/rt_21.c b/lib/dns/rdata/generic/rt_21.c
new file mode 100644
index 0000000..1396b4d
--- /dev/null
+++ b/lib/dns/rdata/generic/rt_21.c
@@ -0,0 +1,322 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC1183 */
+
+#ifndef RDATA_GENERIC_RT_21_C
+#define RDATA_GENERIC_RT_21_C
+
+#define RRTYPE_RT_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_rt(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+	bool ok;
+
+	REQUIRE(type == dns_rdatatype_rt);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL) {
+		origin = dns_rootname;
+	}
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	ok = true;
+	if ((options & DNS_RDATA_CHECKNAMES) != 0) {
+		ok = dns_name_ishostname(&name, false);
+	}
+	if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0) {
+		RETTOK(DNS_R_BADNAME);
+	}
+	if (!ok && callbacks != NULL) {
+		warn_badname(&name, lexer, callbacks);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+totext_rt(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+	char buf[sizeof("64000")];
+	unsigned short num;
+
+	REQUIRE(rdata->type == dns_rdatatype_rt);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+
+	dns_rdata_toregion(rdata, &region);
+	num = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	snprintf(buf, sizeof(buf), "%u", num);
+	RETERR(str_totext(buf, target));
+	RETERR(str_totext(" ", target));
+	dns_name_fromregion(&name, &region);
+	sub = name_prefix(&name, tctx->origin, &prefix);
+	return (dns_name_totext(&prefix, sub, target));
+}
+
+static isc_result_t
+fromwire_rt(ARGS_FROMWIRE) {
+	dns_name_t name;
+	isc_region_t sregion;
+	isc_region_t tregion;
+
+	REQUIRE(type == dns_rdatatype_rt);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+	dns_name_init(&name, NULL);
+
+	isc_buffer_activeregion(source, &sregion);
+	isc_buffer_availableregion(target, &tregion);
+	if (tregion.length < 2) {
+		return (ISC_R_NOSPACE);
+	}
+	if (sregion.length < 2) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	memmove(tregion.base, sregion.base, 2);
+	isc_buffer_forward(source, 2);
+	isc_buffer_add(target, 2);
+	return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static isc_result_t
+towire_rt(ARGS_TOWIRE) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+	isc_region_t tr;
+
+	REQUIRE(rdata->type == dns_rdatatype_rt);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+	isc_buffer_availableregion(target, &tr);
+	dns_rdata_toregion(rdata, &region);
+	if (tr.length < 2) {
+		return (ISC_R_NOSPACE);
+	}
+	memmove(tr.base, region.base, 2);
+	isc_region_consume(&region, 2);
+	isc_buffer_add(target, 2);
+
+	dns_name_init(&name, offsets);
+	dns_name_fromregion(&name, &region);
+
+	return (dns_name_towire(&name, cctx, target));
+}
+
+static int
+compare_rt(ARGS_COMPARE) {
+	dns_name_t name1;
+	dns_name_t name2;
+	isc_region_t region1;
+	isc_region_t region2;
+	int order;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_rt);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	order = memcmp(rdata1->data, rdata2->data, 2);
+	if (order != 0) {
+		return (order < 0 ? -1 : 1);
+	}
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	isc_region_consume(&region1, 2);
+	isc_region_consume(&region2, 2);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static isc_result_t
+fromstruct_rt(ARGS_FROMSTRUCT) {
+	dns_rdata_rt_t *rt = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_rt);
+	REQUIRE(rt != NULL);
+	REQUIRE(rt->common.rdtype == type);
+	REQUIRE(rt->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint16_tobuffer(rt->preference, target));
+	dns_name_toregion(&rt->host, &region);
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static isc_result_t
+tostruct_rt(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_rt_t *rt = target;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_rt);
+	REQUIRE(rt != NULL);
+	REQUIRE(rdata->length != 0);
+
+	rt->common.rdclass = rdata->rdclass;
+	rt->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&rt->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	rt->preference = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&rt->host, NULL);
+	RETERR(name_duporclone(&name, mctx, &rt->host));
+
+	rt->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_rt(ARGS_FREESTRUCT) {
+	dns_rdata_rt_t *rt = source;
+
+	REQUIRE(rt != NULL);
+	REQUIRE(rt->common.rdtype == dns_rdatatype_rt);
+
+	if (rt->mctx == NULL) {
+		return;
+	}
+
+	dns_name_free(&rt->host, rt->mctx);
+	rt->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_rt(ARGS_ADDLDATA) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+	isc_result_t result;
+
+	REQUIRE(rdata->type == dns_rdatatype_rt);
+
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &region);
+	isc_region_consume(&region, 2);
+	dns_name_fromregion(&name, &region);
+
+	result = (add)(arg, &name, dns_rdatatype_x25);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	result = (add)(arg, &name, dns_rdatatype_isdn);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	return ((add)(arg, &name, dns_rdatatype_a));
+}
+
+static isc_result_t
+digest_rt(ARGS_DIGEST) {
+	isc_region_t r1, r2;
+	isc_result_t result;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_rt);
+
+	dns_rdata_toregion(rdata, &r1);
+	r2 = r1;
+	isc_region_consume(&r2, 2);
+	r1.length = 2;
+	result = (digest)(arg, &r1);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r2);
+	return (dns_name_digest(&name, digest, arg));
+}
+
+static bool
+checkowner_rt(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_rt);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_rt(ARGS_CHECKNAMES) {
+	isc_region_t region;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_rt);
+
+	UNUSED(owner);
+
+	dns_rdata_toregion(rdata, &region);
+	isc_region_consume(&region, 2);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+	if (!dns_name_ishostname(&name, false)) {
+		if (bad != NULL) {
+			dns_name_clone(&name, bad);
+		}
+		return (false);
+	}
+	return (true);
+}
+
+static int
+casecompare_rt(ARGS_COMPARE) {
+	return (compare_rt(rdata1, rdata2));
+}
+
+#endif /* RDATA_GENERIC_RT_21_C */
diff --git a/lib/dns/rdata/generic/rt_21.h b/lib/dns/rdata/generic/rt_21.h
new file mode 100644
index 0000000..24a6529
--- /dev/null
+++ b/lib/dns/rdata/generic/rt_21.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_RT_21_H
+#define GENERIC_RT_21_H 1
+
+/*!
+ *  \brief Per RFC1183 */
+
+typedef struct dns_rdata_rt {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	uint16_t preference;
+	dns_name_t host;
+} dns_rdata_rt_t;
+
+#endif /* GENERIC_RT_21_H */
diff --git a/lib/dns/rdata/generic/sig_24.c b/lib/dns/rdata/generic/sig_24.c
new file mode 100644
index 0000000..8424992
--- /dev/null
+++ b/lib/dns/rdata/generic/sig_24.c
@@ -0,0 +1,590 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC2535 */
+
+#ifndef RDATA_GENERIC_SIG_24_C
+#define RDATA_GENERIC_SIG_24_C
+
+#define RRTYPE_SIG_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_sig(ARGS_FROMTEXT) {
+	isc_token_t token;
+	unsigned char c;
+	long i;
+	dns_rdatatype_t covered;
+	char *e;
+	isc_result_t result;
+	dns_name_t name;
+	isc_buffer_t buffer;
+	uint32_t time_signed, time_expire;
+
+	REQUIRE(type == dns_rdatatype_sig);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	/*
+	 * Type covered.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	result = dns_rdatatype_fromtext(&covered, &token.value.as_textregion);
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOTIMPLEMENTED) {
+		i = strtol(DNS_AS_STR(token), &e, 10);
+		if (i < 0 || i > 65535) {
+			RETTOK(ISC_R_RANGE);
+		}
+		if (*e != 0) {
+			RETTOK(result);
+		}
+		covered = (dns_rdatatype_t)i;
+	}
+	RETERR(uint16_tobuffer(covered, target));
+
+	/*
+	 * Algorithm.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	RETTOK(dns_secalg_fromtext(&c, &token.value.as_textregion));
+	RETERR(mem_tobuffer(target, &c, 1));
+
+	/*
+	 * Labels.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	c = (unsigned char)token.value.as_ulong;
+	RETERR(mem_tobuffer(target, &c, 1));
+
+	/*
+	 * Original ttl.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	RETERR(uint32_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Signature expiration.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	RETTOK(dns_time32_fromtext(DNS_AS_STR(token), &time_expire));
+	RETERR(uint32_tobuffer(time_expire, target));
+
+	/*
+	 * Time signed.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	RETTOK(dns_time32_fromtext(DNS_AS_STR(token), &time_signed));
+	RETERR(uint32_tobuffer(time_signed, target));
+
+	/*
+	 * Key footprint.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Signer.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL) {
+		origin = dns_rootname;
+	}
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+
+	/*
+	 * Sig.
+	 */
+	return (isc_base64_tobuffer(lexer, target, -2));
+}
+
+static isc_result_t
+totext_sig(ARGS_TOTEXT) {
+	isc_region_t sr;
+	char buf[sizeof("4294967295")];
+	dns_rdatatype_t covered;
+	unsigned long ttl;
+	unsigned long when;
+	unsigned long exp;
+	unsigned long foot;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+
+	REQUIRE(rdata->type == dns_rdatatype_sig);
+	REQUIRE(rdata->length != 0);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/*
+	 * Type covered.
+	 */
+	covered = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	/*
+	 * XXXAG We should have something like dns_rdatatype_isknown()
+	 * that does the right thing with type 0.
+	 */
+	if (dns_rdatatype_isknown(covered) && covered != 0) {
+		RETERR(dns_rdatatype_totext(covered, target));
+	} else {
+		snprintf(buf, sizeof(buf), "%u", covered);
+		RETERR(str_totext(buf, target));
+	}
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Algorithm.
+	 */
+	snprintf(buf, sizeof(buf), "%u", sr.base[0]);
+	isc_region_consume(&sr, 1);
+	RETERR(str_totext(buf, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Labels.
+	 */
+	snprintf(buf, sizeof(buf), "%u", sr.base[0]);
+	isc_region_consume(&sr, 1);
+	RETERR(str_totext(buf, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Ttl.
+	 */
+	ttl = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+	snprintf(buf, sizeof(buf), "%lu", ttl);
+	RETERR(str_totext(buf, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Sig exp.
+	 */
+	exp = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+	RETERR(dns_time32_totext(exp, target));
+
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+		RETERR(str_totext(" (", target));
+	}
+	RETERR(str_totext(tctx->linebreak, target));
+
+	/*
+	 * Time signed.
+	 */
+	when = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+	RETERR(dns_time32_totext(when, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Footprint.
+	 */
+	foot = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	snprintf(buf, sizeof(buf), "%lu", foot);
+	RETERR(str_totext(buf, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Signer.
+	 */
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+	dns_name_fromregion(&name, &sr);
+	isc_region_consume(&sr, name_length(&name));
+	sub = name_prefix(&name, tctx->origin, &prefix);
+	RETERR(dns_name_totext(&prefix, sub, target));
+
+	/*
+	 * Sig.
+	 */
+	RETERR(str_totext(tctx->linebreak, target));
+	if (tctx->width == 0) { /* No splitting */
+		RETERR(isc_base64_totext(&sr, 60, "", target));
+	} else {
+		RETERR(isc_base64_totext(&sr, tctx->width - 2, tctx->linebreak,
+					 target));
+	}
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+		RETERR(str_totext(" )", target));
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+fromwire_sig(ARGS_FROMWIRE) {
+	isc_region_t sr;
+	dns_name_t name;
+
+	REQUIRE(type == dns_rdatatype_sig);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+	isc_buffer_activeregion(source, &sr);
+	/*
+	 * type covered: 2
+	 * algorithm: 1
+	 * labels: 1
+	 * original ttl: 4
+	 * signature expiration: 4
+	 * time signed: 4
+	 * key footprint: 2
+	 */
+	if (sr.length < 18) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	isc_buffer_forward(source, 18);
+	RETERR(mem_tobuffer(target, sr.base, 18));
+
+	/*
+	 * Signer.
+	 */
+	dns_name_init(&name, NULL);
+	RETERR(dns_name_fromwire(&name, source, dctx, options, target));
+
+	/*
+	 * Sig.
+	 */
+	isc_buffer_activeregion(source, &sr);
+	if (sr.length == 0) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	isc_buffer_forward(source, sr.length);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static isc_result_t
+towire_sig(ARGS_TOWIRE) {
+	isc_region_t sr;
+	dns_name_t name;
+	dns_offsets_t offsets;
+
+	REQUIRE(rdata->type == dns_rdatatype_sig);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+	dns_rdata_toregion(rdata, &sr);
+	/*
+	 * type covered: 2
+	 * algorithm: 1
+	 * labels: 1
+	 * original ttl: 4
+	 * signature expiration: 4
+	 * time signed: 4
+	 * key footprint: 2
+	 */
+	RETERR(mem_tobuffer(target, sr.base, 18));
+	isc_region_consume(&sr, 18);
+
+	/*
+	 * Signer.
+	 */
+	dns_name_init(&name, offsets);
+	dns_name_fromregion(&name, &sr);
+	isc_region_consume(&sr, name_length(&name));
+	RETERR(dns_name_towire(&name, cctx, target));
+
+	/*
+	 * Signature.
+	 */
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static int
+compare_sig(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+	dns_name_t name1;
+	dns_name_t name2;
+	int order;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_sig);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+
+	INSIST(r1.length > 18);
+	INSIST(r2.length > 18);
+	r1.length = 18;
+	r2.length = 18;
+	order = isc_region_compare(&r1, &r2);
+	if (order != 0) {
+		return (order);
+	}
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	isc_region_consume(&r1, 18);
+	isc_region_consume(&r2, 18);
+	dns_name_fromregion(&name1, &r1);
+	dns_name_fromregion(&name2, &r2);
+	order = dns_name_rdatacompare(&name1, &name2);
+	if (order != 0) {
+		return (order);
+	}
+
+	isc_region_consume(&r1, name_length(&name1));
+	isc_region_consume(&r2, name_length(&name2));
+
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+fromstruct_sig(ARGS_FROMSTRUCT) {
+	dns_rdata_sig_t *sig = source;
+
+	REQUIRE(type == dns_rdatatype_sig);
+	REQUIRE(sig != NULL);
+	REQUIRE(sig->common.rdtype == type);
+	REQUIRE(sig->common.rdclass == rdclass);
+	REQUIRE(sig->signature != NULL || sig->siglen == 0);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	/*
+	 * Type covered.
+	 */
+	RETERR(uint16_tobuffer(sig->covered, target));
+
+	/*
+	 * Algorithm.
+	 */
+	RETERR(uint8_tobuffer(sig->algorithm, target));
+
+	/*
+	 * Labels.
+	 */
+	RETERR(uint8_tobuffer(sig->labels, target));
+
+	/*
+	 * Original TTL.
+	 */
+	RETERR(uint32_tobuffer(sig->originalttl, target));
+
+	/*
+	 * Expire time.
+	 */
+	RETERR(uint32_tobuffer(sig->timeexpire, target));
+
+	/*
+	 * Time signed.
+	 */
+	RETERR(uint32_tobuffer(sig->timesigned, target));
+
+	/*
+	 * Key ID.
+	 */
+	RETERR(uint16_tobuffer(sig->keyid, target));
+
+	/*
+	 * Signer name.
+	 */
+	RETERR(name_tobuffer(&sig->signer, target));
+
+	/*
+	 * Signature.
+	 */
+	return (mem_tobuffer(target, sig->signature, sig->siglen));
+}
+
+static isc_result_t
+tostruct_sig(ARGS_TOSTRUCT) {
+	isc_region_t sr;
+	dns_rdata_sig_t *sig = target;
+	dns_name_t signer;
+
+	REQUIRE(rdata->type == dns_rdatatype_sig);
+	REQUIRE(sig != NULL);
+	REQUIRE(rdata->length != 0);
+
+	sig->common.rdclass = rdata->rdclass;
+	sig->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&sig->common, link);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/*
+	 * Type covered.
+	 */
+	sig->covered = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+
+	/*
+	 * Algorithm.
+	 */
+	sig->algorithm = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+
+	/*
+	 * Labels.
+	 */
+	sig->labels = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+
+	/*
+	 * Original TTL.
+	 */
+	sig->originalttl = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+
+	/*
+	 * Expire time.
+	 */
+	sig->timeexpire = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+
+	/*
+	 * Time signed.
+	 */
+	sig->timesigned = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+
+	/*
+	 * Key ID.
+	 */
+	sig->keyid = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+
+	dns_name_init(&signer, NULL);
+	dns_name_fromregion(&signer, &sr);
+	dns_name_init(&sig->signer, NULL);
+	RETERR(name_duporclone(&signer, mctx, &sig->signer));
+	isc_region_consume(&sr, name_length(&sig->signer));
+
+	/*
+	 * Signature.
+	 */
+	sig->siglen = sr.length;
+	sig->signature = mem_maybedup(mctx, sr.base, sig->siglen);
+	if (sig->signature == NULL) {
+		goto cleanup;
+	}
+
+	sig->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	if (mctx != NULL) {
+		dns_name_free(&sig->signer, mctx);
+	}
+	return (ISC_R_NOMEMORY);
+}
+
+static void
+freestruct_sig(ARGS_FREESTRUCT) {
+	dns_rdata_sig_t *sig = (dns_rdata_sig_t *)source;
+
+	REQUIRE(sig != NULL);
+	REQUIRE(sig->common.rdtype == dns_rdatatype_sig);
+
+	if (sig->mctx == NULL) {
+		return;
+	}
+
+	dns_name_free(&sig->signer, sig->mctx);
+	if (sig->signature != NULL) {
+		isc_mem_free(sig->mctx, sig->signature);
+	}
+	sig->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_sig(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_sig);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_sig(ARGS_DIGEST) {
+	REQUIRE(rdata->type == dns_rdatatype_sig);
+
+	UNUSED(rdata);
+	UNUSED(digest);
+	UNUSED(arg);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static dns_rdatatype_t
+covers_sig(dns_rdata_t *rdata) {
+	dns_rdatatype_t type;
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_sig);
+
+	dns_rdata_toregion(rdata, &r);
+	type = uint16_fromregion(&r);
+
+	return (type);
+}
+
+static bool
+checkowner_sig(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_sig);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_sig(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_sig);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_sig(ARGS_COMPARE) {
+	return (compare_sig(rdata1, rdata2));
+}
+#endif /* RDATA_GENERIC_SIG_24_C */
diff --git a/lib/dns/rdata/generic/sig_24.h b/lib/dns/rdata/generic/sig_24.h
new file mode 100644
index 0000000..5e5db8c
--- /dev/null
+++ b/lib/dns/rdata/generic/sig_24.h
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_SIG_24_H
+#define GENERIC_SIG_24_H 1
+
+/*!
+ *  \brief Per RFC2535 */
+
+typedef struct dns_rdata_sig_t {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	dns_rdatatype_t covered;
+	dns_secalg_t algorithm;
+	uint8_t labels;
+	uint32_t originalttl;
+	uint32_t timeexpire;
+	uint32_t timesigned;
+	uint16_t keyid;
+	dns_name_t signer;
+	uint16_t siglen;
+	unsigned char *signature;
+} dns_rdata_sig_t;
+
+#endif /* GENERIC_SIG_24_H */
diff --git a/lib/dns/rdata/generic/sink_40.c b/lib/dns/rdata/generic/sink_40.c
new file mode 100644
index 0000000..b4ad0b9
--- /dev/null
+++ b/lib/dns/rdata/generic/sink_40.c
@@ -0,0 +1,291 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_SINK_40_C
+#define RDATA_GENERIC_SINK_40_C
+
+#include <dst/dst.h>
+
+#define RRTYPE_SINK_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_sink(ARGS_FROMTEXT) {
+	isc_token_t token;
+
+	REQUIRE(type == dns_rdatatype_sink);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	/* meaning */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint8_tobuffer(token.value.as_ulong, target));
+
+	/* coding */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint8_tobuffer(token.value.as_ulong, target));
+
+	/* subcoding */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint8_tobuffer(token.value.as_ulong, target));
+
+	return (isc_base64_tobuffer(lexer, target, -1));
+}
+
+static isc_result_t
+totext_sink(ARGS_TOTEXT) {
+	isc_region_t sr;
+	char buf[sizeof("255 255 255")];
+	uint8_t meaning, coding, subcoding;
+
+	REQUIRE(rdata->type == dns_rdatatype_sink);
+	REQUIRE(rdata->length >= 3);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/* Meaning, Coding and Subcoding */
+	meaning = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+	coding = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+	subcoding = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+	snprintf(buf, sizeof(buf), "%u %u %u", meaning, coding, subcoding);
+	RETERR(str_totext(buf, target));
+
+	if (sr.length == 0U) {
+		return (ISC_R_SUCCESS);
+	}
+
+	/* data */
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+		RETERR(str_totext(" (", target));
+	}
+
+	RETERR(str_totext(tctx->linebreak, target));
+
+	if (tctx->width == 0) { /* No splitting */
+		RETERR(isc_base64_totext(&sr, 60, "", target));
+	} else {
+		RETERR(isc_base64_totext(&sr, tctx->width - 2, tctx->linebreak,
+					 target));
+	}
+
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+		RETERR(str_totext(" )", target));
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+fromwire_sink(ARGS_FROMWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(type == dns_rdatatype_sink);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+	UNUSED(options);
+
+	isc_buffer_activeregion(source, &sr);
+	if (sr.length < 3) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	RETERR(mem_tobuffer(target, sr.base, sr.length));
+	isc_buffer_forward(source, sr.length);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+towire_sink(ARGS_TOWIRE) {
+	REQUIRE(rdata->type == dns_rdatatype_sink);
+	REQUIRE(rdata->length >= 3);
+
+	UNUSED(cctx);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static int
+compare_sink(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_sink);
+	REQUIRE(rdata1->length >= 3);
+	REQUIRE(rdata2->length >= 3);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+fromstruct_sink(ARGS_FROMSTRUCT) {
+	dns_rdata_sink_t *sink = source;
+
+	REQUIRE(type == dns_rdatatype_sink);
+	REQUIRE(sink != NULL);
+	REQUIRE(sink->common.rdtype == type);
+	REQUIRE(sink->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	/* Meaning */
+	RETERR(uint8_tobuffer(sink->meaning, target));
+
+	/* Coding */
+	RETERR(uint8_tobuffer(sink->coding, target));
+
+	/* Subcoding */
+	RETERR(uint8_tobuffer(sink->subcoding, target));
+
+	/* Data */
+	return (mem_tobuffer(target, sink->data, sink->datalen));
+}
+
+static isc_result_t
+tostruct_sink(ARGS_TOSTRUCT) {
+	dns_rdata_sink_t *sink = target;
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_sink);
+	REQUIRE(sink != NULL);
+	REQUIRE(rdata->length >= 3);
+
+	sink->common.rdclass = rdata->rdclass;
+	sink->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&sink->common, link);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/* Meaning */
+	if (sr.length < 1) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	sink->meaning = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+
+	/* Coding */
+	if (sr.length < 1) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	sink->coding = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+
+	/* Subcoding */
+	if (sr.length < 1) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	sink->subcoding = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+
+	/* Data */
+	sink->datalen = sr.length;
+	sink->data = mem_maybedup(mctx, sr.base, sink->datalen);
+	if (sink->data == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	sink->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_sink(ARGS_FREESTRUCT) {
+	dns_rdata_sink_t *sink = (dns_rdata_sink_t *)source;
+
+	REQUIRE(sink != NULL);
+	REQUIRE(sink->common.rdtype == dns_rdatatype_sink);
+
+	if (sink->mctx == NULL) {
+		return;
+	}
+
+	if (sink->data != NULL) {
+		isc_mem_free(sink->mctx, sink->data);
+	}
+	sink->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_sink(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_sink);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_sink(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_sink);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_sink(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_sink);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_sink(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_sink);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_sink(ARGS_COMPARE) {
+	return (compare_sink(rdata1, rdata2));
+}
+#endif /* RDATA_GENERIC_SINK_40_C */
diff --git a/lib/dns/rdata/generic/sink_40.h b/lib/dns/rdata/generic/sink_40.h
new file mode 100644
index 0000000..b2956b7
--- /dev/null
+++ b/lib/dns/rdata/generic/sink_40.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_SINK_40_H
+#define GENERIC_SINK_40_H 1
+
+typedef struct dns_rdata_sink_t {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	uint8_t meaning;
+	uint8_t coding;
+	uint8_t subcoding;
+	uint16_t datalen;
+	unsigned char *data;
+} dns_rdata_sink_t;
+
+#endif /* GENERIC_SINK_40_H */
diff --git a/lib/dns/rdata/generic/smimea_53.c b/lib/dns/rdata/generic/smimea_53.c
new file mode 100644
index 0000000..ecdfea3
--- /dev/null
+++ b/lib/dns/rdata/generic/smimea_53.c
@@ -0,0 +1,152 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_SMIMEA_53_C
+#define RDATA_GENERIC_SMIMEA_53_C
+
+#define RRTYPE_SMIMEA_ATTRIBUTES 0
+
+static isc_result_t
+fromtext_smimea(ARGS_FROMTEXT) {
+	REQUIRE(type == dns_rdatatype_smimea);
+
+	return (generic_fromtext_tlsa(CALL_FROMTEXT));
+}
+
+static isc_result_t
+totext_smimea(ARGS_TOTEXT) {
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_smimea);
+
+	return (generic_totext_tlsa(CALL_TOTEXT));
+}
+
+static isc_result_t
+fromwire_smimea(ARGS_FROMWIRE) {
+	REQUIRE(type == dns_rdatatype_smimea);
+
+	return (generic_fromwire_tlsa(CALL_FROMWIRE));
+}
+
+static isc_result_t
+towire_smimea(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_smimea);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static int
+compare_smimea(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_smimea);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+fromstruct_smimea(ARGS_FROMSTRUCT) {
+	REQUIRE(type == dns_rdatatype_smimea);
+
+	return (generic_fromstruct_tlsa(CALL_FROMSTRUCT));
+}
+
+static isc_result_t
+tostruct_smimea(ARGS_TOSTRUCT) {
+	dns_rdata_smimea_t *smimea = target;
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_smimea);
+	REQUIRE(smimea != NULL);
+
+	smimea->common.rdclass = rdata->rdclass;
+	smimea->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&smimea->common, link);
+
+	return (generic_tostruct_tlsa(CALL_TOSTRUCT));
+}
+
+static void
+freestruct_smimea(ARGS_FREESTRUCT) {
+	dns_rdata_smimea_t *smimea = source;
+
+	REQUIRE(smimea != NULL);
+	REQUIRE(smimea->common.rdtype == dns_rdatatype_smimea);
+
+	generic_freestruct_tlsa(source);
+}
+
+static isc_result_t
+additionaldata_smimea(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_smimea);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_smimea(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_smimea);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_smimea(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_smimea);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_smimea(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_smimea);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_smimea(ARGS_COMPARE) {
+	return (compare_smimea(rdata1, rdata2));
+}
+
+#endif /* RDATA_GENERIC_SMIMEA_53_C */
diff --git a/lib/dns/rdata/generic/smimea_53.h b/lib/dns/rdata/generic/smimea_53.h
new file mode 100644
index 0000000..527f596
--- /dev/null
+++ b/lib/dns/rdata/generic/smimea_53.h
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_SMIMEA_53_H
+#define GENERIC_SMIMEA_53_H 1
+
+typedef struct dns_rdata_tlsa dns_rdata_smimea_t;
+
+#endif /* GENERIC_SMIMEA_53_H */
diff --git a/lib/dns/rdata/generic/soa_6.c b/lib/dns/rdata/generic/soa_6.c
new file mode 100644
index 0000000..70c9cd3
--- /dev/null
+++ b/lib/dns/rdata/generic/soa_6.c
@@ -0,0 +1,452 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_SOA_6_C
+#define RDATA_GENERIC_SOA_6_C
+
+#define RRTYPE_SOA_ATTRIBUTES (DNS_RDATATYPEATTR_SINGLETON)
+
+static isc_result_t
+fromtext_soa(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+	int i;
+	uint32_t n;
+	bool ok;
+
+	REQUIRE(type == dns_rdatatype_soa);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	if (origin == NULL) {
+		origin = dns_rootname;
+	}
+
+	for (i = 0; i < 2; i++) {
+		RETERR(isc_lex_getmastertoken(lexer, &token,
+					      isc_tokentype_string, false));
+
+		dns_name_init(&name, NULL);
+		buffer_fromregion(&buffer, &token.value.as_region);
+		RETTOK(dns_name_fromtext(&name, &buffer, origin, options,
+					 target));
+		ok = true;
+		if ((options & DNS_RDATA_CHECKNAMES) != 0) {
+			switch (i) {
+			case 0:
+				ok = dns_name_ishostname(&name, false);
+				break;
+			case 1:
+				ok = dns_name_ismailbox(&name);
+				break;
+			}
+		}
+		if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0) {
+			RETTOK(DNS_R_BADNAME);
+		}
+		if (!ok && callbacks != NULL) {
+			warn_badname(&name, lexer, callbacks);
+		}
+	}
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	RETERR(uint32_tobuffer(token.value.as_ulong, target));
+
+	for (i = 0; i < 4; i++) {
+		RETERR(isc_lex_getmastertoken(lexer, &token,
+					      isc_tokentype_string, false));
+		RETTOK(dns_counter_fromtext(&token.value.as_textregion, &n));
+		RETERR(uint32_tobuffer(n, target));
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static const char *soa_fieldnames[5] = { "serial", "refresh", "retry", "expire",
+					 "minimum" };
+
+static isc_result_t
+totext_soa(ARGS_TOTEXT) {
+	isc_region_t dregion;
+	dns_name_t mname;
+	dns_name_t rname;
+	dns_name_t prefix;
+	bool sub;
+	int i;
+	bool multiline;
+	bool comm;
+
+	REQUIRE(rdata->type == dns_rdatatype_soa);
+	REQUIRE(rdata->length != 0);
+
+	multiline = ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0);
+	if (multiline) {
+		comm = ((tctx->flags & DNS_STYLEFLAG_RRCOMMENT) != 0);
+	} else {
+		comm = false;
+	}
+
+	dns_name_init(&mname, NULL);
+	dns_name_init(&rname, NULL);
+	dns_name_init(&prefix, NULL);
+
+	dns_rdata_toregion(rdata, &dregion);
+
+	dns_name_fromregion(&mname, &dregion);
+	isc_region_consume(&dregion, name_length(&mname));
+
+	dns_name_fromregion(&rname, &dregion);
+	isc_region_consume(&dregion, name_length(&rname));
+
+	sub = name_prefix(&mname, tctx->origin, &prefix);
+	RETERR(dns_name_totext(&prefix, sub, target));
+
+	RETERR(str_totext(" ", target));
+
+	sub = name_prefix(&rname, tctx->origin, &prefix);
+	RETERR(dns_name_totext(&prefix, sub, target));
+
+	if (multiline) {
+		RETERR(str_totext(" (", target));
+	}
+	RETERR(str_totext(tctx->linebreak, target));
+
+	for (i = 0; i < 5; i++) {
+		char buf[sizeof("0123456789 ; ")];
+		unsigned long num;
+		num = uint32_fromregion(&dregion);
+		isc_region_consume(&dregion, 4);
+		snprintf(buf, sizeof(buf), comm ? "%-10lu ; " : "%lu", num);
+		RETERR(str_totext(buf, target));
+		if (comm) {
+			RETERR(str_totext(soa_fieldnames[i], target));
+			/* Print times in week/day/hour/minute/second form */
+			if (i >= 1) {
+				RETERR(str_totext(" (", target));
+				RETERR(dns_ttl_totext(num, true, true, target));
+				RETERR(str_totext(")", target));
+			}
+			RETERR(str_totext(tctx->linebreak, target));
+		} else if (i < 4) {
+			RETERR(str_totext(tctx->linebreak, target));
+		}
+	}
+
+	if (multiline) {
+		RETERR(str_totext(")", target));
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+fromwire_soa(ARGS_FROMWIRE) {
+	dns_name_t mname;
+	dns_name_t rname;
+	isc_region_t sregion;
+	isc_region_t tregion;
+
+	REQUIRE(type == dns_rdatatype_soa);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&mname, NULL);
+	dns_name_init(&rname, NULL);
+
+	RETERR(dns_name_fromwire(&mname, source, dctx, options, target));
+	RETERR(dns_name_fromwire(&rname, source, dctx, options, target));
+
+	isc_buffer_activeregion(source, &sregion);
+	isc_buffer_availableregion(target, &tregion);
+
+	if (sregion.length < 20) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	if (tregion.length < 20) {
+		return (ISC_R_NOSPACE);
+	}
+
+	memmove(tregion.base, sregion.base, 20);
+	isc_buffer_forward(source, 20);
+	isc_buffer_add(target, 20);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+towire_soa(ARGS_TOWIRE) {
+	isc_region_t sregion;
+	isc_region_t tregion;
+	dns_name_t mname;
+	dns_name_t rname;
+	dns_offsets_t moffsets;
+	dns_offsets_t roffsets;
+
+	REQUIRE(rdata->type == dns_rdatatype_soa);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&mname, moffsets);
+	dns_name_init(&rname, roffsets);
+
+	dns_rdata_toregion(rdata, &sregion);
+
+	dns_name_fromregion(&mname, &sregion);
+	isc_region_consume(&sregion, name_length(&mname));
+	RETERR(dns_name_towire(&mname, cctx, target));
+
+	dns_name_fromregion(&rname, &sregion);
+	isc_region_consume(&sregion, name_length(&rname));
+	RETERR(dns_name_towire(&rname, cctx, target));
+
+	isc_buffer_availableregion(target, &tregion);
+	if (tregion.length < 20) {
+		return (ISC_R_NOSPACE);
+	}
+
+	memmove(tregion.base, sregion.base, 20);
+	isc_buffer_add(target, 20);
+	return (ISC_R_SUCCESS);
+}
+
+static int
+compare_soa(ARGS_COMPARE) {
+	isc_region_t region1;
+	isc_region_t region2;
+	dns_name_t name1;
+	dns_name_t name2;
+	int order;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_soa);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	order = dns_name_rdatacompare(&name1, &name2);
+	if (order != 0) {
+		return (order);
+	}
+
+	isc_region_consume(&region1, name_length(&name1));
+	isc_region_consume(&region2, name_length(&name2));
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	order = dns_name_rdatacompare(&name1, &name2);
+	if (order != 0) {
+		return (order);
+	}
+
+	isc_region_consume(&region1, name_length(&name1));
+	isc_region_consume(&region2, name_length(&name2));
+
+	return (isc_region_compare(&region1, &region2));
+}
+
+static isc_result_t
+fromstruct_soa(ARGS_FROMSTRUCT) {
+	dns_rdata_soa_t *soa = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_soa);
+	REQUIRE(soa != NULL);
+	REQUIRE(soa->common.rdtype == type);
+	REQUIRE(soa->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_name_toregion(&soa->origin, &region);
+	RETERR(isc_buffer_copyregion(target, &region));
+	dns_name_toregion(&soa->contact, &region);
+	RETERR(isc_buffer_copyregion(target, &region));
+	RETERR(uint32_tobuffer(soa->serial, target));
+	RETERR(uint32_tobuffer(soa->refresh, target));
+	RETERR(uint32_tobuffer(soa->retry, target));
+	RETERR(uint32_tobuffer(soa->expire, target));
+	return (uint32_tobuffer(soa->minimum, target));
+}
+
+static isc_result_t
+tostruct_soa(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_soa_t *soa = target;
+	dns_name_t name;
+	isc_result_t result;
+
+	REQUIRE(rdata->type == dns_rdatatype_soa);
+	REQUIRE(soa != NULL);
+	REQUIRE(rdata->length != 0);
+
+	soa->common.rdclass = rdata->rdclass;
+	soa->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&soa->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+	isc_region_consume(&region, name_length(&name));
+	dns_name_init(&soa->origin, NULL);
+	RETERR(name_duporclone(&name, mctx, &soa->origin));
+
+	dns_name_fromregion(&name, &region);
+	isc_region_consume(&region, name_length(&name));
+	dns_name_init(&soa->contact, NULL);
+	result = name_duporclone(&name, mctx, &soa->contact);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	soa->serial = uint32_fromregion(&region);
+	isc_region_consume(&region, 4);
+
+	soa->refresh = uint32_fromregion(&region);
+	isc_region_consume(&region, 4);
+
+	soa->retry = uint32_fromregion(&region);
+	isc_region_consume(&region, 4);
+
+	soa->expire = uint32_fromregion(&region);
+	isc_region_consume(&region, 4);
+
+	soa->minimum = uint32_fromregion(&region);
+
+	soa->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	if (mctx != NULL) {
+		dns_name_free(&soa->origin, mctx);
+	}
+	return (ISC_R_NOMEMORY);
+}
+
+static void
+freestruct_soa(ARGS_FREESTRUCT) {
+	dns_rdata_soa_t *soa = source;
+
+	REQUIRE(soa != NULL);
+	REQUIRE(soa->common.rdtype == dns_rdatatype_soa);
+
+	if (soa->mctx == NULL) {
+		return;
+	}
+
+	dns_name_free(&soa->origin, soa->mctx);
+	dns_name_free(&soa->contact, soa->mctx);
+	soa->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_soa(ARGS_ADDLDATA) {
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	REQUIRE(rdata->type == dns_rdatatype_soa);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_soa(ARGS_DIGEST) {
+	isc_region_t r;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_soa);
+
+	dns_rdata_toregion(rdata, &r);
+
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r);
+	RETERR(dns_name_digest(&name, digest, arg));
+	isc_region_consume(&r, name_length(&name));
+
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r);
+	RETERR(dns_name_digest(&name, digest, arg));
+	isc_region_consume(&r, name_length(&name));
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_soa(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_soa);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_soa(ARGS_CHECKNAMES) {
+	isc_region_t region;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_soa);
+
+	UNUSED(owner);
+
+	dns_rdata_toregion(rdata, &region);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+	if (!dns_name_ishostname(&name, false)) {
+		if (bad != NULL) {
+			dns_name_clone(&name, bad);
+		}
+		return (false);
+	}
+	isc_region_consume(&region, name_length(&name));
+	dns_name_fromregion(&name, &region);
+	if (!dns_name_ismailbox(&name)) {
+		if (bad != NULL) {
+			dns_name_clone(&name, bad);
+		}
+		return (false);
+	}
+	return (true);
+}
+
+static int
+casecompare_soa(ARGS_COMPARE) {
+	return (compare_soa(rdata1, rdata2));
+}
+
+#endif /* RDATA_GENERIC_SOA_6_C */
diff --git a/lib/dns/rdata/generic/soa_6.h b/lib/dns/rdata/generic/soa_6.h
new file mode 100644
index 0000000..ba5f000
--- /dev/null
+++ b/lib/dns/rdata/generic/soa_6.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef GENERIC_SOA_6_H
+#define GENERIC_SOA_6_H 1
+
+typedef struct dns_rdata_soa {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	dns_name_t origin;
+	dns_name_t contact;
+	uint32_t serial;  /*%< host order */
+	uint32_t refresh; /*%< host order */
+	uint32_t retry;	  /*%< host order */
+	uint32_t expire;  /*%< host order */
+	uint32_t minimum; /*%< host order */
+} dns_rdata_soa_t;
+
+#endif /* GENERIC_SOA_6_H */
diff --git a/lib/dns/rdata/generic/spf_99.c b/lib/dns/rdata/generic/spf_99.c
new file mode 100644
index 0000000..1df3e75
--- /dev/null
+++ b/lib/dns/rdata/generic/spf_99.c
@@ -0,0 +1,145 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_SPF_99_C
+#define RDATA_GENERIC_SPF_99_C
+
+#define RRTYPE_SPF_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_spf(ARGS_FROMTEXT) {
+	REQUIRE(type == dns_rdatatype_spf);
+
+	return (generic_fromtext_txt(CALL_FROMTEXT));
+}
+
+static isc_result_t
+totext_spf(ARGS_TOTEXT) {
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_spf);
+
+	return (generic_totext_txt(CALL_TOTEXT));
+}
+
+static isc_result_t
+fromwire_spf(ARGS_FROMWIRE) {
+	REQUIRE(type == dns_rdatatype_spf);
+
+	return (generic_fromwire_txt(CALL_FROMWIRE));
+}
+
+static isc_result_t
+towire_spf(ARGS_TOWIRE) {
+	REQUIRE(rdata->type == dns_rdatatype_spf);
+
+	UNUSED(cctx);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static int
+compare_spf(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_spf);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+fromstruct_spf(ARGS_FROMSTRUCT) {
+	REQUIRE(type == dns_rdatatype_spf);
+
+	return (generic_fromstruct_txt(CALL_FROMSTRUCT));
+}
+
+static isc_result_t
+tostruct_spf(ARGS_TOSTRUCT) {
+	dns_rdata_spf_t *spf = target;
+
+	REQUIRE(spf != NULL);
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_spf);
+
+	spf->common.rdclass = rdata->rdclass;
+	spf->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&spf->common, link);
+
+	return (generic_tostruct_txt(CALL_TOSTRUCT));
+}
+
+static void
+freestruct_spf(ARGS_FREESTRUCT) {
+	dns_rdata_spf_t *spf = source;
+
+	REQUIRE(spf != NULL);
+	REQUIRE(spf->common.rdtype == dns_rdatatype_spf);
+
+	generic_freestruct_txt(source);
+}
+
+static isc_result_t
+additionaldata_spf(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_spf);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_spf(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_spf);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_spf(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_spf);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_spf(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_spf);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_spf(ARGS_COMPARE) {
+	return (compare_spf(rdata1, rdata2));
+}
+#endif /* RDATA_GENERIC_SPF_99_C */
diff --git a/lib/dns/rdata/generic/spf_99.h b/lib/dns/rdata/generic/spf_99.h
new file mode 100644
index 0000000..1c98259
--- /dev/null
+++ b/lib/dns/rdata/generic/spf_99.h
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_SPF_99_H
+#define GENERIC_SPF_99_H 1
+
+typedef struct dns_rdata_spf_string {
+	uint8_t length;
+	unsigned char *data;
+} dns_rdata_spf_string_t;
+
+typedef struct dns_rdata_spf {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	unsigned char *txt;
+	uint16_t txt_len;
+	/* private */
+	uint16_t offset;
+} dns_rdata_spf_t;
+
+/*
+ * ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS are already done
+ * via rdatastructpre.h and rdatastructsuf.h.
+ */
+#endif /* GENERIC_SPF_99_H */
diff --git a/lib/dns/rdata/generic/sshfp_44.c b/lib/dns/rdata/generic/sshfp_44.c
new file mode 100644
index 0000000..9ca97b4
--- /dev/null
+++ b/lib/dns/rdata/generic/sshfp_44.c
@@ -0,0 +1,296 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC 4255 */
+
+#ifndef RDATA_GENERIC_SSHFP_44_C
+#define RDATA_GENERIC_SSHFP_44_C
+
+#define RRTYPE_SSHFP_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_sshfp(ARGS_FROMTEXT) {
+	isc_token_t token;
+	int len = -1;
+
+	REQUIRE(type == dns_rdatatype_sshfp);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	/*
+	 * Algorithm.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint8_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Digest type.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint8_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Enforce known digest lengths.
+	 */
+	switch (token.value.as_ulong) {
+	case 1:
+		len = ISC_SHA1_DIGESTLENGTH;
+		break;
+	case 2:
+		len = ISC_SHA256_DIGESTLENGTH;
+		break;
+	default:
+		break;
+	}
+
+	/*
+	 * Digest.
+	 */
+	return (isc_hex_tobuffer(lexer, target, len));
+}
+
+static isc_result_t
+totext_sshfp(ARGS_TOTEXT) {
+	isc_region_t sr;
+	char buf[sizeof("64000 ")];
+	unsigned int n;
+
+	REQUIRE(rdata->type == dns_rdatatype_sshfp);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(tctx);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/*
+	 * Algorithm.
+	 */
+	n = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+	snprintf(buf, sizeof(buf), "%u ", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Digest type.
+	 */
+	n = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+	snprintf(buf, sizeof(buf), "%u", n);
+	RETERR(str_totext(buf, target));
+
+	if (sr.length == 0U) {
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * Digest.
+	 */
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+		RETERR(str_totext(" (", target));
+	}
+	RETERR(str_totext(tctx->linebreak, target));
+	if (tctx->width == 0) { /* No splitting */
+		RETERR(isc_hex_totext(&sr, 0, "", target));
+	} else {
+		RETERR(isc_hex_totext(&sr, tctx->width - 2, tctx->linebreak,
+				      target));
+	}
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+		RETERR(str_totext(" )", target));
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+fromwire_sshfp(ARGS_FROMWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(type == dns_rdatatype_sshfp);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+	UNUSED(options);
+
+	isc_buffer_activeregion(source, &sr);
+	if (sr.length < 2) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	if ((sr.base[1] == 1 && sr.length != ISC_SHA1_DIGESTLENGTH + 2) ||
+	    (sr.base[1] == 2 && sr.length != ISC_SHA256_DIGESTLENGTH + 2))
+	{
+		return (DNS_R_FORMERR);
+	}
+
+	isc_buffer_forward(source, sr.length);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static isc_result_t
+towire_sshfp(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_sshfp);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static int
+compare_sshfp(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_sshfp);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+fromstruct_sshfp(ARGS_FROMSTRUCT) {
+	dns_rdata_sshfp_t *sshfp = source;
+
+	REQUIRE(type == dns_rdatatype_sshfp);
+	REQUIRE(sshfp != NULL);
+	REQUIRE(sshfp->common.rdtype == type);
+	REQUIRE(sshfp->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint8_tobuffer(sshfp->algorithm, target));
+	RETERR(uint8_tobuffer(sshfp->digest_type, target));
+
+	return (mem_tobuffer(target, sshfp->digest, sshfp->length));
+}
+
+static isc_result_t
+tostruct_sshfp(ARGS_TOSTRUCT) {
+	dns_rdata_sshfp_t *sshfp = target;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_sshfp);
+	REQUIRE(sshfp != NULL);
+	REQUIRE(rdata->length != 0);
+
+	sshfp->common.rdclass = rdata->rdclass;
+	sshfp->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&sshfp->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+
+	sshfp->algorithm = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	sshfp->digest_type = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	sshfp->length = region.length;
+
+	sshfp->digest = mem_maybedup(mctx, region.base, region.length);
+	if (sshfp->digest == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	sshfp->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_sshfp(ARGS_FREESTRUCT) {
+	dns_rdata_sshfp_t *sshfp = source;
+
+	REQUIRE(sshfp != NULL);
+	REQUIRE(sshfp->common.rdtype == dns_rdatatype_sshfp);
+
+	if (sshfp->mctx == NULL) {
+		return;
+	}
+
+	if (sshfp->digest != NULL) {
+		isc_mem_free(sshfp->mctx, sshfp->digest);
+	}
+	sshfp->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_sshfp(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_sshfp);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_sshfp(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_sshfp);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_sshfp(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_sshfp);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_sshfp(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_sshfp);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_sshfp(ARGS_COMPARE) {
+	return (compare_sshfp(rdata1, rdata2));
+}
+
+#endif /* RDATA_GENERIC_SSHFP_44_C */
diff --git a/lib/dns/rdata/generic/sshfp_44.h b/lib/dns/rdata/generic/sshfp_44.h
new file mode 100644
index 0000000..61d5a00
--- /dev/null
+++ b/lib/dns/rdata/generic/sshfp_44.h
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*!
+ *  \brief Per RFC 4255 */
+
+#ifndef GENERIC_SSHFP_44_H
+#define GENERIC_SSHFP_44_H 1
+
+typedef struct dns_rdata_sshfp {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	uint8_t algorithm;
+	uint8_t digest_type;
+	uint16_t length;
+	unsigned char *digest;
+} dns_rdata_sshfp_t;
+
+#endif /* GENERIC_SSHFP_44_H */
diff --git a/lib/dns/rdata/generic/ta_32768.c b/lib/dns/rdata/generic/ta_32768.c
new file mode 100644
index 0000000..eeab50b
--- /dev/null
+++ b/lib/dns/rdata/generic/ta_32768.c
@@ -0,0 +1,162 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* http://www.watson.org/~weiler/INI1999-19.pdf */
+
+#ifndef RDATA_GENERIC_TA_32768_C
+#define RDATA_GENERIC_TA_32768_C
+
+#define RRTYPE_TA_ATTRIBUTES 0
+
+static isc_result_t
+fromtext_ta(ARGS_FROMTEXT) {
+	REQUIRE(type == dns_rdatatype_ta);
+
+	return (generic_fromtext_ds(CALL_FROMTEXT));
+}
+
+static isc_result_t
+totext_ta(ARGS_TOTEXT) {
+	REQUIRE(rdata->type == dns_rdatatype_ta);
+
+	return (generic_totext_ds(CALL_TOTEXT));
+}
+
+static isc_result_t
+fromwire_ta(ARGS_FROMWIRE) {
+	REQUIRE(type == dns_rdatatype_ta);
+
+	return (generic_fromwire_ds(CALL_FROMWIRE));
+}
+
+static isc_result_t
+towire_ta(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_ta);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static int
+compare_ta(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_ta);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+fromstruct_ta(ARGS_FROMSTRUCT) {
+	REQUIRE(type == dns_rdatatype_ta);
+
+	return (generic_fromstruct_ds(CALL_FROMSTRUCT));
+}
+
+static isc_result_t
+tostruct_ta(ARGS_TOSTRUCT) {
+	dns_rdata_ds_t *ds = target;
+
+	REQUIRE(rdata->type == dns_rdatatype_ta);
+	REQUIRE(ds != NULL);
+
+	/*
+	 * Checked by generic_tostruct_ds().
+	 */
+	ds->common.rdclass = rdata->rdclass;
+	ds->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&ds->common, link);
+
+	return (generic_tostruct_ds(CALL_TOSTRUCT));
+}
+
+static void
+freestruct_ta(ARGS_FREESTRUCT) {
+	dns_rdata_ta_t *ds = source;
+
+	REQUIRE(ds != NULL);
+	REQUIRE(ds->common.rdtype == dns_rdatatype_ta);
+
+	if (ds->mctx == NULL) {
+		return;
+	}
+
+	if (ds->digest != NULL) {
+		isc_mem_free(ds->mctx, ds->digest);
+	}
+	ds->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_ta(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_ta);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_ta(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_ta);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_ta(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_ta);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_ta(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_ta);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_ta(ARGS_COMPARE) {
+	return (compare_ta(rdata1, rdata2));
+}
+
+#endif /* RDATA_GENERIC_TA_32768_C */
diff --git a/lib/dns/rdata/generic/ta_32768.h b/lib/dns/rdata/generic/ta_32768.h
new file mode 100644
index 0000000..7ea6e40
--- /dev/null
+++ b/lib/dns/rdata/generic/ta_32768.h
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_TA_32768_H
+#define GENERIC_TA_32768_H 1
+
+/*
+ * TA records are identical to DS records.
+ */
+typedef struct dns_rdata_ds dns_rdata_ta_t;
+
+#endif /* GENERIC_TA_32768_H */
diff --git a/lib/dns/rdata/generic/talink_58.c b/lib/dns/rdata/generic/talink_58.c
new file mode 100644
index 0000000..4460ffb
--- /dev/null
+++ b/lib/dns/rdata/generic/talink_58.c
@@ -0,0 +1,267 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_TALINK_58_C
+#define RDATA_GENERIC_TALINK_58_C
+
+#define RRTYPE_TALINK_ATTRIBUTES 0
+
+static isc_result_t
+fromtext_talink(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+	int i;
+
+	REQUIRE(type == dns_rdatatype_talink);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	if (origin == NULL) {
+		origin = dns_rootname;
+	}
+
+	for (i = 0; i < 2; i++) {
+		RETERR(isc_lex_getmastertoken(lexer, &token,
+					      isc_tokentype_string, false));
+
+		dns_name_init(&name, NULL);
+		buffer_fromregion(&buffer, &token.value.as_region);
+		RETTOK(dns_name_fromtext(&name, &buffer, origin, options,
+					 target));
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+totext_talink(ARGS_TOTEXT) {
+	isc_region_t dregion;
+	dns_name_t prev;
+	dns_name_t next;
+	dns_name_t prefix;
+	bool sub;
+
+	REQUIRE(rdata->type == dns_rdatatype_talink);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&prev, NULL);
+	dns_name_init(&next, NULL);
+	dns_name_init(&prefix, NULL);
+
+	dns_rdata_toregion(rdata, &dregion);
+
+	dns_name_fromregion(&prev, &dregion);
+	isc_region_consume(&dregion, name_length(&prev));
+
+	dns_name_fromregion(&next, &dregion);
+	isc_region_consume(&dregion, name_length(&next));
+
+	sub = name_prefix(&prev, tctx->origin, &prefix);
+	RETERR(dns_name_totext(&prefix, sub, target));
+
+	RETERR(str_totext(" ", target));
+
+	sub = name_prefix(&next, tctx->origin, &prefix);
+	return (dns_name_totext(&prefix, sub, target));
+}
+
+static isc_result_t
+fromwire_talink(ARGS_FROMWIRE) {
+	dns_name_t prev;
+	dns_name_t next;
+
+	REQUIRE(type == dns_rdatatype_talink);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+	dns_name_init(&prev, NULL);
+	dns_name_init(&next, NULL);
+
+	RETERR(dns_name_fromwire(&prev, source, dctx, options, target));
+	return (dns_name_fromwire(&next, source, dctx, options, target));
+}
+
+static isc_result_t
+towire_talink(ARGS_TOWIRE) {
+	isc_region_t sregion;
+	dns_name_t prev;
+	dns_name_t next;
+	dns_offsets_t moffsets;
+	dns_offsets_t roffsets;
+
+	REQUIRE(rdata->type == dns_rdatatype_talink);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+
+	dns_name_init(&prev, moffsets);
+	dns_name_init(&next, roffsets);
+
+	dns_rdata_toregion(rdata, &sregion);
+
+	dns_name_fromregion(&prev, &sregion);
+	isc_region_consume(&sregion, name_length(&prev));
+	RETERR(dns_name_towire(&prev, cctx, target));
+
+	dns_name_fromregion(&next, &sregion);
+	isc_region_consume(&sregion, name_length(&next));
+	return (dns_name_towire(&next, cctx, target));
+}
+
+static int
+compare_talink(ARGS_COMPARE) {
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_talink);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+	return (isc_region_compare(&region1, &region2));
+}
+
+static isc_result_t
+fromstruct_talink(ARGS_FROMSTRUCT) {
+	dns_rdata_talink_t *talink = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_talink);
+	REQUIRE(talink != NULL);
+	REQUIRE(talink->common.rdtype == type);
+	REQUIRE(talink->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_name_toregion(&talink->prev, &region);
+	RETERR(isc_buffer_copyregion(target, &region));
+	dns_name_toregion(&talink->next, &region);
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static isc_result_t
+tostruct_talink(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_talink_t *talink = target;
+	dns_name_t name;
+	isc_result_t result;
+
+	REQUIRE(rdata->type == dns_rdatatype_talink);
+	REQUIRE(talink != NULL);
+	REQUIRE(rdata->length != 0);
+
+	talink->common.rdclass = rdata->rdclass;
+	talink->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&talink->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+	isc_region_consume(&region, name_length(&name));
+	dns_name_init(&talink->prev, NULL);
+	RETERR(name_duporclone(&name, mctx, &talink->prev));
+
+	dns_name_fromregion(&name, &region);
+	isc_region_consume(&region, name_length(&name));
+	dns_name_init(&talink->next, NULL);
+	result = name_duporclone(&name, mctx, &talink->next);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	talink->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	if (mctx != NULL) {
+		dns_name_free(&talink->prev, mctx);
+	}
+	return (ISC_R_NOMEMORY);
+}
+
+static void
+freestruct_talink(ARGS_FREESTRUCT) {
+	dns_rdata_talink_t *talink = source;
+
+	REQUIRE(talink != NULL);
+	REQUIRE(talink->common.rdtype == dns_rdatatype_talink);
+
+	if (talink->mctx == NULL) {
+		return;
+	}
+
+	dns_name_free(&talink->prev, talink->mctx);
+	dns_name_free(&talink->next, talink->mctx);
+	talink->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_talink(ARGS_ADDLDATA) {
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	REQUIRE(rdata->type == dns_rdatatype_talink);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_talink(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_talink);
+
+	dns_rdata_toregion(rdata, &r);
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_talink(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_talink);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_talink(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_talink);
+
+	UNUSED(bad);
+	UNUSED(owner);
+
+	return (true);
+}
+
+static int
+casecompare_talink(ARGS_COMPARE) {
+	return (compare_talink(rdata1, rdata2));
+}
+
+#endif /* RDATA_GENERIC_TALINK_58_C */
diff --git a/lib/dns/rdata/generic/talink_58.h b/lib/dns/rdata/generic/talink_58.h
new file mode 100644
index 0000000..08ea600
--- /dev/null
+++ b/lib/dns/rdata/generic/talink_58.h
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * http://www.iana.org/assignments/dns-parameters/TALINK/talink-completed-template
+ */
+
+#ifndef GENERIC_TALINK_58_H
+#define GENERIC_TALINK_58_H 1
+
+typedef struct dns_rdata_talink {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	dns_name_t prev;
+	dns_name_t next;
+} dns_rdata_talink_t;
+
+#endif /* GENERIC_TALINK_58_H */
diff --git a/lib/dns/rdata/generic/tkey_249.c b/lib/dns/rdata/generic/tkey_249.c
new file mode 100644
index 0000000..7d3ea0e
--- /dev/null
+++ b/lib/dns/rdata/generic/tkey_249.c
@@ -0,0 +1,580 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* draft-ietf-dnsext-tkey-01.txt */
+
+#ifndef RDATA_GENERIC_TKEY_249_C
+#define RDATA_GENERIC_TKEY_249_C
+
+#define RRTYPE_TKEY_ATTRIBUTES (DNS_RDATATYPEATTR_META)
+
+static isc_result_t
+fromtext_tkey(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_rcode_t rcode;
+	dns_name_t name;
+	isc_buffer_t buffer;
+	long i;
+	char *e;
+
+	REQUIRE(type == dns_rdatatype_tkey);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	/*
+	 * Algorithm.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL) {
+		origin = dns_rootname;
+	}
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+
+	/*
+	 * Inception.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	RETERR(uint32_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Expiration.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	RETERR(uint32_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Mode.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Error.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	if (dns_tsigrcode_fromtext(&rcode, &token.value.as_textregion) !=
+	    ISC_R_SUCCESS)
+	{
+		i = strtol(DNS_AS_STR(token), &e, 10);
+		if (*e != 0) {
+			RETTOK(DNS_R_UNKNOWN);
+		}
+		if (i < 0 || i > 0xffff) {
+			RETTOK(ISC_R_RANGE);
+		}
+		rcode = (dns_rcode_t)i;
+	}
+	RETERR(uint16_tobuffer(rcode, target));
+
+	/*
+	 * Key Size.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Key Data.
+	 */
+	RETERR(isc_base64_tobuffer(lexer, target, (int)token.value.as_ulong));
+
+	/*
+	 * Other Size.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Other Data.
+	 */
+	return (isc_base64_tobuffer(lexer, target, (int)token.value.as_ulong));
+}
+
+static isc_result_t
+totext_tkey(ARGS_TOTEXT) {
+	isc_region_t sr, dr;
+	char buf[sizeof("4294967295 ")];
+	unsigned long n;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+
+	REQUIRE(rdata->type == dns_rdatatype_tkey);
+	REQUIRE(rdata->length != 0);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/*
+	 * Algorithm.
+	 */
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+	dns_name_fromregion(&name, &sr);
+	sub = name_prefix(&name, tctx->origin, &prefix);
+	RETERR(dns_name_totext(&prefix, sub, target));
+	RETERR(str_totext(" ", target));
+	isc_region_consume(&sr, name_length(&name));
+
+	/*
+	 * Inception.
+	 */
+	n = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+	snprintf(buf, sizeof(buf), "%lu ", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Expiration.
+	 */
+	n = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+	snprintf(buf, sizeof(buf), "%lu ", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Mode.
+	 */
+	n = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	snprintf(buf, sizeof(buf), "%lu ", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Error.
+	 */
+	n = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	if (dns_tsigrcode_totext((dns_rcode_t)n, target) == ISC_R_SUCCESS) {
+		RETERR(str_totext(" ", target));
+	} else {
+		snprintf(buf, sizeof(buf), "%lu ", n);
+		RETERR(str_totext(buf, target));
+	}
+
+	/*
+	 * Key Size.
+	 */
+	n = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	snprintf(buf, sizeof(buf), "%lu", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Key Data.
+	 */
+	REQUIRE(n <= sr.length);
+	dr = sr;
+	dr.length = n;
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+		RETERR(str_totext(" (", target));
+	}
+	RETERR(str_totext(tctx->linebreak, target));
+	if (tctx->width == 0) { /* No splitting */
+		RETERR(isc_base64_totext(&dr, 60, "", target));
+	} else {
+		RETERR(isc_base64_totext(&dr, tctx->width - 2, tctx->linebreak,
+					 target));
+	}
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+		RETERR(str_totext(" ) ", target));
+	} else {
+		RETERR(str_totext(" ", target));
+	}
+	isc_region_consume(&sr, n);
+
+	/*
+	 * Other Size.
+	 */
+	n = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	snprintf(buf, sizeof(buf), "%lu", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Other Data.
+	 */
+	REQUIRE(n <= sr.length);
+	if (n != 0U) {
+		dr = sr;
+		dr.length = n;
+		if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+			RETERR(str_totext(" (", target));
+		}
+		RETERR(str_totext(tctx->linebreak, target));
+		if (tctx->width == 0) { /* No splitting */
+			RETERR(isc_base64_totext(&dr, 60, "", target));
+		} else {
+			RETERR(isc_base64_totext(&dr, tctx->width - 2,
+						 tctx->linebreak, target));
+		}
+		if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+			RETERR(str_totext(" )", target));
+		}
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+fromwire_tkey(ARGS_FROMWIRE) {
+	isc_region_t sr;
+	unsigned long n;
+	dns_name_t name;
+
+	REQUIRE(type == dns_rdatatype_tkey);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+	/*
+	 * Algorithm.
+	 */
+	dns_name_init(&name, NULL);
+	RETERR(dns_name_fromwire(&name, source, dctx, options, target));
+
+	/*
+	 * Inception: 4
+	 * Expiration: 4
+	 * Mode: 2
+	 * Error: 2
+	 */
+	isc_buffer_activeregion(source, &sr);
+	if (sr.length < 12) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	RETERR(mem_tobuffer(target, sr.base, 12));
+	isc_region_consume(&sr, 12);
+	isc_buffer_forward(source, 12);
+
+	/*
+	 * Key Length + Key Data.
+	 */
+	if (sr.length < 2) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	n = uint16_fromregion(&sr);
+	if (sr.length < n + 2) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	RETERR(mem_tobuffer(target, sr.base, n + 2));
+	isc_region_consume(&sr, n + 2);
+	isc_buffer_forward(source, n + 2);
+
+	/*
+	 * Other Length + Other Data.
+	 */
+	if (sr.length < 2) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	n = uint16_fromregion(&sr);
+	if (sr.length < n + 2) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	isc_buffer_forward(source, n + 2);
+	return (mem_tobuffer(target, sr.base, n + 2));
+}
+
+static isc_result_t
+towire_tkey(ARGS_TOWIRE) {
+	isc_region_t sr;
+	dns_name_t name;
+	dns_offsets_t offsets;
+
+	REQUIRE(rdata->type == dns_rdatatype_tkey);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+	/*
+	 * Algorithm.
+	 */
+	dns_rdata_toregion(rdata, &sr);
+	dns_name_init(&name, offsets);
+	dns_name_fromregion(&name, &sr);
+	RETERR(dns_name_towire(&name, cctx, target));
+	isc_region_consume(&sr, name_length(&name));
+
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static int
+compare_tkey(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+	dns_name_t name1;
+	dns_name_t name2;
+	int order;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_tkey);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	/*
+	 * Algorithm.
+	 */
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+	dns_name_fromregion(&name1, &r1);
+	dns_name_fromregion(&name2, &r2);
+	if ((order = dns_name_rdatacompare(&name1, &name2)) != 0) {
+		return (order);
+	}
+	isc_region_consume(&r1, name_length(&name1));
+	isc_region_consume(&r2, name_length(&name2));
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+fromstruct_tkey(ARGS_FROMSTRUCT) {
+	dns_rdata_tkey_t *tkey = source;
+
+	REQUIRE(type == dns_rdatatype_tkey);
+	REQUIRE(tkey != NULL);
+	REQUIRE(tkey->common.rdtype == type);
+	REQUIRE(tkey->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	/*
+	 * Algorithm Name.
+	 */
+	RETERR(name_tobuffer(&tkey->algorithm, target));
+
+	/*
+	 * Inception: 32 bits.
+	 */
+	RETERR(uint32_tobuffer(tkey->inception, target));
+
+	/*
+	 * Expire: 32 bits.
+	 */
+	RETERR(uint32_tobuffer(tkey->expire, target));
+
+	/*
+	 * Mode: 16 bits.
+	 */
+	RETERR(uint16_tobuffer(tkey->mode, target));
+
+	/*
+	 * Error: 16 bits.
+	 */
+	RETERR(uint16_tobuffer(tkey->error, target));
+
+	/*
+	 * Key size: 16 bits.
+	 */
+	RETERR(uint16_tobuffer(tkey->keylen, target));
+
+	/*
+	 * Key.
+	 */
+	RETERR(mem_tobuffer(target, tkey->key, tkey->keylen));
+
+	/*
+	 * Other size: 16 bits.
+	 */
+	RETERR(uint16_tobuffer(tkey->otherlen, target));
+
+	/*
+	 * Other data.
+	 */
+	return (mem_tobuffer(target, tkey->other, tkey->otherlen));
+}
+
+static isc_result_t
+tostruct_tkey(ARGS_TOSTRUCT) {
+	dns_rdata_tkey_t *tkey = target;
+	dns_name_t alg;
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_tkey);
+	REQUIRE(tkey != NULL);
+	REQUIRE(rdata->length != 0);
+
+	tkey->common.rdclass = rdata->rdclass;
+	tkey->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&tkey->common, link);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/*
+	 * Algorithm Name.
+	 */
+	dns_name_init(&alg, NULL);
+	dns_name_fromregion(&alg, &sr);
+	dns_name_init(&tkey->algorithm, NULL);
+	RETERR(name_duporclone(&alg, mctx, &tkey->algorithm));
+	isc_region_consume(&sr, name_length(&tkey->algorithm));
+
+	/*
+	 * Inception.
+	 */
+	tkey->inception = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+
+	/*
+	 * Expire.
+	 */
+	tkey->expire = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+
+	/*
+	 * Mode.
+	 */
+	tkey->mode = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+
+	/*
+	 * Error.
+	 */
+	tkey->error = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+
+	/*
+	 * Key size.
+	 */
+	tkey->keylen = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+
+	/*
+	 * Key.
+	 */
+	INSIST(tkey->keylen + 2U <= sr.length);
+	tkey->key = mem_maybedup(mctx, sr.base, tkey->keylen);
+	if (tkey->key == NULL) {
+		goto cleanup;
+	}
+	isc_region_consume(&sr, tkey->keylen);
+
+	/*
+	 * Other size.
+	 */
+	tkey->otherlen = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+
+	/*
+	 * Other.
+	 */
+	INSIST(tkey->otherlen <= sr.length);
+	tkey->other = mem_maybedup(mctx, sr.base, tkey->otherlen);
+	if (tkey->other == NULL) {
+		goto cleanup;
+	}
+
+	tkey->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	if (mctx != NULL) {
+		dns_name_free(&tkey->algorithm, mctx);
+	}
+	if (mctx != NULL && tkey->key != NULL) {
+		isc_mem_free(mctx, tkey->key);
+	}
+	return (ISC_R_NOMEMORY);
+}
+
+static void
+freestruct_tkey(ARGS_FREESTRUCT) {
+	dns_rdata_tkey_t *tkey = (dns_rdata_tkey_t *)source;
+
+	REQUIRE(tkey != NULL);
+
+	if (tkey->mctx == NULL) {
+		return;
+	}
+
+	dns_name_free(&tkey->algorithm, tkey->mctx);
+	if (tkey->key != NULL) {
+		isc_mem_free(tkey->mctx, tkey->key);
+	}
+	if (tkey->other != NULL) {
+		isc_mem_free(tkey->mctx, tkey->other);
+	}
+	tkey->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_tkey(ARGS_ADDLDATA) {
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	REQUIRE(rdata->type == dns_rdatatype_tkey);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_tkey(ARGS_DIGEST) {
+	UNUSED(rdata);
+	UNUSED(digest);
+	UNUSED(arg);
+
+	REQUIRE(rdata->type == dns_rdatatype_tkey);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static bool
+checkowner_tkey(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_tkey);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_tkey(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_tkey);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_tkey(ARGS_COMPARE) {
+	return (compare_tkey(rdata1, rdata2));
+}
+#endif /* RDATA_GENERIC_TKEY_249_C */
diff --git a/lib/dns/rdata/generic/tkey_249.h b/lib/dns/rdata/generic/tkey_249.h
new file mode 100644
index 0000000..eed3c68
--- /dev/null
+++ b/lib/dns/rdata/generic/tkey_249.h
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_TKEY_249_H
+#define GENERIC_TKEY_249_H 1
+
+/*!
+ *  \brief Per draft-ietf-dnsind-tkey-00.txt */
+
+typedef struct dns_rdata_tkey {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	dns_name_t algorithm;
+	uint32_t inception;
+	uint32_t expire;
+	uint16_t mode;
+	uint16_t error;
+	uint16_t keylen;
+	unsigned char *key;
+	uint16_t otherlen;
+	unsigned char *other;
+} dns_rdata_tkey_t;
+
+#endif /* GENERIC_TKEY_249_H */
diff --git a/lib/dns/rdata/generic/tlsa_52.c b/lib/dns/rdata/generic/tlsa_52.c
new file mode 100644
index 0000000..ddd437b
--- /dev/null
+++ b/lib/dns/rdata/generic/tlsa_52.c
@@ -0,0 +1,339 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* rfc6698.txt */
+
+#ifndef RDATA_GENERIC_TLSA_52_C
+#define RDATA_GENERIC_TLSA_52_C
+
+#define RRTYPE_TLSA_ATTRIBUTES 0
+
+static isc_result_t
+generic_fromtext_tlsa(ARGS_FROMTEXT) {
+	isc_token_t token;
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	/*
+	 * Certificate Usage.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint8_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Selector.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint8_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Matching type.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint8_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Certificate Association Data.
+	 */
+	return (isc_hex_tobuffer(lexer, target, -2));
+}
+
+static isc_result_t
+generic_totext_tlsa(ARGS_TOTEXT) {
+	isc_region_t sr;
+	char buf[sizeof("64000 ")];
+	unsigned int n;
+
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(tctx);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/*
+	 * Certificate Usage.
+	 */
+	n = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+	snprintf(buf, sizeof(buf), "%u ", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Selector.
+	 */
+	n = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+	snprintf(buf, sizeof(buf), "%u ", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Matching type.
+	 */
+	n = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+	snprintf(buf, sizeof(buf), "%u", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Certificate Association Data.
+	 */
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+		RETERR(str_totext(" (", target));
+	}
+	RETERR(str_totext(tctx->linebreak, target));
+	if (tctx->width == 0) { /* No splitting */
+		RETERR(isc_hex_totext(&sr, 0, "", target));
+	} else {
+		RETERR(isc_hex_totext(&sr, tctx->width - 2, tctx->linebreak,
+				      target));
+	}
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+		RETERR(str_totext(" )", target));
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+generic_fromwire_tlsa(ARGS_FROMWIRE) {
+	isc_region_t sr;
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+	UNUSED(options);
+
+	isc_buffer_activeregion(source, &sr);
+
+	/* Usage(1), Selector(1), Type(1), Data(1+) */
+	if (sr.length < 4) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	isc_buffer_forward(source, sr.length);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static isc_result_t
+fromtext_tlsa(ARGS_FROMTEXT) {
+	REQUIRE(type == dns_rdatatype_tlsa);
+
+	return (generic_fromtext_tlsa(CALL_FROMTEXT));
+}
+
+static isc_result_t
+totext_tlsa(ARGS_TOTEXT) {
+	REQUIRE(rdata->type == dns_rdatatype_tlsa);
+
+	return (generic_totext_tlsa(CALL_TOTEXT));
+}
+
+static isc_result_t
+fromwire_tlsa(ARGS_FROMWIRE) {
+	REQUIRE(type == dns_rdatatype_tlsa);
+
+	return (generic_fromwire_tlsa(CALL_FROMWIRE));
+}
+
+static isc_result_t
+towire_tlsa(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_tlsa);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static int
+compare_tlsa(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_tlsa);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+generic_fromstruct_tlsa(ARGS_FROMSTRUCT) {
+	dns_rdata_tlsa_t *tlsa = source;
+
+	REQUIRE(tlsa != NULL);
+	REQUIRE(tlsa->common.rdtype == type);
+	REQUIRE(tlsa->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint8_tobuffer(tlsa->usage, target));
+	RETERR(uint8_tobuffer(tlsa->selector, target));
+	RETERR(uint8_tobuffer(tlsa->match, target));
+
+	return (mem_tobuffer(target, tlsa->data, tlsa->length));
+}
+
+static isc_result_t
+generic_tostruct_tlsa(ARGS_TOSTRUCT) {
+	dns_rdata_tlsa_t *tlsa = target;
+	isc_region_t region;
+
+	REQUIRE(tlsa != NULL);
+	REQUIRE(rdata->length != 0);
+
+	REQUIRE(tlsa != NULL);
+	REQUIRE(tlsa->common.rdclass == rdata->rdclass);
+	REQUIRE(tlsa->common.rdtype == rdata->type);
+	REQUIRE(!ISC_LINK_LINKED(&tlsa->common, link));
+
+	dns_rdata_toregion(rdata, &region);
+
+	tlsa->usage = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	tlsa->selector = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	tlsa->match = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	tlsa->length = region.length;
+
+	tlsa->data = mem_maybedup(mctx, region.base, region.length);
+	if (tlsa->data == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	tlsa->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+generic_freestruct_tlsa(ARGS_FREESTRUCT) {
+	dns_rdata_tlsa_t *tlsa = source;
+
+	REQUIRE(tlsa != NULL);
+
+	if (tlsa->mctx == NULL) {
+		return;
+	}
+
+	if (tlsa->data != NULL) {
+		isc_mem_free(tlsa->mctx, tlsa->data);
+	}
+	tlsa->mctx = NULL;
+}
+
+static isc_result_t
+fromstruct_tlsa(ARGS_FROMSTRUCT) {
+	REQUIRE(type == dns_rdatatype_tlsa);
+
+	return (generic_fromstruct_tlsa(CALL_FROMSTRUCT));
+}
+
+static isc_result_t
+tostruct_tlsa(ARGS_TOSTRUCT) {
+	dns_rdata_tlsa_t *tlsa = target;
+
+	REQUIRE(rdata->type == dns_rdatatype_tlsa);
+	REQUIRE(tlsa != NULL);
+
+	tlsa->common.rdclass = rdata->rdclass;
+	tlsa->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&tlsa->common, link);
+
+	return (generic_tostruct_tlsa(CALL_TOSTRUCT));
+}
+
+static void
+freestruct_tlsa(ARGS_FREESTRUCT) {
+	dns_rdata_tlsa_t *tlsa = source;
+
+	REQUIRE(tlsa != NULL);
+	REQUIRE(tlsa->common.rdtype == dns_rdatatype_tlsa);
+
+	generic_freestruct_tlsa(source);
+}
+
+static isc_result_t
+additionaldata_tlsa(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_tlsa);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_tlsa(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_tlsa);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_tlsa(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_tlsa);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_tlsa(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_tlsa);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_tlsa(ARGS_COMPARE) {
+	return (compare_tlsa(rdata1, rdata2));
+}
+
+#endif /* RDATA_GENERIC_TLSA_52_C */
diff --git a/lib/dns/rdata/generic/tlsa_52.h b/lib/dns/rdata/generic/tlsa_52.h
new file mode 100644
index 0000000..a95b882
--- /dev/null
+++ b/lib/dns/rdata/generic/tlsa_52.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_TLSA_52_H
+#define GENERIC_TLSA_52_H 1
+
+/*!
+ *  \brief per rfc6698.txt
+ */
+typedef struct dns_rdata_tlsa {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	uint8_t usage;
+	uint8_t selector;
+	uint8_t match;
+	uint16_t length;
+	unsigned char *data;
+} dns_rdata_tlsa_t;
+
+#endif /* GENERIC_TLSA_52_H */
diff --git a/lib/dns/rdata/generic/txt_16.c b/lib/dns/rdata/generic/txt_16.c
new file mode 100644
index 0000000..c4d338b
--- /dev/null
+++ b/lib/dns/rdata/generic/txt_16.c
@@ -0,0 +1,359 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_TXT_16_C
+#define RDATA_GENERIC_TXT_16_C
+
+#define RRTYPE_TXT_ATTRIBUTES (0)
+
+static isc_result_t
+generic_fromtext_txt(ARGS_FROMTEXT) {
+	isc_token_t token;
+	int strings;
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	strings = 0;
+	if ((options & DNS_RDATA_UNKNOWNESCAPE) != 0) {
+		isc_textregion_t r;
+		DE_CONST("#", r.base);
+		r.length = 1;
+		RETERR(txt_fromtext(&r, target));
+		strings++;
+	}
+	for (;;) {
+		RETERR(isc_lex_getmastertoken(lexer, &token,
+					      isc_tokentype_qstring, true));
+		if (token.type != isc_tokentype_qstring &&
+		    token.type != isc_tokentype_string)
+		{
+			break;
+		}
+		RETTOK(txt_fromtext(&token.value.as_textregion, target));
+		strings++;
+	}
+	/* Let upper layer handle eol/eof. */
+	isc_lex_ungettoken(lexer, &token);
+	return (strings == 0 ? ISC_R_UNEXPECTEDEND : ISC_R_SUCCESS);
+}
+
+static isc_result_t
+generic_totext_txt(ARGS_TOTEXT) {
+	isc_region_t region;
+
+	UNUSED(tctx);
+
+	dns_rdata_toregion(rdata, &region);
+
+	while (region.length > 0) {
+		RETERR(txt_totext(&region, true, target));
+		if (region.length > 0) {
+			RETERR(str_totext(" ", target));
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+generic_fromwire_txt(ARGS_FROMWIRE) {
+	isc_result_t result;
+
+	UNUSED(type);
+	UNUSED(dctx);
+	UNUSED(rdclass);
+	UNUSED(options);
+
+	do {
+		result = txt_fromwire(source, target);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	} while (!buffer_empty(source));
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+fromtext_txt(ARGS_FROMTEXT) {
+	REQUIRE(type == dns_rdatatype_txt);
+
+	return (generic_fromtext_txt(CALL_FROMTEXT));
+}
+
+static isc_result_t
+totext_txt(ARGS_TOTEXT) {
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_txt);
+
+	return (generic_totext_txt(CALL_TOTEXT));
+}
+
+static isc_result_t
+fromwire_txt(ARGS_FROMWIRE) {
+	REQUIRE(type == dns_rdatatype_txt);
+
+	return (generic_fromwire_txt(CALL_FROMWIRE));
+}
+
+static isc_result_t
+towire_txt(ARGS_TOWIRE) {
+	REQUIRE(rdata->type == dns_rdatatype_txt);
+
+	UNUSED(cctx);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static int
+compare_txt(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_txt);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+generic_fromstruct_txt(ARGS_FROMSTRUCT) {
+	dns_rdata_txt_t *txt = source;
+	isc_region_t region;
+	uint8_t length;
+
+	REQUIRE(txt != NULL);
+	REQUIRE(txt->common.rdtype == type);
+	REQUIRE(txt->common.rdclass == rdclass);
+	REQUIRE(txt->txt != NULL && txt->txt_len != 0);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	region.base = txt->txt;
+	region.length = txt->txt_len;
+	while (region.length > 0) {
+		length = uint8_fromregion(&region);
+		isc_region_consume(&region, 1);
+		if (region.length < length) {
+			return (ISC_R_UNEXPECTEDEND);
+		}
+		isc_region_consume(&region, length);
+	}
+
+	return (mem_tobuffer(target, txt->txt, txt->txt_len));
+}
+
+static isc_result_t
+generic_tostruct_txt(ARGS_TOSTRUCT) {
+	dns_rdata_txt_t *txt = target;
+	isc_region_t r;
+
+	REQUIRE(txt != NULL);
+	REQUIRE(txt->common.rdclass == rdata->rdclass);
+	REQUIRE(txt->common.rdtype == rdata->type);
+	REQUIRE(!ISC_LINK_LINKED(&txt->common, link));
+
+	dns_rdata_toregion(rdata, &r);
+	txt->txt_len = r.length;
+	txt->txt = mem_maybedup(mctx, r.base, r.length);
+	if (txt->txt == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	txt->offset = 0;
+	txt->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+generic_freestruct_txt(ARGS_FREESTRUCT) {
+	dns_rdata_txt_t *txt = source;
+
+	REQUIRE(txt != NULL);
+
+	if (txt->mctx == NULL) {
+		return;
+	}
+
+	if (txt->txt != NULL) {
+		isc_mem_free(txt->mctx, txt->txt);
+	}
+	txt->mctx = NULL;
+}
+
+static isc_result_t
+fromstruct_txt(ARGS_FROMSTRUCT) {
+	REQUIRE(type == dns_rdatatype_txt);
+
+	return (generic_fromstruct_txt(CALL_FROMSTRUCT));
+}
+
+static isc_result_t
+tostruct_txt(ARGS_TOSTRUCT) {
+	dns_rdata_txt_t *txt = target;
+
+	REQUIRE(rdata->type == dns_rdatatype_txt);
+	REQUIRE(txt != NULL);
+
+	txt->common.rdclass = rdata->rdclass;
+	txt->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&txt->common, link);
+
+	return (generic_tostruct_txt(CALL_TOSTRUCT));
+}
+
+static void
+freestruct_txt(ARGS_FREESTRUCT) {
+	dns_rdata_txt_t *txt = source;
+
+	REQUIRE(txt != NULL);
+	REQUIRE(txt->common.rdtype == dns_rdatatype_txt);
+
+	generic_freestruct_txt(source);
+}
+
+static isc_result_t
+additionaldata_txt(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_txt);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_txt(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_txt);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_txt(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_txt);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_txt(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_txt);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_txt(ARGS_COMPARE) {
+	return (compare_txt(rdata1, rdata2));
+}
+
+static isc_result_t
+generic_txt_first(dns_rdata_txt_t *txt) {
+	REQUIRE(txt != NULL);
+	REQUIRE(txt->txt != NULL || txt->txt_len == 0);
+
+	if (txt->txt_len == 0) {
+		return (ISC_R_NOMORE);
+	}
+
+	txt->offset = 0;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+generic_txt_next(dns_rdata_txt_t *txt) {
+	isc_region_t r;
+	uint8_t length;
+
+	REQUIRE(txt != NULL);
+	REQUIRE(txt->txt != NULL && txt->txt_len != 0);
+
+	INSIST(txt->offset + 1 <= txt->txt_len);
+	r.base = txt->txt + txt->offset;
+	r.length = txt->txt_len - txt->offset;
+	length = uint8_fromregion(&r);
+	INSIST(txt->offset + 1 + length <= txt->txt_len);
+	txt->offset = txt->offset + 1 + length;
+	if (txt->offset == txt->txt_len) {
+		return (ISC_R_NOMORE);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+generic_txt_current(dns_rdata_txt_t *txt, dns_rdata_txt_string_t *string) {
+	isc_region_t r;
+
+	REQUIRE(txt != NULL);
+	REQUIRE(string != NULL);
+	REQUIRE(txt->txt != NULL);
+	REQUIRE(txt->offset < txt->txt_len);
+
+	INSIST(txt->offset + 1 <= txt->txt_len);
+	r.base = txt->txt + txt->offset;
+	r.length = txt->txt_len - txt->offset;
+
+	string->length = uint8_fromregion(&r);
+	isc_region_consume(&r, 1);
+	string->data = r.base;
+	INSIST(txt->offset + 1 + string->length <= txt->txt_len);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_rdata_txt_first(dns_rdata_txt_t *txt) {
+	REQUIRE(txt != NULL);
+	REQUIRE(txt->common.rdtype == dns_rdatatype_txt);
+
+	return (generic_txt_first(txt));
+}
+
+isc_result_t
+dns_rdata_txt_next(dns_rdata_txt_t *txt) {
+	REQUIRE(txt != NULL);
+	REQUIRE(txt->common.rdtype == dns_rdatatype_txt);
+
+	return (generic_txt_next(txt));
+}
+
+isc_result_t
+dns_rdata_txt_current(dns_rdata_txt_t *txt, dns_rdata_txt_string_t *string) {
+	REQUIRE(txt != NULL);
+	REQUIRE(txt->common.rdtype == dns_rdatatype_txt);
+
+	return (generic_txt_current(txt, string));
+}
+#endif /* RDATA_GENERIC_TXT_16_C */
diff --git a/lib/dns/rdata/generic/txt_16.h b/lib/dns/rdata/generic/txt_16.h
new file mode 100644
index 0000000..d94eb70
--- /dev/null
+++ b/lib/dns/rdata/generic/txt_16.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef GENERIC_TXT_16_H
+#define GENERIC_TXT_16_H 1
+
+typedef struct dns_rdata_txt_string {
+	uint8_t length;
+	unsigned char *data;
+} dns_rdata_txt_string_t;
+
+typedef struct dns_rdata_txt {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	unsigned char *txt;
+	uint16_t txt_len;
+	/* private */
+	uint16_t offset;
+} dns_rdata_txt_t;
+
+/*
+ * ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS are already done
+ * via rdatastructpre.h and rdatastructsuf.h.
+ */
+
+isc_result_t
+dns_rdata_txt_first(dns_rdata_txt_t *);
+
+isc_result_t
+dns_rdata_txt_next(dns_rdata_txt_t *);
+
+isc_result_t
+dns_rdata_txt_current(dns_rdata_txt_t *, dns_rdata_txt_string_t *);
+
+#endif /* GENERIC_TXT_16_H */
diff --git a/lib/dns/rdata/generic/uri_256.c b/lib/dns/rdata/generic/uri_256.c
new file mode 100644
index 0000000..a3c61d8
--- /dev/null
+++ b/lib/dns/rdata/generic/uri_256.c
@@ -0,0 +1,318 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_URI_256_C
+#define GENERIC_URI_256_C 1
+
+#define RRTYPE_URI_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_uri(ARGS_FROMTEXT) {
+	isc_token_t token;
+
+	REQUIRE(type == dns_rdatatype_uri);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	/*
+	 * Priority
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Weight
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Target URI
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
+				      false));
+	if (token.type != isc_tokentype_qstring) {
+		RETTOK(DNS_R_SYNTAX);
+	}
+	RETTOK(multitxt_fromtext(&token.value.as_textregion, target));
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+totext_uri(ARGS_TOTEXT) {
+	isc_region_t region;
+	unsigned short priority, weight;
+	char buf[sizeof("65000 ")];
+
+	UNUSED(tctx);
+
+	REQUIRE(rdata->type == dns_rdatatype_uri);
+	REQUIRE(rdata->length != 0);
+
+	dns_rdata_toregion(rdata, &region);
+
+	/*
+	 * Priority
+	 */
+	priority = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	snprintf(buf, sizeof(buf), "%u ", priority);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Weight
+	 */
+	weight = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	snprintf(buf, sizeof(buf), "%u ", weight);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Target URI
+	 */
+	RETERR(multitxt_totext(&region, target));
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+fromwire_uri(ARGS_FROMWIRE) {
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_uri);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+	UNUSED(options);
+
+	/*
+	 * Priority, weight
+	 */
+	isc_buffer_activeregion(source, &region);
+	if (region.length < 4) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	/*
+	 * Priority, weight and target URI
+	 */
+	isc_buffer_forward(source, region.length);
+	return (mem_tobuffer(target, region.base, region.length));
+}
+
+static isc_result_t
+towire_uri(ARGS_TOWIRE) {
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_uri);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &region);
+	return (mem_tobuffer(target, region.base, region.length));
+}
+
+static int
+compare_uri(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+	int order;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_uri);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+
+	/*
+	 * Priority
+	 */
+	order = memcmp(r1.base, r2.base, 2);
+	if (order != 0) {
+		return (order < 0 ? -1 : 1);
+	}
+	isc_region_consume(&r1, 2);
+	isc_region_consume(&r2, 2);
+
+	/*
+	 * Weight
+	 */
+	order = memcmp(r1.base, r2.base, 2);
+	if (order != 0) {
+		return (order < 0 ? -1 : 1);
+	}
+	isc_region_consume(&r1, 2);
+	isc_region_consume(&r2, 2);
+
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+fromstruct_uri(ARGS_FROMSTRUCT) {
+	dns_rdata_uri_t *uri = source;
+
+	REQUIRE(type == dns_rdatatype_uri);
+	REQUIRE(uri != NULL);
+	REQUIRE(uri->common.rdtype == type);
+	REQUIRE(uri->common.rdclass == rdclass);
+	REQUIRE(uri->target != NULL && uri->tgt_len != 0);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	/*
+	 * Priority
+	 */
+	RETERR(uint16_tobuffer(uri->priority, target));
+
+	/*
+	 * Weight
+	 */
+	RETERR(uint16_tobuffer(uri->weight, target));
+
+	/*
+	 * Target URI
+	 */
+	return (mem_tobuffer(target, uri->target, uri->tgt_len));
+}
+
+static isc_result_t
+tostruct_uri(ARGS_TOSTRUCT) {
+	dns_rdata_uri_t *uri = target;
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_uri);
+	REQUIRE(uri != NULL);
+	REQUIRE(rdata->length != 0);
+
+	uri->common.rdclass = rdata->rdclass;
+	uri->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&uri->common, link);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/*
+	 * Priority
+	 */
+	if (sr.length < 2) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	uri->priority = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+
+	/*
+	 * Weight
+	 */
+	if (sr.length < 2) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	uri->weight = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+
+	/*
+	 * Target URI
+	 */
+	uri->tgt_len = sr.length;
+	uri->target = mem_maybedup(mctx, sr.base, sr.length);
+	if (uri->target == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	uri->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_uri(ARGS_FREESTRUCT) {
+	dns_rdata_uri_t *uri = (dns_rdata_uri_t *)source;
+
+	REQUIRE(uri != NULL);
+	REQUIRE(uri->common.rdtype == dns_rdatatype_uri);
+
+	if (uri->mctx == NULL) {
+		return;
+	}
+
+	if (uri->target != NULL) {
+		isc_mem_free(uri->mctx, uri->target);
+	}
+	uri->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_uri(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_uri);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_uri(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_uri);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_uri(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_uri);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_uri(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_uri);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_uri(ARGS_COMPARE) {
+	return (compare_uri(rdata1, rdata2));
+}
+
+#endif /* GENERIC_URI_256_C */
diff --git a/lib/dns/rdata/generic/uri_256.h b/lib/dns/rdata/generic/uri_256.h
new file mode 100644
index 0000000..8786eff
--- /dev/null
+++ b/lib/dns/rdata/generic/uri_256.h
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_URI_256_H
+#define GENERIC_URI_256_H 1
+
+typedef struct dns_rdata_uri {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	uint16_t priority;
+	uint16_t weight;
+	unsigned char *target;
+	uint16_t tgt_len;
+} dns_rdata_uri_t;
+
+#endif /* GENERIC_URI_256_H */
diff --git a/lib/dns/rdata/generic/x25_19.c b/lib/dns/rdata/generic/x25_19.c
new file mode 100644
index 0000000..e8ed4dd
--- /dev/null
+++ b/lib/dns/rdata/generic/x25_19.c
@@ -0,0 +1,232 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC1183 */
+
+#ifndef RDATA_GENERIC_X25_19_C
+#define RDATA_GENERIC_X25_19_C
+
+#define RRTYPE_X25_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_x25(ARGS_FROMTEXT) {
+	isc_token_t token;
+	unsigned int i;
+
+	REQUIRE(type == dns_rdatatype_x25);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
+				      false));
+	if (token.value.as_textregion.length < 4) {
+		RETTOK(DNS_R_SYNTAX);
+	}
+	for (i = 0; i < token.value.as_textregion.length; i++) {
+		if (!isdigit((unsigned char)token.value.as_textregion.base[i]))
+		{
+			RETTOK(ISC_R_RANGE);
+		}
+	}
+	RETTOK(txt_fromtext(&token.value.as_textregion, target));
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+totext_x25(ARGS_TOTEXT) {
+	isc_region_t region;
+
+	UNUSED(tctx);
+
+	REQUIRE(rdata->type == dns_rdatatype_x25);
+	REQUIRE(rdata->length != 0);
+
+	dns_rdata_toregion(rdata, &region);
+	return (txt_totext(&region, true, target));
+}
+
+static isc_result_t
+fromwire_x25(ARGS_FROMWIRE) {
+	isc_region_t sr;
+	unsigned int i;
+
+	REQUIRE(type == dns_rdatatype_x25);
+
+	UNUSED(type);
+	UNUSED(dctx);
+	UNUSED(rdclass);
+	UNUSED(options);
+
+	isc_buffer_activeregion(source, &sr);
+	if (sr.length < 5 || sr.base[0] != (sr.length - 1)) {
+		return (DNS_R_FORMERR);
+	}
+	for (i = 1; i < sr.length; i++) {
+		if (sr.base[i] < 0x30 || sr.base[i] > 0x39) {
+			return (DNS_R_FORMERR);
+		}
+	}
+	return (txt_fromwire(source, target));
+}
+
+static isc_result_t
+towire_x25(ARGS_TOWIRE) {
+	UNUSED(cctx);
+
+	REQUIRE(rdata->type == dns_rdatatype_x25);
+	REQUIRE(rdata->length != 0);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static int
+compare_x25(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_x25);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+fromstruct_x25(ARGS_FROMSTRUCT) {
+	dns_rdata_x25_t *x25 = source;
+	uint8_t i;
+
+	REQUIRE(type == dns_rdatatype_x25);
+	REQUIRE(x25 != NULL);
+	REQUIRE(x25->common.rdtype == type);
+	REQUIRE(x25->common.rdclass == rdclass);
+	REQUIRE(x25->x25 != NULL && x25->x25_len != 0);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	if (x25->x25_len < 4) {
+		return (ISC_R_RANGE);
+	}
+
+	for (i = 0; i < x25->x25_len; i++) {
+		if (!isdigit((unsigned char)x25->x25[i])) {
+			return (ISC_R_RANGE);
+		}
+	}
+
+	RETERR(uint8_tobuffer(x25->x25_len, target));
+	return (mem_tobuffer(target, x25->x25, x25->x25_len));
+}
+
+static isc_result_t
+tostruct_x25(ARGS_TOSTRUCT) {
+	dns_rdata_x25_t *x25 = target;
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_x25);
+	REQUIRE(x25 != NULL);
+	REQUIRE(rdata->length != 0);
+
+	x25->common.rdclass = rdata->rdclass;
+	x25->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&x25->common, link);
+
+	dns_rdata_toregion(rdata, &r);
+	x25->x25_len = uint8_fromregion(&r);
+	isc_region_consume(&r, 1);
+	x25->x25 = mem_maybedup(mctx, r.base, x25->x25_len);
+	if (x25->x25 == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	x25->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_x25(ARGS_FREESTRUCT) {
+	dns_rdata_x25_t *x25 = source;
+
+	REQUIRE(x25 != NULL);
+	REQUIRE(x25->common.rdtype == dns_rdatatype_x25);
+
+	if (x25->mctx == NULL) {
+		return;
+	}
+
+	if (x25->x25 != NULL) {
+		isc_mem_free(x25->mctx, x25->x25);
+	}
+	x25->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_x25(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_x25);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_x25(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_x25);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_x25(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_x25);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_x25(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_x25);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_x25(ARGS_COMPARE) {
+	return (compare_x25(rdata1, rdata2));
+}
+
+#endif /* RDATA_GENERIC_X25_19_C */
diff --git a/lib/dns/rdata/generic/x25_19.h b/lib/dns/rdata/generic/x25_19.h
new file mode 100644
index 0000000..5f8981e
--- /dev/null
+++ b/lib/dns/rdata/generic/x25_19.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_X25_19_H
+#define GENERIC_X25_19_H 1
+
+/*!
+ *  \brief Per RFC1183 */
+
+typedef struct dns_rdata_x25 {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	unsigned char *x25;
+	uint8_t x25_len;
+} dns_rdata_x25_t;
+
+#endif /* GENERIC_X25_19_H */
diff --git a/lib/dns/rdata/generic/zonemd_63.c b/lib/dns/rdata/generic/zonemd_63.c
new file mode 100644
index 0000000..949507e
--- /dev/null
+++ b/lib/dns/rdata/generic/zonemd_63.c
@@ -0,0 +1,350 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC 8976 */
+
+#ifndef RDATA_GENERIC_ZONEMD_63_C
+#define RDATA_GENERIC_ZONEMD_63_C
+
+#define RRTYPE_ZONEMD_ATTRIBUTES 0
+
+static isc_result_t
+fromtext_zonemd(ARGS_FROMTEXT) {
+	isc_token_t token;
+	int digest_type, length;
+	isc_buffer_t save;
+	isc_result_t result;
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	/*
+	 * Zone Serial.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	RETERR(uint32_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Digest Scheme.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	RETERR(uint8_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Digest Type.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	digest_type = token.value.as_ulong;
+	RETERR(uint8_tobuffer(digest_type, target));
+
+	/*
+	 * Digest.
+	 */
+	switch (digest_type) {
+	case DNS_ZONEMD_DIGEST_SHA384:
+		length = ISC_SHA384_DIGESTLENGTH;
+		break;
+	case DNS_ZONEMD_DIGEST_SHA512:
+		length = ISC_SHA512_DIGESTLENGTH;
+		break;
+	default:
+		length = -2;
+		break;
+	}
+
+	save = *target;
+	result = isc_hex_tobuffer(lexer, target, length);
+	/* Minimum length of digest is 12 octets. */
+	if (isc_buffer_usedlength(target) - isc_buffer_usedlength(&save) < 12) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	return (result);
+}
+
+static isc_result_t
+totext_zonemd(ARGS_TOTEXT) {
+	isc_region_t sr;
+	char buf[sizeof("0123456789")];
+	unsigned long num;
+
+	REQUIRE(rdata->length > 6);
+
+	UNUSED(tctx);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/*
+	 * Zone Serial.
+	 */
+	num = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+	snprintf(buf, sizeof(buf), "%lu", num);
+	RETERR(str_totext(buf, target));
+
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Digest scheme.
+	 */
+	num = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+	snprintf(buf, sizeof(buf), "%lu", num);
+	RETERR(str_totext(buf, target));
+
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Digest type.
+	 */
+	num = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+	snprintf(buf, sizeof(buf), "%lu", num);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Digest.
+	 */
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+		RETERR(str_totext(" (", target));
+	}
+	RETERR(str_totext(tctx->linebreak, target));
+	if ((tctx->flags & DNS_STYLEFLAG_NOCRYPTO) == 0) {
+		if (tctx->width == 0) { /* No splitting */
+			RETERR(isc_hex_totext(&sr, 0, "", target));
+		} else {
+			RETERR(isc_hex_totext(&sr, tctx->width - 2,
+					      tctx->linebreak, target));
+		}
+	} else {
+		RETERR(str_totext("[omitted]", target));
+	}
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+		RETERR(str_totext(" )", target));
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+fromwire_zonemd(ARGS_FROMWIRE) {
+	isc_region_t sr;
+	size_t digestlen = 0;
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+	UNUSED(options);
+
+	isc_buffer_activeregion(source, &sr);
+
+	/*
+	 * If we do not recognize the digest type, ensure that the digest
+	 * meets minimum length (12).
+	 *
+	 * If we do recognize the digest type, ensure that the digest is of the
+	 * correct length.
+	 */
+	if (sr.length < 18) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	switch (sr.base[5]) {
+	case DNS_ZONEMD_DIGEST_SHA384:
+		digestlen = ISC_SHA384_DIGESTLENGTH;
+		break;
+	case DNS_ZONEMD_DIGEST_SHA512:
+		digestlen = ISC_SHA512_DIGESTLENGTH;
+		break;
+	default:
+		break;
+	}
+
+	if (digestlen != 0 && sr.length < 6 + digestlen) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	/*
+	 * Only specify the number of octets to consume if we recognize the
+	 * digest type.
+	 *
+	 * If there is extra data, dns_rdata_fromwire() will detect that.
+	 */
+	if (digestlen != 0) {
+		sr.length = 6 + digestlen;
+	}
+
+	isc_buffer_forward(source, sr.length);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static isc_result_t
+towire_zonemd(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_zonemd);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static int
+compare_zonemd(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_zonemd);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+fromstruct_zonemd(ARGS_FROMSTRUCT) {
+	dns_rdata_zonemd_t *zonemd = source;
+
+	REQUIRE(zonemd != NULL);
+	REQUIRE(zonemd->common.rdtype == type);
+	REQUIRE(zonemd->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	switch (zonemd->digest_type) {
+	case DNS_ZONEMD_DIGEST_SHA384:
+		REQUIRE(zonemd->length == ISC_SHA384_DIGESTLENGTH);
+		break;
+	case DNS_ZONEMD_DIGEST_SHA512:
+		REQUIRE(zonemd->length == ISC_SHA512_DIGESTLENGTH);
+		break;
+	}
+
+	RETERR(uint32_tobuffer(zonemd->serial, target));
+	RETERR(uint8_tobuffer(zonemd->scheme, target));
+	RETERR(uint8_tobuffer(zonemd->digest_type, target));
+
+	return (mem_tobuffer(target, zonemd->digest, zonemd->length));
+}
+
+static isc_result_t
+tostruct_zonemd(ARGS_TOSTRUCT) {
+	dns_rdata_zonemd_t *zonemd = target;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_zonemd);
+	REQUIRE(zonemd != NULL);
+	REQUIRE(rdata->length != 0);
+
+	zonemd->common.rdclass = rdata->rdclass;
+	zonemd->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&zonemd->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+
+	zonemd->serial = uint32_fromregion(&region);
+	isc_region_consume(&region, 4);
+	zonemd->scheme = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	zonemd->digest_type = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	zonemd->length = region.length;
+
+	zonemd->digest = mem_maybedup(mctx, region.base, region.length);
+	if (zonemd->digest == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	zonemd->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_zonemd(ARGS_FREESTRUCT) {
+	dns_rdata_zonemd_t *zonemd = source;
+
+	REQUIRE(zonemd != NULL);
+	REQUIRE(zonemd->common.rdtype == dns_rdatatype_zonemd);
+
+	if (zonemd->mctx == NULL) {
+		return;
+	}
+
+	if (zonemd->digest != NULL) {
+		isc_mem_free(zonemd->mctx, zonemd->digest);
+	}
+	zonemd->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_zonemd(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_zonemd);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_zonemd(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_zonemd);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_zonemd(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_zonemd);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_zonemd(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_zonemd);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_zonemd(ARGS_COMPARE) {
+	return (compare_zonemd(rdata1, rdata2));
+}
+
+#endif /* RDATA_GENERIC_ZONEMD_63_C */
diff --git a/lib/dns/rdata/generic/zonemd_63.h b/lib/dns/rdata/generic/zonemd_63.h
new file mode 100644
index 0000000..02adc14
--- /dev/null
+++ b/lib/dns/rdata/generic/zonemd_63.h
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_ZONEMD_63_H
+#define GENERIC_ZONEMD_63_H 1
+
+/* Known digest type(s). */
+#define DNS_ZONEMD_DIGEST_SHA384 (1)
+#define DNS_ZONEMD_DIGEST_SHA512 (2)
+
+/*
+ *  \brief per RFC 8976
+ */
+typedef struct dns_rdata_zonemd {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	uint32_t serial;
+	uint8_t scheme;
+	uint8_t digest_type;
+	unsigned char *digest;
+	uint16_t length;
+} dns_rdata_zonemd_t;
+
+#endif /* GENERIC_ZONEMD_63_H */
diff --git a/lib/dns/rdata/hs_4/a_1.c b/lib/dns/rdata/hs_4/a_1.c
new file mode 100644
index 0000000..8943e7e
--- /dev/null
+++ b/lib/dns/rdata/hs_4/a_1.c
@@ -0,0 +1,235 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_HS_4_A_1_C
+#define RDATA_HS_4_A_1_C
+
+#include <isc/net.h>
+
+#define RRTYPE_A_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_hs_a(ARGS_FROMTEXT) {
+	isc_token_t token;
+	struct in_addr addr;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_a);
+	REQUIRE(rdclass == dns_rdataclass_hs);
+
+	UNUSED(type);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	if (inet_pton(AF_INET, DNS_AS_STR(token), &addr) != 1) {
+		RETTOK(DNS_R_BADDOTTEDQUAD);
+	}
+	isc_buffer_availableregion(target, &region);
+	if (region.length < 4) {
+		return (ISC_R_NOSPACE);
+	}
+	memmove(region.base, &addr, 4);
+	isc_buffer_add(target, 4);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+totext_hs_a(ARGS_TOTEXT) {
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_a);
+	REQUIRE(rdata->rdclass == dns_rdataclass_hs);
+	REQUIRE(rdata->length == 4);
+
+	UNUSED(tctx);
+
+	dns_rdata_toregion(rdata, &region);
+	return (inet_totext(AF_INET, tctx->flags, &region, target));
+}
+
+static isc_result_t
+fromwire_hs_a(ARGS_FROMWIRE) {
+	isc_region_t sregion;
+	isc_region_t tregion;
+
+	REQUIRE(type == dns_rdatatype_a);
+	REQUIRE(rdclass == dns_rdataclass_hs);
+
+	UNUSED(type);
+	UNUSED(dctx);
+	UNUSED(options);
+	UNUSED(rdclass);
+
+	isc_buffer_activeregion(source, &sregion);
+	isc_buffer_availableregion(target, &tregion);
+	if (sregion.length < 4) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	if (tregion.length < 4) {
+		return (ISC_R_NOSPACE);
+	}
+
+	memmove(tregion.base, sregion.base, 4);
+	isc_buffer_forward(source, 4);
+	isc_buffer_add(target, 4);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+towire_hs_a(ARGS_TOWIRE) {
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_a);
+	REQUIRE(rdata->rdclass == dns_rdataclass_hs);
+	REQUIRE(rdata->length == 4);
+
+	UNUSED(cctx);
+
+	isc_buffer_availableregion(target, &region);
+	if (region.length < rdata->length) {
+		return (ISC_R_NOSPACE);
+	}
+	memmove(region.base, rdata->data, rdata->length);
+	isc_buffer_add(target, 4);
+	return (ISC_R_SUCCESS);
+}
+
+static int
+compare_hs_a(ARGS_COMPARE) {
+	int order;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_a);
+	REQUIRE(rdata1->rdclass == dns_rdataclass_hs);
+	REQUIRE(rdata1->length == 4);
+	REQUIRE(rdata2->length == 4);
+
+	order = memcmp(rdata1->data, rdata2->data, 4);
+	if (order != 0) {
+		order = (order < 0) ? -1 : 1;
+	}
+
+	return (order);
+}
+
+static isc_result_t
+fromstruct_hs_a(ARGS_FROMSTRUCT) {
+	dns_rdata_hs_a_t *a = source;
+	uint32_t n;
+
+	REQUIRE(type == dns_rdatatype_a);
+	REQUIRE(rdclass == dns_rdataclass_hs);
+	REQUIRE(a != NULL);
+	REQUIRE(a->common.rdtype == type);
+	REQUIRE(a->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	n = ntohl(a->in_addr.s_addr);
+
+	return (uint32_tobuffer(n, target));
+}
+
+static isc_result_t
+tostruct_hs_a(ARGS_TOSTRUCT) {
+	dns_rdata_hs_a_t *a = target;
+	uint32_t n;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_a);
+	REQUIRE(rdata->rdclass == dns_rdataclass_hs);
+	REQUIRE(rdata->length == 4);
+	REQUIRE(a != NULL);
+
+	UNUSED(mctx);
+
+	a->common.rdclass = rdata->rdclass;
+	a->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&a->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+	n = uint32_fromregion(&region);
+	a->in_addr.s_addr = htonl(n);
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_hs_a(ARGS_FREESTRUCT) {
+	UNUSED(source);
+
+	REQUIRE(source != NULL);
+}
+
+static isc_result_t
+additionaldata_hs_a(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_a);
+	REQUIRE(rdata->rdclass == dns_rdataclass_hs);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_hs_a(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_a);
+	REQUIRE(rdata->rdclass == dns_rdataclass_hs);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_hs_a(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_a);
+	REQUIRE(rdclass == dns_rdataclass_hs);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_hs_a(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_a);
+	REQUIRE(rdata->rdclass == dns_rdataclass_hs);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_hs_a(ARGS_COMPARE) {
+	return (compare_hs_a(rdata1, rdata2));
+}
+
+#endif /* RDATA_HS_4_A_1_C */
diff --git a/lib/dns/rdata/hs_4/a_1.h b/lib/dns/rdata/hs_4/a_1.h
new file mode 100644
index 0000000..1bd8c5d
--- /dev/null
+++ b/lib/dns/rdata/hs_4/a_1.h
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef HS_4_A_1_H
+#define HS_4_A_1_H 1
+
+typedef struct dns_rdata_hs_a {
+	dns_rdatacommon_t common;
+	struct in_addr in_addr;
+} dns_rdata_hs_a_t;
+
+#endif /* HS_4_A_1_H */
diff --git a/lib/dns/rdata/in_1/a6_38.c b/lib/dns/rdata/in_1/a6_38.c
new file mode 100644
index 0000000..65c0a69
--- /dev/null
+++ b/lib/dns/rdata/in_1/a6_38.c
@@ -0,0 +1,486 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC2874 */
+
+#ifndef RDATA_IN_1_A6_28_C
+#define RDATA_IN_1_A6_28_C
+
+#include <isc/net.h>
+
+#define RRTYPE_A6_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_in_a6(ARGS_FROMTEXT) {
+	isc_token_t token;
+	unsigned char addr[16];
+	unsigned char prefixlen;
+	unsigned char octets;
+	unsigned char mask;
+	dns_name_t name;
+	isc_buffer_t buffer;
+	bool ok;
+
+	REQUIRE(type == dns_rdatatype_a6);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	/*
+	 * Prefix length.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 128U) {
+		RETTOK(ISC_R_RANGE);
+	}
+
+	prefixlen = (unsigned char)token.value.as_ulong;
+	RETERR(mem_tobuffer(target, &prefixlen, 1));
+
+	/*
+	 * Suffix.
+	 */
+	if (prefixlen != 128) {
+		/*
+		 * Prefix 0..127.
+		 */
+		octets = prefixlen / 8;
+		/*
+		 * Octets 0..15.
+		 */
+		RETERR(isc_lex_getmastertoken(lexer, &token,
+					      isc_tokentype_string, false));
+		if (inet_pton(AF_INET6, DNS_AS_STR(token), addr) != 1) {
+			RETTOK(DNS_R_BADAAAA);
+		}
+		mask = 0xff >> (prefixlen % 8);
+		addr[octets] &= mask;
+		RETERR(mem_tobuffer(target, &addr[octets], 16 - octets));
+	}
+
+	if (prefixlen == 0) {
+		return (ISC_R_SUCCESS);
+	}
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL) {
+		origin = dns_rootname;
+	}
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	ok = true;
+	if ((options & DNS_RDATA_CHECKNAMES) != 0) {
+		ok = dns_name_ishostname(&name, false);
+	}
+	if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0) {
+		RETTOK(DNS_R_BADNAME);
+	}
+	if (!ok && callbacks != NULL) {
+		warn_badname(&name, lexer, callbacks);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+totext_in_a6(ARGS_TOTEXT) {
+	isc_region_t sr, ar;
+	unsigned char addr[16];
+	unsigned char prefixlen;
+	unsigned char octets;
+	unsigned char mask;
+	char buf[sizeof("128")];
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+
+	REQUIRE(rdata->type == dns_rdatatype_a6);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length != 0);
+
+	dns_rdata_toregion(rdata, &sr);
+	prefixlen = sr.base[0];
+	INSIST(prefixlen <= 128);
+	isc_region_consume(&sr, 1);
+	snprintf(buf, sizeof(buf), "%u", prefixlen);
+	RETERR(str_totext(buf, target));
+	RETERR(str_totext(" ", target));
+
+	if (prefixlen != 128) {
+		octets = prefixlen / 8;
+		memset(addr, 0, sizeof(addr));
+		memmove(&addr[octets], sr.base, 16 - octets);
+		mask = 0xff >> (prefixlen % 8);
+		addr[octets] &= mask;
+		ar.base = addr;
+		ar.length = sizeof(addr);
+		RETERR(inet_totext(AF_INET6, tctx->flags, &ar, target));
+		isc_region_consume(&sr, 16 - octets);
+	}
+
+	if (prefixlen == 0) {
+		return (ISC_R_SUCCESS);
+	}
+
+	RETERR(str_totext(" ", target));
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+	dns_name_fromregion(&name, &sr);
+	sub = name_prefix(&name, tctx->origin, &prefix);
+	return (dns_name_totext(&prefix, sub, target));
+}
+
+static isc_result_t
+fromwire_in_a6(ARGS_FROMWIRE) {
+	isc_region_t sr;
+	unsigned char prefixlen;
+	unsigned char octets;
+	unsigned char mask;
+	dns_name_t name;
+
+	REQUIRE(type == dns_rdatatype_a6);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+	isc_buffer_activeregion(source, &sr);
+	/*
+	 * Prefix length.
+	 */
+	if (sr.length < 1) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	prefixlen = sr.base[0];
+	if (prefixlen > 128) {
+		return (ISC_R_RANGE);
+	}
+	isc_region_consume(&sr, 1);
+	RETERR(mem_tobuffer(target, &prefixlen, 1));
+	isc_buffer_forward(source, 1);
+
+	/*
+	 * Suffix.
+	 */
+	if (prefixlen != 128) {
+		octets = 16 - prefixlen / 8;
+		if (sr.length < octets) {
+			return (ISC_R_UNEXPECTEDEND);
+		}
+		mask = 0xff >> (prefixlen % 8);
+		if ((sr.base[0] & ~mask) != 0) {
+			return (DNS_R_FORMERR);
+		}
+		RETERR(mem_tobuffer(target, sr.base, octets));
+		isc_buffer_forward(source, octets);
+	}
+
+	if (prefixlen == 0) {
+		return (ISC_R_SUCCESS);
+	}
+
+	dns_name_init(&name, NULL);
+	return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static isc_result_t
+towire_in_a6(ARGS_TOWIRE) {
+	isc_region_t sr;
+	dns_name_t name;
+	dns_offsets_t offsets;
+	unsigned char prefixlen;
+	unsigned char octets;
+
+	REQUIRE(rdata->type == dns_rdatatype_a6);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+	dns_rdata_toregion(rdata, &sr);
+	prefixlen = sr.base[0];
+	INSIST(prefixlen <= 128);
+
+	octets = 1 + 16 - prefixlen / 8;
+	RETERR(mem_tobuffer(target, sr.base, octets));
+	isc_region_consume(&sr, octets);
+
+	if (prefixlen == 0) {
+		return (ISC_R_SUCCESS);
+	}
+
+	dns_name_init(&name, offsets);
+	dns_name_fromregion(&name, &sr);
+	return (dns_name_towire(&name, cctx, target));
+}
+
+static int
+compare_in_a6(ARGS_COMPARE) {
+	int order;
+	unsigned char prefixlen1, prefixlen2;
+	unsigned char octets;
+	dns_name_t name1;
+	dns_name_t name2;
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_a6);
+	REQUIRE(rdata1->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+	prefixlen1 = region1.base[0];
+	prefixlen2 = region2.base[0];
+	isc_region_consume(&region1, 1);
+	isc_region_consume(&region2, 1);
+	if (prefixlen1 < prefixlen2) {
+		return (-1);
+	} else if (prefixlen1 > prefixlen2) {
+		return (1);
+	}
+	/*
+	 * Prefix lengths are equal.
+	 */
+	octets = 16 - prefixlen1 / 8;
+
+	if (octets > 0) {
+		order = memcmp(region1.base, region2.base, octets);
+		if (order < 0) {
+			return (-1);
+		} else if (order > 0) {
+			return (1);
+		}
+		/*
+		 * Address suffixes are equal.
+		 */
+		if (prefixlen1 == 0) {
+			return (order);
+		}
+		isc_region_consume(&region1, octets);
+		isc_region_consume(&region2, octets);
+	}
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+	return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static isc_result_t
+fromstruct_in_a6(ARGS_FROMSTRUCT) {
+	dns_rdata_in_a6_t *a6 = source;
+	isc_region_t region;
+	int octets;
+	uint8_t bits;
+	uint8_t first;
+	uint8_t mask;
+
+	REQUIRE(type == dns_rdatatype_a6);
+	REQUIRE(rdclass == dns_rdataclass_in);
+	REQUIRE(a6 != NULL);
+	REQUIRE(a6->common.rdtype == type);
+	REQUIRE(a6->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	if (a6->prefixlen > 128) {
+		return (ISC_R_RANGE);
+	}
+
+	RETERR(uint8_tobuffer(a6->prefixlen, target));
+
+	/* Suffix */
+	if (a6->prefixlen != 128) {
+		octets = 16 - a6->prefixlen / 8;
+		bits = a6->prefixlen % 8;
+		if (bits != 0) {
+			mask = 0xffU >> bits;
+			first = a6->in6_addr.s6_addr[16 - octets] & mask;
+			RETERR(uint8_tobuffer(first, target));
+			octets--;
+		}
+		if (octets > 0) {
+			RETERR(mem_tobuffer(target,
+					    a6->in6_addr.s6_addr + 16 - octets,
+					    octets));
+		}
+	}
+
+	if (a6->prefixlen == 0) {
+		return (ISC_R_SUCCESS);
+	}
+	dns_name_toregion(&a6->prefix, &region);
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static isc_result_t
+tostruct_in_a6(ARGS_TOSTRUCT) {
+	dns_rdata_in_a6_t *a6 = target;
+	unsigned char octets;
+	dns_name_t name;
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_a6);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(a6 != NULL);
+	REQUIRE(rdata->length != 0);
+
+	a6->common.rdclass = rdata->rdclass;
+	a6->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&a6->common, link);
+
+	dns_rdata_toregion(rdata, &r);
+
+	a6->prefixlen = uint8_fromregion(&r);
+	isc_region_consume(&r, 1);
+	memset(a6->in6_addr.s6_addr, 0, sizeof(a6->in6_addr.s6_addr));
+
+	/*
+	 * Suffix.
+	 */
+	if (a6->prefixlen != 128) {
+		octets = 16 - a6->prefixlen / 8;
+		INSIST(r.length >= octets);
+		memmove(a6->in6_addr.s6_addr + 16 - octets, r.base, octets);
+		isc_region_consume(&r, octets);
+	}
+
+	/*
+	 * Prefix.
+	 */
+	dns_name_init(&a6->prefix, NULL);
+	if (a6->prefixlen != 0) {
+		dns_name_init(&name, NULL);
+		dns_name_fromregion(&name, &r);
+		RETERR(name_duporclone(&name, mctx, &a6->prefix));
+	}
+	a6->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_in_a6(ARGS_FREESTRUCT) {
+	dns_rdata_in_a6_t *a6 = source;
+
+	REQUIRE(a6 != NULL);
+	REQUIRE(a6->common.rdclass == dns_rdataclass_in);
+	REQUIRE(a6->common.rdtype == dns_rdatatype_a6);
+
+	if (a6->mctx == NULL) {
+		return;
+	}
+
+	if (dns_name_dynamic(&a6->prefix)) {
+		dns_name_free(&a6->prefix, a6->mctx);
+	}
+	a6->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_in_a6(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_a6);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_in_a6(ARGS_DIGEST) {
+	isc_region_t r1, r2;
+	unsigned char prefixlen, octets;
+	isc_result_t result;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_a6);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	dns_rdata_toregion(rdata, &r1);
+	r2 = r1;
+	prefixlen = r1.base[0];
+	octets = 1 + 16 - prefixlen / 8;
+
+	r1.length = octets;
+	result = (digest)(arg, &r1);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	if (prefixlen == 0) {
+		return (ISC_R_SUCCESS);
+	}
+
+	isc_region_consume(&r2, octets);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r2);
+	return (dns_name_digest(&name, digest, arg));
+}
+
+static bool
+checkowner_in_a6(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_a6);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	return (dns_name_ishostname(name, wildcard));
+}
+
+static bool
+checknames_in_a6(ARGS_CHECKNAMES) {
+	isc_region_t region;
+	dns_name_t name;
+	unsigned int prefixlen;
+
+	REQUIRE(rdata->type == dns_rdatatype_a6);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	UNUSED(owner);
+
+	dns_rdata_toregion(rdata, &region);
+	prefixlen = uint8_fromregion(&region);
+	if (prefixlen == 0) {
+		return (true);
+	}
+	isc_region_consume(&region, 1 + 16 - prefixlen / 8);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+	if (!dns_name_ishostname(&name, false)) {
+		if (bad != NULL) {
+			dns_name_clone(&name, bad);
+		}
+		return (false);
+	}
+	return (true);
+}
+
+static int
+casecompare_in_a6(ARGS_COMPARE) {
+	return (compare_in_a6(rdata1, rdata2));
+}
+
+#endif /* RDATA_IN_1_A6_38_C */
diff --git a/lib/dns/rdata/in_1/a6_38.h b/lib/dns/rdata/in_1/a6_38.h
new file mode 100644
index 0000000..bd83092
--- /dev/null
+++ b/lib/dns/rdata/in_1/a6_38.h
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef IN_1_A6_38_H
+#define IN_1_A6_38_H 1
+
+/*!
+ *  \brief Per RFC2874 */
+
+typedef struct dns_rdata_in_a6 {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	dns_name_t prefix;
+	uint8_t prefixlen;
+	struct in6_addr in6_addr;
+} dns_rdata_in_a6_t;
+
+#endif /* IN_1_A6_38_H */
diff --git a/lib/dns/rdata/in_1/a_1.c b/lib/dns/rdata/in_1/a_1.c
new file mode 100644
index 0000000..b474aa7
--- /dev/null
+++ b/lib/dns/rdata/in_1/a_1.c
@@ -0,0 +1,278 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_IN_1_A_1_C
+#define RDATA_IN_1_A_1_C
+
+#include <string.h>
+
+#include <isc/net.h>
+
+#define RRTYPE_A_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_in_a(ARGS_FROMTEXT) {
+	isc_token_t token;
+	struct in_addr addr;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_a);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	if (inet_pton(AF_INET, DNS_AS_STR(token), &addr) != 1) {
+		RETTOK(DNS_R_BADDOTTEDQUAD);
+	}
+	isc_buffer_availableregion(target, &region);
+	if (region.length < 4) {
+		return (ISC_R_NOSPACE);
+	}
+	memmove(region.base, &addr, 4);
+	isc_buffer_add(target, 4);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+totext_in_a(ARGS_TOTEXT) {
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_a);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length == 4);
+
+	UNUSED(tctx);
+
+	dns_rdata_toregion(rdata, &region);
+	return (inet_totext(AF_INET, tctx->flags, &region, target));
+}
+
+static isc_result_t
+fromwire_in_a(ARGS_FROMWIRE) {
+	isc_region_t sregion;
+	isc_region_t tregion;
+
+	REQUIRE(type == dns_rdatatype_a);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(dctx);
+	UNUSED(options);
+	UNUSED(rdclass);
+
+	isc_buffer_activeregion(source, &sregion);
+	isc_buffer_availableregion(target, &tregion);
+	if (sregion.length < 4) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	if (tregion.length < 4) {
+		return (ISC_R_NOSPACE);
+	}
+
+	memmove(tregion.base, sregion.base, 4);
+	isc_buffer_forward(source, 4);
+	isc_buffer_add(target, 4);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+towire_in_a(ARGS_TOWIRE) {
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_a);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length == 4);
+
+	UNUSED(cctx);
+
+	isc_buffer_availableregion(target, &region);
+	if (region.length < rdata->length) {
+		return (ISC_R_NOSPACE);
+	}
+	memmove(region.base, rdata->data, rdata->length);
+	isc_buffer_add(target, 4);
+	return (ISC_R_SUCCESS);
+}
+
+static int
+compare_in_a(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_a);
+	REQUIRE(rdata1->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata1->length == 4);
+	REQUIRE(rdata2->length == 4);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+fromstruct_in_a(ARGS_FROMSTRUCT) {
+	dns_rdata_in_a_t *a = source;
+	uint32_t n;
+
+	REQUIRE(type == dns_rdatatype_a);
+	REQUIRE(rdclass == dns_rdataclass_in);
+	REQUIRE(a != NULL);
+	REQUIRE(a->common.rdtype == type);
+	REQUIRE(a->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	n = ntohl(a->in_addr.s_addr);
+
+	return (uint32_tobuffer(n, target));
+}
+
+static isc_result_t
+tostruct_in_a(ARGS_TOSTRUCT) {
+	dns_rdata_in_a_t *a = target;
+	uint32_t n;
+	isc_region_t region;
+
+	REQUIRE(a != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_a);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length == 4);
+
+	UNUSED(mctx);
+
+	a->common.rdclass = rdata->rdclass;
+	a->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&a->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+	n = uint32_fromregion(&region);
+	a->in_addr.s_addr = htonl(n);
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_in_a(ARGS_FREESTRUCT) {
+	dns_rdata_in_a_t *a = source;
+
+	REQUIRE(a != NULL);
+	REQUIRE(a->common.rdtype == dns_rdatatype_a);
+	REQUIRE(a->common.rdclass == dns_rdataclass_in);
+
+	UNUSED(a);
+}
+
+static isc_result_t
+additionaldata_in_a(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_a);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_in_a(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_a);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_in_a(ARGS_CHECKOWNER) {
+	dns_name_t prefix, suffix;
+	unsigned int labels, i;
+
+	REQUIRE(type == dns_rdatatype_a);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	labels = dns_name_countlabels(name);
+	if (labels > 2U) {
+		/*
+		 * Handle Active Directory gc._msdcs.<forest> name.
+		 */
+		dns_name_init(&prefix, NULL);
+		dns_name_init(&suffix, NULL);
+		dns_name_split(name, labels - 2, &prefix, &suffix);
+		if (dns_name_equal(&gc_msdcs, &prefix) &&
+		    dns_name_ishostname(&suffix, false))
+		{
+			return (true);
+		}
+
+		/*
+		 * Handle SPF exists targets when the seperating label is:
+		 * - "_spf" RFC7208, section 5.7
+		 * - "_spf_verify" RFC7208, Appendix D1
+		 * - "_spf_rate" RFC7208, Appendix D1
+		 */
+		for (i = 0; i < labels - 2; i++) {
+			dns_label_t label;
+			dns_name_getlabel(name, i, &label);
+			if ((label.length == 5 &&
+			     strncasecmp((char *)label.base, "\x04_spf", 5) ==
+				     0) ||
+			    (label.length == 12 &&
+			     strncasecmp((char *)label.base, "\x0b_spf_verify",
+					 12) == 0) ||
+			    (label.length == 10 &&
+			     strncasecmp((char *)label.base, "\x09_spf_rate",
+					 10) == 0))
+			{
+				return (true);
+			}
+		}
+	}
+
+	return (dns_name_ishostname(name, wildcard));
+}
+
+static bool
+checknames_in_a(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_a);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_in_a(ARGS_COMPARE) {
+	return (compare_in_a(rdata1, rdata2));
+}
+
+#endif /* RDATA_IN_1_A_1_C */
diff --git a/lib/dns/rdata/in_1/a_1.h b/lib/dns/rdata/in_1/a_1.h
new file mode 100644
index 0000000..aefc4f3
--- /dev/null
+++ b/lib/dns/rdata/in_1/a_1.h
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef IN_1_A_1_H
+#define IN_1_A_1_H 1
+
+typedef struct dns_rdata_in_a {
+	dns_rdatacommon_t common;
+	struct in_addr in_addr;
+} dns_rdata_in_a_t;
+
+#endif /* IN_1_A_1_H */
diff --git a/lib/dns/rdata/in_1/aaaa_28.c b/lib/dns/rdata/in_1/aaaa_28.c
new file mode 100644
index 0000000..d60175a
--- /dev/null
+++ b/lib/dns/rdata/in_1/aaaa_28.c
@@ -0,0 +1,265 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC1886 */
+
+#ifndef RDATA_IN_1_AAAA_28_C
+#define RDATA_IN_1_AAAA_28_C
+
+#include <isc/net.h>
+
+#define RRTYPE_AAAA_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_in_aaaa(ARGS_FROMTEXT) {
+	isc_token_t token;
+	unsigned char addr[16];
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_aaaa);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	if (inet_pton(AF_INET6, DNS_AS_STR(token), addr) != 1) {
+		RETTOK(DNS_R_BADAAAA);
+	}
+	isc_buffer_availableregion(target, &region);
+	if (region.length < 16) {
+		return (ISC_R_NOSPACE);
+	}
+	memmove(region.base, addr, 16);
+	isc_buffer_add(target, 16);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+totext_in_aaaa(ARGS_TOTEXT) {
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_aaaa);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length == 16);
+
+	if ((tctx->flags & DNS_STYLEFLAG_EXPANDAAAA) != 0) {
+		char buf[5 * 8];
+		const char *sep = "";
+		int i, n;
+		unsigned int len = 0;
+
+		for (i = 0; i < 16; i += 2) {
+			INSIST(len < sizeof(buf));
+			n = snprintf(buf + len, sizeof(buf) - len, "%s%02x%02x",
+				     sep, rdata->data[i], rdata->data[i + 1]);
+			if (n < 0) {
+				return (ISC_R_FAILURE);
+			}
+			len += n;
+			sep = ":";
+		}
+		return (str_totext(buf, target));
+	}
+	dns_rdata_toregion(rdata, &region);
+	return (inet_totext(AF_INET6, tctx->flags, &region, target));
+}
+
+static isc_result_t
+fromwire_in_aaaa(ARGS_FROMWIRE) {
+	isc_region_t sregion;
+	isc_region_t tregion;
+
+	REQUIRE(type == dns_rdatatype_aaaa);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(dctx);
+	UNUSED(options);
+	UNUSED(rdclass);
+
+	isc_buffer_activeregion(source, &sregion);
+	isc_buffer_availableregion(target, &tregion);
+	if (sregion.length < 16) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	if (tregion.length < 16) {
+		return (ISC_R_NOSPACE);
+	}
+
+	memmove(tregion.base, sregion.base, 16);
+	isc_buffer_forward(source, 16);
+	isc_buffer_add(target, 16);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+towire_in_aaaa(ARGS_TOWIRE) {
+	isc_region_t region;
+
+	UNUSED(cctx);
+
+	REQUIRE(rdata->type == dns_rdatatype_aaaa);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length == 16);
+
+	isc_buffer_availableregion(target, &region);
+	if (region.length < rdata->length) {
+		return (ISC_R_NOSPACE);
+	}
+	memmove(region.base, rdata->data, rdata->length);
+	isc_buffer_add(target, 16);
+	return (ISC_R_SUCCESS);
+}
+
+static int
+compare_in_aaaa(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_aaaa);
+	REQUIRE(rdata1->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata1->length == 16);
+	REQUIRE(rdata2->length == 16);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+fromstruct_in_aaaa(ARGS_FROMSTRUCT) {
+	dns_rdata_in_aaaa_t *aaaa = source;
+
+	REQUIRE(type == dns_rdatatype_aaaa);
+	REQUIRE(rdclass == dns_rdataclass_in);
+	REQUIRE(aaaa != NULL);
+	REQUIRE(aaaa->common.rdtype == type);
+	REQUIRE(aaaa->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	return (mem_tobuffer(target, aaaa->in6_addr.s6_addr, 16));
+}
+
+static isc_result_t
+tostruct_in_aaaa(ARGS_TOSTRUCT) {
+	dns_rdata_in_aaaa_t *aaaa = target;
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_aaaa);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(aaaa != NULL);
+	REQUIRE(rdata->length == 16);
+
+	UNUSED(mctx);
+
+	aaaa->common.rdclass = rdata->rdclass;
+	aaaa->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&aaaa->common, link);
+
+	dns_rdata_toregion(rdata, &r);
+	INSIST(r.length == 16);
+	memmove(aaaa->in6_addr.s6_addr, r.base, 16);
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_in_aaaa(ARGS_FREESTRUCT) {
+	dns_rdata_in_aaaa_t *aaaa = source;
+
+	REQUIRE(aaaa != NULL);
+	REQUIRE(aaaa->common.rdclass == dns_rdataclass_in);
+	REQUIRE(aaaa->common.rdtype == dns_rdatatype_aaaa);
+
+	UNUSED(aaaa);
+}
+
+static isc_result_t
+additionaldata_in_aaaa(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_aaaa);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_in_aaaa(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_aaaa);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_in_aaaa(ARGS_CHECKOWNER) {
+	dns_name_t prefix, suffix;
+
+	REQUIRE(type == dns_rdatatype_aaaa);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	/*
+	 * Handle Active Directory gc._msdcs.<forest> name.
+	 */
+	if (dns_name_countlabels(name) > 2U) {
+		dns_name_init(&prefix, NULL);
+		dns_name_init(&suffix, NULL);
+		dns_name_split(name, dns_name_countlabels(name) - 2, &prefix,
+			       &suffix);
+		if (dns_name_equal(&gc_msdcs, &prefix) &&
+		    dns_name_ishostname(&suffix, false))
+		{
+			return (true);
+		}
+	}
+
+	return (dns_name_ishostname(name, wildcard));
+}
+
+static bool
+checknames_in_aaaa(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_aaaa);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_in_aaaa(ARGS_COMPARE) {
+	return (compare_in_aaaa(rdata1, rdata2));
+}
+#endif /* RDATA_IN_1_AAAA_28_C */
diff --git a/lib/dns/rdata/in_1/aaaa_28.h b/lib/dns/rdata/in_1/aaaa_28.h
new file mode 100644
index 0000000..b7310b2
--- /dev/null
+++ b/lib/dns/rdata/in_1/aaaa_28.h
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef IN_1_AAAA_28_H
+#define IN_1_AAAA_28_H 1
+
+/*!
+ *  \brief Per RFC1886 */
+
+typedef struct dns_rdata_in_aaaa {
+	dns_rdatacommon_t common;
+	struct in6_addr in6_addr;
+} dns_rdata_in_aaaa_t;
+
+#endif /* IN_1_AAAA_28_H */
diff --git a/lib/dns/rdata/in_1/apl_42.c b/lib/dns/rdata/in_1/apl_42.c
new file mode 100644
index 0000000..96372e0
--- /dev/null
+++ b/lib/dns/rdata/in_1/apl_42.c
@@ -0,0 +1,481 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC3123 */
+
+#ifndef RDATA_IN_1_APL_42_C
+#define RDATA_IN_1_APL_42_C
+
+#define RRTYPE_APL_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_in_apl(ARGS_FROMTEXT) {
+	isc_token_t token;
+	unsigned char addr[16];
+	unsigned long afi;
+	uint8_t prefix;
+	uint8_t len;
+	bool neg;
+	char *cp, *ap, *slash;
+	int n;
+
+	REQUIRE(type == dns_rdatatype_apl);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	do {
+		RETERR(isc_lex_getmastertoken(lexer, &token,
+					      isc_tokentype_string, true));
+		if (token.type != isc_tokentype_string) {
+			break;
+		}
+
+		cp = DNS_AS_STR(token);
+		neg = (*cp == '!');
+		if (neg) {
+			cp++;
+		}
+		afi = strtoul(cp, &ap, 10);
+		if (*ap++ != ':' || cp == ap) {
+			RETTOK(DNS_R_SYNTAX);
+		}
+		if (afi > 0xffffU) {
+			RETTOK(ISC_R_RANGE);
+		}
+		slash = strchr(ap, '/');
+		if (slash == NULL || slash == ap) {
+			RETTOK(DNS_R_SYNTAX);
+		}
+		RETTOK(isc_parse_uint8(&prefix, slash + 1, 10));
+		switch (afi) {
+		case 1:
+			*slash = '\0';
+			n = inet_pton(AF_INET, ap, addr);
+			*slash = '/';
+			if (n != 1) {
+				RETTOK(DNS_R_BADDOTTEDQUAD);
+			}
+			if (prefix > 32) {
+				RETTOK(ISC_R_RANGE);
+			}
+			for (len = 4; len > 0; len--) {
+				if (addr[len - 1] != 0) {
+					break;
+				}
+			}
+			break;
+
+		case 2:
+			*slash = '\0';
+			n = inet_pton(AF_INET6, ap, addr);
+			*slash = '/';
+			if (n != 1) {
+				RETTOK(DNS_R_BADAAAA);
+			}
+			if (prefix > 128) {
+				RETTOK(ISC_R_RANGE);
+			}
+			for (len = 16; len > 0; len--) {
+				if (addr[len - 1] != 0) {
+					break;
+				}
+			}
+			break;
+
+		default:
+			RETTOK(ISC_R_NOTIMPLEMENTED);
+		}
+		RETERR(uint16_tobuffer(afi, target));
+		RETERR(uint8_tobuffer(prefix, target));
+		RETERR(uint8_tobuffer(len | ((neg) ? 0x80 : 0), target));
+		RETERR(mem_tobuffer(target, addr, len));
+	} while (1);
+
+	/*
+	 * Let upper layer handle eol/eof.
+	 */
+	isc_lex_ungettoken(lexer, &token);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+totext_in_apl(ARGS_TOTEXT) {
+	isc_region_t sr;
+	isc_region_t ir;
+	uint16_t afi;
+	uint8_t prefix;
+	uint8_t len;
+	bool neg;
+	unsigned char buf[16];
+	char txt[sizeof(" !64000:")];
+	const char *sep = "";
+	int n;
+
+	REQUIRE(rdata->type == dns_rdatatype_apl);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	UNUSED(tctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	ir.base = buf;
+	ir.length = sizeof(buf);
+
+	while (sr.length > 0) {
+		INSIST(sr.length >= 4);
+		afi = uint16_fromregion(&sr);
+		isc_region_consume(&sr, 2);
+		prefix = *sr.base;
+		isc_region_consume(&sr, 1);
+		len = (*sr.base & 0x7f);
+		neg = (*sr.base & 0x80);
+		isc_region_consume(&sr, 1);
+		INSIST(len <= sr.length);
+		n = snprintf(txt, sizeof(txt), "%s%s%u:", sep, neg ? "!" : "",
+			     afi);
+		INSIST(n < (int)sizeof(txt));
+		RETERR(str_totext(txt, target));
+		switch (afi) {
+		case 1:
+			INSIST(len <= 4);
+			INSIST(prefix <= 32);
+			memset(buf, 0, sizeof(buf));
+			memmove(buf, sr.base, len);
+			RETERR(inet_totext(AF_INET, tctx->flags, &ir, target));
+			break;
+
+		case 2:
+			INSIST(len <= 16);
+			INSIST(prefix <= 128);
+			memset(buf, 0, sizeof(buf));
+			memmove(buf, sr.base, len);
+			RETERR(inet_totext(AF_INET6, tctx->flags, &ir, target));
+			break;
+
+		default:
+			return (ISC_R_NOTIMPLEMENTED);
+		}
+		n = snprintf(txt, sizeof(txt), "/%u", prefix);
+		INSIST(n < (int)sizeof(txt));
+		RETERR(str_totext(txt, target));
+		isc_region_consume(&sr, len);
+		sep = " ";
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+fromwire_in_apl(ARGS_FROMWIRE) {
+	isc_region_t sr, sr2;
+	isc_region_t tr;
+	uint16_t afi;
+	uint8_t prefix;
+	uint8_t len;
+
+	REQUIRE(type == dns_rdatatype_apl);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(dctx);
+	UNUSED(rdclass);
+	UNUSED(options);
+
+	isc_buffer_activeregion(source, &sr);
+	isc_buffer_availableregion(target, &tr);
+	if (sr.length > tr.length) {
+		return (ISC_R_NOSPACE);
+	}
+	sr2 = sr;
+
+	/* Zero or more items */
+	while (sr.length > 0) {
+		if (sr.length < 4) {
+			return (ISC_R_UNEXPECTEDEND);
+		}
+		afi = uint16_fromregion(&sr);
+		isc_region_consume(&sr, 2);
+		prefix = *sr.base;
+		isc_region_consume(&sr, 1);
+		len = (*sr.base & 0x7f);
+		isc_region_consume(&sr, 1);
+		if (len > sr.length) {
+			return (ISC_R_UNEXPECTEDEND);
+		}
+		switch (afi) {
+		case 1:
+			if (prefix > 32 || len > 4) {
+				return (ISC_R_RANGE);
+			}
+			break;
+		case 2:
+			if (prefix > 128 || len > 16) {
+				return (ISC_R_RANGE);
+			}
+		}
+		if (len > 0 && sr.base[len - 1] == 0) {
+			return (DNS_R_FORMERR);
+		}
+		isc_region_consume(&sr, len);
+	}
+	isc_buffer_forward(source, sr2.length);
+	return (mem_tobuffer(target, sr2.base, sr2.length));
+}
+
+static isc_result_t
+towire_in_apl(ARGS_TOWIRE) {
+	UNUSED(cctx);
+
+	REQUIRE(rdata->type == dns_rdatatype_apl);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static int
+compare_in_apl(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_apl);
+	REQUIRE(rdata1->rdclass == dns_rdataclass_in);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+fromstruct_in_apl(ARGS_FROMSTRUCT) {
+	dns_rdata_in_apl_t *apl = source;
+	isc_buffer_t b;
+
+	REQUIRE(type == dns_rdatatype_apl);
+	REQUIRE(rdclass == dns_rdataclass_in);
+	REQUIRE(apl != NULL);
+	REQUIRE(apl->common.rdtype == type);
+	REQUIRE(apl->common.rdclass == rdclass);
+	REQUIRE(apl->apl != NULL || apl->apl_len == 0);
+
+	isc_buffer_init(&b, apl->apl, apl->apl_len);
+	isc_buffer_add(&b, apl->apl_len);
+	isc_buffer_setactive(&b, apl->apl_len);
+	return (fromwire_in_apl(rdclass, type, &b, NULL, false, target));
+}
+
+static isc_result_t
+tostruct_in_apl(ARGS_TOSTRUCT) {
+	dns_rdata_in_apl_t *apl = target;
+	isc_region_t r;
+
+	REQUIRE(apl != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_apl);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	apl->common.rdclass = rdata->rdclass;
+	apl->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&apl->common, link);
+
+	dns_rdata_toregion(rdata, &r);
+	apl->apl_len = r.length;
+	apl->apl = mem_maybedup(mctx, r.base, r.length);
+	if (apl->apl == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	apl->offset = 0;
+	apl->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_in_apl(ARGS_FREESTRUCT) {
+	dns_rdata_in_apl_t *apl = source;
+
+	REQUIRE(apl != NULL);
+	REQUIRE(apl->common.rdtype == dns_rdatatype_apl);
+	REQUIRE(apl->common.rdclass == dns_rdataclass_in);
+
+	if (apl->mctx == NULL) {
+		return;
+	}
+	if (apl->apl != NULL) {
+		isc_mem_free(apl->mctx, apl->apl);
+	}
+	apl->mctx = NULL;
+}
+
+isc_result_t
+dns_rdata_apl_first(dns_rdata_in_apl_t *apl) {
+	uint32_t length;
+
+	REQUIRE(apl != NULL);
+	REQUIRE(apl->common.rdtype == dns_rdatatype_apl);
+	REQUIRE(apl->common.rdclass == dns_rdataclass_in);
+	REQUIRE(apl->apl != NULL || apl->apl_len == 0);
+
+	/*
+	 * If no APL return ISC_R_NOMORE.
+	 */
+	if (apl->apl == NULL) {
+		return (ISC_R_NOMORE);
+	}
+
+	/*
+	 * Sanity check data.
+	 */
+	INSIST(apl->apl_len > 3U);
+	length = apl->apl[apl->offset + 3] & 0x7f;
+	INSIST(4 + length <= apl->apl_len);
+
+	apl->offset = 0;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_rdata_apl_next(dns_rdata_in_apl_t *apl) {
+	uint32_t length;
+
+	REQUIRE(apl != NULL);
+	REQUIRE(apl->common.rdtype == dns_rdatatype_apl);
+	REQUIRE(apl->common.rdclass == dns_rdataclass_in);
+	REQUIRE(apl->apl != NULL || apl->apl_len == 0);
+
+	/*
+	 * No APL or have already reached the end return ISC_R_NOMORE.
+	 */
+	if (apl->apl == NULL || apl->offset == apl->apl_len) {
+		return (ISC_R_NOMORE);
+	}
+
+	/*
+	 * Sanity check data.
+	 */
+	INSIST(apl->offset < apl->apl_len);
+	INSIST(apl->apl_len > 3U);
+	INSIST(apl->offset <= apl->apl_len - 4U);
+	length = apl->apl[apl->offset + 3] & 0x7f;
+	/*
+	 * 16 to 32 bits promotion as 'length' is 32 bits so there is
+	 * no overflow problems.
+	 */
+	INSIST(4 + length + apl->offset <= apl->apl_len);
+
+	apl->offset += 4 + length;
+	return ((apl->offset < apl->apl_len) ? ISC_R_SUCCESS : ISC_R_NOMORE);
+}
+
+isc_result_t
+dns_rdata_apl_current(dns_rdata_in_apl_t *apl, dns_rdata_apl_ent_t *ent) {
+	uint32_t length;
+
+	REQUIRE(apl != NULL);
+	REQUIRE(apl->common.rdtype == dns_rdatatype_apl);
+	REQUIRE(apl->common.rdclass == dns_rdataclass_in);
+	REQUIRE(ent != NULL);
+	REQUIRE(apl->apl != NULL || apl->apl_len == 0);
+	REQUIRE(apl->offset <= apl->apl_len);
+
+	if (apl->offset == apl->apl_len) {
+		return (ISC_R_NOMORE);
+	}
+
+	/*
+	 * Sanity check data.
+	 */
+	INSIST(apl->apl_len > 3U);
+	INSIST(apl->offset <= apl->apl_len - 4U);
+	length = (apl->apl[apl->offset + 3] & 0x7f);
+	/*
+	 * 16 to 32 bits promotion as 'length' is 32 bits so there is
+	 * no overflow problems.
+	 */
+	INSIST(4 + length + apl->offset <= apl->apl_len);
+
+	ent->family = (apl->apl[apl->offset] << 8) + apl->apl[apl->offset + 1];
+	ent->prefix = apl->apl[apl->offset + 2];
+	ent->length = length;
+	ent->negative = (apl->apl[apl->offset + 3] & 0x80);
+	if (ent->length != 0) {
+		ent->data = &apl->apl[apl->offset + 4];
+	} else {
+		ent->data = NULL;
+	}
+	return (ISC_R_SUCCESS);
+}
+
+unsigned int
+dns_rdata_apl_count(const dns_rdata_in_apl_t *apl) {
+	return (apl->apl_len);
+}
+
+static isc_result_t
+additionaldata_in_apl(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_apl);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	(void)add;
+	(void)arg;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_in_apl(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_apl);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_in_apl(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_apl);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_in_apl(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_apl);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_in_apl(ARGS_COMPARE) {
+	return (compare_in_apl(rdata1, rdata2));
+}
+
+#endif /* RDATA_IN_1_APL_42_C */
diff --git a/lib/dns/rdata/in_1/apl_42.h b/lib/dns/rdata/in_1/apl_42.h
new file mode 100644
index 0000000..603fd3e
--- /dev/null
+++ b/lib/dns/rdata/in_1/apl_42.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef IN_1_APL_42_H
+#define IN_1_APL_42_H 1
+
+typedef struct dns_rdata_apl_ent {
+	bool negative;
+	uint16_t family;
+	uint8_t prefix;
+	uint8_t length;
+	unsigned char *data;
+} dns_rdata_apl_ent_t;
+
+typedef struct dns_rdata_in_apl {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	/* type & class specific elements */
+	unsigned char *apl;
+	uint16_t apl_len;
+	/* private */
+	uint16_t offset;
+} dns_rdata_in_apl_t;
+
+/*
+ * ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS are already done
+ * via rdatastructpre.h and rdatastructsuf.h.
+ */
+
+isc_result_t
+dns_rdata_apl_first(dns_rdata_in_apl_t *);
+
+isc_result_t
+dns_rdata_apl_next(dns_rdata_in_apl_t *);
+
+isc_result_t
+dns_rdata_apl_current(dns_rdata_in_apl_t *, dns_rdata_apl_ent_t *);
+
+unsigned int
+dns_rdata_apl_count(const dns_rdata_in_apl_t *apl);
+
+#endif /* IN_1_APL_42_H */
diff --git a/lib/dns/rdata/in_1/atma_34.c b/lib/dns/rdata/in_1/atma_34.c
new file mode 100644
index 0000000..c00defd
--- /dev/null
+++ b/lib/dns/rdata/in_1/atma_34.c
@@ -0,0 +1,317 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* http://www.broadband-forum.org/ftp/pub/approved-specs/af-dans-0152.000.pdf */
+
+#ifndef RDATA_IN_1_ATMA_22_C
+#define RDATA_IN_1_ATMA_22_C
+
+#define RRTYPE_ATMA_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_in_atma(ARGS_FROMTEXT) {
+	isc_token_t token;
+	isc_textregion_t *sr;
+	int n;
+	bool valid = false;
+	bool lastwasperiod = true; /* leading periods not allowed */
+	int digits = 0;
+	unsigned char c = 0;
+
+	REQUIRE(type == dns_rdatatype_atma);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	/* ATM End System Address (AESA) format or E.164 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	sr = &token.value.as_textregion;
+	if (sr->length < 1) {
+		RETTOK(ISC_R_UNEXPECTEDEND);
+	}
+
+	if (sr->base[0] != '+') {
+		/*
+		 * Format 0: ATM End System Address (AESA) format.
+		 */
+		c = 0;
+		RETERR(mem_tobuffer(target, &c, 1));
+		while (sr->length > 0) {
+			if (sr->base[0] == '.') {
+				if (lastwasperiod) {
+					RETTOK(DNS_R_SYNTAX);
+				}
+				isc_textregion_consume(sr, 1);
+				lastwasperiod = true;
+				continue;
+			}
+			if ((n = hexvalue(sr->base[0])) == -1) {
+				RETTOK(DNS_R_SYNTAX);
+			}
+			c <<= 4;
+			c += n;
+			if (++digits == 2) {
+				RETERR(mem_tobuffer(target, &c, 1));
+				valid = true;
+				digits = 0;
+				c = 0;
+			}
+			isc_textregion_consume(sr, 1);
+			lastwasperiod = false;
+		}
+		if (digits != 0 || !valid || lastwasperiod) {
+			RETTOK(ISC_R_UNEXPECTEDEND);
+		}
+	} else {
+		/*
+		 * Format 1:  E.164.
+		 */
+		c = 1;
+		RETERR(mem_tobuffer(target, &c, 1));
+		isc_textregion_consume(sr, 1);
+		while (sr->length > 0) {
+			if (sr->base[0] == '.') {
+				if (lastwasperiod) {
+					RETTOK(DNS_R_SYNTAX);
+				}
+				isc_textregion_consume(sr, 1);
+				lastwasperiod = true;
+				continue;
+			}
+			if (!isdigit((unsigned char)sr->base[0])) {
+				RETTOK(DNS_R_SYNTAX);
+			}
+			RETERR(mem_tobuffer(target, sr->base, 1));
+			isc_textregion_consume(sr, 1);
+			lastwasperiod = false;
+		}
+		if (lastwasperiod) {
+			RETTOK(ISC_R_UNEXPECTEDEND);
+		}
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+totext_in_atma(ARGS_TOTEXT) {
+	isc_region_t region;
+	char buf[sizeof("xx")];
+
+	REQUIRE(rdata->type == dns_rdatatype_atma);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(tctx);
+
+	dns_rdata_toregion(rdata, &region);
+	INSIST(region.length > 1);
+	switch (region.base[0]) {
+	case 0:
+		isc_region_consume(&region, 1);
+		while (region.length != 0) {
+			snprintf(buf, sizeof(buf), "%02x", region.base[0]);
+			isc_region_consume(&region, 1);
+			RETERR(str_totext(buf, target));
+		}
+		break;
+	case 1:
+		RETERR(str_totext("+", target));
+		isc_region_consume(&region, 1);
+		RETERR(mem_tobuffer(target, region.base, region.length));
+		break;
+	default:
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+fromwire_in_atma(ARGS_FROMWIRE) {
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_atma);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(dctx);
+	UNUSED(options);
+	UNUSED(rdclass);
+
+	isc_buffer_activeregion(source, &region);
+	if (region.length < 2) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	if (region.base[0] == 1) {
+		unsigned int i;
+		for (i = 1; i < region.length; i++) {
+			if (!isdigit((unsigned char)region.base[i])) {
+				return (DNS_R_FORMERR);
+			}
+		}
+	}
+	RETERR(mem_tobuffer(target, region.base, region.length));
+	isc_buffer_forward(source, region.length);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+towire_in_atma(ARGS_TOWIRE) {
+	REQUIRE(rdata->type == dns_rdatatype_atma);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static int
+compare_in_atma(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_atma);
+	REQUIRE(rdata1->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+fromstruct_in_atma(ARGS_FROMSTRUCT) {
+	dns_rdata_in_atma_t *atma = source;
+
+	REQUIRE(type == dns_rdatatype_atma);
+	REQUIRE(rdclass == dns_rdataclass_in);
+	REQUIRE(atma != NULL);
+	REQUIRE(atma->common.rdtype == type);
+	REQUIRE(atma->common.rdclass == rdclass);
+	REQUIRE(atma->atma != NULL || atma->atma_len == 0);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(mem_tobuffer(target, &atma->format, 1));
+	return (mem_tobuffer(target, atma->atma, atma->atma_len));
+}
+
+static isc_result_t
+tostruct_in_atma(ARGS_TOSTRUCT) {
+	dns_rdata_in_atma_t *atma = target;
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_atma);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(atma != NULL);
+	REQUIRE(rdata->length != 0);
+
+	atma->common.rdclass = rdata->rdclass;
+	atma->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&atma->common, link);
+
+	dns_rdata_toregion(rdata, &r);
+	atma->format = r.base[0];
+	isc_region_consume(&r, 1);
+	atma->atma_len = r.length;
+	atma->atma = mem_maybedup(mctx, r.base, r.length);
+	if (atma->atma == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	atma->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_in_atma(ARGS_FREESTRUCT) {
+	dns_rdata_in_atma_t *atma = source;
+
+	REQUIRE(atma != NULL);
+	REQUIRE(atma->common.rdclass == dns_rdataclass_in);
+	REQUIRE(atma->common.rdtype == dns_rdatatype_atma);
+
+	if (atma->mctx == NULL) {
+		return;
+	}
+
+	if (atma->atma != NULL) {
+		isc_mem_free(atma->mctx, atma->atma);
+	}
+	atma->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_in_atma(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_atma);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_in_atma(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_atma);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_in_atma(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_atma);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_in_atma(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_atma);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_in_atma(ARGS_COMPARE) {
+	return (compare_in_atma(rdata1, rdata2));
+}
+
+#endif /* RDATA_IN_1_atma_22_C */
diff --git a/lib/dns/rdata/in_1/atma_34.h b/lib/dns/rdata/in_1/atma_34.h
new file mode 100644
index 0000000..abb5457
--- /dev/null
+++ b/lib/dns/rdata/in_1/atma_34.h
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef IN_1_ATMA_22_H
+#define IN_1_ATMA_22_H 1
+
+/*!
+ *  \brief Per RFC1706 */
+
+typedef struct dns_rdata_in_atma {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	unsigned char format;
+	unsigned char *atma;
+	uint16_t atma_len;
+} dns_rdata_in_atma_t;
+
+#endif /* IN_1_ATMA_22_H */
diff --git a/lib/dns/rdata/in_1/dhcid_49.c b/lib/dns/rdata/in_1/dhcid_49.c
new file mode 100644
index 0000000..7d36d50
--- /dev/null
+++ b/lib/dns/rdata/in_1/dhcid_49.c
@@ -0,0 +1,235 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC 4701 */
+
+#ifndef RDATA_IN_1_DHCID_49_C
+#define RDATA_IN_1_DHCID_49_C 1
+
+#define RRTYPE_DHCID_ATTRIBUTES 0
+
+static isc_result_t
+fromtext_in_dhcid(ARGS_FROMTEXT) {
+	REQUIRE(type == dns_rdatatype_dhcid);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	return (isc_base64_tobuffer(lexer, target, -2));
+}
+
+static isc_result_t
+totext_in_dhcid(ARGS_TOTEXT) {
+	isc_region_t sr, sr2;
+	/* " ; 64000 255 64000" */
+	char buf[5 + 3 * 11 + 1];
+
+	REQUIRE(rdata->type == dns_rdatatype_dhcid);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length != 0);
+
+	dns_rdata_toregion(rdata, &sr);
+	sr2 = sr;
+
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+		RETERR(str_totext("( " /*)*/, target));
+	}
+	if (tctx->width == 0) { /* No splitting */
+		RETERR(isc_base64_totext(&sr, 60, "", target));
+	} else {
+		RETERR(isc_base64_totext(&sr, tctx->width - 2, tctx->linebreak,
+					 target));
+	}
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+		RETERR(str_totext(/* ( */ " )", target));
+		if (rdata->length > 2) {
+			snprintf(buf, sizeof(buf), " ; %u %u %u",
+				 sr2.base[0] * 256U + sr2.base[1], sr2.base[2],
+				 rdata->length - 3U);
+			RETERR(str_totext(buf, target));
+		}
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+fromwire_in_dhcid(ARGS_FROMWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(type == dns_rdatatype_dhcid);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+	UNUSED(options);
+
+	isc_buffer_activeregion(source, &sr);
+	if (sr.length == 0) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	isc_buffer_forward(source, sr.length);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static isc_result_t
+towire_in_dhcid(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_dhcid);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static int
+compare_in_dhcid(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_dhcid);
+	REQUIRE(rdata1->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+fromstruct_in_dhcid(ARGS_FROMSTRUCT) {
+	dns_rdata_in_dhcid_t *dhcid = source;
+
+	REQUIRE(type == dns_rdatatype_dhcid);
+	REQUIRE(rdclass == dns_rdataclass_in);
+	REQUIRE(dhcid != NULL);
+	REQUIRE(dhcid->common.rdtype == type);
+	REQUIRE(dhcid->common.rdclass == rdclass);
+	REQUIRE(dhcid->length != 0);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	return (mem_tobuffer(target, dhcid->dhcid, dhcid->length));
+}
+
+static isc_result_t
+tostruct_in_dhcid(ARGS_TOSTRUCT) {
+	dns_rdata_in_dhcid_t *dhcid = target;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_dhcid);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(dhcid != NULL);
+	REQUIRE(rdata->length != 0);
+
+	dhcid->common.rdclass = rdata->rdclass;
+	dhcid->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&dhcid->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+
+	dhcid->dhcid = mem_maybedup(mctx, region.base, region.length);
+	if (dhcid->dhcid == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	dhcid->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_in_dhcid(ARGS_FREESTRUCT) {
+	dns_rdata_in_dhcid_t *dhcid = source;
+
+	REQUIRE(dhcid != NULL);
+	REQUIRE(dhcid->common.rdtype == dns_rdatatype_dhcid);
+	REQUIRE(dhcid->common.rdclass == dns_rdataclass_in);
+
+	if (dhcid->mctx == NULL) {
+		return;
+	}
+
+	if (dhcid->dhcid != NULL) {
+		isc_mem_free(dhcid->mctx, dhcid->dhcid);
+	}
+	dhcid->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_in_dhcid(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_dhcid);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_in_dhcid(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_dhcid);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_in_dhcid(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_dhcid);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_in_dhcid(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_dhcid);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_in_dhcid(ARGS_COMPARE) {
+	return (compare_in_dhcid(rdata1, rdata2));
+}
+
+#endif /* RDATA_IN_1_DHCID_49_C */
diff --git a/lib/dns/rdata/in_1/dhcid_49.h b/lib/dns/rdata/in_1/dhcid_49.h
new file mode 100644
index 0000000..071ea41
--- /dev/null
+++ b/lib/dns/rdata/in_1/dhcid_49.h
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef IN_1_DHCID_49_H
+#define IN_1_DHCID_49_H 1
+
+typedef struct dns_rdata_in_dhcid {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	unsigned char *dhcid;
+	unsigned int length;
+} dns_rdata_in_dhcid_t;
+
+#endif /* IN_1_DHCID_49_H */
diff --git a/lib/dns/rdata/in_1/eid_31.c b/lib/dns/rdata/in_1/eid_31.c
new file mode 100644
index 0000000..104837c
--- /dev/null
+++ b/lib/dns/rdata/in_1/eid_31.c
@@ -0,0 +1,224 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* http://ana-3.lcs.mit.edu/~jnc/nimrod/dns.txt */
+
+#ifndef RDATA_IN_1_EID_31_C
+#define RDATA_IN_1_EID_31_C
+
+#define RRTYPE_EID_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_in_eid(ARGS_FROMTEXT) {
+	REQUIRE(type == dns_rdatatype_eid);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	return (isc_hex_tobuffer(lexer, target, -2));
+}
+
+static isc_result_t
+totext_in_eid(ARGS_TOTEXT) {
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_eid);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length != 0);
+
+	dns_rdata_toregion(rdata, &region);
+
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+		RETERR(str_totext("( ", target));
+	}
+	if (tctx->width == 0) {
+		RETERR(isc_hex_totext(&region, 60, "", target));
+	} else {
+		RETERR(isc_hex_totext(&region, tctx->width - 2, tctx->linebreak,
+				      target));
+	}
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+		RETERR(str_totext(" )", target));
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+fromwire_in_eid(ARGS_FROMWIRE) {
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_eid);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(dctx);
+	UNUSED(options);
+	UNUSED(rdclass);
+
+	isc_buffer_activeregion(source, &region);
+	if (region.length < 1) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	RETERR(mem_tobuffer(target, region.base, region.length));
+	isc_buffer_forward(source, region.length);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+towire_in_eid(ARGS_TOWIRE) {
+	REQUIRE(rdata->type == dns_rdatatype_eid);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static int
+compare_in_eid(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_eid);
+	REQUIRE(rdata1->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+fromstruct_in_eid(ARGS_FROMSTRUCT) {
+	dns_rdata_in_eid_t *eid = source;
+
+	REQUIRE(type == dns_rdatatype_eid);
+	REQUIRE(rdclass == dns_rdataclass_in);
+	REQUIRE(eid != NULL);
+	REQUIRE(eid->common.rdtype == type);
+	REQUIRE(eid->common.rdclass == rdclass);
+	REQUIRE(eid->eid != NULL || eid->eid_len == 0);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	return (mem_tobuffer(target, eid->eid, eid->eid_len));
+}
+
+static isc_result_t
+tostruct_in_eid(ARGS_TOSTRUCT) {
+	dns_rdata_in_eid_t *eid = target;
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_eid);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(eid != NULL);
+	REQUIRE(rdata->length != 0);
+
+	eid->common.rdclass = rdata->rdclass;
+	eid->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&eid->common, link);
+
+	dns_rdata_toregion(rdata, &r);
+	eid->eid_len = r.length;
+	eid->eid = mem_maybedup(mctx, r.base, r.length);
+	if (eid->eid == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	eid->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_in_eid(ARGS_FREESTRUCT) {
+	dns_rdata_in_eid_t *eid = source;
+
+	REQUIRE(eid != NULL);
+	REQUIRE(eid->common.rdclass == dns_rdataclass_in);
+	REQUIRE(eid->common.rdtype == dns_rdatatype_eid);
+
+	if (eid->mctx == NULL) {
+		return;
+	}
+
+	if (eid->eid != NULL) {
+		isc_mem_free(eid->mctx, eid->eid);
+	}
+	eid->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_in_eid(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_eid);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_in_eid(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_eid);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_in_eid(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_eid);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_in_eid(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_eid);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_in_eid(ARGS_COMPARE) {
+	return (compare_in_eid(rdata1, rdata2));
+}
+
+#endif /* RDATA_IN_1_EID_31_C */
diff --git a/lib/dns/rdata/in_1/eid_31.h b/lib/dns/rdata/in_1/eid_31.h
new file mode 100644
index 0000000..879bcf5
--- /dev/null
+++ b/lib/dns/rdata/in_1/eid_31.h
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef IN_1_EID_31_H
+#define IN_1_EID_31_H 1
+
+/*!
+ *  \brief http://ana-3.lcs.mit.edu/~jnc/nimrod/dns.txt
+ */
+
+typedef struct dns_rdata_in_eid {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	unsigned char *eid;
+	uint16_t eid_len;
+} dns_rdata_in_eid_t;
+
+#endif /* IN_1_EID_31_H */
diff --git a/lib/dns/rdata/in_1/https_65.c b/lib/dns/rdata/in_1/https_65.c
new file mode 100644
index 0000000..0581645
--- /dev/null
+++ b/lib/dns/rdata/in_1/https_65.c
@@ -0,0 +1,186 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* draft-ietf-dnsop-svcb-https-02 */
+
+#ifndef RDATA_IN_1_HTTPS_65_C
+#define RDATA_IN_1_HTTPS_65_C
+
+#define RRTYPE_HTTPS_ATTRIBUTES 0
+
+/*
+ * Most of these functions refer to equivalent functions for SVCB,
+ * since wire and presentation formats are identical.
+ */
+
+static isc_result_t
+fromtext_in_https(ARGS_FROMTEXT) {
+	REQUIRE(type == dns_rdatatype_https);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	return (generic_fromtext_in_svcb(CALL_FROMTEXT));
+}
+
+static isc_result_t
+totext_in_https(ARGS_TOTEXT) {
+	REQUIRE(rdata->type == dns_rdatatype_https);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length != 0);
+
+	return (generic_totext_in_svcb(CALL_TOTEXT));
+}
+
+static isc_result_t
+fromwire_in_https(ARGS_FROMWIRE) {
+	REQUIRE(type == dns_rdatatype_https);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	return (generic_fromwire_in_svcb(CALL_FROMWIRE));
+}
+
+static isc_result_t
+towire_in_https(ARGS_TOWIRE) {
+	REQUIRE(rdata->type == dns_rdatatype_https);
+	REQUIRE(rdata->length != 0);
+
+	return (generic_towire_in_svcb(CALL_TOWIRE));
+}
+
+static int
+compare_in_https(ARGS_COMPARE) {
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_https);
+	REQUIRE(rdata1->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	return (isc_region_compare(&region1, &region2));
+}
+
+static isc_result_t
+fromstruct_in_https(ARGS_FROMSTRUCT) {
+	dns_rdata_in_https_t *https = source;
+
+	REQUIRE(type == dns_rdatatype_https);
+	REQUIRE(rdclass == dns_rdataclass_in);
+	REQUIRE(https != NULL);
+	REQUIRE(https->common.rdtype == type);
+	REQUIRE(https->common.rdclass == rdclass);
+
+	return (generic_fromstruct_in_svcb(CALL_FROMSTRUCT));
+}
+
+static isc_result_t
+tostruct_in_https(ARGS_TOSTRUCT) {
+	dns_rdata_in_https_t *https = target;
+
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->type == dns_rdatatype_https);
+	REQUIRE(https != NULL);
+	REQUIRE(rdata->length != 0);
+
+	return (generic_tostruct_in_svcb(CALL_TOSTRUCT));
+}
+
+static void
+freestruct_in_https(ARGS_FREESTRUCT) {
+	dns_rdata_in_https_t *https = source;
+
+	REQUIRE(https != NULL);
+	REQUIRE(https->common.rdclass == dns_rdataclass_in);
+	REQUIRE(https->common.rdtype == dns_rdatatype_https);
+
+	generic_freestruct_in_svcb(CALL_FREESTRUCT);
+}
+
+static isc_result_t
+additionaldata_in_https(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_https);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	return (generic_additionaldata_in_svcb(CALL_ADDLDATA));
+}
+
+static isc_result_t
+digest_in_https(ARGS_DIGEST) {
+	isc_region_t region1;
+
+	REQUIRE(rdata->type == dns_rdatatype_https);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	dns_rdata_toregion(rdata, &region1);
+	return ((digest)(arg, &region1));
+}
+
+static bool
+checkowner_in_https(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_https);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_in_https(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_https);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	return (generic_checknames_in_svcb(CALL_CHECKNAMES));
+}
+
+static int
+casecompare_in_https(ARGS_COMPARE) {
+	return (compare_in_https(rdata1, rdata2));
+}
+
+isc_result_t
+dns_rdata_in_https_first(dns_rdata_in_https_t *https) {
+	REQUIRE(https != NULL);
+	REQUIRE(https->common.rdtype == dns_rdatatype_https);
+	REQUIRE(https->common.rdclass == dns_rdataclass_in);
+
+	return (generic_rdata_in_svcb_first(https));
+}
+
+isc_result_t
+dns_rdata_in_https_next(dns_rdata_in_https_t *https) {
+	REQUIRE(https != NULL);
+	REQUIRE(https->common.rdtype == dns_rdatatype_https);
+	REQUIRE(https->common.rdclass == dns_rdataclass_in);
+
+	return (generic_rdata_in_svcb_next(https));
+}
+
+void
+dns_rdata_in_https_current(dns_rdata_in_https_t *https, isc_region_t *region) {
+	REQUIRE(https != NULL);
+	REQUIRE(https->common.rdtype == dns_rdatatype_https);
+	REQUIRE(https->common.rdclass == dns_rdataclass_in);
+	REQUIRE(region != NULL);
+
+	generic_rdata_in_svcb_current(https, region);
+}
+
+#endif /* RDATA_IN_1_HTTPS_65_C */
diff --git a/lib/dns/rdata/in_1/https_65.h b/lib/dns/rdata/in_1/https_65.h
new file mode 100644
index 0000000..a5967a3
--- /dev/null
+++ b/lib/dns/rdata/in_1/https_65.h
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef IN_1_HTTPS_65_H
+#define IN_1_HTTPS_65_H 1
+
+/*!
+ *  \brief Per draft-ietf-dnsop-svcb-https-02
+ */
+
+/*
+ * Wire and presentation formats for HTTPS are identical to SVCB.
+ */
+typedef struct dns_rdata_in_svcb dns_rdata_in_https_t;
+
+isc_result_t
+dns_rdata_in_https_first(dns_rdata_in_https_t *);
+
+isc_result_t
+dns_rdata_in_https_next(dns_rdata_in_https_t *);
+
+void
+dns_rdata_in_https_current(dns_rdata_in_https_t *, isc_region_t *);
+
+#endif /* IN_1_HTTPS_65_H */
diff --git a/lib/dns/rdata/in_1/kx_36.c b/lib/dns/rdata/in_1/kx_36.c
new file mode 100644
index 0000000..508def3
--- /dev/null
+++ b/lib/dns/rdata/in_1/kx_36.c
@@ -0,0 +1,289 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC2230 */
+
+#ifndef RDATA_IN_1_KX_36_C
+#define RDATA_IN_1_KX_36_C
+
+#define RRTYPE_KX_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_in_kx(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+
+	REQUIRE(type == dns_rdatatype_kx);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL) {
+		origin = dns_rootname;
+	}
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+totext_in_kx(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+	char buf[sizeof("64000")];
+	unsigned short num;
+
+	REQUIRE(rdata->type == dns_rdatatype_kx);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+
+	dns_rdata_toregion(rdata, &region);
+	num = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	snprintf(buf, sizeof(buf), "%u", num);
+	RETERR(str_totext(buf, target));
+
+	RETERR(str_totext(" ", target));
+
+	dns_name_fromregion(&name, &region);
+	sub = name_prefix(&name, tctx->origin, &prefix);
+	return (dns_name_totext(&prefix, sub, target));
+}
+
+static isc_result_t
+fromwire_in_kx(ARGS_FROMWIRE) {
+	dns_name_t name;
+	isc_region_t sregion;
+
+	REQUIRE(type == dns_rdatatype_kx);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+	dns_name_init(&name, NULL);
+
+	isc_buffer_activeregion(source, &sregion);
+	if (sregion.length < 2) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	RETERR(mem_tobuffer(target, sregion.base, 2));
+	isc_buffer_forward(source, 2);
+	return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static isc_result_t
+towire_in_kx(ARGS_TOWIRE) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_kx);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+	dns_rdata_toregion(rdata, &region);
+	RETERR(mem_tobuffer(target, region.base, 2));
+	isc_region_consume(&region, 2);
+
+	dns_name_init(&name, offsets);
+	dns_name_fromregion(&name, &region);
+
+	return (dns_name_towire(&name, cctx, target));
+}
+
+static int
+compare_in_kx(ARGS_COMPARE) {
+	dns_name_t name1;
+	dns_name_t name2;
+	isc_region_t region1;
+	isc_region_t region2;
+	int order;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_kx);
+	REQUIRE(rdata1->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	order = memcmp(rdata1->data, rdata2->data, 2);
+	if (order != 0) {
+		return (order < 0 ? -1 : 1);
+	}
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	isc_region_consume(&region1, 2);
+	isc_region_consume(&region2, 2);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static isc_result_t
+fromstruct_in_kx(ARGS_FROMSTRUCT) {
+	dns_rdata_in_kx_t *kx = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_kx);
+	REQUIRE(rdclass == dns_rdataclass_in);
+	REQUIRE(kx != NULL);
+	REQUIRE(kx->common.rdtype == type);
+	REQUIRE(kx->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint16_tobuffer(kx->preference, target));
+	dns_name_toregion(&kx->exchange, &region);
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static isc_result_t
+tostruct_in_kx(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_in_kx_t *kx = target;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_kx);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(kx != NULL);
+	REQUIRE(rdata->length != 0);
+
+	kx->common.rdclass = rdata->rdclass;
+	kx->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&kx->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+
+	kx->preference = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&kx->exchange, NULL);
+	RETERR(name_duporclone(&name, mctx, &kx->exchange));
+	kx->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_in_kx(ARGS_FREESTRUCT) {
+	dns_rdata_in_kx_t *kx = source;
+
+	REQUIRE(kx != NULL);
+	REQUIRE(kx->common.rdclass == dns_rdataclass_in);
+	REQUIRE(kx->common.rdtype == dns_rdatatype_kx);
+
+	if (kx->mctx == NULL) {
+		return;
+	}
+
+	dns_name_free(&kx->exchange, kx->mctx);
+	kx->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_in_kx(ARGS_ADDLDATA) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_kx);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &region);
+	isc_region_consume(&region, 2);
+	dns_name_fromregion(&name, &region);
+
+	return ((add)(arg, &name, dns_rdatatype_a));
+}
+
+static isc_result_t
+digest_in_kx(ARGS_DIGEST) {
+	isc_region_t r1, r2;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_kx);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	dns_rdata_toregion(rdata, &r1);
+	r2 = r1;
+	isc_region_consume(&r2, 2);
+	r1.length = 2;
+	RETERR((digest)(arg, &r1));
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r2);
+	return (dns_name_digest(&name, digest, arg));
+}
+
+static bool
+checkowner_in_kx(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_kx);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_in_kx(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_kx);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_in_kx(ARGS_COMPARE) {
+	return (compare_in_kx(rdata1, rdata2));
+}
+
+#endif /* RDATA_IN_1_KX_36_C */
diff --git a/lib/dns/rdata/in_1/kx_36.h b/lib/dns/rdata/in_1/kx_36.h
new file mode 100644
index 0000000..b71aadc
--- /dev/null
+++ b/lib/dns/rdata/in_1/kx_36.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef IN_1_KX_36_H
+#define IN_1_KX_36_H 1
+
+/*!
+ *  \brief Per RFC2230 */
+
+typedef struct dns_rdata_in_kx {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	uint16_t preference;
+	dns_name_t exchange;
+} dns_rdata_in_kx_t;
+
+#endif /* IN_1_KX_36_H */
diff --git a/lib/dns/rdata/in_1/nimloc_32.c b/lib/dns/rdata/in_1/nimloc_32.c
new file mode 100644
index 0000000..6f1e3d6
--- /dev/null
+++ b/lib/dns/rdata/in_1/nimloc_32.c
@@ -0,0 +1,224 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* http://ana-3.lcs.mit.edu/~jnc/nimrod/dns.txt */
+
+#ifndef RDATA_IN_1_NIMLOC_32_C
+#define RDATA_IN_1_NIMLOC_32_C
+
+#define RRTYPE_NIMLOC_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_in_nimloc(ARGS_FROMTEXT) {
+	REQUIRE(type == dns_rdatatype_nimloc);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	return (isc_hex_tobuffer(lexer, target, -2));
+}
+
+static isc_result_t
+totext_in_nimloc(ARGS_TOTEXT) {
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_nimloc);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length != 0);
+
+	dns_rdata_toregion(rdata, &region);
+
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+		RETERR(str_totext("( ", target));
+	}
+	if (tctx->width == 0) {
+		RETERR(isc_hex_totext(&region, 60, "", target));
+	} else {
+		RETERR(isc_hex_totext(&region, tctx->width - 2, tctx->linebreak,
+				      target));
+	}
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+		RETERR(str_totext(" )", target));
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+fromwire_in_nimloc(ARGS_FROMWIRE) {
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_nimloc);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(dctx);
+	UNUSED(options);
+	UNUSED(rdclass);
+
+	isc_buffer_activeregion(source, &region);
+	if (region.length < 1) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	RETERR(mem_tobuffer(target, region.base, region.length));
+	isc_buffer_forward(source, region.length);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+towire_in_nimloc(ARGS_TOWIRE) {
+	REQUIRE(rdata->type == dns_rdatatype_nimloc);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static int
+compare_in_nimloc(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_nimloc);
+	REQUIRE(rdata1->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+fromstruct_in_nimloc(ARGS_FROMSTRUCT) {
+	dns_rdata_in_nimloc_t *nimloc = source;
+
+	REQUIRE(type == dns_rdatatype_nimloc);
+	REQUIRE(rdclass == dns_rdataclass_in);
+	REQUIRE(nimloc != NULL);
+	REQUIRE(nimloc->common.rdtype == type);
+	REQUIRE(nimloc->common.rdclass == rdclass);
+	REQUIRE(nimloc->nimloc != NULL || nimloc->nimloc_len == 0);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	return (mem_tobuffer(target, nimloc->nimloc, nimloc->nimloc_len));
+}
+
+static isc_result_t
+tostruct_in_nimloc(ARGS_TOSTRUCT) {
+	dns_rdata_in_nimloc_t *nimloc = target;
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_nimloc);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(nimloc != NULL);
+	REQUIRE(rdata->length != 0);
+
+	nimloc->common.rdclass = rdata->rdclass;
+	nimloc->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&nimloc->common, link);
+
+	dns_rdata_toregion(rdata, &r);
+	nimloc->nimloc_len = r.length;
+	nimloc->nimloc = mem_maybedup(mctx, r.base, r.length);
+	if (nimloc->nimloc == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	nimloc->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_in_nimloc(ARGS_FREESTRUCT) {
+	dns_rdata_in_nimloc_t *nimloc = source;
+
+	REQUIRE(nimloc != NULL);
+	REQUIRE(nimloc->common.rdclass == dns_rdataclass_in);
+	REQUIRE(nimloc->common.rdtype == dns_rdatatype_nimloc);
+
+	if (nimloc->mctx == NULL) {
+		return;
+	}
+
+	if (nimloc->nimloc != NULL) {
+		isc_mem_free(nimloc->mctx, nimloc->nimloc);
+	}
+	nimloc->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_in_nimloc(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_nimloc);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_in_nimloc(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_nimloc);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_in_nimloc(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_nimloc);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_in_nimloc(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_nimloc);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_in_nimloc(ARGS_COMPARE) {
+	return (compare_in_nimloc(rdata1, rdata2));
+}
+
+#endif /* RDATA_IN_1_NIMLOC_32_C */
diff --git a/lib/dns/rdata/in_1/nimloc_32.h b/lib/dns/rdata/in_1/nimloc_32.h
new file mode 100644
index 0000000..02ca047
--- /dev/null
+++ b/lib/dns/rdata/in_1/nimloc_32.h
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef IN_1_NIMLOC_32_H
+#define IN_1_NIMLOC_32_H 1
+
+/*!
+ *  \brief http://ana-3.lcs.mit.edu/~jnc/nimrod/dns.txt
+ */
+
+typedef struct dns_rdata_in_nimloc {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	unsigned char *nimloc;
+	uint16_t nimloc_len;
+} dns_rdata_in_nimloc_t;
+
+#endif /* IN_1_NIMLOC_32_H */
diff --git a/lib/dns/rdata/in_1/nsap-ptr_23.c b/lib/dns/rdata/in_1/nsap-ptr_23.c
new file mode 100644
index 0000000..326e878
--- /dev/null
+++ b/lib/dns/rdata/in_1/nsap-ptr_23.c
@@ -0,0 +1,243 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC1348.  Obsoleted in RFC 1706 - use PTR instead. */
+
+#ifndef RDATA_IN_1_NSAP_PTR_23_C
+#define RDATA_IN_1_NSAP_PTR_23_C
+
+#define RRTYPE_NSAP_PTR_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_in_nsap_ptr(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+
+	REQUIRE(type == dns_rdatatype_nsap_ptr);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL) {
+		origin = dns_rootname;
+	}
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+totext_in_nsap_ptr(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+
+	REQUIRE(rdata->type == dns_rdatatype_nsap_ptr);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	sub = name_prefix(&name, tctx->origin, &prefix);
+
+	return (dns_name_totext(&prefix, sub, target));
+}
+
+static isc_result_t
+fromwire_in_nsap_ptr(ARGS_FROMWIRE) {
+	dns_name_t name;
+
+	REQUIRE(type == dns_rdatatype_nsap_ptr);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+	dns_name_init(&name, NULL);
+	return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static isc_result_t
+towire_in_nsap_ptr(ARGS_TOWIRE) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_nsap_ptr);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	return (dns_name_towire(&name, cctx, target));
+}
+
+static int
+compare_in_nsap_ptr(ARGS_COMPARE) {
+	dns_name_t name1;
+	dns_name_t name2;
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_nsap_ptr);
+	REQUIRE(rdata1->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static isc_result_t
+fromstruct_in_nsap_ptr(ARGS_FROMSTRUCT) {
+	dns_rdata_in_nsap_ptr_t *nsap_ptr = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_nsap_ptr);
+	REQUIRE(rdclass == dns_rdataclass_in);
+	REQUIRE(nsap_ptr != NULL);
+	REQUIRE(nsap_ptr->common.rdtype == type);
+	REQUIRE(nsap_ptr->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_name_toregion(&nsap_ptr->owner, &region);
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static isc_result_t
+tostruct_in_nsap_ptr(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_in_nsap_ptr_t *nsap_ptr = target;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_nsap_ptr);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(nsap_ptr != NULL);
+	REQUIRE(rdata->length != 0);
+
+	nsap_ptr->common.rdclass = rdata->rdclass;
+	nsap_ptr->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&nsap_ptr->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&nsap_ptr->owner, NULL);
+	RETERR(name_duporclone(&name, mctx, &nsap_ptr->owner));
+	nsap_ptr->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_in_nsap_ptr(ARGS_FREESTRUCT) {
+	dns_rdata_in_nsap_ptr_t *nsap_ptr = source;
+
+	REQUIRE(nsap_ptr != NULL);
+	REQUIRE(nsap_ptr->common.rdclass == dns_rdataclass_in);
+	REQUIRE(nsap_ptr->common.rdtype == dns_rdatatype_nsap_ptr);
+
+	if (nsap_ptr->mctx == NULL) {
+		return;
+	}
+
+	dns_name_free(&nsap_ptr->owner, nsap_ptr->mctx);
+	nsap_ptr->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_in_nsap_ptr(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_nsap_ptr);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_in_nsap_ptr(ARGS_DIGEST) {
+	isc_region_t r;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_nsap_ptr);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	dns_rdata_toregion(rdata, &r);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r);
+
+	return (dns_name_digest(&name, digest, arg));
+}
+
+static bool
+checkowner_in_nsap_ptr(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_nsap_ptr);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_in_nsap_ptr(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_nsap_ptr);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_in_nsap_ptr(ARGS_COMPARE) {
+	return (compare_in_nsap_ptr(rdata1, rdata2));
+}
+
+#endif /* RDATA_IN_1_NSAP_PTR_23_C */
diff --git a/lib/dns/rdata/in_1/nsap-ptr_23.h b/lib/dns/rdata/in_1/nsap-ptr_23.h
new file mode 100644
index 0000000..ef1ee60
--- /dev/null
+++ b/lib/dns/rdata/in_1/nsap-ptr_23.h
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef IN_1_NSAP_PTR_23_H
+#define IN_1_NSAP_PTR_23_H 1
+
+/*!
+ *  \brief Per RFC1348.  Obsoleted in RFC 1706 - use PTR instead. */
+
+typedef struct dns_rdata_in_nsap_ptr {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	dns_name_t owner;
+} dns_rdata_in_nsap_ptr_t;
+
+#endif /* IN_1_NSAP_PTR_23_H */
diff --git a/lib/dns/rdata/in_1/nsap_22.c b/lib/dns/rdata/in_1/nsap_22.c
new file mode 100644
index 0000000..5ccb793
--- /dev/null
+++ b/lib/dns/rdata/in_1/nsap_22.c
@@ -0,0 +1,259 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC1706 */
+
+#ifndef RDATA_IN_1_NSAP_22_C
+#define RDATA_IN_1_NSAP_22_C
+
+#define RRTYPE_NSAP_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_in_nsap(ARGS_FROMTEXT) {
+	isc_token_t token;
+	isc_textregion_t *sr;
+	int n;
+	bool valid = false;
+	int digits = 0;
+	unsigned char c = 0;
+
+	REQUIRE(type == dns_rdatatype_nsap);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	/* 0x<hex.string.with.periods> */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	sr = &token.value.as_textregion;
+	if (sr->length < 2) {
+		RETTOK(ISC_R_UNEXPECTEDEND);
+	}
+	if (sr->base[0] != '0' || (sr->base[1] != 'x' && sr->base[1] != 'X')) {
+		RETTOK(DNS_R_SYNTAX);
+	}
+	isc_textregion_consume(sr, 2);
+	while (sr->length > 0) {
+		if (sr->base[0] == '.') {
+			isc_textregion_consume(sr, 1);
+			continue;
+		}
+		if ((n = hexvalue(sr->base[0])) == -1) {
+			RETTOK(DNS_R_SYNTAX);
+		}
+		c <<= 4;
+		c += n;
+		if (++digits == 2) {
+			RETERR(mem_tobuffer(target, &c, 1));
+			valid = true;
+			digits = 0;
+			c = 0;
+		}
+		isc_textregion_consume(sr, 1);
+	}
+	if (digits != 0 || !valid) {
+		RETTOK(ISC_R_UNEXPECTEDEND);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+totext_in_nsap(ARGS_TOTEXT) {
+	isc_region_t region;
+	char buf[sizeof("xx")];
+
+	REQUIRE(rdata->type == dns_rdatatype_nsap);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(tctx);
+
+	dns_rdata_toregion(rdata, &region);
+	RETERR(str_totext("0x", target));
+	while (region.length != 0) {
+		snprintf(buf, sizeof(buf), "%02x", region.base[0]);
+		isc_region_consume(&region, 1);
+		RETERR(str_totext(buf, target));
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+fromwire_in_nsap(ARGS_FROMWIRE) {
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_nsap);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(dctx);
+	UNUSED(options);
+	UNUSED(rdclass);
+
+	isc_buffer_activeregion(source, &region);
+	if (region.length < 1) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	RETERR(mem_tobuffer(target, region.base, region.length));
+	isc_buffer_forward(source, region.length);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+towire_in_nsap(ARGS_TOWIRE) {
+	REQUIRE(rdata->type == dns_rdatatype_nsap);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static int
+compare_in_nsap(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_nsap);
+	REQUIRE(rdata1->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+fromstruct_in_nsap(ARGS_FROMSTRUCT) {
+	dns_rdata_in_nsap_t *nsap = source;
+
+	REQUIRE(type == dns_rdatatype_nsap);
+	REQUIRE(rdclass == dns_rdataclass_in);
+	REQUIRE(nsap != NULL);
+	REQUIRE(nsap->common.rdtype == type);
+	REQUIRE(nsap->common.rdclass == rdclass);
+	REQUIRE(nsap->nsap != NULL || nsap->nsap_len == 0);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	return (mem_tobuffer(target, nsap->nsap, nsap->nsap_len));
+}
+
+static isc_result_t
+tostruct_in_nsap(ARGS_TOSTRUCT) {
+	dns_rdata_in_nsap_t *nsap = target;
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_nsap);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(nsap != NULL);
+	REQUIRE(rdata->length != 0);
+
+	nsap->common.rdclass = rdata->rdclass;
+	nsap->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&nsap->common, link);
+
+	dns_rdata_toregion(rdata, &r);
+	nsap->nsap_len = r.length;
+	nsap->nsap = mem_maybedup(mctx, r.base, r.length);
+	if (nsap->nsap == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	nsap->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_in_nsap(ARGS_FREESTRUCT) {
+	dns_rdata_in_nsap_t *nsap = source;
+
+	REQUIRE(nsap != NULL);
+	REQUIRE(nsap->common.rdclass == dns_rdataclass_in);
+	REQUIRE(nsap->common.rdtype == dns_rdatatype_nsap);
+
+	if (nsap->mctx == NULL) {
+		return;
+	}
+
+	if (nsap->nsap != NULL) {
+		isc_mem_free(nsap->mctx, nsap->nsap);
+	}
+	nsap->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_in_nsap(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_nsap);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_in_nsap(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_nsap);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_in_nsap(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_nsap);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_in_nsap(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_nsap);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_in_nsap(ARGS_COMPARE) {
+	return (compare_in_nsap(rdata1, rdata2));
+}
+
+#endif /* RDATA_IN_1_NSAP_22_C */
diff --git a/lib/dns/rdata/in_1/nsap_22.h b/lib/dns/rdata/in_1/nsap_22.h
new file mode 100644
index 0000000..f65c913
--- /dev/null
+++ b/lib/dns/rdata/in_1/nsap_22.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef IN_1_NSAP_22_H
+#define IN_1_NSAP_22_H 1
+
+/*!
+ *  \brief Per RFC1706 */
+
+typedef struct dns_rdata_in_nsap {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	unsigned char *nsap;
+	uint16_t nsap_len;
+} dns_rdata_in_nsap_t;
+
+#endif /* IN_1_NSAP_22_H */
diff --git a/lib/dns/rdata/in_1/px_26.c b/lib/dns/rdata/in_1/px_26.c
new file mode 100644
index 0000000..9f6a21a
--- /dev/null
+++ b/lib/dns/rdata/in_1/px_26.c
@@ -0,0 +1,379 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC2163 */
+
+#ifndef RDATA_IN_1_PX_26_C
+#define RDATA_IN_1_PX_26_C
+
+#define RRTYPE_PX_ATTRIBUTES (0)
+
+static isc_result_t
+fromtext_in_px(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+
+	REQUIRE(type == dns_rdatatype_px);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	if (origin == NULL) {
+		origin = dns_rootname;
+	}
+
+	/*
+	 * Preference.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * MAP822.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+
+	/*
+	 * MAPX400.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+totext_in_px(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+	char buf[sizeof("64000")];
+	unsigned short num;
+
+	REQUIRE(rdata->type == dns_rdatatype_px);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+
+	/*
+	 * Preference.
+	 */
+	dns_rdata_toregion(rdata, &region);
+	num = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	snprintf(buf, sizeof(buf), "%u", num);
+	RETERR(str_totext(buf, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * MAP822.
+	 */
+	dns_name_fromregion(&name, &region);
+	sub = name_prefix(&name, tctx->origin, &prefix);
+	isc_region_consume(&region, name_length(&name));
+	RETERR(dns_name_totext(&prefix, sub, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * MAPX400.
+	 */
+	dns_name_fromregion(&name, &region);
+	sub = name_prefix(&name, tctx->origin, &prefix);
+	return (dns_name_totext(&prefix, sub, target));
+}
+
+static isc_result_t
+fromwire_in_px(ARGS_FROMWIRE) {
+	dns_name_t name;
+	isc_region_t sregion;
+
+	REQUIRE(type == dns_rdatatype_px);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+	dns_name_init(&name, NULL);
+
+	/*
+	 * Preference.
+	 */
+	isc_buffer_activeregion(source, &sregion);
+	if (sregion.length < 2) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	RETERR(mem_tobuffer(target, sregion.base, 2));
+	isc_buffer_forward(source, 2);
+
+	/*
+	 * MAP822.
+	 */
+	RETERR(dns_name_fromwire(&name, source, dctx, options, target));
+
+	/*
+	 * MAPX400.
+	 */
+	return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static isc_result_t
+towire_in_px(ARGS_TOWIRE) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_px);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+	/*
+	 * Preference.
+	 */
+	dns_rdata_toregion(rdata, &region);
+	RETERR(mem_tobuffer(target, region.base, 2));
+	isc_region_consume(&region, 2);
+
+	/*
+	 * MAP822.
+	 */
+	dns_name_init(&name, offsets);
+	dns_name_fromregion(&name, &region);
+	RETERR(dns_name_towire(&name, cctx, target));
+	isc_region_consume(&region, name_length(&name));
+
+	/*
+	 * MAPX400.
+	 */
+	dns_name_init(&name, offsets);
+	dns_name_fromregion(&name, &region);
+	return (dns_name_towire(&name, cctx, target));
+}
+
+static int
+compare_in_px(ARGS_COMPARE) {
+	dns_name_t name1;
+	dns_name_t name2;
+	isc_region_t region1;
+	isc_region_t region2;
+	int order;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_px);
+	REQUIRE(rdata1->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	order = memcmp(rdata1->data, rdata2->data, 2);
+	if (order != 0) {
+		return (order < 0 ? -1 : 1);
+	}
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	isc_region_consume(&region1, 2);
+	isc_region_consume(&region2, 2);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	order = dns_name_rdatacompare(&name1, &name2);
+	if (order != 0) {
+		return (order);
+	}
+
+	isc_region_consume(&region1, name_length(&name1));
+	isc_region_consume(&region2, name_length(&name2));
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static isc_result_t
+fromstruct_in_px(ARGS_FROMSTRUCT) {
+	dns_rdata_in_px_t *px = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_px);
+	REQUIRE(rdclass == dns_rdataclass_in);
+	REQUIRE(px != NULL);
+	REQUIRE(px->common.rdtype == type);
+	REQUIRE(px->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint16_tobuffer(px->preference, target));
+	dns_name_toregion(&px->map822, &region);
+	RETERR(isc_buffer_copyregion(target, &region));
+	dns_name_toregion(&px->mapx400, &region);
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static isc_result_t
+tostruct_in_px(ARGS_TOSTRUCT) {
+	dns_rdata_in_px_t *px = target;
+	dns_name_t name;
+	isc_region_t region;
+	isc_result_t result;
+
+	REQUIRE(rdata->type == dns_rdatatype_px);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(px != NULL);
+	REQUIRE(rdata->length != 0);
+
+	px->common.rdclass = rdata->rdclass;
+	px->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&px->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+
+	px->preference = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+
+	dns_name_fromregion(&name, &region);
+
+	dns_name_init(&px->map822, NULL);
+	RETERR(name_duporclone(&name, mctx, &px->map822));
+	isc_region_consume(&region, name_length(&px->map822));
+
+	dns_name_init(&px->mapx400, NULL);
+	result = name_duporclone(&name, mctx, &px->mapx400);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	px->mctx = mctx;
+	return (result);
+
+cleanup:
+	dns_name_free(&px->map822, mctx);
+	return (ISC_R_NOMEMORY);
+}
+
+static void
+freestruct_in_px(ARGS_FREESTRUCT) {
+	dns_rdata_in_px_t *px = source;
+
+	REQUIRE(px != NULL);
+	REQUIRE(px->common.rdclass == dns_rdataclass_in);
+	REQUIRE(px->common.rdtype == dns_rdatatype_px);
+
+	if (px->mctx == NULL) {
+		return;
+	}
+
+	dns_name_free(&px->map822, px->mctx);
+	dns_name_free(&px->mapx400, px->mctx);
+	px->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_in_px(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_px);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_in_px(ARGS_DIGEST) {
+	isc_region_t r1, r2;
+	dns_name_t name;
+	isc_result_t result;
+
+	REQUIRE(rdata->type == dns_rdatatype_px);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	dns_rdata_toregion(rdata, &r1);
+	r2 = r1;
+	isc_region_consume(&r2, 2);
+	r1.length = 2;
+	result = (digest)(arg, &r1);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r2);
+	result = dns_name_digest(&name, digest, arg);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	isc_region_consume(&r2, name_length(&name));
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r2);
+
+	return (dns_name_digest(&name, digest, arg));
+}
+
+static bool
+checkowner_in_px(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_px);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_in_px(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_px);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_in_px(ARGS_COMPARE) {
+	return (compare_in_px(rdata1, rdata2));
+}
+
+#endif /* RDATA_IN_1_PX_26_C */
diff --git a/lib/dns/rdata/in_1/px_26.h b/lib/dns/rdata/in_1/px_26.h
new file mode 100644
index 0000000..1fcbd36
--- /dev/null
+++ b/lib/dns/rdata/in_1/px_26.h
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef IN_1_PX_26_H
+#define IN_1_PX_26_H 1
+
+/*!
+ *  \brief Per RFC2163 */
+
+typedef struct dns_rdata_in_px {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	uint16_t preference;
+	dns_name_t map822;
+	dns_name_t mapx400;
+} dns_rdata_in_px_t;
+
+#endif /* IN_1_PX_26_H */
diff --git a/lib/dns/rdata/in_1/srv_33.c b/lib/dns/rdata/in_1/srv_33.c
new file mode 100644
index 0000000..6e24867
--- /dev/null
+++ b/lib/dns/rdata/in_1/srv_33.c
@@ -0,0 +1,410 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC2782 */
+
+#ifndef RDATA_IN_1_SRV_33_C
+#define RDATA_IN_1_SRV_33_C
+
+#define RRTYPE_SRV_ATTRIBUTES (DNS_RDATATYPEATTR_FOLLOWADDITIONAL)
+
+static isc_result_t
+fromtext_in_srv(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+	bool ok;
+
+	REQUIRE(type == dns_rdatatype_srv);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	/*
+	 * Priority.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Weight.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Port.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Target.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL) {
+		origin = dns_rootname;
+	}
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	ok = true;
+	if ((options & DNS_RDATA_CHECKNAMES) != 0) {
+		ok = dns_name_ishostname(&name, false);
+	}
+	if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0) {
+		RETTOK(DNS_R_BADNAME);
+	}
+	if (!ok && callbacks != NULL) {
+		warn_badname(&name, lexer, callbacks);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+totext_in_srv(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+	char buf[sizeof("64000")];
+	unsigned short num;
+
+	REQUIRE(rdata->type == dns_rdatatype_srv);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+
+	/*
+	 * Priority.
+	 */
+	dns_rdata_toregion(rdata, &region);
+	num = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	snprintf(buf, sizeof(buf), "%u", num);
+	RETERR(str_totext(buf, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Weight.
+	 */
+	num = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	snprintf(buf, sizeof(buf), "%u", num);
+	RETERR(str_totext(buf, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Port.
+	 */
+	num = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	snprintf(buf, sizeof(buf), "%u", num);
+	RETERR(str_totext(buf, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Target.
+	 */
+	dns_name_fromregion(&name, &region);
+	sub = name_prefix(&name, tctx->origin, &prefix);
+	return (dns_name_totext(&prefix, sub, target));
+}
+
+static isc_result_t
+fromwire_in_srv(ARGS_FROMWIRE) {
+	dns_name_t name;
+	isc_region_t sr;
+
+	REQUIRE(type == dns_rdatatype_srv);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+	dns_name_init(&name, NULL);
+
+	/*
+	 * Priority, weight, port.
+	 */
+	isc_buffer_activeregion(source, &sr);
+	if (sr.length < 6) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	RETERR(mem_tobuffer(target, sr.base, 6));
+	isc_buffer_forward(source, 6);
+
+	/*
+	 * Target.
+	 */
+	return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static isc_result_t
+towire_in_srv(ARGS_TOWIRE) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_srv);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+	/*
+	 * Priority, weight, port.
+	 */
+	dns_rdata_toregion(rdata, &sr);
+	RETERR(mem_tobuffer(target, sr.base, 6));
+	isc_region_consume(&sr, 6);
+
+	/*
+	 * Target.
+	 */
+	dns_name_init(&name, offsets);
+	dns_name_fromregion(&name, &sr);
+	return (dns_name_towire(&name, cctx, target));
+}
+
+static int
+compare_in_srv(ARGS_COMPARE) {
+	dns_name_t name1;
+	dns_name_t name2;
+	isc_region_t region1;
+	isc_region_t region2;
+	int order;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_srv);
+	REQUIRE(rdata1->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	/*
+	 * Priority, weight, port.
+	 */
+	order = memcmp(rdata1->data, rdata2->data, 6);
+	if (order != 0) {
+		return (order < 0 ? -1 : 1);
+	}
+
+	/*
+	 * Target.
+	 */
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	isc_region_consume(&region1, 6);
+	isc_region_consume(&region2, 6);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static isc_result_t
+fromstruct_in_srv(ARGS_FROMSTRUCT) {
+	dns_rdata_in_srv_t *srv = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_srv);
+	REQUIRE(rdclass == dns_rdataclass_in);
+	REQUIRE(srv != NULL);
+	REQUIRE(srv->common.rdtype == type);
+	REQUIRE(srv->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint16_tobuffer(srv->priority, target));
+	RETERR(uint16_tobuffer(srv->weight, target));
+	RETERR(uint16_tobuffer(srv->port, target));
+	dns_name_toregion(&srv->target, &region);
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static isc_result_t
+tostruct_in_srv(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_in_srv_t *srv = target;
+	dns_name_t name;
+
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->type == dns_rdatatype_srv);
+	REQUIRE(srv != NULL);
+	REQUIRE(rdata->length != 0);
+
+	srv->common.rdclass = rdata->rdclass;
+	srv->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&srv->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	srv->priority = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	srv->weight = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	srv->port = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&srv->target, NULL);
+	RETERR(name_duporclone(&name, mctx, &srv->target));
+	srv->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_in_srv(ARGS_FREESTRUCT) {
+	dns_rdata_in_srv_t *srv = source;
+
+	REQUIRE(srv != NULL);
+	REQUIRE(srv->common.rdclass == dns_rdataclass_in);
+	REQUIRE(srv->common.rdtype == dns_rdatatype_srv);
+
+	if (srv->mctx == NULL) {
+		return;
+	}
+
+	dns_name_free(&srv->target, srv->mctx);
+	srv->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_in_srv(ARGS_ADDLDATA) {
+	char buf[sizeof("_65000._tcp")];
+	dns_fixedname_t fixed;
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+	uint16_t port;
+	isc_result_t result;
+
+	REQUIRE(rdata->type == dns_rdatatype_srv);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &region);
+	isc_region_consume(&region, 4);
+	port = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	dns_name_fromregion(&name, &region);
+
+	if (dns_name_equal(&name, dns_rootname)) {
+		return (ISC_R_SUCCESS);
+	}
+
+	result = (add)(arg, &name, dns_rdatatype_a);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	dns_fixedname_init(&fixed);
+	snprintf(buf, sizeof(buf), "_%u._tcp", port);
+	result = dns_name_fromstring2(dns_fixedname_name(&fixed), buf, NULL, 0,
+				      NULL);
+	if (result != ISC_R_SUCCESS) {
+		return (ISC_R_SUCCESS);
+	}
+
+	result = dns_name_concatenate(dns_fixedname_name(&fixed), &name,
+				      dns_fixedname_name(&fixed), NULL);
+	if (result != ISC_R_SUCCESS) {
+		return (ISC_R_SUCCESS);
+	}
+
+	return ((add)(arg, dns_fixedname_name(&fixed), dns_rdatatype_tlsa));
+}
+
+static isc_result_t
+digest_in_srv(ARGS_DIGEST) {
+	isc_region_t r1, r2;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_srv);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	dns_rdata_toregion(rdata, &r1);
+	r2 = r1;
+	isc_region_consume(&r2, 6);
+	r1.length = 6;
+	RETERR((digest)(arg, &r1));
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r2);
+	return (dns_name_digest(&name, digest, arg));
+}
+
+static bool
+checkowner_in_srv(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_srv);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+checknames_in_srv(ARGS_CHECKNAMES) {
+	isc_region_t region;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_srv);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	UNUSED(owner);
+
+	dns_rdata_toregion(rdata, &region);
+	isc_region_consume(&region, 6);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+	if (!dns_name_ishostname(&name, false)) {
+		if (bad != NULL) {
+			dns_name_clone(&name, bad);
+		}
+		return (false);
+	}
+	return (true);
+}
+
+static int
+casecompare_in_srv(ARGS_COMPARE) {
+	return (compare_in_srv(rdata1, rdata2));
+}
+
+#endif /* RDATA_IN_1_SRV_33_C */
diff --git a/lib/dns/rdata/in_1/srv_33.h b/lib/dns/rdata/in_1/srv_33.h
new file mode 100644
index 0000000..554180a
--- /dev/null
+++ b/lib/dns/rdata/in_1/srv_33.h
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef IN_1_SRV_33_H
+#define IN_1_SRV_33_H 1
+
+/*!
+ *  \brief Per RFC2782 */
+
+typedef struct dns_rdata_in_srv {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	uint16_t priority;
+	uint16_t weight;
+	uint16_t port;
+	dns_name_t target;
+} dns_rdata_in_srv_t;
+
+#endif /* IN_1_SRV_33_H */
diff --git a/lib/dns/rdata/in_1/svcb_64.c b/lib/dns/rdata/in_1/svcb_64.c
new file mode 100644
index 0000000..a87473f
--- /dev/null
+++ b/lib/dns/rdata/in_1/svcb_64.c
@@ -0,0 +1,1268 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* draft-ietf-dnsop-svcb-https-02 */
+
+#ifndef RDATA_IN_1_SVCB_64_C
+#define RDATA_IN_1_SVCB_64_C
+
+#define RRTYPE_SVCB_ATTRIBUTES 0
+
+#define SVCB_MAN_KEY		 0
+#define SVCB_ALPN_KEY		 1
+#define SVCB_NO_DEFAULT_ALPN_KEY 2
+
+/*
+ * Service Binding Parameter Registry
+ */
+enum encoding {
+	sbpr_text,
+	sbpr_port,
+	sbpr_ipv4s,
+	sbpr_ipv6s,
+	sbpr_base64,
+	sbpr_empty,
+	sbpr_alpn,
+	sbpr_keylist,
+	sbpr_dohpath
+};
+static const struct {
+	const char *name; /* Restricted to lowercase LDH by registry. */
+	unsigned int value;
+	enum encoding encoding;
+	bool initial; /* Part of the first defined set of encodings. */
+} sbpr[] = {
+	{ "mandatory", 0, sbpr_keylist, true },
+	{ "alpn", 1, sbpr_alpn, true },
+	{ "no-default-alpn", 2, sbpr_empty, true },
+	{ "port", 3, sbpr_port, true },
+	{ "ipv4hint", 4, sbpr_ipv4s, true },
+	{ "ech", 5, sbpr_base64, true },
+	{ "ipv6hint", 6, sbpr_ipv6s, true },
+	{ "dohpath", 7, sbpr_dohpath, false },
+};
+
+static isc_result_t
+alpn_fromtxt(isc_textregion_t *source, isc_buffer_t *target) {
+	isc_textregion_t source0 = *source;
+	do {
+		RETERR(commatxt_fromtext(&source0, true, target));
+	} while (source0.length != 0);
+	return (ISC_R_SUCCESS);
+}
+
+static int
+svckeycmp(const void *a1, const void *a2) {
+	const unsigned char *u1 = a1, *u2 = a2;
+	if (*u1 != *u2) {
+		return (*u1 - *u2);
+	}
+	return (*(++u1) - *(++u2));
+}
+
+static isc_result_t
+svcsortkeylist(isc_buffer_t *target, unsigned int used) {
+	isc_region_t region;
+
+	isc_buffer_usedregion(target, &region);
+	isc_region_consume(&region, used);
+	INSIST(region.length > 0U);
+	qsort(region.base, region.length / 2, 2, svckeycmp);
+	/* Reject duplicates. */
+	while (region.length >= 4) {
+		if (region.base[0] == region.base[2] &&
+		    region.base[1] == region.base[3])
+		{
+			return (DNS_R_SYNTAX);
+		}
+		isc_region_consume(&region, 2);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+svcb_validate(uint16_t key, isc_region_t *region) {
+	size_t i;
+
+#ifndef ARRAYSIZE
+/* defined in winnt.h */
+#define ARRAYSIZE(x) (sizeof(x) / sizeof(*x))
+#endif
+
+	for (i = 0; i < ARRAYSIZE(sbpr); i++) {
+		if (sbpr[i].value == key) {
+			switch (sbpr[i].encoding) {
+			case sbpr_port:
+				if (region->length != 2) {
+					return (DNS_R_FORMERR);
+				}
+				break;
+			case sbpr_ipv4s:
+				if ((region->length % 4) != 0 ||
+				    region->length == 0)
+				{
+					return (DNS_R_FORMERR);
+				}
+				break;
+			case sbpr_ipv6s:
+				if ((region->length % 16) != 0 ||
+				    region->length == 0)
+				{
+					return (DNS_R_FORMERR);
+				}
+				break;
+			case sbpr_alpn: {
+				if (region->length == 0) {
+					return (DNS_R_FORMERR);
+				}
+				while (region->length != 0) {
+					size_t l = *region->base + 1;
+					if (l == 1U || l > region->length) {
+						return (DNS_R_FORMERR);
+					}
+					isc_region_consume(region, l);
+				}
+				break;
+			}
+			case sbpr_keylist: {
+				if ((region->length % 2) != 0 ||
+				    region->length == 0)
+				{
+					return (DNS_R_FORMERR);
+				}
+				/* In order? */
+				while (region->length >= 4) {
+					if (region->base[0] > region->base[2] ||
+					    (region->base[0] ==
+						     region->base[2] &&
+					     region->base[1] >=
+						     region->base[3]))
+					{
+						return (DNS_R_FORMERR);
+					}
+					isc_region_consume(region, 2);
+				}
+				break;
+			}
+			case sbpr_text:
+			case sbpr_base64:
+				break;
+			case sbpr_dohpath:
+				/*
+				 * Minimum valid dohpath is "/{?dns}" as
+				 * it MUST be relative (leading "/") and
+				 * MUST contain "{?dns}".
+				 */
+				if (region->length < 7) {
+					return (DNS_R_FORMERR);
+				}
+				/* MUST be relative */
+				if (region->base[0] != '/') {
+					return (DNS_R_FORMERR);
+				}
+				/* MUST be UTF8 */
+				if (!isc_utf8_valid(region->base,
+						    region->length))
+				{
+					return (DNS_R_FORMERR);
+				}
+				/* MUST contain "{?dns}" */
+				if (strnstr((char *)region->base, "{?dns}",
+					    region->length) == NULL)
+				{
+					return (DNS_R_FORMERR);
+				}
+				break;
+			case sbpr_empty:
+				if (region->length != 0) {
+					return (DNS_R_FORMERR);
+				}
+				break;
+			}
+		}
+	}
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Parse keyname from region.
+ */
+static isc_result_t
+svc_keyfromregion(isc_textregion_t *region, char sep, uint16_t *value,
+		  isc_buffer_t *target) {
+	char *e = NULL;
+	size_t i;
+	unsigned long ul;
+
+	/* Look for known key names.  */
+	for (i = 0; i < ARRAYSIZE(sbpr); i++) {
+		size_t len = strlen(sbpr[i].name);
+		if (strncasecmp(region->base, sbpr[i].name, len) != 0 ||
+		    (region->base[len] != 0 && region->base[len] != sep))
+		{
+			continue;
+		}
+		isc_textregion_consume(region, len);
+		ul = sbpr[i].value;
+		goto finish;
+	}
+	/* Handle keyXXXXX form. */
+	if (strncmp(region->base, "key", 3) != 0) {
+		return (DNS_R_SYNTAX);
+	}
+	isc_textregion_consume(region, 3);
+	/* Disallow [+-]XXXXX which is allowed by strtoul. */
+	if (region->length == 0 || *region->base == '-' || *region->base == '+')
+	{
+		return (DNS_R_SYNTAX);
+	}
+	/* No zero padding. */
+	if (region->length > 1 && *region->base == '0' &&
+	    region->base[1] != sep)
+	{
+		return (DNS_R_SYNTAX);
+	}
+	ul = strtoul(region->base, &e, 10);
+	/* Valid number? */
+	if (e == region->base || (*e != sep && *e != 0)) {
+		return (DNS_R_SYNTAX);
+	}
+	if (ul > 0xffff) {
+		return (ISC_R_RANGE);
+	}
+	isc_textregion_consume(region, e - region->base);
+finish:
+	if (sep == ',' && region->length == 1) {
+		return (DNS_R_SYNTAX);
+	}
+	/* Consume separator. */
+	if (region->length != 0) {
+		isc_textregion_consume(region, 1);
+	}
+	RETERR(uint16_tobuffer(ul, target));
+	if (value != NULL) {
+		*value = ul;
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+svc_fromtext(isc_textregion_t *region, isc_buffer_t *target) {
+	char *e = NULL;
+	char abuf[16];
+	char tbuf[sizeof("aaaa:aaaa:aaaa:aaaa:aaaa:aaaa:255.255.255.255,")];
+	isc_buffer_t sb;
+	isc_region_t keyregion;
+	size_t len;
+	uint16_t key;
+	unsigned int i;
+	unsigned int used;
+	unsigned long ul;
+
+	for (i = 0; i < ARRAYSIZE(sbpr); i++) {
+		len = strlen(sbpr[i].name);
+		if (strncmp(region->base, sbpr[i].name, len) != 0 ||
+		    (region->base[len] != 0 && region->base[len] != '='))
+		{
+			continue;
+		}
+
+		if (region->base[len] == '=') {
+			len++;
+		}
+
+		RETERR(uint16_tobuffer(sbpr[i].value, target));
+		isc_textregion_consume(region, len);
+
+		sb = *target;
+		RETERR(uint16_tobuffer(0, target)); /* length */
+
+		switch (sbpr[i].encoding) {
+		case sbpr_text:
+		case sbpr_dohpath:
+			RETERR(multitxt_fromtext(region, target));
+			break;
+		case sbpr_alpn:
+			RETERR(alpn_fromtxt(region, target));
+			break;
+		case sbpr_port:
+			if (!isdigit((unsigned char)*region->base)) {
+				return (DNS_R_SYNTAX);
+			}
+			ul = strtoul(region->base, &e, 10);
+			if (*e != '\0') {
+				return (DNS_R_SYNTAX);
+			}
+			if (ul > 0xffff) {
+				return (ISC_R_RANGE);
+			}
+			RETERR(uint16_tobuffer(ul, target));
+			break;
+		case sbpr_ipv4s:
+			do {
+				snprintf(tbuf, sizeof(tbuf), "%*s",
+					 (int)(region->length), region->base);
+				e = strchr(tbuf, ',');
+				if (e != NULL) {
+					*e++ = 0;
+					isc_textregion_consume(region,
+							       e - tbuf);
+				}
+				if (inet_pton(AF_INET, tbuf, abuf) != 1) {
+					return (DNS_R_SYNTAX);
+				}
+				mem_tobuffer(target, abuf, 4);
+			} while (e != NULL);
+			break;
+		case sbpr_ipv6s:
+			do {
+				snprintf(tbuf, sizeof(tbuf), "%*s",
+					 (int)(region->length), region->base);
+				e = strchr(tbuf, ',');
+				if (e != NULL) {
+					*e++ = 0;
+					isc_textregion_consume(region,
+							       e - tbuf);
+				}
+				if (inet_pton(AF_INET6, tbuf, abuf) != 1) {
+					return (DNS_R_SYNTAX);
+				}
+				mem_tobuffer(target, abuf, 16);
+			} while (e != NULL);
+			break;
+		case sbpr_base64:
+			RETERR(isc_base64_decodestring(region->base, target));
+			break;
+		case sbpr_empty:
+			if (region->length != 0) {
+				return (DNS_R_SYNTAX);
+			}
+			break;
+		case sbpr_keylist:
+			if (region->length == 0) {
+				return (DNS_R_SYNTAX);
+			}
+			used = isc_buffer_usedlength(target);
+			while (region->length != 0) {
+				RETERR(svc_keyfromregion(region, ',', NULL,
+							 target));
+			}
+			RETERR(svcsortkeylist(target, used));
+			break;
+		default:
+			UNREACHABLE();
+		}
+
+		len = isc_buffer_usedlength(target) -
+		      isc_buffer_usedlength(&sb) - 2;
+		RETERR(uint16_tobuffer(len, &sb)); /* length */
+		switch (sbpr[i].encoding) {
+		case sbpr_dohpath:
+			/*
+			 * Apply constraints not applied by multitxt_fromtext.
+			 */
+			keyregion.base = isc_buffer_used(&sb);
+			keyregion.length = isc_buffer_usedlength(target) -
+					   isc_buffer_usedlength(&sb);
+			RETERR(svcb_validate(sbpr[i].value, &keyregion));
+			break;
+		default:
+			break;
+		}
+		return (ISC_R_SUCCESS);
+	}
+
+	RETERR(svc_keyfromregion(region, '=', &key, target));
+	if (region->length == 0) {
+		RETERR(uint16_tobuffer(0, target)); /* length */
+		/* Sanity check keyXXXXX form. */
+		keyregion.base = isc_buffer_used(target);
+		keyregion.length = 0;
+		return (svcb_validate(key, &keyregion));
+	}
+	sb = *target;
+	RETERR(uint16_tobuffer(0, target)); /* dummy length */
+	RETERR(multitxt_fromtext(region, target));
+	len = isc_buffer_usedlength(target) - isc_buffer_usedlength(&sb) - 2;
+	RETERR(uint16_tobuffer(len, &sb)); /* length */
+	/* Sanity check keyXXXXX form. */
+	keyregion.base = isc_buffer_used(&sb);
+	keyregion.length = len;
+	return (svcb_validate(key, &keyregion));
+}
+
+static const char *
+svcparamkey(unsigned short value, enum encoding *encoding, char *buf,
+	    size_t len) {
+	size_t i;
+	int n;
+
+	for (i = 0; i < ARRAYSIZE(sbpr); i++) {
+		if (sbpr[i].value == value && sbpr[i].initial) {
+			*encoding = sbpr[i].encoding;
+			return (sbpr[i].name);
+		}
+	}
+	n = snprintf(buf, len, "key%u", value);
+	INSIST(n > 0 && (unsigned)n < len);
+	*encoding = sbpr_text;
+	return (buf);
+}
+
+static isc_result_t
+svcsortkeys(isc_buffer_t *target, unsigned int used) {
+	isc_region_t r1, r2, man = { .base = NULL, .length = 0 };
+	unsigned char buf[1024];
+	uint16_t mankey = 0;
+	bool have_alpn = false;
+
+	if (isc_buffer_usedlength(target) == used) {
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * Get the parameters into r1.
+	 */
+	isc_buffer_usedregion(target, &r1);
+	isc_region_consume(&r1, used);
+
+	while (1) {
+		uint16_t key1, len1, key2, len2;
+		unsigned char *base1, *base2;
+
+		r2 = r1;
+
+		/*
+		 * Get the first parameter.
+		 */
+		base1 = r1.base;
+		key1 = uint16_fromregion(&r1);
+		isc_region_consume(&r1, 2);
+		len1 = uint16_fromregion(&r1);
+		isc_region_consume(&r1, 2);
+		isc_region_consume(&r1, len1);
+
+		/*
+		 * Was there only one key left?
+		 */
+		if (r1.length == 0) {
+			if (mankey != 0) {
+				/* Is this the last mandatory key? */
+				if (key1 != mankey || man.length != 0) {
+					return (DNS_R_INCONSISTENTRR);
+				}
+			} else if (key1 == SVCB_MAN_KEY) {
+				/* Lone mandatory field. */
+				return (DNS_R_DISALLOWED);
+			} else if (key1 == SVCB_NO_DEFAULT_ALPN_KEY &&
+				   !have_alpn)
+			{
+				/* Missing required ALPN field. */
+				return (DNS_R_DISALLOWED);
+			}
+			return (ISC_R_SUCCESS);
+		}
+
+		/*
+		 * Find the smallest parameter.
+		 */
+		while (r1.length != 0) {
+			base2 = r1.base;
+			key2 = uint16_fromregion(&r1);
+			isc_region_consume(&r1, 2);
+			len2 = uint16_fromregion(&r1);
+			isc_region_consume(&r1, 2);
+			isc_region_consume(&r1, len2);
+			if (key2 == key1) {
+				return (DNS_R_DUPLICATE);
+			}
+			if (key2 < key1) {
+				base1 = base2;
+				key1 = key2;
+				len1 = len2;
+			}
+		}
+
+		/*
+		 * Do we need to move the smallest parameter to the start?
+		 */
+		if (base1 != r2.base) {
+			size_t offset = 0;
+			size_t bytes = len1 + 4;
+			size_t length = base1 - r2.base;
+
+			/*
+			 * Move the smallest parameter to the start.
+			 */
+			while (bytes > 0) {
+				size_t count;
+
+				if (bytes > sizeof(buf)) {
+					count = sizeof(buf);
+				} else {
+					count = bytes;
+				}
+				memmove(buf, base1, count);
+				memmove(r2.base + offset + count,
+					r2.base + offset, length);
+				memmove(r2.base + offset, buf, count);
+				base1 += count;
+				bytes -= count;
+				offset += count;
+			}
+		}
+
+		/*
+		 * Check ALPN is present when NO-DEFAULT-ALPN is set.
+		 */
+		if (key1 == SVCB_ALPN_KEY) {
+			have_alpn = true;
+		} else if (key1 == SVCB_NO_DEFAULT_ALPN_KEY && !have_alpn) {
+			/* Missing required ALPN field. */
+			return (DNS_R_DISALLOWED);
+		}
+
+		/*
+		 * Check key against mandatory key list.
+		 */
+		if (mankey != 0) {
+			if (key1 > mankey) {
+				return (DNS_R_INCONSISTENTRR);
+			}
+			if (key1 == mankey) {
+				if (man.length >= 2) {
+					mankey = uint16_fromregion(&man);
+					isc_region_consume(&man, 2);
+				} else {
+					mankey = 0;
+				}
+			}
+		}
+
+		/*
+		 * Is this the mandatory key?
+		 */
+		if (key1 == SVCB_MAN_KEY) {
+			man = r2;
+			man.length = len1 + 4;
+			isc_region_consume(&man, 4);
+			if (man.length >= 2) {
+				mankey = uint16_fromregion(&man);
+				isc_region_consume(&man, 2);
+				if (mankey == SVCB_MAN_KEY) {
+					return (DNS_R_DISALLOWED);
+				}
+			} else {
+				return (DNS_R_SYNTAX);
+			}
+		}
+
+		/*
+		 * Consume the smallest parameter.
+		 */
+		isc_region_consume(&r2, len1 + 4);
+		r1 = r2;
+	}
+}
+
+static isc_result_t
+generic_fromtext_in_svcb(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+	bool alias;
+	bool ok = true;
+	unsigned int used;
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	/*
+	 * SvcPriority.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	alias = token.value.as_ulong == 0;
+
+	/*
+	 * TargetName.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
+				      false));
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL) {
+		origin = dns_rootname;
+	}
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	if (!alias && (options & DNS_RDATA_CHECKNAMES) != 0) {
+		ok = dns_name_ishostname(&name, false);
+	}
+	if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0) {
+		RETTOK(DNS_R_BADNAME);
+	}
+	if (!ok && callbacks != NULL) {
+		warn_badname(&name, lexer, callbacks);
+	}
+
+	if (alias) {
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * SvcParams
+	 */
+	used = isc_buffer_usedlength(target);
+	while (1) {
+		RETERR(isc_lex_getmastertoken(lexer, &token,
+					      isc_tokentype_qvpair, true));
+		if (token.type == isc_tokentype_eol ||
+		    token.type == isc_tokentype_eof)
+		{
+			isc_lex_ungettoken(lexer, &token);
+			return (svcsortkeys(target, used));
+		}
+
+		if (token.type != isc_tokentype_string && /* key only */
+		    token.type != isc_tokentype_qvpair &&
+		    token.type != isc_tokentype_vpair)
+		{
+			RETTOK(DNS_R_SYNTAX);
+		}
+		RETTOK(svc_fromtext(&token.value.as_textregion, target));
+	}
+}
+
+static isc_result_t
+fromtext_in_svcb(ARGS_FROMTEXT) {
+	REQUIRE(type == dns_rdatatype_svcb);
+	REQUIRE(rdclass == dns_rdataclass_in);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	return (generic_fromtext_in_svcb(CALL_FROMTEXT));
+}
+
+static isc_result_t
+generic_totext_in_svcb(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+	char buf[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:255.255.255.255")];
+	unsigned short num;
+	int n;
+
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+
+	dns_rdata_toregion(rdata, &region);
+
+	/*
+	 * SvcPriority.
+	 */
+	num = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	n = snprintf(buf, sizeof(buf), "%u ", num);
+	INSIST(n > 0 && (unsigned)n < sizeof(buf));
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * TargetName.
+	 */
+	dns_name_fromregion(&name, &region);
+	isc_region_consume(&region, name_length(&name));
+	sub = name_prefix(&name, tctx->origin, &prefix);
+	RETERR(dns_name_totext(&prefix, sub, target));
+
+	while (region.length > 0) {
+		isc_region_t r;
+		enum encoding encoding;
+
+		RETERR(str_totext(" ", target));
+
+		INSIST(region.length >= 2);
+		num = uint16_fromregion(&region);
+		isc_region_consume(&region, 2);
+		RETERR(str_totext(svcparamkey(num, &encoding, buf, sizeof(buf)),
+				  target));
+
+		INSIST(region.length >= 2);
+		num = uint16_fromregion(&region);
+		isc_region_consume(&region, 2);
+
+		INSIST(region.length >= num);
+		r = region;
+		r.length = num;
+		isc_region_consume(&region, num);
+		if (num == 0) {
+			continue;
+		}
+		if (encoding != sbpr_empty) {
+			RETERR(str_totext("=", target));
+		}
+		switch (encoding) {
+		case sbpr_text:
+			RETERR(multitxt_totext(&r, target));
+			break;
+		case sbpr_port:
+			num = uint16_fromregion(&r);
+			isc_region_consume(&r, 2);
+			n = snprintf(buf, sizeof(buf), "%u", num);
+			INSIST(n > 0 && (unsigned)n < sizeof(buf));
+			RETERR(str_totext(buf, target));
+			INSIST(r.length == 0U);
+			break;
+		case sbpr_ipv4s:
+			while (r.length > 0U) {
+				INSIST(r.length >= 4U);
+				inet_ntop(AF_INET, r.base, buf, sizeof(buf));
+				RETERR(str_totext(buf, target));
+				isc_region_consume(&r, 4);
+				if (r.length != 0U) {
+					RETERR(str_totext(",", target));
+				}
+			}
+			break;
+		case sbpr_ipv6s:
+			while (r.length > 0U) {
+				INSIST(r.length >= 16U);
+				inet_ntop(AF_INET6, r.base, buf, sizeof(buf));
+				RETERR(str_totext(buf, target));
+				isc_region_consume(&r, 16);
+				if (r.length != 0U) {
+					RETERR(str_totext(",", target));
+				}
+			}
+			break;
+		case sbpr_base64:
+			RETERR(isc_base64_totext(&r, 0, "", target));
+			break;
+		case sbpr_alpn:
+			INSIST(r.length != 0U);
+			RETERR(str_totext("\"", target));
+			while (r.length != 0) {
+				commatxt_totext(&r, false, true, target);
+				if (r.length != 0) {
+					RETERR(str_totext(",", target));
+				}
+			}
+			RETERR(str_totext("\"", target));
+			break;
+		case sbpr_empty:
+			INSIST(r.length == 0U);
+			break;
+		case sbpr_keylist:
+			while (r.length > 0) {
+				num = uint16_fromregion(&r);
+				isc_region_consume(&r, 2);
+				RETERR(str_totext(svcparamkey(num, &encoding,
+							      buf, sizeof(buf)),
+						  target));
+				if (r.length != 0) {
+					RETERR(str_totext(",", target));
+				}
+			}
+			break;
+		default:
+			UNREACHABLE();
+		}
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+totext_in_svcb(ARGS_TOTEXT) {
+	REQUIRE(rdata->type == dns_rdatatype_svcb);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length != 0);
+
+	return (generic_totext_in_svcb(CALL_TOTEXT));
+}
+
+static isc_result_t
+generic_fromwire_in_svcb(ARGS_FROMWIRE) {
+	dns_name_t name;
+	isc_region_t region, man = { .base = NULL, .length = 0 };
+	bool alias, first = true, have_alpn = false;
+	uint16_t lastkey = 0, mankey = 0;
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+	dns_name_init(&name, NULL);
+
+	/*
+	 * SvcPriority.
+	 */
+	isc_buffer_activeregion(source, &region);
+	if (region.length < 2) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	RETERR(mem_tobuffer(target, region.base, 2));
+	alias = uint16_fromregion(&region) == 0;
+	isc_buffer_forward(source, 2);
+
+	/*
+	 * TargetName.
+	 */
+	RETERR(dns_name_fromwire(&name, source, dctx, options, target));
+
+	if (alias) {
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * SvcParams.
+	 */
+	isc_buffer_activeregion(source, &region);
+	while (region.length > 0U) {
+		isc_region_t keyregion;
+		uint16_t key, len;
+
+		/*
+		 * SvcParamKey
+		 */
+		if (region.length < 2U) {
+			return (ISC_R_UNEXPECTEDEND);
+		}
+		RETERR(mem_tobuffer(target, region.base, 2));
+		key = uint16_fromregion(&region);
+		isc_region_consume(&region, 2);
+
+		/*
+		 * Keys must be unique and in order.
+		 */
+		if (!first && key <= lastkey) {
+			return (DNS_R_FORMERR);
+		}
+
+		/*
+		 * Check mandatory keys.
+		 */
+		if (mankey != 0) {
+			/* Missing mandatory key? */
+			if (key > mankey) {
+				return (DNS_R_FORMERR);
+			}
+			if (key == mankey) {
+				/* Get next mandatory key. */
+				if (man.length >= 2) {
+					mankey = uint16_fromregion(&man);
+					isc_region_consume(&man, 2);
+				} else {
+					mankey = 0;
+				}
+			}
+		}
+
+		/*
+		 * Check alpn present when no-default-alpn is set.
+		 */
+		if (key == SVCB_ALPN_KEY) {
+			have_alpn = true;
+		} else if (key == SVCB_NO_DEFAULT_ALPN_KEY && !have_alpn) {
+			return (DNS_R_FORMERR);
+		}
+
+		first = false;
+		lastkey = key;
+
+		/*
+		 * SvcParamValue length.
+		 */
+		if (region.length < 2U) {
+			return (ISC_R_UNEXPECTEDEND);
+		}
+		RETERR(mem_tobuffer(target, region.base, 2));
+		len = uint16_fromregion(&region);
+		isc_region_consume(&region, 2);
+
+		/*
+		 * SvcParamValue.
+		 */
+		if (region.length < len) {
+			return (ISC_R_UNEXPECTEDEND);
+		}
+
+		/*
+		 * Remember manatory key.
+		 */
+		if (key == SVCB_MAN_KEY) {
+			man = region;
+			man.length = len;
+			/* Get first mandatory key */
+			if (man.length >= 2) {
+				mankey = uint16_fromregion(&man);
+				isc_region_consume(&man, 2);
+				if (mankey == SVCB_MAN_KEY) {
+					return (DNS_R_FORMERR);
+				}
+			} else {
+				return (DNS_R_FORMERR);
+			}
+		}
+		keyregion = region;
+		keyregion.length = len;
+		RETERR(svcb_validate(key, &keyregion));
+		RETERR(mem_tobuffer(target, region.base, len));
+		isc_region_consume(&region, len);
+		isc_buffer_forward(source, len + 4);
+	}
+
+	/*
+	 * Do we have an outstanding mandatory key?
+	 */
+	if (mankey != 0) {
+		return (DNS_R_FORMERR);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+fromwire_in_svcb(ARGS_FROMWIRE) {
+	REQUIRE(type == dns_rdatatype_svcb);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	return (generic_fromwire_in_svcb(CALL_FROMWIRE));
+}
+
+static isc_result_t
+generic_towire_in_svcb(ARGS_TOWIRE) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+
+	/*
+	 * SvcPriority.
+	 */
+	dns_rdata_toregion(rdata, &region);
+	RETERR(mem_tobuffer(target, region.base, 2));
+	isc_region_consume(&region, 2);
+
+	/*
+	 * TargetName.
+	 */
+	dns_name_init(&name, offsets);
+	dns_name_fromregion(&name, &region);
+	RETERR(dns_name_towire(&name, cctx, target));
+	isc_region_consume(&region, name_length(&name));
+
+	/*
+	 * SvcParams.
+	 */
+	return (mem_tobuffer(target, region.base, region.length));
+}
+
+static isc_result_t
+towire_in_svcb(ARGS_TOWIRE) {
+	REQUIRE(rdata->type == dns_rdatatype_svcb);
+	REQUIRE(rdata->length != 0);
+
+	return (generic_towire_in_svcb(CALL_TOWIRE));
+}
+
+static int
+compare_in_svcb(ARGS_COMPARE) {
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_svcb);
+	REQUIRE(rdata1->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	return (isc_region_compare(&region1, &region2));
+}
+
+static isc_result_t
+generic_fromstruct_in_svcb(ARGS_FROMSTRUCT) {
+	dns_rdata_in_svcb_t *svcb = source;
+	isc_region_t region;
+
+	REQUIRE(svcb != NULL);
+	REQUIRE(svcb->common.rdtype == type);
+	REQUIRE(svcb->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint16_tobuffer(svcb->priority, target));
+	dns_name_toregion(&svcb->svcdomain, &region);
+	RETERR(isc_buffer_copyregion(target, &region));
+
+	return (mem_tobuffer(target, svcb->svc, svcb->svclen));
+}
+
+static isc_result_t
+fromstruct_in_svcb(ARGS_FROMSTRUCT) {
+	dns_rdata_in_svcb_t *svcb = source;
+
+	REQUIRE(type == dns_rdatatype_svcb);
+	REQUIRE(rdclass == dns_rdataclass_in);
+	REQUIRE(svcb != NULL);
+	REQUIRE(svcb->common.rdtype == type);
+	REQUIRE(svcb->common.rdclass == rdclass);
+
+	return (generic_fromstruct_in_svcb(CALL_FROMSTRUCT));
+}
+
+static isc_result_t
+generic_tostruct_in_svcb(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_in_svcb_t *svcb = target;
+	dns_name_t name;
+
+	REQUIRE(svcb != NULL);
+	REQUIRE(rdata->length != 0);
+
+	svcb->common.rdclass = rdata->rdclass;
+	svcb->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&svcb->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+
+	svcb->priority = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+
+	dns_name_init(&svcb->svcdomain, NULL);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+	isc_region_consume(&region, name_length(&name));
+
+	RETERR(name_duporclone(&name, mctx, &svcb->svcdomain));
+	svcb->svclen = region.length;
+	svcb->svc = mem_maybedup(mctx, region.base, region.length);
+
+	if (svcb->svc == NULL) {
+		if (mctx != NULL) {
+			dns_name_free(&svcb->svcdomain, svcb->mctx);
+		}
+		return (ISC_R_NOMEMORY);
+	}
+
+	svcb->offset = 0;
+	svcb->mctx = mctx;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+tostruct_in_svcb(ARGS_TOSTRUCT) {
+	dns_rdata_in_svcb_t *svcb = target;
+
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->type == dns_rdatatype_svcb);
+	REQUIRE(svcb != NULL);
+	REQUIRE(rdata->length != 0);
+
+	return (generic_tostruct_in_svcb(CALL_TOSTRUCT));
+}
+
+static void
+generic_freestruct_in_svcb(ARGS_FREESTRUCT) {
+	dns_rdata_in_svcb_t *svcb = source;
+
+	REQUIRE(svcb != NULL);
+
+	if (svcb->mctx == NULL) {
+		return;
+	}
+
+	dns_name_free(&svcb->svcdomain, svcb->mctx);
+	isc_mem_free(svcb->mctx, svcb->svc);
+	svcb->mctx = NULL;
+}
+
+static void
+freestruct_in_svcb(ARGS_FREESTRUCT) {
+	dns_rdata_in_svcb_t *svcb = source;
+
+	REQUIRE(svcb != NULL);
+	REQUIRE(svcb->common.rdclass == dns_rdataclass_in);
+	REQUIRE(svcb->common.rdtype == dns_rdatatype_svcb);
+
+	generic_freestruct_in_svcb(CALL_FREESTRUCT);
+}
+
+static isc_result_t
+generic_additionaldata_in_svcb(ARGS_ADDLDATA) {
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+additionaldata_in_svcb(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_svcb);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	return (generic_additionaldata_in_svcb(CALL_ADDLDATA));
+}
+
+static isc_result_t
+digest_in_svcb(ARGS_DIGEST) {
+	isc_region_t region1;
+
+	REQUIRE(rdata->type == dns_rdatatype_svcb);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	dns_rdata_toregion(rdata, &region1);
+	return ((digest)(arg, &region1));
+}
+
+static bool
+checkowner_in_svcb(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_svcb);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static bool
+generic_checknames_in_svcb(ARGS_CHECKNAMES) {
+	isc_region_t region;
+	dns_name_t name;
+	bool alias;
+
+	UNUSED(owner);
+
+	dns_rdata_toregion(rdata, &region);
+	INSIST(region.length > 1);
+	alias = uint16_fromregion(&region) == 0;
+	isc_region_consume(&region, 2);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+	if (!alias && !dns_name_ishostname(&name, false)) {
+		if (bad != NULL) {
+			dns_name_clone(&name, bad);
+		}
+		return (false);
+	}
+	return (true);
+}
+
+static bool
+checknames_in_svcb(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_svcb);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	return (generic_checknames_in_svcb(CALL_CHECKNAMES));
+}
+
+static int
+casecompare_in_svcb(ARGS_COMPARE) {
+	return (compare_in_svcb(rdata1, rdata2));
+}
+
+static isc_result_t
+generic_rdata_in_svcb_first(dns_rdata_in_svcb_t *svcb) {
+	if (svcb->svclen == 0) {
+		return (ISC_R_NOMORE);
+	}
+	svcb->offset = 0;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+generic_rdata_in_svcb_next(dns_rdata_in_svcb_t *svcb) {
+	isc_region_t region;
+	size_t len;
+
+	if (svcb->offset >= svcb->svclen) {
+		return (ISC_R_NOMORE);
+	}
+
+	region.base = svcb->svc + svcb->offset;
+	region.length = svcb->svclen - svcb->offset;
+	INSIST(region.length >= 4);
+	isc_region_consume(&region, 2);
+	len = uint16_fromregion(&region);
+	INSIST(region.length >= len + 2);
+	svcb->offset += len + 4;
+	return (svcb->offset >= svcb->svclen ? ISC_R_NOMORE : ISC_R_SUCCESS);
+}
+
+static void
+generic_rdata_in_svcb_current(dns_rdata_in_svcb_t *svcb, isc_region_t *region) {
+	size_t len;
+
+	INSIST(svcb->offset <= svcb->svclen);
+
+	region->base = svcb->svc + svcb->offset;
+	region->length = svcb->svclen - svcb->offset;
+	INSIST(region->length >= 4);
+	isc_region_consume(region, 2);
+	len = uint16_fromregion(region);
+	INSIST(region->length >= len + 2);
+	region->base = svcb->svc + svcb->offset;
+	region->length = len + 4;
+}
+
+isc_result_t
+dns_rdata_in_svcb_first(dns_rdata_in_svcb_t *svcb) {
+	REQUIRE(svcb != NULL);
+	REQUIRE(svcb->common.rdtype == dns_rdatatype_svcb);
+	REQUIRE(svcb->common.rdclass == dns_rdataclass_in);
+
+	return (generic_rdata_in_svcb_first(svcb));
+}
+
+isc_result_t
+dns_rdata_in_svcb_next(dns_rdata_in_svcb_t *svcb) {
+	REQUIRE(svcb != NULL);
+	REQUIRE(svcb->common.rdtype == dns_rdatatype_svcb);
+	REQUIRE(svcb->common.rdclass == dns_rdataclass_in);
+
+	return (generic_rdata_in_svcb_next(svcb));
+}
+
+void
+dns_rdata_in_svcb_current(dns_rdata_in_svcb_t *svcb, isc_region_t *region) {
+	REQUIRE(svcb != NULL);
+	REQUIRE(svcb->common.rdtype == dns_rdatatype_svcb);
+	REQUIRE(svcb->common.rdclass == dns_rdataclass_in);
+	REQUIRE(region != NULL);
+
+	generic_rdata_in_svcb_current(svcb, region);
+}
+
+#endif /* RDATA_IN_1_SVCB_64_C */
diff --git a/lib/dns/rdata/in_1/svcb_64.h b/lib/dns/rdata/in_1/svcb_64.h
new file mode 100644
index 0000000..e4ddc64
--- /dev/null
+++ b/lib/dns/rdata/in_1/svcb_64.h
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef IN_1_SVCB_64_H
+#define IN_1_SVCB_64_H 1
+
+/*!
+ *  \brief Per draft-ietf-dnsop-svcb-https-02
+ */
+
+typedef struct dns_rdata_in_svcb {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	uint16_t priority;
+	dns_name_t svcdomain;
+	unsigned char *svc;
+	uint16_t svclen;
+	uint16_t offset;
+} dns_rdata_in_svcb_t;
+
+isc_result_t
+dns_rdata_in_svcb_first(dns_rdata_in_svcb_t *);
+
+isc_result_t
+dns_rdata_in_svcb_next(dns_rdata_in_svcb_t *);
+
+void
+dns_rdata_in_svcb_current(dns_rdata_in_svcb_t *, isc_region_t *);
+
+#endif /* IN_1_SVCB_64_H */
diff --git a/lib/dns/rdata/in_1/wks_11.c b/lib/dns/rdata/in_1/wks_11.c
new file mode 100644
index 0000000..bf9f830
--- /dev/null
+++ b/lib/dns/rdata/in_1/wks_11.c
@@ -0,0 +1,440 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_IN_1_WKS_11_C
+#define RDATA_IN_1_WKS_11_C
+
+#include <limits.h>
+#include <stdlib.h>
+
+#include <isc/net.h>
+#include <isc/netdb.h>
+#include <isc/once.h>
+
+/*
+ * Redefine CHECK here so cppcheck "sees" the define.
+ */
+#ifndef CHECK
+#define CHECK(op)                            \
+	do {                                 \
+		result = (op);               \
+		if (result != ISC_R_SUCCESS) \
+			goto cleanup;        \
+	} while (0)
+#endif /* ifndef CHECK */
+
+#define RRTYPE_WKS_ATTRIBUTES (0)
+
+static isc_mutex_t wks_lock;
+
+static void
+init_lock(void) {
+	isc_mutex_init(&wks_lock);
+}
+
+static bool
+mygetprotobyname(const char *name, long *proto) {
+	struct protoent *pe;
+
+	LOCK(&wks_lock);
+	pe = getprotobyname(name);
+	if (pe != NULL) {
+		*proto = pe->p_proto;
+	}
+	UNLOCK(&wks_lock);
+	return (pe != NULL);
+}
+
+static bool
+mygetservbyname(const char *name, const char *proto, long *port) {
+	struct servent *se;
+
+	LOCK(&wks_lock);
+	se = getservbyname(name, proto);
+	if (se != NULL) {
+		*port = ntohs(se->s_port);
+	}
+	UNLOCK(&wks_lock);
+	return (se != NULL);
+}
+
+#ifdef _WIN32
+#include <windows.h>
+#include <winsock2.h>
+#include <ws2tcpip.h>
+#endif /* ifdef _WIN32 */
+
+static isc_result_t
+fromtext_in_wks(ARGS_FROMTEXT) {
+	static isc_once_t once = ISC_ONCE_INIT;
+	isc_token_t token;
+	isc_region_t region;
+	struct in_addr addr;
+	char *e = NULL;
+	long proto;
+	unsigned char bm[8 * 1024]; /* 64k bits */
+	long port;
+	long maxport = -1;
+	const char *ps = NULL;
+	unsigned int n;
+	char service[32];
+	int i;
+	isc_result_t result;
+
+	REQUIRE(type == dns_rdatatype_wks);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	RUNTIME_CHECK(isc_once_do(&once, init_lock) == ISC_R_SUCCESS);
+
+#ifdef _WIN32
+	{
+		WORD wVersionRequested;
+		WSADATA wsaData;
+		int err;
+
+		wVersionRequested = MAKEWORD(2, 0);
+
+		err = WSAStartup(wVersionRequested, &wsaData);
+		if (err != 0) {
+			return (ISC_R_FAILURE);
+		}
+	}
+#endif /* ifdef _WIN32 */
+
+	/*
+	 * IPv4 dotted quad.
+	 */
+	CHECK(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				     false));
+
+	isc_buffer_availableregion(target, &region);
+	if (inet_pton(AF_INET, DNS_AS_STR(token), &addr) != 1) {
+		CHECKTOK(DNS_R_BADDOTTEDQUAD);
+	}
+	if (region.length < 4) {
+		return (ISC_R_NOSPACE);
+	}
+	memmove(region.base, &addr, 4);
+	isc_buffer_add(target, 4);
+
+	/*
+	 * Protocol.
+	 */
+	CHECK(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				     false));
+
+	proto = strtol(DNS_AS_STR(token), &e, 10);
+	if (*e != '\0' && !mygetprotobyname(DNS_AS_STR(token), &proto)) {
+		CHECKTOK(DNS_R_UNKNOWNPROTO);
+	}
+
+	if (proto < 0 || proto > 0xff) {
+		CHECKTOK(ISC_R_RANGE);
+	}
+
+	if (proto == IPPROTO_TCP) {
+		ps = "tcp";
+	} else if (proto == IPPROTO_UDP) {
+		ps = "udp";
+	}
+
+	CHECK(uint8_tobuffer(proto, target));
+
+	memset(bm, 0, sizeof(bm));
+	do {
+		CHECK(isc_lex_getmastertoken(lexer, &token,
+					     isc_tokentype_string, true));
+		if (token.type != isc_tokentype_string) {
+			break;
+		}
+
+		/*
+		 * Lowercase the service string as some getservbyname() are
+		 * case sensitive and the database is usually in lowercase.
+		 */
+		strlcpy(service, DNS_AS_STR(token), sizeof(service));
+		for (i = strlen(service) - 1; i >= 0; i--) {
+			if (isupper(service[i] & 0xff)) {
+				service[i] = tolower(service[i] & 0xff);
+			}
+		}
+
+		port = strtol(DNS_AS_STR(token), &e, 10);
+		if (*e != 0 && !mygetservbyname(service, ps, &port) &&
+		    !mygetservbyname(DNS_AS_STR(token), ps, &port))
+		{
+			CHECKTOK(DNS_R_UNKNOWNSERVICE);
+		}
+		if (port < 0 || port > 0xffff) {
+			CHECKTOK(ISC_R_RANGE);
+		}
+		if (port > maxport) {
+			maxport = port;
+		}
+		bm[port / 8] |= (0x80 >> (port % 8));
+	} while (1);
+
+	/*
+	 * Let upper layer handle eol/eof.
+	 */
+	isc_lex_ungettoken(lexer, &token);
+
+	n = (maxport + 8) / 8;
+	result = mem_tobuffer(target, bm, n);
+
+cleanup:
+#ifdef _WIN32
+	WSACleanup();
+#endif /* ifdef _WIN32 */
+
+	return (result);
+}
+
+static isc_result_t
+totext_in_wks(ARGS_TOTEXT) {
+	isc_region_t sr;
+	unsigned short proto;
+	char buf[sizeof("65535")];
+	unsigned int i, j;
+
+	UNUSED(tctx);
+
+	REQUIRE(rdata->type == dns_rdatatype_wks);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length >= 5);
+
+	dns_rdata_toregion(rdata, &sr);
+	RETERR(inet_totext(AF_INET, tctx->flags, &sr, target));
+	isc_region_consume(&sr, 4);
+
+	proto = uint8_fromregion(&sr);
+	snprintf(buf, sizeof(buf), "%u", proto);
+	RETERR(str_totext(" ", target));
+	RETERR(str_totext(buf, target));
+	isc_region_consume(&sr, 1);
+
+	INSIST(sr.length <= 8 * 1024);
+	for (i = 0; i < sr.length; i++) {
+		if (sr.base[i] != 0) {
+			for (j = 0; j < 8; j++) {
+				if ((sr.base[i] & (0x80 >> j)) != 0) {
+					{
+						snprintf(buf, sizeof(buf), "%u",
+							 i * 8 + j);
+						RETERR(str_totext(" ", target));
+						RETERR(str_totext(buf, target));
+					}
+				}
+			}
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+fromwire_in_wks(ARGS_FROMWIRE) {
+	isc_region_t sr;
+	isc_region_t tr;
+
+	REQUIRE(type == dns_rdatatype_wks);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(dctx);
+	UNUSED(options);
+	UNUSED(rdclass);
+
+	isc_buffer_activeregion(source, &sr);
+	isc_buffer_availableregion(target, &tr);
+
+	if (sr.length < 5) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	if (sr.length > 8 * 1024 + 5) {
+		return (DNS_R_EXTRADATA);
+	}
+	if (sr.length > 5 && sr.base[sr.length - 1] == 0) {
+		return (DNS_R_FORMERR);
+	}
+	if (tr.length < sr.length) {
+		return (ISC_R_NOSPACE);
+	}
+
+	memmove(tr.base, sr.base, sr.length);
+	isc_buffer_add(target, sr.length);
+	isc_buffer_forward(source, sr.length);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+towire_in_wks(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	UNUSED(cctx);
+
+	REQUIRE(rdata->type == dns_rdatatype_wks);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length != 0);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static int
+compare_in_wks(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_wks);
+	REQUIRE(rdata1->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static isc_result_t
+fromstruct_in_wks(ARGS_FROMSTRUCT) {
+	dns_rdata_in_wks_t *wks = source;
+	uint32_t a;
+
+	REQUIRE(type == dns_rdatatype_wks);
+	REQUIRE(rdclass == dns_rdataclass_in);
+	REQUIRE(wks != NULL);
+	REQUIRE(wks->common.rdtype == type);
+	REQUIRE(wks->common.rdclass == rdclass);
+	REQUIRE((wks->map != NULL && wks->map_len <= 8 * 1024) ||
+		wks->map_len == 0);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	a = ntohl(wks->in_addr.s_addr);
+	RETERR(uint32_tobuffer(a, target));
+	RETERR(uint8_tobuffer(wks->protocol, target));
+	return (mem_tobuffer(target, wks->map, wks->map_len));
+}
+
+static isc_result_t
+tostruct_in_wks(ARGS_TOSTRUCT) {
+	dns_rdata_in_wks_t *wks = target;
+	uint32_t n;
+	isc_region_t region;
+
+	REQUIRE(wks != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_wks);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length != 0);
+
+	wks->common.rdclass = rdata->rdclass;
+	wks->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&wks->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+	n = uint32_fromregion(&region);
+	wks->in_addr.s_addr = htonl(n);
+	isc_region_consume(&region, 4);
+	wks->protocol = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	wks->map_len = region.length;
+	wks->map = mem_maybedup(mctx, region.base, region.length);
+	if (wks->map == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+	wks->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+freestruct_in_wks(ARGS_FREESTRUCT) {
+	dns_rdata_in_wks_t *wks = source;
+
+	REQUIRE(wks != NULL);
+	REQUIRE(wks->common.rdtype == dns_rdatatype_wks);
+	REQUIRE(wks->common.rdclass == dns_rdataclass_in);
+
+	if (wks->mctx == NULL) {
+		return;
+	}
+
+	if (wks->map != NULL) {
+		isc_mem_free(wks->mctx, wks->map);
+	}
+	wks->mctx = NULL;
+}
+
+static isc_result_t
+additionaldata_in_wks(ARGS_ADDLDATA) {
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	REQUIRE(rdata->type == dns_rdatatype_wks);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+digest_in_wks(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_wks);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static bool
+checkowner_in_wks(ARGS_CHECKOWNER) {
+	REQUIRE(type == dns_rdatatype_wks);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	return (dns_name_ishostname(name, wildcard));
+}
+
+static bool
+checknames_in_wks(ARGS_CHECKNAMES) {
+	REQUIRE(rdata->type == dns_rdatatype_wks);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static int
+casecompare_in_wks(ARGS_COMPARE) {
+	return (compare_in_wks(rdata1, rdata2));
+}
+
+#endif /* RDATA_IN_1_WKS_11_C */
diff --git a/lib/dns/rdata/in_1/wks_11.h b/lib/dns/rdata/in_1/wks_11.h
new file mode 100644
index 0000000..9a926b1
--- /dev/null
+++ b/lib/dns/rdata/in_1/wks_11.h
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef IN_1_WKS_11_H
+#define IN_1_WKS_11_H 1
+
+typedef struct dns_rdata_in_wks {
+	dns_rdatacommon_t common;
+	isc_mem_t *mctx;
+	struct in_addr in_addr;
+	uint16_t protocol;
+	unsigned char *map;
+	uint16_t map_len;
+} dns_rdata_in_wks_t;
+
+#endif /* IN_1_WKS_11_H */
diff --git a/lib/dns/rdata/rdatastructpre.h b/lib/dns/rdata/rdatastructpre.h
new file mode 100644
index 0000000..eb96ba8
--- /dev/null
+++ b/lib/dns/rdata/rdatastructpre.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_RDATASTRUCT_H
+#define DNS_RDATASTRUCT_H 1
+
+#include <isc/lang.h>
+#include <isc/sockaddr.h>
+
+#include <dns/name.h>
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+typedef struct dns_rdatacommon {
+	dns_rdataclass_t rdclass;
+	dns_rdatatype_t rdtype;
+	ISC_LINK(struct dns_rdatacommon) link;
+} dns_rdatacommon_t;
+
+#define DNS_RDATACOMMON_INIT(_data, _rdtype, _rdclass) \
+	do {                                           \
+		(_data)->common.rdtype = (_rdtype);    \
+		(_data)->common.rdclass = (_rdclass);  \
+		ISC_LINK_INIT(&(_data)->common, link); \
+	} while (0)
diff --git a/lib/dns/rdata/rdatastructsuf.h b/lib/dns/rdata/rdatastructsuf.h
new file mode 100644
index 0000000..f242908
--- /dev/null
+++ b/lib/dns/rdata/rdatastructsuf.h
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RDATASTRUCT_H */
diff --git a/lib/dns/rdatalist.c b/lib/dns/rdatalist.c
new file mode 100644
index 0000000..a2643c7
--- /dev/null
+++ b/lib/dns/rdatalist.c
@@ -0,0 +1,448 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <stddef.h>
+#include <string.h>
+
+#include <isc/util.h>
+
+#include <dns/name.h>
+#include <dns/nsec3.h>
+#include <dns/rdata.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+
+#include "rdatalist_p.h"
+
+static dns_rdatasetmethods_t methods = {
+	isc__rdatalist_disassociate,
+	isc__rdatalist_first,
+	isc__rdatalist_next,
+	isc__rdatalist_current,
+	isc__rdatalist_clone,
+	isc__rdatalist_count,
+	isc__rdatalist_addnoqname,
+	isc__rdatalist_getnoqname,
+	isc__rdatalist_addclosest,
+	isc__rdatalist_getclosest,
+	NULL, /* settrust */
+	NULL, /* expire */
+	NULL, /* clearprefetch */
+	isc__rdatalist_setownercase,
+	isc__rdatalist_getownercase,
+	NULL /* addglue */
+};
+
+void
+dns_rdatalist_init(dns_rdatalist_t *rdatalist) {
+	REQUIRE(rdatalist != NULL);
+
+	/*
+	 * Initialize rdatalist.
+	 */
+
+	rdatalist->rdclass = 0;
+	rdatalist->type = 0;
+	rdatalist->covers = 0;
+	rdatalist->ttl = 0;
+	ISC_LIST_INIT(rdatalist->rdata);
+	ISC_LINK_INIT(rdatalist, link);
+	memset(rdatalist->upper, 0xeb, sizeof(rdatalist->upper));
+	/*
+	 * Clear upper set bit.
+	 */
+	rdatalist->upper[0] &= ~0x01;
+}
+
+isc_result_t
+dns_rdatalist_tordataset(dns_rdatalist_t *rdatalist, dns_rdataset_t *rdataset) {
+	/*
+	 * Make 'rdataset' refer to the rdata in 'rdatalist'.
+	 */
+
+	REQUIRE(rdatalist != NULL);
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(!dns_rdataset_isassociated(rdataset));
+
+	/* Check if dns_rdatalist_init has was called. */
+	REQUIRE(rdatalist->upper[0] == 0xea);
+
+	rdataset->methods = &methods;
+	rdataset->rdclass = rdatalist->rdclass;
+	rdataset->type = rdatalist->type;
+	rdataset->covers = rdatalist->covers;
+	rdataset->ttl = rdatalist->ttl;
+	rdataset->trust = 0;
+	rdataset->private1 = rdatalist;
+	rdataset->private2 = NULL;
+	rdataset->private3 = NULL;
+	rdataset->privateuint4 = 0;
+	rdataset->private5 = NULL;
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_rdatalist_fromrdataset(dns_rdataset_t *rdataset,
+			   dns_rdatalist_t **rdatalist) {
+	REQUIRE(rdatalist != NULL && rdataset != NULL);
+	*rdatalist = rdataset->private1;
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc__rdatalist_disassociate(dns_rdataset_t *rdataset) {
+	UNUSED(rdataset);
+}
+
+isc_result_t
+isc__rdatalist_first(dns_rdataset_t *rdataset) {
+	dns_rdatalist_t *rdatalist;
+
+	rdatalist = rdataset->private1;
+	rdataset->private2 = ISC_LIST_HEAD(rdatalist->rdata);
+
+	if (rdataset->private2 == NULL) {
+		return (ISC_R_NOMORE);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc__rdatalist_next(dns_rdataset_t *rdataset) {
+	dns_rdata_t *rdata;
+
+	REQUIRE(rdataset != NULL);
+
+	rdata = rdataset->private2;
+	if (rdata == NULL) {
+		return (ISC_R_NOMORE);
+	}
+
+	rdataset->private2 = ISC_LIST_NEXT(rdata, link);
+
+	if (rdataset->private2 == NULL) {
+		return (ISC_R_NOMORE);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc__rdatalist_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
+	dns_rdata_t *list_rdata;
+
+	REQUIRE(rdataset != NULL);
+
+	list_rdata = rdataset->private2;
+	INSIST(list_rdata != NULL);
+
+	dns_rdata_clone(list_rdata, rdata);
+}
+
+void
+isc__rdatalist_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
+	REQUIRE(source != NULL);
+	REQUIRE(target != NULL);
+
+	*target = *source;
+
+	/*
+	 * Reset iterator state.
+	 */
+	target->private2 = NULL;
+}
+
+unsigned int
+isc__rdatalist_count(dns_rdataset_t *rdataset) {
+	dns_rdatalist_t *rdatalist;
+	dns_rdata_t *rdata;
+	unsigned int count;
+
+	REQUIRE(rdataset != NULL);
+
+	rdatalist = rdataset->private1;
+
+	count = 0;
+	for (rdata = ISC_LIST_HEAD(rdatalist->rdata); rdata != NULL;
+	     rdata = ISC_LIST_NEXT(rdata, link))
+	{
+		count++;
+	}
+
+	return (count);
+}
+
+isc_result_t
+isc__rdatalist_addnoqname(dns_rdataset_t *rdataset, const dns_name_t *name) {
+	dns_rdataset_t *neg = NULL;
+	dns_rdataset_t *negsig = NULL;
+	dns_rdataset_t *rdset;
+	dns_ttl_t ttl;
+
+	REQUIRE(rdataset != NULL);
+
+	for (rdset = ISC_LIST_HEAD(name->list); rdset != NULL;
+	     rdset = ISC_LIST_NEXT(rdset, link))
+	{
+		if (rdset->rdclass != rdataset->rdclass) {
+			continue;
+		}
+		if (rdset->type == dns_rdatatype_nsec ||
+		    rdset->type == dns_rdatatype_nsec3)
+		{
+			neg = rdset;
+		}
+	}
+	if (neg == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	for (rdset = ISC_LIST_HEAD(name->list); rdset != NULL;
+	     rdset = ISC_LIST_NEXT(rdset, link))
+	{
+		if (rdset->type == dns_rdatatype_rrsig &&
+		    rdset->covers == neg->type)
+		{
+			negsig = rdset;
+		}
+	}
+
+	if (negsig == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+	/*
+	 * Minimise ttl.
+	 */
+	ttl = rdataset->ttl;
+	if (neg->ttl < ttl) {
+		ttl = neg->ttl;
+	}
+	if (negsig->ttl < ttl) {
+		ttl = negsig->ttl;
+	}
+	rdataset->ttl = neg->ttl = negsig->ttl = ttl;
+	rdataset->attributes |= DNS_RDATASETATTR_NOQNAME;
+	rdataset->private6 = name;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc__rdatalist_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
+			  dns_rdataset_t *neg, dns_rdataset_t *negsig) {
+	dns_rdataclass_t rdclass;
+	dns_rdataset_t *tneg = NULL;
+	dns_rdataset_t *tnegsig = NULL;
+	const dns_name_t *noqname;
+
+	REQUIRE(rdataset != NULL);
+	REQUIRE((rdataset->attributes & DNS_RDATASETATTR_NOQNAME) != 0);
+
+	rdclass = rdataset->rdclass;
+	noqname = rdataset->private6;
+
+	(void)dns_name_dynamic(noqname); /* Sanity Check. */
+
+	for (rdataset = ISC_LIST_HEAD(noqname->list); rdataset != NULL;
+	     rdataset = ISC_LIST_NEXT(rdataset, link))
+	{
+		if (rdataset->rdclass != rdclass) {
+			continue;
+		}
+		if (rdataset->type == dns_rdatatype_nsec ||
+		    rdataset->type == dns_rdatatype_nsec3)
+		{
+			tneg = rdataset;
+		}
+	}
+	if (tneg == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	for (rdataset = ISC_LIST_HEAD(noqname->list); rdataset != NULL;
+	     rdataset = ISC_LIST_NEXT(rdataset, link))
+	{
+		if (rdataset->type == dns_rdatatype_rrsig &&
+		    rdataset->covers == tneg->type)
+		{
+			tnegsig = rdataset;
+		}
+	}
+	if (tnegsig == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	dns_name_clone(noqname, name);
+	dns_rdataset_clone(tneg, neg);
+	dns_rdataset_clone(tnegsig, negsig);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc__rdatalist_addclosest(dns_rdataset_t *rdataset, const dns_name_t *name) {
+	dns_rdataset_t *neg = NULL;
+	dns_rdataset_t *negsig = NULL;
+	dns_rdataset_t *rdset;
+	dns_ttl_t ttl;
+
+	REQUIRE(rdataset != NULL);
+
+	for (rdset = ISC_LIST_HEAD(name->list); rdset != NULL;
+	     rdset = ISC_LIST_NEXT(rdset, link))
+	{
+		if (rdset->rdclass != rdataset->rdclass) {
+			continue;
+		}
+		if (rdset->type == dns_rdatatype_nsec ||
+		    rdset->type == dns_rdatatype_nsec3)
+		{
+			neg = rdset;
+		}
+	}
+	if (neg == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	for (rdset = ISC_LIST_HEAD(name->list); rdset != NULL;
+	     rdset = ISC_LIST_NEXT(rdset, link))
+	{
+		if (rdset->type == dns_rdatatype_rrsig &&
+		    rdset->covers == neg->type)
+		{
+			negsig = rdset;
+		}
+	}
+
+	if (negsig == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+	/*
+	 * Minimise ttl.
+	 */
+	ttl = rdataset->ttl;
+	if (neg->ttl < ttl) {
+		ttl = neg->ttl;
+	}
+	if (negsig->ttl < ttl) {
+		ttl = negsig->ttl;
+	}
+	rdataset->ttl = neg->ttl = negsig->ttl = ttl;
+	rdataset->attributes |= DNS_RDATASETATTR_CLOSEST;
+	rdataset->private7 = name;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc__rdatalist_getclosest(dns_rdataset_t *rdataset, dns_name_t *name,
+			  dns_rdataset_t *neg, dns_rdataset_t *negsig) {
+	dns_rdataclass_t rdclass;
+	dns_rdataset_t *tneg = NULL;
+	dns_rdataset_t *tnegsig = NULL;
+	const dns_name_t *closest;
+
+	REQUIRE(rdataset != NULL);
+	REQUIRE((rdataset->attributes & DNS_RDATASETATTR_CLOSEST) != 0);
+
+	rdclass = rdataset->rdclass;
+	closest = rdataset->private7;
+
+	(void)dns_name_dynamic(closest); /* Sanity Check. */
+
+	for (rdataset = ISC_LIST_HEAD(closest->list); rdataset != NULL;
+	     rdataset = ISC_LIST_NEXT(rdataset, link))
+	{
+		if (rdataset->rdclass != rdclass) {
+			continue;
+		}
+		if (rdataset->type == dns_rdatatype_nsec ||
+		    rdataset->type == dns_rdatatype_nsec3)
+		{
+			tneg = rdataset;
+		}
+	}
+	if (tneg == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	for (rdataset = ISC_LIST_HEAD(closest->list); rdataset != NULL;
+	     rdataset = ISC_LIST_NEXT(rdataset, link))
+	{
+		if (rdataset->type == dns_rdatatype_rrsig &&
+		    rdataset->covers == tneg->type)
+		{
+			tnegsig = rdataset;
+		}
+	}
+	if (tnegsig == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	dns_name_clone(closest, name);
+	dns_rdataset_clone(tneg, neg);
+	dns_rdataset_clone(tnegsig, negsig);
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc__rdatalist_setownercase(dns_rdataset_t *rdataset, const dns_name_t *name) {
+	dns_rdatalist_t *rdatalist;
+	unsigned int i;
+
+	/*
+	 * We do not need to worry about label lengths as they are all
+	 * less than or equal to 63.
+	 */
+	rdatalist = rdataset->private1;
+	memset(rdatalist->upper, 0, sizeof(rdatalist->upper));
+	for (i = 1; i < name->length; i++) {
+		if (name->ndata[i] >= 0x41 && name->ndata[i] <= 0x5a) {
+			rdatalist->upper[i / 8] |= 1 << (i % 8);
+			/*
+			 * Record that upper has been set.
+			 */
+		}
+	}
+	/*
+	 * Record that upper has been set.
+	 */
+	rdatalist->upper[0] |= 0x01;
+}
+
+void
+isc__rdatalist_getownercase(const dns_rdataset_t *rdataset, dns_name_t *name) {
+	dns_rdatalist_t *rdatalist;
+	unsigned int i;
+
+	rdatalist = rdataset->private1;
+	if ((rdatalist->upper[0] & 0x01) == 0) {
+		return;
+	}
+	for (i = 0; i < name->length; i++) {
+		/*
+		 * Set the case bit if it does not match the recorded bit.
+		 */
+		if (name->ndata[i] >= 0x61 && name->ndata[i] <= 0x7a &&
+		    (rdatalist->upper[i / 8] & (1 << (i % 8))) != 0)
+		{
+			name->ndata[i] &= ~0x20; /* clear the lower case bit */
+		} else if (name->ndata[i] >= 0x41 && name->ndata[i] <= 0x5a &&
+			   (rdatalist->upper[i / 8] & (1 << (i % 8))) == 0)
+		{
+			name->ndata[i] |= 0x20; /* set the lower case bit */
+		}
+	}
+}
diff --git a/lib/dns/rdatalist_p.h b/lib/dns/rdatalist_p.h
new file mode 100644
index 0000000..adc4496
--- /dev/null
+++ b/lib/dns/rdatalist_p.h
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_RDATALIST_P_H
+#define DNS_RDATALIST_P_H
+
+/*! \file */
+
+#include <isc/result.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+void
+isc__rdatalist_disassociate(dns_rdataset_t *rdatasetp);
+
+isc_result_t
+isc__rdatalist_first(dns_rdataset_t *rdataset);
+
+isc_result_t
+isc__rdatalist_next(dns_rdataset_t *rdataset);
+
+void
+isc__rdatalist_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata);
+
+void
+isc__rdatalist_clone(dns_rdataset_t *source, dns_rdataset_t *target);
+
+unsigned int
+isc__rdatalist_count(dns_rdataset_t *rdataset);
+
+isc_result_t
+isc__rdatalist_addnoqname(dns_rdataset_t *rdataset, const dns_name_t *name);
+
+isc_result_t
+isc__rdatalist_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
+			  dns_rdataset_t *neg, dns_rdataset_t *negsig);
+
+isc_result_t
+isc__rdatalist_addclosest(dns_rdataset_t *rdataset, const dns_name_t *name);
+
+isc_result_t
+isc__rdatalist_getclosest(dns_rdataset_t *rdataset, dns_name_t *name,
+			  dns_rdataset_t *neg, dns_rdataset_t *negsig);
+
+void
+isc__rdatalist_setownercase(dns_rdataset_t *rdataset, const dns_name_t *name);
+
+void
+isc__rdatalist_getownercase(const dns_rdataset_t *rdataset, dns_name_t *name);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RDATALIST_P_H */
diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c
new file mode 100644
index 0000000..221d7f8
--- /dev/null
+++ b/lib/dns/rdataset.c
@@ -0,0 +1,750 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/random.h>
+#include <isc/serial.h>
+#include <isc/util.h>
+
+#include <dns/compress.h>
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/ncache.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+
+static const char *trustnames[] = {
+	"none",		  "pending-additional",
+	"pending-answer", "additional",
+	"glue",		  "answer",
+	"authauthority",  "authanswer",
+	"secure",	  "local" /* aka ultimate */
+};
+
+const char *
+dns_trust_totext(dns_trust_t trust) {
+	if (trust >= sizeof(trustnames) / sizeof(*trustnames)) {
+		return ("bad");
+	}
+	return (trustnames[trust]);
+}
+
+#define DNS_RDATASET_COUNT_UNDEFINED UINT32_MAX
+
+void
+dns_rdataset_init(dns_rdataset_t *rdataset) {
+	/*
+	 * Make 'rdataset' a valid, disassociated rdataset.
+	 */
+
+	REQUIRE(rdataset != NULL);
+
+	rdataset->magic = DNS_RDATASET_MAGIC;
+	rdataset->methods = NULL;
+	ISC_LINK_INIT(rdataset, link);
+	rdataset->rdclass = 0;
+	rdataset->type = 0;
+	rdataset->ttl = 0;
+	rdataset->trust = 0;
+	rdataset->covers = 0;
+	rdataset->attributes = 0;
+	rdataset->count = DNS_RDATASET_COUNT_UNDEFINED;
+	rdataset->private1 = NULL;
+	rdataset->private2 = NULL;
+	rdataset->private3 = NULL;
+	rdataset->privateuint4 = 0;
+	rdataset->private5 = NULL;
+	rdataset->private6 = NULL;
+	rdataset->private7 = NULL;
+	rdataset->resign = 0;
+}
+
+void
+dns_rdataset_invalidate(dns_rdataset_t *rdataset) {
+	/*
+	 * Invalidate 'rdataset'.
+	 */
+
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods == NULL);
+
+	rdataset->magic = 0;
+	ISC_LINK_INIT(rdataset, link);
+	rdataset->rdclass = 0;
+	rdataset->type = 0;
+	rdataset->ttl = 0;
+	rdataset->trust = 0;
+	rdataset->covers = 0;
+	rdataset->attributes = 0;
+	rdataset->count = DNS_RDATASET_COUNT_UNDEFINED;
+	rdataset->private1 = NULL;
+	rdataset->private2 = NULL;
+	rdataset->private3 = NULL;
+	rdataset->privateuint4 = 0;
+	rdataset->private5 = NULL;
+}
+
+void
+dns_rdataset_disassociate(dns_rdataset_t *rdataset) {
+	/*
+	 * Disassociate 'rdataset' from its rdata, allowing it to be reused.
+	 */
+
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods != NULL);
+
+	(rdataset->methods->disassociate)(rdataset);
+	rdataset->methods = NULL;
+	ISC_LINK_INIT(rdataset, link);
+	rdataset->rdclass = 0;
+	rdataset->type = 0;
+	rdataset->ttl = 0;
+	rdataset->trust = 0;
+	rdataset->covers = 0;
+	rdataset->attributes = 0;
+	rdataset->count = DNS_RDATASET_COUNT_UNDEFINED;
+	rdataset->private1 = NULL;
+	rdataset->private2 = NULL;
+	rdataset->private3 = NULL;
+	rdataset->privateuint4 = 0;
+	rdataset->private5 = NULL;
+	rdataset->private6 = NULL;
+}
+
+bool
+dns_rdataset_isassociated(dns_rdataset_t *rdataset) {
+	/*
+	 * Is 'rdataset' associated?
+	 */
+
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+
+	if (rdataset->methods != NULL) {
+		return (true);
+	}
+
+	return (false);
+}
+
+static void
+question_disassociate(dns_rdataset_t *rdataset) {
+	UNUSED(rdataset);
+}
+
+static isc_result_t
+question_cursor(dns_rdataset_t *rdataset) {
+	UNUSED(rdataset);
+
+	return (ISC_R_NOMORE);
+}
+
+static void
+question_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
+	/*
+	 * This routine should never be called.
+	 */
+	UNUSED(rdataset);
+	UNUSED(rdata);
+
+	REQUIRE(0);
+}
+
+static void
+question_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
+	*target = *source;
+}
+
+static unsigned int
+question_count(dns_rdataset_t *rdataset) {
+	/*
+	 * This routine should never be called.
+	 */
+	UNUSED(rdataset);
+	REQUIRE(0);
+
+	return (0);
+}
+
+static dns_rdatasetmethods_t question_methods = {
+	question_disassociate,
+	question_cursor,
+	question_cursor,
+	question_current,
+	question_clone,
+	question_count,
+	NULL, /* addnoqname */
+	NULL, /* getnoqname */
+	NULL, /* addclosest */
+	NULL, /* getclosest */
+	NULL, /* settrust */
+	NULL, /* expire */
+	NULL, /* clearprefetch */
+	NULL, /* setownercase */
+	NULL, /* getownercase */
+	NULL  /* addglue */
+};
+
+void
+dns_rdataset_makequestion(dns_rdataset_t *rdataset, dns_rdataclass_t rdclass,
+			  dns_rdatatype_t type) {
+	/*
+	 * Make 'rdataset' a valid, associated, question rdataset, with a
+	 * question class of 'rdclass' and type 'type'.
+	 */
+
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods == NULL);
+
+	rdataset->methods = &question_methods;
+	rdataset->rdclass = rdclass;
+	rdataset->type = type;
+	rdataset->attributes |= DNS_RDATASETATTR_QUESTION;
+}
+
+unsigned int
+dns_rdataset_count(dns_rdataset_t *rdataset) {
+	/*
+	 * Return the number of records in 'rdataset'.
+	 */
+
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods != NULL);
+
+	return ((rdataset->methods->count)(rdataset));
+}
+
+void
+dns_rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
+	/*
+	 * Make 'target' refer to the same rdataset as 'source'.
+	 */
+
+	REQUIRE(DNS_RDATASET_VALID(source));
+	REQUIRE(source->methods != NULL);
+	REQUIRE(DNS_RDATASET_VALID(target));
+	REQUIRE(target->methods == NULL);
+
+	(source->methods->clone)(source, target);
+}
+
+isc_result_t
+dns_rdataset_first(dns_rdataset_t *rdataset) {
+	/*
+	 * Move the rdata cursor to the first rdata in the rdataset (if any).
+	 */
+
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods != NULL);
+
+	return ((rdataset->methods->first)(rdataset));
+}
+
+isc_result_t
+dns_rdataset_next(dns_rdataset_t *rdataset) {
+	/*
+	 * Move the rdata cursor to the next rdata in the rdataset (if any).
+	 */
+
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods != NULL);
+
+	return ((rdataset->methods->next)(rdataset));
+}
+
+void
+dns_rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
+	/*
+	 * Make 'rdata' refer to the current rdata.
+	 */
+
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods != NULL);
+
+	(rdataset->methods->current)(rdataset, rdata);
+}
+
+#define MAX_SHUFFLE    32
+#define WANT_FIXED(r)  (((r)->attributes & DNS_RDATASETATTR_FIXEDORDER) != 0)
+#define WANT_RANDOM(r) (((r)->attributes & DNS_RDATASETATTR_RANDOMIZE) != 0)
+#define WANT_CYCLIC(r) (((r)->attributes & DNS_RDATASETATTR_CYCLIC) != 0)
+
+struct towire_sort {
+	int key;
+	dns_rdata_t *rdata;
+};
+
+static int
+towire_compare(const void *av, const void *bv) {
+	const struct towire_sort *a = (const struct towire_sort *)av;
+	const struct towire_sort *b = (const struct towire_sort *)bv;
+	return (a->key - b->key);
+}
+
+static void
+swap_rdata(dns_rdata_t *in, unsigned int a, unsigned int b) {
+	dns_rdata_t rdata = in[a];
+	in[a] = in[b];
+	in[b] = rdata;
+}
+
+static isc_result_t
+towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
+	     dns_compress_t *cctx, isc_buffer_t *target,
+	     dns_rdatasetorderfunc_t order, const void *order_arg, bool partial,
+	     unsigned int options, unsigned int *countp, void **state) {
+	isc_region_t r;
+	isc_result_t result;
+	unsigned int i, count = 0, added;
+	isc_buffer_t savedbuffer, rdlen, rrbuffer;
+	unsigned int headlen;
+	bool question = false;
+	bool shuffle = false, sort = false;
+	bool want_random, want_cyclic;
+	dns_rdata_t in_fixed[MAX_SHUFFLE];
+	dns_rdata_t *in = in_fixed;
+	struct towire_sort out_fixed[MAX_SHUFFLE];
+	struct towire_sort *out = out_fixed;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	uint16_t offset;
+
+	UNUSED(state);
+
+	/*
+	 * Convert 'rdataset' to wire format, compressing names as specified
+	 * in cctx, and storing the result in 'target'.
+	 */
+
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods != NULL);
+	REQUIRE(countp != NULL);
+	REQUIRE(cctx != NULL && cctx->mctx != NULL);
+
+	want_random = WANT_RANDOM(rdataset);
+	want_cyclic = WANT_CYCLIC(rdataset);
+
+	if ((rdataset->attributes & DNS_RDATASETATTR_QUESTION) != 0) {
+		question = true;
+		count = 1;
+		result = dns_rdataset_first(rdataset);
+		INSIST(result == ISC_R_NOMORE);
+	} else if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) {
+		/*
+		 * This is a negative caching rdataset.
+		 */
+		unsigned int ncache_opts = 0;
+		if ((options & DNS_RDATASETTOWIRE_OMITDNSSEC) != 0) {
+			ncache_opts |= DNS_NCACHETOWIRE_OMITDNSSEC;
+		}
+		return (dns_ncache_towire(rdataset, cctx, target, ncache_opts,
+					  countp));
+	} else {
+		count = (rdataset->methods->count)(rdataset);
+		result = dns_rdataset_first(rdataset);
+		if (result == ISC_R_NOMORE) {
+			return (ISC_R_SUCCESS);
+		}
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+
+	/*
+	 * Do we want to sort and/or shuffle this answer?
+	 */
+	if (!question && count > 1 && rdataset->type != dns_rdatatype_rrsig) {
+		if (order != NULL) {
+			sort = true;
+		}
+		if (want_random || want_cyclic) {
+			shuffle = true;
+		}
+	}
+
+	if ((shuffle || sort)) {
+		if (count > MAX_SHUFFLE) {
+			in = isc_mem_get(cctx->mctx, count * sizeof(*in));
+			out = isc_mem_get(cctx->mctx, count * sizeof(*out));
+			if (in == NULL || out == NULL) {
+				shuffle = sort = false;
+			}
+		}
+	}
+
+	if ((shuffle || sort)) {
+		uint32_t seed = 0;
+		unsigned int j = 0;
+
+		/*
+		 * First we get handles to all of the rdata.
+		 */
+		i = 0;
+		do {
+			INSIST(i < count);
+			dns_rdata_init(&in[i]);
+			dns_rdataset_current(rdataset, &in[i]);
+			i++;
+			result = dns_rdataset_next(rdataset);
+		} while (result == ISC_R_SUCCESS);
+		if (result != ISC_R_NOMORE) {
+			goto cleanup;
+		}
+		INSIST(i == count);
+
+		if (ISC_LIKELY(want_random)) {
+			seed = isc_random32();
+		}
+
+		if (ISC_UNLIKELY(want_cyclic) &&
+		    (rdataset->count != DNS_RDATASET_COUNT_UNDEFINED))
+		{
+			j = rdataset->count % count;
+		}
+
+		for (i = 0; i < count; i++) {
+			if (ISC_LIKELY(want_random)) {
+				swap_rdata(in, j, j + seed % (count - j));
+			}
+
+			out[i].key = (sort) ? (*order)(&in[j], order_arg) : 0;
+			out[i].rdata = &in[j];
+			if (++j == count) {
+				j = 0;
+			}
+		}
+		/*
+		 * Sortlist order.
+		 */
+		if (sort) {
+			qsort(out, count, sizeof(out[0]), towire_compare);
+		}
+	}
+
+	savedbuffer = *target;
+	i = 0;
+	added = 0;
+
+	name = dns_fixedname_initname(&fixed);
+	dns_name_copynf(owner_name, name);
+	dns_rdataset_getownercase(rdataset, name);
+	offset = 0xffff;
+
+	name->attributes |= owner_name->attributes & DNS_NAMEATTR_NOCOMPRESS;
+
+	do {
+		/*
+		 * Copy out the name, type, class, ttl.
+		 */
+
+		rrbuffer = *target;
+		dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+		result = dns_name_towire2(name, cctx, target, &offset);
+		if (result != ISC_R_SUCCESS) {
+			goto rollback;
+		}
+		headlen = sizeof(dns_rdataclass_t) + sizeof(dns_rdatatype_t);
+		if (!question) {
+			headlen += sizeof(dns_ttl_t) + 2;
+		} /* XXX 2 for rdata len
+		   */
+		isc_buffer_availableregion(target, &r);
+		if (r.length < headlen) {
+			result = ISC_R_NOSPACE;
+			goto rollback;
+		}
+		isc_buffer_putuint16(target, rdataset->type);
+		isc_buffer_putuint16(target, rdataset->rdclass);
+		if (!question) {
+			dns_rdata_t rdata = DNS_RDATA_INIT;
+
+			isc_buffer_putuint32(target, rdataset->ttl);
+
+			/*
+			 * Save space for rdlen.
+			 */
+			rdlen = *target;
+			isc_buffer_add(target, 2);
+
+			/*
+			 * Copy out the rdata
+			 */
+			if (shuffle || sort) {
+				rdata = *(out[i].rdata);
+			} else {
+				dns_rdata_reset(&rdata);
+				dns_rdataset_current(rdataset, &rdata);
+			}
+			result = dns_rdata_towire(&rdata, cctx, target);
+			if (result != ISC_R_SUCCESS) {
+				goto rollback;
+			}
+			INSIST((target->used >= rdlen.used + 2) &&
+			       (target->used - rdlen.used - 2 < 65536));
+			isc_buffer_putuint16(
+				&rdlen,
+				(uint16_t)(target->used - rdlen.used - 2));
+			added++;
+		}
+
+		if (shuffle || sort) {
+			i++;
+			if (i == count) {
+				result = ISC_R_NOMORE;
+			} else {
+				result = ISC_R_SUCCESS;
+			}
+		} else {
+			result = dns_rdataset_next(rdataset);
+		}
+	} while (result == ISC_R_SUCCESS);
+
+	if (result != ISC_R_NOMORE) {
+		goto rollback;
+	}
+
+	*countp += count;
+
+	result = ISC_R_SUCCESS;
+	goto cleanup;
+
+rollback:
+	if (partial && result == ISC_R_NOSPACE) {
+		INSIST(rrbuffer.used < 65536);
+		dns_compress_rollback(cctx, (uint16_t)rrbuffer.used);
+		*countp += added;
+		*target = rrbuffer;
+		goto cleanup;
+	}
+	INSIST(savedbuffer.used < 65536);
+	dns_compress_rollback(cctx, (uint16_t)savedbuffer.used);
+	*countp = 0;
+	*target = savedbuffer;
+
+cleanup:
+	if (out != NULL && out != out_fixed) {
+		isc_mem_put(cctx->mctx, out, count * sizeof(*out));
+	}
+	if (in != NULL && in != in_fixed) {
+		isc_mem_put(cctx->mctx, in, count * sizeof(*in));
+	}
+	return (result);
+}
+
+isc_result_t
+dns_rdataset_towiresorted(dns_rdataset_t *rdataset,
+			  const dns_name_t *owner_name, dns_compress_t *cctx,
+			  isc_buffer_t *target, dns_rdatasetorderfunc_t order,
+			  const void *order_arg, unsigned int options,
+			  unsigned int *countp) {
+	return (towiresorted(rdataset, owner_name, cctx, target, order,
+			     order_arg, false, options, countp, NULL));
+}
+
+isc_result_t
+dns_rdataset_towirepartial(dns_rdataset_t *rdataset,
+			   const dns_name_t *owner_name, dns_compress_t *cctx,
+			   isc_buffer_t *target, dns_rdatasetorderfunc_t order,
+			   const void *order_arg, unsigned int options,
+			   unsigned int *countp, void **state) {
+	REQUIRE(state == NULL); /* XXX remove when implemented */
+	return (towiresorted(rdataset, owner_name, cctx, target, order,
+			     order_arg, true, options, countp, state));
+}
+
+isc_result_t
+dns_rdataset_towire(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
+		    dns_compress_t *cctx, isc_buffer_t *target,
+		    unsigned int options, unsigned int *countp) {
+	return (towiresorted(rdataset, owner_name, cctx, target, NULL, NULL,
+			     false, options, countp, NULL));
+}
+
+isc_result_t
+dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
+			    dns_additionaldatafunc_t add, void *arg) {
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_result_t result;
+
+	/*
+	 * For each rdata in rdataset, call 'add' for each name and type in the
+	 * rdata which is subject to additional section processing.
+	 */
+
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE((rdataset->attributes & DNS_RDATASETATTR_QUESTION) == 0);
+
+	result = dns_rdataset_first(rdataset);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	do {
+		dns_rdataset_current(rdataset, &rdata);
+		result = dns_rdata_additionaldata(&rdata, add, arg);
+		if (result == ISC_R_SUCCESS) {
+			result = dns_rdataset_next(rdataset);
+		}
+		dns_rdata_reset(&rdata);
+	} while (result == ISC_R_SUCCESS);
+
+	if (result != ISC_R_NOMORE) {
+		return (result);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_rdataset_addnoqname(dns_rdataset_t *rdataset, dns_name_t *name) {
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods != NULL);
+	if (rdataset->methods->addnoqname == NULL) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+	return ((rdataset->methods->addnoqname)(rdataset, name));
+}
+
+isc_result_t
+dns_rdataset_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
+			dns_rdataset_t *neg, dns_rdataset_t *negsig) {
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods != NULL);
+
+	if (rdataset->methods->getnoqname == NULL) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+	return ((rdataset->methods->getnoqname)(rdataset, name, neg, negsig));
+}
+
+isc_result_t
+dns_rdataset_addclosest(dns_rdataset_t *rdataset, const dns_name_t *name) {
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods != NULL);
+	if (rdataset->methods->addclosest == NULL) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+	return ((rdataset->methods->addclosest)(rdataset, name));
+}
+
+isc_result_t
+dns_rdataset_getclosest(dns_rdataset_t *rdataset, dns_name_t *name,
+			dns_rdataset_t *neg, dns_rdataset_t *negsig) {
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods != NULL);
+
+	if (rdataset->methods->getclosest == NULL) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+	return ((rdataset->methods->getclosest)(rdataset, name, neg, negsig));
+}
+
+void
+dns_rdataset_settrust(dns_rdataset_t *rdataset, dns_trust_t trust) {
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods != NULL);
+
+	if (rdataset->methods->settrust != NULL) {
+		(rdataset->methods->settrust)(rdataset, trust);
+	} else {
+		rdataset->trust = trust;
+	}
+}
+
+void
+dns_rdataset_expire(dns_rdataset_t *rdataset) {
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods != NULL);
+
+	if (rdataset->methods->expire != NULL) {
+		(rdataset->methods->expire)(rdataset);
+	}
+}
+
+void
+dns_rdataset_clearprefetch(dns_rdataset_t *rdataset) {
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods != NULL);
+
+	if (rdataset->methods->clearprefetch != NULL) {
+		(rdataset->methods->clearprefetch)(rdataset);
+	}
+}
+
+void
+dns_rdataset_setownercase(dns_rdataset_t *rdataset, const dns_name_t *name) {
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods != NULL);
+
+	if (rdataset->methods->setownercase != NULL) {
+		(rdataset->methods->setownercase)(rdataset, name);
+	}
+}
+
+void
+dns_rdataset_getownercase(const dns_rdataset_t *rdataset, dns_name_t *name) {
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods != NULL);
+
+	if (rdataset->methods->getownercase != NULL) {
+		(rdataset->methods->getownercase)(rdataset, name);
+	}
+}
+
+void
+dns_rdataset_trimttl(dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
+		     dns_rdata_rrsig_t *rrsig, isc_stdtime_t now,
+		     bool acceptexpired) {
+	uint32_t ttl = 0;
+
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(DNS_RDATASET_VALID(sigrdataset));
+	REQUIRE(rrsig != NULL);
+
+	/*
+	 * If we accept expired RRsets keep them for no more than 120 seconds.
+	 */
+	if (acceptexpired &&
+	    (isc_serial_le(rrsig->timeexpire, ((now + 120) & 0xffffffff)) ||
+	     isc_serial_le(rrsig->timeexpire, now)))
+	{
+		ttl = 120;
+	} else if (isc_serial_ge(rrsig->timeexpire, now)) {
+		ttl = rrsig->timeexpire - now;
+	}
+
+	ttl = ISC_MIN(ISC_MIN(rdataset->ttl, sigrdataset->ttl),
+		      ISC_MIN(rrsig->originalttl, ttl));
+	rdataset->ttl = ttl;
+	sigrdataset->ttl = ttl;
+}
+
+isc_result_t
+dns_rdataset_addglue(dns_rdataset_t *rdataset, dns_dbversion_t *version,
+		     dns_message_t *msg) {
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods != NULL);
+	REQUIRE(rdataset->type == dns_rdatatype_ns);
+
+	if (rdataset->methods->addglue == NULL) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	return ((rdataset->methods->addglue)(rdataset, version, msg));
+}
diff --git a/lib/dns/rdatasetiter.c b/lib/dns/rdatasetiter.c
new file mode 100644
index 0000000..8e8159f
--- /dev/null
+++ b/lib/dns/rdatasetiter.c
@@ -0,0 +1,71 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <stddef.h>
+
+#include <isc/util.h>
+
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+
+void
+dns_rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp) {
+	/*
+	 * Destroy '*iteratorp'.
+	 */
+
+	REQUIRE(iteratorp != NULL);
+	REQUIRE(DNS_RDATASETITER_VALID(*iteratorp));
+
+	(*iteratorp)->methods->destroy(iteratorp);
+
+	ENSURE(*iteratorp == NULL);
+}
+
+isc_result_t
+dns_rdatasetiter_first(dns_rdatasetiter_t *iterator) {
+	/*
+	 * Move the rdataset cursor to the first rdataset at the node (if any).
+	 */
+
+	REQUIRE(DNS_RDATASETITER_VALID(iterator));
+
+	return (iterator->methods->first(iterator));
+}
+
+isc_result_t
+dns_rdatasetiter_next(dns_rdatasetiter_t *iterator) {
+	/*
+	 * Move the rdataset cursor to the next rdataset at the node (if any).
+	 */
+
+	REQUIRE(DNS_RDATASETITER_VALID(iterator));
+
+	return (iterator->methods->next(iterator));
+}
+
+void
+dns_rdatasetiter_current(dns_rdatasetiter_t *iterator,
+			 dns_rdataset_t *rdataset) {
+	/*
+	 * Return the current rdataset.
+	 */
+
+	REQUIRE(DNS_RDATASETITER_VALID(iterator));
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(!dns_rdataset_isassociated(rdataset));
+
+	iterator->methods->current(iterator, rdataset);
+}
diff --git a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c
new file mode 100644
index 0000000..2783c1c
--- /dev/null
+++ b/lib/dns/rdataslab.c
@@ -0,0 +1,1005 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/mem.h>
+#include <isc/region.h>
+#include <isc/string.h> /* Required for HP/UX (and others?) */
+#include <isc/util.h>
+
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdataslab.h>
+#include <dns/result.h>
+
+/*
+ * The rdataslab structure allows iteration to occur in both load order
+ * and DNSSEC order.  The structure is as follows:
+ *
+ *	header		(reservelen bytes)
+ *	record count	(2 bytes)
+ *	offset table	(4 x record count bytes in load order)
+ *	data records
+ *		data length	(2 bytes)
+ *		order		(2 bytes)
+ *		meta data	(1 byte for RRSIG's)
+ *		data		(data length bytes)
+ *
+ * If DNS_RDATASET_FIXED is defined to be zero (0) the format of a
+ * rdataslab is as follows:
+ *
+ *	header		(reservelen bytes)
+ *	record count	(2 bytes)
+ *	data records
+ *		data length	(2 bytes)
+ *		meta data	(1 byte for RRSIG's)
+ *		data		(data length bytes)
+ *
+ * Offsets are from the end of the header.
+ *
+ * Load order traversal is performed by walking the offset table to find
+ * the start of the record (DNS_RDATASET_FIXED = 1).
+ *
+ * DNSSEC order traversal is performed by walking the data records.
+ *
+ * The order is stored with record to allow for efficient reconstruction
+ * of the offset table following a merge or subtraction.
+ *
+ * The iterator methods in rbtdb support both load order and DNSSEC order
+ * iteration.
+ *
+ * WARNING:
+ *	rbtdb.c directly interacts with the slab's raw structures.  If the
+ *	structure changes then rbtdb.c also needs to be updated to reflect
+ *	the changes.  See the areas tagged with "RDATASLAB".
+ */
+
+struct xrdata {
+	dns_rdata_t rdata;
+	unsigned int order;
+};
+
+/*% Note: the "const void *" are just to make qsort happy.  */
+static int
+compare_rdata(const void *p1, const void *p2) {
+	const struct xrdata *x1 = p1;
+	const struct xrdata *x2 = p2;
+	return (dns_rdata_compare(&x1->rdata, &x2->rdata));
+}
+
+#if DNS_RDATASET_FIXED
+static void
+fillin_offsets(unsigned char *offsetbase, unsigned int *offsettable,
+	       unsigned length) {
+	unsigned int i, j;
+	unsigned char *raw;
+
+	for (i = 0, j = 0; i < length; i++) {
+		if (offsettable[i] == 0) {
+			continue;
+		}
+
+		/*
+		 * Fill in offset table.
+		 */
+		raw = &offsetbase[j * 4 + 2];
+		*raw++ = (offsettable[i] & 0xff000000) >> 24;
+		*raw++ = (offsettable[i] & 0xff0000) >> 16;
+		*raw++ = (offsettable[i] & 0xff00) >> 8;
+		*raw = offsettable[i] & 0xff;
+
+		/*
+		 * Fill in table index.
+		 */
+		raw = offsetbase + offsettable[i] + 2;
+		*raw++ = (j & 0xff00) >> 8;
+		*raw = j++ & 0xff;
+	}
+}
+#endif /* if DNS_RDATASET_FIXED */
+
+isc_result_t
+dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
+			   isc_region_t *region, unsigned int reservelen) {
+	/*
+	 * Use &removed as a sentinel pointer for duplicate
+	 * rdata as rdata.data == NULL is valid.
+	 */
+	static unsigned char removed;
+	struct xrdata *x;
+	unsigned char *rawbuf;
+#if DNS_RDATASET_FIXED
+	unsigned char *offsetbase;
+#endif /* if DNS_RDATASET_FIXED */
+	unsigned int buflen;
+	isc_result_t result;
+	unsigned int nitems;
+	unsigned int nalloc;
+	unsigned int i;
+#if DNS_RDATASET_FIXED
+	unsigned int *offsettable;
+#endif /* if DNS_RDATASET_FIXED */
+	unsigned int length;
+
+	buflen = reservelen + 2;
+
+	nitems = dns_rdataset_count(rdataset);
+
+	/*
+	 * If there are no rdata then we can just need to allocate a header
+	 * with zero a record count.
+	 */
+	if (nitems == 0) {
+		if (rdataset->type != 0) {
+			return (ISC_R_FAILURE);
+		}
+		rawbuf = isc_mem_get(mctx, buflen);
+		region->base = rawbuf;
+		region->length = buflen;
+		rawbuf += reservelen;
+		*rawbuf++ = 0;
+		*rawbuf = 0;
+		return (ISC_R_SUCCESS);
+	}
+
+	if (nitems > 0xffff) {
+		return (ISC_R_NOSPACE);
+	}
+
+	/*
+	 * Remember the original number of items.
+	 */
+	nalloc = nitems;
+	x = isc_mem_get(mctx, nalloc * sizeof(struct xrdata));
+
+	/*
+	 * Save all of the rdata members into an array.
+	 */
+	result = dns_rdataset_first(rdataset);
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOMORE) {
+		goto free_rdatas;
+	}
+	for (i = 0; i < nalloc && result == ISC_R_SUCCESS; i++) {
+		INSIST(result == ISC_R_SUCCESS);
+		dns_rdata_init(&x[i].rdata);
+		dns_rdataset_current(rdataset, &x[i].rdata);
+		INSIST(x[i].rdata.data != &removed);
+#if DNS_RDATASET_FIXED
+		x[i].order = i;
+#endif /* if DNS_RDATASET_FIXED */
+		result = dns_rdataset_next(rdataset);
+	}
+	if (i != nalloc || result != ISC_R_NOMORE) {
+		/*
+		 * Somehow we iterated over fewer rdatas than
+		 * dns_rdataset_count() said there were or there
+		 * were more items than dns_rdataset_count said
+		 * there were.
+		 */
+		result = ISC_R_FAILURE;
+		goto free_rdatas;
+	}
+
+	/*
+	 * Put into DNSSEC order.
+	 */
+	if (nalloc > 1U) {
+		qsort(x, nalloc, sizeof(struct xrdata), compare_rdata);
+	}
+
+	/*
+	 * Remove duplicates and compute the total storage required.
+	 *
+	 * If an rdata is not a duplicate, accumulate the storage size
+	 * required for the rdata.  We do not store the class, type, etc,
+	 * just the rdata, so our overhead is 2 bytes for the number of
+	 * records, and 8 for each rdata, (length(2), offset(4) and order(2))
+	 * and then the rdata itself.
+	 */
+	for (i = 1; i < nalloc; i++) {
+		if (compare_rdata(&x[i - 1].rdata, &x[i].rdata) == 0) {
+			x[i - 1].rdata.data = &removed;
+#if DNS_RDATASET_FIXED
+			/*
+			 * Preserve the least order so A, B, A -> A, B
+			 * after duplicate removal.
+			 */
+			if (x[i - 1].order < x[i].order) {
+				x[i].order = x[i - 1].order;
+			}
+#endif /* if DNS_RDATASET_FIXED */
+			nitems--;
+		} else {
+#if DNS_RDATASET_FIXED
+			buflen += (8 + x[i - 1].rdata.length);
+#else  /* if DNS_RDATASET_FIXED */
+			buflen += (2 + x[i - 1].rdata.length);
+#endif /* if DNS_RDATASET_FIXED */
+			/*
+			 * Provide space to store the per RR meta data.
+			 */
+			if (rdataset->type == dns_rdatatype_rrsig) {
+				buflen++;
+			}
+		}
+	}
+
+	/*
+	 * Don't forget the last item!
+	 */
+#if DNS_RDATASET_FIXED
+	buflen += (8 + x[i - 1].rdata.length);
+#else  /* if DNS_RDATASET_FIXED */
+	buflen += (2 + x[i - 1].rdata.length);
+#endif /* if DNS_RDATASET_FIXED */
+	/*
+	 * Provide space to store the per RR meta data.
+	 */
+	if (rdataset->type == dns_rdatatype_rrsig) {
+		buflen++;
+	}
+
+	/*
+	 * Ensure that singleton types are actually singletons.
+	 */
+	if (nitems > 1 && dns_rdatatype_issingleton(rdataset->type)) {
+		/*
+		 * We have a singleton type, but there's more than one
+		 * RR in the rdataset.
+		 */
+		result = DNS_R_SINGLETON;
+		goto free_rdatas;
+	}
+
+	/*
+	 * Allocate the memory, set up a buffer, start copying in
+	 * data.
+	 */
+	rawbuf = isc_mem_get(mctx, buflen);
+
+#if DNS_RDATASET_FIXED
+	/* Allocate temporary offset table. */
+	offsettable = isc_mem_get(mctx, nalloc * sizeof(unsigned int));
+	memset(offsettable, 0, nalloc * sizeof(unsigned int));
+#endif /* if DNS_RDATASET_FIXED */
+
+	region->base = rawbuf;
+	region->length = buflen;
+
+	memset(rawbuf, 0, buflen);
+	rawbuf += reservelen;
+
+#if DNS_RDATASET_FIXED
+	offsetbase = rawbuf;
+#endif /* if DNS_RDATASET_FIXED */
+
+	*rawbuf++ = (nitems & 0xff00) >> 8;
+	*rawbuf++ = (nitems & 0x00ff);
+
+#if DNS_RDATASET_FIXED
+	/* Skip load order table.  Filled in later. */
+	rawbuf += nitems * 4;
+#endif /* if DNS_RDATASET_FIXED */
+
+	for (i = 0; i < nalloc; i++) {
+		if (x[i].rdata.data == &removed) {
+			continue;
+		}
+#if DNS_RDATASET_FIXED
+		offsettable[x[i].order] = rawbuf - offsetbase;
+#endif /* if DNS_RDATASET_FIXED */
+		length = x[i].rdata.length;
+		if (rdataset->type == dns_rdatatype_rrsig) {
+			length++;
+		}
+		INSIST(length <= 0xffff);
+		*rawbuf++ = (length & 0xff00) >> 8;
+		*rawbuf++ = (length & 0x00ff);
+#if DNS_RDATASET_FIXED
+		rawbuf += 2; /* filled in later */
+#endif			     /* if DNS_RDATASET_FIXED */
+		/*
+		 * Store the per RR meta data.
+		 */
+		if (rdataset->type == dns_rdatatype_rrsig) {
+			*rawbuf++ = (x[i].rdata.flags & DNS_RDATA_OFFLINE)
+					    ? DNS_RDATASLAB_OFFLINE
+					    : 0;
+		}
+		memmove(rawbuf, x[i].rdata.data, x[i].rdata.length);
+		rawbuf += x[i].rdata.length;
+	}
+
+#if DNS_RDATASET_FIXED
+	fillin_offsets(offsetbase, offsettable, nalloc);
+	isc_mem_put(mctx, offsettable, nalloc * sizeof(unsigned int));
+#endif /* if DNS_RDATASET_FIXED */
+
+	result = ISC_R_SUCCESS;
+
+free_rdatas:
+	isc_mem_put(mctx, x, nalloc * sizeof(struct xrdata));
+	return (result);
+}
+
+unsigned int
+dns_rdataslab_size(unsigned char *slab, unsigned int reservelen) {
+	unsigned int count, length;
+	unsigned char *current;
+
+	REQUIRE(slab != NULL);
+
+	current = slab + reservelen;
+	count = *current++ * 256;
+	count += *current++;
+#if DNS_RDATASET_FIXED
+	current += (4 * count);
+#endif /* if DNS_RDATASET_FIXED */
+	while (count > 0) {
+		count--;
+		length = *current++ * 256;
+		length += *current++;
+#if DNS_RDATASET_FIXED
+		current += length + 2;
+#else  /* if DNS_RDATASET_FIXED */
+		current += length;
+#endif /* if DNS_RDATASET_FIXED */
+	}
+
+	return ((unsigned int)(current - slab));
+}
+
+unsigned int
+dns_rdataslab_rdatasize(unsigned char *slab, unsigned int reservelen) {
+	unsigned int count, length, rdatalen = 0;
+	unsigned char *current;
+
+	REQUIRE(slab != NULL);
+
+	current = slab + reservelen;
+	count = *current++ * 256;
+	count += *current++;
+#if DNS_RDATASET_FIXED
+	current += (4 * count);
+#endif /* if DNS_RDATASET_FIXED */
+	while (count > 0) {
+		count--;
+		length = *current++ * 256;
+		length += *current++;
+		rdatalen += length;
+#if DNS_RDATASET_FIXED
+		current += length + 2;
+#else  /* if DNS_RDATASET_FIXED */
+		current += length;
+#endif /* if DNS_RDATASET_FIXED */
+	}
+
+	return (rdatalen);
+}
+
+unsigned int
+dns_rdataslab_count(unsigned char *slab, unsigned int reservelen) {
+	unsigned int count;
+	unsigned char *current;
+
+	REQUIRE(slab != NULL);
+
+	current = slab + reservelen;
+	count = *current++ * 256;
+	count += *current++;
+	return (count);
+}
+
+/*
+ * Make the dns_rdata_t 'rdata' refer to the slab item
+ * beginning at '*current', which is part of a slab of type
+ * 'type' and class 'rdclass', and advance '*current' to
+ * point to the next item in the slab.
+ */
+static void
+rdata_from_slab(unsigned char **current, dns_rdataclass_t rdclass,
+		dns_rdatatype_t type, dns_rdata_t *rdata) {
+	unsigned char *tcurrent = *current;
+	isc_region_t region;
+	unsigned int length;
+	bool offline = false;
+
+	length = *tcurrent++ * 256;
+	length += *tcurrent++;
+
+	if (type == dns_rdatatype_rrsig) {
+		if ((*tcurrent & DNS_RDATASLAB_OFFLINE) != 0) {
+			offline = true;
+		}
+		length--;
+		tcurrent++;
+	}
+	region.length = length;
+#if DNS_RDATASET_FIXED
+	tcurrent += 2;
+#endif /* if DNS_RDATASET_FIXED */
+	region.base = tcurrent;
+	tcurrent += region.length;
+	dns_rdata_fromregion(rdata, rdclass, type, &region);
+	if (offline) {
+		rdata->flags |= DNS_RDATA_OFFLINE;
+	}
+	*current = tcurrent;
+}
+
+/*
+ * Return true iff 'slab' (slab data of type 'type' and class 'rdclass')
+ * contains an rdata identical to 'rdata'.  This does case insensitive
+ * comparisons per DNSSEC.
+ */
+static bool
+rdata_in_slab(unsigned char *slab, unsigned int reservelen,
+	      dns_rdataclass_t rdclass, dns_rdatatype_t type,
+	      dns_rdata_t *rdata) {
+	unsigned int count, i;
+	unsigned char *current;
+	dns_rdata_t trdata = DNS_RDATA_INIT;
+	int n;
+
+	current = slab + reservelen;
+	count = *current++ * 256;
+	count += *current++;
+
+#if DNS_RDATASET_FIXED
+	current += (4 * count);
+#endif /* if DNS_RDATASET_FIXED */
+
+	for (i = 0; i < count; i++) {
+		rdata_from_slab(&current, rdclass, type, &trdata);
+
+		n = dns_rdata_compare(&trdata, rdata);
+		if (n == 0) {
+			return (true);
+		}
+		if (n > 0) { /* In DNSSEC order. */
+			break;
+		}
+		dns_rdata_reset(&trdata);
+	}
+	return (false);
+}
+
+isc_result_t
+dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
+		    unsigned int reservelen, isc_mem_t *mctx,
+		    dns_rdataclass_t rdclass, dns_rdatatype_t type,
+		    unsigned int flags, unsigned char **tslabp) {
+	unsigned char *ocurrent, *ostart, *ncurrent, *tstart, *tcurrent, *data;
+	unsigned int ocount, ncount, count, olength, tlength, tcount, length;
+	dns_rdata_t ordata = DNS_RDATA_INIT;
+	dns_rdata_t nrdata = DNS_RDATA_INIT;
+	bool added_something = false;
+	unsigned int oadded = 0;
+	unsigned int nadded = 0;
+	unsigned int nncount = 0;
+#if DNS_RDATASET_FIXED
+	unsigned int oncount;
+	unsigned int norder = 0;
+	unsigned int oorder = 0;
+	unsigned char *offsetbase;
+	unsigned int *offsettable;
+#endif /* if DNS_RDATASET_FIXED */
+
+	/*
+	 * XXX  Need parameter to allow "delete rdatasets in nslab" merge,
+	 * or perhaps another merge routine for this purpose.
+	 */
+
+	REQUIRE(tslabp != NULL && *tslabp == NULL);
+	REQUIRE(oslab != NULL && nslab != NULL);
+
+	ocurrent = oslab + reservelen;
+	ocount = *ocurrent++ * 256;
+	ocount += *ocurrent++;
+#if DNS_RDATASET_FIXED
+	ocurrent += (4 * ocount);
+#endif /* if DNS_RDATASET_FIXED */
+	ostart = ocurrent;
+	ncurrent = nslab + reservelen;
+	ncount = *ncurrent++ * 256;
+	ncount += *ncurrent++;
+#if DNS_RDATASET_FIXED
+	ncurrent += (4 * ncount);
+#endif /* if DNS_RDATASET_FIXED */
+	INSIST(ocount > 0 && ncount > 0);
+
+#if DNS_RDATASET_FIXED
+	oncount = ncount;
+#endif /* if DNS_RDATASET_FIXED */
+
+	/*
+	 * Yes, this is inefficient!
+	 */
+
+	/*
+	 * Figure out the length of the old slab's data.
+	 */
+	olength = 0;
+	for (count = 0; count < ocount; count++) {
+		length = *ocurrent++ * 256;
+		length += *ocurrent++;
+#if DNS_RDATASET_FIXED
+		olength += length + 8;
+		ocurrent += length + 2;
+#else  /* if DNS_RDATASET_FIXED */
+		olength += length + 2;
+		ocurrent += length;
+#endif /* if DNS_RDATASET_FIXED */
+	}
+
+	/*
+	 * Start figuring out the target length and count.
+	 */
+	tlength = reservelen + 2 + olength;
+	tcount = ocount;
+
+	/*
+	 * Add in the length of rdata in the new slab that aren't in
+	 * the old slab.
+	 */
+	do {
+		dns_rdata_init(&nrdata);
+		rdata_from_slab(&ncurrent, rdclass, type, &nrdata);
+		if (!rdata_in_slab(oslab, reservelen, rdclass, type, &nrdata)) {
+			/*
+			 * This rdata isn't in the old slab.
+			 */
+#if DNS_RDATASET_FIXED
+			tlength += nrdata.length + 8;
+#else  /* if DNS_RDATASET_FIXED */
+			tlength += nrdata.length + 2;
+#endif /* if DNS_RDATASET_FIXED */
+			if (type == dns_rdatatype_rrsig) {
+				tlength++;
+			}
+			tcount++;
+			nncount++;
+			added_something = true;
+		}
+		ncount--;
+	} while (ncount > 0);
+	ncount = nncount;
+
+	if (((flags & DNS_RDATASLAB_EXACT) != 0) && (tcount != ncount + ocount))
+	{
+		return (DNS_R_NOTEXACT);
+	}
+
+	if (!added_something && (flags & DNS_RDATASLAB_FORCE) == 0) {
+		return (DNS_R_UNCHANGED);
+	}
+
+	/*
+	 * Ensure that singleton types are actually singletons.
+	 */
+	if (tcount > 1 && dns_rdatatype_issingleton(type)) {
+		/*
+		 * We have a singleton type, but there's more than one
+		 * RR in the rdataset.
+		 */
+		return (DNS_R_SINGLETON);
+	}
+
+	if (tcount > 0xffff) {
+		return (ISC_R_NOSPACE);
+	}
+
+	/*
+	 * Copy the reserved area from the new slab.
+	 */
+	tstart = isc_mem_get(mctx, tlength);
+	memmove(tstart, nslab, reservelen);
+	tcurrent = tstart + reservelen;
+#if DNS_RDATASET_FIXED
+	offsetbase = tcurrent;
+#endif /* if DNS_RDATASET_FIXED */
+
+	/*
+	 * Write the new count.
+	 */
+	*tcurrent++ = (tcount & 0xff00) >> 8;
+	*tcurrent++ = (tcount & 0x00ff);
+
+#if DNS_RDATASET_FIXED
+	/*
+	 * Skip offset table.
+	 */
+	tcurrent += (tcount * 4);
+
+	offsettable = isc_mem_get(mctx,
+				  (ocount + oncount) * sizeof(unsigned int));
+	memset(offsettable, 0, (ocount + oncount) * sizeof(unsigned int));
+#endif /* if DNS_RDATASET_FIXED */
+
+	/*
+	 * Merge the two slabs.
+	 */
+	ocurrent = ostart;
+	INSIST(ocount != 0);
+#if DNS_RDATASET_FIXED
+	oorder = ocurrent[2] * 256 + ocurrent[3];
+	INSIST(oorder < ocount);
+#endif /* if DNS_RDATASET_FIXED */
+	rdata_from_slab(&ocurrent, rdclass, type, &ordata);
+
+	ncurrent = nslab + reservelen + 2;
+#if DNS_RDATASET_FIXED
+	ncurrent += (4 * oncount);
+#endif /* if DNS_RDATASET_FIXED */
+
+	if (ncount > 0) {
+		do {
+			dns_rdata_reset(&nrdata);
+#if DNS_RDATASET_FIXED
+			norder = ncurrent[2] * 256 + ncurrent[3];
+
+			INSIST(norder < oncount);
+#endif /* if DNS_RDATASET_FIXED */
+			rdata_from_slab(&ncurrent, rdclass, type, &nrdata);
+		} while (rdata_in_slab(oslab, reservelen, rdclass, type,
+				       &nrdata));
+	}
+
+	while (oadded < ocount || nadded < ncount) {
+		bool fromold;
+		if (oadded == ocount) {
+			fromold = false;
+		} else if (nadded == ncount) {
+			fromold = true;
+		} else {
+			fromold = (dns_rdata_compare(&ordata, &nrdata) < 0);
+		}
+		if (fromold) {
+#if DNS_RDATASET_FIXED
+			offsettable[oorder] = tcurrent - offsetbase;
+#endif /* if DNS_RDATASET_FIXED */
+			length = ordata.length;
+			data = ordata.data;
+			if (type == dns_rdatatype_rrsig) {
+				length++;
+				data--;
+			}
+			*tcurrent++ = (length & 0xff00) >> 8;
+			*tcurrent++ = (length & 0x00ff);
+#if DNS_RDATASET_FIXED
+			tcurrent += 2; /* fill in later */
+#endif				       /* if DNS_RDATASET_FIXED */
+			memmove(tcurrent, data, length);
+			tcurrent += length;
+			oadded++;
+			if (oadded < ocount) {
+				dns_rdata_reset(&ordata);
+#if DNS_RDATASET_FIXED
+				oorder = ocurrent[2] * 256 + ocurrent[3];
+				INSIST(oorder < ocount);
+#endif /* if DNS_RDATASET_FIXED */
+				rdata_from_slab(&ocurrent, rdclass, type,
+						&ordata);
+			}
+		} else {
+#if DNS_RDATASET_FIXED
+			offsettable[ocount + norder] = tcurrent - offsetbase;
+#endif /* if DNS_RDATASET_FIXED */
+			length = nrdata.length;
+			data = nrdata.data;
+			if (type == dns_rdatatype_rrsig) {
+				length++;
+				data--;
+			}
+			*tcurrent++ = (length & 0xff00) >> 8;
+			*tcurrent++ = (length & 0x00ff);
+#if DNS_RDATASET_FIXED
+			tcurrent += 2; /* fill in later */
+#endif				       /* if DNS_RDATASET_FIXED */
+			memmove(tcurrent, data, length);
+			tcurrent += length;
+			nadded++;
+			if (nadded < ncount) {
+				do {
+					dns_rdata_reset(&nrdata);
+#if DNS_RDATASET_FIXED
+					norder = ncurrent[2] * 256 +
+						 ncurrent[3];
+					INSIST(norder < oncount);
+#endif /* if DNS_RDATASET_FIXED */
+					rdata_from_slab(&ncurrent, rdclass,
+							type, &nrdata);
+				} while (rdata_in_slab(oslab, reservelen,
+						       rdclass, type, &nrdata));
+			}
+		}
+	}
+
+#if DNS_RDATASET_FIXED
+	fillin_offsets(offsetbase, offsettable, ocount + oncount);
+
+	isc_mem_put(mctx, offsettable,
+		    (ocount + oncount) * sizeof(unsigned int));
+#endif /* if DNS_RDATASET_FIXED */
+
+	INSIST(tcurrent == tstart + tlength);
+
+	*tslabp = tstart;
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_rdataslab_subtract(unsigned char *mslab, unsigned char *sslab,
+		       unsigned int reservelen, isc_mem_t *mctx,
+		       dns_rdataclass_t rdclass, dns_rdatatype_t type,
+		       unsigned int flags, unsigned char **tslabp) {
+	unsigned char *mcurrent, *sstart, *scurrent, *tstart, *tcurrent;
+	unsigned int mcount, scount, rcount, count, tlength, tcount, i;
+	dns_rdata_t srdata = DNS_RDATA_INIT;
+	dns_rdata_t mrdata = DNS_RDATA_INIT;
+#if DNS_RDATASET_FIXED
+	unsigned char *offsetbase;
+	unsigned int *offsettable;
+	unsigned int order;
+#endif /* if DNS_RDATASET_FIXED */
+
+	REQUIRE(tslabp != NULL && *tslabp == NULL);
+	REQUIRE(mslab != NULL && sslab != NULL);
+
+	mcurrent = mslab + reservelen;
+	mcount = *mcurrent++ * 256;
+	mcount += *mcurrent++;
+	scurrent = sslab + reservelen;
+	scount = *scurrent++ * 256;
+	scount += *scurrent++;
+	INSIST(mcount > 0 && scount > 0);
+
+	/*
+	 * Yes, this is inefficient!
+	 */
+
+	/*
+	 * Start figuring out the target length and count.
+	 */
+	tlength = reservelen + 2;
+	tcount = 0;
+	rcount = 0;
+
+#if DNS_RDATASET_FIXED
+	mcurrent += 4 * mcount;
+	scurrent += 4 * scount;
+#endif /* if DNS_RDATASET_FIXED */
+	sstart = scurrent;
+
+	/*
+	 * Add in the length of rdata in the mslab that aren't in
+	 * the sslab.
+	 */
+	for (i = 0; i < mcount; i++) {
+		unsigned char *mrdatabegin = mcurrent;
+		rdata_from_slab(&mcurrent, rdclass, type, &mrdata);
+		scurrent = sstart;
+		for (count = 0; count < scount; count++) {
+			dns_rdata_reset(&srdata);
+			rdata_from_slab(&scurrent, rdclass, type, &srdata);
+			if (dns_rdata_compare(&mrdata, &srdata) == 0) {
+				break;
+			}
+		}
+		if (count == scount) {
+			/*
+			 * This rdata isn't in the sslab, and thus isn't
+			 * being subtracted.
+			 */
+			tlength += (unsigned int)(mcurrent - mrdatabegin);
+			tcount++;
+		} else {
+			rcount++;
+		}
+		dns_rdata_reset(&mrdata);
+	}
+
+#if DNS_RDATASET_FIXED
+	tlength += (4 * tcount);
+#endif /* if DNS_RDATASET_FIXED */
+
+	/*
+	 * Check that all the records originally existed.  The numeric
+	 * check only works as rdataslabs do not contain duplicates.
+	 */
+	if (((flags & DNS_RDATASLAB_EXACT) != 0) && (rcount != scount)) {
+		return (DNS_R_NOTEXACT);
+	}
+
+	/*
+	 * Don't continue if the new rdataslab would be empty.
+	 */
+	if (tcount == 0) {
+		return (DNS_R_NXRRSET);
+	}
+
+	/*
+	 * If nothing is going to change, we can stop.
+	 */
+	if (rcount == 0) {
+		return (DNS_R_UNCHANGED);
+	}
+
+	/*
+	 * Copy the reserved area from the mslab.
+	 */
+	tstart = isc_mem_get(mctx, tlength);
+	memmove(tstart, mslab, reservelen);
+	tcurrent = tstart + reservelen;
+#if DNS_RDATASET_FIXED
+	offsetbase = tcurrent;
+
+	offsettable = isc_mem_get(mctx, mcount * sizeof(unsigned int));
+	memset(offsettable, 0, mcount * sizeof(unsigned int));
+#endif /* if DNS_RDATASET_FIXED */
+
+	/*
+	 * Write the new count.
+	 */
+	*tcurrent++ = (tcount & 0xff00) >> 8;
+	*tcurrent++ = (tcount & 0x00ff);
+
+#if DNS_RDATASET_FIXED
+	tcurrent += (4 * tcount);
+#endif /* if DNS_RDATASET_FIXED */
+
+	/*
+	 * Copy the parts of mslab not in sslab.
+	 */
+	mcurrent = mslab + reservelen;
+	mcount = *mcurrent++ * 256;
+	mcount += *mcurrent++;
+#if DNS_RDATASET_FIXED
+	mcurrent += (4 * mcount);
+#endif /* if DNS_RDATASET_FIXED */
+	for (i = 0; i < mcount; i++) {
+		unsigned char *mrdatabegin = mcurrent;
+#if DNS_RDATASET_FIXED
+		order = mcurrent[2] * 256 + mcurrent[3];
+		INSIST(order < mcount);
+#endif /* if DNS_RDATASET_FIXED */
+		rdata_from_slab(&mcurrent, rdclass, type, &mrdata);
+		scurrent = sstart;
+		for (count = 0; count < scount; count++) {
+			dns_rdata_reset(&srdata);
+			rdata_from_slab(&scurrent, rdclass, type, &srdata);
+			if (dns_rdata_compare(&mrdata, &srdata) == 0) {
+				break;
+			}
+		}
+		if (count == scount) {
+			/*
+			 * This rdata isn't in the sslab, and thus should be
+			 * copied to the tslab.
+			 */
+			unsigned int length;
+			length = (unsigned int)(mcurrent - mrdatabegin);
+#if DNS_RDATASET_FIXED
+			offsettable[order] = tcurrent - offsetbase;
+#endif /* if DNS_RDATASET_FIXED */
+			memmove(tcurrent, mrdatabegin, length);
+			tcurrent += length;
+		}
+		dns_rdata_reset(&mrdata);
+	}
+
+#if DNS_RDATASET_FIXED
+	fillin_offsets(offsetbase, offsettable, mcount);
+
+	isc_mem_put(mctx, offsettable, mcount * sizeof(unsigned int));
+#endif /* if DNS_RDATASET_FIXED */
+
+	INSIST(tcurrent == tstart + tlength);
+
+	*tslabp = tstart;
+
+	return (ISC_R_SUCCESS);
+}
+
+bool
+dns_rdataslab_equal(unsigned char *slab1, unsigned char *slab2,
+		    unsigned int reservelen) {
+	unsigned char *current1, *current2;
+	unsigned int count1, count2;
+	unsigned int length1, length2;
+
+	current1 = slab1 + reservelen;
+	count1 = *current1++ * 256;
+	count1 += *current1++;
+
+	current2 = slab2 + reservelen;
+	count2 = *current2++ * 256;
+	count2 += *current2++;
+
+	if (count1 != count2) {
+		return (false);
+	}
+
+#if DNS_RDATASET_FIXED
+	current1 += (4 * count1);
+	current2 += (4 * count2);
+#endif /* if DNS_RDATASET_FIXED */
+
+	while (count1 > 0) {
+		length1 = *current1++ * 256;
+		length1 += *current1++;
+
+		length2 = *current2++ * 256;
+		length2 += *current2++;
+
+#if DNS_RDATASET_FIXED
+		current1 += 2;
+		current2 += 2;
+#endif /* if DNS_RDATASET_FIXED */
+
+		if (length1 != length2 ||
+		    memcmp(current1, current2, length1) != 0)
+		{
+			return (false);
+		}
+
+		current1 += length1;
+		current2 += length1;
+
+		count1--;
+	}
+	return (true);
+}
+
+bool
+dns_rdataslab_equalx(unsigned char *slab1, unsigned char *slab2,
+		     unsigned int reservelen, dns_rdataclass_t rdclass,
+		     dns_rdatatype_t type) {
+	unsigned char *current1, *current2;
+	unsigned int count1, count2;
+	dns_rdata_t rdata1 = DNS_RDATA_INIT;
+	dns_rdata_t rdata2 = DNS_RDATA_INIT;
+
+	current1 = slab1 + reservelen;
+	count1 = *current1++ * 256;
+	count1 += *current1++;
+
+	current2 = slab2 + reservelen;
+	count2 = *current2++ * 256;
+	count2 += *current2++;
+
+	if (count1 != count2) {
+		return (false);
+	}
+
+#if DNS_RDATASET_FIXED
+	current1 += (4 * count1);
+	current2 += (4 * count2);
+#endif /* if DNS_RDATASET_FIXED */
+
+	while (count1-- > 0) {
+		rdata_from_slab(&current1, rdclass, type, &rdata1);
+		rdata_from_slab(&current2, rdclass, type, &rdata2);
+		if (dns_rdata_compare(&rdata1, &rdata2) != 0) {
+			return (false);
+		}
+		dns_rdata_reset(&rdata1);
+		dns_rdata_reset(&rdata2);
+	}
+	return (true);
+}
diff --git a/lib/dns/request.c b/lib/dns/request.c
new file mode 100644
index 0000000..2e21ca6
--- /dev/null
+++ b/lib/dns/request.c
@@ -0,0 +1,1545 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/acl.h>
+#include <dns/compress.h>
+#include <dns/dispatch.h>
+#include <dns/events.h>
+#include <dns/log.h>
+#include <dns/message.h>
+#include <dns/rdata.h>
+#include <dns/rdatastruct.h>
+#include <dns/request.h>
+#include <dns/result.h>
+#include <dns/tsig.h>
+
+#define REQUESTMGR_MAGIC      ISC_MAGIC('R', 'q', 'u', 'M')
+#define VALID_REQUESTMGR(mgr) ISC_MAGIC_VALID(mgr, REQUESTMGR_MAGIC)
+
+#define REQUEST_MAGIC	       ISC_MAGIC('R', 'q', 'u', '!')
+#define VALID_REQUEST(request) ISC_MAGIC_VALID(request, REQUEST_MAGIC)
+
+typedef ISC_LIST(dns_request_t) dns_requestlist_t;
+
+#define DNS_REQUEST_NLOCKS 7
+
+struct dns_requestmgr {
+	unsigned int magic;
+	isc_mutex_t lock;
+	isc_mem_t *mctx;
+
+	/* locked */
+	int32_t eref;
+	int32_t iref;
+	isc_timermgr_t *timermgr;
+	isc_socketmgr_t *socketmgr;
+	isc_taskmgr_t *taskmgr;
+	dns_dispatchmgr_t *dispatchmgr;
+	dns_dispatch_t *dispatchv4;
+	dns_dispatch_t *dispatchv6;
+	bool exiting;
+	isc_eventlist_t whenshutdown;
+	unsigned int hash;
+	isc_mutex_t locks[DNS_REQUEST_NLOCKS];
+	dns_requestlist_t requests;
+};
+
+struct dns_request {
+	unsigned int magic;
+	unsigned int hash;
+	isc_mem_t *mctx;
+	int32_t flags;
+	ISC_LINK(dns_request_t) link;
+	isc_buffer_t *query;
+	isc_buffer_t *answer;
+	dns_requestevent_t *event;
+	dns_dispatch_t *dispatch;
+	dns_dispentry_t *dispentry;
+	isc_timer_t *timer;
+	dns_requestmgr_t *requestmgr;
+	isc_buffer_t *tsig;
+	dns_tsigkey_t *tsigkey;
+	isc_event_t ctlevent;
+	bool canceling; /* ctlevent outstanding */
+	isc_sockaddr_t destaddr;
+	unsigned int udpcount;
+	isc_dscp_t dscp;
+};
+
+#define DNS_REQUEST_F_CONNECTING 0x0001
+#define DNS_REQUEST_F_SENDING	 0x0002
+#define DNS_REQUEST_F_CANCELED                                                \
+	0x0004				 /*%< ctlevent received, or otherwise \
+					  * synchronously canceled */
+#define DNS_REQUEST_F_TIMEDOUT	  0x0008 /*%< canceled due to a timeout */
+#define DNS_REQUEST_F_TCP	  0x0010 /*%< This request used TCP */
+#define DNS_REQUEST_CANCELED(r)	  (((r)->flags & DNS_REQUEST_F_CANCELED) != 0)
+#define DNS_REQUEST_CONNECTING(r) (((r)->flags & DNS_REQUEST_F_CONNECTING) != 0)
+#define DNS_REQUEST_SENDING(r)	  (((r)->flags & DNS_REQUEST_F_SENDING) != 0)
+#define DNS_REQUEST_TIMEDOUT(r)	  (((r)->flags & DNS_REQUEST_F_TIMEDOUT) != 0)
+
+/***
+ *** Forward
+ ***/
+
+static void
+mgr_destroy(dns_requestmgr_t *requestmgr);
+static void
+mgr_shutdown(dns_requestmgr_t *requestmgr);
+static unsigned int
+mgr_gethash(dns_requestmgr_t *requestmgr);
+static void
+send_shutdown_events(dns_requestmgr_t *requestmgr);
+
+static isc_result_t
+req_render(dns_message_t *message, isc_buffer_t **buffer, unsigned int options,
+	   isc_mem_t *mctx);
+static void
+req_senddone(isc_task_t *task, isc_event_t *event);
+static void
+req_response(isc_task_t *task, isc_event_t *event);
+static void
+req_timeout(isc_task_t *task, isc_event_t *event);
+static isc_socket_t *
+req_getsocket(dns_request_t *request);
+static void
+req_connected(isc_task_t *task, isc_event_t *event);
+static void
+req_sendevent(dns_request_t *request, isc_result_t result);
+static void
+req_cancel(dns_request_t *request);
+static void
+req_destroy(dns_request_t *request);
+static void
+req_log(int level, const char *fmt, ...) ISC_FORMAT_PRINTF(2, 3);
+static void
+do_cancel(isc_task_t *task, isc_event_t *event);
+
+/***
+ *** Public
+ ***/
+
+isc_result_t
+dns_requestmgr_create(isc_mem_t *mctx, isc_timermgr_t *timermgr,
+		      isc_socketmgr_t *socketmgr, isc_taskmgr_t *taskmgr,
+		      dns_dispatchmgr_t *dispatchmgr,
+		      dns_dispatch_t *dispatchv4, dns_dispatch_t *dispatchv6,
+		      dns_requestmgr_t **requestmgrp) {
+	dns_requestmgr_t *requestmgr;
+	int i;
+	unsigned int dispattr;
+
+	req_log(ISC_LOG_DEBUG(3), "dns_requestmgr_create");
+
+	REQUIRE(requestmgrp != NULL && *requestmgrp == NULL);
+	REQUIRE(timermgr != NULL);
+	REQUIRE(socketmgr != NULL);
+	REQUIRE(taskmgr != NULL);
+	REQUIRE(dispatchmgr != NULL);
+
+	if (dispatchv4 != NULL) {
+		dispattr = dns_dispatch_getattributes(dispatchv4);
+		REQUIRE((dispattr & DNS_DISPATCHATTR_UDP) != 0);
+	}
+	if (dispatchv6 != NULL) {
+		dispattr = dns_dispatch_getattributes(dispatchv6);
+		REQUIRE((dispattr & DNS_DISPATCHATTR_UDP) != 0);
+	}
+
+	requestmgr = isc_mem_get(mctx, sizeof(*requestmgr));
+
+	isc_mutex_init(&requestmgr->lock);
+
+	for (i = 0; i < DNS_REQUEST_NLOCKS; i++) {
+		isc_mutex_init(&requestmgr->locks[i]);
+	}
+	requestmgr->timermgr = timermgr;
+	requestmgr->socketmgr = socketmgr;
+	requestmgr->taskmgr = taskmgr;
+	requestmgr->dispatchmgr = dispatchmgr;
+	requestmgr->dispatchv4 = NULL;
+	if (dispatchv4 != NULL) {
+		dns_dispatch_attach(dispatchv4, &requestmgr->dispatchv4);
+	}
+	requestmgr->dispatchv6 = NULL;
+	if (dispatchv6 != NULL) {
+		dns_dispatch_attach(dispatchv6, &requestmgr->dispatchv6);
+	}
+	requestmgr->mctx = NULL;
+	isc_mem_attach(mctx, &requestmgr->mctx);
+	requestmgr->eref = 1; /* implicit attach */
+	requestmgr->iref = 0;
+	ISC_LIST_INIT(requestmgr->whenshutdown);
+	ISC_LIST_INIT(requestmgr->requests);
+	requestmgr->exiting = false;
+	requestmgr->hash = 0;
+	requestmgr->magic = REQUESTMGR_MAGIC;
+
+	req_log(ISC_LOG_DEBUG(3), "dns_requestmgr_create: %p", requestmgr);
+
+	*requestmgrp = requestmgr;
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_requestmgr_whenshutdown(dns_requestmgr_t *requestmgr, isc_task_t *task,
+			    isc_event_t **eventp) {
+	isc_task_t *tclone;
+	isc_event_t *event;
+
+	req_log(ISC_LOG_DEBUG(3), "dns_requestmgr_whenshutdown");
+
+	REQUIRE(VALID_REQUESTMGR(requestmgr));
+	REQUIRE(eventp != NULL);
+
+	event = *eventp;
+	*eventp = NULL;
+
+	LOCK(&requestmgr->lock);
+
+	if (requestmgr->exiting) {
+		/*
+		 * We're already shutdown.  Send the event.
+		 */
+		event->ev_sender = requestmgr;
+		isc_task_send(task, &event);
+	} else {
+		tclone = NULL;
+		isc_task_attach(task, &tclone);
+		event->ev_sender = tclone;
+		ISC_LIST_APPEND(requestmgr->whenshutdown, event, ev_link);
+	}
+	UNLOCK(&requestmgr->lock);
+}
+
+void
+dns_requestmgr_shutdown(dns_requestmgr_t *requestmgr) {
+	REQUIRE(VALID_REQUESTMGR(requestmgr));
+
+	req_log(ISC_LOG_DEBUG(3), "dns_requestmgr_shutdown: %p", requestmgr);
+
+	LOCK(&requestmgr->lock);
+	mgr_shutdown(requestmgr);
+	UNLOCK(&requestmgr->lock);
+}
+
+static void
+mgr_shutdown(dns_requestmgr_t *requestmgr) {
+	dns_request_t *request;
+
+	/*
+	 * Caller holds lock.
+	 */
+	if (!requestmgr->exiting) {
+		requestmgr->exiting = true;
+		for (request = ISC_LIST_HEAD(requestmgr->requests);
+		     request != NULL; request = ISC_LIST_NEXT(request, link))
+		{
+			dns_request_cancel(request);
+		}
+		if (requestmgr->iref == 0) {
+			INSIST(ISC_LIST_EMPTY(requestmgr->requests));
+			send_shutdown_events(requestmgr);
+		}
+	}
+}
+
+static void
+requestmgr_attach(dns_requestmgr_t *source, dns_requestmgr_t **targetp) {
+	/*
+	 * Locked by caller.
+	 */
+
+	REQUIRE(VALID_REQUESTMGR(source));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	REQUIRE(!source->exiting);
+
+	source->iref++;
+	*targetp = source;
+
+	req_log(ISC_LOG_DEBUG(3), "requestmgr_attach: %p: eref %d iref %d",
+		source, source->eref, source->iref);
+}
+
+static void
+requestmgr_detach(dns_requestmgr_t **requestmgrp) {
+	dns_requestmgr_t *requestmgr;
+	bool need_destroy = false;
+
+	REQUIRE(requestmgrp != NULL);
+	requestmgr = *requestmgrp;
+	*requestmgrp = NULL;
+	REQUIRE(VALID_REQUESTMGR(requestmgr));
+
+	LOCK(&requestmgr->lock);
+	INSIST(requestmgr->iref > 0);
+	requestmgr->iref--;
+
+	req_log(ISC_LOG_DEBUG(3), "requestmgr_detach: %p: eref %d iref %d",
+		requestmgr, requestmgr->eref, requestmgr->iref);
+
+	if (requestmgr->iref == 0 && requestmgr->exiting) {
+		INSIST(ISC_LIST_HEAD(requestmgr->requests) == NULL);
+		send_shutdown_events(requestmgr);
+		if (requestmgr->eref == 0) {
+			need_destroy = true;
+		}
+	}
+	UNLOCK(&requestmgr->lock);
+
+	if (need_destroy) {
+		mgr_destroy(requestmgr);
+	}
+}
+
+void
+dns_requestmgr_attach(dns_requestmgr_t *source, dns_requestmgr_t **targetp) {
+	REQUIRE(VALID_REQUESTMGR(source));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+	REQUIRE(!source->exiting);
+
+	LOCK(&source->lock);
+	source->eref++;
+	*targetp = source;
+	UNLOCK(&source->lock);
+
+	req_log(ISC_LOG_DEBUG(3), "dns_requestmgr_attach: %p: eref %d iref %d",
+		source, source->eref, source->iref);
+}
+
+void
+dns_requestmgr_detach(dns_requestmgr_t **requestmgrp) {
+	dns_requestmgr_t *requestmgr;
+	bool need_destroy = false;
+
+	REQUIRE(requestmgrp != NULL);
+	requestmgr = *requestmgrp;
+	*requestmgrp = NULL;
+	REQUIRE(VALID_REQUESTMGR(requestmgr));
+
+	LOCK(&requestmgr->lock);
+	INSIST(requestmgr->eref > 0);
+	requestmgr->eref--;
+
+	req_log(ISC_LOG_DEBUG(3), "dns_requestmgr_detach: %p: eref %d iref %d",
+		requestmgr, requestmgr->eref, requestmgr->iref);
+
+	if (requestmgr->eref == 0 && requestmgr->iref == 0) {
+		INSIST(requestmgr->exiting &&
+		       ISC_LIST_HEAD(requestmgr->requests) == NULL);
+		need_destroy = true;
+	}
+	UNLOCK(&requestmgr->lock);
+
+	if (need_destroy) {
+		mgr_destroy(requestmgr);
+	}
+}
+
+static void
+send_shutdown_events(dns_requestmgr_t *requestmgr) {
+	isc_event_t *event, *next_event;
+	isc_task_t *etask;
+
+	req_log(ISC_LOG_DEBUG(3), "send_shutdown_events: %p", requestmgr);
+
+	/*
+	 * Caller must be holding the manager lock.
+	 */
+	for (event = ISC_LIST_HEAD(requestmgr->whenshutdown); event != NULL;
+	     event = next_event)
+	{
+		next_event = ISC_LIST_NEXT(event, ev_link);
+		ISC_LIST_UNLINK(requestmgr->whenshutdown, event, ev_link);
+		etask = event->ev_sender;
+		event->ev_sender = requestmgr;
+		isc_task_sendanddetach(&etask, &event);
+	}
+}
+
+static void
+mgr_destroy(dns_requestmgr_t *requestmgr) {
+	int i;
+
+	req_log(ISC_LOG_DEBUG(3), "mgr_destroy");
+
+	REQUIRE(requestmgr->eref == 0);
+	REQUIRE(requestmgr->iref == 0);
+
+	isc_mutex_destroy(&requestmgr->lock);
+	for (i = 0; i < DNS_REQUEST_NLOCKS; i++) {
+		isc_mutex_destroy(&requestmgr->locks[i]);
+	}
+	if (requestmgr->dispatchv4 != NULL) {
+		dns_dispatch_detach(&requestmgr->dispatchv4);
+	}
+	if (requestmgr->dispatchv6 != NULL) {
+		dns_dispatch_detach(&requestmgr->dispatchv6);
+	}
+	requestmgr->magic = 0;
+	isc_mem_putanddetach(&requestmgr->mctx, requestmgr,
+			     sizeof(*requestmgr));
+}
+
+static unsigned int
+mgr_gethash(dns_requestmgr_t *requestmgr) {
+	req_log(ISC_LOG_DEBUG(3), "mgr_gethash");
+	/*
+	 * Locked by caller.
+	 */
+	requestmgr->hash++;
+	return (requestmgr->hash % DNS_REQUEST_NLOCKS);
+}
+
+static isc_result_t
+req_send(dns_request_t *request, isc_task_t *task,
+	 const isc_sockaddr_t *address) {
+	isc_region_t r;
+	isc_socket_t *sock;
+	isc_socketevent_t *sendevent;
+	isc_result_t result;
+
+	req_log(ISC_LOG_DEBUG(3), "req_send: request %p", request);
+
+	REQUIRE(VALID_REQUEST(request));
+	sock = req_getsocket(request);
+	isc_buffer_usedregion(request->query, &r);
+	/*
+	 * We could connect the socket when we are using an exclusive dispatch
+	 * as we do in resolver.c, but we prefer implementation simplicity
+	 * at this moment.
+	 */
+	sendevent = isc_socket_socketevent(request->mctx, sock,
+					   ISC_SOCKEVENT_SENDDONE, req_senddone,
+					   request);
+	if (sendevent == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+	if (request->dscp == -1) {
+		sendevent->attributes &= ~ISC_SOCKEVENTATTR_DSCP;
+		sendevent->dscp = 0;
+	} else {
+		sendevent->attributes |= ISC_SOCKEVENTATTR_DSCP;
+		sendevent->dscp = request->dscp;
+	}
+
+	request->flags |= DNS_REQUEST_F_SENDING;
+	result = isc_socket_sendto2(sock, &r, task, address, NULL, sendevent,
+				    0);
+	INSIST(result == ISC_R_SUCCESS);
+	return (result);
+}
+
+static isc_result_t
+new_request(isc_mem_t *mctx, dns_request_t **requestp) {
+	dns_request_t *request;
+
+	request = isc_mem_get(mctx, sizeof(*request));
+
+	/*
+	 * Zero structure.
+	 */
+	request->magic = 0;
+	request->mctx = NULL;
+	request->flags = 0;
+	ISC_LINK_INIT(request, link);
+	request->query = NULL;
+	request->answer = NULL;
+	request->event = NULL;
+	request->dispatch = NULL;
+	request->dispentry = NULL;
+	request->timer = NULL;
+	request->requestmgr = NULL;
+	request->tsig = NULL;
+	request->tsigkey = NULL;
+	request->dscp = -1;
+	ISC_EVENT_INIT(&request->ctlevent, sizeof(request->ctlevent), 0, NULL,
+		       DNS_EVENT_REQUESTCONTROL, do_cancel, request, NULL, NULL,
+		       NULL);
+	request->canceling = false;
+	request->udpcount = 0;
+
+	isc_mem_attach(mctx, &request->mctx);
+
+	request->magic = REQUEST_MAGIC;
+	*requestp = request;
+	return (ISC_R_SUCCESS);
+}
+
+static bool
+isblackholed(dns_dispatchmgr_t *dispatchmgr, const isc_sockaddr_t *destaddr) {
+	dns_acl_t *blackhole;
+	isc_netaddr_t netaddr;
+	int match;
+	bool drop = false;
+	char netaddrstr[ISC_NETADDR_FORMATSIZE];
+
+	blackhole = dns_dispatchmgr_getblackhole(dispatchmgr);
+	if (blackhole != NULL) {
+		isc_netaddr_fromsockaddr(&netaddr, destaddr);
+		if (dns_acl_match(&netaddr, NULL, blackhole, NULL, &match,
+				  NULL) == ISC_R_SUCCESS &&
+		    match > 0)
+		{
+			drop = true;
+		}
+	}
+	if (drop) {
+		isc_netaddr_format(&netaddr, netaddrstr, sizeof(netaddrstr));
+		req_log(ISC_LOG_DEBUG(10), "blackholed address %s", netaddrstr);
+	}
+	return (drop);
+}
+
+static isc_result_t
+create_tcp_dispatch(bool newtcp, bool share, dns_requestmgr_t *requestmgr,
+		    const isc_sockaddr_t *srcaddr,
+		    const isc_sockaddr_t *destaddr, isc_dscp_t dscp,
+		    bool *connected, dns_dispatch_t **dispatchp) {
+	isc_result_t result;
+	isc_socket_t *sock = NULL;
+	isc_sockaddr_t src;
+	unsigned int attrs;
+	isc_sockaddr_t bind_any;
+
+	if (!newtcp && share) {
+		result = dns_dispatch_gettcp(requestmgr->dispatchmgr, destaddr,
+					     srcaddr, connected, dispatchp);
+		if (result == ISC_R_SUCCESS) {
+			char peer[ISC_SOCKADDR_FORMATSIZE];
+
+			isc_sockaddr_format(destaddr, peer, sizeof(peer));
+			req_log(ISC_LOG_DEBUG(1),
+				"attached to %s TCP "
+				"connection to %s",
+				*connected ? "existing" : "pending", peer);
+			return (result);
+		}
+	} else if (!newtcp) {
+		result = dns_dispatch_gettcp(requestmgr->dispatchmgr, destaddr,
+					     srcaddr, NULL, dispatchp);
+		if (result == ISC_R_SUCCESS) {
+			char peer[ISC_SOCKADDR_FORMATSIZE];
+
+			*connected = true;
+			isc_sockaddr_format(destaddr, peer, sizeof(peer));
+			req_log(ISC_LOG_DEBUG(1),
+				"attached to existing TCP "
+				"connection to %s",
+				peer);
+			return (result);
+		}
+	}
+
+	result = isc_socket_create(requestmgr->socketmgr,
+				   isc_sockaddr_pf(destaddr),
+				   isc_sockettype_tcp, &sock);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+#ifndef BROKEN_TCP_BIND_BEFORE_CONNECT
+	if (srcaddr == NULL) {
+		isc_sockaddr_anyofpf(&bind_any, isc_sockaddr_pf(destaddr));
+		result = isc_socket_bind(sock, &bind_any, 0);
+	} else {
+		src = *srcaddr;
+		isc_sockaddr_setport(&src, 0);
+		result = isc_socket_bind(sock, &src, 0);
+	}
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+#endif /* ifndef BROKEN_TCP_BIND_BEFORE_CONNECT */
+
+	attrs = 0;
+	attrs |= DNS_DISPATCHATTR_TCP;
+	if (isc_sockaddr_pf(destaddr) == AF_INET) {
+		attrs |= DNS_DISPATCHATTR_IPV4;
+	} else {
+		attrs |= DNS_DISPATCHATTR_IPV6;
+	}
+	attrs |= DNS_DISPATCHATTR_MAKEQUERY;
+
+	isc_socket_dscp(sock, dscp);
+	result = dns_dispatch_createtcp(
+		requestmgr->dispatchmgr, sock, requestmgr->taskmgr, srcaddr,
+		destaddr, 4096, 32768, 32768, 16411, 16433, attrs, dispatchp);
+cleanup:
+	isc_socket_detach(&sock);
+	return (result);
+}
+
+static isc_result_t
+find_udp_dispatch(dns_requestmgr_t *requestmgr, const isc_sockaddr_t *srcaddr,
+		  const isc_sockaddr_t *destaddr, dns_dispatch_t **dispatchp) {
+	dns_dispatch_t *disp = NULL;
+	unsigned int attrs, attrmask;
+
+	if (srcaddr == NULL) {
+		switch (isc_sockaddr_pf(destaddr)) {
+		case PF_INET:
+			disp = requestmgr->dispatchv4;
+			break;
+
+		case PF_INET6:
+			disp = requestmgr->dispatchv6;
+			break;
+
+		default:
+			return (ISC_R_NOTIMPLEMENTED);
+		}
+		if (disp == NULL) {
+			return (ISC_R_FAMILYNOSUPPORT);
+		}
+		dns_dispatch_attach(disp, dispatchp);
+		return (ISC_R_SUCCESS);
+	}
+	attrs = 0;
+	attrs |= DNS_DISPATCHATTR_UDP;
+	switch (isc_sockaddr_pf(srcaddr)) {
+	case PF_INET:
+		attrs |= DNS_DISPATCHATTR_IPV4;
+		break;
+
+	case PF_INET6:
+		attrs |= DNS_DISPATCHATTR_IPV6;
+		break;
+
+	default:
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+	attrmask = 0;
+	attrmask |= DNS_DISPATCHATTR_UDP;
+	attrmask |= DNS_DISPATCHATTR_TCP;
+	attrmask |= DNS_DISPATCHATTR_IPV4;
+	attrmask |= DNS_DISPATCHATTR_IPV6;
+	return (dns_dispatch_getudp(requestmgr->dispatchmgr,
+				    requestmgr->socketmgr, requestmgr->taskmgr,
+				    srcaddr, 4096, 32768, 32768, 16411, 16433,
+				    attrs, attrmask, dispatchp));
+}
+
+static isc_result_t
+get_dispatch(bool tcp, bool newtcp, bool share, dns_requestmgr_t *requestmgr,
+	     const isc_sockaddr_t *srcaddr, const isc_sockaddr_t *destaddr,
+	     isc_dscp_t dscp, bool *connected, dns_dispatch_t **dispatchp) {
+	isc_result_t result;
+
+	if (tcp) {
+		result = create_tcp_dispatch(newtcp, share, requestmgr, srcaddr,
+					     destaddr, dscp, connected,
+					     dispatchp);
+	} else {
+		result = find_udp_dispatch(requestmgr, srcaddr, destaddr,
+					   dispatchp);
+	}
+	return (result);
+}
+
+static isc_result_t
+set_timer(isc_timer_t *timer, unsigned int timeout, unsigned int udpresend) {
+	isc_time_t expires;
+	isc_interval_t interval;
+	isc_result_t result;
+	isc_timertype_t timertype;
+
+	isc_interval_set(&interval, timeout, 0);
+	result = isc_time_nowplusinterval(&expires, &interval);
+	isc_interval_set(&interval, udpresend, 0);
+
+	timertype = udpresend != 0 ? isc_timertype_limited : isc_timertype_once;
+	if (result == ISC_R_SUCCESS) {
+		result = isc_timer_reset(timer, timertype, &expires, &interval,
+					 false);
+	}
+	return (result);
+}
+
+isc_result_t
+dns_request_createraw(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
+		      const isc_sockaddr_t *srcaddr,
+		      const isc_sockaddr_t *destaddr, isc_dscp_t dscp,
+		      unsigned int options, unsigned int timeout,
+		      unsigned int udptimeout, unsigned int udpretries,
+		      isc_task_t *task, isc_taskaction_t action, void *arg,
+		      dns_request_t **requestp) {
+	dns_request_t *request = NULL;
+	isc_task_t *tclone = NULL;
+	isc_socket_t *sock = NULL;
+	isc_result_t result;
+	isc_mem_t *mctx;
+	dns_messageid_t id;
+	bool tcp = false;
+	bool newtcp = false;
+	bool share = false;
+	isc_region_t r;
+	bool connected = false;
+	unsigned int dispopt = 0;
+
+	REQUIRE(VALID_REQUESTMGR(requestmgr));
+	REQUIRE(msgbuf != NULL);
+	REQUIRE(destaddr != NULL);
+	REQUIRE(task != NULL);
+	REQUIRE(action != NULL);
+	REQUIRE(requestp != NULL && *requestp == NULL);
+	REQUIRE(timeout > 0);
+	if (srcaddr != NULL) {
+		REQUIRE(isc_sockaddr_pf(srcaddr) == isc_sockaddr_pf(destaddr));
+	}
+
+	mctx = requestmgr->mctx;
+
+	req_log(ISC_LOG_DEBUG(3), "dns_request_createraw");
+
+	if (isblackholed(requestmgr->dispatchmgr, destaddr)) {
+		return (DNS_R_BLACKHOLED);
+	}
+
+	request = NULL;
+	result = new_request(mctx, &request);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	if (udptimeout == 0 && udpretries != 0) {
+		udptimeout = timeout / (udpretries + 1);
+		if (udptimeout == 0) {
+			udptimeout = 1;
+		}
+	}
+	request->udpcount = udpretries;
+	request->dscp = dscp;
+
+	/*
+	 * Create timer now.  We will set it below once.
+	 */
+	result = isc_timer_create(requestmgr->timermgr, isc_timertype_inactive,
+				  NULL, NULL, task, req_timeout, request,
+				  &request->timer);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	request->event = (dns_requestevent_t *)isc_event_allocate(
+		mctx, task, DNS_EVENT_REQUESTDONE, action, arg,
+		sizeof(dns_requestevent_t));
+	isc_task_attach(task, &tclone);
+	request->event->ev_sender = task;
+	request->event->request = request;
+	request->event->result = ISC_R_FAILURE;
+
+	isc_buffer_usedregion(msgbuf, &r);
+	if (r.length < DNS_MESSAGE_HEADERLEN || r.length > 65535) {
+		result = DNS_R_FORMERR;
+		goto cleanup;
+	}
+
+	if ((options & DNS_REQUESTOPT_TCP) != 0 || r.length > 512) {
+		tcp = true;
+	}
+	share = (options & DNS_REQUESTOPT_SHARE);
+
+again:
+	result = get_dispatch(tcp, newtcp, share, requestmgr, srcaddr, destaddr,
+			      dscp, &connected, &request->dispatch);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	if ((options & DNS_REQUESTOPT_FIXEDID) != 0) {
+		id = (r.base[0] << 8) | r.base[1];
+		dispopt |= DNS_DISPATCHOPT_FIXEDID;
+	}
+
+	result = dns_dispatch_addresponse(
+		request->dispatch, dispopt, destaddr, task, req_response,
+		request, &id, &request->dispentry, requestmgr->socketmgr);
+	if (result != ISC_R_SUCCESS) {
+		if ((options & DNS_REQUESTOPT_FIXEDID) != 0 && !newtcp) {
+			newtcp = true;
+			connected = false;
+			dns_dispatch_detach(&request->dispatch);
+			goto again;
+		}
+		goto cleanup;
+	}
+
+	sock = req_getsocket(request);
+	INSIST(sock != NULL);
+
+	isc_buffer_allocate(mctx, &request->query, r.length + (tcp ? 2 : 0));
+	if (tcp) {
+		isc_buffer_putuint16(request->query, (uint16_t)r.length);
+	}
+	result = isc_buffer_copyregion(request->query, &r);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	/* Add message ID. */
+	isc_buffer_usedregion(request->query, &r);
+	if (tcp) {
+		isc_region_consume(&r, 2);
+	}
+	r.base[0] = (id >> 8) & 0xff;
+	r.base[1] = id & 0xff;
+
+	LOCK(&requestmgr->lock);
+	if (requestmgr->exiting) {
+		UNLOCK(&requestmgr->lock);
+		result = ISC_R_SHUTTINGDOWN;
+		goto cleanup;
+	}
+	requestmgr_attach(requestmgr, &request->requestmgr);
+	request->hash = mgr_gethash(requestmgr);
+	ISC_LIST_APPEND(requestmgr->requests, request, link);
+	UNLOCK(&requestmgr->lock);
+
+	result = set_timer(request->timer, timeout, tcp ? 0 : udptimeout);
+	if (result != ISC_R_SUCCESS) {
+		goto unlink;
+	}
+
+	request->destaddr = *destaddr;
+	if (tcp && !connected) {
+		result = isc_socket_connect(sock, destaddr, task, req_connected,
+					    request);
+		if (result != ISC_R_SUCCESS) {
+			goto unlink;
+		}
+		request->flags |= DNS_REQUEST_F_CONNECTING | DNS_REQUEST_F_TCP;
+	} else {
+		result = req_send(request, task, connected ? NULL : destaddr);
+		if (result != ISC_R_SUCCESS) {
+			goto unlink;
+		}
+	}
+
+	req_log(ISC_LOG_DEBUG(3), "dns_request_createraw: request %p", request);
+	*requestp = request;
+	return (ISC_R_SUCCESS);
+
+unlink:
+	LOCK(&requestmgr->lock);
+	ISC_LIST_UNLINK(requestmgr->requests, request, link);
+	UNLOCK(&requestmgr->lock);
+
+cleanup:
+	if (tclone != NULL) {
+		isc_task_detach(&tclone);
+	}
+	req_destroy(request);
+	req_log(ISC_LOG_DEBUG(3), "dns_request_createraw: failed %s",
+		dns_result_totext(result));
+	return (result);
+}
+
+isc_result_t
+dns_request_create(dns_requestmgr_t *requestmgr, dns_message_t *message,
+		   const isc_sockaddr_t *address, unsigned int options,
+		   dns_tsigkey_t *key, unsigned int timeout, isc_task_t *task,
+		   isc_taskaction_t action, void *arg,
+		   dns_request_t **requestp) {
+	return (dns_request_createvia(requestmgr, message, NULL, address, -1,
+				      options, key, timeout, 0, 0, task, action,
+				      arg, requestp));
+}
+
+isc_result_t
+dns_request_createvia(dns_requestmgr_t *requestmgr, dns_message_t *message,
+		      const isc_sockaddr_t *srcaddr,
+		      const isc_sockaddr_t *destaddr, isc_dscp_t dscp,
+		      unsigned int options, dns_tsigkey_t *key,
+		      unsigned int timeout, unsigned int udptimeout,
+		      unsigned int udpretries, isc_task_t *task,
+		      isc_taskaction_t action, void *arg,
+		      dns_request_t **requestp) {
+	dns_request_t *request = NULL;
+	isc_task_t *tclone = NULL;
+	isc_socket_t *sock = NULL;
+	isc_result_t result;
+	isc_mem_t *mctx;
+	dns_messageid_t id;
+	bool tcp;
+	bool share;
+	bool settsigkey = true;
+	bool connected = false;
+
+	REQUIRE(VALID_REQUESTMGR(requestmgr));
+	REQUIRE(message != NULL);
+	REQUIRE(destaddr != NULL);
+	REQUIRE(task != NULL);
+	REQUIRE(action != NULL);
+	REQUIRE(requestp != NULL && *requestp == NULL);
+	REQUIRE(timeout > 0);
+
+	mctx = requestmgr->mctx;
+
+	req_log(ISC_LOG_DEBUG(3), "dns_request_createvia");
+
+	if (srcaddr != NULL &&
+	    isc_sockaddr_pf(srcaddr) != isc_sockaddr_pf(destaddr))
+	{
+		return (ISC_R_FAMILYMISMATCH);
+	}
+
+	if (isblackholed(requestmgr->dispatchmgr, destaddr)) {
+		return (DNS_R_BLACKHOLED);
+	}
+
+	request = NULL;
+	result = new_request(mctx, &request);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	if (udptimeout == 0 && udpretries != 0) {
+		udptimeout = timeout / (udpretries + 1);
+		if (udptimeout == 0) {
+			udptimeout = 1;
+		}
+	}
+	request->udpcount = udpretries;
+	request->dscp = dscp;
+
+	/*
+	 * Create timer now.  We will set it below once.
+	 */
+	result = isc_timer_create(requestmgr->timermgr, isc_timertype_inactive,
+				  NULL, NULL, task, req_timeout, request,
+				  &request->timer);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	request->event = (dns_requestevent_t *)isc_event_allocate(
+		mctx, task, DNS_EVENT_REQUESTDONE, action, arg,
+		sizeof(dns_requestevent_t));
+	isc_task_attach(task, &tclone);
+	request->event->ev_sender = task;
+	request->event->request = request;
+	request->event->result = ISC_R_FAILURE;
+	if (key != NULL) {
+		dns_tsigkey_attach(key, &request->tsigkey);
+	}
+
+use_tcp:
+	tcp = ((options & DNS_REQUESTOPT_TCP) != 0);
+	share = ((options & DNS_REQUESTOPT_SHARE) != 0);
+	result = get_dispatch(tcp, false, share, requestmgr, srcaddr, destaddr,
+			      dscp, &connected, &request->dispatch);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	result = dns_dispatch_addresponse(
+		request->dispatch, 0, destaddr, task, req_response, request,
+		&id, &request->dispentry, requestmgr->socketmgr);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	sock = req_getsocket(request);
+	INSIST(sock != NULL);
+
+	message->id = id;
+	if (settsigkey) {
+		result = dns_message_settsigkey(message, request->tsigkey);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+	}
+	result = req_render(message, &request->query, options, mctx);
+	if (result == DNS_R_USETCP && (options & DNS_REQUESTOPT_TCP) == 0) {
+		/*
+		 * Try again using TCP.
+		 */
+		dns_message_renderreset(message);
+		dns_dispatch_removeresponse(&request->dispentry, NULL);
+		dns_dispatch_detach(&request->dispatch);
+		sock = NULL;
+		options |= DNS_REQUESTOPT_TCP;
+		settsigkey = false;
+		goto use_tcp;
+	}
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	result = dns_message_getquerytsig(message, mctx, &request->tsig);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	LOCK(&requestmgr->lock);
+	if (requestmgr->exiting) {
+		UNLOCK(&requestmgr->lock);
+		result = ISC_R_SHUTTINGDOWN;
+		goto cleanup;
+	}
+	requestmgr_attach(requestmgr, &request->requestmgr);
+	request->hash = mgr_gethash(requestmgr);
+	ISC_LIST_APPEND(requestmgr->requests, request, link);
+	UNLOCK(&requestmgr->lock);
+
+	result = set_timer(request->timer, timeout, tcp ? 0 : udptimeout);
+	if (result != ISC_R_SUCCESS) {
+		goto unlink;
+	}
+
+	request->destaddr = *destaddr;
+	if (tcp && !connected) {
+		result = isc_socket_connect(sock, destaddr, task, req_connected,
+					    request);
+		if (result != ISC_R_SUCCESS) {
+			goto unlink;
+		}
+		request->flags |= DNS_REQUEST_F_CONNECTING | DNS_REQUEST_F_TCP;
+	} else {
+		result = req_send(request, task, connected ? NULL : destaddr);
+		if (result != ISC_R_SUCCESS) {
+			goto unlink;
+		}
+	}
+
+	req_log(ISC_LOG_DEBUG(3), "dns_request_createvia: request %p", request);
+	*requestp = request;
+	return (ISC_R_SUCCESS);
+
+unlink:
+	LOCK(&requestmgr->lock);
+	ISC_LIST_UNLINK(requestmgr->requests, request, link);
+	UNLOCK(&requestmgr->lock);
+
+cleanup:
+	if (tclone != NULL) {
+		isc_task_detach(&tclone);
+	}
+	req_destroy(request);
+	req_log(ISC_LOG_DEBUG(3), "dns_request_createvia: failed %s",
+		dns_result_totext(result));
+	return (result);
+}
+
+static isc_result_t
+req_render(dns_message_t *message, isc_buffer_t **bufferp, unsigned int options,
+	   isc_mem_t *mctx) {
+	isc_buffer_t *buf1 = NULL;
+	isc_buffer_t *buf2 = NULL;
+	isc_result_t result;
+	isc_region_t r;
+	bool tcp = false;
+	dns_compress_t cctx;
+	bool cleanup_cctx = false;
+
+	REQUIRE(bufferp != NULL && *bufferp == NULL);
+
+	req_log(ISC_LOG_DEBUG(3), "request_render");
+
+	/*
+	 * Create buffer able to hold largest possible message.
+	 */
+	isc_buffer_allocate(mctx, &buf1, 65535);
+
+	result = dns_compress_init(&cctx, -1, mctx);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	cleanup_cctx = true;
+
+	if ((options & DNS_REQUESTOPT_CASE) != 0) {
+		dns_compress_setsensitive(&cctx, true);
+	}
+
+	/*
+	 * Render message.
+	 */
+	result = dns_message_renderbegin(message, &cctx, buf1);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	result = dns_message_rendersection(message, DNS_SECTION_QUESTION, 0);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	result = dns_message_rendersection(message, DNS_SECTION_ANSWER, 0);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	result = dns_message_rendersection(message, DNS_SECTION_AUTHORITY, 0);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	result = dns_message_rendersection(message, DNS_SECTION_ADDITIONAL, 0);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	result = dns_message_renderend(message);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	dns_compress_invalidate(&cctx);
+	cleanup_cctx = false;
+
+	/*
+	 * Copy rendered message to exact sized buffer.
+	 */
+	isc_buffer_usedregion(buf1, &r);
+	if ((options & DNS_REQUESTOPT_TCP) != 0) {
+		tcp = true;
+	} else if (r.length > 512) {
+		result = DNS_R_USETCP;
+		goto cleanup;
+	}
+	isc_buffer_allocate(mctx, &buf2, r.length + (tcp ? 2 : 0));
+	if (tcp) {
+		isc_buffer_putuint16(buf2, (uint16_t)r.length);
+	}
+	result = isc_buffer_copyregion(buf2, &r);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	/*
+	 * Cleanup and return.
+	 */
+	isc_buffer_free(&buf1);
+	*bufferp = buf2;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	dns_message_renderreset(message);
+	if (buf1 != NULL) {
+		isc_buffer_free(&buf1);
+	}
+	if (buf2 != NULL) {
+		isc_buffer_free(&buf2);
+	}
+	if (cleanup_cctx) {
+		dns_compress_invalidate(&cctx);
+	}
+	return (result);
+}
+
+/*
+ * If this request is no longer waiting for events,
+ * send the completion event.  This will ultimately
+ * cause the request to be destroyed.
+ *
+ * Requires:
+ *	'request' is locked by the caller.
+ */
+static void
+send_if_done(dns_request_t *request, isc_result_t result) {
+	if (request->event != NULL && !request->canceling) {
+		req_sendevent(request, result);
+	}
+}
+
+/*
+ * Handle the control event.
+ */
+static void
+do_cancel(isc_task_t *task, isc_event_t *event) {
+	dns_request_t *request = event->ev_arg;
+	UNUSED(task);
+	INSIST(event->ev_type == DNS_EVENT_REQUESTCONTROL);
+	LOCK(&request->requestmgr->locks[request->hash]);
+	request->canceling = false;
+	if (!DNS_REQUEST_CANCELED(request)) {
+		req_cancel(request);
+	}
+	send_if_done(request, ISC_R_CANCELED);
+	UNLOCK(&request->requestmgr->locks[request->hash]);
+}
+
+void
+dns_request_cancel(dns_request_t *request) {
+	REQUIRE(VALID_REQUEST(request));
+
+	req_log(ISC_LOG_DEBUG(3), "dns_request_cancel: request %p", request);
+
+	REQUIRE(VALID_REQUEST(request));
+
+	LOCK(&request->requestmgr->locks[request->hash]);
+	if (!request->canceling && !DNS_REQUEST_CANCELED(request)) {
+		isc_event_t *ev = &request->ctlevent;
+		isc_task_send(request->event->ev_sender, &ev);
+		request->canceling = true;
+	}
+	UNLOCK(&request->requestmgr->locks[request->hash]);
+}
+
+isc_result_t
+dns_request_getresponse(dns_request_t *request, dns_message_t *message,
+			unsigned int options) {
+	isc_result_t result;
+
+	REQUIRE(VALID_REQUEST(request));
+	REQUIRE(request->answer != NULL);
+
+	req_log(ISC_LOG_DEBUG(3), "dns_request_getresponse: request %p",
+		request);
+
+	result = dns_message_setquerytsig(message, request->tsig);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	result = dns_message_settsigkey(message, request->tsigkey);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	result = dns_message_parse(message, request->answer, options);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	if (request->tsigkey != NULL) {
+		result = dns_tsig_verify(request->answer, message, NULL, NULL);
+	}
+	return (result);
+}
+
+isc_buffer_t *
+dns_request_getanswer(dns_request_t *request) {
+	REQUIRE(VALID_REQUEST(request));
+
+	return (request->answer);
+}
+
+bool
+dns_request_usedtcp(dns_request_t *request) {
+	REQUIRE(VALID_REQUEST(request));
+
+	return ((request->flags & DNS_REQUEST_F_TCP) != 0);
+}
+
+void
+dns_request_destroy(dns_request_t **requestp) {
+	dns_request_t *request;
+
+	REQUIRE(requestp != NULL && VALID_REQUEST(*requestp));
+
+	request = *requestp;
+	*requestp = NULL;
+
+	req_log(ISC_LOG_DEBUG(3), "dns_request_destroy: request %p", request);
+
+	LOCK(&request->requestmgr->lock);
+	LOCK(&request->requestmgr->locks[request->hash]);
+	ISC_LIST_UNLINK(request->requestmgr->requests, request, link);
+	INSIST(!DNS_REQUEST_CONNECTING(request));
+	INSIST(!DNS_REQUEST_SENDING(request));
+	UNLOCK(&request->requestmgr->locks[request->hash]);
+	UNLOCK(&request->requestmgr->lock);
+
+	/*
+	 * These should have been cleaned up by req_cancel() before
+	 * the completion event was sent.
+	 */
+	INSIST(!ISC_LINK_LINKED(request, link));
+	INSIST(request->dispentry == NULL);
+	INSIST(request->dispatch == NULL);
+	INSIST(request->timer == NULL);
+
+	req_destroy(request);
+}
+
+/***
+ *** Private: request.
+ ***/
+
+static isc_socket_t *
+req_getsocket(dns_request_t *request) {
+	unsigned int dispattr;
+	isc_socket_t *sock;
+
+	dispattr = dns_dispatch_getattributes(request->dispatch);
+	if ((dispattr & DNS_DISPATCHATTR_EXCLUSIVE) != 0) {
+		INSIST(request->dispentry != NULL);
+		sock = dns_dispatch_getentrysocket(request->dispentry);
+	} else {
+		sock = dns_dispatch_getsocket(request->dispatch);
+	}
+
+	return (sock);
+}
+
+static void
+req_connected(isc_task_t *task, isc_event_t *event) {
+	isc_socketevent_t *sevent = (isc_socketevent_t *)event;
+	isc_result_t result;
+	dns_request_t *request = event->ev_arg;
+
+	REQUIRE(event->ev_type == ISC_SOCKEVENT_CONNECT);
+	REQUIRE(VALID_REQUEST(request));
+	REQUIRE(DNS_REQUEST_CONNECTING(request));
+
+	req_log(ISC_LOG_DEBUG(3), "req_connected: request %p", request);
+
+	result = sevent->result;
+	isc_event_free(&event);
+
+	LOCK(&request->requestmgr->locks[request->hash]);
+	request->flags &= ~DNS_REQUEST_F_CONNECTING;
+
+	if (DNS_REQUEST_CANCELED(request)) {
+		/*
+		 * Send delayed event.
+		 */
+		if (DNS_REQUEST_TIMEDOUT(request)) {
+			send_if_done(request, ISC_R_TIMEDOUT);
+		} else {
+			send_if_done(request, ISC_R_CANCELED);
+		}
+	} else {
+		dns_dispatch_starttcp(request->dispatch);
+		if (result == ISC_R_SUCCESS) {
+			result = req_send(request, task, NULL);
+		}
+
+		if (result != ISC_R_SUCCESS) {
+			req_cancel(request);
+			send_if_done(request, ISC_R_CANCELED);
+		}
+	}
+	UNLOCK(&request->requestmgr->locks[request->hash]);
+}
+
+static void
+req_senddone(isc_task_t *task, isc_event_t *event) {
+	isc_socketevent_t *sevent = (isc_socketevent_t *)event;
+	dns_request_t *request = event->ev_arg;
+	isc_result_t result = sevent->result;
+
+	REQUIRE(event->ev_type == ISC_SOCKEVENT_SENDDONE);
+	REQUIRE(VALID_REQUEST(request));
+	REQUIRE(DNS_REQUEST_SENDING(request));
+
+	req_log(ISC_LOG_DEBUG(3), "req_senddone: request %p", request);
+
+	UNUSED(task);
+
+	isc_event_free(&event);
+
+	LOCK(&request->requestmgr->locks[request->hash]);
+	request->flags &= ~DNS_REQUEST_F_SENDING;
+
+	if (DNS_REQUEST_CANCELED(request)) {
+		/*
+		 * Send delayed event.
+		 */
+		if (DNS_REQUEST_TIMEDOUT(request)) {
+			send_if_done(request, ISC_R_TIMEDOUT);
+		} else {
+			send_if_done(request, ISC_R_CANCELED);
+		}
+	} else if (result != ISC_R_SUCCESS) {
+		req_cancel(request);
+		send_if_done(request, ISC_R_CANCELED);
+	}
+	UNLOCK(&request->requestmgr->locks[request->hash]);
+}
+
+static void
+req_response(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result;
+	dns_request_t *request = event->ev_arg;
+	dns_dispatchevent_t *devent = (dns_dispatchevent_t *)event;
+	isc_region_t r;
+
+	REQUIRE(VALID_REQUEST(request));
+	REQUIRE(event->ev_type == DNS_EVENT_DISPATCH);
+
+	UNUSED(task);
+
+	req_log(ISC_LOG_DEBUG(3), "req_response: request %p: %s", request,
+		dns_result_totext(devent->result));
+
+	LOCK(&request->requestmgr->locks[request->hash]);
+	result = devent->result;
+	if (result != ISC_R_SUCCESS) {
+		goto done;
+	}
+
+	/*
+	 * Copy buffer to request.
+	 */
+	isc_buffer_usedregion(&devent->buffer, &r);
+	isc_buffer_allocate(request->mctx, &request->answer, r.length);
+	result = isc_buffer_copyregion(request->answer, &r);
+	if (result != ISC_R_SUCCESS) {
+		isc_buffer_free(&request->answer);
+	}
+done:
+	/*
+	 * Cleanup.
+	 */
+	dns_dispatch_removeresponse(&request->dispentry, &devent);
+	req_cancel(request);
+	/*
+	 * Send completion event.
+	 */
+	send_if_done(request, result);
+	UNLOCK(&request->requestmgr->locks[request->hash]);
+}
+
+static void
+req_timeout(isc_task_t *task, isc_event_t *event) {
+	dns_request_t *request = event->ev_arg;
+	isc_result_t result;
+	isc_eventtype_t ev_type = event->ev_type;
+
+	REQUIRE(VALID_REQUEST(request));
+
+	req_log(ISC_LOG_DEBUG(3), "req_timeout: request %p", request);
+
+	UNUSED(task);
+
+	isc_event_free(&event);
+
+	LOCK(&request->requestmgr->locks[request->hash]);
+	if (ev_type == ISC_TIMEREVENT_TICK && request->udpcount-- != 0) {
+		if (!DNS_REQUEST_SENDING(request)) {
+			result = req_send(request, task, &request->destaddr);
+			if (result != ISC_R_SUCCESS) {
+				req_cancel(request);
+				send_if_done(request, result);
+			}
+		}
+	} else {
+		request->flags |= DNS_REQUEST_F_TIMEDOUT;
+		req_cancel(request);
+		send_if_done(request, ISC_R_TIMEDOUT);
+	}
+	UNLOCK(&request->requestmgr->locks[request->hash]);
+}
+
+static void
+req_sendevent(dns_request_t *request, isc_result_t result) {
+	isc_task_t *task;
+
+	REQUIRE(VALID_REQUEST(request));
+
+	req_log(ISC_LOG_DEBUG(3), "req_sendevent: request %p", request);
+
+	/*
+	 * Lock held by caller.
+	 */
+	task = request->event->ev_sender;
+	request->event->ev_sender = request;
+	request->event->result = result;
+	isc_task_sendanddetach(&task, (isc_event_t **)&request->event);
+}
+
+static void
+req_destroy(dns_request_t *request) {
+	REQUIRE(VALID_REQUEST(request));
+
+	req_log(ISC_LOG_DEBUG(3), "req_destroy: request %p", request);
+
+	request->magic = 0;
+	if (request->query != NULL) {
+		isc_buffer_free(&request->query);
+	}
+	if (request->answer != NULL) {
+		isc_buffer_free(&request->answer);
+	}
+	if (request->event != NULL) {
+		isc_event_free((isc_event_t **)&request->event);
+	}
+	if (request->dispentry != NULL) {
+		dns_dispatch_removeresponse(&request->dispentry, NULL);
+	}
+	if (request->dispatch != NULL) {
+		dns_dispatch_detach(&request->dispatch);
+	}
+	if (request->timer != NULL) {
+		isc_timer_destroy(&request->timer);
+	}
+	if (request->tsig != NULL) {
+		isc_buffer_free(&request->tsig);
+	}
+	if (request->tsigkey != NULL) {
+		dns_tsigkey_detach(&request->tsigkey);
+	}
+	if (request->requestmgr != NULL) {
+		requestmgr_detach(&request->requestmgr);
+	}
+	isc_mem_putanddetach(&request->mctx, request, sizeof(*request));
+}
+
+/*
+ * Stop the current request.  Must be called from the request's task.
+ */
+static void
+req_cancel(dns_request_t *request) {
+	isc_socket_t *sock;
+	unsigned int dispattr;
+
+	REQUIRE(VALID_REQUEST(request));
+
+	req_log(ISC_LOG_DEBUG(3), "req_cancel: request %p", request);
+
+	/*
+	 * Lock held by caller.
+	 */
+	request->flags |= DNS_REQUEST_F_CANCELED;
+
+	if (request->timer != NULL) {
+		isc_timer_destroy(&request->timer);
+	}
+	dispattr = dns_dispatch_getattributes(request->dispatch);
+	sock = NULL;
+	if (DNS_REQUEST_CONNECTING(request) || DNS_REQUEST_SENDING(request)) {
+		if ((dispattr & DNS_DISPATCHATTR_EXCLUSIVE) != 0) {
+			if (request->dispentry != NULL) {
+				sock = dns_dispatch_getentrysocket(
+					request->dispentry);
+			}
+		} else {
+			sock = dns_dispatch_getsocket(request->dispatch);
+		}
+		if (DNS_REQUEST_CONNECTING(request) && sock != NULL) {
+			isc_socket_cancel(sock, NULL, ISC_SOCKCANCEL_CONNECT);
+		}
+		if (DNS_REQUEST_SENDING(request) && sock != NULL) {
+			isc_socket_cancel(sock, NULL, ISC_SOCKCANCEL_SEND);
+		}
+	}
+	if (request->dispentry != NULL) {
+		dns_dispatch_removeresponse(&request->dispentry, NULL);
+	}
+	dns_dispatch_detach(&request->dispatch);
+}
+
+static void
+req_log(int level, const char *fmt, ...) {
+	va_list ap;
+
+	va_start(ap, fmt);
+	isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_REQUEST,
+		       level, fmt, ap);
+	va_end(ap);
+}
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
new file mode 100644
index 0000000..a97aaa8
--- /dev/null
+++ b/lib/dns/resolver.c
@@ -0,0 +1,12095 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <ctype.h>
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/atomic.h>
+#include <isc/counter.h>
+#include <isc/log.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/random.h>
+#include <isc/refcount.h>
+#include <isc/siphash.h>
+#include <isc/socket.h>
+#include <isc/stats.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/acl.h>
+#include <dns/adb.h>
+#include <dns/badcache.h>
+#include <dns/cache.h>
+#include <dns/db.h>
+#include <dns/dispatch.h>
+#include <dns/dnstap.h>
+#include <dns/ds.h>
+#include <dns/edns.h>
+#include <dns/events.h>
+#include <dns/forward.h>
+#include <dns/keytable.h>
+#include <dns/log.h>
+#include <dns/message.h>
+#include <dns/ncache.h>
+#include <dns/nsec.h>
+#include <dns/nsec3.h>
+#include <dns/opcode.h>
+#include <dns/peer.h>
+#include <dns/rbt.h>
+#include <dns/rcode.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/resolver.h>
+#include <dns/result.h>
+#include <dns/rootns.h>
+#include <dns/stats.h>
+#include <dns/tsig.h>
+#include <dns/validator.h>
+#include <dns/zone.h>
+
+#ifdef WANT_QUERYTRACE
+#define RTRACE(m)                                                             \
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,                     \
+		      DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3), "res %p: %s", \
+		      res, (m))
+#define RRTRACE(r, m)                                                         \
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,                     \
+		      DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3), "res %p: %s", \
+		      (r), (m))
+#define FCTXTRACE(m)                                            \
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,       \
+		      DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3), \
+		      "fctx %p(%s): %s", fctx, fctx->info, (m))
+#define FCTXTRACE2(m1, m2)                                      \
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,       \
+		      DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3), \
+		      "fctx %p(%s): %s %s", fctx, fctx->info, (m1), (m2))
+#define FCTXTRACE3(m, res)                                              \
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,               \
+		      DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),         \
+		      "fctx %p(%s): [result: %s] %s", fctx, fctx->info, \
+		      isc_result_totext(res), (m))
+#define FCTXTRACE4(m1, m2, res)                                            \
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,                  \
+		      DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),            \
+		      "fctx %p(%s): [result: %s] %s %s", fctx, fctx->info, \
+		      isc_result_totext(res), (m1), (m2))
+#define FCTXTRACE5(m1, m2, v)                                               \
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,                   \
+		      DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),             \
+		      "fctx %p(%s): %s %s%u", fctx, fctx->info, (m1), (m2), \
+		      (v))
+#define FTRACE(m)                                                          \
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,                  \
+		      DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),            \
+		      "fetch %p (fctx %p(%s)): %s", fetch, fetch->private, \
+		      fetch->private->info, (m))
+#define QTRACE(m)                                                          \
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,                  \
+		      DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),            \
+		      "resquery %p (fctx %p(%s)): %s", query, query->fctx, \
+		      query->fctx->info, (m))
+#else /* ifdef WANT_QUERYTRACE */
+#define RTRACE(m)          \
+	do {               \
+		UNUSED(m); \
+	} while (0)
+#define RRTRACE(r, m)      \
+	do {               \
+		UNUSED(r); \
+		UNUSED(m); \
+	} while (0)
+#define FCTXTRACE(m)       \
+	do {               \
+		UNUSED(m); \
+	} while (0)
+#define FCTXTRACE2(m1, m2)  \
+	do {                \
+		UNUSED(m1); \
+		UNUSED(m2); \
+	} while (0)
+#define FCTXTRACE3(m1, res)  \
+	do {                 \
+		UNUSED(m1);  \
+		UNUSED(res); \
+	} while (0)
+#define FCTXTRACE4(m1, m2, res) \
+	do {                    \
+		UNUSED(m1);     \
+		UNUSED(m2);     \
+		UNUSED(res);    \
+	} while (0)
+#define FCTXTRACE5(m1, m2, v) \
+	do {                  \
+		UNUSED(m1);   \
+		UNUSED(m2);   \
+		UNUSED(v);    \
+	} while (0)
+#define FTRACE(m)          \
+	do {               \
+		UNUSED(m); \
+	} while (0)
+#define QTRACE(m)          \
+	do {               \
+		UNUSED(m); \
+	} while (0)
+#endif /* WANT_QUERYTRACE */
+
+#define US_PER_SEC  1000000U
+#define US_PER_MSEC 1000U
+/*
+ * The maximum time we will wait for a single query.
+ */
+#define MAX_SINGLE_QUERY_TIMEOUT    9000U
+#define MAX_SINGLE_QUERY_TIMEOUT_US (MAX_SINGLE_QUERY_TIMEOUT * US_PER_MSEC)
+
+/*
+ * We need to allow a individual query time to complete / timeout.
+ */
+#define MINIMUM_QUERY_TIMEOUT (MAX_SINGLE_QUERY_TIMEOUT + 1000U)
+
+/* The default time in seconds for the whole query to live. */
+#ifndef DEFAULT_QUERY_TIMEOUT
+#define DEFAULT_QUERY_TIMEOUT MINIMUM_QUERY_TIMEOUT
+#endif /* ifndef DEFAULT_QUERY_TIMEOUT */
+
+/* The maximum time in seconds for the whole query to live. */
+#ifndef MAXIMUM_QUERY_TIMEOUT
+#define MAXIMUM_QUERY_TIMEOUT 30000
+#endif /* ifndef MAXIMUM_QUERY_TIMEOUT */
+
+/* The default maximum number of recursions to follow before giving up. */
+#ifndef DEFAULT_RECURSION_DEPTH
+#define DEFAULT_RECURSION_DEPTH 7
+#endif /* ifndef DEFAULT_RECURSION_DEPTH */
+
+/* The default maximum number of iterative queries to allow before giving up. */
+#ifndef DEFAULT_MAX_QUERIES
+#define DEFAULT_MAX_QUERIES 100
+#endif /* ifndef DEFAULT_MAX_QUERIES */
+
+/*
+ * After NS_FAIL_LIMIT attempts to fetch a name server address,
+ * if the number of addresses in the NS RRset exceeds NS_RR_LIMIT,
+ * stop trying to fetch, in order to avoid wasting resources.
+ */
+#define NS_FAIL_LIMIT 4
+#define NS_RR_LIMIT   5
+/*
+ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
+ * any NS RRset encountered, to avoid excessive resource use while processing
+ * large delegations.
+ */
+#define NS_PROCESSING_LIMIT 20
+
+/* Number of hash buckets for zone counters */
+#ifndef RES_DOMAIN_BUCKETS
+#define RES_DOMAIN_BUCKETS 523
+#endif /* ifndef RES_DOMAIN_BUCKETS */
+#define RES_NOBUCKET 0xffffffff
+
+/*%
+ * Maximum EDNS0 input packet size.
+ */
+#define RECV_BUFFER_SIZE 4096 /* XXXRTH  Constant. */
+
+/*%
+ * This defines the maximum number of timeouts we will permit before we
+ * disable EDNS0 on the query.
+ */
+#define MAX_EDNS0_TIMEOUTS 3
+
+#define DNS_RESOLVER_BADCACHESIZE 1021
+#define DNS_RESOLVER_BADCACHETTL(fctx) \
+	(((fctx)->res->lame_ttl > 30) ? (fctx)->res->lame_ttl : 30)
+
+typedef struct fetchctx fetchctx_t;
+
+typedef struct query {
+	/* Locked by task event serialization. */
+	unsigned int magic;
+	fetchctx_t *fctx;
+	dns_message_t *rmessage;
+	isc_mem_t *mctx;
+	dns_dispatchmgr_t *dispatchmgr;
+	dns_dispatch_t *dispatch;
+	bool exclusivesocket;
+	dns_adbaddrinfo_t *addrinfo;
+	isc_socket_t *tcpsocket;
+	isc_time_t start;
+	dns_messageid_t id;
+	dns_dispentry_t *dispentry;
+	ISC_LINK(struct query) link;
+	isc_buffer_t buffer;
+	isc_buffer_t *tsig;
+	dns_tsigkey_t *tsigkey;
+	isc_socketevent_t sendevent;
+	isc_dscp_t dscp;
+	int ednsversion;
+	unsigned int options;
+	isc_sockeventattr_t attributes;
+	unsigned int sends;
+	unsigned int connects;
+	unsigned int udpsize;
+	unsigned char data[512];
+} resquery_t;
+
+struct tried {
+	isc_sockaddr_t addr;
+	unsigned int count;
+	ISC_LINK(struct tried) link;
+};
+
+#define QUERY_MAGIC	   ISC_MAGIC('Q', '!', '!', '!')
+#define VALID_QUERY(query) ISC_MAGIC_VALID(query, QUERY_MAGIC)
+
+#define RESQUERY_ATTR_CANCELED 0x02
+
+#define RESQUERY_CONNECTING(q) ((q)->connects > 0)
+#define RESQUERY_CANCELED(q)   (((q)->attributes & RESQUERY_ATTR_CANCELED) != 0)
+#define RESQUERY_SENDING(q)    ((q)->sends > 0)
+
+typedef enum {
+	fetchstate_init = 0, /*%< Start event has not run yet. */
+	fetchstate_active,
+	fetchstate_done /*%< FETCHDONE events posted. */
+} fetchstate;
+
+typedef enum {
+	badns_unreachable = 0,
+	badns_response,
+	badns_validation,
+	badns_forwarder,
+} badnstype_t;
+
+struct fetchctx {
+	/*% Not locked. */
+	unsigned int magic;
+	dns_resolver_t *res;
+	dns_name_t name;
+	dns_rdatatype_t type;
+	unsigned int options;
+	unsigned int bucketnum;
+	unsigned int dbucketnum;
+	char *info;
+	isc_mem_t *mctx;
+	isc_stdtime_t now;
+
+	/* Atomic */
+	isc_refcount_t references;
+
+	/*% Locked by appropriate bucket lock. */
+	fetchstate state;
+	bool want_shutdown;
+	bool cloned;
+	bool spilled;
+	isc_event_t control_event;
+	ISC_LINK(struct fetchctx) link;
+	ISC_LIST(dns_fetchevent_t) events;
+
+	/*% Locked by task event serialization. */
+	dns_name_t domain;
+	dns_rdataset_t nameservers;
+	atomic_uint_fast32_t attributes;
+	isc_timer_t *timer;
+	isc_timer_t *timer_try_stale;
+	isc_time_t expires;
+	isc_time_t expires_try_stale;
+	isc_interval_t interval;
+	dns_message_t *qmessage;
+	ISC_LIST(resquery_t) queries;
+	dns_adbfindlist_t finds;
+	dns_adbfind_t *find;
+	/*
+	 * altfinds are names and/or addresses of dual stack servers that
+	 * should be used when iterative resolution to a server is not
+	 * possible because the address family of that server is not usable.
+	 */
+	dns_adbfindlist_t altfinds;
+	dns_adbfind_t *altfind;
+	dns_adbaddrinfolist_t forwaddrs;
+	dns_adbaddrinfolist_t altaddrs;
+	dns_forwarderlist_t forwarders;
+	dns_fwdpolicy_t fwdpolicy;
+	isc_sockaddrlist_t bad;
+	ISC_LIST(struct tried) edns;
+	ISC_LIST(struct tried) edns512;
+	isc_sockaddrlist_t bad_edns;
+	dns_validator_t *validator;
+	ISC_LIST(dns_validator_t) validators;
+	dns_db_t *cache;
+	dns_adb_t *adb;
+	bool ns_ttl_ok;
+	uint32_t ns_ttl;
+	isc_counter_t *qc;
+	bool minimized;
+	unsigned int qmin_labels;
+	isc_result_t qmin_warning;
+	bool ip6arpaskip;
+	bool forwarding;
+	dns_name_t qminname;
+	dns_rdatatype_t qmintype;
+	dns_fetch_t *qminfetch;
+	dns_rdataset_t qminrrset;
+	dns_name_t qmindcname;
+	dns_fixedname_t fwdfname;
+	dns_name_t *fwdname;
+
+	/*%
+	 * The number of events we're waiting for.
+	 */
+	unsigned int pending; /* Bucket lock. */
+
+	/*%
+	 * The number of times we've "restarted" the current
+	 * nameserver set.  This acts as a failsafe to prevent
+	 * us from pounding constantly on a particular set of
+	 * servers that, for whatever reason, are not giving
+	 * us useful responses, but are responding in such a
+	 * way that they are not marked "bad".
+	 */
+	unsigned int restarts;
+
+	/*%
+	 * The number of timeouts that have occurred since we
+	 * last successfully received a response packet.  This
+	 * is used for EDNS0 black hole detection.
+	 */
+	unsigned int timeouts;
+
+	/*%
+	 * Look aside state for DS lookups.
+	 */
+	dns_name_t nsname;
+	dns_fetch_t *nsfetch;
+	dns_rdataset_t nsrrset;
+
+	/*%
+	 * Number of queries that reference this context.
+	 */
+	unsigned int nqueries; /* Bucket lock. */
+
+	/*%
+	 * The reason to print when logging a successful
+	 * response to a query.
+	 */
+	const char *reason;
+
+	/*%
+	 * Random numbers to use for mixing up server addresses.
+	 */
+	uint32_t rand_buf;
+	uint32_t rand_bits;
+
+	/*%
+	 * Fetch-local statistics for detailed logging.
+	 */
+	isc_result_t result;  /*%< fetch result  */
+	isc_result_t vresult; /*%< validation result  */
+	int exitline;
+	isc_time_t start;
+	uint64_t duration;
+	bool logged;
+	unsigned int querysent;
+	unsigned int referrals;
+	unsigned int lamecount;
+	unsigned int quotacount;
+	unsigned int neterr;
+	unsigned int badresp;
+	unsigned int adberr;
+	unsigned int findfail;
+	unsigned int valfail;
+	bool timeout;
+	dns_adbaddrinfo_t *addrinfo;
+	dns_messageid_t id;
+	unsigned int depth;
+	char clientstr[ISC_SOCKADDR_FORMATSIZE];
+};
+
+#define FCTX_MAGIC	 ISC_MAGIC('F', '!', '!', '!')
+#define VALID_FCTX(fctx) ISC_MAGIC_VALID(fctx, FCTX_MAGIC)
+
+#define FCTX_ATTR_HAVEANSWER   0x0001
+#define FCTX_ATTR_GLUING       0x0002
+#define FCTX_ATTR_ADDRWAIT     0x0004
+#define FCTX_ATTR_SHUTTINGDOWN 0x0008 /* Bucket lock */
+#define FCTX_ATTR_WANTCACHE    0x0010
+#define FCTX_ATTR_WANTNCACHE   0x0020
+#define FCTX_ATTR_NEEDEDNS0    0x0040
+#define FCTX_ATTR_TRIEDFIND    0x0080
+#define FCTX_ATTR_TRIEDALT     0x0100
+
+#define HAVE_ANSWER(f) \
+	((atomic_load_acquire(&(f)->attributes) & FCTX_ATTR_HAVEANSWER) != 0)
+#define GLUING(f) \
+	((atomic_load_acquire(&(f)->attributes) & FCTX_ATTR_GLUING) != 0)
+#define ADDRWAIT(f) \
+	((atomic_load_acquire(&(f)->attributes) & FCTX_ATTR_ADDRWAIT) != 0)
+#define SHUTTINGDOWN(f) \
+	((atomic_load_acquire(&(f)->attributes) & FCTX_ATTR_SHUTTINGDOWN) != 0)
+#define WANTCACHE(f) \
+	((atomic_load_acquire(&(f)->attributes) & FCTX_ATTR_WANTCACHE) != 0)
+#define WANTNCACHE(f) \
+	((atomic_load_acquire(&(f)->attributes) & FCTX_ATTR_WANTNCACHE) != 0)
+#define NEEDEDNS0(f) \
+	((atomic_load_acquire(&(f)->attributes) & FCTX_ATTR_NEEDEDNS0) != 0)
+#define TRIEDFIND(f) \
+	((atomic_load_acquire(&(f)->attributes) & FCTX_ATTR_TRIEDFIND) != 0)
+#define TRIEDALT(f) \
+	((atomic_load_acquire(&(f)->attributes) & FCTX_ATTR_TRIEDALT) != 0)
+
+#define FCTX_ATTR_SET(f, a) atomic_fetch_or_release(&(f)->attributes, (a))
+#define FCTX_ATTR_CLR(f, a) atomic_fetch_and_release(&(f)->attributes, ~(a))
+
+typedef struct {
+	dns_adbaddrinfo_t *addrinfo;
+	fetchctx_t *fctx;
+	dns_message_t *message;
+} dns_valarg_t;
+
+struct dns_fetch {
+	unsigned int magic;
+	isc_mem_t *mctx;
+	fetchctx_t *private;
+};
+
+#define DNS_FETCH_MAGIC	       ISC_MAGIC('F', 't', 'c', 'h')
+#define DNS_FETCH_VALID(fetch) ISC_MAGIC_VALID(fetch, DNS_FETCH_MAGIC)
+
+typedef struct fctxbucket {
+	isc_task_t *task;
+	isc_mutex_t lock;
+	ISC_LIST(fetchctx_t) fctxs;
+	atomic_bool exiting;
+	isc_mem_t *mctx;
+} fctxbucket_t;
+
+typedef struct fctxcount fctxcount_t;
+struct fctxcount {
+	dns_fixedname_t fdname;
+	dns_name_t *domain;
+	uint32_t count;
+	uint32_t allowed;
+	uint32_t dropped;
+	isc_stdtime_t logged;
+	ISC_LINK(fctxcount_t) link;
+};
+
+typedef struct zonebucket {
+	isc_mutex_t lock;
+	isc_mem_t *mctx;
+	ISC_LIST(fctxcount_t) list;
+} zonebucket_t;
+
+typedef struct alternate {
+	bool isaddress;
+	union {
+		isc_sockaddr_t addr;
+		struct {
+			dns_name_t name;
+			in_port_t port;
+		} _n;
+	} _u;
+	ISC_LINK(struct alternate) link;
+} alternate_t;
+
+struct dns_resolver {
+	/* Unlocked. */
+	unsigned int magic;
+	isc_mem_t *mctx;
+	isc_mutex_t lock;
+	isc_mutex_t primelock;
+	dns_rdataclass_t rdclass;
+	isc_socketmgr_t *socketmgr;
+	isc_timermgr_t *timermgr;
+	isc_taskmgr_t *taskmgr;
+	dns_view_t *view;
+	bool frozen;
+	unsigned int options;
+	dns_dispatchmgr_t *dispatchmgr;
+	dns_dispatchset_t *dispatches4;
+	bool exclusivev4;
+	dns_dispatchset_t *dispatches6;
+	isc_dscp_t querydscp4;
+	isc_dscp_t querydscp6;
+	bool exclusivev6;
+	unsigned int nbuckets;
+	fctxbucket_t *buckets;
+	zonebucket_t *dbuckets;
+	uint32_t lame_ttl;
+	ISC_LIST(alternate_t) alternates;
+	uint16_t udpsize;
+#if USE_ALGLOCK
+	isc_rwlock_t alglock;
+#endif /* if USE_ALGLOCK */
+	dns_rbt_t *algorithms;
+	dns_rbt_t *digests;
+#if USE_MBSLOCK
+	isc_rwlock_t mbslock;
+#endif /* if USE_MBSLOCK */
+	dns_rbt_t *mustbesecure;
+	unsigned int spillatmax;
+	unsigned int spillatmin;
+	isc_timer_t *spillattimer;
+	bool zero_no_soa_ttl;
+	unsigned int query_timeout;
+	unsigned int maxdepth;
+	unsigned int maxqueries;
+	isc_result_t quotaresp[2];
+
+	/* Additions for serve-stale feature. */
+	unsigned int retryinterval; /* in milliseconds */
+	unsigned int nonbackofftries;
+
+	/* Atomic */
+	isc_refcount_t references;
+	atomic_uint_fast32_t zspill; /* fetches-per-zone */
+	atomic_bool exiting;
+	atomic_bool priming;
+
+	/* Locked by lock. */
+	isc_eventlist_t whenshutdown;
+	unsigned int activebuckets;
+	unsigned int spillat; /* clients-per-query */
+
+	dns_badcache_t *badcache; /* Bad cache. */
+
+	/* Locked by primelock. */
+	dns_fetch_t *primefetch;
+
+	/* Atomic. */
+	atomic_uint_fast32_t nfctx;
+};
+
+#define RES_MAGIC	    ISC_MAGIC('R', 'e', 's', '!')
+#define VALID_RESOLVER(res) ISC_MAGIC_VALID(res, RES_MAGIC)
+
+/*%
+ * Private addrinfo flags.  These must not conflict with DNS_FETCHOPT_NOEDNS0
+ * (0x008) which we also use as an addrinfo flag.
+ */
+#define FCTX_ADDRINFO_MARK	0x00001
+#define FCTX_ADDRINFO_FORWARDER 0x01000
+#define FCTX_ADDRINFO_EDNSOK	0x04000
+#define FCTX_ADDRINFO_NOCOOKIE	0x08000
+#define FCTX_ADDRINFO_BADCOOKIE 0x10000
+#define FCTX_ADDRINFO_DUALSTACK 0x20000
+
+#define UNMARKED(a)    (((a)->flags & FCTX_ADDRINFO_MARK) == 0)
+#define ISFORWARDER(a) (((a)->flags & FCTX_ADDRINFO_FORWARDER) != 0)
+#define NOCOOKIE(a)    (((a)->flags & FCTX_ADDRINFO_NOCOOKIE) != 0)
+#define EDNSOK(a)      (((a)->flags & FCTX_ADDRINFO_EDNSOK) != 0)
+#define BADCOOKIE(a)   (((a)->flags & FCTX_ADDRINFO_BADCOOKIE) != 0)
+#define ISDUALSTACK(a) (((a)->flags & FCTX_ADDRINFO_DUALSTACK) != 0)
+
+#define NXDOMAIN(r) (((r)->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
+#define NEGATIVE(r) (((r)->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
+
+#define NXDOMAIN_RESULT(r) \
+	((r) == DNS_R_NXDOMAIN || (r) == DNS_R_NCACHENXDOMAIN)
+#define NXRRSET_RESULT(r)                                      \
+	((r) == DNS_R_NCACHENXRRSET || (r) == DNS_R_NXRRSET || \
+	 (r) == DNS_R_HINTNXRRSET)
+
+#ifdef ENABLE_AFL
+bool dns_fuzzing_resolver = false;
+void
+dns_resolver_setfuzzing() {
+	dns_fuzzing_resolver = true;
+}
+#endif /* ifdef ENABLE_AFL */
+
+static unsigned char ip6_arpa_data[] = "\003IP6\004ARPA";
+static unsigned char ip6_arpa_offsets[] = { 0, 4, 9 };
+static const dns_name_t ip6_arpa = DNS_NAME_INITABSOLUTE(ip6_arpa_data,
+							 ip6_arpa_offsets);
+
+static unsigned char underscore_data[] = "\001_";
+static unsigned char underscore_offsets[] = { 0 };
+static const dns_name_t underscore_name =
+	DNS_NAME_INITNONABSOLUTE(underscore_data, underscore_offsets);
+
+static void
+destroy(dns_resolver_t *res);
+static void
+empty_bucket(dns_resolver_t *res);
+static isc_result_t
+resquery_send(resquery_t *query);
+static void
+resquery_response(isc_task_t *task, isc_event_t *event);
+static void
+resquery_connected(isc_task_t *task, isc_event_t *event);
+static void
+fctx_try(fetchctx_t *fctx, bool retrying, bool badcache);
+static isc_result_t
+fctx_minimize_qname(fetchctx_t *fctx);
+static void
+fctx_destroy(fetchctx_t *fctx);
+static bool
+fctx_unlink(fetchctx_t *fctx);
+static isc_result_t
+ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
+		  dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t minttl,
+		  dns_ttl_t maxttl, bool optout, bool secure,
+		  dns_rdataset_t *ardataset, isc_result_t *eresultp);
+static void
+validated(isc_task_t *task, isc_event_t *event);
+static void
+add_bad(fetchctx_t *fctx, dns_message_t *rmessage, dns_adbaddrinfo_t *addrinfo,
+	isc_result_t reason, badnstype_t badtype);
+static isc_result_t
+findnoqname(fetchctx_t *fctx, dns_message_t *message, dns_name_t *name,
+	    dns_rdatatype_t type, dns_name_t **noqname);
+static void
+fctx_increference(fetchctx_t *fctx);
+static bool
+fctx_decreference(fetchctx_t *fctx);
+static void
+resume_qmin(isc_task_t *task, isc_event_t *event);
+
+/*%
+ * The structure and functions defined below implement the resolver
+ * query (resquery) response handling logic.
+ *
+ * When a resolver query is sent and a response is received, the
+ * resquery_response() event handler is run, which calls the rctx_*()
+ * functions.  The respctx_t structure maintains state from function
+ * to function.
+ *
+ * The call flow is described below:
+ *
+ * 1. resquery_response():
+ *    - Initialize a respctx_t structure (rctx_respinit()).
+ *    - Check for dispatcher failure (rctx_dispfail()).
+ *    - Parse the response (rctx_parse()).
+ *    - Log the response (rctx_logpacket()).
+ *    - Check the parsed response for an OPT record and handle
+ *      EDNS (rctx_opt(), rctx_edns()).
+ *    - Check for a bad or lame server (rctx_badserver(), rctx_lameserver()).
+ *    - Handle delegation-only zones (rctx_delonly_zone()).
+ *    - If RCODE and ANCOUNT suggest this is a positive answer, and
+ *      if so, call rctx_answer(): go to step 2.
+ *    - If RCODE and NSCOUNT suggest this is a negative answer or a
+ *      referral, call rctx_answer_none(): go to step 4.
+ *    - Check the additional section for data that should be cached
+ *      (rctx_additional()).
+ *    - Clean up and finish by calling rctx_done(): go to step 5.
+ *
+ * 2. rctx_answer():
+ *    - If the answer appears to be positive, call rctx_answer_positive():
+ *      go to step 3.
+ *    - If the response is a malformed delegation (with glue or NS records
+ *      in the answer section), call rctx_answer_none(): go to step 4.
+ *
+ * 3. rctx_answer_positive():
+ *    - Initialize the portions of respctx_t needed for processing an answer
+ *      (rctx_answer_init()).
+ *    - Scan the answer section to find records that are responsive to the
+ *      query (rctx_answer_scan()).
+ *    - For whichever type of response was found, call a separate routine
+ *      to handle it: matching QNAME/QTYPE (rctx_answer_match()),
+ *      CNAME (rctx_answer_cname()), covering DNAME (rctx_answer_dname()),
+ *      or any records returned in response to a query of type ANY
+ *      (rctx_answer_any()).
+ *    - Scan the authority section for NS or other records that may be
+ *      included with a positive answer (rctx_authority_scan()).
+ *
+ * 4. rctx_answer_none():
+ *    - Determine whether this is an NXDOMAIN, NXRRSET, or referral.
+ *    - If referral, set up the resolver to follow the delegation
+ *      (rctx_referral()).
+ *    - If NXDOMAIN/NXRRSET, scan the authority section for NS and SOA
+ *      records included with a negative response (rctx_authority_negative()),
+ *      then for DNSSEC proof of nonexistence (rctx_authority_dnssec()).
+ *
+ * 5. rctx_done():
+ *    - Set up chasing of DS records if needed (rctx_chaseds()).
+ *    - If the response wasn't intended for us, wait for another response
+ *      from the dispatcher (rctx_next()).
+ *    - If there is a problem with the responding server, set up another
+ *      query to a different server (rctx_nextserver()).
+ *    - If there is a problem that might be temporary or dependent on
+ *      EDNS options, set up another query to the same server with changed
+ *      options (rctx_resend()).
+ *    - Shut down the fetch context.
+ */
+
+typedef struct respctx {
+	isc_task_t *task;
+	dns_dispatchevent_t *devent;
+	resquery_t *query;
+	fetchctx_t *fctx;
+	isc_result_t result;
+	unsigned int retryopts; /* updated options to pass to
+				 * fctx_query() when resending */
+
+	dns_rdatatype_t type; /* type being sought (set to
+			       * ANY if qtype was SIG or RRSIG) */
+	bool aa;	      /* authoritative answer? */
+	dns_trust_t trust;    /* answer trust level */
+	bool chaining;	      /* CNAME/DNAME processing? */
+	bool next_server;     /* give up, try the next server
+			       * */
+
+	badnstype_t broken_type; /* type of name server problem
+				  * */
+	isc_result_t broken_server;
+
+	bool get_nameservers; /* get a new NS rrset at
+			       * zone cut? */
+	bool resend;	      /* resend this query? */
+	bool nextitem;	      /* invalid response; keep
+			       * listening for the correct one */
+	bool truncated;	      /* response was truncated */
+	bool no_response;     /* no response was received */
+	bool glue_in_answer;  /* glue may be in the answer
+			       * section */
+	bool ns_in_answer;    /* NS may be in the answer
+			       * section */
+	bool negative;	      /* is this a negative response? */
+
+	isc_stdtime_t now; /* time info */
+	isc_time_t tnow;
+	isc_time_t *finish;
+
+	unsigned int dname_labels;
+	unsigned int domain_labels; /* range of permissible number
+				     * of
+				     * labels in a DNAME */
+
+	dns_name_t *aname;	   /* answer name */
+	dns_rdataset_t *ardataset; /* answer rdataset */
+
+	dns_name_t *cname;	   /* CNAME name */
+	dns_rdataset_t *crdataset; /* CNAME rdataset */
+
+	dns_name_t *dname;	   /* DNAME name */
+	dns_rdataset_t *drdataset; /* DNAME rdataset */
+
+	dns_name_t *ns_name;	     /* NS name */
+	dns_rdataset_t *ns_rdataset; /* NS rdataset */
+
+	dns_name_t *soa_name; /* SOA name in a negative answer */
+	dns_name_t *ds_name;  /* DS name in a negative answer */
+
+	dns_name_t *found_name;	    /* invalid name in negative
+				     * response */
+	dns_rdatatype_t found_type; /* invalid type in negative
+				     * response */
+
+	dns_rdataset_t *opt; /* OPT rdataset */
+} respctx_t;
+
+static void
+rctx_respinit(isc_task_t *task, dns_dispatchevent_t *devent, resquery_t *query,
+	      fetchctx_t *fctx, respctx_t *rctx);
+
+static void
+rctx_answer_init(respctx_t *rctx);
+
+static void
+rctx_answer_scan(respctx_t *rctx);
+
+static void
+rctx_authority_positive(respctx_t *rctx);
+
+static isc_result_t
+rctx_answer_any(respctx_t *rctx);
+
+static isc_result_t
+rctx_answer_match(respctx_t *rctx);
+
+static isc_result_t
+rctx_answer_cname(respctx_t *rctx);
+
+static isc_result_t
+rctx_answer_dname(respctx_t *rctx);
+
+static isc_result_t
+rctx_answer_positive(respctx_t *rctx);
+
+static isc_result_t
+rctx_authority_negative(respctx_t *rctx);
+
+static isc_result_t
+rctx_authority_dnssec(respctx_t *rctx);
+
+static void
+rctx_additional(respctx_t *rctx);
+
+static isc_result_t
+rctx_referral(respctx_t *rctx);
+
+static isc_result_t
+rctx_answer_none(respctx_t *rctx);
+
+static void
+rctx_nextserver(respctx_t *rctx, dns_message_t *message,
+		dns_adbaddrinfo_t *addrinfo, isc_result_t result);
+
+static void
+rctx_resend(respctx_t *rctx, dns_adbaddrinfo_t *addrinfo);
+
+static void
+rctx_next(respctx_t *rctx);
+
+static void
+rctx_chaseds(respctx_t *rctx, dns_message_t *message,
+	     dns_adbaddrinfo_t *addrinfo, isc_result_t result);
+
+static void
+rctx_done(respctx_t *rctx, isc_result_t result);
+
+static void
+rctx_logpacket(respctx_t *rctx);
+
+static void
+rctx_opt(respctx_t *rctx);
+
+static void
+rctx_edns(respctx_t *rctx);
+
+static isc_result_t
+rctx_parse(respctx_t *rctx);
+
+static isc_result_t
+rctx_badserver(respctx_t *rctx, isc_result_t result);
+
+static isc_result_t
+rctx_answer(respctx_t *rctx);
+
+static isc_result_t
+rctx_lameserver(respctx_t *rctx);
+
+static isc_result_t
+rctx_dispfail(respctx_t *rctx);
+
+static void
+rctx_delonly_zone(respctx_t *rctx);
+
+static void
+rctx_ncache(respctx_t *rctx);
+
+/*%
+ * Increment resolver-related statistics counters.
+ */
+static void
+inc_stats(dns_resolver_t *res, isc_statscounter_t counter) {
+	if (res->view->resstats != NULL) {
+		isc_stats_increment(res->view->resstats, counter);
+	}
+}
+
+static void
+dec_stats(dns_resolver_t *res, isc_statscounter_t counter) {
+	if (res->view->resstats != NULL) {
+		isc_stats_decrement(res->view->resstats, counter);
+	}
+}
+
+static isc_result_t
+valcreate(fetchctx_t *fctx, dns_message_t *message, dns_adbaddrinfo_t *addrinfo,
+	  dns_name_t *name, dns_rdatatype_t type, dns_rdataset_t *rdataset,
+	  dns_rdataset_t *sigrdataset, unsigned int valoptions,
+	  isc_task_t *task) {
+	dns_validator_t *validator = NULL;
+	dns_valarg_t *valarg = NULL;
+	isc_result_t result;
+
+	if (SHUTTINGDOWN(fctx)) {
+		return (ISC_R_SHUTTINGDOWN);
+	}
+
+	valarg = isc_mem_get(fctx->mctx, sizeof(*valarg));
+	*valarg = (dns_valarg_t){ .fctx = fctx, .addrinfo = addrinfo };
+
+	dns_message_attach(message, &valarg->message);
+
+	if (!ISC_LIST_EMPTY(fctx->validators)) {
+		valoptions |= DNS_VALIDATOR_DEFER;
+	} else {
+		valoptions &= ~DNS_VALIDATOR_DEFER;
+	}
+
+	result = dns_validator_create(fctx->res->view, name, type, rdataset,
+				      sigrdataset, message, valoptions, task,
+				      validated, valarg, &validator);
+	if (result == ISC_R_SUCCESS) {
+		inc_stats(fctx->res, dns_resstatscounter_val);
+		if ((valoptions & DNS_VALIDATOR_DEFER) == 0) {
+			INSIST(fctx->validator == NULL);
+			fctx->validator = validator;
+		}
+		ISC_LIST_APPEND(fctx->validators, validator, link);
+	} else {
+		dns_message_detach(&valarg->message);
+		isc_mem_put(fctx->mctx, valarg, sizeof(*valarg));
+	}
+	return (result);
+}
+
+static bool
+rrsig_fromchildzone(fetchctx_t *fctx, dns_rdataset_t *rdataset) {
+	dns_namereln_t namereln;
+	dns_rdata_rrsig_t rrsig;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	int order;
+	isc_result_t result;
+	unsigned int labels;
+
+	for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(rdataset))
+	{
+		dns_rdataset_current(rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		namereln = dns_name_fullcompare(&rrsig.signer, &fctx->domain,
+						&order, &labels);
+		if (namereln == dns_namereln_subdomain) {
+			return (true);
+		}
+		dns_rdata_reset(&rdata);
+	}
+	return (false);
+}
+
+static bool
+fix_mustbedelegationornxdomain(dns_message_t *message, fetchctx_t *fctx) {
+	dns_name_t *name;
+	dns_name_t *domain = &fctx->domain;
+	dns_rdataset_t *rdataset;
+	dns_rdatatype_t type;
+	isc_result_t result;
+	bool keep_auth = false;
+
+	if (message->rcode == dns_rcode_nxdomain) {
+		return (false);
+	}
+
+	/*
+	 * A DS RRset can appear anywhere in a zone, even for a delegation-only
+	 * zone.  So a response to an explicit query for this type should be
+	 * excluded from delegation-only fixup.
+	 *
+	 * SOA, NS, and DNSKEY can only exist at a zone apex, so a positive
+	 * response to a query for these types can never violate the
+	 * delegation-only assumption: if the query name is below a
+	 * zone cut, the response should normally be a referral, which should
+	 * be accepted; if the query name is below a zone cut but the server
+	 * happens to have authority for the zone of the query name, the
+	 * response is a (non-referral) answer.  But this does not violate
+	 * delegation-only because the query name must be in a different zone
+	 * due to the "apex-only" nature of these types.  Note that if the
+	 * remote server happens to have authority for a child zone of a
+	 * delegation-only zone, we may still incorrectly "fix" the response
+	 * with NXDOMAIN for queries for other types.  Unfortunately it's
+	 * generally impossible to differentiate this case from violation of
+	 * the delegation-only assumption.  Once the resolver learns the
+	 * correct zone cut, possibly via a separate query for an "apex-only"
+	 * type, queries for other types will be resolved correctly.
+	 *
+	 * A query for type ANY will be accepted if it hits an exceptional
+	 * type above in the answer section as it should be from a child
+	 * zone.
+	 *
+	 * Also accept answers with RRSIG records from the child zone.
+	 * Direct queries for RRSIG records should not be answered from
+	 * the parent zone.
+	 */
+
+	if (message->counts[DNS_SECTION_ANSWER] != 0 &&
+	    (fctx->type == dns_rdatatype_ns || fctx->type == dns_rdatatype_ds ||
+	     fctx->type == dns_rdatatype_soa ||
+	     fctx->type == dns_rdatatype_any ||
+	     fctx->type == dns_rdatatype_rrsig ||
+	     fctx->type == dns_rdatatype_dnskey))
+	{
+		result = dns_message_firstname(message, DNS_SECTION_ANSWER);
+		while (result == ISC_R_SUCCESS) {
+			name = NULL;
+			dns_message_currentname(message, DNS_SECTION_ANSWER,
+						&name);
+			for (rdataset = ISC_LIST_HEAD(name->list);
+			     rdataset != NULL;
+			     rdataset = ISC_LIST_NEXT(rdataset, link))
+			{
+				if (!dns_name_equal(name, &fctx->name)) {
+					continue;
+				}
+				type = rdataset->type;
+				/*
+				 * RRsig from child?
+				 */
+				if (type == dns_rdatatype_rrsig &&
+				    rrsig_fromchildzone(fctx, rdataset))
+				{
+					return (false);
+				}
+				/*
+				 * Direct query for apex records or DS.
+				 */
+				if (fctx->type == type &&
+				    (type == dns_rdatatype_ds ||
+				     type == dns_rdatatype_ns ||
+				     type == dns_rdatatype_soa ||
+				     type == dns_rdatatype_dnskey))
+				{
+					return (false);
+				}
+				/*
+				 * Indirect query for apex records or DS.
+				 */
+				if (fctx->type == dns_rdatatype_any &&
+				    (type == dns_rdatatype_ns ||
+				     type == dns_rdatatype_ds ||
+				     type == dns_rdatatype_soa ||
+				     type == dns_rdatatype_dnskey))
+				{
+					return (false);
+				}
+			}
+			result = dns_message_nextname(message,
+						      DNS_SECTION_ANSWER);
+		}
+	}
+
+	/*
+	 * A NODATA response to a DS query?
+	 */
+	if (fctx->type == dns_rdatatype_ds &&
+	    message->counts[DNS_SECTION_ANSWER] == 0)
+	{
+		return (false);
+	}
+
+	/* Look for referral or indication of answer from child zone? */
+	if (message->counts[DNS_SECTION_AUTHORITY] == 0) {
+		goto munge;
+	}
+
+	result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
+	while (result == ISC_R_SUCCESS) {
+		name = NULL;
+		dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
+		for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link))
+		{
+			type = rdataset->type;
+			if (type == dns_rdatatype_soa &&
+			    dns_name_equal(name, domain))
+			{
+				keep_auth = true;
+			}
+
+			if (type != dns_rdatatype_ns &&
+			    type != dns_rdatatype_soa &&
+			    type != dns_rdatatype_rrsig)
+			{
+				continue;
+			}
+
+			if (type == dns_rdatatype_rrsig) {
+				if (rrsig_fromchildzone(fctx, rdataset)) {
+					return (false);
+				} else {
+					continue;
+				}
+			}
+
+			/* NS or SOA records. */
+			if (dns_name_equal(name, domain)) {
+				/*
+				 * If a query for ANY causes a negative
+				 * response, we can be sure that this is
+				 * an empty node.  For other type of queries
+				 * we cannot differentiate an empty node
+				 * from a node that just doesn't have that
+				 * type of record.  We only accept the former
+				 * case.
+				 */
+				if (message->counts[DNS_SECTION_ANSWER] == 0 &&
+				    fctx->type == dns_rdatatype_any)
+				{
+					return (false);
+				}
+			} else if (dns_name_issubdomain(name, domain)) {
+				/* Referral or answer from child zone. */
+				return (false);
+			}
+		}
+		result = dns_message_nextname(message, DNS_SECTION_AUTHORITY);
+	}
+
+munge:
+	message->rcode = dns_rcode_nxdomain;
+	message->counts[DNS_SECTION_ANSWER] = 0;
+	if (!keep_auth) {
+		message->counts[DNS_SECTION_AUTHORITY] = 0;
+	}
+	message->counts[DNS_SECTION_ADDITIONAL] = 0;
+	return (true);
+}
+
+static isc_result_t
+fctx_starttimer(fetchctx_t *fctx) {
+	/*
+	 * Start the lifetime timer for fctx.
+	 *
+	 * This is also used for stopping the idle timer; in that
+	 * case we must purge events already posted to ensure that
+	 * no further idle events are delivered.
+	 */
+	return (isc_timer_reset(fctx->timer, isc_timertype_once, &fctx->expires,
+				NULL, true));
+}
+
+static isc_result_t
+fctx_starttimer_trystale(fetchctx_t *fctx) {
+	/*
+	 * Start the stale-answer-client-timeout timer for fctx.
+	 */
+
+	return (isc_timer_reset(fctx->timer_try_stale, isc_timertype_once,
+				&fctx->expires_try_stale, NULL, true));
+}
+
+static void
+fctx_stoptimer(fetchctx_t *fctx) {
+	isc_result_t result;
+
+	/*
+	 * We don't return a result if resetting the timer to inactive fails
+	 * since there's nothing to be done about it.  Resetting to inactive
+	 * should never fail anyway, since the code as currently written
+	 * cannot fail in that case.
+	 */
+	result = isc_timer_reset(fctx->timer, isc_timertype_inactive, NULL,
+				 NULL, true);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__, "isc_timer_reset(): %s",
+				 isc_result_totext(result));
+	}
+}
+
+static void
+fctx_stoptimer_trystale(fetchctx_t *fctx) {
+	isc_result_t result;
+
+	if (fctx->timer_try_stale != NULL) {
+		result = isc_timer_reset(fctx->timer_try_stale,
+					 isc_timertype_inactive, NULL, NULL,
+					 true);
+		if (result != ISC_R_SUCCESS) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "isc_timer_reset(): %s",
+					 isc_result_totext(result));
+		}
+	}
+}
+
+static isc_result_t
+fctx_startidletimer(fetchctx_t *fctx, isc_interval_t *interval) {
+	/*
+	 * Start the idle timer for fctx.  The lifetime timer continues
+	 * to be in effect.
+	 */
+	return (isc_timer_reset(fctx->timer, isc_timertype_once, &fctx->expires,
+				interval, false));
+}
+
+/*
+ * Stopping the idle timer is equivalent to calling fctx_starttimer(), but
+ * we use fctx_stopidletimer for readability in the code below.
+ */
+#define fctx_stopidletimer fctx_starttimer
+
+static void
+resquery_destroy(resquery_t **queryp) {
+	dns_resolver_t *res;
+	bool empty;
+	resquery_t *query;
+	fetchctx_t *fctx;
+	unsigned int bucket;
+
+	REQUIRE(queryp != NULL);
+	query = *queryp;
+	*queryp = NULL;
+	REQUIRE(!ISC_LINK_LINKED(query, link));
+
+	INSIST(query->tcpsocket == NULL);
+
+	fctx = query->fctx;
+	res = fctx->res;
+	bucket = fctx->bucketnum;
+
+	LOCK(&res->buckets[bucket].lock);
+	fctx->nqueries--;
+	empty = fctx_decreference(query->fctx);
+	UNLOCK(&res->buckets[bucket].lock);
+
+	if (query->rmessage != NULL) {
+		dns_message_detach(&query->rmessage);
+	}
+
+	query->magic = 0;
+	isc_mem_put(query->mctx, query, sizeof(*query));
+
+	if (empty) {
+		empty_bucket(res);
+	}
+}
+
+/*%
+ * Update EDNS statistics for a server after not getting a response to a UDP
+ * query sent to it.
+ */
+static void
+update_edns_stats(resquery_t *query) {
+	fetchctx_t *fctx = query->fctx;
+
+	if ((query->options & DNS_FETCHOPT_TCP) != 0) {
+		return;
+	}
+
+	if ((query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
+		dns_adb_ednsto(fctx->adb, query->addrinfo, query->udpsize);
+	} else {
+		dns_adb_timeout(fctx->adb, query->addrinfo);
+	}
+}
+
+static void
+fctx_cancelquery(resquery_t **queryp, dns_dispatchevent_t **deventp,
+		 isc_time_t *finish, bool no_response, bool age_untried) {
+	fetchctx_t *fctx;
+	resquery_t *query;
+	unsigned int rtt, rttms;
+	unsigned int factor;
+	dns_adbfind_t *find;
+	dns_adbaddrinfo_t *addrinfo;
+	isc_socket_t *sock;
+	isc_stdtime_t now;
+
+	query = *queryp;
+	fctx = query->fctx;
+
+	FCTXTRACE("cancelquery");
+
+	REQUIRE(!RESQUERY_CANCELED(query));
+
+	query->attributes |= RESQUERY_ATTR_CANCELED;
+
+	/*
+	 * Should we update the RTT?
+	 */
+	if (finish != NULL || no_response) {
+		if (finish != NULL) {
+			/*
+			 * We have both the start and finish times for this
+			 * packet, so we can compute a real RTT.
+			 */
+			rtt = (unsigned int)isc_time_microdiff(finish,
+							       &query->start);
+			factor = DNS_ADB_RTTADJDEFAULT;
+
+			rttms = rtt / 1000;
+			if (rttms < DNS_RESOLVER_QRYRTTCLASS0) {
+				inc_stats(fctx->res,
+					  dns_resstatscounter_queryrtt0);
+			} else if (rttms < DNS_RESOLVER_QRYRTTCLASS1) {
+				inc_stats(fctx->res,
+					  dns_resstatscounter_queryrtt1);
+			} else if (rttms < DNS_RESOLVER_QRYRTTCLASS2) {
+				inc_stats(fctx->res,
+					  dns_resstatscounter_queryrtt2);
+			} else if (rttms < DNS_RESOLVER_QRYRTTCLASS3) {
+				inc_stats(fctx->res,
+					  dns_resstatscounter_queryrtt3);
+			} else if (rttms < DNS_RESOLVER_QRYRTTCLASS4) {
+				inc_stats(fctx->res,
+					  dns_resstatscounter_queryrtt4);
+			} else {
+				inc_stats(fctx->res,
+					  dns_resstatscounter_queryrtt5);
+			}
+		} else {
+			uint32_t value;
+			uint32_t mask;
+
+			update_edns_stats(query);
+
+			/*
+			 * If "forward first;" is used and a forwarder timed
+			 * out, do not attempt to query it again in this fetch
+			 * context.
+			 */
+			if (fctx->fwdpolicy == dns_fwdpolicy_first &&
+			    ISFORWARDER(query->addrinfo))
+			{
+				add_bad(fctx, query->rmessage, query->addrinfo,
+					ISC_R_TIMEDOUT, badns_forwarder);
+			}
+
+			/*
+			 * We don't have an RTT for this query.  Maybe the
+			 * packet was lost, or maybe this server is very
+			 * slow.  We don't know.  Increase the RTT.
+			 */
+			INSIST(no_response);
+			value = isc_random32();
+			if (query->addrinfo->srtt > 800000) {
+				mask = 0x3fff;
+			} else if (query->addrinfo->srtt > 400000) {
+				mask = 0x7fff;
+			} else if (query->addrinfo->srtt > 200000) {
+				mask = 0xffff;
+			} else if (query->addrinfo->srtt > 100000) {
+				mask = 0x1ffff;
+			} else if (query->addrinfo->srtt > 50000) {
+				mask = 0x3ffff;
+			} else if (query->addrinfo->srtt > 25000) {
+				mask = 0x7ffff;
+			} else {
+				mask = 0xfffff;
+			}
+
+			/*
+			 * Don't adjust timeout on EDNS queries unless we have
+			 * seen a EDNS response.
+			 */
+			if ((query->options & DNS_FETCHOPT_NOEDNS0) == 0 &&
+			    !EDNSOK(query->addrinfo))
+			{
+				mask >>= 2;
+			}
+
+			rtt = query->addrinfo->srtt + (value & mask);
+			if (rtt > MAX_SINGLE_QUERY_TIMEOUT_US) {
+				rtt = MAX_SINGLE_QUERY_TIMEOUT_US;
+			}
+
+			/*
+			 * Replace the current RTT with our value.
+			 */
+			factor = DNS_ADB_RTTADJREPLACE;
+		}
+
+		dns_adb_adjustsrtt(fctx->adb, query->addrinfo, rtt, factor);
+	}
+	if ((query->options & DNS_FETCHOPT_TCP) == 0) {
+		/* Inform the ADB that we're ending a UDP fetch */
+		dns_adb_endudpfetch(fctx->adb, query->addrinfo);
+	}
+
+	/*
+	 * Age RTTs of servers not tried.
+	 */
+	isc_stdtime_get(&now);
+	if (finish != NULL || age_untried) {
+		for (addrinfo = ISC_LIST_HEAD(fctx->forwaddrs);
+		     addrinfo != NULL;
+		     addrinfo = ISC_LIST_NEXT(addrinfo, publink))
+		{
+			if (UNMARKED(addrinfo)) {
+				dns_adb_agesrtt(fctx->adb, addrinfo, now);
+			}
+		}
+	}
+
+	if ((finish != NULL || age_untried) && TRIEDFIND(fctx)) {
+		for (find = ISC_LIST_HEAD(fctx->finds); find != NULL;
+		     find = ISC_LIST_NEXT(find, publink))
+		{
+			for (addrinfo = ISC_LIST_HEAD(find->list);
+			     addrinfo != NULL;
+			     addrinfo = ISC_LIST_NEXT(addrinfo, publink))
+			{
+				if (UNMARKED(addrinfo)) {
+					dns_adb_agesrtt(fctx->adb, addrinfo,
+							now);
+				}
+			}
+		}
+	}
+
+	if ((finish != NULL || age_untried) && TRIEDALT(fctx)) {
+		for (addrinfo = ISC_LIST_HEAD(fctx->altaddrs); addrinfo != NULL;
+		     addrinfo = ISC_LIST_NEXT(addrinfo, publink))
+		{
+			if (UNMARKED(addrinfo)) {
+				dns_adb_agesrtt(fctx->adb, addrinfo, now);
+			}
+		}
+		for (find = ISC_LIST_HEAD(fctx->altfinds); find != NULL;
+		     find = ISC_LIST_NEXT(find, publink))
+		{
+			for (addrinfo = ISC_LIST_HEAD(find->list);
+			     addrinfo != NULL;
+			     addrinfo = ISC_LIST_NEXT(addrinfo, publink))
+			{
+				if (UNMARKED(addrinfo)) {
+					dns_adb_agesrtt(fctx->adb, addrinfo,
+							now);
+				}
+			}
+		}
+	}
+
+	/*
+	 * Check for any outstanding socket events.  If they exist, cancel
+	 * them and let the event handlers finish the cleanup.  The resolver
+	 * only needs to worry about managing the connect and send events;
+	 * the dispatcher manages the recv events.
+	 */
+	if (RESQUERY_CONNECTING(query)) {
+		/*
+		 * Cancel the connect.
+		 */
+		if (query->tcpsocket != NULL) {
+			isc_socket_cancel(query->tcpsocket, NULL,
+					  ISC_SOCKCANCEL_CONNECT);
+		} else if (query->dispentry != NULL) {
+			INSIST(query->exclusivesocket);
+			sock = dns_dispatch_getentrysocket(query->dispentry);
+			if (sock != NULL) {
+				isc_socket_cancel(sock, NULL,
+						  ISC_SOCKCANCEL_CONNECT);
+			}
+		}
+	}
+	if (RESQUERY_SENDING(query)) {
+		/*
+		 * Cancel the pending send.
+		 */
+		if (query->exclusivesocket && query->dispentry != NULL) {
+			sock = dns_dispatch_getentrysocket(query->dispentry);
+		} else {
+			sock = dns_dispatch_getsocket(query->dispatch);
+		}
+		if (sock != NULL) {
+			isc_socket_cancel(sock, NULL, ISC_SOCKCANCEL_SEND);
+		}
+	}
+
+	if (query->dispentry != NULL) {
+		dns_dispatch_removeresponse(&query->dispentry, deventp);
+	}
+
+	ISC_LIST_UNLINK(fctx->queries, query, link);
+
+	if (query->tsig != NULL) {
+		isc_buffer_free(&query->tsig);
+	}
+
+	if (query->tsigkey != NULL) {
+		dns_tsigkey_detach(&query->tsigkey);
+	}
+
+	if (query->dispatch != NULL) {
+		dns_dispatch_detach(&query->dispatch);
+	}
+
+	if (!(RESQUERY_CONNECTING(query) || RESQUERY_SENDING(query))) {
+		/*
+		 * It's safe to destroy the query now.
+		 */
+		resquery_destroy(&query);
+	}
+}
+
+static void
+fctx_cancelqueries(fetchctx_t *fctx, bool no_response, bool age_untried) {
+	resquery_t *query, *next_query;
+
+	FCTXTRACE("cancelqueries");
+
+	for (query = ISC_LIST_HEAD(fctx->queries); query != NULL;
+	     query = next_query)
+	{
+		next_query = ISC_LIST_NEXT(query, link);
+		fctx_cancelquery(&query, NULL, NULL, no_response, age_untried);
+	}
+}
+
+static void
+fctx_cleanupfinds(fetchctx_t *fctx) {
+	dns_adbfind_t *find, *next_find;
+
+	REQUIRE(ISC_LIST_EMPTY(fctx->queries));
+
+	for (find = ISC_LIST_HEAD(fctx->finds); find != NULL; find = next_find)
+	{
+		next_find = ISC_LIST_NEXT(find, publink);
+		ISC_LIST_UNLINK(fctx->finds, find, publink);
+		dns_adb_destroyfind(&find);
+	}
+	fctx->find = NULL;
+}
+
+static void
+fctx_cleanupaltfinds(fetchctx_t *fctx) {
+	dns_adbfind_t *find, *next_find;
+
+	REQUIRE(ISC_LIST_EMPTY(fctx->queries));
+
+	for (find = ISC_LIST_HEAD(fctx->altfinds); find != NULL;
+	     find = next_find)
+	{
+		next_find = ISC_LIST_NEXT(find, publink);
+		ISC_LIST_UNLINK(fctx->altfinds, find, publink);
+		dns_adb_destroyfind(&find);
+	}
+	fctx->altfind = NULL;
+}
+
+static void
+fctx_cleanupforwaddrs(fetchctx_t *fctx) {
+	dns_adbaddrinfo_t *addr, *next_addr;
+
+	REQUIRE(ISC_LIST_EMPTY(fctx->queries));
+
+	for (addr = ISC_LIST_HEAD(fctx->forwaddrs); addr != NULL;
+	     addr = next_addr)
+	{
+		next_addr = ISC_LIST_NEXT(addr, publink);
+		ISC_LIST_UNLINK(fctx->forwaddrs, addr, publink);
+		dns_adb_freeaddrinfo(fctx->adb, &addr);
+	}
+}
+
+static void
+fctx_cleanupaltaddrs(fetchctx_t *fctx) {
+	dns_adbaddrinfo_t *addr, *next_addr;
+
+	REQUIRE(ISC_LIST_EMPTY(fctx->queries));
+
+	for (addr = ISC_LIST_HEAD(fctx->altaddrs); addr != NULL;
+	     addr = next_addr)
+	{
+		next_addr = ISC_LIST_NEXT(addr, publink);
+		ISC_LIST_UNLINK(fctx->altaddrs, addr, publink);
+		dns_adb_freeaddrinfo(fctx->adb, &addr);
+	}
+}
+
+static void
+fctx_stopqueries(fetchctx_t *fctx, bool no_response, bool age_untried) {
+	FCTXTRACE("stopqueries");
+	fctx_cancelqueries(fctx, no_response, age_untried);
+	fctx_stoptimer(fctx);
+	fctx_stoptimer_trystale(fctx);
+}
+
+static void
+fctx_cleanupall(fetchctx_t *fctx) {
+	fctx_cleanupfinds(fctx);
+	fctx_cleanupaltfinds(fctx);
+	fctx_cleanupforwaddrs(fctx);
+	fctx_cleanupaltaddrs(fctx);
+}
+
+static void
+fcount_logspill(fetchctx_t *fctx, fctxcount_t *counter, bool final) {
+	char dbuf[DNS_NAME_FORMATSIZE];
+	isc_stdtime_t now;
+
+	if (!isc_log_wouldlog(dns_lctx, ISC_LOG_INFO)) {
+		return;
+	}
+
+	/* Do not log a message if there were no dropped fetches. */
+	if (counter->dropped == 0) {
+		return;
+	}
+
+	/* Do not log the cumulative message if the previous log is recent. */
+	isc_stdtime_get(&now);
+	if (!final && counter->logged > now - 60) {
+		return;
+	}
+
+	dns_name_format(&fctx->domain, dbuf, sizeof(dbuf));
+
+	if (!final) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_SPILL,
+			      DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
+			      "too many simultaneous fetches for %s "
+			      "(allowed %d spilled %d)",
+			      dbuf, counter->allowed, counter->dropped);
+	} else {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_SPILL,
+			      DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
+			      "fetch counters for %s now being discarded "
+			      "(allowed %d spilled %d; cumulative since "
+			      "initial trigger event)",
+			      dbuf, counter->allowed, counter->dropped);
+	}
+
+	counter->logged = now;
+}
+
+static isc_result_t
+fcount_incr(fetchctx_t *fctx, bool force) {
+	isc_result_t result = ISC_R_SUCCESS;
+	zonebucket_t *dbucket;
+	fctxcount_t *counter;
+	unsigned int bucketnum;
+
+	REQUIRE(fctx != NULL);
+	REQUIRE(fctx->res != NULL);
+
+	INSIST(fctx->dbucketnum == RES_NOBUCKET);
+	bucketnum = dns_name_fullhash(&fctx->domain, false) %
+		    RES_DOMAIN_BUCKETS;
+
+	dbucket = &fctx->res->dbuckets[bucketnum];
+
+	LOCK(&dbucket->lock);
+	for (counter = ISC_LIST_HEAD(dbucket->list); counter != NULL;
+	     counter = ISC_LIST_NEXT(counter, link))
+	{
+		if (dns_name_equal(counter->domain, &fctx->domain)) {
+			break;
+		}
+	}
+
+	if (counter == NULL) {
+		counter = isc_mem_get(dbucket->mctx, sizeof(fctxcount_t));
+		{
+			ISC_LINK_INIT(counter, link);
+			counter->count = 1;
+			counter->logged = 0;
+			counter->allowed = 1;
+			counter->dropped = 0;
+			counter->domain =
+				dns_fixedname_initname(&counter->fdname);
+			dns_name_copynf(&fctx->domain, counter->domain);
+			ISC_LIST_APPEND(dbucket->list, counter, link);
+		}
+	} else {
+		uint_fast32_t spill = atomic_load_acquire(&fctx->res->zspill);
+		if (!force && spill != 0 && counter->count >= spill) {
+			counter->dropped++;
+			fcount_logspill(fctx, counter, false);
+			result = ISC_R_QUOTA;
+		} else {
+			counter->count++;
+			counter->allowed++;
+		}
+	}
+	UNLOCK(&dbucket->lock);
+
+	if (result == ISC_R_SUCCESS) {
+		fctx->dbucketnum = bucketnum;
+	}
+
+	return (result);
+}
+
+static void
+fcount_decr(fetchctx_t *fctx) {
+	zonebucket_t *dbucket;
+	fctxcount_t *counter;
+
+	REQUIRE(fctx != NULL);
+
+	if (fctx->dbucketnum == RES_NOBUCKET) {
+		return;
+	}
+
+	dbucket = &fctx->res->dbuckets[fctx->dbucketnum];
+
+	LOCK(&dbucket->lock);
+	for (counter = ISC_LIST_HEAD(dbucket->list); counter != NULL;
+	     counter = ISC_LIST_NEXT(counter, link))
+	{
+		if (dns_name_equal(counter->domain, &fctx->domain)) {
+			break;
+		}
+	}
+
+	if (counter != NULL) {
+		INSIST(counter->count != 0);
+		counter->count--;
+		fctx->dbucketnum = RES_NOBUCKET;
+
+		if (counter->count == 0) {
+			fcount_logspill(fctx, counter, true);
+			ISC_LIST_UNLINK(dbucket->list, counter, link);
+			isc_mem_put(dbucket->mctx, counter, sizeof(*counter));
+		}
+	}
+
+	UNLOCK(&dbucket->lock);
+}
+
+static void
+fctx_sendevents(fetchctx_t *fctx, isc_result_t result, int line) {
+	dns_fetchevent_t *event, *next_event;
+	isc_task_t *task;
+	unsigned int count = 0;
+	isc_interval_t i;
+	bool logit = false;
+	isc_time_t now;
+	unsigned int old_spillat;
+	unsigned int new_spillat = 0; /* initialized to silence
+				       * compiler warnings */
+
+	/*
+	 * Caller must be holding the appropriate bucket lock.
+	 */
+	REQUIRE(fctx->state == fetchstate_done);
+
+	FCTXTRACE("sendevents");
+
+	/*
+	 * Keep some record of fetch result for logging later (if required).
+	 */
+	fctx->result = result;
+	fctx->exitline = line;
+	TIME_NOW(&now);
+	fctx->duration = isc_time_microdiff(&now, &fctx->start);
+
+	for (event = ISC_LIST_HEAD(fctx->events); event != NULL;
+	     event = next_event)
+	{
+		next_event = ISC_LIST_NEXT(event, ev_link);
+		ISC_LIST_UNLINK(fctx->events, event, ev_link);
+		if (event->ev_type == DNS_EVENT_TRYSTALE) {
+			/*
+			 * Not applicable to TRY STALE events, this function is
+			 * called when the fetch has either completed or timed
+			 * out due to resolver-query-timeout being reached.
+			 */
+			isc_task_detach((isc_task_t **)&event->ev_sender);
+			isc_event_free((isc_event_t **)&event);
+			continue;
+		}
+		task = event->ev_sender;
+		event->ev_sender = fctx;
+		event->vresult = fctx->vresult;
+		if (!HAVE_ANSWER(fctx)) {
+			event->result = result;
+		}
+
+		INSIST(event->result != ISC_R_SUCCESS ||
+		       dns_rdataset_isassociated(event->rdataset) ||
+		       fctx->type == dns_rdatatype_any ||
+		       fctx->type == dns_rdatatype_rrsig ||
+		       fctx->type == dns_rdatatype_sig);
+
+		/*
+		 * Negative results must be indicated in event->result.
+		 */
+		if (dns_rdataset_isassociated(event->rdataset) &&
+		    NEGATIVE(event->rdataset))
+		{
+			INSIST(event->result == DNS_R_NCACHENXDOMAIN ||
+			       event->result == DNS_R_NCACHENXRRSET);
+		}
+
+		isc_task_sendanddetach(&task, ISC_EVENT_PTR(&event));
+		count++;
+	}
+
+	if (HAVE_ANSWER(fctx) && fctx->spilled &&
+	    (count < fctx->res->spillatmax || fctx->res->spillatmax == 0))
+	{
+		LOCK(&fctx->res->lock);
+		if (count == fctx->res->spillat &&
+		    !atomic_load_acquire(&fctx->res->exiting))
+		{
+			old_spillat = fctx->res->spillat;
+			fctx->res->spillat += 5;
+			if (fctx->res->spillat > fctx->res->spillatmax &&
+			    fctx->res->spillatmax != 0)
+			{
+				fctx->res->spillat = fctx->res->spillatmax;
+			}
+			new_spillat = fctx->res->spillat;
+			if (new_spillat != old_spillat) {
+				logit = true;
+			}
+			isc_interval_set(&i, 20 * 60, 0);
+			result = isc_timer_reset(fctx->res->spillattimer,
+						 isc_timertype_ticker, NULL, &i,
+						 true);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		}
+		UNLOCK(&fctx->res->lock);
+		if (logit) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+				      DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
+				      "clients-per-query increased to %u",
+				      new_spillat);
+		}
+	}
+}
+
+static void
+log_edns(fetchctx_t *fctx) {
+	char domainbuf[DNS_NAME_FORMATSIZE];
+
+	if (fctx->reason == NULL) {
+		return;
+	}
+
+	/*
+	 * We do not know if fctx->domain is the actual domain the record
+	 * lives in or a parent domain so we have a '?' after it.
+	 */
+	dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_EDNS_DISABLED,
+		      DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
+		      "success resolving '%s' (in '%s'?) after %s", fctx->info,
+		      domainbuf, fctx->reason);
+}
+
+static void
+fctx_done(fetchctx_t *fctx, isc_result_t result, int line) {
+	dns_resolver_t *res;
+	bool no_response = false;
+	bool age_untried = false;
+
+	REQUIRE(line >= 0);
+
+	FCTXTRACE("done");
+
+	res = fctx->res;
+
+	if (result == ISC_R_SUCCESS) {
+		/*%
+		 * Log any deferred EDNS timeout messages.
+		 */
+		log_edns(fctx);
+		no_response = true;
+		if (fctx->qmin_warning != ISC_R_SUCCESS) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS,
+				      DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
+				      "success resolving '%s' "
+				      "after disabling qname minimization due "
+				      "to '%s'",
+				      fctx->info,
+				      isc_result_totext(fctx->qmin_warning));
+		}
+	} else if (result == ISC_R_TIMEDOUT) {
+		age_untried = true;
+	}
+
+	fctx->qmin_warning = ISC_R_SUCCESS;
+	fctx->reason = NULL;
+
+	fctx_stopqueries(fctx, no_response, age_untried);
+
+	LOCK(&res->buckets[fctx->bucketnum].lock);
+
+	fctx->state = fetchstate_done;
+	FCTX_ATTR_CLR(fctx, FCTX_ATTR_ADDRWAIT);
+	fctx_sendevents(fctx, result, line);
+
+	UNLOCK(&res->buckets[fctx->bucketnum].lock);
+}
+
+static void
+process_sendevent(resquery_t *query, isc_event_t *event) {
+	isc_socketevent_t *sevent = (isc_socketevent_t *)event;
+	bool destroy_query = false;
+	bool retry = false;
+	isc_result_t result;
+	fetchctx_t *fctx;
+
+	fctx = query->fctx;
+
+	if (RESQUERY_CANCELED(query)) {
+		if (query->sends == 0 && query->connects == 0) {
+			/*
+			 * This query was canceled while the
+			 * isc_socket_sendto/connect() was in progress.
+			 */
+			if (query->tcpsocket != NULL) {
+				isc_socket_detach(&query->tcpsocket);
+			}
+			destroy_query = true;
+		}
+	} else {
+		switch (sevent->result) {
+		case ISC_R_SUCCESS:
+			break;
+
+		case ISC_R_HOSTUNREACH:
+		case ISC_R_NETUNREACH:
+		case ISC_R_NOPERM:
+		case ISC_R_ADDRNOTAVAIL:
+		case ISC_R_CONNREFUSED:
+			FCTXTRACE3("query canceled in sendevent(): "
+				   "no route to host; no response",
+				   sevent->result);
+
+			/*
+			 * No route to remote.
+			 */
+			add_bad(fctx, query->rmessage, query->addrinfo,
+				sevent->result, badns_unreachable);
+			fctx_cancelquery(&query, NULL, NULL, true, false);
+			retry = true;
+			break;
+
+		default:
+			FCTXTRACE3("query canceled in sendevent() due to "
+				   "unexpected event result; responding",
+				   sevent->result);
+
+			fctx_cancelquery(&query, NULL, NULL, false, false);
+			break;
+		}
+	}
+
+	if (event->ev_type == ISC_SOCKEVENT_CONNECT) {
+		isc_event_free(&event);
+	}
+
+	if (retry) {
+		/*
+		 * Behave as if the idle timer has expired.  For TCP
+		 * this may not actually reflect the latest timer.
+		 */
+		FCTX_ATTR_CLR(fctx, FCTX_ATTR_ADDRWAIT);
+		result = fctx_stopidletimer(fctx);
+		if (result != ISC_R_SUCCESS) {
+			fctx_done(fctx, result, __LINE__);
+		} else {
+			fctx_try(fctx, true, false);
+		}
+	}
+
+	if (destroy_query) {
+		resquery_destroy(&query);
+	}
+}
+
+static void
+resquery_udpconnected(isc_task_t *task, isc_event_t *event) {
+	resquery_t *query = event->ev_arg;
+
+	REQUIRE(event->ev_type == ISC_SOCKEVENT_CONNECT);
+
+	QTRACE("udpconnected");
+
+	UNUSED(task);
+
+	INSIST(RESQUERY_CONNECTING(query));
+
+	query->connects--;
+
+	process_sendevent(query, event);
+}
+
+static void
+resquery_senddone(isc_task_t *task, isc_event_t *event) {
+	resquery_t *query = event->ev_arg;
+
+	REQUIRE(event->ev_type == ISC_SOCKEVENT_SENDDONE);
+
+	QTRACE("senddone");
+
+	/*
+	 * XXXRTH
+	 *
+	 * Currently we don't wait for the senddone event before retrying
+	 * a query.  This means that if we get really behind, we may end
+	 * up doing extra work!
+	 */
+
+	UNUSED(task);
+
+	INSIST(RESQUERY_SENDING(query));
+
+	query->sends--;
+
+	process_sendevent(query, event);
+}
+
+static isc_result_t
+fctx_addopt(dns_message_t *message, unsigned int version, uint16_t udpsize,
+	    dns_ednsopt_t *ednsopts, size_t count) {
+	dns_rdataset_t *rdataset = NULL;
+	isc_result_t result;
+
+	result = dns_message_buildopt(message, &rdataset, version, udpsize,
+				      DNS_MESSAGEEXTFLAG_DO, ednsopts, count);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	return (dns_message_setopt(message, rdataset));
+}
+
+static void
+fctx_setretryinterval(fetchctx_t *fctx, unsigned int rtt) {
+	unsigned int seconds;
+	unsigned int us;
+
+	us = fctx->res->retryinterval * 1000;
+	/*
+	 * Exponential backoff after the first few tries.
+	 */
+	if (fctx->restarts > fctx->res->nonbackofftries) {
+		int shift = fctx->restarts - fctx->res->nonbackofftries;
+		if (shift > 6) {
+			shift = 6;
+		}
+		us <<= shift;
+	}
+
+	/*
+	 * Add a fudge factor to the expected rtt based on the current
+	 * estimate.
+	 */
+	if (rtt < 50000) {
+		rtt += 50000;
+	} else if (rtt < 100000) {
+		rtt += 100000;
+	} else {
+		rtt += 200000;
+	}
+
+	/*
+	 * Always wait for at least the expected rtt.
+	 */
+	if (us < rtt) {
+		us = rtt;
+	}
+
+	/*
+	 * But don't ever wait for more than 10 seconds.
+	 */
+	if (us > MAX_SINGLE_QUERY_TIMEOUT_US) {
+		us = MAX_SINGLE_QUERY_TIMEOUT_US;
+	}
+
+	seconds = us / US_PER_SEC;
+	us -= seconds * US_PER_SEC;
+	isc_interval_set(&fctx->interval, seconds, us * 1000);
+}
+
+static isc_result_t
+fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
+	   unsigned int options) {
+	dns_resolver_t *res;
+	isc_task_t *task;
+	isc_result_t result;
+	resquery_t *query;
+	isc_sockaddr_t addr;
+	bool have_addr = false;
+	unsigned int srtt;
+	isc_dscp_t dscp = -1;
+	unsigned int bucketnum;
+
+	FCTXTRACE("query");
+
+	res = fctx->res;
+	task = res->buckets[fctx->bucketnum].task;
+
+	srtt = addrinfo->srtt;
+
+	/*
+	 * Allow an additional second for the kernel to resend the SYN (or
+	 * SYN without ECN in the case of stupid firewalls blocking ECN
+	 * negotiation) over the current RTT estimate.
+	 */
+	if ((options & DNS_FETCHOPT_TCP) != 0) {
+		srtt += 1000000;
+	}
+
+	/*
+	 * A forwarder needs to make multiple queries. Give it at least
+	 * a second to do these in.
+	 */
+	if (ISFORWARDER(addrinfo) && srtt < 1000000) {
+		srtt = 1000000;
+	}
+
+	fctx_setretryinterval(fctx, srtt);
+	result = fctx_startidletimer(fctx, &fctx->interval);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	INSIST(ISC_LIST_EMPTY(fctx->validators));
+
+	query = isc_mem_get(fctx->mctx, sizeof(*query));
+	query->rmessage = NULL;
+	dns_message_create(fctx->mctx, DNS_MESSAGE_INTENTPARSE,
+			   &query->rmessage);
+	query->mctx = fctx->mctx;
+	query->options = options;
+	query->attributes = 0;
+	query->sends = 0;
+	query->connects = 0;
+	query->dscp = addrinfo->dscp;
+	query->udpsize = 0;
+	/*
+	 * Note that the caller MUST guarantee that 'addrinfo' will remain
+	 * valid until this query is canceled.
+	 */
+	query->addrinfo = addrinfo;
+	TIME_NOW(&query->start);
+
+	/*
+	 * If this is a TCP query, then we need to make a socket and
+	 * a dispatch for it here.  Otherwise we use the resolver's
+	 * shared dispatch.
+	 */
+	query->dispatchmgr = res->dispatchmgr;
+	query->dispatch = NULL;
+	query->exclusivesocket = false;
+	query->tcpsocket = NULL;
+	if (res->view->peers != NULL) {
+		dns_peer_t *peer = NULL;
+		isc_netaddr_t dstip;
+		bool usetcp = false;
+		isc_netaddr_fromsockaddr(&dstip, &addrinfo->sockaddr);
+		result = dns_peerlist_peerbyaddr(res->view->peers, &dstip,
+						 &peer);
+		if (result == ISC_R_SUCCESS) {
+			result = dns_peer_getquerysource(peer, &addr);
+			if (result == ISC_R_SUCCESS) {
+				have_addr = true;
+			}
+			result = dns_peer_getquerydscp(peer, &dscp);
+			if (result == ISC_R_SUCCESS) {
+				query->dscp = dscp;
+			}
+			result = dns_peer_getforcetcp(peer, &usetcp);
+			if (result == ISC_R_SUCCESS && usetcp) {
+				query->options |= DNS_FETCHOPT_TCP;
+			}
+		}
+	}
+
+	dscp = -1;
+	if ((query->options & DNS_FETCHOPT_TCP) != 0) {
+		int pf;
+
+		pf = isc_sockaddr_pf(&addrinfo->sockaddr);
+		if (!have_addr) {
+			switch (pf) {
+			case PF_INET:
+				result = dns_dispatch_getlocaladdress(
+					res->dispatches4->dispatches[0], &addr);
+				dscp = dns_resolver_getquerydscp4(fctx->res);
+				break;
+			case PF_INET6:
+				result = dns_dispatch_getlocaladdress(
+					res->dispatches6->dispatches[0], &addr);
+				dscp = dns_resolver_getquerydscp6(fctx->res);
+				break;
+			default:
+				result = ISC_R_NOTIMPLEMENTED;
+				break;
+			}
+			if (result != ISC_R_SUCCESS) {
+				goto cleanup_query;
+			}
+		}
+		isc_sockaddr_setport(&addr, 0);
+		if (query->dscp == -1) {
+			query->dscp = dscp;
+		}
+
+		result = isc_socket_create(res->socketmgr, pf,
+					   isc_sockettype_tcp,
+					   &query->tcpsocket);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup_query;
+		}
+
+#ifndef BROKEN_TCP_BIND_BEFORE_CONNECT
+		result = isc_socket_bind(query->tcpsocket, &addr, 0);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup_socket;
+		}
+#endif /* ifndef BROKEN_TCP_BIND_BEFORE_CONNECT */
+
+		/*
+		 * A dispatch will be created once the connect succeeds.
+		 */
+	} else {
+		if (have_addr) {
+			unsigned int attrs, attrmask;
+			attrs = DNS_DISPATCHATTR_UDP;
+			switch (isc_sockaddr_pf(&addr)) {
+			case AF_INET:
+				attrs |= DNS_DISPATCHATTR_IPV4;
+				dscp = dns_resolver_getquerydscp4(fctx->res);
+				break;
+			case AF_INET6:
+				attrs |= DNS_DISPATCHATTR_IPV6;
+				dscp = dns_resolver_getquerydscp6(fctx->res);
+				break;
+			default:
+				result = ISC_R_NOTIMPLEMENTED;
+				goto cleanup_query;
+			}
+			attrmask = DNS_DISPATCHATTR_UDP;
+			attrmask |= DNS_DISPATCHATTR_TCP;
+			attrmask |= DNS_DISPATCHATTR_IPV4;
+			attrmask |= DNS_DISPATCHATTR_IPV6;
+			result = dns_dispatch_getudp(
+				res->dispatchmgr, res->socketmgr, res->taskmgr,
+				&addr, 4096, 20000, 32768, 16411, 16433, attrs,
+				attrmask, &query->dispatch);
+			if (result != ISC_R_SUCCESS) {
+				goto cleanup_query;
+			}
+		} else {
+			switch (isc_sockaddr_pf(&addrinfo->sockaddr)) {
+			case PF_INET:
+				dns_dispatch_attach(
+					dns_resolver_dispatchv4(res),
+					&query->dispatch);
+				query->exclusivesocket = res->exclusivev4;
+				dscp = dns_resolver_getquerydscp4(fctx->res);
+				break;
+			case PF_INET6:
+				dns_dispatch_attach(
+					dns_resolver_dispatchv6(res),
+					&query->dispatch);
+				query->exclusivesocket = res->exclusivev6;
+				dscp = dns_resolver_getquerydscp6(fctx->res);
+				break;
+			default:
+				result = ISC_R_NOTIMPLEMENTED;
+				goto cleanup_query;
+			}
+		}
+
+		if (query->dscp == -1) {
+			query->dscp = dscp;
+		}
+		/*
+		 * We should always have a valid dispatcher here.  If we
+		 * don't support a protocol family, then its dispatcher
+		 * will be NULL, but we shouldn't be finding addresses for
+		 * protocol types we don't support, so the dispatcher
+		 * we found should never be NULL.
+		 */
+		INSIST(query->dispatch != NULL);
+	}
+
+	query->dispentry = NULL;
+	query->fctx = fctx; /* reference added by caller */
+	query->tsig = NULL;
+	query->tsigkey = NULL;
+	ISC_LINK_INIT(query, link);
+	query->magic = QUERY_MAGIC;
+
+	if ((query->options & DNS_FETCHOPT_TCP) != 0) {
+		/*
+		 * Connect to the remote server.
+		 *
+		 * XXXRTH  Should we attach to the socket?
+		 */
+		if (query->dscp != -1) {
+			isc_socket_dscp(query->tcpsocket, query->dscp);
+		}
+		result = isc_socket_connect(query->tcpsocket,
+					    &addrinfo->sockaddr, task,
+					    resquery_connected, query);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup_socket;
+		}
+		query->connects++;
+		QTRACE("connecting via TCP");
+	} else {
+		if (dns_adbentry_overquota(addrinfo->entry)) {
+			goto cleanup_dispatch;
+		}
+
+		/* Inform the ADB that we're starting a UDP fetch */
+		dns_adb_beginudpfetch(fctx->adb, addrinfo);
+
+		result = resquery_send(query);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup_udpfetch;
+		}
+	}
+
+	fctx->querysent++;
+
+	ISC_LIST_APPEND(fctx->queries, query, link);
+	bucketnum = fctx->bucketnum;
+	LOCK(&res->buckets[bucketnum].lock);
+	fctx->nqueries++;
+	UNLOCK(&res->buckets[bucketnum].lock);
+	if (isc_sockaddr_pf(&addrinfo->sockaddr) == PF_INET) {
+		inc_stats(res, dns_resstatscounter_queryv4);
+	} else {
+		inc_stats(res, dns_resstatscounter_queryv6);
+	}
+	if (res->view->resquerystats != NULL) {
+		dns_rdatatypestats_increment(res->view->resquerystats,
+					     fctx->type);
+	}
+
+	return (ISC_R_SUCCESS);
+
+cleanup_socket:
+	isc_socket_detach(&query->tcpsocket);
+
+cleanup_udpfetch:
+	if (!RESQUERY_CANCELED(query)) {
+		if ((query->options & DNS_FETCHOPT_TCP) == 0) {
+			/* Inform the ADB that we're ending a UDP fetch */
+			dns_adb_endudpfetch(fctx->adb, addrinfo);
+		}
+	}
+
+cleanup_dispatch:
+	if (query->dispatch != NULL) {
+		dns_dispatch_detach(&query->dispatch);
+	}
+
+cleanup_query:
+	if (query->connects == 0) {
+		query->magic = 0;
+		dns_message_detach(&query->rmessage);
+		isc_mem_put(fctx->mctx, query, sizeof(*query));
+	}
+
+	RUNTIME_CHECK(fctx_stopidletimer(fctx) == ISC_R_SUCCESS);
+
+	return (result);
+}
+
+static bool
+bad_edns(fetchctx_t *fctx, isc_sockaddr_t *address) {
+	isc_sockaddr_t *sa;
+
+	for (sa = ISC_LIST_HEAD(fctx->bad_edns); sa != NULL;
+	     sa = ISC_LIST_NEXT(sa, link))
+	{
+		if (isc_sockaddr_equal(sa, address)) {
+			return (true);
+		}
+	}
+
+	return (false);
+}
+
+static void
+add_bad_edns(fetchctx_t *fctx, isc_sockaddr_t *address) {
+	isc_sockaddr_t *sa;
+
+#ifdef ENABLE_AFL
+	if (dns_fuzzing_resolver) {
+		return;
+	}
+#endif /* ifdef ENABLE_AFL */
+	if (bad_edns(fctx, address)) {
+		return;
+	}
+
+	sa = isc_mem_get(fctx->mctx, sizeof(*sa));
+
+	*sa = *address;
+	ISC_LIST_INITANDAPPEND(fctx->bad_edns, sa, link);
+}
+
+static struct tried *
+triededns(fetchctx_t *fctx, isc_sockaddr_t *address) {
+	struct tried *tried;
+
+	for (tried = ISC_LIST_HEAD(fctx->edns); tried != NULL;
+	     tried = ISC_LIST_NEXT(tried, link))
+	{
+		if (isc_sockaddr_equal(&tried->addr, address)) {
+			return (tried);
+		}
+	}
+
+	return (NULL);
+}
+
+static void
+add_triededns(fetchctx_t *fctx, isc_sockaddr_t *address) {
+	struct tried *tried;
+
+	tried = triededns(fctx, address);
+	if (tried != NULL) {
+		tried->count++;
+		return;
+	}
+
+	tried = isc_mem_get(fctx->mctx, sizeof(*tried));
+
+	tried->addr = *address;
+	tried->count = 1;
+	ISC_LIST_INITANDAPPEND(fctx->edns, tried, link);
+}
+
+static struct tried *
+triededns512(fetchctx_t *fctx, isc_sockaddr_t *address) {
+	struct tried *tried;
+
+	for (tried = ISC_LIST_HEAD(fctx->edns512); tried != NULL;
+	     tried = ISC_LIST_NEXT(tried, link))
+	{
+		if (isc_sockaddr_equal(&tried->addr, address)) {
+			return (tried);
+		}
+	}
+
+	return (NULL);
+}
+
+static void
+add_triededns512(fetchctx_t *fctx, isc_sockaddr_t *address) {
+	struct tried *tried;
+
+	tried = triededns512(fctx, address);
+	if (tried != NULL) {
+		tried->count++;
+		return;
+	}
+
+	tried = isc_mem_get(fctx->mctx, sizeof(*tried));
+
+	tried->addr = *address;
+	tried->count = 1;
+	ISC_LIST_INITANDAPPEND(fctx->edns512, tried, link);
+}
+
+static size_t
+addr2buf(void *buf, const size_t bufsize, const isc_sockaddr_t *sockaddr) {
+	isc_netaddr_t netaddr;
+	isc_netaddr_fromsockaddr(&netaddr, sockaddr);
+	switch (netaddr.family) {
+	case AF_INET:
+		INSIST(bufsize >= 4);
+		memmove(buf, &netaddr.type.in, 4);
+		return (4);
+	case AF_INET6:
+		INSIST(bufsize >= 16);
+		memmove(buf, &netaddr.type.in6, 16);
+		return (16);
+	default:
+		UNREACHABLE();
+	}
+	return (0);
+}
+
+static isc_socket_t *
+query2sock(const resquery_t *query) {
+	if (query->exclusivesocket) {
+		return (dns_dispatch_getentrysocket(query->dispentry));
+	} else {
+		return (dns_dispatch_getsocket(query->dispatch));
+	}
+}
+
+static size_t
+add_serveraddr(uint8_t *buf, const size_t bufsize, const resquery_t *query) {
+	return (addr2buf(buf, bufsize, &query->addrinfo->sockaddr));
+}
+
+/*
+ * Client cookie is 8 octets.
+ * Server cookie is [8..32] octets.
+ */
+#define CLIENT_COOKIE_SIZE 8U
+#define COOKIE_BUFFER_SIZE (8U + 32U)
+
+static void
+compute_cc(const resquery_t *query, uint8_t *cookie, const size_t len) {
+	INSIST(len >= CLIENT_COOKIE_SIZE);
+	STATIC_ASSERT(sizeof(query->fctx->res->view->secret) >=
+			      ISC_SIPHASH24_KEY_LENGTH,
+		      "The view->secret size can't fit SipHash 2-4 key length");
+
+	uint8_t buf[16] ISC_NONSTRING = { 0 };
+	size_t buflen = add_serveraddr(buf, sizeof(buf), query);
+
+	uint8_t digest[ISC_SIPHASH24_TAG_LENGTH] ISC_NONSTRING = { 0 };
+	isc_siphash24(query->fctx->res->view->secret, buf, buflen, digest);
+	memmove(cookie, digest, CLIENT_COOKIE_SIZE);
+}
+
+static isc_result_t
+issecuredomain(dns_view_t *view, const dns_name_t *name, dns_rdatatype_t type,
+	       isc_stdtime_t now, bool checknta, bool *ntap, bool *issecure) {
+	dns_name_t suffix;
+	unsigned int labels;
+
+	/*
+	 * For DS variants we need to check fom the parent domain,
+	 * since there may be a negative trust anchor for the name,
+	 * while the enclosing domain where the DS record lives is
+	 * under a secure entry point.
+	 */
+	labels = dns_name_countlabels(name);
+	if (dns_rdatatype_atparent(type) && labels > 1) {
+		dns_name_init(&suffix, NULL);
+		dns_name_getlabelsequence(name, 1, labels - 1, &suffix);
+		name = &suffix;
+	}
+
+	return (dns_view_issecuredomain(view, name, now, checknta, ntap,
+					issecure));
+}
+
+static isc_result_t
+resquery_send(resquery_t *query) {
+	fetchctx_t *fctx;
+	isc_result_t result;
+	dns_name_t *qname = NULL;
+	dns_rdataset_t *qrdataset = NULL;
+	isc_region_t r;
+	dns_resolver_t *res;
+	isc_task_t *task;
+	isc_socket_t *sock;
+	isc_buffer_t tcpbuffer;
+	isc_sockaddr_t *address;
+	isc_buffer_t *buffer;
+	isc_netaddr_t ipaddr;
+	dns_tsigkey_t *tsigkey = NULL;
+	dns_peer_t *peer = NULL;
+	bool useedns;
+	dns_compress_t cctx;
+	bool cleanup_cctx = false;
+	bool secure_domain;
+	bool tcp = ((query->options & DNS_FETCHOPT_TCP) != 0);
+	dns_ednsopt_t ednsopts[DNS_EDNSOPTIONS];
+	unsigned ednsopt = 0;
+	uint16_t hint = 0, udpsize = 0; /* No EDNS */
+#ifdef HAVE_DNSTAP
+	isc_sockaddr_t localaddr, *la = NULL;
+	unsigned char zone[DNS_NAME_MAXWIRE];
+	dns_dtmsgtype_t dtmsgtype;
+	isc_region_t zr;
+	isc_buffer_t zb;
+#endif /* HAVE_DNSTAP */
+
+	fctx = query->fctx;
+	QTRACE("send");
+
+	res = fctx->res;
+	task = res->buckets[fctx->bucketnum].task;
+	address = NULL;
+
+	if (tcp) {
+		/*
+		 * Reserve space for the TCP message length.
+		 */
+		isc_buffer_init(&tcpbuffer, query->data, sizeof(query->data));
+		isc_buffer_init(&query->buffer, query->data + 2,
+				sizeof(query->data) - 2);
+		buffer = &tcpbuffer;
+	} else {
+		isc_buffer_init(&query->buffer, query->data,
+				sizeof(query->data));
+		buffer = &query->buffer;
+	}
+
+	result = dns_message_gettempname(fctx->qmessage, &qname);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_temps;
+	}
+	result = dns_message_gettemprdataset(fctx->qmessage, &qrdataset);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_temps;
+	}
+
+	/*
+	 * Get a query id from the dispatch.
+	 */
+	result = dns_dispatch_addresponse(query->dispatch, 0,
+					  &query->addrinfo->sockaddr, task,
+					  resquery_response, query, &query->id,
+					  &query->dispentry, res->socketmgr);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_temps;
+	}
+
+	fctx->qmessage->opcode = dns_opcode_query;
+
+	/*
+	 * Set up question.
+	 */
+	dns_name_clone(&fctx->name, qname);
+	dns_rdataset_makequestion(qrdataset, res->rdclass, fctx->type);
+	ISC_LIST_APPEND(qname->list, qrdataset, link);
+	dns_message_addname(fctx->qmessage, qname, DNS_SECTION_QUESTION);
+	qname = NULL;
+	qrdataset = NULL;
+
+	/*
+	 * Set RD if the client has requested that we do a recursive query,
+	 * or if we're sending to a forwarder.
+	 */
+	if ((query->options & DNS_FETCHOPT_RECURSIVE) != 0 ||
+	    ISFORWARDER(query->addrinfo))
+	{
+		fctx->qmessage->flags |= DNS_MESSAGEFLAG_RD;
+	}
+
+	/*
+	 * Set CD if the client says not to validate, or if the
+	 * question is under a secure entry point and this is a
+	 * recursive/forward query -- unless the client said not to.
+	 */
+	if ((query->options & DNS_FETCHOPT_NOCDFLAG) != 0) {
+		/* Do nothing */
+	} else if ((query->options & DNS_FETCHOPT_NOVALIDATE) != 0) {
+		fctx->qmessage->flags |= DNS_MESSAGEFLAG_CD;
+	} else if (res->view->enablevalidation &&
+		   ((fctx->qmessage->flags & DNS_MESSAGEFLAG_RD) != 0))
+	{
+		bool checknta = ((query->options & DNS_FETCHOPT_NONTA) == 0);
+		bool ntacovered = false;
+		result = issecuredomain(res->view, &fctx->name, fctx->type,
+					isc_time_seconds(&query->start),
+					checknta, &ntacovered, &secure_domain);
+		if (result != ISC_R_SUCCESS) {
+			secure_domain = false;
+		}
+		if (secure_domain ||
+		    (ISFORWARDER(query->addrinfo) && ntacovered))
+		{
+			fctx->qmessage->flags |= DNS_MESSAGEFLAG_CD;
+		}
+	}
+
+	/*
+	 * We don't have to set opcode because it defaults to query.
+	 */
+	fctx->qmessage->id = query->id;
+
+	/*
+	 * Convert the question to wire format.
+	 */
+	result = dns_compress_init(&cctx, -1, fctx->res->mctx);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_message;
+	}
+	cleanup_cctx = true;
+
+	result = dns_message_renderbegin(fctx->qmessage, &cctx, &query->buffer);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_message;
+	}
+
+	result = dns_message_rendersection(fctx->qmessage, DNS_SECTION_QUESTION,
+					   0);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_message;
+	}
+
+	peer = NULL;
+	isc_netaddr_fromsockaddr(&ipaddr, &query->addrinfo->sockaddr);
+	(void)dns_peerlist_peerbyaddr(fctx->res->view->peers, &ipaddr, &peer);
+
+	/*
+	 * The ADB does not know about servers with "edns no".  Check this,
+	 * and then inform the ADB for future use.
+	 */
+	if ((query->addrinfo->flags & DNS_FETCHOPT_NOEDNS0) == 0 &&
+	    peer != NULL &&
+	    dns_peer_getsupportedns(peer, &useedns) == ISC_R_SUCCESS &&
+	    !useedns)
+	{
+		query->options |= DNS_FETCHOPT_NOEDNS0;
+		dns_adb_changeflags(fctx->adb, query->addrinfo,
+				    DNS_FETCHOPT_NOEDNS0, DNS_FETCHOPT_NOEDNS0);
+	}
+
+	/* Sync NOEDNS0 flag in addrinfo->flags and options now. */
+	if ((query->addrinfo->flags & DNS_FETCHOPT_NOEDNS0) != 0) {
+		query->options |= DNS_FETCHOPT_NOEDNS0;
+	}
+
+	if (fctx->timeout && (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
+		isc_sockaddr_t *sockaddr = &query->addrinfo->sockaddr;
+		struct tried *tried;
+
+		if ((tried = triededns(fctx, sockaddr)) != NULL) {
+			if (tried->count == 1U) {
+				hint = dns_adb_getudpsize(fctx->adb,
+							  query->addrinfo);
+			} else if (tried->count >= 2U) {
+				query->options |= DNS_FETCHOPT_EDNS512;
+				fctx->reason = "reducing the advertised EDNS "
+					       "UDP packet size to 512 octets";
+			}
+		}
+	}
+	fctx->timeout = false;
+
+	/*
+	 * Use EDNS0, unless the caller doesn't want it, or we know that the
+	 * remote server doesn't like it.
+	 */
+	if ((query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
+		if ((query->addrinfo->flags & DNS_FETCHOPT_NOEDNS0) == 0) {
+			unsigned int version = DNS_EDNS_VERSION;
+			unsigned int flags = query->addrinfo->flags;
+			bool reqnsid = res->view->requestnsid;
+			bool sendcookie = res->view->sendcookie;
+			bool tcpkeepalive = false;
+			unsigned char cookie[COOKIE_BUFFER_SIZE];
+			uint16_t padding = 0;
+
+			if ((flags & FCTX_ADDRINFO_EDNSOK) != 0 &&
+			    (query->options & DNS_FETCHOPT_EDNS512) == 0)
+			{
+				udpsize = dns_adb_probesize(fctx->adb,
+							    query->addrinfo,
+							    fctx->timeouts);
+				if (udpsize > res->udpsize) {
+					udpsize = res->udpsize;
+				}
+			}
+
+			if (peer != NULL) {
+				(void)dns_peer_getudpsize(peer, &udpsize);
+			}
+
+			if (udpsize == 0U && res->udpsize == 512U) {
+				udpsize = 512;
+			}
+
+			/*
+			 * Was the size forced to 512 in the configuration?
+			 */
+			if (udpsize == 512U) {
+				query->options |= DNS_FETCHOPT_EDNS512;
+			}
+
+			/*
+			 * We have talked to this server before.
+			 */
+			if (hint != 0U) {
+				udpsize = hint;
+			}
+
+			/*
+			 * We know nothing about the peer's capabilities
+			 * so start with minimal EDNS UDP size.
+			 */
+			if (udpsize == 0U) {
+				udpsize = 512;
+			}
+
+			if ((flags & DNS_FETCHOPT_EDNSVERSIONSET) != 0) {
+				version = flags & DNS_FETCHOPT_EDNSVERSIONMASK;
+				version >>= DNS_FETCHOPT_EDNSVERSIONSHIFT;
+			}
+
+			/* Request NSID/COOKIE/VERSION for current peer? */
+			if (peer != NULL) {
+				uint8_t ednsversion;
+				(void)dns_peer_getrequestnsid(peer, &reqnsid);
+				(void)dns_peer_getsendcookie(peer, &sendcookie);
+				result = dns_peer_getednsversion(peer,
+								 &ednsversion);
+				if (result == ISC_R_SUCCESS &&
+				    ednsversion < version)
+				{
+					version = ednsversion;
+				}
+			}
+			if (NOCOOKIE(query->addrinfo)) {
+				sendcookie = false;
+			}
+			if (reqnsid) {
+				INSIST(ednsopt < DNS_EDNSOPTIONS);
+				ednsopts[ednsopt].code = DNS_OPT_NSID;
+				ednsopts[ednsopt].length = 0;
+				ednsopts[ednsopt].value = NULL;
+				ednsopt++;
+			}
+			if (sendcookie) {
+				INSIST(ednsopt < DNS_EDNSOPTIONS);
+				ednsopts[ednsopt].code = DNS_OPT_COOKIE;
+				ednsopts[ednsopt].length =
+					(uint16_t)dns_adb_getcookie(
+						fctx->adb, query->addrinfo,
+						cookie, sizeof(cookie));
+				if (ednsopts[ednsopt].length != 0) {
+					ednsopts[ednsopt].value = cookie;
+					inc_stats(
+						fctx->res,
+						dns_resstatscounter_cookieout);
+				} else {
+					compute_cc(query, cookie,
+						   CLIENT_COOKIE_SIZE);
+					ednsopts[ednsopt].value = cookie;
+					ednsopts[ednsopt].length =
+						CLIENT_COOKIE_SIZE;
+					inc_stats(
+						fctx->res,
+						dns_resstatscounter_cookienew);
+				}
+				ednsopt++;
+			}
+
+			/* Add TCP keepalive option if appropriate */
+			if ((peer != NULL) && tcp) {
+				(void)dns_peer_gettcpkeepalive(peer,
+							       &tcpkeepalive);
+			}
+			if (tcpkeepalive) {
+				INSIST(ednsopt < DNS_EDNSOPTIONS);
+				ednsopts[ednsopt].code = DNS_OPT_TCP_KEEPALIVE;
+				ednsopts[ednsopt].length = 0;
+				ednsopts[ednsopt].value = NULL;
+				ednsopt++;
+			}
+
+			/* Add PAD for current peer? Require TCP for now */
+			if ((peer != NULL) && tcp) {
+				(void)dns_peer_getpadding(peer, &padding);
+			}
+			if (padding != 0) {
+				INSIST(ednsopt < DNS_EDNSOPTIONS);
+				ednsopts[ednsopt].code = DNS_OPT_PAD;
+				ednsopts[ednsopt].length = 0;
+				ednsopt++;
+				dns_message_setpadding(fctx->qmessage, padding);
+			}
+
+			query->ednsversion = version;
+			result = fctx_addopt(fctx->qmessage, version, udpsize,
+					     ednsopts, ednsopt);
+			if (reqnsid && result == ISC_R_SUCCESS) {
+				query->options |= DNS_FETCHOPT_WANTNSID;
+			} else if (result != ISC_R_SUCCESS) {
+				/*
+				 * We couldn't add the OPT, but we'll press on.
+				 * We're not using EDNS0, so set the NOEDNS0
+				 * bit.
+				 */
+				query->options |= DNS_FETCHOPT_NOEDNS0;
+				query->ednsversion = -1;
+				udpsize = 0;
+			}
+		} else {
+			/*
+			 * We know this server doesn't like EDNS0, so we
+			 * won't use it.  Set the NOEDNS0 bit since we're
+			 * not using EDNS0.
+			 */
+			query->options |= DNS_FETCHOPT_NOEDNS0;
+			query->ednsversion = -1;
+		}
+	} else {
+		query->ednsversion = -1;
+	}
+
+	/*
+	 * Record the UDP EDNS size chosen.
+	 */
+	query->udpsize = udpsize;
+
+	/*
+	 * If we need EDNS0 to do this query and aren't using it, we lose.
+	 */
+	if (NEEDEDNS0(fctx) && (query->options & DNS_FETCHOPT_NOEDNS0) != 0) {
+		result = DNS_R_SERVFAIL;
+		goto cleanup_message;
+	}
+
+	if (udpsize > 512U) {
+		add_triededns(fctx, &query->addrinfo->sockaddr);
+	}
+
+	if (udpsize == 512U) {
+		add_triededns512(fctx, &query->addrinfo->sockaddr);
+	}
+
+	/*
+	 * Clear CD if EDNS is not in use.
+	 */
+	if ((query->options & DNS_FETCHOPT_NOEDNS0) != 0) {
+		fctx->qmessage->flags &= ~DNS_MESSAGEFLAG_CD;
+	}
+
+	/*
+	 * Add TSIG record tailored to the current recipient.
+	 */
+	result = dns_view_getpeertsig(fctx->res->view, &ipaddr, &tsigkey);
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
+		goto cleanup_message;
+	}
+
+	if (tsigkey != NULL) {
+		result = dns_message_settsigkey(fctx->qmessage, tsigkey);
+		dns_tsigkey_detach(&tsigkey);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup_message;
+		}
+	}
+
+	result = dns_message_rendersection(fctx->qmessage,
+					   DNS_SECTION_ADDITIONAL, 0);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_message;
+	}
+
+	result = dns_message_renderend(fctx->qmessage);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_message;
+	}
+
+#ifdef HAVE_DNSTAP
+	memset(&zr, 0, sizeof(zr));
+	isc_buffer_init(&zb, zone, sizeof(zone));
+	dns_compress_setmethods(&cctx, DNS_COMPRESS_NONE);
+	result = dns_name_towire(&fctx->domain, &cctx, &zb);
+	if (result == ISC_R_SUCCESS) {
+		isc_buffer_usedregion(&zb, &zr);
+	}
+#endif /* HAVE_DNSTAP */
+
+	dns_compress_invalidate(&cctx);
+	cleanup_cctx = false;
+
+	if (dns_message_gettsigkey(fctx->qmessage) != NULL) {
+		dns_tsigkey_attach(dns_message_gettsigkey(fctx->qmessage),
+				   &query->tsigkey);
+		result = dns_message_getquerytsig(
+			fctx->qmessage, fctx->res->mctx, &query->tsig);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup_message;
+		}
+	}
+
+	/*
+	 * If using TCP, write the length of the message at the beginning
+	 * of the buffer.
+	 */
+	if (tcp) {
+		isc_buffer_usedregion(&query->buffer, &r);
+		isc_buffer_putuint16(&tcpbuffer, (uint16_t)r.length);
+		isc_buffer_add(&tcpbuffer, r.length);
+	}
+
+	/*
+	 * Log the outgoing packet.
+	 */
+	dns_message_logfmtpacket(
+		fctx->qmessage, "sending packet to", &query->addrinfo->sockaddr,
+		DNS_LOGCATEGORY_RESOLVER, DNS_LOGMODULE_PACKETS,
+		&dns_master_style_comment, ISC_LOG_DEBUG(11), fctx->res->mctx);
+
+	/*
+	 * We're now done with the query message.
+	 */
+	dns_message_reset(fctx->qmessage, DNS_MESSAGE_INTENTRENDER);
+
+	sock = query2sock(query);
+
+	/*
+	 * Send the query!
+	 */
+	if (!tcp) {
+		address = &query->addrinfo->sockaddr;
+		if (query->exclusivesocket) {
+			result = isc_socket_connect(sock, address, task,
+						    resquery_udpconnected,
+						    query);
+			if (result != ISC_R_SUCCESS) {
+				goto cleanup_message;
+			}
+			query->connects++;
+		}
+	}
+	isc_buffer_usedregion(buffer, &r);
+
+	/*
+	 * XXXRTH  Make sure we don't send to ourselves!  We should probably
+	 *		prune out these addresses when we get them from the ADB.
+	 */
+	memset(&query->sendevent, 0, sizeof(query->sendevent));
+	ISC_EVENT_INIT(&query->sendevent, sizeof(query->sendevent), 0, NULL,
+		       ISC_SOCKEVENT_SENDDONE, resquery_senddone, query, NULL,
+		       NULL, NULL);
+
+	if (query->dscp == -1) {
+		query->sendevent.attributes &= ~ISC_SOCKEVENTATTR_DSCP;
+		query->sendevent.dscp = 0;
+	} else {
+		query->sendevent.attributes |= ISC_SOCKEVENTATTR_DSCP;
+		query->sendevent.dscp = query->dscp;
+		if (tcp) {
+			isc_socket_dscp(sock, query->dscp);
+		}
+	}
+
+	result = isc_socket_sendto2(sock, &r, task, address, NULL,
+				    &query->sendevent, 0);
+	INSIST(result == ISC_R_SUCCESS);
+
+	query->sends++;
+
+	QTRACE("sent");
+
+#ifdef HAVE_DNSTAP
+	/*
+	 * Log the outgoing query via dnstap.
+	 */
+	if ((fctx->qmessage->flags & DNS_MESSAGEFLAG_RD) != 0) {
+		dtmsgtype = DNS_DTTYPE_FQ;
+	} else {
+		dtmsgtype = DNS_DTTYPE_RQ;
+	}
+
+	result = isc_socket_getsockname(sock, &localaddr);
+	if (result == ISC_R_SUCCESS) {
+		la = &localaddr;
+	}
+
+	dns_dt_send(fctx->res->view, dtmsgtype, la, &query->addrinfo->sockaddr,
+		    tcp, &zr, &query->start, NULL, &query->buffer);
+#endif /* HAVE_DNSTAP */
+
+	return (ISC_R_SUCCESS);
+
+cleanup_message:
+	if (cleanup_cctx) {
+		dns_compress_invalidate(&cctx);
+	}
+
+	dns_message_reset(fctx->qmessage, DNS_MESSAGE_INTENTRENDER);
+
+	/*
+	 * Stop the dispatcher from listening.
+	 */
+	dns_dispatch_removeresponse(&query->dispentry, NULL);
+
+cleanup_temps:
+	if (qname != NULL) {
+		dns_message_puttempname(fctx->qmessage, &qname);
+	}
+	if (qrdataset != NULL) {
+		dns_message_puttemprdataset(fctx->qmessage, &qrdataset);
+	}
+
+	return (result);
+}
+
+static void
+resquery_connected(isc_task_t *task, isc_event_t *event) {
+	isc_socketevent_t *sevent = (isc_socketevent_t *)event;
+	resquery_t *query = event->ev_arg;
+	bool retry = false;
+	isc_interval_t interval;
+	isc_result_t result;
+	unsigned int attrs;
+	fetchctx_t *fctx;
+
+	REQUIRE(event->ev_type == ISC_SOCKEVENT_CONNECT);
+	REQUIRE(VALID_QUERY(query));
+
+	QTRACE("connected");
+
+	UNUSED(task);
+
+	/*
+	 * XXXRTH
+	 *
+	 * Currently we don't wait for the connect event before retrying
+	 * a query.  This means that if we get really behind, we may end
+	 * up doing extra work!
+	 */
+
+	query->connects--;
+	fctx = query->fctx;
+
+	if (RESQUERY_CANCELED(query)) {
+		/*
+		 * This query was canceled while the connect() was in
+		 * progress.
+		 */
+		isc_socket_detach(&query->tcpsocket);
+		resquery_destroy(&query);
+	} else {
+		switch (sevent->result) {
+		case ISC_R_SUCCESS:
+
+			/*
+			 * Extend the idle timer for TCP.  Half of
+			 * "resolver-query-timeout" will hopefully be long
+			 * enough for a TCP connection to be established, a
+			 * single DNS request to be sent, and the response
+			 * received.
+			 */
+			isc_interval_set(&interval,
+					 fctx->res->query_timeout / 1000 / 2,
+					 0);
+			result = fctx_startidletimer(query->fctx, &interval);
+			if (result != ISC_R_SUCCESS) {
+				FCTXTRACE("query canceled: idle timer failed; "
+					  "responding");
+
+				fctx_cancelquery(&query, NULL, NULL, false,
+						 false);
+				fctx_done(fctx, result, __LINE__);
+				break;
+			}
+			/*
+			 * We are connected.  Create a dispatcher and
+			 * send the query.
+			 */
+			attrs = 0;
+			attrs |= DNS_DISPATCHATTR_TCP;
+			attrs |= DNS_DISPATCHATTR_PRIVATE;
+			attrs |= DNS_DISPATCHATTR_CONNECTED;
+			if (isc_sockaddr_pf(&query->addrinfo->sockaddr) ==
+			    AF_INET)
+			{
+				attrs |= DNS_DISPATCHATTR_IPV4;
+			} else {
+				attrs |= DNS_DISPATCHATTR_IPV6;
+			}
+			attrs |= DNS_DISPATCHATTR_MAKEQUERY;
+
+			result = dns_dispatch_createtcp(
+				query->dispatchmgr, query->tcpsocket,
+				query->fctx->res->taskmgr, NULL, NULL, 4096, 2,
+				1, 1, 3, attrs, &query->dispatch);
+
+			/*
+			 * Regardless of whether dns_dispatch_create()
+			 * succeeded or not, we don't need our reference
+			 * to the socket anymore.
+			 */
+			isc_socket_detach(&query->tcpsocket);
+
+			if (result == ISC_R_SUCCESS) {
+				result = resquery_send(query);
+			}
+
+			if (result != ISC_R_SUCCESS) {
+				FCTXTRACE("query canceled: "
+					  "resquery_send() failed; responding");
+
+				fctx_cancelquery(&query, NULL, NULL, false,
+						 false);
+				fctx_done(fctx, result, __LINE__);
+			}
+			break;
+
+		case ISC_R_NETUNREACH:
+		case ISC_R_HOSTUNREACH:
+		case ISC_R_CONNREFUSED:
+		case ISC_R_NOPERM:
+		case ISC_R_ADDRNOTAVAIL:
+		case ISC_R_CONNECTIONRESET:
+			FCTXTRACE3("query canceled in connected(): "
+				   "no route to host; no response",
+				   sevent->result);
+
+			/*
+			 * No route to remote.
+			 */
+			isc_socket_detach(&query->tcpsocket);
+			/*
+			 * Do not query this server again in this fetch context
+			 * if we already tried reducing the advertised EDNS UDP
+			 * payload size to 512 bytes and the server is
+			 * unavailable over TCP.  This prevents query loops
+			 * lasting until the fetch context restart limit is
+			 * reached when attempting to get answers whose size
+			 * exceeds 512 bytes from broken servers.
+			 */
+			if ((query->options & DNS_FETCHOPT_EDNS512) != 0) {
+				add_bad(fctx, query->rmessage, query->addrinfo,
+					sevent->result, badns_unreachable);
+			}
+			fctx_cancelquery(&query, NULL, NULL, true, false);
+			retry = true;
+			break;
+
+		default:
+			FCTXTRACE3("query canceled in connected() due to "
+				   "unexpected event result; responding",
+				   sevent->result);
+
+			isc_socket_detach(&query->tcpsocket);
+			fctx_cancelquery(&query, NULL, NULL, false, false);
+			break;
+		}
+	}
+
+	isc_event_free(&event);
+
+	if (retry) {
+		/*
+		 * Behave as if the idle timer has expired.  For TCP
+		 * connections this may not actually reflect the latest timer.
+		 */
+		FCTX_ATTR_CLR(fctx, FCTX_ATTR_ADDRWAIT);
+		result = fctx_stopidletimer(fctx);
+		if (result != ISC_R_SUCCESS) {
+			fctx_done(fctx, result, __LINE__);
+		} else {
+			fctx_try(fctx, true, false);
+		}
+	}
+}
+
+static void
+fctx_finddone(isc_task_t *task, isc_event_t *event) {
+	fetchctx_t *fctx;
+	dns_adbfind_t *find;
+	dns_resolver_t *res;
+	bool want_try = false;
+	bool want_done = false;
+	bool bucket_empty = false;
+	unsigned int bucketnum;
+	bool dodestroy = false;
+
+	find = event->ev_sender;
+	fctx = event->ev_arg;
+	REQUIRE(VALID_FCTX(fctx));
+	res = fctx->res;
+
+	UNUSED(task);
+
+	FCTXTRACE("finddone");
+
+	bucketnum = fctx->bucketnum;
+	LOCK(&res->buckets[bucketnum].lock);
+
+	INSIST(fctx->pending > 0);
+	fctx->pending--;
+
+	if (ADDRWAIT(fctx)) {
+		/*
+		 * The fetch is waiting for a name to be found.
+		 */
+		INSIST(!SHUTTINGDOWN(fctx));
+		if (event->ev_type == DNS_EVENT_ADBMOREADDRESSES) {
+			FCTX_ATTR_CLR(fctx, FCTX_ATTR_ADDRWAIT);
+			want_try = true;
+		} else {
+			fctx->findfail++;
+			if (fctx->pending == 0) {
+				/*
+				 * We've got nothing else to wait for and don't
+				 * know the answer.  There's nothing to do but
+				 * fail the fctx.
+				 */
+				FCTX_ATTR_CLR(fctx, FCTX_ATTR_ADDRWAIT);
+				want_done = true;
+			}
+		}
+	} else if (SHUTTINGDOWN(fctx) && fctx->pending == 0 &&
+		   fctx->nqueries == 0 && ISC_LIST_EMPTY(fctx->validators))
+	{
+		if (isc_refcount_current(&fctx->references) == 0) {
+			bucket_empty = fctx_unlink(fctx);
+			dodestroy = true;
+		}
+	}
+	UNLOCK(&res->buckets[bucketnum].lock);
+
+	isc_event_free(&event);
+	dns_adb_destroyfind(&find);
+
+	if (want_try) {
+		fctx_try(fctx, true, false);
+	} else if (want_done) {
+		FCTXTRACE("fetch failed in finddone(); return ISC_R_FAILURE");
+		fctx_done(fctx, ISC_R_FAILURE, __LINE__);
+	} else if (dodestroy) {
+		fctx_destroy(fctx);
+		if (bucket_empty) {
+			empty_bucket(res);
+		}
+	}
+}
+
+static bool
+bad_server(fetchctx_t *fctx, isc_sockaddr_t *address) {
+	isc_sockaddr_t *sa;
+
+	for (sa = ISC_LIST_HEAD(fctx->bad); sa != NULL;
+	     sa = ISC_LIST_NEXT(sa, link))
+	{
+		if (isc_sockaddr_equal(sa, address)) {
+			return (true);
+		}
+	}
+
+	return (false);
+}
+
+static bool
+mark_bad(fetchctx_t *fctx) {
+	dns_adbfind_t *curr;
+	dns_adbaddrinfo_t *addrinfo;
+	bool all_bad = true;
+
+#ifdef ENABLE_AFL
+	if (dns_fuzzing_resolver) {
+		return (false);
+	}
+#endif /* ifdef ENABLE_AFL */
+
+	/*
+	 * Mark all known bad servers, so we don't try to talk to them
+	 * again.
+	 */
+
+	/*
+	 * Mark any bad nameservers.
+	 */
+	for (curr = ISC_LIST_HEAD(fctx->finds); curr != NULL;
+	     curr = ISC_LIST_NEXT(curr, publink))
+	{
+		for (addrinfo = ISC_LIST_HEAD(curr->list); addrinfo != NULL;
+		     addrinfo = ISC_LIST_NEXT(addrinfo, publink))
+		{
+			if (bad_server(fctx, &addrinfo->sockaddr)) {
+				addrinfo->flags |= FCTX_ADDRINFO_MARK;
+			} else {
+				all_bad = false;
+			}
+		}
+	}
+
+	/*
+	 * Mark any bad forwarders.
+	 */
+	for (addrinfo = ISC_LIST_HEAD(fctx->forwaddrs); addrinfo != NULL;
+	     addrinfo = ISC_LIST_NEXT(addrinfo, publink))
+	{
+		if (bad_server(fctx, &addrinfo->sockaddr)) {
+			addrinfo->flags |= FCTX_ADDRINFO_MARK;
+		} else {
+			all_bad = false;
+		}
+	}
+
+	/*
+	 * Mark any bad alternates.
+	 */
+	for (curr = ISC_LIST_HEAD(fctx->altfinds); curr != NULL;
+	     curr = ISC_LIST_NEXT(curr, publink))
+	{
+		for (addrinfo = ISC_LIST_HEAD(curr->list); addrinfo != NULL;
+		     addrinfo = ISC_LIST_NEXT(addrinfo, publink))
+		{
+			if (bad_server(fctx, &addrinfo->sockaddr)) {
+				addrinfo->flags |= FCTX_ADDRINFO_MARK;
+			} else {
+				all_bad = false;
+			}
+		}
+	}
+
+	for (addrinfo = ISC_LIST_HEAD(fctx->altaddrs); addrinfo != NULL;
+	     addrinfo = ISC_LIST_NEXT(addrinfo, publink))
+	{
+		if (bad_server(fctx, &addrinfo->sockaddr)) {
+			addrinfo->flags |= FCTX_ADDRINFO_MARK;
+		} else {
+			all_bad = false;
+		}
+	}
+
+	return (all_bad);
+}
+
+static void
+add_bad(fetchctx_t *fctx, dns_message_t *rmessage, dns_adbaddrinfo_t *addrinfo,
+	isc_result_t reason, badnstype_t badtype) {
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+	char classbuf[64];
+	char typebuf[64];
+	char code[64];
+	isc_buffer_t b;
+	isc_sockaddr_t *sa;
+	const char *spc = "";
+	isc_sockaddr_t *address = &addrinfo->sockaddr;
+
+#ifdef ENABLE_AFL
+	if (dns_fuzzing_resolver) {
+		return;
+	}
+#endif /* ifdef ENABLE_AFL */
+
+	if (reason == DNS_R_LAME) {
+		fctx->lamecount++;
+	} else {
+		switch (badtype) {
+		case badns_unreachable:
+			fctx->neterr++;
+			break;
+		case badns_response:
+			fctx->badresp++;
+			break;
+		case badns_validation:
+			break; /* counted as 'valfail' */
+		case badns_forwarder:
+			/*
+			 * We were called to prevent the given forwarder from
+			 * being used again for this fetch context.
+			 */
+			break;
+		}
+	}
+
+	if (bad_server(fctx, address)) {
+		/*
+		 * We already know this server is bad.
+		 */
+		return;
+	}
+
+	FCTXTRACE("add_bad");
+
+	sa = isc_mem_get(fctx->mctx, sizeof(*sa));
+	*sa = *address;
+	ISC_LIST_INITANDAPPEND(fctx->bad, sa, link);
+
+	if (reason == DNS_R_LAME) { /* already logged */
+		return;
+	}
+
+	if (reason == DNS_R_UNEXPECTEDRCODE &&
+	    rmessage->rcode == dns_rcode_servfail && ISFORWARDER(addrinfo))
+	{
+		return;
+	}
+
+	if (reason == DNS_R_UNEXPECTEDRCODE) {
+		isc_buffer_init(&b, code, sizeof(code) - 1);
+		dns_rcode_totext(rmessage->rcode, &b);
+		code[isc_buffer_usedlength(&b)] = '\0';
+		spc = " ";
+	} else if (reason == DNS_R_UNEXPECTEDOPCODE) {
+		isc_buffer_init(&b, code, sizeof(code) - 1);
+		dns_opcode_totext((dns_opcode_t)rmessage->opcode, &b);
+		code[isc_buffer_usedlength(&b)] = '\0';
+		spc = " ";
+	} else {
+		code[0] = '\0';
+	}
+	dns_name_format(&fctx->name, namebuf, sizeof(namebuf));
+	dns_rdatatype_format(fctx->type, typebuf, sizeof(typebuf));
+	dns_rdataclass_format(fctx->res->rdclass, classbuf, sizeof(classbuf));
+	isc_sockaddr_format(address, addrbuf, sizeof(addrbuf));
+	isc_log_write(
+		dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS, DNS_LOGMODULE_RESOLVER,
+		ISC_LOG_INFO, "%s%s%s resolving '%s/%s/%s': %s", code, spc,
+		dns_result_totext(reason), namebuf, typebuf, classbuf, addrbuf);
+}
+
+/*
+ * Sort addrinfo list by RTT.
+ */
+static void
+sort_adbfind(dns_adbfind_t *find, unsigned int bias) {
+	dns_adbaddrinfo_t *best, *curr;
+	dns_adbaddrinfolist_t sorted;
+	unsigned int best_srtt, curr_srtt;
+
+	/* Lame N^2 bubble sort. */
+	ISC_LIST_INIT(sorted);
+	while (!ISC_LIST_EMPTY(find->list)) {
+		best = ISC_LIST_HEAD(find->list);
+		best_srtt = best->srtt;
+		if (isc_sockaddr_pf(&best->sockaddr) != AF_INET6) {
+			best_srtt += bias;
+		}
+		curr = ISC_LIST_NEXT(best, publink);
+		while (curr != NULL) {
+			curr_srtt = curr->srtt;
+			if (isc_sockaddr_pf(&curr->sockaddr) != AF_INET6) {
+				curr_srtt += bias;
+			}
+			if (curr_srtt < best_srtt) {
+				best = curr;
+				best_srtt = curr_srtt;
+			}
+			curr = ISC_LIST_NEXT(curr, publink);
+		}
+		ISC_LIST_UNLINK(find->list, best, publink);
+		ISC_LIST_APPEND(sorted, best, publink);
+	}
+	find->list = sorted;
+}
+
+/*
+ * Sort a list of finds by server RTT.
+ */
+static void
+sort_finds(dns_adbfindlist_t *findlist, unsigned int bias) {
+	dns_adbfind_t *best, *curr;
+	dns_adbfindlist_t sorted;
+	dns_adbaddrinfo_t *addrinfo, *bestaddrinfo;
+	unsigned int best_srtt, curr_srtt;
+
+	/* Sort each find's addrinfo list by SRTT. */
+	for (curr = ISC_LIST_HEAD(*findlist); curr != NULL;
+	     curr = ISC_LIST_NEXT(curr, publink))
+	{
+		sort_adbfind(curr, bias);
+	}
+
+	/* Lame N^2 bubble sort. */
+	ISC_LIST_INIT(sorted);
+	while (!ISC_LIST_EMPTY(*findlist)) {
+		best = ISC_LIST_HEAD(*findlist);
+		bestaddrinfo = ISC_LIST_HEAD(best->list);
+		INSIST(bestaddrinfo != NULL);
+		best_srtt = bestaddrinfo->srtt;
+		if (isc_sockaddr_pf(&bestaddrinfo->sockaddr) != AF_INET6) {
+			best_srtt += bias;
+		}
+		curr = ISC_LIST_NEXT(best, publink);
+		while (curr != NULL) {
+			addrinfo = ISC_LIST_HEAD(curr->list);
+			INSIST(addrinfo != NULL);
+			curr_srtt = addrinfo->srtt;
+			if (isc_sockaddr_pf(&addrinfo->sockaddr) != AF_INET6) {
+				curr_srtt += bias;
+			}
+			if (curr_srtt < best_srtt) {
+				best = curr;
+				best_srtt = curr_srtt;
+			}
+			curr = ISC_LIST_NEXT(curr, publink);
+		}
+		ISC_LIST_UNLINK(*findlist, best, publink);
+		ISC_LIST_APPEND(sorted, best, publink);
+	}
+	*findlist = sorted;
+}
+
+static void
+findname(fetchctx_t *fctx, const dns_name_t *name, in_port_t port,
+	 unsigned int options, unsigned int flags, isc_stdtime_t now,
+	 bool *overquota, bool *need_alternate, unsigned int *no_addresses) {
+	dns_adbaddrinfo_t *ai;
+	dns_adbfind_t *find;
+	dns_resolver_t *res;
+	bool unshared;
+	isc_result_t result;
+
+	FCTXTRACE("FINDNAME");
+	res = fctx->res;
+	unshared = ((fctx->options & DNS_FETCHOPT_UNSHARED) != 0);
+	/*
+	 * If this name is a subdomain of the query domain, tell
+	 * the ADB to start looking using zone/hint data. This keeps us
+	 * from getting stuck if the nameserver is beneath the zone cut
+	 * and we don't know its address (e.g. because the A record has
+	 * expired).
+	 */
+	if (dns_name_issubdomain(name, &fctx->domain)) {
+		options |= DNS_ADBFIND_STARTATZONE;
+	}
+	options |= DNS_ADBFIND_GLUEOK;
+	options |= DNS_ADBFIND_HINTOK;
+
+	/*
+	 * See what we know about this address.
+	 */
+	find = NULL;
+	result = dns_adb_createfind(
+		fctx->adb, res->buckets[fctx->bucketnum].task, fctx_finddone,
+		fctx, name, &fctx->name, fctx->type, options, now, NULL,
+		res->view->dstport, fctx->depth + 1, fctx->qc, &find);
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+		      DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
+		      "fctx %p(%s): createfind for %s/%d - %s", fctx,
+		      fctx->info, fctx->clientstr, fctx->id,
+		      isc_result_totext(result));
+
+	if (result != ISC_R_SUCCESS) {
+		if (result == DNS_R_ALIAS) {
+			char namebuf[DNS_NAME_FORMATSIZE];
+
+			/*
+			 * XXXRTH  Follow the CNAME/DNAME chain?
+			 */
+			dns_adb_destroyfind(&find);
+			fctx->adberr++;
+			dns_name_format(name, namebuf, sizeof(namebuf));
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_CNAME,
+				      DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
+				      "skipping nameserver '%s' because it "
+				      "is a CNAME, while resolving '%s'",
+				      namebuf, fctx->info);
+		}
+	} else if (!ISC_LIST_EMPTY(find->list)) {
+		/*
+		 * We have at least some of the addresses for the
+		 * name.
+		 */
+		INSIST((find->options & DNS_ADBFIND_WANTEVENT) == 0);
+		if (flags != 0 || port != 0) {
+			for (ai = ISC_LIST_HEAD(find->list); ai != NULL;
+			     ai = ISC_LIST_NEXT(ai, publink))
+			{
+				ai->flags |= flags;
+				if (port != 0) {
+					isc_sockaddr_setport(&ai->sockaddr,
+							     port);
+				}
+			}
+		}
+		if ((flags & FCTX_ADDRINFO_DUALSTACK) != 0) {
+			ISC_LIST_APPEND(fctx->altfinds, find, publink);
+		} else {
+			ISC_LIST_APPEND(fctx->finds, find, publink);
+		}
+	} else {
+		/*
+		 * We don't know any of the addresses for this
+		 * name.
+		 */
+		if ((find->options & DNS_ADBFIND_WANTEVENT) != 0) {
+			/*
+			 * We're looking for them and will get an
+			 * event about it later.
+			 */
+			fctx->pending++;
+			/*
+			 * Bootstrap.
+			 */
+			if (need_alternate != NULL && !*need_alternate &&
+			    unshared &&
+			    ((res->dispatches4 == NULL &&
+			      find->result_v6 != DNS_R_NXDOMAIN) ||
+			     (res->dispatches6 == NULL &&
+			      find->result_v4 != DNS_R_NXDOMAIN)))
+			{
+				*need_alternate = true;
+			}
+			if (no_addresses != NULL) {
+				(*no_addresses)++;
+			}
+		} else {
+			if ((find->options & DNS_ADBFIND_OVERQUOTA) != 0) {
+				if (overquota != NULL) {
+					*overquota = true;
+				}
+				fctx->quotacount++; /* quota exceeded */
+			} else if ((find->options & DNS_ADBFIND_LAMEPRUNED) !=
+				   0)
+			{
+				fctx->lamecount++; /* cached lame server */
+			} else {
+				fctx->adberr++; /* unreachable server, etc. */
+			}
+
+			/*
+			 * If we know there are no addresses for
+			 * the family we are using then try to add
+			 * an alternative server.
+			 */
+			if (need_alternate != NULL && !*need_alternate &&
+			    ((res->dispatches4 == NULL &&
+			      find->result_v6 == DNS_R_NXRRSET) ||
+			     (res->dispatches6 == NULL &&
+			      find->result_v4 == DNS_R_NXRRSET)))
+			{
+				*need_alternate = true;
+			}
+			dns_adb_destroyfind(&find);
+		}
+	}
+}
+
+static bool
+isstrictsubdomain(const dns_name_t *name1, const dns_name_t *name2) {
+	int order;
+	unsigned int nlabels;
+	dns_namereln_t namereln;
+
+	namereln = dns_name_fullcompare(name1, name2, &order, &nlabels);
+	return (namereln == dns_namereln_subdomain);
+}
+
+static isc_result_t
+fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_result_t result;
+	dns_resolver_t *res;
+	isc_stdtime_t now;
+	unsigned int stdoptions = 0;
+	dns_forwarder_t *fwd;
+	dns_adbaddrinfo_t *ai;
+	bool all_bad;
+	dns_rdata_ns_t ns;
+	bool need_alternate = false;
+	bool all_spilled = true;
+	unsigned int no_addresses = 0;
+	unsigned int ns_processed = 0;
+
+	FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
+
+	/*
+	 * Don't pound on remote servers.  (Failsafe!)
+	 */
+	fctx->restarts++;
+	if (fctx->restarts > 100) {
+		FCTXTRACE("too many restarts");
+		return (DNS_R_SERVFAIL);
+	}
+
+	res = fctx->res;
+
+	if (fctx->depth > res->maxdepth) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+			      DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
+			      "too much NS indirection resolving '%s' "
+			      "(depth=%u, maxdepth=%u)",
+			      fctx->info, fctx->depth, res->maxdepth);
+		return (DNS_R_SERVFAIL);
+	}
+
+	/*
+	 * Forwarders.
+	 */
+
+	INSIST(ISC_LIST_EMPTY(fctx->forwaddrs));
+	INSIST(ISC_LIST_EMPTY(fctx->altaddrs));
+
+	/*
+	 * If we have DNS_FETCHOPT_NOFORWARD set and forwarding policy
+	 * allows us to not forward - skip forwarders and go straight
+	 * to NSes. This is currently used to make sure that priming query
+	 * gets root servers' IP addresses in ADDITIONAL section.
+	 */
+	if ((fctx->options & DNS_FETCHOPT_NOFORWARD) != 0 &&
+	    (fctx->fwdpolicy != dns_fwdpolicy_only))
+	{
+		goto normal_nses;
+	}
+
+	/*
+	 * If this fctx has forwarders, use them; otherwise use any
+	 * selective forwarders specified in the view; otherwise use the
+	 * resolver's forwarders (if any).
+	 */
+	fwd = ISC_LIST_HEAD(fctx->forwarders);
+	if (fwd == NULL) {
+		dns_forwarders_t *forwarders = NULL;
+		dns_name_t *name = &fctx->name;
+		dns_name_t suffix;
+		unsigned int labels;
+		dns_fixedname_t fixed;
+		dns_name_t *domain;
+
+		/*
+		 * DS records are found in the parent server.
+		 * Strip label to get the correct forwarder (if any).
+		 */
+		if (dns_rdatatype_atparent(fctx->type) &&
+		    dns_name_countlabels(name) > 1)
+		{
+			dns_name_init(&suffix, NULL);
+			labels = dns_name_countlabels(name);
+			dns_name_getlabelsequence(name, 1, labels - 1, &suffix);
+			name = &suffix;
+		}
+
+		domain = dns_fixedname_initname(&fixed);
+		result = dns_fwdtable_find(res->view->fwdtable, name, domain,
+					   &forwarders);
+		if (result == ISC_R_SUCCESS) {
+			fwd = ISC_LIST_HEAD(forwarders->fwdrs);
+			fctx->fwdpolicy = forwarders->fwdpolicy;
+			dns_name_copynf(domain, fctx->fwdname);
+			if (fctx->fwdpolicy == dns_fwdpolicy_only &&
+			    isstrictsubdomain(domain, &fctx->domain))
+			{
+				fcount_decr(fctx);
+				dns_name_free(&fctx->domain, fctx->mctx);
+				dns_name_init(&fctx->domain, NULL);
+				dns_name_dup(domain, fctx->mctx, &fctx->domain);
+				result = fcount_incr(fctx, true);
+				if (result != ISC_R_SUCCESS) {
+					return (result);
+				}
+			}
+		}
+	}
+
+	while (fwd != NULL) {
+		if ((isc_sockaddr_pf(&fwd->addr) == AF_INET &&
+		     res->dispatches4 == NULL) ||
+		    (isc_sockaddr_pf(&fwd->addr) == AF_INET6 &&
+		     res->dispatches6 == NULL))
+		{
+			fwd = ISC_LIST_NEXT(fwd, link);
+			continue;
+		}
+		ai = NULL;
+		result = dns_adb_findaddrinfo(fctx->adb, &fwd->addr, &ai, 0);
+		if (result == ISC_R_SUCCESS) {
+			dns_adbaddrinfo_t *cur;
+			ai->flags |= FCTX_ADDRINFO_FORWARDER;
+			ai->dscp = fwd->dscp;
+			cur = ISC_LIST_HEAD(fctx->forwaddrs);
+			while (cur != NULL && cur->srtt < ai->srtt) {
+				cur = ISC_LIST_NEXT(cur, publink);
+			}
+			if (cur != NULL) {
+				ISC_LIST_INSERTBEFORE(fctx->forwaddrs, cur, ai,
+						      publink);
+			} else {
+				ISC_LIST_APPEND(fctx->forwaddrs, ai, publink);
+			}
+		}
+		fwd = ISC_LIST_NEXT(fwd, link);
+	}
+
+	/*
+	 * If the forwarding policy is "only", we don't need the addresses
+	 * of the nameservers.
+	 */
+	if (fctx->fwdpolicy == dns_fwdpolicy_only) {
+		goto out;
+	}
+
+	/*
+	 * Normal nameservers.
+	 */
+normal_nses:
+	stdoptions = DNS_ADBFIND_WANTEVENT | DNS_ADBFIND_EMPTYEVENT;
+	if (fctx->restarts == 1) {
+		/*
+		 * To avoid sending out a flood of queries likely to
+		 * result in NXRRSET, we suppress fetches for address
+		 * families we don't have the first time through,
+		 * provided that we have addresses in some family we
+		 * can use.
+		 *
+		 * We don't want to set this option all the time, since
+		 * if fctx->restarts > 1, we've clearly been having trouble
+		 * with the addresses we had, so getting more could help.
+		 */
+		stdoptions |= DNS_ADBFIND_AVOIDFETCHES;
+	}
+	if (res->dispatches4 != NULL) {
+		stdoptions |= DNS_ADBFIND_INET;
+	}
+	if (res->dispatches6 != NULL) {
+		stdoptions |= DNS_ADBFIND_INET6;
+	}
+
+	if ((stdoptions & DNS_ADBFIND_ADDRESSMASK) == 0) {
+		return (DNS_R_SERVFAIL);
+	}
+
+	isc_stdtime_get(&now);
+
+	INSIST(ISC_LIST_EMPTY(fctx->finds));
+	INSIST(ISC_LIST_EMPTY(fctx->altfinds));
+
+	for (result = dns_rdataset_first(&fctx->nameservers);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&fctx->nameservers))
+	{
+		bool overquota = false;
+
+		dns_rdataset_current(&fctx->nameservers, &rdata);
+		/*
+		 * Extract the name from the NS record.
+		 */
+		result = dns_rdata_tostruct(&rdata, &ns, NULL);
+		if (result != ISC_R_SUCCESS) {
+			continue;
+		}
+
+		if (no_addresses > NS_FAIL_LIMIT &&
+		    dns_rdataset_count(&fctx->nameservers) > NS_RR_LIMIT)
+		{
+			stdoptions |= DNS_ADBFIND_NOFETCH;
+		}
+		findname(fctx, &ns.name, 0, stdoptions, 0, now, &overquota,
+			 &need_alternate, &no_addresses);
+
+		if (!overquota) {
+			all_spilled = false;
+		}
+
+		dns_rdata_reset(&rdata);
+		dns_rdata_freestruct(&ns);
+
+		if (++ns_processed >= NS_PROCESSING_LIMIT) {
+			result = ISC_R_NOMORE;
+			break;
+		}
+	}
+	if (result != ISC_R_NOMORE) {
+		return (result);
+	}
+
+	/*
+	 * Do we need to use 6 to 4?
+	 */
+	if (need_alternate) {
+		int family;
+		alternate_t *a;
+		family = (res->dispatches6 != NULL) ? AF_INET6 : AF_INET;
+		for (a = ISC_LIST_HEAD(res->alternates); a != NULL;
+		     a = ISC_LIST_NEXT(a, link))
+		{
+			if (!a->isaddress) {
+				findname(fctx, &a->_u._n.name, a->_u._n.port,
+					 stdoptions, FCTX_ADDRINFO_DUALSTACK,
+					 now, NULL, NULL, NULL);
+				continue;
+			}
+			if (isc_sockaddr_pf(&a->_u.addr) != family) {
+				continue;
+			}
+			ai = NULL;
+			result = dns_adb_findaddrinfo(fctx->adb, &a->_u.addr,
+						      &ai, 0);
+			if (result == ISC_R_SUCCESS) {
+				dns_adbaddrinfo_t *cur;
+				ai->flags |= FCTX_ADDRINFO_FORWARDER;
+				ai->flags |= FCTX_ADDRINFO_DUALSTACK;
+				cur = ISC_LIST_HEAD(fctx->altaddrs);
+				while (cur != NULL && cur->srtt < ai->srtt) {
+					cur = ISC_LIST_NEXT(cur, publink);
+				}
+				if (cur != NULL) {
+					ISC_LIST_INSERTBEFORE(fctx->altaddrs,
+							      cur, ai, publink);
+				} else {
+					ISC_LIST_APPEND(fctx->altaddrs, ai,
+							publink);
+				}
+			}
+		}
+	}
+
+out:
+	/*
+	 * Mark all known bad servers.
+	 */
+	all_bad = mark_bad(fctx);
+
+	/*
+	 * How are we doing?
+	 */
+	if (all_bad) {
+		/*
+		 * We've got no addresses.
+		 */
+		if (fctx->pending > 0) {
+			/*
+			 * We're fetching the addresses, but don't have any
+			 * yet.   Tell the caller to wait for an answer.
+			 */
+			result = DNS_R_WAIT;
+		} else {
+			isc_time_t expire;
+			isc_interval_t i;
+			/*
+			 * We've lost completely.  We don't know any
+			 * addresses, and the ADB has told us it can't get
+			 * them.
+			 */
+			FCTXTRACE("no addresses");
+			isc_interval_set(&i, DNS_RESOLVER_BADCACHETTL(fctx), 0);
+			result = isc_time_nowplusinterval(&expire, &i);
+			if (badcache &&
+			    (fctx->type == dns_rdatatype_dnskey ||
+			     fctx->type == dns_rdatatype_ds) &&
+			    result == ISC_R_SUCCESS)
+			{
+				dns_resolver_addbadcache(res, &fctx->name,
+							 fctx->type, &expire);
+			}
+
+			result = ISC_R_FAILURE;
+
+			/*
+			 * If all of the addresses found were over the
+			 * fetches-per-server quota, return the configured
+			 * response.
+			 */
+			if (all_spilled) {
+				result = res->quotaresp[dns_quotatype_server];
+				inc_stats(res, dns_resstatscounter_serverquota);
+			}
+		}
+	} else {
+		/*
+		 * We've found some addresses.  We might still be looking
+		 * for more addresses.
+		 */
+		sort_finds(&fctx->finds, res->view->v6bias);
+		sort_finds(&fctx->altfinds, 0);
+		result = ISC_R_SUCCESS;
+	}
+
+	return (result);
+}
+
+static void
+possibly_mark(fetchctx_t *fctx, dns_adbaddrinfo_t *addr) {
+	isc_netaddr_t na;
+	char buf[ISC_NETADDR_FORMATSIZE];
+	isc_sockaddr_t *sa;
+	bool aborted = false;
+	bool bogus;
+	dns_acl_t *blackhole;
+	isc_netaddr_t ipaddr;
+	dns_peer_t *peer = NULL;
+	dns_resolver_t *res;
+	const char *msg = NULL;
+
+	sa = &addr->sockaddr;
+
+	res = fctx->res;
+	isc_netaddr_fromsockaddr(&ipaddr, sa);
+	blackhole = dns_dispatchmgr_getblackhole(res->dispatchmgr);
+	(void)dns_peerlist_peerbyaddr(res->view->peers, &ipaddr, &peer);
+
+	if (blackhole != NULL) {
+		int match;
+
+		if ((dns_acl_match(&ipaddr, NULL, blackhole, &res->view->aclenv,
+				   &match, NULL) == ISC_R_SUCCESS) &&
+		    match > 0)
+		{
+			aborted = true;
+		}
+	}
+
+	if (peer != NULL && dns_peer_getbogus(peer, &bogus) == ISC_R_SUCCESS &&
+	    bogus)
+	{
+		aborted = true;
+	}
+
+	if (aborted) {
+		addr->flags |= FCTX_ADDRINFO_MARK;
+		msg = "ignoring blackholed / bogus server: ";
+	} else if (isc_sockaddr_isnetzero(sa)) {
+		addr->flags |= FCTX_ADDRINFO_MARK;
+		msg = "ignoring net zero address: ";
+	} else if (isc_sockaddr_ismulticast(sa)) {
+		addr->flags |= FCTX_ADDRINFO_MARK;
+		msg = "ignoring multicast address: ";
+	} else if (isc_sockaddr_isexperimental(sa)) {
+		addr->flags |= FCTX_ADDRINFO_MARK;
+		msg = "ignoring experimental address: ";
+	} else if (sa->type.sa.sa_family != AF_INET6) {
+		return;
+	} else if (IN6_IS_ADDR_V4MAPPED(&sa->type.sin6.sin6_addr)) {
+		addr->flags |= FCTX_ADDRINFO_MARK;
+		msg = "ignoring IPv6 mapped IPV4 address: ";
+	} else if (IN6_IS_ADDR_V4COMPAT(&sa->type.sin6.sin6_addr)) {
+		addr->flags |= FCTX_ADDRINFO_MARK;
+		msg = "ignoring IPv6 compatibility IPV4 address: ";
+	} else {
+		return;
+	}
+
+	if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3))) {
+		isc_netaddr_fromsockaddr(&na, sa);
+		isc_netaddr_format(&na, buf, sizeof(buf));
+		FCTXTRACE2(msg, buf);
+	}
+}
+
+static dns_adbaddrinfo_t *
+fctx_nextaddress(fetchctx_t *fctx) {
+	dns_adbfind_t *find, *start;
+	dns_adbaddrinfo_t *addrinfo;
+	dns_adbaddrinfo_t *faddrinfo;
+
+	/*
+	 * Return the next untried address, if any.
+	 */
+
+	/*
+	 * Find the first unmarked forwarder (if any).
+	 */
+	for (addrinfo = ISC_LIST_HEAD(fctx->forwaddrs); addrinfo != NULL;
+	     addrinfo = ISC_LIST_NEXT(addrinfo, publink))
+	{
+		if (!UNMARKED(addrinfo)) {
+			continue;
+		}
+		possibly_mark(fctx, addrinfo);
+		if (UNMARKED(addrinfo)) {
+			addrinfo->flags |= FCTX_ADDRINFO_MARK;
+			fctx->find = NULL;
+			fctx->forwarding = true;
+
+			/*
+			 * QNAME minimization is disabled when
+			 * forwarding, and has to remain disabled if
+			 * we switch back to normal recursion; otherwise
+			 * forwarding could leave us in an inconsistent
+			 * state.
+			 */
+			fctx->minimized = false;
+			return (addrinfo);
+		}
+	}
+
+	/*
+	 * No forwarders.  Move to the next find.
+	 */
+	fctx->forwarding = false;
+	FCTX_ATTR_SET(fctx, FCTX_ATTR_TRIEDFIND);
+
+	find = fctx->find;
+	if (find == NULL) {
+		find = ISC_LIST_HEAD(fctx->finds);
+	} else {
+		find = ISC_LIST_NEXT(find, publink);
+		if (find == NULL) {
+			find = ISC_LIST_HEAD(fctx->finds);
+		}
+	}
+
+	/*
+	 * Find the first unmarked addrinfo.
+	 */
+	addrinfo = NULL;
+	if (find != NULL) {
+		start = find;
+		do {
+			for (addrinfo = ISC_LIST_HEAD(find->list);
+			     addrinfo != NULL;
+			     addrinfo = ISC_LIST_NEXT(addrinfo, publink))
+			{
+				if (!UNMARKED(addrinfo)) {
+					continue;
+				}
+				possibly_mark(fctx, addrinfo);
+				if (UNMARKED(addrinfo)) {
+					addrinfo->flags |= FCTX_ADDRINFO_MARK;
+					break;
+				}
+			}
+			if (addrinfo != NULL) {
+				break;
+			}
+			find = ISC_LIST_NEXT(find, publink);
+			if (find == NULL) {
+				find = ISC_LIST_HEAD(fctx->finds);
+			}
+		} while (find != start);
+	}
+
+	fctx->find = find;
+	if (addrinfo != NULL) {
+		return (addrinfo);
+	}
+
+	/*
+	 * No nameservers left.  Try alternates.
+	 */
+
+	FCTX_ATTR_SET(fctx, FCTX_ATTR_TRIEDALT);
+
+	find = fctx->altfind;
+	if (find == NULL) {
+		find = ISC_LIST_HEAD(fctx->altfinds);
+	} else {
+		find = ISC_LIST_NEXT(find, publink);
+		if (find == NULL) {
+			find = ISC_LIST_HEAD(fctx->altfinds);
+		}
+	}
+
+	/*
+	 * Find the first unmarked addrinfo.
+	 */
+	addrinfo = NULL;
+	if (find != NULL) {
+		start = find;
+		do {
+			for (addrinfo = ISC_LIST_HEAD(find->list);
+			     addrinfo != NULL;
+			     addrinfo = ISC_LIST_NEXT(addrinfo, publink))
+			{
+				if (!UNMARKED(addrinfo)) {
+					continue;
+				}
+				possibly_mark(fctx, addrinfo);
+				if (UNMARKED(addrinfo)) {
+					addrinfo->flags |= FCTX_ADDRINFO_MARK;
+					break;
+				}
+			}
+			if (addrinfo != NULL) {
+				break;
+			}
+			find = ISC_LIST_NEXT(find, publink);
+			if (find == NULL) {
+				find = ISC_LIST_HEAD(fctx->altfinds);
+			}
+		} while (find != start);
+	}
+
+	faddrinfo = addrinfo;
+
+	/*
+	 * See if we have a better alternate server by address.
+	 */
+
+	for (addrinfo = ISC_LIST_HEAD(fctx->altaddrs); addrinfo != NULL;
+	     addrinfo = ISC_LIST_NEXT(addrinfo, publink))
+	{
+		if (!UNMARKED(addrinfo)) {
+			continue;
+		}
+		possibly_mark(fctx, addrinfo);
+		if (UNMARKED(addrinfo) &&
+		    (faddrinfo == NULL || addrinfo->srtt < faddrinfo->srtt))
+		{
+			if (faddrinfo != NULL) {
+				faddrinfo->flags &= ~FCTX_ADDRINFO_MARK;
+			}
+			addrinfo->flags |= FCTX_ADDRINFO_MARK;
+			break;
+		}
+	}
+
+	if (addrinfo == NULL) {
+		addrinfo = faddrinfo;
+		fctx->altfind = find;
+	}
+
+	return (addrinfo);
+}
+
+static void
+fctx_try(fetchctx_t *fctx, bool retrying, bool badcache) {
+	isc_result_t result;
+	dns_adbaddrinfo_t *addrinfo = NULL;
+	dns_resolver_t *res;
+	isc_task_t *task;
+	unsigned int bucketnum;
+	bool bucket_empty;
+
+	FCTXTRACE5("try", "fctx->qc=", isc_counter_used(fctx->qc));
+
+	REQUIRE(!ADDRWAIT(fctx));
+
+	res = fctx->res;
+	bucketnum = fctx->bucketnum;
+
+	/* We've already exceeded maximum query count */
+	if (isc_counter_used(fctx->qc) > res->maxqueries) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+			      DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
+			      "exceeded max queries resolving '%s' "
+			      "(querycount=%u, maxqueries=%u)",
+			      fctx->info, isc_counter_used(fctx->qc),
+			      res->maxqueries);
+		fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
+		return;
+	}
+
+	addrinfo = fctx_nextaddress(fctx);
+
+	/* Try to find an address that isn't over quota */
+	while (addrinfo != NULL && dns_adbentry_overquota(addrinfo->entry)) {
+		addrinfo = fctx_nextaddress(fctx);
+	}
+
+	if (addrinfo == NULL) {
+		/* We have no more addresses.  Start over. */
+		fctx_cancelqueries(fctx, true, false);
+		fctx_cleanupall(fctx);
+		result = fctx_getaddresses(fctx, badcache);
+		if (result == DNS_R_WAIT) {
+			/*
+			 * Sleep waiting for addresses.
+			 */
+			FCTXTRACE("addrwait");
+			FCTX_ATTR_SET(fctx, FCTX_ATTR_ADDRWAIT);
+			return;
+		} else if (result != ISC_R_SUCCESS) {
+			/*
+			 * Something bad happened.
+			 */
+			fctx_done(fctx, result, __LINE__);
+			return;
+		}
+
+		addrinfo = fctx_nextaddress(fctx);
+
+		while (addrinfo != NULL &&
+		       dns_adbentry_overquota(addrinfo->entry))
+		{
+			addrinfo = fctx_nextaddress(fctx);
+		}
+
+		/*
+		 * While we may have addresses from the ADB, they
+		 * might be bad ones.  In this case, return SERVFAIL.
+		 */
+		if (addrinfo == NULL) {
+			fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
+			return;
+		}
+	}
+	/*
+	 * We're minimizing and we're not yet at the final NS -
+	 * we need to launch a query for NS for 'upper' domain
+	 */
+	if (fctx->minimized && !fctx->forwarding) {
+		unsigned int options = fctx->options;
+		/*
+		 * Also clear DNS_FETCHOPT_TRYSTALE_ONTIMEOUT here, otherwise
+		 * every query minimization step will activate the try-stale
+		 * timer again.
+		 */
+		options &= ~(DNS_FETCHOPT_QMINIMIZE |
+			     DNS_FETCHOPT_TRYSTALE_ONTIMEOUT);
+
+		/*
+		 * Is another QNAME minimization fetch still running?
+		 */
+		if (fctx->qminfetch != NULL) {
+			bool validfctx = (DNS_FETCH_VALID(fctx->qminfetch) &&
+					  VALID_FCTX(fctx->qminfetch->private));
+			char namebuf[DNS_NAME_FORMATSIZE];
+			char typebuf[DNS_RDATATYPE_FORMATSIZE];
+
+			dns_name_format(&fctx->qminname, namebuf,
+					sizeof(namebuf));
+			dns_rdatatype_format(fctx->qmintype, typebuf,
+					     sizeof(typebuf));
+
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+				      DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
+				      "fctx %p(%s): attempting QNAME "
+				      "minimization fetch for %s/%s but "
+				      "fetch %p(%s) still running",
+				      fctx, fctx->info, namebuf, typebuf,
+				      fctx->qminfetch,
+				      validfctx ? fctx->qminfetch->private->info
+						: "<invalid>");
+			fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
+			return;
+		}
+
+		/*
+		 * In "_ A" mode we're asking for _.domain -
+		 * resolver by default will follow delegations
+		 * then, we don't want that.
+		 */
+		if ((options & DNS_FETCHOPT_QMIN_USE_A) != 0) {
+			options |= DNS_FETCHOPT_NOFOLLOW;
+		}
+		fctx_increference(fctx);
+		task = res->buckets[bucketnum].task;
+		fctx_stoptimer(fctx);
+		fctx_stoptimer_trystale(fctx);
+		result = dns_resolver_createfetch(
+			fctx->res, &fctx->qminname, fctx->qmintype,
+			&fctx->domain, &fctx->nameservers, NULL, NULL, 0,
+			options, 0, fctx->qc, task, resume_qmin, fctx,
+			&fctx->qminrrset, NULL, &fctx->qminfetch);
+		if (result != ISC_R_SUCCESS) {
+			LOCK(&res->buckets[bucketnum].lock);
+			RUNTIME_CHECK(!fctx_decreference(fctx));
+			UNLOCK(&res->buckets[bucketnum].lock);
+			fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
+		}
+		return;
+	}
+
+	result = isc_counter_increment(fctx->qc);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+			      DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
+			      "exceeded max queries resolving '%s'",
+			      fctx->info);
+		fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
+		return;
+	}
+
+	fctx_increference(fctx);
+
+	result = fctx_query(fctx, addrinfo, fctx->options);
+	if (result != ISC_R_SUCCESS) {
+		fctx_done(fctx, result, __LINE__);
+		LOCK(&res->buckets[bucketnum].lock);
+		bucket_empty = fctx_decreference(fctx);
+		UNLOCK(&res->buckets[bucketnum].lock);
+		if (bucket_empty) {
+			empty_bucket(res);
+		}
+	} else if (retrying) {
+		inc_stats(res, dns_resstatscounter_retry);
+	}
+}
+
+static void
+resume_qmin(isc_task_t *task, isc_event_t *event) {
+	dns_fetchevent_t *fevent;
+	dns_resolver_t *res;
+	fetchctx_t *fctx;
+	isc_result_t result;
+	bool bucket_empty;
+	unsigned int bucketnum;
+	unsigned int findoptions = 0;
+	dns_name_t *fname, *dcname;
+	dns_fixedname_t ffixed, dcfixed;
+	fname = dns_fixedname_initname(&ffixed);
+	dcname = dns_fixedname_initname(&dcfixed);
+
+	REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE);
+	fevent = (dns_fetchevent_t *)event;
+	fctx = event->ev_arg;
+	REQUIRE(VALID_FCTX(fctx));
+	res = fctx->res;
+
+	UNUSED(task);
+	FCTXTRACE("resume_qmin");
+
+	if (fevent->node != NULL) {
+		dns_db_detachnode(fevent->db, &fevent->node);
+	}
+	if (fevent->db != NULL) {
+		dns_db_detach(&fevent->db);
+	}
+
+	bucketnum = fctx->bucketnum;
+
+	if (dns_rdataset_isassociated(fevent->rdataset)) {
+		dns_rdataset_disassociate(fevent->rdataset);
+	}
+	result = fevent->result;
+	fevent = NULL;
+	isc_event_free(&event);
+
+	dns_resolver_destroyfetch(&fctx->qminfetch);
+
+	LOCK(&res->buckets[bucketnum].lock);
+	if (SHUTTINGDOWN(fctx)) {
+		UNLOCK(&res->buckets[bucketnum].lock);
+		goto cleanup;
+	}
+	UNLOCK(&res->buckets[bucketnum].lock);
+
+	/*
+	 * Note: fevent->rdataset must be disassociated and
+	 * isc_event_free(&event) be called before resuming
+	 * processing of the 'fctx' to prevent use-after-free.
+	 * 'fevent' is set to NULL so as to not have a dangling
+	 * pointer.
+	 */
+	if (result == ISC_R_CANCELED) {
+		fctx_done(fctx, result, __LINE__);
+		goto cleanup;
+	}
+
+	/*
+	 * If we're doing "_ A"-style minimization we can get
+	 * NX answer to minimized query - we need to continue then.
+	 *
+	 * Otherwise - either disable minimization if we're
+	 * in relaxed mode or fail if we're in strict mode.
+	 */
+
+	if ((NXDOMAIN_RESULT(result) &&
+	     (fctx->options & DNS_FETCHOPT_QMIN_USE_A) == 0) ||
+	    result == DNS_R_FORMERR || result == DNS_R_REMOTEFORMERR ||
+	    result == ISC_R_FAILURE)
+	{
+		if ((fctx->options & DNS_FETCHOPT_QMIN_STRICT) == 0) {
+			fctx->qmin_labels = DNS_MAX_LABELS + 1;
+			/*
+			 * We store the result. If we succeed in the end
+			 * we'll issue a warning that the server is broken.
+			 */
+			fctx->qmin_warning = result;
+		} else {
+			fctx_done(fctx, result, __LINE__);
+			goto cleanup;
+		}
+	}
+
+	if (dns_rdataset_isassociated(&fctx->nameservers)) {
+		dns_rdataset_disassociate(&fctx->nameservers);
+	}
+
+	if (dns_rdatatype_atparent(fctx->type)) {
+		findoptions |= DNS_DBFIND_NOEXACT;
+	}
+	result = dns_view_findzonecut(res->view, &fctx->name, fname, dcname,
+				      fctx->now, findoptions, true, true,
+				      &fctx->nameservers, NULL);
+
+	/*
+	 * DNS_R_NXDOMAIN here means we have not loaded the root zone mirror
+	 * yet - but DNS_R_NXDOMAIN is not a valid return value when doing
+	 * recursion, we need to patch it.
+	 */
+	if (result == DNS_R_NXDOMAIN) {
+		result = DNS_R_SERVFAIL;
+	}
+
+	if (result != ISC_R_SUCCESS) {
+		fctx_done(fctx, result, __LINE__);
+		goto cleanup;
+	}
+	fcount_decr(fctx);
+	dns_name_free(&fctx->domain, fctx->mctx);
+	dns_name_init(&fctx->domain, NULL);
+	dns_name_dup(fname, fctx->mctx, &fctx->domain);
+
+	result = fcount_incr(fctx, false);
+	if (result != ISC_R_SUCCESS) {
+		fctx_done(fctx, result, __LINE__);
+		goto cleanup;
+	}
+
+	dns_name_free(&fctx->qmindcname, fctx->mctx);
+	dns_name_init(&fctx->qmindcname, NULL);
+	dns_name_dup(dcname, fctx->mctx, &fctx->qmindcname);
+	fctx->ns_ttl = fctx->nameservers.ttl;
+	fctx->ns_ttl_ok = true;
+
+	result = fctx_minimize_qname(fctx);
+	if (result != ISC_R_SUCCESS) {
+		fctx_done(fctx, result, __LINE__);
+		goto cleanup;
+	}
+
+	if (!fctx->minimized) {
+		/*
+		 * We have finished minimizing, but fctx->finds was filled at
+		 * the beginning of the run - now we need to clear it before
+		 * sending the final query to use proper nameservers.
+		 */
+		fctx_cancelqueries(fctx, false, false);
+		fctx_cleanupall(fctx);
+	}
+
+	fctx_try(fctx, true, false);
+
+cleanup:
+	INSIST(event == NULL);
+	INSIST(fevent == NULL);
+	LOCK(&res->buckets[bucketnum].lock);
+	bucket_empty = fctx_decreference(fctx);
+	UNLOCK(&res->buckets[bucketnum].lock);
+	if (bucket_empty) {
+		empty_bucket(res);
+	}
+}
+
+static bool
+fctx_unlink(fetchctx_t *fctx) {
+	dns_resolver_t *res;
+	unsigned int bucketnum;
+
+	/*
+	 * Caller must be holding the bucket lock.
+	 */
+
+	REQUIRE(VALID_FCTX(fctx));
+	REQUIRE(fctx->state == fetchstate_done ||
+		fctx->state == fetchstate_init);
+	REQUIRE(ISC_LIST_EMPTY(fctx->events));
+	REQUIRE(ISC_LIST_EMPTY(fctx->queries));
+	REQUIRE(ISC_LIST_EMPTY(fctx->finds));
+	REQUIRE(ISC_LIST_EMPTY(fctx->altfinds));
+	REQUIRE(fctx->pending == 0);
+	REQUIRE(ISC_LIST_EMPTY(fctx->validators));
+
+	FCTXTRACE("unlink");
+
+	isc_refcount_destroy(&fctx->references);
+
+	res = fctx->res;
+	bucketnum = fctx->bucketnum;
+
+	ISC_LIST_UNLINK(res->buckets[bucketnum].fctxs, fctx, link);
+
+	INSIST(atomic_fetch_sub_release(&res->nfctx, 1) > 0);
+
+	dec_stats(res, dns_resstatscounter_nfetch);
+
+	if (atomic_load_acquire(&res->buckets[bucketnum].exiting) &&
+	    ISC_LIST_EMPTY(res->buckets[bucketnum].fctxs))
+	{
+		return (true);
+	}
+
+	return (false);
+}
+
+static void
+fctx_destroy(fetchctx_t *fctx) {
+	isc_sockaddr_t *sa, *next_sa;
+	struct tried *tried;
+
+	REQUIRE(VALID_FCTX(fctx));
+	REQUIRE(fctx->state == fetchstate_done ||
+		fctx->state == fetchstate_init);
+	REQUIRE(ISC_LIST_EMPTY(fctx->events));
+	REQUIRE(ISC_LIST_EMPTY(fctx->queries));
+	REQUIRE(ISC_LIST_EMPTY(fctx->finds));
+	REQUIRE(ISC_LIST_EMPTY(fctx->altfinds));
+	REQUIRE(fctx->pending == 0);
+	REQUIRE(ISC_LIST_EMPTY(fctx->validators));
+	REQUIRE(!ISC_LINK_LINKED(fctx, link));
+
+	FCTXTRACE("destroy");
+
+	isc_refcount_destroy(&fctx->references);
+
+	/*
+	 * Free bad.
+	 */
+	for (sa = ISC_LIST_HEAD(fctx->bad); sa != NULL; sa = next_sa) {
+		next_sa = ISC_LIST_NEXT(sa, link);
+		ISC_LIST_UNLINK(fctx->bad, sa, link);
+		isc_mem_put(fctx->mctx, sa, sizeof(*sa));
+	}
+
+	for (tried = ISC_LIST_HEAD(fctx->edns); tried != NULL;
+	     tried = ISC_LIST_HEAD(fctx->edns))
+	{
+		ISC_LIST_UNLINK(fctx->edns, tried, link);
+		isc_mem_put(fctx->mctx, tried, sizeof(*tried));
+	}
+
+	for (tried = ISC_LIST_HEAD(fctx->edns512); tried != NULL;
+	     tried = ISC_LIST_HEAD(fctx->edns512))
+	{
+		ISC_LIST_UNLINK(fctx->edns512, tried, link);
+		isc_mem_put(fctx->mctx, tried, sizeof(*tried));
+	}
+
+	for (sa = ISC_LIST_HEAD(fctx->bad_edns); sa != NULL; sa = next_sa) {
+		next_sa = ISC_LIST_NEXT(sa, link);
+		ISC_LIST_UNLINK(fctx->bad_edns, sa, link);
+		isc_mem_put(fctx->mctx, sa, sizeof(*sa));
+	}
+
+	isc_counter_detach(&fctx->qc);
+	fcount_decr(fctx);
+	isc_timer_destroy(&fctx->timer);
+	if (fctx->timer_try_stale != NULL) {
+		isc_timer_destroy(&fctx->timer_try_stale);
+	}
+	dns_message_detach(&fctx->qmessage);
+	if (dns_name_countlabels(&fctx->domain) > 0) {
+		dns_name_free(&fctx->domain, fctx->mctx);
+	}
+	if (dns_rdataset_isassociated(&fctx->nameservers)) {
+		dns_rdataset_disassociate(&fctx->nameservers);
+	}
+	dns_name_free(&fctx->name, fctx->mctx);
+	dns_name_free(&fctx->qminname, fctx->mctx);
+	dns_name_free(&fctx->qmindcname, fctx->mctx);
+	dns_db_detach(&fctx->cache);
+	dns_adb_detach(&fctx->adb);
+	isc_mem_free(fctx->mctx, fctx->info);
+	isc_mem_putanddetach(&fctx->mctx, fctx, sizeof(*fctx));
+}
+
+/*
+ * Fetch event handlers.
+ */
+
+static void
+fctx_timeout(isc_task_t *task, isc_event_t *event) {
+	fetchctx_t *fctx = event->ev_arg;
+	isc_timerevent_t *tevent = (isc_timerevent_t *)event;
+	resquery_t *query;
+
+	REQUIRE(VALID_FCTX(fctx));
+
+	UNUSED(task);
+
+	FCTXTRACE("timeout");
+
+	inc_stats(fctx->res, dns_resstatscounter_querytimeout);
+
+	if (event->ev_type == ISC_TIMEREVENT_LIFE) {
+		fctx->reason = NULL;
+		fctx_done(fctx, ISC_R_TIMEDOUT, __LINE__);
+	} else {
+		isc_result_t result;
+
+		fctx->timeouts++;
+		fctx->timeout = true;
+
+		/*
+		 * We could cancel the running queries here, or we could let
+		 * them keep going.  Since we normally use separate sockets for
+		 * different queries, we adopt the former approach to reduce
+		 * the number of open sockets: cancel the oldest query if it
+		 * expired after the query had started (this is usually the
+		 * case but is not always so, depending on the task schedule
+		 * timing).
+		 */
+		query = ISC_LIST_HEAD(fctx->queries);
+		if (query != NULL &&
+		    isc_time_compare(&tevent->due, &query->start) >= 0)
+		{
+			FCTXTRACE("query timed out; no response");
+			fctx_cancelquery(&query, NULL, NULL, true, false);
+		}
+		FCTX_ATTR_CLR(fctx, FCTX_ATTR_ADDRWAIT);
+
+		/*
+		 * Our timer has triggered.  Reestablish the fctx lifetime
+		 * timer.
+		 */
+		result = fctx_starttimer(fctx);
+		if (result != ISC_R_SUCCESS) {
+			fctx_done(fctx, result, __LINE__);
+		} else {
+			/* Keep trying */
+			fctx_try(fctx, true, false);
+		}
+	}
+
+	isc_event_free(&event);
+}
+
+/*
+ * Fetch event handlers called if stale answers are enabled
+ * (stale-answer-enabled) and the fetch took more than
+ * stale-answer-client-timeout to complete.
+ */
+static void
+fctx_timeout_try_stale(isc_task_t *task, isc_event_t *event) {
+	fetchctx_t *fctx = event->ev_arg;
+	dns_fetchevent_t *dns_event, *next_event;
+	isc_task_t *sender_task;
+
+	REQUIRE(VALID_FCTX(fctx));
+
+	UNUSED(task);
+
+	FCTXTRACE("timeout_try_stale");
+
+	if (event->ev_type != ISC_TIMEREVENT_LIFE) {
+		return;
+	}
+
+	LOCK(&fctx->res->buckets[fctx->bucketnum].lock);
+
+	/*
+	 * Trigger events of type DNS_EVENT_TRYSTALE.
+	 */
+	for (dns_event = ISC_LIST_HEAD(fctx->events); dns_event != NULL;
+	     dns_event = next_event)
+	{
+		next_event = ISC_LIST_NEXT(dns_event, ev_link);
+
+		if (dns_event->ev_type != DNS_EVENT_TRYSTALE) {
+			continue;
+		}
+
+		ISC_LIST_UNLINK(fctx->events, dns_event, ev_link);
+		sender_task = dns_event->ev_sender;
+		dns_event->ev_sender = fctx;
+		dns_event->vresult = ISC_R_TIMEDOUT;
+		dns_event->result = ISC_R_TIMEDOUT;
+
+		isc_task_sendanddetach(&sender_task, ISC_EVENT_PTR(&dns_event));
+	}
+
+	UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock);
+
+	isc_event_free(&event);
+}
+
+static void
+fctx_shutdown(fetchctx_t *fctx) {
+	isc_event_t *cevent;
+
+	/*
+	 * Start the shutdown process for fctx, if it isn't already underway.
+	 */
+
+	FCTXTRACE("shutdown");
+
+	/*
+	 * The caller must be holding the appropriate bucket lock.
+	 */
+
+	if (fctx->want_shutdown) {
+		return;
+	}
+
+	fctx->want_shutdown = true;
+
+	/*
+	 * Unless we're still initializing (in which case the
+	 * control event is still outstanding), we need to post
+	 * the control event to tell the fetch we want it to
+	 * exit.
+	 */
+	if (fctx->state != fetchstate_init) {
+		cevent = &fctx->control_event;
+		isc_task_sendto(fctx->res->buckets[fctx->bucketnum].task,
+				&cevent, fctx->bucketnum);
+	}
+}
+
+static void
+fctx_doshutdown(isc_task_t *task, isc_event_t *event) {
+	fetchctx_t *fctx = event->ev_arg;
+	bool bucket_empty = false;
+	dns_resolver_t *res;
+	unsigned int bucketnum;
+	dns_validator_t *validator;
+	bool dodestroy = false;
+
+	REQUIRE(VALID_FCTX(fctx));
+
+	UNUSED(task);
+
+	res = fctx->res;
+	bucketnum = fctx->bucketnum;
+
+	FCTXTRACE("doshutdown");
+
+	/*
+	 * An fctx that is shutting down is no longer in ADDRWAIT mode.
+	 */
+	FCTX_ATTR_CLR(fctx, FCTX_ATTR_ADDRWAIT);
+
+	/*
+	 * Cancel all pending validators.  Note that this must be done
+	 * without the bucket lock held, since that could cause deadlock.
+	 */
+	validator = ISC_LIST_HEAD(fctx->validators);
+	while (validator != NULL) {
+		dns_validator_cancel(validator);
+		validator = ISC_LIST_NEXT(validator, link);
+	}
+
+	if (fctx->nsfetch != NULL) {
+		dns_resolver_cancelfetch(fctx->nsfetch);
+	}
+
+	if (fctx->qminfetch != NULL) {
+		dns_resolver_cancelfetch(fctx->qminfetch);
+	}
+
+	/*
+	 * Shut down anything still running on behalf of this
+	 * fetch, and clean up finds and addresses.  To avoid deadlock
+	 * with the ADB, we must do this before we lock the bucket lock.
+	 */
+	fctx_stopqueries(fctx, false, false);
+	fctx_cleanupall(fctx);
+
+	LOCK(&res->buckets[bucketnum].lock);
+
+	FCTX_ATTR_SET(fctx, FCTX_ATTR_SHUTTINGDOWN);
+
+	INSIST(fctx->state == fetchstate_active ||
+	       fctx->state == fetchstate_done);
+	INSIST(fctx->want_shutdown);
+
+	if (fctx->state != fetchstate_done) {
+		fctx->state = fetchstate_done;
+		fctx_sendevents(fctx, ISC_R_CANCELED, __LINE__);
+	}
+
+	if (isc_refcount_current(&fctx->references) == 0 &&
+	    fctx->pending == 0 && fctx->nqueries == 0 &&
+	    ISC_LIST_EMPTY(fctx->validators))
+	{
+		bucket_empty = fctx_unlink(fctx);
+		dodestroy = true;
+	}
+
+	UNLOCK(&res->buckets[bucketnum].lock);
+
+	if (dodestroy) {
+		fctx_destroy(fctx);
+		if (bucket_empty) {
+			empty_bucket(res);
+		}
+	}
+}
+
+static void
+fctx_start(isc_task_t *task, isc_event_t *event) {
+	fetchctx_t *fctx = event->ev_arg;
+	bool done = false, bucket_empty = false;
+	dns_resolver_t *res;
+	unsigned int bucketnum;
+	bool dodestroy = false;
+
+	REQUIRE(VALID_FCTX(fctx));
+
+	UNUSED(task);
+
+	res = fctx->res;
+	bucketnum = fctx->bucketnum;
+
+	FCTXTRACE("start");
+
+	LOCK(&res->buckets[bucketnum].lock);
+
+	INSIST(fctx->state == fetchstate_init);
+	if (fctx->want_shutdown) {
+		/*
+		 * We haven't started this fctx yet, and we've been requested
+		 * to shut it down.
+		 */
+		FCTX_ATTR_SET(fctx, FCTX_ATTR_SHUTTINGDOWN);
+		fctx->state = fetchstate_done;
+		fctx_sendevents(fctx, ISC_R_CANCELED, __LINE__);
+		/*
+		 * Since we haven't started, we INSIST that we have no
+		 * pending ADB finds and no pending validations.
+		 */
+		INSIST(fctx->pending == 0);
+		INSIST(fctx->nqueries == 0);
+		INSIST(ISC_LIST_EMPTY(fctx->validators));
+		if (isc_refcount_current(&fctx->references) == 0) {
+			/*
+			 * It's now safe to destroy this fctx.
+			 */
+			bucket_empty = fctx_unlink(fctx);
+			dodestroy = true;
+		}
+		done = true;
+	} else {
+		/*
+		 * Normal fctx startup.
+		 */
+		fctx->state = fetchstate_active;
+		/*
+		 * Reset the control event for later use in shutting down
+		 * the fctx.
+		 */
+		ISC_EVENT_INIT(event, sizeof(*event), 0, NULL,
+			       DNS_EVENT_FETCHCONTROL, fctx_doshutdown, fctx,
+			       NULL, NULL, NULL);
+	}
+
+	UNLOCK(&res->buckets[bucketnum].lock);
+
+	if (!done) {
+		isc_result_t result;
+
+		INSIST(!dodestroy);
+
+		/*
+		 * All is well.  Start working on the fetch.
+		 */
+		result = fctx_starttimer(fctx);
+		if (result == ISC_R_SUCCESS && fctx->timer_try_stale != NULL) {
+			result = fctx_starttimer_trystale(fctx);
+		}
+		if (result != ISC_R_SUCCESS) {
+			fctx_done(fctx, result, __LINE__);
+		} else {
+			fctx_try(fctx, false, false);
+		}
+	} else if (dodestroy) {
+		fctx_destroy(fctx);
+		if (bucket_empty) {
+			empty_bucket(res);
+		}
+	}
+}
+
+/*
+ * Fetch Creation, Joining, and Cancellation.
+ */
+
+static isc_result_t
+fctx_join(fetchctx_t *fctx, isc_task_t *task, const isc_sockaddr_t *client,
+	  dns_messageid_t id, isc_taskaction_t action, void *arg,
+	  dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
+	  dns_fetch_t *fetch) {
+	isc_task_t *tclone;
+	dns_fetchevent_t *event;
+
+	FCTXTRACE("join");
+
+	/*
+	 * We store the task we're going to send this event to in the
+	 * sender field.  We'll make the fetch the sender when we actually
+	 * send the event.
+	 */
+	tclone = NULL;
+	isc_task_attach(task, &tclone);
+	event = (dns_fetchevent_t *)isc_event_allocate(
+		fctx->res->mctx, tclone, DNS_EVENT_FETCHDONE, action, arg,
+		sizeof(*event));
+	event->result = DNS_R_SERVFAIL;
+	event->qtype = fctx->type;
+	event->db = NULL;
+	event->node = NULL;
+	event->rdataset = rdataset;
+	event->sigrdataset = sigrdataset;
+	event->fetch = fetch;
+	event->client = client;
+	event->id = id;
+	dns_fixedname_init(&event->foundname);
+
+	/*
+	 * Make sure that we can store the sigrdataset in the
+	 * first event if it is needed by any of the events.
+	 */
+	if (event->sigrdataset != NULL) {
+		ISC_LIST_PREPEND(fctx->events, event, ev_link);
+	} else {
+		ISC_LIST_APPEND(fctx->events, event, ev_link);
+	}
+
+	fctx_increference(fctx);
+
+	fetch->magic = DNS_FETCH_MAGIC;
+	fetch->private = fctx;
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+fctx_add_event(fetchctx_t *fctx, isc_task_t *task, const isc_sockaddr_t *client,
+	       dns_messageid_t id, isc_taskaction_t action, void *arg,
+	       dns_fetch_t *fetch, isc_eventtype_t event_type) {
+	isc_task_t *tclone;
+	dns_fetchevent_t *event;
+	/*
+	 * We store the task we're going to send this event to in the
+	 * sender field.  We'll make the fetch the sender when we actually
+	 * send the event.
+	 */
+	tclone = NULL;
+	isc_task_attach(task, &tclone);
+	event = (dns_fetchevent_t *)isc_event_allocate(fctx->res->mctx, tclone,
+						       event_type, action, arg,
+						       sizeof(*event));
+	event->result = DNS_R_SERVFAIL;
+	event->qtype = fctx->type;
+	event->db = NULL;
+	event->node = NULL;
+	event->rdataset = NULL;
+	event->sigrdataset = NULL;
+	event->fetch = fetch;
+	event->client = client;
+	event->id = id;
+	ISC_LIST_APPEND(fctx->events, event, ev_link);
+}
+
+static void
+log_ns_ttl(fetchctx_t *fctx, const char *where) {
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char domainbuf[DNS_NAME_FORMATSIZE];
+
+	dns_name_format(&fctx->name, namebuf, sizeof(namebuf));
+	dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+		      DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(10),
+		      "log_ns_ttl: fctx %p: %s: %s (in '%s'?): %u %u", fctx,
+		      where, namebuf, domainbuf, fctx->ns_ttl_ok, fctx->ns_ttl);
+}
+
+static isc_result_t
+fctx_create(dns_resolver_t *res, const dns_name_t *name, dns_rdatatype_t type,
+	    const dns_name_t *domain, dns_rdataset_t *nameservers,
+	    const isc_sockaddr_t *client, dns_messageid_t id,
+	    unsigned int options, unsigned int bucketnum, unsigned int depth,
+	    isc_counter_t *qc, fetchctx_t **fctxp) {
+	fetchctx_t *fctx;
+	isc_result_t result;
+	isc_result_t iresult;
+	isc_interval_t interval;
+	unsigned int findoptions = 0;
+	char buf[DNS_NAME_FORMATSIZE + DNS_RDATATYPE_FORMATSIZE + 1];
+	isc_mem_t *mctx;
+	size_t p;
+	bool try_stale;
+
+	/*
+	 * Caller must be holding the lock for bucket number 'bucketnum'.
+	 */
+	REQUIRE(fctxp != NULL && *fctxp == NULL);
+
+	mctx = res->buckets[bucketnum].mctx;
+	fctx = isc_mem_get(mctx, sizeof(*fctx));
+
+	fctx->qc = NULL;
+	if (qc != NULL) {
+		isc_counter_attach(qc, &fctx->qc);
+	} else {
+		result = isc_counter_create(res->mctx, res->maxqueries,
+					    &fctx->qc);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup_fetch;
+		}
+	}
+
+	/*
+	 * Make fctx->info point to a copy of a formatted string
+	 * "name/type".
+	 */
+	dns_name_format(name, buf, sizeof(buf));
+	p = strlcat(buf, "/", sizeof(buf));
+	INSIST(p + DNS_RDATATYPE_FORMATSIZE < sizeof(buf));
+	dns_rdatatype_format(type, buf + p, sizeof(buf) - p);
+	fctx->info = isc_mem_strdup(mctx, buf);
+
+	FCTXTRACE("create");
+	dns_name_init(&fctx->name, NULL);
+	dns_name_dup(name, mctx, &fctx->name);
+	dns_name_init(&fctx->qminname, NULL);
+	dns_name_dup(name, mctx, &fctx->qminname);
+	dns_name_init(&fctx->domain, NULL);
+	dns_rdataset_init(&fctx->nameservers);
+
+	fctx->type = type;
+	fctx->qmintype = type;
+	fctx->options = options;
+	/*
+	 * Note!  We do not attach to the task.  We are relying on the
+	 * resolver to ensure that this task doesn't go away while we are
+	 * using it.
+	 */
+	fctx->res = res;
+	isc_refcount_init(&fctx->references, 0);
+	fctx->bucketnum = bucketnum;
+	fctx->dbucketnum = RES_NOBUCKET;
+	fctx->state = fetchstate_init;
+	fctx->want_shutdown = false;
+	fctx->cloned = false;
+	fctx->depth = depth;
+	fctx->minimized = false;
+	fctx->ip6arpaskip = false;
+	fctx->forwarding = false;
+	fctx->qmin_labels = 1;
+	fctx->qmin_warning = ISC_R_SUCCESS;
+	fctx->qminfetch = NULL;
+	dns_rdataset_init(&fctx->qminrrset);
+	dns_name_init(&fctx->qmindcname, NULL);
+	isc_stdtime_get(&fctx->now);
+	ISC_LIST_INIT(fctx->queries);
+	ISC_LIST_INIT(fctx->finds);
+	ISC_LIST_INIT(fctx->altfinds);
+	ISC_LIST_INIT(fctx->forwaddrs);
+	ISC_LIST_INIT(fctx->altaddrs);
+	ISC_LIST_INIT(fctx->forwarders);
+	fctx->fwdpolicy = dns_fwdpolicy_none;
+	ISC_LIST_INIT(fctx->bad);
+	ISC_LIST_INIT(fctx->edns);
+	ISC_LIST_INIT(fctx->edns512);
+	ISC_LIST_INIT(fctx->bad_edns);
+	ISC_LIST_INIT(fctx->validators);
+	fctx->validator = NULL;
+	fctx->find = NULL;
+	fctx->altfind = NULL;
+	fctx->pending = 0;
+	fctx->restarts = 0;
+	fctx->querysent = 0;
+	fctx->referrals = 0;
+
+	fctx->fwdname = dns_fixedname_initname(&fctx->fwdfname);
+
+	TIME_NOW(&fctx->start);
+	fctx->timeouts = 0;
+	fctx->lamecount = 0;
+	fctx->quotacount = 0;
+	fctx->adberr = 0;
+	fctx->neterr = 0;
+	fctx->badresp = 0;
+	fctx->findfail = 0;
+	fctx->valfail = 0;
+	fctx->result = ISC_R_FAILURE;
+	fctx->vresult = ISC_R_SUCCESS;
+	fctx->exitline = -1; /* sentinel */
+	fctx->logged = false;
+	atomic_init(&fctx->attributes, 0);
+	fctx->spilled = false;
+	fctx->nqueries = 0;
+	fctx->reason = NULL;
+	fctx->rand_buf = 0;
+	fctx->rand_bits = 0;
+	fctx->timeout = false;
+	fctx->addrinfo = NULL;
+	if (client != NULL) {
+		isc_sockaddr_format(client, fctx->clientstr,
+				    sizeof(fctx->clientstr));
+	} else {
+		strlcpy(fctx->clientstr, "<unknown>", sizeof(fctx->clientstr));
+	}
+	fctx->id = id;
+	fctx->ns_ttl = 0;
+	fctx->ns_ttl_ok = false;
+
+	dns_name_init(&fctx->nsname, NULL);
+	fctx->nsfetch = NULL;
+	dns_rdataset_init(&fctx->nsrrset);
+
+	if (domain == NULL) {
+		dns_forwarders_t *forwarders = NULL;
+		dns_fixedname_t fixed;
+		unsigned int labels;
+		const dns_name_t *fwdname = name;
+		dns_name_t suffix;
+		dns_name_t *fname;
+
+		/*
+		 * DS records are found in the parent server. Strip one
+		 * leading label from the name (to be used in finding
+		 * the forwarder).
+		 */
+		if (dns_rdatatype_atparent(fctx->type) &&
+		    dns_name_countlabels(name) > 1)
+		{
+			dns_name_init(&suffix, NULL);
+			labels = dns_name_countlabels(name);
+			dns_name_getlabelsequence(name, 1, labels - 1, &suffix);
+			fwdname = &suffix;
+		}
+
+		/* Find the forwarder for this name. */
+		fname = dns_fixedname_initname(&fixed);
+		result = dns_fwdtable_find(fctx->res->view->fwdtable, fwdname,
+					   fname, &forwarders);
+		if (result == ISC_R_SUCCESS) {
+			fctx->fwdpolicy = forwarders->fwdpolicy;
+			dns_name_copynf(fname, fctx->fwdname);
+		}
+
+		if (fctx->fwdpolicy != dns_fwdpolicy_only) {
+			dns_fixedname_t dcfixed;
+			dns_name_t *dcname;
+			dcname = dns_fixedname_initname(&dcfixed);
+			/*
+			 * The caller didn't supply a query domain and
+			 * nameservers, and we're not in forward-only mode,
+			 * so find the best nameservers to use.
+			 */
+			if (dns_rdatatype_atparent(fctx->type)) {
+				findoptions |= DNS_DBFIND_NOEXACT;
+			}
+			result = dns_view_findzonecut(res->view, name, fname,
+						      dcname, fctx->now,
+						      findoptions, true, true,
+						      &fctx->nameservers, NULL);
+			if (result != ISC_R_SUCCESS) {
+				goto cleanup_nameservers;
+			}
+
+			dns_name_dup(fname, mctx, &fctx->domain);
+			dns_name_dup(dcname, mctx, &fctx->qmindcname);
+			fctx->ns_ttl = fctx->nameservers.ttl;
+			fctx->ns_ttl_ok = true;
+		} else {
+			/*
+			 * We're in forward-only mode.  Set the query domain.
+			 */
+			dns_name_dup(fname, mctx, &fctx->domain);
+			dns_name_dup(fname, mctx, &fctx->qmindcname);
+			/*
+			 * Disable query minimization
+			 */
+			options &= ~DNS_FETCHOPT_QMINIMIZE;
+		}
+	} else {
+		dns_name_dup(domain, mctx, &fctx->domain);
+		dns_name_dup(domain, mctx, &fctx->qmindcname);
+		dns_rdataset_clone(nameservers, &fctx->nameservers);
+		fctx->ns_ttl = fctx->nameservers.ttl;
+		fctx->ns_ttl_ok = true;
+	}
+
+	/*
+	 * Are there too many simultaneous queries for this domain?
+	 */
+	result = fcount_incr(fctx, false);
+	if (result != ISC_R_SUCCESS) {
+		result = fctx->res->quotaresp[dns_quotatype_zone];
+		inc_stats(res, dns_resstatscounter_zonequota);
+		goto cleanup_domain;
+	}
+
+	log_ns_ttl(fctx, "fctx_create");
+
+	if (!dns_name_issubdomain(&fctx->name, &fctx->domain)) {
+		dns_name_format(&fctx->domain, buf, sizeof(buf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "'%s' is not subdomain of '%s'", fctx->info,
+				 buf);
+		result = ISC_R_UNEXPECTED;
+		goto cleanup_fcount;
+	}
+
+	fctx->qmessage = NULL;
+	dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &fctx->qmessage);
+
+	/*
+	 * Compute an expiration time for the entire fetch.
+	 */
+	isc_interval_set(&interval, res->query_timeout / 1000,
+			 res->query_timeout % 1000 * 1000000);
+	iresult = isc_time_nowplusinterval(&fctx->expires, &interval);
+	if (iresult != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_time_nowplusinterval: %s",
+				 isc_result_totext(iresult));
+		result = ISC_R_UNEXPECTED;
+		goto cleanup_qmessage;
+	}
+
+	try_stale = ((options & DNS_FETCHOPT_TRYSTALE_ONTIMEOUT) != 0);
+	if (try_stale) {
+		INSIST(res->view->staleanswerclienttimeout <=
+		       (res->query_timeout - 1000));
+		/*
+		 * Compute an expiration time after which stale data will
+		 * attempted to be served, if stale answers are enabled and
+		 * target RRset is available in cache.
+		 */
+		isc_interval_set(
+			&interval, res->view->staleanswerclienttimeout / 1000,
+			res->view->staleanswerclienttimeout % 1000 * 1000000);
+		iresult = isc_time_nowplusinterval(&fctx->expires_try_stale,
+						   &interval);
+		if (iresult != ISC_R_SUCCESS) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "isc_time_nowplusinterval: %s",
+					 isc_result_totext(iresult));
+			result = ISC_R_UNEXPECTED;
+			goto cleanup_qmessage;
+		}
+	}
+
+	/*
+	 * Default retry interval initialization.  We set the interval now
+	 * mostly so it won't be uninitialized.  It will be set to the
+	 * correct value before a query is issued.
+	 */
+	isc_interval_set(&fctx->interval, 2, 0);
+
+	/*
+	 * Create an inactive timer for resolver-query-timeout. It
+	 * will be made active when the fetch is actually started.
+	 */
+	fctx->timer = NULL;
+
+	iresult = isc_timer_create(res->timermgr, isc_timertype_inactive, NULL,
+				   NULL, res->buckets[bucketnum].task,
+				   fctx_timeout, fctx, &fctx->timer);
+	if (iresult != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__, "isc_timer_create: %s",
+				 isc_result_totext(iresult));
+		result = ISC_R_UNEXPECTED;
+		goto cleanup_qmessage;
+	}
+
+	/*
+	 * If stale answers are enabled, then create an inactive timer
+	 * for stale-answer-client-timeout. It will be made active when
+	 * the fetch is actually started.
+	 */
+	fctx->timer_try_stale = NULL;
+	if (try_stale) {
+		iresult = isc_timer_create(
+			res->timermgr, isc_timertype_inactive, NULL, NULL,
+			res->buckets[bucketnum].task, fctx_timeout_try_stale,
+			fctx, &fctx->timer_try_stale);
+		if (iresult != ISC_R_SUCCESS) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "isc_timer_create: %s",
+					 isc_result_totext(iresult));
+			result = ISC_R_UNEXPECTED;
+			goto cleanup_qmessage;
+		}
+	}
+
+	/*
+	 * Attach to the view's cache and adb.
+	 */
+	fctx->cache = NULL;
+	dns_db_attach(res->view->cachedb, &fctx->cache);
+	fctx->adb = NULL;
+	dns_adb_attach(res->view->adb, &fctx->adb);
+	fctx->mctx = NULL;
+	isc_mem_attach(mctx, &fctx->mctx);
+
+	ISC_LIST_INIT(fctx->events);
+	ISC_LINK_INIT(fctx, link);
+	fctx->magic = FCTX_MAGIC;
+
+	/*
+	 * If qname minimization is enabled we need to trim
+	 * the name in fctx to proper length.
+	 */
+	if ((options & DNS_FETCHOPT_QMINIMIZE) != 0) {
+		fctx->ip6arpaskip =
+			(options & DNS_FETCHOPT_QMIN_SKIP_IP6A) != 0 &&
+			dns_name_issubdomain(&fctx->name, &ip6_arpa);
+		result = fctx_minimize_qname(fctx);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup_mctx;
+		}
+	}
+
+	ISC_LIST_APPEND(res->buckets[bucketnum].fctxs, fctx, link);
+
+	INSIST(atomic_fetch_add_relaxed(&res->nfctx, 1) < UINT32_MAX);
+
+	inc_stats(res, dns_resstatscounter_nfetch);
+
+	*fctxp = fctx;
+
+	return (ISC_R_SUCCESS);
+
+cleanup_mctx:
+	fctx->magic = 0;
+	isc_mem_detach(&fctx->mctx);
+	dns_adb_detach(&fctx->adb);
+	dns_db_detach(&fctx->cache);
+	isc_timer_destroy(&fctx->timer);
+	isc_timer_destroy(&fctx->timer_try_stale);
+
+cleanup_qmessage:
+	dns_message_detach(&fctx->qmessage);
+
+cleanup_fcount:
+	fcount_decr(fctx);
+
+cleanup_domain:
+	if (dns_name_countlabels(&fctx->domain) > 0) {
+		dns_name_free(&fctx->domain, mctx);
+	}
+	if (dns_name_countlabels(&fctx->qmindcname) > 0) {
+		dns_name_free(&fctx->qmindcname, mctx);
+	}
+
+cleanup_nameservers:
+	if (dns_rdataset_isassociated(&fctx->nameservers)) {
+		dns_rdataset_disassociate(&fctx->nameservers);
+	}
+	dns_name_free(&fctx->name, mctx);
+	dns_name_free(&fctx->qminname, mctx);
+	isc_mem_free(mctx, fctx->info);
+	isc_counter_detach(&fctx->qc);
+
+cleanup_fetch:
+	isc_mem_put(mctx, fctx, sizeof(*fctx));
+
+	return (result);
+}
+
+/*
+ * Handle Responses
+ */
+static bool
+is_lame(fetchctx_t *fctx, dns_message_t *message) {
+	dns_name_t *name;
+	dns_rdataset_t *rdataset;
+	isc_result_t result;
+
+	if (message->rcode != dns_rcode_noerror &&
+	    message->rcode != dns_rcode_yxdomain &&
+	    message->rcode != dns_rcode_nxdomain)
+	{
+		return (false);
+	}
+
+	if (message->counts[DNS_SECTION_ANSWER] != 0) {
+		return (false);
+	}
+
+	if (message->counts[DNS_SECTION_AUTHORITY] == 0) {
+		return (false);
+	}
+
+	result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
+	while (result == ISC_R_SUCCESS) {
+		name = NULL;
+		dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
+		for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link))
+		{
+			dns_namereln_t namereln;
+			int order;
+			unsigned int labels;
+			if (rdataset->type != dns_rdatatype_ns) {
+				continue;
+			}
+			namereln = dns_name_fullcompare(name, &fctx->domain,
+							&order, &labels);
+			if (namereln == dns_namereln_equal &&
+			    (message->flags & DNS_MESSAGEFLAG_AA) != 0)
+			{
+				return (false);
+			}
+			if (namereln == dns_namereln_subdomain) {
+				return (false);
+			}
+			return (true);
+		}
+		result = dns_message_nextname(message, DNS_SECTION_AUTHORITY);
+	}
+
+	return (false);
+}
+
+static void
+log_lame(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo) {
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char domainbuf[DNS_NAME_FORMATSIZE];
+	char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+
+	dns_name_format(&fctx->name, namebuf, sizeof(namebuf));
+	dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
+	isc_sockaddr_format(&addrinfo->sockaddr, addrbuf, sizeof(addrbuf));
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS,
+		      DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
+		      "lame server resolving '%s' (in '%s'?): %s", namebuf,
+		      domainbuf, addrbuf);
+}
+
+static void
+log_formerr(fetchctx_t *fctx, const char *format, ...) {
+	char nsbuf[ISC_SOCKADDR_FORMATSIZE];
+	char msgbuf[2048];
+	va_list args;
+
+	va_start(args, format);
+	vsnprintf(msgbuf, sizeof(msgbuf), format, args);
+	va_end(args);
+
+	isc_sockaddr_format(&fctx->addrinfo->sockaddr, nsbuf, sizeof(nsbuf));
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+		      DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
+		      "DNS format error from %s resolving %s for %s: %s", nsbuf,
+		      fctx->info, fctx->clientstr, msgbuf);
+}
+
+static isc_result_t
+same_question(fetchctx_t *fctx, dns_message_t *message) {
+	isc_result_t result;
+	dns_name_t *name;
+	dns_rdataset_t *rdataset;
+
+	/*
+	 * Caller must be holding the fctx lock.
+	 */
+
+	/*
+	 * XXXRTH  Currently we support only one question.
+	 */
+	if (ISC_UNLIKELY(message->counts[DNS_SECTION_QUESTION] == 0)) {
+		if ((message->flags & DNS_MESSAGEFLAG_TC) != 0) {
+			/*
+			 * If TC=1 and the question section is empty, we
+			 * accept the reply message as a truncated
+			 * answer, to be retried over TCP.
+			 *
+			 * It is really a FORMERR condition, but this is
+			 * a workaround to accept replies from some
+			 * implementations.
+			 *
+			 * Because the question section matching is not
+			 * performed, the worst that could happen is
+			 * that an attacker who gets past the ID and
+			 * source port checks can force the use of
+			 * TCP. This is considered an acceptable risk.
+			 */
+			log_formerr(fctx, "empty question section, "
+					  "accepting it anyway as TC=1");
+			return (ISC_R_SUCCESS);
+		} else {
+			log_formerr(fctx, "empty question section");
+			return (DNS_R_FORMERR);
+		}
+	} else if (ISC_UNLIKELY(message->counts[DNS_SECTION_QUESTION] > 1)) {
+		log_formerr(fctx, "too many questions");
+		return (DNS_R_FORMERR);
+	}
+
+	result = dns_message_firstname(message, DNS_SECTION_QUESTION);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	name = NULL;
+	dns_message_currentname(message, DNS_SECTION_QUESTION, &name);
+	rdataset = ISC_LIST_HEAD(name->list);
+	INSIST(rdataset != NULL);
+	INSIST(ISC_LIST_NEXT(rdataset, link) == NULL);
+
+	if (fctx->type != rdataset->type ||
+	    fctx->res->rdclass != rdataset->rdclass ||
+	    !dns_name_equal(&fctx->name, name))
+	{
+		char namebuf[DNS_NAME_FORMATSIZE];
+		char classbuf[DNS_RDATACLASS_FORMATSIZE];
+		char typebuf[DNS_RDATATYPE_FORMATSIZE];
+
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		dns_rdataclass_format(rdataset->rdclass, classbuf,
+				      sizeof(classbuf));
+		dns_rdatatype_format(rdataset->type, typebuf, sizeof(typebuf));
+		log_formerr(fctx, "question section mismatch: got %s/%s/%s",
+			    namebuf, classbuf, typebuf);
+		return (DNS_R_FORMERR);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+clone_results(fetchctx_t *fctx) {
+	dns_fetchevent_t *event, *hevent;
+	dns_name_t *name, *hname;
+
+	FCTXTRACE("clone_results");
+
+	/*
+	 * Set up any other events to have the same data as the first
+	 * event.
+	 *
+	 * Caller must be holding the appropriate lock.
+	 */
+
+	fctx->cloned = true;
+	hevent = ISC_LIST_HEAD(fctx->events);
+	if (hevent == NULL) {
+		return;
+	}
+	hname = dns_fixedname_name(&hevent->foundname);
+	for (event = ISC_LIST_NEXT(hevent, ev_link); event != NULL;
+	     event = ISC_LIST_NEXT(event, ev_link))
+	{
+		if (event->ev_type == DNS_EVENT_TRYSTALE) {
+			/*
+			 * We don't need to clone resulting data to this
+			 * type of event, as its associated callback is only
+			 * called when stale-answer-client-timeout triggers,
+			 * and the logic in there doesn't expect any result
+			 * as input, as it will itself lookup for stale data
+			 * in cache to use as result, if any is available.
+			 *
+			 * Also, if we reached this point, then the whole fetch
+			 * context is done, it will cancel timers, process
+			 * associated callbacks of type DNS_EVENT_FETCHDONE, and
+			 * silently remove/free events of type
+			 * DNS_EVENT_TRYSTALE.
+			 */
+			continue;
+		}
+		name = dns_fixedname_name(&event->foundname);
+		dns_name_copynf(hname, name);
+		event->result = hevent->result;
+		dns_db_attach(hevent->db, &event->db);
+		dns_db_attachnode(hevent->db, hevent->node, &event->node);
+		INSIST(hevent->rdataset != NULL);
+		INSIST(event->rdataset != NULL);
+		if (dns_rdataset_isassociated(hevent->rdataset)) {
+			dns_rdataset_clone(hevent->rdataset, event->rdataset);
+		}
+		INSIST(!(hevent->sigrdataset == NULL &&
+			 event->sigrdataset != NULL));
+		if (hevent->sigrdataset != NULL &&
+		    dns_rdataset_isassociated(hevent->sigrdataset) &&
+		    event->sigrdataset != NULL)
+		{
+			dns_rdataset_clone(hevent->sigrdataset,
+					   event->sigrdataset);
+		}
+	}
+}
+
+#define CACHE(r)      (((r)->attributes & DNS_RDATASETATTR_CACHE) != 0)
+#define ANSWER(r)     (((r)->attributes & DNS_RDATASETATTR_ANSWER) != 0)
+#define ANSWERSIG(r)  (((r)->attributes & DNS_RDATASETATTR_ANSWERSIG) != 0)
+#define EXTERNAL(r)   (((r)->attributes & DNS_RDATASETATTR_EXTERNAL) != 0)
+#define CHAINING(r)   (((r)->attributes & DNS_RDATASETATTR_CHAINING) != 0)
+#define CHASE(r)      (((r)->attributes & DNS_RDATASETATTR_CHASE) != 0)
+#define CHECKNAMES(r) (((r)->attributes & DNS_RDATASETATTR_CHECKNAMES) != 0)
+
+/*
+ * The validator has finished.
+ */
+static void
+validated(isc_task_t *task, isc_event_t *event) {
+	dns_adbaddrinfo_t *addrinfo;
+	dns_dbnode_t *node = NULL;
+	dns_dbnode_t *nsnode = NULL;
+	dns_fetchevent_t *hevent;
+	dns_name_t *name;
+	dns_rdataset_t *ardataset = NULL;
+	dns_rdataset_t *asigrdataset = NULL;
+	dns_rdataset_t *rdataset;
+	dns_rdataset_t *sigrdataset;
+	dns_resolver_t *res;
+	dns_valarg_t *valarg = event->ev_arg;
+	dns_validatorevent_t *vevent;
+	fetchctx_t *fctx;
+	bool chaining;
+	bool negative;
+	bool sentresponse;
+	bool bucket_empty;
+	isc_result_t eresult = ISC_R_SUCCESS;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_stdtime_t now;
+	uint32_t ttl;
+	unsigned options;
+	uint32_t bucketnum;
+	dns_fixedname_t fwild;
+	dns_name_t *wild = NULL;
+	dns_message_t *message = NULL;
+
+	UNUSED(task); /* for now */
+
+	REQUIRE(event->ev_type == DNS_EVENT_VALIDATORDONE);
+	REQUIRE(VALID_FCTX(valarg->fctx));
+	REQUIRE(!ISC_LIST_EMPTY(valarg->fctx->validators));
+
+	fctx = valarg->fctx;
+	fctx_increference(fctx);
+	dns_message_attach(valarg->message, &message);
+
+	res = fctx->res;
+	addrinfo = valarg->addrinfo;
+
+	vevent = (dns_validatorevent_t *)event;
+	fctx->vresult = vevent->result;
+
+	FCTXTRACE("received validation completion event");
+
+	bucketnum = fctx->bucketnum;
+	LOCK(&res->buckets[bucketnum].lock);
+
+	ISC_LIST_UNLINK(fctx->validators, vevent->validator, link);
+	fctx->validator = NULL;
+	UNLOCK(&res->buckets[bucketnum].lock);
+
+	/*
+	 * Destroy the validator early so that we can
+	 * destroy the fctx if necessary.  Save the wildcard name.
+	 */
+	if (vevent->proofs[DNS_VALIDATOR_NOQNAMEPROOF] != NULL) {
+		wild = dns_fixedname_initname(&fwild);
+		dns_name_copynf(dns_fixedname_name(&vevent->validator->wild),
+				wild);
+	}
+	dns_validator_destroy(&vevent->validator);
+	dns_message_detach(&valarg->message);
+	isc_mem_put(fctx->mctx, valarg, sizeof(*valarg));
+
+	negative = (vevent->rdataset == NULL);
+
+	LOCK(&res->buckets[bucketnum].lock);
+	sentresponse = ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0);
+
+	/*
+	 * If shutting down, ignore the results.
+	 */
+	if (SHUTTINGDOWN(fctx) && !sentresponse) {
+		UNLOCK(&res->buckets[bucketnum].lock);
+		goto cleanup_event;
+	}
+
+	isc_stdtime_get(&now);
+
+	/*
+	 * If chaining, we need to make sure that the right result code is
+	 * returned, and that the rdatasets are bound.
+	 */
+	if (vevent->result == ISC_R_SUCCESS && !negative &&
+	    vevent->rdataset != NULL && CHAINING(vevent->rdataset))
+	{
+		if (vevent->rdataset->type == dns_rdatatype_cname) {
+			eresult = DNS_R_CNAME;
+		} else {
+			INSIST(vevent->rdataset->type == dns_rdatatype_dname);
+			eresult = DNS_R_DNAME;
+		}
+		chaining = true;
+	} else {
+		chaining = false;
+	}
+
+	/*
+	 * Either we're not shutting down, or we are shutting down but want
+	 * to cache the result anyway (if this was a validation started by
+	 * a query with cd set)
+	 */
+
+	hevent = ISC_LIST_HEAD(fctx->events);
+	if (hevent != NULL) {
+		if (!negative && !chaining &&
+		    (fctx->type == dns_rdatatype_any ||
+		     fctx->type == dns_rdatatype_rrsig ||
+		     fctx->type == dns_rdatatype_sig))
+		{
+			/*
+			 * Don't bind rdatasets; the caller
+			 * will iterate the node.
+			 */
+		} else {
+			ardataset = hevent->rdataset;
+			asigrdataset = hevent->sigrdataset;
+		}
+	}
+
+	if (vevent->result != ISC_R_SUCCESS) {
+		FCTXTRACE("validation failed");
+		inc_stats(res, dns_resstatscounter_valfail);
+		fctx->valfail++;
+		fctx->vresult = vevent->result;
+		if (fctx->vresult != DNS_R_BROKENCHAIN) {
+			result = ISC_R_NOTFOUND;
+			if (vevent->rdataset != NULL) {
+				result = dns_db_findnode(
+					fctx->cache, vevent->name, true, &node);
+			}
+			if (result == ISC_R_SUCCESS) {
+				(void)dns_db_deleterdataset(fctx->cache, node,
+							    NULL, vevent->type,
+							    0);
+				if (vevent->sigrdataset != NULL) {
+					(void)dns_db_deleterdataset(
+						fctx->cache, node, NULL,
+						dns_rdatatype_rrsig,
+						vevent->type);
+				}
+				dns_db_detachnode(fctx->cache, &node);
+			}
+		} else if (!negative) {
+			/*
+			 * Cache the data as pending for later validation.
+			 */
+			result = ISC_R_NOTFOUND;
+			if (vevent->rdataset != NULL) {
+				result = dns_db_findnode(
+					fctx->cache, vevent->name, true, &node);
+			}
+			if (result == ISC_R_SUCCESS) {
+				(void)dns_db_addrdataset(
+					fctx->cache, node, NULL, now,
+					vevent->rdataset, 0, NULL);
+				if (vevent->sigrdataset != NULL) {
+					(void)dns_db_addrdataset(
+						fctx->cache, node, NULL, now,
+						vevent->sigrdataset, 0, NULL);
+				}
+				dns_db_detachnode(fctx->cache, &node);
+			}
+		}
+		result = fctx->vresult;
+		add_bad(fctx, message, addrinfo, result, badns_validation);
+		UNLOCK(&res->buckets[bucketnum].lock);
+		INSIST(fctx->validator == NULL);
+		fctx->validator = ISC_LIST_HEAD(fctx->validators);
+		if (fctx->validator != NULL) {
+			dns_validator_send(fctx->validator);
+		} else if (sentresponse) {
+			fctx_done(fctx, result, __LINE__); /* Locks bucket. */
+		} else if (result == DNS_R_BROKENCHAIN) {
+			isc_result_t tresult;
+			isc_time_t expire;
+			isc_interval_t i;
+
+			isc_interval_set(&i, DNS_RESOLVER_BADCACHETTL(fctx), 0);
+			tresult = isc_time_nowplusinterval(&expire, &i);
+			if (negative &&
+			    (fctx->type == dns_rdatatype_dnskey ||
+			     fctx->type == dns_rdatatype_ds) &&
+			    tresult == ISC_R_SUCCESS)
+			{
+				dns_resolver_addbadcache(res, &fctx->name,
+							 fctx->type, &expire);
+			}
+			fctx_done(fctx, result, __LINE__); /* Locks bucket. */
+		} else {
+			fctx_try(fctx, true, true); /* Locks bucket. */
+		}
+
+		goto cleanup_event;
+	}
+
+	if (negative) {
+		dns_rdatatype_t covers;
+		FCTXTRACE("nonexistence validation OK");
+
+		inc_stats(res, dns_resstatscounter_valnegsuccess);
+
+		/*
+		 * Cache DS NXDOMAIN separately to other types.
+		 */
+		if (message->rcode == dns_rcode_nxdomain &&
+		    fctx->type != dns_rdatatype_ds)
+		{
+			covers = dns_rdatatype_any;
+		} else {
+			covers = fctx->type;
+		}
+
+		result = dns_db_findnode(fctx->cache, vevent->name, true,
+					 &node);
+		if (result != ISC_R_SUCCESS) {
+			goto noanswer_response;
+		}
+
+		/*
+		 * If we are asking for a SOA record set the cache time
+		 * to zero to facilitate locating the containing zone of
+		 * a arbitrary zone.
+		 */
+		ttl = res->view->maxncachettl;
+		if (fctx->type == dns_rdatatype_soa &&
+		    covers == dns_rdatatype_any && res->zero_no_soa_ttl)
+		{
+			ttl = 0;
+		}
+
+		result = ncache_adderesult(message, fctx->cache, node, covers,
+					   now, fctx->res->view->minncachettl,
+					   ttl, vevent->optout, vevent->secure,
+					   ardataset, &eresult);
+		if (result != ISC_R_SUCCESS) {
+			goto noanswer_response;
+		}
+		goto answer_response;
+	} else {
+		inc_stats(res, dns_resstatscounter_valsuccess);
+	}
+
+	FCTXTRACE("validation OK");
+
+	if (vevent->proofs[DNS_VALIDATOR_NOQNAMEPROOF] != NULL) {
+		result = dns_rdataset_addnoqname(
+			vevent->rdataset,
+			vevent->proofs[DNS_VALIDATOR_NOQNAMEPROOF]);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		INSIST(vevent->sigrdataset != NULL);
+		vevent->sigrdataset->ttl = vevent->rdataset->ttl;
+		if (vevent->proofs[DNS_VALIDATOR_CLOSESTENCLOSER] != NULL) {
+			result = dns_rdataset_addclosest(
+				vevent->rdataset,
+				vevent->proofs[DNS_VALIDATOR_CLOSESTENCLOSER]);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		}
+	} else if (vevent->rdataset->trust == dns_trust_answer &&
+		   vevent->rdataset->type != dns_rdatatype_rrsig)
+	{
+		isc_result_t tresult;
+		dns_name_t *noqname = NULL;
+		tresult = findnoqname(fctx, message, vevent->name,
+				      vevent->rdataset->type, &noqname);
+		if (tresult == ISC_R_SUCCESS && noqname != NULL) {
+			tresult = dns_rdataset_addnoqname(vevent->rdataset,
+							  noqname);
+			RUNTIME_CHECK(tresult == ISC_R_SUCCESS);
+		}
+	}
+
+	/*
+	 * The data was already cached as pending data.
+	 * Re-cache it as secure and bind the cached
+	 * rdatasets to the first event on the fetch
+	 * event list.
+	 */
+	result = dns_db_findnode(fctx->cache, vevent->name, true, &node);
+	if (result != ISC_R_SUCCESS) {
+		goto noanswer_response;
+	}
+
+	options = 0;
+	if ((fctx->options & DNS_FETCHOPT_PREFETCH) != 0) {
+		options = DNS_DBADD_PREFETCH;
+	}
+	result = dns_db_addrdataset(fctx->cache, node, NULL, now,
+				    vevent->rdataset, options, ardataset);
+	if (result != ISC_R_SUCCESS && result != DNS_R_UNCHANGED) {
+		goto noanswer_response;
+	}
+	if (ardataset != NULL && NEGATIVE(ardataset)) {
+		if (NXDOMAIN(ardataset)) {
+			eresult = DNS_R_NCACHENXDOMAIN;
+		} else {
+			eresult = DNS_R_NCACHENXRRSET;
+		}
+	} else if (vevent->sigrdataset != NULL) {
+		result = dns_db_addrdataset(fctx->cache, node, NULL, now,
+					    vevent->sigrdataset, options,
+					    asigrdataset);
+		if (result != ISC_R_SUCCESS && result != DNS_R_UNCHANGED) {
+			goto noanswer_response;
+		}
+	}
+
+	if (sentresponse) {
+		/*
+		 * If we only deferred the destroy because we wanted to cache
+		 * the data, destroy now.
+		 */
+		dns_db_detachnode(fctx->cache, &node);
+		UNLOCK(&res->buckets[bucketnum].lock);
+		goto cleanup_event;
+	}
+
+	if (!ISC_LIST_EMPTY(fctx->validators)) {
+		INSIST(!negative);
+		INSIST(fctx->type == dns_rdatatype_any ||
+		       fctx->type == dns_rdatatype_rrsig ||
+		       fctx->type == dns_rdatatype_sig);
+		/*
+		 * Don't send a response yet - we have
+		 * more rdatasets that still need to
+		 * be validated.
+		 */
+		dns_db_detachnode(fctx->cache, &node);
+		UNLOCK(&res->buckets[bucketnum].lock);
+		dns_validator_send(ISC_LIST_HEAD(fctx->validators));
+		goto cleanup_event;
+	}
+
+answer_response:
+	/*
+	 * Cache any SOA/NS/NSEC records that happened to be validated.
+	 */
+	result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
+	while (result == ISC_R_SUCCESS) {
+		name = NULL;
+		dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
+		for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link))
+		{
+			if ((rdataset->type != dns_rdatatype_ns &&
+			     rdataset->type != dns_rdatatype_soa &&
+			     rdataset->type != dns_rdatatype_nsec) ||
+			    rdataset->trust != dns_trust_secure)
+			{
+				continue;
+			}
+			for (sigrdataset = ISC_LIST_HEAD(name->list);
+			     sigrdataset != NULL;
+			     sigrdataset = ISC_LIST_NEXT(sigrdataset, link))
+			{
+				if (sigrdataset->type != dns_rdatatype_rrsig ||
+				    sigrdataset->covers != rdataset->type)
+				{
+					continue;
+				}
+				break;
+			}
+			if (sigrdataset == NULL ||
+			    sigrdataset->trust != dns_trust_secure)
+			{
+				continue;
+			}
+			result = dns_db_findnode(fctx->cache, name, true,
+						 &nsnode);
+			if (result != ISC_R_SUCCESS) {
+				continue;
+			}
+
+			result = dns_db_addrdataset(fctx->cache, nsnode, NULL,
+						    now, rdataset, 0, NULL);
+			if (result == ISC_R_SUCCESS) {
+				result = dns_db_addrdataset(
+					fctx->cache, nsnode, NULL, now,
+					sigrdataset, 0, NULL);
+			}
+			dns_db_detachnode(fctx->cache, &nsnode);
+			if (result != ISC_R_SUCCESS) {
+				continue;
+			}
+		}
+		result = dns_message_nextname(message, DNS_SECTION_AUTHORITY);
+	}
+
+	/*
+	 * Add the wild card entry.
+	 */
+	if (vevent->proofs[DNS_VALIDATOR_NOQNAMEPROOF] != NULL &&
+	    vevent->rdataset != NULL &&
+	    dns_rdataset_isassociated(vevent->rdataset) &&
+	    vevent->rdataset->trust == dns_trust_secure &&
+	    vevent->sigrdataset != NULL &&
+	    dns_rdataset_isassociated(vevent->sigrdataset) &&
+	    vevent->sigrdataset->trust == dns_trust_secure && wild != NULL)
+	{
+		dns_dbnode_t *wnode = NULL;
+
+		result = dns_db_findnode(fctx->cache, wild, true, &wnode);
+		if (result == ISC_R_SUCCESS) {
+			result = dns_db_addrdataset(fctx->cache, wnode, NULL,
+						    now, vevent->rdataset, 0,
+						    NULL);
+		}
+		if (result == ISC_R_SUCCESS) {
+			(void)dns_db_addrdataset(fctx->cache, wnode, NULL, now,
+						 vevent->sigrdataset, 0, NULL);
+		}
+		if (wnode != NULL) {
+			dns_db_detachnode(fctx->cache, &wnode);
+		}
+	}
+
+	result = ISC_R_SUCCESS;
+
+	/*
+	 * Respond with an answer, positive or negative,
+	 * as opposed to an error.  'node' must be non-NULL.
+	 */
+
+	FCTX_ATTR_SET(fctx, FCTX_ATTR_HAVEANSWER);
+
+	if (hevent != NULL) {
+		/*
+		 * Negative results must be indicated in event->result.
+		 */
+		INSIST(hevent->rdataset != NULL);
+		if (dns_rdataset_isassociated(hevent->rdataset) &&
+		    NEGATIVE(hevent->rdataset))
+		{
+			INSIST(eresult == DNS_R_NCACHENXDOMAIN ||
+			       eresult == DNS_R_NCACHENXRRSET);
+		}
+		hevent->result = eresult;
+		dns_name_copynf(vevent->name,
+				dns_fixedname_name(&hevent->foundname));
+		dns_db_attach(fctx->cache, &hevent->db);
+		dns_db_transfernode(fctx->cache, &node, &hevent->node);
+		clone_results(fctx);
+	}
+
+noanswer_response:
+	if (node != NULL) {
+		dns_db_detachnode(fctx->cache, &node);
+	}
+
+	UNLOCK(&res->buckets[bucketnum].lock);
+	fctx_done(fctx, result, __LINE__); /* Locks bucket. */
+
+cleanup_event:
+	INSIST(node == NULL);
+	dns_message_detach(&message);
+	isc_event_free(&event);
+
+	LOCK(&res->buckets[bucketnum].lock);
+	bucket_empty = fctx_decreference(fctx);
+	UNLOCK(&res->buckets[bucketnum].lock);
+	if (bucket_empty) {
+		empty_bucket(res);
+	}
+}
+
+static void
+fctx_log(void *arg, int level, const char *fmt, ...) {
+	char msgbuf[2048];
+	va_list args;
+	fetchctx_t *fctx = arg;
+
+	va_start(args, fmt);
+	vsnprintf(msgbuf, sizeof(msgbuf), fmt, args);
+	va_end(args);
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+		      DNS_LOGMODULE_RESOLVER, level, "fctx %p(%s): %s", fctx,
+		      fctx->info, msgbuf);
+}
+
+static isc_result_t
+findnoqname(fetchctx_t *fctx, dns_message_t *message, dns_name_t *name,
+	    dns_rdatatype_t type, dns_name_t **noqnamep) {
+	dns_rdataset_t *nrdataset, *next, *sigrdataset;
+	dns_rdata_rrsig_t rrsig;
+	isc_result_t result;
+	unsigned int labels;
+	dns_section_t section;
+	dns_name_t *zonename;
+	dns_fixedname_t fzonename;
+	dns_name_t *closest;
+	dns_fixedname_t fclosest;
+	dns_name_t *nearest;
+	dns_fixedname_t fnearest;
+	dns_rdatatype_t found = dns_rdatatype_none;
+	dns_name_t *noqname = NULL;
+
+	FCTXTRACE("findnoqname");
+
+	REQUIRE(noqnamep != NULL && *noqnamep == NULL);
+
+	/*
+	 * Find the SIG for this rdataset, if we have it.
+	 */
+	for (sigrdataset = ISC_LIST_HEAD(name->list); sigrdataset != NULL;
+	     sigrdataset = ISC_LIST_NEXT(sigrdataset, link))
+	{
+		if (sigrdataset->type == dns_rdatatype_rrsig &&
+		    sigrdataset->covers == type)
+		{
+			break;
+		}
+	}
+
+	if (sigrdataset == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	labels = dns_name_countlabels(name);
+
+	for (result = dns_rdataset_first(sigrdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(sigrdataset))
+	{
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_rdataset_current(sigrdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		/* Wildcard has rrsig.labels < labels - 1. */
+		if (rrsig.labels + 1U >= labels) {
+			continue;
+		}
+		break;
+	}
+
+	if (result == ISC_R_NOMORE) {
+		return (ISC_R_NOTFOUND);
+	}
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	zonename = dns_fixedname_initname(&fzonename);
+	closest = dns_fixedname_initname(&fclosest);
+	nearest = dns_fixedname_initname(&fnearest);
+
+#define NXND(x) ((x) == ISC_R_SUCCESS)
+
+	section = DNS_SECTION_AUTHORITY;
+	for (result = dns_message_firstname(message, section);
+	     result == ISC_R_SUCCESS;
+	     result = dns_message_nextname(message, section))
+	{
+		dns_name_t *nsec = NULL;
+		dns_message_currentname(message, section, &nsec);
+		for (nrdataset = ISC_LIST_HEAD(nsec->list); nrdataset != NULL;
+		     nrdataset = next)
+		{
+			bool data = false, exists = false;
+			bool optout = false, unknown = false;
+			bool setclosest = false;
+			bool setnearest = false;
+
+			next = ISC_LIST_NEXT(nrdataset, link);
+			if (nrdataset->type != dns_rdatatype_nsec &&
+			    nrdataset->type != dns_rdatatype_nsec3)
+			{
+				continue;
+			}
+
+			if (nrdataset->type == dns_rdatatype_nsec &&
+			    NXND(dns_nsec_noexistnodata(
+				    type, name, nsec, nrdataset, &exists, &data,
+				    NULL, fctx_log, fctx)))
+			{
+				if (!exists) {
+					noqname = nsec;
+					found = dns_rdatatype_nsec;
+				}
+			}
+
+			if (nrdataset->type == dns_rdatatype_nsec3 &&
+			    NXND(dns_nsec3_noexistnodata(
+				    type, name, nsec, nrdataset, zonename,
+				    &exists, &data, &optout, &unknown,
+				    &setclosest, &setnearest, closest, nearest,
+				    fctx_log, fctx)))
+			{
+				if (!exists && setnearest) {
+					noqname = nsec;
+					found = dns_rdatatype_nsec3;
+				}
+			}
+		}
+	}
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+	}
+	if (noqname != NULL) {
+		for (sigrdataset = ISC_LIST_HEAD(noqname->list);
+		     sigrdataset != NULL;
+		     sigrdataset = ISC_LIST_NEXT(sigrdataset, link))
+		{
+			if (sigrdataset->type == dns_rdatatype_rrsig &&
+			    sigrdataset->covers == found)
+			{
+				break;
+			}
+		}
+		if (sigrdataset != NULL) {
+			*noqnamep = noqname;
+		}
+	}
+	return (result);
+}
+
+static isc_result_t
+cache_name(fetchctx_t *fctx, dns_name_t *name, dns_message_t *message,
+	   dns_adbaddrinfo_t *addrinfo, isc_stdtime_t now) {
+	dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
+	dns_rdataset_t *addedrdataset = NULL;
+	dns_rdataset_t *ardataset = NULL, *asigrdataset = NULL;
+	dns_rdataset_t *valrdataset = NULL, *valsigrdataset = NULL;
+	dns_dbnode_t *node = NULL, **anodep = NULL;
+	dns_db_t **adbp = NULL;
+	dns_name_t *aname = NULL;
+	dns_resolver_t *res = fctx->res;
+	bool need_validation = false;
+	bool secure_domain = false;
+	bool have_answer = false;
+	isc_result_t result, eresult = ISC_R_SUCCESS;
+	dns_fetchevent_t *event = NULL;
+	unsigned int options;
+	isc_task_t *task;
+	bool fail;
+	unsigned int valoptions = 0;
+	bool checknta = true;
+
+	FCTXTRACE("cache_name");
+
+	/*
+	 * The appropriate bucket lock must be held.
+	 */
+	task = res->buckets[fctx->bucketnum].task;
+
+	/*
+	 * Is DNSSEC validation required for this name?
+	 */
+	if ((fctx->options & DNS_FETCHOPT_NONTA) != 0) {
+		valoptions |= DNS_VALIDATOR_NONTA;
+		checknta = false;
+	}
+
+	if (res->view->enablevalidation) {
+		result = issecuredomain(res->view, name, fctx->type, now,
+					checknta, NULL, &secure_domain);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+
+	if ((fctx->options & DNS_FETCHOPT_NOCDFLAG) != 0) {
+		valoptions |= DNS_VALIDATOR_NOCDFLAG;
+	}
+
+	if ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0) {
+		need_validation = false;
+	} else {
+		need_validation = secure_domain;
+	}
+
+	if (((name->attributes & DNS_NAMEATTR_ANSWER) != 0) &&
+	    (!need_validation))
+	{
+		have_answer = true;
+		event = ISC_LIST_HEAD(fctx->events);
+
+		if (event != NULL) {
+			adbp = &event->db;
+			aname = dns_fixedname_name(&event->foundname);
+			dns_name_copynf(name, aname);
+			anodep = &event->node;
+			/*
+			 * If this is an ANY, SIG or RRSIG query, we're not
+			 * going to return any rdatasets, unless we encountered
+			 * a CNAME or DNAME as "the answer".  In this case,
+			 * we're going to return DNS_R_CNAME or DNS_R_DNAME
+			 * and we must set up the rdatasets.
+			 */
+			if ((fctx->type != dns_rdatatype_any &&
+			     fctx->type != dns_rdatatype_rrsig &&
+			     fctx->type != dns_rdatatype_sig) ||
+			    (name->attributes & DNS_NAMEATTR_CHAINING) != 0)
+			{
+				ardataset = event->rdataset;
+				asigrdataset = event->sigrdataset;
+			}
+		}
+	}
+
+	/*
+	 * Find or create the cache node.
+	 */
+	node = NULL;
+	result = dns_db_findnode(fctx->cache, name, true, &node);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	/*
+	 * Cache or validate each cacheable rdataset.
+	 */
+	fail = ((fctx->res->options & DNS_RESOLVER_CHECKNAMESFAIL) != 0);
+	for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL;
+	     rdataset = ISC_LIST_NEXT(rdataset, link))
+	{
+		if (!CACHE(rdataset)) {
+			continue;
+		}
+		if (CHECKNAMES(rdataset)) {
+			char namebuf[DNS_NAME_FORMATSIZE];
+			char typebuf[DNS_RDATATYPE_FORMATSIZE];
+			char classbuf[DNS_RDATATYPE_FORMATSIZE];
+
+			dns_name_format(name, namebuf, sizeof(namebuf));
+			dns_rdatatype_format(rdataset->type, typebuf,
+					     sizeof(typebuf));
+			dns_rdataclass_format(rdataset->rdclass, classbuf,
+					      sizeof(classbuf));
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+				      DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
+				      "check-names %s %s/%s/%s",
+				      fail ? "failure" : "warning", namebuf,
+				      typebuf, classbuf);
+			if (fail) {
+				if (ANSWER(rdataset)) {
+					dns_db_detachnode(fctx->cache, &node);
+					return (DNS_R_BADNAME);
+				}
+				continue;
+			}
+		}
+
+		/*
+		 * Enforce the configure maximum cache TTL.
+		 */
+		if (rdataset->ttl > res->view->maxcachettl) {
+			rdataset->ttl = res->view->maxcachettl;
+		}
+
+		/*
+		 * Enforce configured minimum cache TTL.
+		 */
+		if (rdataset->ttl < res->view->mincachettl) {
+			rdataset->ttl = res->view->mincachettl;
+		}
+
+		/*
+		 * Mark the rdataset as being prefetch eligible.
+		 */
+		if (rdataset->ttl >= fctx->res->view->prefetch_eligible) {
+			rdataset->attributes |= DNS_RDATASETATTR_PREFETCH;
+		}
+
+		/*
+		 * Find the SIG for this rdataset, if we have it.
+		 */
+		for (sigrdataset = ISC_LIST_HEAD(name->list);
+		     sigrdataset != NULL;
+		     sigrdataset = ISC_LIST_NEXT(sigrdataset, link))
+		{
+			if (sigrdataset->type == dns_rdatatype_rrsig &&
+			    sigrdataset->covers == rdataset->type)
+			{
+				break;
+			}
+		}
+
+		/*
+		 * If this RRset is in a secure domain, is in bailiwick,
+		 * and is not glue, attempt DNSSEC validation.	(We do not
+		 * attempt to validate glue or out-of-bailiwick data--even
+		 * though there might be some performance benefit to doing
+		 * so--because it makes it simpler and safer to ensure that
+		 * records from a secure domain are only cached if validated
+		 * within the context of a query to the domain that owns
+		 * them.)
+		 */
+		if (secure_domain && rdataset->trust != dns_trust_glue &&
+		    !EXTERNAL(rdataset))
+		{
+			dns_trust_t trust;
+
+			/*
+			 * RRSIGs are validated as part of validating the
+			 * type they cover.
+			 */
+			if (rdataset->type == dns_rdatatype_rrsig) {
+				continue;
+			}
+
+			if (sigrdataset == NULL && need_validation &&
+			    !ANSWER(rdataset))
+			{
+				/*
+				 * Ignore unrelated non-answer
+				 * rdatasets that are missing signatures.
+				 */
+				continue;
+			}
+
+			/*
+			 * Normalize the rdataset and sigrdataset TTLs.
+			 */
+			if (sigrdataset != NULL) {
+				rdataset->ttl = ISC_MIN(rdataset->ttl,
+							sigrdataset->ttl);
+				sigrdataset->ttl = rdataset->ttl;
+			}
+
+			/*
+			 * Mark the rdataset as being prefetch eligible.
+			 */
+			if (rdataset->ttl >= fctx->res->view->prefetch_eligible)
+			{
+				rdataset->attributes |=
+					DNS_RDATASETATTR_PREFETCH;
+			}
+
+			/*
+			 * Cache this rdataset/sigrdataset pair as
+			 * pending data.  Track whether it was additional
+			 * or not. If this was a priming query, additional
+			 * should be cached as glue.
+			 */
+			if (rdataset->trust == dns_trust_additional) {
+				trust = dns_trust_pending_additional;
+			} else {
+				trust = dns_trust_pending_answer;
+			}
+
+			rdataset->trust = trust;
+			if (sigrdataset != NULL) {
+				sigrdataset->trust = trust;
+			}
+			if (!need_validation || !ANSWER(rdataset)) {
+				options = 0;
+				if (ANSWER(rdataset) &&
+				    rdataset->type != dns_rdatatype_rrsig)
+				{
+					isc_result_t tresult;
+					dns_name_t *noqname = NULL;
+					tresult = findnoqname(
+						fctx, message, name,
+						rdataset->type, &noqname);
+					if (tresult == ISC_R_SUCCESS &&
+					    noqname != NULL)
+					{
+						(void)dns_rdataset_addnoqname(
+							rdataset, noqname);
+					}
+				}
+				if ((fctx->options & DNS_FETCHOPT_PREFETCH) !=
+				    0)
+				{
+					options = DNS_DBADD_PREFETCH;
+				}
+				if ((fctx->options & DNS_FETCHOPT_NOCACHED) !=
+				    0)
+				{
+					options |= DNS_DBADD_FORCE;
+				}
+				addedrdataset = ardataset;
+				result = dns_db_addrdataset(
+					fctx->cache, node, NULL, now, rdataset,
+					options, addedrdataset);
+				if (result == DNS_R_UNCHANGED) {
+					result = ISC_R_SUCCESS;
+					if (!need_validation &&
+					    ardataset != NULL &&
+					    NEGATIVE(ardataset))
+					{
+						/*
+						 * The answer in the cache is
+						 * better than the answer we
+						 * found, and is a negative
+						 * cache entry, so we must set
+						 * eresult appropriately.
+						 */
+						if (NXDOMAIN(ardataset)) {
+							eresult =
+								DNS_R_NCACHENXDOMAIN;
+						} else {
+							eresult =
+								DNS_R_NCACHENXRRSET;
+						}
+						/*
+						 * We have a negative response
+						 * from the cache so don't
+						 * attempt to add the RRSIG
+						 * rrset.
+						 */
+						continue;
+					}
+				}
+				if (result != ISC_R_SUCCESS) {
+					break;
+				}
+				if (sigrdataset != NULL) {
+					addedrdataset = asigrdataset;
+					result = dns_db_addrdataset(
+						fctx->cache, node, NULL, now,
+						sigrdataset, options,
+						addedrdataset);
+					if (result == DNS_R_UNCHANGED) {
+						result = ISC_R_SUCCESS;
+					}
+					if (result != ISC_R_SUCCESS) {
+						break;
+					}
+				} else if (!ANSWER(rdataset)) {
+					continue;
+				}
+			}
+
+			if (ANSWER(rdataset) && need_validation) {
+				if (fctx->type != dns_rdatatype_any &&
+				    fctx->type != dns_rdatatype_rrsig &&
+				    fctx->type != dns_rdatatype_sig)
+				{
+					/*
+					 * This is The Answer.  We will
+					 * validate it, but first we cache
+					 * the rest of the response - it may
+					 * contain useful keys.
+					 */
+					INSIST(valrdataset == NULL &&
+					       valsigrdataset == NULL);
+					valrdataset = rdataset;
+					valsigrdataset = sigrdataset;
+				} else {
+					/*
+					 * This is one of (potentially)
+					 * multiple answers to an ANY
+					 * or SIG query.  To keep things
+					 * simple, we just start the
+					 * validator right away rather
+					 * than caching first and
+					 * having to remember which
+					 * rdatasets needed validation.
+					 */
+					result = valcreate(
+						fctx, message, addrinfo, name,
+						rdataset->type, rdataset,
+						sigrdataset, valoptions, task);
+				}
+			} else if (CHAINING(rdataset)) {
+				if (rdataset->type == dns_rdatatype_cname) {
+					eresult = DNS_R_CNAME;
+				} else {
+					INSIST(rdataset->type ==
+					       dns_rdatatype_dname);
+					eresult = DNS_R_DNAME;
+				}
+			}
+		} else if (!EXTERNAL(rdataset)) {
+			/*
+			 * It's OK to cache this rdataset now.
+			 */
+			if (ANSWER(rdataset)) {
+				addedrdataset = ardataset;
+			} else if (ANSWERSIG(rdataset)) {
+				addedrdataset = asigrdataset;
+			} else {
+				addedrdataset = NULL;
+			}
+			if (CHAINING(rdataset)) {
+				if (rdataset->type == dns_rdatatype_cname) {
+					eresult = DNS_R_CNAME;
+				} else {
+					INSIST(rdataset->type ==
+					       dns_rdatatype_dname);
+					eresult = DNS_R_DNAME;
+				}
+			}
+			if (rdataset->trust == dns_trust_glue &&
+			    (rdataset->type == dns_rdatatype_ns ||
+			     (rdataset->type == dns_rdatatype_rrsig &&
+			      rdataset->covers == dns_rdatatype_ns)))
+			{
+				/*
+				 * If the trust level is 'dns_trust_glue'
+				 * then we are adding data from a referral
+				 * we got while executing the search algorithm.
+				 * New referral data always takes precedence
+				 * over the existing cache contents.
+				 */
+				options = DNS_DBADD_FORCE;
+			} else if ((fctx->options & DNS_FETCHOPT_PREFETCH) != 0)
+			{
+				options = DNS_DBADD_PREFETCH;
+			} else {
+				options = 0;
+			}
+
+			if (ANSWER(rdataset) &&
+			    rdataset->type != dns_rdatatype_rrsig)
+			{
+				isc_result_t tresult;
+				dns_name_t *noqname = NULL;
+				tresult = findnoqname(fctx, message, name,
+						      rdataset->type, &noqname);
+				if (tresult == ISC_R_SUCCESS && noqname != NULL)
+				{
+					(void)dns_rdataset_addnoqname(rdataset,
+								      noqname);
+				}
+			}
+
+			/*
+			 * Now we can add the rdataset.
+			 */
+			result = dns_db_addrdataset(fctx->cache, node, NULL,
+						    now, rdataset, options,
+						    addedrdataset);
+
+			if (result == DNS_R_UNCHANGED) {
+				if (ANSWER(rdataset) && ardataset != NULL &&
+				    NEGATIVE(ardataset))
+				{
+					/*
+					 * The answer in the cache is better
+					 * than the answer we found, and is
+					 * a negative cache entry, so we
+					 * must set eresult appropriately.
+					 */
+					if (NXDOMAIN(ardataset)) {
+						eresult = DNS_R_NCACHENXDOMAIN;
+					} else {
+						eresult = DNS_R_NCACHENXRRSET;
+					}
+				}
+				result = ISC_R_SUCCESS;
+			} else if (result != ISC_R_SUCCESS) {
+				break;
+			}
+		}
+	}
+
+	if (valrdataset != NULL) {
+		dns_rdatatype_t vtype = fctx->type;
+		if (CHAINING(valrdataset)) {
+			if (valrdataset->type == dns_rdatatype_cname) {
+				vtype = dns_rdatatype_cname;
+			} else {
+				vtype = dns_rdatatype_dname;
+			}
+		}
+
+		result = valcreate(fctx, message, addrinfo, name, vtype,
+				   valrdataset, valsigrdataset, valoptions,
+				   task);
+	}
+
+	if (result == ISC_R_SUCCESS && have_answer) {
+		FCTX_ATTR_SET(fctx, FCTX_ATTR_HAVEANSWER);
+		if (event != NULL) {
+			/*
+			 * Negative results must be indicated in event->result.
+			 */
+			if (dns_rdataset_isassociated(event->rdataset) &&
+			    NEGATIVE(event->rdataset))
+			{
+				INSIST(eresult == DNS_R_NCACHENXDOMAIN ||
+				       eresult == DNS_R_NCACHENXRRSET);
+			}
+			event->result = eresult;
+			if (adbp != NULL && *adbp != NULL) {
+				if (anodep != NULL && *anodep != NULL) {
+					dns_db_detachnode(*adbp, anodep);
+				}
+				dns_db_detach(adbp);
+			}
+			dns_db_attach(fctx->cache, adbp);
+			dns_db_transfernode(fctx->cache, &node, anodep);
+			clone_results(fctx);
+		}
+	}
+
+	if (node != NULL) {
+		dns_db_detachnode(fctx->cache, &node);
+	}
+
+	return (result);
+}
+
+static isc_result_t
+cache_message(fetchctx_t *fctx, dns_message_t *message,
+	      dns_adbaddrinfo_t *addrinfo, isc_stdtime_t now) {
+	isc_result_t result;
+	dns_section_t section;
+	dns_name_t *name;
+
+	FCTXTRACE("cache_message");
+
+	FCTX_ATTR_CLR(fctx, FCTX_ATTR_WANTCACHE);
+
+	LOCK(&fctx->res->buckets[fctx->bucketnum].lock);
+
+	for (section = DNS_SECTION_ANSWER; section <= DNS_SECTION_ADDITIONAL;
+	     section++)
+	{
+		result = dns_message_firstname(message, section);
+		while (result == ISC_R_SUCCESS) {
+			name = NULL;
+			dns_message_currentname(message, section, &name);
+			if ((name->attributes & DNS_NAMEATTR_CACHE) != 0) {
+				result = cache_name(fctx, name, message,
+						    addrinfo, now);
+				if (result != ISC_R_SUCCESS) {
+					break;
+				}
+			}
+			result = dns_message_nextname(message, section);
+		}
+		if (result != ISC_R_NOMORE) {
+			break;
+		}
+	}
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+	}
+
+	UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock);
+
+	return (result);
+}
+
+/*
+ * Do what dns_ncache_addoptout() does, and then compute an appropriate eresult.
+ */
+static isc_result_t
+ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
+		  dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t minttl,
+		  dns_ttl_t maxttl, bool optout, bool secure,
+		  dns_rdataset_t *ardataset, isc_result_t *eresultp) {
+	isc_result_t result;
+	dns_rdataset_t rdataset;
+
+	if (ardataset == NULL) {
+		dns_rdataset_init(&rdataset);
+		ardataset = &rdataset;
+	}
+	if (secure) {
+		result = dns_ncache_addoptout(message, cache, node, covers, now,
+					      minttl, maxttl, optout,
+					      ardataset);
+	} else {
+		result = dns_ncache_add(message, cache, node, covers, now,
+					minttl, maxttl, ardataset);
+	}
+	if (result == DNS_R_UNCHANGED || result == ISC_R_SUCCESS) {
+		/*
+		 * If the cache now contains a negative entry and we
+		 * care about whether it is DNS_R_NCACHENXDOMAIN or
+		 * DNS_R_NCACHENXRRSET then extract it.
+		 */
+		if (NEGATIVE(ardataset)) {
+			/*
+			 * The cache data is a negative cache entry.
+			 */
+			if (NXDOMAIN(ardataset)) {
+				*eresultp = DNS_R_NCACHENXDOMAIN;
+			} else {
+				*eresultp = DNS_R_NCACHENXRRSET;
+			}
+		} else {
+			/*
+			 * Either we don't care about the nature of the
+			 * cache rdataset (because no fetch is interested
+			 * in the outcome), or the cache rdataset is not
+			 * a negative cache entry.  Whichever case it is,
+			 * we can return success.
+			 *
+			 * XXXRTH  There's a CNAME/DNAME problem here.
+			 */
+			*eresultp = ISC_R_SUCCESS;
+		}
+		result = ISC_R_SUCCESS;
+	}
+	if (ardataset == &rdataset && dns_rdataset_isassociated(ardataset)) {
+		dns_rdataset_disassociate(ardataset);
+	}
+
+	return (result);
+}
+
+static isc_result_t
+ncache_message(fetchctx_t *fctx, dns_message_t *message,
+	       dns_adbaddrinfo_t *addrinfo, dns_rdatatype_t covers,
+	       isc_stdtime_t now) {
+	isc_result_t result, eresult;
+	dns_name_t *name;
+	dns_resolver_t *res;
+	dns_db_t **adbp;
+	dns_dbnode_t *node, **anodep;
+	dns_rdataset_t *ardataset;
+	bool need_validation, secure_domain;
+	dns_name_t *aname;
+	dns_fetchevent_t *event;
+	uint32_t ttl;
+	unsigned int valoptions = 0;
+	bool checknta = true;
+
+	FCTXTRACE("ncache_message");
+
+	FCTX_ATTR_CLR(fctx, FCTX_ATTR_WANTNCACHE);
+
+	res = fctx->res;
+	need_validation = false;
+	POST(need_validation);
+	secure_domain = false;
+	eresult = ISC_R_SUCCESS;
+	name = &fctx->name;
+	node = NULL;
+
+	/*
+	 * XXXMPA remove when we follow cnames and adjust the setting
+	 * of FCTX_ATTR_WANTNCACHE in rctx_answer_none().
+	 */
+	INSIST(message->counts[DNS_SECTION_ANSWER] == 0);
+
+	/*
+	 * Is DNSSEC validation required for this name?
+	 */
+	if ((fctx->options & DNS_FETCHOPT_NONTA) != 0) {
+		valoptions |= DNS_VALIDATOR_NONTA;
+		checknta = false;
+	}
+
+	if (fctx->res->view->enablevalidation) {
+		result = issecuredomain(res->view, name, fctx->type, now,
+					checknta, NULL, &secure_domain);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+
+	if ((fctx->options & DNS_FETCHOPT_NOCDFLAG) != 0) {
+		valoptions |= DNS_VALIDATOR_NOCDFLAG;
+	}
+
+	if ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0) {
+		need_validation = false;
+	} else {
+		need_validation = secure_domain;
+	}
+
+	if (secure_domain) {
+		/*
+		 * Mark all rdatasets as pending.
+		 */
+		dns_rdataset_t *trdataset;
+		dns_name_t *tname;
+
+		result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
+		while (result == ISC_R_SUCCESS) {
+			tname = NULL;
+			dns_message_currentname(message, DNS_SECTION_AUTHORITY,
+						&tname);
+			for (trdataset = ISC_LIST_HEAD(tname->list);
+			     trdataset != NULL;
+			     trdataset = ISC_LIST_NEXT(trdataset, link))
+			{
+				trdataset->trust = dns_trust_pending_answer;
+			}
+			result = dns_message_nextname(message,
+						      DNS_SECTION_AUTHORITY);
+		}
+		if (result != ISC_R_NOMORE) {
+			return (result);
+		}
+	}
+
+	if (need_validation) {
+		/*
+		 * Do negative response validation.
+		 */
+		result = valcreate(fctx, message, addrinfo, name, fctx->type,
+				   NULL, NULL, valoptions,
+				   res->buckets[fctx->bucketnum].task);
+		/*
+		 * If validation is necessary, return now.  Otherwise continue
+		 * to process the message, letting the validation complete
+		 * in its own good time.
+		 */
+		return (result);
+	}
+
+	LOCK(&res->buckets[fctx->bucketnum].lock);
+
+	adbp = NULL;
+	aname = NULL;
+	anodep = NULL;
+	ardataset = NULL;
+	if (!HAVE_ANSWER(fctx)) {
+		event = ISC_LIST_HEAD(fctx->events);
+		if (event != NULL) {
+			adbp = &event->db;
+			aname = dns_fixedname_name(&event->foundname);
+			dns_name_copynf(name, aname);
+			anodep = &event->node;
+			ardataset = event->rdataset;
+		}
+	} else {
+		event = NULL;
+	}
+
+	result = dns_db_findnode(fctx->cache, name, true, &node);
+	if (result != ISC_R_SUCCESS) {
+		goto unlock;
+	}
+
+	/*
+	 * If we are asking for a SOA record set the cache time
+	 * to zero to facilitate locating the containing zone of
+	 * a arbitrary zone.
+	 */
+	ttl = fctx->res->view->maxncachettl;
+	if (fctx->type == dns_rdatatype_soa && covers == dns_rdatatype_any &&
+	    fctx->res->zero_no_soa_ttl)
+	{
+		ttl = 0;
+	}
+
+	result = ncache_adderesult(message, fctx->cache, node, covers, now,
+				   fctx->res->view->minncachettl, ttl, false,
+				   false, ardataset, &eresult);
+	if (result != ISC_R_SUCCESS) {
+		goto unlock;
+	}
+
+	if (!HAVE_ANSWER(fctx)) {
+		FCTX_ATTR_SET(fctx, FCTX_ATTR_HAVEANSWER);
+		if (event != NULL) {
+			event->result = eresult;
+			if (adbp != NULL && *adbp != NULL) {
+				if (anodep != NULL && *anodep != NULL) {
+					dns_db_detachnode(*adbp, anodep);
+				}
+				dns_db_detach(adbp);
+			}
+			dns_db_attach(fctx->cache, adbp);
+			dns_db_transfernode(fctx->cache, &node, anodep);
+			clone_results(fctx);
+		}
+	}
+
+unlock:
+	UNLOCK(&res->buckets[fctx->bucketnum].lock);
+
+	if (node != NULL) {
+		dns_db_detachnode(fctx->cache, &node);
+	}
+
+	return (result);
+}
+
+static void
+mark_related(dns_name_t *name, dns_rdataset_t *rdataset, bool external,
+	     bool gluing) {
+	name->attributes |= DNS_NAMEATTR_CACHE;
+	if (gluing) {
+		rdataset->trust = dns_trust_glue;
+		/*
+		 * Glue with 0 TTL causes problems.  We force the TTL to
+		 * 1 second to prevent this.
+		 */
+		if (rdataset->ttl == 0) {
+			rdataset->ttl = 1;
+		}
+	} else {
+		rdataset->trust = dns_trust_additional;
+	}
+	/*
+	 * Avoid infinite loops by only marking new rdatasets.
+	 */
+	if (!CACHE(rdataset)) {
+		name->attributes |= DNS_NAMEATTR_CHASE;
+		rdataset->attributes |= DNS_RDATASETATTR_CHASE;
+	}
+	rdataset->attributes |= DNS_RDATASETATTR_CACHE;
+	if (external) {
+		rdataset->attributes |= DNS_RDATASETATTR_EXTERNAL;
+	}
+}
+
+/*
+ * Returns true if 'name' is external to the namespace for which
+ * the server being queried can answer, either because it's not a
+ * subdomain or because it's below a forward declaration or a
+ * locally served zone.
+ */
+static bool
+name_external(const dns_name_t *name, dns_rdatatype_t type, fetchctx_t *fctx) {
+	isc_result_t result;
+	dns_forwarders_t *forwarders = NULL;
+	dns_fixedname_t fixed, zfixed;
+	dns_name_t *fname = dns_fixedname_initname(&fixed);
+	dns_name_t *zfname = dns_fixedname_initname(&zfixed);
+	dns_name_t *apex = NULL;
+	dns_name_t suffix;
+	dns_zone_t *zone = NULL;
+	unsigned int labels;
+	dns_namereln_t rel;
+
+	apex = (ISDUALSTACK(fctx->addrinfo) || !ISFORWARDER(fctx->addrinfo))
+		       ? &fctx->domain
+		       : fctx->fwdname;
+
+	/*
+	 * The name is outside the queried namespace.
+	 */
+	rel = dns_name_fullcompare(name, apex, &(int){ 0 },
+				   &(unsigned int){ 0U });
+	if (rel != dns_namereln_subdomain && rel != dns_namereln_equal) {
+		return (true);
+	}
+
+	/*
+	 * If the record lives in the parent zone, adjust the name so we
+	 * look for the correct zone or forward clause.
+	 */
+	labels = dns_name_countlabels(name);
+	if (dns_rdatatype_atparent(type) && labels > 1U) {
+		dns_name_init(&suffix, NULL);
+		dns_name_getlabelsequence(name, 1, labels - 1, &suffix);
+		name = &suffix;
+	} else if (rel == dns_namereln_equal) {
+		/* If 'name' is 'apex', no further checking is needed. */
+		return (false);
+	}
+
+	/*
+	 * If there is a locally served zone between 'apex' and 'name'
+	 * then don't cache.
+	 */
+	LOCK(&fctx->res->view->lock);
+	if (fctx->res->view->zonetable != NULL) {
+		unsigned int options = DNS_ZTFIND_NOEXACT | DNS_ZTFIND_MIRROR;
+		result = dns_zt_find(fctx->res->view->zonetable, name, options,
+				     zfname, &zone);
+		if (zone != NULL) {
+			dns_zone_detach(&zone);
+		}
+		if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
+			if (dns_name_fullcompare(zfname, apex, &(int){ 0 },
+						 &(unsigned int){ 0U }) ==
+			    dns_namereln_subdomain)
+			{
+				UNLOCK(&fctx->res->view->lock);
+				return (true);
+			}
+		}
+	}
+	UNLOCK(&fctx->res->view->lock);
+
+	/*
+	 * Look for a forward declaration below 'name'.
+	 */
+	result = dns_fwdtable_find(fctx->res->view->fwdtable, name, fname,
+				   &forwarders);
+
+	if (ISFORWARDER(fctx->addrinfo)) {
+		/*
+		 * See if the forwarder declaration is better.
+		 */
+		if (result == ISC_R_SUCCESS) {
+			return (!dns_name_equal(fname, fctx->fwdname));
+		}
+
+		/*
+		 * If the lookup failed, the configuration must have
+		 * changed: play it safe and don't cache.
+		 */
+		return (true);
+	} else if (result == ISC_R_SUCCESS &&
+		   forwarders->fwdpolicy == dns_fwdpolicy_only &&
+		   !ISC_LIST_EMPTY(forwarders->fwdrs))
+	{
+		/*
+		 * If 'name' is covered by a 'forward only' clause then we
+		 * can't cache this repsonse.
+		 */
+		return (true);
+	}
+
+	return (false);
+}
+
+static isc_result_t
+check_section(void *arg, const dns_name_t *addname, dns_rdatatype_t type,
+	      dns_section_t section) {
+	respctx_t *rctx = arg;
+	fetchctx_t *fctx = rctx->fctx;
+	isc_result_t result;
+	dns_name_t *name = NULL;
+	dns_rdataset_t *rdataset = NULL;
+	bool external;
+	dns_rdatatype_t rtype;
+	bool gluing;
+
+	REQUIRE(VALID_FCTX(fctx));
+
+#if CHECK_FOR_GLUE_IN_ANSWER
+	if (section == DNS_SECTION_ANSWER && type != dns_rdatatype_a) {
+		return (ISC_R_SUCCESS);
+	}
+#endif /* if CHECK_FOR_GLUE_IN_ANSWER */
+
+	gluing = (GLUING(fctx) || (fctx->type == dns_rdatatype_ns &&
+				   dns_name_equal(&fctx->name, dns_rootname)));
+
+	result = dns_message_findname(rctx->query->rmessage, section, addname,
+				      dns_rdatatype_any, 0, &name, NULL);
+	if (result == ISC_R_SUCCESS) {
+		external = name_external(name, type, fctx);
+		if (type == dns_rdatatype_a) {
+			for (rdataset = ISC_LIST_HEAD(name->list);
+			     rdataset != NULL;
+			     rdataset = ISC_LIST_NEXT(rdataset, link))
+			{
+				if (rdataset->type == dns_rdatatype_rrsig) {
+					rtype = rdataset->covers;
+				} else {
+					rtype = rdataset->type;
+				}
+				if (rtype == dns_rdatatype_a ||
+				    rtype == dns_rdatatype_aaaa)
+				{
+					mark_related(name, rdataset, external,
+						     gluing);
+				}
+			}
+		} else {
+			result = dns_message_findtype(name, type, 0, &rdataset);
+			if (result == ISC_R_SUCCESS) {
+				mark_related(name, rdataset, external, gluing);
+				/*
+				 * Do we have its SIG too?
+				 */
+				rdataset = NULL;
+				result = dns_message_findtype(
+					name, dns_rdatatype_rrsig, type,
+					&rdataset);
+				if (result == ISC_R_SUCCESS) {
+					mark_related(name, rdataset, external,
+						     gluing);
+				}
+			}
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+check_related(void *arg, const dns_name_t *addname, dns_rdatatype_t type) {
+	return (check_section(arg, addname, type, DNS_SECTION_ADDITIONAL));
+}
+
+#ifndef CHECK_FOR_GLUE_IN_ANSWER
+#define CHECK_FOR_GLUE_IN_ANSWER 0
+#endif /* ifndef CHECK_FOR_GLUE_IN_ANSWER */
+
+#if CHECK_FOR_GLUE_IN_ANSWER
+static isc_result_t
+check_answer(void *arg, const dns_name_t *addname, dns_rdatatype_t type) {
+	return (check_section(arg, addname, type, DNS_SECTION_ANSWER));
+}
+#endif /* if CHECK_FOR_GLUE_IN_ANSWER */
+
+static bool
+is_answeraddress_allowed(dns_view_t *view, dns_name_t *name,
+			 dns_rdataset_t *rdataset) {
+	isc_result_t result;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	struct in_addr ina;
+	struct in6_addr in6a;
+	isc_netaddr_t netaddr;
+	char addrbuf[ISC_NETADDR_FORMATSIZE];
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char classbuf[64];
+	char typebuf[64];
+	int match;
+
+	/* By default, we allow any addresses. */
+	if (view->denyansweracl == NULL) {
+		return (true);
+	}
+
+	/*
+	 * If the owner name matches one in the exclusion list, either exactly
+	 * or partially, allow it.
+	 */
+	if (view->answeracl_exclude != NULL) {
+		dns_rbtnode_t *node = NULL;
+
+		result = dns_rbt_findnode(view->answeracl_exclude, name, NULL,
+					  &node, NULL, 0, NULL, NULL);
+
+		if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
+			return (true);
+		}
+	}
+
+	/*
+	 * Otherwise, search the filter list for a match for each address
+	 * record.  If a match is found, the address should be filtered,
+	 * so should the entire answer.
+	 */
+	for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(rdataset))
+	{
+		dns_rdata_reset(&rdata);
+		dns_rdataset_current(rdataset, &rdata);
+		if (rdataset->type == dns_rdatatype_a) {
+			INSIST(rdata.length == sizeof(ina.s_addr));
+			memmove(&ina.s_addr, rdata.data, sizeof(ina.s_addr));
+			isc_netaddr_fromin(&netaddr, &ina);
+		} else {
+			INSIST(rdata.length == sizeof(in6a.s6_addr));
+			memmove(in6a.s6_addr, rdata.data, sizeof(in6a.s6_addr));
+			isc_netaddr_fromin6(&netaddr, &in6a);
+		}
+
+		result = dns_acl_match(&netaddr, NULL, view->denyansweracl,
+				       &view->aclenv, &match, NULL);
+		if (result == ISC_R_SUCCESS && match > 0) {
+			isc_netaddr_format(&netaddr, addrbuf, sizeof(addrbuf));
+			dns_name_format(name, namebuf, sizeof(namebuf));
+			dns_rdatatype_format(rdataset->type, typebuf,
+					     sizeof(typebuf));
+			dns_rdataclass_format(rdataset->rdclass, classbuf,
+					      sizeof(classbuf));
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+				      DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
+				      "answer address %s denied for %s/%s/%s",
+				      addrbuf, namebuf, typebuf, classbuf);
+			return (false);
+		}
+	}
+
+	return (true);
+}
+
+static bool
+is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
+			dns_rdataset_t *rdataset, bool *chainingp) {
+	isc_result_t result;
+	dns_rbtnode_t *node = NULL;
+	char qnamebuf[DNS_NAME_FORMATSIZE];
+	char tnamebuf[DNS_NAME_FORMATSIZE];
+	char classbuf[64];
+	char typebuf[64];
+	dns_name_t *tname = NULL;
+	dns_rdata_cname_t cname;
+	dns_rdata_dname_t dname;
+	dns_view_t *view = fctx->res->view;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	unsigned int nlabels;
+	dns_fixedname_t fixed;
+	dns_name_t prefix;
+	int order;
+
+	REQUIRE(rdataset != NULL);
+	REQUIRE(rdataset->type == dns_rdatatype_cname ||
+		rdataset->type == dns_rdatatype_dname);
+
+	/*
+	 * By default, we allow any target name.
+	 * If newqname != NULL we also need to extract the newqname.
+	 */
+	if (chainingp == NULL && view->denyanswernames == NULL) {
+		return (true);
+	}
+
+	result = dns_rdataset_first(rdataset);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	dns_rdataset_current(rdataset, &rdata);
+	switch (rdataset->type) {
+	case dns_rdatatype_cname:
+		result = dns_rdata_tostruct(&rdata, &cname, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		tname = &cname.cname;
+		break;
+	case dns_rdatatype_dname:
+		if (dns_name_fullcompare(qname, rname, &order, &nlabels) !=
+		    dns_namereln_subdomain)
+		{
+			return (true);
+		}
+		result = dns_rdata_tostruct(&rdata, &dname, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		dns_name_init(&prefix, NULL);
+		tname = dns_fixedname_initname(&fixed);
+		nlabels = dns_name_countlabels(rname);
+		dns_name_split(qname, nlabels, &prefix, NULL);
+		result = dns_name_concatenate(&prefix, &dname.dname, tname,
+					      NULL);
+		if (result == DNS_R_NAMETOOLONG) {
+			if (chainingp != NULL) {
+				*chainingp = true;
+			}
+			return (true);
+		}
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	if (chainingp != NULL) {
+		*chainingp = true;
+	}
+
+	if (view->denyanswernames == NULL) {
+		return (true);
+	}
+
+	/*
+	 * If the owner name matches one in the exclusion list, either exactly
+	 * or partially, allow it.
+	 */
+	if (view->answernames_exclude != NULL) {
+		result = dns_rbt_findnode(view->answernames_exclude, qname,
+					  NULL, &node, NULL, 0, NULL, NULL);
+		if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
+			return (true);
+		}
+	}
+
+	/*
+	 * If the target name is a subdomain of the search domain, allow it.
+	 *
+	 * Note that if BIND is configured as a forwarding DNS server, the
+	 * search domain will always match the root domain ("."), so we
+	 * must also check whether forwarding is enabled so that filters
+	 * can be applied; see GL #1574.
+	 */
+	if (!fctx->forwarding && dns_name_issubdomain(tname, &fctx->domain)) {
+		return (true);
+	}
+
+	/*
+	 * Otherwise, apply filters.
+	 */
+	result = dns_rbt_findnode(view->denyanswernames, tname, NULL, &node,
+				  NULL, 0, NULL, NULL);
+	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
+		dns_name_format(qname, qnamebuf, sizeof(qnamebuf));
+		dns_name_format(tname, tnamebuf, sizeof(tnamebuf));
+		dns_rdatatype_format(rdataset->type, typebuf, sizeof(typebuf));
+		dns_rdataclass_format(view->rdclass, classbuf,
+				      sizeof(classbuf));
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+			      DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
+			      "%s target %s denied for %s/%s", typebuf,
+			      tnamebuf, qnamebuf, classbuf);
+		return (false);
+	}
+
+	return (true);
+}
+
+static void
+trim_ns_ttl(fetchctx_t *fctx, dns_name_t *name, dns_rdataset_t *rdataset) {
+	char ns_namebuf[DNS_NAME_FORMATSIZE];
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char tbuf[DNS_RDATATYPE_FORMATSIZE];
+
+	if (fctx->ns_ttl_ok && rdataset->ttl > fctx->ns_ttl) {
+		dns_name_format(name, ns_namebuf, sizeof(ns_namebuf));
+		dns_name_format(&fctx->name, namebuf, sizeof(namebuf));
+		dns_rdatatype_format(fctx->type, tbuf, sizeof(tbuf));
+
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+			      DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(10),
+			      "fctx %p: trimming ttl of %s/NS for %s/%s: "
+			      "%u -> %u",
+			      fctx, ns_namebuf, namebuf, tbuf, rdataset->ttl,
+			      fctx->ns_ttl);
+		rdataset->ttl = fctx->ns_ttl;
+	}
+}
+
+static bool
+validinanswer(dns_rdataset_t *rdataset, fetchctx_t *fctx) {
+	if (rdataset->type == dns_rdatatype_nsec3) {
+		/*
+		 * NSEC3 records are not allowed to
+		 * appear in the answer section.
+		 */
+		log_formerr(fctx, "NSEC3 in answer");
+		return (false);
+	}
+	if (rdataset->type == dns_rdatatype_tkey) {
+		/*
+		 * TKEY is not a valid record in a
+		 * response to any query we can make.
+		 */
+		log_formerr(fctx, "TKEY in answer");
+		return (false);
+	}
+	if (rdataset->rdclass != fctx->res->rdclass) {
+		log_formerr(fctx, "Mismatched class in answer");
+		return (false);
+	}
+	return (true);
+}
+
+static void
+fctx_increference(fetchctx_t *fctx) {
+	REQUIRE(VALID_FCTX(fctx));
+
+	isc_refcount_increment0(&fctx->references);
+}
+
+/*
+ * Requires bucket lock to be held.
+ */
+static bool
+fctx_decreference(fetchctx_t *fctx) {
+	bool bucket_empty = false;
+
+	REQUIRE(VALID_FCTX(fctx));
+
+	if (isc_refcount_decrement(&fctx->references) == 1) {
+		/*
+		 * No one cares about the result of this fetch anymore.
+		 */
+		if (fctx->pending == 0 && fctx->nqueries == 0 &&
+		    ISC_LIST_EMPTY(fctx->validators) && SHUTTINGDOWN(fctx))
+		{
+			/*
+			 * This fctx is already shutdown; we were just
+			 * waiting for the last reference to go away.
+			 */
+			bucket_empty = fctx_unlink(fctx);
+			fctx_destroy(fctx);
+		} else {
+			/*
+			 * Initiate shutdown.
+			 */
+			fctx_shutdown(fctx);
+		}
+	}
+	return (bucket_empty);
+}
+
+static void
+resume_dslookup(isc_task_t *task, isc_event_t *event) {
+	dns_fetchevent_t *fevent;
+	dns_resolver_t *res;
+	fetchctx_t *fctx;
+	isc_result_t result;
+	uint32_t bucketnum;
+	bool bucket_empty;
+	dns_rdataset_t nameservers;
+	dns_fixedname_t fixed;
+	dns_name_t *domain;
+
+	REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE);
+	fevent = (dns_fetchevent_t *)event;
+	fctx = event->ev_arg;
+	REQUIRE(VALID_FCTX(fctx));
+	res = fctx->res;
+	bucketnum = fctx->bucketnum;
+
+	UNUSED(task);
+	FCTXTRACE("resume_dslookup");
+
+	if (fevent->node != NULL) {
+		dns_db_detachnode(fevent->db, &fevent->node);
+	}
+	if (fevent->db != NULL) {
+		dns_db_detach(&fevent->db);
+	}
+
+	dns_rdataset_init(&nameservers);
+
+	/*
+	 * Note: fevent->rdataset must be disassociated and
+	 * isc_event_free(&event) be called before resuming
+	 * processing of the 'fctx' to prevent use-after-free.
+	 * 'fevent' is set to NULL so as to not have a dangling
+	 * pointer.
+	 */
+	if (fevent->result == ISC_R_CANCELED) {
+		if (dns_rdataset_isassociated(fevent->rdataset)) {
+			dns_rdataset_disassociate(fevent->rdataset);
+		}
+		fevent = NULL;
+		isc_event_free(&event);
+
+		dns_resolver_destroyfetch(&fctx->nsfetch);
+		fctx_done(fctx, ISC_R_CANCELED, __LINE__);
+	} else if (fevent->result == ISC_R_SUCCESS) {
+		FCTXTRACE("resuming DS lookup");
+
+		dns_resolver_destroyfetch(&fctx->nsfetch);
+		if (dns_rdataset_isassociated(&fctx->nameservers)) {
+			dns_rdataset_disassociate(&fctx->nameservers);
+		}
+		dns_rdataset_clone(fevent->rdataset, &fctx->nameservers);
+		fctx->ns_ttl = fctx->nameservers.ttl;
+		fctx->ns_ttl_ok = true;
+		log_ns_ttl(fctx, "resume_dslookup");
+
+		if (dns_rdataset_isassociated(fevent->rdataset)) {
+			dns_rdataset_disassociate(fevent->rdataset);
+		}
+		fevent = NULL;
+		isc_event_free(&event);
+
+		fcount_decr(fctx);
+		dns_name_free(&fctx->domain, fctx->mctx);
+		dns_name_init(&fctx->domain, NULL);
+		dns_name_dup(&fctx->nsname, fctx->mctx, &fctx->domain);
+		result = fcount_incr(fctx, true);
+		if (result != ISC_R_SUCCESS) {
+			fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
+			goto cleanup;
+		}
+		/*
+		 * Try again.
+		 */
+		fctx_try(fctx, true, false);
+	} else {
+		unsigned int n;
+		dns_rdataset_t *nsrdataset = NULL;
+
+		/*
+		 * Retrieve state from fctx->nsfetch before we destroy it.
+		 */
+		domain = dns_fixedname_initname(&fixed);
+		dns_name_copynf(&fctx->nsfetch->private->domain, domain);
+		if (dns_name_equal(&fctx->nsname, domain)) {
+			if (dns_rdataset_isassociated(fevent->rdataset)) {
+				dns_rdataset_disassociate(fevent->rdataset);
+			}
+			fevent = NULL;
+			isc_event_free(&event);
+
+			fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
+			dns_resolver_destroyfetch(&fctx->nsfetch);
+			goto cleanup;
+		}
+		if (dns_rdataset_isassociated(
+			    &fctx->nsfetch->private->nameservers))
+		{
+			dns_rdataset_clone(&fctx->nsfetch->private->nameservers,
+					   &nameservers);
+			nsrdataset = &nameservers;
+		} else {
+			domain = NULL;
+		}
+		dns_resolver_destroyfetch(&fctx->nsfetch);
+		n = dns_name_countlabels(&fctx->nsname);
+		dns_name_getlabelsequence(&fctx->nsname, 1, n - 1,
+					  &fctx->nsname);
+
+		if (dns_rdataset_isassociated(fevent->rdataset)) {
+			dns_rdataset_disassociate(fevent->rdataset);
+		}
+		fevent = NULL;
+		isc_event_free(&event);
+
+		FCTXTRACE("continuing to look for parent's NS records");
+
+		result = dns_resolver_createfetch(
+			fctx->res, &fctx->nsname, dns_rdatatype_ns, domain,
+			nsrdataset, NULL, NULL, 0, fctx->options, 0, NULL, task,
+			resume_dslookup, fctx, &fctx->nsrrset, NULL,
+			&fctx->nsfetch);
+		/*
+		 * fevent->rdataset (a.k.a. fctx->nsrrset) must not be
+		 * accessed below this point to prevent races with
+		 * another thread concurrently processing the fetch.
+		 */
+		if (result != ISC_R_SUCCESS) {
+			if (result == DNS_R_DUPLICATE) {
+				result = DNS_R_SERVFAIL;
+			}
+			fctx_done(fctx, result, __LINE__);
+		} else {
+			fctx_increference(fctx);
+		}
+	}
+
+cleanup:
+	INSIST(event == NULL);
+	INSIST(fevent == NULL);
+	if (dns_rdataset_isassociated(&nameservers)) {
+		dns_rdataset_disassociate(&nameservers);
+	}
+	LOCK(&res->buckets[bucketnum].lock);
+	bucket_empty = fctx_decreference(fctx);
+	UNLOCK(&res->buckets[bucketnum].lock);
+	if (bucket_empty) {
+		empty_bucket(res);
+	}
+}
+
+static void
+checknamessection(dns_message_t *message, dns_section_t section) {
+	isc_result_t result;
+	dns_name_t *name;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdataset_t *rdataset;
+
+	for (result = dns_message_firstname(message, section);
+	     result == ISC_R_SUCCESS;
+	     result = dns_message_nextname(message, section))
+	{
+		name = NULL;
+		dns_message_currentname(message, section, &name);
+		for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link))
+		{
+			for (result = dns_rdataset_first(rdataset);
+			     result == ISC_R_SUCCESS;
+			     result = dns_rdataset_next(rdataset))
+			{
+				dns_rdataset_current(rdataset, &rdata);
+				if (!dns_rdata_checkowner(name, rdata.rdclass,
+							  rdata.type, false) ||
+				    !dns_rdata_checknames(&rdata, name, NULL))
+				{
+					rdataset->attributes |=
+						DNS_RDATASETATTR_CHECKNAMES;
+				}
+				dns_rdata_reset(&rdata);
+			}
+		}
+	}
+}
+
+static void
+checknames(dns_message_t *message) {
+	checknamessection(message, DNS_SECTION_ANSWER);
+	checknamessection(message, DNS_SECTION_AUTHORITY);
+	checknamessection(message, DNS_SECTION_ADDITIONAL);
+}
+
+/*
+ * Log server NSID at log level 'level'
+ */
+static void
+log_nsid(isc_buffer_t *opt, size_t nsid_len, resquery_t *query, int level,
+	 isc_mem_t *mctx) {
+	static const char hex[17] = "0123456789abcdef";
+	char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+	size_t buflen;
+	unsigned char *p, *nsid;
+	unsigned char *buf = NULL, *pbuf = NULL;
+
+	REQUIRE(nsid_len <= UINT16_MAX);
+
+	/* Allocate buffer for storing hex version of the NSID */
+	buflen = nsid_len * 2 + 1;
+	buf = isc_mem_get(mctx, buflen);
+	pbuf = isc_mem_get(mctx, nsid_len + 1);
+
+	/* Convert to hex */
+	p = buf;
+	nsid = isc_buffer_current(opt);
+	for (size_t i = 0; i < nsid_len; i++) {
+		*p++ = hex[(nsid[i] >> 4) & 0xf];
+		*p++ = hex[nsid[i] & 0xf];
+	}
+	*p = '\0';
+
+	/* Make printable version */
+	p = pbuf;
+	for (size_t i = 0; i < nsid_len; i++) {
+		*p++ = isprint(nsid[i]) ? nsid[i] : '.';
+	}
+	*p = '\0';
+
+	isc_sockaddr_format(&query->addrinfo->sockaddr, addrbuf,
+			    sizeof(addrbuf));
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_NSID, DNS_LOGMODULE_RESOLVER,
+		      level, "received NSID %s (\"%s\") from %s", buf, pbuf,
+		      addrbuf);
+
+	isc_mem_put(mctx, pbuf, nsid_len + 1);
+	isc_mem_put(mctx, buf, buflen);
+}
+
+static bool
+iscname(dns_message_t *message, dns_name_t *name) {
+	isc_result_t result;
+
+	result = dns_message_findname(message, DNS_SECTION_ANSWER, name,
+				      dns_rdatatype_cname, 0, NULL, NULL);
+	return (result == ISC_R_SUCCESS ? true : false);
+}
+
+static bool
+betterreferral(respctx_t *rctx) {
+	isc_result_t result;
+	dns_name_t *name;
+	dns_rdataset_t *rdataset;
+
+	for (result = dns_message_firstname(rctx->query->rmessage,
+					    DNS_SECTION_AUTHORITY);
+	     result == ISC_R_SUCCESS;
+	     result = dns_message_nextname(rctx->query->rmessage,
+					   DNS_SECTION_AUTHORITY))
+	{
+		name = NULL;
+		dns_message_currentname(rctx->query->rmessage,
+					DNS_SECTION_AUTHORITY, &name);
+		if (!isstrictsubdomain(name, &rctx->fctx->domain)) {
+			continue;
+		}
+		for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link))
+		{
+			if (rdataset->type == dns_rdatatype_ns) {
+				return (true);
+			}
+		}
+	}
+	return (false);
+}
+
+/*
+ * resquery_response():
+ * Handles responses received in response to iterative queries sent by
+ * resquery_send(). Sets up a response context (respctx_t).
+ */
+static void
+resquery_response(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result = ISC_R_SUCCESS;
+	resquery_t *query = event->ev_arg;
+	dns_dispatchevent_t *devent = (dns_dispatchevent_t *)event;
+	fetchctx_t *fctx;
+	respctx_t rctx;
+
+	REQUIRE(VALID_QUERY(query));
+	fctx = query->fctx;
+	REQUIRE(VALID_FCTX(fctx));
+	REQUIRE(event->ev_type == DNS_EVENT_DISPATCH);
+
+	QTRACE("response");
+
+	if (isc_sockaddr_pf(&query->addrinfo->sockaddr) == PF_INET) {
+		inc_stats(fctx->res, dns_resstatscounter_responsev4);
+	} else {
+		inc_stats(fctx->res, dns_resstatscounter_responsev6);
+	}
+
+	(void)isc_timer_touch(fctx->timer);
+
+	rctx_respinit(task, devent, query, fctx, &rctx);
+
+	if (atomic_load_acquire(&fctx->res->exiting)) {
+		result = ISC_R_SHUTTINGDOWN;
+		FCTXTRACE("resolver shutting down");
+		rctx_done(&rctx, result);
+		return;
+	}
+
+	fctx->timeouts = 0;
+	fctx->timeout = false;
+	fctx->addrinfo = query->addrinfo;
+
+	/*
+	 * Check whether the dispatcher has failed; if so we're done
+	 */
+	result = rctx_dispfail(&rctx);
+	if (result == ISC_R_COMPLETE) {
+		return;
+	}
+
+	if (query->tsig != NULL) {
+		result = dns_message_setquerytsig(query->rmessage, query->tsig);
+		if (result != ISC_R_SUCCESS) {
+			FCTXTRACE3("unable to set query tsig", result);
+			rctx_done(&rctx, result);
+			return;
+		}
+	}
+
+	if (query->tsigkey) {
+		result = dns_message_settsigkey(query->rmessage,
+						query->tsigkey);
+		if (result != ISC_R_SUCCESS) {
+			FCTXTRACE3("unable to set tsig key", result);
+			rctx_done(&rctx, result);
+			return;
+		}
+	}
+
+	dns_message_setclass(query->rmessage, fctx->res->rdclass);
+
+	if ((rctx.retryopts & DNS_FETCHOPT_TCP) == 0) {
+		if ((rctx.retryopts & DNS_FETCHOPT_NOEDNS0) == 0) {
+			dns_adb_setudpsize(
+				fctx->adb, query->addrinfo,
+				isc_buffer_usedlength(&devent->buffer));
+		} else {
+			dns_adb_plainresponse(fctx->adb, query->addrinfo);
+		}
+	}
+
+	/*
+	 * Parse response message.
+	 */
+	result = rctx_parse(&rctx);
+	if (result == ISC_R_COMPLETE) {
+		return;
+	}
+
+	/*
+	 * Log the incoming packet.
+	 */
+	rctx_logpacket(&rctx);
+
+	if (query->rmessage->rdclass != fctx->res->rdclass) {
+		rctx.resend = true;
+		FCTXTRACE("bad class");
+		rctx_done(&rctx, result);
+		return;
+	}
+
+	/*
+	 * Process receive opt record.
+	 */
+	rctx.opt = dns_message_getopt(query->rmessage);
+	if (rctx.opt != NULL) {
+		rctx_opt(&rctx);
+	}
+
+	if (query->rmessage->cc_bad && (rctx.retryopts & DNS_FETCHOPT_TCP) == 0)
+	{
+		/*
+		 * If the COOKIE is bad, assume it is an attack and
+		 * keep listening for a good answer.
+		 */
+		rctx.nextitem = true;
+		if (isc_log_wouldlog(dns_lctx, ISC_LOG_INFO)) {
+			char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+			isc_sockaddr_format(&query->addrinfo->sockaddr, addrbuf,
+					    sizeof(addrbuf));
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+				      DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
+				      "bad cookie from %s", addrbuf);
+		}
+		rctx_done(&rctx, result);
+		return;
+	}
+
+	/*
+	 * Is the question the same as the one we asked?
+	 * NOERROR/NXDOMAIN/YXDOMAIN/REFUSED/SERVFAIL/BADCOOKIE must have
+	 * the same question.
+	 * FORMERR/NOTIMP if they have a question section then it must match.
+	 */
+	switch (query->rmessage->rcode) {
+	case dns_rcode_notimp:
+	case dns_rcode_formerr:
+		if (query->rmessage->counts[DNS_SECTION_QUESTION] == 0) {
+			break;
+		}
+		FALLTHROUGH;
+	case dns_rcode_nxrrset: /* Not expected. */
+	case dns_rcode_badcookie:
+	case dns_rcode_noerror:
+	case dns_rcode_nxdomain:
+	case dns_rcode_yxdomain:
+	case dns_rcode_refused:
+	case dns_rcode_servfail:
+	default:
+		result = same_question(fctx, query->rmessage);
+		if (result != ISC_R_SUCCESS) {
+			FCTXTRACE3("response did not match question", result);
+			rctx.nextitem = true;
+			rctx_done(&rctx, result);
+			return;
+		}
+		break;
+	}
+
+	/*
+	 * If the message is signed, check the signature.  If not, this
+	 * returns success anyway.
+	 */
+	result = dns_message_checksig(query->rmessage, fctx->res->view);
+	if (result != ISC_R_SUCCESS) {
+		FCTXTRACE3("signature check failed", result);
+		if (result == DNS_R_UNEXPECTEDTSIG ||
+		    result == DNS_R_EXPECTEDTSIG)
+		{
+			rctx.nextitem = true;
+		}
+		rctx_done(&rctx, result);
+		return;
+	}
+
+	/*
+	 * The dispatcher should ensure we only get responses with QR set.
+	 */
+	INSIST((query->rmessage->flags & DNS_MESSAGEFLAG_QR) != 0);
+	/*
+	 * INSIST() that the message comes from the place we sent it to,
+	 * since the dispatch code should ensure this.
+	 *
+	 * INSIST() that the message id is correct (this should also be
+	 * ensured by the dispatch code).
+	 */
+
+	/*
+	 * If we have had a server cookie and don't get one retry over TCP.
+	 * This may be a misconfigured anycast server or an attempt to send
+	 * a spoofed response.  Skip if we have a valid tsig.
+	 */
+	if (dns_message_gettsig(query->rmessage, NULL) == NULL &&
+	    !query->rmessage->cc_ok && !query->rmessage->cc_bad &&
+	    (rctx.retryopts & DNS_FETCHOPT_TCP) == 0)
+	{
+		unsigned char cookie[COOKIE_BUFFER_SIZE];
+		if (dns_adb_getcookie(fctx->adb, query->addrinfo, cookie,
+				      sizeof(cookie)) > CLIENT_COOKIE_SIZE)
+		{
+			if (isc_log_wouldlog(dns_lctx, ISC_LOG_INFO)) {
+				char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+				isc_sockaddr_format(&query->addrinfo->sockaddr,
+						    addrbuf, sizeof(addrbuf));
+				isc_log_write(
+					dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+					DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
+					"missing expected cookie from %s",
+					addrbuf);
+			}
+			rctx.retryopts |= DNS_FETCHOPT_TCP;
+			rctx.resend = true;
+			rctx_done(&rctx, result);
+			return;
+		}
+		/*
+		 * XXXMPA When support for DNS COOKIE becomes ubiquitous, fall
+		 * back to TCP for all non-COOKIE responses.
+		 */
+	}
+
+	rctx_edns(&rctx);
+
+	/*
+	 * Deal with truncated responses by retrying using TCP.
+	 */
+	if ((query->rmessage->flags & DNS_MESSAGEFLAG_TC) != 0) {
+		rctx.truncated = true;
+	}
+
+	if (rctx.truncated) {
+		inc_stats(fctx->res, dns_resstatscounter_truncated);
+		if ((rctx.retryopts & DNS_FETCHOPT_TCP) != 0) {
+			rctx.broken_server = DNS_R_TRUNCATEDTCP;
+			rctx.next_server = true;
+		} else {
+			rctx.retryopts |= DNS_FETCHOPT_TCP;
+			rctx.resend = true;
+		}
+		FCTXTRACE3("message truncated", result);
+		rctx_done(&rctx, result);
+		return;
+	}
+
+	/*
+	 * Is it a query response?
+	 */
+	if (query->rmessage->opcode != dns_opcode_query) {
+		rctx.broken_server = DNS_R_UNEXPECTEDOPCODE;
+		rctx.next_server = true;
+		FCTXTRACE("invalid message opcode");
+		rctx_done(&rctx, result);
+		return;
+	}
+
+	/*
+	 * Update statistics about erroneous responses.
+	 */
+	switch (query->rmessage->rcode) {
+	case dns_rcode_noerror:
+		/* no error */
+		break;
+	case dns_rcode_nxdomain:
+		inc_stats(fctx->res, dns_resstatscounter_nxdomain);
+		break;
+	case dns_rcode_servfail:
+		inc_stats(fctx->res, dns_resstatscounter_servfail);
+		break;
+	case dns_rcode_formerr:
+		inc_stats(fctx->res, dns_resstatscounter_formerr);
+		break;
+	case dns_rcode_refused:
+		inc_stats(fctx->res, dns_resstatscounter_refused);
+		break;
+	case dns_rcode_badvers:
+		inc_stats(fctx->res, dns_resstatscounter_badvers);
+		break;
+	case dns_rcode_badcookie:
+		inc_stats(fctx->res, dns_resstatscounter_badcookie);
+		break;
+	default:
+		inc_stats(fctx->res, dns_resstatscounter_othererror);
+		break;
+	}
+
+	/*
+	 * Bad server?
+	 */
+	result = rctx_badserver(&rctx, result);
+	if (result == ISC_R_COMPLETE) {
+		return;
+	}
+
+	/*
+	 * Lame server?
+	 */
+	result = rctx_lameserver(&rctx);
+	if (result == ISC_R_COMPLETE) {
+		return;
+	}
+
+	/*
+	 * Handle delegation-only zones like NET or COM.
+	 */
+	rctx_delonly_zone(&rctx);
+
+	/*
+	 * Optionally call dns_rdata_checkowner() and dns_rdata_checknames()
+	 * to validate the names in the response message.
+	 */
+	if ((fctx->res->options & DNS_RESOLVER_CHECKNAMES) != 0) {
+		checknames(query->rmessage);
+	}
+
+	/*
+	 * Clear cache bits.
+	 */
+	FCTX_ATTR_CLR(fctx, (FCTX_ATTR_WANTNCACHE | FCTX_ATTR_WANTCACHE));
+
+	/*
+	 * Did we get any answers?
+	 */
+	if (query->rmessage->counts[DNS_SECTION_ANSWER] > 0 &&
+	    (query->rmessage->rcode == dns_rcode_noerror ||
+	     query->rmessage->rcode == dns_rcode_yxdomain ||
+	     query->rmessage->rcode == dns_rcode_nxdomain))
+	{
+		result = rctx_answer(&rctx);
+		if (result == ISC_R_COMPLETE) {
+			return;
+		}
+	} else if (query->rmessage->counts[DNS_SECTION_AUTHORITY] > 0 ||
+		   query->rmessage->rcode == dns_rcode_noerror ||
+		   query->rmessage->rcode == dns_rcode_nxdomain)
+	{
+		/*
+		 * This might be an NXDOMAIN, NXRRSET, or referral.
+		 * Call rctx_answer_none() to determine which it is.
+		 */
+		result = rctx_answer_none(&rctx);
+		switch (result) {
+		case ISC_R_SUCCESS:
+		case DNS_R_CHASEDSSERVERS:
+			break;
+		case DNS_R_DELEGATION:
+			/* With NOFOLLOW we want to pass the result code */
+			if ((fctx->options & DNS_FETCHOPT_NOFOLLOW) == 0) {
+				result = ISC_R_SUCCESS;
+			}
+			break;
+		default:
+			/*
+			 * Something has gone wrong.
+			 */
+			if (result == DNS_R_FORMERR) {
+				rctx.next_server = true;
+			}
+			FCTXTRACE3("rctx_answer_none", result);
+			rctx_done(&rctx, result);
+			return;
+		}
+	} else {
+		/*
+		 * The server is insane.
+		 */
+		/* XXXRTH Log */
+		rctx.broken_server = DNS_R_UNEXPECTEDRCODE;
+		rctx.next_server = true;
+		FCTXTRACE("broken server: unexpected rcode");
+		rctx_done(&rctx, result);
+		return;
+	}
+
+	/*
+	 * Follow additional section data chains.
+	 */
+	rctx_additional(&rctx);
+
+	/*
+	 * Cache the cacheable parts of the message.  This may also cause
+	 * work to be queued to the DNSSEC validator.
+	 */
+	if (WANTCACHE(fctx)) {
+		isc_result_t tresult;
+		tresult = cache_message(fctx, query->rmessage, query->addrinfo,
+					rctx.now);
+		if (tresult != ISC_R_SUCCESS) {
+			FCTXTRACE3("cache_message complete", tresult);
+			rctx_done(&rctx, tresult);
+			return;
+		}
+	}
+
+	/*
+	 * Negative caching
+	 */
+	rctx_ncache(&rctx);
+
+	rctx_done(&rctx, result);
+}
+
+/*
+ * rctx_respinit():
+ * Initialize the response context structure 'rctx' to all zeroes, then set
+ * the task, event, query and fctx information from resquery_response().
+ */
+static void
+rctx_respinit(isc_task_t *task, dns_dispatchevent_t *devent, resquery_t *query,
+	      fetchctx_t *fctx, respctx_t *rctx) {
+	memset(rctx, 0, sizeof(*rctx));
+
+	rctx->task = task;
+	rctx->devent = devent;
+	rctx->query = query;
+	rctx->fctx = fctx;
+	rctx->broken_type = badns_response;
+	rctx->retryopts = query->options;
+
+	/*
+	 * XXXRTH  We should really get the current time just once.  We
+	 *		need a routine to convert from an isc_time_t to an
+	 *		isc_stdtime_t.
+	 */
+	TIME_NOW(&rctx->tnow);
+	rctx->finish = &rctx->tnow;
+	isc_stdtime_get(&rctx->now);
+}
+
+/*
+ * rctx_answer_init():
+ * Clear and reinitialize those portions of 'rctx' that will be needed
+ * when scanning the answer section of the response message. This can be
+ * called more than once if scanning needs to be restarted (though currently
+ * there are no cases in which this occurs).
+ */
+static void
+rctx_answer_init(respctx_t *rctx) {
+	fetchctx_t *fctx = rctx->fctx;
+
+	rctx->aa = ((rctx->query->rmessage->flags & DNS_MESSAGEFLAG_AA) != 0);
+	if (rctx->aa) {
+		rctx->trust = dns_trust_authanswer;
+	} else {
+		rctx->trust = dns_trust_answer;
+	}
+
+	/*
+	 * There can be multiple RRSIG and SIG records at a name so
+	 * we treat these types as a subset of ANY.
+	 */
+	rctx->type = fctx->type;
+	if (rctx->type == dns_rdatatype_rrsig ||
+	    rctx->type == dns_rdatatype_sig)
+	{
+		rctx->type = dns_rdatatype_any;
+	}
+
+	/*
+	 * Bigger than any valid DNAME label count.
+	 */
+	rctx->dname_labels = dns_name_countlabels(&fctx->name);
+	rctx->domain_labels = dns_name_countlabels(&fctx->domain);
+
+	rctx->found_type = dns_rdatatype_none;
+
+	rctx->aname = NULL;
+	rctx->ardataset = NULL;
+
+	rctx->cname = NULL;
+	rctx->crdataset = NULL;
+
+	rctx->dname = NULL;
+	rctx->drdataset = NULL;
+
+	rctx->ns_name = NULL;
+	rctx->ns_rdataset = NULL;
+
+	rctx->soa_name = NULL;
+	rctx->ds_name = NULL;
+	rctx->found_name = NULL;
+}
+
+/*
+ * rctx_dispfail():
+ * Handle the case where the dispatcher failed
+ */
+static isc_result_t
+rctx_dispfail(respctx_t *rctx) {
+	dns_dispatchevent_t *devent = rctx->devent;
+	fetchctx_t *fctx = rctx->fctx;
+	resquery_t *query = rctx->query;
+
+	if (devent->result == ISC_R_SUCCESS) {
+		return (ISC_R_SUCCESS);
+	}
+
+	if (devent->result == ISC_R_EOF &&
+	    (rctx->retryopts & DNS_FETCHOPT_NOEDNS0) == 0)
+	{
+		/*
+		 * The problem might be that they don't understand EDNS0.
+		 * Turn it off and try again.
+		 */
+		rctx->retryopts |= DNS_FETCHOPT_NOEDNS0;
+		rctx->resend = true;
+		add_bad_edns(fctx, &query->addrinfo->sockaddr);
+	} else {
+		/*
+		 * There's no hope for this response.
+		 */
+		rctx->next_server = true;
+
+		/*
+		 * If this is a network error on an exclusive query
+		 * socket, mark the server as bad so that we won't try
+		 * it for this fetch again.  Also adjust finish and
+		 * no_response so that we penalize this address in SRTT
+		 * adjustment later.
+		 */
+		if (query->exclusivesocket &&
+		    (devent->result == ISC_R_HOSTUNREACH ||
+		     devent->result == ISC_R_NETUNREACH ||
+		     devent->result == ISC_R_CONNREFUSED ||
+		     devent->result == ISC_R_CANCELED))
+		{
+			rctx->broken_server = devent->result;
+			rctx->broken_type = badns_unreachable;
+			rctx->finish = NULL;
+			rctx->no_response = true;
+		}
+	}
+	FCTXTRACE3("dispatcher failure", devent->result);
+	rctx_done(rctx, ISC_R_SUCCESS);
+	return (ISC_R_COMPLETE);
+}
+
+/*
+ * rctx_parse():
+ * Parse the response message.
+ */
+static isc_result_t
+rctx_parse(respctx_t *rctx) {
+	isc_result_t result;
+	fetchctx_t *fctx = rctx->fctx;
+	resquery_t *query = rctx->query;
+
+	result = dns_message_parse(query->rmessage, &rctx->devent->buffer, 0);
+	if (result == ISC_R_SUCCESS) {
+		return (ISC_R_SUCCESS);
+	}
+
+	FCTXTRACE3("message failed to parse", result);
+
+	switch (result) {
+	case ISC_R_UNEXPECTEDEND:
+		if (query->rmessage->question_ok &&
+		    (query->rmessage->flags & DNS_MESSAGEFLAG_TC) != 0 &&
+		    (rctx->retryopts & DNS_FETCHOPT_TCP) == 0)
+		{
+			/*
+			 * We defer retrying via TCP for a bit so we can
+			 * check out this message further.
+			 */
+			rctx->truncated = true;
+			return (ISC_R_SUCCESS);
+		}
+
+		/*
+		 * Either the message ended prematurely,
+		 * and/or wasn't marked as being truncated,
+		 * and/or this is a response to a query we
+		 * sent over TCP.  In all of these cases,
+		 * something is wrong with the remote
+		 * server and we don't want to retry using
+		 * TCP.
+		 */
+		if ((rctx->retryopts & DNS_FETCHOPT_NOEDNS0) == 0) {
+			/*
+			 * The problem might be that they
+			 * don't understand EDNS0.  Turn it
+			 * off and try again.
+			 */
+			rctx->retryopts |= DNS_FETCHOPT_NOEDNS0;
+			rctx->resend = true;
+			add_bad_edns(fctx, &query->addrinfo->sockaddr);
+			inc_stats(fctx->res, dns_resstatscounter_edns0fail);
+		} else {
+			rctx->broken_server = result;
+			rctx->next_server = true;
+		}
+
+		rctx_done(rctx, result);
+		break;
+	case DNS_R_FORMERR:
+		if ((rctx->retryopts & DNS_FETCHOPT_NOEDNS0) == 0) {
+			/*
+			 * The problem might be that they
+			 * don't understand EDNS0.  Turn it
+			 * off and try again.
+			 */
+			rctx->retryopts |= DNS_FETCHOPT_NOEDNS0;
+			rctx->resend = true;
+			add_bad_edns(fctx, &query->addrinfo->sockaddr);
+			inc_stats(fctx->res, dns_resstatscounter_edns0fail);
+		} else {
+			rctx->broken_server = DNS_R_UNEXPECTEDRCODE;
+			rctx->next_server = true;
+		}
+
+		rctx_done(rctx, result);
+		break;
+	default:
+		/*
+		 * Something bad has happened.
+		 */
+		rctx_done(rctx, result);
+		break;
+	}
+
+	return (ISC_R_COMPLETE);
+}
+
+/*
+ * rctx_opt():
+ * Process the OPT record in the response.
+ */
+static void
+rctx_opt(respctx_t *rctx) {
+	resquery_t *query = rctx->query;
+	fetchctx_t *fctx = rctx->fctx;
+	dns_rdata_t rdata;
+	isc_buffer_t optbuf;
+	isc_result_t result;
+	uint16_t optcode;
+	uint16_t optlen;
+	unsigned char *optvalue;
+	dns_adbaddrinfo_t *addrinfo;
+	unsigned char cookie[CLIENT_COOKIE_SIZE];
+	bool seen_cookie = false;
+	bool seen_nsid = false;
+
+	result = dns_rdataset_first(rctx->opt);
+	if (result == ISC_R_SUCCESS) {
+		dns_rdata_init(&rdata);
+		dns_rdataset_current(rctx->opt, &rdata);
+		isc_buffer_init(&optbuf, rdata.data, rdata.length);
+		isc_buffer_add(&optbuf, rdata.length);
+		while (isc_buffer_remaininglength(&optbuf) >= 4) {
+			optcode = isc_buffer_getuint16(&optbuf);
+			optlen = isc_buffer_getuint16(&optbuf);
+			INSIST(optlen <= isc_buffer_remaininglength(&optbuf));
+			switch (optcode) {
+			case DNS_OPT_NSID:
+				if (!seen_nsid && (query->options &
+						   DNS_FETCHOPT_WANTNSID) != 0)
+				{
+					log_nsid(&optbuf, optlen, query,
+						 ISC_LOG_INFO, fctx->res->mctx);
+				}
+				isc_buffer_forward(&optbuf, optlen);
+				seen_nsid = true;
+				break;
+			case DNS_OPT_COOKIE:
+				/*
+				 * Only process the first cookie option.
+				 */
+				if (seen_cookie) {
+					isc_buffer_forward(&optbuf, optlen);
+					break;
+				}
+				optvalue = isc_buffer_current(&optbuf);
+				compute_cc(query, cookie, sizeof(cookie));
+				INSIST(query->rmessage->cc_bad == 0 &&
+				       query->rmessage->cc_ok == 0);
+				if (optlen >= CLIENT_COOKIE_SIZE &&
+				    memcmp(cookie, optvalue,
+					   CLIENT_COOKIE_SIZE) == 0)
+				{
+					query->rmessage->cc_ok = 1;
+					inc_stats(fctx->res,
+						  dns_resstatscounter_cookieok);
+					addrinfo = query->addrinfo;
+					dns_adb_setcookie(fctx->adb, addrinfo,
+							  optvalue, optlen);
+				} else {
+					query->rmessage->cc_bad = 1;
+				}
+				isc_buffer_forward(&optbuf, optlen);
+				inc_stats(fctx->res,
+					  dns_resstatscounter_cookiein);
+				seen_cookie = true;
+				break;
+			default:
+				isc_buffer_forward(&optbuf, optlen);
+				break;
+			}
+		}
+		INSIST(isc_buffer_remaininglength(&optbuf) == 0U);
+	}
+}
+
+/*
+ * rctx_edns():
+ * Determine whether the remote server is using EDNS correctly or
+ * incorrectly and record that information if needed.
+ */
+static void
+rctx_edns(respctx_t *rctx) {
+	resquery_t *query = rctx->query;
+	fetchctx_t *fctx = rctx->fctx;
+
+	/*
+	 * We have an affirmative response to the query and we have
+	 * previously got a response from this server which indicated
+	 * EDNS may not be supported so we can now cache the lack of
+	 * EDNS support.
+	 */
+	if (rctx->opt == NULL && !EDNSOK(query->addrinfo) &&
+	    (query->rmessage->rcode == dns_rcode_noerror ||
+	     query->rmessage->rcode == dns_rcode_nxdomain ||
+	     query->rmessage->rcode == dns_rcode_refused ||
+	     query->rmessage->rcode == dns_rcode_yxdomain) &&
+	    bad_edns(fctx, &query->addrinfo->sockaddr))
+	{
+		dns_message_logpacket(
+			query->rmessage, "received packet (bad edns) from",
+			&query->addrinfo->sockaddr, DNS_LOGCATEGORY_RESOLVER,
+			DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
+			fctx->res->mctx);
+		dns_adb_changeflags(fctx->adb, query->addrinfo,
+				    DNS_FETCHOPT_NOEDNS0, DNS_FETCHOPT_NOEDNS0);
+	} else if (rctx->opt == NULL &&
+		   (query->rmessage->flags & DNS_MESSAGEFLAG_TC) == 0 &&
+		   !EDNSOK(query->addrinfo) &&
+		   (query->rmessage->rcode == dns_rcode_noerror ||
+		    query->rmessage->rcode == dns_rcode_nxdomain) &&
+		   (rctx->retryopts & DNS_FETCHOPT_NOEDNS0) == 0)
+	{
+		/*
+		 * We didn't get a OPT record in response to a EDNS query.
+		 *
+		 * Old versions of named incorrectly drop the OPT record
+		 * when there is a signed, truncated response so we check
+		 * that TC is not set.
+		 *
+		 * Record that the server is not talking EDNS.  While this
+		 * should be safe to do for any rcode we limit it to NOERROR
+		 * and NXDOMAIN.
+		 */
+		dns_message_logpacket(
+			query->rmessage, "received packet (no opt) from",
+			&query->addrinfo->sockaddr, DNS_LOGCATEGORY_RESOLVER,
+			DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
+			fctx->res->mctx);
+		dns_adb_changeflags(fctx->adb, query->addrinfo,
+				    DNS_FETCHOPT_NOEDNS0, DNS_FETCHOPT_NOEDNS0);
+	}
+
+	/*
+	 * If we get a non error EDNS response record the fact so we
+	 * won't fallback to plain DNS in the future for this server.
+	 */
+	if (rctx->opt != NULL && !EDNSOK(query->addrinfo) &&
+	    (rctx->retryopts & DNS_FETCHOPT_NOEDNS0) == 0 &&
+	    (query->rmessage->rcode == dns_rcode_noerror ||
+	     query->rmessage->rcode == dns_rcode_nxdomain ||
+	     query->rmessage->rcode == dns_rcode_refused ||
+	     query->rmessage->rcode == dns_rcode_yxdomain))
+	{
+		dns_adb_changeflags(fctx->adb, query->addrinfo,
+				    FCTX_ADDRINFO_EDNSOK, FCTX_ADDRINFO_EDNSOK);
+	}
+}
+
+/*
+ * rctx_answer():
+ * We might have answers, or we might have a malformed delegation with
+ * records in the answer section. Call rctx_answer_positive() or
+ * rctx_answer_none() as appropriate.
+ */
+static isc_result_t
+rctx_answer(respctx_t *rctx) {
+	isc_result_t result;
+	fetchctx_t *fctx = rctx->fctx;
+	resquery_t *query = rctx->query;
+
+	if ((query->rmessage->flags & DNS_MESSAGEFLAG_AA) != 0 ||
+	    ISFORWARDER(query->addrinfo))
+	{
+		result = rctx_answer_positive(rctx);
+		if (result != ISC_R_SUCCESS) {
+			FCTXTRACE3("rctx_answer_positive (AA/fwd)", result);
+		}
+	} else if (iscname(query->rmessage, &fctx->name) &&
+		   fctx->type != dns_rdatatype_any &&
+		   fctx->type != dns_rdatatype_cname)
+	{
+		/*
+		 * A BIND8 server could return a non-authoritative
+		 * answer when a CNAME is followed.  We should treat
+		 * it as a valid answer.
+		 */
+		result = rctx_answer_positive(rctx);
+		if (result != ISC_R_SUCCESS) {
+			FCTXTRACE3("rctx_answer_positive (!ANY/!CNAME)",
+				   result);
+		}
+	} else if (fctx->type != dns_rdatatype_ns && !betterreferral(rctx)) {
+		result = rctx_answer_positive(rctx);
+		if (result != ISC_R_SUCCESS) {
+			FCTXTRACE3("rctx_answer_positive (!NS)", result);
+		}
+	} else {
+		/*
+		 * This may be a delegation. First let's check for
+		 */
+
+		if (fctx->type == dns_rdatatype_ns) {
+			/*
+			 * A BIND 8 server could incorrectly return a
+			 * non-authoritative answer to an NS query
+			 * instead of a referral. Since this answer
+			 * lacks the SIGs necessary to do DNSSEC
+			 * validation, we must invoke the following
+			 * special kludge to treat it as a referral.
+			 */
+			rctx->ns_in_answer = true;
+			result = rctx_answer_none(rctx);
+			if (result != ISC_R_SUCCESS) {
+				FCTXTRACE3("rctx_answer_none (NS)", result);
+			}
+		} else {
+			/*
+			 * Some other servers may still somehow include
+			 * an answer when it should return a referral
+			 * with an empty answer.  Check to see if we can
+			 * treat this as a referral by ignoring the
+			 * answer.  Further more, there may be an
+			 * implementation that moves A/AAAA glue records
+			 * to the answer section for that type of
+			 * delegation when the query is for that glue
+			 * record. glue_in_answer will handle
+			 * such a corner case.
+			 */
+			rctx->glue_in_answer = true;
+			result = rctx_answer_none(rctx);
+			if (result != ISC_R_SUCCESS) {
+				FCTXTRACE3("rctx_answer_none", result);
+			}
+		}
+
+		if (result == DNS_R_DELEGATION) {
+			result = ISC_R_SUCCESS;
+		} else {
+			/*
+			 * At this point, AA is not set, the response
+			 * is not a referral, and the server is not a
+			 * forwarder.  It is technically lame and it's
+			 * easier to treat it as such than to figure out
+			 * some more elaborate course of action.
+			 */
+			rctx->broken_server = DNS_R_LAME;
+			rctx->next_server = true;
+			rctx_done(rctx, result);
+			return (ISC_R_COMPLETE);
+		}
+	}
+
+	if (result != ISC_R_SUCCESS) {
+		if (result == DNS_R_FORMERR) {
+			rctx->next_server = true;
+		}
+		rctx_done(rctx, result);
+		return (ISC_R_COMPLETE);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * rctx_answer_positive():
+ * Handles positive responses. Depending which type of answer this is
+ * (matching QNAME/QTYPE, CNAME, DNAME, ANY) calls the proper routine
+ * to handle it (rctx_answer_match(), rctx_answer_cname(),
+ * rctx_answer_dname(), rctx_answer_any()).
+ */
+static isc_result_t
+rctx_answer_positive(respctx_t *rctx) {
+	isc_result_t result;
+	fetchctx_t *fctx = rctx->fctx;
+
+	FCTXTRACE("rctx_answer");
+
+	rctx_answer_init(rctx);
+	rctx_answer_scan(rctx);
+
+	/*
+	 * Determine which type of positive answer this is:
+	 * type ANY, CNAME, DNAME, or an answer matching QNAME/QTYPE.
+	 * Call the appropriate routine to handle the answer type.
+	 */
+	if (rctx->aname != NULL && rctx->type == dns_rdatatype_any) {
+		result = rctx_answer_any(rctx);
+		if (result == ISC_R_COMPLETE) {
+			return (rctx->result);
+		}
+	} else if (rctx->aname != NULL) {
+		result = rctx_answer_match(rctx);
+		if (result == ISC_R_COMPLETE) {
+			return (rctx->result);
+		}
+	} else if (rctx->cname != NULL) {
+		result = rctx_answer_cname(rctx);
+		if (result == ISC_R_COMPLETE) {
+			return (rctx->result);
+		}
+	} else if (rctx->dname != NULL) {
+		result = rctx_answer_dname(rctx);
+		if (result == ISC_R_COMPLETE) {
+			return (rctx->result);
+		}
+	} else {
+		log_formerr(fctx, "reply has no answer");
+		return (DNS_R_FORMERR);
+	}
+
+	/*
+	 * This response is now potentially cacheable.
+	 */
+	FCTX_ATTR_SET(fctx, FCTX_ATTR_WANTCACHE);
+
+	/*
+	 * Did chaining end before we got the final answer?
+	 */
+	if (rctx->chaining) {
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * We didn't end with an incomplete chain, so the rcode should be
+	 * "no error".
+	 */
+	if (rctx->query->rmessage->rcode != dns_rcode_noerror) {
+		log_formerr(fctx, "CNAME/DNAME chain complete, but RCODE "
+				  "indicates error");
+		return (DNS_R_FORMERR);
+	}
+
+	/*
+	 * Cache records in the authority section, if
+	 * there are any suitable for caching.
+	 */
+	rctx_authority_positive(rctx);
+
+	log_ns_ttl(fctx, "rctx_answer");
+
+	if (rctx->ns_rdataset != NULL &&
+	    dns_name_equal(&fctx->domain, rctx->ns_name) &&
+	    !dns_name_equal(rctx->ns_name, dns_rootname))
+	{
+		trim_ns_ttl(fctx, rctx->ns_name, rctx->ns_rdataset);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * rctx_answer_scan():
+ * Perform a single pass over the answer section of a response, looking
+ * for an answer that matches QNAME/QTYPE, or a CNAME matching QNAME, or a
+ * covering DNAME. If more than one rdataset is found matching these
+ * criteria, then only one is kept. Order of preference is 1) the
+ * shortest DNAME, 2) the first matching answer, or 3) the first CNAME.
+ */
+static void
+rctx_answer_scan(respctx_t *rctx) {
+	isc_result_t result;
+	fetchctx_t *fctx = rctx->fctx;
+	dns_rdataset_t *rdataset = NULL;
+
+	for (result = dns_message_firstname(rctx->query->rmessage,
+					    DNS_SECTION_ANSWER);
+	     result == ISC_R_SUCCESS;
+	     result = dns_message_nextname(rctx->query->rmessage,
+					   DNS_SECTION_ANSWER))
+	{
+		int order;
+		unsigned int nlabels;
+		dns_namereln_t namereln;
+		dns_name_t *name = NULL;
+
+		dns_message_currentname(rctx->query->rmessage,
+					DNS_SECTION_ANSWER, &name);
+		namereln = dns_name_fullcompare(&fctx->name, name, &order,
+						&nlabels);
+		switch (namereln) {
+		case dns_namereln_equal:
+			for (rdataset = ISC_LIST_HEAD(name->list);
+			     rdataset != NULL;
+			     rdataset = ISC_LIST_NEXT(rdataset, link))
+			{
+				if (rdataset->type == rctx->type ||
+				    rctx->type == dns_rdatatype_any)
+				{
+					rctx->aname = name;
+					if (rctx->type != dns_rdatatype_any) {
+						rctx->ardataset = rdataset;
+					}
+					break;
+				}
+				if (rdataset->type == dns_rdatatype_cname) {
+					rctx->cname = name;
+					rctx->crdataset = rdataset;
+					break;
+				}
+			}
+			break;
+
+		case dns_namereln_subdomain:
+			/*
+			 * Don't accept DNAME from parent namespace.
+			 */
+			if (name_external(name, dns_rdatatype_dname, fctx)) {
+				continue;
+			}
+
+			/*
+			 * In-scope DNAME records must have at least
+			 * as many labels as the domain being queried.
+			 * They also must be less that qname's labels
+			 * and any previously found dname.
+			 */
+			if (nlabels >= rctx->dname_labels ||
+			    nlabels < rctx->domain_labels)
+			{
+				continue;
+			}
+
+			/*
+			 * We are looking for the shortest DNAME if there
+			 * are multiple ones (which there shouldn't be).
+			 */
+			for (rdataset = ISC_LIST_HEAD(name->list);
+			     rdataset != NULL;
+			     rdataset = ISC_LIST_NEXT(rdataset, link))
+			{
+				if (rdataset->type != dns_rdatatype_dname) {
+					continue;
+				}
+				rctx->dname = name;
+				rctx->drdataset = rdataset;
+				rctx->dname_labels = nlabels;
+				break;
+			}
+			break;
+		default:
+			break;
+		}
+	}
+
+	/*
+	 * If a DNAME was found, then any CNAME or other answer matching
+	 * QNAME that may also have been found must be ignored.  Similarly,
+	 * if a matching answer was found along with a CNAME, the CNAME
+	 * must be ignored.
+	 */
+	if (rctx->dname != NULL) {
+		rctx->aname = NULL;
+		rctx->ardataset = NULL;
+		rctx->cname = NULL;
+		rctx->crdataset = NULL;
+	} else if (rctx->aname != NULL) {
+		rctx->cname = NULL;
+		rctx->crdataset = NULL;
+	}
+}
+
+/*
+ * rctx_answer_any():
+ * Handle responses to queries of type ANY. Scan the answer section,
+ * and as long as each RRset is of a type that is valid in the answer
+ * section, and the rdata isn't filtered, cache it.
+ */
+static isc_result_t
+rctx_answer_any(respctx_t *rctx) {
+	dns_rdataset_t *rdataset = NULL;
+	fetchctx_t *fctx = rctx->fctx;
+
+	for (rdataset = ISC_LIST_HEAD(rctx->aname->list); rdataset != NULL;
+	     rdataset = ISC_LIST_NEXT(rdataset, link))
+	{
+		if (!validinanswer(rdataset, fctx)) {
+			rctx->result = DNS_R_FORMERR;
+			return (ISC_R_COMPLETE);
+		}
+
+		if ((fctx->type == dns_rdatatype_sig ||
+		     fctx->type == dns_rdatatype_rrsig) &&
+		    rdataset->type != fctx->type)
+		{
+			continue;
+		}
+
+		if ((rdataset->type == dns_rdatatype_a ||
+		     rdataset->type == dns_rdatatype_aaaa) &&
+		    !is_answeraddress_allowed(fctx->res->view, rctx->aname,
+					      rdataset))
+		{
+			rctx->result = DNS_R_SERVFAIL;
+			return (ISC_R_COMPLETE);
+		}
+
+		if ((rdataset->type == dns_rdatatype_cname ||
+		     rdataset->type == dns_rdatatype_dname) &&
+		    !is_answertarget_allowed(fctx, &fctx->name, rctx->aname,
+					     rdataset, NULL))
+		{
+			rctx->result = DNS_R_SERVFAIL;
+			return (ISC_R_COMPLETE);
+		}
+
+		rctx->aname->attributes |= DNS_NAMEATTR_CACHE;
+		rctx->aname->attributes |= DNS_NAMEATTR_ANSWER;
+		rdataset->attributes |= DNS_RDATASETATTR_ANSWER;
+		rdataset->attributes |= DNS_RDATASETATTR_CACHE;
+		rdataset->trust = rctx->trust;
+
+		(void)dns_rdataset_additionaldata(rdataset, check_related,
+						  rctx);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * rctx_answer_match():
+ * Handle responses that match the QNAME/QTYPE of the resolver query.
+ * If QTYPE is valid in the answer section and the rdata isn't filtered,
+ * the answer can be cached. If there is additional section data related
+ * to the answer, it can be cached as well.
+ */
+static isc_result_t
+rctx_answer_match(respctx_t *rctx) {
+	dns_rdataset_t *sigrdataset = NULL;
+	fetchctx_t *fctx = rctx->fctx;
+
+	if (!validinanswer(rctx->ardataset, fctx)) {
+		rctx->result = DNS_R_FORMERR;
+		return (ISC_R_COMPLETE);
+	}
+
+	if ((rctx->ardataset->type == dns_rdatatype_a ||
+	     rctx->ardataset->type == dns_rdatatype_aaaa) &&
+	    !is_answeraddress_allowed(fctx->res->view, rctx->aname,
+				      rctx->ardataset))
+	{
+		rctx->result = DNS_R_SERVFAIL;
+		return (ISC_R_COMPLETE);
+	}
+	if ((rctx->ardataset->type == dns_rdatatype_cname ||
+	     rctx->ardataset->type == dns_rdatatype_dname) &&
+	    rctx->type != rctx->ardataset->type &&
+	    rctx->type != dns_rdatatype_any &&
+	    !is_answertarget_allowed(fctx, &fctx->name, rctx->aname,
+				     rctx->ardataset, NULL))
+	{
+		rctx->result = DNS_R_SERVFAIL;
+		return (ISC_R_COMPLETE);
+	}
+
+	rctx->aname->attributes |= DNS_NAMEATTR_CACHE;
+	rctx->aname->attributes |= DNS_NAMEATTR_ANSWER;
+	rctx->ardataset->attributes |= DNS_RDATASETATTR_ANSWER;
+	rctx->ardataset->attributes |= DNS_RDATASETATTR_CACHE;
+	rctx->ardataset->trust = rctx->trust;
+	(void)dns_rdataset_additionaldata(rctx->ardataset, check_related, rctx);
+
+	for (sigrdataset = ISC_LIST_HEAD(rctx->aname->list);
+	     sigrdataset != NULL;
+	     sigrdataset = ISC_LIST_NEXT(sigrdataset, link))
+	{
+		if (!validinanswer(sigrdataset, fctx)) {
+			rctx->result = DNS_R_FORMERR;
+			return (ISC_R_COMPLETE);
+		}
+
+		if (sigrdataset->type != dns_rdatatype_rrsig ||
+		    sigrdataset->covers != rctx->type)
+		{
+			continue;
+		}
+
+		sigrdataset->attributes |= DNS_RDATASETATTR_ANSWERSIG;
+		sigrdataset->attributes |= DNS_RDATASETATTR_CACHE;
+		sigrdataset->trust = rctx->trust;
+		break;
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * rctx_answer_cname():
+ * Handle answers containing a CNAME. Cache the CNAME, and flag that
+ * there may be additional chain answers to find.
+ */
+static isc_result_t
+rctx_answer_cname(respctx_t *rctx) {
+	dns_rdataset_t *sigrdataset = NULL;
+	fetchctx_t *fctx = rctx->fctx;
+
+	if (!validinanswer(rctx->crdataset, fctx)) {
+		rctx->result = DNS_R_FORMERR;
+		return (ISC_R_COMPLETE);
+	}
+
+	if (rctx->type == dns_rdatatype_rrsig ||
+	    rctx->type == dns_rdatatype_key || rctx->type == dns_rdatatype_nsec)
+	{
+		char buf[DNS_RDATATYPE_FORMATSIZE];
+		dns_rdatatype_format(rctx->type, buf, sizeof(buf));
+		log_formerr(fctx, "CNAME response for %s RR", buf);
+		rctx->result = DNS_R_FORMERR;
+		return (ISC_R_COMPLETE);
+	}
+
+	if (!is_answertarget_allowed(fctx, &fctx->name, rctx->cname,
+				     rctx->crdataset, NULL))
+	{
+		rctx->result = DNS_R_SERVFAIL;
+		return (ISC_R_COMPLETE);
+	}
+
+	rctx->cname->attributes |= DNS_NAMEATTR_CACHE;
+	rctx->cname->attributes |= DNS_NAMEATTR_ANSWER;
+	rctx->cname->attributes |= DNS_NAMEATTR_CHAINING;
+	rctx->crdataset->attributes |= DNS_RDATASETATTR_ANSWER;
+	rctx->crdataset->attributes |= DNS_RDATASETATTR_CACHE;
+	rctx->crdataset->attributes |= DNS_RDATASETATTR_CHAINING;
+	rctx->crdataset->trust = rctx->trust;
+
+	for (sigrdataset = ISC_LIST_HEAD(rctx->cname->list);
+	     sigrdataset != NULL;
+	     sigrdataset = ISC_LIST_NEXT(sigrdataset, link))
+	{
+		if (!validinanswer(sigrdataset, fctx)) {
+			rctx->result = DNS_R_FORMERR;
+			return (ISC_R_COMPLETE);
+		}
+
+		if (sigrdataset->type != dns_rdatatype_rrsig ||
+		    sigrdataset->covers != dns_rdatatype_cname)
+		{
+			continue;
+		}
+
+		sigrdataset->attributes |= DNS_RDATASETATTR_ANSWERSIG;
+		sigrdataset->attributes |= DNS_RDATASETATTR_CACHE;
+		sigrdataset->trust = rctx->trust;
+		break;
+	}
+
+	rctx->chaining = true;
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * rctx_answer_dname():
+ * Handle responses with covering DNAME records.
+ */
+static isc_result_t
+rctx_answer_dname(respctx_t *rctx) {
+	dns_rdataset_t *sigrdataset = NULL;
+	fetchctx_t *fctx = rctx->fctx;
+
+	if (!validinanswer(rctx->drdataset, fctx)) {
+		rctx->result = DNS_R_FORMERR;
+		return (ISC_R_COMPLETE);
+	}
+
+	if (!is_answertarget_allowed(fctx, &fctx->name, rctx->dname,
+				     rctx->drdataset, &rctx->chaining))
+	{
+		rctx->result = DNS_R_SERVFAIL;
+		return (ISC_R_COMPLETE);
+	}
+
+	rctx->dname->attributes |= DNS_NAMEATTR_CACHE;
+	rctx->dname->attributes |= DNS_NAMEATTR_ANSWER;
+	rctx->dname->attributes |= DNS_NAMEATTR_CHAINING;
+	rctx->drdataset->attributes |= DNS_RDATASETATTR_ANSWER;
+	rctx->drdataset->attributes |= DNS_RDATASETATTR_CACHE;
+	rctx->drdataset->attributes |= DNS_RDATASETATTR_CHAINING;
+	rctx->drdataset->trust = rctx->trust;
+
+	for (sigrdataset = ISC_LIST_HEAD(rctx->dname->list);
+	     sigrdataset != NULL;
+	     sigrdataset = ISC_LIST_NEXT(sigrdataset, link))
+	{
+		if (!validinanswer(sigrdataset, fctx)) {
+			rctx->result = DNS_R_FORMERR;
+			return (ISC_R_COMPLETE);
+		}
+
+		if (sigrdataset->type != dns_rdatatype_rrsig ||
+		    sigrdataset->covers != dns_rdatatype_dname)
+		{
+			continue;
+		}
+
+		sigrdataset->attributes |= DNS_RDATASETATTR_ANSWERSIG;
+		sigrdataset->attributes |= DNS_RDATASETATTR_CACHE;
+		sigrdataset->trust = rctx->trust;
+		break;
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * rctx_authority_positive():
+ * Examine the records in the authority section (if there are any) for a
+ * positive answer.  We expect the names for all rdatasets in this section
+ * to be subdomains of the domain being queried; any that are not are
+ * skipped.  We expect to find only *one* owner name; any names
+ * after the first one processed are ignored. We expect to find only
+ * rdatasets of type NS, RRSIG, or SIG; all others are ignored. Whatever
+ * remains can be cached at trust level authauthority or additional
+ * (depending on whether the AA bit was set on the answer).
+ */
+static void
+rctx_authority_positive(respctx_t *rctx) {
+	fetchctx_t *fctx = rctx->fctx;
+	bool done = false;
+	isc_result_t result;
+
+	result = dns_message_firstname(rctx->query->rmessage,
+				       DNS_SECTION_AUTHORITY);
+	while (!done && result == ISC_R_SUCCESS) {
+		dns_name_t *name = NULL;
+
+		dns_message_currentname(rctx->query->rmessage,
+					DNS_SECTION_AUTHORITY, &name);
+
+		if (!name_external(name, dns_rdatatype_ns, fctx)) {
+			dns_rdataset_t *rdataset = NULL;
+
+			/*
+			 * We expect to find NS or SIG NS rdatasets, and
+			 * nothing else.
+			 */
+			for (rdataset = ISC_LIST_HEAD(name->list);
+			     rdataset != NULL;
+			     rdataset = ISC_LIST_NEXT(rdataset, link))
+			{
+				if (rdataset->type == dns_rdatatype_ns ||
+				    (rdataset->type == dns_rdatatype_rrsig &&
+				     rdataset->covers == dns_rdatatype_ns))
+				{
+					name->attributes |= DNS_NAMEATTR_CACHE;
+					rdataset->attributes |=
+						DNS_RDATASETATTR_CACHE;
+
+					if (rctx->aa) {
+						rdataset->trust =
+							dns_trust_authauthority;
+					} else {
+						rdataset->trust =
+							dns_trust_additional;
+					}
+
+					if (rdataset->type == dns_rdatatype_ns)
+					{
+						rctx->ns_name = name;
+						rctx->ns_rdataset = rdataset;
+					}
+					/*
+					 * Mark any additional data related
+					 * to this rdataset.
+					 */
+					(void)dns_rdataset_additionaldata(
+						rdataset, check_related, rctx);
+					done = true;
+				}
+			}
+		}
+
+		result = dns_message_nextname(rctx->query->rmessage,
+					      DNS_SECTION_AUTHORITY);
+	}
+}
+
+/*
+ * rctx_answer_none():
+ * Handles a response without an answer: this is either a negative
+ * response (NXDOMAIN or NXRRSET) or a referral. Determine which it is,
+ * then either scan the authority section for negative caching and
+ * DNSSEC proof of nonexistence, or else call rctx_referral().
+ */
+static isc_result_t
+rctx_answer_none(respctx_t *rctx) {
+	isc_result_t result;
+	fetchctx_t *fctx = rctx->fctx;
+
+	FCTXTRACE("rctx_answer_none");
+
+	rctx_answer_init(rctx);
+
+	/*
+	 * Sometimes we can tell if its a negative response by looking at
+	 * the message header.
+	 */
+	if (rctx->query->rmessage->rcode == dns_rcode_nxdomain ||
+	    (rctx->query->rmessage->counts[DNS_SECTION_ANSWER] == 0 &&
+	     rctx->query->rmessage->counts[DNS_SECTION_AUTHORITY] == 0))
+	{
+		rctx->negative = true;
+	}
+
+	/*
+	 * Process the authority section
+	 */
+	result = rctx_authority_negative(rctx);
+	if (result == ISC_R_COMPLETE) {
+		return (rctx->result);
+	}
+
+	log_ns_ttl(fctx, "rctx_answer_none");
+
+	if (rctx->ns_rdataset != NULL &&
+	    dns_name_equal(&fctx->domain, rctx->ns_name) &&
+	    !dns_name_equal(rctx->ns_name, dns_rootname))
+	{
+		trim_ns_ttl(fctx, rctx->ns_name, rctx->ns_rdataset);
+	}
+
+	/*
+	 * A negative response has a SOA record (Type 2)
+	 * and a optional NS RRset (Type 1) or it has neither
+	 * a SOA or a NS RRset (Type 3, handled above) or
+	 * rcode is NXDOMAIN (handled above) in which case
+	 * the NS RRset is allowed (Type 4).
+	 */
+	if (rctx->soa_name != NULL) {
+		rctx->negative = true;
+	}
+
+	if (!rctx->ns_in_answer && !rctx->glue_in_answer) {
+		/*
+		 * Process DNSSEC records in the authority section.
+		 */
+		result = rctx_authority_dnssec(rctx);
+		if (result == ISC_R_COMPLETE) {
+			return (rctx->result);
+		}
+	}
+
+	/*
+	 * Trigger lookups for DNS nameservers.
+	 */
+	if (rctx->negative &&
+	    rctx->query->rmessage->rcode == dns_rcode_noerror &&
+	    fctx->type == dns_rdatatype_ds && rctx->soa_name != NULL &&
+	    dns_name_equal(rctx->soa_name, &fctx->name) &&
+	    !dns_name_equal(&fctx->name, dns_rootname))
+	{
+		return (DNS_R_CHASEDSSERVERS);
+	}
+
+	/*
+	 * Did we find anything?
+	 */
+	if (!rctx->negative && rctx->ns_name == NULL) {
+		/*
+		 * The responder is insane.
+		 */
+		if (rctx->found_name == NULL) {
+			log_formerr(fctx, "invalid response");
+			return (DNS_R_FORMERR);
+		}
+		if (!dns_name_issubdomain(rctx->found_name, &fctx->domain)) {
+			char nbuf[DNS_NAME_FORMATSIZE];
+			char dbuf[DNS_NAME_FORMATSIZE];
+			char tbuf[DNS_RDATATYPE_FORMATSIZE];
+
+			dns_rdatatype_format(rctx->found_type, tbuf,
+					     sizeof(tbuf));
+			dns_name_format(rctx->found_name, nbuf, sizeof(nbuf));
+			dns_name_format(&fctx->domain, dbuf, sizeof(dbuf));
+
+			log_formerr(fctx,
+				    "Name %s (%s) not subdomain"
+				    " of zone %s -- invalid response",
+				    nbuf, tbuf, dbuf);
+		} else {
+			log_formerr(fctx, "invalid response");
+		}
+		return (DNS_R_FORMERR);
+	}
+
+	/*
+	 * If we found both NS and SOA, they should be the same name.
+	 */
+	if (rctx->ns_name != NULL && rctx->soa_name != NULL &&
+	    rctx->ns_name != rctx->soa_name)
+	{
+		log_formerr(fctx, "NS/SOA mismatch");
+		return (DNS_R_FORMERR);
+	}
+
+	/*
+	 * Handle a referral.
+	 */
+	result = rctx_referral(rctx);
+	if (result == ISC_R_COMPLETE) {
+		return (rctx->result);
+	}
+
+	/*
+	 * Since we're not doing a referral, we don't want to cache any
+	 * NS RRs we may have found.
+	 */
+	if (rctx->ns_name != NULL) {
+		rctx->ns_name->attributes &= ~DNS_NAMEATTR_CACHE;
+	}
+
+	if (rctx->negative) {
+		FCTX_ATTR_SET(fctx, FCTX_ATTR_WANTNCACHE);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * rctx_authority_negative():
+ * Scan the authority section of a negative answer, handling
+ * NS and SOA records. (Note that this function does *not* handle
+ * DNSSEC records; those are addressed separately in
+ * rctx_authority_dnssec() below.)
+ */
+static isc_result_t
+rctx_authority_negative(respctx_t *rctx) {
+	isc_result_t result;
+	fetchctx_t *fctx = rctx->fctx;
+	dns_section_t section;
+	dns_rdataset_t *rdataset = NULL;
+	bool finished = false;
+
+	if (rctx->ns_in_answer) {
+		INSIST(fctx->type == dns_rdatatype_ns);
+		section = DNS_SECTION_ANSWER;
+	} else {
+		section = DNS_SECTION_AUTHORITY;
+	}
+
+	result = dns_message_firstname(rctx->query->rmessage, section);
+	if (result != ISC_R_SUCCESS) {
+		return (ISC_R_SUCCESS);
+	}
+
+	while (!finished) {
+		dns_name_t *name = NULL;
+
+		dns_message_currentname(rctx->query->rmessage, section, &name);
+		result = dns_message_nextname(rctx->query->rmessage, section);
+		if (result != ISC_R_SUCCESS) {
+			finished = true;
+		}
+
+		if (!dns_name_issubdomain(name, &fctx->domain)) {
+			continue;
+		}
+
+		for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link))
+		{
+			dns_rdatatype_t type = rdataset->type;
+			if (type == dns_rdatatype_rrsig) {
+				type = rdataset->covers;
+			}
+			if (((type == dns_rdatatype_ns ||
+			      type == dns_rdatatype_soa) &&
+			     !dns_name_issubdomain(&fctx->name, name)))
+			{
+				char qbuf[DNS_NAME_FORMATSIZE];
+				char nbuf[DNS_NAME_FORMATSIZE];
+				char tbuf[DNS_RDATATYPE_FORMATSIZE];
+				dns_rdatatype_format(type, tbuf, sizeof(tbuf));
+				dns_name_format(name, nbuf, sizeof(nbuf));
+				dns_name_format(&fctx->name, qbuf,
+						sizeof(qbuf));
+				log_formerr(fctx,
+					    "unrelated %s %s in "
+					    "%s authority section",
+					    tbuf, nbuf, qbuf);
+				break;
+			}
+
+			switch (type) {
+			case dns_rdatatype_ns:
+				/*
+				 * NS or RRSIG NS.
+				 *
+				 * Only one set of NS RRs is allowed.
+				 */
+				if (rdataset->type == dns_rdatatype_ns) {
+					if (rctx->ns_name != NULL &&
+					    name != rctx->ns_name)
+					{
+						log_formerr(fctx, "multiple NS "
+								  "RRsets "
+								  "in "
+								  "authority "
+								  "section");
+						rctx->result = DNS_R_FORMERR;
+						return (ISC_R_COMPLETE);
+					}
+					rctx->ns_name = name;
+					rctx->ns_rdataset = rdataset;
+				}
+				name->attributes |= DNS_NAMEATTR_CACHE;
+				rdataset->attributes |= DNS_RDATASETATTR_CACHE;
+				rdataset->trust = dns_trust_glue;
+				break;
+			case dns_rdatatype_soa:
+				/*
+				 * SOA, or RRSIG SOA.
+				 *
+				 * Only one SOA is allowed.
+				 */
+				if (rdataset->type == dns_rdatatype_soa) {
+					if (rctx->soa_name != NULL &&
+					    name != rctx->soa_name)
+					{
+						log_formerr(fctx, "multiple "
+								  "SOA RRs "
+								  "in "
+								  "authority "
+								  "section");
+						rctx->result = DNS_R_FORMERR;
+						return (ISC_R_COMPLETE);
+					}
+					rctx->soa_name = name;
+				}
+				name->attributes |= DNS_NAMEATTR_NCACHE;
+				rdataset->attributes |= DNS_RDATASETATTR_NCACHE;
+				if (rctx->aa) {
+					rdataset->trust =
+						dns_trust_authauthority;
+				} else if (ISFORWARDER(fctx->addrinfo)) {
+					rdataset->trust = dns_trust_answer;
+				} else {
+					rdataset->trust = dns_trust_additional;
+				}
+				break;
+			default:
+				continue;
+			}
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * rctx_ncache():
+ * Cache the negatively cacheable parts of the message.  This may
+ * also cause work to be queued to the DNSSEC validator.
+ */
+static void
+rctx_ncache(respctx_t *rctx) {
+	isc_result_t result;
+	dns_rdatatype_t covers;
+	fetchctx_t *fctx = rctx->fctx;
+
+	if (!WANTNCACHE(fctx)) {
+		return;
+	}
+
+	/*
+	 * Cache DS NXDOMAIN separately to other types.
+	 */
+	if (rctx->query->rmessage->rcode == dns_rcode_nxdomain &&
+	    fctx->type != dns_rdatatype_ds)
+	{
+		covers = dns_rdatatype_any;
+	} else {
+		covers = fctx->type;
+	}
+
+	/*
+	 * Cache any negative cache entries in the message.
+	 */
+	result = ncache_message(fctx, rctx->query->rmessage,
+				rctx->query->addrinfo, covers, rctx->now);
+	if (result != ISC_R_SUCCESS) {
+		FCTXTRACE3("ncache_message complete", result);
+	}
+}
+
+/*
+ * rctx_authority_dnssec():
+ *
+ * Scan the authority section of a negative answer or referral,
+ * handling DNSSEC records (i.e. NSEC, NSEC3, DS).
+ */
+static isc_result_t
+rctx_authority_dnssec(respctx_t *rctx) {
+	isc_result_t result;
+	fetchctx_t *fctx = rctx->fctx;
+	dns_rdataset_t *rdataset = NULL;
+	bool finished = false;
+
+	REQUIRE(!rctx->ns_in_answer && !rctx->glue_in_answer);
+
+	result = dns_message_firstname(rctx->query->rmessage,
+				       DNS_SECTION_AUTHORITY);
+	if (result != ISC_R_SUCCESS) {
+		return (ISC_R_SUCCESS);
+	}
+
+	while (!finished) {
+		dns_name_t *name = NULL;
+
+		dns_message_currentname(rctx->query->rmessage,
+					DNS_SECTION_AUTHORITY, &name);
+		result = dns_message_nextname(rctx->query->rmessage,
+					      DNS_SECTION_AUTHORITY);
+		if (result != ISC_R_SUCCESS) {
+			finished = true;
+		}
+
+		if (!dns_name_issubdomain(name, &fctx->domain)) {
+			/*
+			 * Invalid name found; preserve it for logging
+			 * later.
+			 */
+			rctx->found_name = name;
+			rctx->found_type = ISC_LIST_HEAD(name->list)->type;
+			continue;
+		}
+
+		for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link))
+		{
+			bool checknta = true;
+			bool secure_domain = false;
+			dns_rdatatype_t type = rdataset->type;
+
+			if (type == dns_rdatatype_rrsig) {
+				type = rdataset->covers;
+			}
+
+			switch (type) {
+			case dns_rdatatype_nsec:
+			case dns_rdatatype_nsec3:
+				if (rctx->negative) {
+					name->attributes |= DNS_NAMEATTR_NCACHE;
+					rdataset->attributes |=
+						DNS_RDATASETATTR_NCACHE;
+				} else if (type == dns_rdatatype_nsec) {
+					name->attributes |= DNS_NAMEATTR_CACHE;
+					rdataset->attributes |=
+						DNS_RDATASETATTR_CACHE;
+				}
+
+				if (rctx->aa) {
+					rdataset->trust =
+						dns_trust_authauthority;
+				} else if (ISFORWARDER(fctx->addrinfo)) {
+					rdataset->trust = dns_trust_answer;
+				} else {
+					rdataset->trust = dns_trust_additional;
+				}
+				/*
+				 * No additional data needs to be marked.
+				 */
+				break;
+			case dns_rdatatype_ds:
+				/*
+				 * DS or SIG DS.
+				 *
+				 * These should only be here if this is a
+				 * referral, and there should only be one
+				 * DS RRset.
+				 */
+				if (rctx->ns_name == NULL) {
+					log_formerr(fctx, "DS with no "
+							  "referral");
+					rctx->result = DNS_R_FORMERR;
+					return (ISC_R_COMPLETE);
+				}
+
+				if (rdataset->type == dns_rdatatype_ds) {
+					if (rctx->ds_name != NULL &&
+					    name != rctx->ds_name)
+					{
+						log_formerr(fctx, "DS doesn't "
+								  "match "
+								  "referral "
+								  "(NS)");
+						rctx->result = DNS_R_FORMERR;
+						return (ISC_R_COMPLETE);
+					}
+					rctx->ds_name = name;
+				}
+
+				name->attributes |= DNS_NAMEATTR_CACHE;
+				rdataset->attributes |= DNS_RDATASETATTR_CACHE;
+
+				if ((fctx->options & DNS_FETCHOPT_NONTA) != 0) {
+					checknta = false;
+				}
+				if (fctx->res->view->enablevalidation) {
+					result = issecuredomain(
+						fctx->res->view, name,
+						dns_rdatatype_ds, fctx->now,
+						checknta, NULL, &secure_domain);
+					if (result != ISC_R_SUCCESS) {
+						return (result);
+					}
+				}
+				if (secure_domain) {
+					rdataset->trust =
+						dns_trust_pending_answer;
+				} else if (rctx->aa) {
+					rdataset->trust =
+						dns_trust_authauthority;
+				} else if (ISFORWARDER(fctx->addrinfo)) {
+					rdataset->trust = dns_trust_answer;
+				} else {
+					rdataset->trust = dns_trust_additional;
+				}
+				break;
+			default:
+				continue;
+			}
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * rctx_referral():
+ * Handles referral responses. Check for sanity, find glue as needed,
+ * and update the fetch context to follow the delegation.
+ */
+static isc_result_t
+rctx_referral(respctx_t *rctx) {
+	isc_result_t result;
+	fetchctx_t *fctx = rctx->fctx;
+
+	if (rctx->negative || rctx->ns_name == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * We already know ns_name is a subdomain of fctx->domain.
+	 * If ns_name is equal to fctx->domain, we're not making
+	 * progress.  We return DNS_R_FORMERR so that we'll keep
+	 * trying other servers.
+	 */
+	if (dns_name_equal(rctx->ns_name, &fctx->domain)) {
+		log_formerr(fctx, "non-improving referral");
+		rctx->result = DNS_R_FORMERR;
+		return (ISC_R_COMPLETE);
+	}
+
+	/*
+	 * If the referral name is not a parent of the query
+	 * name, consider the responder insane.
+	 */
+	if (!dns_name_issubdomain(&fctx->name, rctx->ns_name)) {
+		/* Logged twice */
+		log_formerr(fctx, "referral to non-parent");
+		FCTXTRACE("referral to non-parent");
+		rctx->result = DNS_R_FORMERR;
+		return (ISC_R_COMPLETE);
+	}
+
+	/*
+	 * Mark any additional data related to this rdataset.
+	 * It's important that we do this before we change the
+	 * query domain.
+	 */
+	INSIST(rctx->ns_rdataset != NULL);
+	FCTX_ATTR_SET(fctx, FCTX_ATTR_GLUING);
+	(void)dns_rdataset_additionaldata(rctx->ns_rdataset, check_related,
+					  rctx);
+#if CHECK_FOR_GLUE_IN_ANSWER
+	/*
+	 * Look in the answer section for "glue" that is incorrectly
+	 * returned as a answer.  This is needed if the server also
+	 * minimizes the response size by not adding records to the
+	 * additional section that are in the answer section or if
+	 * the record gets dropped due to message size constraints.
+	 */
+	if (rctx->glue_in_answer &&
+	    (fctx->type == dns_rdatatype_aaaa || fctx->type == dns_rdatatype_a))
+	{
+		(void)dns_rdataset_additionaldata(rctx->ns_rdataset,
+						  check_answer, fctx);
+	}
+#endif /* if CHECK_FOR_GLUE_IN_ANSWER */
+	FCTX_ATTR_CLR(fctx, FCTX_ATTR_GLUING);
+
+	/*
+	 * NS rdatasets with 0 TTL cause problems.
+	 * dns_view_findzonecut() will not find them when we
+	 * try to follow the referral, and we'll SERVFAIL
+	 * because the best nameservers are now above QDOMAIN.
+	 * We force the TTL to 1 second to prevent this.
+	 */
+	if (rctx->ns_rdataset->ttl == 0) {
+		rctx->ns_rdataset->ttl = 1;
+	}
+
+	/*
+	 * Set the current query domain to the referral name.
+	 *
+	 * XXXRTH  We should check if we're in forward-only mode, and
+	 *		if so we should bail out.
+	 */
+	INSIST(dns_name_countlabels(&fctx->domain) > 0);
+	fcount_decr(fctx);
+
+	dns_name_free(&fctx->domain, fctx->mctx);
+	if (dns_rdataset_isassociated(&fctx->nameservers)) {
+		dns_rdataset_disassociate(&fctx->nameservers);
+	}
+
+	dns_name_init(&fctx->domain, NULL);
+	dns_name_dup(rctx->ns_name, fctx->mctx, &fctx->domain);
+
+	if ((fctx->options & DNS_FETCHOPT_QMINIMIZE) != 0) {
+		dns_name_free(&fctx->qmindcname, fctx->mctx);
+		dns_name_init(&fctx->qmindcname, NULL);
+		dns_name_dup(rctx->ns_name, fctx->mctx, &fctx->qmindcname);
+
+		result = fctx_minimize_qname(fctx);
+		if (result != ISC_R_SUCCESS) {
+			rctx->result = result;
+			return (ISC_R_COMPLETE);
+		}
+	}
+
+	result = fcount_incr(fctx, true);
+	if (result != ISC_R_SUCCESS) {
+		rctx->result = result;
+		return (ISC_R_COMPLETE);
+	}
+
+	FCTX_ATTR_SET(fctx, FCTX_ATTR_WANTCACHE);
+	fctx->ns_ttl_ok = false;
+	log_ns_ttl(fctx, "DELEGATION");
+	rctx->result = DNS_R_DELEGATION;
+
+	/*
+	 * Reinitialize 'rctx' to prepare for following the delegation:
+	 * set the get_nameservers and next_server flags appropriately and
+	 * reset the fetch context counters.
+	 *
+	 */
+	if ((rctx->fctx->options & DNS_FETCHOPT_NOFOLLOW) == 0) {
+		rctx->get_nameservers = true;
+		rctx->next_server = true;
+		rctx->fctx->restarts = 0;
+		rctx->fctx->referrals++;
+		rctx->fctx->querysent = 0;
+		rctx->fctx->lamecount = 0;
+		rctx->fctx->quotacount = 0;
+		rctx->fctx->neterr = 0;
+		rctx->fctx->badresp = 0;
+		rctx->fctx->adberr = 0;
+	}
+
+	return (ISC_R_COMPLETE);
+}
+
+/*
+ * rctx_additional():
+ * Scan the additional section of a response to find records related
+ * to answers we were interested in.
+ */
+static void
+rctx_additional(respctx_t *rctx) {
+	bool rescan;
+	dns_section_t section = DNS_SECTION_ADDITIONAL;
+	isc_result_t result;
+
+again:
+	rescan = false;
+
+	for (result = dns_message_firstname(rctx->query->rmessage, section);
+	     result == ISC_R_SUCCESS;
+	     result = dns_message_nextname(rctx->query->rmessage, section))
+	{
+		dns_name_t *name = NULL;
+		dns_rdataset_t *rdataset;
+		dns_message_currentname(rctx->query->rmessage,
+					DNS_SECTION_ADDITIONAL, &name);
+		if ((name->attributes & DNS_NAMEATTR_CHASE) == 0) {
+			continue;
+		}
+		name->attributes &= ~DNS_NAMEATTR_CHASE;
+		for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link))
+		{
+			if (CHASE(rdataset)) {
+				rdataset->attributes &= ~DNS_RDATASETATTR_CHASE;
+				(void)dns_rdataset_additionaldata(
+					rdataset, check_related, rctx);
+				rescan = true;
+			}
+		}
+	}
+	if (rescan) {
+		goto again;
+	}
+}
+
+/*
+ * rctx_nextserver():
+ * We found something wrong with the remote server, but it may be
+ * useful to try another one.
+ */
+static void
+rctx_nextserver(respctx_t *rctx, dns_message_t *message,
+		dns_adbaddrinfo_t *addrinfo, isc_result_t result) {
+	fetchctx_t *fctx = rctx->fctx;
+
+	if (result == DNS_R_FORMERR) {
+		rctx->broken_server = DNS_R_FORMERR;
+	}
+	if (rctx->broken_server != ISC_R_SUCCESS) {
+		/*
+		 * Add this server to the list of bad servers for
+		 * this fctx.
+		 */
+		add_bad(fctx, message, addrinfo, rctx->broken_server,
+			rctx->broken_type);
+	}
+
+	if (rctx->get_nameservers) {
+		dns_fixedname_t foundname, founddc;
+		dns_name_t *name, *fname, *dcname;
+		unsigned int findoptions = 0;
+
+		fname = dns_fixedname_initname(&foundname);
+		dcname = dns_fixedname_initname(&founddc);
+
+		if (result != ISC_R_SUCCESS) {
+			fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
+			return;
+		}
+		if (dns_rdatatype_atparent(fctx->type)) {
+			findoptions |= DNS_DBFIND_NOEXACT;
+		}
+		if ((rctx->retryopts & DNS_FETCHOPT_UNSHARED) == 0) {
+			name = &fctx->name;
+		} else {
+			name = &fctx->domain;
+		}
+		result = dns_view_findzonecut(
+			fctx->res->view, name, fname, dcname, fctx->now,
+			findoptions, true, true, &fctx->nameservers, NULL);
+		if (result != ISC_R_SUCCESS) {
+			FCTXTRACE("couldn't find a zonecut");
+			fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
+			return;
+		}
+		if (!dns_name_issubdomain(fname, &fctx->domain)) {
+			/*
+			 * The best nameservers are now above our QDOMAIN.
+			 */
+			FCTXTRACE("nameservers now above QDOMAIN");
+			fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
+			return;
+		}
+
+		fcount_decr(fctx);
+
+		dns_name_free(&fctx->domain, fctx->mctx);
+		dns_name_init(&fctx->domain, NULL);
+		dns_name_dup(fname, fctx->mctx, &fctx->domain);
+		dns_name_free(&fctx->qmindcname, fctx->mctx);
+		dns_name_init(&fctx->qmindcname, NULL);
+		dns_name_dup(dcname, fctx->mctx, &fctx->qmindcname);
+
+		result = fcount_incr(fctx, true);
+		if (result != ISC_R_SUCCESS) {
+			fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
+			return;
+		}
+		fctx->ns_ttl = fctx->nameservers.ttl;
+		fctx->ns_ttl_ok = true;
+		fctx_cancelqueries(fctx, true, false);
+		fctx_cleanupall(fctx);
+	}
+
+	/*
+	 * Try again.
+	 */
+	fctx_try(fctx, !rctx->get_nameservers, false);
+}
+
+/*
+ * rctx_resend():
+ *
+ * Resend the query, probably with the options changed. Calls fctx_query(),
+ * passing rctx->retryopts (which is based on query->options, but may have been
+ * updated since the last time fctx_query() was called).
+ */
+static void
+rctx_resend(respctx_t *rctx, dns_adbaddrinfo_t *addrinfo) {
+	isc_result_t result;
+	fetchctx_t *fctx = rctx->fctx;
+	bool bucket_empty;
+	dns_resolver_t *res = fctx->res;
+	unsigned int bucketnum;
+
+	FCTXTRACE("resend");
+	inc_stats(fctx->res, dns_resstatscounter_retry);
+	fctx_increference(fctx);
+	result = fctx_query(fctx, addrinfo, rctx->retryopts);
+	if (result == ISC_R_SUCCESS) {
+		return;
+	}
+
+	bucketnum = fctx->bucketnum;
+	fctx_done(fctx, result, __LINE__);
+	LOCK(&res->buckets[bucketnum].lock);
+	bucket_empty = fctx_decreference(fctx);
+	UNLOCK(&res->buckets[bucketnum].lock);
+	if (bucket_empty) {
+		empty_bucket(res);
+	}
+}
+
+/*
+ * rctx_next():
+ * We got what appeared to be a response but it didn't match the question
+ * or the cookie; it may have been meant for someone else, or it may be a
+ * spoofing attack. Drop it and continue listening for the response we
+ * wanted.
+ */
+static void
+rctx_next(respctx_t *rctx) {
+#ifdef WANT_QUERYTRACE
+	fetchctx_t *fctx = rctx->fctx;
+#endif /* ifdef WANT_QUERYTRACE */
+	isc_result_t result;
+
+	FCTXTRACE("nextitem");
+	inc_stats(rctx->fctx->res, dns_resstatscounter_nextitem);
+	INSIST(rctx->query->dispentry != NULL);
+	dns_message_reset(rctx->query->rmessage, DNS_MESSAGE_INTENTPARSE);
+	result = dns_dispatch_getnext(rctx->query->dispentry, &rctx->devent);
+	if (result != ISC_R_SUCCESS) {
+		fctx_done(rctx->fctx, result, __LINE__);
+	}
+}
+
+/*
+ * rctx_chaseds():
+ * Look up the parent zone's NS records so that DS records can be fetched.
+ */
+static void
+rctx_chaseds(respctx_t *rctx, dns_message_t *message,
+	     dns_adbaddrinfo_t *addrinfo, isc_result_t result) {
+	fetchctx_t *fctx = rctx->fctx;
+	unsigned int n;
+
+	add_bad(fctx, message, addrinfo, result, rctx->broken_type);
+	fctx_cancelqueries(fctx, true, false);
+	fctx_cleanupfinds(fctx);
+	fctx_cleanupforwaddrs(fctx);
+
+	n = dns_name_countlabels(&fctx->name);
+	dns_name_getlabelsequence(&fctx->name, 1, n - 1, &fctx->nsname);
+
+	FCTXTRACE("suspending DS lookup to find parent's NS records");
+
+	result = dns_resolver_createfetch(
+		fctx->res, &fctx->nsname, dns_rdatatype_ns, NULL, NULL, NULL,
+		NULL, 0, fctx->options, 0, NULL, rctx->task, resume_dslookup,
+		fctx, &fctx->nsrrset, NULL, &fctx->nsfetch);
+	if (result != ISC_R_SUCCESS) {
+		if (result == DNS_R_DUPLICATE) {
+			result = DNS_R_SERVFAIL;
+		}
+		fctx_done(fctx, result, __LINE__);
+	} else {
+		fctx_increference(fctx);
+		result = fctx_stopidletimer(fctx);
+		if (result != ISC_R_SUCCESS) {
+			fctx_done(fctx, result, __LINE__);
+		}
+	}
+}
+
+/*
+ * rctx_done():
+ * This resolver query response is finished, either because we encountered
+ * a problem or because we've gotten all the information from it that we
+ * can.  We either wait for another response, resend the query to the
+ * same server, resend to a new server, or clean up and shut down the fetch.
+ */
+static void
+rctx_done(respctx_t *rctx, isc_result_t result) {
+	resquery_t *query = rctx->query;
+	fetchctx_t *fctx = rctx->fctx;
+	dns_adbaddrinfo_t *addrinfo = query->addrinfo;
+	/*
+	 * Need to attach to the message until the scope
+	 * of this function ends, since there are many places
+	 * where te message is used and/or may be destroyed
+	 * before this function ends.
+	 */
+	dns_message_t *message = NULL;
+	dns_message_attach(query->rmessage, &message);
+
+	FCTXTRACE4("query canceled in response(); ",
+		   rctx->no_response ? "no response" : "responding", result);
+
+	/*
+	 * Cancel the query.
+	 *
+	 * XXXRTH  Don't cancel the query if waiting for validation?
+	 */
+	if (!rctx->nextitem) {
+		fctx_cancelquery(&query, &rctx->devent, rctx->finish,
+				 rctx->no_response, false);
+	}
+
+#ifdef ENABLE_AFL
+	if (dns_fuzzing_resolver &&
+	    (rctx->next_server || rctx->resend || rctx->nextitem))
+	{
+		if (rctx->nextitem) {
+			fctx_cancelquery(&query, &rctx->devent, rctx->finish,
+					 rctx->no_response, false);
+		}
+		fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
+		return;
+	} else
+#endif /* ifdef ENABLE_AFL */
+		if (rctx->next_server) {
+			rctx_nextserver(rctx, message, addrinfo, result);
+		} else if (rctx->resend) {
+			rctx_resend(rctx, addrinfo);
+		} else if (rctx->nextitem) {
+			rctx_next(rctx);
+		} else if (result == DNS_R_CHASEDSSERVERS) {
+			rctx_chaseds(rctx, message, addrinfo, result);
+		} else if (result == ISC_R_SUCCESS && !HAVE_ANSWER(fctx)) {
+			/*
+			 * All has gone well so far, but we are waiting for the
+			 * DNSSEC validator to validate the answer.
+			 */
+			FCTXTRACE("wait for validator");
+			fctx_cancelqueries(fctx, true, false);
+			/*
+			 * We must not retransmit while the validator is
+			 * working; it has references to the current rmessage.
+			 */
+			result = fctx_stopidletimer(fctx);
+			if (result != ISC_R_SUCCESS) {
+				fctx_done(fctx, result, __LINE__);
+			}
+		} else {
+			/*
+			 * We're done.
+			 */
+			fctx_done(fctx, result, __LINE__);
+		}
+
+	dns_message_detach(&message);
+}
+
+/*
+ * rctx_logpacket():
+ * Log the incoming packet; also log to DNSTAP if configured.
+ */
+static void
+rctx_logpacket(respctx_t *rctx) {
+#ifdef HAVE_DNSTAP
+	isc_result_t result;
+	fetchctx_t *fctx = rctx->fctx;
+	isc_socket_t *sock = NULL;
+	isc_sockaddr_t localaddr, *la = NULL;
+	unsigned char zone[DNS_NAME_MAXWIRE];
+	dns_dtmsgtype_t dtmsgtype;
+	dns_compress_t cctx;
+	isc_region_t zr;
+	isc_buffer_t zb;
+#endif /* HAVE_DNSTAP */
+
+	dns_message_logfmtpacket(
+		rctx->query->rmessage, "received packet from",
+		&rctx->query->addrinfo->sockaddr, DNS_LOGCATEGORY_RESOLVER,
+		DNS_LOGMODULE_PACKETS, &dns_master_style_comment,
+		ISC_LOG_DEBUG(10), rctx->fctx->res->mctx);
+
+#ifdef HAVE_DNSTAP
+	/*
+	 * Log the response via dnstap.
+	 */
+	memset(&zr, 0, sizeof(zr));
+	result = dns_compress_init(&cctx, -1, fctx->res->mctx);
+	if (result == ISC_R_SUCCESS) {
+		isc_buffer_init(&zb, zone, sizeof(zone));
+		dns_compress_setmethods(&cctx, DNS_COMPRESS_NONE);
+		result = dns_name_towire(&fctx->domain, &cctx, &zb);
+		if (result == ISC_R_SUCCESS) {
+			isc_buffer_usedregion(&zb, &zr);
+		}
+		dns_compress_invalidate(&cctx);
+	}
+
+	if ((fctx->qmessage->flags & DNS_MESSAGEFLAG_RD) != 0) {
+		dtmsgtype = DNS_DTTYPE_FR;
+	} else {
+		dtmsgtype = DNS_DTTYPE_RR;
+	}
+
+	sock = query2sock(rctx->query);
+
+	if (sock != NULL) {
+		result = isc_socket_getsockname(sock, &localaddr);
+		if (result == ISC_R_SUCCESS) {
+			la = &localaddr;
+		}
+	}
+
+	dns_dt_send(fctx->res->view, dtmsgtype, la,
+		    &rctx->query->addrinfo->sockaddr,
+		    ((rctx->query->options & DNS_FETCHOPT_TCP) != 0), &zr,
+		    &rctx->query->start, NULL, &rctx->devent->buffer);
+#endif /* HAVE_DNSTAP */
+}
+
+/*
+ * rctx_badserver():
+ * Is the remote server broken, or does it dislike us?
+ */
+static isc_result_t
+rctx_badserver(respctx_t *rctx, isc_result_t result) {
+	fetchctx_t *fctx = rctx->fctx;
+	resquery_t *query = rctx->query;
+	isc_buffer_t b;
+	char code[64];
+	dns_rcode_t rcode = rctx->query->rmessage->rcode;
+
+	if (rcode == dns_rcode_noerror || rcode == dns_rcode_yxdomain ||
+	    rcode == dns_rcode_nxdomain)
+	{
+		return (ISC_R_SUCCESS);
+	}
+
+	if ((rcode == dns_rcode_formerr) &&
+	    (rctx->retryopts & DNS_FETCHOPT_NOEDNS0) == 0)
+	{
+		/*
+		 * It's very likely they don't like EDNS0.
+		 * If the response code is SERVFAIL, also check if the
+		 * response contains an OPT RR and don't cache the
+		 * failure since it can be returned for various other
+		 * reasons.
+		 *
+		 * XXXRTH  We should check if the question
+		 *		we're asking requires EDNS0, and
+		 *		if so, we should bail out.
+		 */
+		rctx->retryopts |= DNS_FETCHOPT_NOEDNS0;
+		rctx->resend = true;
+		/*
+		 * Remember that they may not like EDNS0.
+		 */
+		add_bad_edns(fctx, &query->addrinfo->sockaddr);
+		inc_stats(fctx->res, dns_resstatscounter_edns0fail);
+	} else if (rcode == dns_rcode_formerr) {
+		if (ISFORWARDER(query->addrinfo)) {
+			/*
+			 * This forwarder doesn't understand us,
+			 * but other forwarders might.  Keep trying.
+			 */
+			rctx->broken_server = DNS_R_REMOTEFORMERR;
+			rctx->next_server = true;
+		} else {
+			/*
+			 * The server doesn't understand us.  Since
+			 * all servers for a zone need similar
+			 * capabilities, we assume that we will get
+			 * FORMERR from all servers, and thus we
+			 * cannot make any more progress with this
+			 * fetch.
+			 */
+			log_formerr(fctx, "server sent FORMERR");
+			result = DNS_R_FORMERR;
+		}
+	} else if (rcode == dns_rcode_badvers) {
+		unsigned int version;
+#if DNS_EDNS_VERSION > 0
+		unsigned int flags, mask;
+#endif /* if DNS_EDNS_VERSION > 0 */
+
+		INSIST(rctx->opt != NULL);
+		version = (rctx->opt->ttl >> 16) & 0xff;
+#if DNS_EDNS_VERSION > 0
+		flags = (version << DNS_FETCHOPT_EDNSVERSIONSHIFT) |
+			DNS_FETCHOPT_EDNSVERSIONSET;
+		mask = DNS_FETCHOPT_EDNSVERSIONMASK |
+		       DNS_FETCHOPT_EDNSVERSIONSET;
+#endif /* if DNS_EDNS_VERSION > 0 */
+
+		/*
+		 * Record that we got a good EDNS response.
+		 */
+		if (query->ednsversion > (int)version &&
+		    !EDNSOK(query->addrinfo))
+		{
+			dns_adb_changeflags(fctx->adb, query->addrinfo,
+					    FCTX_ADDRINFO_EDNSOK,
+					    FCTX_ADDRINFO_EDNSOK);
+		}
+
+		/*
+		 * RFC 2671 was not clear that unknown options should
+		 * be ignored.  RFC 6891 is clear that that they
+		 * should be ignored. If we are supporting the
+		 * experimental EDNS > 0 then perform strict
+		 * version checking of badvers responses.  We won't
+		 * be sending COOKIE etc. in that case.
+		 */
+#if DNS_EDNS_VERSION > 0
+		if ((int)version < query->ednsversion) {
+			dns_adb_changeflags(fctx->adb, query->addrinfo, flags,
+					    mask);
+			rctx->resend = true;
+		} else {
+			rctx->broken_server = DNS_R_BADVERS;
+			rctx->next_server = true;
+		}
+#else  /* if DNS_EDNS_VERSION > 0 */
+		rctx->broken_server = DNS_R_BADVERS;
+		rctx->next_server = true;
+#endif /* if DNS_EDNS_VERSION > 0 */
+	} else if (rcode == dns_rcode_badcookie && rctx->query->rmessage->cc_ok)
+	{
+		/*
+		 * We have recorded the new cookie.
+		 */
+		if (BADCOOKIE(query->addrinfo)) {
+			rctx->retryopts |= DNS_FETCHOPT_TCP;
+		}
+		query->addrinfo->flags |= FCTX_ADDRINFO_BADCOOKIE;
+		rctx->resend = true;
+	} else {
+		rctx->broken_server = DNS_R_UNEXPECTEDRCODE;
+		rctx->next_server = true;
+	}
+
+	isc_buffer_init(&b, code, sizeof(code) - 1);
+	dns_rcode_totext(rcode, &b);
+	code[isc_buffer_usedlength(&b)] = '\0';
+	FCTXTRACE2("remote server broken: returned ", code);
+	rctx_done(rctx, result);
+
+	return (ISC_R_COMPLETE);
+}
+
+/*
+ * rctx_lameserver():
+ * Is the server lame?
+ */
+static isc_result_t
+rctx_lameserver(respctx_t *rctx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	fetchctx_t *fctx = rctx->fctx;
+	resquery_t *query = rctx->query;
+
+	if (ISFORWARDER(query->addrinfo) || !is_lame(fctx, query->rmessage)) {
+		return (ISC_R_SUCCESS);
+	}
+
+	inc_stats(fctx->res, dns_resstatscounter_lame);
+	log_lame(fctx, query->addrinfo);
+	if (fctx->res->lame_ttl != 0) {
+		result = dns_adb_marklame(fctx->adb, query->addrinfo,
+					  &fctx->name, fctx->type,
+					  rctx->now + fctx->res->lame_ttl);
+		if (result != ISC_R_SUCCESS) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+				      DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
+				      "could not mark server as lame: %s",
+				      isc_result_totext(result));
+		}
+	}
+	rctx->broken_server = DNS_R_LAME;
+	rctx->next_server = true;
+	FCTXTRACE("lame server");
+	rctx_done(rctx, result);
+
+	return (ISC_R_COMPLETE);
+}
+
+/*
+ * rctx_delonly_zone():
+ * Handle delegation-only zones like NET and COM.
+ */
+static void
+rctx_delonly_zone(respctx_t *rctx) {
+	fetchctx_t *fctx = rctx->fctx;
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char domainbuf[DNS_NAME_FORMATSIZE];
+	char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+	char classbuf[64];
+	char typebuf[64];
+
+	if (ISFORWARDER(rctx->query->addrinfo) ||
+	    !dns_view_isdelegationonly(fctx->res->view, &fctx->domain) ||
+	    dns_name_equal(&fctx->domain, &fctx->name) ||
+	    !fix_mustbedelegationornxdomain(rctx->query->rmessage, fctx))
+	{
+		return;
+	}
+
+	dns_name_format(&fctx->name, namebuf, sizeof(namebuf));
+	dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
+	dns_rdatatype_format(fctx->type, typebuf, sizeof(typebuf));
+	dns_rdataclass_format(fctx->res->rdclass, classbuf, sizeof(classbuf));
+	isc_sockaddr_format(&rctx->query->addrinfo->sockaddr, addrbuf,
+			    sizeof(addrbuf));
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DELEGATION_ONLY,
+		      DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
+		      "enforced delegation-only for '%s' (%s/%s/%s) from %s",
+		      domainbuf, namebuf, typebuf, classbuf, addrbuf);
+}
+
+/***
+ *** Resolver Methods
+ ***/
+static void
+destroy(dns_resolver_t *res) {
+	unsigned int i;
+	alternate_t *a;
+
+	isc_refcount_destroy(&res->references);
+	REQUIRE(!atomic_load_acquire(&res->priming));
+	REQUIRE(res->primefetch == NULL);
+
+	RTRACE("destroy");
+
+	REQUIRE(atomic_load_acquire(&res->nfctx) == 0);
+
+	isc_mutex_destroy(&res->primelock);
+	isc_mutex_destroy(&res->lock);
+	for (i = 0; i < res->nbuckets; i++) {
+		INSIST(ISC_LIST_EMPTY(res->buckets[i].fctxs));
+		isc_task_shutdown(res->buckets[i].task);
+		isc_task_detach(&res->buckets[i].task);
+		isc_mutex_destroy(&res->buckets[i].lock);
+		isc_mem_detach(&res->buckets[i].mctx);
+	}
+	isc_mem_put(res->mctx, res->buckets,
+		    res->nbuckets * sizeof(fctxbucket_t));
+	for (i = 0; i < RES_DOMAIN_BUCKETS; i++) {
+		INSIST(ISC_LIST_EMPTY(res->dbuckets[i].list));
+		isc_mem_detach(&res->dbuckets[i].mctx);
+		isc_mutex_destroy(&res->dbuckets[i].lock);
+	}
+	isc_mem_put(res->mctx, res->dbuckets,
+		    RES_DOMAIN_BUCKETS * sizeof(zonebucket_t));
+	if (res->dispatches4 != NULL) {
+		dns_dispatchset_destroy(&res->dispatches4);
+	}
+	if (res->dispatches6 != NULL) {
+		dns_dispatchset_destroy(&res->dispatches6);
+	}
+	while ((a = ISC_LIST_HEAD(res->alternates)) != NULL) {
+		ISC_LIST_UNLINK(res->alternates, a, link);
+		if (!a->isaddress) {
+			dns_name_free(&a->_u._n.name, res->mctx);
+		}
+		isc_mem_put(res->mctx, a, sizeof(*a));
+	}
+	dns_resolver_reset_algorithms(res);
+	dns_resolver_reset_ds_digests(res);
+	dns_badcache_destroy(&res->badcache);
+	dns_resolver_resetmustbesecure(res);
+#if USE_ALGLOCK
+	isc_rwlock_destroy(&res->alglock);
+#endif /* if USE_ALGLOCK */
+#if USE_MBSLOCK
+	isc_rwlock_destroy(&res->mbslock);
+#endif /* if USE_MBSLOCK */
+	isc_timer_destroy(&res->spillattimer);
+	res->magic = 0;
+	isc_mem_put(res->mctx, res, sizeof(*res));
+}
+
+static void
+send_shutdown_events(dns_resolver_t *res) {
+	isc_event_t *event, *next_event;
+	isc_task_t *etask;
+
+	/*
+	 * Caller must be holding the resolver lock.
+	 */
+
+	for (event = ISC_LIST_HEAD(res->whenshutdown); event != NULL;
+	     event = next_event)
+	{
+		next_event = ISC_LIST_NEXT(event, ev_link);
+		ISC_LIST_UNLINK(res->whenshutdown, event, ev_link);
+		etask = event->ev_sender;
+		event->ev_sender = res;
+		isc_task_sendanddetach(&etask, &event);
+	}
+}
+
+static void
+empty_bucket(dns_resolver_t *res) {
+	RTRACE("empty_bucket");
+
+	LOCK(&res->lock);
+
+	INSIST(res->activebuckets > 0);
+	res->activebuckets--;
+	if (res->activebuckets == 0) {
+		send_shutdown_events(res);
+	}
+
+	UNLOCK(&res->lock);
+}
+
+static void
+spillattimer_countdown(isc_task_t *task, isc_event_t *event) {
+	dns_resolver_t *res = event->ev_arg;
+	isc_result_t result;
+	unsigned int count;
+	bool logit = false;
+
+	REQUIRE(VALID_RESOLVER(res));
+
+	UNUSED(task);
+
+	LOCK(&res->lock);
+	INSIST(!atomic_load_acquire(&res->exiting));
+	if (res->spillat > res->spillatmin) {
+		res->spillat--;
+		logit = true;
+	}
+	if (res->spillat <= res->spillatmin) {
+		result = isc_timer_reset(res->spillattimer,
+					 isc_timertype_inactive, NULL, NULL,
+					 true);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	}
+	count = res->spillat;
+	UNLOCK(&res->lock);
+	if (logit) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+			      DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
+			      "clients-per-query decreased to %u", count);
+	}
+
+	isc_event_free(&event);
+}
+
+isc_result_t
+dns_resolver_create(dns_view_t *view, isc_taskmgr_t *taskmgr,
+		    unsigned int ntasks, unsigned int ndisp,
+		    isc_socketmgr_t *socketmgr, isc_timermgr_t *timermgr,
+		    unsigned int options, dns_dispatchmgr_t *dispatchmgr,
+		    dns_dispatch_t *dispatchv4, dns_dispatch_t *dispatchv6,
+		    dns_resolver_t **resp) {
+	dns_resolver_t *res;
+	isc_result_t result = ISC_R_SUCCESS;
+	unsigned int i, buckets_created = 0, dbuckets_created = 0;
+	isc_task_t *task = NULL;
+	char name[16];
+	unsigned dispattr;
+
+	/*
+	 * Create a resolver.
+	 */
+
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(ntasks > 0);
+	REQUIRE(ndisp > 0);
+	REQUIRE(resp != NULL && *resp == NULL);
+	REQUIRE(dispatchmgr != NULL);
+	REQUIRE(dispatchv4 != NULL || dispatchv6 != NULL);
+
+	res = isc_mem_get(view->mctx, sizeof(*res));
+	RTRACE("create");
+	res->mctx = view->mctx;
+	res->rdclass = view->rdclass;
+	res->socketmgr = socketmgr;
+	res->timermgr = timermgr;
+	res->taskmgr = taskmgr;
+	res->dispatchmgr = dispatchmgr;
+	res->view = view;
+	res->options = options;
+	res->lame_ttl = 0;
+	ISC_LIST_INIT(res->alternates);
+	res->udpsize = RECV_BUFFER_SIZE;
+	res->algorithms = NULL;
+	res->digests = NULL;
+	res->badcache = NULL;
+	result = dns_badcache_init(res->mctx, DNS_RESOLVER_BADCACHESIZE,
+				   &res->badcache);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_res;
+	}
+	res->mustbesecure = NULL;
+	res->spillatmin = res->spillat = 10;
+	res->spillatmax = 100;
+	res->spillattimer = NULL;
+	atomic_init(&res->zspill, 0);
+	res->zero_no_soa_ttl = false;
+	res->retryinterval = 30000;
+	res->nonbackofftries = 3;
+	res->query_timeout = DEFAULT_QUERY_TIMEOUT;
+	res->maxdepth = DEFAULT_RECURSION_DEPTH;
+	res->maxqueries = DEFAULT_MAX_QUERIES;
+	res->quotaresp[dns_quotatype_zone] = DNS_R_DROP;
+	res->quotaresp[dns_quotatype_server] = DNS_R_SERVFAIL;
+	res->nbuckets = ntasks;
+	if (view->resstats != NULL) {
+		isc_stats_set(view->resstats, ntasks,
+			      dns_resstatscounter_buckets);
+	}
+	res->activebuckets = ntasks;
+	res->buckets = isc_mem_get(view->mctx, ntasks * sizeof(fctxbucket_t));
+	for (i = 0; i < ntasks; i++) {
+		isc_mutex_init(&res->buckets[i].lock);
+
+		res->buckets[i].task = NULL;
+		/*
+		 * Since we have a pool of tasks we bind them to task queues
+		 * to spread the load evenly
+		 */
+		result = isc_task_create_bound(taskmgr, 0,
+					       &res->buckets[i].task, i);
+		if (result != ISC_R_SUCCESS) {
+			isc_mutex_destroy(&res->buckets[i].lock);
+			goto cleanup_buckets;
+		}
+		res->buckets[i].mctx = NULL;
+		snprintf(name, sizeof(name), "res%u", i);
+		/*
+		 * Use a separate memory context for each bucket to reduce
+		 * contention among multiple threads.  Do this only when
+		 * enabling threads because it will be require more memory.
+		 */
+		isc_mem_create(&res->buckets[i].mctx);
+		isc_mem_setname(res->buckets[i].mctx, name, NULL);
+		isc_task_setname(res->buckets[i].task, name, res);
+		ISC_LIST_INIT(res->buckets[i].fctxs);
+		atomic_init(&res->buckets[i].exiting, false);
+		buckets_created++;
+	}
+
+	res->dbuckets = isc_mem_get(view->mctx,
+				    RES_DOMAIN_BUCKETS * sizeof(zonebucket_t));
+	for (i = 0; i < RES_DOMAIN_BUCKETS; i++) {
+		ISC_LIST_INIT(res->dbuckets[i].list);
+		res->dbuckets[i].mctx = NULL;
+		isc_mem_attach(view->mctx, &res->dbuckets[i].mctx);
+		isc_mutex_init(&res->dbuckets[i].lock);
+		dbuckets_created++;
+	}
+
+	res->dispatches4 = NULL;
+	if (dispatchv4 != NULL) {
+		dns_dispatchset_create(view->mctx, socketmgr, taskmgr,
+				       dispatchv4, &res->dispatches4, ndisp);
+		dispattr = dns_dispatch_getattributes(dispatchv4);
+		res->exclusivev4 = (dispattr & DNS_DISPATCHATTR_EXCLUSIVE);
+	}
+
+	res->dispatches6 = NULL;
+	if (dispatchv6 != NULL) {
+		dns_dispatchset_create(view->mctx, socketmgr, taskmgr,
+				       dispatchv6, &res->dispatches6, ndisp);
+		dispattr = dns_dispatch_getattributes(dispatchv6);
+		res->exclusivev6 = (dispattr & DNS_DISPATCHATTR_EXCLUSIVE);
+	}
+
+	res->querydscp4 = -1;
+	res->querydscp6 = -1;
+	isc_refcount_init(&res->references, 1);
+	atomic_init(&res->exiting, false);
+	res->frozen = false;
+	ISC_LIST_INIT(res->whenshutdown);
+	atomic_init(&res->priming, false);
+	res->primefetch = NULL;
+
+	atomic_init(&res->nfctx, 0);
+
+	isc_mutex_init(&res->lock);
+	isc_mutex_init(&res->primelock);
+
+	task = NULL;
+	result = isc_task_create(taskmgr, 0, &task);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_primelock;
+	}
+	isc_task_setname(task, "resolver_task", NULL);
+
+	result = isc_timer_create(timermgr, isc_timertype_inactive, NULL, NULL,
+				  task, spillattimer_countdown, res,
+				  &res->spillattimer);
+	isc_task_detach(&task);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_primelock;
+	}
+
+#if USE_ALGLOCK
+	isc_rwlock_init(&res->alglock, 0, 0);
+#endif /* if USE_ALGLOCK */
+#if USE_MBSLOCK
+	isc_rwlock_init(&res->mbslock, 0, 0);
+#endif /* if USE_MBSLOCK */
+
+	res->magic = RES_MAGIC;
+
+	*resp = res;
+
+	return (ISC_R_SUCCESS);
+
+cleanup_primelock:
+	isc_mutex_destroy(&res->primelock);
+	isc_mutex_destroy(&res->lock);
+
+	if (res->dispatches6 != NULL) {
+		dns_dispatchset_destroy(&res->dispatches6);
+	}
+	if (res->dispatches4 != NULL) {
+		dns_dispatchset_destroy(&res->dispatches4);
+	}
+
+	for (i = 0; i < dbuckets_created; i++) {
+		isc_mutex_destroy(&res->dbuckets[i].lock);
+		isc_mem_detach(&res->dbuckets[i].mctx);
+	}
+	isc_mem_put(view->mctx, res->dbuckets,
+		    RES_DOMAIN_BUCKETS * sizeof(zonebucket_t));
+
+cleanup_buckets:
+	for (i = 0; i < buckets_created; i++) {
+		isc_mem_detach(&res->buckets[i].mctx);
+		isc_mutex_destroy(&res->buckets[i].lock);
+		isc_task_shutdown(res->buckets[i].task);
+		isc_task_detach(&res->buckets[i].task);
+	}
+	isc_mem_put(view->mctx, res->buckets,
+		    res->nbuckets * sizeof(fctxbucket_t));
+
+	dns_badcache_destroy(&res->badcache);
+
+cleanup_res:
+	isc_mem_put(view->mctx, res, sizeof(*res));
+
+	return (result);
+}
+
+static void
+prime_done(isc_task_t *task, isc_event_t *event) {
+	dns_resolver_t *res;
+	dns_fetchevent_t *fevent;
+	dns_fetch_t *fetch;
+	dns_db_t *db = NULL;
+
+	REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE);
+	fevent = (dns_fetchevent_t *)event;
+	res = event->ev_arg;
+	REQUIRE(VALID_RESOLVER(res));
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+		      DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
+		      "resolver priming query complete");
+
+	UNUSED(task);
+
+	LOCK(&res->primelock);
+	fetch = res->primefetch;
+	res->primefetch = NULL;
+	UNLOCK(&res->primelock);
+
+	INSIST(atomic_compare_exchange_strong_acq_rel(&res->priming,
+						      &(bool){ true }, false));
+
+	if (fevent->result == ISC_R_SUCCESS && res->view->cache != NULL &&
+	    res->view->hints != NULL)
+	{
+		dns_cache_attachdb(res->view->cache, &db);
+		dns_root_checkhints(res->view, res->view->hints, db);
+		dns_db_detach(&db);
+	}
+
+	if (fevent->node != NULL) {
+		dns_db_detachnode(fevent->db, &fevent->node);
+	}
+	if (fevent->db != NULL) {
+		dns_db_detach(&fevent->db);
+	}
+	if (dns_rdataset_isassociated(fevent->rdataset)) {
+		dns_rdataset_disassociate(fevent->rdataset);
+	}
+	INSIST(fevent->sigrdataset == NULL);
+
+	isc_mem_put(res->mctx, fevent->rdataset, sizeof(*fevent->rdataset));
+
+	isc_event_free(&event);
+	dns_resolver_destroyfetch(&fetch);
+}
+
+void
+dns_resolver_prime(dns_resolver_t *res) {
+	bool want_priming = false;
+	dns_rdataset_t *rdataset;
+	isc_result_t result;
+
+	REQUIRE(VALID_RESOLVER(res));
+	REQUIRE(res->frozen);
+
+	RTRACE("dns_resolver_prime");
+
+	if (!atomic_load_acquire(&res->exiting)) {
+		want_priming = atomic_compare_exchange_strong_acq_rel(
+			&res->priming, &(bool){ false }, true);
+	}
+
+	if (want_priming) {
+		/*
+		 * To avoid any possible recursive locking problems, we
+		 * start the priming fetch like any other fetch, and holding
+		 * no resolver locks.  No one else will try to start it
+		 * because we're the ones who set res->priming to true.
+		 * Any other callers of dns_resolver_prime() while we're
+		 * running will see that res->priming is already true and
+		 * do nothing.
+		 */
+		RTRACE("priming");
+		rdataset = isc_mem_get(res->mctx, sizeof(*rdataset));
+		dns_rdataset_init(rdataset);
+
+		LOCK(&res->primelock);
+		INSIST(res->primefetch == NULL);
+		result = dns_resolver_createfetch(
+			res, dns_rootname, dns_rdatatype_ns, NULL, NULL, NULL,
+			NULL, 0, DNS_FETCHOPT_NOFORWARD, 0, NULL,
+			res->buckets[0].task, prime_done, res, rdataset, NULL,
+			&res->primefetch);
+		UNLOCK(&res->primelock);
+
+		if (result != ISC_R_SUCCESS) {
+			isc_mem_put(res->mctx, rdataset, sizeof(*rdataset));
+			INSIST(atomic_compare_exchange_strong_acq_rel(
+				&res->priming, &(bool){ true }, false));
+		}
+		inc_stats(res, dns_resstatscounter_priming);
+	}
+}
+
+void
+dns_resolver_freeze(dns_resolver_t *res) {
+	/*
+	 * Freeze resolver.
+	 */
+
+	REQUIRE(VALID_RESOLVER(res));
+
+	res->frozen = true;
+}
+
+void
+dns_resolver_attach(dns_resolver_t *source, dns_resolver_t **targetp) {
+	REQUIRE(VALID_RESOLVER(source));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	RRTRACE(source, "attach");
+
+	LOCK(&source->lock);
+	REQUIRE(!atomic_load_acquire(&source->exiting));
+	isc_refcount_increment(&source->references);
+	UNLOCK(&source->lock);
+
+	*targetp = source;
+}
+
+void
+dns_resolver_whenshutdown(dns_resolver_t *res, isc_task_t *task,
+			  isc_event_t **eventp) {
+	isc_task_t *tclone;
+	isc_event_t *event;
+
+	REQUIRE(VALID_RESOLVER(res));
+	REQUIRE(eventp != NULL);
+
+	event = *eventp;
+	*eventp = NULL;
+
+	LOCK(&res->lock);
+
+	if (atomic_load_acquire(&res->exiting) && res->activebuckets == 0) {
+		/*
+		 * We're already shutdown.  Send the event.
+		 */
+		event->ev_sender = res;
+		isc_task_send(task, &event);
+	} else {
+		tclone = NULL;
+		isc_task_attach(task, &tclone);
+		event->ev_sender = tclone;
+		ISC_LIST_APPEND(res->whenshutdown, event, ev_link);
+	}
+
+	UNLOCK(&res->lock);
+}
+
+void
+dns_resolver_shutdown(dns_resolver_t *res) {
+	unsigned int i;
+	fetchctx_t *fctx;
+	isc_result_t result;
+	bool is_false = false;
+
+	REQUIRE(VALID_RESOLVER(res));
+
+	RTRACE("shutdown");
+
+	LOCK(&res->lock);
+	if (atomic_compare_exchange_strong(&res->exiting, &is_false, true)) {
+		RTRACE("exiting");
+
+		for (i = 0; i < res->nbuckets; i++) {
+			LOCK(&res->buckets[i].lock);
+			for (fctx = ISC_LIST_HEAD(res->buckets[i].fctxs);
+			     fctx != NULL; fctx = ISC_LIST_NEXT(fctx, link))
+			{
+				fctx_shutdown(fctx);
+			}
+			if (res->dispatches4 != NULL && !res->exclusivev4) {
+				dns_dispatchset_cancelall(res->dispatches4,
+							  res->buckets[i].task);
+			}
+			if (res->dispatches6 != NULL && !res->exclusivev6) {
+				dns_dispatchset_cancelall(res->dispatches6,
+							  res->buckets[i].task);
+			}
+			atomic_store(&res->buckets[i].exiting, true);
+			if (ISC_LIST_EMPTY(res->buckets[i].fctxs)) {
+				INSIST(res->activebuckets > 0);
+				res->activebuckets--;
+			}
+			UNLOCK(&res->buckets[i].lock);
+		}
+		if (res->activebuckets == 0) {
+			send_shutdown_events(res);
+		}
+		result = isc_timer_reset(res->spillattimer,
+					 isc_timertype_inactive, NULL, NULL,
+					 true);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	}
+	UNLOCK(&res->lock);
+}
+
+void
+dns_resolver_detach(dns_resolver_t **resp) {
+	dns_resolver_t *res;
+
+	REQUIRE(resp != NULL);
+	res = *resp;
+	*resp = NULL;
+	REQUIRE(VALID_RESOLVER(res));
+
+	RTRACE("detach");
+
+	if (isc_refcount_decrement(&res->references) == 1) {
+		LOCK(&res->lock);
+		INSIST(atomic_load_acquire(&res->exiting));
+		INSIST(res->activebuckets == 0);
+		UNLOCK(&res->lock);
+		destroy(res);
+	}
+}
+
+static bool
+fctx_match(fetchctx_t *fctx, const dns_name_t *name, dns_rdatatype_t type,
+	   unsigned int options) {
+	/*
+	 * Don't match fetch contexts that are shutting down.
+	 */
+	if (fctx->cloned || fctx->state == fetchstate_done ||
+	    ISC_LIST_EMPTY(fctx->events))
+	{
+		return (false);
+	}
+
+	if (fctx->type != type || fctx->options != options) {
+		return (false);
+	}
+	return (dns_name_equal(&fctx->name, name));
+}
+
+static void
+log_fetch(const dns_name_t *name, dns_rdatatype_t type) {
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char typebuf[DNS_RDATATYPE_FORMATSIZE];
+	int level = ISC_LOG_DEBUG(1);
+
+	/*
+	 * If there's no chance of logging it, don't render (format) the
+	 * name and RDATA type (further below), and return early.
+	 */
+	if (!isc_log_wouldlog(dns_lctx, level)) {
+		return;
+	}
+
+	dns_name_format(name, namebuf, sizeof(namebuf));
+	dns_rdatatype_format(type, typebuf, sizeof(typebuf));
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+		      DNS_LOGMODULE_RESOLVER, level, "fetch: %s/%s", namebuf,
+		      typebuf);
+}
+
+static isc_result_t
+fctx_minimize_qname(fetchctx_t *fctx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	unsigned int dlabels, nlabels;
+
+	REQUIRE(VALID_FCTX(fctx));
+
+	dlabels = dns_name_countlabels(&fctx->qmindcname);
+	nlabels = dns_name_countlabels(&fctx->name);
+	dns_name_free(&fctx->qminname, fctx->mctx);
+	dns_name_init(&fctx->qminname, NULL);
+
+	if (dlabels > fctx->qmin_labels) {
+		fctx->qmin_labels = dlabels + 1;
+	} else {
+		fctx->qmin_labels++;
+	}
+
+	if (fctx->ip6arpaskip) {
+		/*
+		 * For ip6.arpa we want to skip some of the labels, with
+		 * boundaries at /16, /32, /48, /56, /64 and /128
+		 * In 'label count' terms that's equal to
+		 *    7    11   15   17   19      35
+		 * We fix fctx->qmin_labels to point to the nearest boundary
+		 */
+		if (fctx->qmin_labels < 7) {
+			fctx->qmin_labels = 7;
+		} else if (fctx->qmin_labels < 11) {
+			fctx->qmin_labels = 11;
+		} else if (fctx->qmin_labels < 15) {
+			fctx->qmin_labels = 15;
+		} else if (fctx->qmin_labels < 17) {
+			fctx->qmin_labels = 17;
+		} else if (fctx->qmin_labels < 19) {
+			fctx->qmin_labels = 19;
+		} else if (fctx->qmin_labels < 35) {
+			fctx->qmin_labels = 35;
+		} else {
+			fctx->qmin_labels = nlabels;
+		}
+	} else if (fctx->qmin_labels > DNS_QMIN_MAXLABELS) {
+		fctx->qmin_labels = DNS_MAX_LABELS + 1;
+	}
+
+	if (fctx->qmin_labels < nlabels) {
+		/*
+		 * We want to query for qmin_labels from fctx->name
+		 */
+		dns_fixedname_t fname;
+		dns_name_t *name = dns_fixedname_initname(&fname);
+		dns_name_split(&fctx->name, fctx->qmin_labels, NULL,
+			       dns_fixedname_name(&fname));
+		if ((fctx->options & DNS_FETCHOPT_QMIN_USE_A) != 0) {
+			isc_buffer_t dbuf;
+			dns_fixedname_t tmpname;
+			dns_name_t *tname = dns_fixedname_initname(&tmpname);
+			char ndata[DNS_NAME_MAXWIRE];
+
+			isc_buffer_init(&dbuf, ndata, DNS_NAME_MAXWIRE);
+			dns_fixedname_init(&tmpname);
+			result = dns_name_concatenate(&underscore_name, name,
+						      tname, &dbuf);
+			if (result == ISC_R_SUCCESS) {
+				dns_name_dup(tname, fctx->mctx,
+					     &fctx->qminname);
+			}
+			fctx->qmintype = dns_rdatatype_a;
+		} else {
+			dns_name_dup(dns_fixedname_name(&fname), fctx->mctx,
+				     &fctx->qminname);
+			fctx->qmintype = dns_rdatatype_ns;
+		}
+		fctx->minimized = true;
+	} else {
+		/* Minimization is done, we'll ask for whole qname */
+		fctx->qmintype = fctx->type;
+		dns_name_dup(&fctx->name, fctx->mctx, &fctx->qminname);
+		fctx->minimized = false;
+	}
+
+	char domainbuf[DNS_NAME_FORMATSIZE];
+	dns_name_format(&fctx->qminname, domainbuf, sizeof(domainbuf));
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+		      DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(5),
+		      "QNAME minimization - %s minimized, qmintype %d "
+		      "qminname %s",
+		      fctx->minimized ? "" : "not", fctx->qmintype, domainbuf);
+
+	return (result);
+}
+
+isc_result_t
+dns_resolver_createfetch(dns_resolver_t *res, const dns_name_t *name,
+			 dns_rdatatype_t type, const dns_name_t *domain,
+			 dns_rdataset_t *nameservers,
+			 dns_forwarders_t *forwarders,
+			 const isc_sockaddr_t *client, dns_messageid_t id,
+			 unsigned int options, unsigned int depth,
+			 isc_counter_t *qc, isc_task_t *task,
+			 isc_taskaction_t action, void *arg,
+			 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
+			 dns_fetch_t **fetchp) {
+	dns_fetch_t *fetch;
+	fetchctx_t *fctx = NULL;
+	isc_result_t result = ISC_R_SUCCESS;
+	unsigned int bucketnum;
+	bool new_fctx = false;
+	isc_event_t *event;
+	unsigned int count = 0;
+	unsigned int spillat;
+	unsigned int spillatmin;
+	bool dodestroy = false;
+
+	UNUSED(forwarders);
+
+	REQUIRE(VALID_RESOLVER(res));
+	REQUIRE(res->frozen);
+	/* XXXRTH  Check for meta type */
+	if (domain != NULL) {
+		REQUIRE(DNS_RDATASET_VALID(nameservers));
+		REQUIRE(nameservers->type == dns_rdatatype_ns);
+	} else {
+		REQUIRE(nameservers == NULL);
+	}
+	REQUIRE(forwarders == NULL);
+	REQUIRE(!dns_rdataset_isassociated(rdataset));
+	REQUIRE(sigrdataset == NULL || !dns_rdataset_isassociated(sigrdataset));
+	REQUIRE(fetchp != NULL && *fetchp == NULL);
+
+	log_fetch(name, type);
+
+	/*
+	 * XXXRTH  use a mempool?
+	 */
+	fetch = isc_mem_get(res->mctx, sizeof(*fetch));
+	fetch->mctx = NULL;
+	isc_mem_attach(res->mctx, &fetch->mctx);
+
+	bucketnum = dns_name_fullhash(name, false) % res->nbuckets;
+
+	LOCK(&res->lock);
+	spillat = res->spillat;
+	spillatmin = res->spillatmin;
+	UNLOCK(&res->lock);
+	LOCK(&res->buckets[bucketnum].lock);
+
+	if (atomic_load(&res->buckets[bucketnum].exiting)) {
+		result = ISC_R_SHUTTINGDOWN;
+		goto unlock;
+	}
+
+	if ((options & DNS_FETCHOPT_UNSHARED) == 0) {
+		for (fctx = ISC_LIST_HEAD(res->buckets[bucketnum].fctxs);
+		     fctx != NULL; fctx = ISC_LIST_NEXT(fctx, link))
+		{
+			if (fctx_match(fctx, name, type, options)) {
+				break;
+			}
+		}
+	}
+
+	/*
+	 * Is this a duplicate?
+	 */
+	if (fctx != NULL && client != NULL) {
+		dns_fetchevent_t *fevent;
+		for (fevent = ISC_LIST_HEAD(fctx->events); fevent != NULL;
+		     fevent = ISC_LIST_NEXT(fevent, ev_link))
+		{
+			if (fevent->client != NULL && fevent->id == id &&
+			    isc_sockaddr_equal(fevent->client, client))
+			{
+				result = DNS_R_DUPLICATE;
+				goto unlock;
+			}
+			count++;
+		}
+	}
+	if (count >= spillatmin && spillatmin != 0) {
+		INSIST(fctx != NULL);
+		if (count >= spillat) {
+			fctx->spilled = true;
+		}
+		if (fctx->spilled) {
+			result = DNS_R_DROP;
+			goto unlock;
+		}
+	}
+
+	if (fctx == NULL) {
+		result = fctx_create(res, name, type, domain, nameservers,
+				     client, id, options, bucketnum, depth, qc,
+				     &fctx);
+		if (result != ISC_R_SUCCESS) {
+			goto unlock;
+		}
+		new_fctx = true;
+	} else if (fctx->depth > depth) {
+		fctx->depth = depth;
+	}
+
+	result = fctx_join(fctx, task, client, id, action, arg, rdataset,
+			   sigrdataset, fetch);
+
+	if (result == ISC_R_SUCCESS &&
+	    ((options & DNS_FETCHOPT_TRYSTALE_ONTIMEOUT) != 0))
+	{
+		fctx_add_event(fctx, task, client, id, action, arg, fetch,
+			       DNS_EVENT_TRYSTALE);
+	}
+
+	if (new_fctx) {
+		if (result == ISC_R_SUCCESS) {
+			/*
+			 * Launch this fctx.
+			 */
+			event = &fctx->control_event;
+			ISC_EVENT_INIT(event, sizeof(*event), 0, NULL,
+				       DNS_EVENT_FETCHCONTROL, fctx_start, fctx,
+				       NULL, NULL, NULL);
+			isc_task_send(res->buckets[bucketnum].task, &event);
+		} else {
+			/*
+			 * We don't care about the result of fctx_unlink()
+			 * since we know we're not exiting.
+			 */
+			(void)fctx_unlink(fctx);
+			dodestroy = true;
+		}
+	}
+
+unlock:
+	UNLOCK(&res->buckets[bucketnum].lock);
+
+	if (dodestroy) {
+		fctx_destroy(fctx);
+	}
+
+	if (result == ISC_R_SUCCESS) {
+		FTRACE("created");
+		*fetchp = fetch;
+	} else {
+		isc_mem_putanddetach(&fetch->mctx, fetch, sizeof(*fetch));
+	}
+
+	return (result);
+}
+
+void
+dns_resolver_cancelfetch(dns_fetch_t *fetch) {
+	fetchctx_t *fctx;
+	dns_resolver_t *res;
+	dns_fetchevent_t *event = NULL;
+	dns_fetchevent_t *event_trystale = NULL;
+	dns_fetchevent_t *event_fetchdone = NULL;
+
+	REQUIRE(DNS_FETCH_VALID(fetch));
+	fctx = fetch->private;
+	REQUIRE(VALID_FCTX(fctx));
+	res = fctx->res;
+
+	FTRACE("cancelfetch");
+
+	LOCK(&res->buckets[fctx->bucketnum].lock);
+
+	/*
+	 * Find the events for this fetch (as opposed
+	 * to those for other fetches that have joined the same
+	 * fctx) and send them with result = ISC_R_CANCELED.
+	 */
+	if (fctx->state != fetchstate_done) {
+		dns_fetchevent_t *next_event = NULL;
+		for (event = ISC_LIST_HEAD(fctx->events); event != NULL;
+		     event = next_event)
+		{
+			next_event = ISC_LIST_NEXT(event, ev_link);
+			if (event->fetch == fetch) {
+				ISC_LIST_UNLINK(fctx->events, event, ev_link);
+				switch (event->ev_type) {
+				case DNS_EVENT_TRYSTALE:
+					INSIST(event_trystale == NULL);
+					event_trystale = event;
+					break;
+				case DNS_EVENT_FETCHDONE:
+					INSIST(event_fetchdone == NULL);
+					event_fetchdone = event;
+					break;
+				default:
+					UNREACHABLE();
+				}
+				if (event_trystale != NULL &&
+				    event_fetchdone != NULL)
+				{
+					break;
+				}
+			}
+		}
+	}
+	/*
+	 * The "trystale" event must be sent before the "fetchdone" event,
+	 * because the latter clears the "recursing" query attribute, which is
+	 * required by both events (handled by the same callback function).
+	 */
+	if (event_trystale != NULL) {
+		isc_task_t *etask = event_trystale->ev_sender;
+		event_trystale->ev_sender = fctx;
+		event_trystale->result = ISC_R_CANCELED;
+		isc_task_sendanddetach(&etask, ISC_EVENT_PTR(&event_trystale));
+	}
+	if (event_fetchdone != NULL) {
+		isc_task_t *etask = event_fetchdone->ev_sender;
+		event_fetchdone->ev_sender = fctx;
+		event_fetchdone->result = ISC_R_CANCELED;
+		isc_task_sendanddetach(&etask, ISC_EVENT_PTR(&event_fetchdone));
+	}
+
+	/*
+	 * The fctx continues running even if no fetches remain;
+	 * the answer is still cached.
+	 */
+	UNLOCK(&res->buckets[fctx->bucketnum].lock);
+}
+
+void
+dns_resolver_destroyfetch(dns_fetch_t **fetchp) {
+	dns_fetch_t *fetch;
+	dns_resolver_t *res;
+	dns_fetchevent_t *event, *next_event;
+	fetchctx_t *fctx;
+	unsigned int bucketnum;
+	bool bucket_empty;
+
+	REQUIRE(fetchp != NULL);
+	fetch = *fetchp;
+	*fetchp = NULL;
+	REQUIRE(DNS_FETCH_VALID(fetch));
+	fctx = fetch->private;
+	REQUIRE(VALID_FCTX(fctx));
+	res = fctx->res;
+
+	FTRACE("destroyfetch");
+
+	bucketnum = fctx->bucketnum;
+	LOCK(&res->buckets[bucketnum].lock);
+
+	/*
+	 * Sanity check: the caller should have gotten its event before
+	 * trying to destroy the fetch.
+	 */
+	event = NULL;
+	if (fctx->state != fetchstate_done) {
+		for (event = ISC_LIST_HEAD(fctx->events); event != NULL;
+		     event = next_event)
+		{
+			next_event = ISC_LIST_NEXT(event, ev_link);
+			RUNTIME_CHECK(event->fetch != fetch);
+		}
+	}
+
+	bucket_empty = fctx_decreference(fctx);
+	UNLOCK(&res->buckets[bucketnum].lock);
+
+	isc_mem_putanddetach(&fetch->mctx, fetch, sizeof(*fetch));
+
+	if (bucket_empty) {
+		empty_bucket(res);
+	}
+}
+
+void
+dns_resolver_logfetch(dns_fetch_t *fetch, isc_log_t *lctx,
+		      isc_logcategory_t *category, isc_logmodule_t *module,
+		      int level, bool duplicateok) {
+	fetchctx_t *fctx;
+	dns_resolver_t *res;
+	char domainbuf[DNS_NAME_FORMATSIZE];
+
+	REQUIRE(DNS_FETCH_VALID(fetch));
+	fctx = fetch->private;
+	REQUIRE(VALID_FCTX(fctx));
+	res = fctx->res;
+
+	LOCK(&res->buckets[fctx->bucketnum].lock);
+
+	INSIST(fctx->exitline >= 0);
+	if (!fctx->logged || duplicateok) {
+		dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
+		isc_log_write(lctx, category, module, level,
+			      "fetch completed at %s:%d for %s in "
+			      "%" PRIu64 "."
+			      "%06" PRIu64 ": %s/%s "
+			      "[domain:%s,referral:%u,restart:%u,qrysent:%u,"
+			      "timeout:%u,lame:%u,quota:%u,neterr:%u,"
+			      "badresp:%u,adberr:%u,findfail:%u,valfail:%u]",
+			      __FILE__, fctx->exitline, fctx->info,
+			      fctx->duration / US_PER_SEC,
+			      fctx->duration % US_PER_SEC,
+			      isc_result_totext(fctx->result),
+			      isc_result_totext(fctx->vresult), domainbuf,
+			      fctx->referrals, fctx->restarts, fctx->querysent,
+			      fctx->timeouts, fctx->lamecount, fctx->quotacount,
+			      fctx->neterr, fctx->badresp, fctx->adberr,
+			      fctx->findfail, fctx->valfail);
+		fctx->logged = true;
+	}
+
+	UNLOCK(&res->buckets[fctx->bucketnum].lock);
+}
+
+dns_dispatchmgr_t *
+dns_resolver_dispatchmgr(dns_resolver_t *resolver) {
+	REQUIRE(VALID_RESOLVER(resolver));
+	return (resolver->dispatchmgr);
+}
+
+dns_dispatch_t *
+dns_resolver_dispatchv4(dns_resolver_t *resolver) {
+	REQUIRE(VALID_RESOLVER(resolver));
+	return (dns_dispatchset_get(resolver->dispatches4));
+}
+
+dns_dispatch_t *
+dns_resolver_dispatchv6(dns_resolver_t *resolver) {
+	REQUIRE(VALID_RESOLVER(resolver));
+	return (dns_dispatchset_get(resolver->dispatches6));
+}
+
+isc_socketmgr_t *
+dns_resolver_socketmgr(dns_resolver_t *resolver) {
+	REQUIRE(VALID_RESOLVER(resolver));
+	return (resolver->socketmgr);
+}
+
+isc_taskmgr_t *
+dns_resolver_taskmgr(dns_resolver_t *resolver) {
+	REQUIRE(VALID_RESOLVER(resolver));
+	return (resolver->taskmgr);
+}
+
+uint32_t
+dns_resolver_getlamettl(dns_resolver_t *resolver) {
+	REQUIRE(VALID_RESOLVER(resolver));
+	return (resolver->lame_ttl);
+}
+
+void
+dns_resolver_setlamettl(dns_resolver_t *resolver, uint32_t lame_ttl) {
+	REQUIRE(VALID_RESOLVER(resolver));
+	resolver->lame_ttl = lame_ttl;
+}
+
+isc_result_t
+dns_resolver_addalternate(dns_resolver_t *resolver, const isc_sockaddr_t *alt,
+			  const dns_name_t *name, in_port_t port) {
+	alternate_t *a;
+
+	REQUIRE(VALID_RESOLVER(resolver));
+	REQUIRE(!resolver->frozen);
+	REQUIRE((alt == NULL) ^ (name == NULL));
+
+	a = isc_mem_get(resolver->mctx, sizeof(*a));
+	if (alt != NULL) {
+		a->isaddress = true;
+		a->_u.addr = *alt;
+	} else {
+		a->isaddress = false;
+		a->_u._n.port = port;
+		dns_name_init(&a->_u._n.name, NULL);
+		dns_name_dup(name, resolver->mctx, &a->_u._n.name);
+	}
+	ISC_LINK_INIT(a, link);
+	ISC_LIST_APPEND(resolver->alternates, a, link);
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_resolver_setudpsize(dns_resolver_t *resolver, uint16_t udpsize) {
+	REQUIRE(VALID_RESOLVER(resolver));
+	resolver->udpsize = udpsize;
+}
+
+uint16_t
+dns_resolver_getudpsize(dns_resolver_t *resolver) {
+	REQUIRE(VALID_RESOLVER(resolver));
+	return (resolver->udpsize);
+}
+
+void
+dns_resolver_flushbadcache(dns_resolver_t *resolver, const dns_name_t *name) {
+	if (name != NULL) {
+		dns_badcache_flushname(resolver->badcache, name);
+	} else {
+		dns_badcache_flush(resolver->badcache);
+	}
+}
+
+void
+dns_resolver_flushbadnames(dns_resolver_t *resolver, const dns_name_t *name) {
+	dns_badcache_flushtree(resolver->badcache, name);
+}
+
+void
+dns_resolver_addbadcache(dns_resolver_t *resolver, const dns_name_t *name,
+			 dns_rdatatype_t type, isc_time_t *expire) {
+#ifdef ENABLE_AFL
+	if (!dns_fuzzing_resolver)
+#endif /* ifdef ENABLE_AFL */
+	{
+		dns_badcache_add(resolver->badcache, name, type, false, 0,
+				 expire);
+	}
+}
+
+bool
+dns_resolver_getbadcache(dns_resolver_t *resolver, const dns_name_t *name,
+			 dns_rdatatype_t type, isc_time_t *now) {
+	return (dns_badcache_find(resolver->badcache, name, type, NULL, now));
+}
+
+void
+dns_resolver_printbadcache(dns_resolver_t *resolver, FILE *fp) {
+	(void)dns_badcache_print(resolver->badcache, "Bad cache", fp);
+}
+
+static void
+free_algorithm(void *node, void *arg) {
+	unsigned char *algorithms = node;
+	isc_mem_t *mctx = arg;
+
+	isc_mem_put(mctx, algorithms, *algorithms);
+}
+
+void
+dns_resolver_reset_algorithms(dns_resolver_t *resolver) {
+	REQUIRE(VALID_RESOLVER(resolver));
+
+#if USE_ALGLOCK
+	RWLOCK(&resolver->alglock, isc_rwlocktype_write);
+#endif /* if USE_ALGLOCK */
+	if (resolver->algorithms != NULL) {
+		dns_rbt_destroy(&resolver->algorithms);
+	}
+#if USE_ALGLOCK
+	RWUNLOCK(&resolver->alglock, isc_rwlocktype_write);
+#endif /* if USE_ALGLOCK */
+}
+
+isc_result_t
+dns_resolver_disable_algorithm(dns_resolver_t *resolver, const dns_name_t *name,
+			       unsigned int alg) {
+	unsigned int len, mask;
+	unsigned char *tmp;
+	unsigned char *algorithms;
+	isc_result_t result;
+	dns_rbtnode_t *node = NULL;
+
+	/*
+	 * Whether an algorithm is disabled (or not) is stored in a
+	 * per-name bitfield that is stored as the node data of an
+	 * RBT.
+	 */
+
+	REQUIRE(VALID_RESOLVER(resolver));
+	if (alg > 255) {
+		return (ISC_R_RANGE);
+	}
+
+#if USE_ALGLOCK
+	RWLOCK(&resolver->alglock, isc_rwlocktype_write);
+#endif /* if USE_ALGLOCK */
+	if (resolver->algorithms == NULL) {
+		result = dns_rbt_create(resolver->mctx, free_algorithm,
+					resolver->mctx, &resolver->algorithms);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+	}
+
+	len = alg / 8 + 2;
+	mask = 1 << (alg % 8);
+
+	result = dns_rbt_addnode(resolver->algorithms, name, &node);
+
+	if (result == ISC_R_SUCCESS || result == ISC_R_EXISTS) {
+		algorithms = node->data;
+		/*
+		 * If algorithms is set, algorithms[0] contains its
+		 * length.
+		 */
+		if (algorithms == NULL || len > *algorithms) {
+			/*
+			 * If no bitfield exists in the node data, or if
+			 * it is not long enough, allocate a new
+			 * bitfield and copy the old (smaller) bitfield
+			 * into it if one exists.
+			 */
+			tmp = isc_mem_get(resolver->mctx, len);
+			memset(tmp, 0, len);
+			if (algorithms != NULL) {
+				memmove(tmp, algorithms, *algorithms);
+			}
+			tmp[len - 1] |= mask;
+			/* 'tmp[0]' should contain the length of 'tmp'. */
+			*tmp = len;
+			node->data = tmp;
+			/* Free the older bitfield. */
+			if (algorithms != NULL) {
+				isc_mem_put(resolver->mctx, algorithms,
+					    *algorithms);
+			}
+		} else {
+			algorithms[len - 1] |= mask;
+		}
+	}
+	result = ISC_R_SUCCESS;
+cleanup:
+#if USE_ALGLOCK
+	RWUNLOCK(&resolver->alglock, isc_rwlocktype_write);
+#endif /* if USE_ALGLOCK */
+	return (result);
+}
+
+bool
+dns_resolver_algorithm_supported(dns_resolver_t *resolver,
+				 const dns_name_t *name, unsigned int alg) {
+	unsigned int len, mask;
+	unsigned char *algorithms;
+	void *data = NULL;
+	isc_result_t result;
+	bool found = false;
+
+	REQUIRE(VALID_RESOLVER(resolver));
+
+	/*
+	 * DH is unsupported for DNSKEYs, see RFC 4034 sec. A.1.
+	 */
+	if ((alg == DST_ALG_DH) || (alg == DST_ALG_INDIRECT)) {
+		return (false);
+	}
+
+#if USE_ALGLOCK
+	RWLOCK(&resolver->alglock, isc_rwlocktype_read);
+#endif /* if USE_ALGLOCK */
+	if (resolver->algorithms == NULL) {
+		goto unlock;
+	}
+	result = dns_rbt_findname(resolver->algorithms, name, 0, NULL, &data);
+	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
+		len = alg / 8 + 2;
+		mask = 1 << (alg % 8);
+		algorithms = data;
+		if (len <= *algorithms && (algorithms[len - 1] & mask) != 0) {
+			found = true;
+		}
+	}
+unlock:
+#if USE_ALGLOCK
+	RWUNLOCK(&resolver->alglock, isc_rwlocktype_read);
+#endif /* if USE_ALGLOCK */
+	if (found) {
+		return (false);
+	}
+
+	return (dst_algorithm_supported(alg));
+}
+
+static void
+free_digest(void *node, void *arg) {
+	unsigned char *digests = node;
+	isc_mem_t *mctx = arg;
+
+	isc_mem_put(mctx, digests, *digests);
+}
+
+void
+dns_resolver_reset_ds_digests(dns_resolver_t *resolver) {
+	REQUIRE(VALID_RESOLVER(resolver));
+
+#if USE_ALGLOCK
+	RWLOCK(&resolver->alglock, isc_rwlocktype_write);
+#endif /* if USE_ALGLOCK */
+	if (resolver->digests != NULL) {
+		dns_rbt_destroy(&resolver->digests);
+	}
+#if USE_ALGLOCK
+	RWUNLOCK(&resolver->alglock, isc_rwlocktype_write);
+#endif /* if USE_ALGLOCK */
+}
+
+isc_result_t
+dns_resolver_disable_ds_digest(dns_resolver_t *resolver, const dns_name_t *name,
+			       unsigned int digest_type) {
+	unsigned int len, mask;
+	unsigned char *tmp;
+	unsigned char *digests;
+	isc_result_t result;
+	dns_rbtnode_t *node = NULL;
+
+	/*
+	 * Whether a digest is disabled (or not) is stored in a per-name
+	 * bitfield that is stored as the node data of an RBT.
+	 */
+
+	REQUIRE(VALID_RESOLVER(resolver));
+	if (digest_type > 255) {
+		return (ISC_R_RANGE);
+	}
+
+#if USE_ALGLOCK
+	RWLOCK(&resolver->alglock, isc_rwlocktype_write);
+#endif /* if USE_ALGLOCK */
+	if (resolver->digests == NULL) {
+		result = dns_rbt_create(resolver->mctx, free_digest,
+					resolver->mctx, &resolver->digests);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+	}
+
+	len = digest_type / 8 + 2;
+	mask = 1 << (digest_type % 8);
+
+	result = dns_rbt_addnode(resolver->digests, name, &node);
+
+	if (result == ISC_R_SUCCESS || result == ISC_R_EXISTS) {
+		digests = node->data;
+		/* If digests is set, digests[0] contains its length. */
+		if (digests == NULL || len > *digests) {
+			/*
+			 * If no bitfield exists in the node data, or if
+			 * it is not long enough, allocate a new
+			 * bitfield and copy the old (smaller) bitfield
+			 * into it if one exists.
+			 */
+			tmp = isc_mem_get(resolver->mctx, len);
+			memset(tmp, 0, len);
+			if (digests != NULL) {
+				memmove(tmp, digests, *digests);
+			}
+			tmp[len - 1] |= mask;
+			/* tmp[0] should contain the length of 'tmp'. */
+			*tmp = len;
+			node->data = tmp;
+			/* Free the older bitfield. */
+			if (digests != NULL) {
+				isc_mem_put(resolver->mctx, digests, *digests);
+			}
+		} else {
+			digests[len - 1] |= mask;
+		}
+	}
+	result = ISC_R_SUCCESS;
+cleanup:
+#if USE_ALGLOCK
+	RWUNLOCK(&resolver->alglock, isc_rwlocktype_write);
+#endif /* if USE_ALGLOCK */
+	return (result);
+}
+
+bool
+dns_resolver_ds_digest_supported(dns_resolver_t *resolver,
+				 const dns_name_t *name,
+				 unsigned int digest_type) {
+	unsigned int len, mask;
+	unsigned char *digests;
+	void *data = NULL;
+	isc_result_t result;
+	bool found = false;
+
+	REQUIRE(VALID_RESOLVER(resolver));
+
+#if USE_ALGLOCK
+	RWLOCK(&resolver->alglock, isc_rwlocktype_read);
+#endif /* if USE_ALGLOCK */
+	if (resolver->digests == NULL) {
+		goto unlock;
+	}
+	result = dns_rbt_findname(resolver->digests, name, 0, NULL, &data);
+	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
+		len = digest_type / 8 + 2;
+		mask = 1 << (digest_type % 8);
+		digests = data;
+		if (len <= *digests && (digests[len - 1] & mask) != 0) {
+			found = true;
+		}
+	}
+unlock:
+#if USE_ALGLOCK
+	RWUNLOCK(&resolver->alglock, isc_rwlocktype_read);
+#endif /* if USE_ALGLOCK */
+	if (found) {
+		return (false);
+	}
+	return (dst_ds_digest_supported(digest_type));
+}
+
+void
+dns_resolver_resetmustbesecure(dns_resolver_t *resolver) {
+	REQUIRE(VALID_RESOLVER(resolver));
+
+#if USE_MBSLOCK
+	RWLOCK(&resolver->mbslock, isc_rwlocktype_write);
+#endif /* if USE_MBSLOCK */
+	if (resolver->mustbesecure != NULL) {
+		dns_rbt_destroy(&resolver->mustbesecure);
+	}
+#if USE_MBSLOCK
+	RWUNLOCK(&resolver->mbslock, isc_rwlocktype_write);
+#endif /* if USE_MBSLOCK */
+}
+
+static bool yes = true, no = false;
+
+isc_result_t
+dns_resolver_setmustbesecure(dns_resolver_t *resolver, const dns_name_t *name,
+			     bool value) {
+	isc_result_t result;
+
+	REQUIRE(VALID_RESOLVER(resolver));
+
+#if USE_MBSLOCK
+	RWLOCK(&resolver->mbslock, isc_rwlocktype_write);
+#endif /* if USE_MBSLOCK */
+	if (resolver->mustbesecure == NULL) {
+		result = dns_rbt_create(resolver->mctx, NULL, NULL,
+					&resolver->mustbesecure);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+	}
+	result = dns_rbt_addname(resolver->mustbesecure, name,
+				 value ? &yes : &no);
+cleanup:
+#if USE_MBSLOCK
+	RWUNLOCK(&resolver->mbslock, isc_rwlocktype_write);
+#endif /* if USE_MBSLOCK */
+	return (result);
+}
+
+bool
+dns_resolver_getmustbesecure(dns_resolver_t *resolver, const dns_name_t *name) {
+	void *data = NULL;
+	bool value = false;
+	isc_result_t result;
+
+	REQUIRE(VALID_RESOLVER(resolver));
+
+#if USE_MBSLOCK
+	RWLOCK(&resolver->mbslock, isc_rwlocktype_read);
+#endif /* if USE_MBSLOCK */
+	if (resolver->mustbesecure == NULL) {
+		goto unlock;
+	}
+	result = dns_rbt_findname(resolver->mustbesecure, name, 0, NULL, &data);
+	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
+		value = *(bool *)data;
+	}
+unlock:
+#if USE_MBSLOCK
+	RWUNLOCK(&resolver->mbslock, isc_rwlocktype_read);
+#endif /* if USE_MBSLOCK */
+	return (value);
+}
+
+void
+dns_resolver_getclientsperquery(dns_resolver_t *resolver, uint32_t *cur,
+				uint32_t *min, uint32_t *max) {
+	REQUIRE(VALID_RESOLVER(resolver));
+
+	LOCK(&resolver->lock);
+	if (cur != NULL) {
+		*cur = resolver->spillat;
+	}
+	if (min != NULL) {
+		*min = resolver->spillatmin;
+	}
+	if (max != NULL) {
+		*max = resolver->spillatmax;
+	}
+	UNLOCK(&resolver->lock);
+}
+
+void
+dns_resolver_setclientsperquery(dns_resolver_t *resolver, uint32_t min,
+				uint32_t max) {
+	REQUIRE(VALID_RESOLVER(resolver));
+
+	LOCK(&resolver->lock);
+	resolver->spillatmin = resolver->spillat = min;
+	resolver->spillatmax = max;
+	UNLOCK(&resolver->lock);
+}
+
+void
+dns_resolver_setfetchesperzone(dns_resolver_t *resolver, uint32_t clients) {
+	REQUIRE(VALID_RESOLVER(resolver));
+
+	atomic_store_release(&resolver->zspill, clients);
+}
+
+bool
+dns_resolver_getzeronosoattl(dns_resolver_t *resolver) {
+	REQUIRE(VALID_RESOLVER(resolver));
+
+	return (resolver->zero_no_soa_ttl);
+}
+
+void
+dns_resolver_setzeronosoattl(dns_resolver_t *resolver, bool state) {
+	REQUIRE(VALID_RESOLVER(resolver));
+
+	resolver->zero_no_soa_ttl = state;
+}
+
+unsigned int
+dns_resolver_getoptions(dns_resolver_t *resolver) {
+	REQUIRE(VALID_RESOLVER(resolver));
+
+	return (resolver->options);
+}
+
+unsigned int
+dns_resolver_gettimeout(dns_resolver_t *resolver) {
+	REQUIRE(VALID_RESOLVER(resolver));
+
+	return (resolver->query_timeout);
+}
+
+void
+dns_resolver_settimeout(dns_resolver_t *resolver, unsigned int timeout) {
+	REQUIRE(VALID_RESOLVER(resolver));
+
+	if (timeout <= 300) {
+		timeout *= 1000;
+	}
+
+	if (timeout == 0) {
+		timeout = DEFAULT_QUERY_TIMEOUT;
+	}
+	if (timeout > MAXIMUM_QUERY_TIMEOUT) {
+		timeout = MAXIMUM_QUERY_TIMEOUT;
+	}
+	if (timeout < MINIMUM_QUERY_TIMEOUT) {
+		timeout = MINIMUM_QUERY_TIMEOUT;
+	}
+
+	resolver->query_timeout = timeout;
+}
+
+void
+dns_resolver_setquerydscp4(dns_resolver_t *resolver, isc_dscp_t dscp) {
+	REQUIRE(VALID_RESOLVER(resolver));
+
+	resolver->querydscp4 = dscp;
+}
+
+isc_dscp_t
+dns_resolver_getquerydscp4(dns_resolver_t *resolver) {
+	REQUIRE(VALID_RESOLVER(resolver));
+	return (resolver->querydscp4);
+}
+
+void
+dns_resolver_setquerydscp6(dns_resolver_t *resolver, isc_dscp_t dscp) {
+	REQUIRE(VALID_RESOLVER(resolver));
+
+	resolver->querydscp6 = dscp;
+}
+
+isc_dscp_t
+dns_resolver_getquerydscp6(dns_resolver_t *resolver) {
+	REQUIRE(VALID_RESOLVER(resolver));
+	return (resolver->querydscp6);
+}
+
+void
+dns_resolver_setmaxdepth(dns_resolver_t *resolver, unsigned int maxdepth) {
+	REQUIRE(VALID_RESOLVER(resolver));
+	resolver->maxdepth = maxdepth;
+}
+
+unsigned int
+dns_resolver_getmaxdepth(dns_resolver_t *resolver) {
+	REQUIRE(VALID_RESOLVER(resolver));
+	return (resolver->maxdepth);
+}
+
+void
+dns_resolver_setmaxqueries(dns_resolver_t *resolver, unsigned int queries) {
+	REQUIRE(VALID_RESOLVER(resolver));
+	resolver->maxqueries = queries;
+}
+
+unsigned int
+dns_resolver_getmaxqueries(dns_resolver_t *resolver) {
+	REQUIRE(VALID_RESOLVER(resolver));
+	return (resolver->maxqueries);
+}
+
+void
+dns_resolver_dumpfetches(dns_resolver_t *resolver, isc_statsformat_t format,
+			 FILE *fp) {
+	int i;
+
+	REQUIRE(VALID_RESOLVER(resolver));
+	REQUIRE(fp != NULL);
+	REQUIRE(format == isc_statsformat_file);
+
+	for (i = 0; i < RES_DOMAIN_BUCKETS; i++) {
+		fctxcount_t *fc;
+		LOCK(&resolver->dbuckets[i].lock);
+		for (fc = ISC_LIST_HEAD(resolver->dbuckets[i].list); fc != NULL;
+		     fc = ISC_LIST_NEXT(fc, link))
+		{
+			dns_name_print(fc->domain, fp);
+			fprintf(fp, ": %u active (%u spilled, %u allowed)\n",
+				fc->count, fc->dropped, fc->allowed);
+		}
+		UNLOCK(&resolver->dbuckets[i].lock);
+	}
+}
+
+void
+dns_resolver_setquotaresponse(dns_resolver_t *resolver, dns_quotatype_t which,
+			      isc_result_t resp) {
+	REQUIRE(VALID_RESOLVER(resolver));
+	REQUIRE(which == dns_quotatype_zone || which == dns_quotatype_server);
+	REQUIRE(resp == DNS_R_DROP || resp == DNS_R_SERVFAIL);
+
+	resolver->quotaresp[which] = resp;
+}
+
+isc_result_t
+dns_resolver_getquotaresponse(dns_resolver_t *resolver, dns_quotatype_t which) {
+	REQUIRE(VALID_RESOLVER(resolver));
+	REQUIRE(which == dns_quotatype_zone || which == dns_quotatype_server);
+
+	return (resolver->quotaresp[which]);
+}
+
+unsigned int
+dns_resolver_getretryinterval(dns_resolver_t *resolver) {
+	REQUIRE(VALID_RESOLVER(resolver));
+
+	return (resolver->retryinterval);
+}
+
+void
+dns_resolver_setretryinterval(dns_resolver_t *resolver, unsigned int interval) {
+	REQUIRE(VALID_RESOLVER(resolver));
+	REQUIRE(interval > 0);
+
+	resolver->retryinterval = ISC_MIN(interval, 2000);
+}
+
+unsigned int
+dns_resolver_getnonbackofftries(dns_resolver_t *resolver) {
+	REQUIRE(VALID_RESOLVER(resolver));
+
+	return (resolver->nonbackofftries);
+}
+
+void
+dns_resolver_setnonbackofftries(dns_resolver_t *resolver, unsigned int tries) {
+	REQUIRE(VALID_RESOLVER(resolver));
+	REQUIRE(tries > 0);
+
+	resolver->nonbackofftries = tries;
+}
diff --git a/lib/dns/result.c b/lib/dns/result.c
new file mode 100644
index 0000000..9921291
--- /dev/null
+++ b/lib/dns/result.c
@@ -0,0 +1,454 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <isc/once.h>
+#include <isc/util.h>
+
+#include <dns/lib.h>
+#include <dns/result.h>
+
+static const char *text[DNS_R_NRESULTS] = {
+	"label too long", /*%< 0 DNS_R_LABELTOOLONG */
+	"bad escape",	  /*%< 1 DNS_R_BADESCAPE */
+	/*!
+	 * Note that DNS_R_BADBITSTRING and DNS_R_BITSTRINGTOOLONG are
+	 * deprecated.
+	 */
+	"bad bitstring",      /*%< 2 DNS_R_BADBITSTRING */
+	"bitstring too long", /*%< 3 DNS_R_BITSTRINGTOOLONG */
+	"empty label",	      /*%< 4 DNS_R_EMPTYLABEL */
+
+	"bad dotted quad",		    /*%< 5 DNS_R_BADDOTTEDQUAD */
+	"invalid NS owner name (wildcard)", /*%< 6 DNS_R_INVALIDNS */
+	"unknown class/type",		    /*%< 7 DNS_R_UNKNOWN */
+	"bad label type",		    /*%< 8 DNS_R_BADLABELTYPE */
+	"bad compression pointer",	    /*%< 9 DNS_R_BADPOINTER */
+
+	"too many hops",		      /*%< 10 DNS_R_TOOMANYHOPS */
+	"disallowed (by application policy)", /*%< 11 DNS_R_DISALLOWED */
+	"extra input text",		      /*%< 12 DNS_R_EXTRATOKEN */
+	"extra input data",		      /*%< 13 DNS_R_EXTRADATA */
+	"text too long",		      /*%< 14 DNS_R_TEXTTOOLONG */
+
+	"not at top of zone", /*%< 15 DNS_R_NOTZONETOP */
+	"syntax error",	      /*%< 16 DNS_R_SYNTAX */
+	"bad checksum",	      /*%< 17 DNS_R_BADCKSUM */
+	"bad IPv6 address",   /*%< 18 DNS_R_BADAAAA */
+	"no owner",	      /*%< 19 DNS_R_NOOWNER */
+
+	"no ttl",	 /*%< 20 DNS_R_NOTTL */
+	"bad class",	 /*%< 21 DNS_R_BADCLASS */
+	"name too long", /*%< 22 DNS_R_NAMETOOLONG */
+	"partial match", /*%< 23 DNS_R_PARTIALMATCH */
+	"new origin",	 /*%< 24 DNS_R_NEWORIGIN */
+
+	"unchanged",			   /*%< 25 DNS_R_UNCHANGED */
+	"bad ttl",			   /*%< 26 DNS_R_BADTTL */
+	"more data needed/to be rendered", /*%< 27 DNS_R_NOREDATA */
+	"continue",			   /*%< 28 DNS_R_CONTINUE */
+	"delegation",			   /*%< 29 DNS_R_DELEGATION */
+
+	"glue",		/*%< 30 DNS_R_GLUE */
+	"dname",	/*%< 31 DNS_R_DNAME */
+	"cname",	/*%< 32 DNS_R_CNAME */
+	"bad database", /*%< 33 DNS_R_BADDB */
+	"zonecut",	/*%< 34 DNS_R_ZONECUT */
+
+	"bad zone",		/*%< 35 DNS_R_BADZONE */
+	"more data",		/*%< 36 DNS_R_MOREDATA */
+	"up to date",		/*%< 37 DNS_R_UPTODATE */
+	"tsig verify failure",	/*%< 38 DNS_R_TSIGVERIFYFAILURE */
+	"tsig indicates error", /*%< 39 DNS_R_TSIGERRORSET */
+
+	"RRSIG failed to verify",	       /*%< 40 DNS_R_SIGINVALID */
+	"RRSIG has expired",		       /*%< 41 DNS_R_SIGEXPIRED */
+	"RRSIG validity period has not begun", /*%< 42 DNS_R_SIGFUTURE */
+	"key is unauthorized to sign data",    /*%< 43 DNS_R_KEYUNAUTHORIZED */
+	"invalid time",			       /*%< 44 DNS_R_INVALIDTIME */
+
+	"expected a TSIG or SIG(0)",	   /*%< 45 DNS_R_EXPECTEDTSIG */
+	"did not expect a TSIG or SIG(0)", /*%< 46 DNS_R_UNEXPECTEDTSIG */
+	"TKEY is unacceptable",		   /*%< 47 DNS_R_INVALIDTKEY */
+	"hint",				   /*%< 48 DNS_R_HINT */
+	"drop",				   /*%< 49 DNS_R_DROP */
+
+	"zone not loaded",  /*%< 50 DNS_R_NOTLOADED */
+	"ncache nxdomain",  /*%< 51 DNS_R_NCACHENXDOMAIN */
+	"ncache nxrrset",   /*%< 52 DNS_R_NCACHENXRRSET */
+	"wait",		    /*%< 53 DNS_R_WAIT */
+	"not verified yet", /*%< 54 DNS_R_NOTVERIFIEDYET */
+
+	"no identity",	  /*%< 55 DNS_R_NOIDENTITY */
+	"no journal",	  /*%< 56 DNS_R_NOJOURNAL */
+	"alias",	  /*%< 57 DNS_R_ALIAS */
+	"use TCP",	  /*%< 58 DNS_R_USETCP */
+	"no valid RRSIG", /*%< 59 DNS_R_NOVALIDSIG */
+
+	"no valid NSEC",		/*%< 60 DNS_R_NOVALIDNSEC */
+	"insecurity proof failed",	/*%< 61 DNS_R_NOTINSECURE */
+	"unknown service",		/*%< 62 DNS_R_UNKNOWNSERVICE */
+	"recoverable error occurred",	/*%< 63 DNS_R_RECOVERABLE */
+	"unknown opt attribute record", /*%< 64 DNS_R_UNKNOWNOPT */
+
+	"unexpected message id", /*%< 65 DNS_R_UNEXPECTEDID */
+	"seen include file",	 /*%< 66 DNS_R_SEENINCLUDE */
+	"not exact",		 /*%< 67 DNS_R_NOTEXACT */
+	"address blackholed",	 /*%< 68 DNS_R_BLACKHOLED */
+	"bad algorithm",	 /*%< 69 DNS_R_BADALG */
+
+	"invalid use of a meta type",	  /*%< 70 DNS_R_METATYPE */
+	"CNAME and other data",		  /*%< 71 DNS_R_CNAMEANDOTHER */
+	"multiple RRs of singleton type", /*%< 72 DNS_R_SINGLETON */
+	"hint nxrrset",			  /*%< 73 DNS_R_HINTNXRRSET */
+	"no master file configured",	  /*%< 74 DNS_R_NOMASTERFILE */
+
+	"unknown protocol",	     /*%< 75 DNS_R_UNKNOWNPROTO */
+	"clocks are unsynchronized", /*%< 76 DNS_R_CLOCKSKEW */
+	"IXFR failed",		     /*%< 77 DNS_R_BADIXFR */
+	"not authoritative",	     /*%< 78 DNS_R_NOTAUTHORITATIVE */
+	"no valid KEY",		     /*%< 79 DNS_R_NOVALIDKEY */
+
+	"obsolete",	       /*%< 80 DNS_R_OBSOLETE */
+	"already frozen",      /*%< 81 DNS_R_FROZEN */
+	"unknown flag",	       /*%< 82 DNS_R_UNKNOWNFLAG */
+	"expected a response", /*%< 83 DNS_R_EXPECTEDRESPONSE */
+	"no valid DS",	       /*%< 84 DNS_R_NOVALIDDS */
+
+	"NS is an address",	  /*%< 85 DNS_R_NSISADDRESS */
+	"received FORMERR",	  /*%< 86 DNS_R_REMOTEFORMERR */
+	"truncated TCP response", /*%< 87 DNS_R_TRUNCATEDTCP */
+	"lame server detected",	  /*%< 88 DNS_R_LAME */
+	"unexpected RCODE",	  /*%< 89 DNS_R_UNEXPECTEDRCODE */
+
+	"unexpected OPCODE", /*%< 90 DNS_R_UNEXPECTEDOPCODE */
+	"chase DS servers",  /*%< 91 DNS_R_CHASEDSSERVERS */
+	"empty name",	     /*%< 92 DNS_R_EMPTYNAME */
+	"empty wild",	     /*%< 93 DNS_R_EMPTYWILD */
+	"bad bitmap",	     /*%< 94 DNS_R_BADBITMAP */
+
+	"from wildcard",		/*%< 95 DNS_R_FROMWILDCARD */
+	"bad owner name (check-names)", /*%< 96 DNS_R_BADOWNERNAME */
+	"bad name (check-names)",	/*%< 97 DNS_R_BADNAME */
+	"dynamic zone",			/*%< 98 DNS_R_DYNAMIC */
+	"unknown command",		/*%< 99 DNS_R_UNKNOWNCOMMAND */
+
+	"must-be-secure",		       /*%< 100 DNS_R_MUSTBESECURE */
+	"covering NSEC record returned",       /*%< 101 DNS_R_COVERINGNSEC */
+	"MX is an address",		       /*%< 102 DNS_R_MXISADDRESS */
+	"duplicate query",		       /*%< 103 DNS_R_DUPLICATE */
+	"invalid NSEC3 owner name (wildcard)", /*%< 104 DNS_R_INVALIDNSEC3 */
+
+	"not master",	      /*%< 105 DNS_R_NOTMASTER */
+	"broken trust chain", /*%< 106 DNS_R_BROKENCHAIN */
+	"expired",	      /*%< 107 DNS_R_EXPIRED */
+	"not dynamic",	      /*%< 108 DNS_R_NOTDYNAMIC */
+	"bad EUI",	      /*%< 109 DNS_R_BADEUI */
+
+	"covered by negative trust anchor", /*%< 110 DNS_R_NTACOVERED */
+	"bad CDS",			    /*%< 111 DNS_R_BADCDS */
+	"bad CDNSKEY",			    /*%< 112 DNS_R_BADCDNSKEY */
+	"malformed OPT option",		    /*%< 113 DNS_R_OPTERR */
+	"malformed DNSTAP data",	    /*%< 114 DNS_R_BADDNSTAP */
+
+	"TSIG in wrong location",   /*%< 115 DNS_R_BADTSIG */
+	"SIG(0) in wrong location", /*%< 116 DNS_R_BADSIG0 */
+	"too many records",	    /*%< 117 DNS_R_TOOMANYRECORDS */
+	"verify failure",	    /*%< 118 DNS_R_VERIFYFAILURE */
+	"at top of zone",	    /*%< 119 DNS_R_ATZONETOP */
+
+	"no matching key found",	 /*%< 120 DNS_R_NOKEYMATCH */
+	"too many keys matching",	 /*%< 121 DNS_R_TOOMANYKEYS */
+	"key is not actively signing",	 /*%< 122 DNS_R_KEYNOTACTIVE */
+	"NSEC3 iterations out of range", /*%< 123 DNS_R_NSEC3ITERRANGE */
+	"NSEC3 salt length too high",	 /*%< 124 DNS_R_NSEC3SALTRANGE */
+
+	"cannot use NSEC3 with key algorithm", /*%< 125 DNS_R_NSEC3BADALG */
+	"NSEC3 resalt",			       /*%< 126 DNS_R_NSEC3RESALT */
+	"inconsistent resource record",	       /*%< 127 DNS_R_INCONSISTENTRR */
+};
+
+static const char *ids[DNS_R_NRESULTS] = {
+	"DNS_R_LABELTOOLONG",
+	"DNS_R_BADESCAPE",
+	/*!
+	 * Note that DNS_R_BADBITSTRING and DNS_R_BITSTRINGTOOLONG are
+	 * deprecated.
+	 */
+	"DNS_R_BADBITSTRING",
+	"DNS_R_BITSTRINGTOOLONG",
+	"DNS_R_EMPTYLABEL",
+	"DNS_R_BADDOTTEDQUAD",
+	"DNS_R_INVALIDNS",
+	"DNS_R_UNKNOWN",
+	"DNS_R_BADLABELTYPE",
+	"DNS_R_BADPOINTER",
+	"DNS_R_TOOMANYHOPS",
+	"DNS_R_DISALLOWED",
+	"DNS_R_EXTRATOKEN",
+	"DNS_R_EXTRADATA",
+	"DNS_R_TEXTTOOLONG",
+	"DNS_R_NOTZONETOP",
+	"DNS_R_SYNTAX",
+	"DNS_R_BADCKSUM",
+	"DNS_R_BADAAAA",
+	"DNS_R_NOOWNER",
+	"DNS_R_NOTTL",
+	"DNS_R_BADCLASS",
+	"DNS_R_NAMETOOLONG",
+	"DNS_R_PARTIALMATCH",
+	"DNS_R_NEWORIGIN",
+	"DNS_R_UNCHANGED",
+	"DNS_R_BADTTL",
+	"DNS_R_NOREDATA",
+	"DNS_R_CONTINUE",
+	"DNS_R_DELEGATION",
+	"DNS_R_GLUE",
+	"DNS_R_DNAME",
+	"DNS_R_CNAME",
+	"DNS_R_BADDB",
+	"DNS_R_ZONECUT",
+	"DNS_R_BADZONE",
+	"DNS_R_MOREDATA",
+	"DNS_R_UPTODATE",
+	"DNS_R_TSIGVERIFYFAILURE",
+	"DNS_R_TSIGERRORSET",
+	"DNS_R_SIGINVALID",
+	"DNS_R_SIGEXPIRED",
+	"DNS_R_SIGFUTURE",
+	"DNS_R_KEYUNAUTHORIZED",
+	"DNS_R_INVALIDTIME",
+	"DNS_R_EXPECTEDTSIG",
+	"DNS_R_UNEXPECTEDTSIG",
+	"DNS_R_INVALIDTKEY",
+	"DNS_R_HINT",
+	"DNS_R_DROP",
+	"DNS_R_NOTLOADED",
+	"DNS_R_NCACHENXDOMAIN",
+	"DNS_R_NCACHENXRRSET",
+	"DNS_R_WAIT",
+	"DNS_R_NOTVERIFIEDYET",
+	"DNS_R_NOIDENTITY",
+	"DNS_R_NOJOURNAL",
+	"DNS_R_ALIAS",
+	"DNS_R_USETCP",
+	"DNS_R_NOVALIDSIG",
+	"DNS_R_NOVALIDNSEC",
+	"DNS_R_NOTINSECURE",
+	"DNS_R_UNKNOWNSERVICE",
+	"DNS_R_RECOVERABLE",
+	"DNS_R_UNKNOWNOPT",
+	"DNS_R_UNEXPECTEDID",
+	"DNS_R_SEENINCLUDE",
+	"DNS_R_NOTEXACT",
+	"DNS_R_BLACKHOLED",
+	"DNS_R_BADALG",
+	"DNS_R_METATYPE",
+	"DNS_R_CNAMEANDOTHER",
+	"DNS_R_SINGLETON",
+	"DNS_R_HINTNXRRSET",
+	"DNS_R_NOMASTERFILE",
+	"DNS_R_UNKNOWNPROTO",
+	"DNS_R_CLOCKSKEW",
+	"DNS_R_BADIXFR",
+	"DNS_R_NOTAUTHORITATIVE",
+	"DNS_R_NOVALIDKEY",
+	"DNS_R_OBSOLETE",
+	"DNS_R_FROZEN",
+	"DNS_R_UNKNOWNFLAG",
+	"DNS_R_EXPECTEDRESPONSE",
+	"DNS_R_NOVALIDDS",
+	"DNS_R_NSISADDRESS",
+	"DNS_R_REMOTEFORMERR",
+	"DNS_R_TRUNCATEDTCP",
+	"DNS_R_LAME",
+	"DNS_R_UNEXPECTEDRCODE",
+	"DNS_R_UNEXPECTEDOPCODE",
+	"DNS_R_CHASEDSSERVERS",
+	"DNS_R_EMPTYNAME",
+	"DNS_R_EMPTYWILD",
+	"DNS_R_BADBITMAP",
+	"DNS_R_FROMWILDCARD",
+	"DNS_R_BADOWNERNAME",
+	"DNS_R_BADNAME",
+	"DNS_R_DYNAMIC",
+	"DNS_R_UNKNOWNCOMMAND",
+	"DNS_R_MUSTBESECURE",
+	"DNS_R_COVERINGNSEC",
+	"DNS_R_MXISADDRESS",
+	"DNS_R_DUPLICATE",
+	"DNS_R_INVALIDNSEC3",
+	"DNS_R_NOTMASTER",
+	"DNS_R_BROKENCHAIN",
+	"DNS_R_EXPIRED",
+	"DNS_R_NOTDYNAMIC",
+	"DNS_R_BADEUI",
+	"DNS_R_NTACOVERED",
+	"DNS_R_BADCDS",
+	"DNS_R_BADCDNSKEY",
+	"DNS_R_OPTERR",
+	"DNS_R_BADDNSTAP",
+	"DNS_R_BADTSIG",
+	"DNS_R_BADSIG0",
+	"DNS_R_TOOMANYRECORDS",
+	"DNS_R_VERIFYFAILURE",
+	"DNS_R_ATZONETOP",
+	"DNS_R_NOKEYMATCH",
+	"DNS_R_TOOMANYKEYS",
+	"DNS_R_KEYNOTACTIVE",
+	"DNS_R_NSEC3ITERRANGE",
+	"DNS_R_NSEC3SALTRANGE",
+	"DNS_R_NSEC3BADALG",
+	"DNS_R_NSEC3RESALT",
+	"DNS_R_INCONSISTENTRR",
+};
+
+static const char *rcode_text[DNS_R_NRCODERESULTS] = {
+	"NOERROR",  /*%< 0 DNS_R_NOERROR */
+	"FORMERR",  /*%< 1 DNS_R_FORMERR */
+	"SERVFAIL", /*%< 2 DNS_R_SERVFAIL */
+	"NXDOMAIN", /*%< 3 DNS_R_NXDOMAIN */
+	"NOTIMP",   /*%< 4 DNS_R_NOTIMP */
+
+	"REFUSED",  /*%< 5 DNS_R_REFUSED */
+	"YXDOMAIN", /*%< 6 DNS_R_YXDOMAIN */
+	"YXRRSET",  /*%< 7 DNS_R_YXRRSET */
+	"NXRRSET",  /*%< 8 DNS_R_NXRRSET */
+	"NOTAUTH",  /*%< 9 DNS_R_NOTAUTH */
+
+	"NOTZONE",    /*%< 10 DNS_R_NOTZONE */
+	"<rcode 11>", /*%< 11 DNS_R_RCODE11 */
+	"<rcode 12>", /*%< 12 DNS_R_RCODE12 */
+	"<rcode 13>", /*%< 13 DNS_R_RCODE13 */
+	"<rcode 14>", /*%< 14 DNS_R_RCODE14 */
+
+	"<rcode 15>", /*%< 15 DNS_R_RCODE15 */
+	"BADVERS",    /*%< 16 DNS_R_BADVERS */
+};
+
+static const char *rcode_ids[DNS_R_NRCODERESULTS] = {
+	"DNS_R_NOERROR", "DNS_R_FORMERR", "DNS_R_SERVFAIL", "DNS_R_NXDOMAIN",
+	"DNS_R_NOTIMP",	 "DNS_R_REFUSED", "DNS_R_YXDOMAIN", "DNS_R_YXRRSET",
+	"DNS_R_NXRRSET", "DNS_R_NOTAUTH", "DNS_R_NOTZONE",  "DNS_R_RCODE11",
+	"RNS_R_RCODE12", "DNS_R_RCODE13", "DNS_R_RCODE14",  "DNS_R_RCODE15",
+	"DNS_R_BADVERS",
+};
+
+#define DNS_RESULT_RESULTSET	  2
+#define DNS_RESULT_RCODERESULTSET 3
+
+static isc_once_t once = ISC_ONCE_INIT;
+
+static void
+initialize_action(void) {
+	isc_result_t result;
+
+	result = isc_result_register(ISC_RESULTCLASS_DNS, DNS_R_NRESULTS, text,
+				     DNS_RESULT_RESULTSET);
+	if (result == ISC_R_SUCCESS) {
+		result = isc_result_register(ISC_RESULTCLASS_DNSRCODE,
+					     DNS_R_NRCODERESULTS, rcode_text,
+					     DNS_RESULT_RCODERESULTSET);
+	}
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_result_register() failed: %u", result);
+	}
+
+	result = isc_result_registerids(ISC_RESULTCLASS_DNS, DNS_R_NRESULTS,
+					ids, DNS_RESULT_RESULTSET);
+	if (result == ISC_R_SUCCESS) {
+		result = isc_result_registerids(ISC_RESULTCLASS_DNSRCODE,
+						DNS_R_NRCODERESULTS, rcode_ids,
+						DNS_RESULT_RCODERESULTSET);
+	}
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_result_registerids() failed: %u", result);
+	}
+}
+
+static void
+initialize(void) {
+	RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
+}
+
+const char *
+dns_result_totext(isc_result_t result) {
+	initialize();
+
+	return (isc_result_totext(result));
+}
+
+void
+dns_result_register(void) {
+	initialize();
+}
+
+dns_rcode_t
+dns_result_torcode(isc_result_t result) {
+	dns_rcode_t rcode = dns_rcode_servfail;
+
+	if (DNS_RESULT_ISRCODE(result)) {
+		/*
+		 * Rcodes can't be bigger than 12 bits, which is why we
+		 * AND with 0xFFF instead of 0xFFFF.
+		 */
+		return ((dns_rcode_t)((result)&0xFFF));
+	}
+
+	/*
+	 * Try to supply an appropriate rcode.
+	 */
+	switch (result) {
+	case ISC_R_SUCCESS:
+		rcode = dns_rcode_noerror;
+		break;
+	case ISC_R_BADBASE64:
+	case ISC_R_RANGE:
+	case ISC_R_UNEXPECTEDEND:
+	case DNS_R_BADAAAA:
+	/* case DNS_R_BADBITSTRING: deprecated */
+	case DNS_R_BADCKSUM:
+	case DNS_R_BADCLASS:
+	case DNS_R_BADLABELTYPE:
+	case DNS_R_BADPOINTER:
+	case DNS_R_BADTTL:
+	case DNS_R_BADZONE:
+	/* case DNS_R_BITSTRINGTOOLONG: deprecated */
+	case DNS_R_EXTRADATA:
+	case DNS_R_LABELTOOLONG:
+	case DNS_R_NOREDATA:
+	case DNS_R_SYNTAX:
+	case DNS_R_TEXTTOOLONG:
+	case DNS_R_TOOMANYHOPS:
+	case DNS_R_TSIGERRORSET:
+	case DNS_R_UNKNOWN:
+	case DNS_R_NAMETOOLONG:
+	case DNS_R_OPTERR:
+		rcode = dns_rcode_formerr;
+		break;
+	case DNS_R_DISALLOWED:
+		rcode = dns_rcode_refused;
+		break;
+	case DNS_R_TSIGVERIFYFAILURE:
+	case DNS_R_CLOCKSKEW:
+		rcode = dns_rcode_notauth;
+		break;
+	default:
+		rcode = dns_rcode_servfail;
+	}
+
+	return (rcode);
+}
diff --git a/lib/dns/rootns.c b/lib/dns/rootns.c
new file mode 100644
index 0000000..69e2667
--- /dev/null
+++ b/lib/dns/rootns.c
@@ -0,0 +1,566 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <stdbool.h>
+
+#include <isc/buffer.h>
+#include <isc/string.h> /* Required for HP/UX (and others?) */
+#include <isc/util.h>
+
+#include <dns/callbacks.h>
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/fixedname.h>
+#include <dns/log.h>
+#include <dns/master.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/rootns.h>
+#include <dns/view.h>
+
+static char root_ns[] =
+	";\n"
+	"; Internet Root Nameservers\n"
+	";\n"
+	"$TTL 518400\n"
+	".                       518400  IN      NS      A.ROOT-SERVERS.NET.\n"
+	".                       518400  IN      NS      B.ROOT-SERVERS.NET.\n"
+	".                       518400  IN      NS      C.ROOT-SERVERS.NET.\n"
+	".                       518400  IN      NS      D.ROOT-SERVERS.NET.\n"
+	".                       518400  IN      NS      E.ROOT-SERVERS.NET.\n"
+	".                       518400  IN      NS      F.ROOT-SERVERS.NET.\n"
+	".                       518400  IN      NS      G.ROOT-SERVERS.NET.\n"
+	".                       518400  IN      NS      H.ROOT-SERVERS.NET.\n"
+	".                       518400  IN      NS      I.ROOT-SERVERS.NET.\n"
+	".                       518400  IN      NS      J.ROOT-SERVERS.NET.\n"
+	".                       518400  IN      NS      K.ROOT-SERVERS.NET.\n"
+	".                       518400  IN      NS      L.ROOT-SERVERS.NET.\n"
+	".                       518400  IN      NS      M.ROOT-SERVERS.NET.\n"
+	"A.ROOT-SERVERS.NET.     3600000 IN      A       198.41.0.4\n"
+	"A.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:503:BA3E::2:30\n"
+	"B.ROOT-SERVERS.NET.     3600000 IN      A       199.9.14.201\n"
+	"B.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:200::b\n"
+	"C.ROOT-SERVERS.NET.     3600000 IN      A       192.33.4.12\n"
+	"C.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:2::c\n"
+	"D.ROOT-SERVERS.NET.     3600000 IN      A       199.7.91.13\n"
+	"D.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:2d::d\n"
+	"E.ROOT-SERVERS.NET.     3600000 IN      A       192.203.230.10\n"
+	"E.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:a8::e\n"
+	"F.ROOT-SERVERS.NET.     3600000 IN      A       192.5.5.241\n"
+	"F.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:2F::F\n"
+	"G.ROOT-SERVERS.NET.     3600000 IN      A       192.112.36.4\n"
+	"G.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:12::d0d\n"
+	"H.ROOT-SERVERS.NET.     3600000 IN      A       198.97.190.53\n"
+	"H.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:1::53\n"
+	"I.ROOT-SERVERS.NET.     3600000 IN      A       192.36.148.17\n"
+	"I.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:7fe::53\n"
+	"J.ROOT-SERVERS.NET.     3600000 IN      A       192.58.128.30\n"
+	"J.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:503:C27::2:30\n"
+	"K.ROOT-SERVERS.NET.     3600000 IN      A       193.0.14.129\n"
+	"K.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:7FD::1\n"
+	"L.ROOT-SERVERS.NET.     3600000 IN      A       199.7.83.42\n"
+	"L.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:9f::42\n"
+	"M.ROOT-SERVERS.NET.     3600000 IN      A       202.12.27.33\n"
+	"M.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:DC3::35\n";
+
+static isc_result_t
+in_rootns(dns_rdataset_t *rootns, dns_name_t *name) {
+	isc_result_t result;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_ns_t ns;
+
+	if (!dns_rdataset_isassociated(rootns)) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	result = dns_rdataset_first(rootns);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdataset_current(rootns, &rdata);
+		result = dns_rdata_tostruct(&rdata, &ns, NULL);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		if (dns_name_compare(name, &ns.name) == 0) {
+			return (ISC_R_SUCCESS);
+		}
+		result = dns_rdataset_next(rootns);
+		dns_rdata_reset(&rdata);
+	}
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_NOTFOUND;
+	}
+	return (result);
+}
+
+static isc_result_t
+check_node(dns_rdataset_t *rootns, dns_name_t *name,
+	   dns_rdatasetiter_t *rdsiter) {
+	isc_result_t result;
+	dns_rdataset_t rdataset;
+
+	dns_rdataset_init(&rdataset);
+	result = dns_rdatasetiter_first(rdsiter);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdatasetiter_current(rdsiter, &rdataset);
+		switch (rdataset.type) {
+		case dns_rdatatype_a:
+		case dns_rdatatype_aaaa:
+			result = in_rootns(rootns, name);
+			if (result != ISC_R_SUCCESS) {
+				goto cleanup;
+			}
+			break;
+		case dns_rdatatype_ns:
+			if (dns_name_compare(name, dns_rootname) == 0) {
+				break;
+			}
+			FALLTHROUGH;
+		default:
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+		dns_rdataset_disassociate(&rdataset);
+		result = dns_rdatasetiter_next(rdsiter);
+	}
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+	}
+cleanup:
+	if (dns_rdataset_isassociated(&rdataset)) {
+		dns_rdataset_disassociate(&rdataset);
+	}
+	return (result);
+}
+
+static isc_result_t
+check_hints(dns_db_t *db) {
+	isc_result_t result;
+	dns_rdataset_t rootns;
+	dns_dbiterator_t *dbiter = NULL;
+	dns_dbnode_t *node = NULL;
+	isc_stdtime_t now;
+	dns_fixedname_t fixname;
+	dns_name_t *name;
+	dns_rdatasetiter_t *rdsiter = NULL;
+
+	isc_stdtime_get(&now);
+
+	name = dns_fixedname_initname(&fixname);
+
+	dns_rdataset_init(&rootns);
+	(void)dns_db_find(db, dns_rootname, NULL, dns_rdatatype_ns, 0, now,
+			  NULL, name, &rootns, NULL);
+	result = dns_db_createiterator(db, 0, &dbiter);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	result = dns_dbiterator_first(dbiter);
+	while (result == ISC_R_SUCCESS) {
+		result = dns_dbiterator_current(dbiter, &node, name);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+		result = dns_db_allrdatasets(db, node, NULL, 0, now, &rdsiter);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+		result = check_node(&rootns, name, rdsiter);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+		dns_rdatasetiter_destroy(&rdsiter);
+		dns_db_detachnode(db, &node);
+		result = dns_dbiterator_next(dbiter);
+	}
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+	}
+
+cleanup:
+	if (dns_rdataset_isassociated(&rootns)) {
+		dns_rdataset_disassociate(&rootns);
+	}
+	if (rdsiter != NULL) {
+		dns_rdatasetiter_destroy(&rdsiter);
+	}
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+	if (dbiter != NULL) {
+		dns_dbiterator_destroy(&dbiter);
+	}
+	return (result);
+}
+
+isc_result_t
+dns_rootns_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
+		  const char *filename, dns_db_t **target) {
+	isc_result_t result, eresult;
+	isc_buffer_t source;
+	unsigned int len;
+	dns_rdatacallbacks_t callbacks;
+	dns_db_t *db = NULL;
+
+	REQUIRE(target != NULL && *target == NULL);
+
+	result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone,
+			       rdclass, 0, NULL, &db);
+	if (result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+
+	len = strlen(root_ns);
+	isc_buffer_init(&source, root_ns, len);
+	isc_buffer_add(&source, len);
+
+	dns_rdatacallbacks_init(&callbacks);
+	result = dns_db_beginload(db, &callbacks);
+	if (result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+	if (filename != NULL) {
+		/*
+		 * Load the hints from the specified filename.
+		 */
+		result = dns_master_loadfile(filename, &db->origin, &db->origin,
+					     db->rdclass, DNS_MASTER_HINT, 0,
+					     &callbacks, NULL, NULL, db->mctx,
+					     dns_masterformat_text, 0);
+	} else if (rdclass == dns_rdataclass_in) {
+		/*
+		 * Default to using the Internet root servers.
+		 */
+		result = dns_master_loadbuffer(
+			&source, &db->origin, &db->origin, db->rdclass,
+			DNS_MASTER_HINT, &callbacks, db->mctx);
+	} else {
+		result = ISC_R_NOTFOUND;
+	}
+	eresult = dns_db_endload(db, &callbacks);
+	if (result == ISC_R_SUCCESS || result == DNS_R_SEENINCLUDE) {
+		result = eresult;
+	}
+	if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE) {
+		goto failure;
+	}
+	if (check_hints(db) != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_HINTS, ISC_LOG_WARNING,
+			      "extra data in root hints '%s'",
+			      (filename != NULL) ? filename : "<BUILT-IN>");
+	}
+	*target = db;
+	return (ISC_R_SUCCESS);
+
+failure:
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_HINTS,
+		      ISC_LOG_ERROR,
+		      "could not configure root hints from "
+		      "'%s': %s",
+		      (filename != NULL) ? filename : "<BUILT-IN>",
+		      isc_result_totext(result));
+
+	if (db != NULL) {
+		dns_db_detach(&db);
+	}
+
+	return (result);
+}
+
+static void
+report(dns_view_t *view, dns_name_t *name, bool missing, dns_rdata_t *rdata) {
+	const char *viewname = "", *sep = "";
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char typebuf[DNS_RDATATYPE_FORMATSIZE];
+	char databuf[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:123.123.123.123")];
+	isc_buffer_t buffer;
+	isc_result_t result;
+
+	if (strcmp(view->name, "_bind") != 0 &&
+	    strcmp(view->name, "_default") != 0)
+	{
+		viewname = view->name;
+		sep = ": view ";
+	}
+
+	dns_name_format(name, namebuf, sizeof(namebuf));
+	dns_rdatatype_format(rdata->type, typebuf, sizeof(typebuf));
+	isc_buffer_init(&buffer, databuf, sizeof(databuf) - 1);
+	result = dns_rdata_totext(rdata, NULL, &buffer);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	databuf[isc_buffer_usedlength(&buffer)] = '\0';
+
+	if (missing) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_HINTS, ISC_LOG_WARNING,
+			      "checkhints%s%s: %s/%s (%s) missing from hints",
+			      sep, viewname, namebuf, typebuf, databuf);
+	} else {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_HINTS, ISC_LOG_WARNING,
+			      "checkhints%s%s: %s/%s (%s) extra record "
+			      "in hints",
+			      sep, viewname, namebuf, typebuf, databuf);
+	}
+}
+
+static bool
+inrrset(dns_rdataset_t *rrset, dns_rdata_t *rdata) {
+	isc_result_t result;
+	dns_rdata_t current = DNS_RDATA_INIT;
+
+	result = dns_rdataset_first(rrset);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdataset_current(rrset, &current);
+		if (dns_rdata_compare(rdata, &current) == 0) {
+			return (true);
+		}
+		dns_rdata_reset(&current);
+		result = dns_rdataset_next(rrset);
+	}
+	return (false);
+}
+
+/*
+ * Check that the address RRsets match.
+ *
+ * Note we don't complain about missing glue records.
+ */
+
+static void
+check_address_records(dns_view_t *view, dns_db_t *hints, dns_db_t *db,
+		      dns_name_t *name, isc_stdtime_t now) {
+	isc_result_t hresult, rresult, result;
+	dns_rdataset_t hintrrset, rootrrset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_name_t *foundname;
+	dns_fixedname_t fixed;
+
+	dns_rdataset_init(&hintrrset);
+	dns_rdataset_init(&rootrrset);
+	foundname = dns_fixedname_initname(&fixed);
+
+	hresult = dns_db_find(hints, name, NULL, dns_rdatatype_a, 0, now, NULL,
+			      foundname, &hintrrset, NULL);
+	rresult = dns_db_find(db, name, NULL, dns_rdatatype_a,
+			      DNS_DBFIND_GLUEOK, now, NULL, foundname,
+			      &rootrrset, NULL);
+	if (hresult == ISC_R_SUCCESS &&
+	    (rresult == ISC_R_SUCCESS || rresult == DNS_R_GLUE))
+	{
+		result = dns_rdataset_first(&rootrrset);
+		while (result == ISC_R_SUCCESS) {
+			dns_rdata_reset(&rdata);
+			dns_rdataset_current(&rootrrset, &rdata);
+			if (!inrrset(&hintrrset, &rdata)) {
+				report(view, name, true, &rdata);
+			}
+			result = dns_rdataset_next(&rootrrset);
+		}
+		result = dns_rdataset_first(&hintrrset);
+		while (result == ISC_R_SUCCESS) {
+			dns_rdata_reset(&rdata);
+			dns_rdataset_current(&hintrrset, &rdata);
+			if (!inrrset(&rootrrset, &rdata)) {
+				report(view, name, false, &rdata);
+			}
+			result = dns_rdataset_next(&hintrrset);
+		}
+	}
+	if (hresult == ISC_R_NOTFOUND &&
+	    (rresult == ISC_R_SUCCESS || rresult == DNS_R_GLUE))
+	{
+		result = dns_rdataset_first(&rootrrset);
+		while (result == ISC_R_SUCCESS) {
+			dns_rdata_reset(&rdata);
+			dns_rdataset_current(&rootrrset, &rdata);
+			report(view, name, true, &rdata);
+			result = dns_rdataset_next(&rootrrset);
+		}
+	}
+	if (dns_rdataset_isassociated(&rootrrset)) {
+		dns_rdataset_disassociate(&rootrrset);
+	}
+	if (dns_rdataset_isassociated(&hintrrset)) {
+		dns_rdataset_disassociate(&hintrrset);
+	}
+
+	/*
+	 * Check AAAA records.
+	 */
+	hresult = dns_db_find(hints, name, NULL, dns_rdatatype_aaaa, 0, now,
+			      NULL, foundname, &hintrrset, NULL);
+	rresult = dns_db_find(db, name, NULL, dns_rdatatype_aaaa,
+			      DNS_DBFIND_GLUEOK, now, NULL, foundname,
+			      &rootrrset, NULL);
+	if (hresult == ISC_R_SUCCESS &&
+	    (rresult == ISC_R_SUCCESS || rresult == DNS_R_GLUE))
+	{
+		result = dns_rdataset_first(&rootrrset);
+		while (result == ISC_R_SUCCESS) {
+			dns_rdata_reset(&rdata);
+			dns_rdataset_current(&rootrrset, &rdata);
+			if (!inrrset(&hintrrset, &rdata)) {
+				report(view, name, true, &rdata);
+			}
+			dns_rdata_reset(&rdata);
+			result = dns_rdataset_next(&rootrrset);
+		}
+		result = dns_rdataset_first(&hintrrset);
+		while (result == ISC_R_SUCCESS) {
+			dns_rdata_reset(&rdata);
+			dns_rdataset_current(&hintrrset, &rdata);
+			if (!inrrset(&rootrrset, &rdata)) {
+				report(view, name, false, &rdata);
+			}
+			dns_rdata_reset(&rdata);
+			result = dns_rdataset_next(&hintrrset);
+		}
+	}
+	if (hresult == ISC_R_NOTFOUND &&
+	    (rresult == ISC_R_SUCCESS || rresult == DNS_R_GLUE))
+	{
+		result = dns_rdataset_first(&rootrrset);
+		while (result == ISC_R_SUCCESS) {
+			dns_rdata_reset(&rdata);
+			dns_rdataset_current(&rootrrset, &rdata);
+			report(view, name, true, &rdata);
+			dns_rdata_reset(&rdata);
+			result = dns_rdataset_next(&rootrrset);
+		}
+	}
+	if (dns_rdataset_isassociated(&rootrrset)) {
+		dns_rdataset_disassociate(&rootrrset);
+	}
+	if (dns_rdataset_isassociated(&hintrrset)) {
+		dns_rdataset_disassociate(&hintrrset);
+	}
+}
+
+void
+dns_root_checkhints(dns_view_t *view, dns_db_t *hints, dns_db_t *db) {
+	isc_result_t result;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_ns_t ns;
+	dns_rdataset_t hintns, rootns;
+	const char *viewname = "", *sep = "";
+	isc_stdtime_t now;
+	dns_name_t *name;
+	dns_fixedname_t fixed;
+
+	REQUIRE(hints != NULL);
+	REQUIRE(db != NULL);
+	REQUIRE(view != NULL);
+
+	isc_stdtime_get(&now);
+
+	if (strcmp(view->name, "_bind") != 0 &&
+	    strcmp(view->name, "_default") != 0)
+	{
+		viewname = view->name;
+		sep = ": view ";
+	}
+
+	dns_rdataset_init(&hintns);
+	dns_rdataset_init(&rootns);
+	name = dns_fixedname_initname(&fixed);
+
+	result = dns_db_find(hints, dns_rootname, NULL, dns_rdatatype_ns, 0,
+			     now, NULL, name, &hintns, NULL);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_HINTS, ISC_LOG_WARNING,
+			      "checkhints%s%s: unable to get root NS rrset "
+			      "from hints: %s",
+			      sep, viewname, dns_result_totext(result));
+		goto cleanup;
+	}
+
+	result = dns_db_find(db, dns_rootname, NULL, dns_rdatatype_ns, 0, now,
+			     NULL, name, &rootns, NULL);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_HINTS, ISC_LOG_WARNING,
+			      "checkhints%s%s: unable to get root NS rrset "
+			      "from cache: %s",
+			      sep, viewname, dns_result_totext(result));
+		goto cleanup;
+	}
+
+	/*
+	 * Look for missing root NS names.
+	 */
+	result = dns_rdataset_first(&rootns);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdataset_current(&rootns, &rdata);
+		result = dns_rdata_tostruct(&rdata, &ns, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		result = in_rootns(&hintns, &ns.name);
+		if (result != ISC_R_SUCCESS) {
+			char namebuf[DNS_NAME_FORMATSIZE];
+			/* missing from hints */
+			dns_name_format(&ns.name, namebuf, sizeof(namebuf));
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_HINTS, ISC_LOG_WARNING,
+				      "checkhints%s%s: unable to find root "
+				      "NS '%s' in hints",
+				      sep, viewname, namebuf);
+		} else {
+			check_address_records(view, hints, db, &ns.name, now);
+		}
+		dns_rdata_reset(&rdata);
+		result = dns_rdataset_next(&rootns);
+	}
+	if (result != ISC_R_NOMORE) {
+		goto cleanup;
+	}
+
+	/*
+	 * Look for extra root NS names.
+	 */
+	result = dns_rdataset_first(&hintns);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdataset_current(&hintns, &rdata);
+		result = dns_rdata_tostruct(&rdata, &ns, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		result = in_rootns(&rootns, &ns.name);
+		if (result != ISC_R_SUCCESS) {
+			char namebuf[DNS_NAME_FORMATSIZE];
+			/* extra entry in hints */
+			dns_name_format(&ns.name, namebuf, sizeof(namebuf));
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_HINTS, ISC_LOG_WARNING,
+				      "checkhints%s%s: extra NS '%s' in hints",
+				      sep, viewname, namebuf);
+		}
+		dns_rdata_reset(&rdata);
+		result = dns_rdataset_next(&hintns);
+	}
+	if (result != ISC_R_NOMORE) {
+		goto cleanup;
+	}
+
+cleanup:
+	if (dns_rdataset_isassociated(&rootns)) {
+		dns_rdataset_disassociate(&rootns);
+	}
+	if (dns_rdataset_isassociated(&hintns)) {
+		dns_rdataset_disassociate(&hintns);
+	}
+}
diff --git a/lib/dns/rpz.c b/lib/dns/rpz.c
new file mode 100644
index 0000000..20db72f
--- /dev/null
+++ b/lib/dns/rpz.c
@@ -0,0 +1,2891 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/net.h>
+#include <isc/netaddr.h>
+#include <isc/print.h>
+#include <isc/rwlock.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/dnsrps.h>
+#include <dns/events.h>
+#include <dns/fixedname.h>
+#include <dns/log.h>
+#include <dns/rbt.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatastruct.h>
+#include <dns/result.h>
+#include <dns/rpz.h>
+#include <dns/view.h>
+
+/*
+ * Parallel radix trees for databases of response policy IP addresses
+ *
+ * The radix or patricia trees are somewhat specialized to handle response
+ * policy addresses by representing the two sets of IP addresses and name
+ * server IP addresses in a single tree.  One set of IP addresses is
+ * for rpz-ip policies or policies triggered by addresses in A or
+ * AAAA records in responses.
+ * The second set is for rpz-nsip policies or policies triggered by addresses
+ * in A or AAAA records for NS records that are authorities for responses.
+ *
+ * Each leaf indicates that an IP address is listed in the IP address or the
+ * name server IP address policy sub-zone (or both) of the corresponding
+ * response policy zone.  The policy data such as a CNAME or an A record
+ * is kept in the policy zone.  After an IP address has been found in a radix
+ * tree, the node in the policy zone's database is found by converting
+ * the IP address to a domain name in a canonical form.
+ *
+ *
+ * The response policy zone canonical form of an IPv6 address is one of:
+ *	prefix.W.W.W.W.W.W.W.W
+ *	prefix.WORDS.zz
+ *	prefix.WORDS.zz.WORDS
+ *	prefix.zz.WORDS
+ *  where
+ *	prefix	is the prefix length of the IPv6 address between 1 and 128
+ *	W	is a number between 0 and 65535
+ *	WORDS	is one or more numbers W separated with "."
+ *	zz	corresponds to :: in the standard IPv6 text representation
+ *
+ * The canonical form of IPv4 addresses is:
+ *	prefix.B.B.B.B
+ *  where
+ *	prefix	is the prefix length of the address between 1 and 32
+ *	B	is a number between 0 and 255
+ *
+ * Names for IPv4 addresses are distinguished from IPv6 addresses by having
+ * 5 labels all of which are numbers, and a prefix between 1 and 32.
+ */
+
+/*
+ * Nodes hashtable calculation parameters
+ */
+#define DNS_RPZ_HTSIZE_MAX 24
+#define DNS_RPZ_HTSIZE_DIV 3
+
+/*
+ * Maximum number of nodes to process per quantum
+ */
+#define DNS_RPZ_QUANTUM 1024
+
+static void
+dns_rpz_update_from_db(dns_rpz_zone_t *rpz);
+
+static void
+dns_rpz_update_taskaction(isc_task_t *task, isc_event_t *event);
+
+/*
+ * Use a private definition of IPv6 addresses because s6_addr32 is not
+ * always defined and our IPv6 addresses are in non-standard byte order
+ */
+typedef uint32_t dns_rpz_cidr_word_t;
+#define DNS_RPZ_CIDR_WORD_BITS ((int)sizeof(dns_rpz_cidr_word_t) * 8)
+#define DNS_RPZ_CIDR_KEY_BITS  ((int)sizeof(dns_rpz_cidr_key_t) * 8)
+#define DNS_RPZ_CIDR_WORDS     (128 / DNS_RPZ_CIDR_WORD_BITS)
+typedef struct {
+	dns_rpz_cidr_word_t w[DNS_RPZ_CIDR_WORDS];
+} dns_rpz_cidr_key_t;
+
+#define ADDR_V4MAPPED 0xffff
+#define KEY_IS_IPV4(prefix, ip)                                  \
+	((prefix) >= 96 && (ip)->w[0] == 0 && (ip)->w[1] == 0 && \
+	 (ip)->w[2] == ADDR_V4MAPPED)
+
+#define DNS_RPZ_WORD_MASK(b)                   \
+	((b) == 0 ? (dns_rpz_cidr_word_t)(-1)  \
+		  : ((dns_rpz_cidr_word_t)(-1) \
+		     << (DNS_RPZ_CIDR_WORD_BITS - (b))))
+
+/*
+ * Get bit #n from the array of words of an IP address.
+ */
+#define DNS_RPZ_IP_BIT(ip, n)                          \
+	(1 & ((ip)->w[(n) / DNS_RPZ_CIDR_WORD_BITS] >> \
+	      (DNS_RPZ_CIDR_WORD_BITS - 1 - ((n) % DNS_RPZ_CIDR_WORD_BITS))))
+
+/*
+ * A triplet of arrays of bits flagging the existence of
+ * client-IP, IP, and NSIP policy triggers.
+ */
+typedef struct dns_rpz_addr_zbits dns_rpz_addr_zbits_t;
+struct dns_rpz_addr_zbits {
+	dns_rpz_zbits_t client_ip;
+	dns_rpz_zbits_t ip;
+	dns_rpz_zbits_t nsip;
+};
+
+/*
+ * A CIDR or radix tree node.
+ */
+struct dns_rpz_cidr_node {
+	dns_rpz_cidr_node_t *parent;
+	dns_rpz_cidr_node_t *child[2];
+	dns_rpz_cidr_key_t ip;
+	dns_rpz_prefix_t prefix;
+	dns_rpz_addr_zbits_t set;
+	dns_rpz_addr_zbits_t sum;
+};
+
+/*
+ * A pair of arrays of bits flagging the existence of
+ * QNAME and NSDNAME policy triggers.
+ */
+typedef struct dns_rpz_nm_zbits dns_rpz_nm_zbits_t;
+struct dns_rpz_nm_zbits {
+	dns_rpz_zbits_t qname;
+	dns_rpz_zbits_t ns;
+};
+
+/*
+ * The data in a RBT node has two pairs of bits for policy zones.
+ * One pair is for the corresponding name of the node such as example.com
+ * and the other pair is for a wildcard child such as *.example.com.
+ */
+typedef struct dns_rpz_nm_data dns_rpz_nm_data_t;
+struct dns_rpz_nm_data {
+	dns_rpz_nm_zbits_t set;
+	dns_rpz_nm_zbits_t wild;
+};
+
+static void
+rpz_detach(dns_rpz_zone_t **rpzp);
+
+static void
+rpz_detach_rpzs(dns_rpz_zones_t **rpzsp);
+
+#if 0
+/*
+ * Catch a name while debugging.
+ */
+static void
+catch_name(const dns_name_t *src_name, const char *tgt, const char *str) {
+	dns_fixedname_t tgt_namef;
+	dns_name_t *tgt_name;
+
+	tgt_name = dns_fixedname_initname(&tgt_namef);
+	dns_name_fromstring(tgt_name, tgt, DNS_NAME_DOWNCASE, NULL);
+	if (dns_name_equal(src_name, tgt_name)) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
+			      DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL,
+			      "rpz hit failed: %s %s", str, tgt);
+	}
+}
+#endif /* if 0 */
+
+const char *
+dns_rpz_type2str(dns_rpz_type_t type) {
+	switch (type) {
+	case DNS_RPZ_TYPE_CLIENT_IP:
+		return ("CLIENT-IP");
+	case DNS_RPZ_TYPE_QNAME:
+		return ("QNAME");
+	case DNS_RPZ_TYPE_IP:
+		return ("IP");
+	case DNS_RPZ_TYPE_NSIP:
+		return ("NSIP");
+	case DNS_RPZ_TYPE_NSDNAME:
+		return ("NSDNAME");
+	case DNS_RPZ_TYPE_BAD:
+		break;
+	}
+	FATAL_ERROR(__FILE__, __LINE__, "impossible rpz type %d", type);
+	return ("impossible");
+}
+
+dns_rpz_policy_t
+dns_rpz_str2policy(const char *str) {
+	static struct {
+		const char *str;
+		dns_rpz_policy_t policy;
+	} tbl[] = {
+		{ "given", DNS_RPZ_POLICY_GIVEN },
+		{ "disabled", DNS_RPZ_POLICY_DISABLED },
+		{ "passthru", DNS_RPZ_POLICY_PASSTHRU },
+		{ "drop", DNS_RPZ_POLICY_DROP },
+		{ "tcp-only", DNS_RPZ_POLICY_TCP_ONLY },
+		{ "nxdomain", DNS_RPZ_POLICY_NXDOMAIN },
+		{ "nodata", DNS_RPZ_POLICY_NODATA },
+		{ "cname", DNS_RPZ_POLICY_CNAME },
+		{ "no-op", DNS_RPZ_POLICY_PASSTHRU }, /* old passthru */
+	};
+	unsigned int n;
+
+	if (str == NULL) {
+		return (DNS_RPZ_POLICY_ERROR);
+	}
+	for (n = 0; n < sizeof(tbl) / sizeof(tbl[0]); ++n) {
+		if (!strcasecmp(tbl[n].str, str)) {
+			return (tbl[n].policy);
+		}
+	}
+	return (DNS_RPZ_POLICY_ERROR);
+}
+
+const char *
+dns_rpz_policy2str(dns_rpz_policy_t policy) {
+	const char *str;
+
+	switch (policy) {
+	case DNS_RPZ_POLICY_PASSTHRU:
+		str = "PASSTHRU";
+		break;
+	case DNS_RPZ_POLICY_DROP:
+		str = "DROP";
+		break;
+	case DNS_RPZ_POLICY_TCP_ONLY:
+		str = "TCP-ONLY";
+		break;
+	case DNS_RPZ_POLICY_NXDOMAIN:
+		str = "NXDOMAIN";
+		break;
+	case DNS_RPZ_POLICY_NODATA:
+		str = "NODATA";
+		break;
+	case DNS_RPZ_POLICY_RECORD:
+		str = "Local-Data";
+		break;
+	case DNS_RPZ_POLICY_CNAME:
+	case DNS_RPZ_POLICY_WILDCNAME:
+		str = "CNAME";
+		break;
+	case DNS_RPZ_POLICY_MISS:
+		str = "MISS";
+		break;
+	case DNS_RPZ_POLICY_DNS64:
+		str = "DNS64";
+		break;
+	case DNS_RPZ_POLICY_ERROR:
+		str = "ERROR";
+		break;
+	default:
+		UNREACHABLE();
+	}
+	return (str);
+}
+
+/*
+ * Return the bit number of the highest set bit in 'zbit'.
+ * (for example, 0x01 returns 0, 0xFF returns 7, etc.)
+ */
+static int
+zbit_to_num(dns_rpz_zbits_t zbit) {
+	dns_rpz_num_t rpz_num;
+
+	REQUIRE(zbit != 0);
+	rpz_num = 0;
+	if ((zbit & 0xffffffff00000000ULL) != 0) {
+		zbit >>= 32;
+		rpz_num += 32;
+	}
+	if ((zbit & 0xffff0000) != 0) {
+		zbit >>= 16;
+		rpz_num += 16;
+	}
+	if ((zbit & 0xff00) != 0) {
+		zbit >>= 8;
+		rpz_num += 8;
+	}
+	if ((zbit & 0xf0) != 0) {
+		zbit >>= 4;
+		rpz_num += 4;
+	}
+	if ((zbit & 0xc) != 0) {
+		zbit >>= 2;
+		rpz_num += 2;
+	}
+	if ((zbit & 2) != 0) {
+		++rpz_num;
+	}
+	return (rpz_num);
+}
+
+/*
+ * Make a set of bit masks given one or more bits and their type.
+ */
+static void
+make_addr_set(dns_rpz_addr_zbits_t *tgt_set, dns_rpz_zbits_t zbits,
+	      dns_rpz_type_t type) {
+	switch (type) {
+	case DNS_RPZ_TYPE_CLIENT_IP:
+		tgt_set->client_ip = zbits;
+		tgt_set->ip = 0;
+		tgt_set->nsip = 0;
+		break;
+	case DNS_RPZ_TYPE_IP:
+		tgt_set->client_ip = 0;
+		tgt_set->ip = zbits;
+		tgt_set->nsip = 0;
+		break;
+	case DNS_RPZ_TYPE_NSIP:
+		tgt_set->client_ip = 0;
+		tgt_set->ip = 0;
+		tgt_set->nsip = zbits;
+		break;
+	default:
+		UNREACHABLE();
+	}
+}
+
+static void
+make_nm_set(dns_rpz_nm_zbits_t *tgt_set, dns_rpz_num_t rpz_num,
+	    dns_rpz_type_t type) {
+	switch (type) {
+	case DNS_RPZ_TYPE_QNAME:
+		tgt_set->qname = DNS_RPZ_ZBIT(rpz_num);
+		tgt_set->ns = 0;
+		break;
+	case DNS_RPZ_TYPE_NSDNAME:
+		tgt_set->qname = 0;
+		tgt_set->ns = DNS_RPZ_ZBIT(rpz_num);
+		break;
+	default:
+		UNREACHABLE();
+	}
+}
+
+/*
+ * Mark a node and all of its parents as having client-IP, IP, or NSIP data
+ */
+static void
+set_sum_pair(dns_rpz_cidr_node_t *cnode) {
+	dns_rpz_cidr_node_t *child;
+	dns_rpz_addr_zbits_t sum;
+
+	do {
+		sum = cnode->set;
+
+		child = cnode->child[0];
+		if (child != NULL) {
+			sum.client_ip |= child->sum.client_ip;
+			sum.ip |= child->sum.ip;
+			sum.nsip |= child->sum.nsip;
+		}
+
+		child = cnode->child[1];
+		if (child != NULL) {
+			sum.client_ip |= child->sum.client_ip;
+			sum.ip |= child->sum.ip;
+			sum.nsip |= child->sum.nsip;
+		}
+
+		if (cnode->sum.client_ip == sum.client_ip &&
+		    cnode->sum.ip == sum.ip && cnode->sum.nsip == sum.nsip)
+		{
+			break;
+		}
+		cnode->sum = sum;
+		cnode = cnode->parent;
+	} while (cnode != NULL);
+}
+
+/* Caller must hold rpzs->maint_lock */
+static void
+fix_qname_skip_recurse(dns_rpz_zones_t *rpzs) {
+	dns_rpz_zbits_t mask;
+
+	/*
+	 * qname_wait_recurse and qname_skip_recurse are used to
+	 * implement the "qname-wait-recurse" config option.
+	 *
+	 * When "qname-wait-recurse" is yes, no processing happens without
+	 * recursion. In this case, qname_wait_recurse is true, and
+	 * qname_skip_recurse (a bit field indicating which policy zones
+	 * can be processed without recursion) is set to all 0's by
+	 * fix_qname_skip_recurse().
+	 *
+	 * When "qname-wait-recurse" is no, qname_skip_recurse may be
+	 * set to a non-zero value by fix_qname_skip_recurse(). The mask
+	 * has to have bits set for the policy zones for which
+	 * processing may continue without recursion, and bits cleared
+	 * for the rest.
+	 *
+	 * (1) The ARM says:
+	 *
+	 *   The "qname-wait-recurse no" option overrides that default
+	 *   behavior when recursion cannot change a non-error
+	 *   response. The option does not affect QNAME or client-IP
+	 *   triggers in policy zones listed after other zones
+	 *   containing IP, NSIP and NSDNAME triggers, because those may
+	 *   depend on the A, AAAA, and NS records that would be found
+	 *   during recursive resolution.
+	 *
+	 * Let's consider the following:
+	 *
+	 *     zbits_req = (rpzs->have.ipv4 | rpzs->have.ipv6 |
+	 *		    rpzs->have.nsdname |
+	 *		    rpzs->have.nsipv4 | rpzs->have.nsipv6);
+	 *
+	 * zbits_req now contains bits set for zones which require
+	 * recursion.
+	 *
+	 * But going by the description in the ARM, if the first policy
+	 * zone requires recursion, then all zones after that (higher
+	 * order bits) have to wait as well.  If the Nth zone requires
+	 * recursion, then (N+1)th zone onwards all need to wait.
+	 *
+	 * So mapping this, examples:
+	 *
+	 * zbits_req = 0b000  mask = 0xffffffff (no zones have to wait for
+	 *					 recursion)
+	 * zbits_req = 0b001  mask = 0x00000000 (all zones have to wait)
+	 * zbits_req = 0b010  mask = 0x00000001 (the first zone doesn't have to
+	 *					 wait, second zone onwards need
+	 *					 to wait)
+	 * zbits_req = 0b011  mask = 0x00000000 (all zones have to wait)
+	 * zbits_req = 0b100  mask = 0x00000011 (the 1st and 2nd zones don't
+	 *					 have to wait, third zone
+	 *					 onwards need to wait)
+	 *
+	 * More generally, we have to count the number of trailing 0
+	 * bits in zbits_req and only these can be processed without
+	 * recursion. All the rest need to wait.
+	 *
+	 * (2) The ARM says that "qname-wait-recurse no" option
+	 * overrides the default behavior when recursion cannot change a
+	 * non-error response. So, in the order of listing of policy
+	 * zones, within the first policy zone where recursion may be
+	 * required, we should first allow CLIENT-IP and QNAME policy
+	 * records to be attempted without recursion.
+	 */
+
+	/*
+	 * Get a mask covering all policy zones that are not subordinate to
+	 * other policy zones containing triggers that require that the
+	 * qname be resolved before they can be checked.
+	 */
+	rpzs->have.client_ip = rpzs->have.client_ipv4 | rpzs->have.client_ipv6;
+	rpzs->have.ip = rpzs->have.ipv4 | rpzs->have.ipv6;
+	rpzs->have.nsip = rpzs->have.nsipv4 | rpzs->have.nsipv6;
+
+	if (rpzs->p.qname_wait_recurse) {
+		mask = 0;
+	} else {
+		dns_rpz_zbits_t zbits_req;
+		dns_rpz_zbits_t zbits_notreq;
+		dns_rpz_zbits_t mask2;
+		dns_rpz_zbits_t req_mask;
+
+		/*
+		 * Get the masks of zones with policies that
+		 * do/don't require recursion
+		 */
+
+		zbits_req = (rpzs->have.ipv4 | rpzs->have.ipv6 |
+			     rpzs->have.nsdname | rpzs->have.nsipv4 |
+			     rpzs->have.nsipv6);
+		zbits_notreq = (rpzs->have.client_ip | rpzs->have.qname);
+
+		if (zbits_req == 0) {
+			mask = DNS_RPZ_ALL_ZBITS;
+			goto set;
+		}
+
+		/*
+		 * req_mask is a mask covering used bits in
+		 * zbits_req. (For instance, 0b1 => 0b1, 0b101 => 0b111,
+		 * 0b11010101 => 0b11111111).
+		 */
+		req_mask = zbits_req;
+		req_mask |= req_mask >> 1;
+		req_mask |= req_mask >> 2;
+		req_mask |= req_mask >> 4;
+		req_mask |= req_mask >> 8;
+		req_mask |= req_mask >> 16;
+		req_mask |= req_mask >> 32;
+
+		/*
+		 * There's no point in skipping recursion for a later
+		 * zone if it is required in a previous zone.
+		 */
+		if ((zbits_notreq & req_mask) == 0) {
+			mask = 0;
+			goto set;
+		}
+
+		/*
+		 * This bit arithmetic creates a mask of zones in which
+		 * it is okay to skip recursion. After the first zone
+		 * that has to wait for recursion, all the others have
+		 * to wait as well, so we want to create a mask in which
+		 * all the trailing zeroes in zbits_req are are 1, and
+		 * more significant bits are 0. (For instance,
+		 * 0x0700 => 0x00ff, 0x0007 => 0x0000)
+		 */
+		mask = ~(zbits_req | ((~zbits_req) + 1));
+
+		/*
+		 * As mentioned in (2) above, the zone corresponding to
+		 * the least significant zero could have its CLIENT-IP
+		 * and QNAME policies checked before recursion, if it
+		 * has any of those policies.  So if it does, we
+		 * can set its 0 to 1.
+		 *
+		 * Locate the least significant 0 bit in the mask (for
+		 * instance, 0xff => 0x100)...
+		 */
+		mask2 = (mask << 1) & ~mask;
+
+		/*
+		 * Also set the bit for zone 0, because if it's in
+		 * zbits_notreq then it's definitely okay to attempt to
+		 * skip recursion for zone 0...
+		 */
+		mask2 |= 1;
+
+		/* Clear any bits *not* in zbits_notreq... */
+		mask2 &= zbits_notreq;
+
+		/* And merge the result into the skip-recursion mask */
+		mask |= mask2;
+	}
+
+set:
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, DNS_LOGMODULE_RBTDB,
+		      DNS_RPZ_DEBUG_QUIET,
+		      "computed RPZ qname_skip_recurse mask=0x%" PRIx64,
+		      (uint64_t)mask);
+	rpzs->have.qname_skip_recurse = mask;
+}
+
+static void
+adj_trigger_cnt(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
+		dns_rpz_type_t rpz_type, const dns_rpz_cidr_key_t *tgt_ip,
+		dns_rpz_prefix_t tgt_prefix, bool inc) {
+	dns_rpz_trigger_counter_t *cnt = NULL;
+	dns_rpz_zbits_t *have = NULL;
+
+	switch (rpz_type) {
+	case DNS_RPZ_TYPE_CLIENT_IP:
+		REQUIRE(tgt_ip != NULL);
+		if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) {
+			cnt = &rpzs->triggers[rpz_num].client_ipv4;
+			have = &rpzs->have.client_ipv4;
+		} else {
+			cnt = &rpzs->triggers[rpz_num].client_ipv6;
+			have = &rpzs->have.client_ipv6;
+		}
+		break;
+	case DNS_RPZ_TYPE_QNAME:
+		cnt = &rpzs->triggers[rpz_num].qname;
+		have = &rpzs->have.qname;
+		break;
+	case DNS_RPZ_TYPE_IP:
+		REQUIRE(tgt_ip != NULL);
+		if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) {
+			cnt = &rpzs->triggers[rpz_num].ipv4;
+			have = &rpzs->have.ipv4;
+		} else {
+			cnt = &rpzs->triggers[rpz_num].ipv6;
+			have = &rpzs->have.ipv6;
+		}
+		break;
+	case DNS_RPZ_TYPE_NSDNAME:
+		cnt = &rpzs->triggers[rpz_num].nsdname;
+		have = &rpzs->have.nsdname;
+		break;
+	case DNS_RPZ_TYPE_NSIP:
+		REQUIRE(tgt_ip != NULL);
+		if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) {
+			cnt = &rpzs->triggers[rpz_num].nsipv4;
+			have = &rpzs->have.nsipv4;
+		} else {
+			cnt = &rpzs->triggers[rpz_num].nsipv6;
+			have = &rpzs->have.nsipv6;
+		}
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	if (inc) {
+		if (++*cnt == 1U) {
+			*have |= DNS_RPZ_ZBIT(rpz_num);
+			fix_qname_skip_recurse(rpzs);
+		}
+	} else {
+		REQUIRE(*cnt != 0U);
+		if (--*cnt == 0U) {
+			*have &= ~DNS_RPZ_ZBIT(rpz_num);
+			fix_qname_skip_recurse(rpzs);
+		}
+	}
+}
+
+static dns_rpz_cidr_node_t *
+new_node(dns_rpz_zones_t *rpzs, const dns_rpz_cidr_key_t *ip,
+	 dns_rpz_prefix_t prefix, const dns_rpz_cidr_node_t *child) {
+	dns_rpz_cidr_node_t *node;
+	int i, words, wlen;
+
+	node = isc_mem_get(rpzs->mctx, sizeof(*node));
+	memset(node, 0, sizeof(*node));
+
+	if (child != NULL) {
+		node->sum = child->sum;
+	}
+
+	node->prefix = prefix;
+	words = prefix / DNS_RPZ_CIDR_WORD_BITS;
+	wlen = prefix % DNS_RPZ_CIDR_WORD_BITS;
+	i = 0;
+	while (i < words) {
+		node->ip.w[i] = ip->w[i];
+		++i;
+	}
+	if (wlen != 0) {
+		node->ip.w[i] = ip->w[i] & DNS_RPZ_WORD_MASK(wlen);
+		++i;
+	}
+	while (i < DNS_RPZ_CIDR_WORDS) {
+		node->ip.w[i++] = 0;
+	}
+
+	return (node);
+}
+
+static void
+badname(int level, const dns_name_t *name, const char *str1, const char *str2) {
+	char namebuf[DNS_NAME_FORMATSIZE];
+
+	/*
+	 * bin/tests/system/rpz/tests.sh looks for "invalid rpz".
+	 */
+	if (level < DNS_RPZ_DEBUG_QUIET && isc_log_wouldlog(dns_lctx, level)) {
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
+			      DNS_LOGMODULE_RBTDB, level,
+			      "invalid rpz IP address \"%s\"%s%s", namebuf,
+			      str1, str2);
+	}
+}
+
+/*
+ * Convert an IP address from radix tree binary (host byte order) to
+ * to its canonical response policy domain name without the origin of the
+ * policy zone.
+ *
+ * Generate a name for an IPv6 address that fits RFC 5952, except that our
+ * reversed format requires that when the length of the consecutive 16-bit
+ * 0 fields are equal (e.g., 1.0.0.1.0.0.db8.2001 corresponding to
+ * 2001:db8:0:0:1:0:0:1), we shorted the last instead of the first
+ * (e.g., 1.0.0.1.zz.db8.2001 corresponding to 2001:db8::1:0:0:1).
+ */
+static isc_result_t
+ip2name(const dns_rpz_cidr_key_t *tgt_ip, dns_rpz_prefix_t tgt_prefix,
+	const dns_name_t *base_name, dns_name_t *ip_name) {
+#ifndef INET6_ADDRSTRLEN
+#define INET6_ADDRSTRLEN 46
+#endif /* ifndef INET6_ADDRSTRLEN */
+	int w[DNS_RPZ_CIDR_WORDS * 2];
+	char str[1 + 8 + 1 + INET6_ADDRSTRLEN + 1];
+	isc_buffer_t buffer;
+	isc_result_t result;
+	int best_first, best_len, cur_first, cur_len;
+	int i, n, len;
+
+	if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) {
+		len = snprintf(str, sizeof(str), "%u.%u.%u.%u.%u",
+			       tgt_prefix - 96U, tgt_ip->w[3] & 0xffU,
+			       (tgt_ip->w[3] >> 8) & 0xffU,
+			       (tgt_ip->w[3] >> 16) & 0xffU,
+			       (tgt_ip->w[3] >> 24) & 0xffU);
+		if (len < 0 || (size_t)len >= sizeof(str)) {
+			return (ISC_R_FAILURE);
+		}
+	} else {
+		len = snprintf(str, sizeof(str), "%d", tgt_prefix);
+		if (len < 0 || (size_t)len >= sizeof(str)) {
+			return (ISC_R_FAILURE);
+		}
+
+		for (i = 0; i < DNS_RPZ_CIDR_WORDS; i++) {
+			w[i * 2 + 1] =
+				((tgt_ip->w[DNS_RPZ_CIDR_WORDS - 1 - i] >> 16) &
+				 0xffff);
+			w[i * 2] = tgt_ip->w[DNS_RPZ_CIDR_WORDS - 1 - i] &
+				   0xffff;
+		}
+		/*
+		 * Find the start and length of the first longest sequence
+		 * of zeros in the address.
+		 */
+		best_first = -1;
+		best_len = 0;
+		cur_first = -1;
+		cur_len = 0;
+		for (n = 0; n <= 7; ++n) {
+			if (w[n] != 0) {
+				cur_len = 0;
+				cur_first = -1;
+			} else {
+				++cur_len;
+				if (cur_first < 0) {
+					cur_first = n;
+				} else if (cur_len >= best_len) {
+					best_first = cur_first;
+					best_len = cur_len;
+				}
+			}
+		}
+
+		for (n = 0; n <= 7; ++n) {
+			INSIST(len > 0 && (size_t)len < sizeof(str));
+			if (n == best_first) {
+				i = snprintf(str + len, sizeof(str) - len,
+					     ".zz");
+				n += best_len - 1;
+			} else {
+				i = snprintf(str + len, sizeof(str) - len,
+					     ".%x", w[n]);
+			}
+			if (i < 0 || (size_t)i >= (size_t)(sizeof(str) - len)) {
+				return (ISC_R_FAILURE);
+			}
+			len += i;
+		}
+	}
+
+	isc_buffer_init(&buffer, str, sizeof(str));
+	isc_buffer_add(&buffer, len);
+	result = dns_name_fromtext(ip_name, &buffer, base_name, 0, NULL);
+	return (result);
+}
+
+/*
+ * Determine the type of a name in a response policy zone.
+ */
+static dns_rpz_type_t
+type_from_name(const dns_rpz_zones_t *rpzs, dns_rpz_zone_t *rpz,
+	       const dns_name_t *name) {
+	if (dns_name_issubdomain(name, &rpz->ip)) {
+		return (DNS_RPZ_TYPE_IP);
+	}
+
+	if (dns_name_issubdomain(name, &rpz->client_ip)) {
+		return (DNS_RPZ_TYPE_CLIENT_IP);
+	}
+
+	if ((rpzs->p.nsip_on & DNS_RPZ_ZBIT(rpz->num)) != 0 &&
+	    dns_name_issubdomain(name, &rpz->nsip))
+	{
+		return (DNS_RPZ_TYPE_NSIP);
+	}
+
+	if ((rpzs->p.nsdname_on & DNS_RPZ_ZBIT(rpz->num)) != 0 &&
+	    dns_name_issubdomain(name, &rpz->nsdname))
+	{
+		return (DNS_RPZ_TYPE_NSDNAME);
+	}
+
+	return (DNS_RPZ_TYPE_QNAME);
+}
+
+/*
+ * Convert an IP address from canonical response policy domain name form
+ * to radix tree binary (host byte order) for adding or deleting IP or NSIP
+ * data.
+ */
+static isc_result_t
+name2ipkey(int log_level, const dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
+	   dns_rpz_type_t rpz_type, const dns_name_t *src_name,
+	   dns_rpz_cidr_key_t *tgt_ip, dns_rpz_prefix_t *tgt_prefix,
+	   dns_rpz_addr_zbits_t *new_set) {
+	dns_rpz_zone_t *rpz;
+	char ip_str[DNS_NAME_FORMATSIZE], ip2_str[DNS_NAME_FORMATSIZE];
+	dns_offsets_t ip_name_offsets;
+	dns_fixedname_t ip_name2f;
+	dns_name_t ip_name, *ip_name2;
+	const char *prefix_str, *cp, *end;
+	char *cp2;
+	int ip_labels;
+	dns_rpz_prefix_t prefix;
+	unsigned long prefix_num, l;
+	isc_result_t result;
+	int i;
+
+	REQUIRE(rpzs != NULL && rpz_num < rpzs->p.num_zones);
+	rpz = rpzs->zones[rpz_num];
+	REQUIRE(rpz != NULL);
+
+	make_addr_set(new_set, DNS_RPZ_ZBIT(rpz_num), rpz_type);
+
+	ip_labels = dns_name_countlabels(src_name);
+	if (rpz_type == DNS_RPZ_TYPE_QNAME) {
+		ip_labels -= dns_name_countlabels(&rpz->origin);
+	} else {
+		ip_labels -= dns_name_countlabels(&rpz->nsdname);
+	}
+	if (ip_labels < 2) {
+		badname(log_level, src_name, "; too short", "");
+		return (ISC_R_FAILURE);
+	}
+	dns_name_init(&ip_name, ip_name_offsets);
+	dns_name_getlabelsequence(src_name, 0, ip_labels, &ip_name);
+
+	/*
+	 * Get text for the IP address
+	 */
+	dns_name_format(&ip_name, ip_str, sizeof(ip_str));
+	end = &ip_str[strlen(ip_str) + 1];
+	prefix_str = ip_str;
+
+	prefix_num = strtoul(prefix_str, &cp2, 10);
+	if (*cp2 != '.') {
+		badname(log_level, src_name, "; invalid leading prefix length",
+			"");
+		return (ISC_R_FAILURE);
+	}
+	/*
+	 * Patch in trailing nul character to print just the length
+	 * label (for various cases below).
+	 */
+	*cp2 = '\0';
+	if (prefix_num < 1U || prefix_num > 128U) {
+		badname(log_level, src_name, "; invalid prefix length of ",
+			prefix_str);
+		return (ISC_R_FAILURE);
+	}
+	cp = cp2 + 1;
+
+	if (--ip_labels == 4 && !strchr(cp, 'z')) {
+		/*
+		 * Convert an IPv4 address
+		 * from the form "prefix.z.y.x.w"
+		 */
+		if (prefix_num > 32U) {
+			badname(log_level, src_name,
+				"; invalid IPv4 prefix length of ", prefix_str);
+			return (ISC_R_FAILURE);
+		}
+		prefix_num += 96;
+		*tgt_prefix = (dns_rpz_prefix_t)prefix_num;
+		tgt_ip->w[0] = 0;
+		tgt_ip->w[1] = 0;
+		tgt_ip->w[2] = ADDR_V4MAPPED;
+		tgt_ip->w[3] = 0;
+		for (i = 0; i < 32; i += 8) {
+			l = strtoul(cp, &cp2, 10);
+			if (l > 255U || (*cp2 != '.' && *cp2 != '\0')) {
+				if (*cp2 == '.') {
+					*cp2 = '\0';
+				}
+				badname(log_level, src_name,
+					"; invalid IPv4 octet ", cp);
+				return (ISC_R_FAILURE);
+			}
+			tgt_ip->w[3] |= l << i;
+			cp = cp2 + 1;
+		}
+	} else {
+		/*
+		 * Convert a text IPv6 address.
+		 */
+		*tgt_prefix = (dns_rpz_prefix_t)prefix_num;
+		for (i = 0; ip_labels > 0 && i < DNS_RPZ_CIDR_WORDS * 2;
+		     ip_labels--)
+		{
+			if (cp[0] == 'z' && cp[1] == 'z' &&
+			    (cp[2] == '.' || cp[2] == '\0') && i <= 6)
+			{
+				do {
+					if ((i & 1) == 0) {
+						tgt_ip->w[3 - i / 2] = 0;
+					}
+					++i;
+				} while (ip_labels + i <= 8);
+				cp += 3;
+			} else {
+				l = strtoul(cp, &cp2, 16);
+				if (l > 0xffffu ||
+				    (*cp2 != '.' && *cp2 != '\0'))
+				{
+					if (*cp2 == '.') {
+						*cp2 = '\0';
+					}
+					badname(log_level, src_name,
+						"; invalid IPv6 word ", cp);
+					return (ISC_R_FAILURE);
+				}
+				if ((i & 1) == 0) {
+					tgt_ip->w[3 - i / 2] = l;
+				} else {
+					tgt_ip->w[3 - i / 2] |= l << 16;
+				}
+				i++;
+				cp = cp2 + 1;
+			}
+		}
+	}
+	if (cp != end) {
+		badname(log_level, src_name, "", "");
+		return (ISC_R_FAILURE);
+	}
+
+	/*
+	 * Check for 1s after the prefix length.
+	 */
+	prefix = (dns_rpz_prefix_t)prefix_num;
+	while (prefix < DNS_RPZ_CIDR_KEY_BITS) {
+		dns_rpz_cidr_word_t aword;
+
+		i = prefix % DNS_RPZ_CIDR_WORD_BITS;
+		aword = tgt_ip->w[prefix / DNS_RPZ_CIDR_WORD_BITS];
+		if ((aword & ~DNS_RPZ_WORD_MASK(i)) != 0) {
+			badname(log_level, src_name,
+				"; too small prefix length of ", prefix_str);
+			return (ISC_R_FAILURE);
+		}
+		prefix -= i;
+		prefix += DNS_RPZ_CIDR_WORD_BITS;
+	}
+
+	/*
+	 * Complain about bad names but be generous and accept them.
+	 */
+	if (log_level < DNS_RPZ_DEBUG_QUIET &&
+	    isc_log_wouldlog(dns_lctx, log_level))
+	{
+		/*
+		 * Convert the address back to a canonical domain name
+		 * to ensure that the original name is in canonical form.
+		 */
+		ip_name2 = dns_fixedname_initname(&ip_name2f);
+		result = ip2name(tgt_ip, (dns_rpz_prefix_t)prefix_num, NULL,
+				 ip_name2);
+		if (result != ISC_R_SUCCESS ||
+		    !dns_name_equal(&ip_name, ip_name2))
+		{
+			dns_name_format(ip_name2, ip2_str, sizeof(ip2_str));
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
+				      DNS_LOGMODULE_RBTDB, log_level,
+				      "rpz IP address \"%s\""
+				      " is not the canonical \"%s\"",
+				      ip_str, ip2_str);
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Get trigger name and data bits for adding or deleting summary NSDNAME
+ * or QNAME data.
+ */
+static void
+name2data(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, dns_rpz_type_t rpz_type,
+	  const dns_name_t *src_name, dns_name_t *trig_name,
+	  dns_rpz_nm_data_t *new_data) {
+	dns_rpz_zone_t *rpz;
+	dns_offsets_t tmp_name_offsets;
+	dns_name_t tmp_name;
+	unsigned int prefix_len, n;
+
+	REQUIRE(rpzs != NULL && rpz_num < rpzs->p.num_zones);
+	rpz = rpzs->zones[rpz_num];
+	REQUIRE(rpz != NULL);
+
+	/*
+	 * Handle wildcards by putting only the parent into the
+	 * summary RBT.  The summary database only causes a check of the
+	 * real policy zone where wildcards will be handled.
+	 */
+	if (dns_name_iswildcard(src_name)) {
+		prefix_len = 1;
+		memset(&new_data->set, 0, sizeof(new_data->set));
+		make_nm_set(&new_data->wild, rpz_num, rpz_type);
+	} else {
+		prefix_len = 0;
+		make_nm_set(&new_data->set, rpz_num, rpz_type);
+		memset(&new_data->wild, 0, sizeof(new_data->wild));
+	}
+
+	dns_name_init(&tmp_name, tmp_name_offsets);
+	n = dns_name_countlabels(src_name);
+	n -= prefix_len;
+	if (rpz_type == DNS_RPZ_TYPE_QNAME) {
+		n -= dns_name_countlabels(&rpz->origin);
+	} else {
+		n -= dns_name_countlabels(&rpz->nsdname);
+	}
+	dns_name_getlabelsequence(src_name, prefix_len, n, &tmp_name);
+	(void)dns_name_concatenate(&tmp_name, dns_rootname, trig_name, NULL);
+}
+
+#ifndef HAVE_BUILTIN_CLZ
+/**
+ * \brief Count Leading Zeros: Find the location of the left-most set
+ * bit.
+ */
+static unsigned int
+clz(dns_rpz_cidr_word_t w) {
+	unsigned int bit;
+
+	bit = DNS_RPZ_CIDR_WORD_BITS - 1;
+
+	if ((w & 0xffff0000) != 0) {
+		w >>= 16;
+		bit -= 16;
+	}
+
+	if ((w & 0xff00) != 0) {
+		w >>= 8;
+		bit -= 8;
+	}
+
+	if ((w & 0xf0) != 0) {
+		w >>= 4;
+		bit -= 4;
+	}
+
+	if ((w & 0xc) != 0) {
+		w >>= 2;
+		bit -= 2;
+	}
+
+	if ((w & 2) != 0) {
+		--bit;
+	}
+
+	return (bit);
+}
+#endif /* ifndef HAVE_BUILTIN_CLZ */
+
+/*
+ * Find the first differing bit in two keys (IP addresses).
+ */
+static int
+diff_keys(const dns_rpz_cidr_key_t *key1, dns_rpz_prefix_t prefix1,
+	  const dns_rpz_cidr_key_t *key2, dns_rpz_prefix_t prefix2) {
+	dns_rpz_cidr_word_t delta;
+	dns_rpz_prefix_t maxbit, bit;
+	int i;
+
+	bit = 0;
+	maxbit = ISC_MIN(prefix1, prefix2);
+
+	/*
+	 * find the first differing words
+	 */
+	for (i = 0; bit < maxbit; i++, bit += DNS_RPZ_CIDR_WORD_BITS) {
+		delta = key1->w[i] ^ key2->w[i];
+		if (ISC_UNLIKELY(delta != 0)) {
+#ifdef HAVE_BUILTIN_CLZ
+			bit += __builtin_clz(delta);
+#else  /* ifdef HAVE_BUILTIN_CLZ */
+			bit += clz(delta);
+#endif /* ifdef HAVE_BUILTIN_CLZ */
+			break;
+		}
+	}
+	return (ISC_MIN(bit, maxbit));
+}
+
+/*
+ * Given a hit while searching the radix trees,
+ * clear all bits for higher numbered zones.
+ */
+static dns_rpz_zbits_t
+trim_zbits(dns_rpz_zbits_t zbits, dns_rpz_zbits_t found) {
+	dns_rpz_zbits_t x;
+
+	/*
+	 * Isolate the first or smallest numbered hit bit.
+	 * Make a mask of that bit and all smaller numbered bits.
+	 */
+	x = zbits & found;
+	x &= (~x + 1);
+	x = (x << 1) - 1;
+	zbits &= x;
+	return (zbits);
+}
+
+/*
+ * Search a radix tree for an IP address for ordinary lookup
+ *	or for a CIDR block adding or deleting an entry
+ *
+ * Return ISC_R_SUCCESS, DNS_R_PARTIALMATCH, ISC_R_NOTFOUND,
+ *	    and *found=longest match node
+ *	or with create==true, ISC_R_EXISTS or ISC_R_NOMEMORY
+ */
+static isc_result_t
+search(dns_rpz_zones_t *rpzs, const dns_rpz_cidr_key_t *tgt_ip,
+       dns_rpz_prefix_t tgt_prefix, const dns_rpz_addr_zbits_t *tgt_set,
+       bool create, dns_rpz_cidr_node_t **found) {
+	dns_rpz_cidr_node_t *cur, *parent, *child, *new_parent, *sibling;
+	dns_rpz_addr_zbits_t set;
+	int cur_num, child_num;
+	dns_rpz_prefix_t dbit;
+	isc_result_t find_result;
+
+	set = *tgt_set;
+	find_result = ISC_R_NOTFOUND;
+	*found = NULL;
+	cur = rpzs->cidr;
+	parent = NULL;
+	cur_num = 0;
+	for (;;) {
+		if (cur == NULL) {
+			/*
+			 * No child so we cannot go down.
+			 * Quit with whatever we already found
+			 * or add the target as a child of the current parent.
+			 */
+			if (!create) {
+				return (find_result);
+			}
+			child = new_node(rpzs, tgt_ip, tgt_prefix, NULL);
+			if (child == NULL) {
+				return (ISC_R_NOMEMORY);
+			}
+			if (parent == NULL) {
+				rpzs->cidr = child;
+			} else {
+				parent->child[cur_num] = child;
+			}
+			child->parent = parent;
+			child->set.client_ip |= tgt_set->client_ip;
+			child->set.ip |= tgt_set->ip;
+			child->set.nsip |= tgt_set->nsip;
+			set_sum_pair(child);
+			*found = child;
+			return (ISC_R_SUCCESS);
+		}
+
+		if ((cur->sum.client_ip & set.client_ip) == 0 &&
+		    (cur->sum.ip & set.ip) == 0 &&
+		    (cur->sum.nsip & set.nsip) == 0)
+		{
+			/*
+			 * This node has no relevant data
+			 * and is in none of the target trees.
+			 * Pretend it does not exist if we are not adding.
+			 *
+			 * If we are adding, continue down to eventually add
+			 * a node and mark/put this node in the correct tree.
+			 */
+			if (!create) {
+				return (find_result);
+			}
+		}
+
+		dbit = diff_keys(tgt_ip, tgt_prefix, &cur->ip, cur->prefix);
+		/*
+		 * dbit <= tgt_prefix and dbit <= cur->prefix always.
+		 * We are finished searching if we matched all of the target.
+		 */
+		if (dbit == tgt_prefix) {
+			if (tgt_prefix == cur->prefix) {
+				/*
+				 * The node's key matches the target exactly.
+				 */
+				if ((cur->set.client_ip & set.client_ip) != 0 ||
+				    (cur->set.ip & set.ip) != 0 ||
+				    (cur->set.nsip & set.nsip) != 0)
+				{
+					/*
+					 * It is the answer if it has data.
+					 */
+					*found = cur;
+					if (create) {
+						find_result = ISC_R_EXISTS;
+					} else {
+						find_result = ISC_R_SUCCESS;
+					}
+				} else if (create) {
+					/*
+					 * The node lacked relevant data,
+					 * but will have it now.
+					 */
+					cur->set.client_ip |=
+						tgt_set->client_ip;
+					cur->set.ip |= tgt_set->ip;
+					cur->set.nsip |= tgt_set->nsip;
+					set_sum_pair(cur);
+					*found = cur;
+					find_result = ISC_R_SUCCESS;
+				}
+				return (find_result);
+			}
+
+			/*
+			 * We know tgt_prefix < cur->prefix which means that
+			 * the target is shorter than the current node.
+			 * Add the target as the current node's parent.
+			 */
+			if (!create) {
+				return (find_result);
+			}
+
+			new_parent = new_node(rpzs, tgt_ip, tgt_prefix, cur);
+			if (new_parent == NULL) {
+				return (ISC_R_NOMEMORY);
+			}
+			new_parent->parent = parent;
+			if (parent == NULL) {
+				rpzs->cidr = new_parent;
+			} else {
+				parent->child[cur_num] = new_parent;
+			}
+			child_num = DNS_RPZ_IP_BIT(&cur->ip, tgt_prefix);
+			new_parent->child[child_num] = cur;
+			cur->parent = new_parent;
+			new_parent->set = *tgt_set;
+			set_sum_pair(new_parent);
+			*found = new_parent;
+			return (ISC_R_SUCCESS);
+		}
+
+		if (dbit == cur->prefix) {
+			if ((cur->set.client_ip & set.client_ip) != 0 ||
+			    (cur->set.ip & set.ip) != 0 ||
+			    (cur->set.nsip & set.nsip) != 0)
+			{
+				/*
+				 * We have a partial match between of all of the
+				 * current node but only part of the target.
+				 * Continue searching for other hits in the
+				 * same or lower numbered trees.
+				 */
+				find_result = DNS_R_PARTIALMATCH;
+				*found = cur;
+				set.client_ip = trim_zbits(set.client_ip,
+							   cur->set.client_ip);
+				set.ip = trim_zbits(set.ip, cur->set.ip);
+				set.nsip = trim_zbits(set.nsip, cur->set.nsip);
+			}
+			parent = cur;
+			cur_num = DNS_RPZ_IP_BIT(tgt_ip, dbit);
+			cur = cur->child[cur_num];
+			continue;
+		}
+
+		/*
+		 * dbit < tgt_prefix and dbit < cur->prefix,
+		 * so we failed to match both the target and the current node.
+		 * Insert a fork of a parent above the current node and
+		 * add the target as a sibling of the current node
+		 */
+		if (!create) {
+			return (find_result);
+		}
+
+		sibling = new_node(rpzs, tgt_ip, tgt_prefix, NULL);
+		if (sibling == NULL) {
+			return (ISC_R_NOMEMORY);
+		}
+		new_parent = new_node(rpzs, tgt_ip, dbit, cur);
+		if (new_parent == NULL) {
+			isc_mem_put(rpzs->mctx, sibling, sizeof(*sibling));
+			return (ISC_R_NOMEMORY);
+		}
+		new_parent->parent = parent;
+		if (parent == NULL) {
+			rpzs->cidr = new_parent;
+		} else {
+			parent->child[cur_num] = new_parent;
+		}
+		child_num = DNS_RPZ_IP_BIT(tgt_ip, dbit);
+		new_parent->child[child_num] = sibling;
+		new_parent->child[1 - child_num] = cur;
+		cur->parent = new_parent;
+		sibling->parent = new_parent;
+		sibling->set = *tgt_set;
+		set_sum_pair(sibling);
+		*found = sibling;
+		return (ISC_R_SUCCESS);
+	}
+}
+
+/*
+ * Add an IP address to the radix tree.
+ */
+static isc_result_t
+add_cidr(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, dns_rpz_type_t rpz_type,
+	 const dns_name_t *src_name) {
+	dns_rpz_cidr_key_t tgt_ip;
+	dns_rpz_prefix_t tgt_prefix;
+	dns_rpz_addr_zbits_t set;
+	dns_rpz_cidr_node_t *found;
+	isc_result_t result;
+
+	result = name2ipkey(DNS_RPZ_ERROR_LEVEL, rpzs, rpz_num, rpz_type,
+			    src_name, &tgt_ip, &tgt_prefix, &set);
+	/*
+	 * Log complaints about bad owner names but let the zone load.
+	 */
+	if (result != ISC_R_SUCCESS) {
+		return (ISC_R_SUCCESS);
+	}
+
+	result = search(rpzs, &tgt_ip, tgt_prefix, &set, true, &found);
+	if (result != ISC_R_SUCCESS) {
+		char namebuf[DNS_NAME_FORMATSIZE];
+
+		/*
+		 * Do not worry if the radix tree already exists,
+		 * because diff_apply() likes to add nodes before deleting.
+		 */
+		if (result == ISC_R_EXISTS) {
+			return (ISC_R_SUCCESS);
+		}
+
+		/*
+		 * bin/tests/system/rpz/tests.sh looks for "rpz.*failed".
+		 */
+		dns_name_format(src_name, namebuf, sizeof(namebuf));
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
+			      DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL,
+			      "rpz add_cidr(%s) failed: %s", namebuf,
+			      isc_result_totext(result));
+		return (result);
+	}
+
+	adj_trigger_cnt(rpzs, rpz_num, rpz_type, &tgt_ip, tgt_prefix, true);
+	return (result);
+}
+
+static isc_result_t
+add_nm(dns_rpz_zones_t *rpzs, dns_name_t *trig_name,
+       const dns_rpz_nm_data_t *new_data) {
+	dns_rbtnode_t *nmnode;
+	dns_rpz_nm_data_t *nm_data;
+	isc_result_t result;
+
+	nmnode = NULL;
+	result = dns_rbt_addnode(rpzs->rbt, trig_name, &nmnode);
+	switch (result) {
+	case ISC_R_SUCCESS:
+	case ISC_R_EXISTS:
+		nm_data = nmnode->data;
+		if (nm_data == NULL) {
+			nm_data = isc_mem_get(rpzs->mctx, sizeof(*nm_data));
+			*nm_data = *new_data;
+			nmnode->data = nm_data;
+			return (ISC_R_SUCCESS);
+		}
+		break;
+	default:
+		return (result);
+	}
+
+	/*
+	 * Do not count bits that are already present
+	 */
+	if ((nm_data->set.qname & new_data->set.qname) != 0 ||
+	    (nm_data->set.ns & new_data->set.ns) != 0 ||
+	    (nm_data->wild.qname & new_data->wild.qname) != 0 ||
+	    (nm_data->wild.ns & new_data->wild.ns) != 0)
+	{
+		return (ISC_R_EXISTS);
+	}
+
+	nm_data->set.qname |= new_data->set.qname;
+	nm_data->set.ns |= new_data->set.ns;
+	nm_data->wild.qname |= new_data->wild.qname;
+	nm_data->wild.ns |= new_data->wild.ns;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+add_name(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, dns_rpz_type_t rpz_type,
+	 const dns_name_t *src_name) {
+	dns_rpz_nm_data_t new_data;
+	dns_fixedname_t trig_namef;
+	dns_name_t *trig_name;
+	isc_result_t result;
+
+	/*
+	 * We need a summary database of names even with 1 policy zone,
+	 * because wildcard triggers are handled differently.
+	 */
+
+	trig_name = dns_fixedname_initname(&trig_namef);
+	name2data(rpzs, rpz_num, rpz_type, src_name, trig_name, &new_data);
+
+	result = add_nm(rpzs, trig_name, &new_data);
+
+	/*
+	 * Do not worry if the node already exists,
+	 * because diff_apply() likes to add nodes before deleting.
+	 */
+	if (result == ISC_R_EXISTS) {
+		return (ISC_R_SUCCESS);
+	}
+	if (result == ISC_R_SUCCESS) {
+		adj_trigger_cnt(rpzs, rpz_num, rpz_type, NULL, 0, true);
+	}
+	return (result);
+}
+
+/*
+ * Callback to free the data for a node in the summary RBT database.
+ */
+static void
+rpz_node_deleter(void *nm_data, void *mctx) {
+	isc_mem_put(mctx, nm_data, sizeof(dns_rpz_nm_data_t));
+}
+
+/*
+ * Get ready for a new set of policy zones for a view.
+ */
+isc_result_t
+dns_rpz_new_zones(dns_rpz_zones_t **rpzsp, char *rps_cstr, size_t rps_cstr_size,
+		  isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
+		  isc_timermgr_t *timermgr) {
+	dns_rpz_zones_t *zones;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(rpzsp != NULL && *rpzsp == NULL);
+
+	zones = isc_mem_get(mctx, sizeof(*zones));
+	memset(zones, 0, sizeof(*zones));
+
+	isc_rwlock_init(&zones->search_lock, 0, 0);
+	isc_mutex_init(&zones->maint_lock);
+	isc_refcount_init(&zones->refs, 1);
+	isc_refcount_init(&zones->irefs, 1);
+
+	zones->rps_cstr = rps_cstr;
+	zones->rps_cstr_size = rps_cstr_size;
+#ifdef USE_DNSRPS
+	if (rps_cstr != NULL) {
+		result = dns_dnsrps_view_init(zones, rps_cstr);
+	}
+#else  /* ifdef USE_DNSRPS */
+	INSIST(!zones->p.dnsrps_enabled);
+#endif /* ifdef USE_DNSRPS */
+	if (result == ISC_R_SUCCESS && !zones->p.dnsrps_enabled) {
+		result = dns_rbt_create(mctx, rpz_node_deleter, mctx,
+					&zones->rbt);
+	}
+
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_rbt;
+	}
+
+	result = isc_task_create(taskmgr, 0, &zones->updater);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_task;
+	}
+
+	isc_mem_attach(mctx, &zones->mctx);
+	zones->timermgr = timermgr;
+	zones->taskmgr = taskmgr;
+
+	*rpzsp = zones;
+	return (ISC_R_SUCCESS);
+
+cleanup_task:
+	dns_rbt_destroy(&zones->rbt);
+
+cleanup_rbt:
+	isc_refcount_decrementz(&zones->irefs);
+	isc_refcount_destroy(&zones->irefs);
+	isc_refcount_decrementz(&zones->refs);
+	isc_refcount_destroy(&zones->refs);
+	isc_mutex_destroy(&zones->maint_lock);
+	isc_rwlock_destroy(&zones->search_lock);
+	isc_mem_put(mctx, zones, sizeof(*zones));
+
+	return (result);
+}
+
+isc_result_t
+dns_rpz_new_zone(dns_rpz_zones_t *rpzs, dns_rpz_zone_t **rpzp) {
+	dns_rpz_zone_t *zone;
+	isc_result_t result;
+
+	REQUIRE(rpzp != NULL && *rpzp == NULL);
+	REQUIRE(rpzs != NULL);
+	if (rpzs->p.num_zones >= DNS_RPZ_MAX_ZONES) {
+		return (ISC_R_NOSPACE);
+	}
+
+	zone = isc_mem_get(rpzs->mctx, sizeof(*zone));
+
+	memset(zone, 0, sizeof(*zone));
+	isc_refcount_init(&zone->refs, 1);
+
+	result = isc_timer_create(rpzs->timermgr, isc_timertype_inactive, NULL,
+				  NULL, rpzs->updater,
+				  dns_rpz_update_taskaction, zone,
+				  &zone->updatetimer);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_timer;
+	}
+
+	/*
+	 * This will never be used, but costs us nothing and
+	 * simplifies update_from_db
+	 */
+
+	isc_ht_init(&zone->nodes, rpzs->mctx, 1);
+
+	dns_name_init(&zone->origin, NULL);
+	dns_name_init(&zone->client_ip, NULL);
+	dns_name_init(&zone->ip, NULL);
+	dns_name_init(&zone->nsdname, NULL);
+	dns_name_init(&zone->nsip, NULL);
+	dns_name_init(&zone->passthru, NULL);
+	dns_name_init(&zone->drop, NULL);
+	dns_name_init(&zone->tcp_only, NULL);
+	dns_name_init(&zone->cname, NULL);
+
+	isc_time_settoepoch(&zone->lastupdated);
+	zone->updatepending = false;
+	zone->updaterunning = false;
+	zone->db = NULL;
+	zone->dbversion = NULL;
+	zone->updb = NULL;
+	zone->updbversion = NULL;
+	zone->updbit = NULL;
+	isc_refcount_increment(&rpzs->irefs);
+	zone->rpzs = rpzs;
+	zone->db_registered = false;
+	zone->addsoa = true;
+	ISC_EVENT_INIT(&zone->updateevent, sizeof(zone->updateevent), 0, NULL,
+		       0, NULL, NULL, NULL, NULL, NULL);
+
+	zone->num = rpzs->p.num_zones++;
+	rpzs->zones[zone->num] = zone;
+
+	*rpzp = zone;
+
+	return (ISC_R_SUCCESS);
+
+cleanup_timer:
+	isc_refcount_decrementz(&zone->refs);
+	isc_refcount_destroy(&zone->refs);
+
+	isc_mem_put(rpzs->mctx, zone, sizeof(*zone));
+
+	return (result);
+}
+
+isc_result_t
+dns_rpz_dbupdate_callback(dns_db_t *db, void *fn_arg) {
+	dns_rpz_zone_t *zone = (dns_rpz_zone_t *)fn_arg;
+	isc_time_t now;
+	uint64_t tdiff;
+	isc_result_t result = ISC_R_SUCCESS;
+	char dname[DNS_NAME_FORMATSIZE];
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(zone != NULL);
+
+	LOCK(&zone->rpzs->maint_lock);
+
+	/* New zone came as AXFR */
+	if (zone->db != NULL && zone->db != db) {
+		/* We need to clean up the old DB */
+		if (zone->dbversion != NULL) {
+			dns_db_closeversion(zone->db, &zone->dbversion, false);
+		}
+		dns_db_updatenotify_unregister(zone->db,
+					       dns_rpz_dbupdate_callback, zone);
+		dns_db_detach(&zone->db);
+	}
+
+	if (zone->db == NULL) {
+		RUNTIME_CHECK(zone->dbversion == NULL);
+		dns_db_attach(db, &zone->db);
+	}
+
+	if (!zone->updatepending && !zone->updaterunning) {
+		zone->updatepending = true;
+		isc_time_now(&now);
+		tdiff = isc_time_microdiff(&now, &zone->lastupdated) / 1000000;
+		if (tdiff < zone->min_update_interval) {
+			uint64_t defer = zone->min_update_interval - tdiff;
+			isc_interval_t interval;
+			dns_name_format(&zone->origin, dname,
+					DNS_NAME_FORMATSIZE);
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_MASTER, ISC_LOG_INFO,
+				      "rpz: %s: new zone version came "
+				      "too soon, deferring update for "
+				      "%" PRIu64 " seconds",
+				      dname, defer);
+			isc_interval_set(&interval, (unsigned int)defer, 0);
+			dns_db_currentversion(zone->db, &zone->dbversion);
+			result = isc_timer_reset(zone->updatetimer,
+						 isc_timertype_once, NULL,
+						 &interval, true);
+			if (result != ISC_R_SUCCESS) {
+				goto cleanup;
+			}
+		} else {
+			isc_event_t *event;
+
+			dns_db_currentversion(zone->db, &zone->dbversion);
+			INSIST(!ISC_LINK_LINKED(&zone->updateevent, ev_link));
+			ISC_EVENT_INIT(&zone->updateevent,
+				       sizeof(zone->updateevent), 0, NULL,
+				       DNS_EVENT_RPZUPDATED,
+				       dns_rpz_update_taskaction, zone, zone,
+				       NULL, NULL);
+			event = &zone->updateevent;
+			isc_task_send(zone->rpzs->updater, &event);
+		}
+	} else {
+		zone->updatepending = true;
+		dns_name_format(&zone->origin, dname, DNS_NAME_FORMATSIZE);
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTER, ISC_LOG_DEBUG(3),
+			      "rpz: %s: update already queued or running",
+			      dname);
+		if (zone->dbversion != NULL) {
+			dns_db_closeversion(zone->db, &zone->dbversion, false);
+		}
+		dns_db_currentversion(zone->db, &zone->dbversion);
+	}
+
+cleanup:
+	UNLOCK(&zone->rpzs->maint_lock);
+
+	return (result);
+}
+
+static void
+dns_rpz_update_taskaction(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result;
+	dns_rpz_zone_t *zone;
+
+	REQUIRE(event != NULL);
+	REQUIRE(event->ev_arg != NULL);
+
+	UNUSED(task);
+	zone = (dns_rpz_zone_t *)event->ev_arg;
+	isc_event_free(&event);
+	LOCK(&zone->rpzs->maint_lock);
+	zone->updatepending = false;
+	zone->updaterunning = true;
+	dns_rpz_update_from_db(zone);
+	result = isc_timer_reset(zone->updatetimer, isc_timertype_inactive,
+				 NULL, NULL, true);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	result = isc_time_now(&zone->lastupdated);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	UNLOCK(&zone->rpzs->maint_lock);
+}
+
+static isc_result_t
+setup_update(dns_rpz_zone_t *rpz) {
+	isc_result_t result;
+	char domain[DNS_NAME_FORMATSIZE];
+	unsigned int nodecount;
+	uint32_t hashsize;
+
+	dns_name_format(&rpz->origin, domain, DNS_NAME_FORMATSIZE);
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_MASTER,
+		      ISC_LOG_INFO, "rpz: %s: reload start", domain);
+
+	nodecount = dns_db_nodecount(rpz->updb);
+	hashsize = 1;
+	while (nodecount != 0 &&
+	       hashsize <= (DNS_RPZ_HTSIZE_MAX + DNS_RPZ_HTSIZE_DIV))
+	{
+		hashsize++;
+		nodecount >>= 1;
+	}
+
+	if (hashsize > DNS_RPZ_HTSIZE_DIV) {
+		hashsize -= DNS_RPZ_HTSIZE_DIV;
+	}
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_MASTER,
+		      ISC_LOG_DEBUG(1), "rpz: %s: using hashtable size %d",
+		      domain, hashsize);
+
+	isc_ht_init(&rpz->newnodes, rpz->rpzs->mctx, hashsize);
+
+	result = dns_db_createiterator(rpz->updb, DNS_DB_NONSEC3, &rpz->updbit);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTER, ISC_LOG_ERROR,
+			      "rpz: %s: failed to create DB iterator - %s",
+			      domain, isc_result_totext(result));
+		goto cleanup;
+	}
+
+	result = dns_dbiterator_first(rpz->updbit);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTER, ISC_LOG_ERROR,
+			      "rpz: %s: failed to get db iterator - %s", domain,
+			      isc_result_totext(result));
+		goto cleanup;
+	}
+
+	result = dns_dbiterator_pause(rpz->updbit);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTER, ISC_LOG_ERROR,
+			      "rpz: %s: failed to pause db iterator - %s",
+			      domain, isc_result_totext(result));
+		goto cleanup;
+	}
+
+cleanup:
+	if (result != ISC_R_SUCCESS) {
+		if (rpz->updbit != NULL) {
+			dns_dbiterator_destroy(&rpz->updbit);
+		}
+		if (rpz->newnodes != NULL) {
+			isc_ht_destroy(&rpz->newnodes);
+		}
+		dns_db_closeversion(rpz->updb, &rpz->updbversion, false);
+	}
+
+	return (result);
+}
+
+static void
+finish_update(dns_rpz_zone_t *rpz) {
+	LOCK(&rpz->rpzs->maint_lock);
+	rpz->updaterunning = false;
+
+	/*
+	 * If there's an update pending, schedule it.
+	 */
+	if (rpz->updatepending) {
+		if (rpz->min_update_interval > 0) {
+			uint64_t defer = rpz->min_update_interval;
+			char dname[DNS_NAME_FORMATSIZE];
+			isc_interval_t interval;
+
+			dns_name_format(&rpz->origin, dname,
+					DNS_NAME_FORMATSIZE);
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_MASTER, ISC_LOG_INFO,
+				      "rpz: %s: new zone version came "
+				      "too soon, deferring update for "
+				      "%" PRIu64 " seconds",
+				      dname, defer);
+			isc_interval_set(&interval, (unsigned int)defer, 0);
+			isc_timer_reset(rpz->updatetimer, isc_timertype_once,
+					NULL, &interval, true);
+		} else {
+			isc_event_t *event = NULL;
+			INSIST(!ISC_LINK_LINKED(&rpz->updateevent, ev_link));
+			ISC_EVENT_INIT(&rpz->updateevent,
+				       sizeof(rpz->updateevent), 0, NULL,
+				       DNS_EVENT_RPZUPDATED,
+				       dns_rpz_update_taskaction, rpz, rpz,
+				       NULL, NULL);
+			event = &rpz->updateevent;
+			isc_task_send(rpz->rpzs->updater, &event);
+		}
+	}
+	UNLOCK(&rpz->rpzs->maint_lock);
+}
+
+static void
+cleanup_quantum(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result = ISC_R_SUCCESS;
+	char domain[DNS_NAME_FORMATSIZE];
+	dns_rpz_zone_t *rpz = NULL;
+	isc_ht_iter_t *iter = NULL;
+	dns_fixedname_t fname;
+	dns_name_t *name = NULL;
+	int count = 0;
+
+	UNUSED(task);
+
+	REQUIRE(event != NULL);
+	REQUIRE(event->ev_sender != NULL);
+
+	rpz = (dns_rpz_zone_t *)event->ev_sender;
+	iter = (isc_ht_iter_t *)event->ev_arg;
+	isc_event_free(&event);
+
+	if (iter == NULL) {
+		/*
+		 * Iterate over old ht with existing nodes deleted to
+		 * delete deleted nodes from RPZ
+		 */
+		isc_ht_iter_create(rpz->nodes, &iter);
+	}
+
+	name = dns_fixedname_initname(&fname);
+
+	LOCK(&rpz->rpzs->maint_lock);
+
+	/* Check that we aren't shutting down. */
+	if (rpz->rpzs->zones[rpz->num] == NULL) {
+		UNLOCK(&rpz->rpzs->maint_lock);
+		goto cleanup;
+	}
+
+	for (result = isc_ht_iter_first(iter);
+	     result == ISC_R_SUCCESS && count++ < DNS_RPZ_QUANTUM;
+	     result = isc_ht_iter_delcurrent_next(iter))
+	{
+		isc_region_t region;
+		unsigned char *key = NULL;
+		size_t keysize;
+
+		isc_ht_iter_currentkey(iter, &key, &keysize);
+		region.base = key;
+		region.length = (unsigned int)keysize;
+		dns_name_fromregion(name, &region);
+		dns_rpz_delete(rpz->rpzs, rpz->num, name);
+	}
+
+	if (result == ISC_R_SUCCESS) {
+		isc_event_t *nevent = NULL;
+
+		/*
+		 * We finished a quantum; trigger the next one and return.
+		 */
+
+		INSIST(!ISC_LINK_LINKED(&rpz->updateevent, ev_link));
+		ISC_EVENT_INIT(&rpz->updateevent, sizeof(rpz->updateevent), 0,
+			       NULL, DNS_EVENT_RPZUPDATED, cleanup_quantum,
+			       iter, rpz, NULL, NULL);
+		nevent = &rpz->updateevent;
+		isc_task_send(rpz->rpzs->updater, &nevent);
+		UNLOCK(&rpz->rpzs->maint_lock);
+		return;
+	} else if (result == ISC_R_NOMORE) {
+		isc_ht_t *tmpht = NULL;
+
+		/*
+		 * Done with cleanup of deleted nodes; finalize
+		 * the update.
+		 */
+		tmpht = rpz->nodes;
+		rpz->nodes = rpz->newnodes;
+		rpz->newnodes = tmpht;
+
+		UNLOCK(&rpz->rpzs->maint_lock);
+		finish_update(rpz);
+		dns_name_format(&rpz->origin, domain, DNS_NAME_FORMATSIZE);
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTER, ISC_LOG_INFO,
+			      "rpz: %s: reload done", domain);
+	} else {
+		UNLOCK(&rpz->rpzs->maint_lock);
+	}
+
+	/*
+	 * If we're here, we're finished or something went wrong.
+	 */
+cleanup:
+	if (iter != NULL) {
+		isc_ht_iter_destroy(&iter);
+	}
+	if (rpz->newnodes != NULL) {
+		isc_ht_destroy(&rpz->newnodes);
+	}
+	dns_db_closeversion(rpz->updb, &rpz->updbversion, false);
+	dns_db_detach(&rpz->updb);
+	rpz_detach(&rpz);
+}
+
+static void
+update_quantum(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_dbnode_t *node = NULL;
+	dns_rpz_zone_t *rpz = NULL;
+	char domain[DNS_NAME_FORMATSIZE];
+	dns_fixedname_t fixname;
+	dns_name_t *name = NULL;
+	isc_event_t *nevent = NULL;
+	int count = 0;
+
+	UNUSED(task);
+
+	REQUIRE(event != NULL);
+	REQUIRE(event->ev_arg != NULL);
+
+	rpz = (dns_rpz_zone_t *)event->ev_arg;
+	isc_event_free(&event);
+
+	REQUIRE(rpz->updbit != NULL);
+	REQUIRE(rpz->newnodes != NULL);
+
+	name = dns_fixedname_initname(&fixname);
+
+	dns_name_format(&rpz->origin, domain, DNS_NAME_FORMATSIZE);
+
+	LOCK(&rpz->rpzs->maint_lock);
+
+	/* Check that we aren't shutting down. */
+	if (rpz->rpzs->zones[rpz->num] == NULL) {
+		UNLOCK(&rpz->rpzs->maint_lock);
+		goto cleanup;
+	}
+
+	while (result == ISC_R_SUCCESS && count++ < DNS_RPZ_QUANTUM) {
+		char namebuf[DNS_NAME_FORMATSIZE];
+		dns_rdatasetiter_t *rdsiter = NULL;
+
+		result = dns_dbiterator_current(rpz->updbit, &node, name);
+		if (result != ISC_R_SUCCESS) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_MASTER, ISC_LOG_ERROR,
+				      "rpz: %s: failed to get dbiterator - %s",
+				      domain, isc_result_totext(result));
+			dns_db_detachnode(rpz->updb, &node);
+			break;
+		}
+
+		result = dns_db_allrdatasets(rpz->updb, node, rpz->updbversion,
+					     0, 0, &rdsiter);
+		if (result != ISC_R_SUCCESS) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_MASTER, ISC_LOG_ERROR,
+				      "rpz: %s: failed to fetch "
+				      "rrdatasets - %s",
+				      domain, isc_result_totext(result));
+			dns_db_detachnode(rpz->updb, &node);
+			break;
+		}
+
+		result = dns_rdatasetiter_first(rdsiter);
+		dns_rdatasetiter_destroy(&rdsiter);
+		if (result != ISC_R_SUCCESS) { /* empty non-terminal */
+			if (result != ISC_R_NOMORE) {
+				isc_log_write(
+					dns_lctx, DNS_LOGCATEGORY_GENERAL,
+					DNS_LOGMODULE_MASTER, ISC_LOG_ERROR,
+					"rpz: %s: error %s while creating "
+					"rdatasetiter",
+					domain, isc_result_totext(result));
+			}
+			dns_db_detachnode(rpz->updb, &node);
+			result = dns_dbiterator_next(rpz->updbit);
+			continue;
+		}
+
+		dns_name_downcase(name, name, NULL);
+		result = isc_ht_add(rpz->newnodes, name->ndata, name->length,
+				    rpz);
+		if (result != ISC_R_SUCCESS) {
+			dns_name_format(name, namebuf, sizeof(namebuf));
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_MASTER, ISC_LOG_ERROR,
+				      "rpz: %s, adding node %s to HT error %s",
+				      domain, namebuf,
+				      isc_result_totext(result));
+			dns_db_detachnode(rpz->updb, &node);
+			result = dns_dbiterator_next(rpz->updbit);
+			continue;
+		}
+
+		result = isc_ht_find(rpz->nodes, name->ndata, name->length,
+				     NULL);
+		if (result == ISC_R_SUCCESS) {
+			isc_ht_delete(rpz->nodes, name->ndata, name->length);
+		} else { /* not found */
+			result = dns_rpz_add(rpz->rpzs, rpz->num, name);
+			if (result != ISC_R_SUCCESS) {
+				dns_name_format(name, namebuf, sizeof(namebuf));
+				isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+					      DNS_LOGMODULE_MASTER,
+					      ISC_LOG_ERROR,
+					      "rpz: %s: adding node %s "
+					      "to RPZ error %s",
+					      domain, namebuf,
+					      isc_result_totext(result));
+			} else {
+				dns_name_format(name, namebuf, sizeof(namebuf));
+				isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+					      DNS_LOGMODULE_MASTER,
+					      ISC_LOG_DEBUG(3),
+					      "rpz: %s: adding node %s", domain,
+					      namebuf);
+			}
+		}
+
+		dns_db_detachnode(rpz->updb, &node);
+		result = dns_dbiterator_next(rpz->updbit);
+	}
+
+	if (result == ISC_R_SUCCESS) {
+		/*
+		 * Pause the iterator so that the DB is not locked.
+		 */
+		dns_dbiterator_pause(rpz->updbit);
+
+		/*
+		 * We finished a quantum; trigger the next one and return.
+		 */
+		INSIST(!ISC_LINK_LINKED(&rpz->updateevent, ev_link));
+		ISC_EVENT_INIT(&rpz->updateevent, sizeof(rpz->updateevent), 0,
+			       NULL, DNS_EVENT_RPZUPDATED, update_quantum, rpz,
+			       rpz, NULL, NULL);
+		nevent = &rpz->updateevent;
+		isc_task_send(rpz->rpzs->updater, &nevent);
+		UNLOCK(&rpz->rpzs->maint_lock);
+		return;
+	} else if (result == ISC_R_NOMORE) {
+		/*
+		 * Done with the new database; now we just need to
+		 * clean up the old.
+		 */
+		dns_dbiterator_destroy(&rpz->updbit);
+
+		INSIST(!ISC_LINK_LINKED(&rpz->updateevent, ev_link));
+		ISC_EVENT_INIT(&rpz->updateevent, sizeof(rpz->updateevent), 0,
+			       NULL, DNS_EVENT_RPZUPDATED, cleanup_quantum,
+			       NULL, rpz, NULL, NULL);
+		nevent = &rpz->updateevent;
+		isc_task_send(rpz->rpzs->updater, &nevent);
+		UNLOCK(&rpz->rpzs->maint_lock);
+		return;
+	}
+
+	/*
+	 * If we're here, something went wrong, so clean up.
+	 */
+	UNLOCK(&rpz->rpzs->maint_lock);
+
+cleanup:
+	if (rpz->updbit != NULL) {
+		dns_dbiterator_destroy(&rpz->updbit);
+	}
+	if (rpz->newnodes != NULL) {
+		isc_ht_destroy(&rpz->newnodes);
+	}
+	dns_db_closeversion(rpz->updb, &rpz->updbversion, false);
+	dns_db_detach(&rpz->updb);
+	rpz_detach(&rpz);
+}
+
+static void
+dns_rpz_update_from_db(dns_rpz_zone_t *rpz) {
+	isc_result_t result;
+	isc_event_t *event;
+
+	REQUIRE(rpz != NULL);
+	REQUIRE(DNS_DB_VALID(rpz->db));
+	REQUIRE(rpz->updb == NULL);
+	REQUIRE(rpz->updbversion == NULL);
+	REQUIRE(rpz->updbit == NULL);
+	REQUIRE(rpz->newnodes == NULL);
+
+	isc_refcount_increment(&rpz->refs);
+	dns_db_attach(rpz->db, &rpz->updb);
+	rpz->updbversion = rpz->dbversion;
+	rpz->dbversion = NULL;
+
+	result = setup_update(rpz);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	event = &rpz->updateevent;
+	INSIST(!ISC_LINK_LINKED(&rpz->updateevent, ev_link));
+	ISC_EVENT_INIT(&rpz->updateevent, sizeof(rpz->updateevent), 0, NULL,
+		       DNS_EVENT_RPZUPDATED, update_quantum, rpz, rpz, NULL,
+		       NULL);
+	isc_task_send(rpz->rpzs->updater, &event);
+	return;
+
+cleanup:
+	if (rpz->updbit != NULL) {
+		dns_dbiterator_destroy(&rpz->updbit);
+	}
+	if (rpz->newnodes != NULL) {
+		isc_ht_destroy(&rpz->newnodes);
+	}
+	dns_db_closeversion(rpz->updb, &rpz->updbversion, false);
+	dns_db_detach(&rpz->updb);
+	rpz_detach(&rpz);
+}
+
+/*
+ * Free the radix tree of a response policy database.
+ */
+static void
+cidr_free(dns_rpz_zones_t *rpzs) {
+	dns_rpz_cidr_node_t *cur, *child, *parent;
+
+	cur = rpzs->cidr;
+	while (cur != NULL) {
+		/* Depth first. */
+		child = cur->child[0];
+		if (child != NULL) {
+			cur = child;
+			continue;
+		}
+		child = cur->child[1];
+		if (child != NULL) {
+			cur = child;
+			continue;
+		}
+
+		/* Delete this leaf and go up. */
+		parent = cur->parent;
+		if (parent == NULL) {
+			rpzs->cidr = NULL;
+		} else {
+			parent->child[parent->child[1] == cur] = NULL;
+		}
+		isc_mem_put(rpzs->mctx, cur, sizeof(*cur));
+		cur = parent;
+	}
+}
+
+/*
+ * Discard a response policy zone blob
+ * before discarding the overall rpz structure.
+ */
+static void
+rpz_detach(dns_rpz_zone_t **rpzp) {
+	dns_rpz_zone_t *rpz;
+	dns_rpz_zones_t *rpzs;
+
+	REQUIRE(rpzp != NULL && *rpzp != NULL);
+
+	rpz = *rpzp;
+	*rpzp = NULL;
+
+	if (isc_refcount_decrement(&rpz->refs) == 1) {
+		isc_refcount_destroy(&rpz->refs);
+
+		rpzs = rpz->rpzs;
+		rpz->rpzs = NULL;
+
+		if (dns_name_dynamic(&rpz->origin)) {
+			dns_name_free(&rpz->origin, rpzs->mctx);
+		}
+		if (dns_name_dynamic(&rpz->client_ip)) {
+			dns_name_free(&rpz->client_ip, rpzs->mctx);
+		}
+		if (dns_name_dynamic(&rpz->ip)) {
+			dns_name_free(&rpz->ip, rpzs->mctx);
+		}
+		if (dns_name_dynamic(&rpz->nsdname)) {
+			dns_name_free(&rpz->nsdname, rpzs->mctx);
+		}
+		if (dns_name_dynamic(&rpz->nsip)) {
+			dns_name_free(&rpz->nsip, rpzs->mctx);
+		}
+		if (dns_name_dynamic(&rpz->passthru)) {
+			dns_name_free(&rpz->passthru, rpzs->mctx);
+		}
+		if (dns_name_dynamic(&rpz->drop)) {
+			dns_name_free(&rpz->drop, rpzs->mctx);
+		}
+		if (dns_name_dynamic(&rpz->tcp_only)) {
+			dns_name_free(&rpz->tcp_only, rpzs->mctx);
+		}
+		if (dns_name_dynamic(&rpz->cname)) {
+			dns_name_free(&rpz->cname, rpzs->mctx);
+		}
+		if (rpz->db != NULL) {
+			if (rpz->dbversion != NULL) {
+				dns_db_closeversion(rpz->db, &rpz->dbversion,
+						    false);
+			}
+			dns_db_updatenotify_unregister(
+				rpz->db, dns_rpz_dbupdate_callback, rpz);
+			dns_db_detach(&rpz->db);
+		}
+		if (rpz->updaterunning) {
+			isc_task_purgeevent(rpzs->updater, &rpz->updateevent);
+			if (rpz->updbit != NULL) {
+				dns_dbiterator_destroy(&rpz->updbit);
+			}
+			if (rpz->newnodes != NULL) {
+				isc_ht_destroy(&rpz->newnodes);
+			}
+			if (rpz->updb != NULL) {
+				if (rpz->updbversion != NULL) {
+					dns_db_closeversion(rpz->updb,
+							    &rpz->updbversion,
+							    false);
+				}
+				dns_db_detach(&rpz->updb);
+			}
+		}
+
+		isc_timer_reset(rpz->updatetimer, isc_timertype_inactive, NULL,
+				NULL, true);
+		isc_timer_destroy(&rpz->updatetimer);
+
+		isc_ht_destroy(&rpz->nodes);
+
+		isc_mem_put(rpzs->mctx, rpz, sizeof(*rpz));
+		rpz_detach_rpzs(&rpzs);
+	}
+}
+
+void
+dns_rpz_attach_rpzs(dns_rpz_zones_t *rpzs, dns_rpz_zones_t **rpzsp) {
+	REQUIRE(rpzsp != NULL && *rpzsp == NULL);
+	isc_refcount_increment(&rpzs->refs);
+	*rpzsp = rpzs;
+}
+
+/*
+ * Forget a view's policy zones.
+ */
+void
+dns_rpz_detach_rpzs(dns_rpz_zones_t **rpzsp) {
+	REQUIRE(rpzsp != NULL && *rpzsp != NULL);
+	dns_rpz_zones_t *rpzs = *rpzsp;
+	*rpzsp = NULL;
+
+	if (isc_refcount_decrement(&rpzs->refs) == 1) {
+		LOCK(&rpzs->maint_lock);
+		/*
+		 * Forget the last of view's rpz machinery after
+		 * the last reference.
+		 */
+		for (dns_rpz_num_t rpz_num = 0; rpz_num < DNS_RPZ_MAX_ZONES;
+		     ++rpz_num)
+		{
+			dns_rpz_zone_t *rpz = rpzs->zones[rpz_num];
+			rpzs->zones[rpz_num] = NULL;
+			if (rpz != NULL) {
+				rpz_detach(&rpz);
+			}
+		}
+		UNLOCK(&rpzs->maint_lock);
+		rpz_detach_rpzs(&rpzs);
+	}
+}
+
+static void
+rpz_detach_rpzs(dns_rpz_zones_t **rpzsp) {
+	REQUIRE(rpzsp != NULL && *rpzsp != NULL);
+	dns_rpz_zones_t *rpzs = *rpzsp;
+	*rpzsp = NULL;
+
+	if (isc_refcount_decrement(&rpzs->irefs) == 1) {
+		if (rpzs->rps_cstr_size != 0) {
+#ifdef USE_DNSRPS
+			librpz->client_detach(&rpzs->rps_client);
+#endif /* ifdef USE_DNSRPS */
+			isc_mem_put(rpzs->mctx, rpzs->rps_cstr,
+				    rpzs->rps_cstr_size);
+		}
+
+		cidr_free(rpzs);
+		if (rpzs->rbt != NULL) {
+			dns_rbt_destroy(&rpzs->rbt);
+		}
+		isc_task_destroy(&rpzs->updater);
+		isc_mutex_destroy(&rpzs->maint_lock);
+		isc_rwlock_destroy(&rpzs->search_lock);
+		isc_refcount_destroy(&rpzs->refs);
+		isc_mem_putanddetach(&rpzs->mctx, rpzs, sizeof(*rpzs));
+	}
+}
+
+/*
+ * Deprecated and removed.
+ */
+isc_result_t
+dns_rpz_beginload(dns_rpz_zones_t **load_rpzsp, dns_rpz_zones_t *rpzs,
+		  dns_rpz_num_t rpz_num) {
+	UNUSED(load_rpzsp);
+	UNUSED(rpzs);
+	UNUSED(rpz_num);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+/*
+ * Deprecated and removed.
+ */
+isc_result_t
+dns_rpz_ready(dns_rpz_zones_t *rpzs, dns_rpz_zones_t **load_rpzsp,
+	      dns_rpz_num_t rpz_num) {
+	UNUSED(rpzs);
+	UNUSED(load_rpzsp);
+	UNUSED(rpz_num);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+/*
+ * Add an IP address to the radix tree or a name to the summary database.
+ */
+isc_result_t
+dns_rpz_add(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
+	    const dns_name_t *src_name) {
+	dns_rpz_zone_t *rpz;
+	dns_rpz_type_t rpz_type;
+	isc_result_t result = ISC_R_FAILURE;
+
+	REQUIRE(rpzs != NULL && rpz_num < rpzs->p.num_zones);
+	rpz = rpzs->zones[rpz_num];
+	REQUIRE(rpz != NULL);
+	RWLOCK(&rpzs->search_lock, isc_rwlocktype_write);
+
+	rpz_type = type_from_name(rpzs, rpz, src_name);
+
+	switch (rpz_type) {
+	case DNS_RPZ_TYPE_QNAME:
+	case DNS_RPZ_TYPE_NSDNAME:
+		result = add_name(rpzs, rpz_num, rpz_type, src_name);
+		break;
+	case DNS_RPZ_TYPE_CLIENT_IP:
+	case DNS_RPZ_TYPE_IP:
+	case DNS_RPZ_TYPE_NSIP:
+		result = add_cidr(rpzs, rpz_num, rpz_type, src_name);
+		break;
+	case DNS_RPZ_TYPE_BAD:
+		break;
+	}
+	RWUNLOCK(&rpzs->search_lock, isc_rwlocktype_write);
+
+	return (result);
+}
+
+/*
+ * Remove an IP address from the radix tree.
+ */
+static void
+del_cidr(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, dns_rpz_type_t rpz_type,
+	 const dns_name_t *src_name) {
+	isc_result_t result;
+	dns_rpz_cidr_key_t tgt_ip;
+	dns_rpz_prefix_t tgt_prefix;
+	dns_rpz_addr_zbits_t tgt_set;
+	dns_rpz_cidr_node_t *tgt, *parent, *child;
+
+	/*
+	 * Do not worry about invalid rpz IP address names.  If we
+	 * are here, then something relevant was added and so was
+	 * valid.  Invalid names here are usually internal RBTDB nodes.
+	 */
+	result = name2ipkey(DNS_RPZ_DEBUG_QUIET, rpzs, rpz_num, rpz_type,
+			    src_name, &tgt_ip, &tgt_prefix, &tgt_set);
+	if (result != ISC_R_SUCCESS) {
+		return;
+	}
+
+	result = search(rpzs, &tgt_ip, tgt_prefix, &tgt_set, false, &tgt);
+	if (result != ISC_R_SUCCESS) {
+		INSIST(result == ISC_R_NOTFOUND ||
+		       result == DNS_R_PARTIALMATCH);
+		/*
+		 * Do not worry about missing summary RBT nodes that probably
+		 * correspond to RBTDB nodes that were implicit RBT nodes
+		 * that were later added for (often empty) wildcards
+		 * and then to the RBTDB deferred cleanup list.
+		 */
+		return;
+	}
+
+	/*
+	 * Mark the node and its parents to reflect the deleted IP address.
+	 * Do not count bits that are already clear for internal RBTDB nodes.
+	 */
+	tgt_set.client_ip &= tgt->set.client_ip;
+	tgt_set.ip &= tgt->set.ip;
+	tgt_set.nsip &= tgt->set.nsip;
+	tgt->set.client_ip &= ~tgt_set.client_ip;
+	tgt->set.ip &= ~tgt_set.ip;
+	tgt->set.nsip &= ~tgt_set.nsip;
+	set_sum_pair(tgt);
+
+	adj_trigger_cnt(rpzs, rpz_num, rpz_type, &tgt_ip, tgt_prefix, false);
+
+	/*
+	 * We might need to delete 2 nodes.
+	 */
+	do {
+		/*
+		 * The node is now useless if it has no data of its own
+		 * and 0 or 1 children.  We are finished if it is not useless.
+		 */
+		if ((child = tgt->child[0]) != NULL) {
+			if (tgt->child[1] != NULL) {
+				break;
+			}
+		} else {
+			child = tgt->child[1];
+		}
+		if (tgt->set.client_ip != 0 || tgt->set.ip != 0 ||
+		    tgt->set.nsip != 0)
+		{
+			break;
+		}
+
+		/*
+		 * Replace the pointer to this node in the parent with
+		 * the remaining child or NULL.
+		 */
+		parent = tgt->parent;
+		if (parent == NULL) {
+			rpzs->cidr = child;
+		} else {
+			parent->child[parent->child[1] == tgt] = child;
+		}
+		/*
+		 * If the child exists fix up its parent pointer.
+		 */
+		if (child != NULL) {
+			child->parent = parent;
+		}
+		isc_mem_put(rpzs->mctx, tgt, sizeof(*tgt));
+
+		tgt = parent;
+	} while (tgt != NULL);
+}
+
+static void
+del_name(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, dns_rpz_type_t rpz_type,
+	 const dns_name_t *src_name) {
+	char namebuf[DNS_NAME_FORMATSIZE];
+	dns_fixedname_t trig_namef;
+	dns_name_t *trig_name;
+	dns_rbtnode_t *nmnode;
+	dns_rpz_nm_data_t *nm_data, del_data;
+	isc_result_t result;
+	bool exists;
+
+	/*
+	 * We need a summary database of names even with 1 policy zone,
+	 * because wildcard triggers are handled differently.
+	 */
+
+	trig_name = dns_fixedname_initname(&trig_namef);
+	name2data(rpzs, rpz_num, rpz_type, src_name, trig_name, &del_data);
+
+	nmnode = NULL;
+	result = dns_rbt_findnode(rpzs->rbt, trig_name, NULL, &nmnode, NULL, 0,
+				  NULL, NULL);
+	if (result != ISC_R_SUCCESS) {
+		/*
+		 * Do not worry about missing summary RBT nodes that probably
+		 * correspond to RBTDB nodes that were implicit RBT nodes
+		 * that were later added for (often empty) wildcards
+		 * and then to the RBTDB deferred cleanup list.
+		 */
+		if (result == ISC_R_NOTFOUND || result == DNS_R_PARTIALMATCH) {
+			return;
+		}
+		dns_name_format(src_name, namebuf, sizeof(namebuf));
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
+			      DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL,
+			      "rpz del_name(%s) node search failed: %s",
+			      namebuf, isc_result_totext(result));
+		return;
+	}
+
+	nm_data = nmnode->data;
+	INSIST(nm_data != NULL);
+
+	/*
+	 * Do not count bits that next existed for RBT nodes that would we
+	 * would not have found in a summary for a single RBTDB tree.
+	 */
+	del_data.set.qname &= nm_data->set.qname;
+	del_data.set.ns &= nm_data->set.ns;
+	del_data.wild.qname &= nm_data->wild.qname;
+	del_data.wild.ns &= nm_data->wild.ns;
+
+	exists = (del_data.set.qname != 0 || del_data.set.ns != 0 ||
+		  del_data.wild.qname != 0 || del_data.wild.ns != 0);
+
+	nm_data->set.qname &= ~del_data.set.qname;
+	nm_data->set.ns &= ~del_data.set.ns;
+	nm_data->wild.qname &= ~del_data.wild.qname;
+	nm_data->wild.ns &= ~del_data.wild.ns;
+
+	if (nm_data->set.qname == 0 && nm_data->set.ns == 0 &&
+	    nm_data->wild.qname == 0 && nm_data->wild.ns == 0)
+	{
+		result = dns_rbt_deletenode(rpzs->rbt, nmnode, false);
+		if (result != ISC_R_SUCCESS) {
+			/*
+			 * bin/tests/system/rpz/tests.sh looks for
+			 * "rpz.*failed".
+			 */
+			dns_name_format(src_name, namebuf, sizeof(namebuf));
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
+				      DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL,
+				      "rpz del_name(%s) node delete failed: %s",
+				      namebuf, isc_result_totext(result));
+		}
+	}
+
+	if (exists) {
+		adj_trigger_cnt(rpzs, rpz_num, rpz_type, NULL, 0, false);
+	}
+}
+
+/*
+ * Remove an IP address from the radix tree or a name from the summary database.
+ */
+void
+dns_rpz_delete(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
+	       const dns_name_t *src_name) {
+	dns_rpz_zone_t *rpz;
+	dns_rpz_type_t rpz_type;
+
+	REQUIRE(rpzs != NULL && rpz_num < rpzs->p.num_zones);
+	rpz = rpzs->zones[rpz_num];
+	REQUIRE(rpz != NULL);
+
+	RWLOCK(&rpzs->search_lock, isc_rwlocktype_write);
+
+	rpz_type = type_from_name(rpzs, rpz, src_name);
+
+	switch (rpz_type) {
+	case DNS_RPZ_TYPE_QNAME:
+	case DNS_RPZ_TYPE_NSDNAME:
+		del_name(rpzs, rpz_num, rpz_type, src_name);
+		break;
+	case DNS_RPZ_TYPE_CLIENT_IP:
+	case DNS_RPZ_TYPE_IP:
+	case DNS_RPZ_TYPE_NSIP:
+		del_cidr(rpzs, rpz_num, rpz_type, src_name);
+		break;
+	case DNS_RPZ_TYPE_BAD:
+		break;
+	}
+
+	RWUNLOCK(&rpzs->search_lock, isc_rwlocktype_write);
+}
+
+/*
+ * Search the summary radix tree to get a relative owner name in a
+ * policy zone relevant to a triggering IP address.
+ *	rpz_type and zbits limit the search for IP address netaddr
+ *	return the policy zone's number or DNS_RPZ_INVALID_NUM
+ *	ip_name is the relative owner name found and
+ *	*prefixp is its prefix length.
+ */
+dns_rpz_num_t
+dns_rpz_find_ip(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type,
+		dns_rpz_zbits_t zbits, const isc_netaddr_t *netaddr,
+		dns_name_t *ip_name, dns_rpz_prefix_t *prefixp) {
+	dns_rpz_cidr_key_t tgt_ip;
+	dns_rpz_addr_zbits_t tgt_set;
+	dns_rpz_cidr_node_t *found;
+	isc_result_t result;
+	dns_rpz_num_t rpz_num = 0;
+	dns_rpz_have_t have;
+	int i;
+
+	RWLOCK(&rpzs->search_lock, isc_rwlocktype_read);
+	have = rpzs->have;
+	RWUNLOCK(&rpzs->search_lock, isc_rwlocktype_read);
+
+	/*
+	 * Convert IP address to CIDR tree key.
+	 */
+	if (netaddr->family == AF_INET) {
+		tgt_ip.w[0] = 0;
+		tgt_ip.w[1] = 0;
+		tgt_ip.w[2] = ADDR_V4MAPPED;
+		tgt_ip.w[3] = ntohl(netaddr->type.in.s_addr);
+		switch (rpz_type) {
+		case DNS_RPZ_TYPE_CLIENT_IP:
+			zbits &= have.client_ipv4;
+			break;
+		case DNS_RPZ_TYPE_IP:
+			zbits &= have.ipv4;
+			break;
+		case DNS_RPZ_TYPE_NSIP:
+			zbits &= have.nsipv4;
+			break;
+		default:
+			UNREACHABLE();
+		}
+	} else if (netaddr->family == AF_INET6) {
+		dns_rpz_cidr_key_t src_ip6;
+
+		/*
+		 * Given the int aligned struct in_addr member of netaddr->type
+		 * one could cast netaddr->type.in6 to dns_rpz_cidr_key_t *,
+		 * but some people object.
+		 */
+		memmove(src_ip6.w, &netaddr->type.in6, sizeof(src_ip6.w));
+		for (i = 0; i < 4; i++) {
+			tgt_ip.w[i] = ntohl(src_ip6.w[i]);
+		}
+		switch (rpz_type) {
+		case DNS_RPZ_TYPE_CLIENT_IP:
+			zbits &= have.client_ipv6;
+			break;
+		case DNS_RPZ_TYPE_IP:
+			zbits &= have.ipv6;
+			break;
+		case DNS_RPZ_TYPE_NSIP:
+			zbits &= have.nsipv6;
+			break;
+		default:
+			UNREACHABLE();
+		}
+	} else {
+		return (DNS_RPZ_INVALID_NUM);
+	}
+
+	if (zbits == 0) {
+		return (DNS_RPZ_INVALID_NUM);
+	}
+	make_addr_set(&tgt_set, zbits, rpz_type);
+
+	RWLOCK(&rpzs->search_lock, isc_rwlocktype_read);
+	result = search(rpzs, &tgt_ip, 128, &tgt_set, false, &found);
+	if (result == ISC_R_NOTFOUND) {
+		/*
+		 * There are no eligible zones for this IP address.
+		 */
+		RWUNLOCK(&rpzs->search_lock, isc_rwlocktype_read);
+		return (DNS_RPZ_INVALID_NUM);
+	}
+
+	/*
+	 * Construct the trigger name for the longest matching trigger
+	 * in the first eligible zone with a match.
+	 */
+	*prefixp = found->prefix;
+	switch (rpz_type) {
+	case DNS_RPZ_TYPE_CLIENT_IP:
+		rpz_num = zbit_to_num(found->set.client_ip & tgt_set.client_ip);
+		break;
+	case DNS_RPZ_TYPE_IP:
+		rpz_num = zbit_to_num(found->set.ip & tgt_set.ip);
+		break;
+	case DNS_RPZ_TYPE_NSIP:
+		rpz_num = zbit_to_num(found->set.nsip & tgt_set.nsip);
+		break;
+	default:
+		UNREACHABLE();
+	}
+	result = ip2name(&found->ip, found->prefix, dns_rootname, ip_name);
+	RWUNLOCK(&rpzs->search_lock, isc_rwlocktype_read);
+	if (result != ISC_R_SUCCESS) {
+		/*
+		 * bin/tests/system/rpz/tests.sh looks for "rpz.*failed".
+		 */
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
+			      DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL,
+			      "rpz ip2name() failed: %s",
+			      isc_result_totext(result));
+		return (DNS_RPZ_INVALID_NUM);
+	}
+	return (rpz_num);
+}
+
+/*
+ * Search the summary radix tree for policy zones with triggers matching
+ * a name.
+ */
+dns_rpz_zbits_t
+dns_rpz_find_name(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type,
+		  dns_rpz_zbits_t zbits, dns_name_t *trig_name) {
+	char namebuf[DNS_NAME_FORMATSIZE];
+	dns_rbtnode_t *nmnode;
+	const dns_rpz_nm_data_t *nm_data;
+	dns_rpz_zbits_t found_zbits;
+	dns_rbtnodechain_t chain;
+	isc_result_t result;
+	int i;
+
+	if (zbits == 0) {
+		return (0);
+	}
+
+	found_zbits = 0;
+
+	dns_rbtnodechain_init(&chain);
+
+	RWLOCK(&rpzs->search_lock, isc_rwlocktype_read);
+
+	nmnode = NULL;
+	result = dns_rbt_findnode(rpzs->rbt, trig_name, NULL, &nmnode, &chain,
+				  DNS_RBTFIND_EMPTYDATA, NULL, NULL);
+
+	switch (result) {
+	case ISC_R_SUCCESS:
+		nm_data = nmnode->data;
+		if (nm_data != NULL) {
+			if (rpz_type == DNS_RPZ_TYPE_QNAME) {
+				found_zbits = nm_data->set.qname;
+			} else {
+				found_zbits = nm_data->set.ns;
+			}
+		}
+		FALLTHROUGH;
+
+	case DNS_R_PARTIALMATCH:
+		i = chain.level_matches;
+		nmnode = chain.levels[chain.level_matches];
+
+		/*
+		 * Whenever an exact match is found by dns_rbt_findnode(),
+		 * the highest level node in the chain will not be put into
+		 * chain->levels[] array, but instead the chain->end
+		 * pointer will be adjusted to point to that node.
+		 *
+		 * Suppose we have the following entries in a rpz zone:
+		 *   example.com     CNAME rpz-passthru.
+		 *   *.example.com   CNAME rpz-passthru.
+		 *
+		 * A query for www.example.com would result in the
+		 * following chain object returned by dns_rbt_findnode():
+		 *   chain->level_count = 2
+		 *   chain->level_matches = 2
+		 *   chain->levels[0] = .
+		 *   chain->levels[1] = example.com
+		 *   chain->levels[2] = NULL
+		 *   chain->end = www
+		 *
+		 * Since exact matches only care for testing rpz set bits,
+		 * we need to test for rpz wild bits through iterating the
+		 * nodechain, and that includes testing the rpz wild bits
+		 * in the highest level node found. In the case of an exact
+		 * match, chain->levels[chain->level_matches] will be NULL,
+		 * to address that we must use chain->end as the start
+		 * point, then iterate over the remaining levels in the
+		 * chain.
+		 */
+		if (nmnode == NULL) {
+			--i;
+			nmnode = chain.end;
+		}
+
+		while (nmnode != NULL) {
+			nm_data = nmnode->data;
+			if (nm_data != NULL) {
+				if (rpz_type == DNS_RPZ_TYPE_QNAME) {
+					found_zbits |= nm_data->wild.qname;
+				} else {
+					found_zbits |= nm_data->wild.ns;
+				}
+			}
+
+			if (i >= 0) {
+				nmnode = chain.levels[i];
+				--i;
+			} else {
+				break;
+			}
+		}
+		break;
+
+	case ISC_R_NOTFOUND:
+		break;
+
+	default:
+		/*
+		 * bin/tests/system/rpz/tests.sh looks for "rpz.*failed".
+		 */
+		dns_name_format(trig_name, namebuf, sizeof(namebuf));
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
+			      DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL,
+			      "dns_rpz_find_name(%s) failed: %s", namebuf,
+			      isc_result_totext(result));
+		break;
+	}
+
+	RWUNLOCK(&rpzs->search_lock, isc_rwlocktype_read);
+
+	dns_rbtnodechain_invalidate(&chain);
+
+	return (zbits & found_zbits);
+}
+
+/*
+ * Translate CNAME rdata to a QNAME response policy action.
+ */
+dns_rpz_policy_t
+dns_rpz_decode_cname(dns_rpz_zone_t *rpz, dns_rdataset_t *rdataset,
+		     dns_name_t *selfname) {
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_cname_t cname;
+	isc_result_t result;
+
+	result = dns_rdataset_first(rdataset);
+	INSIST(result == ISC_R_SUCCESS);
+	dns_rdataset_current(rdataset, &rdata);
+	result = dns_rdata_tostruct(&rdata, &cname, NULL);
+	INSIST(result == ISC_R_SUCCESS);
+	dns_rdata_reset(&rdata);
+
+	/*
+	 * CNAME . means NXDOMAIN
+	 */
+	if (dns_name_equal(&cname.cname, dns_rootname)) {
+		return (DNS_RPZ_POLICY_NXDOMAIN);
+	}
+
+	if (dns_name_iswildcard(&cname.cname)) {
+		/*
+		 * CNAME *. means NODATA
+		 */
+		if (dns_name_countlabels(&cname.cname) == 2) {
+			return (DNS_RPZ_POLICY_NODATA);
+		}
+
+		/*
+		 * A qname of www.evil.com and a policy of
+		 *	*.evil.com    CNAME   *.garden.net
+		 * gives a result of
+		 *	evil.com    CNAME   evil.com.garden.net
+		 */
+		if (dns_name_countlabels(&cname.cname) > 2) {
+			return (DNS_RPZ_POLICY_WILDCNAME);
+		}
+	}
+
+	/*
+	 * CNAME rpz-tcp-only. means "send truncated UDP responses."
+	 */
+	if (dns_name_equal(&cname.cname, &rpz->tcp_only)) {
+		return (DNS_RPZ_POLICY_TCP_ONLY);
+	}
+
+	/*
+	 * CNAME rpz-drop. means "do not respond."
+	 */
+	if (dns_name_equal(&cname.cname, &rpz->drop)) {
+		return (DNS_RPZ_POLICY_DROP);
+	}
+
+	/*
+	 * CNAME rpz-passthru. means "do not rewrite."
+	 */
+	if (dns_name_equal(&cname.cname, &rpz->passthru)) {
+		return (DNS_RPZ_POLICY_PASSTHRU);
+	}
+
+	/*
+	 * 128.1.0.127.rpz-ip CNAME  128.1.0.0.127. is obsolete PASSTHRU
+	 */
+	if (selfname != NULL && dns_name_equal(&cname.cname, selfname)) {
+		return (DNS_RPZ_POLICY_PASSTHRU);
+	}
+
+	/*
+	 * Any other rdata gives a response consisting of the rdata.
+	 */
+	return (DNS_RPZ_POLICY_RECORD);
+}
diff --git a/lib/dns/rriterator.c b/lib/dns/rriterator.c
new file mode 100644
index 0000000..9b40597
--- /dev/null
+++ b/lib/dns/rriterator.c
@@ -0,0 +1,220 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+/***
+ *** Imports
+ ***/
+
+#include <inttypes.h>
+
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/result.h>
+#include <dns/rriterator.h>
+
+/***
+ *** RRiterator methods
+ ***/
+
+isc_result_t
+dns_rriterator_init(dns_rriterator_t *it, dns_db_t *db, dns_dbversion_t *ver,
+		    isc_stdtime_t now) {
+	isc_result_t result;
+	it->magic = RRITERATOR_MAGIC;
+	it->db = db;
+	it->dbit = NULL;
+	it->ver = ver;
+	it->now = now;
+	it->node = NULL;
+	result = dns_db_createiterator(it->db, 0, &it->dbit);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	it->rdatasetit = NULL;
+	dns_rdata_init(&it->rdata);
+	dns_rdataset_init(&it->rdataset);
+	dns_fixedname_init(&it->fixedname);
+	INSIST(!dns_rdataset_isassociated(&it->rdataset));
+	it->result = ISC_R_SUCCESS;
+	return (it->result);
+}
+
+isc_result_t
+dns_rriterator_first(dns_rriterator_t *it) {
+	REQUIRE(VALID_RRITERATOR(it));
+	/* Reset state */
+	if (dns_rdataset_isassociated(&it->rdataset)) {
+		dns_rdataset_disassociate(&it->rdataset);
+	}
+	if (it->rdatasetit != NULL) {
+		dns_rdatasetiter_destroy(&it->rdatasetit);
+	}
+	if (it->node != NULL) {
+		dns_db_detachnode(it->db, &it->node);
+	}
+	it->result = dns_dbiterator_first(it->dbit);
+
+	/*
+	 * The top node may be empty when out of zone glue exists.
+	 * Walk the tree to find the first node with data.
+	 */
+	while (it->result == ISC_R_SUCCESS) {
+		it->result = dns_dbiterator_current(
+			it->dbit, &it->node,
+			dns_fixedname_name(&it->fixedname));
+		if (it->result != ISC_R_SUCCESS) {
+			return (it->result);
+		}
+
+		it->result = dns_db_allrdatasets(it->db, it->node, it->ver, 0,
+						 it->now, &it->rdatasetit);
+		if (it->result != ISC_R_SUCCESS) {
+			return (it->result);
+		}
+
+		it->result = dns_rdatasetiter_first(it->rdatasetit);
+		if (it->result != ISC_R_SUCCESS) {
+			/*
+			 * This node is empty. Try next node.
+			 */
+			dns_rdatasetiter_destroy(&it->rdatasetit);
+			dns_db_detachnode(it->db, &it->node);
+			it->result = dns_dbiterator_next(it->dbit);
+			continue;
+		}
+		dns_rdatasetiter_current(it->rdatasetit, &it->rdataset);
+		dns_rdataset_getownercase(&it->rdataset,
+					  dns_fixedname_name(&it->fixedname));
+		it->rdataset.attributes |= DNS_RDATASETATTR_LOADORDER;
+		it->result = dns_rdataset_first(&it->rdataset);
+		return (it->result);
+	}
+	return (it->result);
+}
+
+isc_result_t
+dns_rriterator_nextrrset(dns_rriterator_t *it) {
+	REQUIRE(VALID_RRITERATOR(it));
+	if (dns_rdataset_isassociated(&it->rdataset)) {
+		dns_rdataset_disassociate(&it->rdataset);
+	}
+	it->result = dns_rdatasetiter_next(it->rdatasetit);
+	/*
+	 * The while loop body is executed more than once
+	 * only when an empty dbnode needs to be skipped.
+	 */
+	while (it->result == ISC_R_NOMORE) {
+		dns_rdatasetiter_destroy(&it->rdatasetit);
+		dns_db_detachnode(it->db, &it->node);
+		it->result = dns_dbiterator_next(it->dbit);
+		if (it->result == ISC_R_NOMORE) {
+			/* We are at the end of the entire database. */
+			return (it->result);
+		}
+		if (it->result != ISC_R_SUCCESS) {
+			return (it->result);
+		}
+		it->result = dns_dbiterator_current(
+			it->dbit, &it->node,
+			dns_fixedname_name(&it->fixedname));
+		if (it->result != ISC_R_SUCCESS) {
+			return (it->result);
+		}
+		it->result = dns_db_allrdatasets(it->db, it->node, it->ver, 0,
+						 it->now, &it->rdatasetit);
+		if (it->result != ISC_R_SUCCESS) {
+			return (it->result);
+		}
+		it->result = dns_rdatasetiter_first(it->rdatasetit);
+	}
+	if (it->result != ISC_R_SUCCESS) {
+		return (it->result);
+	}
+	dns_rdatasetiter_current(it->rdatasetit, &it->rdataset);
+	dns_rdataset_getownercase(&it->rdataset,
+				  dns_fixedname_name(&it->fixedname));
+	it->rdataset.attributes |= DNS_RDATASETATTR_LOADORDER;
+	it->result = dns_rdataset_first(&it->rdataset);
+	return (it->result);
+}
+
+isc_result_t
+dns_rriterator_next(dns_rriterator_t *it) {
+	REQUIRE(VALID_RRITERATOR(it));
+	if (it->result != ISC_R_SUCCESS) {
+		return (it->result);
+	}
+
+	INSIST(it->dbit != NULL);
+	INSIST(it->node != NULL);
+	INSIST(it->rdatasetit != NULL);
+
+	it->result = dns_rdataset_next(&it->rdataset);
+	if (it->result == ISC_R_NOMORE) {
+		return (dns_rriterator_nextrrset(it));
+	}
+	return (it->result);
+}
+
+void
+dns_rriterator_pause(dns_rriterator_t *it) {
+	REQUIRE(VALID_RRITERATOR(it));
+	RUNTIME_CHECK(dns_dbiterator_pause(it->dbit) == ISC_R_SUCCESS);
+}
+
+void
+dns_rriterator_destroy(dns_rriterator_t *it) {
+	REQUIRE(VALID_RRITERATOR(it));
+	if (dns_rdataset_isassociated(&it->rdataset)) {
+		dns_rdataset_disassociate(&it->rdataset);
+	}
+	if (it->rdatasetit != NULL) {
+		dns_rdatasetiter_destroy(&it->rdatasetit);
+	}
+	if (it->node != NULL) {
+		dns_db_detachnode(it->db, &it->node);
+	}
+	dns_dbiterator_destroy(&it->dbit);
+}
+
+void
+dns_rriterator_current(dns_rriterator_t *it, dns_name_t **name, uint32_t *ttl,
+		       dns_rdataset_t **rdataset, dns_rdata_t **rdata) {
+	REQUIRE(name != NULL && *name == NULL);
+	REQUIRE(VALID_RRITERATOR(it));
+	REQUIRE(it->result == ISC_R_SUCCESS);
+	REQUIRE(rdataset == NULL || *rdataset == NULL);
+	REQUIRE(rdata == NULL || *rdata == NULL);
+
+	*name = dns_fixedname_name(&it->fixedname);
+	*ttl = it->rdataset.ttl;
+
+	dns_rdata_reset(&it->rdata);
+	dns_rdataset_current(&it->rdataset, &it->rdata);
+
+	if (rdataset != NULL) {
+		*rdataset = &it->rdataset;
+	}
+
+	if (rdata != NULL) {
+		*rdata = &it->rdata;
+	}
+}
diff --git a/lib/dns/rrl.c b/lib/dns/rrl.c
new file mode 100644
index 0000000..a8c2525
--- /dev/null
+++ b/lib/dns/rrl.c
@@ -0,0 +1,1367 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+/*
+ * Rate limit DNS responses.
+ */
+
+/* #define ISC_LIST_CHECKINIT */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/mem.h>
+#include <isc/net.h>
+#include <isc/netaddr.h>
+#include <isc/print.h>
+#include <isc/util.h>
+
+#include <dns/log.h>
+#include <dns/name.h>
+#include <dns/rcode.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/rrl.h>
+#include <dns/view.h>
+#include <dns/zone.h>
+
+static void
+log_end(dns_rrl_t *rrl, dns_rrl_entry_t *e, bool early, char *log_buf,
+	unsigned int log_buf_len);
+
+/*
+ * Get a modulus for a hash function that is tolerably likely to be
+ * relatively prime to most inputs.  Of course, we get a prime for for initial
+ * values not larger than the square of the last prime.  We often get a prime
+ * after that.
+ * This works well in practice for hash tables up to at least 100
+ * times the square of the last prime and better than a multiplicative hash.
+ */
+static int
+hash_divisor(unsigned int initial) {
+	static uint16_t primes[] = {
+		3,
+		5,
+		7,
+		11,
+		13,
+		17,
+		19,
+		23,
+		29,
+		31,
+		37,
+		41,
+		43,
+		47,
+		53,
+		59,
+		61,
+		67,
+		71,
+		73,
+		79,
+		83,
+		89,
+		97,
+#if 0
+		101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151, 157,
+		163, 167, 173, 179, 181, 191, 193, 197, 199, 211, 223, 227,
+		229, 233, 239, 241, 251, 257, 263, 269, 271, 277, 281, 283,
+		293, 307, 311, 313, 317, 331, 337, 347, 349, 353, 359, 367,
+		373, 379, 383, 389, 397, 401, 409, 419, 421, 431, 433, 439,
+		443, 449, 457, 461, 463, 467, 479, 487, 491, 499, 503, 509,
+		521, 523, 541, 547, 557, 563, 569, 571, 577, 587, 593, 599,
+		601, 607, 613, 617, 619, 631, 641, 643, 647, 653, 659, 661,
+		673, 677, 683, 691, 701, 709, 719, 727, 733, 739, 743, 751,
+		757, 761, 769, 773, 787, 797, 809, 811, 821, 823, 827, 829,
+		839, 853, 857, 859, 863, 877, 881, 883, 887, 907, 911, 919,
+		929, 937, 941, 947, 953, 967, 971, 977, 983, 991, 997, 1009,
+#endif /* if 0 */
+	};
+	int divisions, tries;
+	unsigned int result;
+	uint16_t *pp, p;
+
+	result = initial;
+
+	if (primes[sizeof(primes) / sizeof(primes[0]) - 1] >= result) {
+		pp = primes;
+		while (*pp < result) {
+			++pp;
+		}
+		return (*pp);
+	}
+
+	if ((result & 1) == 0) {
+		++result;
+	}
+
+	divisions = 0;
+	tries = 1;
+	pp = primes;
+	do {
+		p = *pp++;
+		++divisions;
+		if ((result % p) == 0) {
+			++tries;
+			result += 2;
+			pp = primes;
+		}
+	} while (pp < &primes[sizeof(primes) / sizeof(primes[0])]);
+
+	if (isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DEBUG3)) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL,
+			      DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_DEBUG3,
+			      "%d hash_divisor() divisions in %d tries"
+			      " to get %d from %d",
+			      divisions, tries, result, initial);
+	}
+
+	return (result);
+}
+
+/*
+ * Convert a timestamp to a number of seconds in the past.
+ */
+static int
+delta_rrl_time(isc_stdtime_t ts, isc_stdtime_t now) {
+	int delta;
+
+	delta = now - ts;
+	if (delta >= 0) {
+		return (delta);
+	}
+
+	/*
+	 * The timestamp is in the future.  That future might result from
+	 * re-ordered requests, because we use timestamps on requests
+	 * instead of consulting a clock.  Timestamps in the distant future are
+	 * assumed to result from clock changes.  When the clock changes to
+	 * the past, make existing timestamps appear to be in the past.
+	 */
+	if (delta < -DNS_RRL_MAX_TIME_TRAVEL) {
+		return (DNS_RRL_FOREVER);
+	}
+	return (0);
+}
+
+static int
+get_age(const dns_rrl_t *rrl, const dns_rrl_entry_t *e, isc_stdtime_t now) {
+	if (!e->ts_valid) {
+		return (DNS_RRL_FOREVER);
+	}
+	return (delta_rrl_time(e->ts + rrl->ts_bases[e->ts_gen], now));
+}
+
+static void
+set_age(dns_rrl_t *rrl, dns_rrl_entry_t *e, isc_stdtime_t now) {
+	dns_rrl_entry_t *e_old;
+	unsigned int ts_gen;
+	int i, ts;
+
+	ts_gen = rrl->ts_gen;
+	ts = now - rrl->ts_bases[ts_gen];
+	if (ts < 0) {
+		if (ts < -DNS_RRL_MAX_TIME_TRAVEL) {
+			ts = DNS_RRL_FOREVER;
+		} else {
+			ts = 0;
+		}
+	}
+
+	/*
+	 * Make a new timestamp base if the current base is too old.
+	 * All entries older than DNS_RRL_MAX_WINDOW seconds are ancient,
+	 * useless history.  Their timestamps can be treated as if they are
+	 * all the same.
+	 * We only do arithmetic on more recent timestamps, so bases for
+	 * older timestamps can be recycled provided the old timestamps are
+	 * marked as ancient history.
+	 * This loop is almost always very short because most entries are
+	 * recycled after one second and any entries that need to be marked
+	 * are older than (DNS_RRL_TS_BASES)*DNS_RRL_MAX_TS seconds.
+	 */
+	if (ts >= DNS_RRL_MAX_TS) {
+		ts_gen = (ts_gen + 1) % DNS_RRL_TS_BASES;
+		for (e_old = ISC_LIST_TAIL(rrl->lru), i = 0;
+		     e_old != NULL && (e_old->ts_gen == ts_gen ||
+				       !ISC_LINK_LINKED(e_old, hlink));
+		     e_old = ISC_LIST_PREV(e_old, lru), ++i)
+		{
+			e_old->ts_valid = false;
+		}
+		if (i != 0) {
+			isc_log_write(
+				dns_lctx, DNS_LOGCATEGORY_RRL,
+				DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_DEBUG1,
+				"rrl new time base scanned %d entries"
+				" at %d for %d %d %d %d",
+				i, now, rrl->ts_bases[ts_gen],
+				rrl->ts_bases[(ts_gen + 1) % DNS_RRL_TS_BASES],
+				rrl->ts_bases[(ts_gen + 2) % DNS_RRL_TS_BASES],
+				rrl->ts_bases[(ts_gen + 3) % DNS_RRL_TS_BASES]);
+		}
+		rrl->ts_gen = ts_gen;
+		rrl->ts_bases[ts_gen] = now;
+		ts = 0;
+	}
+
+	e->ts_gen = ts_gen;
+	e->ts = ts;
+	e->ts_valid = true;
+}
+
+static isc_result_t
+expand_entries(dns_rrl_t *rrl, int newsize) {
+	unsigned int bsize;
+	dns_rrl_block_t *b;
+	dns_rrl_entry_t *e;
+	double rate;
+	int i;
+
+	if (rrl->num_entries + newsize >= rrl->max_entries &&
+	    rrl->max_entries != 0)
+	{
+		newsize = rrl->max_entries - rrl->num_entries;
+		if (newsize <= 0) {
+			return (ISC_R_SUCCESS);
+		}
+	}
+
+	/*
+	 * Log expansions so that the user can tune max-table-size
+	 * and min-table-size.
+	 */
+	if (isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DROP) && rrl->hash != NULL) {
+		rate = rrl->probes;
+		if (rrl->searches != 0) {
+			rate /= rrl->searches;
+		}
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL,
+			      DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_DROP,
+			      "increase from %d to %d RRL entries with"
+			      " %d bins; average search length %.1f",
+			      rrl->num_entries, rrl->num_entries + newsize,
+			      rrl->hash->length, rate);
+	}
+
+	bsize = sizeof(dns_rrl_block_t) +
+		(newsize - 1) * sizeof(dns_rrl_entry_t);
+	b = isc_mem_get(rrl->mctx, bsize);
+	memset(b, 0, bsize);
+	b->size = bsize;
+
+	e = b->entries;
+	for (i = 0; i < newsize; ++i, ++e) {
+		ISC_LINK_INIT(e, hlink);
+		ISC_LIST_INITANDAPPEND(rrl->lru, e, lru);
+	}
+	rrl->num_entries += newsize;
+	ISC_LIST_INITANDAPPEND(rrl->blocks, b, link);
+
+	return (ISC_R_SUCCESS);
+}
+
+static dns_rrl_bin_t *
+get_bin(dns_rrl_hash_t *hash, unsigned int hval) {
+	INSIST(hash != NULL);
+	return (&hash->bins[hval % hash->length]);
+}
+
+static void
+free_old_hash(dns_rrl_t *rrl) {
+	dns_rrl_hash_t *old_hash;
+	dns_rrl_bin_t *old_bin;
+	dns_rrl_entry_t *e, *e_next;
+
+	old_hash = rrl->old_hash;
+	for (old_bin = &old_hash->bins[0];
+	     old_bin < &old_hash->bins[old_hash->length]; ++old_bin)
+	{
+		for (e = ISC_LIST_HEAD(*old_bin); e != NULL; e = e_next) {
+			e_next = ISC_LIST_NEXT(e, hlink);
+			ISC_LINK_INIT(e, hlink);
+		}
+	}
+
+	isc_mem_put(rrl->mctx, old_hash,
+		    sizeof(*old_hash) +
+			    (old_hash->length - 1) * sizeof(old_hash->bins[0]));
+	rrl->old_hash = NULL;
+}
+
+static isc_result_t
+expand_rrl_hash(dns_rrl_t *rrl, isc_stdtime_t now) {
+	dns_rrl_hash_t *hash;
+	int old_bins, new_bins, hsize;
+	double rate;
+
+	if (rrl->old_hash != NULL) {
+		free_old_hash(rrl);
+	}
+
+	/*
+	 * Most searches fail and so go to the end of the chain.
+	 * Use a small hash table load factor.
+	 */
+	old_bins = (rrl->hash == NULL) ? 0 : rrl->hash->length;
+	new_bins = old_bins / 8 + old_bins;
+	if (new_bins < rrl->num_entries) {
+		new_bins = rrl->num_entries;
+	}
+	new_bins = hash_divisor(new_bins);
+
+	hsize = sizeof(dns_rrl_hash_t) + (new_bins - 1) * sizeof(hash->bins[0]);
+	hash = isc_mem_get(rrl->mctx, hsize);
+	memset(hash, 0, hsize);
+	hash->length = new_bins;
+	rrl->hash_gen ^= 1;
+	hash->gen = rrl->hash_gen;
+
+	if (isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DROP) && old_bins != 0) {
+		rate = rrl->probes;
+		if (rrl->searches != 0) {
+			rate /= rrl->searches;
+		}
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL,
+			      DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_DROP,
+			      "increase from %d to %d RRL bins for"
+			      " %d entries; average search length %.1f",
+			      old_bins, new_bins, rrl->num_entries, rate);
+	}
+
+	rrl->old_hash = rrl->hash;
+	if (rrl->old_hash != NULL) {
+		rrl->old_hash->check_time = now;
+	}
+	rrl->hash = hash;
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+ref_entry(dns_rrl_t *rrl, dns_rrl_entry_t *e, int probes, isc_stdtime_t now) {
+	/*
+	 * Make the entry most recently used.
+	 */
+	if (ISC_LIST_HEAD(rrl->lru) != e) {
+		if (e == rrl->last_logged) {
+			rrl->last_logged = ISC_LIST_PREV(e, lru);
+		}
+		ISC_LIST_UNLINK(rrl->lru, e, lru);
+		ISC_LIST_PREPEND(rrl->lru, e, lru);
+	}
+
+	/*
+	 * Expand the hash table if it is time and necessary.
+	 * This will leave the newly referenced entry in a chain in the
+	 * old hash table.  It will migrate to the new hash table the next
+	 * time it is used or be cut loose when the old hash table is destroyed.
+	 */
+	rrl->probes += probes;
+	++rrl->searches;
+	if (rrl->searches > 100 &&
+	    delta_rrl_time(rrl->hash->check_time, now) > 1)
+	{
+		if (rrl->probes / rrl->searches > 2) {
+			expand_rrl_hash(rrl, now);
+		}
+		rrl->hash->check_time = now;
+		rrl->probes = 0;
+		rrl->searches = 0;
+	}
+}
+
+static bool
+key_cmp(const dns_rrl_key_t *a, const dns_rrl_key_t *b) {
+	if (memcmp(a, b, sizeof(dns_rrl_key_t)) == 0) {
+		return (true);
+	}
+	return (false);
+}
+
+static uint32_t
+hash_key(const dns_rrl_key_t *key) {
+	uint32_t hval;
+	int i;
+
+	hval = key->w[0];
+	for (i = sizeof(key->w) / sizeof(key->w[0]) - 1; i >= 0; --i) {
+		hval = key->w[i] + (hval << 1);
+	}
+	return (hval);
+}
+
+/*
+ * Construct the hash table key.
+ * Use a hash of the DNS query name to save space in the database.
+ * Collisions result in legitimate rate limiting responses for one
+ * query name also limiting responses for other names to the
+ * same client.  This is rare and benign enough given the large
+ * space costs compared to keeping the entire name in the database
+ * entry or the time costs of dynamic allocation.
+ */
+static void
+make_key(const dns_rrl_t *rrl, dns_rrl_key_t *key,
+	 const isc_sockaddr_t *client_addr, dns_zone_t *zone,
+	 dns_rdatatype_t qtype, const dns_name_t *qname,
+	 dns_rdataclass_t qclass, dns_rrl_rtype_t rtype) {
+	int i;
+
+	memset(key, 0, sizeof(*key));
+
+	key->s.rtype = rtype;
+	if (rtype == DNS_RRL_RTYPE_QUERY) {
+		key->s.qtype = qtype;
+		key->s.qclass = qclass & 0xff;
+	} else if (rtype == DNS_RRL_RTYPE_REFERRAL ||
+		   rtype == DNS_RRL_RTYPE_NODATA)
+	{
+		/*
+		 * Because there is no qtype in the empty answer sections of
+		 * referral and NODATA responses, count them as the same.
+		 */
+		key->s.qclass = qclass & 0xff;
+	}
+
+	if (qname != NULL && qname->labels != 0) {
+		dns_name_t *origin = NULL;
+
+		if ((qname->attributes & DNS_NAMEATTR_WILDCARD) != 0 &&
+		    zone != NULL && (origin = dns_zone_getorigin(zone)) != NULL)
+		{
+			dns_fixedname_t fixed;
+			dns_name_t *wild;
+			isc_result_t result;
+
+			/*
+			 * Put all wildcard names in one bucket using the zone's
+			 * origin name concatenated to the "*" name.
+			 */
+			wild = dns_fixedname_initname(&fixed);
+			result = dns_name_concatenate(dns_wildcardname, origin,
+						      wild, NULL);
+			if (result != ISC_R_SUCCESS) {
+				/*
+				 * Fallback to use the zone's origin name
+				 * instead of the concatenated name.
+				 */
+				wild = origin;
+			}
+			key->s.qname_hash = dns_name_fullhash(wild, false);
+		} else {
+			key->s.qname_hash = dns_name_fullhash(qname, false);
+		}
+	}
+
+	switch (client_addr->type.sa.sa_family) {
+	case AF_INET:
+		key->s.ip[0] = (client_addr->type.sin.sin_addr.s_addr &
+				rrl->ipv4_mask);
+		break;
+	case AF_INET6:
+		key->s.ipv6 = true;
+		memmove(key->s.ip, &client_addr->type.sin6.sin6_addr,
+			sizeof(key->s.ip));
+		for (i = 0; i < DNS_RRL_MAX_PREFIX / 32; ++i) {
+			key->s.ip[i] &= rrl->ipv6_mask[i];
+		}
+		break;
+	}
+}
+
+static dns_rrl_rate_t *
+get_rate(dns_rrl_t *rrl, dns_rrl_rtype_t rtype) {
+	switch (rtype) {
+	case DNS_RRL_RTYPE_QUERY:
+		return (&rrl->responses_per_second);
+	case DNS_RRL_RTYPE_REFERRAL:
+		return (&rrl->referrals_per_second);
+	case DNS_RRL_RTYPE_NODATA:
+		return (&rrl->nodata_per_second);
+	case DNS_RRL_RTYPE_NXDOMAIN:
+		return (&rrl->nxdomains_per_second);
+	case DNS_RRL_RTYPE_ERROR:
+		return (&rrl->errors_per_second);
+	case DNS_RRL_RTYPE_ALL:
+		return (&rrl->all_per_second);
+	default:
+		UNREACHABLE();
+	}
+}
+
+static int
+response_balance(dns_rrl_t *rrl, const dns_rrl_entry_t *e, int age) {
+	dns_rrl_rate_t *ratep;
+	int balance, rate;
+
+	if (e->key.s.rtype == DNS_RRL_RTYPE_TCP) {
+		rate = 1;
+	} else {
+		ratep = get_rate(rrl, e->key.s.rtype);
+		rate = ratep->scaled;
+	}
+
+	balance = e->responses + age * rate;
+	if (balance > rate) {
+		balance = rate;
+	}
+	return (balance);
+}
+
+/*
+ * Search for an entry for a response and optionally create it.
+ */
+static dns_rrl_entry_t *
+get_entry(dns_rrl_t *rrl, const isc_sockaddr_t *client_addr, dns_zone_t *zone,
+	  dns_rdataclass_t qclass, dns_rdatatype_t qtype,
+	  const dns_name_t *qname, dns_rrl_rtype_t rtype, isc_stdtime_t now,
+	  bool create, char *log_buf, unsigned int log_buf_len) {
+	dns_rrl_key_t key;
+	uint32_t hval;
+	dns_rrl_entry_t *e;
+	dns_rrl_hash_t *hash;
+	dns_rrl_bin_t *new_bin, *old_bin;
+	int probes, age;
+
+	make_key(rrl, &key, client_addr, zone, qtype, qname, qclass, rtype);
+	hval = hash_key(&key);
+
+	/*
+	 * Look for the entry in the current hash table.
+	 */
+	new_bin = get_bin(rrl->hash, hval);
+	probes = 1;
+	e = ISC_LIST_HEAD(*new_bin);
+	while (e != NULL) {
+		if (key_cmp(&e->key, &key)) {
+			ref_entry(rrl, e, probes, now);
+			return (e);
+		}
+		++probes;
+		e = ISC_LIST_NEXT(e, hlink);
+	}
+
+	/*
+	 * Look in the old hash table.
+	 */
+	if (rrl->old_hash != NULL) {
+		old_bin = get_bin(rrl->old_hash, hval);
+		e = ISC_LIST_HEAD(*old_bin);
+		while (e != NULL) {
+			if (key_cmp(&e->key, &key)) {
+				ISC_LIST_UNLINK(*old_bin, e, hlink);
+				ISC_LIST_PREPEND(*new_bin, e, hlink);
+				e->hash_gen = rrl->hash_gen;
+				ref_entry(rrl, e, probes, now);
+				return (e);
+			}
+			e = ISC_LIST_NEXT(e, hlink);
+		}
+
+		/*
+		 * Discard previous hash table when all of its entries are old.
+		 */
+		age = delta_rrl_time(rrl->old_hash->check_time, now);
+		if (age > rrl->window) {
+			free_old_hash(rrl);
+		}
+	}
+
+	if (!create) {
+		return (NULL);
+	}
+
+	/*
+	 * The entry does not exist, so create it by finding a free entry.
+	 * Keep currently penalized and logged entries.
+	 * Try to make more entries if none are idle.
+	 * Steal the oldest entry if we cannot create more.
+	 */
+	for (e = ISC_LIST_TAIL(rrl->lru); e != NULL; e = ISC_LIST_PREV(e, lru))
+	{
+		if (!ISC_LINK_LINKED(e, hlink)) {
+			break;
+		}
+		age = get_age(rrl, e, now);
+		if (age <= 1) {
+			e = NULL;
+			break;
+		}
+		if (!e->logged && response_balance(rrl, e, age) > 0) {
+			break;
+		}
+	}
+	if (e == NULL) {
+		expand_entries(rrl, ISC_MIN((rrl->num_entries + 1) / 2, 1000));
+		e = ISC_LIST_TAIL(rrl->lru);
+	}
+	if (e->logged) {
+		log_end(rrl, e, true, log_buf, log_buf_len);
+	}
+	if (ISC_LINK_LINKED(e, hlink)) {
+		if (e->hash_gen == rrl->hash_gen) {
+			hash = rrl->hash;
+		} else {
+			hash = rrl->old_hash;
+		}
+		old_bin = get_bin(hash, hash_key(&e->key));
+		ISC_LIST_UNLINK(*old_bin, e, hlink);
+	}
+	ISC_LIST_PREPEND(*new_bin, e, hlink);
+	e->hash_gen = rrl->hash_gen;
+	e->key = key;
+	e->ts_valid = false;
+	ref_entry(rrl, e, probes, now);
+	return (e);
+}
+
+static void
+debit_log(const dns_rrl_entry_t *e, int age, const char *action) {
+	char buf[sizeof("age=2147483647")];
+	const char *age_str;
+
+	if (age == DNS_RRL_FOREVER) {
+		age_str = "";
+	} else {
+		snprintf(buf, sizeof(buf), "age=%d", age);
+		age_str = buf;
+	}
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL, DNS_LOGMODULE_REQUEST,
+		      DNS_RRL_LOG_DEBUG3, "rrl %08x %6s  responses=%-3d %s",
+		      hash_key(&e->key), age_str, e->responses, action);
+}
+
+static dns_rrl_result_t
+debit_rrl_entry(dns_rrl_t *rrl, dns_rrl_entry_t *e, double qps, double scale,
+		const isc_sockaddr_t *client_addr, isc_stdtime_t now,
+		char *log_buf, unsigned int log_buf_len) {
+	int rate, new_rate, slip, new_slip, age, log_secs, min;
+	dns_rrl_rate_t *ratep;
+	dns_rrl_entry_t const *credit_e;
+
+	/*
+	 * Pick the rate counter.
+	 * Optionally adjust the rate by the estimated query/second rate.
+	 */
+	ratep = get_rate(rrl, e->key.s.rtype);
+	rate = ratep->r;
+	if (rate == 0) {
+		return (DNS_RRL_RESULT_OK);
+	}
+
+	if (scale < 1.0) {
+		/*
+		 * The limit for clients that have used TCP is not scaled.
+		 */
+		credit_e = get_entry(
+			rrl, client_addr, NULL, 0, dns_rdatatype_none, NULL,
+			DNS_RRL_RTYPE_TCP, now, false, log_buf, log_buf_len);
+		if (credit_e != NULL) {
+			age = get_age(rrl, e, now);
+			if (age < rrl->window) {
+				scale = 1.0;
+			}
+		}
+	}
+	if (scale < 1.0) {
+		new_rate = (int)(rate * scale);
+		if (new_rate < 1) {
+			new_rate = 1;
+		}
+		if (ratep->scaled != new_rate) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL,
+				      DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_DEBUG1,
+				      "%d qps scaled %s by %.2f"
+				      " from %d to %d",
+				      (int)qps, ratep->str, scale, rate,
+				      new_rate);
+			rate = new_rate;
+			ratep->scaled = rate;
+		}
+	}
+
+	min = -rrl->window * rate;
+
+	/*
+	 * Treat time jumps into the recent past as no time.
+	 * Treat entries older than the window as if they were just created
+	 * Credit other entries.
+	 */
+	age = get_age(rrl, e, now);
+	if (age > 0) {
+		/*
+		 * Credit tokens earned during elapsed time.
+		 */
+		if (age > rrl->window) {
+			e->responses = rate;
+			e->slip_cnt = 0;
+		} else {
+			e->responses += rate * age;
+			if (e->responses > rate) {
+				e->responses = rate;
+				e->slip_cnt = 0;
+			}
+		}
+		/*
+		 * Find the seconds since last log message without overflowing
+		 * small counter.  This counter is reset when an entry is
+		 * created.  It is not necessarily reset when some requests
+		 * are answered provided other requests continue to be dropped
+		 * or slipped.  This can happen when the request rate is just
+		 * at the limit.
+		 */
+		if (e->logged) {
+			log_secs = e->log_secs;
+			log_secs += age;
+			if (log_secs > DNS_RRL_MAX_LOG_SECS || log_secs < 0) {
+				log_secs = DNS_RRL_MAX_LOG_SECS;
+			}
+			e->log_secs = log_secs;
+		}
+	}
+	set_age(rrl, e, now);
+
+	/*
+	 * Debit the entry for this response.
+	 */
+	if (--e->responses >= 0) {
+		if (isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DEBUG3)) {
+			debit_log(e, age, "");
+		}
+		return (DNS_RRL_RESULT_OK);
+	}
+
+	if (e->responses < min) {
+		e->responses = min;
+	}
+
+	/*
+	 * Drop this response unless it should slip or leak.
+	 */
+	slip = rrl->slip.r;
+	if (slip > 2 && scale < 1.0) {
+		new_slip = (int)(slip * scale);
+		if (new_slip < 2) {
+			new_slip = 2;
+		}
+		if (rrl->slip.scaled != new_slip) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL,
+				      DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_DEBUG1,
+				      "%d qps scaled slip"
+				      " by %.2f from %d to %d",
+				      (int)qps, scale, slip, new_slip);
+			slip = new_slip;
+			rrl->slip.scaled = slip;
+		}
+	}
+	if (slip != 0 && e->key.s.rtype != DNS_RRL_RTYPE_ALL) {
+		if (e->slip_cnt++ == 0) {
+			if ((int)e->slip_cnt >= slip) {
+				e->slip_cnt = 0;
+			}
+			if (isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DEBUG3)) {
+				debit_log(e, age, "slip");
+			}
+			return (DNS_RRL_RESULT_SLIP);
+		} else if ((int)e->slip_cnt >= slip) {
+			e->slip_cnt = 0;
+		}
+	}
+
+	if (isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DEBUG3)) {
+		debit_log(e, age, "drop");
+	}
+	return (DNS_RRL_RESULT_DROP);
+}
+
+static dns_rrl_qname_buf_t *
+get_qname(dns_rrl_t *rrl, const dns_rrl_entry_t *e) {
+	dns_rrl_qname_buf_t *qbuf;
+
+	qbuf = rrl->qnames[e->log_qname];
+	if (qbuf == NULL || qbuf->e != e) {
+		return (NULL);
+	}
+	return (qbuf);
+}
+
+static void
+free_qname(dns_rrl_t *rrl, dns_rrl_entry_t *e) {
+	dns_rrl_qname_buf_t *qbuf;
+
+	qbuf = get_qname(rrl, e);
+	if (qbuf != NULL) {
+		qbuf->e = NULL;
+		ISC_LIST_APPEND(rrl->qname_free, qbuf, link);
+	}
+}
+
+static void
+add_log_str(isc_buffer_t *lb, const char *str, unsigned int str_len) {
+	isc_region_t region;
+
+	isc_buffer_availableregion(lb, &region);
+	if (str_len >= region.length) {
+		if (region.length == 0U) {
+			return;
+		}
+		str_len = region.length;
+	}
+	memmove(region.base, str, str_len);
+	isc_buffer_add(lb, str_len);
+}
+
+#define ADD_LOG_CSTR(eb, s) add_log_str(eb, s, sizeof(s) - 1)
+
+/*
+ * Build strings for the logs
+ */
+static void
+make_log_buf(dns_rrl_t *rrl, dns_rrl_entry_t *e, const char *str1,
+	     const char *str2, bool plural, const dns_name_t *qname,
+	     bool save_qname, dns_rrl_result_t rrl_result,
+	     isc_result_t resp_result, char *log_buf,
+	     unsigned int log_buf_len) {
+	isc_buffer_t lb;
+	dns_rrl_qname_buf_t *qbuf;
+	isc_netaddr_t cidr;
+	char strbuf[ISC_MAX(sizeof("/123"), sizeof("  (12345678)"))];
+	const char *rstr;
+	isc_result_t msg_result;
+
+	if (log_buf_len <= 1) {
+		if (log_buf_len == 1) {
+			log_buf[0] = '\0';
+		}
+		return;
+	}
+	isc_buffer_init(&lb, log_buf, log_buf_len - 1);
+
+	if (str1 != NULL) {
+		add_log_str(&lb, str1, strlen(str1));
+	}
+	if (str2 != NULL) {
+		add_log_str(&lb, str2, strlen(str2));
+	}
+
+	switch (rrl_result) {
+	case DNS_RRL_RESULT_OK:
+		break;
+	case DNS_RRL_RESULT_DROP:
+		ADD_LOG_CSTR(&lb, "drop ");
+		break;
+	case DNS_RRL_RESULT_SLIP:
+		ADD_LOG_CSTR(&lb, "slip ");
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	switch (e->key.s.rtype) {
+	case DNS_RRL_RTYPE_QUERY:
+		break;
+	case DNS_RRL_RTYPE_REFERRAL:
+		ADD_LOG_CSTR(&lb, "referral ");
+		break;
+	case DNS_RRL_RTYPE_NODATA:
+		ADD_LOG_CSTR(&lb, "NODATA ");
+		break;
+	case DNS_RRL_RTYPE_NXDOMAIN:
+		ADD_LOG_CSTR(&lb, "NXDOMAIN ");
+		break;
+	case DNS_RRL_RTYPE_ERROR:
+		if (resp_result == ISC_R_SUCCESS) {
+			ADD_LOG_CSTR(&lb, "error ");
+		} else {
+			rstr = isc_result_totext(resp_result);
+			add_log_str(&lb, rstr, strlen(rstr));
+			ADD_LOG_CSTR(&lb, " error ");
+		}
+		break;
+	case DNS_RRL_RTYPE_ALL:
+		ADD_LOG_CSTR(&lb, "all ");
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	if (plural) {
+		ADD_LOG_CSTR(&lb, "responses to ");
+	} else {
+		ADD_LOG_CSTR(&lb, "response to ");
+	}
+
+	memset(&cidr, 0, sizeof(cidr));
+	if (e->key.s.ipv6) {
+		snprintf(strbuf, sizeof(strbuf), "/%d", rrl->ipv6_prefixlen);
+		cidr.family = AF_INET6;
+		memset(&cidr.type.in6, 0, sizeof(cidr.type.in6));
+		memmove(&cidr.type.in6, e->key.s.ip, sizeof(e->key.s.ip));
+	} else {
+		snprintf(strbuf, sizeof(strbuf), "/%d", rrl->ipv4_prefixlen);
+		cidr.family = AF_INET;
+		cidr.type.in.s_addr = e->key.s.ip[0];
+	}
+	msg_result = isc_netaddr_totext(&cidr, &lb);
+	if (msg_result != ISC_R_SUCCESS) {
+		ADD_LOG_CSTR(&lb, "?");
+	}
+	add_log_str(&lb, strbuf, strlen(strbuf));
+
+	if (e->key.s.rtype == DNS_RRL_RTYPE_QUERY ||
+	    e->key.s.rtype == DNS_RRL_RTYPE_REFERRAL ||
+	    e->key.s.rtype == DNS_RRL_RTYPE_NODATA ||
+	    e->key.s.rtype == DNS_RRL_RTYPE_NXDOMAIN)
+	{
+		qbuf = get_qname(rrl, e);
+		if (save_qname && qbuf == NULL && qname != NULL &&
+		    dns_name_isabsolute(qname))
+		{
+			/*
+			 * Capture the qname for the "stop limiting" message.
+			 */
+			qbuf = ISC_LIST_TAIL(rrl->qname_free);
+			if (qbuf != NULL) {
+				ISC_LIST_UNLINK(rrl->qname_free, qbuf, link);
+			} else if (rrl->num_qnames < DNS_RRL_QNAMES) {
+				qbuf = isc_mem_get(rrl->mctx, sizeof(*qbuf));
+				{
+					memset(qbuf, 0, sizeof(*qbuf));
+					ISC_LINK_INIT(qbuf, link);
+					qbuf->index = rrl->num_qnames;
+					rrl->qnames[rrl->num_qnames++] = qbuf;
+				}
+			}
+			if (qbuf != NULL) {
+				e->log_qname = qbuf->index;
+				qbuf->e = e;
+				dns_fixedname_init(&qbuf->qname);
+				dns_name_copynf(qname, dns_fixedname_name(
+							       &qbuf->qname));
+			}
+		}
+		if (qbuf != NULL) {
+			qname = dns_fixedname_name(&qbuf->qname);
+		}
+		if (qname != NULL) {
+			ADD_LOG_CSTR(&lb, " for ");
+			(void)dns_name_totext(qname, true, &lb);
+		} else {
+			ADD_LOG_CSTR(&lb, " for (?)");
+		}
+		if (e->key.s.rtype != DNS_RRL_RTYPE_NXDOMAIN) {
+			ADD_LOG_CSTR(&lb, " ");
+			(void)dns_rdataclass_totext(e->key.s.qclass, &lb);
+			if (e->key.s.rtype == DNS_RRL_RTYPE_QUERY) {
+				ADD_LOG_CSTR(&lb, " ");
+				(void)dns_rdatatype_totext(e->key.s.qtype, &lb);
+			}
+		}
+		snprintf(strbuf, sizeof(strbuf), "  (%08" PRIx32 ")",
+			 e->key.s.qname_hash);
+		add_log_str(&lb, strbuf, strlen(strbuf));
+	}
+
+	/*
+	 * We saved room for '\0'.
+	 */
+	log_buf[isc_buffer_usedlength(&lb)] = '\0';
+}
+
+static void
+log_end(dns_rrl_t *rrl, dns_rrl_entry_t *e, bool early, char *log_buf,
+	unsigned int log_buf_len) {
+	if (e->logged) {
+		make_log_buf(rrl, e, early ? "*" : NULL,
+			     rrl->log_only ? "would stop limiting "
+					   : "stop limiting ",
+			     true, NULL, false, DNS_RRL_RESULT_OK,
+			     ISC_R_SUCCESS, log_buf, log_buf_len);
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL,
+			      DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_DROP, "%s",
+			      log_buf);
+		free_qname(rrl, e);
+		e->logged = false;
+		--rrl->num_logged;
+	}
+}
+
+/*
+ * Log messages for streams that have stopped being rate limited.
+ */
+static void
+log_stops(dns_rrl_t *rrl, isc_stdtime_t now, int limit, char *log_buf,
+	  unsigned int log_buf_len) {
+	dns_rrl_entry_t *e;
+	int age;
+
+	for (e = rrl->last_logged; e != NULL; e = ISC_LIST_PREV(e, lru)) {
+		if (!e->logged) {
+			continue;
+		}
+		if (now != 0) {
+			age = get_age(rrl, e, now);
+			if (age < DNS_RRL_STOP_LOG_SECS ||
+			    response_balance(rrl, e, age) < 0)
+			{
+				break;
+			}
+		}
+
+		log_end(rrl, e, now == 0, log_buf, log_buf_len);
+		if (rrl->num_logged <= 0) {
+			break;
+		}
+
+		/*
+		 * Too many messages could stall real work.
+		 */
+		if (--limit < 0) {
+			rrl->last_logged = ISC_LIST_PREV(e, lru);
+			return;
+		}
+	}
+	if (e == NULL) {
+		INSIST(rrl->num_logged == 0);
+		rrl->log_stops_time = now;
+	}
+	rrl->last_logged = e;
+}
+
+/*
+ * Main rate limit interface.
+ */
+dns_rrl_result_t
+dns_rrl(dns_view_t *view, dns_zone_t *zone, const isc_sockaddr_t *client_addr,
+	bool is_tcp, dns_rdataclass_t qclass, dns_rdatatype_t qtype,
+	const dns_name_t *qname, isc_result_t resp_result, isc_stdtime_t now,
+	bool wouldlog, char *log_buf, unsigned int log_buf_len) {
+	dns_rrl_t *rrl;
+	dns_rrl_rtype_t rtype;
+	dns_rrl_entry_t *e;
+	isc_netaddr_t netclient;
+	int secs;
+	double qps, scale;
+	int exempt_match;
+	isc_result_t result;
+	dns_rrl_result_t rrl_result;
+
+	INSIST(log_buf != NULL && log_buf_len > 0);
+
+	rrl = view->rrl;
+	if (rrl->exempt != NULL) {
+		isc_netaddr_fromsockaddr(&netclient, client_addr);
+		result = dns_acl_match(&netclient, NULL, rrl->exempt,
+				       &view->aclenv, &exempt_match, NULL);
+		if (result == ISC_R_SUCCESS && exempt_match > 0) {
+			return (DNS_RRL_RESULT_OK);
+		}
+	}
+
+	LOCK(&rrl->lock);
+
+	/*
+	 * Estimate total query per second rate when scaling by qps.
+	 */
+	if (rrl->qps_scale == 0) {
+		qps = 0.0;
+		scale = 1.0;
+	} else {
+		++rrl->qps_responses;
+		secs = delta_rrl_time(rrl->qps_time, now);
+		if (secs <= 0) {
+			qps = rrl->qps;
+		} else {
+			qps = (1.0 * rrl->qps_responses) / secs;
+			if (secs >= rrl->window) {
+				if (isc_log_wouldlog(dns_lctx,
+						     DNS_RRL_LOG_DEBUG3))
+				{
+					isc_log_write(dns_lctx,
+						      DNS_LOGCATEGORY_RRL,
+						      DNS_LOGMODULE_REQUEST,
+						      DNS_RRL_LOG_DEBUG3,
+						      "%d responses/%d seconds"
+						      " = %d qps",
+						      rrl->qps_responses, secs,
+						      (int)qps);
+				}
+				rrl->qps = qps;
+				rrl->qps_responses = 0;
+				rrl->qps_time = now;
+			} else if (qps < rrl->qps) {
+				qps = rrl->qps;
+			}
+		}
+		scale = rrl->qps_scale / qps;
+	}
+
+	/*
+	 * Do maintenance once per second.
+	 */
+	if (rrl->num_logged > 0 && rrl->log_stops_time != now) {
+		log_stops(rrl, now, 8, log_buf, log_buf_len);
+	}
+
+	/*
+	 * Notice TCP responses when scaling limits by qps.
+	 * Do not try to rate limit TCP responses.
+	 */
+	if (is_tcp) {
+		if (scale < 1.0) {
+			e = get_entry(rrl, client_addr, NULL, 0,
+				      dns_rdatatype_none, NULL,
+				      DNS_RRL_RTYPE_TCP, now, true, log_buf,
+				      log_buf_len);
+			if (e != NULL) {
+				e->responses = -(rrl->window + 1);
+				set_age(rrl, e, now);
+			}
+		}
+		UNLOCK(&rrl->lock);
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * Find the right kind of entry, creating it if necessary.
+	 * If that is impossible, then nothing more can be done
+	 */
+	switch (resp_result) {
+	case ISC_R_SUCCESS:
+		rtype = DNS_RRL_RTYPE_QUERY;
+		break;
+	case DNS_R_DELEGATION:
+		rtype = DNS_RRL_RTYPE_REFERRAL;
+		break;
+	case DNS_R_NXRRSET:
+		rtype = DNS_RRL_RTYPE_NODATA;
+		break;
+	case DNS_R_NXDOMAIN:
+		rtype = DNS_RRL_RTYPE_NXDOMAIN;
+		break;
+	default:
+		rtype = DNS_RRL_RTYPE_ERROR;
+		break;
+	}
+	e = get_entry(rrl, client_addr, zone, qclass, qtype, qname, rtype, now,
+		      true, log_buf, log_buf_len);
+	if (e == NULL) {
+		UNLOCK(&rrl->lock);
+		return (DNS_RRL_RESULT_OK);
+	}
+
+	if (isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DEBUG1)) {
+		/*
+		 * Do not worry about speed or releasing the lock.
+		 * This message appears before messages from debit_rrl_entry().
+		 */
+		make_log_buf(rrl, e, "consider limiting ", NULL, false, qname,
+			     false, DNS_RRL_RESULT_OK, resp_result, log_buf,
+			     log_buf_len);
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL,
+			      DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_DEBUG1, "%s",
+			      log_buf);
+	}
+
+	rrl_result = debit_rrl_entry(rrl, e, qps, scale, client_addr, now,
+				     log_buf, log_buf_len);
+
+	if (rrl->all_per_second.r != 0) {
+		/*
+		 * We must debit the all-per-second token bucket if we have
+		 * an all-per-second limit for the IP address.
+		 * The all-per-second limit determines the log message
+		 * when both limits are hit.
+		 * The response limiting must continue if the
+		 * all-per-second limiting lapses.
+		 */
+		dns_rrl_entry_t *e_all;
+		dns_rrl_result_t rrl_all_result;
+
+		e_all = get_entry(rrl, client_addr, zone, 0, dns_rdatatype_none,
+				  NULL, DNS_RRL_RTYPE_ALL, now, true, log_buf,
+				  log_buf_len);
+		if (e_all == NULL) {
+			UNLOCK(&rrl->lock);
+			return (DNS_RRL_RESULT_OK);
+		}
+		rrl_all_result = debit_rrl_entry(rrl, e_all, qps, scale,
+						 client_addr, now, log_buf,
+						 log_buf_len);
+		if (rrl_all_result != DNS_RRL_RESULT_OK) {
+			e = e_all;
+			rrl_result = rrl_all_result;
+			if (isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DEBUG1)) {
+				make_log_buf(rrl, e,
+					     "prefer all-per-second limiting ",
+					     NULL, true, qname, false,
+					     DNS_RRL_RESULT_OK, resp_result,
+					     log_buf, log_buf_len);
+				isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL,
+					      DNS_LOGMODULE_REQUEST,
+					      DNS_RRL_LOG_DEBUG1, "%s",
+					      log_buf);
+			}
+		}
+	}
+
+	if (rrl_result == DNS_RRL_RESULT_OK) {
+		UNLOCK(&rrl->lock);
+		return (DNS_RRL_RESULT_OK);
+	}
+
+	/*
+	 * Log occasionally in the rate-limit category.
+	 */
+	if ((!e->logged || e->log_secs >= DNS_RRL_MAX_LOG_SECS) &&
+	    isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DROP))
+	{
+		make_log_buf(rrl, e, rrl->log_only ? "would " : NULL,
+			     e->logged ? "continue limiting " : "limit ", true,
+			     qname, true, DNS_RRL_RESULT_OK, resp_result,
+			     log_buf, log_buf_len);
+		if (!e->logged) {
+			e->logged = true;
+			if (++rrl->num_logged <= 1) {
+				rrl->last_logged = e;
+			}
+		}
+		e->log_secs = 0;
+
+		/*
+		 * Avoid holding the lock.
+		 */
+		if (!wouldlog) {
+			UNLOCK(&rrl->lock);
+			e = NULL;
+		}
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL,
+			      DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_DROP, "%s",
+			      log_buf);
+	}
+
+	/*
+	 * Make a log message for the caller.
+	 */
+	if (wouldlog) {
+		make_log_buf(rrl, e,
+			     rrl->log_only ? "would rate limit "
+					   : "rate limit ",
+			     NULL, false, qname, false, rrl_result, resp_result,
+			     log_buf, log_buf_len);
+	}
+
+	if (e != NULL) {
+		/*
+		 * Do not save the qname unless we might need it for
+		 * the ending log message.
+		 */
+		if (!e->logged) {
+			free_qname(rrl, e);
+		}
+		UNLOCK(&rrl->lock);
+	}
+
+	return (rrl_result);
+}
+
+void
+dns_rrl_view_destroy(dns_view_t *view) {
+	dns_rrl_t *rrl;
+	dns_rrl_block_t *b;
+	dns_rrl_hash_t *h;
+	char log_buf[DNS_RRL_LOG_BUF_LEN];
+	int i;
+
+	rrl = view->rrl;
+	if (rrl == NULL) {
+		return;
+	}
+	view->rrl = NULL;
+
+	/*
+	 * Assume the caller takes care of locking the view and anything else.
+	 */
+
+	if (rrl->num_logged > 0) {
+		log_stops(rrl, 0, INT32_MAX, log_buf, sizeof(log_buf));
+	}
+
+	for (i = 0; i < DNS_RRL_QNAMES; ++i) {
+		if (rrl->qnames[i] == NULL) {
+			break;
+		}
+		isc_mem_put(rrl->mctx, rrl->qnames[i], sizeof(*rrl->qnames[i]));
+	}
+
+	if (rrl->exempt != NULL) {
+		dns_acl_detach(&rrl->exempt);
+	}
+
+	isc_mutex_destroy(&rrl->lock);
+
+	while (!ISC_LIST_EMPTY(rrl->blocks)) {
+		b = ISC_LIST_HEAD(rrl->blocks);
+		ISC_LIST_UNLINK(rrl->blocks, b, link);
+		isc_mem_put(rrl->mctx, b, b->size);
+	}
+
+	h = rrl->hash;
+	if (h != NULL) {
+		isc_mem_put(rrl->mctx, h,
+			    sizeof(*h) + (h->length - 1) * sizeof(h->bins[0]));
+	}
+
+	h = rrl->old_hash;
+	if (h != NULL) {
+		isc_mem_put(rrl->mctx, h,
+			    sizeof(*h) + (h->length - 1) * sizeof(h->bins[0]));
+	}
+
+	isc_mem_putanddetach(&rrl->mctx, rrl, sizeof(*rrl));
+}
+
+isc_result_t
+dns_rrl_init(dns_rrl_t **rrlp, dns_view_t *view, int min_entries) {
+	dns_rrl_t *rrl;
+	isc_result_t result;
+
+	*rrlp = NULL;
+
+	rrl = isc_mem_get(view->mctx, sizeof(*rrl));
+	memset(rrl, 0, sizeof(*rrl));
+	isc_mem_attach(view->mctx, &rrl->mctx);
+	isc_mutex_init(&rrl->lock);
+	isc_stdtime_get(&rrl->ts_bases[0]);
+
+	view->rrl = rrl;
+
+	result = expand_entries(rrl, min_entries);
+	if (result != ISC_R_SUCCESS) {
+		dns_rrl_view_destroy(view);
+		return (result);
+	}
+	result = expand_rrl_hash(rrl, 0);
+	if (result != ISC_R_SUCCESS) {
+		dns_rrl_view_destroy(view);
+		return (result);
+	}
+
+	*rrlp = rrl;
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/dns/sdb.c b/lib/dns/sdb.c
new file mode 100644
index 0000000..2c6802f
--- /dev/null
+++ b/lib/dns/sdb.c
@@ -0,0 +1,1613 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <string.h>
+
+#include <isc/buffer.h>
+#include <isc/lex.h>
+#include <isc/log.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/print.h>
+#include <isc/refcount.h>
+#include <isc/region.h>
+#include <isc/util.h>
+
+#include <dns/callbacks.h>
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/fixedname.h>
+#include <dns/log.h>
+#include <dns/rdata.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/sdb.h>
+#include <dns/types.h>
+
+#include "rdatalist_p.h"
+
+struct dns_sdbimplementation {
+	const dns_sdbmethods_t *methods;
+	void *driverdata;
+	unsigned int flags;
+	isc_mem_t *mctx;
+	isc_mutex_t driverlock;
+	dns_dbimplementation_t *dbimp;
+};
+
+struct dns_sdb {
+	/* Unlocked */
+	dns_db_t common;
+	char *zone;
+	dns_sdbimplementation_t *implementation;
+	void *dbdata;
+
+	/* Atomic */
+	isc_refcount_t references;
+};
+
+struct dns_sdblookup {
+	/* Unlocked */
+	unsigned int magic;
+	dns_sdb_t *sdb;
+	ISC_LIST(dns_rdatalist_t) lists;
+	ISC_LIST(isc_buffer_t) buffers;
+	dns_name_t *name;
+	ISC_LINK(dns_sdblookup_t) link;
+	dns_rdatacallbacks_t callbacks;
+
+	/* Atomic */
+	isc_refcount_t references;
+};
+
+typedef struct dns_sdblookup dns_sdbnode_t;
+
+struct dns_sdballnodes {
+	dns_dbiterator_t common;
+	ISC_LIST(dns_sdbnode_t) nodelist;
+	dns_sdbnode_t *current;
+	dns_sdbnode_t *origin;
+};
+
+typedef dns_sdballnodes_t sdb_dbiterator_t;
+
+typedef struct sdb_rdatasetiter {
+	dns_rdatasetiter_t common;
+	dns_rdatalist_t *current;
+} sdb_rdatasetiter_t;
+
+#define SDB_MAGIC ISC_MAGIC('S', 'D', 'B', '-')
+
+/*%
+ * Note that "impmagic" is not the first four bytes of the struct, so
+ * ISC_MAGIC_VALID cannot be used.
+ */
+#define VALID_SDB(sdb) ((sdb) != NULL && (sdb)->common.impmagic == SDB_MAGIC)
+
+#define SDBLOOKUP_MAGIC	      ISC_MAGIC('S', 'D', 'B', 'L')
+#define VALID_SDBLOOKUP(sdbl) ISC_MAGIC_VALID(sdbl, SDBLOOKUP_MAGIC)
+#define VALID_SDBNODE(sdbn)   VALID_SDBLOOKUP(sdbn)
+
+/* These values are taken from RFC1537 */
+#define SDB_DEFAULT_REFRESH 28800U  /* 8 hours */
+#define SDB_DEFAULT_RETRY   7200U   /* 2 hours */
+#define SDB_DEFAULT_EXPIRE  604800U /* 7 days */
+#define SDB_DEFAULT_MINIMUM 86400U  /* 1 day */
+
+/* This is a reasonable value */
+#define SDB_DEFAULT_TTL (60 * 60 * 24)
+
+#ifdef __COVERITY__
+#define MAYBE_LOCK(sdb)	  LOCK(&sdb->implementation->driverlock)
+#define MAYBE_UNLOCK(sdb) UNLOCK(&sdb->implementation->driverlock)
+#else /* ifdef __COVERITY__ */
+#define MAYBE_LOCK(sdb)                                          \
+	do {                                                     \
+		unsigned int flags = sdb->implementation->flags; \
+		if ((flags & DNS_SDBFLAG_THREADSAFE) == 0)       \
+			LOCK(&sdb->implementation->driverlock);  \
+	} while (0)
+
+#define MAYBE_UNLOCK(sdb)                                         \
+	do {                                                      \
+		unsigned int flags = sdb->implementation->flags;  \
+		if ((flags & DNS_SDBFLAG_THREADSAFE) == 0)        \
+			UNLOCK(&sdb->implementation->driverlock); \
+	} while (0)
+#endif /* ifdef __COVERITY__ */
+
+static int dummy;
+
+static isc_result_t
+dns_sdb_create(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type,
+	       dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
+	       void *driverarg, dns_db_t **dbp);
+
+static isc_result_t
+findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+	     dns_rdatatype_t type, dns_rdatatype_t covers, isc_stdtime_t now,
+	     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
+
+static isc_result_t
+createnode(dns_sdb_t *sdb, dns_sdbnode_t **nodep);
+
+static void
+destroynode(dns_sdbnode_t *node);
+
+static void
+detachnode(dns_db_t *db, dns_dbnode_t **targetp);
+
+static void
+list_tordataset(dns_rdatalist_t *rdatalist, dns_db_t *db, dns_dbnode_t *node,
+		dns_rdataset_t *rdataset);
+
+static void
+dbiterator_destroy(dns_dbiterator_t **iteratorp);
+static isc_result_t
+dbiterator_first(dns_dbiterator_t *iterator);
+static isc_result_t
+dbiterator_last(dns_dbiterator_t *iterator);
+static isc_result_t
+dbiterator_seek(dns_dbiterator_t *iterator, const dns_name_t *name);
+static isc_result_t
+dbiterator_prev(dns_dbiterator_t *iterator);
+static isc_result_t
+dbiterator_next(dns_dbiterator_t *iterator);
+static isc_result_t
+dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep,
+		   dns_name_t *name);
+static isc_result_t
+dbiterator_pause(dns_dbiterator_t *iterator);
+static isc_result_t
+dbiterator_origin(dns_dbiterator_t *iterator, dns_name_t *name);
+
+static dns_dbiteratormethods_t dbiterator_methods = {
+	dbiterator_destroy, dbiterator_first, dbiterator_last,
+	dbiterator_seek,    dbiterator_prev,  dbiterator_next,
+	dbiterator_current, dbiterator_pause, dbiterator_origin
+};
+
+static void
+rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp);
+static isc_result_t
+rdatasetiter_first(dns_rdatasetiter_t *iterator);
+static isc_result_t
+rdatasetiter_next(dns_rdatasetiter_t *iterator);
+static void
+rdatasetiter_current(dns_rdatasetiter_t *iterator, dns_rdataset_t *rdataset);
+
+static dns_rdatasetitermethods_t rdatasetiter_methods = {
+	rdatasetiter_destroy, rdatasetiter_first, rdatasetiter_next,
+	rdatasetiter_current
+};
+
+/*
+ * Functions used by implementors of simple databases
+ */
+isc_result_t
+dns_sdb_register(const char *drivername, const dns_sdbmethods_t *methods,
+		 void *driverdata, unsigned int flags, isc_mem_t *mctx,
+		 dns_sdbimplementation_t **sdbimp) {
+	dns_sdbimplementation_t *imp;
+	isc_result_t result;
+
+	REQUIRE(drivername != NULL);
+	REQUIRE(methods != NULL);
+	REQUIRE(methods->lookup != NULL || methods->lookup2 != NULL);
+	REQUIRE(mctx != NULL);
+	REQUIRE(sdbimp != NULL && *sdbimp == NULL);
+	REQUIRE((flags &
+		 ~(DNS_SDBFLAG_RELATIVEOWNER | DNS_SDBFLAG_RELATIVERDATA |
+		   DNS_SDBFLAG_THREADSAFE | DNS_SDBFLAG_DNS64)) == 0);
+
+	imp = isc_mem_get(mctx, sizeof(dns_sdbimplementation_t));
+	imp->methods = methods;
+	imp->driverdata = driverdata;
+	imp->flags = flags;
+	imp->mctx = NULL;
+	isc_mem_attach(mctx, &imp->mctx);
+	isc_mutex_init(&imp->driverlock);
+
+	imp->dbimp = NULL;
+	result = dns_db_register(drivername, dns_sdb_create, imp, mctx,
+				 &imp->dbimp);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_mutex;
+	}
+	*sdbimp = imp;
+
+	return (ISC_R_SUCCESS);
+
+cleanup_mutex:
+	isc_mutex_destroy(&imp->driverlock);
+	isc_mem_put(mctx, imp, sizeof(dns_sdbimplementation_t));
+	return (result);
+}
+
+void
+dns_sdb_unregister(dns_sdbimplementation_t **sdbimp) {
+	dns_sdbimplementation_t *imp;
+
+	REQUIRE(sdbimp != NULL && *sdbimp != NULL);
+
+	imp = *sdbimp;
+	*sdbimp = NULL;
+	dns_db_unregister(&imp->dbimp);
+	isc_mutex_destroy(&imp->driverlock);
+
+	isc_mem_putanddetach(&imp->mctx, imp, sizeof(dns_sdbimplementation_t));
+}
+
+static unsigned int
+initial_size(unsigned int len) {
+	unsigned int size;
+
+	for (size = 1024; size < (64 * 1024); size *= 2) {
+		if (len < size) {
+			return (size);
+		}
+	}
+	return (65535);
+}
+
+isc_result_t
+dns_sdb_putrdata(dns_sdblookup_t *lookup, dns_rdatatype_t typeval,
+		 dns_ttl_t ttl, const unsigned char *rdatap,
+		 unsigned int rdlen) {
+	dns_rdatalist_t *rdatalist;
+	dns_rdata_t *rdata;
+	isc_buffer_t *rdatabuf = NULL;
+	isc_mem_t *mctx;
+	isc_region_t region;
+
+	mctx = lookup->sdb->common.mctx;
+
+	rdatalist = ISC_LIST_HEAD(lookup->lists);
+	while (rdatalist != NULL) {
+		if (rdatalist->type == typeval) {
+			break;
+		}
+		rdatalist = ISC_LIST_NEXT(rdatalist, link);
+	}
+
+	if (rdatalist == NULL) {
+		rdatalist = isc_mem_get(mctx, sizeof(dns_rdatalist_t));
+		dns_rdatalist_init(rdatalist);
+		rdatalist->rdclass = lookup->sdb->common.rdclass;
+		rdatalist->type = typeval;
+		rdatalist->ttl = ttl;
+		ISC_LIST_APPEND(lookup->lists, rdatalist, link);
+	} else if (rdatalist->ttl != ttl) {
+		return (DNS_R_BADTTL);
+	}
+
+	rdata = isc_mem_get(mctx, sizeof(dns_rdata_t));
+
+	isc_buffer_allocate(mctx, &rdatabuf, rdlen);
+	DE_CONST(rdatap, region.base);
+	region.length = rdlen;
+	isc_buffer_copyregion(rdatabuf, &region);
+	isc_buffer_usedregion(rdatabuf, &region);
+	dns_rdata_init(rdata);
+	dns_rdata_fromregion(rdata, rdatalist->rdclass, rdatalist->type,
+			     &region);
+	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
+	ISC_LIST_APPEND(lookup->buffers, rdatabuf, link);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_sdb_putrr(dns_sdblookup_t *lookup, const char *type, dns_ttl_t ttl,
+	      const char *data) {
+	unsigned int datalen;
+	dns_rdatatype_t typeval;
+	isc_textregion_t r;
+	isc_lex_t *lex = NULL;
+	isc_result_t result;
+	unsigned char *p = NULL;
+	unsigned int size = 0; /* Init to suppress compiler warning */
+	isc_mem_t *mctx;
+	dns_sdbimplementation_t *imp;
+	const dns_name_t *origin;
+	isc_buffer_t b;
+	isc_buffer_t rb;
+
+	REQUIRE(VALID_SDBLOOKUP(lookup));
+	REQUIRE(type != NULL);
+	REQUIRE(data != NULL);
+
+	mctx = lookup->sdb->common.mctx;
+
+	DE_CONST(type, r.base);
+	r.length = strlen(type);
+	result = dns_rdatatype_fromtext(&typeval, &r);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	imp = lookup->sdb->implementation;
+	if ((imp->flags & DNS_SDBFLAG_RELATIVERDATA) != 0) {
+		origin = &lookup->sdb->common.origin;
+	} else {
+		origin = dns_rootname;
+	}
+
+	result = isc_lex_create(mctx, 64, &lex);
+	if (result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+
+	datalen = strlen(data);
+	size = initial_size(datalen);
+	do {
+		isc_buffer_constinit(&b, data, datalen);
+		isc_buffer_add(&b, datalen);
+		result = isc_lex_openbuffer(lex, &b);
+		if (result != ISC_R_SUCCESS) {
+			goto failure;
+		}
+
+		if (size >= 65535) {
+			size = 65535;
+		}
+		p = isc_mem_get(mctx, size);
+		isc_buffer_init(&rb, p, size);
+		result = dns_rdata_fromtext(NULL, lookup->sdb->common.rdclass,
+					    typeval, lex, origin, 0, mctx, &rb,
+					    &lookup->callbacks);
+		if (result != ISC_R_NOSPACE) {
+			break;
+		}
+
+		/*
+		 * Is the RR too big?
+		 */
+		if (size >= 65535) {
+			break;
+		}
+		isc_mem_put(mctx, p, size);
+		p = NULL;
+		size *= 2;
+	} while (result == ISC_R_NOSPACE);
+
+	if (result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+
+	result = dns_sdb_putrdata(lookup, typeval, ttl, isc_buffer_base(&rb),
+				  isc_buffer_usedlength(&rb));
+failure:
+	if (p != NULL) {
+		isc_mem_put(mctx, p, size);
+	}
+	if (lex != NULL) {
+		isc_lex_destroy(&lex);
+	}
+
+	return (result);
+}
+
+static isc_result_t
+getnode(dns_sdballnodes_t *allnodes, const char *name, dns_sdbnode_t **nodep) {
+	dns_name_t *newname;
+	const dns_name_t *origin;
+	dns_fixedname_t fnewname;
+	dns_sdb_t *sdb = (dns_sdb_t *)allnodes->common.db;
+	dns_sdbimplementation_t *imp = sdb->implementation;
+	dns_sdbnode_t *sdbnode;
+	isc_mem_t *mctx = sdb->common.mctx;
+	isc_buffer_t b;
+	isc_result_t result;
+
+	newname = dns_fixedname_initname(&fnewname);
+
+	if ((imp->flags & DNS_SDBFLAG_RELATIVERDATA) != 0) {
+		origin = &sdb->common.origin;
+	} else {
+		origin = dns_rootname;
+	}
+	isc_buffer_constinit(&b, name, strlen(name));
+	isc_buffer_add(&b, strlen(name));
+
+	result = dns_name_fromtext(newname, &b, origin, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	if (allnodes->common.relative_names) {
+		/* All names are relative to the root */
+		unsigned int nlabels = dns_name_countlabels(newname);
+		dns_name_getlabelsequence(newname, 0, nlabels - 1, newname);
+	}
+
+	sdbnode = ISC_LIST_HEAD(allnodes->nodelist);
+	if (sdbnode == NULL || !dns_name_equal(sdbnode->name, newname)) {
+		sdbnode = NULL;
+		result = createnode(sdb, &sdbnode);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		sdbnode->name = isc_mem_get(mctx, sizeof(dns_name_t));
+		dns_name_init(sdbnode->name, NULL);
+		dns_name_dup(newname, mctx, sdbnode->name);
+		ISC_LIST_PREPEND(allnodes->nodelist, sdbnode, link);
+		if (allnodes->origin == NULL &&
+		    dns_name_equal(newname, &sdb->common.origin))
+		{
+			allnodes->origin = sdbnode;
+		}
+	}
+	*nodep = sdbnode;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_sdb_putnamedrr(dns_sdballnodes_t *allnodes, const char *name,
+		   const char *type, dns_ttl_t ttl, const char *data) {
+	isc_result_t result;
+	dns_sdbnode_t *sdbnode = NULL;
+	result = getnode(allnodes, name, &sdbnode);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	return (dns_sdb_putrr(sdbnode, type, ttl, data));
+}
+
+isc_result_t
+dns_sdb_putnamedrdata(dns_sdballnodes_t *allnodes, const char *name,
+		      dns_rdatatype_t type, dns_ttl_t ttl, const void *rdata,
+		      unsigned int rdlen) {
+	isc_result_t result;
+	dns_sdbnode_t *sdbnode = NULL;
+	result = getnode(allnodes, name, &sdbnode);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	return (dns_sdb_putrdata(sdbnode, type, ttl, rdata, rdlen));
+}
+
+isc_result_t
+dns_sdb_putsoa(dns_sdblookup_t *lookup, const char *mname, const char *rname,
+	       uint32_t serial) {
+	char str[2 * DNS_NAME_MAXTEXT + 5 * (sizeof("2147483647")) + 7];
+	int n;
+
+	REQUIRE(mname != NULL);
+	REQUIRE(rname != NULL);
+
+	n = snprintf(str, sizeof(str), "%s %s %u %u %u %u %u", mname, rname,
+		     serial, SDB_DEFAULT_REFRESH, SDB_DEFAULT_RETRY,
+		     SDB_DEFAULT_EXPIRE, SDB_DEFAULT_MINIMUM);
+	if (n >= (int)sizeof(str) || n < 0) {
+		return (ISC_R_NOSPACE);
+	}
+	return (dns_sdb_putrr(lookup, "SOA", SDB_DEFAULT_TTL, str));
+}
+
+/*
+ * DB routines
+ */
+
+static void
+attach(dns_db_t *source, dns_db_t **targetp) {
+	dns_sdb_t *sdb = (dns_sdb_t *)source;
+
+	REQUIRE(VALID_SDB(sdb));
+
+	isc_refcount_increment(&sdb->references);
+
+	*targetp = source;
+}
+
+static void
+destroy(dns_sdb_t *sdb) {
+	dns_sdbimplementation_t *imp = sdb->implementation;
+
+	isc_refcount_destroy(&sdb->references);
+
+	if (imp->methods->destroy != NULL) {
+		MAYBE_LOCK(sdb);
+		imp->methods->destroy(sdb->zone, imp->driverdata, &sdb->dbdata);
+		MAYBE_UNLOCK(sdb);
+	}
+
+	isc_mem_free(sdb->common.mctx, sdb->zone);
+
+	sdb->common.magic = 0;
+	sdb->common.impmagic = 0;
+
+	dns_name_free(&sdb->common.origin, sdb->common.mctx);
+
+	isc_mem_putanddetach(&sdb->common.mctx, sdb, sizeof(dns_sdb_t));
+}
+
+static void
+detach(dns_db_t **dbp) {
+	dns_sdb_t *sdb = (dns_sdb_t *)(*dbp);
+
+	REQUIRE(VALID_SDB(sdb));
+
+	*dbp = NULL;
+
+	if (isc_refcount_decrement(&sdb->references) == 1) {
+		destroy(sdb);
+	}
+}
+
+static isc_result_t
+beginload(dns_db_t *db, dns_rdatacallbacks_t *callbacks) {
+	UNUSED(db);
+	UNUSED(callbacks);
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static isc_result_t
+endload(dns_db_t *db, dns_rdatacallbacks_t *callbacks) {
+	UNUSED(db);
+	UNUSED(callbacks);
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static isc_result_t
+dump(dns_db_t *db, dns_dbversion_t *version, const char *filename,
+     dns_masterformat_t masterformat) {
+	UNUSED(db);
+	UNUSED(version);
+	UNUSED(filename);
+	UNUSED(masterformat);
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static void
+currentversion(dns_db_t *db, dns_dbversion_t **versionp) {
+	REQUIRE(versionp != NULL && *versionp == NULL);
+
+	UNUSED(db);
+
+	*versionp = (void *)&dummy;
+	return;
+}
+
+static isc_result_t
+newversion(dns_db_t *db, dns_dbversion_t **versionp) {
+	UNUSED(db);
+	UNUSED(versionp);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static void
+attachversion(dns_db_t *db, dns_dbversion_t *source,
+	      dns_dbversion_t **targetp) {
+	REQUIRE(source != NULL && source == (void *)&dummy);
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	UNUSED(db);
+	*targetp = source;
+	return;
+}
+
+static void
+closeversion(dns_db_t *db, dns_dbversion_t **versionp, bool commit) {
+	REQUIRE(versionp != NULL && *versionp == (void *)&dummy);
+	REQUIRE(!commit);
+
+	UNUSED(db);
+	UNUSED(commit);
+
+	*versionp = NULL;
+}
+
+static isc_result_t
+createnode(dns_sdb_t *sdb, dns_sdbnode_t **nodep) {
+	dns_sdbnode_t *node;
+
+	node = isc_mem_get(sdb->common.mctx, sizeof(dns_sdbnode_t));
+
+	node->sdb = NULL;
+	attach((dns_db_t *)sdb, (dns_db_t **)&node->sdb);
+	ISC_LIST_INIT(node->lists);
+	ISC_LIST_INIT(node->buffers);
+	ISC_LINK_INIT(node, link);
+	node->name = NULL;
+	dns_rdatacallbacks_init(&node->callbacks);
+
+	isc_refcount_init(&node->references, 1);
+
+	node->magic = SDBLOOKUP_MAGIC;
+
+	*nodep = node;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+destroynode(dns_sdbnode_t *node) {
+	dns_rdatalist_t *list;
+	dns_rdata_t *rdata;
+	isc_buffer_t *b;
+	dns_sdb_t *sdb;
+	isc_mem_t *mctx;
+
+	sdb = node->sdb;
+	mctx = sdb->common.mctx;
+
+	while (!ISC_LIST_EMPTY(node->lists)) {
+		list = ISC_LIST_HEAD(node->lists);
+		while (!ISC_LIST_EMPTY(list->rdata)) {
+			rdata = ISC_LIST_HEAD(list->rdata);
+			ISC_LIST_UNLINK(list->rdata, rdata, link);
+			isc_mem_put(mctx, rdata, sizeof(dns_rdata_t));
+		}
+		ISC_LIST_UNLINK(node->lists, list, link);
+		isc_mem_put(mctx, list, sizeof(dns_rdatalist_t));
+	}
+
+	while (!ISC_LIST_EMPTY(node->buffers)) {
+		b = ISC_LIST_HEAD(node->buffers);
+		ISC_LIST_UNLINK(node->buffers, b, link);
+		isc_buffer_free(&b);
+	}
+
+	if (node->name != NULL) {
+		dns_name_free(node->name, mctx);
+		isc_mem_put(mctx, node->name, sizeof(dns_name_t));
+	}
+
+	node->magic = 0;
+	isc_mem_put(mctx, node, sizeof(dns_sdbnode_t));
+	detach((dns_db_t **)(void *)&sdb);
+}
+
+static isc_result_t
+getoriginnode(dns_db_t *db, dns_dbnode_t **nodep) {
+	dns_sdb_t *sdb = (dns_sdb_t *)db;
+	dns_sdbnode_t *node = NULL;
+	isc_result_t result;
+	isc_buffer_t b;
+	char namestr[DNS_NAME_MAXTEXT + 1];
+	dns_sdbimplementation_t *imp;
+	dns_name_t relname;
+	dns_name_t *name;
+
+	REQUIRE(VALID_SDB(sdb));
+	REQUIRE(nodep != NULL && *nodep == NULL);
+
+	imp = sdb->implementation;
+	name = &sdb->common.origin;
+
+	if (imp->methods->lookup2 != NULL) {
+		if ((imp->flags & DNS_SDBFLAG_RELATIVEOWNER) != 0) {
+			dns_name_init(&relname, NULL);
+			name = &relname;
+		}
+	} else {
+		isc_buffer_init(&b, namestr, sizeof(namestr));
+		if ((imp->flags & DNS_SDBFLAG_RELATIVEOWNER) != 0) {
+			dns_name_init(&relname, NULL);
+			result = dns_name_totext(&relname, true, &b);
+			if (result != ISC_R_SUCCESS) {
+				return (result);
+			}
+		} else {
+			result = dns_name_totext(name, true, &b);
+			if (result != ISC_R_SUCCESS) {
+				return (result);
+			}
+		}
+		isc_buffer_putuint8(&b, 0);
+	}
+
+	result = createnode(sdb, &node);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	MAYBE_LOCK(sdb);
+	if (imp->methods->lookup2 != NULL) {
+		result = imp->methods->lookup2(&sdb->common.origin, name,
+					       sdb->dbdata, node, NULL, NULL);
+	} else {
+		result = imp->methods->lookup(sdb->zone, namestr, sdb->dbdata,
+					      node, NULL, NULL);
+	}
+	MAYBE_UNLOCK(sdb);
+	if (result != ISC_R_SUCCESS &&
+	    !(result == ISC_R_NOTFOUND && imp->methods->authority != NULL))
+	{
+		destroynode(node);
+		return (result);
+	}
+
+	if (imp->methods->authority != NULL) {
+		MAYBE_LOCK(sdb);
+		result = imp->methods->authority(sdb->zone, sdb->dbdata, node);
+		MAYBE_UNLOCK(sdb);
+		if (result != ISC_R_SUCCESS) {
+			destroynode(node);
+			return (result);
+		}
+	}
+
+	*nodep = node;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+findnodeext(dns_db_t *db, const dns_name_t *name, bool create,
+	    dns_clientinfomethods_t *methods, dns_clientinfo_t *clientinfo,
+	    dns_dbnode_t **nodep) {
+	dns_sdb_t *sdb = (dns_sdb_t *)db;
+	dns_sdbnode_t *node = NULL;
+	isc_result_t result;
+	isc_buffer_t b;
+	char namestr[DNS_NAME_MAXTEXT + 1];
+	bool isorigin;
+	dns_sdbimplementation_t *imp;
+	dns_name_t relname;
+	unsigned int labels;
+
+	REQUIRE(VALID_SDB(sdb));
+	REQUIRE(nodep != NULL && *nodep == NULL);
+
+	UNUSED(name);
+	UNUSED(create);
+
+	imp = sdb->implementation;
+
+	isorigin = dns_name_equal(name, &sdb->common.origin);
+
+	if (imp->methods->lookup2 != NULL) {
+		if ((imp->flags & DNS_SDBFLAG_RELATIVEOWNER) != 0) {
+			labels = dns_name_countlabels(name) -
+				 dns_name_countlabels(&db->origin);
+			dns_name_init(&relname, NULL);
+			dns_name_getlabelsequence(name, 0, labels, &relname);
+			name = &relname;
+		}
+	} else {
+		isc_buffer_init(&b, namestr, sizeof(namestr));
+		if ((imp->flags & DNS_SDBFLAG_RELATIVEOWNER) != 0) {
+			labels = dns_name_countlabels(name) -
+				 dns_name_countlabels(&db->origin);
+			dns_name_init(&relname, NULL);
+			dns_name_getlabelsequence(name, 0, labels, &relname);
+			result = dns_name_totext(&relname, true, &b);
+			if (result != ISC_R_SUCCESS) {
+				return (result);
+			}
+		} else {
+			result = dns_name_totext(name, true, &b);
+			if (result != ISC_R_SUCCESS) {
+				return (result);
+			}
+		}
+		isc_buffer_putuint8(&b, 0);
+	}
+
+	result = createnode(sdb, &node);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	MAYBE_LOCK(sdb);
+	if (imp->methods->lookup2 != NULL) {
+		result = imp->methods->lookup2(&sdb->common.origin, name,
+					       sdb->dbdata, node, methods,
+					       clientinfo);
+	} else {
+		result = imp->methods->lookup(sdb->zone, namestr, sdb->dbdata,
+					      node, methods, clientinfo);
+	}
+	MAYBE_UNLOCK(sdb);
+	if (result != ISC_R_SUCCESS && !(result == ISC_R_NOTFOUND && isorigin &&
+					 imp->methods->authority != NULL))
+	{
+		destroynode(node);
+		return (result);
+	}
+
+	if (isorigin && imp->methods->authority != NULL) {
+		MAYBE_LOCK(sdb);
+		result = imp->methods->authority(sdb->zone, sdb->dbdata, node);
+		MAYBE_UNLOCK(sdb);
+		if (result != ISC_R_SUCCESS) {
+			destroynode(node);
+			return (result);
+		}
+	}
+
+	*nodep = node;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+findext(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version,
+	dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
+	dns_dbnode_t **nodep, dns_name_t *foundname,
+	dns_clientinfomethods_t *methods, dns_clientinfo_t *clientinfo,
+	dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) {
+	dns_sdb_t *sdb = (dns_sdb_t *)db;
+	dns_dbnode_t *node = NULL;
+	dns_fixedname_t fname;
+	dns_rdataset_t xrdataset;
+	dns_name_t *xname;
+	unsigned int nlabels, olabels;
+	isc_result_t result;
+	unsigned int i;
+	unsigned int flags;
+
+	REQUIRE(VALID_SDB(sdb));
+	REQUIRE(nodep == NULL || *nodep == NULL);
+	REQUIRE(version == NULL || version == (void *)&dummy);
+
+	UNUSED(options);
+
+	if (!dns_name_issubdomain(name, &db->origin)) {
+		return (DNS_R_NXDOMAIN);
+	}
+
+	olabels = dns_name_countlabels(&db->origin);
+	nlabels = dns_name_countlabels(name);
+
+	xname = dns_fixedname_initname(&fname);
+
+	if (rdataset == NULL) {
+		dns_rdataset_init(&xrdataset);
+		rdataset = &xrdataset;
+	}
+
+	result = DNS_R_NXDOMAIN;
+	flags = sdb->implementation->flags;
+	i = (flags & DNS_SDBFLAG_DNS64) != 0 ? nlabels : olabels;
+	for (; i <= nlabels; i++) {
+		/*
+		 * Look up the next label.
+		 */
+		dns_name_getlabelsequence(name, nlabels - i, i, xname);
+		result = findnodeext(db, xname, false, methods, clientinfo,
+				     &node);
+		if (result == ISC_R_NOTFOUND) {
+			/*
+			 * No data at zone apex?
+			 */
+			if (i == olabels) {
+				return (DNS_R_BADDB);
+			}
+			result = DNS_R_NXDOMAIN;
+			continue;
+		}
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+
+		/*
+		 * DNS64 zone's don't have DNAME or NS records.
+		 */
+		if ((flags & DNS_SDBFLAG_DNS64) != 0) {
+			goto skip;
+		}
+
+		/*
+		 * DNS64 zone's don't have DNAME or NS records.
+		 */
+		if ((flags & DNS_SDBFLAG_DNS64) != 0) {
+			goto skip;
+		}
+
+		/*
+		 * Look for a DNAME at the current label, unless this is
+		 * the qname.
+		 */
+		if (i < nlabels) {
+			result = findrdataset(db, node, version,
+					      dns_rdatatype_dname, 0, now,
+					      rdataset, sigrdataset);
+			if (result == ISC_R_SUCCESS) {
+				result = DNS_R_DNAME;
+				break;
+			}
+		}
+
+		/*
+		 * Look for an NS at the current label, unless this is the
+		 * origin or glue is ok.
+		 */
+		if (i != olabels && (options & DNS_DBFIND_GLUEOK) == 0) {
+			result = findrdataset(db, node, version,
+					      dns_rdatatype_ns, 0, now,
+					      rdataset, sigrdataset);
+			if (result == ISC_R_SUCCESS) {
+				if (i == nlabels && type == dns_rdatatype_any) {
+					result = DNS_R_ZONECUT;
+					dns_rdataset_disassociate(rdataset);
+					if (sigrdataset != NULL &&
+					    dns_rdataset_isassociated(
+						    sigrdataset))
+					{
+						dns_rdataset_disassociate(
+							sigrdataset);
+					}
+				} else {
+					result = DNS_R_DELEGATION;
+				}
+				break;
+			}
+		}
+
+		/*
+		 * If the current name is not the qname, add another label
+		 * and try again.
+		 */
+		if (i < nlabels) {
+			destroynode(node);
+			node = NULL;
+			continue;
+		}
+
+	skip:
+		/*
+		 * If we're looking for ANY, we're done.
+		 */
+		if (type == dns_rdatatype_any) {
+			result = ISC_R_SUCCESS;
+			break;
+		}
+
+		/*
+		 * Look for the qtype.
+		 */
+		result = findrdataset(db, node, version, type, 0, now, rdataset,
+				      sigrdataset);
+		if (result == ISC_R_SUCCESS) {
+			break;
+		}
+
+		/*
+		 * Look for a CNAME
+		 */
+		if (type != dns_rdatatype_cname) {
+			result = findrdataset(db, node, version,
+					      dns_rdatatype_cname, 0, now,
+					      rdataset, sigrdataset);
+			if (result == ISC_R_SUCCESS) {
+				result = DNS_R_CNAME;
+				break;
+			}
+		}
+
+		result = DNS_R_NXRRSET;
+		break;
+	}
+
+	if (rdataset == &xrdataset && dns_rdataset_isassociated(rdataset)) {
+		dns_rdataset_disassociate(rdataset);
+	}
+
+	if (foundname != NULL) {
+		dns_name_copynf(xname, foundname);
+	}
+
+	if (nodep != NULL) {
+		*nodep = node;
+	} else if (node != NULL) {
+		detachnode(db, &node);
+	}
+
+	return (result);
+}
+
+static isc_result_t
+findzonecut(dns_db_t *db, const dns_name_t *name, unsigned int options,
+	    isc_stdtime_t now, dns_dbnode_t **nodep, dns_name_t *foundname,
+	    dns_name_t *dcname, dns_rdataset_t *rdataset,
+	    dns_rdataset_t *sigrdataset) {
+	UNUSED(db);
+	UNUSED(name);
+	UNUSED(options);
+	UNUSED(now);
+	UNUSED(nodep);
+	UNUSED(foundname);
+	UNUSED(dcname);
+	UNUSED(rdataset);
+	UNUSED(sigrdataset);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static void
+attachnode(dns_db_t *db, dns_dbnode_t *source, dns_dbnode_t **targetp) {
+	dns_sdb_t *sdb = (dns_sdb_t *)db;
+	dns_sdbnode_t *node = (dns_sdbnode_t *)source;
+
+	REQUIRE(VALID_SDB(sdb));
+
+	UNUSED(sdb);
+
+	isc_refcount_increment(&node->references);
+
+	*targetp = source;
+}
+
+static void
+detachnode(dns_db_t *db, dns_dbnode_t **targetp) {
+	dns_sdb_t *sdb = (dns_sdb_t *)db;
+	dns_sdbnode_t *node;
+
+	REQUIRE(VALID_SDB(sdb));
+	REQUIRE(targetp != NULL && *targetp != NULL);
+
+	UNUSED(sdb);
+
+	node = (dns_sdbnode_t *)(*targetp);
+
+	*targetp = NULL;
+
+	if (isc_refcount_decrement(&node->references) == 1) {
+		destroynode(node);
+	}
+}
+
+static isc_result_t
+expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
+	UNUSED(db);
+	UNUSED(node);
+	UNUSED(now);
+	UNREACHABLE();
+}
+
+static void
+printnode(dns_db_t *db, dns_dbnode_t *node, FILE *out) {
+	UNUSED(db);
+	UNUSED(node);
+	UNUSED(out);
+	return;
+}
+
+static isc_result_t
+createiterator(dns_db_t *db, unsigned int options,
+	       dns_dbiterator_t **iteratorp) {
+	dns_sdb_t *sdb = (dns_sdb_t *)db;
+	REQUIRE(VALID_SDB(sdb));
+
+	sdb_dbiterator_t *sdbiter;
+	isc_result_t result;
+	dns_sdbimplementation_t *imp = sdb->implementation;
+
+	if (imp->methods->allnodes == NULL) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	if ((options & DNS_DB_NSEC3ONLY) != 0 ||
+	    (options & DNS_DB_NONSEC3) != 0)
+	{
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	sdbiter = isc_mem_get(sdb->common.mctx, sizeof(sdb_dbiterator_t));
+
+	sdbiter->common.methods = &dbiterator_methods;
+	sdbiter->common.db = NULL;
+	dns_db_attach(db, &sdbiter->common.db);
+	sdbiter->common.relative_names = ((options & DNS_DB_RELATIVENAMES) !=
+					  0);
+	sdbiter->common.magic = DNS_DBITERATOR_MAGIC;
+	ISC_LIST_INIT(sdbiter->nodelist);
+	sdbiter->current = NULL;
+	sdbiter->origin = NULL;
+
+	MAYBE_LOCK(sdb);
+	result = imp->methods->allnodes(sdb->zone, sdb->dbdata, sdbiter);
+	MAYBE_UNLOCK(sdb);
+	if (result != ISC_R_SUCCESS) {
+		dbiterator_destroy((dns_dbiterator_t **)(void *)&sdbiter);
+		return (result);
+	}
+
+	if (sdbiter->origin != NULL) {
+		ISC_LIST_UNLINK(sdbiter->nodelist, sdbiter->origin, link);
+		ISC_LIST_PREPEND(sdbiter->nodelist, sdbiter->origin, link);
+	}
+
+	*iteratorp = (dns_dbiterator_t *)sdbiter;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+	     dns_rdatatype_t type, dns_rdatatype_t covers, isc_stdtime_t now,
+	     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) {
+	REQUIRE(VALID_SDBNODE(node));
+
+	dns_rdatalist_t *list;
+	dns_sdbnode_t *sdbnode = (dns_sdbnode_t *)node;
+
+	UNUSED(db);
+	UNUSED(version);
+	UNUSED(covers);
+	UNUSED(now);
+	UNUSED(sigrdataset);
+
+	if (type == dns_rdatatype_rrsig) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	list = ISC_LIST_HEAD(sdbnode->lists);
+	while (list != NULL) {
+		if (list->type == type) {
+			break;
+		}
+		list = ISC_LIST_NEXT(list, link);
+	}
+	if (list == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	list_tordataset(list, db, node, rdataset);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+	     unsigned int options, isc_stdtime_t now,
+	     dns_rdatasetiter_t **iteratorp) {
+	sdb_rdatasetiter_t *iterator;
+
+	REQUIRE(version == NULL || version == &dummy);
+
+	UNUSED(version);
+	UNUSED(now);
+
+	iterator = isc_mem_get(db->mctx, sizeof(sdb_rdatasetiter_t));
+
+	iterator->common.magic = DNS_RDATASETITER_MAGIC;
+	iterator->common.methods = &rdatasetiter_methods;
+	iterator->common.db = db;
+	iterator->common.node = NULL;
+	attachnode(db, node, &iterator->common.node);
+	iterator->common.version = version;
+	iterator->common.options = options;
+	iterator->common.now = now;
+
+	*iteratorp = (dns_rdatasetiter_t *)iterator;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+	    isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options,
+	    dns_rdataset_t *addedrdataset) {
+	UNUSED(db);
+	UNUSED(node);
+	UNUSED(version);
+	UNUSED(now);
+	UNUSED(rdataset);
+	UNUSED(options);
+	UNUSED(addedrdataset);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static isc_result_t
+subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+		 dns_rdataset_t *rdataset, unsigned int options,
+		 dns_rdataset_t *newrdataset) {
+	UNUSED(db);
+	UNUSED(node);
+	UNUSED(version);
+	UNUSED(rdataset);
+	UNUSED(options);
+	UNUSED(newrdataset);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static isc_result_t
+deleterdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+	       dns_rdatatype_t type, dns_rdatatype_t covers) {
+	UNUSED(db);
+	UNUSED(node);
+	UNUSED(version);
+	UNUSED(type);
+	UNUSED(covers);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static bool
+issecure(dns_db_t *db) {
+	UNUSED(db);
+
+	return (false);
+}
+
+static unsigned int
+nodecount(dns_db_t *db) {
+	UNUSED(db);
+
+	return (0);
+}
+
+static bool
+ispersistent(dns_db_t *db) {
+	UNUSED(db);
+	return (true);
+}
+
+static void
+overmem(dns_db_t *db, bool over) {
+	UNUSED(db);
+	UNUSED(over);
+}
+
+static void
+settask(dns_db_t *db, isc_task_t *task) {
+	UNUSED(db);
+	UNUSED(task);
+}
+
+static dns_dbmethods_t sdb_methods = {
+	attach,
+	detach,
+	beginload,
+	endload,
+	NULL, /* serialize */
+	dump,
+	currentversion,
+	newversion,
+	attachversion,
+	closeversion,
+	NULL, /* findnode */
+	NULL, /* find */
+	findzonecut,
+	attachnode,
+	detachnode,
+	expirenode,
+	printnode,
+	createiterator,
+	findrdataset,
+	allrdatasets,
+	addrdataset,
+	subtractrdataset,
+	deleterdataset,
+	issecure,
+	nodecount,
+	ispersistent,
+	overmem,
+	settask,
+	getoriginnode, /* getoriginnode */
+	NULL,	       /* transfernode */
+	NULL,	       /* getnsec3parameters */
+	NULL,	       /* findnsec3node */
+	NULL,	       /* setsigningtime */
+	NULL,	       /* getsigningtime */
+	NULL,	       /* resigned */
+	NULL,	       /* isdnssec */
+	NULL,	       /* getrrsetstats */
+	NULL,	       /* rpz_attach */
+	NULL,	       /* rpz_ready */
+	findnodeext,
+	findext,
+	NULL, /* setcachestats */
+	NULL, /* hashsize */
+	NULL, /* nodefullname */
+	NULL, /* getsize */
+	NULL, /* setservestalettl */
+	NULL, /* getservestalettl */
+	NULL, /* setservestalerefresh */
+	NULL, /* getservestalerefresh */
+	NULL, /* setgluecachestats */
+	NULL  /* adjusthashsize */
+};
+
+static isc_result_t
+dns_sdb_create(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type,
+	       dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
+	       void *driverarg, dns_db_t **dbp) {
+	dns_sdb_t *sdb;
+	isc_result_t result;
+	char zonestr[DNS_NAME_MAXTEXT + 1];
+	isc_buffer_t b;
+	dns_sdbimplementation_t *imp;
+
+	REQUIRE(driverarg != NULL);
+
+	imp = driverarg;
+
+	if (type != dns_dbtype_zone) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	sdb = isc_mem_get(mctx, sizeof(dns_sdb_t));
+	memset(sdb, 0, sizeof(dns_sdb_t));
+
+	dns_name_init(&sdb->common.origin, NULL);
+	sdb->common.attributes = 0;
+	sdb->common.methods = &sdb_methods;
+	sdb->common.rdclass = rdclass;
+	sdb->common.mctx = NULL;
+	sdb->implementation = imp;
+
+	isc_mem_attach(mctx, &sdb->common.mctx);
+
+	result = dns_name_dupwithoffsets(origin, mctx, &sdb->common.origin);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_lock;
+	}
+
+	isc_buffer_init(&b, zonestr, sizeof(zonestr));
+	result = dns_name_totext(origin, true, &b);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_origin;
+	}
+	isc_buffer_putuint8(&b, 0);
+
+	sdb->zone = isc_mem_strdup(mctx, zonestr);
+
+	sdb->dbdata = NULL;
+	if (imp->methods->create != NULL) {
+		MAYBE_LOCK(sdb);
+		result = imp->methods->create(sdb->zone, argc, argv,
+					      imp->driverdata, &sdb->dbdata);
+		MAYBE_UNLOCK(sdb);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup_zonestr;
+		}
+	}
+
+	isc_refcount_init(&sdb->references, 1);
+
+	sdb->common.magic = DNS_DB_MAGIC;
+	sdb->common.impmagic = SDB_MAGIC;
+
+	*dbp = (dns_db_t *)sdb;
+
+	return (ISC_R_SUCCESS);
+
+cleanup_zonestr:
+	isc_mem_free(mctx, sdb->zone);
+cleanup_origin:
+	dns_name_free(&sdb->common.origin, mctx);
+cleanup_lock:
+	isc_mem_putanddetach(&mctx, sdb, sizeof(dns_sdb_t));
+
+	return (result);
+}
+
+/*
+ * Rdataset Methods
+ */
+
+static void
+disassociate(dns_rdataset_t *rdataset) {
+	dns_dbnode_t *node = rdataset->private5;
+	dns_sdbnode_t *sdbnode = (dns_sdbnode_t *)node;
+	dns_db_t *db = (dns_db_t *)sdbnode->sdb;
+
+	detachnode(db, &node);
+	isc__rdatalist_disassociate(rdataset);
+}
+
+static void
+rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
+	dns_dbnode_t *node = source->private5;
+	dns_sdbnode_t *sdbnode = (dns_sdbnode_t *)node;
+	dns_db_t *db = (dns_db_t *)sdbnode->sdb;
+	dns_dbnode_t *tempdb = NULL;
+
+	isc__rdatalist_clone(source, target);
+	attachnode(db, node, &tempdb);
+	source->private5 = tempdb;
+}
+
+static dns_rdatasetmethods_t sdb_rdataset_methods = {
+	disassociate,
+	isc__rdatalist_first,
+	isc__rdatalist_next,
+	isc__rdatalist_current,
+	rdataset_clone,
+	isc__rdatalist_count,
+	isc__rdatalist_addnoqname,
+	isc__rdatalist_getnoqname,
+	NULL, /* addclosest */
+	NULL, /* getclosest */
+	NULL, /* settrust */
+	NULL, /* expire */
+	NULL, /* clearprefetch */
+	NULL, /* setownercase */
+	NULL, /* getownercase */
+	NULL  /* addglue */
+};
+
+static void
+list_tordataset(dns_rdatalist_t *rdatalist, dns_db_t *db, dns_dbnode_t *node,
+		dns_rdataset_t *rdataset) {
+	/*
+	 * The sdb rdataset is an rdatalist with some additions.
+	 *	- private1 & private2 are used by the rdatalist.
+	 *	- private3 & private 4 are unused.
+	 *	- private5 is the node.
+	 */
+
+	/* This should never fail. */
+	RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset) ==
+		      ISC_R_SUCCESS);
+
+	rdataset->methods = &sdb_rdataset_methods;
+	dns_db_attachnode(db, node, &rdataset->private5);
+}
+
+/*
+ * Database Iterator Methods
+ */
+static void
+dbiterator_destroy(dns_dbiterator_t **iteratorp) {
+	sdb_dbiterator_t *sdbiter = (sdb_dbiterator_t *)(*iteratorp);
+	dns_sdb_t *sdb = (dns_sdb_t *)sdbiter->common.db;
+
+	while (!ISC_LIST_EMPTY(sdbiter->nodelist)) {
+		dns_sdbnode_t *node;
+		node = ISC_LIST_HEAD(sdbiter->nodelist);
+		ISC_LIST_UNLINK(sdbiter->nodelist, node, link);
+		destroynode(node);
+	}
+
+	dns_db_detach(&sdbiter->common.db);
+	isc_mem_put(sdb->common.mctx, sdbiter, sizeof(sdb_dbiterator_t));
+
+	*iteratorp = NULL;
+}
+
+static isc_result_t
+dbiterator_first(dns_dbiterator_t *iterator) {
+	sdb_dbiterator_t *sdbiter = (sdb_dbiterator_t *)iterator;
+
+	sdbiter->current = ISC_LIST_HEAD(sdbiter->nodelist);
+	if (sdbiter->current == NULL) {
+		return (ISC_R_NOMORE);
+	} else {
+		return (ISC_R_SUCCESS);
+	}
+}
+
+static isc_result_t
+dbiterator_last(dns_dbiterator_t *iterator) {
+	sdb_dbiterator_t *sdbiter = (sdb_dbiterator_t *)iterator;
+
+	sdbiter->current = ISC_LIST_TAIL(sdbiter->nodelist);
+	if (sdbiter->current == NULL) {
+		return (ISC_R_NOMORE);
+	} else {
+		return (ISC_R_SUCCESS);
+	}
+}
+
+static isc_result_t
+dbiterator_seek(dns_dbiterator_t *iterator, const dns_name_t *name) {
+	sdb_dbiterator_t *sdbiter = (sdb_dbiterator_t *)iterator;
+
+	sdbiter->current = ISC_LIST_HEAD(sdbiter->nodelist);
+	while (sdbiter->current != NULL) {
+		if (dns_name_equal(sdbiter->current->name, name)) {
+			return (ISC_R_SUCCESS);
+		}
+		sdbiter->current = ISC_LIST_NEXT(sdbiter->current, link);
+	}
+	return (ISC_R_NOTFOUND);
+}
+
+static isc_result_t
+dbiterator_prev(dns_dbiterator_t *iterator) {
+	sdb_dbiterator_t *sdbiter = (sdb_dbiterator_t *)iterator;
+
+	sdbiter->current = ISC_LIST_PREV(sdbiter->current, link);
+	if (sdbiter->current == NULL) {
+		return (ISC_R_NOMORE);
+	} else {
+		return (ISC_R_SUCCESS);
+	}
+}
+
+static isc_result_t
+dbiterator_next(dns_dbiterator_t *iterator) {
+	sdb_dbiterator_t *sdbiter = (sdb_dbiterator_t *)iterator;
+
+	sdbiter->current = ISC_LIST_NEXT(sdbiter->current, link);
+	if (sdbiter->current == NULL) {
+		return (ISC_R_NOMORE);
+	} else {
+		return (ISC_R_SUCCESS);
+	}
+}
+
+static isc_result_t
+dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep,
+		   dns_name_t *name) {
+	sdb_dbiterator_t *sdbiter = (sdb_dbiterator_t *)iterator;
+
+	attachnode(iterator->db, sdbiter->current, nodep);
+	if (name != NULL) {
+		dns_name_copynf(sdbiter->current->name, name);
+		return (ISC_R_SUCCESS);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dbiterator_pause(dns_dbiterator_t *iterator) {
+	UNUSED(iterator);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dbiterator_origin(dns_dbiterator_t *iterator, dns_name_t *name) {
+	UNUSED(iterator);
+	dns_name_copynf(dns_rootname, name);
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Rdataset Iterator Methods
+ */
+
+static void
+rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp) {
+	sdb_rdatasetiter_t *sdbiterator = (sdb_rdatasetiter_t *)(*iteratorp);
+	detachnode(sdbiterator->common.db, &sdbiterator->common.node);
+	isc_mem_put(sdbiterator->common.db->mctx, sdbiterator,
+		    sizeof(sdb_rdatasetiter_t));
+	*iteratorp = NULL;
+}
+
+static isc_result_t
+rdatasetiter_first(dns_rdatasetiter_t *iterator) {
+	sdb_rdatasetiter_t *sdbiterator = (sdb_rdatasetiter_t *)iterator;
+	dns_sdbnode_t *sdbnode = (dns_sdbnode_t *)iterator->node;
+
+	if (ISC_LIST_EMPTY(sdbnode->lists)) {
+		return (ISC_R_NOMORE);
+	}
+	sdbiterator->current = ISC_LIST_HEAD(sdbnode->lists);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+rdatasetiter_next(dns_rdatasetiter_t *iterator) {
+	sdb_rdatasetiter_t *sdbiterator = (sdb_rdatasetiter_t *)iterator;
+
+	sdbiterator->current = ISC_LIST_NEXT(sdbiterator->current, link);
+	if (sdbiterator->current == NULL) {
+		return (ISC_R_NOMORE);
+	} else {
+		return (ISC_R_SUCCESS);
+	}
+}
+
+static void
+rdatasetiter_current(dns_rdatasetiter_t *iterator, dns_rdataset_t *rdataset) {
+	sdb_rdatasetiter_t *sdbiterator = (sdb_rdatasetiter_t *)iterator;
+
+	list_tordataset(sdbiterator->current, iterator->db, iterator->node,
+			rdataset);
+}
diff --git a/lib/dns/sdlz.c b/lib/dns/sdlz.c
new file mode 100644
index 0000000..8ba7aae
--- /dev/null
+++ b/lib/dns/sdlz.c
@@ -0,0 +1,2108 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the
+ * above copyright notice and this permission notice appear in all
+ * copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND STICHTING NLNET
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ * STICHTING NLNET BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+ * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+ * OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
+ * USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ * The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
+ * conceived and contributed by Rob Butler.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the
+ * above copyright notice and this permission notice appear in all
+ * copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ROB BUTLER
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ * ROB BUTLER BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+ * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+ * OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
+ * USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <string.h>
+
+#include <isc/buffer.h>
+#include <isc/lex.h>
+#include <isc/log.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/print.h>
+#include <isc/region.h>
+#include <isc/rwlock.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/callbacks.h>
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/dlz.h>
+#include <dns/fixedname.h>
+#include <dns/log.h>
+#include <dns/master.h>
+#include <dns/rdata.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/sdlz.h>
+#include <dns/types.h>
+
+#include "rdatalist_p.h"
+
+/*
+ * Private Types
+ */
+
+struct dns_sdlzimplementation {
+	const dns_sdlzmethods_t *methods;
+	isc_mem_t *mctx;
+	void *driverarg;
+	unsigned int flags;
+	isc_mutex_t driverlock;
+	dns_dlzimplementation_t *dlz_imp;
+};
+
+struct dns_sdlz_db {
+	/* Unlocked */
+	dns_db_t common;
+	void *dbdata;
+	dns_sdlzimplementation_t *dlzimp;
+
+	/* Atomic */
+	isc_refcount_t references;
+
+	/* Locked */
+	dns_dbversion_t *future_version;
+	int dummy_version;
+};
+
+struct dns_sdlzlookup {
+	/* Unlocked */
+	unsigned int magic;
+	dns_sdlz_db_t *sdlz;
+	ISC_LIST(dns_rdatalist_t) lists;
+	ISC_LIST(isc_buffer_t) buffers;
+	dns_name_t *name;
+	ISC_LINK(dns_sdlzlookup_t) link;
+	dns_rdatacallbacks_t callbacks;
+
+	/* Atomic */
+	isc_refcount_t references;
+};
+
+typedef struct dns_sdlzlookup dns_sdlznode_t;
+
+struct dns_sdlzallnodes {
+	dns_dbiterator_t common;
+	ISC_LIST(dns_sdlznode_t) nodelist;
+	dns_sdlznode_t *current;
+	dns_sdlznode_t *origin;
+};
+
+typedef dns_sdlzallnodes_t sdlz_dbiterator_t;
+
+typedef struct sdlz_rdatasetiter {
+	dns_rdatasetiter_t common;
+	dns_rdatalist_t *current;
+} sdlz_rdatasetiter_t;
+
+#define SDLZDB_MAGIC ISC_MAGIC('D', 'L', 'Z', 'S')
+
+/*
+ * Note that "impmagic" is not the first four bytes of the struct, so
+ * ISC_MAGIC_VALID cannot be used.
+ */
+
+#define VALID_SDLZDB(sdlzdb) \
+	((sdlzdb) != NULL && (sdlzdb)->common.impmagic == SDLZDB_MAGIC)
+
+#define SDLZLOOKUP_MAGIC	ISC_MAGIC('D', 'L', 'Z', 'L')
+#define VALID_SDLZLOOKUP(sdlzl) ISC_MAGIC_VALID(sdlzl, SDLZLOOKUP_MAGIC)
+#define VALID_SDLZNODE(sdlzn)	VALID_SDLZLOOKUP(sdlzn)
+
+/* These values are taken from RFC 1537 */
+#define SDLZ_DEFAULT_REFRESH 28800U  /* 8 hours */
+#define SDLZ_DEFAULT_RETRY   7200U   /* 2 hours */
+#define SDLZ_DEFAULT_EXPIRE  604800U /* 7 days */
+#define SDLZ_DEFAULT_MINIMUM 86400U  /* 1 day */
+
+/* This is a reasonable value */
+#define SDLZ_DEFAULT_TTL (60 * 60 * 24)
+
+#ifdef __COVERITY__
+#define MAYBE_LOCK(imp)	  LOCK(&imp->driverlock)
+#define MAYBE_UNLOCK(imp) UNLOCK(&imp->driverlock)
+#else /* ifdef __COVERITY__ */
+#define MAYBE_LOCK(imp)                                     \
+	do {                                                \
+		unsigned int flags = imp->flags;            \
+		if ((flags & DNS_SDLZFLAG_THREADSAFE) == 0) \
+			LOCK(&imp->driverlock);             \
+	} while (0)
+
+#define MAYBE_UNLOCK(imp)                                   \
+	do {                                                \
+		unsigned int flags = imp->flags;            \
+		if ((flags & DNS_SDLZFLAG_THREADSAFE) == 0) \
+			UNLOCK(&imp->driverlock);           \
+	} while (0)
+#endif /* ifdef __COVERITY__ */
+
+/*
+ * Forward references.
+ */
+static isc_result_t
+getnodedata(dns_db_t *db, const dns_name_t *name, bool create,
+	    unsigned int options, dns_clientinfomethods_t *methods,
+	    dns_clientinfo_t *clientinfo, dns_dbnode_t **nodep);
+
+static void
+list_tordataset(dns_rdatalist_t *rdatalist, dns_db_t *db, dns_dbnode_t *node,
+		dns_rdataset_t *rdataset);
+
+static void
+detachnode(dns_db_t *db, dns_dbnode_t **targetp);
+
+static void
+dbiterator_destroy(dns_dbiterator_t **iteratorp);
+static isc_result_t
+dbiterator_first(dns_dbiterator_t *iterator);
+static isc_result_t
+dbiterator_last(dns_dbiterator_t *iterator);
+static isc_result_t
+dbiterator_seek(dns_dbiterator_t *iterator, const dns_name_t *name);
+static isc_result_t
+dbiterator_prev(dns_dbiterator_t *iterator);
+static isc_result_t
+dbiterator_next(dns_dbiterator_t *iterator);
+static isc_result_t
+dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep,
+		   dns_name_t *name);
+static isc_result_t
+dbiterator_pause(dns_dbiterator_t *iterator);
+static isc_result_t
+dbiterator_origin(dns_dbiterator_t *iterator, dns_name_t *name);
+
+static dns_dbiteratormethods_t dbiterator_methods = {
+	dbiterator_destroy, dbiterator_first, dbiterator_last,
+	dbiterator_seek,    dbiterator_prev,  dbiterator_next,
+	dbiterator_current, dbiterator_pause, dbiterator_origin
+};
+
+/*
+ * Utility functions
+ */
+
+/*
+ * Log a message at the given level
+ */
+static void
+sdlz_log(int level, const char *fmt, ...) {
+	va_list ap;
+	va_start(ap, fmt);
+	isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ,
+		       ISC_LOG_DEBUG(level), fmt, ap);
+	va_end(ap);
+}
+
+/*% Converts the input string to lowercase, in place. */
+static void
+dns_sdlz_tolower(char *str) {
+	unsigned int len = strlen(str);
+	unsigned int i;
+
+	for (i = 0; i < len; i++) {
+		if (str[i] >= 'A' && str[i] <= 'Z') {
+			str[i] += 32;
+		}
+	}
+}
+
+static unsigned int
+initial_size(const char *data) {
+	unsigned int len = (strlen(data) / 64) + 1;
+	return (len * 64 + 64);
+}
+
+/*
+ * Rdataset Iterator Methods. These methods were "borrowed" from the SDB
+ * driver interface.  See the SDB driver interface documentation for more info.
+ */
+
+static void
+rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp) {
+	sdlz_rdatasetiter_t *sdlziterator = (sdlz_rdatasetiter_t *)(*iteratorp);
+
+	detachnode(sdlziterator->common.db, &sdlziterator->common.node);
+	isc_mem_put(sdlziterator->common.db->mctx, sdlziterator,
+		    sizeof(sdlz_rdatasetiter_t));
+	*iteratorp = NULL;
+}
+
+static isc_result_t
+rdatasetiter_first(dns_rdatasetiter_t *iterator) {
+	sdlz_rdatasetiter_t *sdlziterator = (sdlz_rdatasetiter_t *)iterator;
+	dns_sdlznode_t *sdlznode = (dns_sdlznode_t *)iterator->node;
+
+	if (ISC_LIST_EMPTY(sdlznode->lists)) {
+		return (ISC_R_NOMORE);
+	}
+	sdlziterator->current = ISC_LIST_HEAD(sdlznode->lists);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+rdatasetiter_next(dns_rdatasetiter_t *iterator) {
+	sdlz_rdatasetiter_t *sdlziterator = (sdlz_rdatasetiter_t *)iterator;
+
+	sdlziterator->current = ISC_LIST_NEXT(sdlziterator->current, link);
+	if (sdlziterator->current == NULL) {
+		return (ISC_R_NOMORE);
+	} else {
+		return (ISC_R_SUCCESS);
+	}
+}
+
+static void
+rdatasetiter_current(dns_rdatasetiter_t *iterator, dns_rdataset_t *rdataset) {
+	sdlz_rdatasetiter_t *sdlziterator = (sdlz_rdatasetiter_t *)iterator;
+
+	list_tordataset(sdlziterator->current, iterator->db, iterator->node,
+			rdataset);
+}
+
+static dns_rdatasetitermethods_t rdatasetiter_methods = {
+	rdatasetiter_destroy, rdatasetiter_first, rdatasetiter_next,
+	rdatasetiter_current
+};
+
+/*
+ * DB routines. These methods were "borrowed" from the SDB driver interface.
+ * See the SDB driver interface documentation for more info.
+ */
+
+static void
+attach(dns_db_t *source, dns_db_t **targetp) {
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)source;
+
+	REQUIRE(VALID_SDLZDB(sdlz));
+
+	isc_refcount_increment(&sdlz->references);
+
+	*targetp = source;
+}
+
+static void
+destroy(dns_sdlz_db_t *sdlz) {
+	sdlz->common.magic = 0;
+	sdlz->common.impmagic = 0;
+
+	dns_name_free(&sdlz->common.origin, sdlz->common.mctx);
+
+	isc_refcount_destroy(&sdlz->references);
+	isc_mem_putanddetach(&sdlz->common.mctx, sdlz, sizeof(dns_sdlz_db_t));
+}
+
+static void
+detach(dns_db_t **dbp) {
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)(*dbp);
+
+	REQUIRE(VALID_SDLZDB(sdlz));
+
+	*dbp = NULL;
+
+	if (isc_refcount_decrement(&sdlz->references) == 1) {
+		destroy(sdlz);
+	}
+}
+
+static isc_result_t
+beginload(dns_db_t *db, dns_rdatacallbacks_t *callbacks) {
+	UNUSED(db);
+	UNUSED(callbacks);
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static isc_result_t
+endload(dns_db_t *db, dns_rdatacallbacks_t *callbacks) {
+	UNUSED(db);
+	UNUSED(callbacks);
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static isc_result_t
+dump(dns_db_t *db, dns_dbversion_t *version, const char *filename,
+     dns_masterformat_t masterformat) {
+	UNUSED(db);
+	UNUSED(version);
+	UNUSED(filename);
+	UNUSED(masterformat);
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static void
+currentversion(dns_db_t *db, dns_dbversion_t **versionp) {
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
+	REQUIRE(VALID_SDLZDB(sdlz));
+	REQUIRE(versionp != NULL && *versionp == NULL);
+
+	*versionp = (void *)&sdlz->dummy_version;
+	return;
+}
+
+static isc_result_t
+newversion(dns_db_t *db, dns_dbversion_t **versionp) {
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
+	char origin[DNS_NAME_MAXTEXT + 1];
+	isc_result_t result;
+
+	REQUIRE(VALID_SDLZDB(sdlz));
+
+	if (sdlz->dlzimp->methods->newversion == NULL) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	dns_name_format(&sdlz->common.origin, origin, sizeof(origin));
+
+	result = sdlz->dlzimp->methods->newversion(
+		origin, sdlz->dlzimp->driverarg, sdlz->dbdata, versionp);
+	if (result != ISC_R_SUCCESS) {
+		sdlz_log(ISC_LOG_ERROR,
+			 "sdlz newversion on origin %s failed : %s", origin,
+			 isc_result_totext(result));
+		return (result);
+	}
+
+	sdlz->future_version = *versionp;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+attachversion(dns_db_t *db, dns_dbversion_t *source,
+	      dns_dbversion_t **targetp) {
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
+
+	REQUIRE(VALID_SDLZDB(sdlz));
+	REQUIRE(source != NULL && source == (void *)&sdlz->dummy_version);
+
+	*targetp = source;
+}
+
+static void
+closeversion(dns_db_t *db, dns_dbversion_t **versionp, bool commit) {
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
+	char origin[DNS_NAME_MAXTEXT + 1];
+
+	REQUIRE(VALID_SDLZDB(sdlz));
+	REQUIRE(versionp != NULL);
+
+	if (*versionp == (void *)&sdlz->dummy_version) {
+		*versionp = NULL;
+		return;
+	}
+
+	REQUIRE(*versionp == sdlz->future_version);
+	REQUIRE(sdlz->dlzimp->methods->closeversion != NULL);
+
+	dns_name_format(&sdlz->common.origin, origin, sizeof(origin));
+
+	sdlz->dlzimp->methods->closeversion(origin, commit,
+					    sdlz->dlzimp->driverarg,
+					    sdlz->dbdata, versionp);
+	if (*versionp != NULL) {
+		sdlz_log(ISC_LOG_ERROR, "sdlz closeversion on origin %s failed",
+			 origin);
+	}
+
+	sdlz->future_version = NULL;
+}
+
+static isc_result_t
+createnode(dns_sdlz_db_t *sdlz, dns_sdlznode_t **nodep) {
+	dns_sdlznode_t *node;
+
+	node = isc_mem_get(sdlz->common.mctx, sizeof(dns_sdlznode_t));
+
+	node->sdlz = NULL;
+	attach((dns_db_t *)sdlz, (dns_db_t **)&node->sdlz);
+	ISC_LIST_INIT(node->lists);
+	ISC_LIST_INIT(node->buffers);
+	ISC_LINK_INIT(node, link);
+	node->name = NULL;
+	dns_rdatacallbacks_init(&node->callbacks);
+
+	isc_refcount_init(&node->references, 1);
+	node->magic = SDLZLOOKUP_MAGIC;
+
+	*nodep = node;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+destroynode(dns_sdlznode_t *node) {
+	dns_rdatalist_t *list;
+	dns_rdata_t *rdata;
+	isc_buffer_t *b;
+	dns_sdlz_db_t *sdlz;
+	dns_db_t *db;
+	isc_mem_t *mctx;
+
+	isc_refcount_destroy(&node->references);
+
+	sdlz = node->sdlz;
+	mctx = sdlz->common.mctx;
+
+	while (!ISC_LIST_EMPTY(node->lists)) {
+		list = ISC_LIST_HEAD(node->lists);
+		while (!ISC_LIST_EMPTY(list->rdata)) {
+			rdata = ISC_LIST_HEAD(list->rdata);
+			ISC_LIST_UNLINK(list->rdata, rdata, link);
+			isc_mem_put(mctx, rdata, sizeof(dns_rdata_t));
+		}
+		ISC_LIST_UNLINK(node->lists, list, link);
+		isc_mem_put(mctx, list, sizeof(dns_rdatalist_t));
+	}
+
+	while (!ISC_LIST_EMPTY(node->buffers)) {
+		b = ISC_LIST_HEAD(node->buffers);
+		ISC_LIST_UNLINK(node->buffers, b, link);
+		isc_buffer_free(&b);
+	}
+
+	if (node->name != NULL) {
+		dns_name_free(node->name, mctx);
+		isc_mem_put(mctx, node->name, sizeof(dns_name_t));
+	}
+
+	node->magic = 0;
+	isc_mem_put(mctx, node, sizeof(dns_sdlznode_t));
+	db = &sdlz->common;
+	detach(&db);
+}
+
+static isc_result_t
+getnodedata(dns_db_t *db, const dns_name_t *name, bool create,
+	    unsigned int options, dns_clientinfomethods_t *methods,
+	    dns_clientinfo_t *clientinfo, dns_dbnode_t **nodep) {
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
+	dns_sdlznode_t *node = NULL;
+	isc_result_t result;
+	isc_buffer_t b;
+	char namestr[DNS_NAME_MAXTEXT + 1];
+	isc_buffer_t b2;
+	char zonestr[DNS_NAME_MAXTEXT + 1];
+	bool isorigin;
+	dns_sdlzauthorityfunc_t authority;
+
+	REQUIRE(VALID_SDLZDB(sdlz));
+	REQUIRE(nodep != NULL && *nodep == NULL);
+
+	if (sdlz->dlzimp->methods->newversion == NULL) {
+		REQUIRE(!create);
+	}
+
+	isc_buffer_init(&b, namestr, sizeof(namestr));
+	if ((sdlz->dlzimp->flags & DNS_SDLZFLAG_RELATIVEOWNER) != 0) {
+		dns_name_t relname;
+		unsigned int labels;
+
+		labels = dns_name_countlabels(name) -
+			 dns_name_countlabels(&sdlz->common.origin);
+		dns_name_init(&relname, NULL);
+		dns_name_getlabelsequence(name, 0, labels, &relname);
+		result = dns_name_totext(&relname, true, &b);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	} else {
+		result = dns_name_totext(name, true, &b);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+	isc_buffer_putuint8(&b, 0);
+
+	isc_buffer_init(&b2, zonestr, sizeof(zonestr));
+	result = dns_name_totext(&sdlz->common.origin, true, &b2);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	isc_buffer_putuint8(&b2, 0);
+
+	result = createnode(sdlz, &node);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	isorigin = dns_name_equal(name, &sdlz->common.origin);
+
+	/* make sure strings are always lowercase */
+	dns_sdlz_tolower(zonestr);
+	dns_sdlz_tolower(namestr);
+
+	MAYBE_LOCK(sdlz->dlzimp);
+
+	/* try to lookup the host (namestr) */
+	result = sdlz->dlzimp->methods->lookup(
+		zonestr, namestr, sdlz->dlzimp->driverarg, sdlz->dbdata, node,
+		methods, clientinfo);
+
+	/*
+	 * If the name was not found and DNS_DBFIND_NOWILD is not
+	 * set, then we try to find a wildcard entry.
+	 *
+	 * If DNS_DBFIND_NOZONECUT is set and there are multiple
+	 * levels between the host and the zone origin, we also look
+	 * for wildcards at each level.
+	 */
+	if (result == ISC_R_NOTFOUND && !create &&
+	    (options & DNS_DBFIND_NOWILD) == 0)
+	{
+		unsigned int i, dlabels, nlabels;
+
+		nlabels = dns_name_countlabels(name);
+		dlabels = nlabels - dns_name_countlabels(&sdlz->common.origin);
+		for (i = 0; i < dlabels; i++) {
+			char wildstr[DNS_NAME_MAXTEXT + 1];
+			dns_fixedname_t fixed;
+			const dns_name_t *wild;
+
+			dns_fixedname_init(&fixed);
+			if (i == dlabels - 1) {
+				wild = dns_wildcardname;
+			} else {
+				dns_name_t *fname;
+				fname = dns_fixedname_name(&fixed);
+				dns_name_getlabelsequence(
+					name, i + 1, dlabels - i - 1, fname);
+				result = dns_name_concatenate(
+					dns_wildcardname, fname, fname, NULL);
+				if (result != ISC_R_SUCCESS) {
+					MAYBE_UNLOCK(sdlz->dlzimp);
+					return (result);
+				}
+				wild = fname;
+			}
+
+			isc_buffer_init(&b, wildstr, sizeof(wildstr));
+			result = dns_name_totext(wild, true, &b);
+			if (result != ISC_R_SUCCESS) {
+				MAYBE_UNLOCK(sdlz->dlzimp);
+				return (result);
+			}
+			isc_buffer_putuint8(&b, 0);
+
+			result = sdlz->dlzimp->methods->lookup(
+				zonestr, wildstr, sdlz->dlzimp->driverarg,
+				sdlz->dbdata, node, methods, clientinfo);
+			if (result == ISC_R_SUCCESS) {
+				break;
+			}
+		}
+	}
+
+	MAYBE_UNLOCK(sdlz->dlzimp);
+
+	if (result == ISC_R_NOTFOUND && (isorigin || create)) {
+		result = ISC_R_SUCCESS;
+	}
+
+	if (result != ISC_R_SUCCESS) {
+		isc_refcount_decrementz(&node->references);
+		destroynode(node);
+		return (result);
+	}
+
+	if (isorigin && sdlz->dlzimp->methods->authority != NULL) {
+		MAYBE_LOCK(sdlz->dlzimp);
+		authority = sdlz->dlzimp->methods->authority;
+		result = (*authority)(zonestr, sdlz->dlzimp->driverarg,
+				      sdlz->dbdata, node);
+		MAYBE_UNLOCK(sdlz->dlzimp);
+		if (result != ISC_R_SUCCESS && result != ISC_R_NOTIMPLEMENTED) {
+			isc_refcount_decrementz(&node->references);
+			destroynode(node);
+			return (result);
+		}
+	}
+
+	if (node->name == NULL) {
+		node->name = isc_mem_get(sdlz->common.mctx, sizeof(dns_name_t));
+		dns_name_init(node->name, NULL);
+		dns_name_dup(name, sdlz->common.mctx, node->name);
+	}
+
+	*nodep = node;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+findnodeext(dns_db_t *db, const dns_name_t *name, bool create,
+	    dns_clientinfomethods_t *methods, dns_clientinfo_t *clientinfo,
+	    dns_dbnode_t **nodep) {
+	return (getnodedata(db, name, create, 0, methods, clientinfo, nodep));
+}
+
+static isc_result_t
+findnode(dns_db_t *db, const dns_name_t *name, bool create,
+	 dns_dbnode_t **nodep) {
+	return (getnodedata(db, name, create, 0, NULL, NULL, nodep));
+}
+
+static isc_result_t
+findzonecut(dns_db_t *db, const dns_name_t *name, unsigned int options,
+	    isc_stdtime_t now, dns_dbnode_t **nodep, dns_name_t *foundname,
+	    dns_name_t *dcname, dns_rdataset_t *rdataset,
+	    dns_rdataset_t *sigrdataset) {
+	UNUSED(db);
+	UNUSED(name);
+	UNUSED(options);
+	UNUSED(now);
+	UNUSED(nodep);
+	UNUSED(foundname);
+	UNUSED(dcname);
+	UNUSED(rdataset);
+	UNUSED(sigrdataset);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static void
+attachnode(dns_db_t *db, dns_dbnode_t *source, dns_dbnode_t **targetp) {
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
+	dns_sdlznode_t *node = (dns_sdlznode_t *)source;
+
+	REQUIRE(VALID_SDLZDB(sdlz));
+
+	UNUSED(sdlz);
+
+	isc_refcount_increment(&node->references);
+
+	*targetp = source;
+}
+
+static void
+detachnode(dns_db_t *db, dns_dbnode_t **targetp) {
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
+	dns_sdlznode_t *node;
+
+	REQUIRE(VALID_SDLZDB(sdlz));
+	REQUIRE(targetp != NULL && *targetp != NULL);
+
+	UNUSED(sdlz);
+
+	node = (dns_sdlznode_t *)(*targetp);
+	*targetp = NULL;
+
+	if (isc_refcount_decrement(&node->references) == 1) {
+		destroynode(node);
+	}
+}
+
+static isc_result_t
+expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
+	UNUSED(db);
+	UNUSED(node);
+	UNUSED(now);
+	UNREACHABLE();
+}
+
+static void
+printnode(dns_db_t *db, dns_dbnode_t *node, FILE *out) {
+	UNUSED(db);
+	UNUSED(node);
+	UNUSED(out);
+	return;
+}
+
+static isc_result_t
+createiterator(dns_db_t *db, unsigned int options,
+	       dns_dbiterator_t **iteratorp) {
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
+	sdlz_dbiterator_t *sdlziter;
+	isc_result_t result;
+	isc_buffer_t b;
+	char zonestr[DNS_NAME_MAXTEXT + 1];
+
+	REQUIRE(VALID_SDLZDB(sdlz));
+
+	if (sdlz->dlzimp->methods->allnodes == NULL) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	if ((options & DNS_DB_NSEC3ONLY) != 0 ||
+	    (options & DNS_DB_NONSEC3) != 0)
+	{
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	isc_buffer_init(&b, zonestr, sizeof(zonestr));
+	result = dns_name_totext(&sdlz->common.origin, true, &b);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	isc_buffer_putuint8(&b, 0);
+
+	sdlziter = isc_mem_get(sdlz->common.mctx, sizeof(sdlz_dbiterator_t));
+
+	sdlziter->common.methods = &dbiterator_methods;
+	sdlziter->common.db = NULL;
+	dns_db_attach(db, &sdlziter->common.db);
+	sdlziter->common.relative_names = ((options & DNS_DB_RELATIVENAMES) !=
+					   0);
+	sdlziter->common.magic = DNS_DBITERATOR_MAGIC;
+	ISC_LIST_INIT(sdlziter->nodelist);
+	sdlziter->current = NULL;
+	sdlziter->origin = NULL;
+
+	/* make sure strings are always lowercase */
+	dns_sdlz_tolower(zonestr);
+
+	MAYBE_LOCK(sdlz->dlzimp);
+	result = sdlz->dlzimp->methods->allnodes(
+		zonestr, sdlz->dlzimp->driverarg, sdlz->dbdata, sdlziter);
+	MAYBE_UNLOCK(sdlz->dlzimp);
+	if (result != ISC_R_SUCCESS) {
+		dns_dbiterator_t *iter = &sdlziter->common;
+		dbiterator_destroy(&iter);
+		return (result);
+	}
+
+	if (sdlziter->origin != NULL) {
+		ISC_LIST_UNLINK(sdlziter->nodelist, sdlziter->origin, link);
+		ISC_LIST_PREPEND(sdlziter->nodelist, sdlziter->origin, link);
+	}
+
+	*iteratorp = (dns_dbiterator_t *)sdlziter;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+	     dns_rdatatype_t type, dns_rdatatype_t covers, isc_stdtime_t now,
+	     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) {
+	REQUIRE(VALID_SDLZNODE(node));
+	dns_rdatalist_t *list;
+	dns_sdlznode_t *sdlznode = (dns_sdlznode_t *)node;
+
+	UNUSED(db);
+	UNUSED(version);
+	UNUSED(covers);
+	UNUSED(now);
+	UNUSED(sigrdataset);
+
+	if (type == dns_rdatatype_sig || type == dns_rdatatype_rrsig) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	list = ISC_LIST_HEAD(sdlznode->lists);
+	while (list != NULL) {
+		if (list->type == type) {
+			break;
+		}
+		list = ISC_LIST_NEXT(list, link);
+	}
+	if (list == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	list_tordataset(list, db, node, rdataset);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+findext(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version,
+	dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
+	dns_dbnode_t **nodep, dns_name_t *foundname,
+	dns_clientinfomethods_t *methods, dns_clientinfo_t *clientinfo,
+	dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) {
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
+	dns_dbnode_t *node = NULL;
+	dns_fixedname_t fname;
+	dns_rdataset_t xrdataset;
+	dns_name_t *xname;
+	unsigned int nlabels, olabels;
+	isc_result_t result;
+	unsigned int i;
+
+	REQUIRE(VALID_SDLZDB(sdlz));
+	REQUIRE(nodep == NULL || *nodep == NULL);
+	REQUIRE(version == NULL || version == (void *)&sdlz->dummy_version ||
+		version == sdlz->future_version);
+
+	UNUSED(sdlz);
+
+	if (!dns_name_issubdomain(name, &db->origin)) {
+		return (DNS_R_NXDOMAIN);
+	}
+
+	olabels = dns_name_countlabels(&db->origin);
+	nlabels = dns_name_countlabels(name);
+
+	xname = dns_fixedname_initname(&fname);
+
+	if (rdataset == NULL) {
+		dns_rdataset_init(&xrdataset);
+		rdataset = &xrdataset;
+	}
+
+	result = DNS_R_NXDOMAIN;
+
+	/*
+	 * If we're not walking down searching for zone
+	 * cuts, we can cut straight to the chase
+	 */
+	if ((options & DNS_DBFIND_NOZONECUT) != 0) {
+		i = nlabels;
+		goto search;
+	}
+
+	for (i = olabels; i <= nlabels; i++) {
+	search:
+		/*
+		 * Look up the next label.
+		 */
+		dns_name_getlabelsequence(name, nlabels - i, i, xname);
+		result = getnodedata(db, xname, false, options, methods,
+				     clientinfo, &node);
+		if (result == ISC_R_NOTFOUND) {
+			result = DNS_R_NXDOMAIN;
+			continue;
+		} else if (result != ISC_R_SUCCESS) {
+			break;
+		}
+
+		/*
+		 * Look for a DNAME at the current label, unless this is
+		 * the qname.
+		 */
+		if (i < nlabels) {
+			result = findrdataset(db, node, version,
+					      dns_rdatatype_dname, 0, now,
+					      rdataset, sigrdataset);
+			if (result == ISC_R_SUCCESS) {
+				result = DNS_R_DNAME;
+				break;
+			}
+		}
+
+		/*
+		 * Look for an NS at the current label, unless this is the
+		 * origin, glue is ok, or there are known to be no zone cuts.
+		 */
+		if (i != olabels && (options & DNS_DBFIND_GLUEOK) == 0 &&
+		    (options & DNS_DBFIND_NOZONECUT) == 0)
+		{
+			result = findrdataset(db, node, version,
+					      dns_rdatatype_ns, 0, now,
+					      rdataset, sigrdataset);
+
+			if (result == ISC_R_SUCCESS && i == nlabels &&
+			    type == dns_rdatatype_any)
+			{
+				result = DNS_R_ZONECUT;
+				dns_rdataset_disassociate(rdataset);
+				if (sigrdataset != NULL &&
+				    dns_rdataset_isassociated(sigrdataset))
+				{
+					dns_rdataset_disassociate(sigrdataset);
+				}
+				break;
+			} else if (result == ISC_R_SUCCESS) {
+				result = DNS_R_DELEGATION;
+				break;
+			}
+		}
+
+		/*
+		 * If the current name is not the qname, add another label
+		 * and try again.
+		 */
+		if (i < nlabels) {
+			detachnode(db, &node);
+			node = NULL;
+			continue;
+		}
+
+		/*
+		 * If we're looking for ANY, we're done.
+		 */
+		if (type == dns_rdatatype_any) {
+			result = ISC_R_SUCCESS;
+			break;
+		}
+
+		/*
+		 * Look for the qtype.
+		 */
+		result = findrdataset(db, node, version, type, 0, now, rdataset,
+				      sigrdataset);
+		if (result == ISC_R_SUCCESS) {
+			break;
+		}
+
+		/*
+		 * Look for a CNAME
+		 */
+		if (type != dns_rdatatype_cname) {
+			result = findrdataset(db, node, version,
+					      dns_rdatatype_cname, 0, now,
+					      rdataset, sigrdataset);
+			if (result == ISC_R_SUCCESS) {
+				result = DNS_R_CNAME;
+				break;
+			}
+		}
+
+		result = DNS_R_NXRRSET;
+		break;
+	}
+
+	if (rdataset == &xrdataset && dns_rdataset_isassociated(rdataset)) {
+		dns_rdataset_disassociate(rdataset);
+	}
+
+	if (foundname != NULL) {
+		dns_name_copynf(xname, foundname);
+	}
+
+	if (nodep != NULL) {
+		*nodep = node;
+	} else if (node != NULL) {
+		detachnode(db, &node);
+	}
+
+	return (result);
+}
+
+static isc_result_t
+find(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version,
+     dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
+     dns_dbnode_t **nodep, dns_name_t *foundname, dns_rdataset_t *rdataset,
+     dns_rdataset_t *sigrdataset) {
+	return (findext(db, name, version, type, options, now, nodep, foundname,
+			NULL, NULL, rdataset, sigrdataset));
+}
+
+static isc_result_t
+allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+	     unsigned int options, isc_stdtime_t now,
+	     dns_rdatasetiter_t **iteratorp) {
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
+	sdlz_rdatasetiter_t *iterator;
+
+	REQUIRE(VALID_SDLZDB(sdlz));
+
+	REQUIRE(version == NULL || version == (void *)&sdlz->dummy_version ||
+		version == sdlz->future_version);
+
+	UNUSED(version);
+	UNUSED(now);
+
+	iterator = isc_mem_get(db->mctx, sizeof(sdlz_rdatasetiter_t));
+
+	iterator->common.magic = DNS_RDATASETITER_MAGIC;
+	iterator->common.methods = &rdatasetiter_methods;
+	iterator->common.db = db;
+	iterator->common.node = NULL;
+	attachnode(db, node, &iterator->common.node);
+	iterator->common.version = version;
+	iterator->common.options = options;
+	iterator->common.now = now;
+
+	*iteratorp = (dns_rdatasetiter_t *)iterator;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+modrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+	    dns_rdataset_t *rdataset, unsigned int options,
+	    dns_sdlzmodrdataset_t mod_function) {
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
+	dns_master_style_t *style = NULL;
+	isc_result_t result;
+	isc_buffer_t *buffer = NULL;
+	isc_mem_t *mctx;
+	dns_sdlznode_t *sdlznode;
+	char *rdatastr = NULL;
+	char name[DNS_NAME_MAXTEXT + 1];
+
+	REQUIRE(VALID_SDLZDB(sdlz));
+
+	if (mod_function == NULL) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	sdlznode = (dns_sdlznode_t *)node;
+
+	UNUSED(options);
+
+	dns_name_format(sdlznode->name, name, sizeof(name));
+
+	mctx = sdlz->common.mctx;
+
+	isc_buffer_allocate(mctx, &buffer, 1024);
+
+	result = dns_master_stylecreate(&style, 0, 0, 0, 0, 0, 0, 1, 0xffffffff,
+					mctx);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	result = dns_master_rdatasettotext(sdlznode->name, rdataset, style,
+					   NULL, buffer);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	if (isc_buffer_usedlength(buffer) < 1) {
+		result = ISC_R_BADADDRESSFORM;
+		goto cleanup;
+	}
+
+	rdatastr = isc_buffer_base(buffer);
+	if (rdatastr == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+	rdatastr[isc_buffer_usedlength(buffer) - 1] = 0;
+
+	MAYBE_LOCK(sdlz->dlzimp);
+	result = mod_function(name, rdatastr, sdlz->dlzimp->driverarg,
+			      sdlz->dbdata, version);
+	MAYBE_UNLOCK(sdlz->dlzimp);
+
+cleanup:
+	isc_buffer_free(&buffer);
+	if (style != NULL) {
+		dns_master_styledestroy(&style, mctx);
+	}
+
+	return (result);
+}
+
+static isc_result_t
+addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+	    isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options,
+	    dns_rdataset_t *addedrdataset) {
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
+	isc_result_t result;
+
+	UNUSED(now);
+	UNUSED(addedrdataset);
+	REQUIRE(VALID_SDLZDB(sdlz));
+
+	if (sdlz->dlzimp->methods->addrdataset == NULL) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	result = modrdataset(db, node, version, rdataset, options,
+			     sdlz->dlzimp->methods->addrdataset);
+	return (result);
+}
+
+static isc_result_t
+subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+		 dns_rdataset_t *rdataset, unsigned int options,
+		 dns_rdataset_t *newrdataset) {
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
+	isc_result_t result;
+
+	UNUSED(newrdataset);
+	REQUIRE(VALID_SDLZDB(sdlz));
+
+	if (sdlz->dlzimp->methods->subtractrdataset == NULL) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	result = modrdataset(db, node, version, rdataset, options,
+			     sdlz->dlzimp->methods->subtractrdataset);
+	return (result);
+}
+
+static isc_result_t
+deleterdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+	       dns_rdatatype_t type, dns_rdatatype_t covers) {
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
+	char name[DNS_NAME_MAXTEXT + 1];
+	char b_type[DNS_RDATATYPE_FORMATSIZE];
+	dns_sdlznode_t *sdlznode;
+	isc_result_t result;
+
+	UNUSED(covers);
+
+	REQUIRE(VALID_SDLZDB(sdlz));
+
+	if (sdlz->dlzimp->methods->delrdataset == NULL) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	sdlznode = (dns_sdlznode_t *)node;
+	dns_name_format(sdlznode->name, name, sizeof(name));
+	dns_rdatatype_format(type, b_type, sizeof(b_type));
+
+	MAYBE_LOCK(sdlz->dlzimp);
+	result = sdlz->dlzimp->methods->delrdataset(
+		name, b_type, sdlz->dlzimp->driverarg, sdlz->dbdata, version);
+	MAYBE_UNLOCK(sdlz->dlzimp);
+
+	return (result);
+}
+
+static bool
+issecure(dns_db_t *db) {
+	UNUSED(db);
+
+	return (false);
+}
+
+static unsigned int
+nodecount(dns_db_t *db) {
+	UNUSED(db);
+
+	return (0);
+}
+
+static bool
+ispersistent(dns_db_t *db) {
+	UNUSED(db);
+	return (true);
+}
+
+static void
+overmem(dns_db_t *db, bool over) {
+	UNUSED(db);
+	UNUSED(over);
+}
+
+static void
+settask(dns_db_t *db, isc_task_t *task) {
+	UNUSED(db);
+	UNUSED(task);
+}
+
+/*
+ * getoriginnode() is used by the update code to find the
+ * dns_rdatatype_dnskey record for a zone
+ */
+static isc_result_t
+getoriginnode(dns_db_t *db, dns_dbnode_t **nodep) {
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
+	isc_result_t result;
+
+	REQUIRE(VALID_SDLZDB(sdlz));
+	if (sdlz->dlzimp->methods->newversion == NULL) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	result = getnodedata(db, &sdlz->common.origin, false, 0, NULL, NULL,
+			     nodep);
+	if (result != ISC_R_SUCCESS) {
+		sdlz_log(ISC_LOG_ERROR, "sdlz getoriginnode failed: %s",
+			 isc_result_totext(result));
+	}
+	return (result);
+}
+
+static dns_dbmethods_t sdlzdb_methods = {
+	attach,
+	detach,
+	beginload,
+	endload,
+	NULL, /* serialize */
+	dump,
+	currentversion,
+	newversion,
+	attachversion,
+	closeversion,
+	findnode,
+	find,
+	findzonecut,
+	attachnode,
+	detachnode,
+	expirenode,
+	printnode,
+	createiterator,
+	findrdataset,
+	allrdatasets,
+	addrdataset,
+	subtractrdataset,
+	deleterdataset,
+	issecure,
+	nodecount,
+	ispersistent,
+	overmem,
+	settask,
+	getoriginnode,
+	NULL, /* transfernode */
+	NULL, /* getnsec3parameters */
+	NULL, /* findnsec3node */
+	NULL, /* setsigningtime */
+	NULL, /* getsigningtime */
+	NULL, /* resigned */
+	NULL, /* isdnssec */
+	NULL, /* getrrsetstats */
+	NULL, /* rpz_attach */
+	NULL, /* rpz_ready */
+	findnodeext,
+	findext,
+	NULL, /* setcachestats */
+	NULL, /* hashsize */
+	NULL, /* nodefullname */
+	NULL, /* getsize */
+	NULL, /* setservestalettl */
+	NULL, /* getservestalettl */
+	NULL, /* setservestalerefresh */
+	NULL, /* getservestalerefresh */
+	NULL, /* setgluecachestats */
+	NULL  /* adjusthashsize */
+};
+
+/*
+ * Database Iterator Methods.  These methods were "borrowed" from the SDB
+ * driver interface.  See the SDB driver interface documentation for more info.
+ */
+
+static void
+dbiterator_destroy(dns_dbiterator_t **iteratorp) {
+	sdlz_dbiterator_t *sdlziter = (sdlz_dbiterator_t *)(*iteratorp);
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)sdlziter->common.db;
+
+	while (!ISC_LIST_EMPTY(sdlziter->nodelist)) {
+		dns_sdlznode_t *node;
+		node = ISC_LIST_HEAD(sdlziter->nodelist);
+		ISC_LIST_UNLINK(sdlziter->nodelist, node, link);
+		isc_refcount_decrementz(&node->references);
+		destroynode(node);
+	}
+
+	dns_db_detach(&sdlziter->common.db);
+	isc_mem_put(sdlz->common.mctx, sdlziter, sizeof(sdlz_dbiterator_t));
+
+	*iteratorp = NULL;
+}
+
+static isc_result_t
+dbiterator_first(dns_dbiterator_t *iterator) {
+	sdlz_dbiterator_t *sdlziter = (sdlz_dbiterator_t *)iterator;
+
+	sdlziter->current = ISC_LIST_HEAD(sdlziter->nodelist);
+	if (sdlziter->current == NULL) {
+		return (ISC_R_NOMORE);
+	} else {
+		return (ISC_R_SUCCESS);
+	}
+}
+
+static isc_result_t
+dbiterator_last(dns_dbiterator_t *iterator) {
+	sdlz_dbiterator_t *sdlziter = (sdlz_dbiterator_t *)iterator;
+
+	sdlziter->current = ISC_LIST_TAIL(sdlziter->nodelist);
+	if (sdlziter->current == NULL) {
+		return (ISC_R_NOMORE);
+	} else {
+		return (ISC_R_SUCCESS);
+	}
+}
+
+static isc_result_t
+dbiterator_seek(dns_dbiterator_t *iterator, const dns_name_t *name) {
+	sdlz_dbiterator_t *sdlziter = (sdlz_dbiterator_t *)iterator;
+
+	sdlziter->current = ISC_LIST_HEAD(sdlziter->nodelist);
+	while (sdlziter->current != NULL) {
+		if (dns_name_equal(sdlziter->current->name, name)) {
+			return (ISC_R_SUCCESS);
+		}
+		sdlziter->current = ISC_LIST_NEXT(sdlziter->current, link);
+	}
+	return (ISC_R_NOTFOUND);
+}
+
+static isc_result_t
+dbiterator_prev(dns_dbiterator_t *iterator) {
+	sdlz_dbiterator_t *sdlziter = (sdlz_dbiterator_t *)iterator;
+
+	sdlziter->current = ISC_LIST_PREV(sdlziter->current, link);
+	if (sdlziter->current == NULL) {
+		return (ISC_R_NOMORE);
+	} else {
+		return (ISC_R_SUCCESS);
+	}
+}
+
+static isc_result_t
+dbiterator_next(dns_dbiterator_t *iterator) {
+	sdlz_dbiterator_t *sdlziter = (sdlz_dbiterator_t *)iterator;
+
+	sdlziter->current = ISC_LIST_NEXT(sdlziter->current, link);
+	if (sdlziter->current == NULL) {
+		return (ISC_R_NOMORE);
+	} else {
+		return (ISC_R_SUCCESS);
+	}
+}
+
+static isc_result_t
+dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep,
+		   dns_name_t *name) {
+	sdlz_dbiterator_t *sdlziter = (sdlz_dbiterator_t *)iterator;
+
+	attachnode(iterator->db, sdlziter->current, nodep);
+	if (name != NULL) {
+		dns_name_copynf(sdlziter->current->name, name);
+		return (ISC_R_SUCCESS);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dbiterator_pause(dns_dbiterator_t *iterator) {
+	UNUSED(iterator);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dbiterator_origin(dns_dbiterator_t *iterator, dns_name_t *name) {
+	UNUSED(iterator);
+	dns_name_copynf(dns_rootname, name);
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Rdataset Methods. These methods were "borrowed" from the SDB driver
+ * interface.  See the SDB driver interface documentation for more info.
+ */
+
+static void
+disassociate(dns_rdataset_t *rdataset) {
+	dns_dbnode_t *node = rdataset->private5;
+	dns_sdlznode_t *sdlznode = (dns_sdlznode_t *)node;
+	dns_db_t *db = (dns_db_t *)sdlznode->sdlz;
+
+	detachnode(db, &node);
+	isc__rdatalist_disassociate(rdataset);
+}
+
+static void
+rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
+	dns_dbnode_t *node = source->private5;
+	dns_sdlznode_t *sdlznode = (dns_sdlznode_t *)node;
+	dns_db_t *db = (dns_db_t *)sdlznode->sdlz;
+	dns_dbnode_t *tempdb = NULL;
+
+	isc__rdatalist_clone(source, target);
+	attachnode(db, node, &tempdb);
+	source->private5 = tempdb;
+}
+
+static dns_rdatasetmethods_t rdataset_methods = {
+	disassociate,
+	isc__rdatalist_first,
+	isc__rdatalist_next,
+	isc__rdatalist_current,
+	rdataset_clone,
+	isc__rdatalist_count,
+	isc__rdatalist_addnoqname,
+	isc__rdatalist_getnoqname,
+	NULL, /* addclosest */
+	NULL, /* getclosest */
+	NULL, /* settrust */
+	NULL, /* expire */
+	NULL, /* clearprefetch */
+	NULL, /* setownercase */
+	NULL, /* getownercase */
+	NULL  /* addglue */
+};
+
+static void
+list_tordataset(dns_rdatalist_t *rdatalist, dns_db_t *db, dns_dbnode_t *node,
+		dns_rdataset_t *rdataset) {
+	/*
+	 * The sdlz rdataset is an rdatalist with some additions.
+	 *	- private1 & private2 are used by the rdatalist.
+	 *	- private3 & private 4 are unused.
+	 *	- private5 is the node.
+	 */
+
+	/* This should never fail. */
+	RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset) ==
+		      ISC_R_SUCCESS);
+
+	rdataset->methods = &rdataset_methods;
+	dns_db_attachnode(db, node, &rdataset->private5);
+}
+
+/*
+ * SDLZ core methods. This is the core of the new DLZ functionality.
+ */
+
+/*%
+ * Build a 'bind' database driver structure to be returned by
+ * either the find zone or the allow zone transfer method.
+ * This method is only available in this source file, it is
+ * not made available anywhere else.
+ */
+
+static isc_result_t
+dns_sdlzcreateDBP(isc_mem_t *mctx, void *driverarg, void *dbdata,
+		  const dns_name_t *name, dns_rdataclass_t rdclass,
+		  dns_db_t **dbp) {
+	isc_result_t result;
+	dns_sdlz_db_t *sdlzdb;
+	dns_sdlzimplementation_t *imp;
+
+	/* check that things are as we expect */
+	REQUIRE(dbp != NULL && *dbp == NULL);
+	REQUIRE(name != NULL);
+
+	imp = (dns_sdlzimplementation_t *)driverarg;
+
+	/* allocate and zero memory for driver structure */
+	sdlzdb = isc_mem_get(mctx, sizeof(dns_sdlz_db_t));
+	memset(sdlzdb, 0, sizeof(dns_sdlz_db_t));
+
+	/* initialize and set origin */
+	dns_name_init(&sdlzdb->common.origin, NULL);
+	result = dns_name_dupwithoffsets(name, mctx, &sdlzdb->common.origin);
+	if (result != ISC_R_SUCCESS) {
+		goto mem_cleanup;
+	}
+
+	/* set the rest of the database structure attributes */
+	sdlzdb->dlzimp = imp;
+	sdlzdb->common.methods = &sdlzdb_methods;
+	sdlzdb->common.attributes = 0;
+	sdlzdb->common.rdclass = rdclass;
+	sdlzdb->common.mctx = NULL;
+	sdlzdb->dbdata = dbdata;
+	isc_refcount_init(&sdlzdb->references, 1);
+
+	/* attach to the memory context */
+	isc_mem_attach(mctx, &sdlzdb->common.mctx);
+
+	/* mark structure as valid */
+	sdlzdb->common.magic = DNS_DB_MAGIC;
+	sdlzdb->common.impmagic = SDLZDB_MAGIC;
+	*dbp = (dns_db_t *)sdlzdb;
+
+	return (result);
+mem_cleanup:
+	isc_mem_put(mctx, sdlzdb, sizeof(dns_sdlz_db_t));
+	return (result);
+}
+
+static isc_result_t
+dns_sdlzallowzonexfr(void *driverarg, void *dbdata, isc_mem_t *mctx,
+		     dns_rdataclass_t rdclass, const dns_name_t *name,
+		     const isc_sockaddr_t *clientaddr, dns_db_t **dbp) {
+	isc_buffer_t b;
+	isc_buffer_t b2;
+	char namestr[DNS_NAME_MAXTEXT + 1];
+	char clientstr[(sizeof "xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:255.255.255."
+			       "255") +
+		       1];
+	isc_netaddr_t netaddr;
+	isc_result_t result;
+	dns_sdlzimplementation_t *imp;
+
+	/*
+	 * Perform checks to make sure data is as we expect it to be.
+	 */
+	REQUIRE(driverarg != NULL);
+	REQUIRE(name != NULL);
+	REQUIRE(clientaddr != NULL);
+	REQUIRE(dbp != NULL && *dbp == NULL);
+
+	imp = (dns_sdlzimplementation_t *)driverarg;
+
+	/* Convert DNS name to ascii text */
+	isc_buffer_init(&b, namestr, sizeof(namestr));
+	result = dns_name_totext(name, true, &b);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	isc_buffer_putuint8(&b, 0);
+
+	/* convert client address to ascii text */
+	isc_buffer_init(&b2, clientstr, sizeof(clientstr));
+	isc_netaddr_fromsockaddr(&netaddr, clientaddr);
+	result = isc_netaddr_totext(&netaddr, &b2);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	isc_buffer_putuint8(&b2, 0);
+
+	/* make sure strings are always lowercase */
+	dns_sdlz_tolower(namestr);
+	dns_sdlz_tolower(clientstr);
+
+	/* Call SDLZ driver's find zone method */
+	if (imp->methods->allowzonexfr != NULL) {
+		isc_result_t rresult = ISC_R_SUCCESS;
+
+		MAYBE_LOCK(imp);
+		result = imp->methods->allowzonexfr(imp->driverarg, dbdata,
+						    namestr, clientstr);
+		MAYBE_UNLOCK(imp);
+		/*
+		 * if zone is supported and transfers are (or might be)
+		 * allowed, build a 'bind' database driver
+		 */
+		if (result == ISC_R_SUCCESS || result == ISC_R_DEFAULT) {
+			rresult = dns_sdlzcreateDBP(mctx, driverarg, dbdata,
+						    name, rdclass, dbp);
+		}
+		if (rresult != ISC_R_SUCCESS) {
+			result = rresult;
+		}
+		return (result);
+	}
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static isc_result_t
+dns_sdlzcreate(isc_mem_t *mctx, const char *dlzname, unsigned int argc,
+	       char *argv[], void *driverarg, void **dbdata) {
+	dns_sdlzimplementation_t *imp;
+	isc_result_t result = ISC_R_NOTFOUND;
+
+	/* Write debugging message to log */
+	sdlz_log(ISC_LOG_DEBUG(2), "Loading SDLZ driver.");
+
+	/*
+	 * Performs checks to make sure data is as we expect it to be.
+	 */
+	REQUIRE(driverarg != NULL);
+	REQUIRE(dlzname != NULL);
+	REQUIRE(dbdata != NULL);
+	UNUSED(mctx);
+
+	imp = driverarg;
+
+	/* If the create method exists, call it. */
+	if (imp->methods->create != NULL) {
+		MAYBE_LOCK(imp);
+		result = imp->methods->create(dlzname, argc, argv,
+					      imp->driverarg, dbdata);
+		MAYBE_UNLOCK(imp);
+	}
+
+	/* Write debugging message to log */
+	if (result == ISC_R_SUCCESS) {
+		sdlz_log(ISC_LOG_DEBUG(2), "SDLZ driver loaded successfully.");
+	} else {
+		sdlz_log(ISC_LOG_ERROR, "SDLZ driver failed to load.");
+	}
+
+	return (result);
+}
+
+static void
+dns_sdlzdestroy(void *driverdata, void **dbdata) {
+	dns_sdlzimplementation_t *imp;
+
+	/* Write debugging message to log */
+	sdlz_log(ISC_LOG_DEBUG(2), "Unloading SDLZ driver.");
+
+	imp = driverdata;
+
+	/* If the destroy method exists, call it. */
+	if (imp->methods->destroy != NULL) {
+		MAYBE_LOCK(imp);
+		imp->methods->destroy(imp->driverarg, dbdata);
+		MAYBE_UNLOCK(imp);
+	}
+}
+
+static isc_result_t
+dns_sdlzfindzone(void *driverarg, void *dbdata, isc_mem_t *mctx,
+		 dns_rdataclass_t rdclass, const dns_name_t *name,
+		 dns_clientinfomethods_t *methods, dns_clientinfo_t *clientinfo,
+		 dns_db_t **dbp) {
+	isc_buffer_t b;
+	char namestr[DNS_NAME_MAXTEXT + 1];
+	isc_result_t result;
+	dns_sdlzimplementation_t *imp;
+
+	/*
+	 * Perform checks to make sure data is as we expect it to be.
+	 */
+	REQUIRE(driverarg != NULL);
+	REQUIRE(name != NULL);
+	REQUIRE(dbp != NULL && *dbp == NULL);
+
+	imp = (dns_sdlzimplementation_t *)driverarg;
+
+	/* Convert DNS name to ascii text */
+	isc_buffer_init(&b, namestr, sizeof(namestr));
+	result = dns_name_totext(name, true, &b);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	isc_buffer_putuint8(&b, 0);
+
+	/* make sure strings are always lowercase */
+	dns_sdlz_tolower(namestr);
+
+	/* Call SDLZ driver's find zone method */
+	MAYBE_LOCK(imp);
+	result = imp->methods->findzone(imp->driverarg, dbdata, namestr,
+					methods, clientinfo);
+	MAYBE_UNLOCK(imp);
+
+	/*
+	 * if zone is supported build a 'bind' database driver
+	 * structure to return
+	 */
+	if (result == ISC_R_SUCCESS) {
+		result = dns_sdlzcreateDBP(mctx, driverarg, dbdata, name,
+					   rdclass, dbp);
+	}
+
+	return (result);
+}
+
+static isc_result_t
+dns_sdlzconfigure(void *driverarg, void *dbdata, dns_view_t *view,
+		  dns_dlzdb_t *dlzdb) {
+	isc_result_t result;
+	dns_sdlzimplementation_t *imp;
+
+	REQUIRE(driverarg != NULL);
+
+	imp = (dns_sdlzimplementation_t *)driverarg;
+
+	/* Call SDLZ driver's configure method */
+	if (imp->methods->configure != NULL) {
+		MAYBE_LOCK(imp);
+		result = imp->methods->configure(view, dlzdb, imp->driverarg,
+						 dbdata);
+		MAYBE_UNLOCK(imp);
+	} else {
+		result = ISC_R_SUCCESS;
+	}
+
+	return (result);
+}
+
+static bool
+dns_sdlzssumatch(const dns_name_t *signer, const dns_name_t *name,
+		 const isc_netaddr_t *tcpaddr, dns_rdatatype_t type,
+		 const dst_key_t *key, void *driverarg, void *dbdata) {
+	dns_sdlzimplementation_t *imp;
+	char b_signer[DNS_NAME_FORMATSIZE];
+	char b_name[DNS_NAME_FORMATSIZE];
+	char b_addr[ISC_NETADDR_FORMATSIZE];
+	char b_type[DNS_RDATATYPE_FORMATSIZE];
+	char b_key[DST_KEY_FORMATSIZE];
+	isc_buffer_t *tkey_token = NULL;
+	isc_region_t token_region = { NULL, 0 };
+	uint32_t token_len = 0;
+	bool ret;
+
+	REQUIRE(driverarg != NULL);
+
+	imp = (dns_sdlzimplementation_t *)driverarg;
+	if (imp->methods->ssumatch == NULL) {
+		return (false);
+	}
+
+	/*
+	 * Format the request elements. sdlz operates on strings, not
+	 * structures
+	 */
+	if (signer != NULL) {
+		dns_name_format(signer, b_signer, sizeof(b_signer));
+	} else {
+		b_signer[0] = 0;
+	}
+
+	dns_name_format(name, b_name, sizeof(b_name));
+
+	if (tcpaddr != NULL) {
+		isc_netaddr_format(tcpaddr, b_addr, sizeof(b_addr));
+	} else {
+		b_addr[0] = 0;
+	}
+
+	dns_rdatatype_format(type, b_type, sizeof(b_type));
+
+	if (key != NULL) {
+		dst_key_format(key, b_key, sizeof(b_key));
+		tkey_token = dst_key_tkeytoken(key);
+	} else {
+		b_key[0] = 0;
+	}
+
+	if (tkey_token != NULL) {
+		isc_buffer_region(tkey_token, &token_region);
+		token_len = token_region.length;
+	}
+
+	MAYBE_LOCK(imp);
+	ret = imp->methods->ssumatch(b_signer, b_name, b_addr, b_type, b_key,
+				     token_len,
+				     token_len != 0 ? token_region.base : NULL,
+				     imp->driverarg, dbdata);
+	MAYBE_UNLOCK(imp);
+	return (ret);
+}
+
+static dns_dlzmethods_t sdlzmethods = { dns_sdlzcreate,	   dns_sdlzdestroy,
+					dns_sdlzfindzone,  dns_sdlzallowzonexfr,
+					dns_sdlzconfigure, dns_sdlzssumatch };
+
+/*
+ * Public functions.
+ */
+
+isc_result_t
+dns_sdlz_putrr(dns_sdlzlookup_t *lookup, const char *type, dns_ttl_t ttl,
+	       const char *data) {
+	dns_rdatalist_t *rdatalist;
+	dns_rdata_t *rdata;
+	dns_rdatatype_t typeval;
+	isc_consttextregion_t r;
+	isc_buffer_t b;
+	isc_buffer_t *rdatabuf = NULL;
+	isc_lex_t *lex;
+	isc_result_t result;
+	unsigned int size;
+	isc_mem_t *mctx;
+	const dns_name_t *origin;
+
+	REQUIRE(VALID_SDLZLOOKUP(lookup));
+	REQUIRE(type != NULL);
+	REQUIRE(data != NULL);
+
+	mctx = lookup->sdlz->common.mctx;
+
+	r.base = type;
+	r.length = strlen(type);
+	result = dns_rdatatype_fromtext(&typeval, (void *)&r);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	rdatalist = ISC_LIST_HEAD(lookup->lists);
+	while (rdatalist != NULL) {
+		if (rdatalist->type == typeval) {
+			break;
+		}
+		rdatalist = ISC_LIST_NEXT(rdatalist, link);
+	}
+
+	if (rdatalist == NULL) {
+		rdatalist = isc_mem_get(mctx, sizeof(dns_rdatalist_t));
+		dns_rdatalist_init(rdatalist);
+		rdatalist->rdclass = lookup->sdlz->common.rdclass;
+		rdatalist->type = typeval;
+		rdatalist->ttl = ttl;
+		ISC_LIST_APPEND(lookup->lists, rdatalist, link);
+	} else if (rdatalist->ttl > ttl) {
+		/*
+		 * BIND9 doesn't enforce all RRs in an RRset
+		 * having the same TTL, as per RFC 2136,
+		 * section 7.12. If a DLZ backend has
+		 * different TTLs, then the best
+		 * we can do is return the lowest.
+		 */
+		rdatalist->ttl = ttl;
+	}
+
+	rdata = isc_mem_get(mctx, sizeof(dns_rdata_t));
+	dns_rdata_init(rdata);
+
+	if ((lookup->sdlz->dlzimp->flags & DNS_SDLZFLAG_RELATIVERDATA) != 0) {
+		origin = &lookup->sdlz->common.origin;
+	} else {
+		origin = dns_rootname;
+	}
+
+	lex = NULL;
+	result = isc_lex_create(mctx, 64, &lex);
+	if (result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+
+	size = initial_size(data);
+	do {
+		isc_buffer_constinit(&b, data, strlen(data));
+		isc_buffer_add(&b, strlen(data));
+
+		result = isc_lex_openbuffer(lex, &b);
+		if (result != ISC_R_SUCCESS) {
+			goto failure;
+		}
+
+		rdatabuf = NULL;
+		isc_buffer_allocate(mctx, &rdatabuf, size);
+
+		result = dns_rdata_fromtext(rdata, rdatalist->rdclass,
+					    rdatalist->type, lex, origin, false,
+					    mctx, rdatabuf, &lookup->callbacks);
+		if (result != ISC_R_SUCCESS) {
+			isc_buffer_free(&rdatabuf);
+		}
+		if (size >= 65535) {
+			break;
+		}
+		size *= 2;
+		if (size >= 65535) {
+			size = 65535;
+		}
+	} while (result == ISC_R_NOSPACE);
+
+	if (result != ISC_R_SUCCESS) {
+		result = DNS_R_SERVFAIL;
+		goto failure;
+	}
+
+	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
+	ISC_LIST_APPEND(lookup->buffers, rdatabuf, link);
+
+	if (lex != NULL) {
+		isc_lex_destroy(&lex);
+	}
+
+	return (ISC_R_SUCCESS);
+
+failure:
+	if (rdatabuf != NULL) {
+		isc_buffer_free(&rdatabuf);
+	}
+	if (lex != NULL) {
+		isc_lex_destroy(&lex);
+	}
+	isc_mem_put(mctx, rdata, sizeof(dns_rdata_t));
+
+	return (result);
+}
+
+isc_result_t
+dns_sdlz_putnamedrr(dns_sdlzallnodes_t *allnodes, const char *name,
+		    const char *type, dns_ttl_t ttl, const char *data) {
+	dns_name_t *newname;
+	const dns_name_t *origin;
+	dns_fixedname_t fnewname;
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)allnodes->common.db;
+	dns_sdlznode_t *sdlznode;
+	isc_mem_t *mctx = sdlz->common.mctx;
+	isc_buffer_t b;
+	isc_result_t result;
+
+	newname = dns_fixedname_initname(&fnewname);
+
+	if ((sdlz->dlzimp->flags & DNS_SDLZFLAG_RELATIVERDATA) != 0) {
+		origin = &sdlz->common.origin;
+	} else {
+		origin = dns_rootname;
+	}
+	isc_buffer_constinit(&b, name, strlen(name));
+	isc_buffer_add(&b, strlen(name));
+
+	result = dns_name_fromtext(newname, &b, origin, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	if (allnodes->common.relative_names) {
+		/* All names are relative to the root */
+		unsigned int nlabels = dns_name_countlabels(newname);
+		dns_name_getlabelsequence(newname, 0, nlabels - 1, newname);
+	}
+
+	sdlznode = ISC_LIST_HEAD(allnodes->nodelist);
+	if (sdlznode == NULL || !dns_name_equal(sdlznode->name, newname)) {
+		sdlznode = NULL;
+		result = createnode(sdlz, &sdlznode);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		sdlznode->name = isc_mem_get(mctx, sizeof(dns_name_t));
+		dns_name_init(sdlznode->name, NULL);
+		dns_name_dup(newname, mctx, sdlznode->name);
+		ISC_LIST_PREPEND(allnodes->nodelist, sdlznode, link);
+		if (allnodes->origin == NULL &&
+		    dns_name_equal(newname, &sdlz->common.origin))
+		{
+			allnodes->origin = sdlznode;
+		}
+	}
+	return (dns_sdlz_putrr(sdlznode, type, ttl, data));
+}
+
+isc_result_t
+dns_sdlz_putsoa(dns_sdlzlookup_t *lookup, const char *mname, const char *rname,
+		uint32_t serial) {
+	char str[2 * DNS_NAME_MAXTEXT + 5 * (sizeof("2147483647")) + 7];
+	int n;
+
+	REQUIRE(mname != NULL);
+	REQUIRE(rname != NULL);
+
+	n = snprintf(str, sizeof str, "%s %s %u %u %u %u %u", mname, rname,
+		     serial, SDLZ_DEFAULT_REFRESH, SDLZ_DEFAULT_RETRY,
+		     SDLZ_DEFAULT_EXPIRE, SDLZ_DEFAULT_MINIMUM);
+	if (n >= (int)sizeof(str) || n < 0) {
+		return (ISC_R_NOSPACE);
+	}
+	return (dns_sdlz_putrr(lookup, "SOA", SDLZ_DEFAULT_TTL, str));
+}
+
+isc_result_t
+dns_sdlzregister(const char *drivername, const dns_sdlzmethods_t *methods,
+		 void *driverarg, unsigned int flags, isc_mem_t *mctx,
+		 dns_sdlzimplementation_t **sdlzimp) {
+	dns_sdlzimplementation_t *imp;
+	isc_result_t result;
+
+	/*
+	 * Performs checks to make sure data is as we expect it to be.
+	 */
+	REQUIRE(drivername != NULL);
+	REQUIRE(methods != NULL);
+	REQUIRE(methods->findzone != NULL);
+	REQUIRE(methods->lookup != NULL);
+	REQUIRE(mctx != NULL);
+	REQUIRE(sdlzimp != NULL && *sdlzimp == NULL);
+	REQUIRE((flags &
+		 ~(DNS_SDLZFLAG_RELATIVEOWNER | DNS_SDLZFLAG_RELATIVERDATA |
+		   DNS_SDLZFLAG_THREADSAFE)) == 0);
+
+	/* Write debugging message to log */
+	sdlz_log(ISC_LOG_DEBUG(2), "Registering SDLZ driver '%s'", drivername);
+
+	/*
+	 * Allocate memory for a sdlz_implementation object.  Error if
+	 * we cannot.
+	 */
+	imp = isc_mem_get(mctx, sizeof(dns_sdlzimplementation_t));
+
+	/* Make sure memory region is set to all 0's */
+	memset(imp, 0, sizeof(dns_sdlzimplementation_t));
+
+	/* Store the data passed into this method */
+	imp->methods = methods;
+	imp->driverarg = driverarg;
+	imp->flags = flags;
+	imp->mctx = NULL;
+
+	/* attach the new sdlz_implementation object to a memory context */
+	isc_mem_attach(mctx, &imp->mctx);
+
+	/*
+	 * initialize the driver lock, error if we cannot
+	 * (used if a driver does not support multiple threads)
+	 */
+	isc_mutex_init(&imp->driverlock);
+
+	imp->dlz_imp = NULL;
+
+	/*
+	 * register the DLZ driver.  Pass in our "extra" sdlz information as
+	 * a driverarg.  (that's why we stored the passed in driver arg in our
+	 * sdlz_implementation structure)  Also, store the dlz_implementation
+	 * structure in our sdlz_implementation.
+	 */
+	result = dns_dlzregister(drivername, &sdlzmethods, imp, mctx,
+				 &imp->dlz_imp);
+
+	/* if registration fails, cleanup and get outta here. */
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_mutex;
+	}
+
+	*sdlzimp = imp;
+
+	return (ISC_R_SUCCESS);
+
+cleanup_mutex:
+	/* destroy the driver lock, we don't need it anymore */
+	isc_mutex_destroy(&imp->driverlock);
+
+	/*
+	 * return the memory back to the available memory pool and
+	 * remove it from the memory context.
+	 */
+	isc_mem_putanddetach(&imp->mctx, imp, sizeof(dns_sdlzimplementation_t));
+	return (result);
+}
+
+void
+dns_sdlzunregister(dns_sdlzimplementation_t **sdlzimp) {
+	dns_sdlzimplementation_t *imp;
+
+	/* Write debugging message to log */
+	sdlz_log(ISC_LOG_DEBUG(2), "Unregistering SDLZ driver.");
+
+	/*
+	 * Performs checks to make sure data is as we expect it to be.
+	 */
+	REQUIRE(sdlzimp != NULL && *sdlzimp != NULL);
+
+	imp = *sdlzimp;
+	*sdlzimp = NULL;
+
+	/* Unregister the DLZ driver implementation */
+	dns_dlzunregister(&imp->dlz_imp);
+
+	/* destroy the driver lock, we don't need it anymore */
+	isc_mutex_destroy(&imp->driverlock);
+
+	/*
+	 * return the memory back to the available memory pool and
+	 * remove it from the memory context.
+	 */
+	isc_mem_putanddetach(&imp->mctx, imp, sizeof(dns_sdlzimplementation_t));
+}
+
+isc_result_t
+dns_sdlz_setdb(dns_dlzdb_t *dlzdatabase, dns_rdataclass_t rdclass,
+	       const dns_name_t *name, dns_db_t **dbp) {
+	isc_result_t result;
+
+	result = dns_sdlzcreateDBP(dlzdatabase->mctx,
+				   dlzdatabase->implementation->driverarg,
+				   dlzdatabase->dbdata, name, rdclass, dbp);
+	return (result);
+}
diff --git a/lib/dns/soa.c b/lib/dns/soa.c
new file mode 100644
index 0000000..ca5ca88
--- /dev/null
+++ b/lib/dns/soa.c
@@ -0,0 +1,137 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <string.h>
+
+#include <isc/buffer.h>
+#include <isc/util.h>
+
+#include <dns/rdata.h>
+#include <dns/rdatastruct.h>
+#include <dns/soa.h>
+
+static uint32_t
+decode_uint32(unsigned char *p) {
+	return (((uint32_t)p[0] << 24) + ((uint32_t)p[1] << 16) +
+		((uint32_t)p[2] << 8) + ((uint32_t)p[3] << 0));
+}
+
+static void
+encode_uint32(uint32_t val, unsigned char *p) {
+	p[0] = (uint8_t)(val >> 24);
+	p[1] = (uint8_t)(val >> 16);
+	p[2] = (uint8_t)(val >> 8);
+	p[3] = (uint8_t)(val >> 0);
+}
+
+static uint32_t
+soa_get(dns_rdata_t *rdata, int offset) {
+	INSIST(rdata->type == dns_rdatatype_soa);
+	/*
+	 * Locate the field within the SOA RDATA based
+	 * on its position relative to the end of the data.
+	 *
+	 * This is a bit of a kludge, but the alternative approach of
+	 * using dns_rdata_tostruct() and dns_rdata_fromstruct() would
+	 * involve a lot of unnecessary work (like building domain
+	 * names and allocating temporary memory) when all we really
+	 * want to do is to get 32 bits of fixed-sized data.
+	 */
+	INSIST(rdata->length >= 20);
+	INSIST(offset >= 0 && offset <= 16);
+	return (decode_uint32(rdata->data + rdata->length - 20 + offset));
+}
+
+isc_result_t
+dns_soa_buildrdata(const dns_name_t *origin, const dns_name_t *contact,
+		   dns_rdataclass_t rdclass, uint32_t serial, uint32_t refresh,
+		   uint32_t retry, uint32_t expire, uint32_t minimum,
+		   unsigned char *buffer, dns_rdata_t *rdata) {
+	dns_rdata_soa_t soa;
+	isc_buffer_t rdatabuf;
+
+	REQUIRE(origin != NULL);
+	REQUIRE(contact != NULL);
+
+	memset(buffer, 0, DNS_SOA_BUFFERSIZE);
+	isc_buffer_init(&rdatabuf, buffer, DNS_SOA_BUFFERSIZE);
+
+	soa.common.rdtype = dns_rdatatype_soa;
+	soa.common.rdclass = rdclass;
+	soa.mctx = NULL;
+	soa.serial = serial;
+	soa.refresh = refresh;
+	soa.retry = retry;
+	soa.expire = expire;
+	soa.minimum = minimum;
+	dns_name_init(&soa.origin, NULL);
+	dns_name_clone(origin, &soa.origin);
+	dns_name_init(&soa.contact, NULL);
+	dns_name_clone(contact, &soa.contact);
+
+	return (dns_rdata_fromstruct(rdata, rdclass, dns_rdatatype_soa, &soa,
+				     &rdatabuf));
+}
+
+uint32_t
+dns_soa_getserial(dns_rdata_t *rdata) {
+	return (soa_get(rdata, 0));
+}
+uint32_t
+dns_soa_getrefresh(dns_rdata_t *rdata) {
+	return (soa_get(rdata, 4));
+}
+uint32_t
+dns_soa_getretry(dns_rdata_t *rdata) {
+	return (soa_get(rdata, 8));
+}
+uint32_t
+dns_soa_getexpire(dns_rdata_t *rdata) {
+	return (soa_get(rdata, 12));
+}
+uint32_t
+dns_soa_getminimum(dns_rdata_t *rdata) {
+	return (soa_get(rdata, 16));
+}
+
+static void
+soa_set(dns_rdata_t *rdata, uint32_t val, int offset) {
+	INSIST(rdata->type == dns_rdatatype_soa);
+	INSIST(rdata->length >= 20);
+	INSIST(offset >= 0 && offset <= 16);
+	encode_uint32(val, rdata->data + rdata->length - 20 + offset);
+}
+
+void
+dns_soa_setserial(uint32_t val, dns_rdata_t *rdata) {
+	soa_set(rdata, val, 0);
+}
+void
+dns_soa_setrefresh(uint32_t val, dns_rdata_t *rdata) {
+	soa_set(rdata, val, 4);
+}
+void
+dns_soa_setretry(uint32_t val, dns_rdata_t *rdata) {
+	soa_set(rdata, val, 8);
+}
+void
+dns_soa_setexpire(uint32_t val, dns_rdata_t *rdata) {
+	soa_set(rdata, val, 12);
+}
+void
+dns_soa_setminimum(uint32_t val, dns_rdata_t *rdata) {
+	soa_set(rdata, val, 16);
+}
diff --git a/lib/dns/ssu.c b/lib/dns/ssu.c
new file mode 100644
index 0000000..1529a61
--- /dev/null
+++ b/lib/dns/ssu.c
@@ -0,0 +1,667 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <stdbool.h>
+
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/netaddr.h>
+#include <isc/print.h>
+#include <isc/refcount.h>
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/dlz.h>
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/ssu.h>
+
+#include <dst/dst.h>
+#include <dst/gssapi.h>
+
+#define SSUTABLEMAGIC	      ISC_MAGIC('S', 'S', 'U', 'T')
+#define VALID_SSUTABLE(table) ISC_MAGIC_VALID(table, SSUTABLEMAGIC)
+
+#define SSURULEMAGIC	     ISC_MAGIC('S', 'S', 'U', 'R')
+#define VALID_SSURULE(table) ISC_MAGIC_VALID(table, SSURULEMAGIC)
+
+struct dns_ssurule {
+	unsigned int magic;
+	bool grant;		      /*%< is this a grant or a deny? */
+	dns_ssumatchtype_t matchtype; /*%< which type of pattern match?
+				       * */
+	dns_name_t *identity;	      /*%< the identity to match */
+	dns_name_t *name;	      /*%< the name being updated */
+	unsigned int ntypes;	      /*%< number of data types covered */
+	dns_rdatatype_t *types;	      /*%< the data types.  Can include */
+				      /*   ANY. if NULL, defaults to all */
+				      /*   types except SIG, SOA, and NS */
+	ISC_LINK(dns_ssurule_t) link;
+};
+
+struct dns_ssutable {
+	unsigned int magic;
+	isc_mem_t *mctx;
+	isc_refcount_t references;
+	dns_dlzdb_t *dlzdatabase;
+	ISC_LIST(dns_ssurule_t) rules;
+};
+
+isc_result_t
+dns_ssutable_create(isc_mem_t *mctx, dns_ssutable_t **tablep) {
+	dns_ssutable_t *table;
+
+	REQUIRE(tablep != NULL && *tablep == NULL);
+	REQUIRE(mctx != NULL);
+
+	table = isc_mem_get(mctx, sizeof(dns_ssutable_t));
+	isc_refcount_init(&table->references, 1);
+	table->mctx = NULL;
+	isc_mem_attach(mctx, &table->mctx);
+	ISC_LIST_INIT(table->rules);
+	table->magic = SSUTABLEMAGIC;
+	*tablep = table;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+destroy(dns_ssutable_t *table) {
+	isc_mem_t *mctx;
+
+	REQUIRE(VALID_SSUTABLE(table));
+
+	mctx = table->mctx;
+	while (!ISC_LIST_EMPTY(table->rules)) {
+		dns_ssurule_t *rule = ISC_LIST_HEAD(table->rules);
+		if (rule->identity != NULL) {
+			dns_name_free(rule->identity, mctx);
+			isc_mem_put(mctx, rule->identity, sizeof(dns_name_t));
+		}
+		if (rule->name != NULL) {
+			dns_name_free(rule->name, mctx);
+			isc_mem_put(mctx, rule->name, sizeof(dns_name_t));
+		}
+		if (rule->types != NULL) {
+			isc_mem_put(mctx, rule->types,
+				    rule->ntypes * sizeof(dns_rdatatype_t));
+		}
+		ISC_LIST_UNLINK(table->rules, rule, link);
+		rule->magic = 0;
+		isc_mem_put(mctx, rule, sizeof(dns_ssurule_t));
+	}
+	isc_refcount_destroy(&table->references);
+	table->magic = 0;
+	isc_mem_putanddetach(&table->mctx, table, sizeof(dns_ssutable_t));
+}
+
+void
+dns_ssutable_attach(dns_ssutable_t *source, dns_ssutable_t **targetp) {
+	REQUIRE(VALID_SSUTABLE(source));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	isc_refcount_increment(&source->references);
+
+	*targetp = source;
+}
+
+void
+dns_ssutable_detach(dns_ssutable_t **tablep) {
+	dns_ssutable_t *table;
+
+	REQUIRE(tablep != NULL);
+	table = *tablep;
+	*tablep = NULL;
+	REQUIRE(VALID_SSUTABLE(table));
+
+	if (isc_refcount_decrement(&table->references) == 1) {
+		destroy(table);
+	}
+}
+
+isc_result_t
+dns_ssutable_addrule(dns_ssutable_t *table, bool grant,
+		     const dns_name_t *identity, dns_ssumatchtype_t matchtype,
+		     const dns_name_t *name, unsigned int ntypes,
+		     dns_rdatatype_t *types) {
+	dns_ssurule_t *rule;
+	isc_mem_t *mctx;
+
+	REQUIRE(VALID_SSUTABLE(table));
+	REQUIRE(dns_name_isabsolute(identity));
+	REQUIRE(dns_name_isabsolute(name));
+	REQUIRE(matchtype <= dns_ssumatchtype_max);
+	if (matchtype == dns_ssumatchtype_wildcard) {
+		REQUIRE(dns_name_iswildcard(name));
+	}
+	if (ntypes > 0) {
+		REQUIRE(types != NULL);
+	}
+
+	mctx = table->mctx;
+	rule = isc_mem_get(mctx, sizeof(dns_ssurule_t));
+
+	rule->identity = NULL;
+	rule->name = NULL;
+	rule->types = NULL;
+
+	rule->grant = grant;
+
+	rule->identity = isc_mem_get(mctx, sizeof(dns_name_t));
+	dns_name_init(rule->identity, NULL);
+	dns_name_dup(identity, mctx, rule->identity);
+
+	rule->name = isc_mem_get(mctx, sizeof(dns_name_t));
+	dns_name_init(rule->name, NULL);
+	dns_name_dup(name, mctx, rule->name);
+
+	rule->matchtype = matchtype;
+
+	rule->ntypes = ntypes;
+	if (ntypes > 0) {
+		rule->types = isc_mem_get(mctx,
+					  ntypes * sizeof(dns_rdatatype_t));
+		memmove(rule->types, types, ntypes * sizeof(dns_rdatatype_t));
+	} else {
+		rule->types = NULL;
+	}
+
+	rule->magic = SSURULEMAGIC;
+	ISC_LIST_INITANDAPPEND(table->rules, rule, link);
+
+	return (ISC_R_SUCCESS);
+}
+
+static bool
+isusertype(dns_rdatatype_t type) {
+	return (type != dns_rdatatype_ns && type != dns_rdatatype_soa &&
+		type != dns_rdatatype_rrsig);
+}
+
+static void
+reverse_from_address(dns_name_t *tcpself, const isc_netaddr_t *tcpaddr) {
+	char buf[16 * 4 + sizeof("IP6.ARPA.")];
+	isc_result_t result;
+	const unsigned char *ap;
+	isc_buffer_t b;
+	unsigned long l;
+
+	switch (tcpaddr->family) {
+	case AF_INET:
+		l = ntohl(tcpaddr->type.in.s_addr);
+		result = snprintf(buf, sizeof(buf),
+				  "%lu.%lu.%lu.%lu.IN-ADDR.ARPA.",
+				  (l >> 0) & 0xff, (l >> 8) & 0xff,
+				  (l >> 16) & 0xff, (l >> 24) & 0xff);
+		RUNTIME_CHECK(result < sizeof(buf));
+		break;
+	case AF_INET6:
+		ap = tcpaddr->type.in6.s6_addr;
+		result = snprintf(
+			buf, sizeof(buf),
+			"%x.%x.%x.%x.%x.%x.%x.%x."
+			"%x.%x.%x.%x.%x.%x.%x.%x."
+			"%x.%x.%x.%x.%x.%x.%x.%x."
+			"%x.%x.%x.%x.%x.%x.%x.%x."
+			"IP6.ARPA.",
+			ap[15] & 0x0f, (ap[15] >> 4) & 0x0f, ap[14] & 0x0f,
+			(ap[14] >> 4) & 0x0f, ap[13] & 0x0f,
+			(ap[13] >> 4) & 0x0f, ap[12] & 0x0f,
+			(ap[12] >> 4) & 0x0f, ap[11] & 0x0f,
+			(ap[11] >> 4) & 0x0f, ap[10] & 0x0f,
+			(ap[10] >> 4) & 0x0f, ap[9] & 0x0f, (ap[9] >> 4) & 0x0f,
+			ap[8] & 0x0f, (ap[8] >> 4) & 0x0f, ap[7] & 0x0f,
+			(ap[7] >> 4) & 0x0f, ap[6] & 0x0f, (ap[6] >> 4) & 0x0f,
+			ap[5] & 0x0f, (ap[5] >> 4) & 0x0f, ap[4] & 0x0f,
+			(ap[4] >> 4) & 0x0f, ap[3] & 0x0f, (ap[3] >> 4) & 0x0f,
+			ap[2] & 0x0f, (ap[2] >> 4) & 0x0f, ap[1] & 0x0f,
+			(ap[1] >> 4) & 0x0f, ap[0] & 0x0f, (ap[0] >> 4) & 0x0f);
+		RUNTIME_CHECK(result < sizeof(buf));
+		break;
+	default:
+		UNREACHABLE();
+	}
+	isc_buffer_init(&b, buf, strlen(buf));
+	isc_buffer_add(&b, strlen(buf));
+	result = dns_name_fromtext(tcpself, &b, dns_rootname, 0, NULL);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+}
+
+static void
+stf_from_address(dns_name_t *stfself, const isc_netaddr_t *tcpaddr) {
+	char buf[sizeof("X.X.X.X.Y.Y.Y.Y.2.0.0.2.IP6.ARPA.")];
+	isc_result_t result;
+	const unsigned char *ap;
+	isc_buffer_t b;
+	unsigned long l;
+
+	switch (tcpaddr->family) {
+	case AF_INET:
+		l = ntohl(tcpaddr->type.in.s_addr);
+		result = snprintf(buf, sizeof(buf),
+				  "%lx.%lx.%lx.%lx.%lx.%lx.%lx.%lx"
+				  "2.0.0.2.IP6.ARPA.",
+				  l & 0xf, (l >> 4) & 0xf, (l >> 8) & 0xf,
+				  (l >> 12) & 0xf, (l >> 16) & 0xf,
+				  (l >> 20) & 0xf, (l >> 24) & 0xf,
+				  (l >> 28) & 0xf);
+		RUNTIME_CHECK(result < sizeof(buf));
+		break;
+	case AF_INET6:
+		ap = tcpaddr->type.in6.s6_addr;
+		result = snprintf(
+			buf, sizeof(buf),
+			"%x.%x.%x.%x.%x.%x.%x.%x."
+			"%x.%x.%x.%x.IP6.ARPA.",
+			ap[5] & 0x0f, (ap[5] >> 4) & 0x0f, ap[4] & 0x0f,
+			(ap[4] >> 4) & 0x0f, ap[3] & 0x0f, (ap[3] >> 4) & 0x0f,
+			ap[2] & 0x0f, (ap[2] >> 4) & 0x0f, ap[1] & 0x0f,
+			(ap[1] >> 4) & 0x0f, ap[0] & 0x0f, (ap[0] >> 4) & 0x0f);
+		RUNTIME_CHECK(result < sizeof(buf));
+		break;
+	default:
+		UNREACHABLE();
+	}
+	isc_buffer_init(&b, buf, strlen(buf));
+	isc_buffer_add(&b, strlen(buf));
+	result = dns_name_fromtext(stfself, &b, dns_rootname, 0, NULL);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+}
+
+bool
+dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer,
+			const dns_name_t *name, const isc_netaddr_t *addr,
+			bool tcp, const dns_aclenv_t *env, dns_rdatatype_t type,
+			const dst_key_t *key) {
+	dns_ssurule_t *rule;
+	unsigned int i;
+	dns_fixedname_t fixed;
+	dns_name_t *wildcard;
+	dns_name_t *tcpself;
+	dns_name_t *stfself;
+	isc_result_t result;
+	int match;
+
+	REQUIRE(VALID_SSUTABLE(table));
+	REQUIRE(signer == NULL || dns_name_isabsolute(signer));
+	REQUIRE(dns_name_isabsolute(name));
+	REQUIRE(addr == NULL || env != NULL);
+
+	if (signer == NULL && addr == NULL) {
+		return (false);
+	}
+
+	for (rule = ISC_LIST_HEAD(table->rules); rule != NULL;
+	     rule = ISC_LIST_NEXT(rule, link))
+	{
+		switch (rule->matchtype) {
+		case dns_ssumatchtype_name:
+		case dns_ssumatchtype_local:
+		case dns_ssumatchtype_subdomain:
+		case dns_ssumatchtype_wildcard:
+		case dns_ssumatchtype_self:
+		case dns_ssumatchtype_selfsub:
+		case dns_ssumatchtype_selfwild:
+			if (signer == NULL) {
+				continue;
+			}
+			if (dns_name_iswildcard(rule->identity)) {
+				if (!dns_name_matcheswildcard(signer,
+							      rule->identity))
+				{
+					continue;
+				}
+			} else {
+				if (!dns_name_equal(signer, rule->identity)) {
+					continue;
+				}
+			}
+			break;
+		case dns_ssumatchtype_selfkrb5:
+		case dns_ssumatchtype_selfms:
+		case dns_ssumatchtype_selfsubkrb5:
+		case dns_ssumatchtype_selfsubms:
+		case dns_ssumatchtype_subdomainkrb5:
+		case dns_ssumatchtype_subdomainms:
+			if (signer == NULL) {
+				continue;
+			}
+			break;
+		case dns_ssumatchtype_tcpself:
+		case dns_ssumatchtype_6to4self:
+			if (!tcp || addr == NULL) {
+				continue;
+			}
+			break;
+		case dns_ssumatchtype_external:
+		case dns_ssumatchtype_dlz:
+			break;
+		}
+
+		switch (rule->matchtype) {
+		case dns_ssumatchtype_name:
+			if (!dns_name_equal(name, rule->name)) {
+				continue;
+			}
+			break;
+		case dns_ssumatchtype_subdomain:
+			if (!dns_name_issubdomain(name, rule->name)) {
+				continue;
+			}
+			break;
+		case dns_ssumatchtype_local:
+			if (addr == NULL) {
+				continue;
+			}
+			if (!dns_name_issubdomain(name, rule->name)) {
+				continue;
+			}
+			dns_acl_match(addr, NULL, env->localhost, NULL, &match,
+				      NULL);
+			if (match == 0) {
+				if (signer != NULL) {
+					isc_log_write(dns_lctx,
+						      DNS_LOGCATEGORY_GENERAL,
+						      DNS_LOGMODULE_SSU,
+						      ISC_LOG_WARNING,
+						      "update-policy local: "
+						      "match on session "
+						      "key not from "
+						      "localhost");
+				}
+				continue;
+			}
+			break;
+		case dns_ssumatchtype_wildcard:
+			if (!dns_name_matcheswildcard(name, rule->name)) {
+				continue;
+			}
+			break;
+		case dns_ssumatchtype_self:
+			if (!dns_name_equal(signer, name)) {
+				continue;
+			}
+			break;
+		case dns_ssumatchtype_selfsub:
+			if (!dns_name_issubdomain(name, signer)) {
+				continue;
+			}
+			break;
+		case dns_ssumatchtype_selfwild:
+			wildcard = dns_fixedname_initname(&fixed);
+			result = dns_name_concatenate(dns_wildcardname, signer,
+						      wildcard, NULL);
+			if (result != ISC_R_SUCCESS) {
+				continue;
+			}
+			if (!dns_name_matcheswildcard(name, wildcard)) {
+				continue;
+			}
+			break;
+		case dns_ssumatchtype_selfkrb5:
+			if (dst_gssapi_identitymatchesrealmkrb5(
+				    signer, name, rule->identity, false))
+			{
+				break;
+			}
+			continue;
+		case dns_ssumatchtype_selfms:
+			if (dst_gssapi_identitymatchesrealmms(
+				    signer, name, rule->identity, false))
+			{
+				break;
+			}
+			continue;
+		case dns_ssumatchtype_selfsubkrb5:
+			if (dst_gssapi_identitymatchesrealmkrb5(
+				    signer, name, rule->identity, true))
+			{
+				break;
+			}
+			continue;
+		case dns_ssumatchtype_selfsubms:
+			if (dst_gssapi_identitymatchesrealmms(
+				    signer, name, rule->identity, true))
+			{
+				break;
+			}
+			continue;
+		case dns_ssumatchtype_subdomainkrb5:
+			if (!dns_name_issubdomain(name, rule->name)) {
+				continue;
+			}
+			if (dst_gssapi_identitymatchesrealmkrb5(
+				    signer, NULL, rule->identity, false))
+			{
+				break;
+			}
+			continue;
+		case dns_ssumatchtype_subdomainms:
+			if (!dns_name_issubdomain(name, rule->name)) {
+				continue;
+			}
+			if (dst_gssapi_identitymatchesrealmms(
+				    signer, NULL, rule->identity, false))
+			{
+				break;
+			}
+			continue;
+		case dns_ssumatchtype_tcpself:
+			tcpself = dns_fixedname_initname(&fixed);
+			reverse_from_address(tcpself, addr);
+			if (dns_name_iswildcard(rule->identity)) {
+				if (!dns_name_matcheswildcard(tcpself,
+							      rule->identity))
+				{
+					continue;
+				}
+			} else {
+				if (!dns_name_equal(tcpself, rule->identity)) {
+					continue;
+				}
+			}
+			if (!dns_name_equal(tcpself, name)) {
+				continue;
+			}
+			break;
+		case dns_ssumatchtype_6to4self:
+			stfself = dns_fixedname_initname(&fixed);
+			stf_from_address(stfself, addr);
+			if (dns_name_iswildcard(rule->identity)) {
+				if (!dns_name_matcheswildcard(stfself,
+							      rule->identity))
+				{
+					continue;
+				}
+			} else {
+				if (!dns_name_equal(stfself, rule->identity)) {
+					continue;
+				}
+			}
+			if (!dns_name_equal(stfself, name)) {
+				continue;
+			}
+			break;
+		case dns_ssumatchtype_external:
+			if (!dns_ssu_external_match(rule->identity, signer,
+						    name, addr, type, key,
+						    table->mctx))
+			{
+				continue;
+			}
+			break;
+		case dns_ssumatchtype_dlz:
+			if (!dns_dlz_ssumatch(table->dlzdatabase, signer, name,
+					      addr, type, key))
+			{
+				continue;
+			}
+			break;
+		}
+
+		if (rule->ntypes == 0) {
+			/*
+			 * If this is a DLZ rule, then the DLZ ssu
+			 * checks will have already checked
+			 * the type.
+			 */
+			if (rule->matchtype != dns_ssumatchtype_dlz &&
+			    !isusertype(type))
+			{
+				continue;
+			}
+		} else {
+			for (i = 0; i < rule->ntypes; i++) {
+				if (rule->types[i] == dns_rdatatype_any ||
+				    rule->types[i] == type)
+				{
+					break;
+				}
+			}
+			if (i == rule->ntypes) {
+				continue;
+			}
+		}
+		return (rule->grant);
+	}
+
+	return (false);
+}
+
+bool
+dns_ssurule_isgrant(const dns_ssurule_t *rule) {
+	REQUIRE(VALID_SSURULE(rule));
+	return (rule->grant);
+}
+
+dns_name_t *
+dns_ssurule_identity(const dns_ssurule_t *rule) {
+	REQUIRE(VALID_SSURULE(rule));
+	return (rule->identity);
+}
+
+unsigned int
+dns_ssurule_matchtype(const dns_ssurule_t *rule) {
+	REQUIRE(VALID_SSURULE(rule));
+	return (rule->matchtype);
+}
+
+dns_name_t *
+dns_ssurule_name(const dns_ssurule_t *rule) {
+	REQUIRE(VALID_SSURULE(rule));
+	return (rule->name);
+}
+
+unsigned int
+dns_ssurule_types(const dns_ssurule_t *rule, dns_rdatatype_t **types) {
+	REQUIRE(VALID_SSURULE(rule));
+	REQUIRE(types != NULL && *types != NULL);
+	*types = rule->types;
+	return (rule->ntypes);
+}
+
+isc_result_t
+dns_ssutable_firstrule(const dns_ssutable_t *table, dns_ssurule_t **rule) {
+	REQUIRE(VALID_SSUTABLE(table));
+	REQUIRE(rule != NULL && *rule == NULL);
+	*rule = ISC_LIST_HEAD(table->rules);
+	return (*rule != NULL ? ISC_R_SUCCESS : ISC_R_NOMORE);
+}
+
+isc_result_t
+dns_ssutable_nextrule(dns_ssurule_t *rule, dns_ssurule_t **nextrule) {
+	REQUIRE(VALID_SSURULE(rule));
+	REQUIRE(nextrule != NULL && *nextrule == NULL);
+	*nextrule = ISC_LIST_NEXT(rule, link);
+	return (*nextrule != NULL ? ISC_R_SUCCESS : ISC_R_NOMORE);
+}
+
+/*
+ * Create a specialised SSU table that points at an external DLZ database
+ */
+isc_result_t
+dns_ssutable_createdlz(isc_mem_t *mctx, dns_ssutable_t **tablep,
+		       dns_dlzdb_t *dlzdatabase) {
+	isc_result_t result;
+	dns_ssurule_t *rule;
+	dns_ssutable_t *table = NULL;
+
+	REQUIRE(tablep != NULL && *tablep == NULL);
+
+	result = dns_ssutable_create(mctx, &table);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	table->dlzdatabase = dlzdatabase;
+
+	rule = isc_mem_get(table->mctx, sizeof(dns_ssurule_t));
+
+	rule->identity = NULL;
+	rule->name = NULL;
+	rule->types = NULL;
+	rule->grant = true;
+	rule->matchtype = dns_ssumatchtype_dlz;
+	rule->ntypes = 0;
+	rule->types = NULL;
+	rule->magic = SSURULEMAGIC;
+
+	ISC_LIST_INITANDAPPEND(table->rules, rule, link);
+	*tablep = table;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_ssu_mtypefromstring(const char *str, dns_ssumatchtype_t *mtype) {
+	REQUIRE(str != NULL);
+	REQUIRE(mtype != NULL);
+
+	if (strcasecmp(str, "name") == 0) {
+		*mtype = dns_ssumatchtype_name;
+	} else if (strcasecmp(str, "subdomain") == 0) {
+		*mtype = dns_ssumatchtype_subdomain;
+	} else if (strcasecmp(str, "wildcard") == 0) {
+		*mtype = dns_ssumatchtype_wildcard;
+	} else if (strcasecmp(str, "self") == 0) {
+		*mtype = dns_ssumatchtype_self;
+	} else if (strcasecmp(str, "selfsub") == 0) {
+		*mtype = dns_ssumatchtype_selfsub;
+	} else if (strcasecmp(str, "selfwild") == 0) {
+		*mtype = dns_ssumatchtype_selfwild;
+	} else if (strcasecmp(str, "ms-self") == 0) {
+		*mtype = dns_ssumatchtype_selfms;
+	} else if (strcasecmp(str, "ms-selfsub") == 0) {
+		*mtype = dns_ssumatchtype_selfsubms;
+	} else if (strcasecmp(str, "krb5-self") == 0) {
+		*mtype = dns_ssumatchtype_selfkrb5;
+	} else if (strcasecmp(str, "krb5-selfsub") == 0) {
+		*mtype = dns_ssumatchtype_selfsubkrb5;
+	} else if (strcasecmp(str, "ms-subdomain") == 0) {
+		*mtype = dns_ssumatchtype_subdomainms;
+	} else if (strcasecmp(str, "krb5-subdomain") == 0) {
+		*mtype = dns_ssumatchtype_subdomainkrb5;
+	} else if (strcasecmp(str, "tcp-self") == 0) {
+		*mtype = dns_ssumatchtype_tcpself;
+	} else if (strcasecmp(str, "6to4-self") == 0) {
+		*mtype = dns_ssumatchtype_6to4self;
+	} else if (strcasecmp(str, "zonesub") == 0) {
+		*mtype = dns_ssumatchtype_subdomain;
+	} else if (strcasecmp(str, "external") == 0) {
+		*mtype = dns_ssumatchtype_external;
+	} else {
+		return (ISC_R_NOTFOUND);
+	}
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/dns/ssu_external.c b/lib/dns/ssu_external.c
new file mode 100644
index 0000000..d5e4715
--- /dev/null
+++ b/lib/dns/ssu_external.c
@@ -0,0 +1,260 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * This implements external update-policy rules.  This allows permission
+ * to update a zone to be checked by consulting an external daemon (e.g.,
+ * kerberos).
+ */
+
+#include <errno.h>
+#include <inttypes.h>
+#include <stdbool.h>
+#include <unistd.h>
+
+#ifdef ISC_PLATFORM_HAVESYSUNH
+#include <sys/socket.h>
+#include <sys/un.h>
+#endif /* ifdef ISC_PLATFORM_HAVESYSUNH */
+
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/netaddr.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/strerr.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/fixedname.h>
+#include <dns/log.h>
+#include <dns/name.h>
+#include <dns/rdatatype.h>
+#include <dns/ssu.h>
+
+#include <dst/dst.h>
+
+static void
+ssu_e_log(int level, const char *fmt, ...) {
+	va_list ap;
+
+	va_start(ap, fmt);
+	isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_SECURITY, DNS_LOGMODULE_ZONE,
+		       ISC_LOG_DEBUG(level), fmt, ap);
+	va_end(ap);
+}
+
+/*
+ * Connect to a UNIX domain socket.
+ */
+static int
+ux_socket_connect(const char *path) {
+	int fd = -1;
+#ifdef ISC_PLATFORM_HAVESYSUNH
+	struct sockaddr_un addr;
+
+	REQUIRE(path != NULL);
+
+	if (strlen(path) > sizeof(addr.sun_path)) {
+		ssu_e_log(3,
+			  "ssu_external: socket path '%s' "
+			  "longer than system maximum %zu",
+			  path, sizeof(addr.sun_path));
+		return (-1);
+	}
+
+	memset(&addr, 0, sizeof(addr));
+	addr.sun_family = AF_UNIX;
+	strlcpy(addr.sun_path, path, sizeof(addr.sun_path));
+
+	fd = socket(AF_UNIX, SOCK_STREAM, 0);
+	if (fd == -1) {
+		char strbuf[ISC_STRERRORSIZE];
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		ssu_e_log(3, "ssu_external: unable to create socket - %s",
+			  strbuf);
+		return (-1);
+	}
+
+	if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
+		char strbuf[ISC_STRERRORSIZE];
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		ssu_e_log(3,
+			  "ssu_external: unable to connect to "
+			  "socket '%s' - %s",
+			  path, strbuf);
+		close(fd);
+		return (-1);
+	}
+#endif /* ifdef ISC_PLATFORM_HAVESYSUNH */
+	return (fd);
+}
+
+/* Change this version if you update the format of the request */
+#define SSU_EXTERNAL_VERSION 1
+
+/*
+ * Perform an update-policy rule check against an external application
+ * over a socket.
+ *
+ * This currently only supports local: for unix domain datagram sockets.
+ *
+ * Note that by using a datagram socket and creating a new socket each
+ * time we avoid the need for locking and allow for parallel access to
+ * the authorization server.
+ */
+bool
+dns_ssu_external_match(const dns_name_t *identity, const dns_name_t *signer,
+		       const dns_name_t *name, const isc_netaddr_t *tcpaddr,
+		       dns_rdatatype_t type, const dst_key_t *key,
+		       isc_mem_t *mctx) {
+	char b_identity[DNS_NAME_FORMATSIZE];
+	char b_signer[DNS_NAME_FORMATSIZE];
+	char b_name[DNS_NAME_FORMATSIZE];
+	char b_addr[ISC_NETADDR_FORMATSIZE];
+	char b_type[DNS_RDATATYPE_FORMATSIZE];
+	char b_key[DST_KEY_FORMATSIZE];
+	isc_buffer_t *tkey_token = NULL;
+	int fd;
+	const char *sock_path;
+	unsigned int req_len;
+	isc_region_t token_region = { NULL, 0 };
+	unsigned char *data;
+	isc_buffer_t buf;
+	uint32_t token_len = 0;
+	uint32_t reply;
+	ssize_t ret;
+
+	/* The identity contains local:/path/to/socket */
+	dns_name_format(identity, b_identity, sizeof(b_identity));
+
+	/* For now only local: is supported */
+	if (strncmp(b_identity, "local:", 6) != 0) {
+		ssu_e_log(3, "ssu_external: invalid socket path '%s'",
+			  b_identity);
+		return (false);
+	}
+	sock_path = &b_identity[6];
+
+	fd = ux_socket_connect(sock_path);
+	if (fd == -1) {
+		return (false);
+	}
+
+	if (key != NULL) {
+		dst_key_format(key, b_key, sizeof(b_key));
+		tkey_token = dst_key_tkeytoken(key);
+	} else {
+		b_key[0] = 0;
+	}
+
+	if (tkey_token != NULL) {
+		isc_buffer_region(tkey_token, &token_region);
+		token_len = token_region.length;
+	}
+
+	/* Format the request elements */
+	if (signer != NULL) {
+		dns_name_format(signer, b_signer, sizeof(b_signer));
+	} else {
+		b_signer[0] = 0;
+	}
+
+	dns_name_format(name, b_name, sizeof(b_name));
+
+	if (tcpaddr != NULL) {
+		isc_netaddr_format(tcpaddr, b_addr, sizeof(b_addr));
+	} else {
+		b_addr[0] = 0;
+	}
+
+	dns_rdatatype_format(type, b_type, sizeof(b_type));
+
+	/* Work out how big the request will be */
+	req_len = sizeof(uint32_t) +	 /* Format version */
+		  sizeof(uint32_t) +	 /* Length */
+		  strlen(b_signer) + 1 + /* Signer */
+		  strlen(b_name) + 1 +	 /* Name */
+		  strlen(b_addr) + 1 +	 /* Address */
+		  strlen(b_type) + 1 +	 /* Type */
+		  strlen(b_key) + 1 +	 /* Key */
+		  sizeof(uint32_t) +	 /* tkey_token length */
+		  token_len;		 /* tkey_token */
+
+	/* format the buffer */
+	data = isc_mem_allocate(mctx, req_len);
+
+	isc_buffer_init(&buf, data, req_len);
+	isc_buffer_putuint32(&buf, SSU_EXTERNAL_VERSION);
+	isc_buffer_putuint32(&buf, req_len);
+
+	/* Strings must be null-terminated */
+	isc_buffer_putstr(&buf, b_signer);
+	isc_buffer_putuint8(&buf, 0);
+	isc_buffer_putstr(&buf, b_name);
+	isc_buffer_putuint8(&buf, 0);
+	isc_buffer_putstr(&buf, b_addr);
+	isc_buffer_putuint8(&buf, 0);
+	isc_buffer_putstr(&buf, b_type);
+	isc_buffer_putuint8(&buf, 0);
+	isc_buffer_putstr(&buf, b_key);
+	isc_buffer_putuint8(&buf, 0);
+
+	isc_buffer_putuint32(&buf, token_len);
+	if (tkey_token && token_len != 0) {
+		isc_buffer_putmem(&buf, token_region.base, token_len);
+	}
+
+	ENSURE(isc_buffer_availablelength(&buf) == 0);
+
+	/* Send the request */
+	ret = write(fd, data, req_len);
+	isc_mem_free(mctx, data);
+	if (ret != (ssize_t)req_len) {
+		char strbuf[ISC_STRERRORSIZE];
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		ssu_e_log(3, "ssu_external: unable to send request - %s",
+			  strbuf);
+		close(fd);
+		return (false);
+	}
+
+	/* Receive the reply */
+	ret = read(fd, &reply, sizeof(uint32_t));
+	if (ret != (ssize_t)sizeof(uint32_t)) {
+		char strbuf[ISC_STRERRORSIZE];
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		ssu_e_log(3, "ssu_external: unable to receive reply - %s",
+			  strbuf);
+		close(fd);
+		return (false);
+	}
+
+	close(fd);
+
+	reply = ntohl(reply);
+
+	if (reply == 0) {
+		ssu_e_log(3, "ssu_external: denied external auth for '%s'",
+			  b_name);
+		return (false);
+	} else if (reply == 1) {
+		ssu_e_log(3, "ssu_external: allowed external auth for '%s'",
+			  b_name);
+		return (true);
+	}
+
+	ssu_e_log(3, "ssu_external: invalid reply 0x%08x", reply);
+
+	return (false);
+}
diff --git a/lib/dns/stats.c b/lib/dns/stats.c
new file mode 100644
index 0000000..bdd98c5
--- /dev/null
+++ b/lib/dns/stats.c
@@ -0,0 +1,653 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/refcount.h>
+#include <isc/stats.h>
+#include <isc/util.h>
+
+#include <dns/log.h>
+#include <dns/opcode.h>
+#include <dns/rdatatype.h>
+#include <dns/stats.h>
+
+#define DNS_STATS_MAGIC	   ISC_MAGIC('D', 's', 't', 't')
+#define DNS_STATS_VALID(x) ISC_MAGIC_VALID(x, DNS_STATS_MAGIC)
+
+/*%
+ * Statistics types.
+ */
+typedef enum {
+	dns_statstype_general = 0,
+	dns_statstype_rdtype = 1,
+	dns_statstype_rdataset = 2,
+	dns_statstype_opcode = 3,
+	dns_statstype_rcode = 4,
+	dns_statstype_dnssec = 5
+} dns_statstype_t;
+
+/*%
+ * It doesn't make sense to have 2^16 counters for all possible types since
+ * most of them won't be used.  We have counters for the first 256 types.
+ *
+ * A rdtypecounter is now 8 bits for RRtypes and 3 bits for flags:
+ *
+ *       0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
+ *     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ *     |  |  |  |  |  |  S  |NX|         RRType        |
+ *     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ *
+ * If the 8 bits for RRtype are all zero, this is an Other RRtype.
+ */
+#define RDTYPECOUNTER_MAXTYPE 0x00ff
+
+/*
+ *
+ * Bit 7 is the NXRRSET (NX) flag and indicates whether this is a
+ * positive (0) or a negative (1) RRset.
+ */
+#define RDTYPECOUNTER_NXRRSET 0x0100
+
+/*
+ * Then bit 5 and 6 mostly tell you if this counter is for an active,
+ * stale, or ancient RRtype:
+ *
+ *     S = 0 (0b00) means Active
+ *     S = 1 (0b01) means Stale
+ *     S = 2 (0b10) means Ancient
+ *
+ * Since a counter cannot be stale and ancient at the same time, we
+ * treat S = 0b11 as a special case to deal with NXDOMAIN counters.
+ */
+#define RDTYPECOUNTER_STALE    (1 << 9)
+#define RDTYPECOUNTER_ANCIENT  (1 << 10)
+#define RDTYPECOUNTER_NXDOMAIN ((1 << 9) | (1 << 10))
+
+/*
+ * S = 0b11 indicates an NXDOMAIN counter and in this case the RRtype
+ * field signals the expiry of this cached item:
+ *
+ *     RRType = 0 (0b00) means Active
+ *     RRType = 1 (0b01) means Stale
+ *     RRType = 2 (0b02) means Ancient
+ *
+ */
+#define RDTYPECOUNTER_NXDOMAIN_STALE   1
+#define RDTYPECOUNTER_NXDOMAIN_ANCIENT 2
+
+/*
+ * The maximum value for rdtypecounter is for an ancient NXDOMAIN.
+ */
+#define RDTYPECOUNTER_MAXVAL 0x0602
+
+/*
+ * DNSSEC sign statistics.
+ *
+ * Per key we maintain 3 counters. The first is actually no counter but
+ * a key id reference. The second is the number of signatures the key created.
+ * The third is the number of signatures refreshed by the key.
+ */
+
+/* Maximum number of keys to keep track of for DNSSEC signing statistics. */
+static int dnssecsign_num_keys = 4;
+static int dnssecsign_block_size = 3;
+/* Key id mask */
+#define DNSSECSIGNSTATS_KEY_ID_MASK 0x0000FFFF
+
+struct dns_stats {
+	unsigned int magic;
+	dns_statstype_t type;
+	isc_mem_t *mctx;
+	isc_stats_t *counters;
+	isc_refcount_t references;
+};
+
+typedef struct rdatadumparg {
+	dns_rdatatypestats_dumper_t fn;
+	void *arg;
+} rdatadumparg_t;
+
+typedef struct opcodedumparg {
+	dns_opcodestats_dumper_t fn;
+	void *arg;
+} opcodedumparg_t;
+
+typedef struct rcodedumparg {
+	dns_rcodestats_dumper_t fn;
+	void *arg;
+} rcodedumparg_t;
+typedef struct dnssecsigndumparg {
+	dns_dnssecsignstats_dumper_t fn;
+	void *arg;
+} dnssecsigndumparg_t;
+
+void
+dns_stats_attach(dns_stats_t *stats, dns_stats_t **statsp) {
+	REQUIRE(DNS_STATS_VALID(stats));
+	REQUIRE(statsp != NULL && *statsp == NULL);
+
+	isc_refcount_increment(&stats->references);
+
+	*statsp = stats;
+}
+
+void
+dns_stats_detach(dns_stats_t **statsp) {
+	dns_stats_t *stats;
+
+	REQUIRE(statsp != NULL && DNS_STATS_VALID(*statsp));
+
+	stats = *statsp;
+	*statsp = NULL;
+
+	if (isc_refcount_decrement(&stats->references) == 1) {
+		isc_refcount_destroy(&stats->references);
+		isc_stats_detach(&stats->counters);
+		isc_mem_putanddetach(&stats->mctx, stats, sizeof(*stats));
+	}
+}
+
+/*%
+ * Create methods
+ */
+static isc_result_t
+create_stats(isc_mem_t *mctx, dns_statstype_t type, int ncounters,
+	     dns_stats_t **statsp) {
+	dns_stats_t *stats;
+	isc_result_t result;
+
+	stats = isc_mem_get(mctx, sizeof(*stats));
+
+	stats->counters = NULL;
+	isc_refcount_init(&stats->references, 1);
+
+	result = isc_stats_create(mctx, &stats->counters, ncounters);
+	if (result != ISC_R_SUCCESS) {
+		goto clean_mutex;
+	}
+
+	stats->magic = DNS_STATS_MAGIC;
+	stats->type = type;
+	stats->mctx = NULL;
+	isc_mem_attach(mctx, &stats->mctx);
+	*statsp = stats;
+
+	return (ISC_R_SUCCESS);
+
+clean_mutex:
+	isc_mem_put(mctx, stats, sizeof(*stats));
+
+	return (result);
+}
+
+isc_result_t
+dns_generalstats_create(isc_mem_t *mctx, dns_stats_t **statsp, int ncounters) {
+	REQUIRE(statsp != NULL && *statsp == NULL);
+
+	return (create_stats(mctx, dns_statstype_general, ncounters, statsp));
+}
+
+isc_result_t
+dns_rdatatypestats_create(isc_mem_t *mctx, dns_stats_t **statsp) {
+	REQUIRE(statsp != NULL && *statsp == NULL);
+
+	/*
+	 * Create rdtype statistics for the first 255 RRtypes,
+	 * plus one additional for other RRtypes.
+	 */
+	return (create_stats(mctx, dns_statstype_rdtype,
+			     (RDTYPECOUNTER_MAXTYPE + 1), statsp));
+}
+
+isc_result_t
+dns_rdatasetstats_create(isc_mem_t *mctx, dns_stats_t **statsp) {
+	REQUIRE(statsp != NULL && *statsp == NULL);
+
+	return (create_stats(mctx, dns_statstype_rdataset,
+			     (RDTYPECOUNTER_MAXVAL + 1), statsp));
+}
+
+isc_result_t
+dns_opcodestats_create(isc_mem_t *mctx, dns_stats_t **statsp) {
+	REQUIRE(statsp != NULL && *statsp == NULL);
+
+	return (create_stats(mctx, dns_statstype_opcode, 16, statsp));
+}
+
+isc_result_t
+dns_rcodestats_create(isc_mem_t *mctx, dns_stats_t **statsp) {
+	REQUIRE(statsp != NULL && *statsp == NULL);
+
+	return (create_stats(mctx, dns_statstype_rcode, dns_rcode_badcookie + 1,
+			     statsp));
+}
+
+isc_result_t
+dns_dnssecsignstats_create(isc_mem_t *mctx, dns_stats_t **statsp) {
+	REQUIRE(statsp != NULL && *statsp == NULL);
+
+	/*
+	 * Create two counters per key, one is the key id, the other two are
+	 * the actual counters for creating and refreshing signatures.
+	 */
+	return (create_stats(mctx, dns_statstype_dnssec,
+			     dnssecsign_num_keys * dnssecsign_block_size,
+			     statsp));
+}
+
+/*%
+ * Increment/Decrement methods
+ */
+void
+dns_generalstats_increment(dns_stats_t *stats, isc_statscounter_t counter) {
+	REQUIRE(DNS_STATS_VALID(stats) && stats->type == dns_statstype_general);
+
+	isc_stats_increment(stats->counters, counter);
+}
+
+static isc_statscounter_t
+rdatatype2counter(dns_rdatatype_t type) {
+	if (type > (dns_rdatatype_t)RDTYPECOUNTER_MAXTYPE) {
+		return (0);
+	}
+	return ((isc_statscounter_t)type);
+}
+
+void
+dns_rdatatypestats_increment(dns_stats_t *stats, dns_rdatatype_t type) {
+	isc_statscounter_t counter;
+
+	REQUIRE(DNS_STATS_VALID(stats) && stats->type == dns_statstype_rdtype);
+
+	counter = rdatatype2counter(type);
+	isc_stats_increment(stats->counters, counter);
+}
+
+static void
+update_rdatasetstats(dns_stats_t *stats, dns_rdatastatstype_t rrsettype,
+		     bool increment) {
+	isc_statscounter_t counter;
+
+	if ((DNS_RDATASTATSTYPE_ATTR(rrsettype) &
+	     DNS_RDATASTATSTYPE_ATTR_NXDOMAIN) != 0)
+	{
+		counter = RDTYPECOUNTER_NXDOMAIN;
+
+		/*
+		 * This is an NXDOMAIN counter, save the expiry value
+		 * (active, stale, or ancient) value in the RRtype part.
+		 */
+		if ((DNS_RDATASTATSTYPE_ATTR(rrsettype) &
+		     DNS_RDATASTATSTYPE_ATTR_ANCIENT) != 0)
+		{
+			counter |= RDTYPECOUNTER_NXDOMAIN_ANCIENT;
+		} else if ((DNS_RDATASTATSTYPE_ATTR(rrsettype) &
+			    DNS_RDATASTATSTYPE_ATTR_STALE) != 0)
+		{
+			counter += RDTYPECOUNTER_NXDOMAIN_STALE;
+		}
+	} else {
+		counter = rdatatype2counter(DNS_RDATASTATSTYPE_BASE(rrsettype));
+
+		if ((DNS_RDATASTATSTYPE_ATTR(rrsettype) &
+		     DNS_RDATASTATSTYPE_ATTR_NXRRSET) != 0)
+		{
+			counter |= RDTYPECOUNTER_NXRRSET;
+		}
+
+		if ((DNS_RDATASTATSTYPE_ATTR(rrsettype) &
+		     DNS_RDATASTATSTYPE_ATTR_ANCIENT) != 0)
+		{
+			counter |= RDTYPECOUNTER_ANCIENT;
+		} else if ((DNS_RDATASTATSTYPE_ATTR(rrsettype) &
+			    DNS_RDATASTATSTYPE_ATTR_STALE) != 0)
+		{
+			counter |= RDTYPECOUNTER_STALE;
+		}
+	}
+
+	if (increment) {
+		isc_stats_increment(stats->counters, counter);
+	} else {
+		isc_stats_decrement(stats->counters, counter);
+	}
+}
+
+void
+dns_rdatasetstats_increment(dns_stats_t *stats,
+			    dns_rdatastatstype_t rrsettype) {
+	REQUIRE(DNS_STATS_VALID(stats) &&
+		stats->type == dns_statstype_rdataset);
+
+	update_rdatasetstats(stats, rrsettype, true);
+}
+
+void
+dns_rdatasetstats_decrement(dns_stats_t *stats,
+			    dns_rdatastatstype_t rrsettype) {
+	REQUIRE(DNS_STATS_VALID(stats) &&
+		stats->type == dns_statstype_rdataset);
+
+	update_rdatasetstats(stats, rrsettype, false);
+}
+
+void
+dns_opcodestats_increment(dns_stats_t *stats, dns_opcode_t code) {
+	REQUIRE(DNS_STATS_VALID(stats) && stats->type == dns_statstype_opcode);
+
+	isc_stats_increment(stats->counters, (isc_statscounter_t)code);
+}
+
+void
+dns_rcodestats_increment(dns_stats_t *stats, dns_rcode_t code) {
+	REQUIRE(DNS_STATS_VALID(stats) && stats->type == dns_statstype_rcode);
+
+	if (code <= dns_rcode_badcookie) {
+		isc_stats_increment(stats->counters, (isc_statscounter_t)code);
+	}
+}
+
+void
+dns_dnssecsignstats_increment(dns_stats_t *stats, dns_keytag_t id, uint8_t alg,
+			      dnssecsignstats_type_t operation) {
+	uint32_t kval;
+	int num_keys = isc_stats_ncounters(stats->counters) /
+		       dnssecsign_block_size;
+
+	REQUIRE(DNS_STATS_VALID(stats) && stats->type == dns_statstype_dnssec);
+
+	/* Shift algorithm in front of key tag, which is 16 bits */
+	kval = (uint32_t)(alg << 16 | id);
+
+	/* Look up correct counter. */
+	for (int i = 0; i < num_keys; i++) {
+		int idx = i * dnssecsign_block_size;
+		uint32_t counter = isc_stats_get_counter(stats->counters, idx);
+		if (counter == kval) {
+			/* Match */
+			isc_stats_increment(stats->counters, (idx + operation));
+			return;
+		}
+	}
+
+	/* No match found. Store key in unused slot. */
+	for (int i = 0; i < num_keys; i++) {
+		int idx = i * dnssecsign_block_size;
+		uint32_t counter = isc_stats_get_counter(stats->counters, idx);
+		if (counter == 0) {
+			isc_stats_set(stats->counters, kval, idx);
+			isc_stats_increment(stats->counters, (idx + operation));
+			return;
+		}
+	}
+
+	/* No room, grow stats storage. */
+	isc_stats_resize(&stats->counters,
+			 (num_keys * dnssecsign_block_size * 2));
+
+	/* Reset counters for new key (new index, nidx). */
+	int nidx = num_keys * dnssecsign_block_size;
+	isc_stats_set(stats->counters, kval, nidx);
+	isc_stats_set(stats->counters, 0, (nidx + dns_dnssecsignstats_sign));
+	isc_stats_set(stats->counters, 0, (nidx + dns_dnssecsignstats_refresh));
+
+	/* And increment the counter for the given operation. */
+	isc_stats_increment(stats->counters, (nidx + operation));
+}
+
+void
+dns_dnssecsignstats_clear(dns_stats_t *stats, dns_keytag_t id, uint8_t alg) {
+	uint32_t kval;
+	int num_keys = isc_stats_ncounters(stats->counters) /
+		       dnssecsign_block_size;
+
+	REQUIRE(DNS_STATS_VALID(stats) && stats->type == dns_statstype_dnssec);
+
+	/* Shift algorithm in front of key tag, which is 16 bits */
+	kval = (uint32_t)(alg << 16 | id);
+
+	/* Look up correct counter. */
+	for (int i = 0; i < num_keys; i++) {
+		int idx = i * dnssecsign_block_size;
+		uint32_t counter = isc_stats_get_counter(stats->counters, idx);
+		if (counter == kval) {
+			/* Match */
+			isc_stats_set(stats->counters, 0, idx);
+			isc_stats_set(stats->counters, 0,
+				      (idx + dns_dnssecsignstats_sign));
+			isc_stats_set(stats->counters, 0,
+				      (idx + dns_dnssecsignstats_refresh));
+			return;
+		}
+	}
+}
+
+/*%
+ * Dump methods
+ */
+void
+dns_generalstats_dump(dns_stats_t *stats, dns_generalstats_dumper_t dump_fn,
+		      void *arg, unsigned int options) {
+	REQUIRE(DNS_STATS_VALID(stats) && stats->type == dns_statstype_general);
+
+	isc_stats_dump(stats->counters, (isc_stats_dumper_t)dump_fn, arg,
+		       options);
+}
+
+static void
+dump_rdentry(int rdcounter, uint64_t value, dns_rdatastatstype_t attributes,
+	     dns_rdatatypestats_dumper_t dump_fn, void *arg) {
+	dns_rdatatype_t rdtype = dns_rdatatype_none; /* sentinel */
+	dns_rdatastatstype_t type;
+
+	if ((rdcounter & RDTYPECOUNTER_MAXTYPE) == 0) {
+		attributes |= DNS_RDATASTATSTYPE_ATTR_OTHERTYPE;
+	} else {
+		rdtype = (dns_rdatatype_t)(rdcounter & RDTYPECOUNTER_MAXTYPE);
+	}
+	type = DNS_RDATASTATSTYPE_VALUE((dns_rdatastatstype_t)rdtype,
+					attributes);
+	dump_fn(type, value, arg);
+}
+
+static void
+rdatatype_dumpcb(isc_statscounter_t counter, uint64_t value, void *arg) {
+	rdatadumparg_t *rdatadumparg = arg;
+
+	dump_rdentry(counter, value, 0, rdatadumparg->fn, rdatadumparg->arg);
+}
+
+void
+dns_rdatatypestats_dump(dns_stats_t *stats, dns_rdatatypestats_dumper_t dump_fn,
+			void *arg0, unsigned int options) {
+	rdatadumparg_t arg;
+	REQUIRE(DNS_STATS_VALID(stats) && stats->type == dns_statstype_rdtype);
+
+	arg.fn = dump_fn;
+	arg.arg = arg0;
+	isc_stats_dump(stats->counters, rdatatype_dumpcb, &arg, options);
+}
+
+static void
+rdataset_dumpcb(isc_statscounter_t counter, uint64_t value, void *arg) {
+	rdatadumparg_t *rdatadumparg = arg;
+	unsigned int attributes = 0;
+
+	if ((counter & RDTYPECOUNTER_NXDOMAIN) == RDTYPECOUNTER_NXDOMAIN) {
+		attributes |= DNS_RDATASTATSTYPE_ATTR_NXDOMAIN;
+
+		/*
+		 * This is an NXDOMAIN counter, check the RRtype part for the
+		 * expiry value (active, stale, or ancient).
+		 */
+		if ((counter & RDTYPECOUNTER_MAXTYPE) ==
+		    RDTYPECOUNTER_NXDOMAIN_STALE)
+		{
+			attributes |= DNS_RDATASTATSTYPE_ATTR_STALE;
+		} else if ((counter & RDTYPECOUNTER_MAXTYPE) ==
+			   RDTYPECOUNTER_NXDOMAIN_ANCIENT)
+		{
+			attributes |= DNS_RDATASTATSTYPE_ATTR_ANCIENT;
+		}
+	} else {
+		if ((counter & RDTYPECOUNTER_MAXTYPE) == 0) {
+			attributes |= DNS_RDATASTATSTYPE_ATTR_OTHERTYPE;
+		}
+		if ((counter & RDTYPECOUNTER_NXRRSET) != 0) {
+			attributes |= DNS_RDATASTATSTYPE_ATTR_NXRRSET;
+		}
+
+		if ((counter & RDTYPECOUNTER_STALE) != 0) {
+			attributes |= DNS_RDATASTATSTYPE_ATTR_STALE;
+		} else if ((counter & RDTYPECOUNTER_ANCIENT) != 0) {
+			attributes |= DNS_RDATASTATSTYPE_ATTR_ANCIENT;
+		}
+	}
+
+	dump_rdentry(counter, value, attributes, rdatadumparg->fn,
+		     rdatadumparg->arg);
+}
+
+void
+dns_rdatasetstats_dump(dns_stats_t *stats, dns_rdatatypestats_dumper_t dump_fn,
+		       void *arg0, unsigned int options) {
+	rdatadumparg_t arg;
+
+	REQUIRE(DNS_STATS_VALID(stats) &&
+		stats->type == dns_statstype_rdataset);
+
+	arg.fn = dump_fn;
+	arg.arg = arg0;
+	isc_stats_dump(stats->counters, rdataset_dumpcb, &arg, options);
+}
+
+static void
+dnssec_dumpcb(isc_statscounter_t counter, uint64_t value, void *arg) {
+	dnssecsigndumparg_t *dnssecarg = arg;
+
+	dnssecarg->fn((dns_keytag_t)counter, value, dnssecarg->arg);
+}
+
+static void
+dnssec_statsdump(isc_stats_t *stats, dnssecsignstats_type_t operation,
+		 isc_stats_dumper_t dump_fn, void *arg, unsigned int options) {
+	int i, num_keys;
+
+	num_keys = isc_stats_ncounters(stats) / dnssecsign_block_size;
+	for (i = 0; i < num_keys; i++) {
+		int idx = dnssecsign_block_size * i;
+		uint32_t kval, val;
+		dns_keytag_t id;
+
+		kval = isc_stats_get_counter(stats, idx);
+		if (kval == 0) {
+			continue;
+		}
+
+		val = isc_stats_get_counter(stats, (idx + operation));
+		if ((options & ISC_STATSDUMP_VERBOSE) == 0 && val == 0) {
+			continue;
+		}
+
+		id = (dns_keytag_t)kval & DNSSECSIGNSTATS_KEY_ID_MASK;
+
+		dump_fn((isc_statscounter_t)id, val, arg);
+	}
+}
+
+void
+dns_dnssecsignstats_dump(dns_stats_t *stats, dnssecsignstats_type_t operation,
+			 dns_dnssecsignstats_dumper_t dump_fn, void *arg0,
+			 unsigned int options) {
+	dnssecsigndumparg_t arg;
+
+	REQUIRE(DNS_STATS_VALID(stats) && stats->type == dns_statstype_dnssec);
+
+	arg.fn = dump_fn;
+	arg.arg = arg0;
+
+	dnssec_statsdump(stats->counters, operation, dnssec_dumpcb, &arg,
+			 options);
+}
+
+static void
+opcode_dumpcb(isc_statscounter_t counter, uint64_t value, void *arg) {
+	opcodedumparg_t *opcodearg = arg;
+
+	opcodearg->fn((dns_opcode_t)counter, value, opcodearg->arg);
+}
+
+static void
+rcode_dumpcb(isc_statscounter_t counter, uint64_t value, void *arg) {
+	rcodedumparg_t *rcodearg = arg;
+
+	rcodearg->fn((dns_rcode_t)counter, value, rcodearg->arg);
+}
+
+void
+dns_opcodestats_dump(dns_stats_t *stats, dns_opcodestats_dumper_t dump_fn,
+		     void *arg0, unsigned int options) {
+	opcodedumparg_t arg;
+
+	REQUIRE(DNS_STATS_VALID(stats) && stats->type == dns_statstype_opcode);
+
+	arg.fn = dump_fn;
+	arg.arg = arg0;
+	isc_stats_dump(stats->counters, opcode_dumpcb, &arg, options);
+}
+
+void
+dns_rcodestats_dump(dns_stats_t *stats, dns_rcodestats_dumper_t dump_fn,
+		    void *arg0, unsigned int options) {
+	rcodedumparg_t arg;
+
+	REQUIRE(DNS_STATS_VALID(stats) && stats->type == dns_statstype_rcode);
+
+	arg.fn = dump_fn;
+	arg.arg = arg0;
+	isc_stats_dump(stats->counters, rcode_dumpcb, &arg, options);
+}
+
+/***
+ *** Obsolete variables and functions follow:
+ ***/
+LIBDNS_EXTERNAL_DATA const char *dns_statscounter_names[DNS_STATS_NCOUNTERS] = {
+	"success",   "referral", "nxrrset",   "nxdomain",
+	"recursion", "failure",	 "duplicate", "dropped"
+};
+
+isc_result_t
+dns_stats_alloccounters(isc_mem_t *mctx, uint64_t **ctrp) {
+	int i;
+	uint64_t *p = isc_mem_get(mctx, DNS_STATS_NCOUNTERS * sizeof(uint64_t));
+	if (p == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+	for (i = 0; i < DNS_STATS_NCOUNTERS; i++) {
+		p[i] = 0;
+	}
+	*ctrp = p;
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_stats_freecounters(isc_mem_t *mctx, uint64_t **ctrp) {
+	isc_mem_put(mctx, *ctrp, DNS_STATS_NCOUNTERS * sizeof(uint64_t));
+	*ctrp = NULL;
+}
diff --git a/lib/dns/tcpmsg.c b/lib/dns/tcpmsg.c
new file mode 100644
index 0000000..44694d8
--- /dev/null
+++ b/lib/dns/tcpmsg.c
@@ -0,0 +1,236 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/task.h>
+#include <isc/util.h>
+
+#include <dns/events.h>
+#include <dns/result.h>
+#include <dns/tcpmsg.h>
+
+#ifdef TCPMSG_DEBUG
+#include <stdio.h> /* Required for printf. */
+#define XDEBUG(x) printf x
+#else /* ifdef TCPMSG_DEBUG */
+#define XDEBUG(x)
+#endif /* ifdef TCPMSG_DEBUG */
+
+#define TCPMSG_MAGIC	  ISC_MAGIC('T', 'C', 'P', 'm')
+#define VALID_TCPMSG(foo) ISC_MAGIC_VALID(foo, TCPMSG_MAGIC)
+
+static void
+recv_length(isc_task_t *, isc_event_t *);
+static void
+recv_message(isc_task_t *, isc_event_t *);
+
+static void
+recv_length(isc_task_t *task, isc_event_t *ev_in) {
+	isc_socketevent_t *ev = (isc_socketevent_t *)ev_in;
+	isc_event_t *dev;
+	dns_tcpmsg_t *tcpmsg = ev_in->ev_arg;
+	isc_region_t region;
+	isc_result_t result;
+
+	INSIST(VALID_TCPMSG(tcpmsg));
+
+	dev = &tcpmsg->event;
+	tcpmsg->address = ev->address;
+
+	if (ev->result != ISC_R_SUCCESS) {
+		tcpmsg->result = ev->result;
+		goto send_and_free;
+	}
+
+	/*
+	 * Success.
+	 */
+	tcpmsg->size = ntohs(tcpmsg->size);
+	if (tcpmsg->size == 0) {
+		tcpmsg->result = ISC_R_UNEXPECTEDEND;
+		goto send_and_free;
+	}
+	if (tcpmsg->size > tcpmsg->maxsize) {
+		tcpmsg->result = ISC_R_RANGE;
+		goto send_and_free;
+	}
+
+	region.base = isc_mem_get(tcpmsg->mctx, tcpmsg->size);
+	region.length = tcpmsg->size;
+	if (region.base == NULL) {
+		tcpmsg->result = ISC_R_NOMEMORY;
+		goto send_and_free;
+	}
+	XDEBUG(("Allocated %d bytes\n", tcpmsg->size));
+
+	isc_buffer_init(&tcpmsg->buffer, region.base, region.length);
+	result = isc_socket_recv(tcpmsg->sock, &region, 0, task, recv_message,
+				 tcpmsg);
+	if (result != ISC_R_SUCCESS) {
+		tcpmsg->result = result;
+		goto send_and_free;
+	}
+
+	isc_event_free(&ev_in);
+	return;
+
+send_and_free:
+	isc_task_send(tcpmsg->task, &dev);
+	tcpmsg->task = NULL;
+	isc_event_free(&ev_in);
+	return;
+}
+
+static void
+recv_message(isc_task_t *task, isc_event_t *ev_in) {
+	isc_socketevent_t *ev = (isc_socketevent_t *)ev_in;
+	isc_event_t *dev;
+	dns_tcpmsg_t *tcpmsg = ev_in->ev_arg;
+
+	(void)task;
+
+	INSIST(VALID_TCPMSG(tcpmsg));
+
+	dev = &tcpmsg->event;
+	tcpmsg->address = ev->address;
+
+	if (ev->result != ISC_R_SUCCESS) {
+		tcpmsg->result = ev->result;
+		goto send_and_free;
+	}
+
+	tcpmsg->result = ISC_R_SUCCESS;
+	isc_buffer_add(&tcpmsg->buffer, ev->n);
+
+	XDEBUG(("Received %u bytes (of %d)\n", ev->n, tcpmsg->size));
+
+send_and_free:
+	isc_task_send(tcpmsg->task, &dev);
+	tcpmsg->task = NULL;
+	isc_event_free(&ev_in);
+}
+
+void
+dns_tcpmsg_init(isc_mem_t *mctx, isc_socket_t *sock, dns_tcpmsg_t *tcpmsg) {
+	REQUIRE(mctx != NULL);
+	REQUIRE(sock != NULL);
+	REQUIRE(tcpmsg != NULL);
+
+	tcpmsg->magic = TCPMSG_MAGIC;
+	tcpmsg->size = 0;
+	tcpmsg->buffer.base = NULL;
+	tcpmsg->buffer.length = 0;
+	tcpmsg->maxsize = 65535; /* Largest message possible. */
+	tcpmsg->mctx = mctx;
+	tcpmsg->sock = sock;
+	tcpmsg->task = NULL;		   /* None yet. */
+	tcpmsg->result = ISC_R_UNEXPECTED; /* None yet. */
+
+	/* Should probably initialize the event here, but it can wait. */
+}
+
+void
+dns_tcpmsg_setmaxsize(dns_tcpmsg_t *tcpmsg, unsigned int maxsize) {
+	REQUIRE(VALID_TCPMSG(tcpmsg));
+	REQUIRE(maxsize < 65536);
+
+	tcpmsg->maxsize = maxsize;
+}
+
+isc_result_t
+dns_tcpmsg_readmessage(dns_tcpmsg_t *tcpmsg, isc_task_t *task,
+		       isc_taskaction_t action, void *arg) {
+	isc_result_t result;
+	isc_region_t region;
+
+	REQUIRE(VALID_TCPMSG(tcpmsg));
+	REQUIRE(task != NULL);
+	REQUIRE(tcpmsg->task == NULL); /* not currently in use */
+
+	if (tcpmsg->buffer.base != NULL) {
+		isc_mem_put(tcpmsg->mctx, tcpmsg->buffer.base,
+			    tcpmsg->buffer.length);
+		tcpmsg->buffer.base = NULL;
+		tcpmsg->buffer.length = 0;
+	}
+
+	tcpmsg->task = task;
+	tcpmsg->action = action;
+	tcpmsg->arg = arg;
+	tcpmsg->result = ISC_R_UNEXPECTED; /* unknown right now */
+
+	ISC_EVENT_INIT(&tcpmsg->event, sizeof(isc_event_t), 0, 0,
+		       DNS_EVENT_TCPMSG, action, arg, tcpmsg, NULL, NULL);
+
+	region.base = (unsigned char *)&tcpmsg->size;
+	region.length = 2; /* uint16_t */
+	result = isc_socket_recv(tcpmsg->sock, &region, 0, tcpmsg->task,
+				 recv_length, tcpmsg);
+
+	if (result != ISC_R_SUCCESS) {
+		tcpmsg->task = NULL;
+	}
+
+	return (result);
+}
+
+void
+dns_tcpmsg_cancelread(dns_tcpmsg_t *tcpmsg) {
+	REQUIRE(VALID_TCPMSG(tcpmsg));
+
+	isc_socket_cancel(tcpmsg->sock, NULL, ISC_SOCKCANCEL_RECV);
+}
+
+void
+dns_tcpmsg_keepbuffer(dns_tcpmsg_t *tcpmsg, isc_buffer_t *buffer) {
+	REQUIRE(VALID_TCPMSG(tcpmsg));
+	REQUIRE(buffer != NULL);
+
+	*buffer = tcpmsg->buffer;
+	tcpmsg->buffer.base = NULL;
+	tcpmsg->buffer.length = 0;
+}
+
+#if 0
+void
+dns_tcpmsg_freebuffer(dns_tcpmsg_t *tcpmsg) {
+	REQUIRE(VALID_TCPMSG(tcpmsg));
+
+	if (tcpmsg->buffer.base == NULL) {
+		return;
+	}
+
+	isc_mem_put(tcpmsg->mctx, tcpmsg->buffer.base, tcpmsg->buffer.length);
+	tcpmsg->buffer.base = NULL;
+	tcpmsg->buffer.length = 0;
+}
+#endif /* if 0 */
+
+void
+dns_tcpmsg_invalidate(dns_tcpmsg_t *tcpmsg) {
+	REQUIRE(VALID_TCPMSG(tcpmsg));
+
+	tcpmsg->magic = 0;
+
+	if (tcpmsg->buffer.base != NULL) {
+		isc_mem_put(tcpmsg->mctx, tcpmsg->buffer.base,
+			    tcpmsg->buffer.length);
+		tcpmsg->buffer.base = NULL;
+		tcpmsg->buffer.length = 0;
+	}
+}
diff --git a/lib/dns/tests/Kdh.+002+18602.key b/lib/dns/tests/Kdh.+002+18602.key
new file mode 100644
index 0000000..09b4cf5
--- /dev/null
+++ b/lib/dns/tests/Kdh.+002+18602.key
@@ -0,0 +1 @@
+dh. IN KEY 0 2 2 AAEBAAAAYIHI/wjtOagNga9GILSoS02IVelgLilPE/TfhtvShsiDAXqb IfxQcj2JkuOnNLs5ttb2WZXWl5/jsSjIxHMwMF2XY4gwt/lwHBf/vgYH r7aIxnKXov1jk9rymTLHGKIOtg==
diff --git a/lib/dns/tests/Krsa.+008+29238.key b/lib/dns/tests/Krsa.+008+29238.key
new file mode 100644
index 0000000..8a09067
--- /dev/null
+++ b/lib/dns/tests/Krsa.+008+29238.key
@@ -0,0 +1,5 @@
+; This is a zone-signing key, keyid 29235, for rsa.
+; Created: 20160819191802 (Fri Aug 19 21:18:02 2016)
+; Publish: 20160819191802 (Fri Aug 19 21:18:02 2016)
+; Activate: 20160819191802 (Fri Aug 19 21:18:02 2016)
+rsa. IN DNSKEY 256 3 8 AwEAAdLT1R3qiqCqll3Xzh2qFMvehQ9FODsPftw5U4UjB3QwnJ/3+dph 9kZBBeaJagUBVYzoArk6XNydpp3HhSCFDcIiepL6r8XAifW3SqI1KCne OD38kSCl/Qm9P0+3CFWokGVubsSQ+3dpQZxqx5bzOXthbuzAr6X+gDUE LAyHtCQNmJ+4ktdCoj3DNYW0z/xLvrcB2Lns7H+/qWnGPL4f3hr7Vbak Oeay+4J4KGdY2LFxJUVts6QrgAA8gz4mV9YIJFP+C4B3b/Z7qgqZRxmT 0pic+fJC5+sq0l8KwavPn0n+HqVuJNvppVKMdTbsmmuk69RFGMjbFkP7 tnCiqC9Zi6s=
diff --git a/lib/dns/tests/Kyuafile b/lib/dns/tests/Kyuafile
new file mode 100644
index 0000000..53b4686
--- /dev/null
+++ b/lib/dns/tests/Kyuafile
@@ -0,0 +1,45 @@
+-- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+--
+-- SPDX-License-Identifier: MPL-2.0
+--
+-- This Source Code Form is subject to the terms of the Mozilla Public
+-- License, v. 2.0.  If a copy of the MPL was not distributed with this
+-- file, you can obtain one at https://mozilla.org/MPL/2.0/.
+--
+-- See the COPYRIGHT file distributed with this work for additional
+-- information regarding copyright ownership.
+
+syntax(2)
+test_suite('bind9')
+
+tap_test_program{name='acl_test'}
+tap_test_program{name='db_test'}
+tap_test_program{name='dbdiff_test'}
+tap_test_program{name='dbiterator_test'}
+tap_test_program{name='dbversion_test'}
+tap_test_program{name='dh_test'}
+tap_test_program{name='dispatch_test'}
+tap_test_program{name='dnstap_test'}
+tap_test_program{name='dst_test'}
+tap_test_program{name='geoip_test'}
+tap_test_program{name='keytable_test'}
+tap_test_program{name='master_test'}
+tap_test_program{name='name_test'}
+tap_test_program{name='nsec3_test'}
+tap_test_program{name='peer_test'}
+tap_test_program{name='private_test'}
+tap_test_program{name='rbt_serialize_test', is_exclusive=true}
+tap_test_program{name='rbt_test'}
+tap_test_program{name='rbtdb_test'}
+tap_test_program{name='rdata_test'}
+tap_test_program{name='rdataset_test'}
+tap_test_program{name='rdatasetstats_test'}
+tap_test_program{name='resolver_test'}
+tap_test_program{name='result_test'}
+tap_test_program{name='rsa_test'}
+tap_test_program{name='sigs_test'}
+tap_test_program{name='time_test'}
+tap_test_program{name='tsig_test'}
+tap_test_program{name='update_test'}
+tap_test_program{name='zonemgr_test'}
+tap_test_program{name='zt_test'}
diff --git a/lib/dns/tests/Makefile.in b/lib/dns/tests/Makefile.in
new file mode 100644
index 0000000..90c1371
--- /dev/null
+++ b/lib/dns/tests/Makefile.in
@@ -0,0 +1,287 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	-I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \
+		${FSTRM_CFLAGS} ${OPENSSL_CFLAGS} \
+		${PROTOBUF_C_CFLAGS} ${MAXMINDDB_CFLAGS} @CMOCKA_CFLAGS@
+CDEFINES =	-DTESTS="\"${top_builddir}/lib/dns/tests/\""
+
+ISCLIBS =	../../isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+ISCDEPLIBS =	../../isc/libisc.@A@
+DNSLIBS =	../libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+DNSDEPLIBS =	../libdns.@A@
+
+LIBS =		@LIBS@ @CMOCKA_LIBS@
+
+OBJS =		dnstest.@O@
+SRCS =		acl_test.c \
+		db_test.c \
+		dbdiff_test.c \
+		dbiterator_test.c \
+		dh_test.c \
+		dispatch_test.c \
+		dnstap_test.c \
+		dst_test.c \
+		dnstest.c \
+		geoip_test.c \
+		keytable_test.c \
+		master_test.c \
+		name_test.c \
+		nsec3_test.c \
+		nsec3param_test.c \
+		peer_test.c \
+		private_test.c \
+		rbt_test.c \
+		rbt_serialize_test.c \
+		rbtdb_test.c \
+		rdata_test.c \
+		rdataset_test.c \
+		rdatasetstats_test.c \
+		resolver_test.c \
+		result_test.c \
+		rsa_test.c \
+		sigs_test.c \
+		time_test.c \
+		tsig_test.c \
+		update_test.c \
+		zonemgr_test.c \
+		zt_test.c
+
+SUBDIRS =
+TARGETS =	acl_test@EXEEXT@ \
+		db_test@EXEEXT@ \
+		dbdiff_test@EXEEXT@ \
+		dbiterator_test@EXEEXT@ \
+		dbversion_test@EXEEXT@ \
+		dh_test@EXEEXT@ \
+		dispatch_test@EXEEXT@ \
+		dnstap_test@EXEEXT@ \
+		dst_test@EXEEXT@ \
+		geoip_test@EXEEXT@ \
+		keytable_test@EXEEXT@ \
+		master_test@EXEEXT@ \
+		name_test@EXEEXT@ \
+		nsec3_test@EXEEXT@ \
+		nsec3param_test@EXEEXT@ \
+		peer_test@EXEEXT@ \
+		private_test@EXEEXT@ \
+		rbt_test@EXEEXT@ \
+		rbt_serialize_test@EXEEXT@ \
+		rbtdb_test@EXEEXT@ \
+		rdata_test@EXEEXT@ \
+		rdataset_test@EXEEXT@ \
+		rdatasetstats_test@EXEEXT@ \
+		resolver_test@EXEEXT@ \
+		result_test@EXEEXT@ \
+		rsa_test@EXEEXT@ \
+		sigs_test@EXEEXT@ \
+		time_test@EXEEXT@ \
+		tsig_test@EXEEXT@ \
+		update_test@EXEEXT@ \
+		zonemgr_test@EXEEXT@ \
+		zt_test@EXEEXT@
+
+@BIND9_MAKE_RULES@
+
+LD_WRAP_TESTS=@LD_WRAP_TESTS@
+
+acl_test@EXEEXT@: acl_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ acl_test.@O@ dnstest.@O@ ${DNSLIBS} \
+		${ISCLIBS} ${LIBS}
+
+db_test@EXEEXT@: db_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ db_test.@O@ dnstest.@O@ ${DNSLIBS} \
+		${ISCLIBS} ${LIBS}
+
+dbdiff_test@EXEEXT@: dbdiff_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ dbdiff_test.@O@ dnstest.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+dbiterator_test@EXEEXT@: dbiterator_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ dbiterator_test.@O@ dnstest.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+dbversion_test@EXEEXT@: dbversion_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ dbversion_test.@O@ dnstest.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+dh_test@EXEEXT@: dh_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ dh_test.@O@ dnstest.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+dispatch_test@EXEEXT@: dispatch_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ dispatch_test.@O@ dnstest.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+dnstap_test@EXEEXT@: dnstap_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ dnstap_test.@O@ dnstest.@O@ \
+		${FSTRM_LIBS} ${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+dst_test@EXEEXT@: dst_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ dst_test.@O@ dnstest.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+geoip_test@EXEEXT@: geoip_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ geoip_test.@O@ dnstest.@O@ \
+		${DNSLIBS} ${MAXMINDDB_LIBS} ${ISCLIBS} ${LIBS}
+
+keytable_test@EXEEXT@: keytable_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ keytable_test.@O@ dnstest.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+master_test@EXEEXT@: master_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	test -d testdata || mkdir testdata
+	test -d testdata/master || mkdir testdata/master
+	${PERL} ${srcdir}/mkraw.pl < ${srcdir}/testdata/master/master12.data.in \
+		> testdata/master/master12.data
+	${PERL} ${srcdir}/mkraw.pl < ${srcdir}/testdata/master/master13.data.in \
+		> testdata/master/master13.data
+	${PERL} ${srcdir}/mkraw.pl < ${srcdir}/testdata/master/master14.data.in \
+		> testdata/master/master14.data
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ master_test.@O@ dnstest.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+name_test@EXEEXT@: name_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ name_test.@O@ dnstest.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+nsec3_test@EXEEXT@: nsec3_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ nsec3_test.@O@ dnstest.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+nsec3param_test@EXEEXT@: nsec3param_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ nsec3param_test.@O@ dnstest.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+peer_test@EXEEXT@: peer_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ peer_test.@O@ dnstest.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+private_test@EXEEXT@: private_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ private_test.@O@ dnstest.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+rbt_serialize_test@EXEEXT@: rbt_serialize_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ rbt_serialize_test.@O@ dnstest.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+rbt_test@EXEEXT@: rbt_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ rbt_test.@O@ dnstest.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+rbtdb_test@EXEEXT@: rbtdb_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ rbtdb_test.@O@ dnstest.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+rdata_test@EXEEXT@: rdata_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ rdata_test.@O@ dnstest.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+rdataset_test@EXEEXT@: rdataset_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ rdataset_test.@O@ dnstest.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+rdatasetstats_test@EXEEXT@: rdatasetstats_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ rdatasetstats_test.@O@ dnstest.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+resolver_test@EXEEXT@: resolver_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ resolver_test.@O@ dnstest.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+result_test@EXEEXT@: result_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ result_test.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+rsa_test@EXEEXT@: rsa_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ rsa_test.@O@ dnstest.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+sigs_test@EXEEXT@: sigs_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ sigs_test.@O@ dnstest.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+time_test@EXEEXT@: time_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ time_test.@O@ dnstest.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+WRAP_OPTIONS = \
+	-Wl,--wrap=isc__mem_put \
+	-Wl,--wrap=isc__mem_get \
+	-Wl,--wrap=isc_mem_attach \
+	-Wl,--wrap=isc_mem_detach \
+	-Wl,--wrap=isc__mem_putanddetach
+
+tsig_test@EXEEXT@: tsig_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ tsig_test.@O@ dnstest.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+update_test@EXEEXT@: update_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ update_test.@O@ dnstest.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+zonemgr_test@EXEEXT@: zonemgr_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ zonemgr_test.@O@ dnstest.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+zt_test@EXEEXT@: zt_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ zt_test.@O@ dnstest.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+unit::
+	sh ${top_builddir}/unit/unittest.sh
+
+clean distclean::
+	rm -f ${TARGETS}
+	rm -f atf.out
+	rm -f testdata/master/master12.data testdata/master/master13.data \
+		testdata/master/master14.data
+	rm -f zone.bin
diff --git a/lib/dns/tests/acl_test.c b/lib/dns/tests/acl_test.c
new file mode 100644
index 0000000..21941a2
--- /dev/null
+++ b/lib/dns/tests/acl_test.c
@@ -0,0 +1,158 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/acl.h>
+
+#include "dnstest.h"
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = dns_test_begin(NULL, false);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	dns_test_end();
+
+	return (0);
+}
+
+#define BUFLEN	    255
+#define BIGBUFLEN   (70 * 1024)
+#define TEST_ORIGIN "test"
+
+/* test that dns_acl_isinsecure works */
+static void
+dns_acl_isinsecure_test(void **state) {
+	isc_result_t result;
+	dns_acl_t *any = NULL;
+	dns_acl_t *none = NULL;
+	dns_acl_t *notnone = NULL;
+	dns_acl_t *notany = NULL;
+#if defined(HAVE_GEOIP2)
+	dns_acl_t *geoip = NULL;
+	dns_acl_t *notgeoip = NULL;
+	dns_aclelement_t *de;
+#endif /* HAVE_GEOIP2 */
+
+	UNUSED(state);
+
+	result = dns_acl_any(dt_mctx, &any);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_acl_none(dt_mctx, &none);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_acl_create(dt_mctx, 1, &notnone);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_acl_create(dt_mctx, 1, &notany);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_acl_merge(notnone, none, false);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_acl_merge(notany, any, false);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+#if defined(HAVE_GEOIP2)
+	result = dns_acl_create(dt_mctx, 1, &geoip);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	de = geoip->elements;
+	assert_non_null(de);
+	strlcpy(de->geoip_elem.as_string, "AU",
+		sizeof(de->geoip_elem.as_string));
+	de->geoip_elem.subtype = dns_geoip_country_code;
+	de->type = dns_aclelementtype_geoip;
+	de->negative = false;
+	assert_true(geoip->length < geoip->alloc);
+	dns_acl_node_count(geoip)++;
+	de->node_num = dns_acl_node_count(geoip);
+	geoip->length++;
+
+	result = dns_acl_create(dt_mctx, 1, &notgeoip);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_acl_merge(notgeoip, geoip, false);
+	assert_int_equal(result, ISC_R_SUCCESS);
+#endif /* HAVE_GEOIP2 */
+
+	assert_true(dns_acl_isinsecure(any));	   /* any; */
+	assert_false(dns_acl_isinsecure(none));	   /* none; */
+	assert_false(dns_acl_isinsecure(notany));  /* !any; */
+	assert_false(dns_acl_isinsecure(notnone)); /* !none; */
+
+#if defined(HAVE_GEOIP2)
+	assert_true(dns_acl_isinsecure(geoip));	    /* geoip; */
+	assert_false(dns_acl_isinsecure(notgeoip)); /* !geoip; */
+#endif						    /* HAVE_GEOIP2 */
+
+	dns_acl_detach(&any);
+	dns_acl_detach(&none);
+	dns_acl_detach(&notany);
+	dns_acl_detach(&notnone);
+#if defined(HAVE_GEOIP2)
+	dns_acl_detach(&geoip);
+	dns_acl_detach(&notgeoip);
+#endif /* HAVE_GEOIP2 */
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test_setup_teardown(dns_acl_isinsecure_test, _setup,
+						_teardown),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/dns/tests/comparekeys/Kexample-d.+008+53461.key b/lib/dns/tests/comparekeys/Kexample-d.+008+53461.key
new file mode 100644
index 0000000..5c43165
--- /dev/null
+++ b/lib/dns/tests/comparekeys/Kexample-d.+008+53461.key
@@ -0,0 +1,5 @@
+; This is a zone-signing key, keyid 53461, for example-d.
+; Created: 20000101000000 (Sat Jan  1 00:00:00 2000)
+; Publish: 20000101000000 (Sat Jan  1 00:00:00 2000)
+; Activate: 20000101000000 (Sat Jan  1 00:00:00 2000)
+example-d. IN DNSKEY 256 3 8 AwEAAaKYSOPDzZvfue5sU71xPCJKJpB5kZGl4vTp3OI8W+nN1YFtmVe2 2gM666AEutDAEB7cLkyoKCOH0+4Lh1ucPr6OmdWkHfk7uZv58eH0kOAV tNz2xhEF/YHSD7cnBEU9g0knGwpWuzSJKRhGhNoaVus9g1MaAn8efptz HIduIwgAeXV3BDCUpY6HbpwjDxOGCzCUYDRgcex37kYuCyW0PvlO5FQ0 DT0LpjcgBmIBpXol7sYpmKdOKJrm4x2lwGntr4K+bCdNYI2PRPJjPqAf jlvIvJylGUaqFJasw7PSMQIkgcQ4OQXVrhE8uGLdYvP1cusLuROIjdYp Pdqc5K9lCQE=
diff --git a/lib/dns/tests/comparekeys/Kexample-d.+008+53461.private b/lib/dns/tests/comparekeys/Kexample-d.+008+53461.private
new file mode 100644
index 0000000..a693428
--- /dev/null
+++ b/lib/dns/tests/comparekeys/Kexample-d.+008+53461.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: ophI48PNm9+57mxTvXE8IkomkHmRkaXi9Onc4jxb6c3VgW2ZV7baAzrroAS60MAQHtwuTKgoI4fT7guHW5w+vo6Z1aQd+Tu5m/nx4fSQ4BW03PbGEQX9gdIPtycERT2DSScbCla7NIkpGEaE2hpW6z2DUxoCfx5+m3Mch24jCAB5dXcEMJSljodunCMPE4YLMJRgNGBx7HfuRi4LJbQ++U7kVDQNPQumNyAGYgGleiXuximYp04omubjHaXAae2vgr5sJ01gjY9E8mM+oB+OW8i8nKUZRqoUlqzDs9IxAiSBxDg5BdWuETy4Yt1i8/Vy6wu5E4iN1ik92pzkr2UJAQ==
+PublicExponent: AQAB
+PrivateExponent: AhR3VvVoV6OGOjiiNUt728hidEMoX4PJWtHNWqinyRek5tSnqgaXeKC3NuU0mUIjDvBps9oH4lK3yNa5fBr/nodwP4wNyTd3obR/z6JcLersxJjHi4nYX2ju8vjdsBSIulNudqlrsPhLJe0+Tff3FRfClSQmQ/JtakHo4lIx8zxiOJY8aWFeHGdWJDkAf6NStt3eVYyOyAwISfv3muaGPZKShiIOfLyTvqFqzwYFgdTWmvFqTdwgjIMc5XAwqw73WP2BPCN+fdCiMtrw0fCrhWzw/gfMJBHdOPH0diUZysAJhM0vdVKQzEi/g3YOo00fahZiPzaxNtZnLNj2mA54YQ==
+Prime1: z08i0sCcEpr4MZi4TReohPWp3F5vMQYVux8B3ltmJ3kKraXEmVEVmujhWa+ZDxhJmwKoba65vNEsUbSJN6WwJd7PVyskHb2GnWGK8NtlainFEuiS5CDxwULR4o2SI+Pij9thMQoA13ZTKc9s3E57VgcvJ7vaoD/1ZtpP7tdaerE=
+Prime2: yMid465M6bCXXUfWg7oq6A4MZUULbEPKvs+qGIersdiHfrFRGJ0Lviujs8KHaPS5rt4YmbpQU9tGbJBauY17T03qr/mQOBDx5gDkAJcJ0EUHudFslwqyn50THlJsKrFOxBYl7laY0v6CGCMyuZok8qyhiPHv5dhzSc9zwKaXZ1E=
+Exponent1: iresWJOzm6uAukczw7o59EYiFChIhOhKcDyOVoiYMX+ICqvqgqDEMTT1XbrnUzdwQT4lD8ej11msKzv/uXGwDZcq7GwcrZ3dTsAvZX2ZPdGXYlCnwejde/FHWi5bBJL/Tj2AqnzEFWjCuy5l7IDDfMwv3ImSADrr7ZfVdr85dvE=
+Exponent2: aULzs4ePfvw7foXI6mpRUDL9QKI/6NRpmDtam12VH7m63yqqr1K1808BlZ4oS1fxeMGq9/z7W9sbQpMzXQ/VU7Avl24os5v+lWxmHAES/gMSl9I5Mb5EAvXgLgdb+c3W02ohHKB9ojAXl/vr/e3X7Pmf/iGIeWFOn6WIs7kiquE=
+Coefficient: HS4bN41s6Ak9+6m3vhmLzgHtWMavnLpDkmd6wTBttbtKXHfjbvxMUt4RYeF8BXRtfIqIOZqJJngais1wQfOsgVhHrKVwX+MOThyOk4SD+pvnG6g1B+qUS1czPGP7Rf+7668wK8ZxV9w0+YDbTJgPgivD0lBnLXwT+KCLprMXTe4=
+Created: 20000101000000
+Publish: 20000101000000
+Activate: 20000101000000
diff --git a/lib/dns/tests/comparekeys/Kexample-e.+008+53973.key b/lib/dns/tests/comparekeys/Kexample-e.+008+53973.key
new file mode 100644
index 0000000..a4b0d03
--- /dev/null
+++ b/lib/dns/tests/comparekeys/Kexample-e.+008+53973.key
@@ -0,0 +1,5 @@
+; This is a zone-signing key, keyid 53973, for example-e.
+; Created: 20000101000000 (Sat Jan  1 00:00:00 2000)
+; Publish: 20000101000000 (Sat Jan  1 00:00:00 2000)
+; Activate: 20000101000000 (Sat Jan  1 00:00:00 2000)
+example-e. IN DNSKEY 256 3 8 BQEAAAABophI48PNm9+57mxTvXE8IkomkHmRkaXi9Onc4jxb6c3VgW2Z V7baAzrroAS60MAQHtwuTKgoI4fT7guHW5w+vo6Z1aQd+Tu5m/nx4fSQ 4BW03PbGEQX9gdIPtycERT2DSScbCla7NIkpGEaE2hpW6z2DUxoCfx5+ m3Mch24jCAB5dXcEMJSljodunCMPE4YLMJRgNGBx7HfuRi4LJbQ++U7k VDQNPQumNyAGYgGleiXuximYp04omubjHaXAae2vgr5sJ01gjY9E8mM+ oB+OW8i8nKUZRqoUlqzDs9IxAiSBxDg5BdWuETy4Yt1i8/Vy6wu5E4iN 1ik92pzkr2UJAQ==
diff --git a/lib/dns/tests/comparekeys/Kexample-e.+008+53973.private b/lib/dns/tests/comparekeys/Kexample-e.+008+53973.private
new file mode 100644
index 0000000..765ca1a
--- /dev/null
+++ b/lib/dns/tests/comparekeys/Kexample-e.+008+53973.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: ophI48PNm9+57mxTvXE8IkomkHmRkaXi9Onc4jxb6c3VgW2ZV7baAzrroAS60MAQHtwuTKgoI4fT7guHW5w+vo6Z1aQd+Tu5m/nx4fSQ4BW03PbGEQX9gdIPtycERT2DSScbCla7NIkpGEaE2hpW6z2DUxoCfx5+m3Mch24jCAB5dXcEMJSljodunCMPE4YLMJRgNGBx7HfuRi4LJbQ++U7kVDQNPQumNyAGYgGleiXuximYp04omubjHaXAae2vgr5sJ01gjY9E8mM+oB+OW8i8nKUZRqoUlqzDs9IxAiSBxDg5BdWuETy4Yt1i8/Vy6wu5E4iN1ik92pzkr2UJAQ==
+PublicExponent: AQAAAAE=
+PrivateExponent: lFgeQHf3klxXlfkNmczDEYHXl37i2iCgZdUsqtho/3LFdfWZrxZr6ACM040dKLHiw1UdhODy5h/Zstif4Ww3LsKKBgpbMnZUTMOI9R+eQmRrhCI96XAur5AIuJCHa+jIbCiamh8xY6g0byp/sUHQxYV02I/lcTdQSeGHSOSqX3QjB835OVa18hyW6txAxM4DVGo/NvIJw2ItSl2qwHTMDHK45t4YbnKEd6suriUiveyax5dU1JtpviwHJiAFPy+L68jMo8cfr+JCLWW2OJYkrBXb8kwqaPsV0RCGZ59sePyRdSYRgNi1brBStesctVc5UfSxH6p2A6C28LdrubcXAQ==
+Prime1: z08i0sCcEpr4MZi4TReohPWp3F5vMQYVux8B3ltmJ3kKraXEmVEVmujhWa+ZDxhJmwKoba65vNEsUbSJN6WwJd7PVyskHb2GnWGK8NtlainFEuiS5CDxwULR4o2SI+Pij9thMQoA13ZTKc9s3E57VgcvJ7vaoD/1ZtpP7tdaerE=
+Prime2: yMid465M6bCXXUfWg7oq6A4MZUULbEPKvs+qGIersdiHfrFRGJ0Lviujs8KHaPS5rt4YmbpQU9tGbJBauY17T03qr/mQOBDx5gDkAJcJ0EUHudFslwqyn50THlJsKrFOxBYl7laY0v6CGCMyuZok8qyhiPHv5dhzSc9zwKaXZ1E=
+Exponent1: iresWJOzm6uAukczw7o59EYiFChIhOhKcDyOVoiYMX+ICqvqgqDEMTT1XbrnUzdwQT4lD8ej11msKzv/uXGwDZcq7GwcrZ3dTsAvZX2ZPdGXYlCnwejde/FHWi5bBJL/Tj2AqnzEFWjCuy5l7IDDfMwv3ImSADrr7ZfVdr85dvE=
+Exponent2: aULzs4ePfvw7foXI6mpRUDL9QKI/6NRpmDtam12VH7m63yqqr1K1808BlZ4oS1fxeMGq9/z7W9sbQpMzXQ/VU7Avl24os5v+lWxmHAES/gMSl9I5Mb5EAvXgLgdb+c3W02ohHKB9ojAXl/vr/e3X7Pmf/iGIeWFOn6WIs7kiquE=
+Coefficient: HS4bN41s6Ak9+6m3vhmLzgHtWMavnLpDkmd6wTBttbtKXHfjbvxMUt4RYeF8BXRtfIqIOZqJJngais1wQfOsgVhHrKVwX+MOThyOk4SD+pvnG6g1B+qUS1czPGP7Rf+7668wK8ZxV9w0+YDbTJgPgivD0lBnLXwT+KCLprMXTe4=
+Created: 20000101000000
+Publish: 20000101000000
+Activate: 20000101000000
diff --git a/lib/dns/tests/comparekeys/Kexample-n.+008+37464.key b/lib/dns/tests/comparekeys/Kexample-n.+008+37464.key
new file mode 100644
index 0000000..da2e16a
--- /dev/null
+++ b/lib/dns/tests/comparekeys/Kexample-n.+008+37464.key
@@ -0,0 +1,5 @@
+; This is a zone-signing key, keyid 37464, for example-n.
+; Created: 20000101000000 (Sat Jan  1 00:00:00 2000)
+; Publish: 20000101000000 (Sat Jan  1 00:00:00 2000)
+; Activate: 20000101000000 (Sat Jan  1 00:00:00 2000)
+example-n. IN DNSKEY 256 3 8 AwEAAbxHOF8G0xw9ekCodhL8KivuZ3o0jmGlycLiXBjBN8c5R5fjLjUh D0gy3IDbDC+kLaPhHGF/MwrSEjrgSowxZ8nrxDzsq5ZdpeUsYaNrbQEY /mqf35T/9/Ulm4v06x58v/NTugWd05Xq04aAyfm7EViyGFzmVOVfPnll h9xQtvWEWoRWPseFw+dY5/nc/+xB/IsQMihoH2rO+cek/lsP3R9DsHCG RbQ/ks/+rrp6/O+QJZyZrzsONl7mlMDXNy3Pz9J4qMW2W6Mz702LN324 7/9UsetDGGbuZfrCLMpKWXzdsJm36DOk4aMooS9111plfXaXQgQNcL5G 021utpTau+8=
diff --git a/lib/dns/tests/comparekeys/Kexample-n.+008+37464.private b/lib/dns/tests/comparekeys/Kexample-n.+008+37464.private
new file mode 100644
index 0000000..65689a2
--- /dev/null
+++ b/lib/dns/tests/comparekeys/Kexample-n.+008+37464.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: vEc4XwbTHD16QKh2EvwqK+5nejSOYaXJwuJcGME3xzlHl+MuNSEPSDLcgNsML6Qto+EcYX8zCtISOuBKjDFnyevEPOyrll2l5Sxho2ttARj+ap/flP/39SWbi/TrHny/81O6BZ3TlerThoDJ+bsRWLIYXOZU5V8+eWWH3FC29YRahFY+x4XD51jn+dz/7EH8ixAyKGgfas75x6T+Ww/dH0OwcIZFtD+Sz/6uunr875AlnJmvOw42XuaUwNc3Lc/P0nioxbZbozPvTYs3fbjv/1Sx60MYZu5l+sIsykpZfN2wmbfoM6ThoyihL3XXWmV9dpdCBA1wvkbTbW62lNq77w==
+PublicExponent: AQAB
+PrivateExponent: lFgeQHf3klxXlfkNmczDEYHXl37i2iCgZdUsqtho/3LFdfWZrxZr6ACM040dKLHiw1UdhODy5h/Zstif4Ww3LsKKBgpbMnZUTMOI9R+eQmRrhCI96XAur5AIuJCHa+jIbCiamh8xY6g0byp/sUHQxYV02I/lcTdQSeGHSOSqX3QjB835OVa18hyW6txAxM4DVGo/NvIJw2ItSl2qwHTMDHK45t4YbnKEd6suriUiveyax5dU1JtpviwHJiAFPy+L68jMo8cfr+JCLWW2OJYkrBXb8kwqaPsV0RCGZ59sePyRdSYRgNi1brBStesctVc5UfSxH6p2A6C28LdrubcXAQ==
+Prime1: z08i0sCcEpr4MZi4TReohPWp3F5vMQYVux8B3ltmJ3kKraXEmVEVmujhWa+ZDxhJmwKoba65vNEsUbSJN6WwJd7PVyskHb2GnWGK8NtlainFEuiS5CDxwULR4o2SI+Pij9thMQoA13ZTKc9s3E57VgcvJ7vaoD/1ZtpP7tdaerE=
+Prime2: yMid465M6bCXXUfWg7oq6A4MZUULbEPKvs+qGIersdiHfrFRGJ0Lviujs8KHaPS5rt4YmbpQU9tGbJBauY17T03qr/mQOBDx5gDkAJcJ0EUHudFslwqyn50THlJsKrFOxBYl7laY0v6CGCMyuZok8qyhiPHv5dhzSc9zwKaXZ1E=
+Exponent1: iresWJOzm6uAukczw7o59EYiFChIhOhKcDyOVoiYMX+ICqvqgqDEMTT1XbrnUzdwQT4lD8ej11msKzv/uXGwDZcq7GwcrZ3dTsAvZX2ZPdGXYlCnwejde/FHWi5bBJL/Tj2AqnzEFWjCuy5l7IDDfMwv3ImSADrr7ZfVdr85dvE=
+Exponent2: aULzs4ePfvw7foXI6mpRUDL9QKI/6NRpmDtam12VH7m63yqqr1K1808BlZ4oS1fxeMGq9/z7W9sbQpMzXQ/VU7Avl24os5v+lWxmHAES/gMSl9I5Mb5EAvXgLgdb+c3W02ohHKB9ojAXl/vr/e3X7Pmf/iGIeWFOn6WIs7kiquE=
+Coefficient: HS4bN41s6Ak9+6m3vhmLzgHtWMavnLpDkmd6wTBttbtKXHfjbvxMUt4RYeF8BXRtfIqIOZqJJngais1wQfOsgVhHrKVwX+MOThyOk4SD+pvnG6g1B+qUS1czPGP7Rf+7668wK8ZxV9w0+YDbTJgPgivD0lBnLXwT+KCLprMXTe4=
+Created: 20000101000000
+Publish: 20000101000000
+Activate: 20000101000000
diff --git a/lib/dns/tests/comparekeys/Kexample-p.+008+53461.key b/lib/dns/tests/comparekeys/Kexample-p.+008+53461.key
new file mode 100644
index 0000000..20ffcfd
--- /dev/null
+++ b/lib/dns/tests/comparekeys/Kexample-p.+008+53461.key
@@ -0,0 +1,5 @@
+; This is a zone-signing key, keyid 53461, for example-p.
+; Created: 20000101000000 (Sat Jan  1 00:00:00 2000)
+; Publish: 20000101000000 (Sat Jan  1 00:00:00 2000)
+; Activate: 20000101000000 (Sat Jan  1 00:00:00 2000)
+example-p. IN DNSKEY 256 3 8 AwEAAaKYSOPDzZvfue5sU71xPCJKJpB5kZGl4vTp3OI8W+nN1YFtmVe2 2gM666AEutDAEB7cLkyoKCOH0+4Lh1ucPr6OmdWkHfk7uZv58eH0kOAV tNz2xhEF/YHSD7cnBEU9g0knGwpWuzSJKRhGhNoaVus9g1MaAn8efptz HIduIwgAeXV3BDCUpY6HbpwjDxOGCzCUYDRgcex37kYuCyW0PvlO5FQ0 DT0LpjcgBmIBpXol7sYpmKdOKJrm4x2lwGntr4K+bCdNYI2PRPJjPqAf jlvIvJylGUaqFJasw7PSMQIkgcQ4OQXVrhE8uGLdYvP1cusLuROIjdYp Pdqc5K9lCQE=
diff --git a/lib/dns/tests/comparekeys/Kexample-p.+008+53461.private b/lib/dns/tests/comparekeys/Kexample-p.+008+53461.private
new file mode 100644
index 0000000..063c925
--- /dev/null
+++ b/lib/dns/tests/comparekeys/Kexample-p.+008+53461.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: ophI48PNm9+57mxTvXE8IkomkHmRkaXi9Onc4jxb6c3VgW2ZV7baAzrroAS60MAQHtwuTKgoI4fT7guHW5w+vo6Z1aQd+Tu5m/nx4fSQ4BW03PbGEQX9gdIPtycERT2DSScbCla7NIkpGEaE2hpW6z2DUxoCfx5+m3Mch24jCAB5dXcEMJSljodunCMPE4YLMJRgNGBx7HfuRi4LJbQ++U7kVDQNPQumNyAGYgGleiXuximYp04omubjHaXAae2vgr5sJ01gjY9E8mM+oB+OW8i8nKUZRqoUlqzDs9IxAiSBxDg5BdWuETy4Yt1i8/Vy6wu5E4iN1ik92pzkr2UJAQ==
+PublicExponent: AQAB
+PrivateExponent: lFgeQHf3klxXlfkNmczDEYHXl37i2iCgZdUsqtho/3LFdfWZrxZr6ACM040dKLHiw1UdhODy5h/Zstif4Ww3LsKKBgpbMnZUTMOI9R+eQmRrhCI96XAur5AIuJCHa+jIbCiamh8xY6g0byp/sUHQxYV02I/lcTdQSeGHSOSqX3QjB835OVa18hyW6txAxM4DVGo/NvIJw2ItSl2qwHTMDHK45t4YbnKEd6suriUiveyax5dU1JtpviwHJiAFPy+L68jMo8cfr+JCLWW2OJYkrBXb8kwqaPsV0RCGZ59sePyRdSYRgNi1brBStesctVc5UfSxH6p2A6C28LdrubcXAQ==
+Prime1: 5YpfVjEtL1owW9gSFbIMx65POr+fiktxirgy1bc5fSsVqUgG6zhbaN/VpWcNZG0Zg5xd6S7C8V3djGlnJN8wZIyjIh7+Z3WWjqbOD9oY7rC1fR+W0OvbCmZiEzOpRJ5qoMOh1MzkkanhMy0/ICpaa8eQ9zEb80oTIQpFgoLn7K0=
+Prime2: yMid465M6bCXXUfWg7oq6A4MZUULbEPKvs+qGIersdiHfrFRGJ0Lviujs8KHaPS5rt4YmbpQU9tGbJBauY17T03qr/mQOBDx5gDkAJcJ0EUHudFslwqyn50THlJsKrFOxBYl7laY0v6CGCMyuZok8qyhiPHv5dhzSc9zwKaXZ1E=
+Exponent1: iresWJOzm6uAukczw7o59EYiFChIhOhKcDyOVoiYMX+ICqvqgqDEMTT1XbrnUzdwQT4lD8ej11msKzv/uXGwDZcq7GwcrZ3dTsAvZX2ZPdGXYlCnwejde/FHWi5bBJL/Tj2AqnzEFWjCuy5l7IDDfMwv3ImSADrr7ZfVdr85dvE=
+Exponent2: aULzs4ePfvw7foXI6mpRUDL9QKI/6NRpmDtam12VH7m63yqqr1K1808BlZ4oS1fxeMGq9/z7W9sbQpMzXQ/VU7Avl24os5v+lWxmHAES/gMSl9I5Mb5EAvXgLgdb+c3W02ohHKB9ojAXl/vr/e3X7Pmf/iGIeWFOn6WIs7kiquE=
+Coefficient: HS4bN41s6Ak9+6m3vhmLzgHtWMavnLpDkmd6wTBttbtKXHfjbvxMUt4RYeF8BXRtfIqIOZqJJngais1wQfOsgVhHrKVwX+MOThyOk4SD+pvnG6g1B+qUS1czPGP7Rf+7668wK8ZxV9w0+YDbTJgPgivD0lBnLXwT+KCLprMXTe4=
+Created: 20000101000000
+Publish: 20000101000000
+Activate: 20000101000000
diff --git a/lib/dns/tests/comparekeys/Kexample-private.+002+65316.key b/lib/dns/tests/comparekeys/Kexample-private.+002+65316.key
new file mode 100644
index 0000000..7cc002d
--- /dev/null
+++ b/lib/dns/tests/comparekeys/Kexample-private.+002+65316.key
@@ -0,0 +1 @@
+example-private. IN KEY 512 3 2 AAECAAAAgKVXnUOFKMvLvwO/VdY9bq+eOPBxrRWsDpcL9FJ9+hklVvii pcLOIhiKLeHI/u9vM2nhd8+opIW92+j2pB185MRgSrINQcC+XpI/xiDG HwE78bQ+2Ykb/memG+ctkVyrFGHtaJLCUGWrUHy1jbtvYeaKeS92jR/2 4oryt3N851u5
diff --git a/lib/dns/tests/comparekeys/Kexample-private.+002+65316.private b/lib/dns/tests/comparekeys/Kexample-private.+002+65316.private
new file mode 100644
index 0000000..1f00fa9
--- /dev/null
+++ b/lib/dns/tests/comparekeys/Kexample-private.+002+65316.private
@@ -0,0 +1,9 @@
+Private-key-format: v1.3
+Algorithm: 2 (DH)
+Prime(p): ///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxObIlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjftawv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5lOB//////////8=
+Generator(g): Ag==
+Private_value(x): dLr0sfk/P1V0DfQ7Ke3IIaSM8nHjtrBRlMcQXRMVrLhbbKeCodvpSRtI0Nwtt38Df8dbGGtP676my2Ht2UHyL7rO0+ASv98NCysL0Xp6q2a7fn67iGFUBTg3jzXC89FYv4sYNeVLDGrKC3EjtGkalzgDVuzEC8CqRkWKeys3ufc=
+Public_value(y): pVedQ4Uoy8u/A79V1j1ur5448HGtFawOlwv0Un36GSVW+KKlws4iGIot4cj+728zaeF3z6ikhb3b6PakHXzkxGBKsg1BwL5ekj/GIMYfATvxtD7ZiRv+Z6Yb5y2RXKsUYe1oksJQZatQfLWNu29h5op5L3aNH/biivK3c3znW7k=
+Created: 20000101000000
+Publish: 20000101000000
+Activate: 20000101000000
diff --git a/lib/dns/tests/comparekeys/Kexample-q.+008+53461.key b/lib/dns/tests/comparekeys/Kexample-q.+008+53461.key
new file mode 100644
index 0000000..5d4a0e7
--- /dev/null
+++ b/lib/dns/tests/comparekeys/Kexample-q.+008+53461.key
@@ -0,0 +1,5 @@
+; This is a zone-signing key, keyid 53461, for example-q.
+; Created: 20000101000000 (Sat Jan  1 00:00:00 2000)
+; Publish: 20000101000000 (Sat Jan  1 00:00:00 2000)
+; Activate: 20000101000000 (Sat Jan  1 00:00:00 2000)
+example-q. IN DNSKEY 256 3 8 AwEAAaKYSOPDzZvfue5sU71xPCJKJpB5kZGl4vTp3OI8W+nN1YFtmVe2 2gM666AEutDAEB7cLkyoKCOH0+4Lh1ucPr6OmdWkHfk7uZv58eH0kOAV tNz2xhEF/YHSD7cnBEU9g0knGwpWuzSJKRhGhNoaVus9g1MaAn8efptz HIduIwgAeXV3BDCUpY6HbpwjDxOGCzCUYDRgcex37kYuCyW0PvlO5FQ0 DT0LpjcgBmIBpXol7sYpmKdOKJrm4x2lwGntr4K+bCdNYI2PRPJjPqAf jlvIvJylGUaqFJasw7PSMQIkgcQ4OQXVrhE8uGLdYvP1cusLuROIjdYp Pdqc5K9lCQE=
diff --git a/lib/dns/tests/comparekeys/Kexample-q.+008+53461.private b/lib/dns/tests/comparekeys/Kexample-q.+008+53461.private
new file mode 100644
index 0000000..6b2e563
--- /dev/null
+++ b/lib/dns/tests/comparekeys/Kexample-q.+008+53461.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: ophI48PNm9+57mxTvXE8IkomkHmRkaXi9Onc4jxb6c3VgW2ZV7baAzrroAS60MAQHtwuTKgoI4fT7guHW5w+vo6Z1aQd+Tu5m/nx4fSQ4BW03PbGEQX9gdIPtycERT2DSScbCla7NIkpGEaE2hpW6z2DUxoCfx5+m3Mch24jCAB5dXcEMJSljodunCMPE4YLMJRgNGBx7HfuRi4LJbQ++U7kVDQNPQumNyAGYgGleiXuximYp04omubjHaXAae2vgr5sJ01gjY9E8mM+oB+OW8i8nKUZRqoUlqzDs9IxAiSBxDg5BdWuETy4Yt1i8/Vy6wu5E4iN1ik92pzkr2UJAQ==
+PublicExponent: AQAB
+PrivateExponent: lFgeQHf3klxXlfkNmczDEYHXl37i2iCgZdUsqtho/3LFdfWZrxZr6ACM040dKLHiw1UdhODy5h/Zstif4Ww3LsKKBgpbMnZUTMOI9R+eQmRrhCI96XAur5AIuJCHa+jIbCiamh8xY6g0byp/sUHQxYV02I/lcTdQSeGHSOSqX3QjB835OVa18hyW6txAxM4DVGo/NvIJw2ItSl2qwHTMDHK45t4YbnKEd6suriUiveyax5dU1JtpviwHJiAFPy+L68jMo8cfr+JCLWW2OJYkrBXb8kwqaPsV0RCGZ59sePyRdSYRgNi1brBStesctVc5UfSxH6p2A6C28LdrubcXAQ==
+Prime1: z08i0sCcEpr4MZi4TReohPWp3F5vMQYVux8B3ltmJ3kKraXEmVEVmujhWa+ZDxhJmwKoba65vNEsUbSJN6WwJd7PVyskHb2GnWGK8NtlainFEuiS5CDxwULR4o2SI+Pij9thMQoA13ZTKc9s3E57VgcvJ7vaoD/1ZtpP7tdaerE=
+Prime2: 0fs3ncL5/2qzq2dmPXLYcOfc1EGSuESO0VpREP8EpTkyPKeVw5LaF9TgZRqPWlRf2T0LPoZ766xLAn090u0pLQ5fWM96NMas7kS+rxtRssat6MiQo3YfoU3ysk3xuPzrMBHyn/N42CjSG+bJEToHR7V16KsCT6dBIPkI3tj/Yos=
+Exponent1: iresWJOzm6uAukczw7o59EYiFChIhOhKcDyOVoiYMX+ICqvqgqDEMTT1XbrnUzdwQT4lD8ej11msKzv/uXGwDZcq7GwcrZ3dTsAvZX2ZPdGXYlCnwejde/FHWi5bBJL/Tj2AqnzEFWjCuy5l7IDDfMwv3ImSADrr7ZfVdr85dvE=
+Exponent2: aULzs4ePfvw7foXI6mpRUDL9QKI/6NRpmDtam12VH7m63yqqr1K1808BlZ4oS1fxeMGq9/z7W9sbQpMzXQ/VU7Avl24os5v+lWxmHAES/gMSl9I5Mb5EAvXgLgdb+c3W02ohHKB9ojAXl/vr/e3X7Pmf/iGIeWFOn6WIs7kiquE=
+Coefficient: HS4bN41s6Ak9+6m3vhmLzgHtWMavnLpDkmd6wTBttbtKXHfjbvxMUt4RYeF8BXRtfIqIOZqJJngais1wQfOsgVhHrKVwX+MOThyOk4SD+pvnG6g1B+qUS1czPGP7Rf+7668wK8ZxV9w0+YDbTJgPgivD0lBnLXwT+KCLprMXTe4=
+Created: 20000101000000
+Publish: 20000101000000
+Activate: 20000101000000
diff --git a/lib/dns/tests/comparekeys/Kexample.+002+65316.key b/lib/dns/tests/comparekeys/Kexample.+002+65316.key
new file mode 100644
index 0000000..c2f4703
--- /dev/null
+++ b/lib/dns/tests/comparekeys/Kexample.+002+65316.key
@@ -0,0 +1 @@
+example. IN KEY 512 3 2 AAECAAAAgKVXnUOFKMvLvwO/VdY9bq+eOPBxrRWsDpcL9FJ9+hklVvii pcLOIhiKLeHI/u9vM2nhd8+opIW92+j2pB185MRgSrINQcC+XpI/xiDG HwE78bQ+2Ykb/memG+ctkVyrFGHtaJLCUGWrUHy1jbtvYeaKeS92jR/2 4oryt3N851u5
diff --git a/lib/dns/tests/comparekeys/Kexample.+002+65316.private b/lib/dns/tests/comparekeys/Kexample.+002+65316.private
new file mode 100644
index 0000000..e872834
--- /dev/null
+++ b/lib/dns/tests/comparekeys/Kexample.+002+65316.private
@@ -0,0 +1,9 @@
+Private-key-format: v1.3
+Algorithm: 2 (DH)
+Prime(p): ///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxObIlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjftawv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5lOB//////////8=
+Generator(g): Ag==
+Private_value(x): bUMVaaSCAPT0NK7AkIa0JA1SSw83x8WxS+iePECQwr4xDDMnevNHWK1nIofUM2qNbpDe2KvFIt9tu+1UgZgOTLoQFipePtHKOjoRX6XsGNzKmL8WZOlw/QJw0D5RIn7l7tvmBCeNHINl9IWVgMLTi+wgzrJxSeGe406q23Jn4Uc=
+Public_value(y): pVedQ4Uoy8u/A79V1j1ur5448HGtFawOlwv0Un36GSVW+KKlws4iGIot4cj+728zaeF3z6ikhb3b6PakHXzkxGBKsg1BwL5ekj/GIMYfATvxtD7ZiRv+Z6Yb5y2RXKsUYe1oksJQZatQfLWNu29h5op5L3aNH/biivK3c3znW7k=
+Created: 20000101000000
+Publish: 20000101000000
+Activate: 20000101000000
diff --git a/lib/dns/tests/comparekeys/Kexample.+008+53461.key b/lib/dns/tests/comparekeys/Kexample.+008+53461.key
new file mode 100644
index 0000000..33c8188
--- /dev/null
+++ b/lib/dns/tests/comparekeys/Kexample.+008+53461.key
@@ -0,0 +1,5 @@
+; This is a zone-signing key, keyid 53461, for example.
+; Created: 20000101000000 (Sat Jan  1 00:00:00 2000)
+; Publish: 20000101000000 (Sat Jan  1 00:00:00 2000)
+; Activate: 20000101000000 (Sat Jan  1 00:00:00 2000)
+example. IN DNSKEY 256 3 8 AwEAAaKYSOPDzZvfue5sU71xPCJKJpB5kZGl4vTp3OI8W+nN1YFtmVe2 2gM666AEutDAEB7cLkyoKCOH0+4Lh1ucPr6OmdWkHfk7uZv58eH0kOAV tNz2xhEF/YHSD7cnBEU9g0knGwpWuzSJKRhGhNoaVus9g1MaAn8efptz HIduIwgAeXV3BDCUpY6HbpwjDxOGCzCUYDRgcex37kYuCyW0PvlO5FQ0 DT0LpjcgBmIBpXol7sYpmKdOKJrm4x2lwGntr4K+bCdNYI2PRPJjPqAf jlvIvJylGUaqFJasw7PSMQIkgcQ4OQXVrhE8uGLdYvP1cusLuROIjdYp Pdqc5K9lCQE=
diff --git a/lib/dns/tests/comparekeys/Kexample.+008+53461.private b/lib/dns/tests/comparekeys/Kexample.+008+53461.private
new file mode 100644
index 0000000..dd4d9a4
--- /dev/null
+++ b/lib/dns/tests/comparekeys/Kexample.+008+53461.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: ophI48PNm9+57mxTvXE8IkomkHmRkaXi9Onc4jxb6c3VgW2ZV7baAzrroAS60MAQHtwuTKgoI4fT7guHW5w+vo6Z1aQd+Tu5m/nx4fSQ4BW03PbGEQX9gdIPtycERT2DSScbCla7NIkpGEaE2hpW6z2DUxoCfx5+m3Mch24jCAB5dXcEMJSljodunCMPE4YLMJRgNGBx7HfuRi4LJbQ++U7kVDQNPQumNyAGYgGleiXuximYp04omubjHaXAae2vgr5sJ01gjY9E8mM+oB+OW8i8nKUZRqoUlqzDs9IxAiSBxDg5BdWuETy4Yt1i8/Vy6wu5E4iN1ik92pzkr2UJAQ==
+PublicExponent: AQAB
+PrivateExponent: lFgeQHf3klxXlfkNmczDEYHXl37i2iCgZdUsqtho/3LFdfWZrxZr6ACM040dKLHiw1UdhODy5h/Zstif4Ww3LsKKBgpbMnZUTMOI9R+eQmRrhCI96XAur5AIuJCHa+jIbCiamh8xY6g0byp/sUHQxYV02I/lcTdQSeGHSOSqX3QjB835OVa18hyW6txAxM4DVGo/NvIJw2ItSl2qwHTMDHK45t4YbnKEd6suriUiveyax5dU1JtpviwHJiAFPy+L68jMo8cfr+JCLWW2OJYkrBXb8kwqaPsV0RCGZ59sePyRdSYRgNi1brBStesctVc5UfSxH6p2A6C28LdrubcXAQ==
+Prime1: z08i0sCcEpr4MZi4TReohPWp3F5vMQYVux8B3ltmJ3kKraXEmVEVmujhWa+ZDxhJmwKoba65vNEsUbSJN6WwJd7PVyskHb2GnWGK8NtlainFEuiS5CDxwULR4o2SI+Pij9thMQoA13ZTKc9s3E57VgcvJ7vaoD/1ZtpP7tdaerE=
+Prime2: yMid465M6bCXXUfWg7oq6A4MZUULbEPKvs+qGIersdiHfrFRGJ0Lviujs8KHaPS5rt4YmbpQU9tGbJBauY17T03qr/mQOBDx5gDkAJcJ0EUHudFslwqyn50THlJsKrFOxBYl7laY0v6CGCMyuZok8qyhiPHv5dhzSc9zwKaXZ1E=
+Exponent1: iresWJOzm6uAukczw7o59EYiFChIhOhKcDyOVoiYMX+ICqvqgqDEMTT1XbrnUzdwQT4lD8ej11msKzv/uXGwDZcq7GwcrZ3dTsAvZX2ZPdGXYlCnwejde/FHWi5bBJL/Tj2AqnzEFWjCuy5l7IDDfMwv3ImSADrr7ZfVdr85dvE=
+Exponent2: aULzs4ePfvw7foXI6mpRUDL9QKI/6NRpmDtam12VH7m63yqqr1K1808BlZ4oS1fxeMGq9/z7W9sbQpMzXQ/VU7Avl24os5v+lWxmHAES/gMSl9I5Mb5EAvXgLgdb+c3W02ohHKB9ojAXl/vr/e3X7Pmf/iGIeWFOn6WIs7kiquE=
+Coefficient: HS4bN41s6Ak9+6m3vhmLzgHtWMavnLpDkmd6wTBttbtKXHfjbvxMUt4RYeF8BXRtfIqIOZqJJngais1wQfOsgVhHrKVwX+MOThyOk4SD+pvnG6g1B+qUS1czPGP7Rf+7668wK8ZxV9w0+YDbTJgPgivD0lBnLXwT+KCLprMXTe4=
+Created: 20000101000000
+Publish: 20000101000000
+Activate: 20000101000000
diff --git a/lib/dns/tests/comparekeys/Kexample.+013+19786.key b/lib/dns/tests/comparekeys/Kexample.+013+19786.key
new file mode 100644
index 0000000..ccfcc97
--- /dev/null
+++ b/lib/dns/tests/comparekeys/Kexample.+013+19786.key
@@ -0,0 +1,5 @@
+; This is a zone-signing key, keyid 19786, for example.
+; Created: 20000101000000 (Sat Jan  1 00:00:00 2000)
+; Publish: 20000101000000 (Sat Jan  1 00:00:00 2000)
+; Activate: 20000101000000 (Sat Jan  1 00:00:00 2000)
+example. IN DNSKEY 256 3 13 S35Z1XtGlnnU7BBahMJwAZXXff+JupyIDssNfJyrugLKq5R10TJ5tU3W r3VuP6aJNs6+uL2cMPVTVT1vr1Aqwg==
diff --git a/lib/dns/tests/comparekeys/Kexample.+013+19786.private b/lib/dns/tests/comparekeys/Kexample.+013+19786.private
new file mode 100644
index 0000000..0d72cf1
--- /dev/null
+++ b/lib/dns/tests/comparekeys/Kexample.+013+19786.private
@@ -0,0 +1,6 @@
+Private-key-format: v1.3
+Algorithm: 13 (ECDSAP256SHA256)
+PrivateKey: ZYcYhR5f98vI1+BFGKLIrarZrqxJM4mRy9tvwntdYoo=
+Created: 20000101000000
+Publish: 20000101000000
+Activate: 20000101000000
diff --git a/lib/dns/tests/comparekeys/Kexample.+015+63663.key b/lib/dns/tests/comparekeys/Kexample.+015+63663.key
new file mode 100644
index 0000000..92db9fb
--- /dev/null
+++ b/lib/dns/tests/comparekeys/Kexample.+015+63663.key
@@ -0,0 +1,5 @@
+; This is a zone-signing key, keyid 63663, for example.
+; Created: 20000101000000 (Sat Jan  1 00:00:00 2000)
+; Publish: 20000101000000 (Sat Jan  1 00:00:00 2000)
+; Activate: 20000101000000 (Sat Jan  1 00:00:00 2000)
+example. IN DNSKEY 256 3 15 ZLlkI5q8XDkP3D7Zxdbmuqh4yp90mbvdcNT0xSGLDtI=
diff --git a/lib/dns/tests/comparekeys/Kexample.+015+63663.private b/lib/dns/tests/comparekeys/Kexample.+015+63663.private
new file mode 100644
index 0000000..c2c48f3
--- /dev/null
+++ b/lib/dns/tests/comparekeys/Kexample.+015+63663.private
@@ -0,0 +1,6 @@
+Private-key-format: v1.3
+Algorithm: 15 (ED25519)
+PrivateKey: rGYsnf8nPlg7kg7qRcIXYShPsTiMHTeWJInNrW9GwSQ=
+Created: 20000101000000
+Publish: 20000101000000
+Activate: 20000101000000
diff --git a/lib/dns/tests/comparekeys/Kexample2.+002+19823.key b/lib/dns/tests/comparekeys/Kexample2.+002+19823.key
new file mode 100644
index 0000000..9d521f7
--- /dev/null
+++ b/lib/dns/tests/comparekeys/Kexample2.+002+19823.key
@@ -0,0 +1 @@
+example2. IN KEY 512 3 2 AAECAAAAgCxVfxiyTe8C83ou8KXSu9WmzGwCYWB2NkdS87Kz0PgTuBay JkDDAEeR6CIYClA6PXBp2GXUPHoYWag9zVOVU85PYu0KRZF69EN0IVsA OCtgikOcr5yD4esSMwTTPk/OQ8qW/yGf1DvdpXuiu3P/wSpzVGL8tHFQ 2XURydYytol0
diff --git a/lib/dns/tests/comparekeys/Kexample2.+002+19823.private b/lib/dns/tests/comparekeys/Kexample2.+002+19823.private
new file mode 100644
index 0000000..f6722f6
--- /dev/null
+++ b/lib/dns/tests/comparekeys/Kexample2.+002+19823.private
@@ -0,0 +1,9 @@
+Private-key-format: v1.3
+Algorithm: 2 (DH)
+Prime(p): ///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxObIlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjftawv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5lOB//////////8=
+Generator(g): Ag==
+Private_value(x): W0EpuIMltmMuZAKcCmRe/Ix9WsHPU/GLfqbjHKCjgYdRFzwqHyVp6z+uf8EgmHBD1bbBjwfcnRse8xfqqmt/wZIRdDzjRq/oZdKtJHqFZSO+MQZ5DKrdojKU7UEl/j44heJzVO0qFkrPvWglRt+780LP0awkfetecXDxvJT+HIw=
+Public_value(y): LFV/GLJN7wLzei7wpdK71abMbAJhYHY2R1LzsrPQ+BO4FrImQMMAR5HoIhgKUDo9cGnYZdQ8ehhZqD3NU5VTzk9i7QpFkXr0Q3QhWwA4K2CKQ5yvnIPh6xIzBNM+T85Dypb/IZ/UO92le6K7c//BKnNUYvy0cVDZdRHJ1jK2iXQ=
+Created: 20211027221355
+Publish: 20211027221355
+Activate: 20211027221355
diff --git a/lib/dns/tests/comparekeys/Kexample2.+008+37993.key b/lib/dns/tests/comparekeys/Kexample2.+008+37993.key
new file mode 100644
index 0000000..c0e09a1
--- /dev/null
+++ b/lib/dns/tests/comparekeys/Kexample2.+008+37993.key
@@ -0,0 +1,5 @@
+; This is a zone-signing key, keyid 37993, for example2.
+; Created: 20000101000000 (Sat Jan  1 00:00:00 2000)
+; Publish: 20000101000000 (Sat Jan  1 00:00:00 2000)
+; Activate: 20000101000000 (Sat Jan  1 00:00:00 2000)
+example2. IN DNSKEY 256 3 8 AwEAAaSRhPf0XhYR52Kpi0RZJgEnpidvuz2Ywdyh8k5CKwal9nM15PNc 4ZoPEVGO+ize53hq0iUkVlBhAfhQE31Fhf4zU544fezBEaz33hiajEzL ZITux9N83WfoYSNnyufvSGzNcpNM6LHKdDwMr1kr9tTgNeuiTAlPv5z9 BNtfv2B25moVm1DoxMCd8WH0jYC452a2lGM+Fbd45o02OO7V8balPwJh MM2bbeWg5G+tbvCAot93KxtavyOMKV4siv3ZH639J0dIb10L8nNrN0Ge UjkX8yU3fgeWB4Oldtzx0SHxG75NWjRLnpVzBq5GeacLc4RsN+S+nhYW 4Wv2A066w70=
diff --git a/lib/dns/tests/comparekeys/Kexample2.+008+37993.private b/lib/dns/tests/comparekeys/Kexample2.+008+37993.private
new file mode 100644
index 0000000..887ad2b
--- /dev/null
+++ b/lib/dns/tests/comparekeys/Kexample2.+008+37993.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: pJGE9/ReFhHnYqmLRFkmASemJ2+7PZjB3KHyTkIrBqX2czXk81zhmg8RUY76LN7neGrSJSRWUGEB+FATfUWF/jNTnjh97MERrPfeGJqMTMtkhO7H03zdZ+hhI2fK5+9IbM1yk0zoscp0PAyvWSv21OA166JMCU+/nP0E21+/YHbmahWbUOjEwJ3xYfSNgLjnZraUYz4Vt3jmjTY47tXxtqU/AmEwzZtt5aDkb61u8ICi33crG1q/I4wpXiyK/dkfrf0nR0hvXQvyc2s3QZ5SORfzJTd+B5YHg6V23PHRIfEbvk1aNEuelXMGrkZ5pwtzhGw35L6eFhbha/YDTrrDvQ==
+PublicExponent: AQAB
+PrivateExponent: O/HFvYwFuYRMBGQ9lmfisAkBPNw2F/nMo9FZsafohENvwgefngX3J2bVqB+sgSuwpOxEH8NcrWqojQqeDsOES1Pm4XsyY0rwZVDkVZH2CQMNWl6f6ylQfMjomTz1bAZ9GyS612zsVdapADaeqJybDG+fNHWpvLqP0V9YpY/65efTvrA3Qu+XpDvLaJ34yjkeEGUgysNP3KkDTeJTY/ksKi6ODtdzbKpufjZS8b6BL97XcFcNGiwu/gNPCvtmm/H+tXaNYyijG7bNGPOpHFhlMCT13o8XLrR/OGty6VY6PpjaEnvlZUZnWHUwn/JmNoZRJoXAAEerk3nS+tOhRmcrAQ==
+Prime1: 2W8JHYaTn7XefxxwaDZWFrVtHnnd0vUZvBBNA1PJeRfDr+yPxyWcgYx1OBxKkJsYGiob0i992W2HXuz2KS81yBCtH/uLK1Y+mkjgme4MWZupZ0RsKA1TkgIrJs174Dv3P/yqc+/R4eiwUGt10493MS1PJFF0CmisDzgjai/JLIM=
+Prime2: wcIKikgzOsq2A2Hl7qPCeA3oKTc66eFVNvB/KH91/hNFKNm0kAvhHrNe9rSoU+JywCNbX/Fs7X6SuHHJaRs+KpSBadnqfwEIngCq2Y00nT3sbETx4VNbXFD6MPPo3MWDi61/TCyrtBujutavo5ghj2oVzNGqMT3UyhaVNrJp2r8=
+Exponent1: GsEO3hMxFvXJ6toU+r202hZ41scoBE0kXX+j+kTVBZFnAr6Y8mguWcJuqfjRM/nhfVaxFavCUH6pqYR+xZKJi5SBuO26shpqmZFeEZK48k21Cn/gzwzUu6KIrL2cAHtgcP8l+h4INUPsbfjLBr0gbWyl0FI1dRJsGXNO6EH4/wE=
+Exponent2: WrgcsUQ+4E8bS5ghzUtVeVqhkfKvHeSIPpH6J58OQukI36iXNz6op/Q6CW7qxWPocHfdh52Fb+lsjvmP4SuFPvCLa2FBvzdfroMHe5b2xIzCzqq1Sdf6lc3AZv080WmVPuf8C1F7D3hFf+yXDhTj2b9E98JPWoDlyb0rHhIJKAc=
+Coefficient: aVDpGheH0UJ8aWPRIRHyjMTCIPB8zmhfwugpV11Z/OXNb2uaNRcnVKujs1mlSydoIfFQSuFf3iPs7ytaJUfcQJ+k1QAtssJC1HXF14t0p5o99QxuQLgmNtPHD7m2aeAyFJoycF24UmDnFmOPSNm1fnJs9LrBPFZFdTBGhl8plEo=
+Created: 20000101000000
+Publish: 20000101000000
+Activate: 20000101000000
diff --git a/lib/dns/tests/comparekeys/Kexample2.+013+16384.key b/lib/dns/tests/comparekeys/Kexample2.+013+16384.key
new file mode 100644
index 0000000..b6351ad
--- /dev/null
+++ b/lib/dns/tests/comparekeys/Kexample2.+013+16384.key
@@ -0,0 +1,5 @@
+; This is a zone-signing key, keyid 16384, for example2.
+; Created: 20000101000000 (Sat Jan  1 00:00:00 2000)
+; Publish: 20000101000000 (Sat Jan  1 00:00:00 2000)
+; Activate: 20000101000000 (Sat Jan  1 00:00:00 2000)
+example2. IN DNSKEY 256 3 13 p+ohRFVh6wmdAhbU/cF2FYoE/i49FxnvKwif0Co0D7RhBui4AMFOsFYu 9AIqEBaCGurjGYl7WDYRrjRMRjWW1g==
diff --git a/lib/dns/tests/comparekeys/Kexample2.+013+16384.private b/lib/dns/tests/comparekeys/Kexample2.+013+16384.private
new file mode 100644
index 0000000..74a371c
--- /dev/null
+++ b/lib/dns/tests/comparekeys/Kexample2.+013+16384.private
@@ -0,0 +1,6 @@
+Private-key-format: v1.3
+Algorithm: 13 (ECDSAP256SHA256)
+PrivateKey: ZNsU73iCEeC837TA59nT/QDtd3oYsrYDWy8jfazZQkA=
+Created: 20000101000000
+Publish: 20000101000000
+Activate: 20000101000000
diff --git a/lib/dns/tests/comparekeys/Kexample2.+015+37529.key b/lib/dns/tests/comparekeys/Kexample2.+015+37529.key
new file mode 100644
index 0000000..9a8cf77
--- /dev/null
+++ b/lib/dns/tests/comparekeys/Kexample2.+015+37529.key
@@ -0,0 +1,5 @@
+; This is a zone-signing key, keyid 37529, for example2.
+; Created: 20000101000000 (Sat Jan  1 00:00:00 2000)
+; Publish: 20000101000000 (Sat Jan  1 00:00:00 2000)
+; Activate: 20000101000000 (Sat Jan  1 00:00:00 2000)
+example2. IN DNSKEY 256 3 15 zyiLjDymEPN90rwi/y0mWXLnUm0Nq7T9Kc8VoubF2Io=
diff --git a/lib/dns/tests/comparekeys/Kexample2.+015+37529.private b/lib/dns/tests/comparekeys/Kexample2.+015+37529.private
new file mode 100644
index 0000000..aa70804
--- /dev/null
+++ b/lib/dns/tests/comparekeys/Kexample2.+015+37529.private
@@ -0,0 +1,6 @@
+Private-key-format: v1.3
+Algorithm: 15 (ED25519)
+PrivateKey: pUR2VLqbi4XtBNImbVDRHrjugMMmaXmy6noV0/jy/rA=
+Created: 20000101000000
+Publish: 20000101000000
+Activate: 20000101000000
diff --git a/lib/dns/tests/comparekeys/Kexample3.+002+17187.key b/lib/dns/tests/comparekeys/Kexample3.+002+17187.key
new file mode 100644
index 0000000..0260293
--- /dev/null
+++ b/lib/dns/tests/comparekeys/Kexample3.+002+17187.key
@@ -0,0 +1 @@
+example3. IN KEY 512 3 2 AIDzVP5SeKpxZmlbok6AbdFT5aCVAg3AnQln24CKoc0IXRyTdnhmIEWw VatzRrUY0V6SSwwe3740yk46/TdSvVmZkakw52yn3M661ra5L8kouAK4 rpyM6uulsS0dyjyRzomHJg2zwOukzHBVINFheKsJ25MvdPpp9E64IVji jp/x3wABBQCAFb1Je3cKpt/4gS+KRx9hxFOF5c64ytC9tf0hp2hP4OiP YCu8o5C3qh+PexZAx58m6cSaFlzf3DZ3GGsvamDj5H8YpvP4FeRVva9V jH4VeU4/VtbdNweDUHwAguGJ77MXw+bruHhpbsFVSxHrnNg99WHghaRy YzfFzphJHKBxACo=
diff --git a/lib/dns/tests/comparekeys/Kexample3.+002+17187.private b/lib/dns/tests/comparekeys/Kexample3.+002+17187.private
new file mode 100644
index 0000000..47ef4bc
--- /dev/null
+++ b/lib/dns/tests/comparekeys/Kexample3.+002+17187.private
@@ -0,0 +1,9 @@
+Private-key-format: v1.3
+Algorithm: 2 (DH)
+Prime(p): 81T+UniqcWZpW6JOgG3RU+WglQINwJ0JZ9uAiqHNCF0ck3Z4ZiBFsFWrc0a1GNFekksMHt++NMpOOv03Ur1ZmZGpMOdsp9zOuta2uS/JKLgCuK6cjOrrpbEtHco8kc6JhyYNs8DrpMxwVSDRYXirCduTL3T6afROuCFY4o6f8d8=
+Generator(g): BQ==
+Private_value(x): ccA7JRCvjAE1ASWTtObkvO5k58oKdJ+bzcd/H3cOQsPAhItUc8Pfca2ILWYzDfs+nl+WKLfODQ9cRUabp4SUh0GKPnqJVM1UgDXwme/98NEtVFhs2VawT40wHLkcdPN9jACH11l28u1qsDVb7MRj2UXGC/oszRwQ7s3rN1UlHO8=
+Public_value(y): Fb1Je3cKpt/4gS+KRx9hxFOF5c64ytC9tf0hp2hP4OiPYCu8o5C3qh+PexZAx58m6cSaFlzf3DZ3GGsvamDj5H8YpvP4FeRVva9VjH4VeU4/VtbdNweDUHwAguGJ77MXw+bruHhpbsFVSxHrnNg99WHghaRyYzfFzphJHKBxACo=
+Created: 20211027221447
+Publish: 20211027221447
+Activate: 20211027221447
diff --git a/lib/dns/tests/db_test.c b/lib/dns/tests/db_test.c
new file mode 100644
index 0000000..5b7ba64
--- /dev/null
+++ b/lib/dns/tests/db_test.c
@@ -0,0 +1,428 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/journal.h>
+#include <dns/name.h>
+#include <dns/rdatalist.h>
+
+#include "dnstest.h"
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = dns_test_begin(NULL, false);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	dns_test_end();
+
+	return (0);
+}
+
+#define BUFLEN	    255
+#define BIGBUFLEN   (64 * 1024)
+#define TEST_ORIGIN "test"
+
+/*
+ * Individual unit tests
+ */
+
+/* test multiple calls to dns_db_getoriginnode */
+static void
+getoriginnode_test(void **state) {
+	dns_db_t *db = NULL;
+	dns_dbnode_t *node = NULL;
+	isc_mem_t *mctx = NULL;
+	isc_result_t result;
+
+	UNUSED(state);
+
+	isc_mem_create(&mctx);
+
+	result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone,
+			       dns_rdataclass_in, 0, NULL, &db);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_db_getoriginnode(db, &node);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	dns_db_detachnode(db, &node);
+
+	result = dns_db_getoriginnode(db, &node);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	dns_db_detachnode(db, &node);
+
+	dns_db_detach(&db);
+	isc_mem_detach(&mctx);
+}
+
+/* test getservestalettl and setservestalettl */
+static void
+getsetservestalettl_test(void **state) {
+	dns_db_t *db = NULL;
+	isc_mem_t *mctx = NULL;
+	isc_result_t result;
+	dns_ttl_t ttl;
+
+	UNUSED(state);
+
+	isc_mem_create(&mctx);
+
+	result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_cache,
+			       dns_rdataclass_in, 0, NULL, &db);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	ttl = 5000;
+	result = dns_db_getservestalettl(db, &ttl);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(ttl, 0);
+
+	ttl = 6 * 3600;
+	result = dns_db_setservestalettl(db, ttl);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	ttl = 5000;
+	result = dns_db_getservestalettl(db, &ttl);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(ttl, 6 * 3600);
+
+	dns_db_detach(&db);
+	isc_mem_detach(&mctx);
+}
+
+/* check DNS_DBFIND_STALEOK works */
+static void
+dns_dbfind_staleok_test(void **state) {
+	dns_db_t *db = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_fixedname_t example_fixed;
+	dns_fixedname_t found_fixed;
+	dns_name_t *example;
+	dns_name_t *found;
+	dns_rdatalist_t rdatalist;
+	dns_rdataset_t rdataset;
+	int count;
+	int pass;
+	isc_mem_t *mctx = NULL;
+	isc_result_t result;
+	unsigned char data[] = { 0x0a, 0x00, 0x00, 0x01 };
+
+	UNUSED(state);
+
+	isc_mem_create(&mctx);
+
+	result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_cache,
+			       dns_rdataclass_in, 0, NULL, &db);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	example = dns_fixedname_initname(&example_fixed);
+	found = dns_fixedname_initname(&found_fixed);
+
+	result = dns_name_fromstring(example, "example", 0, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/*
+	 * Pass 0: default; no stale processing permitted.
+	 * Pass 1: stale processing for 1 second.
+	 * Pass 2: stale turned off after being on.
+	 */
+	for (pass = 0; pass < 3; pass++) {
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		/* 10.0.0.1 */
+		rdata.data = data;
+		rdata.length = 4;
+		rdata.rdclass = dns_rdataclass_in;
+		rdata.type = dns_rdatatype_a;
+
+		dns_rdatalist_init(&rdatalist);
+		rdatalist.ttl = 2;
+		rdatalist.type = dns_rdatatype_a;
+		rdatalist.rdclass = dns_rdataclass_in;
+		ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
+
+		switch (pass) {
+		case 0:
+			/* default: stale processing off */
+			break;
+		case 1:
+			/* turn on stale processing */
+			result = dns_db_setservestalettl(db, 1);
+			assert_int_equal(result, ISC_R_SUCCESS);
+			break;
+		case 2:
+			/* turn off stale processing */
+			result = dns_db_setservestalettl(db, 0);
+			assert_int_equal(result, ISC_R_SUCCESS);
+			break;
+		}
+
+		dns_rdataset_init(&rdataset);
+		result = dns_rdatalist_tordataset(&rdatalist, &rdataset);
+		assert_int_equal(result, ISC_R_SUCCESS);
+
+		result = dns_db_findnode(db, example, true, &node);
+		assert_int_equal(result, ISC_R_SUCCESS);
+
+		result = dns_db_addrdataset(db, node, NULL, 0, &rdataset, 0,
+					    NULL);
+		assert_int_equal(result, ISC_R_SUCCESS);
+
+		dns_db_detachnode(db, &node);
+		dns_rdataset_disassociate(&rdataset);
+
+		result = dns_db_find(db, example, NULL, dns_rdatatype_a, 0, 0,
+				     &node, found, &rdataset, NULL);
+		assert_int_equal(result, ISC_R_SUCCESS);
+
+		/*
+		 * May loop for up to 2 seconds performing non stale lookups.
+		 */
+		count = 0;
+		do {
+			count++;
+			assert_in_range(count, 1, 21); /* loop sanity */
+			assert_int_equal(rdataset.attributes &
+						 DNS_RDATASETATTR_STALE,
+					 0);
+			assert_true(rdataset.ttl > 0);
+			dns_db_detachnode(db, &node);
+			dns_rdataset_disassociate(&rdataset);
+
+			usleep(100000); /* 100 ms */
+
+			result = dns_db_find(db, example, NULL, dns_rdatatype_a,
+					     0, 0, &node, found, &rdataset,
+					     NULL);
+		} while (result == ISC_R_SUCCESS);
+
+		assert_int_equal(result, ISC_R_NOTFOUND);
+
+		/*
+		 * Check whether we can get stale data.
+		 */
+		result = dns_db_find(db, example, NULL, dns_rdatatype_a,
+				     DNS_DBFIND_STALEOK, 0, &node, found,
+				     &rdataset, NULL);
+		switch (pass) {
+		case 0:
+			assert_int_equal(result, ISC_R_NOTFOUND);
+			break;
+		case 1:
+			/*
+			 * Should loop for 1 second with stale lookups then
+			 * stop.
+			 */
+			count = 0;
+			do {
+				count++;
+				assert_in_range(count, 0, 49); /* loop sanity */
+				assert_int_equal(result, ISC_R_SUCCESS);
+				assert_int_equal(rdataset.attributes &
+							 DNS_RDATASETATTR_STALE,
+						 DNS_RDATASETATTR_STALE);
+				dns_db_detachnode(db, &node);
+				dns_rdataset_disassociate(&rdataset);
+
+				usleep(100000); /* 100 ms */
+
+				result = dns_db_find(
+					db, example, NULL, dns_rdatatype_a,
+					DNS_DBFIND_STALEOK, 0, &node, found,
+					&rdataset, NULL);
+			} while (result == ISC_R_SUCCESS);
+			/*
+			 * usleep(100000) can be slightly less than 10ms so
+			 * allow the count to reach 11.
+			 */
+			assert_in_range(count, 1, 11);
+			assert_int_equal(result, ISC_R_NOTFOUND);
+			break;
+		case 2:
+			assert_int_equal(result, ISC_R_NOTFOUND);
+			break;
+		}
+	}
+
+	dns_db_detach(&db);
+	isc_mem_detach(&mctx);
+}
+
+/* database class */
+static void
+class_test(void **state) {
+	isc_result_t result;
+	dns_db_t *db = NULL;
+
+	UNUSED(state);
+
+	result = dns_db_create(dt_mctx, "rbt", dns_rootname, dns_dbtype_zone,
+			       dns_rdataclass_in, 0, NULL, &db);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_db_load(db, "testdata/db/data.db", dns_masterformat_text,
+			     0);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	assert_int_equal(dns_db_class(db), dns_rdataclass_in);
+
+	dns_db_detach(&db);
+}
+
+/* database type */
+static void
+dbtype_test(void **state) {
+	isc_result_t result;
+	dns_db_t *db = NULL;
+
+	UNUSED(state);
+
+	/* DB has zone semantics */
+	result = dns_db_create(dt_mctx, "rbt", dns_rootname, dns_dbtype_zone,
+			       dns_rdataclass_in, 0, NULL, &db);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = dns_db_load(db, "testdata/db/data.db", dns_masterformat_text,
+			     0);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_true(dns_db_iszone(db));
+	assert_false(dns_db_iscache(db));
+	dns_db_detach(&db);
+
+	/* DB has cache semantics */
+	result = dns_db_create(dt_mctx, "rbt", dns_rootname, dns_dbtype_cache,
+			       dns_rdataclass_in, 0, NULL, &db);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = dns_db_load(db, "testdata/db/data.db", dns_masterformat_text,
+			     0);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_true(dns_db_iscache(db));
+	assert_false(dns_db_iszone(db));
+	dns_db_detach(&db);
+}
+
+/* database versions */
+static void
+version_test(void **state) {
+	isc_result_t result;
+	dns_fixedname_t fname, ffound;
+	dns_name_t *name, *foundname;
+	dns_db_t *db = NULL;
+	dns_dbversion_t *ver = NULL, *new = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+
+	UNUSED(state);
+
+	result = dns_test_loaddb(&db, dns_dbtype_zone, "test.test",
+				 "testdata/db/data.db");
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/* Open current version for reading */
+	dns_db_currentversion(db, &ver);
+	dns_test_namefromstring("b.test.test", &fname);
+	name = dns_fixedname_name(&fname);
+	foundname = dns_fixedname_initname(&ffound);
+	dns_rdataset_init(&rdataset);
+	result = dns_db_find(db, name, ver, dns_rdatatype_a, 0, 0, &node,
+			     foundname, &rdataset, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	dns_rdataset_disassociate(&rdataset);
+	dns_db_detachnode(db, &node);
+	dns_db_closeversion(db, &ver, false);
+
+	/* Open new version for writing */
+	dns_db_currentversion(db, &ver);
+	dns_test_namefromstring("b.test.test", &fname);
+	name = dns_fixedname_name(&fname);
+	foundname = dns_fixedname_initname(&ffound);
+	dns_rdataset_init(&rdataset);
+	result = dns_db_find(db, name, ver, dns_rdatatype_a, 0, 0, &node,
+			     foundname, &rdataset, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_db_newversion(db, &new);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/* Delete the rdataset from the new version */
+	result = dns_db_deleterdataset(db, node, new, dns_rdatatype_a, 0);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	dns_rdataset_disassociate(&rdataset);
+	dns_db_detachnode(db, &node);
+
+	/* This should fail now */
+	result = dns_db_find(db, name, new, dns_rdatatype_a, 0, 0, &node,
+			     foundname, &rdataset, NULL);
+	assert_int_equal(result, DNS_R_NXDOMAIN);
+
+	dns_db_closeversion(db, &new, true);
+
+	/* But this should still succeed */
+	result = dns_db_find(db, name, ver, dns_rdatatype_a, 0, 0, &node,
+			     foundname, &rdataset, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	dns_rdataset_disassociate(&rdataset);
+	dns_db_detachnode(db, &node);
+	dns_db_closeversion(db, &ver, false);
+
+	dns_db_detach(&db);
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test(getoriginnode_test),
+		cmocka_unit_test(getsetservestalettl_test),
+		cmocka_unit_test(dns_dbfind_staleok_test),
+		cmocka_unit_test_setup_teardown(class_test, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(dbtype_test, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(version_test, _setup,
+						_teardown),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/dns/tests/dbdiff_test.c b/lib/dns/tests/dbdiff_test.c
new file mode 100644
index 0000000..05bb761
--- /dev/null
+++ b/lib/dns/tests/dbdiff_test.c
@@ -0,0 +1,185 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/journal.h>
+#include <dns/name.h>
+
+#include "dnstest.h"
+
+#define BUFLEN	    255
+#define BIGBUFLEN   (64 * 1024)
+#define TEST_ORIGIN "test"
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = dns_test_begin(NULL, false);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	dns_test_end();
+
+	return (0);
+}
+
+static void
+test_create(const char *oldfile, dns_db_t **old, const char *newfile,
+	    dns_db_t **newdb) {
+	isc_result_t result;
+
+	result = dns_test_loaddb(old, dns_dbtype_zone, TEST_ORIGIN, oldfile);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_test_loaddb(newdb, dns_dbtype_zone, TEST_ORIGIN, newfile);
+	assert_int_equal(result, ISC_R_SUCCESS);
+}
+
+/* dns_db_diffx of identical content */
+static void
+diffx_same(void **state) {
+	dns_db_t *newdb = NULL, *olddb = NULL;
+	isc_result_t result;
+	dns_diff_t diff;
+
+	UNUSED(state);
+
+	test_create("testdata/diff/zone1.data", &olddb,
+		    "testdata/diff/zone1.data", &newdb);
+
+	dns_diff_init(dt_mctx, &diff);
+
+	result = dns_db_diffx(&diff, newdb, NULL, olddb, NULL, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	assert_true(ISC_LIST_EMPTY(diff.tuples));
+
+	dns_diff_clear(&diff);
+	dns_db_detach(&newdb);
+	dns_db_detach(&olddb);
+}
+
+/* dns_db_diffx of zone with record added */
+static void
+diffx_add(void **state) {
+	dns_db_t *newdb = NULL, *olddb = NULL;
+	dns_difftuple_t *tuple;
+	isc_result_t result;
+	dns_diff_t diff;
+	int count = 0;
+
+	UNUSED(state);
+
+	test_create("testdata/diff/zone1.data", &olddb,
+		    "testdata/diff/zone2.data", &newdb);
+
+	dns_diff_init(dt_mctx, &diff);
+
+	result = dns_db_diffx(&diff, newdb, NULL, olddb, NULL, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	assert_false(ISC_LIST_EMPTY(diff.tuples));
+	for (tuple = ISC_LIST_HEAD(diff.tuples); tuple != NULL;
+	     tuple = ISC_LIST_NEXT(tuple, link))
+	{
+		assert_int_equal(tuple->op, DNS_DIFFOP_ADD);
+		count++;
+	}
+	assert_int_equal(count, 1);
+
+	dns_diff_clear(&diff);
+	dns_db_detach(&newdb);
+	dns_db_detach(&olddb);
+}
+
+/* dns_db_diffx of zone with record removed */
+static void
+diffx_remove(void **state) {
+	dns_db_t *newdb = NULL, *olddb = NULL;
+	dns_difftuple_t *tuple;
+	isc_result_t result;
+	dns_diff_t diff;
+	int count = 0;
+
+	UNUSED(state);
+
+	test_create("testdata/diff/zone1.data", &olddb,
+		    "testdata/diff/zone3.data", &newdb);
+
+	dns_diff_init(dt_mctx, &diff);
+
+	result = dns_db_diffx(&diff, newdb, NULL, olddb, NULL, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	assert_false(ISC_LIST_EMPTY(diff.tuples));
+	for (tuple = ISC_LIST_HEAD(diff.tuples); tuple != NULL;
+	     tuple = ISC_LIST_NEXT(tuple, link))
+	{
+		assert_int_equal(tuple->op, DNS_DIFFOP_DEL);
+		count++;
+	}
+	assert_int_equal(count, 1);
+
+	dns_diff_clear(&diff);
+	dns_db_detach(&newdb);
+	dns_db_detach(&olddb);
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test_setup_teardown(diffx_same, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(diffx_add, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(diffx_remove, _setup,
+						_teardown),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/dns/tests/dbiterator_test.c b/lib/dns/tests/dbiterator_test.c
new file mode 100644
index 0000000..2182672
--- /dev/null
+++ b/lib/dns/tests/dbiterator_test.c
@@ -0,0 +1,394 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/name.h>
+
+#include "dnstest.h"
+
+#define BUFLEN	    255
+#define BIGBUFLEN   (64 * 1024)
+#define TEST_ORIGIN "test"
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = dns_test_begin(NULL, false);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	dns_test_end();
+
+	return (0);
+}
+
+static isc_result_t
+make_name(const char *src, dns_name_t *name) {
+	isc_buffer_t b;
+	isc_buffer_constinit(&b, src, strlen(src));
+	isc_buffer_add(&b, strlen(src));
+	return (dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
+}
+
+/* create: make sure we can create a dbiterator */
+static void
+test_create(const char *filename) {
+	isc_result_t result;
+	dns_db_t *db = NULL;
+	dns_dbiterator_t *iter = NULL;
+
+	result = dns_test_loaddb(&db, dns_dbtype_cache, TEST_ORIGIN, filename);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_db_createiterator(db, 0, &iter);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	dns_dbiterator_destroy(&iter);
+	dns_db_detach(&db);
+}
+
+static void
+create(void **state) {
+	UNUSED(state);
+
+	test_create("testdata/dbiterator/zone1.data");
+}
+
+static void
+create_nsec3(void **state) {
+	UNUSED(state);
+
+	test_create("testdata/dbiterator/zone2.data");
+}
+
+/* walk: walk a database */
+static void
+test_walk(const char *filename, int nodes) {
+	isc_result_t result;
+	dns_db_t *db = NULL;
+	dns_dbiterator_t *iter = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_name_t *name;
+	dns_fixedname_t f;
+	int i = 0;
+
+	name = dns_fixedname_initname(&f);
+
+	result = dns_test_loaddb(&db, dns_dbtype_cache, TEST_ORIGIN, filename);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_db_createiterator(db, 0, &iter);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	for (result = dns_dbiterator_first(iter); result == ISC_R_SUCCESS;
+	     result = dns_dbiterator_next(iter))
+	{
+		result = dns_dbiterator_current(iter, &node, name);
+		if (result == DNS_R_NEWORIGIN) {
+			result = ISC_R_SUCCESS;
+		}
+		assert_int_equal(result, ISC_R_SUCCESS);
+		dns_db_detachnode(db, &node);
+		i++;
+	}
+
+	assert_int_equal(i, nodes);
+
+	dns_dbiterator_destroy(&iter);
+	dns_db_detach(&db);
+}
+
+static void
+walk(void **state) {
+	UNUSED(state);
+
+	test_walk("testdata/dbiterator/zone1.data", 12);
+}
+
+static void
+walk_nsec3(void **state) {
+	UNUSED(state);
+
+	test_walk("testdata/dbiterator/zone2.data", 33);
+}
+
+/* reverse: walk database backwards */
+static void
+test_reverse(const char *filename) {
+	isc_result_t result;
+	dns_db_t *db = NULL;
+	dns_dbiterator_t *iter = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_name_t *name;
+	dns_fixedname_t f;
+	int i = 0;
+
+	name = dns_fixedname_initname(&f);
+
+	result = dns_test_loaddb(&db, dns_dbtype_cache, TEST_ORIGIN, filename);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_db_createiterator(db, 0, &iter);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	for (result = dns_dbiterator_last(iter); result == ISC_R_SUCCESS;
+	     result = dns_dbiterator_prev(iter))
+	{
+		result = dns_dbiterator_current(iter, &node, name);
+		if (result == DNS_R_NEWORIGIN) {
+			result = ISC_R_SUCCESS;
+		}
+		assert_int_equal(result, ISC_R_SUCCESS);
+		dns_db_detachnode(db, &node);
+		i++;
+	}
+
+	assert_int_equal(i, 12);
+
+	dns_dbiterator_destroy(&iter);
+	dns_db_detach(&db);
+}
+
+static void
+reverse(void **state) {
+	UNUSED(state);
+
+	test_reverse("testdata/dbiterator/zone1.data");
+}
+
+static void
+reverse_nsec3(void **state) {
+	UNUSED(state);
+
+	test_reverse("testdata/dbiterator/zone2.data");
+}
+
+/* seek: walk database starting at a particular node */
+static void
+test_seek_node(const char *filename, int nodes) {
+	isc_result_t result;
+	dns_db_t *db = NULL;
+	dns_dbiterator_t *iter = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_name_t *name, *seekname;
+	dns_fixedname_t f1, f2;
+	int i = 0;
+
+	name = dns_fixedname_initname(&f1);
+	seekname = dns_fixedname_initname(&f2);
+
+	result = dns_test_loaddb(&db, dns_dbtype_cache, TEST_ORIGIN, filename);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_db_createiterator(db, 0, &iter);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = make_name("c." TEST_ORIGIN, seekname);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_dbiterator_seek(iter, seekname);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	while (result == ISC_R_SUCCESS) {
+		result = dns_dbiterator_current(iter, &node, name);
+		if (result == DNS_R_NEWORIGIN) {
+			result = ISC_R_SUCCESS;
+		}
+		assert_int_equal(result, ISC_R_SUCCESS);
+		dns_db_detachnode(db, &node);
+		result = dns_dbiterator_next(iter);
+		i++;
+	}
+
+	assert_int_equal(i, nodes);
+
+	dns_dbiterator_destroy(&iter);
+	dns_db_detach(&db);
+}
+
+static void
+seek_node(void **state) {
+	UNUSED(state);
+
+	test_seek_node("testdata/dbiterator/zone1.data", 9);
+}
+
+static void
+seek_node_nsec3(void **state) {
+	UNUSED(state);
+
+	test_seek_node("testdata/dbiterator/zone2.data", 30);
+}
+
+/*
+ * seek_emty: walk database starting at an empty nonterminal node
+ * (should fail)
+ */
+static void
+test_seek_empty(const char *filename) {
+	isc_result_t result;
+	dns_db_t *db = NULL;
+	dns_dbiterator_t *iter = NULL;
+	dns_name_t *seekname;
+	dns_fixedname_t f1;
+
+	seekname = dns_fixedname_initname(&f1);
+
+	result = dns_test_loaddb(&db, dns_dbtype_cache, TEST_ORIGIN, filename);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_db_createiterator(db, 0, &iter);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = make_name("d." TEST_ORIGIN, seekname);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_dbiterator_seek(iter, seekname);
+	assert_int_equal(result, DNS_R_PARTIALMATCH);
+
+	dns_dbiterator_destroy(&iter);
+	dns_db_detach(&db);
+}
+
+static void
+seek_empty(void **state) {
+	UNUSED(state);
+
+	test_seek_empty("testdata/dbiterator/zone1.data");
+}
+
+static void
+seek_empty_nsec3(void **state) {
+	UNUSED(state);
+
+	test_seek_empty("testdata/dbiterator/zone2.data");
+}
+
+/*
+ * seek_nx: walk database starting at a nonexistent node
+ */
+static void
+test_seek_nx(const char *filename) {
+	isc_result_t result;
+	dns_db_t *db = NULL;
+	dns_dbiterator_t *iter = NULL;
+	dns_name_t *seekname;
+	dns_fixedname_t f1;
+
+	seekname = dns_fixedname_initname(&f1);
+
+	result = dns_test_loaddb(&db, dns_dbtype_cache, TEST_ORIGIN, filename);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_db_createiterator(db, 0, &iter);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = make_name("nonexistent." TEST_ORIGIN, seekname);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_dbiterator_seek(iter, seekname);
+	assert_int_equal(result, DNS_R_PARTIALMATCH);
+
+	result = make_name("nonexistent.", seekname);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_dbiterator_seek(iter, seekname);
+	assert_int_equal(result, ISC_R_NOTFOUND);
+
+	dns_dbiterator_destroy(&iter);
+	dns_db_detach(&db);
+}
+
+static void
+seek_nx(void **state) {
+	UNUSED(state);
+
+	test_seek_nx("testdata/dbiterator/zone1.data");
+}
+
+static void
+seek_nx_nsec3(void **state) {
+	UNUSED(state);
+
+	test_seek_nx("testdata/dbiterator/zone2.data");
+}
+
+/*
+ * XXX:
+ * dns_dbiterator API calls that are not yet part of this unit test:
+ *
+ * dns_dbiterator_pause
+ * dns_dbiterator_origin
+ * dns_dbiterator_setcleanmode
+ */
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test_setup_teardown(create, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(create_nsec3, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(walk, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(walk_nsec3, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(reverse, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(reverse_nsec3, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(seek_node, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(seek_node_nsec3, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(seek_empty, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(seek_empty_nsec3, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(seek_nx, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(seek_nx_nsec3, _setup,
+						_teardown),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/dns/tests/dbversion_test.c b/lib/dns/tests/dbversion_test.c
new file mode 100644
index 0000000..70a5124
--- /dev/null
+++ b/lib/dns/tests/dbversion_test.c
@@ -0,0 +1,499 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/file.h>
+#include <isc/result.h>
+#include <isc/serial.h>
+#include <isc/stdtime.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/nsec3.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+
+#include "dnstest.h"
+
+static char tempname[11] = "dtXXXXXXXX";
+static dns_db_t *db1 = NULL, *db2 = NULL;
+static dns_dbversion_t *v1 = NULL, *v2 = NULL;
+
+/*
+ * The code below enables us to trap assertion failures for testing
+ * purposes. local_callback() is set as the callback function for
+ * isc_assertion_failed(). It calls mock_assert() so that CMOCKA
+ * will be able to see it, then returns to the calling function via
+ * longjmp() so that the abort() call in isc_assertion_failed() will
+ * never be reached. Use check_assertion() to check for assertions
+ * instead of expect_assert_failure().
+ */
+jmp_buf assertion;
+
+#define check_assertion(function_call)                        \
+	do {                                                  \
+		const int r = setjmp(assertion);              \
+		if (r == 0) {                                 \
+			expect_assert_failure(function_call); \
+		}                                             \
+	} while (false);
+
+static void
+local_callback(const char *file, int line, isc_assertiontype_t type,
+	       const char *cond) {
+	UNUSED(type);
+
+	mock_assert(1, cond, file, line);
+	longjmp(assertion, 1);
+}
+
+static int
+_setup(void **state) {
+	isc_result_t res;
+
+	UNUSED(state);
+
+	isc_assertion_setcallback(local_callback);
+
+	res = dns_test_begin(NULL, false);
+	assert_int_equal(res, ISC_R_SUCCESS);
+
+	res = dns_db_create(dt_mctx, "rbt", dns_rootname, dns_dbtype_zone,
+			    dns_rdataclass_in, 0, NULL, &db1);
+	assert_int_equal(res, ISC_R_SUCCESS);
+	dns_db_newversion(db1, &v1);
+	assert_non_null(v1);
+
+	res = dns_db_create(dt_mctx, "rbt", dns_rootname, dns_dbtype_zone,
+			    dns_rdataclass_in, 0, NULL, &db2);
+	assert_int_equal(res, ISC_R_SUCCESS);
+	dns_db_newversion(db2, &v2);
+	assert_non_null(v1);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	if (strcmp(tempname, "dtXXXXXXXX") != 0) {
+		unlink(tempname);
+	}
+
+	if (v1 != NULL) {
+		dns_db_closeversion(db1, &v1, false);
+		assert_null(v1);
+	}
+	if (db1 != NULL) {
+		dns_db_detach(&db1);
+		assert_null(db1);
+	}
+
+	if (v2 != NULL) {
+		dns_db_closeversion(db2, &v2, false);
+		assert_null(v2);
+	}
+	if (db2 != NULL) {
+		dns_db_detach(&db2);
+		assert_null(db2);
+	}
+
+	dns_test_end();
+
+	return (0);
+}
+
+/*
+ * Check dns_db_attachversion() passes with matching db and version, and
+ * asserts with mis-matching db and version.
+ */
+static void
+attachversion(void **state) {
+	dns_dbversion_t *v = NULL;
+
+	UNUSED(state);
+
+	dns_db_attachversion(db1, v1, &v);
+	assert_ptr_equal(v, v1);
+	dns_db_closeversion(db1, &v, false);
+	assert_null(v);
+
+	check_assertion(dns_db_attachversion(db1, v2, &v));
+}
+
+/*
+ * Check dns_db_closeversion() passes with matching db and version, and
+ * asserts with mis-matching db and version.
+ */
+static void
+closeversion(void **state) {
+	UNUSED(state);
+
+	assert_non_null(v1);
+	dns_db_closeversion(db1, &v1, false);
+	assert_null(v1);
+
+	check_assertion(dns_db_closeversion(db1, &v2, false));
+}
+
+/*
+ * Check dns_db_find() passes with matching db and version, and
+ * asserts with mis-matching db and version.
+ */
+static void
+find(void **state) {
+	isc_result_t res;
+	dns_rdataset_t rdataset;
+	dns_fixedname_t fixed;
+	dns_name_t *name = NULL;
+
+	UNUSED(state);
+
+	name = dns_fixedname_initname(&fixed);
+
+	dns_rdataset_init(&rdataset);
+	res = dns_db_find(db1, dns_rootname, v1, dns_rdatatype_soa, 0, 0, NULL,
+			  name, &rdataset, NULL);
+	assert_int_equal(res, DNS_R_NXDOMAIN);
+
+	if (dns_rdataset_isassociated(&rdataset)) {
+		dns_rdataset_disassociate(&rdataset);
+	}
+
+	dns_rdataset_init(&rdataset);
+	check_assertion((void)dns_db_find(db1, dns_rootname, v2,
+					  dns_rdatatype_soa, 0, 0, NULL, name,
+					  &rdataset, NULL));
+}
+
+/*
+ * Check dns_db_allrdatasets() passes with matching db and version, and
+ * asserts with mis-matching db and version.
+ */
+static void
+allrdatasets(void **state) {
+	isc_result_t res;
+	dns_dbnode_t *node = NULL;
+	dns_rdatasetiter_t *iterator = NULL;
+
+	UNUSED(state);
+
+	res = dns_db_findnode(db1, dns_rootname, false, &node);
+	assert_int_equal(res, ISC_R_SUCCESS);
+
+	res = dns_db_allrdatasets(db1, node, v1, 0, 0, &iterator);
+	assert_int_equal(res, ISC_R_SUCCESS);
+
+	check_assertion(dns_db_allrdatasets(db1, node, v2, 0, 0, &iterator));
+
+	dns_rdatasetiter_destroy(&iterator);
+	assert_null(iterator);
+
+	dns_db_detachnode(db1, &node);
+	assert_null(node);
+}
+
+/*
+ * Check dns_db_findrdataset() passes with matching db and version, and
+ * asserts with mis-matching db and version.
+ */
+static void
+findrdataset(void **state) {
+	isc_result_t res;
+	dns_rdataset_t rdataset;
+	dns_dbnode_t *node = NULL;
+
+	UNUSED(state);
+
+	res = dns_db_findnode(db1, dns_rootname, false, &node);
+	assert_int_equal(res, ISC_R_SUCCESS);
+
+	dns_rdataset_init(&rdataset);
+	res = dns_db_findrdataset(db1, node, v1, dns_rdatatype_soa, 0, 0,
+				  &rdataset, NULL);
+	assert_int_equal(res, ISC_R_NOTFOUND);
+
+	if (dns_rdataset_isassociated(&rdataset)) {
+		dns_rdataset_disassociate(&rdataset);
+	}
+
+	dns_rdataset_init(&rdataset);
+	check_assertion(dns_db_findrdataset(db1, node, v2, dns_rdatatype_soa, 0,
+					    0, &rdataset, NULL));
+
+	dns_db_detachnode(db1, &node);
+	assert_null(node);
+}
+
+/*
+ * Check dns_db_deleterdataset() passes with matching db and version, and
+ * asserts with mis-matching db and version.
+ */
+static void
+deleterdataset(void **state) {
+	isc_result_t res;
+	dns_dbnode_t *node = NULL;
+
+	UNUSED(state);
+
+	res = dns_db_findnode(db1, dns_rootname, false, &node);
+	assert_int_equal(res, ISC_R_SUCCESS);
+
+	res = dns_db_deleterdataset(db1, node, v1, dns_rdatatype_soa, 0);
+	assert_int_equal(res, DNS_R_UNCHANGED);
+
+	check_assertion(
+		dns_db_deleterdataset(db1, node, v2, dns_rdatatype_soa, 0));
+	dns_db_detachnode(db1, &node);
+	assert_null(node);
+}
+
+/*
+ * Check dns_db_subtractrdataset() passes with matching db and version, and
+ * asserts with mis-matching db and version.
+ */
+static void
+subtract(void **state) {
+	isc_result_t res;
+	dns_rdataset_t rdataset;
+	dns_rdatalist_t rdatalist;
+	dns_dbnode_t *node = NULL;
+
+	UNUSED(state);
+
+	dns_rdataset_init(&rdataset);
+	dns_rdatalist_init(&rdatalist);
+
+	rdatalist.rdclass = dns_rdataclass_in;
+
+	res = dns_rdatalist_tordataset(&rdatalist, &rdataset);
+	assert_int_equal(res, ISC_R_SUCCESS);
+
+	res = dns_db_findnode(db1, dns_rootname, false, &node);
+	assert_int_equal(res, ISC_R_SUCCESS);
+
+	res = dns_db_subtractrdataset(db1, node, v1, &rdataset, 0, NULL);
+	assert_int_equal(res, DNS_R_UNCHANGED);
+
+	if (dns_rdataset_isassociated(&rdataset)) {
+		dns_rdataset_disassociate(&rdataset);
+	}
+
+	dns_rdataset_init(&rdataset);
+	res = dns_rdatalist_tordataset(&rdatalist, &rdataset);
+	assert_int_equal(res, ISC_R_SUCCESS);
+
+	check_assertion(
+		dns_db_subtractrdataset(db1, node, v2, &rdataset, 0, NULL));
+
+	dns_db_detachnode(db1, &node);
+	assert_null(node);
+}
+
+/*
+ * Check dns_db_dump() passes with matching db and version, and
+ * asserts with mis-matching db and version.
+ */
+static void
+dump(void **state) {
+	isc_result_t res;
+	FILE *f = NULL;
+
+	UNUSED(state);
+
+	res = isc_file_openunique(tempname, &f);
+	fclose(f);
+	assert_int_equal(res, ISC_R_SUCCESS);
+
+	res = dns_db_dump(db1, v1, tempname);
+	assert_int_equal(res, ISC_R_SUCCESS);
+
+	check_assertion(dns_db_dump(db1, v2, tempname));
+}
+
+/*
+ * Check dns_db_addrdataset() passes with matching db and version, and
+ * asserts with mis-matching db and version.
+ */
+static void
+addrdataset(void **state) {
+	isc_result_t res;
+	dns_rdataset_t rdataset;
+	dns_dbnode_t *node = NULL;
+	dns_rdatalist_t rdatalist;
+
+	UNUSED(state);
+
+	dns_rdataset_init(&rdataset);
+	dns_rdatalist_init(&rdatalist);
+
+	rdatalist.rdclass = dns_rdataclass_in;
+
+	res = dns_rdatalist_tordataset(&rdatalist, &rdataset);
+	assert_int_equal(res, ISC_R_SUCCESS);
+
+	res = dns_db_findnode(db1, dns_rootname, false, &node);
+	assert_int_equal(res, ISC_R_SUCCESS);
+
+	res = dns_db_addrdataset(db1, node, v1, 0, &rdataset, 0, NULL);
+	assert_int_equal(res, ISC_R_SUCCESS);
+
+	check_assertion(
+		dns_db_addrdataset(db1, node, v2, 0, &rdataset, 0, NULL));
+
+	dns_db_detachnode(db1, &node);
+	assert_null(node);
+}
+
+/*
+ * Check dns_db_getnsec3parameters() passes with matching db and version,
+ * and asserts with mis-matching db and version.
+ */
+static void
+getnsec3parameters(void **state) {
+	isc_result_t res;
+	dns_hash_t hash;
+	uint8_t flags;
+	uint16_t iterations;
+	unsigned char salt[DNS_NSEC3_SALTSIZE];
+	size_t salt_length = sizeof(salt);
+
+	UNUSED(state);
+
+	res = dns_db_getnsec3parameters(db1, v1, &hash, &flags, &iterations,
+					salt, &salt_length);
+	assert_int_equal(res, ISC_R_NOTFOUND);
+
+	check_assertion(dns_db_getnsec3parameters(
+		db1, v2, &hash, &flags, &iterations, salt, &salt_length));
+}
+
+/*
+ * Check dns_db_resigned() passes with matching db and version, and
+ * asserts with mis-matching db and version.
+ */
+static void
+resigned(void **state) {
+	isc_result_t res;
+	dns_rdataset_t rdataset, added;
+	dns_dbnode_t *node = NULL;
+	dns_rdatalist_t rdatalist;
+	dns_rdata_rrsig_t rrsig;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_buffer_t b;
+	unsigned char buf[1024];
+
+	UNUSED(state);
+
+	/*
+	 * Create a dummy RRSIG record and set a resigning time.
+	 */
+	dns_rdataset_init(&added);
+	dns_rdataset_init(&rdataset);
+	dns_rdatalist_init(&rdatalist);
+	isc_buffer_init(&b, buf, sizeof(buf));
+
+	DNS_RDATACOMMON_INIT(&rrsig, dns_rdatatype_rrsig, dns_rdataclass_in);
+	rrsig.covered = dns_rdatatype_a;
+	rrsig.algorithm = 100;
+	rrsig.labels = 0;
+	rrsig.originalttl = 0;
+	rrsig.timeexpire = 3600;
+	rrsig.timesigned = 0;
+	rrsig.keyid = 0;
+	dns_name_init(&rrsig.signer, NULL);
+	dns_name_clone(dns_rootname, &rrsig.signer);
+	rrsig.siglen = 0;
+	rrsig.signature = NULL;
+
+	res = dns_rdata_fromstruct(&rdata, dns_rdataclass_in,
+				   dns_rdatatype_rrsig, &rrsig, &b);
+	assert_int_equal(res, ISC_R_SUCCESS);
+
+	rdatalist.rdclass = dns_rdataclass_in;
+	rdatalist.type = dns_rdatatype_rrsig;
+	ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
+
+	res = dns_rdatalist_tordataset(&rdatalist, &rdataset);
+	assert_int_equal(res, ISC_R_SUCCESS);
+
+	rdataset.attributes |= DNS_RDATASETATTR_RESIGN;
+	rdataset.resign = 7200;
+
+	res = dns_db_findnode(db1, dns_rootname, false, &node);
+	assert_int_equal(res, ISC_R_SUCCESS);
+
+	res = dns_db_addrdataset(db1, node, v1, 0, &rdataset, 0, &added);
+	assert_int_equal(res, ISC_R_SUCCESS);
+
+	dns_db_detachnode(db1, &node);
+	assert_null(node);
+
+	check_assertion(dns_db_resigned(db1, &added, v2));
+
+	dns_db_resigned(db1, &added, v1);
+
+	dns_rdataset_disassociate(&added);
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test_setup_teardown(dump, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(find, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(allrdatasets, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(findrdataset, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(deleterdataset, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(subtract, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(addrdataset, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(getnsec3parameters, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(resigned, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(attachversion, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(closeversion, _setup,
+						_teardown),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/dns/tests/dh_test.c b/lib/dns/tests/dh_test.c
new file mode 100644
index 0000000..bd60d6d
--- /dev/null
+++ b/lib/dns/tests/dh_test.c
@@ -0,0 +1,112 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <pk11/site.h>
+
+#include <dns/name.h>
+
+#include <dst/result.h>
+
+#include "../dst_internal.h"
+#include "dnstest.h"
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = dns_test_begin(NULL, false);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	dns_test_end();
+
+	return (0);
+}
+
+/* OpenSSL DH_compute_key() failure */
+static void
+dh_computesecret(void **state) {
+	dst_key_t *key = NULL;
+	isc_buffer_t buf;
+	unsigned char array[1024];
+	isc_result_t result;
+	dns_fixedname_t fname;
+	dns_name_t *name;
+
+	UNUSED(state);
+
+	name = dns_fixedname_initname(&fname);
+	isc_buffer_constinit(&buf, "dh.", 3);
+	isc_buffer_add(&buf, 3);
+	result = dns_name_fromtext(name, &buf, NULL, 0, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dst_key_fromfile(name, 18602, DST_ALG_DH,
+				  DST_TYPE_PUBLIC | DST_TYPE_KEY, "./", dt_mctx,
+				  &key);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	isc_buffer_init(&buf, array, sizeof(array));
+	result = dst_key_computesecret(key, key, &buf);
+	assert_int_equal(result, DST_R_NOTPRIVATEKEY);
+	result = key->func->computesecret(key, key, &buf);
+	assert_int_equal(result, DST_R_COMPUTESECRETFAILURE);
+
+	dst_key_free(&key);
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test_setup_teardown(dh_computesecret, _setup,
+						_teardown),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/dns/tests/dispatch_test.c b/lib/dns/tests/dispatch_test.c
new file mode 100644
index 0000000..9f9737b
--- /dev/null
+++ b/lib/dns/tests/dispatch_test.c
@@ -0,0 +1,360 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <inttypes.h>
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/app.h>
+#include <isc/buffer.h>
+#include <isc/refcount.h>
+#include <isc/socket.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/dispatch.h>
+#include <dns/name.h>
+#include <dns/view.h>
+
+#include "dnstest.h"
+
+dns_dispatchmgr_t *dispatchmgr = NULL;
+dns_dispatchset_t *dset = NULL;
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = dns_test_begin(NULL, true);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	dns_test_end();
+
+	return (0);
+}
+
+static isc_result_t
+make_dispatchset(unsigned int ndisps) {
+	isc_result_t result;
+	isc_sockaddr_t any;
+	unsigned int attrs;
+	dns_dispatch_t *disp = NULL;
+
+	result = dns_dispatchmgr_create(dt_mctx, &dispatchmgr);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	isc_sockaddr_any(&any);
+	attrs = DNS_DISPATCHATTR_IPV4 | DNS_DISPATCHATTR_UDP;
+	result = dns_dispatch_getudp(dispatchmgr, socketmgr, taskmgr, &any, 512,
+				     6, 1024, 17, 19, attrs, attrs, &disp);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = dns_dispatchset_create(dt_mctx, socketmgr, taskmgr, disp,
+					&dset, ndisps);
+	dns_dispatch_detach(&disp);
+
+	return (result);
+}
+
+static void
+reset(void) {
+	if (dset != NULL) {
+		dns_dispatchset_destroy(&dset);
+	}
+	if (dispatchmgr != NULL) {
+		dns_dispatchmgr_destroy(&dispatchmgr);
+	}
+}
+
+/* create dispatch set */
+static void
+dispatchset_create(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = make_dispatchset(1);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	reset();
+
+	result = make_dispatchset(10);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	reset();
+}
+
+/* test dispatch set round-robin */
+static void
+dispatchset_get(void **state) {
+	isc_result_t result;
+	dns_dispatch_t *d1, *d2, *d3, *d4, *d5;
+
+	UNUSED(state);
+
+	result = make_dispatchset(1);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	d1 = dns_dispatchset_get(dset);
+	d2 = dns_dispatchset_get(dset);
+	d3 = dns_dispatchset_get(dset);
+	d4 = dns_dispatchset_get(dset);
+	d5 = dns_dispatchset_get(dset);
+
+	assert_ptr_equal(d1, d2);
+	assert_ptr_equal(d2, d3);
+	assert_ptr_equal(d3, d4);
+	assert_ptr_equal(d4, d5);
+
+	reset();
+
+	result = make_dispatchset(4);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	d1 = dns_dispatchset_get(dset);
+	d2 = dns_dispatchset_get(dset);
+	d3 = dns_dispatchset_get(dset);
+	d4 = dns_dispatchset_get(dset);
+	d5 = dns_dispatchset_get(dset);
+
+	assert_ptr_equal(d1, d5);
+	assert_ptr_not_equal(d1, d2);
+	assert_ptr_not_equal(d2, d3);
+	assert_ptr_not_equal(d3, d4);
+	assert_ptr_not_equal(d4, d5);
+
+	reset();
+}
+
+static void
+senddone(isc_task_t *task, isc_event_t *event) {
+	isc_socket_t *sock = event->ev_arg;
+
+	UNUSED(task);
+
+	isc_socket_detach(&sock);
+	isc_event_free(&event);
+}
+
+static void
+nameserver(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result;
+	isc_region_t region;
+	isc_socket_t *dummy;
+	isc_socket_t *sock = event->ev_arg;
+	isc_socketevent_t *ev = (isc_socketevent_t *)event;
+	static unsigned char buf1[16];
+	static unsigned char buf2[16];
+
+	memmove(buf1, ev->region.base, 12);
+	memset(buf1 + 12, 0, 4);
+	buf1[2] |= 0x80; /* qr=1 */
+
+	memmove(buf2, ev->region.base, 12);
+	memset(buf2 + 12, 1, 4);
+	buf2[2] |= 0x80; /* qr=1 */
+
+	/*
+	 * send message to be discarded.
+	 */
+	region.base = buf1;
+	region.length = sizeof(buf1);
+	dummy = NULL;
+	isc_socket_attach(sock, &dummy);
+	result = isc_socket_sendto(sock, &region, task, senddone, sock,
+				   &ev->address, NULL);
+	if (result != ISC_R_SUCCESS) {
+		isc_socket_detach(&dummy);
+	}
+
+	/*
+	 * send nextitem message.
+	 */
+	region.base = buf2;
+	region.length = sizeof(buf2);
+	dummy = NULL;
+	isc_socket_attach(sock, &dummy);
+	result = isc_socket_sendto(sock, &region, task, senddone, sock,
+				   &ev->address, NULL);
+	if (result != ISC_R_SUCCESS) {
+		isc_socket_detach(&dummy);
+	}
+	isc_event_free(&event);
+}
+
+static dns_dispatch_t *dispatch = NULL;
+static dns_dispentry_t *dispentry = NULL;
+static atomic_bool first = true;
+static isc_sockaddr_t local;
+static atomic_uint_fast32_t responses;
+
+static void
+response(isc_task_t *task, isc_event_t *event) {
+	dns_dispatchevent_t *devent = (dns_dispatchevent_t *)event;
+	bool exp_true = true;
+
+	UNUSED(task);
+
+	atomic_fetch_add_relaxed(&responses, 1);
+	if (atomic_compare_exchange_strong(&first, &exp_true, false)) {
+		isc_result_t result = dns_dispatch_getnext(dispentry, &devent);
+		assert_int_equal(result, ISC_R_SUCCESS);
+	} else {
+		dns_dispatch_removeresponse(&dispentry, &devent);
+		isc_app_shutdown();
+	}
+}
+
+static void
+startit(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result;
+	isc_socket_t *sock = NULL;
+
+	isc_socket_attach(dns_dispatch_getsocket(dispatch), &sock);
+	result = isc_socket_sendto(sock, event->ev_arg, task, senddone, sock,
+				   &local, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	isc_event_free(&event);
+}
+
+/* test dispatch getnext */
+static void
+dispatch_getnext(void **state) {
+	isc_region_t region;
+	isc_result_t result;
+	isc_socket_t *sock = NULL;
+	isc_task_t *task = NULL;
+	uint16_t id;
+	struct in_addr ina;
+	unsigned char message[12];
+	unsigned int attrs;
+	unsigned char rbuf[12];
+
+	UNUSED(state);
+
+	atomic_init(&responses, 0);
+
+	result = isc_task_create(taskmgr, 0, &task);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_dispatchmgr_create(dt_mctx, &dispatchmgr);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	ina.s_addr = htonl(INADDR_LOOPBACK);
+	isc_sockaddr_fromin(&local, &ina, 0);
+	attrs = DNS_DISPATCHATTR_IPV4 | DNS_DISPATCHATTR_UDP;
+	result = dns_dispatch_getudp(dispatchmgr, socketmgr, taskmgr, &local,
+				     512, 6, 1024, 17, 19, attrs, attrs,
+				     &dispatch);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/*
+	 * Create a local udp nameserver on the loopback.
+	 */
+	result = isc_socket_create(socketmgr, AF_INET, isc_sockettype_udp,
+				   &sock);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	ina.s_addr = htonl(INADDR_LOOPBACK);
+	isc_sockaddr_fromin(&local, &ina, 0);
+	result = isc_socket_bind(sock, &local, 0);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = isc_socket_getsockname(sock, &local);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	region.base = rbuf;
+	region.length = sizeof(rbuf);
+	result = isc_socket_recv(sock, &region, 1, task, nameserver, sock);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_dispatch_addresponse(dispatch, 0, &local, task, response,
+					  NULL, &id, &dispentry, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	memset(message, 0, sizeof(message));
+	message[0] = (id >> 8) & 0xff;
+	message[1] = id & 0xff;
+
+	region.base = message;
+	region.length = sizeof(message);
+	result = isc_app_onrun(dt_mctx, task, startit, &region);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = isc_app_run();
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	assert_int_equal(atomic_load_acquire(&responses), 2);
+
+	/*
+	 * Shutdown nameserver.
+	 */
+	isc_socket_cancel(sock, task, ISC_SOCKCANCEL_RECV);
+	isc_socket_detach(&sock);
+	isc_task_detach(&task);
+
+	/*
+	 * Shutdown the dispatch.
+	 */
+	dns_dispatch_detach(&dispatch);
+	dns_dispatchmgr_destroy(&dispatchmgr);
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test_setup_teardown(dispatchset_create, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(dispatchset_get, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(dispatch_getnext, _setup,
+						_teardown),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/dns/tests/dnstap_test.c b/lib/dns/tests/dnstap_test.c
new file mode 100644
index 0000000..17addc6
--- /dev/null
+++ b/lib/dns/tests/dnstap_test.c
@@ -0,0 +1,402 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <inttypes.h>
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/buffer.h>
+#include <isc/file.h>
+#include <isc/print.h>
+#include <isc/stdio.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <dns/dnstap.h>
+#include <dns/view.h>
+
+#include "dnstest.h"
+
+#ifdef HAVE_DNSTAP
+
+#include <fstrm.h>
+
+#include <protobuf-c/protobuf-c.h>
+
+#define TAPFILE "testdata/dnstap/dnstap.file"
+#define TAPSOCK "testdata/dnstap/dnstap.sock"
+
+#define TAPSAVED "testdata/dnstap/dnstap.saved"
+#define TAPTEXT	 "testdata/dnstap/dnstap.text"
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = dns_test_begin(NULL, false);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	dns_test_end();
+
+	return (0);
+}
+
+static void
+cleanup() {
+	(void)isc_file_remove(TAPFILE);
+	(void)isc_file_remove(TAPSOCK);
+}
+
+/* set up dnstap environment */
+static void
+create_test(void **state) {
+	isc_result_t result;
+	dns_dtenv_t *dtenv = NULL;
+	struct fstrm_iothr_options *fopt;
+
+	UNUSED(state);
+
+	cleanup();
+
+	fopt = fstrm_iothr_options_init();
+	assert_non_null(fopt);
+	fstrm_iothr_options_set_num_input_queues(fopt, 1);
+
+	result = dns_dt_create(dt_mctx, dns_dtmode_file, TAPFILE, &fopt, NULL,
+			       &dtenv);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	if (dtenv != NULL) {
+		dns_dt_detach(&dtenv);
+	}
+	if (fopt != NULL) {
+		fstrm_iothr_options_destroy(&fopt);
+	}
+
+	assert_true(isc_file_exists(TAPFILE));
+
+	fopt = fstrm_iothr_options_init();
+	assert_non_null(fopt);
+	fstrm_iothr_options_set_num_input_queues(fopt, 1);
+
+	result = dns_dt_create(dt_mctx, dns_dtmode_unix, TAPSOCK, &fopt, NULL,
+			       &dtenv);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	if (dtenv != NULL) {
+		dns_dt_detach(&dtenv);
+	}
+	if (fopt != NULL) {
+		fstrm_iothr_options_destroy(&fopt);
+	}
+
+	/* 'create' should succeed, but the file shouldn't exist yet */
+	assert_false(isc_file_exists(TAPSOCK));
+
+	fopt = fstrm_iothr_options_init();
+	assert_non_null(fopt);
+	fstrm_iothr_options_set_num_input_queues(fopt, 1);
+
+	result = dns_dt_create(dt_mctx, 33, TAPSOCK, &fopt, NULL, &dtenv);
+	assert_int_equal(result, ISC_R_FAILURE);
+	assert_null(dtenv);
+	if (dtenv != NULL) {
+		dns_dt_detach(&dtenv);
+	}
+	if (fopt != NULL) {
+		fstrm_iothr_options_destroy(&fopt);
+	}
+
+	cleanup();
+}
+
+/* send dnstap messages */
+static void
+send_test(void **state) {
+	isc_result_t result;
+	dns_dtenv_t *dtenv = NULL;
+	dns_dthandle_t *handle = NULL;
+	uint8_t *data;
+	size_t dsize;
+	unsigned char zone[DNS_NAME_MAXWIRE];
+	unsigned char qambuffer[4096], rambuffer[4096];
+	unsigned char qrmbuffer[4096], rrmbuffer[4096];
+	isc_buffer_t zb, qamsg, ramsg, qrmsg, rrmsg;
+	size_t qasize, qrsize, rasize, rrsize;
+	dns_fixedname_t zfname;
+	dns_name_t *zname;
+	dns_dtmsgtype_t dt;
+	dns_view_t *view = NULL;
+	dns_compress_t cctx;
+	isc_region_t zr;
+	isc_sockaddr_t qaddr;
+	isc_sockaddr_t raddr;
+	struct in_addr in;
+	isc_stdtime_t now;
+	isc_time_t p, f;
+	struct fstrm_iothr_options *fopt;
+
+	UNUSED(state);
+
+	cleanup();
+
+	result = dns_test_makeview("test", &view);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	fopt = fstrm_iothr_options_init();
+	assert_non_null(fopt);
+	fstrm_iothr_options_set_num_input_queues(fopt, 1);
+
+	result = dns_dt_create(dt_mctx, dns_dtmode_file, TAPFILE, &fopt, NULL,
+			       &dtenv);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	dns_dt_attach(dtenv, &view->dtenv);
+	view->dttypes = DNS_DTTYPE_ALL;
+
+	/*
+	 * Set up some test data
+	 */
+	zname = dns_fixedname_initname(&zfname);
+	isc_buffer_constinit(&zb, "example.com.", 12);
+	isc_buffer_add(&zb, 12);
+	result = dns_name_fromtext(zname, &zb, NULL, 0, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	memset(&zr, 0, sizeof(zr));
+	isc_buffer_init(&zb, zone, sizeof(zone));
+	result = dns_compress_init(&cctx, -1, dt_mctx);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	dns_compress_setmethods(&cctx, DNS_COMPRESS_NONE);
+	result = dns_name_towire(zname, &cctx, &zb);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	dns_compress_invalidate(&cctx);
+	isc_buffer_usedregion(&zb, &zr);
+
+	in.s_addr = inet_addr("10.53.0.1");
+	isc_sockaddr_fromin(&qaddr, &in, 2112);
+	in.s_addr = inet_addr("10.53.0.2");
+	isc_sockaddr_fromin(&raddr, &in, 2112);
+
+	isc_stdtime_get(&now);
+	isc_time_set(&p, now - 3600, 0); /* past */
+	isc_time_set(&f, now + 3600, 0); /* future */
+
+	result = dns_test_getdata("testdata/dnstap/query.auth", qambuffer,
+				  sizeof(qambuffer), &qasize);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	isc_buffer_init(&qamsg, qambuffer, qasize);
+	isc_buffer_add(&qamsg, qasize);
+
+	result = dns_test_getdata("testdata/dnstap/response.auth", rambuffer,
+				  sizeof(rambuffer), &rasize);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	isc_buffer_init(&ramsg, rambuffer, rasize);
+	isc_buffer_add(&ramsg, rasize);
+
+	result = dns_test_getdata("testdata/dnstap/query.recursive", qrmbuffer,
+				  sizeof(qrmbuffer), &qrsize);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	isc_buffer_init(&qrmsg, qrmbuffer, qrsize);
+	isc_buffer_add(&qrmsg, qrsize);
+
+	result = dns_test_getdata("testdata/dnstap/response.recursive",
+				  rrmbuffer, sizeof(rrmbuffer), &rrsize);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	isc_buffer_init(&rrmsg, rrmbuffer, rrsize);
+	isc_buffer_add(&rrmsg, rrsize);
+
+	for (dt = DNS_DTTYPE_SQ; dt <= DNS_DTTYPE_TR; dt <<= 1) {
+		isc_buffer_t *m;
+		isc_sockaddr_t *q = &qaddr, *r = &raddr;
+
+		switch (dt) {
+		case DNS_DTTYPE_AQ:
+			m = &qamsg;
+			break;
+		case DNS_DTTYPE_AR:
+			m = &ramsg;
+			break;
+		default:
+			m = &qrmsg;
+			if ((dt & DNS_DTTYPE_RESPONSE) != 0) {
+				m = &ramsg;
+			}
+			break;
+		}
+
+		dns_dt_send(view, dt, q, r, false, &zr, &p, &f, m);
+		dns_dt_send(view, dt, q, r, false, &zr, NULL, &f, m);
+		dns_dt_send(view, dt, q, r, false, &zr, &p, NULL, m);
+		dns_dt_send(view, dt, q, r, false, &zr, NULL, NULL, m);
+		dns_dt_send(view, dt, q, r, true, &zr, &p, &f, m);
+		dns_dt_send(view, dt, q, r, true, &zr, NULL, &f, m);
+		dns_dt_send(view, dt, q, r, true, &zr, &p, NULL, m);
+		dns_dt_send(view, dt, q, r, true, &zr, NULL, NULL, m);
+	}
+
+	dns_dt_detach(&view->dtenv);
+	dns_dt_detach(&dtenv);
+	dns_view_detach(&view);
+
+	result = dns_dt_open(TAPFILE, dns_dtmode_file, dt_mctx, &handle);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	while (dns_dt_getframe(handle, &data, &dsize) == ISC_R_SUCCESS) {
+		dns_dtdata_t *dtdata = NULL;
+		isc_region_t r;
+		static dns_dtmsgtype_t expected = DNS_DTTYPE_SQ;
+		static int n = 0;
+
+		r.base = data;
+		r.length = dsize;
+
+		result = dns_dt_parse(dt_mctx, &r, &dtdata);
+		assert_int_equal(result, ISC_R_SUCCESS);
+		if (result != ISC_R_SUCCESS) {
+			n++;
+			continue;
+		}
+
+		assert_int_equal(dtdata->type, expected);
+		if (++n % 8 == 0) {
+			expected <<= 1;
+		}
+
+		dns_dtdata_free(&dtdata);
+	}
+
+	if (fopt != NULL) {
+		fstrm_iothr_options_destroy(&fopt);
+	}
+	if (handle != NULL) {
+		dns_dt_close(&handle);
+	}
+	cleanup();
+}
+
+/* dnstap message to text */
+static void
+totext_test(void **state) {
+	isc_result_t result;
+	dns_dthandle_t *handle = NULL;
+	uint8_t *data;
+	size_t dsize;
+	FILE *fp = NULL;
+
+	UNUSED(state);
+
+	result = dns_dt_open(TAPSAVED, dns_dtmode_file, dt_mctx, &handle);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = isc_stdio_open(TAPTEXT, "r", &fp);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	while (dns_dt_getframe(handle, &data, &dsize) == ISC_R_SUCCESS) {
+		dns_dtdata_t *dtdata = NULL;
+		isc_buffer_t *b = NULL;
+		isc_region_t r;
+		char s[BUFSIZ], *p;
+
+		r.base = data;
+		r.length = dsize;
+
+		/* read the corresponding line of text */
+		p = fgets(s, sizeof(s), fp);
+		assert_ptr_equal(p, s);
+		if (p == NULL) {
+			break;
+		}
+
+		p = strchr(p, '\n');
+		if (p != NULL) {
+			*p = '\0';
+		}
+
+		/* parse dnstap frame */
+		result = dns_dt_parse(dt_mctx, &r, &dtdata);
+		assert_int_equal(result, ISC_R_SUCCESS);
+		if (result != ISC_R_SUCCESS) {
+			continue;
+		}
+
+		isc_buffer_allocate(dt_mctx, &b, 2048);
+		assert_non_null(b);
+		if (b == NULL) {
+			break;
+		}
+
+		/* convert to text and compare */
+		result = dns_dt_datatotext(dtdata, &b);
+		assert_int_equal(result, ISC_R_SUCCESS);
+
+		assert_string_equal((char *)isc_buffer_base(b), s);
+
+		dns_dtdata_free(&dtdata);
+		isc_buffer_free(&b);
+	}
+
+	if (handle != NULL) {
+		dns_dt_close(&handle);
+	}
+	cleanup();
+}
+#endif /* HAVE_DNSTAP */
+
+int
+main(void) {
+#if HAVE_DNSTAP
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test_setup_teardown(create_test, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(send_test, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(totext_test, _setup, _teardown),
+	};
+
+	/* make sure text conversion gets the right local time */
+	setenv("TZ", "PST8", 1);
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+#else  /* if HAVE_DNSTAP */
+	print_message("1..0 # Skipped: dnstap not enabled\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+#endif /* HAVE_DNSTAP */
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* HAVE_CMOCKA */
diff --git a/lib/dns/tests/dnstest.c b/lib/dns/tests/dnstest.c
new file mode 100644
index 0000000..a8cd6b5
--- /dev/null
+++ b/lib/dns/tests/dnstest.c
@@ -0,0 +1,643 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#if HAVE_CMOCKA
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/app.h>
+#include <isc/buffer.h>
+#include <isc/file.h>
+#include <isc/hash.h>
+#include <isc/hex.h>
+#include <isc/lex.h>
+#include <isc/managers.h>
+#include <isc/mem.h>
+#include <isc/os.h>
+#include <isc/print.h>
+#include <isc/socket.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/callbacks.h>
+#include <dns/db.h>
+#include <dns/fixedname.h>
+#include <dns/log.h>
+#include <dns/name.h>
+#include <dns/result.h>
+#include <dns/view.h>
+#include <dns/zone.h>
+
+#include "dnstest.h"
+
+#define CHECK(r)                               \
+	do {                                   \
+		result = (r);                  \
+		if (result != ISC_R_SUCCESS) { \
+			goto cleanup;          \
+		}                              \
+	} while (0)
+
+isc_mem_t *dt_mctx = NULL;
+isc_log_t *lctx = NULL;
+isc_nm_t *netmgr = NULL;
+isc_taskmgr_t *taskmgr = NULL;
+isc_task_t *maintask = NULL;
+isc_timermgr_t *timermgr = NULL;
+isc_socketmgr_t *socketmgr = NULL;
+dns_zonemgr_t *zonemgr = NULL;
+bool app_running = false;
+int ncpus;
+bool debug_mem_record = true;
+
+static bool dst_active = false;
+static bool test_running = false;
+
+/*
+ * Logging categories: this needs to match the list in bin/named/log.c.
+ */
+static isc_logcategory_t categories[] = { { "", 0 },
+					  { "client", 0 },
+					  { "network", 0 },
+					  { "update", 0 },
+					  { "queries", 0 },
+					  { "unmatched", 0 },
+					  { "update-security", 0 },
+					  { "query-errors", 0 },
+					  { NULL, 0 } };
+
+static void
+cleanup_managers(void) {
+	if (maintask != NULL) {
+		isc_task_shutdown(maintask);
+		isc_task_destroy(&maintask);
+	}
+
+	isc_managers_destroy(netmgr == NULL ? NULL : &netmgr,
+			     taskmgr == NULL ? NULL : &taskmgr);
+
+	if (socketmgr != NULL) {
+		isc_socketmgr_destroy(&socketmgr);
+	}
+	if (timermgr != NULL) {
+		isc_timermgr_destroy(&timermgr);
+	}
+	if (app_running) {
+		isc_app_finish();
+	}
+}
+
+static isc_result_t
+create_managers(void) {
+	isc_result_t result;
+	ncpus = isc_os_ncpus();
+
+	CHECK(isc_managers_create(dt_mctx, ncpus, 0, &netmgr, &taskmgr));
+	CHECK(isc_timermgr_create(dt_mctx, &timermgr));
+	CHECK(isc_socketmgr_create(dt_mctx, &socketmgr));
+	CHECK(isc_task_create_bound(taskmgr, 0, &maintask, 0));
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	cleanup_managers();
+	return (result);
+}
+
+isc_result_t
+dns_test_begin(FILE *logfile, bool start_managers) {
+	isc_result_t result;
+
+	INSIST(!test_running);
+	test_running = true;
+
+	if (start_managers) {
+		CHECK(isc_app_start());
+	}
+	if (debug_mem_record) {
+		isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
+	}
+
+	INSIST(dt_mctx == NULL);
+	isc_mem_create(&dt_mctx);
+
+	/* Don't check the memory leaks as they hide the assertions */
+	isc_mem_setdestroycheck(dt_mctx, false);
+
+	INSIST(!dst_active);
+	CHECK(dst_lib_init(dt_mctx, NULL));
+	dst_active = true;
+
+	if (logfile != NULL) {
+		isc_logdestination_t destination;
+		isc_logconfig_t *logconfig = NULL;
+
+		INSIST(lctx == NULL);
+		isc_log_create(dt_mctx, &lctx, &logconfig);
+		isc_log_registercategories(lctx, categories);
+		isc_log_setcontext(lctx);
+		dns_log_init(lctx);
+		dns_log_setcontext(lctx);
+
+		destination.file.stream = logfile;
+		destination.file.name = NULL;
+		destination.file.versions = ISC_LOG_ROLLNEVER;
+		destination.file.maximum_size = 0;
+		isc_log_createchannel(logconfig, "stderr", ISC_LOG_TOFILEDESC,
+				      ISC_LOG_DYNAMIC, &destination, 0);
+		CHECK(isc_log_usechannel(logconfig, "stderr", NULL, NULL));
+	}
+
+	dns_result_register();
+
+	if (start_managers) {
+		CHECK(create_managers());
+	}
+
+	/*
+	 * The caller might run from another directory, so tests
+	 * that access test data files must first chdir to the proper
+	 * location.
+	 */
+	if (chdir(TESTS) == -1) {
+		CHECK(ISC_R_FAILURE);
+	}
+
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	dns_test_end();
+	return (result);
+}
+
+void
+dns_test_end(void) {
+	cleanup_managers();
+
+	dst_lib_destroy();
+	dst_active = false;
+
+	if (lctx != NULL) {
+		isc_log_destroy(&lctx);
+	}
+
+	if (dt_mctx != NULL) {
+		isc_mem_destroy(&dt_mctx);
+	}
+
+	test_running = false;
+}
+
+/*
+ * Create a view.
+ */
+isc_result_t
+dns_test_makeview(const char *name, dns_view_t **viewp) {
+	isc_result_t result;
+	dns_view_t *view = NULL;
+
+	CHECK(dns_view_create(dt_mctx, dns_rdataclass_in, name, &view));
+	*viewp = view;
+
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	if (view != NULL) {
+		dns_view_detach(&view);
+	}
+	return (result);
+}
+
+isc_result_t
+dns_test_makezone(const char *name, dns_zone_t **zonep, dns_view_t *view,
+		  bool createview) {
+	dns_fixedname_t fixed_origin;
+	dns_zone_t *zone = NULL;
+	isc_result_t result;
+	dns_name_t *origin;
+
+	REQUIRE(view == NULL || !createview);
+
+	/*
+	 * Create the zone structure.
+	 */
+	result = dns_zone_create(&zone, dt_mctx);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	/*
+	 * Set zone type and origin.
+	 */
+	dns_zone_settype(zone, dns_zone_primary);
+	origin = dns_fixedname_initname(&fixed_origin);
+	result = dns_name_fromstring(origin, name, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		goto detach_zone;
+	}
+	result = dns_zone_setorigin(zone, origin);
+	if (result != ISC_R_SUCCESS) {
+		goto detach_zone;
+	}
+
+	/*
+	 * If requested, create a view.
+	 */
+	if (createview) {
+		result = dns_test_makeview("view", &view);
+		if (result != ISC_R_SUCCESS) {
+			goto detach_zone;
+		}
+	}
+
+	/*
+	 * If a view was passed as an argument or created above, attach the
+	 * created zone to it.  Otherwise, set the zone's class to IN.
+	 */
+	if (view != NULL) {
+		dns_zone_setview(zone, view);
+		dns_zone_setclass(zone, view->rdclass);
+		dns_view_addzone(view, zone);
+	} else {
+		dns_zone_setclass(zone, dns_rdataclass_in);
+	}
+
+	*zonep = zone;
+
+	return (ISC_R_SUCCESS);
+
+detach_zone:
+	dns_zone_detach(&zone);
+
+	return (result);
+}
+
+isc_result_t
+dns_test_setupzonemgr(void) {
+	isc_result_t result;
+	REQUIRE(zonemgr == NULL);
+
+	result = dns_zonemgr_create(dt_mctx, taskmgr, timermgr, socketmgr,
+				    &zonemgr);
+	return (result);
+}
+
+isc_result_t
+dns_test_managezone(dns_zone_t *zone) {
+	isc_result_t result;
+	REQUIRE(zonemgr != NULL);
+
+	result = dns_zonemgr_setsize(zonemgr, 1);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = dns_zonemgr_managezone(zonemgr, zone);
+	return (result);
+}
+
+void
+dns_test_releasezone(dns_zone_t *zone) {
+	REQUIRE(zonemgr != NULL);
+	dns_zonemgr_releasezone(zonemgr, zone);
+}
+
+void
+dns_test_closezonemgr(void) {
+	REQUIRE(zonemgr != NULL);
+
+	dns_zonemgr_shutdown(zonemgr);
+	dns_zonemgr_detach(&zonemgr);
+}
+
+/*
+ * Sleep for 'usec' microseconds.
+ */
+void
+dns_test_nap(uint32_t usec) {
+	struct timespec ts;
+
+	ts.tv_sec = usec / 1000000;
+	ts.tv_nsec = (usec % 1000000) * 1000;
+	nanosleep(&ts, NULL);
+}
+
+isc_result_t
+dns_test_loaddb(dns_db_t **db, dns_dbtype_t dbtype, const char *origin,
+		const char *testfile) {
+	isc_result_t result;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+
+	name = dns_fixedname_initname(&fixed);
+
+	result = dns_name_fromstring(name, origin, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = dns_db_create(dt_mctx, "rbt", name, dbtype, dns_rdataclass_in,
+			       0, NULL, db);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = dns_db_load(*db, testfile, dns_masterformat_text, 0);
+	return (result);
+}
+
+static int
+fromhex(char c) {
+	if (c >= '0' && c <= '9') {
+		return (c - '0');
+	} else if (c >= 'a' && c <= 'f') {
+		return (c - 'a' + 10);
+	} else if (c >= 'A' && c <= 'F') {
+		return (c - 'A' + 10);
+	}
+
+	printf("bad input format: %02x\n", c);
+	exit(3);
+}
+
+/*
+ * Format contents of given memory region as a hex string, using the buffer
+ * of length 'buflen' pointed to by 'buf'. 'buflen' must be at least three
+ * times 'len'. Always returns 'buf'.
+ */
+char *
+dns_test_tohex(const unsigned char *data, size_t len, char *buf,
+	       size_t buflen) {
+	isc_constregion_t source = { .base = data, .length = len };
+	isc_buffer_t target;
+	isc_result_t result;
+
+	memset(buf, 0, buflen);
+	isc_buffer_init(&target, buf, buflen);
+	result = isc_hex_totext((isc_region_t *)&source, 1, " ", &target);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (buf);
+}
+
+isc_result_t
+dns_test_getdata(const char *file, unsigned char *buf, size_t bufsiz,
+		 size_t *sizep) {
+	isc_result_t result;
+	unsigned char *bp;
+	char *rp, *wp;
+	char s[BUFSIZ];
+	size_t len, i;
+	FILE *f = NULL;
+	int n;
+
+	result = isc_stdio_open(file, "r", &f);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	bp = buf;
+	while (fgets(s, sizeof(s), f) != NULL) {
+		rp = s;
+		wp = s;
+		len = 0;
+		while (*rp != '\0') {
+			if (*rp == '#') {
+				break;
+			}
+			if (*rp != ' ' && *rp != '\t' && *rp != '\r' &&
+			    *rp != '\n')
+			{
+				*wp++ = *rp;
+				len++;
+			}
+			rp++;
+		}
+		if (len == 0U) {
+			continue;
+		}
+		if (len % 2 != 0U) {
+			CHECK(ISC_R_UNEXPECTEDEND);
+		}
+		if (len > bufsiz * 2) {
+			CHECK(ISC_R_NOSPACE);
+		}
+		rp = s;
+		for (i = 0; i < len; i += 2) {
+			n = fromhex(*rp++);
+			n *= 16;
+			n += fromhex(*rp++);
+			*bp++ = n;
+		}
+	}
+
+	*sizep = bp - buf;
+
+	result = ISC_R_SUCCESS;
+
+cleanup:
+	isc_stdio_close(f);
+	return (result);
+}
+
+static void
+nullmsg(dns_rdatacallbacks_t *cb, const char *fmt, ...) {
+	UNUSED(cb);
+	UNUSED(fmt);
+}
+
+isc_result_t
+dns_test_rdatafromstring(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
+			 dns_rdatatype_t rdtype, unsigned char *dst,
+			 size_t dstlen, const char *src, bool warnings) {
+	dns_rdatacallbacks_t callbacks;
+	isc_buffer_t source, target;
+	isc_lex_t *lex = NULL;
+	isc_lexspecials_t specials = { 0 };
+	isc_result_t result;
+	size_t length;
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(DNS_RDATA_INITIALIZED(rdata));
+	REQUIRE(dst != NULL);
+	REQUIRE(src != NULL);
+
+	/*
+	 * Set up source to hold the input string.
+	 */
+	length = strlen(src);
+	isc_buffer_constinit(&source, src, length);
+	isc_buffer_add(&source, length);
+
+	/*
+	 * Create a lexer as one is required by dns_rdata_fromtext().
+	 */
+	result = isc_lex_create(dt_mctx, 64, &lex);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	/*
+	 * Set characters which will be treated as valid multi-line RDATA
+	 * delimiters while reading the source string.  These should match
+	 * specials from lib/dns/master.c.
+	 */
+	specials[0] = 1;
+	specials['('] = 1;
+	specials[')'] = 1;
+	specials['"'] = 1;
+	isc_lex_setspecials(lex, specials);
+
+	/*
+	 * Expect DNS masterfile comments.
+	 */
+	isc_lex_setcomments(lex, ISC_LEXCOMMENT_DNSMASTERFILE);
+
+	/*
+	 * Point lexer at source.
+	 */
+	result = isc_lex_openbuffer(lex, &source);
+	if (result != ISC_R_SUCCESS) {
+		goto destroy_lexer;
+	}
+
+	/*
+	 * Set up target for storing uncompressed wire form of provided RDATA.
+	 */
+	isc_buffer_init(&target, dst, dstlen);
+
+	/*
+	 * Set up callbacks so warnings and errors are not printed.
+	 */
+	if (!warnings) {
+		dns_rdatacallbacks_init(&callbacks);
+		callbacks.warn = callbacks.error = nullmsg;
+	}
+
+	/*
+	 * Parse input string, determining result.
+	 */
+	result = dns_rdata_fromtext(rdata, rdclass, rdtype, lex, dns_rootname,
+				    0, dt_mctx, &target, &callbacks);
+
+destroy_lexer:
+	isc_lex_destroy(&lex);
+
+	return (result);
+}
+
+void
+dns_test_namefromstring(const char *namestr, dns_fixedname_t *fname) {
+	size_t length;
+	isc_buffer_t *b = NULL;
+	isc_result_t result;
+	dns_name_t *name;
+
+	length = strlen(namestr);
+
+	name = dns_fixedname_initname(fname);
+
+	isc_buffer_allocate(dt_mctx, &b, length);
+
+	isc_buffer_putmem(b, (const unsigned char *)namestr, length);
+	result = dns_name_fromtext(name, b, dns_rootname, 0, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	isc_buffer_free(&b);
+}
+
+isc_result_t
+dns_test_difffromchanges(dns_diff_t *diff, const zonechange_t *changes,
+			 bool warnings) {
+	isc_result_t result = ISC_R_SUCCESS;
+	unsigned char rdata_buf[1024];
+	dns_difftuple_t *tuple = NULL;
+	isc_consttextregion_t region;
+	dns_rdatatype_t rdatatype;
+	dns_fixedname_t fixedname;
+	dns_rdata_t rdata;
+	dns_name_t *name;
+	size_t i;
+
+	REQUIRE(diff != NULL);
+	REQUIRE(changes != NULL);
+
+	dns_diff_init(dt_mctx, diff);
+
+	for (i = 0; changes[i].owner != NULL; i++) {
+		/*
+		 * Parse owner name.
+		 */
+		name = dns_fixedname_initname(&fixedname);
+		result = dns_name_fromstring(name, changes[i].owner, 0,
+					     dt_mctx);
+		if (result != ISC_R_SUCCESS) {
+			break;
+		}
+
+		/*
+		 * Parse RDATA type.
+		 */
+		region.base = changes[i].type;
+		region.length = strlen(changes[i].type);
+		result = dns_rdatatype_fromtext(&rdatatype,
+						(isc_textregion_t *)&region);
+		if (result != ISC_R_SUCCESS) {
+			break;
+		}
+
+		/*
+		 * Parse RDATA.
+		 */
+		dns_rdata_init(&rdata);
+		result = dns_test_rdatafromstring(
+			&rdata, dns_rdataclass_in, rdatatype, rdata_buf,
+			sizeof(rdata_buf), changes[i].rdata, warnings);
+		if (result != ISC_R_SUCCESS) {
+			break;
+		}
+
+		/*
+		 * Create a diff tuple for the parsed change and append it to
+		 * the diff.
+		 */
+		result = dns_difftuple_create(dt_mctx, changes[i].op, name,
+					      changes[i].ttl, &rdata, &tuple);
+		if (result != ISC_R_SUCCESS) {
+			break;
+		}
+		dns_diff_append(diff, &tuple);
+	}
+
+	if (result != ISC_R_SUCCESS) {
+		dns_diff_clear(diff);
+	}
+
+	return (result);
+}
+#endif /* HAVE_CMOCKA */
diff --git a/lib/dns/tests/dnstest.h b/lib/dns/tests/dnstest.h
new file mode 100644
index 0000000..f19b518
--- /dev/null
+++ b/lib/dns/tests/dnstest.h
@@ -0,0 +1,132 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/buffer.h>
+#include <isc/hash.h>
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/diff.h>
+#include <dns/result.h>
+#include <dns/zone.h>
+
+typedef struct {
+	dns_diffop_t op;
+	const char *owner;
+	dns_ttl_t ttl;
+	const char *type;
+	const char *rdata;
+} zonechange_t;
+
+#define ZONECHANGE_SENTINEL            \
+	{                              \
+		0, NULL, 0, NULL, NULL \
+	}
+
+extern isc_mem_t *dt_mctx;
+extern isc_log_t *lctx;
+extern isc_taskmgr_t *taskmgr;
+extern isc_task_t *maintask;
+extern isc_timermgr_t *timermgr;
+extern isc_socketmgr_t *socketmgr;
+extern dns_zonemgr_t *zonemgr;
+extern bool app_running;
+extern int ncpus;
+extern bool debug_mem_record;
+
+isc_result_t
+dns_test_begin(FILE *logfile, bool create_managers);
+
+void
+dns_test_end(void);
+
+isc_result_t
+dns_test_makeview(const char *name, dns_view_t **viewp);
+
+/*%
+ * Create a zone with origin 'name', return a pointer to the zone object in
+ * 'zonep'.
+ *
+ * If 'view' is set, the returned zone will be assigned to the passed view.
+ * 'createview' must be set to false when 'view' is non-NULL.
+ *
+ * If 'view' is not set and 'createview' is true, a new view is also created
+ * and the returned zone is assigned to it.  This imposes two requirements on
+ * the caller: 1) the returned zone has to be subsequently assigned to a zone
+ * manager, otherwise its cleanup will fail, 2) the created view has to be
+ * cleaned up by the caller.
+ *
+ * If 'view' is not set and 'createview' is false, the returned zone will not
+ * be assigned to any view.
+ */
+isc_result_t
+dns_test_makezone(const char *name, dns_zone_t **zonep, dns_view_t *view,
+		  bool createview);
+
+isc_result_t
+dns_test_setupzonemgr(void);
+
+isc_result_t
+dns_test_managezone(dns_zone_t *zone);
+
+void
+dns_test_releasezone(dns_zone_t *zone);
+
+void
+dns_test_closezonemgr(void);
+
+void
+dns_test_nap(uint32_t usec);
+
+isc_result_t
+dns_test_loaddb(dns_db_t **db, dns_dbtype_t dbtype, const char *origin,
+		const char *testfile);
+
+isc_result_t
+dns_test_getdata(const char *file, unsigned char *buf, size_t bufsiz,
+		 size_t *sizep);
+
+char *
+dns_test_tohex(const unsigned char *data, size_t len, char *buf, size_t buflen);
+
+/*%
+ * Try parsing text form RDATA in "src" (of class "rdclass" and type "rdtype")
+ * into a structure representing that RDATA at "rdata", storing the
+ * uncompressed wire form of that RDATA at "dst", which is "dstlen" bytes long.
+ * Set 'warnings' to true to print logged warnings from dns_rdata_fromtext().
+ */
+isc_result_t
+dns_test_rdatafromstring(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
+			 dns_rdatatype_t rdtype, unsigned char *dst,
+			 size_t dstlen, const char *src, bool warnings);
+
+void
+dns_test_namefromstring(const char *namestr, dns_fixedname_t *fname);
+
+/*%
+ * Given a pointer to an uninitialized dns_diff_t structure in 'diff', make it
+ * contain diff tuples representing zone database changes listed in 'changes'.
+ * Set 'warnings' to true to print logged warnings from dns_rdata_fromtext().
+ */
+isc_result_t
+dns_test_difffromchanges(dns_diff_t *diff, const zonechange_t *changes,
+			 bool warnings);
diff --git a/lib/dns/tests/dst_test.c b/lib/dns/tests/dst_test.c
new file mode 100644
index 0000000..f5370cc
--- /dev/null
+++ b/lib/dns/tests/dst_test.c
@@ -0,0 +1,504 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/file.h>
+#include <isc/hex.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dst/dst.h>
+#include <dst/result.h>
+
+#include "../dst_internal.h"
+#include "dnstest.h"
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = dns_test_begin(NULL, false);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	dns_test_end();
+
+	return (0);
+}
+
+/* Read sig in file at path to buf. Check signature ineffability */
+static isc_result_t
+sig_fromfile(const char *path, isc_buffer_t *buf) {
+	isc_result_t result;
+	size_t rval, len;
+	FILE *fp = NULL;
+	unsigned char val;
+	char *p, *data;
+	off_t size;
+
+	result = isc_stdio_open(path, "rb", &fp);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = isc_file_getsizefd(fileno(fp), &size);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	data = isc_mem_get(dt_mctx, (size + 1));
+	assert_non_null(data);
+
+	len = (size_t)size;
+	p = data;
+	while (len != 0U) {
+		result = isc_stdio_read(p, 1, len, fp, &rval);
+		assert_int_equal(result, ISC_R_SUCCESS);
+		len -= rval;
+		p += rval;
+	}
+	isc_stdio_close(fp);
+
+	p = data;
+	len = size;
+	while (len > 0U) {
+		if ((*p == '\r') || (*p == '\n')) {
+			++p;
+			--len;
+			continue;
+		} else if (len < 2U) {
+			goto err;
+		}
+		if (('0' <= *p) && (*p <= '9')) {
+			val = *p - '0';
+		} else if (('A' <= *p) && (*p <= 'F')) {
+			val = *p - 'A' + 10;
+		} else {
+			result = ISC_R_BADHEX;
+			goto err;
+		}
+		++p;
+		val <<= 4;
+		--len;
+		if (('0' <= *p) && (*p <= '9')) {
+			val |= (*p - '0');
+		} else if (('A' <= *p) && (*p <= 'F')) {
+			val |= (*p - 'A' + 10);
+		} else {
+			result = ISC_R_BADHEX;
+			goto err;
+		}
+		++p;
+		--len;
+		isc_buffer_putuint8(buf, val);
+	}
+
+	result = ISC_R_SUCCESS;
+
+err:
+	isc_mem_put(dt_mctx, data, size + 1);
+	return (result);
+}
+
+static void
+check_sig(const char *datapath, const char *sigpath, const char *keyname,
+	  dns_keytag_t id, dns_secalg_t alg, int type, bool expect) {
+	isc_result_t result;
+	size_t rval, len;
+	FILE *fp;
+	dst_key_t *key = NULL;
+	unsigned char sig[512];
+	unsigned char *p;
+	unsigned char *data;
+	off_t size;
+	isc_buffer_t b;
+	isc_buffer_t databuf, sigbuf;
+	isc_region_t datareg, sigreg;
+	dns_fixedname_t fname;
+	dns_name_t *name;
+	dst_context_t *ctx = NULL;
+
+	/*
+	 * Read data from file in a form usable by dst_verify.
+	 */
+	result = isc_stdio_open(datapath, "rb", &fp);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = isc_file_getsizefd(fileno(fp), &size);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	data = isc_mem_get(dt_mctx, (size + 1));
+	assert_non_null(data);
+
+	p = data;
+	len = (size_t)size;
+	do {
+		result = isc_stdio_read(p, 1, len, fp, &rval);
+		assert_int_equal(result, ISC_R_SUCCESS);
+		len -= rval;
+		p += rval;
+	} while (len);
+	isc_stdio_close(fp);
+
+	/*
+	 * Read key from file in a form usable by dst_verify.
+	 */
+	name = dns_fixedname_initname(&fname);
+	isc_buffer_constinit(&b, keyname, strlen(keyname));
+	isc_buffer_add(&b, strlen(keyname));
+	result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = dst_key_fromfile(name, id, alg, type, "testdata/dst", dt_mctx,
+				  &key);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	isc_buffer_init(&databuf, data, (unsigned int)size);
+	isc_buffer_add(&databuf, (unsigned int)size);
+	isc_buffer_usedregion(&databuf, &datareg);
+
+	memset(sig, 0, sizeof(sig));
+	isc_buffer_init(&sigbuf, sig, sizeof(sig));
+
+	/*
+	 * Read precomputed signature from file in a form usable by dst_verify.
+	 */
+	result = sig_fromfile(sigpath, &sigbuf);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/*
+	 * Verify that the key signed the data.
+	 */
+	isc_buffer_remainingregion(&sigbuf, &sigreg);
+
+	result = dst_context_create(key, dt_mctx, DNS_LOGCATEGORY_GENERAL,
+				    false, 0, &ctx);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dst_context_adddata(ctx, &datareg);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = dst_context_verify(ctx, &sigreg);
+
+	/*
+	 * Compute the expected signature and emit it
+	 * so the precomputed signature can be updated.
+	 * This should only be done if the covered data
+	 * is updated.
+	 */
+	if (expect && result != ISC_R_SUCCESS) {
+		isc_result_t result2;
+
+		dst_context_destroy(&ctx);
+		result2 = dst_context_create(
+			key, dt_mctx, DNS_LOGCATEGORY_GENERAL, false, 0, &ctx);
+		assert_int_equal(result2, ISC_R_SUCCESS);
+
+		result2 = dst_context_adddata(ctx, &datareg);
+		assert_int_equal(result2, ISC_R_SUCCESS);
+
+		char sigbuf2[4096];
+		isc_buffer_t sigb;
+		isc_buffer_init(&sigb, sigbuf2, sizeof(sigbuf2));
+
+		result2 = dst_context_sign(ctx, &sigb);
+		assert_int_equal(result2, ISC_R_SUCCESS);
+
+		isc_region_t r;
+		isc_buffer_usedregion(&sigb, &r);
+
+		char hexbuf[4096] = { 0 };
+		isc_buffer_t hb;
+		isc_buffer_init(&hb, hexbuf, sizeof(hexbuf));
+
+		isc_hex_totext(&r, 0, "", &hb);
+
+		fprintf(stderr, "# %s:\n# %s\n", sigpath, hexbuf);
+	}
+
+	isc_mem_put(dt_mctx, data, size + 1);
+	dst_context_destroy(&ctx);
+	dst_key_free(&key);
+
+	assert_true((expect && (result == ISC_R_SUCCESS)) ||
+		    (!expect && (result != ISC_R_SUCCESS)));
+
+	return;
+}
+
+static void
+sig_test(void **state) {
+	UNUSED(state);
+
+	struct {
+		const char *datapath;
+		const char *sigpath;
+		const char *keyname;
+		dns_keytag_t keyid;
+		dns_secalg_t alg;
+		bool expect;
+	} testcases[] = {
+		{ "testdata/dst/test1.data", "testdata/dst/test1.ecdsa256sig",
+		  "test.", 49130, DST_ALG_ECDSA256, true },
+		{ "testdata/dst/test1.data", "testdata/dst/test1.rsasha256sig",
+		  "test.", 11349, DST_ALG_RSASHA256, true },
+		{ /* wrong sig */
+		  "testdata/dst/test1.data", "testdata/dst/test1.ecdsa256sig",
+		  "test.", 11349, DST_ALG_RSASHA256, false },
+		{ /* wrong data */
+		  "testdata/dst/test2.data", "testdata/dst/test1.ecdsa256sig",
+		  "test.", 49130, DST_ALG_ECDSA256, false },
+	};
+	unsigned int i;
+
+	for (i = 0; i < (sizeof(testcases) / sizeof(testcases[0])); i++) {
+		if (!dst_algorithm_supported(testcases[i].alg)) {
+			continue;
+		}
+
+		check_sig(testcases[i].datapath, testcases[i].sigpath,
+			  testcases[i].keyname, testcases[i].keyid,
+			  testcases[i].alg, DST_TYPE_PRIVATE | DST_TYPE_PUBLIC,
+			  testcases[i].expect);
+	}
+}
+
+#if !defined(USE_PKCS11)
+static void
+check_cmp(const char *key1_name, dns_keytag_t key1_id, const char *key2_name,
+	  dns_keytag_t key2_id, dns_secalg_t alg, int type, bool expect) {
+	isc_result_t result;
+	dst_key_t *key1 = NULL;
+	dst_key_t *key2 = NULL;
+	isc_buffer_t b1;
+	isc_buffer_t b2;
+	dns_fixedname_t fname1;
+	dns_fixedname_t fname2;
+	dns_name_t *name1;
+	dns_name_t *name2;
+
+	/*
+	 * Read key1 from the file.
+	 */
+	name1 = dns_fixedname_initname(&fname1);
+	isc_buffer_constinit(&b1, key1_name, strlen(key1_name));
+	isc_buffer_add(&b1, strlen(key1_name));
+	result = dns_name_fromtext(name1, &b1, dns_rootname, 0, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = dst_key_fromfile(name1, key1_id, alg, type, "comparekeys",
+				  dt_mctx, &key1);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/*
+	 * Read key2 from the file.
+	 */
+	name2 = dns_fixedname_initname(&fname2);
+	isc_buffer_constinit(&b2, key2_name, strlen(key2_name));
+	isc_buffer_add(&b2, strlen(key2_name));
+	result = dns_name_fromtext(name2, &b2, dns_rootname, 0, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = dst_key_fromfile(name2, key2_id, alg, type, "comparekeys",
+				  dt_mctx, &key2);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/*
+	 * Compare the keys (for public-only keys).
+	 */
+	if ((type & DST_TYPE_PRIVATE) == 0) {
+		assert_true(dst_key_pubcompare(key1, key2, false) == expect);
+	}
+
+	/*
+	 * Compare the keys (for both public-only keys and keypairs).
+	 */
+	assert_true(dst_key_compare(key1, key2) == expect);
+
+	/*
+	 * Free the keys
+	 */
+	dst_key_free(&key2);
+	dst_key_free(&key1);
+
+	return;
+}
+
+static void
+cmp_test(void **state) {
+	UNUSED(state);
+
+	struct {
+		const char *key1_name;
+		dns_keytag_t key1_id;
+		const char *key2_name;
+		dns_keytag_t key2_id;
+		dns_secalg_t alg;
+		int type;
+		bool expect;
+	} testcases[] = {
+		/* RSA Keypair: self */
+		{ "example.", 53461, "example.", 53461, DST_ALG_RSASHA256,
+		  DST_TYPE_PUBLIC | DST_TYPE_PRIVATE, true },
+
+		/* RSA Keypair: different key */
+		{ "example.", 53461, "example2.", 37993, DST_ALG_RSASHA256,
+		  DST_TYPE_PUBLIC | DST_TYPE_PRIVATE, false },
+
+		/* RSA Keypair: different PublicExponent (e) */
+		{ "example.", 53461, "example-e.", 53973, DST_ALG_RSASHA256,
+		  DST_TYPE_PUBLIC | DST_TYPE_PRIVATE, false },
+
+		/* RSA Keypair: different Modulus (n) */
+		{ "example.", 53461, "example-n.", 37464, DST_ALG_RSASHA256,
+		  DST_TYPE_PUBLIC | DST_TYPE_PRIVATE, false },
+
+		/* RSA Keypair: different PrivateExponent (d) */
+		{ "example.", 53461, "example-d.", 53461, DST_ALG_RSASHA256,
+		  DST_TYPE_PUBLIC | DST_TYPE_PRIVATE, false },
+
+		/* RSA Keypair: different Prime1 (p) */
+		{ "example.", 53461, "example-p.", 53461, DST_ALG_RSASHA256,
+		  DST_TYPE_PUBLIC | DST_TYPE_PRIVATE, false },
+
+		/* RSA Keypair: different Prime2 (q) */
+		{ "example.", 53461, "example-q.", 53461, DST_ALG_RSASHA256,
+		  DST_TYPE_PUBLIC | DST_TYPE_PRIVATE, false },
+
+		/* RSA Public Key: self */
+		{ "example.", 53461, "example.", 53461, DST_ALG_RSASHA256,
+		  DST_TYPE_PUBLIC, true },
+
+		/* RSA Public Key: different key */
+		{ "example.", 53461, "example2.", 37993, DST_ALG_RSASHA256,
+		  DST_TYPE_PUBLIC, false },
+
+		/* RSA Public Key: different PublicExponent (e) */
+		{ "example.", 53461, "example-e.", 53973, DST_ALG_RSASHA256,
+		  DST_TYPE_PUBLIC, false },
+
+		/* RSA Public Key: different Modulus (n) */
+		{ "example.", 53461, "example-n.", 37464, DST_ALG_RSASHA256,
+		  DST_TYPE_PUBLIC, false },
+
+		/* ECDSA Keypair: self */
+		{ "example.", 19786, "example.", 19786, DST_ALG_ECDSA256,
+		  DST_TYPE_PUBLIC | DST_TYPE_PRIVATE, true },
+
+		/* ECDSA Keypair: different key */
+		{ "example.", 19786, "example2.", 16384, DST_ALG_ECDSA256,
+		  DST_TYPE_PUBLIC | DST_TYPE_PRIVATE, false },
+
+		/* ECDSA Public Key: self */
+		{ "example.", 19786, "example.", 19786, DST_ALG_ECDSA256,
+		  DST_TYPE_PUBLIC, true },
+
+		/* ECDSA Public Key: different key */
+		{ "example.", 19786, "example2.", 16384, DST_ALG_ECDSA256,
+		  DST_TYPE_PUBLIC, false },
+
+		/* EdDSA Keypair: self */
+		{ "example.", 63663, "example.", 63663, DST_ALG_ED25519,
+		  DST_TYPE_PUBLIC | DST_TYPE_PRIVATE, true },
+
+		/* EdDSA Keypair: different key */
+		{ "example.", 63663, "example2.", 37529, DST_ALG_ED25519,
+		  DST_TYPE_PUBLIC | DST_TYPE_PRIVATE, false },
+
+		/* EdDSA Public Key: self */
+		{ "example.", 63663, "example.", 63663, DST_ALG_ED25519,
+		  DST_TYPE_PUBLIC, true },
+
+		/* EdDSA Public Key: different key */
+		{ "example.", 63663, "example2.", 37529, DST_ALG_ED25519,
+		  DST_TYPE_PUBLIC, false },
+
+		/* DH Keypair: self */
+		{ "example.", 65316, "example.", 65316, DST_ALG_DH,
+		  DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY, true },
+
+		/* DH Keypair: different key */
+		{ "example.", 65316, "example2.", 19823, DST_ALG_DH,
+		  DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY, false },
+
+		/* DH Keypair: different key (with generator=5) */
+		{ "example.", 65316, "example3.", 17187, DST_ALG_DH,
+		  DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY, false },
+
+		/* DH Keypair: different private key */
+		{ "example.", 65316, "example-private.", 65316, DST_ALG_DH,
+		  DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY, false },
+
+		/* DH Public Key: self */
+		{ "example.", 65316, "example.", 65316, DST_ALG_DH,
+		  DST_TYPE_PUBLIC | DST_TYPE_KEY, true },
+
+		/* DH Public Key: different key */
+		{ "example.", 65316, "example2.", 19823, DST_ALG_DH,
+		  DST_TYPE_PUBLIC | DST_TYPE_KEY, false },
+
+		/* DH Public Key: different key (with generator=5) */
+		{ "example.", 65316, "example3.", 17187, DST_ALG_DH,
+		  DST_TYPE_PUBLIC | DST_TYPE_KEY, false },
+	};
+	unsigned int i;
+
+	for (i = 0; i < (sizeof(testcases) / sizeof(testcases[0])); i++) {
+		if (!dst_algorithm_supported(testcases[i].alg)) {
+			continue;
+		}
+
+		check_cmp(testcases[i].key1_name, testcases[i].key1_id,
+			  testcases[i].key2_name, testcases[i].key2_id,
+			  testcases[i].alg, testcases[i].type,
+			  testcases[i].expect);
+	}
+}
+#endif /* #if !defined(USE_PKCS11) */
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test_setup_teardown(sig_test, _setup, _teardown),
+#if !defined(USE_PKCS11)
+		cmocka_unit_test_setup_teardown(cmp_test, _setup, _teardown),
+#endif /* #if !defined(USE_PKCS11) */
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/dns/tests/geoip_test.c b/lib/dns/tests/geoip_test.c
new file mode 100644
index 0000000..054213e
--- /dev/null
+++ b/lib/dns/tests/geoip_test.c
@@ -0,0 +1,433 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <dns/geoip.h>
+
+#include "dnstest.h"
+
+#if defined(HAVE_GEOIP2)
+#include <maxminddb.h>
+
+#include "../geoip2.c"
+
+/* Use GeoIP2 databases from the 'geoip2' system test */
+#define TEST_GEOIP_DATA "../../../bin/tests/system/geoip2/data"
+
+static dns_geoip_databases_t geoip;
+
+static MMDB_s geoip_country, geoip_city, geoip_as, geoip_isp, geoip_domain;
+
+static void
+load_geoip(const char *dir);
+static void
+close_geoip(void);
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = dns_test_begin(NULL, false);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/* Use databases from the geoip system test */
+	load_geoip(TEST_GEOIP_DATA);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	close_geoip();
+
+	dns_test_end();
+
+	return (0);
+}
+
+static MMDB_s *
+open_geoip2(const char *dir, const char *dbfile, MMDB_s *mmdb) {
+	char pathbuf[PATH_MAX];
+	int ret;
+
+	snprintf(pathbuf, sizeof(pathbuf), "%s/%s", dir, dbfile);
+	ret = MMDB_open(pathbuf, MMDB_MODE_MMAP, mmdb);
+	if (ret == MMDB_SUCCESS) {
+		return (mmdb);
+	}
+
+	return (NULL);
+}
+
+static void
+load_geoip(const char *dir) {
+	geoip.country = open_geoip2(dir, "GeoIP2-Country.mmdb", &geoip_country);
+	geoip.city = open_geoip2(dir, "GeoIP2-City.mmdb", &geoip_city);
+	geoip.as = open_geoip2(dir, "GeoLite2-ASN.mmdb", &geoip_as);
+	geoip.isp = open_geoip2(dir, "GeoIP2-ISP.mmdb", &geoip_isp);
+	geoip.domain = open_geoip2(dir, "GeoIP2-Domain.mmdb", &geoip_domain);
+}
+
+static void
+close_geoip(void) {
+	MMDB_close(&geoip_country);
+	MMDB_close(&geoip_city);
+	MMDB_close(&geoip_as);
+	MMDB_close(&geoip_isp);
+	MMDB_close(&geoip_domain);
+}
+
+static bool
+/* Check if an MMDB entry of a given subtype exists for the given IP */
+entry_exists(dns_geoip_subtype_t subtype, const char *addr) {
+	struct in6_addr in6;
+	struct in_addr in4;
+	isc_netaddr_t na;
+	MMDB_s *db;
+
+	if (inet_pton(AF_INET6, addr, &in6) == 1) {
+		isc_netaddr_fromin6(&na, &in6);
+	} else if (inet_pton(AF_INET, addr, &in4) == 1) {
+		isc_netaddr_fromin(&na, &in4);
+	} else {
+		UNREACHABLE();
+	}
+
+	db = geoip2_database(&geoip, fix_subtype(&geoip, subtype));
+
+	return (db != NULL && get_entry_for(db, &na) != NULL);
+}
+
+/*
+ * Baseline test - check if get_entry_for() works as expected, i.e. that its
+ * return values are consistent with the contents of the test MMDBs found in
+ * bin/tests/system/geoip2/data/ (10.53.0.1 and fd92:7065:b8e:ffff::1 should be
+ * present in all databases, 192.0.2.128 should only be present in the country
+ * database, ::1 should be absent from all databases).
+ */
+static void
+baseline(void **state) {
+	dns_geoip_subtype_t subtype;
+
+	UNUSED(state);
+
+	subtype = dns_geoip_city_name;
+
+	assert_true(entry_exists(subtype, "10.53.0.1"));
+	assert_false(entry_exists(subtype, "192.0.2.128"));
+	assert_true(entry_exists(subtype, "fd92:7065:b8e:ffff::1"));
+	assert_false(entry_exists(subtype, "::1"));
+
+	subtype = dns_geoip_country_name;
+
+	assert_true(entry_exists(subtype, "10.53.0.1"));
+	assert_true(entry_exists(subtype, "192.0.2.128"));
+	assert_true(entry_exists(subtype, "fd92:7065:b8e:ffff::1"));
+	assert_false(entry_exists(subtype, "::1"));
+
+	subtype = dns_geoip_domain_name;
+
+	assert_true(entry_exists(subtype, "10.53.0.1"));
+	assert_false(entry_exists(subtype, "192.0.2.128"));
+	assert_true(entry_exists(subtype, "fd92:7065:b8e:ffff::1"));
+	assert_false(entry_exists(subtype, "::1"));
+
+	subtype = dns_geoip_isp_name;
+
+	assert_true(entry_exists(subtype, "10.53.0.1"));
+	assert_false(entry_exists(subtype, "192.0.2.128"));
+	assert_true(entry_exists(subtype, "fd92:7065:b8e:ffff::1"));
+	assert_false(entry_exists(subtype, "::1"));
+
+	subtype = dns_geoip_as_asnum;
+
+	assert_true(entry_exists(subtype, "10.53.0.1"));
+	assert_false(entry_exists(subtype, "192.0.2.128"));
+	assert_true(entry_exists(subtype, "fd92:7065:b8e:ffff::1"));
+	assert_false(entry_exists(subtype, "::1"));
+}
+
+static bool
+do_lookup_string(const char *addr, dns_geoip_subtype_t subtype,
+		 const char *string) {
+	dns_geoip_elem_t elt;
+	struct in_addr in4;
+	isc_netaddr_t na;
+	int n;
+
+	n = inet_pton(AF_INET, addr, &in4);
+	assert_int_equal(n, 1);
+	isc_netaddr_fromin(&na, &in4);
+
+	elt.subtype = subtype;
+	strlcpy(elt.as_string, string, sizeof(elt.as_string));
+
+	return (dns_geoip_match(&na, &geoip, &elt));
+}
+
+static bool
+do_lookup_string_v6(const char *addr, dns_geoip_subtype_t subtype,
+		    const char *string) {
+	dns_geoip_elem_t elt;
+	struct in6_addr in6;
+	isc_netaddr_t na;
+	int n;
+
+	n = inet_pton(AF_INET6, addr, &in6);
+	assert_int_equal(n, 1);
+	isc_netaddr_fromin6(&na, &in6);
+
+	elt.subtype = subtype;
+	strlcpy(elt.as_string, string, sizeof(elt.as_string));
+
+	return (dns_geoip_match(&na, &geoip, &elt));
+}
+
+/* GeoIP country matching */
+static void
+country(void **state) {
+	bool match;
+
+	UNUSED(state);
+
+	if (geoip.country == NULL) {
+		skip();
+	}
+
+	match = do_lookup_string("10.53.0.1", dns_geoip_country_code, "AU");
+	assert_true(match);
+
+	match = do_lookup_string("10.53.0.1", dns_geoip_country_name,
+				 "Australia");
+	assert_true(match);
+
+	match = do_lookup_string("192.0.2.128", dns_geoip_country_code, "O1");
+	assert_true(match);
+
+	match = do_lookup_string("192.0.2.128", dns_geoip_country_name,
+				 "Other");
+	assert_true(match);
+}
+
+/* GeoIP country (ipv6) matching */
+static void
+country_v6(void **state) {
+	bool match;
+
+	UNUSED(state);
+
+	if (geoip.country == NULL) {
+		skip();
+	}
+
+	match = do_lookup_string_v6("fd92:7065:b8e:ffff::1",
+				    dns_geoip_country_code, "AU");
+	assert_true(match);
+
+	match = do_lookup_string_v6("fd92:7065:b8e:ffff::1",
+				    dns_geoip_country_name, "Australia");
+	assert_true(match);
+}
+
+/* GeoIP city (ipv4) matching */
+static void
+city(void **state) {
+	bool match;
+
+	UNUSED(state);
+
+	if (geoip.city == NULL) {
+		skip();
+	}
+
+	match = do_lookup_string("10.53.0.1", dns_geoip_city_continentcode,
+				 "NA");
+	assert_true(match);
+
+	match = do_lookup_string("10.53.0.1", dns_geoip_city_countrycode, "US");
+	assert_true(match);
+
+	match = do_lookup_string("10.53.0.1", dns_geoip_city_countryname,
+				 "United States");
+	assert_true(match);
+
+	match = do_lookup_string("10.53.0.1", dns_geoip_city_region, "CA");
+	assert_true(match);
+
+	match = do_lookup_string("10.53.0.1", dns_geoip_city_regionname,
+				 "California");
+	assert_true(match);
+
+	match = do_lookup_string("10.53.0.1", dns_geoip_city_name,
+				 "Redwood City");
+	assert_true(match);
+
+	match = do_lookup_string("10.53.0.1", dns_geoip_city_postalcode,
+				 "94063");
+	assert_true(match);
+}
+
+/* GeoIP city (ipv6) matching */
+static void
+city_v6(void **state) {
+	bool match;
+
+	UNUSED(state);
+
+	if (geoip.city == NULL) {
+		skip();
+	}
+
+	match = do_lookup_string_v6("fd92:7065:b8e:ffff::1",
+				    dns_geoip_city_continentcode, "NA");
+	assert_true(match);
+
+	match = do_lookup_string_v6("fd92:7065:b8e:ffff::1",
+				    dns_geoip_city_countrycode, "US");
+	assert_true(match);
+
+	match = do_lookup_string_v6("fd92:7065:b8e:ffff::1",
+				    dns_geoip_city_countryname,
+				    "United States");
+	assert_true(match);
+
+	match = do_lookup_string_v6("fd92:7065:b8e:ffff::1",
+				    dns_geoip_city_region, "CA");
+	assert_true(match);
+
+	match = do_lookup_string_v6("fd92:7065:b8e:ffff::1",
+				    dns_geoip_city_regionname, "California");
+	assert_true(match);
+
+	match = do_lookup_string_v6("fd92:7065:b8e:ffff::1",
+				    dns_geoip_city_name, "Redwood City");
+	assert_true(match);
+
+	match = do_lookup_string_v6("fd92:7065:b8e:ffff::1",
+				    dns_geoip_city_postalcode, "94063");
+	assert_true(match);
+}
+
+/* GeoIP asnum matching */
+static void
+asnum(void **state) {
+	bool match;
+
+	UNUSED(state);
+
+	if (geoip.as == NULL) {
+		skip();
+	}
+
+	match = do_lookup_string("10.53.0.3", dns_geoip_as_asnum, "AS100003");
+	assert_true(match);
+}
+
+/* GeoIP isp matching */
+static void
+isp(void **state) {
+	bool match;
+
+	UNUSED(state);
+
+	if (geoip.isp == NULL) {
+		skip();
+	}
+
+	match = do_lookup_string("10.53.0.1", dns_geoip_isp_name,
+				 "One Systems, Inc.");
+	assert_true(match);
+}
+
+/* GeoIP org matching */
+static void
+org(void **state) {
+	bool match;
+
+	UNUSED(state);
+
+	if (geoip.as == NULL) {
+		skip();
+	}
+
+	match = do_lookup_string("10.53.0.2", dns_geoip_org_name,
+				 "Two Technology Ltd.");
+	assert_true(match);
+}
+
+/* GeoIP domain matching */
+static void
+domain(void **state) {
+	bool match;
+
+	UNUSED(state);
+
+	if (geoip.domain == NULL) {
+		skip();
+	}
+
+	match = do_lookup_string("10.53.0.5", dns_geoip_domain_name, "five.es");
+	assert_true(match);
+}
+#endif /* HAVE_GEOIP2 */
+
+int
+main(void) {
+#if defined(HAVE_GEOIP2)
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test(baseline),   cmocka_unit_test(country),
+		cmocka_unit_test(country_v6), cmocka_unit_test(city),
+		cmocka_unit_test(city_v6),    cmocka_unit_test(asnum),
+		cmocka_unit_test(isp),	      cmocka_unit_test(org),
+		cmocka_unit_test(domain),
+	};
+
+	return (cmocka_run_group_tests(tests, _setup, _teardown));
+#else  /* if defined(HAVE_GEOIP2) */
+	print_message("1..0 # Skip GeoIP not enabled\n");
+#endif /* if defined(HAVE_GEOIP2) */
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* HAVE_CMOCKA */
diff --git a/lib/dns/tests/keytable_test.c b/lib/dns/tests/keytable_test.c
new file mode 100644
index 0000000..670b1b2
--- /dev/null
+++ b/lib/dns/tests/keytable_test.c
@@ -0,0 +1,720 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <inttypes.h>
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/md.h>
+#include <isc/util.h>
+
+#include <dns/fixedname.h>
+#include <dns/keytable.h>
+#include <dns/name.h>
+#include <dns/nta.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatastruct.h>
+#include <dns/rootns.h>
+#include <dns/view.h>
+
+#include <dst/dst.h>
+
+#include "dnstest.h"
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = dns_test_begin(NULL, true);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	dns_test_end();
+
+	return (0);
+}
+
+dns_keytable_t *keytable = NULL;
+dns_ntatable_t *ntatable = NULL;
+
+static const char *keystr1 = "BQEAAAABok+vaUC9neRv8yeT/"
+			     "FEGgN7svR8s7VBUVSBd8NsAiV8AlaAg "
+			     "O5FHar3JQd95i/puZos6Vi6at9/"
+			     "JBbN8qVmO2AuiXxVqfxMKxIcy+LEB "
+			     "0Vw4NaSJ3N3uaVREso6aTSs98H/"
+			     "25MjcwLOr7SFfXA7bGhZatLtYY/xu kp6Km5hMfkE=";
+
+static const char *keystr2 = "BQEAAAABwuHz9Cem0BJ0JQTO7C/a3McR6hMaufljs1dfG/"
+			     "inaJpYv7vH "
+			     "XTrAOm/MeKp+/x6eT4QLru0KoZkvZJnqTI8JyaFTw2OM/"
+			     "ItBfh/hL2lm "
+			     "Cft2O7n3MfeqYtvjPnY7dWghYW4sVfH7VVEGm958o9nfi7953"
+			     "2Qeklxh x8pXWdeAaRU=";
+
+static dns_view_t *view = NULL;
+
+/*
+ * Test utilities.  In general, these assume input parameters are valid
+ * (checking with assert_int_equal, thus aborting if not) and unlikely run time
+ * errors (such as memory allocation failure) won't happen.  This helps keep
+ * the test code concise.
+ */
+
+/*
+ * Utility to convert C-string to dns_name_t.  Return a pointer to
+ * static data, and so is not thread safe.
+ */
+static dns_name_t *
+str2name(const char *namestr) {
+	static dns_fixedname_t fname;
+	static dns_name_t *name;
+	static isc_buffer_t namebuf;
+	void *deconst_namestr;
+
+	name = dns_fixedname_initname(&fname);
+	DE_CONST(namestr, deconst_namestr); /* OK, since we don't modify it */
+	isc_buffer_init(&namebuf, deconst_namestr, strlen(deconst_namestr));
+	isc_buffer_add(&namebuf, strlen(namestr));
+	assert_int_equal(
+		dns_name_fromtext(name, &namebuf, dns_rootname, 0, NULL),
+		ISC_R_SUCCESS);
+
+	return (name);
+}
+
+static void
+create_keystruct(uint16_t flags, uint8_t proto, uint8_t alg, const char *keystr,
+		 dns_rdata_dnskey_t *keystruct) {
+	unsigned char keydata[4096];
+	isc_buffer_t keydatabuf;
+	isc_region_t r;
+	const dns_rdataclass_t rdclass = dns_rdataclass_in;
+
+	keystruct->common.rdclass = rdclass;
+	keystruct->common.rdtype = dns_rdatatype_dnskey;
+	keystruct->mctx = dt_mctx;
+	ISC_LINK_INIT(&keystruct->common, link);
+	keystruct->flags = flags;
+	keystruct->protocol = proto;
+	keystruct->algorithm = alg;
+
+	isc_buffer_init(&keydatabuf, keydata, sizeof(keydata));
+	assert_int_equal(isc_base64_decodestring(keystr, &keydatabuf),
+			 ISC_R_SUCCESS);
+	isc_buffer_usedregion(&keydatabuf, &r);
+	keystruct->datalen = r.length;
+	keystruct->data = isc_mem_allocate(dt_mctx, r.length);
+	memmove(keystruct->data, r.base, r.length);
+}
+
+static void
+create_dsstruct(dns_name_t *name, uint16_t flags, uint8_t proto, uint8_t alg,
+		const char *keystr, unsigned char *digest,
+		dns_rdata_ds_t *dsstruct) {
+	isc_result_t result;
+	unsigned char rrdata[4096];
+	isc_buffer_t rrdatabuf;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_dnskey_t dnskey;
+
+	/*
+	 * Populate DNSKEY rdata structure.
+	 */
+	create_keystruct(flags, proto, alg, keystr, &dnskey);
+
+	/*
+	 * Convert to wire format.
+	 */
+	isc_buffer_init(&rrdatabuf, rrdata, sizeof(rrdata));
+	result = dns_rdata_fromstruct(&rdata, dnskey.common.rdclass,
+				      dnskey.common.rdtype, &dnskey,
+				      &rrdatabuf);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/*
+	 * Build DS rdata struct.
+	 */
+	result = dns_ds_fromkeyrdata(name, &rdata, DNS_DSDIGEST_SHA256, digest,
+				     dsstruct);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	dns_rdata_freestruct(&dnskey);
+}
+
+/* Common setup: create a keytable and ntatable to test with a few keys */
+static void
+create_tables() {
+	isc_result_t result;
+	unsigned char digest[ISC_MAX_MD_SIZE];
+	dns_rdata_ds_t ds;
+	dns_fixedname_t fn;
+	dns_name_t *keyname = dns_fixedname_name(&fn);
+	isc_stdtime_t now;
+
+	result = dns_test_makeview("view", &view);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	assert_int_equal(dns_keytable_create(dt_mctx, &keytable),
+			 ISC_R_SUCCESS);
+	assert_int_equal(
+		dns_ntatable_create(view, taskmgr, timermgr, &ntatable),
+		ISC_R_SUCCESS);
+
+	/* Add a normal key */
+	dns_test_namefromstring("example.com", &fn);
+	create_dsstruct(keyname, 257, 3, 5, keystr1, digest, &ds);
+	assert_int_equal(dns_keytable_add(keytable, false, false, keyname, &ds),
+			 ISC_R_SUCCESS);
+
+	/* Add an initializing managed key */
+	dns_test_namefromstring("managed.com", &fn);
+	create_dsstruct(keyname, 257, 3, 5, keystr1, digest, &ds);
+	assert_int_equal(dns_keytable_add(keytable, true, true, keyname, &ds),
+			 ISC_R_SUCCESS);
+
+	/* Add a null key */
+	assert_int_equal(dns_keytable_marksecure(keytable, str2name("null."
+								    "example")),
+			 ISC_R_SUCCESS);
+
+	/* Add a negative trust anchor, duration 1 hour */
+	isc_stdtime_get(&now);
+	assert_int_equal(dns_ntatable_add(ntatable,
+					  str2name("insecure.example"), false,
+					  now, 3600),
+			 ISC_R_SUCCESS);
+}
+
+static void
+destroy_tables() {
+	if (ntatable != NULL) {
+		dns_ntatable_detach(&ntatable);
+	}
+	if (keytable != NULL) {
+		dns_keytable_detach(&keytable);
+	}
+
+	dns_view_detach(&view);
+}
+
+/* add keys to the keytable */
+static void
+add_test(void **state) {
+	dns_keynode_t *keynode = NULL;
+	dns_keynode_t *null_keynode = NULL;
+	unsigned char digest[ISC_MAX_MD_SIZE];
+	dns_rdata_ds_t ds;
+	dns_fixedname_t fn;
+	dns_name_t *keyname = dns_fixedname_name(&fn);
+
+	UNUSED(state);
+
+	create_tables();
+
+	/*
+	 * Getting the keynode for the example.com key should succeed.
+	 */
+	assert_int_equal(
+		dns_keytable_find(keytable, str2name("example.com"), &keynode),
+		ISC_R_SUCCESS);
+
+	/*
+	 * Try to add the same key.  This should have no effect but
+	 * report success.
+	 */
+	dns_test_namefromstring("example.com", &fn);
+	create_dsstruct(keyname, 257, 3, 5, keystr1, digest, &ds);
+	assert_int_equal(dns_keytable_add(keytable, false, false, keyname, &ds),
+			 ISC_R_SUCCESS);
+	dns_keytable_detachkeynode(keytable, &keynode);
+	assert_int_equal(
+		dns_keytable_find(keytable, str2name("example.com"), &keynode),
+		ISC_R_SUCCESS);
+
+	/* Add another key (different keydata) */
+	dns_keytable_detachkeynode(keytable, &keynode);
+	create_dsstruct(keyname, 257, 3, 5, keystr2, digest, &ds);
+	assert_int_equal(dns_keytable_add(keytable, false, false, keyname, &ds),
+			 ISC_R_SUCCESS);
+	assert_int_equal(
+		dns_keytable_find(keytable, str2name("example.com"), &keynode),
+		ISC_R_SUCCESS);
+	dns_keytable_detachkeynode(keytable, &keynode);
+
+	/*
+	 * Get the keynode for the managed.com key. Ensure the
+	 * retrieved key is an initializing key, then mark it as trusted using
+	 * dns_keynode_trust() and ensure the latter works as expected.
+	 */
+	assert_int_equal(
+		dns_keytable_find(keytable, str2name("managed.com"), &keynode),
+		ISC_R_SUCCESS);
+	assert_int_equal(dns_keynode_initial(keynode), true);
+	dns_keynode_trust(keynode);
+	assert_int_equal(dns_keynode_initial(keynode), false);
+	dns_keytable_detachkeynode(keytable, &keynode);
+
+	/*
+	 * Add a different managed key for managed.com, marking it as an
+	 * initializing key. Since there is already a trusted key at the
+	 * node, the node should *not* be marked as initializing.
+	 */
+	dns_test_namefromstring("managed.com", &fn);
+	create_dsstruct(keyname, 257, 3, 5, keystr2, digest, &ds);
+	assert_int_equal(dns_keytable_add(keytable, true, true, keyname, &ds),
+			 ISC_R_SUCCESS);
+	assert_int_equal(
+		dns_keytable_find(keytable, str2name("managed.com"), &keynode),
+		ISC_R_SUCCESS);
+	assert_int_equal(dns_keynode_initial(keynode), false);
+	dns_keytable_detachkeynode(keytable, &keynode);
+
+	/*
+	 * Add the same managed key again, but this time mark it as a
+	 * non-initializing key.  Ensure the previously added key is upgraded
+	 * to a non-initializing key and make sure there are still two key
+	 * nodes for managed.com, both containing non-initializing keys.
+	 */
+	assert_int_equal(dns_keytable_add(keytable, true, false, keyname, &ds),
+			 ISC_R_SUCCESS);
+	assert_int_equal(
+		dns_keytable_find(keytable, str2name("managed.com"), &keynode),
+		ISC_R_SUCCESS);
+	assert_int_equal(dns_keynode_initial(keynode), false);
+	dns_keytable_detachkeynode(keytable, &keynode);
+
+	/*
+	 * Add a managed key at a new node, two.com, marking it as an
+	 * initializing key.
+	 */
+	dns_test_namefromstring("two.com", &fn);
+	create_dsstruct(keyname, 257, 3, 5, keystr1, digest, &ds);
+	assert_int_equal(dns_keytable_add(keytable, true, true, keyname, &ds),
+			 ISC_R_SUCCESS);
+	assert_int_equal(
+		dns_keytable_find(keytable, str2name("two.com"), &keynode),
+		ISC_R_SUCCESS);
+	assert_int_equal(dns_keynode_initial(keynode), true);
+	dns_keytable_detachkeynode(keytable, &keynode);
+
+	/*
+	 * Add a different managed key for two.com, marking it as a
+	 * non-initializing key. Since there is already an iniitalizing
+	 * trust anchor for two.com and we haven't run dns_keynode_trust(),
+	 * the initialization status should not change.
+	 */
+	create_dsstruct(keyname, 257, 3, 5, keystr2, digest, &ds);
+	assert_int_equal(dns_keytable_add(keytable, true, false, keyname, &ds),
+			 ISC_R_SUCCESS);
+	assert_int_equal(
+		dns_keytable_find(keytable, str2name("two.com"), &keynode),
+		ISC_R_SUCCESS);
+	assert_int_equal(dns_keynode_initial(keynode), true);
+	dns_keytable_detachkeynode(keytable, &keynode);
+
+	/*
+	 * Add a normal key to a name that has a null key.  The null key node
+	 * will be updated with the normal key.
+	 */
+	assert_int_equal(dns_keytable_find(keytable, str2name("null.example"),
+					   &null_keynode),
+			 ISC_R_SUCCESS);
+	dns_test_namefromstring("null.example", &fn);
+	create_dsstruct(keyname, 257, 3, 5, keystr2, digest, &ds);
+	assert_int_equal(dns_keytable_add(keytable, false, false, keyname, &ds),
+			 ISC_R_SUCCESS);
+	assert_int_equal(
+		dns_keytable_find(keytable, str2name("null.example"), &keynode),
+		ISC_R_SUCCESS);
+	assert_ptr_equal(keynode, null_keynode); /* should be the same node */
+	dns_keytable_detachkeynode(keytable, &null_keynode);
+
+	/*
+	 * Try to add a null key to a name that already has a key.  It's
+	 * effectively no-op, so the same key node is still there.
+	 * (Note: this and above checks confirm that if a name has a null key
+	 * that's the only key for the name).
+	 */
+	assert_int_equal(dns_keytable_marksecure(keytable, str2name("null."
+								    "example")),
+			 ISC_R_SUCCESS);
+	assert_int_equal(dns_keytable_find(keytable, str2name("null.example"),
+					   &null_keynode),
+			 ISC_R_SUCCESS);
+	assert_ptr_equal(keynode, null_keynode);
+	dns_keytable_detachkeynode(keytable, &null_keynode);
+
+	dns_keytable_detachkeynode(keytable, &keynode);
+	destroy_tables();
+}
+
+/* delete keys from the keytable */
+static void
+delete_test(void **state) {
+	UNUSED(state);
+
+	create_tables();
+
+	/* dns_keytable_delete requires exact match */
+	assert_int_equal(dns_keytable_delete(keytable, str2name("example.org")),
+			 ISC_R_NOTFOUND);
+	assert_int_equal(dns_keytable_delete(keytable, str2name("s.example."
+								"com")),
+			 ISC_R_NOTFOUND);
+	assert_int_equal(dns_keytable_delete(keytable, str2name("example.com")),
+			 ISC_R_SUCCESS);
+
+	/* works also for nodes with a null key */
+	assert_int_equal(dns_keytable_delete(keytable, str2name("null."
+								"example")),
+			 ISC_R_SUCCESS);
+
+	/* or a negative trust anchor */
+	assert_int_equal(dns_ntatable_delete(ntatable, str2name("insecure."
+								"example")),
+			 ISC_R_SUCCESS);
+
+	destroy_tables();
+}
+
+/* delete key nodes from the keytable */
+static void
+deletekey_test(void **state) {
+	dns_rdata_dnskey_t dnskey;
+	dns_fixedname_t fn;
+	dns_name_t *keyname = dns_fixedname_name(&fn);
+
+	UNUSED(state);
+
+	create_tables();
+
+	/* key name doesn't match */
+	dns_test_namefromstring("example.org", &fn);
+	create_keystruct(257, 3, 5, keystr1, &dnskey);
+	assert_int_equal(dns_keytable_deletekey(keytable, keyname, &dnskey),
+			 ISC_R_NOTFOUND);
+	dns_rdata_freestruct(&dnskey);
+
+	/* subdomain match is the same as no match */
+	dns_test_namefromstring("sub.example.org", &fn);
+	create_keystruct(257, 3, 5, keystr1, &dnskey);
+	assert_int_equal(dns_keytable_deletekey(keytable, keyname, &dnskey),
+			 ISC_R_NOTFOUND);
+	dns_rdata_freestruct(&dnskey);
+
+	/* name matches but key doesn't match (resulting in PARTIALMATCH) */
+	dns_test_namefromstring("example.com", &fn);
+	create_keystruct(257, 3, 5, keystr2, &dnskey);
+	assert_int_equal(dns_keytable_deletekey(keytable, keyname, &dnskey),
+			 DNS_R_PARTIALMATCH);
+	dns_rdata_freestruct(&dnskey);
+
+	/*
+	 * exact match: should return SUCCESS on the first try, then
+	 * PARTIALMATCH on the second (because the name existed but
+	 * not a matching key).
+	 */
+	create_keystruct(257, 3, 5, keystr1, &dnskey);
+	assert_int_equal(dns_keytable_deletekey(keytable, keyname, &dnskey),
+			 ISC_R_SUCCESS);
+	assert_int_equal(dns_keytable_deletekey(keytable, keyname, &dnskey),
+			 DNS_R_PARTIALMATCH);
+
+	/*
+	 * after deleting the node, any deletekey or delete attempt should
+	 * result in NOTFOUND.
+	 */
+	assert_int_equal(dns_keytable_delete(keytable, keyname), ISC_R_SUCCESS);
+	assert_int_equal(dns_keytable_deletekey(keytable, keyname, &dnskey),
+			 ISC_R_NOTFOUND);
+	dns_rdata_freestruct(&dnskey);
+
+	/*
+	 * A null key node for a name is not deleted when searched by key;
+	 * it must be deleted by dns_keytable_delete()
+	 */
+	dns_test_namefromstring("null.example", &fn);
+	create_keystruct(257, 3, 5, keystr1, &dnskey);
+	assert_int_equal(dns_keytable_deletekey(keytable, keyname, &dnskey),
+			 DNS_R_PARTIALMATCH);
+	assert_int_equal(dns_keytable_delete(keytable, keyname), ISC_R_SUCCESS);
+	dns_rdata_freestruct(&dnskey);
+
+	destroy_tables();
+}
+
+/* check find-variant operations */
+static void
+find_test(void **state) {
+	dns_keynode_t *keynode = NULL;
+	dns_fixedname_t fname;
+	dns_name_t *name;
+
+	UNUSED(state);
+
+	create_tables();
+
+	/*
+	 * dns_keytable_find() requires exact name match.  It matches node
+	 * that has a null key, too.
+	 */
+	assert_int_equal(
+		dns_keytable_find(keytable, str2name("example.org"), &keynode),
+		ISC_R_NOTFOUND);
+	assert_int_equal(dns_keytable_find(keytable,
+					   str2name("sub.example.com"),
+					   &keynode),
+			 ISC_R_NOTFOUND);
+	assert_int_equal(
+		dns_keytable_find(keytable, str2name("example.com"), &keynode),
+		ISC_R_SUCCESS);
+	dns_keytable_detachkeynode(keytable, &keynode);
+	assert_int_equal(
+		dns_keytable_find(keytable, str2name("null.example"), &keynode),
+		ISC_R_SUCCESS);
+	dns_keytable_detachkeynode(keytable, &keynode);
+
+	/*
+	 * dns_keytable_finddeepestmatch() allows partial match.  Also match
+	 * nodes with a null key.
+	 */
+	name = dns_fixedname_initname(&fname);
+	assert_int_equal(dns_keytable_finddeepestmatch(
+				 keytable, str2name("example.com"), name),
+			 ISC_R_SUCCESS);
+	assert_true(dns_name_equal(name, str2name("example.com")));
+	assert_int_equal(dns_keytable_finddeepestmatch(
+				 keytable, str2name("s.example.com"), name),
+			 ISC_R_SUCCESS);
+	assert_true(dns_name_equal(name, str2name("example.com")));
+	assert_int_equal(dns_keytable_finddeepestmatch(
+				 keytable, str2name("example.org"), name),
+			 ISC_R_NOTFOUND);
+	assert_int_equal(dns_keytable_finddeepestmatch(
+				 keytable, str2name("null.example"), name),
+			 ISC_R_SUCCESS);
+	assert_true(dns_name_equal(name, str2name("null.example")));
+
+	destroy_tables();
+}
+
+/* check issecuredomain() */
+static void
+issecuredomain_test(void **state) {
+	bool issecure;
+	const char **n;
+	const char *names[] = { "example.com", "sub.example.com",
+				"null.example", "sub.null.example", NULL };
+
+	UNUSED(state);
+	create_tables();
+
+	/*
+	 * Domains that are an exact or partial match of a key name are
+	 * considered secure.  It's the case even if the key is null
+	 * (validation will then fail, but that's actually the intended effect
+	 * of installing a null key).
+	 */
+	for (n = names; *n != NULL; n++) {
+		assert_int_equal(dns_keytable_issecuredomain(keytable,
+							     str2name(*n), NULL,
+							     &issecure),
+				 ISC_R_SUCCESS);
+		assert_true(issecure);
+	}
+
+	/*
+	 * If the key table has no entry (not even a null one) for a domain or
+	 * any of its ancestors, that domain is considered insecure.
+	 */
+	assert_int_equal(dns_keytable_issecuredomain(keytable,
+						     str2name("example.org"),
+						     NULL, &issecure),
+			 ISC_R_SUCCESS);
+	assert_false(issecure);
+
+	destroy_tables();
+}
+
+/* check dns_keytable_dump() */
+static void
+dump_test(void **state) {
+	FILE *f = fopen("/dev/null", "w");
+
+	UNUSED(state);
+
+	create_tables();
+
+	/*
+	 * Right now, we only confirm the dump attempt doesn't cause disruption
+	 * (so we don't check the dump content).
+	 */
+	assert_int_equal(dns_keytable_dump(keytable, f), ISC_R_SUCCESS);
+	fclose(f);
+
+	destroy_tables();
+}
+
+/* check negative trust anchors */
+static void
+nta_test(void **state) {
+	isc_result_t result;
+	bool issecure, covered;
+	dns_fixedname_t fn;
+	dns_name_t *keyname = dns_fixedname_name(&fn);
+	unsigned char digest[ISC_MAX_MD_SIZE];
+	dns_rdata_ds_t ds;
+	dns_view_t *myview = NULL;
+	isc_stdtime_t now;
+
+	UNUSED(state);
+
+	result = dns_test_makeview("view", &myview);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = isc_task_create(taskmgr, 0, &myview->task);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_view_initsecroots(myview, dt_mctx);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = dns_view_getsecroots(myview, &keytable);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_view_initntatable(myview, taskmgr, timermgr);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = dns_view_getntatable(myview, &ntatable);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	dns_test_namefromstring("example", &fn);
+	create_dsstruct(keyname, 257, 3, 5, keystr1, digest, &ds);
+	result = dns_keytable_add(keytable, false, false, keyname, &ds),
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	isc_stdtime_get(&now);
+	result = dns_ntatable_add(ntatable, str2name("insecure.example"), false,
+				  now, 1);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/* Should be secure */
+	result = dns_view_issecuredomain(myview,
+					 str2name("test.secure.example"), now,
+					 true, &covered, &issecure);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_false(covered);
+	assert_true(issecure);
+
+	/* Should not be secure */
+	result = dns_view_issecuredomain(myview,
+					 str2name("test.insecure.example"), now,
+					 true, &covered, &issecure);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_true(covered);
+	assert_false(issecure);
+
+	/* NTA covered */
+	covered = dns_view_ntacovers(myview, now, str2name("insecure.example"),
+				     dns_rootname);
+	assert_true(covered);
+
+	/* Not NTA covered */
+	covered = dns_view_ntacovers(myview, now, str2name("secure.example"),
+				     dns_rootname);
+	assert_false(covered);
+
+	/* As of now + 2, the NTA should be clear */
+	result = dns_view_issecuredomain(myview,
+					 str2name("test.insecure.example"),
+					 now + 2, true, &covered, &issecure);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_false(covered);
+	assert_true(issecure);
+
+	/* Now check deletion */
+	result = dns_view_issecuredomain(myview, str2name("test.new.example"),
+					 now, true, &covered, &issecure);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_false(covered);
+	assert_true(issecure);
+
+	result = dns_ntatable_add(ntatable, str2name("new.example"), false, now,
+				  3600);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_view_issecuredomain(myview, str2name("test.new.example"),
+					 now, true, &covered, &issecure);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_true(covered);
+	assert_false(issecure);
+
+	result = dns_ntatable_delete(ntatable, str2name("new.example"));
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_view_issecuredomain(myview, str2name("test.new.example"),
+					 now, true, &covered, &issecure);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_false(covered);
+	assert_true(issecure);
+
+	/* Clean up */
+	dns_ntatable_detach(&ntatable);
+	dns_keytable_detach(&keytable);
+	dns_view_detach(&myview);
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test(add_test),
+		cmocka_unit_test(delete_test),
+		cmocka_unit_test(deletekey_test),
+		cmocka_unit_test(find_test),
+		cmocka_unit_test(issecuredomain_test),
+		cmocka_unit_test(dump_test),
+		cmocka_unit_test(nta_test),
+	};
+
+	return (cmocka_run_group_tests(tests, _setup, _teardown));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/dns/tests/master_test.c b/lib/dns/tests/master_test.c
new file mode 100644
index 0000000..c060c0d
--- /dev/null
+++ b/lib/dns/tests/master_test.c
@@ -0,0 +1,633 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/cache.h>
+#include <dns/callbacks.h>
+#include <dns/db.h>
+#include <dns/master.h>
+#include <dns/masterdump.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+
+#include "dnstest.h"
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = dns_test_begin(NULL, false);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	dns_test_end();
+
+	return (0);
+}
+
+static void
+nullmsg(dns_rdatacallbacks_t *cb, const char *fmt, ...) {
+	UNUSED(cb);
+	UNUSED(fmt);
+}
+
+#define BUFLEN	    255
+#define BIGBUFLEN   (70 * 1024)
+#define TEST_ORIGIN "test"
+
+static dns_masterrawheader_t header;
+static bool headerset;
+
+dns_name_t dns_origin;
+char origin[sizeof(TEST_ORIGIN)];
+unsigned char name_buf[BUFLEN];
+dns_rdatacallbacks_t callbacks;
+char *include_file = NULL;
+
+static void
+rawdata_callback(dns_zone_t *zone, dns_masterrawheader_t *header);
+
+static isc_result_t
+add_callback(void *arg, const dns_name_t *owner, dns_rdataset_t *dataset) {
+	char buf[BIGBUFLEN];
+	isc_buffer_t target;
+	isc_result_t result;
+
+	UNUSED(arg);
+
+	isc_buffer_init(&target, buf, BIGBUFLEN);
+	result = dns_rdataset_totext(dataset, owner, false, false, &target);
+	return (result);
+}
+
+static void
+rawdata_callback(dns_zone_t *zone, dns_masterrawheader_t *h) {
+	UNUSED(zone);
+	header = *h;
+	headerset = true;
+}
+
+static isc_result_t
+setup_master(void (*warn)(struct dns_rdatacallbacks *, const char *, ...),
+	     void (*error)(struct dns_rdatacallbacks *, const char *, ...)) {
+	isc_result_t result;
+	int len;
+	isc_buffer_t source;
+	isc_buffer_t target;
+
+	strlcpy(origin, TEST_ORIGIN, sizeof(origin));
+	len = strlen(origin);
+	isc_buffer_init(&source, origin, len);
+	isc_buffer_add(&source, len);
+	isc_buffer_setactive(&source, len);
+	isc_buffer_init(&target, name_buf, BUFLEN);
+	dns_name_init(&dns_origin, NULL);
+	dns_master_initrawheader(&header);
+
+	result = dns_name_fromtext(&dns_origin, &source, dns_rootname, 0,
+				   &target);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	dns_rdatacallbacks_init_stdio(&callbacks);
+	callbacks.add = add_callback;
+	callbacks.rawdata = rawdata_callback;
+	callbacks.zone = NULL;
+	if (warn != NULL) {
+		callbacks.warn = warn;
+	}
+	if (error != NULL) {
+		callbacks.error = error;
+	}
+	headerset = false;
+	return (result);
+}
+
+static isc_result_t
+test_master(const char *testfile, dns_masterformat_t format,
+	    void (*warn)(struct dns_rdatacallbacks *, const char *, ...),
+	    void (*error)(struct dns_rdatacallbacks *, const char *, ...)) {
+	isc_result_t result;
+
+	result = setup_master(warn, error);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	dns_rdatacallbacks_init_stdio(&callbacks);
+	callbacks.add = add_callback;
+	callbacks.rawdata = rawdata_callback;
+	callbacks.zone = NULL;
+	if (warn != NULL) {
+		callbacks.warn = warn;
+	}
+	if (error != NULL) {
+		callbacks.error = error;
+	}
+
+	result = dns_master_loadfile(testfile, &dns_origin, &dns_origin,
+				     dns_rdataclass_in, true, 0, &callbacks,
+				     NULL, NULL, dt_mctx, format, 0);
+	return (result);
+}
+
+static void
+include_callback(const char *filename, void *arg) {
+	char **argp = (char **)arg;
+	*argp = isc_mem_strdup(dt_mctx, filename);
+}
+
+/*
+ * Successful load test:
+ * dns_master_loadfile() loads a valid master file and returns success
+ */
+static void
+load_test(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = test_master("testdata/master/master1.data",
+			     dns_masterformat_text, nullmsg, nullmsg);
+	assert_int_equal(result, ISC_R_SUCCESS);
+}
+
+/*
+ * Unexpected end of file test:
+ * dns_master_loadfile() returns DNS_R_UNEXPECTED when file ends too soon
+ */
+static void
+unexpected_test(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = test_master("testdata/master/master2.data",
+			     dns_masterformat_text, nullmsg, nullmsg);
+	assert_int_equal(result, ISC_R_UNEXPECTEDEND);
+}
+
+/*
+ * No owner test:
+ * dns_master_loadfile() accepts broken zones with no TTL for first record
+ * if it is an SOA
+ */
+static void
+noowner_test(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = test_master("testdata/master/master3.data",
+			     dns_masterformat_text, nullmsg, nullmsg);
+	assert_int_equal(result, DNS_R_NOOWNER);
+}
+
+/*
+ * No TTL test:
+ * dns_master_loadfile() returns DNS_R_NOOWNER when no owner name is
+ * specified
+ */
+static void
+nottl_test(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = test_master("testdata/master/master4.data",
+			     dns_masterformat_text, nullmsg, nullmsg);
+	assert_int_equal(result, ISC_R_SUCCESS);
+}
+
+/*
+ * Bad class test:
+ * dns_master_loadfile() returns DNS_R_BADCLASS when record class doesn't
+ * match zone class
+ */
+static void
+badclass_test(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = test_master("testdata/master/master5.data",
+			     dns_masterformat_text, nullmsg, nullmsg);
+	assert_int_equal(result, DNS_R_BADCLASS);
+}
+
+/*
+ * Too big rdata test:
+ * dns_master_loadfile() returns ISC_R_NOSPACE when record is too big
+ */
+static void
+toobig_test(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = test_master("testdata/master/master15.data",
+			     dns_masterformat_text, nullmsg, nullmsg);
+	assert_int_equal(result, ISC_R_NOSPACE);
+}
+
+/*
+ * Maximum rdata test:
+ * dns_master_loadfile() returns ISC_R_SUCCESS when record is maximum size
+ */
+static void
+maxrdata_test(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = test_master("testdata/master/master16.data",
+			     dns_masterformat_text, nullmsg, nullmsg);
+	assert_int_equal(result, ISC_R_SUCCESS);
+}
+
+/*
+ * DNSKEY test:
+ * dns_master_loadfile() understands DNSKEY with key material
+ */
+static void
+dnskey_test(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = test_master("testdata/master/master6.data",
+			     dns_masterformat_text, nullmsg, nullmsg);
+	assert_int_equal(result, ISC_R_SUCCESS);
+}
+
+/*
+ * DNSKEY with no key material test:
+ * dns_master_loadfile() understands DNSKEY with no key material
+ *
+ * RFC 4034 removed the ability to signal NOKEY, so empty key material should
+ * be rejected.
+ */
+static void
+dnsnokey_test(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = test_master("testdata/master/master7.data",
+			     dns_masterformat_text, nullmsg, nullmsg);
+	assert_int_equal(result, ISC_R_UNEXPECTEDEND);
+}
+
+/*
+ * Include test:
+ * dns_master_loadfile() understands $INCLUDE
+ */
+static void
+include_test(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = test_master("testdata/master/master8.data",
+			     dns_masterformat_text, nullmsg, nullmsg);
+	assert_int_equal(result, DNS_R_SEENINCLUDE);
+}
+
+/*
+ * Include file list test:
+ * dns_master_loadfile4() returns names of included file
+ */
+static void
+master_includelist_test(void **state) {
+	isc_result_t result;
+	char *filename = NULL;
+
+	UNUSED(state);
+
+	result = setup_master(nullmsg, nullmsg);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_master_loadfile(
+		"testdata/master/master8.data", &dns_origin, &dns_origin,
+		dns_rdataclass_in, 0, true, &callbacks, include_callback,
+		&filename, dt_mctx, dns_masterformat_text, 0);
+	assert_int_equal(result, DNS_R_SEENINCLUDE);
+	assert_non_null(filename);
+	if (filename != NULL) {
+		assert_string_equal(filename, "testdata/master/master6.data");
+		isc_mem_free(dt_mctx, filename);
+	}
+}
+
+/*
+ * Include failure test:
+ * dns_master_loadfile() understands $INCLUDE failures
+ */
+static void
+includefail_test(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = test_master("testdata/master/master9.data",
+			     dns_masterformat_text, nullmsg, nullmsg);
+	assert_int_equal(result, DNS_R_BADCLASS);
+}
+
+/*
+ * Non-empty blank lines test:
+ * dns_master_loadfile() handles non-empty blank lines
+ */
+static void
+blanklines_test(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = test_master("testdata/master/master10.data",
+			     dns_masterformat_text, nullmsg, nullmsg);
+	assert_int_equal(result, ISC_R_SUCCESS);
+}
+
+/*
+ * SOA leading zeroes test:
+ * dns_master_loadfile() allows leading zeroes in SOA
+ */
+
+static void
+leadingzero_test(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = test_master("testdata/master/master11.data",
+			     dns_masterformat_text, nullmsg, nullmsg);
+	assert_int_equal(result, ISC_R_SUCCESS);
+}
+
+/* masterfile totext tests */
+static void
+totext_test(void **state) {
+	isc_result_t result;
+	dns_rdataset_t rdataset;
+	dns_rdatalist_t rdatalist;
+	isc_buffer_t target;
+	unsigned char buf[BIGBUFLEN];
+
+	UNUSED(state);
+
+	/* First, test with an empty rdataset */
+	dns_rdatalist_init(&rdatalist);
+	rdatalist.rdclass = dns_rdataclass_in;
+	rdatalist.type = dns_rdatatype_none;
+	rdatalist.covers = dns_rdatatype_none;
+
+	dns_rdataset_init(&rdataset);
+	result = dns_rdatalist_tordataset(&rdatalist, &rdataset);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	isc_buffer_init(&target, buf, BIGBUFLEN);
+	result = dns_master_rdatasettotext(dns_rootname, &rdataset,
+					   &dns_master_style_debug, NULL,
+					   &target);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(isc_buffer_usedlength(&target), 0);
+
+	/*
+	 * XXX: We will also need to add tests for dumping various
+	 * rdata types, classes, etc, and comparing the results against
+	 * known-good output.
+	 */
+}
+
+/*
+ * Raw load test:
+ * dns_master_loadfile() loads a valid raw file and returns success
+ */
+static void
+loadraw_test(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	/* Raw format version 0 */
+	result = test_master("testdata/master/master12.data",
+			     dns_masterformat_raw, nullmsg, nullmsg);
+	assert_string_equal(isc_result_totext(result), "success");
+	assert_true(headerset);
+	assert_int_equal(header.flags, 0);
+
+	/* Raw format version 1, no source serial  */
+	result = test_master("testdata/master/master13.data",
+			     dns_masterformat_raw, nullmsg, nullmsg);
+	assert_string_equal(isc_result_totext(result), "success");
+	assert_true(headerset);
+	assert_int_equal(header.flags, 0);
+
+	/* Raw format version 1, source serial == 2011120101 */
+	result = test_master("testdata/master/master14.data",
+			     dns_masterformat_raw, nullmsg, nullmsg);
+	assert_string_equal(isc_result_totext(result), "success");
+	assert_true(headerset);
+	assert_true((header.flags & DNS_MASTERRAW_SOURCESERIALSET) != 0);
+	assert_int_equal(header.sourceserial, 2011120101);
+}
+
+/*
+ * Raw dump test:
+ * dns_master_dump*() functions dump valid raw files
+ */
+static void
+dumpraw_test(void **state) {
+	isc_result_t result;
+	dns_db_t *db = NULL;
+	dns_dbversion_t *version = NULL;
+	char myorigin[sizeof(TEST_ORIGIN)];
+	dns_name_t dnsorigin;
+	isc_buffer_t source, target;
+	unsigned char namebuf[BUFLEN];
+	int len;
+
+	UNUSED(state);
+
+	strlcpy(myorigin, TEST_ORIGIN, sizeof(myorigin));
+	len = strlen(myorigin);
+	isc_buffer_init(&source, myorigin, len);
+	isc_buffer_add(&source, len);
+	isc_buffer_setactive(&source, len);
+	isc_buffer_init(&target, namebuf, BUFLEN);
+	dns_name_init(&dnsorigin, NULL);
+	result = dns_name_fromtext(&dnsorigin, &source, dns_rootname, 0,
+				   &target);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_db_create(dt_mctx, "rbt", &dnsorigin, dns_dbtype_zone,
+			       dns_rdataclass_in, 0, NULL, &db);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_db_load(db, "testdata/master/master1.data",
+			     dns_masterformat_text, 0);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	dns_db_currentversion(db, &version);
+
+	result = dns_master_dump(dt_mctx, db, version,
+				 &dns_master_style_default, "test.dump",
+				 dns_masterformat_raw, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = test_master("test.dump", dns_masterformat_raw, nullmsg,
+			     nullmsg);
+	assert_string_equal(isc_result_totext(result), "success");
+	assert_true(headerset);
+	assert_int_equal(header.flags, 0);
+
+	dns_master_initrawheader(&header);
+	header.sourceserial = 12345;
+	header.flags |= DNS_MASTERRAW_SOURCESERIALSET;
+
+	unlink("test.dump");
+	result = dns_master_dump(dt_mctx, db, version,
+				 &dns_master_style_default, "test.dump",
+				 dns_masterformat_raw, &header);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = test_master("test.dump", dns_masterformat_raw, nullmsg,
+			     nullmsg);
+	assert_string_equal(isc_result_totext(result), "success");
+	assert_true(headerset);
+	assert_true((header.flags & DNS_MASTERRAW_SOURCESERIALSET) != 0);
+	assert_int_equal(header.sourceserial, 12345);
+
+	unlink("test.dump");
+	dns_db_closeversion(db, &version, false);
+	dns_db_detach(&db);
+}
+
+static const char *warn_expect_value;
+static bool warn_expect_result;
+
+static void
+warn_expect(struct dns_rdatacallbacks *mycallbacks, const char *fmt, ...) {
+	char buf[4096];
+	va_list ap;
+
+	UNUSED(mycallbacks);
+
+	warn_expect_result = false;
+
+	va_start(ap, fmt);
+	vsnprintf(buf, sizeof(buf), fmt, ap);
+	va_end(ap);
+
+	if (warn_expect_value != NULL && strstr(buf, warn_expect_value) != NULL)
+	{
+		warn_expect_result = true;
+	}
+}
+
+/*
+ * Origin change test:
+ * dns_master_loadfile() rejects zones with inherited name following $ORIGIN
+ */
+static void
+neworigin_test(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	warn_expect_value = "record with inherited owner";
+	result = test_master("testdata/master/master17.data",
+			     dns_masterformat_text, warn_expect, nullmsg);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_true(warn_expect_result);
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test_setup_teardown(load_test, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(unexpected_test, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(noowner_test, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(nottl_test, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(badclass_test, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(dnskey_test, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(dnsnokey_test, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(include_test, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(master_includelist_test, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(includefail_test, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(blanklines_test, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(leadingzero_test, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(totext_test, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(loadraw_test, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(dumpraw_test, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(toobig_test, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(maxrdata_test, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(neworigin_test, _setup,
+						_teardown),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/dns/tests/mkraw.pl b/lib/dns/tests/mkraw.pl
new file mode 100644
index 0000000..5e0db75
--- /dev/null
+++ b/lib/dns/tests/mkraw.pl
@@ -0,0 +1,26 @@
+#!/usr/bin/perl -w
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# Convert a hexdump to binary format.
+#
+# To convert binary data to the input format for this command,
+# use the following:
+#
+# perl -e 'while (read(STDIN, my $byte, 1)) {
+#              print unpack("H2", $byte);
+#          }
+#          print "\n";' < file > file.in
+
+use strict;
+chomp(my $line = <STDIN>);
+print pack("H*", $line);
diff --git a/lib/dns/tests/name_test.c b/lib/dns/tests/name_test.c
new file mode 100644
index 0000000..e48c64e
--- /dev/null
+++ b/lib/dns/tests/name_test.c
@@ -0,0 +1,796 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <inttypes.h>
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/mem.h>
+#include <isc/os.h>
+#include <isc/print.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+
+#include <dns/compress.h>
+#include <dns/fixedname.h>
+#include <dns/name.h>
+
+#include "dnstest.h"
+
+/* Set to true (or use -v option) for verbose output */
+static bool verbose = false;
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = dns_test_begin(NULL, false);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	dns_test_end();
+
+	return (0);
+}
+
+/* dns_name_fullcompare test */
+static void
+fullcompare_test(void **state) {
+	dns_fixedname_t fixed1;
+	dns_fixedname_t fixed2;
+	dns_name_t *name1;
+	dns_name_t *name2;
+	dns_namereln_t relation;
+	int i;
+	isc_result_t result;
+	struct {
+		const char *name1;
+		const char *name2;
+		dns_namereln_t relation;
+		int order;
+		unsigned int nlabels;
+	} data[] = {
+		/* relative */
+		{ "", "", dns_namereln_equal, 0, 0 },
+		{ "foo", "", dns_namereln_subdomain, 1, 0 },
+		{ "", "foo", dns_namereln_contains, -1, 0 },
+		{ "foo", "bar", dns_namereln_none, 4, 0 },
+		{ "bar", "foo", dns_namereln_none, -4, 0 },
+		{ "bar.foo", "foo", dns_namereln_subdomain, 1, 1 },
+		{ "foo", "bar.foo", dns_namereln_contains, -1, 1 },
+		{ "baz.bar.foo", "bar.foo", dns_namereln_subdomain, 1, 2 },
+		{ "bar.foo", "baz.bar.foo", dns_namereln_contains, -1, 2 },
+		{ "foo.example", "bar.example", dns_namereln_commonancestor, 4,
+		  1 },
+
+		/* absolute */
+		{ ".", ".", dns_namereln_equal, 0, 1 },
+		{ "foo.", "bar.", dns_namereln_commonancestor, 4, 1 },
+		{ "bar.", "foo.", dns_namereln_commonancestor, -4, 1 },
+		{ "foo.example.", "bar.example.", dns_namereln_commonancestor,
+		  4, 2 },
+		{ "bar.foo.", "foo.", dns_namereln_subdomain, 1, 2 },
+		{ "foo.", "bar.foo.", dns_namereln_contains, -1, 2 },
+		{ "baz.bar.foo.", "bar.foo.", dns_namereln_subdomain, 1, 3 },
+		{ "bar.foo.", "baz.bar.foo.", dns_namereln_contains, -1, 3 },
+		{ NULL, NULL, dns_namereln_none, 0, 0 }
+	};
+
+	UNUSED(state);
+
+	name1 = dns_fixedname_initname(&fixed1);
+	name2 = dns_fixedname_initname(&fixed2);
+	for (i = 0; data[i].name1 != NULL; i++) {
+		int order = 3000;
+		unsigned int nlabels = 3000;
+
+		if (data[i].name1[0] == 0) {
+			dns_fixedname_init(&fixed1);
+		} else {
+			result = dns_name_fromstring2(name1, data[i].name1,
+						      NULL, 0, NULL);
+			assert_int_equal(result, ISC_R_SUCCESS);
+		}
+		if (data[i].name2[0] == 0) {
+			dns_fixedname_init(&fixed2);
+		} else {
+			result = dns_name_fromstring2(name2, data[i].name2,
+						      NULL, 0, NULL);
+			assert_int_equal(result, ISC_R_SUCCESS);
+		}
+		relation = dns_name_fullcompare(name1, name1, &order, &nlabels);
+		assert_int_equal(relation, dns_namereln_equal);
+		assert_int_equal(order, 0);
+		assert_int_equal(nlabels, name1->labels);
+
+		/* Some random initializer */
+		order = 3001;
+		nlabels = 3001;
+
+		relation = dns_name_fullcompare(name1, name2, &order, &nlabels);
+		assert_int_equal(relation, data[i].relation);
+		assert_int_equal(order, data[i].order);
+		assert_int_equal(nlabels, data[i].nlabels);
+	}
+}
+
+static void
+compress_test(dns_name_t *name1, dns_name_t *name2, dns_name_t *name3,
+	      unsigned char *expected, unsigned int length,
+	      dns_compress_t *cctx, dns_decompress_t *dctx) {
+	isc_buffer_t source;
+	isc_buffer_t target;
+	dns_name_t name;
+	unsigned char buf1[1024];
+	unsigned char buf2[1024];
+
+	isc_buffer_init(&source, buf1, sizeof(buf1));
+	isc_buffer_init(&target, buf2, sizeof(buf2));
+
+	assert_int_equal(dns_name_towire(name1, cctx, &source), ISC_R_SUCCESS);
+
+	assert_int_equal(dns_name_towire(name2, cctx, &source), ISC_R_SUCCESS);
+	assert_int_equal(dns_name_towire(name2, cctx, &source), ISC_R_SUCCESS);
+	assert_int_equal(dns_name_towire(name3, cctx, &source), ISC_R_SUCCESS);
+
+	isc_buffer_setactive(&source, source.used);
+
+	dns_name_init(&name, NULL);
+	RUNTIME_CHECK(dns_name_fromwire(&name, &source, dctx, 0, &target) ==
+		      ISC_R_SUCCESS);
+	RUNTIME_CHECK(dns_name_fromwire(&name, &source, dctx, 0, &target) ==
+		      ISC_R_SUCCESS);
+	RUNTIME_CHECK(dns_name_fromwire(&name, &source, dctx, 0, &target) ==
+		      ISC_R_SUCCESS);
+	RUNTIME_CHECK(dns_name_fromwire(&name, &source, dctx, 0, &target) ==
+		      ISC_R_SUCCESS);
+	dns_decompress_invalidate(dctx);
+
+	assert_int_equal(target.used, length);
+	assert_true(memcmp(target.base, expected, target.used) == 0);
+}
+
+/* name compression test */
+static void
+compression_test(void **state) {
+	unsigned int allowed;
+	dns_compress_t cctx;
+	dns_decompress_t dctx;
+	dns_name_t name1;
+	dns_name_t name2;
+	dns_name_t name3;
+	isc_region_t r;
+	unsigned char plain1[] = "\003yyy\003foo";
+	unsigned char plain2[] = "\003bar\003yyy\003foo";
+	unsigned char plain3[] = "\003xxx\003bar\003foo";
+	unsigned char plain[] = "\003yyy\003foo\0\003bar\003yyy\003foo\0\003"
+				"bar\003yyy\003foo\0\003xxx\003bar\003foo";
+
+	UNUSED(state);
+
+	dns_name_init(&name1, NULL);
+	r.base = plain1;
+	r.length = sizeof(plain1);
+	dns_name_fromregion(&name1, &r);
+
+	dns_name_init(&name2, NULL);
+	r.base = plain2;
+	r.length = sizeof(plain2);
+	dns_name_fromregion(&name2, &r);
+
+	dns_name_init(&name3, NULL);
+	r.base = plain3;
+	r.length = sizeof(plain3);
+	dns_name_fromregion(&name3, &r);
+
+	/* Test 1: NONE */
+	allowed = DNS_COMPRESS_NONE;
+	assert_int_equal(dns_compress_init(&cctx, -1, dt_mctx), ISC_R_SUCCESS);
+	dns_compress_setmethods(&cctx, allowed);
+	dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_STRICT);
+	dns_decompress_setmethods(&dctx, allowed);
+
+	compress_test(&name1, &name2, &name3, plain, sizeof(plain), &cctx,
+		      &dctx);
+
+	dns_compress_rollback(&cctx, 0);
+	dns_compress_invalidate(&cctx);
+
+	/* Test2: GLOBAL14 */
+	allowed = DNS_COMPRESS_GLOBAL14;
+	assert_int_equal(dns_compress_init(&cctx, -1, dt_mctx), ISC_R_SUCCESS);
+	dns_compress_setmethods(&cctx, allowed);
+	dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_STRICT);
+	dns_decompress_setmethods(&dctx, allowed);
+
+	compress_test(&name1, &name2, &name3, plain, sizeof(plain), &cctx,
+		      &dctx);
+
+	dns_compress_rollback(&cctx, 0);
+	dns_compress_invalidate(&cctx);
+
+	/* Test3: ALL */
+	allowed = DNS_COMPRESS_ALL;
+	assert_int_equal(dns_compress_init(&cctx, -1, dt_mctx), ISC_R_SUCCESS);
+	dns_compress_setmethods(&cctx, allowed);
+	dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_STRICT);
+	dns_decompress_setmethods(&dctx, allowed);
+
+	compress_test(&name1, &name2, &name3, plain, sizeof(plain), &cctx,
+		      &dctx);
+
+	dns_compress_rollback(&cctx, 0);
+	dns_compress_invalidate(&cctx);
+
+	/* Test4: NONE disabled */
+	allowed = DNS_COMPRESS_NONE;
+	assert_int_equal(dns_compress_init(&cctx, -1, dt_mctx), ISC_R_SUCCESS);
+	dns_compress_setmethods(&cctx, allowed);
+	dns_compress_disable(&cctx);
+	dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_STRICT);
+	dns_decompress_setmethods(&dctx, allowed);
+
+	compress_test(&name1, &name2, &name3, plain, sizeof(plain), &cctx,
+		      &dctx);
+
+	dns_compress_rollback(&cctx, 0);
+	dns_compress_invalidate(&cctx);
+
+	/* Test5: GLOBAL14 disabled */
+	allowed = DNS_COMPRESS_GLOBAL14;
+	assert_int_equal(dns_compress_init(&cctx, -1, dt_mctx), ISC_R_SUCCESS);
+	dns_compress_setmethods(&cctx, allowed);
+	dns_compress_disable(&cctx);
+	dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_STRICT);
+	dns_decompress_setmethods(&dctx, allowed);
+
+	compress_test(&name1, &name2, &name3, plain, sizeof(plain), &cctx,
+		      &dctx);
+
+	dns_compress_rollback(&cctx, 0);
+	dns_compress_invalidate(&cctx);
+
+	/* Test6: ALL disabled */
+	allowed = DNS_COMPRESS_ALL;
+	assert_int_equal(dns_compress_init(&cctx, -1, dt_mctx), ISC_R_SUCCESS);
+	dns_compress_setmethods(&cctx, allowed);
+	dns_compress_disable(&cctx);
+	dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_STRICT);
+	dns_decompress_setmethods(&dctx, allowed);
+
+	compress_test(&name1, &name2, &name3, plain, sizeof(plain), &cctx,
+		      &dctx);
+
+	dns_compress_rollback(&cctx, 0);
+	dns_compress_invalidate(&cctx);
+}
+
+/* is trust-anchor-telemetry test */
+static void
+istat_test(void **state) {
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	isc_result_t result;
+	size_t i;
+	struct {
+		const char *name;
+		bool istat;
+	} data[] = { { ".", false },
+		     { "_ta-", false },
+		     { "_ta-1234", true },
+		     { "_TA-1234", true },
+		     { "+TA-1234", false },
+		     { "_fa-1234", false },
+		     { "_td-1234", false },
+		     { "_ta_1234", false },
+		     { "_ta-g234", false },
+		     { "_ta-1h34", false },
+		     { "_ta-12i4", false },
+		     { "_ta-123j", false },
+		     { "_ta-1234-abcf", true },
+		     { "_ta-1234-abcf-ED89", true },
+		     { "_ta-12345-abcf-ED89", false },
+		     { "_ta-.example", false },
+		     { "_ta-1234.example", true },
+		     { "_ta-1234-abcf.example", true },
+		     { "_ta-1234-abcf-ED89.example", true },
+		     { "_ta-12345-abcf-ED89.example", false },
+		     { "_ta-1234-abcfe-ED89.example", false },
+		     { "_ta-1234-abcf-EcD89.example", false } };
+
+	UNUSED(state);
+
+	name = dns_fixedname_initname(&fixed);
+
+	for (i = 0; i < (sizeof(data) / sizeof(data[0])); i++) {
+		result = dns_name_fromstring(name, data[i].name, 0, NULL);
+		assert_int_equal(result, ISC_R_SUCCESS);
+		assert_int_equal(dns_name_istat(name), data[i].istat);
+	}
+}
+
+/* dns_nane_init */
+static void
+init_test(void **state) {
+	dns_name_t name;
+	unsigned char offsets[1];
+
+	UNUSED(state);
+
+	dns_name_init(&name, offsets);
+
+	assert_null(name.ndata);
+	assert_int_equal(name.length, 0);
+	assert_int_equal(name.labels, 0);
+	assert_int_equal(name.attributes, 0);
+	assert_ptr_equal(name.offsets, offsets);
+	assert_null(name.buffer);
+}
+
+/* dns_nane_invalidate */
+static void
+invalidate_test(void **state) {
+	dns_name_t name;
+	unsigned char offsets[1];
+
+	UNUSED(state);
+
+	dns_name_init(&name, offsets);
+	dns_name_invalidate(&name);
+
+	assert_null(name.ndata);
+	assert_int_equal(name.length, 0);
+	assert_int_equal(name.labels, 0);
+	assert_int_equal(name.attributes, 0);
+	assert_null(name.offsets);
+	assert_null(name.buffer);
+}
+
+/* dns_nane_setbuffer/hasbuffer */
+static void
+buffer_test(void **state) {
+	dns_name_t name;
+	unsigned char buf[BUFSIZ];
+	isc_buffer_t b;
+
+	UNUSED(state);
+
+	isc_buffer_init(&b, buf, BUFSIZ);
+	dns_name_init(&name, NULL);
+	dns_name_setbuffer(&name, &b);
+	assert_ptr_equal(name.buffer, &b);
+	assert_true(dns_name_hasbuffer(&name));
+}
+
+/* dns_nane_isabsolute */
+static void
+isabsolute_test(void **state) {
+	struct {
+		const char *namestr;
+		bool expect;
+	} testcases[] = { { "x", false },
+			  { "a.b.c.d.", true },
+			  { "x.z", false } };
+	unsigned int i;
+
+	UNUSED(state);
+
+	for (i = 0; i < (sizeof(testcases) / sizeof(testcases[0])); i++) {
+		isc_result_t result;
+		dns_name_t name;
+		unsigned char data[BUFSIZ];
+		isc_buffer_t b, nb;
+		size_t len;
+
+		len = strlen(testcases[i].namestr);
+		isc_buffer_constinit(&b, testcases[i].namestr, len);
+		isc_buffer_add(&b, len);
+
+		dns_name_init(&name, NULL);
+		isc_buffer_init(&nb, data, BUFSIZ);
+		dns_name_setbuffer(&name, &nb);
+		result = dns_name_fromtext(&name, &b, NULL, 0, NULL);
+		assert_int_equal(result, ISC_R_SUCCESS);
+
+		assert_int_equal(dns_name_isabsolute(&name),
+				 testcases[i].expect);
+	}
+}
+
+/* dns_nane_hash */
+static void
+hash_test(void **state) {
+	struct {
+		const char *name1;
+		const char *name2;
+		bool expect;
+		bool expecti;
+	} testcases[] = {
+		{ "a.b.c.d", "A.B.C.D", true, false },
+		{ "a.b.c.d.", "A.B.C.D.", true, false },
+		{ "a.b.c.d", "a.b.c.d", true, true },
+		{ "A.B.C.D.", "A.B.C.D.", true, false },
+		{ "x.y.z.w", "a.b.c.d", false, false },
+		{ "x.y.z.w.", "a.b.c.d.", false, false },
+	};
+	unsigned int i;
+
+	UNUSED(state);
+
+	for (i = 0; i < (sizeof(testcases) / sizeof(testcases[0])); i++) {
+		isc_result_t result;
+		dns_fixedname_t f1, f2;
+		dns_name_t *n1, *n2;
+		unsigned int h1, h2;
+
+		n1 = dns_fixedname_initname(&f1);
+		n2 = dns_fixedname_initname(&f2);
+
+		result = dns_name_fromstring2(n1, testcases[i].name1, NULL, 0,
+					      NULL);
+		assert_int_equal(result, ISC_R_SUCCESS);
+		result = dns_name_fromstring2(n2, testcases[i].name2, NULL, 0,
+					      NULL);
+		assert_int_equal(result, ISC_R_SUCCESS);
+
+		/* Check case-insensitive hashing first */
+		h1 = dns_name_hash(n1, false);
+		h2 = dns_name_hash(n2, false);
+
+		if (verbose) {
+			print_message("# %s hashes to %u, "
+				      "%s to %u, case insensitive\n",
+				      testcases[i].name1, h1,
+				      testcases[i].name2, h2);
+		}
+
+		assert_int_equal((h1 == h2), testcases[i].expect);
+
+		/* Now case-sensitive */
+		h1 = dns_name_hash(n1, false);
+		h2 = dns_name_hash(n2, false);
+
+		if (verbose) {
+			print_message("# %s hashes to %u, "
+				      "%s to %u, case sensitive\n",
+				      testcases[i].name1, h1,
+				      testcases[i].name2, h2);
+		}
+
+		assert_int_equal((h1 == h2), testcases[i].expect);
+	}
+}
+
+/* dns_nane_issubdomain */
+static void
+issubdomain_test(void **state) {
+	struct {
+		const char *name1;
+		const char *name2;
+		bool expect;
+	} testcases[] = {
+		{ "c.d", "a.b.c.d", false }, { "c.d.", "a.b.c.d.", false },
+		{ "b.c.d", "c.d", true },    { "a.b.c.d.", "c.d.", true },
+		{ "a.b.c", "a.b.c", true },  { "a.b.c.", "a.b.c.", true },
+		{ "x.y.z", "a.b.c", false }
+	};
+	unsigned int i;
+
+	UNUSED(state);
+
+	for (i = 0; i < (sizeof(testcases) / sizeof(testcases[0])); i++) {
+		isc_result_t result;
+		dns_fixedname_t f1, f2;
+		dns_name_t *n1, *n2;
+
+		n1 = dns_fixedname_initname(&f1);
+		n2 = dns_fixedname_initname(&f2);
+
+		result = dns_name_fromstring2(n1, testcases[i].name1, NULL, 0,
+					      NULL);
+		assert_int_equal(result, ISC_R_SUCCESS);
+		result = dns_name_fromstring2(n2, testcases[i].name2, NULL, 0,
+					      NULL);
+		assert_int_equal(result, ISC_R_SUCCESS);
+
+		if (verbose) {
+			print_message("# check: %s %s a subdomain of %s\n",
+				      testcases[i].name1,
+				      testcases[i].expect ? "is" : "is not",
+				      testcases[i].name2);
+		}
+
+		assert_int_equal(dns_name_issubdomain(n1, n2),
+				 testcases[i].expect);
+	}
+}
+
+/* dns_nane_countlabels */
+static void
+countlabels_test(void **state) {
+	struct {
+		const char *namestr;
+		unsigned int expect;
+	} testcases[] = {
+		{ "c.d", 2 },	  { "c.d.", 3 },  { "a.b.c.d.", 5 },
+		{ "a.b.c.d", 4 }, { "a.b.c", 3 }, { ".", 1 },
+	};
+	unsigned int i;
+
+	UNUSED(state);
+
+	for (i = 0; i < (sizeof(testcases) / sizeof(testcases[0])); i++) {
+		isc_result_t result;
+		dns_fixedname_t fname;
+		dns_name_t *name;
+
+		name = dns_fixedname_initname(&fname);
+
+		result = dns_name_fromstring2(name, testcases[i].namestr, NULL,
+					      0, NULL);
+		assert_int_equal(result, ISC_R_SUCCESS);
+
+		if (verbose) {
+			print_message("# %s: expect %u labels\n",
+				      testcases[i].namestr,
+				      testcases[i].expect);
+		}
+
+		assert_int_equal(dns_name_countlabels(name),
+				 testcases[i].expect);
+	}
+}
+
+/* dns_nane_getlabel */
+static void
+getlabel_test(void **state) {
+	struct {
+		const char *name1;
+		unsigned int pos1;
+		const char *name2;
+		unsigned int pos2;
+	} testcases[] = {
+		{ "c.d", 1, "a.b.c.d", 3 },
+		{ "a.b.c.d", 3, "c.d", 1 },
+		{ "a.b.c.", 3, "A.B.C.", 3 },
+	};
+	unsigned int i;
+
+	UNUSED(state);
+
+	for (i = 0; i < (sizeof(testcases) / sizeof(testcases[0])); i++) {
+		isc_result_t result;
+		dns_fixedname_t f1, f2;
+		dns_name_t *n1, *n2;
+		dns_label_t l1, l2;
+		unsigned int j;
+
+		n1 = dns_fixedname_initname(&f1);
+		n2 = dns_fixedname_initname(&f2);
+
+		result = dns_name_fromstring2(n1, testcases[i].name1, NULL, 0,
+					      NULL);
+		assert_int_equal(result, ISC_R_SUCCESS);
+		result = dns_name_fromstring2(n2, testcases[i].name2, NULL, 0,
+					      NULL);
+		assert_int_equal(result, ISC_R_SUCCESS);
+
+		dns_name_getlabel(n1, testcases[i].pos1, &l1);
+		dns_name_getlabel(n2, testcases[i].pos2, &l2);
+		assert_int_equal(l1.length, l2.length);
+
+		for (j = 0; j < l1.length; j++) {
+			assert_int_equal(l1.base[j], l2.base[j]);
+		}
+	}
+}
+
+/* dns_nane_getlabelsequence */
+static void
+getlabelsequence_test(void **state) {
+	struct {
+		const char *name1;
+		unsigned int pos1;
+		const char *name2;
+		unsigned int pos2;
+		unsigned int range;
+	} testcases[] = {
+		{ "c.d", 1, "a.b.c.d", 3, 1 },
+		{ "a.b.c.d.e", 2, "c.d", 0, 2 },
+		{ "a.b.c", 0, "a.b.c", 0, 3 },
+	};
+	unsigned int i;
+
+	UNUSED(state);
+
+	for (i = 0; i < (sizeof(testcases) / sizeof(testcases[0])); i++) {
+		isc_result_t result;
+		dns_name_t t1, t2;
+		dns_fixedname_t f1, f2;
+		dns_name_t *n1, *n2;
+
+		/* target names */
+		dns_name_init(&t1, NULL);
+		dns_name_init(&t2, NULL);
+
+		/* source names */
+		n1 = dns_fixedname_initname(&f1);
+		n2 = dns_fixedname_initname(&f2);
+
+		result = dns_name_fromstring2(n1, testcases[i].name1, NULL, 0,
+					      NULL);
+		assert_int_equal(result, ISC_R_SUCCESS);
+		result = dns_name_fromstring2(n2, testcases[i].name2, NULL, 0,
+					      NULL);
+		assert_int_equal(result, ISC_R_SUCCESS);
+
+		dns_name_getlabelsequence(n1, testcases[i].pos1,
+					  testcases[i].range, &t1);
+		dns_name_getlabelsequence(n2, testcases[i].pos2,
+					  testcases[i].range, &t2);
+
+		assert_true(dns_name_equal(&t1, &t2));
+	}
+}
+
+#ifdef DNS_BENCHMARK_TESTS
+
+/*
+ * XXXMUKS: Don't delete this code. It is useful in benchmarking the
+ * name parser, but we don't require it as part of the unit test runs.
+ */
+
+/* Benchmark dns_name_fromwire() implementation */
+
+static void *
+fromwire_thread(void *arg) {
+	unsigned int maxval = 32000000;
+	uint8_t data[] = { 3,	'w', 'w', 'w', 7,   'e', 'x',
+			   'a', 'm', 'p', 'l', 'e', 7,	 'i',
+			   'n', 'v', 'a', 'l', 'i', 'd', 0 };
+	unsigned char output_data[DNS_NAME_MAXWIRE];
+	isc_buffer_t source, target;
+	unsigned int i;
+	dns_decompress_t dctx;
+
+	UNUSED(arg);
+
+	dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_STRICT);
+	dns_decompress_setmethods(&dctx, DNS_COMPRESS_NONE);
+
+	isc_buffer_init(&source, data, sizeof(data));
+	isc_buffer_add(&source, sizeof(data));
+	isc_buffer_init(&target, output_data, sizeof(output_data));
+
+	/* Parse 32 million names in each thread */
+	for (i = 0; i < maxval; i++) {
+		dns_name_t name;
+
+		isc_buffer_clear(&source);
+		isc_buffer_clear(&target);
+		isc_buffer_add(&source, sizeof(data));
+		isc_buffer_setactive(&source, sizeof(data));
+
+		dns_name_init(&name, NULL);
+		(void)dns_name_fromwire(&name, &source, &dctx, 0, &target);
+	}
+
+	return (NULL);
+}
+
+static void
+benchmark_test(void **state) {
+	isc_result_t result;
+	unsigned int i;
+	isc_time_t ts1, ts2;
+	double t;
+	unsigned int nthreads;
+	isc_thread_t threads[32];
+
+	UNUSED(state);
+
+	debug_mem_record = false;
+
+	result = isc_time_now(&ts1);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	nthreads = ISC_MIN(isc_os_ncpus(), 32);
+	nthreads = ISC_MAX(nthreads, 1);
+	for (i = 0; i < nthreads; i++) {
+		isc_thread_create(fromwire_thread, NULL, &threads[i]);
+	}
+
+	for (i = 0; i < nthreads; i++) {
+		isc_thread_join(threads[i], NULL);
+	}
+
+	result = isc_time_now(&ts2);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	t = isc_time_microdiff(&ts2, &ts1);
+
+	printf("%u dns_name_fromwire() calls, %f seconds, %f calls/second\n",
+	       nthreads * 32000000, t / 1000000.0,
+	       (nthreads * 32000000) / (t / 1000000.0));
+}
+
+#endif /* DNS_BENCHMARK_TESTS */
+
+int
+main(int argc, char **argv) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test(fullcompare_test),
+		cmocka_unit_test_setup_teardown(compression_test, _setup,
+						_teardown),
+		cmocka_unit_test(istat_test),
+		cmocka_unit_test(init_test),
+		cmocka_unit_test(invalidate_test),
+		cmocka_unit_test(buffer_test),
+		cmocka_unit_test(isabsolute_test),
+		cmocka_unit_test(hash_test),
+		cmocka_unit_test(issubdomain_test),
+		cmocka_unit_test(countlabels_test),
+		cmocka_unit_test(getlabel_test),
+		cmocka_unit_test(getlabelsequence_test),
+#ifdef DNS_BENCHMARK_TESTS
+		cmocka_unit_test_setup_teardown(benchmark_test, _setup,
+						_teardown),
+#endif /* DNS_BENCHMARK_TESTS */
+	};
+	int c;
+
+	while ((c = isc_commandline_parse(argc, argv, "v")) != -1) {
+		switch (c) {
+		case 'v':
+			verbose = true;
+			break;
+		default:
+			break;
+		}
+	}
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/dns/tests/nsec3_test.c b/lib/dns/tests/nsec3_test.c
new file mode 100644
index 0000000..69f4be5
--- /dev/null
+++ b/lib/dns/tests/nsec3_test.c
@@ -0,0 +1,196 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/nsec3.h>
+
+#include "dnstest.h"
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = dns_test_begin(NULL, false);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	dns_test_end();
+
+	return (0);
+}
+
+static void
+iteration_test(const char *file, unsigned int expected) {
+	isc_result_t result;
+	dns_db_t *db = NULL;
+	unsigned int iterations;
+
+	result = dns_test_loaddb(&db, dns_dbtype_zone, "test", file);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	iterations = dns_nsec3_maxiterations();
+
+	assert_int_equal(iterations, expected);
+
+	dns_db_detach(&db);
+}
+
+/*%
+ * Structure containing parameters for nsec3param_salttotext_test().
+ */
+typedef struct {
+	const char *nsec3param_text; /* NSEC3PARAM RDATA in text form */
+	const char *expected_salt;   /* string expected in target buffer */
+} nsec3param_salttotext_test_params_t;
+
+/*%
+ * Check whether dns_nsec3param_salttotext() handles supplied text form
+ * NSEC3PARAM RDATA correctly: test whether the result of calling the former is
+ * as expected and whether it properly checks available buffer space.
+ *
+ * Assumes supplied text form NSEC3PARAM RDATA is valid as testing handling of
+ * invalid NSEC3PARAM RDATA is out of scope of this unit test.
+ */
+static void
+nsec3param_salttotext_test(const nsec3param_salttotext_test_params_t *params) {
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_nsec3param_t nsec3param;
+	unsigned char buf[1024];
+	isc_result_t result;
+	char salt[64];
+	size_t length;
+
+	/*
+	 * Prepare a dns_rdata_nsec3param_t structure for testing.
+	 */
+	result = dns_test_rdatafromstring(
+		&rdata, dns_rdataclass_in, dns_rdatatype_nsec3param, buf,
+		sizeof(buf), params->nsec3param_text, false);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/*
+	 * Check typical use.
+	 */
+	result = dns_nsec3param_salttotext(&nsec3param, salt, sizeof(salt));
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_string_equal(salt, params->expected_salt);
+
+	/*
+	 * Ensure available space in the buffer is checked before the salt is
+	 * printed to it and that the amount of space checked for includes the
+	 * terminating NULL byte.
+	 */
+	length = strlen(params->expected_salt);
+	assert_true(length < sizeof(salt) - 1); /* prevent buffer overwrite */
+	assert_true(length > 0U);		/* prevent length underflow */
+
+	result = dns_nsec3param_salttotext(&nsec3param, salt, length - 1);
+	assert_int_equal(result, ISC_R_NOSPACE);
+
+	result = dns_nsec3param_salttotext(&nsec3param, salt, length);
+	assert_int_equal(result, ISC_R_NOSPACE);
+
+	result = dns_nsec3param_salttotext(&nsec3param, salt, length + 1);
+	assert_int_equal(result, ISC_R_SUCCESS);
+}
+
+/*
+ * check that appropriate max iterations is returned for different
+ * key size mixes
+ */
+static void
+max_iterations(void **state) {
+	UNUSED(state);
+
+	iteration_test("testdata/nsec3/1024.db", 150);
+	iteration_test("testdata/nsec3/2048.db", 150);
+	iteration_test("testdata/nsec3/4096.db", 150);
+	iteration_test("testdata/nsec3/min-1024.db", 150);
+	iteration_test("testdata/nsec3/min-2048.db", 150);
+}
+
+/* check dns_nsec3param_salttotext() */
+static void
+nsec3param_salttotext(void **state) {
+	size_t i;
+
+	const nsec3param_salttotext_test_params_t tests[] = {
+		/*
+		 * Tests with non-empty salts.
+		 */
+		{ "0 0 10 0123456789abcdef", "0123456789ABCDEF" },
+		{ "0 1 11 0123456789abcdef", "0123456789ABCDEF" },
+		{ "1 0 12 42", "42" },
+		{ "1 1 13 42", "42" },
+		/*
+		 * Test with empty salt.
+		 */
+		{ "0 0 0 -", "-" },
+	};
+
+	UNUSED(state);
+
+	for (i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
+		nsec3param_salttotext_test(&tests[i]);
+	}
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test_setup_teardown(max_iterations, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(nsec3param_salttotext, _setup,
+						_teardown),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/dns/tests/nsec3param_test.c b/lib/dns/tests/nsec3param_test.c
new file mode 100644
index 0000000..6fd1fc4
--- /dev/null
+++ b/lib/dns/tests/nsec3param_test.c
@@ -0,0 +1,304 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/hex.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/nsec3.h>
+#include <dns/result.h>
+
+#include "../zone_p.h"
+#include "dnstest.h"
+
+#define HASH	1
+#define FLAGS	0
+#define ITER	5
+#define SALTLEN 4
+#define SALT	"FEDCBA98"
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = dns_test_begin(NULL, false);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	dns_test_end();
+
+	return (0);
+}
+
+/*%
+ * Structures containing parameters for nsec3param_salttotext_test().
+ */
+typedef struct {
+	dns_hash_t hash;
+	unsigned char flags;
+	dns_iterations_t iterations;
+	unsigned char salt_length;
+	const char *salt;
+} nsec3param_rdata_test_params_t;
+
+typedef struct {
+	nsec3param_rdata_test_params_t lookup;
+	nsec3param_rdata_test_params_t expect;
+	bool resalt;
+	isc_result_t expected_result;
+} nsec3param_change_test_params_t;
+
+static void
+decode_salt(const char *string, unsigned char *salt, size_t saltlen) {
+	isc_buffer_t buf;
+	isc_result_t result;
+
+	isc_buffer_init(&buf, salt, saltlen);
+	result = isc_hex_decodestring(string, &buf);
+	assert_int_equal(result, ISC_R_SUCCESS);
+}
+
+static void
+copy_params(nsec3param_rdata_test_params_t from, dns_rdata_nsec3param_t *to,
+	    unsigned char *saltbuf, size_t saltlen) {
+	to->hash = from.hash;
+	to->flags = from.flags;
+	to->iterations = from.iterations;
+	to->salt_length = from.salt_length;
+	if (from.salt == NULL) {
+		to->salt = NULL;
+	} else if (strcmp(from.salt, "-") == 0) {
+		DE_CONST("-", to->salt);
+	} else {
+		decode_salt(from.salt, saltbuf, saltlen);
+		to->salt = saltbuf;
+	}
+}
+
+static nsec3param_rdata_test_params_t
+rdata_fromparams(uint8_t hash, uint8_t flags, uint16_t iter, uint8_t saltlen,
+		 const char *salt) {
+	nsec3param_rdata_test_params_t nsec3param;
+	nsec3param.hash = hash;
+	nsec3param.flags = flags;
+	nsec3param.iterations = iter;
+	nsec3param.salt_length = saltlen;
+	nsec3param.salt = salt;
+	return (nsec3param);
+}
+
+/*%
+ * Check whether zone_lookup_nsec3param() finds the correct NSEC3PARAM
+ * and sets the correct parameters to use in dns_zone_setnsec3param().
+ */
+static void
+nsec3param_change_test(const nsec3param_change_test_params_t *test) {
+	dns_zone_t *zone = NULL;
+	dns_rdata_nsec3param_t param, lookup, expect;
+	isc_result_t result;
+	unsigned char lookupsalt[255];
+	unsigned char expectsalt[255];
+	unsigned char saltbuf[255];
+
+	/*
+	 * Prepare a zone along with its signing keys.
+	 */
+	result = dns_test_makezone("nsec3", &zone, NULL, false);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_zone_setfile(zone, "testdata/nsec3param/nsec3.db.signed",
+				  dns_masterformat_text,
+				  &dns_master_style_default);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_zone_load(zone, false);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/*
+	 * Copy parameters.
+	 */
+	copy_params(test->lookup, &lookup, lookupsalt, sizeof(lookupsalt));
+	copy_params(test->expect, &expect, expectsalt, sizeof(expectsalt));
+
+	/*
+	 * Test dns__zone_lookup_nsec3param().
+	 */
+	result = dns__zone_lookup_nsec3param(zone, &lookup, &param, saltbuf,
+					     test->resalt);
+	assert_int_equal(result, test->expected_result);
+	assert_int_equal(param.hash, expect.hash);
+	assert_int_equal(param.flags, expect.flags);
+	assert_int_equal(param.iterations, expect.iterations);
+	assert_int_equal(param.salt_length, expect.salt_length);
+	assert_non_null(param.salt);
+	if (expect.salt != NULL) {
+		int ret = memcmp(param.salt, expect.salt, expect.salt_length);
+		assert_true(ret == 0);
+	} else {
+		/*
+		 * We don't know what the new salt is, but we can compare it
+		 * to the previous salt and test that it has changed.
+		 */
+		unsigned char salt[SALTLEN];
+		int ret;
+		decode_salt(SALT, salt, SALTLEN);
+		ret = memcmp(param.salt, salt, SALTLEN);
+		assert_false(ret == 0);
+	}
+
+	/*
+	 * Detach.
+	 */
+	dns_zone_detach(&zone);
+}
+
+static void
+nsec3param_change(void **state) {
+	size_t i;
+
+	/*
+	 * Define tests.
+	 */
+	const nsec3param_change_test_params_t tests[] = {
+		/*
+		 * 1. Change nothing (don't care about salt).
+		 * This should return ISC_R_SUCCESS because we are already
+		 * using these NSEC3 parameters.
+		 */
+		{ rdata_fromparams(HASH, FLAGS, ITER, SALTLEN, NULL),
+		  rdata_fromparams(HASH, FLAGS, ITER, SALTLEN, SALT), false,
+		  ISC_R_SUCCESS },
+		/*
+		 * 2. Change nothing, but force a resalt.
+		 * This should change the salt. Set 'expect.salt' to NULL to
+		 * test a new salt has been generated.
+		 */
+		{ rdata_fromparams(HASH, FLAGS, ITER, SALTLEN, NULL),
+		  rdata_fromparams(HASH, FLAGS, ITER, SALTLEN, NULL), true,
+		  DNS_R_NSEC3RESALT },
+		/*
+		 * 3. Change iterations.
+		 * The NSEC3 paarameters are not found, and there is no
+		 * need to resalt because an explicit salt has been set,
+		 * and resalt is not enforced.
+		 */
+		{ rdata_fromparams(HASH, FLAGS, 10, SALTLEN, SALT),
+		  rdata_fromparams(HASH, FLAGS, 10, SALTLEN, SALT), false,
+		  ISC_R_NOTFOUND },
+		/*
+		 * 4. Change iterations, don't care about the salt.
+		 * We don't care about the salt. Since we need to change the
+		 * NSEC3 parameters, we will also resalt.
+		 */
+		{ rdata_fromparams(HASH, FLAGS, 10, SALTLEN, NULL),
+		  rdata_fromparams(HASH, FLAGS, 10, SALTLEN, NULL), false,
+		  DNS_R_NSEC3RESALT },
+		/*
+		 * 5. Change salt length.
+		 * Changing salt length means we need to resalt.
+		 */
+		{ rdata_fromparams(HASH, FLAGS, ITER, 16, NULL),
+		  rdata_fromparams(HASH, FLAGS, ITER, 16, NULL), false,
+		  DNS_R_NSEC3RESALT },
+		/*
+		 * 6. Set explicit salt.
+		 * A different salt, so the NSEC3 parameters are not found.
+		 * No need to resalt because an explicit salt is available.
+		 */
+		{ rdata_fromparams(HASH, FLAGS, ITER, 4, "12345678"),
+		  rdata_fromparams(HASH, FLAGS, ITER, 4, "12345678"), false,
+		  ISC_R_NOTFOUND },
+		/*
+		 * 7. Same salt.
+		 * Nothing changed, so expect ISC_R_SUCCESS as a result.
+		 */
+		{ rdata_fromparams(HASH, FLAGS, ITER, SALTLEN, SALT),
+		  rdata_fromparams(HASH, FLAGS, ITER, SALTLEN, SALT), false,
+		  ISC_R_SUCCESS },
+		/*
+		 * 8. Same salt, and force resalt.
+		 * Nothing changed, but a resalt is enforced.
+		 */
+		{ rdata_fromparams(HASH, FLAGS, ITER, SALTLEN, SALT),
+		  rdata_fromparams(HASH, FLAGS, ITER, SALTLEN, NULL), true,
+		  DNS_R_NSEC3RESALT },
+		/*
+		 * 9. No salt.
+		 * Change parameters to use no salt. These parameters are
+		 * not found, and no new salt needs to be generated.
+		 */
+		{ rdata_fromparams(HASH, FLAGS, ITER, 0, NULL),
+		  rdata_fromparams(HASH, FLAGS, ITER, 0, "-"), true,
+		  ISC_R_NOTFOUND },
+		/*
+		 * 10. No salt, explicit.
+		 * Same as above, but set no salt explicitly.
+		 */
+		{ rdata_fromparams(HASH, FLAGS, ITER, 0, "-"),
+		  rdata_fromparams(HASH, FLAGS, ITER, 0, "-"), true,
+		  ISC_R_NOTFOUND },
+	};
+
+	UNUSED(state);
+
+	/*
+	 * Run tests.
+	 */
+	for (i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
+		nsec3param_change_test(&tests[i]);
+	}
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test_setup_teardown(nsec3param_change, _setup,
+						_teardown),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/dns/tests/peer_test.c b/lib/dns/tests/peer_test.c
new file mode 100644
index 0000000..69ca8bb
--- /dev/null
+++ b/lib/dns/tests/peer_test.c
@@ -0,0 +1,175 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/util.h>
+
+#include <dns/peer.h>
+
+#include "dnstest.h"
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = dns_test_begin(NULL, false);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	dns_test_end();
+
+	return (0);
+}
+
+/* Test DSCP set/get functions */
+static void
+dscp(void **state) {
+	isc_result_t result;
+	isc_netaddr_t netaddr;
+	struct in_addr ina;
+	dns_peer_t *peer = NULL;
+	isc_dscp_t dscp;
+
+	UNUSED(state);
+
+	/*
+	 * Create peer structure for the loopback address.
+	 */
+	ina.s_addr = INADDR_LOOPBACK;
+	isc_netaddr_fromin(&netaddr, &ina);
+	result = dns_peer_new(dt_mctx, &netaddr, &peer);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/*
+	 * All should be not set on creation.
+	 * 'dscp' should remain unchanged.
+	 */
+	dscp = 100;
+	result = dns_peer_getquerydscp(peer, &dscp);
+	assert_int_equal(result, ISC_R_NOTFOUND);
+	assert_int_equal(dscp, 100);
+
+	result = dns_peer_getnotifydscp(peer, &dscp);
+	assert_int_equal(result, ISC_R_NOTFOUND);
+	assert_int_equal(dscp, 100);
+
+	result = dns_peer_gettransferdscp(peer, &dscp);
+	assert_int_equal(result, ISC_R_NOTFOUND);
+	assert_int_equal(dscp, 100);
+
+	/*
+	 * Test that setting query dscp does not affect the other
+	 * dscp values.  'dscp' should remain unchanged until
+	 * dns_peer_getquerydscp is called.
+	 */
+	dscp = 100;
+	result = dns_peer_setquerydscp(peer, 1);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_peer_getnotifydscp(peer, &dscp);
+	assert_int_equal(result, ISC_R_NOTFOUND);
+	assert_int_equal(dscp, 100);
+
+	result = dns_peer_gettransferdscp(peer, &dscp);
+	assert_int_equal(result, ISC_R_NOTFOUND);
+	assert_int_equal(dscp, 100);
+
+	result = dns_peer_getquerydscp(peer, &dscp);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(dscp, 1);
+
+	/*
+	 * Test that setting notify dscp does not affect the other
+	 * dscp values.  'dscp' should remain unchanged until
+	 * dns_peer_getquerydscp is called then should change again
+	 * on dns_peer_getnotifydscp.
+	 */
+	dscp = 100;
+	result = dns_peer_setnotifydscp(peer, 2);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_peer_gettransferdscp(peer, &dscp);
+	assert_int_equal(result, ISC_R_NOTFOUND);
+	assert_int_equal(dscp, 100);
+
+	result = dns_peer_getquerydscp(peer, &dscp);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(dscp, 1);
+
+	result = dns_peer_getnotifydscp(peer, &dscp);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(dscp, 2);
+
+	/*
+	 * Test that setting notify dscp does not affect the other
+	 * dscp values.  Check that appropriate values are returned.
+	 */
+	dscp = 100;
+	result = dns_peer_settransferdscp(peer, 3);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_peer_getquerydscp(peer, &dscp);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(dscp, 1);
+
+	result = dns_peer_getnotifydscp(peer, &dscp);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(dscp, 2);
+
+	result = dns_peer_gettransferdscp(peer, &dscp);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(dscp, 3);
+
+	dns_peer_detach(&peer);
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test_setup_teardown(dscp, _setup, _teardown),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/dns/tests/private_test.c b/lib/dns/tests/private_test.c
new file mode 100644
index 0000000..92ee391
--- /dev/null
+++ b/lib/dns/tests/private_test.c
@@ -0,0 +1,236 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <inttypes.h>
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/buffer.h>
+#include <isc/util.h>
+
+#include <dns/nsec3.h>
+#include <dns/private.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatatype.h>
+
+#include <dst/dst.h>
+
+#include "dnstest.h"
+
+static dns_rdatatype_t privatetype = 65534;
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = dns_test_begin(NULL, false);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	dns_test_end();
+
+	return (0);
+}
+
+typedef struct {
+	unsigned char alg;
+	dns_keytag_t keyid;
+	bool remove;
+	bool complete;
+} signing_testcase_t;
+
+typedef struct {
+	unsigned char hash;
+	unsigned char flags;
+	unsigned int iterations;
+	unsigned long salt;
+	bool remove;
+	bool pending;
+	bool nonsec;
+} nsec3_testcase_t;
+
+static void
+make_signing(signing_testcase_t *testcase, dns_rdata_t *private,
+	     unsigned char *buf, size_t len) {
+	dns_rdata_init(private);
+
+	buf[0] = testcase->alg;
+	buf[1] = (testcase->keyid & 0xff00) >> 8;
+	buf[2] = (testcase->keyid & 0xff);
+	buf[3] = testcase->remove;
+	buf[4] = testcase->complete;
+	private->data = buf;
+	private->length = len;
+	private->type = privatetype;
+	private->rdclass = dns_rdataclass_in;
+}
+
+static void
+make_nsec3(nsec3_testcase_t *testcase, dns_rdata_t *private,
+	   unsigned char *pbuf) {
+	dns_rdata_nsec3param_t params;
+	dns_rdata_t nsec3param = DNS_RDATA_INIT;
+	unsigned char bufdata[BUFSIZ];
+	isc_buffer_t buf;
+	uint32_t salt;
+	unsigned char *sp;
+	int slen = 4;
+
+	/* for simplicity, we're using a maximum salt length of 4 */
+	salt = htonl(testcase->salt);
+	sp = (unsigned char *)&salt;
+	while (slen > 0 && *sp == '\0') {
+		slen--;
+		sp++;
+	}
+
+	params.common.rdclass = dns_rdataclass_in;
+	params.common.rdtype = dns_rdatatype_nsec3param;
+	params.hash = testcase->hash;
+	params.iterations = testcase->iterations;
+	params.salt = sp;
+	params.salt_length = slen;
+
+	params.flags = testcase->flags;
+	if (testcase->remove) {
+		params.flags |= DNS_NSEC3FLAG_REMOVE;
+		if (testcase->nonsec) {
+			params.flags |= DNS_NSEC3FLAG_NONSEC;
+		}
+	} else {
+		params.flags |= DNS_NSEC3FLAG_CREATE;
+		if (testcase->pending) {
+			params.flags |= DNS_NSEC3FLAG_INITIAL;
+		}
+	}
+
+	isc_buffer_init(&buf, bufdata, sizeof(bufdata));
+	dns_rdata_fromstruct(&nsec3param, dns_rdataclass_in,
+			     dns_rdatatype_nsec3param, &params, &buf);
+
+	dns_rdata_init(private);
+
+	dns_nsec3param_toprivate(&nsec3param, private, privatetype, pbuf,
+				 DNS_NSEC3PARAM_BUFFERSIZE + 1);
+}
+
+/* convert private signing records to text */
+static void
+private_signing_totext_test(void **state) {
+	dns_rdata_t private;
+	int i;
+
+	signing_testcase_t testcases[] = { { DST_ALG_RSASHA512, 12345, 0, 0 },
+					   { DST_ALG_RSASHA256, 54321, 1, 0 },
+					   { DST_ALG_NSEC3RSASHA1, 22222, 0,
+					     1 },
+					   { DST_ALG_RSASHA1, 33333, 1, 1 } };
+	const char *results[] = { "Signing with key 12345/RSASHA512",
+				  "Removing signatures for key 54321/RSASHA256",
+				  "Done signing with key 22222/NSEC3RSASHA1",
+				  ("Done removing signatures for key "
+				   "33333/RSASHA1") };
+	int ncases = 4;
+
+	UNUSED(state);
+
+	for (i = 0; i < ncases; i++) {
+		unsigned char data[5];
+		char output[BUFSIZ];
+		isc_buffer_t buf;
+
+		isc_buffer_init(&buf, output, sizeof(output));
+
+		make_signing(&testcases[i], &private, data, sizeof(data));
+		dns_private_totext(&private, &buf);
+		assert_string_equal(output, results[i]);
+	}
+}
+
+/* convert private chain records to text */
+static void
+private_nsec3_totext_test(void **state) {
+	dns_rdata_t private;
+	int i;
+
+	nsec3_testcase_t testcases[] = {
+		{ 1, 0, 1, 0xbeef, 0, 0, 0 },
+		{ 1, 1, 10, 0xdadd, 0, 0, 0 },
+		{ 1, 0, 20, 0xbead, 0, 1, 0 },
+		{ 1, 0, 30, 0xdeaf, 1, 0, 0 },
+		{ 1, 0, 100, 0xfeedabee, 1, 0, 1 },
+	};
+	const char *results[] = { "Creating NSEC3 chain 1 0 1 BEEF",
+				  "Creating NSEC3 chain 1 1 10 DADD",
+				  "Pending NSEC3 chain 1 0 20 BEAD",
+				  ("Removing NSEC3 chain 1 0 30 DEAF / "
+				   "creating NSEC chain"),
+				  "Removing NSEC3 chain 1 0 100 FEEDABEE" };
+	int ncases = 5;
+
+	UNUSED(state);
+
+	for (i = 0; i < ncases; i++) {
+		unsigned char data[DNS_NSEC3PARAM_BUFFERSIZE + 1];
+		char output[BUFSIZ];
+		isc_buffer_t buf;
+
+		isc_buffer_init(&buf, output, sizeof(output));
+
+		make_nsec3(&testcases[i], &private, data);
+		dns_private_totext(&private, &buf);
+		assert_string_equal(output, results[i]);
+	}
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test_setup_teardown(private_signing_totext_test,
+						_setup, _teardown),
+		cmocka_unit_test_setup_teardown(private_nsec3_totext_test,
+						_setup, _teardown),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/dns/tests/rbt_serialize_test.c b/lib/dns/tests/rbt_serialize_test.c
new file mode 100644
index 0000000..df56981
--- /dev/null
+++ b/lib/dns/tests/rbt_serialize_test.c
@@ -0,0 +1,489 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <fcntl.h>
+#include <inttypes.h>
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <sys/mman.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/app.h>
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/file.h>
+#include <isc/hash.h>
+#include <isc/mem.h>
+#include <isc/os.h>
+#include <isc/print.h>
+#include <isc/random.h>
+#include <isc/socket.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/compress.h>
+#include <dns/fixedname.h>
+#include <dns/log.h>
+#include <dns/name.h>
+#include <dns/rbt.h>
+#include <dns/result.h>
+
+#include <dst/dst.h>
+
+#include "dnstest.h"
+
+#ifndef MAP_FILE
+#define MAP_FILE 0
+#endif /* ifndef MAP_FILE */
+
+/* Set to true (or use -v option) for verbose output */
+static bool verbose = false;
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = dns_test_begin(NULL, false);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	dns_test_end();
+
+	return (0);
+}
+
+typedef struct data_holder {
+	int len;
+	const char *data;
+} data_holder_t;
+
+typedef struct rbt_testdata {
+	const char *name;
+	size_t name_len;
+	data_holder_t data;
+} rbt_testdata_t;
+
+#define DATA_ITEM(name)                                            \
+	{                                                          \
+		(name), sizeof(name) - 1, { sizeof(name), (name) } \
+	}
+
+rbt_testdata_t testdata[] = { DATA_ITEM("first.com."),
+			      DATA_ITEM("one.net."),
+			      DATA_ITEM("two.com."),
+			      DATA_ITEM("three.org."),
+			      DATA_ITEM("asdf.com."),
+			      DATA_ITEM("ghjkl.com."),
+			      DATA_ITEM("1.edu."),
+			      DATA_ITEM("2.edu."),
+			      DATA_ITEM("3.edu."),
+			      DATA_ITEM("123.edu."),
+			      DATA_ITEM("1236.com."),
+			      DATA_ITEM("and_so_forth.com."),
+			      DATA_ITEM("thisisalongname.com."),
+			      DATA_ITEM("a.b."),
+			      DATA_ITEM("test.net."),
+			      DATA_ITEM("whoknows.org."),
+			      DATA_ITEM("blargh.com."),
+			      DATA_ITEM("www.joe.com."),
+			      DATA_ITEM("test.com."),
+			      DATA_ITEM("isc.org."),
+			      DATA_ITEM("uiop.mil."),
+			      DATA_ITEM("last.fm."),
+			      { NULL, 0, { 0, NULL } } };
+
+static void
+delete_data(void *data, void *arg) {
+	UNUSED(arg);
+	UNUSED(data);
+}
+
+static isc_result_t
+write_data(FILE *file, unsigned char *datap, void *arg, uint64_t *crc) {
+	isc_result_t result;
+	size_t ret = 0;
+	data_holder_t *data;
+	data_holder_t temp;
+	off_t where;
+
+	UNUSED(arg);
+
+	REQUIRE(file != NULL);
+	REQUIRE(crc != NULL);
+	REQUIRE(datap != NULL);
+	data = (data_holder_t *)datap;
+	REQUIRE((data->len == 0 && data->data == NULL) ||
+		(data->len != 0 && data->data != NULL));
+
+	result = isc_stdio_tell(file, &where);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	temp = *data;
+	temp.data = (data->len == 0 ? NULL
+				    : (char *)((uintptr_t)where +
+					       sizeof(data_holder_t)));
+
+	isc_crc64_update(crc, (void *)&temp, sizeof(temp));
+	ret = fwrite(&temp, sizeof(data_holder_t), 1, file);
+	if (ret != 1) {
+		return (ISC_R_FAILURE);
+	}
+	if (data->len > 0) {
+		isc_crc64_update(crc, (const void *)data->data, data->len);
+		ret = fwrite(data->data, data->len, 1, file);
+		if (ret != 1) {
+			return (ISC_R_FAILURE);
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+fix_data(dns_rbtnode_t *p, void *base, size_t max, void *arg, uint64_t *crc) {
+	data_holder_t *data;
+	size_t size;
+
+	UNUSED(base);
+	UNUSED(max);
+	UNUSED(arg);
+
+	REQUIRE(crc != NULL);
+	REQUIRE(p != NULL);
+
+	data = p->data;
+
+	if (data == NULL || (data->len == 0 && data->data != NULL) ||
+	    (data->len != 0 && data->data == NULL))
+	{
+		return (ISC_R_INVALIDFILE);
+	}
+
+	size = max - ((char *)p - (char *)base);
+
+	if (data->len > (int)size || data->data > (const char *)max) {
+		return (ISC_R_INVALIDFILE);
+	}
+
+	isc_crc64_update(crc, (void *)data, sizeof(*data));
+
+	data->data = NULL;
+	if (data->len != 0) {
+		data->data = (char *)data + sizeof(data_holder_t);
+	}
+
+	if (data->len > 0) {
+		isc_crc64_update(crc, (const void *)data->data, data->len);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Load test data into the RBT.
+ */
+static void
+add_test_data(isc_mem_t *mctx, dns_rbt_t *rbt) {
+	char buffer[1024];
+	isc_buffer_t b;
+	isc_result_t result;
+	dns_fixedname_t fname;
+	dns_name_t *name;
+	dns_compress_t cctx;
+	rbt_testdata_t *testdatap = testdata;
+
+	dns_compress_init(&cctx, -1, mctx);
+
+	while (testdatap->name != NULL && testdatap->data.data != NULL) {
+		memmove(buffer, testdatap->name, testdatap->name_len);
+
+		isc_buffer_init(&b, buffer, testdatap->name_len);
+		isc_buffer_add(&b, testdatap->name_len);
+		name = dns_fixedname_initname(&fname);
+		result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
+		if (result != ISC_R_SUCCESS) {
+			testdatap++;
+			continue;
+		}
+
+		if (name != NULL) {
+			result = dns_rbt_addname(rbt, name, &testdatap->data);
+			assert_int_equal(result, ISC_R_SUCCESS);
+		}
+		testdatap++;
+	}
+
+	dns_compress_invalidate(&cctx);
+}
+
+/*
+ * Walk the tree and ensure that all the test nodes are present.
+ */
+static void
+check_test_data(dns_rbt_t *rbt) {
+	char buffer[1024];
+	char *arg;
+	dns_fixedname_t fname;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	isc_buffer_t b;
+	data_holder_t *data;
+	isc_result_t result;
+	dns_name_t *foundname;
+	rbt_testdata_t *testdatap = testdata;
+
+	foundname = dns_fixedname_initname(&fixed);
+
+	while (testdatap->name != NULL && testdatap->data.data != NULL) {
+		memmove(buffer, testdatap->name, testdatap->name_len + 1);
+		arg = buffer;
+
+		isc_buffer_init(&b, arg, testdatap->name_len);
+		isc_buffer_add(&b, testdatap->name_len);
+		name = dns_fixedname_initname(&fname);
+		result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
+		if (result != ISC_R_SUCCESS) {
+			testdatap++;
+			continue;
+		}
+
+		data = NULL;
+		result = dns_rbt_findname(rbt, name, 0, foundname,
+					  (void *)&data);
+		assert_int_equal(result, ISC_R_SUCCESS);
+
+		testdatap++;
+	}
+}
+
+static void
+data_printer(FILE *out, void *datap) {
+	data_holder_t *data = (data_holder_t *)datap;
+
+	fprintf(out, "%d bytes, %s", data->len, data->data);
+}
+
+/* Test writing an rbt to file */
+static void
+serialize_test(void **state) {
+	dns_rbt_t *rbt = NULL;
+	isc_result_t result;
+	FILE *rbtfile = NULL;
+	dns_rbt_t *rbt_deserialized = NULL;
+	off_t offset;
+	int fd;
+	off_t filesize = 0;
+	char *base;
+
+	UNUSED(state);
+
+	isc_mem_debugging = ISC_MEM_DEBUGRECORD;
+
+	result = dns_rbt_create(dt_mctx, delete_data, NULL, &rbt);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	add_test_data(dt_mctx, rbt);
+
+	if (verbose) {
+		dns_rbt_printtext(rbt, data_printer, stdout);
+	}
+
+	/*
+	 * Serialize the tree.
+	 */
+	rbtfile = fopen("./zone.bin", "w+b");
+	assert_non_null(rbtfile);
+	result = dns_rbt_serialize_tree(rbtfile, rbt, write_data, NULL,
+					&offset);
+	assert_true(result == ISC_R_SUCCESS);
+	dns_rbt_destroy(&rbt);
+
+	/*
+	 * Deserialize the tree.
+	 * Map in the whole file in one go
+	 */
+	fd = open("zone.bin", O_RDWR);
+	assert_int_not_equal(fd, -1);
+	isc_file_getsizefd(fd, &filesize);
+	base = mmap(NULL, filesize, PROT_READ | PROT_WRITE,
+		    MAP_FILE | MAP_PRIVATE, fd, 0);
+	assert_true(base != NULL && base != MAP_FAILED);
+	close(fd);
+
+	result = dns_rbt_deserialize_tree(base, filesize, 0, dt_mctx,
+					  delete_data, NULL, fix_data, NULL,
+					  NULL, &rbt_deserialized);
+
+	/* Test to make sure we have a valid tree */
+	assert_true(result == ISC_R_SUCCESS);
+	if (rbt_deserialized == NULL) {
+		fail_msg("deserialized rbt is null!"); /* Abort execution. */
+	}
+
+	check_test_data(rbt_deserialized);
+
+	if (verbose) {
+		dns_rbt_printtext(rbt_deserialized, data_printer, stdout);
+	}
+
+	dns_rbt_destroy(&rbt_deserialized);
+	munmap(base, filesize);
+	unlink("zone.bin");
+}
+
+/* Test reading a corrupt map file */
+static void
+deserialize_corrupt_test(void **state) {
+	dns_rbt_t *rbt = NULL;
+	isc_result_t result;
+	FILE *rbtfile = NULL;
+	off_t offset;
+	int fd;
+	off_t filesize = 0;
+	char *base, *p, *q;
+	int i;
+
+	UNUSED(state);
+
+	isc_mem_debugging = ISC_MEM_DEBUGRECORD;
+
+	/* Set up map file */
+	result = dns_rbt_create(dt_mctx, delete_data, NULL, &rbt);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	add_test_data(dt_mctx, rbt);
+	rbtfile = fopen("./zone.bin", "w+b");
+	assert_non_null(rbtfile);
+	result = dns_rbt_serialize_tree(rbtfile, rbt, write_data, NULL,
+					&offset);
+	assert_true(result == ISC_R_SUCCESS);
+	dns_rbt_destroy(&rbt);
+
+	/* Read back with random fuzzing */
+	for (i = 0; i < 256; i++) {
+		dns_rbt_t *rbt_deserialized = NULL;
+
+		fd = open("zone.bin", O_RDWR);
+		assert_int_not_equal(fd, -1);
+		isc_file_getsizefd(fd, &filesize);
+		base = mmap(NULL, filesize, PROT_READ | PROT_WRITE,
+			    MAP_FILE | MAP_PRIVATE, fd, 0);
+		assert_true(base != NULL && base != MAP_FAILED);
+		close(fd);
+
+		/* Randomly fuzz a portion of the memory */
+		/* cppcheck-suppress nullPointerArithmeticRedundantCheck */
+		p = base + (isc_random_uniform(filesize));
+		/* cppcheck-suppress nullPointerArithmeticRedundantCheck */
+		q = base + filesize;
+		q -= (isc_random_uniform(q - p));
+		while (p++ < q) {
+			*p = isc_random8();
+		}
+
+		result = dns_rbt_deserialize_tree(
+			base, filesize, 0, dt_mctx, delete_data, NULL, fix_data,
+			NULL, NULL, &rbt_deserialized);
+
+		/* Test to make sure we have a valid tree */
+		assert_true(result == ISC_R_SUCCESS ||
+			    result == ISC_R_INVALIDFILE);
+		if (result != ISC_R_SUCCESS) {
+			assert_null(rbt_deserialized);
+		}
+
+		if (rbt_deserialized != NULL) {
+			dns_rbt_destroy(&rbt_deserialized);
+		}
+
+		munmap(base, filesize);
+	}
+
+	unlink("zone.bin");
+}
+
+/* Test the dns_rbt_serialize_align() function */
+static void
+serialize_align_test(void **state) {
+	UNUSED(state);
+
+	assert_true(dns_rbt_serialize_align(0) == 0);
+	assert_true(dns_rbt_serialize_align(1) == 8);
+	assert_true(dns_rbt_serialize_align(2) == 8);
+	assert_true(dns_rbt_serialize_align(3) == 8);
+	assert_true(dns_rbt_serialize_align(4) == 8);
+	assert_true(dns_rbt_serialize_align(5) == 8);
+	assert_true(dns_rbt_serialize_align(6) == 8);
+	assert_true(dns_rbt_serialize_align(7) == 8);
+	assert_true(dns_rbt_serialize_align(8) == 8);
+	assert_true(dns_rbt_serialize_align(9) == 16);
+	assert_true(dns_rbt_serialize_align(0xff) == 0x100);
+	assert_true(dns_rbt_serialize_align(0x301) == 0x308);
+}
+
+int
+main(int argc, char **argv) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test_setup_teardown(serialize_test, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(deserialize_corrupt_test,
+						_setup, _teardown),
+		cmocka_unit_test(serialize_align_test),
+	};
+	int c;
+
+	while ((c = isc_commandline_parse(argc, argv, "v")) != -1) {
+		switch (c) {
+		case 'v':
+			verbose = true;
+			break;
+		default:
+			break;
+		}
+	}
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/dns/tests/rbt_test.c b/lib/dns/tests/rbt_test.c
new file mode 100644
index 0000000..e73ac09
--- /dev/null
+++ b/lib/dns/tests/rbt_test.c
@@ -0,0 +1,1390 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <ctype.h>
+#include <fcntl.h>
+#include <inttypes.h>
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/app.h>
+#include <isc/buffer.h>
+#include <isc/file.h>
+#include <isc/hash.h>
+#include <isc/mem.h>
+#include <isc/os.h>
+#include <isc/print.h>
+#include <isc/random.h>
+#include <isc/socket.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/thread.h>
+#include <isc/time.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/compress.h>
+#include <dns/fixedname.h>
+#include <dns/log.h>
+#include <dns/name.h>
+#include <dns/rbt.h>
+#include <dns/result.h>
+
+#include <dst/dst.h>
+
+#include "dnstest.h"
+
+typedef struct {
+	dns_rbt_t *rbt;
+	dns_rbt_t *rbt_distances;
+} test_context_t;
+
+/* The initial structure of domain tree will be as follows:
+ *
+ *	       .
+ *	       |
+ *	       b
+ *	     /	 \
+ *	    a	 d.e.f
+ *		/  |   \
+ *	       c   |	g.h
+ *		   |	 |
+ *		  w.y	 i
+ *		/  |  \	  \
+ *	       x   |   z   k
+ *		   |   |
+ *		   p   j
+ *		 /   \
+ *		o     q
+ */
+
+/* The full absolute names of the nodes in the tree (the tree also
+ * contains "." which is not included in this list).
+ */
+static const char *const domain_names[] = {
+	"c",	     "b",	    "a",	   "x.d.e.f",
+	"z.d.e.f",   "g.h",	    "i.g.h",	   "o.w.y.d.e.f",
+	"j.z.d.e.f", "p.w.y.d.e.f", "q.w.y.d.e.f", "k.g.h"
+};
+
+static const size_t domain_names_count =
+	(sizeof(domain_names) / sizeof(domain_names[0]));
+
+/* These are set as the node data for the tree used in distances check
+ * (for the names in domain_names[] above).
+ */
+static const int node_distances[] = { 3, 1, 2, 2, 2, 3, 1, 2, 1, 1, 2, 2 };
+
+/*
+ * The domain order should be:
+ * ., a, b, c, d.e.f, x.d.e.f, w.y.d.e.f, o.w.y.d.e.f, p.w.y.d.e.f,
+ * q.w.y.d.e.f, z.d.e.f, j.z.d.e.f, g.h, i.g.h, k.g.h
+ *	       . (no data, can't be found)
+ *	       |
+ *	       b
+ *	     /	 \
+ *	    a	 d.e.f
+ *		/  |   \
+ *	       c   |	g.h
+ *		   |	 |
+ *		  w.y	 i
+ *		/  |  \	  \
+ *	       x   |   z   k
+ *		   |   |
+ *		   p   j
+ *		 /   \
+ *		o     q
+ */
+
+static const char *const ordered_names[] = {
+	"a",	     "b",	    "c",	   "d.e.f",	  "x.d.e.f",
+	"w.y.d.e.f", "o.w.y.d.e.f", "p.w.y.d.e.f", "q.w.y.d.e.f", "z.d.e.f",
+	"j.z.d.e.f", "g.h",	    "i.g.h",	   "k.g.h"
+};
+
+static const size_t ordered_names_count =
+	(sizeof(ordered_names) / sizeof(*ordered_names));
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = dns_test_begin(NULL, false);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	dns_test_end();
+
+	return (0);
+}
+static void
+delete_data(void *data, void *arg) {
+	UNUSED(arg);
+
+	isc_mem_put(dt_mctx, data, sizeof(size_t));
+}
+
+static test_context_t *
+test_context_setup(void) {
+	test_context_t *ctx;
+	isc_result_t result;
+	size_t i;
+
+	ctx = isc_mem_get(dt_mctx, sizeof(*ctx));
+	assert_non_null(ctx);
+
+	ctx->rbt = NULL;
+	result = dns_rbt_create(dt_mctx, delete_data, NULL, &ctx->rbt);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	ctx->rbt_distances = NULL;
+	result = dns_rbt_create(dt_mctx, delete_data, NULL,
+				&ctx->rbt_distances);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	for (i = 0; i < domain_names_count; i++) {
+		size_t *n;
+		dns_fixedname_t fname;
+		dns_name_t *name;
+
+		dns_test_namefromstring(domain_names[i], &fname);
+
+		name = dns_fixedname_name(&fname);
+
+		n = isc_mem_get(dt_mctx, sizeof(size_t));
+		assert_non_null(n);
+		*n = i + 1;
+		result = dns_rbt_addname(ctx->rbt, name, n);
+		assert_int_equal(result, ISC_R_SUCCESS);
+
+		n = isc_mem_get(dt_mctx, sizeof(size_t));
+		assert_non_null(n);
+		*n = node_distances[i];
+		result = dns_rbt_addname(ctx->rbt_distances, name, n);
+		assert_int_equal(result, ISC_R_SUCCESS);
+	}
+
+	return (ctx);
+}
+
+static void
+test_context_teardown(test_context_t *ctx) {
+	dns_rbt_destroy(&ctx->rbt);
+	dns_rbt_destroy(&ctx->rbt_distances);
+
+	isc_mem_put(dt_mctx, ctx, sizeof(*ctx));
+}
+
+/*
+ * Walk the tree and ensure that all the test nodes are present.
+ */
+static void
+check_test_data(dns_rbt_t *rbt) {
+	dns_fixedname_t fixed;
+	isc_result_t result;
+	dns_name_t *foundname;
+	size_t i;
+
+	foundname = dns_fixedname_initname(&fixed);
+
+	for (i = 0; i < domain_names_count; i++) {
+		dns_fixedname_t fname;
+		dns_name_t *name;
+		size_t *n;
+
+		dns_test_namefromstring(domain_names[i], &fname);
+
+		name = dns_fixedname_name(&fname);
+		n = NULL;
+		result = dns_rbt_findname(rbt, name, 0, foundname, (void *)&n);
+		assert_int_equal(result, ISC_R_SUCCESS);
+		assert_int_equal(*n, i + 1);
+	}
+}
+
+/* Test the creation of an rbt */
+static void
+rbt_create(void **state) {
+	test_context_t *ctx;
+	bool tree_ok;
+
+	UNUSED(state);
+
+	isc_mem_debugging = ISC_MEM_DEBUGRECORD;
+
+	ctx = test_context_setup();
+
+	check_test_data(ctx->rbt);
+
+	tree_ok = dns__rbt_checkproperties(ctx->rbt);
+	assert_true(tree_ok);
+
+	test_context_teardown(ctx);
+}
+
+/* Test dns_rbt_nodecount() on a tree */
+static void
+rbt_nodecount(void **state) {
+	test_context_t *ctx;
+
+	UNUSED(state);
+
+	isc_mem_debugging = ISC_MEM_DEBUGRECORD;
+
+	ctx = test_context_setup();
+
+	assert_int_equal(15, dns_rbt_nodecount(ctx->rbt));
+
+	test_context_teardown(ctx);
+}
+
+/* Test dns_rbtnode_get_distance() on a tree */
+static void
+rbtnode_get_distance(void **state) {
+	isc_result_t result;
+	test_context_t *ctx;
+	const char *name_str = "a";
+	dns_fixedname_t fname;
+	dns_name_t *name;
+	dns_rbtnode_t *node = NULL;
+	dns_rbtnodechain_t chain;
+
+	UNUSED(state);
+
+	isc_mem_debugging = ISC_MEM_DEBUGRECORD;
+
+	ctx = test_context_setup();
+
+	dns_test_namefromstring(name_str, &fname);
+	name = dns_fixedname_name(&fname);
+
+	dns_rbtnodechain_init(&chain);
+
+	result = dns_rbt_findnode(ctx->rbt_distances, name, NULL, &node, &chain,
+				  0, NULL, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	while (node != NULL) {
+		const size_t *distance = (const size_t *)node->data;
+		if (distance != NULL) {
+			assert_int_equal(*distance,
+					 dns__rbtnode_getdistance(node));
+		}
+		result = dns_rbtnodechain_next(&chain, NULL, NULL);
+		if (result == ISC_R_NOMORE) {
+			break;
+		}
+		dns_rbtnodechain_current(&chain, NULL, NULL, &node);
+	}
+
+	assert_int_equal(result, ISC_R_NOMORE);
+
+	dns_rbtnodechain_invalidate(&chain);
+
+	test_context_teardown(ctx);
+}
+
+/*
+ * Test tree balance, inserting names in random order.
+ *
+ * This test checks an important performance-related property of
+ * the red-black tree, which is important for us: the longest
+ * path from a sub-tree's root to a node is no more than
+ * 2log(n). This check verifies that the tree is balanced.
+ */
+static void
+rbt_check_distance_random(void **state) {
+	dns_rbt_t *mytree = NULL;
+	const unsigned int log_num_nodes = 16;
+	isc_result_t result;
+	bool tree_ok;
+	int i;
+
+	UNUSED(state);
+
+	isc_mem_debugging = ISC_MEM_DEBUGRECORD;
+
+	result = dns_rbt_create(dt_mctx, delete_data, NULL, &mytree);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/* Names are inserted in random order. */
+
+	/* Make a large 65536 node top-level domain tree, i.e., the
+	 * following code inserts names such as:
+	 *
+	 * savoucnsrkrqzpkqypbygwoiliawpbmz.
+	 * wkadamcbbpjtundbxcmuayuycposvngx.
+	 * wzbpznemtooxdpjecdxynsfztvnuyfao.
+	 * yueojmhyffslpvfmgyfwioxegfhepnqq.
+	 */
+	for (i = 0; i < (1 << log_num_nodes); i++) {
+		size_t *n;
+		char namebuf[34];
+
+		n = isc_mem_get(dt_mctx, sizeof(size_t));
+		assert_non_null(n);
+		*n = i + 1;
+
+		while (1) {
+			int j;
+			dns_fixedname_t fname;
+			dns_name_t *name;
+
+			for (j = 0; j < 32; j++) {
+				uint32_t v = isc_random_uniform(26);
+				namebuf[j] = 'a' + v;
+			}
+			namebuf[32] = '.';
+			namebuf[33] = 0;
+
+			dns_test_namefromstring(namebuf, &fname);
+			name = dns_fixedname_name(&fname);
+
+			result = dns_rbt_addname(mytree, name, n);
+			if (result == ISC_R_SUCCESS) {
+				break;
+			}
+		}
+	}
+
+	/* 1 (root . node) + (1 << log_num_nodes) */
+	assert_int_equal(1U + (1U << log_num_nodes), dns_rbt_nodecount(mytree));
+
+	/* The distance from each node to its sub-tree root must be less
+	 * than 2 * log(n).
+	 */
+	assert_true((2U * log_num_nodes) >= dns__rbt_getheight(mytree));
+
+	/* Also check RB tree properties */
+	tree_ok = dns__rbt_checkproperties(mytree);
+	assert_true(tree_ok);
+
+	dns_rbt_destroy(&mytree);
+}
+
+/*
+ * Test tree balance, inserting names in sorted order.
+ *
+ * This test checks an important performance-related property of
+ * the red-black tree, which is important for us: the longest
+ * path from a sub-tree's root to a node is no more than
+ * 2log(n). This check verifies that the tree is balanced.
+ */
+static void
+rbt_check_distance_ordered(void **state) {
+	dns_rbt_t *mytree = NULL;
+	const unsigned int log_num_nodes = 16;
+	isc_result_t result;
+	bool tree_ok;
+	int i;
+
+	UNUSED(state);
+
+	isc_mem_debugging = ISC_MEM_DEBUGRECORD;
+
+	result = dns_rbt_create(dt_mctx, delete_data, NULL, &mytree);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/* Names are inserted in sorted order. */
+
+	/* Make a large 65536 node top-level domain tree, i.e., the
+	 * following code inserts names such as:
+	 *
+	 *   name00000000.
+	 *   name00000001.
+	 *   name00000002.
+	 *   name00000003.
+	 */
+	for (i = 0; i < (1 << log_num_nodes); i++) {
+		size_t *n;
+		char namebuf[14];
+		dns_fixedname_t fname;
+		dns_name_t *name;
+
+		n = isc_mem_get(dt_mctx, sizeof(size_t));
+		assert_non_null(n);
+		*n = i + 1;
+
+		snprintf(namebuf, sizeof(namebuf), "name%08x.", i);
+		dns_test_namefromstring(namebuf, &fname);
+		name = dns_fixedname_name(&fname);
+
+		result = dns_rbt_addname(mytree, name, n);
+		assert_int_equal(result, ISC_R_SUCCESS);
+	}
+
+	/* 1 (root . node) + (1 << log_num_nodes) */
+	assert_int_equal(1U + (1U << log_num_nodes), dns_rbt_nodecount(mytree));
+
+	/* The distance from each node to its sub-tree root must be less
+	 * than 2 * log(n).
+	 */
+	assert_true((2U * log_num_nodes) >= dns__rbt_getheight(mytree));
+
+	/* Also check RB tree properties */
+	tree_ok = dns__rbt_checkproperties(mytree);
+	assert_true(tree_ok);
+
+	dns_rbt_destroy(&mytree);
+}
+
+static isc_result_t
+insert_helper(dns_rbt_t *rbt, const char *namestr, dns_rbtnode_t **node) {
+	dns_fixedname_t fname;
+	dns_name_t *name;
+
+	dns_test_namefromstring(namestr, &fname);
+	name = dns_fixedname_name(&fname);
+
+	return (dns_rbt_addnode(rbt, name, node));
+}
+
+static bool
+compare_labelsequences(dns_rbtnode_t *node, const char *labelstr) {
+	dns_name_t name;
+	isc_result_t result;
+	char *nodestr = NULL;
+	bool is_equal;
+
+	dns_name_init(&name, NULL);
+	dns_rbt_namefromnode(node, &name);
+
+	result = dns_name_tostring(&name, &nodestr, dt_mctx);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	is_equal = strcmp(labelstr, nodestr) == 0 ? true : false;
+
+	isc_mem_free(dt_mctx, nodestr);
+
+	return (is_equal);
+}
+
+/* Test insertion into a tree */
+static void
+rbt_insert(void **state) {
+	isc_result_t result;
+	test_context_t *ctx;
+	dns_rbtnode_t *node;
+
+	UNUSED(state);
+
+	isc_mem_debugging = ISC_MEM_DEBUGRECORD;
+
+	ctx = test_context_setup();
+
+	/* Check node count before beginning. */
+	assert_int_equal(15, dns_rbt_nodecount(ctx->rbt));
+
+	/* Try to insert a node that already exists. */
+	node = NULL;
+	result = insert_helper(ctx->rbt, "d.e.f", &node);
+	assert_int_equal(result, ISC_R_EXISTS);
+
+	/* Node count must not have changed. */
+	assert_int_equal(15, dns_rbt_nodecount(ctx->rbt));
+
+	/* Try to insert a node that doesn't exist. */
+	node = NULL;
+	result = insert_helper(ctx->rbt, "0", &node);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_true(compare_labelsequences(node, "0"));
+
+	/* Node count must have increased. */
+	assert_int_equal(16, dns_rbt_nodecount(ctx->rbt));
+
+	/* Another. */
+	node = NULL;
+	result = insert_helper(ctx->rbt, "example.com", &node);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_non_null(node);
+	assert_null(node->data);
+
+	/* Node count must have increased. */
+	assert_int_equal(17, dns_rbt_nodecount(ctx->rbt));
+
+	/* Re-adding it should return EXISTS */
+	node = NULL;
+	result = insert_helper(ctx->rbt, "example.com", &node);
+	assert_int_equal(result, ISC_R_EXISTS);
+
+	/* Node count must not have changed. */
+	assert_int_equal(17, dns_rbt_nodecount(ctx->rbt));
+
+	/* Fission the node d.e.f */
+	node = NULL;
+	result = insert_helper(ctx->rbt, "k.e.f", &node);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_true(compare_labelsequences(node, "k"));
+
+	/* Node count must have incremented twice ("d.e.f" fissioned to
+	 * "d" and "e.f", and the newly added "k").
+	 */
+	assert_int_equal(19, dns_rbt_nodecount(ctx->rbt));
+
+	/* Fission the node "g.h" */
+	node = NULL;
+	result = insert_helper(ctx->rbt, "h", &node);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_true(compare_labelsequences(node, "h"));
+
+	/* Node count must have incremented ("g.h" fissioned to "g" and
+	 * "h").
+	 */
+	assert_int_equal(20, dns_rbt_nodecount(ctx->rbt));
+
+	/* Add child domains */
+
+	node = NULL;
+	result = insert_helper(ctx->rbt, "m.p.w.y.d.e.f", &node);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_true(compare_labelsequences(node, "m"));
+	assert_int_equal(21, dns_rbt_nodecount(ctx->rbt));
+
+	node = NULL;
+	result = insert_helper(ctx->rbt, "n.p.w.y.d.e.f", &node);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_true(compare_labelsequences(node, "n"));
+	assert_int_equal(22, dns_rbt_nodecount(ctx->rbt));
+
+	node = NULL;
+	result = insert_helper(ctx->rbt, "l.a", &node);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_true(compare_labelsequences(node, "l"));
+	assert_int_equal(23, dns_rbt_nodecount(ctx->rbt));
+
+	node = NULL;
+	result = insert_helper(ctx->rbt, "r.d.e.f", &node);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	node = NULL;
+	result = insert_helper(ctx->rbt, "s.d.e.f", &node);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(25, dns_rbt_nodecount(ctx->rbt));
+
+	node = NULL;
+	result = insert_helper(ctx->rbt, "h.w.y.d.e.f", &node);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/* Add more nodes one by one to cover left and right rotation
+	 * functions.
+	 */
+	node = NULL;
+	result = insert_helper(ctx->rbt, "f", &node);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	node = NULL;
+	result = insert_helper(ctx->rbt, "m", &node);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	node = NULL;
+	result = insert_helper(ctx->rbt, "nm", &node);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	node = NULL;
+	result = insert_helper(ctx->rbt, "om", &node);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	node = NULL;
+	result = insert_helper(ctx->rbt, "k", &node);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	node = NULL;
+	result = insert_helper(ctx->rbt, "l", &node);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	node = NULL;
+	result = insert_helper(ctx->rbt, "fe", &node);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	node = NULL;
+	result = insert_helper(ctx->rbt, "ge", &node);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	node = NULL;
+	result = insert_helper(ctx->rbt, "i", &node);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	node = NULL;
+	result = insert_helper(ctx->rbt, "ae", &node);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	node = NULL;
+	result = insert_helper(ctx->rbt, "n", &node);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	test_context_teardown(ctx);
+}
+
+/*
+ * Test removal from a tree
+ *
+ * This testcase checks that after node removal, the binary-search tree is
+ * valid and all nodes that are supposed to exist are present in the
+ * correct order. It mainly tests DomainTree as a BST, and not particularly
+ * as a red-black tree. This test checks node deletion when upper nodes
+ * have data.
+ */
+static void
+rbt_remove(void **state) {
+	isc_result_t result;
+	size_t j;
+
+	UNUSED(state);
+
+	isc_mem_debugging = ISC_MEM_DEBUGRECORD;
+
+	/*
+	 * Delete single nodes and check if the rest of the nodes exist.
+	 */
+	for (j = 0; j < ordered_names_count; j++) {
+		dns_rbt_t *mytree = NULL;
+		dns_rbtnode_t *node;
+		size_t i;
+		size_t *n;
+		bool tree_ok;
+		dns_rbtnodechain_t chain;
+		size_t start_node;
+
+		/* Create a tree. */
+		result = dns_rbt_create(dt_mctx, delete_data, NULL, &mytree);
+		assert_int_equal(result, ISC_R_SUCCESS);
+
+		/* Insert test data into the tree. */
+		for (i = 0; i < domain_names_count; i++) {
+			node = NULL;
+			result = insert_helper(mytree, domain_names[i], &node);
+			assert_int_equal(result, ISC_R_SUCCESS);
+		}
+
+		/* Check that all names exist in order. */
+		for (i = 0; i < ordered_names_count; i++) {
+			dns_fixedname_t fname;
+			dns_name_t *name;
+
+			dns_test_namefromstring(ordered_names[i], &fname);
+
+			name = dns_fixedname_name(&fname);
+			node = NULL;
+			result = dns_rbt_findnode(mytree, name, NULL, &node,
+						  NULL, DNS_RBTFIND_EMPTYDATA,
+						  NULL, NULL);
+			assert_int_equal(result, ISC_R_SUCCESS);
+
+			/* Add node data */
+			assert_non_null(node);
+			assert_null(node->data);
+
+			n = isc_mem_get(dt_mctx, sizeof(size_t));
+			assert_non_null(n);
+			*n = i;
+
+			node->data = n;
+		}
+
+		/* Now, delete the j'th node from the tree. */
+		{
+			dns_fixedname_t fname;
+			dns_name_t *name;
+
+			dns_test_namefromstring(ordered_names[j], &fname);
+
+			name = dns_fixedname_name(&fname);
+
+			result = dns_rbt_deletename(mytree, name, false);
+			assert_int_equal(result, ISC_R_SUCCESS);
+		}
+
+		/* Check RB tree properties. */
+		tree_ok = dns__rbt_checkproperties(mytree);
+		assert_true(tree_ok);
+
+		dns_rbtnodechain_init(&chain);
+
+		/* Now, walk through nodes in order. */
+		if (j == 0) {
+			/*
+			 * Node for ordered_names[0] was already deleted
+			 * above. We start from node 1.
+			 */
+			dns_fixedname_t fname;
+			dns_name_t *name;
+
+			dns_test_namefromstring(ordered_names[0], &fname);
+			name = dns_fixedname_name(&fname);
+			node = NULL;
+			result = dns_rbt_findnode(mytree, name, NULL, &node,
+						  NULL, 0, NULL, NULL);
+			assert_int_equal(result, ISC_R_NOTFOUND);
+
+			dns_test_namefromstring(ordered_names[1], &fname);
+			name = dns_fixedname_name(&fname);
+			node = NULL;
+			result = dns_rbt_findnode(mytree, name, NULL, &node,
+						  &chain, 0, NULL, NULL);
+			assert_int_equal(result, ISC_R_SUCCESS);
+			start_node = 1;
+		} else {
+			/* Start from node 0. */
+			dns_fixedname_t fname;
+			dns_name_t *name;
+
+			dns_test_namefromstring(ordered_names[0], &fname);
+			name = dns_fixedname_name(&fname);
+			node = NULL;
+			result = dns_rbt_findnode(mytree, name, NULL, &node,
+						  &chain, 0, NULL, NULL);
+			assert_int_equal(result, ISC_R_SUCCESS);
+			start_node = 0;
+		}
+
+		/*
+		 * node and chain have been set by the code above at
+		 * this point.
+		 */
+		for (i = start_node; i < ordered_names_count; i++) {
+			dns_fixedname_t fname_j, fname_i;
+			dns_name_t *name_j, *name_i;
+
+			dns_test_namefromstring(ordered_names[j], &fname_j);
+			name_j = dns_fixedname_name(&fname_j);
+			dns_test_namefromstring(ordered_names[i], &fname_i);
+			name_i = dns_fixedname_name(&fname_i);
+
+			if (dns_name_equal(name_i, name_j)) {
+				/*
+				 * This may be true for the last node if
+				 * we seek ahead in the loop using
+				 * dns_rbtnodechain_next() below.
+				 */
+				if (node == NULL) {
+					break;
+				}
+
+				/* All ordered nodes have data
+				 * initially. If any node is empty, it
+				 * means it was removed, but an empty
+				 * node exists because it is a
+				 * super-domain. Just skip it.
+				 */
+				if (node->data == NULL) {
+					result = dns_rbtnodechain_next(
+						&chain, NULL, NULL);
+					if (result == ISC_R_NOMORE) {
+						node = NULL;
+					} else {
+						dns_rbtnodechain_current(
+							&chain, NULL, NULL,
+							&node);
+					}
+				}
+				continue;
+			}
+
+			assert_non_null(node);
+
+			n = (size_t *)node->data;
+			if (n != NULL) {
+				/* printf("n=%zu, i=%zu\n", *n, i); */
+				assert_int_equal(*n, i);
+			}
+
+			result = dns_rbtnodechain_next(&chain, NULL, NULL);
+			if (result == ISC_R_NOMORE) {
+				node = NULL;
+			} else {
+				dns_rbtnodechain_current(&chain, NULL, NULL,
+							 &node);
+			}
+		}
+
+		/* We should have reached the end of the tree. */
+		assert_null(node);
+
+		dns_rbt_destroy(&mytree);
+	}
+}
+
+static void
+insert_nodes(dns_rbt_t *mytree, char **names, size_t *names_count,
+	     uint32_t num_names) {
+	uint32_t i;
+	dns_rbtnode_t *node;
+
+	for (i = 0; i < num_names; i++) {
+		size_t *n;
+		char namebuf[34];
+
+		n = isc_mem_get(dt_mctx, sizeof(size_t));
+		assert_non_null(n);
+
+		*n = i; /* Unused value */
+
+		while (1) {
+			int j;
+			dns_fixedname_t fname;
+			dns_name_t *name;
+			isc_result_t result;
+
+			for (j = 0; j < 32; j++) {
+				uint32_t v = isc_random_uniform(26);
+				namebuf[j] = 'a' + v;
+			}
+			namebuf[32] = '.';
+			namebuf[33] = 0;
+
+			dns_test_namefromstring(namebuf, &fname);
+			name = dns_fixedname_name(&fname);
+
+			node = NULL;
+			result = dns_rbt_addnode(mytree, name, &node);
+			if (result == ISC_R_SUCCESS) {
+				node->data = n;
+				names[*names_count] = isc_mem_strdup(dt_mctx,
+								     namebuf);
+				assert_non_null(names[*names_count]);
+				*names_count += 1;
+				break;
+			}
+		}
+	}
+}
+
+static void
+remove_nodes(dns_rbt_t *mytree, char **names, size_t *names_count,
+	     uint32_t num_names) {
+	uint32_t i;
+
+	UNUSED(mytree);
+
+	for (i = 0; i < num_names; i++) {
+		uint32_t node;
+		dns_fixedname_t fname;
+		dns_name_t *name;
+		isc_result_t result;
+
+		node = isc_random_uniform(*names_count);
+
+		dns_test_namefromstring(names[node], &fname);
+		name = dns_fixedname_name(&fname);
+
+		result = dns_rbt_deletename(mytree, name, false);
+		assert_int_equal(result, ISC_R_SUCCESS);
+
+		isc_mem_free(dt_mctx, names[node]);
+		if (*names_count > 0) {
+			names[node] = names[*names_count - 1];
+			names[*names_count - 1] = NULL;
+			*names_count -= 1;
+		}
+	}
+}
+
+static void
+check_tree(dns_rbt_t *mytree, char **names, size_t names_count) {
+	bool tree_ok;
+
+	UNUSED(names);
+
+	assert_int_equal(names_count + 1, dns_rbt_nodecount(mytree));
+
+	/*
+	 * The distance from each node to its sub-tree root must be less
+	 * than 2 * log_2(1024).
+	 */
+	assert_true((2 * 10) >= dns__rbt_getheight(mytree));
+
+	/* Also check RB tree properties */
+	tree_ok = dns__rbt_checkproperties(mytree);
+	assert_true(tree_ok);
+}
+
+/*
+ * Test insert and remove in a loop.
+ *
+ * What is the best way to test our red-black tree code? It is
+ * not a good method to test every case handled in the actual
+ * code itself. This is because our approach itself may be
+ * incorrect.
+ *
+ * We test our code at the interface level here by exercising the
+ * tree randomly multiple times, checking that red-black tree
+ * properties are valid, and all the nodes that are supposed to be
+ * in the tree exist and are in order.
+ *
+ * NOTE: These tests are run within a single tree level in the
+ * forest. The number of nodes in the tree level doesn't grow
+ * over 1024.
+ */
+static void
+rbt_insert_and_remove(void **state) {
+	isc_result_t result;
+	dns_rbt_t *mytree = NULL;
+	size_t *n;
+	char *names[1024];
+	size_t names_count;
+	int i;
+
+	UNUSED(state);
+
+	isc_mem_debugging = ISC_MEM_DEBUGRECORD;
+
+	result = dns_rbt_create(dt_mctx, delete_data, NULL, &mytree);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	n = isc_mem_get(dt_mctx, sizeof(size_t));
+	assert_non_null(n);
+	result = dns_rbt_addname(mytree, dns_rootname, n);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	memset(names, 0, sizeof(names));
+	names_count = 0;
+
+	/* Repeat the insert/remove test some 4096 times */
+	for (i = 0; i < 4096; i++) {
+		uint32_t num_names;
+
+		if (names_count < 1024) {
+			num_names = isc_random_uniform(1024 - names_count);
+			num_names++;
+		} else {
+			num_names = 0;
+		}
+
+		insert_nodes(mytree, names, &names_count, num_names);
+		check_tree(mytree, names, names_count);
+
+		if (names_count > 0) {
+			num_names = isc_random_uniform(names_count);
+			num_names++;
+		} else {
+			num_names = 0;
+		}
+
+		remove_nodes(mytree, names, &names_count, num_names);
+		check_tree(mytree, names, names_count);
+	}
+
+	/* Remove the rest of the nodes */
+	remove_nodes(mytree, names, &names_count, names_count);
+	check_tree(mytree, names, names_count);
+
+	for (i = 0; i < 1024; i++) {
+		if (names[i] != NULL) {
+			isc_mem_free(dt_mctx, names[i]);
+		}
+	}
+
+	result = dns_rbt_deletename(mytree, dns_rootname, false);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(dns_rbt_nodecount(mytree), 0);
+
+	dns_rbt_destroy(&mytree);
+}
+
+/* Test findname return values */
+static void
+rbt_findname(void **state) {
+	isc_result_t result;
+	test_context_t *ctx = NULL;
+	dns_fixedname_t fname, found;
+	dns_name_t *name = NULL, *foundname = NULL;
+	size_t *n = NULL;
+
+	UNUSED(state);
+
+	isc_mem_debugging = ISC_MEM_DEBUGRECORD;
+
+	ctx = test_context_setup();
+
+	/* Try to find a name that exists. */
+	dns_test_namefromstring("d.e.f", &fname);
+	name = dns_fixedname_name(&fname);
+
+	foundname = dns_fixedname_initname(&found);
+
+	result = dns_rbt_findname(ctx->rbt, name, DNS_RBTFIND_EMPTYDATA,
+				  foundname, (void *)&n);
+	assert_true(dns_name_equal(foundname, name));
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/* Now without EMPTYDATA */
+	result = dns_rbt_findname(ctx->rbt, name, 0, foundname, (void *)&n);
+	assert_int_equal(result, ISC_R_NOTFOUND);
+
+	/* Now one that partially matches */
+	dns_test_namefromstring("d.e.f.g.h.i.j", &fname);
+	name = dns_fixedname_name(&fname);
+	result = dns_rbt_findname(ctx->rbt, name, DNS_RBTFIND_EMPTYDATA,
+				  foundname, (void *)&n);
+	assert_int_equal(result, DNS_R_PARTIALMATCH);
+
+	/* Now one that doesn't match */
+	dns_test_namefromstring("1.2", &fname);
+	name = dns_fixedname_name(&fname);
+	result = dns_rbt_findname(ctx->rbt, name, DNS_RBTFIND_EMPTYDATA,
+				  foundname, (void *)&n);
+	assert_int_equal(result, DNS_R_PARTIALMATCH);
+	assert_true(dns_name_equal(foundname, dns_rootname));
+
+	test_context_teardown(ctx);
+}
+
+/* Test addname return values */
+static void
+rbt_addname(void **state) {
+	isc_result_t result;
+	test_context_t *ctx = NULL;
+	dns_fixedname_t fname;
+	dns_name_t *name = NULL;
+	size_t *n;
+
+	UNUSED(state);
+
+	isc_mem_debugging = ISC_MEM_DEBUGRECORD;
+
+	ctx = test_context_setup();
+
+	n = isc_mem_get(dt_mctx, sizeof(size_t));
+	assert_non_null(n);
+	*n = 1;
+
+	dns_test_namefromstring("d.e.f.g.h.i.j.k", &fname);
+	name = dns_fixedname_name(&fname);
+
+	/* Add a name that doesn't exist */
+	result = dns_rbt_addname(ctx->rbt, name, n);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/* Now add again, should get ISC_R_EXISTS */
+	n = isc_mem_get(dt_mctx, sizeof(size_t));
+	assert_non_null(n);
+	*n = 2;
+	result = dns_rbt_addname(ctx->rbt, name, n);
+	assert_int_equal(result, ISC_R_EXISTS);
+	isc_mem_put(dt_mctx, n, sizeof(size_t));
+
+	test_context_teardown(ctx);
+}
+
+/* Test deletename return values */
+static void
+rbt_deletename(void **state) {
+	isc_result_t result;
+	test_context_t *ctx = NULL;
+	dns_fixedname_t fname;
+	dns_name_t *name = NULL;
+
+	UNUSED(state);
+
+	isc_mem_debugging = ISC_MEM_DEBUGRECORD;
+
+	ctx = test_context_setup();
+
+	/* Delete a name that doesn't exist */
+	dns_test_namefromstring("z.x.y.w", &fname);
+	name = dns_fixedname_name(&fname);
+	result = dns_rbt_deletename(ctx->rbt, name, false);
+	assert_int_equal(result, ISC_R_NOTFOUND);
+
+	/* Now one that does */
+	dns_test_namefromstring("d.e.f", &fname);
+	name = dns_fixedname_name(&fname);
+	result = dns_rbt_deletename(ctx->rbt, name, false);
+	assert_int_equal(result, ISC_R_NOTFOUND);
+
+	test_context_teardown(ctx);
+}
+
+/* Test nodechain */
+static void
+rbt_nodechain(void **state) {
+	isc_result_t result;
+	test_context_t *ctx;
+	dns_fixedname_t fname, found, expect;
+	dns_name_t *name, *foundname, *expected;
+	dns_rbtnode_t *node = NULL;
+	dns_rbtnodechain_t chain;
+
+	UNUSED(state);
+
+	isc_mem_debugging = ISC_MEM_DEBUGRECORD;
+
+	ctx = test_context_setup();
+
+	dns_rbtnodechain_init(&chain);
+
+	dns_test_namefromstring("a", &fname);
+	name = dns_fixedname_name(&fname);
+
+	result = dns_rbt_findnode(ctx->rbt, name, NULL, &node, &chain, 0, NULL,
+				  NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	foundname = dns_fixedname_initname(&found);
+
+	dns_test_namefromstring("a", &expect);
+	expected = dns_fixedname_name(&expect);
+	UNUSED(expected);
+
+	result = dns_rbtnodechain_first(&chain, ctx->rbt, foundname, NULL);
+	assert_int_equal(result, DNS_R_NEWORIGIN);
+	assert_int_equal(dns_name_countlabels(foundname), 0);
+
+	result = dns_rbtnodechain_prev(&chain, NULL, NULL);
+	assert_int_equal(result, ISC_R_NOMORE);
+
+	result = dns_rbtnodechain_next(&chain, NULL, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_rbtnodechain_next(&chain, NULL, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_rbtnodechain_last(&chain, ctx->rbt, NULL, NULL);
+	assert_int_equal(result, DNS_R_NEWORIGIN);
+
+	result = dns_rbtnodechain_next(&chain, NULL, NULL);
+	assert_int_equal(result, ISC_R_NOMORE);
+
+	result = dns_rbtnodechain_last(&chain, ctx->rbt, NULL, NULL);
+	assert_int_equal(result, DNS_R_NEWORIGIN);
+
+	result = dns_rbtnodechain_prev(&chain, NULL, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	dns_rbtnodechain_invalidate(&chain);
+
+	test_context_teardown(ctx);
+}
+
+/* Test addname return values */
+static void
+rbtnode_namelen(void **state) {
+	isc_result_t result;
+	test_context_t *ctx = NULL;
+	dns_rbtnode_t *node;
+	unsigned int len;
+
+	UNUSED(state);
+
+	isc_mem_debugging = ISC_MEM_DEBUGRECORD;
+
+	ctx = test_context_setup();
+
+	node = NULL;
+	result = insert_helper(ctx->rbt, ".", &node);
+	len = dns__rbtnode_namelen(node);
+	assert_int_equal(result, ISC_R_EXISTS);
+	assert_int_equal(len, 1);
+	node = NULL;
+
+	result = insert_helper(ctx->rbt, "a.b.c.d.e.f.g.h.i.j.k.l.m", &node);
+	len = dns__rbtnode_namelen(node);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(len, 27);
+
+	node = NULL;
+	result = insert_helper(ctx->rbt, "isc.org", &node);
+	len = dns__rbtnode_namelen(node);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(len, 9);
+
+	node = NULL;
+	result = insert_helper(ctx->rbt, "example.com", &node);
+	len = dns__rbtnode_namelen(node);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(len, 13);
+
+	test_context_teardown(ctx);
+}
+
+#if defined(DNS_BENCHMARK_TESTS) && !defined(__SANITIZE_THREAD__)
+
+/*
+ * XXXMUKS: Don't delete this code. It is useful in benchmarking the
+ * RBT, but we don't require it as part of the unit test runs.
+ */
+
+static dns_fixedname_t *fnames;
+static dns_name_t **names;
+static int *values;
+
+static void *
+find_thread(void *arg) {
+	dns_rbt_t *mytree;
+	isc_result_t result;
+	dns_rbtnode_t *node;
+	unsigned int j, i;
+	unsigned int start = 0;
+
+	mytree = (dns_rbt_t *)arg;
+	while (start == 0) {
+		start = random() % 4000000;
+	}
+
+	/* Query 32 million random names from it in each thread */
+	for (j = 0; j < 8; j++) {
+		for (i = start; i != start - 1; i = (i + 1) % 4000000) {
+			node = NULL;
+			result = dns_rbt_findnode(mytree, names[i], NULL, &node,
+						  NULL, DNS_RBTFIND_EMPTYDATA,
+						  NULL, NULL);
+			assert_int_equal(result, ISC_R_SUCCESS);
+			assert_non_null(node);
+			assert_int_equal(values[i], (intptr_t)node->data);
+		}
+	}
+
+	return (NULL);
+}
+
+/* Benchmark RBT implementation */
+static void
+benchmark(void **state) {
+	isc_result_t result;
+	char namestr[sizeof("name18446744073709551616.example.org.")];
+	unsigned int r;
+	dns_rbt_t *mytree;
+	dns_rbtnode_t *node;
+	unsigned int i;
+	unsigned int maxvalue = 1000000;
+	isc_time_t ts1, ts2;
+	double t;
+	unsigned int nthreads;
+	isc_thread_t threads[32];
+
+	UNUSED(state);
+
+	srandom(time(NULL));
+
+	debug_mem_record = false;
+
+	fnames = (dns_fixedname_t *)malloc(4000000 * sizeof(dns_fixedname_t));
+	names = (dns_name_t **)malloc(4000000 * sizeof(dns_name_t *));
+	values = (int *)malloc(4000000 * sizeof(int));
+
+	for (i = 0; i < 4000000; i++) {
+		r = ((unsigned long)random()) % maxvalue;
+		snprintf(namestr, sizeof(namestr), "name%u.example.org.", r);
+		dns_test_namefromstring(namestr, &fnames[i]);
+		names[i] = dns_fixedname_name(&fnames[i]);
+		values[i] = r;
+	}
+
+	/* Create a tree. */
+	mytree = NULL;
+	result = dns_rbt_create(dt_mctx, NULL, NULL, &mytree);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/* Insert test data into the tree. */
+	for (i = 0; i < maxvalue; i++) {
+		snprintf(namestr, sizeof(namestr), "name%u.example.org.", i);
+		node = NULL;
+		result = insert_helper(mytree, namestr, &node);
+		assert_int_equal(result, ISC_R_SUCCESS);
+		node->data = (void *)(intptr_t)i;
+	}
+
+	result = isc_time_now(&ts1);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	nthreads = ISC_MIN(isc_os_ncpus(), 32);
+	nthreads = ISC_MAX(nthreads, 1);
+	for (i = 0; i < nthreads; i++) {
+		isc_thread_create(find_thread, mytree, &threads[i]);
+	}
+
+	for (i = 0; i < nthreads; i++) {
+		isc_thread_join(threads[i], NULL);
+	}
+
+	result = isc_time_now(&ts2);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	t = isc_time_microdiff(&ts2, &ts1);
+
+	printf("%u findnode calls, %f seconds, %f calls/second\n",
+	       nthreads * 8 * 4000000, t / 1000000.0,
+	       (nthreads * 8 * 4000000) / (t / 1000000.0));
+
+	free(values);
+	free(names);
+	free(fnames);
+
+	dns_rbt_destroy(&mytree);
+}
+#endif /* defined(DNS_BENCHMARK_TESTS) && !defined(__SANITIZE_THREAD__)  */
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test_setup_teardown(rbt_create, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(rbt_nodecount, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(rbtnode_get_distance, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(rbt_check_distance_random,
+						_setup, _teardown),
+		cmocka_unit_test_setup_teardown(rbt_check_distance_ordered,
+						_setup, _teardown),
+		cmocka_unit_test_setup_teardown(rbt_insert, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(rbt_remove, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(rbt_insert_and_remove, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(rbt_findname, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(rbt_addname, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(rbt_deletename, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(rbt_nodechain, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(rbtnode_namelen, _setup,
+						_teardown),
+#if defined(DNS_BENCHMARK_TESTS) && !defined(__SANITIZE_THREAD__)
+		cmocka_unit_test_setup_teardown(benchmark, _setup, _teardown),
+#endif /* defined(DNS_BENCHMARK_TESTS) && !defined(__SANITIZE_THREAD__) */
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/dns/tests/rbtdb_test.c b/lib/dns/tests/rbtdb_test.c
new file mode 100644
index 0000000..ac7b776
--- /dev/null
+++ b/lib/dns/tests/rbtdb_test.c
@@ -0,0 +1,423 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/print.h>
+#include <isc/util.h>
+
+#include <dns/rbt.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+
+#include "dnstest.h"
+
+/* Include the main file */
+
+#include "../rbtdb.c"
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = dns_test_begin(NULL, false);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	dns_test_end();
+
+	return (0);
+}
+
+const char *ownercase_vectors[12][2] = {
+	{
+		"AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz",
+		"aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz",
+	},
+	{
+		"aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz",
+		"AABBCCDDEEFFGGHHIIJJKKLLMMNNOOPPQQRRSSTTUUVVWWXXYYZZ",
+	},
+	{
+		"AABBCCDDEEFFGGHHIIJJKKLLMMNNOOPPQQRRSSTTUUVVWWXXYYZZ",
+		"aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz",
+	},
+	{
+		"aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ",
+		"aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz",
+	},
+	{
+		"aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVxXyYzZ",
+		"aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvxxyyzz",
+	},
+	{
+		"WwW.ExAmPlE.OrG",
+		"wWw.eXaMpLe.oRg",
+	},
+	{
+		"_SIP.tcp.example.org",
+		"_sip.TCP.example.org",
+	},
+	{
+		"bind-USERS.lists.example.org",
+		"bind-users.lists.example.org",
+	},
+	{
+		"a0123456789.example.org",
+		"A0123456789.example.org",
+	},
+	{
+		"\\000.example.org",
+		"\\000.example.org",
+	},
+	{
+		"wWw.\\000.isc.org",
+		"www.\\000.isc.org",
+	},
+	{
+		"\255.example.org",
+		"\255.example.ORG",
+	}
+};
+
+static bool
+ownercase_test_one(const char *str1, const char *str2) {
+	isc_result_t result;
+	rbtdb_nodelock_t node_locks[1];
+	dns_rbtdb_t rbtdb = { .node_locks = node_locks };
+	dns_rbtnode_t rbtnode = { .locknum = 0 };
+	rdatasetheader_t header = { 0 };
+	unsigned char *raw = (unsigned char *)(&header) + sizeof(header);
+	dns_rdataset_t rdataset = {
+		.magic = DNS_RDATASET_MAGIC,
+		.private1 = &rbtdb,
+		.private2 = &rbtnode,
+		.private3 = raw,
+		.methods = &rdataset_methods,
+	};
+
+	isc_buffer_t b;
+	dns_fixedname_t fname1, fname2;
+	dns_name_t *name1, *name2;
+
+	memset(node_locks, 0, sizeof(node_locks));
+	/* Minimal initialization of the mock objects */
+	NODE_INITLOCK(&rbtdb.node_locks[0].lock);
+
+	name1 = dns_fixedname_initname(&fname1);
+	isc_buffer_constinit(&b, str1, strlen(str1));
+	isc_buffer_add(&b, strlen(str1));
+	result = dns_name_fromtext(name1, &b, dns_rootname, 0, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	name2 = dns_fixedname_initname(&fname2);
+	isc_buffer_constinit(&b, str2, strlen(str2));
+	isc_buffer_add(&b, strlen(str2));
+	result = dns_name_fromtext(name2, &b, dns_rootname, 0, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/* Store the case from name1 */
+	dns_rdataset_setownercase(&rdataset, name1);
+
+	assert_true(CASESET(&header));
+
+	/* Retrieve the case to name2 */
+	dns_rdataset_getownercase(&rdataset, name2);
+
+	NODE_DESTROYLOCK(&rbtdb.node_locks[0].lock);
+
+	return (dns_name_caseequal(name1, name2));
+}
+
+static void
+ownercase_test(void **state) {
+	UNUSED(state);
+
+	for (size_t n = 0; n < ARRAY_SIZE(ownercase_vectors); n++) {
+		assert_true(ownercase_test_one(ownercase_vectors[n][0],
+					       ownercase_vectors[n][1]));
+	}
+
+	assert_false(ownercase_test_one("W.example.org", "\\000.example.org"));
+
+	/* Ö and ö in ISO Latin 1 */
+	assert_false(ownercase_test_one("\\216", "\\246"));
+}
+
+static void
+setownercase_test(void **state) {
+	isc_result_t result;
+	rbtdb_nodelock_t node_locks[1];
+	dns_rbtdb_t rbtdb = { .node_locks = node_locks };
+	dns_rbtnode_t rbtnode = { .locknum = 0 };
+	rdatasetheader_t header = { 0 };
+	unsigned char *raw = (unsigned char *)(&header) + sizeof(header);
+	dns_rdataset_t rdataset = {
+		.magic = DNS_RDATASET_MAGIC,
+		.private1 = &rbtdb,
+		.private2 = &rbtnode,
+		.private3 = raw,
+		.methods = &rdataset_methods,
+	};
+	const char *str1 =
+		"AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz";
+
+	isc_buffer_t b;
+	dns_fixedname_t fname1, fname2;
+	dns_name_t *name1, *name2;
+
+	UNUSED(state);
+
+	/* Minimal initialization of the mock objects */
+	memset(node_locks, 0, sizeof(node_locks));
+	NODE_INITLOCK(&rbtdb.node_locks[0].lock);
+
+	name1 = dns_fixedname_initname(&fname1);
+	isc_buffer_constinit(&b, str1, strlen(str1));
+	isc_buffer_add(&b, strlen(str1));
+	result = dns_name_fromtext(name1, &b, dns_rootname, 0, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	name2 = dns_fixedname_initname(&fname2);
+	isc_buffer_constinit(&b, str1, strlen(str1));
+	isc_buffer_add(&b, strlen(str1));
+	result = dns_name_fromtext(name2, &b, dns_rootname, 0, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	assert_false(CASESET(&header));
+
+	/* Retrieve the case to name2 */
+	dns_rdataset_getownercase(&rdataset, name2);
+
+	NODE_DESTROYLOCK(&rbtdb.node_locks[0].lock);
+
+	assert_true(dns_name_caseequal(name1, name2));
+}
+
+/*
+ * No operation water() callback. We need it to cause overmem condition, but
+ * nothing has to be done in the callback.
+ */
+static void
+overmempurge_water(void *arg, int mark) {
+	UNUSED(arg);
+	UNUSED(mark);
+}
+
+/*
+ * Add to a cache DB 'db' an rdataset of type 'rtype' at a name
+ * <idx>.example.com. The rdataset would contain one data, and rdata_len is
+ * its length. 'rtype' is supposed to be some private type whose data can be
+ * arbitrary (and it doesn't matter in this test).
+ */
+static void
+overmempurge_addrdataset(dns_db_t *db, isc_stdtime_t now, int idx,
+			 dns_rdatatype_t rtype, size_t rdata_len,
+			 bool longname) {
+	isc_result_t result;
+	dns_rdata_t rdata;
+	dns_dbnode_t *node = NULL;
+	dns_rdatalist_t rdatalist;
+	dns_rdataset_t rdataset;
+	dns_fixedname_t fname;
+	dns_name_t *name;
+	char namebuf[DNS_NAME_FORMATSIZE];
+	unsigned char rdatabuf[65535]; /* large enough for any valid RDATA */
+
+	REQUIRE(rdata_len <= sizeof(rdatabuf));
+
+	if (longname) {
+		/*
+		 * Build a longest possible name (in wire format) that would
+		 * result in a new rbt node with the long name data.
+		 */
+		snprintf(namebuf, sizeof(namebuf),
+			 "%010d.%010dabcdef%010dabcdef%010dabcdef%010dabcde."
+			 "%010dabcdef%010dabcdef%010dabcdef%010dabcde."
+			 "%010dabcdef%010dabcdef%010dabcdef%010dabcde."
+			 "%010dabcdef%010dabcdef%010dabcdef01.",
+			 idx, idx, idx, idx, idx, idx, idx, idx, idx, idx, idx,
+			 idx, idx, idx, idx, idx);
+	} else {
+		snprintf(namebuf, sizeof(namebuf), "%d.example.com.", idx);
+	}
+
+	dns_test_namefromstring(namebuf, &fname);
+	name = dns_fixedname_name(&fname);
+
+	result = dns_db_findnode(db, name, true, &node);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_non_null(node);
+
+	dns_rdata_init(&rdata);
+	rdata.length = rdata_len;
+	rdata.data = rdatabuf;
+	rdata.rdclass = dns_rdataclass_in;
+	rdata.type = rtype;
+
+	dns_rdatalist_init(&rdatalist);
+	rdatalist.rdclass = dns_rdataclass_in;
+	rdatalist.type = rtype;
+	rdatalist.ttl = 3600;
+	ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
+
+	dns_rdataset_init(&rdataset);
+	result = dns_rdatalist_tordataset(&rdatalist, &rdataset);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_db_addrdataset(db, node, NULL, now, &rdataset, 0, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	dns_db_detachnode(db, &node);
+}
+
+static void
+overmempurge_bigrdata_test(void **state) {
+	size_t maxcache = 2097152U; /* 2MB - same as DNS_CACHE_MINSIZE */
+	size_t hiwater = maxcache - (maxcache >> 3); /* borrowed from cache.c */
+	size_t lowater = maxcache - (maxcache >> 2); /* ditto */
+	isc_result_t result;
+	dns_db_t *db = NULL;
+	isc_mem_t *mctx2 = NULL;
+	isc_stdtime_t now;
+	size_t i;
+
+	UNUSED(state);
+
+	isc_stdtime_get(&now);
+
+	isc_mem_create(&mctx2);
+
+	result = dns_db_create(mctx2, "rbt", dns_rootname, dns_dbtype_cache,
+			       dns_rdataclass_in, 0, NULL, &db);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	isc_mem_setwater(mctx2, overmempurge_water, NULL, hiwater, lowater);
+
+	/*
+	 * Add cache entries with minimum size of data until 'overmem'
+	 * condition is triggered.
+	 * This should eventually happen, but we also limit the number of
+	 * iteration to avoid an infinite loop in case something gets wrong.
+	 */
+	for (i = 0; !isc_mem_isovermem(mctx2) && i < (maxcache / 10); i++) {
+		overmempurge_addrdataset(db, now, i, 50053, 0, false);
+	}
+	assert_true(isc_mem_isovermem(mctx2));
+
+	/*
+	 * Then try to add the same number of entries, each has very large data.
+	 * 'overmem purge' should keep the total cache size from not exceeding
+	 * the 'hiwater' mark too much. So we should be able to assume the
+	 * cache size doesn't reach the "max".
+	 */
+	while (i-- > 0) {
+		overmempurge_addrdataset(db, now, i, 50054, 65535, false);
+		assert_true(isc_mem_inuse(mctx2) < maxcache);
+	}
+
+	dns_db_detach(&db);
+	isc_mem_destroy(&mctx2);
+}
+
+static void
+overmempurge_longname_test(void **state) {
+	size_t maxcache = 2097152U; /* 2MB - same as DNS_CACHE_MINSIZE */
+	size_t hiwater = maxcache - (maxcache >> 3); /* borrowed from cache.c */
+	size_t lowater = maxcache - (maxcache >> 2); /* ditto */
+	isc_result_t result;
+	dns_db_t *db = NULL;
+	isc_mem_t *mctx2 = NULL;
+	isc_stdtime_t now;
+	size_t i;
+
+	UNUSED(state);
+
+	isc_stdtime_get(&now);
+	isc_mem_create(&mctx2);
+
+	result = dns_db_create(mctx2, "rbt", dns_rootname, dns_dbtype_cache,
+			       dns_rdataclass_in, 0, NULL, &db);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	isc_mem_setwater(mctx2, overmempurge_water, NULL, hiwater, lowater);
+
+	/*
+	 * Add cache entries with minimum size of data until 'overmem'
+	 * condition is triggered.
+	 * This should eventually happen, but we also limit the number of
+	 * iteration to avoid an infinite loop in case something gets wrong.
+	 */
+	for (i = 0; !isc_mem_isovermem(mctx2) && i < (maxcache / 10); i++) {
+		overmempurge_addrdataset(db, now, i, 50053, 0, false);
+	}
+	assert_true(isc_mem_isovermem(mctx2));
+
+	/*
+	 * Then try to add the same number of entries, each has very large data.
+	 * 'overmem purge' should keep the total cache size from not exceeding
+	 * the 'hiwater' mark too much. So we should be able to assume the
+	 * cache size doesn't reach the "max".
+	 */
+	while (i-- > 0) {
+		overmempurge_addrdataset(db, now, i, 50054, 0, true);
+		assert_true(isc_mem_inuse(mctx2) < maxcache);
+	}
+
+	dns_db_detach(&db);
+	isc_mem_destroy(&mctx2);
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test(ownercase_test),
+		cmocka_unit_test(setownercase_test),
+		cmocka_unit_test(overmempurge_bigrdata_test),
+		cmocka_unit_test(overmempurge_longname_test),
+	};
+
+	return (cmocka_run_group_tests(tests, _setup, _teardown));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/dns/tests/rdata_test.c b/lib/dns/tests/rdata_test.c
new file mode 100644
index 0000000..9bcac99
--- /dev/null
+++ b/lib/dns/tests/rdata_test.c
@@ -0,0 +1,3229 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+
+#include <isc/cmocka.h>
+#include <isc/commandline.h>
+#include <isc/hex.h>
+#include <isc/lex.h>
+#include <isc/print.h>
+#include <isc/stdio.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <dns/rdata.h>
+
+#include "dnstest.h"
+
+static bool debug = false;
+
+/*
+ * An array of these structures is passed to compare_ok().
+ */
+struct compare_ok {
+	const char *text1; /* text passed to fromtext_*() */
+	const char *text2; /* text passed to fromtext_*() */
+	int answer;	   /* -1, 0, 1 */
+	int lineno;	   /* source line defining this RDATA */
+};
+typedef struct compare_ok compare_ok_t;
+
+struct textvsunknown {
+	const char *text1;
+	const char *text2;
+};
+typedef struct textvsunknown textvsunknown_t;
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = dns_test_begin(NULL, false);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	dns_test_end();
+
+	return (0);
+}
+
+/*
+ * An array of these structures is passed to check_text_ok().
+ */
+typedef struct text_ok {
+	const char *text_in;  /* text passed to fromtext_*() */
+	const char *text_out; /* text expected from totext_*();
+			       * NULL indicates text_in is invalid */
+	unsigned int loop;
+} text_ok_t;
+
+/*
+ * An array of these structures is passed to check_wire_ok().
+ */
+typedef struct wire_ok {
+	unsigned char data[512]; /* RDATA in wire format */
+	size_t len;		 /* octets of data to parse */
+	bool ok;		 /* is this RDATA valid? */
+	unsigned int loop;
+} wire_ok_t;
+
+#define COMPARE(r1, r2, answer)          \
+	{                                \
+		r1, r2, answer, __LINE__ \
+	}
+#define COMPARE_SENTINEL()              \
+	{                               \
+		NULL, NULL, 0, __LINE__ \
+	}
+
+#define TEXT_VALID_CHANGED(data_in, data_out) \
+	{                                     \
+		data_in, data_out, 0          \
+	}
+#define TEXT_VALID(data)      \
+	{                     \
+		data, data, 0 \
+	}
+#define TEXT_VALID_LOOP(loop, data) \
+	{                           \
+		data, data, loop    \
+	}
+#define TEXT_VALID_LOOPCHG(loop, data_in, data_out) \
+	{                                           \
+		data_in, data_out, loop             \
+	}
+#define TEXT_INVALID(data)    \
+	{                     \
+		data, NULL, 0 \
+	}
+#define TEXT_SENTINEL() TEXT_INVALID(NULL)
+
+#define VARGC(...) (sizeof((unsigned char[]){ __VA_ARGS__ }))
+#define WIRE_TEST(ok, loop, ...)                              \
+	{                                                     \
+		{ __VA_ARGS__ }, VARGC(__VA_ARGS__), ok, loop \
+	}
+#define WIRE_VALID(...)		   WIRE_TEST(true, 0, __VA_ARGS__)
+#define WIRE_VALID_LOOP(loop, ...) WIRE_TEST(true, loop, __VA_ARGS__)
+/*
+ * WIRE_INVALID() test cases must always have at least one octet specified to
+ * distinguish them from WIRE_SENTINEL().  Use the 'empty_ok' parameter passed
+ * to check_wire_ok() for indicating whether empty RDATA is allowed for a given
+ * RR type or not.
+ */
+#define WIRE_INVALID(FIRST, ...) WIRE_TEST(false, 0, FIRST, __VA_ARGS__)
+#define WIRE_SENTINEL()		 WIRE_TEST(false, 0)
+
+/*
+ * Call dns_rdata_fromwire() for data in 'src', which is 'srclen' octets in
+ * size and represents RDATA of given 'type' and 'class'.  Store the resulting
+ * uncompressed wire form in 'dst', which is 'dstlen' octets in size, and make
+ * 'rdata' refer to that uncompressed wire form.
+ */
+static isc_result_t
+wire_to_rdata(const unsigned char *src, size_t srclen, dns_rdataclass_t rdclass,
+	      dns_rdatatype_t type, unsigned char *dst, size_t dstlen,
+	      dns_rdata_t *rdata) {
+	isc_buffer_t source, target;
+	dns_decompress_t dctx;
+	isc_result_t result;
+
+	/*
+	 * Set up len-octet buffer pointing at data.
+	 */
+	isc_buffer_constinit(&source, src, srclen);
+	isc_buffer_add(&source, srclen);
+	isc_buffer_setactive(&source, srclen);
+
+	/*
+	 * Initialize target buffer.
+	 */
+	isc_buffer_init(&target, dst, dstlen);
+
+	/*
+	 * Try converting input data into uncompressed wire form.
+	 */
+	dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_ANY);
+	result = dns_rdata_fromwire(rdata, rdclass, type, &source, &dctx, 0,
+				    &target);
+	dns_decompress_invalidate(&dctx);
+
+	return (result);
+}
+
+/*
+ * Call dns_rdata_towire() for rdata and write to result to dst.
+ */
+static isc_result_t
+rdata_towire(dns_rdata_t *rdata, unsigned char *dst, size_t dstlen,
+	     size_t *length) {
+	isc_buffer_t target;
+	dns_compress_t cctx;
+	isc_result_t result;
+
+	/*
+	 * Initialize target buffer.
+	 */
+	isc_buffer_init(&target, dst, dstlen);
+
+	/*
+	 * Try converting input data into uncompressed wire form.
+	 */
+	dns_compress_init(&cctx, -1, dt_mctx);
+	result = dns_rdata_towire(rdata, &cctx, &target);
+	dns_compress_invalidate(&cctx);
+
+	*length = isc_buffer_usedlength(&target);
+
+	return (result);
+}
+
+static isc_result_t
+additionaldata_cb(void *arg, const dns_name_t *name, dns_rdatatype_t qtype) {
+	UNUSED(arg);
+	UNUSED(name);
+	UNUSED(qtype);
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * call dns_rdata_additionaldata() for rdata.
+ */
+static isc_result_t
+rdata_additionadata(dns_rdata_t *rdata) {
+	return (dns_rdata_additionaldata(rdata, additionaldata_cb, NULL));
+}
+
+/*
+ * Call dns_rdata_checknames() with various owner names chosen to
+ * match well known forms.
+ *
+ * We are currently only checking that the calls do not trigger
+ * assertion failures.
+ *
+ * XXXMPA A future extension could be to record the expected
+ * result and the expected value of 'bad'.
+ */
+static void
+rdata_checknames(dns_rdata_t *rdata) {
+	dns_fixedname_t fixed, bfixed;
+	dns_name_t *name, *bad;
+	isc_result_t result;
+
+	name = dns_fixedname_initname(&fixed);
+	bad = dns_fixedname_initname(&bfixed);
+
+	(void)dns_rdata_checknames(rdata, dns_rootname, NULL);
+	(void)dns_rdata_checknames(rdata, dns_rootname, bad);
+
+	result = dns_name_fromstring(name, "example.net", 0, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	(void)dns_rdata_checknames(rdata, name, NULL);
+	(void)dns_rdata_checknames(rdata, name, bad);
+
+	result = dns_name_fromstring(name, "in-addr.arpa", 0, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	(void)dns_rdata_checknames(rdata, name, NULL);
+	(void)dns_rdata_checknames(rdata, name, bad);
+
+	result = dns_name_fromstring(name, "ip6.arpa", 0, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	(void)dns_rdata_checknames(rdata, name, NULL);
+	(void)dns_rdata_checknames(rdata, name, bad);
+}
+
+/*
+ * Test whether converting rdata to a type-specific struct and then back to
+ * rdata results in the same uncompressed wire form.  This checks whether
+ * tostruct_*() and fromstruct_*() routines for given RR class and type behave
+ * consistently.
+ *
+ * This function is called for every correctly processed input RDATA, from both
+ * check_text_ok_single() and check_wire_ok_single().
+ */
+static void
+check_struct_conversions(dns_rdata_t *rdata, size_t structsize,
+			 unsigned int loop) {
+	dns_rdataclass_t rdclass = rdata->rdclass;
+	dns_rdatatype_t type = rdata->type;
+	isc_result_t result;
+	isc_buffer_t target;
+	void *rdata_struct;
+	char buf[1024];
+	unsigned int count = 0;
+
+	rdata_struct = isc_mem_allocate(dt_mctx, structsize);
+	assert_non_null(rdata_struct);
+
+	/*
+	 * Convert from uncompressed wire form into type-specific struct.
+	 */
+	result = dns_rdata_tostruct(rdata, rdata_struct, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/*
+	 * Convert from type-specific struct into uncompressed wire form.
+	 */
+	isc_buffer_init(&target, buf, sizeof(buf));
+	result = dns_rdata_fromstruct(NULL, rdclass, type, rdata_struct,
+				      &target);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/*
+	 * Ensure results are consistent.
+	 */
+	assert_int_equal(isc_buffer_usedlength(&target), rdata->length);
+
+	assert_memory_equal(buf, rdata->data, rdata->length);
+
+	/*
+	 * Check that one can walk hip rendezvous servers and
+	 * https/svcb parameters.
+	 */
+	switch (type) {
+	case dns_rdatatype_hip: {
+		dns_rdata_hip_t *hip = rdata_struct;
+
+		for (result = dns_rdata_hip_first(hip); result == ISC_R_SUCCESS;
+		     result = dns_rdata_hip_next(hip))
+		{
+			dns_name_t name;
+			dns_name_init(&name, NULL);
+			dns_rdata_hip_current(hip, &name);
+			assert_int_not_equal(dns_name_countlabels(&name), 0);
+			assert_true(dns_name_isabsolute(&name));
+			count++;
+		}
+		assert_int_equal(result, ISC_R_NOMORE);
+		assert_int_equal(count, loop);
+		break;
+	}
+	case dns_rdatatype_https: {
+		dns_rdata_in_https_t *https = rdata_struct;
+
+		for (result = dns_rdata_in_https_first(https);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdata_in_https_next(https))
+		{
+			isc_region_t region;
+			dns_rdata_in_https_current(https, &region);
+			assert_true(region.length >= 4);
+			count++;
+		}
+		assert_int_equal(result, ISC_R_NOMORE);
+		assert_int_equal(count, loop);
+		break;
+	}
+	case dns_rdatatype_svcb: {
+		dns_rdata_in_svcb_t *svcb = rdata_struct;
+
+		for (result = dns_rdata_in_svcb_first(svcb);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdata_in_svcb_next(svcb))
+		{
+			isc_region_t region;
+			dns_rdata_in_svcb_current(svcb, &region);
+			assert_true(region.length >= 4);
+			count++;
+		}
+		assert_int_equal(result, ISC_R_NOMORE);
+		assert_int_equal(count, loop);
+		break;
+	}
+	}
+
+	isc_mem_free(dt_mctx, rdata_struct);
+}
+
+/*
+ * Check whether converting supplied text form RDATA into uncompressed wire
+ * form succeeds (tests fromtext_*()).  If so, try converting it back into text
+ * form and see if it results in the original text (tests totext_*()).
+ */
+static void
+check_text_ok_single(const text_ok_t *text_ok, dns_rdataclass_t rdclass,
+		     dns_rdatatype_t type, size_t structsize) {
+	unsigned char buf_fromtext[1024], buf_fromwire[1024], buf_towire[1024];
+	dns_rdata_t rdata = DNS_RDATA_INIT, rdata2 = DNS_RDATA_INIT;
+	char buf_totext[1024] = { 0 };
+	isc_buffer_t target;
+	isc_result_t result;
+	size_t length = 0;
+
+	if (debug) {
+		fprintf(stdout, "#check_text_ok_single(%s)\n",
+			text_ok->text_in);
+	}
+	/*
+	 * Try converting text form RDATA into uncompressed wire form.
+	 */
+	result = dns_test_rdatafromstring(&rdata, rdclass, type, buf_fromtext,
+					  sizeof(buf_fromtext),
+					  text_ok->text_in, false);
+	/*
+	 * Check whether result is as expected.
+	 */
+	if (text_ok->text_out != NULL) {
+		if (debug && result != ISC_R_SUCCESS) {
+			fprintf(stdout, "# '%s'\n", text_ok->text_in);
+			fprintf(stdout, "# result=%s\n",
+				dns_result_totext(result));
+		}
+		assert_int_equal(result, ISC_R_SUCCESS);
+	} else {
+		if (debug && result == ISC_R_SUCCESS) {
+			fprintf(stdout, "#'%s'\n", text_ok->text_in);
+		}
+		assert_int_not_equal(result, ISC_R_SUCCESS);
+	}
+
+	/*
+	 * If text form RDATA was not parsed correctly, performing any
+	 * additional checks is pointless.
+	 */
+	if (result != ISC_R_SUCCESS) {
+		return;
+	}
+
+	/*
+	 * Try converting uncompressed wire form RDATA back into text form and
+	 * check whether the resulting text is the same as the original one.
+	 */
+	isc_buffer_init(&target, buf_totext, sizeof(buf_totext));
+	result = dns_rdata_totext(&rdata, NULL, &target);
+	if (result != ISC_R_SUCCESS && debug) {
+		size_t i;
+		fprintf(stdout, "# dns_rdata_totext -> %s",
+			dns_result_totext(result));
+		for (i = 0; i < rdata.length; i++) {
+			if ((i % 16) == 0) {
+				fprintf(stdout, "\n#");
+			}
+			fprintf(stdout, " %02x", rdata.data[i]);
+		}
+		fprintf(stdout, "\n");
+	}
+	assert_int_equal(result, ISC_R_SUCCESS);
+	/*
+	 * Ensure buf_totext is properly NUL terminated as dns_rdata_totext()
+	 * may attempt different output formats writing into the apparently
+	 * unused part of the buffer.
+	 */
+	isc_buffer_putuint8(&target, 0);
+	if (debug && strcmp(buf_totext, text_ok->text_out) != 0) {
+		fprintf(stdout, "# '%s' != '%s'\n", buf_totext,
+			text_ok->text_out);
+	}
+	assert_string_equal(buf_totext, text_ok->text_out);
+
+	if (debug) {
+		fprintf(stdout, "#dns_rdata_totext -> '%s'\n", buf_totext);
+	}
+
+	/*
+	 * Ensure that fromtext_*() output is valid input for fromwire_*().
+	 */
+	result = wire_to_rdata(rdata.data, rdata.length, rdclass, type,
+			       buf_fromwire, sizeof(buf_fromwire), &rdata2);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(rdata.length, rdata2.length);
+	assert_memory_equal(rdata.data, buf_fromwire, rdata.length);
+
+	/*
+	 * Ensure that fromtext_*() output is valid input for towire_*().
+	 */
+	result = rdata_towire(&rdata, buf_towire, sizeof(buf_towire), &length);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(rdata.length, length);
+	assert_memory_equal(rdata.data, buf_towire, length);
+
+	/*
+	 * Test that additionaldata_*() succeeded.
+	 */
+	result = rdata_additionadata(&rdata);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/*
+	 * Exercise checknames_*().
+	 */
+	rdata_checknames(&rdata);
+
+	/*
+	 * Perform two-way conversion checks between uncompressed wire form and
+	 * type-specific struct.
+	 */
+	check_struct_conversions(&rdata, structsize, text_ok->loop);
+}
+
+/*
+ * Test whether converting rdata to text form and then parsing the result of
+ * that conversion again results in the same uncompressed wire form.  This
+ * checks whether totext_*() output is parsable by fromtext_*() for given RR
+ * class and type.
+ *
+ * This function is called for every input RDATA which is successfully parsed
+ * by check_wire_ok_single() and whose type is not a meta-type.
+ */
+static void
+check_text_conversions(dns_rdata_t *rdata) {
+	char buf_totext[1024] = { 0 };
+	unsigned char buf_fromtext[1024];
+	isc_result_t result;
+	isc_buffer_t target;
+	dns_rdata_t rdata2 = DNS_RDATA_INIT;
+
+	/*
+	 * Convert uncompressed wire form RDATA into text form.  This
+	 * conversion must succeed since input RDATA was successfully
+	 * parsed by check_wire_ok_single().
+	 */
+	isc_buffer_init(&target, buf_totext, sizeof(buf_totext));
+	result = dns_rdata_totext(rdata, NULL, &target);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	/*
+	 * Ensure buf_totext is properly NUL terminated as dns_rdata_totext()
+	 * may attempt different output formats writing into the apparently
+	 * unused part of the buffer.
+	 */
+	isc_buffer_putuint8(&target, 0);
+	if (debug) {
+		fprintf(stdout, "#'%s'\n", buf_totext);
+	}
+
+	/*
+	 * Try parsing text form RDATA output by dns_rdata_totext() again.
+	 */
+	result = dns_test_rdatafromstring(&rdata2, rdata->rdclass, rdata->type,
+					  buf_fromtext, sizeof(buf_fromtext),
+					  buf_totext, false);
+	if (debug && result != ISC_R_SUCCESS) {
+		fprintf(stdout, "# result = %s\n", dns_result_totext(result));
+		fprintf(stdout, "# '%s'\n", buf_fromtext);
+	}
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(rdata2.length, rdata->length);
+	assert_memory_equal(buf_fromtext, rdata->data, rdata->length);
+}
+
+/*
+ * Test whether converting rdata to multi-line text form and then parsing the
+ * result of that conversion again results in the same uncompressed wire form.
+ * This checks whether multi-line totext_*() output is parsable by fromtext_*()
+ * for given RR class and type.
+ *
+ * This function is called for every input RDATA which is successfully parsed
+ * by check_wire_ok_single() and whose type is not a meta-type.
+ */
+static void
+check_multiline_text_conversions(dns_rdata_t *rdata) {
+	char buf_totext[1024] = { 0 };
+	unsigned char buf_fromtext[1024];
+	isc_result_t result;
+	isc_buffer_t target;
+	dns_rdata_t rdata2 = DNS_RDATA_INIT;
+	unsigned int flags;
+
+	/*
+	 * Convert uncompressed wire form RDATA into multi-line text form.
+	 * This conversion must succeed since input RDATA was successfully
+	 * parsed by check_wire_ok_single().
+	 */
+	isc_buffer_init(&target, buf_totext, sizeof(buf_totext));
+	flags = dns_master_styleflags(&dns_master_style_default);
+	result = dns_rdata_tofmttext(rdata, dns_rootname, flags, 80 - 32, 4,
+				     "\n", &target);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	/*
+	 * Ensure buf_totext is properly NUL terminated as
+	 * dns_rdata_tofmttext() may attempt different output formats
+	 * writing into the apparently unused part of the buffer.
+	 */
+	isc_buffer_putuint8(&target, 0);
+	if (debug) {
+		fprintf(stdout, "#'%s'\n", buf_totext);
+	}
+
+	/*
+	 * Try parsing multi-line text form RDATA output by
+	 * dns_rdata_tofmttext() again.
+	 */
+	result = dns_test_rdatafromstring(&rdata2, rdata->rdclass, rdata->type,
+					  buf_fromtext, sizeof(buf_fromtext),
+					  buf_totext, false);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(rdata2.length, rdata->length);
+	assert_memory_equal(buf_fromtext, rdata->data, rdata->length);
+}
+
+/*
+ * Test whether supplied wire form RDATA is properly handled as being either
+ * valid or invalid for an RR of given rdclass and type.
+ */
+static void
+check_wire_ok_single(const wire_ok_t *wire_ok, dns_rdataclass_t rdclass,
+		     dns_rdatatype_t type, size_t structsize) {
+	unsigned char buf[1024], buf_towire[1024];
+	isc_result_t result;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	size_t length = 0;
+
+	/*
+	 * Try converting wire data into uncompressed wire form.
+	 */
+	result = wire_to_rdata(wire_ok->data, wire_ok->len, rdclass, type, buf,
+			       sizeof(buf), &rdata);
+	/*
+	 * Check whether result is as expected.
+	 */
+	if (wire_ok->ok) {
+		assert_int_equal(result, ISC_R_SUCCESS);
+	} else {
+		assert_int_not_equal(result, ISC_R_SUCCESS);
+	}
+
+	if (result != ISC_R_SUCCESS) {
+		return;
+	}
+
+	/*
+	 * If data was parsed correctly, perform two-way conversion checks
+	 * between uncompressed wire form and type-specific struct.
+	 *
+	 * If the RR type is not a meta-type, additionally perform two-way
+	 * conversion checks between:
+	 *
+	 *   - uncompressed wire form and text form,
+	 *   - uncompressed wire form and multi-line text form.
+	 */
+	check_struct_conversions(&rdata, structsize, wire_ok->loop);
+	if (!dns_rdatatype_ismeta(rdata.type)) {
+		check_text_conversions(&rdata);
+		check_multiline_text_conversions(&rdata);
+	}
+
+	/*
+	 * Ensure that fromwire_*() output is valid input for towire_*().
+	 */
+	result = rdata_towire(&rdata, buf_towire, sizeof(buf_towire), &length);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(rdata.length, length);
+	assert_memory_equal(rdata.data, buf_towire, length);
+
+	/*
+	 * Test that additionaldata_*() succeeded.
+	 */
+	result = rdata_additionadata(&rdata);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/*
+	 * Exercise checknames_*().
+	 */
+	rdata_checknames(&rdata);
+}
+
+/*
+ * Test fromtext_*() and totext_*() routines for given RR class and type for
+ * each text form RDATA in the supplied array.  See the comment for
+ * check_text_ok_single() for an explanation of how exactly these routines are
+ * tested.
+ */
+static void
+check_text_ok(const text_ok_t *text_ok, dns_rdataclass_t rdclass,
+	      dns_rdatatype_t type, size_t structsize) {
+	size_t i;
+
+	/*
+	 * Check all entries in the supplied array.
+	 */
+	for (i = 0; text_ok[i].text_in != NULL; i++) {
+		check_text_ok_single(&text_ok[i], rdclass, type, structsize);
+	}
+}
+
+/*
+ * For each wire form RDATA in the supplied array, check whether it is properly
+ * handled as being either valid or invalid for an RR of given rdclass and
+ * type, then check whether trying to process a zero-length wire data buffer
+ * yields the expected result.  This checks whether the fromwire_*() routine
+ * for given RR class and type behaves as expected.
+ */
+static void
+check_wire_ok(const wire_ok_t *wire_ok, bool empty_ok, dns_rdataclass_t rdclass,
+	      dns_rdatatype_t type, size_t structsize) {
+	wire_ok_t empty_wire = WIRE_TEST(empty_ok, 0);
+	size_t i;
+
+	/*
+	 * Check all entries in the supplied array.
+	 */
+	for (i = 0; wire_ok[i].len != 0; i++) {
+		if (debug) {
+			fprintf(stderr, "calling check_wire_ok_single on %zu\n",
+				i);
+		}
+		check_wire_ok_single(&wire_ok[i], rdclass, type, structsize);
+	}
+
+	/*
+	 * Check empty wire data.
+	 */
+	check_wire_ok_single(&empty_wire, rdclass, type, structsize);
+}
+
+/*
+ * Check that two records compare as expected with dns_rdata_compare().
+ */
+static void
+check_compare_ok_single(const compare_ok_t *compare_ok,
+			dns_rdataclass_t rdclass, dns_rdatatype_t type) {
+	dns_rdata_t rdata1 = DNS_RDATA_INIT, rdata2 = DNS_RDATA_INIT;
+	unsigned char buf1[1024], buf2[1024];
+	isc_result_t result;
+	int answer;
+
+	result = dns_test_rdatafromstring(&rdata1, rdclass, type, buf1,
+					  sizeof(buf1), compare_ok->text1,
+					  false);
+	if (result != ISC_R_SUCCESS) {
+		fail_msg("# line %d: '%s': expected success, got failure",
+			 compare_ok->lineno, compare_ok->text1);
+	}
+
+	result = dns_test_rdatafromstring(&rdata2, rdclass, type, buf2,
+					  sizeof(buf2), compare_ok->text2,
+					  false);
+
+	if (result != ISC_R_SUCCESS) {
+		fail_msg("# line %d: '%s': expected success, got failure",
+			 compare_ok->lineno, compare_ok->text2);
+	}
+
+	answer = dns_rdata_compare(&rdata1, &rdata2);
+	if (compare_ok->answer == 0 && answer != 0) {
+		fail_msg("# line %d: dns_rdata_compare('%s', '%s'): "
+			 "expected equal, got %s",
+			 compare_ok->lineno, compare_ok->text1,
+			 compare_ok->text2,
+			 (answer > 0) ? "greater than" : "less than");
+	}
+	if (compare_ok->answer < 0 && answer >= 0) {
+		fail_msg("# line %d: dns_rdata_compare('%s', '%s'): "
+			 "expected less than, got %s",
+			 compare_ok->lineno, compare_ok->text1,
+			 compare_ok->text2,
+			 (answer == 0) ? "equal" : "greater than");
+	}
+	if (compare_ok->answer > 0 && answer <= 0) {
+		fail_msg("line %d: dns_rdata_compare('%s', '%s'): "
+			 "expected greater than, got %s",
+			 compare_ok->lineno, compare_ok->text1,
+			 compare_ok->text2,
+			 (answer == 0) ? "equal" : "less than");
+	}
+}
+
+/*
+ * Check that all the records sets in compare_ok compare as expected
+ * with dns_rdata_compare().
+ */
+static void
+check_compare_ok(const compare_ok_t *compare_ok, dns_rdataclass_t rdclass,
+		 dns_rdatatype_t type) {
+	size_t i;
+	/*
+	 * Check all entries in the supplied array.
+	 */
+	for (i = 0; compare_ok[i].text1 != NULL; i++) {
+		check_compare_ok_single(&compare_ok[i], rdclass, type);
+	}
+}
+
+/*
+ * Test whether supplied sets of text form and/or wire form RDATA are handled
+ * as expected.
+ *
+ * The empty_ok argument denotes whether an attempt to parse a zero-length wire
+ * data buffer should succeed or not (it is valid for some RR types).  There is
+ * no point in performing a similar check for empty text form RDATA, because
+ * dns_rdata_fromtext() returns ISC_R_UNEXPECTEDEND before calling fromtext_*()
+ * for the given RR class and type.
+ */
+static void
+check_rdata(const text_ok_t *text_ok, const wire_ok_t *wire_ok,
+	    const compare_ok_t *compare_ok, bool empty_ok,
+	    dns_rdataclass_t rdclass, dns_rdatatype_t type, size_t structsize) {
+	if (text_ok != NULL) {
+		check_text_ok(text_ok, rdclass, type, structsize);
+	}
+	if (wire_ok != NULL) {
+		check_wire_ok(wire_ok, empty_ok, rdclass, type, structsize);
+	}
+	if (compare_ok != NULL) {
+		check_compare_ok(compare_ok, rdclass, type);
+	}
+}
+
+/*
+ * Check presentation vs unknown format of the record.
+ */
+static void
+check_textvsunknown_single(const textvsunknown_t *textvsunknown,
+			   dns_rdataclass_t rdclass, dns_rdatatype_t type) {
+	dns_rdata_t rdata1 = DNS_RDATA_INIT, rdata2 = DNS_RDATA_INIT;
+	unsigned char buf1[1024], buf2[1024];
+	isc_result_t result;
+
+	result = dns_test_rdatafromstring(&rdata1, rdclass, type, buf1,
+					  sizeof(buf1), textvsunknown->text1,
+					  false);
+	if (debug && result != ISC_R_SUCCESS) {
+		fprintf(stdout, "# '%s'\n", textvsunknown->text1);
+		fprintf(stdout, "# result=%s\n", dns_result_totext(result));
+	}
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = dns_test_rdatafromstring(&rdata2, rdclass, type, buf2,
+					  sizeof(buf2), textvsunknown->text2,
+					  false);
+	if (debug && result != ISC_R_SUCCESS) {
+		fprintf(stdout, "# '%s'\n", textvsunknown->text2);
+		fprintf(stdout, "# result=%s\n", dns_result_totext(result));
+	}
+	assert_int_equal(result, ISC_R_SUCCESS);
+	if (debug && rdata1.length != rdata2.length) {
+		fprintf(stdout, "# '%s'\n", textvsunknown->text1);
+		fprintf(stdout, "# rdata1.length (%u) != rdata2.length (%u)\n",
+			rdata1.length, rdata2.length);
+	}
+	assert_int_equal(rdata1.length, rdata2.length);
+	if (debug && memcmp(rdata1.data, rdata2.data, rdata1.length) != 0) {
+		unsigned int i;
+		fprintf(stdout, "# '%s'\n", textvsunknown->text1);
+		for (i = 0; i < rdata1.length; i++) {
+			if (rdata1.data[i] != rdata2.data[i]) {
+				fprintf(stderr, "# %u: %02x != %02x\n", i,
+					rdata1.data[i], rdata2.data[i]);
+			}
+		}
+	}
+	assert_memory_equal(rdata1.data, rdata2.data, rdata1.length);
+}
+
+static void
+check_textvsunknown(const textvsunknown_t *textvsunknown,
+		    dns_rdataclass_t rdclass, dns_rdatatype_t type) {
+	size_t i;
+
+	/*
+	 * Check all entries in the supplied array.
+	 */
+	for (i = 0; textvsunknown[i].text1 != NULL; i++) {
+		check_textvsunknown_single(&textvsunknown[i], rdclass, type);
+	}
+}
+
+/*
+ * Common tests for RR types based on KEY that require key data:
+ *
+ *   - CDNSKEY (RFC 7344)
+ *   - DNSKEY (RFC 4034)
+ *   - RKEY (draft-reid-dnsext-rkey-00)
+ */
+static void
+key_required(void **state, dns_rdatatype_t type, size_t size) {
+	wire_ok_t wire_ok[] = { /*
+				 * RDATA must be at least 5 octets in size:
+				 *
+				 *   - 2 octets for Flags,
+				 *   - 1 octet for Protocol,
+				 *   - 1 octet for Algorithm,
+				 *   - Public Key must not be empty.
+				 *
+				 * RFC 2535 section 3.1.2 allows the Public Key
+				 * to be empty if bits 0-1 of Flags are both
+				 * set, but that only applies to KEY records:
+				 * for the RR types tested here, the Public Key
+				 * must not be empty.
+				 */
+				WIRE_INVALID(0x00),
+				WIRE_INVALID(0x00, 0x00),
+				WIRE_INVALID(0x00, 0x00, 0x00),
+				WIRE_INVALID(0xc0, 0x00, 0x00, 0x00),
+				WIRE_INVALID(0x00, 0x00, 0x00, 0x00),
+				WIRE_VALID(0x00, 0x00, 0x00, 0x00, 0x00),
+				WIRE_SENTINEL()
+	};
+
+	UNUSED(state);
+
+	check_rdata(NULL, wire_ok, NULL, false, dns_rdataclass_in, type, size);
+}
+
+/* APL RDATA manipulations */
+static void
+apl(void **state) {
+	text_ok_t text_ok[] = {
+		/* empty list */
+		TEXT_VALID(""),
+		/* min,max prefix IPv4 */
+		TEXT_VALID("1:0.0.0.0/0"), TEXT_VALID("1:127.0.0.1/32"),
+		/* min,max prefix IPv6 */
+		TEXT_VALID("2:::/0"), TEXT_VALID("2:::1/128"),
+		/* negated */
+		TEXT_VALID("!1:0.0.0.0/0"), TEXT_VALID("!1:127.0.0.1/32"),
+		TEXT_VALID("!2:::/0"), TEXT_VALID("!2:::1/128"),
+		/* bits set after prefix length - not disallowed */
+		TEXT_VALID("1:127.0.0.0/0"), TEXT_VALID("2:8000::/0"),
+		/* multiple */
+		TEXT_VALID("1:0.0.0.0/0 1:127.0.0.1/32"),
+		TEXT_VALID("1:0.0.0.0/0 !1:127.0.0.1/32"),
+		/* family 0, prefix 0, positive */
+		TEXT_VALID("\\# 4 00000000"),
+		/* family 0, prefix 0, negative */
+		TEXT_VALID("\\# 4 00000080"),
+		/* prefix too long */
+		TEXT_INVALID("1:0.0.0.0/33"), TEXT_INVALID("2:::/129"),
+		/*
+		 * Sentinel.
+		 */
+		TEXT_SENTINEL()
+	};
+	wire_ok_t wire_ok[] = { /* zero length */
+				WIRE_VALID(),
+				/* prefix too big IPv4 */
+				WIRE_INVALID(0x00, 0x01, 33U, 0x00),
+				/* prefix too big IPv6 */
+				WIRE_INVALID(0x00, 0x02, 129U, 0x00),
+				/* trailing zero octet in afdpart */
+				WIRE_INVALID(0x00, 0x00, 0x00, 0x01, 0x00),
+				/*
+				 * Sentinel.
+				 */
+				WIRE_SENTINEL()
+	};
+
+	UNUSED(state);
+
+	check_rdata(text_ok, wire_ok, NULL, true, dns_rdataclass_in,
+		    dns_rdatatype_apl, sizeof(dns_rdata_in_apl_t));
+}
+
+/*
+ * http://broadband-forum.org/ftp/pub/approved-specs/af-saa-0069.000.pdf
+ *
+ * ATMA RR’s have the following RDATA format:
+ *
+ *                                           1  1  1  1  1  1
+ *             0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
+ *          +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ *          |          FORMAT       |                       |
+ *          +--+--+--+--+--+--+--+--+                       |
+ *          /                    ADDRESS                    /
+ *          |                                               |
+ *          +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ *
+ * The fields have the following meaning:
+ *
+ * * FORMAT: One octet that indicates the format of ADDRESS. The two
+ *   possible values for FORMAT are value 0 indicating ATM End System Address
+ *   (AESA) format and value 1 indicating E.164 format.
+ *
+ * * ADDRESS: Variable length string of octets containing the ATM address of
+ *   the node to which this RR pertains.
+ *
+ * When the format value is 0, indicating that the address is in AESA format,
+ * the address is coded as described in ISO 8348/AD 2 using the preferred
+ * binary encoding of the ISO NSAP format. When the format value is 1,
+ * indicating that the address is in E.164 format, the Address/Number Digits
+ * appear in the order in which they would be entered on a numeric keypad.
+ * Digits are coded in IA5 characters with the leftmost bit of each digit set
+ * to 0.  This ATM address appears in ATM End System Address Octets field (AESA
+ * format) or the Address/Number Digits field (E.164 format) of the Called
+ * party number information element [ATMUNI3.1]. Subaddress information is
+ * intentionally not included because E.164 subaddress information is used for
+ * routing.
+ *
+ * ATMA RRs cause no additional section processing.
+ */
+static void
+atma(void **state) {
+	text_ok_t text_ok[] = { TEXT_VALID("00"),
+				TEXT_VALID_CHANGED("0.0", "00"),
+				/*
+				 * multiple consecutive periods
+				 */
+				TEXT_INVALID("0..0"),
+				/*
+				 * trailing period
+				 */
+				TEXT_INVALID("00."),
+				/*
+				 * leading period
+				 */
+				TEXT_INVALID(".00"),
+				/*
+				 * Not full octets.
+				 */
+				TEXT_INVALID("000"),
+				/*
+				 * E.164
+				 */
+				TEXT_VALID("+61200000000"),
+				/*
+				 * E.164 with periods
+				 */
+				TEXT_VALID_CHANGED("+61.2.0000.0000", "+6120000"
+								      "0000"),
+				/*
+				 * E.164 with period at end
+				 */
+				TEXT_INVALID("+61200000000."),
+				/*
+				 * E.164 with multiple consecutive periods
+				 */
+				TEXT_INVALID("+612..00000000"),
+				/*
+				 * E.164 with period before the leading digit.
+				 */
+				TEXT_INVALID("+.61200000000"),
+				/*
+				 * Sentinel.
+				 */
+				TEXT_SENTINEL() };
+	wire_ok_t wire_ok[] = {
+		/*
+		 * Too short.
+		 */
+		WIRE_INVALID(0x00), WIRE_INVALID(0x01),
+		/*
+		 * all digits
+		 */
+		WIRE_VALID(0x01, '6', '1', '2', '0', '0', '0'),
+		/*
+		 * non digit
+		 */
+		WIRE_INVALID(0x01, '+', '6', '1', '2', '0', '0', '0'),
+		/*
+		 * Sentinel.
+		 */
+		WIRE_SENTINEL()
+	};
+
+	UNUSED(state);
+
+	check_rdata(text_ok, wire_ok, NULL, false, dns_rdataclass_in,
+		    dns_rdatatype_atma, sizeof(dns_rdata_in_atma_t));
+}
+
+/* AMTRELAY RDATA manipulations */
+static void
+amtrelay(void **state) {
+	text_ok_t text_ok[] = {
+		TEXT_INVALID(""), TEXT_INVALID("0"), TEXT_INVALID("0 0"),
+		/* gateway type 0 */
+		TEXT_VALID("0 0 0"), TEXT_VALID("0 1 0"),
+		TEXT_INVALID("0 2 0"),	 /* discovery out of range */
+		TEXT_VALID("255 1 0"),	 /* max precedence */
+		TEXT_INVALID("256 1 0"), /* precedence out of range */
+
+		/* IPv4 gateway */
+		TEXT_INVALID("0 0 1"), /* no address */
+		TEXT_VALID("0 0 1 0.0.0.0"),
+		TEXT_INVALID("0 0 1 0.0.0.0 x"), /* extra */
+		TEXT_INVALID("0 0 1 0.0.0.0.0"), /* bad address */
+		TEXT_INVALID("0 0 1 ::"),	 /* bad address */
+		TEXT_INVALID("0 0 1 ."),	 /* bad address */
+
+		/* IPv6 gateway */
+		TEXT_INVALID("0 0 2"), /* no address */
+		TEXT_VALID("0 0 2 ::"), TEXT_INVALID("0 0 2 :: xx"), /* extra */
+		TEXT_INVALID("0 0 2 0.0.0.0"), /* bad address */
+		TEXT_INVALID("0 0 2 ."),       /* bad address */
+
+		/* hostname gateway */
+		TEXT_INVALID("0 0 3"), /* no name */
+		/* IPv4 is a valid name */
+		TEXT_VALID_CHANGED("0 0 3 0.0.0.0", "0 0 3 0.0.0.0."),
+		/* IPv6 is a valid name */
+		TEXT_VALID_CHANGED("0 0 3 ::", "0 0 3 ::."),
+		TEXT_VALID_CHANGED("0 0 3 example", "0 0 3 example."),
+		TEXT_VALID("0 0 3 example."),
+		TEXT_INVALID("0 0 3 example. x"), /* extra */
+
+		/* unknown gateway */
+		TEXT_VALID("\\# 2 0004"), TEXT_VALID("\\# 2 0084"),
+		TEXT_VALID("\\# 2 007F"), TEXT_VALID("\\# 3 000400"),
+		TEXT_VALID("\\# 3 008400"), TEXT_VALID("\\# 3 00FF00"),
+
+		/*
+		 * Sentinel.
+		 */
+		TEXT_SENTINEL()
+	};
+	wire_ok_t wire_ok[] = {
+		WIRE_INVALID(0x00), WIRE_VALID(0x00, 0x00),
+		WIRE_VALID(0x00, 0x80), WIRE_INVALID(0x00, 0x00, 0x00),
+		WIRE_INVALID(0x00, 0x80, 0x00),
+
+		WIRE_INVALID(0x00, 0x01), WIRE_INVALID(0x00, 0x01, 0x00),
+		WIRE_INVALID(0x00, 0x01, 0x00, 0x00),
+		WIRE_INVALID(0x00, 0x01, 0x00, 0x00, 0x00),
+		WIRE_VALID(0x00, 0x01, 0x00, 0x00, 0x00, 0x00),
+		WIRE_INVALID(0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00),
+
+		WIRE_INVALID(0x00, 0x02), WIRE_INVALID(0x00, 0x02, 0x00),
+		WIRE_VALID(0x00, 0x02, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,
+			   0x07, 0x08, 0x09, 0x10, 0x11, 0x12, 0x13, 0x14,
+			   0x15),
+		WIRE_INVALID(0x00, 0x02, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05,
+			     0x06, 0x07, 0x08, 0x09, 0x10, 0x11, 0x12, 0x13,
+			     0x14, 0x15, 0x16),
+
+		WIRE_INVALID(0x00, 0x03), WIRE_VALID(0x00, 0x03, 0x00),
+		WIRE_INVALID(0x00, 0x03, 0x00, 0x00), /* extra */
+
+		WIRE_VALID(0x00, 0x04), WIRE_VALID(0x00, 0x04, 0x00),
+		/*
+		 * Sentinel.
+		 */
+		WIRE_SENTINEL()
+	};
+
+	UNUSED(state);
+
+	check_rdata(text_ok, wire_ok, NULL, false, dns_rdataclass_in,
+		    dns_rdatatype_amtrelay, sizeof(dns_rdata_amtrelay_t));
+}
+
+static void
+cdnskey(void **state) {
+	key_required(state, dns_rdatatype_cdnskey, sizeof(dns_rdata_cdnskey_t));
+}
+
+/*
+ * CSYNC tests.
+ *
+ * RFC 7477:
+ *
+ * 2.1.  The CSYNC Resource Record Format
+ *
+ * 2.1.1.  The CSYNC Resource Record Wire Format
+ *
+ *    The CSYNC RDATA consists of the following fields:
+ *
+ *                           1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
+ *       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *      |                          SOA Serial                           |
+ *      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *      |       Flags                   |            Type Bit Map       /
+ *      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *      /                     Type Bit Map (continued)                  /
+ *      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *
+ * 2.1.1.1.  The SOA Serial Field
+ *
+ *    The SOA Serial field contains a copy of the 32-bit SOA serial number
+ *    from the child zone.  If the soaminimum flag is set, parental agents
+ *    querying children's authoritative servers MUST NOT act on data from
+ *    zones advertising an SOA serial number less than this value.  See
+ *    [RFC1982] for properly implementing "less than" logic.  If the
+ *    soaminimum flag is not set, parental agents MUST ignore the value in
+ *    the SOA Serial field.  Clients can set the field to any value if the
+ *    soaminimum flag is unset, such as the number zero.
+ *
+ * (...)
+ *
+ * 2.1.1.2.  The Flags Field
+ *
+ *    The Flags field contains 16 bits of boolean flags that define
+ *    operations that affect the processing of the CSYNC record.  The flags
+ *    defined in this document are as follows:
+ *
+ *       0x00 0x01: "immediate"
+ *
+ *       0x00 0x02: "soaminimum"
+ *
+ *    The definitions for how the flags are to be used can be found in
+ *    Section 3.
+ *
+ *    The remaining flags are reserved for use by future specifications.
+ *    Undefined flags MUST be set to 0 by CSYNC publishers.  Parental
+ *    agents MUST NOT process a CSYNC record if it contains a 1 value for a
+ *    flag that is unknown to or unsupported by the parental agent.
+ *
+ * 2.1.1.2.1.  The Type Bit Map Field
+ *
+ *    The Type Bit Map field indicates the record types to be processed by
+ *    the parental agent, according to the procedures in Section 3.  The
+ *    Type Bit Map field is encoded in the same way as the Type Bit Map
+ *    field of the NSEC record, described in [RFC4034], Section 4.1.2.  If
+ *    a bit has been set that a parental agent implementation does not
+ *    understand, the parental agent MUST NOT act upon the record.
+ *    Specifically, a parental agent must not simply copy the data, and it
+ *    must understand the semantics associated with a bit in the Type Bit
+ *    Map field that has been set to 1.
+ */
+static void
+csync(void **state) {
+	text_ok_t text_ok[] = { TEXT_INVALID(""),
+				TEXT_INVALID("0"),
+				TEXT_VALID("0 0"),
+				TEXT_VALID("0 0 A"),
+				TEXT_VALID("0 0 NS"),
+				TEXT_VALID("0 0 AAAA"),
+				TEXT_VALID("0 0 A AAAA"),
+				TEXT_VALID("0 0 A NS AAAA"),
+				TEXT_INVALID("0 0 A NS AAAA BOGUS"),
+				TEXT_SENTINEL() };
+	wire_ok_t wire_ok[] = {
+		/*
+		 * Short.
+		 */
+		WIRE_INVALID(0x00),
+		/*
+		 * Short.
+		 */
+		WIRE_INVALID(0x00, 0x00),
+		/*
+		 * Short.
+		 */
+		WIRE_INVALID(0x00, 0x00, 0x00),
+		/*
+		 * Short.
+		 */
+		WIRE_INVALID(0x00, 0x00, 0x00, 0x00),
+		/*
+		 * Short.
+		 */
+		WIRE_INVALID(0x00, 0x00, 0x00, 0x00, 0x00),
+		/*
+		 * Serial + flags only.
+		 */
+		WIRE_VALID(0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+		/*
+		 * Bad type map.
+		 */
+		WIRE_INVALID(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+		/*
+		 * Bad type map.
+		 */
+		WIRE_INVALID(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+		/*
+		 * Good type map.
+		 */
+		WIRE_VALID(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
+			   0x02),
+		/*
+		 * Sentinel.
+		 */
+		WIRE_SENTINEL()
+	};
+
+	UNUSED(state);
+
+	check_rdata(text_ok, wire_ok, NULL, false, dns_rdataclass_in,
+		    dns_rdatatype_csync, sizeof(dns_rdata_csync_t));
+}
+
+static void
+dnskey(void **state) {
+	key_required(state, dns_rdatatype_dnskey, sizeof(dns_rdata_dnskey_t));
+}
+
+/*
+ * DOA tests.
+ *
+ * draft-durand-doa-over-dns-03:
+ *
+ * 3.2.  DOA RDATA Wire Format
+ *
+ *        +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+ *     0: |                                                               |
+ *        |                        DOA-ENTERPRISE                         |
+ *        |                                                               |
+ *        +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+ *     4: |                                                               |
+ *        |                           DOA-TYPE                            |
+ *        |                                                               |
+ *        +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+ *     8: |         DOA-LOCATION          |         DOA-MEDIA-TYPE        /
+ *        +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+ *    10: /                                                               /
+ *        /                  DOA-MEDIA-TYPE (continued)                   /
+ *        /                                                               /
+ *        +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+ *        /                                                               /
+ *        /                           DOA-DATA                            /
+ *        /                                                               /
+ *        +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+ *
+ *    DOA-ENTERPRISE: a 32-bit unsigned integer in network order.
+ *
+ *    DOA-TYPE: a 32-bit unsigned integer in network order.
+ *
+ *    DOA-LOCATION: an 8-bit unsigned integer.
+ *
+ *    DOA-MEDIA-TYPE: A <character-string> (see [RFC1035]).  The first
+ *    octet of the <character-string> contains the number of characters to
+ *    follow.
+ *
+ *    DOA-DATA: A variable length blob of binary data.  The length of the
+ *    DOA-DATA is not contained within the wire format of the RR and has to
+ *    be computed from the RDLENGTH of the entire RR once other fields have
+ *    been taken into account.
+ *
+ * 3.3.  DOA RDATA Presentation Format
+ *
+ *    The DOA-ENTERPRISE field is presented as an unsigned 32-bit decimal
+ *    integer with range 0 - 4,294,967,295.
+ *
+ *    The DOA-TYPE field is presented as an unsigned 32-bit decimal integer
+ *    with range 0 - 4,294,967,295.
+ *
+ *    The DOA-LOCATION field is presented as an unsigned 8-bit decimal
+ *    integer with range 0 - 255.
+ *
+ *    The DOA-MEDIA-TYPE field is presented as a single <character-string>.
+ *
+ *    The DOA-DATA is presented as Base64 encoded data [RFC4648] unless the
+ *    DOA-DATA is empty in which case it is presented as a single dash
+ *    character ("-", ASCII 45).  White space is permitted within Base64
+ *    data.
+ */
+static void
+doa(void **state) {
+	text_ok_t text_ok[] = {
+		/*
+		 * Valid, non-empty DOA-DATA.
+		 */
+		TEXT_VALID("0 0 1 \"text/plain\" Zm9v"),
+		/*
+		 * Valid, non-empty DOA-DATA with whitespace in between.
+		 */
+		TEXT_VALID_CHANGED("0 0 1 \"text/plain\" Zm 9v", "0 0 1 "
+								 "\"text/"
+								 "plain\" "
+								 "Zm9v"),
+		/*
+		 * Valid, unquoted DOA-MEDIA-TYPE, non-empty DOA-DATA.
+		 */
+		TEXT_VALID_CHANGED("0 0 1 text/plain Zm9v", "0 0 1 "
+							    "\"text/plain\" "
+							    "Zm9v"),
+		/*
+		 * Invalid, quoted non-empty DOA-DATA.
+		 */
+		TEXT_INVALID("0 0 1 \"text/plain\" \"Zm9v\""),
+		/*
+		 * Valid, empty DOA-DATA.
+		 */
+		TEXT_VALID("0 0 1 \"text/plain\" -"),
+		/*
+		 * Invalid, quoted empty DOA-DATA.
+		 */
+		TEXT_INVALID("0 0 1 \"text/plain\" \"-\""),
+		/*
+		 * Invalid, missing "-" in empty DOA-DATA.
+		 */
+		TEXT_INVALID("0 0 1 \"text/plain\""),
+		/*
+		 * Valid, undefined DOA-LOCATION.
+		 */
+		TEXT_VALID("0 0 100 \"text/plain\" Zm9v"),
+		/*
+		 * Invalid, DOA-LOCATION too big.
+		 */
+		TEXT_INVALID("0 0 256 \"text/plain\" ZM9v"),
+		/*
+		 * Valid, empty DOA-MEDIA-TYPE, non-empty DOA-DATA.
+		 */
+		TEXT_VALID("0 0 2 \"\" aHR0cHM6Ly93d3cuaXNjLm9yZy8="),
+		/*
+		 * Valid, empty DOA-MEDIA-TYPE, empty DOA-DATA.
+		 */
+		TEXT_VALID("0 0 1 \"\" -"),
+		/*
+		 * Valid, DOA-MEDIA-TYPE with a space.
+		 */
+		TEXT_VALID("0 0 1 \"plain text\" Zm9v"),
+		/*
+		 * Invalid, missing DOA-MEDIA-TYPE.
+		 */
+		TEXT_INVALID("1234567890 1234567890 1"),
+		/*
+		 * Valid, DOA-DATA over 255 octets.
+		 */
+		TEXT_VALID("1234567890 1234567890 1 \"image/gif\" "
+			   "R0lGODlhKAAZAOMCAGZmZgBmmf///zOZzMz//5nM/zNmmWbM"
+			   "/5nMzMzMzACZ/////////////////////yH5BAEKAA8ALAAA"
+			   "AAAoABkAAATH8IFJK5U2a4337F5ogRkpnoCJrly7PrCKyh8c"
+			   "3HgAhzT35MDbbtO7/IJIHbGiOiaTxVTpSVWWLqNq1UVyapNS"
+			   "1wd3OAxug0LhnCubcVhsxysQnOt4ATpvvzHlFzl1AwODhWeF"
+			   "AgRpen5/UhheAYMFdUB4SFcpGEGGdQeCAqBBLTuSk30EeXd9"
+			   "pEsAbKGxjHqDSE0Sp6ixN4N1BJmbc7lIhmsBich1awPAjkY1"
+			   "SZR8bJWrz382SGqIBQQFQd4IsUTaX+ceuudPEQA7"),
+		/*
+		 * Invalid, bad Base64 in DOA-DATA.
+		 */
+		TEXT_INVALID("1234567890 1234567890 1 \"image/gif\" R0lGODl"),
+		/*
+		 * Sentinel.
+		 */
+		TEXT_SENTINEL()
+	};
+	wire_ok_t wire_ok[] = {
+		/*
+		 * Valid, empty DOA-MEDIA-TYPE, empty DOA-DATA.
+		 */
+		WIRE_VALID(0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x56, 0x78, 0x01,
+			   0x00),
+		/*
+		 * Invalid, missing DOA-MEDIA-TYPE.
+		 */
+		WIRE_INVALID(0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x56, 0x78,
+			     0x01),
+		/*
+		 * Invalid, malformed DOA-MEDIA-TYPE length.
+		 */
+		WIRE_INVALID(0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x56, 0x78,
+			     0x01, 0xff),
+		/*
+		 * Valid, empty DOA-DATA.
+		 */
+		WIRE_VALID(0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x56, 0x78, 0x01,
+			   0x03, 0x66, 0x6f, 0x6f),
+		/*
+		 * Valid, non-empty DOA-DATA.
+		 */
+		WIRE_VALID(0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x56, 0x78, 0x01,
+			   0x03, 0x66, 0x6f, 0x6f, 0x62, 0x61, 0x72),
+		/*
+		 * Valid, DOA-DATA over 255 octets.
+		 */
+		WIRE_VALID(0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x56, 0x78, 0x01,
+			   0x06, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x00, 0x66,
+			   0x99, 0xff, 0xff, 0xff, 0x33, 0x99, 0xcc, 0xcc, 0xff,
+			   0xff, 0x99, 0xcc, 0xff, 0x33, 0x66, 0x99, 0x66, 0xcc,
+			   0xff, 0x99, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x00, 0x99,
+			   0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+			   0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x21, 0xf9,
+			   0x04, 0x01, 0x0a, 0x00, 0x0f, 0x00, 0x2c, 0x00, 0x00,
+			   0x00, 0x00, 0x28, 0x00, 0x19, 0x00, 0x00, 0x04, 0xc7,
+			   0xf0, 0x81, 0x49, 0x2b, 0x95, 0x36, 0x6b, 0x8d, 0xf7,
+			   0xec, 0x5e, 0x68, 0x81, 0x19, 0x29, 0x9e, 0x80, 0x89,
+			   0xae, 0x5c, 0xbb, 0x3e, 0xb0, 0x8a, 0xca, 0x1f, 0x1c,
+			   0xdc, 0x78, 0x00, 0x87, 0x34, 0xf7, 0xe4, 0xc0, 0xdb,
+			   0x6e, 0xd3, 0xbb, 0xfc, 0x82, 0x48, 0x1d, 0xb1, 0xa2,
+			   0x3a, 0x26, 0x93, 0xc5, 0x54, 0xe9, 0x49, 0x55, 0x96,
+			   0x2e, 0xa3, 0x6a, 0xd5, 0x45, 0x72, 0x6a, 0x93, 0x52,
+			   0xd7, 0x07, 0x77, 0x38, 0x0c, 0x6e, 0x83, 0x42, 0xe1,
+			   0x9c, 0x2b, 0x9b, 0x71, 0x58, 0x6c, 0xc7, 0x2b, 0x10,
+			   0x9c, 0xeb, 0x78, 0x01, 0x3a, 0x6f, 0xbf, 0x31, 0xe5,
+			   0x17, 0x39, 0x75, 0x03, 0x03, 0x83, 0x85, 0x67, 0x85,
+			   0x02, 0x04, 0x69, 0x7a, 0x7e, 0x7f, 0x52, 0x18, 0x5e,
+			   0x01, 0x83, 0x05, 0x75, 0x40, 0x78, 0x48, 0x57, 0x29,
+			   0x18, 0x41, 0x86, 0x75, 0x07, 0x82, 0x02, 0xa0, 0x41,
+			   0x2d, 0x3b, 0x92, 0x93, 0x7d, 0x04, 0x79, 0x77, 0x7d,
+			   0xa4, 0x4b, 0x00, 0x6c, 0xa1, 0xb1, 0x8c, 0x7a, 0x83,
+			   0x48, 0x4d, 0x12, 0xa7, 0xa8, 0xb1, 0x37, 0x83, 0x75,
+			   0x04, 0x99, 0x9b, 0x73, 0xb9, 0x48, 0x86, 0x6b, 0x01,
+			   0x89, 0xc8, 0x75, 0x6b, 0x03, 0xc0, 0x8e, 0x46, 0x35,
+			   0x49, 0x94, 0x7c, 0x6c, 0x95, 0xab, 0xcf, 0x7f, 0x36,
+			   0x48, 0x6a, 0x88, 0x05, 0x04, 0x05, 0x41, 0xde, 0x08,
+			   0xb1, 0x44, 0xda, 0x5f, 0xe7, 0x1e, 0xba, 0xe7, 0x4f,
+			   0x11, 0x00, 0x3b),
+		/*
+		 * Sentinel.
+		 */
+		WIRE_SENTINEL()
+	};
+
+	UNUSED(state);
+
+	check_rdata(text_ok, wire_ok, NULL, false, dns_rdataclass_in,
+		    dns_rdatatype_doa, sizeof(dns_rdata_doa_t));
+}
+
+/*
+ * DS tests.
+ *
+ * RFC 4034:
+ *
+ * 5.1.  DS RDATA Wire Format
+ *
+ *    The RDATA for a DS RR consists of a 2 octet Key Tag field, a 1 octet
+ *    Algorithm field, a 1 octet Digest Type field, and a Digest field.
+ *
+ *                         1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
+ *     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *    |           Key Tag             |  Algorithm    |  Digest Type  |
+ *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *    /                                                               /
+ *    /                            Digest                             /
+ *    /                                                               /
+ *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *
+ * 5.1.1.  The Key Tag Field
+ *
+ *    The Key Tag field lists the key tag of the DNSKEY RR referred to by
+ *    the DS record, in network byte order.
+ *
+ *    The Key Tag used by the DS RR is identical to the Key Tag used by
+ *    RRSIG RRs.  Appendix B describes how to compute a Key Tag.
+ *
+ * 5.1.2.  The Algorithm Field
+ *
+ *    The Algorithm field lists the algorithm number of the DNSKEY RR
+ *    referred to by the DS record.
+ *
+ *    The algorithm number used by the DS RR is identical to the algorithm
+ *    number used by RRSIG and DNSKEY RRs.  Appendix A.1 lists the
+ *    algorithm number types.
+ *
+ * 5.1.3.  The Digest Type Field
+ *
+ *    The DS RR refers to a DNSKEY RR by including a digest of that DNSKEY
+ *    RR.  The Digest Type field identifies the algorithm used to construct
+ *    the digest.  Appendix A.2 lists the possible digest algorithm types.
+ *
+ * 5.1.4.  The Digest Field
+ *
+ *    The DS record refers to a DNSKEY RR by including a digest of that
+ *    DNSKEY RR.
+ *
+ *    The digest is calculated by concatenating the canonical form of the
+ *    fully qualified owner name of the DNSKEY RR with the DNSKEY RDATA,
+ *    and then applying the digest algorithm.
+ *
+ *      digest = digest_algorithm( DNSKEY owner name | DNSKEY RDATA);
+ *
+ *       "|" denotes concatenation
+ *
+ *      DNSKEY RDATA = Flags | Protocol | Algorithm | Public Key.
+ *
+ *    The size of the digest may vary depending on the digest algorithm and
+ *    DNSKEY RR size.  As of the time of this writing, the only defined
+ *    digest algorithm is SHA-1, which produces a 20 octet digest.
+ */
+static void
+ds(void **state) {
+	text_ok_t text_ok[] = {
+		/*
+		 * Invalid, empty record.
+		 */
+		TEXT_INVALID(""),
+		/*
+		 * Invalid, no algorithm.
+		 */
+		TEXT_INVALID("0"),
+		/*
+		 * Invalid, no digest type.
+		 */
+		TEXT_INVALID("0 0"),
+		/*
+		 * Invalid, no digest.
+		 */
+		TEXT_INVALID("0 0 0"),
+		/*
+		 * Valid, 1-octet digest for a reserved digest type.
+		 */
+		TEXT_VALID("0 0 0 00"),
+		/*
+		 * Invalid, short SHA-1 digest.
+		 */
+		TEXT_INVALID("0 0 1 00"),
+		TEXT_INVALID("0 0 1 4FDCE83016EDD29077621FE568F8DADDB5809B"),
+		/*
+		 * Valid, 20-octet SHA-1 digest.
+		 */
+		TEXT_VALID("0 0 1 4FDCE83016EDD29077621FE568F8DADDB5809B6A"),
+		/*
+		 * Invalid, excessively long SHA-1 digest.
+		 */
+		TEXT_INVALID("0 0 1 4FDCE83016EDD29077621FE568F8DADDB5809B"
+			     "6A00"),
+		/*
+		 * Invalid, short SHA-256 digest.
+		 */
+		TEXT_INVALID("0 0 2 00"),
+		TEXT_INVALID("0 0 2 D001BD422FFDA9B745425B71DC17D007E69186"
+			     "9BD59C5F237D9BF85434C313"),
+		/*
+		 * Valid, 32-octet SHA-256 digest.
+		 */
+		TEXT_VALID_CHANGED("0 0 2 "
+				   "D001BD422FFDA9B745425B71DC17D007E691869B"
+				   "D59C5F237D9BF85434C3133F",
+				   "0 0 2 "
+				   "D001BD422FFDA9B745425B71DC17D007E691869B"
+				   "D59C5F237D9BF854 34C3133F"),
+		/*
+		 * Invalid, excessively long SHA-256 digest.
+		 */
+		TEXT_INVALID("0 0 2 D001BD422FFDA9B745425B71DC17D007E69186"
+			     "9BD59C5F237D9BF85434C3133F00"),
+		/*
+		 * Valid, GOST is no longer supported, hence no length checks.
+		 */
+		TEXT_VALID("0 0 3 00"),
+		/*
+		 * Invalid, short SHA-384 digest.
+		 */
+		TEXT_INVALID("0 0 4 00"),
+		TEXT_INVALID("0 0 4 AC748D6C5AA652904A8763D64B7DFFFFA98152"
+			     "BE12128D238BEBB4814B648F5A841E15CAA2DE348891"
+			     "A37A699F65E5"),
+		/*
+		 * Valid, 48-octet SHA-384 digest.
+		 */
+		TEXT_VALID_CHANGED("0 0 4 "
+				   "AC748D6C5AA652904A8763D64B7DFFFFA98152BE"
+				   "12128D238BEBB4814B648F5A841E15CAA2DE348891A"
+				   "37A"
+				   "699F65E54D",
+				   "0 0 4 "
+				   "AC748D6C5AA652904A8763D64B7DFFFFA98152BE"
+				   "12128D238BEBB481 "
+				   "4B648F5A841E15CAA2DE348891A37A"
+				   "699F65E54D"),
+		/*
+		 * Invalid, excessively long SHA-384 digest.
+		 */
+		TEXT_INVALID("0 0 4 AC748D6C5AA652904A8763D64B7DFFFFA98152"
+			     "BE12128D238BEBB4814B648F5A841E15CAA2DE348891"
+			     "A37A699F65E54D00"),
+		/*
+		 * Valid, 1-octet digest for an unassigned digest type.
+		 */
+		TEXT_VALID("0 0 5 00"),
+		/*
+		 * Sentinel.
+		 */
+		TEXT_SENTINEL()
+	};
+	wire_ok_t wire_ok[] = {
+		/*
+		 * Invalid, truncated key tag.
+		 */
+		WIRE_INVALID(0x00),
+		/*
+		 * Invalid, no algorithm.
+		 */
+		WIRE_INVALID(0x00, 0x00),
+		/*
+		 * Invalid, no digest type.
+		 */
+		WIRE_INVALID(0x00, 0x00, 0x00),
+		/*
+		 * Invalid, no digest.
+		 */
+		WIRE_INVALID(0x00, 0x00, 0x00, 0x00),
+		/*
+		 * Valid, 1-octet digest for a reserved digest type.
+		 */
+		WIRE_VALID(0x00, 0x00, 0x00, 0x00, 0x00),
+		/*
+		 * Invalid, short SHA-1 digest.
+		 */
+		WIRE_INVALID(0x00, 0x00, 0x00, 0x01, 0x00),
+		WIRE_INVALID(0x00, 0x00, 0x00, 0x01, 0x4F, 0xDC, 0xE8, 0x30,
+			     0x16, 0xED, 0xD2, 0x90, 0x77, 0x62, 0x1F, 0xE5,
+			     0x68, 0xF8, 0xDA, 0xDD, 0xB5, 0x80, 0x9B),
+		/*
+		 * Valid, 20-octet SHA-1 digest.
+		 */
+		WIRE_VALID(0x00, 0x00, 0x00, 0x01, 0x4F, 0xDC, 0xE8, 0x30, 0x16,
+			   0xED, 0xD2, 0x90, 0x77, 0x62, 0x1F, 0xE5, 0x68, 0xF8,
+			   0xDA, 0xDD, 0xB5, 0x80, 0x9B, 0x6A),
+		/*
+		 * Invalid, excessively long SHA-1 digest.
+		 */
+		WIRE_INVALID(0x00, 0x00, 0x00, 0x01, 0x4F, 0xDC, 0xE8, 0x30,
+			     0x16, 0xED, 0xD2, 0x90, 0x77, 0x62, 0x1F, 0xE5,
+			     0x68, 0xF8, 0xDA, 0xDD, 0xB5, 0x80, 0x9B, 0x6A,
+			     0x00),
+		/*
+		 * Invalid, short SHA-256 digest.
+		 */
+		WIRE_INVALID(0x00, 0x00, 0x00, 0x02, 0x00),
+		WIRE_INVALID(0x00, 0x00, 0x00, 0x02, 0xD0, 0x01, 0xBD, 0x42,
+			     0x2F, 0xFD, 0xA9, 0xB7, 0x45, 0x42, 0x5B, 0x71,
+			     0xDC, 0x17, 0xD0, 0x07, 0xE6, 0x91, 0x86, 0x9B,
+			     0xD5, 0x9C, 0x5F, 0x23, 0x7D, 0x9B, 0xF8, 0x54,
+			     0x34, 0xC3, 0x13),
+		/*
+		 * Valid, 32-octet SHA-256 digest.
+		 */
+		WIRE_VALID(0x00, 0x00, 0x00, 0x02, 0xD0, 0x01, 0xBD, 0x42, 0x2F,
+			   0xFD, 0xA9, 0xB7, 0x45, 0x42, 0x5B, 0x71, 0xDC, 0x17,
+			   0xD0, 0x07, 0xE6, 0x91, 0x86, 0x9B, 0xD5, 0x9C, 0x5F,
+			   0x23, 0x7D, 0x9B, 0xF8, 0x54, 0x34, 0xC3, 0x13,
+			   0x3F),
+		/*
+		 * Invalid, excessively long SHA-256 digest.
+		 */
+		WIRE_INVALID(0x00, 0x00, 0x00, 0x02, 0xD0, 0x01, 0xBD, 0x42,
+			     0x2F, 0xFD, 0xA9, 0xB7, 0x45, 0x42, 0x5B, 0x71,
+			     0xDC, 0x17, 0xD0, 0x07, 0xE6, 0x91, 0x86, 0x9B,
+			     0xD5, 0x9C, 0x5F, 0x23, 0x7D, 0x9B, 0xF8, 0x54,
+			     0x34, 0xC3, 0x13, 0x3F, 0x00),
+		/*
+		 * Valid, GOST is no longer supported, hence no length checks.
+		 */
+		WIRE_VALID(0x00, 0x00, 0x00, 0x03, 0x00),
+		/*
+		 * Invalid, short SHA-384 digest.
+		 */
+		WIRE_INVALID(0x00, 0x00, 0x00, 0x04, 0x00),
+		WIRE_INVALID(0x00, 0x00, 0x00, 0x04, 0xAC, 0x74, 0x8D, 0x6C,
+			     0x5A, 0xA6, 0x52, 0x90, 0x4A, 0x87, 0x63, 0xD6,
+			     0x4B, 0x7D, 0xFF, 0xFF, 0xA9, 0x81, 0x52, 0xBE,
+			     0x12, 0x12, 0x8D, 0x23, 0x8B, 0xEB, 0xB4, 0x81,
+			     0x4B, 0x64, 0x8F, 0x5A, 0x84, 0x1E, 0x15, 0xCA,
+			     0xA2, 0xDE, 0x34, 0x88, 0x91, 0xA3, 0x7A, 0x69,
+			     0x9F, 0x65, 0xE5),
+		/*
+		 * Valid, 48-octet SHA-384 digest.
+		 */
+		WIRE_VALID(0x00, 0x00, 0x00, 0x04, 0xAC, 0x74, 0x8D, 0x6C, 0x5A,
+			   0xA6, 0x52, 0x90, 0x4A, 0x87, 0x63, 0xD6, 0x4B, 0x7D,
+			   0xFF, 0xFF, 0xA9, 0x81, 0x52, 0xBE, 0x12, 0x12, 0x8D,
+			   0x23, 0x8B, 0xEB, 0xB4, 0x81, 0x4B, 0x64, 0x8F, 0x5A,
+			   0x84, 0x1E, 0x15, 0xCA, 0xA2, 0xDE, 0x34, 0x88, 0x91,
+			   0xA3, 0x7A, 0x69, 0x9F, 0x65, 0xE5, 0x4D),
+		/*
+		 * Invalid, excessively long SHA-384 digest.
+		 */
+		WIRE_INVALID(0x00, 0x00, 0x00, 0x04, 0xAC, 0x74, 0x8D, 0x6C,
+			     0x5A, 0xA6, 0x52, 0x90, 0x4A, 0x87, 0x63, 0xD6,
+			     0x4B, 0x7D, 0xFF, 0xFF, 0xA9, 0x81, 0x52, 0xBE,
+			     0x12, 0x12, 0x8D, 0x23, 0x8B, 0xEB, 0xB4, 0x81,
+			     0x4B, 0x64, 0x8F, 0x5A, 0x84, 0x1E, 0x15, 0xCA,
+			     0xA2, 0xDE, 0x34, 0x88, 0x91, 0xA3, 0x7A, 0x69,
+			     0x9F, 0x65, 0xE5, 0x4D, 0x00),
+		WIRE_VALID(0x00, 0x00, 0x04, 0x00, 0x00),
+		/*
+		 * Sentinel.
+		 */
+		WIRE_SENTINEL()
+	};
+
+	UNUSED(state);
+
+	check_rdata(text_ok, wire_ok, NULL, false, dns_rdataclass_in,
+		    dns_rdatatype_ds, sizeof(dns_rdata_ds_t));
+}
+
+/*
+ * EDNS Client Subnet tests.
+ *
+ * RFC 7871:
+ *
+ * 6.  Option Format
+ *
+ *    This protocol uses an EDNS0 [RFC6891] option to include client
+ *    address information in DNS messages.  The option is structured as
+ *    follows:
+ *
+ *                 +0 (MSB)                            +1 (LSB)
+ *       +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+ *    0: |                          OPTION-CODE                          |
+ *       +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+ *    2: |                         OPTION-LENGTH                         |
+ *       +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+ *    4: |                            FAMILY                             |
+ *       +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+ *    6: |     SOURCE PREFIX-LENGTH      |     SCOPE PREFIX-LENGTH       |
+ *       +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+ *    8: |                           ADDRESS...                          /
+ *       +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+ *
+ *    o  (Defined in [RFC6891]) OPTION-CODE, 2 octets, for ECS is 8 (0x00
+ *       0x08).
+ *
+ *    o  (Defined in [RFC6891]) OPTION-LENGTH, 2 octets, contains the
+ *       length of the payload (everything after OPTION-LENGTH) in octets.
+ *
+ *    o  FAMILY, 2 octets, indicates the family of the address contained in
+ *       the option, using address family codes as assigned by IANA in
+ *       Address Family Numbers [Address_Family_Numbers].
+ *
+ *    The format of the address part depends on the value of FAMILY.  This
+ *    document only defines the format for FAMILY 1 (IPv4) and FAMILY 2
+ *    (IPv6), which are as follows:
+ *
+ *    o  SOURCE PREFIX-LENGTH, an unsigned octet representing the leftmost
+ *       number of significant bits of ADDRESS to be used for the lookup.
+ *       In responses, it mirrors the same value as in the queries.
+ *
+ *    o  SCOPE PREFIX-LENGTH, an unsigned octet representing the leftmost
+ *       number of significant bits of ADDRESS that the response covers.
+ *       In queries, it MUST be set to 0.
+ *
+ *    o  ADDRESS, variable number of octets, contains either an IPv4 or
+ *       IPv6 address, depending on FAMILY, which MUST be truncated to the
+ *       number of bits indicated by the SOURCE PREFIX-LENGTH field,
+ *       padding with 0 bits to pad to the end of the last octet needed.
+ *
+ *    o  A server receiving an ECS option that uses either too few or too
+ *       many ADDRESS octets, or that has non-zero ADDRESS bits set beyond
+ *       SOURCE PREFIX-LENGTH, SHOULD return FORMERR to reject the packet,
+ *       as a signal to the software developer making the request to fix
+ *       their implementation.
+ *
+ *    All fields are in network byte order ("big-endian", per [RFC1700],
+ *    Data Notation).
+ */
+static void
+edns_client_subnet(void **state) {
+	wire_ok_t wire_ok[] = {
+		/*
+		 * Option code with no content.
+		 */
+		WIRE_INVALID(0x00, 0x08, 0x00, 0x00),
+		/*
+		 * Option code family 0, source 0, scope 0.
+		 */
+		WIRE_VALID(0x00, 0x08, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00),
+		/*
+		 * Option code family 1 (IPv4), source 0, scope 0.
+		 */
+		WIRE_VALID(0x00, 0x08, 0x00, 0x04, 0x00, 0x01, 0x00, 0x00),
+		/*
+		 * Option code family 2 (IPv6) , source 0, scope 0.
+		 */
+		WIRE_VALID(0x00, 0x08, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00),
+		/*
+		 * Extra octet.
+		 */
+		WIRE_INVALID(0x00, 0x08, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00,
+			     0x00),
+		/*
+		 * Source too long for IPv4.
+		 */
+		WIRE_INVALID(0x00, 0x08, 0x00, 8, 0x00, 0x01, 33, 0x00, 0x00,
+			     0x00, 0x00, 0x00),
+		/*
+		 * Source too long for IPv6.
+		 */
+		WIRE_INVALID(0x00, 0x08, 0x00, 20, 0x00, 0x02, 129, 0x00, 0x00,
+			     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+			     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+		/*
+		 * Scope too long for IPv4.
+		 */
+		WIRE_INVALID(0x00, 0x08, 0x00, 8, 0x00, 0x01, 0x00, 33, 0x00,
+			     0x00, 0x00, 0x00),
+		/*
+		 * Scope too long for IPv6.
+		 */
+		WIRE_INVALID(0x00, 0x08, 0x00, 20, 0x00, 0x02, 0x00, 129, 0x00,
+			     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+			     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+		/*
+		 * When family=0, source and scope should be 0.
+		 */
+		WIRE_VALID(0x00, 0x08, 0x00, 4, 0x00, 0x00, 0x00, 0x00),
+		/*
+		 * When family=0, source and scope should be 0.
+		 */
+		WIRE_INVALID(0x00, 0x08, 0x00, 5, 0x00, 0x00, 0x01, 0x00, 0x00),
+		/*
+		 * When family=0, source and scope should be 0.
+		 */
+		WIRE_INVALID(0x00, 0x08, 0x00, 5, 0x00, 0x00, 0x00, 0x01, 0x00),
+		/*
+		 * Length too short for source IPv4.
+		 */
+		WIRE_INVALID(0x00, 0x08, 0x00, 7, 0x00, 0x01, 32, 0x00, 0x00,
+			     0x00, 0x00),
+		/*
+		 * Length too short for source IPv6.
+		 */
+		WIRE_INVALID(0x00, 0x08, 0x00, 19, 0x00, 0x02, 128, 0x00, 0x00,
+			     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+			     0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+		/*
+		 * Sentinel.
+		 */
+		WIRE_SENTINEL()
+	};
+
+	UNUSED(state);
+
+	check_rdata(NULL, wire_ok, NULL, true, dns_rdataclass_in,
+		    dns_rdatatype_opt, sizeof(dns_rdata_opt_t));
+}
+
+/*
+ * http://ana-3.lcs.mit.edu/~jnc/nimrod/dns.txt
+ *
+ * The RDATA portion of both the NIMLOC and EID records contains
+ * uninterpreted binary data.  The representation in the text master file
+ * is an even number of hex characters (0 to 9, a to f), case is not
+ * significant.  For readability, whitespace may be included in the value
+ * field and should be ignored when reading a master file.
+ */
+static void
+eid(void **state) {
+	text_ok_t text_ok[] = { TEXT_VALID("AABBCC"),
+				TEXT_VALID_CHANGED("AA bb cc", "AABBCC"),
+				TEXT_INVALID("aab"),
+				/*
+				 * Sentinel.
+				 */
+				TEXT_SENTINEL() };
+	wire_ok_t wire_ok[] = { WIRE_VALID(0x00), WIRE_VALID(0xAA, 0xBB, 0xCC),
+				/*
+				 * Sentinel.
+				 */
+				WIRE_SENTINEL() };
+
+	UNUSED(state);
+
+	check_rdata(text_ok, wire_ok, NULL, false, dns_rdataclass_in,
+		    dns_rdatatype_eid, sizeof(dns_rdata_in_eid_t));
+}
+
+/*
+ * test that an oversized HIP record will be rejected
+ */
+static void
+hip(void **state) {
+	text_ok_t text_ok[] = {
+		/* RFC 8005 examples. */
+		TEXT_VALID_LOOP(0, "2 200100107B1A74DF365639CC39F1D578 "
+				   "AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cI"
+				   "vM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbW"
+				   "Iy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+b"
+				   "SRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWx"
+				   "Z48AWkskmdHaVDP4BcelrTI3rMXdXF5D"),
+		TEXT_VALID_LOOP(1, "2 200100107B1A74DF365639CC39F1D578 "
+				   "AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cI"
+				   "vM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbW"
+				   "Iy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+b"
+				   "SRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWx"
+				   "Z48AWkskmdHaVDP4BcelrTI3rMXdXF5D "
+				   "rvs1.example.com."),
+		TEXT_VALID_LOOP(2, "2 200100107B1A74DF365639CC39F1D578 "
+				   "AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cI"
+				   "vM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbW"
+				   "Iy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+b"
+				   "SRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWx"
+				   "Z48AWkskmdHaVDP4BcelrTI3rMXdXF5D "
+				   "rvs1.example.com. rvs2.example.com."),
+		/*
+		 * Sentinel.
+		 */
+		TEXT_SENTINEL()
+	};
+	unsigned char hipwire[DNS_RDATA_MAXLENGTH] = { 0x01, 0x00, 0x00, 0x01,
+						       0x00, 0x00, 0x04, 0x41,
+						       0x42, 0x43, 0x44, 0x00 };
+	unsigned char buf[1024 * 1024];
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_result_t result;
+	size_t i;
+
+	UNUSED(state);
+
+	/*
+	 * Fill the rest of input buffer with compression pointers.
+	 */
+	for (i = 12; i < sizeof(hipwire) - 2; i += 2) {
+		hipwire[i] = 0xc0;
+		hipwire[i + 1] = 0x06;
+	}
+
+	result = wire_to_rdata(hipwire, sizeof(hipwire), dns_rdataclass_in,
+			       dns_rdatatype_hip, buf, sizeof(buf), &rdata);
+	assert_int_equal(result, DNS_R_FORMERR);
+	check_text_ok(text_ok, dns_rdataclass_in, dns_rdatatype_hip,
+		      sizeof(dns_rdata_hip_t));
+}
+
+/*
+ * ISDN tests.
+ *
+ * RFC 1183:
+ *
+ * 3.2. The ISDN RR
+ *
+ *    The ISDN RR is defined with mnemonic ISDN and type code 20 (decimal).
+ *
+ *    An ISDN (Integrated Service Digital Network) number is simply a
+ *    telephone number.  The intent of the members of the CCITT is to
+ *    upgrade all telephone and data network service to a common service.
+ *
+ *    The numbering plan (E.163/E.164) is the same as the familiar
+ *    international plan for POTS (an un-official acronym, meaning Plain
+ *    Old Telephone Service).  In E.166, CCITT says "An E.163/E.164
+ *    telephony subscriber may become an ISDN subscriber without a number
+ *    change."
+ *
+ *    ISDN has the following format:
+ *
+ *    <owner> <ttl> <class> ISDN <ISDN-address> <sa>
+ *
+ *    The <ISDN-address> field is required; <sa> is optional.
+ *
+ *    <ISDN-address> identifies the ISDN number of <owner> and DDI (Direct
+ *    Dial In) if any, as defined by E.164 [8] and E.163 [7], the ISDN and
+ *    PSTN (Public Switched Telephone Network) numbering plan.  E.163
+ *    defines the country codes, and E.164 the form of the addresses.  Its
+ *    format in master files is a <character-string> syntactically
+ *    identical to that used in TXT and HINFO.
+ *
+ *    <sa> specifies the subaddress (SA).  The format of <sa> in master
+ *    files is a <character-string> syntactically identical to that used in
+ *    TXT and HINFO.
+ *
+ *    The format of ISDN is class insensitive.  ISDN RRs cause no
+ *    additional section processing.
+ *
+ *    The <ISDN-address> is a string of characters, normally decimal
+ *    digits, beginning with the E.163 country code and ending with the DDI
+ *    if any.  Note that ISDN, in Q.931, permits any IA5 character in the
+ *    general case.
+ *
+ *    The <sa> is a string of hexadecimal digits.  For digits 0-9, the
+ *    concrete encoding in the Q.931 call setup information element is
+ *    identical to BCD.
+ *
+ *    For example:
+ *
+ *    Relay.Prime.COM.   IN   ISDN      150862028003217
+ *    sh.Prime.COM.      IN   ISDN      150862028003217 004
+ *
+ *    (Note: "1" is the country code for the North American Integrated
+ *    Numbering Area, i.e., the system of "area codes" familiar to people
+ *    in those countries.)
+ *
+ *    The RR data is the ASCII representation of the digits.  It is encoded
+ *    as one or two <character-string>s, i.e., count followed by
+ *    characters.
+ */
+static void
+isdn(void **state) {
+	wire_ok_t wire_ok[] = { /*
+				 * "".
+				 */
+				WIRE_VALID(0x00),
+				/*
+				 * "\001".
+				 */
+				WIRE_VALID(0x01, 0x01),
+				/*
+				 * "\001" "".
+				 */
+				WIRE_VALID(0x01, 0x01, 0x00),
+				/*
+				 * "\001" "\001".
+				 */
+				WIRE_VALID(0x01, 0x01, 0x01, 0x01),
+				/*
+				 * Sentinel.
+				 */
+				WIRE_SENTINEL()
+	};
+
+	UNUSED(state);
+
+	check_rdata(NULL, wire_ok, NULL, false, dns_rdataclass_in,
+		    dns_rdatatype_isdn, sizeof(dns_rdata_isdn_t));
+}
+
+/*
+ * KEY tests.
+ */
+static void
+key(void **state) {
+	wire_ok_t wire_ok[] = { /*
+				 * RDATA is comprised of:
+				 *
+				 *   - 2 octets for Flags,
+				 *   - 1 octet for Protocol,
+				 *   - 1 octet for Algorithm,
+				 *   - variable number of octets for Public Key.
+				 *
+				 * RFC 2535 section 3.1.2 states that if bits
+				 * 0-1 of Flags are both set, the RR stops after
+				 * the algorithm octet and thus its length must
+				 * be 4 octets.  In any other case, though, the
+				 * Public Key part must not be empty.
+				 */
+				WIRE_INVALID(0x00),
+				WIRE_INVALID(0x00, 0x00),
+				WIRE_INVALID(0x00, 0x00, 0x00),
+				WIRE_VALID(0xc0, 0x00, 0x00, 0x00),
+				WIRE_INVALID(0xc0, 0x00, 0x00, 0x00, 0x00),
+				WIRE_INVALID(0x00, 0x00, 0x00, 0x00),
+				WIRE_VALID(0x00, 0x00, 0x00, 0x00, 0x00),
+				WIRE_SENTINEL()
+	};
+
+	UNUSED(state);
+
+	check_rdata(NULL, wire_ok, NULL, false, dns_rdataclass_in,
+		    dns_rdatatype_key, sizeof(dns_rdata_key_t));
+}
+
+/*
+ * LOC tests.
+ */
+static void
+loc(void **state) {
+	text_ok_t text_ok[] = {
+		TEXT_VALID_CHANGED("0 N 0 E 0", "0 0 0.000 N 0 0 0.000 E 0.00m "
+						"1m 10000m 10m"),
+		TEXT_VALID_CHANGED("0 S 0 W 0", "0 0 0.000 N 0 0 0.000 E 0.00m "
+						"1m 10000m 10m"),
+		TEXT_VALID_CHANGED("0 0 N 0 0 E 0", "0 0 0.000 N 0 0 0.000 E "
+						    "0.00m 1m 10000m 10m"),
+		TEXT_VALID_CHANGED("0 0 0 N 0 0 0 E 0",
+				   "0 0 0.000 N 0 0 0.000 E 0.00m 1m 10000m "
+				   "10m"),
+		TEXT_VALID_CHANGED("0 0 0 N 0 0 0 E 0",
+				   "0 0 0.000 N 0 0 0.000 E 0.00m 1m 10000m "
+				   "10m"),
+		TEXT_VALID_CHANGED("0 0 0. N 0 0 0. E 0",
+				   "0 0 0.000 N 0 0 0.000 E 0.00m 1m 10000m "
+				   "10m"),
+		TEXT_VALID_CHANGED("0 0 .0 N 0 0 .0 E 0",
+				   "0 0 0.000 N 0 0 0.000 E 0.00m 1m 10000m "
+				   "10m"),
+		TEXT_INVALID("0 North 0 East 0"),
+		TEXT_INVALID("0 South 0 West 0"),
+		TEXT_INVALID("0 0 . N 0 0 0. E 0"),
+		TEXT_INVALID("0 0 0. N 0 0 . E 0"),
+		TEXT_INVALID("0 0 0. N 0 0 0. E m"),
+		TEXT_INVALID("0 0 0. N 0 0 0. E 0 ."),
+		TEXT_INVALID("0 0 0. N 0 0 0. E 0 m"),
+		TEXT_INVALID("0 0 0. N 0 0 0. E 0 0 ."),
+		TEXT_INVALID("0 0 0. N 0 0 0. E 0 0 m"),
+		TEXT_INVALID("0 0 0. N 0 0 0. E 0 0 0 ."),
+		TEXT_INVALID("0 0 0. N 0 0 0. E 0 0 0 m"),
+		TEXT_VALID_CHANGED("90 N 180 E 0", "90 0 0.000 N 180 0 0.000 E "
+						   "0.00m 1m 10000m 10m"),
+		TEXT_INVALID("90 1 N 180 E 0"),
+		TEXT_INVALID("90 0 1 N 180 E 0"),
+		TEXT_INVALID("90 N 180 1 E 0"),
+		TEXT_INVALID("90 N 180 0 1 E 0"),
+		TEXT_VALID_CHANGED("90 S 180 W 0", "90 0 0.000 S 180 0 0.000 W "
+						   "0.00m 1m 10000m 10m"),
+		TEXT_INVALID("90 1 S 180 W 0"),
+		TEXT_INVALID("90 0 1 S 180 W 0"),
+		TEXT_INVALID("90 S 180 1 W 0"),
+		TEXT_INVALID("90 S 180 0 1 W 0"),
+		TEXT_INVALID("0 0 0.000 E 0 0 0.000 E -0.95m 1m 10000m 10m"),
+		TEXT_VALID("0 0 0.000 N 0 0 0.000 E -0.95m 1m 10000m 10m"),
+		TEXT_VALID("0 0 0.000 N 0 0 0.000 E -0.05m 1m 10000m 10m"),
+		TEXT_VALID("0 0 0.000 N 0 0 0.000 E -100000.00m 1m 10000m 10m"),
+		TEXT_VALID("0 0 0.000 N 0 0 0.000 E 42849672.95m 1m 10000m "
+			   "10m"),
+		/*
+		 * Sentinel.
+		 */
+		TEXT_SENTINEL()
+	};
+
+	UNUSED(state);
+
+	check_rdata(text_ok, 0, NULL, false, dns_rdataclass_in,
+		    dns_rdatatype_loc, sizeof(dns_rdata_loc_t));
+}
+
+/*
+ * http://ana-3.lcs.mit.edu/~jnc/nimrod/dns.txt
+ *
+ * The RDATA portion of both the NIMLOC and EID records contains
+ * uninterpreted binary data.  The representation in the text master file
+ * is an even number of hex characters (0 to 9, a to f), case is not
+ * significant.  For readability, whitespace may be included in the value
+ * field and should be ignored when reading a master file.
+ */
+static void
+nimloc(void **state) {
+	text_ok_t text_ok[] = { TEXT_VALID("AABBCC"),
+				TEXT_VALID_CHANGED("AA bb cc", "AABBCC"),
+				TEXT_INVALID("aab"),
+				/*
+				 * Sentinel.
+				 */
+				TEXT_SENTINEL() };
+	wire_ok_t wire_ok[] = { WIRE_VALID(0x00), WIRE_VALID(0xAA, 0xBB, 0xCC),
+				/*
+				 * Sentinel.
+				 */
+				WIRE_SENTINEL() };
+
+	UNUSED(state);
+
+	check_rdata(text_ok, wire_ok, NULL, false, dns_rdataclass_in,
+		    dns_rdatatype_nimloc, sizeof(dns_rdata_in_nimloc_t));
+}
+
+/*
+ * NSEC tests.
+ *
+ * RFC 4034:
+ *
+ * 4.1.  NSEC RDATA Wire Format
+ *
+ *   The RDATA of the NSEC RR is as shown below:
+ *
+ *                         1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
+ *     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *    /                      Next Domain Name                         /
+ *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *    /                       Type Bit Maps                           /
+ *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *
+ * 4.1.1.  The Next Domain Name Field
+ *
+ *    The Next Domain field contains the next owner name (in the canonical
+ *    ordering of the zone) that has authoritative data or contains a
+ *    delegation point NS RRset; see Section 6.1 for an explanation of
+ *    canonical ordering.  The value of the Next Domain Name field in the
+ *    last NSEC record in the zone is the name of the zone apex (the owner
+ *    name of the zone's SOA RR).  This indicates that the owner name of
+ *    the NSEC RR is the last name in the canonical ordering of the zone.
+ *
+ *    A sender MUST NOT use DNS name compression on the Next Domain Name
+ *    field when transmitting an NSEC RR.
+ *
+ *    Owner names of RRsets for which the given zone is not authoritative
+ *    (such as glue records) MUST NOT be listed in the Next Domain Name
+ *    unless at least one authoritative RRset exists at the same owner
+ *    name.
+ *
+ * 4.1.2.  The Type Bit Maps Field
+ *
+ *    The Type Bit Maps field identifies the RRset types that exist at the
+ *    NSEC RR's owner name.
+ *
+ *    The RR type space is split into 256 window blocks, each representing
+ *    the low-order 8 bits of the 16-bit RR type space.  Each block that
+ *    has at least one active RR type is encoded using a single octet
+ *    window number (from 0 to 255), a single octet bitmap length (from 1
+ *    to 32) indicating the number of octets used for the window block's
+ *    bitmap, and up to 32 octets (256 bits) of bitmap.
+ *
+ *    Blocks are present in the NSEC RR RDATA in increasing numerical
+ *    order.
+ *
+ *       Type Bit Maps Field = ( Window Block # | Bitmap Length | Bitmap )+
+ *
+ *       where "|" denotes concatenation.
+ *
+ *    Each bitmap encodes the low-order 8 bits of RR types within the
+ *    window block, in network bit order.  The first bit is bit 0.  For
+ *    window block 0, bit 1 corresponds to RR type 1 (A), bit 2 corresponds
+ *    to RR type 2 (NS), and so forth.  For window block 1, bit 1
+ *    corresponds to RR type 257, and bit 2 to RR type 258.  If a bit is
+ *    set, it indicates that an RRset of that type is present for the NSEC
+ *    RR's owner name.  If a bit is clear, it indicates that no RRset of
+ *    that type is present for the NSEC RR's owner name.
+ *
+ *    Bits representing pseudo-types MUST be clear, as they do not appear
+ *    in zone data.  If encountered, they MUST be ignored upon being read.
+ */
+static void
+nsec(void **state) {
+	text_ok_t text_ok[] = { TEXT_INVALID(""), TEXT_INVALID("."),
+				TEXT_VALID(". RRSIG"), TEXT_SENTINEL() };
+	wire_ok_t wire_ok[] = { WIRE_INVALID(0x00), WIRE_INVALID(0x00, 0x00),
+				WIRE_INVALID(0x00, 0x00, 0x00),
+				WIRE_VALID(0x00, 0x00, 0x01, 0x02),
+				WIRE_SENTINEL() };
+
+	UNUSED(state);
+
+	check_rdata(text_ok, wire_ok, NULL, false, dns_rdataclass_in,
+		    dns_rdatatype_nsec, sizeof(dns_rdata_nsec_t));
+}
+
+/*
+ * NSEC3 tests.
+ *
+ * RFC 5155.
+ */
+static void
+nsec3(void **state) {
+	text_ok_t text_ok[] = { TEXT_INVALID(""),
+				TEXT_INVALID("."),
+				TEXT_INVALID(". RRSIG"),
+				TEXT_INVALID("1 0 10 76931F"),
+				TEXT_INVALID("1 0 10 76931F "
+					     "IMQ912BREQP1POLAH3RMONG&"
+					     "UED541AS"),
+				TEXT_INVALID("1 0 10 76931F "
+					     "IMQ912BREQP1POLAH3RMONGAUED541AS "
+					     "A RRSIG BADTYPE"),
+				TEXT_VALID("1 0 10 76931F "
+					   "AJHVGTICN6K0VDA53GCHFMT219SRRQLM A "
+					   "RRSIG"),
+				TEXT_VALID("1 0 10 76931F "
+					   "AJHVGTICN6K0VDA53GCHFMT219SRRQLM"),
+				TEXT_VALID("1 0 10 - "
+					   "AJHVGTICN6K0VDA53GCHFMT219SRRQLM"),
+				TEXT_SENTINEL() };
+
+	UNUSED(state);
+
+	check_rdata(text_ok, NULL, NULL, false, dns_rdataclass_in,
+		    dns_rdatatype_nsec3, sizeof(dns_rdata_nsec3_t));
+}
+
+/* NXT RDATA manipulations */
+static void
+nxt(void **state) {
+	compare_ok_t compare_ok[] = {
+		COMPARE("a. A SIG", "a. A SIG", 0),
+		/*
+		 * Records that differ only in the case of the next
+		 * name should be equal.
+		 */
+		COMPARE("A. A SIG", "a. A SIG", 0),
+		/*
+		 * Sorting on name field.
+		 */
+		COMPARE("A. A SIG", "b. A SIG", -1),
+		COMPARE("b. A SIG", "A. A SIG", 1),
+		/* bit map differs */
+		COMPARE("b. A SIG", "b. A AAAA SIG", -1),
+		/* order of bit map does not matter */
+		COMPARE("b. A SIG AAAA", "b. A AAAA SIG", 0), COMPARE_SENTINEL()
+	};
+
+	UNUSED(state);
+
+	check_rdata(NULL, NULL, compare_ok, false, dns_rdataclass_in,
+		    dns_rdatatype_nxt, sizeof(dns_rdata_nxt_t));
+}
+
+static void
+rkey(void **state) {
+	text_ok_t text_ok[] = { /*
+				 * Valid, flags set to 0 and a key is present.
+				 */
+				TEXT_VALID("0 0 0 aaaa"),
+				/*
+				 * Invalid, non-zero flags.
+				 */
+				TEXT_INVALID("1 0 0 aaaa"),
+				TEXT_INVALID("65535 0 0 aaaa"),
+				/*
+				 * Sentinel.
+				 */
+				TEXT_SENTINEL()
+	};
+	wire_ok_t wire_ok[] = { /*
+				 * Valid, flags set to 0 and a key is present.
+				 */
+				WIRE_VALID(0x00, 0x00, 0x00, 0x00, 0x00),
+				/*
+				 * Invalid, non-zero flags.
+				 */
+				WIRE_INVALID(0x00, 0x01, 0x00, 0x00, 0x00),
+				WIRE_INVALID(0xff, 0xff, 0x00, 0x00, 0x00),
+				/*
+				 * Sentinel.
+				 */
+				WIRE_SENTINEL()
+	};
+	key_required(state, dns_rdatatype_rkey, sizeof(dns_rdata_rkey_t));
+	check_rdata(text_ok, wire_ok, NULL, false, dns_rdataclass_in,
+		    dns_rdatatype_rkey, sizeof(dns_rdata_rkey_t));
+}
+
+/* SSHFP RDATA manipulations */
+static void
+sshfp(void **state) {
+	text_ok_t text_ok[] = { TEXT_INVALID(""),     /* too short */
+				TEXT_INVALID("0"),    /* reserved, too short */
+				TEXT_VALID("0 0"),    /* no finger print */
+				TEXT_VALID("0 0 AA"), /* reserved */
+				TEXT_INVALID("0 1 AA"), /* too short SHA 1
+							 * digest */
+				TEXT_INVALID("0 2 AA"), /* too short SHA 256
+							 * digest */
+				TEXT_VALID("0 3 AA"),	/* unknown finger print
+							 * type */
+				/* good length SHA 1 digest */
+				TEXT_VALID("1 1 "
+					   "00112233445566778899AABBCCDDEEFF171"
+					   "81920"),
+				/* good length SHA 256 digest */
+				TEXT_VALID("4 2 "
+					   "A87F1B687AC0E57D2A081A2F282672334D9"
+					   "0ED316D2B818CA9580EA3 84D92401"),
+				/*
+				 * totext splits the fingerprint into chunks and
+				 * emits uppercase hex.
+				 */
+				TEXT_VALID_CHANGED("1 2 "
+						   "00112233445566778899aabbccd"
+						   "deeff "
+						   "00112233445566778899AABBCCD"
+						   "DEEFF",
+						   "1 2 "
+						   "00112233445566778899AABBCCD"
+						   "DEEFF"
+						   "00112233445566778899AABB "
+						   "CCDDEEFF"),
+				TEXT_SENTINEL() };
+	wire_ok_t wire_ok[] = {
+		WIRE_INVALID(0x00),	      /* reserved too short */
+		WIRE_VALID(0x00, 0x00),	      /* reserved no finger print */
+		WIRE_VALID(0x00, 0x00, 0x00), /* reserved */
+
+		/* too short SHA 1 digests */
+		WIRE_INVALID(0x00, 0x01), WIRE_INVALID(0x00, 0x01, 0x00),
+		WIRE_INVALID(0x00, 0x01, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
+			     0x66, 0x77, 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD,
+			     0xEE, 0xFF, 0x17, 0x18, 0x19),
+		/* good length SHA 1 digest */
+		WIRE_VALID(0x00, 0x01, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66,
+			   0x77, 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF,
+			   0x17, 0x18, 0x19, 0x20),
+		/* too long SHA 1 digest */
+		WIRE_INVALID(0x00, 0x01, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
+			     0x66, 0x77, 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD,
+			     0xEE, 0xFF, 0x17, 0x18, 0x19, 0x20, 0x21),
+		/* too short SHA 256 digests */
+		WIRE_INVALID(0x00, 0x02), WIRE_INVALID(0x00, 0x02, 0x00),
+		WIRE_INVALID(0x00, 0x02, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
+			     0x66, 0x77, 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD,
+			     0xEE, 0xFF, 0x17, 0x18, 0x19, 0x20, 0x21, 0x22,
+			     0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x30,
+			     0x31),
+		/* good length SHA 256 digest */
+		WIRE_VALID(0x00, 0x02, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66,
+			   0x77, 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF,
+			   0x17, 0x18, 0x19, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25,
+			   0x26, 0x27, 0x28, 0x29, 0x30, 0x31, 0x32),
+		/* too long SHA 256 digest */
+		WIRE_INVALID(0x00, 0x02, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
+			     0x66, 0x77, 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD,
+			     0xEE, 0xFF, 0x17, 0x18, 0x19, 0x20, 0x21, 0x22,
+			     0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x30,
+			     0x31, 0x32, 0x33),
+		/* unknown digest, * no fingerprint */
+		WIRE_VALID(0x00, 0x03), WIRE_VALID(0x00, 0x03, 0x00), /* unknown
+								       * digest
+								       */
+		WIRE_SENTINEL()
+	};
+
+	UNUSED(state);
+
+	check_rdata(text_ok, wire_ok, NULL, false, dns_rdataclass_in,
+		    dns_rdatatype_sshfp, sizeof(dns_rdata_sshfp_t));
+}
+
+/*
+ * WKS tests.
+ *
+ * RFC 1035:
+ *
+ * 3.4.2. WKS RDATA format
+ *
+ *     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ *     |                    ADDRESS                    |
+ *     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ *     |       PROTOCOL        |                       |
+ *     +--+--+--+--+--+--+--+--+                       |
+ *     |                                               |
+ *     /                   <BIT MAP>                   /
+ *     /                                               /
+ *     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ *
+ * where:
+ *
+ * ADDRESS         An 32 bit Internet address
+ *
+ * PROTOCOL        An 8 bit IP protocol number
+ *
+ * <BIT MAP>       A variable length bit map.  The bit map must be a
+ *                 multiple of 8 bits long.
+ *
+ * The WKS record is used to describe the well known services supported by
+ * a particular protocol on a particular internet address.  The PROTOCOL
+ * field specifies an IP protocol number, and the bit map has one bit per
+ * port of the specified protocol.  The first bit corresponds to port 0,
+ * the second to port 1, etc.  If the bit map does not include a bit for a
+ * protocol of interest, that bit is assumed zero.  The appropriate values
+ * and mnemonics for ports and protocols are specified in [RFC-1010].
+ *
+ * For example, if PROTOCOL=TCP (6), the 26th bit corresponds to TCP port
+ * 25 (SMTP).  If this bit is set, a SMTP server should be listening on TCP
+ * port 25; if zero, SMTP service is not supported on the specified
+ * address.
+ */
+static void
+wks(void **state) {
+	text_ok_t text_ok[] = { /*
+				 * Valid, IPv4 address in dotted-quad form.
+				 */
+				TEXT_VALID("127.0.0.1 6"),
+				/*
+				 * Invalid, IPv4 address not in dotted-quad
+				 * form.
+				 */
+				TEXT_INVALID("127.1 6"),
+				/*
+				 * Sentinel.
+				 */
+				TEXT_SENTINEL()
+	};
+	wire_ok_t wire_ok[] = { /*
+				 * Too short.
+				 */
+				WIRE_INVALID(0x00, 0x08, 0x00, 0x00),
+				/*
+				 * Minimal TCP.
+				 */
+				WIRE_VALID(0x00, 0x08, 0x00, 0x00, 6),
+				/*
+				 * Minimal UDP.
+				 */
+				WIRE_VALID(0x00, 0x08, 0x00, 0x00, 17),
+				/*
+				 * Minimal other.
+				 */
+				WIRE_VALID(0x00, 0x08, 0x00, 0x00, 1),
+				/*
+				 * Sentinel.
+				 */
+				WIRE_SENTINEL()
+	};
+
+	UNUSED(state);
+
+	check_rdata(text_ok, wire_ok, NULL, false, dns_rdataclass_in,
+		    dns_rdatatype_wks, sizeof(dns_rdata_in_wks_t));
+}
+
+static void
+https_svcb(void **state) {
+	/*
+	 * Known keys: mandatory, apln, no-default-alpn, port,
+	 *             ipv4hint, port, ipv6hint, dohpath.
+	 */
+	text_ok_t text_ok[] = {
+		/* unknown key invalid */
+		TEXT_INVALID("1 . unknown="),
+		/* no domain */
+		TEXT_INVALID("0"),
+		/* minimal record */
+		TEXT_VALID_LOOP(0, "0 ."),
+		/* Alias form requires SvcFieldValue to be empty */
+		TEXT_INVALID("0 . alpn=\"h2\""),
+		/* no "key" prefix */
+		TEXT_INVALID("2 svc.example.net. 0=\"2222\""),
+		/* no key value */
+		TEXT_INVALID("2 svc.example.net. key"),
+		/* no key value */
+		TEXT_INVALID("2 svc.example.net. key=\"2222\""),
+		/* zero pad invalid */
+		TEXT_INVALID("2 svc.example.net. key07=\"2222\""),
+		TEXT_VALID_LOOP(1, "2 svc.example.net. key8=\"2222\""),
+		TEXT_VALID_LOOPCHG(1, "2 svc.example.net. key8=2222",
+				   "2 svc.example.net. key8=\"2222\""),
+		TEXT_VALID_LOOPCHG(1, "2 svc.example.net. alpn=h2",
+				   "2 svc.example.net. alpn=\"h2\""),
+		TEXT_VALID_LOOPCHG(1, "2 svc.example.net. alpn=h3",
+				   "2 svc.example.net. alpn=\"h3\""),
+		/* alpn has 2 sub field "h2" and "h3" */
+		TEXT_VALID_LOOPCHG(1, "2 svc.example.net. alpn=h2,h3",
+				   "2 svc.example.net. alpn=\"h2,h3\""),
+		/* apln has 2 sub fields "h1,h2" and "h3" (comma escaped) */
+		TEXT_VALID_LOOPCHG(1, "2 svc.example.net. alpn=h1\\\\,h2,h3",
+				   "2 svc.example.net. alpn=\"h1\\\\,h2,h3\""),
+		TEXT_VALID_LOOP(1, "2 svc.example.net. port=50"),
+		/* no-default-alpn, alpn is required */
+		TEXT_INVALID("2 svc.example.net. no-default-alpn"),
+		/* no-default-alpn with alpn present */
+		TEXT_VALID_LOOPCHG(
+			2, "2 svc.example.net. no-default-alpn alpn=h2",
+			"2 svc.example.net. alpn=\"h2\" no-default-alpn"),
+		/* empty hint */
+		TEXT_INVALID("2 svc.example.net. ipv4hint="),
+		TEXT_VALID_LOOP(1, "2 svc.example.net. "
+				   "ipv4hint=10.50.0.1,10.50.0.2"),
+		/* empty hint */
+		TEXT_INVALID("2 svc.example.net. ipv6hint="),
+		TEXT_VALID_LOOP(1, "2 svc.example.net. ipv6hint=::1,2002::1"),
+		TEXT_VALID_LOOP(1, "2 svc.example.net. ech=abcdefghijkl"),
+		/* bad base64 */
+		TEXT_INVALID("2 svc.example.net. ech=abcdefghijklm"),
+		TEXT_VALID_LOOP(1, "2 svc.example.net. key8=\"2222\""),
+		/* Out of key order on input (alpn == key1). */
+		TEXT_VALID_LOOPCHG(2,
+				   "2 svc.example.net. key8=\"2222\" alpn=h2",
+				   "2 svc.example.net. alpn=\"h2\" "
+				   "key8=\"2222\""),
+		TEXT_VALID_LOOP(1, "2 svc.example.net. key65535=\"2222\""),
+		TEXT_INVALID("2 svc.example.net. key65536=\"2222\""),
+		TEXT_VALID_LOOP(1, "2 svc.example.net. key10"),
+		TEXT_VALID_LOOPCHG(1, "2 svc.example.net. key11=",
+				   "2 svc.example.net. key11"),
+		TEXT_VALID_LOOPCHG(1, "2 svc.example.net. key12=\"\"",
+				   "2 svc.example.net. key12"),
+		/* empty alpn-id sub fields */
+		TEXT_INVALID("2 svc.example.net. alpn"),
+		TEXT_INVALID("2 svc.example.net. alpn="),
+		TEXT_INVALID("2 svc.example.net. alpn=,h1"),
+		TEXT_INVALID("2 svc.example.net. alpn=h1,"),
+		TEXT_INVALID("2 svc.example.net. alpn=h1,,h2"),
+		/* mandatory */
+		TEXT_VALID_LOOP(2, "2 svc.example.net. mandatory=alpn "
+				   "alpn=\"h2\""),
+		TEXT_VALID_LOOP(3, "2 svc.example.net. mandatory=alpn,port "
+				   "alpn=\"h2\" port=443"),
+		TEXT_VALID_LOOPCHG(3,
+				   "2 svc.example.net. mandatory=port,alpn "
+				   "alpn=\"h2\" port=443",
+				   "2 svc.example.net. mandatory=alpn,port "
+				   "alpn=\"h2\" port=443"),
+		TEXT_INVALID("2 svc.example.net. mandatory=mandatory"),
+		TEXT_INVALID("2 svc.example.net. mandatory=port"),
+		TEXT_INVALID("2 svc.example.net. mandatory=,port port=433"),
+		TEXT_INVALID("2 svc.example.net. mandatory=port, port=433"),
+		TEXT_INVALID("2 svc.example.net. "
+			     "mandatory=alpn,,port alpn=h2 port=433"),
+		/* mandatory w/ unknown key values */
+		TEXT_VALID_LOOP(2, "2 svc.example.net. mandatory=key8 key8"),
+		TEXT_VALID_LOOP(3, "2 svc.example.net. mandatory=key8,key9 "
+				   "key8 key9"),
+		TEXT_VALID_LOOPCHG(
+			3, "2 svc.example.net. mandatory=key9,key8 key8 key9",
+			"2 svc.example.net. mandatory=key8,key9 key8 key9"),
+		TEXT_INVALID("2 svc.example.net. "
+			     "mandatory=key8,key8"),
+		TEXT_INVALID("2 svc.example.net. mandatory=,key8"),
+		TEXT_INVALID("2 svc.example.net. mandatory=key8,"),
+		TEXT_INVALID("2 svc.example.net. "
+			     "mandatory=key8,,key8"),
+		/* Invalid test vectors */
+		TEXT_INVALID("1 foo.example.com. ( key123=abc key123=def )"),
+		TEXT_INVALID("1 foo.example.com. mandatory"),
+		TEXT_INVALID("1 foo.example.com. alpn"),
+		TEXT_INVALID("1 foo.example.com. port"),
+		TEXT_INVALID("1 foo.example.com. ipv4hint"),
+		TEXT_INVALID("1 foo.example.com. ipv6hint"),
+		TEXT_INVALID("1 foo.example.com. no-default-alpn=abc"),
+		TEXT_INVALID("1 foo.example.com. mandatory=key123"),
+		TEXT_INVALID("1 foo.example.com. mandatory=mandatory"),
+		TEXT_INVALID("1 foo.example.com. ( mandatory=key123,key123 "
+			     "key123=abc)"),
+		/* dohpath tests */
+		TEXT_VALID_LOOPCHG(1, "1 example.net. dohpath=/{?dns}",
+				   "1 example.net. key7=\"/{?dns}\""),
+		TEXT_VALID_LOOPCHG(1, "1 example.net. dohpath=/some/path{?dns}",
+				   "1 example.net. key7=\"/some/path{?dns}\""),
+		TEXT_INVALID("1 example.com. dohpath=no-slash"),
+		TEXT_INVALID("1 example.com. dohpath=/{?notdns}"),
+		TEXT_INVALID("1 example.com. dohpath=/notvariable"),
+		TEXT_SENTINEL()
+
+	};
+	wire_ok_t wire_ok[] = {
+		/*
+		 * Too short
+		 */
+		WIRE_INVALID(0x00, 0x00),
+		/*
+		 * Minimal length record.
+		 */
+		WIRE_VALID(0x00, 0x00, 0x00),
+		/*
+		 * Alias with non-empty SvcFieldValue (key7="").
+		 */
+		WIRE_INVALID(0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00),
+		/*
+		 * Bad key7= length (longer than rdata).
+		 */
+		WIRE_INVALID(0x00, 0x01, 0x00, 0x00, 0x07, 0x00, 0x01),
+		/*
+		 * Port (0x03) too small (zero and one octets).
+		 */
+		WIRE_INVALID(0x00, 0x01, 0x00, 0x00, 0x03, 0x00, 0x00),
+		WIRE_INVALID(0x00, 0x01, 0x00, 0x00, 0x03, 0x00, 0x01, 0x00),
+		/* Valid port */
+		WIRE_VALID_LOOP(1, 0x00, 0x01, 0x00, 0x00, 0x03, 0x00, 0x02,
+				0x00, 0x00),
+		/*
+		 * Port (0x03) too big (three octets).
+		 */
+		WIRE_INVALID(0x00, 0x01, 0x00, 0x00, 0x03, 0x00, 0x03, 0x00,
+			     0x00, 0x00),
+		/*
+		 * Duplicate keys.
+		 */
+		WIRE_INVALID(0x01, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
+			     0x80, 0x00, 0x00),
+		/*
+		 * Out of order keys.
+		 */
+		WIRE_INVALID(0x01, 0x01, 0x00, 0x00, 0x81, 0x00, 0x00, 0x00,
+			     0x80, 0x00, 0x00),
+		/*
+		 * Empty of mandatory key list.
+		 */
+		WIRE_INVALID(0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00),
+		/*
+		 * "mandatory=mandatory" is invalid
+		 */
+		WIRE_INVALID(0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
+			     0x00),
+		/*
+		 * Out of order mandatory key list.
+		 */
+		WIRE_INVALID(0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00,
+			     0x80, 0x00, 0x71, 0x00, 0x71, 0x00, 0x00, 0x00,
+			     0x80, 0x00, 0x00),
+		/*
+		 * Alpn(0x00 0x01) (length 0x00 0x09) "h1,h2" + "h3"
+		 */
+		WIRE_VALID_LOOP(0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x09,
+				5, 'h', '1', ',', 'h', '2', 2, 'h', '3'),
+		/*
+		 * Alpn(0x00 0x01) (length 0x00 0x09) "h1\h2" + "h3"
+		 */
+		WIRE_VALID_LOOP(0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x09,
+				5, 'h', '1', '\\', 'h', '2', 2, 'h', '3'),
+		/*
+		 * no-default-alpn (0x00 0x02) without alpn, alpn is required.
+		 */
+		WIRE_INVALID(0x00, 0x00, 0x01, 0x00, 0x00, 0x02, 0x00, 0x00),
+		/*
+		 * Alpn(0x00 0x01) with zero length elements is invalid
+		 */
+		WIRE_INVALID(0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x05,
+			     0x00, 0x00, 0x00, 0x00, 0x00),
+		WIRE_SENTINEL()
+	};
+	/* Test vectors from RFCXXXX */
+	textvsunknown_t textvsunknown[] = {
+		/* AliasForm */
+		{ "0 foo.example.com", "\\# 19 ( 00 00 03 66 6f 6f 07 65 78 61 "
+				       "6d 70 6c 65 03 63 6f 6d 00)" },
+		/* ServiceForm */
+		{ "1 .", "\\# 3 ( 00 01 00)" },
+		/* Port example */
+		{ "16 foo.example.com port=53",
+		  "\\# 25 ( 00 10 03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 63 6f "
+		  "6d 00 00 03 00 02 00 35 )" },
+		/* Unregistered keys with unquoted value. */
+		{ "1 foo.example.com key667=hello",
+		  "\\# 28 ( 00 01 03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 63 6f "
+		  "6d 00 02 9b 00 05 68 65 6c 6c 6f )" },
+		/*
+		 * Quoted decimal-escaped character.
+		 * 1 foo.example.com key667="hello\210qoo"
+		 */
+		{ "1 foo.example.com key667=\"hello\\210qoo\"",
+		  "\\# 32 ( 00 01 03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 63 6f "
+		  "6d 00 02 9b 00 09 68 65 6c 6c 6f d2 71 6f 6f )" },
+		/*
+		 * IPv6 hints example, quoted.
+		 * 1 foo.example.com ipv6hint="2001:db8::1,2001:db8::53:1"
+		 */
+		{ "1 foo.example.com ipv6hint=\"2001:db8::1,2001:db8::53:1\"",
+		  "\\# 55 ( 00 01 03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 63 6f "
+		  "6d 00 00 06 00 20 20 01 0d b8 00 00 00 00 00 00 00 00 00 00 "
+		  "00 01 20 01 0d b8 00 00 00 00 00 00 00 00 00 53 00 01 )" },
+		/* SvcParamValues and mandatory out of order. */
+		{ "16 foo.example.org alpn=h2,h3-19 mandatory=ipv4hint,alpn "
+		  "ipv4hint=192.0.2.1",
+		  "\\# 48 ( 00 10 03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 6f 72 "
+		  "67 00 00 00 00 04 00 01 00 04 00 01 00 09 02 68 32 05 68 33 "
+		  "2d 31 39 00 04 00 04 c0 00 02 01 )" },
+		/*
+		 * Quoted ALPN with escaped comma and backslash.
+		 * 16 foo.example.org alpn="f\\\\oo\\,bar,h2"
+		 */
+		{ "16 foo.example.org alpn=\"f\\\\\\\\oo\\\\,bar,h2\"",
+		  "\\# 35 ( 00 10 03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 6f 72 "
+		  "67 00 00 01 00 0c 08 66 5c 6f 6f 2c 62 61 72 02 68 32 )" },
+		/*
+		 * Unquoted ALPN with escaped comma and backslash.
+		 * 16 foo.example.org alpn=f\\\092oo\092,bar,h2
+		 */
+		{ "16 foo.example.org alpn=f\\\\\\092oo\\092,bar,h2",
+		  "\\# 35 ( 00 10 03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 6f 72 "
+		  "67 00 00 01 00 0c 08 66 5c 6f 6f 2c 62 61 72 02 68 32 )" },
+		{ NULL, NULL }
+	};
+
+	UNUSED(state);
+
+	check_rdata(text_ok, wire_ok, NULL, false, dns_rdataclass_in,
+		    dns_rdatatype_svcb, sizeof(dns_rdata_in_svcb_t));
+	check_rdata(text_ok, wire_ok, NULL, false, dns_rdataclass_in,
+		    dns_rdatatype_https, sizeof(dns_rdata_in_https_t));
+
+	check_textvsunknown(textvsunknown, dns_rdataclass_in,
+			    dns_rdatatype_svcb);
+	check_textvsunknown(textvsunknown, dns_rdataclass_in,
+			    dns_rdatatype_https);
+}
+
+/*
+ * ZONEMD tests.
+ *
+ * Excerpted from RFC 8976:
+ *
+ * The ZONEMD RDATA wire format is encoded as follows:
+ *
+ *                         1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
+ *     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *    |                             Serial                            |
+ *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *    |    Scheme     |Hash Algorithm |                               |
+ *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               |
+ *    |                             Digest                            |
+ *    /                                                               /
+ *    /                                                               /
+ *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *
+ * 2.2.1.  The Serial Field
+ *
+ *    The Serial field is a 32-bit unsigned integer in network byte order.
+ *    It is the serial number from the zone's SOA record ([RFC1035],
+ *    Section 3.3.13) for which the zone digest was generated.
+ *
+ *    It is included here to clearly bind the ZONEMD RR to a particular
+ *    version of the zone's content.  Without the serial number, a stand-
+ *    alone ZONEMD digest has no obvious association to any particular
+ *    instance of a zone.
+ *
+ * 2.2.2.  The Scheme Field
+ *
+ *    The Scheme field is an 8-bit unsigned integer that identifies the
+ *    methods by which data is collated and presented as input to the
+ *    hashing function.
+ *
+ *    Herein, SIMPLE, with Scheme value 1, is the only standardized Scheme
+ *    defined for ZONEMD records and it MUST be supported by
+ *    implementations.  The "ZONEMD Schemes" registry is further described
+ *    in Section 5.
+ *
+ *    Scheme values 240-254 are allocated for Private Use.
+ *
+ * 2.2.3.  The Hash Algorithm Field
+ *
+ *    The Hash Algorithm field is an 8-bit unsigned integer that identifies
+ *    the cryptographic hash algorithm used to construct the digest.
+ *
+ *    Herein, SHA384 ([RFC6234]), with Hash Algorithm value 1, is the only
+ *    standardized Hash Algorithm defined for ZONEMD records that MUST be
+ *    supported by implementations.  When SHA384 is used, the size of the
+ *    Digest field is 48 octets.  The result of the SHA384 digest algorithm
+ *    MUST NOT be truncated, and the entire 48-octet digest is published in
+ *    the ZONEMD record.
+ *
+ *    SHA512 ([RFC6234]), with Hash Algorithm value 2, is also defined for
+ *    ZONEMD records and SHOULD be supported by implementations.  When
+ *    SHA512 is used, the size of the Digest field is 64 octets.  The
+ *    result of the SHA512 digest algorithm MUST NOT be truncated, and the
+ *    entire 64-octet digest is published in the ZONEMD record.
+ *
+ *    Hash Algorithm values 240-254 are allocated for Private Use.
+ *
+ *    The "ZONEMD Hash Algorithms" registry is further described in
+ *    Section 5.
+ *
+ * 2.2.4.  The Digest Field
+ *
+ *    The Digest field is a variable-length sequence of octets containing
+ *    the output of the hash algorithm.  The length of the Digest field is
+ *    determined by deducting the fixed size of the Serial, Scheme, and
+ *    Hash Algorithm fields from the RDATA size in the ZONEMD RR header.
+ *
+ *    The Digest field MUST NOT be shorter than 12 octets.  Digests for the
+ *    SHA384 and SHA512 hash algorithms specified herein are never
+ *    truncated.  Digests for future hash algorithms MAY be truncated but
+ *    MUST NOT be truncated to a length that results in less than 96 bits
+ *    (12 octets) of equivalent strength.
+ *
+ *    Section 3 describes how to calculate the digest for a zone.
+ *    Section 4 describes how to use the digest to verify the contents of a
+ *    zone.
+ *
+ */
+
+static void
+zonemd(void **state) {
+	text_ok_t text_ok[] = {
+		TEXT_INVALID(""),
+		/* No digest scheme or digest type*/
+		TEXT_INVALID("0"),
+		/* No digest type */
+		TEXT_INVALID("0 0"),
+		/* No digest */
+		TEXT_INVALID("0 0 0"),
+		/* No digest */
+		TEXT_INVALID("99999999 0 0"),
+		/* No digest */
+		TEXT_INVALID("2019020700 0 0"),
+		/* Digest too short */
+		TEXT_INVALID("2019020700 1 1 DEADBEEF"),
+		/* Digest too short */
+		TEXT_INVALID("2019020700 1 2 DEADBEEF"),
+		/* Digest too short */
+		TEXT_INVALID("2019020700 1 3 DEADBEEFDEADBEEFDEADBE"),
+		/* Digest type unknown */
+		TEXT_VALID("2019020700 1 3 DEADBEEFDEADBEEFDEADBEEF"),
+		/* Digest type max */
+		TEXT_VALID("2019020700 1 255 DEADBEEFDEADBEEFDEADBEEF"),
+		/* Digest type too big */
+		TEXT_INVALID("2019020700 0 256 DEADBEEFDEADBEEFDEADBEEF"),
+		/* Scheme max */
+		TEXT_VALID("2019020700 255 3 DEADBEEFDEADBEEFDEADBEEF"),
+		/* Scheme too big */
+		TEXT_INVALID("2019020700 256 3 DEADBEEFDEADBEEFDEADBEEF"),
+		/* SHA384 */
+		TEXT_VALID("2019020700 1 1 "
+			   "7162D2BB75C047A53DE98767C9192BEB"
+			   "14DB01E7E2267135DAF0230A 19BA4A31"
+			   "6AF6BF64AA5C7BAE24B2992850300509"),
+		/* SHA512 */
+		TEXT_VALID("2019020700 1 2 "
+			   "08CFA1115C7B948C4163A901270395EA"
+			   "226A930CD2CBCF2FA9A5E6EB 85F37C8A"
+			   "4E114D884E66F176EAB121CB02DB7D65"
+			   "2E0CC4827E7A3204 F166B47E5613FD27"),
+		/* SHA384 too short and with private scheme */
+		TEXT_INVALID("2021042801 0 1 "
+			     "7162D2BB75C047A53DE98767C9192BEB"
+			     "6AF6BF64AA5C7BAE24B2992850300509"),
+		/* SHA512 too short and with private scheme */
+		TEXT_INVALID("2021042802 5 2 "
+			     "A897B40072ECAE9E4CA3F1F227DE8F5E"
+			     "480CDEBB16DFC64C1C349A7B5F6C71AB"
+			     "E8A88B76EF0BA1604EC25752E946BF98"),
+		TEXT_SENTINEL()
+	};
+	wire_ok_t wire_ok[] = {
+		/*
+		 * Short.
+		 */
+		WIRE_INVALID(0x00),
+		/*
+		 * Short.
+		 */
+		WIRE_INVALID(0x00, 0x00),
+		/*
+		 * Short.
+		 */
+		WIRE_INVALID(0x00, 0x00, 0x00),
+		/*
+		 * Short.
+		 */
+		WIRE_INVALID(0x00, 0x00, 0x00, 0x00),
+		/*
+		 * Short.
+		 */
+		WIRE_INVALID(0x00, 0x00, 0x00, 0x00, 0x00),
+		/*
+		 * Short.
+		 */
+		WIRE_INVALID(0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+		/*
+		 * Short 11-octet digest.
+		 */
+		WIRE_INVALID(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+			     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+			     0x00),
+		/*
+		 * Minimal, 12-octet hash for an undefined digest type.
+		 */
+		WIRE_VALID(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+			   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+			   0x00),
+		/*
+		 * SHA-384 is defined, so we insist there be a digest of
+		 * the expected length.
+		 */
+		WIRE_INVALID(0x00, 0x00, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00,
+			     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+			     0x00, 0x00),
+		/*
+		 * 48-octet digest, valid for SHA-384.
+		 */
+		WIRE_VALID(0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xde, 0xad, 0xbe,
+			   0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
+			   0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe,
+			   0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
+			   0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe,
+			   0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 0xfa,
+			   0xce),
+		/*
+		 * 56-octet digest, too long for SHA-384.
+		 */
+		WIRE_INVALID(0x00, 0x00, 0x00, 0x00, 0x01, 0x01, 0xde, 0xad,
+			     0xbe, 0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
+			     0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
+			     0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce, 0xde, 0xad,
+			     0xbe, 0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
+			     0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
+			     0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce, 0xde, 0xad,
+			     0xbe, 0xef, 0xfa, 0xce),
+		/*
+		 * 56-octet digest, too short for SHA-512
+		 */
+		WIRE_INVALID(0x00, 0x00, 0x00, 0x00, 0x01, 0x02, 0xde, 0xad,
+			     0xbe, 0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
+			     0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
+			     0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce, 0xde, 0xad,
+			     0xbe, 0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
+			     0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
+			     0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce, 0xde, 0xad,
+			     0xbe, 0xef, 0xfa, 0xce, 0xde, 0xad),
+		/*
+		 * 64-octet digest, just right for SHA-512
+		 */
+		WIRE_VALID(0x00, 0x00, 0x00, 0x00, 0x01, 0x02, 0xde, 0xad, 0xbe,
+			   0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
+			   0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe,
+			   0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
+			   0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe,
+			   0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
+			   0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe,
+			   0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef),
+		/*
+		 * 72-octet digest, too long for SHA-512
+		 */
+		WIRE_INVALID(0x00, 0x00, 0x00, 0x00, 0x01, 0x02, 0xde, 0xad,
+			     0xbe, 0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
+			     0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
+			     0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce, 0xde, 0xad,
+			     0xbe, 0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
+			     0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
+			     0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce, 0xde, 0xad,
+			     0xbe, 0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
+			     0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
+			     0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce),
+		/*
+		 * 56-octet digest, valid for an undefined digest type.
+		 */
+		WIRE_VALID(0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0xde, 0xad, 0xbe,
+			   0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
+			   0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe,
+			   0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
+			   0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe,
+			   0xef, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce,
+			   0xde, 0xad, 0xbe, 0xef, 0xfa, 0xce),
+		/*
+		 * Sentinel.
+		 */
+		WIRE_SENTINEL()
+	};
+
+	UNUSED(state);
+
+	check_rdata(text_ok, wire_ok, NULL, false, dns_rdataclass_in,
+		    dns_rdatatype_zonemd, sizeof(dns_rdata_zonemd_t));
+}
+
+static void
+atcname(void **state) {
+	unsigned int i;
+	UNUSED(state);
+#define UNR "# Unexpected result from dns_rdatatype_atcname for type %u\n"
+	for (i = 0; i < 0xffffU; i++) {
+		bool tf = dns_rdatatype_atcname((dns_rdatatype_t)i);
+		switch (i) {
+		case dns_rdatatype_nsec:
+		case dns_rdatatype_key:
+		case dns_rdatatype_rrsig:
+			if (!tf) {
+				print_message(UNR, i);
+			}
+			assert_true(tf);
+			break;
+		default:
+			if (tf) {
+				print_message(UNR, i);
+			}
+			assert_false(tf);
+			break;
+		}
+	}
+#undef UNR
+}
+
+static void
+atparent(void **state) {
+	unsigned int i;
+	UNUSED(state);
+#define UNR "# Unexpected result from dns_rdatatype_atparent for type %u\n"
+	for (i = 0; i < 0xffffU; i++) {
+		bool tf = dns_rdatatype_atparent((dns_rdatatype_t)i);
+		switch (i) {
+		case dns_rdatatype_ds:
+			if (!tf) {
+				print_message(UNR, i);
+			}
+			assert_true(tf);
+			break;
+		default:
+			if (tf) {
+				print_message(UNR, i);
+			}
+			assert_false(tf);
+			break;
+		}
+	}
+#undef UNR
+}
+
+static void
+iszonecutauth(void **state) {
+	unsigned int i;
+	UNUSED(state);
+#define UNR "# Unexpected result from dns_rdatatype_iszonecutauth for type %u\n"
+	for (i = 0; i < 0xffffU; i++) {
+		bool tf = dns_rdatatype_iszonecutauth((dns_rdatatype_t)i);
+		switch (i) {
+		case dns_rdatatype_ns:
+		case dns_rdatatype_ds:
+		case dns_rdatatype_nsec:
+		case dns_rdatatype_key:
+		case dns_rdatatype_rrsig:
+			if (!tf) {
+				print_message(UNR, i);
+			}
+			assert_true(tf);
+			break;
+		default:
+			if (tf) {
+				print_message(UNR, i);
+			}
+			assert_false(tf);
+			break;
+		}
+	}
+#undef UNR
+}
+
+int
+main(int argc, char **argv) {
+	const struct CMUnitTest tests[] = {
+		/* types */
+		cmocka_unit_test_setup_teardown(amtrelay, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(apl, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(atma, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(cdnskey, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(csync, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(dnskey, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(doa, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(ds, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(eid, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(hip, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(https_svcb, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(isdn, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(key, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(loc, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(nimloc, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(nsec, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(nsec3, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(nxt, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(rkey, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(sshfp, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(wks, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(zonemd, _setup, _teardown),
+		/* other tests */
+		cmocka_unit_test_setup_teardown(edns_client_subnet, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(atcname, NULL, NULL),
+		cmocka_unit_test_setup_teardown(atparent, NULL, NULL),
+		cmocka_unit_test_setup_teardown(iszonecutauth, NULL, NULL),
+	};
+	struct CMUnitTest selected[sizeof(tests) / sizeof(tests[0])];
+	size_t i;
+	int c;
+
+	memset(selected, 0, sizeof(selected));
+
+	while ((c = isc_commandline_parse(argc, argv, "dlt:")) != -1) {
+		switch (c) {
+		case 'd':
+			debug = true;
+			break;
+		case 'l':
+			for (i = 0; i < (sizeof(tests) / sizeof(tests[0])); i++)
+			{
+				if (tests[i].name != NULL) {
+					fprintf(stdout, "%s\n", tests[i].name);
+				}
+			}
+			return (0);
+		case 't':
+			if (!cmocka_add_test_byname(
+				    tests, isc_commandline_argument, selected))
+			{
+				fprintf(stderr, "unknown test '%s'\n",
+					isc_commandline_argument);
+				exit(1);
+			}
+			break;
+		default:
+			break;
+		}
+	}
+
+	if (selected[0].name != NULL) {
+		return (cmocka_run_group_tests(selected, NULL, NULL));
+	} else {
+		return (cmocka_run_group_tests(tests, NULL, NULL));
+	}
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/dns/tests/rdataset_test.c b/lib/dns/tests/rdataset_test.c
new file mode 100644
index 0000000..ebdd128
--- /dev/null
+++ b/lib/dns/tests/rdataset_test.c
@@ -0,0 +1,146 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/util.h>
+
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+
+#include "dnstest.h"
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = dns_test_begin(NULL, false);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	dns_test_end();
+
+	return (0);
+}
+
+/* test trimming of rdataset TTLs */
+static void
+trimttl(void **state) {
+	dns_rdataset_t rdataset, sigrdataset;
+	dns_rdata_rrsig_t rrsig;
+	isc_stdtime_t ttltimenow, ttltimeexpire;
+
+	ttltimenow = 10000000;
+	ttltimeexpire = ttltimenow + 800;
+
+	UNUSED(state);
+
+	dns_rdataset_init(&rdataset);
+	dns_rdataset_init(&sigrdataset);
+
+	rdataset.ttl = 900;
+	sigrdataset.ttl = 1000;
+	rrsig.timeexpire = ttltimeexpire;
+	rrsig.originalttl = 1000;
+
+	dns_rdataset_trimttl(&rdataset, &sigrdataset, &rrsig, ttltimenow, true);
+	assert_int_equal(rdataset.ttl, 800);
+	assert_int_equal(sigrdataset.ttl, 800);
+
+	rdataset.ttl = 900;
+	sigrdataset.ttl = 1000;
+	rrsig.timeexpire = ttltimenow - 200;
+	rrsig.originalttl = 1000;
+
+	dns_rdataset_trimttl(&rdataset, &sigrdataset, &rrsig, ttltimenow, true);
+	assert_int_equal(rdataset.ttl, 120);
+	assert_int_equal(sigrdataset.ttl, 120);
+
+	rdataset.ttl = 900;
+	sigrdataset.ttl = 1000;
+	rrsig.timeexpire = ttltimenow - 200;
+	rrsig.originalttl = 1000;
+
+	dns_rdataset_trimttl(&rdataset, &sigrdataset, &rrsig, ttltimenow,
+			     false);
+	assert_int_equal(rdataset.ttl, 0);
+	assert_int_equal(sigrdataset.ttl, 0);
+
+	sigrdataset.ttl = 900;
+	rdataset.ttl = 1000;
+	rrsig.timeexpire = ttltimeexpire;
+	rrsig.originalttl = 1000;
+
+	dns_rdataset_trimttl(&rdataset, &sigrdataset, &rrsig, ttltimenow, true);
+	assert_int_equal(rdataset.ttl, 800);
+	assert_int_equal(sigrdataset.ttl, 800);
+
+	sigrdataset.ttl = 900;
+	rdataset.ttl = 1000;
+	rrsig.timeexpire = ttltimenow - 200;
+	rrsig.originalttl = 1000;
+
+	dns_rdataset_trimttl(&rdataset, &sigrdataset, &rrsig, ttltimenow, true);
+	assert_int_equal(rdataset.ttl, 120);
+	assert_int_equal(sigrdataset.ttl, 120);
+
+	sigrdataset.ttl = 900;
+	rdataset.ttl = 1000;
+	rrsig.timeexpire = ttltimenow - 200;
+	rrsig.originalttl = 1000;
+
+	dns_rdataset_trimttl(&rdataset, &sigrdataset, &rrsig, ttltimenow,
+			     false);
+	assert_int_equal(rdataset.ttl, 0);
+	assert_int_equal(sigrdataset.ttl, 0);
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test_setup_teardown(trimttl, _setup, _teardown),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/dns/tests/rdatasetstats_test.c b/lib/dns/tests/rdatasetstats_test.c
new file mode 100644
index 0000000..20b333d
--- /dev/null
+++ b/lib/dns/tests/rdatasetstats_test.c
@@ -0,0 +1,312 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <inttypes.h>
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/print.h>
+#include <isc/util.h>
+
+#include <dns/stats.h>
+
+#include "dnstest.h"
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = dns_test_begin(NULL, false);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	dns_test_end();
+
+	return (0);
+}
+
+static void
+set_typestats(dns_stats_t *stats, dns_rdatatype_t type) {
+	dns_rdatastatstype_t which;
+	unsigned int attributes;
+
+	attributes = 0;
+	which = DNS_RDATASTATSTYPE_VALUE(type, attributes);
+	dns_rdatasetstats_increment(stats, which);
+
+	attributes = DNS_RDATASTATSTYPE_ATTR_NXRRSET;
+	which = DNS_RDATASTATSTYPE_VALUE(type, attributes);
+	dns_rdatasetstats_increment(stats, which);
+}
+
+static void
+set_nxdomainstats(dns_stats_t *stats) {
+	dns_rdatastatstype_t which;
+	unsigned int attributes;
+
+	attributes = DNS_RDATASTATSTYPE_ATTR_NXDOMAIN;
+	which = DNS_RDATASTATSTYPE_VALUE(0, attributes);
+	dns_rdatasetstats_increment(stats, which);
+}
+
+static void
+mark_stale(dns_stats_t *stats, dns_rdatatype_t type, int from, int to) {
+	dns_rdatastatstype_t which;
+	unsigned int attributes;
+
+	attributes = from;
+	which = DNS_RDATASTATSTYPE_VALUE(type, attributes);
+	dns_rdatasetstats_decrement(stats, which);
+
+	attributes |= to;
+	which = DNS_RDATASTATSTYPE_VALUE(type, attributes);
+	dns_rdatasetstats_increment(stats, which);
+
+	attributes = DNS_RDATASTATSTYPE_ATTR_NXRRSET | from;
+	which = DNS_RDATASTATSTYPE_VALUE(type, attributes);
+	dns_rdatasetstats_decrement(stats, which);
+
+	attributes |= to;
+	which = DNS_RDATASTATSTYPE_VALUE(type, attributes);
+	dns_rdatasetstats_increment(stats, which);
+}
+
+static void
+mark_nxdomain_stale(dns_stats_t *stats, int from, int to) {
+	dns_rdatastatstype_t which;
+	unsigned int attributes;
+
+	attributes = DNS_RDATASTATSTYPE_ATTR_NXDOMAIN | from;
+	which = DNS_RDATASTATSTYPE_VALUE(0, attributes);
+	dns_rdatasetstats_decrement(stats, which);
+
+	attributes |= to;
+	which = DNS_RDATASTATSTYPE_VALUE(0, attributes);
+	dns_rdatasetstats_increment(stats, which);
+}
+
+#define ATTRIBUTE_SET(y) ((attributes & (y)) != 0)
+static void
+verify_active_counters(dns_rdatastatstype_t which, uint64_t value, void *arg) {
+	unsigned int attributes;
+#if debug
+	unsigned int type;
+#endif /* if debug */
+
+	UNUSED(which);
+	UNUSED(arg);
+
+	attributes = DNS_RDATASTATSTYPE_ATTR(which);
+#if debug
+	type = DNS_RDATASTATSTYPE_BASE(which);
+
+	fprintf(stderr, "%s%s%s%s%s/%u, %u\n",
+		ATTRIBUTE_SET(DNS_RDATASTATSTYPE_ATTR_OTHERTYPE) ? "O" : " ",
+		ATTRIBUTE_SET(DNS_RDATASTATSTYPE_ATTR_NXRRSET) ? "!" : " ",
+		ATTRIBUTE_SET(DNS_RDATASTATSTYPE_ATTR_ANCIENT) ? "~" : " ",
+		ATTRIBUTE_SET(DNS_RDATASTATSTYPE_ATTR_STALE) ? "#" : " ",
+		ATTRIBUTE_SET(DNS_RDATASTATSTYPE_ATTR_NXDOMAIN) ? "X" : " ",
+		type, (unsigned)value);
+#endif /* if debug */
+	if ((attributes & DNS_RDATASTATSTYPE_ATTR_ANCIENT) == 0 &&
+	    (attributes & DNS_RDATASTATSTYPE_ATTR_STALE) == 0)
+	{
+		assert_int_equal(value, 1);
+	} else {
+		assert_int_equal(value, 0);
+	}
+}
+
+static void
+verify_stale_counters(dns_rdatastatstype_t which, uint64_t value, void *arg) {
+	unsigned int attributes;
+#if debug
+	unsigned int type;
+#endif /* if debug */
+
+	UNUSED(which);
+	UNUSED(arg);
+
+	attributes = DNS_RDATASTATSTYPE_ATTR(which);
+#if debug
+	type = DNS_RDATASTATSTYPE_BASE(which);
+
+	fprintf(stderr, "%s%s%s%s%s/%u, %u\n",
+		ATTRIBUTE_SET(DNS_RDATASTATSTYPE_ATTR_OTHERTYPE) ? "O" : " ",
+		ATTRIBUTE_SET(DNS_RDATASTATSTYPE_ATTR_NXRRSET) ? "!" : " ",
+		ATTRIBUTE_SET(DNS_RDATASTATSTYPE_ATTR_ANCIENT) ? "~" : " ",
+		ATTRIBUTE_SET(DNS_RDATASTATSTYPE_ATTR_STALE) ? "#" : " ",
+		ATTRIBUTE_SET(DNS_RDATASTATSTYPE_ATTR_NXDOMAIN) ? "X" : " ",
+		type, (unsigned)value);
+#endif /* if debug */
+	if ((attributes & DNS_RDATASTATSTYPE_ATTR_STALE) != 0) {
+		assert_int_equal(value, 1);
+	} else {
+		assert_int_equal(value, 0);
+	}
+}
+
+static void
+verify_ancient_counters(dns_rdatastatstype_t which, uint64_t value, void *arg) {
+	unsigned int attributes;
+#if debug
+	unsigned int type;
+#endif /* if debug */
+
+	UNUSED(which);
+	UNUSED(arg);
+
+	attributes = DNS_RDATASTATSTYPE_ATTR(which);
+#if debug
+	type = DNS_RDATASTATSTYPE_BASE(which);
+
+	fprintf(stderr, "%s%s%s%s%s/%u, %u\n",
+		ATTRIBUTE_SET(DNS_RDATASTATSTYPE_ATTR_OTHERTYPE) ? "O" : " ",
+		ATTRIBUTE_SET(DNS_RDATASTATSTYPE_ATTR_NXRRSET) ? "!" : " ",
+		ATTRIBUTE_SET(DNS_RDATASTATSTYPE_ATTR_ANCIENT) ? "~" : " ",
+		ATTRIBUTE_SET(DNS_RDATASTATSTYPE_ATTR_STALE) ? "#" : " ",
+		ATTRIBUTE_SET(DNS_RDATASTATSTYPE_ATTR_NXDOMAIN) ? "X" : " ",
+		type, (unsigned)value);
+#endif /* if debug */
+	if ((attributes & DNS_RDATASTATSTYPE_ATTR_ANCIENT) != 0) {
+		assert_int_equal(value, 1);
+	} else {
+		assert_int_equal(value, 0);
+	}
+}
+/*
+ * Individual unit tests
+ */
+
+/*
+ * Test that rdatasetstats counters are properly set when moving from
+ * active -> stale -> ancient.
+ */
+static void
+rdatasetstats(void **state, bool servestale) {
+	unsigned int i;
+	unsigned int from = 0;
+	dns_stats_t *stats = NULL;
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = dns_rdatasetstats_create(dt_mctx, &stats);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/* First 255 types. */
+	for (i = 1; i <= 255; i++) {
+		set_typestats(stats, (dns_rdatatype_t)i);
+	}
+	/* Specials */
+	set_typestats(stats, (dns_rdatatype_t)1000);
+	set_nxdomainstats(stats);
+
+	/* Check that all active counters are set to appropriately. */
+	dns_rdatasetstats_dump(stats, verify_active_counters, NULL, 1);
+
+	if (servestale) {
+		/* Mark stale */
+		for (i = 1; i <= 255; i++) {
+			mark_stale(stats, (dns_rdatatype_t)i, 0,
+				   DNS_RDATASTATSTYPE_ATTR_STALE);
+		}
+		mark_stale(stats, (dns_rdatatype_t)1000, 0,
+			   DNS_RDATASTATSTYPE_ATTR_STALE);
+		mark_nxdomain_stale(stats, 0, DNS_RDATASTATSTYPE_ATTR_STALE);
+
+		/* Check that all counters are set to appropriately. */
+		dns_rdatasetstats_dump(stats, verify_stale_counters, NULL, 1);
+
+		/* Set correct staleness state */
+		from = DNS_RDATASTATSTYPE_ATTR_STALE;
+	}
+
+	/* Mark ancient */
+	for (i = 1; i <= 255; i++) {
+		mark_stale(stats, (dns_rdatatype_t)i, from,
+			   DNS_RDATASTATSTYPE_ATTR_ANCIENT);
+	}
+	mark_stale(stats, (dns_rdatatype_t)1000, from,
+		   DNS_RDATASTATSTYPE_ATTR_ANCIENT);
+	mark_nxdomain_stale(stats, from, DNS_RDATASTATSTYPE_ATTR_ANCIENT);
+
+	/*
+	 * Check that all counters are set to appropriately.
+	 */
+	dns_rdatasetstats_dump(stats, verify_ancient_counters, NULL, 1);
+
+	dns_stats_detach(&stats);
+}
+
+/*
+ * Test that rdatasetstats counters are properly set when moving from
+ * active -> stale -> ancient.
+ */
+static void
+test_rdatasetstats_active_stale_ancient(void **state) {
+	rdatasetstats(state, true);
+}
+
+/*
+ * Test that rdatasetstats counters are properly set when moving from
+ * active -> ancient.
+ */
+static void
+test_rdatasetstats_active_ancient(void **state) {
+	rdatasetstats(state, false);
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test_setup_teardown(
+			test_rdatasetstats_active_stale_ancient, _setup,
+			_teardown),
+		cmocka_unit_test_setup_teardown(
+			test_rdatasetstats_active_ancient, _setup, _teardown),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/dns/tests/resolver_test.c b/lib/dns/tests/resolver_test.c
new file mode 100644
index 0000000..ed89d01
--- /dev/null
+++ b/lib/dns/tests/resolver_test.c
@@ -0,0 +1,228 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/app.h>
+#include <isc/buffer.h>
+#include <isc/print.h>
+#include <isc/socket.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/dispatch.h>
+#include <dns/name.h>
+#include <dns/resolver.h>
+#include <dns/view.h>
+
+#include "dnstest.h"
+
+static dns_dispatchmgr_t *dispatchmgr = NULL;
+static dns_dispatch_t *dispatch = NULL;
+static dns_view_t *view = NULL;
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+	isc_sockaddr_t local;
+
+	UNUSED(state);
+
+	result = dns_test_begin(NULL, true);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_dispatchmgr_create(dt_mctx, &dispatchmgr);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_test_makeview("view", &view);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	isc_sockaddr_any(&local);
+	result = dns_dispatch_getudp(dispatchmgr, socketmgr, taskmgr, &local,
+				     4096, 100, 100, 100, 500, 0, 0, &dispatch);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	dns_dispatch_detach(&dispatch);
+	dns_view_detach(&view);
+	dns_dispatchmgr_destroy(&dispatchmgr);
+	dns_test_end();
+
+	return (0);
+}
+
+static void
+mkres(dns_resolver_t **resolverp) {
+	isc_result_t result;
+
+	result = dns_resolver_create(view, taskmgr, 1, 1, socketmgr, timermgr,
+				     0, dispatchmgr, dispatch, NULL, resolverp);
+	assert_int_equal(result, ISC_R_SUCCESS);
+}
+
+static void
+destroy_resolver(dns_resolver_t **resolverp) {
+	dns_resolver_shutdown(*resolverp);
+	dns_resolver_detach(resolverp);
+}
+
+/* dns_resolver_create */
+static void
+create_test(void **state) {
+	dns_resolver_t *resolver = NULL;
+
+	UNUSED(state);
+
+	mkres(&resolver);
+	destroy_resolver(&resolver);
+}
+
+/* dns_resolver_gettimeout */
+static void
+gettimeout_test(void **state) {
+	dns_resolver_t *resolver = NULL;
+	unsigned int timeout;
+
+	UNUSED(state);
+
+	mkres(&resolver);
+
+	timeout = dns_resolver_gettimeout(resolver);
+	assert_true(timeout > 0);
+
+	destroy_resolver(&resolver);
+}
+
+/* dns_resolver_settimeout */
+static void
+settimeout_test(void **state) {
+	dns_resolver_t *resolver = NULL;
+	unsigned int default_timeout, timeout;
+
+	UNUSED(state);
+
+	mkres(&resolver);
+
+	default_timeout = dns_resolver_gettimeout(resolver);
+	dns_resolver_settimeout(resolver, default_timeout + 1);
+	timeout = dns_resolver_gettimeout(resolver);
+	assert_true(timeout == default_timeout + 1);
+
+	destroy_resolver(&resolver);
+}
+
+/* dns_resolver_settimeout */
+static void
+settimeout_default_test(void **state) {
+	dns_resolver_t *resolver = NULL;
+	unsigned int default_timeout, timeout;
+
+	UNUSED(state);
+
+	mkres(&resolver);
+
+	default_timeout = dns_resolver_gettimeout(resolver);
+	dns_resolver_settimeout(resolver, default_timeout + 100);
+
+	timeout = dns_resolver_gettimeout(resolver);
+	assert_int_equal(timeout, default_timeout + 100);
+
+	dns_resolver_settimeout(resolver, 0);
+	timeout = dns_resolver_gettimeout(resolver);
+	assert_int_equal(timeout, default_timeout);
+
+	destroy_resolver(&resolver);
+}
+
+/* dns_resolver_settimeout below minimum */
+static void
+settimeout_belowmin_test(void **state) {
+	dns_resolver_t *resolver = NULL;
+	unsigned int default_timeout, timeout;
+
+	UNUSED(state);
+
+	mkres(&resolver);
+
+	default_timeout = dns_resolver_gettimeout(resolver);
+	dns_resolver_settimeout(resolver, 9000);
+
+	timeout = dns_resolver_gettimeout(resolver);
+	assert_int_equal(timeout, default_timeout);
+
+	destroy_resolver(&resolver);
+}
+
+/* dns_resolver_settimeout over maximum */
+static void
+settimeout_overmax_test(void **state) {
+	dns_resolver_t *resolver = NULL;
+	unsigned int timeout;
+
+	UNUSED(state);
+
+	mkres(&resolver);
+
+	dns_resolver_settimeout(resolver, 4000000);
+	timeout = dns_resolver_gettimeout(resolver);
+	assert_in_range(timeout, 0, 3999999);
+	destroy_resolver(&resolver);
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test_setup_teardown(create_test, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(gettimeout_test, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(settimeout_test, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(settimeout_default_test, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(settimeout_belowmin_test,
+						_setup, _teardown),
+		cmocka_unit_test_setup_teardown(settimeout_overmax_test, _setup,
+						_teardown),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/dns/tests/result_test.c b/lib/dns/tests/result_test.c
new file mode 100644
index 0000000..3a05c71
--- /dev/null
+++ b/lib/dns/tests/result_test.c
@@ -0,0 +1,133 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/result.h>
+#include <isc/util.h>
+
+#include <dns/lib.h>
+#include <dns/result.h>
+
+#include <dst/result.h>
+
+/*
+ * Check ids array is populated.
+ */
+static void
+ids(void **state) {
+	const char *str;
+	isc_result_t result;
+
+	UNUSED(state);
+
+	dns_result_register();
+	dst_result_register();
+
+	for (result = ISC_RESULTCLASS_DNS;
+	     result < (ISC_RESULTCLASS_DNS + DNS_R_NRESULTS); result++)
+	{
+		str = isc_result_toid(result);
+		assert_non_null(str);
+		assert_string_not_equal(str, "(result code text not "
+					     "available)");
+
+		str = isc_result_totext(result);
+		assert_non_null(str);
+		assert_string_not_equal(str, "(result code text not "
+					     "available)");
+	}
+
+	str = isc_result_toid(result);
+	assert_non_null(str);
+	assert_string_equal(str, "(result code text not available)");
+
+	str = isc_result_totext(result);
+	assert_non_null(str);
+	assert_string_equal(str, "(result code text not available)");
+
+	for (result = ISC_RESULTCLASS_DST;
+	     result < (ISC_RESULTCLASS_DST + DST_R_NRESULTS); result++)
+	{
+		str = isc_result_toid(result);
+		assert_non_null(str);
+		assert_string_not_equal(str, "(result code text not "
+					     "available)");
+
+		str = isc_result_totext(result);
+		assert_non_null(str);
+		assert_string_not_equal(str, "(result code text not "
+					     "available)");
+	}
+
+	str = isc_result_toid(result);
+	assert_non_null(str);
+	assert_string_equal(str, "(result code text not available)");
+
+	str = isc_result_totext(result);
+	assert_non_null(str);
+	assert_string_equal(str, "(result code text not available)");
+
+	for (result = ISC_RESULTCLASS_DNSRCODE;
+	     result < (ISC_RESULTCLASS_DNSRCODE + DNS_R_NRCODERESULTS);
+	     result++)
+	{
+		str = isc_result_toid(result);
+		assert_non_null(str);
+		assert_string_not_equal(str, "(result code text not "
+					     "available)");
+
+		str = isc_result_totext(result);
+		assert_non_null(str);
+		assert_string_not_equal(str, "(result code text not "
+					     "available)");
+	}
+
+	str = isc_result_toid(result);
+	assert_non_null(str);
+	assert_string_equal(str, "(result code text not available)");
+
+	str = isc_result_totext(result);
+	assert_non_null(str);
+	assert_string_equal(str, "(result code text not available)");
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test(ids),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/dns/tests/rsa_test.c b/lib/dns/tests/rsa_test.c
new file mode 100644
index 0000000..7d8897b
--- /dev/null
+++ b/lib/dns/tests/rsa_test.c
@@ -0,0 +1,242 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/print.h>
+#include <isc/util.h>
+
+#include <pk11/site.h>
+
+#include "../dst_internal.h"
+#include "dnstest.h"
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = dns_test_begin(NULL, false);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	dns_test_end();
+
+	return (0);
+}
+
+static unsigned char d[10] = { 0xa,  0x10, 0xbb, 0,    0xfe,
+			       0x15, 0x1,  0x88, 0xcc, 0x7d };
+
+static unsigned char sigsha1[256] = {
+	0x45, 0x55, 0xd6, 0xf8, 0x05, 0xd2, 0x2e, 0x79, 0x14, 0x2b, 0x1b, 0xd1,
+	0x4b, 0xb7, 0xcd, 0xc0, 0xa2, 0xf3, 0x85, 0x32, 0x1f, 0xa3, 0xfd, 0x1f,
+	0x30, 0xe0, 0xde, 0xb2, 0x6f, 0x3c, 0x8e, 0x2b, 0x82, 0x92, 0xcd, 0x1c,
+	0x1b, 0xdf, 0xe6, 0xd5, 0x4d, 0x93, 0xe6, 0xaa, 0x40, 0x28, 0x1b, 0x7b,
+	0x2e, 0x40, 0x4d, 0xb5, 0x4d, 0x43, 0xe8, 0xfc, 0x93, 0x86, 0x68, 0xe3,
+	0xbf, 0x73, 0x9a, 0x1e, 0x6b, 0x5d, 0x52, 0xb8, 0x98, 0x1c, 0x94, 0xe1,
+	0x85, 0x8b, 0xee, 0xb1, 0x4f, 0x22, 0x71, 0xcb, 0xfd, 0xb2, 0xa8, 0x88,
+	0x64, 0xb4, 0xb1, 0x4a, 0xa1, 0x7a, 0xce, 0x52, 0x83, 0xd8, 0xf2, 0x9e,
+	0x67, 0x4c, 0xc3, 0x37, 0x74, 0xfe, 0xe0, 0x25, 0x2a, 0xfd, 0xa3, 0x09,
+	0xff, 0x8a, 0x92, 0x0d, 0xa9, 0xb3, 0x90, 0x23, 0xbe, 0x6a, 0x2c, 0x9e,
+	0x5c, 0x6d, 0xb4, 0xa7, 0xd7, 0x97, 0xdd, 0xc6, 0xb8, 0xae, 0xd4, 0x88,
+	0x64, 0x63, 0x1e, 0x85, 0x20, 0x09, 0xea, 0xc4, 0x0b, 0xca, 0xbf, 0x83,
+	0x5c, 0x89, 0xae, 0x64, 0x15, 0x76, 0x06, 0x51, 0xb6, 0xa1, 0x99, 0xb2,
+	0x3c, 0x50, 0x99, 0x86, 0x7d, 0xc7, 0xca, 0x4e, 0x1d, 0x2c, 0x17, 0xbb,
+	0x6c, 0x7a, 0xc9, 0x3f, 0x5e, 0x28, 0x57, 0x2c, 0xda, 0x01, 0x1d, 0xe8,
+	0x01, 0xf8, 0xf6, 0x37, 0xe1, 0x34, 0x56, 0xae, 0x6e, 0xb1, 0xd4, 0xa2,
+	0xc4, 0x02, 0xc1, 0xca, 0x96, 0xb0, 0x06, 0x72, 0x2a, 0x27, 0xaa, 0xc8,
+	0xd5, 0x50, 0x81, 0x49, 0x46, 0x33, 0xf8, 0xf7, 0x6b, 0xf4, 0x9c, 0x30,
+	0x90, 0x50, 0xf6, 0x16, 0x76, 0x9d, 0xc6, 0x73, 0xb5, 0xbc, 0x8a, 0xb6,
+	0x1d, 0x98, 0xcb, 0xce, 0x36, 0x6f, 0x60, 0xec, 0x96, 0x49, 0x08, 0x85,
+	0x5b, 0xc1, 0x8e, 0xb0, 0xea, 0x9e, 0x1f, 0xd6, 0x27, 0x7f, 0xb6, 0xe0,
+	0x04, 0x12, 0xd2, 0x81
+};
+
+static unsigned char sigsha256[256] = {
+	0x83, 0x53, 0x15, 0xfc, 0xca, 0xdb, 0xf6, 0x0d, 0x53, 0x24, 0x5b, 0x5a,
+	0x8e, 0xd0, 0xbe, 0x5e, 0xbc, 0xe8, 0x9e, 0x92, 0x3c, 0xfa, 0x93, 0x03,
+	0xce, 0x2f, 0xc7, 0x6d, 0xd0, 0xbb, 0x9d, 0x06, 0x83, 0xc6, 0xd3, 0xc0,
+	0xc1, 0x57, 0x9c, 0x82, 0x17, 0x7f, 0xb5, 0xf8, 0x31, 0x18, 0xda, 0x46,
+	0x05, 0x2c, 0xf8, 0xea, 0xaa, 0xcd, 0x99, 0x18, 0xff, 0x23, 0x5e, 0xef,
+	0xf0, 0x87, 0x47, 0x6e, 0x91, 0xfd, 0x19, 0x0b, 0x39, 0x19, 0x6a, 0xc8,
+	0xdf, 0x71, 0x66, 0x8e, 0xa9, 0xa0, 0x79, 0x5c, 0x2c, 0x52, 0x00, 0x61,
+	0x17, 0x86, 0x66, 0x03, 0x52, 0xad, 0xec, 0x06, 0x53, 0xd9, 0x6d, 0xe3,
+	0xe3, 0xea, 0x28, 0x15, 0xb3, 0x75, 0xf4, 0x61, 0x7d, 0xed, 0x69, 0x2c,
+	0x24, 0xf3, 0x21, 0xb1, 0x8a, 0xea, 0x60, 0xa2, 0x9e, 0x6a, 0xa6, 0x53,
+	0x12, 0xf6, 0x5c, 0xef, 0xd7, 0x49, 0x4a, 0x02, 0xe7, 0xf8, 0x64, 0x89,
+	0x13, 0xac, 0xd5, 0x1e, 0x58, 0xff, 0xa1, 0x63, 0xdd, 0xa0, 0x1f, 0x44,
+	0x99, 0x6a, 0x59, 0x7f, 0x35, 0xbd, 0xf1, 0xf3, 0x7a, 0x28, 0x44, 0xe3,
+	0x4c, 0x68, 0xb1, 0xb3, 0x97, 0x3c, 0x46, 0xe3, 0xc2, 0x12, 0x9e, 0x68,
+	0x0b, 0xa6, 0x6c, 0x8f, 0x58, 0x48, 0x44, 0xa4, 0xf7, 0xa7, 0xc2, 0x91,
+	0x8f, 0xbf, 0x00, 0xd0, 0x01, 0x35, 0xd4, 0x86, 0x6e, 0x1f, 0xea, 0x42,
+	0x60, 0xb1, 0x84, 0x27, 0xf4, 0x99, 0x36, 0x06, 0x98, 0x12, 0x83, 0x32,
+	0x9f, 0xcd, 0x50, 0x5a, 0x5e, 0xb8, 0x8e, 0xfe, 0x8d, 0x8d, 0x33, 0x2d,
+	0x45, 0xe1, 0xc9, 0xdf, 0x2a, 0xd8, 0x38, 0x1d, 0x95, 0xd4, 0x42, 0xee,
+	0x93, 0x5b, 0x0f, 0x1e, 0x07, 0x06, 0x3a, 0x92, 0xf1, 0x59, 0x1d, 0x6e,
+	0x1c, 0x31, 0xf3, 0xce, 0xa9, 0x1f, 0xad, 0x4d, 0x76, 0x4d, 0x24, 0x98,
+	0xe2, 0x0e, 0x8c, 0x35
+};
+
+static unsigned char sigsha512[512] = {
+	0x4e, 0x2f, 0x63, 0x42, 0xc5, 0xf3, 0x05, 0x4a, 0xa6, 0x3a, 0x93, 0xa0,
+	0xd9, 0x33, 0xa0, 0xd1, 0x46, 0x33, 0x42, 0xe8, 0x74, 0xeb, 0x3b, 0x10,
+	0x82, 0xd7, 0xcf, 0x39, 0x23, 0xb3, 0xe9, 0x23, 0x53, 0x87, 0x8c, 0xee,
+	0x78, 0xcb, 0xb3, 0xd9, 0xd2, 0x6d, 0x1a, 0x7c, 0x01, 0x4f, 0xed, 0x8d,
+	0xf2, 0x72, 0xe4, 0x6a, 0x00, 0x8a, 0x60, 0xa6, 0xd5, 0x9c, 0x43, 0x6c,
+	0xef, 0x38, 0x0c, 0x74, 0x82, 0x5d, 0x22, 0xaa, 0x87, 0x81, 0x90, 0x9c,
+	0x64, 0x07, 0x9b, 0x13, 0x51, 0xe0, 0xa5, 0xc2, 0x83, 0x78, 0x2b, 0x9b,
+	0xb3, 0x8a, 0x9d, 0x36, 0x33, 0xbd, 0x0d, 0x53, 0x84, 0xae, 0xe8, 0x13,
+	0x36, 0xf6, 0xdf, 0x96, 0xe9, 0xda, 0xc3, 0xd7, 0xa9, 0x2f, 0xf3, 0x5e,
+	0x5f, 0x1f, 0x7f, 0x38, 0x7e, 0x8d, 0xbe, 0x90, 0x5e, 0x13, 0xb2, 0x20,
+	0xbb, 0x9d, 0xfe, 0xe1, 0x52, 0xce, 0xe6, 0x80, 0xa7, 0x95, 0x24, 0x59,
+	0xe3, 0xac, 0x24, 0xc4, 0xfa, 0x1c, 0x44, 0x34, 0x29, 0x8d, 0xb1, 0xd0,
+	0xd9, 0x4c, 0xff, 0xc4, 0xdb, 0xca, 0xc4, 0x3f, 0x38, 0xf9, 0xe4, 0xaf,
+	0x75, 0x0a, 0x67, 0x4d, 0xa0, 0x2b, 0xb0, 0x83, 0xce, 0x53, 0xc4, 0xb9,
+	0x2e, 0x61, 0xb6, 0x64, 0xe5, 0xb5, 0xe5, 0xac, 0x9d, 0x51, 0xec, 0x58,
+	0x42, 0x90, 0x78, 0xf6, 0x46, 0x96, 0xef, 0xb6, 0x97, 0xb7, 0x54, 0x28,
+	0x1a, 0x4c, 0x29, 0xf4, 0x7a, 0x33, 0xc6, 0x07, 0xfd, 0xec, 0x97, 0x36,
+	0x1d, 0x42, 0x88, 0x94, 0x27, 0xc2, 0xa3, 0xe1, 0xd4, 0x87, 0xa1, 0x8a,
+	0x2b, 0xff, 0x47, 0x60, 0xfe, 0x1f, 0xaf, 0xc2, 0xeb, 0x17, 0xdd, 0x56,
+	0xc5, 0x94, 0x5c, 0xcb, 0x23, 0xe5, 0x49, 0x4d, 0x99, 0x06, 0x02, 0x5a,
+	0xfc, 0xfc, 0xdc, 0xee, 0x49, 0xbc, 0x47, 0x60, 0xff, 0x6a, 0x63, 0x8b,
+	0xe1, 0x2e, 0xa3, 0xa7
+};
+
+/* RSA verify */
+static void
+isc_rsa_verify_test(void **state) {
+	isc_result_t ret;
+	dns_fixedname_t fname;
+	isc_buffer_t buf;
+	dns_name_t *name;
+	dst_key_t *key = NULL;
+	dst_context_t *ctx = NULL;
+	isc_region_t r;
+
+	UNUSED(state);
+
+	name = dns_fixedname_initname(&fname);
+	isc_buffer_constinit(&buf, "rsa.", 4);
+	isc_buffer_add(&buf, 4);
+	ret = dns_name_fromtext(name, &buf, NULL, 0, NULL);
+	assert_int_equal(ret, ISC_R_SUCCESS);
+
+	ret = dst_key_fromfile(name, 29238, DST_ALG_RSASHA256, DST_TYPE_PUBLIC,
+			       "./", dt_mctx, &key);
+	assert_int_equal(ret, ISC_R_SUCCESS);
+
+	/* RSASHA1 - May not be supported by the OS */
+	if (dst_algorithm_supported(DST_ALG_RSASHA1)) {
+		key->key_alg = DST_ALG_RSASHA1;
+
+		ret = dst_context_create(key, dt_mctx, DNS_LOGCATEGORY_DNSSEC,
+					 false, 0, &ctx);
+		assert_int_equal(ret, ISC_R_SUCCESS);
+
+		r.base = d;
+		r.length = 10;
+		ret = dst_context_adddata(ctx, &r);
+		assert_int_equal(ret, ISC_R_SUCCESS);
+
+		r.base = sigsha1;
+		r.length = 256;
+		ret = dst_context_verify(ctx, &r);
+		assert_int_equal(ret, ISC_R_SUCCESS);
+
+		dst_context_destroy(&ctx);
+	}
+
+	/* RSASHA256 */
+
+	key->key_alg = DST_ALG_RSASHA256;
+
+	ret = dst_context_create(key, dt_mctx, DNS_LOGCATEGORY_DNSSEC, false, 0,
+				 &ctx);
+	assert_int_equal(ret, ISC_R_SUCCESS);
+
+	r.base = d;
+	r.length = 10;
+	ret = dst_context_adddata(ctx, &r);
+	assert_int_equal(ret, ISC_R_SUCCESS);
+
+	r.base = sigsha256;
+	r.length = 256;
+	ret = dst_context_verify(ctx, &r);
+	assert_int_equal(ret, ISC_R_SUCCESS);
+
+	dst_context_destroy(&ctx);
+
+	/* RSASHA512 */
+
+	key->key_alg = DST_ALG_RSASHA512;
+
+	ret = dst_context_create(key, dt_mctx, DNS_LOGCATEGORY_DNSSEC, false, 0,
+				 &ctx);
+	assert_int_equal(ret, ISC_R_SUCCESS);
+
+	r.base = d;
+	r.length = 10;
+	ret = dst_context_adddata(ctx, &r);
+	assert_int_equal(ret, ISC_R_SUCCESS);
+
+	r.base = sigsha512;
+	r.length = 256;
+	ret = dst_context_verify(ctx, &r);
+	assert_int_equal(ret, ISC_R_SUCCESS);
+
+	dst_context_destroy(&ctx);
+
+	dst_key_free(&key);
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test_setup_teardown(isc_rsa_verify_test, _setup,
+						_teardown),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* HAVE_CMOCKA */
diff --git a/lib/dns/tests/sigs_test.c b/lib/dns/tests/sigs_test.c
new file mode 100644
index 0000000..8e438cb
--- /dev/null
+++ b/lib/dns/tests/sigs_test.c
@@ -0,0 +1,462 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/buffer.h>
+#include <isc/list.h>
+#include <isc/region.h>
+#include <isc/result.h>
+#include <isc/stdtime.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/diff.h>
+#include <dns/dnssec.h>
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/types.h>
+#include <dns/zone.h>
+
+#include <dst/dst.h>
+
+#include "../zone_p.h"
+#include "dnstest.h"
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = dns_test_begin(NULL, false);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	dns_test_end();
+
+	return (0);
+}
+
+/*%
+ * Structure characterizing a single diff tuple in the dns_diff_t structure
+ * prepared by dns__zone_updatesigs().
+ */
+typedef struct {
+	dns_diffop_t op;
+	const char *owner;
+	dns_ttl_t ttl;
+	const char *type;
+} zonediff_t;
+
+#define ZONEDIFF_SENTINEL        \
+	{                        \
+		0, NULL, 0, NULL \
+	}
+
+/*%
+ * Structure defining a dns__zone_updatesigs() test.
+ */
+typedef struct {
+	const char *description;     /* test description */
+	const zonechange_t *changes; /* array of "raw" zone changes */
+	const zonediff_t *zonediff;  /* array of "processed" zone changes
+				      * */
+} updatesigs_test_params_t;
+
+/*%
+ * Check whether the 'found' tuple matches the 'expected' tuple.  'found' is
+ * the 'index'th tuple output by dns__zone_updatesigs() in test 'test'.
+ */
+static void
+compare_tuples(const zonediff_t *expected, dns_difftuple_t *found,
+	       size_t index) {
+	char found_covers[DNS_RDATATYPE_FORMATSIZE] = {};
+	char found_type[DNS_RDATATYPE_FORMATSIZE] = {};
+	char found_name[DNS_NAME_FORMATSIZE];
+	isc_consttextregion_t typeregion;
+	dns_fixedname_t expected_fname;
+	dns_rdatatype_t expected_type;
+	dns_name_t *expected_name;
+	dns_rdata_rrsig_t rrsig;
+	isc_buffer_t typebuf;
+	isc_result_t result;
+
+	REQUIRE(expected != NULL);
+	REQUIRE(found != NULL);
+	REQUIRE(index > 0);
+
+	/*
+	 * Check operation.
+	 */
+	assert_int_equal(expected->op, found->op);
+
+	/*
+	 * Check owner name.
+	 */
+	expected_name = dns_fixedname_initname(&expected_fname);
+	result = dns_name_fromstring(expected_name, expected->owner, 0,
+				     dt_mctx);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	dns_name_format(&found->name, found_name, sizeof(found_name));
+	assert_true(dns_name_equal(expected_name, &found->name));
+
+	/*
+	 * Check TTL.
+	 */
+	assert_int_equal(expected->ttl, found->ttl);
+
+	/*
+	 * Parse expected RR type.
+	 */
+	typeregion.base = expected->type;
+	typeregion.length = strlen(expected->type);
+	result = dns_rdatatype_fromtext(&expected_type,
+					(isc_textregion_t *)&typeregion);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/*
+	 * Format found RR type for reporting purposes.
+	 */
+	isc_buffer_init(&typebuf, found_type, sizeof(found_type));
+	result = dns_rdatatype_totext(found->rdata.type, &typebuf);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/*
+	 * Check RR type.
+	 */
+	switch (expected->op) {
+	case DNS_DIFFOP_ADDRESIGN:
+	case DNS_DIFFOP_DELRESIGN:
+		/*
+		 * Found tuple must be of type RRSIG.
+		 */
+		assert_int_equal(found->rdata.type, dns_rdatatype_rrsig);
+		if (found->rdata.type != dns_rdatatype_rrsig) {
+			break;
+		}
+		/*
+		 * The signature must cover an RRset of type 'expected->type'.
+		 */
+		result = dns_rdata_tostruct(&found->rdata, &rrsig, NULL);
+		assert_int_equal(result, ISC_R_SUCCESS);
+		isc_buffer_init(&typebuf, found_covers, sizeof(found_covers));
+		result = dns_rdatatype_totext(rrsig.covered, &typebuf);
+		assert_int_equal(result, ISC_R_SUCCESS);
+		assert_int_equal(expected_type, rrsig.covered);
+		break;
+	default:
+		/*
+		 * Found tuple must be of type 'expected->type'.
+		 */
+		assert_int_equal(expected_type, found->rdata.type);
+		break;
+	}
+}
+
+/*%
+ * Perform a single dns__zone_updatesigs() test defined in 'test'.  All other
+ * arguments are expected to remain constant between subsequent invocations of
+ * this function.
+ */
+static void
+updatesigs_test(const updatesigs_test_params_t *test, dns_zone_t *zone,
+		dns_db_t *db, dst_key_t *zone_keys[], unsigned int nkeys,
+		isc_stdtime_t now) {
+	size_t tuples_expected, tuples_found, index;
+	dns_dbversion_t *version = NULL;
+	dns_diff_t raw_diff, zone_diff;
+	const zonediff_t *expected;
+	dns_difftuple_t *found;
+	isc_result_t result;
+
+	dns__zonediff_t zonediff = {
+		.diff = &zone_diff,
+		.offline = false,
+	};
+
+	REQUIRE(test != NULL);
+	REQUIRE(test->description != NULL);
+	REQUIRE(test->changes != NULL);
+	REQUIRE(zone != NULL);
+	REQUIRE(db != NULL);
+	REQUIRE(zone_keys != NULL);
+
+	/*
+	 * Create a new version of the zone's database.
+	 */
+	result = dns_db_newversion(db, &version);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/*
+	 * Create a diff representing the supplied changes.
+	 */
+	result = dns_test_difffromchanges(&raw_diff, test->changes, false);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/*
+	 * Apply the "raw" diff to the new version of the zone's database as
+	 * this is what dns__zone_updatesigs() expects to happen before it is
+	 * called.
+	 */
+	dns_diff_apply(&raw_diff, db, version);
+
+	/*
+	 * Initialize the structure dns__zone_updatesigs() will modify.
+	 */
+	dns_diff_init(dt_mctx, &zone_diff);
+
+	/*
+	 * Check whether dns__zone_updatesigs() behaves as expected.
+	 */
+	result = dns__zone_updatesigs(&raw_diff, db, version, zone_keys, nkeys,
+				      zone, now - 3600, now + 3600, 0, now,
+				      true, false, &zonediff);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_true(ISC_LIST_EMPTY(raw_diff.tuples));
+	assert_false(ISC_LIST_EMPTY(zone_diff.tuples));
+
+	/*
+	 * Ensure that the number of tuples in the zone diff is as expected.
+	 */
+
+	tuples_expected = 0;
+	for (expected = test->zonediff; expected->owner != NULL; expected++) {
+		tuples_expected++;
+	}
+
+	tuples_found = 0;
+	for (found = ISC_LIST_HEAD(zone_diff.tuples); found != NULL;
+	     found = ISC_LIST_NEXT(found, link))
+	{
+		tuples_found++;
+	}
+
+	assert_int_equal(tuples_expected, tuples_found);
+
+	/*
+	 * Ensure that every tuple in the zone diff matches expectations.
+	 */
+	expected = test->zonediff;
+	index = 1;
+	for (found = ISC_LIST_HEAD(zone_diff.tuples); found != NULL;
+	     found = ISC_LIST_NEXT(found, link))
+	{
+		compare_tuples(expected, found, index);
+		expected++;
+		index++;
+	}
+
+	/*
+	 * Apply changes to zone database contents and clean up.
+	 */
+	dns_db_closeversion(db, &version, true);
+	dns_diff_clear(&zone_diff);
+	dns_diff_clear(&raw_diff);
+}
+
+/* dns__zone_updatesigs() tests */
+static void
+updatesigs_next_test(void **state) {
+	dst_key_t *zone_keys[DNS_MAXZONEKEYS];
+	dns_zone_t *zone = NULL;
+	dns_db_t *db = NULL;
+	isc_result_t result;
+	unsigned int nkeys;
+	isc_stdtime_t now;
+	size_t i;
+
+	UNUSED(state);
+
+	/*
+	 * Prepare a zone along with its signing keys.
+	 */
+
+	result = dns_test_makezone("example", &zone, NULL, false);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_test_loaddb(&db, dns_dbtype_zone, "example",
+				 "testdata/master/master18.data");
+	assert_int_equal(result, DNS_R_SEENINCLUDE);
+
+	result = dns_zone_setkeydirectory(zone, "testkeys");
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	isc_stdtime_get(&now);
+	result = dns__zone_findkeys(zone, db, NULL, now, dt_mctx,
+				    DNS_MAXZONEKEYS, zone_keys, &nkeys);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(nkeys, 2);
+
+	/*
+	 * Define the tests to be run.  Note that changes to zone database
+	 * contents introduced by each test are preserved between tests.
+	 */
+
+	const zonechange_t changes_add[] = {
+		{ DNS_DIFFOP_ADD, "foo.example", 300, "TXT", "foo" },
+		{ DNS_DIFFOP_ADD, "bar.example", 600, "TXT", "bar" },
+		ZONECHANGE_SENTINEL,
+	};
+	const zonediff_t zonediff_add[] = {
+		{ DNS_DIFFOP_ADDRESIGN, "foo.example", 300, "TXT" },
+		{ DNS_DIFFOP_ADD, "foo.example", 300, "TXT" },
+		{ DNS_DIFFOP_ADDRESIGN, "bar.example", 600, "TXT" },
+		{ DNS_DIFFOP_ADD, "bar.example", 600, "TXT" },
+		ZONEDIFF_SENTINEL,
+	};
+	const updatesigs_test_params_t test_add = {
+		.description = "add new RRsets",
+		.changes = changes_add,
+		.zonediff = zonediff_add,
+	};
+
+	const zonechange_t changes_append[] = {
+		{ DNS_DIFFOP_ADD, "foo.example", 300, "TXT", "foo1" },
+		{ DNS_DIFFOP_ADD, "foo.example", 300, "TXT", "foo2" },
+		ZONECHANGE_SENTINEL,
+	};
+	const zonediff_t zonediff_append[] = {
+		{ DNS_DIFFOP_DELRESIGN, "foo.example", 300, "TXT" },
+		{ DNS_DIFFOP_ADDRESIGN, "foo.example", 300, "TXT" },
+		{ DNS_DIFFOP_ADD, "foo.example", 300, "TXT" },
+		{ DNS_DIFFOP_ADD, "foo.example", 300, "TXT" },
+		ZONEDIFF_SENTINEL,
+	};
+	const updatesigs_test_params_t test_append = {
+		.description = "append multiple RRs to an existing RRset",
+		.changes = changes_append,
+		.zonediff = zonediff_append,
+	};
+
+	const zonechange_t changes_replace[] = {
+		{ DNS_DIFFOP_DEL, "bar.example", 600, "TXT", "bar" },
+		{ DNS_DIFFOP_ADD, "bar.example", 600, "TXT", "rab" },
+		ZONECHANGE_SENTINEL,
+	};
+	const zonediff_t zonediff_replace[] = {
+		{ DNS_DIFFOP_DELRESIGN, "bar.example", 600, "TXT" },
+		{ DNS_DIFFOP_ADDRESIGN, "bar.example", 600, "TXT" },
+		{ DNS_DIFFOP_DEL, "bar.example", 600, "TXT" },
+		{ DNS_DIFFOP_ADD, "bar.example", 600, "TXT" },
+		ZONEDIFF_SENTINEL,
+	};
+	const updatesigs_test_params_t test_replace = {
+		.description = "replace an existing RRset",
+		.changes = changes_replace,
+		.zonediff = zonediff_replace,
+	};
+
+	const zonechange_t changes_delete[] = {
+		{ DNS_DIFFOP_DEL, "bar.example", 600, "TXT", "rab" },
+		ZONECHANGE_SENTINEL,
+	};
+	const zonediff_t zonediff_delete[] = {
+		{ DNS_DIFFOP_DELRESIGN, "bar.example", 600, "TXT" },
+		{ DNS_DIFFOP_DEL, "bar.example", 600, "TXT" },
+		ZONEDIFF_SENTINEL,
+	};
+	const updatesigs_test_params_t test_delete = {
+		.description = "delete an existing RRset",
+		.changes = changes_delete,
+		.zonediff = zonediff_delete,
+	};
+
+	const zonechange_t changes_mixed[] = {
+		{ DNS_DIFFOP_ADD, "baz.example", 900, "TXT", "baz1" },
+		{ DNS_DIFFOP_ADD, "baz.example", 900, "A", "127.0.0.1" },
+		{ DNS_DIFFOP_ADD, "baz.example", 900, "TXT", "baz2" },
+		{ DNS_DIFFOP_ADD, "baz.example", 900, "AAAA", "::1" },
+		ZONECHANGE_SENTINEL,
+	};
+	const zonediff_t zonediff_mixed[] = {
+		{ DNS_DIFFOP_ADDRESIGN, "baz.example", 900, "TXT" },
+		{ DNS_DIFFOP_ADD, "baz.example", 900, "TXT" },
+		{ DNS_DIFFOP_ADD, "baz.example", 900, "TXT" },
+		{ DNS_DIFFOP_ADDRESIGN, "baz.example", 900, "A" },
+		{ DNS_DIFFOP_ADD, "baz.example", 900, "A" },
+		{ DNS_DIFFOP_ADDRESIGN, "baz.example", 900, "AAAA" },
+		{ DNS_DIFFOP_ADD, "baz.example", 900, "AAAA" },
+		ZONEDIFF_SENTINEL,
+	};
+	const updatesigs_test_params_t test_mixed = {
+		.description = "add different RRsets with common owner name",
+		.changes = changes_mixed,
+		.zonediff = zonediff_mixed,
+	};
+
+	const updatesigs_test_params_t *tests[] = {
+		&test_add,    &test_append, &test_replace,
+		&test_delete, &test_mixed,
+	};
+
+	/*
+	 * Run tests.
+	 */
+	for (i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
+		updatesigs_test(tests[i], zone, db, zone_keys, nkeys, now);
+	}
+
+	/*
+	 * Clean up.
+	 */
+	for (i = 0; i < nkeys; i++) {
+		dst_key_free(&zone_keys[i]);
+	}
+	dns_db_detach(&db);
+	dns_zone_detach(&zone);
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test_setup_teardown(updatesigs_next_test, _setup,
+						_teardown),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/dns/tests/testdata/db/data.db b/lib/dns/tests/testdata/db/data.db
new file mode 100644
index 0000000..67a4fba
--- /dev/null
+++ b/lib/dns/tests/testdata/db/data.db
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 1000
+@		in	soa	localhost. postmaster.localhost. (
+				1993050801	;serial
+				3600		;refresh
+				1800		;retry
+				604800		;expiration
+				3600 )		;minimum
+a		in	ns	ns.vix.com.
+a		in	ns	ns2.vix.com.
+a		in	ns	ns3.vix.com.
+b		in	a	1.2.3.4
diff --git a/lib/dns/tests/testdata/dbiterator/zone1.data b/lib/dns/tests/testdata/dbiterator/zone1.data
new file mode 100644
index 0000000..c380d39
--- /dev/null
+++ b/lib/dns/tests/testdata/dbiterator/zone1.data
@@ -0,0 +1,30 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@		in	soa	localhost. postmaster.localhost. (
+				2011080901	;serial
+				3600		;refresh
+				1800		;retry
+				604800		;expiration
+				600 )		;minimum
+ 		in	ns	ns
+ 		in	ns	ns2
+ns		in	a	10.0.0.1
+ns2		in	a	10.0.0.2
+
+a		in	txt	"test"
+b		in	txt	"test"
+c		in	txt	"test"
+d.e.f		in	txt	"test"
+e		in	txt	"test"
+f.g.h		in	txt	"test"
+f.g.i		in	txt	"test"
+f.g.j		in	txt	"test"
+k		in	txt	"test"
diff --git a/lib/dns/tests/testdata/dbiterator/zone2.data b/lib/dns/tests/testdata/dbiterator/zone2.data
new file mode 100644
index 0000000..7265c27
--- /dev/null
+++ b/lib/dns/tests/testdata/dbiterator/zone2.data
@@ -0,0 +1,319 @@
+; File written on Mon Aug 15 16:51:56 2011
+; dnssec_signzone version 9.7.3rc1
+test.			600	IN SOA	localhost. postmaster.localhost. (
+					2011080901 ; serial
+					3600       ; refresh (1 hour)
+					1800       ; retry (30 minutes)
+					604800     ; expire (1 week)
+					600        ; minimum (10 minutes)
+					)
+			600	RRSIG	SOA 7 1 600 20110914225156 (
+					20110815225156 39833 test.
+					IoQPcpx+Y2btVBBdM2H/9ppRMjphB1thwrdh
+					midhKH+MXDAauUIENucugi3zLsc1o2ke8LnQ
+					v3lCLd/bb5MD1otuS8vOw1GWEFhXOUBZU6wS
+					QwEIcG4BiSlz7/GvOlRa2znkOmZ3c8bD/J3Y
+					XUWDI3BEDPgrZqfxEvoMyPEWjO8= )
+			600	NS	ns.test.
+			600	NS	ns2.test.
+			600	RRSIG	NS 7 1 600 20110914225156 (
+					20110815225156 39833 test.
+					OgEimhmFIAqlH0hyQy3pTsveBHKyqs9WfO1S
+					uDPRj3DFgFEAjoY473T8GxG2C+jTVL/UMVcb
+					BTZ8wIAiUHhqKLcmr0q/1X+kNUs7tNi+6oMn
+					/jxaOuRL6c8Kf2gl2t4g6JTwQqLQhUHTfQP+
+					bEfKUr75VsVfxCQZIHlZ3/AlxZM= )
+			600	DNSKEY	256 3 7 (
+					AwEAAc0FzrE7jUiaKIGZpIaFE8E989topAJN
+					dWIQUQ7BSKabmpBP2M+SXHwIiQ/yC25iqudO
+					IxjRcK7nHB1VoP84xU2oMj6eeSqQHf/bYaji
+					Y8IfR7lgrzoDWzq+0rtnKMJc/JM8SMkcoBAS
+					llvxarDJTZheZjlrCvhpRJC+FAkBsx81
+					) ; key id = 39833
+			600	DNSKEY	257 3 7 (
+					AwEAAc55LPDhBLqfDUpjYYbBt+N63CiZtKrD
+					UDGeFAerbw0MWIUi3PgMr7yGVrj8e5Qjp9UN
+					zBUax6NdhlYVtFA8CwMTXGBjxgyqUoWpce08
+					lswxfE70BpgUA6w5efs0/mYtX9/A76etCaSI
+					oNH2vfa47BCdCPDfC1uTgyeuNuDvhszHaSiD
+					8OY7tLa/voecUlq38sdqi2raf2DvgOm7rdFa
+					reXOS/WIj7zd4XYrV1JGthxOMVlQ7zdv9rVd
+					UNUIF2d4hwCZJQr0ejhmvB3m/DuNmNOPYmnv
+					KTmLSE+IJ6baqYvKOVxwV+SaCnuJEjv+3Yrx
+					8WQYD/iS9WBhC9FUit0dy+0=
+					) ; key id = 57183
+			600	RRSIG	DNSKEY 7 1 600 20110914225156 (
+					20110815225156 39833 test.
+					xPV+bSGUlbxA5MKBeeRbwUDh3Qc+dm77+OHQ
+					BHIr1L8/kRP5o5J7MqPA37kea6nhyltYf9xM
+					RsxyiaBGUUeLyWg/q6hTtkNgAHifOPAhiDz8
+					AJDSTdSsq9RVtjdobAD0jyzz9sWnB+TPSOmj
+					Nlyd7VtPVEuSYljgawwfBBO3Kho= )
+			600	RRSIG	DNSKEY 7 1 600 20110914225156 (
+					20110815225156 57183 test.
+					S3jkC7AvyFc4ShfHt6AWgS4zpx9DzWHBK9gV
+					2H23OJzy8H1At/CjKxWVHLJ/io+ygryVnt/I
+					47Jyhh9i43TnXj8il475YsweGnXGZSorrcXA
+					3IsD2lOuRYnp3yetxe2ZrMGNDqqImE6X4x1a
+					UJI0cbE2UMZfUt8Rm5USiGzwAEgFD1OXxvMD
+					UT3flyp+Ote9FConK8gewV4wlJuBFemWT7BZ
+					lUYnoqfuAeEn2+1pIBS0iA0LNFjNBaEgtcjo
+					QeweN32yKoApau47Dl/Klw7KFT8+PLZ0QPbt
+					XAkJU7q94Q5aucDuHCSCTCc+2vZxdEnXKvRY
+					rfLuG8r/V5Kn+1iYrQ== )
+			0	NSEC3PARAM 1 0 10 -
+			0	RRSIG	NSEC3PARAM 7 1 0 20110914225156 (
+					20110815225156 39833 test.
+					kghSSeP8AZiQ/zmxgxAyG0itoUMo5adG5pxD
+					p8T3ZmbxEUSyG5acxBFkmeY39wVU0Cda8tWc
+					HHrMbB5e2GN8z6xJ0A4rVyXfKSYJSz+iKWfk
+					7sOFRjd8OLYE3di6PwIpk6ORUiRPMFLDQCH0
+					Q27hLsSoKyd50orKKI+ncjz7WzU= )
+a.test.			600	IN TXT	"test"
+			600	RRSIG	TXT 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					UEVOlnL6CDRNCfk/Xge2oaGYCV1+ewwi5zJ0
+					CX4DdwiNEkItL4HgBe8xXfxgFC3qySdsSYPE
+					1krdFyIkAclMCwHECd1UwZbGlMTEUGrE1KOB
+					8vQY+OhIV9TAhqNwnjbu7s2ZdNUv3wiUPcfk
+					hCJ4rzP6yeV2inLwZulXnhxb6Pk= )
+b.test.			600	IN TXT	"test"
+			600	RRSIG	TXT 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					HcyQlO9io6Rc5e4vVqlRmK5PacOaFQJmdERG
+					5Aobpgm1FuCLC7F+IMZ0d1XvBWnsw9iDzV43
+					UKzTGqUSmDiSBzs4QzHlacGickIW8EOV4xyJ
+					+mcJ0FZh4YNbkt6CiX+8SF6IxfCMhRMjpSsK
+					rWqJMG3LXkI6W9stShzsYAFBOzQ= )
+e.test.			600	IN TXT	"test"
+			600	RRSIG	TXT 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					jUn5FGRTL9OcFU7tvfkUnSwY8jA+8JynE0hi
+					ZJbYXDU5CiWGmR2B3yPHxUCewRqouyVCV8bc
+					xZsSuBxvcdYKryYDbjsmB83GlSEuxE9J7XZs
+					8SxUP8PobLVqzXgEZS/XRU2G+R915ZDP9/iL
+					z9oYwc9TkeyXbp8J/ZsH88tG980= )
+c.test.			600	IN TXT	"test"
+			600	RRSIG	TXT 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					cRxAj45oFDDCd8xQXxD1F0Qq8XeBWAj8EYS3
+					7nFXAgAy8sTczFvYCNGj79o7BALJwM4vc/wx
+					6rjsiO/sHgfTMEBDq6lH9Wql72uhwavI2SrL
+					/h/wBP5q4BXlQ4xp6cLhhdifOWhNTvLP+Fe5
+					U6yjvqneiKspze9SiFbcmRDiJds= )
+d.e.f.test.		600	IN TXT	"test"
+			600	RRSIG	TXT 7 4 600 20110914225156 (
+					20110815225156 39833 test.
+					ENjCzr/P9rJmj5OJLzYwWtHtBg2Uz+qJDucz
+					I97Pq9F819/c5sxNfT4hgICCw6ZfT4ffbzye
+					fFJ0JVrh2cYOzu68ozlgek/Uml1UW0pDQVdI
+					s4zEgp4XK9wXUxtWChSqp5YXMdeHegZFu32i
+					IMNTbJDudwYSwhr2FyG92ZRi8Y8= )
+f.g.h.test.		600	IN TXT	"test"
+			600	RRSIG	TXT 7 4 600 20110914225156 (
+					20110815225156 39833 test.
+					HT7iocFsfDjeX6j9RJdE3xfVGkIxhajFHgM/
+					T/mJj/al4HKV6Ajia8DhpdfDrgM2m7r+Pgcn
+					FSIstfebQsuFCnHX/gIalDND/grHKsetQnMP
+					Y7O4QLsRnTV53fdlqQ4eT+jBW6fzJdGySVN+
+					bg6kNJZS8DebjmlKtZz7tXjkP+4= )
+f.g.i.test.		600	IN TXT	"test"
+			600	RRSIG	TXT 7 4 600 20110914225156 (
+					20110815225156 39833 test.
+					kHJJeNSL1rz4QRYqOzhGMQl1yIdio7l8Lg8H
+					f0TsvFLa6BudVtwKUm+Kz2QiDn7/Lew8w0KX
+					vVHxX/Vwl3Ixk54YgMKLNogz2TEvnh/VGiS7
+					8r0oSUrg0CFd+xDfxnLeRqX5NNfMuSJap5WH
+					Aw7IVeRjXDwJFYnytMEnTrhHHHg= )
+f.g.j.test.		600	IN TXT	"test"
+			600	RRSIG	TXT 7 4 600 20110914225156 (
+					20110815225156 39833 test.
+					lIEHEhDFhOWK8W/F2xWELU2p/X77S2KTivm9
+					sY4k3RPsLNHE7p+lF8p72Lcb79rtltnoVYtE
+					pTIiaUcmgGwfaI4cwfXbeuEgnuTiLg7Xrefx
+					3GT86Q+8gfgbMXUmRA/eouWZhCOaYJN99gYz
+					urzDMiRLYmILHmLlnvo82SgXeuk= )
+k.test.			600	IN TXT	"test"
+			600	RRSIG	TXT 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					wC3zgYWsuLga8Vu3QFu/Ci8SzRbA5bvjSmDj
+					NzcpjU5cvJBxtgzatCr02AaUC94bI0JzNrEB
+					nFyWCYw55lyy+bAHU1u05UcQmz0n5yxkvmHX
+					i8ZjMyQkAvNKodJHaFQqUKKIDuSHD2EziKqg
+					eNn55YRS11ihkODehUVNl7TnYeA= )
+ns.test.		600	IN A	10.0.0.1
+			600	RRSIG	A 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					VyK/WlQ6ikXdjF/arGzyAyYhOc8IYNBp4QLW
+					gtYjvbjIcV5+9JINWmUs61VjJ14nES1sI0xb
+					9vQJuiPXTM1awUAnvOKLhaX6fbJaEiR1w6Cf
+					RT5QKBMxNBKVStqdabHcigY4DUuc1PQk1vCw
+					yMUJt3nHNVMZk+XAycNHzBeYjik= )
+ns2.test.		600	IN A	10.0.0.2
+			600	RRSIG	A 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					CX6UlZL+5NQJViKfbe/E3uIJk/wjUzoiHBhY
+					B6gS8nxZzlRPdTTXyMZoRa4etTZEbrRjnyXk
+					1rP47faCUwbh//XqukN9f7FZ4Y39NpPS2XpX
+					0Lx6M93Jz46lbzmseMFs2YmNMzzhN4uhRvl/
+					8gPtYsn9KMXnAlFfa4XrE5LNVyY= )
+1F3JQ6EANHNHOCMUPQTVNM339VDTR51C.test. 600 IN NSEC3 1 0 10 - 7QKPELF33JOK9BVJ7CKE99AHG40B0SH7 A RRSIG
+			600	RRSIG	NSEC3 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					w7aS12lxLNh+G1B/2kEq1BO6IzYvyC8n/MGV
+					0jvFnapNXGZMPrPxGeO2wkw1JXepuXCv98be
+					M4SjQywaH+VP6ZMTIfjxRxtcCM+aLAFhiz0l
+					/MILEkjemmxjAfvV7emRVMwCGcoGI7qC3Xxq
+					q5g8EzJiYyTCOnI5LKRggn97wGg= )
+7QKPELF33JOK9BVJ7CKE99AHG40B0SH7.test. 600 IN NSEC3 1 0 10 - 94Q15K1V1VE5F87EI37T2B9A39EEC368 TXT RRSIG
+			600	RRSIG	NSEC3 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					J4ObL3p4eN0jWh06M+rX2SSPANQoKfnosElB
+					KcKE7fLqEjKK7N6Yh6KUlbEP25tfeZ7W6GBJ
+					b7q6Nh0Ax8fYdc/6JVvmxcwWcx5Lw1TfITGB
+					ttFntJlbp1A8lwP3pn8Ksql1X2ogh78AsgTb
+					X5kmXVukC1oEzt98EAa/V/an8QA= )
+CS8M3UVG0UJDR6USBES4U9SNUGQI2RJE.test. 600 IN NSEC3 1 0 10 - ETEQB5V431INUIIE547FKSOF7O4DJ62J A RRSIG
+			600	RRSIG	NSEC3 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					Vyd/2b0S15fACJ8TiPXKtScV9A/ZztVumZAm
+					o2S6jaVJKWik+8orDW+WiJ4/PEl26PK2m1uv
+					HD2beuUCHj9EnYkN/dzL3Bsc302qr9xqsh0q
+					VFS2moznoNG415ZV3vgYR7L9DAp43ZeFuw6I
+					7sr21hLYLUeo31xBsJg7RlOL+4s= )
+ETEQB5V431INUIIE547FKSOF7O4DJ62J.test. 600 IN NSEC3 1 0 10 - F8G1MB0JUEU3FBI11CAVFIPGEA3POOIM
+			600	RRSIG	NSEC3 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					oOHs1eb3JYeOMOnzE2PS6NIXBNzSoTYPIxo/
+					P0d/ihsLKra3yNJNPTlu4kf+FZoNYAGtMK/D
+					6dZWFvtdswDdi2C5WSgsanuHqXq5Lr3A1nCe
+					cQI5PO4RrLymB+MtYg15CNKcnc0WmJO8deSR
+					WzNOarC+Iz1Xj3FkKDS4FFr+02Q= )
+94Q15K1V1VE5F87EI37T2B9A39EEC368.test. 600 IN NSEC3 1 0 10 - CS8M3UVG0UJDR6USBES4U9SNUGQI2RJE
+			600	RRSIG	NSEC3 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					K0PvN7YtHQ63x/x2yXXa2S9GBGuTNJywDZ8M
+					wyMSwytCb9mn4hnKD5mJHaXGTw3YX7usbnEO
+					ce6hiJdN/VhMfbRMOvUpgyblOj4kXiYVZY1a
+					SyycfugK/Hu1j4az7lIhhnnx58GChA6mg8Vx
+					3Uz6cNDDCSTBTl09NyeUUrKWsHQ= )
+FBH6B0LHT9PPQB1P98D228HA1H52L8PO.test. 600 IN NSEC3 1 0 10 - JGU2L7C3LKLHAKC5RHUOORTI2DCKK3KL
+			600	RRSIG	NSEC3 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					giXRE+4ZeIzDrhx1XkFSpIKGFd3UGzlrLZnO
+					Ur9nMUfwvU5A3fitEkdayo3ZDH7MQGpSotaH
+					ReiFXx3Z6Hm2NIN/RHYZQr9e0vbMYSjkANdu
+					HWBA1SrSq5SHyuy970mPd4jfTHiABCo6fJGB
+					ykGClZGou0WSaB+Ak19fMbeQ2Wo= )
+JGU2L7C3LKLHAKC5RHUOORTI2DCKK3KL.test. 600 IN NSEC3 1 0 10 - KFMJ88CKMKUQQJE59IKFBOLLLD4DF55H TXT RRSIG
+			600	RRSIG	NSEC3 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					BHTDUgZdWNLgz3xHYMqvlWK/IJ0xrXESoREc
+					6D3sO9bcLTMYPO9t80itOlipwp4AmaVOBXPt
+					cKSdgsUXDEtHqNSxtGbNr5xQ+Aqsep0GX71V
+					HkcIuiNdTUw83dkajCHMkmQCbEjp9mbdiTmS
+					haNW2EsscldfaS1aq5tYUhCT3l4= )
+L993U6VC0DUV5QJ8TRPD2IQLM8FJ7AT9.test. 600 IN NSEC3 1 0 10 - LSMRLLNBQGGK8J6V40KLM2LG5TE4FS0P
+			600	RRSIG	NSEC3 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					vE7K0Nrju4qLFDYkIyMY5bIMT0wu8MJdxL6u
+					7WVA4HepccKQcUnvVoBAcrA9+MUeteyrad8Y
+					SJvQIt7sz5t7FViWSq5IMPVPujWtW5J30LhJ
+					mOLd1KmnFWoVthJ1oFNzBM80A60seKNnEw1M
+					lV6Y+v0gNYIQensUb9w6SVMTpxE= )
+F8G1MB0JUEU3FBI11CAVFIPGEA3POOIM.test. 600 IN NSEC3 1 0 10 - FA1T7MKUUV9SD4VDBJQ3GRFK1IDTCKL7
+			600	RRSIG	NSEC3 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					DkL9ONc0vpsKdG20ol8XPAaVfLb7kf1wnKbR
+					rQUB1trGSHm/Igo06of43zm9J+56htFJg1xD
+					I2de0sCUBQYyHVBBDiBAd1g+ZvcpUlLP0w8M
+					NxMviMiG/WQAdGXHwYfUimwMWD7gNGl1m05H
+					HwYmzGs+d1bClDNBrFhdfdL2+iA= )
+LSMRLLNBQGGK8J6V40KLM2LG5TE4FS0P.test. 600 IN NSEC3 1 0 10 - LUAN2Q3I2OCVSD41MP08HNA9JP22D38K
+			600	RRSIG	NSEC3 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					ZgiWuMqodQuhwuAF6CIiJTsdRahi+poOiZAM
+					WXNP0wXfdptcG2uhbdDwy+0crhe3tuybhwcb
+					CuiaQUh0XNPhgF+qmXpGobaqBhCEvCF4K9qY
+					OCIoMfsI1pIBVbMw0+YXVarFZ8+mfNU/+6n6
+					yy2+1nCg3k4XR2Dpv4CeDBfcAuM= )
+NAL1UIEBM38NKMN6RQOKE8T781IA7UKI.test. 600 IN NSEC3 1 0 10 - OUSGP0LO9FGAROHDULQVSTI3OLQIBB39 TXT RRSIG
+			600	RRSIG	NSEC3 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					x8JiXPI+EXHz8ZO/VW0/+9wWsBNqeSMxXZIV
+					ibOnogSg7Wi7Yq1xftKC2+xEevNxSZnBibEy
+					Sgro5xKTf0n7pD9hHVBLoYmOOnbXY3QNQ2EQ
+					y3LdPT355WmwVddVOOxNpNRp2zQyqg7BhVA3
+					wxY7tyVQd4x1+95ATUQBnFditdE= )
+KFMJ88CKMKUQQJE59IKFBOLLLD4DF55H.test. 600 IN NSEC3 1 0 10 - L993U6VC0DUV5QJ8TRPD2IQLM8FJ7AT9 TXT RRSIG
+			600	RRSIG	NSEC3 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					KQPaN2Ecebifbl4Bz5Yo0x2DgGmZiVhpSydm
+					oy/5NtMjt7G472JrKlqByap+VxW0bpzo3IER
+					3P8Dsv7pfBD4/Cl5sFqwZL7wYy7RB4dQLVCi
+					Pepc/Mr3gR2XmL91fpGttMj5jGscnVQJCyFa
+					obzhsVaVImUQZFDPb0UQUHwIhOA= )
+LUAN2Q3I2OCVSD41MP08HNA9JP22D38K.test. 600 IN NSEC3 1 0 10 - NAL1UIEBM38NKMN6RQOKE8T781IA7UKI TXT RRSIG
+			600	RRSIG	NSEC3 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					NJ+X3d0qh2+fbSnG0iQPxAeDIOzX5NTmY9fS
+					x7IO/DDcgUhPvl1YYdz5J999cec1zzOKp10J
+					YbsIAzg0w/Y4D4CBUw3IkcOrUFOODb6eJQGb
+					rVFRqmp3BUP4qOAWUZvx4oQ0KG4K/h/KJMbU
+					Vcdl7PF7G5O5hMyR9UWg4zal7Sk= )
+OUSGP0LO9FGAROHDULQVSTI3OLQIBB39.test. 600 IN NSEC3 1 0 10 - PQQ28M3U2MM08GGFV3JKR76G2H9IUJPC TXT RRSIG
+			600	RRSIG	NSEC3 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					A/qxYrSE/smBGbST8j8eGPCrRnwvVa25kDha
+					IuA3nv0vzXhFvlruc9f0HRGwsq6A2pw3I5W+
+					xo2/JxsNyFOotdwaDDEBzqPkJmrzupxQS4Hm
+					rHSLnRnNw4QzvzNjAGWMYAoe3OeHC47wmAtI
+					qE91EHZTlPP28CUXOMo+7sCaOa8= )
+U0UVS2SUP89P2TM3PJO4TC1GPJ2O6519.test. 600 IN NSEC3 1 0 10 - VA2VG5BEMCKQP6MS5NHHGL18031BIA7M NS SOA RRSIG DNSKEY NSEC3PARAM
+			600	RRSIG	NSEC3 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					rahhkfiF+Rk6oqbWTdu9qcwhmj5hbDuIFdiJ
+					GmaG+cFSv5Mjp+txNVCvBK9Hq/VpW0ypen/3
+					JC0sVAugSX+HAKAgyaMKmgWCvoQZ6ZSJUh7o
+					LRPcT+oxVXQAqjovxpaV8k6sYo44tpljPdOD
+					UluWAP5SrmJKjzCxs27KGRx8MK4= )
+VA2VG5BEMCKQP6MS5NHHGL18031BIA7M.test. 600 IN NSEC3 1 0 10 - VAKOQ2TPD7S25NFBJT73J3C4OGU10RJ5 TXT RRSIG
+			600	RRSIG	NSEC3 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					XcBeZ8lo9Qo8z56+1FdGDjh6ZHCfO+MQ/wnY
+					TEUo/aWLkPTyq39nLhe0qVBJxmDpM+KQFuG9
+					cjQT5fvrlrY+lv6dedB64EBMYy4kKbIv7N5+
+					r6+sfWlvtKsfXxysLSk2+jLEm5NuLFrOdNas
+					WLVsq741D3YcWt4kM1HCyk3DNF8= )
+FA1T7MKUUV9SD4VDBJQ3GRFK1IDTCKL7.test. 600 IN NSEC3 1 0 10 - FBH6B0LHT9PPQB1P98D228HA1H52L8PO TXT RRSIG
+			600	RRSIG	NSEC3 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					jB/vLrvx4sQQD7J3ZacAAyhcFmIPh7LH3ljw
+					IAIaeLb10oX5q1/nQKYdfq976TMy5sWpBcmd
+					i91WLxd+T/gOSumyP8bC3g+SUoyZ9wxY6A6a
+					MMx1rn0QA9IKrxMqojs9M3urJ8QAeIS+KyAn
+					rbyyJuG+EVm0prqlPZtzUi28WCI= )
+PQQ28M3U2MM08GGFV3JKR76G2H9IUJPC.test. 600 IN NSEC3 1 0 10 - U0UVS2SUP89P2TM3PJO4TC1GPJ2O6519
+			600	RRSIG	NSEC3 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					asCOU9OkVWMvUU2IUpwMgdYf0faA04zPbaFf
+					qywYsv3NH01Lky6G3a0WUPAbBm7TAYx/ln8a
+					559vlpp/gpXEl9CcLrjO6wy5i0ryp8gVHtKJ
+					rQlEc/uw4SY+S5t7FuZc2rNRdAbxVMYuwrvm
+					HBsKDPblre3e06ZZFEmnGFzCgmg= )
+VAKOQ2TPD7S25NFBJT73J3C4OGU10RJ5.test. 600 IN NSEC3 1 0 10 - VNCCJH8JPOLGLAGVMV3FKS09M7RRDU47 TXT RRSIG
+			600	RRSIG	NSEC3 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					Pt4tKB1p/jsyLYab9LSt5MF1KTRT18nRTOox
+					q0IACkXkKx7W5xv6nSYXIB+nQzNp1Y1hhoXn
+					9IFi0liPnIAOp73w4vybhfIdTFiEmHPHT6O9
+					VIx5cSriqBI6Qda8GtfeIb96P8SojbUk5BDI
+					g18iYjviGhQYRgpU3tg1qd7pbcc= )
+VNCCJH8JPOLGLAGVMV3FKS09M7RRDU47.test. 600 IN NSEC3 1 0 10 - 1F3JQ6EANHNHOCMUPQTVNM339VDTR51C
+			600	RRSIG	NSEC3 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					ZMZPHawhkuzSV7C7zkgghH/jpw9CQVR1JUXq
+					pAeY2iIIWwNhfuskJaLgtu/5SuKnJtrv6D4N
+					g+lfEkBReia5xO/SCcHv8/hXEPH8vZ4xe1C9
+					6GVB6ip2hKw2g5HpyF7X18WgwZ0cqPWVg+Q+
+					xRLpXH+53391Wt5rG7qJswn5RLE= )
diff --git a/lib/dns/tests/testdata/diff/zone1.data b/lib/dns/tests/testdata/diff/zone1.data
new file mode 100644
index 0000000..8ddf669
--- /dev/null
+++ b/lib/dns/tests/testdata/diff/zone1.data
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 	0	SOA . . 0 0 0 0 0
+@	0	NS @
+@	0	A 1.2.3.4
+remove	0	A 5.6.7.8
diff --git a/lib/dns/tests/testdata/diff/zone2.data b/lib/dns/tests/testdata/diff/zone2.data
new file mode 100644
index 0000000..363af42
--- /dev/null
+++ b/lib/dns/tests/testdata/diff/zone2.data
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 	0	SOA . . 0 0 0 0 0
+@	0	NS @
+@	0	A 1.2.3.4
+remove	0	A 5.6.7.8
+added	0	A 5.6.7.8
diff --git a/lib/dns/tests/testdata/diff/zone3.data b/lib/dns/tests/testdata/diff/zone3.data
new file mode 100644
index 0000000..ae3a60e
--- /dev/null
+++ b/lib/dns/tests/testdata/diff/zone3.data
@@ -0,0 +1,12 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 	0	SOA . . 0 0 0 0 0
+@	0	NS @
+@	0	A 1.2.3.4
diff --git a/lib/dns/tests/testdata/dnstap/dnstap.saved b/lib/dns/tests/testdata/dnstap/dnstap.saved
new file mode 100644
index 0000000..c657f41
--- /dev/null
+++ b/lib/dns/tests/testdata/dnstap/dnstap.saved
diff --git a/lib/dns/tests/testdata/dnstap/dnstap.text b/lib/dns/tests/testdata/dnstap/dnstap.text
new file mode 100644
index 0000000..71977e4
--- /dev/null
+++ b/lib/dns/tests/testdata/dnstap/dnstap.text
@@ -0,0 +1,96 @@
+03-Feb-2017 15:47:16.000 SQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 SQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 SQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 SQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 SQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 SQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 SQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 SQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 SR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 SR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 SR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 SR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 SR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 SR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 SR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 SR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 CQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 CQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 CQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 CQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 CQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 CQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 CQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 CQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 CR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 CR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 CR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 CR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 CR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 CR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 CR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 CR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 AQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 AQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 AQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 AQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 AQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 AQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 AQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 AQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 AR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 AR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 AR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 AR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 AR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 AR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 AR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 AR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 RQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 RQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 RQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 RQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 RQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 RQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 RQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 RQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 RR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 RR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 RR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 RR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 RR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 RR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 RR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 RR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 FQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 FQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 FQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 FQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 FQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 FQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 FQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 FQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 FR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 FR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 FR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 FR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 FR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 FR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 FR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 FR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 TQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 TQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 TQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 TQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 TQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 TQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 TQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 TQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 TR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 TR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 TR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 TR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 TR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 TR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 TR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 TR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
diff --git a/lib/dns/tests/testdata/dnstap/query.auth b/lib/dns/tests/testdata/dnstap/query.auth
new file mode 100644
index 0000000..a14f850
--- /dev/null
+++ b/lib/dns/tests/testdata/dnstap/query.auth
@@ -0,0 +1,4 @@
+# authoritative query, www.isc.org/A
+8d 24 00 20 00 01 00 00 00 00 00 01 03 77 77 77
+03 69 73 63 03 6f 72 67 00 00 01 00 01 00 00 29
+10 00 00 00 00 00 00 00
diff --git a/lib/dns/tests/testdata/dnstap/query.recursive b/lib/dns/tests/testdata/dnstap/query.recursive
new file mode 100644
index 0000000..8ee705f
--- /dev/null
+++ b/lib/dns/tests/testdata/dnstap/query.recursive
@@ -0,0 +1,4 @@
+# recursive query for www.isc.org/A
+bf 08 01 20 00 01 00 00 00 00 00 01 03 77 77 77
+03 69 73 63 03 6f 72 67 00 00 01 00 01 00 00 29
+10 00 00 00 00 00 00 00
diff --git a/lib/dns/tests/testdata/dnstap/response.auth b/lib/dns/tests/testdata/dnstap/response.auth
new file mode 100644
index 0000000..4d0ea81
--- /dev/null
+++ b/lib/dns/tests/testdata/dnstap/response.auth
@@ -0,0 +1,19 @@
+# authoritative response, www.isc.org/A
+8d 24 84 00 00 01 00 01 00 04 00 07 03 77 77 77
+03 69 73 63 03 6f 72 67 00 00 01 00 01 c0 0c 00
+01 00 01 00 00 00 3c 00 04 95 14 40 45 c0 10 00
+02 00 01 00 00 1c 20 00 0d 03 61 6d 73 06 73 6e
+73 2d 70 62 c0 10 c0 10 00 02 00 01 00 00 1c 20
+00 07 04 73 66 62 61 c0 3d c0 10 00 02 00 01 00
+00 1c 20 00 19 02 6e 73 03 69 73 63 0b 61 66 69
+6c 69 61 73 2d 6e 73 74 04 69 6e 66 6f 00 c0 10
+00 02 00 01 00 00 1c 20 00 06 03 6f 72 64 c0 3d
+c0 39 00 01 00 01 00 00 1c 20 00 04 c7 06 01 1e
+c0 39 00 1c 00 01 00 00 1c 20 00 10 20 01 05 00
+00 60 00 00 00 00 00 00 00 00 00 30 c0 8a 00 01
+00 01 00 00 1c 20 00 04 c7 06 00 1e c0 8a 00 1c
+00 01 00 00 1c 20 00 10 20 01 05 00 00 71 00 00
+00 00 00 00 00 00 00 30 c0 52 00 01 00 01 00 00
+1c 20 00 04 95 14 40 03 c0 52 00 1c 00 01 00 00
+1c 20 00 10 20 01 04 f8 00 00 00 02 00 00 00 00
+00 00 00 19 00 00 29 10 00 00 00 00 00 00 00
diff --git a/lib/dns/tests/testdata/dnstap/response.recursive b/lib/dns/tests/testdata/dnstap/response.recursive
new file mode 100644
index 0000000..6e3a3cf
--- /dev/null
+++ b/lib/dns/tests/testdata/dnstap/response.recursive
@@ -0,0 +1,19 @@
+# recursive response, www.isc.org/A
+bf 08 81 a0 00 01 00 01 00 04 00 07 03 77 77 77
+03 69 73 63 03 6f 72 67 00 00 01 00 01 c0 0c 00
+01 00 01 00 00 00 15 00 04 95 14 40 45 c0 10 00
+02 00 01 00 00 1b a6 00 0e 04 73 66 62 61 06 73
+6e 73 2d 70 62 c0 10 c0 10 00 02 00 01 00 00 1b
+a6 00 06 03 6f 72 64 c0 3e c0 10 00 02 00 01 00
+00 1b a6 00 19 02 6e 73 03 69 73 63 0b 61 66 69
+6c 69 61 73 2d 6e 73 74 04 69 6e 66 6f 00 c0 10
+00 02 00 01 00 00 1b a6 00 06 03 61 6d 73 c0 3e
+c0 8a 00 01 00 01 00 00 b1 d5 00 04 c7 06 01 1e
+c0 8a 00 1c 00 01 00 00 b1 d5 00 10 20 01 05 00
+00 60 00 00 00 00 00 00 00 00 00 30 c0 53 00 01
+00 01 00 00 b1 d5 00 04 c7 06 00 1e c0 53 00 1c
+00 01 00 00 b1 d5 00 10 20 01 05 00 00 71 00 00
+00 00 00 00 00 00 00 30 c0 39 00 01 00 01 00 00
+b1 d5 00 04 95 14 40 03 c0 39 00 1c 00 01 00 00
+b1 d5 00 10 20 01 04 f8 00 00 00 02 00 00 00 00
+00 00 00 19 00 00 29 10 00 00 00 00 00 00 00
diff --git a/lib/dns/tests/testdata/dst/Ktest.+008+11349.key b/lib/dns/tests/testdata/dst/Ktest.+008+11349.key
new file mode 100644
index 0000000..a1bd768
--- /dev/null
+++ b/lib/dns/tests/testdata/dst/Ktest.+008+11349.key
@@ -0,0 +1,5 @@
+; This is a zone-signing key, keyid 11349, for test.
+; Created: 20181025090713 (Thu Oct 25 11:07:13 2018)
+; Publish: 20181025090713 (Thu Oct 25 11:07:13 2018)
+; Activate: 20181025090713 (Thu Oct 25 11:07:13 2018)
+test. IN DNSKEY 256 3 8 AwEAAdqPwPScyURzeCUzEadKNYgQW50LPDV/ir9nWIbiSn2yMkymxiby BQH+Hk1neE9qa9X4XaEnKf5YZx7o14rRikmOb2lomtOkI9ovh1K/SvLO Zd1E3e61F29g1eCq52mMY3xAdEcBNqEq+6mgEwGmwl83+mAh5anxXNHa 2rcfdG+L
diff --git a/lib/dns/tests/testdata/dst/Ktest.+008+11349.private b/lib/dns/tests/testdata/dst/Ktest.+008+11349.private
new file mode 100644
index 0000000..5dfef79
--- /dev/null
+++ b/lib/dns/tests/testdata/dst/Ktest.+008+11349.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: 2o/A9JzJRHN4JTMRp0o1iBBbnQs8NX+Kv2dYhuJKfbIyTKbGJvIFAf4eTWd4T2pr1fhdoScp/lhnHujXitGKSY5vaWia06Qj2i+HUr9K8s5l3UTd7rUXb2DV4KrnaYxjfEB0RwE2oSr7qaATAabCXzf6YCHlqfFc0dratx90b4s=
+PublicExponent: AQAB
+PrivateExponent: a4qmX/YxlmvWpz8spYr/MhcSbQCVPKGoLKv2RFBeZODknRDGmW0mh6d5U47hBPqRWvRdZak2oX7wJqZdQGIAT25bC09rLNMctfxXKtzwSaXFjXZGHGv+bDHcqIltvIYmRbb0pK/LinFaLZqfpVe0WOfKuT9BT03BlwSZV8GKgZE=
+Prime1: 8oZLQoVpIqsiQw7bX5pTm/O0gEUnEzNOVEoLGsfIl68Lz/1CBm9ypTp8QOB0B9IpnH8vOS+NJM1az1d0RhqKow==
+Prime2: 5rSbE6duWIb90uICkAUJn4OztHX0fkd9GKNYdsHVReFBH2poXGojVGkW6i/IaYl4NEXXr5Z89dWtR+RNH2Z9+Q==
+Exponent1: 2IcuCmYyR9Gi9Vv+YIzYuRQMw7j5+hqEhJzW7UIRxdtzIG9s03INWZet9/5tmc35eM/Uyam6ynDN8vCRz0VDIQ==
+Exponent2: vKcdVKIKWrvwXXzRaaGk79rLnZsDFiwxQG96TIpOczkyfpUNx9xHDaRtx4zRTnPKZrxiFkRx5LkZXHt1EWNHSQ==
+Coefficient: pb9dFRZA2IRXDCGCM1ikp+QCs72wNn3hgURZLRLmtcBbQcYhP/dcp80SpInviwJPNRcKrfxninqygEARzfHtqQ==
+Created: 20181025090713
+Publish: 20181025090713
+Activate: 20181025090713
diff --git a/lib/dns/tests/testdata/dst/Ktest.+013+49130.key b/lib/dns/tests/testdata/dst/Ktest.+013+49130.key
new file mode 100644
index 0000000..e3ff931
--- /dev/null
+++ b/lib/dns/tests/testdata/dst/Ktest.+013+49130.key
@@ -0,0 +1,5 @@
+; This is a zone-signing key, keyid 49130, for test.
+; Created: 20181025090718 (Thu Oct 25 11:07:18 2018)
+; Publish: 20181025090718 (Thu Oct 25 11:07:18 2018)
+; Activate: 20181025090718 (Thu Oct 25 11:07:18 2018)
+test. IN DNSKEY 256 3 13 uP04fwB/DuBBqdjPLseIoFT7vgtP8Lr/be1NhRBvibwQ+Hr+3GQhIKIK XbamgOUxXJ9JDjWFAT2KXw0V3sAN9w==
diff --git a/lib/dns/tests/testdata/dst/Ktest.+013+49130.private b/lib/dns/tests/testdata/dst/Ktest.+013+49130.private
new file mode 100644
index 0000000..754d9f9
--- /dev/null
+++ b/lib/dns/tests/testdata/dst/Ktest.+013+49130.private
@@ -0,0 +1,6 @@
+Private-key-format: v1.3
+Algorithm: 13 (ECDSAP256SHA256)
+PrivateKey: feGDRABRCbcsCqssKK5B5518y95smrv/cJnz2pa/UVA=
+Created: 20181025090718
+Publish: 20181025090718
+Activate: 20181025090718
diff --git a/lib/dns/tests/testdata/dst/test1.data b/lib/dns/tests/testdata/dst/test1.data
new file mode 100644
index 0000000..cf84e9f
--- /dev/null
+++ b/lib/dns/tests/testdata/dst/test1.data
@@ -0,0 +1,3077 @@
+Network Working Group                                     P. Mockapetris
+Request for Comments: 1035                                           ISI
+                                                           November 1987
+Obsoletes: RFCs 882, 883, 973
+
+            DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION
+
+
+1. STATUS OF THIS MEMO
+
+This RFC describes the details of the domain system and protocol, and
+assumes that the reader is familiar with the concepts discussed in a
+companion RFC, "Domain Names - Concepts and Facilities" [RFC-1034].
+
+The domain system is a mixture of functions and data types which are an
+official protocol and functions and data types which are still
+experimental.  Since the domain system is intentionally extensible, new
+data types and experimental behavior should always be expected in parts
+of the system beyond the official protocol.  The official protocol parts
+include standard queries, responses and the Internet class RR data
+formats (e.g., host addresses).  Since the previous RFC set, several
+definitions have changed, so some previous definitions are obsolete.
+
+Experimental or obsolete features are clearly marked in these RFCs, and
+such information should be used with caution.
+
+The reader is especially cautioned not to depend on the values which
+appear in examples to be current or complete, since their purpose is
+primarily pedagogical.  Distribution of this memo is unlimited.
+
+                           Table of Contents
+
+  1. STATUS OF THIS MEMO                                              1
+  2. INTRODUCTION                                                     3
+      2.1. Overview                                                   3
+      2.2. Common configurations                                      4
+      2.3. Conventions                                                7
+          2.3.1. Preferred name syntax                                7
+          2.3.2. Data Transmission Order                              8
+          2.3.3. Character Case                                       9
+          2.3.4. Size limits                                         10
+  3. DOMAIN NAME SPACE AND RR DEFINITIONS                            10
+      3.1. Name space definitions                                    10
+      3.2. RR definitions                                            11
+          3.2.1. Format                                              11
+          3.2.2. TYPE values                                         12
+          3.2.3. QTYPE values                                        12
+          3.2.4. CLASS values                                        13
+
+
+
+Mockapetris                                                     [Page 1]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+          3.2.5. QCLASS values                                       13
+      3.3. Standard RRs                                              13
+          3.3.1. CNAME RDATA format                                  14
+          3.3.2. HINFO RDATA format                                  14
+          3.3.3. MB RDATA format (EXPERIMENTAL)                      14
+          3.3.4. MD RDATA format (Obsolete)                          15
+          3.3.5. MF RDATA format (Obsolete)                          15
+          3.3.6. MG RDATA format (EXPERIMENTAL)                      16
+          3.3.7. MINFO RDATA format (EXPERIMENTAL)                   16
+          3.3.8. MR RDATA format (EXPERIMENTAL)                      17
+          3.3.9. MX RDATA format                                     17
+          3.3.10. NULL RDATA format (EXPERIMENTAL)                   17
+          3.3.11. NS RDATA format                                    18
+          3.3.12. PTR RDATA format                                   18
+          3.3.13. SOA RDATA format                                   19
+          3.3.14. TXT RDATA format                                   20
+      3.4. ARPA Internet specific RRs                                20
+          3.4.1. A RDATA format                                      20
+          3.4.2. WKS RDATA format                                    21
+      3.5. IN-ADDR.ARPA domain                                       22
+      3.6. Defining new types, classes, and special namespaces       24
+  4. MESSAGES                                                        25
+      4.1. Format                                                    25
+          4.1.1. Header section format                               26
+          4.1.2. Question section format                             28
+          4.1.3. Resource record format                              29
+          4.1.4. Message compression                                 30
+      4.2. Transport                                                 32
+          4.2.1. UDP usage                                           32
+          4.2.2. TCP usage                                           32
+  5. MASTER FILES                                                    33
+      5.1. Format                                                    33
+      5.2. Use of master files to define zones                       35
+      5.3. Master file example                                       36
+  6. NAME SERVER IMPLEMENTATION                                      37
+      6.1. Architecture                                              37
+          6.1.1. Control                                             37
+          6.1.2. Database                                            37
+          6.1.3. Time                                                39
+      6.2. Standard query processing                                 39
+      6.3. Zone refresh and reload processing                        39
+      6.4. Inverse queries (Optional)                                40
+          6.4.1. The contents of inverse queries and responses       40
+          6.4.2. Inverse query and response example                  41
+          6.4.3. Inverse query processing                            42
+
+
+
+
+
+
+Mockapetris                                                     [Page 2]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+      6.5. Completion queries and responses                          42
+  7. RESOLVER IMPLEMENTATION                                         43
+      7.1. Transforming a user request into a query                  43
+      7.2. Sending the queries                                       44
+      7.3. Processing responses                                      46
+      7.4. Using the cache                                           47
+  8. MAIL SUPPORT                                                    47
+      8.1. Mail exchange binding                                     48
+      8.2. Mailbox binding (Experimental)                            48
+  9. REFERENCES and BIBLIOGRAPHY                                     50
+  Index                                                              54
+
+2. INTRODUCTION
+
+2.1. Overview
+
+The goal of domain names is to provide a mechanism for naming resources
+in such a way that the names are usable in different hosts, networks,
+protocol families, internets, and administrative organizations.
+
+From the user's point of view, domain names are useful as arguments to a
+local agent, called a resolver, which retrieves information associated
+with the domain name.  Thus a user might ask for the host address or
+mail information associated with a particular domain name.  To enable
+the user to request a particular type of information, an appropriate
+query type is passed to the resolver with the domain name.  To the user,
+the domain tree is a single information space; the resolver is
+responsible for hiding the distribution of data among name servers from
+the user.
+
+From the resolver's point of view, the database that makes up the domain
+space is distributed among various name servers.  Different parts of the
+domain space are stored in different name servers, although a particular
+data item will be stored redundantly in two or more name servers.  The
+resolver starts with knowledge of at least one name server.  When the
+resolver processes a user query it asks a known name server for the
+information; in return, the resolver either receives the desired
+information or a referral to another name server.  Using these
+referrals, resolvers learn the identities and contents of other name
+servers.  Resolvers are responsible for dealing with the distribution of
+the domain space and dealing with the effects of name server failure by
+consulting redundant databases in other servers.
+
+Name servers manage two kinds of data.  The first kind of data held in
+sets called zones; each zone is the complete database for a particular
+"pruned" subtree of the domain space.  This data is called
+authoritative.  A name server periodically checks to make sure that its
+zones are up to date, and if not, obtains a new copy of updated zones
+
+
+
+Mockapetris                                                     [Page 3]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+from master files stored locally or in another name server.  The second
+kind of data is cached data which was acquired by a local resolver.
+This data may be incomplete, but improves the performance of the
+retrieval process when non-local data is repeatedly accessed.  Cached
+data is eventually discarded by a timeout mechanism.
+
+This functional structure isolates the problems of user interface,
+failure recovery, and distribution in the resolvers and isolates the
+database update and refresh problems in the name servers.
+
+2.2. Common configurations
+
+A host can participate in the domain name system in a number of ways,
+depending on whether the host runs programs that retrieve information
+from the domain system, name servers that answer queries from other
+hosts, or various combinations of both functions.  The simplest, and
+perhaps most typical, configuration is shown below:
+
+                 Local Host                        |  Foreign
+                                                   |
+    +---------+               +----------+         |  +--------+
+    |         | user queries  |          |queries  |  |        |
+    |  User   |-------------->|          |---------|->|Foreign |
+    | Program |               | Resolver |         |  |  Name  |
+    |         |<--------------|          |<--------|--| Server |
+    |         | user responses|          |responses|  |        |
+    +---------+               +----------+         |  +--------+
+                                |     A            |
+                cache additions |     | references |
+                                V     |            |
+                              +----------+         |
+                              |  cache   |         |
+                              +----------+         |
+
+User programs interact with the domain name space through resolvers; the
+format of user queries and user responses is specific to the host and
+its operating system.  User queries will typically be operating system
+calls, and the resolver and its cache will be part of the host operating
+system.  Less capable hosts may choose to implement the resolver as a
+subroutine to be linked in with every program that needs its services.
+Resolvers answer user queries with information they acquire via queries
+to foreign name servers and the local cache.
+
+Note that the resolver may have to make several queries to several
+different foreign name servers to answer a particular user query, and
+hence the resolution of a user query may involve several network
+accesses and an arbitrary amount of time.  The queries to foreign name
+servers and the corresponding responses have a standard format described
+
+
+
+Mockapetris                                                     [Page 4]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+in this memo, and may be datagrams.
+
+Depending on its capabilities, a name server could be a stand alone
+program on a dedicated machine or a process or processes on a large
+timeshared host.  A simple configuration might be:
+
+                 Local Host                        |  Foreign
+                                                   |
+      +---------+                                  |
+     /         /|                                  |
+    +---------+ |             +----------+         |  +--------+
+    |         | |             |          |responses|  |        |
+    |         | |             |   Name   |---------|->|Foreign |
+    |  Master |-------------->|  Server  |         |  |Resolver|
+    |  files  | |             |          |<--------|--|        |
+    |         |/              |          | queries |  +--------+
+    +---------+               +----------+         |
+
+Here a primary name server acquires information about one or more zones
+by reading master files from its local file system, and answers queries
+about those zones that arrive from foreign resolvers.
+
+The DNS requires that all zones be redundantly supported by more than
+one name server.  Designated secondary servers can acquire zones and
+check for updates from the primary server using the zone transfer
+protocol of the DNS.  This configuration is shown below:
+
+                 Local Host                        |  Foreign
+                                                   |
+      +---------+                                  |
+     /         /|                                  |
+    +---------+ |             +----------+         |  +--------+
+    |         | |             |          |responses|  |        |
+    |         | |             |   Name   |---------|->|Foreign |
+    |  Master |-------------->|  Server  |         |  |Resolver|
+    |  files  | |             |          |<--------|--|        |
+    |         |/              |          | queries |  +--------+
+    +---------+               +----------+         |
+                                A     |maintenance |  +--------+
+                                |     +------------|->|        |
+                                |      queries     |  |Foreign |
+                                |                  |  |  Name  |
+                                +------------------|--| Server |
+                             maintenance responses |  +--------+
+
+In this configuration, the name server periodically establishes a
+virtual circuit to a foreign name server to acquire a copy of a zone or
+to check that an existing copy has not changed.  The messages sent for
+
+
+
+Mockapetris                                                     [Page 5]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+these maintenance activities follow the same form as queries and
+responses, but the message sequences are somewhat different.
+
+The information flow in a host that supports all aspects of the domain
+name system is shown below:
+
+                 Local Host                        |  Foreign
+                                                   |
+    +---------+               +----------+         |  +--------+
+    |         | user queries  |          |queries  |  |        |
+    |  User   |-------------->|          |---------|->|Foreign |
+    | Program |               | Resolver |         |  |  Name  |
+    |         |<--------------|          |<--------|--| Server |
+    |         | user responses|          |responses|  |        |
+    +---------+               +----------+         |  +--------+
+                                |     A            |
+                cache additions |     | references |
+                                V     |            |
+                              +----------+         |
+                              |  Shared  |         |
+                              | database |         |
+                              +----------+         |
+                                A     |            |
+      +---------+     refreshes |     | references |
+     /         /|               |     V            |
+    +---------+ |             +----------+         |  +--------+
+    |         | |             |          |responses|  |        |
+    |         | |             |   Name   |---------|->|Foreign |
+    |  Master |-------------->|  Server  |         |  |Resolver|
+    |  files  | |             |          |<--------|--|        |
+    |         |/              |          | queries |  +--------+
+    +---------+               +----------+         |
+                                A     |maintenance |  +--------+
+                                |     +------------|->|        |
+                                |      queries     |  |Foreign |
+                                |                  |  |  Name  |
+                                +------------------|--| Server |
+                             maintenance responses |  +--------+
+
+The shared database holds domain space data for the local name server
+and resolver.  The contents of the shared database will typically be a
+mixture of authoritative data maintained by the periodic refresh
+operations of the name server and cached data from previous resolver
+requests.  The structure of the domain data and the necessity for
+synchronization between name servers and resolvers imply the general
+characteristics of this database, but the actual format is up to the
+local implementor.
+
+
+
+
+Mockapetris                                                     [Page 6]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+Information flow can also be tailored so that a group of hosts act
+together to optimize activities.  Sometimes this is done to offload less
+capable hosts so that they do not have to implement a full resolver.
+This can be appropriate for PCs or hosts which want to minimize the
+amount of new network code which is required.  This scheme can also
+allow a group of hosts can share a small number of caches rather than
+maintaining a large number of separate caches, on the premise that the
+centralized caches will have a higher hit ratio.  In either case,
+resolvers are replaced with stub resolvers which act as front ends to
+resolvers located in a recursive server in one or more name servers
+known to perform that service:
+
+                   Local Hosts                     |  Foreign
+                                                   |
+    +---------+                                    |
+    |         | responses                          |
+    | Stub    |<--------------------+              |
+    | Resolver|                     |              |
+    |         |----------------+    |              |
+    +---------+ recursive      |    |              |
+                queries        |    |              |
+                               V    |              |
+    +---------+ recursive     +----------+         |  +--------+
+    |         | queries       |          |queries  |  |        |
+    | Stub    |-------------->| Recursive|---------|->|Foreign |
+    | Resolver|               | Server   |         |  |  Name  |
+    |         |<--------------|          |<--------|--| Server |
+    +---------+ responses     |          |responses|  |        |
+                              +----------+         |  +--------+
+                              |  Central |         |
+                              |   cache  |         |
+                              +----------+         |
+
+In any case, note that domain components are always replicated for
+reliability whenever possible.
+
+2.3. Conventions
+
+The domain system has several conventions dealing with low-level, but
+fundamental, issues.  While the implementor is free to violate these
+conventions WITHIN HIS OWN SYSTEM, he must observe these conventions in
+ALL behavior observed from other hosts.
+
+2.3.1. Preferred name syntax
+
+The DNS specifications attempt to be as general as possible in the rules
+for constructing domain names.  The idea is that the name of any
+existing object can be expressed as a domain name with minimal changes.
+
+
+
+Mockapetris                                                     [Page 7]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+However, when assigning a domain name for an object, the prudent user
+will select a name which satisfies both the rules of the domain system
+and any existing rules for the object, whether these rules are published
+or implied by existing programs.
+
+For example, when naming a mail domain, the user should satisfy both the
+rules of this memo and those in RFC-822.  When creating a new host name,
+the old rules for HOSTS.TXT should be followed.  This avoids problems
+when old software is converted to use domain names.
+
+The following syntax will result in fewer problems with many
+
+applications that use domain names (e.g., mail, TELNET).
+
+<domain> ::= <subdomain> | " "
+
+<subdomain> ::= <label> | <subdomain> "." <label>
+
+<label> ::= <letter> [ [ <ldh-str> ] <let-dig> ]
+
+<ldh-str> ::= <let-dig-hyp> | <let-dig-hyp> <ldh-str>
+
+<let-dig-hyp> ::= <let-dig> | "-"
+
+<let-dig> ::= <letter> | <digit>
+
+<letter> ::= any one of the 52 alphabetic characters A through Z in
+upper case and a through z in lower case
+
+<digit> ::= any one of the ten digits 0 through 9
+
+Note that while upper and lower case letters are allowed in domain
+names, no significance is attached to the case.  That is, two names with
+the same spelling but different case are to be treated as if identical.
+
+The labels must follow the rules for ARPANET host names.  They must
+start with a letter, end with a letter or digit, and have as interior
+characters only letters, digits, and hyphen.  There are also some
+restrictions on the length.  Labels must be 63 characters or less.
+
+For example, the following strings identify hosts in the Internet:
+
+A.ISI.EDU XX.LCS.MIT.EDU SRI-NIC.ARPA
+
+2.3.2. Data Transmission Order
+
+The order of transmission of the header and data described in this
+document is resolved to the octet level.  Whenever a diagram shows a
+
+
+
+Mockapetris                                                     [Page 8]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+group of octets, the order of transmission of those octets is the normal
+order in which they are read in English.  For example, in the following
+diagram, the octets are transmitted in the order they are numbered.
+
+     0                   1
+     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    |       1       |       2       |
+    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    |       3       |       4       |
+    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    |       5       |       6       |
+    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+Whenever an octet represents a numeric quantity, the left most bit in
+the diagram is the high order or most significant bit.  That is, the bit
+labeled 0 is the most significant bit.  For example, the following
+diagram represents the value 170 (decimal).
+
+     0 1 2 3 4 5 6 7
+    +-+-+-+-+-+-+-+-+
+    |1 0 1 0 1 0 1 0|
+    +-+-+-+-+-+-+-+-+
+
+Similarly, whenever a multi-octet field represents a numeric quantity
+the left most bit of the whole field is the most significant bit.  When
+a multi-octet quantity is transmitted the most significant octet is
+transmitted first.
+
+2.3.3. Character Case
+
+For all parts of the DNS that are part of the official protocol, all
+comparisons between character strings (e.g., labels, domain names, etc.)
+are done in a case-insensitive manner.  At present, this rule is in
+force throughout the domain system without exception.  However, future
+additions beyond current usage may need to use the full binary octet
+capabilities in names, so attempts to store domain names in 7-bit ASCII
+or use of special bytes to terminate labels, etc., should be avoided.
+
+When data enters the domain system, its original case should be
+preserved whenever possible.  In certain circumstances this cannot be
+done.  For example, if two RRs are stored in a database, one at x.y and
+one at X.Y, they are actually stored at the same place in the database,
+and hence only one casing would be preserved.  The basic rule is that
+case can be discarded only when data is used to define structure in a
+database, and two names are identical when compared in a case
+insensitive manner.
+
+
+
+
+Mockapetris                                                     [Page 9]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+Loss of case sensitive data must be minimized.  Thus while data for x.y
+and X.Y may both be stored under a single location x.y or X.Y, data for
+a.x and B.X would never be stored under A.x, A.X, b.x, or b.X.  In
+general, this preserves the case of the first label of a domain name,
+but forces standardization of interior node labels.
+
+Systems administrators who enter data into the domain database should
+take care to represent the data they supply to the domain system in a
+case-consistent manner if their system is case-sensitive.  The data
+distribution system in the domain system will ensure that consistent
+representations are preserved.
+
+2.3.4. Size limits
+
+Various objects and parameters in the DNS have size limits.  They are
+listed below.  Some could be easily changed, others are more
+fundamental.
+
+labels          63 octets or less
+
+names           255 octets or less
+
+TTL             positive values of a signed 32 bit number.
+
+UDP messages    512 octets or less
+
+3. DOMAIN NAME SPACE AND RR DEFINITIONS
+
+3.1. Name space definitions
+
+Domain names in messages are expressed in terms of a sequence of labels.
+Each label is represented as a one octet length field followed by that
+number of octets.  Since every domain name ends with the null label of
+the root, a domain name is terminated by a length byte of zero.  The
+high order two bits of every length octet must be zero, and the
+remaining six bits of the length field limit the label to 63 octets or
+less.
+
+To simplify implementations, the total length of a domain name (i.e.,
+label octets and label length octets) is restricted to 255 octets or
+less.
+
+Although labels can contain any 8 bit values in octets that make up a
+label, it is strongly recommended that labels follow the preferred
+syntax described elsewhere in this memo, which is compatible with
+existing host naming conventions.  Name servers and resolvers must
+compare labels in a case-insensitive manner (i.e., A=a), assuming ASCII
+with zero parity.  Non-alphabetic codes must match exactly.
+
+
+
+Mockapetris                                                    [Page 10]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+3.2. RR definitions
+
+3.2.1. Format
+
+All RRs have the same top level format shown below:
+
+                                    1  1  1  1  1  1
+      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                                               |
+    /                                               /
+    /                      NAME                     /
+    |                                               |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                      TYPE                     |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                     CLASS                     |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                      TTL                      |
+    |                                               |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                   RDLENGTH                    |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--|
+    /                     RDATA                     /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+
+where:
+
+NAME            an owner name, i.e., the name of the node to which this
+                resource record pertains.
+
+TYPE            two octets containing one of the RR TYPE codes.
+
+CLASS           two octets containing one of the RR CLASS codes.
+
+TTL             a 32 bit signed integer that specifies the time interval
+                that the resource record may be cached before the source
+                of the information should again be consulted.  Zero
+                values are interpreted to mean that the RR can only be
+                used for the transaction in progress, and should not be
+                cached.  For example, SOA records are always distributed
+                with a zero TTL to prohibit caching.  Zero values can
+                also be used for extremely volatile data.
+
+RDLENGTH        an unsigned 16 bit integer that specifies the length in
+                octets of the RDATA field.
+
+
+
+Mockapetris                                                    [Page 11]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+RDATA           a variable length string of octets that describes the
+                resource.  The format of this information varies
+                according to the TYPE and CLASS of the resource record.
+
+3.2.2. TYPE values
+
+TYPE fields are used in resource records.  Note that these types are a
+subset of QTYPEs.
+
+TYPE            value and meaning
+
+A               1 a host address
+
+NS              2 an authoritative name server
+
+MD              3 a mail destination (Obsolete - use MX)
+
+MF              4 a mail forwarder (Obsolete - use MX)
+
+CNAME           5 the canonical name for an alias
+
+SOA             6 marks the start of a zone of authority
+
+MB              7 a mailbox domain name (EXPERIMENTAL)
+
+MG              8 a mail group member (EXPERIMENTAL)
+
+MR              9 a mail rename domain name (EXPERIMENTAL)
+
+NULL            10 a null RR (EXPERIMENTAL)
+
+WKS             11 a well known service description
+
+PTR             12 a domain name pointer
+
+HINFO           13 host information
+
+MINFO           14 mailbox or mail list information
+
+MX              15 mail exchange
+
+TXT             16 text strings
+
+3.2.3. QTYPE values
+
+QTYPE fields appear in the question part of a query.  QTYPES are a
+superset of TYPEs, hence all TYPEs are valid QTYPEs.  In addition, the
+following QTYPEs are defined:
+
+
+
+Mockapetris                                                    [Page 12]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+AXFR            252 A request for a transfer of an entire zone
+
+MAILB           253 A request for mailbox-related records (MB, MG or MR)
+
+MAILA           254 A request for mail agent RRs (Obsolete - see MX)
+
+*               255 A request for all records
+
+3.2.4. CLASS values
+
+CLASS fields appear in resource records.  The following CLASS mnemonics
+and values are defined:
+
+IN              1 the Internet
+
+CS              2 the CSNET class (Obsolete - used only for examples in
+                some obsolete RFCs)
+
+CH              3 the CHAOS class
+
+HS              4 Hesiod [Dyer 87]
+
+3.2.5. QCLASS values
+
+QCLASS fields appear in the question section of a query.  QCLASS values
+are a superset of CLASS values; every CLASS is a valid QCLASS.  In
+addition to CLASS values, the following QCLASSes are defined:
+
+*               255 any class
+
+3.3. Standard RRs
+
+The following RR definitions are expected to occur, at least
+potentially, in all classes.  In particular, NS, SOA, CNAME, and PTR
+will be used in all classes, and have the same format in all classes.
+Because their RDATA format is known, all domain names in the RDATA
+section of these RRs may be compressed.
+
+<domain-name> is a domain name represented as a series of labels, and
+terminated by a label with zero length.  <character-string> is a single
+length octet followed by that number of characters.  <character-string>
+is treated as binary information, and can be up to 256 characters in
+length (including the length octet).
+
+
+
+
+
+
+
+
+Mockapetris                                                    [Page 13]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+3.3.1. CNAME RDATA format
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                     CNAME                     /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+CNAME           A <domain-name> which specifies the canonical or primary
+                name for the owner.  The owner name is an alias.
+
+CNAME RRs cause no additional section processing, but name servers may
+choose to restart the query at the canonical name in certain cases.  See
+the description of name server logic in [RFC-1034] for details.
+
+3.3.2. HINFO RDATA format
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                      CPU                      /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                       OS                      /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+CPU             A <character-string> which specifies the CPU type.
+
+OS              A <character-string> which specifies the operating
+                system type.
+
+Standard values for CPU and OS can be found in [RFC-1010].
+
+HINFO records are used to acquire general information about a host.  The
+main use is for protocols such as FTP that can use special procedures
+when talking between machines or operating systems of the same type.
+
+3.3.3. MB RDATA format (EXPERIMENTAL)
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                   MADNAME                     /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+MADNAME         A <domain-name> which specifies a host which has the
+                specified mailbox.
+
+
+
+Mockapetris                                                    [Page 14]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+MB records cause additional section processing which looks up an A type
+RRs corresponding to MADNAME.
+
+3.3.4. MD RDATA format (Obsolete)
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                   MADNAME                     /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+MADNAME         A <domain-name> which specifies a host which has a mail
+                agent for the domain which should be able to deliver
+                mail for the domain.
+
+MD records cause additional section processing which looks up an A type
+record corresponding to MADNAME.
+
+MD is obsolete.  See the definition of MX and [RFC-974] for details of
+the new scheme.  The recommended policy for dealing with MD RRs found in
+a master file is to reject them, or to convert them to MX RRs with a
+preference of 0.
+
+3.3.5. MF RDATA format (Obsolete)
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                   MADNAME                     /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+MADNAME         A <domain-name> which specifies a host which has a mail
+                agent for the domain which will accept mail for
+                forwarding to the domain.
+
+MF records cause additional section processing which looks up an A type
+record corresponding to MADNAME.
+
+MF is obsolete.  See the definition of MX and [RFC-974] for details ofw
+the new scheme.  The recommended policy for dealing with MD RRs found in
+a master file is to reject them, or to convert them to MX RRs with a
+preference of 10.
+
+
+
+
+
+
+
+Mockapetris                                                    [Page 15]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+3.3.6. MG RDATA format (EXPERIMENTAL)
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                   MGMNAME                     /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+MGMNAME         A <domain-name> which specifies a mailbox which is a
+                member of the mail group specified by the domain name.
+
+MG records cause no additional section processing.
+
+3.3.7. MINFO RDATA format (EXPERIMENTAL)
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                    RMAILBX                    /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                    EMAILBX                    /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+RMAILBX         A <domain-name> which specifies a mailbox which is
+                responsible for the mailing list or mailbox.  If this
+                domain name names the root, the owner of the MINFO RR is
+                responsible for itself.  Note that many existing mailing
+                lists use a mailbox X-request for the RMAILBX field of
+                mailing list X, e.g., Msgroup-request for Msgroup.  This
+                field provides a more general mechanism.
+
+
+EMAILBX         A <domain-name> which specifies a mailbox which is to
+                receive error messages related to the mailing list or
+                mailbox specified by the owner of the MINFO RR (similar
+                to the ERRORS-TO: field which has been proposed).  If
+                this domain name names the root, errors should be
+                returned to the sender of the message.
+
+MINFO records cause no additional section processing.  Although these
+records can be associated with a simple mailbox, they are usually used
+with a mailing list.
+
+
+
+
+
+
+
+
+Mockapetris                                                    [Page 16]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+3.3.8. MR RDATA format (EXPERIMENTAL)
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                   NEWNAME                     /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+NEWNAME         A <domain-name> which specifies a mailbox which is the
+                proper rename of the specified mailbox.
+
+MR records cause no additional section processing.  The main use for MR
+is as a forwarding entry for a user who has moved to a different
+mailbox.
+
+3.3.9. MX RDATA format
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                  PREFERENCE                   |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                   EXCHANGE                    /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+PREFERENCE      A 16 bit integer which specifies the preference given to
+                this RR among others at the same owner.  Lower values
+                are preferred.
+
+EXCHANGE        A <domain-name> which specifies a host willing to act as
+                a mail exchange for the owner name.
+
+MX records cause type A additional section processing for the host
+specified by EXCHANGE.  The use of MX RRs is explained in detail in
+[RFC-974].
+
+3.3.10. NULL RDATA format (EXPERIMENTAL)
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                  <anything>                   /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+Anything at all may be in the RDATA field so long as it is 65535 octets
+or less.
+
+
+
+
+Mockapetris                                                    [Page 17]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+NULL records cause no additional section processing.  NULL RRs are not
+allowed in master files.  NULLs are used as placeholders in some
+experimental extensions of the DNS.
+
+3.3.11. NS RDATA format
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                   NSDNAME                     /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+NSDNAME         A <domain-name> which specifies a host which should be
+                authoritative for the specified class and domain.
+
+NS records cause both the usual additional section processing to locate
+a type A record, and, when used in a referral, a special search of the
+zone in which they reside for glue information.
+
+The NS RR states that the named host should be expected to have a zone
+starting at owner name of the specified class.  Note that the class may
+not indicate the protocol family which should be used to communicate
+with the host, although it is typically a strong hint.  For example,
+hosts which are name servers for either Internet (IN) or Hesiod (HS)
+class information are normally queried using IN class protocols.
+
+3.3.12. PTR RDATA format
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                   PTRDNAME                    /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+PTRDNAME        A <domain-name> which points to some location in the
+                domain name space.
+
+PTR records cause no additional section processing.  These RRs are used
+in special domains to point to some other location in the domain space.
+These records are simple data, and don't imply any special processing
+similar to that performed by CNAME, which identifies aliases.  See the
+description of the IN-ADDR.ARPA domain for an example.
+
+
+
+
+
+
+
+
+Mockapetris                                                    [Page 18]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+3.3.13. SOA RDATA format
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                     MNAME                     /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                     RNAME                     /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                    SERIAL                     |
+    |                                               |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                    REFRESH                    |
+    |                                               |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                     RETRY                     |
+    |                                               |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                    EXPIRE                     |
+    |                                               |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                    MINIMUM                    |
+    |                                               |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+MNAME           The <domain-name> of the name server that was the
+                original or primary source of data for this zone.
+
+RNAME           A <domain-name> which specifies the mailbox of the
+                person responsible for this zone.
+
+SERIAL          The unsigned 32 bit version number of the original copy
+                of the zone.  Zone transfers preserve this value.  This
+                value wraps and should be compared using sequence space
+                arithmetic.
+
+REFRESH         A 32 bit time interval before the zone should be
+                refreshed.
+
+RETRY           A 32 bit time interval that should elapse before a
+                failed refresh should be retried.
+
+EXPIRE          A 32 bit time value that specifies the upper limit on
+                the time interval that can elapse before the zone is no
+                longer authoritative.
+
+
+
+
+
+Mockapetris                                                    [Page 19]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+MINIMUM         The unsigned 32 bit minimum TTL field that should be
+                exported with any RR from this zone.
+
+SOA records cause no additional section processing.
+
+All times are in units of seconds.
+
+Most of these fields are pertinent only for name server maintenance
+operations.  However, MINIMUM is used in all query operations that
+retrieve RRs from a zone.  Whenever a RR is sent in a response to a
+query, the TTL field is set to the maximum of the TTL field from the RR
+and the MINIMUM field in the appropriate SOA.  Thus MINIMUM is a lower
+bound on the TTL field for all RRs in a zone.  Note that this use of
+MINIMUM should occur when the RRs are copied into the response and not
+when the zone is loaded from a master file or via a zone transfer.  The
+reason for this provison is to allow future dynamic update facilities to
+change the SOA RR with known semantics.
+
+
+3.3.14. TXT RDATA format
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                   TXT-DATA                    /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+TXT-DATA        One or more <character-string>s.
+
+TXT RRs are used to hold descriptive text.  The semantics of the text
+depends on the domain where it is found.
+
+3.4. Internet specific RRs
+
+3.4.1. A RDATA format
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                    ADDRESS                    |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+ADDRESS         A 32 bit Internet address.
+
+Hosts that have multiple Internet addresses will have multiple A
+records.
+
+
+
+
+
+Mockapetris                                                    [Page 20]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+A records cause no additional section processing.  The RDATA section of
+an A line in a master file is an Internet address expressed as four
+decimal numbers separated by dots without any embedded spaces (e.g.,
+"10.2.0.52" or "192.0.5.6").
+
+3.4.2. WKS RDATA format
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                    ADDRESS                    |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |       PROTOCOL        |                       |
+    +--+--+--+--+--+--+--+--+                       |
+    |                                               |
+    /                   <BIT MAP>                   /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+ADDRESS         An 32 bit Internet address
+
+PROTOCOL        An 8 bit IP protocol number
+
+<BIT MAP>       A variable length bit map.  The bit map must be a
+                multiple of 8 bits long.
+
+The WKS record is used to describe the well known services supported by
+a particular protocol on a particular internet address.  The PROTOCOL
+field specifies an IP protocol number, and the bit map has one bit per
+port of the specified protocol.  The first bit corresponds to port 0,
+the second to port 1, etc.  If the bit map does not include a bit for a
+protocol of interest, that bit is assumed zero.  The appropriate values
+and mnemonics for ports and protocols are specified in [RFC-1010].
+
+For example, if PROTOCOL=TCP (6), the 26th bit corresponds to TCP port
+25 (SMTP).  If this bit is set, a SMTP server should be listening on TCP
+port 25; if zero, SMTP service is not supported on the specified
+address.
+
+The purpose of WKS RRs is to provide availability information for
+servers for TCP and UDP.  If a server supports both TCP and UDP, or has
+multiple Internet addresses, then multiple WKS RRs are used.
+
+WKS RRs cause no additional section processing.
+
+In master files, both ports and protocols are expressed using mnemonics
+or decimal numbers.
+
+
+
+
+Mockapetris                                                    [Page 21]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+3.5. IN-ADDR.ARPA domain
+
+The Internet uses a special domain to support gateway location and
+Internet address to host mapping.  Other classes may employ a similar
+strategy in other domains.  The intent of this domain is to provide a
+guaranteed method to perform host address to host name mapping, and to
+facilitate queries to locate all gateways on a particular network in the
+Internet.
+
+Note that both of these services are similar to functions that could be
+performed by inverse queries; the difference is that this part of the
+domain name space is structured according to address, and hence can
+guarantee that the appropriate data can be located without an exhaustive
+search of the domain space.
+
+The domain begins at IN-ADDR.ARPA and has a substructure which follows
+the Internet addressing structure.
+
+Domain names in the IN-ADDR.ARPA domain are defined to have up to four
+labels in addition to the IN-ADDR.ARPA suffix.  Each label represents
+one octet of an Internet address, and is expressed as a character string
+for a decimal value in the range 0-255 (with leading zeros omitted
+except in the case of a zero octet which is represented by a single
+zero).
+
+Host addresses are represented by domain names that have all four labels
+specified.  Thus data for Internet address 10.2.0.52 is located at
+domain name 52.0.2.10.IN-ADDR.ARPA.  The reversal, though awkward to
+read, allows zones to be delegated which are exactly one network of
+address space.  For example, 10.IN-ADDR.ARPA can be a zone containing
+data for the ARPANET, while 26.IN-ADDR.ARPA can be a separate zone for
+MILNET.  Address nodes are used to hold pointers to primary host names
+in the normal domain space.
+
+Network numbers correspond to some non-terminal nodes at various depths
+in the IN-ADDR.ARPA domain, since Internet network numbers are either 1,
+2, or 3 octets.  Network nodes are used to hold pointers to the primary
+host names of gateways attached to that network.  Since a gateway is, by
+definition, on more than one network, it will typically have two or more
+network nodes which point at it.  Gateways will also have host level
+pointers at their fully qualified addresses.
+
+Both the gateway pointers at network nodes and the normal host pointers
+at full address nodes use the PTR RR to point back to the primary domain
+names of the corresponding hosts.
+
+For example, the IN-ADDR.ARPA domain will contain information about the
+ISI gateway between net 10 and 26, an MIT gateway from net 10 to MIT's
+
+
+
+Mockapetris                                                    [Page 22]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+net 18, and hosts A.ISI.EDU and MULTICS.MIT.EDU.  Assuming that ISI
+gateway has addresses 10.2.0.22 and 26.0.0.103, and a name MILNET-
+GW.ISI.EDU, and the MIT gateway has addresses 10.0.0.77 and 18.10.0.4
+and a name GW.LCS.MIT.EDU, the domain database would contain:
+
+    10.IN-ADDR.ARPA.           PTR MILNET-GW.ISI.EDU.
+    10.IN-ADDR.ARPA.           PTR GW.LCS.MIT.EDU.
+    18.IN-ADDR.ARPA.           PTR GW.LCS.MIT.EDU.
+    26.IN-ADDR.ARPA.           PTR MILNET-GW.ISI.EDU.
+    22.0.2.10.IN-ADDR.ARPA.    PTR MILNET-GW.ISI.EDU.
+    103.0.0.26.IN-ADDR.ARPA.   PTR MILNET-GW.ISI.EDU.
+    77.0.0.10.IN-ADDR.ARPA.    PTR GW.LCS.MIT.EDU.
+    4.0.10.18.IN-ADDR.ARPA.    PTR GW.LCS.MIT.EDU.
+    103.0.3.26.IN-ADDR.ARPA.   PTR A.ISI.EDU.
+    6.0.0.10.IN-ADDR.ARPA.     PTR MULTICS.MIT.EDU.
+
+Thus a program which wanted to locate gateways on net 10 would originate
+a query of the form QTYPE=PTR, QCLASS=IN, QNAME=10.IN-ADDR.ARPA.  It
+would receive two RRs in response:
+
+    10.IN-ADDR.ARPA.           PTR MILNET-GW.ISI.EDU.
+    10.IN-ADDR.ARPA.           PTR GW.LCS.MIT.EDU.
+
+The program could then originate QTYPE=A, QCLASS=IN queries for MILNET-
+GW.ISI.EDU. and GW.LCS.MIT.EDU. to discover the Internet addresses of
+these gateways.
+
+A resolver which wanted to find the host name corresponding to Internet
+host address 10.0.0.6 would pursue a query of the form QTYPE=PTR,
+QCLASS=IN, QNAME=6.0.0.10.IN-ADDR.ARPA, and would receive:
+
+    6.0.0.10.IN-ADDR.ARPA.     PTR MULTICS.MIT.EDU.
+
+Several cautions apply to the use of these services:
+   - Since the IN-ADDR.ARPA special domain and the normal domain
+     for a particular host or gateway will be in different zones,
+     the possibility exists that that the data may be inconsistent.
+
+   - Gateways will often have two names in separate domains, only
+     one of which can be primary.
+
+   - Systems that use the domain database to initialize their
+     routing tables must start with enough gateway information to
+     guarantee that they can access the appropriate name server.
+
+   - The gateway data only reflects the existence of a gateway in a
+     manner equivalent to the current HOSTS.TXT file.  It doesn't
+     replace the dynamic availability information from GGP or EGP.
+
+
+
+Mockapetris                                                    [Page 23]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+3.6. Defining new types, classes, and special namespaces
+
+The previously defined types and classes are the ones in use as of the
+date of this memo.  New definitions should be expected.  This section
+makes some recommendations to designers considering additions to the
+existing facilities.  The mailing list NAMEDROPPERS@SRI-NIC.ARPA is the
+forum where general discussion of design issues takes place.
+
+In general, a new type is appropriate when new information is to be
+added to the database about an existing object, or we need new data
+formats for some totally new object.  Designers should attempt to define
+types and their RDATA formats that are generally applicable to all
+classes, and which avoid duplication of information.  New classes are
+appropriate when the DNS is to be used for a new protocol, etc which
+requires new class-specific data formats, or when a copy of the existing
+name space is desired, but a separate management domain is necessary.
+
+New types and classes need mnemonics for master files; the format of the
+master files requires that the mnemonics for type and class be disjoint.
+
+TYPE and CLASS values must be a proper subset of QTYPEs and QCLASSes
+respectively.
+
+The present system uses multiple RRs to represent multiple values of a
+type rather than storing multiple values in the RDATA section of a
+single RR.  This is less efficient for most applications, but does keep
+RRs shorter.  The multiple RRs assumption is incorporated in some
+experimental work on dynamic update methods.
+
+The present system attempts to minimize the duplication of data in the
+database in order to insure consistency.  Thus, in order to find the
+address of the host for a mail exchange, you map the mail domain name to
+a host name, then the host name to addresses, rather than a direct
+mapping to host address.  This approach is preferred because it avoids
+the opportunity for inconsistency.
+
+In defining a new type of data, multiple RR types should not be used to
+create an ordering between entries or express different formats for
+equivalent bindings, instead this information should be carried in the
+body of the RR and a single type used.  This policy avoids problems with
+caching multiple types and defining QTYPEs to match multiple types.
+
+For example, the original form of mail exchange binding used two RR
+types one to represent a "closer" exchange (MD) and one to represent a
+"less close" exchange (MF).  The difficulty is that the presence of one
+RR type in a cache doesn't convey any information about the other
+because the query which acquired the cached information might have used
+a QTYPE of MF, MD, or MAILA (which matched both).  The redesigned
+
+
+
+Mockapetris                                                    [Page 24]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+service used a single type (MX) with a "preference" value in the RDATA
+section which can order different RRs.  However, if any MX RRs are found
+in the cache, then all should be there.
+
+4. MESSAGES
+
+4.1. Format
+
+All communications inside of the domain protocol are carried in a single
+format called a message.  The top level format of message is divided
+into 5 sections (some of which are empty in certain cases) shown below:
+
+    +---------------------+
+    |        Header       |
+    +---------------------+
+    |       Question      | the question for the name server
+    +---------------------+
+    |        Answer       | RRs answering the question
+    +---------------------+
+    |      Authority      | RRs pointing toward an authority
+    +---------------------+
+    |      Additional     | RRs holding additional information
+    +---------------------+
+
+The header section is always present.  The header includes fields that
+specify which of the remaining sections are present, and also specify
+whether the message is a query or a response, a standard query or some
+other opcode, etc.
+
+The names of the sections after the header are derived from their use in
+standard queries.  The question section contains fields that describe a
+question to a name server.  These fields are a query type (QTYPE), a
+query class (QCLASS), and a query domain name (QNAME).  The last three
+sections have the same format: a possibly empty list of concatenated
+resource records (RRs).  The answer section contains RRs that answer the
+question; the authority section contains RRs that point toward an
+authoritative name server; the additional records section contains RRs
+which relate to the query, but are not strictly answers for the
+question.
+
+
+
+
+
+
+
+
+
+
+
+
+Mockapetris                                                    [Page 25]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+4.1.1. Header section format
+
+The header contains the following fields:
+
+                                    1  1  1  1  1  1
+      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                      ID                       |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |QR|   Opcode  |AA|TC|RD|RA|   Z    |   RCODE   |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                    QDCOUNT                    |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                    ANCOUNT                    |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                    NSCOUNT                    |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                    ARCOUNT                    |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+ID              A 16 bit identifier assigned by the program that
+                generates any kind of query.  This identifier is copied
+                the corresponding reply and can be used by the requester
+                to match up replies to outstanding queries.
+
+QR              A one bit field that specifies whether this message is a
+                query (0), or a response (1).
+
+OPCODE          A four bit field that specifies kind of query in this
+                message.  This value is set by the originator of a query
+                and copied into the response.  The values are:
+
+                0               a standard query (QUERY)
+
+                1               an inverse query (IQUERY)
+
+                2               a server status request (STATUS)
+
+                3-15            reserved for future use
+
+AA              Authoritative Answer - this bit is valid in responses,
+                and specifies that the responding name server is an
+                authority for the domain name in question section.
+
+                Note that the contents of the answer section may have
+                multiple owner names because of aliases.  The AA bit
+
+
+
+Mockapetris                                                    [Page 26]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+                corresponds to the name which matches the query name, or
+                the first owner name in the answer section.
+
+TC              TrunCation - specifies that this message was truncated
+                due to length greater than that permitted on the
+                transmission channel.
+
+RD              Recursion Desired - this bit may be set in a query and
+                is copied into the response.  If RD is set, it directs
+                the name server to pursue the query recursively.
+                Recursive query support is optional.
+
+RA              Recursion Available - this be is set or cleared in a
+                response, and denotes whether recursive query support is
+                available in the name server.
+
+Z               Reserved for future use.  Must be zero in all queries
+                and responses.
+
+RCODE           Response code - this 4 bit field is set as part of
+                responses.  The values have the following
+                interpretation:
+
+                0               No error condition
+
+                1               Format error - The name server was
+                                unable to interpret the query.
+
+                2               Server failure - The name server was
+                                unable to process this query due to a
+                                problem with the name server.
+
+                3               Name Error - Meaningful only for
+                                responses from an authoritative name
+                                server, this code signifies that the
+                                domain name referenced in the query does
+                                not exist.
+
+                4               Not Implemented - The name server does
+                                not support the requested kind of query.
+
+                5               Refused - The name server refuses to
+                                perform the specified operation for
+                                policy reasons.  For example, a name
+                                server may not wish to provide the
+                                information to the particular requester,
+                                or a name server may not wish to perform
+                                a particular operation (e.g., zone
+
+
+
+Mockapetris                                                    [Page 27]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+                                transfer) for particular data.
+
+                6-15            Reserved for future use.
+
+QDCOUNT         an unsigned 16 bit integer specifying the number of
+                entries in the question section.
+
+ANCOUNT         an unsigned 16 bit integer specifying the number of
+                resource records in the answer section.
+
+NSCOUNT         an unsigned 16 bit integer specifying the number of name
+                server resource records in the authority records
+                section.
+
+ARCOUNT         an unsigned 16 bit integer specifying the number of
+                resource records in the additional records section.
+
+4.1.2. Question section format
+
+The question section is used to carry the "question" in most queries,
+i.e., the parameters that define what is being asked.  The section
+contains QDCOUNT (usually 1) entries, each of the following format:
+
+                                    1  1  1  1  1  1
+      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                                               |
+    /                     QNAME                     /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                     QTYPE                     |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                     QCLASS                    |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+QNAME           a domain name represented as a sequence of labels, where
+                each label consists of a length octet followed by that
+                number of octets.  The domain name terminates with the
+                zero length octet for the null label of the root.  Note
+                that this field may be an odd number of octets; no
+                padding is used.
+
+QTYPE           a two octet code which specifies the type of the query.
+                The values for this field include all codes valid for a
+                TYPE field, together with some more general codes which
+                can match more than one type of RR.
+
+
+
+Mockapetris                                                    [Page 28]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+QCLASS          a two octet code that specifies the class of the query.
+                For example, the QCLASS field is IN for the Internet.
+
+4.1.3. Resource record format
+
+The answer, authority, and additional sections all share the same
+format: a variable number of resource records, where the number of
+records is specified in the corresponding count field in the header.
+Each resource record has the following format:
+                                    1  1  1  1  1  1
+      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                                               |
+    /                                               /
+    /                      NAME                     /
+    |                                               |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                      TYPE                     |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                     CLASS                     |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                      TTL                      |
+    |                                               |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                   RDLENGTH                    |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--|
+    /                     RDATA                     /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+NAME            a domain name to which this resource record pertains.
+
+TYPE            two octets containing one of the RR type codes.  This
+                field specifies the meaning of the data in the RDATA
+                field.
+
+CLASS           two octets which specify the class of the data in the
+                RDATA field.
+
+TTL             a 32 bit unsigned integer that specifies the time
+                interval (in seconds) that the resource record may be
+                cached before it should be discarded.  Zero values are
+                interpreted to mean that the RR can only be used for the
+                transaction in progress, and should not be cached.
+
+
+
+
+
+Mockapetris                                                    [Page 29]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+RDLENGTH        an unsigned 16 bit integer that specifies the length in
+                octets of the RDATA field.
+
+RDATA           a variable length string of octets that describes the
+                resource.  The format of this information varies
+                according to the TYPE and CLASS of the resource record.
+                For example, the if the TYPE is A and the CLASS is IN,
+                the RDATA field is a 4 octet ARPA Internet address.
+
+4.1.4. Message compression
+
+In order to reduce the size of messages, the domain system utilizes a
+compression scheme which eliminates the repetition of domain names in a
+message.  In this scheme, an entire domain name or a list of labels at
+the end of a domain name is replaced with a pointer to a prior occurrence
+of the same name.
+
+The pointer takes the form of a two octet sequence:
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    | 1  1|                OFFSET                   |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+The first two bits are ones.  This allows a pointer to be distinguished
+from a label, since the label must begin with two zero bits because
+labels are restricted to 63 octets or less.  (The 10 and 01 combinations
+are reserved for future use.)  The OFFSET field specifies an offset from
+the start of the message (i.e., the first octet of the ID field in the
+domain header).  A zero offset specifies the first byte of the ID field,
+etc.
+
+The compression scheme allows a domain name in a message to be
+represented as either:
+
+   - a sequence of labels ending in a zero octet
+
+   - a pointer
+
+   - a sequence of labels ending with a pointer
+
+Pointers can only be used for occurrences of a domain name where the
+format is not class specific.  If this were not the case, a name server
+or resolver would be required to know the format of all RRs it handled.
+As yet, there are no such cases, but they may occur in future RDATA
+formats.
+
+If a domain name is contained in a part of the message subject to a
+length field (such as the RDATA section of an RR), and compression is
+
+
+
+Mockapetris                                                    [Page 30]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+used, the length of the compressed name is used in the length
+calculation, rather than the length of the expanded name.
+
+Programs are free to avoid using pointers in messages they generate,
+although this will reduce datagram capacity, and may cause truncation.
+However all programs are required to understand arriving messages that
+contain pointers.
+
+For example, a datagram might need to use the domain names F.ISI.ARPA,
+FOO.F.ISI.ARPA, ARPA, and the root.  Ignoring the other fields of the
+message, these domain names might be represented as:
+
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    20 |           1           |           F           |
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    22 |           3           |           I           |
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    24 |           S           |           I           |
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    26 |           4           |           A           |
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    28 |           R           |           P           |
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    30 |           A           |           0           |
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    40 |           3           |           F           |
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    42 |           O           |           O           |
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    44 | 1  1|                20                       |
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    64 | 1  1|                26                       |
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    92 |           0           |                       |
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+The domain name for F.ISI.ARPA is shown at offset 20.  The domain name
+FOO.F.ISI.ARPA is shown at offset 40; this definition uses a pointer to
+concatenate a label for FOO to the previously defined F.ISI.ARPA.  The
+domain name ARPA is defined at offset 64 using a pointer to the ARPA
+component of the name F.ISI.ARPA at 20; note that this pointer relies on
+ARPA being the last label in the string at 20.  The root domain name is
+
+
+
+Mockapetris                                                    [Page 31]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+defined by a single octet of zeros at 92; the root domain name has no
+labels.
+
+4.2. Transport
+
+The DNS assumes that messages will be transmitted as datagrams or in a
+byte stream carried by a virtual circuit.  While virtual circuits can be
+used for any DNS activity, datagrams are preferred for queries due to
+their lower overhead and better performance.  Zone refresh activities
+must use virtual circuits because of the need for reliable transfer.
+
+The Internet supports name server access using TCP [RFC-793] on server
+port 53 (decimal) as well as datagram access using UDP [RFC-768] on UDP
+port 53 (decimal).
+
+4.2.1. UDP usage
+
+Messages sent using UDP user server port 53 (decimal).
+
+Messages carried by UDP are restricted to 512 bytes (not counting the IP
+or UDP headers).  Longer messages are truncated and the TC bit is set in
+the header.
+
+UDP is not acceptable for zone transfers, but is the recommended method
+for standard queries in the Internet.  Queries sent using UDP may be
+lost, and hence a retransmission strategy is required.  Queries or their
+responses may be reordered by the network, or by processing in name
+servers, so resolvers should not depend on them being returned in order.
+
+The optimal UDP retransmission policy will vary with performance of the
+Internet and the needs of the client, but the following are recommended:
+
+   - The client should try other servers and server addresses
+     before repeating a query to a specific address of a server.
+
+   - The retransmission interval should be based on prior
+     statistics if possible.  Too aggressive retransmission can
+     easily slow responses for the community at large.  Depending
+     on how well connected the client is to its expected servers,
+     the minimum retransmission interval should be 2-5 seconds.
+
+More suggestions on server selection and retransmission policy can be
+found in the resolver section of this memo.
+
+4.2.2. TCP usage
+
+Messages sent over TCP connections use server port 53 (decimal).  The
+message is prefixed with a two byte length field which gives the message
+
+
+
+Mockapetris                                                    [Page 32]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+length, excluding the two byte length field.  This length field allows
+the low-level processing to assemble a complete message before beginning
+to parse it.
+
+Several connection management policies are recommended:
+
+   - The server should not block other activities waiting for TCP
+     data.
+
+   - The server should support multiple connections.
+
+   - The server should assume that the client will initiate
+     connection closing, and should delay closing its end of the
+     connection until all outstanding client requests have been
+     satisfied.
+
+   - If the server needs to close a dormant connection to reclaim
+     resources, it should wait until the connection has been idle
+     for a period on the order of two minutes.  In particular, the
+     server should allow the SOA and AXFR request sequence (which
+     begins a refresh operation) to be made on a single connection.
+     Since the server would be unable to answer queries anyway, a
+     unilateral close or reset may be used instead of a graceful
+     close.
+
+5. MASTER FILES
+
+Master files are text files that contain RRs in text form.  Since the
+contents of a zone can be expressed in the form of a list of RRs a
+master file is most often used to define a zone, though it can be used
+to list a cache's contents.  Hence, this section first discusses the
+format of RRs in a master file, and then the special considerations when
+a master file is used to create a zone in some name server.
+
+5.1. Format
+
+The format of these files is a sequence of entries.  Entries are
+predominantly line-oriented, though parentheses can be used to continue
+a list of items across a line boundary, and text literals can contain
+CRLF within the text.  Any combination of tabs and spaces act as a
+delimiter between the separate items that make up an entry.  The end of
+any line in the master file can end with a comment.  The comment starts
+with a ";" (semicolon).
+
+The following entries are defined:
+
+    <blank>[<comment>]
+
+
+
+
+Mockapetris                                                    [Page 33]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+    $ORIGIN <domain-name> [<comment>]
+
+    $INCLUDE <file-name> [<domain-name>] [<comment>]
+
+    <domain-name><rr> [<comment>]
+
+    <blank><rr> [<comment>]
+
+Blank lines, with or without comments, are allowed anywhere in the file.
+
+Two control entries are defined: $ORIGIN and $INCLUDE.  $ORIGIN is
+followed by a domain name, and resets the current origin for relative
+domain names to the stated name.  $INCLUDE inserts the named file into
+the current file, and may optionally specify a domain name that sets the
+relative domain name origin for the included file.  $INCLUDE may also
+have a comment.  Note that a $INCLUDE entry never changes the relative
+origin of the parent file, regardless of changes to the relative origin
+made within the included file.
+
+The last two forms represent RRs.  If an entry for an RR begins with a
+blank, then the RR is assumed to be owned by the last stated owner.  If
+an RR entry begins with a <domain-name>, then the owner name is reset.
+
+<rr> contents take one of the following forms:
+
+    [<TTL>] [<class>] <type> <RDATA>
+
+    [<class>] [<TTL>] <type> <RDATA>
+
+The RR begins with optional TTL and class fields, followed by a type and
+RDATA field appropriate to the type and class.  Class and type use the
+standard mnemonics, TTL is a decimal integer.  Omitted class and TTL
+values are default to the last explicitly stated values.  Since type and
+class mnemonics are disjoint, the parse is unique.  (Note that this
+order is different from the order used in examples and the order used in
+the actual RRs; the given order allows easier parsing and defaulting.)
+
+<domain-name>s make up a large share of the data in the master file.
+The labels in the domain name are expressed as character strings and
+separated by dots.  Quoting conventions allow arbitrary characters to be
+stored in domain names.  Domain names that end in a dot are called
+absolute, and are taken as complete.  Domain names which do not end in a
+dot are called relative; the actual domain name is the concatenation of
+the relative part with an origin specified in a $ORIGIN, $INCLUDE, or as
+an argument to the master file loading routine.  A relative name is an
+error when no origin is available.
+
+
+
+
+
+Mockapetris                                                    [Page 34]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+<character-string> is expressed in one or two ways: as a contiguous set
+of characters without interior spaces, or as a string beginning with a "
+and ending with a ".  Inside a " delimited string any character can
+occur, except for a " itself, which must be quoted using \ (back slash).
+
+Because these files are text files several special encodings are
+necessary to allow arbitrary data to be loaded.  In particular:
+
+                of the root.
+
+@               A free standing @ is used to denote the current origin.
+
+\X              where X is any character other than a digit (0-9), is
+                used to quote that character so that its special meaning
+                does not apply.  For example, "\." can be used to place
+                a dot character in a label.
+
+\DDD            where each D is a digit is the octet corresponding to
+                the decimal number described by DDD.  The resulting
+                octet is assumed to be text and is not checked for
+                special meaning.
+
+( )             Parentheses are used to group data that crosses a line
+                boundary.  In effect, line terminations are not
+                recognized within parentheses.
+
+;               Semicolon is used to start a comment; the remainder of
+                the line is ignored.
+
+5.2. Use of master files to define zones
+
+When a master file is used to load a zone, the operation should be
+suppressed if any errors are encountered in the master file.  The
+rationale for this is that a single error can have widespread
+consequences.  For example, suppose that the RRs defining a delegation
+have syntax errors; then the server will return authoritative name
+errors for all names in the subzone (except in the case where the
+subzone is also present on the server).
+
+Several other validity checks that should be performed in addition to
+insuring that the file is syntactically correct:
+
+   1. All RRs in the file should have the same class.
+
+   2. Exactly one SOA RR should be present at the top of the zone.
+
+   3. If delegations are present and glue information is required,
+      it should be present.
+
+
+
+Mockapetris                                                    [Page 35]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+   4. Information present outside of the authoritative nodes in the
+      zone should be glue information, rather than the result of an
+      origin or similar error.
+
+5.3. Master file example
+
+The following is an example file which might be used to define the
+ISI.EDU zone.and is loaded with an origin of ISI.EDU:
+
+@   IN  SOA     VENERA      Action\.domains (
+                                 20     ; SERIAL
+                                 7200   ; REFRESH
+                                 600    ; RETRY
+                                 3600000; EXPIRE
+                                 60)    ; MINIMUM
+
+        NS      A.ISI.EDU.
+        NS      VENERA
+        NS      VAXA
+        MX      10      VENERA
+        MX      20      VAXA
+
+A       A       26.3.0.103
+
+VENERA  A       10.1.0.52
+        A       128.9.0.32
+
+VAXA    A       10.2.0.27
+        A       128.9.0.33
+
+
+$INCLUDE <SUBSYS>ISI-MAILBOXES.TXT
+
+Where the file <SUBSYS>ISI-MAILBOXES.TXT is:
+
+    MOE     MB      A.ISI.EDU.
+    LARRY   MB      A.ISI.EDU.
+    CURLEY  MB      A.ISI.EDU.
+    STOOGES MG      MOE
+            MG      LARRY
+            MG      CURLEY
+
+Note the use of the \ character in the SOA RR to specify the responsible
+person mailbox "Action.domains@E.ISI.EDU".
+
+
+
+
+
+
+
+Mockapetris                                                    [Page 36]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+6. NAME SERVER IMPLEMENTATION
+
+6.1. Architecture
+
+The optimal structure for the name server will depend on the host
+operating system and whether the name server is integrated with resolver
+operations, either by supporting recursive service, or by sharing its
+database with a resolver.  This section discusses implementation
+considerations for a name server which shares a database with a
+resolver, but most of these concerns are present in any name server.
+
+6.1.1. Control
+
+A name server must employ multiple concurrent activities, whether they
+are implemented as separate tasks in the host's OS or multiplexing
+inside a single name server program.  It is simply not acceptable for a
+name server to block the service of UDP requests while it waits for TCP
+data for refreshing or query activities.  Similarly, a name server
+should not attempt to provide recursive service without processing such
+requests in parallel, though it may choose to serialize requests from a
+single client, or to regard identical requests from the same client as
+duplicates.  A name server should not substantially delay requests while
+it reloads a zone from master files or while it incorporates a newly
+refreshed zone into its database.
+
+6.1.2. Database
+
+While name server implementations are free to use any internal data
+structures they choose, the suggested structure consists of three major
+parts:
+
+   - A "catalog" data structure which lists the zones available to
+     this server, and a "pointer" to the zone data structure.  The
+     main purpose of this structure is to find the nearest ancestor
+     zone, if any, for arriving standard queries.
+
+   - Separate data structures for each of the zones held by the
+     name server.
+
+   - A data structure for cached data. (or perhaps separate caches
+     for different classes)
+
+All of these data structures can be implemented an identical tree
+structure format, with different data chained off the nodes in different
+parts: in the catalog the data is pointers to zones, while in the zone
+and cache data structures, the data will be RRs.  In designing the tree
+framework the designer should recognize that query processing will need
+to traverse the tree using case-insensitive label comparisons; and that
+
+
+
+Mockapetris                                                    [Page 37]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+in real data, a few nodes have a very high branching factor (100-1000 or
+more), but the vast majority have a very low branching factor (0-1).
+
+One way to solve the case problem is to store the labels for each node
+in two pieces: a standardized-case representation of the label where all
+ASCII characters are in a single case, together with a bit mask that
+denotes which characters are actually of a different case.  The
+branching factor diversity can be handled using a simple linked list for
+a node until the branching factor exceeds some threshold, and
+transitioning to a hash structure after the threshold is exceeded.  In
+any case, hash structures used to store tree sections must insure that
+hash functions and procedures preserve the casing conventions of the
+DNS.
+
+The use of separate structures for the different parts of the database
+is motivated by several factors:
+
+   - The catalog structure can be an almost static structure that
+     need change only when the system administrator changes the
+     zones supported by the server.  This structure can also be
+     used to store parameters used to control refreshing
+     activities.
+
+   - The individual data structures for zones allow a zone to be
+     replaced simply by changing a pointer in the catalog.  Zone
+     refresh operations can build a new structure and, when
+     complete, splice it into the database via a simple pointer
+     replacement.  It is very important that when a zone is
+     refreshed, queries should not use old and new data
+     simultaneously.
+
+   - With the proper search procedures, authoritative data in zones
+     will always "hide", and hence take precedence over, cached
+     data.
+
+   - Errors in zone definitions that cause overlapping zones, etc.,
+     may cause erroneous responses to queries, but problem
+     determination is simplified, and the contents of one "bad"
+     zone can't corrupt another.
+
+   - Since the cache is most frequently updated, it is most
+     vulnerable to corruption during system restarts.  It can also
+     become full of expired RR data.  In either case, it can easily
+     be discarded without disturbing zone data.
+
+A major aspect of database design is selecting a structure which allows
+the name server to deal with crashes of the name server's host.  State
+information which a name server should save across system crashes
+
+
+
+Mockapetris                                                    [Page 38]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+includes the catalog structure (including the state of refreshing for
+each zone) and the zone data itself.
+
+6.1.3. Time
+
+Both the TTL data for RRs and the timing data for refreshing activities
+depends on 32 bit timers in units of seconds.  Inside the database,
+refresh timers and TTLs for cached data conceptually "count down", while
+data in the zone stays with constant TTLs.
+
+A recommended implementation strategy is to store time in two ways:  as
+a relative increment and as an absolute time.  One way to do this is to
+use positive 32 bit numbers for one type and negative numbers for the
+other.  The RRs in zones use relative times; the refresh timers and
+cache data use absolute times.  Absolute numbers are taken with respect
+to some known origin and converted to relative values when placed in the
+response to a query.  When an absolute TTL is negative after conversion
+to relative, then the data is expired and should be ignored.
+
+6.2. Standard query processing
+
+The major algorithm for standard query processing is presented in
+[RFC-1034].
+
+When processing queries with QCLASS=*, or some other QCLASS which
+matches multiple classes, the response should never be authoritative
+unless the server can guarantee that the response covers all classes.
+
+When composing a response, RRs which are to be inserted in the
+additional section, but duplicate RRs in the answer or authority
+sections, may be omitted from the additional section.
+
+When a response is so long that truncation is required, the truncation
+should start at the end of the response and work forward in the
+datagram.  Thus if there is any data for the authority section, the
+answer section is guaranteed to be unique.
+
+The MINIMUM value in the SOA should be used to set a floor on the TTL of
+data distributed from a zone.  This floor function should be done when
+the data is copied into a response.  This will allow future dynamic
+update protocols to change the SOA MINIMUM field without ambiguous
+semantics.
+
+6.3. Zone refresh and reload processing
+
+In spite of a server's best efforts, it may be unable to load zone data
+from a master file due to syntax errors, etc., or be unable to refresh a
+zone within the its expiration parameter.  In this case, the name server
+
+
+
+Mockapetris                                                    [Page 39]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+should answer queries as if it were not supposed to possess the zone.
+
+If a master is sending a zone out via AXFR, and a new version is created
+during the transfer, the master should continue to send the old version
+if possible.  In any case, it should never send part of one version and
+part of another.  If completion is not possible, the master should reset
+the connection on which the zone transfer is taking place.
+
+6.4. Inverse queries (Optional)
+
+Inverse queries are an optional part of the DNS.  Name servers are not
+required to support any form of inverse queries.  If a name server
+receives an inverse query that it does not support, it returns an error
+response with the "Not Implemented" error set in the header.  While
+inverse query support is optional, all name servers must be at least
+able to return the error response.
+
+6.4.1. The contents of inverse queries and responses          Inverse
+queries reverse the mappings performed by standard query operations;
+while a standard query maps a domain name to a resource, an inverse
+query maps a resource to a domain name.  For example, a standard query
+might bind a domain name to a host address; the corresponding inverse
+query binds the host address to a domain name.
+
+Inverse queries take the form of a single RR in the answer section of
+the message, with an empty question section.  The owner name of the
+query RR and its TTL are not significant.  The response carries
+questions in the question section which identify all names possessing
+the query RR WHICH THE NAME SERVER KNOWS.  Since no name server knows
+about all of the domain name space, the response can never be assumed to
+be complete.  Thus inverse queries are primarily useful for database
+management and debugging activities.  Inverse queries are NOT an
+acceptable method of mapping host addresses to host names; use the IN-
+ADDR.ARPA domain instead.
+
+Where possible, name servers should provide case-insensitive comparisons
+for inverse queries.  Thus an inverse query asking for an MX RR of
+"Venera.isi.edu" should get the same response as a query for
+"VENERA.ISI.EDU"; an inverse query for HINFO RR "IBM-PC UNIX" should
+produce the same result as an inverse query for "IBM-pc unix".  However,
+this cannot be guaranteed because name servers may possess RRs that
+contain character strings but the name server does not know that the
+data is character.
+
+When a name server processes an inverse query, it either returns:
+
+   1. zero, one, or multiple domain names for the specified
+      resource as QNAMEs in the question section
+
+
+
+Mockapetris                                                    [Page 40]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+   2. an error code indicating that the name server doesn't support
+      inverse mapping of the specified resource type.
+
+When the response to an inverse query contains one or more QNAMEs, the
+owner name and TTL of the RR in the answer section which defines the
+inverse query is modified to exactly match an RR found at the first
+QNAME.
+
+RRs returned in the inverse queries cannot be cached using the same
+mechanism as is used for the replies to standard queries.  One reason
+for this is that a name might have multiple RRs of the same type, and
+only one would appear.  For example, an inverse query for a single
+address of a multiply homed host might create the impression that only
+one address existed.
+
+6.4.2. Inverse query and response example          The overall structure
+of an inverse query for retrieving the domain name that corresponds to
+Internet address 10.1.0.52 is shown below:
+
+                         +-----------------------------------------+
+           Header        |          OPCODE=IQUERY, ID=997          |
+                         +-----------------------------------------+
+          Question       |                 <empty>                 |
+                         +-----------------------------------------+
+           Answer        |        <anyname> A IN 10.1.0.52         |
+                         +-----------------------------------------+
+          Authority      |                 <empty>                 |
+                         +-----------------------------------------+
+         Additional      |                 <empty>                 |
+                         +-----------------------------------------+
+
+This query asks for a question whose answer is the Internet style
+address 10.1.0.52.  Since the owner name is not known, any domain name
+can be used as a placeholder (and is ignored).  A single octet of zero,
+signifying the root, is usually used because it minimizes the length of
+the message.  The TTL of the RR is not significant.  The response to
+this query might be:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Mockapetris                                                    [Page 41]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+                         +-----------------------------------------+
+           Header        |         OPCODE=RESPONSE, ID=997         |
+                         +-----------------------------------------+
+          Question       |QTYPE=A, QCLASS=IN, QNAME=VENERA.ISI.EDU |
+                         +-----------------------------------------+
+           Answer        |  VENERA.ISI.EDU  A IN 10.1.0.52         |
+                         +-----------------------------------------+
+          Authority      |                 <empty>                 |
+                         +-----------------------------------------+
+         Additional      |                 <empty>                 |
+                         +-----------------------------------------+
+
+Note that the QTYPE in a response to an inverse query is the same as the
+TYPE field in the answer section of the inverse query.  Responses to
+inverse queries may contain multiple questions when the inverse is not
+unique.  If the question section in the response is not empty, then the
+RR in the answer section is modified to correspond to be an exact copy
+of an RR at the first QNAME.
+
+6.4.3. Inverse query processing
+
+Name servers that support inverse queries can support these operations
+through exhaustive searches of their databases, but this becomes
+impractical as the size of the database increases.  An alternative
+approach is to invert the database according to the search key.
+
+For name servers that support multiple zones and a large amount of data,
+the recommended approach is separate inversions for each zone.  When a
+particular zone is changed during a refresh, only its inversions need to
+be redone.
+
+Support for transfer of this type of inversion may be included in future
+versions of the domain system, but is not supported in this version.
+
+6.5. Completion queries and responses
+
+The optional completion services described in RFC-882 and RFC-883 have
+been deleted.  Redesigned services may become available in the future.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Mockapetris                                                    [Page 42]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+7. RESOLVER IMPLEMENTATION
+
+The top levels of the recommended resolver algorithm are discussed in
+[RFC-1034].  This section discusses implementation details assuming the
+database structure suggested in the name server implementation section
+of this memo.
+
+7.1. Transforming a user request into a query
+
+The first step a resolver takes is to transform the client's request,
+stated in a format suitable to the local OS, into a search specification
+for RRs at a specific name which match a specific QTYPE and QCLASS.
+Where possible, the QTYPE and QCLASS should correspond to a single type
+and a single class, because this makes the use of cached data much
+simpler.  The reason for this is that the presence of data of one type
+in a cache doesn't confirm the existence or non-existence of data of
+other types, hence the only way to be sure is to consult an
+authoritative source.  If QCLASS=* is used, then authoritative answers
+won't be available.
+
+Since a resolver must be able to multiplex multiple requests if it is to
+perform its function efficiently, each pending request is usually
+represented in some block of state information.  This state block will
+typically contain:
+
+   - A timestamp indicating the time the request began.
+     The timestamp is used to decide whether RRs in the database
+     can be used or are out of date.  This timestamp uses the
+     absolute time format previously discussed for RR storage in
+     zones and caches.  Note that when an RRs TTL indicates a
+     relative time, the RR must be timely, since it is part of a
+     zone.  When the RR has an absolute time, it is part of a
+     cache, and the TTL of the RR is compared against the timestamp
+     for the start of the request.
+
+     Note that using the timestamp is superior to using a current
+     time, since it allows RRs with TTLs of zero to be entered in
+     the cache in the usual manner, but still used by the current
+     request, even after intervals of many seconds due to system
+     load, query retransmission timeouts, etc.
+
+   - Some sort of parameters to limit the amount of work which will
+     be performed for this request.
+
+     The amount of work which a resolver will do in response to a
+     client request must be limited to guard against errors in the
+     database, such as circular CNAME references, and operational
+     problems, such as network partition which prevents the
+
+
+
+Mockapetris                                                    [Page 43]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+     resolver from accessing the name servers it needs.  While
+     local limits on the number of times a resolver will retransmit
+     a particular query to a particular name server address are
+     essential, the resolver should have a global per-request
+     counter to limit work on a single request.  The counter should
+     be set to some initial value and decremented whenever the
+     resolver performs any action (retransmission timeout,
+     retransmission, etc.)  If the counter passes zero, the request
+     is terminated with a temporary error.
+
+     Note that if the resolver structure allows one request to
+     start others in parallel, such as when the need to access a
+     name server for one request causes a parallel resolve for the
+     name server's addresses, the spawned request should be started
+     with a lower counter.  This prevents circular references in
+     the database from starting a chain reaction of resolver
+     activity.
+
+   - The SLIST data structure discussed in [RFC-1034].
+
+     This structure keeps track of the state of a request if it
+     must wait for answers from foreign name servers.
+
+7.2. Sending the queries
+
+As described in [RFC-1034], the basic task of the resolver is to
+formulate a query which will answer the client's request and direct that
+query to name servers which can provide the information.  The resolver
+will usually only have very strong hints about which servers to ask, in
+the form of NS RRs, and may have to revise the query, in response to
+CNAMEs, or revise the set of name servers the resolver is asking, in
+response to delegation responses which point the resolver to name
+servers closer to the desired information.  In addition to the
+information requested by the client, the resolver may have to call upon
+its own services to determine the address of name servers it wishes to
+contact.
+
+In any case, the model used in this memo assumes that the resolver is
+multiplexing attention between multiple requests, some from the client,
+and some internally generated.  Each request is represented by some
+state information, and the desired behavior is that the resolver
+transmit queries to name servers in a way that maximizes the probability
+that the request is answered, minimizes the time that the request takes,
+and avoids excessive transmissions.  The key algorithm uses the state
+information of the request to select the next name server address to
+query, and also computes a timeout which will cause the next action
+should a response not arrive.  The next action will usually be a
+transmission to some other server, but may be a temporary error to the
+
+
+
+Mockapetris                                                    [Page 44]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+client.
+
+The resolver always starts with a list of server names to query (SLIST).
+This list will be all NS RRs which correspond to the nearest ancestor
+zone that the resolver knows about.  To avoid startup problems, the
+resolver should have a set of default servers which it will ask should
+it have no current NS RRs which are appropriate.  The resolver then adds
+to SLIST all of the known addresses for the name servers, and may start
+parallel requests to acquire the addresses of the servers when the
+resolver has the name, but no addresses, for the name servers.
+
+To complete initialization of SLIST, the resolver attaches whatever
+history information it has to the each address in SLIST.  This will
+usually consist of some sort of weighted averages for the response time
+of the address, and the batting average of the address (i.e., how often
+the address responded at all to the request).  Note that this
+information should be kept on a per address basis, rather than on a per
+name server basis, because the response time and batting average of a
+particular server may vary considerably from address to address.  Note
+also that this information is actually specific to a resolver address /
+server address pair, so a resolver with multiple addresses may wish to
+keep separate histories for each of its addresses.  Part of this step
+must deal with addresses which have no such history; in this case an
+expected round trip time of 5-10 seconds should be the worst case, with
+lower estimates for the same local network, etc.
+
+Note that whenever a delegation is followed, the resolver algorithm
+reinitializes SLIST.
+
+The information establishes a partial ranking of the available name
+server addresses.  Each time an address is chosen and the state should
+be altered to prevent its selection again until all other addresses have
+been tried.  The timeout for each transmission should be 50-100% greater
+than the average predicted value to allow for variance in response.
+
+Some fine points:
+
+   - The resolver may encounter a situation where no addresses are
+     available for any of the name servers named in SLIST, and
+     where the servers in the list are precisely those which would
+     normally be used to look up their own addresses.  This
+     situation typically occurs when the glue address RRs have a
+     smaller TTL than the NS RRs marking delegation, or when the
+     resolver caches the result of a NS search.  The resolver
+     should detect this condition and restart the search at the
+     next ancestor zone, or alternatively at the root.
+
+
+
+
+
+Mockapetris                                                    [Page 45]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+   - If a resolver gets a server error or other bizarre response
+     from a name server, it should remove it from SLIST, and may
+     wish to schedule an immediate transmission to the next
+     candidate server address.
+
+7.3. Processing responses
+
+The first step in processing arriving response datagrams is to parse the
+response.  This procedure should include:
+
+   - Check the header for reasonableness.  Discard datagrams which
+     are queries when responses are expected.
+
+   - Parse the sections of the message, and insure that all RRs are
+     correctly formatted.
+
+   - As an optional step, check the TTLs of arriving data looking
+     for RRs with excessively long TTLs.  If a RR has an
+     excessively long TTL, say greater than 1 week, either discard
+     the whole response, or limit all TTLs in the response to 1
+     week.
+
+The next step is to match the response to a current resolver request.
+The recommended strategy is to do a preliminary matching using the ID
+field in the domain header, and then to verify that the question section
+corresponds to the information currently desired.  This requires that
+the transmission algorithm devote several bits of the domain ID field to
+a request identifier of some sort.  This step has several fine points:
+
+   - Some name servers send their responses from different
+     addresses than the one used to receive the query.  That is, a
+     resolver cannot rely that a response will come from the same
+     address which it sent the corresponding query to.  This name
+     server bug is typically encountered in UNIX systems.
+
+   - If the resolver retransmits a particular request to a name
+     server it should be able to use a response from any of the
+     transmissions.  However, if it is using the response to sample
+     the round trip time to access the name server, it must be able
+     to determine which transmission matches the response (and keep
+     transmission times for each outgoing message), or only
+     calculate round trip times based on initial transmissions.
+
+   - A name server will occasionally not have a current copy of a
+     zone which it should have according to some NS RRs.  The
+     resolver should simply remove the name server from the current
+     SLIST, and continue.
+
+
+
+
+Mockapetris                                                    [Page 46]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+7.4. Using the cache
+
+In general, we expect a resolver to cache all data which it receives in
+responses since it may be useful in answering future client requests.
+However, there are several types of data which should not be cached:
+
+   - When several RRs of the same type are available for a
+     particular owner name, the resolver should either cache them
+     all or none at all.  When a response is truncated, and a
+     resolver doesn't know whether it has a complete set, it should
+     not cache a possibly partial set of RRs.
+
+   - Cached data should never be used in preference to
+     authoritative data, so if caching would cause this to happen
+     the data should not be cached.
+
+   - The results of an inverse query should not be cached.
+
+   - The results of standard queries where the QNAME contains "*"
+     labels if the data might be used to construct wildcards.  The
+     reason is that the cache does not necessarily contain existing
+     RRs or zone boundary information which is necessary to
+     restrict the application of the wildcard RRs.
+
+   - RR data in responses of dubious reliability.  When a resolver
+     receives unsolicited responses or RR data other than that
+     requested, it should discard it without caching it.  The basic
+     implication is that all sanity checks on a packet should be
+     performed before any of it is cached.
+
+In a similar vein, when a resolver has a set of RRs for some name in a
+response, and wants to cache the RRs, it should check its cache for
+already existing RRs.  Depending on the circumstances, either the data
+in the response or the cache is preferred, but the two should never be
+combined.  If the data in the response is from authoritative data in the
+answer section, it is always preferred.
+
+8. MAIL SUPPORT
+
+The domain system defines a standard for mapping mailboxes into domain
+names, and two methods for using the mailbox information to derive mail
+routing information.  The first method is called mail exchange binding
+and the other method is mailbox binding.  The mailbox encoding standard
+and mail exchange binding are part of the DNS official protocol, and are
+the recommended method for mail routing in the Internet.  Mailbox
+binding is an experimental feature which is still under development and
+subject to change.
+
+
+
+
+Mockapetris                                                    [Page 47]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+The mailbox encoding standard assumes a mailbox name of the form
+"<local-part>@<mail-domain>".  While the syntax allowed in each of these
+sections varies substantially between the various mail internets, the
+preferred syntax for the ARPA Internet is given in [RFC-822].
+
+The DNS encodes the <local-part> as a single label, and encodes the
+<mail-domain> as a domain name.  The single label from the <local-part>
+is prefaced to the domain name from <mail-domain> to form the domain
+name corresponding to the mailbox.  Thus the mailbox HOSTMASTER@SRI-
+NIC.ARPA is mapped into the domain name HOSTMASTER.SRI-NIC.ARPA.  If the
+<local-part> contains dots or other special characters, its
+representation in a master file will require the use of backslash
+quoting to ensure that the domain name is properly encoded.  For
+example, the mailbox Action.domains@ISI.EDU would be represented as
+Action\.domains.ISI.EDU.
+
+8.1. Mail exchange binding
+
+Mail exchange binding uses the <mail-domain> part of a mailbox
+specification to determine where mail should be sent.  The <local-part>
+is not even consulted.  [RFC-974] specifies this method in detail, and
+should be consulted before attempting to use mail exchange support.
+
+One of the advantages of this method is that it decouples mail
+destination naming from the hosts used to support mail service, at the
+cost of another layer of indirection in the lookup function.  However,
+the addition layer should eliminate the need for complicated "%", "!",
+etc encodings in <local-part>.
+
+The essence of the method is that the <mail-domain> is used as a domain
+name to locate type MX RRs which list hosts willing to accept mail for
+<mail-domain>, together with preference values which rank the hosts
+according to an order specified by the administrators for <mail-domain>.
+
+In this memo, the <mail-domain> ISI.EDU is used in examples, together
+with the hosts VENERA.ISI.EDU and VAXA.ISI.EDU as mail exchanges for
+ISI.EDU.  If a mailer had a message for Mockapetris@ISI.EDU, it would
+route it by looking up MX RRs for ISI.EDU.  The MX RRs at ISI.EDU name
+VENERA.ISI.EDU and VAXA.ISI.EDU, and type A queries can find the host
+addresses.
+
+8.2. Mailbox binding (Experimental)
+
+In mailbox binding, the mailer uses the entire mail destination
+specification to construct a domain name.  The encoded domain name for
+the mailbox is used as the QNAME field in a QTYPE=MAILB query.
+
+Several outcomes are possible for this query:
+
+
+
+Mockapetris                                                    [Page 48]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+   1. The query can return a name error indicating that the mailbox
+      does not exist as a domain name.
+
+      In the long term, this would indicate that the specified
+      mailbox doesn't exist.  However, until the use of mailbox
+      binding is universal, this error condition should be
+      interpreted to mean that the organization identified by the
+      global part does not support mailbox binding.  The
+      appropriate procedure is to revert to exchange binding at
+      this point.
+
+   2. The query can return a Mail Rename (MR) RR.
+
+      The MR RR carries new mailbox specification in its RDATA
+      field.  The mailer should replace the old mailbox with the
+      new one and retry the operation.
+
+   3. The query can return a MB RR.
+
+      The MB RR carries a domain name for a host in its RDATA
+      field.  The mailer should deliver the message to that host
+      via whatever protocol is applicable, e.g., b,SMTP.
+
+   4. The query can return one or more Mail Group (MG) RRs.
+
+      This condition means that the mailbox was actually a mailing
+      list or mail group, rather than a single mailbox.  Each MG RR
+      has a RDATA field that identifies a mailbox that is a member
+      of the group.  The mailer should deliver a copy of the
+      message to each member.
+
+   5. The query can return a MB RR as well as one or more MG RRs.
+
+      This condition means the the mailbox was actually a mailing
+      list.  The mailer can either deliver the message to the host
+      specified by the MB RR, which will in turn do the delivery to
+      all members, or the mailer can use the MG RRs to do the
+      expansion itself.
+
+In any of these cases, the response may include a Mail Information
+(MINFO) RR.  This RR is usually associated with a mail group, but is
+legal with a MB.  The MINFO RR identifies two mailboxes.  One of these
+identifies a responsible person for the original mailbox name.  This
+mailbox should be used for requests to be added to a mail group, etc.
+The second mailbox name in the MINFO RR identifies a mailbox that should
+receive error messages for mail failures.  This is particularly
+appropriate for mailing lists when errors in member names should be
+reported to a person other than the one who sends a message to the list.
+
+
+
+Mockapetris                                                    [Page 49]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+New fields may be added to this RR in the future.
+
+
+9. REFERENCES and BIBLIOGRAPHY
+
+[Dyer 87]       S. Dyer, F. Hsu, "Hesiod", Project Athena
+                Technical Plan - Name Service, April 1987, version 1.9.
+
+                Describes the fundamentals of the Hesiod name service.
+
+[IEN-116]       J. Postel, "Internet Name Server", IEN-116,
+                USC/Information Sciences Institute, August 1979.
+
+                A name service obsoleted by the Domain Name System, but
+                still in use.
+
+[Quarterman 86] J. Quarterman, and J. Hoskins, "Notable Computer Networks",
+                Communications of the ACM, October 1986, volume 29, number
+                10.
+
+[RFC-742]       K. Harrenstien, "NAME/FINGER", RFC-742, Network
+                Information Center, SRI International, December 1977.
+
+[RFC-768]       J. Postel, "User Datagram Protocol", RFC-768,
+                USC/Information Sciences Institute, August 1980.
+
+[RFC-793]       J. Postel, "Transmission Control Protocol", RFC-793,
+                USC/Information Sciences Institute, September 1981.
+
+[RFC-799]       D. Mills, "Internet Name Domains", RFC-799, COMSAT,
+                September 1981.
+
+                Suggests introduction of a hierarchy in place of a flat
+                name space for the Internet.
+
+[RFC-805]       J. Postel, "Computer Mail Meeting Notes", RFC-805,
+                USC/Information Sciences Institute, February 1982.
+
+[RFC-810]       E. Feinler, K. Harrenstien, Z. Su, and V. White, "DOD
+                Internet Host Table Specification", RFC-810, Network
+                Information Center, SRI International, March 1982.
+
+                Obsolete.  See RFC-952.
+
+[RFC-811]       K. Harrenstien, V. White, and E. Feinler, "Hostnames
+                Server", RFC-811, Network Information Center, SRI
+                International, March 1982.
+
+
+
+
+Mockapetris                                                    [Page 50]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+                Obsolete.  See RFC-953.
+
+[RFC-812]       K. Harrenstien, and V. White, "NICNAME/WHOIS", RFC-812,
+                Network Information Center, SRI International, March
+                1982.
+
+[RFC-819]       Z. Su, and J. Postel, "The Domain Naming Convention for
+                Internet User Applications", RFC-819, Network
+                Information Center, SRI International, August 1982.
+
+                Early thoughts on the design of the domain system.
+                Current implementation is completely different.
+
+[RFC-821]       J. Postel, "Simple Mail Transfer Protocol", RFC-821,
+                USC/Information Sciences Institute, August 1980.
+
+[RFC-830]       Z. Su, "A Distributed System for Internet Name Service",
+                RFC-830, Network Information Center, SRI International,
+                October 1982.
+
+                Early thoughts on the design of the domain system.
+                Current implementation is completely different.
+
+[RFC-882]       P. Mockapetris, "Domain names - Concepts and
+                Facilities," RFC-882, USC/Information Sciences
+                Institute, November 1983.
+
+                Superseded by this memo.
+
+[RFC-883]       P. Mockapetris, "Domain names - Implementation and
+                Specification," RFC-883, USC/Information Sciences
+                Institute, November 1983.
+
+                Superseded by this memo.
+
+[RFC-920]       J. Postel and J. Reynolds, "Domain Requirements",
+                RFC-920, USC/Information Sciences Institute,
+                October 1984.
+
+                Explains the naming scheme for top level domains.
+
+[RFC-952]       K. Harrenstien, M. Stahl, E. Feinler, "DoD Internet Host
+                Table Specification", RFC-952, SRI, October 1985.
+
+                Specifies the format of HOSTS.TXT, the host/address
+                table replaced by the DNS.
+
+
+
+
+
+Mockapetris                                                    [Page 51]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+[RFC-953]       K. Harrenstien, M. Stahl, E. Feinler, "HOSTNAME Server",
+                RFC-953, SRI, October 1985.
+
+                This RFC contains the official specification of the
+                hostname server protocol, which is obsoleted by the DNS.
+                This TCP based protocol accesses information stored in
+                the RFC-952 format, and is used to obtain copies of the
+                host table.
+
+[RFC-973]       P. Mockapetris, "Domain System Changes and
+                Observations", RFC-973, USC/Information Sciences
+                Institute, January 1986.
+
+                Describes changes to RFC-882 and RFC-883 and reasons for
+                them.
+
+[RFC-974]       C. Partridge, "Mail routing and the domain system",
+                RFC-974, CSNET CIC BBN Labs, January 1986.
+
+                Describes the transition from HOSTS.TXT based mail
+                addressing to the more powerful MX system used with the
+                domain system.
+
+[RFC-1001]      NetBIOS Working Group, "Protocol standard for a NetBIOS
+                service on a TCP/UDP transport: Concepts and Methods",
+                RFC-1001, March 1987.
+
+                This RFC and RFC-1002 are a preliminary design for
+                NETBIOS on top of TCP/IP which proposes to base NetBIOS
+                name service on top of the DNS.
+
+[RFC-1002]      NetBIOS Working Group, "Protocol standard for a NetBIOS
+                service on a TCP/UDP transport: Detailed
+                Specifications", RFC-1002, March 1987.
+
+[RFC-1010]      J. Reynolds, and J. Postel, "Assigned Numbers", RFC-1010,
+                USC/Information Sciences Institute, May 1987.
+
+                Contains socket numbers and mnemonics for host names,
+                operating systems, etc.
+
+[RFC-1031]      W. Lazear, "MILNET Name Domain Transition", RFC-1031,
+                November 1987.
+
+                Describes a plan for converting the MILNET to the DNS.
+
+[RFC-1032]      M. Stahl, "Establishing a Domain - Guidelines for
+                Administrators", RFC-1032, November 1987.
+
+
+
+Mockapetris                                                    [Page 52]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+                Describes the registration policies used by the NIC to
+                administer the top level domains and delegate subzones.
+
+[RFC-1033]      M. Lottor, "Domain Administrators Operations Guide",
+                RFC-1033, November 1987.
+
+                A cookbook for domain administrators.
+
+[Solomon 82]    M. Solomon, L. Landweber, and D. Neuhengen, "The CSNET
+                Name Server", Computer Networks, vol 6, nr 3, July 1982.
+
+                Describes a name service for CSNET which is independent
+                from the DNS and DNS use in the CSNET.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Mockapetris                                                    [Page 53]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+Index
+
+          *   13
+
+          ;   33, 35
+
+          <character-string>   35
+          <domain-name>   34
+
+          @   35
+
+          \   35
+
+          A   12
+
+          Byte order   8
+
+          CH   13
+          Character case   9
+          CLASS   11
+          CNAME   12
+          Completion   42
+          CS   13
+
+          Hesiod   13
+          HINFO   12
+          HS   13
+
+          IN   13
+          IN-ADDR.ARPA domain   22
+          Inverse queries   40
+
+          Mailbox names   47
+          MB   12
+          MD   12
+          MF   12
+          MG   12
+          MINFO   12
+          MINIMUM   20
+          MR   12
+          MX   12
+
+          NS   12
+          NULL   12
+
+          Port numbers   32
+          Primary server   5
+          PTR   12, 18
+
+
+
+Mockapetris                                                    [Page 54]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+          QCLASS   13
+          QTYPE   12
+
+          RDATA   12
+          RDLENGTH  11
+
+          Secondary server   5
+          SOA   12
+          Stub resolvers   7
+
+          TCP   32
+          TXT   12
+          TYPE   11
+
+          UDP   32
+
+          WKS   12
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Mockapetris                                                    [Page 55]
+
diff --git a/lib/dns/tests/testdata/dst/test1.ecdsa256sig b/lib/dns/tests/testdata/dst/test1.ecdsa256sig
new file mode 100644
index 0000000..dcae9d1
--- /dev/null
+++ b/lib/dns/tests/testdata/dst/test1.ecdsa256sig
@@ -0,0 +1 @@
+72E0998732EECAE2BEA12A278DFDEE14DB09A43C1E646A08BB0A6EEB90C5B75F9B359BEC1580313BFA8012C1DC15D34D1B227C71AD23161E2757AEB162AE3D99
diff --git a/lib/dns/tests/testdata/dst/test1.rsasha256sig b/lib/dns/tests/testdata/dst/test1.rsasha256sig
new file mode 100644
index 0000000..36e0b09
--- /dev/null
+++ b/lib/dns/tests/testdata/dst/test1.rsasha256sig
@@ -0,0 +1 @@
+C5CC8AB9FB5C0B4F03650456C993A868EB674ACBF2A867E023DC00F17D240CEDCADB8714981B7B48CF6CF86722632610FF312063B5E6D20EF441B89F02BC6813A35F9C6F045D017DB75C8724DBAA0C55A0D4EA850339944C75890B4DD0382AFA3E30E1CAA7B190C1B1FB17B5DD2279C0DF1049911E64198B3376070A34F38F4B
diff --git a/lib/dns/tests/testdata/dst/test2.data b/lib/dns/tests/testdata/dst/test2.data
new file mode 100644
index 0000000..a323bb3
--- /dev/null
+++ b/lib/dns/tests/testdata/dst/test2.data
@@ -0,0 +1,3077 @@
+Network Working Group                                     P. Mockapetris
+Request for Comments: 1035                                           ISI
+                                                           November 1987
+Obsoletes: RFCs 882, 883, 973
+
+            DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION
+
+
+1. STATUS OF THIS MEMO
+
+This RFC describes the details of the domain system and protocol, and
+assumes that the reader is familiar with the concepts discussed in a
+companion RFC, "Domain Names - Concepts and Facilities" [RFC-4301].
+
+The domain system is a mixture of functions and data types which are an
+official protocol and functions and data types which are still
+experimental.  Since the domain system is intentionally extensible, new
+data types and experimental behavior should always be expected in parts
+of the system beyond the official protocol.  The official protocol parts
+include standard queries, responses and the Internet class RR data
+formats (e.g., host addresses).  Since the previous RFC set, several
+definitions have changed, so some previous definitions are obsolete.
+
+Experimental or obsolete features are clearly marked in these RFCs, and
+such information should be used with caution.
+
+The reader is especially cautioned not to depend on the values which
+appear in examples to be current or complete, since their purpose is
+primarily pedagogical.  Distribution of this memo is unlimited.
+
+                           Table of Contents
+
+  1. STATUS OF THIS MEMO                                              1
+  2. INTRODUCTION                                                     3
+      2.1. Overview                                                   3
+      2.2. Common configurations                                      4
+      2.3. Conventions                                                7
+          2.3.1. Preferred name syntax                                7
+          2.3.2. Data Transmission Order                              8
+          2.3.3. Character Case                                       9
+          2.3.4. Size limits                                         10
+  3. DOMAIN NAME SPACE AND RR DEFINITIONS                            10
+      3.1. Name space definitions                                    10
+      3.2. RR definitions                                            11
+          3.2.1. Format                                              11
+          3.2.2. TYPE values                                         12
+          3.2.3. QTYPE values                                        12
+          3.2.4. CLASS values                                        13
+
+
+
+Mockapetris                                                     [Page 1]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+          3.2.5. QCLASS values                                       13
+      3.3. Standard RRs                                              13
+          3.3.1. CNAME RDATA format                                  14
+          3.3.2. HINFO RDATA format                                  14
+          3.3.3. MB RDATA format (EXPERIMENTAL)                      14
+          3.3.4. MD RDATA format (Obsolete)                          15
+          3.3.5. MF RDATA format (Obsolete)                          15
+          3.3.6. MG RDATA format (EXPERIMENTAL)                      16
+          3.3.7. MINFO RDATA format (EXPERIMENTAL)                   16
+          3.3.8. MR RDATA format (EXPERIMENTAL)                      17
+          3.3.9. MX RDATA format                                     17
+          3.3.10. NULL RDATA format (EXPERIMENTAL)                   17
+          3.3.11. NS RDATA format                                    18
+          3.3.12. PTR RDATA format                                   18
+          3.3.13. SOA RDATA format                                   19
+          3.3.14. TXT RDATA format                                   20
+      3.4. ARPA Internet specific RRs                                20
+          3.4.1. A RDATA format                                      20
+          3.4.2. WKS RDATA format                                    21
+      3.5. IN-ADDR.ARPA domain                                       22
+      3.6. Defining new types, classes, and special namespaces       24
+  4. MESSAGES                                                        25
+      4.1. Format                                                    25
+          4.1.1. Header section format                               26
+          4.1.2. Question section format                             28
+          4.1.3. Resource record format                              29
+          4.1.4. Message compression                                 30
+      4.2. Transport                                                 32
+          4.2.1. UDP usage                                           32
+          4.2.2. TCP usage                                           32
+  5. MASTER FILES                                                    33
+      5.1. Format                                                    33
+      5.2. Use of master files to define zones                       35
+      5.3. Master file example                                       36
+  6. NAME SERVER IMPLEMENTATION                                      37
+      6.1. Architecture                                              37
+          6.1.1. Control                                             37
+          6.1.2. Database                                            37
+          6.1.3. Time                                                39
+      6.2. Standard query processing                                 39
+      6.3. Zone refresh and reload processing                        39
+      6.4. Inverse queries (Optional)                                40
+          6.4.1. The contents of inverse queries and responses       40
+          6.4.2. Inverse query and response example                  41
+          6.4.3. Inverse query processing                            42
+
+
+
+
+
+
+Mockapetris                                                     [Page 2]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+      6.5. Completion queries and responses                          42
+  7. RESOLVER IMPLEMENTATION                                         43
+      7.1. Transforming a user request into a query                  43
+      7.2. Sending the queries                                       44
+      7.3. Processing responses                                      46
+      7.4. Using the cache                                           47
+  8. MAIL SUPPORT                                                    47
+      8.1. Mail exchange binding                                     48
+      8.2. Mailbox binding (Experimental)                            48
+  9. REFERENCES and BIBLIOGRAPHY                                     50
+  Index                                                              54
+
+2. INTRODUCTION
+
+2.1. Overview
+
+The goal of domain names is to provide a mechanism for naming resources
+in such a way that the names are usable in different hosts, networks,
+protocol families, internets, and administrative organizations.
+
+From the user's point of view, domain names are useful as arguments to a
+local agent, called a resolver, which retrieves information associated
+with the domain name.  Thus a user might ask for the host address or
+mail information associated with a particular domain name.  To enable
+the user to request a particular type of information, an appropriate
+query type is passed to the resolver with the domain name.  To the user,
+the domain tree is a single information space; the resolver is
+responsible for hiding the distribution of data among name servers from
+the user.
+
+From the resolver's point of view, the database that makes up the domain
+space is distributed among various name servers.  Different parts of the
+domain space are stored in different name servers, although a particular
+data item will be stored redundantly in two or more name servers.  The
+resolver starts with knowledge of at least one name server.  When the
+resolver processes a user query it asks a known name server for the
+information; in return, the resolver either receives the desired
+information or a referral to another name server.  Using these
+referrals, resolvers learn the identities and contents of other name
+servers.  Resolvers are responsible for dealing with the distribution of
+the domain space and dealing with the effects of name server failure by
+consulting redundant databases in other servers.
+
+Name servers manage two kinds of data.  The first kind of data held in
+sets called zones; each zone is the complete database for a particular
+"pruned" subtree of the domain space.  This data is called
+authoritative.  A name server periodically checks to make sure that its
+zones are up to date, and if not, obtains a new copy of updated zones
+
+
+
+Mockapetris                                                     [Page 3]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+from master files stored locally or in another name server.  The second
+kind of data is cached data which was acquired by a local resolver.
+This data may be incomplete, but improves the performance of the
+retrieval process when non-local data is repeatedly accessed.  Cached
+data is eventually discarded by a timeout mechanism.
+
+This functional structure isolates the problems of user interface,
+failure recovery, and distribution in the resolvers and isolates the
+database update and refresh problems in the name servers.
+
+2.2. Common configurations
+
+A host can participate in the domain name system in a number of ways,
+depending on whether the host runs programs that retrieve information
+from the domain system, name servers that answer queries from other
+hosts, or various combinations of both functions.  The simplest, and
+perhaps most typical, configuration is shown below:
+
+                 Local Host                        |  Foreign
+                                                   |
+    +---------+               +----------+         |  +--------+
+    |         | user queries  |          |queries  |  |        |
+    |  User   |-------------->|          |---------|->|Foreign |
+    | Program |               | Resolver |         |  |  Name  |
+    |         |<--------------|          |<--------|--| Server |
+    |         | user responses|          |responses|  |        |
+    +---------+               +----------+         |  +--------+
+                                |     A            |
+                cache additions |     | references |
+                                V     |            |
+                              +----------+         |
+                              |  cache   |         |
+                              +----------+         |
+
+User programs interact with the domain name space through resolvers; the
+format of user queries and user responses is specific to the host and
+its operating system.  User queries will typically be operating system
+calls, and the resolver and its cache will be part of the host operating
+system.  Less capable hosts may choose to implement the resolver as a
+subroutine to be linked in with every program that needs its services.
+Resolvers answer user queries with information they acquire via queries
+to foreign name servers and the local cache.
+
+Note that the resolver may have to make several queries to several
+different foreign name servers to answer a particular user query, and
+hence the resolution of a user query may involve several network
+accesses and an arbitrary amount of time.  The queries to foreign name
+servers and the corresponding responses have a standard format described
+
+
+
+Mockapetris                                                     [Page 4]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+in this memo, and may be datagrams.
+
+Depending on its capabilities, a name server could be a stand alone
+program on a dedicated machine or a process or processes on a large
+timeshared host.  A simple configuration might be:
+
+                 Local Host                        |  Foreign
+                                                   |
+      +---------+                                  |
+     /         /|                                  |
+    +---------+ |             +----------+         |  +--------+
+    |         | |             |          |responses|  |        |
+    |         | |             |   Name   |---------|->|Foreign |
+    |  Master |-------------->|  Server  |         |  |Resolver|
+    |  files  | |             |          |<--------|--|        |
+    |         |/              |          | queries |  +--------+
+    +---------+               +----------+         |
+
+Here a primary name server acquires information about one or more zones
+by reading master files from its local file system, and answers queries
+about those zones that arrive from foreign resolvers.
+
+The DNS requires that all zones be redundantly supported by more than
+one name server.  Designated secondary servers can acquire zones and
+check for updates from the primary server using the zone transfer
+protocol of the DNS.  This configuration is shown below:
+
+                 Local Host                        |  Foreign
+                                                   |
+      +---------+                                  |
+     /         /|                                  |
+    +---------+ |             +----------+         |  +--------+
+    |         | |             |          |responses|  |        |
+    |         | |             |   Name   |---------|->|Foreign |
+    |  Master |-------------->|  Server  |         |  |Resolver|
+    |  files  | |             |          |<--------|--|        |
+    |         |/              |          | queries |  +--------+
+    +---------+               +----------+         |
+                                A     |maintenance |  +--------+
+                                |     +------------|->|        |
+                                |      queries     |  |Foreign |
+                                |                  |  |  Name  |
+                                +------------------|--| Server |
+                             maintenance responses |  +--------+
+
+In this configuration, the name server periodically establishes a
+virtual circuit to a foreign name server to acquire a copy of a zone or
+to check that an existing copy has not changed.  The messages sent for
+
+
+
+Mockapetris                                                     [Page 5]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+these maintenance activities follow the same form as queries and
+responses, but the message sequences are somewhat different.
+
+The information flow in a host that supports all aspects of the domain
+name system is shown below:
+
+                 Local Host                        |  Foreign
+                                                   |
+    +---------+               +----------+         |  +--------+
+    |         | user queries  |          |queries  |  |        |
+    |  User   |-------------->|          |---------|->|Foreign |
+    | Program |               | Resolver |         |  |  Name  |
+    |         |<--------------|          |<--------|--| Server |
+    |         | user responses|          |responses|  |        |
+    +---------+               +----------+         |  +--------+
+                                |     A            |
+                cache additions |     | references |
+                                V     |            |
+                              +----------+         |
+                              |  Shared  |         |
+                              | database |         |
+                              +----------+         |
+                                A     |            |
+      +---------+     refreshes |     | references |
+     /         /|               |     V            |
+    +---------+ |             +----------+         |  +--------+
+    |         | |             |          |responses|  |        |
+    |         | |             |   Name   |---------|->|Foreign |
+    |  Master |-------------->|  Server  |         |  |Resolver|
+    |  files  | |             |          |<--------|--|        |
+    |         |/              |          | queries |  +--------+
+    +---------+               +----------+         |
+                                A     |maintenance |  +--------+
+                                |     +------------|->|        |
+                                |      queries     |  |Foreign |
+                                |                  |  |  Name  |
+                                +------------------|--| Server |
+                             maintenance responses |  +--------+
+
+The shared database holds domain space data for the local name server
+and resolver.  The contents of the shared database will typically be a
+mixture of authoritative data maintained by the periodic refresh
+operations of the name server and cached data from previous resolver
+requests.  The structure of the domain data and the necessity for
+synchronization between name servers and resolvers imply the general
+characteristics of this database, but the actual format is up to the
+local implementor.
+
+
+
+
+Mockapetris                                                     [Page 6]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+Information flow can also be tailored so that a group of hosts act
+together to optimize activities.  Sometimes this is done to offload less
+capable hosts so that they do not have to implement a full resolver.
+This can be appropriate for PCs or hosts which want to minimize the
+amount of new network code which is required.  This scheme can also
+allow a group of hosts can share a small number of caches rather than
+maintaining a large number of separate caches, on the premise that the
+centralized caches will have a higher hit ratio.  In either case,
+resolvers are replaced with stub resolvers which act as front ends to
+resolvers located in a recursive server in one or more name servers
+known to perform that service:
+
+                   Local Hosts                     |  Foreign
+                                                   |
+    +---------+                                    |
+    |         | responses                          |
+    | Stub    |<--------------------+              |
+    | Resolver|                     |              |
+    |         |----------------+    |              |
+    +---------+ recursive      |    |              |
+                queries        |    |              |
+                               V    |              |
+    +---------+ recursive     +----------+         |  +--------+
+    |         | queries       |          |queries  |  |        |
+    | Stub    |-------------->| Recursive|---------|->|Foreign |
+    | Resolver|               | Server   |         |  |  Name  |
+    |         |<--------------|          |<--------|--| Server |
+    +---------+ responses     |          |responses|  |        |
+                              +----------+         |  +--------+
+                              |  Central |         |
+                              |   cache  |         |
+                              +----------+         |
+
+In any case, note that domain components are always replicated for
+reliability whenever possible.
+
+2.3. Conventions
+
+The domain system has several conventions dealing with low-level, but
+fundamental, issues.  While the implementor is free to violate these
+conventions WITHIN HIS OWN SYSTEM, he must observe these conventions in
+ALL behavior observed from other hosts.
+
+2.3.1. Preferred name syntax
+
+The DNS specifications attempt to be as general as possible in the rules
+for constructing domain names.  The idea is that the name of any
+existing object can be expressed as a domain name with minimal changes.
+
+
+
+Mockapetris                                                     [Page 7]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+However, when assigning a domain name for an object, the prudent user
+will select a name which satisfies both the rules of the domain system
+and any existing rules for the object, whether these rules are published
+or implied by existing programs.
+
+For example, when naming a mail domain, the user should satisfy both the
+rules of this memo and those in RFC-822.  When creating a new host name,
+the old rules for HOSTS.TXT should be followed.  This avoids problems
+when old software is converted to use domain names.
+
+The following syntax will result in fewer problems with many
+
+applications that use domain names (e.g., mail, TELNET).
+
+<domain> ::= <subdomain> | " "
+
+<subdomain> ::= <label> | <subdomain> "." <label>
+
+<label> ::= <letter> [ [ <ldh-str> ] <let-dig> ]
+
+<ldh-str> ::= <let-dig-hyp> | <let-dig-hyp> <ldh-str>
+
+<let-dig-hyp> ::= <let-dig> | "-"
+
+<let-dig> ::= <letter> | <digit>
+
+<letter> ::= any one of the 52 alphabetic characters A through Z in
+upper case and a through z in lower case
+
+<digit> ::= any one of the ten digits 0 through 9
+
+Note that while upper and lower case letters are allowed in domain
+names, no significance is attached to the case.  That is, two names with
+the same spelling but different case are to be treated as if identical.
+
+The labels must follow the rules for ARPANET host names.  They must
+start with a letter, end with a letter or digit, and have as interior
+characters only letters, digits, and hyphen.  There are also some
+restrictions on the length.  Labels must be 63 characters or less.
+
+For example, the following strings identify hosts in the Internet:
+
+A.ISI.EDU XX.LCS.MIT.EDU SRI-NIC.ARPA
+
+2.3.2. Data Transmission Order
+
+The order of transmission of the header and data described in this
+document is resolved to the octet level.  Whenever a diagram shows a
+
+
+
+Mockapetris                                                     [Page 8]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+group of octets, the order of transmission of those octets is the normal
+order in which they are read in English.  For example, in the following
+diagram, the octets are transmitted in the order they are numbered.
+
+     0                   1
+     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    |       1       |       2       |
+    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    |       3       |       4       |
+    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    |       5       |       6       |
+    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+Whenever an octet represents a numeric quantity, the left most bit in
+the diagram is the high order or most significant bit.  That is, the bit
+labeled 0 is the most significant bit.  For example, the following
+diagram represents the value 170 (decimal).
+
+     0 1 2 3 4 5 6 7
+    +-+-+-+-+-+-+-+-+
+    |1 0 1 0 1 0 1 0|
+    +-+-+-+-+-+-+-+-+
+
+Similarly, whenever a multi-octet field represents a numeric quantity
+the left most bit of the whole field is the most significant bit.  When
+a multi-octet quantity is transmitted the most significant octet is
+transmitted first.
+
+2.3.3. Character Case
+
+For all parts of the DNS that are part of the official protocol, all
+comparisons between character strings (e.g., labels, domain names, etc.)
+are done in a case-insensitive manner.  At present, this rule is in
+force throughout the domain system without exception.  However, future
+additions beyond current usage may need to use the full binary octet
+capabilities in names, so attempts to store domain names in 7-bit ASCII
+or use of special bytes to terminate labels, etc., should be avoided.
+
+When data enters the domain system, its original case should be
+preserved whenever possible.  In certain circumstances this cannot be
+done.  For example, if two RRs are stored in a database, one at x.y and
+one at X.Y, they are actually stored at the same place in the database,
+and hence only one casing would be preserved.  The basic rule is that
+case can be discarded only when data is used to define structure in a
+database, and two names are identical when compared in a case
+insensitive manner.
+
+
+
+
+Mockapetris                                                     [Page 9]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+Loss of case sensitive data must be minimized.  Thus while data for x.y
+and X.Y may both be stored under a single location x.y or X.Y, data for
+a.x and B.X would never be stored under A.x, A.X, b.x, or b.X.  In
+general, this preserves the case of the first label of a domain name,
+but forces standardization of interior node labels.
+
+Systems administrators who enter data into the domain database should
+take care to represent the data they supply to the domain system in a
+case-consistent manner if their system is case-sensitive.  The data
+distribution system in the domain system will ensure that consistent
+representations are preserved.
+
+2.3.4. Size limits
+
+Various objects and parameters in the DNS have size limits.  They are
+listed below.  Some could be easily changed, others are more
+fundamental.
+
+labels          63 octets or less
+
+names           255 octets or less
+
+TTL             positive values of a signed 32 bit number.
+
+UDP messages    512 octets or less
+
+3. DOMAIN NAME SPACE AND RR DEFINITIONS
+
+3.1. Name space definitions
+
+Domain names in messages are expressed in terms of a sequence of labels.
+Each label is represented as a one octet length field followed by that
+number of octets.  Since every domain name ends with the null label of
+the root, a domain name is terminated by a length byte of zero.  The
+high order two bits of every length octet must be zero, and the
+remaining six bits of the length field limit the label to 63 octets or
+less.
+
+To simplify implementations, the total length of a domain name (i.e.,
+label octets and label length octets) is restricted to 255 octets or
+less.
+
+Although labels can contain any 8 bit values in octets that make up a
+label, it is strongly recommended that labels follow the preferred
+syntax described elsewhere in this memo, which is compatible with
+existing host naming conventions.  Name servers and resolvers must
+compare labels in a case-insensitive manner (i.e., A=a), assuming ASCII
+with zero parity.  Non-alphabetic codes must match exactly.
+
+
+
+Mockapetris                                                    [Page 10]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+3.2. RR definitions
+
+3.2.1. Format
+
+All RRs have the same top level format shown below:
+
+                                    1  1  1  1  1  1
+      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                                               |
+    /                                               /
+    /                      NAME                     /
+    |                                               |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                      TYPE                     |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                     CLASS                     |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                      TTL                      |
+    |                                               |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                   RDLENGTH                    |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--|
+    /                     RDATA                     /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+
+where:
+
+NAME            an owner name, i.e., the name of the node to which this
+                resource record pertains.
+
+TYPE            two octets containing one of the RR TYPE codes.
+
+CLASS           two octets containing one of the RR CLASS codes.
+
+TTL             a 32 bit signed integer that specifies the time interval
+                that the resource record may be cached before the source
+                of the information should again be consulted.  Zero
+                values are interpreted to mean that the RR can only be
+                used for the transaction in progress, and should not be
+                cached.  For example, SOA records are always distributed
+                with a zero TTL to prohibit caching.  Zero values can
+                also be used for extremely volatile data.
+
+RDLENGTH        an unsigned 16 bit integer that specifies the length in
+                octets of the RDATA field.
+
+
+
+Mockapetris                                                    [Page 11]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+RDATA           a variable length string of octets that describes the
+                resource.  The format of this information varies
+                according to the TYPE and CLASS of the resource record.
+
+3.2.2. TYPE values
+
+TYPE fields are used in resource records.  Note that these types are a
+subset of QTYPEs.
+
+TYPE            value and meaning
+
+A               1 a host address
+
+NS              2 an authoritative name server
+
+MD              3 a mail destination (Obsolete - use MX)
+
+MF              4 a mail forwarder (Obsolete - use MX)
+
+CNAME           5 the canonical name for an alias
+
+SOA             6 marks the start of a zone of authority
+
+MB              7 a mailbox domain name (EXPERIMENTAL)
+
+MG              8 a mail group member (EXPERIMENTAL)
+
+MR              9 a mail rename domain name (EXPERIMENTAL)
+
+NULL            10 a null RR (EXPERIMENTAL)
+
+WKS             11 a well known service description
+
+PTR             12 a domain name pointer
+
+HINFO           13 host information
+
+MINFO           14 mailbox or mail list information
+
+MX              15 mail exchange
+
+TXT             16 text strings
+
+3.2.3. QTYPE values
+
+QTYPE fields appear in the question part of a query.  QTYPES are a
+superset of TYPEs, hence all TYPEs are valid QTYPEs.  In addition, the
+following QTYPEs are defined:
+
+
+
+Mockapetris                                                    [Page 12]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+AXFR            252 A request for a transfer of an entire zone
+
+MAILB           253 A request for mailbox-related records (MB, MG or MR)
+
+MAILA           254 A request for mail agent RRs (Obsolete - see MX)
+
+*               255 A request for all records
+
+3.2.4. CLASS values
+
+CLASS fields appear in resource records.  The following CLASS mnemonics
+and values are defined:
+
+IN              1 the Internet
+
+CS              2 the CSNET class (Obsolete - used only for examples in
+                some obsolete RFCs)
+
+CH              3 the CHAOS class
+
+HS              4 Hesiod [Dyer 87]
+
+3.2.5. QCLASS values
+
+QCLASS fields appear in the question section of a query.  QCLASS values
+are a superset of CLASS values; every CLASS is a valid QCLASS.  In
+addition to CLASS values, the following QCLASSes are defined:
+
+*               255 any class
+
+3.3. Standard RRs
+
+The following RR definitions are expected to occur, at least
+potentially, in all classes.  In particular, NS, SOA, CNAME, and PTR
+will be used in all classes, and have the same format in all classes.
+Because their RDATA format is known, all domain names in the RDATA
+section of these RRs may be compressed.
+
+<domain-name> is a domain name represented as a series of labels, and
+terminated by a label with zero length.  <character-string> is a single
+length octet followed by that number of characters.  <character-string>
+is treated as binary information, and can be up to 256 characters in
+length (including the length octet).
+
+
+
+
+
+
+
+
+Mockapetris                                                    [Page 13]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+3.3.1. CNAME RDATA format
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                     CNAME                     /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+CNAME           A <domain-name> which specifies the canonical or primary
+                name for the owner.  The owner name is an alias.
+
+CNAME RRs cause no additional section processing, but name servers may
+choose to restart the query at the canonical name in certain cases.  See
+the description of name server logic in [RFC-1034] for details.
+
+3.3.2. HINFO RDATA format
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                      CPU                      /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                       OS                      /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+CPU             A <character-string> which specifies the CPU type.
+
+OS              A <character-string> which specifies the operating
+                system type.
+
+Standard values for CPU and OS can be found in [RFC-1010].
+
+HINFO records are used to acquire general information about a host.  The
+main use is for protocols such as FTP that can use special procedures
+when talking between machines or operating systems of the same type.
+
+3.3.3. MB RDATA format (EXPERIMENTAL)
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                   MADNAME                     /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+MADNAME         A <domain-name> which specifies a host which has the
+                specified mailbox.
+
+
+
+Mockapetris                                                    [Page 14]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+MB records cause additional section processing which looks up an A type
+RRs corresponding to MADNAME.
+
+3.3.4. MD RDATA format (Obsolete)
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                   MADNAME                     /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+MADNAME         A <domain-name> which specifies a host which has a mail
+                agent for the domain which should be able to deliver
+                mail for the domain.
+
+MD records cause additional section processing which looks up an A type
+record corresponding to MADNAME.
+
+MD is obsolete.  See the definition of MX and [RFC-974] for details of
+the new scheme.  The recommended policy for dealing with MD RRs found in
+a master file is to reject them, or to convert them to MX RRs with a
+preference of 0.
+
+3.3.5. MF RDATA format (Obsolete)
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                   MADNAME                     /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+MADNAME         A <domain-name> which specifies a host which has a mail
+                agent for the domain which will accept mail for
+                forwarding to the domain.
+
+MF records cause additional section processing which looks up an A type
+record corresponding to MADNAME.
+
+MF is obsolete.  See the definition of MX and [RFC-974] for details ofw
+the new scheme.  The recommended policy for dealing with MD RRs found in
+a master file is to reject them, or to convert them to MX RRs with a
+preference of 10.
+
+
+
+
+
+
+
+Mockapetris                                                    [Page 15]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+3.3.6. MG RDATA format (EXPERIMENTAL)
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                   MGMNAME                     /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+MGMNAME         A <domain-name> which specifies a mailbox which is a
+                member of the mail group specified by the domain name.
+
+MG records cause no additional section processing.
+
+3.3.7. MINFO RDATA format (EXPERIMENTAL)
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                    RMAILBX                    /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                    EMAILBX                    /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+RMAILBX         A <domain-name> which specifies a mailbox which is
+                responsible for the mailing list or mailbox.  If this
+                domain name names the root, the owner of the MINFO RR is
+                responsible for itself.  Note that many existing mailing
+                lists use a mailbox X-request for the RMAILBX field of
+                mailing list X, e.g., Msgroup-request for Msgroup.  This
+                field provides a more general mechanism.
+
+
+EMAILBX         A <domain-name> which specifies a mailbox which is to
+                receive error messages related to the mailing list or
+                mailbox specified by the owner of the MINFO RR (similar
+                to the ERRORS-TO: field which has been proposed).  If
+                this domain name names the root, errors should be
+                returned to the sender of the message.
+
+MINFO records cause no additional section processing.  Although these
+records can be associated with a simple mailbox, they are usually used
+with a mailing list.
+
+
+
+
+
+
+
+
+Mockapetris                                                    [Page 16]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+3.3.8. MR RDATA format (EXPERIMENTAL)
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                   NEWNAME                     /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+NEWNAME         A <domain-name> which specifies a mailbox which is the
+                proper rename of the specified mailbox.
+
+MR records cause no additional section processing.  The main use for MR
+is as a forwarding entry for a user who has moved to a different
+mailbox.
+
+3.3.9. MX RDATA format
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                  PREFERENCE                   |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                   EXCHANGE                    /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+PREFERENCE      A 16 bit integer which specifies the preference given to
+                this RR among others at the same owner.  Lower values
+                are preferred.
+
+EXCHANGE        A <domain-name> which specifies a host willing to act as
+                a mail exchange for the owner name.
+
+MX records cause type A additional section processing for the host
+specified by EXCHANGE.  The use of MX RRs is explained in detail in
+[RFC-974].
+
+3.3.10. NULL RDATA format (EXPERIMENTAL)
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                  <anything>                   /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+Anything at all may be in the RDATA field so long as it is 65535 octets
+or less.
+
+
+
+
+Mockapetris                                                    [Page 17]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+NULL records cause no additional section processing.  NULL RRs are not
+allowed in master files.  NULLs are used as placeholders in some
+experimental extensions of the DNS.
+
+3.3.11. NS RDATA format
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                   NSDNAME                     /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+NSDNAME         A <domain-name> which specifies a host which should be
+                authoritative for the specified class and domain.
+
+NS records cause both the usual additional section processing to locate
+a type A record, and, when used in a referral, a special search of the
+zone in which they reside for glue information.
+
+The NS RR states that the named host should be expected to have a zone
+starting at owner name of the specified class.  Note that the class may
+not indicate the protocol family which should be used to communicate
+with the host, although it is typically a strong hint.  For example,
+hosts which are name servers for either Internet (IN) or Hesiod (HS)
+class information are normally queried using IN class protocols.
+
+3.3.12. PTR RDATA format
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                   PTRDNAME                    /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+PTRDNAME        A <domain-name> which points to some location in the
+                domain name space.
+
+PTR records cause no additional section processing.  These RRs are used
+in special domains to point to some other location in the domain space.
+These records are simple data, and don't imply any special processing
+similar to that performed by CNAME, which identifies aliases.  See the
+description of the IN-ADDR.ARPA domain for an example.
+
+
+
+
+
+
+
+
+Mockapetris                                                    [Page 18]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+3.3.13. SOA RDATA format
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                     MNAME                     /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                     RNAME                     /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                    SERIAL                     |
+    |                                               |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                    REFRESH                    |
+    |                                               |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                     RETRY                     |
+    |                                               |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                    EXPIRE                     |
+    |                                               |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                    MINIMUM                    |
+    |                                               |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+MNAME           The <domain-name> of the name server that was the
+                original or primary source of data for this zone.
+
+RNAME           A <domain-name> which specifies the mailbox of the
+                person responsible for this zone.
+
+SERIAL          The unsigned 32 bit version number of the original copy
+                of the zone.  Zone transfers preserve this value.  This
+                value wraps and should be compared using sequence space
+                arithmetic.
+
+REFRESH         A 32 bit time interval before the zone should be
+                refreshed.
+
+RETRY           A 32 bit time interval that should elapse before a
+                failed refresh should be retried.
+
+EXPIRE          A 32 bit time value that specifies the upper limit on
+                the time interval that can elapse before the zone is no
+                longer authoritative.
+
+
+
+
+
+Mockapetris                                                    [Page 19]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+MINIMUM         The unsigned 32 bit minimum TTL field that should be
+                exported with any RR from this zone.
+
+SOA records cause no additional section processing.
+
+All times are in units of seconds.
+
+Most of these fields are pertinent only for name server maintenance
+operations.  However, MINIMUM is used in all query operations that
+retrieve RRs from a zone.  Whenever a RR is sent in a response to a
+query, the TTL field is set to the maximum of the TTL field from the RR
+and the MINIMUM field in the appropriate SOA.  Thus MINIMUM is a lower
+bound on the TTL field for all RRs in a zone.  Note that this use of
+MINIMUM should occur when the RRs are copied into the response and not
+when the zone is loaded from a master file or via a zone transfer.  The
+reason for this provison is to allow future dynamic update facilities to
+change the SOA RR with known semantics.
+
+
+3.3.14. TXT RDATA format
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                   TXT-DATA                    /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+TXT-DATA        One or more <character-string>s.
+
+TXT RRs are used to hold descriptive text.  The semantics of the text
+depends on the domain where it is found.
+
+3.4. Internet specific RRs
+
+3.4.1. A RDATA format
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                    ADDRESS                    |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+ADDRESS         A 32 bit Internet address.
+
+Hosts that have multiple Internet addresses will have multiple A
+records.
+
+
+
+
+
+Mockapetris                                                    [Page 20]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+A records cause no additional section processing.  The RDATA section of
+an A line in a master file is an Internet address expressed as four
+decimal numbers separated by dots without any embedded spaces (e.g.,
+"10.2.0.52" or "192.0.5.6").
+
+3.4.2. WKS RDATA format
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                    ADDRESS                    |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |       PROTOCOL        |                       |
+    +--+--+--+--+--+--+--+--+                       |
+    |                                               |
+    /                   <BIT MAP>                   /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+ADDRESS         An 32 bit Internet address
+
+PROTOCOL        An 8 bit IP protocol number
+
+<BIT MAP>       A variable length bit map.  The bit map must be a
+                multiple of 8 bits long.
+
+The WKS record is used to describe the well known services supported by
+a particular protocol on a particular internet address.  The PROTOCOL
+field specifies an IP protocol number, and the bit map has one bit per
+port of the specified protocol.  The first bit corresponds to port 0,
+the second to port 1, etc.  If the bit map does not include a bit for a
+protocol of interest, that bit is assumed zero.  The appropriate values
+and mnemonics for ports and protocols are specified in [RFC-1010].
+
+For example, if PROTOCOL=TCP (6), the 26th bit corresponds to TCP port
+25 (SMTP).  If this bit is set, a SMTP server should be listening on TCP
+port 25; if zero, SMTP service is not supported on the specified
+address.
+
+The purpose of WKS RRs is to provide availability information for
+servers for TCP and UDP.  If a server supports both TCP and UDP, or has
+multiple Internet addresses, then multiple WKS RRs are used.
+
+WKS RRs cause no additional section processing.
+
+In master files, both ports and protocols are expressed using mnemonics
+or decimal numbers.
+
+
+
+
+Mockapetris                                                    [Page 21]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+3.5. IN-ADDR.ARPA domain
+
+The Internet uses a special domain to support gateway location and
+Internet address to host mapping.  Other classes may employ a similar
+strategy in other domains.  The intent of this domain is to provide a
+guaranteed method to perform host address to host name mapping, and to
+facilitate queries to locate all gateways on a particular network in the
+Internet.
+
+Note that both of these services are similar to functions that could be
+performed by inverse queries; the difference is that this part of the
+domain name space is structured according to address, and hence can
+guarantee that the appropriate data can be located without an exhaustive
+search of the domain space.
+
+The domain begins at IN-ADDR.ARPA and has a substructure which follows
+the Internet addressing structure.
+
+Domain names in the IN-ADDR.ARPA domain are defined to have up to four
+labels in addition to the IN-ADDR.ARPA suffix.  Each label represents
+one octet of an Internet address, and is expressed as a character string
+for a decimal value in the range 0-255 (with leading zeros omitted
+except in the case of a zero octet which is represented by a single
+zero).
+
+Host addresses are represented by domain names that have all four labels
+specified.  Thus data for Internet address 10.2.0.52 is located at
+domain name 52.0.2.10.IN-ADDR.ARPA.  The reversal, though awkward to
+read, allows zones to be delegated which are exactly one network of
+address space.  For example, 10.IN-ADDR.ARPA can be a zone containing
+data for the ARPANET, while 26.IN-ADDR.ARPA can be a separate zone for
+MILNET.  Address nodes are used to hold pointers to primary host names
+in the normal domain space.
+
+Network numbers correspond to some non-terminal nodes at various depths
+in the IN-ADDR.ARPA domain, since Internet network numbers are either 1,
+2, or 3 octets.  Network nodes are used to hold pointers to the primary
+host names of gateways attached to that network.  Since a gateway is, by
+definition, on more than one network, it will typically have two or more
+network nodes which point at it.  Gateways will also have host level
+pointers at their fully qualified addresses.
+
+Both the gateway pointers at network nodes and the normal host pointers
+at full address nodes use the PTR RR to point back to the primary domain
+names of the corresponding hosts.
+
+For example, the IN-ADDR.ARPA domain will contain information about the
+ISI gateway between net 10 and 26, an MIT gateway from net 10 to MIT's
+
+
+
+Mockapetris                                                    [Page 22]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+net 18, and hosts A.ISI.EDU and MULTICS.MIT.EDU.  Assuming that ISI
+gateway has addresses 10.2.0.22 and 26.0.0.103, and a name MILNET-
+GW.ISI.EDU, and the MIT gateway has addresses 10.0.0.77 and 18.10.0.4
+and a name GW.LCS.MIT.EDU, the domain database would contain:
+
+    10.IN-ADDR.ARPA.           PTR MILNET-GW.ISI.EDU.
+    10.IN-ADDR.ARPA.           PTR GW.LCS.MIT.EDU.
+    18.IN-ADDR.ARPA.           PTR GW.LCS.MIT.EDU.
+    26.IN-ADDR.ARPA.           PTR MILNET-GW.ISI.EDU.
+    22.0.2.10.IN-ADDR.ARPA.    PTR MILNET-GW.ISI.EDU.
+    103.0.0.26.IN-ADDR.ARPA.   PTR MILNET-GW.ISI.EDU.
+    77.0.0.10.IN-ADDR.ARPA.    PTR GW.LCS.MIT.EDU.
+    4.0.10.18.IN-ADDR.ARPA.    PTR GW.LCS.MIT.EDU.
+    103.0.3.26.IN-ADDR.ARPA.   PTR A.ISI.EDU.
+    6.0.0.10.IN-ADDR.ARPA.     PTR MULTICS.MIT.EDU.
+
+Thus a program which wanted to locate gateways on net 10 would originate
+a query of the form QTYPE=PTR, QCLASS=IN, QNAME=10.IN-ADDR.ARPA.  It
+would receive two RRs in response:
+
+    10.IN-ADDR.ARPA.           PTR MILNET-GW.ISI.EDU.
+    10.IN-ADDR.ARPA.           PTR GW.LCS.MIT.EDU.
+
+The program could then originate QTYPE=A, QCLASS=IN queries for MILNET-
+GW.ISI.EDU. and GW.LCS.MIT.EDU. to discover the Internet addresses of
+these gateways.
+
+A resolver which wanted to find the host name corresponding to Internet
+host address 10.0.0.6 would pursue a query of the form QTYPE=PTR,
+QCLASS=IN, QNAME=6.0.0.10.IN-ADDR.ARPA, and would receive:
+
+    6.0.0.10.IN-ADDR.ARPA.     PTR MULTICS.MIT.EDU.
+
+Several cautions apply to the use of these services:
+   - Since the IN-ADDR.ARPA special domain and the normal domain
+     for a particular host or gateway will be in different zones,
+     the possibility exists that that the data may be inconsistent.
+
+   - Gateways will often have two names in separate domains, only
+     one of which can be primary.
+
+   - Systems that use the domain database to initialize their
+     routing tables must start with enough gateway information to
+     guarantee that they can access the appropriate name server.
+
+   - The gateway data only reflects the existence of a gateway in a
+     manner equivalent to the current HOSTS.TXT file.  It doesn't
+     replace the dynamic availability information from GGP or EGP.
+
+
+
+Mockapetris                                                    [Page 23]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+3.6. Defining new types, classes, and special namespaces
+
+The previously defined types and classes are the ones in use as of the
+date of this memo.  New definitions should be expected.  This section
+makes some recommendations to designers considering additions to the
+existing facilities.  The mailing list NAMEDROPPERS@SRI-NIC.ARPA is the
+forum where general discussion of design issues takes place.
+
+In general, a new type is appropriate when new information is to be
+added to the database about an existing object, or we need new data
+formats for some totally new object.  Designers should attempt to define
+types and their RDATA formats that are generally applicable to all
+classes, and which avoid duplication of information.  New classes are
+appropriate when the DNS is to be used for a new protocol, etc which
+requires new class-specific data formats, or when a copy of the existing
+name space is desired, but a separate management domain is necessary.
+
+New types and classes need mnemonics for master files; the format of the
+master files requires that the mnemonics for type and class be disjoint.
+
+TYPE and CLASS values must be a proper subset of QTYPEs and QCLASSes
+respectively.
+
+The present system uses multiple RRs to represent multiple values of a
+type rather than storing multiple values in the RDATA section of a
+single RR.  This is less efficient for most applications, but does keep
+RRs shorter.  The multiple RRs assumption is incorporated in some
+experimental work on dynamic update methods.
+
+The present system attempts to minimize the duplication of data in the
+database in order to insure consistency.  Thus, in order to find the
+address of the host for a mail exchange, you map the mail domain name to
+a host name, then the host name to addresses, rather than a direct
+mapping to host address.  This approach is preferred because it avoids
+the opportunity for inconsistency.
+
+In defining a new type of data, multiple RR types should not be used to
+create an ordering between entries or express different formats for
+equivalent bindings, instead this information should be carried in the
+body of the RR and a single type used.  This policy avoids problems with
+caching multiple types and defining QTYPEs to match multiple types.
+
+For example, the original form of mail exchange binding used two RR
+types one to represent a "closer" exchange (MD) and one to represent a
+"less close" exchange (MF).  The difficulty is that the presence of one
+RR type in a cache doesn't convey any information about the other
+because the query which acquired the cached information might have used
+a QTYPE of MF, MD, or MAILA (which matched both).  The redesigned
+
+
+
+Mockapetris                                                    [Page 24]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+service used a single type (MX) with a "preference" value in the RDATA
+section which can order different RRs.  However, if any MX RRs are found
+in the cache, then all should be there.
+
+4. MESSAGES
+
+4.1. Format
+
+All communications inside of the domain protocol are carried in a single
+format called a message.  The top level format of message is divided
+into 5 sections (some of which are empty in certain cases) shown below:
+
+    +---------------------+
+    |        Header       |
+    +---------------------+
+    |       Question      | the question for the name server
+    +---------------------+
+    |        Answer       | RRs answering the question
+    +---------------------+
+    |      Authority      | RRs pointing toward an authority
+    +---------------------+
+    |      Additional     | RRs holding additional information
+    +---------------------+
+
+The header section is always present.  The header includes fields that
+specify which of the remaining sections are present, and also specify
+whether the message is a query or a response, a standard query or some
+other opcode, etc.
+
+The names of the sections after the header are derived from their use in
+standard queries.  The question section contains fields that describe a
+question to a name server.  These fields are a query type (QTYPE), a
+query class (QCLASS), and a query domain name (QNAME).  The last three
+sections have the same format: a possibly empty list of concatenated
+resource records (RRs).  The answer section contains RRs that answer the
+question; the authority section contains RRs that point toward an
+authoritative name server; the additional records section contains RRs
+which relate to the query, but are not strictly answers for the
+question.
+
+
+
+
+
+
+
+
+
+
+
+
+Mockapetris                                                    [Page 25]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+4.1.1. Header section format
+
+The header contains the following fields:
+
+                                    1  1  1  1  1  1
+      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                      ID                       |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |QR|   Opcode  |AA|TC|RD|RA|   Z    |   RCODE   |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                    QDCOUNT                    |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                    ANCOUNT                    |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                    NSCOUNT                    |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                    ARCOUNT                    |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+ID              A 16 bit identifier assigned by the program that
+                generates any kind of query.  This identifier is copied
+                the corresponding reply and can be used by the requester
+                to match up replies to outstanding queries.
+
+QR              A one bit field that specifies whether this message is a
+                query (0), or a response (1).
+
+OPCODE          A four bit field that specifies kind of query in this
+                message.  This value is set by the originator of a query
+                and copied into the response.  The values are:
+
+                0               a standard query (QUERY)
+
+                1               an inverse query (IQUERY)
+
+                2               a server status request (STATUS)
+
+                3-15            reserved for future use
+
+AA              Authoritative Answer - this bit is valid in responses,
+                and specifies that the responding name server is an
+                authority for the domain name in question section.
+
+                Note that the contents of the answer section may have
+                multiple owner names because of aliases.  The AA bit
+
+
+
+Mockapetris                                                    [Page 26]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+                corresponds to the name which matches the query name, or
+                the first owner name in the answer section.
+
+TC              TrunCation - specifies that this message was truncated
+                due to length greater than that permitted on the
+                transmission channel.
+
+RD              Recursion Desired - this bit may be set in a query and
+                is copied into the response.  If RD is set, it directs
+                the name server to pursue the query recursively.
+                Recursive query support is optional.
+
+RA              Recursion Available - this be is set or cleared in a
+                response, and denotes whether recursive query support is
+                available in the name server.
+
+Z               Reserved for future use.  Must be zero in all queries
+                and responses.
+
+RCODE           Response code - this 4 bit field is set as part of
+                responses.  The values have the following
+                interpretation:
+
+                0               No error condition
+
+                1               Format error - The name server was
+                                unable to interpret the query.
+
+                2               Server failure - The name server was
+                                unable to process this query due to a
+                                problem with the name server.
+
+                3               Name Error - Meaningful only for
+                                responses from an authoritative name
+                                server, this code signifies that the
+                                domain name referenced in the query does
+                                not exist.
+
+                4               Not Implemented - The name server does
+                                not support the requested kind of query.
+
+                5               Refused - The name server refuses to
+                                perform the specified operation for
+                                policy reasons.  For example, a name
+                                server may not wish to provide the
+                                information to the particular requester,
+                                or a name server may not wish to perform
+                                a particular operation (e.g., zone
+
+
+
+Mockapetris                                                    [Page 27]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+                                transfer) for particular data.
+
+                6-15            Reserved for future use.
+
+QDCOUNT         an unsigned 16 bit integer specifying the number of
+                entries in the question section.
+
+ANCOUNT         an unsigned 16 bit integer specifying the number of
+                resource records in the answer section.
+
+NSCOUNT         an unsigned 16 bit integer specifying the number of name
+                server resource records in the authority records
+                section.
+
+ARCOUNT         an unsigned 16 bit integer specifying the number of
+                resource records in the additional records section.
+
+4.1.2. Question section format
+
+The question section is used to carry the "question" in most queries,
+i.e., the parameters that define what is being asked.  The section
+contains QDCOUNT (usually 1) entries, each of the following format:
+
+                                    1  1  1  1  1  1
+      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                                               |
+    /                     QNAME                     /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                     QTYPE                     |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                     QCLASS                    |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+QNAME           a domain name represented as a sequence of labels, where
+                each label consists of a length octet followed by that
+                number of octets.  The domain name terminates with the
+                zero length octet for the null label of the root.  Note
+                that this field may be an odd number of octets; no
+                padding is used.
+
+QTYPE           a two octet code which specifies the type of the query.
+                The values for this field include all codes valid for a
+                TYPE field, together with some more general codes which
+                can match more than one type of RR.
+
+
+
+Mockapetris                                                    [Page 28]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+QCLASS          a two octet code that specifies the class of the query.
+                For example, the QCLASS field is IN for the Internet.
+
+4.1.3. Resource record format
+
+The answer, authority, and additional sections all share the same
+format: a variable number of resource records, where the number of
+records is specified in the corresponding count field in the header.
+Each resource record has the following format:
+                                    1  1  1  1  1  1
+      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                                               |
+    /                                               /
+    /                      NAME                     /
+    |                                               |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                      TYPE                     |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                     CLASS                     |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                      TTL                      |
+    |                                               |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                   RDLENGTH                    |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--|
+    /                     RDATA                     /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+NAME            a domain name to which this resource record pertains.
+
+TYPE            two octets containing one of the RR type codes.  This
+                field specifies the meaning of the data in the RDATA
+                field.
+
+CLASS           two octets which specify the class of the data in the
+                RDATA field.
+
+TTL             a 32 bit unsigned integer that specifies the time
+                interval (in seconds) that the resource record may be
+                cached before it should be discarded.  Zero values are
+                interpreted to mean that the RR can only be used for the
+                transaction in progress, and should not be cached.
+
+
+
+
+
+Mockapetris                                                    [Page 29]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+RDLENGTH        an unsigned 16 bit integer that specifies the length in
+                octets of the RDATA field.
+
+RDATA           a variable length string of octets that describes the
+                resource.  The format of this information varies
+                according to the TYPE and CLASS of the resource record.
+                For example, the if the TYPE is A and the CLASS is IN,
+                the RDATA field is a 4 octet ARPA Internet address.
+
+4.1.4. Message compression
+
+In order to reduce the size of messages, the domain system utilizes a
+compression scheme which eliminates the repetition of domain names in a
+message.  In this scheme, an entire domain name or a list of labels at
+the end of a domain name is replaced with a pointer to a prior occurrence
+of the same name.
+
+The pointer takes the form of a two octet sequence:
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    | 1  1|                OFFSET                   |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+The first two bits are ones.  This allows a pointer to be distinguished
+from a label, since the label must begin with two zero bits because
+labels are restricted to 63 octets or less.  (The 10 and 01 combinations
+are reserved for future use.)  The OFFSET field specifies an offset from
+the start of the message (i.e., the first octet of the ID field in the
+domain header).  A zero offset specifies the first byte of the ID field,
+etc.
+
+The compression scheme allows a domain name in a message to be
+represented as either:
+
+   - a sequence of labels ending in a zero octet
+
+   - a pointer
+
+   - a sequence of labels ending with a pointer
+
+Pointers can only be used for occurrences of a domain name where the
+format is not class specific.  If this were not the case, a name server
+or resolver would be required to know the format of all RRs it handled.
+As yet, there are no such cases, but they may occur in future RDATA
+formats.
+
+If a domain name is contained in a part of the message subject to a
+length field (such as the RDATA section of an RR), and compression is
+
+
+
+Mockapetris                                                    [Page 30]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+used, the length of the compressed name is used in the length
+calculation, rather than the length of the expanded name.
+
+Programs are free to avoid using pointers in messages they generate,
+although this will reduce datagram capacity, and may cause truncation.
+However all programs are required to understand arriving messages that
+contain pointers.
+
+For example, a datagram might need to use the domain names F.ISI.ARPA,
+FOO.F.ISI.ARPA, ARPA, and the root.  Ignoring the other fields of the
+message, these domain names might be represented as:
+
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    20 |           1           |           F           |
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    22 |           3           |           I           |
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    24 |           S           |           I           |
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    26 |           4           |           A           |
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    28 |           R           |           P           |
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    30 |           A           |           0           |
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    40 |           3           |           F           |
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    42 |           O           |           O           |
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    44 | 1  1|                20                       |
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    64 | 1  1|                26                       |
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    92 |           0           |                       |
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+The domain name for F.ISI.ARPA is shown at offset 20.  The domain name
+FOO.F.ISI.ARPA is shown at offset 40; this definition uses a pointer to
+concatenate a label for FOO to the previously defined F.ISI.ARPA.  The
+domain name ARPA is defined at offset 64 using a pointer to the ARPA
+component of the name F.ISI.ARPA at 20; note that this pointer relies on
+ARPA being the last label in the string at 20.  The root domain name is
+
+
+
+Mockapetris                                                    [Page 31]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+defined by a single octet of zeros at 92; the root domain name has no
+labels.
+
+4.2. Transport
+
+The DNS assumes that messages will be transmitted as datagrams or in a
+byte stream carried by a virtual circuit.  While virtual circuits can be
+used for any DNS activity, datagrams are preferred for queries due to
+their lower overhead and better performance.  Zone refresh activities
+must use virtual circuits because of the need for reliable transfer.
+
+The Internet supports name server access using TCP [RFC-793] on server
+port 53 (decimal) as well as datagram access using UDP [RFC-768] on UDP
+port 53 (decimal).
+
+4.2.1. UDP usage
+
+Messages sent using UDP user server port 53 (decimal).
+
+Messages carried by UDP are restricted to 512 bytes (not counting the IP
+or UDP headers).  Longer messages are truncated and the TC bit is set in
+the header.
+
+UDP is not acceptable for zone transfers, but is the recommended method
+for standard queries in the Internet.  Queries sent using UDP may be
+lost, and hence a retransmission strategy is required.  Queries or their
+responses may be reordered by the network, or by processing in name
+servers, so resolvers should not depend on them being returned in order.
+
+The optimal UDP retransmission policy will vary with performance of the
+Internet and the needs of the client, but the following are recommended:
+
+   - The client should try other servers and server addresses
+     before repeating a query to a specific address of a server.
+
+   - The retransmission interval should be based on prior
+     statistics if possible.  Too aggressive retransmission can
+     easily slow responses for the community at large.  Depending
+     on how well connected the client is to its expected servers,
+     the minimum retransmission interval should be 2-5 seconds.
+
+More suggestions on server selection and retransmission policy can be
+found in the resolver section of this memo.
+
+4.2.2. TCP usage
+
+Messages sent over TCP connections use server port 53 (decimal).  The
+message is prefixed with a two byte length field which gives the message
+
+
+
+Mockapetris                                                    [Page 32]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+length, excluding the two byte length field.  This length field allows
+the low-level processing to assemble a complete message before beginning
+to parse it.
+
+Several connection management policies are recommended:
+
+   - The server should not block other activities waiting for TCP
+     data.
+
+   - The server should support multiple connections.
+
+   - The server should assume that the client will initiate
+     connection closing, and should delay closing its end of the
+     connection until all outstanding client requests have been
+     satisfied.
+
+   - If the server needs to close a dormant connection to reclaim
+     resources, it should wait until the connection has been idle
+     for a period on the order of two minutes.  In particular, the
+     server should allow the SOA and AXFR request sequence (which
+     begins a refresh operation) to be made on a single connection.
+     Since the server would be unable to answer queries anyway, a
+     unilateral close or reset may be used instead of a graceful
+     close.
+
+5. MASTER FILES
+
+Master files are text files that contain RRs in text form.  Since the
+contents of a zone can be expressed in the form of a list of RRs a
+master file is most often used to define a zone, though it can be used
+to list a cache's contents.  Hence, this section first discusses the
+format of RRs in a master file, and then the special considerations when
+a master file is used to create a zone in some name server.
+
+5.1. Format
+
+The format of these files is a sequence of entries.  Entries are
+predominantly line-oriented, though parentheses can be used to continue
+a list of items across a line boundary, and text literals can contain
+CRLF within the text.  Any combination of tabs and spaces act as a
+delimiter between the separate items that make up an entry.  The end of
+any line in the master file can end with a comment.  The comment starts
+with a ";" (semicolon).
+
+The following entries are defined:
+
+    <blank>[<comment>]
+
+
+
+
+Mockapetris                                                    [Page 33]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+    $ORIGIN <domain-name> [<comment>]
+
+    $INCLUDE <file-name> [<domain-name>] [<comment>]
+
+    <domain-name><rr> [<comment>]
+
+    <blank><rr> [<comment>]
+
+Blank lines, with or without comments, are allowed anywhere in the file.
+
+Two control entries are defined: $ORIGIN and $INCLUDE.  $ORIGIN is
+followed by a domain name, and resets the current origin for relative
+domain names to the stated name.  $INCLUDE inserts the named file into
+the current file, and may optionally specify a domain name that sets the
+relative domain name origin for the included file.  $INCLUDE may also
+have a comment.  Note that a $INCLUDE entry never changes the relative
+origin of the parent file, regardless of changes to the relative origin
+made within the included file.
+
+The last two forms represent RRs.  If an entry for an RR begins with a
+blank, then the RR is assumed to be owned by the last stated owner.  If
+an RR entry begins with a <domain-name>, then the owner name is reset.
+
+<rr> contents take one of the following forms:
+
+    [<TTL>] [<class>] <type> <RDATA>
+
+    [<class>] [<TTL>] <type> <RDATA>
+
+The RR begins with optional TTL and class fields, followed by a type and
+RDATA field appropriate to the type and class.  Class and type use the
+standard mnemonics, TTL is a decimal integer.  Omitted class and TTL
+values are default to the last explicitly stated values.  Since type and
+class mnemonics are disjoint, the parse is unique.  (Note that this
+order is different from the order used in examples and the order used in
+the actual RRs; the given order allows easier parsing and defaulting.)
+
+<domain-name>s make up a large share of the data in the master file.
+The labels in the domain name are expressed as character strings and
+separated by dots.  Quoting conventions allow arbitrary characters to be
+stored in domain names.  Domain names that end in a dot are called
+absolute, and are taken as complete.  Domain names which do not end in a
+dot are called relative; the actual domain name is the concatenation of
+the relative part with an origin specified in a $ORIGIN, $INCLUDE, or as
+an argument to the master file loading routine.  A relative name is an
+error when no origin is available.
+
+
+
+
+
+Mockapetris                                                    [Page 34]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+<character-string> is expressed in one or two ways: as a contiguous set
+of characters without interior spaces, or as a string beginning with a "
+and ending with a ".  Inside a " delimited string any character can
+occur, except for a " itself, which must be quoted using \ (back slash).
+
+Because these files are text files several special encodings are
+necessary to allow arbitrary data to be loaded.  In particular:
+
+                of the root.
+
+@               A free standing @ is used to denote the current origin.
+
+\X              where X is any character other than a digit (0-9), is
+                used to quote that character so that its special meaning
+                does not apply.  For example, "\." can be used to place
+                a dot character in a label.
+
+\DDD            where each D is a digit is the octet corresponding to
+                the decimal number described by DDD.  The resulting
+                octet is assumed to be text and is not checked for
+                special meaning.
+
+( )             Parentheses are used to group data that crosses a line
+                boundary.  In effect, line terminations are not
+                recognized within parentheses.
+
+;               Semicolon is used to start a comment; the remainder of
+                the line is ignored.
+
+5.2. Use of master files to define zones
+
+When a master file is used to load a zone, the operation should be
+suppressed if any errors are encountered in the master file.  The
+rationale for this is that a single error can have widespread
+consequences.  For example, suppose that the RRs defining a delegation
+have syntax errors; then the server will return authoritative name
+errors for all names in the subzone (except in the case where the
+subzone is also present on the server).
+
+Several other validity checks that should be performed in addition to
+insuring that the file is syntactically correct:
+
+   1. All RRs in the file should have the same class.
+
+   2. Exactly one SOA RR should be present at the top of the zone.
+
+   3. If delegations are present and glue information is required,
+      it should be present.
+
+
+
+Mockapetris                                                    [Page 35]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+   4. Information present outside of the authoritative nodes in the
+      zone should be glue information, rather than the result of an
+      origin or similar error.
+
+5.3. Master file example
+
+The following is an example file which might be used to define the
+ISI.EDU zone.and is loaded with an origin of ISI.EDU:
+
+@   IN  SOA     VENERA      Action\.domains (
+                                 20     ; SERIAL
+                                 7200   ; REFRESH
+                                 600    ; RETRY
+                                 3600000; EXPIRE
+                                 60)    ; MINIMUM
+
+        NS      A.ISI.EDU.
+        NS      VENERA
+        NS      VAXA
+        MX      10      VENERA
+        MX      20      VAXA
+
+A       A       26.3.0.103
+
+VENERA  A       10.1.0.52
+        A       128.9.0.32
+
+VAXA    A       10.2.0.27
+        A       128.9.0.33
+
+
+$INCLUDE <SUBSYS>ISI-MAILBOXES.TXT
+
+Where the file <SUBSYS>ISI-MAILBOXES.TXT is:
+
+    MOE     MB      A.ISI.EDU.
+    LARRY   MB      A.ISI.EDU.
+    CURLEY  MB      A.ISI.EDU.
+    STOOGES MG      MOE
+            MG      LARRY
+            MG      CURLEY
+
+Note the use of the \ character in the SOA RR to specify the responsible
+person mailbox "Action.domains@E.ISI.EDU".
+
+
+
+
+
+
+
+Mockapetris                                                    [Page 36]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+6. NAME SERVER IMPLEMENTATION
+
+6.1. Architecture
+
+The optimal structure for the name server will depend on the host
+operating system and whether the name server is integrated with resolver
+operations, either by supporting recursive service, or by sharing its
+database with a resolver.  This section discusses implementation
+considerations for a name server which shares a database with a
+resolver, but most of these concerns are present in any name server.
+
+6.1.1. Control
+
+A name server must employ multiple concurrent activities, whether they
+are implemented as separate tasks in the host's OS or multiplexing
+inside a single name server program.  It is simply not acceptable for a
+name server to block the service of UDP requests while it waits for TCP
+data for refreshing or query activities.  Similarly, a name server
+should not attempt to provide recursive service without processing such
+requests in parallel, though it may choose to serialize requests from a
+single client, or to regard identical requests from the same client as
+duplicates.  A name server should not substantially delay requests while
+it reloads a zone from master files or while it incorporates a newly
+refreshed zone into its database.
+
+6.1.2. Database
+
+While name server implementations are free to use any internal data
+structures they choose, the suggested structure consists of three major
+parts:
+
+   - A "catalog" data structure which lists the zones available to
+     this server, and a "pointer" to the zone data structure.  The
+     main purpose of this structure is to find the nearest ancestor
+     zone, if any, for arriving standard queries.
+
+   - Separate data structures for each of the zones held by the
+     name server.
+
+   - A data structure for cached data. (or perhaps separate caches
+     for different classes)
+
+All of these data structures can be implemented an identical tree
+structure format, with different data chained off the nodes in different
+parts: in the catalog the data is pointers to zones, while in the zone
+and cache data structures, the data will be RRs.  In designing the tree
+framework the designer should recognize that query processing will need
+to traverse the tree using case-insensitive label comparisons; and that
+
+
+
+Mockapetris                                                    [Page 37]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+in real data, a few nodes have a very high branching factor (100-1000 or
+more), but the vast majority have a very low branching factor (0-1).
+
+One way to solve the case problem is to store the labels for each node
+in two pieces: a standardized-case representation of the label where all
+ASCII characters are in a single case, together with a bit mask that
+denotes which characters are actually of a different case.  The
+branching factor diversity can be handled using a simple linked list for
+a node until the branching factor exceeds some threshold, and
+transitioning to a hash structure after the threshold is exceeded.  In
+any case, hash structures used to store tree sections must insure that
+hash functions and procedures preserve the casing conventions of the
+DNS.
+
+The use of separate structures for the different parts of the database
+is motivated by several factors:
+
+   - The catalog structure can be an almost static structure that
+     need change only when the system administrator changes the
+     zones supported by the server.  This structure can also be
+     used to store parameters used to control refreshing
+     activities.
+
+   - The individual data structures for zones allow a zone to be
+     replaced simply by changing a pointer in the catalog.  Zone
+     refresh operations can build a new structure and, when
+     complete, splice it into the database via a simple pointer
+     replacement.  It is very important that when a zone is
+     refreshed, queries should not use old and new data
+     simultaneously.
+
+   - With the proper search procedures, authoritative data in zones
+     will always "hide", and hence take precedence over, cached
+     data.
+
+   - Errors in zone definitions that cause overlapping zones, etc.,
+     may cause erroneous responses to queries, but problem
+     determination is simplified, and the contents of one "bad"
+     zone can't corrupt another.
+
+   - Since the cache is most frequently updated, it is most
+     vulnerable to corruption during system restarts.  It can also
+     become full of expired RR data.  In either case, it can easily
+     be discarded without disturbing zone data.
+
+A major aspect of database design is selecting a structure which allows
+the name server to deal with crashes of the name server's host.  State
+information which a name server should save across system crashes
+
+
+
+Mockapetris                                                    [Page 38]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+includes the catalog structure (including the state of refreshing for
+each zone) and the zone data itself.
+
+6.1.3. Time
+
+Both the TTL data for RRs and the timing data for refreshing activities
+depends on 32 bit timers in units of seconds.  Inside the database,
+refresh timers and TTLs for cached data conceptually "count down", while
+data in the zone stays with constant TTLs.
+
+A recommended implementation strategy is to store time in two ways:  as
+a relative increment and as an absolute time.  One way to do this is to
+use positive 32 bit numbers for one type and negative numbers for the
+other.  The RRs in zones use relative times; the refresh timers and
+cache data use absolute times.  Absolute numbers are taken with respect
+to some known origin and converted to relative values when placed in the
+response to a query.  When an absolute TTL is negative after conversion
+to relative, then the data is expired and should be ignored.
+
+6.2. Standard query processing
+
+The major algorithm for standard query processing is presented in
+[RFC-1034].
+
+When processing queries with QCLASS=*, or some other QCLASS which
+matches multiple classes, the response should never be authoritative
+unless the server can guarantee that the response covers all classes.
+
+When composing a response, RRs which are to be inserted in the
+additional section, but duplicate RRs in the answer or authority
+sections, may be omitted from the additional section.
+
+When a response is so long that truncation is required, the truncation
+should start at the end of the response and work forward in the
+datagram.  Thus if there is any data for the authority section, the
+answer section is guaranteed to be unique.
+
+The MINIMUM value in the SOA should be used to set a floor on the TTL of
+data distributed from a zone.  This floor function should be done when
+the data is copied into a response.  This will allow future dynamic
+update protocols to change the SOA MINIMUM field without ambiguous
+semantics.
+
+6.3. Zone refresh and reload processing
+
+In spite of a server's best efforts, it may be unable to load zone data
+from a master file due to syntax errors, etc., or be unable to refresh a
+zone within the its expiration parameter.  In this case, the name server
+
+
+
+Mockapetris                                                    [Page 39]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+should answer queries as if it were not supposed to possess the zone.
+
+If a master is sending a zone out via AXFR, and a new version is created
+during the transfer, the master should continue to send the old version
+if possible.  In any case, it should never send part of one version and
+part of another.  If completion is not possible, the master should reset
+the connection on which the zone transfer is taking place.
+
+6.4. Inverse queries (Optional)
+
+Inverse queries are an optional part of the DNS.  Name servers are not
+required to support any form of inverse queries.  If a name server
+receives an inverse query that it does not support, it returns an error
+response with the "Not Implemented" error set in the header.  While
+inverse query support is optional, all name servers must be at least
+able to return the error response.
+
+6.4.1. The contents of inverse queries and responses          Inverse
+queries reverse the mappings performed by standard query operations;
+while a standard query maps a domain name to a resource, an inverse
+query maps a resource to a domain name.  For example, a standard query
+might bind a domain name to a host address; the corresponding inverse
+query binds the host address to a domain name.
+
+Inverse queries take the form of a single RR in the answer section of
+the message, with an empty question section.  The owner name of the
+query RR and its TTL are not significant.  The response carries
+questions in the question section which identify all names possessing
+the query RR WHICH THE NAME SERVER KNOWS.  Since no name server knows
+about all of the domain name space, the response can never be assumed to
+be complete.  Thus inverse queries are primarily useful for database
+management and debugging activities.  Inverse queries are NOT an
+acceptable method of mapping host addresses to host names; use the IN-
+ADDR.ARPA domain instead.
+
+Where possible, name servers should provide case-insensitive comparisons
+for inverse queries.  Thus an inverse query asking for an MX RR of
+"Venera.isi.edu" should get the same response as a query for
+"VENERA.ISI.EDU"; an inverse query for HINFO RR "IBM-PC UNIX" should
+produce the same result as an inverse query for "IBM-pc unix".  However,
+this cannot be guaranteed because name servers may possess RRs that
+contain character strings but the name server does not know that the
+data is character.
+
+When a name server processes an inverse query, it either returns:
+
+   1. zero, one, or multiple domain names for the specified
+      resource as QNAMEs in the question section
+
+
+
+Mockapetris                                                    [Page 40]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+   2. an error code indicating that the name server doesn't support
+      inverse mapping of the specified resource type.
+
+When the response to an inverse query contains one or more QNAMEs, the
+owner name and TTL of the RR in the answer section which defines the
+inverse query is modified to exactly match an RR found at the first
+QNAME.
+
+RRs returned in the inverse queries cannot be cached using the same
+mechanism as is used for the replies to standard queries.  One reason
+for this is that a name might have multiple RRs of the same type, and
+only one would appear.  For example, an inverse query for a single
+address of a multiply homed host might create the impression that only
+one address existed.
+
+6.4.2. Inverse query and response example          The overall structure
+of an inverse query for retrieving the domain name that corresponds to
+Internet address 10.1.0.52 is shown below:
+
+                         +-----------------------------------------+
+           Header        |          OPCODE=IQUERY, ID=997          |
+                         +-----------------------------------------+
+          Question       |                 <empty>                 |
+                         +-----------------------------------------+
+           Answer        |        <anyname> A IN 10.1.0.52         |
+                         +-----------------------------------------+
+          Authority      |                 <empty>                 |
+                         +-----------------------------------------+
+         Additional      |                 <empty>                 |
+                         +-----------------------------------------+
+
+This query asks for a question whose answer is the Internet style
+address 10.1.0.52.  Since the owner name is not known, any domain name
+can be used as a placeholder (and is ignored).  A single octet of zero,
+signifying the root, is usually used because it minimizes the length of
+the message.  The TTL of the RR is not significant.  The response to
+this query might be:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Mockapetris                                                    [Page 41]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+                         +-----------------------------------------+
+           Header        |         OPCODE=RESPONSE, ID=997         |
+                         +-----------------------------------------+
+          Question       |QTYPE=A, QCLASS=IN, QNAME=VENERA.ISI.EDU |
+                         +-----------------------------------------+
+           Answer        |  VENERA.ISI.EDU  A IN 10.1.0.52         |
+                         +-----------------------------------------+
+          Authority      |                 <empty>                 |
+                         +-----------------------------------------+
+         Additional      |                 <empty>                 |
+                         +-----------------------------------------+
+
+Note that the QTYPE in a response to an inverse query is the same as the
+TYPE field in the answer section of the inverse query.  Responses to
+inverse queries may contain multiple questions when the inverse is not
+unique.  If the question section in the response is not empty, then the
+RR in the answer section is modified to correspond to be an exact copy
+of an RR at the first QNAME.
+
+6.4.3. Inverse query processing
+
+Name servers that support inverse queries can support these operations
+through exhaustive searches of their databases, but this becomes
+impractical as the size of the database increases.  An alternative
+approach is to invert the database according to the search key.
+
+For name servers that support multiple zones and a large amount of data,
+the recommended approach is separate inversions for each zone.  When a
+particular zone is changed during a refresh, only its inversions need to
+be redone.
+
+Support for transfer of this type of inversion may be included in future
+versions of the domain system, but is not supported in this version.
+
+6.5. Completion queries and responses
+
+The optional completion services described in RFC-882 and RFC-883 have
+been deleted.  Redesigned services may become available in the future.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Mockapetris                                                    [Page 42]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+7. RESOLVER IMPLEMENTATION
+
+The top levels of the recommended resolver algorithm are discussed in
+[RFC-1034].  This section discusses implementation details assuming the
+database structure suggested in the name server implementation section
+of this memo.
+
+7.1. Transforming a user request into a query
+
+The first step a resolver takes is to transform the client's request,
+stated in a format suitable to the local OS, into a search specification
+for RRs at a specific name which match a specific QTYPE and QCLASS.
+Where possible, the QTYPE and QCLASS should correspond to a single type
+and a single class, because this makes the use of cached data much
+simpler.  The reason for this is that the presence of data of one type
+in a cache doesn't confirm the existence or non-existence of data of
+other types, hence the only way to be sure is to consult an
+authoritative source.  If QCLASS=* is used, then authoritative answers
+won't be available.
+
+Since a resolver must be able to multiplex multiple requests if it is to
+perform its function efficiently, each pending request is usually
+represented in some block of state information.  This state block will
+typically contain:
+
+   - A timestamp indicating the time the request began.
+     The timestamp is used to decide whether RRs in the database
+     can be used or are out of date.  This timestamp uses the
+     absolute time format previously discussed for RR storage in
+     zones and caches.  Note that when an RRs TTL indicates a
+     relative time, the RR must be timely, since it is part of a
+     zone.  When the RR has an absolute time, it is part of a
+     cache, and the TTL of the RR is compared against the timestamp
+     for the start of the request.
+
+     Note that using the timestamp is superior to using a current
+     time, since it allows RRs with TTLs of zero to be entered in
+     the cache in the usual manner, but still used by the current
+     request, even after intervals of many seconds due to system
+     load, query retransmission timeouts, etc.
+
+   - Some sort of parameters to limit the amount of work which will
+     be performed for this request.
+
+     The amount of work which a resolver will do in response to a
+     client request must be limited to guard against errors in the
+     database, such as circular CNAME references, and operational
+     problems, such as network partition which prevents the
+
+
+
+Mockapetris                                                    [Page 43]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+     resolver from accessing the name servers it needs.  While
+     local limits on the number of times a resolver will retransmit
+     a particular query to a particular name server address are
+     essential, the resolver should have a global per-request
+     counter to limit work on a single request.  The counter should
+     be set to some initial value and decremented whenever the
+     resolver performs any action (retransmission timeout,
+     retransmission, etc.)  If the counter passes zero, the request
+     is terminated with a temporary error.
+
+     Note that if the resolver structure allows one request to
+     start others in parallel, such as when the need to access a
+     name server for one request causes a parallel resolve for the
+     name server's addresses, the spawned request should be started
+     with a lower counter.  This prevents circular references in
+     the database from starting a chain reaction of resolver
+     activity.
+
+   - The SLIST data structure discussed in [RFC-1034].
+
+     This structure keeps track of the state of a request if it
+     must wait for answers from foreign name servers.
+
+7.2. Sending the queries
+
+As described in [RFC-1034], the basic task of the resolver is to
+formulate a query which will answer the client's request and direct that
+query to name servers which can provide the information.  The resolver
+will usually only have very strong hints about which servers to ask, in
+the form of NS RRs, and may have to revise the query, in response to
+CNAMEs, or revise the set of name servers the resolver is asking, in
+response to delegation responses which point the resolver to name
+servers closer to the desired information.  In addition to the
+information requested by the client, the resolver may have to call upon
+its own services to determine the address of name servers it wishes to
+contact.
+
+In any case, the model used in this memo assumes that the resolver is
+multiplexing attention between multiple requests, some from the client,
+and some internally generated.  Each request is represented by some
+state information, and the desired behavior is that the resolver
+transmit queries to name servers in a way that maximizes the probability
+that the request is answered, minimizes the time that the request takes,
+and avoids excessive transmissions.  The key algorithm uses the state
+information of the request to select the next name server address to
+query, and also computes a timeout which will cause the next action
+should a response not arrive.  The next action will usually be a
+transmission to some other server, but may be a temporary error to the
+
+
+
+Mockapetris                                                    [Page 44]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+client.
+
+The resolver always starts with a list of server names to query (SLIST).
+This list will be all NS RRs which correspond to the nearest ancestor
+zone that the resolver knows about.  To avoid startup problems, the
+resolver should have a set of default servers which it will ask should
+it have no current NS RRs which are appropriate.  The resolver then adds
+to SLIST all of the known addresses for the name servers, and may start
+parallel requests to acquire the addresses of the servers when the
+resolver has the name, but no addresses, for the name servers.
+
+To complete initialization of SLIST, the resolver attaches whatever
+history information it has to the each address in SLIST.  This will
+usually consist of some sort of weighted averages for the response time
+of the address, and the batting average of the address (i.e., how often
+the address responded at all to the request).  Note that this
+information should be kept on a per address basis, rather than on a per
+name server basis, because the response time and batting average of a
+particular server may vary considerably from address to address.  Note
+also that this information is actually specific to a resolver address /
+server address pair, so a resolver with multiple addresses may wish to
+keep separate histories for each of its addresses.  Part of this step
+must deal with addresses which have no such history; in this case an
+expected round trip time of 5-10 seconds should be the worst case, with
+lower estimates for the same local network, etc.
+
+Note that whenever a delegation is followed, the resolver algorithm
+reinitializes SLIST.
+
+The information establishes a partial ranking of the available name
+server addresses.  Each time an address is chosen and the state should
+be altered to prevent its selection again until all other addresses have
+been tried.  The timeout for each transmission should be 50-100% greater
+than the average predicted value to allow for variance in response.
+
+Some fine points:
+
+   - The resolver may encounter a situation where no addresses are
+     available for any of the name servers named in SLIST, and
+     where the servers in the list are precisely those which would
+     normally be used to look up their own addresses.  This
+     situation typically occurs when the glue address RRs have a
+     smaller TTL than the NS RRs marking delegation, or when the
+     resolver caches the result of a NS search.  The resolver
+     should detect this condition and restart the search at the
+     next ancestor zone, or alternatively at the root.
+
+
+
+
+
+Mockapetris                                                    [Page 45]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+   - If a resolver gets a server error or other bizarre response
+     from a name server, it should remove it from SLIST, and may
+     wish to schedule an immediate transmission to the next
+     candidate server address.
+
+7.3. Processing responses
+
+The first step in processing arriving response datagrams is to parse the
+response.  This procedure should include:
+
+   - Check the header for reasonableness.  Discard datagrams which
+     are queries when responses are expected.
+
+   - Parse the sections of the message, and insure that all RRs are
+     correctly formatted.
+
+   - As an optional step, check the TTLs of arriving data looking
+     for RRs with excessively long TTLs.  If a RR has an
+     excessively long TTL, say greater than 1 week, either discard
+     the whole response, or limit all TTLs in the response to 1
+     week.
+
+The next step is to match the response to a current resolver request.
+The recommended strategy is to do a preliminary matching using the ID
+field in the domain header, and then to verify that the question section
+corresponds to the information currently desired.  This requires that
+the transmission algorithm devote several bits of the domain ID field to
+a request identifier of some sort.  This step has several fine points:
+
+   - Some name servers send their responses from different
+     addresses than the one used to receive the query.  That is, a
+     resolver cannot rely that a response will come from the same
+     address which it sent the corresponding query to.  This name
+     server bug is typically encountered in UNIX systems.
+
+   - If the resolver retransmits a particular request to a name
+     server it should be able to use a response from any of the
+     transmissions.  However, if it is using the response to sample
+     the round trip time to access the name server, it must be able
+     to determine which transmission matches the response (and keep
+     transmission times for each outgoing message), or only
+     calculate round trip times based on initial transmissions.
+
+   - A name server will occasionally not have a current copy of a
+     zone which it should have according to some NS RRs.  The
+     resolver should simply remove the name server from the current
+     SLIST, and continue.
+
+
+
+
+Mockapetris                                                    [Page 46]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+7.4. Using the cache
+
+In general, we expect a resolver to cache all data which it receives in
+responses since it may be useful in answering future client requests.
+However, there are several types of data which should not be cached:
+
+   - When several RRs of the same type are available for a
+     particular owner name, the resolver should either cache them
+     all or none at all.  When a response is truncated, and a
+     resolver doesn't know whether it has a complete set, it should
+     not cache a possibly partial set of RRs.
+
+   - Cached data should never be used in preference to
+     authoritative data, so if caching would cause this to happen
+     the data should not be cached.
+
+   - The results of an inverse query should not be cached.
+
+   - The results of standard queries where the QNAME contains "*"
+     labels if the data might be used to construct wildcards.  The
+     reason is that the cache does not necessarily contain existing
+     RRs or zone boundary information which is necessary to
+     restrict the application of the wildcard RRs.
+
+   - RR data in responses of dubious reliability.  When a resolver
+     receives unsolicited responses or RR data other than that
+     requested, it should discard it without caching it.  The basic
+     implication is that all sanity checks on a packet should be
+     performed before any of it is cached.
+
+In a similar vein, when a resolver has a set of RRs for some name in a
+response, and wants to cache the RRs, it should check its cache for
+already existing RRs.  Depending on the circumstances, either the data
+in the response or the cache is preferred, but the two should never be
+combined.  If the data in the response is from authoritative data in the
+answer section, it is always preferred.
+
+8. MAIL SUPPORT
+
+The domain system defines a standard for mapping mailboxes into domain
+names, and two methods for using the mailbox information to derive mail
+routing information.  The first method is called mail exchange binding
+and the other method is mailbox binding.  The mailbox encoding standard
+and mail exchange binding are part of the DNS official protocol, and are
+the recommended method for mail routing in the Internet.  Mailbox
+binding is an experimental feature which is still under development and
+subject to change.
+
+
+
+
+Mockapetris                                                    [Page 47]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+The mailbox encoding standard assumes a mailbox name of the form
+"<local-part>@<mail-domain>".  While the syntax allowed in each of these
+sections varies substantially between the various mail internets, the
+preferred syntax for the ARPA Internet is given in [RFC-822].
+
+The DNS encodes the <local-part> as a single label, and encodes the
+<mail-domain> as a domain name.  The single label from the <local-part>
+is prefaced to the domain name from <mail-domain> to form the domain
+name corresponding to the mailbox.  Thus the mailbox HOSTMASTER@SRI-
+NIC.ARPA is mapped into the domain name HOSTMASTER.SRI-NIC.ARPA.  If the
+<local-part> contains dots or other special characters, its
+representation in a master file will require the use of backslash
+quoting to ensure that the domain name is properly encoded.  For
+example, the mailbox Action.domains@ISI.EDU would be represented as
+Action\.domains.ISI.EDU.
+
+8.1. Mail exchange binding
+
+Mail exchange binding uses the <mail-domain> part of a mailbox
+specification to determine where mail should be sent.  The <local-part>
+is not even consulted.  [RFC-974] specifies this method in detail, and
+should be consulted before attempting to use mail exchange support.
+
+One of the advantages of this method is that it decouples mail
+destination naming from the hosts used to support mail service, at the
+cost of another layer of indirection in the lookup function.  However,
+the addition layer should eliminate the need for complicated "%", "!",
+etc encodings in <local-part>.
+
+The essence of the method is that the <mail-domain> is used as a domain
+name to locate type MX RRs which list hosts willing to accept mail for
+<mail-domain>, together with preference values which rank the hosts
+according to an order specified by the administrators for <mail-domain>.
+
+In this memo, the <mail-domain> ISI.EDU is used in examples, together
+with the hosts VENERA.ISI.EDU and VAXA.ISI.EDU as mail exchanges for
+ISI.EDU.  If a mailer had a message for Mockapetris@ISI.EDU, it would
+route it by looking up MX RRs for ISI.EDU.  The MX RRs at ISI.EDU name
+VENERA.ISI.EDU and VAXA.ISI.EDU, and type A queries can find the host
+addresses.
+
+8.2. Mailbox binding (Experimental)
+
+In mailbox binding, the mailer uses the entire mail destination
+specification to construct a domain name.  The encoded domain name for
+the mailbox is used as the QNAME field in a QTYPE=MAILB query.
+
+Several outcomes are possible for this query:
+
+
+
+Mockapetris                                                    [Page 48]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+   1. The query can return a name error indicating that the mailbox
+      does not exist as a domain name.
+
+      In the long term, this would indicate that the specified
+      mailbox doesn't exist.  However, until the use of mailbox
+      binding is universal, this error condition should be
+      interpreted to mean that the organization identified by the
+      global part does not support mailbox binding.  The
+      appropriate procedure is to revert to exchange binding at
+      this point.
+
+   2. The query can return a Mail Rename (MR) RR.
+
+      The MR RR carries new mailbox specification in its RDATA
+      field.  The mailer should replace the old mailbox with the
+      new one and retry the operation.
+
+   3. The query can return a MB RR.
+
+      The MB RR carries a domain name for a host in its RDATA
+      field.  The mailer should deliver the message to that host
+      via whatever protocol is applicable, e.g., b,SMTP.
+
+   4. The query can return one or more Mail Group (MG) RRs.
+
+      This condition means that the mailbox was actually a mailing
+      list or mail group, rather than a single mailbox.  Each MG RR
+      has a RDATA field that identifies a mailbox that is a member
+      of the group.  The mailer should deliver a copy of the
+      message to each member.
+
+   5. The query can return a MB RR as well as one or more MG RRs.
+
+      This condition means the the mailbox was actually a mailing
+      list.  The mailer can either deliver the message to the host
+      specified by the MB RR, which will in turn do the delivery to
+      all members, or the mailer can use the MG RRs to do the
+      expansion itself.
+
+In any of these cases, the response may include a Mail Information
+(MINFO) RR.  This RR is usually associated with a mail group, but is
+legal with a MB.  The MINFO RR identifies two mailboxes.  One of these
+identifies a responsible person for the original mailbox name.  This
+mailbox should be used for requests to be added to a mail group, etc.
+The second mailbox name in the MINFO RR identifies a mailbox that should
+receive error messages for mail failures.  This is particularly
+appropriate for mailing lists when errors in member names should be
+reported to a person other than the one who sends a message to the list.
+
+
+
+Mockapetris                                                    [Page 49]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+New fields may be added to this RR in the future.
+
+
+9. REFERENCES and BIBLIOGRAPHY
+
+[Dyer 87]       S. Dyer, F. Hsu, "Hesiod", Project Athena
+                Technical Plan - Name Service, April 1987, version 1.9.
+
+                Describes the fundamentals of the Hesiod name service.
+
+[IEN-116]       J. Postel, "Internet Name Server", IEN-116,
+                USC/Information Sciences Institute, August 1979.
+
+                A name service obsoleted by the Domain Name System, but
+                still in use.
+
+[Quarterman 86] J. Quarterman, and J. Hoskins, "Notable Computer Networks",
+                Communications of the ACM, October 1986, volume 29, number
+                10.
+
+[RFC-742]       K. Harrenstien, "NAME/FINGER", RFC-742, Network
+                Information Center, SRI International, December 1977.
+
+[RFC-768]       J. Postel, "User Datagram Protocol", RFC-768,
+                USC/Information Sciences Institute, August 1980.
+
+[RFC-793]       J. Postel, "Transmission Control Protocol", RFC-793,
+                USC/Information Sciences Institute, September 1981.
+
+[RFC-799]       D. Mills, "Internet Name Domains", RFC-799, COMSAT,
+                September 1981.
+
+                Suggests introduction of a hierarchy in place of a flat
+                name space for the Internet.
+
+[RFC-805]       J. Postel, "Computer Mail Meeting Notes", RFC-805,
+                USC/Information Sciences Institute, February 1982.
+
+[RFC-810]       E. Feinler, K. Harrenstien, Z. Su, and V. White, "DOD
+                Internet Host Table Specification", RFC-810, Network
+                Information Center, SRI International, March 1982.
+
+                Obsolete.  See RFC-952.
+
+[RFC-811]       K. Harrenstien, V. White, and E. Feinler, "Hostnames
+                Server", RFC-811, Network Information Center, SRI
+                International, March 1982.
+
+
+
+
+Mockapetris                                                    [Page 50]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+                Obsolete.  See RFC-953.
+
+[RFC-812]       K. Harrenstien, and V. White, "NICNAME/WHOIS", RFC-812,
+                Network Information Center, SRI International, March
+                1982.
+
+[RFC-819]       Z. Su, and J. Postel, "The Domain Naming Convention for
+                Internet User Applications", RFC-819, Network
+                Information Center, SRI International, August 1982.
+
+                Early thoughts on the design of the domain system.
+                Current implementation is completely different.
+
+[RFC-821]       J. Postel, "Simple Mail Transfer Protocol", RFC-821,
+                USC/Information Sciences Institute, August 1980.
+
+[RFC-830]       Z. Su, "A Distributed System for Internet Name Service",
+                RFC-830, Network Information Center, SRI International,
+                October 1982.
+
+                Early thoughts on the design of the domain system.
+                Current implementation is completely different.
+
+[RFC-882]       P. Mockapetris, "Domain names - Concepts and
+                Facilities," RFC-882, USC/Information Sciences
+                Institute, November 1983.
+
+                Superseded by this memo.
+
+[RFC-883]       P. Mockapetris, "Domain names - Implementation and
+                Specification," RFC-883, USC/Information Sciences
+                Institute, November 1983.
+
+                Superseded by this memo.
+
+[RFC-920]       J. Postel and J. Reynolds, "Domain Requirements",
+                RFC-920, USC/Information Sciences Institute,
+                October 1984.
+
+                Explains the naming scheme for top level domains.
+
+[RFC-952]       K. Harrenstien, M. Stahl, E. Feinler, "DoD Internet Host
+                Table Specification", RFC-952, SRI, October 1985.
+
+                Specifies the format of HOSTS.TXT, the host/address
+                table replaced by the DNS.
+
+
+
+
+
+Mockapetris                                                    [Page 51]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+[RFC-953]       K. Harrenstien, M. Stahl, E. Feinler, "HOSTNAME Server",
+                RFC-953, SRI, October 1985.
+
+                This RFC contains the official specification of the
+                hostname server protocol, which is obsoleted by the DNS.
+                This TCP based protocol accesses information stored in
+                the RFC-952 format, and is used to obtain copies of the
+                host table.
+
+[RFC-973]       P. Mockapetris, "Domain System Changes and
+                Observations", RFC-973, USC/Information Sciences
+                Institute, January 1986.
+
+                Describes changes to RFC-882 and RFC-883 and reasons for
+                them.
+
+[RFC-974]       C. Partridge, "Mail routing and the domain system",
+                RFC-974, CSNET CIC BBN Labs, January 1986.
+
+                Describes the transition from HOSTS.TXT based mail
+                addressing to the more powerful MX system used with the
+                domain system.
+
+[RFC-1001]      NetBIOS Working Group, "Protocol standard for a NetBIOS
+                service on a TCP/UDP transport: Concepts and Methods",
+                RFC-1001, March 1987.
+
+                This RFC and RFC-1002 are a preliminary design for
+                NETBIOS on top of TCP/IP which proposes to base NetBIOS
+                name service on top of the DNS.
+
+[RFC-1002]      NetBIOS Working Group, "Protocol standard for a NetBIOS
+                service on a TCP/UDP transport: Detailed
+                Specifications", RFC-1002, March 1987.
+
+[RFC-1010]      J. Reynolds, and J. Postel, "Assigned Numbers", RFC-1010,
+                USC/Information Sciences Institute, May 1987.
+
+                Contains socket numbers and mnemonics for host names,
+                operating systems, etc.
+
+[RFC-1031]      W. Lazear, "MILNET Name Domain Transition", RFC-1031,
+                November 1987.
+
+                Describes a plan for converting the MILNET to the DNS.
+
+[RFC-1032]      M. Stahl, "Establishing a Domain - Guidelines for
+                Administrators", RFC-1032, November 1987.
+
+
+
+Mockapetris                                                    [Page 52]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+                Describes the registration policies used by the NIC to
+                administer the top level domains and delegate subzones.
+
+[RFC-1033]      M. Lottor, "Domain Administrators Operations Guide",
+                RFC-1033, November 1987.
+
+                A cookbook for domain administrators.
+
+[Solomon 82]    M. Solomon, L. Landweber, and D. Neuhengen, "The CSNET
+                Name Server", Computer Networks, vol 6, nr 3, July 1982.
+
+                Describes a name service for CSNET which is independent
+                from the DNS and DNS use in the CSNET.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Mockapetris                                                    [Page 53]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+Index
+
+          *   13
+
+          ;   33, 35
+
+          <character-string>   35
+          <domain-name>   34
+
+          @   35
+
+          \   35
+
+          A   12
+
+          Byte order   8
+
+          CH   13
+          Character case   9
+          CLASS   11
+          CNAME   12
+          Completion   42
+          CS   13
+
+          Hesiod   13
+          HINFO   12
+          HS   13
+
+          IN   13
+          IN-ADDR.ARPA domain   22
+          Inverse queries   40
+
+          Mailbox names   47
+          MB   12
+          MD   12
+          MF   12
+          MG   12
+          MINFO   12
+          MINIMUM   20
+          MR   12
+          MX   12
+
+          NS   12
+          NULL   12
+
+          Port numbers   32
+          Primary server   5
+          PTR   12, 18
+
+
+
+Mockapetris                                                    [Page 54]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+          QCLASS   13
+          QTYPE   12
+
+          RDATA   12
+          RDLENGTH  11
+
+          Secondary server   5
+          SOA   12
+          Stub resolvers   7
+
+          TCP   32
+          TXT   12
+          TYPE   11
+
+          UDP   32
+
+          WKS   12
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Mockapetris                                                    [Page 55]
+
diff --git a/lib/dns/tests/testdata/dstrandom/random.data b/lib/dns/tests/testdata/dstrandom/random.data
new file mode 100644
index 0000000..354add0
--- /dev/null
+++ b/lib/dns/tests/testdata/dstrandom/random.data
diff --git a/lib/dns/tests/testdata/master/master1.data b/lib/dns/tests/testdata/master/master1.data
new file mode 100644
index 0000000..030bc68
--- /dev/null
+++ b/lib/dns/tests/testdata/master/master1.data
@@ -0,0 +1,11 @@
+$TTL 1000
+@		in	soa	localhost. postmaster.localhost. (
+				1993050801	;serial
+				3600		;refresh
+				1800		;retry
+				604800		;expiration
+				3600 )		;minimum
+		in	ns	ns.vix.com.
+		in	ns	ns2.vix.com.
+		in	ns	ns3.vix.com.
+b		in	a	1.2.3.4
diff --git a/lib/dns/tests/testdata/master/master10.data b/lib/dns/tests/testdata/master/master10.data
new file mode 100644
index 0000000..9ee052f
--- /dev/null
+++ b/lib/dns/tests/testdata/master/master10.data
@@ -0,0 +1,7 @@
+;
+;	the following black line contains spaces
+
+;
+@	300	IN	A	10.0.0.1
+	;
+;
diff --git a/lib/dns/tests/testdata/master/master11.data b/lib/dns/tests/testdata/master/master11.data
new file mode 100644
index 0000000..0aaec25
--- /dev/null
+++ b/lib/dns/tests/testdata/master/master11.data
@@ -0,0 +1,6 @@
+;
+;	The following serial number contains a leading 0 and a 9 so the
+;	we can catch cases where it is incorrectly treated as a octal
+;	number.
+;
+@	300	IN	SOA ns hostmaster 00090000 1200 3600 604800 300
diff --git a/lib/dns/tests/testdata/master/master12.data.in b/lib/dns/tests/testdata/master/master12.data.in
new file mode 100644
index 0000000..3634388
--- /dev/null
+++ b/lib/dns/tests/testdata/master/master12.data.in
@@ -0,0 +1 @@
+00000002000000004ed7306600000051000100060000000003e80000000100060474657374000035096c6f63616c686f7374000a706f73746d6173746572096c6f63616c686f73740076cb8ab100000e100000070800093a8000000e1000000046000100020000000003e8000000030006047465737400000c026e730376697803636f6d00000d036e73320376697803636f6d00000d036e73330376697803636f6d0000000022000100010000000003e80000000100080162047465737400000401020304
diff --git a/lib/dns/tests/testdata/master/master13.data.in b/lib/dns/tests/testdata/master/master13.data.in
new file mode 100644
index 0000000..d1c262f
--- /dev/null
+++ b/lib/dns/tests/testdata/master/master13.data.in
@@ -0,0 +1 @@
+00000002000000014ed7337f00000000000000000000000000000051000100060000000003e80000000100060474657374000035096c6f63616c686f7374000a706f73746d6173746572096c6f63616c686f73740076cb8ab100000e100000070800093a8000000e1000000046000100020000000003e8000000030006047465737400000c026e730376697803636f6d00000d036e73320376697803636f6d00000d036e73330376697803636f6d0000000022000100010000000003e80000000100080162047465737400000401020304
diff --git a/lib/dns/tests/testdata/master/master14.data.in b/lib/dns/tests/testdata/master/master14.data.in
new file mode 100644
index 0000000..149a25f
--- /dev/null
+++ b/lib/dns/tests/testdata/master/master14.data.in
@@ -0,0 +1 @@
+00000002000000014ed7337f0000000277df41e50000000000000051000100060000000003e80000000100060474657374000035096c6f63616c686f7374000a706f73746d6173746572096c6f63616c686f73740076cb8ab100000e100000070800093a8000000e1000000046000100020000000003e8000000030006047465737400000c026e730376697803636f6d00000d036e73320376697803636f6d00000d036e73330376697803636f6d0000000022000100010000000003e80000000100080162047465737400000401020304
diff --git a/lib/dns/tests/testdata/master/master15.data b/lib/dns/tests/testdata/master/master15.data
new file mode 100644
index 0000000..cf413ce
--- /dev/null
+++ b/lib/dns/tests/testdata/master/master15.data
@@ -0,0 +1,1609 @@
+$TTL 1000
+@		in	soa	localhost. postmaster.localhost. (
+				1993050801	;serial
+				3600		;refresh
+				1800		;retry
+				604800		;expiration
+				3600 )		;minimum
+		in	ns	ns.vix.com.
+		in	ns	ns2.vix.com.
+		in	ns	ns3.vix.com.
+b		in	a	1.2.3.4
+c		in	txt	( TOOBIGTOOBIGTOOBIGTOOBIGTOOBIGTOOBI
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890 )
diff --git a/lib/dns/tests/testdata/master/master16.data b/lib/dns/tests/testdata/master/master16.data
new file mode 100644
index 0000000..e969bd3
--- /dev/null
+++ b/lib/dns/tests/testdata/master/master16.data
@@ -0,0 +1,1609 @@
+$TTL 1000
+@		in	soa	localhost. postmaster.localhost. (
+				1993050801	;serial
+				3600		;refresh
+				1800		;retry
+				604800		;expiration
+				3600 )		;minimum
+		in	ns	ns.vix.com.
+		in	ns	ns2.vix.com.
+		in	ns	ns3.vix.com.
+b		in	a	1.2.3.4
+c		in	txt	( MAXSIZSEMAXSIZSEMAXSIZSEMAXSIZSMAX
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890 )
diff --git a/lib/dns/tests/testdata/master/master17.data b/lib/dns/tests/testdata/master/master17.data
new file mode 100644
index 0000000..4b2b63d
--- /dev/null
+++ b/lib/dns/tests/testdata/master/master17.data
@@ -0,0 +1,14 @@
+$ORIGIN test.
+$TTL 1000
+@		in	soa	localhost. postmaster.localhost. (
+				1993050801	;serial
+				3600		;refresh
+				1800		;retry
+				604800		;expiration
+				3600 )		;minimum
+		in	ns	ns.test.
+		in	ns	ns2.test.
+		in	ns	ns3.test.
+b		in	a	1.2.3.4
+$ORIGIN sub.test.
+		in	a	4.3.2.1
diff --git a/lib/dns/tests/testdata/master/master18.data b/lib/dns/tests/testdata/master/master18.data
new file mode 100644
index 0000000..dddf04e
--- /dev/null
+++ b/lib/dns/tests/testdata/master/master18.data
@@ -0,0 +1,10 @@
+$TTL 1000
+@		in	soa	localhost. postmaster.localhost. (
+				1993050801	;serial
+				3600		;refresh
+				1800		;retry
+				604800		;expiration
+				3600 )		;minimum
+
+$INCLUDE "testkeys/Kexample.+008+20386.key";
+$INCLUDE "testkeys/Kexample.+008+37464.key";
diff --git a/lib/dns/tests/testdata/master/master2.data b/lib/dns/tests/testdata/master/master2.data
new file mode 100644
index 0000000..b8ca38d
--- /dev/null
+++ b/lib/dns/tests/testdata/master/master2.data
@@ -0,0 +1,11 @@
+$TTL 1000
+@		in	soa	localhost. postmaster.localhost. (
+				1993050801	;serial
+				3600		;refresh
+				1800		;retry
+				604800		;expiration
+				3600 )		;minimum
+a		in	ns
+a		in	ns	ns2vix.com.
+a		in	ns	ns3vix.com.
+b		in	a	1.2.3.4
diff --git a/lib/dns/tests/testdata/master/master3.data b/lib/dns/tests/testdata/master/master3.data
new file mode 100644
index 0000000..7283af6
--- /dev/null
+++ b/lib/dns/tests/testdata/master/master3.data
@@ -0,0 +1,11 @@
+$TTL 1000
+		in	soa	localhost. postmaster.localhost. (
+				1993050801	;serial
+				3600		;refresh
+				1800		;retry
+				604800		;expiration
+				3600 )		;minimum
+		in	ns	ns.vix.com
+		in	ns	ns2vix.com.
+a		in	ns	ns3vix.com.
+b		in	a	1.2.3.4
diff --git a/lib/dns/tests/testdata/master/master4.data b/lib/dns/tests/testdata/master/master4.data
new file mode 100644
index 0000000..3a694ea
--- /dev/null
+++ b/lib/dns/tests/testdata/master/master4.data
@@ -0,0 +1,11 @@
+
+@		in	soa	localhost. postmaster.localhost. (
+				1993050801	;serial
+				3600		;refresh
+				1800		;retry
+				604800		;expiration
+				3600 )		;minimum
+a		in	ns	ns.vix.com.
+a		in	ns	ns2vix.com.
+a		in	ns	ns3vix.com.
+b		in	a	1.2.3.4
diff --git a/lib/dns/tests/testdata/master/master5.data b/lib/dns/tests/testdata/master/master5.data
new file mode 100644
index 0000000..95234bd
--- /dev/null
+++ b/lib/dns/tests/testdata/master/master5.data
@@ -0,0 +1,11 @@
+$TTL 1000
+@		in	soa	localhost. postmaster.localhost. (
+				1993050801	;serial
+				3600		;refresh
+				1800		;retry
+				604800		;expiration
+				3600 )		;minimum
+a		any	ns	ns.vix.com.
+a		in	ns	ns2vix.com.
+a		in	ns	ns3vix.com.
+b		in	a	1.2.3.4
diff --git a/lib/dns/tests/testdata/master/master6.data b/lib/dns/tests/testdata/master/master6.data
new file mode 100644
index 0000000..a9a37bb
--- /dev/null
+++ b/lib/dns/tests/testdata/master/master6.data
@@ -0,0 +1,33 @@
+
+$TTL 1000
+@		in	soa	localhost. postmaster.localhost. (
+				1993050801	;serial
+				3600		;refresh
+				1800		;retry
+				604800		;expiration
+				3600 )		;minimum
+
+secure1	3600 IN	 DNSKEY (
+		FLAG2|FLAG4|FLAG5|NTYP3|FLAG8|FLAG9|FLAG10|FLAG11|SIG15
+		3 3
+		ArT0a8FtOZWEONG2YQVl9+RA34op30JPz4NPEroCxm2yImT2
+		2OYggnPIzrgayyepgKU1PfTTypnJDTwrSrtISyEsj7tjM7/n
+		03DP8VWSn0aLwpUuc7Sx9vtM1Wi+YeiA4Bv2Oz1VB9de4qql
+		sIq+KLn8J4wz95bGnJ0mHUB7oTDJ3Hl1zeaCMdX69Kr46yAY
+		AvGJJdGGDYxYgxzx2zNdzypkYSkxpdsNqUt38tabSfdvCn12
+		pnmSWjlVJsjHhsaYnrPhouN5acOXMNbxNVbGU5LZ8Es6EYbV
+		/7YMt8VUkA8/8UCszBBT7XAJ3OFjiMO8mvxrZZFzvwJlPBQ1
+		oFq/TNZlSe+N )
+
+secure2	3600 in	 DNSKEY (
+		flag2|flag4|flag5|ntyp3|flag8|flag9|flag10|flag11|sig15
+		3 3
+		ArT0a8FtOZWEONG2YQVl9+RA34op30JPz4NPEroCxm2yImT2
+		2OYggnPIzrgayyepgKU1PfTTypnJDTwrSrtISyEsj7tjM7/n
+		03DP8VWSn0aLwpUuc7Sx9vtM1Wi+YeiA4Bv2Oz1VB9de4qql
+		sIq+KLn8J4wz95bGnJ0mHUB7oTDJ3Hl1zeaCMdX69Kr46yAY
+		AvGJJdGGDYxYgxzx2zNdzypkYSkxpdsNqUt38tabSfdvCn12
+		pnmSWjlVJsjHhsaYnrPhouN5acOXMNbxNVbGU5LZ8Es6EYbV
+		/7YMt8VUkA8/8UCszBBT7XAJ3OFjiMO8mvxrZZFzvwJlPBQ1
+		oFq/TNZlSe+N )
+
diff --git a/lib/dns/tests/testdata/master/master7.data b/lib/dns/tests/testdata/master/master7.data
new file mode 100644
index 0000000..2638b5d
--- /dev/null
+++ b/lib/dns/tests/testdata/master/master7.data
@@ -0,0 +1,17 @@
+
+$TTL 1000
+@		in	soa	localhost. postmaster.localhost. (
+				1993050801	;serial
+				3600		;refresh
+				1800		;retry
+				604800		;expiration
+				3600 )		;minimum
+
+secure1	3600 IN	 DNSKEY (
+		NOKEY|FLAG2|FLAG4|FLAG5|NTYP3|FLAG8|FLAG9|FLAG10|FLAG11|SIG15
+		3 3 )
+
+secure2	3600 in	 DNSKEY (
+		nokey|flag2|flag4|flag5|ntyp3|flag8|flag9|flag10|flag11|sig15
+		3 3 )
+
diff --git a/lib/dns/tests/testdata/master/master8.data b/lib/dns/tests/testdata/master/master8.data
new file mode 100644
index 0000000..d16b6f3
--- /dev/null
+++ b/lib/dns/tests/testdata/master/master8.data
@@ -0,0 +1,4 @@
+;
+; master6.data contains a good zone file
+;
+$include testdata/master/master6.data
diff --git a/lib/dns/tests/testdata/master/master9.data b/lib/dns/tests/testdata/master/master9.data
new file mode 100644
index 0000000..b22688b
--- /dev/null
+++ b/lib/dns/tests/testdata/master/master9.data
@@ -0,0 +1,4 @@
+;
+;	master5.data is bad
+;
+$include testdata/master/master5.data
diff --git a/lib/dns/tests/testdata/nsec3/1024.db b/lib/dns/tests/testdata/nsec3/1024.db
new file mode 100644
index 0000000..2576328
--- /dev/null
+++ b/lib/dns/tests/testdata/nsec3/1024.db
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 0
+test. SOA . . 0 0 0 0 0
+test. NS .
+; 1024 bit key.
+test. IN DNSKEY 256 3 5 AwEAAd5oKx06HRE6NRrTDz49lljdRmxgp/4YB/cyMkpwUMkaLhDNCfTq hql84ab2LRbtUWLHFXGWENvxPGQzVHeleXu+3ThNfFOwIaySedxHmLGT lTtBRDhPc8iSb+2IYDemmA+ut8kwHhCVz/tDMbD/dgAswdOtmXCpQyJk Q1HqY3Xj
diff --git a/lib/dns/tests/testdata/nsec3/2048.db b/lib/dns/tests/testdata/nsec3/2048.db
new file mode 100644
index 0000000..26dd980
--- /dev/null
+++ b/lib/dns/tests/testdata/nsec3/2048.db
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 0
+test. SOA . . 0 0 0 0 0
+test. NS .
+; 2048 bits
+test. IN DNSKEY 256 3 5 AwEAAcfQX59iZr9gK+XzhTZQ5KWrfCLA0iYHTqheEIhC2dXS8gUSppQS g9SmzH2129u/LSSb7gqJSoLLAsn36iinqCqUXl2BT6xzwznbSP3mn0hn N6DegsykcYhHycKH6ifjZiMN+SGGeNsi5rhoW5Cj9ptw3C3yQnrFNDbS GZCT97z5lpQU3ZcvP4RDNk7dhri7Bh3SJeaCFoqx00NgFvlBR48hosSG bGUbUKzNf58GBTkW4Us2jIWsreZx8LLLev232Hy7NU9L19k+hVq7pJOf Uvtrn5fmGSutWOzsR+8EacOnh0lwssCKjutk5MSmfdFC5P7CTZkdq58L 8he13HGmr00=
diff --git a/lib/dns/tests/testdata/nsec3/4096.db b/lib/dns/tests/testdata/nsec3/4096.db
new file mode 100644
index 0000000..d628c33
--- /dev/null
+++ b/lib/dns/tests/testdata/nsec3/4096.db
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 0
+test. SOA . . 0 0 0 0 0
+test. NS .
+; 4096 bits
+test. IN DNSKEY 256 3 5 AwEAAbYlqbKxXoq9mzkqdsAaSZ3XywBVAb2sCTgrQBCExyGEYNpWw3LN +imCrLQi7jHKQW6GZIqKNgQaiFEwr3zK8nPWbwNwyKU9a2hhINv/gim1 5iA87Vu7DiiJrQ0O79ospvsGsKknBQ41zaaQMp3Q/W1S6WNe4uyh4C/f R0qmxT+8MyXEqCpTGb+e+YT6BuqpNQPuYYYvUJ1/HJltzY/lY2b9RZ+Q ZJ23Zje79YIRM0kJapqj11fDUDeynhDL1DUikYCwRfQiO/blChhOHjIa uTK1qqRY3fqanLGOufpLTr7GRpL7RxeRIMJfDzmcjFLmCsMA1AJ56Bxq jiXr3ODgn9D30vAB74Lr7lqLQSWyrSlJjoZLLhmPrEP/nnuCxEhOhDRA XJpJWpcQ4Hdu+yb5K/qldnsGLLI1Hr0GmhLTDHsxDb6BxM7/8rv8QeQY GKSGshBqD2lO1xUVT8inbi8uXI1iyN68vHX6xoFT5wsjls70PxSZPO5i F40vn6BWNsHtKWOCDqMKYx8hYwiv0zETVwxBaj58vylFwYGU+g1wIQmF Pgi2HKv4KaxgikUvdFISre5rxVoG5VrmmXWiNJcLTbwZ+tE1xujCNU1c V31CaIB5hdSnkEvQADr5V64RTxWAKuSLNMU+XUqTkaJHasSm3OPJOteo SPj2uoesuxNFYps3
diff --git a/lib/dns/tests/testdata/nsec3/min-1024.db b/lib/dns/tests/testdata/nsec3/min-1024.db
new file mode 100644
index 0000000..360c282
--- /dev/null
+++ b/lib/dns/tests/testdata/nsec3/min-1024.db
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 0
+test. SOA . . 0 0 0 0 0
+test. NS .
+; 1024 bit key.
+test. IN DNSKEY 256 3 5 AwEAAd5oKx06HRE6NRrTDz49lljdRmxgp/4YB/cyMkpwUMkaLhDNCfTq hql84ab2LRbtUWLHFXGWENvxPGQzVHeleXu+3ThNfFOwIaySedxHmLGT lTtBRDhPc8iSb+2IYDemmA+ut8kwHhCVz/tDMbD/dgAswdOtmXCpQyJk Q1HqY3Xj
+; 2048 bits
+test. IN DNSKEY 256 3 5 AwEAAcfQX59iZr9gK+XzhTZQ5KWrfCLA0iYHTqheEIhC2dXS8gUSppQS g9SmzH2129u/LSSb7gqJSoLLAsn36iinqCqUXl2BT6xzwznbSP3mn0hn N6DegsykcYhHycKH6ifjZiMN+SGGeNsi5rhoW5Cj9ptw3C3yQnrFNDbS GZCT97z5lpQU3ZcvP4RDNk7dhri7Bh3SJeaCFoqx00NgFvlBR48hosSG bGUbUKzNf58GBTkW4Us2jIWsreZx8LLLev232Hy7NU9L19k+hVq7pJOf Uvtrn5fmGSutWOzsR+8EacOnh0lwssCKjutk5MSmfdFC5P7CTZkdq58L 8he13HGmr00=
+; 4096 bits
+test. IN DNSKEY 256 3 5 AwEAAbYlqbKxXoq9mzkqdsAaSZ3XywBVAb2sCTgrQBCExyGEYNpWw3LN +imCrLQi7jHKQW6GZIqKNgQaiFEwr3zK8nPWbwNwyKU9a2hhINv/gim1 5iA87Vu7DiiJrQ0O79ospvsGsKknBQ41zaaQMp3Q/W1S6WNe4uyh4C/f R0qmxT+8MyXEqCpTGb+e+YT6BuqpNQPuYYYvUJ1/HJltzY/lY2b9RZ+Q ZJ23Zje79YIRM0kJapqj11fDUDeynhDL1DUikYCwRfQiO/blChhOHjIa uTK1qqRY3fqanLGOufpLTr7GRpL7RxeRIMJfDzmcjFLmCsMA1AJ56Bxq jiXr3ODgn9D30vAB74Lr7lqLQSWyrSlJjoZLLhmPrEP/nnuCxEhOhDRA XJpJWpcQ4Hdu+yb5K/qldnsGLLI1Hr0GmhLTDHsxDb6BxM7/8rv8QeQY GKSGshBqD2lO1xUVT8inbi8uXI1iyN68vHX6xoFT5wsjls70PxSZPO5i F40vn6BWNsHtKWOCDqMKYx8hYwiv0zETVwxBaj58vylFwYGU+g1wIQmF Pgi2HKv4KaxgikUvdFISre5rxVoG5VrmmXWiNJcLTbwZ+tE1xujCNU1c V31CaIB5hdSnkEvQADr5V64RTxWAKuSLNMU+XUqTkaJHasSm3OPJOteo SPj2uoesuxNFYps3
diff --git a/lib/dns/tests/testdata/nsec3/min-2048.db b/lib/dns/tests/testdata/nsec3/min-2048.db
new file mode 100644
index 0000000..606264e
--- /dev/null
+++ b/lib/dns/tests/testdata/nsec3/min-2048.db
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 0
+test. SOA . . 0 0 0 0 0
+test. NS .
+; 2048 bits
+test. IN DNSKEY 256 3 5 AwEAAcfQX59iZr9gK+XzhTZQ5KWrfCLA0iYHTqheEIhC2dXS8gUSppQS g9SmzH2129u/LSSb7gqJSoLLAsn36iinqCqUXl2BT6xzwznbSP3mn0hn N6DegsykcYhHycKH6ifjZiMN+SGGeNsi5rhoW5Cj9ptw3C3yQnrFNDbS GZCT97z5lpQU3ZcvP4RDNk7dhri7Bh3SJeaCFoqx00NgFvlBR48hosSG bGUbUKzNf58GBTkW4Us2jIWsreZx8LLLev232Hy7NU9L19k+hVq7pJOf Uvtrn5fmGSutWOzsR+8EacOnh0lwssCKjutk5MSmfdFC5P7CTZkdq58L 8he13HGmr00=
+; 4096 bits
+test. IN DNSKEY 256 3 5 AwEAAbYlqbKxXoq9mzkqdsAaSZ3XywBVAb2sCTgrQBCExyGEYNpWw3LN +imCrLQi7jHKQW6GZIqKNgQaiFEwr3zK8nPWbwNwyKU9a2hhINv/gim1 5iA87Vu7DiiJrQ0O79ospvsGsKknBQ41zaaQMp3Q/W1S6WNe4uyh4C/f R0qmxT+8MyXEqCpTGb+e+YT6BuqpNQPuYYYvUJ1/HJltzY/lY2b9RZ+Q ZJ23Zje79YIRM0kJapqj11fDUDeynhDL1DUikYCwRfQiO/blChhOHjIa uTK1qqRY3fqanLGOufpLTr7GRpL7RxeRIMJfDzmcjFLmCsMA1AJ56Bxq jiXr3ODgn9D30vAB74Lr7lqLQSWyrSlJjoZLLhmPrEP/nnuCxEhOhDRA XJpJWpcQ4Hdu+yb5K/qldnsGLLI1Hr0GmhLTDHsxDb6BxM7/8rv8QeQY GKSGshBqD2lO1xUVT8inbi8uXI1iyN68vHX6xoFT5wsjls70PxSZPO5i F40vn6BWNsHtKWOCDqMKYx8hYwiv0zETVwxBaj58vylFwYGU+g1wIQmF Pgi2HKv4KaxgikUvdFISre5rxVoG5VrmmXWiNJcLTbwZ+tE1xujCNU1c V31CaIB5hdSnkEvQADr5V64RTxWAKuSLNMU+XUqTkaJHasSm3OPJOteo SPj2uoesuxNFYps3
diff --git a/lib/dns/tests/testdata/nsec3param/nsec3.db.signed b/lib/dns/tests/testdata/nsec3param/nsec3.db.signed
new file mode 100644
index 0000000..aeced0e
--- /dev/null
+++ b/lib/dns/tests/testdata/nsec3param/nsec3.db.signed
@@ -0,0 +1,73 @@
+; File written on Mon Nov 16 16:04:21 2020
+; dnssec_signzone version 9.16.8
+nsec3.			1000	IN SOA	nsec3. postmaster.nsec3. (
+					1993050801 ; serial
+					3600       ; refresh (1 hour)
+					1800       ; retry (30 minutes)
+					604800     ; expire (1 week)
+					3600       ; minimum (1 hour)
+					)
+			1000	RRSIG	SOA 13 1 1000 (
+					20201216140421 20201116140421 40382 nsec3.
+					qh61ZPgQaNLAoIQvAoTLbR3sLBY7XATaMGSS
+					fYOssQWvgAzpAzhalmF/cSXmQ/RZQOyIdpVg
+					v3rgyTxA2vGNnA== )
+			1000	NS	ns1.nsec3.
+			1000	NS	ns2.nsec3.
+			1000	RRSIG	NS 13 1 1000 (
+					20201216140421 20201116140421 40382 nsec3.
+					4Le+e5Lu/taEvrvrmBn/z+QP4zhzUqwO6v70
+					WYrzCggUls8+fUd2unBHDPWag1oSKfNpGGWA
+					crihrs4RhMPfZA== )
+			1000	DNSKEY	257 3 13 (
+					VKkttSi/v3lAyzUYnykwdwowXfDOQ7wdN9BT
+					+eb8fVfgRApvuun9hjUBlv7ogriU/GAb60B8
+					juj9bXZADT+OGg==
+					) ; KSK; alg = ECDSAP256SHA256 ; key id = 40382
+			1000	RRSIG	DNSKEY 13 1 1000 (
+					20201216140421 20201116140421 40382 nsec3.
+					ZnBqGgWvHwjjQBSIRPXe2fx6+MsQp1QQdzJ0
+					QaEyaOmud5JPatUXaV9eFRcPNCsi+2HZSZVp
+					vsAGUCge7w6u9A== )
+			0	NSEC3PARAM 1 0 5 FEDCBA98
+			0	RRSIG	NSEC3PARAM 13 1 0 (
+					20201216140421 20201116140421 40382 nsec3.
+					WPTD+5vr54YtvGqCUJHPvGdF7Wd4piZYltcs
+					cztBRfdM7FRJ/zvrDS72rt6zm0TYSXzawqt/
+					MiwOkYKv2vxfUg== )
+ns2.nsec3.		1000	IN A	1.2.3.5
+			1000	RRSIG	A 13 2 1000 (
+					20201216140421 20201116140421 40382 nsec3.
+					l9Mc2Y5JFmllSxJj3GUdH6RtEsYfhjJU39sa
+					vAVa4zxv6S9vU+vLvTA05aQ+DPLvKTX+WNH7
+					dDa+Yy5ffBs68g== )
+QVCH33BSJ0Q2C74FEDFDBCFQHO255NEB.nsec3.	3600 IN	NSEC3 1 0 5 FEDCBA98 (
+					STH5N5QDVC5DGEN5VGUC7JGALSM3R8AP
+					A RRSIG )
+			3600	RRSIG	NSEC3 13 2 3600 (
+					20201216140421 20201116140421 40382 nsec3.
+					F/wKQtv+RlBHG1WCz0CkHlTSoUiRx0z+qBI1
+					GTHoXSjgG1NSHqTI4C32AasZSMp+uuF2R8KW
+					9z4gOLucl0Xmfg== )
+STH5N5QDVC5DGEN5VGUC7JGALSM3R8AP.nsec3.	3600 IN	NSEC3 1 0 5 FEDCBA98 (
+					A084TNR6VJ2ND5K1U0AI4HO4EPVKBG4U
+					NS SOA RRSIG DNSKEY NSEC3PARAM )
+			3600	RRSIG	NSEC3 13 2 3600 (
+					20201216140421 20201116140421 40382 nsec3.
+					9TgGFGY3vwkxMFlXy3oKMgHPqvcPozKDHZzc
+					Ny6eJn3TXNX5bLhiT5rw5+CCtyOEQmn3pf0X
+					njK7jZBAcBV+5Q== )
+A084TNR6VJ2ND5K1U0AI4HO4EPVKBG4U.nsec3.	3600 IN	NSEC3 1 0 5 FEDCBA98 (
+					QVCH33BSJ0Q2C74FEDFDBCFQHO255NEB
+					A RRSIG )
+			3600	RRSIG	NSEC3 13 2 3600 (
+					20201216140421 20201116140421 40382 nsec3.
+					auf+5lrkMESIfdFK8bf4yg1a+NLGWzgUmohS
+					ydcKaJz0XcnULegatWdfE75jmZoDeqKNpwdL
+					5lQ77GF4cEh1OQ== )
+ns1.nsec3.		1000	IN A	1.2.3.4
+			1000	RRSIG	A 13 2 1000 (
+					20201216140421 20201116140421 40382 nsec3.
+					yAmr1EE8qe+Jl+wQXOdj/uSjMFUmns0D1lx6
+					zAVe9BaQwvF3wR7ZUk/u9G0RrUBchmEj0+yq
+					KEsw32Tru4Romg== )
diff --git a/lib/dns/tests/testdata/zt/zone1.db b/lib/dns/tests/testdata/zt/zone1.db
new file mode 100644
index 0000000..85e7951
--- /dev/null
+++ b/lib/dns/tests/testdata/zt/zone1.db
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 1000
+@		in	soa	localhost. postmaster.localhost. (
+				1993050801	;serial
+				3600		;refresh
+				1800		;retry
+				604800		;expiration
+				3600 )		;minimum
+		in	ns	ns.vix.com.
+		in	ns	ns2.vix.com.
+		in	ns	ns3.vix.com.
+a		in	a	1.2.3.4
diff --git a/lib/dns/tests/testkeys/Kexample.+008+20386.key b/lib/dns/tests/testkeys/Kexample.+008+20386.key
new file mode 100644
index 0000000..3404dca
--- /dev/null
+++ b/lib/dns/tests/testkeys/Kexample.+008+20386.key
@@ -0,0 +1,5 @@
+; This is a key-signing key, keyid 20386, for example.
+; Created: 20000101000000 (Sat Jan  1 00:00:00 2000)
+; Publish: 20000101000000 (Sat Jan  1 00:00:00 2000)
+; Activate: 20000101000000 (Sat Jan  1 00:00:00 2000)
+example. IN DNSKEY 257 3 8 AwEAAZd7/hBRvMooz0sepkD/2r3Bp021f8lGzDj6sZEVbg1hcqZTzURc eGkS541wyOqjvJv2KBi5qLLE2HthmexmOBycjTQ7EiKd1P9bE8RgF8Et j73X/CHLiX6YL7cb93TXWiUvbRh4E6D2URgOmxMdMOXTuCvjvDaGVCOt Jc77UUosuBeurZzP8g8t/zccAUTzu2cdRyI5/ZxOBfJaDtc9TlRdWsaN Af+nT0C14ccH7QVlKjjaYV4lXueruDW3yTTzu9bQ1ikgegsCLi/tcD/1 dWTOI9whV06szs+ouhuJkZuhIjrGDtOHCpjPjIxOOrIZceU1YSY30kAR QNVzshJqyx8=
diff --git a/lib/dns/tests/testkeys/Kexample.+008+20386.private b/lib/dns/tests/testkeys/Kexample.+008+20386.private
new file mode 100644
index 0000000..d8cff93
--- /dev/null
+++ b/lib/dns/tests/testkeys/Kexample.+008+20386.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: l3v+EFG8yijPSx6mQP/avcGnTbV/yUbMOPqxkRVuDWFyplPNRFx4aRLnjXDI6qO8m/YoGLmossTYe2GZ7GY4HJyNNDsSIp3U/1sTxGAXwS2Pvdf8IcuJfpgvtxv3dNdaJS9tGHgToPZRGA6bEx0w5dO4K+O8NoZUI60lzvtRSiy4F66tnM/yDy3/NxwBRPO7Zx1HIjn9nE4F8loO1z1OVF1axo0B/6dPQLXhxwftBWUqONphXiVe56u4NbfJNPO71tDWKSB6CwIuL+1wP/V1ZM4j3CFXTqzOz6i6G4mRm6EiOsYO04cKmM+MjE46shlx5TVhJjfSQBFA1XOyEmrLHw==
+PublicExponent: AQAB
+PrivateExponent: aSkynrGfldfuz/9e+xCjEcg2FMRDCb+UVpnyWv29gJx9sunKPgLTtF3jUVVSpVE1xi+EdmWsry3n+v8uk+YCXhpwDCpV1KItE3huqIzs8LZoaypdZjieIrwTo9JOX1aAxf++hJYXSk60zTaWgRZqs6He4Nkf99oY3wt8i8v8CrkfQy76K/qK9xUVv5GHrEZzCGLfLv77eqDab/J84ANxc0kUtQvgt2/JTHofXmcA6/YDh5PWB8KRw1PjQTck61/xIgfI6ky/yIF1riCQCYXwTv7jcmMV/QvQ+dfN+HZ2CSGp7xcH2Yxe9OhAY823ZkmkOQ2YZPjIj6dEoRMmSiaagQ==
+Prime1: x2GMnpRPwvUhM+yPRa7nh5Jjl4mbofeOtVrxe1hEVy8l2UGFh+FDZCbyoLRNUTYDji00NHpGtmcAyoY9pLdOn7ci4zqGVnNJcIY75Ie4p6J7pPfDh9d+AGtJ5NpNhr1sjD0bFncJC2FGY9vj4eC0CkatMu/Qovrd2FwZ8VpDsAk=
+Prime2: woB8MYsEfSYGD0hZGtmgK6UQ+Oo9smxdPmahLYXnLSAdqtqZbZX+ABk/kFduT+XwlHOXmp3HMmUtQTRZBaQyBrsFWfWjOGevByEsT9aLQSZOEgnqy4xrc9XNwDs4/WkrEgw/TOVnZYdaCyLxsFl4bpTX8Fj3yVqg/tJvuUMWG+c=
+Exponent1: iQO7a9rF+VcVSyZ8yslIaL0r3Z5+Kk8CbhSiMD5XMIbA/sztI5SlCDVPtSpSm8V/qfvcjVeeMokUXRjlUcV6rX1f50F3wf8V79L/Y6v1NJYPXC273CU1fLo+HJv8fOS9rJ3teIGy4HQnuEYLE1WkxA8PxRpSiT3WqHGajmaWb2k=
+Exponent2: elMWSI5Wz2KXkwr8Rz+xVWGl7/ZZwRoX9oPTQG8jeiTlo6uBrQMVUPiQGnZyQTuq96JPKYWrXs11DbofdsXSVJtQfUhYU8QZtxEs7jVPNTUjCoNEMKnqdlpz4T8d03pOBTbApNruEVNz1OcwO6m5bUqdGGLLy838zOaKL2i6wec=
+Coefficient: q2mejAmT3A4H2C0rT1hm8XQFuISHjAAEyM9t09Q8tEeQ0lHi4gMVA3bXoAn9U21eBkFQDwvyB0vqlVSGgRqHovOKx9uXAU9eoDxGcJsFlGsM0aUsUjGVXv5kVmaw8a5PHBbvYAbgAZUmKqrVF0PWD3o+/DbzP9PCmlJcqxoAulU=
+Created: 20000101000000
+Publish: 20000101000000
+Activate: 20000101000000
diff --git a/lib/dns/tests/testkeys/Kexample.+008+37464.key b/lib/dns/tests/testkeys/Kexample.+008+37464.key
new file mode 100644
index 0000000..3dd0619
--- /dev/null
+++ b/lib/dns/tests/testkeys/Kexample.+008+37464.key
@@ -0,0 +1,5 @@
+; This is a zone-signing key, keyid 37464, for example.
+; Created: 20000101000000 (Sat Jan  1 00:00:00 2000)
+; Publish: 20000101000000 (Sat Jan  1 00:00:00 2000)
+; Activate: 20000101000000 (Sat Jan  1 00:00:00 2000)
+example. IN DNSKEY 256 3 8 AwEAAbxHOF8G0xw9ekCodhL8KivuZ3o0jmGlycLiXBjBN8c5R5fjLjUh D0gy3IDbDC+kLaPhHGF/MwrSEjrgSowxZ8nrxDzsq5ZdpeUsYaNrbQEY /mqf35T/9/Ulm4v06x58v/NTugWd05Xq04aAyfm7EViyGFzmVOVfPnll h9xQtvWEWoRWPseFw+dY5/nc/+xB/IsQMihoH2rO+cek/lsP3R9DsHCG RbQ/ks/+rrp6/O+QJZyZrzsONl7mlMDXNy3Pz9J4qMW2W6Mz702LN324 7/9UsetDGGbuZfrCLMpKWXzdsJm36DOk4aMooS9111plfXaXQgQNcL5G 021utpTau+8=
diff --git a/lib/dns/tests/testkeys/Kexample.+008+37464.private b/lib/dns/tests/testkeys/Kexample.+008+37464.private
new file mode 100644
index 0000000..ecc2ad0
--- /dev/null
+++ b/lib/dns/tests/testkeys/Kexample.+008+37464.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: vEc4XwbTHD16QKh2EvwqK+5nejSOYaXJwuJcGME3xzlHl+MuNSEPSDLcgNsML6Qto+EcYX8zCtISOuBKjDFnyevEPOyrll2l5Sxho2ttARj+ap/flP/39SWbi/TrHny/81O6BZ3TlerThoDJ+bsRWLIYXOZU5V8+eWWH3FC29YRahFY+x4XD51jn+dz/7EH8ixAyKGgfas75x6T+Ww/dH0OwcIZFtD+Sz/6uunr875AlnJmvOw42XuaUwNc3Lc/P0nioxbZbozPvTYs3fbjv/1Sx60MYZu5l+sIsykpZfN2wmbfoM6ThoyihL3XXWmV9dpdCBA1wvkbTbW62lNq77w==
+PublicExponent: AQAB
+PrivateExponent: AhR3VvVoV6OGOjiiNUt728hidEMoX4PJWtHNWqinyRek5tSnqgaXeKC3NuU0mUIjDvBps9oH4lK3yNa5fBr/nodwP4wNyTd3obR/z6JcLersxJjHi4nYX2ju8vjdsBSIulNudqlrsPhLJe0+Tff3FRfClSQmQ/JtakHo4lIx8zxiOJY8aWFeHGdWJDkAf6NStt3eVYyOyAwISfv3muaGPZKShiIOfLyTvqFqzwYFgdTWmvFqTdwgjIMc5XAwqw73WP2BPCN+fdCiMtrw0fCrhWzw/gfMJBHdOPH0diUZysAJhM0vdVKQzEi/g3YOo00fahZiPzaxNtZnLNj2mA54YQ==
+Prime1: 5YpfVjEtL1owW9gSFbIMx65POr+fiktxirgy1bc5fSsVqUgG6zhbaN/VpWcNZG0Zg5xd6S7C8V3djGlnJN8wZIyjIh7+Z3WWjqbOD9oY7rC1fR+W0OvbCmZiEzOpRJ5qoMOh1MzkkanhMy0/ICpaa8eQ9zEb80oTIQpFgoLn7K0=
+Prime2: 0fs3ncL5/2qzq2dmPXLYcOfc1EGSuESO0VpREP8EpTkyPKeVw5LaF9TgZRqPWlRf2T0LPoZ766xLAn090u0pLQ5fWM96NMas7kS+rxtRssat6MiQo3YfoU3ysk3xuPzrMBHyn/N42CjSG+bJEToHR7V16KsCT6dBIPkI3tj/Yos=
+Exponent1: Bdsp44ENrg+W/EDe9T69pLqFuvH4mAaktu1MHre198OJoe/8fTPK4ToUsUuXw+Akrn7mxnQy9QV4CYUG5KHtEiOkZdJ0mx8c4DbROwZNbImFl9OefWYHCJTkG6lNwDpqbf+PuWYgzraO0EdvPNrXw7grsqLGG8bgBg/FBjdgw2E=
+Exponent2: uV1pxW0fwGhzX3aR/ODrTRCCEyYn3V84LHvsYHKfqTOKs5zFSrbSrIMR7G676ePeESogSPvzXSLlvLbO4urVlJ7BcOcHXJuegWBSbMZTItzdHUgg1wwp8/2Zp+nC36j1/aN6adVG8ptmj5b2HKz7TERWaCS+j454oiD1wbQSDu0=
+Coefficient: JO6RxBIaoEd/Z4ITcsYT8TslP1KmIuAqdhMt3FSpqeogUDut7f3FZIEyNi4wsrSK5peIQSVmO2pQLupS+eRIPHXZ1vh5kcFAsgd7XBb7Fvsg26/WSjhB4wjx+wgWzVomK0519pfdtH854fePWPkdDKtLNL2zh0APne3GjwrbNEM=
+Created: 20000101000000
+Publish: 20000101000000
+Activate: 20000101000000
diff --git a/lib/dns/tests/time_test.c b/lib/dns/tests/time_test.c
new file mode 100644
index 0000000..a1e50f8
--- /dev/null
+++ b/lib/dns/tests/time_test.c
@@ -0,0 +1,218 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <inttypes.h>
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/util.h>
+
+#include <dns/time.h>
+
+#include "dnstest.h"
+
+#define TEST_ORIGIN "test"
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = dns_test_begin(NULL, false);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	dns_test_end();
+
+	return (0);
+}
+
+/* value = 0xfffffffff <-> 19691231235959 */
+static void
+epoch_minus_one_test(void **state) {
+	const char *test_text = "19691231235959";
+	const uint32_t test_time = 0xffffffff;
+	isc_result_t result;
+	isc_buffer_t target;
+	uint32_t when;
+	char buf[128];
+
+	UNUSED(state);
+
+	memset(buf, 0, sizeof(buf));
+	isc_buffer_init(&target, buf, sizeof(buf));
+	result = dns_time32_totext(test_time, &target);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_string_equal(buf, test_text);
+	result = dns_time32_fromtext(test_text, &when);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(when, test_time);
+}
+
+/* value = 0x000000000 <-> 19700101000000*/
+static void
+epoch_test(void **state) {
+	const char *test_text = "19700101000000";
+	const uint32_t test_time = 0x00000000;
+	isc_result_t result;
+	isc_buffer_t target;
+	uint32_t when;
+	char buf[128];
+
+	UNUSED(state);
+
+	memset(buf, 0, sizeof(buf));
+	isc_buffer_init(&target, buf, sizeof(buf));
+	result = dns_time32_totext(test_time, &target);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_string_equal(buf, test_text);
+	result = dns_time32_fromtext(test_text, &when);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(when, test_time);
+}
+
+/* value = 0x7fffffff <-> 20380119031407 */
+static void
+half_maxint_test(void **state) {
+	const char *test_text = "20380119031407";
+	const uint32_t test_time = 0x7fffffff;
+	isc_result_t result;
+	isc_buffer_t target;
+	uint32_t when;
+	char buf[128];
+
+	UNUSED(state);
+
+	memset(buf, 0, sizeof(buf));
+	isc_buffer_init(&target, buf, sizeof(buf));
+	result = dns_time32_totext(test_time, &target);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_string_equal(buf, test_text);
+	result = dns_time32_fromtext(test_text, &when);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(when, test_time);
+}
+
+/* value = 0x80000000 <-> 20380119031408 */
+static void
+half_plus_one_test(void **state) {
+	const char *test_text = "20380119031408";
+	const uint32_t test_time = 0x80000000;
+	isc_result_t result;
+	isc_buffer_t target;
+	uint32_t when;
+	char buf[128];
+
+	UNUSED(state);
+
+	memset(buf, 0, sizeof(buf));
+	isc_buffer_init(&target, buf, sizeof(buf));
+	result = dns_time32_totext(test_time, &target);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_string_equal(buf, test_text);
+	result = dns_time32_fromtext(test_text, &when);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(when, test_time);
+}
+
+/* value = 0xef68f5d0 <-> 19610307130000 */
+static void
+fifty_before_test(void **state) {
+	isc_result_t result;
+	const char *test_text = "19610307130000";
+	const uint32_t test_time = 0xef68f5d0;
+	isc_buffer_t target;
+	uint32_t when;
+	char buf[128];
+
+	UNUSED(state);
+
+	memset(buf, 0, sizeof(buf));
+	isc_buffer_init(&target, buf, sizeof(buf));
+	result = dns_time32_totext(test_time, &target);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_string_equal(buf, test_text);
+	result = dns_time32_fromtext(test_text, &when);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(when, test_time);
+}
+
+/* value = 0x4d74d6d0 <-> 20110307130000 */
+static void
+some_ago_test(void **state) {
+	const char *test_text = "20110307130000";
+	const uint32_t test_time = 0x4d74d6d0;
+	isc_result_t result;
+	isc_buffer_t target;
+	uint32_t when;
+	char buf[128];
+
+	UNUSED(state);
+
+	memset(buf, 0, sizeof(buf));
+	isc_buffer_init(&target, buf, sizeof(buf));
+	result = dns_time32_totext(test_time, &target);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_string_equal(buf, test_text);
+	result = dns_time32_fromtext(test_text, &when);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(when, test_time);
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test_setup_teardown(epoch_minus_one_test, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(epoch_test, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(half_maxint_test, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(half_plus_one_test, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(fifty_before_test, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(some_ago_test, _setup,
+						_teardown),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/dns/tests/tsig_test.c b/lib/dns/tests/tsig_test.c
new file mode 100644
index 0000000..1354ef7
--- /dev/null
+++ b/lib/dns/tests/tsig_test.c
@@ -0,0 +1,605 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/util.h>
+
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/tsig.h>
+
+#include "../tsig_p.h"
+#include "dnstest.h"
+
+#define CHECK(r)                               \
+	do {                                   \
+		result = (r);                  \
+		if (result != ISC_R_SUCCESS) { \
+			goto cleanup;          \
+		}                              \
+	} while (0)
+
+#define TEST_ORIGIN "test"
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = dns_test_begin(NULL, false);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	dns_test_end();
+
+	return (0);
+}
+
+static int debug = 0;
+
+static isc_result_t
+add_mac(dst_context_t *tsigctx, isc_buffer_t *buf) {
+	dns_rdata_any_tsig_t tsig;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_buffer_t databuf;
+	isc_region_t r;
+	isc_result_t result;
+	unsigned char tsigbuf[1024];
+
+	isc_buffer_usedregion(buf, &r);
+	dns_rdata_fromregion(&rdata, dns_rdataclass_any, dns_rdatatype_tsig,
+			     &r);
+	isc_buffer_init(&databuf, tsigbuf, sizeof(tsigbuf));
+	CHECK(dns_rdata_tostruct(&rdata, &tsig, NULL));
+	isc_buffer_putuint16(&databuf, tsig.siglen);
+	isc_buffer_putmem(&databuf, tsig.signature, tsig.siglen);
+	isc_buffer_usedregion(&databuf, &r);
+	result = dst_context_adddata(tsigctx, &r);
+	dns_rdata_freestruct(&tsig);
+cleanup:
+	return (result);
+}
+
+static isc_result_t
+add_tsig(dst_context_t *tsigctx, dns_tsigkey_t *key, isc_buffer_t *target) {
+	dns_compress_t cctx;
+	dns_rdata_any_tsig_t tsig;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdatalist_t rdatalist;
+	dns_rdataset_t rdataset;
+	isc_buffer_t *dynbuf = NULL;
+	isc_buffer_t databuf;
+	isc_buffer_t sigbuf;
+	isc_region_t r;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_stdtime_t now;
+	unsigned char tsigbuf[1024];
+	unsigned int count;
+	unsigned int sigsize = 0;
+	bool invalidate_ctx = false;
+
+	memset(&tsig, 0, sizeof(tsig));
+
+	CHECK(dns_compress_init(&cctx, -1, dt_mctx));
+	invalidate_ctx = true;
+
+	tsig.common.rdclass = dns_rdataclass_any;
+	tsig.common.rdtype = dns_rdatatype_tsig;
+	ISC_LINK_INIT(&tsig.common, link);
+	dns_name_init(&tsig.algorithm, NULL);
+	dns_name_clone(key->algorithm, &tsig.algorithm);
+
+	isc_stdtime_get(&now);
+	tsig.timesigned = now;
+	tsig.fudge = DNS_TSIG_FUDGE;
+	tsig.originalid = 50;
+	tsig.error = dns_rcode_noerror;
+	tsig.otherlen = 0;
+	tsig.other = NULL;
+
+	isc_buffer_init(&databuf, tsigbuf, sizeof(tsigbuf));
+	isc_buffer_putuint48(&databuf, tsig.timesigned);
+	isc_buffer_putuint16(&databuf, tsig.fudge);
+	isc_buffer_usedregion(&databuf, &r);
+	CHECK(dst_context_adddata(tsigctx, &r));
+
+	CHECK(dst_key_sigsize(key->key, &sigsize));
+	tsig.signature = isc_mem_get(dt_mctx, sigsize);
+	isc_buffer_init(&sigbuf, tsig.signature, sigsize);
+	CHECK(dst_context_sign(tsigctx, &sigbuf));
+	tsig.siglen = isc_buffer_usedlength(&sigbuf);
+	assert_int_equal(sigsize, tsig.siglen);
+
+	isc_buffer_allocate(dt_mctx, &dynbuf, 512);
+	CHECK(dns_rdata_fromstruct(&rdata, dns_rdataclass_any,
+				   dns_rdatatype_tsig, &tsig, dynbuf));
+	dns_rdatalist_init(&rdatalist);
+	rdatalist.rdclass = dns_rdataclass_any;
+	rdatalist.type = dns_rdatatype_tsig;
+	ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
+	dns_rdataset_init(&rdataset);
+	CHECK(dns_rdatalist_tordataset(&rdatalist, &rdataset));
+	CHECK(dns_rdataset_towire(&rdataset, &key->name, &cctx, target, 0,
+				  &count));
+
+	/*
+	 * Fixup additional record count.
+	 */
+	((unsigned char *)target->base)[11]++;
+	if (((unsigned char *)target->base)[11] == 0) {
+		((unsigned char *)target->base)[10]++;
+	}
+cleanup:
+	if (tsig.signature != NULL) {
+		isc_mem_put(dt_mctx, tsig.signature, sigsize);
+	}
+	if (dynbuf != NULL) {
+		isc_buffer_free(&dynbuf);
+	}
+	if (invalidate_ctx) {
+		dns_compress_invalidate(&cctx);
+	}
+
+	return (result);
+}
+
+static void
+printmessage(dns_message_t *msg) {
+	isc_buffer_t b;
+	char *buf = NULL;
+	int len = 1024;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	if (!debug) {
+		return;
+	}
+
+	do {
+		buf = isc_mem_get(dt_mctx, len);
+
+		isc_buffer_init(&b, buf, len);
+		result = dns_message_totext(msg, &dns_master_style_debug, 0,
+					    &b);
+		if (result == ISC_R_NOSPACE) {
+			isc_mem_put(dt_mctx, buf, len);
+			len *= 2;
+		} else if (result == ISC_R_SUCCESS) {
+			printf("%.*s\n", (int)isc_buffer_usedlength(&b), buf);
+		}
+	} while (result == ISC_R_NOSPACE);
+
+	if (buf != NULL) {
+		isc_mem_put(dt_mctx, buf, len);
+	}
+}
+
+static void
+render(isc_buffer_t *buf, unsigned flags, dns_tsigkey_t *key,
+       isc_buffer_t **tsigin, isc_buffer_t **tsigout, dst_context_t *tsigctx) {
+	dns_message_t *msg = NULL;
+	dns_compress_t cctx;
+	isc_result_t result;
+
+	dns_message_create(dt_mctx, DNS_MESSAGE_INTENTRENDER, &msg);
+	assert_non_null(msg);
+
+	msg->id = 50;
+	msg->rcode = dns_rcode_noerror;
+	msg->flags = flags;
+
+	/*
+	 * XXXMPA: this hack needs to be replaced with use of
+	 * dns_message_reply() at some point.
+	 */
+	if ((flags & DNS_MESSAGEFLAG_QR) != 0) {
+		msg->verified_sig = 1;
+	}
+
+	if (tsigin == tsigout) {
+		msg->tcp_continuation = 1;
+	}
+
+	if (tsigctx == NULL) {
+		result = dns_message_settsigkey(msg, key);
+		assert_int_equal(result, ISC_R_SUCCESS);
+
+		result = dns_message_setquerytsig(msg, *tsigin);
+		assert_int_equal(result, ISC_R_SUCCESS);
+	}
+
+	result = dns_compress_init(&cctx, -1, dt_mctx);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_message_renderbegin(msg, &cctx, buf);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_message_renderend(msg);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	if (tsigctx != NULL) {
+		isc_region_t r;
+
+		isc_buffer_usedregion(buf, &r);
+		result = dst_context_adddata(tsigctx, &r);
+		assert_int_equal(result, ISC_R_SUCCESS);
+	} else {
+		if (tsigin == tsigout && *tsigin != NULL) {
+			isc_buffer_free(tsigin);
+		}
+
+		result = dns_message_getquerytsig(msg, dt_mctx, tsigout);
+		assert_int_equal(result, ISC_R_SUCCESS);
+	}
+
+	dns_compress_invalidate(&cctx);
+	dns_message_detach(&msg);
+}
+
+/*
+ * Test tsig tcp-continuation validation:
+ * Check that a simulated three message TCP sequence where the first
+ * and last messages contain TSIGs but the intermediate message doesn't
+ * correctly verifies.
+ */
+static void
+tsig_tcp_test(void **state) {
+	const dns_name_t *tsigowner = NULL;
+	dns_fixedname_t fkeyname;
+	dns_message_t *msg = NULL;
+	dns_name_t *keyname;
+	dns_tsig_keyring_t *ring = NULL;
+	dns_tsigkey_t *key = NULL;
+	isc_buffer_t *buf = NULL;
+	isc_buffer_t *querytsig = NULL;
+	isc_buffer_t *tsigin = NULL;
+	isc_buffer_t *tsigout = NULL;
+	isc_result_t result;
+	unsigned char secret[16] = { 0 };
+	dst_context_t *tsigctx = NULL;
+	dst_context_t *outctx = NULL;
+
+	UNUSED(state);
+
+	/* isc_log_setdebuglevel(lctx, 99); */
+
+	keyname = dns_fixedname_initname(&fkeyname);
+	result = dns_name_fromstring(keyname, "test", 0, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_tsigkeyring_create(dt_mctx, &ring);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_tsigkey_create(keyname, dns_tsig_hmacsha256_name, secret,
+				    sizeof(secret), false, NULL, 0, 0, dt_mctx,
+				    ring, &key);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_non_null(key);
+
+	/*
+	 * Create request.
+	 */
+	isc_buffer_allocate(dt_mctx, &buf, 65535);
+	render(buf, 0, key, &tsigout, &querytsig, NULL);
+	isc_buffer_free(&buf);
+
+	/*
+	 * Create response message 1.
+	 */
+	isc_buffer_allocate(dt_mctx, &buf, 65535);
+	render(buf, DNS_MESSAGEFLAG_QR, key, &querytsig, &tsigout, NULL);
+	assert_non_null(tsigout);
+
+	/*
+	 * Process response message 1.
+	 */
+	dns_message_create(dt_mctx, DNS_MESSAGE_INTENTPARSE, &msg);
+	assert_non_null(msg);
+
+	result = dns_message_settsigkey(msg, key);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_message_parse(msg, buf, 0);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	printmessage(msg);
+
+	result = dns_message_setquerytsig(msg, querytsig);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_tsig_verify(buf, msg, NULL, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(msg->verified_sig, 1);
+	assert_int_equal(msg->tsigstatus, dns_rcode_noerror);
+
+	/*
+	 * Check that we have a TSIG in the first message.
+	 */
+	assert_non_null(dns_message_gettsig(msg, &tsigowner));
+
+	result = dns_message_getquerytsig(msg, dt_mctx, &tsigin);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	tsigctx = msg->tsigctx;
+	msg->tsigctx = NULL;
+	isc_buffer_free(&buf);
+	dns_message_detach(&msg);
+
+	result = dst_context_create(key->key, dt_mctx, DNS_LOGCATEGORY_DNSSEC,
+				    false, 0, &outctx);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_non_null(outctx);
+
+	/*
+	 * Start digesting.
+	 */
+	result = add_mac(outctx, tsigout);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/*
+	 * Create response message 2.
+	 */
+	isc_buffer_allocate(dt_mctx, &buf, 65535);
+
+	assert_int_equal(result, ISC_R_SUCCESS);
+	render(buf, DNS_MESSAGEFLAG_QR, key, &tsigout, &tsigout, outctx);
+
+	/*
+	 * Process response message 2.
+	 */
+	dns_message_create(dt_mctx, DNS_MESSAGE_INTENTPARSE, &msg);
+	assert_non_null(msg);
+
+	msg->tcp_continuation = 1;
+	msg->tsigctx = tsigctx;
+	tsigctx = NULL;
+
+	result = dns_message_settsigkey(msg, key);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_message_parse(msg, buf, 0);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	printmessage(msg);
+
+	result = dns_message_setquerytsig(msg, tsigin);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_tsig_verify(buf, msg, NULL, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(msg->verified_sig, 0);
+	assert_int_equal(msg->tsigstatus, dns_rcode_noerror);
+
+	/*
+	 * Check that we don't have a TSIG in the second message.
+	 */
+	tsigowner = NULL;
+	assert_true(dns_message_gettsig(msg, &tsigowner) == NULL);
+
+	tsigctx = msg->tsigctx;
+	msg->tsigctx = NULL;
+	isc_buffer_free(&buf);
+	dns_message_detach(&msg);
+
+	/*
+	 * Create response message 3.
+	 */
+	isc_buffer_allocate(dt_mctx, &buf, 65535);
+	render(buf, DNS_MESSAGEFLAG_QR, key, &tsigout, &tsigout, outctx);
+
+	result = add_tsig(outctx, key, buf);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/*
+	 * Process response message 3.
+	 */
+	dns_message_create(dt_mctx, DNS_MESSAGE_INTENTPARSE, &msg);
+	assert_non_null(msg);
+
+	msg->tcp_continuation = 1;
+	msg->tsigctx = tsigctx;
+	tsigctx = NULL;
+
+	result = dns_message_settsigkey(msg, key);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_message_parse(msg, buf, 0);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	printmessage(msg);
+
+	/*
+	 * Check that we had a TSIG in the third message.
+	 */
+	assert_non_null(dns_message_gettsig(msg, &tsigowner));
+
+	result = dns_message_setquerytsig(msg, tsigin);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_tsig_verify(buf, msg, NULL, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(msg->verified_sig, 1);
+	assert_int_equal(msg->tsigstatus, dns_rcode_noerror);
+
+	if (tsigin != NULL) {
+		isc_buffer_free(&tsigin);
+	}
+
+	result = dns_message_getquerytsig(msg, dt_mctx, &tsigin);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	isc_buffer_free(&buf);
+	dns_message_detach(&msg);
+
+	if (outctx != NULL) {
+		dst_context_destroy(&outctx);
+	}
+	if (querytsig != NULL) {
+		isc_buffer_free(&querytsig);
+	}
+	if (tsigin != NULL) {
+		isc_buffer_free(&tsigin);
+	}
+	if (tsigout != NULL) {
+		isc_buffer_free(&tsigout);
+	}
+	dns_tsigkey_detach(&key);
+	if (ring != NULL) {
+		dns_tsigkeyring_detach(&ring);
+	}
+}
+
+/* Tests the dns__tsig_algvalid function */
+static void
+algvalid_test(void **state) {
+	UNUSED(state);
+
+	assert_true(dns__tsig_algvalid(DST_ALG_HMACMD5));
+
+	assert_true(dns__tsig_algvalid(DST_ALG_HMACSHA1));
+	assert_true(dns__tsig_algvalid(DST_ALG_HMACSHA224));
+	assert_true(dns__tsig_algvalid(DST_ALG_HMACSHA256));
+	assert_true(dns__tsig_algvalid(DST_ALG_HMACSHA384));
+	assert_true(dns__tsig_algvalid(DST_ALG_HMACSHA512));
+
+	assert_false(dns__tsig_algvalid(DST_ALG_GSSAPI));
+}
+
+/* Tests the dns__tsig_algfromname function */
+static void
+algfromname_test(void **state) {
+	UNUSED(state);
+
+	assert_int_equal(dns__tsig_algfromname(DNS_TSIG_HMACMD5_NAME),
+			 DST_ALG_HMACMD5);
+	assert_int_equal(dns__tsig_algfromname(DNS_TSIG_HMACSHA1_NAME),
+			 DST_ALG_HMACSHA1);
+	assert_int_equal(dns__tsig_algfromname(DNS_TSIG_HMACSHA224_NAME),
+			 DST_ALG_HMACSHA224);
+	assert_int_equal(dns__tsig_algfromname(DNS_TSIG_HMACSHA256_NAME),
+			 DST_ALG_HMACSHA256);
+	assert_int_equal(dns__tsig_algfromname(DNS_TSIG_HMACSHA384_NAME),
+			 DST_ALG_HMACSHA384);
+	assert_int_equal(dns__tsig_algfromname(DNS_TSIG_HMACSHA512_NAME),
+			 DST_ALG_HMACSHA512);
+
+	assert_int_equal(dns__tsig_algfromname(DNS_TSIG_GSSAPI_NAME),
+			 DST_ALG_GSSAPI);
+	assert_int_equal(dns__tsig_algfromname(DNS_TSIG_GSSAPIMS_NAME),
+			 DST_ALG_GSSAPI);
+
+	assert_int_equal(dns__tsig_algfromname(dns_rootname), 0);
+}
+
+/* Tests the dns__tsig_algnamefromname function */
+
+/*
+ * Helper function to create a dns_name_t from a string and see if
+ * the dns__tsig_algnamefromname function can correctly match it against the
+ * static table of known algorithms.
+ */
+static void
+test_name(const char *name_string, const dns_name_t *expected) {
+	dns_name_t name;
+	dns_name_init(&name, NULL);
+	assert_int_equal(dns_name_fromstring(&name, name_string, 0, dt_mctx),
+			 ISC_R_SUCCESS);
+	assert_ptr_equal(dns__tsig_algnamefromname(&name), expected);
+	dns_name_free(&name, dt_mctx);
+}
+
+static void
+algnamefromname_test(void **state) {
+	UNUSED(state);
+
+	/* test the standard algorithms */
+	test_name("hmac-md5.sig-alg.reg.int", DNS_TSIG_HMACMD5_NAME);
+	test_name("hmac-sha1", DNS_TSIG_HMACSHA1_NAME);
+	test_name("hmac-sha224", DNS_TSIG_HMACSHA224_NAME);
+	test_name("hmac-sha256", DNS_TSIG_HMACSHA256_NAME);
+	test_name("hmac-sha384", DNS_TSIG_HMACSHA384_NAME);
+	test_name("hmac-sha512", DNS_TSIG_HMACSHA512_NAME);
+
+	test_name("gss-tsig", DNS_TSIG_GSSAPI_NAME);
+	test_name("gss.microsoft.com", DNS_TSIG_GSSAPIMS_NAME);
+
+	/* try another name that isn't a standard algorithm name */
+	assert_null(dns__tsig_algnamefromname(dns_rootname));
+}
+
+/* Tests the dns__tsig_algallocated function */
+static void
+algallocated_test(void **state) {
+	UNUSED(state);
+
+	/* test the standard algorithms */
+	assert_false(dns__tsig_algallocated(DNS_TSIG_HMACMD5_NAME));
+	assert_false(dns__tsig_algallocated(DNS_TSIG_HMACSHA1_NAME));
+	assert_false(dns__tsig_algallocated(DNS_TSIG_HMACSHA224_NAME));
+	assert_false(dns__tsig_algallocated(DNS_TSIG_HMACSHA256_NAME));
+	assert_false(dns__tsig_algallocated(DNS_TSIG_HMACSHA384_NAME));
+	assert_false(dns__tsig_algallocated(DNS_TSIG_HMACSHA512_NAME));
+
+	assert_false(dns__tsig_algallocated(DNS_TSIG_HMACSHA512_NAME));
+	assert_false(dns__tsig_algallocated(DNS_TSIG_HMACSHA512_NAME));
+
+	/* try another name that isn't a standard algorithm name */
+	assert_true(dns__tsig_algallocated(dns_rootname));
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test_setup_teardown(tsig_tcp_test, _setup,
+						_teardown),
+		cmocka_unit_test(algvalid_test),
+		cmocka_unit_test(algfromname_test),
+		cmocka_unit_test_setup_teardown(algnamefromname_test, _setup,
+						_teardown),
+		cmocka_unit_test(algallocated_test),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/dns/tests/update_test.c b/lib/dns/tests/update_test.c
new file mode 100644
index 0000000..bc792a1
--- /dev/null
+++ b/lib/dns/tests/update_test.c
@@ -0,0 +1,381 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <inttypes.h>
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/serial.h>
+#include <isc/stdtime.h>
+#include <isc/util.h>
+
+#include <dns/update.h>
+
+#include "dnstest.h"
+
+/*
+ * Fix the linking order problem for overridden isc_stdtime_get() by making
+ * everything local.  This also allows static functions from update.c to be
+ * tested.
+ */
+#include "../update.c"
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = dns_test_begin(NULL, false);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	setenv("TZ", "", 1);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	dns_test_end();
+
+	return (0);
+}
+
+static uint32_t mystdtime;
+
+static void
+set_mystdtime(int year, int month, int day) {
+	struct tm tm;
+
+	memset(&tm, 0, sizeof(tm));
+	tm.tm_year = year - 1900;
+	tm.tm_mon = month - 1;
+	tm.tm_mday = day;
+	mystdtime = timegm(&tm);
+}
+
+/*
+ * Override isc_stdtime_get() from lib/isc/[unix/win32]/stdtime.c
+ * with our own for testing purposes.
+ */
+void
+isc_stdtime_get(isc_stdtime_t *now) {
+	*now = mystdtime;
+}
+
+/*
+ * Because update_test.o requires dns_update_*() symbols, the linker is able
+ * to resolve them using libdns.a(update.o).  That object has other symbol
+ * dependencies (dst_key_*()), so it pulls libdns.a(dst_api.o).
+ * That object file requires the isc_stdtime_tostring() symbol.
+ *
+ * Define a local version here so that we don't have to depend on
+ * libisc.a(stdtime.o).  If isc_stdtime_tostring() would be left undefined,
+ * the linker has to get the required object file, and that will result in a
+ * multiple definition error because the isc_stdtime_get() symbol exported
+ * there is already in the exported list.
+ */
+void
+isc_stdtime_tostring(isc_stdtime_t t, char *out, size_t outlen) {
+	UNUSED(t);
+	UNUSED(out);
+	UNUSED(outlen);
+}
+
+/* simple increment by 1 */
+static void
+increment_test(void **state) {
+	uint32_t old = 50;
+	uint32_t serial;
+
+	UNUSED(state);
+
+	serial = dns_update_soaserial(old, dns_updatemethod_increment, NULL);
+	assert_true(isc_serial_lt(old, serial));
+	assert_int_not_equal(serial, 0);
+	assert_int_equal(serial, 51);
+}
+
+/* increment past zero, 0xfffffffff -> 1 */
+static void
+increment_past_zero_test(void **state) {
+	uint32_t old = 0xffffffffu;
+	uint32_t serial;
+
+	UNUSED(state);
+
+	serial = dns_update_soaserial(old, dns_updatemethod_increment, NULL);
+	assert_true(isc_serial_lt(old, serial));
+	assert_int_not_equal(serial, 0);
+	assert_int_equal(serial, 1u);
+}
+
+/* past to unixtime */
+static void
+past_to_unix_test(void **state) {
+	uint32_t old;
+	uint32_t serial;
+
+	UNUSED(state);
+
+	set_mystdtime(2011, 6, 22);
+	old = mystdtime - 1;
+
+	serial = dns_update_soaserial(old, dns_updatemethod_unixtime, NULL);
+	assert_true(isc_serial_lt(old, serial));
+	assert_int_not_equal(serial, 0);
+	assert_int_equal(serial, mystdtime);
+}
+
+/* now to unixtime */
+static void
+now_to_unix_test(void **state) {
+	uint32_t old;
+	uint32_t serial;
+
+	UNUSED(state);
+
+	set_mystdtime(2011, 6, 22);
+	old = mystdtime;
+
+	serial = dns_update_soaserial(old, dns_updatemethod_unixtime, NULL);
+	assert_true(isc_serial_lt(old, serial));
+	assert_int_not_equal(serial, 0);
+	assert_int_equal(serial, old + 1);
+}
+
+/* future to unixtime */
+static void
+future_to_unix_test(void **state) {
+	uint32_t old;
+	uint32_t serial;
+
+	UNUSED(state);
+
+	set_mystdtime(2011, 6, 22);
+	old = mystdtime + 1;
+
+	serial = dns_update_soaserial(old, dns_updatemethod_unixtime, NULL);
+	assert_true(isc_serial_lt(old, serial));
+	assert_int_not_equal(serial, 0);
+	assert_int_equal(serial, old + 1);
+}
+
+/* undefined plus 1 to unixtime */
+static void
+undefined_plus1_to_unix_test(void **state) {
+	uint32_t old;
+	uint32_t serial;
+
+	UNUSED(state);
+
+	set_mystdtime(2011, 6, 22);
+	old = mystdtime ^ 0x80000000u;
+	old += 1;
+
+	serial = dns_update_soaserial(old, dns_updatemethod_unixtime, NULL);
+	assert_true(isc_serial_lt(old, serial));
+	assert_int_not_equal(serial, 0);
+	assert_int_equal(serial, mystdtime);
+}
+
+/* undefined minus 1 to unixtime */
+static void
+undefined_minus1_to_unix_test(void **state) {
+	uint32_t old;
+	uint32_t serial;
+
+	UNUSED(state);
+
+	set_mystdtime(2011, 6, 22);
+	old = mystdtime ^ 0x80000000u;
+	old -= 1;
+
+	serial = dns_update_soaserial(old, dns_updatemethod_unixtime, NULL);
+	assert_true(isc_serial_lt(old, serial));
+	assert_int_not_equal(serial, 0);
+	assert_int_equal(serial, old + 1);
+}
+
+/* undefined to unixtime */
+static void
+undefined_to_unix_test(void **state) {
+	uint32_t old;
+	uint32_t serial;
+
+	UNUSED(state);
+
+	set_mystdtime(2011, 6, 22);
+	old = mystdtime ^ 0x80000000u;
+
+	serial = dns_update_soaserial(old, dns_updatemethod_unixtime, NULL);
+	assert_true(isc_serial_lt(old, serial));
+	assert_int_not_equal(serial, 0);
+	assert_int_equal(serial, old + 1);
+}
+
+/* handle unixtime being zero */
+static void
+unixtime_zero_test(void **state) {
+	uint32_t old;
+	uint32_t serial;
+
+	UNUSED(state);
+
+	mystdtime = 0;
+	old = 0xfffffff0;
+
+	serial = dns_update_soaserial(old, dns_updatemethod_unixtime, NULL);
+	assert_true(isc_serial_lt(old, serial));
+	assert_int_not_equal(serial, 0);
+	assert_int_equal(serial, old + 1);
+}
+
+/* past to date */
+static void
+past_to_date_test(void **state) {
+	uint32_t old, serial;
+	dns_updatemethod_t used = dns_updatemethod_none;
+
+	UNUSED(state);
+
+	set_mystdtime(2014, 3, 31);
+	old = dns_update_soaserial(0, dns_updatemethod_date, NULL);
+	set_mystdtime(2014, 4, 1);
+
+	serial = dns_update_soaserial(old, dns_updatemethod_date, &used);
+	assert_true(isc_serial_lt(old, serial));
+	assert_int_not_equal(serial, 0);
+	assert_int_equal(serial, 2014040100);
+	assert_int_equal(dns_updatemethod_date, used);
+}
+
+/* now to date */
+static void
+now_to_date_test(void **state) {
+	uint32_t old;
+	uint32_t serial;
+	dns_updatemethod_t used = dns_updatemethod_none;
+
+	UNUSED(state);
+
+	set_mystdtime(2014, 4, 1);
+	old = dns_update_soaserial(0, dns_updatemethod_date, NULL);
+
+	serial = dns_update_soaserial(old, dns_updatemethod_date, &used);
+	assert_true(isc_serial_lt(old, serial));
+	assert_int_not_equal(serial, 0);
+	assert_int_equal(serial, 2014040101);
+	assert_int_equal(dns_updatemethod_date, used);
+
+	old = 2014040198;
+	serial = dns_update_soaserial(old, dns_updatemethod_date, &used);
+	assert_true(isc_serial_lt(old, serial));
+	assert_int_not_equal(serial, 0);
+	assert_int_equal(serial, 2014040199);
+	assert_int_equal(dns_updatemethod_date, used);
+
+	/*
+	 * Stealing from "tomorrow".
+	 */
+	old = 2014040199;
+	serial = dns_update_soaserial(old, dns_updatemethod_date, &used);
+	assert_true(isc_serial_lt(old, serial));
+	assert_int_not_equal(serial, 0);
+	assert_int_equal(serial, 2014040200);
+	assert_int_equal(dns_updatemethod_increment, used);
+}
+
+/* future to date */
+static void
+future_to_date_test(void **state) {
+	uint32_t old;
+	uint32_t serial;
+	dns_updatemethod_t used = dns_updatemethod_none;
+
+	UNUSED(state);
+
+	set_mystdtime(2014, 4, 1);
+	old = dns_update_soaserial(0, dns_updatemethod_date, NULL);
+	set_mystdtime(2014, 3, 31);
+
+	serial = dns_update_soaserial(old, dns_updatemethod_date, &used);
+	assert_true(isc_serial_lt(old, serial));
+	assert_int_not_equal(serial, 0);
+	assert_int_equal(serial, 2014040101);
+	assert_int_equal(dns_updatemethod_increment, used);
+
+	old = serial;
+	serial = dns_update_soaserial(old, dns_updatemethod_date, &used);
+	assert_true(isc_serial_lt(old, serial));
+	assert_int_not_equal(serial, 0);
+	assert_int_equal(serial, 2014040102);
+	assert_int_equal(dns_updatemethod_increment, used);
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test_setup_teardown(increment_test, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(increment_past_zero_test,
+						_setup, _teardown),
+		cmocka_unit_test_setup_teardown(past_to_unix_test, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(now_to_unix_test, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(future_to_unix_test, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(undefined_to_unix_test, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(undefined_plus1_to_unix_test,
+						_setup, _teardown),
+		cmocka_unit_test_setup_teardown(undefined_minus1_to_unix_test,
+						_setup, _teardown),
+		cmocka_unit_test_setup_teardown(unixtime_zero_test, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(past_to_date_test, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(now_to_date_test, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(future_to_date_test, _setup,
+						_teardown),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/dns/tests/zonemgr_test.c b/lib/dns/tests/zonemgr_test.c
new file mode 100644
index 0000000..3424342
--- /dev/null
+++ b/lib/dns/tests/zonemgr_test.c
@@ -0,0 +1,265 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/buffer.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/name.h>
+#include <dns/view.h>
+#include <dns/zone.h>
+
+#include "dnstest.h"
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = dns_test_begin(NULL, true);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	dns_test_end();
+
+	return (0);
+}
+
+/* create zone manager */
+static void
+zonemgr_create(void **state) {
+	dns_zonemgr_t *myzonemgr = NULL;
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = dns_zonemgr_create(dt_mctx, taskmgr, timermgr, socketmgr,
+				    &myzonemgr);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	dns_zonemgr_shutdown(myzonemgr);
+	dns_zonemgr_detach(&myzonemgr);
+	assert_null(myzonemgr);
+}
+
+/* manage and release a zone */
+static void
+zonemgr_managezone(void **state) {
+	dns_zonemgr_t *myzonemgr = NULL;
+	dns_zone_t *zone = NULL;
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = dns_zonemgr_create(dt_mctx, taskmgr, timermgr, socketmgr,
+				    &myzonemgr);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_test_makezone("foo", &zone, NULL, false);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/* This should not succeed until the dns_zonemgr_setsize() is run */
+	result = dns_zonemgr_managezone(myzonemgr, zone);
+	assert_int_equal(result, ISC_R_FAILURE);
+
+	assert_int_equal(dns_zonemgr_getcount(myzonemgr, DNS_ZONESTATE_ANY), 0);
+
+	result = dns_zonemgr_setsize(myzonemgr, 1);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/* Now it should succeed */
+	result = dns_zonemgr_managezone(myzonemgr, zone);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	assert_int_equal(dns_zonemgr_getcount(myzonemgr, DNS_ZONESTATE_ANY), 1);
+
+	dns_zonemgr_releasezone(myzonemgr, zone);
+	dns_zone_detach(&zone);
+
+	assert_int_equal(dns_zonemgr_getcount(myzonemgr, DNS_ZONESTATE_ANY), 0);
+
+	dns_zonemgr_shutdown(myzonemgr);
+	dns_zonemgr_detach(&myzonemgr);
+	assert_null(myzonemgr);
+}
+
+/* create and release a zone */
+static void
+zonemgr_createzone(void **state) {
+	dns_zonemgr_t *myzonemgr = NULL;
+	dns_zone_t *zone = NULL;
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = dns_zonemgr_create(dt_mctx, taskmgr, timermgr, socketmgr,
+				    &myzonemgr);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/* This should not succeed until the dns_zonemgr_setsize() is run */
+	result = dns_zonemgr_createzone(myzonemgr, &zone);
+	assert_int_equal(result, ISC_R_FAILURE);
+
+	result = dns_zonemgr_setsize(myzonemgr, 1);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/* Now it should succeed */
+	result = dns_zonemgr_createzone(myzonemgr, &zone);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_non_null(zone);
+
+	if (zone != NULL) {
+		dns_zone_detach(&zone);
+	}
+
+	dns_zonemgr_shutdown(myzonemgr);
+	dns_zonemgr_detach(&myzonemgr);
+	assert_null(myzonemgr);
+}
+
+/* manage and release a zone */
+static void
+zonemgr_unreachable(void **state) {
+	dns_zonemgr_t *myzonemgr = NULL;
+	dns_zone_t *zone = NULL;
+	isc_sockaddr_t addr1, addr2;
+	struct in_addr in;
+	isc_result_t result;
+	isc_time_t now;
+
+	UNUSED(state);
+
+	TIME_NOW(&now);
+
+	result = dns_zonemgr_create(dt_mctx, taskmgr, timermgr, socketmgr,
+				    &myzonemgr);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_test_makezone("foo", &zone, NULL, false);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_zonemgr_setsize(myzonemgr, 1);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_zonemgr_managezone(myzonemgr, zone);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	in.s_addr = inet_addr("10.53.0.1");
+	isc_sockaddr_fromin(&addr1, &in, 2112);
+	in.s_addr = inet_addr("10.53.0.2");
+	isc_sockaddr_fromin(&addr2, &in, 5150);
+	assert_false(dns_zonemgr_unreachable(myzonemgr, &addr1, &addr2, &now));
+	/*
+	 * We require multiple unreachableadd calls to mark a server as
+	 * unreachable.
+	 */
+	dns_zonemgr_unreachableadd(myzonemgr, &addr1, &addr2, &now);
+	assert_false(dns_zonemgr_unreachable(myzonemgr, &addr1, &addr2, &now));
+	dns_zonemgr_unreachableadd(myzonemgr, &addr1, &addr2, &now);
+	assert_true(dns_zonemgr_unreachable(myzonemgr, &addr1, &addr2, &now));
+
+	in.s_addr = inet_addr("10.53.0.3");
+	isc_sockaddr_fromin(&addr2, &in, 5150);
+	assert_false(dns_zonemgr_unreachable(myzonemgr, &addr1, &addr2, &now));
+	/*
+	 * We require multiple unreachableadd calls to mark a server as
+	 * unreachable.
+	 */
+	dns_zonemgr_unreachableadd(myzonemgr, &addr1, &addr2, &now);
+	dns_zonemgr_unreachableadd(myzonemgr, &addr1, &addr2, &now);
+	assert_true(dns_zonemgr_unreachable(myzonemgr, &addr1, &addr2, &now));
+
+	dns_zonemgr_unreachabledel(myzonemgr, &addr1, &addr2);
+	assert_false(dns_zonemgr_unreachable(myzonemgr, &addr1, &addr2, &now));
+
+	in.s_addr = inet_addr("10.53.0.2");
+	isc_sockaddr_fromin(&addr2, &in, 5150);
+	assert_true(dns_zonemgr_unreachable(myzonemgr, &addr1, &addr2, &now));
+	dns_zonemgr_unreachabledel(myzonemgr, &addr1, &addr2);
+	assert_false(dns_zonemgr_unreachable(myzonemgr, &addr1, &addr2, &now));
+
+	dns_zonemgr_releasezone(myzonemgr, zone);
+	dns_zone_detach(&zone);
+	dns_zonemgr_shutdown(myzonemgr);
+	dns_zonemgr_detach(&myzonemgr);
+	assert_null(myzonemgr);
+}
+
+/*
+ * XXX:
+ * dns_zonemgr API calls that are not yet part of this unit test:
+ *
+ * 	- dns_zonemgr_attach
+ * 	- dns_zonemgr_forcemaint
+ * 	- dns_zonemgr_resumexfrs
+ * 	- dns_zonemgr_shutdown
+ * 	- dns_zonemgr_setsize
+ * 	- dns_zonemgr_settransfersin
+ * 	- dns_zonemgr_getttransfersin
+ * 	- dns_zonemgr_settransfersperns
+ * 	- dns_zonemgr_getttransfersperns
+ * 	- dns_zonemgr_setiolimit
+ * 	- dns_zonemgr_getiolimit
+ * 	- dns_zonemgr_dbdestroyed
+ * 	- dns_zonemgr_setserialqueryrate
+ * 	- dns_zonemgr_getserialqueryrate
+ */
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test_setup_teardown(zonemgr_create, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(zonemgr_managezone, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(zonemgr_createzone, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(zonemgr_unreachable, _setup,
+						_teardown),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/dns/tests/zt_test.c b/lib/dns/tests/zt_test.c
new file mode 100644
index 0000000..e79adb2
--- /dev/null
+++ b/lib/dns/tests/zt_test.c
@@ -0,0 +1,376 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/app.h>
+#include <isc/atomic.h>
+#include <isc/buffer.h>
+#include <isc/print.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/name.h>
+#include <dns/view.h>
+#include <dns/zone.h>
+#include <dns/zt.h>
+
+#include "dnstest.h"
+
+struct args {
+	void *arg1;
+	void *arg2;
+	bool arg3;
+};
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = dns_test_begin(NULL, true);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	dns_test_end();
+
+	return (0);
+}
+
+static isc_result_t
+count_zone(dns_zone_t *zone, void *uap) {
+	int *nzones = (int *)uap;
+
+	UNUSED(zone);
+
+	*nzones += 1;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+load_done(dns_zt_t *zt, dns_zone_t *zone, isc_task_t *task) {
+	/* We treat zt as a pointer to a boolean for testing purposes */
+	atomic_bool *done = (atomic_bool *)zt;
+
+	UNUSED(zone);
+	UNUSED(task);
+
+	atomic_store(done, true);
+	isc_app_shutdown();
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+all_done(void *arg) {
+	atomic_bool *done = (atomic_bool *)arg;
+
+	atomic_store(done, true);
+	isc_app_shutdown();
+	return (ISC_R_SUCCESS);
+}
+
+static void
+start_zt_asyncload(isc_task_t *task, isc_event_t *event) {
+	struct args *args = (struct args *)(event->ev_arg);
+
+	UNUSED(task);
+
+	dns_zt_asyncload(args->arg1, false, all_done, args->arg2);
+
+	isc_event_free(&event);
+}
+
+static void
+start_zone_asyncload(isc_task_t *task, isc_event_t *event) {
+	struct args *args = (struct args *)(event->ev_arg);
+
+	UNUSED(task);
+
+	dns_zone_asyncload(args->arg1, args->arg3, load_done, args->arg2);
+	isc_event_free(&event);
+}
+
+/* apply a function to a zone table */
+static void
+apply(void **state) {
+	isc_result_t result;
+	dns_zone_t *zone = NULL;
+	dns_view_t *view = NULL;
+	int nzones = 0;
+
+	UNUSED(state);
+
+	result = dns_test_makezone("foo", &zone, NULL, true);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	view = dns_zone_getview(zone);
+	assert_non_null(view->zonetable);
+
+	assert_int_equal(nzones, 0);
+	result = dns_zt_apply(view->zonetable, isc_rwlocktype_read, false, NULL,
+			      count_zone, &nzones);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(nzones, 1);
+
+	/* These steps are necessary so the zone can be detached properly */
+	result = dns_test_setupzonemgr();
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = dns_test_managezone(zone);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	dns_test_releasezone(zone);
+	dns_test_closezonemgr();
+
+	/* The view was left attached in dns_test_makezone() */
+	dns_view_detach(&view);
+	dns_zone_detach(&zone);
+}
+
+/* asynchronous zone load */
+static void
+asyncload_zone(void **state) {
+	isc_result_t result;
+	int n;
+	dns_zone_t *zone = NULL;
+	dns_view_t *view = NULL;
+	dns_db_t *db = NULL;
+	FILE *zonefile, *origfile;
+	char buf[4096];
+	atomic_bool done;
+	int i = 0;
+	struct args args;
+
+	UNUSED(state);
+
+	atomic_init(&done, false);
+
+	result = dns_test_makezone("foo", &zone, NULL, true);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = dns_test_setupzonemgr();
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = dns_test_managezone(zone);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	view = dns_zone_getview(zone);
+	assert_non_null(view->zonetable);
+
+	assert_false(dns__zone_loadpending(zone));
+	assert_false(atomic_load(&done));
+	zonefile = fopen("./zone.data", "wb");
+	assert_non_null(zonefile);
+	origfile = fopen("./testdata/zt/zone1.db", "r+b");
+	assert_non_null(origfile);
+	n = fread(buf, 1, 4096, origfile);
+	fclose(origfile);
+	fwrite(buf, 1, n, zonefile);
+	fflush(zonefile);
+
+	dns_zone_setfile(zone, "./zone.data", dns_masterformat_text,
+			 &dns_master_style_default);
+
+	args.arg1 = zone;
+	args.arg2 = &done;
+	args.arg3 = false;
+	isc_app_onrun(dt_mctx, maintask, start_zone_asyncload, &args);
+
+	isc_app_run();
+	while (dns__zone_loadpending(zone) && i++ < 5000) {
+		dns_test_nap(1000);
+	}
+	assert_true(atomic_load(&done));
+	/* The zone should now be loaded; test it */
+	result = dns_zone_getdb(zone, &db);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	dns_db_detach(&db);
+	/*
+	 * Add something to zone file, reload zone with newonly - it should
+	 * not be reloaded.
+	 */
+	fprintf(zonefile, "\nb in b 1.2.3.4\n");
+	fflush(zonefile);
+	fclose(zonefile);
+
+	args.arg1 = zone;
+	args.arg2 = &done;
+	args.arg3 = true;
+	isc_app_onrun(dt_mctx, maintask, start_zone_asyncload, &args);
+
+	isc_app_run();
+
+	while (dns__zone_loadpending(zone) && i++ < 5000) {
+		dns_test_nap(1000);
+	}
+	assert_true(atomic_load(&done));
+	/* The zone should now be loaded; test it */
+	result = dns_zone_getdb(zone, &db);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	dns_db_detach(&db);
+
+	/* Now reload it without newonly - it should be reloaded */
+	args.arg1 = zone;
+	args.arg2 = &done;
+	args.arg3 = false;
+	isc_app_onrun(dt_mctx, maintask, start_zone_asyncload, &args);
+
+	isc_app_run();
+
+	while (dns__zone_loadpending(zone) && i++ < 5000) {
+		dns_test_nap(1000);
+	}
+	assert_true(atomic_load(&done));
+	/* The zone should now be loaded; test it */
+	result = dns_zone_getdb(zone, &db);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	assert_non_null(db);
+	if (db != NULL) {
+		dns_db_detach(&db);
+	}
+
+	dns_test_releasezone(zone);
+	dns_test_closezonemgr();
+
+	dns_zone_detach(&zone);
+	dns_view_detach(&view);
+}
+
+/* asynchronous zone table load */
+static void
+asyncload_zt(void **state) {
+	isc_result_t result;
+	dns_zone_t *zone1 = NULL, *zone2 = NULL, *zone3 = NULL;
+	dns_view_t *view;
+	dns_zt_t *zt = NULL;
+	dns_db_t *db = NULL;
+	atomic_bool done;
+	int i = 0;
+	struct args args;
+
+	UNUSED(state);
+
+	atomic_init(&done, false);
+
+	result = dns_test_makezone("foo", &zone1, NULL, true);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	dns_zone_setfile(zone1, "testdata/zt/zone1.db", dns_masterformat_text,
+			 &dns_master_style_default);
+	view = dns_zone_getview(zone1);
+
+	result = dns_test_makezone("bar", &zone2, view, false);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	dns_zone_setfile(zone2, "testdata/zt/zone1.db", dns_masterformat_text,
+			 &dns_master_style_default);
+
+	/* This one will fail to load */
+	result = dns_test_makezone("fake", &zone3, view, false);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	dns_zone_setfile(zone3, "testdata/zt/nonexistent.db",
+			 dns_masterformat_text, &dns_master_style_default);
+
+	zt = view->zonetable;
+	assert_non_null(zt);
+
+	result = dns_test_setupzonemgr();
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = dns_test_managezone(zone1);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = dns_test_managezone(zone2);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = dns_test_managezone(zone3);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	assert_false(dns__zone_loadpending(zone1));
+	assert_false(dns__zone_loadpending(zone2));
+	assert_false(atomic_load(&done));
+
+	args.arg1 = zt;
+	args.arg2 = &done;
+	isc_app_onrun(dt_mctx, maintask, start_zt_asyncload, &args);
+
+	isc_app_run();
+	while (!atomic_load(&done) && i++ < 5000) {
+		dns_test_nap(1000);
+	}
+	assert_true(atomic_load(&done));
+
+	/* Both zones should now be loaded; test them */
+	result = dns_zone_getdb(zone1, &db);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_non_null(db);
+	if (db != NULL) {
+		dns_db_detach(&db);
+	}
+
+	result = dns_zone_getdb(zone2, &db);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_non_null(db);
+	if (db != NULL) {
+		dns_db_detach(&db);
+	}
+
+	dns_test_releasezone(zone3);
+	dns_test_releasezone(zone2);
+	dns_test_releasezone(zone1);
+	dns_test_closezonemgr();
+
+	dns_zone_detach(&zone1);
+	dns_zone_detach(&zone2);
+	dns_zone_detach(&zone3);
+	dns_view_detach(&view);
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test_setup_teardown(apply, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(asyncload_zone, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(asyncload_zt, _setup,
+						_teardown),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/dns/time.c b/lib/dns/time.c
new file mode 100644
index 0000000..8564a95
--- /dev/null
+++ b/lib/dns/time.c
@@ -0,0 +1,216 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <ctype.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <time.h>
+
+#include <isc/print.h>
+#include <isc/region.h>
+#include <isc/serial.h>
+#include <isc/stdtime.h>
+#include <isc/string.h> /* Required for HP/UX (and others?) */
+#include <isc/util.h>
+
+#include <dns/result.h>
+#include <dns/time.h>
+
+static const int days[12] = { 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 };
+
+isc_result_t
+dns_time64_totext(int64_t t, isc_buffer_t *target) {
+	struct tm tm;
+	char buf[sizeof("!!!!!!YYYY!!!!!!!!MM!!!!!!!!DD!!!!!!!!HH!!!!!!!!MM!!!!"
+			"!!!!SS")];
+	int secs;
+	unsigned int l;
+	isc_region_t region;
+
+/*
+ * Warning. Do NOT use arguments with side effects with these macros.
+ */
+#define is_leap(y)	 ((((y) % 4) == 0 && ((y) % 100) != 0) || ((y) % 400) == 0)
+#define year_secs(y)	 ((is_leap(y) ? 366 : 365) * 86400)
+#define month_secs(m, y) ((days[m] + ((m == 1 && is_leap(y)) ? 1 : 0)) * 86400)
+
+	tm.tm_year = 70;
+	while (t < 0) {
+		if (tm.tm_year == 0) {
+			return (ISC_R_RANGE);
+		}
+		tm.tm_year--;
+		secs = year_secs(tm.tm_year + 1900);
+		t += secs;
+	}
+	while ((secs = year_secs(tm.tm_year + 1900)) <= t) {
+		t -= secs;
+		tm.tm_year++;
+		if (tm.tm_year + 1900 > 9999) {
+			return (ISC_R_RANGE);
+		}
+	}
+	tm.tm_mon = 0;
+	while ((secs = month_secs(tm.tm_mon, tm.tm_year + 1900)) <= t) {
+		t -= secs;
+		tm.tm_mon++;
+	}
+	tm.tm_mday = 1;
+	while (86400 <= t) {
+		t -= 86400;
+		tm.tm_mday++;
+	}
+	tm.tm_hour = 0;
+	while (3600 <= t) {
+		t -= 3600;
+		tm.tm_hour++;
+	}
+	tm.tm_min = 0;
+	while (60 <= t) {
+		t -= 60;
+		tm.tm_min++;
+	}
+	tm.tm_sec = (int)t;
+	/* yyyy  mm  dd  HH  MM  SS */
+	snprintf(buf, sizeof(buf), "%04d%02d%02d%02d%02d%02d",
+		 tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, tm.tm_hour,
+		 tm.tm_min, tm.tm_sec);
+
+	isc_buffer_availableregion(target, &region);
+	l = strlen(buf);
+
+	if (l > region.length) {
+		return (ISC_R_NOSPACE);
+	}
+
+	memmove(region.base, buf, l);
+	isc_buffer_add(target, l);
+	return (ISC_R_SUCCESS);
+}
+
+int64_t
+dns_time64_from32(uint32_t value) {
+	isc_stdtime_t now;
+	int64_t start;
+	int64_t t;
+
+	/*
+	 * Adjust the time to the closest epoch.  This should be changed
+	 * to use a 64-bit counterpart to isc_stdtime_get() if one ever
+	 * is defined, but even the current code is good until the year
+	 * 2106.
+	 */
+	isc_stdtime_get(&now);
+	start = (int64_t)now;
+	if (isc_serial_gt(value, now)) {
+		t = start + (value - now);
+	} else {
+		t = start - (now - value);
+	}
+
+	return (t);
+}
+
+isc_result_t
+dns_time32_totext(uint32_t value, isc_buffer_t *target) {
+	return (dns_time64_totext(dns_time64_from32(value), target));
+}
+
+isc_result_t
+dns_time64_fromtext(const char *source, int64_t *target) {
+	int year, month, day, hour, minute, second;
+	int64_t value;
+	int secs;
+	int i;
+
+#define RANGE(min, max, value)                      \
+	do {                                        \
+		if (value < (min) || value > (max)) \
+			return ((ISC_R_RANGE));     \
+	} while (0)
+
+	if (strlen(source) != 14U) {
+		return (DNS_R_SYNTAX);
+	}
+	/*
+	 * Confirm the source only consists digits.  sscanf() allows some
+	 * minor exceptions.
+	 */
+	for (i = 0; i < 14; i++) {
+		if (!isdigit((unsigned char)source[i])) {
+			return (DNS_R_SYNTAX);
+		}
+	}
+	if (sscanf(source, "%4d%2d%2d%2d%2d%2d", &year, &month, &day, &hour,
+		   &minute, &second) != 6)
+	{
+		return (DNS_R_SYNTAX);
+	}
+
+	RANGE(0, 9999, year);
+	RANGE(1, 12, month);
+	RANGE(1, days[month - 1] + ((month == 2 && is_leap(year)) ? 1 : 0),
+	      day);
+#ifdef __COVERITY__
+	/*
+	 * Use a simplified range to silence Coverity warning (in
+	 * arithmetic with day below).
+	 */
+	RANGE(1, 31, day);
+#endif /* __COVERITY__ */
+
+	RANGE(0, 23, hour);
+	RANGE(0, 59, minute);
+	RANGE(0, 60, second); /* 60 == leap second. */
+
+	/*
+	 * Calculate seconds from epoch.
+	 * Note: this uses a idealized calendar.
+	 */
+	value = second + (60 * minute) + (3600 * hour) + ((day - 1) * 86400);
+	for (i = 0; i < (month - 1); i++) {
+		value += days[i] * 86400;
+	}
+	if (is_leap(year) && month > 2) {
+		value += 86400;
+	}
+	if (year < 1970) {
+		for (i = 1969; i >= year; i--) {
+			secs = (is_leap(i) ? 366 : 365) * 86400;
+			value -= secs;
+		}
+	} else {
+		for (i = 1970; i < year; i++) {
+			secs = (is_leap(i) ? 366 : 365) * 86400;
+			value += secs;
+		}
+	}
+
+	*target = value;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_time32_fromtext(const char *source, uint32_t *target) {
+	int64_t value64;
+	isc_result_t result;
+	result = dns_time64_fromtext(source, &value64);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	*target = (uint32_t)value64;
+
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/dns/timer.c b/lib/dns/timer.c
new file mode 100644
index 0000000..ef2895d
--- /dev/null
+++ b/lib/dns/timer.c
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <stdbool.h>
+
+#include <isc/result.h>
+#include <isc/time.h>
+#include <isc/timer.h>
+
+#include <dns/timer.h>
+#include <dns/types.h>
+
+#define CHECK(op)                            \
+	do {                                 \
+		result = (op);               \
+		if (result != ISC_R_SUCCESS) \
+			goto failure;        \
+	} while (0)
+
+isc_result_t
+dns_timer_setidle(isc_timer_t *timer, unsigned int maxtime,
+		  unsigned int idletime, bool purge) {
+	isc_result_t result;
+	isc_interval_t maxinterval, idleinterval;
+	isc_time_t expires;
+
+	/* Compute the time of expiry. */
+	isc_interval_set(&maxinterval, maxtime, 0);
+	CHECK(isc_time_nowplusinterval(&expires, &maxinterval));
+
+	/*
+	 * Compute the idle interval, and add a spare nanosecond to
+	 * work around the silly limitation of the ISC timer interface
+	 * that you cannot specify an idle interval of zero.
+	 */
+	isc_interval_set(&idleinterval, idletime, 1);
+
+	CHECK(isc_timer_reset(timer, isc_timertype_once, &expires,
+			      &idleinterval, purge));
+failure:
+	return (result);
+}
diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c
new file mode 100644
index 0000000..d91ed31
--- /dev/null
+++ b/lib/dns/tkey.c
@@ -0,0 +1,1604 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/buffer.h>
+#include <isc/md.h>
+#include <isc/mem.h>
+#include <isc/nonce.h>
+#include <isc/print.h>
+#include <isc/random.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <pk11/site.h>
+
+#include <dns/dnssec.h>
+#include <dns/fixedname.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/message.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/result.h>
+#include <dns/tkey.h>
+#include <dns/tsig.h>
+
+#include <dst/dst.h>
+#include <dst/gssapi.h>
+
+#include "dst_internal.h"
+
+#define TEMP_BUFFER_SZ	   8192
+#define TKEY_RANDOM_AMOUNT 16
+
+#if USE_PKCS11
+#include <pk11/pk11.h>
+#endif /* if USE_PKCS11 */
+
+#define RETERR(x)                            \
+	do {                                 \
+		result = (x);                \
+		if (result != ISC_R_SUCCESS) \
+			goto failure;        \
+	} while (0)
+
+static void
+tkey_log(const char *fmt, ...) ISC_FORMAT_PRINTF(1, 2);
+
+static void
+tkey_log(const char *fmt, ...) {
+	va_list ap;
+
+	va_start(ap, fmt);
+	isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_REQUEST,
+		       ISC_LOG_DEBUG(4), fmt, ap);
+	va_end(ap);
+}
+
+static void
+dumpmessage(dns_message_t *msg) {
+	isc_buffer_t outbuf;
+	unsigned char *output;
+	int len = TEMP_BUFFER_SZ;
+	isc_result_t result;
+
+	for (;;) {
+		output = isc_mem_get(msg->mctx, len);
+
+		isc_buffer_init(&outbuf, output, len);
+		result = dns_message_totext(msg, &dns_master_style_debug, 0,
+					    &outbuf);
+		if (result == ISC_R_NOSPACE) {
+			isc_mem_put(msg->mctx, output, len);
+			len *= 2;
+			continue;
+		}
+
+		if (result == ISC_R_SUCCESS) {
+			tkey_log("%.*s", (int)isc_buffer_usedlength(&outbuf),
+				 (char *)isc_buffer_base(&outbuf));
+		} else {
+			tkey_log("Warning: dns_message_totext: %s",
+				 dns_result_totext(result));
+		}
+		break;
+	}
+
+	if (output != NULL) {
+		isc_mem_put(msg->mctx, output, len);
+	}
+}
+
+isc_result_t
+dns_tkeyctx_create(isc_mem_t *mctx, dns_tkeyctx_t **tctxp) {
+	dns_tkeyctx_t *tctx;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(tctxp != NULL && *tctxp == NULL);
+
+	tctx = isc_mem_get(mctx, sizeof(dns_tkeyctx_t));
+	tctx->mctx = NULL;
+	isc_mem_attach(mctx, &tctx->mctx);
+	tctx->dhkey = NULL;
+	tctx->domain = NULL;
+	tctx->gsscred = NULL;
+	tctx->gssapi_keytab = NULL;
+
+	*tctxp = tctx;
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_tkeyctx_destroy(dns_tkeyctx_t **tctxp) {
+	isc_mem_t *mctx;
+	dns_tkeyctx_t *tctx;
+
+	REQUIRE(tctxp != NULL && *tctxp != NULL);
+
+	tctx = *tctxp;
+	*tctxp = NULL;
+	mctx = tctx->mctx;
+
+	if (tctx->dhkey != NULL) {
+		dst_key_free(&tctx->dhkey);
+	}
+	if (tctx->domain != NULL) {
+		if (dns_name_dynamic(tctx->domain)) {
+			dns_name_free(tctx->domain, mctx);
+		}
+		isc_mem_put(mctx, tctx->domain, sizeof(dns_name_t));
+	}
+	if (tctx->gssapi_keytab != NULL) {
+		isc_mem_free(mctx, tctx->gssapi_keytab);
+	}
+	if (tctx->gsscred != NULL) {
+		dst_gssapi_releasecred(&tctx->gsscred);
+	}
+	isc_mem_putanddetach(&mctx, tctx, sizeof(dns_tkeyctx_t));
+}
+
+static isc_result_t
+add_rdata_to_list(dns_message_t *msg, dns_name_t *name, dns_rdata_t *rdata,
+		  uint32_t ttl, dns_namelist_t *namelist) {
+	isc_result_t result;
+	isc_region_t r, newr;
+	dns_rdata_t *newrdata = NULL;
+	dns_name_t *newname = NULL;
+	dns_rdatalist_t *newlist = NULL;
+	dns_rdataset_t *newset = NULL;
+	isc_buffer_t *tmprdatabuf = NULL;
+
+	RETERR(dns_message_gettemprdata(msg, &newrdata));
+
+	dns_rdata_toregion(rdata, &r);
+	isc_buffer_allocate(msg->mctx, &tmprdatabuf, r.length);
+	isc_buffer_availableregion(tmprdatabuf, &newr);
+	memmove(newr.base, r.base, r.length);
+	dns_rdata_fromregion(newrdata, rdata->rdclass, rdata->type, &newr);
+	dns_message_takebuffer(msg, &tmprdatabuf);
+
+	RETERR(dns_message_gettempname(msg, &newname));
+	dns_name_copynf(name, newname);
+
+	RETERR(dns_message_gettemprdatalist(msg, &newlist));
+	newlist->rdclass = newrdata->rdclass;
+	newlist->type = newrdata->type;
+	newlist->ttl = ttl;
+	ISC_LIST_APPEND(newlist->rdata, newrdata, link);
+
+	RETERR(dns_message_gettemprdataset(msg, &newset));
+	RETERR(dns_rdatalist_tordataset(newlist, newset));
+
+	ISC_LIST_INIT(newname->list);
+	ISC_LIST_APPEND(newname->list, newset, link);
+
+	ISC_LIST_APPEND(*namelist, newname, link);
+
+	return (ISC_R_SUCCESS);
+
+failure:
+	if (newrdata != NULL) {
+		if (ISC_LINK_LINKED(newrdata, link)) {
+			INSIST(newlist != NULL);
+			ISC_LIST_UNLINK(newlist->rdata, newrdata, link);
+		}
+		dns_message_puttemprdata(msg, &newrdata);
+	}
+	if (newname != NULL) {
+		dns_message_puttempname(msg, &newname);
+	}
+	if (newset != NULL) {
+		dns_rdataset_disassociate(newset);
+		dns_message_puttemprdataset(msg, &newset);
+	}
+	if (newlist != NULL) {
+		dns_message_puttemprdatalist(msg, &newlist);
+	}
+	return (result);
+}
+
+static void
+free_namelist(dns_message_t *msg, dns_namelist_t *namelist) {
+	dns_name_t *name;
+	dns_rdataset_t *set;
+
+	while (!ISC_LIST_EMPTY(*namelist)) {
+		name = ISC_LIST_HEAD(*namelist);
+		ISC_LIST_UNLINK(*namelist, name, link);
+		while (!ISC_LIST_EMPTY(name->list)) {
+			set = ISC_LIST_HEAD(name->list);
+			ISC_LIST_UNLINK(name->list, set, link);
+			if (dns_rdataset_isassociated(set)) {
+				dns_rdataset_disassociate(set);
+			}
+			dns_message_puttemprdataset(msg, &set);
+		}
+		dns_message_puttempname(msg, &name);
+	}
+}
+
+static isc_result_t
+compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness,
+	       isc_region_t *serverrandomness, isc_buffer_t *secret) {
+	isc_md_t *md;
+	isc_region_t r, r2;
+	unsigned char digests[ISC_MAX_MD_SIZE * 2];
+	unsigned char *digest1, *digest2;
+	unsigned int digestslen, digestlen1 = 0, digestlen2 = 0;
+	unsigned int i;
+	isc_result_t result;
+
+	isc_buffer_usedregion(shared, &r);
+
+	md = isc_md_new();
+	if (md == NULL) {
+		return (ISC_R_NOSPACE);
+	}
+
+	/*
+	 * MD5 ( query data | DH value ).
+	 */
+	digest1 = digests;
+
+	result = isc_md_init(md, ISC_MD_MD5);
+	if (result != ISC_R_SUCCESS) {
+		goto end;
+	}
+
+	result = isc_md_update(md, queryrandomness->base,
+			       queryrandomness->length);
+	if (result != ISC_R_SUCCESS) {
+		goto end;
+	}
+
+	result = isc_md_update(md, r.base, r.length);
+	if (result != ISC_R_SUCCESS) {
+		goto end;
+	}
+
+	result = isc_md_final(md, digest1, &digestlen1);
+	if (result != ISC_R_SUCCESS) {
+		goto end;
+	}
+
+	result = isc_md_reset(md);
+	if (result != ISC_R_SUCCESS) {
+		goto end;
+	}
+
+	/*
+	 * MD5 ( server data | DH value ).
+	 */
+	digest2 = digests + digestlen1;
+
+	result = isc_md_init(md, ISC_MD_MD5);
+	if (result != ISC_R_SUCCESS) {
+		goto end;
+	}
+
+	result = isc_md_update(md, serverrandomness->base,
+			       serverrandomness->length);
+	if (result != ISC_R_SUCCESS) {
+		goto end;
+	}
+
+	result = isc_md_update(md, r.base, r.length);
+	if (result != ISC_R_SUCCESS) {
+		goto end;
+	}
+
+	result = isc_md_final(md, digest2, &digestlen2);
+	if (result != ISC_R_SUCCESS) {
+		goto end;
+	}
+
+	isc_md_free(md);
+	md = NULL;
+
+	digestslen = digestlen1 + digestlen2;
+
+	/*
+	 * XOR ( DH value, MD5-1 | MD5-2).
+	 */
+	isc_buffer_availableregion(secret, &r);
+	isc_buffer_usedregion(shared, &r2);
+	if (r.length < digestslen || r.length < r2.length) {
+		return (ISC_R_NOSPACE);
+	}
+	if (r2.length > digestslen) {
+		memmove(r.base, r2.base, r2.length);
+		for (i = 0; i < digestslen; i++) {
+			r.base[i] ^= digests[i];
+		}
+		isc_buffer_add(secret, r2.length);
+	} else {
+		memmove(r.base, digests, digestslen);
+		for (i = 0; i < r2.length; i++) {
+			r.base[i] ^= r2.base[i];
+		}
+		isc_buffer_add(secret, digestslen);
+	}
+	result = ISC_R_SUCCESS;
+end:
+	if (md != NULL) {
+		isc_md_free(md);
+	}
+	return (result);
+}
+
+static isc_result_t
+process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
+	       dns_rdata_tkey_t *tkeyin, dns_tkeyctx_t *tctx,
+	       dns_rdata_tkey_t *tkeyout, dns_tsig_keyring_t *ring,
+	       dns_namelist_t *namelist) {
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_name_t *keyname, ourname;
+	dns_rdataset_t *keyset = NULL;
+	dns_rdata_t keyrdata = DNS_RDATA_INIT, ourkeyrdata = DNS_RDATA_INIT;
+	bool found_key = false, found_incompatible = false;
+	dst_key_t *pubkey = NULL;
+	isc_buffer_t ourkeybuf, *shared = NULL;
+	isc_region_t r, r2, ourkeyr;
+	unsigned char keydata[DST_KEY_MAXSIZE];
+	unsigned int sharedsize;
+	isc_buffer_t secret;
+	unsigned char *randomdata = NULL, secretdata[256];
+	dns_ttl_t ttl = 0;
+
+	if (tctx->dhkey == NULL) {
+		tkey_log("process_dhtkey: tkey-dhkey not defined");
+		tkeyout->error = dns_tsigerror_badalg;
+		return (DNS_R_REFUSED);
+	}
+
+	if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_HMACMD5_NAME)) {
+		tkey_log("process_dhtkey: algorithms other than "
+			 "hmac-md5 are not supported");
+		tkeyout->error = dns_tsigerror_badalg;
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * Look for a DH KEY record that will work with ours.
+	 */
+	for (result = dns_message_firstname(msg, DNS_SECTION_ADDITIONAL);
+	     result == ISC_R_SUCCESS && !found_key;
+	     result = dns_message_nextname(msg, DNS_SECTION_ADDITIONAL))
+	{
+		keyname = NULL;
+		dns_message_currentname(msg, DNS_SECTION_ADDITIONAL, &keyname);
+		keyset = NULL;
+		result = dns_message_findtype(keyname, dns_rdatatype_key, 0,
+					      &keyset);
+		if (result != ISC_R_SUCCESS) {
+			continue;
+		}
+
+		for (result = dns_rdataset_first(keyset);
+		     result == ISC_R_SUCCESS && !found_key;
+		     result = dns_rdataset_next(keyset))
+		{
+			dns_rdataset_current(keyset, &keyrdata);
+			pubkey = NULL;
+			result = dns_dnssec_keyfromrdata(keyname, &keyrdata,
+							 msg->mctx, &pubkey);
+			if (result != ISC_R_SUCCESS) {
+				dns_rdata_reset(&keyrdata);
+				continue;
+			}
+			if (dst_key_alg(pubkey) == DNS_KEYALG_DH) {
+				if (dst_key_paramcompare(pubkey, tctx->dhkey)) {
+					found_key = true;
+					ttl = keyset->ttl;
+					break;
+				} else {
+					found_incompatible = true;
+				}
+			}
+			dst_key_free(&pubkey);
+			dns_rdata_reset(&keyrdata);
+		}
+	}
+
+	if (!found_key) {
+		if (found_incompatible) {
+			tkey_log("process_dhtkey: found an incompatible key");
+			tkeyout->error = dns_tsigerror_badkey;
+			return (ISC_R_SUCCESS);
+		} else {
+			tkey_log("process_dhtkey: failed to find a key");
+			return (DNS_R_FORMERR);
+		}
+	}
+
+	RETERR(add_rdata_to_list(msg, keyname, &keyrdata, ttl, namelist));
+
+	isc_buffer_init(&ourkeybuf, keydata, sizeof(keydata));
+	RETERR(dst_key_todns(tctx->dhkey, &ourkeybuf));
+	isc_buffer_usedregion(&ourkeybuf, &ourkeyr);
+	dns_rdata_fromregion(&ourkeyrdata, dns_rdataclass_any,
+			     dns_rdatatype_key, &ourkeyr);
+
+	dns_name_init(&ourname, NULL);
+	dns_name_clone(dst_key_name(tctx->dhkey), &ourname);
+
+	/*
+	 * XXXBEW The TTL should be obtained from the database, if it exists.
+	 */
+	RETERR(add_rdata_to_list(msg, &ourname, &ourkeyrdata, 0, namelist));
+
+	RETERR(dst_key_secretsize(tctx->dhkey, &sharedsize));
+	isc_buffer_allocate(msg->mctx, &shared, sharedsize);
+
+	result = dst_key_computesecret(pubkey, tctx->dhkey, shared);
+	if (result != ISC_R_SUCCESS) {
+		tkey_log("process_dhtkey: failed to compute shared secret: %s",
+			 isc_result_totext(result));
+		goto failure;
+	}
+	dst_key_free(&pubkey);
+
+	isc_buffer_init(&secret, secretdata, sizeof(secretdata));
+
+	randomdata = isc_mem_get(tkeyout->mctx, TKEY_RANDOM_AMOUNT);
+
+	isc_nonce_buf(randomdata, TKEY_RANDOM_AMOUNT);
+
+	r.base = randomdata;
+	r.length = TKEY_RANDOM_AMOUNT;
+	r2.base = tkeyin->key;
+	r2.length = tkeyin->keylen;
+	RETERR(compute_secret(shared, &r2, &r, &secret));
+	isc_buffer_free(&shared);
+
+	RETERR(dns_tsigkey_create(
+		name, &tkeyin->algorithm, isc_buffer_base(&secret),
+		isc_buffer_usedlength(&secret), true, signer, tkeyin->inception,
+		tkeyin->expire, ring->mctx, ring, NULL));
+
+	/* This key is good for a long time */
+	tkeyout->inception = tkeyin->inception;
+	tkeyout->expire = tkeyin->expire;
+
+	tkeyout->key = randomdata;
+	tkeyout->keylen = TKEY_RANDOM_AMOUNT;
+
+	return (ISC_R_SUCCESS);
+
+failure:
+	if (!ISC_LIST_EMPTY(*namelist)) {
+		free_namelist(msg, namelist);
+	}
+	if (shared != NULL) {
+		isc_buffer_free(&shared);
+	}
+	if (pubkey != NULL) {
+		dst_key_free(&pubkey);
+	}
+	if (randomdata != NULL) {
+		isc_mem_put(tkeyout->mctx, randomdata, TKEY_RANDOM_AMOUNT);
+	}
+	return (result);
+}
+
+static isc_result_t
+process_gsstkey(dns_message_t *msg, dns_name_t *name, dns_rdata_tkey_t *tkeyin,
+		dns_tkeyctx_t *tctx, dns_rdata_tkey_t *tkeyout,
+		dns_tsig_keyring_t *ring) {
+	isc_result_t result = ISC_R_SUCCESS;
+	dst_key_t *dstkey = NULL;
+	dns_tsigkey_t *tsigkey = NULL;
+	dns_fixedname_t fixed;
+	dns_name_t *principal;
+	isc_stdtime_t now;
+	isc_region_t intoken;
+	isc_buffer_t *outtoken = NULL;
+	dns_gss_ctx_id_t gss_ctx = NULL;
+
+	/*
+	 * You have to define either a gss credential (principal) to
+	 * accept with tkey-gssapi-credential, or you have to
+	 * configure a specific keytab (with tkey-gssapi-keytab) in
+	 * order to use gsstkey.
+	 */
+	if (tctx->gsscred == NULL && tctx->gssapi_keytab == NULL) {
+		tkey_log("process_gsstkey(): no tkey-gssapi-credential "
+			 "or tkey-gssapi-keytab configured");
+		return (ISC_R_NOPERM);
+	}
+
+	if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_GSSAPI_NAME) &&
+	    !dns_name_equal(&tkeyin->algorithm, DNS_TSIG_GSSAPIMS_NAME))
+	{
+		tkeyout->error = dns_tsigerror_badalg;
+		tkey_log("process_gsstkey(): dns_tsigerror_badalg"); /* XXXSRA
+								      */
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * XXXDCL need to check for key expiry per 4.1.1
+	 * XXXDCL need a way to check fully established, perhaps w/key_flags
+	 */
+
+	intoken.base = tkeyin->key;
+	intoken.length = tkeyin->keylen;
+
+	result = dns_tsigkey_find(&tsigkey, name, &tkeyin->algorithm, ring);
+	if (result == ISC_R_SUCCESS) {
+		gss_ctx = dst_key_getgssctx(tsigkey->key);
+	}
+
+	principal = dns_fixedname_initname(&fixed);
+
+	/*
+	 * Note that tctx->gsscred may be NULL if tctx->gssapi_keytab is set
+	 */
+	result = dst_gssapi_acceptctx(tctx->gsscred, tctx->gssapi_keytab,
+				      &intoken, &outtoken, &gss_ctx, principal,
+				      tctx->mctx);
+	if (result == DNS_R_INVALIDTKEY) {
+		if (tsigkey != NULL) {
+			dns_tsigkey_detach(&tsigkey);
+		}
+		tkeyout->error = dns_tsigerror_badkey;
+		tkey_log("process_gsstkey(): dns_tsigerror_badkey"); /* XXXSRA
+								      */
+		return (ISC_R_SUCCESS);
+	}
+	if (result != DNS_R_CONTINUE && result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+	/*
+	 * XXXDCL Section 4.1.3: Limit GSS_S_CONTINUE_NEEDED to 10 times.
+	 */
+
+	isc_stdtime_get(&now);
+
+	if (dns_name_countlabels(principal) == 0U) {
+		if (tsigkey != NULL) {
+			dns_tsigkey_detach(&tsigkey);
+		}
+	} else if (tsigkey == NULL) {
+#ifdef GSSAPI
+		OM_uint32 gret, minor, lifetime;
+#endif /* ifdef GSSAPI */
+		uint32_t expire;
+
+		RETERR(dst_key_fromgssapi(name, gss_ctx, ring->mctx, &dstkey,
+					  &intoken));
+		/*
+		 * Limit keys to 1 hour or the context's lifetime whichever
+		 * is smaller.
+		 */
+		expire = now + 3600;
+#ifdef GSSAPI
+		gret = gss_context_time(&minor, gss_ctx, &lifetime);
+		if (gret == GSS_S_COMPLETE && now + lifetime < expire) {
+			expire = now + lifetime;
+		}
+#endif /* ifdef GSSAPI */
+		RETERR(dns_tsigkey_createfromkey(
+			name, &tkeyin->algorithm, dstkey, true, principal, now,
+			expire, ring->mctx, ring, &tsigkey));
+		dst_key_free(&dstkey);
+		tkeyout->inception = now;
+		tkeyout->expire = expire;
+	} else {
+		tkeyout->inception = tsigkey->inception;
+		tkeyout->expire = tsigkey->expire;
+	}
+
+	if (outtoken) {
+		tkeyout->key = isc_mem_get(tkeyout->mctx,
+					   isc_buffer_usedlength(outtoken));
+		tkeyout->keylen = isc_buffer_usedlength(outtoken);
+		memmove(tkeyout->key, isc_buffer_base(outtoken),
+			isc_buffer_usedlength(outtoken));
+		isc_buffer_free(&outtoken);
+	} else {
+		tkeyout->key = isc_mem_get(tkeyout->mctx, tkeyin->keylen);
+		tkeyout->keylen = tkeyin->keylen;
+		memmove(tkeyout->key, tkeyin->key, tkeyin->keylen);
+	}
+
+	tkeyout->error = dns_rcode_noerror;
+
+	tkey_log("process_gsstkey(): dns_tsigerror_noerror"); /* XXXSRA */
+
+	/*
+	 * We found a TKEY to respond with.  If the request is not TSIG signed,
+	 * we need to make sure the response is signed (see RFC 3645, Section
+	 * 2.2).
+	 */
+	if (tsigkey != NULL) {
+		if (msg->tsigkey == NULL && msg->sig0key == NULL) {
+			dns_message_settsigkey(msg, tsigkey);
+		}
+		dns_tsigkey_detach(&tsigkey);
+	}
+
+	return (ISC_R_SUCCESS);
+
+failure:
+	if (tsigkey != NULL) {
+		dns_tsigkey_detach(&tsigkey);
+	}
+
+	if (dstkey != NULL) {
+		dst_key_free(&dstkey);
+	}
+
+	if (outtoken != NULL) {
+		isc_buffer_free(&outtoken);
+	}
+
+	tkey_log("process_gsstkey(): %s", isc_result_totext(result)); /* XXXSRA
+								       */
+
+	return (result);
+}
+
+static isc_result_t
+process_deletetkey(dns_name_t *signer, dns_name_t *name,
+		   dns_rdata_tkey_t *tkeyin, dns_rdata_tkey_t *tkeyout,
+		   dns_tsig_keyring_t *ring) {
+	isc_result_t result;
+	dns_tsigkey_t *tsigkey = NULL;
+	const dns_name_t *identity;
+
+	result = dns_tsigkey_find(&tsigkey, name, &tkeyin->algorithm, ring);
+	if (result != ISC_R_SUCCESS) {
+		tkeyout->error = dns_tsigerror_badname;
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * Only allow a delete if the identity that created the key is the
+	 * same as the identity that signed the message.
+	 */
+	identity = dns_tsigkey_identity(tsigkey);
+	if (identity == NULL || !dns_name_equal(identity, signer)) {
+		dns_tsigkey_detach(&tsigkey);
+		return (DNS_R_REFUSED);
+	}
+
+	/*
+	 * Set the key to be deleted when no references are left.  If the key
+	 * was not generated with TKEY and is in the config file, it may be
+	 * reloaded later.
+	 */
+	dns_tsigkey_setdeleted(tsigkey);
+
+	/* Release the reference */
+	dns_tsigkey_detach(&tsigkey);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
+		      dns_tsig_keyring_t *ring) {
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_rdata_tkey_t tkeyin, tkeyout;
+	bool freetkeyin = false;
+	dns_name_t *qname, *name, *keyname, *signer, tsigner;
+	dns_fixedname_t fkeyname;
+	dns_rdataset_t *tkeyset;
+	dns_rdata_t rdata;
+	dns_namelist_t namelist;
+	char tkeyoutdata[512];
+	isc_buffer_t tkeyoutbuf;
+
+	REQUIRE(msg != NULL);
+	REQUIRE(tctx != NULL);
+	REQUIRE(ring != NULL);
+
+	ISC_LIST_INIT(namelist);
+
+	/*
+	 * Interpret the question section.
+	 */
+	result = dns_message_firstname(msg, DNS_SECTION_QUESTION);
+	if (result != ISC_R_SUCCESS) {
+		return (DNS_R_FORMERR);
+	}
+
+	qname = NULL;
+	dns_message_currentname(msg, DNS_SECTION_QUESTION, &qname);
+
+	/*
+	 * Look for a TKEY record that matches the question.
+	 */
+	tkeyset = NULL;
+	name = NULL;
+	result = dns_message_findname(msg, DNS_SECTION_ADDITIONAL, qname,
+				      dns_rdatatype_tkey, 0, &name, &tkeyset);
+	if (result != ISC_R_SUCCESS) {
+		/*
+		 * Try the answer section, since that's where Win2000
+		 * puts it.
+		 */
+		name = NULL;
+		if (dns_message_findname(msg, DNS_SECTION_ANSWER, qname,
+					 dns_rdatatype_tkey, 0, &name,
+					 &tkeyset) != ISC_R_SUCCESS)
+		{
+			result = DNS_R_FORMERR;
+			tkey_log("dns_tkey_processquery: couldn't find a TKEY "
+				 "matching the question");
+			goto failure;
+		}
+	}
+	result = dns_rdataset_first(tkeyset);
+	if (result != ISC_R_SUCCESS) {
+		result = DNS_R_FORMERR;
+		goto failure;
+	}
+	dns_rdata_init(&rdata);
+	dns_rdataset_current(tkeyset, &rdata);
+
+	RETERR(dns_rdata_tostruct(&rdata, &tkeyin, NULL));
+	freetkeyin = true;
+
+	if (tkeyin.error != dns_rcode_noerror) {
+		result = DNS_R_FORMERR;
+		goto failure;
+	}
+
+	/*
+	 * Before we go any farther, verify that the message was signed.
+	 * GSSAPI TKEY doesn't require a signature, the rest do.
+	 */
+	dns_name_init(&tsigner, NULL);
+	result = dns_message_signer(msg, &tsigner);
+	if (result != ISC_R_SUCCESS) {
+		if (tkeyin.mode == DNS_TKEYMODE_GSSAPI &&
+		    result == ISC_R_NOTFOUND)
+		{
+			signer = NULL;
+		} else {
+			tkey_log("dns_tkey_processquery: query was not "
+				 "properly signed - rejecting");
+			result = DNS_R_FORMERR;
+			goto failure;
+		}
+	} else {
+		signer = &tsigner;
+	}
+
+	tkeyout.common.rdclass = tkeyin.common.rdclass;
+	tkeyout.common.rdtype = tkeyin.common.rdtype;
+	ISC_LINK_INIT(&tkeyout.common, link);
+	tkeyout.mctx = msg->mctx;
+
+	dns_name_init(&tkeyout.algorithm, NULL);
+	dns_name_clone(&tkeyin.algorithm, &tkeyout.algorithm);
+
+	tkeyout.inception = tkeyout.expire = 0;
+	tkeyout.mode = tkeyin.mode;
+	tkeyout.error = 0;
+	tkeyout.keylen = tkeyout.otherlen = 0;
+	tkeyout.key = tkeyout.other = NULL;
+
+	/*
+	 * A delete operation must have a fully specified key name.  If this
+	 * is not a delete, we do the following:
+	 * if (qname != ".")
+	 *	keyname = qname + defaultdomain
+	 * else
+	 *	keyname = <random hex> + defaultdomain
+	 */
+	if (tkeyin.mode != DNS_TKEYMODE_DELETE) {
+		dns_tsigkey_t *tsigkey = NULL;
+
+		if (tctx->domain == NULL && tkeyin.mode != DNS_TKEYMODE_GSSAPI)
+		{
+			tkey_log("dns_tkey_processquery: tkey-domain not set");
+			result = DNS_R_REFUSED;
+			goto failure;
+		}
+
+		keyname = dns_fixedname_initname(&fkeyname);
+
+		if (!dns_name_equal(qname, dns_rootname)) {
+			unsigned int n = dns_name_countlabels(qname);
+			dns_name_copynf(qname, keyname);
+			dns_name_getlabelsequence(keyname, 0, n - 1, keyname);
+		} else {
+			static char hexdigits[16] = { '0', '1', '2', '3',
+						      '4', '5', '6', '7',
+						      '8', '9', 'A', 'B',
+						      'C', 'D', 'E', 'F' };
+			unsigned char randomdata[16];
+			char randomtext[32];
+			isc_buffer_t b;
+			unsigned int i, j;
+
+			isc_nonce_buf(randomdata, sizeof(randomdata));
+
+			for (i = 0, j = 0; i < sizeof(randomdata); i++) {
+				unsigned char val = randomdata[i];
+				randomtext[j++] = hexdigits[val >> 4];
+				randomtext[j++] = hexdigits[val & 0xF];
+			}
+			isc_buffer_init(&b, randomtext, sizeof(randomtext));
+			isc_buffer_add(&b, sizeof(randomtext));
+			result = dns_name_fromtext(keyname, &b, NULL, 0, NULL);
+			if (result != ISC_R_SUCCESS) {
+				goto failure;
+			}
+		}
+
+		if (tkeyin.mode == DNS_TKEYMODE_GSSAPI) {
+			/* Yup.  This is a hack */
+			result = dns_name_concatenate(keyname, dns_rootname,
+						      keyname, NULL);
+			if (result != ISC_R_SUCCESS) {
+				goto failure;
+			}
+		} else {
+			result = dns_name_concatenate(keyname, tctx->domain,
+						      keyname, NULL);
+			if (result != ISC_R_SUCCESS) {
+				goto failure;
+			}
+		}
+
+		result = dns_tsigkey_find(&tsigkey, keyname, NULL, ring);
+
+		if (result == ISC_R_SUCCESS) {
+			tkeyout.error = dns_tsigerror_badname;
+			dns_tsigkey_detach(&tsigkey);
+			goto failure_with_tkey;
+		} else if (result != ISC_R_NOTFOUND) {
+			goto failure;
+		}
+	} else {
+		keyname = qname;
+	}
+
+	switch (tkeyin.mode) {
+	case DNS_TKEYMODE_DIFFIEHELLMAN:
+		tkeyout.error = dns_rcode_noerror;
+		RETERR(process_dhtkey(msg, signer, keyname, &tkeyin, tctx,
+				      &tkeyout, ring, &namelist));
+		break;
+	case DNS_TKEYMODE_GSSAPI:
+		tkeyout.error = dns_rcode_noerror;
+		RETERR(process_gsstkey(msg, keyname, &tkeyin, tctx, &tkeyout,
+				       ring));
+		break;
+	case DNS_TKEYMODE_DELETE:
+		tkeyout.error = dns_rcode_noerror;
+		RETERR(process_deletetkey(signer, keyname, &tkeyin, &tkeyout,
+					  ring));
+		break;
+	case DNS_TKEYMODE_SERVERASSIGNED:
+	case DNS_TKEYMODE_RESOLVERASSIGNED:
+		result = DNS_R_NOTIMP;
+		goto failure;
+	default:
+		tkeyout.error = dns_tsigerror_badmode;
+	}
+
+failure_with_tkey:
+
+	dns_rdata_init(&rdata);
+	isc_buffer_init(&tkeyoutbuf, tkeyoutdata, sizeof(tkeyoutdata));
+	result = dns_rdata_fromstruct(&rdata, tkeyout.common.rdclass,
+				      tkeyout.common.rdtype, &tkeyout,
+				      &tkeyoutbuf);
+
+	if (freetkeyin) {
+		dns_rdata_freestruct(&tkeyin);
+		freetkeyin = false;
+	}
+
+	if (tkeyout.key != NULL) {
+		isc_mem_put(tkeyout.mctx, tkeyout.key, tkeyout.keylen);
+	}
+	if (tkeyout.other != NULL) {
+		isc_mem_put(tkeyout.mctx, tkeyout.other, tkeyout.otherlen);
+	}
+	if (result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+
+	RETERR(add_rdata_to_list(msg, keyname, &rdata, 0, &namelist));
+
+	RETERR(dns_message_reply(msg, true));
+
+	name = ISC_LIST_HEAD(namelist);
+	while (name != NULL) {
+		dns_name_t *next = ISC_LIST_NEXT(name, link);
+		ISC_LIST_UNLINK(namelist, name, link);
+		dns_message_addname(msg, name, DNS_SECTION_ANSWER);
+		name = next;
+	}
+
+	return (ISC_R_SUCCESS);
+
+failure:
+
+	if (freetkeyin) {
+		dns_rdata_freestruct(&tkeyin);
+	}
+	if (!ISC_LIST_EMPTY(namelist)) {
+		free_namelist(msg, &namelist);
+	}
+	return (result);
+}
+
+static isc_result_t
+buildquery(dns_message_t *msg, const dns_name_t *name, dns_rdata_tkey_t *tkey,
+	   bool win2k) {
+	dns_name_t *qname = NULL, *aname = NULL;
+	dns_rdataset_t *question = NULL, *tkeyset = NULL;
+	dns_rdatalist_t *tkeylist = NULL;
+	dns_rdata_t *rdata = NULL;
+	isc_buffer_t *dynbuf = NULL;
+	isc_result_t result;
+	unsigned int len;
+
+	REQUIRE(msg != NULL);
+	REQUIRE(name != NULL);
+	REQUIRE(tkey != NULL);
+
+	RETERR(dns_message_gettempname(msg, &qname));
+	RETERR(dns_message_gettempname(msg, &aname));
+
+	RETERR(dns_message_gettemprdataset(msg, &question));
+	dns_rdataset_makequestion(question, dns_rdataclass_any,
+				  dns_rdatatype_tkey);
+
+	len = 16 + tkey->algorithm.length + tkey->keylen + tkey->otherlen;
+	isc_buffer_allocate(msg->mctx, &dynbuf, len);
+	RETERR(dns_message_gettemprdata(msg, &rdata));
+
+	RETERR(dns_rdata_fromstruct(rdata, dns_rdataclass_any,
+				    dns_rdatatype_tkey, tkey, dynbuf));
+	dns_message_takebuffer(msg, &dynbuf);
+
+	RETERR(dns_message_gettemprdatalist(msg, &tkeylist));
+	tkeylist->rdclass = dns_rdataclass_any;
+	tkeylist->type = dns_rdatatype_tkey;
+	ISC_LIST_APPEND(tkeylist->rdata, rdata, link);
+
+	RETERR(dns_message_gettemprdataset(msg, &tkeyset));
+	RETERR(dns_rdatalist_tordataset(tkeylist, tkeyset));
+
+	dns_name_copynf(name, qname);
+	dns_name_copynf(name, aname);
+
+	ISC_LIST_APPEND(qname->list, question, link);
+	ISC_LIST_APPEND(aname->list, tkeyset, link);
+
+	dns_message_addname(msg, qname, DNS_SECTION_QUESTION);
+
+	/*
+	 * Windows 2000 needs this in the answer section, not the additional
+	 * section where the RFC specifies.
+	 */
+	if (win2k) {
+		dns_message_addname(msg, aname, DNS_SECTION_ANSWER);
+	} else {
+		dns_message_addname(msg, aname, DNS_SECTION_ADDITIONAL);
+	}
+
+	return (ISC_R_SUCCESS);
+
+failure:
+	if (qname != NULL) {
+		dns_message_puttempname(msg, &qname);
+	}
+	if (aname != NULL) {
+		dns_message_puttempname(msg, &aname);
+	}
+	if (question != NULL) {
+		dns_rdataset_disassociate(question);
+		dns_message_puttemprdataset(msg, &question);
+	}
+	if (dynbuf != NULL) {
+		isc_buffer_free(&dynbuf);
+	}
+	if (rdata != NULL) {
+		dns_message_puttemprdata(msg, &rdata);
+	}
+	if (tkeylist != NULL) {
+		dns_message_puttemprdatalist(msg, &tkeylist);
+	}
+	if (tkeyset != NULL) {
+		if (dns_rdataset_isassociated(tkeyset)) {
+			dns_rdataset_disassociate(tkeyset);
+		}
+		dns_message_puttemprdataset(msg, &tkeyset);
+	}
+	return (result);
+}
+
+isc_result_t
+dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key,
+		      const dns_name_t *name, const dns_name_t *algorithm,
+		      isc_buffer_t *nonce, uint32_t lifetime) {
+	dns_rdata_tkey_t tkey;
+	dns_rdata_t *rdata = NULL;
+	isc_buffer_t *dynbuf = NULL;
+	isc_region_t r;
+	dns_name_t keyname;
+	dns_namelist_t namelist;
+	isc_result_t result;
+	isc_stdtime_t now;
+	dns_name_t *item;
+
+	REQUIRE(msg != NULL);
+	REQUIRE(key != NULL);
+	REQUIRE(dst_key_alg(key) == DNS_KEYALG_DH);
+	REQUIRE(dst_key_isprivate(key));
+	REQUIRE(name != NULL);
+	REQUIRE(algorithm != NULL);
+
+	tkey.common.rdclass = dns_rdataclass_any;
+	tkey.common.rdtype = dns_rdatatype_tkey;
+	ISC_LINK_INIT(&tkey.common, link);
+	tkey.mctx = msg->mctx;
+	dns_name_init(&tkey.algorithm, NULL);
+	dns_name_clone(algorithm, &tkey.algorithm);
+	isc_stdtime_get(&now);
+	tkey.inception = now;
+	tkey.expire = now + lifetime;
+	tkey.mode = DNS_TKEYMODE_DIFFIEHELLMAN;
+	if (nonce != NULL) {
+		isc_buffer_usedregion(nonce, &r);
+	} else {
+		r.base = NULL;
+		r.length = 0;
+	}
+	tkey.error = 0;
+	tkey.key = r.base;
+	tkey.keylen = r.length;
+	tkey.other = NULL;
+	tkey.otherlen = 0;
+
+	RETERR(buildquery(msg, name, &tkey, false));
+
+	RETERR(dns_message_gettemprdata(msg, &rdata));
+	isc_buffer_allocate(msg->mctx, &dynbuf, 1024);
+	RETERR(dst_key_todns(key, dynbuf));
+	isc_buffer_usedregion(dynbuf, &r);
+	dns_rdata_fromregion(rdata, dns_rdataclass_any, dns_rdatatype_key, &r);
+	dns_message_takebuffer(msg, &dynbuf);
+
+	dns_name_init(&keyname, NULL);
+	dns_name_clone(dst_key_name(key), &keyname);
+
+	ISC_LIST_INIT(namelist);
+	RETERR(add_rdata_to_list(msg, &keyname, rdata, 0, &namelist));
+	item = ISC_LIST_HEAD(namelist);
+	while (item != NULL) {
+		dns_name_t *next = ISC_LIST_NEXT(item, link);
+		ISC_LIST_UNLINK(namelist, item, link);
+		dns_message_addname(msg, item, DNS_SECTION_ADDITIONAL);
+		item = next;
+	}
+
+	return (ISC_R_SUCCESS);
+
+failure:
+
+	if (dynbuf != NULL) {
+		isc_buffer_free(&dynbuf);
+	}
+	return (result);
+}
+
+isc_result_t
+dns_tkey_buildgssquery(dns_message_t *msg, const dns_name_t *name,
+		       const dns_name_t *gname, isc_buffer_t *intoken,
+		       uint32_t lifetime, dns_gss_ctx_id_t *context, bool win2k,
+		       isc_mem_t *mctx, char **err_message) {
+	dns_rdata_tkey_t tkey;
+	isc_result_t result;
+	isc_stdtime_t now;
+	isc_buffer_t token;
+	unsigned char array[TEMP_BUFFER_SZ];
+
+	UNUSED(intoken);
+
+	REQUIRE(msg != NULL);
+	REQUIRE(name != NULL);
+	REQUIRE(gname != NULL);
+	REQUIRE(context != NULL);
+	REQUIRE(mctx != NULL);
+
+	isc_buffer_init(&token, array, sizeof(array));
+	result = dst_gssapi_initctx(gname, NULL, &token, context, mctx,
+				    err_message);
+	if (result != DNS_R_CONTINUE && result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	tkey.common.rdclass = dns_rdataclass_any;
+	tkey.common.rdtype = dns_rdatatype_tkey;
+	ISC_LINK_INIT(&tkey.common, link);
+	tkey.mctx = NULL;
+	dns_name_init(&tkey.algorithm, NULL);
+
+	if (win2k) {
+		dns_name_clone(DNS_TSIG_GSSAPIMS_NAME, &tkey.algorithm);
+	} else {
+		dns_name_clone(DNS_TSIG_GSSAPI_NAME, &tkey.algorithm);
+	}
+
+	isc_stdtime_get(&now);
+	tkey.inception = now;
+	tkey.expire = now + lifetime;
+	tkey.mode = DNS_TKEYMODE_GSSAPI;
+	tkey.error = 0;
+	tkey.key = isc_buffer_base(&token);
+	tkey.keylen = isc_buffer_usedlength(&token);
+	tkey.other = NULL;
+	tkey.otherlen = 0;
+
+	return (buildquery(msg, name, &tkey, win2k));
+}
+
+isc_result_t
+dns_tkey_builddeletequery(dns_message_t *msg, dns_tsigkey_t *key) {
+	dns_rdata_tkey_t tkey;
+
+	REQUIRE(msg != NULL);
+	REQUIRE(key != NULL);
+
+	tkey.common.rdclass = dns_rdataclass_any;
+	tkey.common.rdtype = dns_rdatatype_tkey;
+	ISC_LINK_INIT(&tkey.common, link);
+	tkey.mctx = msg->mctx;
+	dns_name_init(&tkey.algorithm, NULL);
+	dns_name_clone(key->algorithm, &tkey.algorithm);
+	tkey.inception = tkey.expire = 0;
+	tkey.mode = DNS_TKEYMODE_DELETE;
+	tkey.error = 0;
+	tkey.keylen = tkey.otherlen = 0;
+	tkey.key = tkey.other = NULL;
+
+	return (buildquery(msg, &key->name, &tkey, false));
+}
+
+static isc_result_t
+find_tkey(dns_message_t *msg, dns_name_t **name, dns_rdata_t *rdata,
+	  int section) {
+	dns_rdataset_t *tkeyset;
+	isc_result_t result;
+
+	result = dns_message_firstname(msg, section);
+	while (result == ISC_R_SUCCESS) {
+		*name = NULL;
+		dns_message_currentname(msg, section, name);
+		tkeyset = NULL;
+		result = dns_message_findtype(*name, dns_rdatatype_tkey, 0,
+					      &tkeyset);
+		if (result == ISC_R_SUCCESS) {
+			result = dns_rdataset_first(tkeyset);
+			if (result != ISC_R_SUCCESS) {
+				return (result);
+			}
+			dns_rdataset_current(tkeyset, rdata);
+			return (ISC_R_SUCCESS);
+		}
+		result = dns_message_nextname(msg, section);
+	}
+	if (result == ISC_R_NOMORE) {
+		return (ISC_R_NOTFOUND);
+	}
+	return (result);
+}
+
+isc_result_t
+dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
+			   dst_key_t *key, isc_buffer_t *nonce,
+			   dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring) {
+	dns_rdata_t qtkeyrdata = DNS_RDATA_INIT, rtkeyrdata = DNS_RDATA_INIT;
+	dns_name_t keyname, *tkeyname, *theirkeyname, *ourkeyname, *tempname;
+	dns_rdataset_t *theirkeyset = NULL, *ourkeyset = NULL;
+	dns_rdata_t theirkeyrdata = DNS_RDATA_INIT;
+	dst_key_t *theirkey = NULL;
+	dns_rdata_tkey_t qtkey, rtkey;
+	unsigned char secretdata[256];
+	unsigned int sharedsize;
+	isc_buffer_t *shared = NULL, secret;
+	isc_region_t r, r2;
+	isc_result_t result;
+	bool freertkey = false;
+
+	REQUIRE(qmsg != NULL);
+	REQUIRE(rmsg != NULL);
+	REQUIRE(key != NULL);
+	REQUIRE(dst_key_alg(key) == DNS_KEYALG_DH);
+	REQUIRE(dst_key_isprivate(key));
+	if (outkey != NULL) {
+		REQUIRE(*outkey == NULL);
+	}
+
+	if (rmsg->rcode != dns_rcode_noerror) {
+		return (ISC_RESULTCLASS_DNSRCODE + rmsg->rcode);
+	}
+	RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata, DNS_SECTION_ANSWER));
+	RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, NULL));
+	freertkey = true;
+
+	RETERR(find_tkey(qmsg, &tempname, &qtkeyrdata, DNS_SECTION_ADDITIONAL));
+	RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, NULL));
+
+	if (rtkey.error != dns_rcode_noerror ||
+	    rtkey.mode != DNS_TKEYMODE_DIFFIEHELLMAN ||
+	    rtkey.mode != qtkey.mode ||
+	    !dns_name_equal(&rtkey.algorithm, &qtkey.algorithm) ||
+	    rmsg->rcode != dns_rcode_noerror)
+	{
+		tkey_log("dns_tkey_processdhresponse: tkey mode invalid "
+			 "or error set(1)");
+		result = DNS_R_INVALIDTKEY;
+		dns_rdata_freestruct(&qtkey);
+		goto failure;
+	}
+
+	dns_rdata_freestruct(&qtkey);
+
+	dns_name_init(&keyname, NULL);
+	dns_name_clone(dst_key_name(key), &keyname);
+
+	ourkeyname = NULL;
+	ourkeyset = NULL;
+	RETERR(dns_message_findname(rmsg, DNS_SECTION_ANSWER, &keyname,
+				    dns_rdatatype_key, 0, &ourkeyname,
+				    &ourkeyset));
+
+	result = dns_message_firstname(rmsg, DNS_SECTION_ANSWER);
+	while (result == ISC_R_SUCCESS) {
+		theirkeyname = NULL;
+		dns_message_currentname(rmsg, DNS_SECTION_ANSWER,
+					&theirkeyname);
+		if (dns_name_equal(theirkeyname, ourkeyname)) {
+			goto next;
+		}
+		theirkeyset = NULL;
+		result = dns_message_findtype(theirkeyname, dns_rdatatype_key,
+					      0, &theirkeyset);
+		if (result == ISC_R_SUCCESS) {
+			RETERR(dns_rdataset_first(theirkeyset));
+			break;
+		}
+	next:
+		result = dns_message_nextname(rmsg, DNS_SECTION_ANSWER);
+	}
+
+	if (theirkeyset == NULL) {
+		tkey_log("dns_tkey_processdhresponse: failed to find server "
+			 "key");
+		result = ISC_R_NOTFOUND;
+		goto failure;
+	}
+
+	dns_rdataset_current(theirkeyset, &theirkeyrdata);
+	RETERR(dns_dnssec_keyfromrdata(theirkeyname, &theirkeyrdata, rmsg->mctx,
+				       &theirkey));
+
+	RETERR(dst_key_secretsize(key, &sharedsize));
+	isc_buffer_allocate(rmsg->mctx, &shared, sharedsize);
+
+	RETERR(dst_key_computesecret(theirkey, key, shared));
+
+	isc_buffer_init(&secret, secretdata, sizeof(secretdata));
+
+	r.base = rtkey.key;
+	r.length = rtkey.keylen;
+	if (nonce != NULL) {
+		isc_buffer_usedregion(nonce, &r2);
+	} else {
+		r2.base = NULL;
+		r2.length = 0;
+	}
+	RETERR(compute_secret(shared, &r2, &r, &secret));
+
+	isc_buffer_usedregion(&secret, &r);
+	result = dns_tsigkey_create(tkeyname, &rtkey.algorithm, r.base,
+				    r.length, true, NULL, rtkey.inception,
+				    rtkey.expire, rmsg->mctx, ring, outkey);
+	isc_buffer_free(&shared);
+	dns_rdata_freestruct(&rtkey);
+	dst_key_free(&theirkey);
+	return (result);
+
+failure:
+	if (shared != NULL) {
+		isc_buffer_free(&shared);
+	}
+
+	if (theirkey != NULL) {
+		dst_key_free(&theirkey);
+	}
+
+	if (freertkey) {
+		dns_rdata_freestruct(&rtkey);
+	}
+
+	return (result);
+}
+
+isc_result_t
+dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
+			    const dns_name_t *gname, dns_gss_ctx_id_t *context,
+			    isc_buffer_t *outtoken, dns_tsigkey_t **outkey,
+			    dns_tsig_keyring_t *ring, char **err_message) {
+	dns_rdata_t rtkeyrdata = DNS_RDATA_INIT, qtkeyrdata = DNS_RDATA_INIT;
+	dns_name_t *tkeyname;
+	dns_rdata_tkey_t rtkey, qtkey;
+	dst_key_t *dstkey = NULL;
+	isc_buffer_t intoken;
+	isc_result_t result;
+	unsigned char array[TEMP_BUFFER_SZ];
+
+	REQUIRE(outtoken != NULL);
+	REQUIRE(qmsg != NULL);
+	REQUIRE(rmsg != NULL);
+	REQUIRE(gname != NULL);
+	REQUIRE(ring != NULL);
+	if (outkey != NULL) {
+		REQUIRE(*outkey == NULL);
+	}
+
+	if (rmsg->rcode != dns_rcode_noerror) {
+		return (ISC_RESULTCLASS_DNSRCODE + rmsg->rcode);
+	}
+	RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata, DNS_SECTION_ANSWER));
+	RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, NULL));
+
+	/*
+	 * Win2k puts the item in the ANSWER section, while the RFC
+	 * specifies it should be in the ADDITIONAL section.  Check first
+	 * where it should be, and then where it may be.
+	 */
+	result = find_tkey(qmsg, &tkeyname, &qtkeyrdata,
+			   DNS_SECTION_ADDITIONAL);
+	if (result == ISC_R_NOTFOUND) {
+		result = find_tkey(qmsg, &tkeyname, &qtkeyrdata,
+				   DNS_SECTION_ANSWER);
+	}
+	if (result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+
+	RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, NULL));
+
+	if (rtkey.error != dns_rcode_noerror ||
+	    rtkey.mode != DNS_TKEYMODE_GSSAPI ||
+	    !dns_name_equal(&rtkey.algorithm, &qtkey.algorithm))
+	{
+		tkey_log("dns_tkey_processgssresponse: tkey mode invalid "
+			 "or error set(2) %d",
+			 rtkey.error);
+		dumpmessage(qmsg);
+		dumpmessage(rmsg);
+		result = DNS_R_INVALIDTKEY;
+		goto failure;
+	}
+
+	isc_buffer_init(outtoken, array, sizeof(array));
+	isc_buffer_init(&intoken, rtkey.key, rtkey.keylen);
+	RETERR(dst_gssapi_initctx(gname, &intoken, outtoken, context,
+				  ring->mctx, err_message));
+
+	RETERR(dst_key_fromgssapi(dns_rootname, *context, rmsg->mctx, &dstkey,
+				  NULL));
+
+	RETERR(dns_tsigkey_createfromkey(
+		tkeyname, DNS_TSIG_GSSAPI_NAME, dstkey, false, NULL,
+		rtkey.inception, rtkey.expire, ring->mctx, ring, outkey));
+	dst_key_free(&dstkey);
+	dns_rdata_freestruct(&rtkey);
+	return (result);
+
+failure:
+	/*
+	 * XXXSRA This probably leaks memory from rtkey and qtkey.
+	 */
+	if (dstkey != NULL) {
+		dst_key_free(&dstkey);
+	}
+	return (result);
+}
+
+isc_result_t
+dns_tkey_processdeleteresponse(dns_message_t *qmsg, dns_message_t *rmsg,
+			       dns_tsig_keyring_t *ring) {
+	dns_rdata_t qtkeyrdata = DNS_RDATA_INIT, rtkeyrdata = DNS_RDATA_INIT;
+	dns_name_t *tkeyname, *tempname;
+	dns_rdata_tkey_t qtkey, rtkey;
+	dns_tsigkey_t *tsigkey = NULL;
+	isc_result_t result;
+
+	REQUIRE(qmsg != NULL);
+	REQUIRE(rmsg != NULL);
+
+	if (rmsg->rcode != dns_rcode_noerror) {
+		return (ISC_RESULTCLASS_DNSRCODE + rmsg->rcode);
+	}
+
+	RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata, DNS_SECTION_ANSWER));
+	RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, NULL));
+
+	RETERR(find_tkey(qmsg, &tempname, &qtkeyrdata, DNS_SECTION_ADDITIONAL));
+	RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, NULL));
+
+	if (rtkey.error != dns_rcode_noerror ||
+	    rtkey.mode != DNS_TKEYMODE_DELETE || rtkey.mode != qtkey.mode ||
+	    !dns_name_equal(&rtkey.algorithm, &qtkey.algorithm) ||
+	    rmsg->rcode != dns_rcode_noerror)
+	{
+		tkey_log("dns_tkey_processdeleteresponse: tkey mode invalid "
+			 "or error set(3)");
+		result = DNS_R_INVALIDTKEY;
+		dns_rdata_freestruct(&qtkey);
+		dns_rdata_freestruct(&rtkey);
+		goto failure;
+	}
+
+	dns_rdata_freestruct(&qtkey);
+
+	RETERR(dns_tsigkey_find(&tsigkey, tkeyname, &rtkey.algorithm, ring));
+
+	dns_rdata_freestruct(&rtkey);
+
+	/*
+	 * Mark the key as deleted.
+	 */
+	dns_tsigkey_setdeleted(tsigkey);
+	/*
+	 * Release the reference.
+	 */
+	dns_tsigkey_detach(&tsigkey);
+
+failure:
+	return (result);
+}
+
+isc_result_t
+dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
+		      const dns_name_t *server, dns_gss_ctx_id_t *context,
+		      dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring,
+		      bool win2k, char **err_message) {
+	dns_rdata_t rtkeyrdata = DNS_RDATA_INIT, qtkeyrdata = DNS_RDATA_INIT;
+	dns_name_t *tkeyname;
+	dns_rdata_tkey_t rtkey, qtkey, tkey;
+	isc_buffer_t intoken, outtoken;
+	dst_key_t *dstkey = NULL;
+	isc_result_t result;
+	unsigned char array[TEMP_BUFFER_SZ];
+	bool freertkey = false;
+
+	REQUIRE(qmsg != NULL);
+	REQUIRE(rmsg != NULL);
+	REQUIRE(server != NULL);
+	if (outkey != NULL) {
+		REQUIRE(*outkey == NULL);
+	}
+
+	if (rmsg->rcode != dns_rcode_noerror) {
+		return (ISC_RESULTCLASS_DNSRCODE + rmsg->rcode);
+	}
+
+	RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata, DNS_SECTION_ANSWER));
+	RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, NULL));
+	freertkey = true;
+
+	if (win2k) {
+		RETERR(find_tkey(qmsg, &tkeyname, &qtkeyrdata,
+				 DNS_SECTION_ANSWER));
+	} else {
+		RETERR(find_tkey(qmsg, &tkeyname, &qtkeyrdata,
+				 DNS_SECTION_ADDITIONAL));
+	}
+
+	RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, NULL));
+
+	if (rtkey.error != dns_rcode_noerror ||
+	    rtkey.mode != DNS_TKEYMODE_GSSAPI ||
+	    !dns_name_equal(&rtkey.algorithm, &qtkey.algorithm))
+	{
+		tkey_log("dns_tkey_processdhresponse: tkey mode invalid "
+			 "or error set(4)");
+		result = DNS_R_INVALIDTKEY;
+		goto failure;
+	}
+
+	isc_buffer_init(&intoken, rtkey.key, rtkey.keylen);
+	isc_buffer_init(&outtoken, array, sizeof(array));
+
+	result = dst_gssapi_initctx(server, &intoken, &outtoken, context,
+				    ring->mctx, err_message);
+	if (result != DNS_R_CONTINUE && result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	if (result == DNS_R_CONTINUE) {
+		dns_fixedname_t fixed;
+
+		dns_fixedname_init(&fixed);
+		dns_name_copynf(tkeyname, dns_fixedname_name(&fixed));
+		tkeyname = dns_fixedname_name(&fixed);
+
+		tkey.common.rdclass = dns_rdataclass_any;
+		tkey.common.rdtype = dns_rdatatype_tkey;
+		ISC_LINK_INIT(&tkey.common, link);
+		tkey.mctx = NULL;
+		dns_name_init(&tkey.algorithm, NULL);
+
+		if (win2k) {
+			dns_name_clone(DNS_TSIG_GSSAPIMS_NAME, &tkey.algorithm);
+		} else {
+			dns_name_clone(DNS_TSIG_GSSAPI_NAME, &tkey.algorithm);
+		}
+
+		tkey.inception = qtkey.inception;
+		tkey.expire = qtkey.expire;
+		tkey.mode = DNS_TKEYMODE_GSSAPI;
+		tkey.error = 0;
+		tkey.key = isc_buffer_base(&outtoken);
+		tkey.keylen = isc_buffer_usedlength(&outtoken);
+		tkey.other = NULL;
+		tkey.otherlen = 0;
+
+		dns_message_reset(qmsg, DNS_MESSAGE_INTENTRENDER);
+		RETERR(buildquery(qmsg, tkeyname, &tkey, win2k));
+		return (DNS_R_CONTINUE);
+	}
+
+	RETERR(dst_key_fromgssapi(dns_rootname, *context, rmsg->mctx, &dstkey,
+				  NULL));
+
+	/*
+	 * XXXSRA This seems confused.  If we got CONTINUE from initctx,
+	 * the GSS negotiation hasn't completed yet, so we can't sign
+	 * anything yet.
+	 */
+
+	RETERR(dns_tsigkey_createfromkey(
+		tkeyname,
+		(win2k ? DNS_TSIG_GSSAPIMS_NAME : DNS_TSIG_GSSAPI_NAME), dstkey,
+		true, NULL, rtkey.inception, rtkey.expire, ring->mctx, ring,
+		outkey));
+	dst_key_free(&dstkey);
+	dns_rdata_freestruct(&rtkey);
+	return (result);
+
+failure:
+	/*
+	 * XXXSRA This probably leaks memory from qtkey.
+	 */
+	if (freertkey) {
+		dns_rdata_freestruct(&rtkey);
+	}
+	if (dstkey != NULL) {
+		dst_key_free(&dstkey);
+	}
+	return (result);
+}
diff --git a/lib/dns/tsec.c b/lib/dns/tsec.c
new file mode 100644
index 0000000..249a2ea
--- /dev/null
+++ b/lib/dns/tsec.c
@@ -0,0 +1,151 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <isc/mem.h>
+#include <isc/util.h>
+
+#include <pk11/site.h>
+
+#include <dns/result.h>
+#include <dns/tsec.h>
+#include <dns/tsig.h>
+
+#include <dst/dst.h>
+
+#define DNS_TSEC_MAGIC	  ISC_MAGIC('T', 's', 'e', 'c')
+#define DNS_TSEC_VALID(t) ISC_MAGIC_VALID(t, DNS_TSEC_MAGIC)
+
+/*%
+ * DNS Transaction Security object.  We assume this is not shared by
+ * multiple threads, and so the structure does not contain a lock.
+ */
+struct dns_tsec {
+	unsigned int magic;
+	dns_tsectype_t type;
+	isc_mem_t *mctx;
+	union {
+		dns_tsigkey_t *tsigkey;
+		dst_key_t *key;
+	} ukey;
+};
+
+isc_result_t
+dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t *key,
+		dns_tsec_t **tsecp) {
+	isc_result_t result;
+	dns_tsec_t *tsec;
+	dns_tsigkey_t *tsigkey = NULL;
+	const dns_name_t *algname;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(tsecp != NULL && *tsecp == NULL);
+
+	tsec = isc_mem_get(mctx, sizeof(*tsec));
+
+	tsec->type = type;
+	tsec->mctx = mctx;
+
+	switch (type) {
+	case dns_tsectype_tsig:
+		switch (dst_key_alg(key)) {
+		case DST_ALG_HMACMD5:
+			algname = dns_tsig_hmacmd5_name;
+			break;
+		case DST_ALG_HMACSHA1:
+			algname = dns_tsig_hmacsha1_name;
+			break;
+		case DST_ALG_HMACSHA224:
+			algname = dns_tsig_hmacsha224_name;
+			break;
+		case DST_ALG_HMACSHA256:
+			algname = dns_tsig_hmacsha256_name;
+			break;
+		case DST_ALG_HMACSHA384:
+			algname = dns_tsig_hmacsha384_name;
+			break;
+		case DST_ALG_HMACSHA512:
+			algname = dns_tsig_hmacsha512_name;
+			break;
+		default:
+			isc_mem_put(mctx, tsec, sizeof(*tsec));
+			return (DNS_R_BADALG);
+		}
+		result = dns_tsigkey_createfromkey(dst_key_name(key), algname,
+						   key, false, NULL, 0, 0, mctx,
+						   NULL, &tsigkey);
+		if (result != ISC_R_SUCCESS) {
+			isc_mem_put(mctx, tsec, sizeof(*tsec));
+			return (result);
+		}
+		tsec->ukey.tsigkey = tsigkey;
+		break;
+	case dns_tsectype_sig0:
+		tsec->ukey.key = key;
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	tsec->magic = DNS_TSEC_MAGIC;
+
+	*tsecp = tsec;
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_tsec_destroy(dns_tsec_t **tsecp) {
+	dns_tsec_t *tsec;
+
+	REQUIRE(tsecp != NULL && *tsecp != NULL);
+	tsec = *tsecp;
+	*tsecp = NULL;
+	REQUIRE(DNS_TSEC_VALID(tsec));
+
+	switch (tsec->type) {
+	case dns_tsectype_tsig:
+		dns_tsigkey_detach(&tsec->ukey.tsigkey);
+		break;
+	case dns_tsectype_sig0:
+		dst_key_free(&tsec->ukey.key);
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	tsec->magic = 0;
+	isc_mem_put(tsec->mctx, tsec, sizeof(*tsec));
+}
+
+dns_tsectype_t
+dns_tsec_gettype(dns_tsec_t *tsec) {
+	REQUIRE(DNS_TSEC_VALID(tsec));
+
+	return (tsec->type);
+}
+
+void
+dns_tsec_getkey(dns_tsec_t *tsec, void *keyp) {
+	REQUIRE(DNS_TSEC_VALID(tsec));
+	REQUIRE(keyp != NULL);
+
+	switch (tsec->type) {
+	case dns_tsectype_tsig:
+		dns_tsigkey_attach(tsec->ukey.tsigkey, (dns_tsigkey_t **)keyp);
+		break;
+	case dns_tsectype_sig0:
+		*(dst_key_t **)keyp = tsec->ukey.key;
+		break;
+	default:
+		UNREACHABLE();
+	}
+}
diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
new file mode 100644
index 0000000..e102d09
--- /dev/null
+++ b/lib/dns/tsig.c
@@ -0,0 +1,1902 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/refcount.h>
+#include <isc/serial.h>
+#include <isc/string.h> /* Required for HP/UX (and others?) */
+#include <isc/time.h>
+#include <isc/util.h>
+
+#include <pk11/site.h>
+
+#include <dns/fixedname.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/message.h>
+#include <dns/rbt.h>
+#include <dns/rdata.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/result.h>
+#include <dns/tsig.h>
+
+#include <dst/result.h>
+
+#include "tsig_p.h"
+
+#define TSIG_MAGIC	  ISC_MAGIC('T', 'S', 'I', 'G')
+#define VALID_TSIG_KEY(x) ISC_MAGIC_VALID(x, TSIG_MAGIC)
+
+#ifndef DNS_TSIG_MAXGENERATEDKEYS
+#define DNS_TSIG_MAXGENERATEDKEYS 4096
+#endif /* ifndef DNS_TSIG_MAXGENERATEDKEYS */
+
+#define is_response(msg) ((msg->flags & DNS_MESSAGEFLAG_QR) != 0)
+
+#define BADTIMELEN 6
+
+static unsigned char hmacmd5_ndata[] = "\010hmac-md5\007sig-alg\003reg\003int";
+static unsigned char hmacmd5_offsets[] = { 0, 9, 17, 21, 25 };
+
+static dns_name_t const hmacmd5 = DNS_NAME_INITABSOLUTE(hmacmd5_ndata,
+							hmacmd5_offsets);
+LIBDNS_EXTERNAL_DATA const dns_name_t *dns_tsig_hmacmd5_name = &hmacmd5;
+
+static unsigned char gsstsig_ndata[] = "\010gss-tsig";
+static unsigned char gsstsig_offsets[] = { 0, 9 };
+static dns_name_t const gsstsig = DNS_NAME_INITABSOLUTE(gsstsig_ndata,
+							gsstsig_offsets);
+LIBDNS_EXTERNAL_DATA const dns_name_t *dns_tsig_gssapi_name = &gsstsig;
+
+/*
+ * Since Microsoft doesn't follow its own standard, we will use this
+ * alternate name as a second guess.
+ */
+static unsigned char gsstsigms_ndata[] = "\003gss\011microsoft\003com";
+static unsigned char gsstsigms_offsets[] = { 0, 4, 14, 18 };
+static dns_name_t const gsstsigms = DNS_NAME_INITABSOLUTE(gsstsigms_ndata,
+							  gsstsigms_offsets);
+LIBDNS_EXTERNAL_DATA const dns_name_t *dns_tsig_gssapims_name = &gsstsigms;
+
+static unsigned char hmacsha1_ndata[] = "\011hmac-sha1";
+static unsigned char hmacsha1_offsets[] = { 0, 10 };
+static dns_name_t const hmacsha1 = DNS_NAME_INITABSOLUTE(hmacsha1_ndata,
+							 hmacsha1_offsets);
+LIBDNS_EXTERNAL_DATA const dns_name_t *dns_tsig_hmacsha1_name = &hmacsha1;
+
+static unsigned char hmacsha224_ndata[] = "\013hmac-sha224";
+static unsigned char hmacsha224_offsets[] = { 0, 12 };
+static dns_name_t const hmacsha224 = DNS_NAME_INITABSOLUTE(hmacsha224_ndata,
+							   hmacsha224_offsets);
+LIBDNS_EXTERNAL_DATA const dns_name_t *dns_tsig_hmacsha224_name = &hmacsha224;
+
+static unsigned char hmacsha256_ndata[] = "\013hmac-sha256";
+static unsigned char hmacsha256_offsets[] = { 0, 12 };
+static dns_name_t const hmacsha256 = DNS_NAME_INITABSOLUTE(hmacsha256_ndata,
+							   hmacsha256_offsets);
+LIBDNS_EXTERNAL_DATA const dns_name_t *dns_tsig_hmacsha256_name = &hmacsha256;
+
+static unsigned char hmacsha384_ndata[] = "\013hmac-sha384";
+static unsigned char hmacsha384_offsets[] = { 0, 12 };
+static dns_name_t const hmacsha384 = DNS_NAME_INITABSOLUTE(hmacsha384_ndata,
+							   hmacsha384_offsets);
+LIBDNS_EXTERNAL_DATA const dns_name_t *dns_tsig_hmacsha384_name = &hmacsha384;
+
+static unsigned char hmacsha512_ndata[] = "\013hmac-sha512";
+static unsigned char hmacsha512_offsets[] = { 0, 12 };
+static dns_name_t const hmacsha512 = DNS_NAME_INITABSOLUTE(hmacsha512_ndata,
+							   hmacsha512_offsets);
+LIBDNS_EXTERNAL_DATA const dns_name_t *dns_tsig_hmacsha512_name = &hmacsha512;
+
+static const struct {
+	const dns_name_t *name;
+	unsigned int dstalg;
+} known_algs[] = { { &hmacmd5, DST_ALG_HMACMD5 },
+		   { &gsstsig, DST_ALG_GSSAPI },
+		   { &gsstsigms, DST_ALG_GSSAPI },
+		   { &hmacsha1, DST_ALG_HMACSHA1 },
+		   { &hmacsha224, DST_ALG_HMACSHA224 },
+		   { &hmacsha256, DST_ALG_HMACSHA256 },
+		   { &hmacsha384, DST_ALG_HMACSHA384 },
+		   { &hmacsha512, DST_ALG_HMACSHA512 } };
+
+static isc_result_t
+tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg);
+
+static void
+tsig_log(dns_tsigkey_t *key, int level, const char *fmt, ...)
+	ISC_FORMAT_PRINTF(3, 4);
+
+static void
+cleanup_ring(dns_tsig_keyring_t *ring);
+static void
+tsigkey_free(dns_tsigkey_t *key);
+
+bool
+dns__tsig_algvalid(unsigned int alg) {
+	return (alg == DST_ALG_HMACMD5 || alg == DST_ALG_HMACSHA1 ||
+		alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 ||
+		alg == DST_ALG_HMACSHA384 || alg == DST_ALG_HMACSHA512);
+}
+
+static void
+tsig_log(dns_tsigkey_t *key, int level, const char *fmt, ...) {
+	va_list ap;
+	char message[4096];
+	char namestr[DNS_NAME_FORMATSIZE];
+	char creatorstr[DNS_NAME_FORMATSIZE];
+
+	if (!isc_log_wouldlog(dns_lctx, level)) {
+		return;
+	}
+	if (key != NULL) {
+		dns_name_format(&key->name, namestr, sizeof(namestr));
+	} else {
+		strlcpy(namestr, "<null>", sizeof(namestr));
+	}
+
+	if (key != NULL && key->generated && key->creator) {
+		dns_name_format(key->creator, creatorstr, sizeof(creatorstr));
+	} else {
+		strlcpy(creatorstr, "<null>", sizeof(creatorstr));
+	}
+
+	va_start(ap, fmt);
+	vsnprintf(message, sizeof(message), fmt, ap);
+	va_end(ap);
+	if (key != NULL && key->generated) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+			      DNS_LOGMODULE_TSIG, level,
+			      "tsig key '%s' (%s): %s", namestr, creatorstr,
+			      message);
+	} else {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+			      DNS_LOGMODULE_TSIG, level, "tsig key '%s': %s",
+			      namestr, message);
+	}
+}
+
+static void
+remove_fromring(dns_tsigkey_t *tkey) {
+	if (tkey->generated) {
+		ISC_LIST_UNLINK(tkey->ring->lru, tkey, link);
+		tkey->ring->generated--;
+	}
+	(void)dns_rbt_deletename(tkey->ring->keys, &tkey->name, false);
+}
+
+static void
+adjust_lru(dns_tsigkey_t *tkey) {
+	if (tkey->generated) {
+		RWLOCK(&tkey->ring->lock, isc_rwlocktype_write);
+		/*
+		 * We may have been removed from the LRU list between
+		 * removing the read lock and acquiring the write lock.
+		 */
+		if (ISC_LINK_LINKED(tkey, link) && tkey->ring->lru.tail != tkey)
+		{
+			ISC_LIST_UNLINK(tkey->ring->lru, tkey, link);
+			ISC_LIST_APPEND(tkey->ring->lru, tkey, link);
+		}
+		RWUNLOCK(&tkey->ring->lock, isc_rwlocktype_write);
+	}
+}
+
+/*
+ * A supplemental routine just to add a key to ring.  Note that reference
+ * counter should be counted separately because we may be adding the key
+ * as part of creation of the key, in which case the reference counter was
+ * already initialized.  Also note we don't need RWLOCK for the reference
+ * counter: it's protected by a separate lock.
+ */
+static isc_result_t
+keyring_add(dns_tsig_keyring_t *ring, const dns_name_t *name,
+	    dns_tsigkey_t *tkey) {
+	isc_result_t result;
+
+	RWLOCK(&ring->lock, isc_rwlocktype_write);
+	ring->writecount++;
+
+	/*
+	 * Do on the fly cleaning.  Find some nodes we might not
+	 * want around any more.
+	 */
+	if (ring->writecount > 10) {
+		cleanup_ring(ring);
+		ring->writecount = 0;
+	}
+
+	result = dns_rbt_addname(ring->keys, name, tkey);
+	if (result == ISC_R_SUCCESS && tkey->generated) {
+		/*
+		 * Add the new key to the LRU list and remove the least
+		 * recently used key if there are too many keys on the list.
+		 */
+		ISC_LIST_APPEND(ring->lru, tkey, link);
+		if (ring->generated++ > ring->maxgenerated) {
+			remove_fromring(ISC_LIST_HEAD(ring->lru));
+		}
+	}
+	RWUNLOCK(&ring->lock, isc_rwlocktype_write);
+
+	return (result);
+}
+
+isc_result_t
+dns_tsigkey_createfromkey(const dns_name_t *name, const dns_name_t *algorithm,
+			  dst_key_t *dstkey, bool generated,
+			  const dns_name_t *creator, isc_stdtime_t inception,
+			  isc_stdtime_t expire, isc_mem_t *mctx,
+			  dns_tsig_keyring_t *ring, dns_tsigkey_t **key) {
+	dns_tsigkey_t *tkey;
+	isc_result_t ret;
+	unsigned int refs = 0;
+	unsigned int dstalg = 0;
+
+	REQUIRE(key == NULL || *key == NULL);
+	REQUIRE(name != NULL);
+	REQUIRE(algorithm != NULL);
+	REQUIRE(mctx != NULL);
+	REQUIRE(key != NULL || ring != NULL);
+
+	tkey = isc_mem_get(mctx, sizeof(dns_tsigkey_t));
+
+	dns_name_init(&tkey->name, NULL);
+	dns_name_dup(name, mctx, &tkey->name);
+	(void)dns_name_downcase(&tkey->name, &tkey->name, NULL);
+
+	/* Check against known algorithm names */
+	dstalg = dns__tsig_algfromname(algorithm);
+	if (dstalg != 0) {
+		/*
+		 * 'algorithm' must be set to a static pointer
+		 * so that dns__tsig_algallocated() can compare them.
+		 */
+		tkey->algorithm = dns__tsig_algnamefromname(algorithm);
+		if (dstkey != NULL && dst_key_alg(dstkey) != dstalg) {
+			ret = DNS_R_BADALG;
+			goto cleanup_name;
+		}
+	} else {
+		dns_name_t *tmpname;
+		if (dstkey != NULL) {
+			ret = DNS_R_BADALG;
+			goto cleanup_name;
+		}
+		tmpname = isc_mem_get(mctx, sizeof(dns_name_t));
+		dns_name_init(tmpname, NULL);
+		dns_name_dup(algorithm, mctx, tmpname);
+		(void)dns_name_downcase(tmpname, tmpname, NULL);
+		tkey->algorithm = tmpname;
+	}
+
+	if (creator != NULL) {
+		tkey->creator = isc_mem_get(mctx, sizeof(dns_name_t));
+		dns_name_init(tkey->creator, NULL);
+		dns_name_dup(creator, mctx, tkey->creator);
+	} else {
+		tkey->creator = NULL;
+	}
+
+	tkey->key = NULL;
+	if (dstkey != NULL) {
+		dst_key_attach(dstkey, &tkey->key);
+	}
+	tkey->ring = ring;
+
+	if (key != NULL) {
+		refs = 1;
+	}
+	if (ring != NULL) {
+		refs++;
+	}
+
+	isc_refcount_init(&tkey->refs, refs);
+
+	tkey->generated = generated;
+	tkey->inception = inception;
+	tkey->expire = expire;
+	tkey->mctx = NULL;
+	isc_mem_attach(mctx, &tkey->mctx);
+	ISC_LINK_INIT(tkey, link);
+
+	tkey->magic = TSIG_MAGIC;
+
+	if (ring != NULL) {
+		ret = keyring_add(ring, name, tkey);
+		if (ret != ISC_R_SUCCESS) {
+			goto cleanup_refs;
+		}
+	}
+
+	/*
+	 * Ignore this if it's a GSS key, since the key size is meaningless.
+	 */
+	if (dstkey != NULL && dst_key_size(dstkey) < 64 &&
+	    dstalg != DST_ALG_GSSAPI)
+	{
+		char namestr[DNS_NAME_FORMATSIZE];
+		dns_name_format(name, namestr, sizeof(namestr));
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+			      DNS_LOGMODULE_TSIG, ISC_LOG_INFO,
+			      "the key '%s' is too short to be secure",
+			      namestr);
+	}
+
+	if (key != NULL) {
+		*key = tkey;
+	}
+
+	return (ISC_R_SUCCESS);
+
+cleanup_refs:
+	tkey->magic = 0;
+	while (refs-- > 0) {
+		isc_refcount_decrement0(&tkey->refs);
+	}
+	isc_refcount_destroy(&tkey->refs);
+
+	if (tkey->key != NULL) {
+		dst_key_free(&tkey->key);
+	}
+	if (tkey->creator != NULL) {
+		dns_name_free(tkey->creator, mctx);
+		isc_mem_put(mctx, tkey->creator, sizeof(dns_name_t));
+	}
+	if (dns__tsig_algallocated(tkey->algorithm)) {
+		dns_name_t *tmpname;
+		DE_CONST(tkey->algorithm, tmpname);
+		if (dns_name_dynamic(tmpname)) {
+			dns_name_free(tmpname, mctx);
+		}
+		isc_mem_put(mctx, tmpname, sizeof(dns_name_t));
+	}
+cleanup_name:
+	dns_name_free(&tkey->name, mctx);
+	isc_mem_put(mctx, tkey, sizeof(dns_tsigkey_t));
+
+	return (ret);
+}
+
+/*
+ * Find a few nodes to destroy if possible.
+ */
+static void
+cleanup_ring(dns_tsig_keyring_t *ring) {
+	isc_result_t result;
+	dns_rbtnodechain_t chain;
+	dns_name_t foundname;
+	dns_fixedname_t fixedorigin;
+	dns_name_t *origin;
+	isc_stdtime_t now;
+	dns_rbtnode_t *node;
+	dns_tsigkey_t *tkey;
+
+	/*
+	 * Start up a new iterator each time.
+	 */
+	isc_stdtime_get(&now);
+	dns_name_init(&foundname, NULL);
+	origin = dns_fixedname_initname(&fixedorigin);
+
+again:
+	dns_rbtnodechain_init(&chain);
+	result = dns_rbtnodechain_first(&chain, ring->keys, &foundname, origin);
+	if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+		dns_rbtnodechain_invalidate(&chain);
+		return;
+	}
+
+	for (;;) {
+		node = NULL;
+		dns_rbtnodechain_current(&chain, &foundname, origin, &node);
+		tkey = node->data;
+		if (tkey != NULL) {
+			if (tkey->generated &&
+			    isc_refcount_current(&tkey->refs) == 1 &&
+			    tkey->inception != tkey->expire &&
+			    tkey->expire < now)
+			{
+				tsig_log(tkey, 2, "tsig expire: deleting");
+				/* delete the key */
+				dns_rbtnodechain_invalidate(&chain);
+				remove_fromring(tkey);
+				goto again;
+			}
+		}
+		result = dns_rbtnodechain_next(&chain, &foundname, origin);
+		if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+			dns_rbtnodechain_invalidate(&chain);
+			return;
+		}
+	}
+}
+
+static void
+destroyring(dns_tsig_keyring_t *ring) {
+	isc_refcount_destroy(&ring->references);
+	dns_rbt_destroy(&ring->keys);
+	isc_rwlock_destroy(&ring->lock);
+	isc_mem_putanddetach(&ring->mctx, ring, sizeof(dns_tsig_keyring_t));
+}
+
+/*
+ * Look up the DST_ALG_ constant for a given name.
+ */
+unsigned int
+dns__tsig_algfromname(const dns_name_t *algorithm) {
+	int i;
+	int n = sizeof(known_algs) / sizeof(*known_algs);
+	for (i = 0; i < n; ++i) {
+		const dns_name_t *name = known_algs[i].name;
+		if (algorithm == name || dns_name_equal(algorithm, name)) {
+			return (known_algs[i].dstalg);
+		}
+	}
+	return (0);
+}
+
+/*
+ * Convert an algorithm name into a pointer to the
+ * corresponding pre-defined dns_name_t structure.
+ */
+const dns_name_t *
+dns__tsig_algnamefromname(const dns_name_t *algorithm) {
+	int i;
+	int n = sizeof(known_algs) / sizeof(*known_algs);
+	for (i = 0; i < n; ++i) {
+		const dns_name_t *name = known_algs[i].name;
+		if (algorithm == name || dns_name_equal(algorithm, name)) {
+			return (name);
+		}
+	}
+	return (NULL);
+}
+
+/*
+ * Test whether the passed algorithm is NOT a pointer to one of the
+ * pre-defined known algorithms (and therefore one that has been
+ * dynamically allocated).
+ *
+ * This will return an incorrect result if passed a dynamically allocated
+ * dns_name_t that happens to match one of the pre-defined names.
+ */
+bool
+dns__tsig_algallocated(const dns_name_t *algorithm) {
+	int i;
+	int n = sizeof(known_algs) / sizeof(*known_algs);
+	for (i = 0; i < n; ++i) {
+		const dns_name_t *name = known_algs[i].name;
+		if (algorithm == name) {
+			return (false);
+		}
+	}
+	return (true);
+}
+
+static isc_result_t
+restore_key(dns_tsig_keyring_t *ring, isc_stdtime_t now, FILE *fp) {
+	dst_key_t *dstkey = NULL;
+	char namestr[1024];
+	char creatorstr[1024];
+	char algorithmstr[1024];
+	char keystr[4096];
+	unsigned int inception, expire;
+	int n;
+	isc_buffer_t b;
+	dns_name_t *name, *creator, *algorithm;
+	dns_fixedname_t fname, fcreator, falgorithm;
+	isc_result_t result;
+	unsigned int dstalg;
+
+	n = fscanf(fp, "%1023s %1023s %u %u %1023s %4095s\n", namestr,
+		   creatorstr, &inception, &expire, algorithmstr, keystr);
+	if (n == EOF) {
+		return (ISC_R_NOMORE);
+	}
+	if (n != 6) {
+		return (ISC_R_FAILURE);
+	}
+
+	if (isc_serial_lt(expire, now)) {
+		return (DNS_R_EXPIRED);
+	}
+
+	name = dns_fixedname_initname(&fname);
+	isc_buffer_init(&b, namestr, strlen(namestr));
+	isc_buffer_add(&b, strlen(namestr));
+	result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	creator = dns_fixedname_initname(&fcreator);
+	isc_buffer_init(&b, creatorstr, strlen(creatorstr));
+	isc_buffer_add(&b, strlen(creatorstr));
+	result = dns_name_fromtext(creator, &b, dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	algorithm = dns_fixedname_initname(&falgorithm);
+	isc_buffer_init(&b, algorithmstr, strlen(algorithmstr));
+	isc_buffer_add(&b, strlen(algorithmstr));
+	result = dns_name_fromtext(algorithm, &b, dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	dstalg = dns__tsig_algfromname(algorithm);
+	if (dstalg == 0) {
+		return (DNS_R_BADALG);
+	}
+
+	result = dst_key_restore(name, dstalg, DNS_KEYOWNER_ENTITY,
+				 DNS_KEYPROTO_DNSSEC, dns_rdataclass_in,
+				 ring->mctx, keystr, &dstkey);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = dns_tsigkey_createfromkey(name, algorithm, dstkey, true,
+					   creator, inception, expire,
+					   ring->mctx, ring, NULL);
+	if (dstkey != NULL) {
+		dst_key_free(&dstkey);
+	}
+	return (result);
+}
+
+static void
+dump_key(dns_tsigkey_t *tkey, FILE *fp) {
+	char *buffer = NULL;
+	int length = 0;
+	char namestr[DNS_NAME_FORMATSIZE];
+	char creatorstr[DNS_NAME_FORMATSIZE];
+	char algorithmstr[DNS_NAME_FORMATSIZE];
+	isc_result_t result;
+
+	REQUIRE(tkey != NULL);
+	REQUIRE(fp != NULL);
+
+	dns_name_format(&tkey->name, namestr, sizeof(namestr));
+	dns_name_format(tkey->creator, creatorstr, sizeof(creatorstr));
+	dns_name_format(tkey->algorithm, algorithmstr, sizeof(algorithmstr));
+	result = dst_key_dump(tkey->key, tkey->mctx, &buffer, &length);
+	if (result == ISC_R_SUCCESS) {
+		fprintf(fp, "%s %s %u %u %s %.*s\n", namestr, creatorstr,
+			tkey->inception, tkey->expire, algorithmstr, length,
+			buffer);
+	}
+	if (buffer != NULL) {
+		isc_mem_put(tkey->mctx, buffer, length);
+	}
+}
+
+isc_result_t
+dns_tsigkeyring_dumpanddetach(dns_tsig_keyring_t **ringp, FILE *fp) {
+	isc_result_t result;
+	dns_rbtnodechain_t chain;
+	dns_name_t foundname;
+	dns_fixedname_t fixedorigin;
+	dns_name_t *origin;
+	isc_stdtime_t now;
+	dns_rbtnode_t *node;
+	dns_tsigkey_t *tkey;
+	dns_tsig_keyring_t *ring;
+
+	REQUIRE(ringp != NULL && *ringp != NULL);
+
+	ring = *ringp;
+	*ringp = NULL;
+
+	if (isc_refcount_decrement(&ring->references) > 1) {
+		return (DNS_R_CONTINUE);
+	}
+
+	isc_stdtime_get(&now);
+	dns_name_init(&foundname, NULL);
+	origin = dns_fixedname_initname(&fixedorigin);
+	dns_rbtnodechain_init(&chain);
+	result = dns_rbtnodechain_first(&chain, ring->keys, &foundname, origin);
+	if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+		dns_rbtnodechain_invalidate(&chain);
+		goto destroy;
+	}
+
+	for (;;) {
+		node = NULL;
+		dns_rbtnodechain_current(&chain, &foundname, origin, &node);
+		tkey = node->data;
+		if (tkey != NULL && tkey->generated && tkey->expire >= now) {
+			dump_key(tkey, fp);
+		}
+		result = dns_rbtnodechain_next(&chain, &foundname, origin);
+		if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+			dns_rbtnodechain_invalidate(&chain);
+			if (result == ISC_R_NOMORE) {
+				result = ISC_R_SUCCESS;
+			}
+			goto destroy;
+		}
+	}
+
+destroy:
+	destroyring(ring);
+	return (result);
+}
+
+const dns_name_t *
+dns_tsigkey_identity(const dns_tsigkey_t *tsigkey) {
+	REQUIRE(tsigkey == NULL || VALID_TSIG_KEY(tsigkey));
+
+	if (tsigkey == NULL) {
+		return (NULL);
+	}
+	if (tsigkey->generated) {
+		return (tsigkey->creator);
+	} else {
+		return (&tsigkey->name);
+	}
+}
+
+isc_result_t
+dns_tsigkey_create(const dns_name_t *name, const dns_name_t *algorithm,
+		   unsigned char *secret, int length, bool generated,
+		   const dns_name_t *creator, isc_stdtime_t inception,
+		   isc_stdtime_t expire, isc_mem_t *mctx,
+		   dns_tsig_keyring_t *ring, dns_tsigkey_t **key) {
+	dst_key_t *dstkey = NULL;
+	isc_result_t result;
+	unsigned int dstalg = 0;
+
+	REQUIRE(length >= 0);
+	if (length > 0) {
+		REQUIRE(secret != NULL);
+	}
+
+	dstalg = dns__tsig_algfromname(algorithm);
+	if (dns__tsig_algvalid(dstalg)) {
+		if (secret != NULL) {
+			isc_buffer_t b;
+
+			isc_buffer_init(&b, secret, length);
+			isc_buffer_add(&b, length);
+			result = dst_key_frombuffer(
+				name, dstalg, DNS_KEYOWNER_ENTITY,
+				DNS_KEYPROTO_DNSSEC, dns_rdataclass_in, &b,
+				mctx, &dstkey);
+			if (result != ISC_R_SUCCESS) {
+				return (result);
+			}
+		}
+	} else if (length > 0) {
+		return (DNS_R_BADALG);
+	}
+
+	result = dns_tsigkey_createfromkey(name, algorithm, dstkey, generated,
+					   creator, inception, expire, mctx,
+					   ring, key);
+	if (dstkey != NULL) {
+		dst_key_free(&dstkey);
+	}
+	return (result);
+}
+
+void
+dns_tsigkey_attach(dns_tsigkey_t *source, dns_tsigkey_t **targetp) {
+	REQUIRE(VALID_TSIG_KEY(source));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	isc_refcount_increment(&source->refs);
+	*targetp = source;
+}
+
+static void
+tsigkey_free(dns_tsigkey_t *key) {
+	REQUIRE(VALID_TSIG_KEY(key));
+
+	key->magic = 0;
+	dns_name_free(&key->name, key->mctx);
+	if (dns__tsig_algallocated(key->algorithm)) {
+		dns_name_t *name;
+		DE_CONST(key->algorithm, name);
+		dns_name_free(name, key->mctx);
+		isc_mem_put(key->mctx, name, sizeof(dns_name_t));
+	}
+	if (key->key != NULL) {
+		dst_key_free(&key->key);
+	}
+	if (key->creator != NULL) {
+		dns_name_free(key->creator, key->mctx);
+		isc_mem_put(key->mctx, key->creator, sizeof(dns_name_t));
+	}
+	isc_mem_putanddetach(&key->mctx, key, sizeof(dns_tsigkey_t));
+}
+
+void
+dns_tsigkey_detach(dns_tsigkey_t **keyp) {
+	REQUIRE(keyp != NULL && VALID_TSIG_KEY(*keyp));
+	dns_tsigkey_t *key = *keyp;
+	*keyp = NULL;
+
+	if (isc_refcount_decrement(&key->refs) == 1) {
+		isc_refcount_destroy(&key->refs);
+		tsigkey_free(key);
+	}
+}
+
+void
+dns_tsigkey_setdeleted(dns_tsigkey_t *key) {
+	REQUIRE(VALID_TSIG_KEY(key));
+	REQUIRE(key->ring != NULL);
+
+	RWLOCK(&key->ring->lock, isc_rwlocktype_write);
+	remove_fromring(key);
+	RWUNLOCK(&key->ring->lock, isc_rwlocktype_write);
+}
+
+isc_result_t
+dns_tsig_sign(dns_message_t *msg) {
+	dns_tsigkey_t *key = NULL;
+	dns_rdata_any_tsig_t tsig, querytsig;
+	unsigned char data[128];
+	isc_buffer_t databuf, sigbuf;
+	isc_buffer_t *dynbuf = NULL;
+	dns_name_t *owner = NULL;
+	dns_rdata_t *rdata = NULL;
+	dns_rdatalist_t *datalist = NULL;
+	dns_rdataset_t *dataset = NULL;
+	isc_region_t r;
+	isc_stdtime_t now;
+	isc_mem_t *mctx;
+	dst_context_t *ctx = NULL;
+	isc_result_t ret;
+	unsigned char badtimedata[BADTIMELEN];
+	unsigned int sigsize = 0;
+	bool response;
+
+	REQUIRE(msg != NULL);
+	key = dns_message_gettsigkey(msg);
+	REQUIRE(VALID_TSIG_KEY(key));
+
+	/*
+	 * If this is a response, there should be a TSIG in the query with the
+	 * the exception if this is a TKEY request (see RFC 3645, Section 2.2).
+	 */
+	response = is_response(msg);
+	if (response && msg->querytsig == NULL) {
+		if (msg->tkey != 1) {
+			return (DNS_R_EXPECTEDTSIG);
+		}
+	}
+
+	mctx = msg->mctx;
+
+	tsig.mctx = mctx;
+	tsig.common.rdclass = dns_rdataclass_any;
+	tsig.common.rdtype = dns_rdatatype_tsig;
+	ISC_LINK_INIT(&tsig.common, link);
+	dns_name_init(&tsig.algorithm, NULL);
+	dns_name_clone(key->algorithm, &tsig.algorithm);
+
+	isc_stdtime_get(&now);
+	tsig.timesigned = now + msg->timeadjust;
+	tsig.fudge = DNS_TSIG_FUDGE;
+
+	tsig.originalid = msg->id;
+
+	isc_buffer_init(&databuf, data, sizeof(data));
+
+	if (response) {
+		tsig.error = msg->querytsigstatus;
+	} else {
+		tsig.error = dns_rcode_noerror;
+	}
+
+	if (tsig.error != dns_tsigerror_badtime) {
+		tsig.otherlen = 0;
+		tsig.other = NULL;
+	} else {
+		isc_buffer_t otherbuf;
+
+		tsig.otherlen = BADTIMELEN;
+		tsig.other = badtimedata;
+		isc_buffer_init(&otherbuf, tsig.other, tsig.otherlen);
+		isc_buffer_putuint48(&otherbuf, tsig.timesigned);
+	}
+
+	if ((key->key != NULL) && (tsig.error != dns_tsigerror_badsig) &&
+	    (tsig.error != dns_tsigerror_badkey))
+	{
+		unsigned char header[DNS_MESSAGE_HEADERLEN];
+		isc_buffer_t headerbuf;
+		uint16_t digestbits;
+		bool querytsig_ok = false;
+
+		/*
+		 * If it is a response, we assume that the request MAC
+		 * has validated at this point. This is why we include a
+		 * MAC length > 0 in the reply.
+		 */
+		ret = dst_context_create(key->key, mctx, DNS_LOGCATEGORY_DNSSEC,
+					 true, 0, &ctx);
+		if (ret != ISC_R_SUCCESS) {
+			return (ret);
+		}
+
+		/*
+		 * If this is a response, and if there was a TSIG in
+		 * the query, digest the request's MAC.
+		 *
+		 * (Note: querytsig should be non-NULL for all
+		 * responses except TKEY responses. Those may be signed
+		 * with the newly-negotiated TSIG key even if the query
+		 * wasn't signed.)
+		 */
+		if (response && msg->querytsig != NULL) {
+			dns_rdata_t querytsigrdata = DNS_RDATA_INIT;
+
+			INSIST(msg->verified_sig);
+
+			ret = dns_rdataset_first(msg->querytsig);
+			if (ret != ISC_R_SUCCESS) {
+				goto cleanup_context;
+			}
+			dns_rdataset_current(msg->querytsig, &querytsigrdata);
+			ret = dns_rdata_tostruct(&querytsigrdata, &querytsig,
+						 NULL);
+			if (ret != ISC_R_SUCCESS) {
+				goto cleanup_context;
+			}
+			isc_buffer_putuint16(&databuf, querytsig.siglen);
+			if (isc_buffer_availablelength(&databuf) <
+			    querytsig.siglen)
+			{
+				ret = ISC_R_NOSPACE;
+				goto cleanup_context;
+			}
+			isc_buffer_putmem(&databuf, querytsig.signature,
+					  querytsig.siglen);
+			isc_buffer_usedregion(&databuf, &r);
+			ret = dst_context_adddata(ctx, &r);
+			if (ret != ISC_R_SUCCESS) {
+				goto cleanup_context;
+			}
+			querytsig_ok = true;
+		}
+
+		/*
+		 * Digest the header.
+		 */
+		isc_buffer_init(&headerbuf, header, sizeof(header));
+		dns_message_renderheader(msg, &headerbuf);
+		isc_buffer_usedregion(&headerbuf, &r);
+		ret = dst_context_adddata(ctx, &r);
+		if (ret != ISC_R_SUCCESS) {
+			goto cleanup_context;
+		}
+
+		/*
+		 * Digest the remainder of the message.
+		 */
+		isc_buffer_usedregion(msg->buffer, &r);
+		isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
+		ret = dst_context_adddata(ctx, &r);
+		if (ret != ISC_R_SUCCESS) {
+			goto cleanup_context;
+		}
+
+		if (msg->tcp_continuation == 0) {
+			/*
+			 * Digest the name, class, ttl, alg.
+			 */
+			dns_name_toregion(&key->name, &r);
+			ret = dst_context_adddata(ctx, &r);
+			if (ret != ISC_R_SUCCESS) {
+				goto cleanup_context;
+			}
+
+			isc_buffer_clear(&databuf);
+			isc_buffer_putuint16(&databuf, dns_rdataclass_any);
+			isc_buffer_putuint32(&databuf, 0); /* ttl */
+			isc_buffer_usedregion(&databuf, &r);
+			ret = dst_context_adddata(ctx, &r);
+			if (ret != ISC_R_SUCCESS) {
+				goto cleanup_context;
+			}
+
+			dns_name_toregion(&tsig.algorithm, &r);
+			ret = dst_context_adddata(ctx, &r);
+			if (ret != ISC_R_SUCCESS) {
+				goto cleanup_context;
+			}
+		}
+		/* Digest the timesigned and fudge */
+		isc_buffer_clear(&databuf);
+		if (tsig.error == dns_tsigerror_badtime && querytsig_ok) {
+			tsig.timesigned = querytsig.timesigned;
+		}
+		isc_buffer_putuint48(&databuf, tsig.timesigned);
+		isc_buffer_putuint16(&databuf, tsig.fudge);
+		isc_buffer_usedregion(&databuf, &r);
+		ret = dst_context_adddata(ctx, &r);
+		if (ret != ISC_R_SUCCESS) {
+			goto cleanup_context;
+		}
+
+		if (msg->tcp_continuation == 0) {
+			/*
+			 * Digest the error and other data length.
+			 */
+			isc_buffer_clear(&databuf);
+			isc_buffer_putuint16(&databuf, tsig.error);
+			isc_buffer_putuint16(&databuf, tsig.otherlen);
+
+			isc_buffer_usedregion(&databuf, &r);
+			ret = dst_context_adddata(ctx, &r);
+			if (ret != ISC_R_SUCCESS) {
+				goto cleanup_context;
+			}
+
+			/*
+			 * Digest other data.
+			 */
+			if (tsig.otherlen > 0) {
+				r.length = tsig.otherlen;
+				r.base = tsig.other;
+				ret = dst_context_adddata(ctx, &r);
+				if (ret != ISC_R_SUCCESS) {
+					goto cleanup_context;
+				}
+			}
+		}
+
+		ret = dst_key_sigsize(key->key, &sigsize);
+		if (ret != ISC_R_SUCCESS) {
+			goto cleanup_context;
+		}
+		tsig.signature = isc_mem_get(mctx, sigsize);
+
+		isc_buffer_init(&sigbuf, tsig.signature, sigsize);
+		ret = dst_context_sign(ctx, &sigbuf);
+		if (ret != ISC_R_SUCCESS) {
+			goto cleanup_signature;
+		}
+		dst_context_destroy(&ctx);
+		digestbits = dst_key_getbits(key->key);
+		if (digestbits != 0) {
+			unsigned int bytes = (digestbits + 7) / 8;
+			if (querytsig_ok && bytes < querytsig.siglen) {
+				bytes = querytsig.siglen;
+			}
+			if (bytes > isc_buffer_usedlength(&sigbuf)) {
+				bytes = isc_buffer_usedlength(&sigbuf);
+			}
+			tsig.siglen = bytes;
+		} else {
+			tsig.siglen = isc_buffer_usedlength(&sigbuf);
+		}
+	} else {
+		tsig.siglen = 0;
+		tsig.signature = NULL;
+	}
+
+	ret = dns_message_gettemprdata(msg, &rdata);
+	if (ret != ISC_R_SUCCESS) {
+		goto cleanup_signature;
+	}
+	isc_buffer_allocate(msg->mctx, &dynbuf, 512);
+	ret = dns_rdata_fromstruct(rdata, dns_rdataclass_any,
+				   dns_rdatatype_tsig, &tsig, dynbuf);
+	if (ret != ISC_R_SUCCESS) {
+		goto cleanup_dynbuf;
+	}
+
+	dns_message_takebuffer(msg, &dynbuf);
+
+	if (tsig.signature != NULL) {
+		isc_mem_put(mctx, tsig.signature, sigsize);
+		tsig.signature = NULL;
+	}
+
+	ret = dns_message_gettempname(msg, &owner);
+	if (ret != ISC_R_SUCCESS) {
+		goto cleanup_rdata;
+	}
+	dns_name_copynf(&key->name, owner);
+
+	ret = dns_message_gettemprdatalist(msg, &datalist);
+	if (ret != ISC_R_SUCCESS) {
+		goto cleanup_owner;
+	}
+
+	ret = dns_message_gettemprdataset(msg, &dataset);
+	if (ret != ISC_R_SUCCESS) {
+		goto cleanup_rdatalist;
+	}
+	datalist->rdclass = dns_rdataclass_any;
+	datalist->type = dns_rdatatype_tsig;
+	ISC_LIST_APPEND(datalist->rdata, rdata, link);
+	RUNTIME_CHECK(dns_rdatalist_tordataset(datalist, dataset) ==
+		      ISC_R_SUCCESS);
+	msg->tsig = dataset;
+	msg->tsigname = owner;
+
+	/* Windows does not like the tsig name being compressed. */
+	msg->tsigname->attributes |= DNS_NAMEATTR_NOCOMPRESS;
+
+	return (ISC_R_SUCCESS);
+
+cleanup_rdatalist:
+	dns_message_puttemprdatalist(msg, &datalist);
+cleanup_owner:
+	dns_message_puttempname(msg, &owner);
+	goto cleanup_rdata;
+cleanup_dynbuf:
+	isc_buffer_free(&dynbuf);
+cleanup_rdata:
+	dns_message_puttemprdata(msg, &rdata);
+cleanup_signature:
+	if (tsig.signature != NULL) {
+		isc_mem_put(mctx, tsig.signature, sigsize);
+	}
+cleanup_context:
+	if (ctx != NULL) {
+		dst_context_destroy(&ctx);
+	}
+	return (ret);
+}
+
+isc_result_t
+dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
+		dns_tsig_keyring_t *ring1, dns_tsig_keyring_t *ring2) {
+	dns_rdata_any_tsig_t tsig, querytsig;
+	isc_region_t r, source_r, header_r, sig_r;
+	isc_buffer_t databuf;
+	unsigned char data[32];
+	dns_name_t *keyname;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_stdtime_t now;
+	isc_result_t ret;
+	dns_tsigkey_t *tsigkey;
+	dst_key_t *key = NULL;
+	unsigned char header[DNS_MESSAGE_HEADERLEN];
+	dst_context_t *ctx = NULL;
+	isc_mem_t *mctx;
+	uint16_t addcount, id;
+	unsigned int siglen;
+	unsigned int alg;
+	bool response;
+
+	REQUIRE(source != NULL);
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	tsigkey = dns_message_gettsigkey(msg);
+	response = is_response(msg);
+
+	REQUIRE(tsigkey == NULL || VALID_TSIG_KEY(tsigkey));
+
+	msg->verify_attempted = 1;
+	msg->verified_sig = 0;
+	msg->tsigstatus = dns_tsigerror_badsig;
+
+	if (msg->tcp_continuation) {
+		if (tsigkey == NULL || msg->querytsig == NULL) {
+			return (DNS_R_UNEXPECTEDTSIG);
+		}
+		return (tsig_verify_tcp(source, msg));
+	}
+
+	/*
+	 * There should be a TSIG record...
+	 */
+	if (msg->tsig == NULL) {
+		return (DNS_R_EXPECTEDTSIG);
+	}
+
+	/*
+	 * If this is a response and there's no key or query TSIG, there
+	 * shouldn't be one on the response.
+	 */
+	if (response && (tsigkey == NULL || msg->querytsig == NULL)) {
+		return (DNS_R_UNEXPECTEDTSIG);
+	}
+
+	mctx = msg->mctx;
+
+	/*
+	 * If we're here, we know the message is well formed and contains a
+	 * TSIG record.
+	 */
+
+	keyname = msg->tsigname;
+	ret = dns_rdataset_first(msg->tsig);
+	if (ret != ISC_R_SUCCESS) {
+		return (ret);
+	}
+	dns_rdataset_current(msg->tsig, &rdata);
+	ret = dns_rdata_tostruct(&rdata, &tsig, NULL);
+	if (ret != ISC_R_SUCCESS) {
+		return (ret);
+	}
+	dns_rdata_reset(&rdata);
+	if (response) {
+		ret = dns_rdataset_first(msg->querytsig);
+		if (ret != ISC_R_SUCCESS) {
+			return (ret);
+		}
+		dns_rdataset_current(msg->querytsig, &rdata);
+		ret = dns_rdata_tostruct(&rdata, &querytsig, NULL);
+		if (ret != ISC_R_SUCCESS) {
+			return (ret);
+		}
+	}
+
+	/*
+	 * Do the key name and algorithm match that of the query?
+	 */
+	if (response &&
+	    (!dns_name_equal(keyname, &tsigkey->name) ||
+	     !dns_name_equal(&tsig.algorithm, &querytsig.algorithm)))
+	{
+		msg->tsigstatus = dns_tsigerror_badkey;
+		tsig_log(msg->tsigkey, 2,
+			 "key name and algorithm do not match");
+		return (DNS_R_TSIGVERIFYFAILURE);
+	}
+
+	/*
+	 * Get the current time.
+	 */
+	isc_stdtime_get(&now);
+
+	/*
+	 * Find dns_tsigkey_t based on keyname.
+	 */
+	if (tsigkey == NULL) {
+		ret = ISC_R_NOTFOUND;
+		if (ring1 != NULL) {
+			ret = dns_tsigkey_find(&tsigkey, keyname,
+					       &tsig.algorithm, ring1);
+		}
+		if (ret == ISC_R_NOTFOUND && ring2 != NULL) {
+			ret = dns_tsigkey_find(&tsigkey, keyname,
+					       &tsig.algorithm, ring2);
+		}
+		if (ret != ISC_R_SUCCESS) {
+			msg->tsigstatus = dns_tsigerror_badkey;
+			ret = dns_tsigkey_create(keyname, &tsig.algorithm, NULL,
+						 0, false, NULL, now, now, mctx,
+						 NULL, &msg->tsigkey);
+			if (ret != ISC_R_SUCCESS) {
+				return (ret);
+			}
+			tsig_log(msg->tsigkey, 2, "unknown key");
+			return (DNS_R_TSIGVERIFYFAILURE);
+		}
+		msg->tsigkey = tsigkey;
+	}
+
+	key = tsigkey->key;
+
+	/*
+	 * Check digest length.
+	 */
+	alg = dst_key_alg(key);
+	ret = dst_key_sigsize(key, &siglen);
+	if (ret != ISC_R_SUCCESS) {
+		return (ret);
+	}
+	if (dns__tsig_algvalid(alg)) {
+		if (tsig.siglen > siglen) {
+			tsig_log(msg->tsigkey, 2, "signature length too big");
+			return (DNS_R_FORMERR);
+		}
+		if (tsig.siglen > 0 &&
+		    (tsig.siglen < 10 || tsig.siglen < ((siglen + 1) / 2)))
+		{
+			tsig_log(msg->tsigkey, 2,
+				 "signature length below minimum");
+			return (DNS_R_FORMERR);
+		}
+	}
+
+	if (tsig.siglen > 0) {
+		uint16_t addcount_n;
+
+		sig_r.base = tsig.signature;
+		sig_r.length = tsig.siglen;
+
+		ret = dst_context_create(key, mctx, DNS_LOGCATEGORY_DNSSEC,
+					 false, 0, &ctx);
+		if (ret != ISC_R_SUCCESS) {
+			return (ret);
+		}
+
+		if (response) {
+			isc_buffer_init(&databuf, data, sizeof(data));
+			isc_buffer_putuint16(&databuf, querytsig.siglen);
+			isc_buffer_usedregion(&databuf, &r);
+			ret = dst_context_adddata(ctx, &r);
+			if (ret != ISC_R_SUCCESS) {
+				goto cleanup_context;
+			}
+			if (querytsig.siglen > 0) {
+				r.length = querytsig.siglen;
+				r.base = querytsig.signature;
+				ret = dst_context_adddata(ctx, &r);
+				if (ret != ISC_R_SUCCESS) {
+					goto cleanup_context;
+				}
+			}
+		}
+
+		/*
+		 * Extract the header.
+		 */
+		isc_buffer_usedregion(source, &r);
+		memmove(header, r.base, DNS_MESSAGE_HEADERLEN);
+		isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
+
+		/*
+		 * Decrement the additional field counter.
+		 */
+		memmove(&addcount, &header[DNS_MESSAGE_HEADERLEN - 2], 2);
+		addcount_n = ntohs(addcount);
+		addcount = htons((uint16_t)(addcount_n - 1));
+		memmove(&header[DNS_MESSAGE_HEADERLEN - 2], &addcount, 2);
+
+		/*
+		 * Put in the original id.
+		 */
+		id = htons(tsig.originalid);
+		memmove(&header[0], &id, 2);
+
+		/*
+		 * Digest the modified header.
+		 */
+		header_r.base = (unsigned char *)header;
+		header_r.length = DNS_MESSAGE_HEADERLEN;
+		ret = dst_context_adddata(ctx, &header_r);
+		if (ret != ISC_R_SUCCESS) {
+			goto cleanup_context;
+		}
+
+		/*
+		 * Digest all non-TSIG records.
+		 */
+		isc_buffer_usedregion(source, &source_r);
+		r.base = source_r.base + DNS_MESSAGE_HEADERLEN;
+		r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
+		ret = dst_context_adddata(ctx, &r);
+		if (ret != ISC_R_SUCCESS) {
+			goto cleanup_context;
+		}
+
+		/*
+		 * Digest the key name.
+		 */
+		dns_name_toregion(&tsigkey->name, &r);
+		ret = dst_context_adddata(ctx, &r);
+		if (ret != ISC_R_SUCCESS) {
+			goto cleanup_context;
+		}
+
+		isc_buffer_init(&databuf, data, sizeof(data));
+		isc_buffer_putuint16(&databuf, tsig.common.rdclass);
+		isc_buffer_putuint32(&databuf, msg->tsig->ttl);
+		isc_buffer_usedregion(&databuf, &r);
+		ret = dst_context_adddata(ctx, &r);
+		if (ret != ISC_R_SUCCESS) {
+			goto cleanup_context;
+		}
+
+		/*
+		 * Digest the key algorithm.
+		 */
+		dns_name_toregion(tsigkey->algorithm, &r);
+		ret = dst_context_adddata(ctx, &r);
+		if (ret != ISC_R_SUCCESS) {
+			goto cleanup_context;
+		}
+
+		isc_buffer_clear(&databuf);
+		isc_buffer_putuint48(&databuf, tsig.timesigned);
+		isc_buffer_putuint16(&databuf, tsig.fudge);
+		isc_buffer_putuint16(&databuf, tsig.error);
+		isc_buffer_putuint16(&databuf, tsig.otherlen);
+		isc_buffer_usedregion(&databuf, &r);
+		ret = dst_context_adddata(ctx, &r);
+		if (ret != ISC_R_SUCCESS) {
+			goto cleanup_context;
+		}
+
+		if (tsig.otherlen > 0) {
+			r.base = tsig.other;
+			r.length = tsig.otherlen;
+			ret = dst_context_adddata(ctx, &r);
+			if (ret != ISC_R_SUCCESS) {
+				goto cleanup_context;
+			}
+		}
+
+		ret = dst_context_verify(ctx, &sig_r);
+		if (ret == DST_R_VERIFYFAILURE) {
+			ret = DNS_R_TSIGVERIFYFAILURE;
+			tsig_log(msg->tsigkey, 2,
+				 "signature failed to verify(1)");
+			goto cleanup_context;
+		} else if (ret != ISC_R_SUCCESS) {
+			goto cleanup_context;
+		}
+		msg->verified_sig = 1;
+	} else if (!response || (tsig.error != dns_tsigerror_badsig &&
+				 tsig.error != dns_tsigerror_badkey))
+	{
+		tsig_log(msg->tsigkey, 2, "signature was empty");
+		return (DNS_R_TSIGVERIFYFAILURE);
+	}
+
+	/*
+	 * Here at this point, the MAC has been verified. Even if any of
+	 * the following code returns a TSIG error, the reply will be
+	 * signed and WILL always include the request MAC in the digest
+	 * computation.
+	 */
+
+	/*
+	 * Is the time ok?
+	 */
+	if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) {
+		msg->tsigstatus = dns_tsigerror_badtime;
+		tsig_log(msg->tsigkey, 2, "signature has expired");
+		ret = DNS_R_CLOCKSKEW;
+		goto cleanup_context;
+	} else if (now + msg->timeadjust < tsig.timesigned - tsig.fudge) {
+		msg->tsigstatus = dns_tsigerror_badtime;
+		tsig_log(msg->tsigkey, 2, "signature is in the future");
+		ret = DNS_R_CLOCKSKEW;
+		goto cleanup_context;
+	}
+
+	if (dns__tsig_algvalid(alg)) {
+		uint16_t digestbits = dst_key_getbits(key);
+
+		if (tsig.siglen > 0 && digestbits != 0 &&
+		    tsig.siglen < ((digestbits + 7) / 8))
+		{
+			msg->tsigstatus = dns_tsigerror_badtrunc;
+			tsig_log(msg->tsigkey, 2,
+				 "truncated signature length too small");
+			ret = DNS_R_TSIGVERIFYFAILURE;
+			goto cleanup_context;
+		}
+		if (tsig.siglen > 0 && digestbits == 0 && tsig.siglen < siglen)
+		{
+			msg->tsigstatus = dns_tsigerror_badtrunc;
+			tsig_log(msg->tsigkey, 2, "signature length too small");
+			ret = DNS_R_TSIGVERIFYFAILURE;
+			goto cleanup_context;
+		}
+	}
+
+	if (response && tsig.error != dns_rcode_noerror) {
+		msg->tsigstatus = tsig.error;
+		if (tsig.error == dns_tsigerror_badtime) {
+			ret = DNS_R_CLOCKSKEW;
+		} else {
+			ret = DNS_R_TSIGERRORSET;
+		}
+		goto cleanup_context;
+	}
+
+	msg->tsigstatus = dns_rcode_noerror;
+	ret = ISC_R_SUCCESS;
+
+cleanup_context:
+	if (ctx != NULL) {
+		dst_context_destroy(&ctx);
+	}
+
+	return (ret);
+}
+
+static isc_result_t
+tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
+	dns_rdata_any_tsig_t tsig, querytsig;
+	isc_region_t r, source_r, header_r, sig_r;
+	isc_buffer_t databuf;
+	unsigned char data[32];
+	dns_name_t *keyname;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_stdtime_t now;
+	isc_result_t ret;
+	dns_tsigkey_t *tsigkey;
+	dst_key_t *key = NULL;
+	unsigned char header[DNS_MESSAGE_HEADERLEN];
+	uint16_t addcount, id;
+	bool has_tsig = false;
+	isc_mem_t *mctx;
+	unsigned int siglen;
+	unsigned int alg;
+
+	REQUIRE(source != NULL);
+	REQUIRE(msg != NULL);
+	REQUIRE(dns_message_gettsigkey(msg) != NULL);
+	REQUIRE(msg->tcp_continuation == 1);
+	REQUIRE(msg->querytsig != NULL);
+
+	msg->verified_sig = 0;
+	msg->tsigstatus = dns_tsigerror_badsig;
+
+	if (!is_response(msg)) {
+		return (DNS_R_EXPECTEDRESPONSE);
+	}
+
+	mctx = msg->mctx;
+
+	tsigkey = dns_message_gettsigkey(msg);
+	key = tsigkey->key;
+
+	/*
+	 * Extract and parse the previous TSIG
+	 */
+	ret = dns_rdataset_first(msg->querytsig);
+	if (ret != ISC_R_SUCCESS) {
+		return (ret);
+	}
+	dns_rdataset_current(msg->querytsig, &rdata);
+	ret = dns_rdata_tostruct(&rdata, &querytsig, NULL);
+	if (ret != ISC_R_SUCCESS) {
+		return (ret);
+	}
+	dns_rdata_reset(&rdata);
+
+	/*
+	 * If there is a TSIG in this message, do some checks.
+	 */
+	if (msg->tsig != NULL) {
+		has_tsig = true;
+
+		keyname = msg->tsigname;
+		ret = dns_rdataset_first(msg->tsig);
+		if (ret != ISC_R_SUCCESS) {
+			goto cleanup_querystruct;
+		}
+		dns_rdataset_current(msg->tsig, &rdata);
+		ret = dns_rdata_tostruct(&rdata, &tsig, NULL);
+		if (ret != ISC_R_SUCCESS) {
+			goto cleanup_querystruct;
+		}
+
+		/*
+		 * Do the key name and algorithm match that of the query?
+		 */
+		if (!dns_name_equal(keyname, &tsigkey->name) ||
+		    !dns_name_equal(&tsig.algorithm, &querytsig.algorithm))
+		{
+			msg->tsigstatus = dns_tsigerror_badkey;
+			ret = DNS_R_TSIGVERIFYFAILURE;
+			tsig_log(msg->tsigkey, 2,
+				 "key name and algorithm do not match");
+			goto cleanup_querystruct;
+		}
+
+		/*
+		 * Check digest length.
+		 */
+		alg = dst_key_alg(key);
+		ret = dst_key_sigsize(key, &siglen);
+		if (ret != ISC_R_SUCCESS) {
+			goto cleanup_querystruct;
+		}
+		if (dns__tsig_algvalid(alg)) {
+			if (tsig.siglen > siglen) {
+				tsig_log(tsigkey, 2,
+					 "signature length too big");
+				ret = DNS_R_FORMERR;
+				goto cleanup_querystruct;
+			}
+			if (tsig.siglen > 0 &&
+			    (tsig.siglen < 10 ||
+			     tsig.siglen < ((siglen + 1) / 2)))
+			{
+				tsig_log(tsigkey, 2,
+					 "signature length below minimum");
+				ret = DNS_R_FORMERR;
+				goto cleanup_querystruct;
+			}
+		}
+	}
+
+	if (msg->tsigctx == NULL) {
+		ret = dst_context_create(key, mctx, DNS_LOGCATEGORY_DNSSEC,
+					 false, 0, &msg->tsigctx);
+		if (ret != ISC_R_SUCCESS) {
+			goto cleanup_querystruct;
+		}
+
+		/*
+		 * Digest the length of the query signature
+		 */
+		isc_buffer_init(&databuf, data, sizeof(data));
+		isc_buffer_putuint16(&databuf, querytsig.siglen);
+		isc_buffer_usedregion(&databuf, &r);
+		ret = dst_context_adddata(msg->tsigctx, &r);
+		if (ret != ISC_R_SUCCESS) {
+			goto cleanup_context;
+		}
+
+		/*
+		 * Digest the data of the query signature
+		 */
+		if (querytsig.siglen > 0) {
+			r.length = querytsig.siglen;
+			r.base = querytsig.signature;
+			ret = dst_context_adddata(msg->tsigctx, &r);
+			if (ret != ISC_R_SUCCESS) {
+				goto cleanup_context;
+			}
+		}
+	}
+
+	/*
+	 * Extract the header.
+	 */
+	isc_buffer_usedregion(source, &r);
+	memmove(header, r.base, DNS_MESSAGE_HEADERLEN);
+	isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
+
+	/*
+	 * Decrement the additional field counter if necessary.
+	 */
+	if (has_tsig) {
+		uint16_t addcount_n;
+
+		memmove(&addcount, &header[DNS_MESSAGE_HEADERLEN - 2], 2);
+		addcount_n = ntohs(addcount);
+		addcount = htons((uint16_t)(addcount_n - 1));
+		memmove(&header[DNS_MESSAGE_HEADERLEN - 2], &addcount, 2);
+
+		/*
+		 * Put in the original id.
+		 *
+		 * XXX Can TCP transfers be forwarded?  How would that
+		 * work?
+		 */
+		/* cppcheck-suppress uninitStructMember
+		 * symbolName=tsig.originalid */
+		id = htons(tsig.originalid);
+		memmove(&header[0], &id, 2);
+	}
+
+	/*
+	 * Digest the modified header.
+	 */
+	header_r.base = (unsigned char *)header;
+	header_r.length = DNS_MESSAGE_HEADERLEN;
+	ret = dst_context_adddata(msg->tsigctx, &header_r);
+	if (ret != ISC_R_SUCCESS) {
+		goto cleanup_context;
+	}
+
+	/*
+	 * Digest all non-TSIG records.
+	 */
+	isc_buffer_usedregion(source, &source_r);
+	r.base = source_r.base + DNS_MESSAGE_HEADERLEN;
+	if (has_tsig) {
+		r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
+	} else {
+		r.length = source_r.length - DNS_MESSAGE_HEADERLEN;
+	}
+	ret = dst_context_adddata(msg->tsigctx, &r);
+	if (ret != ISC_R_SUCCESS) {
+		goto cleanup_context;
+	}
+
+	/*
+	 * Digest the time signed and fudge.
+	 */
+	if (has_tsig) {
+		isc_buffer_init(&databuf, data, sizeof(data));
+		isc_buffer_putuint48(&databuf, tsig.timesigned);
+		isc_buffer_putuint16(&databuf, tsig.fudge);
+		isc_buffer_usedregion(&databuf, &r);
+		ret = dst_context_adddata(msg->tsigctx, &r);
+		if (ret != ISC_R_SUCCESS) {
+			goto cleanup_context;
+		}
+
+		sig_r.base = tsig.signature;
+		sig_r.length = tsig.siglen;
+		if (tsig.siglen == 0) {
+			if (tsig.error != dns_rcode_noerror) {
+				msg->tsigstatus = tsig.error;
+				if (tsig.error == dns_tsigerror_badtime) {
+					ret = DNS_R_CLOCKSKEW;
+				} else {
+					ret = DNS_R_TSIGERRORSET;
+				}
+			} else {
+				tsig_log(msg->tsigkey, 2, "signature is empty");
+				ret = DNS_R_TSIGVERIFYFAILURE;
+			}
+			goto cleanup_context;
+		}
+
+		ret = dst_context_verify(msg->tsigctx, &sig_r);
+		if (ret == DST_R_VERIFYFAILURE) {
+			tsig_log(msg->tsigkey, 2,
+				 "signature failed to verify(2)");
+			ret = DNS_R_TSIGVERIFYFAILURE;
+			goto cleanup_context;
+		} else if (ret != ISC_R_SUCCESS) {
+			goto cleanup_context;
+		}
+		msg->verified_sig = 1;
+
+		/*
+		 * Here at this point, the MAC has been verified. Even
+		 * if any of the following code returns a TSIG error,
+		 * the reply will be signed and WILL always include the
+		 * request MAC in the digest computation.
+		 */
+
+		/*
+		 * Is the time ok?
+		 */
+		isc_stdtime_get(&now);
+
+		if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) {
+			msg->tsigstatus = dns_tsigerror_badtime;
+			tsig_log(msg->tsigkey, 2, "signature has expired");
+			ret = DNS_R_CLOCKSKEW;
+			goto cleanup_context;
+		} else if (now + msg->timeadjust < tsig.timesigned - tsig.fudge)
+		{
+			msg->tsigstatus = dns_tsigerror_badtime;
+			tsig_log(msg->tsigkey, 2, "signature is in the future");
+			ret = DNS_R_CLOCKSKEW;
+			goto cleanup_context;
+		}
+
+		alg = dst_key_alg(key);
+		ret = dst_key_sigsize(key, &siglen);
+		if (ret != ISC_R_SUCCESS) {
+			goto cleanup_context;
+		}
+		if (dns__tsig_algvalid(alg)) {
+			uint16_t digestbits = dst_key_getbits(key);
+
+			if (tsig.siglen > 0 && digestbits != 0 &&
+			    tsig.siglen < ((digestbits + 7) / 8))
+			{
+				msg->tsigstatus = dns_tsigerror_badtrunc;
+				tsig_log(msg->tsigkey, 2,
+					 "truncated signature length "
+					 "too small");
+				ret = DNS_R_TSIGVERIFYFAILURE;
+				goto cleanup_context;
+			}
+			if (tsig.siglen > 0 && digestbits == 0 &&
+			    tsig.siglen < siglen)
+			{
+				msg->tsigstatus = dns_tsigerror_badtrunc;
+				tsig_log(msg->tsigkey, 2,
+					 "signature length too small");
+				ret = DNS_R_TSIGVERIFYFAILURE;
+				goto cleanup_context;
+			}
+		}
+
+		if (tsig.error != dns_rcode_noerror) {
+			msg->tsigstatus = tsig.error;
+			if (tsig.error == dns_tsigerror_badtime) {
+				ret = DNS_R_CLOCKSKEW;
+			} else {
+				ret = DNS_R_TSIGERRORSET;
+			}
+			goto cleanup_context;
+		}
+	}
+
+	msg->tsigstatus = dns_rcode_noerror;
+	ret = ISC_R_SUCCESS;
+
+cleanup_context:
+	/*
+	 * Except in error conditions, don't destroy the DST context
+	 * for unsigned messages; it is a running sum till the next
+	 * TSIG signed message.
+	 */
+	if ((ret != ISC_R_SUCCESS || has_tsig) && msg->tsigctx != NULL) {
+		dst_context_destroy(&msg->tsigctx);
+	}
+
+cleanup_querystruct:
+	dns_rdata_freestruct(&querytsig);
+
+	return (ret);
+}
+
+isc_result_t
+dns_tsigkey_find(dns_tsigkey_t **tsigkey, const dns_name_t *name,
+		 const dns_name_t *algorithm, dns_tsig_keyring_t *ring) {
+	dns_tsigkey_t *key;
+	isc_stdtime_t now;
+	isc_result_t result;
+
+	REQUIRE(tsigkey != NULL);
+	REQUIRE(*tsigkey == NULL);
+	REQUIRE(name != NULL);
+	REQUIRE(ring != NULL);
+
+	RWLOCK(&ring->lock, isc_rwlocktype_write);
+	cleanup_ring(ring);
+	RWUNLOCK(&ring->lock, isc_rwlocktype_write);
+
+	isc_stdtime_get(&now);
+	RWLOCK(&ring->lock, isc_rwlocktype_read);
+	key = NULL;
+	result = dns_rbt_findname(ring->keys, name, 0, NULL, (void *)&key);
+	if (result == DNS_R_PARTIALMATCH || result == ISC_R_NOTFOUND) {
+		RWUNLOCK(&ring->lock, isc_rwlocktype_read);
+		return (ISC_R_NOTFOUND);
+	}
+	if (algorithm != NULL && !dns_name_equal(key->algorithm, algorithm)) {
+		RWUNLOCK(&ring->lock, isc_rwlocktype_read);
+		return (ISC_R_NOTFOUND);
+	}
+	if (key->inception != key->expire && isc_serial_lt(key->expire, now)) {
+		/*
+		 * The key has expired.
+		 */
+		RWUNLOCK(&ring->lock, isc_rwlocktype_read);
+		RWLOCK(&ring->lock, isc_rwlocktype_write);
+		remove_fromring(key);
+		RWUNLOCK(&ring->lock, isc_rwlocktype_write);
+		return (ISC_R_NOTFOUND);
+	}
+#if 0
+	/*
+	 * MPAXXX We really should look at the inception time.
+	 */
+	if (key->inception != key->expire &&
+	    isc_serial_lt(key->inception, now)) {
+		RWUNLOCK(&ring->lock, isc_rwlocktype_read);
+		adjust_lru(key);
+		return (ISC_R_NOTFOUND);
+	}
+#endif /* if 0 */
+	isc_refcount_increment(&key->refs);
+	RWUNLOCK(&ring->lock, isc_rwlocktype_read);
+	adjust_lru(key);
+	*tsigkey = key;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+free_tsignode(void *node, void *_unused) {
+	dns_tsigkey_t *key;
+
+	REQUIRE(node != NULL);
+
+	UNUSED(_unused);
+
+	key = node;
+	if (key->generated) {
+		if (ISC_LINK_LINKED(key, link)) {
+			ISC_LIST_UNLINK(key->ring->lru, key, link);
+		}
+	}
+	dns_tsigkey_detach(&key);
+}
+
+isc_result_t
+dns_tsigkeyring_create(isc_mem_t *mctx, dns_tsig_keyring_t **ringp) {
+	isc_result_t result;
+	dns_tsig_keyring_t *ring;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(ringp != NULL);
+	REQUIRE(*ringp == NULL);
+
+	ring = isc_mem_get(mctx, sizeof(dns_tsig_keyring_t));
+
+	isc_rwlock_init(&ring->lock, 0, 0);
+	ring->keys = NULL;
+	result = dns_rbt_create(mctx, free_tsignode, NULL, &ring->keys);
+	if (result != ISC_R_SUCCESS) {
+		isc_rwlock_destroy(&ring->lock);
+		isc_mem_put(mctx, ring, sizeof(dns_tsig_keyring_t));
+		return (result);
+	}
+
+	ring->writecount = 0;
+	ring->mctx = NULL;
+	ring->generated = 0;
+	ring->maxgenerated = DNS_TSIG_MAXGENERATEDKEYS;
+	ISC_LIST_INIT(ring->lru);
+	isc_mem_attach(mctx, &ring->mctx);
+	isc_refcount_init(&ring->references, 1);
+
+	*ringp = ring;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_tsigkeyring_add(dns_tsig_keyring_t *ring, const dns_name_t *name,
+		    dns_tsigkey_t *tkey) {
+	isc_result_t result;
+
+	result = keyring_add(ring, name, tkey);
+	if (result == ISC_R_SUCCESS) {
+		isc_refcount_increment(&tkey->refs);
+	}
+
+	return (result);
+}
+
+void
+dns_tsigkeyring_attach(dns_tsig_keyring_t *source,
+		       dns_tsig_keyring_t **target) {
+	REQUIRE(source != NULL);
+	REQUIRE(target != NULL && *target == NULL);
+
+	isc_refcount_increment(&source->references);
+
+	*target = source;
+}
+
+void
+dns_tsigkeyring_detach(dns_tsig_keyring_t **ringp) {
+	dns_tsig_keyring_t *ring;
+
+	REQUIRE(ringp != NULL);
+	REQUIRE(*ringp != NULL);
+
+	ring = *ringp;
+	*ringp = NULL;
+
+	if (isc_refcount_decrement(&ring->references) == 1) {
+		destroyring(ring);
+	}
+}
+
+void
+dns_keyring_restore(dns_tsig_keyring_t *ring, FILE *fp) {
+	isc_stdtime_t now;
+	isc_result_t result;
+
+	isc_stdtime_get(&now);
+	do {
+		result = restore_key(ring, now, fp);
+		if (result == ISC_R_NOMORE) {
+			return;
+		}
+		if (result == DNS_R_BADALG || result == DNS_R_EXPIRED) {
+			result = ISC_R_SUCCESS;
+		}
+	} while (result == ISC_R_SUCCESS);
+}
diff --git a/lib/dns/tsig_p.h b/lib/dns/tsig_p.h
new file mode 100644
index 0000000..7cd9774
--- /dev/null
+++ b/lib/dns/tsig_p.h
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_TSIG_P_H
+#define DNS_TSIG_P_H
+
+/*! \file */
+
+#include <stdbool.h>
+
+#include <isc/result.h>
+
+#include <dns/types.h>
+
+/*%
+ *     These functions must not be used outside this module and
+ *     its associated unit tests.
+ */
+
+ISC_LANG_BEGINDECLS
+
+bool
+dns__tsig_algvalid(unsigned int alg);
+unsigned int
+dns__tsig_algfromname(const dns_name_t *algorithm);
+const dns_name_t *
+dns__tsig_algnamefromname(const dns_name_t *algorithm);
+bool
+dns__tsig_algallocated(const dns_name_t *algorithm);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_TSIG_P_H */
diff --git a/lib/dns/ttl.c b/lib/dns/ttl.c
new file mode 100644
index 0000000..86c0372
--- /dev/null
+++ b/lib/dns/ttl.c
@@ -0,0 +1,225 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <ctype.h>
+#include <errno.h>
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/parseint.h>
+#include <isc/print.h>
+#include <isc/region.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/result.h>
+#include <dns/ttl.h>
+
+#define RETERR(x)                        \
+	do {                             \
+		isc_result_t _r = (x);   \
+		if (_r != ISC_R_SUCCESS) \
+			return ((_r));   \
+	} while (0)
+
+static isc_result_t
+bind_ttl(isc_textregion_t *source, uint32_t *ttl);
+
+/*
+ * Helper for dns_ttl_totext().
+ */
+static isc_result_t
+ttlfmt(unsigned int t, const char *s, bool verbose, bool space,
+       isc_buffer_t *target) {
+	char tmp[60];
+	unsigned int len;
+	isc_region_t region;
+
+	if (verbose) {
+		len = snprintf(tmp, sizeof(tmp), "%s%u %s%s", space ? " " : "",
+			       t, s, t == 1 ? "" : "s");
+	} else {
+		len = snprintf(tmp, sizeof(tmp), "%u%c", t, s[0]);
+	}
+
+	INSIST(len + 1 <= sizeof(tmp));
+	isc_buffer_availableregion(target, &region);
+	if (len > region.length) {
+		return (ISC_R_NOSPACE);
+	}
+	memmove(region.base, tmp, len);
+	isc_buffer_add(target, len);
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Derived from bind8 ns_format_ttl().
+ */
+isc_result_t
+dns_ttl_totext(uint32_t src, bool verbose, bool upcase, isc_buffer_t *target) {
+	unsigned secs, mins, hours, days, weeks, x;
+
+	secs = src % 60;
+	src /= 60;
+	mins = src % 60;
+	src /= 60;
+	hours = src % 24;
+	src /= 24;
+	days = src % 7;
+	src /= 7;
+	weeks = src;
+	src = 0;
+	POST(src);
+
+	x = 0;
+	if (weeks != 0) {
+		RETERR(ttlfmt(weeks, "week", verbose, (x > 0), target));
+		x++;
+	}
+	if (days != 0) {
+		RETERR(ttlfmt(days, "day", verbose, (x > 0), target));
+		x++;
+	}
+	if (hours != 0) {
+		RETERR(ttlfmt(hours, "hour", verbose, (x > 0), target));
+		x++;
+	}
+	if (mins != 0) {
+		RETERR(ttlfmt(mins, "minute", verbose, (x > 0), target));
+		x++;
+	}
+	if (secs != 0 || (weeks == 0 && days == 0 && hours == 0 && mins == 0)) {
+		RETERR(ttlfmt(secs, "second", verbose, (x > 0), target));
+		x++;
+	}
+	INSIST(x > 0);
+	/*
+	 * If only a single unit letter is printed, print it
+	 * in upper case. (Why?  Because BIND 8 does that.
+	 * Presumably it has a reason.)
+	 */
+	if (x == 1 && upcase && !verbose) {
+		isc_region_t region;
+		/*
+		 * The unit letter is the last character in the
+		 * used region of the buffer.
+		 *
+		 * toupper() does not need its argument to be masked of cast
+		 * here because region.base is type unsigned char *.
+		 */
+		isc_buffer_usedregion(target, &region);
+		region.base[region.length - 1] =
+			toupper(region.base[region.length - 1]);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_counter_fromtext(isc_textregion_t *source, uint32_t *ttl) {
+	return (bind_ttl(source, ttl));
+}
+
+isc_result_t
+dns_ttl_fromtext(isc_textregion_t *source, uint32_t *ttl) {
+	isc_result_t result;
+
+	result = bind_ttl(source, ttl);
+	if (result != ISC_R_SUCCESS && result != ISC_R_RANGE) {
+		result = DNS_R_BADTTL;
+	}
+	return (result);
+}
+
+static isc_result_t
+bind_ttl(isc_textregion_t *source, uint32_t *ttl) {
+	uint64_t tmp = 0ULL;
+	uint32_t n;
+	char *s;
+	char buf[64];
+	char nbuf[64]; /* Number buffer */
+
+	/*
+	 * Copy the buffer as it may not be NULL terminated.
+	 * No legal counter / ttl is longer that 63 characters.
+	 */
+	if (source->length > sizeof(buf) - 1) {
+		return (DNS_R_SYNTAX);
+	}
+	/* Copy source->length bytes and NUL terminate. */
+	snprintf(buf, sizeof(buf), "%.*s", (int)source->length, source->base);
+	s = buf;
+
+	do {
+		isc_result_t result;
+
+		char *np = nbuf;
+		while (*s != '\0' && isdigit((unsigned char)*s)) {
+			*np++ = *s++;
+		}
+		*np++ = '\0';
+		INSIST(np - nbuf <= (int)sizeof(nbuf));
+		result = isc_parse_uint32(&n, nbuf, 10);
+		if (result != ISC_R_SUCCESS) {
+			return (DNS_R_SYNTAX);
+		}
+		switch (*s) {
+		case 'w':
+		case 'W':
+			tmp += (uint64_t)n * 7 * 24 * 3600;
+			s++;
+			break;
+		case 'd':
+		case 'D':
+			tmp += (uint64_t)n * 24 * 3600;
+			s++;
+			break;
+		case 'h':
+		case 'H':
+			tmp += (uint64_t)n * 3600;
+			s++;
+			break;
+		case 'm':
+		case 'M':
+			tmp += (uint64_t)n * 60;
+			s++;
+			break;
+		case 's':
+		case 'S':
+			tmp += (uint64_t)n;
+			s++;
+			break;
+		case '\0':
+			/* Plain number? */
+			if (tmp != 0ULL) {
+				return (DNS_R_SYNTAX);
+			}
+			tmp = n;
+			break;
+		default:
+			return (DNS_R_SYNTAX);
+		}
+	} while (*s != '\0');
+
+	if (tmp > 0xffffffffULL) {
+		return (ISC_R_RANGE);
+	}
+
+	*ttl = (uint32_t)(tmp & 0xffffffffUL);
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/dns/update.c b/lib/dns/update.c
new file mode 100644
index 0000000..9d71238
--- /dev/null
+++ b/lib/dns/update.c
@@ -0,0 +1,2280 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <time.h>
+
+#include <isc/log.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/netaddr.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/random.h>
+#include <isc/serial.h>
+#include <isc/stats.h>
+#include <isc/stdtime.h>
+#include <isc/string.h>
+#include <isc/taskpool.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/diff.h>
+#include <dns/dnssec.h>
+#include <dns/events.h>
+#include <dns/fixedname.h>
+#include <dns/journal.h>
+#include <dns/kasp.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/message.h>
+#include <dns/nsec.h>
+#include <dns/nsec3.h>
+#include <dns/private.h>
+#include <dns/rdataclass.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/soa.h>
+#include <dns/ssu.h>
+#include <dns/stats.h>
+#include <dns/tsig.h>
+#include <dns/update.h>
+#include <dns/view.h>
+#include <dns/zone.h>
+#include <dns/zt.h>
+
+/**************************************************************************/
+
+#define STATE_MAGIC	       ISC_MAGIC('S', 'T', 'T', 'E')
+#define DNS_STATE_VALID(state) ISC_MAGIC_VALID(state, STATE_MAGIC)
+
+/*%
+ * Log level for tracing dynamic update protocol requests.
+ */
+#define LOGLEVEL_PROTOCOL ISC_LOG_INFO
+
+/*%
+ * Log level for low-level debug tracing.
+ */
+#define LOGLEVEL_DEBUG ISC_LOG_DEBUG(8)
+
+/*%
+ * Check an operation for failure.  These macros all assume that
+ * the function using them has a 'result' variable and a 'failure'
+ * label.
+ */
+#define CHECK(op)                            \
+	do {                                 \
+		result = (op);               \
+		if (result != ISC_R_SUCCESS) \
+			goto failure;        \
+	} while (0)
+
+/*%
+ * Fail unconditionally with result 'code', which must not
+ * be ISC_R_SUCCESS.  The reason for failure presumably has
+ * been logged already.
+ *
+ * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
+ * from complaining about "end-of-loop code not reached".
+ */
+
+#define FAIL(code)                           \
+	do {                                 \
+		result = (code);             \
+		if (result != ISC_R_SUCCESS) \
+			goto failure;        \
+	} while (0)
+
+/*%
+ * Fail unconditionally and log as a client error.
+ * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
+ * from complaining about "end-of-loop code not reached".
+ */
+#define FAILC(code, msg)                                                       \
+	do {                                                                   \
+		const char *_what = "failed";                                  \
+		result = (code);                                               \
+		switch (result) {                                              \
+		case DNS_R_NXDOMAIN:                                           \
+		case DNS_R_YXDOMAIN:                                           \
+		case DNS_R_YXRRSET:                                            \
+		case DNS_R_NXRRSET:                                            \
+			_what = "unsuccessful";                                \
+		}                                                              \
+		update_log(log, zone, LOGLEVEL_PROTOCOL, "update %s: %s (%s)", \
+			   _what, msg, isc_result_totext(result));             \
+		if (result != ISC_R_SUCCESS)                                   \
+			goto failure;                                          \
+	} while (0)
+
+#define FAILN(code, name, msg)                                             \
+	do {                                                               \
+		const char *_what = "failed";                              \
+		result = (code);                                           \
+		switch (result) {                                          \
+		case DNS_R_NXDOMAIN:                                       \
+		case DNS_R_YXDOMAIN:                                       \
+		case DNS_R_YXRRSET:                                        \
+		case DNS_R_NXRRSET:                                        \
+			_what = "unsuccessful";                            \
+		}                                                          \
+		if (isc_log_wouldlog(dns_lctx, LOGLEVEL_PROTOCOL)) {       \
+			char _nbuf[DNS_NAME_FORMATSIZE];                   \
+			dns_name_format(name, _nbuf, sizeof(_nbuf));       \
+			update_log(log, zone, LOGLEVEL_PROTOCOL,           \
+				   "update %s: %s: %s (%s)", _what, _nbuf, \
+				   msg, isc_result_totext(result));        \
+		}                                                          \
+		if (result != ISC_R_SUCCESS)                               \
+			goto failure;                                      \
+	} while (0)
+
+#define FAILNT(code, name, type, msg)                                         \
+	do {                                                                  \
+		const char *_what = "failed";                                 \
+		result = (code);                                              \
+		switch (result) {                                             \
+		case DNS_R_NXDOMAIN:                                          \
+		case DNS_R_YXDOMAIN:                                          \
+		case DNS_R_YXRRSET:                                           \
+		case DNS_R_NXRRSET:                                           \
+			_what = "unsuccessful";                               \
+		}                                                             \
+		if (isc_log_wouldlog(dns_lctx, LOGLEVEL_PROTOCOL)) {          \
+			char _nbuf[DNS_NAME_FORMATSIZE];                      \
+			char _tbuf[DNS_RDATATYPE_FORMATSIZE];                 \
+			dns_name_format(name, _nbuf, sizeof(_nbuf));          \
+			dns_rdatatype_format(type, _tbuf, sizeof(_tbuf));     \
+			update_log(log, zone, LOGLEVEL_PROTOCOL,              \
+				   "update %s: %s/%s: %s (%s)", _what, _nbuf, \
+				   _tbuf, msg, isc_result_totext(result));    \
+		}                                                             \
+		if (result != ISC_R_SUCCESS)                                  \
+			goto failure;                                         \
+	} while (0)
+
+/*%
+ * Fail unconditionally and log as a server error.
+ * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
+ * from complaining about "end-of-loop code not reached".
+ */
+#define FAILS(code, msg)                                                       \
+	do {                                                                   \
+		result = (code);                                               \
+		update_log(log, zone, LOGLEVEL_PROTOCOL, "error: %s: %s", msg, \
+			   isc_result_totext(result));                         \
+		if (result != ISC_R_SUCCESS)                                   \
+			goto failure;                                          \
+	} while (0)
+
+/**************************************************************************/
+
+typedef struct rr rr_t;
+
+struct rr {
+	/* dns_name_t name; */
+	uint32_t ttl;
+	dns_rdata_t rdata;
+};
+
+typedef struct update_event update_event_t;
+
+/**************************************************************************/
+
+static void
+update_log(dns_update_log_t *callback, dns_zone_t *zone, int level,
+	   const char *fmt, ...) ISC_FORMAT_PRINTF(4, 5);
+
+static void
+update_log(dns_update_log_t *callback, dns_zone_t *zone, int level,
+	   const char *fmt, ...) {
+	va_list ap;
+	char message[4096];
+
+	if (callback == NULL) {
+		return;
+	}
+
+	if (!isc_log_wouldlog(dns_lctx, level)) {
+		return;
+	}
+
+	va_start(ap, fmt);
+	vsnprintf(message, sizeof(message), fmt, ap);
+	va_end(ap);
+
+	(callback->func)(callback->arg, zone, level, message);
+}
+
+/*%
+ * Update a single RR in version 'ver' of 'db' and log the
+ * update in 'diff'.
+ *
+ * Ensures:
+ * \li	'*tuple' == NULL.  Either the tuple is freed, or its
+ *	ownership has been transferred to the diff.
+ */
+static isc_result_t
+do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
+	     dns_diff_t *diff) {
+	dns_diff_t temp_diff;
+	isc_result_t result;
+
+	/*
+	 * Create a singleton diff.
+	 */
+	dns_diff_init(diff->mctx, &temp_diff);
+	ISC_LIST_APPEND(temp_diff.tuples, *tuple, link);
+
+	/*
+	 * Apply it to the database.
+	 */
+	result = dns_diff_apply(&temp_diff, db, ver);
+	ISC_LIST_UNLINK(temp_diff.tuples, *tuple, link);
+	if (result != ISC_R_SUCCESS) {
+		dns_difftuple_free(tuple);
+		return (result);
+	}
+
+	/*
+	 * Merge it into the current pending journal entry.
+	 */
+	dns_diff_appendminimal(diff, tuple);
+
+	/*
+	 * Do not clear temp_diff.
+	 */
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+update_one_rr(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff,
+	      dns_diffop_t op, dns_name_t *name, dns_ttl_t ttl,
+	      dns_rdata_t *rdata) {
+	dns_difftuple_t *tuple = NULL;
+	isc_result_t result;
+	result = dns_difftuple_create(diff->mctx, op, name, ttl, rdata, &tuple);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	return (do_one_tuple(&tuple, db, ver, diff));
+}
+
+/**************************************************************************/
+/*
+ * Callback-style iteration over rdatasets and rdatas.
+ *
+ * foreach_rrset() can be used to iterate over the RRsets
+ * of a name and call a callback function with each
+ * one.  Similarly, foreach_rr() can be used to iterate
+ * over the individual RRs at name, optionally restricted
+ * to RRs of a given type.
+ *
+ * The callback functions are called "actions" and take
+ * two arguments: a void pointer for passing arbitrary
+ * context information, and a pointer to the current RRset
+ * or RR.  By convention, their names end in "_action".
+ */
+
+/*
+ * XXXRTH  We might want to make this public somewhere in libdns.
+ */
+
+/*%
+ * Function type for foreach_rrset() iterator actions.
+ */
+typedef isc_result_t
+rrset_func(void *data, dns_rdataset_t *rrset);
+
+/*%
+ * Function type for foreach_rr() iterator actions.
+ */
+typedef isc_result_t
+rr_func(void *data, rr_t *rr);
+
+/*%
+ * Internal context struct for foreach_node_rr().
+ */
+typedef struct {
+	rr_func *rr_action;
+	void *rr_action_data;
+} foreach_node_rr_ctx_t;
+
+/*%
+ * Internal helper function for foreach_node_rr().
+ */
+static isc_result_t
+foreach_node_rr_action(void *data, dns_rdataset_t *rdataset) {
+	isc_result_t result;
+	foreach_node_rr_ctx_t *ctx = data;
+	for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(rdataset))
+	{
+		rr_t rr = { 0, DNS_RDATA_INIT };
+
+		dns_rdataset_current(rdataset, &rr.rdata);
+		rr.ttl = rdataset->ttl;
+		result = (*ctx->rr_action)(ctx->rr_action_data, &rr);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+	if (result != ISC_R_NOMORE) {
+		return (result);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * For each rdataset of 'name' in 'ver' of 'db', call 'action'
+ * with the rdataset and 'action_data' as arguments.  If the name
+ * does not exist, do nothing.
+ *
+ * If 'action' returns an error, abort iteration and return the error.
+ */
+static isc_result_t
+foreach_rrset(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+	      rrset_func *action, void *action_data) {
+	isc_result_t result;
+	dns_dbnode_t *node;
+	dns_rdatasetiter_t *iter;
+
+	node = NULL;
+	result = dns_db_findnode(db, name, false, &node);
+	if (result == ISC_R_NOTFOUND) {
+		return (ISC_R_SUCCESS);
+	}
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	iter = NULL;
+	result = dns_db_allrdatasets(db, node, ver, 0, (isc_stdtime_t)0, &iter);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_node;
+	}
+
+	for (result = dns_rdatasetiter_first(iter); result == ISC_R_SUCCESS;
+	     result = dns_rdatasetiter_next(iter))
+	{
+		dns_rdataset_t rdataset;
+
+		dns_rdataset_init(&rdataset);
+		dns_rdatasetiter_current(iter, &rdataset);
+
+		result = (*action)(action_data, &rdataset);
+
+		dns_rdataset_disassociate(&rdataset);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup_iterator;
+		}
+	}
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+	}
+
+cleanup_iterator:
+	dns_rdatasetiter_destroy(&iter);
+
+cleanup_node:
+	dns_db_detachnode(db, &node);
+
+	return (result);
+}
+
+/*%
+ * For each RR of 'name' in 'ver' of 'db', call 'action'
+ * with the RR and 'action_data' as arguments.  If the name
+ * does not exist, do nothing.
+ *
+ * If 'action' returns an error, abort iteration
+ * and return the error.
+ */
+static isc_result_t
+foreach_node_rr(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+		rr_func *rr_action, void *rr_action_data) {
+	foreach_node_rr_ctx_t ctx;
+	ctx.rr_action = rr_action;
+	ctx.rr_action_data = rr_action_data;
+	return (foreach_rrset(db, ver, name, foreach_node_rr_action, &ctx));
+}
+
+/*%
+ * For each of the RRs specified by 'db', 'ver', 'name', 'type',
+ * (which can be dns_rdatatype_any to match any type), and 'covers', call
+ * 'action' with the RR and 'action_data' as arguments. If the name
+ * does not exist, or if no RRset of the given type exists at the name,
+ * do nothing.
+ *
+ * If 'action' returns an error, abort iteration and return the error.
+ */
+static isc_result_t
+foreach_rr(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+	   dns_rdatatype_t type, dns_rdatatype_t covers, rr_func *rr_action,
+	   void *rr_action_data) {
+	isc_result_t result;
+	dns_dbnode_t *node;
+	dns_rdataset_t rdataset;
+
+	if (type == dns_rdatatype_any) {
+		return (foreach_node_rr(db, ver, name, rr_action,
+					rr_action_data));
+	}
+
+	node = NULL;
+	if (type == dns_rdatatype_nsec3 ||
+	    (type == dns_rdatatype_rrsig && covers == dns_rdatatype_nsec3))
+	{
+		result = dns_db_findnsec3node(db, name, false, &node);
+	} else {
+		result = dns_db_findnode(db, name, false, &node);
+	}
+	if (result == ISC_R_NOTFOUND) {
+		return (ISC_R_SUCCESS);
+	}
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(db, node, ver, type, covers,
+				     (isc_stdtime_t)0, &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND) {
+		result = ISC_R_SUCCESS;
+		goto cleanup_node;
+	}
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_node;
+	}
+
+	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		rr_t rr = { 0, DNS_RDATA_INIT };
+		dns_rdataset_current(&rdataset, &rr.rdata);
+		rr.ttl = rdataset.ttl;
+		result = (*rr_action)(rr_action_data, &rr);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup_rdataset;
+		}
+	}
+	if (result != ISC_R_NOMORE) {
+		goto cleanup_rdataset;
+	}
+	result = ISC_R_SUCCESS;
+
+cleanup_rdataset:
+	dns_rdataset_disassociate(&rdataset);
+cleanup_node:
+	dns_db_detachnode(db, &node);
+
+	return (result);
+}
+
+/**************************************************************************/
+/*
+ * Various tests on the database contents (for prerequisites, etc).
+ */
+
+/*%
+ * Function type for predicate functions that compare a database RR 'db_rr'
+ * against an update RR 'update_rr'.
+ */
+typedef bool
+rr_predicate(dns_rdata_t *update_rr, dns_rdata_t *db_rr);
+
+/*%
+ * Helper function for rrset_exists().
+ */
+static isc_result_t
+rrset_exists_action(void *data, rr_t *rr) {
+	UNUSED(data);
+	UNUSED(rr);
+	return (ISC_R_EXISTS);
+}
+
+/*%
+ * Utility macro for RR existence checking functions.
+ *
+ * If the variable 'result' has the value ISC_R_EXISTS or
+ * ISC_R_SUCCESS, set *exists to true or false,
+ * respectively, and return success.
+ *
+ * If 'result' has any other value, there was a failure.
+ * Return the failure result code and do not set *exists.
+ *
+ * This would be more readable as "do { if ... } while(0)",
+ * but that form generates tons of warnings on Solaris 2.6.
+ */
+#define RETURN_EXISTENCE_FLAG                                         \
+	return ((result == ISC_R_EXISTS)                              \
+			? (*exists = true, ISC_R_SUCCESS)             \
+			: ((result == ISC_R_SUCCESS)                  \
+				   ? (*exists = false, ISC_R_SUCCESS) \
+				   : result))
+
+/*%
+ * Set '*exists' to true iff an rrset of the given type exists,
+ * to false otherwise.
+ */
+static isc_result_t
+rrset_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+	     dns_rdatatype_t type, dns_rdatatype_t covers, bool *exists) {
+	isc_result_t result;
+	result = foreach_rr(db, ver, name, type, covers, rrset_exists_action,
+			    NULL);
+	RETURN_EXISTENCE_FLAG;
+}
+
+/*%
+ * Set '*visible' to true if the RRset exists and is part of the
+ * visible zone.  Otherwise '*visible' is set to false unless a
+ * error occurs.
+ */
+static isc_result_t
+rrset_visible(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+	      dns_rdatatype_t type, bool *visible) {
+	isc_result_t result;
+	dns_fixedname_t fixed;
+
+	dns_fixedname_init(&fixed);
+	result = dns_db_find(db, name, ver, type, DNS_DBFIND_NOWILD,
+			     (isc_stdtime_t)0, NULL, dns_fixedname_name(&fixed),
+			     NULL, NULL);
+	switch (result) {
+	case ISC_R_SUCCESS:
+		*visible = true;
+		break;
+	/*
+	 * Glue, obscured, deleted or replaced records.
+	 */
+	case DNS_R_DELEGATION:
+	case DNS_R_DNAME:
+	case DNS_R_CNAME:
+	case DNS_R_NXDOMAIN:
+	case DNS_R_NXRRSET:
+	case DNS_R_EMPTYNAME:
+	case DNS_R_COVERINGNSEC:
+		*visible = false;
+		result = ISC_R_SUCCESS;
+		break;
+	default:
+		*visible = false; /* silence false compiler warning */
+		break;
+	}
+	return (result);
+}
+
+/*%
+ * Context struct and helper function for name_exists().
+ */
+
+static isc_result_t
+name_exists_action(void *data, dns_rdataset_t *rrset) {
+	UNUSED(data);
+	UNUSED(rrset);
+	return (ISC_R_EXISTS);
+}
+
+/*%
+ * Set '*exists' to true iff the given name exists, to false otherwise.
+ */
+static isc_result_t
+name_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+	    bool *exists) {
+	isc_result_t result;
+	result = foreach_rrset(db, ver, name, name_exists_action, NULL);
+	RETURN_EXISTENCE_FLAG;
+}
+
+/**************************************************************************/
+/*
+ * Checking of "RRset exists (value dependent)" prerequisites.
+ *
+ * In the RFC2136 section 3.2.5, this is the pseudocode involving
+ * a variable called "temp", a mapping of <name, type> tuples to rrsets.
+ *
+ * Here, we represent the "temp" data structure as (non-minimal) "dns_diff_t"
+ * where each tuple has op==DNS_DIFFOP_EXISTS.
+ */
+
+/*%
+ * A comparison function defining the sorting order for the entries
+ * in the "temp" data structure.  The major sort key is the owner name,
+ * followed by the type and rdata.
+ */
+static int
+temp_order(const void *av, const void *bv) {
+	dns_difftuple_t const *const *ap = av;
+	dns_difftuple_t const *const *bp = bv;
+	dns_difftuple_t const *a = *ap;
+	dns_difftuple_t const *b = *bp;
+	int r;
+	r = dns_name_compare(&a->name, &b->name);
+	if (r != 0) {
+		return (r);
+	}
+	r = (b->rdata.type - a->rdata.type);
+	if (r != 0) {
+		return (r);
+	}
+	r = dns_rdata_casecompare(&a->rdata, &b->rdata);
+	return (r);
+}
+
+/**************************************************************************/
+/*
+ * Conditional deletion of RRs.
+ */
+
+/*%
+ * Context structure for delete_if().
+ */
+
+typedef struct {
+	rr_predicate *predicate;
+	dns_db_t *db;
+	dns_dbversion_t *ver;
+	dns_diff_t *diff;
+	dns_name_t *name;
+	dns_rdata_t *update_rr;
+} conditional_delete_ctx_t;
+
+/*%
+ * Predicate functions for delete_if().
+ */
+
+/*%
+ * Return true always.
+ */
+static bool
+true_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
+	UNUSED(update_rr);
+	UNUSED(db_rr);
+	return (true);
+}
+
+/*%
+ * Return true if the record is a RRSIG.
+ */
+static bool
+rrsig_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
+	UNUSED(update_rr);
+	return ((db_rr->type == dns_rdatatype_rrsig) ? true : false);
+}
+
+/*%
+ * Internal helper function for delete_if().
+ */
+static isc_result_t
+delete_if_action(void *data, rr_t *rr) {
+	conditional_delete_ctx_t *ctx = data;
+	if ((*ctx->predicate)(ctx->update_rr, &rr->rdata)) {
+		isc_result_t result;
+		result = update_one_rr(ctx->db, ctx->ver, ctx->diff,
+				       DNS_DIFFOP_DEL, ctx->name, rr->ttl,
+				       &rr->rdata);
+		return (result);
+	} else {
+		return (ISC_R_SUCCESS);
+	}
+}
+
+/*%
+ * Conditionally delete RRs.  Apply 'predicate' to the RRs
+ * specified by 'db', 'ver', 'name', and 'type' (which can
+ * be dns_rdatatype_any to match any type).  Delete those
+ * RRs for which the predicate returns true, and log the
+ * deletions in 'diff'.
+ */
+static isc_result_t
+delete_if(rr_predicate *predicate, dns_db_t *db, dns_dbversion_t *ver,
+	  dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers,
+	  dns_rdata_t *update_rr, dns_diff_t *diff) {
+	conditional_delete_ctx_t ctx;
+	ctx.predicate = predicate;
+	ctx.db = db;
+	ctx.ver = ver;
+	ctx.diff = diff;
+	ctx.name = name;
+	ctx.update_rr = update_rr;
+	return (foreach_rr(db, ver, name, type, covers, delete_if_action,
+			   &ctx));
+}
+
+/**************************************************************************/
+/*
+ * Incremental updating of NSECs and RRSIGs.
+ */
+
+/*%
+ * We abuse the dns_diff_t type to represent a set of domain names
+ * affected by the update.
+ */
+static isc_result_t
+namelist_append_name(dns_diff_t *list, dns_name_t *name) {
+	isc_result_t result;
+	dns_difftuple_t *tuple = NULL;
+	static dns_rdata_t dummy_rdata = DNS_RDATA_INIT;
+
+	CHECK(dns_difftuple_create(list->mctx, DNS_DIFFOP_EXISTS, name, 0,
+				   &dummy_rdata, &tuple));
+	dns_diff_append(list, &tuple);
+failure:
+	return (result);
+}
+
+static isc_result_t
+namelist_append_subdomain(dns_db_t *db, dns_name_t *name,
+			  dns_diff_t *affected) {
+	isc_result_t result;
+	dns_fixedname_t fixedname;
+	dns_name_t *child;
+	dns_dbiterator_t *dbit = NULL;
+
+	child = dns_fixedname_initname(&fixedname);
+
+	CHECK(dns_db_createiterator(db, DNS_DB_NONSEC3, &dbit));
+
+	for (result = dns_dbiterator_seek(dbit, name); result == ISC_R_SUCCESS;
+	     result = dns_dbiterator_next(dbit))
+	{
+		dns_dbnode_t *node = NULL;
+		CHECK(dns_dbiterator_current(dbit, &node, child));
+		dns_db_detachnode(db, &node);
+		if (!dns_name_issubdomain(child, name)) {
+			break;
+		}
+		CHECK(namelist_append_name(affected, child));
+	}
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+	}
+failure:
+	if (dbit != NULL) {
+		dns_dbiterator_destroy(&dbit);
+	}
+	return (result);
+}
+
+/*%
+ * Helper function for non_nsec_rrset_exists().
+ */
+static isc_result_t
+is_non_nsec_action(void *data, dns_rdataset_t *rrset) {
+	UNUSED(data);
+	if (!(rrset->type == dns_rdatatype_nsec ||
+	      rrset->type == dns_rdatatype_nsec3 ||
+	      (rrset->type == dns_rdatatype_rrsig &&
+	       (rrset->covers == dns_rdatatype_nsec ||
+		rrset->covers == dns_rdatatype_nsec3))))
+	{
+		return (ISC_R_EXISTS);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Check whether there is an rrset other than a NSEC or RRSIG NSEC,
+ * i.e., anything that justifies the continued existence of a name
+ * after a secure update.
+ *
+ * If such an rrset exists, set '*exists' to true.
+ * Otherwise, set it to false.
+ */
+static isc_result_t
+non_nsec_rrset_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+		      bool *exists) {
+	isc_result_t result;
+	result = foreach_rrset(db, ver, name, is_non_nsec_action, NULL);
+	RETURN_EXISTENCE_FLAG;
+}
+
+/*%
+ * A comparison function for sorting dns_diff_t:s by name.
+ */
+static int
+name_order(const void *av, const void *bv) {
+	dns_difftuple_t const *const *ap = av;
+	dns_difftuple_t const *const *bp = bv;
+	dns_difftuple_t const *a = *ap;
+	dns_difftuple_t const *b = *bp;
+	return (dns_name_compare(&a->name, &b->name));
+}
+
+static isc_result_t
+uniqify_name_list(dns_diff_t *list) {
+	isc_result_t result;
+	dns_difftuple_t *p, *q;
+
+	CHECK(dns_diff_sort(list, name_order));
+
+	p = ISC_LIST_HEAD(list->tuples);
+	while (p != NULL) {
+		do {
+			q = ISC_LIST_NEXT(p, link);
+			if (q == NULL || !dns_name_equal(&p->name, &q->name)) {
+				break;
+			}
+			ISC_LIST_UNLINK(list->tuples, q, link);
+			dns_difftuple_free(&q);
+		} while (1);
+		p = ISC_LIST_NEXT(p, link);
+	}
+failure:
+	return (result);
+}
+
+static isc_result_t
+is_active(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, bool *flag,
+	  bool *cut, bool *unsecure) {
+	isc_result_t result;
+	dns_fixedname_t foundname;
+	dns_fixedname_init(&foundname);
+	result = dns_db_find(db, name, ver, dns_rdatatype_any,
+			     DNS_DBFIND_GLUEOK | DNS_DBFIND_NOWILD,
+			     (isc_stdtime_t)0, NULL,
+			     dns_fixedname_name(&foundname), NULL, NULL);
+	if (result == ISC_R_SUCCESS || result == DNS_R_EMPTYNAME) {
+		*flag = true;
+		*cut = false;
+		if (unsecure != NULL) {
+			*unsecure = false;
+		}
+		return (ISC_R_SUCCESS);
+	} else if (result == DNS_R_ZONECUT) {
+		*flag = true;
+		*cut = true;
+		if (unsecure != NULL) {
+			/*
+			 * We are at the zonecut.  Check to see if there
+			 * is a DS RRset.
+			 */
+			if (dns_db_find(db, name, ver, dns_rdatatype_ds, 0,
+					(isc_stdtime_t)0, NULL,
+					dns_fixedname_name(&foundname), NULL,
+					NULL) == DNS_R_NXRRSET)
+			{
+				*unsecure = true;
+			} else {
+				*unsecure = false;
+			}
+		}
+		return (ISC_R_SUCCESS);
+	} else if (result == DNS_R_GLUE || result == DNS_R_DNAME ||
+		   result == DNS_R_DELEGATION || result == DNS_R_NXDOMAIN)
+	{
+		*flag = false;
+		*cut = false;
+		if (unsecure != NULL) {
+			*unsecure = false;
+		}
+		return (ISC_R_SUCCESS);
+	} else {
+		/*
+		 * Silence compiler.
+		 */
+		*flag = false;
+		*cut = false;
+		if (unsecure != NULL) {
+			*unsecure = false;
+		}
+		return (result);
+	}
+}
+
+/*%
+ * Find the next/previous name that has a NSEC record.
+ * In other words, skip empty database nodes and names that
+ * have had their NSECs removed because they are obscured by
+ * a zone cut.
+ */
+static isc_result_t
+next_active(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
+	    dns_dbversion_t *ver, dns_name_t *oldname, dns_name_t *newname,
+	    bool forward) {
+	isc_result_t result;
+	dns_dbiterator_t *dbit = NULL;
+	bool has_nsec = false;
+	unsigned int wraps = 0;
+	bool secure = dns_db_issecure(db);
+
+	CHECK(dns_db_createiterator(db, 0, &dbit));
+
+	CHECK(dns_dbiterator_seek(dbit, oldname));
+	do {
+		dns_dbnode_t *node = NULL;
+
+		if (forward) {
+			result = dns_dbiterator_next(dbit);
+		} else {
+			result = dns_dbiterator_prev(dbit);
+		}
+		if (result == ISC_R_NOMORE) {
+			/*
+			 * Wrap around.
+			 */
+			if (forward) {
+				CHECK(dns_dbiterator_first(dbit));
+			} else {
+				CHECK(dns_dbiterator_last(dbit));
+			}
+			wraps++;
+			if (wraps == 2) {
+				update_log(log, zone, ISC_LOG_ERROR,
+					   "secure zone with no NSECs");
+				result = DNS_R_BADZONE;
+				goto failure;
+			}
+		}
+		CHECK(dns_dbiterator_current(dbit, &node, newname));
+		dns_db_detachnode(db, &node);
+
+		/*
+		 * The iterator may hold the tree lock, and
+		 * rrset_exists() calls dns_db_findnode() which
+		 * may try to reacquire it.  To avoid deadlock
+		 * we must pause the iterator first.
+		 */
+		CHECK(dns_dbiterator_pause(dbit));
+		if (secure) {
+			CHECK(rrset_exists(db, ver, newname, dns_rdatatype_nsec,
+					   0, &has_nsec));
+		} else {
+			dns_fixedname_t ffound;
+			dns_name_t *found;
+			found = dns_fixedname_initname(&ffound);
+			result = dns_db_find(
+				db, newname, ver, dns_rdatatype_soa,
+				DNS_DBFIND_NOWILD, 0, NULL, found, NULL, NULL);
+			if (result == ISC_R_SUCCESS ||
+			    result == DNS_R_EMPTYNAME ||
+			    result == DNS_R_NXRRSET || result == DNS_R_CNAME ||
+			    (result == DNS_R_DELEGATION &&
+			     dns_name_equal(newname, found)))
+			{
+				has_nsec = true;
+				result = ISC_R_SUCCESS;
+			} else if (result != DNS_R_NXDOMAIN) {
+				break;
+			}
+		}
+	} while (!has_nsec);
+failure:
+	if (dbit != NULL) {
+		dns_dbiterator_destroy(&dbit);
+	}
+
+	return (result);
+}
+
+/*%
+ * Add a NSEC record for "name", recording the change in "diff".
+ * The existing NSEC is removed.
+ */
+static isc_result_t
+add_nsec(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
+	 dns_dbversion_t *ver, dns_name_t *name, dns_ttl_t nsecttl,
+	 dns_diff_t *diff) {
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	unsigned char buffer[DNS_NSEC_BUFFERSIZE];
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_difftuple_t *tuple = NULL;
+	dns_fixedname_t fixedname;
+	dns_name_t *target;
+
+	target = dns_fixedname_initname(&fixedname);
+
+	/*
+	 * Find the successor name, aka NSEC target.
+	 */
+	CHECK(next_active(log, zone, db, ver, name, target, true));
+
+	/*
+	 * Create the NSEC RDATA.
+	 */
+	CHECK(dns_db_findnode(db, name, false, &node));
+	dns_rdata_init(&rdata);
+	CHECK(dns_nsec_buildrdata(db, ver, node, target, buffer, &rdata));
+	dns_db_detachnode(db, &node);
+
+	/*
+	 * Delete the old NSEC and record the change.
+	 */
+	CHECK(delete_if(true_p, db, ver, name, dns_rdatatype_nsec, 0, NULL,
+			diff));
+	/*
+	 * Add the new NSEC and record the change.
+	 */
+	CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name, nsecttl,
+				   &rdata, &tuple));
+	CHECK(do_one_tuple(&tuple, db, ver, diff));
+	INSIST(tuple == NULL);
+
+failure:
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+	return (result);
+}
+
+/*%
+ * Add a placeholder NSEC record for "name", recording the change in "diff".
+ */
+static isc_result_t
+add_placeholder_nsec(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+		     dns_diff_t *diff) {
+	isc_result_t result;
+	dns_difftuple_t *tuple = NULL;
+	isc_region_t r;
+	unsigned char data[1] = { 0 }; /* The root domain, no bits. */
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+
+	r.base = data;
+	r.length = sizeof(data);
+	dns_rdata_fromregion(&rdata, dns_db_class(db), dns_rdatatype_nsec, &r);
+	CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name, 0, &rdata,
+				   &tuple));
+	CHECK(do_one_tuple(&tuple, db, ver, diff));
+failure:
+	return (result);
+}
+
+static isc_result_t
+find_zone_keys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
+	       isc_mem_t *mctx, unsigned int maxkeys, dst_key_t **keys,
+	       unsigned int *nkeys) {
+	isc_result_t result;
+	isc_stdtime_t now;
+	dns_dbnode_t *node = NULL;
+	const char *directory = dns_zone_getkeydirectory(zone);
+
+	CHECK(dns_db_findnode(db, dns_db_origin(db), false, &node));
+	isc_stdtime_get(&now);
+
+	dns_zone_lock_keyfiles(zone);
+	result = dns_dnssec_findzonekeys(db, ver, node, dns_db_origin(db),
+					 directory, now, mctx, maxkeys, keys,
+					 nkeys);
+	dns_zone_unlock_keyfiles(zone);
+
+failure:
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+	return (result);
+}
+
+/*%
+ * Add RRSIG records for an RRset, recording the change in "diff".
+ */
+static isc_result_t
+add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
+	 dns_dbversion_t *ver, dns_name_t *name, dns_rdatatype_t type,
+	 dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys,
+	 isc_stdtime_t inception, isc_stdtime_t expire, bool check_ksk,
+	 bool keyset_kskonly) {
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	dns_kasp_t *kasp = dns_zone_getkasp(zone);
+	dns_rdataset_t rdataset;
+	dns_rdata_t sig_rdata = DNS_RDATA_INIT;
+	dns_stats_t *dnssecsignstats = dns_zone_getdnssecsignstats(zone);
+	isc_buffer_t buffer;
+	unsigned char data[1024]; /* XXX */
+	unsigned int i, j;
+	bool added_sig = false;
+	bool use_kasp = false;
+	isc_mem_t *mctx = diff->mctx;
+
+	if (kasp != NULL) {
+		check_ksk = false;
+		keyset_kskonly = true;
+		use_kasp = true;
+	}
+
+	dns_rdataset_init(&rdataset);
+	isc_buffer_init(&buffer, data, sizeof(data));
+
+	/* Get the rdataset to sign. */
+	if (type == dns_rdatatype_nsec3) {
+		CHECK(dns_db_findnsec3node(db, name, false, &node));
+	} else {
+		CHECK(dns_db_findnode(db, name, false, &node));
+	}
+	CHECK(dns_db_findrdataset(db, node, ver, type, 0, (isc_stdtime_t)0,
+				  &rdataset, NULL));
+	dns_db_detachnode(db, &node);
+
+#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0)
+#define KSK(x)	  ((dst_key_flags(x) & DNS_KEYFLAG_KSK) != 0)
+#define ID(x)	  dst_key_id(x)
+#define ALG(x)	  dst_key_alg(x)
+
+	/*
+	 * If we are honoring KSK flags then we need to check that we
+	 * have both KSK and non-KSK keys that are not revoked per
+	 * algorithm.
+	 */
+	for (i = 0; i < nkeys; i++) {
+		bool both = false;
+
+		/* Don't add signatures for offline or inactive keys */
+		if (!dst_key_isprivate(keys[i])) {
+			continue;
+		}
+		if (dst_key_inactive(keys[i])) {
+			continue;
+		}
+
+		if (check_ksk && !REVOKE(keys[i])) {
+			bool have_ksk, have_nonksk;
+			if (KSK(keys[i])) {
+				have_ksk = true;
+				have_nonksk = false;
+			} else {
+				have_ksk = false;
+				have_nonksk = true;
+			}
+			for (j = 0; j < nkeys; j++) {
+				if (j == i || ALG(keys[i]) != ALG(keys[j])) {
+					continue;
+				}
+
+				/* Don't consider inactive keys, however
+				 * the KSK may be temporary offline, so do
+				 * consider KSKs which private key files are
+				 * unavailable.
+				 */
+				if (dst_key_inactive(keys[j])) {
+					continue;
+				}
+
+				if (REVOKE(keys[j])) {
+					continue;
+				}
+				if (KSK(keys[j])) {
+					have_ksk = true;
+				} else if (dst_key_isprivate(keys[j])) {
+					have_nonksk = true;
+				}
+				both = have_ksk && have_nonksk;
+				if (both) {
+					break;
+				}
+			}
+		}
+
+		if (use_kasp) {
+			/*
+			 * A dnssec-policy is found. Check what RRsets this
+			 * key should sign.
+			 */
+			isc_stdtime_t when;
+			isc_result_t kresult;
+			bool ksk = false;
+			bool zsk = false;
+
+			kresult = dst_key_getbool(keys[i], DST_BOOL_KSK, &ksk);
+			if (kresult != ISC_R_SUCCESS) {
+				if (KSK(keys[i])) {
+					ksk = true;
+				}
+			}
+			kresult = dst_key_getbool(keys[i], DST_BOOL_ZSK, &zsk);
+			if (kresult != ISC_R_SUCCESS) {
+				if (!KSK(keys[i])) {
+					zsk = true;
+				}
+			}
+
+			if (type == dns_rdatatype_dnskey ||
+			    type == dns_rdatatype_cdnskey ||
+			    type == dns_rdatatype_cds)
+			{
+				/*
+				 * DNSKEY RRset is signed with KSK.
+				 * CDS and CDNSKEY RRsets too (RFC 7344, 4.1).
+				 */
+				if (!ksk) {
+					continue;
+				}
+			} else if (!zsk) {
+				/*
+				 * Other RRsets are signed with ZSK.
+				 */
+				continue;
+			} else if (zsk &&
+				   !dst_key_is_signing(keys[i], DST_BOOL_ZSK,
+						       inception, &when))
+			{
+				/*
+				 * This key is not active for zone-signing.
+				 */
+				continue;
+			}
+
+			/*
+			 * If this key is revoked, it may only sign the
+			 * DNSKEY RRset.
+			 */
+			if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey) {
+				continue;
+			}
+		} else if (both) {
+			/*
+			 * CDS and CDNSKEY are signed with KSK (RFC 7344, 4.1).
+			 */
+			if (type == dns_rdatatype_dnskey ||
+			    type == dns_rdatatype_cdnskey ||
+			    type == dns_rdatatype_cds)
+			{
+				if (!KSK(keys[i]) && keyset_kskonly) {
+					continue;
+				}
+			} else if (KSK(keys[i])) {
+				continue;
+			}
+		} else if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey) {
+			continue;
+		}
+
+		/* Calculate the signature, creating a RRSIG RDATA. */
+		CHECK(dns_dnssec_sign(name, &rdataset, keys[i], &inception,
+				      &expire, mctx, &buffer, &sig_rdata));
+
+		/* Update the database and journal with the RRSIG. */
+		/* XXX inefficient - will cause dataset merging */
+		CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADDRESIGN, name,
+				    rdataset.ttl, &sig_rdata));
+		dns_rdata_reset(&sig_rdata);
+		isc_buffer_init(&buffer, data, sizeof(data));
+		added_sig = true;
+		/* Update DNSSEC sign statistics. */
+		if (dnssecsignstats != NULL) {
+			dns_dnssecsignstats_increment(dnssecsignstats,
+						      ID(keys[i]),
+						      (uint8_t)ALG(keys[i]),
+						      dns_dnssecsignstats_sign);
+		}
+	}
+	if (!added_sig) {
+		update_log(log, zone, ISC_LOG_ERROR,
+			   "found no active private keys, "
+			   "unable to generate any signatures");
+		result = ISC_R_NOTFOUND;
+	}
+
+failure:
+	if (dns_rdataset_isassociated(&rdataset)) {
+		dns_rdataset_disassociate(&rdataset);
+	}
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+	return (result);
+}
+
+/*
+ * Delete expired RRsigs and any RRsigs we are about to re-sign.
+ * See also zone.c:del_sigs().
+ */
+static isc_result_t
+del_keysigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+	    dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys) {
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	unsigned int i;
+	dns_rdata_rrsig_t rrsig;
+	bool found;
+
+	dns_rdataset_init(&rdataset);
+
+	result = dns_db_findnode(db, name, false, &node);
+	if (result == ISC_R_NOTFOUND) {
+		return (ISC_R_SUCCESS);
+	}
+	if (result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_rrsig,
+				     dns_rdatatype_dnskey, (isc_stdtime_t)0,
+				     &rdataset, NULL);
+	dns_db_detachnode(db, &node);
+
+	if (result == ISC_R_NOTFOUND) {
+		return (ISC_R_SUCCESS);
+	}
+	if (result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+
+	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		dns_rdataset_current(&rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		found = false;
+		for (i = 0; i < nkeys; i++) {
+			if (rrsig.keyid == dst_key_id(keys[i])) {
+				found = true;
+				if (!dst_key_isprivate(keys[i]) &&
+				    !dst_key_inactive(keys[i]))
+				{
+					/*
+					 * The re-signing code in zone.c
+					 * will mark this as offline.
+					 * Just skip the record for now.
+					 */
+					break;
+				}
+				result = update_one_rr(db, ver, diff,
+						       DNS_DIFFOP_DEL, name,
+						       rdataset.ttl, &rdata);
+				break;
+			}
+		}
+		/*
+		 * If there is not a matching DNSKEY then delete the RRSIG.
+		 */
+		if (!found) {
+			result = update_one_rr(db, ver, diff, DNS_DIFFOP_DEL,
+					       name, rdataset.ttl, &rdata);
+		}
+		dns_rdata_reset(&rdata);
+		if (result != ISC_R_SUCCESS) {
+			break;
+		}
+	}
+	dns_rdataset_disassociate(&rdataset);
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+	}
+failure:
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+	return (result);
+}
+
+static isc_result_t
+add_exposed_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
+		 dns_dbversion_t *ver, dns_name_t *name, bool cut,
+		 dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys,
+		 isc_stdtime_t inception, isc_stdtime_t expire, bool check_ksk,
+		 bool keyset_kskonly, unsigned int *sigs) {
+	isc_result_t result;
+	dns_dbnode_t *node;
+	dns_rdatasetiter_t *iter;
+
+	node = NULL;
+	result = dns_db_findnode(db, name, false, &node);
+	if (result == ISC_R_NOTFOUND) {
+		return (ISC_R_SUCCESS);
+	}
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	iter = NULL;
+	result = dns_db_allrdatasets(db, node, ver, 0, (isc_stdtime_t)0, &iter);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_node;
+	}
+
+	for (result = dns_rdatasetiter_first(iter); result == ISC_R_SUCCESS;
+	     result = dns_rdatasetiter_next(iter))
+	{
+		dns_rdataset_t rdataset;
+		dns_rdatatype_t type;
+		bool flag;
+
+		dns_rdataset_init(&rdataset);
+		dns_rdatasetiter_current(iter, &rdataset);
+		type = rdataset.type;
+		dns_rdataset_disassociate(&rdataset);
+
+		/*
+		 * We don't need to sign unsigned NSEC records at the cut
+		 * as they are handled elsewhere.
+		 */
+		if ((type == dns_rdatatype_rrsig) ||
+		    (cut && type != dns_rdatatype_ds))
+		{
+			continue;
+		}
+		result = rrset_exists(db, ver, name, dns_rdatatype_rrsig, type,
+				      &flag);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup_iterator;
+		}
+		if (flag) {
+			continue;
+		}
+		result = add_sigs(log, zone, db, ver, name, type, diff, keys,
+				  nkeys, inception, expire, check_ksk,
+				  keyset_kskonly);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup_iterator;
+		}
+		(*sigs)++;
+	}
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+	}
+
+cleanup_iterator:
+	dns_rdatasetiter_destroy(&iter);
+
+cleanup_node:
+	dns_db_detachnode(db, &node);
+
+	return (result);
+}
+
+/*%
+ * Update RRSIG, NSEC and NSEC3 records affected by an update.  The original
+ * update, including the SOA serial update but excluding the RRSIG & NSEC
+ * changes, is in "diff" and has already been applied to "newver" of "db".
+ * The database version prior to the update is "oldver".
+ *
+ * The necessary RRSIG, NSEC and NSEC3 changes will be applied to "newver"
+ * and added (as a minimal diff) to "diff".
+ *
+ * The RRSIGs generated will be valid for 'sigvalidityinterval' seconds.
+ */
+isc_result_t
+dns_update_signatures(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
+		      dns_dbversion_t *oldver, dns_dbversion_t *newver,
+		      dns_diff_t *diff, uint32_t sigvalidityinterval) {
+	return (dns_update_signaturesinc(log, zone, db, oldver, newver, diff,
+					 sigvalidityinterval, NULL));
+}
+
+struct dns_update_state {
+	unsigned int magic;
+	dns_diff_t diffnames;
+	dns_diff_t affected;
+	dns_diff_t sig_diff;
+	dns_diff_t nsec_diff;
+	dns_diff_t nsec_mindiff;
+	dns_diff_t work;
+	dst_key_t *zone_keys[DNS_MAXZONEKEYS];
+	unsigned int nkeys;
+	isc_stdtime_t inception, expire, soaexpire, keyexpire;
+	dns_ttl_t nsecttl;
+	bool check_ksk, keyset_kskonly, build_nsec3;
+	enum {
+		sign_updates,
+		remove_orphaned,
+		build_chain,
+		process_nsec,
+		sign_nsec,
+		update_nsec3,
+		process_nsec3,
+		sign_nsec3
+	} state;
+};
+
+static uint32_t
+dns__jitter_expire(dns_zone_t *zone, uint32_t sigvalidityinterval) {
+	/* Spread out signatures over time */
+	if (sigvalidityinterval >= 3600U) {
+		uint32_t expiryinterval =
+			dns_zone_getsigresigninginterval(zone);
+
+		if (sigvalidityinterval < 7200U) {
+			expiryinterval = 1200;
+		} else if (expiryinterval > sigvalidityinterval) {
+			expiryinterval = sigvalidityinterval;
+		} else {
+			expiryinterval = sigvalidityinterval - expiryinterval;
+		}
+		uint32_t jitter = isc_random_uniform(expiryinterval);
+		sigvalidityinterval -= jitter;
+	}
+	return (sigvalidityinterval);
+}
+
+isc_result_t
+dns_update_signaturesinc(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
+			 dns_dbversion_t *oldver, dns_dbversion_t *newver,
+			 dns_diff_t *diff, uint32_t sigvalidityinterval,
+			 dns_update_state_t **statep) {
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_update_state_t mystate, *state;
+
+	dns_difftuple_t *t, *next;
+	bool flag, build_nsec;
+	unsigned int i;
+	isc_stdtime_t now;
+	dns_rdata_soa_t soa;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdataset_t rdataset;
+	dns_dbnode_t *node = NULL;
+	bool unsecure;
+	bool cut;
+	dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
+	unsigned int sigs = 0;
+	unsigned int maxsigs = dns_zone_getsignatures(zone);
+
+	if (statep == NULL || *statep == NULL) {
+		if (statep == NULL) {
+			state = &mystate;
+		} else {
+			state = isc_mem_get(diff->mctx, sizeof(*state));
+		}
+
+		dns_diff_init(diff->mctx, &state->diffnames);
+		dns_diff_init(diff->mctx, &state->affected);
+		dns_diff_init(diff->mctx, &state->sig_diff);
+		dns_diff_init(diff->mctx, &state->nsec_diff);
+		dns_diff_init(diff->mctx, &state->nsec_mindiff);
+		dns_diff_init(diff->mctx, &state->work);
+		state->nkeys = 0;
+		state->build_nsec3 = false;
+
+		result = find_zone_keys(zone, db, newver, diff->mctx,
+					DNS_MAXZONEKEYS, state->zone_keys,
+					&state->nkeys);
+		if (result != ISC_R_SUCCESS) {
+			update_log(log, zone, ISC_LOG_ERROR,
+				   "could not get zone keys for secure "
+				   "dynamic update");
+			goto failure;
+		}
+
+		isc_stdtime_get(&now);
+		state->inception = now - 3600; /* Allow for some clock skew. */
+		state->expire = now +
+				dns__jitter_expire(zone, sigvalidityinterval);
+		state->soaexpire = now + sigvalidityinterval;
+		state->keyexpire = dns_zone_getkeyvalidityinterval(zone);
+		if (state->keyexpire == 0) {
+			state->keyexpire = state->expire;
+		} else {
+			state->keyexpire += now;
+		}
+
+		/*
+		 * Do we look at the KSK flag on the DNSKEY to determining which
+		 * keys sign which RRsets?  First check the zone option then
+		 * check the keys flags to make sure at least one has a ksk set
+		 * and one doesn't.
+		 */
+		state->check_ksk = ((dns_zone_getoptions(zone) &
+				     DNS_ZONEOPT_UPDATECHECKKSK) != 0);
+		state->keyset_kskonly = ((dns_zone_getoptions(zone) &
+					  DNS_ZONEOPT_DNSKEYKSKONLY) != 0);
+
+		/*
+		 * Calculate the NSEC/NSEC3 TTL as a minimum of the SOA TTL and
+		 * MINIMUM field.
+		 */
+		CHECK(dns_db_findnode(db, dns_db_origin(db), false, &node));
+		dns_rdataset_init(&rdataset);
+		CHECK(dns_db_findrdataset(db, node, newver, dns_rdatatype_soa,
+					  0, (isc_stdtime_t)0, &rdataset,
+					  NULL));
+		CHECK(dns_rdataset_first(&rdataset));
+		dns_rdataset_current(&rdataset, &rdata);
+		CHECK(dns_rdata_tostruct(&rdata, &soa, NULL));
+		state->nsecttl = ISC_MIN(rdataset.ttl, soa.minimum);
+		dns_rdataset_disassociate(&rdataset);
+		dns_db_detachnode(db, &node);
+
+		/*
+		 * Find all RRsets directly affected by the update, and
+		 * update their RRSIGs.  Also build a list of names affected
+		 * by the update in "diffnames".
+		 */
+		CHECK(dns_diff_sort(diff, temp_order));
+		state->state = sign_updates;
+		state->magic = STATE_MAGIC;
+		if (statep != NULL) {
+			*statep = state;
+		}
+	} else {
+		REQUIRE(DNS_STATE_VALID(*statep));
+		state = *statep;
+	}
+
+next_state:
+	switch (state->state) {
+	case sign_updates:
+		t = ISC_LIST_HEAD(diff->tuples);
+		while (t != NULL) {
+			dns_name_t *name = &t->name;
+			/*
+			 * Now "name" is a new, unique name affected by the
+			 * update.
+			 */
+
+			CHECK(namelist_append_name(&state->diffnames, name));
+
+			while (t != NULL && dns_name_equal(&t->name, name)) {
+				dns_rdatatype_t type;
+				type = t->rdata.type;
+
+				/*
+				 * Now "name" and "type" denote a new unique
+				 * RRset affected by the update.
+				 */
+
+				/* Don't sign RRSIGs. */
+				if (type == dns_rdatatype_rrsig) {
+					goto skip;
+				}
+
+				/*
+				 * Delete all old RRSIGs covering this type,
+				 * since they are all invalid when the signed
+				 * RRset has changed.  We may not be able to
+				 * recreate all of them - tough.
+				 * Special case changes to the zone's DNSKEY
+				 * records to support offline KSKs.
+				 */
+				if (type == dns_rdatatype_dnskey) {
+					del_keysigs(db, newver, name,
+						    &state->sig_diff,
+						    state->zone_keys,
+						    state->nkeys);
+				} else {
+					CHECK(delete_if(
+						true_p, db, newver, name,
+						dns_rdatatype_rrsig, type, NULL,
+						&state->sig_diff));
+				}
+
+				/*
+				 * If this RRset is still visible after the
+				 * update, add a new signature for it.
+				 */
+				CHECK(rrset_visible(db, newver, name, type,
+						    &flag));
+				if (flag) {
+					isc_stdtime_t exp;
+					if (type == dns_rdatatype_dnskey ||
+					    type == dns_rdatatype_cdnskey ||
+					    type == dns_rdatatype_cds)
+					{
+						exp = state->keyexpire;
+					} else if (type == dns_rdatatype_soa) {
+						exp = state->soaexpire;
+					} else {
+						exp = state->expire;
+					}
+
+					CHECK(add_sigs(
+						log, zone, db, newver, name,
+						type, &state->sig_diff,
+						state->zone_keys, state->nkeys,
+						state->inception, exp,
+						state->check_ksk,
+						state->keyset_kskonly));
+					sigs++;
+				}
+			skip:
+				/* Skip any other updates to the same RRset. */
+				while (t != NULL &&
+				       dns_name_equal(&t->name, name) &&
+				       t->rdata.type == type)
+				{
+					next = ISC_LIST_NEXT(t, link);
+					ISC_LIST_UNLINK(diff->tuples, t, link);
+					ISC_LIST_APPEND(state->work.tuples, t,
+							link);
+					t = next;
+				}
+			}
+			if (state != &mystate && sigs > maxsigs) {
+				return (DNS_R_CONTINUE);
+			}
+		}
+		ISC_LIST_APPENDLIST(diff->tuples, state->work.tuples, link);
+
+		update_log(log, zone, ISC_LOG_DEBUG(3),
+			   "updated data signatures");
+		FALLTHROUGH;
+	case remove_orphaned:
+		state->state = remove_orphaned;
+
+		/* Remove orphaned NSECs and RRSIG NSECs. */
+		for (t = ISC_LIST_HEAD(state->diffnames.tuples); t != NULL;
+		     t = ISC_LIST_NEXT(t, link))
+		{
+			CHECK(non_nsec_rrset_exists(db, newver, &t->name,
+						    &flag));
+			if (!flag) {
+				CHECK(delete_if(true_p, db, newver, &t->name,
+						dns_rdatatype_any, 0, NULL,
+						&state->sig_diff));
+			}
+		}
+		update_log(log, zone, ISC_LOG_DEBUG(3),
+			   "removed any orphaned NSEC records");
+
+		/*
+		 * See if we need to build NSEC or NSEC3 chains.
+		 */
+		CHECK(dns_private_chains(db, newver, privatetype, &build_nsec,
+					 &state->build_nsec3));
+		if (!build_nsec) {
+			state->state = update_nsec3;
+			goto next_state;
+		}
+
+		update_log(log, zone, ISC_LOG_DEBUG(3),
+			   "rebuilding NSEC chain");
+
+		FALLTHROUGH;
+	case build_chain:
+		state->state = build_chain;
+		/*
+		 * When a name is created or deleted, its predecessor needs to
+		 * have its NSEC updated.
+		 */
+		for (t = ISC_LIST_HEAD(state->diffnames.tuples); t != NULL;
+		     t = ISC_LIST_NEXT(t, link))
+		{
+			bool existed, exists;
+			dns_fixedname_t fixedname;
+			dns_name_t *prevname;
+
+			prevname = dns_fixedname_initname(&fixedname);
+
+			if (oldver != NULL) {
+				CHECK(name_exists(db, oldver, &t->name,
+						  &existed));
+			} else {
+				existed = false;
+			}
+			CHECK(name_exists(db, newver, &t->name, &exists));
+			if (exists == existed) {
+				continue;
+			}
+
+			/*
+			 * Find the predecessor.
+			 * When names become obscured or unobscured in this
+			 * update transaction, we may find the wrong
+			 * predecessor because the NSECs have not yet been
+			 * updated to reflect the delegation change.  This
+			 * should not matter because in this case, the correct
+			 * predecessor is either the delegation node or a
+			 * newly unobscured node, and those nodes are on the
+			 * "affected" list in any case.
+			 */
+			CHECK(next_active(log, zone, db, newver, &t->name,
+					  prevname, false));
+			CHECK(namelist_append_name(&state->affected, prevname));
+		}
+
+		/*
+		 * Find names potentially affected by delegation changes
+		 * (obscured by adding an NS or DNAME, or unobscured by
+		 * removing one).
+		 */
+		for (t = ISC_LIST_HEAD(state->diffnames.tuples); t != NULL;
+		     t = ISC_LIST_NEXT(t, link))
+		{
+			bool ns_existed, dname_existed;
+			bool ns_exists, dname_exists;
+
+			if (oldver != NULL) {
+				CHECK(rrset_exists(db, oldver, &t->name,
+						   dns_rdatatype_ns, 0,
+						   &ns_existed));
+			} else {
+				ns_existed = false;
+			}
+			if (oldver != NULL) {
+				CHECK(rrset_exists(db, oldver, &t->name,
+						   dns_rdatatype_dname, 0,
+						   &dname_existed));
+			} else {
+				dname_existed = false;
+			}
+			CHECK(rrset_exists(db, newver, &t->name,
+					   dns_rdatatype_ns, 0, &ns_exists));
+			CHECK(rrset_exists(db, newver, &t->name,
+					   dns_rdatatype_dname, 0,
+					   &dname_exists));
+			if ((ns_exists || dname_exists) ==
+			    (ns_existed || dname_existed))
+			{
+				continue;
+			}
+			/*
+			 * There was a delegation change.  Mark all subdomains
+			 * of t->name as potentially needing a NSEC update.
+			 */
+			CHECK(namelist_append_subdomain(db, &t->name,
+							&state->affected));
+		}
+		ISC_LIST_APPENDLIST(state->affected.tuples,
+				    state->diffnames.tuples, link);
+		INSIST(ISC_LIST_EMPTY(state->diffnames.tuples));
+
+		CHECK(uniqify_name_list(&state->affected));
+
+		FALLTHROUGH;
+	case process_nsec:
+		state->state = process_nsec;
+
+		/*
+		 * Determine which names should have NSECs, and delete/create
+		 * NSECs to make it so.  We don't know the final NSEC targets
+		 * yet, so we just create placeholder NSECs with arbitrary
+		 * contents to indicate that their respective owner names
+		 * should be part of the NSEC chain.
+		 */
+		while ((t = ISC_LIST_HEAD(state->affected.tuples)) != NULL) {
+			bool exists;
+			dns_name_t *name = &t->name;
+
+			CHECK(name_exists(db, newver, name, &exists));
+			if (!exists) {
+				goto unlink;
+			}
+			CHECK(is_active(db, newver, name, &flag, &cut, NULL));
+			if (!flag) {
+				/*
+				 * This name is obscured.  Delete any
+				 * existing NSEC record.
+				 */
+				CHECK(delete_if(true_p, db, newver, name,
+						dns_rdatatype_nsec, 0, NULL,
+						&state->nsec_diff));
+				CHECK(delete_if(rrsig_p, db, newver, name,
+						dns_rdatatype_any, 0, NULL,
+						diff));
+			} else {
+				/*
+				 * This name is not obscured.  It needs to have
+				 * a NSEC unless it is the at the origin, in
+				 * which case it should already exist if there
+				 * is a complete NSEC chain and if there isn't
+				 * a complete NSEC chain we don't want to add
+				 * one as that would signal that there is a
+				 * complete NSEC chain.
+				 */
+				if (!dns_name_equal(name, dns_db_origin(db))) {
+					CHECK(rrset_exists(db, newver, name,
+							   dns_rdatatype_nsec,
+							   0, &flag));
+					if (!flag) {
+						CHECK(add_placeholder_nsec(
+							db, newver, name,
+							diff));
+					}
+				}
+				CHECK(add_exposed_sigs(
+					log, zone, db, newver, name, cut,
+					&state->sig_diff, state->zone_keys,
+					state->nkeys, state->inception,
+					state->expire, state->check_ksk,
+					state->keyset_kskonly, &sigs));
+			}
+		unlink:
+			ISC_LIST_UNLINK(state->affected.tuples, t, link);
+			ISC_LIST_APPEND(state->work.tuples, t, link);
+			if (state != &mystate && sigs > maxsigs) {
+				return (DNS_R_CONTINUE);
+			}
+		}
+		ISC_LIST_APPENDLIST(state->affected.tuples, state->work.tuples,
+				    link);
+
+		/*
+		 * Now we know which names are part of the NSEC chain.
+		 * Make them all point at their correct targets.
+		 */
+		for (t = ISC_LIST_HEAD(state->affected.tuples); t != NULL;
+		     t = ISC_LIST_NEXT(t, link))
+		{
+			CHECK(rrset_exists(db, newver, &t->name,
+					   dns_rdatatype_nsec, 0, &flag));
+			if (flag) {
+				/*
+				 * There is a NSEC, but we don't know if it
+				 * is correct. Delete it and create a correct
+				 * one to be sure. If the update was
+				 * unnecessary, the diff minimization
+				 * will take care of eliminating it from the
+				 * journal, IXFRs, etc.
+				 *
+				 * The RRSIG bit should always be set in the
+				 * NSECs we generate, because they will all
+				 * get RRSIG NSECs.
+				 * (XXX what if the zone keys are missing?).
+				 * Because the RRSIG NSECs have not necessarily
+				 * been created yet, the correctness of the
+				 * bit mask relies on the assumption that NSECs
+				 * are only created if there is other data, and
+				 * if there is other data, there are other
+				 * RRSIGs.
+				 */
+				CHECK(add_nsec(log, zone, db, newver, &t->name,
+					       state->nsecttl,
+					       &state->nsec_diff));
+			}
+		}
+
+		/*
+		 * Minimize the set of NSEC updates so that we don't
+		 * have to regenerate the RRSIG NSECs for NSECs that were
+		 * replaced with identical ones.
+		 */
+		while ((t = ISC_LIST_HEAD(state->nsec_diff.tuples)) != NULL) {
+			ISC_LIST_UNLINK(state->nsec_diff.tuples, t, link);
+			dns_diff_appendminimal(&state->nsec_mindiff, &t);
+		}
+
+		update_log(log, zone, ISC_LOG_DEBUG(3),
+			   "signing rebuilt NSEC chain");
+
+		FALLTHROUGH;
+	case sign_nsec:
+		state->state = sign_nsec;
+		/* Update RRSIG NSECs. */
+		while ((t = ISC_LIST_HEAD(state->nsec_mindiff.tuples)) != NULL)
+		{
+			if (t->op == DNS_DIFFOP_DEL) {
+				CHECK(delete_if(true_p, db, newver, &t->name,
+						dns_rdatatype_rrsig,
+						dns_rdatatype_nsec, NULL,
+						&state->sig_diff));
+			} else if (t->op == DNS_DIFFOP_ADD) {
+				CHECK(add_sigs(log, zone, db, newver, &t->name,
+					       dns_rdatatype_nsec,
+					       &state->sig_diff,
+					       state->zone_keys, state->nkeys,
+					       state->inception, state->expire,
+					       state->check_ksk,
+					       state->keyset_kskonly));
+				sigs++;
+			} else {
+				UNREACHABLE();
+			}
+			ISC_LIST_UNLINK(state->nsec_mindiff.tuples, t, link);
+			ISC_LIST_APPEND(state->work.tuples, t, link);
+			if (state != &mystate && sigs > maxsigs) {
+				return (DNS_R_CONTINUE);
+			}
+		}
+		ISC_LIST_APPENDLIST(state->nsec_mindiff.tuples,
+				    state->work.tuples, link);
+		FALLTHROUGH;
+	case update_nsec3:
+		state->state = update_nsec3;
+
+		/* Record our changes for the journal. */
+		while ((t = ISC_LIST_HEAD(state->sig_diff.tuples)) != NULL) {
+			ISC_LIST_UNLINK(state->sig_diff.tuples, t, link);
+			dns_diff_appendminimal(diff, &t);
+		}
+		while ((t = ISC_LIST_HEAD(state->nsec_mindiff.tuples)) != NULL)
+		{
+			ISC_LIST_UNLINK(state->nsec_mindiff.tuples, t, link);
+			dns_diff_appendminimal(diff, &t);
+		}
+
+		INSIST(ISC_LIST_EMPTY(state->sig_diff.tuples));
+		INSIST(ISC_LIST_EMPTY(state->nsec_diff.tuples));
+		INSIST(ISC_LIST_EMPTY(state->nsec_mindiff.tuples));
+
+		if (!state->build_nsec3) {
+			update_log(log, zone, ISC_LOG_DEBUG(3),
+				   "no NSEC3 chains to rebuild");
+			goto failure;
+		}
+
+		update_log(log, zone, ISC_LOG_DEBUG(3),
+			   "rebuilding NSEC3 chains");
+
+		dns_diff_clear(&state->diffnames);
+		dns_diff_clear(&state->affected);
+
+		CHECK(dns_diff_sort(diff, temp_order));
+
+		/*
+		 * Find names potentially affected by delegation changes
+		 * (obscured by adding an NS or DNAME, or unobscured by
+		 * removing one).
+		 */
+		t = ISC_LIST_HEAD(diff->tuples);
+		while (t != NULL) {
+			dns_name_t *name = &t->name;
+
+			bool ns_existed, dname_existed;
+			bool ns_exists, dname_exists;
+			bool exists, existed;
+
+			if (t->rdata.type == dns_rdatatype_nsec ||
+			    t->rdata.type == dns_rdatatype_rrsig)
+			{
+				t = ISC_LIST_NEXT(t, link);
+				continue;
+			}
+
+			CHECK(namelist_append_name(&state->affected, name));
+
+			if (oldver != NULL) {
+				CHECK(rrset_exists(db, oldver, name,
+						   dns_rdatatype_ns, 0,
+						   &ns_existed));
+			} else {
+				ns_existed = false;
+			}
+			if (oldver != NULL) {
+				CHECK(rrset_exists(db, oldver, name,
+						   dns_rdatatype_dname, 0,
+						   &dname_existed));
+			} else {
+				dname_existed = false;
+			}
+			CHECK(rrset_exists(db, newver, name, dns_rdatatype_ns,
+					   0, &ns_exists));
+			CHECK(rrset_exists(db, newver, name,
+					   dns_rdatatype_dname, 0,
+					   &dname_exists));
+
+			exists = ns_exists || dname_exists;
+			existed = ns_existed || dname_existed;
+			if (exists == existed) {
+				goto nextname;
+			}
+			/*
+			 * There was a delegation change.  Mark all subdomains
+			 * of t->name as potentially needing a NSEC3 update.
+			 */
+			CHECK(namelist_append_subdomain(db, name,
+							&state->affected));
+
+		nextname:
+			while (t != NULL && dns_name_equal(&t->name, name)) {
+				t = ISC_LIST_NEXT(t, link);
+			}
+		}
+
+		FALLTHROUGH;
+	case process_nsec3:
+		state->state = process_nsec3;
+		while ((t = ISC_LIST_HEAD(state->affected.tuples)) != NULL) {
+			dns_name_t *name = &t->name;
+
+			unsecure = false; /* Silence compiler warning. */
+			CHECK(is_active(db, newver, name, &flag, &cut,
+					&unsecure));
+
+			if (!flag) {
+				CHECK(delete_if(rrsig_p, db, newver, name,
+						dns_rdatatype_any, 0, NULL,
+						diff));
+				CHECK(dns_nsec3_delnsec3sx(db, newver, name,
+							   privatetype,
+							   &state->nsec_diff));
+			} else {
+				CHECK(add_exposed_sigs(
+					log, zone, db, newver, name, cut,
+					&state->sig_diff, state->zone_keys,
+					state->nkeys, state->inception,
+					state->expire, state->check_ksk,
+					state->keyset_kskonly, &sigs));
+				CHECK(dns_nsec3_addnsec3sx(
+					db, newver, name, state->nsecttl,
+					unsecure, privatetype,
+					&state->nsec_diff));
+			}
+			ISC_LIST_UNLINK(state->affected.tuples, t, link);
+			ISC_LIST_APPEND(state->work.tuples, t, link);
+			if (state != &mystate && sigs > maxsigs) {
+				return (DNS_R_CONTINUE);
+			}
+		}
+		ISC_LIST_APPENDLIST(state->affected.tuples, state->work.tuples,
+				    link);
+
+		/*
+		 * Minimize the set of NSEC3 updates so that we don't
+		 * have to regenerate the RRSIG NSEC3s for NSEC3s that were
+		 * replaced with identical ones.
+		 */
+		while ((t = ISC_LIST_HEAD(state->nsec_diff.tuples)) != NULL) {
+			ISC_LIST_UNLINK(state->nsec_diff.tuples, t, link);
+			dns_diff_appendminimal(&state->nsec_mindiff, &t);
+		}
+
+		update_log(log, zone, ISC_LOG_DEBUG(3),
+			   "signing rebuilt NSEC3 chain");
+
+		FALLTHROUGH;
+	case sign_nsec3:
+		state->state = sign_nsec3;
+		/* Update RRSIG NSEC3s. */
+		while ((t = ISC_LIST_HEAD(state->nsec_mindiff.tuples)) != NULL)
+		{
+			if (t->op == DNS_DIFFOP_DEL) {
+				CHECK(delete_if(true_p, db, newver, &t->name,
+						dns_rdatatype_rrsig,
+						dns_rdatatype_nsec3, NULL,
+						&state->sig_diff));
+			} else if (t->op == DNS_DIFFOP_ADD) {
+				CHECK(add_sigs(log, zone, db, newver, &t->name,
+					       dns_rdatatype_nsec3,
+					       &state->sig_diff,
+					       state->zone_keys, state->nkeys,
+					       state->inception, state->expire,
+					       state->check_ksk,
+					       state->keyset_kskonly));
+				sigs++;
+			} else {
+				UNREACHABLE();
+			}
+			ISC_LIST_UNLINK(state->nsec_mindiff.tuples, t, link);
+			ISC_LIST_APPEND(state->work.tuples, t, link);
+			if (state != &mystate && sigs > maxsigs) {
+				return (DNS_R_CONTINUE);
+			}
+		}
+		ISC_LIST_APPENDLIST(state->nsec_mindiff.tuples,
+				    state->work.tuples, link);
+
+		/* Record our changes for the journal. */
+		while ((t = ISC_LIST_HEAD(state->sig_diff.tuples)) != NULL) {
+			ISC_LIST_UNLINK(state->sig_diff.tuples, t, link);
+			dns_diff_appendminimal(diff, &t);
+		}
+		while ((t = ISC_LIST_HEAD(state->nsec_mindiff.tuples)) != NULL)
+		{
+			ISC_LIST_UNLINK(state->nsec_mindiff.tuples, t, link);
+			dns_diff_appendminimal(diff, &t);
+		}
+
+		INSIST(ISC_LIST_EMPTY(state->sig_diff.tuples));
+		INSIST(ISC_LIST_EMPTY(state->nsec_diff.tuples));
+		INSIST(ISC_LIST_EMPTY(state->nsec_mindiff.tuples));
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+failure:
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+
+	dns_diff_clear(&state->sig_diff);
+	dns_diff_clear(&state->nsec_diff);
+	dns_diff_clear(&state->nsec_mindiff);
+
+	dns_diff_clear(&state->affected);
+	dns_diff_clear(&state->diffnames);
+	dns_diff_clear(&state->work);
+
+	for (i = 0; i < state->nkeys; i++) {
+		dst_key_free(&state->zone_keys[i]);
+	}
+
+	if (state != &mystate) {
+		*statep = NULL;
+		state->magic = 0;
+		isc_mem_put(diff->mctx, state, sizeof(*state));
+	}
+
+	return (result);
+}
+
+static isc_stdtime_t
+epoch_to_yyyymmdd(time_t when) {
+	struct tm t, *tm = localtime_r(&when, &t);
+	if (tm == NULL) {
+		return (0);
+	}
+	return (((tm->tm_year + 1900) * 10000) + ((tm->tm_mon + 1) * 100) +
+		tm->tm_mday);
+}
+
+static uint32_t
+dns__update_soaserial(uint32_t serial, dns_updatemethod_t method) {
+	isc_stdtime_t now;
+
+	switch (method) {
+	case dns_updatemethod_none:
+		return (serial);
+	case dns_updatemethod_unixtime:
+		isc_stdtime_get(&now);
+		return (now);
+	case dns_updatemethod_date:
+		isc_stdtime_get(&now);
+		return (epoch_to_yyyymmdd((time_t)now) * 100);
+	case dns_updatemethod_increment:
+		/* RFC1982 */
+		serial = (serial + 1) & 0xFFFFFFFF;
+		if (serial == 0) {
+			return (1);
+		}
+		return (serial);
+	default:
+		UNREACHABLE();
+	}
+}
+
+uint32_t
+dns_update_soaserial(uint32_t serial, dns_updatemethod_t method,
+		     dns_updatemethod_t *used) {
+	uint32_t new_serial = dns__update_soaserial(serial, method);
+	switch (method) {
+	case dns_updatemethod_none:
+	case dns_updatemethod_increment:
+		break;
+	case dns_updatemethod_unixtime:
+	case dns_updatemethod_date:
+		if (!(new_serial != 0 && isc_serial_gt(new_serial, serial))) {
+			/*
+			 * If the new date serial following YYYYMMDD00 is equal
+			 * to or smaller than the current serial, but YYYYMMDD99
+			 * would be larger, pretend we have used the
+			 * "dns_updatemethod_date" method.
+			 */
+			if (method == dns_updatemethod_unixtime ||
+			    !isc_serial_gt(new_serial + 99, serial))
+			{
+				method = dns_updatemethod_increment;
+			}
+			new_serial = dns__update_soaserial(
+				serial, dns_updatemethod_increment);
+		}
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	if (used != NULL) {
+		*used = method;
+	}
+
+	return (new_serial);
+}
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
new file mode 100644
index 0000000..6cf717f
--- /dev/null
+++ b/lib/dns/validator.c
@@ -0,0 +1,3394 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/base32.h>
+#include <isc/md.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/util.h>
+
+#include <dns/client.h>
+#include <dns/db.h>
+#include <dns/dnssec.h>
+#include <dns/ds.h>
+#include <dns/events.h>
+#include <dns/keytable.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/message.h>
+#include <dns/ncache.h>
+#include <dns/nsec.h>
+#include <dns/nsec3.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatatype.h>
+#include <dns/resolver.h>
+#include <dns/result.h>
+#include <dns/validator.h>
+#include <dns/view.h>
+
+/*! \file
+ * \brief
+ * Basic processing sequences:
+ *
+ * \li When called with rdataset and sigrdataset:
+ *     validator_start -> validate_answer -> proveunsecure
+ *     validator_start -> validate_answer -> validate_nx (if secure wildcard)
+ *
+ * \li When called with rdataset but no sigrdataset:
+ *     validator_start -> proveunsecure
+ *
+ * \li When called with no rdataset or sigrdataset:
+ *     validator_start -> validate_nx-> proveunsecure
+ *
+ * validator_start:   determine what type of validation to do.
+ * validate_answer:   attempt to perform a positive validation.
+ * proveunsecure:     attempt to prove the answer comes from an unsecure zone.
+ * validate_nx:       attempt to prove a negative response.
+ */
+
+#define VALIDATOR_MAGIC	   ISC_MAGIC('V', 'a', 'l', '?')
+#define VALID_VALIDATOR(v) ISC_MAGIC_VALID(v, VALIDATOR_MAGIC)
+
+#define VALATTR_SHUTDOWN 0x0001 /*%< Shutting down. */
+#define VALATTR_CANCELED 0x0002 /*%< Canceled. */
+#define VALATTR_TRIEDVERIFY                                    \
+	0x0004			  /*%< We have found a key and \
+				   * have attempted a verify. */
+#define VALATTR_INSECURITY 0x0010 /*%< Attempting proveunsecure. */
+
+/*!
+ * NSEC proofs to be looked for.
+ */
+#define VALATTR_NEEDNOQNAME    0x00000100
+#define VALATTR_NEEDNOWILDCARD 0x00000200
+#define VALATTR_NEEDNODATA     0x00000400
+
+/*!
+ * NSEC proofs that have been found.
+ */
+#define VALATTR_FOUNDNOQNAME	0x00001000
+#define VALATTR_FOUNDNOWILDCARD 0x00002000
+#define VALATTR_FOUNDNODATA	0x00004000
+#define VALATTR_FOUNDCLOSEST	0x00008000
+#define VALATTR_FOUNDOPTOUT	0x00010000
+#define VALATTR_FOUNDUNKNOWN	0x00020000
+
+#define NEEDNODATA(val)	     ((val->attributes & VALATTR_NEEDNODATA) != 0)
+#define NEEDNOQNAME(val)     ((val->attributes & VALATTR_NEEDNOQNAME) != 0)
+#define NEEDNOWILDCARD(val)  ((val->attributes & VALATTR_NEEDNOWILDCARD) != 0)
+#define FOUNDNODATA(val)     ((val->attributes & VALATTR_FOUNDNODATA) != 0)
+#define FOUNDNOQNAME(val)    ((val->attributes & VALATTR_FOUNDNOQNAME) != 0)
+#define FOUNDNOWILDCARD(val) ((val->attributes & VALATTR_FOUNDNOWILDCARD) != 0)
+#define FOUNDCLOSEST(val)    ((val->attributes & VALATTR_FOUNDCLOSEST) != 0)
+#define FOUNDOPTOUT(val)     ((val->attributes & VALATTR_FOUNDOPTOUT) != 0)
+
+#define SHUTDOWN(v) (((v)->attributes & VALATTR_SHUTDOWN) != 0)
+#define CANCELED(v) (((v)->attributes & VALATTR_CANCELED) != 0)
+
+#define NEGATIVE(r) (((r)->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
+#define NXDOMAIN(r) (((r)->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
+
+static void
+destroy(dns_validator_t *val);
+
+static isc_result_t
+select_signing_key(dns_validator_t *val, dns_rdataset_t *rdataset);
+
+static isc_result_t
+validate_answer(dns_validator_t *val, bool resume);
+
+static isc_result_t
+validate_dnskey(dns_validator_t *val);
+
+static isc_result_t
+validate_nx(dns_validator_t *val, bool resume);
+
+static isc_result_t
+proveunsecure(dns_validator_t *val, bool have_ds, bool resume);
+
+static void
+validator_logv(dns_validator_t *val, isc_logcategory_t *category,
+	       isc_logmodule_t *module, int level, const char *fmt, va_list ap)
+	ISC_FORMAT_PRINTF(5, 0);
+
+static void
+validator_log(void *val, int level, const char *fmt, ...)
+	ISC_FORMAT_PRINTF(3, 4);
+
+static void
+validator_logcreate(dns_validator_t *val, dns_name_t *name,
+		    dns_rdatatype_t type, const char *caller,
+		    const char *operation);
+
+/*%
+ * Ensure the validator's rdatasets are marked as expired.
+ */
+static void
+expire_rdatasets(dns_validator_t *val) {
+	if (dns_rdataset_isassociated(&val->frdataset)) {
+		dns_rdataset_expire(&val->frdataset);
+	}
+	if (dns_rdataset_isassociated(&val->fsigrdataset)) {
+		dns_rdataset_expire(&val->fsigrdataset);
+	}
+}
+
+/*%
+ * Ensure the validator's rdatasets are disassociated.
+ */
+static void
+disassociate_rdatasets(dns_validator_t *val) {
+	if (dns_rdataset_isassociated(&val->fdsset)) {
+		dns_rdataset_disassociate(&val->fdsset);
+	}
+	if (dns_rdataset_isassociated(&val->frdataset)) {
+		dns_rdataset_disassociate(&val->frdataset);
+	}
+	if (dns_rdataset_isassociated(&val->fsigrdataset)) {
+		dns_rdataset_disassociate(&val->fsigrdataset);
+	}
+}
+
+/*%
+ * Mark the rdatasets in val->event with trust level "answer",
+ * indicating that they did not validate, but could be cached as insecure.
+ *
+ * If we are validating a name that is marked as "must be secure", log a
+ * warning and return DNS_R_MUSTBESECURE instead.
+ */
+static isc_result_t
+markanswer(dns_validator_t *val, const char *where, const char *mbstext) {
+	if (val->mustbesecure && mbstext != NULL) {
+		validator_log(val, ISC_LOG_WARNING,
+			      "must be secure failure, %s", mbstext);
+		return (DNS_R_MUSTBESECURE);
+	}
+
+	validator_log(val, ISC_LOG_DEBUG(3), "marking as answer (%s)", where);
+	if (val->event->rdataset != NULL) {
+		dns_rdataset_settrust(val->event->rdataset, dns_trust_answer);
+	}
+	if (val->event->sigrdataset != NULL) {
+		dns_rdataset_settrust(val->event->sigrdataset,
+				      dns_trust_answer);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Mark the RRsets in val->event with trust level secure.
+ */
+static void
+marksecure(dns_validatorevent_t *event) {
+	dns_rdataset_settrust(event->rdataset, dns_trust_secure);
+	if (event->sigrdataset != NULL) {
+		dns_rdataset_settrust(event->sigrdataset, dns_trust_secure);
+	}
+	event->secure = true;
+}
+
+/*
+ * Validator 'val' is finished; send the completion event to the task
+ * that called dns_validator_create(), with result `result`.
+ */
+static void
+validator_done(dns_validator_t *val, isc_result_t result) {
+	isc_task_t *task;
+
+	if (val->event == NULL) {
+		return;
+	}
+
+	/*
+	 * Caller must be holding the lock.
+	 */
+
+	val->event->result = result;
+	task = val->event->ev_sender;
+	val->event->ev_sender = val;
+	val->event->ev_type = DNS_EVENT_VALIDATORDONE;
+	val->event->ev_action = val->action;
+	val->event->ev_arg = val->arg;
+	isc_task_sendanddetach(&task, (isc_event_t **)&val->event);
+}
+
+/*
+ * Called when deciding whether to destroy validator 'val'.
+ */
+static bool
+exit_check(dns_validator_t *val) {
+	/*
+	 * Caller must be holding the lock.
+	 */
+	if (!SHUTDOWN(val)) {
+		return (false);
+	}
+
+	INSIST(val->event == NULL);
+
+	if (val->fetch != NULL || val->subvalidator != NULL) {
+		return (false);
+	}
+
+	return (true);
+}
+
+/*%
+ * Look in the NSEC record returned from a DS query to see if there is
+ * a NS RRset at this name.  If it is found we are at a delegation point.
+ */
+static bool
+isdelegation(dns_name_t *name, dns_rdataset_t *rdataset,
+	     isc_result_t dbresult) {
+	dns_fixedname_t fixed;
+	dns_label_t hashlabel;
+	dns_name_t nsec3name;
+	dns_rdata_nsec3_t nsec3;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdataset_t set;
+	int order;
+	int scope;
+	bool found;
+	isc_buffer_t buffer;
+	isc_result_t result;
+	unsigned char hash[NSEC3_MAX_HASH_LENGTH];
+	unsigned char owner[NSEC3_MAX_HASH_LENGTH];
+	unsigned int length;
+
+	REQUIRE(dbresult == DNS_R_NXRRSET || dbresult == DNS_R_NCACHENXRRSET);
+
+	dns_rdataset_init(&set);
+	if (dbresult == DNS_R_NXRRSET) {
+		dns_rdataset_clone(rdataset, &set);
+	} else {
+		result = dns_ncache_getrdataset(rdataset, name,
+						dns_rdatatype_nsec, &set);
+		if (result == ISC_R_NOTFOUND) {
+			goto trynsec3;
+		}
+		if (result != ISC_R_SUCCESS) {
+			return (false);
+		}
+	}
+
+	INSIST(set.type == dns_rdatatype_nsec);
+
+	found = false;
+	result = dns_rdataset_first(&set);
+	if (result == ISC_R_SUCCESS) {
+		dns_rdataset_current(&set, &rdata);
+		found = dns_nsec_typepresent(&rdata, dns_rdatatype_ns);
+		dns_rdata_reset(&rdata);
+	}
+	dns_rdataset_disassociate(&set);
+	return (found);
+
+trynsec3:
+	/*
+	 * Iterate over the ncache entry.
+	 */
+	found = false;
+	dns_name_init(&nsec3name, NULL);
+	dns_fixedname_init(&fixed);
+	dns_name_downcase(name, dns_fixedname_name(&fixed), NULL);
+	name = dns_fixedname_name(&fixed);
+	for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(rdataset))
+	{
+		dns_ncache_current(rdataset, &nsec3name, &set);
+		if (set.type != dns_rdatatype_nsec3) {
+			dns_rdataset_disassociate(&set);
+			continue;
+		}
+		dns_name_getlabel(&nsec3name, 0, &hashlabel);
+		isc_region_consume(&hashlabel, 1);
+		isc_buffer_init(&buffer, owner, sizeof(owner));
+		result = isc_base32hexnp_decoderegion(&hashlabel, &buffer);
+		if (result != ISC_R_SUCCESS) {
+			dns_rdataset_disassociate(&set);
+			continue;
+		}
+		for (result = dns_rdataset_first(&set); result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&set))
+		{
+			dns_rdata_reset(&rdata);
+			dns_rdataset_current(&set, &rdata);
+			(void)dns_rdata_tostruct(&rdata, &nsec3, NULL);
+			if (nsec3.hash != 1) {
+				continue;
+			}
+			length = isc_iterated_hash(
+				hash, nsec3.hash, nsec3.iterations, nsec3.salt,
+				nsec3.salt_length, name->ndata, name->length);
+			if (length != isc_buffer_usedlength(&buffer)) {
+				continue;
+			}
+			order = memcmp(hash, owner, length);
+			if (order == 0) {
+				found = dns_nsec3_typepresent(&rdata,
+							      dns_rdatatype_ns);
+				dns_rdataset_disassociate(&set);
+				return (found);
+			}
+			if ((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) == 0) {
+				continue;
+			}
+			/*
+			 * Does this optout span cover the name?
+			 */
+			scope = memcmp(owner, nsec3.next, nsec3.next_length);
+			if ((scope < 0 && order > 0 &&
+			     memcmp(hash, nsec3.next, length) < 0) ||
+			    (scope >= 0 &&
+			     (order > 0 ||
+			      memcmp(hash, nsec3.next, length) < 0)))
+			{
+				dns_rdataset_disassociate(&set);
+				return (true);
+			}
+		}
+		dns_rdataset_disassociate(&set);
+	}
+	return (found);
+}
+
+/*%
+ * We have been asked to look for a key.
+ * If found, resume the validation process.
+ * If not found, fail the validation process.
+ */
+static void
+fetch_callback_dnskey(isc_task_t *task, isc_event_t *event) {
+	dns_fetchevent_t *devent;
+	dns_validator_t *val;
+	dns_rdataset_t *rdataset;
+	bool want_destroy;
+	isc_result_t result;
+	isc_result_t eresult;
+	isc_result_t saved_result;
+	dns_fetch_t *fetch;
+
+	UNUSED(task);
+	INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
+	devent = (dns_fetchevent_t *)event;
+	val = devent->ev_arg;
+	rdataset = &val->frdataset;
+	eresult = devent->result;
+
+	/* Free resources which are not of interest. */
+	if (devent->node != NULL) {
+		dns_db_detachnode(devent->db, &devent->node);
+	}
+	if (devent->db != NULL) {
+		dns_db_detach(&devent->db);
+	}
+	if (dns_rdataset_isassociated(&val->fsigrdataset)) {
+		dns_rdataset_disassociate(&val->fsigrdataset);
+	}
+	isc_event_free(&event);
+
+	INSIST(val->event != NULL);
+
+	validator_log(val, ISC_LOG_DEBUG(3), "in fetch_callback_dnskey");
+	LOCK(&val->lock);
+	fetch = val->fetch;
+	val->fetch = NULL;
+	if (CANCELED(val)) {
+		validator_done(val, ISC_R_CANCELED);
+	} else if (eresult == ISC_R_SUCCESS || eresult == DNS_R_NCACHENXRRSET) {
+		/*
+		 * We have an answer to our DNSKEY query.  Either the DNSKEY
+		 * RRset or a NODATA response.
+		 */
+		validator_log(val, ISC_LOG_DEBUG(3), "%s with trust %s",
+			      eresult == ISC_R_SUCCESS ? "keyset"
+						       : "NCACHENXRRSET",
+			      dns_trust_totext(rdataset->trust));
+		/*
+		 * Only extract the dst key if the keyset exists and is secure.
+		 */
+		if (eresult == ISC_R_SUCCESS &&
+		    rdataset->trust >= dns_trust_secure)
+		{
+			result = select_signing_key(val, rdataset);
+			if (result == ISC_R_SUCCESS) {
+				val->keyset = &val->frdataset;
+			}
+		}
+		result = validate_answer(val, true);
+		if (result == DNS_R_NOVALIDSIG &&
+		    (val->attributes & VALATTR_TRIEDVERIFY) == 0)
+		{
+			saved_result = result;
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "falling back to insecurity proof");
+			result = proveunsecure(val, false, false);
+			if (result == DNS_R_NOTINSECURE) {
+				result = saved_result;
+			}
+		}
+		if (result != DNS_R_WAIT) {
+			validator_done(val, result);
+		}
+	} else {
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "fetch_callback_dnskey: got %s",
+			      isc_result_totext(eresult));
+		if (eresult == ISC_R_CANCELED) {
+			validator_done(val, eresult);
+		} else {
+			validator_done(val, DNS_R_BROKENCHAIN);
+		}
+	}
+
+	want_destroy = exit_check(val);
+	UNLOCK(&val->lock);
+
+	if (fetch != NULL) {
+		dns_resolver_destroyfetch(&fetch);
+	}
+
+	if (want_destroy) {
+		destroy(val);
+	}
+}
+
+/*%
+ * We have been asked to look for a DS. This may be part of
+ * walking a trust chain, or an insecurity proof.
+ */
+static void
+fetch_callback_ds(isc_task_t *task, isc_event_t *event) {
+	dns_fetchevent_t *devent;
+	dns_validator_t *val;
+	dns_rdataset_t *rdataset;
+	bool want_destroy, trustchain;
+	isc_result_t result;
+	isc_result_t eresult;
+	dns_fetch_t *fetch;
+
+	UNUSED(task);
+	INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
+	devent = (dns_fetchevent_t *)event;
+	val = devent->ev_arg;
+	rdataset = &val->frdataset;
+	eresult = devent->result;
+
+	/*
+	 * Set 'trustchain' to true if we're walking a chain of
+	 * trust; false if we're attempting to prove insecurity.
+	 */
+	trustchain = ((val->attributes & VALATTR_INSECURITY) == 0);
+
+	/* Free resources which are not of interest. */
+	if (devent->node != NULL) {
+		dns_db_detachnode(devent->db, &devent->node);
+	}
+	if (devent->db != NULL) {
+		dns_db_detach(&devent->db);
+	}
+	if (dns_rdataset_isassociated(&val->fsigrdataset)) {
+		dns_rdataset_disassociate(&val->fsigrdataset);
+	}
+
+	INSIST(val->event != NULL);
+
+	validator_log(val, ISC_LOG_DEBUG(3), "in fetch_callback_ds");
+	LOCK(&val->lock);
+	fetch = val->fetch;
+	val->fetch = NULL;
+
+	if (CANCELED(val)) {
+		validator_done(val, ISC_R_CANCELED);
+		goto done;
+	}
+
+	switch (eresult) {
+	case DNS_R_NXDOMAIN:
+	case DNS_R_NCACHENXDOMAIN:
+		/*
+		 * These results only make sense if we're attempting
+		 * an insecurity proof, not when walking a chain of trust.
+		 */
+		if (trustchain) {
+			goto unexpected;
+		}
+
+		FALLTHROUGH;
+	case ISC_R_SUCCESS:
+		if (trustchain) {
+			/*
+			 * We looked for a DS record as part of
+			 * following a key chain upwards; resume following
+			 * the chain.
+			 */
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "dsset with trust %s",
+				      dns_trust_totext(rdataset->trust));
+			val->dsset = &val->frdataset;
+			result = validate_dnskey(val);
+			if (result != DNS_R_WAIT) {
+				validator_done(val, result);
+			}
+		} else {
+			/*
+			 * There is a DS which may or may not be a zone cut.
+			 * In either case we are still in a secure zone,
+			 * so keep looking for the break in the chain
+			 * of trust.
+			 */
+			result = proveunsecure(val, (eresult == ISC_R_SUCCESS),
+					       true);
+			if (result != DNS_R_WAIT) {
+				validator_done(val, result);
+			}
+		}
+		break;
+	case DNS_R_CNAME:
+	case DNS_R_NXRRSET:
+	case DNS_R_NCACHENXRRSET:
+	case DNS_R_SERVFAIL: /* RFC 1034 parent? */
+		if (trustchain) {
+			/*
+			 * Failed to find a DS while following the
+			 * chain of trust; now we need to prove insecurity.
+			 */
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "falling back to insecurity proof (%s)",
+				      dns_result_totext(eresult));
+			result = proveunsecure(val, false, false);
+			if (result != DNS_R_WAIT) {
+				validator_done(val, result);
+			}
+		} else if (eresult == DNS_R_SERVFAIL) {
+			goto unexpected;
+		} else if (eresult != DNS_R_CNAME &&
+			   isdelegation(dns_fixedname_name(&devent->foundname),
+					&val->frdataset, eresult))
+		{
+			/*
+			 * Failed to find a DS while trying to prove
+			 * insecurity. If this is a zone cut, that
+			 * means we're insecure.
+			 */
+			result = markanswer(val, "fetch_callback_ds",
+					    "no DS and this is a delegation");
+			validator_done(val, result);
+		} else {
+			/*
+			 * Not a zone cut, so we have to keep looking for
+			 * the break point in the chain of trust.
+			 */
+			result = proveunsecure(val, false, true);
+			if (result != DNS_R_WAIT) {
+				validator_done(val, result);
+			}
+		}
+		break;
+
+	default:
+	unexpected:
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "fetch_callback_ds: got %s",
+			      isc_result_totext(eresult));
+		if (eresult == ISC_R_CANCELED) {
+			validator_done(val, eresult);
+		} else {
+			validator_done(val, DNS_R_BROKENCHAIN);
+		}
+	}
+done:
+
+	isc_event_free(&event);
+	want_destroy = exit_check(val);
+	UNLOCK(&val->lock);
+
+	if (fetch != NULL) {
+		dns_resolver_destroyfetch(&fetch);
+	}
+
+	if (want_destroy) {
+		destroy(val);
+	}
+}
+
+/*%
+ * Callback from when a DNSKEY RRset has been validated.
+ *
+ * Resumes the stalled validation process.
+ */
+static void
+validator_callback_dnskey(isc_task_t *task, isc_event_t *event) {
+	dns_validatorevent_t *devent;
+	dns_validator_t *val;
+	bool want_destroy;
+	isc_result_t result;
+	isc_result_t eresult;
+	isc_result_t saved_result;
+
+	UNUSED(task);
+	INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
+
+	devent = (dns_validatorevent_t *)event;
+	val = devent->ev_arg;
+	eresult = devent->result;
+
+	isc_event_free(&event);
+	dns_validator_destroy(&val->subvalidator);
+
+	INSIST(val->event != NULL);
+
+	validator_log(val, ISC_LOG_DEBUG(3), "in validator_callback_dnskey");
+	LOCK(&val->lock);
+	if (CANCELED(val)) {
+		validator_done(val, ISC_R_CANCELED);
+	} else if (eresult == ISC_R_SUCCESS) {
+		validator_log(val, ISC_LOG_DEBUG(3), "keyset with trust %s",
+			      dns_trust_totext(val->frdataset.trust));
+		/*
+		 * Only extract the dst key if the keyset is secure.
+		 */
+		if (val->frdataset.trust >= dns_trust_secure) {
+			(void)select_signing_key(val, &val->frdataset);
+		}
+		result = validate_answer(val, true);
+		if (result == DNS_R_NOVALIDSIG &&
+		    (val->attributes & VALATTR_TRIEDVERIFY) == 0)
+		{
+			saved_result = result;
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "falling back to insecurity proof");
+			result = proveunsecure(val, false, false);
+			if (result == DNS_R_NOTINSECURE) {
+				result = saved_result;
+			}
+		}
+		if (result != DNS_R_WAIT) {
+			validator_done(val, result);
+		}
+	} else {
+		if (eresult != DNS_R_BROKENCHAIN) {
+			expire_rdatasets(val);
+		}
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "validator_callback_dnskey: got %s",
+			      isc_result_totext(eresult));
+		validator_done(val, DNS_R_BROKENCHAIN);
+	}
+
+	want_destroy = exit_check(val);
+	UNLOCK(&val->lock);
+	if (want_destroy) {
+		destroy(val);
+	}
+}
+
+/*%
+ * Callback when the DS record has been validated.
+ *
+ * Resumes validation of the zone key or the unsecure zone proof.
+ */
+static void
+validator_callback_ds(isc_task_t *task, isc_event_t *event) {
+	dns_validatorevent_t *devent;
+	dns_validator_t *val;
+	bool want_destroy;
+	isc_result_t result;
+	isc_result_t eresult;
+
+	UNUSED(task);
+	INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
+
+	devent = (dns_validatorevent_t *)event;
+	val = devent->ev_arg;
+	eresult = devent->result;
+
+	isc_event_free(&event);
+	dns_validator_destroy(&val->subvalidator);
+
+	INSIST(val->event != NULL);
+
+	validator_log(val, ISC_LOG_DEBUG(3), "in validator_callback_ds");
+	LOCK(&val->lock);
+	if (CANCELED(val)) {
+		validator_done(val, ISC_R_CANCELED);
+	} else if (eresult == ISC_R_SUCCESS) {
+		bool have_dsset;
+		dns_name_t *name;
+		validator_log(val, ISC_LOG_DEBUG(3), "%s with trust %s",
+			      val->frdataset.type == dns_rdatatype_ds ? "dsset"
+								      : "ds "
+									"non-"
+									"existe"
+									"nce",
+			      dns_trust_totext(val->frdataset.trust));
+		have_dsset = (val->frdataset.type == dns_rdatatype_ds);
+		name = dns_fixedname_name(&val->fname);
+		if ((val->attributes & VALATTR_INSECURITY) != 0 &&
+		    val->frdataset.covers == dns_rdatatype_ds &&
+		    NEGATIVE(&val->frdataset) &&
+		    isdelegation(name, &val->frdataset, DNS_R_NCACHENXRRSET))
+		{
+			result = markanswer(val, "validator_callback_ds",
+					    "no DS and this is a delegation");
+		} else if ((val->attributes & VALATTR_INSECURITY) != 0) {
+			result = proveunsecure(val, have_dsset, true);
+		} else {
+			result = validate_dnskey(val);
+		}
+		if (result != DNS_R_WAIT) {
+			validator_done(val, result);
+		}
+	} else {
+		if (eresult != DNS_R_BROKENCHAIN) {
+			expire_rdatasets(val);
+		}
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "validator_callback_ds: got %s",
+			      isc_result_totext(eresult));
+		validator_done(val, DNS_R_BROKENCHAIN);
+	}
+
+	want_destroy = exit_check(val);
+	UNLOCK(&val->lock);
+	if (want_destroy) {
+		destroy(val);
+	}
+}
+
+/*%
+ * Callback when the CNAME record has been validated.
+ *
+ * Resumes validation of the unsecure zone proof.
+ */
+static void
+validator_callback_cname(isc_task_t *task, isc_event_t *event) {
+	dns_validatorevent_t *devent;
+	dns_validator_t *val;
+	bool want_destroy;
+	isc_result_t result;
+	isc_result_t eresult;
+
+	UNUSED(task);
+	INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
+
+	devent = (dns_validatorevent_t *)event;
+	val = devent->ev_arg;
+	eresult = devent->result;
+
+	isc_event_free(&event);
+	dns_validator_destroy(&val->subvalidator);
+
+	INSIST(val->event != NULL);
+	INSIST((val->attributes & VALATTR_INSECURITY) != 0);
+
+	validator_log(val, ISC_LOG_DEBUG(3), "in validator_callback_cname");
+	LOCK(&val->lock);
+	if (CANCELED(val)) {
+		validator_done(val, ISC_R_CANCELED);
+	} else if (eresult == ISC_R_SUCCESS) {
+		validator_log(val, ISC_LOG_DEBUG(3), "cname with trust %s",
+			      dns_trust_totext(val->frdataset.trust));
+		result = proveunsecure(val, false, true);
+		if (result != DNS_R_WAIT) {
+			validator_done(val, result);
+		}
+	} else {
+		if (eresult != DNS_R_BROKENCHAIN) {
+			expire_rdatasets(val);
+		}
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "validator_callback_cname: got %s",
+			      isc_result_totext(eresult));
+		validator_done(val, DNS_R_BROKENCHAIN);
+	}
+
+	want_destroy = exit_check(val);
+	UNLOCK(&val->lock);
+	if (want_destroy) {
+		destroy(val);
+	}
+}
+
+/*%
+ * Callback for when NSEC records have been validated.
+ *
+ * Looks for NOQNAME, NODATA and OPTOUT proofs.
+ *
+ * Resumes the negative response validation by calling validate_nx().
+ */
+static void
+validator_callback_nsec(isc_task_t *task, isc_event_t *event) {
+	dns_validatorevent_t *devent;
+	dns_validator_t *val;
+	dns_rdataset_t *rdataset;
+	bool want_destroy;
+	isc_result_t result;
+	bool exists, data;
+
+	UNUSED(task);
+	INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
+
+	devent = (dns_validatorevent_t *)event;
+	rdataset = devent->rdataset;
+	val = devent->ev_arg;
+	result = devent->result;
+	dns_validator_destroy(&val->subvalidator);
+
+	INSIST(val->event != NULL);
+
+	validator_log(val, ISC_LOG_DEBUG(3), "in validator_callback_nsec");
+	LOCK(&val->lock);
+	if (CANCELED(val)) {
+		validator_done(val, ISC_R_CANCELED);
+	} else if (result != ISC_R_SUCCESS) {
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "validator_callback_nsec: got %s",
+			      isc_result_totext(result));
+		if (result == DNS_R_BROKENCHAIN) {
+			val->authfail++;
+		}
+		if (result == ISC_R_CANCELED) {
+			validator_done(val, result);
+		} else {
+			result = validate_nx(val, true);
+			if (result != DNS_R_WAIT) {
+				validator_done(val, result);
+			}
+		}
+	} else {
+		dns_name_t **proofs = val->event->proofs;
+		dns_name_t *wild = dns_fixedname_name(&val->wild);
+
+		if (rdataset->type == dns_rdatatype_nsec &&
+		    rdataset->trust == dns_trust_secure &&
+		    (NEEDNODATA(val) || NEEDNOQNAME(val)) &&
+		    !FOUNDNODATA(val) && !FOUNDNOQNAME(val) &&
+		    dns_nsec_noexistnodata(val->event->type, val->event->name,
+					   devent->name, rdataset, &exists,
+					   &data, wild, validator_log,
+					   val) == ISC_R_SUCCESS)
+		{
+			if (exists && !data) {
+				val->attributes |= VALATTR_FOUNDNODATA;
+				if (NEEDNODATA(val)) {
+					proofs[DNS_VALIDATOR_NODATAPROOF] =
+						devent->name;
+				}
+			}
+			if (!exists) {
+				dns_name_t *closest;
+				unsigned int clabels;
+
+				val->attributes |= VALATTR_FOUNDNOQNAME;
+
+				closest = dns_fixedname_name(&val->closest);
+				clabels = dns_name_countlabels(closest);
+				/*
+				 * If we are validating a wildcard response
+				 * clabels will not be zero.  We then need
+				 * to check if the generated wildcard from
+				 * dns_nsec_noexistnodata is consistent with
+				 * the wildcard used to generate the response.
+				 */
+				if (clabels == 0 ||
+				    dns_name_countlabels(wild) == clabels + 1)
+				{
+					val->attributes |= VALATTR_FOUNDCLOSEST;
+				}
+				/*
+				 * The NSEC noqname proof also contains
+				 * the closest encloser.
+				 */
+				if (NEEDNOQNAME(val)) {
+					proofs[DNS_VALIDATOR_NOQNAMEPROOF] =
+						devent->name;
+				}
+			}
+		}
+
+		result = validate_nx(val, true);
+		if (result != DNS_R_WAIT) {
+			validator_done(val, result);
+		}
+	}
+
+	want_destroy = exit_check(val);
+	UNLOCK(&val->lock);
+	if (want_destroy) {
+		destroy(val);
+	}
+
+	/*
+	 * Free stuff from the event.
+	 */
+	isc_event_free(&event);
+}
+
+/*%
+ * Looks for the requested name and type in the view (zones and cache).
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS
+ * \li	ISC_R_NOTFOUND
+ * \li	DNS_R_NCACHENXDOMAIN
+ * \li	DNS_R_NCACHENXRRSET
+ * \li	DNS_R_NXRRSET
+ * \li	DNS_R_NXDOMAIN
+ * \li	DNS_R_BROKENCHAIN
+ */
+static isc_result_t
+view_find(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) {
+	dns_fixedname_t fixedname;
+	dns_name_t *foundname;
+	isc_result_t result;
+	unsigned int options;
+	isc_time_t now;
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char typebuf[DNS_RDATATYPE_FORMATSIZE];
+
+	disassociate_rdatasets(val);
+
+	if (isc_time_now(&now) == ISC_R_SUCCESS &&
+	    dns_resolver_getbadcache(val->view->resolver, name, type, &now))
+	{
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		dns_rdatatype_format(type, typebuf, sizeof(typebuf));
+		validator_log(val, ISC_LOG_INFO, "bad cache hit (%s/%s)",
+			      namebuf, typebuf);
+		return (DNS_R_BROKENCHAIN);
+	}
+
+	options = DNS_DBFIND_PENDINGOK;
+	foundname = dns_fixedname_initname(&fixedname);
+	result = dns_view_find(val->view, name, type, 0, options, false, false,
+			       NULL, NULL, foundname, &val->frdataset,
+			       &val->fsigrdataset);
+
+	if (result == DNS_R_NXDOMAIN) {
+		goto notfound;
+	} else if (result != ISC_R_SUCCESS && result != DNS_R_NCACHENXDOMAIN &&
+		   result != DNS_R_NCACHENXRRSET && result != DNS_R_EMPTYNAME &&
+		   result != DNS_R_NXRRSET && result != ISC_R_NOTFOUND)
+	{
+		result = ISC_R_NOTFOUND;
+		goto notfound;
+	}
+
+	return (result);
+
+notfound:
+	disassociate_rdatasets(val);
+
+	return (result);
+}
+
+/*%
+ * Checks to make sure we are not going to loop.  As we use a SHARED fetch
+ * the validation process will stall if looping was to occur.
+ */
+static bool
+check_deadlock(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
+	       dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) {
+	dns_validator_t *parent;
+
+	for (parent = val; parent != NULL; parent = parent->parent) {
+		if (parent->event != NULL && parent->event->type == type &&
+		    dns_name_equal(parent->event->name, name) &&
+		    /*
+		     * As NSEC3 records are meta data you sometimes
+		     * need to prove a NSEC3 record which says that
+		     * itself doesn't exist.
+		     */
+		    (parent->event->type != dns_rdatatype_nsec3 ||
+		     rdataset == NULL || sigrdataset == NULL ||
+		     parent->event->message == NULL ||
+		     parent->event->rdataset != NULL ||
+		     parent->event->sigrdataset != NULL))
+		{
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "continuing validation would lead to "
+				      "deadlock: aborting validation");
+			return (true);
+		}
+	}
+	return (false);
+}
+
+/*%
+ * Start a fetch for the requested name and type.
+ */
+static isc_result_t
+create_fetch(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
+	     isc_taskaction_t callback, const char *caller) {
+	unsigned int fopts = 0;
+
+	disassociate_rdatasets(val);
+
+	if (check_deadlock(val, name, type, NULL, NULL)) {
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "deadlock found (create_fetch)");
+		return (DNS_R_NOVALIDSIG);
+	}
+
+	if ((val->options & DNS_VALIDATOR_NOCDFLAG) != 0) {
+		fopts |= DNS_FETCHOPT_NOCDFLAG;
+	}
+
+	if ((val->options & DNS_VALIDATOR_NONTA) != 0) {
+		fopts |= DNS_FETCHOPT_NONTA;
+	}
+
+	validator_logcreate(val, name, type, caller, "fetch");
+	return (dns_resolver_createfetch(
+		val->view->resolver, name, type, NULL, NULL, NULL, NULL, 0,
+		fopts, 0, NULL, val->event->ev_sender, callback, val,
+		&val->frdataset, &val->fsigrdataset, &val->fetch));
+}
+
+/*%
+ * Start a subvalidation process.
+ */
+static isc_result_t
+create_validator(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
+		 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
+		 isc_taskaction_t action, const char *caller) {
+	isc_result_t result;
+	unsigned int vopts = 0;
+	dns_rdataset_t *sig = NULL;
+
+	if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset)) {
+		sig = sigrdataset;
+	}
+
+	if (check_deadlock(val, name, type, rdataset, sig)) {
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "deadlock found (create_validator)");
+		return (DNS_R_NOVALIDSIG);
+	}
+
+	/* OK to clear other options, but preserve NOCDFLAG and NONTA. */
+	vopts |= (val->options &
+		  (DNS_VALIDATOR_NOCDFLAG | DNS_VALIDATOR_NONTA));
+
+	validator_logcreate(val, name, type, caller, "validator");
+	result = dns_validator_create(val->view, name, type, rdataset, sig,
+				      NULL, vopts, val->task, action, val,
+				      &val->subvalidator);
+	if (result == ISC_R_SUCCESS) {
+		val->subvalidator->parent = val;
+		val->subvalidator->depth = val->depth + 1;
+	}
+	return (result);
+}
+
+/*%
+ * Try to find a key that could have signed val->siginfo among those in
+ * 'rdataset'.  If found, build a dst_key_t for it and point val->key at
+ * it.
+ *
+ * If val->key is already non-NULL, locate it in the rdataset and then
+ * search past it for the *next* key that could have signed 'siginfo', then
+ * set val->key to that.
+ *
+ * Returns ISC_R_SUCCESS if a possible matching key has been found,
+ * ISC_R_NOTFOUND if not. Any other value indicates error.
+ */
+static isc_result_t
+select_signing_key(dns_validator_t *val, dns_rdataset_t *rdataset) {
+	isc_result_t result;
+	dns_rdata_rrsig_t *siginfo = val->siginfo;
+	isc_buffer_t b;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dst_key_t *oldkey = val->key;
+	bool foundold;
+
+	if (oldkey == NULL) {
+		foundold = true;
+	} else {
+		foundold = false;
+		val->key = NULL;
+	}
+
+	result = dns_rdataset_first(rdataset);
+	if (result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+	do {
+		dns_rdataset_current(rdataset, &rdata);
+
+		isc_buffer_init(&b, rdata.data, rdata.length);
+		isc_buffer_add(&b, rdata.length);
+		INSIST(val->key == NULL);
+		result = dst_key_fromdns(&siginfo->signer, rdata.rdclass, &b,
+					 val->view->mctx, &val->key);
+		if (result == ISC_R_SUCCESS) {
+			if (siginfo->algorithm ==
+				    (dns_secalg_t)dst_key_alg(val->key) &&
+			    siginfo->keyid ==
+				    (dns_keytag_t)dst_key_id(val->key) &&
+			    dst_key_iszonekey(val->key))
+			{
+				if (foundold) {
+					/*
+					 * This is the key we're looking for.
+					 */
+					return (ISC_R_SUCCESS);
+				} else if (dst_key_compare(oldkey, val->key)) {
+					foundold = true;
+					dst_key_free(&oldkey);
+				}
+			}
+			dst_key_free(&val->key);
+		}
+		dns_rdata_reset(&rdata);
+		result = dns_rdataset_next(rdataset);
+	} while (result == ISC_R_SUCCESS);
+
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_NOTFOUND;
+	}
+
+failure:
+	if (oldkey != NULL) {
+		dst_key_free(&oldkey);
+	}
+
+	return (result);
+}
+
+/*%
+ * Get the key that generated the signature in val->siginfo.
+ */
+static isc_result_t
+seek_dnskey(dns_validator_t *val) {
+	isc_result_t result;
+	dns_rdata_rrsig_t *siginfo = val->siginfo;
+	unsigned int nlabels;
+	int order;
+	dns_namereln_t namereln;
+
+	/*
+	 * Is the signer name appropriate for this signature?
+	 *
+	 * The signer name must be at the same level as the owner name
+	 * or closer to the DNS root.
+	 */
+	namereln = dns_name_fullcompare(val->event->name, &siginfo->signer,
+					&order, &nlabels);
+	if (namereln != dns_namereln_subdomain &&
+	    namereln != dns_namereln_equal)
+	{
+		return (DNS_R_CONTINUE);
+	}
+
+	if (namereln == dns_namereln_equal) {
+		/*
+		 * If this is a self-signed keyset, it must not be a zone key
+		 * (since seek_dnskey is not called from validate_dnskey).
+		 */
+		if (val->event->rdataset->type == dns_rdatatype_dnskey) {
+			return (DNS_R_CONTINUE);
+		}
+
+		/*
+		 * Records appearing in the parent zone at delegation
+		 * points cannot be self-signed.
+		 */
+		if (dns_rdatatype_atparent(val->event->rdataset->type)) {
+			return (DNS_R_CONTINUE);
+		}
+	} else {
+		/*
+		 * SOA and NS RRsets can only be signed by a key with
+		 * the same name.
+		 */
+		if (val->event->rdataset->type == dns_rdatatype_soa ||
+		    val->event->rdataset->type == dns_rdatatype_ns)
+		{
+			const char *type;
+
+			if (val->event->rdataset->type == dns_rdatatype_soa) {
+				type = "SOA";
+			} else {
+				type = "NS";
+			}
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "%s signer mismatch", type);
+			return (DNS_R_CONTINUE);
+		}
+	}
+
+	/*
+	 * Do we know about this key?
+	 */
+	result = view_find(val, &siginfo->signer, dns_rdatatype_dnskey);
+	switch (result) {
+	case ISC_R_SUCCESS:
+		/*
+		 * We have an rrset for the given keyname.
+		 */
+		val->keyset = &val->frdataset;
+		if ((DNS_TRUST_PENDING(val->frdataset.trust) ||
+		     DNS_TRUST_ANSWER(val->frdataset.trust)) &&
+		    dns_rdataset_isassociated(&val->fsigrdataset))
+		{
+			/*
+			 * We know the key but haven't validated it yet or
+			 * we have a key of trust answer but a DS
+			 * record for the zone may have been added.
+			 */
+			result = create_validator(
+				val, &siginfo->signer, dns_rdatatype_dnskey,
+				&val->frdataset, &val->fsigrdataset,
+				validator_callback_dnskey, "seek_dnskey");
+			if (result != ISC_R_SUCCESS) {
+				return (result);
+			}
+			return (DNS_R_WAIT);
+		} else if (DNS_TRUST_PENDING(val->frdataset.trust)) {
+			/*
+			 * Having a pending key with no signature means that
+			 * something is broken.
+			 */
+			result = DNS_R_CONTINUE;
+		} else if (val->frdataset.trust < dns_trust_secure) {
+			/*
+			 * The key is legitimately insecure.  There's no
+			 * point in even attempting verification.
+			 */
+			val->key = NULL;
+			result = ISC_R_SUCCESS;
+		} else {
+			/*
+			 * See if we've got the key used in the signature.
+			 */
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "keyset with trust %s",
+				      dns_trust_totext(val->frdataset.trust));
+			result = select_signing_key(val, val->keyset);
+			if (result != ISC_R_SUCCESS) {
+				/*
+				 * Either the key we're looking for is not
+				 * in the rrset, or something bad happened.
+				 * Give up.
+				 */
+				result = DNS_R_CONTINUE;
+			}
+		}
+		break;
+
+	case ISC_R_NOTFOUND:
+		/*
+		 * We don't know anything about this key.
+		 */
+		result = create_fetch(val, &siginfo->signer,
+				      dns_rdatatype_dnskey,
+				      fetch_callback_dnskey, "seek_dnskey");
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		return (DNS_R_WAIT);
+
+	case DNS_R_NCACHENXDOMAIN:
+	case DNS_R_NCACHENXRRSET:
+	case DNS_R_EMPTYNAME:
+	case DNS_R_NXDOMAIN:
+	case DNS_R_NXRRSET:
+		/*
+		 * This key doesn't exist.
+		 */
+		result = DNS_R_CONTINUE;
+		break;
+
+	case DNS_R_BROKENCHAIN:
+		return (result);
+
+	default:
+		break;
+	}
+
+	if (dns_rdataset_isassociated(&val->frdataset) &&
+	    val->keyset != &val->frdataset)
+	{
+		dns_rdataset_disassociate(&val->frdataset);
+	}
+	if (dns_rdataset_isassociated(&val->fsigrdataset)) {
+		dns_rdataset_disassociate(&val->fsigrdataset);
+	}
+
+	return (result);
+}
+
+/*
+ * Compute the tag for a key represented in a DNSKEY rdata.
+ */
+static dns_keytag_t
+compute_keytag(dns_rdata_t *rdata) {
+	isc_region_t r;
+
+	dns_rdata_toregion(rdata, &r);
+	return (dst_region_computeid(&r));
+}
+
+/*%
+ * Is the DNSKEY rrset in val->event->rdataset self-signed?
+ */
+static bool
+selfsigned_dnskey(dns_validator_t *val) {
+	dns_rdataset_t *rdataset = val->event->rdataset;
+	dns_rdataset_t *sigrdataset = val->event->sigrdataset;
+	dns_name_t *name = val->event->name;
+	isc_result_t result;
+	isc_mem_t *mctx = val->view->mctx;
+	bool answer = false;
+
+	if (rdataset->type != dns_rdatatype_dnskey) {
+		return (false);
+	}
+
+	for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(rdataset))
+	{
+		dns_rdata_t keyrdata = DNS_RDATA_INIT;
+		dns_rdata_t sigrdata = DNS_RDATA_INIT;
+		dns_rdata_dnskey_t key;
+		dns_rdata_rrsig_t sig;
+		dns_keytag_t keytag;
+
+		dns_rdata_reset(&keyrdata);
+		dns_rdataset_current(rdataset, &keyrdata);
+		result = dns_rdata_tostruct(&keyrdata, &key, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		keytag = compute_keytag(&keyrdata);
+
+		for (result = dns_rdataset_first(sigrdataset);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(sigrdataset))
+		{
+			dst_key_t *dstkey = NULL;
+
+			dns_rdata_reset(&sigrdata);
+			dns_rdataset_current(sigrdataset, &sigrdata);
+			result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+			if (sig.algorithm != key.algorithm ||
+			    sig.keyid != keytag ||
+			    !dns_name_equal(name, &sig.signer))
+			{
+				continue;
+			}
+
+			/*
+			 * If the REVOKE bit is not set we have a
+			 * theoretically self signed DNSKEY RRset.
+			 * This will be verified later.
+			 */
+			if ((key.flags & DNS_KEYFLAG_REVOKE) == 0) {
+				answer = true;
+				continue;
+			}
+
+			result = dns_dnssec_keyfromrdata(name, &keyrdata, mctx,
+							 &dstkey);
+			if (result != ISC_R_SUCCESS) {
+				continue;
+			}
+
+			/*
+			 * If this RRset is pending and it is trusted,
+			 * see if it was self signed by this DNSKEY.
+			 */
+			if (DNS_TRUST_PENDING(rdataset->trust) &&
+			    dns_view_istrusted(val->view, name, &key))
+			{
+				result = dns_dnssec_verify(
+					name, rdataset, dstkey, true,
+					val->view->maxbits, mctx, &sigrdata,
+					NULL);
+				if (result == ISC_R_SUCCESS) {
+					/*
+					 * The key with the REVOKE flag has
+					 * self signed the RRset so it is no
+					 * good.
+					 */
+					dns_view_untrust(val->view, name, &key);
+				}
+			} else if (rdataset->trust >= dns_trust_secure) {
+				/*
+				 * We trust this RRset so if the key is
+				 * marked revoked remove it.
+				 */
+				dns_view_untrust(val->view, name, &key);
+			}
+
+			dst_key_free(&dstkey);
+		}
+	}
+
+	return (answer);
+}
+
+/*%
+ * Attempt to verify the rdataset using the given key and rdata (RRSIG).
+ * The signature was good and from a wildcard record and the QNAME does
+ * not match the wildcard we need to look for a NOQNAME proof.
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS if the verification succeeds.
+ * \li	Others if the verification fails.
+ */
+static isc_result_t
+verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata,
+       uint16_t keyid) {
+	isc_result_t result;
+	dns_fixedname_t fixed;
+	bool ignore = false;
+	dns_name_t *wild;
+
+	val->attributes |= VALATTR_TRIEDVERIFY;
+	wild = dns_fixedname_initname(&fixed);
+again:
+	result = dns_dnssec_verify(val->event->name, val->event->rdataset, key,
+				   ignore, val->view->maxbits, val->view->mctx,
+				   rdata, wild);
+	if ((result == DNS_R_SIGEXPIRED || result == DNS_R_SIGFUTURE) &&
+	    val->view->acceptexpired)
+	{
+		ignore = true;
+		goto again;
+	}
+
+	if (ignore && (result == ISC_R_SUCCESS || result == DNS_R_FROMWILDCARD))
+	{
+		validator_log(val, ISC_LOG_INFO,
+			      "accepted expired %sRRSIG (keyid=%u)",
+			      (result == DNS_R_FROMWILDCARD) ? "wildcard " : "",
+			      keyid);
+	} else if (result == DNS_R_SIGEXPIRED || result == DNS_R_SIGFUTURE) {
+		validator_log(val, ISC_LOG_INFO,
+			      "verify failed due to bad signature (keyid=%u): "
+			      "%s",
+			      keyid, isc_result_totext(result));
+	} else {
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "verify rdataset (keyid=%u): %s", keyid,
+			      isc_result_totext(result));
+	}
+	if (result == DNS_R_FROMWILDCARD) {
+		if (!dns_name_equal(val->event->name, wild)) {
+			dns_name_t *closest;
+			unsigned int labels;
+
+			/*
+			 * Compute the closest encloser in case we need it
+			 * for the NSEC3 NOQNAME proof.
+			 */
+			closest = dns_fixedname_name(&val->closest);
+			dns_name_copynf(wild, closest);
+			labels = dns_name_countlabels(closest) - 1;
+			dns_name_getlabelsequence(closest, 1, labels, closest);
+			val->attributes |= VALATTR_NEEDNOQNAME;
+		}
+		result = ISC_R_SUCCESS;
+	}
+	return (result);
+}
+
+/*%
+ * Attempts positive response validation of a normal RRset.
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS	Validation completed successfully
+ * \li	DNS_R_WAIT	Validation has started but is waiting
+ *			for an event.
+ * \li	Other return codes are possible and all indicate failure.
+ */
+static isc_result_t
+validate_answer(dns_validator_t *val, bool resume) {
+	isc_result_t result, vresult = DNS_R_NOVALIDSIG;
+	dns_validatorevent_t *event;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+
+	/*
+	 * Caller must be holding the validator lock.
+	 */
+
+	event = val->event;
+
+	if (resume) {
+		/*
+		 * We already have a sigrdataset.
+		 */
+		result = ISC_R_SUCCESS;
+		validator_log(val, ISC_LOG_DEBUG(3), "resuming validate");
+	} else {
+		result = dns_rdataset_first(event->sigrdataset);
+	}
+
+	for (; result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(event->sigrdataset))
+	{
+		dns_rdata_reset(&rdata);
+		dns_rdataset_current(event->sigrdataset, &rdata);
+		if (val->siginfo == NULL) {
+			val->siginfo = isc_mem_get(val->view->mctx,
+						   sizeof(*val->siginfo));
+		}
+		result = dns_rdata_tostruct(&rdata, val->siginfo, NULL);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+
+		/*
+		 * At this point we could check that the signature algorithm
+		 * was known and "sufficiently good".
+		 */
+		if (!dns_resolver_algorithm_supported(val->view->resolver,
+						      event->name,
+						      val->siginfo->algorithm))
+		{
+			resume = false;
+			continue;
+		}
+
+		if (!resume) {
+			result = seek_dnskey(val);
+			if (result == DNS_R_CONTINUE) {
+				continue; /* Try the next SIG RR. */
+			}
+			if (result != ISC_R_SUCCESS) {
+				return (result);
+			}
+		}
+
+		/*
+		 * There isn't a secure DNSKEY for this signature so move
+		 * onto the next RRSIG.
+		 */
+		if (val->key == NULL) {
+			resume = false;
+			continue;
+		}
+
+		do {
+			isc_result_t tresult;
+			vresult = verify(val, val->key, &rdata,
+					 val->siginfo->keyid);
+			if (vresult == ISC_R_SUCCESS) {
+				break;
+			}
+
+			tresult = select_signing_key(val, val->keyset);
+			if (tresult != ISC_R_SUCCESS) {
+				break;
+			}
+		} while (1);
+		if (vresult != ISC_R_SUCCESS) {
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "failed to verify rdataset");
+		} else {
+			dns_rdataset_trimttl(event->rdataset,
+					     event->sigrdataset, val->siginfo,
+					     val->start,
+					     val->view->acceptexpired);
+		}
+
+		if (val->key != NULL) {
+			dst_key_free(&val->key);
+		}
+		if (val->keyset != NULL) {
+			dns_rdataset_disassociate(val->keyset);
+			val->keyset = NULL;
+		}
+		val->key = NULL;
+		if (NEEDNOQNAME(val)) {
+			if (val->event->message == NULL) {
+				validator_log(val, ISC_LOG_DEBUG(3),
+					      "no message available "
+					      "for noqname proof");
+				return (DNS_R_NOVALIDSIG);
+			}
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "looking for noqname proof");
+			return (validate_nx(val, false));
+		} else if (vresult == ISC_R_SUCCESS) {
+			marksecure(event);
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "marking as secure, "
+				      "noqname proof not needed");
+			return (ISC_R_SUCCESS);
+		} else {
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "verify failure: %s",
+				      isc_result_totext(result));
+			resume = false;
+		}
+	}
+	if (result != ISC_R_NOMORE) {
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "failed to iterate signatures: %s",
+			      isc_result_totext(result));
+		return (result);
+	}
+
+	validator_log(val, ISC_LOG_INFO, "no valid signature found");
+	return (vresult);
+}
+
+/*%
+ * Check whether this DNSKEY (keyrdata) signed the DNSKEY RRset
+ * (val->event->rdataset).
+ */
+static isc_result_t
+check_signer(dns_validator_t *val, dns_rdata_t *keyrdata, uint16_t keyid,
+	     dns_secalg_t algorithm) {
+	dns_rdata_rrsig_t sig;
+	dst_key_t *dstkey = NULL;
+	isc_result_t result;
+
+	for (result = dns_rdataset_first(val->event->sigrdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(val->event->sigrdataset))
+	{
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(val->event->sigrdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &sig, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		if (keyid != sig.keyid || algorithm != sig.algorithm) {
+			continue;
+		}
+		if (dstkey == NULL) {
+			result = dns_dnssec_keyfromrdata(
+				val->event->name, keyrdata, val->view->mctx,
+				&dstkey);
+			if (result != ISC_R_SUCCESS) {
+				/*
+				 * This really shouldn't happen, but...
+				 */
+				continue;
+			}
+		}
+		result = verify(val, dstkey, &rdata, sig.keyid);
+		if (result == ISC_R_SUCCESS) {
+			break;
+		}
+	}
+
+	if (dstkey != NULL) {
+		dst_key_free(&dstkey);
+	}
+
+	return (result);
+}
+
+/*
+ * get_dsset() is called to look up a DS RRset corresponding to the name
+ * of a DNSKEY record, either in the cache or, if necessary, by starting a
+ * fetch. This is done in the context of validating a zone key to build a
+ * trust chain.
+ *
+ * Returns:
+ * \li	ISC_R_COMPLETE		a DS has not been found; the caller should
+ *				stop trying to validate the zone key and
+ *				return the result code in '*resp'.
+ * \li	DNS_R_CONTINUE		a DS has been found and the caller may
+ * 				continue the zone key validation.
+ */
+static isc_result_t
+get_dsset(dns_validator_t *val, dns_name_t *tname, isc_result_t *resp) {
+	isc_result_t result;
+
+	result = view_find(val, tname, dns_rdatatype_ds);
+	switch (result) {
+	case ISC_R_SUCCESS:
+		/*
+		 * We have a DS RRset.
+		 */
+		val->dsset = &val->frdataset;
+		if ((DNS_TRUST_PENDING(val->frdataset.trust) ||
+		     DNS_TRUST_ANSWER(val->frdataset.trust)) &&
+		    dns_rdataset_isassociated(&val->fsigrdataset))
+		{
+			/*
+			 * ... which is signed but not yet validated.
+			 */
+			result = create_validator(
+				val, tname, dns_rdatatype_ds, &val->frdataset,
+				&val->fsigrdataset, validator_callback_ds,
+				"validate_dnskey");
+			*resp = DNS_R_WAIT;
+			if (result != ISC_R_SUCCESS) {
+				*resp = result;
+			}
+			return (ISC_R_COMPLETE);
+		} else if (DNS_TRUST_PENDING(val->frdataset.trust)) {
+			/*
+			 * There should never be an unsigned DS.
+			 */
+			disassociate_rdatasets(val);
+			validator_log(val, ISC_LOG_DEBUG(2),
+				      "unsigned DS record");
+			*resp = DNS_R_NOVALIDSIG;
+			return (ISC_R_COMPLETE);
+		}
+		break;
+
+	case ISC_R_NOTFOUND:
+		/*
+		 * We don't have the DS.  Find it.
+		 */
+		result = create_fetch(val, tname, dns_rdatatype_ds,
+				      fetch_callback_ds, "validate_dnskey");
+		*resp = DNS_R_WAIT;
+		if (result != ISC_R_SUCCESS) {
+			*resp = result;
+		}
+		return (ISC_R_COMPLETE);
+
+	case DNS_R_NCACHENXDOMAIN:
+	case DNS_R_NCACHENXRRSET:
+	case DNS_R_EMPTYNAME:
+	case DNS_R_NXDOMAIN:
+	case DNS_R_NXRRSET:
+	case DNS_R_CNAME:
+		/*
+		 * The DS does not exist.
+		 */
+		disassociate_rdatasets(val);
+		validator_log(val, ISC_LOG_DEBUG(2), "no DS record");
+		*resp = DNS_R_NOVALIDSIG;
+		return (ISC_R_COMPLETE);
+
+	case DNS_R_BROKENCHAIN:
+		*resp = result;
+		return (ISC_R_COMPLETE);
+
+	default:
+		break;
+	}
+
+	return (DNS_R_CONTINUE);
+}
+
+/*%
+ * Attempts positive response validation of an RRset containing zone keys
+ * (i.e. a DNSKEY rrset).
+ *
+ * Caller must be holding the validator lock.
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS	Validation completed successfully
+ * \li	DNS_R_WAIT	Validation has started but is waiting
+ *			for an event.
+ * \li	Other return codes are possible and all indicate failure.
+ */
+static isc_result_t
+validate_dnskey(dns_validator_t *val) {
+	isc_result_t result;
+	dns_rdata_t dsrdata = DNS_RDATA_INIT;
+	dns_rdata_t keyrdata = DNS_RDATA_INIT;
+	dns_keynode_t *keynode = NULL;
+	dns_rdata_ds_t ds;
+	bool supported_algorithm;
+	char digest_types[256];
+
+	/*
+	 * If we don't already have a DS RRset, check to see if there's
+	 * a DS style trust anchor configured for this key.
+	 */
+	if (val->dsset == NULL) {
+		result = dns_keytable_find(val->keytable, val->event->name,
+					   &keynode);
+		if (result == ISC_R_SUCCESS) {
+			if (dns_keynode_dsset(keynode, &val->fdsset)) {
+				val->dsset = &val->fdsset;
+			}
+			dns_keytable_detachkeynode(val->keytable, &keynode);
+		}
+	}
+
+	/*
+	 * No trust anchor for this name, so we look up the DS at the parent.
+	 */
+	if (val->dsset == NULL) {
+		isc_result_t tresult = ISC_R_SUCCESS;
+
+		/*
+		 * If this is the root name and there was no trust anchor,
+		 * we can give up now, since there's no DS at the root.
+		 */
+		if (dns_name_equal(val->event->name, dns_rootname)) {
+			if ((val->attributes & VALATTR_TRIEDVERIFY) != 0) {
+				validator_log(val, ISC_LOG_DEBUG(3),
+					      "root key failed to validate");
+			} else {
+				validator_log(val, ISC_LOG_DEBUG(3),
+					      "no trusted root key");
+			}
+			result = DNS_R_NOVALIDSIG;
+			goto cleanup;
+		}
+
+		/*
+		 * Look up the DS RRset for this name.
+		 */
+		result = get_dsset(val, val->event->name, &tresult);
+		if (result == ISC_R_COMPLETE) {
+			result = tresult;
+			goto cleanup;
+		}
+	}
+
+	/*
+	 * We have a DS set.
+	 */
+	INSIST(val->dsset != NULL);
+
+	if (val->dsset->trust < dns_trust_secure) {
+		result = markanswer(val, "validate_dnskey (2)", "insecure DS");
+		goto cleanup;
+	}
+
+	/*
+	 * Look through the DS record and find the keys that can sign the
+	 * key set and the matching signature.  For each such key, attempt
+	 * verification.
+	 */
+
+	supported_algorithm = false;
+
+	/*
+	 * If DNS_DSDIGEST_SHA256 or DNS_DSDIGEST_SHA384 is present we
+	 * are required to prefer it over DNS_DSDIGEST_SHA1.  This in
+	 * practice means that we need to ignore DNS_DSDIGEST_SHA1 if a
+	 * DNS_DSDIGEST_SHA256 or DNS_DSDIGEST_SHA384 is present.
+	 */
+	memset(digest_types, 1, sizeof(digest_types));
+	for (result = dns_rdataset_first(val->dsset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(val->dsset))
+	{
+		dns_rdata_reset(&dsrdata);
+		dns_rdataset_current(val->dsset, &dsrdata);
+		result = dns_rdata_tostruct(&dsrdata, &ds, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		if (!dns_resolver_ds_digest_supported(val->view->resolver,
+						      val->event->name,
+						      ds.digest_type))
+		{
+			continue;
+		}
+
+		if (!dns_resolver_algorithm_supported(val->view->resolver,
+						      val->event->name,
+						      ds.algorithm))
+		{
+			continue;
+		}
+
+		if ((ds.digest_type == DNS_DSDIGEST_SHA256 &&
+		     ds.length == ISC_SHA256_DIGESTLENGTH) ||
+		    (ds.digest_type == DNS_DSDIGEST_SHA384 &&
+		     ds.length == ISC_SHA384_DIGESTLENGTH))
+		{
+			digest_types[DNS_DSDIGEST_SHA1] = 0;
+			break;
+		}
+	}
+
+	for (result = dns_rdataset_first(val->dsset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(val->dsset))
+	{
+		dns_rdata_reset(&dsrdata);
+		dns_rdataset_current(val->dsset, &dsrdata);
+		result = dns_rdata_tostruct(&dsrdata, &ds, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		if (digest_types[ds.digest_type] == 0) {
+			continue;
+		}
+
+		if (!dns_resolver_ds_digest_supported(val->view->resolver,
+						      val->event->name,
+						      ds.digest_type))
+		{
+			continue;
+		}
+
+		if (!dns_resolver_algorithm_supported(val->view->resolver,
+						      val->event->name,
+						      ds.algorithm))
+		{
+			continue;
+		}
+
+		supported_algorithm = true;
+
+		/*
+		 * Find the DNSKEY matching the DS...
+		 */
+		result = dns_dnssec_matchdskey(val->event->name, &dsrdata,
+					       val->event->rdataset, &keyrdata);
+		if (result != ISC_R_SUCCESS) {
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "no DNSKEY matching DS");
+			continue;
+		}
+
+		/*
+		 * ... and check that it signed the DNSKEY RRset.
+		 */
+		result = check_signer(val, &keyrdata, ds.key_tag, ds.algorithm);
+		if (result == ISC_R_SUCCESS) {
+			break;
+		}
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "no RRSIG matching DS key");
+	}
+
+	if (result == ISC_R_SUCCESS) {
+		marksecure(val->event);
+		validator_log(val, ISC_LOG_DEBUG(3), "marking as secure (DS)");
+	} else if (result == ISC_R_NOMORE && !supported_algorithm) {
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "no supported algorithm/digest (DS)");
+		result = markanswer(val, "validate_dnskey (3)",
+				    "no supported algorithm/digest (DS)");
+	} else {
+		validator_log(val, ISC_LOG_INFO,
+			      "no valid signature found (DS)");
+		result = DNS_R_NOVALIDSIG;
+	}
+
+cleanup:
+	if (val->dsset == &val->fdsset) {
+		val->dsset = NULL;
+		dns_rdataset_disassociate(&val->fdsset);
+	}
+
+	return (result);
+}
+
+/*%
+ * val_rdataset_first and val_rdataset_next provide iteration methods
+ * that hide whether we are iterating across the AUTHORITY section of
+ * a message, or a negative cache rdataset.
+ */
+static isc_result_t
+val_rdataset_first(dns_validator_t *val, dns_name_t **namep,
+		   dns_rdataset_t **rdatasetp) {
+	dns_message_t *message = val->event->message;
+	isc_result_t result;
+
+	REQUIRE(rdatasetp != NULL);
+	REQUIRE(namep != NULL);
+	if (message == NULL) {
+		REQUIRE(*rdatasetp != NULL);
+		REQUIRE(*namep != NULL);
+	} else {
+		REQUIRE(*rdatasetp == NULL);
+		REQUIRE(*namep == NULL);
+	}
+
+	if (message != NULL) {
+		result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		dns_message_currentname(message, DNS_SECTION_AUTHORITY, namep);
+		*rdatasetp = ISC_LIST_HEAD((*namep)->list);
+		INSIST(*rdatasetp != NULL);
+	} else {
+		result = dns_rdataset_first(val->event->rdataset);
+		if (result == ISC_R_SUCCESS) {
+			dns_ncache_current(val->event->rdataset, *namep,
+					   *rdatasetp);
+		}
+	}
+	return (result);
+}
+
+static isc_result_t
+val_rdataset_next(dns_validator_t *val, dns_name_t **namep,
+		  dns_rdataset_t **rdatasetp) {
+	dns_message_t *message = val->event->message;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(rdatasetp != NULL && *rdatasetp != NULL);
+	REQUIRE(namep != NULL && *namep != NULL);
+
+	if (message != NULL) {
+		dns_rdataset_t *rdataset = *rdatasetp;
+		rdataset = ISC_LIST_NEXT(rdataset, link);
+		if (rdataset == NULL) {
+			*namep = NULL;
+			result = dns_message_nextname(message,
+						      DNS_SECTION_AUTHORITY);
+			if (result == ISC_R_SUCCESS) {
+				dns_message_currentname(
+					message, DNS_SECTION_AUTHORITY, namep);
+				rdataset = ISC_LIST_HEAD((*namep)->list);
+				INSIST(rdataset != NULL);
+			}
+		}
+		*rdatasetp = rdataset;
+	} else {
+		dns_rdataset_disassociate(*rdatasetp);
+		result = dns_rdataset_next(val->event->rdataset);
+		if (result == ISC_R_SUCCESS) {
+			dns_ncache_current(val->event->rdataset, *namep,
+					   *rdatasetp);
+		}
+	}
+	return (result);
+}
+
+/*%
+ * Look for NODATA at the wildcard and NOWILDCARD proofs in the
+ * previously validated NSEC records.  As these proofs are mutually
+ * exclusive we stop when one is found.
+ *
+ * Returns
+ * \li	ISC_R_SUCCESS
+ */
+static isc_result_t
+checkwildcard(dns_validator_t *val, dns_rdatatype_t type,
+	      dns_name_t *zonename) {
+	dns_name_t *name, *wild, tname;
+	isc_result_t result;
+	bool exists, data;
+	char namebuf[DNS_NAME_FORMATSIZE];
+	dns_rdataset_t *rdataset, trdataset;
+
+	dns_name_init(&tname, NULL);
+	dns_rdataset_init(&trdataset);
+	wild = dns_fixedname_name(&val->wild);
+
+	if (dns_name_countlabels(wild) == 0) {
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "in checkwildcard: no wildcard to check");
+		return (ISC_R_SUCCESS);
+	}
+
+	dns_name_format(wild, namebuf, sizeof(namebuf));
+	validator_log(val, ISC_LOG_DEBUG(3), "in checkwildcard: %s", namebuf);
+
+	if (val->event->message == NULL) {
+		name = &tname;
+		rdataset = &trdataset;
+	} else {
+		name = NULL;
+		rdataset = NULL;
+	}
+
+	for (result = val_rdataset_first(val, &name, &rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = val_rdataset_next(val, &name, &rdataset))
+	{
+		if (rdataset->type != type ||
+		    rdataset->trust != dns_trust_secure)
+		{
+			continue;
+		}
+
+		if (rdataset->type == dns_rdatatype_nsec &&
+		    (NEEDNODATA(val) || NEEDNOWILDCARD(val)) &&
+		    !FOUNDNODATA(val) && !FOUNDNOWILDCARD(val) &&
+		    dns_nsec_noexistnodata(val->event->type, wild, name,
+					   rdataset, &exists, &data, NULL,
+					   validator_log, val) == ISC_R_SUCCESS)
+		{
+			dns_name_t **proofs = val->event->proofs;
+			if (exists && !data) {
+				val->attributes |= VALATTR_FOUNDNODATA;
+			}
+			if (exists && !data && NEEDNODATA(val)) {
+				proofs[DNS_VALIDATOR_NODATAPROOF] = name;
+			}
+			if (!exists) {
+				val->attributes |= VALATTR_FOUNDNOWILDCARD;
+			}
+			if (!exists && NEEDNOQNAME(val)) {
+				proofs[DNS_VALIDATOR_NOWILDCARDPROOF] = name;
+			}
+			if (dns_rdataset_isassociated(&trdataset)) {
+				dns_rdataset_disassociate(&trdataset);
+			}
+			return (ISC_R_SUCCESS);
+		}
+
+		if (rdataset->type == dns_rdatatype_nsec3 &&
+		    (NEEDNODATA(val) || NEEDNOWILDCARD(val)) &&
+		    !FOUNDNODATA(val) && !FOUNDNOWILDCARD(val) &&
+		    dns_nsec3_noexistnodata(
+			    val->event->type, wild, name, rdataset, zonename,
+			    &exists, &data, NULL, NULL, NULL, NULL, NULL, NULL,
+			    validator_log, val) == ISC_R_SUCCESS)
+		{
+			dns_name_t **proofs = val->event->proofs;
+			if (exists && !data) {
+				val->attributes |= VALATTR_FOUNDNODATA;
+			}
+			if (exists && !data && NEEDNODATA(val)) {
+				proofs[DNS_VALIDATOR_NODATAPROOF] = name;
+			}
+			if (!exists) {
+				val->attributes |= VALATTR_FOUNDNOWILDCARD;
+			}
+			if (!exists && NEEDNOQNAME(val)) {
+				proofs[DNS_VALIDATOR_NOWILDCARDPROOF] = name;
+			}
+			if (dns_rdataset_isassociated(&trdataset)) {
+				dns_rdataset_disassociate(&trdataset);
+			}
+			return (ISC_R_SUCCESS);
+		}
+	}
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+	}
+	if (dns_rdataset_isassociated(&trdataset)) {
+		dns_rdataset_disassociate(&trdataset);
+	}
+	return (result);
+}
+
+/*
+ * Look for the needed proofs for a negative or wildcard response
+ * from a zone using NSEC3, and set flags in the validator as they
+ * are found.
+ */
+static isc_result_t
+findnsec3proofs(dns_validator_t *val) {
+	dns_name_t *name, tname;
+	isc_result_t result;
+	bool exists, data, optout, unknown;
+	bool setclosest, setnearest, *setclosestp;
+	dns_fixedname_t fclosest, fnearest, fzonename;
+	dns_name_t *closest, *nearest, *zonename, *closestp;
+	dns_name_t **proofs = val->event->proofs;
+	dns_rdataset_t *rdataset, trdataset;
+
+	dns_name_init(&tname, NULL);
+	dns_rdataset_init(&trdataset);
+	closest = dns_fixedname_initname(&fclosest);
+	nearest = dns_fixedname_initname(&fnearest);
+	zonename = dns_fixedname_initname(&fzonename);
+
+	if (val->event->message == NULL) {
+		name = &tname;
+		rdataset = &trdataset;
+	} else {
+		name = NULL;
+		rdataset = NULL;
+	}
+
+	for (result = val_rdataset_first(val, &name, &rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = val_rdataset_next(val, &name, &rdataset))
+	{
+		if (rdataset->type != dns_rdatatype_nsec3 ||
+		    rdataset->trust != dns_trust_secure)
+		{
+			continue;
+		}
+
+		result = dns_nsec3_noexistnodata(
+			val->event->type, val->event->name, name, rdataset,
+			zonename, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
+			NULL, validator_log, val);
+		if (result != ISC_R_IGNORE && result != ISC_R_SUCCESS) {
+			if (dns_rdataset_isassociated(&trdataset)) {
+				dns_rdataset_disassociate(&trdataset);
+			}
+			return (result);
+		}
+	}
+	if (result != ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+	}
+	POST(result);
+
+	if (dns_name_countlabels(zonename) == 0) {
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * If the val->closest is set then we want to use it otherwise
+	 * we need to discover it.
+	 */
+	if (dns_name_countlabels(dns_fixedname_name(&val->closest)) != 0) {
+		char namebuf[DNS_NAME_FORMATSIZE];
+
+		dns_name_format(dns_fixedname_name(&val->closest), namebuf,
+				sizeof(namebuf));
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "closest encloser from wildcard signature '%s'",
+			      namebuf);
+		dns_name_copynf(dns_fixedname_name(&val->closest), closest);
+		closestp = NULL;
+		setclosestp = NULL;
+	} else {
+		closestp = closest;
+		setclosestp = &setclosest;
+	}
+
+	for (result = val_rdataset_first(val, &name, &rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = val_rdataset_next(val, &name, &rdataset))
+	{
+		if (rdataset->type != dns_rdatatype_nsec3 ||
+		    rdataset->trust != dns_trust_secure)
+		{
+			continue;
+		}
+
+		/*
+		 * We process all NSEC3 records to find the closest
+		 * encloser and nearest name to the closest encloser.
+		 */
+		setclosest = setnearest = false;
+		optout = false;
+		unknown = false;
+		result = dns_nsec3_noexistnodata(
+			val->event->type, val->event->name, name, rdataset,
+			zonename, &exists, &data, &optout, &unknown,
+			setclosestp, &setnearest, closestp, nearest,
+			validator_log, val);
+		if (unknown) {
+			val->attributes |= VALATTR_FOUNDUNKNOWN;
+		}
+		if (result == DNS_R_NSEC3ITERRANGE) {
+			/*
+			 * We don't really know which NSEC3 record provides
+			 * which proof.  Just populate them.
+			 */
+			if (NEEDNOQNAME(val) &&
+			    proofs[DNS_VALIDATOR_NOQNAMEPROOF] == NULL)
+			{
+				proofs[DNS_VALIDATOR_NOQNAMEPROOF] = name;
+			} else if (setclosest) {
+				proofs[DNS_VALIDATOR_CLOSESTENCLOSER] = name;
+			} else if (NEEDNODATA(val) &&
+				   proofs[DNS_VALIDATOR_NODATAPROOF] == NULL)
+			{
+				proofs[DNS_VALIDATOR_NODATAPROOF] = name;
+			} else if (NEEDNOWILDCARD(val) &&
+				   proofs[DNS_VALIDATOR_NOWILDCARDPROOF] ==
+					   NULL)
+			{
+				proofs[DNS_VALIDATOR_NOWILDCARDPROOF] = name;
+			}
+			return (result);
+		}
+		if (result != ISC_R_SUCCESS) {
+			continue;
+		}
+		if (setclosest) {
+			proofs[DNS_VALIDATOR_CLOSESTENCLOSER] = name;
+		}
+		if (exists && !data && NEEDNODATA(val)) {
+			val->attributes |= VALATTR_FOUNDNODATA;
+			proofs[DNS_VALIDATOR_NODATAPROOF] = name;
+		}
+		if (!exists && setnearest) {
+			val->attributes |= VALATTR_FOUNDNOQNAME;
+			proofs[DNS_VALIDATOR_NOQNAMEPROOF] = name;
+			if (optout) {
+				val->attributes |= VALATTR_FOUNDOPTOUT;
+			}
+		}
+	}
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+	}
+
+	/*
+	 * To know we have a valid noqname and optout proofs we need to also
+	 * have a valid closest encloser.  Otherwise we could still be looking
+	 * at proofs from the parent zone.
+	 */
+	if (dns_name_countlabels(closest) > 0 &&
+	    dns_name_countlabels(nearest) ==
+		    dns_name_countlabels(closest) + 1 &&
+	    dns_name_issubdomain(nearest, closest))
+	{
+		val->attributes |= VALATTR_FOUNDCLOSEST;
+		result = dns_name_concatenate(dns_wildcardname, closest,
+					      dns_fixedname_name(&val->wild),
+					      NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	} else {
+		val->attributes &= ~VALATTR_FOUNDNOQNAME;
+		val->attributes &= ~VALATTR_FOUNDOPTOUT;
+		proofs[DNS_VALIDATOR_NOQNAMEPROOF] = NULL;
+	}
+
+	/*
+	 * Do we need to check for the wildcard?
+	 */
+	if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val) &&
+	    ((NEEDNODATA(val) && !FOUNDNODATA(val)) || NEEDNOWILDCARD(val)))
+	{
+		result = checkwildcard(val, dns_rdatatype_nsec3, zonename);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+	return (result);
+}
+
+/*
+ * Start a validator for negative response data.
+ *
+ * Returns:
+ * \li	DNS_R_CONTINUE	Validation skipped, continue
+ * \li	DNS_R_WAIT	Validation is in progress
+ *
+ * \li	Other return codes indicate failure.
+ */
+static isc_result_t
+validate_neg_rrset(dns_validator_t *val, dns_name_t *name,
+		   dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) {
+	isc_result_t result;
+
+	/*
+	 * If a signed zone is missing the zone key, bad
+	 * things could happen.  A query for data in the zone
+	 * would lead to a query for the zone key, which
+	 * would return a negative answer, which would contain
+	 * an SOA and an NSEC signed by the missing key, which
+	 * would trigger another query for the DNSKEY (since
+	 * the first one is still in progress), and go into an
+	 * infinite loop.  Avoid that.
+	 */
+	if (val->event->type == dns_rdatatype_dnskey &&
+	    rdataset->type == dns_rdatatype_nsec &&
+	    dns_name_equal(name, val->event->name))
+	{
+		dns_rdata_t nsec = DNS_RDATA_INIT;
+
+		result = dns_rdataset_first(rdataset);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		dns_rdataset_current(rdataset, &nsec);
+		if (dns_nsec_typepresent(&nsec, dns_rdatatype_soa)) {
+			return (DNS_R_CONTINUE);
+		}
+	}
+
+	val->currentset = rdataset;
+	result = create_validator(val, name, rdataset->type, rdataset,
+				  sigrdataset, validator_callback_nsec,
+				  "validate_neg_rrset");
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	val->authcount++;
+	return (DNS_R_WAIT);
+}
+
+/*%
+ * Validate the authority section records.
+ */
+static isc_result_t
+validate_authority(dns_validator_t *val, bool resume) {
+	dns_name_t *name;
+	dns_message_t *message = val->event->message;
+	isc_result_t result;
+
+	if (!resume) {
+		result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
+	} else {
+		result = ISC_R_SUCCESS;
+	}
+
+	for (; result == ISC_R_SUCCESS;
+	     result = dns_message_nextname(message, DNS_SECTION_AUTHORITY))
+	{
+		dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
+
+		name = NULL;
+		dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
+		if (resume) {
+			rdataset = ISC_LIST_NEXT(val->currentset, link);
+			val->currentset = NULL;
+			resume = false;
+		} else {
+			rdataset = ISC_LIST_HEAD(name->list);
+		}
+
+		for (; rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link))
+		{
+			if (rdataset->type == dns_rdatatype_rrsig) {
+				continue;
+			}
+
+			for (sigrdataset = ISC_LIST_HEAD(name->list);
+			     sigrdataset != NULL;
+			     sigrdataset = ISC_LIST_NEXT(sigrdataset, link))
+			{
+				if (sigrdataset->type == dns_rdatatype_rrsig &&
+				    sigrdataset->covers == rdataset->type)
+				{
+					break;
+				}
+			}
+
+			result = validate_neg_rrset(val, name, rdataset,
+						    sigrdataset);
+			if (result != DNS_R_CONTINUE) {
+				return (result);
+			}
+		}
+	}
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+	}
+	return (result);
+}
+
+/*%
+ * Validate negative cache elements.
+ */
+static isc_result_t
+validate_ncache(dns_validator_t *val, bool resume) {
+	dns_name_t *name;
+	isc_result_t result;
+
+	if (!resume) {
+		result = dns_rdataset_first(val->event->rdataset);
+	} else {
+		result = dns_rdataset_next(val->event->rdataset);
+	}
+
+	for (; result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(val->event->rdataset))
+	{
+		dns_rdataset_t *rdataset, *sigrdataset = NULL;
+
+		disassociate_rdatasets(val);
+
+		name = dns_fixedname_initname(&val->fname);
+		rdataset = &val->frdataset;
+		dns_ncache_current(val->event->rdataset, name, rdataset);
+
+		if (val->frdataset.type == dns_rdatatype_rrsig) {
+			continue;
+		}
+
+		result = dns_ncache_getsigrdataset(val->event->rdataset, name,
+						   rdataset->type,
+						   &val->fsigrdataset);
+		if (result == ISC_R_SUCCESS) {
+			sigrdataset = &val->fsigrdataset;
+		}
+
+		result = validate_neg_rrset(val, name, rdataset, sigrdataset);
+		if (result == DNS_R_CONTINUE) {
+			continue;
+		}
+
+		return (result);
+	}
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+	}
+
+	return (result);
+}
+
+/*%
+ * Prove a negative answer is good or that there is a NOQNAME when the
+ * answer is from a wildcard.
+ *
+ * Loop through the authority section looking for NODATA, NOWILDCARD
+ * and NOQNAME proofs in the NSEC records by calling
+ * validator_callback_nsec().
+ *
+ * If the required proofs are found we are done.
+ *
+ * If the proofs are not found attempt to prove this is an unsecure
+ * response.
+ */
+static isc_result_t
+validate_nx(dns_validator_t *val, bool resume) {
+	isc_result_t result;
+
+	if (resume) {
+		validator_log(val, ISC_LOG_DEBUG(3), "resuming validate_nx");
+	}
+
+	if (val->event->message == NULL) {
+		result = validate_ncache(val, resume);
+	} else {
+		result = validate_authority(val, resume);
+	}
+
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	/*
+	 * Do we only need to check for NOQNAME?  To get here we must have
+	 * had a secure wildcard answer.
+	 */
+	if (!NEEDNODATA(val) && !NEEDNOWILDCARD(val) && NEEDNOQNAME(val)) {
+		if (!FOUNDNOQNAME(val)) {
+			result = findnsec3proofs(val);
+			if (result == DNS_R_NSEC3ITERRANGE) {
+				validator_log(val, ISC_LOG_DEBUG(3),
+					      "too many iterations");
+				markanswer(val, "validate_nx (3)", NULL);
+				return (ISC_R_SUCCESS);
+			}
+		}
+
+		if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val) && !FOUNDOPTOUT(val))
+		{
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "marking as secure, noqname proof found");
+			marksecure(val->event);
+			return (ISC_R_SUCCESS);
+		} else if (FOUNDOPTOUT(val) &&
+			   dns_name_countlabels(
+				   dns_fixedname_name(&val->wild)) != 0)
+		{
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "optout proof found");
+			val->event->optout = true;
+			markanswer(val, "validate_nx (1)", NULL);
+			return (ISC_R_SUCCESS);
+		} else if ((val->attributes & VALATTR_FOUNDUNKNOWN) != 0) {
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "unknown NSEC3 hash algorithm found");
+			markanswer(val, "validate_nx (2)", NULL);
+			return (ISC_R_SUCCESS);
+		}
+
+		validator_log(val, ISC_LOG_DEBUG(3), "noqname proof not found");
+		return (DNS_R_NOVALIDNSEC);
+	}
+
+	if (!FOUNDNOQNAME(val) && !FOUNDNODATA(val)) {
+		result = findnsec3proofs(val);
+		if (result == DNS_R_NSEC3ITERRANGE) {
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "too many iterations");
+			markanswer(val, "validate_nx (4)", NULL);
+			return (ISC_R_SUCCESS);
+		}
+	}
+
+	/*
+	 * Do we need to check for the wildcard?
+	 */
+	if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val) &&
+	    ((NEEDNODATA(val) && !FOUNDNODATA(val)) || NEEDNOWILDCARD(val)))
+	{
+		result = checkwildcard(val, dns_rdatatype_nsec, NULL);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+
+	if ((NEEDNODATA(val) && (FOUNDNODATA(val) || FOUNDOPTOUT(val))) ||
+	    (NEEDNOQNAME(val) && FOUNDNOQNAME(val) && NEEDNOWILDCARD(val) &&
+	     FOUNDNOWILDCARD(val) && FOUNDCLOSEST(val)))
+	{
+		if ((val->attributes & VALATTR_FOUNDOPTOUT) != 0) {
+			val->event->optout = true;
+		}
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "nonexistence proof(s) found");
+		if (val->event->message == NULL) {
+			marksecure(val->event);
+		} else {
+			val->event->secure = true;
+		}
+		return (ISC_R_SUCCESS);
+	}
+
+	if (val->authfail != 0 && val->authcount == val->authfail) {
+		return (DNS_R_BROKENCHAIN);
+	}
+
+	validator_log(val, ISC_LOG_DEBUG(3), "nonexistence proof(s) not found");
+	return (proveunsecure(val, false, false));
+}
+
+/*%
+ * Check that DS rdataset has at least one record with
+ * a supported algorithm and digest.
+ */
+static bool
+check_ds_algs(dns_validator_t *val, dns_name_t *name,
+	      dns_rdataset_t *rdataset) {
+	dns_rdata_t dsrdata = DNS_RDATA_INIT;
+	dns_rdata_ds_t ds;
+	isc_result_t result;
+
+	for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(rdataset))
+	{
+		dns_rdataset_current(rdataset, &dsrdata);
+		result = dns_rdata_tostruct(&dsrdata, &ds, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		if (dns_resolver_ds_digest_supported(val->view->resolver, name,
+						     ds.digest_type) &&
+		    dns_resolver_algorithm_supported(val->view->resolver, name,
+						     ds.algorithm))
+		{
+			dns_rdata_reset(&dsrdata);
+			return (true);
+		}
+		dns_rdata_reset(&dsrdata);
+	}
+	return (false);
+}
+
+/*%
+ * seek_ds is called to look up DS rrsets at the label of val->event->name
+ * indicated by val->labels. This is done while building an insecurity
+ * proof, and so it will attempt validation of NXDOMAIN, NXRRSET or CNAME
+ * responses.
+ *
+ * Returns:
+ * \li	ISC_R_COMPLETE		a result has been determined and copied
+ * 				into `*resp`; ISC_R_SUCCESS indicates that
+ * 				the name has been proven insecure and any
+ * 				other result indicates failure.
+ * \li	DNS_R_CONTINUE		result is indeterminate; caller should
+ * 				continue walking down labels.
+ */
+static isc_result_t
+seek_ds(dns_validator_t *val, isc_result_t *resp) {
+	isc_result_t result;
+	char namebuf[DNS_NAME_FORMATSIZE];
+	dns_fixedname_t fixedfound;
+	dns_name_t *found = dns_fixedname_initname(&fixedfound);
+	dns_name_t *tname = dns_fixedname_initname(&val->fname);
+
+	if (val->labels == dns_name_countlabels(val->event->name)) {
+		dns_name_copynf(val->event->name, tname);
+	} else {
+		dns_name_split(val->event->name, val->labels, NULL, tname);
+	}
+
+	dns_name_format(tname, namebuf, sizeof(namebuf));
+	validator_log(val, ISC_LOG_DEBUG(3), "checking existence of DS at '%s'",
+		      namebuf);
+
+	result = view_find(val, tname, dns_rdatatype_ds);
+	switch (result) {
+	case ISC_R_SUCCESS:
+		/*
+		 * There is a DS here.  If it's already been
+		 * validated, continue walking down labels.
+		 */
+		if (val->frdataset.trust >= dns_trust_secure) {
+			if (!check_ds_algs(val, tname, &val->frdataset)) {
+				validator_log(val, ISC_LOG_DEBUG(3),
+					      "no supported algorithm/"
+					      "digest (%s/DS)",
+					      namebuf);
+				*resp = markanswer(val, "proveunsecure (5)",
+						   "no supported "
+						   "algorithm/digest (DS)");
+				return (ISC_R_COMPLETE);
+			}
+
+			break;
+		}
+
+		/*
+		 * Otherwise, try to validate it now.
+		 */
+		if (dns_rdataset_isassociated(&val->fsigrdataset)) {
+			result = create_validator(
+				val, tname, dns_rdatatype_ds, &val->frdataset,
+				&val->fsigrdataset, validator_callback_ds,
+				"proveunsecure");
+			*resp = DNS_R_WAIT;
+			if (result != ISC_R_SUCCESS) {
+				*resp = result;
+			}
+		} else {
+			/*
+			 * There should never be an unsigned DS.
+			 */
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "unsigned DS record");
+			*resp = DNS_R_NOVALIDSIG;
+		}
+
+		return (ISC_R_COMPLETE);
+
+	case ISC_R_NOTFOUND:
+		/*
+		 * We don't know anything about the DS.  Find it.
+		 */
+		*resp = DNS_R_WAIT;
+		result = create_fetch(val, tname, dns_rdatatype_ds,
+				      fetch_callback_ds, "proveunsecure");
+		if (result != ISC_R_SUCCESS) {
+			*resp = result;
+		}
+		return (ISC_R_COMPLETE);
+
+	case DNS_R_NXRRSET:
+	case DNS_R_NCACHENXRRSET:
+		/*
+		 * There is no DS.  If this is a delegation,
+		 * we may be done.
+		 *
+		 * If we have "trust == answer" then this namespace
+		 * has switched from insecure to should be secure.
+		 */
+		if (DNS_TRUST_PENDING(val->frdataset.trust) ||
+		    DNS_TRUST_ANSWER(val->frdataset.trust))
+		{
+			result = create_validator(
+				val, tname, dns_rdatatype_ds, &val->frdataset,
+				&val->fsigrdataset, validator_callback_ds,
+				"proveunsecure");
+			*resp = DNS_R_WAIT;
+			if (result != ISC_R_SUCCESS) {
+				*resp = result;
+			}
+			return (ISC_R_COMPLETE);
+		}
+
+		/*
+		 * Zones using NSEC3 don't return a NSEC RRset so
+		 * we need to use dns_view_findzonecut2 to find
+		 * the zone cut.
+		 */
+		if (result == DNS_R_NXRRSET &&
+		    !dns_rdataset_isassociated(&val->frdataset) &&
+		    dns_view_findzonecut(val->view, tname, found, NULL, 0, 0,
+					 false, false, NULL,
+					 NULL) == ISC_R_SUCCESS &&
+		    dns_name_equal(tname, found))
+		{
+			*resp = markanswer(val, "proveunsecure (3)",
+					   "no DS at zone cut");
+			return (ISC_R_COMPLETE);
+		}
+
+		if (val->frdataset.trust < dns_trust_secure) {
+			/*
+			 * This shouldn't happen, since the negative
+			 * response should have been validated.  Since
+			 * there's no way of validating existing
+			 * negative response blobs, give up.
+			 */
+			validator_log(val, ISC_LOG_WARNING,
+				      "can't validate existing "
+				      "negative responses (no DS)");
+			*resp = DNS_R_MUSTBESECURE;
+			return (ISC_R_COMPLETE);
+		}
+
+		if (isdelegation(tname, &val->frdataset, result)) {
+			*resp = markanswer(val, "proveunsecure (4)",
+					   "this is a delegation");
+			return (ISC_R_COMPLETE);
+		}
+
+		break;
+
+	case DNS_R_NXDOMAIN:
+	case DNS_R_NCACHENXDOMAIN:
+		/*
+		 * This is not a zone cut. Assuming things are
+		 * as expected, continue.
+		 */
+		if (!dns_rdataset_isassociated(&val->frdataset)) {
+			/*
+			 * There should be an NSEC here, since we
+			 * are still in a secure zone.
+			 */
+			*resp = DNS_R_NOVALIDNSEC;
+			return (ISC_R_COMPLETE);
+		} else if (DNS_TRUST_PENDING(val->frdataset.trust) ||
+			   DNS_TRUST_ANSWER(val->frdataset.trust))
+		{
+			/*
+			 * If we have "trust == answer" then this
+			 * namespace has switched from insecure to
+			 * should be secure.
+			 */
+			*resp = DNS_R_WAIT;
+			result = create_validator(
+				val, tname, dns_rdatatype_ds, &val->frdataset,
+				&val->fsigrdataset, validator_callback_ds,
+				"proveunsecure");
+			if (result != ISC_R_SUCCESS) {
+				*resp = result;
+			}
+			return (ISC_R_COMPLETE);
+		} else if (val->frdataset.trust < dns_trust_secure) {
+			/*
+			 * This shouldn't happen, since the negative
+			 * response should have been validated.  Since
+			 * there's no way of validating existing
+			 * negative response blobs, give up.
+			 */
+			validator_log(val, ISC_LOG_WARNING,
+				      "can't validate existing "
+				      "negative responses "
+				      "(not a zone cut)");
+			*resp = DNS_R_NOVALIDSIG;
+			return (ISC_R_COMPLETE);
+		}
+
+		break;
+
+	case DNS_R_CNAME:
+		if (DNS_TRUST_PENDING(val->frdataset.trust) ||
+		    DNS_TRUST_ANSWER(val->frdataset.trust))
+		{
+			result = create_validator(
+				val, tname, dns_rdatatype_cname,
+				&val->frdataset, &val->fsigrdataset,
+				validator_callback_cname,
+				"proveunsecure "
+				"(cname)");
+			*resp = DNS_R_WAIT;
+			if (result != ISC_R_SUCCESS) {
+				*resp = result;
+			}
+			return (ISC_R_COMPLETE);
+		}
+
+		break;
+
+	default:
+		*resp = result;
+		return (ISC_R_COMPLETE);
+	}
+
+	/*
+	 * No definite answer yet; continue walking down labels.
+	 */
+	return (DNS_R_CONTINUE);
+}
+
+/*%
+ * proveunsecure walks down, label by label, from the closest enclosing
+ * trust anchor to the name that is being validated, looking for an
+ * endpoint in the chain of trust.  That occurs when we can prove that
+ * a DS record does not exist at a delegation point, or that a DS exists
+ * at a delegation point but we don't support its algorithm/digest.  If
+ * no such endpoint is found, then the response should have been secure.
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS		val->event->name is in an unsecure zone
+ * \li	DNS_R_WAIT		validation is in progress.
+ * \li	DNS_R_MUSTBESECURE	val->event->name is supposed to be secure
+ *				(policy) but we proved that it is unsecure.
+ * \li	DNS_R_NOVALIDSIG
+ * \li	DNS_R_NOVALIDNSEC
+ * \li	DNS_R_NOTINSECURE
+ * \li	DNS_R_BROKENCHAIN
+ */
+static isc_result_t
+proveunsecure(dns_validator_t *val, bool have_ds, bool resume) {
+	isc_result_t result;
+	char namebuf[DNS_NAME_FORMATSIZE];
+	dns_fixedname_t fixedsecroot;
+	dns_name_t *secroot = dns_fixedname_initname(&fixedsecroot);
+	unsigned int labels;
+
+	/*
+	 * We're attempting to prove insecurity.
+	 */
+	val->attributes |= VALATTR_INSECURITY;
+
+	dns_name_copynf(val->event->name, secroot);
+
+	/*
+	 * If this is a response to a DS query, we need to look in
+	 * the parent zone for the trust anchor.
+	 */
+	labels = dns_name_countlabels(secroot);
+	if (val->event->type == dns_rdatatype_ds && labels > 1U) {
+		dns_name_getlabelsequence(secroot, 1, labels - 1, secroot);
+	}
+
+	result = dns_keytable_finddeepestmatch(val->keytable, secroot, secroot);
+	if (result == ISC_R_NOTFOUND) {
+		validator_log(val, ISC_LOG_DEBUG(3), "not beneath secure root");
+		return (markanswer(val, "proveunsecure (1)",
+				   "not beneath secure root"));
+	} else if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	if (!resume) {
+		/*
+		 * We are looking for interruptions in the chain of trust.
+		 * That can only happen *below* the trust anchor, so we
+		 * start looking at the next label down.
+		 */
+		val->labels = dns_name_countlabels(secroot) + 1;
+	} else {
+		validator_log(val, ISC_LOG_DEBUG(3), "resuming proveunsecure");
+
+		/*
+		 * If we have a DS rdataset and it is secure, check whether
+		 * it has a supported algorithm combination.  If not, this is
+		 * an insecure delegation as far as this resolver is concerned.
+		 */
+		if (have_ds && val->frdataset.trust >= dns_trust_secure &&
+		    !check_ds_algs(val, dns_fixedname_name(&val->fname),
+				   &val->frdataset))
+		{
+			dns_name_format(dns_fixedname_name(&val->fname),
+					namebuf, sizeof(namebuf));
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "no supported algorithm/digest (%s/DS)",
+				      namebuf);
+			result = markanswer(val, "proveunsecure (2)", namebuf);
+			goto out;
+		}
+		val->labels++;
+	}
+
+	/*
+	 * Walk down through each of the remaining labels in the name,
+	 * looking for DS records.
+	 */
+	while (val->labels <= dns_name_countlabels(val->event->name)) {
+		isc_result_t tresult;
+
+		result = seek_ds(val, &tresult);
+		if (result == ISC_R_COMPLETE) {
+			result = tresult;
+			goto out;
+		}
+
+		INSIST(result == DNS_R_CONTINUE);
+		val->labels++;
+	}
+
+	/* Couldn't complete insecurity proof. */
+	validator_log(val, ISC_LOG_DEBUG(3), "insecurity proof failed: %s",
+		      isc_result_totext(result));
+	return (DNS_R_NOTINSECURE);
+
+out:
+	if (result != DNS_R_WAIT) {
+		disassociate_rdatasets(val);
+	}
+	return (result);
+}
+
+/*%
+ * Start the validation process.
+ *
+ * Attempt to validate the answer based on the category it appears to
+ * fall in.
+ * \li	1. secure positive answer.
+ * \li	2. unsecure positive answer.
+ * \li	3. a negative answer (secure or unsecure).
+ *
+ * Note an answer that appears to be a secure positive answer may actually
+ * be an unsecure positive answer.
+ */
+static void
+validator_start(isc_task_t *task, isc_event_t *event) {
+	dns_validator_t *val;
+	dns_validatorevent_t *vevent;
+	bool want_destroy = false;
+	isc_result_t result = ISC_R_FAILURE;
+
+	UNUSED(task);
+	REQUIRE(event->ev_type == DNS_EVENT_VALIDATORSTART);
+	vevent = (dns_validatorevent_t *)event;
+	val = vevent->validator;
+
+	/* If the validator has been canceled, val->event == NULL */
+	if (val->event == NULL) {
+		return;
+	}
+
+	validator_log(val, ISC_LOG_DEBUG(3), "starting");
+
+	LOCK(&val->lock);
+
+	if (val->event->rdataset != NULL && val->event->sigrdataset != NULL) {
+		isc_result_t saved_result;
+
+		/*
+		 * This looks like a simple validation.  We say "looks like"
+		 * because it might end up requiring an insecurity proof.
+		 */
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "attempting positive response validation");
+
+		INSIST(dns_rdataset_isassociated(val->event->rdataset));
+		INSIST(dns_rdataset_isassociated(val->event->sigrdataset));
+		if (selfsigned_dnskey(val)) {
+			result = validate_dnskey(val);
+		} else {
+			result = validate_answer(val, false);
+		}
+		if (result == DNS_R_NOVALIDSIG &&
+		    (val->attributes & VALATTR_TRIEDVERIFY) == 0)
+		{
+			saved_result = result;
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "falling back to insecurity proof");
+			result = proveunsecure(val, false, false);
+			if (result == DNS_R_NOTINSECURE) {
+				result = saved_result;
+			}
+		}
+	} else if (val->event->rdataset != NULL &&
+		   val->event->rdataset->type != 0)
+	{
+		/*
+		 * This is either an unsecure subdomain or a response
+		 * from a broken server.
+		 */
+		INSIST(dns_rdataset_isassociated(val->event->rdataset));
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "attempting insecurity proof");
+
+		result = proveunsecure(val, false, false);
+		if (result == DNS_R_NOTINSECURE) {
+			validator_log(val, ISC_LOG_INFO,
+				      "got insecure response; "
+				      "parent indicates it should be secure");
+		}
+	} else if ((val->event->rdataset == NULL &&
+		    val->event->sigrdataset == NULL))
+	{
+		/*
+		 * This is a validation of a negative response.
+		 */
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "attempting negative response validation "
+			      "from message");
+
+		if (val->event->message->rcode == dns_rcode_nxdomain) {
+			val->attributes |= VALATTR_NEEDNOQNAME;
+			val->attributes |= VALATTR_NEEDNOWILDCARD;
+		} else {
+			val->attributes |= VALATTR_NEEDNODATA;
+		}
+
+		result = validate_nx(val, false);
+	} else if ((val->event->rdataset != NULL &&
+		    NEGATIVE(val->event->rdataset)))
+	{
+		/*
+		 * This is a delayed validation of a negative cache entry.
+		 */
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "attempting negative response validation "
+			      "from cache");
+
+		if (NXDOMAIN(val->event->rdataset)) {
+			val->attributes |= VALATTR_NEEDNOQNAME;
+			val->attributes |= VALATTR_NEEDNOWILDCARD;
+		} else {
+			val->attributes |= VALATTR_NEEDNODATA;
+		}
+
+		result = validate_nx(val, false);
+	} else {
+		UNREACHABLE();
+	}
+
+	if (result != DNS_R_WAIT) {
+		want_destroy = exit_check(val);
+		validator_done(val, result);
+	}
+
+	UNLOCK(&val->lock);
+	if (want_destroy) {
+		destroy(val);
+	}
+}
+
+isc_result_t
+dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
+		     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
+		     dns_message_t *message, unsigned int options,
+		     isc_task_t *task, isc_taskaction_t action, void *arg,
+		     dns_validator_t **validatorp) {
+	isc_result_t result = ISC_R_FAILURE;
+	dns_validator_t *val;
+	isc_task_t *tclone = NULL;
+	dns_validatorevent_t *event;
+
+	REQUIRE(name != NULL);
+	REQUIRE(rdataset != NULL ||
+		(rdataset == NULL && sigrdataset == NULL && message != NULL));
+	REQUIRE(validatorp != NULL && *validatorp == NULL);
+
+	event = (dns_validatorevent_t *)isc_event_allocate(
+		view->mctx, task, DNS_EVENT_VALIDATORSTART, validator_start,
+		NULL, sizeof(dns_validatorevent_t));
+
+	isc_task_attach(task, &tclone);
+	event->result = ISC_R_FAILURE;
+	event->name = name;
+	event->type = type;
+	event->rdataset = rdataset;
+	event->sigrdataset = sigrdataset;
+	event->message = message;
+	memset(event->proofs, 0, sizeof(event->proofs));
+	event->optout = false;
+	event->secure = false;
+
+	val = isc_mem_get(view->mctx, sizeof(*val));
+	*val = (dns_validator_t){ .event = event,
+				  .options = options,
+				  .task = task,
+				  .action = action,
+				  .arg = arg };
+
+	dns_view_weakattach(view, &val->view);
+	isc_mutex_init(&val->lock);
+
+	result = dns_view_getsecroots(val->view, &val->keytable);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	val->mustbesecure = dns_resolver_getmustbesecure(view->resolver, name);
+	dns_rdataset_init(&val->fdsset);
+	dns_rdataset_init(&val->frdataset);
+	dns_rdataset_init(&val->fsigrdataset);
+	dns_fixedname_init(&val->wild);
+	dns_fixedname_init(&val->closest);
+	isc_stdtime_get(&val->start);
+	ISC_LINK_INIT(val, link);
+	val->magic = VALIDATOR_MAGIC;
+
+	event->validator = val;
+
+	if ((options & DNS_VALIDATOR_DEFER) == 0) {
+		isc_task_send(task, ISC_EVENT_PTR(&event));
+	}
+
+	*validatorp = val;
+
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	isc_mutex_destroy(&val->lock);
+
+	isc_task_detach(&tclone);
+	isc_event_free(ISC_EVENT_PTR(&event));
+
+	dns_view_weakdetach(&val->view);
+	isc_mem_put(view->mctx, val, sizeof(*val));
+
+	return (result);
+}
+
+void
+dns_validator_send(dns_validator_t *validator) {
+	isc_event_t *event;
+	REQUIRE(VALID_VALIDATOR(validator));
+
+	LOCK(&validator->lock);
+
+	INSIST((validator->options & DNS_VALIDATOR_DEFER) != 0);
+	event = (isc_event_t *)validator->event;
+	validator->options &= ~DNS_VALIDATOR_DEFER;
+	UNLOCK(&validator->lock);
+
+	isc_task_send(validator->task, ISC_EVENT_PTR(&event));
+}
+
+void
+dns_validator_cancel(dns_validator_t *validator) {
+	dns_fetch_t *fetch = NULL;
+
+	REQUIRE(VALID_VALIDATOR(validator));
+
+	LOCK(&validator->lock);
+
+	validator_log(validator, ISC_LOG_DEBUG(3), "dns_validator_cancel");
+
+	if ((validator->attributes & VALATTR_CANCELED) == 0) {
+		validator->attributes |= VALATTR_CANCELED;
+		if (validator->event != NULL) {
+			fetch = validator->fetch;
+			validator->fetch = NULL;
+
+			if (validator->subvalidator != NULL) {
+				dns_validator_cancel(validator->subvalidator);
+			}
+			if ((validator->options & DNS_VALIDATOR_DEFER) != 0) {
+				validator->options &= ~DNS_VALIDATOR_DEFER;
+				validator_done(validator, ISC_R_CANCELED);
+			}
+		}
+	}
+	UNLOCK(&validator->lock);
+
+	/* Need to cancel and destroy the fetch outside validator lock */
+	if (fetch != NULL) {
+		dns_resolver_cancelfetch(fetch);
+		dns_resolver_destroyfetch(&fetch);
+	}
+}
+
+static void
+destroy(dns_validator_t *val) {
+	isc_mem_t *mctx;
+
+	REQUIRE(SHUTDOWN(val));
+	REQUIRE(val->event == NULL);
+	REQUIRE(val->fetch == NULL);
+
+	val->magic = 0;
+	if (val->key != NULL) {
+		dst_key_free(&val->key);
+	}
+	if (val->keytable != NULL) {
+		dns_keytable_detach(&val->keytable);
+	}
+	if (val->subvalidator != NULL) {
+		dns_validator_destroy(&val->subvalidator);
+	}
+	disassociate_rdatasets(val);
+	mctx = val->view->mctx;
+	if (val->siginfo != NULL) {
+		isc_mem_put(mctx, val->siginfo, sizeof(*val->siginfo));
+	}
+	isc_mutex_destroy(&val->lock);
+	dns_view_weakdetach(&val->view);
+	isc_mem_put(mctx, val, sizeof(*val));
+}
+
+void
+dns_validator_destroy(dns_validator_t **validatorp) {
+	dns_validator_t *val;
+	bool want_destroy = false;
+
+	REQUIRE(validatorp != NULL);
+	val = *validatorp;
+	*validatorp = NULL;
+	REQUIRE(VALID_VALIDATOR(val));
+
+	LOCK(&val->lock);
+
+	val->attributes |= VALATTR_SHUTDOWN;
+	validator_log(val, ISC_LOG_DEBUG(4), "dns_validator_destroy");
+
+	want_destroy = exit_check(val);
+	UNLOCK(&val->lock);
+	if (want_destroy) {
+		destroy(val);
+	}
+}
+
+static void
+validator_logv(dns_validator_t *val, isc_logcategory_t *category,
+	       isc_logmodule_t *module, int level, const char *fmt,
+	       va_list ap) {
+	char msgbuf[2048];
+	static const char spaces[] = "        *";
+	int depth = val->depth * 2;
+	const char *viewname, *sep1, *sep2;
+
+	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
+
+	if ((unsigned int)depth >= sizeof spaces) {
+		depth = sizeof spaces - 1;
+	}
+
+	/*
+	 * Log the view name unless it's:
+	 * * "_default/IN" (which means there's only one view
+	 *   configured in the server), or
+	 * * "_dnsclient/IN" (which means this is being called
+	 *   from an application using dns/client.c).
+	 */
+	if (val->view->rdclass == dns_rdataclass_in &&
+	    (strcmp(val->view->name, "_default") == 0 ||
+	     strcmp(val->view->name, DNS_CLIENTVIEW_NAME) == 0))
+	{
+		sep1 = viewname = sep2 = "";
+	} else {
+		sep1 = "view ";
+		viewname = val->view->name;
+		sep2 = ": ";
+	}
+
+	if (val->event != NULL && val->event->name != NULL) {
+		char namebuf[DNS_NAME_FORMATSIZE];
+		char typebuf[DNS_RDATATYPE_FORMATSIZE];
+
+		dns_name_format(val->event->name, namebuf, sizeof(namebuf));
+		dns_rdatatype_format(val->event->type, typebuf,
+				     sizeof(typebuf));
+		isc_log_write(dns_lctx, category, module, level,
+			      "%s%s%s%.*svalidating %s/%s: %s", sep1, viewname,
+			      sep2, depth, spaces, namebuf, typebuf, msgbuf);
+	} else {
+		isc_log_write(dns_lctx, category, module, level,
+			      "%s%s%s%.*svalidator @%p: %s", sep1, viewname,
+			      sep2, depth, spaces, val, msgbuf);
+	}
+}
+
+static void
+validator_log(void *val, int level, const char *fmt, ...) {
+	va_list ap;
+
+	if (!isc_log_wouldlog(dns_lctx, level)) {
+		return;
+	}
+
+	va_start(ap, fmt);
+
+	validator_logv(val, DNS_LOGCATEGORY_DNSSEC, DNS_LOGMODULE_VALIDATOR,
+		       level, fmt, ap);
+	va_end(ap);
+}
+
+static void
+validator_logcreate(dns_validator_t *val, dns_name_t *name,
+		    dns_rdatatype_t type, const char *caller,
+		    const char *operation) {
+	char namestr[DNS_NAME_FORMATSIZE];
+	char typestr[DNS_RDATATYPE_FORMATSIZE];
+
+	dns_name_format(name, namestr, sizeof(namestr));
+	dns_rdatatype_format(type, typestr, sizeof(typestr));
+	validator_log(val, ISC_LOG_DEBUG(9), "%s: creating %s for %s %s",
+		      caller, operation, namestr, typestr);
+}
diff --git a/lib/dns/version.c b/lib/dns/version.c
new file mode 100644
index 0000000..2be1656
--- /dev/null
+++ b/lib/dns/version.c
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <dns/version.h>
+
+const char dns_version[] = VERSION;
+const char dns_major[] = MAJOR;
+const char dns_mapapi[] = MAPAPI;
diff --git a/lib/dns/view.c b/lib/dns/view.c
new file mode 100644
index 0000000..a67dd73
--- /dev/null
+++ b/lib/dns/view.c
@@ -0,0 +1,2642 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <limits.h>
+#include <stdbool.h>
+
+#ifdef HAVE_LMDB
+#include <lmdb.h>
+
+#include <dns/lmdb.h>
+#endif /* HAVE_LMDB */
+
+#include <isc/atomic.h>
+#include <isc/file.h>
+#include <isc/hash.h>
+#include <isc/lex.h>
+#include <isc/print.h>
+#include <isc/stats.h>
+#include <isc/string.h> /* Required for HP/UX (and others?) */
+#include <isc/task.h>
+#include <isc/util.h>
+
+#include <dns/acl.h>
+#include <dns/adb.h>
+#include <dns/badcache.h>
+#include <dns/cache.h>
+#include <dns/db.h>
+#include <dns/dispatch.h>
+#include <dns/dlz.h>
+#include <dns/dns64.h>
+#include <dns/dnssec.h>
+#include <dns/events.h>
+#include <dns/forward.h>
+#include <dns/keytable.h>
+#include <dns/keyvalues.h>
+#include <dns/master.h>
+#include <dns/masterdump.h>
+#include <dns/nta.h>
+#include <dns/order.h>
+#include <dns/peer.h>
+#include <dns/rbt.h>
+#include <dns/rdataset.h>
+#include <dns/request.h>
+#include <dns/resolver.h>
+#include <dns/result.h>
+#include <dns/rpz.h>
+#include <dns/rrl.h>
+#include <dns/stats.h>
+#include <dns/time.h>
+#include <dns/tsig.h>
+#include <dns/zone.h>
+#include <dns/zt.h>
+
+#define CHECK(op)                            \
+	do {                                 \
+		result = (op);               \
+		if (result != ISC_R_SUCCESS) \
+			goto cleanup;        \
+	} while (0)
+
+#define RESSHUTDOWN(v) \
+	((atomic_load(&(v)->attributes) & DNS_VIEWATTR_RESSHUTDOWN) != 0)
+#define ADBSHUTDOWN(v) \
+	((atomic_load(&(v)->attributes) & DNS_VIEWATTR_ADBSHUTDOWN) != 0)
+#define REQSHUTDOWN(v) \
+	((atomic_load(&(v)->attributes) & DNS_VIEWATTR_REQSHUTDOWN) != 0)
+
+#define DNS_VIEW_DELONLYHASH   111
+#define DNS_VIEW_FAILCACHESIZE 1021
+
+static void
+resolver_shutdown(isc_task_t *task, isc_event_t *event);
+static void
+adb_shutdown(isc_task_t *task, isc_event_t *event);
+static void
+req_shutdown(isc_task_t *task, isc_event_t *event);
+
+isc_result_t
+dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, const char *name,
+		dns_view_t **viewp) {
+	dns_view_t *view;
+	isc_result_t result;
+	char buffer[1024];
+
+	/*
+	 * Create a view.
+	 */
+
+	REQUIRE(name != NULL);
+	REQUIRE(viewp != NULL && *viewp == NULL);
+
+	view = isc_mem_get(mctx, sizeof(*view));
+
+	view->nta_file = NULL;
+	view->mctx = NULL;
+	isc_mem_attach(mctx, &view->mctx);
+	view->name = isc_mem_strdup(mctx, name);
+
+	result = isc_file_sanitize(NULL, view->name, "nta", buffer,
+				   sizeof(buffer));
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_name;
+	}
+	view->nta_file = isc_mem_strdup(mctx, buffer);
+
+	isc_mutex_init(&view->lock);
+
+	view->zonetable = NULL;
+	result = dns_zt_create(mctx, rdclass, &view->zonetable);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "dns_zt_create() failed: %s",
+				 isc_result_totext(result));
+		result = ISC_R_UNEXPECTED;
+		goto cleanup_mutex;
+	}
+
+	view->secroots_priv = NULL;
+	view->ntatable_priv = NULL;
+	view->fwdtable = NULL;
+	result = dns_fwdtable_create(mctx, &view->fwdtable);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "dns_fwdtable_create() failed: %s",
+				 isc_result_totext(result));
+		result = ISC_R_UNEXPECTED;
+		goto cleanup_zt;
+	}
+
+	view->cache = NULL;
+	view->cachedb = NULL;
+	ISC_LIST_INIT(view->dlz_searched);
+	ISC_LIST_INIT(view->dlz_unsearched);
+	view->hints = NULL;
+	view->resolver = NULL;
+	view->adb = NULL;
+	view->requestmgr = NULL;
+	view->rdclass = rdclass;
+	view->frozen = false;
+	view->task = NULL;
+	isc_refcount_init(&view->references, 1);
+	isc_refcount_init(&view->weakrefs, 1);
+	atomic_init(&view->attributes,
+		    (DNS_VIEWATTR_RESSHUTDOWN | DNS_VIEWATTR_ADBSHUTDOWN |
+		     DNS_VIEWATTR_REQSHUTDOWN));
+	view->statickeys = NULL;
+	view->dynamickeys = NULL;
+	view->matchclients = NULL;
+	view->matchdestinations = NULL;
+	view->matchrecursiveonly = false;
+	result = dns_tsigkeyring_create(view->mctx, &view->dynamickeys);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_weakrefs;
+	}
+	view->peers = NULL;
+	view->order = NULL;
+	view->delonly = NULL;
+	view->rootdelonly = false;
+	view->rootexclude = NULL;
+	view->adbstats = NULL;
+	view->resstats = NULL;
+	view->resquerystats = NULL;
+	view->cacheshared = false;
+	ISC_LIST_INIT(view->dns64);
+	view->dns64cnt = 0;
+
+	/*
+	 * Initialize configuration data with default values.
+	 */
+	view->recursion = true;
+	view->qminimization = false;
+	view->qmin_strict = false;
+	view->auth_nxdomain = false; /* Was true in BIND 8 */
+	view->enablevalidation = true;
+	view->acceptexpired = false;
+	view->use_glue_cache = false;
+	view->minimal_any = false;
+	view->minimalresponses = dns_minimal_no;
+	view->transfer_format = dns_one_answer;
+	view->cacheacl = NULL;
+	view->cacheonacl = NULL;
+	view->checknames = false;
+	view->queryacl = NULL;
+	view->queryonacl = NULL;
+	view->recursionacl = NULL;
+	view->recursiononacl = NULL;
+	view->sortlist = NULL;
+	view->transferacl = NULL;
+	view->notifyacl = NULL;
+	view->updateacl = NULL;
+	view->upfwdacl = NULL;
+	view->denyansweracl = NULL;
+	view->nocasecompress = NULL;
+	view->msgcompression = true;
+	view->answeracl_exclude = NULL;
+	view->denyanswernames = NULL;
+	view->answernames_exclude = NULL;
+	view->rrl = NULL;
+	view->provideixfr = true;
+	view->maxcachettl = 7 * 24 * 3600;
+	view->maxncachettl = 3 * 3600;
+	view->mincachettl = 0;
+	view->minncachettl = 0;
+	view->nta_lifetime = 0;
+	view->nta_recheck = 0;
+	view->prefetch_eligible = 0;
+	view->prefetch_trigger = 0;
+	view->dstport = 53;
+	view->preferred_glue = 0;
+	view->flush = false;
+	view->maxudp = 0;
+	view->staleanswerttl = 1;
+	view->staleanswersok = dns_stale_answer_conf;
+	view->staleanswersenable = false;
+	view->nocookieudp = 0;
+	view->padding = 0;
+	view->pad_acl = NULL;
+	view->maxbits = 0;
+	view->rpzs = NULL;
+	view->catzs = NULL;
+	view->managed_keys = NULL;
+	view->redirect = NULL;
+	view->redirectzone = NULL;
+	dns_fixedname_init(&view->redirectfixed);
+	view->requestnsid = false;
+	view->sendcookie = true;
+	view->requireservercookie = false;
+	view->synthfromdnssec = true;
+	view->trust_anchor_telemetry = true;
+	view->root_key_sentinel = true;
+	view->new_zone_dir = NULL;
+	view->new_zone_file = NULL;
+	view->new_zone_db = NULL;
+	view->new_zone_dbenv = NULL;
+	view->new_zone_mapsize = 0ULL;
+	view->new_zone_config = NULL;
+	view->cfg_destroy = NULL;
+	view->fail_ttl = 0;
+	view->failcache = NULL;
+	result = dns_badcache_init(view->mctx, DNS_VIEW_FAILCACHESIZE,
+				   &view->failcache);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_dynkeys;
+	}
+	view->v6bias = 0;
+	view->dtenv = NULL;
+	view->dttypes = 0;
+
+	view->plugins = NULL;
+	view->plugins_free = NULL;
+	view->hooktable = NULL;
+	view->hooktable_free = NULL;
+
+	isc_mutex_init(&view->new_zone_lock);
+
+	result = dns_order_create(view->mctx, &view->order);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_new_zone_lock;
+	}
+
+	result = dns_peerlist_new(view->mctx, &view->peers);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_order;
+	}
+
+	result = dns_aclenv_init(view->mctx, &view->aclenv);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_peerlist;
+	}
+
+	ISC_LINK_INIT(view, link);
+	ISC_EVENT_INIT(&view->resevent, sizeof(view->resevent), 0, NULL,
+		       DNS_EVENT_VIEWRESSHUTDOWN, resolver_shutdown, view, NULL,
+		       NULL, NULL);
+	ISC_EVENT_INIT(&view->adbevent, sizeof(view->adbevent), 0, NULL,
+		       DNS_EVENT_VIEWADBSHUTDOWN, adb_shutdown, view, NULL,
+		       NULL, NULL);
+	ISC_EVENT_INIT(&view->reqevent, sizeof(view->reqevent), 0, NULL,
+		       DNS_EVENT_VIEWREQSHUTDOWN, req_shutdown, view, NULL,
+		       NULL, NULL);
+	view->viewlist = NULL;
+	view->magic = DNS_VIEW_MAGIC;
+
+	*viewp = view;
+
+	return (ISC_R_SUCCESS);
+
+cleanup_peerlist:
+	if (view->peers != NULL) {
+		dns_peerlist_detach(&view->peers);
+	}
+
+cleanup_order:
+	if (view->order != NULL) {
+		dns_order_detach(&view->order);
+	}
+
+cleanup_new_zone_lock:
+	isc_mutex_destroy(&view->new_zone_lock);
+
+	dns_badcache_destroy(&view->failcache);
+
+cleanup_dynkeys:
+	if (view->dynamickeys != NULL) {
+		dns_tsigkeyring_detach(&view->dynamickeys);
+	}
+
+cleanup_weakrefs:
+	isc_refcount_decrementz(&view->weakrefs);
+	isc_refcount_destroy(&view->weakrefs);
+
+	isc_refcount_decrementz(&view->references);
+	isc_refcount_destroy(&view->references);
+
+	if (view->fwdtable != NULL) {
+		dns_fwdtable_destroy(&view->fwdtable);
+	}
+
+cleanup_zt:
+	if (view->zonetable != NULL) {
+		dns_zt_detach(&view->zonetable);
+	}
+
+cleanup_mutex:
+	isc_mutex_destroy(&view->lock);
+
+	if (view->nta_file != NULL) {
+		isc_mem_free(mctx, view->nta_file);
+	}
+
+cleanup_name:
+	isc_mem_free(mctx, view->name);
+	isc_mem_putanddetach(&view->mctx, view, sizeof(*view));
+
+	return (result);
+}
+
+static void
+destroy(dns_view_t *view) {
+	dns_dns64_t *dns64;
+	dns_dlzdb_t *dlzdb;
+
+	REQUIRE(!ISC_LINK_LINKED(view, link));
+	REQUIRE(RESSHUTDOWN(view));
+	REQUIRE(ADBSHUTDOWN(view));
+	REQUIRE(REQSHUTDOWN(view));
+
+	isc_refcount_destroy(&view->references);
+	isc_refcount_destroy(&view->weakrefs);
+
+	if (view->order != NULL) {
+		dns_order_detach(&view->order);
+	}
+	if (view->peers != NULL) {
+		dns_peerlist_detach(&view->peers);
+	}
+
+	if (view->dynamickeys != NULL) {
+		isc_result_t result;
+		char template[PATH_MAX];
+		char keyfile[PATH_MAX];
+		FILE *fp = NULL;
+
+		result = isc_file_mktemplate(NULL, template, sizeof(template));
+		if (result == ISC_R_SUCCESS) {
+			(void)isc_file_openuniqueprivate(template, &fp);
+		}
+		if (fp == NULL) {
+			dns_tsigkeyring_detach(&view->dynamickeys);
+		} else {
+			result = dns_tsigkeyring_dumpanddetach(
+				&view->dynamickeys, fp);
+			if (result == ISC_R_SUCCESS) {
+				if (fclose(fp) == 0) {
+					result = isc_file_sanitize(
+						NULL, view->name, "tsigkeys",
+						keyfile, sizeof(keyfile));
+					if (result == ISC_R_SUCCESS) {
+						result = isc_file_rename(
+							template, keyfile);
+					}
+				}
+				if (result != ISC_R_SUCCESS) {
+					(void)remove(template);
+				}
+			} else {
+				(void)fclose(fp);
+				(void)remove(template);
+			}
+		}
+	}
+	if (view->statickeys != NULL) {
+		dns_tsigkeyring_detach(&view->statickeys);
+	}
+	if (view->adb != NULL) {
+		dns_adb_detach(&view->adb);
+	}
+	if (view->resolver != NULL) {
+		dns_resolver_detach(&view->resolver);
+	}
+	dns_rrl_view_destroy(view);
+	if (view->rpzs != NULL) {
+		dns_rpz_detach_rpzs(&view->rpzs);
+	}
+	if (view->catzs != NULL) {
+		dns_catz_catzs_detach(&view->catzs);
+	}
+	for (dlzdb = ISC_LIST_HEAD(view->dlz_searched); dlzdb != NULL;
+	     dlzdb = ISC_LIST_HEAD(view->dlz_searched))
+	{
+		ISC_LIST_UNLINK(view->dlz_searched, dlzdb, link);
+		dns_dlzdestroy(&dlzdb);
+	}
+	for (dlzdb = ISC_LIST_HEAD(view->dlz_unsearched); dlzdb != NULL;
+	     dlzdb = ISC_LIST_HEAD(view->dlz_unsearched))
+	{
+		ISC_LIST_UNLINK(view->dlz_unsearched, dlzdb, link);
+		dns_dlzdestroy(&dlzdb);
+	}
+	if (view->requestmgr != NULL) {
+		dns_requestmgr_detach(&view->requestmgr);
+	}
+	if (view->task != NULL) {
+		isc_task_detach(&view->task);
+	}
+	if (view->hints != NULL) {
+		dns_db_detach(&view->hints);
+	}
+	if (view->cachedb != NULL) {
+		dns_db_detach(&view->cachedb);
+	}
+	if (view->cache != NULL) {
+		dns_cache_detach(&view->cache);
+	}
+	if (view->nocasecompress != NULL) {
+		dns_acl_detach(&view->nocasecompress);
+	}
+	if (view->matchclients != NULL) {
+		dns_acl_detach(&view->matchclients);
+	}
+	if (view->matchdestinations != NULL) {
+		dns_acl_detach(&view->matchdestinations);
+	}
+	if (view->cacheacl != NULL) {
+		dns_acl_detach(&view->cacheacl);
+	}
+	if (view->cacheonacl != NULL) {
+		dns_acl_detach(&view->cacheonacl);
+	}
+	if (view->queryacl != NULL) {
+		dns_acl_detach(&view->queryacl);
+	}
+	if (view->queryonacl != NULL) {
+		dns_acl_detach(&view->queryonacl);
+	}
+	if (view->recursionacl != NULL) {
+		dns_acl_detach(&view->recursionacl);
+	}
+	if (view->recursiononacl != NULL) {
+		dns_acl_detach(&view->recursiononacl);
+	}
+	if (view->sortlist != NULL) {
+		dns_acl_detach(&view->sortlist);
+	}
+	if (view->transferacl != NULL) {
+		dns_acl_detach(&view->transferacl);
+	}
+	if (view->notifyacl != NULL) {
+		dns_acl_detach(&view->notifyacl);
+	}
+	if (view->updateacl != NULL) {
+		dns_acl_detach(&view->updateacl);
+	}
+	if (view->upfwdacl != NULL) {
+		dns_acl_detach(&view->upfwdacl);
+	}
+	if (view->denyansweracl != NULL) {
+		dns_acl_detach(&view->denyansweracl);
+	}
+	if (view->pad_acl != NULL) {
+		dns_acl_detach(&view->pad_acl);
+	}
+	if (view->answeracl_exclude != NULL) {
+		dns_rbt_destroy(&view->answeracl_exclude);
+	}
+	if (view->denyanswernames != NULL) {
+		dns_rbt_destroy(&view->denyanswernames);
+	}
+	if (view->answernames_exclude != NULL) {
+		dns_rbt_destroy(&view->answernames_exclude);
+	}
+	if (view->delonly != NULL) {
+		dns_name_t *name;
+		int i;
+
+		for (i = 0; i < DNS_VIEW_DELONLYHASH; i++) {
+			name = ISC_LIST_HEAD(view->delonly[i]);
+			while (name != NULL) {
+				ISC_LIST_UNLINK(view->delonly[i], name, link);
+				dns_name_free(name, view->mctx);
+				isc_mem_put(view->mctx, name, sizeof(*name));
+				name = ISC_LIST_HEAD(view->delonly[i]);
+			}
+		}
+		isc_mem_put(view->mctx, view->delonly,
+			    sizeof(dns_namelist_t) * DNS_VIEW_DELONLYHASH);
+		view->delonly = NULL;
+	}
+	if (view->rootexclude != NULL) {
+		dns_name_t *name;
+		int i;
+
+		for (i = 0; i < DNS_VIEW_DELONLYHASH; i++) {
+			name = ISC_LIST_HEAD(view->rootexclude[i]);
+			while (name != NULL) {
+				ISC_LIST_UNLINK(view->rootexclude[i], name,
+						link);
+				dns_name_free(name, view->mctx);
+				isc_mem_put(view->mctx, name, sizeof(*name));
+				name = ISC_LIST_HEAD(view->rootexclude[i]);
+			}
+		}
+		isc_mem_put(view->mctx, view->rootexclude,
+			    sizeof(dns_namelist_t) * DNS_VIEW_DELONLYHASH);
+		view->rootexclude = NULL;
+	}
+	if (view->adbstats != NULL) {
+		isc_stats_detach(&view->adbstats);
+	}
+	if (view->resstats != NULL) {
+		isc_stats_detach(&view->resstats);
+	}
+	if (view->resquerystats != NULL) {
+		dns_stats_detach(&view->resquerystats);
+	}
+	if (view->secroots_priv != NULL) {
+		dns_keytable_detach(&view->secroots_priv);
+	}
+	if (view->ntatable_priv != NULL) {
+		dns_ntatable_detach(&view->ntatable_priv);
+	}
+	for (dns64 = ISC_LIST_HEAD(view->dns64); dns64 != NULL;
+	     dns64 = ISC_LIST_HEAD(view->dns64))
+	{
+		dns_dns64_unlink(&view->dns64, dns64);
+		dns_dns64_destroy(&dns64);
+	}
+	if (view->managed_keys != NULL) {
+		dns_zone_detach(&view->managed_keys);
+	}
+	if (view->redirect != NULL) {
+		dns_zone_detach(&view->redirect);
+	}
+#ifdef HAVE_DNSTAP
+	if (view->dtenv != NULL) {
+		dns_dt_detach(&view->dtenv);
+	}
+#endif /* HAVE_DNSTAP */
+	dns_view_setnewzones(view, false, NULL, NULL, 0ULL);
+	if (view->new_zone_file != NULL) {
+		isc_mem_free(view->mctx, view->new_zone_file);
+		view->new_zone_file = NULL;
+	}
+	if (view->new_zone_dir != NULL) {
+		isc_mem_free(view->mctx, view->new_zone_dir);
+		view->new_zone_dir = NULL;
+	}
+#ifdef HAVE_LMDB
+	if (view->new_zone_dbenv != NULL) {
+		mdb_env_close((MDB_env *)view->new_zone_dbenv);
+		view->new_zone_dbenv = NULL;
+	}
+	if (view->new_zone_db != NULL) {
+		isc_mem_free(view->mctx, view->new_zone_db);
+		view->new_zone_db = NULL;
+	}
+#endif /* HAVE_LMDB */
+	dns_fwdtable_destroy(&view->fwdtable);
+	dns_aclenv_destroy(&view->aclenv);
+	if (view->failcache != NULL) {
+		dns_badcache_destroy(&view->failcache);
+	}
+	isc_mutex_destroy(&view->new_zone_lock);
+	isc_mutex_destroy(&view->lock);
+	isc_refcount_destroy(&view->references);
+	isc_refcount_destroy(&view->weakrefs);
+	isc_mem_free(view->mctx, view->nta_file);
+	isc_mem_free(view->mctx, view->name);
+	if (view->hooktable != NULL && view->hooktable_free != NULL) {
+		view->hooktable_free(view->mctx, &view->hooktable);
+	}
+	if (view->plugins != NULL && view->plugins_free != NULL) {
+		view->plugins_free(view->mctx, &view->plugins);
+	}
+	isc_mem_putanddetach(&view->mctx, view, sizeof(*view));
+}
+
+void
+dns_view_attach(dns_view_t *source, dns_view_t **targetp) {
+	REQUIRE(DNS_VIEW_VALID(source));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	isc_refcount_increment(&source->references);
+
+	*targetp = source;
+}
+
+static void
+view_flushanddetach(dns_view_t **viewp, bool flush) {
+	REQUIRE(viewp != NULL && DNS_VIEW_VALID(*viewp));
+	dns_view_t *view = *viewp;
+	*viewp = NULL;
+
+	if (flush) {
+		view->flush = flush;
+	}
+
+	if (isc_refcount_decrement(&view->references) == 1) {
+		dns_zone_t *mkzone = NULL, *rdzone = NULL;
+
+		isc_refcount_destroy(&view->references);
+		if (!RESSHUTDOWN(view)) {
+			dns_resolver_shutdown(view->resolver);
+		}
+		if (!ADBSHUTDOWN(view)) {
+			dns_adb_shutdown(view->adb);
+		}
+		if (!REQSHUTDOWN(view)) {
+			dns_requestmgr_shutdown(view->requestmgr);
+		}
+		LOCK(&view->lock);
+		if (view->zonetable != NULL) {
+			if (view->flush) {
+				dns_zt_flushanddetach(&view->zonetable);
+			} else {
+				dns_zt_detach(&view->zonetable);
+			}
+		}
+		if (view->managed_keys != NULL) {
+			mkzone = view->managed_keys;
+			view->managed_keys = NULL;
+			if (view->flush) {
+				dns_zone_flush(mkzone);
+			}
+		}
+		if (view->redirect != NULL) {
+			rdzone = view->redirect;
+			view->redirect = NULL;
+			if (view->flush) {
+				dns_zone_flush(rdzone);
+			}
+		}
+		if (view->catzs != NULL) {
+			dns_catz_catzs_detach(&view->catzs);
+		}
+		if (view->ntatable_priv != NULL) {
+			dns_ntatable_shutdown(view->ntatable_priv);
+		}
+		UNLOCK(&view->lock);
+
+		/* Need to detach zones outside view lock */
+		if (mkzone != NULL) {
+			dns_zone_detach(&mkzone);
+		}
+
+		if (rdzone != NULL) {
+			dns_zone_detach(&rdzone);
+		}
+
+		dns_view_weakdetach(&view);
+	}
+}
+
+void
+dns_view_flushanddetach(dns_view_t **viewp) {
+	view_flushanddetach(viewp, true);
+}
+
+void
+dns_view_detach(dns_view_t **viewp) {
+	view_flushanddetach(viewp, false);
+}
+
+static isc_result_t
+dialup(dns_zone_t *zone, void *dummy) {
+	UNUSED(dummy);
+	dns_zone_dialup(zone);
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_view_dialup(dns_view_t *view) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(view->zonetable != NULL);
+
+	(void)dns_zt_apply(view->zonetable, isc_rwlocktype_read, false, NULL,
+			   dialup, NULL);
+}
+
+void
+dns_view_weakattach(dns_view_t *source, dns_view_t **targetp) {
+	REQUIRE(DNS_VIEW_VALID(source));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	isc_refcount_increment(&source->weakrefs);
+
+	*targetp = source;
+}
+
+void
+dns_view_weakdetach(dns_view_t **viewp) {
+	dns_view_t *view;
+
+	REQUIRE(viewp != NULL);
+	view = *viewp;
+	*viewp = NULL;
+	REQUIRE(DNS_VIEW_VALID(view));
+
+	if (isc_refcount_decrement(&view->weakrefs) == 1) {
+		destroy(view);
+	}
+}
+
+static void
+resolver_shutdown(isc_task_t *task, isc_event_t *event) {
+	dns_view_t *view = event->ev_arg;
+
+	REQUIRE(event->ev_type == DNS_EVENT_VIEWRESSHUTDOWN);
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(view->task == task);
+
+	UNUSED(task);
+
+	isc_event_free(&event);
+
+	atomic_fetch_or(&view->attributes, DNS_VIEWATTR_RESSHUTDOWN);
+	dns_view_weakdetach(&view);
+}
+
+static void
+adb_shutdown(isc_task_t *task, isc_event_t *event) {
+	dns_view_t *view = event->ev_arg;
+
+	REQUIRE(event->ev_type == DNS_EVENT_VIEWADBSHUTDOWN);
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(view->task == task);
+
+	UNUSED(task);
+
+	isc_event_free(&event);
+
+	atomic_fetch_or(&view->attributes, DNS_VIEWATTR_ADBSHUTDOWN);
+
+	dns_view_weakdetach(&view);
+}
+
+static void
+req_shutdown(isc_task_t *task, isc_event_t *event) {
+	dns_view_t *view = event->ev_arg;
+
+	REQUIRE(event->ev_type == DNS_EVENT_VIEWREQSHUTDOWN);
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(view->task == task);
+
+	UNUSED(task);
+
+	isc_event_free(&event);
+
+	atomic_fetch_or(&view->attributes, DNS_VIEWATTR_REQSHUTDOWN);
+
+	dns_view_weakdetach(&view);
+}
+
+isc_result_t
+dns_view_createzonetable(dns_view_t *view) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(!view->frozen);
+	REQUIRE(view->zonetable == NULL);
+
+	return (dns_zt_create(view->mctx, view->rdclass, &view->zonetable));
+}
+
+isc_result_t
+dns_view_createresolver(dns_view_t *view, isc_taskmgr_t *taskmgr,
+			unsigned int ntasks, unsigned int ndisp,
+			isc_socketmgr_t *socketmgr, isc_timermgr_t *timermgr,
+			unsigned int options, dns_dispatchmgr_t *dispatchmgr,
+			dns_dispatch_t *dispatchv4,
+			dns_dispatch_t *dispatchv6) {
+	isc_result_t result;
+	isc_event_t *event;
+	isc_mem_t *mctx = NULL;
+
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(!view->frozen);
+	REQUIRE(view->resolver == NULL);
+
+	result = isc_task_create(taskmgr, 0, &view->task);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	isc_task_setname(view->task, "view", view);
+
+	result = dns_resolver_create(view, taskmgr, ntasks, ndisp, socketmgr,
+				     timermgr, options, dispatchmgr, dispatchv4,
+				     dispatchv6, &view->resolver);
+	if (result != ISC_R_SUCCESS) {
+		isc_task_detach(&view->task);
+		return (result);
+	}
+	event = &view->resevent;
+	dns_resolver_whenshutdown(view->resolver, view->task, &event);
+	atomic_fetch_and(&view->attributes, ~DNS_VIEWATTR_RESSHUTDOWN);
+	isc_refcount_increment(&view->weakrefs);
+
+	isc_mem_create(&mctx);
+
+	result = dns_adb_create(mctx, view, timermgr, taskmgr, &view->adb);
+	isc_mem_setname(mctx, "ADB", NULL);
+	isc_mem_detach(&mctx);
+	if (result != ISC_R_SUCCESS) {
+		dns_resolver_shutdown(view->resolver);
+		return (result);
+	}
+	event = &view->adbevent;
+	dns_adb_whenshutdown(view->adb, view->task, &event);
+	atomic_fetch_and(&view->attributes, ~DNS_VIEWATTR_ADBSHUTDOWN);
+	isc_refcount_increment(&view->weakrefs);
+
+	result = dns_requestmgr_create(view->mctx, timermgr, socketmgr,
+				       dns_resolver_taskmgr(view->resolver),
+				       dns_resolver_dispatchmgr(view->resolver),
+				       dispatchv4, dispatchv6,
+				       &view->requestmgr);
+	if (result != ISC_R_SUCCESS) {
+		dns_adb_shutdown(view->adb);
+		dns_resolver_shutdown(view->resolver);
+		return (result);
+	}
+	event = &view->reqevent;
+	dns_requestmgr_whenshutdown(view->requestmgr, view->task, &event);
+	atomic_fetch_and(&view->attributes, ~DNS_VIEWATTR_REQSHUTDOWN);
+	isc_refcount_increment(&view->weakrefs);
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_view_setcache(dns_view_t *view, dns_cache_t *cache, bool shared) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(!view->frozen);
+
+	view->cacheshared = shared;
+	if (view->cache != NULL) {
+		dns_db_detach(&view->cachedb);
+		dns_cache_detach(&view->cache);
+	}
+	dns_cache_attach(cache, &view->cache);
+	dns_cache_attachdb(cache, &view->cachedb);
+	INSIST(DNS_DB_VALID(view->cachedb));
+}
+
+bool
+dns_view_iscacheshared(dns_view_t *view) {
+	REQUIRE(DNS_VIEW_VALID(view));
+
+	return (view->cacheshared);
+}
+
+void
+dns_view_sethints(dns_view_t *view, dns_db_t *hints) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(!view->frozen);
+	REQUIRE(view->hints == NULL);
+	REQUIRE(dns_db_iszone(hints));
+
+	dns_db_attach(hints, &view->hints);
+}
+
+void
+dns_view_setkeyring(dns_view_t *view, dns_tsig_keyring_t *ring) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(ring != NULL);
+	if (view->statickeys != NULL) {
+		dns_tsigkeyring_detach(&view->statickeys);
+	}
+	dns_tsigkeyring_attach(ring, &view->statickeys);
+}
+
+void
+dns_view_setdynamickeyring(dns_view_t *view, dns_tsig_keyring_t *ring) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(ring != NULL);
+	if (view->dynamickeys != NULL) {
+		dns_tsigkeyring_detach(&view->dynamickeys);
+	}
+	dns_tsigkeyring_attach(ring, &view->dynamickeys);
+}
+
+void
+dns_view_getdynamickeyring(dns_view_t *view, dns_tsig_keyring_t **ringp) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(ringp != NULL && *ringp == NULL);
+	if (view->dynamickeys != NULL) {
+		dns_tsigkeyring_attach(view->dynamickeys, ringp);
+	}
+}
+
+void
+dns_view_restorekeyring(dns_view_t *view) {
+	FILE *fp;
+	char keyfile[PATH_MAX];
+	isc_result_t result;
+
+	REQUIRE(DNS_VIEW_VALID(view));
+
+	if (view->dynamickeys != NULL) {
+		result = isc_file_sanitize(NULL, view->name, "tsigkeys",
+					   keyfile, sizeof(keyfile));
+		if (result == ISC_R_SUCCESS) {
+			fp = fopen(keyfile, "r");
+			if (fp != NULL) {
+				dns_keyring_restore(view->dynamickeys, fp);
+				(void)fclose(fp);
+			}
+		}
+	}
+}
+
+void
+dns_view_setdstport(dns_view_t *view, in_port_t dstport) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	view->dstport = dstport;
+}
+
+void
+dns_view_freeze(dns_view_t *view) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(!view->frozen);
+
+	if (view->resolver != NULL) {
+		INSIST(view->cachedb != NULL);
+		dns_resolver_freeze(view->resolver);
+	}
+	view->frozen = true;
+}
+
+void
+dns_view_thaw(dns_view_t *view) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(view->frozen);
+
+	view->frozen = false;
+}
+
+isc_result_t
+dns_view_addzone(dns_view_t *view, dns_zone_t *zone) {
+	isc_result_t result;
+
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(!view->frozen);
+	REQUIRE(view->zonetable != NULL);
+
+	result = dns_zt_mount(view->zonetable, zone);
+
+	return (result);
+}
+
+isc_result_t
+dns_view_findzone(dns_view_t *view, const dns_name_t *name,
+		  dns_zone_t **zonep) {
+	isc_result_t result;
+
+	REQUIRE(DNS_VIEW_VALID(view));
+
+	LOCK(&view->lock);
+	if (view->zonetable != NULL) {
+		result = dns_zt_find(view->zonetable, name, 0, NULL, zonep);
+		if (result == DNS_R_PARTIALMATCH) {
+			dns_zone_detach(zonep);
+			result = ISC_R_NOTFOUND;
+		}
+	} else {
+		result = ISC_R_NOTFOUND;
+	}
+	UNLOCK(&view->lock);
+
+	return (result);
+}
+
+isc_result_t
+dns_view_find(dns_view_t *view, const dns_name_t *name, dns_rdatatype_t type,
+	      isc_stdtime_t now, unsigned int options, bool use_hints,
+	      bool use_static_stub, dns_db_t **dbp, dns_dbnode_t **nodep,
+	      dns_name_t *foundname, dns_rdataset_t *rdataset,
+	      dns_rdataset_t *sigrdataset) {
+	isc_result_t result;
+	dns_db_t *db, *zdb;
+	dns_dbnode_t *node, *znode;
+	bool is_cache, is_staticstub_zone;
+	dns_rdataset_t zrdataset, zsigrdataset;
+	dns_zone_t *zone;
+
+	/*
+	 * Find an rdataset whose owner name is 'name', and whose type is
+	 * 'type'.
+	 */
+
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(view->frozen);
+	REQUIRE(type != dns_rdatatype_rrsig);
+	REQUIRE(rdataset != NULL); /* XXXBEW - remove this */
+	REQUIRE(nodep == NULL || *nodep == NULL);
+
+	/*
+	 * Initialize.
+	 */
+	dns_rdataset_init(&zrdataset);
+	dns_rdataset_init(&zsigrdataset);
+	zdb = NULL;
+	znode = NULL;
+
+	/*
+	 * Find a database to answer the query.
+	 */
+	db = NULL;
+	node = NULL;
+	is_staticstub_zone = false;
+	zone = NULL;
+	LOCK(&view->lock);
+	if (view->zonetable != NULL) {
+		result = dns_zt_find(view->zonetable, name, DNS_ZTFIND_MIRROR,
+				     NULL, &zone);
+	} else {
+		result = ISC_R_NOTFOUND;
+	}
+	UNLOCK(&view->lock);
+	if (zone != NULL && dns_zone_gettype(zone) == dns_zone_staticstub &&
+	    !use_static_stub)
+	{
+		result = ISC_R_NOTFOUND;
+	}
+	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
+		result = dns_zone_getdb(zone, &db);
+		if (result != ISC_R_SUCCESS && view->cachedb != NULL) {
+			dns_db_attach(view->cachedb, &db);
+		} else if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+		if (dns_zone_gettype(zone) == dns_zone_staticstub &&
+		    dns_name_equal(name, dns_zone_getorigin(zone)))
+		{
+			is_staticstub_zone = true;
+		}
+	} else if (result == ISC_R_NOTFOUND && view->cachedb != NULL) {
+		dns_db_attach(view->cachedb, &db);
+	} else {
+		goto cleanup;
+	}
+
+	is_cache = dns_db_iscache(db);
+
+db_find:
+	/*
+	 * Now look for an answer in the database.
+	 */
+	result = dns_db_find(db, name, NULL, type, options, now, &node,
+			     foundname, rdataset, sigrdataset);
+
+	if (result == DNS_R_DELEGATION || result == ISC_R_NOTFOUND) {
+		if (dns_rdataset_isassociated(rdataset)) {
+			dns_rdataset_disassociate(rdataset);
+		}
+		if (sigrdataset != NULL &&
+		    dns_rdataset_isassociated(sigrdataset))
+		{
+			dns_rdataset_disassociate(sigrdataset);
+		}
+		if (node != NULL) {
+			dns_db_detachnode(db, &node);
+		}
+		if (!is_cache) {
+			dns_db_detach(&db);
+			if (view->cachedb != NULL && !is_staticstub_zone) {
+				/*
+				 * Either the answer is in the cache, or we
+				 * don't know it.
+				 * Note that if the result comes from a
+				 * static-stub zone we stop the search here
+				 * (see the function description in view.h).
+				 */
+				is_cache = true;
+				dns_db_attach(view->cachedb, &db);
+				goto db_find;
+			}
+		} else {
+			/*
+			 * We don't have the data in the cache.  If we've got
+			 * glue from the zone, use it.
+			 */
+			if (dns_rdataset_isassociated(&zrdataset)) {
+				dns_rdataset_clone(&zrdataset, rdataset);
+				if (sigrdataset != NULL &&
+				    dns_rdataset_isassociated(&zsigrdataset))
+				{
+					dns_rdataset_clone(&zsigrdataset,
+							   sigrdataset);
+				}
+				result = DNS_R_GLUE;
+				if (db != NULL) {
+					dns_db_detach(&db);
+				}
+				dns_db_attach(zdb, &db);
+				dns_db_attachnode(db, znode, &node);
+				goto cleanup;
+			}
+		}
+		/*
+		 * We don't know the answer.
+		 */
+		result = ISC_R_NOTFOUND;
+	} else if (result == DNS_R_GLUE) {
+		if (view->cachedb != NULL && !is_staticstub_zone) {
+			/*
+			 * We found an answer, but the cache may be better.
+			 * Remember what we've got and go look in the cache.
+			 */
+			is_cache = true;
+			dns_rdataset_clone(rdataset, &zrdataset);
+			dns_rdataset_disassociate(rdataset);
+			if (sigrdataset != NULL &&
+			    dns_rdataset_isassociated(sigrdataset))
+			{
+				dns_rdataset_clone(sigrdataset, &zsigrdataset);
+				dns_rdataset_disassociate(sigrdataset);
+			}
+			dns_db_attach(db, &zdb);
+			dns_db_attachnode(zdb, node, &znode);
+			dns_db_detachnode(db, &node);
+			dns_db_detach(&db);
+			dns_db_attach(view->cachedb, &db);
+			goto db_find;
+		}
+		/*
+		 * Otherwise, the glue is the best answer.
+		 */
+		result = ISC_R_SUCCESS;
+	}
+
+	if (result == ISC_R_NOTFOUND && use_hints && view->hints != NULL) {
+		if (dns_rdataset_isassociated(rdataset)) {
+			dns_rdataset_disassociate(rdataset);
+		}
+		if (sigrdataset != NULL &&
+		    dns_rdataset_isassociated(sigrdataset))
+		{
+			dns_rdataset_disassociate(sigrdataset);
+		}
+		if (db != NULL) {
+			if (node != NULL) {
+				dns_db_detachnode(db, &node);
+			}
+			dns_db_detach(&db);
+		}
+		result = dns_db_find(view->hints, name, NULL, type, options,
+				     now, &node, foundname, rdataset,
+				     sigrdataset);
+		if (result == ISC_R_SUCCESS || result == DNS_R_GLUE) {
+			/*
+			 * We just used a hint.  Let the resolver know it
+			 * should consider priming.
+			 */
+			dns_resolver_prime(view->resolver);
+			dns_db_attach(view->hints, &db);
+			result = DNS_R_HINT;
+		} else if (result == DNS_R_NXRRSET) {
+			dns_db_attach(view->hints, &db);
+			result = DNS_R_HINTNXRRSET;
+		} else if (result == DNS_R_NXDOMAIN) {
+			result = ISC_R_NOTFOUND;
+		}
+
+		/*
+		 * Cleanup if non-standard hints are used.
+		 */
+		if (db == NULL && node != NULL) {
+			dns_db_detachnode(view->hints, &node);
+		}
+	}
+
+cleanup:
+	if (dns_rdataset_isassociated(&zrdataset)) {
+		dns_rdataset_disassociate(&zrdataset);
+		if (dns_rdataset_isassociated(&zsigrdataset)) {
+			dns_rdataset_disassociate(&zsigrdataset);
+		}
+	}
+
+	if (zdb != NULL) {
+		if (znode != NULL) {
+			dns_db_detachnode(zdb, &znode);
+		}
+		dns_db_detach(&zdb);
+	}
+
+	if (db != NULL) {
+		if (node != NULL) {
+			if (nodep != NULL) {
+				*nodep = node;
+			} else {
+				dns_db_detachnode(db, &node);
+			}
+		}
+		if (dbp != NULL) {
+			*dbp = db;
+		} else {
+			dns_db_detach(&db);
+		}
+	} else {
+		INSIST(node == NULL);
+	}
+
+	if (zone != NULL) {
+		dns_zone_detach(&zone);
+	}
+
+	return (result);
+}
+
+isc_result_t
+dns_view_simplefind(dns_view_t *view, const dns_name_t *name,
+		    dns_rdatatype_t type, isc_stdtime_t now,
+		    unsigned int options, bool use_hints,
+		    dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) {
+	isc_result_t result;
+	dns_fixedname_t foundname;
+
+	dns_fixedname_init(&foundname);
+	result = dns_view_find(view, name, type, now, options, use_hints, false,
+			       NULL, NULL, dns_fixedname_name(&foundname),
+			       rdataset, sigrdataset);
+	if (result == DNS_R_NXDOMAIN) {
+		/*
+		 * The rdataset and sigrdataset of the relevant NSEC record
+		 * may be returned, but the caller cannot use them because
+		 * foundname is not returned by this simplified API.  We
+		 * disassociate them here to prevent any misuse by the caller.
+		 */
+		if (dns_rdataset_isassociated(rdataset)) {
+			dns_rdataset_disassociate(rdataset);
+		}
+		if (sigrdataset != NULL &&
+		    dns_rdataset_isassociated(sigrdataset))
+		{
+			dns_rdataset_disassociate(sigrdataset);
+		}
+	} else if (result != ISC_R_SUCCESS && result != DNS_R_GLUE &&
+		   result != DNS_R_HINT && result != DNS_R_NCACHENXDOMAIN &&
+		   result != DNS_R_NCACHENXRRSET && result != DNS_R_NXRRSET &&
+		   result != DNS_R_HINTNXRRSET && result != ISC_R_NOTFOUND)
+	{
+		if (dns_rdataset_isassociated(rdataset)) {
+			dns_rdataset_disassociate(rdataset);
+		}
+		if (sigrdataset != NULL &&
+		    dns_rdataset_isassociated(sigrdataset))
+		{
+			dns_rdataset_disassociate(sigrdataset);
+		}
+		result = ISC_R_NOTFOUND;
+	}
+
+	return (result);
+}
+
+isc_result_t
+dns_view_findzonecut(dns_view_t *view, const dns_name_t *name,
+		     dns_name_t *fname, dns_name_t *dcname, isc_stdtime_t now,
+		     unsigned int options, bool use_hints, bool use_cache,
+		     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) {
+	isc_result_t result;
+	dns_db_t *db;
+	bool is_cache, use_zone, try_hints;
+	dns_zone_t *zone;
+	dns_name_t *zfname;
+	dns_rdataset_t zrdataset, zsigrdataset;
+	dns_fixedname_t zfixedname;
+	unsigned int ztoptions = DNS_ZTFIND_MIRROR;
+
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(view->frozen);
+
+	db = NULL;
+	use_zone = false;
+	try_hints = false;
+	zfname = NULL;
+
+	/*
+	 * Initialize.
+	 */
+	dns_fixedname_init(&zfixedname);
+	dns_rdataset_init(&zrdataset);
+	dns_rdataset_init(&zsigrdataset);
+
+	/*
+	 * Find the right database.
+	 */
+	zone = NULL;
+	LOCK(&view->lock);
+	if (view->zonetable != NULL) {
+		if ((options & DNS_DBFIND_NOEXACT) != 0) {
+			ztoptions |= DNS_ZTFIND_NOEXACT;
+		}
+		result = dns_zt_find(view->zonetable, name, ztoptions, NULL,
+				     &zone);
+	} else {
+		result = ISC_R_NOTFOUND;
+	}
+	UNLOCK(&view->lock);
+	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
+		result = dns_zone_getdb(zone, &db);
+	}
+	if (result == ISC_R_NOTFOUND) {
+		/*
+		 * We're not directly authoritative for this query name, nor
+		 * is it a subdomain of any zone for which we're
+		 * authoritative.
+		 */
+		if (use_cache && view->cachedb != NULL) {
+			/*
+			 * We have a cache; try it.
+			 */
+			dns_db_attach(view->cachedb, &db);
+		} else if (use_hints && view->hints != NULL) {
+			/*
+			 * Maybe we have hints...
+			 */
+			try_hints = true;
+			goto finish;
+		} else {
+			result = DNS_R_NXDOMAIN;
+			goto cleanup;
+		}
+	} else if (result != ISC_R_SUCCESS) {
+		/*
+		 * Something is broken.
+		 */
+		goto cleanup;
+	}
+	is_cache = dns_db_iscache(db);
+
+db_find:
+	/*
+	 * Look for the zonecut.
+	 */
+	if (!is_cache) {
+		result = dns_db_find(db, name, NULL, dns_rdatatype_ns, options,
+				     now, NULL, fname, rdataset, sigrdataset);
+		if (result == DNS_R_DELEGATION) {
+			result = ISC_R_SUCCESS;
+		} else if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+
+		if (use_cache && view->cachedb != NULL && db != view->hints) {
+			/*
+			 * We found an answer, but the cache may be better.
+			 */
+			zfname = dns_fixedname_name(&zfixedname);
+			dns_name_copynf(fname, zfname);
+			dns_rdataset_clone(rdataset, &zrdataset);
+			dns_rdataset_disassociate(rdataset);
+			if (sigrdataset != NULL &&
+			    dns_rdataset_isassociated(sigrdataset))
+			{
+				dns_rdataset_clone(sigrdataset, &zsigrdataset);
+				dns_rdataset_disassociate(sigrdataset);
+			}
+			dns_db_detach(&db);
+			dns_db_attach(view->cachedb, &db);
+			is_cache = true;
+			goto db_find;
+		}
+	} else {
+		result = dns_db_findzonecut(db, name, options, now, NULL, fname,
+					    dcname, rdataset, sigrdataset);
+		if (result == ISC_R_SUCCESS) {
+			if (zfname != NULL &&
+			    (!dns_name_issubdomain(fname, zfname) ||
+			     (dns_zone_gettype(zone) == dns_zone_staticstub &&
+			      dns_name_equal(fname, zfname))))
+			{
+				/*
+				 * We found a zonecut in the cache, but our
+				 * zone delegation is better.
+				 */
+				use_zone = true;
+			}
+		} else if (result == ISC_R_NOTFOUND) {
+			if (zfname != NULL) {
+				/*
+				 * We didn't find anything in the cache, but we
+				 * have a zone delegation, so use it.
+				 */
+				use_zone = true;
+				result = ISC_R_SUCCESS;
+			} else if (use_hints && view->hints != NULL) {
+				/*
+				 * Maybe we have hints...
+				 */
+				try_hints = true;
+				result = ISC_R_SUCCESS;
+			} else {
+				result = DNS_R_NXDOMAIN;
+			}
+		} else {
+			/*
+			 * Something bad happened.
+			 */
+			goto cleanup;
+		}
+	}
+
+finish:
+	if (use_zone) {
+		if (dns_rdataset_isassociated(rdataset)) {
+			dns_rdataset_disassociate(rdataset);
+			if (sigrdataset != NULL &&
+			    dns_rdataset_isassociated(sigrdataset))
+			{
+				dns_rdataset_disassociate(sigrdataset);
+			}
+		}
+		dns_name_copynf(zfname, fname);
+		if (dcname != NULL) {
+			dns_name_copynf(zfname, dcname);
+		}
+		dns_rdataset_clone(&zrdataset, rdataset);
+		if (sigrdataset != NULL &&
+		    dns_rdataset_isassociated(&zrdataset))
+		{
+			dns_rdataset_clone(&zsigrdataset, sigrdataset);
+		}
+	} else if (try_hints) {
+		/*
+		 * We've found nothing so far, but we have hints.
+		 */
+		result = dns_db_find(view->hints, dns_rootname, NULL,
+				     dns_rdatatype_ns, 0, now, NULL, fname,
+				     rdataset, NULL);
+		if (result != ISC_R_SUCCESS) {
+			/*
+			 * We can't even find the hints for the root
+			 * nameservers!
+			 */
+			if (dns_rdataset_isassociated(rdataset)) {
+				dns_rdataset_disassociate(rdataset);
+			}
+			result = ISC_R_NOTFOUND;
+		} else if (dcname != NULL) {
+			dns_name_copynf(fname, dcname);
+		}
+	}
+
+cleanup:
+	if (dns_rdataset_isassociated(&zrdataset)) {
+		dns_rdataset_disassociate(&zrdataset);
+		if (dns_rdataset_isassociated(&zsigrdataset)) {
+			dns_rdataset_disassociate(&zsigrdataset);
+		}
+	}
+	if (db != NULL) {
+		dns_db_detach(&db);
+	}
+	if (zone != NULL) {
+		dns_zone_detach(&zone);
+	}
+
+	return (result);
+}
+
+isc_result_t
+dns_viewlist_find(dns_viewlist_t *list, const char *name,
+		  dns_rdataclass_t rdclass, dns_view_t **viewp) {
+	dns_view_t *view;
+
+	REQUIRE(list != NULL);
+
+	for (view = ISC_LIST_HEAD(*list); view != NULL;
+	     view = ISC_LIST_NEXT(view, link))
+	{
+		if (strcmp(view->name, name) == 0 && view->rdclass == rdclass) {
+			break;
+		}
+	}
+	if (view == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	dns_view_attach(view, viewp);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_viewlist_findzone(dns_viewlist_t *list, const dns_name_t *name,
+		      bool allclasses, dns_rdataclass_t rdclass,
+		      dns_zone_t **zonep) {
+	dns_view_t *view;
+	isc_result_t result;
+	dns_zone_t *zone1 = NULL, *zone2 = NULL;
+	dns_zone_t **zp = NULL;
+
+	REQUIRE(list != NULL);
+	REQUIRE(zonep != NULL && *zonep == NULL);
+
+	for (view = ISC_LIST_HEAD(*list); view != NULL;
+	     view = ISC_LIST_NEXT(view, link))
+	{
+		if (!allclasses && view->rdclass != rdclass) {
+			continue;
+		}
+
+		/*
+		 * If the zone is defined in more than one view,
+		 * treat it as not found.
+		 */
+		zp = (zone1 == NULL) ? &zone1 : &zone2;
+		LOCK(&view->lock);
+		if (view->zonetable != NULL) {
+			result = dns_zt_find(view->zonetable, name, 0, NULL,
+					     zp);
+		} else {
+			result = ISC_R_NOTFOUND;
+		}
+		UNLOCK(&view->lock);
+		INSIST(result == ISC_R_SUCCESS || result == ISC_R_NOTFOUND ||
+		       result == DNS_R_PARTIALMATCH);
+
+		/* Treat a partial match as no match */
+		if (result == DNS_R_PARTIALMATCH) {
+			dns_zone_detach(zp);
+			result = ISC_R_NOTFOUND;
+			POST(result);
+		}
+
+		if (zone2 != NULL) {
+			dns_zone_detach(&zone1);
+			dns_zone_detach(&zone2);
+			return (ISC_R_MULTIPLE);
+		}
+	}
+
+	if (zone1 != NULL) {
+		dns_zone_attach(zone1, zonep);
+		dns_zone_detach(&zone1);
+		return (ISC_R_SUCCESS);
+	}
+
+	return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
+dns_view_load(dns_view_t *view, bool stop, bool newonly) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(view->zonetable != NULL);
+
+	return (dns_zt_load(view->zonetable, stop, newonly));
+}
+
+isc_result_t
+dns_view_asyncload(dns_view_t *view, bool newonly, dns_zt_allloaded_t callback,
+		   void *arg) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(view->zonetable != NULL);
+
+	return (dns_zt_asyncload(view->zonetable, newonly, callback, arg));
+}
+
+isc_result_t
+dns_view_gettsig(dns_view_t *view, const dns_name_t *keyname,
+		 dns_tsigkey_t **keyp) {
+	isc_result_t result;
+	REQUIRE(keyp != NULL && *keyp == NULL);
+
+	result = dns_tsigkey_find(keyp, keyname, NULL, view->statickeys);
+	if (result == ISC_R_NOTFOUND) {
+		result = dns_tsigkey_find(keyp, keyname, NULL,
+					  view->dynamickeys);
+	}
+	return (result);
+}
+
+isc_result_t
+dns_view_getpeertsig(dns_view_t *view, const isc_netaddr_t *peeraddr,
+		     dns_tsigkey_t **keyp) {
+	isc_result_t result;
+	dns_name_t *keyname = NULL;
+	dns_peer_t *peer = NULL;
+
+	result = dns_peerlist_peerbyaddr(view->peers, peeraddr, &peer);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = dns_peer_getkey(peer, &keyname);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = dns_view_gettsig(view, keyname, keyp);
+	return ((result == ISC_R_NOTFOUND) ? ISC_R_FAILURE : result);
+}
+
+isc_result_t
+dns_view_checksig(dns_view_t *view, isc_buffer_t *source, dns_message_t *msg) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(source != NULL);
+
+	return (dns_tsig_verify(source, msg, view->statickeys,
+				view->dynamickeys));
+}
+
+isc_result_t
+dns_view_dumpdbtostream(dns_view_t *view, FILE *fp) {
+	isc_result_t result;
+
+	REQUIRE(DNS_VIEW_VALID(view));
+
+	(void)fprintf(fp, ";\n; Cache dump of view '%s'\n;\n", view->name);
+	result = dns_master_dumptostream(view->mctx, view->cachedb, NULL,
+					 &dns_master_style_cache,
+					 dns_masterformat_text, NULL, fp);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	dns_adb_dump(view->adb, fp);
+	dns_resolver_printbadcache(view->resolver, fp);
+	dns_badcache_print(view->failcache, "SERVFAIL cache", fp);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_view_flushcache(dns_view_t *view, bool fixuponly) {
+	isc_result_t result;
+
+	REQUIRE(DNS_VIEW_VALID(view));
+
+	if (view->cachedb == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+	if (!fixuponly) {
+		result = dns_cache_flush(view->cache);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+	dns_db_detach(&view->cachedb);
+	dns_cache_attachdb(view->cache, &view->cachedb);
+	if (view->resolver != NULL) {
+		dns_resolver_flushbadcache(view->resolver, NULL);
+	}
+	if (view->failcache != NULL) {
+		dns_badcache_flush(view->failcache);
+	}
+
+	dns_adb_flush(view->adb);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_view_flushname(dns_view_t *view, const dns_name_t *name) {
+	return (dns_view_flushnode(view, name, false));
+}
+
+isc_result_t
+dns_view_flushnode(dns_view_t *view, const dns_name_t *name, bool tree) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(DNS_VIEW_VALID(view));
+
+	if (tree) {
+		if (view->adb != NULL) {
+			dns_adb_flushnames(view->adb, name);
+		}
+		if (view->resolver != NULL) {
+			dns_resolver_flushbadnames(view->resolver, name);
+		}
+		if (view->failcache != NULL) {
+			dns_badcache_flushtree(view->failcache, name);
+		}
+	} else {
+		if (view->adb != NULL) {
+			dns_adb_flushname(view->adb, name);
+		}
+		if (view->resolver != NULL) {
+			dns_resolver_flushbadcache(view->resolver, name);
+		}
+		if (view->failcache != NULL) {
+			dns_badcache_flushname(view->failcache, name);
+		}
+	}
+
+	if (view->cache != NULL) {
+		result = dns_cache_flushnode(view->cache, name, tree);
+	}
+
+	return (result);
+}
+
+isc_result_t
+dns_view_adddelegationonly(dns_view_t *view, const dns_name_t *name) {
+	dns_name_t *item;
+	unsigned int hash;
+
+	REQUIRE(DNS_VIEW_VALID(view));
+
+	if (view->delonly == NULL) {
+		view->delonly = isc_mem_get(view->mctx,
+					    sizeof(dns_namelist_t) *
+						    DNS_VIEW_DELONLYHASH);
+		for (hash = 0; hash < DNS_VIEW_DELONLYHASH; hash++) {
+			ISC_LIST_INIT(view->delonly[hash]);
+		}
+	}
+	hash = dns_name_hash(name, false) % DNS_VIEW_DELONLYHASH;
+	item = ISC_LIST_HEAD(view->delonly[hash]);
+	while (item != NULL && !dns_name_equal(item, name)) {
+		item = ISC_LIST_NEXT(item, link);
+	}
+	if (item != NULL) {
+		return (ISC_R_SUCCESS);
+	}
+	item = isc_mem_get(view->mctx, sizeof(*item));
+	dns_name_init(item, NULL);
+	dns_name_dup(name, view->mctx, item);
+	ISC_LIST_APPEND(view->delonly[hash], item, link);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_view_excludedelegationonly(dns_view_t *view, const dns_name_t *name) {
+	dns_name_t *item;
+	unsigned int hash;
+
+	REQUIRE(DNS_VIEW_VALID(view));
+
+	if (view->rootexclude == NULL) {
+		view->rootexclude = isc_mem_get(view->mctx,
+						sizeof(dns_namelist_t) *
+							DNS_VIEW_DELONLYHASH);
+		for (hash = 0; hash < DNS_VIEW_DELONLYHASH; hash++) {
+			ISC_LIST_INIT(view->rootexclude[hash]);
+		}
+	}
+	hash = dns_name_hash(name, false) % DNS_VIEW_DELONLYHASH;
+	item = ISC_LIST_HEAD(view->rootexclude[hash]);
+	while (item != NULL && !dns_name_equal(item, name)) {
+		item = ISC_LIST_NEXT(item, link);
+	}
+	if (item != NULL) {
+		return (ISC_R_SUCCESS);
+	}
+	item = isc_mem_get(view->mctx, sizeof(*item));
+	dns_name_init(item, NULL);
+	dns_name_dup(name, view->mctx, item);
+	ISC_LIST_APPEND(view->rootexclude[hash], item, link);
+	return (ISC_R_SUCCESS);
+}
+
+bool
+dns_view_isdelegationonly(dns_view_t *view, const dns_name_t *name) {
+	dns_name_t *item;
+	unsigned int hash;
+
+	REQUIRE(DNS_VIEW_VALID(view));
+
+	if (!view->rootdelonly && view->delonly == NULL) {
+		return (false);
+	}
+
+	hash = dns_name_hash(name, false) % DNS_VIEW_DELONLYHASH;
+	if (view->rootdelonly && dns_name_countlabels(name) <= 2) {
+		if (view->rootexclude == NULL) {
+			return (true);
+		}
+		item = ISC_LIST_HEAD(view->rootexclude[hash]);
+		while (item != NULL && !dns_name_equal(item, name)) {
+			item = ISC_LIST_NEXT(item, link);
+		}
+		if (item == NULL) {
+			return (true);
+		}
+	}
+
+	if (view->delonly == NULL) {
+		return (false);
+	}
+
+	item = ISC_LIST_HEAD(view->delonly[hash]);
+	while (item != NULL && !dns_name_equal(item, name)) {
+		item = ISC_LIST_NEXT(item, link);
+	}
+	if (item == NULL) {
+		return (false);
+	}
+	return (true);
+}
+
+void
+dns_view_setrootdelonly(dns_view_t *view, bool value) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	view->rootdelonly = value;
+}
+
+bool
+dns_view_getrootdelonly(dns_view_t *view) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	return (view->rootdelonly);
+}
+
+isc_result_t
+dns_view_freezezones(dns_view_t *view, bool value) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(view->zonetable != NULL);
+
+	return (dns_zt_freezezones(view->zonetable, view, value));
+}
+
+void
+dns_view_setadbstats(dns_view_t *view, isc_stats_t *stats) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(!view->frozen);
+	REQUIRE(view->adbstats == NULL);
+
+	isc_stats_attach(stats, &view->adbstats);
+}
+
+void
+dns_view_getadbstats(dns_view_t *view, isc_stats_t **statsp) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(statsp != NULL && *statsp == NULL);
+
+	if (view->adbstats != NULL) {
+		isc_stats_attach(view->adbstats, statsp);
+	}
+}
+
+void
+dns_view_setresstats(dns_view_t *view, isc_stats_t *stats) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(!view->frozen);
+	REQUIRE(view->resstats == NULL);
+
+	isc_stats_attach(stats, &view->resstats);
+}
+
+void
+dns_view_getresstats(dns_view_t *view, isc_stats_t **statsp) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(statsp != NULL && *statsp == NULL);
+
+	if (view->resstats != NULL) {
+		isc_stats_attach(view->resstats, statsp);
+	}
+}
+
+void
+dns_view_setresquerystats(dns_view_t *view, dns_stats_t *stats) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(!view->frozen);
+	REQUIRE(view->resquerystats == NULL);
+
+	dns_stats_attach(stats, &view->resquerystats);
+}
+
+void
+dns_view_getresquerystats(dns_view_t *view, dns_stats_t **statsp) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(statsp != NULL && *statsp == NULL);
+
+	if (view->resquerystats != NULL) {
+		dns_stats_attach(view->resquerystats, statsp);
+	}
+}
+
+isc_result_t
+dns_view_initntatable(dns_view_t *view, isc_taskmgr_t *taskmgr,
+		      isc_timermgr_t *timermgr) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	if (view->ntatable_priv != NULL) {
+		dns_ntatable_detach(&view->ntatable_priv);
+	}
+	return (dns_ntatable_create(view, taskmgr, timermgr,
+				    &view->ntatable_priv));
+}
+
+isc_result_t
+dns_view_getntatable(dns_view_t *view, dns_ntatable_t **ntp) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(ntp != NULL && *ntp == NULL);
+	if (view->ntatable_priv == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+	dns_ntatable_attach(view->ntatable_priv, ntp);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_view_initsecroots(dns_view_t *view, isc_mem_t *mctx) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	if (view->secroots_priv != NULL) {
+		dns_keytable_detach(&view->secroots_priv);
+	}
+	return (dns_keytable_create(mctx, &view->secroots_priv));
+}
+
+isc_result_t
+dns_view_getsecroots(dns_view_t *view, dns_keytable_t **ktp) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(ktp != NULL && *ktp == NULL);
+	if (view->secroots_priv == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+	dns_keytable_attach(view->secroots_priv, ktp);
+	return (ISC_R_SUCCESS);
+}
+
+bool
+dns_view_ntacovers(dns_view_t *view, isc_stdtime_t now, const dns_name_t *name,
+		   const dns_name_t *anchor) {
+	REQUIRE(DNS_VIEW_VALID(view));
+
+	if (view->ntatable_priv == NULL) {
+		return (false);
+	}
+
+	return (dns_ntatable_covered(view->ntatable_priv, now, name, anchor));
+}
+
+isc_result_t
+dns_view_issecuredomain(dns_view_t *view, const dns_name_t *name,
+			isc_stdtime_t now, bool checknta, bool *ntap,
+			bool *secure_domain) {
+	isc_result_t result;
+	bool secure = false;
+	dns_fixedname_t fn;
+	dns_name_t *anchor;
+
+	REQUIRE(DNS_VIEW_VALID(view));
+
+	if (view->secroots_priv == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	anchor = dns_fixedname_initname(&fn);
+
+	result = dns_keytable_issecuredomain(view->secroots_priv, name, anchor,
+					     &secure);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	if (ntap != NULL) {
+		*ntap = false;
+	}
+	if (checknta && secure && view->ntatable_priv != NULL &&
+	    dns_ntatable_covered(view->ntatable_priv, now, name, anchor))
+	{
+		if (ntap != NULL) {
+			*ntap = true;
+		}
+		secure = false;
+	}
+
+	*secure_domain = secure;
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_view_untrust(dns_view_t *view, const dns_name_t *keyname,
+		 const dns_rdata_dnskey_t *dnskey) {
+	isc_result_t result;
+	dns_keytable_t *sr = NULL;
+	dns_rdata_dnskey_t tmpkey;
+
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(keyname != NULL);
+	REQUIRE(dnskey != NULL);
+
+	result = dns_view_getsecroots(view, &sr);
+	if (result != ISC_R_SUCCESS) {
+		return;
+	}
+
+	/*
+	 * Clear the revoke bit, if set, so that the key will match what's
+	 * in secroots now.
+	 */
+	tmpkey = *dnskey;
+	tmpkey.flags &= ~DNS_KEYFLAG_REVOKE;
+
+	result = dns_keytable_deletekey(sr, keyname, &tmpkey);
+	if (result == ISC_R_SUCCESS) {
+		/*
+		 * If key was found in secroots, then it was a
+		 * configured trust anchor, and we want to fail
+		 * secure. If there are no other configured keys,
+		 * then leave a null key so that we can't validate
+		 * anymore.
+		 */
+		dns_keytable_marksecure(sr, keyname);
+	}
+
+	dns_keytable_detach(&sr);
+}
+
+bool
+dns_view_istrusted(dns_view_t *view, const dns_name_t *keyname,
+		   const dns_rdata_dnskey_t *dnskey) {
+	isc_result_t result;
+	dns_keytable_t *sr = NULL;
+	dns_keynode_t *knode = NULL;
+	bool answer = false;
+	dns_rdataset_t dsset;
+
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(keyname != NULL);
+	REQUIRE(dnskey != NULL);
+
+	result = dns_view_getsecroots(view, &sr);
+	if (result != ISC_R_SUCCESS) {
+		return (false);
+	}
+
+	dns_rdataset_init(&dsset);
+	result = dns_keytable_find(sr, keyname, &knode);
+	if (result == ISC_R_SUCCESS) {
+		if (dns_keynode_dsset(knode, &dsset)) {
+			dns_rdata_t rdata = DNS_RDATA_INIT;
+			unsigned char data[4096], digest[DNS_DS_BUFFERSIZE];
+			dns_rdata_dnskey_t tmpkey = *dnskey;
+			dns_rdata_ds_t ds;
+			isc_buffer_t b;
+			dns_rdataclass_t rdclass = tmpkey.common.rdclass;
+
+			/*
+			 * Clear the revoke bit, if set, so that the key
+			 * will match what's in secroots now.
+			 */
+			tmpkey.flags &= ~DNS_KEYFLAG_REVOKE;
+
+			isc_buffer_init(&b, data, sizeof(data));
+			result = dns_rdata_fromstruct(&rdata, rdclass,
+						      dns_rdatatype_dnskey,
+						      &tmpkey, &b);
+			if (result != ISC_R_SUCCESS) {
+				goto finish;
+			}
+
+			result = dns_ds_fromkeyrdata(keyname, &rdata,
+						     DNS_DSDIGEST_SHA256,
+						     digest, &ds);
+			if (result != ISC_R_SUCCESS) {
+				goto finish;
+			}
+
+			dns_rdata_reset(&rdata);
+			isc_buffer_init(&b, data, sizeof(data));
+			result = dns_rdata_fromstruct(
+				&rdata, rdclass, dns_rdatatype_ds, &ds, &b);
+			if (result != ISC_R_SUCCESS) {
+				goto finish;
+			}
+
+			result = dns_rdataset_first(&dsset);
+			while (result == ISC_R_SUCCESS) {
+				dns_rdata_t this = DNS_RDATA_INIT;
+				dns_rdataset_current(&dsset, &this);
+				if (dns_rdata_compare(&rdata, &this) == 0) {
+					answer = true;
+					break;
+				}
+				result = dns_rdataset_next(&dsset);
+			}
+		}
+	}
+
+finish:
+	if (dns_rdataset_isassociated(&dsset)) {
+		dns_rdataset_disassociate(&dsset);
+	}
+	if (knode != NULL) {
+		dns_keytable_detachkeynode(sr, &knode);
+	}
+	dns_keytable_detach(&sr);
+	return (answer);
+}
+
+/*
+ * Create path to a directory and a filename constructed from viewname.
+ * This is a front-end to isc_file_sanitize(), allowing backward
+ * compatibility to older versions when a file couldn't be expected
+ * to be in the specified directory but might be in the current working
+ * directory instead.
+ *
+ * It first tests for the existence of a file <viewname>.<suffix> in
+ * 'directory'. If the file does not exist, it checks again in the
+ * current working directory. If it does not exist there either,
+ * return the path inside the directory.
+ *
+ * Returns ISC_R_SUCCESS if a path to an existing file is found or
+ * a new path is created; returns ISC_R_NOSPACE if the path won't
+ * fit in 'buflen'.
+ */
+
+static isc_result_t
+nz_legacy(const char *directory, const char *viewname, const char *suffix,
+	  char *buffer, size_t buflen) {
+	isc_result_t result;
+	char newbuf[PATH_MAX];
+
+	result = isc_file_sanitize(directory, viewname, suffix, buffer, buflen);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	} else if (directory == NULL || isc_file_exists(buffer)) {
+		return (ISC_R_SUCCESS);
+	} else {
+		/* Save buffer */
+		strlcpy(newbuf, buffer, sizeof(newbuf));
+	}
+
+	/*
+	 * It isn't in the specified directory; check CWD.
+	 */
+	result = isc_file_sanitize(NULL, viewname, suffix, buffer, buflen);
+	if (result != ISC_R_SUCCESS || isc_file_exists(buffer)) {
+		return (result);
+	}
+
+	/*
+	 * File does not exist in either 'directory' or CWD,
+	 * so use the path in 'directory'.
+	 */
+	strlcpy(buffer, newbuf, buflen);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_view_setnewzones(dns_view_t *view, bool allow, void *cfgctx,
+		     void (*cfg_destroy)(void **), uint64_t mapsize) {
+	isc_result_t result = ISC_R_SUCCESS;
+	char buffer[1024];
+#ifdef HAVE_LMDB
+	MDB_env *env = NULL;
+	int status;
+#endif /* ifdef HAVE_LMDB */
+
+#ifndef HAVE_LMDB
+	UNUSED(mapsize);
+#endif /* ifndef HAVE_LMDB */
+
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE((cfgctx != NULL && cfg_destroy != NULL) || !allow);
+
+	if (view->new_zone_file != NULL) {
+		isc_mem_free(view->mctx, view->new_zone_file);
+		view->new_zone_file = NULL;
+	}
+
+#ifdef HAVE_LMDB
+	if (view->new_zone_dbenv != NULL) {
+		mdb_env_close((MDB_env *)view->new_zone_dbenv);
+		view->new_zone_dbenv = NULL;
+	}
+
+	if (view->new_zone_db != NULL) {
+		isc_mem_free(view->mctx, view->new_zone_db);
+		view->new_zone_db = NULL;
+	}
+#endif /* HAVE_LMDB */
+
+	if (view->new_zone_config != NULL) {
+		view->cfg_destroy(&view->new_zone_config);
+		view->cfg_destroy = NULL;
+	}
+
+	if (!allow) {
+		return (ISC_R_SUCCESS);
+	}
+
+	CHECK(nz_legacy(view->new_zone_dir, view->name, "nzf", buffer,
+			sizeof(buffer)));
+
+	view->new_zone_file = isc_mem_strdup(view->mctx, buffer);
+
+#ifdef HAVE_LMDB
+	CHECK(nz_legacy(view->new_zone_dir, view->name, "nzd", buffer,
+			sizeof(buffer)));
+
+	view->new_zone_db = isc_mem_strdup(view->mctx, buffer);
+
+	status = mdb_env_create(&env);
+	if (status != MDB_SUCCESS) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_OTHER, ISC_LOG_ERROR,
+			      "mdb_env_create failed: %s",
+			      mdb_strerror(status));
+		CHECK(ISC_R_FAILURE);
+	}
+
+	if (mapsize != 0ULL) {
+		status = mdb_env_set_mapsize(env, mapsize);
+		if (status != MDB_SUCCESS) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+				      ISC_LOGMODULE_OTHER, ISC_LOG_ERROR,
+				      "mdb_env_set_mapsize failed: %s",
+				      mdb_strerror(status));
+			CHECK(ISC_R_FAILURE);
+		}
+		view->new_zone_mapsize = mapsize;
+	}
+
+	status = mdb_env_open(env, view->new_zone_db, DNS_LMDB_FLAGS, 0600);
+	if (status != MDB_SUCCESS) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_OTHER, ISC_LOG_ERROR,
+			      "mdb_env_open of '%s' failed: %s",
+			      view->new_zone_db, mdb_strerror(status));
+		CHECK(ISC_R_FAILURE);
+	}
+
+	view->new_zone_dbenv = env;
+	env = NULL;
+#endif /* HAVE_LMDB */
+
+	view->new_zone_config = cfgctx;
+	view->cfg_destroy = cfg_destroy;
+
+cleanup:
+	if (result != ISC_R_SUCCESS) {
+		if (view->new_zone_file != NULL) {
+			isc_mem_free(view->mctx, view->new_zone_file);
+			view->new_zone_file = NULL;
+		}
+
+#ifdef HAVE_LMDB
+		if (view->new_zone_db != NULL) {
+			isc_mem_free(view->mctx, view->new_zone_db);
+			view->new_zone_db = NULL;
+		}
+		if (env != NULL) {
+			mdb_env_close(env);
+		}
+#endif /* HAVE_LMDB */
+		view->new_zone_config = NULL;
+		view->cfg_destroy = NULL;
+	}
+
+	return (result);
+}
+
+void
+dns_view_setnewzonedir(dns_view_t *view, const char *dir) {
+	REQUIRE(DNS_VIEW_VALID(view));
+
+	if (view->new_zone_dir != NULL) {
+		isc_mem_free(view->mctx, view->new_zone_dir);
+		view->new_zone_dir = NULL;
+	}
+
+	if (dir == NULL) {
+		return;
+	}
+
+	view->new_zone_dir = isc_mem_strdup(view->mctx, dir);
+}
+
+const char *
+dns_view_getnewzonedir(dns_view_t *view) {
+	REQUIRE(DNS_VIEW_VALID(view));
+
+	return (view->new_zone_dir);
+}
+
+isc_result_t
+dns_view_searchdlz(dns_view_t *view, const dns_name_t *name,
+		   unsigned int minlabels, dns_clientinfomethods_t *methods,
+		   dns_clientinfo_t *clientinfo, dns_db_t **dbp) {
+	dns_fixedname_t fname;
+	dns_name_t *zonename;
+	unsigned int namelabels;
+	unsigned int i;
+	isc_result_t result;
+	dns_dlzfindzone_t findzone;
+	dns_dlzdb_t *dlzdb;
+	dns_db_t *db, *best = NULL;
+
+	/*
+	 * Performs checks to make sure data is as we expect it to be.
+	 */
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(name != NULL);
+	REQUIRE(dbp != NULL && *dbp == NULL);
+
+	/* setup a "fixed" dns name */
+	zonename = dns_fixedname_initname(&fname);
+
+	/* count the number of labels in the name */
+	namelabels = dns_name_countlabels(name);
+
+	for (dlzdb = ISC_LIST_HEAD(view->dlz_searched); dlzdb != NULL;
+	     dlzdb = ISC_LIST_NEXT(dlzdb, link))
+	{
+		REQUIRE(DNS_DLZ_VALID(dlzdb));
+
+		/*
+		 * loop through starting with the longest domain name and
+		 * trying shorter names portions of the name until we find a
+		 * match, have an error, or are below the 'minlabels'
+		 * threshold.  minlabels is 0, if neither the standard
+		 * database nor any previous DLZ database had a zone name
+		 * match. Otherwise minlabels is the number of labels
+		 * in that name.  We need to beat that for a "better"
+		 * match for this DLZ database to be authoritative.
+		 */
+		for (i = namelabels; i > minlabels && i > 1; i--) {
+			if (i == namelabels) {
+				dns_name_copynf(name, zonename);
+			} else {
+				dns_name_split(name, i, NULL, zonename);
+			}
+
+			/* ask SDLZ driver if the zone is supported */
+			db = NULL;
+			findzone = dlzdb->implementation->methods->findzone;
+			result = (*findzone)(dlzdb->implementation->driverarg,
+					     dlzdb->dbdata, dlzdb->mctx,
+					     view->rdclass, zonename, methods,
+					     clientinfo, &db);
+
+			if (result != ISC_R_NOTFOUND) {
+				if (best != NULL) {
+					dns_db_detach(&best);
+				}
+				if (result == ISC_R_SUCCESS) {
+					INSIST(db != NULL);
+					dns_db_attach(db, &best);
+					dns_db_detach(&db);
+					minlabels = i;
+				} else {
+					if (db != NULL) {
+						dns_db_detach(&db);
+					}
+					break;
+				}
+			} else if (db != NULL) {
+				dns_db_detach(&db);
+			}
+		}
+	}
+
+	if (best != NULL) {
+		dns_db_attach(best, dbp);
+		dns_db_detach(&best);
+		return (ISC_R_SUCCESS);
+	}
+
+	return (ISC_R_NOTFOUND);
+}
+
+uint32_t
+dns_view_getfailttl(dns_view_t *view) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	return (view->fail_ttl);
+}
+
+void
+dns_view_setfailttl(dns_view_t *view, uint32_t fail_ttl) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	view->fail_ttl = fail_ttl;
+}
+
+isc_result_t
+dns_view_saventa(dns_view_t *view) {
+	isc_result_t result;
+	bool removefile = false;
+	dns_ntatable_t *ntatable = NULL;
+	FILE *fp = NULL;
+
+	REQUIRE(DNS_VIEW_VALID(view));
+
+	if (view->nta_lifetime == 0) {
+		return (ISC_R_SUCCESS);
+	}
+
+	/* Open NTA save file for overwrite. */
+	CHECK(isc_stdio_open(view->nta_file, "w", &fp));
+
+	result = dns_view_getntatable(view, &ntatable);
+	if (result == ISC_R_NOTFOUND) {
+		removefile = true;
+		result = ISC_R_SUCCESS;
+		goto cleanup;
+	} else {
+		CHECK(result);
+	}
+
+	result = dns_ntatable_save(ntatable, fp);
+	if (result == ISC_R_NOTFOUND) {
+		removefile = true;
+		result = ISC_R_SUCCESS;
+	} else if (result == ISC_R_SUCCESS) {
+		result = isc_stdio_close(fp);
+		fp = NULL;
+	}
+
+cleanup:
+	if (ntatable != NULL) {
+		dns_ntatable_detach(&ntatable);
+	}
+
+	if (fp != NULL) {
+		(void)isc_stdio_close(fp);
+	}
+
+	/* Don't leave half-baked NTA save files lying around. */
+	if (result != ISC_R_SUCCESS || removefile) {
+		(void)isc_file_remove(view->nta_file);
+	}
+
+	return (result);
+}
+
+#define TSTR(t) ((t).value.as_textregion.base)
+#define TLEN(t) ((t).value.as_textregion.length)
+
+isc_result_t
+dns_view_loadnta(dns_view_t *view) {
+	isc_result_t result;
+	dns_ntatable_t *ntatable = NULL;
+	isc_lex_t *lex = NULL;
+	isc_token_t token;
+	isc_stdtime_t now;
+
+	REQUIRE(DNS_VIEW_VALID(view));
+
+	if (view->nta_lifetime == 0) {
+		return (ISC_R_SUCCESS);
+	}
+
+	CHECK(isc_lex_create(view->mctx, 1025, &lex));
+	CHECK(isc_lex_openfile(lex, view->nta_file));
+	CHECK(dns_view_getntatable(view, &ntatable));
+	isc_stdtime_get(&now);
+
+	for (;;) {
+		int options = (ISC_LEXOPT_EOL | ISC_LEXOPT_EOF);
+		char *name, *type, *timestamp;
+		size_t len;
+		dns_fixedname_t fn;
+		const dns_name_t *ntaname;
+		isc_buffer_t b;
+		isc_stdtime_t t;
+		bool forced;
+
+		CHECK(isc_lex_gettoken(lex, options, &token));
+		if (token.type == isc_tokentype_eof) {
+			break;
+		} else if (token.type != isc_tokentype_string) {
+			CHECK(ISC_R_UNEXPECTEDTOKEN);
+		}
+		name = TSTR(token);
+		len = TLEN(token);
+
+		if (strcmp(name, ".") == 0) {
+			ntaname = dns_rootname;
+		} else {
+			dns_name_t *fname;
+			fname = dns_fixedname_initname(&fn);
+
+			isc_buffer_init(&b, name, (unsigned int)len);
+			isc_buffer_add(&b, (unsigned int)len);
+			CHECK(dns_name_fromtext(fname, &b, dns_rootname, 0,
+						NULL));
+			ntaname = fname;
+		}
+
+		CHECK(isc_lex_gettoken(lex, options, &token));
+		if (token.type != isc_tokentype_string) {
+			CHECK(ISC_R_UNEXPECTEDTOKEN);
+		}
+		type = TSTR(token);
+
+		if (strcmp(type, "regular") == 0) {
+			forced = false;
+		} else if (strcmp(type, "forced") == 0) {
+			forced = true;
+		} else {
+			CHECK(ISC_R_UNEXPECTEDTOKEN);
+		}
+
+		CHECK(isc_lex_gettoken(lex, options, &token));
+		if (token.type != isc_tokentype_string) {
+			CHECK(ISC_R_UNEXPECTEDTOKEN);
+		}
+		timestamp = TSTR(token);
+		CHECK(dns_time32_fromtext(timestamp, &t));
+
+		CHECK(isc_lex_gettoken(lex, options, &token));
+		if (token.type != isc_tokentype_eol &&
+		    token.type != isc_tokentype_eof)
+		{
+			CHECK(ISC_R_UNEXPECTEDTOKEN);
+		}
+
+		if (now <= t) {
+			if (t > (now + 604800)) {
+				t = now + 604800;
+			}
+
+			(void)dns_ntatable_add(ntatable, ntaname, forced, 0, t);
+		} else {
+			char nb[DNS_NAME_FORMATSIZE];
+			dns_name_format(ntaname, nb, sizeof(nb));
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+				      DNS_LOGMODULE_NTA, ISC_LOG_INFO,
+				      "ignoring expired NTA at %s", nb);
+		}
+	}
+
+cleanup:
+	if (ntatable != NULL) {
+		dns_ntatable_detach(&ntatable);
+	}
+
+	if (lex != NULL) {
+		isc_lex_close(lex);
+		isc_lex_destroy(&lex);
+	}
+
+	return (result);
+}
+
+void
+dns_view_setviewcommit(dns_view_t *view) {
+	dns_zone_t *redirect = NULL, *managed_keys = NULL;
+
+	REQUIRE(DNS_VIEW_VALID(view));
+
+	LOCK(&view->lock);
+
+	if (view->redirect != NULL) {
+		dns_zone_attach(view->redirect, &redirect);
+	}
+	if (view->managed_keys != NULL) {
+		dns_zone_attach(view->managed_keys, &managed_keys);
+	}
+	if (view->zonetable != NULL) {
+		dns_zt_setviewcommit(view->zonetable);
+	}
+
+	UNLOCK(&view->lock);
+
+	if (redirect != NULL) {
+		dns_zone_setviewcommit(redirect);
+		dns_zone_detach(&redirect);
+	}
+	if (managed_keys != NULL) {
+		dns_zone_setviewcommit(managed_keys);
+		dns_zone_detach(&managed_keys);
+	}
+}
+
+void
+dns_view_setviewrevert(dns_view_t *view) {
+	dns_zone_t *redirect = NULL, *managed_keys = NULL;
+	dns_zt_t *zonetable;
+
+	REQUIRE(DNS_VIEW_VALID(view));
+
+	/*
+	 * dns_zt_setviewrevert() attempts to lock this view, so we must
+	 * release the lock.
+	 */
+	LOCK(&view->lock);
+	if (view->redirect != NULL) {
+		dns_zone_attach(view->redirect, &redirect);
+	}
+	if (view->managed_keys != NULL) {
+		dns_zone_attach(view->managed_keys, &managed_keys);
+	}
+	zonetable = view->zonetable;
+	UNLOCK(&view->lock);
+
+	if (redirect != NULL) {
+		dns_zone_setviewrevert(redirect);
+		dns_zone_detach(&redirect);
+	}
+	if (managed_keys != NULL) {
+		dns_zone_setviewrevert(managed_keys);
+		dns_zone_detach(&managed_keys);
+	}
+	if (zonetable != NULL) {
+		dns_zt_setviewrevert(zonetable);
+	}
+}
+
+bool
+dns_view_staleanswerenabled(dns_view_t *view) {
+	uint32_t stale_ttl = 0;
+	bool result = false;
+
+	REQUIRE(DNS_VIEW_VALID(view));
+
+	if (dns_db_getservestalettl(view->cachedb, &stale_ttl) != ISC_R_SUCCESS)
+	{
+		return (false);
+	}
+	if (stale_ttl > 0) {
+		if (view->staleanswersok == dns_stale_answer_yes) {
+			result = true;
+		} else if (view->staleanswersok == dns_stale_answer_conf) {
+			result = view->staleanswersenable;
+		}
+	}
+
+	return (result);
+}
diff --git a/lib/dns/win32/DLLMain.c b/lib/dns/win32/DLLMain.c
new file mode 100644
index 0000000..62c6e53
--- /dev/null
+++ b/lib/dns/win32/DLLMain.c
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <signal.h>
+#include <windows.h>
+
+/*
+ * Called when we enter the DLL
+ */
+__declspec(dllexport) BOOL WINAPI
+	DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
+	switch (fdwReason) {
+	/*
+	 * The DLL is loading due to process
+	 * initialization or a call to LoadLibrary.
+	 */
+	case DLL_PROCESS_ATTACH:
+		break;
+
+	/* The attached process creates a new thread.  */
+	case DLL_THREAD_ATTACH:
+		break;
+
+	/* The thread of the attached process terminates. */
+	case DLL_THREAD_DETACH:
+		break;
+
+	/*
+	 * The DLL is unloading from a process due to
+	 * process termination or a call to FreeLibrary.
+	 */
+	case DLL_PROCESS_DETACH:
+		break;
+
+	default:
+		break;
+	}
+	return (TRUE);
+}
diff --git a/lib/dns/win32/gen.vcxproj.filters.in b/lib/dns/win32/gen.vcxproj.filters.in
new file mode 100644
index 0000000..f6b3bb0
--- /dev/null
+++ b/lib/dns/win32/gen.vcxproj.filters.in
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\gen.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\gen-win32.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/lib/dns/win32/gen.vcxproj.in b/lib/dns/win32/gen.vcxproj.in
new file mode 100644
index 0000000..ea3adc3
--- /dev/null
+++ b/lib/dns/win32/gen.vcxproj.in
@@ -0,0 +1,134 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@BUILD_PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@BUILD_PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@BUILD_PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@BUILD_PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{A3F71D12-F38A-4C77-8D87-8E8854CA74A1}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>gen</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@BUILD_PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@BUILD_PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@BUILD_PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@BUILD_PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@BUILD_PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@BUILD_PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@BUILD_PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalIncludeDirectories>.\;..\..\..\;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\$(TargetName)$(TargetExt)</OutputFile>
+    </Link>
+    <PostBuildEvent>
+      <Command>cd ..
+gen -s . -t &gt; include\dns\enumtype.h
+gen -s . -c &gt; include\dns\enumclass.h
+gen -s . -i -P ./rdata/rdatastructpre.h -S ./rdata/rdatastructsuf.h &gt; include\dns\rdatastruct.h
+gen -s . &gt; code.h
+</Command>
+    </PostBuildEvent>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@BUILD_PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalIncludeDirectories>.\;..\..\..\;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+    </Link>
+    <PostBuildEvent>
+      <Command>cd ..
+gen -s . -t &gt; include\dns\enumtype.h
+gen -s . -c &gt; include\dns\enumclass.h
+gen -s . -i -P ./rdata/rdatastructpre.h -S ./rdata/rdatastructsuf.h &gt; include\dns\rdatastruct.h
+gen -s . &gt; code.h
+</Command>
+    </PostBuildEvent>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\gen.c" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\gen-win32.h" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/lib/dns/win32/gen.vcxproj.user b/lib/dns/win32/gen.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/lib/dns/win32/gen.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in
new file mode 100644
index 0000000..5c0ba7c
--- /dev/null
+++ b/lib/dns/win32/libdns.def.in
@@ -0,0 +1,1548 @@
+LIBRARY libdns
+
+; Exported Functions
+EXPORTS
+
+; test only
+dns__rbt_checkproperties
+dns__rbt_getheight
+dns__rbtnode_getdistance
+dns__rbtnode_namelen
+dns__zone_findkeys
+dns__zone_loadpending
+dns__zone_updatesigs
+
+dns_acl_allowed
+dns_acl_any
+dns_acl_attach
+dns_acl_create
+dns_acl_detach
+dns_acl_isany
+dns_acl_isinsecure
+dns_acl_isnone
+dns_acl_match
+dns_acl_merge
+dns_acl_none
+dns_aclelement_match
+dns_aclenv_copy
+dns_aclenv_destroy
+dns_aclenv_init
+dns_adb_adjustsrtt
+dns_adb_agesrtt
+dns_adb_attach
+dns_adb_beginudpfetch
+dns_adb_cancelfind
+dns_adb_changeflags
+dns_adb_create
+dns_adb_createfind
+dns_adb_destroyfind
+dns_adb_detach
+dns_adb_dump
+dns_adb_dumpfind
+dns_adb_ednsto
+dns_adb_endudpfetch
+dns_adb_findaddrinfo
+dns_adb_flush
+dns_adb_flushname
+dns_adb_flushnames
+dns_adb_freeaddrinfo
+dns_adb_getcookie
+dns_adb_getudpsize
+dns_adb_marklame
+dns_adb_noedns
+dns_adb_plainresponse
+dns_adb_probesize
+dns_adb_setadbsize
+dns_adb_setcookie
+dns_adb_setquota
+dns_adb_setudpsize
+dns_adb_shutdown
+dns_adb_timeout
+dns_adb_whenshutdown
+dns_adbentry_overquota
+dns_badcache_add
+dns_badcache_destroy
+dns_badcache_find
+dns_badcache_flush
+dns_badcache_flushname
+dns_badcache_flushtree
+dns_badcache_init
+dns_badcache_print
+dns_byaddr_cancel
+dns_byaddr_create
+dns_byaddr_createptrname
+dns_byaddr_destroy
+dns_cache_attach
+dns_cache_attachdb
+dns_cache_clean
+dns_cache_create
+dns_cache_detach
+dns_cache_dump
+dns_cache_dumpstats
+dns_cache_flush
+dns_cache_flushname
+dns_cache_flushnode
+dns_cache_getcachesize
+dns_cache_getname
+dns_cache_getservestalerefresh
+dns_cache_getservestalettl
+dns_cache_getstats
+dns_cache_load
+@IF NOTYET
+dns_cache_renderjson
+@END NOTYET
+@IF LIBXML2
+dns_cache_renderxml
+@END LIBXML2
+dns_cache_setcachesize
+dns_cache_setfilename
+dns_cache_setservestalerefresh
+dns_cache_setservestalettl
+dns_cache_updatestats
+dns_catz_add_zone
+dns_catz_catzs_attach
+dns_catz_catzs_detach
+dns_catz_catzs_set_view
+dns_catz_dbupdate_callback
+dns_catz_entry_attach
+dns_catz_entry_cmp
+dns_catz_entry_copy
+dns_catz_entry_detach
+dns_catz_entry_getname
+dns_catz_entry_new
+dns_catz_entry_validate
+dns_catz_generate_masterfilename
+dns_catz_generate_zonecfg
+dns_catz_get_iterator
+dns_catz_get_zone
+dns_catz_new_zone
+dns_catz_new_zones
+dns_catz_options_copy
+dns_catz_options_free
+dns_catz_options_init
+dns_catz_options_setdefault
+dns_catz_postreconfig
+dns_catz_prereconfig
+dns_catz_update_from_db
+dns_catz_update_process
+dns_catz_update_taskaction
+dns_catz_zone_attach
+dns_catz_zone_detach
+dns_catz_zone_getdefoptions
+dns_catz_zone_getname
+dns_catz_zone_resetdefoptions
+dns_catz_zones_merge
+dns_cert_fromtext
+dns_cert_totext
+dns_client_addtrustedkey
+dns_client_cancelresolve
+dns_client_clearservers
+dns_client_create
+dns_client_destroy
+dns_client_destroyrestrans
+dns_client_freeresanswer
+dns_client_resolve
+dns_client_setservers
+dns_client_startresolve
+dns_clientinfo_init
+dns_clientinfomethods_init
+dns_compress_add
+dns_compress_disable
+dns_compress_findglobal
+dns_compress_getedns
+dns_compress_getmethods
+dns_compress_getsensitive
+dns_compress_init
+dns_compress_invalidate
+dns_compress_rollback
+dns_compress_setmethods
+dns_compress_setsensitive
+dns_counter_fromtext
+dns_db_addrdataset
+dns_db_adjusthashsize
+dns_db_allrdatasets
+dns_db_attach
+dns_db_attachnode
+dns_db_attachversion
+dns_db_beginload
+dns_db_class
+dns_db_closeversion
+dns_db_create
+dns_db_createiterator
+dns_db_createsoatuple
+dns_db_currentversion
+dns_db_deleterdataset
+dns_db_detach
+dns_db_detachnode
+dns_db_diff
+dns_db_diffx
+dns_db_dump
+dns_db_endload
+dns_db_expirenode
+dns_db_find
+dns_db_findext
+dns_db_findnode
+dns_db_findnodeext
+dns_db_findnsec3node
+dns_db_findrdataset
+dns_db_findzonecut
+dns_db_getnsec3parameters
+dns_db_getoriginnode
+dns_db_getrrsetstats
+dns_db_getservestalettl
+dns_db_getservestalerefresh
+dns_db_getsigningtime
+dns_db_getsize
+dns_db_getsoaserial
+dns_db_hashsize
+dns_db_iscache
+dns_db_isdnssec
+dns_db_ispersistent
+dns_db_issecure
+dns_db_isstub
+dns_db_iszone
+dns_db_load
+dns_db_newversion
+dns_db_nodecount
+dns_db_nodefullname
+dns_db_origin
+dns_db_overmem
+dns_db_printnode
+dns_db_register
+dns_db_resigned
+dns_db_rpz_attach
+dns_db_rpz_ready
+dns_db_serialize
+dns_db_setcachestats
+dns_db_setgluecachestats
+dns_db_setservestalettl
+dns_db_setservestalerefresh
+dns_db_setsigningtime
+dns_db_settask
+dns_db_subtractrdataset
+dns_db_transfernode
+dns_db_unregister
+dns_db_updatenotify_register
+dns_db_updatenotify_unregister
+dns_dbiterator_current
+dns_dbiterator_destroy
+dns_dbiterator_first
+dns_dbiterator_last
+dns_dbiterator_next
+dns_dbiterator_origin
+dns_dbiterator_pause
+dns_dbiterator_prev
+dns_dbiterator_seek
+dns_dbiterator_setcleanmode
+dns_dbtable_add
+dns_dbtable_adddefault
+dns_dbtable_attach
+dns_dbtable_create
+dns_dbtable_detach
+dns_dbtable_find
+dns_dbtable_getdefault
+dns_dbtable_remove
+dns_dbtable_removedefault
+dns_decompress_edns
+dns_decompress_getmethods
+dns_decompress_init
+dns_decompress_invalidate
+dns_decompress_setmethods
+dns_decompress_type
+dns_diff_append
+dns_diff_appendminimal
+dns_diff_apply
+dns_diff_applysilently
+dns_diff_clear
+dns_diff_init
+dns_diff_load
+dns_diff_print
+dns_diff_sort
+dns_difftuple_copy
+dns_difftuple_create
+dns_difftuple_free
+dns_dispatch_addresponse
+dns_dispatch_attach
+dns_dispatch_cancel
+dns_dispatch_changeattributes
+dns_dispatch_createtcp
+dns_dispatch_detach
+dns_dispatch_getattributes
+dns_dispatch_getdscp
+dns_dispatch_getentrysocket
+dns_dispatch_getlocaladdress
+dns_dispatch_getnext
+dns_dispatch_getsocket
+dns_dispatch_gettcp
+dns_dispatch_getudp
+dns_dispatch_getudp_dup
+dns_dispatch_importrecv
+dns_dispatch_removeresponse
+dns_dispatch_setdscp
+dns_dispatch_starttcp
+dns_dispatchmgr_create
+dns_dispatchmgr_destroy
+dns_dispatchmgr_getblackhole
+dns_dispatchmgr_getblackportlist
+dns_dispatchmgr_setavailports
+dns_dispatchmgr_setblackhole
+dns_dispatchmgr_setblackportlist
+dns_dispatchmgr_setstats
+dns_dispatchset_cancelall
+dns_dispatchset_create
+dns_dispatchset_destroy
+dns_dispatchset_get
+dns_dlz_ssumatch
+dns_dlz_writeablezone
+dns_dlzallowzonexfr
+dns_dlzconfigure
+dns_dlzcreate
+dns_dlzdestroy
+dns_dlzregister
+dns_dlzstrtoargv
+dns_dlzunregister
+dns_dns64_aaaafroma
+dns_dns64_aaaaok
+dns_dns64_append
+dns_dns64_create
+dns_dns64_destroy
+dns_dns64_next
+dns_dns64_unlink
+@IF NOTYET
+dns_dnsrps_2policy
+dns_dnsrps_trig2type
+dns_dnsrps_type2trig
+dns_dnsrps_server_create
+dns_dnsrps_server_destroy
+dns_dnsrps_view_init
+dns_dnsrps_connect
+dns_dnsrps_rewrite_init
+@END NOTYET
+@IF NOTYET
+dns_resolver_setfuzzing
+@END NOTYET
+dns_dnssec_findmatchingkeys
+dns_dnssec_findzonekeys
+dns_dnssec_get_hints
+dns_dnssec_keyactive
+dns_dnssec_keyfromrdata
+dns_dnssec_keylistfromrdataset
+dns_dnssec_matchdskey
+dns_dnssec_selfsigns
+dns_dnssec_sign
+dns_dnssec_signmessage
+dns_dnssec_signs
+dns_dnssec_syncdelete
+dns_dnssec_syncupdate
+dns_dnssec_updatekeys
+dns_dnssec_verify
+dns_dnssec_verifymessage
+dns_dnsseckey_create
+dns_dnsseckey_destroy
+dns_dnssecsignstats_clear
+dns_dnssecsignstats_create
+dns_dnssecsignstats_dump
+dns_dnssecsignstats_increment
+dns_ds_buildrdata
+dns_ds_fromkeyrdata
+dns_dsdigest_format
+dns_dsdigest_fromtext
+dns_dsdigest_totext
+@IF NOTYET
+dns_dt_attach
+dns_dt_close
+dns_dt_create
+dns_dt_datatotext
+dns_dt_detach
+dns_dt_getframe
+dns_dt_getstats
+dns_dt_open
+dns_dt_parse
+dns_dt_reopen
+dns_dt_send
+dns_dt_setidentity
+dns_dt_setupfile
+dns_dt_setversion
+dns_dtdata_free
+@END NOTYET
+dns_dumpctx_attach
+dns_dumpctx_cancel
+dns_dumpctx_db
+dns_dumpctx_detach
+dns_dumpctx_version
+dns_dyndb_load
+dns_dyndb_cleanup
+dns_dyndb_createctx
+dns_dyndb_destroyctx
+dns_ecdb_register
+dns_ecdb_unregister
+dns_ecs_equals
+dns_ecs_init
+dns_ecs_format
+dns_fixedname_init
+dns_fixedname_invalidate
+dns_fixedname_name
+dns_fixedname_initname
+dns_fwdtable_add
+dns_fwdtable_addfwd
+dns_fwdtable_create
+dns_fwdtable_delete
+dns_fwdtable_destroy
+dns_fwdtable_find
+dns_generalstats_create
+dns_generalstats_dump
+dns_generalstats_increment
+@IF GEOIP
+dns_geoip_match
+@END GEOIP
+dns_hashalg_fromtext
+dns_ipkeylist_clear
+dns_ipkeylist_copy
+dns_ipkeylist_init
+dns_ipkeylist_resize
+dns_iptable_addprefix
+dns_iptable_attach
+dns_iptable_create
+dns_iptable_detach
+dns_iptable_merge
+dns_journal_begin_transaction
+dns_journal_commit
+dns_journal_compact
+dns_journal_current_rr
+dns_journal_destroy
+dns_journal_empty
+dns_journal_first_rr
+dns_journal_first_serial
+dns_journal_get_sourceserial
+dns_journal_iter_init
+dns_journal_last_serial
+dns_journal_next_rr
+dns_journal_open
+dns_journal_print
+dns_journal_recovered
+dns_journal_rollforward
+dns_journal_set_sourceserial
+dns_journal_write_transaction
+dns_journal_writediff
+dns_kasp_addkey
+dns_kasp_attach
+dns_kasp_create
+dns_kasp_detach
+dns_kasp_dnskeyttl
+dns_kasp_dsttl
+dns_kasp_freeze
+dns_kasp_getname
+dns_kasp_key_algorithm
+dns_kasp_key_create
+dns_kasp_key_destroy
+dns_kasp_key_ksk
+dns_kasp_key_lifetime
+dns_kasp_key_size
+dns_kasp_key_zsk
+dns_kasp_keylist_empty
+dns_kasp_keys
+dns_kasp_nsec3
+dns_kasp_nsec3flags
+dns_kasp_nsec3iter
+dns_kasp_nsec3saltlen
+dns_kasp_parentpropagationdelay
+dns_kasp_publishsafety
+dns_kasp_purgekeys
+dns_kasp_retiresafety
+dns_kasp_setdnskeyttl
+dns_kasp_setdsttl
+dns_kasp_setnsec3
+dns_kasp_setnsec3param
+dns_kasp_setparentpropagationdelay
+dns_kasp_setpublishsafety
+dns_kasp_setpurgekeys
+dns_kasp_setretiresafety
+dns_kasp_setsigrefresh
+dns_kasp_setsigvalidity
+dns_kasp_setsigvalidity_dnskey
+dns_kasp_setzonemaxttl
+dns_kasp_setzonepropagationdelay
+dns_kasp_signdelay
+dns_kasp_sigrefresh
+dns_kasp_sigvalidity
+dns_kasp_sigvalidity_dnskey
+dns_kasp_thaw
+dns_kasp_zonemaxttl
+dns_kasp_zonepropagationdelay
+dns_kasplist_find
+dns_keydata_fromdnskey
+dns_keydata_todnskey
+dns_keyflags_fromtext
+dns_keymgr_checkds
+dns_keymgr_checkds_id
+dns_keymgr_rollover
+dns_keymgr_run
+dns_keymgr_status
+dns_keynode_dsset
+dns_keynode_initial
+dns_keynode_managed
+dns_keynode_trust
+dns_keyring_restore
+dns_keytable_add
+dns_keytable_attach
+dns_keytable_create
+dns_keytable_delete
+dns_keytable_deletekey
+dns_keytable_detach
+dns_keytable_detachkeynode
+dns_keytable_dump
+dns_keytable_find
+dns_keytable_finddeepestmatch
+dns_keytable_forall
+dns_keytable_issecuredomain
+dns_keytable_marksecure
+dns_keytable_totext
+dns_lib_init
+dns_lib_shutdown
+dns_loadctx_attach
+dns_loadctx_cancel
+dns_loadctx_detach
+dns_log_init
+dns_log_setcontext
+dns_lookup_cancel
+dns_lookup_create
+dns_lookup_destroy
+dns_master_dump
+dns_master_dumpasync
+dns_master_dumpnode
+dns_master_dumpnodetostream
+dns_master_dumptostream
+dns_master_dumptostreamasync
+dns_master_initrawheader
+dns_master_loadbuffer
+dns_master_loadbufferinc
+dns_master_loadfile
+dns_master_loadfileinc
+dns_master_loadlexer
+dns_master_loadlexerinc
+dns_master_loadstream
+dns_master_loadstreaminc
+dns_master_questiontotext
+dns_master_rdatasettotext
+dns_master_stylecreate
+dns_master_styledestroy
+dns_master_styleflags
+dns_message_addname
+dns_message_attach
+dns_message_buildopt
+dns_message_checksig
+dns_message_clonebuffer
+dns_message_create
+dns_message_currentname
+dns_message_detach
+dns_message_find
+dns_message_findname
+dns_message_findtype
+dns_message_firstname
+dns_message_getopt
+dns_message_getquerytsig
+dns_message_getrawmessage
+dns_message_getsig0
+dns_message_getsig0key
+dns_message_gettempname
+dns_message_gettemprdata
+dns_message_gettemprdatalist
+dns_message_gettemprdataset
+dns_message_gettimeadjust
+dns_message_gettsig
+dns_message_gettsigkey
+dns_message_headertotext
+dns_message_logfmtpacket
+dns_message_logpacket
+dns_message_movename
+dns_message_nextname
+dns_message_parse
+dns_message_peekheader
+dns_message_pseudosectiontotext
+dns_message_puttempname
+dns_message_puttemprdata
+dns_message_puttemprdatalist
+dns_message_puttemprdataset
+dns_message_rechecksig
+dns_message_removename
+dns_message_renderbegin
+dns_message_renderchangebuffer
+dns_message_renderend
+dns_message_renderheader
+dns_message_renderrelease
+dns_message_renderreserve
+dns_message_renderreset
+dns_message_rendersection
+dns_message_reply
+dns_message_reset
+dns_message_resetsig
+dns_message_sectiontotext
+dns_message_setclass
+dns_message_setopt
+dns_message_setpadding
+dns_message_setquerytsig
+dns_message_setsig0key
+dns_message_setsortorder
+dns_message_settimeadjust
+dns_message_settsigkey
+dns_message_signer
+dns_message_takebuffer
+dns_message_totext
+dns_name_caseequal
+dns_name_clone
+dns_name_compare
+dns_name_concatenate
+dns_name_copy
+dns_name_copynf
+dns_name_countlabels
+dns_name_digest
+dns_name_downcase
+dns_name_dup
+dns_name_dupwithoffsets
+dns_name_dynamic
+dns_name_equal
+dns_name_format
+dns_name_free
+dns_name_fromregion
+dns_name_fromstring
+dns_name_fromstring2
+dns_name_fromtext
+dns_name_fromwire
+dns_name_fullcompare
+dns_name_fullhash
+dns_name_getlabel
+dns_name_getlabelsequence
+dns_name_hasbuffer
+dns_name_hash
+dns_name_init
+dns_name_internalwildcard
+dns_name_invalidate
+dns_name_isabsolute
+dns_name_isdnssd
+dns_name_ishostname
+dns_name_ismailbox
+dns_name_isrfc1918
+dns_name_issubdomain
+dns_name_istat
+dns_name_isula
+dns_name_isvalid
+dns_name_iswildcard
+dns_name_matcheswildcard
+dns_name_print
+dns_name_rdatacompare
+dns_name_reset
+dns_name_setbuffer
+dns_name_settotextfilter
+dns_name_split
+dns_name_tofilenametext
+dns_name_toprincipal
+dns_name_toregion
+dns_name_tostring
+dns_name_totext
+dns_name_totext2
+dns_name_towire
+dns_name_towire2
+dns_ncache_add
+dns_ncache_addoptout
+dns_ncache_current
+dns_ncache_getrdataset
+dns_ncache_getsigrdataset
+dns_ncache_towire
+dns_nsec3_active
+dns_nsec3_activex
+dns_nsec3_addnsec3
+dns_nsec3_addnsec3s
+dns_nsec3_addnsec3sx
+dns_nsec3_buildrdata
+dns_nsec3_delnsec3
+dns_nsec3_delnsec3s
+dns_nsec3_delnsec3sx
+dns_nsec3_generate_salt
+dns_nsec3_hashlength
+dns_nsec3_hashname
+dns_nsec3_maxiterations
+dns_nsec3_noexistnodata
+dns_nsec3_supportedhash
+dns_nsec3_typepresent
+dns_nsec3param_deletechains
+dns_nsec3param_fromprivate
+dns_nsec3param_salttotext
+dns_nsec3param_toprivate
+dns_nsec_build
+dns_nsec_buildrdata
+dns_nsec_compressbitmap
+dns_nsec_isset
+dns_nsec_noexistnodata
+dns_nsec_nseconly
+dns_nsec_setbit
+dns_nsec_typepresent
+dns_ntatable_add
+dns_ntatable_attach
+dns_ntatable_covered
+dns_ntatable_create
+dns_ntatable_delete
+dns_ntatable_detach
+dns_ntatable_dump
+dns_ntatable_save
+dns_ntatable_shutdown
+dns_ntatable_totext
+dns_opcode_totext
+dns_opcodestats_create
+dns_opcodestats_dump
+dns_opcodestats_increment
+dns_order_add
+dns_order_attach
+dns_order_create
+dns_order_detach
+dns_order_find
+dns_peer_attach
+dns_peer_detach
+dns_peer_getbogus
+dns_peer_getednsversion
+dns_peer_getforcetcp
+dns_peer_getkey
+dns_peer_getmaxudp
+dns_peer_getnotifydscp
+dns_peer_getnotifysource
+dns_peer_getpadding
+dns_peer_getprovideixfr
+dns_peer_getquerydscp
+dns_peer_getquerysource
+dns_peer_getrequestexpire
+dns_peer_getrequestixfr
+dns_peer_getrequestnsid
+dns_peer_getsendcookie
+dns_peer_getsupportedns
+dns_peer_gettcpkeepalive
+dns_peer_gettransferdscp
+dns_peer_gettransferformat
+dns_peer_gettransfers
+dns_peer_gettransfersource
+dns_peer_getudpsize
+dns_peer_new
+dns_peer_newprefix
+dns_peer_setbogus
+dns_peer_setednsversion
+dns_peer_setforcetcp
+dns_peer_setkey
+dns_peer_setkeybycharp
+dns_peer_setmaxudp
+dns_peer_setnotifydscp
+dns_peer_setnotifysource
+dns_peer_setpadding
+dns_peer_setprovideixfr
+dns_peer_setquerydscp
+dns_peer_setquerysource
+dns_peer_setrequestexpire
+dns_peer_setrequestixfr
+dns_peer_setrequestnsid
+dns_peer_setsendcookie
+dns_peer_setsupportedns
+dns_peer_settcpkeepalive
+dns_peer_settransferdscp
+dns_peer_settransferformat
+dns_peer_settransfers
+dns_peer_settransfersource
+dns_peer_setudpsize
+dns_peerlist_addpeer
+dns_peerlist_attach
+dns_peerlist_currpeer
+dns_peerlist_detach
+dns_peerlist_new
+dns_peerlist_peerbyaddr
+dns_portlist_add
+dns_portlist_attach
+dns_portlist_create
+dns_portlist_detach
+dns_portlist_match
+dns_portlist_remove
+dns_private_chains
+dns_private_totext
+dns_rbt_addname
+dns_rbt_addnode
+dns_rbt_adjusthashsize
+dns_rbt_create
+dns_rbt_deletename
+dns_rbt_deletenode
+dns_rbt_deserialize_tree
+dns_rbt_destroy
+dns_rbt_destroy2
+dns_rbt_findname
+dns_rbt_findnode
+dns_rbt_formatnodename
+dns_rbt_fullnamefromnode
+dns_rbt_hashsize
+dns_rbt_namefromnode
+dns_rbt_nodecount
+dns_rbt_printdot
+dns_rbt_printnodeinfo
+dns_rbt_printtext
+dns_rbt_serialize_align
+dns_rbt_serialize_tree
+dns_rbtnodechain_current
+dns_rbtnodechain_down
+dns_rbtnodechain_first
+dns_rbtnodechain_init
+dns_rbtnodechain_invalidate
+dns_rbtnodechain_last
+dns_rbtnodechain_next
+dns_rbtnodechain_nextflat
+dns_rbtnodechain_prev
+dns_rbtnodechain_reset
+dns_rcode_fromtext
+dns_rcode_totext
+dns_rcodestats_create
+dns_rcodestats_dump
+dns_rcodestats_increment
+dns_rdata_additionaldata
+dns_rdata_apl_current
+dns_rdata_apl_first
+dns_rdata_apl_next
+dns_rdata_casecompare
+dns_rdata_checknames
+dns_rdata_checkowner
+dns_rdata_clone
+dns_rdata_compare
+dns_rdata_covers
+dns_rdata_deleterrset
+dns_rdata_digest
+dns_rdata_exists
+dns_rdata_freestruct
+dns_rdata_fromregion
+dns_rdata_fromstruct
+dns_rdata_fromtext
+dns_rdata_fromwire
+dns_rdata_hip_current
+dns_rdata_hip_first
+dns_rdata_hip_next
+dns_rdata_init
+dns_rdata_makedelete
+dns_rdata_notexist
+dns_rdata_opt_current
+dns_rdata_opt_first
+dns_rdata_opt_next
+dns_rdata_reset
+dns_rdata_tofmttext
+dns_rdata_toregion
+dns_rdata_tostruct
+dns_rdata_totext
+dns_rdata_towire
+dns_rdata_txt_current
+dns_rdata_txt_first
+dns_rdata_txt_next
+dns_rdata_updateop
+dns_rdatacallbacks_init
+dns_rdatacallbacks_init_stdio
+dns_rdataclass_format
+dns_rdataclass_fromtext
+dns_rdataclass_ismeta
+dns_rdataclass_totext
+dns_rdataclass_tounknowntext
+dns_rdatalist_fromrdataset
+dns_rdatalist_init
+dns_rdatalist_tordataset
+dns_rdataset_addclosest
+dns_rdataset_addglue
+dns_rdataset_additionaldata
+dns_rdataset_addnoqname
+dns_rdataset_clearprefetch
+dns_rdataset_clone
+dns_rdataset_count
+dns_rdataset_current
+dns_rdataset_disassociate
+dns_rdataset_expire
+dns_rdataset_first
+dns_rdataset_getclosest
+dns_rdataset_getnoqname
+dns_rdataset_getownercase
+dns_rdataset_init
+dns_rdataset_invalidate
+dns_rdataset_isassociated
+dns_rdataset_makequestion
+dns_rdataset_next
+dns_rdataset_setownercase
+dns_rdataset_settrust
+dns_rdataset_totext
+dns_rdataset_towire
+dns_rdataset_towirepartial
+dns_rdataset_towiresorted
+dns_rdataset_trimttl
+dns_rdatasetiter_current
+dns_rdatasetiter_destroy
+dns_rdatasetiter_first
+dns_rdatasetiter_next
+dns_rdatasetstats_create
+dns_rdatasetstats_decrement
+dns_rdatasetstats_dump
+dns_rdatasetstats_increment
+dns_rdataslab_count
+dns_rdataslab_equal
+dns_rdataslab_equalx
+dns_rdataslab_fromrdataset
+dns_rdataslab_merge
+dns_rdataslab_rdatasize
+dns_rdataslab_size
+dns_rdataslab_subtract
+dns_rdatatype_atcname
+dns_rdatatype_atparent
+dns_rdatatype_attributes
+dns_rdatatype_followadditional
+dns_rdatatype_format
+dns_rdatatype_fromtext
+dns_rdatatype_isdnssec
+dns_rdatatype_isknown
+dns_rdatatype_ismeta
+dns_rdatatype_issingleton
+dns_rdatatype_iszonecutauth
+dns_rdatatype_notquestion
+dns_rdatatype_questiononly
+dns_rdatatype_totext
+dns_rdatatype_tounknowntext
+dns_rdatatypestats_create
+dns_rdatatypestats_dump
+dns_rdatatypestats_increment
+dns_request_cancel
+dns_request_create
+dns_request_createraw
+dns_request_createvia
+dns_request_destroy
+dns_request_getanswer
+dns_request_getresponse
+dns_request_usedtcp
+dns_requestmgr_attach
+dns_requestmgr_create
+dns_requestmgr_detach
+dns_requestmgr_shutdown
+dns_requestmgr_whenshutdown
+dns_resolver_addalternate
+dns_resolver_addbadcache
+dns_resolver_algorithm_supported
+dns_resolver_attach
+dns_resolver_cancelfetch
+dns_resolver_create
+dns_resolver_createfetch
+dns_resolver_destroyfetch
+dns_resolver_detach
+dns_resolver_disable_algorithm
+dns_resolver_disable_ds_digest
+dns_resolver_dispatchmgr
+dns_resolver_dispatchv4
+dns_resolver_dispatchv6
+dns_resolver_ds_digest_supported
+dns_resolver_dumpfetches
+dns_resolver_flushbadcache
+dns_resolver_flushbadnames
+dns_resolver_freeze
+dns_resolver_getbadcache
+dns_resolver_getclientsperquery
+dns_resolver_getlamettl
+dns_resolver_getmaxdepth
+dns_resolver_getmaxqueries
+dns_resolver_getmustbesecure
+dns_resolver_getnonbackofftries
+dns_resolver_getoptions
+dns_resolver_getquerydscp4
+dns_resolver_getquerydscp6
+dns_resolver_getquotaresponse
+dns_resolver_getretryinterval
+dns_resolver_gettimeout
+dns_resolver_getudpsize
+dns_resolver_getzeronosoattl
+dns_resolver_logfetch
+dns_resolver_prime
+dns_resolver_printbadcache
+dns_resolver_reset_algorithms
+dns_resolver_reset_ds_digests
+dns_resolver_resetmustbesecure
+dns_resolver_setclientsperquery
+dns_resolver_setfetchesperzone
+dns_resolver_setlamettl
+dns_resolver_setmaxdepth
+dns_resolver_setmaxqueries
+dns_resolver_setmustbesecure
+dns_resolver_setnonbackofftries
+dns_resolver_setquerydscp4
+dns_resolver_setquerydscp6
+dns_resolver_setquotaresponse
+dns_resolver_setretryinterval
+dns_resolver_settimeout
+dns_resolver_setudpsize
+dns_resolver_setzeronosoattl
+dns_resolver_shutdown
+dns_resolver_socketmgr
+dns_resolver_taskmgr
+dns_resolver_whenshutdown
+dns_result_register
+dns_result_torcode
+dns_result_totext
+dns_root_checkhints
+dns_rootns_create
+dns_rpz_add
+dns_rpz_attach_rpzs
+dns_rpz_beginload
+dns_rpz_dbupdate_callback
+dns_rpz_decode_cname
+dns_rpz_delete
+dns_rpz_detach_rpzs
+dns_rpz_find_ip
+dns_rpz_find_name
+dns_rpz_new_zone
+dns_rpz_new_zones
+dns_rpz_policy2str
+dns_rpz_ready
+dns_rpz_str2policy
+dns_rpz_type2str
+dns_rriterator_current
+dns_rriterator_destroy
+dns_rriterator_first
+dns_rriterator_init
+dns_rriterator_next
+dns_rriterator_nextrrset
+dns_rriterator_pause
+dns_rrl
+dns_rrl_init
+dns_rrl_view_destroy
+dns_sdb_putnamedrdata
+dns_sdb_putnamedrr
+dns_sdb_putrdata
+dns_sdb_putrr
+dns_sdb_putsoa
+dns_sdb_register
+dns_sdb_unregister
+dns_sdlz_putnamedrr
+dns_sdlz_putrr
+dns_sdlz_putsoa
+dns_sdlz_setdb
+dns_sdlzregister
+dns_sdlzunregister
+dns_secalg_format
+dns_secalg_fromtext
+dns_secalg_totext
+dns_secproto_fromtext
+dns_secproto_totext
+dns_soa_buildrdata
+dns_soa_getexpire
+dns_soa_getminimum
+dns_soa_getrefresh
+dns_soa_getretry
+dns_soa_getserial
+dns_soa_setexpire
+dns_soa_setminimum
+dns_soa_setrefresh
+dns_soa_setretry
+dns_soa_setserial
+dns_ssu_external_match
+dns_ssu_mtypefromstring
+dns_ssurule_isgrant
+dns_ssurule_identity
+dns_ssurule_matchtype
+dns_ssurule_name
+dns_ssurule_types
+dns_ssutable_firstrule
+dns_ssutable_nextrule
+dns_ssutable_addrule
+dns_ssutable_attach
+dns_ssutable_checkrules
+dns_ssutable_create
+dns_ssutable_createdlz
+dns_ssutable_detach
+dns_stats_alloccounters
+dns_stats_attach
+dns_stats_detach
+dns_stats_freecounters
+dns_tcpmsg_cancelread
+dns_tcpmsg_init
+dns_tcpmsg_invalidate
+dns_tcpmsg_keepbuffer
+dns_tcpmsg_readmessage
+dns_tcpmsg_setmaxsize
+dns_time32_fromtext
+dns_time32_totext
+dns_time64_from32
+dns_time64_fromtext
+dns_time64_totext
+dns_timer_setidle
+dns_tkey_builddeletequery
+dns_tkey_builddhquery
+dns_tkey_buildgssquery
+dns_tkey_gssnegotiate
+dns_tkey_processdeleteresponse
+dns_tkey_processdhresponse
+dns_tkey_processgssresponse
+dns_tkey_processquery
+dns_tkeyctx_create
+dns_tkeyctx_destroy
+dns_trust_totext
+dns_tsec_create
+dns_tsec_destroy
+dns_tsec_getkey
+dns_tsec_gettype
+dns_tsig_sign
+dns_tsig_verify
+dns_tsigkey_attach
+dns_tsigkey_create
+dns_tsigkey_createfromkey
+dns_tsigkey_detach
+dns_tsigkey_find
+dns_tsigkey_identity
+dns_tsigkey_setdeleted
+dns_tsigkeyring_add
+dns_tsigkeyring_attach
+dns_tsigkeyring_create
+dns_tsigkeyring_detach
+dns_tsigkeyring_dumpanddetach
+dns_tsigrcode_fromtext
+dns_tsigrcode_totext
+dns_ttl_fromtext
+dns_ttl_totext
+dns_update_signatures
+dns_update_signaturesinc
+dns_update_soaserial
+dns_validator_cancel
+dns_validator_create
+dns_validator_destroy
+dns_validator_send
+dns_view_adddelegationonly
+dns_view_addzone
+dns_view_asyncload
+dns_view_attach
+dns_view_checksig
+dns_view_create
+dns_view_createresolver
+dns_view_createzonetable
+dns_view_detach
+dns_view_dialup
+dns_view_dumpdbtostream
+dns_view_excludedelegationonly
+dns_view_find
+dns_view_findzone
+dns_view_findzonecut
+dns_view_flushanddetach
+dns_view_flushcache
+dns_view_flushname
+dns_view_flushnode
+dns_view_freeze
+dns_view_freezezones
+dns_view_getadbstats
+dns_view_getdynamickeyring
+dns_view_getfailttl
+dns_view_getnewzonedir
+dns_view_getntatable
+dns_view_getpeertsig
+dns_view_getresquerystats
+dns_view_getresstats
+dns_view_getrootdelonly
+dns_view_getsecroots
+dns_view_gettsig
+dns_view_initntatable
+dns_view_initsecroots
+dns_view_iscacheshared
+dns_view_isdelegationonly
+dns_view_issecuredomain
+dns_view_istrusted
+dns_view_load
+dns_view_loadnta
+dns_view_ntacovers
+dns_view_restorekeyring
+dns_view_saventa
+dns_view_searchdlz
+dns_view_setadbstats
+dns_view_setcache
+dns_view_setdstport
+dns_view_setdynamickeyring
+dns_view_setfailttl
+dns_view_sethints
+dns_view_setkeyring
+dns_view_setnewzonedir
+dns_view_setnewzones
+dns_view_setresquerystats
+dns_view_setresstats
+dns_view_setrootdelonly
+dns_view_setviewcommit
+dns_view_setviewrevert
+dns_view_simplefind
+dns_view_staleanswerenabled
+dns_view_thaw
+dns_view_untrust
+dns_view_weakattach
+dns_view_weakdetach
+dns_viewlist_find
+dns_viewlist_findzone
+dns_xfrin_attach
+dns_xfrin_create
+dns_xfrin_detach
+dns_xfrin_shutdown
+dns_zone_addnsec3chain
+dns_zone_asyncload
+dns_zone_attach
+dns_zone_catz_disable
+dns_zone_catz_enable
+dns_zone_catz_enable_db
+dns_zone_catz_is_enabled
+dns_zone_cdscheck
+dns_zone_checknames
+dns_zone_clearforwardacl
+dns_zone_clearnotifyacl
+dns_zone_clearqueryacl
+dns_zone_clearqueryonacl
+dns_zone_clearupdateacl
+dns_zone_clearxfracl
+dns_zone_create
+dns_zone_detach
+dns_zone_dialup
+dns_zone_dlzpostload
+dns_zone_dump
+dns_zone_dumptostream
+dns_zone_expire
+dns_zone_first
+dns_zone_flush
+dns_zone_forcereload
+dns_zone_forwardupdate
+dns_zone_get_parentcatz
+dns_zone_get_rpz_num
+dns_zone_getadded
+dns_zone_getaltxfrsource4
+dns_zone_getaltxfrsource4dscp
+dns_zone_getaltxfrsource6
+dns_zone_getaltxfrsource6dscp
+dns_zone_getautomatic
+dns_zone_getchecknames
+dns_zone_getclass
+dns_zone_getdb
+dns_zone_getdbtype
+dns_zone_getdnsseckeys
+dns_zone_getdnssecsignstats
+dns_zone_getexpiretime
+dns_zone_getfile
+dns_zone_getforwardacl
+dns_zone_getgluecachestats
+dns_zone_getidlein
+dns_zone_getidleout
+dns_zone_getincludes
+dns_zone_getixfrratio
+dns_zone_getjournal
+dns_zone_getjournalsize
+dns_zone_getkasp
+dns_zone_getkeydirectory
+dns_zone_getkeyopts
+dns_zone_getkeyvalidityinterval
+dns_zone_getloadtime
+dns_zone_getmaxrecords
+dns_zone_getmaxttl
+dns_zone_getmaxxfrin
+dns_zone_getmaxxfrout
+dns_zone_getmctx
+dns_zone_getmgr
+dns_zone_getnotifyacl
+dns_zone_getnotifydelay
+dns_zone_getnotifysrc4
+dns_zone_getnotifysrc4dscp
+dns_zone_getnotifysrc6
+dns_zone_getnotifysrc6dscp
+dns_zone_getoptions
+dns_zone_getorigin
+dns_zone_getparentalsrc4
+dns_zone_getparentalsrc4dscp
+dns_zone_getparentalsrc6
+dns_zone_getparentalsrc6dscp
+dns_zone_getprivatetype
+dns_zone_getqueryacl
+dns_zone_getqueryonacl
+dns_zone_getraw
+dns_zone_getrcvquerystats
+dns_zone_getredirecttype
+dns_zone_getrefreshkeytime
+dns_zone_getrefreshtime
+dns_zone_getrequestexpire
+dns_zone_getrequestixfr
+dns_zone_getrequeststats
+dns_zone_getserial
+dns_zone_getserialupdatemethod
+dns_zone_getsignatures
+dns_zone_getsigresigninginterval
+dns_zone_getsigvalidityinterval
+dns_zone_getssutable
+dns_zone_getstatlevel
+dns_zone_getstatscounters
+dns_zone_gettask
+dns_zone_gettype
+dns_zone_getupdateacl
+dns_zone_getupdatedisabled
+dns_zone_getview
+dns_zone_getxfracl
+dns_zone_getxfrsource4
+dns_zone_getxfrsource4dscp
+dns_zone_getxfrsource6
+dns_zone_getxfrsource6dscp
+dns_zone_getzeronosoattl
+dns_zone_iattach
+dns_zone_idetach
+dns_zone_isdynamic
+dns_zone_isforced
+dns_zone_isloaded
+dns_zone_keydone
+dns_zone_link
+dns_zone_load
+dns_zone_loadandthaw
+dns_zone_lock_keyfiles
+dns_zone_log
+dns_zone_logc
+dns_zone_logv
+dns_zone_maintenance
+dns_zone_markdirty
+dns_zone_name
+dns_zone_nameonly
+dns_zone_next
+dns_zone_notify
+dns_zone_notifyreceive
+dns_zone_nscheck
+dns_zone_refresh
+dns_zone_rekey
+dns_zone_replacedb
+dns_zone_rpz_enable
+dns_zone_rpz_enable_db
+dns_zone_set_parentcatz
+dns_zone_setadded
+dns_zone_setalsonotify
+dns_zone_setalsonotifydscpkeys
+dns_zone_setalsonotifywithkeys
+dns_zone_setaltxfrsource4
+dns_zone_setaltxfrsource4dscp
+dns_zone_setaltxfrsource6
+dns_zone_setaltxfrsource6dscp
+dns_zone_setautomatic
+dns_zone_setcheckmx
+dns_zone_setchecknames
+dns_zone_setcheckns
+dns_zone_setchecksrv
+dns_zone_setclass
+dns_zone_setdb
+dns_zone_setdbtype
+dns_zone_setdialup
+dns_zone_setdnssecsignstats
+dns_zone_setfile
+dns_zone_setforwardacl
+dns_zone_setidlein
+dns_zone_setidleout
+dns_zone_setisself
+dns_zone_setixfrratio
+dns_zone_setjournal
+dns_zone_setjournalsize
+dns_zone_setkasp
+dns_zone_setkeydirectory
+dns_zone_setkeyopt
+dns_zone_setkeyvalidityinterval
+dns_zone_setmaxrecords
+dns_zone_setmaxrefreshtime
+dns_zone_setmaxretrytime
+dns_zone_setmaxttl
+dns_zone_setmaxxfrin
+dns_zone_setmaxxfrout
+dns_zone_setminrefreshtime
+dns_zone_setminretrytime
+dns_zone_setnodes
+dns_zone_setnotifyacl
+dns_zone_setnotifydelay
+dns_zone_setnotifysrc4
+dns_zone_setnotifysrc4dscp
+dns_zone_setnotifysrc6
+dns_zone_setnotifysrc6dscp
+dns_zone_setnotifytype
+dns_zone_setnsec3param
+dns_zone_setoption
+dns_zone_setorigin
+dns_zone_setparentals
+dns_zone_setparentalsrc4
+dns_zone_setparentalsrc4dscp
+dns_zone_setparentalsrc6
+dns_zone_setparentalsrc6dscp
+dns_zone_setprimaries
+dns_zone_setprimarieswithkeys
+dns_zone_setprivatetype
+dns_zone_setqueryacl
+dns_zone_setqueryonacl
+dns_zone_setrawdata
+dns_zone_setrcvquerystats
+dns_zone_setrefreshkeyinterval
+dns_zone_setrequestexpire
+dns_zone_setrequestixfr
+dns_zone_setrequeststats
+dns_zone_setserial
+dns_zone_setserialupdatemethod
+dns_zone_setsignatures
+dns_zone_setsigresigninginterval
+dns_zone_setsigvalidityinterval
+dns_zone_setssutable
+dns_zone_setstatistics
+dns_zone_setstatlevel
+dns_zone_setstats
+dns_zone_settask
+dns_zone_settype
+dns_zone_setupdateacl
+dns_zone_setupdatedisabled
+dns_zone_setview
+dns_zone_setviewcommit
+dns_zone_setviewrevert
+dns_zone_setxfracl
+dns_zone_setxfrsource4
+dns_zone_setxfrsource4dscp
+dns_zone_setxfrsource6
+dns_zone_setxfrsource6dscp
+dns_zone_setzeronosoattl
+dns_zone_signwithkey
+dns_zone_synckeyzone
+dns_zone_unload
+dns_zone_unlock_keyfiles
+dns_zone_verifydb
+dns_zonekey_iszonekey
+dns_zonemgr_attach
+dns_zonemgr_create
+dns_zonemgr_createzone
+dns_zonemgr_detach
+dns_zonemgr_forcemaint
+dns_zonemgr_getcount
+dns_zonemgr_getiolimit
+dns_zonemgr_getnotifyrate
+dns_zonemgr_getserialqueryrate
+dns_zonemgr_getstartupnotifyrate
+dns_zonemgr_gettaskmgr
+dns_zonemgr_getttransfersin
+dns_zonemgr_getttransfersperns
+dns_zonemgr_managezone
+dns_zonemgr_releasezone
+dns_zonemgr_resumexfrs
+dns_zonemgr_setcheckdsrate
+dns_zonemgr_setiolimit
+dns_zonemgr_setnotifyrate
+dns_zonemgr_setserialqueryrate
+dns_zonemgr_setsize
+dns_zonemgr_setstartupnotifyrate
+dns_zonemgr_settransfersin
+dns_zonemgr_settransfersperns
+dns_zonemgr_shutdown
+dns_zonemgr_unreachable
+dns_zonemgr_unreachableadd
+dns_zonemgr_unreachabledel
+dns_zonetype_name
+dns_zoneverify_dnssec
+dns_zt_apply
+dns_zt_asyncload
+dns_zt_attach
+dns_zt_create
+dns_zt_detach
+dns_zt_find
+dns_zt_flushanddetach
+dns_zt_freezezones
+dns_zt_load
+dns_zt_mount
+dns_zt_setviewcommit
+dns_zt_setviewrevert
+dns_zt_unmount
+dst_algorithm_supported
+dst_context_adddata
+dst_context_create
+dst_context_destroy
+dst_context_sign
+dst_context_verify
+dst_context_verify2
+dst_ds_digest_supported
+dst_gssapi_acceptctx
+dst_gssapi_acquirecred
+dst_gssapi_deletectx
+dst_gssapi_identitymatchesrealmkrb5
+dst_gssapi_identitymatchesrealmms
+dst_gssapi_initctx
+dst_gssapi_releasecred
+dst_key_alg
+dst_key_attach
+dst_key_buildfilename
+dst_key_buildinternal
+dst_key_class
+dst_key_copy_metadata
+dst_key_compare
+dst_key_computesecret
+dst_key_dump
+dst_key_flags
+dst_key_format
+dst_key_free
+dst_key_frombuffer
+dst_key_fromdns
+dst_key_fromfile
+dst_key_fromgssapi
+dst_key_fromlabel
+dst_key_fromnamedfile
+dst_key_generate
+dst_key_getbits
+dst_key_getbool
+dst_key_getfilename
+dst_key_getgssctx
+dst_key_getnum
+dst_key_getprivateformat
+dst_key_getstate
+dst_key_gettime
+dst_key_getttl
+dst_key_goal
+dst_key_haskasp
+dst_key_id
+dst_key_is_active
+dst_key_is_published
+dst_key_is_removed
+dst_key_is_revoked
+dst_key_is_signing
+dst_key_is_unused
+dst_key_inactive
+dst_key_isexternal
+dst_key_ismodified
+dst_key_isnullkey
+dst_key_isprivate
+dst_key_iszonekey
+dst_key_name
+dst_key_paramcompare
+dst_key_privatefrombuffer
+dst_key_proto
+dst_key_pubcompare
+dst_key_read_public
+dst_key_read_state
+dst_key_restore
+dst_key_rid
+dst_key_role
+dst_key_secretsize
+dst_key_setbits
+dst_key_setbool
+dst_key_setexternal
+dst_key_setflags
+dst_key_setinactive
+dst_key_setmodified
+dst_key_setnum
+dst_key_setprivateformat
+dst_key_setstate
+dst_key_settime
+dst_key_setttl
+dst_key_sigsize
+dst_key_size
+dst_key_tkeytoken
+dst_key_tobuffer
+dst_key_todns
+dst_key_tofile
+dst_key_unsetbool
+dst_key_unsetnum
+dst_key_unsetstate
+dst_key_unsettime
+dst_lib_destroy
+dst_lib_init
+dst_region_computeid
+dst_region_computerid
+dst_result_register
+dst_result_totext
+@IF NOLONGER
+; Exported Data
+
+EXPORTS
+
+dns_pps			DATA
+dns_master_style_full	DATA
+dns_tsig_hmacmd5_name	DATA
+dns_zone_mkey_day	DATA
+dns_zone_mkey_hour	DATA
+dns_zone_mkey_month	DATA
+@END NOLONGER
diff --git a/lib/dns/win32/libdns.vcxproj.filters.in b/lib/dns/win32/libdns.vcxproj.filters.in
new file mode 100644
index 0000000..7bbda41
--- /dev/null
+++ b/lib/dns/win32/libdns.vcxproj.filters.in
@@ -0,0 +1,668 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+    <Filter Include="Library Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Dst Header Files">
+      <UniqueIdentifier>{c76276a2-cee5-4b70-bf37-e0f2ef1ae4d6}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Dst Source Files">
+      <UniqueIdentifier>{ae84c9c7-5da5-4c0e-9e53-bfc34a5825ae}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Library Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="libdns.def" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="DLLMain.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="version.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\acl.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\adb.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\badcache.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\byaddr.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\cache.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\callbacks.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\catz.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\client.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\clientinfo.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\compress.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\db.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\dbiterator.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\dbtable.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\diff.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\dispatch.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\dlz.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\dns64.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\dnssec.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\ds.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\dyndb.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\ecdb.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\ecs.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\fixedname.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\forward.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+@IF GEOIP
+    <ClCompile Include="..\geoip2.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+@END GEOIP
+    <ClCompile Include="..\ipkeylist.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\iptable.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\journal.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\kasp.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\keydata.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\keymgr.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\keytable.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\lib.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\log.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\lookup.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\master.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\masterdump.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\message.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\name.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\ncache.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\nsec.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\nsec3.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\nta.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\order.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\peer.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\portlist.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\private.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\rbt.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\rbtdb.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\rcode.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\rdata.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\rdatalist.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\rdataset.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\rdatasetiter.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\rdataslab.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\request.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\resolver.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\result.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\rootns.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\rpz.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\rriterator.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\rrl.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\sdb.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\sdlz.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\soa.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\ssu.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\ssu_external.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\stats.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\tcpmsg.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\time.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\timer.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\tkey.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\tsec.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\tsig.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\ttl.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\update.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\validator.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\view.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\xfrin.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\zone.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\zonekey.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\zoneverify.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\zt.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\dst_api.c">
+      <Filter>Dst Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\dst_parse.c">
+      <Filter>Dst Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\dst_result.c">
+      <Filter>Dst Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\gssapi_link.c">
+      <Filter>Dst Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\gssapictx.c">
+      <Filter>Dst Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\hmac_link.c">
+      <Filter>Dst Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\key.c">
+      <Filter>Dst Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\openssl_link.c">
+      <Filter>Dst Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\openssldh_link.c">
+      <Filter>Dst Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\opensslecdsa_link.c">
+      <Filter>Dst Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\openssleddsa_link.c">
+      <Filter>Dst Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\opensslrsa_link.c">
+      <Filter>Dst Source Files</Filter>
+    </ClCompile>
+@IF PKCS11
+    <ClCompile Include="..\pkcs11.c">
+      <Filter>Dst Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\pkcs11ecdsa_link.c">
+      <Filter>Dst Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\pkcs11eddsa_link.c">
+      <Filter>Dst Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\pkcs11rsa_link.c">
+      <Filter>Dst Source Files</Filter>
+    </ClCompile>
+@END PKCS11
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\code.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\rbtdb.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\rdatalist_p.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\acl.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\adb.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\badcache.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\bit.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\byaddr.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\cache.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\callbacks.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\catz.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\cert.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\client.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\clientinfo.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\compress.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\db.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\dbiterator.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\dbtable.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\diff.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\dispatch.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\dlz.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\dns64.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\dnssec.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\dnstap.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\ds.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\dsdigest.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\dyndb.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\ecdb.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\ecs.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\edns.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\enumclass.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\enumtype.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\events.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\fixedname.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\forward.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+@IF GEOIP
+    <ClInclude Include="..\include\dns\geoip.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+@END GEOIP
+    <ClInclude Include="..\include\dns\ipkeylist.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\iptable.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\journal.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\kasp.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\keydata.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\keyflags.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\keymgr.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\keytable.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\keyvalues.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\lib.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\log.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\lookup.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\master.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\masterdump.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\message.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\name.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\ncache.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\nsec.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\nsec3.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\nta.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\opcode.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\order.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\peer.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\portlist.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\private.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\rbt.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\rcode.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\rdata.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\rdataclass.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\rdatalist.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\rdataset.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\rdatasetiter.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\rdataslab.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\rdatastruct.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\rdatatype.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\request.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\resolver.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\result.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\rootns.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\rpz.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\rriterator.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\rrl.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\sdb.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\sdlz.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\secalg.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\secproto.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\soa.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\ssu.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\stats.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\tcpmsg.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\time.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\timer.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\tkey.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\tsec.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\tsig.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\ttl.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\types.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\update.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\validator.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\version.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\view.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\xfrin.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\zone.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\zonekey.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\zoneverify.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\zt.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dst\dst.h">
+      <Filter>Dst Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dst\gssapi.h">
+      <Filter>Dst Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dst\result.h">
+      <Filter>Dst Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\dst_internal.h">
+      <Filter>Dst Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\dst_openssl.h">
+      <Filter>Dst Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\dst_parse.h">
+      <Filter>Dst Header Files</Filter>
+    </ClInclude>
+@IF PKCS11
+    <ClInclude Include="..\dst_pkcs11.h">
+      <Filter>Dst Header Files</Filter>
+    </ClInclude>
+@END PKCS11
+  </ItemGroup>
+</Project>
diff --git a/lib/dns/win32/libdns.vcxproj.in b/lib/dns/win32/libdns.vcxproj.in
new file mode 100644
index 0000000..27fc3a0
--- /dev/null
+++ b/lib/dns/win32/libdns.vcxproj.in
@@ -0,0 +1,345 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>libdns</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>BIND9;WIN32;@USE_GSSAPI@_DEBUG;_WINDOWS;_USRDLL;LIBDNS_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;include;..\include;..\..\isc;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;@LIBXML2_INC@@OPENSSL_INC@@GSSAPI_INC@@GEOIP_INC@%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>..\..\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;@LIBXML2_LIB@@GSSAPI_LIB@@KRB5_LIB@@GEOIP_LIB@ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <ModuleDefinitionFile>$(ProjectName).def</ModuleDefinitionFile>
+      <ImportLibrary>.\$(Configuration)\$(ProjectName).lib</ImportLibrary>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>BIND9;WIN32;@USE_GSSAPI@NDEBUG;_WINDOWS;_USRDLL;LIBDNS_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;include;..\include;..\..\isc;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;@LIBXML2_INC@@OPENSSL_INC@@GSSAPI_INC@@GEOIP_INC@%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>..\..\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;@LIBXML2_LIB@@GSSAPI_LIB@@KRB5_LIB@@GEOIP_LIB@ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <ModuleDefinitionFile>$(ProjectName).def</ModuleDefinitionFile>
+      <ImportLibrary>.\$(Configuration)\$(ProjectName).lib</ImportLibrary>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <None Include="libdns.def" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\acl.c" />
+    <ClCompile Include="..\adb.c" />
+    <ClCompile Include="..\badcache.c" />
+    <ClCompile Include="..\byaddr.c" />
+    <ClCompile Include="..\cache.c" />
+    <ClCompile Include="..\callbacks.c" />
+    <ClCompile Include="..\catz.c" />
+    <ClCompile Include="..\client.c" />
+    <ClCompile Include="..\clientinfo.c" />
+    <ClCompile Include="..\compress.c" />
+    <ClCompile Include="..\db.c" />
+    <ClCompile Include="..\dbiterator.c" />
+    <ClCompile Include="..\dbtable.c" />
+    <ClCompile Include="..\diff.c" />
+    <ClCompile Include="..\dispatch.c" />
+    <ClCompile Include="..\dlz.c" />
+    <ClCompile Include="..\dns64.c" />
+    <ClCompile Include="..\dnssec.c" />
+    <ClCompile Include="..\ds.c" />
+    <ClCompile Include="..\dst_api.c" />
+    <ClCompile Include="..\dst_parse.c" />
+    <ClCompile Include="..\dst_result.c" />
+    <ClCompile Include="..\dyndb.c" />
+    <ClCompile Include="..\ecdb.c" />
+    <ClCompile Include="..\ecs.c" />
+    <ClCompile Include="..\fixedname.c" />
+    <ClCompile Include="..\forward.c" />
+@IF GEOIP
+    <ClCompile Include="..\geoip2.c" />
+@END GEOIP
+    <ClCompile Include="..\gssapictx.c" />
+    <ClCompile Include="..\gssapi_link.c" />
+    <ClCompile Include="..\hmac_link.c" />
+    <ClCompile Include="..\ipkeylist.c" />
+    <ClCompile Include="..\iptable.c" />
+    <ClCompile Include="..\journal.c" />
+    <ClCompile Include="..\kasp.c" />
+    <ClCompile Include="..\key.c" />
+    <ClCompile Include="..\keymgr.c" />
+    <ClCompile Include="..\keydata.c" />
+    <ClCompile Include="..\keytable.c" />
+    <ClCompile Include="..\lib.c" />
+    <ClCompile Include="..\log.c" />
+    <ClCompile Include="..\lookup.c" />
+    <ClCompile Include="..\master.c" />
+    <ClCompile Include="..\masterdump.c" />
+    <ClCompile Include="..\message.c" />
+    <ClCompile Include="..\name.c" />
+    <ClCompile Include="..\ncache.c" />
+    <ClCompile Include="..\nsec.c" />
+    <ClCompile Include="..\nsec3.c" />
+    <ClCompile Include="..\nta.c" />
+    <ClCompile Include="..\openssldh_link.c" />
+    <ClCompile Include="..\opensslecdsa_link.c" />
+    <ClCompile Include="..\openssleddsa_link.c" />
+    <ClCompile Include="..\opensslrsa_link.c" />
+    <ClCompile Include="..\openssl_link.c" />
+    <ClCompile Include="..\order.c" />
+    <ClCompile Include="..\peer.c" />
+@IF PKCS11
+    <ClCompile Include="..\pkcs11.c" />
+    <ClCompile Include="..\pkcs11ecdsa_link.c" />
+    <ClCompile Include="..\pkcs11eddsa_link.c" />
+    <ClCompile Include="..\pkcs11rsa_link.c" />
+@END PKCS11
+    <ClCompile Include="..\portlist.c" />
+    <ClCompile Include="..\private.c" />
+    <ClCompile Include="..\rbt.c" />
+    <ClCompile Include="..\rbtdb.c" />
+    <ClCompile Include="..\rcode.c" />
+    <ClCompile Include="..\rdata.c" />
+    <ClCompile Include="..\rdatalist.c" />
+    <ClCompile Include="..\rdataset.c" />
+    <ClCompile Include="..\rdatasetiter.c" />
+    <ClCompile Include="..\rdataslab.c" />
+    <ClCompile Include="..\request.c" />
+    <ClCompile Include="..\resolver.c" />
+    <ClCompile Include="..\result.c" />
+    <ClCompile Include="..\rootns.c" />
+    <ClCompile Include="..\rpz.c" />
+    <ClCompile Include="..\rriterator.c" />
+    <ClCompile Include="..\rrl.c" />
+    <ClCompile Include="..\sdb.c" />
+    <ClCompile Include="..\sdlz.c" />
+    <ClCompile Include="..\soa.c" />
+    <ClCompile Include="..\ssu.c" />
+    <ClCompile Include="..\ssu_external.c" />
+    <ClCompile Include="..\stats.c" />
+    <ClCompile Include="..\tcpmsg.c" />
+    <ClCompile Include="..\time.c" />
+    <ClCompile Include="..\timer.c" />
+    <ClCompile Include="..\tkey.c" />
+    <ClCompile Include="..\tsec.c" />
+    <ClCompile Include="..\tsig.c" />
+    <ClCompile Include="..\ttl.c" />
+    <ClCompile Include="..\update.c" />
+    <ClCompile Include="..\validator.c" />
+    <ClCompile Include="..\view.c" />
+    <ClCompile Include="..\xfrin.c" />
+    <ClCompile Include="..\zone.c" />
+    <ClCompile Include="..\zonekey.c" />
+    <ClCompile Include="..\zoneverify.c" />
+    <ClCompile Include="..\zt.c" />
+    <ClCompile Include="DLLMain.c" />
+    <ClCompile Include="version.c" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\code.h" />
+    <ClInclude Include="..\dst_internal.h" />
+    <ClInclude Include="..\dst_openssl.h" />
+    <ClInclude Include="..\dst_parse.h" />
+@IF PKCS11
+    <ClInclude Include="..\dst_pkcs11.h" />
+@END PKCS11
+    <ClInclude Include="..\include\dns\acl.h" />
+    <ClInclude Include="..\include\dns\adb.h" />
+    <ClInclude Include="..\include\dns\badcache.h" />
+    <ClInclude Include="..\include\dns\bit.h" />
+    <ClInclude Include="..\include\dns\byaddr.h" />
+    <ClInclude Include="..\include\dns\cache.h" />
+    <ClInclude Include="..\include\dns\callbacks.h" />
+    <ClInclude Include="..\include\dns\catz.h" />
+    <ClInclude Include="..\include\dns\cert.h" />
+    <ClInclude Include="..\include\dns\client.h" />
+    <ClInclude Include="..\include\dns\clientinfo.h" />
+    <ClInclude Include="..\include\dns\compress.h" />
+    <ClInclude Include="..\include\dns\db.h" />
+    <ClInclude Include="..\include\dns\dbiterator.h" />
+    <ClInclude Include="..\include\dns\dbtable.h" />
+    <ClInclude Include="..\include\dns\diff.h" />
+    <ClInclude Include="..\include\dns\dispatch.h" />
+    <ClInclude Include="..\include\dns\dlz.h" />
+    <ClInclude Include="..\include\dns\dns64.h" />
+    <ClInclude Include="..\include\dns\dnssec.h" />
+    <ClInclude Include="..\include\dns\dnstap.h" />
+    <ClInclude Include="..\include\dns\ds.h" />
+    <ClInclude Include="..\include\dns\dsdigest.h" />
+    <ClInclude Include="..\include\dns\dyndb.h" />
+    <ClInclude Include="..\include\dns\ecdb.h" />
+    <ClInclude Include="..\include\dns\ecs.h" />
+    <ClInclude Include="..\include\dns\edns.h" />
+    <ClInclude Include="..\include\dns\enumclass.h" />
+    <ClInclude Include="..\include\dns\enumtype.h" />
+    <ClInclude Include="..\include\dns\events.h" />
+    <ClInclude Include="..\include\dns\fixedname.h" />
+    <ClInclude Include="..\include\dns\forward.h" />
+@IF GEOIP
+    <ClInclude Include="..\include\dns\geoip.h" />
+@END GEOIP
+    <ClInclude Include="..\include\dns\ipkeylist.h" />
+    <ClInclude Include="..\include\dns\iptable.h" />
+    <ClInclude Include="..\include\dns\journal.h" />
+    <ClInclude Include="..\include\dns\kasp.h" />
+    <ClInclude Include="..\include\dns\keydata.h" />
+    <ClInclude Include="..\include\dns\keyflags.h" />
+    <ClInclude Include="..\include\dns\keymgr.h" />
+    <ClInclude Include="..\include\dns\keytable.h" />
+    <ClInclude Include="..\include\dns\keyvalues.h" />
+    <ClInclude Include="..\include\dns\lib.h" />
+    <ClInclude Include="..\include\dns\log.h" />
+    <ClInclude Include="..\include\dns\lookup.h" />
+    <ClInclude Include="..\include\dns\master.h" />
+    <ClInclude Include="..\include\dns\masterdump.h" />
+    <ClInclude Include="..\include\dns\message.h" />
+    <ClInclude Include="..\include\dns\name.h" />
+    <ClInclude Include="..\include\dns\ncache.h" />
+    <ClInclude Include="..\include\dns\nsec.h" />
+    <ClInclude Include="..\include\dns\nsec3.h" />
+    <ClInclude Include="..\include\dns\nta.h" />
+    <ClInclude Include="..\include\dns\opcode.h" />
+    <ClInclude Include="..\include\dns\order.h" />
+    <ClInclude Include="..\include\dns\peer.h" />
+    <ClInclude Include="..\include\dns\portlist.h" />
+    <ClInclude Include="..\include\dns\private.h" />
+    <ClInclude Include="..\include\dns\rbt.h" />
+    <ClInclude Include="..\include\dns\rcode.h" />
+    <ClInclude Include="..\include\dns\rdata.h" />
+    <ClInclude Include="..\include\dns\rdataclass.h" />
+    <ClInclude Include="..\include\dns\rdatalist.h" />
+    <ClInclude Include="..\include\dns\rdataset.h" />
+    <ClInclude Include="..\include\dns\rdatasetiter.h" />
+    <ClInclude Include="..\include\dns\rdataslab.h" />
+    <ClInclude Include="..\include\dns\rdatastruct.h" />
+    <ClInclude Include="..\include\dns\rdatatype.h" />
+    <ClInclude Include="..\include\dns\request.h" />
+    <ClInclude Include="..\include\dns\resolver.h" />
+    <ClInclude Include="..\include\dns\result.h" />
+    <ClInclude Include="..\include\dns\rootns.h" />
+    <ClInclude Include="..\include\dns\rpz.h" />
+    <ClInclude Include="..\include\dns\rriterator.h" />
+    <ClInclude Include="..\include\dns\rrl.h" />
+    <ClInclude Include="..\include\dns\sdb.h" />
+    <ClInclude Include="..\include\dns\sdlz.h" />
+    <ClInclude Include="..\include\dns\secalg.h" />
+    <ClInclude Include="..\include\dns\secproto.h" />
+    <ClInclude Include="..\include\dns\soa.h" />
+    <ClInclude Include="..\include\dns\ssu.h" />
+    <ClInclude Include="..\include\dns\stats.h" />
+    <ClInclude Include="..\include\dns\tcpmsg.h" />
+    <ClInclude Include="..\include\dns\time.h" />
+    <ClInclude Include="..\include\dns\timer.h" />
+    <ClInclude Include="..\include\dns\tkey.h" />
+    <ClInclude Include="..\include\dns\tsec.h" />
+    <ClInclude Include="..\include\dns\tsig.h" />
+    <ClInclude Include="..\include\dns\ttl.h" />
+    <ClInclude Include="..\include\dns\types.h" />
+    <ClInclude Include="..\include\dns\update.h" />
+    <ClInclude Include="..\include\dns\validator.h" />
+    <ClInclude Include="..\include\dns\version.h" />
+    <ClInclude Include="..\include\dns\view.h" />
+    <ClInclude Include="..\include\dns\xfrin.h" />
+    <ClInclude Include="..\include\dns\zone.h" />
+    <ClInclude Include="..\include\dns\zonekey.h" />
+    <ClInclude Include="..\include\dns\zoneverify.h" />
+    <ClInclude Include="..\include\dns\zt.h" />
+    <ClInclude Include="..\include\dst\dst.h" />
+    <ClInclude Include="..\include\dst\gssapi.h" />
+    <ClInclude Include="..\include\dst\result.h" />
+    <ClInclude Include="..\rbtdb.h" />
+    <ClInclude Include="..\rdatalist_p.h" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/lib/dns/win32/libdns.vcxproj.user b/lib/dns/win32/libdns.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/lib/dns/win32/libdns.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/lib/dns/win32/version.c b/lib/dns/win32/version.c
new file mode 100644
index 0000000..031042b
--- /dev/null
+++ b/lib/dns/win32/version.c
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <versions.h>
+
+#include <dns/version.h>
+
+LIBDNS_EXTERNAL_DATA const char dns_version[] = VERSION;
+LIBDNS_EXTERNAL_DATA const char dns_major[] = MAJOR;
+LIBDNS_EXTERNAL_DATA const char dns_mapapi[] = MAPAPI;
diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c
new file mode 100644
index 0000000..a54d0d8
--- /dev/null
+++ b/lib/dns/xfrin.c
@@ -0,0 +1,1704 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/random.h>
+#include <isc/string.h> /* Required for HP/UX (and others?) */
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/callbacks.h>
+#include <dns/catz.h>
+#include <dns/db.h>
+#include <dns/diff.h>
+#include <dns/events.h>
+#include <dns/journal.h>
+#include <dns/log.h>
+#include <dns/message.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/result.h>
+#include <dns/soa.h>
+#include <dns/tcpmsg.h>
+#include <dns/timer.h>
+#include <dns/tsig.h>
+#include <dns/view.h>
+#include <dns/xfrin.h>
+#include <dns/zone.h>
+
+#include <dst/dst.h>
+
+/*
+ * Incoming AXFR and IXFR.
+ */
+
+/*%
+ * It would be non-sensical (or at least obtuse) to use FAIL() with an
+ * ISC_R_SUCCESS code, but the test is there to keep the Solaris compiler
+ * from complaining about "end-of-loop code not reached".
+ */
+#define FAIL(code)                           \
+	do {                                 \
+		result = (code);             \
+		if (result != ISC_R_SUCCESS) \
+			goto failure;        \
+	} while (0)
+
+#define CHECK(op)                            \
+	do {                                 \
+		result = (op);               \
+		if (result != ISC_R_SUCCESS) \
+			goto failure;        \
+	} while (0)
+
+/*%
+ * The states of the *XFR state machine.  We handle both IXFR and AXFR
+ * with a single integrated state machine because they cannot be distinguished
+ * immediately - an AXFR response to an IXFR request can only be detected
+ * when the first two (2) response RRs have already been received.
+ */
+typedef enum {
+	XFRST_SOAQUERY,
+	XFRST_GOTSOA,
+	XFRST_INITIALSOA,
+	XFRST_FIRSTDATA,
+	XFRST_IXFR_DELSOA,
+	XFRST_IXFR_DEL,
+	XFRST_IXFR_ADDSOA,
+	XFRST_IXFR_ADD,
+	XFRST_IXFR_END,
+	XFRST_AXFR,
+	XFRST_AXFR_END
+} xfrin_state_t;
+
+/*%
+ * Incoming zone transfer context.
+ */
+
+struct dns_xfrin_ctx {
+	unsigned int magic;
+	isc_mem_t *mctx;
+	dns_zone_t *zone;
+
+	int refcount;
+
+	isc_task_t *task;
+	isc_timer_t *timer;
+	isc_socketmgr_t *socketmgr;
+
+	int connects; /*%< Connect in progress */
+	int sends;    /*%< Send in progress */
+	int recvs;    /*%< Receive in progress */
+	bool shuttingdown;
+	isc_result_t shutdown_result;
+
+	dns_name_t name; /*%< Name of zone to transfer */
+	dns_rdataclass_t rdclass;
+
+	bool checkid, logit;
+	dns_messageid_t id;
+
+	/*%
+	 * Requested transfer type (dns_rdatatype_axfr or
+	 * dns_rdatatype_ixfr).  The actual transfer type
+	 * may differ due to IXFR->AXFR fallback.
+	 */
+	dns_rdatatype_t reqtype;
+	isc_dscp_t dscp;
+
+	isc_sockaddr_t masteraddr;
+	isc_sockaddr_t sourceaddr;
+	isc_socket_t *socket;
+
+	/*% Buffer for IXFR/AXFR request message */
+	isc_buffer_t qbuffer;
+	unsigned char qbuffer_data[512];
+
+	/*% Incoming reply TCP message */
+	dns_tcpmsg_t tcpmsg;
+	bool tcpmsg_valid;
+
+	/*%
+	 * Whether the zone originally had a database attached at the time this
+	 * transfer context was created.  Used by maybe_free() when making
+	 * logging decisions.
+	 */
+	bool zone_had_db;
+
+	dns_db_t *db;
+	dns_dbversion_t *ver;
+	dns_diff_t diff; /*%< Pending database changes */
+	int difflen;	 /*%< Number of pending tuples */
+
+	xfrin_state_t state;
+	uint32_t end_serial;
+	bool is_ixfr;
+
+	unsigned int nmsg;  /*%< Number of messages recvd */
+	unsigned int nrecs; /*%< Number of records recvd */
+	uint64_t nbytes;    /*%< Number of bytes received */
+
+	unsigned int maxrecords; /*%< The maximum number of
+				  *   records set for the zone */
+
+	isc_time_t start; /*%< Start time of the transfer */
+	isc_time_t end;	  /*%< End time of the transfer */
+
+	dns_tsigkey_t *tsigkey; /*%< Key used to create TSIG */
+	isc_buffer_t *lasttsig; /*%< The last TSIG */
+	dst_context_t *tsigctx; /*%< TSIG verification context */
+	unsigned int sincetsig; /*%< recvd since the last TSIG */
+	dns_xfrindone_t done;
+
+	/*%
+	 * AXFR- and IXFR-specific data.  Only one is used at a time
+	 * according to the is_ixfr flag, so this could be a union,
+	 * but keeping them separate makes it a bit simpler to clean
+	 * things up when destroying the context.
+	 */
+	dns_rdatacallbacks_t axfr;
+
+	struct {
+		uint32_t request_serial;
+		uint32_t current_serial;
+		dns_journal_t *journal;
+	} ixfr;
+
+	dns_rdata_t firstsoa;
+	unsigned char *firstsoa_data;
+};
+
+#define XFRIN_MAGIC    ISC_MAGIC('X', 'f', 'r', 'I')
+#define VALID_XFRIN(x) ISC_MAGIC_VALID(x, XFRIN_MAGIC)
+
+/**************************************************************************/
+/*
+ * Forward declarations.
+ */
+
+static isc_result_t
+xfrin_create(isc_mem_t *mctx, dns_zone_t *zone, dns_db_t *db, isc_task_t *task,
+	     isc_timermgr_t *timermgr, isc_socketmgr_t *socketmgr,
+	     dns_name_t *zonename, dns_rdataclass_t rdclass,
+	     dns_rdatatype_t reqtype, const isc_sockaddr_t *masteraddr,
+	     const isc_sockaddr_t *sourceaddr, isc_dscp_t dscp,
+	     dns_tsigkey_t *tsigkey, dns_xfrin_ctx_t **xfrp);
+
+static isc_result_t
+axfr_init(dns_xfrin_ctx_t *xfr);
+static isc_result_t
+axfr_makedb(dns_xfrin_ctx_t *xfr, dns_db_t **dbp);
+static isc_result_t
+axfr_putdata(dns_xfrin_ctx_t *xfr, dns_diffop_t op, dns_name_t *name,
+	     dns_ttl_t ttl, dns_rdata_t *rdata);
+static isc_result_t
+axfr_apply(dns_xfrin_ctx_t *xfr);
+static isc_result_t
+axfr_commit(dns_xfrin_ctx_t *xfr);
+static isc_result_t
+axfr_finalize(dns_xfrin_ctx_t *xfr);
+
+static isc_result_t
+ixfr_init(dns_xfrin_ctx_t *xfr);
+static isc_result_t
+ixfr_apply(dns_xfrin_ctx_t *xfr);
+static isc_result_t
+ixfr_putdata(dns_xfrin_ctx_t *xfr, dns_diffop_t op, dns_name_t *name,
+	     dns_ttl_t ttl, dns_rdata_t *rdata);
+static isc_result_t
+ixfr_commit(dns_xfrin_ctx_t *xfr);
+
+static isc_result_t
+xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name, uint32_t ttl,
+       dns_rdata_t *rdata);
+
+static isc_result_t
+xfrin_start(dns_xfrin_ctx_t *xfr);
+
+static void
+xfrin_connect_done(isc_task_t *task, isc_event_t *event);
+static isc_result_t
+xfrin_send_request(dns_xfrin_ctx_t *xfr);
+static void
+xfrin_send_done(isc_task_t *task, isc_event_t *event);
+static void
+xfrin_recv_done(isc_task_t *task, isc_event_t *event);
+static void
+xfrin_timeout(isc_task_t *task, isc_event_t *event);
+
+static void
+maybe_free(dns_xfrin_ctx_t *xfr);
+
+static void
+xfrin_fail(dns_xfrin_ctx_t *xfr, isc_result_t result, const char *msg);
+static isc_result_t
+render(dns_message_t *msg, isc_mem_t *mctx, isc_buffer_t *buf);
+
+static void
+xfrin_logv(int level, const char *zonetext, const isc_sockaddr_t *masteraddr,
+	   const char *fmt, va_list ap) ISC_FORMAT_PRINTF(4, 0);
+
+static void
+xfrin_log1(int level, const char *zonetext, const isc_sockaddr_t *masteraddr,
+	   const char *fmt, ...) ISC_FORMAT_PRINTF(4, 5);
+
+static void
+xfrin_log(dns_xfrin_ctx_t *xfr, int level, const char *fmt, ...)
+	ISC_FORMAT_PRINTF(3, 4);
+
+/**************************************************************************/
+/*
+ * AXFR handling
+ */
+
+static isc_result_t
+axfr_init(dns_xfrin_ctx_t *xfr) {
+	isc_result_t result;
+
+	xfr->is_ixfr = false;
+
+	if (xfr->db != NULL) {
+		dns_db_detach(&xfr->db);
+	}
+
+	CHECK(axfr_makedb(xfr, &xfr->db));
+	dns_rdatacallbacks_init(&xfr->axfr);
+	CHECK(dns_db_beginload(xfr->db, &xfr->axfr));
+	result = ISC_R_SUCCESS;
+failure:
+	return (result);
+}
+
+static isc_result_t
+axfr_makedb(dns_xfrin_ctx_t *xfr, dns_db_t **dbp) {
+	isc_result_t result;
+
+	result = dns_db_create(xfr->mctx, /* XXX */
+			       "rbt",	  /* XXX guess */
+			       &xfr->name, dns_dbtype_zone, xfr->rdclass, 0,
+			       NULL, /* XXX guess */
+			       dbp);
+	if (result == ISC_R_SUCCESS) {
+		dns_zone_rpz_enable_db(xfr->zone, *dbp);
+		dns_zone_catz_enable_db(xfr->zone, *dbp);
+	}
+	return (result);
+}
+
+static isc_result_t
+axfr_putdata(dns_xfrin_ctx_t *xfr, dns_diffop_t op, dns_name_t *name,
+	     dns_ttl_t ttl, dns_rdata_t *rdata) {
+	isc_result_t result;
+
+	dns_difftuple_t *tuple = NULL;
+
+	if (rdata->rdclass != xfr->rdclass) {
+		return (DNS_R_BADCLASS);
+	}
+
+	CHECK(dns_zone_checknames(xfr->zone, name, rdata));
+	CHECK(dns_difftuple_create(xfr->diff.mctx, op, name, ttl, rdata,
+				   &tuple));
+	dns_diff_append(&xfr->diff, &tuple);
+	if (++xfr->difflen > 100) {
+		CHECK(axfr_apply(xfr));
+	}
+	result = ISC_R_SUCCESS;
+failure:
+	return (result);
+}
+
+/*
+ * Store a set of AXFR RRs in the database.
+ */
+static isc_result_t
+axfr_apply(dns_xfrin_ctx_t *xfr) {
+	isc_result_t result;
+	uint64_t records;
+
+	CHECK(dns_diff_load(&xfr->diff, xfr->axfr.add, xfr->axfr.add_private));
+	xfr->difflen = 0;
+	dns_diff_clear(&xfr->diff);
+	if (xfr->maxrecords != 0U) {
+		result = dns_db_getsize(xfr->db, xfr->ver, &records, NULL);
+		if (result == ISC_R_SUCCESS && records > xfr->maxrecords) {
+			result = DNS_R_TOOMANYRECORDS;
+			goto failure;
+		}
+	}
+	result = ISC_R_SUCCESS;
+failure:
+	return (result);
+}
+
+static isc_result_t
+axfr_commit(dns_xfrin_ctx_t *xfr) {
+	isc_result_t result;
+
+	CHECK(axfr_apply(xfr));
+	CHECK(dns_db_endload(xfr->db, &xfr->axfr));
+	CHECK(dns_zone_verifydb(xfr->zone, xfr->db, NULL));
+
+	result = ISC_R_SUCCESS;
+failure:
+	return (result);
+}
+
+static isc_result_t
+axfr_finalize(dns_xfrin_ctx_t *xfr) {
+	isc_result_t result;
+
+	CHECK(dns_zone_replacedb(xfr->zone, xfr->db, true));
+
+	result = ISC_R_SUCCESS;
+failure:
+	return (result);
+}
+
+/**************************************************************************/
+/*
+ * IXFR handling
+ */
+
+static isc_result_t
+ixfr_init(dns_xfrin_ctx_t *xfr) {
+	isc_result_t result;
+	char *journalfile;
+
+	if (xfr->reqtype != dns_rdatatype_ixfr) {
+		xfrin_log(xfr, ISC_LOG_ERROR,
+			  "got incremental response to AXFR request");
+		return (DNS_R_FORMERR);
+	}
+
+	xfr->is_ixfr = true;
+	INSIST(xfr->db != NULL);
+	xfr->difflen = 0;
+
+	journalfile = dns_zone_getjournal(xfr->zone);
+	if (journalfile != NULL) {
+		CHECK(dns_journal_open(xfr->mctx, journalfile,
+				       DNS_JOURNAL_CREATE, &xfr->ixfr.journal));
+	}
+
+	result = ISC_R_SUCCESS;
+failure:
+	return (result);
+}
+
+static isc_result_t
+ixfr_putdata(dns_xfrin_ctx_t *xfr, dns_diffop_t op, dns_name_t *name,
+	     dns_ttl_t ttl, dns_rdata_t *rdata) {
+	isc_result_t result;
+	dns_difftuple_t *tuple = NULL;
+
+	if (rdata->rdclass != xfr->rdclass) {
+		return (DNS_R_BADCLASS);
+	}
+
+	if (op == DNS_DIFFOP_ADD) {
+		CHECK(dns_zone_checknames(xfr->zone, name, rdata));
+	}
+	CHECK(dns_difftuple_create(xfr->diff.mctx, op, name, ttl, rdata,
+				   &tuple));
+	dns_diff_append(&xfr->diff, &tuple);
+	if (++xfr->difflen > 100) {
+		CHECK(ixfr_apply(xfr));
+	}
+	result = ISC_R_SUCCESS;
+failure:
+	return (result);
+}
+
+/*
+ * Apply a set of IXFR changes to the database.
+ */
+static isc_result_t
+ixfr_apply(dns_xfrin_ctx_t *xfr) {
+	isc_result_t result;
+	uint64_t records;
+
+	if (xfr->ver == NULL) {
+		CHECK(dns_db_newversion(xfr->db, &xfr->ver));
+		if (xfr->ixfr.journal != NULL) {
+			CHECK(dns_journal_begin_transaction(xfr->ixfr.journal));
+		}
+	}
+	CHECK(dns_diff_apply(&xfr->diff, xfr->db, xfr->ver));
+	if (xfr->maxrecords != 0U) {
+		result = dns_db_getsize(xfr->db, xfr->ver, &records, NULL);
+		if (result == ISC_R_SUCCESS && records > xfr->maxrecords) {
+			result = DNS_R_TOOMANYRECORDS;
+			goto failure;
+		}
+	}
+	if (xfr->ixfr.journal != NULL) {
+		result = dns_journal_writediff(xfr->ixfr.journal, &xfr->diff);
+		if (result != ISC_R_SUCCESS) {
+			goto failure;
+		}
+	}
+	dns_diff_clear(&xfr->diff);
+	xfr->difflen = 0;
+	result = ISC_R_SUCCESS;
+failure:
+	return (result);
+}
+
+static isc_result_t
+ixfr_commit(dns_xfrin_ctx_t *xfr) {
+	isc_result_t result;
+
+	CHECK(ixfr_apply(xfr));
+	if (xfr->ver != NULL) {
+		CHECK(dns_zone_verifydb(xfr->zone, xfr->db, xfr->ver));
+		/* XXX enter ready-to-commit state here */
+		if (xfr->ixfr.journal != NULL) {
+			CHECK(dns_journal_commit(xfr->ixfr.journal));
+		}
+		dns_db_closeversion(xfr->db, &xfr->ver, true);
+		dns_zone_markdirty(xfr->zone);
+	}
+	result = ISC_R_SUCCESS;
+failure:
+	return (result);
+}
+
+/**************************************************************************/
+/*
+ * Common AXFR/IXFR protocol code
+ */
+
+/*
+ * Handle a single incoming resource record according to the current
+ * state.
+ */
+static isc_result_t
+xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name, uint32_t ttl,
+       dns_rdata_t *rdata) {
+	isc_result_t result;
+
+	xfr->nrecs++;
+
+	if (rdata->type == dns_rdatatype_none ||
+	    dns_rdatatype_ismeta(rdata->type))
+	{
+		FAIL(DNS_R_FORMERR);
+	}
+
+	/*
+	 * Immediately reject the entire transfer if the RR that is currently
+	 * being processed is an SOA record that is not placed at the zone
+	 * apex.
+	 */
+	if (rdata->type == dns_rdatatype_soa &&
+	    !dns_name_equal(&xfr->name, name))
+	{
+		char namebuf[DNS_NAME_FORMATSIZE];
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		xfrin_log(xfr, ISC_LOG_DEBUG(3), "SOA name mismatch: '%s'",
+			  namebuf);
+		FAIL(DNS_R_NOTZONETOP);
+	}
+
+redo:
+	switch (xfr->state) {
+	case XFRST_SOAQUERY:
+		if (rdata->type != dns_rdatatype_soa) {
+			xfrin_log(xfr, ISC_LOG_ERROR,
+				  "non-SOA response to SOA query");
+			FAIL(DNS_R_FORMERR);
+		}
+		xfr->end_serial = dns_soa_getserial(rdata);
+		if (!DNS_SERIAL_GT(xfr->end_serial, xfr->ixfr.request_serial) &&
+		    !dns_zone_isforced(xfr->zone))
+		{
+			xfrin_log(xfr, ISC_LOG_DEBUG(3),
+				  "requested serial %u, "
+				  "master has %u, not updating",
+				  xfr->ixfr.request_serial, xfr->end_serial);
+			FAIL(DNS_R_UPTODATE);
+		}
+		xfr->state = XFRST_GOTSOA;
+		break;
+
+	case XFRST_GOTSOA:
+		/*
+		 * Skip other records in the answer section.
+		 */
+		break;
+
+	case XFRST_INITIALSOA:
+		if (rdata->type != dns_rdatatype_soa) {
+			xfrin_log(xfr, ISC_LOG_ERROR,
+				  "first RR in zone transfer must be SOA");
+			FAIL(DNS_R_FORMERR);
+		}
+		/*
+		 * Remember the serial number in the initial SOA.
+		 * We need it to recognize the end of an IXFR.
+		 */
+		xfr->end_serial = dns_soa_getserial(rdata);
+		if (xfr->reqtype == dns_rdatatype_ixfr &&
+		    !DNS_SERIAL_GT(xfr->end_serial, xfr->ixfr.request_serial) &&
+		    !dns_zone_isforced(xfr->zone))
+		{
+			/*
+			 * This must be the single SOA record that is
+			 * sent when the current version on the master
+			 * is not newer than the version in the request.
+			 */
+			xfrin_log(xfr, ISC_LOG_DEBUG(3),
+				  "requested serial %u, "
+				  "master has %u, not updating",
+				  xfr->ixfr.request_serial, xfr->end_serial);
+			FAIL(DNS_R_UPTODATE);
+		}
+		if (xfr->reqtype == dns_rdatatype_axfr) {
+			xfr->checkid = false;
+		}
+		xfr->firstsoa = *rdata;
+		if (xfr->firstsoa_data != NULL) {
+			isc_mem_free(xfr->mctx, xfr->firstsoa_data);
+		}
+		xfr->firstsoa_data = isc_mem_allocate(xfr->mctx, rdata->length);
+		memcpy(xfr->firstsoa_data, rdata->data, rdata->length);
+		xfr->firstsoa.data = xfr->firstsoa_data;
+		xfr->state = XFRST_FIRSTDATA;
+		break;
+
+	case XFRST_FIRSTDATA:
+		/*
+		 * If the transfer begins with one SOA record, it is an AXFR,
+		 * if it begins with two SOAs, it is an IXFR.
+		 */
+		if (xfr->reqtype == dns_rdatatype_ixfr &&
+		    rdata->type == dns_rdatatype_soa &&
+		    xfr->ixfr.request_serial == dns_soa_getserial(rdata))
+		{
+			xfrin_log(xfr, ISC_LOG_DEBUG(3),
+				  "got incremental response");
+			CHECK(ixfr_init(xfr));
+			xfr->state = XFRST_IXFR_DELSOA;
+		} else {
+			xfrin_log(xfr, ISC_LOG_DEBUG(3),
+				  "got nonincremental response");
+			CHECK(axfr_init(xfr));
+			xfr->state = XFRST_AXFR;
+		}
+		goto redo;
+
+	case XFRST_IXFR_DELSOA:
+		INSIST(rdata->type == dns_rdatatype_soa);
+		CHECK(ixfr_putdata(xfr, DNS_DIFFOP_DEL, name, ttl, rdata));
+		xfr->state = XFRST_IXFR_DEL;
+		break;
+
+	case XFRST_IXFR_DEL:
+		if (rdata->type == dns_rdatatype_soa) {
+			uint32_t soa_serial = dns_soa_getserial(rdata);
+			xfr->state = XFRST_IXFR_ADDSOA;
+			xfr->ixfr.current_serial = soa_serial;
+			goto redo;
+		}
+		CHECK(ixfr_putdata(xfr, DNS_DIFFOP_DEL, name, ttl, rdata));
+		break;
+
+	case XFRST_IXFR_ADDSOA:
+		INSIST(rdata->type == dns_rdatatype_soa);
+		CHECK(ixfr_putdata(xfr, DNS_DIFFOP_ADD, name, ttl, rdata));
+		xfr->state = XFRST_IXFR_ADD;
+		break;
+
+	case XFRST_IXFR_ADD:
+		if (rdata->type == dns_rdatatype_soa) {
+			uint32_t soa_serial = dns_soa_getserial(rdata);
+			if (soa_serial == xfr->end_serial) {
+				CHECK(ixfr_commit(xfr));
+				xfr->state = XFRST_IXFR_END;
+				break;
+			} else if (soa_serial != xfr->ixfr.current_serial) {
+				xfrin_log(xfr, ISC_LOG_ERROR,
+					  "IXFR out of sync: "
+					  "expected serial %u, got %u",
+					  xfr->ixfr.current_serial, soa_serial);
+				FAIL(DNS_R_FORMERR);
+			} else {
+				CHECK(ixfr_commit(xfr));
+				xfr->state = XFRST_IXFR_DELSOA;
+				goto redo;
+			}
+		}
+		if (rdata->type == dns_rdatatype_ns &&
+		    dns_name_iswildcard(name))
+		{
+			FAIL(DNS_R_INVALIDNS);
+		}
+		CHECK(ixfr_putdata(xfr, DNS_DIFFOP_ADD, name, ttl, rdata));
+		break;
+
+	case XFRST_AXFR:
+		/*
+		 * Old BINDs sent cross class A records for non IN classes.
+		 */
+		if (rdata->type == dns_rdatatype_a &&
+		    rdata->rdclass != xfr->rdclass &&
+		    xfr->rdclass != dns_rdataclass_in)
+		{
+			break;
+		}
+		CHECK(axfr_putdata(xfr, DNS_DIFFOP_ADD, name, ttl, rdata));
+		if (rdata->type == dns_rdatatype_soa) {
+			/*
+			 * Use dns_rdata_compare instead of memcmp to
+			 * allow for case differences.
+			 */
+			if (dns_rdata_compare(rdata, &xfr->firstsoa) != 0) {
+				xfrin_log(xfr, ISC_LOG_ERROR,
+					  "start and ending SOA records "
+					  "mismatch");
+				FAIL(DNS_R_FORMERR);
+			}
+			CHECK(axfr_commit(xfr));
+			xfr->state = XFRST_AXFR_END;
+			break;
+		}
+		break;
+	case XFRST_AXFR_END:
+	case XFRST_IXFR_END:
+		FAIL(DNS_R_EXTRADATA);
+		FALLTHROUGH;
+	default:
+		UNREACHABLE();
+	}
+	result = ISC_R_SUCCESS;
+failure:
+	return (result);
+}
+
+isc_result_t
+dns_xfrin_create(dns_zone_t *zone, dns_rdatatype_t xfrtype,
+		 const isc_sockaddr_t *masteraddr,
+		 const isc_sockaddr_t *sourceaddr, isc_dscp_t dscp,
+		 dns_tsigkey_t *tsigkey, isc_mem_t *mctx,
+		 isc_timermgr_t *timermgr, isc_socketmgr_t *socketmgr,
+		 isc_task_t *task, dns_xfrindone_t done,
+		 dns_xfrin_ctx_t **xfrp) {
+	dns_name_t *zonename = dns_zone_getorigin(zone);
+	dns_xfrin_ctx_t *xfr = NULL;
+	isc_result_t result;
+	dns_db_t *db = NULL;
+
+	REQUIRE(xfrp != NULL && *xfrp == NULL);
+
+	(void)dns_zone_getdb(zone, &db);
+
+	if (xfrtype == dns_rdatatype_soa || xfrtype == dns_rdatatype_ixfr) {
+		REQUIRE(db != NULL);
+	}
+
+	CHECK(xfrin_create(mctx, zone, db, task, timermgr, socketmgr, zonename,
+			   dns_zone_getclass(zone), xfrtype, masteraddr,
+			   sourceaddr, dscp, tsigkey, &xfr));
+
+	if (db != NULL) {
+		xfr->zone_had_db = true;
+	}
+
+	CHECK(xfrin_start(xfr));
+
+	xfr->done = done;
+	if (xfr->done != NULL) {
+		xfr->refcount++;
+	}
+	*xfrp = xfr;
+
+failure:
+	if (db != NULL) {
+		dns_db_detach(&db);
+	}
+	if (result != ISC_R_SUCCESS) {
+		char zonetext[DNS_NAME_MAXTEXT + 32];
+		dns_zone_name(zone, zonetext, sizeof(zonetext));
+		xfrin_log1(ISC_LOG_ERROR, zonetext, masteraddr,
+			   "zone transfer setup failed");
+	}
+	return (result);
+}
+
+void
+dns_xfrin_shutdown(dns_xfrin_ctx_t *xfr) {
+	if (!xfr->shuttingdown) {
+		xfrin_fail(xfr, ISC_R_CANCELED, "shut down");
+	}
+}
+
+void
+dns_xfrin_attach(dns_xfrin_ctx_t *source, dns_xfrin_ctx_t **target) {
+	REQUIRE(target != NULL && *target == NULL);
+	source->refcount++;
+	*target = source;
+}
+
+void
+dns_xfrin_detach(dns_xfrin_ctx_t **xfrp) {
+	dns_xfrin_ctx_t *xfr = *xfrp;
+	*xfrp = NULL;
+	INSIST(xfr->refcount > 0);
+	xfr->refcount--;
+	maybe_free(xfr);
+}
+
+static void
+xfrin_cancelio(dns_xfrin_ctx_t *xfr) {
+	if (xfr->connects > 0) {
+		isc_socket_cancel(xfr->socket, xfr->task,
+				  ISC_SOCKCANCEL_CONNECT);
+	} else if (xfr->recvs > 0) {
+		dns_tcpmsg_cancelread(&xfr->tcpmsg);
+	} else if (xfr->sends > 0) {
+		isc_socket_cancel(xfr->socket, xfr->task, ISC_SOCKCANCEL_SEND);
+	}
+}
+
+static void
+xfrin_reset(dns_xfrin_ctx_t *xfr) {
+	REQUIRE(VALID_XFRIN(xfr));
+
+	xfrin_log(xfr, ISC_LOG_INFO, "resetting");
+
+	xfrin_cancelio(xfr);
+
+	if (xfr->socket != NULL) {
+		isc_socket_detach(&xfr->socket);
+	}
+
+	if (xfr->lasttsig != NULL) {
+		isc_buffer_free(&xfr->lasttsig);
+	}
+
+	dns_diff_clear(&xfr->diff);
+	xfr->difflen = 0;
+
+	if (xfr->ixfr.journal != NULL) {
+		dns_journal_destroy(&xfr->ixfr.journal);
+	}
+
+	if (xfr->axfr.add_private != NULL) {
+		(void)dns_db_endload(xfr->db, &xfr->axfr);
+	}
+
+	if (xfr->tcpmsg_valid) {
+		dns_tcpmsg_invalidate(&xfr->tcpmsg);
+		xfr->tcpmsg_valid = false;
+	}
+
+	if (xfr->ver != NULL) {
+		dns_db_closeversion(xfr->db, &xfr->ver, false);
+	}
+}
+
+static void
+xfrin_fail(dns_xfrin_ctx_t *xfr, isc_result_t result, const char *msg) {
+	if (result != DNS_R_UPTODATE && result != DNS_R_TOOMANYRECORDS) {
+		xfrin_log(xfr, ISC_LOG_ERROR, "%s: %s", msg,
+			  isc_result_totext(result));
+		if (xfr->is_ixfr) {
+			/* Pass special result code to force AXFR retry */
+			result = DNS_R_BADIXFR;
+		}
+	}
+	xfrin_cancelio(xfr);
+	/*
+	 * Close the journal.
+	 */
+	if (xfr->ixfr.journal != NULL) {
+		dns_journal_destroy(&xfr->ixfr.journal);
+	}
+	if (xfr->done != NULL) {
+		(xfr->done)(xfr->zone, result);
+		xfr->done = NULL;
+	}
+	xfr->shuttingdown = true;
+	xfr->shutdown_result = result;
+	maybe_free(xfr);
+}
+
+static isc_result_t
+xfrin_create(isc_mem_t *mctx, dns_zone_t *zone, dns_db_t *db, isc_task_t *task,
+	     isc_timermgr_t *timermgr, isc_socketmgr_t *socketmgr,
+	     dns_name_t *zonename, dns_rdataclass_t rdclass,
+	     dns_rdatatype_t reqtype, const isc_sockaddr_t *masteraddr,
+	     const isc_sockaddr_t *sourceaddr, isc_dscp_t dscp,
+	     dns_tsigkey_t *tsigkey, dns_xfrin_ctx_t **xfrp) {
+	dns_xfrin_ctx_t *xfr = NULL;
+	isc_result_t result;
+
+	xfr = isc_mem_get(mctx, sizeof(*xfr));
+	xfr->mctx = NULL;
+	isc_mem_attach(mctx, &xfr->mctx);
+	xfr->refcount = 0;
+	xfr->zone = NULL;
+	dns_zone_iattach(zone, &xfr->zone);
+	xfr->task = NULL;
+	isc_task_attach(task, &xfr->task);
+	xfr->timer = NULL;
+	xfr->socketmgr = socketmgr;
+	xfr->done = NULL;
+
+	xfr->connects = 0;
+	xfr->sends = 0;
+	xfr->recvs = 0;
+	xfr->shuttingdown = false;
+	xfr->shutdown_result = ISC_R_UNSET;
+
+	dns_name_init(&xfr->name, NULL);
+	xfr->rdclass = rdclass;
+	xfr->checkid = true;
+	xfr->logit = true;
+	xfr->id = (dns_messageid_t)isc_random16();
+	xfr->reqtype = reqtype;
+	xfr->dscp = dscp;
+
+	/* sockaddr */
+	xfr->socket = NULL;
+	/* qbuffer */
+	/* qbuffer_data */
+	/* tcpmsg */
+	xfr->tcpmsg_valid = false;
+
+	xfr->zone_had_db = false;
+	xfr->db = NULL;
+	if (db != NULL) {
+		dns_db_attach(db, &xfr->db);
+	}
+	xfr->ver = NULL;
+	dns_diff_init(xfr->mctx, &xfr->diff);
+	xfr->difflen = 0;
+
+	if (reqtype == dns_rdatatype_soa) {
+		xfr->state = XFRST_SOAQUERY;
+	} else {
+		xfr->state = XFRST_INITIALSOA;
+	}
+	/* end_serial */
+
+	xfr->nmsg = 0;
+	xfr->nrecs = 0;
+	xfr->nbytes = 0;
+	xfr->maxrecords = dns_zone_getmaxrecords(zone);
+	isc_time_now(&xfr->start);
+
+	xfr->tsigkey = NULL;
+	if (tsigkey != NULL) {
+		dns_tsigkey_attach(tsigkey, &xfr->tsigkey);
+	}
+	xfr->lasttsig = NULL;
+	xfr->tsigctx = NULL;
+	xfr->sincetsig = 0;
+	xfr->is_ixfr = false;
+
+	/* ixfr.request_serial */
+	/* ixfr.current_serial */
+	xfr->ixfr.journal = NULL;
+
+	xfr->axfr.add = NULL;
+	xfr->axfr.add_private = NULL;
+	dns_rdata_init(&xfr->firstsoa);
+	xfr->firstsoa_data = NULL;
+
+	dns_name_dup(zonename, mctx, &xfr->name);
+
+	CHECK(isc_timer_create(timermgr, isc_timertype_inactive, NULL, NULL,
+			       task, xfrin_timeout, xfr, &xfr->timer));
+	CHECK(dns_timer_setidle(xfr->timer, dns_zone_getmaxxfrin(xfr->zone),
+				dns_zone_getidlein(xfr->zone), false));
+
+	xfr->masteraddr = *masteraddr;
+
+	INSIST(isc_sockaddr_pf(masteraddr) == isc_sockaddr_pf(sourceaddr));
+	xfr->sourceaddr = *sourceaddr;
+	isc_sockaddr_setport(&xfr->sourceaddr, 0);
+
+	/*
+	 * Reserve 2 bytes for TCP length at the beginning of the buffer.
+	 */
+	isc_buffer_init(&xfr->qbuffer, &xfr->qbuffer_data[2],
+			sizeof(xfr->qbuffer_data) - 2);
+
+	xfr->magic = XFRIN_MAGIC;
+	*xfrp = xfr;
+	return (ISC_R_SUCCESS);
+
+failure:
+	if (xfr->timer != NULL) {
+		isc_timer_destroy(&xfr->timer);
+	}
+	if (dns_name_dynamic(&xfr->name)) {
+		dns_name_free(&xfr->name, xfr->mctx);
+	}
+	if (xfr->tsigkey != NULL) {
+		dns_tsigkey_detach(&xfr->tsigkey);
+	}
+	if (xfr->db != NULL) {
+		dns_db_detach(&xfr->db);
+	}
+	isc_task_detach(&xfr->task);
+	dns_zone_idetach(&xfr->zone);
+	isc_mem_putanddetach(&xfr->mctx, xfr, sizeof(*xfr));
+
+	return (result);
+}
+
+static isc_result_t
+xfrin_start(dns_xfrin_ctx_t *xfr) {
+	isc_result_t result;
+	CHECK(isc_socket_create(xfr->socketmgr,
+				isc_sockaddr_pf(&xfr->sourceaddr),
+				isc_sockettype_tcp, &xfr->socket));
+	isc_socket_setname(xfr->socket, "xfrin", NULL);
+#ifndef BROKEN_TCP_BIND_BEFORE_CONNECT
+	CHECK(isc_socket_bind(xfr->socket, &xfr->sourceaddr,
+			      ISC_SOCKET_REUSEADDRESS));
+#endif /* ifndef BROKEN_TCP_BIND_BEFORE_CONNECT */
+	isc_socket_dscp(xfr->socket, xfr->dscp);
+	CHECK(isc_socket_connect(xfr->socket, &xfr->masteraddr, xfr->task,
+				 xfrin_connect_done, xfr));
+	xfr->connects++;
+	return (ISC_R_SUCCESS);
+failure:
+	xfrin_fail(xfr, result, "failed setting up socket");
+	return (result);
+}
+
+/* XXX the resolver could use this, too */
+
+static isc_result_t
+render(dns_message_t *msg, isc_mem_t *mctx, isc_buffer_t *buf) {
+	dns_compress_t cctx;
+	bool cleanup_cctx = false;
+	isc_result_t result;
+
+	CHECK(dns_compress_init(&cctx, -1, mctx));
+	cleanup_cctx = true;
+	CHECK(dns_message_renderbegin(msg, &cctx, buf));
+	CHECK(dns_message_rendersection(msg, DNS_SECTION_QUESTION, 0));
+	CHECK(dns_message_rendersection(msg, DNS_SECTION_ANSWER, 0));
+	CHECK(dns_message_rendersection(msg, DNS_SECTION_AUTHORITY, 0));
+	CHECK(dns_message_rendersection(msg, DNS_SECTION_ADDITIONAL, 0));
+	CHECK(dns_message_renderend(msg));
+	result = ISC_R_SUCCESS;
+failure:
+	if (cleanup_cctx) {
+		dns_compress_invalidate(&cctx);
+	}
+	return (result);
+}
+
+/*
+ * A connection has been established.
+ */
+static void
+xfrin_connect_done(isc_task_t *task, isc_event_t *event) {
+	isc_socket_connev_t *cev = (isc_socket_connev_t *)event;
+	dns_xfrin_ctx_t *xfr = (dns_xfrin_ctx_t *)event->ev_arg;
+	isc_result_t result = cev->result;
+	char sourcetext[ISC_SOCKADDR_FORMATSIZE];
+	char signerbuf[DNS_NAME_FORMATSIZE];
+	const char *signer = "", *sep = "";
+	isc_sockaddr_t sockaddr;
+	dns_zonemgr_t *zmgr;
+	isc_time_t now;
+
+	REQUIRE(VALID_XFRIN(xfr));
+
+	UNUSED(task);
+
+	INSIST(event->ev_type == ISC_SOCKEVENT_CONNECT);
+	isc_event_free(&event);
+
+	xfr->connects--;
+	if (xfr->shuttingdown) {
+		maybe_free(xfr);
+		return;
+	}
+
+	zmgr = dns_zone_getmgr(xfr->zone);
+	if (zmgr != NULL) {
+		if (result != ISC_R_SUCCESS) {
+			TIME_NOW(&now);
+			dns_zonemgr_unreachableadd(zmgr, &xfr->masteraddr,
+						   &xfr->sourceaddr, &now);
+			goto failure;
+		} else {
+			dns_zonemgr_unreachabledel(zmgr, &xfr->masteraddr,
+						   &xfr->sourceaddr);
+		}
+	}
+
+	result = isc_socket_getsockname(xfr->socket, &sockaddr);
+	if (result == ISC_R_SUCCESS) {
+		isc_sockaddr_format(&sockaddr, sourcetext, sizeof(sourcetext));
+	} else {
+		strlcpy(sourcetext, "<UNKNOWN>", sizeof(sourcetext));
+	}
+
+	if (xfr->tsigkey != NULL && xfr->tsigkey->key != NULL) {
+		dns_name_format(dst_key_name(xfr->tsigkey->key), signerbuf,
+				sizeof(signerbuf));
+		sep = " TSIG ";
+		signer = signerbuf;
+	}
+
+	xfrin_log(xfr, ISC_LOG_INFO, "connected using %s%s%s", sourcetext, sep,
+		  signer);
+
+	dns_tcpmsg_init(xfr->mctx, xfr->socket, &xfr->tcpmsg);
+	xfr->tcpmsg_valid = true;
+
+	CHECK(xfrin_send_request(xfr));
+failure:
+	if (result != ISC_R_SUCCESS) {
+		xfrin_fail(xfr, result, "failed to connect");
+	}
+}
+
+/*
+ * Convert a tuple into a dns_name_t suitable for inserting
+ * into the given dns_message_t.
+ */
+static isc_result_t
+tuple2msgname(dns_difftuple_t *tuple, dns_message_t *msg, dns_name_t **target) {
+	isc_result_t result;
+	dns_rdata_t *rdata = NULL;
+	dns_rdatalist_t *rdl = NULL;
+	dns_rdataset_t *rds = NULL;
+	dns_name_t *name = NULL;
+
+	REQUIRE(target != NULL && *target == NULL);
+
+	CHECK(dns_message_gettemprdata(msg, &rdata));
+	dns_rdata_init(rdata);
+	dns_rdata_clone(&tuple->rdata, rdata);
+
+	CHECK(dns_message_gettemprdatalist(msg, &rdl));
+	dns_rdatalist_init(rdl);
+	rdl->type = tuple->rdata.type;
+	rdl->rdclass = tuple->rdata.rdclass;
+	rdl->ttl = tuple->ttl;
+	ISC_LIST_APPEND(rdl->rdata, rdata, link);
+
+	CHECK(dns_message_gettemprdataset(msg, &rds));
+	CHECK(dns_rdatalist_tordataset(rdl, rds));
+
+	CHECK(dns_message_gettempname(msg, &name));
+	dns_name_clone(&tuple->name, name);
+	ISC_LIST_APPEND(name->list, rds, link);
+
+	*target = name;
+	return (ISC_R_SUCCESS);
+
+failure:
+
+	if (rds != NULL) {
+		dns_rdataset_disassociate(rds);
+		dns_message_puttemprdataset(msg, &rds);
+	}
+	if (rdl != NULL) {
+		ISC_LIST_UNLINK(rdl->rdata, rdata, link);
+		dns_message_puttemprdatalist(msg, &rdl);
+	}
+	if (rdata != NULL) {
+		dns_message_puttemprdata(msg, &rdata);
+	}
+
+	return (result);
+}
+
+/*
+ * Build an *XFR request and send its length prefix.
+ */
+static isc_result_t
+xfrin_send_request(dns_xfrin_ctx_t *xfr) {
+	isc_result_t result;
+	isc_region_t region;
+	dns_rdataset_t *qrdataset = NULL;
+	dns_message_t *msg = NULL;
+	dns_difftuple_t *soatuple = NULL;
+	dns_name_t *qname = NULL;
+	dns_dbversion_t *ver = NULL;
+	dns_name_t *msgsoaname = NULL;
+
+	/* Create the request message */
+	dns_message_create(xfr->mctx, DNS_MESSAGE_INTENTRENDER, &msg);
+	CHECK(dns_message_settsigkey(msg, xfr->tsigkey));
+
+	/* Create a name for the question section. */
+	CHECK(dns_message_gettempname(msg, &qname));
+	dns_name_clone(&xfr->name, qname);
+
+	/* Formulate the question and attach it to the question name. */
+	CHECK(dns_message_gettemprdataset(msg, &qrdataset));
+	dns_rdataset_makequestion(qrdataset, xfr->rdclass, xfr->reqtype);
+	ISC_LIST_APPEND(qname->list, qrdataset, link);
+	qrdataset = NULL;
+
+	dns_message_addname(msg, qname, DNS_SECTION_QUESTION);
+	qname = NULL;
+
+	if (xfr->reqtype == dns_rdatatype_ixfr) {
+		/* Get the SOA and add it to the authority section. */
+		/* XXX is using the current version the right thing? */
+		dns_db_currentversion(xfr->db, &ver);
+		CHECK(dns_db_createsoatuple(xfr->db, ver, xfr->mctx,
+					    DNS_DIFFOP_EXISTS, &soatuple));
+		xfr->ixfr.request_serial = dns_soa_getserial(&soatuple->rdata);
+		xfr->ixfr.current_serial = xfr->ixfr.request_serial;
+		xfrin_log(xfr, ISC_LOG_DEBUG(3),
+			  "requesting IXFR for serial %u",
+			  xfr->ixfr.request_serial);
+
+		CHECK(tuple2msgname(soatuple, msg, &msgsoaname));
+		dns_message_addname(msg, msgsoaname, DNS_SECTION_AUTHORITY);
+	} else if (xfr->reqtype == dns_rdatatype_soa) {
+		CHECK(dns_db_getsoaserial(xfr->db, NULL,
+					  &xfr->ixfr.request_serial));
+	}
+
+	xfr->checkid = true;
+	xfr->logit = true;
+	xfr->id++;
+	xfr->nmsg = 0;
+	xfr->nrecs = 0;
+	xfr->nbytes = 0;
+	isc_time_now(&xfr->start);
+	msg->id = xfr->id;
+	if (xfr->tsigctx != NULL) {
+		dst_context_destroy(&xfr->tsigctx);
+	}
+
+	CHECK(render(msg, xfr->mctx, &xfr->qbuffer));
+
+	/*
+	 * Free the last tsig, if there is one.
+	 */
+	if (xfr->lasttsig != NULL) {
+		isc_buffer_free(&xfr->lasttsig);
+	}
+
+	/*
+	 * Save the query TSIG and don't let message_destroy free it.
+	 */
+	CHECK(dns_message_getquerytsig(msg, xfr->mctx, &xfr->lasttsig));
+
+	isc_buffer_usedregion(&xfr->qbuffer, &region);
+	INSIST(region.length <= 65535);
+
+	/*
+	 * Record message length and adjust region to include TCP
+	 * length field.
+	 */
+	xfr->qbuffer_data[0] = (region.length >> 8) & 0xff;
+	xfr->qbuffer_data[1] = region.length & 0xff;
+	region.base -= 2;
+	region.length += 2;
+	CHECK(isc_socket_send(xfr->socket, &region, xfr->task, xfrin_send_done,
+			      xfr));
+	xfr->sends++;
+
+failure:
+	if (qname != NULL) {
+		dns_message_puttempname(msg, &qname);
+	}
+	if (qrdataset != NULL) {
+		dns_message_puttemprdataset(msg, &qrdataset);
+	}
+	if (msg != NULL) {
+		dns_message_detach(&msg);
+	}
+	if (soatuple != NULL) {
+		dns_difftuple_free(&soatuple);
+	}
+	if (ver != NULL) {
+		dns_db_closeversion(xfr->db, &ver, false);
+	}
+	return (result);
+}
+
+static void
+xfrin_send_done(isc_task_t *task, isc_event_t *event) {
+	isc_socketevent_t *sev = (isc_socketevent_t *)event;
+	dns_xfrin_ctx_t *xfr = (dns_xfrin_ctx_t *)event->ev_arg;
+	isc_result_t result;
+
+	REQUIRE(VALID_XFRIN(xfr));
+
+	UNUSED(task);
+
+	INSIST(event->ev_type == ISC_SOCKEVENT_SENDDONE);
+
+	xfr->sends--;
+	xfrin_log(xfr, ISC_LOG_DEBUG(3), "sent request data");
+	CHECK(sev->result);
+
+	CHECK(dns_tcpmsg_readmessage(&xfr->tcpmsg, xfr->task, xfrin_recv_done,
+				     xfr));
+	xfr->recvs++;
+failure:
+	isc_event_free(&event);
+	if (result != ISC_R_SUCCESS) {
+		xfrin_fail(xfr, result, "failed sending request data");
+	}
+}
+
+static void
+xfrin_recv_done(isc_task_t *task, isc_event_t *ev) {
+	dns_xfrin_ctx_t *xfr = (dns_xfrin_ctx_t *)ev->ev_arg;
+	isc_result_t result;
+	dns_message_t *msg = NULL;
+	dns_name_t *name;
+	dns_tcpmsg_t *tcpmsg;
+	const dns_name_t *tsigowner = NULL;
+
+	REQUIRE(VALID_XFRIN(xfr));
+
+	UNUSED(task);
+
+	INSIST(ev->ev_type == DNS_EVENT_TCPMSG);
+	tcpmsg = ev->ev_sender;
+	isc_event_free(&ev);
+
+	xfr->recvs--;
+	if (xfr->shuttingdown) {
+		maybe_free(xfr);
+		return;
+	}
+
+	CHECK(tcpmsg->result);
+
+	xfrin_log(xfr, ISC_LOG_DEBUG(7), "received %u bytes",
+		  tcpmsg->buffer.used);
+
+	CHECK(isc_timer_touch(xfr->timer));
+
+	dns_message_create(xfr->mctx, DNS_MESSAGE_INTENTPARSE, &msg);
+
+	CHECK(dns_message_settsigkey(msg, xfr->tsigkey));
+	CHECK(dns_message_setquerytsig(msg, xfr->lasttsig));
+
+	msg->tsigctx = xfr->tsigctx;
+	xfr->tsigctx = NULL;
+
+	dns_message_setclass(msg, xfr->rdclass);
+
+	if (xfr->nmsg > 0) {
+		msg->tcp_continuation = 1;
+	}
+
+	result = dns_message_parse(msg, &tcpmsg->buffer,
+				   DNS_MESSAGEPARSE_PRESERVEORDER);
+
+	if (result == ISC_R_SUCCESS) {
+		dns_message_logpacket(msg, "received message from",
+				      &tcpmsg->address, DNS_LOGCATEGORY_XFER_IN,
+				      DNS_LOGMODULE_XFER_IN, ISC_LOG_DEBUG(10),
+				      xfr->mctx);
+	} else {
+		xfrin_log(xfr, ISC_LOG_DEBUG(10), "dns_message_parse: %s",
+			  dns_result_totext(result));
+	}
+
+	if (result != ISC_R_SUCCESS || msg->rcode != dns_rcode_noerror ||
+	    msg->opcode != dns_opcode_query || msg->rdclass != xfr->rdclass ||
+	    (xfr->checkid && msg->id != xfr->id))
+	{
+		if (result == ISC_R_SUCCESS && msg->rcode != dns_rcode_noerror)
+		{
+			result = ISC_RESULTCLASS_DNSRCODE + msg->rcode; /*XXX*/
+		} else if (result == ISC_R_SUCCESS &&
+			   msg->opcode != dns_opcode_query)
+		{
+			result = DNS_R_UNEXPECTEDOPCODE;
+		} else if (result == ISC_R_SUCCESS &&
+			   msg->rdclass != xfr->rdclass)
+		{
+			result = DNS_R_BADCLASS;
+		} else if (result == ISC_R_SUCCESS || result == DNS_R_NOERROR) {
+			result = DNS_R_UNEXPECTEDID;
+		}
+		if (xfr->reqtype == dns_rdatatype_axfr ||
+		    xfr->reqtype == dns_rdatatype_soa)
+		{
+			goto failure;
+		}
+		xfrin_log(xfr, ISC_LOG_DEBUG(3), "got %s, retrying with AXFR",
+			  isc_result_totext(result));
+	try_axfr:
+		dns_message_detach(&msg);
+		xfrin_reset(xfr);
+		xfr->reqtype = dns_rdatatype_soa;
+		xfr->state = XFRST_SOAQUERY;
+		(void)xfrin_start(xfr);
+		return;
+	} else if (!xfr->checkid && msg->id != xfr->id && xfr->logit) {
+		xfrin_log(xfr, ISC_LOG_WARNING,
+			  "detected message ID mismatch on incoming AXFR "
+			  "stream, transfer will fail in BIND 9.17.2 and "
+			  "later if AXFR source is not fixed");
+		xfr->logit = false;
+	}
+
+	/*
+	 * Does the server know about IXFR?  If it doesn't we will get
+	 * a message with a empty answer section or a potentially a CNAME /
+	 * DNAME, the later is handled by xfr_rr() which will return FORMERR
+	 * if the first RR in the answer section is not a SOA record.
+	 */
+	if (xfr->reqtype == dns_rdatatype_ixfr &&
+	    xfr->state == XFRST_INITIALSOA &&
+	    msg->counts[DNS_SECTION_ANSWER] == 0)
+	{
+		xfrin_log(xfr, ISC_LOG_DEBUG(3),
+			  "empty answer section, retrying with AXFR");
+		goto try_axfr;
+	}
+
+	if (xfr->reqtype == dns_rdatatype_soa &&
+	    (msg->flags & DNS_MESSAGEFLAG_AA) == 0)
+	{
+		FAIL(DNS_R_NOTAUTHORITATIVE);
+	}
+
+	result = dns_message_checksig(msg, dns_zone_getview(xfr->zone));
+	if (result != ISC_R_SUCCESS) {
+		xfrin_log(xfr, ISC_LOG_DEBUG(3), "TSIG check failed: %s",
+			  isc_result_totext(result));
+		goto failure;
+	}
+
+	for (result = dns_message_firstname(msg, DNS_SECTION_ANSWER);
+	     result == ISC_R_SUCCESS;
+	     result = dns_message_nextname(msg, DNS_SECTION_ANSWER))
+	{
+		dns_rdataset_t *rds;
+
+		name = NULL;
+		dns_message_currentname(msg, DNS_SECTION_ANSWER, &name);
+		for (rds = ISC_LIST_HEAD(name->list); rds != NULL;
+		     rds = ISC_LIST_NEXT(rds, link))
+		{
+			for (result = dns_rdataset_first(rds);
+			     result == ISC_R_SUCCESS;
+			     result = dns_rdataset_next(rds))
+			{
+				dns_rdata_t rdata = DNS_RDATA_INIT;
+				dns_rdataset_current(rds, &rdata);
+				CHECK(xfr_rr(xfr, name, rds->ttl, &rdata));
+			}
+		}
+	}
+	if (result != ISC_R_NOMORE) {
+		goto failure;
+	}
+
+	if (dns_message_gettsig(msg, &tsigowner) != NULL) {
+		/*
+		 * Reset the counter.
+		 */
+		xfr->sincetsig = 0;
+
+		/*
+		 * Free the last tsig, if there is one.
+		 */
+		if (xfr->lasttsig != NULL) {
+			isc_buffer_free(&xfr->lasttsig);
+		}
+
+		/*
+		 * Update the last tsig pointer.
+		 */
+		CHECK(dns_message_getquerytsig(msg, xfr->mctx, &xfr->lasttsig));
+	} else if (dns_message_gettsigkey(msg) != NULL) {
+		xfr->sincetsig++;
+		if (xfr->sincetsig > 100 || xfr->nmsg == 0 ||
+		    xfr->state == XFRST_AXFR_END ||
+		    xfr->state == XFRST_IXFR_END)
+		{
+			result = DNS_R_EXPECTEDTSIG;
+			goto failure;
+		}
+	}
+
+	/*
+	 * Update the number of messages received.
+	 */
+	xfr->nmsg++;
+
+	/*
+	 * Update the number of bytes received.
+	 */
+	xfr->nbytes += tcpmsg->buffer.used;
+
+	/*
+	 * Take the context back.
+	 */
+	INSIST(xfr->tsigctx == NULL);
+	xfr->tsigctx = msg->tsigctx;
+	msg->tsigctx = NULL;
+
+	dns_message_detach(&msg);
+
+	switch (xfr->state) {
+	case XFRST_GOTSOA:
+		xfr->reqtype = dns_rdatatype_axfr;
+		xfr->state = XFRST_INITIALSOA;
+		CHECK(xfrin_send_request(xfr));
+		break;
+	case XFRST_AXFR_END:
+		CHECK(axfr_finalize(xfr));
+		FALLTHROUGH;
+	case XFRST_IXFR_END:
+		/*
+		 * Close the journal.
+		 */
+		if (xfr->ixfr.journal != NULL) {
+			dns_journal_destroy(&xfr->ixfr.journal);
+		}
+
+		/*
+		 * Inform the caller we succeeded.
+		 */
+		if (xfr->done != NULL) {
+			(xfr->done)(xfr->zone, ISC_R_SUCCESS);
+			xfr->done = NULL;
+		}
+		/*
+		 * We should have no outstanding events at this
+		 * point, thus maybe_free() should succeed.
+		 */
+		xfr->shuttingdown = true;
+		xfr->shutdown_result = ISC_R_SUCCESS;
+		maybe_free(xfr);
+		break;
+	default:
+		/*
+		 * Read the next message.
+		 */
+		CHECK(dns_tcpmsg_readmessage(&xfr->tcpmsg, xfr->task,
+					     xfrin_recv_done, xfr));
+		xfr->recvs++;
+	}
+	return;
+
+failure:
+	if (msg != NULL) {
+		dns_message_detach(&msg);
+	}
+	if (result != ISC_R_SUCCESS) {
+		xfrin_fail(xfr, result, "failed while receiving responses");
+	}
+}
+
+static void
+xfrin_timeout(isc_task_t *task, isc_event_t *event) {
+	dns_xfrin_ctx_t *xfr = (dns_xfrin_ctx_t *)event->ev_arg;
+
+	REQUIRE(VALID_XFRIN(xfr));
+
+	UNUSED(task);
+
+	isc_event_free(&event);
+	/*
+	 * This will log "giving up: timeout".
+	 */
+	xfrin_fail(xfr, ISC_R_TIMEDOUT, "giving up");
+}
+
+static void
+maybe_free(dns_xfrin_ctx_t *xfr) {
+	uint64_t msecs;
+	uint64_t persec;
+	const char *result_str;
+
+	REQUIRE(VALID_XFRIN(xfr));
+
+	if (!xfr->shuttingdown || xfr->refcount != 0 || xfr->connects != 0 ||
+	    xfr->sends != 0 || xfr->recvs != 0)
+	{
+		return;
+	}
+
+	INSIST(!xfr->shuttingdown || xfr->shutdown_result != ISC_R_UNSET);
+
+	/* If we're called through dns_xfrin_detach() and are not
+	 * shutting down, we can't know what the transfer status is as
+	 * we are only called when the last reference is lost.
+	 */
+	result_str = (xfr->shuttingdown
+			      ? isc_result_totext(xfr->shutdown_result)
+			      : "unknown");
+	xfrin_log(xfr, ISC_LOG_INFO, "Transfer status: %s", result_str);
+
+	/*
+	 * Calculate the length of time the transfer took,
+	 * and print a log message with the bytes and rate.
+	 */
+	isc_time_now(&xfr->end);
+	msecs = isc_time_microdiff(&xfr->end, &xfr->start) / 1000;
+	if (msecs == 0) {
+		msecs = 1;
+	}
+	persec = (xfr->nbytes * 1000) / msecs;
+	xfrin_log(xfr, ISC_LOG_INFO,
+		  "Transfer completed: %d messages, %d records, "
+		  "%" PRIu64 " bytes, "
+		  "%u.%03u secs (%u bytes/sec) (serial %u)",
+		  xfr->nmsg, xfr->nrecs, xfr->nbytes,
+		  (unsigned int)(msecs / 1000), (unsigned int)(msecs % 1000),
+		  (unsigned int)persec, xfr->end_serial);
+
+	if (xfr->socket != NULL) {
+		isc_socket_detach(&xfr->socket);
+	}
+
+	if (xfr->timer != NULL) {
+		isc_timer_destroy(&xfr->timer);
+	}
+
+	if (xfr->task != NULL) {
+		isc_task_detach(&xfr->task);
+	}
+
+	if (xfr->tsigkey != NULL) {
+		dns_tsigkey_detach(&xfr->tsigkey);
+	}
+
+	if (xfr->lasttsig != NULL) {
+		isc_buffer_free(&xfr->lasttsig);
+	}
+
+	dns_diff_clear(&xfr->diff);
+
+	if (xfr->ixfr.journal != NULL) {
+		dns_journal_destroy(&xfr->ixfr.journal);
+	}
+
+	if (xfr->axfr.add_private != NULL) {
+		(void)dns_db_endload(xfr->db, &xfr->axfr);
+	}
+
+	if (xfr->tcpmsg_valid) {
+		dns_tcpmsg_invalidate(&xfr->tcpmsg);
+	}
+
+	if (xfr->tsigctx != NULL) {
+		dst_context_destroy(&xfr->tsigctx);
+	}
+
+	if ((xfr->name.attributes & DNS_NAMEATTR_DYNAMIC) != 0) {
+		dns_name_free(&xfr->name, xfr->mctx);
+	}
+
+	if (xfr->ver != NULL) {
+		dns_db_closeversion(xfr->db, &xfr->ver, false);
+	}
+
+	if (xfr->db != NULL) {
+		dns_db_detach(&xfr->db);
+	}
+
+	if (xfr->zone != NULL) {
+		if (!xfr->zone_had_db && xfr->shuttingdown &&
+		    xfr->shutdown_result == ISC_R_SUCCESS &&
+		    dns_zone_gettype(xfr->zone) == dns_zone_mirror)
+		{
+			dns_zone_log(xfr->zone, ISC_LOG_INFO,
+				     "mirror zone is now in use");
+		}
+		xfrin_log(xfr, ISC_LOG_DEBUG(99), "freeing transfer context");
+		/*
+		 * xfr->zone must not be detached before xfrin_log() is called.
+		 */
+		dns_zone_idetach(&xfr->zone);
+	}
+
+	if (xfr->firstsoa_data != NULL) {
+		isc_mem_free(xfr->mctx, xfr->firstsoa_data);
+	}
+
+	isc_mem_putanddetach(&xfr->mctx, xfr, sizeof(*xfr));
+}
+
+/*
+ * Log incoming zone transfer messages in a format like
+ * transfer of <zone> from <address>: <message>
+ */
+static void
+xfrin_logv(int level, const char *zonetext, const isc_sockaddr_t *masteraddr,
+	   const char *fmt, va_list ap) {
+	char mastertext[ISC_SOCKADDR_FORMATSIZE];
+	char msgtext[2048];
+
+	isc_sockaddr_format(masteraddr, mastertext, sizeof(mastertext));
+	vsnprintf(msgtext, sizeof(msgtext), fmt, ap);
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_XFER_IN, DNS_LOGMODULE_XFER_IN,
+		      level, "transfer of '%s' from %s: %s", zonetext,
+		      mastertext, msgtext);
+}
+
+/*
+ * Logging function for use when a xfrin_ctx_t has not yet been created.
+ */
+
+static void
+xfrin_log1(int level, const char *zonetext, const isc_sockaddr_t *masteraddr,
+	   const char *fmt, ...) {
+	va_list ap;
+
+	if (!isc_log_wouldlog(dns_lctx, level)) {
+		return;
+	}
+
+	va_start(ap, fmt);
+	xfrin_logv(level, zonetext, masteraddr, fmt, ap);
+	va_end(ap);
+}
+
+/*
+ * Logging function for use when there is a xfrin_ctx_t.
+ */
+
+static void
+xfrin_log(dns_xfrin_ctx_t *xfr, int level, const char *fmt, ...) {
+	va_list ap;
+	char zonetext[DNS_NAME_MAXTEXT + 32];
+
+	if (!isc_log_wouldlog(dns_lctx, level)) {
+		return;
+	}
+
+	dns_zone_name(xfr->zone, zonetext, sizeof(zonetext));
+
+	va_start(ap, fmt);
+	xfrin_logv(level, zonetext, &xfr->masteraddr, fmt, ap);
+	va_end(ap);
+}
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
new file mode 100644
index 0000000..73da12e
--- /dev/null
+++ b/lib/dns/zone.c
@@ -0,0 +1,23609 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <errno.h>
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/atomic.h>
+#include <isc/file.h>
+#include <isc/hex.h>
+#include <isc/md.h>
+#include <isc/mutex.h>
+#include <isc/pool.h>
+#include <isc/print.h>
+#include <isc/random.h>
+#include <isc/ratelimiter.h>
+#include <isc/refcount.h>
+#include <isc/rwlock.h>
+#include <isc/serial.h>
+#include <isc/stats.h>
+#include <isc/stdtime.h>
+#include <isc/strerr.h>
+#include <isc/string.h>
+#include <isc/taskpool.h>
+#include <isc/thread.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/acl.h>
+#include <dns/adb.h>
+#include <dns/callbacks.h>
+#include <dns/catz.h>
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/dlz.h>
+#include <dns/dnssec.h>
+#include <dns/events.h>
+#include <dns/journal.h>
+#include <dns/kasp.h>
+#include <dns/keydata.h>
+#include <dns/keymgr.h>
+#include <dns/keytable.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/master.h>
+#include <dns/masterdump.h>
+#include <dns/message.h>
+#include <dns/name.h>
+#include <dns/nsec.h>
+#include <dns/nsec3.h>
+#include <dns/opcode.h>
+#include <dns/peer.h>
+#include <dns/private.h>
+#include <dns/rcode.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/request.h>
+#include <dns/resolver.h>
+#include <dns/result.h>
+#include <dns/rriterator.h>
+#include <dns/soa.h>
+#include <dns/ssu.h>
+#include <dns/stats.h>
+#include <dns/time.h>
+#include <dns/tsig.h>
+#include <dns/update.h>
+#include <dns/xfrin.h>
+#include <dns/zone.h>
+#include <dns/zoneverify.h>
+#include <dns/zt.h>
+
+#include <dst/dst.h>
+
+#include "zone_p.h"
+
+#define ZONE_MAGIC	     ISC_MAGIC('Z', 'O', 'N', 'E')
+#define DNS_ZONE_VALID(zone) ISC_MAGIC_VALID(zone, ZONE_MAGIC)
+
+#define NOTIFY_MAGIC		 ISC_MAGIC('N', 't', 'f', 'y')
+#define DNS_NOTIFY_VALID(notify) ISC_MAGIC_VALID(notify, NOTIFY_MAGIC)
+
+#define CHECKDS_MAGIC		   ISC_MAGIC('C', 'h', 'D', 'S')
+#define DNS_CHECKDS_VALID(checkds) ISC_MAGIC_VALID(checkds, CHECKDS_MAGIC)
+
+#define STUB_MAGIC	     ISC_MAGIC('S', 't', 'u', 'b')
+#define DNS_STUB_VALID(stub) ISC_MAGIC_VALID(stub, STUB_MAGIC)
+
+#define ZONEMGR_MAGIC		ISC_MAGIC('Z', 'm', 'g', 'r')
+#define DNS_ZONEMGR_VALID(stub) ISC_MAGIC_VALID(stub, ZONEMGR_MAGIC)
+
+#define LOAD_MAGIC	     ISC_MAGIC('L', 'o', 'a', 'd')
+#define DNS_LOAD_VALID(load) ISC_MAGIC_VALID(load, LOAD_MAGIC)
+
+#define FORWARD_MAGIC		ISC_MAGIC('F', 'o', 'r', 'w')
+#define DNS_FORWARD_VALID(load) ISC_MAGIC_VALID(load, FORWARD_MAGIC)
+
+#define IO_MAGIC	   ISC_MAGIC('Z', 'm', 'I', 'O')
+#define DNS_IO_VALID(load) ISC_MAGIC_VALID(load, IO_MAGIC)
+
+#define KEYMGMT_MAGIC		ISC_MAGIC('M', 'g', 'm', 't')
+#define DNS_KEYMGMT_VALID(load) ISC_MAGIC_VALID(load, KEYMGMT_MAGIC)
+
+#define KEYFILEIO_MAGIC		  ISC_MAGIC('K', 'y', 'I', 'O')
+#define DNS_KEYFILEIO_VALID(kfio) ISC_MAGIC_VALID(kfio, KEYFILEIO_MAGIC)
+
+/*%
+ * Ensure 'a' is at least 'min' but not more than 'max'.
+ */
+#define RANGE(a, min, max) (((a) < (min)) ? (min) : ((a) < (max) ? (a) : (max)))
+
+#define NSEC3REMOVE(x) (((x)&DNS_NSEC3FLAG_REMOVE) != 0)
+
+/*%
+ * Key flags
+ */
+#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0)
+#define KSK(x)	  ((dst_key_flags(x) & DNS_KEYFLAG_KSK) != 0)
+#define ID(x)	  dst_key_id(x)
+#define ALG(x)	  dst_key_alg(x)
+
+/*%
+ * KASP flags
+ */
+#define KASP_LOCK(k)                  \
+	if ((k) != NULL) {            \
+		LOCK((&((k)->lock))); \
+	}
+
+#define KASP_UNLOCK(k)                  \
+	if ((k) != NULL) {              \
+		UNLOCK((&((k)->lock))); \
+	}
+
+/*
+ * Default values.
+ */
+#define DNS_DEFAULT_IDLEIN  3600       /*%< 1 hour */
+#define DNS_DEFAULT_IDLEOUT 3600       /*%< 1 hour */
+#define MAX_XFER_TIME	    (2 * 3600) /*%< Documented default is 2 hours */
+#define RESIGN_DELAY	    3600       /*%< 1 hour */
+
+#ifndef DNS_MAX_EXPIRE
+#define DNS_MAX_EXPIRE 14515200 /*%< 24 weeks */
+#endif				/* ifndef DNS_MAX_EXPIRE */
+
+#ifndef DNS_DUMP_DELAY
+#define DNS_DUMP_DELAY 900 /*%< 15 minutes */
+#endif			   /* ifndef DNS_DUMP_DELAY */
+
+typedef struct dns_notify dns_notify_t;
+typedef struct dns_checkds dns_checkds_t;
+typedef struct dns_stub dns_stub_t;
+typedef struct dns_load dns_load_t;
+typedef struct dns_forward dns_forward_t;
+typedef ISC_LIST(dns_forward_t) dns_forwardlist_t;
+typedef struct dns_io dns_io_t;
+typedef ISC_LIST(dns_io_t) dns_iolist_t;
+typedef struct dns_keymgmt dns_keymgmt_t;
+typedef struct dns_signing dns_signing_t;
+typedef ISC_LIST(dns_signing_t) dns_signinglist_t;
+typedef struct dns_nsec3chain dns_nsec3chain_t;
+typedef ISC_LIST(dns_nsec3chain_t) dns_nsec3chainlist_t;
+typedef struct dns_keyfetch dns_keyfetch_t;
+typedef struct dns_asyncload dns_asyncload_t;
+typedef struct dns_include dns_include_t;
+
+#define DNS_ZONE_CHECKLOCK
+#ifdef DNS_ZONE_CHECKLOCK
+#define LOCK_ZONE(z)                  \
+	do {                          \
+		LOCK(&(z)->lock);     \
+		INSIST(!(z)->locked); \
+		(z)->locked = true;   \
+	} while (0)
+#define UNLOCK_ZONE(z)               \
+	do {                         \
+		(z)->locked = false; \
+		UNLOCK(&(z)->lock);  \
+	} while (0)
+#define LOCKED_ZONE(z) ((z)->locked)
+#define TRYLOCK_ZONE(result, z)                         \
+	do {                                            \
+		result = isc_mutex_trylock(&(z)->lock); \
+		if (result == ISC_R_SUCCESS) {          \
+			INSIST(!(z)->locked);           \
+			(z)->locked = true;             \
+		}                                       \
+	} while (0)
+#else /* ifdef DNS_ZONE_CHECKLOCK */
+#define LOCK_ZONE(z)   LOCK(&(z)->lock)
+#define UNLOCK_ZONE(z) UNLOCK(&(z)->lock)
+#define LOCKED_ZONE(z) true
+#define TRYLOCK_ZONE(result, z)                         \
+	do {                                            \
+		result = isc_mutex_trylock(&(z)->lock); \
+	} while (0)
+#endif /* ifdef DNS_ZONE_CHECKLOCK */
+
+#define ZONEDB_INITLOCK(l)    isc_rwlock_init((l), 0, 0)
+#define ZONEDB_DESTROYLOCK(l) isc_rwlock_destroy(l)
+#define ZONEDB_LOCK(l, t)     RWLOCK((l), (t))
+#define ZONEDB_UNLOCK(l, t)   RWUNLOCK((l), (t))
+
+#ifdef ENABLE_AFL
+extern bool dns_fuzzing_resolver;
+#endif /* ifdef ENABLE_AFL */
+
+/*%
+ *	Hold key file IO locks.
+ */
+typedef struct dns_keyfileio {
+	unsigned int magic;
+	struct dns_keyfileio *next;
+	uint32_t hashval;
+	dns_fixedname_t fname;
+	dns_name_t *name;
+	isc_refcount_t references;
+	isc_mutex_t lock;
+} dns_keyfileio_t;
+
+struct dns_keymgmt {
+	unsigned int magic;
+	isc_rwlock_t lock;
+	isc_mem_t *mctx;
+
+	dns_keyfileio_t **table;
+
+	atomic_uint_fast32_t count;
+
+	uint32_t bits;
+};
+
+struct dns_zone {
+	/* Unlocked */
+	unsigned int magic;
+	isc_mutex_t lock;
+#ifdef DNS_ZONE_CHECKLOCK
+	bool locked;
+#endif /* ifdef DNS_ZONE_CHECKLOCK */
+	isc_mem_t *mctx;
+	isc_refcount_t erefs;
+
+	isc_rwlock_t dblock;
+	dns_db_t *db; /* Locked by dblock */
+
+	/* Locked */
+	dns_zonemgr_t *zmgr;
+	ISC_LINK(dns_zone_t) link; /* Used by zmgr. */
+	isc_timer_t *timer;
+	isc_refcount_t irefs;
+	dns_name_t origin;
+	char *masterfile;
+	ISC_LIST(dns_include_t) includes;    /* Include files */
+	ISC_LIST(dns_include_t) newincludes; /* Loading */
+	unsigned int nincludes;
+	dns_masterformat_t masterformat;
+	const dns_master_style_t *masterstyle;
+	char *journal;
+	int32_t journalsize;
+	dns_rdataclass_t rdclass;
+	dns_zonetype_t type;
+	atomic_uint_fast64_t flags;
+	atomic_uint_fast64_t options;
+	unsigned int db_argc;
+	char **db_argv;
+	isc_time_t expiretime;
+	isc_time_t refreshtime;
+	isc_time_t dumptime;
+	isc_time_t loadtime;
+	isc_time_t notifytime;
+	isc_time_t resigntime;
+	isc_time_t keywarntime;
+	isc_time_t signingtime;
+	isc_time_t nsec3chaintime;
+	isc_time_t refreshkeytime;
+	uint32_t refreshkeyinterval;
+	uint32_t refreshkeycount;
+	uint32_t refresh;
+	uint32_t retry;
+	uint32_t expire;
+	uint32_t minimum;
+	isc_stdtime_t key_expiry;
+	isc_stdtime_t log_key_expired_timer;
+	char *keydirectory;
+	dns_keyfileio_t *kfio;
+
+	uint32_t maxrefresh;
+	uint32_t minrefresh;
+	uint32_t maxretry;
+	uint32_t minretry;
+
+	uint32_t maxrecords;
+
+	isc_sockaddr_t *masters;
+	isc_dscp_t *masterdscps;
+	dns_name_t **masterkeynames;
+	bool *mastersok;
+	unsigned int masterscnt;
+	unsigned int curmaster;
+	isc_sockaddr_t masteraddr;
+
+	isc_sockaddr_t *parentals;
+	isc_dscp_t *parentaldscps;
+	dns_name_t **parentalkeynames;
+	dns_dnsseckeylist_t checkds_ok;
+	unsigned int parentalscnt;
+	isc_sockaddr_t parentaladdr;
+
+	dns_notifytype_t notifytype;
+	isc_sockaddr_t *notify;
+	dns_name_t **notifykeynames;
+	isc_dscp_t *notifydscp;
+	unsigned int notifycnt;
+	isc_sockaddr_t notifyfrom;
+	isc_task_t *task;
+	isc_task_t *loadtask;
+	isc_sockaddr_t notifysrc4;
+	isc_sockaddr_t notifysrc6;
+	isc_sockaddr_t parentalsrc4;
+	isc_sockaddr_t parentalsrc6;
+	isc_sockaddr_t xfrsource4;
+	isc_sockaddr_t xfrsource6;
+	isc_sockaddr_t altxfrsource4;
+	isc_sockaddr_t altxfrsource6;
+	isc_sockaddr_t sourceaddr;
+	isc_dscp_t notifysrc4dscp;
+	isc_dscp_t notifysrc6dscp;
+	isc_dscp_t parentalsrc4dscp;
+	isc_dscp_t parentalsrc6dscp;
+	isc_dscp_t xfrsource4dscp;
+	isc_dscp_t xfrsource6dscp;
+	isc_dscp_t altxfrsource4dscp;
+	isc_dscp_t altxfrsource6dscp;
+	dns_xfrin_ctx_t *xfr;	/* task locked */
+	dns_tsigkey_t *tsigkey; /* key used for xfr */
+	/* Access Control Lists */
+	dns_acl_t *update_acl;
+	dns_acl_t *forward_acl;
+	dns_acl_t *notify_acl;
+	dns_acl_t *query_acl;
+	dns_acl_t *queryon_acl;
+	dns_acl_t *xfr_acl;
+	bool update_disabled;
+	bool zero_no_soa_ttl;
+	dns_severity_t check_names;
+	ISC_LIST(dns_notify_t) notifies;
+	ISC_LIST(dns_checkds_t) checkds_requests;
+	dns_request_t *request;
+	dns_loadctx_t *lctx;
+	dns_io_t *readio;
+	dns_dumpctx_t *dctx;
+	dns_io_t *writeio;
+	uint32_t maxxfrin;
+	uint32_t maxxfrout;
+	uint32_t idlein;
+	uint32_t idleout;
+	isc_event_t ctlevent;
+	dns_ssutable_t *ssutable;
+	uint32_t sigvalidityinterval;
+	uint32_t keyvalidityinterval;
+	uint32_t sigresigninginterval;
+	dns_view_t *view;
+	dns_view_t *prev_view;
+	dns_kasp_t *kasp;
+	dns_checkmxfunc_t checkmx;
+	dns_checksrvfunc_t checksrv;
+	dns_checknsfunc_t checkns;
+	/*%
+	 * Zones in certain states such as "waiting for zone transfer"
+	 * or "zone transfer in progress" are kept on per-state linked lists
+	 * in the zone manager using the 'statelink' field.  The 'statelist'
+	 * field points at the list the zone is currently on.  It the zone
+	 * is not on any such list, statelist is NULL.
+	 */
+	ISC_LINK(dns_zone_t) statelink;
+	dns_zonelist_t *statelist;
+	/*%
+	 * Statistics counters about zone management.
+	 */
+	isc_stats_t *stats;
+	/*%
+	 * Optional per-zone statistics counters.  Counted outside of this
+	 * module.
+	 */
+	dns_zonestat_level_t statlevel;
+	bool requeststats_on;
+	isc_stats_t *requeststats;
+	dns_stats_t *rcvquerystats;
+	dns_stats_t *dnssecsignstats;
+	uint32_t notifydelay;
+	dns_isselffunc_t isself;
+	void *isselfarg;
+
+	char *strnamerd;
+	char *strname;
+	char *strrdclass;
+	char *strviewname;
+
+	/*%
+	 * Serial number for deferred journal compaction.
+	 */
+	uint32_t compact_serial;
+	/*%
+	 * Keys that are signing the zone for the first time.
+	 */
+	dns_signinglist_t signing;
+	dns_nsec3chainlist_t nsec3chain;
+	/*%
+	 * List of outstanding NSEC3PARAM change requests.
+	 */
+	isc_eventlist_t setnsec3param_queue;
+	/*%
+	 * Signing / re-signing quantum stopping parameters.
+	 */
+	uint32_t signatures;
+	uint32_t nodes;
+	dns_rdatatype_t privatetype;
+
+	/*%
+	 * Autosigning/key-maintenance options
+	 */
+	atomic_uint_fast64_t keyopts;
+
+	/*%
+	 * True if added by "rndc addzone"
+	 */
+	bool added;
+
+	/*%
+	 * True if added by automatically by named.
+	 */
+	bool automatic;
+
+	/*%
+	 * response policy data to be relayed to the database
+	 */
+	dns_rpz_zones_t *rpzs;
+	dns_rpz_num_t rpz_num;
+
+	/*%
+	 * catalog zone data
+	 */
+	dns_catz_zones_t *catzs;
+
+	/*%
+	 * parent catalog zone
+	 */
+	dns_catz_zone_t *parentcatz;
+
+	/*%
+	 * Serial number update method.
+	 */
+	dns_updatemethod_t updatemethod;
+
+	/*%
+	 * whether ixfr is requested
+	 */
+	bool requestixfr;
+	uint32_t ixfr_ratio;
+
+	/*%
+	 * whether EDNS EXPIRE is requested
+	 */
+	bool requestexpire;
+
+	/*%
+	 * Outstanding forwarded UPDATE requests.
+	 */
+	dns_forwardlist_t forwards;
+
+	dns_zone_t *raw;
+	dns_zone_t *secure;
+
+	bool sourceserialset;
+	uint32_t sourceserial;
+
+	/*%
+	 * soa and maximum zone ttl
+	 */
+	dns_ttl_t soattl;
+	dns_ttl_t maxttl;
+
+	/*
+	 * Inline zone signing state.
+	 */
+	dns_diff_t rss_diff;
+	isc_eventlist_t rss_events;
+	isc_eventlist_t rss_post;
+	dns_dbversion_t *rss_newver;
+	dns_dbversion_t *rss_oldver;
+	dns_db_t *rss_db;
+	dns_zone_t *rss_raw;
+	isc_event_t *rss_event;
+	dns_update_state_t *rss_state;
+
+	isc_stats_t *gluecachestats;
+};
+
+#define zonediff_init(z, d)                \
+	do {                               \
+		dns__zonediff_t *_z = (z); \
+		(_z)->diff = (d);          \
+		(_z)->offline = false;     \
+	} while (0)
+
+#define DNS_ZONE_FLAG(z, f)    ((atomic_load_relaxed(&(z)->flags) & (f)) != 0)
+#define DNS_ZONE_SETFLAG(z, f) atomic_fetch_or(&(z)->flags, (f))
+#define DNS_ZONE_CLRFLAG(z, f) atomic_fetch_and(&(z)->flags, ~(f))
+typedef enum {
+	DNS_ZONEFLG_REFRESH = 0x00000001U,     /*%< refresh check in progress */
+	DNS_ZONEFLG_NEEDDUMP = 0x00000002U,    /*%< zone need consolidation */
+	DNS_ZONEFLG_USEVC = 0x00000004U,       /*%< use tcp for refresh query */
+	DNS_ZONEFLG_DUMPING = 0x00000008U,     /*%< a dump is in progress */
+	DNS_ZONEFLG_HASINCLUDE = 0x00000010U,  /*%< $INCLUDE in zone file */
+	DNS_ZONEFLG_LOADED = 0x00000020U,      /*%< database has loaded */
+	DNS_ZONEFLG_EXITING = 0x00000040U,     /*%< zone is being destroyed */
+	DNS_ZONEFLG_EXPIRED = 0x00000080U,     /*%< zone has expired */
+	DNS_ZONEFLG_NEEDREFRESH = 0x00000100U, /*%< refresh check needed */
+	DNS_ZONEFLG_UPTODATE = 0x00000200U,    /*%< zone contents are
+						* up-to-date */
+	DNS_ZONEFLG_NEEDNOTIFY = 0x00000400U,  /*%< need to send out notify
+						* messages */
+	DNS_ZONEFLG_FIXJOURNAL = 0x00000800U,  /*%< journal file had
+						* recoverable error,
+						* needs rewriting */
+	DNS_ZONEFLG_NOMASTERS = 0x00001000U,   /*%< an attempt to refresh a
+						* zone with no primaries
+						* occurred */
+	DNS_ZONEFLG_LOADING = 0x00002000U,     /*%< load from disk in progress*/
+	DNS_ZONEFLG_HAVETIMERS = 0x00004000U,  /*%< timer values have been set
+						* from SOA (if not set, we
+						* are still using
+						* default timer values) */
+	DNS_ZONEFLG_FORCEXFER = 0x00008000U,   /*%< Force a zone xfer */
+	DNS_ZONEFLG_NOREFRESH = 0x00010000U,
+	DNS_ZONEFLG_DIALNOTIFY = 0x00020000U,
+	DNS_ZONEFLG_DIALREFRESH = 0x00040000U,
+	DNS_ZONEFLG_SHUTDOWN = 0x00080000U,
+	DNS_ZONEFLG_NOIXFR = 0x00100000U, /*%< IXFR failed, force AXFR */
+	DNS_ZONEFLG_FLUSH = 0x00200000U,
+	DNS_ZONEFLG_NOEDNS = 0x00400000U,
+	DNS_ZONEFLG_USEALTXFRSRC = 0x00800000U,
+	DNS_ZONEFLG_SOABEFOREAXFR = 0x01000000U,
+	DNS_ZONEFLG_NEEDCOMPACT = 0x02000000U,
+	DNS_ZONEFLG_REFRESHING = 0x04000000U, /*%< Refreshing keydata */
+	DNS_ZONEFLG_THAW = 0x08000000U,
+	DNS_ZONEFLG_LOADPENDING = 0x10000000U, /*%< Loading scheduled */
+	DNS_ZONEFLG_NODELAY = 0x20000000U,
+	DNS_ZONEFLG_SENDSECURE = 0x40000000U,
+	DNS_ZONEFLG_NEEDSTARTUPNOTIFY = 0x80000000U, /*%< need to send out
+						      * notify due to the zone
+						      * just being loaded for
+						      * the first time. */
+	/*
+	 * DO NOT add any new zone flags here until all platforms
+	 * support 64-bit enum values. Currently they fail on
+	 * Windows.
+	 */
+	DNS_ZONEFLG___MAX = UINT64_MAX, /* trick to make the ENUM 64-bit wide */
+} dns_zoneflg_t;
+
+#define DNS_ZONE_OPTION(z, o)	 ((atomic_load_relaxed(&(z)->options) & (o)) != 0)
+#define DNS_ZONE_SETOPTION(z, o) atomic_fetch_or(&(z)->options, (o))
+#define DNS_ZONE_CLROPTION(z, o) atomic_fetch_and(&(z)->options, ~(o))
+
+#define DNS_ZONEKEY_OPTION(z, o) \
+	((atomic_load_relaxed(&(z)->keyopts) & (o)) != 0)
+#define DNS_ZONEKEY_SETOPTION(z, o) atomic_fetch_or(&(z)->keyopts, (o))
+#define DNS_ZONEKEY_CLROPTION(z, o) atomic_fetch_and(&(z)->keyopts, ~(o))
+
+/* Flags for zone_load() */
+typedef enum {
+	DNS_ZONELOADFLAG_NOSTAT = 0x00000001U, /* Do not stat() master files */
+	DNS_ZONELOADFLAG_THAW = 0x00000002U,   /* Thaw the zone on successful
+						* load. */
+} dns_zoneloadflag_t;
+
+#define UNREACH_CACHE_SIZE 10U
+#define UNREACH_HOLD_TIME  600 /* 10 minutes */
+
+#define CHECK(op)                            \
+	do {                                 \
+		result = (op);               \
+		if (result != ISC_R_SUCCESS) \
+			goto failure;        \
+	} while (0)
+
+struct dns_unreachable {
+	isc_sockaddr_t remote;
+	isc_sockaddr_t local;
+	atomic_uint_fast32_t expire;
+	atomic_uint_fast32_t last;
+	uint32_t count;
+};
+
+struct dns_zonemgr {
+	unsigned int magic;
+	isc_mem_t *mctx;
+	isc_refcount_t refs;
+	isc_taskmgr_t *taskmgr;
+	isc_timermgr_t *timermgr;
+	isc_socketmgr_t *socketmgr;
+	isc_taskpool_t *zonetasks;
+	isc_taskpool_t *loadtasks;
+	isc_task_t *task;
+	isc_pool_t *mctxpool;
+	isc_ratelimiter_t *checkdsrl;
+	isc_ratelimiter_t *notifyrl;
+	isc_ratelimiter_t *refreshrl;
+	isc_ratelimiter_t *startupnotifyrl;
+	isc_ratelimiter_t *startuprefreshrl;
+	isc_rwlock_t rwlock;
+	isc_mutex_t iolock;
+	isc_rwlock_t urlock;
+
+	/* Locked by rwlock. */
+	dns_zonelist_t zones;
+	dns_zonelist_t waiting_for_xfrin;
+	dns_zonelist_t xfrin_in_progress;
+
+	/* Configuration data. */
+	uint32_t transfersin;
+	uint32_t transfersperns;
+	unsigned int checkdsrate;
+	unsigned int notifyrate;
+	unsigned int startupnotifyrate;
+	unsigned int serialqueryrate;
+	unsigned int startupserialqueryrate;
+
+	/* Locked by iolock */
+	uint32_t iolimit;
+	uint32_t ioactive;
+	dns_iolist_t high;
+	dns_iolist_t low;
+
+	/* Locked by urlock. */
+	/* LRU cache */
+	struct dns_unreachable unreachable[UNREACH_CACHE_SIZE];
+
+	dns_keymgmt_t *keymgmt;
+};
+
+/*%
+ * Hold notify state.
+ */
+struct dns_notify {
+	unsigned int magic;
+	unsigned int flags;
+	isc_mem_t *mctx;
+	dns_zone_t *zone;
+	dns_adbfind_t *find;
+	dns_request_t *request;
+	dns_name_t ns;
+	isc_sockaddr_t dst;
+	dns_tsigkey_t *key;
+	isc_dscp_t dscp;
+	ISC_LINK(dns_notify_t) link;
+	isc_event_t *event;
+};
+
+#define DNS_NOTIFY_NOSOA   0x0001U
+#define DNS_NOTIFY_STARTUP 0x0002U
+
+/*%
+ * Hold checkds state.
+ */
+struct dns_checkds {
+	unsigned int magic;
+	unsigned int flags;
+	isc_mem_t *mctx;
+	dns_zone_t *zone;
+	dns_request_t *request;
+	isc_sockaddr_t dst;
+	dns_tsigkey_t *key;
+	isc_dscp_t dscp;
+	ISC_LINK(dns_checkds_t) link;
+	isc_event_t *event;
+};
+
+/*%
+ *	dns_stub holds state while performing a 'stub' transfer.
+ *	'db' is the zone's 'db' or a new one if this is the initial
+ *	transfer.
+ */
+
+struct dns_stub {
+	unsigned int magic;
+	isc_mem_t *mctx;
+	dns_zone_t *zone;
+	dns_db_t *db;
+	dns_dbversion_t *version;
+	atomic_uint_fast32_t pending_requests;
+};
+
+/*%
+ *	Hold load state.
+ */
+struct dns_load {
+	unsigned int magic;
+	isc_mem_t *mctx;
+	dns_zone_t *zone;
+	dns_db_t *db;
+	isc_time_t loadtime;
+	dns_rdatacallbacks_t callbacks;
+};
+
+/*%
+ *	Hold forward state.
+ */
+struct dns_forward {
+	unsigned int magic;
+	isc_mem_t *mctx;
+	dns_zone_t *zone;
+	isc_buffer_t *msgbuf;
+	dns_request_t *request;
+	uint32_t which;
+	isc_sockaddr_t addr;
+	dns_updatecallback_t callback;
+	void *callback_arg;
+	unsigned int options;
+	ISC_LINK(dns_forward_t) link;
+};
+
+/*%
+ *	Hold IO request state.
+ */
+struct dns_io {
+	unsigned int magic;
+	dns_zonemgr_t *zmgr;
+	bool high;
+	isc_task_t *task;
+	ISC_LINK(dns_io_t) link;
+	isc_event_t *event;
+};
+
+/*%
+ *	Hold state for when we are signing a zone with a new
+ *	DNSKEY as result of an update.
+ */
+struct dns_signing {
+	unsigned int magic;
+	dns_db_t *db;
+	dns_dbiterator_t *dbiterator;
+	dns_secalg_t algorithm;
+	uint16_t keyid;
+	bool deleteit;
+	bool done;
+	ISC_LINK(dns_signing_t) link;
+};
+
+struct dns_nsec3chain {
+	unsigned int magic;
+	dns_db_t *db;
+	dns_dbiterator_t *dbiterator;
+	dns_rdata_nsec3param_t nsec3param;
+	unsigned char salt[255];
+	bool done;
+	bool seen_nsec;
+	bool delete_nsec;
+	bool save_delete_nsec;
+	ISC_LINK(dns_nsec3chain_t) link;
+};
+
+/*%<
+ * 'dbiterator' contains a iterator for the database.  If we are creating
+ * a NSEC3 chain only the non-NSEC3 nodes will be iterated.  If we are
+ * removing a NSEC3 chain then both NSEC3 and non-NSEC3 nodes will be
+ * iterated.
+ *
+ * 'nsec3param' contains the parameters of the NSEC3 chain being created
+ * or removed.
+ *
+ * 'salt' is buffer space and is referenced via 'nsec3param.salt'.
+ *
+ * 'seen_nsec' will be set to true if, while iterating the zone to create a
+ * NSEC3 chain, a NSEC record is seen.
+ *
+ * 'delete_nsec' will be set to true if, at the completion of the creation
+ * of a NSEC3 chain, 'seen_nsec' is true.  If 'delete_nsec' is true then we
+ * are in the process of deleting the NSEC chain.
+ *
+ * 'save_delete_nsec' is used to store the initial state of 'delete_nsec'
+ * so it can be recovered in the event of a error.
+ */
+
+struct dns_keyfetch {
+	isc_mem_t *mctx;
+	dns_fixedname_t name;
+	dns_rdataset_t keydataset;
+	dns_rdataset_t dnskeyset;
+	dns_rdataset_t dnskeysigset;
+	dns_zone_t *zone;
+	dns_db_t *db;
+	dns_fetch_t *fetch;
+};
+
+/*%
+ * Hold state for an asynchronous load
+ */
+struct dns_asyncload {
+	dns_zone_t *zone;
+	unsigned int flags;
+	dns_zt_zoneloaded_t loaded;
+	void *loaded_arg;
+};
+
+/*%
+ * Reference to an include file encountered during loading
+ */
+struct dns_include {
+	char *name;
+	isc_time_t filetime;
+	ISC_LINK(dns_include_t) link;
+};
+
+/*
+ * These can be overridden by the -T mkeytimers option on the command
+ * line, so that we can test with shorter periods than specified in
+ * RFC 5011.
+ */
+#define HOUR  3600
+#define DAY   (24 * HOUR)
+#define MONTH (30 * DAY)
+LIBDNS_EXTERNAL_DATA unsigned int dns_zone_mkey_hour = HOUR;
+LIBDNS_EXTERNAL_DATA unsigned int dns_zone_mkey_day = DAY;
+LIBDNS_EXTERNAL_DATA unsigned int dns_zone_mkey_month = MONTH;
+
+#define SEND_BUFFER_SIZE 2048
+
+static void
+zone_settimer(dns_zone_t *, isc_time_t *);
+static void
+cancel_refresh(dns_zone_t *);
+static void
+zone_debuglog(dns_zone_t *zone, const char *, int debuglevel, const char *msg,
+	      ...) ISC_FORMAT_PRINTF(4, 5);
+static void
+notify_log(dns_zone_t *zone, int level, const char *fmt, ...)
+	ISC_FORMAT_PRINTF(3, 4);
+static void
+dnssec_log(dns_zone_t *zone, int level, const char *fmt, ...)
+	ISC_FORMAT_PRINTF(3, 4);
+static void
+queue_xfrin(dns_zone_t *zone);
+static isc_result_t
+update_one_rr(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff,
+	      dns_diffop_t op, dns_name_t *name, dns_ttl_t ttl,
+	      dns_rdata_t *rdata);
+static void
+zone_unload(dns_zone_t *zone);
+static void
+zone_expire(dns_zone_t *zone);
+static void
+zone_iattach(dns_zone_t *source, dns_zone_t **target);
+static void
+zone_idetach(dns_zone_t **zonep);
+static isc_result_t
+zone_replacedb(dns_zone_t *zone, dns_db_t *db, bool dump);
+static void
+zone_attachdb(dns_zone_t *zone, dns_db_t *db);
+static void
+zone_detachdb(dns_zone_t *zone);
+static void
+zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs);
+static void
+zone_catz_disable(dns_zone_t *zone);
+static isc_result_t
+default_journal(dns_zone_t *zone);
+static void
+zone_xfrdone(dns_zone_t *zone, isc_result_t result);
+static isc_result_t
+zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
+	      isc_result_t result);
+static void
+zone_needdump(dns_zone_t *zone, unsigned int delay);
+static void
+zone_shutdown(isc_task_t *, isc_event_t *);
+static void
+zone_loaddone(void *arg, isc_result_t result);
+static isc_result_t
+zone_startload(dns_db_t *db, dns_zone_t *zone, isc_time_t loadtime);
+static void
+zone_namerd_tostr(dns_zone_t *zone, char *buf, size_t length);
+static void
+zone_name_tostr(dns_zone_t *zone, char *buf, size_t length);
+static void
+zone_rdclass_tostr(dns_zone_t *zone, char *buf, size_t length);
+static void
+zone_viewname_tostr(dns_zone_t *zone, char *buf, size_t length);
+static isc_result_t
+zone_send_secureserial(dns_zone_t *zone, uint32_t serial);
+static void
+refresh_callback(isc_task_t *, isc_event_t *);
+static void
+stub_callback(isc_task_t *, isc_event_t *);
+static void
+queue_soa_query(dns_zone_t *zone);
+static void
+soa_query(isc_task_t *, isc_event_t *);
+static void
+ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub);
+static int
+message_count(dns_message_t *msg, dns_section_t section, dns_rdatatype_t type);
+static void
+checkds_cancel(dns_zone_t *zone);
+static void
+checkds_send(dns_zone_t *zone);
+static isc_result_t
+checkds_createmessage(dns_zone_t *zone, dns_message_t **messagep);
+static void
+checkds_done(isc_task_t *task, isc_event_t *event);
+static void
+checkds_send_toaddr(isc_task_t *task, isc_event_t *event);
+static void
+notify_cancel(dns_zone_t *zone);
+static void
+notify_find_address(dns_notify_t *notify);
+static void
+notify_send(dns_notify_t *notify);
+static isc_result_t
+notify_createmessage(dns_zone_t *zone, unsigned int flags,
+		     dns_message_t **messagep);
+static void
+notify_done(isc_task_t *task, isc_event_t *event);
+static void
+notify_send_toaddr(isc_task_t *task, isc_event_t *event);
+static isc_result_t
+zone_dump(dns_zone_t *, bool);
+static void
+got_transfer_quota(isc_task_t *task, isc_event_t *event);
+static isc_result_t
+zmgr_start_xfrin_ifquota(dns_zonemgr_t *zmgr, dns_zone_t *zone);
+static void
+zmgr_resume_xfrs(dns_zonemgr_t *zmgr, bool multi);
+static void
+zonemgr_free(dns_zonemgr_t *zmgr);
+static isc_result_t
+zonemgr_getio(dns_zonemgr_t *zmgr, bool high, isc_task_t *task,
+	      isc_taskaction_t action, void *arg, dns_io_t **iop);
+static void
+zonemgr_putio(dns_io_t **iop);
+static void
+zonemgr_cancelio(dns_io_t *io);
+static void
+rss_post(dns_zone_t *, isc_event_t *);
+
+static isc_result_t
+zone_get_from_db(dns_zone_t *zone, dns_db_t *db, unsigned int *nscount,
+		 unsigned int *soacount, uint32_t *soattl, uint32_t *serial,
+		 uint32_t *refresh, uint32_t *retry, uint32_t *expire,
+		 uint32_t *minimum, unsigned int *errors);
+
+static void
+zone_freedbargs(dns_zone_t *zone);
+static void
+forward_callback(isc_task_t *task, isc_event_t *event);
+static void
+zone_saveunique(dns_zone_t *zone, const char *path, const char *templat);
+static void
+zone_maintenance(dns_zone_t *zone);
+static void
+zone_notify(dns_zone_t *zone, isc_time_t *now);
+static void
+dump_done(void *arg, isc_result_t result);
+static isc_result_t
+zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm, uint16_t keyid,
+		 bool deleteit);
+static isc_result_t
+delete_nsec(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node,
+	    dns_name_t *name, dns_diff_t *diff);
+static void
+zone_rekey(dns_zone_t *zone);
+static isc_result_t
+zone_send_securedb(dns_zone_t *zone, dns_db_t *db);
+static dns_ttl_t
+zone_nsecttl(dns_zone_t *zone);
+static void
+setrl(isc_ratelimiter_t *rl, unsigned int *rate, unsigned int value);
+static void
+zone_journal_compact(dns_zone_t *zone, dns_db_t *db, uint32_t serial);
+static isc_result_t
+zone_journal_rollforward(dns_zone_t *zone, dns_db_t *db, bool *needdump,
+			 bool *fixjournal);
+
+#define ENTER zone_debuglog(zone, me, 1, "enter")
+
+static const unsigned int dbargc_default = 1;
+static const char *dbargv_default[] = { "rbt" };
+
+#define DNS_ZONE_JITTER_ADD(a, b, c)                                         \
+	do {                                                                 \
+		isc_interval_t _i;                                           \
+		uint32_t _j;                                                 \
+		_j = (b)-isc_random_uniform((b) / 4);                        \
+		isc_interval_set(&_i, _j, 0);                                \
+		if (isc_time_add((a), &_i, (c)) != ISC_R_SUCCESS) {          \
+			dns_zone_log(zone, ISC_LOG_WARNING,                  \
+				     "epoch approaching: upgrade required: " \
+				     "now + %s failed",                      \
+				     #b);                                    \
+			isc_interval_set(&_i, _j / 2, 0);                    \
+			(void)isc_time_add((a), &_i, (c));                   \
+		}                                                            \
+	} while (0)
+
+#define DNS_ZONE_TIME_ADD(a, b, c)                                           \
+	do {                                                                 \
+		isc_interval_t _i;                                           \
+		isc_interval_set(&_i, (b), 0);                               \
+		if (isc_time_add((a), &_i, (c)) != ISC_R_SUCCESS) {          \
+			dns_zone_log(zone, ISC_LOG_WARNING,                  \
+				     "epoch approaching: upgrade required: " \
+				     "now + %s failed",                      \
+				     #b);                                    \
+			isc_interval_set(&_i, (b) / 2, 0);                   \
+			(void)isc_time_add((a), &_i, (c));                   \
+		}                                                            \
+	} while (0)
+
+typedef struct nsec3param nsec3param_t;
+struct nsec3param {
+	dns_rdata_nsec3param_t rdata;
+	unsigned char data[DNS_NSEC3PARAM_BUFFERSIZE + 1];
+	unsigned int length;
+	bool nsec;
+	bool replace;
+	bool resalt;
+	bool lookup;
+	ISC_LINK(nsec3param_t) link;
+};
+typedef ISC_LIST(nsec3param_t) nsec3paramlist_t;
+struct np3event {
+	isc_event_t event;
+	nsec3param_t params;
+};
+
+struct ssevent {
+	isc_event_t event;
+	uint32_t serial;
+};
+
+struct stub_cb_args {
+	dns_stub_t *stub;
+	dns_tsigkey_t *tsig_key;
+	isc_dscp_t dscp;
+	uint16_t udpsize;
+	int timeout;
+	bool reqnsid;
+};
+
+struct stub_glue_request {
+	dns_request_t *request;
+	dns_name_t name;
+	struct stub_cb_args *args;
+	bool ipv4;
+};
+
+/*%
+ * Increment resolver-related statistics counters.  Zone must be locked.
+ */
+static void
+inc_stats(dns_zone_t *zone, isc_statscounter_t counter) {
+	if (zone->stats != NULL) {
+		isc_stats_increment(zone->stats, counter);
+	}
+}
+
+/***
+ ***	Public functions.
+ ***/
+
+isc_result_t
+dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
+	isc_result_t result;
+	isc_time_t now;
+	dns_zone_t *zone = NULL;
+	dns_zone_t z = { .masterformat = dns_masterformat_none,
+			 .journalsize = -1,
+			 .rdclass = dns_rdataclass_none,
+			 .type = dns_zone_none,
+			 .refresh = DNS_ZONE_DEFAULTREFRESH,
+			 .retry = DNS_ZONE_DEFAULTRETRY,
+			 .maxrefresh = DNS_ZONE_MAXREFRESH,
+			 .minrefresh = DNS_ZONE_MINREFRESH,
+			 .maxretry = DNS_ZONE_MAXRETRY,
+			 .minretry = DNS_ZONE_MINRETRY,
+			 .notifytype = dns_notifytype_yes,
+			 .zero_no_soa_ttl = true,
+			 .check_names = dns_severity_ignore,
+			 .idlein = DNS_DEFAULT_IDLEIN,
+			 .idleout = DNS_DEFAULT_IDLEOUT,
+			 .notifysrc4dscp = -1,
+			 .notifysrc6dscp = -1,
+			 .parentalsrc4dscp = -1,
+			 .parentalsrc6dscp = -1,
+			 .xfrsource4dscp = -1,
+			 .xfrsource6dscp = -1,
+			 .altxfrsource4dscp = -1,
+			 .altxfrsource6dscp = -1,
+			 .maxxfrin = MAX_XFER_TIME,
+			 .maxxfrout = MAX_XFER_TIME,
+			 .sigvalidityinterval = 30 * 24 * 3600,
+			 .sigresigninginterval = 7 * 24 * 3600,
+			 .statlevel = dns_zonestat_none,
+			 .notifydelay = 5,
+			 .signatures = 10,
+			 .nodes = 100,
+			 .privatetype = (dns_rdatatype_t)0xffffU,
+			 .rpz_num = DNS_RPZ_INVALID_NUM,
+			 .requestixfr = true,
+			 .ixfr_ratio = 100,
+			 .requestexpire = true,
+			 .updatemethod = dns_updatemethod_increment,
+			 .magic = ZONE_MAGIC };
+
+	REQUIRE(zonep != NULL && *zonep == NULL);
+	REQUIRE(mctx != NULL);
+
+	TIME_NOW(&now);
+	zone = isc_mem_get(mctx, sizeof(*zone));
+	*zone = z;
+
+	zone->mctx = NULL;
+	isc_mem_attach(mctx, &zone->mctx);
+	isc_mutex_init(&zone->lock);
+	ZONEDB_INITLOCK(&zone->dblock);
+	/* XXX MPA check that all elements are initialised */
+#ifdef DNS_ZONE_CHECKLOCK
+	zone->locked = false;
+#endif /* ifdef DNS_ZONE_CHECKLOCK */
+
+	zone->notifytime = now;
+
+	ISC_LINK_INIT(zone, link);
+	isc_refcount_init(&zone->erefs, 1);
+	isc_refcount_init(&zone->irefs, 0);
+	dns_name_init(&zone->origin, NULL);
+	ISC_LIST_INIT(zone->includes);
+	ISC_LIST_INIT(zone->newincludes);
+	atomic_init(&zone->flags, 0);
+	atomic_init(&zone->options, 0);
+	atomic_init(&zone->keyopts, 0);
+	isc_time_settoepoch(&zone->expiretime);
+	isc_time_settoepoch(&zone->refreshtime);
+	isc_time_settoepoch(&zone->dumptime);
+	isc_time_settoepoch(&zone->loadtime);
+	isc_time_settoepoch(&zone->resigntime);
+	isc_time_settoepoch(&zone->keywarntime);
+	isc_time_settoepoch(&zone->signingtime);
+	isc_time_settoepoch(&zone->nsec3chaintime);
+	isc_time_settoepoch(&zone->refreshkeytime);
+	ISC_LIST_INIT(zone->notifies);
+	ISC_LIST_INIT(zone->checkds_requests);
+	isc_sockaddr_any(&zone->notifysrc4);
+	isc_sockaddr_any6(&zone->notifysrc6);
+	isc_sockaddr_any(&zone->parentalsrc4);
+	isc_sockaddr_any6(&zone->parentalsrc6);
+	isc_sockaddr_any(&zone->xfrsource4);
+	isc_sockaddr_any6(&zone->xfrsource6);
+	isc_sockaddr_any(&zone->altxfrsource4);
+	isc_sockaddr_any6(&zone->altxfrsource6);
+	ISC_LINK_INIT(zone, statelink);
+	ISC_LIST_INIT(zone->signing);
+	ISC_LIST_INIT(zone->nsec3chain);
+	ISC_LIST_INIT(zone->setnsec3param_queue);
+	ISC_LIST_INIT(zone->forwards);
+	ISC_LIST_INIT(zone->rss_events);
+	ISC_LIST_INIT(zone->rss_post);
+
+	result = isc_stats_create(mctx, &zone->gluecachestats,
+				  dns_gluecachestatscounter_max);
+	if (result != ISC_R_SUCCESS) {
+		goto free_refs;
+	}
+
+	/* Must be after magic is set. */
+	dns_zone_setdbtype(zone, dbargc_default, dbargv_default);
+
+	ISC_EVENT_INIT(&zone->ctlevent, sizeof(zone->ctlevent), 0, NULL,
+		       DNS_EVENT_ZONECONTROL, zone_shutdown, zone, zone, NULL,
+		       NULL);
+	*zonep = zone;
+	return (ISC_R_SUCCESS);
+
+free_refs:
+	isc_refcount_decrement0(&zone->erefs);
+	isc_refcount_destroy(&zone->erefs);
+	isc_refcount_destroy(&zone->irefs);
+	ZONEDB_DESTROYLOCK(&zone->dblock);
+	isc_mutex_destroy(&zone->lock);
+	isc_mem_putanddetach(&zone->mctx, zone, sizeof(*zone));
+	return (result);
+}
+
+static void
+clear_keylist(dns_dnsseckeylist_t *list, isc_mem_t *mctx) {
+	dns_dnsseckey_t *key;
+	while (!ISC_LIST_EMPTY(*list)) {
+		key = ISC_LIST_HEAD(*list);
+		ISC_LIST_UNLINK(*list, key, link);
+		dns_dnsseckey_destroy(mctx, &key);
+	}
+}
+
+/*
+ * Free a zone.  Because we require that there be no more
+ * outstanding events or references, no locking is necessary.
+ */
+static void
+zone_free(dns_zone_t *zone) {
+	dns_signing_t *signing;
+	dns_nsec3chain_t *nsec3chain;
+	isc_event_t *event;
+	dns_include_t *include;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	isc_refcount_destroy(&zone->erefs);
+	isc_refcount_destroy(&zone->irefs);
+	REQUIRE(!LOCKED_ZONE(zone));
+	REQUIRE(zone->timer == NULL);
+	REQUIRE(zone->zmgr == NULL);
+
+	/*
+	 * Managed objects.  Order is important.
+	 */
+	if (zone->request != NULL) {
+		dns_request_destroy(&zone->request); /* XXXMPA */
+	}
+	INSIST(zone->readio == NULL);
+	INSIST(zone->statelist == NULL);
+	INSIST(zone->writeio == NULL);
+	INSIST(zone->view == NULL);
+	INSIST(zone->prev_view == NULL);
+
+	if (zone->task != NULL) {
+		isc_task_detach(&zone->task);
+	}
+	if (zone->loadtask != NULL) {
+		isc_task_detach(&zone->loadtask);
+	}
+
+	/* Unmanaged objects */
+	while (!ISC_LIST_EMPTY(zone->setnsec3param_queue)) {
+		event = ISC_LIST_HEAD(zone->setnsec3param_queue);
+		ISC_LIST_UNLINK(zone->setnsec3param_queue, event, ev_link);
+		isc_event_free(&event);
+	}
+	while (!ISC_LIST_EMPTY(zone->rss_post)) {
+		event = ISC_LIST_HEAD(zone->rss_post);
+		ISC_LIST_UNLINK(zone->rss_post, event, ev_link);
+		isc_event_free(&event);
+	}
+	for (signing = ISC_LIST_HEAD(zone->signing); signing != NULL;
+	     signing = ISC_LIST_HEAD(zone->signing))
+	{
+		ISC_LIST_UNLINK(zone->signing, signing, link);
+		dns_db_detach(&signing->db);
+		dns_dbiterator_destroy(&signing->dbiterator);
+		isc_mem_put(zone->mctx, signing, sizeof *signing);
+	}
+	for (nsec3chain = ISC_LIST_HEAD(zone->nsec3chain); nsec3chain != NULL;
+	     nsec3chain = ISC_LIST_HEAD(zone->nsec3chain))
+	{
+		ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain, link);
+		dns_db_detach(&nsec3chain->db);
+		dns_dbiterator_destroy(&nsec3chain->dbiterator);
+		isc_mem_put(zone->mctx, nsec3chain, sizeof *nsec3chain);
+	}
+	for (include = ISC_LIST_HEAD(zone->includes); include != NULL;
+	     include = ISC_LIST_HEAD(zone->includes))
+	{
+		ISC_LIST_UNLINK(zone->includes, include, link);
+		isc_mem_free(zone->mctx, include->name);
+		isc_mem_put(zone->mctx, include, sizeof *include);
+	}
+	for (include = ISC_LIST_HEAD(zone->newincludes); include != NULL;
+	     include = ISC_LIST_HEAD(zone->newincludes))
+	{
+		ISC_LIST_UNLINK(zone->newincludes, include, link);
+		isc_mem_free(zone->mctx, include->name);
+		isc_mem_put(zone->mctx, include, sizeof *include);
+	}
+	if (zone->masterfile != NULL) {
+		isc_mem_free(zone->mctx, zone->masterfile);
+	}
+	zone->masterfile = NULL;
+	if (zone->keydirectory != NULL) {
+		isc_mem_free(zone->mctx, zone->keydirectory);
+	}
+	zone->keydirectory = NULL;
+	if (zone->kasp != NULL) {
+		dns_kasp_detach(&zone->kasp);
+	}
+	if (!ISC_LIST_EMPTY(zone->checkds_ok)) {
+		clear_keylist(&zone->checkds_ok, zone->mctx);
+	}
+
+	zone->journalsize = -1;
+	if (zone->journal != NULL) {
+		isc_mem_free(zone->mctx, zone->journal);
+	}
+	zone->journal = NULL;
+	if (zone->stats != NULL) {
+		isc_stats_detach(&zone->stats);
+	}
+	if (zone->requeststats != NULL) {
+		isc_stats_detach(&zone->requeststats);
+	}
+	if (zone->rcvquerystats != NULL) {
+		dns_stats_detach(&zone->rcvquerystats);
+	}
+	if (zone->dnssecsignstats != NULL) {
+		dns_stats_detach(&zone->dnssecsignstats);
+	}
+	if (zone->db != NULL) {
+		zone_detachdb(zone);
+	}
+	if (zone->rpzs != NULL) {
+		REQUIRE(zone->rpz_num < zone->rpzs->p.num_zones);
+		dns_rpz_detach_rpzs(&zone->rpzs);
+		zone->rpz_num = DNS_RPZ_INVALID_NUM;
+	}
+	if (zone->catzs != NULL) {
+		dns_catz_catzs_detach(&zone->catzs);
+	}
+	zone_freedbargs(zone);
+
+	RUNTIME_CHECK(dns_zone_setparentals(zone, NULL, NULL, 0) ==
+		      ISC_R_SUCCESS);
+	RUNTIME_CHECK(dns_zone_setprimarieswithkeys(zone, NULL, NULL, 0) ==
+		      ISC_R_SUCCESS);
+	RUNTIME_CHECK(dns_zone_setalsonotify(zone, NULL, 0) == ISC_R_SUCCESS);
+	zone->check_names = dns_severity_ignore;
+	if (zone->update_acl != NULL) {
+		dns_acl_detach(&zone->update_acl);
+	}
+	if (zone->forward_acl != NULL) {
+		dns_acl_detach(&zone->forward_acl);
+	}
+	if (zone->notify_acl != NULL) {
+		dns_acl_detach(&zone->notify_acl);
+	}
+	if (zone->query_acl != NULL) {
+		dns_acl_detach(&zone->query_acl);
+	}
+	if (zone->queryon_acl != NULL) {
+		dns_acl_detach(&zone->queryon_acl);
+	}
+	if (zone->xfr_acl != NULL) {
+		dns_acl_detach(&zone->xfr_acl);
+	}
+	if (dns_name_dynamic(&zone->origin)) {
+		dns_name_free(&zone->origin, zone->mctx);
+	}
+	if (zone->strnamerd != NULL) {
+		isc_mem_free(zone->mctx, zone->strnamerd);
+	}
+	if (zone->strname != NULL) {
+		isc_mem_free(zone->mctx, zone->strname);
+	}
+	if (zone->strrdclass != NULL) {
+		isc_mem_free(zone->mctx, zone->strrdclass);
+	}
+	if (zone->strviewname != NULL) {
+		isc_mem_free(zone->mctx, zone->strviewname);
+	}
+	if (zone->ssutable != NULL) {
+		dns_ssutable_detach(&zone->ssutable);
+	}
+	if (zone->gluecachestats != NULL) {
+		isc_stats_detach(&zone->gluecachestats);
+	}
+
+	/* last stuff */
+	ZONEDB_DESTROYLOCK(&zone->dblock);
+	isc_mutex_destroy(&zone->lock);
+	zone->magic = 0;
+	isc_mem_putanddetach(&zone->mctx, zone, sizeof(*zone));
+}
+
+/*
+ * Returns true iff this the signed side of an inline-signing zone.
+ * Caller should hold zone lock.
+ */
+static bool
+inline_secure(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	if (zone->raw != NULL) {
+		return (true);
+	}
+	return (false);
+}
+
+/*
+ * Returns true iff this the unsigned side of an inline-signing zone
+ * Caller should hold zone lock.
+ */
+static bool
+inline_raw(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	if (zone->secure != NULL) {
+		return (true);
+	}
+	return (false);
+}
+
+/*
+ *	Single shot.
+ */
+void
+dns_zone_setclass(dns_zone_t *zone, dns_rdataclass_t rdclass) {
+	char namebuf[1024];
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(rdclass != dns_rdataclass_none);
+
+	/*
+	 * Test and set.
+	 */
+	LOCK_ZONE(zone);
+	INSIST(zone != zone->raw);
+	REQUIRE(zone->rdclass == dns_rdataclass_none ||
+		zone->rdclass == rdclass);
+	zone->rdclass = rdclass;
+
+	if (zone->strnamerd != NULL) {
+		isc_mem_free(zone->mctx, zone->strnamerd);
+	}
+	if (zone->strrdclass != NULL) {
+		isc_mem_free(zone->mctx, zone->strrdclass);
+	}
+
+	zone_namerd_tostr(zone, namebuf, sizeof namebuf);
+	zone->strnamerd = isc_mem_strdup(zone->mctx, namebuf);
+	zone_rdclass_tostr(zone, namebuf, sizeof namebuf);
+	zone->strrdclass = isc_mem_strdup(zone->mctx, namebuf);
+
+	if (inline_secure(zone)) {
+		dns_zone_setclass(zone->raw, rdclass);
+	}
+	UNLOCK_ZONE(zone);
+}
+
+dns_rdataclass_t
+dns_zone_getclass(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->rdclass);
+}
+
+void
+dns_zone_setnotifytype(dns_zone_t *zone, dns_notifytype_t notifytype) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone->notifytype = notifytype;
+	UNLOCK_ZONE(zone);
+}
+
+isc_result_t
+dns_zone_getserial(dns_zone_t *zone, uint32_t *serialp) {
+	isc_result_t result;
+	unsigned int soacount;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(serialp != NULL);
+
+	LOCK_ZONE(zone);
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zone->db != NULL) {
+		result = zone_get_from_db(zone, zone->db, NULL, &soacount, NULL,
+					  serialp, NULL, NULL, NULL, NULL,
+					  NULL);
+		if (result == ISC_R_SUCCESS && soacount == 0) {
+			result = ISC_R_FAILURE;
+		}
+	} else {
+		result = DNS_R_NOTLOADED;
+	}
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+	UNLOCK_ZONE(zone);
+
+	return (result);
+}
+
+/*
+ *	Single shot.
+ */
+void
+dns_zone_settype(dns_zone_t *zone, dns_zonetype_t type) {
+	char namebuf[1024];
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(type != dns_zone_none);
+
+	/*
+	 * Test and set.
+	 */
+	LOCK_ZONE(zone);
+	REQUIRE(zone->type == dns_zone_none || zone->type == type);
+	zone->type = type;
+
+	if (zone->strnamerd != NULL) {
+		isc_mem_free(zone->mctx, zone->strnamerd);
+	}
+
+	zone_namerd_tostr(zone, namebuf, sizeof namebuf);
+	zone->strnamerd = isc_mem_strdup(zone->mctx, namebuf);
+	UNLOCK_ZONE(zone);
+}
+
+static void
+zone_freedbargs(dns_zone_t *zone) {
+	unsigned int i;
+
+	/* Free the old database argument list. */
+	if (zone->db_argv != NULL) {
+		for (i = 0; i < zone->db_argc; i++) {
+			isc_mem_free(zone->mctx, zone->db_argv[i]);
+		}
+		isc_mem_put(zone->mctx, zone->db_argv,
+			    zone->db_argc * sizeof(*zone->db_argv));
+	}
+	zone->db_argc = 0;
+	zone->db_argv = NULL;
+}
+
+isc_result_t
+dns_zone_getdbtype(dns_zone_t *zone, char ***argv, isc_mem_t *mctx) {
+	size_t size = 0;
+	unsigned int i;
+	isc_result_t result = ISC_R_SUCCESS;
+	void *mem;
+	char **tmp, *tmp2, *base;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(argv != NULL && *argv == NULL);
+
+	LOCK_ZONE(zone);
+	size = (zone->db_argc + 1) * sizeof(char *);
+	for (i = 0; i < zone->db_argc; i++) {
+		size += strlen(zone->db_argv[i]) + 1;
+	}
+	mem = isc_mem_allocate(mctx, size);
+	{
+		tmp = mem;
+		tmp2 = mem;
+		base = mem;
+		tmp2 += (zone->db_argc + 1) * sizeof(char *);
+		for (i = 0; i < zone->db_argc; i++) {
+			*tmp++ = tmp2;
+			strlcpy(tmp2, zone->db_argv[i], size - (tmp2 - base));
+			tmp2 += strlen(tmp2) + 1;
+		}
+		*tmp = NULL;
+	}
+	UNLOCK_ZONE(zone);
+	*argv = mem;
+	return (result);
+}
+
+void
+dns_zone_setdbtype(dns_zone_t *zone, unsigned int dbargc,
+		   const char *const *dbargv) {
+	char **argv = NULL;
+	unsigned int i;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(dbargc >= 1);
+	REQUIRE(dbargv != NULL);
+
+	LOCK_ZONE(zone);
+
+	/* Set up a new database argument list. */
+	argv = isc_mem_get(zone->mctx, dbargc * sizeof(*argv));
+	for (i = 0; i < dbargc; i++) {
+		argv[i] = NULL;
+	}
+	for (i = 0; i < dbargc; i++) {
+		argv[i] = isc_mem_strdup(zone->mctx, dbargv[i]);
+	}
+
+	/* Free the old list. */
+	zone_freedbargs(zone);
+
+	zone->db_argc = dbargc;
+	zone->db_argv = argv;
+
+	UNLOCK_ZONE(zone);
+}
+
+static void
+dns_zone_setview_helper(dns_zone_t *zone, dns_view_t *view) {
+	char namebuf[1024];
+
+	if (zone->prev_view == NULL && zone->view != NULL) {
+		dns_view_weakattach(zone->view, &zone->prev_view);
+	}
+
+	INSIST(zone != zone->raw);
+	if (zone->view != NULL) {
+		dns_view_weakdetach(&zone->view);
+	}
+	dns_view_weakattach(view, &zone->view);
+
+	if (zone->strviewname != NULL) {
+		isc_mem_free(zone->mctx, zone->strviewname);
+	}
+	if (zone->strnamerd != NULL) {
+		isc_mem_free(zone->mctx, zone->strnamerd);
+	}
+
+	zone_namerd_tostr(zone, namebuf, sizeof namebuf);
+	zone->strnamerd = isc_mem_strdup(zone->mctx, namebuf);
+	zone_viewname_tostr(zone, namebuf, sizeof namebuf);
+	zone->strviewname = isc_mem_strdup(zone->mctx, namebuf);
+
+	if (inline_secure(zone)) {
+		dns_zone_setview(zone->raw, view);
+	}
+}
+
+void
+dns_zone_setview(dns_zone_t *zone, dns_view_t *view) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	dns_zone_setview_helper(zone, view);
+	UNLOCK_ZONE(zone);
+}
+
+dns_view_t *
+dns_zone_getview(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->view);
+}
+
+void
+dns_zone_setviewcommit(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->prev_view != NULL) {
+		dns_view_weakdetach(&zone->prev_view);
+	}
+	if (inline_secure(zone)) {
+		dns_zone_setviewcommit(zone->raw);
+	}
+	UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_setviewrevert(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->prev_view != NULL) {
+		dns_zone_setview_helper(zone, zone->prev_view);
+		dns_view_weakdetach(&zone->prev_view);
+	}
+	if (zone->catzs != NULL) {
+		zone_catz_enable(zone, zone->catzs);
+	}
+	if (inline_secure(zone)) {
+		dns_zone_setviewrevert(zone->raw);
+	}
+	UNLOCK_ZONE(zone);
+}
+
+isc_result_t
+dns_zone_setorigin(dns_zone_t *zone, const dns_name_t *origin) {
+	isc_result_t result = ISC_R_SUCCESS;
+	char namebuf[1024];
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(origin != NULL);
+
+	LOCK_ZONE(zone);
+	INSIST(zone != zone->raw);
+	if (dns_name_dynamic(&zone->origin)) {
+		dns_name_free(&zone->origin, zone->mctx);
+		dns_name_init(&zone->origin, NULL);
+	}
+	dns_name_dup(origin, zone->mctx, &zone->origin);
+
+	if (zone->strnamerd != NULL) {
+		isc_mem_free(zone->mctx, zone->strnamerd);
+	}
+	if (zone->strname != NULL) {
+		isc_mem_free(zone->mctx, zone->strname);
+	}
+
+	zone_namerd_tostr(zone, namebuf, sizeof namebuf);
+	zone->strnamerd = isc_mem_strdup(zone->mctx, namebuf);
+	zone_name_tostr(zone, namebuf, sizeof namebuf);
+	zone->strname = isc_mem_strdup(zone->mctx, namebuf);
+
+	if (inline_secure(zone)) {
+		result = dns_zone_setorigin(zone->raw, origin);
+	}
+	UNLOCK_ZONE(zone);
+	return (result);
+}
+
+static isc_result_t
+dns_zone_setstring(dns_zone_t *zone, char **field, const char *value) {
+	char *copy;
+
+	if (value != NULL) {
+		copy = isc_mem_strdup(zone->mctx, value);
+	} else {
+		copy = NULL;
+	}
+
+	if (*field != NULL) {
+		isc_mem_free(zone->mctx, *field);
+	}
+
+	*field = copy;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_zone_setfile(dns_zone_t *zone, const char *file, dns_masterformat_t format,
+		 const dns_master_style_t *style) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	result = dns_zone_setstring(zone, &zone->masterfile, file);
+	if (result == ISC_R_SUCCESS) {
+		zone->masterformat = format;
+		if (format == dns_masterformat_text) {
+			zone->masterstyle = style;
+		}
+		result = default_journal(zone);
+	}
+	UNLOCK_ZONE(zone);
+
+	return (result);
+}
+
+const char *
+dns_zone_getfile(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->masterfile);
+}
+
+dns_ttl_t
+dns_zone_getmaxttl(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->maxttl);
+}
+
+void
+dns_zone_setmaxttl(dns_zone_t *zone, dns_ttl_t maxttl) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (maxttl != 0) {
+		DNS_ZONE_SETOPTION(zone, DNS_ZONEOPT_CHECKTTL);
+	} else {
+		DNS_ZONE_CLROPTION(zone, DNS_ZONEOPT_CHECKTTL);
+	}
+	zone->maxttl = maxttl;
+	UNLOCK_ZONE(zone);
+
+	return;
+}
+
+static isc_result_t
+default_journal(dns_zone_t *zone) {
+	isc_result_t result;
+	char *journal;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(LOCKED_ZONE(zone));
+
+	if (zone->masterfile != NULL) {
+		/* Calculate string length including '\0'. */
+		int len = strlen(zone->masterfile) + sizeof(".jnl");
+		journal = isc_mem_allocate(zone->mctx, len);
+		strlcpy(journal, zone->masterfile, len);
+		strlcat(journal, ".jnl", len);
+	} else {
+		journal = NULL;
+	}
+	result = dns_zone_setstring(zone, &zone->journal, journal);
+	if (journal != NULL) {
+		isc_mem_free(zone->mctx, journal);
+	}
+	return (result);
+}
+
+isc_result_t
+dns_zone_setjournal(dns_zone_t *zone, const char *myjournal) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	result = dns_zone_setstring(zone, &zone->journal, myjournal);
+	UNLOCK_ZONE(zone);
+
+	return (result);
+}
+
+char *
+dns_zone_getjournal(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->journal);
+}
+
+/*
+ * Return true iff the zone is "dynamic", in the sense that the zone's
+ * master file (if any) is written by the server, rather than being
+ * updated manually and read by the server.
+ *
+ * This is true for slave zones, mirror zones, stub zones, key zones,
+ * and zones that allow dynamic updates either by having an update
+ * policy ("ssutable") or an "allow-update" ACL with a value other than
+ * exactly "{ none; }".
+ */
+bool
+dns_zone_isdynamic(dns_zone_t *zone, bool ignore_freeze) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	if (zone->type == dns_zone_secondary || zone->type == dns_zone_mirror ||
+	    zone->type == dns_zone_stub || zone->type == dns_zone_key ||
+	    (zone->type == dns_zone_redirect && zone->masters != NULL))
+	{
+		return (true);
+	}
+
+	/* Inline zones are always dynamic. */
+	if (zone->type == dns_zone_primary && zone->raw != NULL) {
+		return (true);
+	}
+
+	/* If !ignore_freeze, we need check whether updates are disabled.  */
+	if (zone->type == dns_zone_primary &&
+	    (!zone->update_disabled || ignore_freeze) &&
+	    ((zone->ssutable != NULL) ||
+	     (zone->update_acl != NULL && !dns_acl_isnone(zone->update_acl))))
+	{
+		return (true);
+	}
+
+	return (false);
+}
+
+/*
+ * Set the response policy index and information for a zone.
+ */
+isc_result_t
+dns_zone_rpz_enable(dns_zone_t *zone, dns_rpz_zones_t *rpzs,
+		    dns_rpz_num_t rpz_num) {
+	/*
+	 * Only RBTDB zones can be used for response policy zones,
+	 * because only they have the code to create the summary data.
+	 * Only zones that are loaded instead of mmap()ed create the
+	 * summary data and so can be policy zones.
+	 */
+	if (strcmp(zone->db_argv[0], "rbt") != 0 &&
+	    strcmp(zone->db_argv[0], "rbt64") != 0)
+	{
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+	if (zone->masterformat == dns_masterformat_map) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	/*
+	 * This must happen only once or be redundant.
+	 */
+	LOCK_ZONE(zone);
+	if (zone->rpzs != NULL) {
+		REQUIRE(zone->rpzs == rpzs && zone->rpz_num == rpz_num);
+	} else {
+		REQUIRE(zone->rpz_num == DNS_RPZ_INVALID_NUM);
+		dns_rpz_attach_rpzs(rpzs, &zone->rpzs);
+		zone->rpz_num = rpz_num;
+	}
+	rpzs->defined |= DNS_RPZ_ZBIT(rpz_num);
+	UNLOCK_ZONE(zone);
+
+	return (ISC_R_SUCCESS);
+}
+
+dns_rpz_num_t
+dns_zone_get_rpz_num(dns_zone_t *zone) {
+	return (zone->rpz_num);
+}
+
+/*
+ * If a zone is a response policy zone, mark its new database.
+ */
+void
+dns_zone_rpz_enable_db(dns_zone_t *zone, dns_db_t *db) {
+	isc_result_t result;
+	if (zone->rpz_num == DNS_RPZ_INVALID_NUM) {
+		return;
+	}
+	REQUIRE(zone->rpzs != NULL);
+	result = dns_db_updatenotify_register(db, dns_rpz_dbupdate_callback,
+					      zone->rpzs->zones[zone->rpz_num]);
+	REQUIRE(result == ISC_R_SUCCESS);
+}
+
+static void
+dns_zone_rpz_disable_db(dns_zone_t *zone, dns_db_t *db) {
+	if (zone->rpz_num == DNS_RPZ_INVALID_NUM) {
+		return;
+	}
+	REQUIRE(zone->rpzs != NULL);
+	(void)dns_db_updatenotify_unregister(db, dns_rpz_dbupdate_callback,
+					     zone->rpzs->zones[zone->rpz_num]);
+}
+
+/*
+ * If a zone is a catalog zone, attach it to update notification in database.
+ */
+void
+dns_zone_catz_enable_db(dns_zone_t *zone, dns_db_t *db) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(db != NULL);
+
+	if (zone->catzs != NULL) {
+		dns_db_updatenotify_register(db, dns_catz_dbupdate_callback,
+					     zone->catzs);
+	}
+}
+
+static void
+dns_zone_catz_disable_db(dns_zone_t *zone, dns_db_t *db) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(db != NULL);
+
+	if (zone->catzs != NULL) {
+		dns_db_updatenotify_unregister(db, dns_catz_dbupdate_callback,
+					       zone->catzs);
+	}
+}
+
+static void
+zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(catzs != NULL);
+
+	INSIST(zone->catzs == NULL || zone->catzs == catzs);
+	dns_catz_catzs_set_view(catzs, zone->view);
+	if (zone->catzs == NULL) {
+		dns_catz_catzs_attach(catzs, &zone->catzs);
+	}
+}
+
+void
+dns_zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone_catz_enable(zone, catzs);
+	UNLOCK_ZONE(zone);
+}
+
+static void
+zone_catz_disable(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	if (zone->catzs != NULL) {
+		if (zone->db != NULL) {
+			dns_zone_catz_disable_db(zone, zone->db);
+		}
+		dns_catz_catzs_detach(&zone->catzs);
+	}
+}
+
+void
+dns_zone_catz_disable(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone_catz_disable(zone);
+	UNLOCK_ZONE(zone);
+}
+
+bool
+dns_zone_catz_is_enabled(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->catzs != NULL);
+}
+
+/*
+ * Set catalog zone ownership of the zone
+ */
+void
+dns_zone_set_parentcatz(dns_zone_t *zone, dns_catz_zone_t *catz) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(catz != NULL);
+	LOCK_ZONE(zone);
+	INSIST(zone->parentcatz == NULL || zone->parentcatz == catz);
+	zone->parentcatz = catz;
+	UNLOCK_ZONE(zone);
+}
+
+dns_catz_zone_t *
+dns_zone_get_parentcatz(const dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (zone->parentcatz);
+}
+
+static bool
+zone_touched(dns_zone_t *zone) {
+	isc_result_t result;
+	isc_time_t modtime;
+	dns_include_t *include;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	result = isc_file_getmodtime(zone->masterfile, &modtime);
+	if (result != ISC_R_SUCCESS ||
+	    isc_time_compare(&modtime, &zone->loadtime) > 0)
+	{
+		return (true);
+	}
+
+	for (include = ISC_LIST_HEAD(zone->includes); include != NULL;
+	     include = ISC_LIST_NEXT(include, link))
+	{
+		result = isc_file_getmodtime(include->name, &modtime);
+		if (result != ISC_R_SUCCESS ||
+		    isc_time_compare(&modtime, &include->filetime) > 0)
+		{
+			return (true);
+		}
+	}
+
+	return (false);
+}
+
+/*
+ * Note: when dealing with inline-signed zones, external callers will always
+ * call zone_load() for the secure zone; zone_load() calls itself recursively
+ * in order to load the raw zone.
+ */
+static isc_result_t
+zone_load(dns_zone_t *zone, unsigned int flags, bool locked) {
+	isc_result_t result;
+	isc_time_t now;
+	isc_time_t loadtime;
+	dns_db_t *db = NULL;
+	bool rbt, hasraw, is_dynamic;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	if (!locked) {
+		LOCK_ZONE(zone);
+	}
+
+	INSIST(zone != zone->raw);
+	hasraw = inline_secure(zone);
+	if (hasraw) {
+		/*
+		 * We are trying to load an inline-signed zone.  First call
+		 * self recursively to try loading the raw version of the zone.
+		 * Assuming the raw zone file is readable, there are two
+		 * possibilities:
+		 *
+		 *  a) the raw zone was not yet loaded and thus it will be
+		 *     loaded now, synchronously; if this succeeds, a
+		 *     subsequent attempt to load the signed zone file will
+		 *     take place and thus zone_postload() will be called
+		 *     twice: first for the raw zone and then for the secure
+		 *     zone; the latter call will take care of syncing the raw
+		 *     version with the secure version,
+		 *
+		 *  b) the raw zone was already loaded and we are trying to
+		 *     reload it, which will happen asynchronously; this means
+		 *     zone_postload() will only be called for the raw zone
+		 *     because "result" returned by the zone_load() call below
+		 *     will not be ISC_R_SUCCESS but rather DNS_R_CONTINUE;
+		 *     zone_postload() called for the raw zone will take care
+		 *     of syncing the raw version with the secure version.
+		 */
+		result = zone_load(zone->raw, flags, false);
+		if (result != ISC_R_SUCCESS) {
+			if (!locked) {
+				UNLOCK_ZONE(zone);
+			}
+			return (result);
+		}
+		LOCK_ZONE(zone->raw);
+	}
+
+	TIME_NOW(&now);
+
+	INSIST(zone->type != dns_zone_none);
+
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADING)) {
+		if ((flags & DNS_ZONELOADFLAG_THAW) != 0) {
+			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_THAW);
+		}
+		result = DNS_R_CONTINUE;
+		goto cleanup;
+	}
+
+	INSIST(zone->db_argc >= 1);
+
+	rbt = strcmp(zone->db_argv[0], "rbt") == 0 ||
+	      strcmp(zone->db_argv[0], "rbt64") == 0;
+
+	if (zone->db != NULL && zone->masterfile == NULL && rbt) {
+		/*
+		 * The zone has no master file configured.
+		 */
+		result = ISC_R_SUCCESS;
+		goto cleanup;
+	}
+
+	is_dynamic = dns_zone_isdynamic(zone, false);
+	if (zone->db != NULL && is_dynamic) {
+		/*
+		 * This is a slave, stub, or dynamically updated zone being
+		 * reloaded.  Do nothing - the database we already
+		 * have is guaranteed to be up-to-date.
+		 */
+		if (zone->type == dns_zone_primary && !hasraw) {
+			result = DNS_R_DYNAMIC;
+		} else {
+			result = ISC_R_SUCCESS;
+		}
+		goto cleanup;
+	}
+
+	/*
+	 * Store the current time before the zone is loaded, so that if the
+	 * file changes between the time of the load and the time that
+	 * zone->loadtime is set, then the file will still be reloaded
+	 * the next time dns_zone_load is called.
+	 */
+	TIME_NOW(&loadtime);
+
+	/*
+	 * Don't do the load if the file that stores the zone is older
+	 * than the last time the zone was loaded.  If the zone has not
+	 * been loaded yet, zone->loadtime will be the epoch.
+	 */
+	if (zone->masterfile != NULL) {
+		isc_time_t filetime;
+
+		/*
+		 * The file is already loaded.	If we are just doing a
+		 * "rndc reconfig", we are done.
+		 */
+		if (!isc_time_isepoch(&zone->loadtime) &&
+		    (flags & DNS_ZONELOADFLAG_NOSTAT) != 0)
+		{
+			result = ISC_R_SUCCESS;
+			goto cleanup;
+		}
+
+		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) &&
+		    !zone_touched(zone))
+		{
+			dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
+				      ISC_LOG_DEBUG(1),
+				      "skipping load: master file "
+				      "older than last load");
+			result = DNS_R_UPTODATE;
+			goto cleanup;
+		}
+
+		/*
+		 * If the file modification time is in the past
+		 * set loadtime to that value.
+		 */
+		result = isc_file_getmodtime(zone->masterfile, &filetime);
+		if (result == ISC_R_SUCCESS &&
+		    isc_time_compare(&loadtime, &filetime) > 0)
+		{
+			loadtime = filetime;
+		}
+	}
+
+	/*
+	 * Built in zones (with the exception of empty zones) don't need
+	 * to be reloaded.
+	 */
+	if (zone->type == dns_zone_primary &&
+	    strcmp(zone->db_argv[0], "_builtin") == 0 &&
+	    (zone->db_argc < 2 || strcmp(zone->db_argv[1], "empty") != 0) &&
+	    DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED))
+	{
+		result = ISC_R_SUCCESS;
+		goto cleanup;
+	}
+
+	/*
+	 * Zones associated with a DLZ don't need to be loaded either,
+	 * but we need to associate the database with the zone object.
+	 */
+	if (strcmp(zone->db_argv[0], "dlz") == 0) {
+		dns_dlzdb_t *dlzdb;
+		dns_dlzfindzone_t findzone;
+
+		for (dlzdb = ISC_LIST_HEAD(zone->view->dlz_unsearched);
+		     dlzdb != NULL; dlzdb = ISC_LIST_NEXT(dlzdb, link))
+		{
+			INSIST(DNS_DLZ_VALID(dlzdb));
+			if (strcmp(zone->db_argv[1], dlzdb->dlzname) == 0) {
+				break;
+			}
+		}
+
+		if (dlzdb == NULL) {
+			dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
+				      ISC_LOG_ERROR,
+				      "DLZ %s does not exist or is set "
+				      "to 'search yes;'",
+				      zone->db_argv[1]);
+			result = ISC_R_NOTFOUND;
+			goto cleanup;
+		}
+
+		ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
+		/* ask SDLZ driver if the zone is supported */
+		findzone = dlzdb->implementation->methods->findzone;
+		result = (*findzone)(dlzdb->implementation->driverarg,
+				     dlzdb->dbdata, dlzdb->mctx,
+				     zone->view->rdclass, &zone->origin, NULL,
+				     NULL, &db);
+		if (result != ISC_R_NOTFOUND) {
+			if (zone->db != NULL) {
+				zone_detachdb(zone);
+			}
+			zone_attachdb(zone, db);
+			dns_db_detach(&db);
+			result = ISC_R_SUCCESS;
+		}
+		ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
+
+		if (result == ISC_R_SUCCESS) {
+			if (dlzdb->configure_callback == NULL) {
+				goto cleanup;
+			}
+
+			result = (*dlzdb->configure_callback)(zone->view, dlzdb,
+							      zone);
+			if (result != ISC_R_SUCCESS) {
+				dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
+					      ISC_LOG_ERROR,
+					      "DLZ configuration callback: %s",
+					      isc_result_totext(result));
+			}
+		}
+		goto cleanup;
+	}
+
+	if ((zone->type == dns_zone_secondary ||
+	     zone->type == dns_zone_mirror || zone->type == dns_zone_stub ||
+	     (zone->type == dns_zone_redirect && zone->masters != NULL)) &&
+	    rbt)
+	{
+		if (zone->masterfile == NULL ||
+		    !isc_file_exists(zone->masterfile))
+		{
+			if (zone->masterfile != NULL) {
+				dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
+					      ISC_LOG_DEBUG(1),
+					      "no master file");
+			}
+			zone->refreshtime = now;
+			if (zone->task != NULL) {
+				zone_settimer(zone, &now);
+			}
+			result = ISC_R_SUCCESS;
+			goto cleanup;
+		}
+	}
+
+	dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_DEBUG(1),
+		      "starting load");
+
+	result = dns_db_create(zone->mctx, zone->db_argv[0], &zone->origin,
+			       (zone->type == dns_zone_stub) ? dns_dbtype_stub
+							     : dns_dbtype_zone,
+			       zone->rdclass, zone->db_argc - 1,
+			       zone->db_argv + 1, &db);
+
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_ERROR,
+			      "loading zone: creating database: %s",
+			      isc_result_totext(result));
+		goto cleanup;
+	}
+	dns_db_settask(db, zone->task);
+
+	if (zone->type == dns_zone_primary ||
+	    zone->type == dns_zone_secondary || zone->type == dns_zone_mirror)
+	{
+		result = dns_db_setgluecachestats(db, zone->gluecachestats);
+		if (result == ISC_R_NOTIMPLEMENTED) {
+			result = ISC_R_SUCCESS;
+		}
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+	}
+
+	if (!dns_db_ispersistent(db)) {
+		if (zone->masterfile != NULL) {
+			result = zone_startload(db, zone, loadtime);
+		} else {
+			result = DNS_R_NOMASTERFILE;
+			if (zone->type == dns_zone_primary ||
+			    (zone->type == dns_zone_redirect &&
+			     zone->masters == NULL))
+			{
+				dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
+					      ISC_LOG_ERROR,
+					      "loading zone: "
+					      "no master file configured");
+				goto cleanup;
+			}
+			dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
+				      ISC_LOG_INFO,
+				      "loading zone: "
+				      "no master file configured: continuing");
+		}
+	}
+
+	if (result == DNS_R_CONTINUE) {
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADING);
+		if ((flags & DNS_ZONELOADFLAG_THAW) != 0) {
+			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_THAW);
+		}
+		goto cleanup;
+	}
+
+	result = zone_postload(zone, db, loadtime, result);
+
+cleanup:
+	if (hasraw) {
+		UNLOCK_ZONE(zone->raw);
+	}
+	if (!locked) {
+		UNLOCK_ZONE(zone);
+	}
+	if (db != NULL) {
+		dns_db_detach(&db);
+	}
+	return (result);
+}
+
+isc_result_t
+dns_zone_load(dns_zone_t *zone, bool newonly) {
+	return (zone_load(zone, newonly ? DNS_ZONELOADFLAG_NOSTAT : 0, false));
+}
+
+static void
+zone_asyncload(isc_task_t *task, isc_event_t *event) {
+	dns_asyncload_t *asl = event->ev_arg;
+	dns_zone_t *zone = asl->zone;
+	isc_result_t result;
+
+	UNUSED(task);
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	isc_event_free(&event);
+
+	LOCK_ZONE(zone);
+	result = zone_load(zone, asl->flags, true);
+	if (result != DNS_R_CONTINUE) {
+		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_LOADPENDING);
+	}
+	UNLOCK_ZONE(zone);
+
+	/* Inform the zone table we've finished loading */
+	if (asl->loaded != NULL) {
+		(asl->loaded)(asl->loaded_arg, zone, task);
+	}
+
+	/* Reduce the quantum */
+	isc_task_setquantum(zone->loadtask, 1);
+
+	isc_mem_put(zone->mctx, asl, sizeof(*asl));
+	dns_zone_idetach(&zone);
+}
+
+isc_result_t
+dns_zone_asyncload(dns_zone_t *zone, bool newonly, dns_zt_zoneloaded_t done,
+		   void *arg) {
+	isc_event_t *e;
+	dns_asyncload_t *asl = NULL;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	if (zone->zmgr == NULL) {
+		return (ISC_R_FAILURE);
+	}
+
+	/* If we already have a load pending, stop now */
+	LOCK_ZONE(zone);
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADPENDING)) {
+		UNLOCK_ZONE(zone);
+		return (ISC_R_ALREADYRUNNING);
+	}
+
+	asl = isc_mem_get(zone->mctx, sizeof(*asl));
+
+	asl->zone = NULL;
+	asl->flags = newonly ? DNS_ZONELOADFLAG_NOSTAT : 0;
+	asl->loaded = done;
+	asl->loaded_arg = arg;
+
+	e = isc_event_allocate(zone->zmgr->mctx, zone->zmgr, DNS_EVENT_ZONELOAD,
+			       zone_asyncload, asl, sizeof(isc_event_t));
+
+	zone_iattach(zone, &asl->zone);
+	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADPENDING);
+	isc_task_send(zone->loadtask, &e);
+	UNLOCK_ZONE(zone);
+
+	return (ISC_R_SUCCESS);
+}
+
+bool
+dns__zone_loadpending(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADPENDING));
+}
+
+isc_result_t
+dns_zone_loadandthaw(dns_zone_t *zone) {
+	isc_result_t result;
+
+	if (inline_raw(zone)) {
+		result = zone_load(zone->secure, DNS_ZONELOADFLAG_THAW, false);
+	} else {
+		/*
+		 * When thawing a zone, we don't know what changes
+		 * have been made. If we do DNSSEC maintenance on this
+		 * zone, schedule a full sign for this zone.
+		 */
+		if (zone->type == dns_zone_primary &&
+		    DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_MAINTAIN))
+		{
+			DNS_ZONEKEY_SETOPTION(zone, DNS_ZONEKEY_FULLSIGN);
+		}
+		result = zone_load(zone, DNS_ZONELOADFLAG_THAW, false);
+	}
+
+	switch (result) {
+	case DNS_R_CONTINUE:
+		/* Deferred thaw. */
+		break;
+	case DNS_R_UPTODATE:
+	case ISC_R_SUCCESS:
+	case DNS_R_SEENINCLUDE:
+		zone->update_disabled = false;
+		break;
+	case DNS_R_NOMASTERFILE:
+		zone->update_disabled = false;
+		break;
+	default:
+		/* Error, remain in disabled state. */
+		break;
+	}
+	return (result);
+}
+
+static unsigned int
+get_master_options(dns_zone_t *zone) {
+	unsigned int options;
+
+	options = DNS_MASTER_ZONE | DNS_MASTER_RESIGN;
+	if (zone->type == dns_zone_secondary || zone->type == dns_zone_mirror ||
+	    (zone->type == dns_zone_redirect && zone->masters == NULL))
+	{
+		options |= DNS_MASTER_SLAVE;
+	}
+	if (zone->type == dns_zone_key) {
+		options |= DNS_MASTER_KEY;
+	}
+	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNS)) {
+		options |= DNS_MASTER_CHECKNS;
+	}
+	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_FATALNS)) {
+		options |= DNS_MASTER_FATALNS;
+	}
+	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMES)) {
+		options |= DNS_MASTER_CHECKNAMES;
+	}
+	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMESFAIL)) {
+		options |= DNS_MASTER_CHECKNAMESFAIL;
+	}
+	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKMX)) {
+		options |= DNS_MASTER_CHECKMX;
+	}
+	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKMXFAIL)) {
+		options |= DNS_MASTER_CHECKMXFAIL;
+	}
+	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKWILDCARD)) {
+		options |= DNS_MASTER_CHECKWILDCARD;
+	}
+	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKTTL)) {
+		options |= DNS_MASTER_CHECKTTL;
+	}
+
+	return (options);
+}
+
+static void
+zone_registerinclude(const char *filename, void *arg) {
+	isc_result_t result;
+	dns_zone_t *zone = (dns_zone_t *)arg;
+	dns_include_t *inc = NULL;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	if (filename == NULL) {
+		return;
+	}
+
+	/*
+	 * Suppress duplicates.
+	 */
+	for (inc = ISC_LIST_HEAD(zone->newincludes); inc != NULL;
+	     inc = ISC_LIST_NEXT(inc, link))
+	{
+		if (strcmp(filename, inc->name) == 0) {
+			return;
+		}
+	}
+
+	inc = isc_mem_get(zone->mctx, sizeof(dns_include_t));
+	inc->name = isc_mem_strdup(zone->mctx, filename);
+	ISC_LINK_INIT(inc, link);
+
+	result = isc_file_getmodtime(filename, &inc->filetime);
+	if (result != ISC_R_SUCCESS) {
+		isc_time_settoepoch(&inc->filetime);
+	}
+
+	ISC_LIST_APPEND(zone->newincludes, inc, link);
+}
+
+static void
+zone_gotreadhandle(isc_task_t *task, isc_event_t *event) {
+	dns_load_t *load = event->ev_arg;
+	isc_result_t result = ISC_R_SUCCESS;
+	unsigned int options;
+
+	REQUIRE(DNS_LOAD_VALID(load));
+
+	if ((event->ev_attributes & ISC_EVENTATTR_CANCELED) != 0) {
+		result = ISC_R_CANCELED;
+	}
+	isc_event_free(&event);
+	if (result == ISC_R_CANCELED) {
+		goto fail;
+	}
+
+	options = get_master_options(load->zone);
+
+	result = dns_master_loadfileinc(
+		load->zone->masterfile, dns_db_origin(load->db),
+		dns_db_origin(load->db), load->zone->rdclass, options, 0,
+		&load->callbacks, task, zone_loaddone, load, &load->zone->lctx,
+		zone_registerinclude, load->zone, load->zone->mctx,
+		load->zone->masterformat, load->zone->maxttl);
+	if (result != ISC_R_SUCCESS && result != DNS_R_CONTINUE &&
+	    result != DNS_R_SEENINCLUDE)
+	{
+		goto fail;
+	}
+	return;
+
+fail:
+	zone_loaddone(load, result);
+}
+
+static void
+get_raw_serial(dns_zone_t *raw, dns_masterrawheader_t *rawdata) {
+	isc_result_t result;
+	unsigned int soacount;
+
+	LOCK(&raw->lock);
+	if (raw->db != NULL) {
+		result = zone_get_from_db(raw, raw->db, NULL, &soacount, NULL,
+					  &rawdata->sourceserial, NULL, NULL,
+					  NULL, NULL, NULL);
+		if (result == ISC_R_SUCCESS && soacount > 0U) {
+			rawdata->flags |= DNS_MASTERRAW_SOURCESERIALSET;
+		}
+	}
+	UNLOCK(&raw->lock);
+}
+
+static void
+zone_gotwritehandle(isc_task_t *task, isc_event_t *event) {
+	const char me[] = "zone_gotwritehandle";
+	dns_zone_t *zone = event->ev_arg;
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_dbversion_t *version = NULL;
+	dns_masterrawheader_t rawdata;
+	dns_db_t *db = NULL;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	INSIST(task == zone->task);
+	ENTER;
+
+	if ((event->ev_attributes & ISC_EVENTATTR_CANCELED) != 0) {
+		result = ISC_R_CANCELED;
+	}
+	isc_event_free(&event);
+	if (result == ISC_R_CANCELED) {
+		goto fail;
+	}
+
+	LOCK_ZONE(zone);
+	INSIST(zone != zone->raw);
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zone->db != NULL) {
+		dns_db_attach(zone->db, &db);
+	}
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+	if (db != NULL) {
+		const dns_master_style_t *output_style;
+		dns_db_currentversion(db, &version);
+		dns_master_initrawheader(&rawdata);
+		if (inline_secure(zone)) {
+			get_raw_serial(zone->raw, &rawdata);
+		}
+		if (zone->type == dns_zone_key) {
+			output_style = &dns_master_style_keyzone;
+		} else if (zone->masterstyle != NULL) {
+			output_style = zone->masterstyle;
+		} else {
+			output_style = &dns_master_style_default;
+		}
+		result = dns_master_dumpasync(
+			zone->mctx, db, version, output_style, zone->masterfile,
+			zone->task, dump_done, zone, &zone->dctx,
+			zone->masterformat, &rawdata);
+		dns_db_closeversion(db, &version, false);
+	} else {
+		result = ISC_R_CANCELED;
+	}
+	if (db != NULL) {
+		dns_db_detach(&db);
+	}
+	UNLOCK_ZONE(zone);
+	if (result != DNS_R_CONTINUE) {
+		goto fail;
+	}
+	return;
+
+fail:
+	dump_done(zone, result);
+}
+
+/*
+ * Save the raw serial number for inline-signing zones.
+ * (XXX: Other information from the header will be used
+ * for other purposes in the future, but for now this is
+ * all we're interested in.)
+ */
+static void
+zone_setrawdata(dns_zone_t *zone, dns_masterrawheader_t *header) {
+	if ((header->flags & DNS_MASTERRAW_SOURCESERIALSET) == 0) {
+		return;
+	}
+
+	zone->sourceserial = header->sourceserial;
+	zone->sourceserialset = true;
+}
+
+void
+dns_zone_setrawdata(dns_zone_t *zone, dns_masterrawheader_t *header) {
+	if (zone == NULL) {
+		return;
+	}
+
+	LOCK_ZONE(zone);
+	zone_setrawdata(zone, header);
+	UNLOCK_ZONE(zone);
+}
+
+static isc_result_t
+zone_startload(dns_db_t *db, dns_zone_t *zone, isc_time_t loadtime) {
+	const char me[] = "zone_startload";
+	dns_load_t *load;
+	isc_result_t result;
+	isc_result_t tresult;
+	unsigned int options;
+
+	ENTER;
+
+	dns_zone_rpz_enable_db(zone, db);
+	dns_zone_catz_enable_db(zone, db);
+
+	options = get_master_options(zone);
+	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_MANYERRORS)) {
+		options |= DNS_MASTER_MANYERRORS;
+	}
+
+	if (zone->zmgr != NULL && zone->db != NULL && zone->loadtask != NULL) {
+		load = isc_mem_get(zone->mctx, sizeof(*load));
+
+		load->mctx = NULL;
+		load->zone = NULL;
+		load->db = NULL;
+		load->loadtime = loadtime;
+		load->magic = LOAD_MAGIC;
+
+		isc_mem_attach(zone->mctx, &load->mctx);
+		zone_iattach(zone, &load->zone);
+		dns_db_attach(db, &load->db);
+		dns_rdatacallbacks_init(&load->callbacks);
+		load->callbacks.rawdata = zone_setrawdata;
+		zone_iattach(zone, &load->callbacks.zone);
+		result = dns_db_beginload(db, &load->callbacks);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+		result = zonemgr_getio(zone->zmgr, true, zone->loadtask,
+				       zone_gotreadhandle, load, &zone->readio);
+		if (result != ISC_R_SUCCESS) {
+			/*
+			 * We can't report multiple errors so ignore
+			 * the result of dns_db_endload().
+			 */
+			(void)dns_db_endload(load->db, &load->callbacks);
+			goto cleanup;
+		} else {
+			result = DNS_R_CONTINUE;
+		}
+	} else {
+		dns_rdatacallbacks_t callbacks;
+
+		dns_rdatacallbacks_init(&callbacks);
+		callbacks.rawdata = zone_setrawdata;
+		zone_iattach(zone, &callbacks.zone);
+		result = dns_db_beginload(db, &callbacks);
+		if (result != ISC_R_SUCCESS) {
+			zone_idetach(&callbacks.zone);
+			return (result);
+		}
+		result = dns_master_loadfile(
+			zone->masterfile, &zone->origin, &zone->origin,
+			zone->rdclass, options, 0, &callbacks,
+			zone_registerinclude, zone, zone->mctx,
+			zone->masterformat, zone->maxttl);
+		tresult = dns_db_endload(db, &callbacks);
+		if (result == ISC_R_SUCCESS) {
+			result = tresult;
+		}
+		zone_idetach(&callbacks.zone);
+	}
+
+	return (result);
+
+cleanup:
+	load->magic = 0;
+	dns_db_detach(&load->db);
+	zone_idetach(&load->zone);
+	zone_idetach(&load->callbacks.zone);
+	isc_mem_detach(&load->mctx);
+	isc_mem_put(zone->mctx, load, sizeof(*load));
+	return (result);
+}
+
+static bool
+zone_check_mx(dns_zone_t *zone, dns_db_t *db, dns_name_t *name,
+	      dns_name_t *owner) {
+	isc_result_t result;
+	char ownerbuf[DNS_NAME_FORMATSIZE];
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char altbuf[DNS_NAME_FORMATSIZE];
+	dns_fixedname_t fixed;
+	dns_name_t *foundname;
+	int level;
+
+	/*
+	 * "." means the services does not exist.
+	 */
+	if (dns_name_equal(name, dns_rootname)) {
+		return (true);
+	}
+
+	/*
+	 * Outside of zone.
+	 */
+	if (!dns_name_issubdomain(name, &zone->origin)) {
+		if (zone->checkmx != NULL) {
+			return ((zone->checkmx)(zone, name, owner));
+		}
+		return (true);
+	}
+
+	if (zone->type == dns_zone_primary) {
+		level = ISC_LOG_ERROR;
+	} else {
+		level = ISC_LOG_WARNING;
+	}
+
+	foundname = dns_fixedname_initname(&fixed);
+
+	result = dns_db_find(db, name, NULL, dns_rdatatype_a, 0, 0, NULL,
+			     foundname, NULL, NULL);
+	if (result == ISC_R_SUCCESS) {
+		return (true);
+	}
+
+	if (result == DNS_R_NXRRSET) {
+		result = dns_db_find(db, name, NULL, dns_rdatatype_aaaa, 0, 0,
+				     NULL, foundname, NULL, NULL);
+		if (result == ISC_R_SUCCESS) {
+			return (true);
+		}
+	}
+
+	dns_name_format(owner, ownerbuf, sizeof ownerbuf);
+	dns_name_format(name, namebuf, sizeof namebuf);
+	if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN ||
+	    result == DNS_R_EMPTYNAME)
+	{
+		if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKMXFAIL)) {
+			level = ISC_LOG_WARNING;
+		}
+		dns_zone_log(zone, level,
+			     "%s/MX '%s' has no address records (A or AAAA)",
+			     ownerbuf, namebuf);
+		return ((level == ISC_LOG_WARNING) ? true : false);
+	}
+
+	if (result == DNS_R_CNAME) {
+		if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_WARNMXCNAME) ||
+		    DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNOREMXCNAME))
+		{
+			level = ISC_LOG_WARNING;
+		}
+		if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNOREMXCNAME)) {
+			dns_zone_log(zone, level,
+				     "%s/MX '%s' is a CNAME (illegal)",
+				     ownerbuf, namebuf);
+		}
+		return ((level == ISC_LOG_WARNING) ? true : false);
+	}
+
+	if (result == DNS_R_DNAME) {
+		if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_WARNMXCNAME) ||
+		    DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNOREMXCNAME))
+		{
+			level = ISC_LOG_WARNING;
+		}
+		if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNOREMXCNAME)) {
+			dns_name_format(foundname, altbuf, sizeof altbuf);
+			dns_zone_log(zone, level,
+				     "%s/MX '%s' is below a DNAME"
+				     " '%s' (illegal)",
+				     ownerbuf, namebuf, altbuf);
+		}
+		return ((level == ISC_LOG_WARNING) ? true : false);
+	}
+
+	if (zone->checkmx != NULL && result == DNS_R_DELEGATION) {
+		return ((zone->checkmx)(zone, name, owner));
+	}
+
+	return (true);
+}
+
+static bool
+zone_check_srv(dns_zone_t *zone, dns_db_t *db, dns_name_t *name,
+	       dns_name_t *owner) {
+	isc_result_t result;
+	char ownerbuf[DNS_NAME_FORMATSIZE];
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char altbuf[DNS_NAME_FORMATSIZE];
+	dns_fixedname_t fixed;
+	dns_name_t *foundname;
+	int level;
+
+	/*
+	 * "." means the services does not exist.
+	 */
+	if (dns_name_equal(name, dns_rootname)) {
+		return (true);
+	}
+
+	/*
+	 * Outside of zone.
+	 */
+	if (!dns_name_issubdomain(name, &zone->origin)) {
+		if (zone->checksrv != NULL) {
+			return ((zone->checksrv)(zone, name, owner));
+		}
+		return (true);
+	}
+
+	if (zone->type == dns_zone_primary) {
+		level = ISC_LOG_ERROR;
+	} else {
+		level = ISC_LOG_WARNING;
+	}
+
+	foundname = dns_fixedname_initname(&fixed);
+
+	result = dns_db_find(db, name, NULL, dns_rdatatype_a, 0, 0, NULL,
+			     foundname, NULL, NULL);
+	if (result == ISC_R_SUCCESS) {
+		return (true);
+	}
+
+	if (result == DNS_R_NXRRSET) {
+		result = dns_db_find(db, name, NULL, dns_rdatatype_aaaa, 0, 0,
+				     NULL, foundname, NULL, NULL);
+		if (result == ISC_R_SUCCESS) {
+			return (true);
+		}
+	}
+
+	dns_name_format(owner, ownerbuf, sizeof ownerbuf);
+	dns_name_format(name, namebuf, sizeof namebuf);
+	if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN ||
+	    result == DNS_R_EMPTYNAME)
+	{
+		dns_zone_log(zone, level,
+			     "%s/SRV '%s' has no address records (A or AAAA)",
+			     ownerbuf, namebuf);
+		/* XXX950 make fatal for 9.5.0. */
+		return (true);
+	}
+
+	if (result == DNS_R_CNAME) {
+		if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_WARNSRVCNAME) ||
+		    DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNORESRVCNAME))
+		{
+			level = ISC_LOG_WARNING;
+		}
+		if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNORESRVCNAME)) {
+			dns_zone_log(zone, level,
+				     "%s/SRV '%s' is a CNAME (illegal)",
+				     ownerbuf, namebuf);
+		}
+		return ((level == ISC_LOG_WARNING) ? true : false);
+	}
+
+	if (result == DNS_R_DNAME) {
+		if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_WARNSRVCNAME) ||
+		    DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNORESRVCNAME))
+		{
+			level = ISC_LOG_WARNING;
+		}
+		if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNORESRVCNAME)) {
+			dns_name_format(foundname, altbuf, sizeof altbuf);
+			dns_zone_log(zone, level,
+				     "%s/SRV '%s' is below a "
+				     "DNAME '%s' (illegal)",
+				     ownerbuf, namebuf, altbuf);
+		}
+		return ((level == ISC_LOG_WARNING) ? true : false);
+	}
+
+	if (zone->checksrv != NULL && result == DNS_R_DELEGATION) {
+		return ((zone->checksrv)(zone, name, owner));
+	}
+
+	return (true);
+}
+
+static bool
+zone_check_glue(dns_zone_t *zone, dns_db_t *db, dns_name_t *name,
+		dns_name_t *owner) {
+	bool answer = true;
+	isc_result_t result, tresult;
+	char ownerbuf[DNS_NAME_FORMATSIZE];
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char altbuf[DNS_NAME_FORMATSIZE];
+	dns_fixedname_t fixed;
+	dns_name_t *foundname;
+	dns_rdataset_t a;
+	dns_rdataset_t aaaa;
+	int level;
+
+	/*
+	 * Outside of zone.
+	 */
+	if (!dns_name_issubdomain(name, &zone->origin)) {
+		if (zone->checkns != NULL) {
+			return ((zone->checkns)(zone, name, owner, NULL, NULL));
+		}
+		return (true);
+	}
+
+	if (zone->type == dns_zone_primary) {
+		level = ISC_LOG_ERROR;
+	} else {
+		level = ISC_LOG_WARNING;
+	}
+
+	foundname = dns_fixedname_initname(&fixed);
+	dns_rdataset_init(&a);
+	dns_rdataset_init(&aaaa);
+
+	/*
+	 * Perform a regular lookup to catch DNAME records then look
+	 * for glue.
+	 */
+	result = dns_db_find(db, name, NULL, dns_rdatatype_a, 0, 0, NULL,
+			     foundname, &a, NULL);
+	switch (result) {
+	case ISC_R_SUCCESS:
+	case DNS_R_DNAME:
+	case DNS_R_CNAME:
+		break;
+	default:
+		if (dns_rdataset_isassociated(&a)) {
+			dns_rdataset_disassociate(&a);
+		}
+		result = dns_db_find(db, name, NULL, dns_rdatatype_a,
+				     DNS_DBFIND_GLUEOK, 0, NULL, foundname, &a,
+				     NULL);
+	}
+	if (result == ISC_R_SUCCESS) {
+		dns_rdataset_disassociate(&a);
+		return (true);
+	} else if (result == DNS_R_DELEGATION) {
+		dns_rdataset_disassociate(&a);
+	}
+
+	if (result == DNS_R_NXRRSET || result == DNS_R_DELEGATION ||
+	    result == DNS_R_GLUE)
+	{
+		tresult = dns_db_find(db, name, NULL, dns_rdatatype_aaaa,
+				      DNS_DBFIND_GLUEOK, 0, NULL, foundname,
+				      &aaaa, NULL);
+		if (tresult == ISC_R_SUCCESS) {
+			if (dns_rdataset_isassociated(&a)) {
+				dns_rdataset_disassociate(&a);
+			}
+			dns_rdataset_disassociate(&aaaa);
+			return (true);
+		}
+		if (tresult == DNS_R_DELEGATION || tresult == DNS_R_DNAME) {
+			dns_rdataset_disassociate(&aaaa);
+		}
+		if (result == DNS_R_GLUE || tresult == DNS_R_GLUE) {
+			/*
+			 * Check glue against child zone.
+			 */
+			if (zone->checkns != NULL) {
+				answer = (zone->checkns)(zone, name, owner, &a,
+							 &aaaa);
+			}
+			if (dns_rdataset_isassociated(&a)) {
+				dns_rdataset_disassociate(&a);
+			}
+			if (dns_rdataset_isassociated(&aaaa)) {
+				dns_rdataset_disassociate(&aaaa);
+			}
+			return (answer);
+		}
+	}
+
+	dns_name_format(owner, ownerbuf, sizeof ownerbuf);
+	dns_name_format(name, namebuf, sizeof namebuf);
+	if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN ||
+	    result == DNS_R_EMPTYNAME || result == DNS_R_DELEGATION)
+	{
+		const char *what;
+		bool required = false;
+		if (dns_name_issubdomain(name, owner)) {
+			what = "REQUIRED GLUE ";
+			required = true;
+		} else if (result == DNS_R_DELEGATION) {
+			what = "SIBLING GLUE ";
+		} else {
+			what = "";
+		}
+
+		if (result != DNS_R_DELEGATION || required ||
+		    DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKSIBLING))
+		{
+			dns_zone_log(zone, level,
+				     "%s/NS '%s' has no %s"
+				     "address records (A or AAAA)",
+				     ownerbuf, namebuf, what);
+			/*
+			 * Log missing address record.
+			 */
+			if (result == DNS_R_DELEGATION && zone->checkns != NULL)
+			{
+				(void)(zone->checkns)(zone, name, owner, &a,
+						      &aaaa);
+			}
+			/* XXX950 make fatal for 9.5.0. */
+			/* answer = false; */
+		}
+	} else if (result == DNS_R_CNAME) {
+		dns_zone_log(zone, level, "%s/NS '%s' is a CNAME (illegal)",
+			     ownerbuf, namebuf);
+		/* XXX950 make fatal for 9.5.0. */
+		/* answer = false; */
+	} else if (result == DNS_R_DNAME) {
+		dns_name_format(foundname, altbuf, sizeof altbuf);
+		dns_zone_log(zone, level,
+			     "%s/NS '%s' is below a DNAME '%s' (illegal)",
+			     ownerbuf, namebuf, altbuf);
+		/* XXX950 make fatal for 9.5.0. */
+		/* answer = false; */
+	}
+
+	if (dns_rdataset_isassociated(&a)) {
+		dns_rdataset_disassociate(&a);
+	}
+	if (dns_rdataset_isassociated(&aaaa)) {
+		dns_rdataset_disassociate(&aaaa);
+	}
+	return (answer);
+}
+
+static bool
+zone_rrset_check_dup(dns_zone_t *zone, dns_name_t *owner,
+		     dns_rdataset_t *rdataset) {
+	dns_rdataset_t tmprdataset;
+	isc_result_t result;
+	bool answer = true;
+	bool format = true;
+	int level = ISC_LOG_WARNING;
+	char ownerbuf[DNS_NAME_FORMATSIZE];
+	char typebuf[DNS_RDATATYPE_FORMATSIZE];
+	unsigned int count1 = 0;
+
+	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKDUPRRFAIL)) {
+		level = ISC_LOG_ERROR;
+	}
+
+	dns_rdataset_init(&tmprdataset);
+	for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(rdataset))
+	{
+		dns_rdata_t rdata1 = DNS_RDATA_INIT;
+		unsigned int count2 = 0;
+
+		count1++;
+		dns_rdataset_current(rdataset, &rdata1);
+		dns_rdataset_clone(rdataset, &tmprdataset);
+		for (result = dns_rdataset_first(&tmprdataset);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&tmprdataset))
+		{
+			dns_rdata_t rdata2 = DNS_RDATA_INIT;
+			count2++;
+			if (count1 >= count2) {
+				continue;
+			}
+			dns_rdataset_current(&tmprdataset, &rdata2);
+			if (dns_rdata_casecompare(&rdata1, &rdata2) == 0) {
+				if (format) {
+					dns_name_format(owner, ownerbuf,
+							sizeof ownerbuf);
+					dns_rdatatype_format(rdata1.type,
+							     typebuf,
+							     sizeof(typebuf));
+					format = false;
+				}
+				dns_zone_log(zone, level,
+					     "%s/%s has "
+					     "semantically identical records",
+					     ownerbuf, typebuf);
+				if (level == ISC_LOG_ERROR) {
+					answer = false;
+				}
+				break;
+			}
+		}
+		dns_rdataset_disassociate(&tmprdataset);
+		if (!format) {
+			break;
+		}
+	}
+	return (answer);
+}
+
+static bool
+zone_check_dup(dns_zone_t *zone, dns_db_t *db) {
+	dns_dbiterator_t *dbiterator = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	dns_rdataset_t rdataset;
+	dns_rdatasetiter_t *rdsit = NULL;
+	bool ok = true;
+	isc_result_t result;
+
+	name = dns_fixedname_initname(&fixed);
+	dns_rdataset_init(&rdataset);
+
+	result = dns_db_createiterator(db, 0, &dbiterator);
+	if (result != ISC_R_SUCCESS) {
+		return (true);
+	}
+
+	for (result = dns_dbiterator_first(dbiterator); result == ISC_R_SUCCESS;
+	     result = dns_dbiterator_next(dbiterator))
+	{
+		result = dns_dbiterator_current(dbiterator, &node, name);
+		if (result != ISC_R_SUCCESS) {
+			continue;
+		}
+
+		result = dns_db_allrdatasets(db, node, NULL, 0, 0, &rdsit);
+		if (result != ISC_R_SUCCESS) {
+			continue;
+		}
+
+		for (result = dns_rdatasetiter_first(rdsit);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdatasetiter_next(rdsit))
+		{
+			dns_rdatasetiter_current(rdsit, &rdataset);
+			if (!zone_rrset_check_dup(zone, name, &rdataset)) {
+				ok = false;
+			}
+			dns_rdataset_disassociate(&rdataset);
+		}
+		dns_rdatasetiter_destroy(&rdsit);
+		dns_db_detachnode(db, &node);
+	}
+
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+	dns_dbiterator_destroy(&dbiterator);
+
+	return (ok);
+}
+
+static bool
+isspf(const dns_rdata_t *rdata) {
+	char buf[1024];
+	const unsigned char *data = rdata->data;
+	unsigned int rdl = rdata->length, i = 0, tl, len;
+
+	while (rdl > 0U) {
+		len = tl = *data;
+		++data;
+		--rdl;
+		INSIST(tl <= rdl);
+		if (len > sizeof(buf) - i - 1) {
+			len = sizeof(buf) - i - 1;
+		}
+		memmove(buf + i, data, len);
+		i += len;
+		data += tl;
+		rdl -= tl;
+	}
+
+	if (i < 6U) {
+		return (false);
+	}
+
+	buf[i] = 0;
+	if (strncmp(buf, "v=spf1", 6) == 0 && (buf[6] == 0 || buf[6] == ' ')) {
+		return (true);
+	}
+	return (false);
+}
+
+static bool
+integrity_checks(dns_zone_t *zone, dns_db_t *db) {
+	dns_dbiterator_t *dbiterator = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+	dns_fixedname_t fixed;
+	dns_fixedname_t fixedbottom;
+	dns_rdata_mx_t mx;
+	dns_rdata_ns_t ns;
+	dns_rdata_in_srv_t srv;
+	dns_rdata_t rdata;
+	dns_name_t *name;
+	dns_name_t *bottom;
+	isc_result_t result;
+	bool ok = true, have_spf, have_txt;
+
+	name = dns_fixedname_initname(&fixed);
+	bottom = dns_fixedname_initname(&fixedbottom);
+	dns_rdataset_init(&rdataset);
+	dns_rdata_init(&rdata);
+
+	result = dns_db_createiterator(db, 0, &dbiterator);
+	if (result != ISC_R_SUCCESS) {
+		return (true);
+	}
+
+	result = dns_dbiterator_first(dbiterator);
+	while (result == ISC_R_SUCCESS) {
+		result = dns_dbiterator_current(dbiterator, &node, name);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+
+		/*
+		 * Is this name visible in the zone?
+		 */
+		if (!dns_name_issubdomain(name, &zone->origin) ||
+		    (dns_name_countlabels(bottom) > 0 &&
+		     dns_name_issubdomain(name, bottom)))
+		{
+			goto next;
+		}
+
+		dns_dbiterator_pause(dbiterator);
+
+		/*
+		 * Don't check the NS records at the origin.
+		 */
+		if (dns_name_equal(name, &zone->origin)) {
+			goto checkfordname;
+		}
+
+		result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_ns,
+					     0, 0, &rdataset, NULL);
+		if (result != ISC_R_SUCCESS) {
+			goto checkfordname;
+		}
+		/*
+		 * Remember bottom of zone due to NS.
+		 */
+		dns_name_copynf(name, bottom);
+
+		result = dns_rdataset_first(&rdataset);
+		while (result == ISC_R_SUCCESS) {
+			dns_rdataset_current(&rdataset, &rdata);
+			result = dns_rdata_tostruct(&rdata, &ns, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			if (!zone_check_glue(zone, db, &ns.name, name)) {
+				ok = false;
+			}
+			dns_rdata_reset(&rdata);
+			result = dns_rdataset_next(&rdataset);
+		}
+		dns_rdataset_disassociate(&rdataset);
+		goto next;
+
+	checkfordname:
+		result = dns_db_findrdataset(db, node, NULL,
+					     dns_rdatatype_dname, 0, 0,
+					     &rdataset, NULL);
+		if (result == ISC_R_SUCCESS) {
+			/*
+			 * Remember bottom of zone due to DNAME.
+			 */
+			dns_name_copynf(name, bottom);
+			dns_rdataset_disassociate(&rdataset);
+		}
+
+		result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_mx,
+					     0, 0, &rdataset, NULL);
+		if (result != ISC_R_SUCCESS) {
+			goto checksrv;
+		}
+		result = dns_rdataset_first(&rdataset);
+		while (result == ISC_R_SUCCESS) {
+			dns_rdataset_current(&rdataset, &rdata);
+			result = dns_rdata_tostruct(&rdata, &mx, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			if (!zone_check_mx(zone, db, &mx.mx, name)) {
+				ok = false;
+			}
+			dns_rdata_reset(&rdata);
+			result = dns_rdataset_next(&rdataset);
+		}
+		dns_rdataset_disassociate(&rdataset);
+
+	checksrv:
+		if (zone->rdclass != dns_rdataclass_in) {
+			goto next;
+		}
+		result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_srv,
+					     0, 0, &rdataset, NULL);
+		if (result != ISC_R_SUCCESS) {
+			goto checkspf;
+		}
+		result = dns_rdataset_first(&rdataset);
+		while (result == ISC_R_SUCCESS) {
+			dns_rdataset_current(&rdataset, &rdata);
+			result = dns_rdata_tostruct(&rdata, &srv, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			if (!zone_check_srv(zone, db, &srv.target, name)) {
+				ok = false;
+			}
+			dns_rdata_reset(&rdata);
+			result = dns_rdataset_next(&rdataset);
+		}
+		dns_rdataset_disassociate(&rdataset);
+
+	checkspf:
+		/*
+		 * Check if there is a type SPF record without an
+		 * SPF-formatted type TXT record also being present.
+		 */
+		if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKSPF)) {
+			goto next;
+		}
+		if (zone->rdclass != dns_rdataclass_in) {
+			goto next;
+		}
+		have_spf = have_txt = false;
+		result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_spf,
+					     0, 0, &rdataset, NULL);
+		if (result == ISC_R_SUCCESS) {
+			dns_rdataset_disassociate(&rdataset);
+			have_spf = true;
+		}
+		result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_txt,
+					     0, 0, &rdataset, NULL);
+		if (result != ISC_R_SUCCESS) {
+			goto notxt;
+		}
+		result = dns_rdataset_first(&rdataset);
+		while (result == ISC_R_SUCCESS) {
+			dns_rdataset_current(&rdataset, &rdata);
+			have_txt = isspf(&rdata);
+			dns_rdata_reset(&rdata);
+			if (have_txt) {
+				break;
+			}
+			result = dns_rdataset_next(&rdataset);
+		}
+		dns_rdataset_disassociate(&rdataset);
+
+	notxt:
+		if (have_spf && !have_txt) {
+			char namebuf[DNS_NAME_FORMATSIZE];
+
+			dns_name_format(name, namebuf, sizeof(namebuf));
+			dns_zone_log(zone, ISC_LOG_WARNING,
+				     "'%s' found type "
+				     "SPF record but no SPF TXT record found, "
+				     "add matching type TXT record",
+				     namebuf);
+		}
+
+	next:
+		dns_db_detachnode(db, &node);
+		result = dns_dbiterator_next(dbiterator);
+	}
+
+cleanup:
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+	dns_dbiterator_destroy(&dbiterator);
+
+	return (ok);
+}
+
+/*
+ * OpenSSL verification of RSA keys with exponent 3 is known to be
+ * broken prior OpenSSL 0.9.8c/0.9.7k.	Look for such keys and warn
+ * if they are in use.
+ */
+static void
+zone_check_dnskeys(dns_zone_t *zone, dns_db_t *db) {
+	dns_dbnode_t *node = NULL;
+	dns_dbversion_t *version = NULL;
+	dns_rdata_dnskey_t dnskey;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdataset_t rdataset;
+	isc_result_t result;
+
+	result = dns_db_findnode(db, &zone->origin, false, &node);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	dns_db_currentversion(db, &version);
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey,
+				     dns_rdatatype_none, 0, &rdataset, NULL);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		dns_rdataset_current(&rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &dnskey, NULL);
+		INSIST(result == ISC_R_SUCCESS);
+
+		/*
+		 * RFC 3110, section 4: Performance Considerations:
+		 *
+		 * A public exponent of 3 minimizes the effort needed to verify
+		 * a signature.  Use of 3 as the public exponent is weak for
+		 * confidentiality uses since, if the same data can be collected
+		 * encrypted under three different keys with an exponent of 3
+		 * then, using the Chinese Remainder Theorem [NETSEC], the
+		 * original plain text can be easily recovered.  If a key is
+		 * known to be used only for authentication, as is the case with
+		 * DNSSEC, then an exponent of 3 is acceptable.  However other
+		 * applications in the future may wish to leverage DNS
+		 * distributed keys for applications that do require
+		 * confidentiality.  For keys which might have such other uses,
+		 * a more conservative choice would be 65537 (F4, the fourth
+		 * fermat number).
+		 */
+		if (dnskey.datalen > 1 && dnskey.data[0] == 1 &&
+		    dnskey.data[1] == 3 &&
+		    (dnskey.algorithm == DNS_KEYALG_RSAMD5 ||
+		     dnskey.algorithm == DNS_KEYALG_RSASHA1 ||
+		     dnskey.algorithm == DNS_KEYALG_NSEC3RSASHA1 ||
+		     dnskey.algorithm == DNS_KEYALG_RSASHA256 ||
+		     dnskey.algorithm == DNS_KEYALG_RSASHA512))
+		{
+			char algorithm[DNS_SECALG_FORMATSIZE];
+			isc_region_t r;
+
+			dns_rdata_toregion(&rdata, &r);
+			dns_secalg_format(dnskey.algorithm, algorithm,
+					  sizeof(algorithm));
+
+			dnssec_log(zone, ISC_LOG_WARNING,
+				   "weak %s (%u) key found (exponent=3, id=%u)",
+				   algorithm, dnskey.algorithm,
+				   dst_region_computeid(&r));
+		}
+		dns_rdata_reset(&rdata);
+	}
+	dns_rdataset_disassociate(&rdataset);
+
+cleanup:
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+	if (version != NULL) {
+		dns_db_closeversion(db, &version, false);
+	}
+}
+
+static void
+resume_signingwithkey(dns_zone_t *zone) {
+	dns_dbnode_t *node = NULL;
+	dns_dbversion_t *version = NULL;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdataset_t rdataset;
+	isc_result_t result;
+	dns_db_t *db = NULL;
+
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zone->db != NULL) {
+		dns_db_attach(zone->db, &db);
+	}
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+	if (db == NULL) {
+		goto cleanup;
+	}
+
+	result = dns_db_findnode(db, &zone->origin, false, &node);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	dns_db_currentversion(db, &version);
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(db, node, version, zone->privatetype,
+				     dns_rdatatype_none, 0, &rdataset, NULL);
+	if (result != ISC_R_SUCCESS) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
+		goto cleanup;
+	}
+
+	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		dns_rdataset_current(&rdataset, &rdata);
+		if (rdata.length != 5 || rdata.data[0] == 0 ||
+		    rdata.data[4] != 0)
+		{
+			dns_rdata_reset(&rdata);
+			continue;
+		}
+
+		result = zone_signwithkey(zone, rdata.data[0],
+					  (rdata.data[1] << 8) | rdata.data[2],
+					  rdata.data[3]);
+		if (result != ISC_R_SUCCESS) {
+			dnssec_log(zone, ISC_LOG_ERROR,
+				   "zone_signwithkey failed: %s",
+				   dns_result_totext(result));
+		}
+		dns_rdata_reset(&rdata);
+	}
+	dns_rdataset_disassociate(&rdataset);
+
+cleanup:
+	if (db != NULL) {
+		if (node != NULL) {
+			dns_db_detachnode(db, &node);
+		}
+		if (version != NULL) {
+			dns_db_closeversion(db, &version, false);
+		}
+		dns_db_detach(&db);
+	}
+}
+
+/*
+ * Initiate adding/removing NSEC3 records belonging to the chain defined by the
+ * supplied NSEC3PARAM RDATA.
+ *
+ * Zone must be locked by caller.
+ */
+static isc_result_t
+zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) {
+	dns_nsec3chain_t *nsec3chain, *current;
+	dns_dbversion_t *version = NULL;
+	bool nseconly = false, nsec3ok = false;
+	isc_result_t result;
+	isc_time_t now;
+	unsigned int options = 0;
+	char saltbuf[255 * 2 + 1];
+	char flags[sizeof("INITIAL|REMOVE|CREATE|NONSEC|OPTOUT")];
+	dns_db_t *db = NULL;
+
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zone->db != NULL) {
+		dns_db_attach(zone->db, &db);
+	}
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+
+	if (db == NULL) {
+		result = ISC_R_SUCCESS;
+		goto cleanup;
+	}
+
+	/*
+	 * If this zone is not NSEC3-capable, attempting to remove any NSEC3
+	 * chain from it is pointless as it would not be possible for the
+	 * latter to exist in the first place.
+	 */
+	dns_db_currentversion(db, &version);
+	result = dns_nsec_nseconly(db, version, &nseconly);
+	nsec3ok = (result == ISC_R_SUCCESS && !nseconly);
+	dns_db_closeversion(db, &version, false);
+	if (!nsec3ok && (nsec3param->flags & DNS_NSEC3FLAG_REMOVE) == 0) {
+		result = ISC_R_SUCCESS;
+		goto cleanup;
+	}
+
+	/*
+	 * Allocate and initialize structure preserving state of
+	 * adding/removing records belonging to this NSEC3 chain between
+	 * separate zone_nsec3chain() calls.
+	 */
+	nsec3chain = isc_mem_get(zone->mctx, sizeof *nsec3chain);
+
+	nsec3chain->magic = 0;
+	nsec3chain->done = false;
+	nsec3chain->db = NULL;
+	nsec3chain->dbiterator = NULL;
+	nsec3chain->nsec3param.common.rdclass = nsec3param->common.rdclass;
+	nsec3chain->nsec3param.common.rdtype = nsec3param->common.rdtype;
+	nsec3chain->nsec3param.hash = nsec3param->hash;
+	nsec3chain->nsec3param.iterations = nsec3param->iterations;
+	nsec3chain->nsec3param.flags = nsec3param->flags;
+	nsec3chain->nsec3param.salt_length = nsec3param->salt_length;
+	memmove(nsec3chain->salt, nsec3param->salt, nsec3param->salt_length);
+	nsec3chain->nsec3param.salt = nsec3chain->salt;
+	nsec3chain->seen_nsec = false;
+	nsec3chain->delete_nsec = false;
+	nsec3chain->save_delete_nsec = false;
+
+	/*
+	 * Log NSEC3 parameters defined by supplied NSEC3PARAM RDATA.
+	 */
+	if (nsec3param->flags == 0) {
+		strlcpy(flags, "NONE", sizeof(flags));
+	} else {
+		flags[0] = '\0';
+		if ((nsec3param->flags & DNS_NSEC3FLAG_REMOVE) != 0) {
+			strlcat(flags, "REMOVE", sizeof(flags));
+		}
+		if ((nsec3param->flags & DNS_NSEC3FLAG_INITIAL) != 0) {
+			if (flags[0] == '\0') {
+				strlcpy(flags, "INITIAL", sizeof(flags));
+			} else {
+				strlcat(flags, "|INITIAL", sizeof(flags));
+			}
+		}
+		if ((nsec3param->flags & DNS_NSEC3FLAG_CREATE) != 0) {
+			if (flags[0] == '\0') {
+				strlcpy(flags, "CREATE", sizeof(flags));
+			} else {
+				strlcat(flags, "|CREATE", sizeof(flags));
+			}
+		}
+		if ((nsec3param->flags & DNS_NSEC3FLAG_NONSEC) != 0) {
+			if (flags[0] == '\0') {
+				strlcpy(flags, "NONSEC", sizeof(flags));
+			} else {
+				strlcat(flags, "|NONSEC", sizeof(flags));
+			}
+		}
+		if ((nsec3param->flags & DNS_NSEC3FLAG_OPTOUT) != 0) {
+			if (flags[0] == '\0') {
+				strlcpy(flags, "OPTOUT", sizeof(flags));
+			} else {
+				strlcat(flags, "|OPTOUT", sizeof(flags));
+			}
+		}
+	}
+	result = dns_nsec3param_salttotext(nsec3param, saltbuf,
+					   sizeof(saltbuf));
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	dnssec_log(zone, ISC_LOG_INFO, "zone_addnsec3chain(%u,%s,%u,%s)",
+		   nsec3param->hash, flags, nsec3param->iterations, saltbuf);
+
+	/*
+	 * If the NSEC3 chain defined by the supplied NSEC3PARAM RDATA is
+	 * currently being processed, interrupt its processing to avoid
+	 * simultaneously adding and removing records for the same NSEC3 chain.
+	 */
+	for (current = ISC_LIST_HEAD(zone->nsec3chain); current != NULL;
+	     current = ISC_LIST_NEXT(current, link))
+	{
+		if ((current->db == db) &&
+		    (current->nsec3param.hash == nsec3param->hash) &&
+		    (current->nsec3param.iterations ==
+		     nsec3param->iterations) &&
+		    (current->nsec3param.salt_length ==
+		     nsec3param->salt_length) &&
+		    memcmp(current->nsec3param.salt, nsec3param->salt,
+			   nsec3param->salt_length) == 0)
+		{
+			current->done = true;
+		}
+	}
+
+	/*
+	 * Attach zone database to the structure initialized above and create
+	 * an iterator for it with appropriate options in order to avoid
+	 * creating NSEC3 records for NSEC3 records.
+	 */
+	dns_db_attach(db, &nsec3chain->db);
+	if ((nsec3chain->nsec3param.flags & DNS_NSEC3FLAG_CREATE) != 0) {
+		options = DNS_DB_NONSEC3;
+	}
+	result = dns_db_createiterator(nsec3chain->db, options,
+				       &nsec3chain->dbiterator);
+	if (result == ISC_R_SUCCESS) {
+		result = dns_dbiterator_first(nsec3chain->dbiterator);
+	}
+	if (result == ISC_R_SUCCESS) {
+		/*
+		 * Database iterator initialization succeeded.  We are now
+		 * ready to kick off adding/removing records belonging to this
+		 * NSEC3 chain.  Append the structure initialized above to the
+		 * "nsec3chain" list for the zone and set the appropriate zone
+		 * timer so that zone_nsec3chain() is called as soon as
+		 * possible.
+		 */
+		dns_dbiterator_pause(nsec3chain->dbiterator);
+		ISC_LIST_INITANDAPPEND(zone->nsec3chain, nsec3chain, link);
+		nsec3chain = NULL;
+		if (isc_time_isepoch(&zone->nsec3chaintime)) {
+			TIME_NOW(&now);
+			zone->nsec3chaintime = now;
+			if (zone->task != NULL) {
+				zone_settimer(zone, &now);
+			}
+		}
+	}
+
+	if (nsec3chain != NULL) {
+		if (nsec3chain->db != NULL) {
+			dns_db_detach(&nsec3chain->db);
+		}
+		if (nsec3chain->dbiterator != NULL) {
+			dns_dbiterator_destroy(&nsec3chain->dbiterator);
+		}
+		isc_mem_put(zone->mctx, nsec3chain, sizeof *nsec3chain);
+	}
+
+cleanup:
+	if (db != NULL) {
+		dns_db_detach(&db);
+	}
+	return (result);
+}
+
+/*
+ * Find private-type records at the zone apex which signal that an NSEC3 chain
+ * should be added or removed.  For each such record, extract NSEC3PARAM RDATA
+ * and pass it to zone_addnsec3chain().
+ *
+ * Zone must be locked by caller.
+ */
+static void
+resume_addnsec3chain(dns_zone_t *zone) {
+	dns_dbnode_t *node = NULL;
+	dns_dbversion_t *version = NULL;
+	dns_rdataset_t rdataset;
+	isc_result_t result;
+	dns_rdata_nsec3param_t nsec3param;
+	bool nseconly = false, nsec3ok = false;
+	dns_db_t *db = NULL;
+
+	INSIST(LOCKED_ZONE(zone));
+
+	if (zone->privatetype == 0) {
+		return;
+	}
+
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zone->db != NULL) {
+		dns_db_attach(zone->db, &db);
+	}
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+	if (db == NULL) {
+		goto cleanup;
+	}
+
+	result = dns_db_findnode(db, &zone->origin, false, &node);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	dns_db_currentversion(db, &version);
+
+	/*
+	 * In order to create NSEC3 chains we need the DNSKEY RRset at zone
+	 * apex to exist and contain no keys using NSEC-only algorithms.
+	 */
+	result = dns_nsec_nseconly(db, version, &nseconly);
+	nsec3ok = (result == ISC_R_SUCCESS && !nseconly);
+
+	/*
+	 * Get the RRset containing all private-type records at the zone apex.
+	 */
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(db, node, version, zone->privatetype,
+				     dns_rdatatype_none, 0, &rdataset, NULL);
+	if (result != ISC_R_SUCCESS) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
+		goto cleanup;
+	}
+
+	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_rdata_t private = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&rdataset, &private);
+		/*
+		 * Try extracting NSEC3PARAM RDATA from this private-type
+		 * record.  Failure means this private-type record does not
+		 * represent an NSEC3PARAM record, so skip it.
+		 */
+		if (!dns_nsec3param_fromprivate(&private, &rdata, buf,
+						sizeof(buf)))
+		{
+			continue;
+		}
+		result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		if (((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0) ||
+		    ((nsec3param.flags & DNS_NSEC3FLAG_CREATE) != 0 && nsec3ok))
+		{
+			/*
+			 * Pass the NSEC3PARAM RDATA contained in this
+			 * private-type record to zone_addnsec3chain() so that
+			 * it can kick off adding or removing NSEC3 records.
+			 */
+			result = zone_addnsec3chain(zone, &nsec3param);
+			if (result != ISC_R_SUCCESS) {
+				dnssec_log(zone, ISC_LOG_ERROR,
+					   "zone_addnsec3chain failed: %s",
+					   dns_result_totext(result));
+			}
+		}
+	}
+	dns_rdataset_disassociate(&rdataset);
+
+cleanup:
+	if (db != NULL) {
+		if (node != NULL) {
+			dns_db_detachnode(db, &node);
+		}
+		if (version != NULL) {
+			dns_db_closeversion(db, &version, false);
+		}
+		dns_db_detach(&db);
+	}
+}
+
+static void
+set_resigntime(dns_zone_t *zone) {
+	dns_rdataset_t rdataset;
+	dns_fixedname_t fixed;
+	unsigned int resign;
+	isc_result_t result;
+	uint32_t nanosecs;
+	dns_db_t *db = NULL;
+
+	INSIST(LOCKED_ZONE(zone));
+
+	/* We only re-sign zones that can be dynamically updated */
+	if (zone->update_disabled) {
+		return;
+	}
+
+	if (!inline_secure(zone) &&
+	    (zone->type != dns_zone_primary ||
+	     (zone->ssutable == NULL &&
+	      (zone->update_acl == NULL || dns_acl_isnone(zone->update_acl)))))
+	{
+		return;
+	}
+
+	dns_rdataset_init(&rdataset);
+	dns_fixedname_init(&fixed);
+
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zone->db != NULL) {
+		dns_db_attach(zone->db, &db);
+	}
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+	if (db == NULL) {
+		isc_time_settoepoch(&zone->resigntime);
+		return;
+	}
+
+	result = dns_db_getsigningtime(db, &rdataset,
+				       dns_fixedname_name(&fixed));
+	if (result != ISC_R_SUCCESS) {
+		isc_time_settoepoch(&zone->resigntime);
+		goto cleanup;
+	}
+
+	resign = rdataset.resign - dns_zone_getsigresigninginterval(zone);
+	dns_rdataset_disassociate(&rdataset);
+	nanosecs = isc_random_uniform(1000000000);
+	isc_time_set(&zone->resigntime, resign, nanosecs);
+
+cleanup:
+	dns_db_detach(&db);
+	return;
+}
+
+static isc_result_t
+check_nsec3param(dns_zone_t *zone, dns_db_t *db) {
+	bool ok = false;
+	dns_dbnode_t *node = NULL;
+	dns_dbversion_t *version = NULL;
+	dns_rdata_nsec3param_t nsec3param;
+	dns_rdataset_t rdataset;
+	isc_result_t result;
+	bool dynamic = (zone->type == dns_zone_primary)
+			       ? dns_zone_isdynamic(zone, false)
+			       : false;
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findnode(db, &zone->origin, false, &node);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "nsec3param lookup failure: %s",
+			     dns_result_totext(result));
+		return (result);
+	}
+	dns_db_currentversion(db, &version);
+
+	result = dns_db_findrdataset(db, node, version,
+				     dns_rdatatype_nsec3param,
+				     dns_rdatatype_none, 0, &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
+		result = ISC_R_SUCCESS;
+		goto cleanup;
+	}
+	if (result != ISC_R_SUCCESS) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "nsec3param lookup failure: %s",
+			     dns_result_totext(result));
+		goto cleanup;
+	}
+
+	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		/*
+		 * For dynamic zones we must support every algorithm so we
+		 * can regenerate all the NSEC3 chains.
+		 * For non-dynamic zones we only need to find a supported
+		 * algorithm.
+		 */
+		if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_NSEC3TESTZONE) &&
+		    nsec3param.hash == DNS_NSEC3_UNKNOWNALG && !dynamic)
+		{
+			dns_zone_log(zone, ISC_LOG_WARNING,
+				     "nsec3 test \"unknown\" hash algorithm "
+				     "found: %u",
+				     nsec3param.hash);
+			ok = true;
+		} else if (!dns_nsec3_supportedhash(nsec3param.hash)) {
+			if (dynamic) {
+				dns_zone_log(zone, ISC_LOG_ERROR,
+					     "unsupported nsec3 hash algorithm"
+					     " in dynamic zone: %u",
+					     nsec3param.hash);
+				result = DNS_R_BADZONE;
+				/* Stop second error message. */
+				ok = true;
+				break;
+			} else {
+				dns_zone_log(zone, ISC_LOG_WARNING,
+					     "unsupported nsec3 hash "
+					     "algorithm: %u",
+					     nsec3param.hash);
+			}
+		} else {
+			ok = true;
+		}
+
+		/*
+		 * Warn if the zone has excessive NSEC3 iterations.
+		 */
+		if (nsec3param.iterations > dns_nsec3_maxiterations()) {
+			dnssec_log(zone, ISC_LOG_WARNING,
+				   "excessive NSEC3PARAM iterations %u > %u",
+				   nsec3param.iterations,
+				   dns_nsec3_maxiterations());
+		}
+	}
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+	}
+
+	if (!ok) {
+		result = DNS_R_BADZONE;
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "no supported nsec3 hash algorithm");
+	}
+
+cleanup:
+	if (dns_rdataset_isassociated(&rdataset)) {
+		dns_rdataset_disassociate(&rdataset);
+	}
+	dns_db_closeversion(db, &version, false);
+	dns_db_detachnode(db, &node);
+	return (result);
+}
+
+/*
+ * Set the timer for refreshing the key zone to the soonest future time
+ * of the set (current timer, keydata->refresh, keydata->addhd,
+ * keydata->removehd).
+ */
+static void
+set_refreshkeytimer(dns_zone_t *zone, dns_rdata_keydata_t *key,
+		    isc_stdtime_t now, bool force) {
+	const char me[] = "set_refreshkeytimer";
+	isc_stdtime_t then;
+	isc_time_t timenow, timethen;
+	char timebuf[80];
+
+	ENTER;
+	then = key->refresh;
+	if (force) {
+		then = now;
+	}
+	if (key->addhd > now && key->addhd < then) {
+		then = key->addhd;
+	}
+	if (key->removehd > now && key->removehd < then) {
+		then = key->removehd;
+	}
+
+	TIME_NOW(&timenow);
+	if (then > now) {
+		DNS_ZONE_TIME_ADD(&timenow, then - now, &timethen);
+	} else {
+		timethen = timenow;
+	}
+	if (isc_time_compare(&zone->refreshkeytime, &timenow) < 0 ||
+	    isc_time_compare(&timethen, &zone->refreshkeytime) < 0)
+	{
+		zone->refreshkeytime = timethen;
+	}
+
+	isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80);
+	dns_zone_log(zone, ISC_LOG_DEBUG(1), "next key refresh: %s", timebuf);
+	zone_settimer(zone, &timenow);
+}
+
+/*
+ * If keynode references a key or a DS rdataset, and if the key
+ * zone does not contain a KEYDATA record for the corresponding name,
+ * then create an empty KEYDATA and push it into the zone as a placeholder,
+ * then schedule a key refresh immediately. This new KEYDATA record will be
+ * updated during the refresh.
+ *
+ * If the key zone is changed, set '*changed' to true.
+ */
+static isc_result_t
+create_keydata(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
+	       dns_diff_t *diff, dns_keynode_t *keynode, dns_name_t *keyname,
+	       bool *changed) {
+	const char me[] = "create_keydata";
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_keydata_t kd;
+	unsigned char rrdata[4096];
+	isc_buffer_t rrdatabuf;
+	isc_stdtime_t now;
+
+	REQUIRE(keynode != NULL);
+
+	ENTER;
+	isc_stdtime_get(&now);
+
+	/*
+	 * If the keynode has no trust anchor set, we shouldn't be here.
+	 */
+	if (!dns_keynode_dsset(keynode, NULL)) {
+		return (ISC_R_FAILURE);
+	}
+
+	memset(&kd, 0, sizeof(kd));
+	kd.common.rdclass = zone->rdclass;
+	kd.common.rdtype = dns_rdatatype_keydata;
+	ISC_LINK_INIT(&kd.common, link);
+
+	isc_buffer_init(&rrdatabuf, rrdata, sizeof(rrdata));
+
+	CHECK(dns_rdata_fromstruct(&rdata, zone->rdclass, dns_rdatatype_keydata,
+				   &kd, &rrdatabuf));
+	/* Add rdata to zone. */
+	CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADD, keyname, 0, &rdata));
+	*changed = true;
+
+	/* Refresh new keys from the zone apex as soon as possible. */
+	set_refreshkeytimer(zone, &kd, now, true);
+	return (ISC_R_SUCCESS);
+
+failure:
+	return (result);
+}
+
+/*
+ * Remove from the key zone all the KEYDATA records found in rdataset.
+ */
+static isc_result_t
+delete_keydata(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff,
+	       dns_name_t *name, dns_rdataset_t *rdataset) {
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_result_t result, uresult;
+
+	for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(rdataset))
+	{
+		dns_rdata_reset(&rdata);
+		dns_rdataset_current(rdataset, &rdata);
+		uresult = update_one_rr(db, ver, diff, DNS_DIFFOP_DEL, name, 0,
+					&rdata);
+		if (uresult != ISC_R_SUCCESS) {
+			return (uresult);
+		}
+	}
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+	}
+	return (result);
+}
+
+/*
+ * Compute the DNSSEC key ID for a DNSKEY record.
+ */
+static isc_result_t
+compute_tag(dns_name_t *name, dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx,
+	    dns_keytag_t *tag) {
+	isc_result_t result;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	unsigned char data[4096];
+	isc_buffer_t buffer;
+	dst_key_t *dstkey = NULL;
+
+	isc_buffer_init(&buffer, data, sizeof(data));
+	dns_rdata_fromstruct(&rdata, dnskey->common.rdclass,
+			     dns_rdatatype_dnskey, dnskey, &buffer);
+
+	result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &dstkey);
+	if (result == ISC_R_SUCCESS) {
+		*tag = dst_key_id(dstkey);
+		dst_key_free(&dstkey);
+	}
+
+	return (result);
+}
+
+/*
+ * Add key to the security roots.
+ */
+static void
+trust_key(dns_zone_t *zone, dns_name_t *keyname, dns_rdata_dnskey_t *dnskey,
+	  bool initial) {
+	isc_result_t result;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	unsigned char data[4096], digest[ISC_MAX_MD_SIZE];
+	isc_buffer_t buffer;
+	dns_keytable_t *sr = NULL;
+	dns_rdata_ds_t ds;
+
+	result = dns_view_getsecroots(zone->view, &sr);
+	if (result != ISC_R_SUCCESS) {
+		return;
+	}
+
+	/* Build DS record for key. */
+	isc_buffer_init(&buffer, data, sizeof(data));
+	dns_rdata_fromstruct(&rdata, dnskey->common.rdclass,
+			     dns_rdatatype_dnskey, dnskey, &buffer);
+	CHECK(dns_ds_fromkeyrdata(keyname, &rdata, DNS_DSDIGEST_SHA256, digest,
+				  &ds));
+	CHECK(dns_keytable_add(sr, true, initial, keyname, &ds));
+
+	dns_keytable_detach(&sr);
+
+failure:
+	if (sr != NULL) {
+		dns_keytable_detach(&sr);
+	}
+	return;
+}
+
+/*
+ * Add a null key to the security roots for so that all queries
+ * to the zone will fail.
+ */
+static void
+fail_secure(dns_zone_t *zone, dns_name_t *keyname) {
+	isc_result_t result;
+	dns_keytable_t *sr = NULL;
+
+	result = dns_view_getsecroots(zone->view, &sr);
+	if (result == ISC_R_SUCCESS) {
+		dns_keytable_marksecure(sr, keyname);
+		dns_keytable_detach(&sr);
+	}
+}
+
+/*
+ * Scan a set of KEYDATA records from the key zone.  The ones that are
+ * valid (i.e., the add holddown timer has expired) become trusted keys.
+ */
+static void
+load_secroots(dns_zone_t *zone, dns_name_t *name, dns_rdataset_t *rdataset) {
+	isc_result_t result;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_keydata_t keydata;
+	dns_rdata_dnskey_t dnskey;
+	int trusted = 0, revoked = 0, pending = 0;
+	isc_stdtime_t now;
+	dns_keytable_t *sr = NULL;
+
+	isc_stdtime_get(&now);
+
+	result = dns_view_getsecroots(zone->view, &sr);
+	if (result == ISC_R_SUCCESS) {
+		dns_keytable_delete(sr, name);
+		dns_keytable_detach(&sr);
+	}
+
+	/* Now insert all the accepted trust anchors from this keydata set. */
+	for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(rdataset))
+	{
+		dns_rdata_reset(&rdata);
+		dns_rdataset_current(rdataset, &rdata);
+
+		/* Convert rdata to keydata. */
+		result = dns_rdata_tostruct(&rdata, &keydata, NULL);
+		if (result == ISC_R_UNEXPECTEDEND) {
+			continue;
+		}
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		/* Set the key refresh timer to force a fast refresh. */
+		set_refreshkeytimer(zone, &keydata, now, true);
+
+		/* If the removal timer is nonzero, this key was revoked. */
+		if (keydata.removehd != 0) {
+			revoked++;
+			continue;
+		}
+
+		/*
+		 * If the add timer is still pending, this key is not
+		 * trusted yet.
+		 */
+		if (now < keydata.addhd) {
+			pending++;
+			continue;
+		}
+
+		/* Convert keydata to dnskey. */
+		dns_keydata_todnskey(&keydata, &dnskey, NULL);
+
+		/* Add to keytables. */
+		trusted++;
+		trust_key(zone, name, &dnskey, (keydata.addhd == 0));
+	}
+
+	if (trusted == 0 && pending != 0) {
+		char namebuf[DNS_NAME_FORMATSIZE];
+		dns_name_format(name, namebuf, sizeof namebuf);
+		dnssec_log(zone, ISC_LOG_ERROR,
+			   "No valid trust anchors for '%s'!", namebuf);
+		dnssec_log(zone, ISC_LOG_ERROR,
+			   "%d key(s) revoked, %d still pending", revoked,
+			   pending);
+		dnssec_log(zone, ISC_LOG_ERROR, "All queries to '%s' will fail",
+			   namebuf);
+		fail_secure(zone, name);
+	}
+}
+
+static isc_result_t
+do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
+	     dns_diff_t *diff) {
+	dns_diff_t temp_diff;
+	isc_result_t result;
+
+	/*
+	 * Create a singleton diff.
+	 */
+	dns_diff_init(diff->mctx, &temp_diff);
+	ISC_LIST_APPEND(temp_diff.tuples, *tuple, link);
+
+	/*
+	 * Apply it to the database.
+	 */
+	result = dns_diff_apply(&temp_diff, db, ver);
+	ISC_LIST_UNLINK(temp_diff.tuples, *tuple, link);
+	if (result != ISC_R_SUCCESS) {
+		dns_difftuple_free(tuple);
+		return (result);
+	}
+
+	/*
+	 * Merge it into the current pending journal entry.
+	 */
+	dns_diff_appendminimal(diff, tuple);
+
+	/*
+	 * Do not clear temp_diff.
+	 */
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+update_one_rr(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff,
+	      dns_diffop_t op, dns_name_t *name, dns_ttl_t ttl,
+	      dns_rdata_t *rdata) {
+	dns_difftuple_t *tuple = NULL;
+	isc_result_t result;
+	result = dns_difftuple_create(diff->mctx, op, name, ttl, rdata, &tuple);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	return (do_one_tuple(&tuple, db, ver, diff));
+}
+
+static isc_result_t
+update_soa_serial(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
+		  dns_diff_t *diff, isc_mem_t *mctx,
+		  dns_updatemethod_t method) {
+	dns_difftuple_t *deltuple = NULL;
+	dns_difftuple_t *addtuple = NULL;
+	uint32_t serial;
+	isc_result_t result;
+	dns_updatemethod_t used = dns_updatemethod_none;
+
+	INSIST(method != dns_updatemethod_none);
+
+	CHECK(dns_db_createsoatuple(db, ver, mctx, DNS_DIFFOP_DEL, &deltuple));
+	CHECK(dns_difftuple_copy(deltuple, &addtuple));
+	addtuple->op = DNS_DIFFOP_ADD;
+
+	serial = dns_soa_getserial(&addtuple->rdata);
+	serial = dns_update_soaserial(serial, method, &used);
+	if (method != used) {
+		dns_zone_log(zone, ISC_LOG_WARNING,
+			     "update_soa_serial:new serial would be lower than "
+			     "old serial, using increment method instead");
+	}
+	dns_soa_setserial(serial, &addtuple->rdata);
+	CHECK(do_one_tuple(&deltuple, db, ver, diff));
+	CHECK(do_one_tuple(&addtuple, db, ver, diff));
+	result = ISC_R_SUCCESS;
+
+failure:
+	if (addtuple != NULL) {
+		dns_difftuple_free(&addtuple);
+	}
+	if (deltuple != NULL) {
+		dns_difftuple_free(&deltuple);
+	}
+	return (result);
+}
+
+/*
+ * Write all transactions in 'diff' to the zone journal file.
+ */
+static isc_result_t
+zone_journal(dns_zone_t *zone, dns_diff_t *diff, uint32_t *sourceserial,
+	     const char *caller) {
+	const char me[] = "zone_journal";
+	const char *journalfile;
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_journal_t *journal = NULL;
+	unsigned int mode = DNS_JOURNAL_CREATE | DNS_JOURNAL_WRITE;
+
+	ENTER;
+	journalfile = dns_zone_getjournal(zone);
+	if (journalfile != NULL) {
+		result = dns_journal_open(zone->mctx, journalfile, mode,
+					  &journal);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "%s:dns_journal_open -> %s", caller,
+				     dns_result_totext(result));
+			return (result);
+		}
+
+		if (sourceserial != NULL) {
+			dns_journal_set_sourceserial(journal, *sourceserial);
+		}
+
+		result = dns_journal_write_transaction(journal, diff);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "%s:dns_journal_write_transaction -> %s",
+				     caller, dns_result_totext(result));
+		}
+		dns_journal_destroy(&journal);
+	}
+
+	return (result);
+}
+
+/*
+ * Create an SOA record for a newly-created zone
+ */
+static isc_result_t
+add_soa(dns_zone_t *zone, dns_db_t *db) {
+	isc_result_t result;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	unsigned char buf[DNS_SOA_BUFFERSIZE];
+	dns_dbversion_t *ver = NULL;
+	dns_diff_t diff;
+
+	dns_zone_log(zone, ISC_LOG_DEBUG(1), "creating SOA");
+
+	dns_diff_init(zone->mctx, &diff);
+	result = dns_db_newversion(db, &ver);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "add_soa:dns_db_newversion -> %s",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	/* Build SOA record */
+	result = dns_soa_buildrdata(&zone->origin, dns_rootname, zone->rdclass,
+				    0, 0, 0, 0, 0, buf, &rdata);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "add_soa:dns_soa_buildrdata -> %s",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	result = update_one_rr(db, ver, &diff, DNS_DIFFOP_ADD, &zone->origin, 0,
+			       &rdata);
+
+failure:
+	dns_diff_clear(&diff);
+	if (ver != NULL) {
+		dns_db_closeversion(db, &ver, (result == ISC_R_SUCCESS));
+	}
+
+	INSIST(ver == NULL);
+
+	return (result);
+}
+
+struct addifmissing_arg {
+	dns_db_t *db;
+	dns_dbversion_t *ver;
+	dns_diff_t *diff;
+	dns_zone_t *zone;
+	bool *changed;
+	isc_result_t result;
+};
+
+static void
+addifmissing(dns_keytable_t *keytable, dns_keynode_t *keynode,
+	     dns_name_t *keyname, void *arg) {
+	dns_db_t *db = ((struct addifmissing_arg *)arg)->db;
+	dns_dbversion_t *ver = ((struct addifmissing_arg *)arg)->ver;
+	dns_diff_t *diff = ((struct addifmissing_arg *)arg)->diff;
+	dns_zone_t *zone = ((struct addifmissing_arg *)arg)->zone;
+	bool *changed = ((struct addifmissing_arg *)arg)->changed;
+	isc_result_t result;
+	dns_fixedname_t fname;
+
+	UNUSED(keytable);
+
+	if (((struct addifmissing_arg *)arg)->result != ISC_R_SUCCESS) {
+		return;
+	}
+
+	if (!dns_keynode_managed(keynode)) {
+		return;
+	}
+
+	/*
+	 * If the keynode has no trust anchor set, return.
+	 */
+	if (!dns_keynode_dsset(keynode, NULL)) {
+		return;
+	}
+
+	/*
+	 * Check whether there's already a KEYDATA entry for this name;
+	 * if so, we don't need to add another.
+	 */
+	dns_fixedname_init(&fname);
+	result = dns_db_find(db, keyname, ver, dns_rdatatype_keydata,
+			     DNS_DBFIND_NOWILD, 0, NULL,
+			     dns_fixedname_name(&fname), NULL, NULL);
+	if (result == ISC_R_SUCCESS) {
+		return;
+	}
+
+	/*
+	 * Create the keydata.
+	 */
+	result = create_keydata(zone, db, ver, diff, keynode, keyname, changed);
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOMORE) {
+		((struct addifmissing_arg *)arg)->result = result;
+	}
+}
+
+/*
+ * Synchronize the set of initializing keys found in managed-keys {}
+ * statements with the set of trust anchors found in the managed-keys.bind
+ * zone.  If a domain is no longer named in managed-keys, delete all keys
+ * from that domain from the key zone.	If a domain is configured as an
+ * initial-key in trust-anchors, but there are no references to it in the
+ * key zone, load the key zone with the initializing key(s) for that
+ * domain and schedule a key refresh. If a domain is configured as
+ * an initial-ds in trust-anchors, fetch the DNSKEY RRset, load the key
+ * zone with the matching key, and schedule a key refresh.
+ */
+static isc_result_t
+sync_keyzone(dns_zone_t *zone, dns_db_t *db) {
+	isc_result_t result = ISC_R_SUCCESS;
+	bool changed = false;
+	bool commit = false;
+	dns_keynode_t *keynode = NULL;
+	dns_view_t *view = zone->view;
+	dns_keytable_t *sr = NULL;
+	dns_dbversion_t *ver = NULL;
+	dns_diff_t diff;
+	dns_rriterator_t rrit;
+	struct addifmissing_arg arg;
+
+	dns_zone_log(zone, ISC_LOG_DEBUG(1), "synchronizing trusted keys");
+
+	dns_diff_init(zone->mctx, &diff);
+
+	CHECK(dns_view_getsecroots(view, &sr));
+
+	result = dns_db_newversion(db, &ver);
+	if (result != ISC_R_SUCCESS) {
+		dnssec_log(zone, ISC_LOG_ERROR,
+			   "sync_keyzone:dns_db_newversion -> %s",
+			   dns_result_totext(result));
+		goto failure;
+	}
+
+	/*
+	 * Walk the zone DB.  If we find any keys whose names are no longer
+	 * in trust-anchors, or which have been changed from initial to static,
+	 * (meaning they are permanent and not RFC5011-maintained), delete
+	 * them from the zone.  Otherwise call load_secroots(), which
+	 * loads keys into secroots as appropriate.
+	 */
+	dns_rriterator_init(&rrit, db, ver, 0);
+	for (result = dns_rriterator_first(&rrit); result == ISC_R_SUCCESS;
+	     result = dns_rriterator_nextrrset(&rrit))
+	{
+		dns_rdataset_t *rdataset = NULL;
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_rdata_keydata_t keydata;
+		isc_stdtime_t now;
+		bool load = true;
+		dns_name_t *rrname = NULL;
+		uint32_t ttl;
+
+		isc_stdtime_get(&now);
+
+		dns_rriterator_current(&rrit, &rrname, &ttl, &rdataset, NULL);
+		if (!dns_rdataset_isassociated(rdataset)) {
+			dns_rriterator_destroy(&rrit);
+			goto failure;
+		}
+
+		if (rdataset->type != dns_rdatatype_keydata) {
+			continue;
+		}
+
+		/*
+		 * The managed-keys zone can contain a placeholder instead of
+		 * legitimate data, in which case we will not use it, and we
+		 * will try to refresh it.
+		 */
+		for (result = dns_rdataset_first(rdataset);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(rdataset))
+		{
+			isc_result_t iresult;
+
+			dns_rdata_reset(&rdata);
+			dns_rdataset_current(rdataset, &rdata);
+
+			iresult = dns_rdata_tostruct(&rdata, &keydata, NULL);
+			/* Do we have a valid placeholder KEYDATA record? */
+			if (iresult == ISC_R_SUCCESS && keydata.flags == 0 &&
+			    keydata.protocol == 0 && keydata.algorithm == 0)
+			{
+				set_refreshkeytimer(zone, &keydata, now, true);
+				load = false;
+			}
+		}
+
+		/*
+		 * Release db wrlock to prevent LOR reports against
+		 * dns_keytable_forall() call below.
+		 */
+		dns_rriterator_pause(&rrit);
+		result = dns_keytable_find(sr, rrname, &keynode);
+		if (result != ISC_R_SUCCESS || !dns_keynode_managed(keynode)) {
+			CHECK(delete_keydata(db, ver, &diff, rrname, rdataset));
+			changed = true;
+		} else if (load) {
+			load_secroots(zone, rrname, rdataset);
+		}
+
+		if (keynode != NULL) {
+			dns_keytable_detachkeynode(sr, &keynode);
+		}
+	}
+	dns_rriterator_destroy(&rrit);
+
+	/*
+	 * Walk secroots to find any initial keys that aren't in
+	 * the zone.  If we find any, add them to the zone directly.
+	 * If any DS-style initial keys are found, refresh the key
+	 * zone so that they'll be looked up.
+	 */
+	arg.db = db;
+	arg.ver = ver;
+	arg.result = ISC_R_SUCCESS;
+	arg.diff = &diff;
+	arg.zone = zone;
+	arg.changed = &changed;
+	dns_keytable_forall(sr, addifmissing, &arg);
+	result = arg.result;
+	if (changed) {
+		/* Write changes to journal file. */
+		CHECK(update_soa_serial(zone, db, ver, &diff, zone->mctx,
+					zone->updatemethod));
+		CHECK(zone_journal(zone, &diff, NULL, "sync_keyzone"));
+
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
+		zone_needdump(zone, 30);
+		commit = true;
+	}
+
+failure:
+	if (result != ISC_R_SUCCESS) {
+		dnssec_log(zone, ISC_LOG_ERROR,
+			   "unable to synchronize managed keys: %s",
+			   dns_result_totext(result));
+		isc_time_settoepoch(&zone->refreshkeytime);
+	}
+	if (keynode != NULL) {
+		dns_keytable_detachkeynode(sr, &keynode);
+	}
+	if (sr != NULL) {
+		dns_keytable_detach(&sr);
+	}
+	if (ver != NULL) {
+		dns_db_closeversion(db, &ver, commit);
+	}
+	dns_diff_clear(&diff);
+
+	INSIST(ver == NULL);
+
+	return (result);
+}
+
+isc_result_t
+dns_zone_synckeyzone(dns_zone_t *zone) {
+	isc_result_t result;
+	dns_db_t *db = NULL;
+
+	if (zone->type != dns_zone_key) {
+		return (DNS_R_BADZONE);
+	}
+
+	CHECK(dns_zone_getdb(zone, &db));
+
+	LOCK_ZONE(zone);
+	result = sync_keyzone(zone, db);
+	UNLOCK_ZONE(zone);
+
+failure:
+	if (db != NULL) {
+		dns_db_detach(&db);
+	}
+	return (result);
+}
+
+static void
+maybe_send_secure(dns_zone_t *zone) {
+	isc_result_t result;
+
+	/*
+	 * We've finished loading, or else failed to load, an inline-signing
+	 * 'secure' zone.  We now need information about the status of the
+	 * 'raw' zone.  If we failed to load, then we need it to send a
+	 * copy of its database; if we succeeded, we need it to send its
+	 * serial number so that we can sync with it.  If it has not yet
+	 * loaded, we set a flag so that it will send the necessary
+	 * information when it has finished loading.
+	 */
+	if (zone->raw->db != NULL) {
+		if (zone->db != NULL) {
+			uint32_t serial;
+			unsigned int soacount;
+
+			result = zone_get_from_db(
+				zone->raw, zone->raw->db, NULL, &soacount, NULL,
+				&serial, NULL, NULL, NULL, NULL, NULL);
+			if (result == ISC_R_SUCCESS && soacount > 0U) {
+				zone_send_secureserial(zone->raw, serial);
+			}
+		} else {
+			zone_send_securedb(zone->raw, zone->raw->db);
+		}
+	} else {
+		DNS_ZONE_SETFLAG(zone->raw, DNS_ZONEFLG_SENDSECURE);
+	}
+}
+
+static bool
+zone_unchanged(dns_db_t *db1, dns_db_t *db2, isc_mem_t *mctx) {
+	isc_result_t result;
+	bool answer = false;
+	dns_diff_t diff;
+
+	dns_diff_init(mctx, &diff);
+	result = dns_db_diffx(&diff, db1, NULL, db2, NULL, NULL);
+	if (result == ISC_R_SUCCESS && ISC_LIST_EMPTY(diff.tuples)) {
+		answer = true;
+	}
+	dns_diff_clear(&diff);
+	return (answer);
+}
+
+/*
+ * The zone is presumed to be locked.
+ * If this is a inline_raw zone the secure version is also locked.
+ */
+static isc_result_t
+zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
+	      isc_result_t result) {
+	unsigned int soacount = 0;
+	unsigned int nscount = 0;
+	unsigned int errors = 0;
+	uint32_t serial, oldserial, refresh, retry, expire, minimum, soattl;
+	isc_time_t now;
+	bool needdump = false;
+	bool fixjournal = false;
+	bool hasinclude = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HASINCLUDE);
+	bool nomaster = false;
+	bool had_db = false;
+	dns_include_t *inc;
+	bool is_dynamic = false;
+
+	INSIST(LOCKED_ZONE(zone));
+	if (inline_raw(zone)) {
+		INSIST(LOCKED_ZONE(zone->secure));
+	}
+
+	TIME_NOW(&now);
+
+	/*
+	 * Initiate zone transfer?  We may need a error code that
+	 * indicates that the "permanent" form does not exist.
+	 * XXX better error feedback to log.
+	 */
+	if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE) {
+		if (zone->type == dns_zone_secondary ||
+		    zone->type == dns_zone_mirror ||
+		    zone->type == dns_zone_stub ||
+		    (zone->type == dns_zone_redirect && zone->masters == NULL))
+		{
+			if (result == ISC_R_FILENOTFOUND) {
+				dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
+					      ISC_LOG_DEBUG(1),
+					      "no master file");
+			} else if (result != DNS_R_NOMASTERFILE) {
+				dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
+					      ISC_LOG_ERROR,
+					      "loading from master file %s "
+					      "failed: %s",
+					      zone->masterfile,
+					      dns_result_totext(result));
+			}
+		} else if (zone->type == dns_zone_primary &&
+			   inline_secure(zone) && result == ISC_R_FILENOTFOUND)
+		{
+			dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
+				      ISC_LOG_DEBUG(1),
+				      "no master file, requesting db");
+			maybe_send_secure(zone);
+		} else {
+			int level = ISC_LOG_ERROR;
+			if (zone->type == dns_zone_key &&
+			    result == ISC_R_FILENOTFOUND)
+			{
+				level = ISC_LOG_DEBUG(1);
+			}
+			dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, level,
+				      "loading from master file %s failed: %s",
+				      zone->masterfile,
+				      dns_result_totext(result));
+			nomaster = true;
+		}
+
+		if (zone->type != dns_zone_key) {
+			goto cleanup;
+		}
+	}
+
+	dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_DEBUG(2),
+		      "number of nodes in database: %u", dns_db_nodecount(db));
+
+	if (result == DNS_R_SEENINCLUDE) {
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_HASINCLUDE);
+	} else {
+		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HASINCLUDE);
+	}
+
+	/*
+	 * If there's no master file for a key zone, then the zone is new:
+	 * create an SOA record.  (We do this now, instead of later, so that
+	 * if there happens to be a journal file, we can roll forward from
+	 * a sane starting point.)
+	 */
+	if (nomaster && zone->type == dns_zone_key) {
+		result = add_soa(zone, db);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+	}
+
+	/*
+	 * Apply update log, if any, on initial load.
+	 */
+	if (zone->journal != NULL &&
+	    !DNS_ZONE_OPTION(zone, DNS_ZONEOPT_NOMERGE) &&
+	    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED))
+	{
+		result = zone_journal_rollforward(zone, db, &needdump,
+						  &fixjournal);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+	}
+
+	/*
+	 * Obtain ns, soa and cname counts for top of zone.
+	 */
+	INSIST(db != NULL);
+	result = zone_get_from_db(zone, db, &nscount, &soacount, &soattl,
+				  &serial, &refresh, &retry, &expire, &minimum,
+				  &errors);
+	if (result != ISC_R_SUCCESS && zone->type != dns_zone_key) {
+		dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_ERROR,
+			      "could not find NS and/or SOA records");
+	}
+
+	/*
+	 * Process any queued NSEC3PARAM change requests. Only for dynamic
+	 * zones, an inline-signing zone will perform this action when
+	 * receiving the secure db (receive_secure_db).
+	 */
+	is_dynamic = dns_zone_isdynamic(zone, true);
+	if (is_dynamic) {
+		isc_event_t *setnsec3param_event;
+		dns_zone_t *dummy;
+
+		while (!ISC_LIST_EMPTY(zone->setnsec3param_queue)) {
+			setnsec3param_event =
+				ISC_LIST_HEAD(zone->setnsec3param_queue);
+			ISC_LIST_UNLINK(zone->setnsec3param_queue,
+					setnsec3param_event, ev_link);
+			dummy = NULL;
+			zone_iattach(zone, &dummy);
+			isc_task_send(zone->task, &setnsec3param_event);
+		}
+	}
+
+	/*
+	 * Check to make sure the journal is up to date, and remove the
+	 * journal file if it isn't, as we wouldn't be able to apply
+	 * updates otherwise.
+	 */
+	if (zone->journal != NULL && is_dynamic &&
+	    !DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IXFRFROMDIFFS))
+	{
+		uint32_t jserial;
+		dns_journal_t *journal = NULL;
+		bool empty = false;
+
+		result = dns_journal_open(zone->mctx, zone->journal,
+					  DNS_JOURNAL_READ, &journal);
+		if (result == ISC_R_SUCCESS) {
+			jserial = dns_journal_last_serial(journal);
+			empty = dns_journal_empty(journal);
+			dns_journal_destroy(&journal);
+		} else {
+			jserial = serial;
+			result = ISC_R_SUCCESS;
+		}
+
+		if (jserial != serial) {
+			if (!empty) {
+				dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
+					      ISC_LOG_INFO,
+					      "journal file is out of date: "
+					      "removing journal file");
+			}
+			if (remove(zone->journal) < 0 && errno != ENOENT) {
+				char strbuf[ISC_STRERRORSIZE];
+				strerror_r(errno, strbuf, sizeof(strbuf));
+				isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+					      DNS_LOGMODULE_ZONE,
+					      ISC_LOG_WARNING,
+					      "unable to remove journal "
+					      "'%s': '%s'",
+					      zone->journal, strbuf);
+			}
+		}
+	}
+
+	dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_DEBUG(1),
+		      "loaded; checking validity");
+
+	/*
+	 * Master / Slave / Mirror / Stub zones require both NS and SOA records
+	 * at the top of the zone.
+	 */
+
+	switch (zone->type) {
+	case dns_zone_dlz:
+	case dns_zone_primary:
+	case dns_zone_secondary:
+	case dns_zone_mirror:
+	case dns_zone_stub:
+	case dns_zone_redirect:
+		if (soacount != 1) {
+			dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
+				      ISC_LOG_ERROR, "has %d SOA records",
+				      soacount);
+			result = DNS_R_BADZONE;
+		}
+		if (nscount == 0) {
+			dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
+				      ISC_LOG_ERROR, "has no NS records");
+			result = DNS_R_BADZONE;
+		}
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+		if (zone->type == dns_zone_primary && errors != 0) {
+			result = DNS_R_BADZONE;
+			goto cleanup;
+		}
+		if (zone->type != dns_zone_stub &&
+		    zone->type != dns_zone_redirect)
+		{
+			result = check_nsec3param(zone, db);
+			if (result != ISC_R_SUCCESS) {
+				goto cleanup;
+			}
+		}
+		if (zone->type == dns_zone_primary &&
+		    DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKINTEGRITY) &&
+		    !integrity_checks(zone, db))
+		{
+			result = DNS_R_BADZONE;
+			goto cleanup;
+		}
+		if (zone->type == dns_zone_primary &&
+		    DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKDUPRR) &&
+		    !zone_check_dup(zone, db))
+		{
+			result = DNS_R_BADZONE;
+			goto cleanup;
+		}
+
+		if (zone->type == dns_zone_primary) {
+			result = dns_zone_cdscheck(zone, db, NULL);
+			if (result != ISC_R_SUCCESS) {
+				dns_zone_log(zone, ISC_LOG_ERROR,
+					     "CDS/CDNSKEY consistency checks "
+					     "failed");
+				goto cleanup;
+			}
+		}
+
+		result = dns_zone_verifydb(zone, db, NULL);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+
+		if (zone->db != NULL) {
+			unsigned int oldsoacount;
+
+			/*
+			 * This is checked in zone_replacedb() for slave zones
+			 * as they don't reload from disk.
+			 */
+			result = zone_get_from_db(
+				zone, zone->db, NULL, &oldsoacount, NULL,
+				&oldserial, NULL, NULL, NULL, NULL, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			RUNTIME_CHECK(oldsoacount > 0U);
+			if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IXFRFROMDIFFS) &&
+			    !isc_serial_gt(serial, oldserial))
+			{
+				uint32_t serialmin, serialmax;
+
+				INSIST(zone->type == dns_zone_primary);
+				INSIST(zone->raw == NULL);
+
+				if (serial == oldserial &&
+				    zone_unchanged(zone->db, db, zone->mctx))
+				{
+					dns_zone_logc(zone,
+						      DNS_LOGCATEGORY_ZONELOAD,
+						      ISC_LOG_INFO,
+						      "ixfr-from-differences: "
+						      "unchanged");
+					zone->loadtime = loadtime;
+					goto done;
+				}
+
+				serialmin = (oldserial + 1) & 0xffffffffU;
+				serialmax = (oldserial + 0x7fffffffU) &
+					    0xffffffffU;
+				dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
+					      ISC_LOG_ERROR,
+					      "ixfr-from-differences: "
+					      "new serial (%u) out of range "
+					      "[%u - %u]",
+					      serial, serialmin, serialmax);
+				result = DNS_R_BADZONE;
+				goto cleanup;
+			} else if (!isc_serial_ge(serial, oldserial)) {
+				dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
+					      ISC_LOG_ERROR,
+					      "zone serial (%u/%u) has gone "
+					      "backwards",
+					      serial, oldserial);
+			} else if (serial == oldserial && !hasinclude &&
+				   strcmp(zone->db_argv[0], "_builtin") != 0)
+			{
+				dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
+					      ISC_LOG_ERROR,
+					      "zone serial (%u) unchanged. "
+					      "zone may fail to transfer "
+					      "to slaves.",
+					      serial);
+			}
+		}
+
+		if (zone->type == dns_zone_primary &&
+		    (zone->update_acl != NULL || zone->ssutable != NULL) &&
+		    dns_zone_getsigresigninginterval(zone) < (3 * refresh) &&
+		    dns_db_issecure(db))
+		{
+			dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
+				      ISC_LOG_WARNING,
+				      "sig-re-signing-interval less than "
+				      "3 * refresh.");
+		}
+
+		zone->refresh = RANGE(refresh, zone->minrefresh,
+				      zone->maxrefresh);
+		zone->retry = RANGE(retry, zone->minretry, zone->maxretry);
+		zone->expire = RANGE(expire, zone->refresh + zone->retry,
+				     DNS_MAX_EXPIRE);
+		zone->soattl = soattl;
+		zone->minimum = minimum;
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
+
+		if (zone->type == dns_zone_secondary ||
+		    zone->type == dns_zone_mirror ||
+		    zone->type == dns_zone_stub ||
+		    (zone->type == dns_zone_redirect && zone->masters != NULL))
+		{
+			isc_time_t t;
+			uint32_t delay;
+
+			result = isc_file_getmodtime(zone->journal, &t);
+			if (result != ISC_R_SUCCESS) {
+				result = isc_file_getmodtime(zone->masterfile,
+							     &t);
+			}
+			if (result == ISC_R_SUCCESS) {
+				DNS_ZONE_TIME_ADD(&t, zone->expire,
+						  &zone->expiretime);
+			} else {
+				DNS_ZONE_TIME_ADD(&now, zone->retry,
+						  &zone->expiretime);
+			}
+
+			delay = (zone->retry -
+				 isc_random_uniform((zone->retry * 3) / 4));
+			DNS_ZONE_TIME_ADD(&now, delay, &zone->refreshtime);
+			if (isc_time_compare(&zone->refreshtime,
+					     &zone->expiretime) >= 0)
+			{
+				zone->refreshtime = now;
+			}
+		}
+
+		break;
+
+	case dns_zone_key:
+		/* Nothing needs to be done now */
+		break;
+
+	default:
+		UNEXPECTED_ERROR(__FILE__, __LINE__, "unexpected zone type %d",
+				 zone->type);
+		result = ISC_R_UNEXPECTED;
+		goto cleanup;
+	}
+
+	/*
+	 * Check for weak DNSKEY's.
+	 */
+	if (zone->type == dns_zone_primary) {
+		zone_check_dnskeys(zone, db);
+	}
+
+	/*
+	 * Schedule DNSSEC key refresh.
+	 */
+	if (zone->type == dns_zone_primary &&
+	    DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_MAINTAIN))
+	{
+		zone->refreshkeytime = now;
+	}
+
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
+	if (zone->db != NULL) {
+		had_db = true;
+		result = zone_replacedb(zone, db, false);
+		ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+	} else {
+		zone_attachdb(zone, db);
+		ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED |
+					       DNS_ZONEFLG_NEEDSTARTUPNOTIFY);
+		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SENDSECURE) &&
+		    inline_raw(zone))
+		{
+			if (zone->secure->db == NULL) {
+				zone_send_securedb(zone, db);
+			} else {
+				zone_send_secureserial(zone, serial);
+			}
+		}
+	}
+
+	/*
+	 * Finished loading inline-signing zone; need to get status
+	 * from the raw side now.
+	 */
+	if (zone->type == dns_zone_primary && inline_secure(zone)) {
+		maybe_send_secure(zone);
+	}
+
+	result = ISC_R_SUCCESS;
+
+	if (fixjournal) {
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_FIXJOURNAL);
+		zone_journal_compact(zone, zone->db, 0);
+	}
+	if (needdump) {
+		if (zone->type == dns_zone_key) {
+			zone_needdump(zone, 30);
+		} else {
+			zone_needdump(zone, DNS_DUMP_DELAY);
+		}
+	}
+
+	if (zone->task != NULL) {
+		if (zone->type == dns_zone_primary) {
+			set_resigntime(zone);
+			resume_signingwithkey(zone);
+			resume_addnsec3chain(zone);
+		}
+
+		is_dynamic = dns_zone_isdynamic(zone, false);
+		if (zone->type == dns_zone_primary &&
+		    !DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_NORESIGN) &&
+		    is_dynamic && dns_db_issecure(db))
+		{
+			dns_name_t *name;
+			dns_fixedname_t fixed;
+			dns_rdataset_t next;
+
+			dns_rdataset_init(&next);
+			name = dns_fixedname_initname(&fixed);
+
+			result = dns_db_getsigningtime(db, &next, name);
+			if (result == ISC_R_SUCCESS) {
+				isc_stdtime_t timenow;
+				char namebuf[DNS_NAME_FORMATSIZE];
+				char typebuf[DNS_RDATATYPE_FORMATSIZE];
+
+				isc_stdtime_get(&timenow);
+				dns_name_format(name, namebuf, sizeof(namebuf));
+				dns_rdatatype_format(next.covers, typebuf,
+						     sizeof(typebuf));
+				dnssec_log(
+					zone, ISC_LOG_DEBUG(3),
+					"next resign: %s/%s "
+					"in %d seconds",
+					namebuf, typebuf,
+					next.resign - timenow -
+						dns_zone_getsigresigninginterval(
+							zone));
+				dns_rdataset_disassociate(&next);
+			} else {
+				dnssec_log(zone, ISC_LOG_WARNING,
+					   "signed dynamic zone has no "
+					   "resign event scheduled");
+			}
+		}
+
+		zone_settimer(zone, &now);
+	}
+
+	/*
+	 * Clear old include list.
+	 */
+	for (inc = ISC_LIST_HEAD(zone->includes); inc != NULL;
+	     inc = ISC_LIST_HEAD(zone->includes))
+	{
+		ISC_LIST_UNLINK(zone->includes, inc, link);
+		isc_mem_free(zone->mctx, inc->name);
+		isc_mem_put(zone->mctx, inc, sizeof(*inc));
+	}
+	zone->nincludes = 0;
+
+	/*
+	 * Transfer new include list.
+	 */
+	for (inc = ISC_LIST_HEAD(zone->newincludes); inc != NULL;
+	     inc = ISC_LIST_HEAD(zone->newincludes))
+	{
+		ISC_LIST_UNLINK(zone->newincludes, inc, link);
+		ISC_LIST_APPEND(zone->includes, inc, link);
+		zone->nincludes++;
+	}
+
+	if (!dns_db_ispersistent(db)) {
+		dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_INFO,
+			      "loaded serial %u%s", serial,
+			      dns_db_issecure(db) ? " (DNSSEC signed)" : "");
+	}
+
+	if (!had_db && zone->type == dns_zone_mirror) {
+		dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_INFO,
+			      "mirror zone is now in use");
+	}
+
+	zone->loadtime = loadtime;
+	goto done;
+
+cleanup:
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_rpz_disable_db(zone, db);
+		dns_zone_catz_disable_db(zone, db);
+	}
+
+	for (inc = ISC_LIST_HEAD(zone->newincludes); inc != NULL;
+	     inc = ISC_LIST_HEAD(zone->newincludes))
+	{
+		ISC_LIST_UNLINK(zone->newincludes, inc, link);
+		isc_mem_free(zone->mctx, inc->name);
+		isc_mem_put(zone->mctx, inc, sizeof(*inc));
+	}
+	if (zone->type == dns_zone_secondary || zone->type == dns_zone_mirror ||
+	    zone->type == dns_zone_stub || zone->type == dns_zone_key ||
+	    (zone->type == dns_zone_redirect && zone->masters != NULL))
+	{
+		if (result != ISC_R_NOMEMORY) {
+			if (zone->journal != NULL) {
+				zone_saveunique(zone, zone->journal,
+						"jn-XXXXXXXX");
+			}
+			if (zone->masterfile != NULL) {
+				zone_saveunique(zone, zone->masterfile,
+						"db-XXXXXXXX");
+			}
+		}
+
+		/* Mark the zone for immediate refresh. */
+		zone->refreshtime = now;
+		if (zone->task != NULL) {
+			zone_settimer(zone, &now);
+		}
+		result = ISC_R_SUCCESS;
+	} else if (zone->type == dns_zone_primary ||
+		   zone->type == dns_zone_redirect)
+	{
+		if (!(inline_secure(zone) && result == ISC_R_FILENOTFOUND)) {
+			dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
+				      ISC_LOG_ERROR,
+				      "not loaded due to errors.");
+		} else if (zone->type == dns_zone_primary) {
+			result = ISC_R_SUCCESS;
+		}
+	}
+
+done:
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_LOADPENDING);
+	/*
+	 * If this is an inline-signed zone and we were called for the raw
+	 * zone, we need to clear DNS_ZONEFLG_LOADPENDING for the secure zone
+	 * as well, but only if this is a reload, not an initial zone load: in
+	 * the former case, zone_postload() will not be run for the secure
+	 * zone; in the latter case, it will be.  Check which case we are
+	 * dealing with by consulting the DNS_ZONEFLG_LOADED flag for the
+	 * secure zone: if it is set, this must be a reload.
+	 */
+	if (inline_raw(zone) && DNS_ZONE_FLAG(zone->secure, DNS_ZONEFLG_LOADED))
+	{
+		DNS_ZONE_CLRFLAG(zone->secure, DNS_ZONEFLG_LOADPENDING);
+		/*
+		 * Re-start zone maintenance if it had been stalled
+		 * due to DNS_ZONEFLG_LOADPENDING being set when
+		 * zone_maintenance was called.
+		 */
+		if (zone->secure->task != NULL) {
+			zone_settimer(zone->secure, &now);
+		}
+	}
+
+	zone_debuglog(zone, "zone_postload", 99, "done");
+
+	return (result);
+}
+
+static bool
+exit_check(dns_zone_t *zone) {
+	REQUIRE(LOCKED_ZONE(zone));
+
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SHUTDOWN) &&
+	    isc_refcount_current(&zone->irefs) == 0)
+	{
+		/*
+		 * DNS_ZONEFLG_SHUTDOWN can only be set if erefs == 0.
+		 */
+		INSIST(isc_refcount_current(&zone->erefs) == 0);
+		return (true);
+	}
+	return (false);
+}
+
+static bool
+zone_check_ns(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
+	      dns_name_t *name, bool logit) {
+	isc_result_t result;
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char altbuf[DNS_NAME_FORMATSIZE];
+	dns_fixedname_t fixed;
+	dns_name_t *foundname;
+	int level;
+
+	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_NOCHECKNS)) {
+		return (true);
+	}
+
+	if (zone->type == dns_zone_primary) {
+		level = ISC_LOG_ERROR;
+	} else {
+		level = ISC_LOG_WARNING;
+	}
+
+	foundname = dns_fixedname_initname(&fixed);
+
+	result = dns_db_find(db, name, version, dns_rdatatype_a, 0, 0, NULL,
+			     foundname, NULL, NULL);
+	if (result == ISC_R_SUCCESS) {
+		return (true);
+	}
+
+	if (result == DNS_R_NXRRSET) {
+		result = dns_db_find(db, name, version, dns_rdatatype_aaaa, 0,
+				     0, NULL, foundname, NULL, NULL);
+		if (result == ISC_R_SUCCESS) {
+			return (true);
+		}
+	}
+
+	if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN ||
+	    result == DNS_R_EMPTYNAME)
+	{
+		if (logit) {
+			dns_name_format(name, namebuf, sizeof namebuf);
+			dns_zone_log(zone, level,
+				     "NS '%s' has no address "
+				     "records (A or AAAA)",
+				     namebuf);
+		}
+		return (false);
+	}
+
+	if (result == DNS_R_CNAME) {
+		if (logit) {
+			dns_name_format(name, namebuf, sizeof namebuf);
+			dns_zone_log(zone, level,
+				     "NS '%s' is a CNAME "
+				     "(illegal)",
+				     namebuf);
+		}
+		return (false);
+	}
+
+	if (result == DNS_R_DNAME) {
+		if (logit) {
+			dns_name_format(name, namebuf, sizeof namebuf);
+			dns_name_format(foundname, altbuf, sizeof altbuf);
+			dns_zone_log(zone, level,
+				     "NS '%s' is below a DNAME "
+				     "'%s' (illegal)",
+				     namebuf, altbuf);
+		}
+		return (false);
+	}
+
+	return (true);
+}
+
+static isc_result_t
+zone_count_ns_rr(dns_zone_t *zone, dns_db_t *db, dns_dbnode_t *node,
+		 dns_dbversion_t *version, unsigned int *nscount,
+		 unsigned int *errors, bool logit) {
+	isc_result_t result;
+	unsigned int count = 0;
+	unsigned int ecount = 0;
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata;
+	dns_rdata_ns_t ns;
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(db, node, version, dns_rdatatype_ns,
+				     dns_rdatatype_none, 0, &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
+		goto success;
+	}
+	if (result != ISC_R_SUCCESS) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
+		goto invalidate_rdataset;
+	}
+
+	result = dns_rdataset_first(&rdataset);
+	while (result == ISC_R_SUCCESS) {
+		if (errors != NULL && zone->rdclass == dns_rdataclass_in &&
+		    (zone->type == dns_zone_primary ||
+		     zone->type == dns_zone_secondary ||
+		     zone->type == dns_zone_mirror))
+		{
+			dns_rdata_init(&rdata);
+			dns_rdataset_current(&rdataset, &rdata);
+			result = dns_rdata_tostruct(&rdata, &ns, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			if (dns_name_issubdomain(&ns.name, &zone->origin) &&
+			    !zone_check_ns(zone, db, version, &ns.name, logit))
+			{
+				ecount++;
+			}
+		}
+		count++;
+		result = dns_rdataset_next(&rdataset);
+	}
+	dns_rdataset_disassociate(&rdataset);
+
+success:
+	if (nscount != NULL) {
+		*nscount = count;
+	}
+	if (errors != NULL) {
+		*errors = ecount;
+	}
+
+	result = ISC_R_SUCCESS;
+
+invalidate_rdataset:
+	dns_rdataset_invalidate(&rdataset);
+
+	return (result);
+}
+
+#define SET_IF_NOT_NULL(obj, val) \
+	if (obj != NULL) {        \
+		*obj = val;       \
+	}
+
+#define SET_SOA_VALUES(soattl_v, serial_v, refresh_v, retry_v, expire_v, \
+		       minimum_v)                                        \
+	{                                                                \
+		SET_IF_NOT_NULL(soattl, soattl_v);                       \
+		SET_IF_NOT_NULL(serial, serial_v);                       \
+		SET_IF_NOT_NULL(refresh, refresh_v);                     \
+		SET_IF_NOT_NULL(retry, retry_v);                         \
+		SET_IF_NOT_NULL(expire, expire_v);                       \
+		SET_IF_NOT_NULL(minimum, minimum_v);                     \
+	}
+
+#define CLR_SOA_VALUES()                          \
+	{                                         \
+		SET_SOA_VALUES(0, 0, 0, 0, 0, 0); \
+	}
+
+static isc_result_t
+zone_load_soa_rr(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+		 unsigned int *soacount, uint32_t *soattl, uint32_t *serial,
+		 uint32_t *refresh, uint32_t *retry, uint32_t *expire,
+		 uint32_t *minimum) {
+	isc_result_t result;
+	unsigned int count = 0;
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(db, node, version, dns_rdatatype_soa,
+				     dns_rdatatype_none, 0, &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
+		result = ISC_R_SUCCESS;
+		goto invalidate_rdataset;
+	}
+	if (result != ISC_R_SUCCESS) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
+		goto invalidate_rdataset;
+	}
+
+	result = dns_rdataset_first(&rdataset);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdata_init(&rdata);
+		dns_rdataset_current(&rdataset, &rdata);
+		count++;
+		if (count == 1) {
+			dns_rdata_soa_t soa;
+			result = dns_rdata_tostruct(&rdata, &soa, NULL);
+			SET_SOA_VALUES(rdataset.ttl, soa.serial, soa.refresh,
+				       soa.retry, soa.expire, soa.minimum);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		}
+
+		result = dns_rdataset_next(&rdataset);
+		dns_rdata_reset(&rdata);
+	}
+	dns_rdataset_disassociate(&rdataset);
+
+	result = ISC_R_SUCCESS;
+
+invalidate_rdataset:
+	SET_IF_NOT_NULL(soacount, count);
+	if (count == 0) {
+		CLR_SOA_VALUES();
+	}
+
+	dns_rdataset_invalidate(&rdataset);
+
+	return (result);
+}
+
+/*
+ * zone must be locked.
+ */
+static isc_result_t
+zone_get_from_db(dns_zone_t *zone, dns_db_t *db, unsigned int *nscount,
+		 unsigned int *soacount, uint32_t *soattl, uint32_t *serial,
+		 uint32_t *refresh, uint32_t *retry, uint32_t *expire,
+		 uint32_t *minimum, unsigned int *errors) {
+	isc_result_t result;
+	isc_result_t answer = ISC_R_SUCCESS;
+	dns_dbversion_t *version = NULL;
+	dns_dbnode_t *node;
+
+	REQUIRE(db != NULL);
+	REQUIRE(zone != NULL);
+
+	dns_db_currentversion(db, &version);
+
+	SET_IF_NOT_NULL(nscount, 0);
+	SET_IF_NOT_NULL(soacount, 0);
+	SET_IF_NOT_NULL(errors, 0);
+	CLR_SOA_VALUES();
+
+	node = NULL;
+	result = dns_db_findnode(db, &zone->origin, false, &node);
+	if (result != ISC_R_SUCCESS) {
+		answer = result;
+		goto closeversion;
+	}
+
+	if (nscount != NULL || errors != NULL) {
+		result = zone_count_ns_rr(zone, db, node, version, nscount,
+					  errors, true);
+		if (result != ISC_R_SUCCESS) {
+			answer = result;
+		}
+	}
+
+	if (soacount != NULL || soattl != NULL || serial != NULL ||
+	    refresh != NULL || retry != NULL || expire != NULL ||
+	    minimum != NULL)
+	{
+		result = zone_load_soa_rr(db, node, version, soacount, soattl,
+					  serial, refresh, retry, expire,
+					  minimum);
+		if (result != ISC_R_SUCCESS) {
+			answer = result;
+		}
+	}
+
+	dns_db_detachnode(db, &node);
+closeversion:
+	dns_db_closeversion(db, &version, false);
+
+	return (answer);
+}
+
+void
+dns_zone_attach(dns_zone_t *source, dns_zone_t **target) {
+	REQUIRE(DNS_ZONE_VALID(source));
+	REQUIRE(target != NULL && *target == NULL);
+	isc_refcount_increment(&source->erefs);
+	*target = source;
+}
+
+void
+dns_zone_detach(dns_zone_t **zonep) {
+	REQUIRE(zonep != NULL && DNS_ZONE_VALID(*zonep));
+
+	dns_zone_t *zone = *zonep;
+	*zonep = NULL;
+
+	if (isc_refcount_decrement(&zone->erefs) == 1) {
+		isc_event_t *ev = &zone->ctlevent;
+
+		isc_refcount_destroy(&zone->erefs);
+
+		/*
+		 * Stop things being restarted after we cancel them below.
+		 */
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_EXITING);
+		dns_zone_log(zone, ISC_LOG_DEBUG(1),
+			     "final reference detached");
+		if (zone->task != NULL) {
+			/*
+			 * This zone has a task; it can clean
+			 * itself up asynchronously.
+			 */
+			isc_task_send(zone->task, &ev);
+			return;
+		}
+
+		/*
+		 * This zone is unmanaged; we're probably running in
+		 * named-checkzone or a unit test. There's no task,
+		 * so we need to free it immediately.
+		 *
+		 * Unmanaged zones must not have null views; we have no way
+		 * of detaching from the view here without causing deadlock
+		 * because this code is called with the view already
+		 * locked.
+		 */
+		INSIST(zone->view == NULL);
+
+		zone_shutdown(zone->task, ev);
+		ev = NULL;
+	}
+}
+
+void
+dns_zone_iattach(dns_zone_t *source, dns_zone_t **target) {
+	REQUIRE(DNS_ZONE_VALID(source));
+
+	LOCK_ZONE(source);
+	zone_iattach(source, target);
+	UNLOCK_ZONE(source);
+}
+
+static void
+zone_iattach(dns_zone_t *source, dns_zone_t **target) {
+	REQUIRE(DNS_ZONE_VALID(source));
+	REQUIRE(LOCKED_ZONE(source));
+	REQUIRE(target != NULL && *target == NULL);
+	INSIST(isc_refcount_increment0(&source->irefs) +
+		       isc_refcount_current(&source->erefs) >
+	       0);
+	*target = source;
+}
+
+static void
+zone_idetach(dns_zone_t **zonep) {
+	dns_zone_t *zone;
+
+	/*
+	 * 'zone' locked by caller.
+	 */
+	REQUIRE(zonep != NULL && DNS_ZONE_VALID(*zonep));
+	REQUIRE(LOCKED_ZONE(*zonep));
+
+	zone = *zonep;
+	*zonep = NULL;
+
+	INSIST(isc_refcount_decrement(&zone->irefs) - 1 +
+		       isc_refcount_current(&zone->erefs) >
+	       0);
+}
+
+void
+dns_zone_idetach(dns_zone_t **zonep) {
+	dns_zone_t *zone;
+
+	REQUIRE(zonep != NULL && DNS_ZONE_VALID(*zonep));
+
+	zone = *zonep;
+	*zonep = NULL;
+
+	if (isc_refcount_decrement(&zone->irefs) == 1) {
+		bool free_needed;
+		LOCK_ZONE(zone);
+		free_needed = exit_check(zone);
+		UNLOCK_ZONE(zone);
+		if (free_needed) {
+			zone_free(zone);
+		}
+	}
+}
+
+isc_mem_t *
+dns_zone_getmctx(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->mctx);
+}
+
+dns_zonemgr_t *
+dns_zone_getmgr(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->zmgr);
+}
+
+void
+dns_zone_setkasp(dns_zone_t *zone, dns_kasp_t *kasp) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->kasp != NULL) {
+		dns_kasp_detach(&zone->kasp);
+	}
+	if (kasp != NULL) {
+		dns_kasp_attach(kasp, &zone->kasp);
+	}
+	UNLOCK_ZONE(zone);
+}
+
+dns_kasp_t *
+dns_zone_getkasp(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->kasp);
+}
+
+void
+dns_zone_setoption(dns_zone_t *zone, dns_zoneopt_t option, bool value) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	if (value) {
+		DNS_ZONE_SETOPTION(zone, option);
+	} else {
+		DNS_ZONE_CLROPTION(zone, option);
+	}
+}
+
+dns_zoneopt_t
+dns_zone_getoptions(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (atomic_load_relaxed(&zone->options));
+}
+
+void
+dns_zone_setkeyopt(dns_zone_t *zone, unsigned int keyopt, bool value) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	if (value) {
+		DNS_ZONEKEY_SETOPTION(zone, keyopt);
+	} else {
+		DNS_ZONEKEY_CLROPTION(zone, keyopt);
+	}
+}
+
+unsigned int
+dns_zone_getkeyopts(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (atomic_load_relaxed(&zone->keyopts));
+}
+
+isc_result_t
+dns_zone_setxfrsource4(dns_zone_t *zone, const isc_sockaddr_t *xfrsource) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone->xfrsource4 = *xfrsource;
+	UNLOCK_ZONE(zone);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_sockaddr_t *
+dns_zone_getxfrsource4(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (&zone->xfrsource4);
+}
+
+isc_result_t
+dns_zone_setxfrsource4dscp(dns_zone_t *zone, isc_dscp_t dscp) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone->xfrsource4dscp = dscp;
+	UNLOCK_ZONE(zone);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_dscp_t
+dns_zone_getxfrsource4dscp(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (zone->xfrsource4dscp);
+}
+
+isc_result_t
+dns_zone_setxfrsource6(dns_zone_t *zone, const isc_sockaddr_t *xfrsource) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone->xfrsource6 = *xfrsource;
+	UNLOCK_ZONE(zone);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_sockaddr_t *
+dns_zone_getxfrsource6(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (&zone->xfrsource6);
+}
+
+isc_dscp_t
+dns_zone_getxfrsource6dscp(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (zone->xfrsource6dscp);
+}
+
+isc_result_t
+dns_zone_setxfrsource6dscp(dns_zone_t *zone, isc_dscp_t dscp) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone->xfrsource6dscp = dscp;
+	UNLOCK_ZONE(zone);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_zone_setaltxfrsource4(dns_zone_t *zone,
+			  const isc_sockaddr_t *altxfrsource) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone->altxfrsource4 = *altxfrsource;
+	UNLOCK_ZONE(zone);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_sockaddr_t *
+dns_zone_getaltxfrsource4(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (&zone->altxfrsource4);
+}
+
+isc_result_t
+dns_zone_setaltxfrsource4dscp(dns_zone_t *zone, isc_dscp_t dscp) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone->altxfrsource4dscp = dscp;
+	UNLOCK_ZONE(zone);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_dscp_t
+dns_zone_getaltxfrsource4dscp(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (zone->altxfrsource4dscp);
+}
+
+isc_result_t
+dns_zone_setaltxfrsource6(dns_zone_t *zone,
+			  const isc_sockaddr_t *altxfrsource) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone->altxfrsource6 = *altxfrsource;
+	UNLOCK_ZONE(zone);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_sockaddr_t *
+dns_zone_getaltxfrsource6(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (&zone->altxfrsource6);
+}
+
+isc_result_t
+dns_zone_setaltxfrsource6dscp(dns_zone_t *zone, isc_dscp_t dscp) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone->altxfrsource6dscp = dscp;
+	UNLOCK_ZONE(zone);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_dscp_t
+dns_zone_getaltxfrsource6dscp(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (zone->altxfrsource6dscp);
+}
+
+isc_result_t
+dns_zone_setparentalsrc4(dns_zone_t *zone, const isc_sockaddr_t *parentalsrc) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone->parentalsrc4 = *parentalsrc;
+	UNLOCK_ZONE(zone);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_sockaddr_t *
+dns_zone_getparentalsrc4(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (&zone->parentalsrc4);
+}
+
+isc_result_t
+dns_zone_setparentalsrc4dscp(dns_zone_t *zone, isc_dscp_t dscp) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone->parentalsrc4dscp = dscp;
+	UNLOCK_ZONE(zone);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_dscp_t
+dns_zone_getparentalsrc4dscp(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (zone->parentalsrc4dscp);
+}
+
+isc_result_t
+dns_zone_setparentalsrc6(dns_zone_t *zone, const isc_sockaddr_t *parentalsrc) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone->parentalsrc6 = *parentalsrc;
+	UNLOCK_ZONE(zone);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_sockaddr_t *
+dns_zone_getparentalsrc6(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (&zone->parentalsrc6);
+}
+
+isc_result_t
+dns_zone_setparentalsrc6dscp(dns_zone_t *zone, isc_dscp_t dscp) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone->parentalsrc6dscp = dscp;
+	UNLOCK_ZONE(zone);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_dscp_t
+dns_zone_getparentalsrc6dscp(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (zone->parentalsrc6dscp);
+}
+
+isc_result_t
+dns_zone_setnotifysrc4(dns_zone_t *zone, const isc_sockaddr_t *notifysrc) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone->notifysrc4 = *notifysrc;
+	UNLOCK_ZONE(zone);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_sockaddr_t *
+dns_zone_getnotifysrc4(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (&zone->notifysrc4);
+}
+
+isc_result_t
+dns_zone_setnotifysrc4dscp(dns_zone_t *zone, isc_dscp_t dscp) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone->notifysrc4dscp = dscp;
+	UNLOCK_ZONE(zone);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_dscp_t
+dns_zone_getnotifysrc4dscp(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (zone->notifysrc4dscp);
+}
+
+isc_result_t
+dns_zone_setnotifysrc6(dns_zone_t *zone, const isc_sockaddr_t *notifysrc) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone->notifysrc6 = *notifysrc;
+	UNLOCK_ZONE(zone);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_sockaddr_t *
+dns_zone_getnotifysrc6(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (&zone->notifysrc6);
+}
+
+isc_result_t
+dns_zone_setnotifysrc6dscp(dns_zone_t *zone, isc_dscp_t dscp) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone->notifysrc6dscp = dscp;
+	UNLOCK_ZONE(zone);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_dscp_t
+dns_zone_getnotifysrc6dscp(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (zone->notifysrc6dscp);
+}
+
+static bool
+same_addrs(isc_sockaddr_t const *oldlist, isc_sockaddr_t const *newlist,
+	   uint32_t count) {
+	unsigned int i;
+
+	for (i = 0; i < count; i++) {
+		if (!isc_sockaddr_equal(&oldlist[i], &newlist[i])) {
+			return (false);
+		}
+	}
+	return (true);
+}
+
+static bool
+same_keynames(dns_name_t *const *oldlist, dns_name_t *const *newlist,
+	      uint32_t count) {
+	unsigned int i;
+
+	if (oldlist == NULL && newlist == NULL) {
+		return (true);
+	}
+	if (oldlist == NULL || newlist == NULL) {
+		return (false);
+	}
+
+	for (i = 0; i < count; i++) {
+		if (oldlist[i] == NULL && newlist[i] == NULL) {
+			continue;
+		}
+		if (oldlist[i] == NULL || newlist[i] == NULL ||
+		    !dns_name_equal(oldlist[i], newlist[i]))
+		{
+			return (false);
+		}
+	}
+	return (true);
+}
+
+static void
+clear_serverslist(isc_sockaddr_t **addrsp, isc_dscp_t **dscpsp,
+		  dns_name_t ***keynamesp, unsigned int *countp,
+		  isc_mem_t *mctx) {
+	unsigned int count;
+	isc_sockaddr_t *addrs;
+	isc_dscp_t *dscps;
+	dns_name_t **keynames;
+
+	REQUIRE(countp != NULL && addrsp != NULL && dscpsp != NULL &&
+		keynamesp != NULL);
+
+	count = *countp;
+	*countp = 0;
+	addrs = *addrsp;
+	*addrsp = NULL;
+	dscps = *dscpsp;
+	*dscpsp = NULL;
+	keynames = *keynamesp;
+	*keynamesp = NULL;
+
+	if (addrs != NULL) {
+		isc_mem_put(mctx, addrs, count * sizeof(isc_sockaddr_t));
+	}
+
+	if (dscps != NULL) {
+		isc_mem_put(mctx, dscps, count * sizeof(isc_dscp_t));
+	}
+
+	if (keynames != NULL) {
+		unsigned int i;
+		for (i = 0; i < count; i++) {
+			if (keynames[i] != NULL) {
+				dns_name_free(keynames[i], mctx);
+				isc_mem_put(mctx, keynames[i],
+					    sizeof(dns_name_t));
+				keynames[i] = NULL;
+			}
+		}
+		isc_mem_put(mctx, keynames, count * sizeof(dns_name_t *));
+	}
+}
+
+static isc_result_t
+set_serverslist(unsigned int count, const isc_sockaddr_t *addrs,
+		isc_sockaddr_t **newaddrsp, const isc_dscp_t *dscp,
+		isc_dscp_t **newdscpp, dns_name_t **names,
+		dns_name_t ***newnamesp, isc_mem_t *mctx) {
+	isc_sockaddr_t *newaddrs = NULL;
+	isc_dscp_t *newdscp = NULL;
+	dns_name_t **newnames = NULL;
+	unsigned int i;
+
+	REQUIRE(newaddrsp != NULL && *newaddrsp == NULL);
+	REQUIRE(newdscpp != NULL && *newdscpp == NULL);
+	REQUIRE(newnamesp != NULL && *newnamesp == NULL);
+
+	newaddrs = isc_mem_get(mctx, count * sizeof(*newaddrs));
+	memmove(newaddrs, addrs, count * sizeof(*newaddrs));
+
+	if (dscp != NULL) {
+		newdscp = isc_mem_get(mctx, count * sizeof(*newdscp));
+		memmove(newdscp, dscp, count * sizeof(*newdscp));
+	} else {
+		newdscp = NULL;
+	}
+
+	if (names != NULL) {
+		newnames = isc_mem_get(mctx, count * sizeof(*newnames));
+		for (i = 0; i < count; i++) {
+			newnames[i] = NULL;
+		}
+		for (i = 0; i < count; i++) {
+			if (names[i] != NULL) {
+				newnames[i] = isc_mem_get(mctx,
+							  sizeof(dns_name_t));
+				dns_name_init(newnames[i], NULL);
+				dns_name_dup(names[i], mctx, newnames[i]);
+			}
+		}
+	} else {
+		newnames = NULL;
+	}
+
+	*newdscpp = newdscp;
+	*newaddrsp = newaddrs;
+	*newnamesp = newnames;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_zone_setalsonotify(dns_zone_t *zone, const isc_sockaddr_t *notify,
+		       uint32_t count) {
+	return (dns_zone_setalsonotifydscpkeys(zone, notify, NULL, NULL,
+					       count));
+}
+
+isc_result_t
+dns_zone_setalsonotifywithkeys(dns_zone_t *zone, const isc_sockaddr_t *notify,
+			       dns_name_t **keynames, uint32_t count) {
+	return (dns_zone_setalsonotifydscpkeys(zone, notify, NULL, keynames,
+					       count));
+}
+
+isc_result_t
+dns_zone_setalsonotifydscpkeys(dns_zone_t *zone, const isc_sockaddr_t *notify,
+			       const isc_dscp_t *dscps, dns_name_t **keynames,
+			       uint32_t count) {
+	isc_result_t result;
+	isc_sockaddr_t *newaddrs = NULL;
+	isc_dscp_t *newdscps = NULL;
+	dns_name_t **newnames = NULL;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(count == 0 || notify != NULL);
+	if (keynames != NULL) {
+		REQUIRE(count != 0);
+	}
+
+	LOCK_ZONE(zone);
+
+	if (count == zone->notifycnt &&
+	    same_addrs(zone->notify, notify, count) &&
+	    same_keynames(zone->notifykeynames, keynames, count))
+	{
+		goto unlock;
+	}
+
+	clear_serverslist(&zone->notify, &zone->notifydscp,
+			  &zone->notifykeynames, &zone->notifycnt, zone->mctx);
+
+	if (count == 0) {
+		goto unlock;
+	}
+
+	/*
+	 * Set up the notify and notifykey lists
+	 */
+	result = set_serverslist(count, notify, &newaddrs, dscps, &newdscps,
+				 keynames, &newnames, zone->mctx);
+	if (result != ISC_R_SUCCESS) {
+		goto unlock;
+	}
+
+	/*
+	 * Everything is ok so attach to the zone.
+	 */
+	zone->notify = newaddrs;
+	zone->notifydscp = newdscps;
+	zone->notifykeynames = newnames;
+	zone->notifycnt = count;
+unlock:
+	UNLOCK_ZONE(zone);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_zone_setprimaries(dns_zone_t *zone, const isc_sockaddr_t *masters,
+		      uint32_t count) {
+	isc_result_t result;
+
+	result = dns_zone_setprimarieswithkeys(zone, masters, NULL, count);
+	return (result);
+}
+
+isc_result_t
+dns_zone_setprimarieswithkeys(dns_zone_t *zone, const isc_sockaddr_t *masters,
+			      dns_name_t **keynames, uint32_t count) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_sockaddr_t *newaddrs = NULL;
+	isc_dscp_t *newdscps = NULL;
+	dns_name_t **newnames = NULL;
+	bool *newok;
+	unsigned int i;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(count == 0 || masters != NULL);
+	if (keynames != NULL) {
+		REQUIRE(count != 0);
+	}
+
+	LOCK_ZONE(zone);
+	/*
+	 * The refresh code assumes that 'primaries' wouldn't change under it.
+	 * If it will change then kill off any current refresh in progress
+	 * and update the primaries info.  If it won't change then we can just
+	 * unlock and exit.
+	 */
+	if (count != zone->masterscnt ||
+	    !same_addrs(zone->masters, masters, count) ||
+	    !same_keynames(zone->masterkeynames, keynames, count))
+	{
+		if (zone->request != NULL) {
+			dns_request_cancel(zone->request);
+		}
+	} else {
+		goto unlock;
+	}
+
+	/*
+	 * This needs to happen before clear_addresskeylist() sets
+	 * zone->masterscnt to 0:
+	 */
+	if (zone->mastersok != NULL) {
+		isc_mem_put(zone->mctx, zone->mastersok,
+			    zone->masterscnt * sizeof(bool));
+		zone->mastersok = NULL;
+	}
+	clear_serverslist(&zone->masters, &zone->masterdscps,
+			  &zone->masterkeynames, &zone->masterscnt, zone->mctx);
+	/*
+	 * If count == 0, don't allocate any space for masters, mastersok or
+	 * keynames so internally, those pointers are NULL if count == 0
+	 */
+	if (count == 0) {
+		goto unlock;
+	}
+
+	/*
+	 * mastersok must contain count elements
+	 */
+	newok = isc_mem_get(zone->mctx, count * sizeof(*newok));
+	for (i = 0; i < count; i++) {
+		newok[i] = false;
+	}
+
+	/*
+	 * Now set up the primaries and primary key lists
+	 */
+	result = set_serverslist(count, masters, &newaddrs, NULL, &newdscps,
+				 keynames, &newnames, zone->mctx);
+	INSIST(newdscps == NULL);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(zone->mctx, newok, count * sizeof(*newok));
+		goto unlock;
+	}
+
+	/*
+	 * Everything is ok so attach to the zone.
+	 */
+	zone->curmaster = 0;
+	zone->mastersok = newok;
+	zone->masters = newaddrs;
+	zone->masterdscps = newdscps;
+	zone->masterkeynames = newnames;
+	zone->masterscnt = count;
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOMASTERS);
+
+unlock:
+	UNLOCK_ZONE(zone);
+	return (result);
+}
+
+isc_result_t
+dns_zone_setparentals(dns_zone_t *zone, const isc_sockaddr_t *parentals,
+		      dns_name_t **keynames, uint32_t count) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_sockaddr_t *newaddrs = NULL;
+	isc_dscp_t *newdscps = NULL;
+	dns_name_t **newkeynames = NULL;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(count == 0 || parentals != NULL);
+	if (keynames != NULL) {
+		REQUIRE(count != 0);
+	}
+
+	LOCK_ZONE(zone);
+
+	clear_serverslist(&zone->parentals, &zone->parentaldscps,
+			  &zone->parentalkeynames, &zone->parentalscnt,
+			  zone->mctx);
+	/*
+	 * If count == 0, don't allocate any space for parentals, or keynames
+	 * so internally, those pointers are NULL if count == 0
+	 */
+	if (count == 0) {
+		goto unlock;
+	}
+
+	/*
+	 * Now set up the parentals and parental key lists
+	 */
+	result = set_serverslist(count, parentals, &newaddrs, NULL, &newdscps,
+				 keynames, &newkeynames, zone->mctx);
+	INSIST(newdscps == NULL);
+	if (result != ISC_R_SUCCESS) {
+		goto unlock;
+	}
+
+	/*
+	 * Everything is ok so attach to the zone.
+	 */
+	zone->parentals = newaddrs;
+	zone->parentaldscps = newdscps;
+	zone->parentalkeynames = newkeynames;
+	zone->parentalscnt = count;
+
+	dns_zone_log(zone, ISC_LOG_NOTICE, "checkds: set %u parentals", count);
+
+unlock:
+	UNLOCK_ZONE(zone);
+	return (result);
+}
+
+isc_result_t
+dns_zone_getdb(dns_zone_t *zone, dns_db_t **dpb) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zone->db == NULL) {
+		result = DNS_R_NOTLOADED;
+	} else {
+		dns_db_attach(zone->db, dpb);
+	}
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+
+	return (result);
+}
+
+void
+dns_zone_setdb(dns_zone_t *zone, dns_db_t *db) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(zone->type == dns_zone_staticstub);
+
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
+	REQUIRE(zone->db == NULL);
+	dns_db_attach(db, &zone->db);
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
+}
+
+/*
+ * Coordinates the starting of routine jobs.
+ */
+void
+dns_zone_maintenance(dns_zone_t *zone) {
+	const char me[] = "dns_zone_maintenance";
+	isc_time_t now;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	ENTER;
+
+	LOCK_ZONE(zone);
+	TIME_NOW(&now);
+	zone_settimer(zone, &now);
+	UNLOCK_ZONE(zone);
+}
+
+static bool
+was_dumping(dns_zone_t *zone) {
+	REQUIRE(LOCKED_ZONE(zone));
+
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING)) {
+		return (true);
+	}
+
+	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DUMPING);
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
+	isc_time_settoepoch(&zone->dumptime);
+	return (false);
+}
+
+/*%
+ * Find up to 'maxkeys' DNSSEC keys used for signing version 'ver' of database
+ * 'db' for zone 'zone' in its key directory, then load these keys into 'keys'.
+ * Only load the public part of a given key if it is not active at timestamp
+ * 'now'.  Store the number of keys found in 'nkeys'.
+ */
+isc_result_t
+dns__zone_findkeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
+		   isc_stdtime_t now, isc_mem_t *mctx, unsigned int maxkeys,
+		   dst_key_t **keys, unsigned int *nkeys) {
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	const char *directory = dns_zone_getkeydirectory(zone);
+
+	CHECK(dns_db_findnode(db, dns_db_origin(db), false, &node));
+	memset(keys, 0, sizeof(*keys) * maxkeys);
+
+	dns_zone_lock_keyfiles(zone);
+
+	result = dns_dnssec_findzonekeys(db, ver, node, dns_db_origin(db),
+					 directory, now, mctx, maxkeys, keys,
+					 nkeys);
+
+	dns_zone_unlock_keyfiles(zone);
+
+	if (result == ISC_R_NOTFOUND) {
+		result = ISC_R_SUCCESS;
+	}
+
+failure:
+
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+	return (result);
+}
+
+/*%
+ * Find DNSSEC keys used for signing zone with dnssec-policy. Load these keys
+ * into 'keys'. Requires KASP to be locked.
+ */
+isc_result_t
+dns_zone_getdnsseckeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
+		       isc_stdtime_t now, dns_dnsseckeylist_t *keys) {
+	isc_result_t result;
+	const char *dir = dns_zone_getkeydirectory(zone);
+	dns_dbnode_t *node = NULL;
+	dns_dnsseckey_t *key, *key_next;
+	dns_dnsseckeylist_t dnskeys;
+	dns_name_t *origin = dns_zone_getorigin(zone);
+	dns_kasp_t *kasp = dns_zone_getkasp(zone);
+	dns_rdataset_t keyset;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(kasp != NULL);
+
+	ISC_LIST_INIT(dnskeys);
+
+	dns_rdataset_init(&keyset);
+
+	CHECK(dns_db_findnode(db, origin, false, &node));
+
+	/* Get keys from private key files. */
+	dns_zone_lock_keyfiles(zone);
+	result = dns_dnssec_findmatchingkeys(origin, dir, now,
+					     dns_zone_getmctx(zone), keys);
+	dns_zone_unlock_keyfiles(zone);
+
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
+		goto failure;
+	}
+
+	/* Get public keys (dnskeys). */
+	dns_rdataset_init(&keyset);
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey,
+				     dns_rdatatype_none, 0, &keyset, NULL);
+	if (result == ISC_R_SUCCESS) {
+		CHECK(dns_dnssec_keylistfromrdataset(
+			origin, dir, dns_zone_getmctx(zone), &keyset, NULL,
+			NULL, false, false, &dnskeys));
+	} else if (result != ISC_R_NOTFOUND) {
+		CHECK(result);
+	}
+
+	/* Add new 'dnskeys' to 'keys'. */
+	for (dns_dnsseckey_t *k1 = ISC_LIST_HEAD(dnskeys); k1 != NULL;
+	     k1 = key_next)
+	{
+		dns_dnsseckey_t *k2 = NULL;
+		key_next = ISC_LIST_NEXT(k1, link);
+
+		for (k2 = ISC_LIST_HEAD(*keys); k2 != NULL;
+		     k2 = ISC_LIST_NEXT(k2, link))
+		{
+			if (dst_key_compare(k1->key, k2->key)) {
+				break;
+			}
+		}
+		/* No match found, add the new key. */
+		if (k2 == NULL) {
+			ISC_LIST_UNLINK(dnskeys, k1, link);
+			ISC_LIST_APPEND(*keys, k1, link);
+		}
+	}
+
+failure:
+	if (dns_rdataset_isassociated(&keyset)) {
+		dns_rdataset_disassociate(&keyset);
+	}
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+	while (!ISC_LIST_EMPTY(dnskeys)) {
+		key = ISC_LIST_HEAD(dnskeys);
+		ISC_LIST_UNLINK(dnskeys, key, link);
+		dns_dnsseckey_destroy(dns_zone_getmctx(zone), &key);
+	}
+	return (result);
+}
+
+static isc_result_t
+offline(dns_db_t *db, dns_dbversion_t *ver, dns__zonediff_t *zonediff,
+	dns_name_t *name, dns_ttl_t ttl, dns_rdata_t *rdata) {
+	isc_result_t result;
+
+	if ((rdata->flags & DNS_RDATA_OFFLINE) != 0) {
+		return (ISC_R_SUCCESS);
+	}
+	result = update_one_rr(db, ver, zonediff->diff, DNS_DIFFOP_DELRESIGN,
+			       name, ttl, rdata);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	rdata->flags |= DNS_RDATA_OFFLINE;
+	result = update_one_rr(db, ver, zonediff->diff, DNS_DIFFOP_ADDRESIGN,
+			       name, ttl, rdata);
+	zonediff->offline = true;
+	return (result);
+}
+
+static void
+set_key_expiry_warning(dns_zone_t *zone, isc_stdtime_t when,
+		       isc_stdtime_t now) {
+	unsigned int delta;
+	char timebuf[80];
+
+	LOCK_ZONE(zone);
+	zone->key_expiry = when;
+	if (when <= now) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "DNSKEY RRSIG(s) have expired");
+		isc_time_settoepoch(&zone->keywarntime);
+	} else if (when < now + 7 * 24 * 3600) {
+		isc_time_t t;
+		isc_time_set(&t, when, 0);
+		isc_time_formattimestamp(&t, timebuf, 80);
+		dns_zone_log(zone, ISC_LOG_WARNING,
+			     "DNSKEY RRSIG(s) will expire within 7 days: %s",
+			     timebuf);
+		delta = when - now;
+		delta--;	    /* loop prevention */
+		delta /= 24 * 3600; /* to whole days */
+		delta *= 24 * 3600; /* to seconds */
+		isc_time_set(&zone->keywarntime, when - delta, 0);
+	} else {
+		isc_time_set(&zone->keywarntime, when - 7 * 24 * 3600, 0);
+		isc_time_formattimestamp(&zone->keywarntime, timebuf, 80);
+		dns_zone_log(zone, ISC_LOG_NOTICE, "setting keywarntime to %s",
+			     timebuf);
+	}
+	UNLOCK_ZONE(zone);
+}
+
+/*
+ * Helper function to del_sigs(). We don't want to delete RRSIGs that
+ * have no new key.
+ */
+static bool
+delsig_ok(dns_rdata_rrsig_t *rrsig_ptr, dst_key_t **keys, unsigned int nkeys,
+	  bool kasp, bool *warn) {
+	unsigned int i = 0;
+	isc_result_t ret;
+	bool have_ksk = false, have_zsk = false;
+	bool have_pksk = false, have_pzsk = false;
+
+	for (i = 0; i < nkeys; i++) {
+		bool ksk, zsk;
+
+		if (have_pksk && have_ksk && have_pzsk && have_zsk) {
+			break;
+		}
+
+		if (rrsig_ptr->algorithm != dst_key_alg(keys[i])) {
+			continue;
+		}
+
+		ret = dst_key_getbool(keys[i], DST_BOOL_KSK, &ksk);
+		if (ret != ISC_R_SUCCESS) {
+			ksk = KSK(keys[i]);
+		}
+		ret = dst_key_getbool(keys[i], DST_BOOL_ZSK, &zsk);
+		if (ret != ISC_R_SUCCESS) {
+			zsk = !KSK(keys[i]);
+		}
+
+		if (ksk) {
+			have_ksk = true;
+			if (dst_key_isprivate(keys[i])) {
+				have_pksk = true;
+			}
+		}
+		if (zsk) {
+			have_zsk = true;
+			if (dst_key_isprivate(keys[i])) {
+				have_pzsk = true;
+			}
+		}
+	}
+
+	if (have_zsk && have_ksk && !have_pzsk) {
+		*warn = true;
+	}
+
+	if (have_pksk && have_pzsk) {
+		return (true);
+	}
+
+	/*
+	 * Deleting the SOA RRSIG is always okay.
+	 */
+	if (rrsig_ptr->covered == dns_rdatatype_soa) {
+		return (true);
+	}
+
+	/*
+	 * It's okay to delete a signature if there is an active key with the
+	 * same algorithm to replace it, unless that violates the DNSSEC
+	 * policy.
+	 */
+	if (have_pksk || have_pzsk) {
+		if (kasp && have_pzsk) {
+			return (true);
+		}
+		return (!kasp);
+	}
+
+	/*
+	 * Failing that, it is *not* okay to delete a signature
+	 * if the associated public key is still in the DNSKEY RRset
+	 */
+	for (i = 0; i < nkeys; i++) {
+		if ((rrsig_ptr->algorithm == dst_key_alg(keys[i])) &&
+		    (rrsig_ptr->keyid == dst_key_id(keys[i])))
+		{
+			return (false);
+		}
+	}
+
+	/*
+	 * But if the key is gone, then go ahead.
+	 */
+	return (true);
+}
+
+/*
+ * Delete expired RRsigs and any RRsigs we are about to re-sign.
+ * See also update.c:del_keysigs().
+ */
+static isc_result_t
+del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+	 dns_rdatatype_t type, dns__zonediff_t *zonediff, dst_key_t **keys,
+	 unsigned int nkeys, isc_stdtime_t now, bool incremental) {
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+	unsigned int i;
+	dns_rdata_rrsig_t rrsig;
+	bool kasp = (dns_zone_getkasp(zone) != NULL);
+	bool found;
+	int64_t timewarn = 0, timemaybe = 0;
+
+	dns_rdataset_init(&rdataset);
+
+	if (type == dns_rdatatype_nsec3) {
+		result = dns_db_findnsec3node(db, name, false, &node);
+	} else {
+		result = dns_db_findnode(db, name, false, &node);
+	}
+	if (result == ISC_R_NOTFOUND) {
+		return (ISC_R_SUCCESS);
+	}
+	if (result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_rrsig, type,
+				     (isc_stdtime_t)0, &rdataset, NULL);
+	dns_db_detachnode(db, &node);
+
+	if (result == ISC_R_NOTFOUND) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
+		return (ISC_R_SUCCESS);
+	}
+	if (result != ISC_R_SUCCESS) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
+		goto failure;
+	}
+
+	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		if (type != dns_rdatatype_dnskey && type != dns_rdatatype_cds &&
+		    type != dns_rdatatype_cdnskey)
+		{
+			bool warn = false, deleted = false;
+			if (delsig_ok(&rrsig, keys, nkeys, kasp, &warn)) {
+				result = update_one_rr(db, ver, zonediff->diff,
+						       DNS_DIFFOP_DELRESIGN,
+						       name, rdataset.ttl,
+						       &rdata);
+				if (result != ISC_R_SUCCESS) {
+					break;
+				}
+				deleted = true;
+			}
+			if (warn && !deleted) {
+				/*
+				 * At this point, we've got an RRSIG,
+				 * which is signed by an inactive key.
+				 * An administrator needs to provide a new
+				 * key/alg, but until that time, we want to
+				 * keep the old RRSIG.  Marking the key as
+				 * offline will prevent us spinning waiting
+				 * for the private part.
+				 */
+				if (incremental) {
+					result = offline(db, ver, zonediff,
+							 name, rdataset.ttl,
+							 &rdata);
+					if (result != ISC_R_SUCCESS) {
+						break;
+					}
+				}
+
+				/*
+				 * Log the key id and algorithm of
+				 * the inactive key with no replacement
+				 */
+				if (zone->log_key_expired_timer <= now) {
+					char origin[DNS_NAME_FORMATSIZE];
+					char algbuf[DNS_NAME_FORMATSIZE];
+					dns_name_format(&zone->origin, origin,
+							sizeof(origin));
+					dns_secalg_format(rrsig.algorithm,
+							  algbuf,
+							  sizeof(algbuf));
+					dns_zone_log(zone, ISC_LOG_WARNING,
+						     "Key %s/%s/%d "
+						     "missing or inactive "
+						     "and has no replacement: "
+						     "retaining signatures.",
+						     origin, algbuf,
+						     rrsig.keyid);
+					zone->log_key_expired_timer = now +
+								      3600;
+				}
+			}
+			continue;
+		}
+
+		/*
+		 * KSK RRSIGs requires special processing.
+		 */
+		found = false;
+		for (i = 0; i < nkeys; i++) {
+			if (rrsig.algorithm == dst_key_alg(keys[i]) &&
+			    rrsig.keyid == dst_key_id(keys[i]))
+			{
+				found = true;
+				/*
+				 * Mark offline DNSKEY.
+				 * We want the earliest offline expire time
+				 * iff there is a new offline signature.
+				 */
+				if (!dst_key_inactive(keys[i]) &&
+				    !dst_key_isprivate(keys[i]))
+				{
+					int64_t timeexpire = dns_time64_from32(
+						rrsig.timeexpire);
+					if (timewarn != 0 &&
+					    timewarn > timeexpire)
+					{
+						timewarn = timeexpire;
+					}
+					if (rdata.flags & DNS_RDATA_OFFLINE) {
+						if (timemaybe == 0 ||
+						    timemaybe > timeexpire)
+						{
+							timemaybe = timeexpire;
+						}
+						break;
+					}
+					if (timewarn == 0) {
+						timewarn = timemaybe;
+					}
+					if (timewarn == 0 ||
+					    timewarn > timeexpire)
+					{
+						timewarn = timeexpire;
+					}
+					result = offline(db, ver, zonediff,
+							 name, rdataset.ttl,
+							 &rdata);
+					break;
+				}
+				result = update_one_rr(db, ver, zonediff->diff,
+						       DNS_DIFFOP_DELRESIGN,
+						       name, rdataset.ttl,
+						       &rdata);
+				break;
+			}
+		}
+
+		/*
+		 * If there is not a matching DNSKEY then
+		 * delete the RRSIG.
+		 */
+		if (!found) {
+			result = update_one_rr(db, ver, zonediff->diff,
+					       DNS_DIFFOP_DELRESIGN, name,
+					       rdataset.ttl, &rdata);
+		}
+		if (result != ISC_R_SUCCESS) {
+			break;
+		}
+	}
+
+	dns_rdataset_disassociate(&rdataset);
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+	}
+	if (timewarn > 0) {
+		isc_stdtime_t stdwarn = (isc_stdtime_t)timewarn;
+		if (timewarn == stdwarn) {
+			set_key_expiry_warning(zone, (isc_stdtime_t)timewarn,
+					       now);
+		} else {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "key expiry warning time out of range");
+		}
+	}
+failure:
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+	return (result);
+}
+
+static isc_result_t
+add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone,
+	 dns_rdatatype_t type, dns_diff_t *diff, dst_key_t **keys,
+	 unsigned int nkeys, isc_mem_t *mctx, isc_stdtime_t inception,
+	 isc_stdtime_t expire, bool check_ksk, bool keyset_kskonly) {
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	dns_stats_t *dnssecsignstats;
+	dns_rdataset_t rdataset;
+	dns_rdata_t sig_rdata = DNS_RDATA_INIT;
+	unsigned char data[1024]; /* XXX */
+	isc_buffer_t buffer;
+	unsigned int i, j;
+	bool use_kasp = false;
+
+	if (dns_zone_getkasp(zone) != NULL) {
+		check_ksk = false;
+		keyset_kskonly = true;
+		use_kasp = true;
+	}
+
+	dns_rdataset_init(&rdataset);
+	isc_buffer_init(&buffer, data, sizeof(data));
+
+	if (type == dns_rdatatype_nsec3) {
+		result = dns_db_findnsec3node(db, name, false, &node);
+	} else {
+		result = dns_db_findnode(db, name, false, &node);
+	}
+	if (result == ISC_R_NOTFOUND) {
+		return (ISC_R_SUCCESS);
+	}
+	if (result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+	result = dns_db_findrdataset(db, node, ver, type, 0, (isc_stdtime_t)0,
+				     &rdataset, NULL);
+	dns_db_detachnode(db, &node);
+	if (result == ISC_R_NOTFOUND) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
+		return (ISC_R_SUCCESS);
+	}
+	if (result != ISC_R_SUCCESS) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
+		goto failure;
+	}
+
+	for (i = 0; i < nkeys; i++) {
+		bool both = false;
+
+		/* Don't add signatures for offline or inactive keys */
+		if (!dst_key_isprivate(keys[i])) {
+			continue;
+		}
+		if (dst_key_inactive(keys[i])) {
+			continue;
+		}
+
+		if (check_ksk && !REVOKE(keys[i])) {
+			bool have_ksk, have_nonksk;
+			if (KSK(keys[i])) {
+				have_ksk = true;
+				have_nonksk = false;
+			} else {
+				have_ksk = false;
+				have_nonksk = true;
+			}
+
+			for (j = 0; j < nkeys; j++) {
+				if (j == i || ALG(keys[i]) != ALG(keys[j])) {
+					continue;
+				}
+
+				/*
+				 * Don't consider inactive keys, however
+				 * the KSK may be temporary offline, so do
+				 * consider keys which private key files are
+				 * unavailable.
+				 */
+				if (dst_key_inactive(keys[j])) {
+					continue;
+				}
+
+				if (REVOKE(keys[j])) {
+					continue;
+				}
+				if (KSK(keys[j])) {
+					have_ksk = true;
+				} else if (dst_key_isprivate(keys[j])) {
+					have_nonksk = true;
+				}
+				both = have_ksk && have_nonksk;
+				if (both) {
+					break;
+				}
+			}
+		}
+		if (use_kasp) {
+			/*
+			 * A dnssec-policy is found. Check what RRsets this
+			 * key should sign.
+			 */
+			isc_result_t kresult;
+			isc_stdtime_t when;
+			bool ksk = false;
+			bool zsk = false;
+			bool have_ksk = false;
+			bool have_zsk = false;
+
+			kresult = dst_key_getbool(keys[i], DST_BOOL_KSK, &ksk);
+			if (kresult != ISC_R_SUCCESS) {
+				if (KSK(keys[i])) {
+					ksk = true;
+				}
+			}
+			kresult = dst_key_getbool(keys[i], DST_BOOL_ZSK, &zsk);
+			if (kresult != ISC_R_SUCCESS) {
+				if (!KSK(keys[i])) {
+					zsk = true;
+				}
+			}
+
+			have_ksk = ksk;
+			have_zsk = zsk;
+			both = have_ksk && have_zsk;
+
+			for (j = 0; j < nkeys; j++) {
+				if (both) {
+					break;
+				}
+
+				if (j == i || ALG(keys[i]) != ALG(keys[j])) {
+					continue;
+				}
+
+				/*
+				 * Don't consider inactive keys or offline keys.
+				 */
+				if (!dst_key_isprivate(keys[j])) {
+					continue;
+				}
+				if (dst_key_inactive(keys[j])) {
+					continue;
+				}
+
+				if (REVOKE(keys[j])) {
+					continue;
+				}
+
+				if (!have_ksk) {
+					kresult = dst_key_getbool(keys[j],
+								  DST_BOOL_KSK,
+								  &have_ksk);
+					if (kresult != ISC_R_SUCCESS) {
+						if (KSK(keys[j])) {
+							have_ksk = true;
+						}
+					}
+				}
+				if (!have_zsk) {
+					kresult = dst_key_getbool(keys[j],
+								  DST_BOOL_ZSK,
+								  &have_zsk);
+					if (kresult != ISC_R_SUCCESS) {
+						if (!KSK(keys[j])) {
+							have_zsk = true;
+						}
+					}
+				}
+				both = have_ksk && have_zsk;
+			}
+
+			if (type == dns_rdatatype_dnskey ||
+			    type == dns_rdatatype_cdnskey ||
+			    type == dns_rdatatype_cds)
+			{
+				/*
+				 * DNSKEY RRset is signed with KSK.
+				 * CDS and CDNSKEY RRsets too (RFC 7344, 4.1).
+				 */
+				if (!ksk) {
+					continue;
+				}
+			} else if (!zsk) {
+				/*
+				 * Other RRsets are signed with ZSK.
+				 */
+				if (type != dns_rdatatype_soa &&
+				    type != zone->privatetype)
+				{
+					continue;
+				}
+				if (have_zsk) {
+					continue;
+				}
+			} else if (!dst_key_is_signing(keys[i], DST_BOOL_ZSK,
+						       inception, &when))
+			{
+				/*
+				 * This key is not active for zone-signing.
+				 */
+				continue;
+			}
+
+			/*
+			 * If this key is revoked, it may only sign the
+			 * DNSKEY RRset.
+			 */
+			if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey) {
+				continue;
+			}
+		} else if (both) {
+			/*
+			 * CDS and CDNSKEY are signed with KSK (RFC 7344, 4.1).
+			 */
+			if (type == dns_rdatatype_dnskey ||
+			    type == dns_rdatatype_cdnskey ||
+			    type == dns_rdatatype_cds)
+			{
+				if (!KSK(keys[i]) && keyset_kskonly) {
+					continue;
+				}
+			} else if (KSK(keys[i])) {
+				continue;
+			}
+		} else if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey) {
+			continue;
+		}
+
+		/* Calculate the signature, creating a RRSIG RDATA. */
+		isc_buffer_clear(&buffer);
+		CHECK(dns_dnssec_sign(name, &rdataset, keys[i], &inception,
+				      &expire, mctx, &buffer, &sig_rdata));
+
+		/* Update the database and journal with the RRSIG. */
+		/* XXX inefficient - will cause dataset merging */
+		CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADDRESIGN, name,
+				    rdataset.ttl, &sig_rdata));
+		dns_rdata_reset(&sig_rdata);
+		isc_buffer_init(&buffer, data, sizeof(data));
+
+		/* Update DNSSEC sign statistics. */
+		dnssecsignstats = dns_zone_getdnssecsignstats(zone);
+		if (dnssecsignstats != NULL) {
+			/* Generated a new signature. */
+			dns_dnssecsignstats_increment(dnssecsignstats,
+						      ID(keys[i]),
+						      (uint8_t)ALG(keys[i]),
+						      dns_dnssecsignstats_sign);
+			/* This is a refresh. */
+			dns_dnssecsignstats_increment(
+				dnssecsignstats, ID(keys[i]),
+				(uint8_t)ALG(keys[i]),
+				dns_dnssecsignstats_refresh);
+		}
+	}
+
+failure:
+	if (dns_rdataset_isassociated(&rdataset)) {
+		dns_rdataset_disassociate(&rdataset);
+	}
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+	return (result);
+}
+
+static void
+zone_resigninc(dns_zone_t *zone) {
+	const char *me = "zone_resigninc";
+	dns_db_t *db = NULL;
+	dns_dbversion_t *version = NULL;
+	dns_diff_t _sig_diff;
+	dns__zonediff_t zonediff;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	dns_rdataset_t rdataset;
+	dns_rdatatype_t covers;
+	dst_key_t *zone_keys[DNS_MAXZONEKEYS];
+	bool check_ksk, keyset_kskonly = false;
+	isc_result_t result;
+	isc_stdtime_t now, inception, soaexpire, expire, fullexpire, stop;
+	uint32_t sigvalidityinterval, expiryinterval;
+	unsigned int i;
+	unsigned int nkeys = 0;
+	unsigned int resign;
+
+	ENTER;
+
+	dns_rdataset_init(&rdataset);
+	dns_diff_init(zone->mctx, &_sig_diff);
+	zonediff_init(&zonediff, &_sig_diff);
+
+	/*
+	 * Zone is frozen or automatic resigning is disabled.
+	 * Pause for 5 minutes.
+	 */
+	if (zone->update_disabled ||
+	    DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_NORESIGN))
+	{
+		result = ISC_R_FAILURE;
+		goto failure;
+	}
+
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zone->db != NULL) {
+		dns_db_attach(zone->db, &db);
+	}
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+	if (db == NULL) {
+		result = ISC_R_FAILURE;
+		goto failure;
+	}
+
+	result = dns_db_newversion(db, &version);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "zone_resigninc:dns_db_newversion -> %s",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	isc_stdtime_get(&now);
+
+	result = dns__zone_findkeys(zone, db, version, now, zone->mctx,
+				    DNS_MAXZONEKEYS, zone_keys, &nkeys);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "zone_resigninc:dns__zone_findkeys -> %s",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	sigvalidityinterval = dns_zone_getsigvalidityinterval(zone);
+	inception = now - 3600; /* Allow for clock skew. */
+	soaexpire = now + sigvalidityinterval;
+	expiryinterval = dns_zone_getsigresigninginterval(zone);
+	if (expiryinterval > sigvalidityinterval) {
+		expiryinterval = sigvalidityinterval;
+	} else {
+		expiryinterval = sigvalidityinterval - expiryinterval;
+	}
+
+	/*
+	 * Spread out signatures over time if they happen to be
+	 * clumped.  We don't do this for each add_sigs() call as
+	 * we still want some clustering to occur.  In normal operations
+	 * the records should be re-signed as they fall due and they should
+	 * already be spread out.  However if the server is off for a
+	 * period we need to ensure that the clusters don't become
+	 * synchronised by using the full jitter range.
+	 */
+	if (sigvalidityinterval >= 3600U) {
+		uint32_t normaljitter, fulljitter;
+		if (sigvalidityinterval > 7200U) {
+			normaljitter = isc_random_uniform(3600);
+			fulljitter = isc_random_uniform(expiryinterval);
+		} else {
+			normaljitter = fulljitter = isc_random_uniform(1200);
+		}
+		expire = soaexpire - normaljitter - 1;
+		fullexpire = soaexpire - fulljitter - 1;
+	} else {
+		expire = fullexpire = soaexpire - 1;
+	}
+	stop = now + 5;
+
+	check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
+	keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY);
+
+	name = dns_fixedname_initname(&fixed);
+	result = dns_db_getsigningtime(db, &rdataset, name);
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "zone_resigninc:dns_db_getsigningtime -> %s",
+			     dns_result_totext(result));
+	}
+
+	i = 0;
+	while (result == ISC_R_SUCCESS) {
+		resign = rdataset.resign -
+			 dns_zone_getsigresigninginterval(zone);
+		covers = rdataset.covers;
+		dns_rdataset_disassociate(&rdataset);
+
+		/*
+		 * Stop if we hit the SOA as that means we have walked the
+		 * entire zone.  The SOA record should always be the most
+		 * recent signature.
+		 */
+		/* XXXMPA increase number of RRsets signed pre call */
+		if ((covers == dns_rdatatype_soa &&
+		     dns_name_equal(name, &zone->origin)) ||
+		    i++ > zone->signatures || resign > stop)
+		{
+			break;
+		}
+
+		result = del_sigs(zone, db, version, name, covers, &zonediff,
+				  zone_keys, nkeys, now, true);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "zone_resigninc:del_sigs -> %s",
+				     dns_result_totext(result));
+			break;
+		}
+
+		/*
+		 * If re-signing is over 5 minutes late use 'fullexpire'
+		 * to redistribute the signature over the complete
+		 * re-signing window, otherwise only add a small amount
+		 * of jitter.
+		 */
+		result = add_sigs(db, version, name, zone, covers,
+				  zonediff.diff, zone_keys, nkeys, zone->mctx,
+				  inception,
+				  resign > (now - 300) ? expire : fullexpire,
+				  check_ksk, keyset_kskonly);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "zone_resigninc:add_sigs -> %s",
+				     dns_result_totext(result));
+			break;
+		}
+		result = dns_db_getsigningtime(db, &rdataset, name);
+		if (nkeys == 0 && result == ISC_R_NOTFOUND) {
+			result = ISC_R_SUCCESS;
+			break;
+		}
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "zone_resigninc:dns_db_getsigningtime -> "
+				     "%s",
+				     dns_result_totext(result));
+		}
+	}
+
+	if (result != ISC_R_NOMORE && result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+
+	result = del_sigs(zone, db, version, &zone->origin, dns_rdatatype_soa,
+			  &zonediff, zone_keys, nkeys, now, true);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "zone_resigninc:del_sigs -> %s",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	/*
+	 * Did we change anything in the zone?
+	 */
+	if (ISC_LIST_EMPTY(zonediff.diff->tuples)) {
+		/*
+		 * Commit the changes if any key has been marked as offline.
+		 */
+		if (zonediff.offline) {
+			dns_db_closeversion(db, &version, true);
+		}
+		goto failure;
+	}
+
+	/* Increment SOA serial if we have made changes */
+	result = update_soa_serial(zone, db, version, zonediff.diff, zone->mctx,
+				   zone->updatemethod);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "zone_resigninc:update_soa_serial -> %s",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	/*
+	 * Generate maximum life time signatures so that the above loop
+	 * termination is sensible.
+	 */
+	result = add_sigs(db, version, &zone->origin, zone, dns_rdatatype_soa,
+			  zonediff.diff, zone_keys, nkeys, zone->mctx,
+			  inception, soaexpire, check_ksk, keyset_kskonly);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "zone_resigninc:add_sigs -> %s",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	/* Write changes to journal file. */
+	CHECK(zone_journal(zone, zonediff.diff, NULL, "zone_resigninc"));
+
+	/* Everything has succeeded. Commit the changes. */
+	dns_db_closeversion(db, &version, true);
+
+failure:
+	dns_diff_clear(&_sig_diff);
+	for (i = 0; i < nkeys; i++) {
+		dst_key_free(&zone_keys[i]);
+	}
+	if (version != NULL) {
+		dns_db_closeversion(db, &version, false);
+		dns_db_detach(&db);
+	} else if (db != NULL) {
+		dns_db_detach(&db);
+	}
+
+	LOCK_ZONE(zone);
+	if (result == ISC_R_SUCCESS) {
+		set_resigntime(zone);
+		zone_needdump(zone, DNS_DUMP_DELAY);
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
+	} else {
+		/*
+		 * Something failed.  Retry in 5 minutes.
+		 */
+		isc_interval_t ival;
+		isc_interval_set(&ival, 300, 0);
+		isc_time_nowplusinterval(&zone->resigntime, &ival);
+	}
+	UNLOCK_ZONE(zone);
+
+	INSIST(version == NULL);
+}
+
+static isc_result_t
+next_active(dns_db_t *db, dns_dbversion_t *version, dns_name_t *oldname,
+	    dns_name_t *newname, bool bottom) {
+	isc_result_t result;
+	dns_dbiterator_t *dbit = NULL;
+	dns_rdatasetiter_t *rdsit = NULL;
+	dns_dbnode_t *node = NULL;
+
+	CHECK(dns_db_createiterator(db, DNS_DB_NONSEC3, &dbit));
+	CHECK(dns_dbiterator_seek(dbit, oldname));
+	do {
+		result = dns_dbiterator_next(dbit);
+		if (result == ISC_R_NOMORE) {
+			CHECK(dns_dbiterator_first(dbit));
+		}
+		CHECK(dns_dbiterator_current(dbit, &node, newname));
+		if (bottom && dns_name_issubdomain(newname, oldname) &&
+		    !dns_name_equal(newname, oldname))
+		{
+			dns_db_detachnode(db, &node);
+			continue;
+		}
+		/*
+		 * Is this node empty?
+		 */
+		CHECK(dns_db_allrdatasets(db, node, version, 0, 0, &rdsit));
+		result = dns_rdatasetiter_first(rdsit);
+		dns_db_detachnode(db, &node);
+		dns_rdatasetiter_destroy(&rdsit);
+		if (result != ISC_R_NOMORE) {
+			break;
+		}
+	} while (1);
+failure:
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+	if (dbit != NULL) {
+		dns_dbiterator_destroy(&dbit);
+	}
+	return (result);
+}
+
+static bool
+signed_with_good_key(dns_zone_t *zone, dns_db_t *db, dns_dbnode_t *node,
+		     dns_dbversion_t *version, dns_rdatatype_t type,
+		     dst_key_t *key) {
+	isc_result_t result;
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_rrsig_t rrsig;
+	int count = 0;
+	dns_kasp_t *kasp = dns_zone_getkasp(zone);
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(db, node, version, dns_rdatatype_rrsig,
+				     type, 0, &rdataset, NULL);
+	if (result != ISC_R_SUCCESS) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
+		return (false);
+	}
+	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		dns_rdataset_current(&rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
+		INSIST(result == ISC_R_SUCCESS);
+		if (rrsig.algorithm == dst_key_alg(key) &&
+		    rrsig.keyid == dst_key_id(key))
+		{
+			dns_rdataset_disassociate(&rdataset);
+			return (true);
+		}
+		if (rrsig.algorithm == dst_key_alg(key)) {
+			count++;
+		}
+		dns_rdata_reset(&rdata);
+	}
+
+	if (dns_zone_getkasp(zone) != NULL) {
+		dns_kasp_key_t *kkey;
+		int zsk_count = 0;
+		bool approved;
+
+		KASP_LOCK(kasp);
+		for (kkey = ISC_LIST_HEAD(dns_kasp_keys(kasp)); kkey != NULL;
+		     kkey = ISC_LIST_NEXT(kkey, link))
+		{
+			if (dns_kasp_key_algorithm(kkey) != dst_key_alg(key)) {
+				continue;
+			}
+			if (dns_kasp_key_zsk(kkey)) {
+				zsk_count++;
+			}
+		}
+		KASP_UNLOCK(kasp);
+
+		if (type == dns_rdatatype_dnskey ||
+		    type == dns_rdatatype_cdnskey || type == dns_rdatatype_cds)
+		{
+			/*
+			 * CDS and CDNSKEY are signed with KSK like DNSKEY.
+			 * (RFC 7344, section 4.1 specifies that they must
+			 * be signed with a key in the current DS RRset,
+			 * which would only include KSK's.)
+			 */
+			approved = false;
+		} else {
+			approved = (zsk_count == count);
+		}
+
+		dns_rdataset_disassociate(&rdataset);
+		return (approved);
+	}
+
+	dns_rdataset_disassociate(&rdataset);
+	return (false);
+}
+
+static isc_result_t
+add_nsec(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
+	 dns_dbnode_t *node, dns_ttl_t ttl, bool bottom, dns_diff_t *diff) {
+	dns_fixedname_t fixed;
+	dns_name_t *next;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_result_t result;
+	unsigned char nsecbuffer[DNS_NSEC_BUFFERSIZE];
+
+	next = dns_fixedname_initname(&fixed);
+
+	CHECK(next_active(db, version, name, next, bottom));
+	CHECK(dns_nsec_buildrdata(db, version, node, next, nsecbuffer, &rdata));
+	CHECK(update_one_rr(db, version, diff, DNS_DIFFOP_ADD, name, ttl,
+			    &rdata));
+failure:
+	return (result);
+}
+
+static isc_result_t
+check_if_bottom_of_zone(dns_db_t *db, dns_dbnode_t *node,
+			dns_dbversion_t *version, bool *is_bottom_of_zone) {
+	isc_result_t result;
+	dns_rdatasetiter_t *iterator = NULL;
+	dns_rdataset_t rdataset;
+	bool seen_soa = false, seen_ns = false, seen_dname = false;
+
+	REQUIRE(is_bottom_of_zone != NULL);
+
+	result = dns_db_allrdatasets(db, node, version, 0, 0, &iterator);
+	if (result != ISC_R_SUCCESS) {
+		if (result == ISC_R_NOTFOUND) {
+			result = ISC_R_SUCCESS;
+		}
+		return (result);
+	}
+
+	dns_rdataset_init(&rdataset);
+	for (result = dns_rdatasetiter_first(iterator); result == ISC_R_SUCCESS;
+	     result = dns_rdatasetiter_next(iterator))
+	{
+		dns_rdatasetiter_current(iterator, &rdataset);
+		switch (rdataset.type) {
+		case dns_rdatatype_soa:
+			seen_soa = true;
+			break;
+		case dns_rdatatype_ns:
+			seen_ns = true;
+			break;
+		case dns_rdatatype_dname:
+			seen_dname = true;
+			break;
+		}
+		dns_rdataset_disassociate(&rdataset);
+	}
+	if (result != ISC_R_NOMORE) {
+		goto failure;
+	}
+	if ((seen_ns && !seen_soa) || seen_dname) {
+		*is_bottom_of_zone = true;
+	}
+	result = ISC_R_SUCCESS;
+
+failure:
+	dns_rdatasetiter_destroy(&iterator);
+
+	return (result);
+}
+
+static isc_result_t
+sign_a_node(dns_db_t *db, dns_zone_t *zone, dns_name_t *name,
+	    dns_dbnode_t *node, dns_dbversion_t *version, bool build_nsec3,
+	    bool build_nsec, dst_key_t *key, isc_stdtime_t inception,
+	    isc_stdtime_t expire, dns_ttl_t nsecttl, bool is_ksk, bool is_zsk,
+	    bool keyset_kskonly, bool is_bottom_of_zone, dns_diff_t *diff,
+	    int32_t *signatures, isc_mem_t *mctx) {
+	isc_result_t result;
+	dns_rdatasetiter_t *iterator = NULL;
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_stats_t *dnssecsignstats;
+
+	isc_buffer_t buffer;
+	unsigned char data[1024];
+	bool seen_soa, seen_ns, seen_rr, seen_nsec, seen_nsec3, seen_ds;
+
+	result = dns_db_allrdatasets(db, node, version, 0, 0, &iterator);
+	if (result != ISC_R_SUCCESS) {
+		if (result == ISC_R_NOTFOUND) {
+			result = ISC_R_SUCCESS;
+		}
+		return (result);
+	}
+
+	dns_rdataset_init(&rdataset);
+	isc_buffer_init(&buffer, data, sizeof(data));
+	seen_rr = seen_soa = seen_ns = seen_nsec = seen_nsec3 = seen_ds = false;
+	for (result = dns_rdatasetiter_first(iterator); result == ISC_R_SUCCESS;
+	     result = dns_rdatasetiter_next(iterator))
+	{
+		dns_rdatasetiter_current(iterator, &rdataset);
+		if (rdataset.type == dns_rdatatype_soa) {
+			seen_soa = true;
+		} else if (rdataset.type == dns_rdatatype_ns) {
+			seen_ns = true;
+		} else if (rdataset.type == dns_rdatatype_ds) {
+			seen_ds = true;
+		} else if (rdataset.type == dns_rdatatype_nsec) {
+			seen_nsec = true;
+		} else if (rdataset.type == dns_rdatatype_nsec3) {
+			seen_nsec3 = true;
+		}
+		if (rdataset.type != dns_rdatatype_rrsig) {
+			seen_rr = true;
+		}
+		dns_rdataset_disassociate(&rdataset);
+	}
+	if (result != ISC_R_NOMORE) {
+		goto failure;
+	}
+	/*
+	 * Going from insecure to NSEC3.
+	 * Don't generate NSEC3 records for NSEC3 records.
+	 */
+	if (build_nsec3 && !seen_nsec3 && seen_rr) {
+		bool unsecure = !seen_ds && seen_ns && !seen_soa;
+		CHECK(dns_nsec3_addnsec3s(db, version, name, nsecttl, unsecure,
+					  diff));
+		(*signatures)--;
+	}
+	/*
+	 * Going from insecure to NSEC.
+	 * Don't generate NSEC records for NSEC3 records.
+	 */
+	if (build_nsec && !seen_nsec3 && !seen_nsec && seen_rr) {
+		/*
+		 * Build a NSEC record except at the origin.
+		 */
+		if (!dns_name_equal(name, dns_db_origin(db))) {
+			CHECK(add_nsec(db, version, name, node, nsecttl,
+				       is_bottom_of_zone, diff));
+			/* Count a NSEC generation as a signature generation. */
+			(*signatures)--;
+		}
+	}
+	result = dns_rdatasetiter_first(iterator);
+	while (result == ISC_R_SUCCESS) {
+		isc_stdtime_t when;
+
+		dns_rdatasetiter_current(iterator, &rdataset);
+		if (rdataset.type == dns_rdatatype_soa ||
+		    rdataset.type == dns_rdatatype_rrsig)
+		{
+			goto next_rdataset;
+		}
+		if (rdataset.type == dns_rdatatype_dnskey ||
+		    rdataset.type == dns_rdatatype_cdnskey ||
+		    rdataset.type == dns_rdatatype_cds)
+		{
+			/*
+			 * CDS and CDNSKEY are signed with KSK like DNSKEY.
+			 * (RFC 7344, section 4.1 specifies that they must
+			 * be signed with a key in the current DS RRset,
+			 * which would only include KSK's.)
+			 */
+			if (!is_ksk && keyset_kskonly) {
+				goto next_rdataset;
+			}
+		} else if (!is_zsk) {
+			goto next_rdataset;
+		} else if (is_zsk && !dst_key_is_signing(key, DST_BOOL_ZSK,
+							 inception, &when))
+		{
+			/* Only applies to dnssec-policy. */
+			if (dns_zone_getkasp(zone) != NULL) {
+				goto next_rdataset;
+			}
+		}
+
+		if (seen_ns && !seen_soa && rdataset.type != dns_rdatatype_ds &&
+		    rdataset.type != dns_rdatatype_nsec)
+		{
+			goto next_rdataset;
+		}
+		if (signed_with_good_key(zone, db, node, version, rdataset.type,
+					 key))
+		{
+			goto next_rdataset;
+		}
+
+		/* Calculate the signature, creating a RRSIG RDATA. */
+		isc_buffer_clear(&buffer);
+		CHECK(dns_dnssec_sign(name, &rdataset, key, &inception, &expire,
+				      mctx, &buffer, &rdata));
+		/* Update the database and journal with the RRSIG. */
+		/* XXX inefficient - will cause dataset merging */
+		CHECK(update_one_rr(db, version, diff, DNS_DIFFOP_ADDRESIGN,
+				    name, rdataset.ttl, &rdata));
+		dns_rdata_reset(&rdata);
+
+		/* Update DNSSEC sign statistics. */
+		dnssecsignstats = dns_zone_getdnssecsignstats(zone);
+		if (dnssecsignstats != NULL) {
+			/* Generated a new signature. */
+			dns_dnssecsignstats_increment(dnssecsignstats, ID(key),
+						      ALG(key),
+						      dns_dnssecsignstats_sign);
+			/* This is a refresh. */
+			dns_dnssecsignstats_increment(
+				dnssecsignstats, ID(key), ALG(key),
+				dns_dnssecsignstats_refresh);
+		}
+
+		(*signatures)--;
+	next_rdataset:
+		dns_rdataset_disassociate(&rdataset);
+		result = dns_rdatasetiter_next(iterator);
+	}
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+	}
+failure:
+	if (dns_rdataset_isassociated(&rdataset)) {
+		dns_rdataset_disassociate(&rdataset);
+	}
+	if (iterator != NULL) {
+		dns_rdatasetiter_destroy(&iterator);
+	}
+	return (result);
+}
+
+/*
+ * If 'update_only' is set then don't create a NSEC RRset if it doesn't exist.
+ */
+static isc_result_t
+updatesecure(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
+	     dns_ttl_t nsecttl, bool update_only, dns_diff_t *diff) {
+	isc_result_t result;
+	dns_rdataset_t rdataset;
+	dns_dbnode_t *node = NULL;
+
+	CHECK(dns_db_getoriginnode(db, &node));
+	if (update_only) {
+		dns_rdataset_init(&rdataset);
+		result = dns_db_findrdataset(
+			db, node, version, dns_rdatatype_nsec,
+			dns_rdatatype_none, 0, &rdataset, NULL);
+		if (dns_rdataset_isassociated(&rdataset)) {
+			dns_rdataset_disassociate(&rdataset);
+		}
+		if (result == ISC_R_NOTFOUND) {
+			goto success;
+		}
+		if (result != ISC_R_SUCCESS) {
+			goto failure;
+		}
+	}
+	CHECK(delete_nsec(db, version, node, name, diff));
+	CHECK(add_nsec(db, version, name, node, nsecttl, false, diff));
+success:
+	result = ISC_R_SUCCESS;
+failure:
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+	return (result);
+}
+
+static isc_result_t
+updatesignwithkey(dns_zone_t *zone, dns_signing_t *signing,
+		  dns_dbversion_t *version, bool build_nsec3, dns_ttl_t nsecttl,
+		  dns_diff_t *diff) {
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	unsigned char data[5];
+	bool seen_done = false;
+	bool have_rr = false;
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_getoriginnode(signing->db, &node);
+	if (result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+
+	result = dns_db_findrdataset(signing->db, node, version,
+				     zone->privatetype, dns_rdatatype_none, 0,
+				     &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
+		result = ISC_R_SUCCESS;
+		goto failure;
+	}
+	if (result != ISC_R_SUCCESS) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
+		goto failure;
+	}
+	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		dns_rdataset_current(&rdataset, &rdata);
+		/*
+		 * If we don't match the algorithm or keyid skip the record.
+		 */
+		if (rdata.length != 5 || rdata.data[0] != signing->algorithm ||
+		    rdata.data[1] != ((signing->keyid >> 8) & 0xff) ||
+		    rdata.data[2] != (signing->keyid & 0xff))
+		{
+			have_rr = true;
+			dns_rdata_reset(&rdata);
+			continue;
+		}
+		/*
+		 * We have a match.  If we were signing (!signing->deleteit)
+		 * and we already have a record indicating that we have
+		 * finished signing (rdata.data[4] != 0) then keep it.
+		 * Otherwise it needs to be deleted as we have removed all
+		 * the signatures (signing->deleteit), so any record indicating
+		 * completion is now out of date, or we have finished signing
+		 * with the new record so we no longer need to remember that
+		 * we need to sign the zone with the matching key across a
+		 * nameserver re-start.
+		 */
+		if (!signing->deleteit && rdata.data[4] != 0) {
+			seen_done = true;
+			have_rr = true;
+		} else {
+			CHECK(update_one_rr(signing->db, version, diff,
+					    DNS_DIFFOP_DEL, &zone->origin,
+					    rdataset.ttl, &rdata));
+		}
+		dns_rdata_reset(&rdata);
+	}
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+	}
+	if (!signing->deleteit && !seen_done) {
+		/*
+		 * If we were signing then we need to indicate that we have
+		 * finished signing the zone with this key.  If it is already
+		 * there we don't need to add it a second time.
+		 */
+		data[0] = signing->algorithm;
+		data[1] = (signing->keyid >> 8) & 0xff;
+		data[2] = signing->keyid & 0xff;
+		data[3] = 0;
+		data[4] = 1;
+		rdata.length = sizeof(data);
+		rdata.data = data;
+		rdata.type = zone->privatetype;
+		rdata.rdclass = dns_db_class(signing->db);
+		CHECK(update_one_rr(signing->db, version, diff, DNS_DIFFOP_ADD,
+				    &zone->origin, rdataset.ttl, &rdata));
+	} else if (!have_rr) {
+		dns_name_t *origin = dns_db_origin(signing->db);
+		/*
+		 * Rebuild the NSEC/NSEC3 record for the origin as we no
+		 * longer have any private records.
+		 */
+		if (build_nsec3) {
+			CHECK(dns_nsec3_addnsec3s(signing->db, version, origin,
+						  nsecttl, false, diff));
+		}
+		CHECK(updatesecure(signing->db, version, origin, nsecttl, true,
+				   diff));
+	}
+
+failure:
+	if (dns_rdataset_isassociated(&rdataset)) {
+		dns_rdataset_disassociate(&rdataset);
+	}
+	if (node != NULL) {
+		dns_db_detachnode(signing->db, &node);
+	}
+	return (result);
+}
+
+/*
+ * Called from zone_nsec3chain() in order to update zone records indicating
+ * processing status of given NSEC3 chain:
+ *
+ *   - If the supplied dns_nsec3chain_t structure has been fully processed
+ *     (which is indicated by "active" being set to false):
+ *
+ *       - remove all NSEC3PARAM records matching the relevant NSEC3 chain,
+ *
+ *       - remove all private-type records containing NSEC3PARAM RDATA matching
+ *         the relevant NSEC3 chain.
+ *
+ *   - If the supplied dns_nsec3chain_t structure has not been fully processed
+ *     (which is indicated by "active" being set to true), only remove the
+ *     NSEC3PARAM record which matches the relevant NSEC3 chain and has the
+ *     "flags" field set to 0.
+ *
+ *   - If given NSEC3 chain is being added, add an NSEC3PARAM record contained
+ *     in the relevant private-type record, but with the "flags" field set to
+ *     0, indicating that this NSEC3 chain is now complete for this zone.
+ *
+ * Note that this function is called at different processing stages for NSEC3
+ * chain additions vs. removals and needs to handle all cases properly.
+ */
+static isc_result_t
+fixup_nsec3param(dns_db_t *db, dns_dbversion_t *ver, dns_nsec3chain_t *chain,
+		 bool active, dns_rdatatype_t privatetype, dns_diff_t *diff) {
+	dns_dbnode_t *node = NULL;
+	dns_name_t *name = dns_db_origin(db);
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdataset_t rdataset;
+	dns_rdata_nsec3param_t nsec3param;
+	isc_result_t result;
+	isc_buffer_t buffer;
+	unsigned char parambuf[DNS_NSEC3PARAM_BUFFERSIZE];
+	dns_ttl_t ttl = 0;
+	bool nseconly = false, nsec3ok = false;
+
+	dns_rdataset_init(&rdataset);
+
+	result = dns_db_getoriginnode(db, &node);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param, 0,
+				     0, &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND) {
+		goto try_private;
+	}
+	if (result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+
+	/*
+	 * Preserve the existing ttl.
+	 */
+	ttl = rdataset.ttl;
+
+	/*
+	 * Delete all NSEC3PARAM records which match that in nsec3chain.
+	 */
+	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		dns_rdataset_current(&rdataset, &rdata);
+		CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
+
+		if (nsec3param.hash != chain->nsec3param.hash ||
+		    (active && nsec3param.flags != 0) ||
+		    nsec3param.iterations != chain->nsec3param.iterations ||
+		    nsec3param.salt_length != chain->nsec3param.salt_length ||
+		    memcmp(nsec3param.salt, chain->nsec3param.salt,
+			   nsec3param.salt_length))
+		{
+			dns_rdata_reset(&rdata);
+			continue;
+		}
+
+		CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_DEL, name,
+				    rdataset.ttl, &rdata));
+		dns_rdata_reset(&rdata);
+	}
+	if (result != ISC_R_NOMORE) {
+		goto failure;
+	}
+
+	dns_rdataset_disassociate(&rdataset);
+
+try_private:
+
+	if (active) {
+		goto add;
+	}
+
+	result = dns_nsec_nseconly(db, ver, &nseconly);
+	nsec3ok = (result == ISC_R_SUCCESS && !nseconly);
+
+	/*
+	 * Delete all private records which match that in nsec3chain.
+	 */
+	result = dns_db_findrdataset(db, node, ver, privatetype, 0, 0,
+				     &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND) {
+		goto add;
+	}
+	if (result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+
+	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		dns_rdata_t private = DNS_RDATA_INIT;
+		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+
+		dns_rdataset_current(&rdataset, &private);
+		if (!dns_nsec3param_fromprivate(&private, &rdata, buf,
+						sizeof(buf)))
+		{
+			continue;
+		}
+		CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
+
+		if ((!nsec3ok &&
+		     (nsec3param.flags & DNS_NSEC3FLAG_INITIAL) != 0) ||
+		    nsec3param.hash != chain->nsec3param.hash ||
+		    nsec3param.iterations != chain->nsec3param.iterations ||
+		    nsec3param.salt_length != chain->nsec3param.salt_length ||
+		    memcmp(nsec3param.salt, chain->nsec3param.salt,
+			   nsec3param.salt_length))
+		{
+			dns_rdata_reset(&rdata);
+			continue;
+		}
+
+		CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_DEL, name,
+				    rdataset.ttl, &private));
+		dns_rdata_reset(&rdata);
+	}
+	if (result != ISC_R_NOMORE) {
+		goto failure;
+	}
+
+add:
+	if ((chain->nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0) {
+		result = ISC_R_SUCCESS;
+		goto failure;
+	}
+
+	/*
+	 * Add a NSEC3PARAM record which matches that in nsec3chain but
+	 * with all flags bits cleared.
+	 *
+	 * Note: we do not clear chain->nsec3param.flags as this change
+	 * may be reversed.
+	 */
+	isc_buffer_init(&buffer, &parambuf, sizeof(parambuf));
+	CHECK(dns_rdata_fromstruct(&rdata, dns_db_class(db),
+				   dns_rdatatype_nsec3param, &chain->nsec3param,
+				   &buffer));
+	rdata.data[1] = 0; /* Clear flag bits. */
+	CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADD, name, ttl, &rdata));
+
+failure:
+	dns_db_detachnode(db, &node);
+	if (dns_rdataset_isassociated(&rdataset)) {
+		dns_rdataset_disassociate(&rdataset);
+	}
+	return (result);
+}
+
+static isc_result_t
+delete_nsec(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node,
+	    dns_name_t *name, dns_diff_t *diff) {
+	dns_rdataset_t rdataset;
+	isc_result_t result;
+
+	dns_rdataset_init(&rdataset);
+
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec, 0, 0,
+				     &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND) {
+		return (ISC_R_SUCCESS);
+	}
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&rdataset, &rdata);
+		CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_DEL, name,
+				    rdataset.ttl, &rdata));
+	}
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+	}
+failure:
+	dns_rdataset_disassociate(&rdataset);
+	return (result);
+}
+
+static isc_result_t
+deletematchingnsec3(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node,
+		    dns_name_t *name, const dns_rdata_nsec3param_t *param,
+		    dns_diff_t *diff) {
+	dns_rdataset_t rdataset;
+	dns_rdata_nsec3_t nsec3;
+	isc_result_t result;
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3, 0, 0,
+				     &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND) {
+		return (ISC_R_SUCCESS);
+	}
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&rdataset, &rdata);
+		CHECK(dns_rdata_tostruct(&rdata, &nsec3, NULL));
+		if (nsec3.hash != param->hash ||
+		    nsec3.iterations != param->iterations ||
+		    nsec3.salt_length != param->salt_length ||
+		    memcmp(nsec3.salt, param->salt, nsec3.salt_length))
+		{
+			continue;
+		}
+		CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_DEL, name,
+				    rdataset.ttl, &rdata));
+	}
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+	}
+failure:
+	dns_rdataset_disassociate(&rdataset);
+	return (result);
+}
+
+static isc_result_t
+need_nsec_chain(dns_db_t *db, dns_dbversion_t *ver,
+		const dns_rdata_nsec3param_t *param, bool *answer) {
+	dns_dbnode_t *node = NULL;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_nsec3param_t myparam;
+	dns_rdataset_t rdataset;
+	isc_result_t result;
+
+	*answer = false;
+
+	result = dns_db_getoriginnode(db, &node);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	dns_rdataset_init(&rdataset);
+
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec, 0, 0,
+				     &rdataset, NULL);
+	if (result == ISC_R_SUCCESS) {
+		dns_rdataset_disassociate(&rdataset);
+		dns_db_detachnode(db, &node);
+		return (result);
+	}
+	if (result != ISC_R_NOTFOUND) {
+		dns_db_detachnode(db, &node);
+		return (result);
+	}
+
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param, 0,
+				     0, &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND) {
+		*answer = true;
+		dns_db_detachnode(db, &node);
+		return (ISC_R_SUCCESS);
+	}
+	if (result != ISC_R_SUCCESS) {
+		dns_db_detachnode(db, &node);
+		return (result);
+	}
+
+	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		dns_rdataset_current(&rdataset, &rdata);
+		CHECK(dns_rdata_tostruct(&rdata, &myparam, NULL));
+		dns_rdata_reset(&rdata);
+		/*
+		 * Ignore any NSEC3PARAM removals.
+		 */
+		if (NSEC3REMOVE(myparam.flags)) {
+			continue;
+		}
+		/*
+		 * Ignore the chain that we are in the process of deleting.
+		 */
+		if (myparam.hash == param->hash &&
+		    myparam.iterations == param->iterations &&
+		    myparam.salt_length == param->salt_length &&
+		    !memcmp(myparam.salt, param->salt, myparam.salt_length))
+		{
+			continue;
+		}
+		/*
+		 * Found an active NSEC3 chain.
+		 */
+		break;
+	}
+	if (result == ISC_R_NOMORE) {
+		*answer = true;
+		result = ISC_R_SUCCESS;
+	}
+
+failure:
+	if (dns_rdataset_isassociated(&rdataset)) {
+		dns_rdataset_disassociate(&rdataset);
+	}
+	dns_db_detachnode(db, &node);
+	return (result);
+}
+
+/*%
+ * Given a tuple which is part of a diff, return a pointer to the next tuple in
+ * that diff which has the same name and type (or NULL if no such tuple is
+ * found).
+ */
+static dns_difftuple_t *
+find_next_matching_tuple(dns_difftuple_t *cur) {
+	dns_difftuple_t *next = cur;
+
+	while ((next = ISC_LIST_NEXT(next, link)) != NULL) {
+		if (cur->rdata.type == next->rdata.type &&
+		    dns_name_equal(&cur->name, &next->name))
+		{
+			return (next);
+		}
+	}
+
+	return (NULL);
+}
+
+/*%
+ * Remove all tuples with the same name and type as 'cur' from 'src' and append
+ * them to 'dst'.
+ */
+static void
+move_matching_tuples(dns_difftuple_t *cur, dns_diff_t *src, dns_diff_t *dst) {
+	do {
+		dns_difftuple_t *next = find_next_matching_tuple(cur);
+		ISC_LIST_UNLINK(src->tuples, cur, link);
+		dns_diff_appendminimal(dst, &cur);
+		cur = next;
+	} while (cur != NULL);
+}
+
+/*%
+ * Add/remove DNSSEC signatures for the list of "raw" zone changes supplied in
+ * 'diff'.  Gradually remove tuples from 'diff' and append them to 'zonediff'
+ * along with tuples representing relevant signature changes.
+ */
+isc_result_t
+dns__zone_updatesigs(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *version,
+		     dst_key_t *zone_keys[], unsigned int nkeys,
+		     dns_zone_t *zone, isc_stdtime_t inception,
+		     isc_stdtime_t expire, isc_stdtime_t keyexpire,
+		     isc_stdtime_t now, bool check_ksk, bool keyset_kskonly,
+		     dns__zonediff_t *zonediff) {
+	dns_difftuple_t *tuple;
+	isc_result_t result;
+
+	while ((tuple = ISC_LIST_HEAD(diff->tuples)) != NULL) {
+		isc_stdtime_t exp = expire;
+
+		if (keyexpire != 0 &&
+		    (tuple->rdata.type == dns_rdatatype_dnskey ||
+		     tuple->rdata.type == dns_rdatatype_cdnskey ||
+		     tuple->rdata.type == dns_rdatatype_cds))
+		{
+			exp = keyexpire;
+		}
+
+		result = del_sigs(zone, db, version, &tuple->name,
+				  tuple->rdata.type, zonediff, zone_keys, nkeys,
+				  now, false);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "dns__zone_updatesigs:del_sigs -> %s",
+				     dns_result_totext(result));
+			return (result);
+		}
+		result = add_sigs(db, version, &tuple->name, zone,
+				  tuple->rdata.type, zonediff->diff, zone_keys,
+				  nkeys, zone->mctx, inception, exp, check_ksk,
+				  keyset_kskonly);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "dns__zone_updatesigs:add_sigs -> %s",
+				     dns_result_totext(result));
+			return (result);
+		}
+
+		/*
+		 * Signature changes for all RRs with name tuple->name and type
+		 * tuple->rdata.type were appended to zonediff->diff.  Now we
+		 * remove all the "raw" changes with the same name and type
+		 * from diff (so that they are not processed by this loop
+		 * again) and append them to zonediff so that they get applied.
+		 */
+		move_matching_tuples(tuple, diff, zonediff->diff);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Incrementally build and sign a new NSEC3 chain using the parameters
+ * requested.
+ */
+static void
+zone_nsec3chain(dns_zone_t *zone) {
+	const char *me = "zone_nsec3chain";
+	dns_db_t *db = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_dbversion_t *version = NULL;
+	dns_diff_t _sig_diff;
+	dns_diff_t nsec_diff;
+	dns_diff_t nsec3_diff;
+	dns_diff_t param_diff;
+	dns__zonediff_t zonediff;
+	dns_fixedname_t fixed;
+	dns_fixedname_t nextfixed;
+	dns_name_t *name, *nextname;
+	dns_rdataset_t rdataset;
+	dns_nsec3chain_t *nsec3chain = NULL, *nextnsec3chain;
+	dns_nsec3chainlist_t cleanup;
+	dst_key_t *zone_keys[DNS_MAXZONEKEYS];
+	int32_t signatures;
+	bool check_ksk, keyset_kskonly;
+	bool delegation;
+	bool first;
+	isc_result_t result;
+	isc_stdtime_t now, inception, soaexpire, expire;
+	uint32_t jitter, sigvalidityinterval, expiryinterval;
+	unsigned int i;
+	unsigned int nkeys = 0;
+	uint32_t nodes;
+	bool unsecure = false;
+	bool seen_soa, seen_ns, seen_dname, seen_ds;
+	bool seen_nsec, seen_nsec3, seen_rr;
+	dns_rdatasetiter_t *iterator = NULL;
+	bool buildnsecchain;
+	bool updatensec = false;
+	dns_rdatatype_t privatetype = zone->privatetype;
+
+	ENTER;
+
+	dns_rdataset_init(&rdataset);
+	name = dns_fixedname_initname(&fixed);
+	nextname = dns_fixedname_initname(&nextfixed);
+	dns_diff_init(zone->mctx, &param_diff);
+	dns_diff_init(zone->mctx, &nsec3_diff);
+	dns_diff_init(zone->mctx, &nsec_diff);
+	dns_diff_init(zone->mctx, &_sig_diff);
+	zonediff_init(&zonediff, &_sig_diff);
+	ISC_LIST_INIT(cleanup);
+
+	/*
+	 * Updates are disabled.  Pause for 5 minutes.
+	 */
+	if (zone->update_disabled) {
+		result = ISC_R_FAILURE;
+		goto failure;
+	}
+
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	/*
+	 * This function is called when zone timer fires, after the latter gets
+	 * set by zone_addnsec3chain().  If the action triggering the call to
+	 * zone_addnsec3chain() is closely followed by a zone deletion request,
+	 * it might turn out that the timer thread will not be woken up until
+	 * after the zone is deleted by rmzone(), which calls dns_db_detach()
+	 * for zone->db, causing the latter to become NULL.  Return immediately
+	 * if that happens.
+	 */
+	if (zone->db != NULL) {
+		dns_db_attach(zone->db, &db);
+	}
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+	if (db == NULL) {
+		return;
+	}
+
+	result = dns_db_newversion(db, &version);
+	if (result != ISC_R_SUCCESS) {
+		dnssec_log(zone, ISC_LOG_ERROR,
+			   "zone_nsec3chain:dns_db_newversion -> %s",
+			   dns_result_totext(result));
+		goto failure;
+	}
+
+	isc_stdtime_get(&now);
+
+	result = dns__zone_findkeys(zone, db, version, now, zone->mctx,
+				    DNS_MAXZONEKEYS, zone_keys, &nkeys);
+	if (result != ISC_R_SUCCESS) {
+		dnssec_log(zone, ISC_LOG_ERROR,
+			   "zone_nsec3chain:dns__zone_findkeys -> %s",
+			   dns_result_totext(result));
+		goto failure;
+	}
+
+	sigvalidityinterval = dns_zone_getsigvalidityinterval(zone);
+	inception = now - 3600; /* Allow for clock skew. */
+	soaexpire = now + sigvalidityinterval;
+	expiryinterval = dns_zone_getsigresigninginterval(zone);
+	if (expiryinterval > sigvalidityinterval) {
+		expiryinterval = sigvalidityinterval;
+	} else {
+		expiryinterval = sigvalidityinterval - expiryinterval;
+	}
+
+	/*
+	 * Spread out signatures over time if they happen to be
+	 * clumped.  We don't do this for each add_sigs() call as
+	 * we still want some clustering to occur.
+	 */
+	if (sigvalidityinterval >= 3600U) {
+		if (sigvalidityinterval > 7200U) {
+			jitter = isc_random_uniform(expiryinterval);
+		} else {
+			jitter = isc_random_uniform(1200);
+		}
+		expire = soaexpire - jitter - 1;
+	} else {
+		expire = soaexpire - 1;
+	}
+
+	check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
+	keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY);
+
+	/*
+	 * We keep pulling nodes off each iterator in turn until
+	 * we have no more nodes to pull off or we reach the limits
+	 * for this quantum.
+	 */
+	nodes = zone->nodes;
+	signatures = zone->signatures;
+	LOCK_ZONE(zone);
+	nsec3chain = ISC_LIST_HEAD(zone->nsec3chain);
+	UNLOCK_ZONE(zone);
+	first = true;
+
+	if (nsec3chain != NULL) {
+		nsec3chain->save_delete_nsec = nsec3chain->delete_nsec;
+	}
+	/*
+	 * Generate new NSEC3 chains first.
+	 *
+	 * The following while loop iterates over nodes in the zone database,
+	 * updating the NSEC3 chain by calling dns_nsec3_addnsec3() for each of
+	 * them.  Once all nodes are processed, the "delete_nsec" field is
+	 * consulted to check whether we are supposed to remove NSEC records
+	 * from the zone database; if so, the database iterator is reset to
+	 * point to the first node and the loop traverses all of them again,
+	 * this time removing NSEC records.  If we hit a node which is obscured
+	 * by a delegation or a DNAME, nodes are skipped over until we find one
+	 * that is not obscured by the same obscuring name and then normal
+	 * processing is resumed.
+	 *
+	 * The above is repeated until all requested NSEC3 chain changes are
+	 * applied or when we reach the limits for this quantum, whichever
+	 * happens first.
+	 *
+	 * Note that the "signatures" variable is only used here to limit the
+	 * amount of work performed.  Actual DNSSEC signatures are only
+	 * generated by dns__zone_updatesigs() calls later in this function.
+	 */
+	while (nsec3chain != NULL && nodes-- > 0 && signatures > 0) {
+		dns_dbiterator_pause(nsec3chain->dbiterator);
+
+		LOCK_ZONE(zone);
+		nextnsec3chain = ISC_LIST_NEXT(nsec3chain, link);
+
+		ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+		if (nsec3chain->done || nsec3chain->db != zone->db) {
+			ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain, link);
+			ISC_LIST_APPEND(cleanup, nsec3chain, link);
+		}
+		ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+		UNLOCK_ZONE(zone);
+		if (ISC_LIST_TAIL(cleanup) == nsec3chain) {
+			goto next_addchain;
+		}
+
+		/*
+		 * Possible future db.
+		 */
+		if (nsec3chain->db != db) {
+			goto next_addchain;
+		}
+
+		if (NSEC3REMOVE(nsec3chain->nsec3param.flags)) {
+			goto next_addchain;
+		}
+
+		dns_dbiterator_current(nsec3chain->dbiterator, &node, name);
+
+		if (nsec3chain->delete_nsec) {
+			delegation = false;
+			dns_dbiterator_pause(nsec3chain->dbiterator);
+			CHECK(delete_nsec(db, version, node, name, &nsec_diff));
+			goto next_addnode;
+		}
+		/*
+		 * On the first pass we need to check if the current node
+		 * has not been obscured.
+		 */
+		delegation = false;
+		unsecure = false;
+		if (first) {
+			dns_fixedname_t ffound;
+			dns_name_t *found;
+			found = dns_fixedname_initname(&ffound);
+			result = dns_db_find(
+				db, name, version, dns_rdatatype_soa,
+				DNS_DBFIND_NOWILD, 0, NULL, found, NULL, NULL);
+			if ((result == DNS_R_DELEGATION ||
+			     result == DNS_R_DNAME) &&
+			    !dns_name_equal(name, found))
+			{
+				/*
+				 * Remember the obscuring name so that
+				 * we skip all obscured names.
+				 */
+				dns_name_copynf(found, name);
+				delegation = true;
+				goto next_addnode;
+			}
+		}
+
+		/*
+		 * Check to see if this is a bottom of zone node.
+		 */
+		result = dns_db_allrdatasets(db, node, version, 0, 0,
+					     &iterator);
+		if (result == ISC_R_NOTFOUND) {
+			/* Empty node? */
+			goto next_addnode;
+		}
+		if (result != ISC_R_SUCCESS) {
+			goto failure;
+		}
+
+		seen_soa = seen_ns = seen_dname = seen_ds = seen_nsec = false;
+		for (result = dns_rdatasetiter_first(iterator);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdatasetiter_next(iterator))
+		{
+			dns_rdatasetiter_current(iterator, &rdataset);
+			INSIST(rdataset.type != dns_rdatatype_nsec3);
+			if (rdataset.type == dns_rdatatype_soa) {
+				seen_soa = true;
+			} else if (rdataset.type == dns_rdatatype_ns) {
+				seen_ns = true;
+			} else if (rdataset.type == dns_rdatatype_dname) {
+				seen_dname = true;
+			} else if (rdataset.type == dns_rdatatype_ds) {
+				seen_ds = true;
+			} else if (rdataset.type == dns_rdatatype_nsec) {
+				seen_nsec = true;
+			}
+			dns_rdataset_disassociate(&rdataset);
+		}
+		dns_rdatasetiter_destroy(&iterator);
+		/*
+		 * Is there a NSEC chain than needs to be cleaned up?
+		 */
+		if (seen_nsec) {
+			nsec3chain->seen_nsec = true;
+		}
+		if (seen_ns && !seen_soa && !seen_ds) {
+			unsecure = true;
+		}
+		if ((seen_ns && !seen_soa) || seen_dname) {
+			delegation = true;
+		}
+
+		/*
+		 * Process one node.
+		 */
+		dns_dbiterator_pause(nsec3chain->dbiterator);
+		result = dns_nsec3_addnsec3(
+			db, version, name, &nsec3chain->nsec3param,
+			zone_nsecttl(zone), unsecure, &nsec3_diff);
+		if (result != ISC_R_SUCCESS) {
+			dnssec_log(zone, ISC_LOG_ERROR,
+				   "zone_nsec3chain:"
+				   "dns_nsec3_addnsec3 -> %s",
+				   dns_result_totext(result));
+			goto failure;
+		}
+
+		/*
+		 * Treat each call to dns_nsec3_addnsec3() as if it's cost is
+		 * two signatures.  Additionally there will, in general, be
+		 * two signature generated below.
+		 *
+		 * If we are only changing the optout flag the cost is half
+		 * that of the cost of generating a completely new chain.
+		 */
+		signatures -= 4;
+
+		/*
+		 * Go onto next node.
+		 */
+	next_addnode:
+		first = false;
+		dns_db_detachnode(db, &node);
+		do {
+			result = dns_dbiterator_next(nsec3chain->dbiterator);
+
+			if (result == ISC_R_NOMORE && nsec3chain->delete_nsec) {
+				dns_dbiterator_pause(nsec3chain->dbiterator);
+				CHECK(fixup_nsec3param(db, version, nsec3chain,
+						       false, privatetype,
+						       &param_diff));
+				LOCK_ZONE(zone);
+				ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain,
+						link);
+				UNLOCK_ZONE(zone);
+				ISC_LIST_APPEND(cleanup, nsec3chain, link);
+				goto next_addchain;
+			}
+			if (result == ISC_R_NOMORE) {
+				dns_dbiterator_pause(nsec3chain->dbiterator);
+				if (nsec3chain->seen_nsec) {
+					CHECK(fixup_nsec3param(
+						db, version, nsec3chain, true,
+						privatetype, &param_diff));
+					nsec3chain->delete_nsec = true;
+					goto same_addchain;
+				}
+				CHECK(fixup_nsec3param(db, version, nsec3chain,
+						       false, privatetype,
+						       &param_diff));
+				LOCK_ZONE(zone);
+				ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain,
+						link);
+				UNLOCK_ZONE(zone);
+				ISC_LIST_APPEND(cleanup, nsec3chain, link);
+				goto next_addchain;
+			} else if (result != ISC_R_SUCCESS) {
+				dnssec_log(zone, ISC_LOG_ERROR,
+					   "zone_nsec3chain:"
+					   "dns_dbiterator_next -> %s",
+					   dns_result_totext(result));
+				goto failure;
+			} else if (delegation) {
+				dns_dbiterator_current(nsec3chain->dbiterator,
+						       &node, nextname);
+				dns_db_detachnode(db, &node);
+				if (!dns_name_issubdomain(nextname, name)) {
+					break;
+				}
+			} else {
+				break;
+			}
+		} while (1);
+		continue;
+
+	same_addchain:
+		CHECK(dns_dbiterator_first(nsec3chain->dbiterator));
+		first = true;
+		continue;
+
+	next_addchain:
+		dns_dbiterator_pause(nsec3chain->dbiterator);
+		nsec3chain = nextnsec3chain;
+		first = true;
+		if (nsec3chain != NULL) {
+			nsec3chain->save_delete_nsec = nsec3chain->delete_nsec;
+		}
+	}
+
+	if (nsec3chain != NULL) {
+		goto skip_removals;
+	}
+
+	/*
+	 * Process removals.
+	 *
+	 * This is a counterpart of the above while loop which takes care of
+	 * removing an NSEC3 chain.  It starts with determining whether the
+	 * zone needs to switch from NSEC3 to NSEC; if so, it first builds an
+	 * NSEC chain by iterating over all nodes in the zone database and only
+	 * then goes on to remove NSEC3 records be iterating over all nodes
+	 * again and calling deletematchingnsec3() for each of them; otherwise,
+	 * it starts removing NSEC3 records immediately.  Rules for processing
+	 * obscured nodes and interrupting work are the same as for the while
+	 * loop above.
+	 */
+	LOCK_ZONE(zone);
+	nsec3chain = ISC_LIST_HEAD(zone->nsec3chain);
+	UNLOCK_ZONE(zone);
+	first = true;
+	buildnsecchain = false;
+	while (nsec3chain != NULL && nodes-- > 0 && signatures > 0) {
+		dns_dbiterator_pause(nsec3chain->dbiterator);
+
+		LOCK_ZONE(zone);
+		nextnsec3chain = ISC_LIST_NEXT(nsec3chain, link);
+		UNLOCK_ZONE(zone);
+
+		if (nsec3chain->db != db) {
+			goto next_removechain;
+		}
+
+		if (!NSEC3REMOVE(nsec3chain->nsec3param.flags)) {
+			goto next_removechain;
+		}
+
+		/*
+		 * Work out if we need to build a NSEC chain as a consequence
+		 * of removing this NSEC3 chain.
+		 */
+		if (first && !updatensec &&
+		    (nsec3chain->nsec3param.flags & DNS_NSEC3FLAG_NONSEC) == 0)
+		{
+			result = need_nsec_chain(db, version,
+						 &nsec3chain->nsec3param,
+						 &buildnsecchain);
+			if (result != ISC_R_SUCCESS) {
+				dnssec_log(zone, ISC_LOG_ERROR,
+					   "zone_nsec3chain:"
+					   "need_nsec_chain -> %s",
+					   dns_result_totext(result));
+				goto failure;
+			}
+		}
+
+		if (first) {
+			dnssec_log(zone, ISC_LOG_DEBUG(3),
+				   "zone_nsec3chain:buildnsecchain = %u\n",
+				   buildnsecchain);
+		}
+
+		dns_dbiterator_current(nsec3chain->dbiterator, &node, name);
+		dns_dbiterator_pause(nsec3chain->dbiterator);
+		delegation = false;
+
+		if (!buildnsecchain) {
+			/*
+			 * Delete the NSEC3PARAM record matching this chain.
+			 */
+			if (first) {
+				result = fixup_nsec3param(
+					db, version, nsec3chain, true,
+					privatetype, &param_diff);
+				if (result != ISC_R_SUCCESS) {
+					dnssec_log(zone, ISC_LOG_ERROR,
+						   "zone_nsec3chain:"
+						   "fixup_nsec3param -> %s",
+						   dns_result_totext(result));
+					goto failure;
+				}
+			}
+
+			/*
+			 * Delete the NSEC3 records.
+			 */
+			result = deletematchingnsec3(db, version, node, name,
+						     &nsec3chain->nsec3param,
+						     &nsec3_diff);
+			if (result != ISC_R_SUCCESS) {
+				dnssec_log(zone, ISC_LOG_ERROR,
+					   "zone_nsec3chain:"
+					   "deletematchingnsec3 -> %s",
+					   dns_result_totext(result));
+				goto failure;
+			}
+			goto next_removenode;
+		}
+
+		if (first) {
+			dns_fixedname_t ffound;
+			dns_name_t *found;
+			found = dns_fixedname_initname(&ffound);
+			result = dns_db_find(
+				db, name, version, dns_rdatatype_soa,
+				DNS_DBFIND_NOWILD, 0, NULL, found, NULL, NULL);
+			if ((result == DNS_R_DELEGATION ||
+			     result == DNS_R_DNAME) &&
+			    !dns_name_equal(name, found))
+			{
+				/*
+				 * Remember the obscuring name so that
+				 * we skip all obscured names.
+				 */
+				dns_name_copynf(found, name);
+				delegation = true;
+				goto next_removenode;
+			}
+		}
+
+		/*
+		 * Check to see if this is a bottom of zone node.
+		 */
+		result = dns_db_allrdatasets(db, node, version, 0, 0,
+					     &iterator);
+		if (result == ISC_R_NOTFOUND) {
+			/* Empty node? */
+			goto next_removenode;
+		}
+		if (result != ISC_R_SUCCESS) {
+			goto failure;
+		}
+
+		seen_soa = seen_ns = seen_dname = seen_nsec3 = seen_nsec =
+			seen_rr = false;
+		for (result = dns_rdatasetiter_first(iterator);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdatasetiter_next(iterator))
+		{
+			dns_rdatasetiter_current(iterator, &rdataset);
+			if (rdataset.type == dns_rdatatype_soa) {
+				seen_soa = true;
+			} else if (rdataset.type == dns_rdatatype_ns) {
+				seen_ns = true;
+			} else if (rdataset.type == dns_rdatatype_dname) {
+				seen_dname = true;
+			} else if (rdataset.type == dns_rdatatype_nsec) {
+				seen_nsec = true;
+			} else if (rdataset.type == dns_rdatatype_nsec3) {
+				seen_nsec3 = true;
+			} else if (rdataset.type != dns_rdatatype_rrsig) {
+				seen_rr = true;
+			}
+			dns_rdataset_disassociate(&rdataset);
+		}
+		dns_rdatasetiter_destroy(&iterator);
+
+		if (!seen_rr || seen_nsec3 || seen_nsec) {
+			goto next_removenode;
+		}
+		if ((seen_ns && !seen_soa) || seen_dname) {
+			delegation = true;
+		}
+
+		/*
+		 * Add a NSEC record except at the origin.
+		 */
+		if (!dns_name_equal(name, dns_db_origin(db))) {
+			dns_dbiterator_pause(nsec3chain->dbiterator);
+			CHECK(add_nsec(db, version, name, node,
+				       zone_nsecttl(zone), delegation,
+				       &nsec_diff));
+			signatures--;
+		}
+
+	next_removenode:
+		first = false;
+		dns_db_detachnode(db, &node);
+		do {
+			result = dns_dbiterator_next(nsec3chain->dbiterator);
+			if (result == ISC_R_NOMORE && buildnsecchain) {
+				/*
+				 * The NSEC chain should now be built.
+				 * We can now remove the NSEC3 chain.
+				 */
+				updatensec = true;
+				goto same_removechain;
+			}
+			if (result == ISC_R_NOMORE) {
+				dns_dbiterator_pause(nsec3chain->dbiterator);
+				LOCK_ZONE(zone);
+				ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain,
+						link);
+				UNLOCK_ZONE(zone);
+				ISC_LIST_APPEND(cleanup, nsec3chain, link);
+				result = fixup_nsec3param(
+					db, version, nsec3chain, false,
+					privatetype, &param_diff);
+				if (result != ISC_R_SUCCESS) {
+					dnssec_log(zone, ISC_LOG_ERROR,
+						   "zone_nsec3chain:"
+						   "fixup_nsec3param -> %s",
+						   dns_result_totext(result));
+					goto failure;
+				}
+				goto next_removechain;
+			} else if (result != ISC_R_SUCCESS) {
+				dnssec_log(zone, ISC_LOG_ERROR,
+					   "zone_nsec3chain:"
+					   "dns_dbiterator_next -> %s",
+					   dns_result_totext(result));
+				goto failure;
+			} else if (delegation) {
+				dns_dbiterator_current(nsec3chain->dbiterator,
+						       &node, nextname);
+				dns_db_detachnode(db, &node);
+				if (!dns_name_issubdomain(nextname, name)) {
+					break;
+				}
+			} else {
+				break;
+			}
+		} while (1);
+		continue;
+
+	same_removechain:
+		CHECK(dns_dbiterator_first(nsec3chain->dbiterator));
+		buildnsecchain = false;
+		first = true;
+		continue;
+
+	next_removechain:
+		dns_dbiterator_pause(nsec3chain->dbiterator);
+		nsec3chain = nextnsec3chain;
+		first = true;
+	}
+
+skip_removals:
+	/*
+	 * We may need to update the NSEC/NSEC3 records for the zone apex.
+	 */
+	if (!ISC_LIST_EMPTY(param_diff.tuples)) {
+		bool rebuild_nsec = false, rebuild_nsec3 = false;
+		result = dns_db_getoriginnode(db, &node);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		result = dns_db_allrdatasets(db, node, version, 0, 0,
+					     &iterator);
+		if (result != ISC_R_SUCCESS) {
+			dnssec_log(zone, ISC_LOG_ERROR,
+				   "zone_nsec3chain:dns_db_allrdatasets -> %s",
+				   dns_result_totext(result));
+			goto failure;
+		}
+		for (result = dns_rdatasetiter_first(iterator);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdatasetiter_next(iterator))
+		{
+			dns_rdatasetiter_current(iterator, &rdataset);
+			if (rdataset.type == dns_rdatatype_nsec) {
+				rebuild_nsec = true;
+			} else if (rdataset.type == dns_rdatatype_nsec3param) {
+				rebuild_nsec3 = true;
+			}
+			dns_rdataset_disassociate(&rdataset);
+		}
+		dns_rdatasetiter_destroy(&iterator);
+		dns_db_detachnode(db, &node);
+
+		if (rebuild_nsec) {
+			if (nsec3chain != NULL) {
+				dns_dbiterator_pause(nsec3chain->dbiterator);
+			}
+
+			result = updatesecure(db, version, &zone->origin,
+					      zone_nsecttl(zone), true,
+					      &nsec_diff);
+			if (result != ISC_R_SUCCESS) {
+				dnssec_log(zone, ISC_LOG_ERROR,
+					   "zone_nsec3chain:updatesecure -> %s",
+					   dns_result_totext(result));
+				goto failure;
+			}
+		}
+
+		if (rebuild_nsec3) {
+			if (nsec3chain != NULL) {
+				dns_dbiterator_pause(nsec3chain->dbiterator);
+			}
+
+			result = dns_nsec3_addnsec3s(
+				db, version, dns_db_origin(db),
+				zone_nsecttl(zone), false, &nsec3_diff);
+			if (result != ISC_R_SUCCESS) {
+				dnssec_log(zone, ISC_LOG_ERROR,
+					   "zone_nsec3chain:"
+					   "dns_nsec3_addnsec3s -> %s",
+					   dns_result_totext(result));
+				goto failure;
+			}
+		}
+	}
+
+	/*
+	 * Add / update signatures for the NSEC3 records.
+	 */
+	if (nsec3chain != NULL) {
+		dns_dbiterator_pause(nsec3chain->dbiterator);
+	}
+	result = dns__zone_updatesigs(&nsec3_diff, db, version, zone_keys,
+				      nkeys, zone, inception, expire, 0, now,
+				      check_ksk, keyset_kskonly, &zonediff);
+	if (result != ISC_R_SUCCESS) {
+		dnssec_log(zone, ISC_LOG_ERROR,
+			   "zone_nsec3chain:dns__zone_updatesigs -> %s",
+			   dns_result_totext(result));
+		goto failure;
+	}
+
+	/*
+	 * We have changed the NSEC3PARAM or private RRsets
+	 * above so we need to update the signatures.
+	 */
+	result = dns__zone_updatesigs(&param_diff, db, version, zone_keys,
+				      nkeys, zone, inception, expire, 0, now,
+				      check_ksk, keyset_kskonly, &zonediff);
+	if (result != ISC_R_SUCCESS) {
+		dnssec_log(zone, ISC_LOG_ERROR,
+			   "zone_nsec3chain:dns__zone_updatesigs -> %s",
+			   dns_result_totext(result));
+		goto failure;
+	}
+
+	if (updatensec) {
+		result = updatesecure(db, version, &zone->origin,
+				      zone_nsecttl(zone), false, &nsec_diff);
+		if (result != ISC_R_SUCCESS) {
+			dnssec_log(zone, ISC_LOG_ERROR,
+				   "zone_nsec3chain:updatesecure -> %s",
+				   dns_result_totext(result));
+			goto failure;
+		}
+	}
+
+	result = dns__zone_updatesigs(&nsec_diff, db, version, zone_keys, nkeys,
+				      zone, inception, expire, 0, now,
+				      check_ksk, keyset_kskonly, &zonediff);
+	if (result != ISC_R_SUCCESS) {
+		dnssec_log(zone, ISC_LOG_ERROR,
+			   "zone_nsec3chain:dns__zone_updatesigs -> %s",
+			   dns_result_totext(result));
+		goto failure;
+	}
+
+	/*
+	 * If we made no effective changes to the zone then we can just
+	 * cleanup otherwise we need to increment the serial.
+	 */
+	if (ISC_LIST_EMPTY(zonediff.diff->tuples)) {
+		/*
+		 * No need to call dns_db_closeversion() here as it is
+		 * called with commit = true below.
+		 */
+		goto done;
+	}
+
+	result = del_sigs(zone, db, version, &zone->origin, dns_rdatatype_soa,
+			  &zonediff, zone_keys, nkeys, now, false);
+	if (result != ISC_R_SUCCESS) {
+		dnssec_log(zone, ISC_LOG_ERROR,
+			   "zone_nsec3chain:del_sigs -> %s",
+			   dns_result_totext(result));
+		goto failure;
+	}
+
+	result = update_soa_serial(zone, db, version, zonediff.diff, zone->mctx,
+				   zone->updatemethod);
+	if (result != ISC_R_SUCCESS) {
+		dnssec_log(zone, ISC_LOG_ERROR,
+			   "zone_nsec3chain:update_soa_serial -> %s",
+			   dns_result_totext(result));
+		goto failure;
+	}
+
+	result = add_sigs(db, version, &zone->origin, zone, dns_rdatatype_soa,
+			  zonediff.diff, zone_keys, nkeys, zone->mctx,
+			  inception, soaexpire, check_ksk, keyset_kskonly);
+	if (result != ISC_R_SUCCESS) {
+		dnssec_log(zone, ISC_LOG_ERROR,
+			   "zone_nsec3chain:add_sigs -> %s",
+			   dns_result_totext(result));
+		goto failure;
+	}
+
+	/* Write changes to journal file. */
+	CHECK(zone_journal(zone, zonediff.diff, NULL, "zone_nsec3chain"));
+
+	LOCK_ZONE(zone);
+	zone_needdump(zone, DNS_DUMP_DELAY);
+	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
+	UNLOCK_ZONE(zone);
+
+done:
+	/*
+	 * Pause all iterators so that dns_db_closeversion() can succeed.
+	 */
+	LOCK_ZONE(zone);
+	for (nsec3chain = ISC_LIST_HEAD(zone->nsec3chain); nsec3chain != NULL;
+	     nsec3chain = ISC_LIST_NEXT(nsec3chain, link))
+	{
+		dns_dbiterator_pause(nsec3chain->dbiterator);
+	}
+	UNLOCK_ZONE(zone);
+
+	/*
+	 * Everything has succeeded. Commit the changes.
+	 * Unconditionally commit as zonediff.offline not checked above.
+	 */
+	dns_db_closeversion(db, &version, true);
+
+	/*
+	 * Everything succeeded so we can clean these up now.
+	 */
+	nsec3chain = ISC_LIST_HEAD(cleanup);
+	while (nsec3chain != NULL) {
+		ISC_LIST_UNLINK(cleanup, nsec3chain, link);
+		dns_db_detach(&nsec3chain->db);
+		dns_dbiterator_destroy(&nsec3chain->dbiterator);
+		isc_mem_put(zone->mctx, nsec3chain, sizeof *nsec3chain);
+		nsec3chain = ISC_LIST_HEAD(cleanup);
+	}
+
+	LOCK_ZONE(zone);
+	set_resigntime(zone);
+	UNLOCK_ZONE(zone);
+
+failure:
+	if (result != ISC_R_SUCCESS) {
+		dnssec_log(zone, ISC_LOG_ERROR, "zone_nsec3chain: %s",
+			   dns_result_totext(result));
+	}
+
+	/*
+	 * On error roll back the current nsec3chain.
+	 */
+	if (result != ISC_R_SUCCESS && nsec3chain != NULL) {
+		if (nsec3chain->done) {
+			dns_db_detach(&nsec3chain->db);
+			dns_dbiterator_destroy(&nsec3chain->dbiterator);
+			isc_mem_put(zone->mctx, nsec3chain, sizeof *nsec3chain);
+		} else {
+			result = dns_dbiterator_first(nsec3chain->dbiterator);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			dns_dbiterator_pause(nsec3chain->dbiterator);
+			nsec3chain->delete_nsec = nsec3chain->save_delete_nsec;
+		}
+	}
+
+	/*
+	 * Rollback the cleanup list.
+	 */
+	nsec3chain = ISC_LIST_TAIL(cleanup);
+	while (nsec3chain != NULL) {
+		ISC_LIST_UNLINK(cleanup, nsec3chain, link);
+		if (nsec3chain->done) {
+			dns_db_detach(&nsec3chain->db);
+			dns_dbiterator_destroy(&nsec3chain->dbiterator);
+			isc_mem_put(zone->mctx, nsec3chain, sizeof *nsec3chain);
+		} else {
+			LOCK_ZONE(zone);
+			ISC_LIST_PREPEND(zone->nsec3chain, nsec3chain, link);
+			UNLOCK_ZONE(zone);
+			result = dns_dbiterator_first(nsec3chain->dbiterator);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			dns_dbiterator_pause(nsec3chain->dbiterator);
+			nsec3chain->delete_nsec = nsec3chain->save_delete_nsec;
+		}
+		nsec3chain = ISC_LIST_TAIL(cleanup);
+	}
+
+	LOCK_ZONE(zone);
+	for (nsec3chain = ISC_LIST_HEAD(zone->nsec3chain); nsec3chain != NULL;
+	     nsec3chain = ISC_LIST_NEXT(nsec3chain, link))
+	{
+		dns_dbiterator_pause(nsec3chain->dbiterator);
+	}
+	UNLOCK_ZONE(zone);
+
+	dns_diff_clear(&param_diff);
+	dns_diff_clear(&nsec3_diff);
+	dns_diff_clear(&nsec_diff);
+	dns_diff_clear(&_sig_diff);
+
+	if (iterator != NULL) {
+		dns_rdatasetiter_destroy(&iterator);
+	}
+
+	for (i = 0; i < nkeys; i++) {
+		dst_key_free(&zone_keys[i]);
+	}
+
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+	if (version != NULL) {
+		dns_db_closeversion(db, &version, false);
+		dns_db_detach(&db);
+	} else if (db != NULL) {
+		dns_db_detach(&db);
+	}
+
+	LOCK_ZONE(zone);
+	if (ISC_LIST_HEAD(zone->nsec3chain) != NULL) {
+		isc_interval_t interval;
+		if (zone->update_disabled || result != ISC_R_SUCCESS) {
+			isc_interval_set(&interval, 60, 0); /* 1 minute */
+		} else {
+			isc_interval_set(&interval, 0, 10000000); /* 10 ms */
+		}
+		isc_time_nowplusinterval(&zone->nsec3chaintime, &interval);
+	} else {
+		isc_time_settoepoch(&zone->nsec3chaintime);
+	}
+	UNLOCK_ZONE(zone);
+
+	INSIST(version == NULL);
+}
+
+/*%
+ * Delete all RRSIG records with the given algorithm and keyid.
+ * Remove the NSEC record and RRSIGs if nkeys is zero.
+ * If all remaining RRsets are signed with the given algorithm
+ * set *has_algp to true.
+ */
+static isc_result_t
+del_sig(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
+	dns_dbnode_t *node, unsigned int nkeys, dns_secalg_t algorithm,
+	uint16_t keyid, bool *has_algp, dns_diff_t *diff) {
+	dns_rdata_rrsig_t rrsig;
+	dns_rdataset_t rdataset;
+	dns_rdatasetiter_t *iterator = NULL;
+	isc_result_t result;
+	bool alg_missed = false;
+	bool alg_found = false;
+
+	char namebuf[DNS_NAME_FORMATSIZE];
+	dns_name_format(name, namebuf, sizeof(namebuf));
+
+	result = dns_db_allrdatasets(db, node, version, 0, 0, &iterator);
+	if (result != ISC_R_SUCCESS) {
+		if (result == ISC_R_NOTFOUND) {
+			result = ISC_R_SUCCESS;
+		}
+		return (result);
+	}
+
+	dns_rdataset_init(&rdataset);
+	for (result = dns_rdatasetiter_first(iterator); result == ISC_R_SUCCESS;
+	     result = dns_rdatasetiter_next(iterator))
+	{
+		bool has_alg = false;
+		dns_rdatasetiter_current(iterator, &rdataset);
+		if (nkeys == 0 && rdataset.type == dns_rdatatype_nsec) {
+			for (result = dns_rdataset_first(&rdataset);
+			     result == ISC_R_SUCCESS;
+			     result = dns_rdataset_next(&rdataset))
+			{
+				dns_rdata_t rdata = DNS_RDATA_INIT;
+				dns_rdataset_current(&rdataset, &rdata);
+				CHECK(update_one_rr(db, version, diff,
+						    DNS_DIFFOP_DEL, name,
+						    rdataset.ttl, &rdata));
+			}
+			if (result != ISC_R_NOMORE) {
+				goto failure;
+			}
+			dns_rdataset_disassociate(&rdataset);
+			continue;
+		}
+		if (rdataset.type != dns_rdatatype_rrsig) {
+			dns_rdataset_disassociate(&rdataset);
+			continue;
+		}
+		for (result = dns_rdataset_first(&rdataset);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&rdataset))
+		{
+			dns_rdata_t rdata = DNS_RDATA_INIT;
+			dns_rdataset_current(&rdataset, &rdata);
+			CHECK(dns_rdata_tostruct(&rdata, &rrsig, NULL));
+			if (nkeys != 0 && (rrsig.algorithm != algorithm ||
+					   rrsig.keyid != keyid))
+			{
+				if (rrsig.algorithm == algorithm) {
+					has_alg = true;
+				}
+				continue;
+			}
+			CHECK(update_one_rr(db, version, diff,
+					    DNS_DIFFOP_DELRESIGN, name,
+					    rdataset.ttl, &rdata));
+		}
+		dns_rdataset_disassociate(&rdataset);
+		if (result != ISC_R_NOMORE) {
+			break;
+		}
+
+		/*
+		 * After deleting, if there's still a signature for
+		 * 'algorithm', set alg_found; if not, set alg_missed.
+		 */
+		if (has_alg) {
+			alg_found = true;
+		} else {
+			alg_missed = true;
+		}
+	}
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+	}
+
+	/*
+	 * Set `has_algp` if the algorithm was found in every RRset:
+	 * i.e., found in at least one, and not missing from any.
+	 */
+	*has_algp = (alg_found && !alg_missed);
+failure:
+	if (dns_rdataset_isassociated(&rdataset)) {
+		dns_rdataset_disassociate(&rdataset);
+	}
+	dns_rdatasetiter_destroy(&iterator);
+	return (result);
+}
+
+/*
+ * Incrementally sign the zone using the keys requested.
+ * Builds the NSEC chain if required.
+ */
+static void
+zone_sign(dns_zone_t *zone) {
+	const char *me = "zone_sign";
+	dns_db_t *db = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_dbversion_t *version = NULL;
+	dns_diff_t _sig_diff;
+	dns_diff_t post_diff;
+	dns__zonediff_t zonediff;
+	dns_fixedname_t fixed;
+	dns_fixedname_t nextfixed;
+	dns_kasp_t *kasp;
+	dns_name_t *name, *nextname;
+	dns_rdataset_t rdataset;
+	dns_signing_t *signing, *nextsigning;
+	dns_signinglist_t cleanup;
+	dst_key_t *zone_keys[DNS_MAXZONEKEYS];
+	int32_t signatures;
+	bool check_ksk, keyset_kskonly, is_ksk, is_zsk;
+	bool with_ksk, with_zsk;
+	bool commit = false;
+	bool is_bottom_of_zone;
+	bool build_nsec = false;
+	bool build_nsec3 = false;
+	bool use_kasp = false;
+	bool first;
+	isc_result_t result;
+	isc_stdtime_t now, inception, soaexpire, expire;
+	uint32_t jitter, sigvalidityinterval, expiryinterval;
+	unsigned int i, j;
+	unsigned int nkeys = 0;
+	uint32_t nodes;
+
+	ENTER;
+
+	dns_rdataset_init(&rdataset);
+	name = dns_fixedname_initname(&fixed);
+	nextname = dns_fixedname_initname(&nextfixed);
+	dns_diff_init(zone->mctx, &_sig_diff);
+	dns_diff_init(zone->mctx, &post_diff);
+	zonediff_init(&zonediff, &_sig_diff);
+	ISC_LIST_INIT(cleanup);
+
+	/*
+	 * Updates are disabled.  Pause for 1 minute.
+	 */
+	if (zone->update_disabled) {
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zone->db != NULL) {
+		dns_db_attach(zone->db, &db);
+	}
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+	if (db == NULL) {
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+
+	result = dns_db_newversion(db, &version);
+	if (result != ISC_R_SUCCESS) {
+		dnssec_log(zone, ISC_LOG_ERROR,
+			   "zone_sign:dns_db_newversion -> %s",
+			   dns_result_totext(result));
+		goto cleanup;
+	}
+
+	isc_stdtime_get(&now);
+
+	result = dns__zone_findkeys(zone, db, version, now, zone->mctx,
+				    DNS_MAXZONEKEYS, zone_keys, &nkeys);
+	if (result != ISC_R_SUCCESS) {
+		dnssec_log(zone, ISC_LOG_ERROR,
+			   "zone_sign:dns__zone_findkeys -> %s",
+			   dns_result_totext(result));
+		goto cleanup;
+	}
+
+	kasp = dns_zone_getkasp(zone);
+	sigvalidityinterval = dns_zone_getsigvalidityinterval(zone);
+	inception = now - 3600; /* Allow for clock skew. */
+	soaexpire = now + sigvalidityinterval;
+	expiryinterval = dns_zone_getsigresigninginterval(zone);
+	if (expiryinterval > sigvalidityinterval) {
+		expiryinterval = sigvalidityinterval;
+	} else {
+		expiryinterval = sigvalidityinterval - expiryinterval;
+	}
+
+	/*
+	 * Spread out signatures over time if they happen to be
+	 * clumped.  We don't do this for each add_sigs() call as
+	 * we still want some clustering to occur.
+	 */
+	if (sigvalidityinterval >= 3600U) {
+		if (sigvalidityinterval > 7200U) {
+			jitter = isc_random_uniform(expiryinterval);
+		} else {
+			jitter = isc_random_uniform(1200);
+		}
+		expire = soaexpire - jitter - 1;
+	} else {
+		expire = soaexpire - 1;
+	}
+
+	/*
+	 * We keep pulling nodes off each iterator in turn until
+	 * we have no more nodes to pull off or we reach the limits
+	 * for this quantum.
+	 */
+	nodes = zone->nodes;
+	signatures = zone->signatures;
+	signing = ISC_LIST_HEAD(zone->signing);
+	first = true;
+
+	if (dns_zone_getkasp(zone) != NULL) {
+		check_ksk = false;
+		keyset_kskonly = true;
+		use_kasp = true;
+	} else {
+		check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
+		keyset_kskonly = DNS_ZONE_OPTION(zone,
+						 DNS_ZONEOPT_DNSKEYKSKONLY);
+	}
+	dnssec_log(zone, ISC_LOG_DEBUG(3), "zone_sign:use kasp -> %s",
+		   use_kasp ? "yes" : "no");
+
+	/* Determine which type of chain to build */
+	CHECK(dns_private_chains(db, version, zone->privatetype, &build_nsec,
+				 &build_nsec3));
+	if (!build_nsec && !build_nsec3) {
+		if (use_kasp) {
+			build_nsec3 = dns_kasp_nsec3(kasp);
+			build_nsec = !build_nsec3;
+		} else {
+			/* If neither chain is found, default to NSEC */
+			build_nsec = true;
+		}
+	}
+
+	while (signing != NULL && nodes-- > 0 && signatures > 0) {
+		bool has_alg = false;
+
+		dns_dbiterator_pause(signing->dbiterator);
+		nextsigning = ISC_LIST_NEXT(signing, link);
+
+		ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+		if (signing->done || signing->db != zone->db) {
+			/*
+			 * The zone has been reloaded.	We will have to
+			 * created new signings as part of the reload
+			 * process so we can destroy this one.
+			 */
+			ISC_LIST_UNLINK(zone->signing, signing, link);
+			ISC_LIST_APPEND(cleanup, signing, link);
+			ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+			goto next_signing;
+		}
+		ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+
+		if (signing->db != db) {
+			goto next_signing;
+		}
+
+		is_bottom_of_zone = false;
+
+		if (first && signing->deleteit) {
+			/*
+			 * Remove the key we are deleting from consideration.
+			 */
+			for (i = 0, j = 0; i < nkeys; i++) {
+				/*
+				 * Find the key we want to remove.
+				 */
+				if (ALG(zone_keys[i]) == signing->algorithm &&
+				    dst_key_id(zone_keys[i]) == signing->keyid)
+				{
+					bool ksk = false;
+					isc_result_t ret = dst_key_getbool(
+						zone_keys[i], DST_BOOL_KSK,
+						&ksk);
+					if (ret != ISC_R_SUCCESS) {
+						ksk = KSK(zone_keys[i]);
+					}
+					if (ksk) {
+						dst_key_free(&zone_keys[i]);
+					}
+					continue;
+				}
+				zone_keys[j] = zone_keys[i];
+				j++;
+			}
+			for (i = j; i < nkeys; i++) {
+				zone_keys[i] = NULL;
+			}
+			nkeys = j;
+		}
+
+		dns_dbiterator_current(signing->dbiterator, &node, name);
+
+		if (signing->deleteit) {
+			dns_dbiterator_pause(signing->dbiterator);
+			CHECK(del_sig(db, version, name, node, nkeys,
+				      signing->algorithm, signing->keyid,
+				      &has_alg, zonediff.diff));
+		}
+
+		/*
+		 * On the first pass we need to check if the current node
+		 * has not been obscured.
+		 */
+		if (first) {
+			dns_fixedname_t ffound;
+			dns_name_t *found;
+			found = dns_fixedname_initname(&ffound);
+			result = dns_db_find(
+				db, name, version, dns_rdatatype_soa,
+				DNS_DBFIND_NOWILD, 0, NULL, found, NULL, NULL);
+			if ((result == DNS_R_DELEGATION ||
+			     result == DNS_R_DNAME) &&
+			    !dns_name_equal(name, found))
+			{
+				/*
+				 * Remember the obscuring name so that
+				 * we skip all obscured names.
+				 */
+				dns_name_copynf(found, name);
+				is_bottom_of_zone = true;
+				goto next_node;
+			}
+		}
+
+		/*
+		 * Process one node.
+		 */
+		with_ksk = false;
+		with_zsk = false;
+		dns_dbiterator_pause(signing->dbiterator);
+
+		CHECK(check_if_bottom_of_zone(db, node, version,
+					      &is_bottom_of_zone));
+
+		for (i = 0; !has_alg && i < nkeys; i++) {
+			bool both = false;
+
+			/*
+			 * Find the keys we want to sign with.
+			 */
+			if (!dst_key_isprivate(zone_keys[i])) {
+				continue;
+			}
+			if (dst_key_inactive(zone_keys[i])) {
+				continue;
+			}
+
+			/*
+			 * When adding look for the specific key.
+			 */
+			if (!signing->deleteit &&
+			    (dst_key_alg(zone_keys[i]) != signing->algorithm ||
+			     dst_key_id(zone_keys[i]) != signing->keyid))
+			{
+				continue;
+			}
+
+			/*
+			 * When deleting make sure we are properly signed
+			 * with the algorithm that was being removed.
+			 */
+			if (signing->deleteit &&
+			    ALG(zone_keys[i]) != signing->algorithm)
+			{
+				continue;
+			}
+
+			/*
+			 * Do we do KSK processing?
+			 */
+			if (check_ksk && !REVOKE(zone_keys[i])) {
+				bool have_ksk, have_nonksk;
+				if (KSK(zone_keys[i])) {
+					have_ksk = true;
+					have_nonksk = false;
+				} else {
+					have_ksk = false;
+					have_nonksk = true;
+				}
+				for (j = 0; j < nkeys; j++) {
+					if (j == i || (ALG(zone_keys[i]) !=
+						       ALG(zone_keys[j])))
+					{
+						continue;
+					}
+					/*
+					 * Don't consider inactive keys, however
+					 * the key may be temporary offline, so
+					 * do consider KSKs which private key
+					 * files are unavailable.
+					 */
+					if (dst_key_inactive(zone_keys[j])) {
+						continue;
+					}
+					if (REVOKE(zone_keys[j])) {
+						continue;
+					}
+					if (KSK(zone_keys[j])) {
+						have_ksk = true;
+					} else if (dst_key_isprivate(
+							   zone_keys[j]))
+					{
+						have_nonksk = true;
+					}
+					both = have_ksk && have_nonksk;
+					if (both) {
+						break;
+					}
+				}
+			}
+			if (use_kasp) {
+				/*
+				 * A dnssec-policy is found. Check what
+				 * RRsets this key can sign.
+				 */
+				isc_result_t kresult;
+				is_ksk = false;
+				kresult = dst_key_getbool(
+					zone_keys[i], DST_BOOL_KSK, &is_ksk);
+				if (kresult != ISC_R_SUCCESS) {
+					if (KSK(zone_keys[i])) {
+						is_ksk = true;
+					}
+				}
+
+				is_zsk = false;
+				kresult = dst_key_getbool(
+					zone_keys[i], DST_BOOL_ZSK, &is_zsk);
+				if (kresult != ISC_R_SUCCESS) {
+					if (!KSK(zone_keys[i])) {
+						is_zsk = true;
+					}
+				}
+				/* Treat as if we have both KSK and ZSK. */
+				both = true;
+			} else if (both || REVOKE(zone_keys[i])) {
+				is_ksk = KSK(zone_keys[i]);
+				is_zsk = !KSK(zone_keys[i]);
+			} else {
+				is_ksk = false;
+				is_zsk = true;
+			}
+
+			/*
+			 * If deleting signatures, we need to ensure that
+			 * the RRset is still signed at least once by a
+			 * KSK and a ZSK.
+			 */
+			if (signing->deleteit && is_zsk && with_zsk) {
+				continue;
+			}
+
+			if (signing->deleteit && is_ksk && with_ksk) {
+				continue;
+			}
+
+			CHECK(sign_a_node(
+				db, zone, name, node, version, build_nsec3,
+				build_nsec, zone_keys[i], inception, expire,
+				zone_nsecttl(zone), is_ksk, is_zsk,
+				(both && keyset_kskonly), is_bottom_of_zone,
+				zonediff.diff, &signatures, zone->mctx));
+			/*
+			 * If we are adding we are done.  Look for other keys
+			 * of the same algorithm if deleting.
+			 */
+			if (!signing->deleteit) {
+				break;
+			}
+			if (is_zsk) {
+				with_zsk = true;
+			}
+			if (is_ksk) {
+				with_ksk = true;
+			}
+		}
+
+		/*
+		 * Go onto next node.
+		 */
+	next_node:
+		first = false;
+		dns_db_detachnode(db, &node);
+		do {
+			result = dns_dbiterator_next(signing->dbiterator);
+			if (result == ISC_R_NOMORE) {
+				ISC_LIST_UNLINK(zone->signing, signing, link);
+				ISC_LIST_APPEND(cleanup, signing, link);
+				dns_dbiterator_pause(signing->dbiterator);
+				if (nkeys != 0 && build_nsec) {
+					/*
+					 * We have finished regenerating the
+					 * zone with a zone signing key.
+					 * The NSEC chain is now complete and
+					 * there is a full set of signatures
+					 * for the zone.  We can now clear the
+					 * OPT bit from the NSEC record.
+					 */
+					result = updatesecure(
+						db, version, &zone->origin,
+						zone_nsecttl(zone), false,
+						&post_diff);
+					if (result != ISC_R_SUCCESS) {
+						dnssec_log(zone, ISC_LOG_ERROR,
+							   "updatesecure -> %s",
+							   dns_result_totext(
+								   result));
+						goto cleanup;
+					}
+				}
+				result = updatesignwithkey(
+					zone, signing, version, build_nsec3,
+					zone_nsecttl(zone), &post_diff);
+				if (result != ISC_R_SUCCESS) {
+					dnssec_log(zone, ISC_LOG_ERROR,
+						   "updatesignwithkey -> %s",
+						   dns_result_totext(result));
+					goto cleanup;
+				}
+				build_nsec = false;
+				goto next_signing;
+			} else if (result != ISC_R_SUCCESS) {
+				dnssec_log(zone, ISC_LOG_ERROR,
+					   "zone_sign:"
+					   "dns_dbiterator_next -> %s",
+					   dns_result_totext(result));
+				goto cleanup;
+			} else if (is_bottom_of_zone) {
+				dns_dbiterator_current(signing->dbiterator,
+						       &node, nextname);
+				dns_db_detachnode(db, &node);
+				if (!dns_name_issubdomain(nextname, name)) {
+					break;
+				}
+			} else {
+				break;
+			}
+		} while (1);
+		continue;
+
+	next_signing:
+		dns_dbiterator_pause(signing->dbiterator);
+		signing = nextsigning;
+		first = true;
+	}
+
+	if (ISC_LIST_HEAD(post_diff.tuples) != NULL) {
+		result = dns__zone_updatesigs(&post_diff, db, version,
+					      zone_keys, nkeys, zone, inception,
+					      expire, 0, now, check_ksk,
+					      keyset_kskonly, &zonediff);
+		if (result != ISC_R_SUCCESS) {
+			dnssec_log(zone, ISC_LOG_ERROR,
+				   "zone_sign:dns__zone_updatesigs -> %s",
+				   dns_result_totext(result));
+			goto cleanup;
+		}
+	}
+
+	/*
+	 * Have we changed anything?
+	 */
+	if (ISC_LIST_EMPTY(zonediff.diff->tuples)) {
+		if (zonediff.offline) {
+			commit = true;
+		}
+		result = ISC_R_SUCCESS;
+		goto pauseall;
+	}
+
+	commit = true;
+
+	result = del_sigs(zone, db, version, &zone->origin, dns_rdatatype_soa,
+			  &zonediff, zone_keys, nkeys, now, false);
+	if (result != ISC_R_SUCCESS) {
+		dnssec_log(zone, ISC_LOG_ERROR, "zone_sign:del_sigs -> %s",
+			   dns_result_totext(result));
+		goto cleanup;
+	}
+
+	result = update_soa_serial(zone, db, version, zonediff.diff, zone->mctx,
+				   zone->updatemethod);
+	if (result != ISC_R_SUCCESS) {
+		dnssec_log(zone, ISC_LOG_ERROR,
+			   "zone_sign:update_soa_serial -> %s",
+			   dns_result_totext(result));
+		goto cleanup;
+	}
+
+	/*
+	 * Generate maximum life time signatures so that the above loop
+	 * termination is sensible.
+	 */
+	result = add_sigs(db, version, &zone->origin, zone, dns_rdatatype_soa,
+			  zonediff.diff, zone_keys, nkeys, zone->mctx,
+			  inception, soaexpire, check_ksk, keyset_kskonly);
+	if (result != ISC_R_SUCCESS) {
+		dnssec_log(zone, ISC_LOG_ERROR, "zone_sign:add_sigs -> %s",
+			   dns_result_totext(result));
+		goto cleanup;
+	}
+
+	/*
+	 * Write changes to journal file.
+	 */
+	CHECK(zone_journal(zone, zonediff.diff, NULL, "zone_sign"));
+
+pauseall:
+	/*
+	 * Pause all iterators so that dns_db_closeversion() can succeed.
+	 */
+	for (signing = ISC_LIST_HEAD(zone->signing); signing != NULL;
+	     signing = ISC_LIST_NEXT(signing, link))
+	{
+		dns_dbiterator_pause(signing->dbiterator);
+	}
+
+	for (signing = ISC_LIST_HEAD(cleanup); signing != NULL;
+	     signing = ISC_LIST_NEXT(signing, link))
+	{
+		dns_dbiterator_pause(signing->dbiterator);
+	}
+
+	/*
+	 * Everything has succeeded. Commit the changes.
+	 */
+	dns_db_closeversion(db, &version, commit);
+
+	/*
+	 * Everything succeeded so we can clean these up now.
+	 */
+	signing = ISC_LIST_HEAD(cleanup);
+	while (signing != NULL) {
+		ISC_LIST_UNLINK(cleanup, signing, link);
+		dns_db_detach(&signing->db);
+		dns_dbiterator_destroy(&signing->dbiterator);
+		isc_mem_put(zone->mctx, signing, sizeof *signing);
+		signing = ISC_LIST_HEAD(cleanup);
+	}
+
+	LOCK_ZONE(zone);
+	set_resigntime(zone);
+	if (commit) {
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
+		zone_needdump(zone, DNS_DUMP_DELAY);
+	}
+	UNLOCK_ZONE(zone);
+
+failure:
+	if (result != ISC_R_SUCCESS) {
+		dnssec_log(zone, ISC_LOG_ERROR, "zone_sign: failed: %s",
+			   dns_result_totext(result));
+	}
+
+cleanup:
+	/*
+	 * Pause all dbiterators.
+	 */
+	for (signing = ISC_LIST_HEAD(zone->signing); signing != NULL;
+	     signing = ISC_LIST_NEXT(signing, link))
+	{
+		dns_dbiterator_pause(signing->dbiterator);
+	}
+
+	/*
+	 * Rollback the cleanup list.
+	 */
+	signing = ISC_LIST_HEAD(cleanup);
+	while (signing != NULL) {
+		ISC_LIST_UNLINK(cleanup, signing, link);
+		ISC_LIST_PREPEND(zone->signing, signing, link);
+		dns_dbiterator_first(signing->dbiterator);
+		dns_dbiterator_pause(signing->dbiterator);
+		signing = ISC_LIST_HEAD(cleanup);
+	}
+
+	dns_diff_clear(&_sig_diff);
+
+	for (i = 0; i < nkeys; i++) {
+		dst_key_free(&zone_keys[i]);
+	}
+
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+
+	if (version != NULL) {
+		dns_db_closeversion(db, &version, false);
+		dns_db_detach(&db);
+	} else if (db != NULL) {
+		dns_db_detach(&db);
+	}
+
+	LOCK_ZONE(zone);
+	if (ISC_LIST_HEAD(zone->signing) != NULL) {
+		isc_interval_t interval;
+		if (zone->update_disabled || result != ISC_R_SUCCESS) {
+			isc_interval_set(&interval, 60, 0); /* 1 minute */
+		} else {
+			isc_interval_set(&interval, 0, 10000000); /* 10 ms */
+		}
+		isc_time_nowplusinterval(&zone->signingtime, &interval);
+	} else {
+		isc_time_settoepoch(&zone->signingtime);
+	}
+	UNLOCK_ZONE(zone);
+
+	INSIST(version == NULL);
+}
+
+static isc_result_t
+normalize_key(dns_rdata_t *rr, dns_rdata_t *target, unsigned char *data,
+	      int size) {
+	dns_rdata_dnskey_t dnskey;
+	dns_rdata_keydata_t keydata;
+	isc_buffer_t buf;
+	isc_result_t result;
+
+	dns_rdata_reset(target);
+	isc_buffer_init(&buf, data, size);
+
+	switch (rr->type) {
+	case dns_rdatatype_dnskey:
+		result = dns_rdata_tostruct(rr, &dnskey, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		dnskey.flags &= ~DNS_KEYFLAG_REVOKE;
+		dns_rdata_fromstruct(target, rr->rdclass, dns_rdatatype_dnskey,
+				     &dnskey, &buf);
+		break;
+	case dns_rdatatype_keydata:
+		result = dns_rdata_tostruct(rr, &keydata, NULL);
+		if (result == ISC_R_UNEXPECTEDEND) {
+			return (result);
+		}
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		dns_keydata_todnskey(&keydata, &dnskey, NULL);
+		dns_rdata_fromstruct(target, rr->rdclass, dns_rdatatype_dnskey,
+				     &dnskey, &buf);
+		break;
+	default:
+		UNREACHABLE();
+	}
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * 'rdset' contains either a DNSKEY rdataset from the zone apex, or
+ * a KEYDATA rdataset from the key zone.
+ *
+ * 'rr' contains either a DNSKEY record, or a KEYDATA record
+ *
+ * After normalizing keys to the same format (DNSKEY, with revoke bit
+ * cleared), return true if a key that matches 'rr' is found in
+ * 'rdset', or false if not.
+ */
+
+static bool
+matchkey(dns_rdataset_t *rdset, dns_rdata_t *rr) {
+	unsigned char data1[4096], data2[4096];
+	dns_rdata_t rdata, rdata1, rdata2;
+	isc_result_t result;
+
+	dns_rdata_init(&rdata);
+	dns_rdata_init(&rdata1);
+	dns_rdata_init(&rdata2);
+
+	result = normalize_key(rr, &rdata1, data1, sizeof(data1));
+	if (result != ISC_R_SUCCESS) {
+		return (false);
+	}
+
+	for (result = dns_rdataset_first(rdset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(rdset))
+	{
+		dns_rdata_reset(&rdata);
+		dns_rdataset_current(rdset, &rdata);
+		result = normalize_key(&rdata, &rdata2, data2, sizeof(data2));
+		if (result != ISC_R_SUCCESS) {
+			continue;
+		}
+		if (dns_rdata_compare(&rdata1, &rdata2) == 0) {
+			return (true);
+		}
+	}
+
+	return (false);
+}
+
+/*
+ * Calculate the refresh interval for a keydata zone, per
+ * RFC5011: MAX(1 hr,
+ *		MIN(15 days,
+ *		    1/2 * OrigTTL,
+ *		    1/2 * RRSigExpirationInterval))
+ * or for retries: MAX(1 hr,
+ *		       MIN(1 day,
+ *			   1/10 * OrigTTL,
+ *			   1/10 * RRSigExpirationInterval))
+ */
+static isc_stdtime_t
+refresh_time(dns_keyfetch_t *kfetch, bool retry) {
+	isc_result_t result;
+	uint32_t t;
+	dns_rdataset_t *rdset;
+	dns_rdata_t sigrr = DNS_RDATA_INIT;
+	dns_rdata_sig_t sig;
+	isc_stdtime_t now;
+
+	isc_stdtime_get(&now);
+
+	if (dns_rdataset_isassociated(&kfetch->dnskeysigset)) {
+		rdset = &kfetch->dnskeysigset;
+	} else {
+		return (now + dns_zone_mkey_hour);
+	}
+
+	result = dns_rdataset_first(rdset);
+	if (result != ISC_R_SUCCESS) {
+		return (now + dns_zone_mkey_hour);
+	}
+
+	dns_rdataset_current(rdset, &sigrr);
+	result = dns_rdata_tostruct(&sigrr, &sig, NULL);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	if (!retry) {
+		t = sig.originalttl / 2;
+
+		if (isc_serial_gt(sig.timeexpire, now)) {
+			uint32_t exp = (sig.timeexpire - now) / 2;
+			if (t > exp) {
+				t = exp;
+			}
+		}
+
+		if (t > (15 * dns_zone_mkey_day)) {
+			t = (15 * dns_zone_mkey_day);
+		}
+
+		if (t < dns_zone_mkey_hour) {
+			t = dns_zone_mkey_hour;
+		}
+	} else {
+		t = sig.originalttl / 10;
+
+		if (isc_serial_gt(sig.timeexpire, now)) {
+			uint32_t exp = (sig.timeexpire - now) / 10;
+			if (t > exp) {
+				t = exp;
+			}
+		}
+
+		if (t > dns_zone_mkey_day) {
+			t = dns_zone_mkey_day;
+		}
+
+		if (t < dns_zone_mkey_hour) {
+			t = dns_zone_mkey_hour;
+		}
+	}
+
+	return (now + t);
+}
+
+/*
+ * This routine is called when no changes are needed in a KEYDATA
+ * record except to simply update the refresh timer.  Caller should
+ * hold zone lock.
+ */
+static isc_result_t
+minimal_update(dns_keyfetch_t *kfetch, dns_dbversion_t *ver, dns_diff_t *diff) {
+	isc_result_t result;
+	isc_buffer_t keyb;
+	unsigned char key_buf[4096];
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_keydata_t keydata;
+	dns_name_t *name;
+	dns_zone_t *zone = kfetch->zone;
+	isc_stdtime_t now;
+
+	name = dns_fixedname_name(&kfetch->name);
+	isc_stdtime_get(&now);
+
+	for (result = dns_rdataset_first(&kfetch->keydataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&kfetch->keydataset))
+	{
+		dns_rdata_reset(&rdata);
+		dns_rdataset_current(&kfetch->keydataset, &rdata);
+
+		/* Delete old version */
+		CHECK(update_one_rr(kfetch->db, ver, diff, DNS_DIFFOP_DEL, name,
+				    0, &rdata));
+
+		/* Update refresh timer */
+		result = dns_rdata_tostruct(&rdata, &keydata, NULL);
+		if (result == ISC_R_UNEXPECTEDEND) {
+			continue;
+		}
+		if (result != ISC_R_SUCCESS) {
+			goto failure;
+		}
+		keydata.refresh = refresh_time(kfetch, true);
+		set_refreshkeytimer(zone, &keydata, now, false);
+
+		dns_rdata_reset(&rdata);
+		isc_buffer_init(&keyb, key_buf, sizeof(key_buf));
+		CHECK(dns_rdata_fromstruct(&rdata, zone->rdclass,
+					   dns_rdatatype_keydata, &keydata,
+					   &keyb));
+
+		/* Insert updated version */
+		CHECK(update_one_rr(kfetch->db, ver, diff, DNS_DIFFOP_ADD, name,
+				    0, &rdata));
+	}
+	result = ISC_R_SUCCESS;
+failure:
+	return (result);
+}
+
+/*
+ * Verify that DNSKEY set is signed by the key specified in 'keydata'.
+ */
+static bool
+revocable(dns_keyfetch_t *kfetch, dns_rdata_keydata_t *keydata) {
+	isc_result_t result;
+	dns_name_t *keyname;
+	isc_mem_t *mctx;
+	dns_rdata_t sigrr = DNS_RDATA_INIT;
+	dns_rdata_t rr = DNS_RDATA_INIT;
+	dns_rdata_rrsig_t sig;
+	dns_rdata_dnskey_t dnskey;
+	dst_key_t *dstkey = NULL;
+	unsigned char key_buf[4096];
+	isc_buffer_t keyb;
+	bool answer = false;
+
+	REQUIRE(kfetch != NULL && keydata != NULL);
+	REQUIRE(dns_rdataset_isassociated(&kfetch->dnskeysigset));
+
+	keyname = dns_fixedname_name(&kfetch->name);
+	mctx = kfetch->zone->view->mctx;
+
+	/* Generate a key from keydata */
+	isc_buffer_init(&keyb, key_buf, sizeof(key_buf));
+	dns_keydata_todnskey(keydata, &dnskey, NULL);
+	dns_rdata_fromstruct(&rr, keydata->common.rdclass, dns_rdatatype_dnskey,
+			     &dnskey, &keyb);
+	result = dns_dnssec_keyfromrdata(keyname, &rr, mctx, &dstkey);
+	if (result != ISC_R_SUCCESS) {
+		return (false);
+	}
+
+	/* See if that key generated any of the signatures */
+	for (result = dns_rdataset_first(&kfetch->dnskeysigset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&kfetch->dnskeysigset))
+	{
+		dns_fixedname_t fixed;
+		dns_fixedname_init(&fixed);
+
+		dns_rdata_reset(&sigrr);
+		dns_rdataset_current(&kfetch->dnskeysigset, &sigrr);
+		result = dns_rdata_tostruct(&sigrr, &sig, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		if (dst_key_alg(dstkey) == sig.algorithm &&
+		    dst_key_rid(dstkey) == sig.keyid)
+		{
+			result = dns_dnssec_verify(
+				keyname, &kfetch->dnskeyset, dstkey, false, 0,
+				mctx, &sigrr, dns_fixedname_name(&fixed));
+
+			dnssec_log(kfetch->zone, ISC_LOG_DEBUG(3),
+				   "Confirm revoked DNSKEY is self-signed: %s",
+				   dns_result_totext(result));
+
+			if (result == ISC_R_SUCCESS) {
+				answer = true;
+				break;
+			}
+		}
+	}
+
+	dst_key_free(&dstkey);
+	return (answer);
+}
+
+/*
+ * A DNSKEY set has been fetched from the zone apex of a zone whose trust
+ * anchors are being managed; scan the keyset, and update the key zone and the
+ * local trust anchors according to RFC5011.
+ */
+static void
+keyfetch_done(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result, eresult;
+	dns_fetchevent_t *devent;
+	dns_keyfetch_t *kfetch;
+	dns_zone_t *zone;
+	isc_mem_t *mctx = NULL;
+	dns_keytable_t *secroots = NULL;
+	dns_dbversion_t *ver = NULL;
+	dns_diff_t diff;
+	bool alldone = false;
+	bool commit = false;
+	dns_name_t *keyname = NULL;
+	dns_rdata_t sigrr = DNS_RDATA_INIT;
+	dns_rdata_t dnskeyrr = DNS_RDATA_INIT;
+	dns_rdata_t keydatarr = DNS_RDATA_INIT;
+	dns_rdata_rrsig_t sig;
+	dns_rdata_dnskey_t dnskey;
+	dns_rdata_keydata_t keydata;
+	bool initializing;
+	char namebuf[DNS_NAME_FORMATSIZE];
+	unsigned char key_buf[4096];
+	isc_buffer_t keyb;
+	dst_key_t *dstkey = NULL;
+	isc_stdtime_t now;
+	int pending = 0;
+	bool secure = false, initial = false;
+	bool free_needed;
+	dns_keynode_t *keynode = NULL;
+	dns_rdataset_t *dnskeys = NULL, *dnskeysigs = NULL;
+	dns_rdataset_t *keydataset = NULL, dsset;
+
+	UNUSED(task);
+	INSIST(event != NULL && event->ev_type == DNS_EVENT_FETCHDONE);
+	INSIST(event->ev_arg != NULL);
+
+	kfetch = event->ev_arg;
+	zone = kfetch->zone;
+	mctx = kfetch->mctx;
+	keyname = dns_fixedname_name(&kfetch->name);
+	dnskeys = &kfetch->dnskeyset;
+	dnskeysigs = &kfetch->dnskeysigset;
+	keydataset = &kfetch->keydataset;
+
+	devent = (dns_fetchevent_t *)event;
+	eresult = devent->result;
+
+	/* Free resources which are not of interest */
+	if (devent->node != NULL) {
+		dns_db_detachnode(devent->db, &devent->node);
+	}
+	if (devent->db != NULL) {
+		dns_db_detach(&devent->db);
+	}
+	isc_event_free(&event);
+	dns_resolver_destroyfetch(&kfetch->fetch);
+
+	LOCK_ZONE(zone);
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING) || zone->view == NULL) {
+		goto cleanup;
+	}
+
+	isc_stdtime_get(&now);
+	dns_name_format(keyname, namebuf, sizeof(namebuf));
+
+	result = dns_view_getsecroots(zone->view, &secroots);
+	INSIST(result == ISC_R_SUCCESS);
+
+	dns_diff_init(mctx, &diff);
+
+	CHECK(dns_db_newversion(kfetch->db, &ver));
+
+	zone->refreshkeycount--;
+	alldone = (zone->refreshkeycount == 0);
+
+	if (alldone) {
+		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESHING);
+	}
+
+	dnssec_log(zone, ISC_LOG_DEBUG(3),
+		   "Returned from key fetch in keyfetch_done() for '%s': %s",
+		   namebuf, dns_result_totext(eresult));
+
+	/* Fetch failed */
+	if (eresult != ISC_R_SUCCESS || !dns_rdataset_isassociated(dnskeys)) {
+		dnssec_log(zone, ISC_LOG_WARNING,
+			   "Unable to fetch DNSKEY set '%s': %s", namebuf,
+			   dns_result_totext(eresult));
+		CHECK(minimal_update(kfetch, ver, &diff));
+		goto done;
+	}
+
+	/* No RRSIGs found */
+	if (!dns_rdataset_isassociated(dnskeysigs)) {
+		dnssec_log(zone, ISC_LOG_WARNING,
+			   "No DNSKEY RRSIGs found for '%s': %s", namebuf,
+			   dns_result_totext(eresult));
+		CHECK(minimal_update(kfetch, ver, &diff));
+		goto done;
+	}
+
+	/*
+	 * Clear any cached trust level, as we need to run validation
+	 * over again; trusted keys might have changed.
+	 */
+	dnskeys->trust = dnskeysigs->trust = dns_trust_none;
+
+	/* Look up the trust anchor */
+	result = dns_keytable_find(secroots, keyname, &keynode);
+	if (result != ISC_R_SUCCESS) {
+		goto anchors_done;
+	}
+
+	/*
+	 * If the keynode has a DS trust anchor, use it for verification.
+	 */
+	dns_rdataset_init(&dsset);
+	if (dns_keynode_dsset(keynode, &dsset)) {
+		for (result = dns_rdataset_first(dnskeysigs);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(dnskeysigs))
+		{
+			isc_result_t tresult;
+			dns_rdata_t keyrdata = DNS_RDATA_INIT;
+
+			dns_rdata_reset(&sigrr);
+			dns_rdataset_current(dnskeysigs, &sigrr);
+			result = dns_rdata_tostruct(&sigrr, &sig, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+			for (tresult = dns_rdataset_first(&dsset);
+			     tresult == ISC_R_SUCCESS;
+			     tresult = dns_rdataset_next(&dsset))
+			{
+				dns_rdata_t dsrdata = DNS_RDATA_INIT;
+				dns_rdata_ds_t ds;
+
+				dns_rdata_reset(&dsrdata);
+				dns_rdataset_current(&dsset, &dsrdata);
+				tresult = dns_rdata_tostruct(&dsrdata, &ds,
+							     NULL);
+				RUNTIME_CHECK(tresult == ISC_R_SUCCESS);
+
+				if (ds.key_tag != sig.keyid ||
+				    ds.algorithm != sig.algorithm)
+				{
+					continue;
+				}
+
+				result = dns_dnssec_matchdskey(
+					keyname, &dsrdata, dnskeys, &keyrdata);
+				if (result == ISC_R_SUCCESS) {
+					break;
+				}
+			}
+
+			if (tresult == ISC_R_NOMORE) {
+				continue;
+			}
+
+			result = dns_dnssec_keyfromrdata(keyname, &keyrdata,
+							 mctx, &dstkey);
+			if (result != ISC_R_SUCCESS) {
+				continue;
+			}
+
+			result = dns_dnssec_verify(keyname, dnskeys, dstkey,
+						   false, 0, mctx, &sigrr,
+						   NULL);
+			dst_key_free(&dstkey);
+
+			dnssec_log(zone, ISC_LOG_DEBUG(3),
+				   "Verifying DNSKEY set for zone "
+				   "'%s' using DS %d/%d: %s",
+				   namebuf, sig.keyid, sig.algorithm,
+				   dns_result_totext(result));
+
+			if (result == ISC_R_SUCCESS) {
+				dnskeys->trust = dns_trust_secure;
+				dnskeysigs->trust = dns_trust_secure;
+				initial = dns_keynode_initial(keynode);
+				dns_keynode_trust(keynode);
+				secure = true;
+				break;
+			}
+		}
+		dns_rdataset_disassociate(&dsset);
+	}
+
+anchors_done:
+	if (keynode != NULL) {
+		dns_keytable_detachkeynode(secroots, &keynode);
+	}
+
+	/*
+	 * If we were not able to verify the answer using the current
+	 * trusted keys then all we can do is look at any revoked keys.
+	 */
+	if (!secure) {
+		dnssec_log(zone, ISC_LOG_INFO,
+			   "DNSKEY set for zone '%s' could not be verified "
+			   "with current keys",
+			   namebuf);
+	}
+
+	/*
+	 * First scan keydataset to find keys that are not in dnskeyset
+	 *   - Missing keys which are not scheduled for removal,
+	 *     log a warning
+	 *   - Missing keys which are scheduled for removal and
+	 *     the remove hold-down timer has completed should
+	 *     be removed from the key zone
+	 *   - Missing keys whose acceptance timers have not yet
+	 *     completed, log a warning and reset the acceptance
+	 *     timer to 30 days in the future
+	 *   - All keys not being removed have their refresh timers
+	 *     updated
+	 */
+	initializing = true;
+	for (result = dns_rdataset_first(keydataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(keydataset))
+	{
+		dns_keytag_t keytag;
+
+		dns_rdata_reset(&keydatarr);
+		dns_rdataset_current(keydataset, &keydatarr);
+		result = dns_rdata_tostruct(&keydatarr, &keydata, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		dns_keydata_todnskey(&keydata, &dnskey, NULL);
+		result = compute_tag(keyname, &dnskey, mctx, &keytag);
+		if (result != ISC_R_SUCCESS) {
+			/*
+			 * Skip if we cannot compute the key tag.
+			 * This may happen if the algorithm is unsupported
+			 */
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "Cannot compute tag for key in zone %s: "
+				     "%s "
+				     "(skipping)",
+				     namebuf, dns_result_totext(result));
+			continue;
+		}
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		/*
+		 * If any keydata record has a nonzero add holddown, then
+		 * there was a pre-existing trust anchor for this domain;
+		 * that means we are *not* initializing it and shouldn't
+		 * automatically trust all the keys we find at the zone apex.
+		 */
+		initializing = initializing && (keydata.addhd == 0);
+
+		if (!matchkey(dnskeys, &keydatarr)) {
+			bool deletekey = false;
+
+			if (!secure) {
+				if (keydata.removehd != 0 &&
+				    keydata.removehd <= now)
+				{
+					deletekey = true;
+				}
+			} else if (keydata.addhd == 0) {
+				deletekey = true;
+			} else if (keydata.addhd > now) {
+				dnssec_log(zone, ISC_LOG_INFO,
+					   "Pending key %d for zone %s "
+					   "unexpectedly missing "
+					   "restarting 30-day acceptance "
+					   "timer",
+					   keytag, namebuf);
+				if (keydata.addhd < now + dns_zone_mkey_month) {
+					keydata.addhd = now +
+							dns_zone_mkey_month;
+				}
+				keydata.refresh = refresh_time(kfetch, false);
+			} else if (keydata.removehd == 0) {
+				dnssec_log(zone, ISC_LOG_INFO,
+					   "Active key %d for zone %s "
+					   "unexpectedly missing",
+					   keytag, namebuf);
+				keydata.refresh = now + dns_zone_mkey_hour;
+			} else if (keydata.removehd <= now) {
+				deletekey = true;
+				dnssec_log(zone, ISC_LOG_INFO,
+					   "Revoked key %d for zone %s "
+					   "missing: deleting from "
+					   "managed keys database",
+					   keytag, namebuf);
+			} else {
+				keydata.refresh = refresh_time(kfetch, false);
+			}
+
+			if (secure || deletekey) {
+				/* Delete old version */
+				CHECK(update_one_rr(kfetch->db, ver, &diff,
+						    DNS_DIFFOP_DEL, keyname, 0,
+						    &keydatarr));
+			}
+
+			if (!secure || deletekey) {
+				continue;
+			}
+
+			dns_rdata_reset(&keydatarr);
+			isc_buffer_init(&keyb, key_buf, sizeof(key_buf));
+			dns_rdata_fromstruct(&keydatarr, zone->rdclass,
+					     dns_rdatatype_keydata, &keydata,
+					     &keyb);
+
+			/* Insert updated version */
+			CHECK(update_one_rr(kfetch->db, ver, &diff,
+					    DNS_DIFFOP_ADD, keyname, 0,
+					    &keydatarr));
+
+			set_refreshkeytimer(zone, &keydata, now, false);
+		}
+	}
+
+	/*
+	 * Next scan dnskeyset:
+	 *   - If new keys are found (i.e., lacking a match in keydataset)
+	 *     add them to the key zone and set the acceptance timer
+	 *     to 30 days in the future (or to immediately if we've
+	 *     determined that we're initializing the zone for the
+	 *     first time)
+	 *   - Previously-known keys that have been revoked
+	 *     must be scheduled for removal from the key zone (or,
+	 *     if they hadn't been accepted as trust anchors yet
+	 *     anyway, removed at once)
+	 *   - Previously-known unrevoked keys whose acceptance timers
+	 *     have completed are promoted to trust anchors
+	 *   - All keys not being removed have their refresh
+	 *     timers updated
+	 */
+	for (result = dns_rdataset_first(dnskeys); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(dnskeys))
+	{
+		bool revoked = false;
+		bool newkey = false;
+		bool updatekey = false;
+		bool deletekey = false;
+		bool trustkey = false;
+		dns_keytag_t keytag;
+
+		dns_rdata_reset(&dnskeyrr);
+		dns_rdataset_current(dnskeys, &dnskeyrr);
+		result = dns_rdata_tostruct(&dnskeyrr, &dnskey, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		/* Skip ZSK's */
+		if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0) {
+			continue;
+		}
+
+		result = compute_tag(keyname, &dnskey, mctx, &keytag);
+		if (result != ISC_R_SUCCESS) {
+			/*
+			 * Skip if we cannot compute the key tag.
+			 * This may happen if the algorithm is unsupported
+			 */
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "Cannot compute tag for key in zone %s: "
+				     "%s "
+				     "(skipping)",
+				     namebuf, dns_result_totext(result));
+			continue;
+		}
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		revoked = ((dnskey.flags & DNS_KEYFLAG_REVOKE) != 0);
+
+		if (matchkey(keydataset, &dnskeyrr)) {
+			dns_rdata_reset(&keydatarr);
+			dns_rdataset_current(keydataset, &keydatarr);
+			result = dns_rdata_tostruct(&keydatarr, &keydata, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+			if (revoked && revocable(kfetch, &keydata)) {
+				if (keydata.addhd > now) {
+					/*
+					 * Key wasn't trusted yet, and now
+					 * it's been revoked?  Just remove it
+					 */
+					deletekey = true;
+					dnssec_log(zone, ISC_LOG_INFO,
+						   "Pending key %d for "
+						   "zone %s is now revoked: "
+						   "deleting from the "
+						   "managed keys database",
+						   keytag, namebuf);
+				} else if (keydata.removehd == 0) {
+					/*
+					 * Remove key from secroots.
+					 */
+					dns_view_untrust(zone->view, keyname,
+							 &dnskey);
+
+					/* If initializing, delete now */
+					if (keydata.addhd == 0) {
+						deletekey = true;
+					} else {
+						keydata.removehd =
+							now +
+							dns_zone_mkey_month;
+						keydata.flags |=
+							DNS_KEYFLAG_REVOKE;
+					}
+
+					dnssec_log(zone, ISC_LOG_INFO,
+						   "Trusted key %d for "
+						   "zone %s is now revoked",
+						   keytag, namebuf);
+				} else if (keydata.removehd < now) {
+					/* Scheduled for removal */
+					deletekey = true;
+
+					dnssec_log(zone, ISC_LOG_INFO,
+						   "Revoked key %d for "
+						   "zone %s removal timer "
+						   "complete: deleting from "
+						   "the managed keys database",
+						   keytag, namebuf);
+				}
+			} else if (revoked && keydata.removehd == 0) {
+				dnssec_log(zone, ISC_LOG_WARNING,
+					   "Active key %d for zone "
+					   "%s is revoked but "
+					   "did not self-sign; "
+					   "ignoring",
+					   keytag, namebuf);
+				continue;
+			} else if (secure) {
+				if (keydata.removehd != 0) {
+					/*
+					 * Key isn't revoked--but it
+					 * seems it used to be.
+					 * Remove it now and add it
+					 * back as if it were a fresh key,
+					 * with a 30-day acceptance timer.
+					 */
+					deletekey = true;
+					newkey = true;
+					keydata.removehd = 0;
+					keydata.addhd = now +
+							dns_zone_mkey_month;
+
+					dnssec_log(zone, ISC_LOG_INFO,
+						   "Revoked key %d for "
+						   "zone %s has returned: "
+						   "starting 30-day "
+						   "acceptance timer",
+						   keytag, namebuf);
+				} else if (keydata.addhd > now) {
+					pending++;
+				} else if (keydata.addhd == 0) {
+					keydata.addhd = now;
+				}
+
+				if (keydata.addhd <= now) {
+					trustkey = true;
+					dnssec_log(zone, ISC_LOG_INFO,
+						   "Key %d for zone %s "
+						   "is now trusted (%s)",
+						   keytag, namebuf,
+						   initial ? "initializing key "
+							     "verified"
+							   : "acceptance timer "
+							     "complete");
+				}
+			} else if (keydata.addhd > now) {
+				/*
+				 * Not secure, and key is pending:
+				 * reset the acceptance timer
+				 */
+				pending++;
+				keydata.addhd = now + dns_zone_mkey_month;
+				dnssec_log(zone, ISC_LOG_INFO,
+					   "Pending key %d "
+					   "for zone %s was "
+					   "not validated: restarting "
+					   "30-day acceptance timer",
+					   keytag, namebuf);
+			}
+
+			if (!deletekey && !newkey) {
+				updatekey = true;
+			}
+		} else if (secure) {
+			/*
+			 * Key wasn't in the key zone but it's
+			 * revoked now anyway, so just skip it
+			 */
+			if (revoked) {
+				continue;
+			}
+
+			/* Key wasn't in the key zone: add it */
+			newkey = true;
+
+			if (initializing) {
+				dnssec_log(zone, ISC_LOG_WARNING,
+					   "Initializing automatic trust "
+					   "anchor management for zone '%s'; "
+					   "DNSKEY ID %d is now trusted, "
+					   "waiving the normal 30-day "
+					   "waiting period.",
+					   namebuf, keytag);
+				trustkey = true;
+			} else {
+				dnssec_log(zone, ISC_LOG_INFO,
+					   "New key %d observed "
+					   "for zone '%s': "
+					   "starting 30-day "
+					   "acceptance timer",
+					   keytag, namebuf);
+			}
+		} else {
+			/*
+			 * No previously known key, and the key is not
+			 * secure, so skip it.
+			 */
+			continue;
+		}
+
+		/* Delete old version */
+		if (deletekey || !newkey) {
+			CHECK(update_one_rr(kfetch->db, ver, &diff,
+					    DNS_DIFFOP_DEL, keyname, 0,
+					    &keydatarr));
+		}
+
+		if (updatekey) {
+			/* Set refresh timer */
+			keydata.refresh = refresh_time(kfetch, false);
+			dns_rdata_reset(&keydatarr);
+			isc_buffer_init(&keyb, key_buf, sizeof(key_buf));
+			dns_rdata_fromstruct(&keydatarr, zone->rdclass,
+					     dns_rdatatype_keydata, &keydata,
+					     &keyb);
+
+			/* Insert updated version */
+			CHECK(update_one_rr(kfetch->db, ver, &diff,
+					    DNS_DIFFOP_ADD, keyname, 0,
+					    &keydatarr));
+		} else if (newkey) {
+			/* Convert DNSKEY to KEYDATA */
+			result = dns_rdata_tostruct(&dnskeyrr, &dnskey, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			dns_keydata_fromdnskey(&keydata, &dnskey, 0, 0, 0,
+					       NULL);
+			keydata.addhd = initializing
+						? now
+						: now + dns_zone_mkey_month;
+			keydata.refresh = refresh_time(kfetch, false);
+			dns_rdata_reset(&keydatarr);
+			isc_buffer_init(&keyb, key_buf, sizeof(key_buf));
+			dns_rdata_fromstruct(&keydatarr, zone->rdclass,
+					     dns_rdatatype_keydata, &keydata,
+					     &keyb);
+
+			/* Insert into key zone */
+			CHECK(update_one_rr(kfetch->db, ver, &diff,
+					    DNS_DIFFOP_ADD, keyname, 0,
+					    &keydatarr));
+		}
+
+		if (trustkey) {
+			/* Trust this key. */
+			result = dns_rdata_tostruct(&dnskeyrr, &dnskey, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			trust_key(zone, keyname, &dnskey, false);
+		}
+
+		if (secure && !deletekey) {
+			INSIST(newkey || updatekey);
+			set_refreshkeytimer(zone, &keydata, now, false);
+		}
+	}
+
+	/*
+	 * RFC5011 says, "A trust point that has all of its trust anchors
+	 * revoked is considered deleted and is treated as if the trust
+	 * point was never configured."  But if someone revoked their
+	 * active key before the standby was trusted, that would mean the
+	 * zone would suddenly be nonsecured.  We avoid this by checking to
+	 * see if there's pending keydata.  If so, we put a null key in
+	 * the security roots; then all queries to the zone will fail.
+	 */
+	if (pending != 0) {
+		fail_secure(zone, keyname);
+	}
+
+done:
+	if (!ISC_LIST_EMPTY(diff.tuples)) {
+		/* Write changes to journal file. */
+		CHECK(update_soa_serial(zone, kfetch->db, ver, &diff, mctx,
+					zone->updatemethod));
+		CHECK(zone_journal(zone, &diff, NULL, "keyfetch_done"));
+		commit = true;
+
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
+		zone_needdump(zone, 30);
+	} else if (result == ISC_R_NOMORE) {
+		/*
+		 * If "updatekey" was true for all keys found in the DNSKEY
+		 * response and the previous update of those keys happened
+		 * during the same second (only possible if a key refresh was
+		 * externally triggered), it may happen that all relevant
+		 * update_one_rr() calls will return ISC_R_SUCCESS, but
+		 * diff.tuples will remain empty.  Reset result to
+		 * ISC_R_SUCCESS to prevent a bogus warning from being logged.
+		 */
+		result = ISC_R_SUCCESS;
+	}
+
+failure:
+	if (result != ISC_R_SUCCESS) {
+		dnssec_log(zone, ISC_LOG_ERROR,
+			   "error during managed-keys processing (%s): "
+			   "DNSSEC validation may be at risk",
+			   isc_result_totext(result));
+	}
+	dns_diff_clear(&diff);
+	if (ver != NULL) {
+		dns_db_closeversion(kfetch->db, &ver, commit);
+	}
+
+cleanup:
+	dns_db_detach(&kfetch->db);
+
+	/* The zone must be managed */
+	INSIST(kfetch->zone->task != NULL);
+	isc_refcount_decrement(&zone->irefs);
+
+	if (dns_rdataset_isassociated(keydataset)) {
+		dns_rdataset_disassociate(keydataset);
+	}
+	if (dns_rdataset_isassociated(dnskeys)) {
+		dns_rdataset_disassociate(dnskeys);
+	}
+	if (dns_rdataset_isassociated(dnskeysigs)) {
+		dns_rdataset_disassociate(dnskeysigs);
+	}
+
+	dns_name_free(keyname, mctx);
+	isc_mem_putanddetach(&kfetch->mctx, kfetch, sizeof(dns_keyfetch_t));
+
+	if (secroots != NULL) {
+		dns_keytable_detach(&secroots);
+	}
+
+	free_needed = exit_check(zone);
+	UNLOCK_ZONE(zone);
+
+	if (free_needed) {
+		zone_free(zone);
+	}
+
+	INSIST(ver == NULL);
+}
+
+static void
+retry_keyfetch(dns_keyfetch_t *kfetch, dns_name_t *kname) {
+	isc_time_t timenow, timethen;
+	dns_zone_t *zone = kfetch->zone;
+	bool free_needed;
+	char namebuf[DNS_NAME_FORMATSIZE];
+
+	dns_name_format(kname, namebuf, sizeof(namebuf));
+	dnssec_log(zone, ISC_LOG_WARNING,
+		   "Failed to create fetch for %s DNSKEY update", namebuf);
+
+	/*
+	 * Error during a key fetch; cancel and retry in an hour.
+	 */
+	LOCK_ZONE(zone);
+	zone->refreshkeycount--;
+	isc_refcount_decrement(&zone->irefs);
+	dns_db_detach(&kfetch->db);
+	dns_rdataset_disassociate(&kfetch->keydataset);
+	dns_name_free(kname, zone->mctx);
+	isc_mem_putanddetach(&kfetch->mctx, kfetch, sizeof(*kfetch));
+
+	if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
+		/* Don't really retry if we are exiting */
+		char timebuf[80];
+
+		TIME_NOW(&timenow);
+		DNS_ZONE_TIME_ADD(&timenow, dns_zone_mkey_hour, &timethen);
+		zone->refreshkeytime = timethen;
+		zone_settimer(zone, &timenow);
+
+		isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80);
+		dnssec_log(zone, ISC_LOG_DEBUG(1), "retry key refresh: %s",
+			   timebuf);
+	}
+
+	free_needed = exit_check(zone);
+	UNLOCK_ZONE(zone);
+
+	if (free_needed) {
+		zone_free(zone);
+	}
+}
+
+static void
+do_keyfetch(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result;
+	dns_keyfetch_t *kfetch = (dns_keyfetch_t *)event->ev_arg;
+	dns_name_t *kname = dns_fixedname_name(&kfetch->name);
+	dns_zone_t *zone = kfetch->zone;
+
+	UNUSED(task);
+
+	isc_event_free(&event);
+
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
+		retry_keyfetch(kfetch, kname);
+		return;
+	}
+
+	/*
+	 * Use of DNS_FETCHOPT_NOCACHED is essential here.  If it is not
+	 * set and the cache still holds a non-expired, validated version
+	 * of the RRset being queried for by the time the response is
+	 * received, the cached RRset will be passed to keyfetch_done()
+	 * instead of the one received in the response as the latter will
+	 * have a lower trust level due to not being validated until
+	 * keyfetch_done() is called.
+	 */
+	result = dns_resolver_createfetch(
+		zone->view->resolver, kname, dns_rdatatype_dnskey, NULL, NULL,
+		NULL, NULL, 0,
+		DNS_FETCHOPT_NOVALIDATE | DNS_FETCHOPT_UNSHARED |
+			DNS_FETCHOPT_NOCACHED,
+		0, NULL, zone->task, keyfetch_done, kfetch, &kfetch->dnskeyset,
+		&kfetch->dnskeysigset, &kfetch->fetch);
+
+	if (result != ISC_R_SUCCESS) {
+		retry_keyfetch(kfetch, kname);
+	}
+}
+
+/*
+ * Refresh the data in the key zone.  Initiate a fetch to look up
+ * DNSKEY records at the trust anchor name.
+ */
+static void
+zone_refreshkeys(dns_zone_t *zone) {
+	const char me[] = "zone_refreshkeys";
+	isc_result_t result;
+	dns_rriterator_t rrit;
+	dns_db_t *db = NULL;
+	dns_dbversion_t *ver = NULL;
+	dns_diff_t diff;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_keydata_t kd;
+	isc_stdtime_t now;
+	bool commit = false;
+	bool fetching = false;
+	bool timerset = false;
+
+	ENTER;
+	REQUIRE(zone->db != NULL);
+
+	isc_stdtime_get(&now);
+
+	LOCK_ZONE(zone);
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
+		isc_time_settoepoch(&zone->refreshkeytime);
+		UNLOCK_ZONE(zone);
+		return;
+	}
+
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	dns_db_attach(zone->db, &db);
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+
+	dns_diff_init(zone->mctx, &diff);
+
+	CHECK(dns_db_newversion(db, &ver));
+
+	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_REFRESHING);
+
+	dns_rriterator_init(&rrit, db, ver, 0);
+	for (result = dns_rriterator_first(&rrit); result == ISC_R_SUCCESS;
+	     result = dns_rriterator_nextrrset(&rrit))
+	{
+		isc_stdtime_t timer = 0xffffffff;
+		dns_name_t *name = NULL, *kname = NULL;
+		dns_rdataset_t *kdset = NULL;
+		uint32_t ttl;
+
+		dns_rriterator_current(&rrit, &name, &ttl, &kdset, NULL);
+		if (kdset == NULL || kdset->type != dns_rdatatype_keydata ||
+		    !dns_rdataset_isassociated(kdset))
+		{
+			continue;
+		}
+
+		/*
+		 * Scan the stored keys looking for ones that need
+		 * removal or refreshing
+		 */
+		for (result = dns_rdataset_first(kdset);
+		     result == ISC_R_SUCCESS; result = dns_rdataset_next(kdset))
+		{
+			dns_rdata_reset(&rdata);
+			dns_rdataset_current(kdset, &rdata);
+			result = dns_rdata_tostruct(&rdata, &kd, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+			/* Removal timer expired? */
+			if (kd.removehd != 0 && kd.removehd < now) {
+				dns_rriterator_pause(&rrit);
+				CHECK(update_one_rr(db, ver, &diff,
+						    DNS_DIFFOP_DEL, name, ttl,
+						    &rdata));
+				continue;
+			}
+
+			/* Acceptance timer expired? */
+			if (kd.addhd <= now) {
+				timer = kd.addhd;
+			}
+
+			/* Or do we just need to refresh the keyset? */
+			if (timer > kd.refresh) {
+				timer = kd.refresh;
+			}
+
+			dns_rriterator_pause(&rrit);
+			set_refreshkeytimer(zone, &kd, now, false);
+			timerset = true;
+		}
+
+		if (timer > now) {
+			continue;
+		}
+
+		dns_rriterator_pause(&rrit);
+
+#ifdef ENABLE_AFL
+		if (!dns_fuzzing_resolver) {
+#endif /* ifdef ENABLE_AFL */
+			dns_keyfetch_t *kfetch = NULL;
+			isc_event_t *e;
+
+			kfetch = isc_mem_get(zone->mctx,
+					     sizeof(dns_keyfetch_t));
+			*kfetch = (dns_keyfetch_t){ .zone = zone };
+			isc_mem_attach(zone->mctx, &kfetch->mctx);
+
+			zone->refreshkeycount++;
+			isc_refcount_increment0(&zone->irefs);
+			kname = dns_fixedname_initname(&kfetch->name);
+			dns_name_dup(name, zone->mctx, kname);
+			dns_rdataset_init(&kfetch->dnskeyset);
+			dns_rdataset_init(&kfetch->dnskeysigset);
+			dns_rdataset_init(&kfetch->keydataset);
+			dns_rdataset_clone(kdset, &kfetch->keydataset);
+			dns_db_attach(db, &kfetch->db);
+
+			if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3))) {
+				char namebuf[DNS_NAME_FORMATSIZE];
+				dns_name_format(kname, namebuf,
+						sizeof(namebuf));
+				dnssec_log(zone, ISC_LOG_DEBUG(3),
+					   "Creating key fetch in "
+					   "zone_refreshkeys() for '%s'",
+					   namebuf);
+			}
+
+			e = isc_event_allocate(zone->mctx, NULL, DNS_EVENT_ZONE,
+					       do_keyfetch, kfetch,
+					       sizeof(isc_event_t));
+			isc_task_send(zone->task, &e);
+			fetching = true;
+#ifdef ENABLE_AFL
+		}
+#endif /* ifdef ENABLE_AFL */
+	}
+	if (!ISC_LIST_EMPTY(diff.tuples)) {
+		CHECK(update_soa_serial(zone, db, ver, &diff, zone->mctx,
+					zone->updatemethod));
+		CHECK(zone_journal(zone, &diff, NULL, "zone_refreshkeys"));
+		commit = true;
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
+		zone_needdump(zone, 30);
+	}
+
+failure:
+	if (!timerset) {
+		isc_time_settoepoch(&zone->refreshkeytime);
+	}
+
+	if (!fetching) {
+		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESHING);
+	}
+
+	dns_diff_clear(&diff);
+	if (ver != NULL) {
+		dns_rriterator_destroy(&rrit);
+		dns_db_closeversion(db, &ver, commit);
+	}
+	dns_db_detach(&db);
+
+	UNLOCK_ZONE(zone);
+
+	INSIST(ver == NULL);
+}
+
+static void
+zone_maintenance(dns_zone_t *zone) {
+	const char me[] = "zone_maintenance";
+	isc_time_t now;
+	isc_result_t result;
+	bool dumping, load_pending, exiting, viewok;
+	bool need_notify;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	ENTER;
+
+	/*
+	 * Are we pending load/reload, exiting, or unconfigured
+	 * (e.g. because of a syntax failure in the config file)?
+	 * If so, don't attempt maintenance.
+	 */
+	LOCK_ZONE(zone);
+	load_pending = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADPENDING);
+	exiting = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING);
+	viewok = (zone->view != NULL && zone->view->adb != NULL);
+	UNLOCK_ZONE(zone);
+
+	if (load_pending || exiting || !viewok) {
+		return;
+	}
+
+	TIME_NOW(&now);
+
+	/*
+	 * Expire check.
+	 */
+	switch (zone->type) {
+	case dns_zone_redirect:
+		if (zone->masters == NULL) {
+			break;
+		}
+		FALLTHROUGH;
+	case dns_zone_secondary:
+	case dns_zone_mirror:
+	case dns_zone_stub:
+		LOCK_ZONE(zone);
+		if (isc_time_compare(&now, &zone->expiretime) >= 0 &&
+		    DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED))
+		{
+			zone_expire(zone);
+			zone->refreshtime = now;
+		}
+		UNLOCK_ZONE(zone);
+		break;
+	default:
+		break;
+	}
+
+	/*
+	 * Up to date check.
+	 */
+	switch (zone->type) {
+	case dns_zone_redirect:
+		if (zone->masters == NULL) {
+			break;
+		}
+		FALLTHROUGH;
+	case dns_zone_secondary:
+	case dns_zone_mirror:
+	case dns_zone_stub:
+		if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH) &&
+		    isc_time_compare(&now, &zone->refreshtime) >= 0)
+		{
+			dns_zone_refresh(zone);
+		}
+		break;
+	default:
+		break;
+	}
+
+	/*
+	 * Secondaries send notifies before backing up to disk,
+	 * primaries after.
+	 */
+	LOCK_ZONE(zone);
+	need_notify = (zone->type == dns_zone_secondary ||
+		       zone->type == dns_zone_mirror) &&
+		      (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY) ||
+		       DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDSTARTUPNOTIFY)) &&
+		      (isc_time_compare(&now, &zone->notifytime) >= 0);
+	UNLOCK_ZONE(zone);
+
+	if (need_notify) {
+		zone_notify(zone, &now);
+	}
+
+	/*
+	 * Do we need to consolidate the backing store?
+	 */
+	switch (zone->type) {
+	case dns_zone_primary:
+	case dns_zone_secondary:
+	case dns_zone_mirror:
+	case dns_zone_key:
+	case dns_zone_redirect:
+	case dns_zone_stub:
+		LOCK_ZONE(zone);
+		if (zone->masterfile != NULL &&
+		    isc_time_compare(&now, &zone->dumptime) >= 0 &&
+		    DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) &&
+		    DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP))
+		{
+			dumping = was_dumping(zone);
+		} else {
+			dumping = true;
+		}
+		UNLOCK_ZONE(zone);
+		if (!dumping) {
+			result = zone_dump(zone, true); /* task locked */
+			if (result != ISC_R_SUCCESS) {
+				dns_zone_log(zone, ISC_LOG_WARNING,
+					     "dump failed: %s",
+					     dns_result_totext(result));
+			}
+		}
+		break;
+	default:
+		break;
+	}
+
+	/*
+	 * Master/redirect zones send notifies now, if needed
+	 */
+	switch (zone->type) {
+	case dns_zone_primary:
+	case dns_zone_redirect:
+		if ((DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY) ||
+		     DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDSTARTUPNOTIFY)) &&
+		    isc_time_compare(&now, &zone->notifytime) >= 0)
+		{
+			zone_notify(zone, &now);
+		}
+	default:
+		break;
+	}
+
+	/*
+	 * Do we need to refresh keys?
+	 */
+	switch (zone->type) {
+	case dns_zone_key:
+		if (isc_time_compare(&now, &zone->refreshkeytime) >= 0) {
+			if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) &&
+			    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESHING))
+			{
+				zone_refreshkeys(zone);
+			}
+		}
+		break;
+	case dns_zone_primary:
+		if (!isc_time_isepoch(&zone->refreshkeytime) &&
+		    isc_time_compare(&now, &zone->refreshkeytime) >= 0 &&
+		    zone->rss_event == NULL)
+		{
+			zone_rekey(zone);
+		}
+	default:
+		break;
+	}
+
+	switch (zone->type) {
+	case dns_zone_primary:
+	case dns_zone_redirect:
+	case dns_zone_secondary:
+		/*
+		 * Do we need to sign/resign some RRsets?
+		 */
+		if (zone->rss_event != NULL) {
+			break;
+		}
+		if (!isc_time_isepoch(&zone->signingtime) &&
+		    isc_time_compare(&now, &zone->signingtime) >= 0)
+		{
+			zone_sign(zone);
+		} else if (!isc_time_isepoch(&zone->resigntime) &&
+			   isc_time_compare(&now, &zone->resigntime) >= 0)
+		{
+			zone_resigninc(zone);
+		} else if (!isc_time_isepoch(&zone->nsec3chaintime) &&
+			   isc_time_compare(&now, &zone->nsec3chaintime) >= 0)
+		{
+			zone_nsec3chain(zone);
+		}
+		/*
+		 * Do we need to issue a key expiry warning?
+		 */
+		if (!isc_time_isepoch(&zone->keywarntime) &&
+		    isc_time_compare(&now, &zone->keywarntime) >= 0)
+		{
+			set_key_expiry_warning(zone, zone->key_expiry,
+					       isc_time_seconds(&now));
+		}
+		break;
+
+	default:
+		break;
+	}
+	LOCK_ZONE(zone);
+	zone_settimer(zone, &now);
+	UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_markdirty(dns_zone_t *zone) {
+	uint32_t serial;
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_zone_t *secure = NULL;
+
+	/*
+	 * Obtaining a lock on the zone->secure (see zone_send_secureserial)
+	 * could result in a deadlock due to a LOR so we will spin if we
+	 * can't obtain the both locks.
+	 */
+again:
+	LOCK_ZONE(zone);
+	if (zone->type == dns_zone_primary) {
+		if (inline_raw(zone)) {
+			unsigned int soacount;
+			secure = zone->secure;
+			INSIST(secure != zone);
+			TRYLOCK_ZONE(result, secure);
+			if (result != ISC_R_SUCCESS) {
+				UNLOCK_ZONE(zone);
+				secure = NULL;
+				isc_thread_yield();
+				goto again;
+			}
+
+			ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+			if (zone->db != NULL) {
+				result = zone_get_from_db(
+					zone, zone->db, NULL, &soacount, NULL,
+					&serial, NULL, NULL, NULL, NULL, NULL);
+			} else {
+				result = DNS_R_NOTLOADED;
+			}
+			ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+			if (result == ISC_R_SUCCESS && soacount > 0U) {
+				zone_send_secureserial(zone, serial);
+			}
+		}
+
+		/* XXXMPA make separate call back */
+		if (result == ISC_R_SUCCESS) {
+			set_resigntime(zone);
+			if (zone->task != NULL) {
+				isc_time_t now;
+				TIME_NOW(&now);
+				zone_settimer(zone, &now);
+			}
+		}
+	}
+	if (secure != NULL) {
+		UNLOCK_ZONE(secure);
+	}
+	zone_needdump(zone, DNS_DUMP_DELAY);
+	UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_expire(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone_expire(zone);
+	UNLOCK_ZONE(zone);
+}
+
+static void
+zone_expire(dns_zone_t *zone) {
+	dns_db_t *db = NULL;
+
+	/*
+	 * 'zone' locked by caller.
+	 */
+
+	REQUIRE(LOCKED_ZONE(zone));
+
+	dns_zone_log(zone, ISC_LOG_WARNING, "expired");
+
+	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_EXPIRED);
+	zone->refresh = DNS_ZONE_DEFAULTREFRESH;
+	zone->retry = DNS_ZONE_DEFAULTRETRY;
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
+
+	/*
+	 * An RPZ zone has expired; before unloading it, we must
+	 * first remove it from the RPZ summary database. The
+	 * easiest way to do this is "update" it with an empty
+	 * database so that the update callback synchronizes
+	 * the diff automatically.
+	 */
+	if (zone->rpzs != NULL && zone->rpz_num != DNS_RPZ_INVALID_NUM) {
+		isc_result_t result;
+		dns_rpz_zone_t *rpz = zone->rpzs->zones[zone->rpz_num];
+
+		CHECK(dns_db_create(zone->mctx, "rbt", &zone->origin,
+				    dns_dbtype_zone, zone->rdclass, 0, NULL,
+				    &db));
+		CHECK(dns_rpz_dbupdate_callback(db, rpz));
+		dns_zone_log(zone, ISC_LOG_WARNING,
+			     "response-policy zone expired; "
+			     "policies unloaded");
+	}
+
+failure:
+	if (db != NULL) {
+		dns_db_detach(&db);
+	}
+
+	zone_unload(zone);
+}
+
+void
+dns_zone_refresh(dns_zone_t *zone) {
+	isc_interval_t i;
+	uint32_t oldflags;
+	unsigned int j;
+	isc_result_t result;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
+		return;
+	}
+
+	/*
+	 * Set DNS_ZONEFLG_REFRESH so that there is only one refresh operation
+	 * in progress at a time.
+	 */
+
+	LOCK_ZONE(zone);
+	oldflags = atomic_load(&zone->flags);
+	if (zone->masterscnt == 0) {
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOMASTERS);
+		if ((oldflags & DNS_ZONEFLG_NOMASTERS) == 0) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "cannot refresh: no primaries");
+		}
+		goto unlock;
+	}
+	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_REFRESH);
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOEDNS);
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_USEALTXFRSRC);
+	if ((oldflags & (DNS_ZONEFLG_REFRESH | DNS_ZONEFLG_LOADING)) != 0) {
+		goto unlock;
+	}
+
+	/*
+	 * Set the next refresh time as if refresh check has failed.
+	 * Setting this to the retry time will do that.  XXXMLG
+	 * If we are successful it will be reset using zone->refresh.
+	 */
+	isc_interval_set(&i, zone->retry - isc_random_uniform(zone->retry / 4),
+			 0);
+	result = isc_time_nowplusinterval(&zone->refreshtime, &i);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_WARNING,
+			     "isc_time_nowplusinterval() failed: %s",
+			     dns_result_totext(result));
+	}
+
+	/*
+	 * When lacking user-specified timer values from the SOA,
+	 * do exponential backoff of the retry time up to a
+	 * maximum of six hours.
+	 */
+	if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HAVETIMERS)) {
+		zone->retry = ISC_MIN(zone->retry * 2, 6 * 3600);
+	}
+
+	zone->curmaster = 0;
+	for (j = 0; j < zone->masterscnt; j++) {
+		zone->mastersok[j] = false;
+	}
+	/* initiate soa query */
+	queue_soa_query(zone);
+unlock:
+	UNLOCK_ZONE(zone);
+}
+
+static isc_result_t
+zone_journal_rollforward(dns_zone_t *zone, dns_db_t *db, bool *needdump,
+			 bool *fixjournal) {
+	dns_journal_t *journal = NULL;
+	unsigned int options;
+	isc_result_t result;
+
+	if (zone->type == dns_zone_primary &&
+	    (inline_secure(zone) ||
+	     (zone->update_acl != NULL || zone->ssutable != NULL)))
+	{
+		options = DNS_JOURNALOPT_RESIGN;
+	} else {
+		options = 0;
+	}
+
+	result = dns_journal_open(zone->mctx, zone->journal, DNS_JOURNAL_READ,
+				  &journal);
+	if (result == ISC_R_NOTFOUND) {
+		dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_DEBUG(3),
+			      "no journal file, but that's OK ");
+		return (ISC_R_SUCCESS);
+	} else if (result != ISC_R_SUCCESS) {
+		dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_ERROR,
+			      "journal open failed: %s",
+			      dns_result_totext(result));
+		return (result);
+	}
+
+	if (dns_journal_empty(journal)) {
+		dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_DEBUG(1),
+			      "journal empty");
+		dns_journal_destroy(&journal);
+		return (ISC_R_SUCCESS);
+	}
+
+	result = dns_journal_rollforward(journal, db, options);
+	switch (result) {
+	case ISC_R_SUCCESS:
+		*needdump = true;
+		FALLTHROUGH;
+	case DNS_R_UPTODATE:
+		if (dns_journal_recovered(journal)) {
+			*fixjournal = true;
+			dns_zone_logc(
+				zone, DNS_LOGCATEGORY_ZONELOAD,
+				ISC_LOG_DEBUG(1),
+				"journal rollforward completed successfully "
+				"using old journal format: %s",
+				dns_result_totext(result));
+		} else {
+			dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
+				      ISC_LOG_DEBUG(1),
+				      "journal rollforward completed "
+				      "successfully: %s",
+				      dns_result_totext(result));
+		}
+
+		dns_journal_destroy(&journal);
+		return (ISC_R_SUCCESS);
+	case ISC_R_NOTFOUND:
+	case ISC_R_RANGE:
+		dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_ERROR,
+			      "journal rollforward failed: journal out of sync "
+			      "with zone");
+		dns_journal_destroy(&journal);
+		return (result);
+	default:
+		dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_ERROR,
+			      "journal rollforward failed: %s",
+			      dns_result_totext(result));
+		dns_journal_destroy(&journal);
+		return (result);
+	}
+}
+
+static void
+zone_journal_compact(dns_zone_t *zone, dns_db_t *db, uint32_t serial) {
+	isc_result_t result;
+	int32_t journalsize;
+	dns_dbversion_t *ver = NULL;
+	uint64_t dbsize;
+	uint32_t options = 0;
+
+	INSIST(LOCKED_ZONE(zone));
+	if (inline_raw(zone)) {
+		INSIST(LOCKED_ZONE(zone->secure));
+	}
+
+	journalsize = zone->journalsize;
+	if (journalsize == -1) {
+		journalsize = DNS_JOURNAL_SIZE_MAX;
+		dns_db_currentversion(db, &ver);
+		result = dns_db_getsize(db, ver, NULL, &dbsize);
+		dns_db_closeversion(db, &ver, false);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "zone_journal_compact: "
+				     "could not get zone size: %s",
+				     isc_result_totext(result));
+		} else if (dbsize < DNS_JOURNAL_SIZE_MAX / 2) {
+			journalsize = (int32_t)dbsize * 2;
+		}
+	}
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FIXJOURNAL)) {
+		options |= DNS_JOURNAL_COMPACTALL;
+		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_FIXJOURNAL);
+		zone_debuglog(zone, "zone_journal_compact", 1,
+			      "repair full journal");
+	} else {
+		zone_debuglog(zone, "zone_journal_compact", 1,
+			      "target journal size %d", journalsize);
+	}
+	result = dns_journal_compact(zone->mctx, zone->journal, serial, options,
+				     journalsize);
+	switch (result) {
+	case ISC_R_SUCCESS:
+	case ISC_R_NOSPACE:
+	case ISC_R_NOTFOUND:
+		dns_zone_log(zone, ISC_LOG_DEBUG(3), "dns_journal_compact: %s",
+			     dns_result_totext(result));
+		break;
+	default:
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "dns_journal_compact failed: %s",
+			     dns_result_totext(result));
+		break;
+	}
+}
+
+isc_result_t
+dns_zone_flush(dns_zone_t *zone) {
+	isc_result_t result = ISC_R_SUCCESS;
+	bool dumping;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_FLUSH);
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
+	    zone->masterfile != NULL)
+	{
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDCOMPACT);
+		result = ISC_R_ALREADYRUNNING;
+		dumping = was_dumping(zone);
+	} else {
+		dumping = true;
+	}
+	UNLOCK_ZONE(zone);
+	if (!dumping) {
+		result = zone_dump(zone, true); /* Unknown task. */
+	}
+	return (result);
+}
+
+isc_result_t
+dns_zone_dump(dns_zone_t *zone) {
+	isc_result_t result = ISC_R_ALREADYRUNNING;
+	bool dumping;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	dumping = was_dumping(zone);
+	UNLOCK_ZONE(zone);
+	if (!dumping) {
+		result = zone_dump(zone, false); /* Unknown task. */
+	}
+	return (result);
+}
+
+static void
+zone_needdump(dns_zone_t *zone, unsigned int delay) {
+	const char me[] = "zone_needdump";
+	isc_time_t dumptime;
+	isc_time_t now;
+
+	/*
+	 * 'zone' locked by caller
+	 */
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(LOCKED_ZONE(zone));
+	ENTER;
+
+	/*
+	 * Do we have a place to dump to and are we loaded?
+	 */
+	if (zone->masterfile == NULL ||
+	    DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) == 0)
+	{
+		return;
+	}
+
+	TIME_NOW(&now);
+	/* add some noise */
+	DNS_ZONE_JITTER_ADD(&now, delay, &dumptime);
+
+	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
+	if (isc_time_isepoch(&zone->dumptime) ||
+	    isc_time_compare(&zone->dumptime, &dumptime) > 0)
+	{
+		zone->dumptime = dumptime;
+	}
+	if (zone->task != NULL) {
+		zone_settimer(zone, &now);
+	}
+}
+
+static void
+dump_done(void *arg, isc_result_t result) {
+	const char me[] = "dump_done";
+	dns_zone_t *zone = arg;
+	dns_zone_t *secure = NULL;
+	dns_db_t *db;
+	dns_dbversion_t *version;
+	bool again = false;
+	bool compact = false;
+	uint32_t serial;
+	isc_result_t tresult;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	ENTER;
+
+	if (result == ISC_R_SUCCESS && zone->journal != NULL) {
+		/*
+		 * We don't own these, zone->dctx must stay valid.
+		 */
+		db = dns_dumpctx_db(zone->dctx);
+		version = dns_dumpctx_version(zone->dctx);
+		tresult = dns_db_getsoaserial(db, version, &serial);
+
+		/*
+		 * Handle lock order inversion.
+		 */
+	again:
+		LOCK_ZONE(zone);
+		if (inline_raw(zone)) {
+			secure = zone->secure;
+			INSIST(secure != zone);
+			TRYLOCK_ZONE(result, secure);
+			if (result != ISC_R_SUCCESS) {
+				UNLOCK_ZONE(zone);
+				secure = NULL;
+				isc_thread_yield();
+				goto again;
+			}
+		}
+
+		/*
+		 * If there is a secure version of this zone
+		 * use its serial if it is less than ours.
+		 */
+		if (tresult == ISC_R_SUCCESS && secure != NULL) {
+			uint32_t sserial;
+			isc_result_t mresult;
+
+			ZONEDB_LOCK(&secure->dblock, isc_rwlocktype_read);
+			if (secure->db != NULL) {
+				mresult = dns_db_getsoaserial(zone->secure->db,
+							      NULL, &sserial);
+				if (mresult == ISC_R_SUCCESS &&
+				    isc_serial_lt(sserial, serial))
+				{
+					serial = sserial;
+				}
+			}
+			ZONEDB_UNLOCK(&secure->dblock, isc_rwlocktype_read);
+		}
+		if (tresult == ISC_R_SUCCESS && zone->xfr == NULL) {
+			dns_db_t *zdb = NULL;
+			if (dns_zone_getdb(zone, &zdb) == ISC_R_SUCCESS) {
+				zone_journal_compact(zone, zdb, serial);
+				dns_db_detach(&zdb);
+			}
+		} else if (tresult == ISC_R_SUCCESS) {
+			compact = true;
+			zone->compact_serial = serial;
+		}
+		if (secure != NULL) {
+			UNLOCK_ZONE(secure);
+		}
+		UNLOCK_ZONE(zone);
+	}
+
+	LOCK_ZONE(zone);
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_DUMPING);
+	if (compact) {
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDCOMPACT);
+	}
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SHUTDOWN)) {
+		/*
+		 * If DNS_ZONEFLG_SHUTDOWN is set, all external references to
+		 * the zone are gone, which means it is in the process of being
+		 * cleaned up, so do not reschedule dumping.
+		 *
+		 * Detach from the raw version of the zone in case this
+		 * operation has been deferred in zone_shutdown().
+		 */
+		if (zone->raw != NULL) {
+			dns_zone_detach(&zone->raw);
+		}
+		if (result == ISC_R_SUCCESS) {
+			DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_FLUSH);
+		}
+	} else if (result != ISC_R_SUCCESS && result != ISC_R_CANCELED) {
+		/*
+		 * Try again in a short while.
+		 */
+		zone_needdump(zone, DNS_DUMP_DELAY);
+	} else if (result == ISC_R_SUCCESS &&
+		   DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FLUSH) &&
+		   DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
+		   DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED))
+	{
+		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DUMPING);
+		isc_time_settoepoch(&zone->dumptime);
+		again = true;
+	} else if (result == ISC_R_SUCCESS) {
+		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_FLUSH);
+	}
+
+	if (zone->dctx != NULL) {
+		dns_dumpctx_detach(&zone->dctx);
+	}
+	zonemgr_putio(&zone->writeio);
+	UNLOCK_ZONE(zone);
+	if (again) {
+		(void)zone_dump(zone, false);
+	}
+	dns_zone_idetach(&zone);
+}
+
+static isc_result_t
+zone_dump(dns_zone_t *zone, bool compact) {
+	const char me[] = "zone_dump";
+	isc_result_t result;
+	dns_dbversion_t *version = NULL;
+	bool again;
+	dns_db_t *db = NULL;
+	char *masterfile = NULL;
+	dns_masterformat_t masterformat = dns_masterformat_none;
+
+	/*
+	 * 'compact' MUST only be set if we are task locked.
+	 */
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	ENTER;
+
+redo:
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zone->db != NULL) {
+		dns_db_attach(zone->db, &db);
+	}
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+	LOCK_ZONE(zone);
+	if (zone->masterfile != NULL) {
+		masterfile = isc_mem_strdup(zone->mctx, zone->masterfile);
+		masterformat = zone->masterformat;
+	}
+	UNLOCK_ZONE(zone);
+	if (db == NULL) {
+		result = DNS_R_NOTLOADED;
+		goto fail;
+	}
+	if (masterfile == NULL) {
+		result = DNS_R_NOMASTERFILE;
+		goto fail;
+	}
+
+	if (compact && zone->type != dns_zone_stub) {
+		dns_zone_t *dummy = NULL;
+		LOCK_ZONE(zone);
+		zone_iattach(zone, &dummy);
+		result = zonemgr_getio(zone->zmgr, false, zone->task,
+				       zone_gotwritehandle, zone,
+				       &zone->writeio);
+		if (result != ISC_R_SUCCESS) {
+			zone_idetach(&dummy);
+		} else {
+			result = DNS_R_CONTINUE;
+		}
+		UNLOCK_ZONE(zone);
+	} else {
+		const dns_master_style_t *output_style;
+
+		dns_masterrawheader_t rawdata;
+		dns_db_currentversion(db, &version);
+		dns_master_initrawheader(&rawdata);
+		if (inline_secure(zone)) {
+			get_raw_serial(zone->raw, &rawdata);
+		}
+		if (zone->type == dns_zone_key) {
+			output_style = &dns_master_style_keyzone;
+		} else {
+			output_style = &dns_master_style_default;
+		}
+		result = dns_master_dump(zone->mctx, db, version, output_style,
+					 masterfile, masterformat, &rawdata);
+		dns_db_closeversion(db, &version, false);
+	}
+fail:
+	if (db != NULL) {
+		dns_db_detach(&db);
+	}
+	if (masterfile != NULL) {
+		isc_mem_free(zone->mctx, masterfile);
+	}
+	masterfile = NULL;
+
+	if (result == DNS_R_CONTINUE) {
+		return (ISC_R_SUCCESS); /* XXXMPA */
+	}
+
+	again = false;
+	LOCK_ZONE(zone);
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_DUMPING);
+	if (result != ISC_R_SUCCESS) {
+		/*
+		 * Try again in a short while.
+		 */
+		zone_needdump(zone, DNS_DUMP_DELAY);
+	} else if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FLUSH) &&
+		   DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
+		   DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED))
+	{
+		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DUMPING);
+		isc_time_settoepoch(&zone->dumptime);
+		again = true;
+	} else {
+		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_FLUSH);
+	}
+	UNLOCK_ZONE(zone);
+	if (again) {
+		goto redo;
+	}
+
+	return (result);
+}
+
+static isc_result_t
+dumptostream(dns_zone_t *zone, FILE *fd, const dns_master_style_t *style,
+	     dns_masterformat_t format, const uint32_t rawversion) {
+	isc_result_t result;
+	dns_dbversion_t *version = NULL;
+	dns_db_t *db = NULL;
+	dns_masterrawheader_t rawdata;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zone->db != NULL) {
+		dns_db_attach(zone->db, &db);
+	}
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+	if (db == NULL) {
+		return (DNS_R_NOTLOADED);
+	}
+
+	dns_db_currentversion(db, &version);
+	dns_master_initrawheader(&rawdata);
+	if (rawversion == 0) {
+		rawdata.flags |= DNS_MASTERRAW_COMPAT;
+	} else if (inline_secure(zone)) {
+		get_raw_serial(zone->raw, &rawdata);
+	} else if (zone->sourceserialset) {
+		rawdata.flags = DNS_MASTERRAW_SOURCESERIALSET;
+		rawdata.sourceserial = zone->sourceserial;
+	}
+	result = dns_master_dumptostream(zone->mctx, db, version, style, format,
+					 &rawdata, fd);
+	dns_db_closeversion(db, &version, false);
+	dns_db_detach(&db);
+	return (result);
+}
+
+isc_result_t
+dns_zone_dumptostream(dns_zone_t *zone, FILE *fd, dns_masterformat_t format,
+		      const dns_master_style_t *style,
+		      const uint32_t rawversion) {
+	return (dumptostream(zone, fd, style, format, rawversion));
+}
+
+void
+dns_zone_unload(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone_unload(zone);
+	UNLOCK_ZONE(zone);
+}
+
+static void
+notify_cancel(dns_zone_t *zone) {
+	dns_notify_t *notify;
+
+	/*
+	 * 'zone' locked by caller.
+	 */
+
+	REQUIRE(LOCKED_ZONE(zone));
+
+	for (notify = ISC_LIST_HEAD(zone->notifies); notify != NULL;
+	     notify = ISC_LIST_NEXT(notify, link))
+	{
+		if (notify->find != NULL) {
+			dns_adb_cancelfind(notify->find);
+		}
+		if (notify->request != NULL) {
+			dns_request_cancel(notify->request);
+		}
+	}
+}
+
+static void
+checkds_cancel(dns_zone_t *zone) {
+	dns_checkds_t *checkds;
+
+	/*
+	 * 'zone' locked by caller.
+	 */
+
+	REQUIRE(LOCKED_ZONE(zone));
+
+	for (checkds = ISC_LIST_HEAD(zone->checkds_requests); checkds != NULL;
+	     checkds = ISC_LIST_NEXT(checkds, link))
+	{
+		if (checkds->request != NULL) {
+			dns_request_cancel(checkds->request);
+		}
+	}
+}
+
+static void
+forward_cancel(dns_zone_t *zone) {
+	dns_forward_t *forward;
+
+	/*
+	 * 'zone' locked by caller.
+	 */
+
+	REQUIRE(LOCKED_ZONE(zone));
+
+	for (forward = ISC_LIST_HEAD(zone->forwards); forward != NULL;
+	     forward = ISC_LIST_NEXT(forward, link))
+	{
+		if (forward->request != NULL) {
+			dns_request_cancel(forward->request);
+		}
+	}
+}
+
+static void
+zone_unload(dns_zone_t *zone) {
+	/*
+	 * 'zone' locked by caller.
+	 */
+
+	REQUIRE(LOCKED_ZONE(zone));
+
+	if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FLUSH) ||
+	    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING))
+	{
+		if (zone->writeio != NULL) {
+			zonemgr_cancelio(zone->writeio);
+		}
+
+		if (zone->dctx != NULL) {
+			dns_dumpctx_cancel(zone->dctx);
+		}
+	}
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
+	zone_detachdb(zone);
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_LOADED);
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
+
+	if (zone->type == dns_zone_mirror) {
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "mirror zone is no longer in use; "
+			     "reverting to normal recursion");
+	}
+}
+
+void
+dns_zone_setminrefreshtime(dns_zone_t *zone, uint32_t val) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(val > 0);
+
+	zone->minrefresh = val;
+}
+
+void
+dns_zone_setmaxrefreshtime(dns_zone_t *zone, uint32_t val) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(val > 0);
+
+	zone->maxrefresh = val;
+}
+
+void
+dns_zone_setminretrytime(dns_zone_t *zone, uint32_t val) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(val > 0);
+
+	zone->minretry = val;
+}
+
+void
+dns_zone_setmaxretrytime(dns_zone_t *zone, uint32_t val) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(val > 0);
+
+	zone->maxretry = val;
+}
+
+uint32_t
+dns_zone_getmaxrecords(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->maxrecords);
+}
+
+void
+dns_zone_setmaxrecords(dns_zone_t *zone, uint32_t val) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	zone->maxrecords = val;
+}
+
+static bool
+notify_isqueued(dns_zone_t *zone, unsigned int flags, dns_name_t *name,
+		isc_sockaddr_t *addr, dns_tsigkey_t *key) {
+	dns_notify_t *notify;
+	dns_zonemgr_t *zmgr;
+	isc_result_t result;
+
+	for (notify = ISC_LIST_HEAD(zone->notifies); notify != NULL;
+	     notify = ISC_LIST_NEXT(notify, link))
+	{
+		if (notify->request != NULL) {
+			continue;
+		}
+		if (name != NULL && dns_name_dynamic(&notify->ns) &&
+		    dns_name_equal(name, &notify->ns))
+		{
+			goto requeue;
+		}
+		if (addr != NULL && isc_sockaddr_equal(addr, &notify->dst) &&
+		    notify->key == key)
+		{
+			goto requeue;
+		}
+	}
+	return (false);
+
+requeue:
+	/*
+	 * If we are enqueued on the startup ratelimiter and this is
+	 * not a startup notify, re-enqueue on the normal notify
+	 * ratelimiter.
+	 */
+	if (notify->event != NULL && (flags & DNS_NOTIFY_STARTUP) == 0 &&
+	    (notify->flags & DNS_NOTIFY_STARTUP) != 0)
+	{
+		zmgr = notify->zone->zmgr;
+		result = isc_ratelimiter_dequeue(zmgr->startupnotifyrl,
+						 notify->event);
+		if (result != ISC_R_SUCCESS) {
+			return (true);
+		}
+
+		notify->flags &= ~DNS_NOTIFY_STARTUP;
+		result = isc_ratelimiter_enqueue(notify->zone->zmgr->notifyrl,
+						 notify->zone->task,
+						 &notify->event);
+		if (result != ISC_R_SUCCESS) {
+			isc_event_free(&notify->event);
+			return (false);
+		}
+	}
+
+	return (true);
+}
+
+static bool
+notify_isself(dns_zone_t *zone, isc_sockaddr_t *dst) {
+	dns_tsigkey_t *key = NULL;
+	isc_sockaddr_t src;
+	isc_sockaddr_t any;
+	bool isself;
+	isc_netaddr_t dstaddr;
+	isc_result_t result;
+
+	if (zone->view == NULL || zone->isself == NULL) {
+		return (false);
+	}
+
+	switch (isc_sockaddr_pf(dst)) {
+	case PF_INET:
+		src = zone->notifysrc4;
+		isc_sockaddr_any(&any);
+		break;
+	case PF_INET6:
+		src = zone->notifysrc6;
+		isc_sockaddr_any6(&any);
+		break;
+	default:
+		return (false);
+	}
+
+	/*
+	 * When sending from any the kernel will assign a source address
+	 * that matches the destination address.
+	 */
+	if (isc_sockaddr_eqaddr(&any, &src)) {
+		src = *dst;
+	}
+
+	isc_netaddr_fromsockaddr(&dstaddr, dst);
+	result = dns_view_getpeertsig(zone->view, &dstaddr, &key);
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
+		return (false);
+	}
+	isself = (zone->isself)(zone->view, key, &src, dst, zone->rdclass,
+				zone->isselfarg);
+	if (key != NULL) {
+		dns_tsigkey_detach(&key);
+	}
+	return (isself);
+}
+
+static void
+notify_destroy(dns_notify_t *notify, bool locked) {
+	isc_mem_t *mctx;
+
+	REQUIRE(DNS_NOTIFY_VALID(notify));
+
+	if (notify->zone != NULL) {
+		if (!locked) {
+			LOCK_ZONE(notify->zone);
+		}
+		REQUIRE(LOCKED_ZONE(notify->zone));
+		if (ISC_LINK_LINKED(notify, link)) {
+			ISC_LIST_UNLINK(notify->zone->notifies, notify, link);
+		}
+		if (!locked) {
+			UNLOCK_ZONE(notify->zone);
+		}
+		if (locked) {
+			zone_idetach(&notify->zone);
+		} else {
+			dns_zone_idetach(&notify->zone);
+		}
+	}
+	if (notify->find != NULL) {
+		dns_adb_destroyfind(&notify->find);
+	}
+	if (notify->request != NULL) {
+		dns_request_destroy(&notify->request);
+	}
+	if (dns_name_dynamic(&notify->ns)) {
+		dns_name_free(&notify->ns, notify->mctx);
+	}
+	if (notify->key != NULL) {
+		dns_tsigkey_detach(&notify->key);
+	}
+	mctx = notify->mctx;
+	isc_mem_put(notify->mctx, notify, sizeof(*notify));
+	isc_mem_detach(&mctx);
+}
+
+static isc_result_t
+notify_create(isc_mem_t *mctx, unsigned int flags, dns_notify_t **notifyp) {
+	dns_notify_t *notify;
+
+	REQUIRE(notifyp != NULL && *notifyp == NULL);
+
+	notify = isc_mem_get(mctx, sizeof(*notify));
+
+	notify->mctx = NULL;
+	isc_mem_attach(mctx, &notify->mctx);
+	notify->flags = flags;
+	notify->zone = NULL;
+	notify->find = NULL;
+	notify->request = NULL;
+	notify->key = NULL;
+	notify->event = NULL;
+	isc_sockaddr_any(&notify->dst);
+	dns_name_init(&notify->ns, NULL);
+	ISC_LINK_INIT(notify, link);
+	notify->magic = NOTIFY_MAGIC;
+	*notifyp = notify;
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * XXXAG should check for DNS_ZONEFLG_EXITING
+ */
+static void
+process_adb_event(isc_task_t *task, isc_event_t *ev) {
+	dns_notify_t *notify;
+	isc_eventtype_t result;
+
+	UNUSED(task);
+
+	notify = ev->ev_arg;
+	REQUIRE(DNS_NOTIFY_VALID(notify));
+	INSIST(task == notify->zone->task);
+	result = ev->ev_type;
+	isc_event_free(&ev);
+	if (result == DNS_EVENT_ADBMOREADDRESSES) {
+		dns_adb_destroyfind(&notify->find);
+		notify_find_address(notify);
+		return;
+	}
+	if (result == DNS_EVENT_ADBNOMOREADDRESSES) {
+		LOCK_ZONE(notify->zone);
+		notify_send(notify);
+		UNLOCK_ZONE(notify->zone);
+	}
+	notify_destroy(notify, false);
+}
+
+static void
+notify_find_address(dns_notify_t *notify) {
+	isc_result_t result;
+	unsigned int options;
+
+	REQUIRE(DNS_NOTIFY_VALID(notify));
+	options = DNS_ADBFIND_WANTEVENT | DNS_ADBFIND_INET | DNS_ADBFIND_INET6 |
+		  DNS_ADBFIND_RETURNLAME;
+
+	if (notify->zone->view->adb == NULL) {
+		goto destroy;
+	}
+
+	result = dns_adb_createfind(
+		notify->zone->view->adb, notify->zone->task, process_adb_event,
+		notify, &notify->ns, dns_rootname, 0, options, 0, NULL,
+		notify->zone->view->dstport, 0, NULL, &notify->find);
+
+	/* Something failed? */
+	if (result != ISC_R_SUCCESS) {
+		goto destroy;
+	}
+
+	/* More addresses pending? */
+	if ((notify->find->options & DNS_ADBFIND_WANTEVENT) != 0) {
+		return;
+	}
+
+	/* We have as many addresses as we can get. */
+	LOCK_ZONE(notify->zone);
+	notify_send(notify);
+	UNLOCK_ZONE(notify->zone);
+
+destroy:
+	notify_destroy(notify, false);
+}
+
+static isc_result_t
+notify_send_queue(dns_notify_t *notify, bool startup) {
+	isc_event_t *e;
+	isc_result_t result;
+
+	INSIST(notify->event == NULL);
+	e = isc_event_allocate(notify->mctx, NULL, DNS_EVENT_NOTIFYSENDTOADDR,
+			       notify_send_toaddr, notify, sizeof(isc_event_t));
+	if (startup) {
+		notify->event = e;
+	}
+	e->ev_arg = notify;
+	e->ev_sender = NULL;
+	result = isc_ratelimiter_enqueue(
+		startup ? notify->zone->zmgr->startupnotifyrl
+			: notify->zone->zmgr->notifyrl,
+		notify->zone->task, &e);
+	if (result != ISC_R_SUCCESS) {
+		isc_event_free(&e);
+		notify->event = NULL;
+	}
+	return (result);
+}
+
+static void
+notify_send_toaddr(isc_task_t *task, isc_event_t *event) {
+	dns_notify_t *notify;
+	isc_result_t result;
+	dns_message_t *message = NULL;
+	isc_netaddr_t dstip;
+	dns_tsigkey_t *key = NULL;
+	char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+	isc_sockaddr_t src;
+	unsigned int options, timeout;
+	bool have_notifysource = false;
+	bool have_notifydscp = false;
+	isc_dscp_t dscp = -1;
+
+	notify = event->ev_arg;
+	REQUIRE(DNS_NOTIFY_VALID(notify));
+
+	UNUSED(task);
+
+	LOCK_ZONE(notify->zone);
+
+	notify->event = NULL;
+
+	if (DNS_ZONE_FLAG(notify->zone, DNS_ZONEFLG_LOADED) == 0) {
+		result = ISC_R_CANCELED;
+		goto cleanup;
+	}
+
+	if ((event->ev_attributes & ISC_EVENTATTR_CANCELED) != 0 ||
+	    DNS_ZONE_FLAG(notify->zone, DNS_ZONEFLG_EXITING) ||
+	    notify->zone->view->requestmgr == NULL || notify->zone->db == NULL)
+	{
+		result = ISC_R_CANCELED;
+		goto cleanup;
+	}
+
+	/*
+	 * The raw IPv4 address should also exist.  Don't send to the
+	 * mapped form.
+	 */
+	if (isc_sockaddr_pf(&notify->dst) == PF_INET6 &&
+	    IN6_IS_ADDR_V4MAPPED(&notify->dst.type.sin6.sin6_addr))
+	{
+		isc_sockaddr_format(&notify->dst, addrbuf, sizeof(addrbuf));
+		notify_log(notify->zone, ISC_LOG_DEBUG(3),
+			   "notify: ignoring IPv6 mapped IPV4 address: %s",
+			   addrbuf);
+		result = ISC_R_CANCELED;
+		goto cleanup;
+	}
+
+	result = notify_createmessage(notify->zone, notify->flags, &message);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	isc_sockaddr_format(&notify->dst, addrbuf, sizeof(addrbuf));
+	if (notify->key != NULL) {
+		/* Transfer ownership of key */
+		key = notify->key;
+		notify->key = NULL;
+	} else {
+		isc_netaddr_fromsockaddr(&dstip, &notify->dst);
+		result = dns_view_getpeertsig(notify->zone->view, &dstip, &key);
+		if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
+			notify_log(notify->zone, ISC_LOG_ERROR,
+				   "NOTIFY to %s not sent. "
+				   "Peer TSIG key lookup failure.",
+				   addrbuf);
+			goto cleanup_message;
+		}
+	}
+
+	if (key != NULL) {
+		char namebuf[DNS_NAME_FORMATSIZE];
+
+		dns_name_format(&key->name, namebuf, sizeof(namebuf));
+		notify_log(notify->zone, ISC_LOG_DEBUG(3),
+			   "sending notify to %s : TSIG (%s)", addrbuf,
+			   namebuf);
+	} else {
+		notify_log(notify->zone, ISC_LOG_DEBUG(3),
+			   "sending notify to %s", addrbuf);
+	}
+	options = 0;
+	if (notify->zone->view->peers != NULL) {
+		dns_peer_t *peer = NULL;
+		bool usetcp = false;
+		result = dns_peerlist_peerbyaddr(notify->zone->view->peers,
+						 &dstip, &peer);
+		if (result == ISC_R_SUCCESS) {
+			result = dns_peer_getnotifysource(peer, &src);
+			if (result == ISC_R_SUCCESS) {
+				have_notifysource = true;
+			}
+			dns_peer_getnotifydscp(peer, &dscp);
+			if (dscp != -1) {
+				have_notifydscp = true;
+			}
+			result = dns_peer_getforcetcp(peer, &usetcp);
+			if (result == ISC_R_SUCCESS && usetcp) {
+				options |= DNS_FETCHOPT_TCP;
+			}
+		}
+	}
+	switch (isc_sockaddr_pf(&notify->dst)) {
+	case PF_INET:
+		if (!have_notifysource) {
+			src = notify->zone->notifysrc4;
+		}
+		if (!have_notifydscp) {
+			dscp = notify->zone->notifysrc4dscp;
+		}
+		break;
+	case PF_INET6:
+		if (!have_notifysource) {
+			src = notify->zone->notifysrc6;
+		}
+		if (!have_notifydscp) {
+			dscp = notify->zone->notifysrc6dscp;
+		}
+		break;
+	default:
+		result = ISC_R_NOTIMPLEMENTED;
+		goto cleanup_key;
+	}
+	timeout = 15;
+	if (DNS_ZONE_FLAG(notify->zone, DNS_ZONEFLG_DIALNOTIFY)) {
+		timeout = 30;
+	}
+	result = dns_request_createvia(
+		notify->zone->view->requestmgr, message, &src, &notify->dst,
+		dscp, options, key, timeout * 3, timeout, 0, notify->zone->task,
+		notify_done, notify, &notify->request);
+	if (result == ISC_R_SUCCESS) {
+		if (isc_sockaddr_pf(&notify->dst) == AF_INET) {
+			inc_stats(notify->zone,
+				  dns_zonestatscounter_notifyoutv4);
+		} else {
+			inc_stats(notify->zone,
+				  dns_zonestatscounter_notifyoutv6);
+		}
+	}
+
+cleanup_key:
+	if (key != NULL) {
+		dns_tsigkey_detach(&key);
+	}
+cleanup_message:
+	dns_message_detach(&message);
+cleanup:
+	UNLOCK_ZONE(notify->zone);
+	isc_event_free(&event);
+	if (result != ISC_R_SUCCESS) {
+		notify_destroy(notify, false);
+	}
+}
+
+static void
+notify_send(dns_notify_t *notify) {
+	dns_adbaddrinfo_t *ai;
+	isc_sockaddr_t dst;
+	isc_result_t result;
+	dns_notify_t *newnotify = NULL;
+	unsigned int flags;
+	bool startup;
+
+	/*
+	 * Zone lock held by caller.
+	 */
+	REQUIRE(DNS_NOTIFY_VALID(notify));
+	REQUIRE(LOCKED_ZONE(notify->zone));
+
+	if (DNS_ZONE_FLAG(notify->zone, DNS_ZONEFLG_EXITING)) {
+		return;
+	}
+
+	for (ai = ISC_LIST_HEAD(notify->find->list); ai != NULL;
+	     ai = ISC_LIST_NEXT(ai, publink))
+	{
+		dst = ai->sockaddr;
+		if (notify_isqueued(notify->zone, notify->flags, NULL, &dst,
+				    NULL))
+		{
+			continue;
+		}
+		if (notify_isself(notify->zone, &dst)) {
+			continue;
+		}
+		newnotify = NULL;
+		flags = notify->flags & DNS_NOTIFY_NOSOA;
+		result = notify_create(notify->mctx, flags, &newnotify);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+		zone_iattach(notify->zone, &newnotify->zone);
+		ISC_LIST_APPEND(newnotify->zone->notifies, newnotify, link);
+		newnotify->dst = dst;
+		startup = ((notify->flags & DNS_NOTIFY_STARTUP) != 0);
+		result = notify_send_queue(newnotify, startup);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+		newnotify = NULL;
+	}
+
+cleanup:
+	if (newnotify != NULL) {
+		notify_destroy(newnotify, true);
+	}
+}
+
+void
+dns_zone_notify(dns_zone_t *zone) {
+	isc_time_t now;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
+
+	TIME_NOW(&now);
+	zone_settimer(zone, &now);
+	UNLOCK_ZONE(zone);
+}
+
+static void
+zone_notify(dns_zone_t *zone, isc_time_t *now) {
+	dns_dbnode_t *node = NULL;
+	dns_db_t *zonedb = NULL;
+	dns_dbversion_t *version = NULL;
+	dns_name_t *origin = NULL;
+	dns_name_t master;
+	dns_rdata_ns_t ns;
+	dns_rdata_soa_t soa;
+	uint32_t serial;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdataset_t nsrdset;
+	dns_rdataset_t soardset;
+	isc_result_t result;
+	unsigned int i;
+	isc_sockaddr_t dst;
+	bool isqueued;
+	dns_notifytype_t notifytype;
+	unsigned int flags = 0;
+	bool loggednotify = false;
+	bool startup;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	startup = !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDSTARTUPNOTIFY);
+	notifytype = zone->notifytype;
+	DNS_ZONE_TIME_ADD(now, zone->notifydelay, &zone->notifytime);
+	UNLOCK_ZONE(zone);
+
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING) ||
+	    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED))
+	{
+		return;
+	}
+
+	if (notifytype == dns_notifytype_no) {
+		return;
+	}
+
+	if (notifytype == dns_notifytype_masteronly &&
+	    zone->type != dns_zone_primary)
+	{
+		return;
+	}
+
+	origin = &zone->origin;
+
+	/*
+	 * If the zone is dialup we are done as we don't want to send
+	 * the current soa so as to force a refresh query.
+	 */
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALNOTIFY)) {
+		flags |= DNS_NOTIFY_NOSOA;
+	}
+
+	/*
+	 * Record that this was a notify due to starting up.
+	 */
+	if (startup) {
+		flags |= DNS_NOTIFY_STARTUP;
+	}
+
+	/*
+	 * Get SOA RRset.
+	 */
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zone->db != NULL) {
+		dns_db_attach(zone->db, &zonedb);
+	}
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zonedb == NULL) {
+		return;
+	}
+	dns_db_currentversion(zonedb, &version);
+	result = dns_db_findnode(zonedb, origin, false, &node);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup1;
+	}
+
+	dns_rdataset_init(&soardset);
+	result = dns_db_findrdataset(zonedb, node, version, dns_rdatatype_soa,
+				     dns_rdatatype_none, 0, &soardset, NULL);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup2;
+	}
+
+	/*
+	 * Find serial and master server's name.
+	 */
+	dns_name_init(&master, NULL);
+	result = dns_rdataset_first(&soardset);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup3;
+	}
+	dns_rdataset_current(&soardset, &rdata);
+	result = dns_rdata_tostruct(&rdata, &soa, NULL);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	dns_rdata_reset(&rdata);
+	dns_name_dup(&soa.origin, zone->mctx, &master);
+	serial = soa.serial;
+	dns_rdataset_disassociate(&soardset);
+
+	/*
+	 * Enqueue notify requests for 'also-notify' servers.
+	 */
+	LOCK_ZONE(zone);
+	for (i = 0; i < zone->notifycnt; i++) {
+		dns_tsigkey_t *key = NULL;
+		dns_notify_t *notify = NULL;
+
+		if ((zone->notifykeynames != NULL) &&
+		    (zone->notifykeynames[i] != NULL))
+		{
+			dns_view_t *view = dns_zone_getview(zone);
+			dns_name_t *keyname = zone->notifykeynames[i];
+			(void)dns_view_gettsig(view, keyname, &key);
+		}
+
+		dst = zone->notify[i];
+		if (notify_isqueued(zone, flags, NULL, &dst, key)) {
+			if (key != NULL) {
+				dns_tsigkey_detach(&key);
+			}
+			continue;
+		}
+
+		result = notify_create(zone->mctx, flags, &notify);
+		if (result != ISC_R_SUCCESS) {
+			if (key != NULL) {
+				dns_tsigkey_detach(&key);
+			}
+			continue;
+		}
+
+		zone_iattach(zone, &notify->zone);
+		notify->dst = dst;
+
+		INSIST(notify->key == NULL);
+
+		if (key != NULL) {
+			notify->key = key;
+			key = NULL;
+		}
+
+		ISC_LIST_APPEND(zone->notifies, notify, link);
+		result = notify_send_queue(notify, startup);
+		if (result != ISC_R_SUCCESS) {
+			notify_destroy(notify, true);
+		}
+		if (!loggednotify) {
+			notify_log(zone, ISC_LOG_INFO,
+				   "sending notifies (serial %u)", serial);
+			loggednotify = true;
+		}
+	}
+	UNLOCK_ZONE(zone);
+
+	if (notifytype == dns_notifytype_explicit) {
+		goto cleanup3;
+	}
+
+	/*
+	 * Process NS RRset to generate notifies.
+	 */
+
+	dns_rdataset_init(&nsrdset);
+	result = dns_db_findrdataset(zonedb, node, version, dns_rdatatype_ns,
+				     dns_rdatatype_none, 0, &nsrdset, NULL);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup3;
+	}
+
+	result = dns_rdataset_first(&nsrdset);
+	while (result == ISC_R_SUCCESS) {
+		dns_notify_t *notify = NULL;
+
+		dns_rdataset_current(&nsrdset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &ns, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		dns_rdata_reset(&rdata);
+		/*
+		 * Don't notify the master server unless explicitly
+		 * configured to do so.
+		 */
+		if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_NOTIFYTOSOA) &&
+		    dns_name_compare(&master, &ns.name) == 0)
+		{
+			result = dns_rdataset_next(&nsrdset);
+			continue;
+		}
+
+		if (!loggednotify) {
+			notify_log(zone, ISC_LOG_INFO,
+				   "sending notifies (serial %u)", serial);
+			loggednotify = true;
+		}
+
+		LOCK_ZONE(zone);
+		isqueued = notify_isqueued(zone, flags, &ns.name, NULL, NULL);
+		UNLOCK_ZONE(zone);
+		if (isqueued) {
+			result = dns_rdataset_next(&nsrdset);
+			continue;
+		}
+		result = notify_create(zone->mctx, flags, &notify);
+		if (result != ISC_R_SUCCESS) {
+			continue;
+		}
+		dns_zone_iattach(zone, &notify->zone);
+		dns_name_dup(&ns.name, zone->mctx, &notify->ns);
+		LOCK_ZONE(zone);
+		ISC_LIST_APPEND(zone->notifies, notify, link);
+		UNLOCK_ZONE(zone);
+		notify_find_address(notify);
+		result = dns_rdataset_next(&nsrdset);
+	}
+	dns_rdataset_disassociate(&nsrdset);
+
+cleanup3:
+	if (dns_name_dynamic(&master)) {
+		dns_name_free(&master, zone->mctx);
+	}
+cleanup2:
+	dns_db_detachnode(zonedb, &node);
+cleanup1:
+	dns_db_closeversion(zonedb, &version, false);
+	dns_db_detach(&zonedb);
+}
+
+/***
+ *** Private
+ ***/
+static isc_result_t
+create_query(dns_zone_t *zone, dns_rdatatype_t rdtype, dns_name_t *name,
+	     dns_message_t **messagep) {
+	dns_message_t *message = NULL;
+	dns_name_t *qname = NULL;
+	dns_rdataset_t *qrdataset = NULL;
+	isc_result_t result;
+
+	dns_message_create(zone->mctx, DNS_MESSAGE_INTENTRENDER, &message);
+
+	message->opcode = dns_opcode_query;
+	message->rdclass = zone->rdclass;
+
+	result = dns_message_gettempname(message, &qname);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	result = dns_message_gettemprdataset(message, &qrdataset);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	/*
+	 * Make question.
+	 */
+	dns_name_clone(name, qname);
+	dns_rdataset_makequestion(qrdataset, zone->rdclass, rdtype);
+	ISC_LIST_APPEND(qname->list, qrdataset, link);
+	dns_message_addname(message, qname, DNS_SECTION_QUESTION);
+
+	*messagep = message;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	if (qname != NULL) {
+		dns_message_puttempname(message, &qname);
+	}
+	if (qrdataset != NULL) {
+		dns_message_puttemprdataset(message, &qrdataset);
+	}
+	dns_message_detach(&message);
+	return (result);
+}
+
+static isc_result_t
+add_opt(dns_message_t *message, uint16_t udpsize, bool reqnsid,
+	bool reqexpire) {
+	isc_result_t result;
+	dns_rdataset_t *rdataset = NULL;
+	dns_ednsopt_t ednsopts[DNS_EDNSOPTIONS];
+	int count = 0;
+
+	/* Set EDNS options if applicable. */
+	if (reqnsid) {
+		INSIST(count < DNS_EDNSOPTIONS);
+		ednsopts[count].code = DNS_OPT_NSID;
+		ednsopts[count].length = 0;
+		ednsopts[count].value = NULL;
+		count++;
+	}
+	if (reqexpire) {
+		INSIST(count < DNS_EDNSOPTIONS);
+		ednsopts[count].code = DNS_OPT_EXPIRE;
+		ednsopts[count].length = 0;
+		ednsopts[count].value = NULL;
+		count++;
+	}
+	result = dns_message_buildopt(message, &rdataset, 0, udpsize, 0,
+				      ednsopts, count);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	return (dns_message_setopt(message, rdataset));
+}
+
+/*
+ * Called when stub zone update is finished.
+ * Update zone refresh, retry, expire values accordingly with
+ * SOA received from master, sync database to file, restart
+ * zone management timer.
+ */
+static void
+stub_finish_zone_update(dns_stub_t *stub, isc_time_t now) {
+	uint32_t refresh, retry, expire;
+	isc_result_t result;
+	isc_interval_t i;
+	unsigned int soacount;
+	dns_zone_t *zone = stub->zone;
+
+	/*
+	 * Tidy up.
+	 */
+	dns_db_closeversion(stub->db, &stub->version, true);
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
+	if (zone->db == NULL) {
+		zone_attachdb(zone, stub->db);
+	}
+	result = zone_get_from_db(zone, zone->db, NULL, &soacount, NULL, NULL,
+				  &refresh, &retry, &expire, NULL, NULL);
+	if (result == ISC_R_SUCCESS && soacount > 0U) {
+		zone->refresh = RANGE(refresh, zone->minrefresh,
+				      zone->maxrefresh);
+		zone->retry = RANGE(retry, zone->minretry, zone->maxretry);
+		zone->expire = RANGE(expire, zone->refresh + zone->retry,
+				     DNS_MAX_EXPIRE);
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
+	}
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
+	dns_db_detach(&stub->db);
+
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
+	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
+	DNS_ZONE_JITTER_ADD(&now, zone->refresh, &zone->refreshtime);
+	isc_interval_set(&i, zone->expire, 0);
+	DNS_ZONE_TIME_ADD(&now, zone->expire, &zone->expiretime);
+
+	if (zone->masterfile != NULL) {
+		zone_needdump(zone, 0);
+	}
+
+	zone_settimer(zone, &now);
+}
+
+/*
+ * Process answers for A and AAAA queries when
+ * resolving nameserver addresses for which glue
+ * was missing in a previous answer for a NS query.
+ */
+static void
+stub_glue_response_cb(isc_task_t *task, isc_event_t *event) {
+	const char me[] = "stub_glue_response_cb";
+	dns_requestevent_t *revent = (dns_requestevent_t *)event;
+	dns_stub_t *stub = NULL;
+	dns_message_t *msg = NULL;
+	dns_zone_t *zone = NULL;
+	char master[ISC_SOCKADDR_FORMATSIZE];
+	char source[ISC_SOCKADDR_FORMATSIZE];
+	uint32_t addr_count, cnamecnt;
+	isc_result_t result;
+	isc_time_t now;
+	struct stub_glue_request *request;
+	struct stub_cb_args *cb_args;
+	dns_rdataset_t *addr_rdataset = NULL;
+	dns_dbnode_t *node = NULL;
+
+	UNUSED(task);
+
+	request = revent->ev_arg;
+	cb_args = request->args;
+	stub = cb_args->stub;
+	INSIST(DNS_STUB_VALID(stub));
+
+	zone = stub->zone;
+
+	ENTER;
+
+	TIME_NOW(&now);
+
+	LOCK_ZONE(zone);
+
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
+		zone_debuglog(zone, me, 1, "exiting");
+		goto cleanup;
+	}
+
+	isc_sockaddr_format(&zone->masteraddr, master, sizeof(master));
+	isc_sockaddr_format(&zone->sourceaddr, source, sizeof(source));
+
+	if (revent->result != ISC_R_SUCCESS) {
+		dns_zonemgr_unreachableadd(zone->zmgr, &zone->masteraddr,
+					   &zone->sourceaddr, &now);
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "could not refresh stub from master %s"
+			     " (source %s): %s",
+			     master, source, dns_result_totext(revent->result));
+		goto cleanup;
+	}
+
+	dns_message_create(zone->mctx, DNS_MESSAGE_INTENTPARSE, &msg);
+	result = dns_request_getresponse(revent->request, msg, 0);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refreshing stub: unable to parse response (%s)",
+			     isc_result_totext(result));
+		goto cleanup;
+	}
+
+	/*
+	 * Unexpected opcode.
+	 */
+	if (msg->opcode != dns_opcode_query) {
+		char opcode[128];
+		isc_buffer_t rb;
+
+		isc_buffer_init(&rb, opcode, sizeof(opcode));
+		(void)dns_opcode_totext(msg->opcode, &rb);
+
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refreshing stub: "
+			     "unexpected opcode (%.*s) from %s (source %s)",
+			     (int)rb.used, opcode, master, source);
+		goto cleanup;
+	}
+
+	/*
+	 * Unexpected rcode.
+	 */
+	if (msg->rcode != dns_rcode_noerror) {
+		char rcode[128];
+		isc_buffer_t rb;
+
+		isc_buffer_init(&rb, rcode, sizeof(rcode));
+		(void)dns_rcode_totext(msg->rcode, &rb);
+
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refreshing stub: "
+			     "unexpected rcode (%.*s) from %s (source %s)",
+			     (int)rb.used, rcode, master, source);
+		goto cleanup;
+	}
+
+	/*
+	 * We need complete messages.
+	 */
+	if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0) {
+		if (dns_request_usedtcp(revent->request)) {
+			dns_zone_log(zone, ISC_LOG_INFO,
+				     "refreshing stub: truncated TCP "
+				     "response from master %s (source %s)",
+				     master, source);
+		}
+		goto cleanup;
+	}
+
+	/*
+	 * If non-auth log.
+	 */
+	if ((msg->flags & DNS_MESSAGEFLAG_AA) == 0) {
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refreshing stub: "
+			     "non-authoritative answer from "
+			     "master %s (source %s)",
+			     master, source);
+		goto cleanup;
+	}
+
+	/*
+	 * Sanity checks.
+	 */
+	cnamecnt = message_count(msg, DNS_SECTION_ANSWER, dns_rdatatype_cname);
+	addr_count = message_count(msg, DNS_SECTION_ANSWER,
+				   request->ipv4 ? dns_rdatatype_a
+						 : dns_rdatatype_aaaa);
+
+	if (cnamecnt != 0) {
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refreshing stub: unexpected CNAME response "
+			     "from master %s (source %s)",
+			     master, source);
+		goto cleanup;
+	}
+
+	if (addr_count == 0) {
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refreshing stub: no %s records in response "
+			     "from master %s (source %s)",
+			     request->ipv4 ? "A" : "AAAA", master, source);
+		goto cleanup;
+	}
+	/*
+	 * Extract A or AAAA RRset from message.
+	 */
+	result = dns_message_findname(msg, DNS_SECTION_ANSWER, &request->name,
+				      request->ipv4 ? dns_rdatatype_a
+						    : dns_rdatatype_aaaa,
+				      dns_rdatatype_none, NULL, &addr_rdataset);
+	if (result != ISC_R_SUCCESS) {
+		if (result != DNS_R_NXDOMAIN && result != DNS_R_NXRRSET) {
+			char namebuf[DNS_NAME_FORMATSIZE];
+			dns_name_format(&request->name, namebuf,
+					sizeof(namebuf));
+			dns_zone_log(
+				zone, ISC_LOG_INFO,
+				"refreshing stub: dns_message_findname(%s/%s) "
+				"failed (%s)",
+				namebuf, request->ipv4 ? "A" : "AAAA",
+				isc_result_totext(result));
+		}
+		goto cleanup;
+	}
+
+	result = dns_db_findnode(stub->db, &request->name, true, &node);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refreshing stub: "
+			     "dns_db_findnode() failed: %s",
+			     dns_result_totext(result));
+		goto cleanup;
+	}
+
+	result = dns_db_addrdataset(stub->db, node, stub->version, 0,
+				    addr_rdataset, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refreshing stub: "
+			     "dns_db_addrdataset() failed: %s",
+			     dns_result_totext(result));
+	}
+	dns_db_detachnode(stub->db, &node);
+
+cleanup:
+	if (msg != NULL) {
+		dns_message_detach(&msg);
+	}
+	isc_event_free(&event);
+	dns_name_free(&request->name, zone->mctx);
+	dns_request_destroy(&request->request);
+	isc_mem_put(zone->mctx, request, sizeof(*request));
+
+	/* If last request, release all related resources */
+	if (atomic_fetch_sub_release(&stub->pending_requests, 1) == 1) {
+		isc_mem_put(zone->mctx, cb_args, sizeof(*cb_args));
+		stub_finish_zone_update(stub, now);
+		UNLOCK_ZONE(zone);
+		stub->magic = 0;
+		dns_zone_idetach(&stub->zone);
+		INSIST(stub->db == NULL);
+		INSIST(stub->version == NULL);
+		isc_mem_put(stub->mctx, stub, sizeof(*stub));
+	} else {
+		UNLOCK_ZONE(zone);
+	}
+}
+
+/*
+ * Create and send an A or AAAA query to the master
+ * server of the stub zone given.
+ */
+static isc_result_t
+stub_request_nameserver_address(struct stub_cb_args *args, bool ipv4,
+				const dns_name_t *name) {
+	dns_message_t *message = NULL;
+	dns_zone_t *zone;
+	isc_result_t result;
+	struct stub_glue_request *request;
+
+	zone = args->stub->zone;
+	request = isc_mem_get(zone->mctx, sizeof(*request));
+	request->request = NULL;
+	request->args = args;
+	request->name = (dns_name_t)DNS_NAME_INITEMPTY;
+	request->ipv4 = ipv4;
+	dns_name_dup(name, zone->mctx, &request->name);
+
+	result = create_query(zone, ipv4 ? dns_rdatatype_a : dns_rdatatype_aaaa,
+			      &request->name, &message);
+	INSIST(result == ISC_R_SUCCESS);
+
+	if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) {
+		result = add_opt(message, args->udpsize, args->reqnsid, false);
+		if (result != ISC_R_SUCCESS) {
+			zone_debuglog(zone, "stub_send_query", 1,
+				      "unable to add opt record: %s",
+				      dns_result_totext(result));
+			goto fail;
+		}
+	}
+
+	atomic_fetch_add_release(&args->stub->pending_requests, 1);
+
+	result = dns_request_createvia(
+		zone->view->requestmgr, message, &zone->sourceaddr,
+		&zone->masteraddr, args->dscp, DNS_REQUESTOPT_TCP,
+		args->tsig_key, args->timeout * 3, args->timeout, 0, zone->task,
+		stub_glue_response_cb, request, &request->request);
+
+	if (result != ISC_R_SUCCESS) {
+		INSIST(atomic_fetch_sub_release(&args->stub->pending_requests,
+						1) > 1);
+		zone_debuglog(zone, "stub_send_query", 1,
+			      "dns_request_createvia() failed: %s",
+			      dns_result_totext(result));
+		goto fail;
+	}
+
+	dns_message_detach(&message);
+
+	return (ISC_R_SUCCESS);
+
+fail:
+	dns_name_free(&request->name, zone->mctx);
+	isc_mem_put(zone->mctx, request, sizeof(*request));
+
+	if (message != NULL) {
+		dns_message_detach(&message);
+	}
+
+	return (result);
+}
+
+static isc_result_t
+save_nsrrset(dns_message_t *message, dns_name_t *name,
+	     struct stub_cb_args *cb_args, dns_db_t *db,
+	     dns_dbversion_t *version) {
+	dns_rdataset_t *nsrdataset = NULL;
+	dns_rdataset_t *rdataset = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_rdata_ns_t ns;
+	isc_result_t result;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	bool has_glue = false;
+	dns_name_t *ns_name;
+	/*
+	 * List of NS entries in answer, keep names that will be used
+	 * to resolve missing A/AAAA glue for each entry.
+	 */
+	dns_namelist_t ns_list;
+	ISC_LIST_INIT(ns_list);
+
+	/*
+	 * Extract NS RRset from message.
+	 */
+	result = dns_message_findname(message, DNS_SECTION_ANSWER, name,
+				      dns_rdatatype_ns, dns_rdatatype_none,
+				      NULL, &nsrdataset);
+	if (result != ISC_R_SUCCESS) {
+		goto done;
+	}
+
+	/*
+	 * Add NS rdataset.
+	 */
+	result = dns_db_findnode(db, name, true, &node);
+	if (result != ISC_R_SUCCESS) {
+		goto done;
+	}
+	result = dns_db_addrdataset(db, node, version, 0, nsrdataset, 0, NULL);
+	dns_db_detachnode(db, &node);
+	if (result != ISC_R_SUCCESS) {
+		goto done;
+	}
+	/*
+	 * Add glue rdatasets.
+	 */
+	for (result = dns_rdataset_first(nsrdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(nsrdataset))
+	{
+		dns_rdataset_current(nsrdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &ns, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		dns_rdata_reset(&rdata);
+
+		if (!dns_name_issubdomain(&ns.name, name)) {
+			continue;
+		}
+		rdataset = NULL;
+		result = dns_message_findname(message, DNS_SECTION_ADDITIONAL,
+					      &ns.name, dns_rdatatype_aaaa,
+					      dns_rdatatype_none, NULL,
+					      &rdataset);
+		if (result == ISC_R_SUCCESS) {
+			has_glue = true;
+			result = dns_db_findnode(db, &ns.name, true, &node);
+			if (result != ISC_R_SUCCESS) {
+				goto done;
+			}
+			result = dns_db_addrdataset(db, node, version, 0,
+						    rdataset, 0, NULL);
+			dns_db_detachnode(db, &node);
+			if (result != ISC_R_SUCCESS) {
+				goto done;
+			}
+		}
+
+		rdataset = NULL;
+		result = dns_message_findname(
+			message, DNS_SECTION_ADDITIONAL, &ns.name,
+			dns_rdatatype_a, dns_rdatatype_none, NULL, &rdataset);
+		if (result == ISC_R_SUCCESS) {
+			has_glue = true;
+			result = dns_db_findnode(db, &ns.name, true, &node);
+			if (result != ISC_R_SUCCESS) {
+				goto done;
+			}
+			result = dns_db_addrdataset(db, node, version, 0,
+						    rdataset, 0, NULL);
+			dns_db_detachnode(db, &node);
+			if (result != ISC_R_SUCCESS) {
+				goto done;
+			}
+		}
+
+		/*
+		 * If no glue is found so far, we add the name to the list to
+		 * resolve the A/AAAA glue later. If any glue is found in any
+		 * iteration step, this list will be discarded and only the glue
+		 * provided in this message will be used.
+		 */
+		if (!has_glue && dns_name_issubdomain(&ns.name, name)) {
+			dns_name_t *tmp_name;
+			tmp_name = isc_mem_get(cb_args->stub->mctx,
+					       sizeof(*tmp_name));
+			dns_name_init(tmp_name, NULL);
+			dns_name_dup(&ns.name, cb_args->stub->mctx, tmp_name);
+			ISC_LIST_APPEND(ns_list, tmp_name, link);
+		}
+	}
+
+	if (result != ISC_R_NOMORE) {
+		goto done;
+	}
+
+	/*
+	 * If no glue records were found, we attempt to resolve A/AAAA
+	 * for each NS entry found in the answer.
+	 */
+	if (!has_glue) {
+		for (ns_name = ISC_LIST_HEAD(ns_list); ns_name != NULL;
+		     ns_name = ISC_LIST_NEXT(ns_name, link))
+		{
+			/*
+			 * Resolve NS IPv4 address/A.
+			 */
+			result = stub_request_nameserver_address(cb_args, true,
+								 ns_name);
+			if (result != ISC_R_SUCCESS) {
+				goto done;
+			}
+			/*
+			 * Resolve NS IPv6 address/AAAA.
+			 */
+			result = stub_request_nameserver_address(cb_args, false,
+								 ns_name);
+			if (result != ISC_R_SUCCESS) {
+				goto done;
+			}
+		}
+	}
+
+	result = ISC_R_SUCCESS;
+
+done:
+	while ((ns_name = ISC_LIST_HEAD(ns_list)) != NULL) {
+		ISC_LIST_UNLINK(ns_list, ns_name, link);
+		dns_name_free(ns_name, cb_args->stub->mctx);
+		isc_mem_put(cb_args->stub->mctx, ns_name, sizeof(*ns_name));
+	}
+	return (result);
+}
+
+static void
+stub_callback(isc_task_t *task, isc_event_t *event) {
+	const char me[] = "stub_callback";
+	dns_requestevent_t *revent = (dns_requestevent_t *)event;
+	dns_stub_t *stub = NULL;
+	dns_message_t *msg = NULL;
+	dns_zone_t *zone = NULL;
+	char master[ISC_SOCKADDR_FORMATSIZE];
+	char source[ISC_SOCKADDR_FORMATSIZE];
+	uint32_t nscnt, cnamecnt;
+	isc_result_t result;
+	isc_time_t now;
+	bool exiting = false;
+	unsigned int j;
+	struct stub_cb_args *cb_args;
+
+	cb_args = revent->ev_arg;
+	stub = cb_args->stub;
+	INSIST(DNS_STUB_VALID(stub));
+
+	UNUSED(task);
+
+	zone = stub->zone;
+
+	ENTER;
+
+	TIME_NOW(&now);
+
+	LOCK_ZONE(zone);
+
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
+		zone_debuglog(zone, me, 1, "exiting");
+		exiting = true;
+		goto next_master;
+	}
+
+	isc_sockaddr_format(&zone->masteraddr, master, sizeof(master));
+	isc_sockaddr_format(&zone->sourceaddr, source, sizeof(source));
+
+	if (revent->result != ISC_R_SUCCESS) {
+		if (revent->result == ISC_R_TIMEDOUT &&
+		    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS))
+		{
+			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
+			dns_zone_log(zone, ISC_LOG_DEBUG(1),
+				     "refreshing stub: timeout retrying "
+				     " without EDNS master %s (source %s)",
+				     master, source);
+			goto same_master;
+		}
+		dns_zonemgr_unreachableadd(zone->zmgr, &zone->masteraddr,
+					   &zone->sourceaddr, &now);
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "could not refresh stub from master %s"
+			     " (source %s): %s",
+			     master, source, dns_result_totext(revent->result));
+		goto next_master;
+	}
+
+	dns_message_create(zone->mctx, DNS_MESSAGE_INTENTPARSE, &msg);
+
+	result = dns_request_getresponse(revent->request, msg, 0);
+	if (result != ISC_R_SUCCESS) {
+		goto next_master;
+	}
+
+	/*
+	 * Unexpected opcode.
+	 */
+	if (msg->opcode != dns_opcode_query) {
+		char opcode[128];
+		isc_buffer_t rb;
+
+		isc_buffer_init(&rb, opcode, sizeof(opcode));
+		(void)dns_opcode_totext(msg->opcode, &rb);
+
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refreshing stub: "
+			     "unexpected opcode (%.*s) from %s (source %s)",
+			     (int)rb.used, opcode, master, source);
+		goto next_master;
+	}
+
+	/*
+	 * Unexpected rcode.
+	 */
+	if (msg->rcode != dns_rcode_noerror) {
+		char rcode[128];
+		isc_buffer_t rb;
+
+		isc_buffer_init(&rb, rcode, sizeof(rcode));
+		(void)dns_rcode_totext(msg->rcode, &rb);
+
+		if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS) &&
+		    (msg->rcode == dns_rcode_servfail ||
+		     msg->rcode == dns_rcode_notimp ||
+		     msg->rcode == dns_rcode_formerr))
+		{
+			dns_zone_log(zone, ISC_LOG_DEBUG(1),
+				     "refreshing stub: rcode (%.*s) retrying "
+				     "without EDNS master %s (source %s)",
+				     (int)rb.used, rcode, master, source);
+			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
+			goto same_master;
+		}
+
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refreshing stub: "
+			     "unexpected rcode (%.*s) from %s (source %s)",
+			     (int)rb.used, rcode, master, source);
+		goto next_master;
+	}
+
+	/*
+	 * We need complete messages.
+	 */
+	if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0) {
+		if (dns_request_usedtcp(revent->request)) {
+			dns_zone_log(zone, ISC_LOG_INFO,
+				     "refreshing stub: truncated TCP "
+				     "response from master %s (source %s)",
+				     master, source);
+			goto next_master;
+		}
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_USEVC);
+		goto same_master;
+	}
+
+	/*
+	 * If non-auth log and next master.
+	 */
+	if ((msg->flags & DNS_MESSAGEFLAG_AA) == 0) {
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refreshing stub: "
+			     "non-authoritative answer from "
+			     "master %s (source %s)",
+			     master, source);
+		goto next_master;
+	}
+
+	/*
+	 * Sanity checks.
+	 */
+	cnamecnt = message_count(msg, DNS_SECTION_ANSWER, dns_rdatatype_cname);
+	nscnt = message_count(msg, DNS_SECTION_ANSWER, dns_rdatatype_ns);
+
+	if (cnamecnt != 0) {
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refreshing stub: unexpected CNAME response "
+			     "from master %s (source %s)",
+			     master, source);
+		goto next_master;
+	}
+
+	if (nscnt == 0) {
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refreshing stub: no NS records in response "
+			     "from master %s (source %s)",
+			     master, source);
+		goto next_master;
+	}
+
+	atomic_fetch_add(&stub->pending_requests, 1);
+
+	/*
+	 * Save answer.
+	 */
+	result = save_nsrrset(msg, &zone->origin, cb_args, stub->db,
+			      stub->version);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refreshing stub: unable to save NS records "
+			     "from master %s (source %s)",
+			     master, source);
+		goto next_master;
+	}
+
+	dns_message_detach(&msg);
+	isc_event_free(&event);
+	dns_request_destroy(&zone->request);
+
+	/*
+	 * Check to see if there are no outstanding requests and
+	 * finish off if that is so.
+	 */
+	if (atomic_fetch_sub(&stub->pending_requests, 1) == 1) {
+		isc_mem_put(zone->mctx, cb_args, sizeof(*cb_args));
+		stub_finish_zone_update(stub, now);
+		goto free_stub;
+	}
+
+	UNLOCK_ZONE(zone);
+	return;
+
+next_master:
+	isc_mem_put(zone->mctx, cb_args, sizeof(*cb_args));
+	if (stub->version != NULL) {
+		dns_db_closeversion(stub->db, &stub->version, false);
+	}
+	if (stub->db != NULL) {
+		dns_db_detach(&stub->db);
+	}
+	if (msg != NULL) {
+		dns_message_detach(&msg);
+	}
+	isc_event_free(&event);
+	dns_request_destroy(&zone->request);
+	/*
+	 * Skip to next failed / untried master.
+	 */
+	do {
+		zone->curmaster++;
+	} while (zone->curmaster < zone->masterscnt &&
+		 zone->mastersok[zone->curmaster]);
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOEDNS);
+	if (exiting || zone->curmaster >= zone->masterscnt) {
+		bool done = true;
+		if (!exiting &&
+		    DNS_ZONE_OPTION(zone, DNS_ZONEOPT_USEALTXFRSRC) &&
+		    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC))
+		{
+			/*
+			 * Did we get a good answer from all the primaries?
+			 */
+			for (j = 0; j < zone->masterscnt; j++) {
+				if (!zone->mastersok[j]) {
+					{
+						done = false;
+						break;
+					}
+				}
+			}
+		} else {
+			done = true;
+		}
+		if (!done) {
+			zone->curmaster = 0;
+			/*
+			 * Find the next failed master.
+			 */
+			while (zone->curmaster < zone->masterscnt &&
+			       zone->mastersok[zone->curmaster])
+			{
+				zone->curmaster++;
+			}
+			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_USEALTXFRSRC);
+		} else {
+			DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
+
+			zone_settimer(zone, &now);
+			goto free_stub;
+		}
+	}
+	queue_soa_query(zone);
+	goto free_stub;
+
+same_master:
+	isc_mem_put(zone->mctx, cb_args, sizeof(*cb_args));
+	if (msg != NULL) {
+		dns_message_detach(&msg);
+	}
+	isc_event_free(&event);
+	dns_request_destroy(&zone->request);
+	ns_query(zone, NULL, stub);
+	UNLOCK_ZONE(zone);
+	goto done;
+
+free_stub:
+	UNLOCK_ZONE(zone);
+	stub->magic = 0;
+	dns_zone_idetach(&stub->zone);
+	INSIST(stub->db == NULL);
+	INSIST(stub->version == NULL);
+	isc_mem_put(stub->mctx, stub, sizeof(*stub));
+
+done:
+	INSIST(event == NULL);
+	return;
+}
+
+/*
+ * Get the EDNS EXPIRE option from the response and if it exists trim
+ * expire to be not more than it.
+ */
+static void
+get_edns_expire(dns_zone_t *zone, dns_message_t *message, uint32_t *expirep) {
+	isc_result_t result;
+	uint32_t expire;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_buffer_t optbuf;
+	uint16_t optcode;
+	uint16_t optlen;
+
+	REQUIRE(expirep != NULL);
+	REQUIRE(message != NULL);
+
+	if (message->opt == NULL) {
+		return;
+	}
+
+	result = dns_rdataset_first(message->opt);
+	if (result == ISC_R_SUCCESS) {
+		dns_rdataset_current(message->opt, &rdata);
+		isc_buffer_init(&optbuf, rdata.data, rdata.length);
+		isc_buffer_add(&optbuf, rdata.length);
+		while (isc_buffer_remaininglength(&optbuf) >= 4) {
+			optcode = isc_buffer_getuint16(&optbuf);
+			optlen = isc_buffer_getuint16(&optbuf);
+			/*
+			 * A EDNS EXPIRE response has a length of 4.
+			 */
+			if (optcode != DNS_OPT_EXPIRE || optlen != 4) {
+				isc_buffer_forward(&optbuf, optlen);
+				continue;
+			}
+			expire = isc_buffer_getuint32(&optbuf);
+			dns_zone_log(zone, ISC_LOG_DEBUG(1),
+				     "got EDNS EXPIRE of %u", expire);
+			/*
+			 * Trim *expirep?
+			 */
+			if (expire < *expirep) {
+				*expirep = expire;
+			}
+			break;
+		}
+	}
+}
+
+/*
+ * Set the file modification time zone->expire seconds before expiretime.
+ */
+static void
+setmodtime(dns_zone_t *zone, isc_time_t *expiretime) {
+	isc_result_t result;
+	isc_time_t when;
+	isc_interval_t i;
+
+	isc_interval_set(&i, zone->expire, 0);
+	result = isc_time_subtract(expiretime, &i, &when);
+	if (result != ISC_R_SUCCESS) {
+		return;
+	}
+
+	result = ISC_R_FAILURE;
+	if (zone->journal != NULL) {
+		result = isc_file_settime(zone->journal, &when);
+	}
+	if (result == ISC_R_SUCCESS &&
+	    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
+	    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING))
+	{
+		result = isc_file_settime(zone->masterfile, &when);
+	} else if (result != ISC_R_SUCCESS) {
+		result = isc_file_settime(zone->masterfile, &when);
+	}
+
+	/*
+	 * Someone removed the file from underneath us!
+	 */
+	if (result == ISC_R_FILENOTFOUND) {
+		zone_needdump(zone, DNS_DUMP_DELAY);
+	} else if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "refresh: could not set "
+			     "file modification time of '%s': %s",
+			     zone->masterfile, dns_result_totext(result));
+	}
+}
+
+/*
+ * An SOA query has finished (successfully or not).
+ */
+static void
+refresh_callback(isc_task_t *task, isc_event_t *event) {
+	const char me[] = "refresh_callback";
+	dns_requestevent_t *revent = (dns_requestevent_t *)event;
+	dns_zone_t *zone;
+	dns_message_t *msg = NULL;
+	uint32_t soacnt, cnamecnt, soacount, nscount;
+	isc_time_t now;
+	char master[ISC_SOCKADDR_FORMATSIZE];
+	char source[ISC_SOCKADDR_FORMATSIZE];
+	dns_rdataset_t *rdataset = NULL;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_soa_t soa;
+	isc_result_t result;
+	uint32_t serial, oldserial = 0;
+	unsigned int j;
+	bool do_queue_xfrin = false;
+
+	zone = revent->ev_arg;
+	INSIST(DNS_ZONE_VALID(zone));
+
+	UNUSED(task);
+
+	ENTER;
+
+	TIME_NOW(&now);
+
+	LOCK_ZONE(zone);
+
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
+		isc_event_free(&event);
+		dns_request_destroy(&zone->request);
+		goto detach;
+	}
+
+	/*
+	 * if timeout log and next master;
+	 */
+
+	isc_sockaddr_format(&zone->masteraddr, master, sizeof(master));
+	isc_sockaddr_format(&zone->sourceaddr, source, sizeof(source));
+
+	if (revent->result != ISC_R_SUCCESS) {
+		if (revent->result == ISC_R_TIMEDOUT &&
+		    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS))
+		{
+			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
+			dns_zone_log(zone, ISC_LOG_DEBUG(1),
+				     "refresh: timeout retrying without EDNS "
+				     "master %s (source %s)",
+				     master, source);
+			goto same_master;
+		}
+		if (revent->result == ISC_R_TIMEDOUT &&
+		    !dns_request_usedtcp(revent->request))
+		{
+			dns_zone_log(zone, ISC_LOG_INFO,
+				     "refresh: retry limit for "
+				     "master %s exceeded (source %s)",
+				     master, source);
+			/* Try with slave with TCP. */
+			if ((zone->type == dns_zone_secondary ||
+			     zone->type == dns_zone_mirror ||
+			     zone->type == dns_zone_redirect) &&
+			    DNS_ZONE_OPTION(zone, DNS_ZONEOPT_TRYTCPREFRESH))
+			{
+				if (!dns_zonemgr_unreachable(
+					    zone->zmgr, &zone->masteraddr,
+					    &zone->sourceaddr, &now))
+				{
+					DNS_ZONE_SETFLAG(
+						zone,
+						DNS_ZONEFLG_SOABEFOREAXFR);
+					goto tcp_transfer;
+				}
+				dns_zone_log(zone, ISC_LOG_DEBUG(1),
+					     "refresh: skipped tcp fallback "
+					     "as master %s (source %s) is "
+					     "unreachable (cached)",
+					     master, source);
+			}
+		} else {
+			dns_zone_log(zone, ISC_LOG_INFO,
+				     "refresh: failure trying master "
+				     "%s (source %s): %s",
+				     master, source,
+				     dns_result_totext(revent->result));
+		}
+		goto next_master;
+	}
+
+	dns_message_create(zone->mctx, DNS_MESSAGE_INTENTPARSE, &msg);
+	result = dns_request_getresponse(revent->request, msg, 0);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refresh: failure trying master "
+			     "%s (source %s): %s",
+			     master, source, dns_result_totext(result));
+		goto next_master;
+	}
+
+	/*
+	 * Unexpected opcode.
+	 */
+	if (msg->opcode != dns_opcode_query) {
+		char opcode[128];
+		isc_buffer_t rb;
+
+		isc_buffer_init(&rb, opcode, sizeof(opcode));
+		(void)dns_opcode_totext(msg->opcode, &rb);
+
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refresh: "
+			     "unexpected opcode (%.*s) from %s (source %s)",
+			     (int)rb.used, opcode, master, source);
+		goto next_master;
+	}
+
+	/*
+	 * Unexpected rcode.
+	 */
+	if (msg->rcode != dns_rcode_noerror) {
+		char rcode[128];
+		isc_buffer_t rb;
+
+		isc_buffer_init(&rb, rcode, sizeof(rcode));
+		(void)dns_rcode_totext(msg->rcode, &rb);
+
+		if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS) &&
+		    (msg->rcode == dns_rcode_servfail ||
+		     msg->rcode == dns_rcode_notimp ||
+		     msg->rcode == dns_rcode_formerr))
+		{
+			dns_zone_log(zone, ISC_LOG_DEBUG(1),
+				     "refresh: rcode (%.*s) retrying without "
+				     "EDNS master %s (source %s)",
+				     (int)rb.used, rcode, master, source);
+			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
+			goto same_master;
+		}
+		if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS) &&
+		    msg->rcode == dns_rcode_badvers)
+		{
+			dns_zone_log(zone, ISC_LOG_DEBUG(1),
+				     "refresh: rcode (%.*s) retrying without "
+				     "EDNS EXPIRE OPTION master %s (source %s)",
+				     (int)rb.used, rcode, master, source);
+			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
+			goto same_master;
+		}
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refresh: unexpected rcode (%.*s) from "
+			     "master %s (source %s)",
+			     (int)rb.used, rcode, master, source);
+		/*
+		 * Perhaps AXFR/IXFR is allowed even if SOA queries aren't.
+		 */
+		if (msg->rcode == dns_rcode_refused &&
+		    (zone->type == dns_zone_secondary ||
+		     zone->type == dns_zone_mirror ||
+		     zone->type == dns_zone_redirect))
+		{
+			goto tcp_transfer;
+		}
+		goto next_master;
+	}
+
+	/*
+	 * If truncated punt to zone transfer which will query again.
+	 */
+	if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0) {
+		if (zone->type == dns_zone_secondary ||
+		    zone->type == dns_zone_mirror ||
+		    zone->type == dns_zone_redirect)
+		{
+			dns_zone_log(zone, ISC_LOG_INFO,
+				     "refresh: truncated UDP answer, "
+				     "initiating TCP zone xfer "
+				     "for master %s (source %s)",
+				     master, source);
+			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR);
+			goto tcp_transfer;
+		} else {
+			INSIST(zone->type == dns_zone_stub);
+			if (dns_request_usedtcp(revent->request)) {
+				dns_zone_log(zone, ISC_LOG_INFO,
+					     "refresh: truncated TCP response "
+					     "from master %s (source %s)",
+					     master, source);
+				goto next_master;
+			}
+			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_USEVC);
+			goto same_master;
+		}
+	}
+
+	/*
+	 * if non-auth log and next master;
+	 */
+	if ((msg->flags & DNS_MESSAGEFLAG_AA) == 0) {
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refresh: non-authoritative answer from "
+			     "master %s (source %s)",
+			     master, source);
+		goto next_master;
+	}
+
+	cnamecnt = message_count(msg, DNS_SECTION_ANSWER, dns_rdatatype_cname);
+	soacnt = message_count(msg, DNS_SECTION_ANSWER, dns_rdatatype_soa);
+	nscount = message_count(msg, DNS_SECTION_AUTHORITY, dns_rdatatype_ns);
+	soacount = message_count(msg, DNS_SECTION_AUTHORITY, dns_rdatatype_soa);
+
+	/*
+	 * There should not be a CNAME record at top of zone.
+	 */
+	if (cnamecnt != 0) {
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refresh: CNAME at top of zone "
+			     "in master %s (source %s)",
+			     master, source);
+		goto next_master;
+	}
+
+	/*
+	 * if referral log and next master;
+	 */
+	if (soacnt == 0 && soacount == 0 && nscount != 0) {
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refresh: referral response "
+			     "from master %s (source %s)",
+			     master, source);
+		goto next_master;
+	}
+
+	/*
+	 * if nodata log and next master;
+	 */
+	if (soacnt == 0 && (nscount == 0 || soacount != 0)) {
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refresh: NODATA response "
+			     "from master %s (source %s)",
+			     master, source);
+		goto next_master;
+	}
+
+	/*
+	 * Only one soa at top of zone.
+	 */
+	if (soacnt != 1) {
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refresh: answer SOA count (%d) != 1 "
+			     "from master %s (source %s)",
+			     soacnt, master, source);
+		goto next_master;
+	}
+
+	/*
+	 * Extract serial
+	 */
+	rdataset = NULL;
+	result = dns_message_findname(msg, DNS_SECTION_ANSWER, &zone->origin,
+				      dns_rdatatype_soa, dns_rdatatype_none,
+				      NULL, &rdataset);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refresh: unable to get SOA record "
+			     "from master %s (source %s)",
+			     master, source);
+		goto next_master;
+	}
+
+	result = dns_rdataset_first(rdataset);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refresh: dns_rdataset_first() failed");
+		goto next_master;
+	}
+
+	dns_rdataset_current(rdataset, &rdata);
+	result = dns_rdata_tostruct(&rdata, &soa, NULL);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	serial = soa.serial;
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) {
+		unsigned int dbsoacount;
+		result = zone_get_from_db(zone, zone->db, NULL, &dbsoacount,
+					  NULL, &oldserial, NULL, NULL, NULL,
+					  NULL, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		RUNTIME_CHECK(dbsoacount > 0U);
+		zone_debuglog(zone, me, 1, "serial: new %u, old %u", serial,
+			      oldserial);
+	} else {
+		zone_debuglog(zone, me, 1, "serial: new %u, old not loaded",
+			      serial);
+	}
+
+	if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) ||
+	    DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER) ||
+	    isc_serial_gt(serial, oldserial))
+	{
+		if (dns_zonemgr_unreachable(zone->zmgr, &zone->masteraddr,
+					    &zone->sourceaddr, &now))
+		{
+			dns_zone_log(zone, ISC_LOG_INFO,
+				     "refresh: skipping %s as master %s "
+				     "(source %s) is unreachable (cached)",
+				     (zone->type == dns_zone_secondary ||
+				      zone->type == dns_zone_mirror ||
+				      zone->type == dns_zone_redirect)
+					     ? "zone transfer"
+					     : "NS query",
+				     master, source);
+			goto next_master;
+		}
+	tcp_transfer:
+		isc_event_free(&event);
+		dns_request_destroy(&zone->request);
+		if (zone->type == dns_zone_secondary ||
+		    zone->type == dns_zone_mirror ||
+		    zone->type == dns_zone_redirect)
+		{
+			do_queue_xfrin = true;
+		} else {
+			INSIST(zone->type == dns_zone_stub);
+			ns_query(zone, rdataset, NULL);
+		}
+		if (msg != NULL) {
+			dns_message_detach(&msg);
+		}
+	} else if (isc_serial_eq(soa.serial, oldserial)) {
+		isc_time_t expiretime;
+		uint32_t expire;
+
+		/*
+		 * Compute the new expire time based on this response.
+		 */
+		expire = zone->expire;
+		get_edns_expire(zone, msg, &expire);
+		DNS_ZONE_TIME_ADD(&now, expire, &expiretime);
+
+		/*
+		 * Has the expire time improved?
+		 */
+		if (isc_time_compare(&expiretime, &zone->expiretime) > 0) {
+			zone->expiretime = expiretime;
+			if (zone->masterfile != NULL) {
+				setmodtime(zone, &expiretime);
+			}
+		}
+
+		DNS_ZONE_JITTER_ADD(&now, zone->refresh, &zone->refreshtime);
+		zone->mastersok[zone->curmaster] = true;
+		goto next_master;
+	} else {
+		if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_MULTIMASTER)) {
+			dns_zone_log(zone, ISC_LOG_INFO,
+				     "serial number (%u) "
+				     "received from master %s < ours (%u)",
+				     soa.serial, master, oldserial);
+		} else {
+			zone_debuglog(zone, me, 1, "ahead");
+		}
+		zone->mastersok[zone->curmaster] = true;
+		goto next_master;
+	}
+	if (msg != NULL) {
+		dns_message_detach(&msg);
+	}
+	goto detach;
+
+next_master:
+	if (msg != NULL) {
+		dns_message_detach(&msg);
+	}
+	isc_event_free(&event);
+	dns_request_destroy(&zone->request);
+	/*
+	 * Skip to next failed / untried master.
+	 */
+	do {
+		zone->curmaster++;
+	} while (zone->curmaster < zone->masterscnt &&
+		 zone->mastersok[zone->curmaster]);
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOEDNS);
+	if (zone->curmaster >= zone->masterscnt) {
+		bool done = true;
+		if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_USEALTXFRSRC) &&
+		    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC))
+		{
+			/*
+			 * Did we get a good answer from all the primaries?
+			 */
+			for (j = 0; j < zone->masterscnt; j++) {
+				if (!zone->mastersok[j]) {
+					{
+						done = false;
+						break;
+					}
+				}
+			}
+		} else {
+			done = true;
+		}
+		if (!done) {
+			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_USEALTXFRSRC);
+			zone->curmaster = 0;
+			/*
+			 * Find the next failed master.
+			 */
+			while (zone->curmaster < zone->masterscnt &&
+			       zone->mastersok[zone->curmaster])
+			{
+				zone->curmaster++;
+			}
+			goto requeue;
+		}
+		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
+		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDREFRESH)) {
+			DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDREFRESH);
+			zone->refreshtime = now;
+		}
+		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_USEALTXFRSRC);
+		zone_settimer(zone, &now);
+		goto detach;
+	}
+
+requeue:
+	queue_soa_query(zone);
+	goto detach;
+
+same_master:
+	if (msg != NULL) {
+		dns_message_detach(&msg);
+	}
+	isc_event_free(&event);
+	dns_request_destroy(&zone->request);
+	queue_soa_query(zone);
+
+detach:
+	UNLOCK_ZONE(zone);
+	if (do_queue_xfrin) {
+		queue_xfrin(zone);
+	}
+	dns_zone_idetach(&zone);
+	return;
+}
+
+static void
+queue_soa_query(dns_zone_t *zone) {
+	const char me[] = "queue_soa_query";
+	isc_event_t *e;
+	dns_zone_t *dummy = NULL;
+	isc_result_t result;
+
+	ENTER;
+	/*
+	 * Locked by caller
+	 */
+	REQUIRE(LOCKED_ZONE(zone));
+
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
+		cancel_refresh(zone);
+		return;
+	}
+
+	e = isc_event_allocate(zone->mctx, NULL, DNS_EVENT_ZONE, soa_query,
+			       zone, sizeof(isc_event_t));
+
+	/*
+	 * Attach so that we won't clean up
+	 * until the event is delivered.
+	 */
+	zone_iattach(zone, &dummy);
+
+	e->ev_arg = zone;
+	e->ev_sender = NULL;
+	result = isc_ratelimiter_enqueue(zone->zmgr->refreshrl, zone->task, &e);
+	if (result != ISC_R_SUCCESS) {
+		zone_idetach(&dummy);
+		isc_event_free(&e);
+		cancel_refresh(zone);
+	}
+}
+
+static void
+soa_query(isc_task_t *task, isc_event_t *event) {
+	const char me[] = "soa_query";
+	isc_result_t result = ISC_R_FAILURE;
+	dns_message_t *message = NULL;
+	dns_zone_t *zone = event->ev_arg;
+	dns_zone_t *dummy = NULL;
+	isc_netaddr_t masterip;
+	dns_tsigkey_t *key = NULL;
+	uint32_t options;
+	bool cancel = true;
+	int timeout;
+	bool have_xfrsource, have_xfrdscp, reqnsid, reqexpire;
+	uint16_t udpsize = SEND_BUFFER_SIZE;
+	isc_dscp_t dscp = -1;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	UNUSED(task);
+
+	ENTER;
+
+	LOCK_ZONE(zone);
+	if (((event->ev_attributes & ISC_EVENTATTR_CANCELED) != 0) ||
+	    DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING) ||
+	    zone->view->requestmgr == NULL)
+	{
+		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
+			cancel = false;
+		}
+		goto cleanup;
+	}
+
+again:
+	result = create_query(zone, dns_rdatatype_soa, &zone->origin, &message);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	INSIST(zone->masterscnt > 0);
+	INSIST(zone->curmaster < zone->masterscnt);
+
+	zone->masteraddr = zone->masters[zone->curmaster];
+
+	isc_netaddr_fromsockaddr(&masterip, &zone->masteraddr);
+	/*
+	 * First, look for a tsig key in the master statement, then
+	 * try for a server key.
+	 */
+	if ((zone->masterkeynames != NULL) &&
+	    (zone->masterkeynames[zone->curmaster] != NULL))
+	{
+		dns_view_t *view = dns_zone_getview(zone);
+		dns_name_t *keyname = zone->masterkeynames[zone->curmaster];
+		result = dns_view_gettsig(view, keyname, &key);
+		if (result != ISC_R_SUCCESS) {
+			char namebuf[DNS_NAME_FORMATSIZE];
+			dns_name_format(keyname, namebuf, sizeof(namebuf));
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "unable to find key: %s", namebuf);
+			goto skip_master;
+		}
+	}
+	if (key == NULL) {
+		result = dns_view_getpeertsig(zone->view, &masterip, &key);
+		if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
+			char addrbuf[ISC_NETADDR_FORMATSIZE];
+			isc_netaddr_format(&masterip, addrbuf, sizeof(addrbuf));
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "unable to find TSIG key for %s", addrbuf);
+			goto skip_master;
+		}
+	}
+
+	options = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEVC) ? DNS_REQUESTOPT_TCP
+							 : 0;
+	have_xfrsource = have_xfrdscp = false;
+	reqnsid = zone->view->requestnsid;
+	reqexpire = zone->requestexpire;
+	if (zone->view->peers != NULL) {
+		dns_peer_t *peer = NULL;
+		bool edns, usetcp;
+		result = dns_peerlist_peerbyaddr(zone->view->peers, &masterip,
+						 &peer);
+		if (result == ISC_R_SUCCESS) {
+			result = dns_peer_getsupportedns(peer, &edns);
+			if (result == ISC_R_SUCCESS && !edns) {
+				DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
+			}
+			result = dns_peer_gettransfersource(peer,
+							    &zone->sourceaddr);
+			if (result == ISC_R_SUCCESS) {
+				have_xfrsource = true;
+			}
+			(void)dns_peer_gettransferdscp(peer, &dscp);
+			if (dscp != -1) {
+				have_xfrdscp = true;
+			}
+			if (zone->view->resolver != NULL) {
+				udpsize = dns_resolver_getudpsize(
+					zone->view->resolver);
+			}
+			(void)dns_peer_getudpsize(peer, &udpsize);
+			(void)dns_peer_getrequestnsid(peer, &reqnsid);
+			(void)dns_peer_getrequestexpire(peer, &reqexpire);
+			result = dns_peer_getforcetcp(peer, &usetcp);
+			if (result == ISC_R_SUCCESS && usetcp) {
+				options |= DNS_REQUESTOPT_TCP;
+			}
+		}
+	}
+
+	switch (isc_sockaddr_pf(&zone->masteraddr)) {
+	case PF_INET:
+		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC)) {
+			if (isc_sockaddr_equal(&zone->altxfrsource4,
+					       &zone->xfrsource4))
+			{
+				goto skip_master;
+			}
+			zone->sourceaddr = zone->altxfrsource4;
+			if (!have_xfrdscp) {
+				dscp = zone->altxfrsource4dscp;
+			}
+		} else if (!have_xfrsource) {
+			zone->sourceaddr = zone->xfrsource4;
+			if (!have_xfrdscp) {
+				dscp = zone->xfrsource4dscp;
+			}
+		}
+		break;
+	case PF_INET6:
+		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC)) {
+			if (isc_sockaddr_equal(&zone->altxfrsource6,
+					       &zone->xfrsource6))
+			{
+				goto skip_master;
+			}
+			zone->sourceaddr = zone->altxfrsource6;
+			if (!have_xfrdscp) {
+				dscp = zone->altxfrsource6dscp;
+			}
+		} else if (!have_xfrsource) {
+			zone->sourceaddr = zone->xfrsource6;
+			if (!have_xfrdscp) {
+				dscp = zone->xfrsource6dscp;
+			}
+		}
+		break;
+	default:
+		result = ISC_R_NOTIMPLEMENTED;
+		goto cleanup;
+	}
+
+	if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) {
+		result = add_opt(message, udpsize, reqnsid, reqexpire);
+		if (result != ISC_R_SUCCESS) {
+			zone_debuglog(zone, me, 1,
+				      "unable to add opt record: %s",
+				      dns_result_totext(result));
+		}
+	}
+
+	zone_iattach(zone, &dummy);
+	timeout = 15;
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH)) {
+		timeout = 30;
+	}
+	result = dns_request_createvia(
+		zone->view->requestmgr, message, &zone->sourceaddr,
+		&zone->masteraddr, dscp, options, key, timeout * 3, timeout, 0,
+		zone->task, refresh_callback, zone, &zone->request);
+	if (result != ISC_R_SUCCESS) {
+		zone_idetach(&dummy);
+		zone_debuglog(zone, me, 1,
+			      "dns_request_createvia4() failed: %s",
+			      dns_result_totext(result));
+		goto skip_master;
+	} else {
+		if (isc_sockaddr_pf(&zone->masteraddr) == PF_INET) {
+			inc_stats(zone, dns_zonestatscounter_soaoutv4);
+		} else {
+			inc_stats(zone, dns_zonestatscounter_soaoutv6);
+		}
+	}
+	cancel = false;
+
+cleanup:
+	if (key != NULL) {
+		dns_tsigkey_detach(&key);
+	}
+	if (result != ISC_R_SUCCESS) {
+		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
+	}
+	if (message != NULL) {
+		dns_message_detach(&message);
+	}
+	if (cancel) {
+		cancel_refresh(zone);
+	}
+	isc_event_free(&event);
+	UNLOCK_ZONE(zone);
+	dns_zone_idetach(&zone);
+	return;
+
+skip_master:
+	if (key != NULL) {
+		dns_tsigkey_detach(&key);
+	}
+	dns_message_detach(&message);
+	/*
+	 * Skip to next failed / untried master.
+	 */
+	do {
+		zone->curmaster++;
+	} while (zone->curmaster < zone->masterscnt &&
+		 zone->mastersok[zone->curmaster]);
+	if (zone->curmaster < zone->masterscnt) {
+		goto again;
+	}
+	zone->curmaster = 0;
+	goto cleanup;
+}
+
+static void
+ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) {
+	const char me[] = "ns_query";
+	isc_result_t result;
+	dns_message_t *message = NULL;
+	isc_netaddr_t masterip;
+	dns_tsigkey_t *key = NULL;
+	dns_dbnode_t *node = NULL;
+	int timeout;
+	bool have_xfrsource = false, have_xfrdscp = false;
+	bool reqnsid;
+	uint16_t udpsize = SEND_BUFFER_SIZE;
+	isc_dscp_t dscp = -1;
+	struct stub_cb_args *cb_args;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(LOCKED_ZONE(zone));
+	REQUIRE((soardataset != NULL && stub == NULL) ||
+		(soardataset == NULL && stub != NULL));
+	REQUIRE(stub == NULL || DNS_STUB_VALID(stub));
+
+	ENTER;
+
+	if (stub == NULL) {
+		stub = isc_mem_get(zone->mctx, sizeof(*stub));
+		stub->magic = STUB_MAGIC;
+		stub->mctx = zone->mctx;
+		stub->zone = NULL;
+		stub->db = NULL;
+		stub->version = NULL;
+		atomic_init(&stub->pending_requests, 0);
+
+		/*
+		 * Attach so that the zone won't disappear from under us.
+		 */
+		zone_iattach(zone, &stub->zone);
+
+		/*
+		 * If a db exists we will update it, otherwise we create a
+		 * new one and attach it to the zone once we have the NS
+		 * RRset and glue.
+		 */
+		ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+		if (zone->db != NULL) {
+			dns_db_attach(zone->db, &stub->db);
+			ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+		} else {
+			ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+
+			INSIST(zone->db_argc >= 1);
+			result = dns_db_create(zone->mctx, zone->db_argv[0],
+					       &zone->origin, dns_dbtype_stub,
+					       zone->rdclass, zone->db_argc - 1,
+					       zone->db_argv + 1, &stub->db);
+			if (result != ISC_R_SUCCESS) {
+				dns_zone_log(zone, ISC_LOG_ERROR,
+					     "refreshing stub: "
+					     "could not create "
+					     "database: %s",
+					     dns_result_totext(result));
+				goto cleanup;
+			}
+			dns_db_settask(stub->db, zone->task);
+		}
+
+		result = dns_db_newversion(stub->db, &stub->version);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_INFO,
+				     "refreshing stub: "
+				     "dns_db_newversion() failed: %s",
+				     dns_result_totext(result));
+			goto cleanup;
+		}
+
+		/*
+		 * Update SOA record.
+		 */
+		result = dns_db_findnode(stub->db, &zone->origin, true, &node);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_INFO,
+				     "refreshing stub: "
+				     "dns_db_findnode() failed: %s",
+				     dns_result_totext(result));
+			goto cleanup;
+		}
+
+		result = dns_db_addrdataset(stub->db, node, stub->version, 0,
+					    soardataset, 0, NULL);
+		dns_db_detachnode(stub->db, &node);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_INFO,
+				     "refreshing stub: "
+				     "dns_db_addrdataset() failed: %s",
+				     dns_result_totext(result));
+			goto cleanup;
+		}
+	}
+
+	/*
+	 * XXX Optimisation: Create message when zone is setup and reuse.
+	 */
+	result = create_query(zone, dns_rdatatype_ns, &zone->origin, &message);
+	INSIST(result == ISC_R_SUCCESS);
+
+	INSIST(zone->masterscnt > 0);
+	INSIST(zone->curmaster < zone->masterscnt);
+	zone->masteraddr = zone->masters[zone->curmaster];
+
+	isc_netaddr_fromsockaddr(&masterip, &zone->masteraddr);
+	/*
+	 * First, look for a tsig key in the master statement, then
+	 * try for a server key.
+	 */
+	if ((zone->masterkeynames != NULL) &&
+	    (zone->masterkeynames[zone->curmaster] != NULL))
+	{
+		dns_view_t *view = dns_zone_getview(zone);
+		dns_name_t *keyname = zone->masterkeynames[zone->curmaster];
+		result = dns_view_gettsig(view, keyname, &key);
+		if (result != ISC_R_SUCCESS) {
+			char namebuf[DNS_NAME_FORMATSIZE];
+			dns_name_format(keyname, namebuf, sizeof(namebuf));
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "unable to find key: %s", namebuf);
+		}
+	}
+	if (key == NULL) {
+		(void)dns_view_getpeertsig(zone->view, &masterip, &key);
+	}
+
+	reqnsid = zone->view->requestnsid;
+	if (zone->view->peers != NULL) {
+		dns_peer_t *peer = NULL;
+		bool edns;
+		result = dns_peerlist_peerbyaddr(zone->view->peers, &masterip,
+						 &peer);
+		if (result == ISC_R_SUCCESS) {
+			result = dns_peer_getsupportedns(peer, &edns);
+			if (result == ISC_R_SUCCESS && !edns) {
+				DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
+			}
+			result = dns_peer_gettransfersource(peer,
+							    &zone->sourceaddr);
+			if (result == ISC_R_SUCCESS) {
+				have_xfrsource = true;
+			}
+			result = dns_peer_gettransferdscp(peer, &dscp);
+			if (result == ISC_R_SUCCESS && dscp != -1) {
+				have_xfrdscp = true;
+			}
+			if (zone->view->resolver != NULL) {
+				udpsize = dns_resolver_getudpsize(
+					zone->view->resolver);
+			}
+			(void)dns_peer_getudpsize(peer, &udpsize);
+			(void)dns_peer_getrequestnsid(peer, &reqnsid);
+		}
+	}
+	if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) {
+		result = add_opt(message, udpsize, reqnsid, false);
+		if (result != ISC_R_SUCCESS) {
+			zone_debuglog(zone, me, 1,
+				      "unable to add opt record: %s",
+				      dns_result_totext(result));
+		}
+	}
+
+	/*
+	 * Always use TCP so that we shouldn't truncate in additional section.
+	 */
+	switch (isc_sockaddr_pf(&zone->masteraddr)) {
+	case PF_INET:
+		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC)) {
+			zone->sourceaddr = zone->altxfrsource4;
+			if (!have_xfrdscp) {
+				dscp = zone->altxfrsource4dscp;
+			}
+		} else if (!have_xfrsource) {
+			zone->sourceaddr = zone->xfrsource4;
+			if (!have_xfrdscp) {
+				dscp = zone->xfrsource4dscp;
+			}
+		}
+		break;
+	case PF_INET6:
+		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC)) {
+			zone->sourceaddr = zone->altxfrsource6;
+			if (!have_xfrdscp) {
+				dscp = zone->altxfrsource6dscp;
+			}
+		} else if (!have_xfrsource) {
+			zone->sourceaddr = zone->xfrsource6;
+			if (!have_xfrdscp) {
+				dscp = zone->xfrsource6dscp;
+			}
+		}
+		break;
+	default:
+		result = ISC_R_NOTIMPLEMENTED;
+		POST(result);
+		goto cleanup;
+	}
+	timeout = 15;
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH)) {
+		timeout = 30;
+	}
+
+	/*
+	 * Save request parameters so we can reuse them later on
+	 * for resolving missing glue A/AAAA records.
+	 */
+	cb_args = isc_mem_get(zone->mctx, sizeof(*cb_args));
+	cb_args->stub = stub;
+	cb_args->tsig_key = key;
+	cb_args->dscp = dscp;
+	cb_args->udpsize = udpsize;
+	cb_args->timeout = timeout;
+	cb_args->reqnsid = reqnsid;
+
+	result = dns_request_createvia(
+		zone->view->requestmgr, message, &zone->sourceaddr,
+		&zone->masteraddr, dscp, DNS_REQUESTOPT_TCP, key, timeout * 3,
+		timeout, 0, zone->task, stub_callback, cb_args, &zone->request);
+	if (result != ISC_R_SUCCESS) {
+		zone_debuglog(zone, me, 1, "dns_request_createvia() failed: %s",
+			      dns_result_totext(result));
+		goto cleanup;
+	}
+	dns_message_detach(&message);
+	goto unlock;
+
+cleanup:
+	cancel_refresh(zone);
+	stub->magic = 0;
+	if (stub->version != NULL) {
+		dns_db_closeversion(stub->db, &stub->version, false);
+	}
+	if (stub->db != NULL) {
+		dns_db_detach(&stub->db);
+	}
+	if (stub->zone != NULL) {
+		zone_idetach(&stub->zone);
+	}
+	isc_mem_put(stub->mctx, stub, sizeof(*stub));
+	if (message != NULL) {
+		dns_message_detach(&message);
+	}
+unlock:
+	if (key != NULL) {
+		dns_tsigkey_detach(&key);
+	}
+	return;
+}
+
+/*
+ * Shut the zone down.
+ */
+static void
+zone_shutdown(isc_task_t *task, isc_event_t *event) {
+	dns_zone_t *zone = (dns_zone_t *)event->ev_arg;
+	bool free_needed, linked = false;
+	dns_zone_t *raw = NULL, *secure = NULL;
+	dns_view_t *view = NULL, *prev_view = NULL;
+
+	UNUSED(task);
+	REQUIRE(DNS_ZONE_VALID(zone));
+	INSIST(event->ev_type == DNS_EVENT_ZONECONTROL);
+	INSIST(isc_refcount_current(&zone->erefs) == 0);
+
+	zone_debuglog(zone, "zone_shutdown", 3, "shutting down");
+
+	/*
+	 * If we were waiting for xfrin quota, step out of
+	 * the queue.
+	 * If there's no zone manager, we can't be waiting for the
+	 * xfrin quota
+	 */
+	if (zone->zmgr != NULL) {
+		RWLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);
+		if (zone->statelist == &zone->zmgr->waiting_for_xfrin) {
+			ISC_LIST_UNLINK(zone->zmgr->waiting_for_xfrin, zone,
+					statelink);
+			linked = true;
+			zone->statelist = NULL;
+		}
+		if (zone->statelist == &zone->zmgr->xfrin_in_progress) {
+			ISC_LIST_UNLINK(zone->zmgr->xfrin_in_progress, zone,
+					statelink);
+			zone->statelist = NULL;
+			zmgr_resume_xfrs(zone->zmgr, false);
+		}
+		RWUNLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);
+	}
+
+	/*
+	 * In task context, no locking required.  See zone_xfrdone().
+	 */
+	if (zone->xfr != NULL) {
+		dns_xfrin_shutdown(zone->xfr);
+	}
+
+	/* Safe to release the zone now */
+	if (zone->zmgr != NULL) {
+		dns_zonemgr_releasezone(zone->zmgr, zone);
+	}
+
+	LOCK_ZONE(zone);
+	INSIST(zone != zone->raw);
+
+	/*
+	 * Detach the views early, we don't need them anymore.  However, we need
+	 * to detach them outside of the zone lock to break the lock loop
+	 * between view, adb and zone locks.
+	 */
+	view = zone->view;
+	zone->view = NULL;
+	prev_view = zone->prev_view;
+	zone->prev_view = NULL;
+
+	if (linked) {
+		isc_refcount_decrement(&zone->irefs);
+	}
+	if (zone->request != NULL) {
+		dns_request_cancel(zone->request);
+	}
+
+	if (zone->readio != NULL) {
+		zonemgr_cancelio(zone->readio);
+	}
+
+	if (zone->lctx != NULL) {
+		dns_loadctx_cancel(zone->lctx);
+	}
+
+	if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FLUSH) ||
+	    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING))
+	{
+		if (zone->writeio != NULL) {
+			zonemgr_cancelio(zone->writeio);
+		}
+
+		if (zone->dctx != NULL) {
+			dns_dumpctx_cancel(zone->dctx);
+		}
+	}
+
+	checkds_cancel(zone);
+
+	notify_cancel(zone);
+
+	forward_cancel(zone);
+
+	if (zone->timer != NULL) {
+		isc_timer_destroy(&zone->timer);
+		isc_refcount_decrement(&zone->irefs);
+	}
+
+	/*
+	 * We have now canceled everything set the flag to allow exit_check()
+	 * to succeed.	We must not unlock between setting this flag and
+	 * calling exit_check().
+	 */
+	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_SHUTDOWN);
+	free_needed = exit_check(zone);
+	/*
+	 * If a dump is in progress for the secure zone, defer detaching from
+	 * the raw zone as it may prevent the unsigned serial number from being
+	 * stored in the raw-format dump of the secure zone.  In this scenario,
+	 * dump_done() takes care of cleaning up the zone->raw reference.
+	 */
+	if (inline_secure(zone) && !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING)) {
+		raw = zone->raw;
+		zone->raw = NULL;
+	}
+	if (inline_raw(zone)) {
+		secure = zone->secure;
+		zone->secure = NULL;
+	}
+	UNLOCK_ZONE(zone);
+
+	if (view != NULL) {
+		dns_view_weakdetach(&view);
+	}
+	if (prev_view != NULL) {
+		dns_view_weakdetach(&prev_view);
+	}
+
+	if (raw != NULL) {
+		dns_zone_detach(&raw);
+	}
+	if (secure != NULL) {
+		dns_zone_idetach(&secure);
+	}
+	if (free_needed) {
+		zone_free(zone);
+	}
+}
+
+static void
+zone_timer(isc_task_t *task, isc_event_t *event) {
+	const char me[] = "zone_timer";
+	dns_zone_t *zone = (dns_zone_t *)event->ev_arg;
+
+	UNUSED(task);
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	ENTER;
+
+	zone_maintenance(zone);
+
+	isc_event_free(&event);
+}
+
+static void
+zone_settimer(dns_zone_t *zone, isc_time_t *now) {
+	const char me[] = "zone_settimer";
+	isc_time_t next;
+	isc_result_t result;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(LOCKED_ZONE(zone));
+	ENTER;
+
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
+		return;
+	}
+
+	isc_time_settoepoch(&next);
+
+	switch (zone->type) {
+	case dns_zone_redirect:
+		if (zone->masters != NULL) {
+			goto treat_as_slave;
+		}
+		FALLTHROUGH;
+	case dns_zone_primary:
+		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY) ||
+		    DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDSTARTUPNOTIFY))
+		{
+			next = zone->notifytime;
+		}
+		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
+		    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING))
+		{
+			INSIST(!isc_time_isepoch(&zone->dumptime));
+			if (isc_time_isepoch(&next) ||
+			    isc_time_compare(&zone->dumptime, &next) < 0)
+			{
+				next = zone->dumptime;
+			}
+		}
+		if (zone->type == dns_zone_redirect) {
+			break;
+		}
+		if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESHING) &&
+		    !isc_time_isepoch(&zone->refreshkeytime))
+		{
+			if (isc_time_isepoch(&next) ||
+			    isc_time_compare(&zone->refreshkeytime, &next) < 0)
+			{
+				next = zone->refreshkeytime;
+			}
+		}
+		if (!isc_time_isepoch(&zone->resigntime)) {
+			if (isc_time_isepoch(&next) ||
+			    isc_time_compare(&zone->resigntime, &next) < 0)
+			{
+				next = zone->resigntime;
+			}
+		}
+		if (!isc_time_isepoch(&zone->keywarntime)) {
+			if (isc_time_isepoch(&next) ||
+			    isc_time_compare(&zone->keywarntime, &next) < 0)
+			{
+				next = zone->keywarntime;
+			}
+		}
+		if (!isc_time_isepoch(&zone->signingtime)) {
+			if (isc_time_isepoch(&next) ||
+			    isc_time_compare(&zone->signingtime, &next) < 0)
+			{
+				next = zone->signingtime;
+			}
+		}
+		if (!isc_time_isepoch(&zone->nsec3chaintime)) {
+			if (isc_time_isepoch(&next) ||
+			    isc_time_compare(&zone->nsec3chaintime, &next) < 0)
+			{
+				next = zone->nsec3chaintime;
+			}
+		}
+		break;
+
+	case dns_zone_secondary:
+	case dns_zone_mirror:
+	treat_as_slave:
+		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY) ||
+		    DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDSTARTUPNOTIFY))
+		{
+			next = zone->notifytime;
+		}
+		FALLTHROUGH;
+	case dns_zone_stub:
+		if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESH) &&
+		    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOMASTERS) &&
+		    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOREFRESH) &&
+		    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADING) &&
+		    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADPENDING) &&
+		    !isc_time_isepoch(&zone->refreshtime) &&
+		    (isc_time_isepoch(&next) ||
+		     isc_time_compare(&zone->refreshtime, &next) < 0))
+		{
+			next = zone->refreshtime;
+		}
+		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) &&
+		    !isc_time_isepoch(&zone->expiretime))
+		{
+			if (isc_time_isepoch(&next) ||
+			    isc_time_compare(&zone->expiretime, &next) < 0)
+			{
+				next = zone->expiretime;
+			}
+		}
+		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
+		    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING))
+		{
+			INSIST(!isc_time_isepoch(&zone->dumptime));
+			if (isc_time_isepoch(&next) ||
+			    isc_time_compare(&zone->dumptime, &next) < 0)
+			{
+				next = zone->dumptime;
+			}
+		}
+		break;
+
+	case dns_zone_key:
+		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
+		    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING))
+		{
+			INSIST(!isc_time_isepoch(&zone->dumptime));
+			if (isc_time_isepoch(&next) ||
+			    isc_time_compare(&zone->dumptime, &next) < 0)
+			{
+				next = zone->dumptime;
+			}
+		}
+		if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESHING)) {
+			if (isc_time_isepoch(&next) ||
+			    (!isc_time_isepoch(&zone->refreshkeytime) &&
+			     isc_time_compare(&zone->refreshkeytime, &next) <
+				     0))
+			{
+				next = zone->refreshkeytime;
+			}
+		}
+		break;
+
+	default:
+		break;
+	}
+
+	if (isc_time_isepoch(&next)) {
+		zone_debuglog(zone, me, 10, "settimer inactive");
+		result = isc_timer_reset(zone->timer, isc_timertype_inactive,
+					 NULL, NULL, true);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "could not deactivate zone timer: %s",
+				     isc_result_totext(result));
+		}
+	} else {
+		if (isc_time_compare(&next, now) <= 0) {
+			next = *now;
+		}
+		result = isc_timer_reset(zone->timer, isc_timertype_once, &next,
+					 NULL, true);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "could not reset zone timer: %s",
+				     isc_result_totext(result));
+		}
+	}
+}
+
+static void
+cancel_refresh(dns_zone_t *zone) {
+	const char me[] = "cancel_refresh";
+	isc_time_t now;
+
+	/*
+	 * 'zone' locked by caller.
+	 */
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(LOCKED_ZONE(zone));
+
+	ENTER;
+
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
+	TIME_NOW(&now);
+	zone_settimer(zone, &now);
+}
+
+static isc_result_t
+notify_createmessage(dns_zone_t *zone, unsigned int flags,
+		     dns_message_t **messagep) {
+	dns_db_t *zonedb = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_dbversion_t *version = NULL;
+	dns_message_t *message = NULL;
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+
+	dns_name_t *tempname = NULL;
+	dns_rdata_t *temprdata = NULL;
+	dns_rdatalist_t *temprdatalist = NULL;
+	dns_rdataset_t *temprdataset = NULL;
+
+	isc_result_t result;
+	isc_region_t r;
+	isc_buffer_t *b = NULL;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(messagep != NULL && *messagep == NULL);
+
+	dns_message_create(zone->mctx, DNS_MESSAGE_INTENTRENDER, &message);
+
+	message->opcode = dns_opcode_notify;
+	message->flags |= DNS_MESSAGEFLAG_AA;
+	message->rdclass = zone->rdclass;
+
+	result = dns_message_gettempname(message, &tempname);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	result = dns_message_gettemprdataset(message, &temprdataset);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	/*
+	 * Make question.
+	 */
+	dns_name_clone(&zone->origin, tempname);
+	dns_rdataset_makequestion(temprdataset, zone->rdclass,
+				  dns_rdatatype_soa);
+	ISC_LIST_APPEND(tempname->list, temprdataset, link);
+	dns_message_addname(message, tempname, DNS_SECTION_QUESTION);
+	tempname = NULL;
+	temprdataset = NULL;
+
+	if ((flags & DNS_NOTIFY_NOSOA) != 0) {
+		goto done;
+	}
+
+	result = dns_message_gettempname(message, &tempname);
+	if (result != ISC_R_SUCCESS) {
+		goto soa_cleanup;
+	}
+	result = dns_message_gettemprdata(message, &temprdata);
+	if (result != ISC_R_SUCCESS) {
+		goto soa_cleanup;
+	}
+	result = dns_message_gettemprdataset(message, &temprdataset);
+	if (result != ISC_R_SUCCESS) {
+		goto soa_cleanup;
+	}
+	result = dns_message_gettemprdatalist(message, &temprdatalist);
+	if (result != ISC_R_SUCCESS) {
+		goto soa_cleanup;
+	}
+
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	INSIST(zone->db != NULL); /* XXXJT: is this assumption correct? */
+	dns_db_attach(zone->db, &zonedb);
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+
+	dns_name_clone(&zone->origin, tempname);
+	dns_db_currentversion(zonedb, &version);
+	result = dns_db_findnode(zonedb, tempname, false, &node);
+	if (result != ISC_R_SUCCESS) {
+		goto soa_cleanup;
+	}
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(zonedb, node, version, dns_rdatatype_soa,
+				     dns_rdatatype_none, 0, &rdataset, NULL);
+	if (result != ISC_R_SUCCESS) {
+		goto soa_cleanup;
+	}
+	result = dns_rdataset_first(&rdataset);
+	if (result != ISC_R_SUCCESS) {
+		goto soa_cleanup;
+	}
+	dns_rdataset_current(&rdataset, &rdata);
+	dns_rdata_toregion(&rdata, &r);
+	isc_buffer_allocate(zone->mctx, &b, r.length);
+	isc_buffer_putmem(b, r.base, r.length);
+	isc_buffer_usedregion(b, &r);
+	dns_rdata_init(temprdata);
+	dns_rdata_fromregion(temprdata, rdata.rdclass, rdata.type, &r);
+	dns_message_takebuffer(message, &b);
+	result = dns_rdataset_next(&rdataset);
+	dns_rdataset_disassociate(&rdataset);
+	if (result != ISC_R_NOMORE) {
+		goto soa_cleanup;
+	}
+	temprdatalist->rdclass = rdata.rdclass;
+	temprdatalist->type = rdata.type;
+	temprdatalist->ttl = rdataset.ttl;
+	ISC_LIST_APPEND(temprdatalist->rdata, temprdata, link);
+
+	result = dns_rdatalist_tordataset(temprdatalist, temprdataset);
+	if (result != ISC_R_SUCCESS) {
+		goto soa_cleanup;
+	}
+
+	ISC_LIST_APPEND(tempname->list, temprdataset, link);
+	dns_message_addname(message, tempname, DNS_SECTION_ANSWER);
+	temprdatalist = NULL;
+	temprdataset = NULL;
+	temprdata = NULL;
+	tempname = NULL;
+
+soa_cleanup:
+	if (node != NULL) {
+		dns_db_detachnode(zonedb, &node);
+	}
+	if (version != NULL) {
+		dns_db_closeversion(zonedb, &version, false);
+	}
+	if (zonedb != NULL) {
+		dns_db_detach(&zonedb);
+	}
+	if (tempname != NULL) {
+		dns_message_puttempname(message, &tempname);
+	}
+	if (temprdata != NULL) {
+		dns_message_puttemprdata(message, &temprdata);
+	}
+	if (temprdataset != NULL) {
+		dns_message_puttemprdataset(message, &temprdataset);
+	}
+	if (temprdatalist != NULL) {
+		dns_message_puttemprdatalist(message, &temprdatalist);
+	}
+
+done:
+	*messagep = message;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	if (tempname != NULL) {
+		dns_message_puttempname(message, &tempname);
+	}
+	if (temprdataset != NULL) {
+		dns_message_puttemprdataset(message, &temprdataset);
+	}
+	dns_message_detach(&message);
+	return (result);
+}
+
+isc_result_t
+dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
+		       isc_sockaddr_t *to, dns_message_t *msg) {
+	unsigned int i;
+	dns_rdata_soa_t soa;
+	dns_rdataset_t *rdataset = NULL;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_result_t result;
+	char fromtext[ISC_SOCKADDR_FORMATSIZE];
+	int match = 0;
+	isc_netaddr_t netaddr;
+	uint32_t serial = 0;
+	bool have_serial = false;
+	dns_tsigkey_t *tsigkey;
+	const dns_name_t *tsig;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	/*
+	 * If type != T_SOA return DNS_R_NOTIMP.  We don't yet support
+	 * ROLLOVER.
+	 *
+	 * SOA:	RFC1996
+	 * Check that 'from' is a valid notify source, (zone->masters).
+	 *	Return DNS_R_REFUSED if not.
+	 *
+	 * If the notify message contains a serial number check it
+	 * against the zones serial and return if <= current serial
+	 *
+	 * If a refresh check is progress, if so just record the
+	 * fact we received a NOTIFY and from where and return.
+	 * We will perform a new refresh check when the current one
+	 * completes. Return ISC_R_SUCCESS.
+	 *
+	 * Otherwise initiate a refresh check using 'from' as the
+	 * first address to check.  Return ISC_R_SUCCESS.
+	 */
+
+	isc_sockaddr_format(from, fromtext, sizeof(fromtext));
+
+	/*
+	 * Notify messages are processed by the raw zone.
+	 */
+	LOCK_ZONE(zone);
+	INSIST(zone != zone->raw);
+	if (inline_secure(zone)) {
+		result = dns_zone_notifyreceive(zone->raw, from, to, msg);
+		UNLOCK_ZONE(zone);
+		return (result);
+	}
+	/*
+	 *  We only handle NOTIFY (SOA) at the present.
+	 */
+	if (isc_sockaddr_pf(from) == PF_INET) {
+		inc_stats(zone, dns_zonestatscounter_notifyinv4);
+	} else {
+		inc_stats(zone, dns_zonestatscounter_notifyinv6);
+	}
+	if (msg->counts[DNS_SECTION_QUESTION] == 0 ||
+	    dns_message_findname(msg, DNS_SECTION_QUESTION, &zone->origin,
+				 dns_rdatatype_soa, dns_rdatatype_none, NULL,
+				 NULL) != ISC_R_SUCCESS)
+	{
+		UNLOCK_ZONE(zone);
+		if (msg->counts[DNS_SECTION_QUESTION] == 0) {
+			dns_zone_log(zone, ISC_LOG_NOTICE,
+				     "NOTIFY with no "
+				     "question section from: %s",
+				     fromtext);
+			return (DNS_R_FORMERR);
+		}
+		dns_zone_log(zone, ISC_LOG_NOTICE,
+			     "NOTIFY zone does not match");
+		return (DNS_R_NOTIMP);
+	}
+
+	/*
+	 * If we are a master zone just succeed.
+	 */
+	if (zone->type == dns_zone_primary) {
+		UNLOCK_ZONE(zone);
+		return (ISC_R_SUCCESS);
+	}
+
+	isc_netaddr_fromsockaddr(&netaddr, from);
+	for (i = 0; i < zone->masterscnt; i++) {
+		if (isc_sockaddr_eqaddr(from, &zone->masters[i])) {
+			break;
+		}
+		if (zone->view->aclenv.match_mapped &&
+		    IN6_IS_ADDR_V4MAPPED(&from->type.sin6.sin6_addr) &&
+		    isc_sockaddr_pf(&zone->masters[i]) == AF_INET)
+		{
+			isc_netaddr_t na1, na2;
+			isc_netaddr_fromv4mapped(&na1, &netaddr);
+			isc_netaddr_fromsockaddr(&na2, &zone->masters[i]);
+			if (isc_netaddr_equal(&na1, &na2)) {
+				break;
+			}
+		}
+	}
+
+	/*
+	 * Accept notify requests from non masters if they are on
+	 * 'zone->notify_acl'.
+	 */
+	tsigkey = dns_message_gettsigkey(msg);
+	tsig = dns_tsigkey_identity(tsigkey);
+	if (i >= zone->masterscnt && zone->notify_acl != NULL &&
+	    (dns_acl_match(&netaddr, tsig, zone->notify_acl,
+			   &zone->view->aclenv, &match,
+			   NULL) == ISC_R_SUCCESS) &&
+	    match > 0)
+	{
+		/* Accept notify. */
+	} else if (i >= zone->masterscnt) {
+		UNLOCK_ZONE(zone);
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refused notify from non-master: %s", fromtext);
+		inc_stats(zone, dns_zonestatscounter_notifyrej);
+		return (DNS_R_REFUSED);
+	}
+
+	/*
+	 * If the zone is loaded and there are answers check the serial
+	 * to see if we need to do a refresh.  Do not worry about this
+	 * check if we are a dialup zone as we use the notify request
+	 * to trigger a refresh check.
+	 */
+	if (msg->counts[DNS_SECTION_ANSWER] > 0 &&
+	    DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) &&
+	    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOREFRESH))
+	{
+		result = dns_message_findname(
+			msg, DNS_SECTION_ANSWER, &zone->origin,
+			dns_rdatatype_soa, dns_rdatatype_none, NULL, &rdataset);
+		if (result == ISC_R_SUCCESS) {
+			result = dns_rdataset_first(rdataset);
+		}
+		if (result == ISC_R_SUCCESS) {
+			uint32_t oldserial;
+			unsigned int soacount;
+
+			dns_rdataset_current(rdataset, &rdata);
+			result = dns_rdata_tostruct(&rdata, &soa, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			serial = soa.serial;
+			have_serial = true;
+			/*
+			 * The following should safely be performed without DB
+			 * lock and succeed in this context.
+			 */
+			result = zone_get_from_db(zone, zone->db, NULL,
+						  &soacount, NULL, &oldserial,
+						  NULL, NULL, NULL, NULL, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			RUNTIME_CHECK(soacount > 0U);
+			if (isc_serial_le(serial, oldserial)) {
+				dns_zone_log(zone, ISC_LOG_INFO,
+					     "notify from %s: "
+					     "zone is up to date",
+					     fromtext);
+				UNLOCK_ZONE(zone);
+				return (ISC_R_SUCCESS);
+			}
+		}
+	}
+
+	/*
+	 * If we got this far and there was a refresh in progress just
+	 * let it complete.  Record where we got the notify from so we
+	 * can perform a refresh check when the current one completes
+	 */
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESH)) {
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDREFRESH);
+		zone->notifyfrom = *from;
+		UNLOCK_ZONE(zone);
+		if (have_serial) {
+			dns_zone_log(zone, ISC_LOG_INFO,
+				     "notify from %s: serial %u: refresh in "
+				     "progress, refresh check queued",
+				     fromtext, serial);
+		} else {
+			dns_zone_log(zone, ISC_LOG_INFO,
+				     "notify from %s: refresh in progress, "
+				     "refresh check queued",
+				     fromtext);
+		}
+		return (ISC_R_SUCCESS);
+	}
+	if (have_serial) {
+		dns_zone_log(zone, ISC_LOG_INFO, "notify from %s: serial %u",
+			     fromtext, serial);
+	} else {
+		dns_zone_log(zone, ISC_LOG_INFO, "notify from %s: no serial",
+			     fromtext);
+	}
+	zone->notifyfrom = *from;
+	UNLOCK_ZONE(zone);
+
+	if (to != NULL) {
+		dns_zonemgr_unreachabledel(zone->zmgr, from, to);
+	}
+	dns_zone_refresh(zone);
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_zone_setnotifyacl(dns_zone_t *zone, dns_acl_t *acl) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->notify_acl != NULL) {
+		dns_acl_detach(&zone->notify_acl);
+	}
+	dns_acl_attach(acl, &zone->notify_acl);
+	UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_setqueryacl(dns_zone_t *zone, dns_acl_t *acl) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->query_acl != NULL) {
+		dns_acl_detach(&zone->query_acl);
+	}
+	dns_acl_attach(acl, &zone->query_acl);
+	UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_setqueryonacl(dns_zone_t *zone, dns_acl_t *acl) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->queryon_acl != NULL) {
+		dns_acl_detach(&zone->queryon_acl);
+	}
+	dns_acl_attach(acl, &zone->queryon_acl);
+	UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_setupdateacl(dns_zone_t *zone, dns_acl_t *acl) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->update_acl != NULL) {
+		dns_acl_detach(&zone->update_acl);
+	}
+	dns_acl_attach(acl, &zone->update_acl);
+	UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_setforwardacl(dns_zone_t *zone, dns_acl_t *acl) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->forward_acl != NULL) {
+		dns_acl_detach(&zone->forward_acl);
+	}
+	dns_acl_attach(acl, &zone->forward_acl);
+	UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_setxfracl(dns_zone_t *zone, dns_acl_t *acl) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->xfr_acl != NULL) {
+		dns_acl_detach(&zone->xfr_acl);
+	}
+	dns_acl_attach(acl, &zone->xfr_acl);
+	UNLOCK_ZONE(zone);
+}
+
+dns_acl_t *
+dns_zone_getnotifyacl(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->notify_acl);
+}
+
+dns_acl_t *
+dns_zone_getqueryacl(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->query_acl);
+}
+
+dns_acl_t *
+dns_zone_getqueryonacl(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->queryon_acl);
+}
+
+dns_acl_t *
+dns_zone_getupdateacl(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->update_acl);
+}
+
+dns_acl_t *
+dns_zone_getforwardacl(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->forward_acl);
+}
+
+dns_acl_t *
+dns_zone_getxfracl(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->xfr_acl);
+}
+
+void
+dns_zone_clearupdateacl(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->update_acl != NULL) {
+		dns_acl_detach(&zone->update_acl);
+	}
+	UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_clearforwardacl(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->forward_acl != NULL) {
+		dns_acl_detach(&zone->forward_acl);
+	}
+	UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_clearnotifyacl(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->notify_acl != NULL) {
+		dns_acl_detach(&zone->notify_acl);
+	}
+	UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_clearqueryacl(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->query_acl != NULL) {
+		dns_acl_detach(&zone->query_acl);
+	}
+	UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_clearqueryonacl(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->queryon_acl != NULL) {
+		dns_acl_detach(&zone->queryon_acl);
+	}
+	UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_clearxfracl(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->xfr_acl != NULL) {
+		dns_acl_detach(&zone->xfr_acl);
+	}
+	UNLOCK_ZONE(zone);
+}
+
+bool
+dns_zone_getupdatedisabled(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (zone->update_disabled);
+}
+
+void
+dns_zone_setupdatedisabled(dns_zone_t *zone, bool state) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	zone->update_disabled = state;
+}
+
+bool
+dns_zone_getzeronosoattl(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (zone->zero_no_soa_ttl);
+}
+
+void
+dns_zone_setzeronosoattl(dns_zone_t *zone, bool state) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	zone->zero_no_soa_ttl = state;
+}
+
+void
+dns_zone_setchecknames(dns_zone_t *zone, dns_severity_t severity) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	zone->check_names = severity;
+}
+
+dns_severity_t
+dns_zone_getchecknames(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->check_names);
+}
+
+void
+dns_zone_setjournalsize(dns_zone_t *zone, int32_t size) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	zone->journalsize = size;
+}
+
+int32_t
+dns_zone_getjournalsize(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->journalsize);
+}
+
+static void
+zone_namerd_tostr(dns_zone_t *zone, char *buf, size_t length) {
+	isc_result_t result = ISC_R_FAILURE;
+	isc_buffer_t buffer;
+
+	REQUIRE(buf != NULL);
+	REQUIRE(length > 1U);
+
+	/*
+	 * Leave space for terminating '\0'.
+	 */
+	isc_buffer_init(&buffer, buf, (unsigned int)length - 1);
+	if (zone->type != dns_zone_redirect && zone->type != dns_zone_key) {
+		if (dns_name_dynamic(&zone->origin)) {
+			result = dns_name_totext(&zone->origin, true, &buffer);
+		}
+		if (result != ISC_R_SUCCESS &&
+		    isc_buffer_availablelength(&buffer) >=
+			    (sizeof("<UNKNOWN>") - 1))
+		{
+			isc_buffer_putstr(&buffer, "<UNKNOWN>");
+		}
+
+		if (isc_buffer_availablelength(&buffer) > 0) {
+			isc_buffer_putstr(&buffer, "/");
+		}
+		(void)dns_rdataclass_totext(zone->rdclass, &buffer);
+	}
+
+	if (zone->view != NULL && strcmp(zone->view->name, "_bind") != 0 &&
+	    strcmp(zone->view->name, "_default") != 0 &&
+	    strlen(zone->view->name) < isc_buffer_availablelength(&buffer))
+	{
+		isc_buffer_putstr(&buffer, "/");
+		isc_buffer_putstr(&buffer, zone->view->name);
+	}
+	if (inline_secure(zone) && 9U < isc_buffer_availablelength(&buffer)) {
+		isc_buffer_putstr(&buffer, " (signed)");
+	}
+	if (inline_raw(zone) && 11U < isc_buffer_availablelength(&buffer)) {
+		isc_buffer_putstr(&buffer, " (unsigned)");
+	}
+
+	buf[isc_buffer_usedlength(&buffer)] = '\0';
+}
+
+static void
+zone_name_tostr(dns_zone_t *zone, char *buf, size_t length) {
+	isc_result_t result = ISC_R_FAILURE;
+	isc_buffer_t buffer;
+
+	REQUIRE(buf != NULL);
+	REQUIRE(length > 1U);
+
+	/*
+	 * Leave space for terminating '\0'.
+	 */
+	isc_buffer_init(&buffer, buf, (unsigned int)length - 1);
+	if (dns_name_dynamic(&zone->origin)) {
+		result = dns_name_totext(&zone->origin, true, &buffer);
+	}
+	if (result != ISC_R_SUCCESS &&
+	    isc_buffer_availablelength(&buffer) >= (sizeof("<UNKNOWN>") - 1))
+	{
+		isc_buffer_putstr(&buffer, "<UNKNOWN>");
+	}
+
+	buf[isc_buffer_usedlength(&buffer)] = '\0';
+}
+
+static void
+zone_rdclass_tostr(dns_zone_t *zone, char *buf, size_t length) {
+	isc_buffer_t buffer;
+
+	REQUIRE(buf != NULL);
+	REQUIRE(length > 1U);
+
+	/*
+	 * Leave space for terminating '\0'.
+	 */
+	isc_buffer_init(&buffer, buf, (unsigned int)length - 1);
+	(void)dns_rdataclass_totext(zone->rdclass, &buffer);
+
+	buf[isc_buffer_usedlength(&buffer)] = '\0';
+}
+
+static void
+zone_viewname_tostr(dns_zone_t *zone, char *buf, size_t length) {
+	isc_buffer_t buffer;
+
+	REQUIRE(buf != NULL);
+	REQUIRE(length > 1U);
+
+	/*
+	 * Leave space for terminating '\0'.
+	 */
+	isc_buffer_init(&buffer, buf, (unsigned int)length - 1);
+
+	if (zone->view == NULL) {
+		isc_buffer_putstr(&buffer, "_none");
+	} else if (strlen(zone->view->name) <
+		   isc_buffer_availablelength(&buffer))
+	{
+		isc_buffer_putstr(&buffer, zone->view->name);
+	} else {
+		isc_buffer_putstr(&buffer, "_toolong");
+	}
+
+	buf[isc_buffer_usedlength(&buffer)] = '\0';
+}
+
+void
+dns_zone_name(dns_zone_t *zone, char *buf, size_t length) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(buf != NULL);
+
+	LOCK_ZONE(zone);
+	zone_namerd_tostr(zone, buf, length);
+	UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_nameonly(dns_zone_t *zone, char *buf, size_t length) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(buf != NULL);
+	zone_name_tostr(zone, buf, length);
+}
+
+void
+dns_zone_logv(dns_zone_t *zone, isc_logcategory_t *category, int level,
+	      const char *prefix, const char *fmt, va_list ap) {
+	char message[4096];
+	const char *zstr;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	if (!isc_log_wouldlog(dns_lctx, level)) {
+		return;
+	}
+
+	vsnprintf(message, sizeof(message), fmt, ap);
+
+	switch (zone->type) {
+	case dns_zone_key:
+		zstr = "managed-keys-zone";
+		break;
+	case dns_zone_redirect:
+		zstr = "redirect-zone";
+		break;
+	default:
+		zstr = "zone ";
+	}
+
+	isc_log_write(dns_lctx, category, DNS_LOGMODULE_ZONE, level,
+		      "%s%s%s%s: %s", (prefix != NULL ? prefix : ""),
+		      (prefix != NULL ? ": " : ""), zstr, zone->strnamerd,
+		      message);
+}
+
+static void
+notify_log(dns_zone_t *zone, int level, const char *fmt, ...) {
+	va_list ap;
+
+	va_start(ap, fmt);
+	dns_zone_logv(zone, DNS_LOGCATEGORY_NOTIFY, level, NULL, fmt, ap);
+	va_end(ap);
+}
+
+void
+dns_zone_logc(dns_zone_t *zone, isc_logcategory_t *category, int level,
+	      const char *fmt, ...) {
+	va_list ap;
+
+	va_start(ap, fmt);
+	dns_zone_logv(zone, category, level, NULL, fmt, ap);
+	va_end(ap);
+}
+
+void
+dns_zone_log(dns_zone_t *zone, int level, const char *fmt, ...) {
+	va_list ap;
+
+	va_start(ap, fmt);
+	dns_zone_logv(zone, DNS_LOGCATEGORY_GENERAL, level, NULL, fmt, ap);
+	va_end(ap);
+}
+
+static void
+zone_debuglog(dns_zone_t *zone, const char *me, int debuglevel, const char *fmt,
+	      ...) {
+	int level = ISC_LOG_DEBUG(debuglevel);
+	va_list ap;
+
+	va_start(ap, fmt);
+	dns_zone_logv(zone, DNS_LOGCATEGORY_GENERAL, level, me, fmt, ap);
+	va_end(ap);
+}
+
+static void
+dnssec_log(dns_zone_t *zone, int level, const char *fmt, ...) {
+	va_list ap;
+
+	va_start(ap, fmt);
+	dns_zone_logv(zone, DNS_LOGCATEGORY_DNSSEC, level, NULL, fmt, ap);
+	va_end(ap);
+}
+
+static int
+message_count(dns_message_t *msg, dns_section_t section, dns_rdatatype_t type) {
+	isc_result_t result;
+	dns_name_t *name;
+	dns_rdataset_t *curr;
+	int count = 0;
+
+	result = dns_message_firstname(msg, section);
+	while (result == ISC_R_SUCCESS) {
+		name = NULL;
+		dns_message_currentname(msg, section, &name);
+
+		for (curr = ISC_LIST_TAIL(name->list); curr != NULL;
+		     curr = ISC_LIST_PREV(curr, link))
+		{
+			if (curr->type == type) {
+				count++;
+			}
+		}
+		result = dns_message_nextname(msg, section);
+	}
+
+	return (count);
+}
+
+void
+dns_zone_setmaxxfrin(dns_zone_t *zone, uint32_t maxxfrin) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	zone->maxxfrin = maxxfrin;
+}
+
+uint32_t
+dns_zone_getmaxxfrin(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->maxxfrin);
+}
+
+void
+dns_zone_setmaxxfrout(dns_zone_t *zone, uint32_t maxxfrout) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	zone->maxxfrout = maxxfrout;
+}
+
+uint32_t
+dns_zone_getmaxxfrout(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->maxxfrout);
+}
+
+dns_zonetype_t
+dns_zone_gettype(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->type);
+}
+
+const char *
+dns_zonetype_name(dns_zonetype_t type) {
+	switch (type) {
+	case dns_zone_none:
+		return ("none");
+	case dns_zone_primary:
+		return ("primary");
+	case dns_zone_secondary:
+		return ("secondary");
+	case dns_zone_mirror:
+		return ("mirror");
+	case dns_zone_stub:
+		return ("stub");
+	case dns_zone_staticstub:
+		return ("static-stub");
+	case dns_zone_key:
+		return ("key");
+	case dns_zone_dlz:
+		return ("dlz");
+	case dns_zone_redirect:
+		return ("redirect");
+	default:
+		return ("unknown");
+	}
+}
+
+dns_zonetype_t
+dns_zone_getredirecttype(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(zone->type == dns_zone_redirect);
+
+	return (zone->masters == NULL ? dns_zone_primary : dns_zone_secondary);
+}
+
+dns_name_t *
+dns_zone_getorigin(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (&zone->origin);
+}
+
+void
+dns_zone_settask(dns_zone_t *zone, isc_task_t *task) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->task != NULL) {
+		isc_task_detach(&zone->task);
+	}
+	isc_task_attach(task, &zone->task);
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zone->db != NULL) {
+		dns_db_settask(zone->db, zone->task);
+	}
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+	UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_gettask(dns_zone_t *zone, isc_task_t **target) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	isc_task_attach(zone->task, target);
+}
+
+void
+dns_zone_setidlein(dns_zone_t *zone, uint32_t idlein) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	if (idlein == 0) {
+		idlein = DNS_DEFAULT_IDLEIN;
+	}
+	zone->idlein = idlein;
+}
+
+uint32_t
+dns_zone_getidlein(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->idlein);
+}
+
+void
+dns_zone_setidleout(dns_zone_t *zone, uint32_t idleout) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	zone->idleout = idleout;
+}
+
+uint32_t
+dns_zone_getidleout(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->idleout);
+}
+
+static void
+notify_done(isc_task_t *task, isc_event_t *event) {
+	dns_requestevent_t *revent = (dns_requestevent_t *)event;
+	dns_notify_t *notify;
+	isc_result_t result;
+	dns_message_t *message = NULL;
+	isc_buffer_t buf;
+	char rcode[128];
+	char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+
+	UNUSED(task);
+
+	notify = event->ev_arg;
+	REQUIRE(DNS_NOTIFY_VALID(notify));
+	INSIST(task == notify->zone->task);
+
+	isc_buffer_init(&buf, rcode, sizeof(rcode));
+	isc_sockaddr_format(&notify->dst, addrbuf, sizeof(addrbuf));
+	dns_message_create(notify->zone->mctx, DNS_MESSAGE_INTENTPARSE,
+			   &message);
+
+	result = revent->result;
+	if (result == ISC_R_SUCCESS) {
+		result =
+			dns_request_getresponse(revent->request, message,
+						DNS_MESSAGEPARSE_PRESERVEORDER);
+	}
+	if (result == ISC_R_SUCCESS) {
+		result = dns_rcode_totext(message->rcode, &buf);
+	}
+	if (result == ISC_R_SUCCESS) {
+		notify_log(notify->zone, ISC_LOG_DEBUG(3),
+			   "notify response from %s: %.*s", addrbuf,
+			   (int)buf.used, rcode);
+	} else {
+		notify_log(notify->zone, ISC_LOG_DEBUG(2),
+			   "notify to %s failed: %s", addrbuf,
+			   dns_result_totext(result));
+	}
+
+	/*
+	 * Old bind's return formerr if they see a soa record.	Retry w/o
+	 * the soa if we see a formerr and had sent a SOA.
+	 */
+	isc_event_free(&event);
+	if (message->rcode == dns_rcode_formerr &&
+	    (notify->flags & DNS_NOTIFY_NOSOA) == 0)
+	{
+		bool startup;
+
+		notify->flags |= DNS_NOTIFY_NOSOA;
+		dns_request_destroy(&notify->request);
+		startup = (notify->flags & DNS_NOTIFY_STARTUP);
+		result = notify_send_queue(notify, startup);
+		if (result != ISC_R_SUCCESS) {
+			notify_destroy(notify, false);
+		}
+	} else {
+		if (result == ISC_R_TIMEDOUT) {
+			notify_log(notify->zone, ISC_LOG_DEBUG(1),
+				   "notify to %s: retries exceeded", addrbuf);
+		}
+		notify_destroy(notify, false);
+	}
+	dns_message_detach(&message);
+}
+
+struct secure_event {
+	isc_event_t e;
+	dns_db_t *db;
+	uint32_t serial;
+};
+
+static void
+update_log_cb(void *arg, dns_zone_t *zone, int level, const char *message) {
+	UNUSED(arg);
+	dns_zone_log(zone, level, "%s", message);
+}
+
+static isc_result_t
+sync_secure_journal(dns_zone_t *zone, dns_zone_t *raw, dns_journal_t *journal,
+		    uint32_t start, uint32_t end, dns_difftuple_t **soatuplep,
+		    dns_diff_t *diff) {
+	isc_result_t result;
+	dns_difftuple_t *tuple = NULL;
+	dns_diffop_t op = DNS_DIFFOP_ADD;
+	int n_soa = 0;
+
+	REQUIRE(soatuplep != NULL);
+
+	if (start == end) {
+		return (DNS_R_UNCHANGED);
+	}
+
+	CHECK(dns_journal_iter_init(journal, start, end, NULL));
+	for (result = dns_journal_first_rr(journal); result == ISC_R_SUCCESS;
+	     result = dns_journal_next_rr(journal))
+	{
+		dns_name_t *name = NULL;
+		uint32_t ttl;
+		dns_rdata_t *rdata = NULL;
+		dns_journal_current_rr(journal, &name, &ttl, &rdata);
+
+		if (rdata->type == dns_rdatatype_soa) {
+			n_soa++;
+			if (n_soa == 2) {
+				/*
+				 * Save the latest raw SOA record.
+				 */
+				if (*soatuplep != NULL) {
+					dns_difftuple_free(soatuplep);
+				}
+				CHECK(dns_difftuple_create(
+					diff->mctx, DNS_DIFFOP_ADD, name, ttl,
+					rdata, soatuplep));
+			}
+			if (n_soa == 3) {
+				n_soa = 1;
+			}
+			continue;
+		}
+
+		/* Sanity. */
+		if (n_soa == 0) {
+			dns_zone_log(raw, ISC_LOG_ERROR,
+				     "corrupt journal file: '%s'\n",
+				     raw->journal);
+			return (ISC_R_FAILURE);
+		}
+
+		if (zone->privatetype != 0 && rdata->type == zone->privatetype)
+		{
+			continue;
+		}
+
+		if (rdata->type == dns_rdatatype_nsec ||
+		    rdata->type == dns_rdatatype_rrsig ||
+		    rdata->type == dns_rdatatype_nsec3 ||
+		    rdata->type == dns_rdatatype_dnskey ||
+		    rdata->type == dns_rdatatype_nsec3param)
+		{
+			continue;
+		}
+
+		op = (n_soa == 1) ? DNS_DIFFOP_DEL : DNS_DIFFOP_ADD;
+
+		CHECK(dns_difftuple_create(diff->mctx, op, name, ttl, rdata,
+					   &tuple));
+		dns_diff_appendminimal(diff, &tuple);
+	}
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+	}
+
+failure:
+	return (result);
+}
+
+static isc_result_t
+sync_secure_db(dns_zone_t *seczone, dns_zone_t *raw, dns_db_t *secdb,
+	       dns_dbversion_t *secver, dns_difftuple_t **soatuple,
+	       dns_diff_t *diff) {
+	isc_result_t result;
+	dns_db_t *rawdb = NULL;
+	dns_dbversion_t *rawver = NULL;
+	dns_difftuple_t *tuple = NULL, *next;
+	dns_difftuple_t *oldtuple = NULL, *newtuple = NULL;
+	dns_rdata_soa_t oldsoa, newsoa;
+
+	REQUIRE(DNS_ZONE_VALID(seczone));
+	REQUIRE(soatuple != NULL && *soatuple == NULL);
+
+	if (!seczone->sourceserialset) {
+		return (DNS_R_UNCHANGED);
+	}
+
+	dns_db_attach(raw->db, &rawdb);
+	dns_db_currentversion(rawdb, &rawver);
+	result = dns_db_diffx(diff, rawdb, rawver, secdb, secver, NULL);
+	dns_db_closeversion(rawdb, &rawver, false);
+	dns_db_detach(&rawdb);
+
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	for (tuple = ISC_LIST_HEAD(diff->tuples); tuple != NULL; tuple = next) {
+		next = ISC_LIST_NEXT(tuple, link);
+		if (tuple->rdata.type == dns_rdatatype_nsec ||
+		    tuple->rdata.type == dns_rdatatype_rrsig ||
+		    tuple->rdata.type == dns_rdatatype_dnskey ||
+		    tuple->rdata.type == dns_rdatatype_nsec3 ||
+		    tuple->rdata.type == dns_rdatatype_nsec3param)
+		{
+			ISC_LIST_UNLINK(diff->tuples, tuple, link);
+			dns_difftuple_free(&tuple);
+			continue;
+		}
+		if (tuple->rdata.type == dns_rdatatype_soa) {
+			if (tuple->op == DNS_DIFFOP_DEL) {
+				INSIST(oldtuple == NULL);
+				oldtuple = tuple;
+			}
+			if (tuple->op == DNS_DIFFOP_ADD) {
+				INSIST(newtuple == NULL);
+				newtuple = tuple;
+			}
+		}
+	}
+
+	if (oldtuple != NULL && newtuple != NULL) {
+		result = dns_rdata_tostruct(&oldtuple->rdata, &oldsoa, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		result = dns_rdata_tostruct(&newtuple->rdata, &newsoa, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		/*
+		 * If the SOA records are the same except for the serial
+		 * remove them from the diff.
+		 */
+		if (oldtuple->ttl == newtuple->ttl &&
+		    oldsoa.refresh == newsoa.refresh &&
+		    oldsoa.retry == newsoa.retry &&
+		    oldsoa.minimum == newsoa.minimum &&
+		    oldsoa.expire == newsoa.expire &&
+		    dns_name_equal(&oldsoa.origin, &newsoa.origin) &&
+		    dns_name_equal(&oldsoa.contact, &newsoa.contact))
+		{
+			ISC_LIST_UNLINK(diff->tuples, oldtuple, link);
+			dns_difftuple_free(&oldtuple);
+			ISC_LIST_UNLINK(diff->tuples, newtuple, link);
+			dns_difftuple_free(&newtuple);
+		}
+	}
+
+	if (ISC_LIST_EMPTY(diff->tuples)) {
+		return (DNS_R_UNCHANGED);
+	}
+
+	/*
+	 * If there are still SOA records in the diff they can now be removed
+	 * saving the new SOA record.
+	 */
+	if (oldtuple != NULL) {
+		ISC_LIST_UNLINK(diff->tuples, oldtuple, link);
+		dns_difftuple_free(&oldtuple);
+	}
+
+	if (newtuple != NULL) {
+		ISC_LIST_UNLINK(diff->tuples, newtuple, link);
+		*soatuple = newtuple;
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+receive_secure_serial(isc_task_t *task, isc_event_t *event) {
+	static char me[] = "receive_secure_serial";
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_journal_t *rjournal = NULL;
+	dns_journal_t *sjournal = NULL;
+	uint32_t start, end;
+	dns_zone_t *zone;
+	dns_difftuple_t *tuple = NULL, *soatuple = NULL;
+	dns_update_log_t log = { update_log_cb, NULL };
+	uint32_t newserial = 0, desired = 0;
+	isc_time_t timenow;
+	int level = ISC_LOG_ERROR;
+
+	UNUSED(task);
+
+	zone = event->ev_arg;
+	end = ((struct secure_event *)event)->serial;
+
+	ENTER;
+
+	LOCK_ZONE(zone);
+
+	/*
+	 * If we are already processing a receive secure serial event
+	 * for the zone, just queue the new one and exit.
+	 */
+	if (zone->rss_event != NULL && zone->rss_event != event) {
+		ISC_LIST_APPEND(zone->rss_events, event, ev_link);
+		UNLOCK_ZONE(zone);
+		return;
+	}
+
+nextevent:
+	if (zone->rss_event != NULL) {
+		INSIST(zone->rss_event == event);
+		UNLOCK_ZONE(zone);
+	} else {
+		zone->rss_event = event;
+		dns_diff_init(zone->mctx, &zone->rss_diff);
+
+		/*
+		 * zone->db may be NULL, if the load from disk failed.
+		 */
+		result = ISC_R_SUCCESS;
+		ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+		if (zone->db != NULL) {
+			dns_db_attach(zone->db, &zone->rss_db);
+		} else {
+			result = ISC_R_FAILURE;
+		}
+		ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+
+		if (result == ISC_R_SUCCESS && zone->raw != NULL) {
+			dns_zone_attach(zone->raw, &zone->rss_raw);
+		} else {
+			result = ISC_R_FAILURE;
+		}
+
+		UNLOCK_ZONE(zone);
+
+		CHECK(result);
+
+		/*
+		 * We first attempt to sync the raw zone to the secure zone
+		 * by using the raw zone's journal, applying all the deltas
+		 * from the latest source-serial of the secure zone up to
+		 * the current serial number of the raw zone.
+		 *
+		 * If that fails, then we'll fall back to a direct comparison
+		 * between raw and secure zones.
+		 */
+		CHECK(dns_journal_open(zone->rss_raw->mctx,
+				       zone->rss_raw->journal,
+				       DNS_JOURNAL_WRITE, &rjournal));
+
+		result = dns_journal_open(zone->mctx, zone->journal,
+					  DNS_JOURNAL_READ, &sjournal);
+		if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
+			goto failure;
+		}
+
+		if (!dns_journal_get_sourceserial(rjournal, &start)) {
+			start = dns_journal_first_serial(rjournal);
+			dns_journal_set_sourceserial(rjournal, start);
+		}
+		if (sjournal != NULL) {
+			uint32_t serial;
+			/*
+			 * We read the secure journal first, if that
+			 * exists use its value provided it is greater
+			 * that from the raw journal.
+			 */
+			if (dns_journal_get_sourceserial(sjournal, &serial)) {
+				if (isc_serial_gt(serial, start)) {
+					start = serial;
+				}
+			}
+			dns_journal_destroy(&sjournal);
+		}
+
+		dns_db_currentversion(zone->rss_db, &zone->rss_oldver);
+		CHECK(dns_db_newversion(zone->rss_db, &zone->rss_newver));
+
+		/*
+		 * Try to apply diffs from the raw zone's journal to the secure
+		 * zone.  If that fails, we recover by syncing up the databases
+		 * directly.
+		 */
+		result = sync_secure_journal(zone, zone->rss_raw, rjournal,
+					     start, end, &soatuple,
+					     &zone->rss_diff);
+		if (result == DNS_R_UNCHANGED) {
+			level = ISC_LOG_INFO;
+			goto failure;
+		} else if (result != ISC_R_SUCCESS) {
+			CHECK(sync_secure_db(zone, zone->rss_raw, zone->rss_db,
+					     zone->rss_oldver, &soatuple,
+					     &zone->rss_diff));
+		}
+
+		CHECK(dns_diff_apply(&zone->rss_diff, zone->rss_db,
+				     zone->rss_newver));
+
+		if (soatuple != NULL) {
+			uint32_t oldserial;
+
+			CHECK(dns_db_createsoatuple(
+				zone->rss_db, zone->rss_oldver,
+				zone->rss_diff.mctx, DNS_DIFFOP_DEL, &tuple));
+			oldserial = dns_soa_getserial(&tuple->rdata);
+			newserial = desired =
+				dns_soa_getserial(&soatuple->rdata);
+			if (!isc_serial_gt(newserial, oldserial)) {
+				newserial = oldserial + 1;
+				if (newserial == 0) {
+					newserial++;
+				}
+				dns_soa_setserial(newserial, &soatuple->rdata);
+			}
+			CHECK(do_one_tuple(&tuple, zone->rss_db,
+					   zone->rss_newver, &zone->rss_diff));
+			CHECK(do_one_tuple(&soatuple, zone->rss_db,
+					   zone->rss_newver, &zone->rss_diff));
+		} else {
+			CHECK(update_soa_serial(zone, zone->rss_db,
+						zone->rss_newver,
+						&zone->rss_diff, zone->mctx,
+						zone->updatemethod));
+		}
+	}
+	result = dns_update_signaturesinc(
+		&log, zone, zone->rss_db, zone->rss_oldver, zone->rss_newver,
+		&zone->rss_diff, zone->sigvalidityinterval, &zone->rss_state);
+	if (result == DNS_R_CONTINUE) {
+		if (rjournal != NULL) {
+			dns_journal_destroy(&rjournal);
+		}
+		isc_task_send(task, &event);
+		return;
+	}
+	/*
+	 * If something went wrong while trying to update the secure zone and
+	 * the latter was already signed before, do not apply raw zone deltas
+	 * to it as that would break existing DNSSEC signatures.  However, if
+	 * the secure zone was not yet signed (e.g. because no signing keys
+	 * were created for it), commence applying raw zone deltas to it so
+	 * that contents of the raw zone and the secure zone are kept in sync.
+	 */
+	if (result != ISC_R_SUCCESS && dns_db_issecure(zone->rss_db)) {
+		goto failure;
+	}
+
+	if (rjournal == NULL) {
+		CHECK(dns_journal_open(zone->rss_raw->mctx,
+				       zone->rss_raw->journal,
+				       DNS_JOURNAL_WRITE, &rjournal));
+	}
+	CHECK(zone_journal(zone, &zone->rss_diff, &end,
+			   "receive_secure_serial"));
+
+	dns_journal_set_sourceserial(rjournal, end);
+	dns_journal_commit(rjournal);
+
+	LOCK_ZONE(zone);
+	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
+
+	zone->sourceserial = end;
+	zone->sourceserialset = true;
+	zone_needdump(zone, DNS_DUMP_DELAY);
+
+	/*
+	 * Set resign time to make sure it is set to the earliest
+	 * signature expiration.
+	 */
+	set_resigntime(zone);
+	TIME_NOW(&timenow);
+	zone_settimer(zone, &timenow);
+	UNLOCK_ZONE(zone);
+
+	dns_db_closeversion(zone->rss_db, &zone->rss_oldver, false);
+	dns_db_closeversion(zone->rss_db, &zone->rss_newver, true);
+
+	if (newserial != 0) {
+		dns_zone_log(zone, ISC_LOG_INFO, "serial %u (unsigned %u)",
+			     newserial, desired);
+	}
+
+failure:
+	isc_event_free(&zone->rss_event);
+	event = ISC_LIST_HEAD(zone->rss_events);
+
+	if (zone->rss_raw != NULL) {
+		dns_zone_detach(&zone->rss_raw);
+	}
+	if (result != ISC_R_SUCCESS) {
+		LOCK_ZONE(zone);
+		set_resigntime(zone);
+		TIME_NOW(&timenow);
+		zone_settimer(zone, &timenow);
+		UNLOCK_ZONE(zone);
+		dns_zone_log(zone, level, "receive_secure_serial: %s",
+			     dns_result_totext(result));
+	}
+	if (tuple != NULL) {
+		dns_difftuple_free(&tuple);
+	}
+	if (soatuple != NULL) {
+		dns_difftuple_free(&soatuple);
+	}
+	if (zone->rss_db != NULL) {
+		if (zone->rss_oldver != NULL) {
+			dns_db_closeversion(zone->rss_db, &zone->rss_oldver,
+					    false);
+		}
+		if (zone->rss_newver != NULL) {
+			dns_db_closeversion(zone->rss_db, &zone->rss_newver,
+					    false);
+		}
+		dns_db_detach(&zone->rss_db);
+	}
+	INSIST(zone->rss_oldver == NULL);
+	INSIST(zone->rss_newver == NULL);
+	if (rjournal != NULL) {
+		dns_journal_destroy(&rjournal);
+	}
+	dns_diff_clear(&zone->rss_diff);
+
+	if (event != NULL) {
+		LOCK_ZONE(zone);
+		isc_refcount_decrement(&zone->irefs);
+		ISC_LIST_UNLINK(zone->rss_events, event, ev_link);
+		goto nextevent;
+	}
+
+	event = ISC_LIST_HEAD(zone->rss_post);
+	while (event != NULL) {
+		ISC_LIST_UNLINK(zone->rss_post, event, ev_link);
+		rss_post(zone, event);
+		event = ISC_LIST_HEAD(zone->rss_post);
+	}
+
+	dns_zone_idetach(&zone);
+}
+
+static isc_result_t
+zone_send_secureserial(dns_zone_t *zone, uint32_t serial) {
+	isc_event_t *e;
+	dns_zone_t *dummy = NULL;
+
+	e = isc_event_allocate(zone->secure->mctx, zone,
+			       DNS_EVENT_ZONESECURESERIAL,
+			       receive_secure_serial, zone->secure,
+			       sizeof(struct secure_event));
+	((struct secure_event *)e)->serial = serial;
+	INSIST(LOCKED_ZONE(zone->secure));
+	zone_iattach(zone->secure, &dummy);
+	isc_task_send(zone->secure->task, &e);
+
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_SENDSECURE);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+checkandaddsoa(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+	       dns_rdataset_t *rdataset, uint32_t oldserial) {
+	dns_rdata_soa_t soa;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdatalist_t temprdatalist;
+	dns_rdataset_t temprdataset;
+	isc_buffer_t b;
+	isc_result_t result;
+	unsigned char buf[DNS_SOA_BUFFERSIZE];
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+
+	result = dns_rdataset_first(rdataset);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	dns_rdataset_current(rdataset, &rdata);
+	result = dns_rdata_tostruct(&rdata, &soa, NULL);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	if (isc_serial_gt(soa.serial, oldserial)) {
+		return (dns_db_addrdataset(db, node, version, 0, rdataset, 0,
+					   NULL));
+	}
+	/*
+	 * Always bump the serial.
+	 */
+	oldserial++;
+	if (oldserial == 0) {
+		oldserial++;
+	}
+	soa.serial = oldserial;
+
+	/*
+	 * Construct a replacement rdataset.
+	 */
+	dns_rdata_reset(&rdata);
+	isc_buffer_init(&b, buf, sizeof(buf));
+	result = dns_rdata_fromstruct(&rdata, rdataset->rdclass,
+				      dns_rdatatype_soa, &soa, &b);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	dns_rdatalist_init(&temprdatalist);
+	temprdatalist.rdclass = rdata.rdclass;
+	temprdatalist.type = rdata.type;
+	temprdatalist.ttl = rdataset->ttl;
+	ISC_LIST_APPEND(temprdatalist.rdata, &rdata, link);
+
+	dns_rdataset_init(&temprdataset);
+	result = dns_rdatalist_tordataset(&temprdatalist, &temprdataset);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	name = dns_fixedname_initname(&fixed);
+	result = dns_db_nodefullname(db, node, name);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	dns_rdataset_getownercase(rdataset, name);
+	dns_rdataset_setownercase(&temprdataset, name);
+	return (dns_db_addrdataset(db, node, version, 0, &temprdataset, 0,
+				   NULL));
+}
+
+/*
+ * This function should populate an nsec3paramlist_t with the
+ * nsecparam_t data from a zone.
+ */
+static isc_result_t
+save_nsec3param(dns_zone_t *zone, nsec3paramlist_t *nsec3list) {
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset, prdataset;
+	dns_dbversion_t *version = NULL;
+	nsec3param_t *nsec3param = NULL;
+	nsec3param_t *nsec3p = NULL;
+	nsec3param_t *next;
+	dns_db_t *db = NULL;
+	unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(nsec3list != NULL);
+	REQUIRE(ISC_LIST_EMPTY(*nsec3list));
+
+	dns_rdataset_init(&rdataset);
+	dns_rdataset_init(&prdataset);
+
+	dns_db_attach(zone->db, &db);
+	CHECK(dns_db_getoriginnode(db, &node));
+
+	dns_db_currentversion(db, &version);
+	result = dns_db_findrdataset(db, node, version,
+				     dns_rdatatype_nsec3param,
+				     dns_rdatatype_none, 0, &rdataset, NULL);
+
+	if (result != ISC_R_SUCCESS) {
+		goto getprivate;
+	}
+
+	/*
+	 * Walk nsec3param rdataset making a list of parameters (note that
+	 * multiple simultaneous nsec3 chains are annoyingly legal -- this
+	 * is why we use an nsec3list, even though we will usually only
+	 * have one).
+	 */
+	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_rdata_t private = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&rdataset, &rdata);
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_ZONE, ISC_LOG_DEBUG(3),
+			      "looping through nsec3param data");
+		nsec3param = isc_mem_get(zone->mctx, sizeof(nsec3param_t));
+		ISC_LINK_INIT(nsec3param, link);
+
+		/*
+		 * now transfer the data from the rdata to
+		 * the nsec3param
+		 */
+		dns_nsec3param_toprivate(&rdata, &private, zone->privatetype,
+					 nsec3param->data,
+					 sizeof(nsec3param->data));
+		nsec3param->length = private.length;
+		ISC_LIST_APPEND(*nsec3list, nsec3param, link);
+	}
+
+getprivate:
+	result = dns_db_findrdataset(db, node, version, zone->privatetype,
+				     dns_rdatatype_none, 0, &prdataset, NULL);
+	if (result != ISC_R_SUCCESS) {
+		goto done;
+	}
+
+	/*
+	 * walk private type records, converting them to nsec3 parameters
+	 * using dns_nsec3param_fromprivate(), do the right thing based on
+	 * CREATE and REMOVE flags
+	 */
+	for (result = dns_rdataset_first(&prdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&prdataset))
+	{
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_rdata_t private = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&prdataset, &private);
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_ZONE, ISC_LOG_DEBUG(3),
+			      "looping through nsec3param private data");
+
+		/*
+		 * Do we have a valid private record?
+		 */
+		if (!dns_nsec3param_fromprivate(&private, &rdata, buf,
+						sizeof(buf)))
+		{
+			continue;
+		}
+
+		/*
+		 * Remove any NSEC3PARAM records scheduled to be removed.
+		 */
+		if (NSEC3REMOVE(rdata.data[1])) {
+			/*
+			 * Zero out the flags.
+			 */
+			rdata.data[1] = 0;
+
+			for (nsec3p = ISC_LIST_HEAD(*nsec3list); nsec3p != NULL;
+			     nsec3p = next)
+			{
+				next = ISC_LIST_NEXT(nsec3p, link);
+
+				if (nsec3p->length == rdata.length + 1 &&
+				    memcmp(rdata.data, nsec3p->data + 1,
+					   nsec3p->length - 1) == 0)
+				{
+					ISC_LIST_UNLINK(*nsec3list, nsec3p,
+							link);
+					isc_mem_put(zone->mctx, nsec3p,
+						    sizeof(nsec3param_t));
+				}
+			}
+			continue;
+		}
+
+		nsec3param = isc_mem_get(zone->mctx, sizeof(nsec3param_t));
+		ISC_LINK_INIT(nsec3param, link);
+
+		/*
+		 * Copy the remaining private records so the nsec/nsec3
+		 * chain gets created.
+		 */
+		INSIST(private.length <= sizeof(nsec3param->data));
+		memmove(nsec3param->data, private.data, private.length);
+		nsec3param->length = private.length;
+		ISC_LIST_APPEND(*nsec3list, nsec3param, link);
+	}
+
+done:
+	if (result == ISC_R_NOMORE || result == ISC_R_NOTFOUND) {
+		result = ISC_R_SUCCESS;
+	}
+
+failure:
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+	if (version != NULL) {
+		dns_db_closeversion(db, &version, false);
+	}
+	if (db != NULL) {
+		dns_db_detach(&db);
+	}
+	if (dns_rdataset_isassociated(&rdataset)) {
+		dns_rdataset_disassociate(&rdataset);
+	}
+	if (dns_rdataset_isassociated(&prdataset)) {
+		dns_rdataset_disassociate(&prdataset);
+	}
+	return (result);
+}
+
+/*
+ * Populate new zone db with private type records found by save_nsec3param().
+ */
+static isc_result_t
+restore_nsec3param(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
+		   nsec3paramlist_t *nsec3list) {
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_diff_t diff;
+	dns_rdata_t rdata;
+	nsec3param_t *nsec3p = NULL;
+	nsec3param_t *next;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(!ISC_LIST_EMPTY(*nsec3list));
+
+	dns_diff_init(zone->mctx, &diff);
+
+	/*
+	 * Loop through the list of private-type records, set the INITIAL
+	 * and CREATE flags, and the add the record to the apex of the tree
+	 * in db.
+	 */
+	for (nsec3p = ISC_LIST_HEAD(*nsec3list); nsec3p != NULL; nsec3p = next)
+	{
+		next = ISC_LIST_NEXT(nsec3p, link);
+		dns_rdata_init(&rdata);
+		nsec3p->data[2] = DNS_NSEC3FLAG_CREATE | DNS_NSEC3FLAG_INITIAL;
+		rdata.length = nsec3p->length;
+		rdata.data = nsec3p->data;
+		rdata.type = zone->privatetype;
+		rdata.rdclass = zone->rdclass;
+		result = update_one_rr(db, version, &diff, DNS_DIFFOP_ADD,
+				       &zone->origin, 0, &rdata);
+		if (result != ISC_R_SUCCESS) {
+			break;
+		}
+	}
+
+	dns_diff_clear(&diff);
+	return (result);
+}
+
+static isc_result_t
+copy_non_dnssec_records(dns_db_t *db, dns_db_t *version, dns_db_t *rawdb,
+			dns_dbiterator_t *dbiterator, unsigned int *oldserial) {
+	dns_dbnode_t *rawnode = NULL, *node = NULL;
+	dns_fixedname_t fixed;
+	dns_name_t *name = dns_fixedname_initname(&fixed);
+	dns_rdataset_t rdataset;
+	dns_rdatasetiter_t *rdsit = NULL;
+	isc_result_t result;
+
+	result = dns_dbiterator_current(dbiterator, &rawnode, name);
+	if (result != ISC_R_SUCCESS) {
+		return (ISC_R_SUCCESS);
+	}
+
+	dns_dbiterator_pause(dbiterator);
+
+	result = dns_db_findnode(db, name, true, &node);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	result = dns_db_allrdatasets(rawdb, rawnode, NULL, 0, 0, &rdsit);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	dns_rdataset_init(&rdataset);
+
+	for (result = dns_rdatasetiter_first(rdsit); result == ISC_R_SUCCESS;
+	     result = dns_rdatasetiter_next(rdsit))
+	{
+		dns_rdatasetiter_current(rdsit, &rdataset);
+		if (rdataset.type == dns_rdatatype_nsec ||
+		    rdataset.type == dns_rdatatype_rrsig ||
+		    rdataset.type == dns_rdatatype_nsec3 ||
+		    rdataset.type == dns_rdatatype_dnskey ||
+		    rdataset.type == dns_rdatatype_nsec3param)
+		{
+			dns_rdataset_disassociate(&rdataset);
+			continue;
+		}
+		if (rdataset.type == dns_rdatatype_soa && oldserial != NULL) {
+			result = checkandaddsoa(db, node, version, &rdataset,
+						*oldserial);
+		} else {
+			result = dns_db_addrdataset(db, node, version, 0,
+						    &rdataset, 0, NULL);
+		}
+		dns_rdataset_disassociate(&rdataset);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+	}
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+	}
+
+cleanup:
+	if (rdsit != NULL) {
+		dns_rdatasetiter_destroy(&rdsit);
+	}
+	if (rawnode) {
+		dns_db_detachnode(rawdb, &rawnode);
+	}
+	if (node) {
+		dns_db_detachnode(db, &node);
+	}
+	return (result);
+}
+
+static void
+receive_secure_db(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result;
+	dns_zone_t *zone;
+	dns_db_t *rawdb, *db = NULL;
+	dns_dbiterator_t *dbiterator = NULL;
+	dns_dbversion_t *version = NULL;
+	isc_time_t loadtime;
+	unsigned int oldserial = 0, *oldserialp = NULL;
+	nsec3paramlist_t nsec3list;
+	isc_event_t *setnsec3param_event;
+	dns_zone_t *dummy;
+
+	UNUSED(task);
+
+	ISC_LIST_INIT(nsec3list);
+
+	zone = event->ev_arg;
+	rawdb = ((struct secure_event *)event)->db;
+	isc_event_free(&event);
+
+	LOCK_ZONE(zone);
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING) || !inline_secure(zone)) {
+		result = ISC_R_SHUTTINGDOWN;
+		goto failure;
+	}
+
+	TIME_NOW(&loadtime);
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zone->db != NULL) {
+		result = dns_db_getsoaserial(zone->db, NULL, &oldserial);
+		if (result == ISC_R_SUCCESS) {
+			oldserialp = &oldserial;
+		}
+
+		/*
+		 * assemble nsec3parameters from the old zone, and set a flag
+		 * if any are found
+		 */
+		result = save_nsec3param(zone, &nsec3list);
+		if (result != ISC_R_SUCCESS) {
+			ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+			goto failure;
+		}
+	}
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+
+	result = dns_db_create(zone->mctx, zone->db_argv[0], &zone->origin,
+			       dns_dbtype_zone, zone->rdclass,
+			       zone->db_argc - 1, zone->db_argv + 1, &db);
+	if (result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+
+	result = dns_db_setgluecachestats(db, zone->gluecachestats);
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOTIMPLEMENTED) {
+		goto failure;
+	}
+
+	result = dns_db_newversion(db, &version);
+	if (result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+
+	result = dns_db_createiterator(rawdb, 0, &dbiterator);
+	if (result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+
+	for (result = dns_dbiterator_first(dbiterator); result == ISC_R_SUCCESS;
+	     result = dns_dbiterator_next(dbiterator))
+	{
+		result = copy_non_dnssec_records(db, version, rawdb, dbiterator,
+						 oldserialp);
+		if (result != ISC_R_SUCCESS) {
+			goto failure;
+		}
+	}
+	dns_dbiterator_destroy(&dbiterator);
+	if (result != ISC_R_NOMORE) {
+		goto failure;
+	}
+
+	/*
+	 * Call restore_nsec3param() to create private-type records from
+	 * the old nsec3 parameters and insert them into db
+	 */
+	if (!ISC_LIST_EMPTY(nsec3list)) {
+		result = restore_nsec3param(zone, db, version, &nsec3list);
+		if (result != ISC_R_SUCCESS) {
+			goto failure;
+		}
+	}
+
+	dns_db_closeversion(db, &version, true);
+
+	/*
+	 * Lock hierarchy: zmgr, zone, raw.
+	 */
+	INSIST(zone != zone->raw);
+	LOCK_ZONE(zone->raw);
+	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
+	result = zone_postload(zone, db, loadtime, ISC_R_SUCCESS);
+	zone_needdump(zone, 0); /* XXXMPA */
+	UNLOCK_ZONE(zone->raw);
+
+	/*
+	 * Process any queued NSEC3PARAM change requests.
+	 */
+	while (!ISC_LIST_EMPTY(zone->setnsec3param_queue)) {
+		setnsec3param_event = ISC_LIST_HEAD(zone->setnsec3param_queue);
+		ISC_LIST_UNLINK(zone->setnsec3param_queue, setnsec3param_event,
+				ev_link);
+		dummy = NULL;
+		zone_iattach(zone, &dummy);
+		isc_task_send(zone->task, &setnsec3param_event);
+	}
+
+failure:
+	UNLOCK_ZONE(zone);
+	if (dbiterator != NULL) {
+		dns_dbiterator_destroy(&dbiterator);
+	}
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR, "receive_secure_db: %s",
+			     dns_result_totext(result));
+	}
+
+	while (!ISC_LIST_EMPTY(nsec3list)) {
+		nsec3param_t *nsec3p;
+		nsec3p = ISC_LIST_HEAD(nsec3list);
+		ISC_LIST_UNLINK(nsec3list, nsec3p, link);
+		isc_mem_put(zone->mctx, nsec3p, sizeof(nsec3param_t));
+	}
+	if (db != NULL) {
+		if (version != NULL) {
+			dns_db_closeversion(db, &version, false);
+		}
+		dns_db_detach(&db);
+	}
+	dns_db_detach(&rawdb);
+	dns_zone_idetach(&zone);
+
+	INSIST(version == NULL);
+}
+
+static isc_result_t
+zone_send_securedb(dns_zone_t *zone, dns_db_t *db) {
+	isc_event_t *e;
+	dns_db_t *dummy = NULL;
+	dns_zone_t *secure = NULL;
+
+	e = isc_event_allocate(zone->secure->mctx, zone, DNS_EVENT_ZONESECUREDB,
+			       receive_secure_db, zone->secure,
+			       sizeof(struct secure_event));
+	dns_db_attach(db, &dummy);
+	((struct secure_event *)e)->db = dummy;
+	INSIST(LOCKED_ZONE(zone->secure));
+	zone_iattach(zone->secure, &secure);
+	isc_task_send(zone->secure->task, &e);
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_SENDSECURE);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_zone_replacedb(dns_zone_t *zone, dns_db_t *db, bool dump) {
+	isc_result_t result;
+	dns_zone_t *secure = NULL;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+again:
+	LOCK_ZONE(zone);
+	if (inline_raw(zone)) {
+		secure = zone->secure;
+		INSIST(secure != zone);
+		TRYLOCK_ZONE(result, secure);
+		if (result != ISC_R_SUCCESS) {
+			UNLOCK_ZONE(zone);
+			secure = NULL;
+			isc_thread_yield();
+			goto again;
+		}
+	}
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
+	result = zone_replacedb(zone, db, dump);
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
+	if (secure != NULL) {
+		UNLOCK_ZONE(secure);
+	}
+	UNLOCK_ZONE(zone);
+	return (result);
+}
+
+static isc_result_t
+zone_replacedb(dns_zone_t *zone, dns_db_t *db, bool dump) {
+	dns_dbversion_t *ver;
+	isc_result_t result;
+	unsigned int soacount = 0;
+	unsigned int nscount = 0;
+
+	/*
+	 * 'zone' and 'zone->db' locked by caller.
+	 */
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(LOCKED_ZONE(zone));
+	if (inline_raw(zone)) {
+		REQUIRE(LOCKED_ZONE(zone->secure));
+	}
+
+	result = zone_get_from_db(zone, db, &nscount, &soacount, NULL, NULL,
+				  NULL, NULL, NULL, NULL, NULL);
+	if (result == ISC_R_SUCCESS) {
+		if (soacount != 1) {
+			dns_zone_log(zone, ISC_LOG_ERROR, "has %d SOA records",
+				     soacount);
+			result = DNS_R_BADZONE;
+		}
+		if (nscount == 0 && zone->type != dns_zone_key) {
+			dns_zone_log(zone, ISC_LOG_ERROR, "has no NS records");
+			result = DNS_R_BADZONE;
+		}
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	} else {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "retrieving SOA and NS records failed: %s",
+			     dns_result_totext(result));
+		return (result);
+	}
+
+	result = check_nsec3param(zone, db);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	ver = NULL;
+	dns_db_currentversion(db, &ver);
+
+	/*
+	 * The initial version of a slave zone is always dumped;
+	 * subsequent versions may be journaled instead if this
+	 * is enabled in the configuration.
+	 */
+	if (zone->db != NULL && zone->journal != NULL &&
+	    DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IXFRFROMDIFFS) &&
+	    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER))
+	{
+		uint32_t serial, oldserial;
+
+		dns_zone_log(zone, ISC_LOG_DEBUG(3), "generating diffs");
+
+		result = dns_db_getsoaserial(db, ver, &serial);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "ixfr-from-differences: unable to get "
+				     "new serial");
+			goto fail;
+		}
+
+		/*
+		 * This is checked in zone_postload() for master zones.
+		 */
+		result = zone_get_from_db(zone, zone->db, NULL, &soacount, NULL,
+					  &oldserial, NULL, NULL, NULL, NULL,
+					  NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		RUNTIME_CHECK(soacount > 0U);
+		if ((zone->type == dns_zone_secondary ||
+		     (zone->type == dns_zone_redirect &&
+		      zone->masters != NULL)) &&
+		    !isc_serial_gt(serial, oldserial))
+		{
+			uint32_t serialmin, serialmax;
+			serialmin = (oldserial + 1) & 0xffffffffU;
+			serialmax = (oldserial + 0x7fffffffU) & 0xffffffffU;
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "ixfr-from-differences: failed: "
+				     "new serial (%u) out of range [%u - %u]",
+				     serial, serialmin, serialmax);
+			result = ISC_R_RANGE;
+			goto fail;
+		}
+
+		result = dns_db_diff(zone->mctx, db, ver, zone->db, NULL,
+				     zone->journal);
+		if (result != ISC_R_SUCCESS) {
+			char strbuf[ISC_STRERRORSIZE];
+			strerror_r(errno, strbuf, sizeof(strbuf));
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "ixfr-from-differences: failed: "
+				     "%s",
+				     strbuf);
+			goto fallback;
+		}
+		if (dump) {
+			zone_needdump(zone, DNS_DUMP_DELAY);
+		} else {
+			zone_journal_compact(zone, zone->db, serial);
+		}
+		if (zone->type == dns_zone_primary && inline_raw(zone)) {
+			zone_send_secureserial(zone, serial);
+		}
+	} else {
+	fallback:
+		if (dump && zone->masterfile != NULL) {
+			/*
+			 * If DNS_ZONEFLG_FORCEXFER was set we don't want
+			 * to keep the old masterfile.
+			 */
+			if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER) &&
+			    remove(zone->masterfile) < 0 && errno != ENOENT)
+			{
+				char strbuf[ISC_STRERRORSIZE];
+				strerror_r(errno, strbuf, sizeof(strbuf));
+				isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+					      DNS_LOGMODULE_ZONE,
+					      ISC_LOG_WARNING,
+					      "unable to remove masterfile "
+					      "'%s': '%s'",
+					      zone->masterfile, strbuf);
+			}
+			if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) == 0) {
+				DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NODELAY);
+			} else {
+				zone_needdump(zone, 0);
+			}
+		}
+		if (dump && zone->journal != NULL) {
+			/*
+			 * The in-memory database just changed, and
+			 * because 'dump' is set, it didn't change by
+			 * being loaded from disk.  Also, we have not
+			 * journaled diffs for this change.
+			 * Therefore, the on-disk journal is missing
+			 * the deltas for this change.	Since it can
+			 * no longer be used to bring the zone
+			 * up-to-date, it is useless and should be
+			 * removed.
+			 */
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_ZONE, ISC_LOG_DEBUG(3),
+				      "removing journal file");
+			if (remove(zone->journal) < 0 && errno != ENOENT) {
+				char strbuf[ISC_STRERRORSIZE];
+				strerror_r(errno, strbuf, sizeof(strbuf));
+				isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+					      DNS_LOGMODULE_ZONE,
+					      ISC_LOG_WARNING,
+					      "unable to remove journal "
+					      "'%s': '%s'",
+					      zone->journal, strbuf);
+			}
+		}
+
+		if (inline_raw(zone)) {
+			zone_send_securedb(zone, db);
+		}
+	}
+
+	dns_db_closeversion(db, &ver, false);
+
+	dns_zone_log(zone, ISC_LOG_DEBUG(3), "replacing zone database");
+
+	if (zone->db != NULL) {
+		zone_detachdb(zone);
+	}
+	zone_attachdb(zone, db);
+	dns_db_settask(zone->db, zone->task);
+	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED | DNS_ZONEFLG_NEEDNOTIFY);
+	return (ISC_R_SUCCESS);
+
+fail:
+	dns_db_closeversion(db, &ver, false);
+	return (result);
+}
+
+/* The caller must hold the dblock as a writer. */
+static void
+zone_attachdb(dns_zone_t *zone, dns_db_t *db) {
+	REQUIRE(zone->db == NULL && db != NULL);
+
+	dns_db_attach(db, &zone->db);
+}
+
+/* The caller must hold the dblock as a writer. */
+static void
+zone_detachdb(dns_zone_t *zone) {
+	REQUIRE(zone->db != NULL);
+
+	dns_zone_rpz_disable_db(zone, zone->db);
+	dns_zone_catz_disable_db(zone, zone->db);
+	dns_db_detach(&zone->db);
+}
+
+static void
+zone_xfrdone(dns_zone_t *zone, isc_result_t result) {
+	isc_time_t now;
+	bool again = false;
+	unsigned int soacount;
+	unsigned int nscount;
+	uint32_t serial, refresh, retry, expire, minimum, soattl;
+	isc_result_t xfrresult = result;
+	bool free_needed;
+	dns_zone_t *secure = NULL;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_DEBUG(1),
+		      "zone transfer finished: %s", dns_result_totext(result));
+
+	/*
+	 * Obtaining a lock on the zone->secure (see zone_send_secureserial)
+	 * could result in a deadlock due to a LOR so we will spin if we
+	 * can't obtain the both locks.
+	 */
+again:
+	LOCK_ZONE(zone);
+	if (inline_raw(zone)) {
+		secure = zone->secure;
+		INSIST(secure != zone);
+		TRYLOCK_ZONE(result, secure);
+		if (result != ISC_R_SUCCESS) {
+			UNLOCK_ZONE(zone);
+			secure = NULL;
+			isc_thread_yield();
+			goto again;
+		}
+	}
+
+	INSIST(DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESH));
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR);
+
+	TIME_NOW(&now);
+	switch (xfrresult) {
+	case ISC_R_SUCCESS:
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
+		FALLTHROUGH;
+	case DNS_R_UPTODATE:
+		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_FORCEXFER);
+		/*
+		 * Has the zone expired underneath us?
+		 */
+		ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+		if (zone->db == NULL) {
+			ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+			goto same_master;
+		}
+
+		/*
+		 * Update the zone structure's data from the actual
+		 * SOA received.
+		 */
+		nscount = 0;
+		soacount = 0;
+		INSIST(zone->db != NULL);
+		result = zone_get_from_db(zone, zone->db, &nscount, &soacount,
+					  &soattl, &serial, &refresh, &retry,
+					  &expire, &minimum, NULL);
+		ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+		if (result == ISC_R_SUCCESS) {
+			if (soacount != 1) {
+				dns_zone_log(zone, ISC_LOG_ERROR,
+					     "transferred zone "
+					     "has %d SOA records",
+					     soacount);
+				if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HAVETIMERS))
+				{
+					zone->refresh = DNS_ZONE_DEFAULTREFRESH;
+					zone->retry = DNS_ZONE_DEFAULTRETRY;
+				}
+				DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
+				zone_unload(zone);
+				goto next_master;
+			}
+			if (nscount == 0) {
+				dns_zone_log(zone, ISC_LOG_ERROR,
+					     "transferred zone "
+					     "has no NS records");
+				if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HAVETIMERS))
+				{
+					zone->refresh = DNS_ZONE_DEFAULTREFRESH;
+					zone->retry = DNS_ZONE_DEFAULTRETRY;
+				}
+				DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
+				zone_unload(zone);
+				goto next_master;
+			}
+			zone->refresh = RANGE(refresh, zone->minrefresh,
+					      zone->maxrefresh);
+			zone->retry = RANGE(retry, zone->minretry,
+					    zone->maxretry);
+			zone->expire = RANGE(expire,
+					     zone->refresh + zone->retry,
+					     DNS_MAX_EXPIRE);
+			zone->soattl = soattl;
+			zone->minimum = minimum;
+			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
+		}
+
+		/*
+		 * Set our next update/expire times.
+		 */
+		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDREFRESH)) {
+			DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDREFRESH);
+			zone->refreshtime = now;
+			DNS_ZONE_TIME_ADD(&now, zone->expire,
+					  &zone->expiretime);
+		} else {
+			DNS_ZONE_JITTER_ADD(&now, zone->refresh,
+					    &zone->refreshtime);
+			DNS_ZONE_TIME_ADD(&now, zone->expire,
+					  &zone->expiretime);
+		}
+		if (result == ISC_R_SUCCESS && xfrresult == ISC_R_SUCCESS) {
+			char buf[DNS_NAME_FORMATSIZE + sizeof(": TSIG ''")];
+			if (zone->tsigkey != NULL) {
+				char namebuf[DNS_NAME_FORMATSIZE];
+				dns_name_format(&zone->tsigkey->name, namebuf,
+						sizeof(namebuf));
+				snprintf(buf, sizeof(buf), ": TSIG '%s'",
+					 namebuf);
+			} else {
+				buf[0] = '\0';
+			}
+			dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN,
+				      ISC_LOG_INFO, "transferred serial %u%s",
+				      serial, buf);
+			if (inline_raw(zone)) {
+				zone_send_secureserial(zone, serial);
+			}
+		}
+
+		/*
+		 * This is not necessary if we just performed a AXFR
+		 * however it is necessary for an IXFR / UPTODATE and
+		 * won't hurt with an AXFR.
+		 */
+		if (zone->masterfile != NULL || zone->journal != NULL) {
+			unsigned int delay = DNS_DUMP_DELAY;
+
+			result = ISC_R_FAILURE;
+			if (zone->journal != NULL) {
+				result = isc_file_settime(zone->journal, &now);
+			}
+			if (result != ISC_R_SUCCESS && zone->masterfile != NULL)
+			{
+				result = isc_file_settime(zone->masterfile,
+							  &now);
+			}
+
+			if ((DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NODELAY) != 0) ||
+			    result == ISC_R_FILENOTFOUND)
+			{
+				delay = 0;
+			}
+
+			if ((result == ISC_R_SUCCESS ||
+			     result == ISC_R_FILENOTFOUND) &&
+			    zone->masterfile != NULL)
+			{
+				zone_needdump(zone, delay);
+			} else if (result != ISC_R_SUCCESS) {
+				dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN,
+					      ISC_LOG_ERROR,
+					      "transfer: could not set file "
+					      "modification time of '%s': %s",
+					      zone->masterfile,
+					      dns_result_totext(result));
+			}
+		}
+		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NODELAY);
+		inc_stats(zone, dns_zonestatscounter_xfrsuccess);
+		break;
+
+	case DNS_R_BADIXFR:
+		/* Force retry with AXFR. */
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOIXFR);
+		goto same_master;
+
+	case DNS_R_TOOMANYRECORDS:
+	case DNS_R_VERIFYFAILURE:
+		DNS_ZONE_JITTER_ADD(&now, zone->refresh, &zone->refreshtime);
+		inc_stats(zone, dns_zonestatscounter_xfrfail);
+		break;
+
+	default:
+	next_master:
+		/*
+		 * Skip to next failed / untried master.
+		 */
+		do {
+			zone->curmaster++;
+		} while (zone->curmaster < zone->masterscnt &&
+			 zone->mastersok[zone->curmaster]);
+	same_master:
+		if (zone->curmaster >= zone->masterscnt) {
+			zone->curmaster = 0;
+			if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_USEALTXFRSRC) &&
+			    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC))
+			{
+				DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_REFRESH);
+				DNS_ZONE_SETFLAG(zone,
+						 DNS_ZONEFLG_USEALTXFRSRC);
+				while (zone->curmaster < zone->masterscnt &&
+				       zone->mastersok[zone->curmaster])
+				{
+					zone->curmaster++;
+				}
+				again = true;
+			} else {
+				DNS_ZONE_CLRFLAG(zone,
+						 DNS_ZONEFLG_USEALTXFRSRC);
+			}
+		} else {
+			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_REFRESH);
+			again = true;
+		}
+		inc_stats(zone, dns_zonestatscounter_xfrfail);
+		break;
+	}
+	zone_settimer(zone, &now);
+
+	/*
+	 * If creating the transfer object failed, zone->xfr is NULL.
+	 * Otherwise, we are called as the done callback of a zone
+	 * transfer object that just entered its shutting-down
+	 * state.  Since we are no longer responsible for shutting
+	 * it down, we can detach our reference.
+	 */
+	if (zone->xfr != NULL) {
+		dns_xfrin_detach(&zone->xfr);
+	}
+
+	if (zone->tsigkey != NULL) {
+		dns_tsigkey_detach(&zone->tsigkey);
+	}
+
+	/*
+	 * Handle any deferred journal compaction.
+	 */
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDCOMPACT)) {
+		dns_db_t *db = NULL;
+		if (dns_zone_getdb(zone, &db) == ISC_R_SUCCESS) {
+			zone_journal_compact(zone, db, zone->compact_serial);
+			dns_db_detach(&db);
+			DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDCOMPACT);
+		}
+	}
+
+	if (secure != NULL) {
+		UNLOCK_ZONE(secure);
+	}
+	/*
+	 * This transfer finishing freed up a transfer quota slot.
+	 * Let any other zones waiting for quota have it.
+	 */
+	if (zone->zmgr != NULL &&
+	    zone->statelist == &zone->zmgr->xfrin_in_progress)
+	{
+		UNLOCK_ZONE(zone);
+		RWLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);
+		ISC_LIST_UNLINK(zone->zmgr->xfrin_in_progress, zone, statelink);
+		zone->statelist = NULL;
+		zmgr_resume_xfrs(zone->zmgr, false);
+		RWUNLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);
+		LOCK_ZONE(zone);
+	}
+
+	/*
+	 * Retry with a different server if necessary.
+	 */
+	if (again && !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
+		queue_soa_query(zone);
+	}
+
+	isc_refcount_decrement(&zone->irefs);
+	free_needed = exit_check(zone);
+	UNLOCK_ZONE(zone);
+	if (free_needed) {
+		zone_free(zone);
+	}
+}
+
+static void
+zone_loaddone(void *arg, isc_result_t result) {
+	static char me[] = "zone_loaddone";
+	dns_load_t *load = arg;
+	dns_zone_t *zone;
+	isc_result_t tresult;
+	dns_zone_t *secure = NULL;
+
+	REQUIRE(DNS_LOAD_VALID(load));
+	zone = load->zone;
+
+	ENTER;
+
+	/*
+	 * If zone loading failed, remove the update db callbacks prior
+	 * to calling the list of callbacks in the zone load structure.
+	 */
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_rpz_disable_db(zone, load->db);
+		dns_zone_catz_disable_db(zone, load->db);
+	}
+
+	tresult = dns_db_endload(load->db, &load->callbacks);
+	if (tresult != ISC_R_SUCCESS &&
+	    (result == ISC_R_SUCCESS || result == DNS_R_SEENINCLUDE))
+	{
+		result = tresult;
+	}
+
+	/*
+	 * Lock hierarchy: zmgr, zone, raw.
+	 */
+again:
+	LOCK_ZONE(zone);
+	INSIST(zone != zone->raw);
+	if (inline_secure(zone)) {
+		LOCK_ZONE(zone->raw);
+	} else if (inline_raw(zone)) {
+		secure = zone->secure;
+		TRYLOCK_ZONE(tresult, secure);
+		if (tresult != ISC_R_SUCCESS) {
+			UNLOCK_ZONE(zone);
+			secure = NULL;
+			isc_thread_yield();
+			goto again;
+		}
+	}
+	(void)zone_postload(zone, load->db, load->loadtime, result);
+	zonemgr_putio(&zone->readio);
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_LOADING);
+	zone_idetach(&load->callbacks.zone);
+	/*
+	 * Leave the zone frozen if the reload fails.
+	 */
+	if ((result == ISC_R_SUCCESS || result == DNS_R_SEENINCLUDE) &&
+	    DNS_ZONE_FLAG(zone, DNS_ZONEFLG_THAW))
+	{
+		zone->update_disabled = false;
+	}
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_THAW);
+	if (inline_secure(zone)) {
+		UNLOCK_ZONE(zone->raw);
+	} else if (secure != NULL) {
+		UNLOCK_ZONE(secure);
+	}
+	UNLOCK_ZONE(zone);
+
+	load->magic = 0;
+	dns_db_detach(&load->db);
+	if (load->zone->lctx != NULL) {
+		dns_loadctx_detach(&load->zone->lctx);
+	}
+	dns_zone_idetach(&load->zone);
+	isc_mem_putanddetach(&load->mctx, load, sizeof(*load));
+}
+
+void
+dns_zone_getssutable(dns_zone_t *zone, dns_ssutable_t **table) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(table != NULL);
+	REQUIRE(*table == NULL);
+
+	LOCK_ZONE(zone);
+	if (zone->ssutable != NULL) {
+		dns_ssutable_attach(zone->ssutable, table);
+	}
+	UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_setssutable(dns_zone_t *zone, dns_ssutable_t *table) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->ssutable != NULL) {
+		dns_ssutable_detach(&zone->ssutable);
+	}
+	if (table != NULL) {
+		dns_ssutable_attach(table, &zone->ssutable);
+	}
+	UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_setsigvalidityinterval(dns_zone_t *zone, uint32_t interval) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	zone->sigvalidityinterval = interval;
+}
+
+uint32_t
+dns_zone_getsigvalidityinterval(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->sigvalidityinterval);
+}
+
+void
+dns_zone_setkeyvalidityinterval(dns_zone_t *zone, uint32_t interval) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	zone->keyvalidityinterval = interval;
+}
+
+uint32_t
+dns_zone_getkeyvalidityinterval(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->keyvalidityinterval);
+}
+
+void
+dns_zone_setsigresigninginterval(dns_zone_t *zone, uint32_t interval) {
+	isc_time_t now;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone->sigresigninginterval = interval;
+	set_resigntime(zone);
+	if (zone->task != NULL) {
+		TIME_NOW(&now);
+		zone_settimer(zone, &now);
+	}
+	UNLOCK_ZONE(zone);
+}
+
+uint32_t
+dns_zone_getsigresigninginterval(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->sigresigninginterval);
+}
+
+static void
+queue_xfrin(dns_zone_t *zone) {
+	const char me[] = "queue_xfrin";
+	isc_result_t result;
+	dns_zonemgr_t *zmgr = zone->zmgr;
+
+	ENTER;
+
+	INSIST(zone->statelist == NULL);
+
+	RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+	ISC_LIST_APPEND(zmgr->waiting_for_xfrin, zone, statelink);
+	isc_refcount_increment0(&zone->irefs);
+	zone->statelist = &zmgr->waiting_for_xfrin;
+	result = zmgr_start_xfrin_ifquota(zmgr, zone);
+	RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+
+	if (result == ISC_R_QUOTA) {
+		dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_INFO,
+			      "zone transfer deferred due to quota");
+	} else if (result != ISC_R_SUCCESS) {
+		dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_ERROR,
+			      "starting zone transfer: %s",
+			      isc_result_totext(result));
+	}
+}
+
+/*
+ * This event callback is called when a zone has received
+ * any necessary zone transfer quota.  This is the time
+ * to go ahead and start the transfer.
+ */
+static void
+got_transfer_quota(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_peer_t *peer = NULL;
+	char master[ISC_SOCKADDR_FORMATSIZE];
+	char source[ISC_SOCKADDR_FORMATSIZE];
+	dns_rdatatype_t xfrtype;
+	dns_zone_t *zone = event->ev_arg;
+	isc_netaddr_t masterip;
+	isc_sockaddr_t sourceaddr;
+	isc_sockaddr_t masteraddr;
+	isc_time_t now;
+	const char *soa_before = "";
+	isc_dscp_t dscp = -1;
+	bool loaded;
+
+	UNUSED(task);
+
+	INSIST(task == zone->task);
+
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
+		result = ISC_R_CANCELED;
+		goto cleanup;
+	}
+
+	TIME_NOW(&now);
+
+	isc_sockaddr_format(&zone->masteraddr, master, sizeof(master));
+	if (dns_zonemgr_unreachable(zone->zmgr, &zone->masteraddr,
+				    &zone->sourceaddr, &now))
+	{
+		isc_sockaddr_format(&zone->sourceaddr, source, sizeof(source));
+		dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_INFO,
+			      "got_transfer_quota: skipping zone transfer as "
+			      "master %s (source %s) is unreachable (cached)",
+			      master, source);
+		result = ISC_R_CANCELED;
+		goto cleanup;
+	}
+
+	isc_netaddr_fromsockaddr(&masterip, &zone->masteraddr);
+	(void)dns_peerlist_peerbyaddr(zone->view->peers, &masterip, &peer);
+
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR)) {
+		soa_before = "SOA before ";
+	}
+	/*
+	 * Decide whether we should request IXFR or AXFR.
+	 */
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	loaded = (zone->db != NULL);
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+
+	if (!loaded) {
+		dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_DEBUG(1),
+			      "no database exists yet, requesting AXFR of "
+			      "initial version from %s",
+			      master);
+		xfrtype = dns_rdatatype_axfr;
+	} else if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER)) {
+		dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_DEBUG(1),
+			      "forced reload, requesting AXFR of "
+			      "initial version from %s",
+			      master);
+		xfrtype = dns_rdatatype_axfr;
+	} else if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOIXFR)) {
+		dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_DEBUG(1),
+			      "retrying with AXFR from %s due to "
+			      "previous IXFR failure",
+			      master);
+		xfrtype = dns_rdatatype_axfr;
+		LOCK_ZONE(zone);
+		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOIXFR);
+		UNLOCK_ZONE(zone);
+	} else {
+		bool use_ixfr = true;
+		if (peer != NULL) {
+			result = dns_peer_getrequestixfr(peer, &use_ixfr);
+		}
+		if (peer == NULL || result != ISC_R_SUCCESS) {
+			use_ixfr = zone->requestixfr;
+		}
+		if (!use_ixfr) {
+			dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN,
+				      ISC_LOG_DEBUG(1),
+				      "IXFR disabled, "
+				      "requesting %sAXFR from %s",
+				      soa_before, master);
+			if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR)) {
+				xfrtype = dns_rdatatype_soa;
+			} else {
+				xfrtype = dns_rdatatype_axfr;
+			}
+		} else {
+			dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN,
+				      ISC_LOG_DEBUG(1),
+				      "requesting IXFR from %s", master);
+			xfrtype = dns_rdatatype_ixfr;
+		}
+	}
+
+	/*
+	 * Determine if we should attempt to sign the request with TSIG.
+	 */
+	result = ISC_R_NOTFOUND;
+
+	/*
+	 * First, look for a tsig key in the master statement, then
+	 * try for a server key.
+	 */
+	if ((zone->masterkeynames != NULL) &&
+	    (zone->masterkeynames[zone->curmaster] != NULL))
+	{
+		dns_view_t *view = dns_zone_getview(zone);
+		dns_name_t *keyname = zone->masterkeynames[zone->curmaster];
+		result = dns_view_gettsig(view, keyname, &zone->tsigkey);
+	}
+	if (zone->tsigkey == NULL) {
+		result = dns_view_getpeertsig(zone->view, &masterip,
+					      &zone->tsigkey);
+	}
+
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
+		dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_ERROR,
+			      "could not get TSIG key for zone transfer: %s",
+			      isc_result_totext(result));
+	}
+
+	if (zone->masterdscps != NULL) {
+		dscp = zone->masterdscps[zone->curmaster];
+	}
+
+	LOCK_ZONE(zone);
+	masteraddr = zone->masteraddr;
+	sourceaddr = zone->sourceaddr;
+	switch (isc_sockaddr_pf(&masteraddr)) {
+	case PF_INET:
+		if (dscp == -1) {
+			dscp = zone->xfrsource4dscp;
+		}
+		break;
+	case PF_INET6:
+		if (dscp == -1) {
+			dscp = zone->xfrsource6dscp;
+		}
+		break;
+	default:
+		UNREACHABLE();
+	}
+	UNLOCK_ZONE(zone);
+	INSIST(isc_sockaddr_pf(&masteraddr) == isc_sockaddr_pf(&sourceaddr));
+	result = dns_xfrin_create(zone, xfrtype, &masteraddr, &sourceaddr, dscp,
+				  zone->tsigkey, zone->mctx,
+				  zone->zmgr->timermgr, zone->zmgr->socketmgr,
+				  zone->task, zone_xfrdone, &zone->xfr);
+	if (result == ISC_R_SUCCESS) {
+		LOCK_ZONE(zone);
+		if (xfrtype == dns_rdatatype_axfr) {
+			if (isc_sockaddr_pf(&masteraddr) == PF_INET) {
+				inc_stats(zone, dns_zonestatscounter_axfrreqv4);
+			} else {
+				inc_stats(zone, dns_zonestatscounter_axfrreqv6);
+			}
+		} else if (xfrtype == dns_rdatatype_ixfr) {
+			if (isc_sockaddr_pf(&masteraddr) == PF_INET) {
+				inc_stats(zone, dns_zonestatscounter_ixfrreqv4);
+			} else {
+				inc_stats(zone, dns_zonestatscounter_ixfrreqv6);
+			}
+		}
+		UNLOCK_ZONE(zone);
+	}
+cleanup:
+	/*
+	 * Any failure in this function is handled like a failed
+	 * zone transfer.  This ensures that we get removed from
+	 * zmgr->xfrin_in_progress.
+	 */
+	if (result != ISC_R_SUCCESS) {
+		zone_xfrdone(zone, result);
+	}
+
+	isc_event_free(&event);
+}
+
+/*
+ * Update forwarding support.
+ */
+
+static void
+forward_destroy(dns_forward_t *forward) {
+	forward->magic = 0;
+	if (forward->request != NULL) {
+		dns_request_destroy(&forward->request);
+	}
+	if (forward->msgbuf != NULL) {
+		isc_buffer_free(&forward->msgbuf);
+	}
+	if (forward->zone != NULL) {
+		LOCK(&forward->zone->lock);
+		if (ISC_LINK_LINKED(forward, link)) {
+			ISC_LIST_UNLINK(forward->zone->forwards, forward, link);
+		}
+		UNLOCK(&forward->zone->lock);
+		dns_zone_idetach(&forward->zone);
+	}
+	isc_mem_putanddetach(&forward->mctx, forward, sizeof(*forward));
+}
+
+static isc_result_t
+sendtomaster(dns_forward_t *forward) {
+	isc_result_t result;
+	isc_sockaddr_t src;
+	isc_dscp_t dscp = -1;
+
+	LOCK_ZONE(forward->zone);
+
+	if (DNS_ZONE_FLAG(forward->zone, DNS_ZONEFLG_EXITING)) {
+		UNLOCK_ZONE(forward->zone);
+		return (ISC_R_CANCELED);
+	}
+
+	if (forward->which >= forward->zone->masterscnt) {
+		UNLOCK_ZONE(forward->zone);
+		return (ISC_R_NOMORE);
+	}
+
+	forward->addr = forward->zone->masters[forward->which];
+	/*
+	 * Always use TCP regardless of whether the original update
+	 * used TCP.
+	 * XXX The timeout may but a bit small if we are far down a
+	 * transfer graph and the master has to try several masters.
+	 */
+	switch (isc_sockaddr_pf(&forward->addr)) {
+	case PF_INET:
+		src = forward->zone->xfrsource4;
+		dscp = forward->zone->xfrsource4dscp;
+		break;
+	case PF_INET6:
+		src = forward->zone->xfrsource6;
+		dscp = forward->zone->xfrsource6dscp;
+		break;
+	default:
+		result = ISC_R_NOTIMPLEMENTED;
+		goto unlock;
+	}
+	result = dns_request_createraw(forward->zone->view->requestmgr,
+				       forward->msgbuf, &src, &forward->addr,
+				       dscp, forward->options, 15 /* XXX */, 0,
+				       0, forward->zone->task, forward_callback,
+				       forward, &forward->request);
+	if (result == ISC_R_SUCCESS) {
+		if (!ISC_LINK_LINKED(forward, link)) {
+			ISC_LIST_APPEND(forward->zone->forwards, forward, link);
+		}
+	}
+
+unlock:
+	UNLOCK_ZONE(forward->zone);
+	return (result);
+}
+
+static void
+forward_callback(isc_task_t *task, isc_event_t *event) {
+	const char me[] = "forward_callback";
+	dns_requestevent_t *revent = (dns_requestevent_t *)event;
+	dns_message_t *msg = NULL;
+	char master[ISC_SOCKADDR_FORMATSIZE];
+	isc_result_t result;
+	dns_forward_t *forward;
+	dns_zone_t *zone;
+
+	UNUSED(task);
+
+	forward = revent->ev_arg;
+	INSIST(DNS_FORWARD_VALID(forward));
+	zone = forward->zone;
+	INSIST(DNS_ZONE_VALID(zone));
+
+	ENTER;
+
+	isc_sockaddr_format(&forward->addr, master, sizeof(master));
+
+	if (revent->result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "could not forward dynamic update to %s: %s",
+			     master, dns_result_totext(revent->result));
+		goto next_master;
+	}
+
+	dns_message_create(zone->mctx, DNS_MESSAGE_INTENTPARSE, &msg);
+
+	result = dns_request_getresponse(revent->request, msg,
+					 DNS_MESSAGEPARSE_PRESERVEORDER |
+						 DNS_MESSAGEPARSE_CLONEBUFFER);
+	if (result != ISC_R_SUCCESS) {
+		goto next_master;
+	}
+
+	/*
+	 * Unexpected opcode.
+	 */
+	if (msg->opcode != dns_opcode_update) {
+		char opcode[128];
+		isc_buffer_t rb;
+
+		isc_buffer_init(&rb, opcode, sizeof(opcode));
+		(void)dns_opcode_totext(msg->opcode, &rb);
+
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "forwarding dynamic update: "
+			     "unexpected opcode (%.*s) from %s",
+			     (int)rb.used, opcode, master);
+		goto next_master;
+	}
+
+	switch (msg->rcode) {
+	/*
+	 * Pass these rcodes back to client.
+	 */
+	case dns_rcode_noerror:
+	case dns_rcode_yxdomain:
+	case dns_rcode_yxrrset:
+	case dns_rcode_nxrrset:
+	case dns_rcode_refused:
+	case dns_rcode_nxdomain: {
+		char rcode[128];
+		isc_buffer_t rb;
+
+		isc_buffer_init(&rb, rcode, sizeof(rcode));
+		(void)dns_rcode_totext(msg->rcode, &rb);
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "forwarded dynamic update: "
+			     "master %s returned: %.*s",
+			     master, (int)rb.used, rcode);
+		break;
+	}
+
+	/* These should not occur if the primaries/zone are valid. */
+	case dns_rcode_notzone:
+	case dns_rcode_notauth: {
+		char rcode[128];
+		isc_buffer_t rb;
+
+		isc_buffer_init(&rb, rcode, sizeof(rcode));
+		(void)dns_rcode_totext(msg->rcode, &rb);
+		dns_zone_log(zone, ISC_LOG_WARNING,
+			     "forwarding dynamic update: "
+			     "unexpected response: master %s returned: %.*s",
+			     master, (int)rb.used, rcode);
+		goto next_master;
+	}
+
+	/* Try another server for these rcodes. */
+	case dns_rcode_formerr:
+	case dns_rcode_servfail:
+	case dns_rcode_notimp:
+	case dns_rcode_badvers:
+	default:
+		goto next_master;
+	}
+
+	/* call callback */
+	(forward->callback)(forward->callback_arg, ISC_R_SUCCESS, msg);
+	msg = NULL;
+	dns_request_destroy(&forward->request);
+	forward_destroy(forward);
+	isc_event_free(&event);
+	return;
+
+next_master:
+	if (msg != NULL) {
+		dns_message_detach(&msg);
+	}
+	isc_event_free(&event);
+	forward->which++;
+	dns_request_destroy(&forward->request);
+	result = sendtomaster(forward);
+	if (result != ISC_R_SUCCESS) {
+		/* call callback */
+		dns_zone_log(zone, ISC_LOG_DEBUG(3),
+			     "exhausted dynamic update forwarder list");
+		(forward->callback)(forward->callback_arg, result, NULL);
+		forward_destroy(forward);
+	}
+}
+
+isc_result_t
+dns_zone_forwardupdate(dns_zone_t *zone, dns_message_t *msg,
+		       dns_updatecallback_t callback, void *callback_arg) {
+	dns_forward_t *forward;
+	isc_result_t result;
+	isc_region_t *mr;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(msg != NULL);
+	REQUIRE(callback != NULL);
+
+	forward = isc_mem_get(zone->mctx, sizeof(*forward));
+
+	forward->request = NULL;
+	forward->zone = NULL;
+	forward->msgbuf = NULL;
+	forward->which = 0;
+	forward->mctx = 0;
+	forward->callback = callback;
+	forward->callback_arg = callback_arg;
+	ISC_LINK_INIT(forward, link);
+	forward->magic = FORWARD_MAGIC;
+	forward->options = DNS_REQUESTOPT_TCP;
+	/*
+	 * If we have a SIG(0) signed message we need to preserve the
+	 * query id as that is included in the SIG(0) computation.
+	 */
+	if (msg->sig0 != NULL) {
+		forward->options |= DNS_REQUESTOPT_FIXEDID;
+	}
+
+	mr = dns_message_getrawmessage(msg);
+	if (mr == NULL) {
+		result = ISC_R_UNEXPECTEDEND;
+		goto cleanup;
+	}
+
+	isc_buffer_allocate(zone->mctx, &forward->msgbuf, mr->length);
+	result = isc_buffer_copyregion(forward->msgbuf, mr);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	isc_mem_attach(zone->mctx, &forward->mctx);
+	dns_zone_iattach(zone, &forward->zone);
+	result = sendtomaster(forward);
+
+cleanup:
+	if (result != ISC_R_SUCCESS) {
+		forward_destroy(forward);
+	}
+	return (result);
+}
+
+isc_result_t
+dns_zone_next(dns_zone_t *zone, dns_zone_t **next) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(next != NULL && *next == NULL);
+
+	*next = ISC_LIST_NEXT(zone, link);
+	if (*next == NULL) {
+		return (ISC_R_NOMORE);
+	} else {
+		return (ISC_R_SUCCESS);
+	}
+}
+
+isc_result_t
+dns_zone_first(dns_zonemgr_t *zmgr, dns_zone_t **first) {
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+	REQUIRE(first != NULL && *first == NULL);
+
+	*first = ISC_LIST_HEAD(zmgr->zones);
+	if (*first == NULL) {
+		return (ISC_R_NOMORE);
+	} else {
+		return (ISC_R_SUCCESS);
+	}
+}
+
+/***
+ ***	Zone manager.
+ ***/
+
+#define KEYMGMT_OVERCOMMIT 3
+#define KEYMGMT_BITS_MIN   2U
+#define KEYMGMT_BITS_MAX   32U
+
+/*
+ * WMM: Static hash functions copied from lib/dns/rbtdb.c. Should be moved to
+ * lib/isc/hash.c when we refactor the hash table code.
+ */
+#define GOLDEN_RATIO_32 0x61C88647
+#define HASHSIZE(bits)	(UINT64_C(1) << (bits))
+
+static uint32_t
+hash_index(uint32_t val, uint32_t bits) {
+	return (val * GOLDEN_RATIO_32 >> (32 - bits));
+}
+
+static uint32_t
+hash_bits_grow(uint32_t bits, uint32_t count) {
+	uint32_t newbits = bits;
+	while (count >= HASHSIZE(newbits) && newbits < KEYMGMT_BITS_MAX) {
+		newbits++;
+	}
+	return (newbits);
+}
+
+static uint32_t
+hash_bits_shrink(uint32_t bits, uint32_t count) {
+	uint32_t newbits = bits;
+	while (count <= HASHSIZE(newbits) && newbits > KEYMGMT_BITS_MIN) {
+		newbits--;
+	}
+	return (newbits);
+}
+
+static void
+zonemgr_keymgmt_init(dns_zonemgr_t *zmgr) {
+	dns_keymgmt_t *mgmt = isc_mem_get(zmgr->mctx, sizeof(*mgmt));
+	uint32_t size;
+
+	*mgmt = (dns_keymgmt_t){
+		.bits = KEYMGMT_BITS_MIN,
+	};
+	isc_mem_attach(zmgr->mctx, &mgmt->mctx);
+	isc_rwlock_init(&mgmt->lock, 0, 0);
+
+	size = HASHSIZE(mgmt->bits);
+	mgmt->table = isc_mem_get(mgmt->mctx, sizeof(*mgmt->table) * size);
+	memset(mgmt->table, 0, size * sizeof(mgmt->table[0]));
+
+	atomic_init(&mgmt->count, 0);
+	mgmt->magic = KEYMGMT_MAGIC;
+
+	zmgr->keymgmt = mgmt;
+}
+
+static void
+zonemgr_keymgmt_destroy(dns_zonemgr_t *zmgr) {
+	dns_keymgmt_t *mgmt = zmgr->keymgmt;
+	uint32_t size;
+
+	REQUIRE(DNS_KEYMGMT_VALID(mgmt));
+
+	size = HASHSIZE(mgmt->bits);
+
+	RWLOCK(&mgmt->lock, isc_rwlocktype_write);
+	INSIST(mgmt->count == 0);
+	RWUNLOCK(&mgmt->lock, isc_rwlocktype_write);
+
+	mgmt->magic = 0;
+	isc_rwlock_destroy(&mgmt->lock);
+	isc_mem_put(mgmt->mctx, mgmt->table, size * sizeof(mgmt->table[0]));
+	isc_mem_putanddetach(&mgmt->mctx, mgmt, sizeof(dns_keymgmt_t));
+}
+
+static void
+zonemgr_keymgmt_resize(dns_zonemgr_t *zmgr) {
+	dns_keyfileio_t **newtable;
+	dns_keymgmt_t *mgmt = zmgr->keymgmt;
+	uint32_t bits, newbits, count, size, newsize;
+	bool grow;
+
+	REQUIRE(DNS_KEYMGMT_VALID(mgmt));
+
+	RWLOCK(&mgmt->lock, isc_rwlocktype_read);
+	count = atomic_load_relaxed(&mgmt->count);
+	bits = mgmt->bits;
+	RWUNLOCK(&mgmt->lock, isc_rwlocktype_read);
+
+	size = HASHSIZE(bits);
+	INSIST(size > 0);
+
+	if (count >= (size * KEYMGMT_OVERCOMMIT)) {
+		grow = true;
+	} else if (count < (size / 2)) {
+		grow = false;
+	} else {
+		/* No need to resize. */
+		return;
+	}
+
+	if (grow) {
+		newbits = hash_bits_grow(bits, count);
+	} else {
+		newbits = hash_bits_shrink(bits, count);
+	}
+
+	if (newbits == bits) {
+		/*
+		 * Bit values may stay the same if maximum or minimum is
+		 * reached.
+		 */
+		return;
+	}
+
+	newsize = HASHSIZE(newbits);
+	INSIST(newsize > 0);
+
+	RWLOCK(&mgmt->lock, isc_rwlocktype_write);
+
+	newtable = isc_mem_get(mgmt->mctx, sizeof(dns_keyfileio_t *) * newsize);
+	memset(newtable, 0, sizeof(dns_keyfileio_t *) * newsize);
+
+	for (unsigned int i = 0; i < size; i++) {
+		dns_keyfileio_t *kfio, *next;
+		for (kfio = mgmt->table[i]; kfio != NULL; kfio = next) {
+			uint32_t hash = hash_index(kfio->hashval, newbits);
+			next = kfio->next;
+			kfio->next = newtable[hash];
+			newtable[hash] = kfio;
+		}
+		mgmt->table[i] = NULL;
+	}
+
+	isc_mem_put(mgmt->mctx, mgmt->table, sizeof(*mgmt->table) * size);
+	mgmt->bits = newbits;
+	mgmt->table = newtable;
+
+	RWUNLOCK(&mgmt->lock, isc_rwlocktype_write);
+}
+
+static void
+zonemgr_keymgmt_add(dns_zonemgr_t *zmgr, dns_zone_t *zone,
+		    dns_keyfileio_t **added) {
+	dns_keymgmt_t *mgmt = zmgr->keymgmt;
+	uint32_t hashval, hash;
+	dns_keyfileio_t *kfio, *next;
+
+	REQUIRE(DNS_KEYMGMT_VALID(mgmt));
+	REQUIRE(added != NULL && *added == NULL);
+
+	RWLOCK(&mgmt->lock, isc_rwlocktype_write);
+
+	hashval = dns_name_hash(&zone->origin, false);
+	hash = hash_index(hashval, mgmt->bits);
+
+	for (kfio = mgmt->table[hash]; kfio != NULL; kfio = next) {
+		next = kfio->next;
+		if (dns_name_equal(kfio->name, &zone->origin)) {
+			/* Already in table, increment the counter. */
+			isc_refcount_increment(&kfio->references);
+			break;
+		}
+	}
+
+	if (kfio == NULL) {
+		/* No entry found, add it. */
+		kfio = isc_mem_get(mgmt->mctx, sizeof(*kfio));
+		*kfio = (dns_keyfileio_t){
+			.hashval = hashval,
+			.next = mgmt->table[hash],
+			.magic = KEYFILEIO_MAGIC,
+		};
+
+		isc_refcount_init(&kfio->references, 1);
+
+		kfio->name = dns_fixedname_initname(&kfio->fname);
+		dns_name_copynf(&zone->origin, kfio->name);
+
+		isc_mutex_init(&kfio->lock);
+
+		mgmt->table[hash] = kfio;
+
+		atomic_fetch_add_relaxed(&mgmt->count, 1);
+	}
+
+	RWUNLOCK(&mgmt->lock, isc_rwlocktype_write);
+
+	*added = kfio;
+
+	/*
+	 * Call resize, that function will also check if resize is necessary.
+	 */
+	zonemgr_keymgmt_resize(zmgr);
+}
+
+static void
+zonemgr_keymgmt_delete(dns_zonemgr_t *zmgr, dns_zone_t *zone,
+		       dns_keyfileio_t **deleted) {
+	dns_keymgmt_t *mgmt = zmgr->keymgmt;
+	uint32_t hashval, hash;
+	dns_keyfileio_t *kfio, *prev, *next;
+
+	REQUIRE(DNS_KEYMGMT_VALID(mgmt));
+	REQUIRE(deleted != NULL && DNS_KEYFILEIO_VALID(*deleted));
+
+	RWLOCK(&mgmt->lock, isc_rwlocktype_write);
+
+	hashval = dns_name_hash(&zone->origin, false);
+	hash = hash_index(hashval, mgmt->bits);
+
+	prev = NULL;
+	for (kfio = mgmt->table[hash]; kfio != NULL; kfio = next) {
+		next = kfio->next;
+		if (dns_name_equal(kfio->name, &zone->origin)) {
+			INSIST(kfio == *deleted);
+			*deleted = NULL;
+
+			if (isc_refcount_decrement(&kfio->references) == 1) {
+				if (prev == NULL) {
+					mgmt->table[hash] = kfio->next;
+				} else {
+					prev->next = kfio->next;
+				}
+
+				isc_refcount_destroy(&kfio->references);
+				isc_mutex_destroy(&kfio->lock);
+				isc_mem_put(mgmt->mctx, kfio, sizeof(*kfio));
+
+				atomic_fetch_sub_relaxed(&mgmt->count, 1);
+			}
+			break;
+		}
+
+		prev = kfio;
+	}
+
+	RWUNLOCK(&mgmt->lock, isc_rwlocktype_write);
+
+	/*
+	 * Call resize, that function will also check if resize is necessary.
+	 */
+	zonemgr_keymgmt_resize(zmgr);
+}
+
+isc_result_t
+dns_zonemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
+		   isc_timermgr_t *timermgr, isc_socketmgr_t *socketmgr,
+		   dns_zonemgr_t **zmgrp) {
+	dns_zonemgr_t *zmgr;
+	isc_result_t result;
+
+	zmgr = isc_mem_get(mctx, sizeof(*zmgr));
+	zmgr->mctx = NULL;
+	isc_refcount_init(&zmgr->refs, 1);
+	isc_mem_attach(mctx, &zmgr->mctx);
+	zmgr->taskmgr = taskmgr;
+	zmgr->timermgr = timermgr;
+	zmgr->socketmgr = socketmgr;
+	zmgr->zonetasks = NULL;
+	zmgr->loadtasks = NULL;
+	zmgr->mctxpool = NULL;
+	zmgr->task = NULL;
+	zmgr->checkdsrl = NULL;
+	zmgr->notifyrl = NULL;
+	zmgr->refreshrl = NULL;
+	zmgr->startupnotifyrl = NULL;
+	zmgr->startuprefreshrl = NULL;
+	ISC_LIST_INIT(zmgr->zones);
+	ISC_LIST_INIT(zmgr->waiting_for_xfrin);
+	ISC_LIST_INIT(zmgr->xfrin_in_progress);
+	memset(zmgr->unreachable, 0, sizeof(zmgr->unreachable));
+	for (size_t i = 0; i < UNREACH_CACHE_SIZE; i++) {
+		atomic_init(&zmgr->unreachable[i].expire, 0);
+	}
+	isc_rwlock_init(&zmgr->rwlock, 0, 0);
+
+	zmgr->transfersin = 10;
+	zmgr->transfersperns = 2;
+
+	/* Unreachable lock. */
+	isc_rwlock_init(&zmgr->urlock, 0, 0);
+
+	/* Create a single task for queueing of SOA queries. */
+	result = isc_task_create(taskmgr, 1, &zmgr->task);
+	if (result != ISC_R_SUCCESS) {
+		goto free_urlock;
+	}
+
+	isc_task_setname(zmgr->task, "zmgr", zmgr);
+	result = isc_ratelimiter_create(mctx, timermgr, zmgr->task,
+					&zmgr->checkdsrl);
+	if (result != ISC_R_SUCCESS) {
+		goto free_task;
+	}
+
+	result = isc_ratelimiter_create(mctx, timermgr, zmgr->task,
+					&zmgr->notifyrl);
+	if (result != ISC_R_SUCCESS) {
+		goto free_checkdsrl;
+	}
+
+	result = isc_ratelimiter_create(mctx, timermgr, zmgr->task,
+					&zmgr->refreshrl);
+	if (result != ISC_R_SUCCESS) {
+		goto free_notifyrl;
+	}
+
+	result = isc_ratelimiter_create(mctx, timermgr, zmgr->task,
+					&zmgr->startupnotifyrl);
+	if (result != ISC_R_SUCCESS) {
+		goto free_refreshrl;
+	}
+
+	result = isc_ratelimiter_create(mctx, timermgr, zmgr->task,
+					&zmgr->startuprefreshrl);
+	if (result != ISC_R_SUCCESS) {
+		goto free_startupnotifyrl;
+	}
+
+	/* Key file I/O locks. */
+	zonemgr_keymgmt_init(zmgr);
+
+	/* Default to 20 refresh queries / notifies / checkds per second. */
+	setrl(zmgr->checkdsrl, &zmgr->checkdsrate, 20);
+	setrl(zmgr->notifyrl, &zmgr->notifyrate, 20);
+	setrl(zmgr->startupnotifyrl, &zmgr->startupnotifyrate, 20);
+	setrl(zmgr->refreshrl, &zmgr->serialqueryrate, 20);
+	setrl(zmgr->startuprefreshrl, &zmgr->startupserialqueryrate, 20);
+	isc_ratelimiter_setpushpop(zmgr->startupnotifyrl, true);
+	isc_ratelimiter_setpushpop(zmgr->startuprefreshrl, true);
+
+	zmgr->iolimit = 1;
+	zmgr->ioactive = 0;
+	ISC_LIST_INIT(zmgr->high);
+	ISC_LIST_INIT(zmgr->low);
+
+	isc_mutex_init(&zmgr->iolock);
+
+	zmgr->magic = ZONEMGR_MAGIC;
+
+	*zmgrp = zmgr;
+	return (ISC_R_SUCCESS);
+
+#if 0
+ free_iolock:
+	isc_mutex_destroy(&zmgr->iolock);
+#endif /* if 0 */
+free_startupnotifyrl:
+	isc_ratelimiter_detach(&zmgr->startupnotifyrl);
+free_refreshrl:
+	isc_ratelimiter_detach(&zmgr->refreshrl);
+free_notifyrl:
+	isc_ratelimiter_detach(&zmgr->notifyrl);
+free_checkdsrl:
+	isc_ratelimiter_detach(&zmgr->checkdsrl);
+free_task:
+	isc_task_detach(&zmgr->task);
+free_urlock:
+	isc_rwlock_destroy(&zmgr->urlock);
+	isc_rwlock_destroy(&zmgr->rwlock);
+	isc_mem_put(zmgr->mctx, zmgr, sizeof(*zmgr));
+	isc_mem_detach(&mctx);
+	return (result);
+}
+
+isc_result_t
+dns_zonemgr_createzone(dns_zonemgr_t *zmgr, dns_zone_t **zonep) {
+	isc_result_t result;
+	isc_mem_t *mctx = NULL;
+	dns_zone_t *zone = NULL;
+	void *item;
+
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+	REQUIRE(zonep != NULL && *zonep == NULL);
+
+	if (zmgr->mctxpool == NULL) {
+		return (ISC_R_FAILURE);
+	}
+
+	item = isc_pool_get(zmgr->mctxpool);
+	if (item == NULL) {
+		return (ISC_R_FAILURE);
+	}
+
+	isc_mem_attach((isc_mem_t *)item, &mctx);
+	result = dns_zone_create(&zone, mctx);
+	isc_mem_detach(&mctx);
+
+	if (result == ISC_R_SUCCESS) {
+		*zonep = zone;
+	}
+
+	return (result);
+}
+
+isc_result_t
+dns_zonemgr_managezone(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
+	isc_result_t result;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	if (zmgr->zonetasks == NULL) {
+		return (ISC_R_FAILURE);
+	}
+
+	RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+	LOCK_ZONE(zone);
+	REQUIRE(zone->task == NULL);
+	REQUIRE(zone->timer == NULL);
+	REQUIRE(zone->zmgr == NULL);
+
+	isc_taskpool_gettask(zmgr->zonetasks, &zone->task);
+	isc_taskpool_gettask(zmgr->loadtasks, &zone->loadtask);
+
+	/*
+	 * Set the task name.  The tag will arbitrarily point to one
+	 * of the zones sharing the task (in practice, the one
+	 * to be managed last).
+	 */
+	isc_task_setname(zone->task, "zone", zone);
+	isc_task_setname(zone->loadtask, "loadzone", zone);
+
+	result = isc_timer_create(zmgr->timermgr, isc_timertype_inactive, NULL,
+				  NULL, zone->task, zone_timer, zone,
+				  &zone->timer);
+
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_tasks;
+	}
+
+	/*
+	 * The timer "holds" a iref.
+	 */
+	isc_refcount_increment0(&zone->irefs);
+
+	zonemgr_keymgmt_add(zmgr, zone, &zone->kfio);
+	INSIST(zone->kfio != NULL);
+
+	ISC_LIST_APPEND(zmgr->zones, zone, link);
+	zone->zmgr = zmgr;
+	isc_refcount_increment(&zmgr->refs);
+
+	goto unlock;
+
+cleanup_tasks:
+	isc_task_detach(&zone->loadtask);
+	isc_task_detach(&zone->task);
+
+unlock:
+	UNLOCK_ZONE(zone);
+	RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+	return (result);
+}
+
+void
+dns_zonemgr_releasezone(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+	REQUIRE(zone->zmgr == zmgr);
+
+	RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+	LOCK_ZONE(zone);
+
+	ISC_LIST_UNLINK(zmgr->zones, zone, link);
+
+	if (zone->kfio != NULL) {
+		zonemgr_keymgmt_delete(zmgr, zone, &zone->kfio);
+		ENSURE(zone->kfio == NULL);
+	}
+
+	/* Detach below, outside of the write lock. */
+	zone->zmgr = NULL;
+
+	UNLOCK_ZONE(zone);
+	RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+
+	dns_zonemgr_detach(&zmgr);
+}
+
+void
+dns_zonemgr_attach(dns_zonemgr_t *source, dns_zonemgr_t **target) {
+	REQUIRE(DNS_ZONEMGR_VALID(source));
+	REQUIRE(target != NULL && *target == NULL);
+
+	isc_refcount_increment(&source->refs);
+
+	*target = source;
+}
+
+void
+dns_zonemgr_detach(dns_zonemgr_t **zmgrp) {
+	dns_zonemgr_t *zmgr;
+
+	REQUIRE(zmgrp != NULL);
+	zmgr = *zmgrp;
+	*zmgrp = NULL;
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	if (isc_refcount_decrement(&zmgr->refs) == 1) {
+		zonemgr_free(zmgr);
+	}
+}
+
+isc_result_t
+dns_zonemgr_forcemaint(dns_zonemgr_t *zmgr) {
+	dns_zone_t *p;
+
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	RWLOCK(&zmgr->rwlock, isc_rwlocktype_read);
+	for (p = ISC_LIST_HEAD(zmgr->zones); p != NULL;
+	     p = ISC_LIST_NEXT(p, link))
+	{
+		dns_zone_maintenance(p);
+	}
+	RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_read);
+
+	/*
+	 * Recent configuration changes may have increased the
+	 * amount of available transfers quota.  Make sure any
+	 * transfers currently blocked on quota get started if
+	 * possible.
+	 */
+	RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+	zmgr_resume_xfrs(zmgr, true);
+	RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_zonemgr_resumexfrs(dns_zonemgr_t *zmgr) {
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+	zmgr_resume_xfrs(zmgr, true);
+	RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+}
+
+void
+dns_zonemgr_shutdown(dns_zonemgr_t *zmgr) {
+	dns_zone_t *zone;
+
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	isc_ratelimiter_shutdown(zmgr->checkdsrl);
+	isc_ratelimiter_shutdown(zmgr->notifyrl);
+	isc_ratelimiter_shutdown(zmgr->refreshrl);
+	isc_ratelimiter_shutdown(zmgr->startupnotifyrl);
+	isc_ratelimiter_shutdown(zmgr->startuprefreshrl);
+
+	if (zmgr->task != NULL) {
+		isc_task_destroy(&zmgr->task);
+	}
+	if (zmgr->zonetasks != NULL) {
+		isc_taskpool_destroy(&zmgr->zonetasks);
+	}
+	if (zmgr->loadtasks != NULL) {
+		isc_taskpool_destroy(&zmgr->loadtasks);
+	}
+	if (zmgr->mctxpool != NULL) {
+		isc_pool_destroy(&zmgr->mctxpool);
+	}
+
+	RWLOCK(&zmgr->rwlock, isc_rwlocktype_read);
+	for (zone = ISC_LIST_HEAD(zmgr->zones); zone != NULL;
+	     zone = ISC_LIST_NEXT(zone, link))
+	{
+		LOCK_ZONE(zone);
+		forward_cancel(zone);
+		UNLOCK_ZONE(zone);
+	}
+	RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_read);
+}
+
+static isc_result_t
+mctxinit(void **target, void *arg) {
+	isc_mem_t *mctx = NULL;
+
+	UNUSED(arg);
+
+	REQUIRE(target != NULL && *target == NULL);
+
+	isc_mem_create(&mctx);
+	isc_mem_setname(mctx, "zonemgr-pool", NULL);
+
+	*target = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+mctxfree(void **target) {
+	isc_mem_t *mctx = *(isc_mem_t **)target;
+	isc_mem_detach(&mctx);
+	*target = NULL;
+}
+
+#define ZONES_PER_TASK 100
+#define ZONES_PER_MCTX 1000
+
+isc_result_t
+dns_zonemgr_setsize(dns_zonemgr_t *zmgr, int num_zones) {
+	isc_result_t result;
+	int ntasks = num_zones / ZONES_PER_TASK;
+	int nmctx = num_zones / ZONES_PER_MCTX;
+	isc_taskpool_t *pool = NULL;
+	isc_pool_t *mctxpool = NULL;
+
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	/*
+	 * For anything fewer than 1000 zones we use 10 tasks in
+	 * the task pools.  More than that, and we'll scale at one
+	 * task per 100 zones.  Similarly, for anything smaller than
+	 * 2000 zones we use 2 memory contexts, then scale at 1:1000.
+	 */
+	if (ntasks < 10) {
+		ntasks = 10;
+	}
+	if (nmctx < 2) {
+		nmctx = 2;
+	}
+
+	/* Create or resize the zone task pools. */
+	if (zmgr->zonetasks == NULL) {
+		result = isc_taskpool_create(zmgr->taskmgr, zmgr->mctx, ntasks,
+					     2, false, &pool);
+	} else {
+		result = isc_taskpool_expand(&zmgr->zonetasks, ntasks, false,
+					     &pool);
+	}
+
+	if (result == ISC_R_SUCCESS) {
+		zmgr->zonetasks = pool;
+	}
+
+	pool = NULL;
+	if (zmgr->loadtasks == NULL) {
+		result = isc_taskpool_create(zmgr->taskmgr, zmgr->mctx, ntasks,
+					     UINT_MAX, true, &pool);
+	} else {
+		result = isc_taskpool_expand(&zmgr->loadtasks, ntasks, true,
+					     &pool);
+	}
+
+	if (result == ISC_R_SUCCESS) {
+		zmgr->loadtasks = pool;
+	}
+
+	/* Create or resize the zone memory context pool. */
+	if (zmgr->mctxpool == NULL) {
+		result = isc_pool_create(zmgr->mctx, nmctx, mctxfree, mctxinit,
+					 NULL, &mctxpool);
+	} else {
+		result = isc_pool_expand(&zmgr->mctxpool, nmctx, &mctxpool);
+	}
+
+	if (result == ISC_R_SUCCESS) {
+		zmgr->mctxpool = mctxpool;
+	}
+
+	return (result);
+}
+
+static void
+zonemgr_free(dns_zonemgr_t *zmgr) {
+	isc_mem_t *mctx;
+
+	INSIST(ISC_LIST_EMPTY(zmgr->zones));
+
+	zmgr->magic = 0;
+
+	isc_refcount_destroy(&zmgr->refs);
+	isc_mutex_destroy(&zmgr->iolock);
+	isc_ratelimiter_detach(&zmgr->checkdsrl);
+	isc_ratelimiter_detach(&zmgr->notifyrl);
+	isc_ratelimiter_detach(&zmgr->refreshrl);
+	isc_ratelimiter_detach(&zmgr->startupnotifyrl);
+	isc_ratelimiter_detach(&zmgr->startuprefreshrl);
+
+	isc_rwlock_destroy(&zmgr->urlock);
+	isc_rwlock_destroy(&zmgr->rwlock);
+
+	zonemgr_keymgmt_destroy(zmgr);
+
+	mctx = zmgr->mctx;
+	isc_mem_put(zmgr->mctx, zmgr, sizeof(*zmgr));
+	isc_mem_detach(&mctx);
+}
+
+void
+dns_zonemgr_settransfersin(dns_zonemgr_t *zmgr, uint32_t value) {
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	zmgr->transfersin = value;
+}
+
+uint32_t
+dns_zonemgr_getttransfersin(dns_zonemgr_t *zmgr) {
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	return (zmgr->transfersin);
+}
+
+void
+dns_zonemgr_settransfersperns(dns_zonemgr_t *zmgr, uint32_t value) {
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	zmgr->transfersperns = value;
+}
+
+uint32_t
+dns_zonemgr_getttransfersperns(dns_zonemgr_t *zmgr) {
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	return (zmgr->transfersperns);
+}
+
+isc_taskmgr_t *
+dns_zonemgr_gettaskmgr(dns_zonemgr_t *zmgr) {
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	return (zmgr->taskmgr);
+}
+
+/*
+ * Try to start a new incoming zone transfer to fill a quota
+ * slot that was just vacated.
+ *
+ * Requires:
+ *	The zone manager is locked by the caller.
+ */
+static void
+zmgr_resume_xfrs(dns_zonemgr_t *zmgr, bool multi) {
+	dns_zone_t *zone;
+	dns_zone_t *next;
+
+	for (zone = ISC_LIST_HEAD(zmgr->waiting_for_xfrin); zone != NULL;
+	     zone = next)
+	{
+		isc_result_t result;
+		next = ISC_LIST_NEXT(zone, statelink);
+		result = zmgr_start_xfrin_ifquota(zmgr, zone);
+		if (result == ISC_R_SUCCESS) {
+			if (multi) {
+				continue;
+			}
+			/*
+			 * We successfully filled the slot.  We're done.
+			 */
+			break;
+		} else if (result == ISC_R_QUOTA) {
+			/*
+			 * Not enough quota.  This is probably the per-server
+			 * quota, because we usually get called when a unit of
+			 * global quota has just been freed.  Try the next
+			 * zone, it may succeed if it uses another master.
+			 */
+			continue;
+		} else {
+			dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN,
+				      ISC_LOG_DEBUG(1),
+				      "starting zone transfer: %s",
+				      isc_result_totext(result));
+			break;
+		}
+	}
+}
+
+/*
+ * Try to start an incoming zone transfer for 'zone', quota permitting.
+ *
+ * Requires:
+ *	The zone manager is locked by the caller.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS	There was enough quota and we attempted to
+ *			start a transfer.  zone_xfrdone() has been or will
+ *			be called.
+ *	ISC_R_QUOTA	Not enough quota.
+ *	Others		Failure.
+ */
+static isc_result_t
+zmgr_start_xfrin_ifquota(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
+	dns_peer_t *peer = NULL;
+	isc_netaddr_t masterip;
+	uint32_t nxfrsin, nxfrsperns;
+	dns_zone_t *x;
+	uint32_t maxtransfersin, maxtransfersperns;
+	isc_event_t *e;
+
+	/*
+	 * If we are exiting just pretend we got quota so the zone will
+	 * be cleaned up in the zone's task context.
+	 */
+	LOCK_ZONE(zone);
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
+		UNLOCK_ZONE(zone);
+		goto gotquota;
+	}
+
+	/*
+	 * Find any configured information about the server we'd
+	 * like to transfer this zone from.
+	 */
+	isc_netaddr_fromsockaddr(&masterip, &zone->masteraddr);
+	(void)dns_peerlist_peerbyaddr(zone->view->peers, &masterip, &peer);
+	UNLOCK_ZONE(zone);
+
+	/*
+	 * Determine the total maximum number of simultaneous
+	 * transfers allowed, and the maximum for this specific
+	 * master.
+	 */
+	maxtransfersin = zmgr->transfersin;
+	maxtransfersperns = zmgr->transfersperns;
+	if (peer != NULL) {
+		(void)dns_peer_gettransfers(peer, &maxtransfersperns);
+	}
+
+	/*
+	 * Count the total number of transfers that are in progress,
+	 * and the number of transfers in progress from this master.
+	 * We linearly scan a list of all transfers; if this turns
+	 * out to be too slow, we could hash on the master address.
+	 */
+	nxfrsin = nxfrsperns = 0;
+	for (x = ISC_LIST_HEAD(zmgr->xfrin_in_progress); x != NULL;
+	     x = ISC_LIST_NEXT(x, statelink))
+	{
+		isc_netaddr_t xip;
+
+		LOCK_ZONE(x);
+		isc_netaddr_fromsockaddr(&xip, &x->masteraddr);
+		UNLOCK_ZONE(x);
+
+		nxfrsin++;
+		if (isc_netaddr_equal(&xip, &masterip)) {
+			nxfrsperns++;
+		}
+	}
+
+	/* Enforce quota. */
+	if (nxfrsin >= maxtransfersin) {
+		return (ISC_R_QUOTA);
+	}
+
+	if (nxfrsperns >= maxtransfersperns) {
+		return (ISC_R_QUOTA);
+	}
+
+gotquota:
+	/*
+	 * We have sufficient quota.  Move the zone to the "xfrin_in_progress"
+	 * list and send it an event to let it start the actual transfer in the
+	 * context of its own task.
+	 */
+	e = isc_event_allocate(zmgr->mctx, zmgr, DNS_EVENT_ZONESTARTXFRIN,
+			       got_transfer_quota, zone, sizeof(isc_event_t));
+
+	LOCK_ZONE(zone);
+	INSIST(zone->statelist == &zmgr->waiting_for_xfrin);
+	ISC_LIST_UNLINK(zmgr->waiting_for_xfrin, zone, statelink);
+	ISC_LIST_APPEND(zmgr->xfrin_in_progress, zone, statelink);
+	zone->statelist = &zmgr->xfrin_in_progress;
+	isc_task_send(zone->task, &e);
+	dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_INFO,
+		      "Transfer started.");
+	UNLOCK_ZONE(zone);
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_zonemgr_setiolimit(dns_zonemgr_t *zmgr, uint32_t iolimit) {
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+	REQUIRE(iolimit > 0);
+
+	zmgr->iolimit = iolimit;
+}
+
+uint32_t
+dns_zonemgr_getiolimit(dns_zonemgr_t *zmgr) {
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	return (zmgr->iolimit);
+}
+
+/*
+ * Get permission to request a file handle from the OS.
+ * An event will be sent to action when one is available.
+ * There are two queues available (high and low), the high
+ * queue will be serviced before the low one.
+ *
+ * zonemgr_putio() must be called after the event is delivered to
+ * 'action'.
+ */
+
+static isc_result_t
+zonemgr_getio(dns_zonemgr_t *zmgr, bool high, isc_task_t *task,
+	      isc_taskaction_t action, void *arg, dns_io_t **iop) {
+	dns_io_t *io;
+	bool queue;
+
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+	REQUIRE(iop != NULL && *iop == NULL);
+
+	io = isc_mem_get(zmgr->mctx, sizeof(*io));
+
+	io->event = isc_event_allocate(zmgr->mctx, task, DNS_EVENT_IOREADY,
+				       action, arg, sizeof(*io->event));
+
+	io->zmgr = zmgr;
+	io->high = high;
+	io->task = NULL;
+	isc_task_attach(task, &io->task);
+	ISC_LINK_INIT(io, link);
+	io->magic = IO_MAGIC;
+
+	LOCK(&zmgr->iolock);
+	zmgr->ioactive++;
+	queue = (zmgr->ioactive > zmgr->iolimit);
+	if (queue) {
+		if (io->high) {
+			ISC_LIST_APPEND(zmgr->high, io, link);
+		} else {
+			ISC_LIST_APPEND(zmgr->low, io, link);
+		}
+	}
+	UNLOCK(&zmgr->iolock);
+	*iop = io;
+
+	if (!queue) {
+		isc_task_send(io->task, &io->event);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static void
+zonemgr_putio(dns_io_t **iop) {
+	dns_io_t *io;
+	dns_io_t *next;
+	dns_zonemgr_t *zmgr;
+
+	REQUIRE(iop != NULL);
+	io = *iop;
+	*iop = NULL;
+	REQUIRE(DNS_IO_VALID(io));
+
+	INSIST(!ISC_LINK_LINKED(io, link));
+	INSIST(io->event == NULL);
+
+	zmgr = io->zmgr;
+	isc_task_detach(&io->task);
+	io->magic = 0;
+	isc_mem_put(zmgr->mctx, io, sizeof(*io));
+
+	LOCK(&zmgr->iolock);
+	INSIST(zmgr->ioactive > 0);
+	zmgr->ioactive--;
+	next = HEAD(zmgr->high);
+	if (next == NULL) {
+		next = HEAD(zmgr->low);
+	}
+	if (next != NULL) {
+		if (next->high) {
+			ISC_LIST_UNLINK(zmgr->high, next, link);
+		} else {
+			ISC_LIST_UNLINK(zmgr->low, next, link);
+		}
+		INSIST(next->event != NULL);
+	}
+	UNLOCK(&zmgr->iolock);
+	if (next != NULL) {
+		isc_task_send(next->task, &next->event);
+	}
+}
+
+static void
+zonemgr_cancelio(dns_io_t *io) {
+	bool send_event = false;
+
+	REQUIRE(DNS_IO_VALID(io));
+
+	/*
+	 * If we are queued to be run then dequeue.
+	 */
+	LOCK(&io->zmgr->iolock);
+	if (ISC_LINK_LINKED(io, link)) {
+		if (io->high) {
+			ISC_LIST_UNLINK(io->zmgr->high, io, link);
+		} else {
+			ISC_LIST_UNLINK(io->zmgr->low, io, link);
+		}
+
+		send_event = true;
+		INSIST(io->event != NULL);
+	}
+	UNLOCK(&io->zmgr->iolock);
+	if (send_event) {
+		io->event->ev_attributes |= ISC_EVENTATTR_CANCELED;
+		isc_task_send(io->task, &io->event);
+	}
+}
+
+static void
+zone_saveunique(dns_zone_t *zone, const char *path, const char *templat) {
+	char *buf;
+	int buflen;
+	isc_result_t result;
+
+	buflen = strlen(path) + strlen(templat) + 2;
+
+	buf = isc_mem_get(zone->mctx, buflen);
+
+	result = isc_file_template(path, templat, buf, buflen);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	result = isc_file_renameunique(path, buf);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	dns_zone_log(zone, ISC_LOG_WARNING,
+		     "unable to load from '%s'; "
+		     "renaming file to '%s' for failure analysis and "
+		     "retransferring.",
+		     path, buf);
+
+cleanup:
+	isc_mem_put(zone->mctx, buf, buflen);
+}
+
+static void
+setrl(isc_ratelimiter_t *rl, unsigned int *rate, unsigned int value) {
+	isc_interval_t interval;
+	uint32_t s, ns;
+	uint32_t pertic;
+	isc_result_t result;
+
+	if (value == 0) {
+		value = 1;
+	}
+
+	if (value == 1) {
+		s = 1;
+		ns = 0;
+		pertic = 1;
+	} else if (value <= 10) {
+		s = 0;
+		ns = 1000000000 / value;
+		pertic = 1;
+	} else {
+		s = 0;
+		ns = (1000000000 / value) * 10;
+		pertic = 10;
+	}
+
+	isc_interval_set(&interval, s, ns);
+
+	result = isc_ratelimiter_setinterval(rl, &interval);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	isc_ratelimiter_setpertic(rl, pertic);
+
+	*rate = value;
+}
+
+void
+dns_zonemgr_setcheckdsrate(dns_zonemgr_t *zmgr, unsigned int value) {
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	setrl(zmgr->checkdsrl, &zmgr->checkdsrate, value);
+}
+
+void
+dns_zonemgr_setnotifyrate(dns_zonemgr_t *zmgr, unsigned int value) {
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	setrl(zmgr->notifyrl, &zmgr->notifyrate, value);
+}
+
+void
+dns_zonemgr_setstartupnotifyrate(dns_zonemgr_t *zmgr, unsigned int value) {
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	setrl(zmgr->startupnotifyrl, &zmgr->startupnotifyrate, value);
+}
+
+void
+dns_zonemgr_setserialqueryrate(dns_zonemgr_t *zmgr, unsigned int value) {
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	setrl(zmgr->refreshrl, &zmgr->serialqueryrate, value);
+	/* XXXMPA separate out once we have the code to support this. */
+	setrl(zmgr->startuprefreshrl, &zmgr->startupserialqueryrate, value);
+}
+
+unsigned int
+dns_zonemgr_getnotifyrate(dns_zonemgr_t *zmgr) {
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	return (zmgr->notifyrate);
+}
+
+unsigned int
+dns_zonemgr_getstartupnotifyrate(dns_zonemgr_t *zmgr) {
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	return (zmgr->startupnotifyrate);
+}
+
+unsigned int
+dns_zonemgr_getserialqueryrate(dns_zonemgr_t *zmgr) {
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	return (zmgr->serialqueryrate);
+}
+
+bool
+dns_zonemgr_unreachable(dns_zonemgr_t *zmgr, isc_sockaddr_t *remote,
+			isc_sockaddr_t *local, isc_time_t *now) {
+	unsigned int i;
+	uint32_t seconds = isc_time_seconds(now);
+	uint32_t count = 0;
+
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	RWLOCK(&zmgr->urlock, isc_rwlocktype_read);
+	for (i = 0; i < UNREACH_CACHE_SIZE; i++) {
+		if (atomic_load(&zmgr->unreachable[i].expire) >= seconds &&
+		    isc_sockaddr_equal(&zmgr->unreachable[i].remote, remote) &&
+		    isc_sockaddr_equal(&zmgr->unreachable[i].local, local))
+		{
+			atomic_store_relaxed(&zmgr->unreachable[i].last,
+					     seconds);
+			count = zmgr->unreachable[i].count;
+			break;
+		}
+	}
+	RWUNLOCK(&zmgr->urlock, isc_rwlocktype_read);
+	return (i < UNREACH_CACHE_SIZE && count > 1U);
+}
+
+void
+dns_zonemgr_unreachabledel(dns_zonemgr_t *zmgr, isc_sockaddr_t *remote,
+			   isc_sockaddr_t *local) {
+	unsigned int i;
+	char master[ISC_SOCKADDR_FORMATSIZE];
+	char source[ISC_SOCKADDR_FORMATSIZE];
+
+	isc_sockaddr_format(remote, master, sizeof(master));
+	isc_sockaddr_format(local, source, sizeof(source));
+
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	RWLOCK(&zmgr->urlock, isc_rwlocktype_read);
+	for (i = 0; i < UNREACH_CACHE_SIZE; i++) {
+		if (isc_sockaddr_equal(&zmgr->unreachable[i].remote, remote) &&
+		    isc_sockaddr_equal(&zmgr->unreachable[i].local, local))
+		{
+			atomic_store_relaxed(&zmgr->unreachable[i].expire, 0);
+			break;
+		}
+	}
+	RWUNLOCK(&zmgr->urlock, isc_rwlocktype_read);
+}
+
+void
+dns_zonemgr_unreachableadd(dns_zonemgr_t *zmgr, isc_sockaddr_t *remote,
+			   isc_sockaddr_t *local, isc_time_t *now) {
+	uint32_t seconds = isc_time_seconds(now);
+	uint32_t expire = 0, last = seconds;
+	unsigned int slot = UNREACH_CACHE_SIZE, oldest = 0;
+	bool update_entry = true;
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	RWLOCK(&zmgr->urlock, isc_rwlocktype_write);
+	for (unsigned int i = 0; i < UNREACH_CACHE_SIZE; i++) {
+		/* Existing entry? */
+		if (isc_sockaddr_equal(&zmgr->unreachable[i].remote, remote) &&
+		    isc_sockaddr_equal(&zmgr->unreachable[i].local, local))
+		{
+			update_entry = false;
+			slot = i;
+			expire = atomic_load_relaxed(
+				&zmgr->unreachable[i].expire);
+			break;
+		}
+		/* Pick first empty slot? */
+		if (atomic_load_relaxed(&zmgr->unreachable[i].expire) < seconds)
+		{
+			slot = i;
+			break;
+		}
+		/* The worst case, least recently used slot? */
+		if (atomic_load_relaxed(&zmgr->unreachable[i].last) < last) {
+			last = atomic_load_relaxed(&zmgr->unreachable[i].last);
+			oldest = i;
+		}
+	}
+
+	/* We haven't found any existing or free slots, use the oldest */
+	if (slot == UNREACH_CACHE_SIZE) {
+		slot = oldest;
+	}
+
+	if (expire < seconds) {
+		/* Expired or new entry, reset count to 1 */
+		zmgr->unreachable[slot].count = 1;
+	} else {
+		zmgr->unreachable[slot].count++;
+	}
+	atomic_store_relaxed(&zmgr->unreachable[slot].expire,
+			     seconds + UNREACH_HOLD_TIME);
+	atomic_store_relaxed(&zmgr->unreachable[slot].last, seconds);
+	if (update_entry) {
+		zmgr->unreachable[slot].remote = *remote;
+		zmgr->unreachable[slot].local = *local;
+	}
+
+	RWUNLOCK(&zmgr->urlock, isc_rwlocktype_write);
+}
+
+void
+dns_zone_forcereload(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	if (zone->type == dns_zone_primary ||
+	    (zone->type == dns_zone_redirect && zone->masters == NULL))
+	{
+		return;
+	}
+
+	LOCK_ZONE(zone);
+	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_FORCEXFER);
+	UNLOCK_ZONE(zone);
+	dns_zone_refresh(zone);
+}
+
+bool
+dns_zone_isforced(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER));
+}
+
+isc_result_t
+dns_zone_setstatistics(dns_zone_t *zone, bool on) {
+	/*
+	 * This function is obsoleted.
+	 */
+	UNUSED(zone);
+	UNUSED(on);
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+uint64_t *
+dns_zone_getstatscounters(dns_zone_t *zone) {
+	/*
+	 * This function is obsoleted.
+	 */
+	UNUSED(zone);
+	return (NULL);
+}
+
+void
+dns_zone_setstats(dns_zone_t *zone, isc_stats_t *stats) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(zone->stats == NULL);
+
+	LOCK_ZONE(zone);
+	zone->stats = NULL;
+	isc_stats_attach(stats, &zone->stats);
+	UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_setrequeststats(dns_zone_t *zone, isc_stats_t *stats) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->requeststats_on && stats == NULL) {
+		zone->requeststats_on = false;
+	} else if (!zone->requeststats_on && stats != NULL) {
+		if (zone->requeststats == NULL) {
+			isc_stats_attach(stats, &zone->requeststats);
+		}
+		zone->requeststats_on = true;
+	}
+	UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_setrcvquerystats(dns_zone_t *zone, dns_stats_t *stats) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->requeststats_on && stats != NULL) {
+		if (zone->rcvquerystats == NULL) {
+			dns_stats_attach(stats, &zone->rcvquerystats);
+			zone->requeststats_on = true;
+		}
+	}
+	UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_setdnssecsignstats(dns_zone_t *zone, dns_stats_t *stats) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (stats != NULL && zone->dnssecsignstats == NULL) {
+		dns_stats_attach(stats, &zone->dnssecsignstats);
+	}
+	UNLOCK_ZONE(zone);
+}
+
+dns_stats_t *
+dns_zone_getdnssecsignstats(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->dnssecsignstats);
+}
+
+isc_stats_t *
+dns_zone_getrequeststats(dns_zone_t *zone) {
+	/*
+	 * We don't lock zone for efficiency reason.  This is not catastrophic
+	 * because requeststats must always be valid when requeststats_on is
+	 * true.
+	 * Some counters may be incremented while requeststats_on is becoming
+	 * false, or some cannot be incremented just after the statistics are
+	 * installed, but it shouldn't matter much in practice.
+	 */
+	if (zone->requeststats_on) {
+		return (zone->requeststats);
+	} else {
+		return (NULL);
+	}
+}
+
+/*
+ * Return the received query stats bucket
+ * see note from dns_zone_getrequeststats()
+ */
+dns_stats_t *
+dns_zone_getrcvquerystats(dns_zone_t *zone) {
+	if (zone->requeststats_on) {
+		return (zone->rcvquerystats);
+	} else {
+		return (NULL);
+	}
+}
+
+void
+dns_zone_dialup(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	zone_debuglog(zone, "dns_zone_dialup", 3, "notify = %d, refresh = %d",
+		      DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALNOTIFY),
+		      DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH));
+
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALNOTIFY)) {
+		dns_zone_notify(zone);
+	}
+	if (zone->type != dns_zone_primary && zone->masters != NULL &&
+	    DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH))
+	{
+		dns_zone_refresh(zone);
+	}
+}
+
+void
+dns_zone_setdialup(dns_zone_t *zone, dns_dialuptype_t dialup) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_DIALNOTIFY |
+				       DNS_ZONEFLG_DIALREFRESH |
+				       DNS_ZONEFLG_NOREFRESH);
+	switch (dialup) {
+	case dns_dialuptype_no:
+		break;
+	case dns_dialuptype_yes:
+		DNS_ZONE_SETFLAG(zone, (DNS_ZONEFLG_DIALNOTIFY |
+					DNS_ZONEFLG_DIALREFRESH |
+					DNS_ZONEFLG_NOREFRESH));
+		break;
+	case dns_dialuptype_notify:
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DIALNOTIFY);
+		break;
+	case dns_dialuptype_notifypassive:
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DIALNOTIFY);
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOREFRESH);
+		break;
+	case dns_dialuptype_refresh:
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DIALREFRESH);
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOREFRESH);
+		break;
+	case dns_dialuptype_passive:
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOREFRESH);
+		break;
+	default:
+		UNREACHABLE();
+	}
+	UNLOCK_ZONE(zone);
+}
+
+isc_result_t
+dns_zone_setkeydirectory(dns_zone_t *zone, const char *directory) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	result = dns_zone_setstring(zone, &zone->keydirectory, directory);
+	UNLOCK_ZONE(zone);
+
+	return (result);
+}
+
+const char *
+dns_zone_getkeydirectory(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->keydirectory);
+}
+
+unsigned int
+dns_zonemgr_getcount(dns_zonemgr_t *zmgr, int state) {
+	dns_zone_t *zone;
+	unsigned int count = 0;
+
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	RWLOCK(&zmgr->rwlock, isc_rwlocktype_read);
+	switch (state) {
+	case DNS_ZONESTATE_XFERRUNNING:
+		for (zone = ISC_LIST_HEAD(zmgr->xfrin_in_progress);
+		     zone != NULL; zone = ISC_LIST_NEXT(zone, statelink))
+		{
+			count++;
+		}
+		break;
+	case DNS_ZONESTATE_XFERDEFERRED:
+		for (zone = ISC_LIST_HEAD(zmgr->waiting_for_xfrin);
+		     zone != NULL; zone = ISC_LIST_NEXT(zone, statelink))
+		{
+			count++;
+		}
+		break;
+	case DNS_ZONESTATE_SOAQUERY:
+		for (zone = ISC_LIST_HEAD(zmgr->zones); zone != NULL;
+		     zone = ISC_LIST_NEXT(zone, link))
+		{
+			if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESH)) {
+				count++;
+			}
+		}
+		break;
+	case DNS_ZONESTATE_ANY:
+		for (zone = ISC_LIST_HEAD(zmgr->zones); zone != NULL;
+		     zone = ISC_LIST_NEXT(zone, link))
+		{
+			dns_view_t *view = zone->view;
+			if (view != NULL && strcmp(view->name, "_bind") == 0) {
+				continue;
+			}
+			count++;
+		}
+		break;
+	case DNS_ZONESTATE_AUTOMATIC:
+		for (zone = ISC_LIST_HEAD(zmgr->zones); zone != NULL;
+		     zone = ISC_LIST_NEXT(zone, link))
+		{
+			dns_view_t *view = zone->view;
+			if (view != NULL && strcmp(view->name, "_bind") == 0) {
+				continue;
+			}
+			if (zone->automatic) {
+				count++;
+			}
+		}
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_read);
+
+	return (count);
+}
+
+void
+dns_zone_lock_keyfiles(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	if (zone->kasp == NULL) {
+		/* No need to lock, nothing is writing key files. */
+		return;
+	}
+
+	REQUIRE(DNS_KEYFILEIO_VALID(zone->kfio));
+	isc_mutex_lock(&zone->kfio->lock);
+}
+
+void
+dns_zone_unlock_keyfiles(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	if (zone->kasp == NULL) {
+		/* No need to lock, nothing is writing key files. */
+		return;
+	}
+
+	REQUIRE(DNS_KEYFILEIO_VALID(zone->kfio));
+	isc_mutex_unlock(&zone->kfio->lock);
+}
+
+isc_result_t
+dns_zone_checknames(dns_zone_t *zone, const dns_name_t *name,
+		    dns_rdata_t *rdata) {
+	bool ok = true;
+	bool fail = false;
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char namebuf2[DNS_NAME_FORMATSIZE];
+	char typebuf[DNS_RDATATYPE_FORMATSIZE];
+	int level = ISC_LOG_WARNING;
+	dns_name_t bad;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMES) &&
+	    rdata->type != dns_rdatatype_nsec3)
+	{
+		return (ISC_R_SUCCESS);
+	}
+
+	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMESFAIL) ||
+	    rdata->type == dns_rdatatype_nsec3)
+	{
+		level = ISC_LOG_ERROR;
+		fail = true;
+	}
+
+	ok = dns_rdata_checkowner(name, rdata->rdclass, rdata->type, true);
+	if (!ok) {
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		dns_rdatatype_format(rdata->type, typebuf, sizeof(typebuf));
+		dns_zone_log(zone, level, "%s/%s: %s", namebuf, typebuf,
+			     dns_result_totext(DNS_R_BADOWNERNAME));
+		if (fail) {
+			return (DNS_R_BADOWNERNAME);
+		}
+	}
+
+	dns_name_init(&bad, NULL);
+	ok = dns_rdata_checknames(rdata, name, &bad);
+	if (!ok) {
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		dns_name_format(&bad, namebuf2, sizeof(namebuf2));
+		dns_rdatatype_format(rdata->type, typebuf, sizeof(typebuf));
+		dns_zone_log(zone, level, "%s/%s: %s: %s ", namebuf, typebuf,
+			     namebuf2, dns_result_totext(DNS_R_BADNAME));
+		if (fail) {
+			return (DNS_R_BADNAME);
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_zone_setcheckmx(dns_zone_t *zone, dns_checkmxfunc_t checkmx) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	zone->checkmx = checkmx;
+}
+
+void
+dns_zone_setchecksrv(dns_zone_t *zone, dns_checksrvfunc_t checksrv) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	zone->checksrv = checksrv;
+}
+
+void
+dns_zone_setcheckns(dns_zone_t *zone, dns_checknsfunc_t checkns) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	zone->checkns = checkns;
+}
+
+void
+dns_zone_setisself(dns_zone_t *zone, dns_isselffunc_t isself, void *arg) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone->isself = isself;
+	zone->isselfarg = arg;
+	UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_setnotifydelay(dns_zone_t *zone, uint32_t delay) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone->notifydelay = delay;
+	UNLOCK_ZONE(zone);
+}
+
+uint32_t
+dns_zone_getnotifydelay(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->notifydelay);
+}
+
+isc_result_t
+dns_zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm, uint16_t keyid,
+		     bool deleteit) {
+	isc_result_t result;
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	dnssec_log(zone, ISC_LOG_NOTICE,
+		   "dns_zone_signwithkey(algorithm=%u, keyid=%u)", algorithm,
+		   keyid);
+	LOCK_ZONE(zone);
+	result = zone_signwithkey(zone, algorithm, keyid, deleteit);
+	UNLOCK_ZONE(zone);
+
+	return (result);
+}
+
+/*
+ * Called when a dynamic update for an NSEC3PARAM record is received.
+ *
+ * If set, transform the NSEC3 salt into human-readable form so that it can be
+ * logged.  Then call zone_addnsec3chain(), passing NSEC3PARAM RDATA to it.
+ */
+isc_result_t
+dns_zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) {
+	isc_result_t result;
+	char salt[255 * 2 + 1];
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	result = dns_nsec3param_salttotext(nsec3param, salt, sizeof(salt));
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	dnssec_log(zone, ISC_LOG_NOTICE,
+		   "dns_zone_addnsec3chain(hash=%u, iterations=%u, salt=%s)",
+		   nsec3param->hash, nsec3param->iterations, salt);
+	LOCK_ZONE(zone);
+	result = zone_addnsec3chain(zone, nsec3param);
+	UNLOCK_ZONE(zone);
+
+	return (result);
+}
+
+void
+dns_zone_setnodes(dns_zone_t *zone, uint32_t nodes) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	if (nodes == 0) {
+		nodes = 1;
+	}
+	zone->nodes = nodes;
+}
+
+void
+dns_zone_setsignatures(dns_zone_t *zone, uint32_t signatures) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	/*
+	 * We treat signatures as a signed value so explicitly
+	 * limit its range here.
+	 */
+	if (signatures > INT32_MAX) {
+		signatures = INT32_MAX;
+	} else if (signatures == 0) {
+		signatures = 1;
+	}
+	zone->signatures = signatures;
+}
+
+uint32_t
+dns_zone_getsignatures(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (zone->signatures);
+}
+
+void
+dns_zone_setprivatetype(dns_zone_t *zone, dns_rdatatype_t type) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	zone->privatetype = type;
+}
+
+dns_rdatatype_t
+dns_zone_getprivatetype(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (zone->privatetype);
+}
+
+static isc_result_t
+zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm, uint16_t keyid,
+		 bool deleteit) {
+	dns_signing_t *signing;
+	dns_signing_t *current;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_time_t now;
+	dns_db_t *db = NULL;
+
+	signing = isc_mem_get(zone->mctx, sizeof *signing);
+
+	signing->magic = 0;
+	signing->db = NULL;
+	signing->dbiterator = NULL;
+	signing->algorithm = algorithm;
+	signing->keyid = keyid;
+	signing->deleteit = deleteit;
+	signing->done = false;
+
+	TIME_NOW(&now);
+
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zone->db != NULL) {
+		dns_db_attach(zone->db, &db);
+	}
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+
+	if (db == NULL) {
+		result = ISC_R_NOTFOUND;
+		goto cleanup;
+	}
+
+	dns_db_attach(db, &signing->db);
+
+	for (current = ISC_LIST_HEAD(zone->signing); current != NULL;
+	     current = ISC_LIST_NEXT(current, link))
+	{
+		if (current->db == signing->db &&
+		    current->algorithm == signing->algorithm &&
+		    current->keyid == signing->keyid)
+		{
+			if (current->deleteit != signing->deleteit) {
+				current->done = true;
+			} else {
+				goto cleanup;
+			}
+		}
+	}
+
+	result = dns_db_createiterator(signing->db, 0, &signing->dbiterator);
+
+	if (result == ISC_R_SUCCESS) {
+		result = dns_dbiterator_first(signing->dbiterator);
+	}
+	if (result == ISC_R_SUCCESS) {
+		dns_dbiterator_pause(signing->dbiterator);
+		ISC_LIST_INITANDAPPEND(zone->signing, signing, link);
+		signing = NULL;
+		if (isc_time_isepoch(&zone->signingtime)) {
+			zone->signingtime = now;
+			if (zone->task != NULL) {
+				zone_settimer(zone, &now);
+			}
+		}
+	}
+
+cleanup:
+	if (signing != NULL) {
+		if (signing->db != NULL) {
+			dns_db_detach(&signing->db);
+		}
+		if (signing->dbiterator != NULL) {
+			dns_dbiterator_destroy(&signing->dbiterator);
+		}
+		isc_mem_put(zone->mctx, signing, sizeof *signing);
+	}
+	if (db != NULL) {
+		dns_db_detach(&db);
+	}
+	return (result);
+}
+
+/* Called once; *timep should be set to the current time. */
+static isc_result_t
+next_keyevent(dst_key_t *key, isc_stdtime_t *timep) {
+	isc_result_t result;
+	isc_stdtime_t now, then = 0, event;
+	int i;
+
+	now = *timep;
+
+	for (i = 0; i <= DST_MAX_TIMES; i++) {
+		result = dst_key_gettime(key, i, &event);
+		if (result == ISC_R_SUCCESS && event > now &&
+		    (then == 0 || event < then))
+		{
+			then = event;
+		}
+	}
+
+	if (then != 0) {
+		*timep = then;
+		return (ISC_R_SUCCESS);
+	}
+
+	return (ISC_R_NOTFOUND);
+}
+
+static isc_result_t
+rr_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+	  const dns_rdata_t *rdata, bool *flag) {
+	dns_rdataset_t rdataset;
+	dns_dbnode_t *node = NULL;
+	isc_result_t result;
+
+	dns_rdataset_init(&rdataset);
+	if (rdata->type == dns_rdatatype_nsec3) {
+		CHECK(dns_db_findnsec3node(db, name, false, &node));
+	} else {
+		CHECK(dns_db_findnode(db, name, false, &node));
+	}
+	result = dns_db_findrdataset(db, node, ver, rdata->type, 0,
+				     (isc_stdtime_t)0, &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND) {
+		*flag = false;
+		result = ISC_R_SUCCESS;
+		goto failure;
+	}
+
+	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		dns_rdata_t myrdata = DNS_RDATA_INIT;
+		dns_rdataset_current(&rdataset, &myrdata);
+		if (!dns_rdata_compare(&myrdata, rdata)) {
+			break;
+		}
+	}
+	dns_rdataset_disassociate(&rdataset);
+	if (result == ISC_R_SUCCESS) {
+		*flag = true;
+	} else if (result == ISC_R_NOMORE) {
+		*flag = false;
+		result = ISC_R_SUCCESS;
+	}
+
+failure:
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+	return (result);
+}
+
+/*
+ * Add records to signal the state of signing or of key removal.
+ */
+static isc_result_t
+add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype,
+		    dns_dbversion_t *ver, dns_diff_t *diff, bool sign_all) {
+	dns_difftuple_t *tuple, *newtuple = NULL;
+	dns_rdata_dnskey_t dnskey;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	bool flag;
+	isc_region_t r;
+	isc_result_t result = ISC_R_SUCCESS;
+	uint16_t keyid;
+	unsigned char buf[5];
+	dns_name_t *name = dns_db_origin(db);
+
+	for (tuple = ISC_LIST_HEAD(diff->tuples); tuple != NULL;
+	     tuple = ISC_LIST_NEXT(tuple, link))
+	{
+		if (tuple->rdata.type != dns_rdatatype_dnskey) {
+			continue;
+		}
+
+		result = dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		if ((dnskey.flags & (DNS_KEYFLAG_OWNERMASK |
+				     DNS_KEYTYPE_NOAUTH)) != DNS_KEYOWNER_ZONE)
+		{
+			continue;
+		}
+
+		dns_rdata_toregion(&tuple->rdata, &r);
+
+		keyid = dst_region_computeid(&r);
+
+		buf[0] = dnskey.algorithm;
+		buf[1] = (keyid & 0xff00) >> 8;
+		buf[2] = (keyid & 0xff);
+		buf[3] = (tuple->op == DNS_DIFFOP_ADD) ? 0 : 1;
+		buf[4] = 0;
+		rdata.data = buf;
+		rdata.length = sizeof(buf);
+		rdata.type = privatetype;
+		rdata.rdclass = tuple->rdata.rdclass;
+
+		if (sign_all || tuple->op == DNS_DIFFOP_DEL) {
+			CHECK(rr_exists(db, ver, name, &rdata, &flag));
+			if (flag) {
+				continue;
+			}
+
+			CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
+						   name, 0, &rdata, &newtuple));
+			CHECK(do_one_tuple(&newtuple, db, ver, diff));
+			INSIST(newtuple == NULL);
+		}
+
+		/*
+		 * Remove any record which says this operation has already
+		 * completed.
+		 */
+		buf[4] = 1;
+		CHECK(rr_exists(db, ver, name, &rdata, &flag));
+		if (flag) {
+			CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL,
+						   name, 0, &rdata, &newtuple));
+			CHECK(do_one_tuple(&newtuple, db, ver, diff));
+			INSIST(newtuple == NULL);
+		}
+	}
+failure:
+	return (result);
+}
+
+/*
+ * See if dns__zone_updatesigs() will update signature for RRset 'rrtype' at
+ * the apex, and if not tickle them and cause to sign so that newly activated
+ * keys are used.
+ */
+static isc_result_t
+tickle_apex_rrset(dns_rdatatype_t rrtype, dns_zone_t *zone, dns_db_t *db,
+		  dns_dbversion_t *ver, isc_stdtime_t now, dns_diff_t *diff,
+		  dns__zonediff_t *zonediff, dst_key_t **keys,
+		  unsigned int nkeys, isc_stdtime_t inception,
+		  isc_stdtime_t keyexpire, bool check_ksk,
+		  bool keyset_kskonly) {
+	dns_difftuple_t *tuple;
+	isc_result_t result;
+
+	for (tuple = ISC_LIST_HEAD(diff->tuples); tuple != NULL;
+	     tuple = ISC_LIST_NEXT(tuple, link))
+	{
+		if (tuple->rdata.type == rrtype &&
+		    dns_name_equal(&tuple->name, &zone->origin))
+		{
+			break;
+		}
+	}
+
+	if (tuple == NULL) {
+		result = del_sigs(zone, db, ver, &zone->origin, rrtype,
+				  zonediff, keys, nkeys, now, false);
+		if (result != ISC_R_SUCCESS) {
+			dnssec_log(zone, ISC_LOG_ERROR,
+				   "sign_apex:del_sigs -> %s",
+				   dns_result_totext(result));
+			return (result);
+		}
+		result = add_sigs(db, ver, &zone->origin, zone, rrtype,
+				  zonediff->diff, keys, nkeys, zone->mctx,
+				  inception, keyexpire, check_ksk,
+				  keyset_kskonly);
+		if (result != ISC_R_SUCCESS) {
+			dnssec_log(zone, ISC_LOG_ERROR,
+				   "sign_apex:add_sigs -> %s",
+				   dns_result_totext(result));
+			return (result);
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
+	  isc_stdtime_t now, dns_diff_t *diff, dns__zonediff_t *zonediff) {
+	isc_result_t result;
+	isc_stdtime_t inception, soaexpire, keyexpire;
+	bool check_ksk, keyset_kskonly;
+	dst_key_t *zone_keys[DNS_MAXZONEKEYS];
+	unsigned int nkeys = 0, i;
+
+	result = dns__zone_findkeys(zone, db, ver, now, zone->mctx,
+				    DNS_MAXZONEKEYS, zone_keys, &nkeys);
+	if (result != ISC_R_SUCCESS) {
+		dnssec_log(zone, ISC_LOG_ERROR,
+			   "sign_apex:dns__zone_findkeys -> %s",
+			   dns_result_totext(result));
+		return (result);
+	}
+
+	inception = now - 3600; /* Allow for clock skew. */
+	soaexpire = now + dns_zone_getsigvalidityinterval(zone);
+
+	keyexpire = dns_zone_getkeyvalidityinterval(zone);
+	if (keyexpire == 0) {
+		keyexpire = soaexpire - 1;
+	} else {
+		keyexpire += now;
+	}
+
+	check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
+	keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY);
+
+	/*
+	 * See if dns__zone_updatesigs() will update DNSKEY/CDS/CDNSKEY
+	 * signature and if not cause them to sign so that newly activated
+	 * keys are used.
+	 */
+	result = tickle_apex_rrset(dns_rdatatype_dnskey, zone, db, ver, now,
+				   diff, zonediff, zone_keys, nkeys, inception,
+				   keyexpire, check_ksk, keyset_kskonly);
+	if (result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+	result = tickle_apex_rrset(dns_rdatatype_cds, zone, db, ver, now, diff,
+				   zonediff, zone_keys, nkeys, inception,
+				   keyexpire, check_ksk, keyset_kskonly);
+	if (result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+	result = tickle_apex_rrset(dns_rdatatype_cdnskey, zone, db, ver, now,
+				   diff, zonediff, zone_keys, nkeys, inception,
+				   keyexpire, check_ksk, keyset_kskonly);
+	if (result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+
+	result = dns__zone_updatesigs(diff, db, ver, zone_keys, nkeys, zone,
+				      inception, soaexpire, keyexpire, now,
+				      check_ksk, keyset_kskonly, zonediff);
+
+	if (result != ISC_R_SUCCESS) {
+		dnssec_log(zone, ISC_LOG_ERROR,
+			   "sign_apex:dns__zone_updatesigs -> %s",
+			   dns_result_totext(result));
+		goto failure;
+	}
+
+failure:
+	for (i = 0; i < nkeys; i++) {
+		dst_key_free(&zone_keys[i]);
+	}
+	return (result);
+}
+
+/*
+ * Prevent the zone entering a inconsistent state where
+ * NSEC only DNSKEYs are present with NSEC3 chains.
+ * See update.c:check_dnssec()
+ */
+static bool
+dnskey_sane(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
+	    dns_diff_t *diff) {
+	isc_result_t result;
+	dns_difftuple_t *tuple;
+	bool nseconly = false, nsec3 = false;
+	dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
+
+	/* Scan the tuples for an NSEC-only DNSKEY */
+	for (tuple = ISC_LIST_HEAD(diff->tuples); tuple != NULL;
+	     tuple = ISC_LIST_NEXT(tuple, link))
+	{
+		uint8_t alg;
+		if (tuple->rdata.type != dns_rdatatype_dnskey ||
+		    tuple->op != DNS_DIFFOP_ADD)
+		{
+			continue;
+		}
+
+		alg = tuple->rdata.data[3];
+		if (alg == DST_ALG_RSASHA1) {
+			nseconly = true;
+			break;
+		}
+	}
+
+	/* Check existing DB for NSEC-only DNSKEY */
+	if (!nseconly) {
+		result = dns_nsec_nseconly(db, ver, &nseconly);
+		if (result == ISC_R_NOTFOUND) {
+			result = ISC_R_SUCCESS;
+		}
+		CHECK(result);
+	}
+
+	/* Check existing DB for NSEC3 */
+	if (!nsec3) {
+		CHECK(dns_nsec3_activex(db, ver, false, privatetype, &nsec3));
+	}
+
+	/* Refuse to allow NSEC3 with NSEC-only keys */
+	if (nseconly && nsec3) {
+		dnssec_log(zone, ISC_LOG_ERROR,
+			   "NSEC only DNSKEYs and NSEC3 chains not allowed");
+		goto failure;
+	}
+
+	return (true);
+
+failure:
+	return (false);
+}
+
+static isc_result_t
+clean_nsec3param(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
+		 dns_diff_t *diff) {
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+
+	dns_rdataset_init(&rdataset);
+	CHECK(dns_db_getoriginnode(db, &node));
+
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey,
+				     dns_rdatatype_none, 0, &rdataset, NULL);
+	if (dns_rdataset_isassociated(&rdataset)) {
+		dns_rdataset_disassociate(&rdataset);
+	}
+	if (result != ISC_R_NOTFOUND) {
+		goto failure;
+	}
+
+	result = dns_nsec3param_deletechains(db, ver, zone, true, diff);
+
+failure:
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+	return (result);
+}
+
+/*
+ * Given an RRSIG rdataset and an algorithm, determine whether there
+ * are any signatures using that algorithm.
+ */
+static bool
+signed_with_alg(dns_rdataset_t *rdataset, dns_secalg_t alg) {
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_rrsig_t rrsig;
+	isc_result_t result;
+
+	REQUIRE(rdataset == NULL || rdataset->type == dns_rdatatype_rrsig);
+	if (rdataset == NULL || !dns_rdataset_isassociated(rdataset)) {
+		return (false);
+	}
+
+	for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(rdataset))
+	{
+		dns_rdataset_current(rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		dns_rdata_reset(&rdata);
+		if (rrsig.algorithm == alg) {
+			return (true);
+		}
+	}
+
+	return (false);
+}
+
+static isc_result_t
+add_chains(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
+	   dns_diff_t *diff) {
+	dns_name_t *origin;
+	bool build_nsec3;
+	isc_result_t result;
+
+	origin = dns_db_origin(db);
+	CHECK(dns_private_chains(db, ver, zone->privatetype, NULL,
+				 &build_nsec3));
+	if (build_nsec3) {
+		CHECK(dns_nsec3_addnsec3sx(db, ver, origin, zone_nsecttl(zone),
+					   false, zone->privatetype, diff));
+	}
+	CHECK(updatesecure(db, ver, origin, zone_nsecttl(zone), true, diff));
+
+failure:
+	return (result);
+}
+
+static void
+dnssec_report(const char *format, ...) {
+	va_list args;
+	va_start(args, format);
+	isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_DNSSEC, DNS_LOGMODULE_ZONE,
+		       ISC_LOG_INFO, format, args);
+	va_end(args);
+}
+
+static void
+checkds_destroy(dns_checkds_t *checkds, bool locked) {
+	isc_mem_t *mctx;
+
+	REQUIRE(DNS_CHECKDS_VALID(checkds));
+
+	dns_zone_log(checkds->zone, ISC_LOG_DEBUG(3),
+		     "checkds: destroy DS query");
+
+	if (checkds->zone != NULL) {
+		if (!locked) {
+			LOCK_ZONE(checkds->zone);
+		}
+		REQUIRE(LOCKED_ZONE(checkds->zone));
+		if (ISC_LINK_LINKED(checkds, link)) {
+			ISC_LIST_UNLINK(checkds->zone->checkds_requests,
+					checkds, link);
+		}
+		if (!locked) {
+			UNLOCK_ZONE(checkds->zone);
+		}
+		if (locked) {
+			zone_idetach(&checkds->zone);
+		} else {
+			dns_zone_idetach(&checkds->zone);
+		}
+	}
+	if (checkds->request != NULL) {
+		dns_request_destroy(&checkds->request);
+	}
+	if (checkds->key != NULL) {
+		dns_tsigkey_detach(&checkds->key);
+	}
+	mctx = checkds->mctx;
+	isc_mem_put(checkds->mctx, checkds, sizeof(*checkds));
+	isc_mem_detach(&mctx);
+}
+
+static isc_result_t
+make_dnskey(dst_key_t *key, unsigned char *buf, int bufsize,
+	    dns_rdata_t *target) {
+	isc_result_t result;
+	isc_buffer_t b;
+	isc_region_t r;
+
+	isc_buffer_init(&b, buf, bufsize);
+	result = dst_key_todns(key, &b);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	dns_rdata_reset(target);
+	isc_buffer_usedregion(&b, &r);
+	dns_rdata_fromregion(target, dst_key_class(key), dns_rdatatype_dnskey,
+			     &r);
+	return (ISC_R_SUCCESS);
+}
+
+static bool
+do_checkds(dns_zone_t *zone, dst_key_t *key, isc_stdtime_t now,
+	   bool dspublish) {
+	dns_kasp_t *kasp = dns_zone_getkasp(zone);
+	const char *dir = dns_zone_getkeydirectory(zone);
+	isc_result_t result;
+	uint32_t count = 0;
+
+	if (dspublish) {
+		(void)dst_key_getnum(key, DST_NUM_DSPUBCOUNT, &count);
+		count += 1;
+		dst_key_setnum(key, DST_NUM_DSPUBCOUNT, count);
+		dns_zone_log(zone, ISC_LOG_DEBUG(3),
+			     "checkds: %u DS published "
+			     "for key %u",
+			     count, dst_key_id(key));
+
+		if (count != zone->parentalscnt) {
+			return false;
+		}
+	} else {
+		(void)dst_key_getnum(key, DST_NUM_DSDELCOUNT, &count);
+		count += 1;
+		dst_key_setnum(key, DST_NUM_DSDELCOUNT, count);
+		dns_zone_log(zone, ISC_LOG_DEBUG(3),
+			     "checkds: %u DS withdrawn "
+			     "for key %u",
+			     count, dst_key_id(key));
+
+		if (count != zone->parentalscnt) {
+			return false;
+		}
+	}
+
+	dns_zone_log(zone, ISC_LOG_DEBUG(3),
+		     "checkds: checkds %s for key "
+		     "%u",
+		     dspublish ? "published" : "withdrawn", dst_key_id(key));
+
+	dns_zone_lock_keyfiles(zone);
+	result = dns_keymgr_checkds_id(kasp, &zone->checkds_ok, dir, now, now,
+				       dspublish, dst_key_id(key),
+				       dst_key_alg(key));
+	dns_zone_unlock_keyfiles(zone);
+
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_WARNING,
+			     "checkds: checkds for key %u failed: %s",
+			     dst_key_id(key), isc_result_totext(result));
+		return false;
+	}
+
+	return true;
+}
+
+static isc_result_t
+validate_ds(dns_zone_t *zone, dns_message_t *message) {
+	UNUSED(zone);
+	UNUSED(message);
+
+	/* Get closest trust anchor */
+
+	/* Check that trust anchor is (grand)parent of zone. */
+
+	/* Find the DNSKEY signing the message. */
+
+	/* Check that DNSKEY is in chain of trust. */
+
+	/* Validate DS RRset. */
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+checkds_done(isc_task_t *task, isc_event_t *event) {
+	char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+	char rcode[128];
+	dns_checkds_t *checkds;
+	dns_zone_t *zone;
+	dns_db_t *db = NULL;
+	dns_dbversion_t *version = NULL;
+	dns_dnsseckey_t *key;
+	dns_dnsseckeylist_t keys;
+	dns_kasp_t *kasp = NULL;
+	dns_message_t *message = NULL;
+	dns_rdataset_t *ds_rrset = NULL;
+	dns_requestevent_t *revent = (dns_requestevent_t *)event;
+	isc_buffer_t buf;
+	isc_result_t result;
+	isc_stdtime_t now;
+	isc_time_t timenow;
+	bool rekey = false;
+	bool empty = false;
+
+	UNUSED(task);
+
+	checkds = event->ev_arg;
+	REQUIRE(DNS_CHECKDS_VALID(checkds));
+
+	zone = checkds->zone;
+	INSIST(task == zone->task);
+
+	ISC_LIST_INIT(keys);
+
+	kasp = zone->kasp;
+	INSIST(kasp != NULL);
+
+	isc_buffer_init(&buf, rcode, sizeof(rcode));
+	isc_sockaddr_format(&checkds->dst, addrbuf, sizeof(addrbuf));
+
+	dns_zone_log(zone, ISC_LOG_DEBUG(1), "checkds: DS query to %s: done",
+		     addrbuf);
+
+	dns_message_create(zone->mctx, DNS_MESSAGE_INTENTPARSE, &message);
+	INSIST(message != NULL);
+
+	CHECK(revent->result);
+	CHECK(dns_request_getresponse(revent->request, message,
+				      DNS_MESSAGEPARSE_PRESERVEORDER));
+	CHECK(dns_rcode_totext(message->rcode, &buf));
+
+	dns_zone_log(zone, ISC_LOG_DEBUG(3),
+		     "checkds: DS response from %s: %.*s", addrbuf,
+		     (int)buf.used, rcode);
+
+	/* Validate response. */
+	CHECK(validate_ds(zone, message));
+
+	if (message->rcode != dns_rcode_noerror) {
+		dns_zone_log(zone, ISC_LOG_NOTICE,
+			     "checkds: bad DS response from %s: %.*s", addrbuf,
+			     (int)buf.used, rcode);
+		goto failure;
+	}
+
+	/* Lookup DS RRset. */
+	result = dns_message_firstname(message, DNS_SECTION_ANSWER);
+	while (result == ISC_R_SUCCESS) {
+		dns_name_t *name = NULL;
+		dns_rdataset_t *rdataset;
+
+		dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
+		if (dns_name_compare(&zone->origin, name) != 0) {
+			goto next;
+		}
+
+		for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link))
+		{
+			if (rdataset->type != dns_rdatatype_ds) {
+				goto next;
+			}
+
+			ds_rrset = rdataset;
+			break;
+		}
+
+		if (ds_rrset != NULL) {
+			break;
+		}
+
+	next:
+		result = dns_message_nextname(message, DNS_SECTION_ANSWER);
+	}
+
+	if (ds_rrset == NULL) {
+		empty = true;
+		dns_zone_log(zone, ISC_LOG_NOTICE,
+			     "checkds: empty DS response from %s", addrbuf);
+	}
+
+	TIME_NOW(&timenow);
+	now = isc_time_seconds(&timenow);
+
+	CHECK(dns_zone_getdb(zone, &db));
+	dns_db_currentversion(db, &version);
+
+	KASP_LOCK(kasp);
+	LOCK_ZONE(zone);
+	for (key = ISC_LIST_HEAD(zone->checkds_ok); key != NULL;
+	     key = ISC_LIST_NEXT(key, link))
+	{
+		bool alldone = false, found = false;
+		bool checkdspub = false, checkdsdel = false, ksk = false;
+		dst_key_state_t ds_state = DST_KEY_STATE_NA;
+		isc_stdtime_t published = 0, withdrawn = 0;
+		isc_result_t ret = ISC_R_SUCCESS;
+
+		/* Is this key have the KSK role? */
+		(void)dst_key_role(key->key, &ksk, NULL);
+		if (!ksk) {
+			continue;
+		}
+
+		/* Do we need to check the DS RRset for this key? */
+		(void)dst_key_getstate(key->key, DST_KEY_DS, &ds_state);
+		(void)dst_key_gettime(key->key, DST_TIME_DSPUBLISH, &published);
+		(void)dst_key_gettime(key->key, DST_TIME_DSDELETE, &withdrawn);
+
+		if (ds_state == DST_KEY_STATE_RUMOURED && published == 0) {
+			checkdspub = true;
+		} else if (ds_state == DST_KEY_STATE_UNRETENTIVE &&
+			   withdrawn == 0)
+		{
+			checkdsdel = true;
+		}
+		if (!checkdspub && !checkdsdel) {
+			continue;
+		}
+
+		if (empty) {
+			goto dswithdrawn;
+		}
+
+		/* Find the appropriate DS record. */
+		ret = dns_rdataset_first(ds_rrset);
+		while (ret == ISC_R_SUCCESS) {
+			dns_rdata_ds_t ds;
+			dns_rdata_t dnskey = DNS_RDATA_INIT;
+			dns_rdata_t dsrdata = DNS_RDATA_INIT;
+			dns_rdata_t rdata = DNS_RDATA_INIT;
+			isc_result_t r;
+			unsigned char dsbuf[DNS_DS_BUFFERSIZE];
+			unsigned char keybuf[DST_KEY_MAXSIZE];
+
+			dns_rdataset_current(ds_rrset, &rdata);
+			r = dns_rdata_tostruct(&rdata, &ds, NULL);
+			if (r != ISC_R_SUCCESS) {
+				goto nextds;
+			}
+			/* Check key tag and algorithm. */
+			if (dst_key_id(key->key) != ds.key_tag) {
+				goto nextds;
+			}
+			if (dst_key_alg(key->key) != ds.algorithm) {
+				goto nextds;
+			}
+			/* Derive DS from DNSKEY, see if the rdata is equal. */
+			make_dnskey(key->key, keybuf, sizeof(keybuf), &dnskey);
+			r = dns_ds_buildrdata(&zone->origin, &dnskey,
+					      ds.digest_type, dsbuf, &dsrdata);
+			if (r != ISC_R_SUCCESS) {
+				goto nextds;
+			}
+			if (dns_rdata_compare(&rdata, &dsrdata) == 0) {
+				found = true;
+				if (checkdspub) {
+					/* DS Published. */
+					alldone = do_checkds(zone, key->key,
+							     now, true);
+					if (alldone) {
+						rekey = true;
+					}
+				}
+			}
+
+		nextds:
+			ret = dns_rdataset_next(ds_rrset);
+		}
+
+	dswithdrawn:
+		/* DS withdrawn. */
+		if (checkdsdel && !found) {
+			alldone = do_checkds(zone, key->key, now, false);
+			if (alldone) {
+				rekey = true;
+			}
+		}
+	}
+	UNLOCK_ZONE(zone);
+	KASP_UNLOCK(kasp);
+
+	/* Rekey after checkds. */
+	if (rekey) {
+		dns_zone_rekey(zone, false);
+	}
+
+failure:
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_DEBUG(3),
+			     "checkds: DS request failed: %s",
+			     isc_result_totext(result));
+	}
+
+	if (version != NULL) {
+		dns_db_closeversion(db, &version, false);
+	}
+	if (db != NULL) {
+		dns_db_detach(&db);
+	}
+
+	while (!ISC_LIST_EMPTY(keys)) {
+		key = ISC_LIST_HEAD(keys);
+		ISC_LIST_UNLINK(keys, key, link);
+		dns_dnsseckey_destroy(dns_zone_getmctx(zone), &key);
+	}
+
+	isc_event_free(&event);
+	checkds_destroy(checkds, false);
+	dns_message_detach(&message);
+}
+
+static bool
+checkds_isqueued(dns_zone_t *zone, isc_sockaddr_t *addr, dns_tsigkey_t *key) {
+	dns_checkds_t *checkds;
+
+	for (checkds = ISC_LIST_HEAD(zone->checkds_requests); checkds != NULL;
+	     checkds = ISC_LIST_NEXT(checkds, link))
+	{
+		if (checkds->request != NULL) {
+			continue;
+		}
+		if (addr != NULL && isc_sockaddr_equal(addr, &checkds->dst) &&
+		    checkds->key == key)
+		{
+			return (true);
+		}
+	}
+	return (false);
+}
+
+static isc_result_t
+checkds_create(isc_mem_t *mctx, unsigned int flags, dns_checkds_t **checkdsp) {
+	dns_checkds_t *checkds;
+
+	REQUIRE(checkdsp != NULL && *checkdsp == NULL);
+
+	checkds = isc_mem_get(mctx, sizeof(*checkds));
+	*checkds = (dns_checkds_t){
+		.flags = flags,
+	};
+
+	isc_mem_attach(mctx, &checkds->mctx);
+	isc_sockaddr_any(&checkds->dst);
+	ISC_LINK_INIT(checkds, link);
+	checkds->magic = CHECKDS_MAGIC;
+	*checkdsp = checkds;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+checkds_createmessage(dns_zone_t *zone, dns_message_t **messagep) {
+	dns_message_t *message = NULL;
+
+	dns_name_t *tempname = NULL;
+	dns_rdataset_t *temprdataset = NULL;
+
+	isc_result_t result;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(messagep != NULL && *messagep == NULL);
+
+	dns_message_create(zone->mctx, DNS_MESSAGE_INTENTRENDER, &message);
+
+	message->opcode = dns_opcode_query;
+	message->rdclass = zone->rdclass;
+
+	result = dns_message_gettempname(message, &tempname);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	result = dns_message_gettemprdataset(message, &temprdataset);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	/*
+	 * Make question.
+	 */
+	dns_name_init(tempname, NULL);
+	dns_name_clone(&zone->origin, tempname);
+	dns_rdataset_makequestion(temprdataset, zone->rdclass,
+				  dns_rdatatype_ds);
+	ISC_LIST_APPEND(tempname->list, temprdataset, link);
+	dns_message_addname(message, tempname, DNS_SECTION_QUESTION);
+	tempname = NULL;
+	temprdataset = NULL;
+
+	*messagep = message;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	if (tempname != NULL) {
+		dns_message_puttempname(message, &tempname);
+	}
+	if (temprdataset != NULL) {
+		dns_message_puttemprdataset(message, &temprdataset);
+	}
+	dns_message_detach(&message);
+	return (result);
+}
+
+static void
+checkds_send_toaddr(isc_task_t *task, isc_event_t *event) {
+	dns_checkds_t *checkds;
+	isc_result_t result;
+	dns_message_t *message = NULL;
+	isc_netaddr_t dstip;
+	dns_tsigkey_t *key = NULL;
+	char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+	isc_sockaddr_t src;
+	unsigned int options, timeout;
+	bool have_checkdssource = false;
+	bool have_checkdsdscp = false;
+	isc_dscp_t dscp = -1;
+
+	checkds = event->ev_arg;
+	REQUIRE(DNS_CHECKDS_VALID(checkds));
+
+	UNUSED(task);
+
+	LOCK_ZONE(checkds->zone);
+
+	checkds->event = NULL;
+
+	if (DNS_ZONE_FLAG(checkds->zone, DNS_ZONEFLG_LOADED) == 0) {
+		result = ISC_R_CANCELED;
+		goto cleanup;
+	}
+
+	if ((event->ev_attributes & ISC_EVENTATTR_CANCELED) != 0 ||
+	    DNS_ZONE_FLAG(checkds->zone, DNS_ZONEFLG_EXITING) ||
+	    checkds->zone->view->requestmgr == NULL ||
+	    checkds->zone->db == NULL)
+	{
+		result = ISC_R_CANCELED;
+		goto cleanup;
+	}
+
+	/*
+	 * The raw IPv4 address should also exist.  Don't send to the
+	 * mapped form.
+	 */
+	if (isc_sockaddr_pf(&checkds->dst) == PF_INET6 &&
+	    IN6_IS_ADDR_V4MAPPED(&checkds->dst.type.sin6.sin6_addr))
+	{
+		isc_sockaddr_format(&checkds->dst, addrbuf, sizeof(addrbuf));
+		dns_zone_log(checkds->zone, ISC_LOG_DEBUG(3),
+			     "checkds: ignoring IPv6 mapped IPV4 address: %s",
+			     addrbuf);
+		result = ISC_R_CANCELED;
+		goto cleanup;
+	}
+
+	result = checkds_createmessage(checkds->zone, &message);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	isc_sockaddr_format(&checkds->dst, addrbuf, sizeof(addrbuf));
+	if (checkds->key != NULL) {
+		/* Transfer ownership of key */
+		key = checkds->key;
+		checkds->key = NULL;
+	} else {
+		isc_netaddr_fromsockaddr(&dstip, &checkds->dst);
+		result = dns_view_getpeertsig(checkds->zone->view, &dstip,
+					      &key);
+		if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
+			dns_zone_log(checkds->zone, ISC_LOG_ERROR,
+				     "checkds: DS query to %s not sent. "
+				     "Peer TSIG key lookup failure.",
+				     addrbuf);
+			goto cleanup_message;
+		}
+	}
+
+	if (key != NULL) {
+		char namebuf[DNS_NAME_FORMATSIZE];
+
+		dns_name_format(&key->name, namebuf, sizeof(namebuf));
+		dns_zone_log(checkds->zone, ISC_LOG_DEBUG(3),
+			     "checkds: sending DS query to %s : TSIG (%s)",
+			     addrbuf, namebuf);
+	} else {
+		dns_zone_log(checkds->zone, ISC_LOG_DEBUG(3),
+			     "checkds: sending DS query to %s", addrbuf);
+	}
+	options = 0;
+	if (checkds->zone->view->peers != NULL) {
+		dns_peer_t *peer = NULL;
+		bool usetcp = false;
+		result = dns_peerlist_peerbyaddr(checkds->zone->view->peers,
+						 &dstip, &peer);
+		if (result == ISC_R_SUCCESS) {
+			result = dns_peer_getquerysource(peer, &src);
+			if (result == ISC_R_SUCCESS) {
+				have_checkdssource = true;
+			}
+			dns_peer_getquerydscp(peer, &dscp);
+			if (dscp != -1) {
+				have_checkdsdscp = true;
+			}
+			result = dns_peer_getforcetcp(peer, &usetcp);
+			if (result == ISC_R_SUCCESS && usetcp) {
+				options |= DNS_FETCHOPT_TCP;
+			}
+		}
+	}
+	switch (isc_sockaddr_pf(&checkds->dst)) {
+	case PF_INET:
+		if (!have_checkdssource) {
+			src = checkds->zone->parentalsrc4;
+		}
+		if (!have_checkdsdscp) {
+			dscp = checkds->zone->parentalsrc4dscp;
+		}
+		break;
+	case PF_INET6:
+		if (!have_checkdssource) {
+			src = checkds->zone->parentalsrc6;
+		}
+		if (!have_checkdsdscp) {
+			dscp = checkds->zone->parentalsrc6dscp;
+		}
+		break;
+	default:
+		result = ISC_R_NOTIMPLEMENTED;
+		goto cleanup_key;
+	}
+
+	dns_zone_log(checkds->zone, ISC_LOG_DEBUG(3),
+		     "checkds: create request for DS query to %s", addrbuf);
+
+	timeout = 15;
+	options |= DNS_REQUESTOPT_TCP;
+	result = dns_request_createvia(
+		checkds->zone->view->requestmgr, message, &src, &checkds->dst,
+		dscp, options, key, timeout * 3, timeout, 0,
+		checkds->zone->task, checkds_done, checkds, &checkds->request);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(
+			checkds->zone, ISC_LOG_DEBUG(3),
+			"checkds: dns_request_createvia() to %s failed: %s",
+			addrbuf, dns_result_totext(result));
+	}
+
+cleanup_key:
+	if (key != NULL) {
+		dns_tsigkey_detach(&key);
+	}
+cleanup_message:
+	dns_message_detach(&message);
+cleanup:
+	UNLOCK_ZONE(checkds->zone);
+	isc_event_free(&event);
+	if (result != ISC_R_SUCCESS) {
+		checkds_destroy(checkds, false);
+	}
+}
+
+static isc_result_t
+checkds_send_queue(dns_checkds_t *checkds) {
+	isc_event_t *e;
+	isc_result_t result;
+
+	INSIST(checkds->event == NULL);
+	e = isc_event_allocate(checkds->mctx, NULL, DNS_EVENT_CHECKDSSENDTOADDR,
+			       checkds_send_toaddr, checkds,
+			       sizeof(isc_event_t));
+	e->ev_arg = checkds;
+	e->ev_sender = NULL;
+	result = isc_ratelimiter_enqueue(checkds->zone->zmgr->checkdsrl,
+					 checkds->zone->task, &e);
+	if (result != ISC_R_SUCCESS) {
+		isc_event_free(&e);
+		checkds->event = NULL;
+	}
+	return (result);
+}
+
+static void
+checkds_send(dns_zone_t *zone) {
+	dns_view_t *view = dns_zone_getview(zone);
+	isc_result_t result;
+	unsigned int flags = 0;
+
+	/*
+	 * Zone lock held by caller.
+	 */
+	REQUIRE(LOCKED_ZONE(zone));
+
+	dns_zone_log(zone, ISC_LOG_DEBUG(3),
+		     "checkds: start sending DS queries to %u parentals",
+		     zone->parentalscnt);
+
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
+		dns_zone_log(zone, ISC_LOG_DEBUG(3),
+			     "checkds: abort, named exiting");
+		return;
+	}
+
+	for (unsigned int i = 0; i < zone->parentalscnt; i++) {
+		dns_tsigkey_t *key = NULL;
+		isc_sockaddr_t dst;
+		dns_checkds_t *checkds = NULL;
+
+		if ((zone->parentalkeynames != NULL) &&
+		    (zone->parentalkeynames[i] != NULL))
+		{
+			dns_name_t *keyname = zone->parentalkeynames[i];
+			(void)dns_view_gettsig(view, keyname, &key);
+		}
+
+		dst = zone->parentals[i];
+
+		if (checkds_isqueued(zone, &dst, key)) {
+			dns_zone_log(zone, ISC_LOG_DEBUG(3),
+				     "checkds: DS query to parent "
+				     "%d is queued",
+				     i);
+			if (key != NULL) {
+				dns_tsigkey_detach(&key);
+			}
+			continue;
+		}
+
+		dns_zone_log(zone, ISC_LOG_DEBUG(3),
+			     "checkds: create DS query for "
+			     "parent %d",
+			     i);
+
+		result = checkds_create(zone->mctx, flags, &checkds);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_DEBUG(3),
+				     "checkds: create DS query for "
+				     "parent %d failed",
+				     i);
+			continue;
+		}
+		zone_iattach(zone, &checkds->zone);
+		checkds->dst = dst;
+
+		INSIST(checkds->key == NULL);
+		if (key != NULL) {
+			checkds->key = key;
+			key = NULL;
+		}
+
+		ISC_LIST_APPEND(zone->checkds_requests, checkds, link);
+		result = checkds_send_queue(checkds);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_DEBUG(3),
+				     "checkds: send DS query to "
+				     "parent %d failed",
+				     i);
+			checkds_destroy(checkds, true);
+		}
+	}
+}
+
+static void
+zone_checkds(dns_zone_t *zone) {
+	bool cdscheck = false;
+
+	for (dns_dnsseckey_t *key = ISC_LIST_HEAD(zone->checkds_ok);
+	     key != NULL; key = ISC_LIST_NEXT(key, link))
+	{
+		dst_key_state_t ds_state = DST_KEY_STATE_NA;
+		bool ksk = false;
+		isc_stdtime_t published = 0, withdrawn = 0;
+
+		/* Is this key have the KSK role? */
+		(void)dst_key_role(key->key, &ksk, NULL);
+		if (!ksk) {
+			continue;
+		}
+
+		/* Do we need to check the DS RRset? */
+		(void)dst_key_getstate(key->key, DST_KEY_DS, &ds_state);
+		(void)dst_key_gettime(key->key, DST_TIME_DSPUBLISH, &published);
+		(void)dst_key_gettime(key->key, DST_TIME_DSDELETE, &withdrawn);
+
+		if (ds_state == DST_KEY_STATE_RUMOURED && published == 0) {
+			dst_key_setnum(key->key, DST_NUM_DSPUBCOUNT, 0);
+			cdscheck = true;
+		} else if (ds_state == DST_KEY_STATE_UNRETENTIVE &&
+			   withdrawn == 0)
+		{
+			dst_key_setnum(key->key, DST_NUM_DSDELCOUNT, 0);
+			cdscheck = true;
+		}
+	}
+
+	if (cdscheck) {
+		/* Request the DS RRset. */
+		LOCK_ZONE(zone);
+		checkds_send(zone);
+		UNLOCK_ZONE(zone);
+	}
+}
+
+static void
+zone_rekey(dns_zone_t *zone) {
+	isc_result_t result;
+	dns_db_t *db = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_dbversion_t *ver = NULL;
+	dns_rdataset_t cdsset, soaset, soasigs, keyset, keysigs, cdnskeyset;
+	dns_dnsseckeylist_t dnskeys, keys, rmkeys;
+	dns_dnsseckey_t *key = NULL;
+	dns_diff_t diff, _sig_diff;
+	dns_kasp_t *kasp;
+	dns__zonediff_t zonediff;
+	bool commit = false, newactive = false;
+	bool newalg = false;
+	bool fullsign;
+	dns_ttl_t ttl = 3600;
+	const char *dir = NULL;
+	isc_mem_t *mctx = NULL;
+	isc_stdtime_t now, nexttime = 0;
+	isc_time_t timenow;
+	isc_interval_t ival;
+	char timebuf[80];
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	ISC_LIST_INIT(dnskeys);
+	ISC_LIST_INIT(keys);
+	ISC_LIST_INIT(rmkeys);
+	dns_rdataset_init(&soaset);
+	dns_rdataset_init(&soasigs);
+	dns_rdataset_init(&keyset);
+	dns_rdataset_init(&keysigs);
+	dns_rdataset_init(&cdsset);
+	dns_rdataset_init(&cdnskeyset);
+	dir = dns_zone_getkeydirectory(zone);
+	mctx = zone->mctx;
+	dns_diff_init(mctx, &diff);
+	dns_diff_init(mctx, &_sig_diff);
+	zonediff_init(&zonediff, &_sig_diff);
+
+	CHECK(dns_zone_getdb(zone, &db));
+	CHECK(dns_db_newversion(db, &ver));
+	CHECK(dns_db_getoriginnode(db, &node));
+
+	TIME_NOW(&timenow);
+	now = isc_time_seconds(&timenow);
+
+	kasp = dns_zone_getkasp(zone);
+
+	dnssec_log(zone, ISC_LOG_INFO, "reconfiguring zone keys");
+
+	/* Get the SOA record's TTL */
+	CHECK(dns_db_findrdataset(db, node, ver, dns_rdatatype_soa,
+				  dns_rdatatype_none, 0, &soaset, &soasigs));
+	ttl = soaset.ttl;
+	dns_rdataset_disassociate(&soaset);
+
+	/* Get the DNSKEY rdataset */
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey,
+				     dns_rdatatype_none, 0, &keyset, &keysigs);
+	if (result == ISC_R_SUCCESS) {
+		ttl = keyset.ttl;
+
+		dns_zone_lock_keyfiles(zone);
+
+		result = dns_dnssec_keylistfromrdataset(
+			&zone->origin, dir, mctx, &keyset, &keysigs, &soasigs,
+			false, false, &dnskeys);
+
+		dns_zone_unlock_keyfiles(zone);
+
+		if (result != ISC_R_SUCCESS) {
+			goto failure;
+		}
+	} else if (result != ISC_R_NOTFOUND) {
+		goto failure;
+	}
+
+	/* Get the CDS rdataset */
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_cds,
+				     dns_rdatatype_none, 0, &cdsset, NULL);
+	if (result != ISC_R_SUCCESS && dns_rdataset_isassociated(&cdsset)) {
+		dns_rdataset_disassociate(&cdsset);
+	}
+
+	/* Get the CDNSKEY rdataset */
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_cdnskey,
+				     dns_rdatatype_none, 0, &cdnskeyset, NULL);
+	if (result != ISC_R_SUCCESS && dns_rdataset_isassociated(&cdnskeyset)) {
+		dns_rdataset_disassociate(&cdnskeyset);
+	}
+
+	/*
+	 * True when called from "rndc sign".  Indicates the zone should be
+	 * fully signed now.
+	 */
+	fullsign = DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_FULLSIGN);
+
+	KASP_LOCK(kasp);
+
+	dns_zone_lock_keyfiles(zone);
+	result = dns_dnssec_findmatchingkeys(&zone->origin, dir, now, mctx,
+					     &keys);
+	dns_zone_unlock_keyfiles(zone);
+
+	if (result != ISC_R_SUCCESS) {
+		dnssec_log(zone, ISC_LOG_DEBUG(1),
+			   "zone_rekey:dns_dnssec_findmatchingkeys failed: %s",
+			   isc_result_totext(result));
+	}
+
+	if (kasp != NULL) {
+		/*
+		 * Check DS at parental agents. Clear ongoing checks.
+		 */
+		LOCK_ZONE(zone);
+		checkds_cancel(zone);
+		clear_keylist(&zone->checkds_ok, zone->mctx);
+		ISC_LIST_INIT(zone->checkds_ok);
+		UNLOCK_ZONE(zone);
+
+		result = dns_zone_getdnsseckeys(zone, db, ver, now,
+						&zone->checkds_ok);
+
+		if (result == ISC_R_SUCCESS) {
+			zone_checkds(zone);
+		} else {
+			dnssec_log(zone,
+				   (result == ISC_R_NOTFOUND) ? ISC_LOG_DEBUG(1)
+							      : ISC_LOG_ERROR,
+				   "zone_rekey:dns_zone_getdnsseckeys failed: "
+				   "%s",
+				   isc_result_totext(result));
+		}
+
+		if (result == ISC_R_SUCCESS || result == ISC_R_NOTFOUND) {
+			dns_zone_lock_keyfiles(zone);
+			result = dns_keymgr_run(&zone->origin, zone->rdclass,
+						dir, mctx, &keys, &dnskeys,
+						kasp, now, &nexttime);
+			dns_zone_unlock_keyfiles(zone);
+
+			if (result != ISC_R_SUCCESS) {
+				dnssec_log(zone, ISC_LOG_ERROR,
+					   "zone_rekey:dns_dnssec_keymgr "
+					   "failed: %s",
+					   isc_result_totext(result));
+				KASP_UNLOCK(kasp);
+				goto failure;
+			}
+		}
+	}
+
+	KASP_UNLOCK(kasp);
+
+	if (result == ISC_R_SUCCESS) {
+		bool cdsdel = false;
+		bool cdnskeydel = false;
+		isc_stdtime_t when;
+
+		/*
+		 * Publish CDS/CDNSKEY DELETE records if the zone is
+		 * transitioning from secure to insecure.
+		 */
+		if (kasp != NULL) {
+			if (strcmp(dns_kasp_getname(kasp), "insecure") == 0) {
+				cdsdel = true;
+				cdnskeydel = true;
+			}
+		} else {
+			/* Check if there is a CDS DELETE record. */
+			if (dns_rdataset_isassociated(&cdsset)) {
+				for (result = dns_rdataset_first(&cdsset);
+				     result == ISC_R_SUCCESS;
+				     result = dns_rdataset_next(&cdsset))
+				{
+					dns_rdata_t crdata = DNS_RDATA_INIT;
+					dns_rdataset_current(&cdsset, &crdata);
+					/*
+					 * CDS deletion record has this form
+					 * "0 0 0 00" which is 5 zero octets.
+					 */
+					if (crdata.length == 5U &&
+					    memcmp(crdata.data,
+						   (unsigned char[5]){ 0, 0, 0,
+								       0, 0 },
+						   5) == 0)
+					{
+						cdsdel = true;
+						break;
+					}
+				}
+			}
+
+			/* Check if there is a CDNSKEY DELETE record. */
+			if (dns_rdataset_isassociated(&cdnskeyset)) {
+				for (result = dns_rdataset_first(&cdnskeyset);
+				     result == ISC_R_SUCCESS;
+				     result = dns_rdataset_next(&cdnskeyset))
+				{
+					dns_rdata_t crdata = DNS_RDATA_INIT;
+					dns_rdataset_current(&cdnskeyset,
+							     &crdata);
+					/*
+					 * CDNSKEY deletion record has this form
+					 * "0 3 0 AA==" which is 2 zero octets,
+					 * a 3, and 2 zero octets.
+					 */
+					if (crdata.length == 5U &&
+					    memcmp(crdata.data,
+						   (unsigned char[5]){ 0, 0, 3,
+								       0, 0 },
+						   5) == 0)
+					{
+						cdnskeydel = true;
+						break;
+					}
+				}
+			}
+		}
+
+		/*
+		 * Only update DNSKEY TTL if we have a policy.
+		 */
+		if (kasp != NULL) {
+			ttl = dns_kasp_dnskeyttl(kasp);
+		}
+
+		result = dns_dnssec_updatekeys(&dnskeys, &keys, &rmkeys,
+					       &zone->origin, ttl, &diff, mctx,
+					       dnssec_report);
+		/*
+		 * Keys couldn't be updated for some reason;
+		 * try again later.
+		 */
+		if (result != ISC_R_SUCCESS) {
+			dnssec_log(zone, ISC_LOG_ERROR,
+				   "zone_rekey:couldn't update zone keys: %s",
+				   isc_result_totext(result));
+			goto failure;
+		}
+
+		/*
+		 * Update CDS / CDNSKEY records.
+		 */
+		result = dns_dnssec_syncupdate(&dnskeys, &rmkeys, &cdsset,
+					       &cdnskeyset, now, ttl, &diff,
+					       mctx);
+		if (result != ISC_R_SUCCESS) {
+			dnssec_log(zone, ISC_LOG_ERROR,
+				   "zone_rekey:couldn't update CDS/CDNSKEY: %s",
+				   isc_result_totext(result));
+			goto failure;
+		}
+
+		if (cdsdel || cdnskeydel) {
+			/*
+			 * Only publish CDS/CDNSKEY DELETE records if there is
+			 * a KSK that can be used to verify the RRset. This
+			 * means there must be a key with the KSK role that is
+			 * published and is used for signing.
+			 */
+			bool allow = false;
+			for (key = ISC_LIST_HEAD(dnskeys); key != NULL;
+			     key = ISC_LIST_NEXT(key, link))
+			{
+				dst_key_t *dstk = key->key;
+
+				if (dst_key_is_published(dstk, now, &when) &&
+				    dst_key_is_signing(dstk, DST_BOOL_KSK, now,
+						       &when))
+				{
+					allow = true;
+					break;
+				}
+			}
+			if (cdsdel) {
+				cdsdel = allow;
+			}
+			if (cdnskeydel) {
+				cdnskeydel = allow;
+			}
+		}
+		result = dns_dnssec_syncdelete(
+			&cdsset, &cdnskeyset, &zone->origin, zone->rdclass, ttl,
+			&diff, mctx, cdsdel, cdnskeydel);
+		if (result != ISC_R_SUCCESS) {
+			dnssec_log(zone, ISC_LOG_ERROR,
+				   "zone_rekey:couldn't update CDS/CDNSKEY "
+				   "DELETE records: %s",
+				   isc_result_totext(result));
+			goto failure;
+		}
+
+		/*
+		 * See if any pre-existing keys have newly become active;
+		 * also, see if any new key is for a new algorithm, as in that
+		 * event, we need to sign the zone fully.  (If there's a new
+		 * key, but it's for an already-existing algorithm, then
+		 * the zone signing can be handled incrementally.)
+		 */
+		for (key = ISC_LIST_HEAD(dnskeys); key != NULL;
+		     key = ISC_LIST_NEXT(key, link))
+		{
+			if (!key->first_sign) {
+				continue;
+			}
+
+			newactive = true;
+
+			if (!dns_rdataset_isassociated(&keysigs)) {
+				newalg = true;
+				break;
+			}
+
+			if (signed_with_alg(&keysigs, dst_key_alg(key->key))) {
+				/*
+				 * This isn't a new algorithm; clear
+				 * first_sign so we won't sign the
+				 * whole zone with this key later.
+				 */
+				key->first_sign = false;
+			} else {
+				newalg = true;
+				break;
+			}
+		}
+
+		if ((newactive || fullsign || !ISC_LIST_EMPTY(diff.tuples)) &&
+		    dnskey_sane(zone, db, ver, &diff))
+		{
+			CHECK(dns_diff_apply(&diff, db, ver));
+			CHECK(clean_nsec3param(zone, db, ver, &diff));
+			CHECK(add_signing_records(db, zone->privatetype, ver,
+						  &diff, (newalg || fullsign)));
+			CHECK(update_soa_serial(zone, db, ver, &diff, mctx,
+						zone->updatemethod));
+			CHECK(add_chains(zone, db, ver, &diff));
+			CHECK(sign_apex(zone, db, ver, now, &diff, &zonediff));
+			CHECK(zone_journal(zone, zonediff.diff, NULL,
+					   "zone_rekey"));
+			commit = true;
+		}
+	}
+
+	dns_db_closeversion(db, &ver, true);
+
+	LOCK_ZONE(zone);
+
+	if (commit) {
+		dns_difftuple_t *tuple;
+		dns_stats_t *dnssecsignstats =
+			dns_zone_getdnssecsignstats(zone);
+
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
+
+		zone_needdump(zone, DNS_DUMP_DELAY);
+
+		zone_settimer(zone, &timenow);
+
+		/* Remove any signatures from removed keys.  */
+		if (!ISC_LIST_EMPTY(rmkeys)) {
+			for (key = ISC_LIST_HEAD(rmkeys); key != NULL;
+			     key = ISC_LIST_NEXT(key, link))
+			{
+				result = zone_signwithkey(
+					zone, dst_key_alg(key->key),
+					dst_key_id(key->key), true);
+				if (result != ISC_R_SUCCESS) {
+					dnssec_log(zone, ISC_LOG_ERROR,
+						   "zone_signwithkey failed: "
+						   "%s",
+						   dns_result_totext(result));
+				}
+
+				/* Clear DNSSEC sign statistics. */
+				if (dnssecsignstats != NULL) {
+					dns_dnssecsignstats_clear(
+						dnssecsignstats,
+						dst_key_id(key->key),
+						dst_key_alg(key->key));
+					/*
+					 * Also clear the dnssec-sign
+					 * statistics of the revoked key id.
+					 */
+					dns_dnssecsignstats_clear(
+						dnssecsignstats,
+						dst_key_rid(key->key),
+						dst_key_alg(key->key));
+				}
+			}
+		}
+
+		if (fullsign) {
+			/*
+			 * "rndc sign" was called, so we now sign the zone
+			 * with all active keys, whether they're new or not.
+			 */
+			for (key = ISC_LIST_HEAD(dnskeys); key != NULL;
+			     key = ISC_LIST_NEXT(key, link))
+			{
+				if (!key->force_sign && !key->hint_sign) {
+					continue;
+				}
+
+				result = zone_signwithkey(
+					zone, dst_key_alg(key->key),
+					dst_key_id(key->key), false);
+				if (result != ISC_R_SUCCESS) {
+					dnssec_log(zone, ISC_LOG_ERROR,
+						   "zone_signwithkey failed: "
+						   "%s",
+						   dns_result_totext(result));
+				}
+			}
+		} else if (newalg) {
+			/*
+			 * We haven't been told to sign fully, but a new
+			 * algorithm was added to the DNSKEY.  We sign
+			 * the full zone, but only with newly active
+			 * keys.
+			 */
+			for (key = ISC_LIST_HEAD(dnskeys); key != NULL;
+			     key = ISC_LIST_NEXT(key, link))
+			{
+				if (!key->first_sign) {
+					continue;
+				}
+
+				result = zone_signwithkey(
+					zone, dst_key_alg(key->key),
+					dst_key_id(key->key), false);
+				if (result != ISC_R_SUCCESS) {
+					dnssec_log(zone, ISC_LOG_ERROR,
+						   "zone_signwithkey failed: "
+						   "%s",
+						   dns_result_totext(result));
+				}
+			}
+		}
+
+		/*
+		 * Clear fullsign flag, if it was set, so we don't do
+		 * another full signing next time.
+		 */
+		DNS_ZONEKEY_CLROPTION(zone, DNS_ZONEKEY_FULLSIGN);
+
+		/*
+		 * Cause the zone to add/delete NSEC3 chains for the
+		 * deferred NSEC3PARAM changes.
+		 */
+		for (tuple = ISC_LIST_HEAD(zonediff.diff->tuples);
+		     tuple != NULL; tuple = ISC_LIST_NEXT(tuple, link))
+		{
+			unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+			dns_rdata_t rdata = DNS_RDATA_INIT;
+			dns_rdata_nsec3param_t nsec3param;
+
+			if (tuple->rdata.type != zone->privatetype ||
+			    tuple->op != DNS_DIFFOP_ADD)
+			{
+				continue;
+			}
+
+			if (!dns_nsec3param_fromprivate(&tuple->rdata, &rdata,
+							buf, sizeof(buf)))
+			{
+				continue;
+			}
+
+			result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			if (nsec3param.flags == 0) {
+				continue;
+			}
+
+			result = zone_addnsec3chain(zone, &nsec3param);
+			if (result != ISC_R_SUCCESS) {
+				dnssec_log(zone, ISC_LOG_ERROR,
+					   "zone_addnsec3chain failed: %s",
+					   dns_result_totext(result));
+			}
+		}
+
+		/*
+		 * Activate any NSEC3 chain updates that may have
+		 * been scheduled before this rekey.
+		 */
+		if (fullsign || newalg) {
+			resume_addnsec3chain(zone);
+		}
+
+		/*
+		 * Schedule the next resigning event
+		 */
+		set_resigntime(zone);
+	}
+
+	isc_time_settoepoch(&zone->refreshkeytime);
+
+	/*
+	 * If keymgr provided a next time, use the calculated next rekey time.
+	 */
+	if (kasp != NULL) {
+		isc_time_t timenext;
+		uint32_t nexttime_seconds;
+
+		/*
+		 * Set the key refresh timer to the next scheduled key event
+		 * or to 'dnssec-loadkeys-interval' seconds in the future
+		 * if no next key event is scheduled (nexttime == 0).
+		 */
+		if (nexttime > 0) {
+			nexttime_seconds = nexttime - now;
+		} else {
+			nexttime_seconds = zone->refreshkeyinterval;
+		}
+
+		DNS_ZONE_TIME_ADD(&timenow, nexttime_seconds, &timenext);
+		zone->refreshkeytime = timenext;
+		zone_settimer(zone, &timenow);
+		isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80);
+
+		dnssec_log(zone, ISC_LOG_DEBUG(3),
+			   "next key event in %u seconds", nexttime_seconds);
+		dnssec_log(zone, ISC_LOG_INFO, "next key event: %s", timebuf);
+	}
+	/*
+	 * If we're doing key maintenance, set the key refresh timer to
+	 * the next scheduled key event or to 'dnssec-loadkeys-interval'
+	 * seconds in the future, whichever is sooner.
+	 */
+	else if (DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_MAINTAIN))
+	{
+		isc_time_t timethen;
+		isc_stdtime_t then;
+
+		DNS_ZONE_TIME_ADD(&timenow, zone->refreshkeyinterval,
+				  &timethen);
+		zone->refreshkeytime = timethen;
+
+		for (key = ISC_LIST_HEAD(dnskeys); key != NULL;
+		     key = ISC_LIST_NEXT(key, link))
+		{
+			then = now;
+			result = next_keyevent(key->key, &then);
+			if (result != ISC_R_SUCCESS) {
+				continue;
+			}
+
+			DNS_ZONE_TIME_ADD(&timenow, then - now, &timethen);
+			if (isc_time_compare(&timethen, &zone->refreshkeytime) <
+			    0)
+			{
+				zone->refreshkeytime = timethen;
+			}
+		}
+
+		zone_settimer(zone, &timenow);
+
+		isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80);
+		dnssec_log(zone, ISC_LOG_INFO, "next key event: %s", timebuf);
+	}
+	UNLOCK_ZONE(zone);
+
+	if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3))) {
+		for (key = ISC_LIST_HEAD(dnskeys); key != NULL;
+		     key = ISC_LIST_NEXT(key, link))
+		{
+			/* This debug log is used in the kasp system test */
+			char algbuf[DNS_SECALG_FORMATSIZE];
+			dns_secalg_format(dst_key_alg(key->key), algbuf,
+					  sizeof(algbuf));
+			dnssec_log(zone, ISC_LOG_DEBUG(3),
+				   "zone_rekey done: key %d/%s",
+				   dst_key_id(key->key), algbuf);
+		}
+	}
+
+	result = ISC_R_SUCCESS;
+
+failure:
+	LOCK_ZONE(zone);
+	if (result != ISC_R_SUCCESS) {
+		/*
+		 * Something went wrong; try again in ten minutes or
+		 * after a key refresh interval, whichever is shorter.
+		 */
+		dnssec_log(zone, ISC_LOG_DEBUG(3),
+			   "zone_rekey failure: %s (retry in %u seconds)",
+			   isc_result_totext(result),
+			   ISC_MIN(zone->refreshkeyinterval, 600));
+		isc_interval_set(&ival, ISC_MIN(zone->refreshkeyinterval, 600),
+				 0);
+		isc_time_nowplusinterval(&zone->refreshkeytime, &ival);
+	}
+	UNLOCK_ZONE(zone);
+
+	dns_diff_clear(&diff);
+	dns_diff_clear(&_sig_diff);
+
+	clear_keylist(&dnskeys, mctx);
+	clear_keylist(&keys, mctx);
+	clear_keylist(&rmkeys, mctx);
+
+	if (ver != NULL) {
+		dns_db_closeversion(db, &ver, false);
+	}
+	if (dns_rdataset_isassociated(&cdsset)) {
+		dns_rdataset_disassociate(&cdsset);
+	}
+	if (dns_rdataset_isassociated(&keyset)) {
+		dns_rdataset_disassociate(&keyset);
+	}
+	if (dns_rdataset_isassociated(&keysigs)) {
+		dns_rdataset_disassociate(&keysigs);
+	}
+	if (dns_rdataset_isassociated(&soasigs)) {
+		dns_rdataset_disassociate(&soasigs);
+	}
+	if (dns_rdataset_isassociated(&cdnskeyset)) {
+		dns_rdataset_disassociate(&cdnskeyset);
+	}
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+	if (db != NULL) {
+		dns_db_detach(&db);
+	}
+
+	INSIST(ver == NULL);
+}
+
+void
+dns_zone_rekey(dns_zone_t *zone, bool fullsign) {
+	isc_time_t now;
+
+	if (zone->type == dns_zone_primary && zone->task != NULL) {
+		LOCK_ZONE(zone);
+
+		if (fullsign) {
+			DNS_ZONEKEY_SETOPTION(zone, DNS_ZONEKEY_FULLSIGN);
+		}
+
+		TIME_NOW(&now);
+		zone->refreshkeytime = now;
+		zone_settimer(zone, &now);
+
+		UNLOCK_ZONE(zone);
+	}
+}
+
+isc_result_t
+dns_zone_nscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
+		 unsigned int *errors) {
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(errors != NULL);
+
+	result = dns_db_getoriginnode(db, &node);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	result = zone_count_ns_rr(zone, db, node, version, NULL, errors, false);
+	dns_db_detachnode(db, &node);
+	return (result);
+}
+
+isc_result_t
+dns_zone_cdscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version) {
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t dnskey, cds, cdnskey;
+	unsigned char algorithms[256];
+	unsigned int i;
+	bool empty = false;
+
+	enum { notexpected = 0, expected = 1, found = 2 };
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	result = dns_db_getoriginnode(db, &node);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	dns_rdataset_init(&cds);
+	dns_rdataset_init(&dnskey);
+	dns_rdataset_init(&cdnskey);
+
+	result = dns_db_findrdataset(db, node, version, dns_rdatatype_cds,
+				     dns_rdatatype_none, 0, &cds, NULL);
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
+		goto failure;
+	}
+
+	result = dns_db_findrdataset(db, node, version, dns_rdatatype_cdnskey,
+				     dns_rdatatype_none, 0, &cdnskey, NULL);
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
+		goto failure;
+	}
+
+	if (!dns_rdataset_isassociated(&cds) &&
+	    !dns_rdataset_isassociated(&cdnskey))
+	{
+		result = ISC_R_SUCCESS;
+		goto failure;
+	}
+
+	result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey,
+				     dns_rdatatype_none, 0, &dnskey, NULL);
+	if (result == ISC_R_NOTFOUND) {
+		empty = true;
+	} else if (result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+
+	/*
+	 * For each DNSSEC algorithm in the CDS RRset there must be
+	 * a matching DNSKEY record with the exception of a CDS deletion
+	 * record which must be by itself.
+	 */
+	if (dns_rdataset_isassociated(&cds)) {
+		bool delete = false;
+		memset(algorithms, notexpected, sizeof(algorithms));
+		for (result = dns_rdataset_first(&cds); result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&cds))
+		{
+			dns_rdata_t crdata = DNS_RDATA_INIT;
+			dns_rdata_cds_t structcds;
+
+			dns_rdataset_current(&cds, &crdata);
+			/*
+			 * CDS deletion record has this form "0 0 0 00" which
+			 * is 5 zero octets.
+			 */
+			if (crdata.length == 5U &&
+			    memcmp(crdata.data,
+				   (unsigned char[5]){ 0, 0, 0, 0, 0 }, 5) == 0)
+			{
+				delete = true;
+				continue;
+			}
+
+			if (empty) {
+				result = DNS_R_BADCDS;
+				goto failure;
+			}
+
+			CHECK(dns_rdata_tostruct(&crdata, &structcds, NULL));
+			if (algorithms[structcds.algorithm] == 0) {
+				algorithms[structcds.algorithm] = expected;
+			}
+			for (result = dns_rdataset_first(&dnskey);
+			     result == ISC_R_SUCCESS;
+			     result = dns_rdataset_next(&dnskey))
+			{
+				dns_rdata_t rdata = DNS_RDATA_INIT;
+				dns_rdata_dnskey_t structdnskey;
+
+				dns_rdataset_current(&dnskey, &rdata);
+				CHECK(dns_rdata_tostruct(&rdata, &structdnskey,
+							 NULL));
+
+				if (structdnskey.algorithm ==
+				    structcds.algorithm)
+				{
+					algorithms[structcds.algorithm] = found;
+				}
+			}
+			if (result != ISC_R_NOMORE) {
+				goto failure;
+			}
+		}
+		for (i = 0; i < sizeof(algorithms); i++) {
+			if (delete) {
+				if (algorithms[i] != notexpected) {
+					result = DNS_R_BADCDS;
+					goto failure;
+				}
+			} else if (algorithms[i] == expected) {
+				result = DNS_R_BADCDS;
+				goto failure;
+			}
+		}
+	}
+
+	/*
+	 * For each DNSSEC algorithm in the CDNSKEY RRset there must be
+	 * a matching DNSKEY record with the exception of a CDNSKEY deletion
+	 * record which must be by itself.
+	 */
+	if (dns_rdataset_isassociated(&cdnskey)) {
+		bool delete = false;
+		memset(algorithms, notexpected, sizeof(algorithms));
+		for (result = dns_rdataset_first(&cdnskey);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&cdnskey))
+		{
+			dns_rdata_t crdata = DNS_RDATA_INIT;
+			dns_rdata_cdnskey_t structcdnskey;
+
+			dns_rdataset_current(&cdnskey, &crdata);
+			/*
+			 * CDNSKEY deletion record has this form
+			 * "0 3 0 AA==" which is 2 zero octets, a 3,
+			 * and 2 zero octets.
+			 */
+			if (crdata.length == 5U &&
+			    memcmp(crdata.data,
+				   (unsigned char[5]){ 0, 0, 3, 0, 0 }, 5) == 0)
+			{
+				delete = true;
+				continue;
+			}
+
+			if (empty) {
+				result = DNS_R_BADCDNSKEY;
+				goto failure;
+			}
+
+			CHECK(dns_rdata_tostruct(&crdata, &structcdnskey,
+						 NULL));
+			if (algorithms[structcdnskey.algorithm] == 0) {
+				algorithms[structcdnskey.algorithm] = expected;
+			}
+			for (result = dns_rdataset_first(&dnskey);
+			     result == ISC_R_SUCCESS;
+			     result = dns_rdataset_next(&dnskey))
+			{
+				dns_rdata_t rdata = DNS_RDATA_INIT;
+				dns_rdata_dnskey_t structdnskey;
+
+				dns_rdataset_current(&dnskey, &rdata);
+				CHECK(dns_rdata_tostruct(&rdata, &structdnskey,
+							 NULL));
+
+				if (structdnskey.algorithm ==
+				    structcdnskey.algorithm)
+				{
+					algorithms[structcdnskey.algorithm] =
+						found;
+				}
+			}
+			if (result != ISC_R_NOMORE) {
+				goto failure;
+			}
+		}
+		for (i = 0; i < sizeof(algorithms); i++) {
+			if (delete) {
+				if (algorithms[i] != notexpected) {
+					result = DNS_R_BADCDNSKEY;
+					goto failure;
+				}
+			} else if (algorithms[i] == expected) {
+				result = DNS_R_BADCDNSKEY;
+				goto failure;
+			}
+		}
+	}
+	result = ISC_R_SUCCESS;
+
+failure:
+	if (dns_rdataset_isassociated(&cds)) {
+		dns_rdataset_disassociate(&cds);
+	}
+	if (dns_rdataset_isassociated(&dnskey)) {
+		dns_rdataset_disassociate(&dnskey);
+	}
+	if (dns_rdataset_isassociated(&cdnskey)) {
+		dns_rdataset_disassociate(&cdnskey);
+	}
+	dns_db_detachnode(db, &node);
+	return (result);
+}
+
+void
+dns_zone_setautomatic(dns_zone_t *zone, bool automatic) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone->automatic = automatic;
+	UNLOCK_ZONE(zone);
+}
+
+bool
+dns_zone_getautomatic(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (zone->automatic);
+}
+
+void
+dns_zone_setadded(dns_zone_t *zone, bool added) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone->added = added;
+	UNLOCK_ZONE(zone);
+}
+
+bool
+dns_zone_getadded(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (zone->added);
+}
+
+isc_result_t
+dns_zone_dlzpostload(dns_zone_t *zone, dns_db_t *db) {
+	isc_time_t loadtime;
+	isc_result_t result;
+	dns_zone_t *secure = NULL;
+
+	TIME_NOW(&loadtime);
+
+	/*
+	 * Lock hierarchy: zmgr, zone, raw.
+	 */
+again:
+	LOCK_ZONE(zone);
+	INSIST(zone != zone->raw);
+	if (inline_secure(zone)) {
+		LOCK_ZONE(zone->raw);
+	} else if (inline_raw(zone)) {
+		secure = zone->secure;
+		TRYLOCK_ZONE(result, secure);
+		if (result != ISC_R_SUCCESS) {
+			UNLOCK_ZONE(zone);
+			secure = NULL;
+			isc_thread_yield();
+			goto again;
+		}
+	}
+	result = zone_postload(zone, db, loadtime, ISC_R_SUCCESS);
+	if (inline_secure(zone)) {
+		UNLOCK_ZONE(zone->raw);
+	} else if (secure != NULL) {
+		UNLOCK_ZONE(secure);
+	}
+	UNLOCK_ZONE(zone);
+	return (result);
+}
+
+isc_result_t
+dns_zone_setrefreshkeyinterval(dns_zone_t *zone, uint32_t interval) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	if (interval == 0) {
+		return (ISC_R_RANGE);
+	}
+	/* Maximum value: 24 hours (3600 minutes) */
+	if (interval > (24 * 60)) {
+		interval = (24 * 60);
+	}
+	/* Multiply by 60 for seconds */
+	zone->refreshkeyinterval = interval * 60;
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_zone_setrequestixfr(dns_zone_t *zone, bool flag) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	zone->requestixfr = flag;
+}
+
+bool
+dns_zone_getrequestixfr(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (zone->requestixfr);
+}
+
+void
+dns_zone_setixfrratio(dns_zone_t *zone, uint32_t ratio) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	zone->ixfr_ratio = ratio;
+}
+
+uint32_t
+dns_zone_getixfrratio(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (zone->ixfr_ratio);
+}
+
+void
+dns_zone_setrequestexpire(dns_zone_t *zone, bool flag) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	zone->requestexpire = flag;
+}
+
+bool
+dns_zone_getrequestexpire(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (zone->requestexpire);
+}
+
+void
+dns_zone_setserialupdatemethod(dns_zone_t *zone, dns_updatemethod_t method) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	zone->updatemethod = method;
+}
+
+dns_updatemethod_t
+dns_zone_getserialupdatemethod(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (zone->updatemethod);
+}
+
+/*
+ * Lock hierarchy: zmgr, zone, raw.
+ */
+isc_result_t
+dns_zone_link(dns_zone_t *zone, dns_zone_t *raw) {
+	isc_result_t result;
+	dns_zonemgr_t *zmgr;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(zone->zmgr != NULL);
+	REQUIRE(zone->task != NULL);
+	REQUIRE(zone->loadtask != NULL);
+	REQUIRE(zone->raw == NULL);
+
+	REQUIRE(DNS_ZONE_VALID(raw));
+	REQUIRE(raw->zmgr == NULL);
+	REQUIRE(raw->task == NULL);
+	REQUIRE(raw->loadtask == NULL);
+	REQUIRE(raw->secure == NULL);
+
+	REQUIRE(zone != raw);
+
+	/*
+	 * Lock hierarchy: zmgr, zone, raw.
+	 */
+	zmgr = zone->zmgr;
+	RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+	LOCK_ZONE(zone);
+	LOCK_ZONE(raw);
+
+	result = isc_timer_create(zmgr->timermgr, isc_timertype_inactive, NULL,
+				  NULL, zone->task, zone_timer, raw,
+				  &raw->timer);
+	if (result != ISC_R_SUCCESS) {
+		goto unlock;
+	}
+
+	/*
+	 * The timer "holds" a iref.
+	 */
+	isc_refcount_increment0(&raw->irefs);
+
+	/* dns_zone_attach(raw, &zone->raw); */
+	isc_refcount_increment(&raw->erefs);
+	zone->raw = raw;
+
+	/* dns_zone_iattach(zone,  &raw->secure); */
+	zone_iattach(zone, &raw->secure);
+
+	isc_task_attach(zone->task, &raw->task);
+	isc_task_attach(zone->loadtask, &raw->loadtask);
+
+	ISC_LIST_APPEND(zmgr->zones, raw, link);
+	raw->zmgr = zmgr;
+	isc_refcount_increment(&zmgr->refs);
+
+unlock:
+	UNLOCK_ZONE(raw);
+	UNLOCK_ZONE(zone);
+	RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+	return (result);
+}
+
+void
+dns_zone_getraw(dns_zone_t *zone, dns_zone_t **raw) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(raw != NULL && *raw == NULL);
+
+	LOCK(&zone->lock);
+	INSIST(zone != zone->raw);
+	if (zone->raw != NULL) {
+		dns_zone_attach(zone->raw, raw);
+	}
+	UNLOCK(&zone->lock);
+}
+
+struct keydone {
+	isc_event_t event;
+	bool all;
+	unsigned char data[5];
+};
+
+#define PENDINGFLAGS (DNS_NSEC3FLAG_CREATE | DNS_NSEC3FLAG_INITIAL)
+
+static void
+keydone(isc_task_t *task, isc_event_t *event) {
+	const char *me = "keydone";
+	bool commit = false;
+	isc_result_t result;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_dbversion_t *oldver = NULL, *newver = NULL;
+	dns_zone_t *zone;
+	dns_db_t *db = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+	dns_diff_t diff;
+	struct keydone *kd = (struct keydone *)event;
+	dns_update_log_t log = { update_log_cb, NULL };
+	bool clear_pending = false;
+
+	UNUSED(task);
+
+	zone = event->ev_arg;
+	INSIST(DNS_ZONE_VALID(zone));
+
+	ENTER;
+
+	dns_rdataset_init(&rdataset);
+	dns_diff_init(zone->mctx, &diff);
+
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zone->db != NULL) {
+		dns_db_attach(zone->db, &db);
+	}
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+	if (db == NULL) {
+		goto failure;
+	}
+
+	dns_db_currentversion(db, &oldver);
+	result = dns_db_newversion(db, &newver);
+	if (result != ISC_R_SUCCESS) {
+		dnssec_log(zone, ISC_LOG_ERROR,
+			   "keydone:dns_db_newversion -> %s",
+			   dns_result_totext(result));
+		goto failure;
+	}
+
+	result = dns_db_getoriginnode(db, &node);
+	if (result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+
+	result = dns_db_findrdataset(db, node, newver, zone->privatetype,
+				     dns_rdatatype_none, 0, &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
+		goto failure;
+	}
+	if (result != ISC_R_SUCCESS) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
+		goto failure;
+	}
+
+	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		bool found = false;
+
+		dns_rdataset_current(&rdataset, &rdata);
+
+		if (kd->all) {
+			if (rdata.length == 5 && rdata.data[0] != 0 &&
+			    rdata.data[3] == 0 && rdata.data[4] == 1)
+			{
+				found = true;
+			} else if (rdata.data[0] == 0 &&
+				   (rdata.data[2] & PENDINGFLAGS) != 0)
+			{
+				found = true;
+				clear_pending = true;
+			}
+		} else if (rdata.length == 5 &&
+			   memcmp(rdata.data, kd->data, 5) == 0)
+		{
+			found = true;
+		}
+
+		if (found) {
+			CHECK(update_one_rr(db, newver, &diff, DNS_DIFFOP_DEL,
+					    &zone->origin, rdataset.ttl,
+					    &rdata));
+		}
+		dns_rdata_reset(&rdata);
+	}
+
+	if (!ISC_LIST_EMPTY(diff.tuples)) {
+		/* Write changes to journal file. */
+		CHECK(update_soa_serial(zone, db, newver, &diff, zone->mctx,
+					zone->updatemethod));
+
+		result = dns_update_signatures(&log, zone, db, oldver, newver,
+					       &diff,
+					       zone->sigvalidityinterval);
+		if (!clear_pending) {
+			CHECK(result);
+		}
+
+		CHECK(zone_journal(zone, &diff, NULL, "keydone"));
+		commit = true;
+
+		LOCK_ZONE(zone);
+		DNS_ZONE_SETFLAG(zone,
+				 DNS_ZONEFLG_LOADED | DNS_ZONEFLG_NEEDNOTIFY);
+		zone_needdump(zone, 30);
+		UNLOCK_ZONE(zone);
+	}
+
+failure:
+	if (dns_rdataset_isassociated(&rdataset)) {
+		dns_rdataset_disassociate(&rdataset);
+	}
+	if (db != NULL) {
+		if (node != NULL) {
+			dns_db_detachnode(db, &node);
+		}
+		if (oldver != NULL) {
+			dns_db_closeversion(db, &oldver, false);
+		}
+		if (newver != NULL) {
+			dns_db_closeversion(db, &newver, commit);
+		}
+		dns_db_detach(&db);
+	}
+	dns_diff_clear(&diff);
+	isc_event_free(&event);
+	dns_zone_idetach(&zone);
+
+	INSIST(oldver == NULL);
+	INSIST(newver == NULL);
+}
+
+isc_result_t
+dns_zone_keydone(dns_zone_t *zone, const char *keystr) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_event_t *e;
+	isc_buffer_t b;
+	dns_zone_t *dummy = NULL;
+	struct keydone *kd;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+
+	e = isc_event_allocate(zone->mctx, zone, DNS_EVENT_KEYDONE, keydone,
+			       zone, sizeof(struct keydone));
+
+	kd = (struct keydone *)e;
+	if (strcasecmp(keystr, "all") == 0) {
+		kd->all = true;
+	} else {
+		isc_textregion_t r;
+		const char *algstr;
+		dns_keytag_t keyid;
+		dns_secalg_t alg;
+		size_t n;
+
+		kd->all = false;
+
+		n = sscanf(keystr, "%hu/", &keyid);
+		if (n == 0U) {
+			CHECK(ISC_R_FAILURE);
+		}
+
+		algstr = strchr(keystr, '/');
+		if (algstr != NULL) {
+			algstr++;
+		} else {
+			CHECK(ISC_R_FAILURE);
+		}
+
+		n = sscanf(algstr, "%hhu", &alg);
+		if (n == 0U) {
+			DE_CONST(algstr, r.base);
+			r.length = strlen(algstr);
+			CHECK(dns_secalg_fromtext(&alg, &r));
+		}
+
+		/* construct a private-type rdata */
+		isc_buffer_init(&b, kd->data, sizeof(kd->data));
+		isc_buffer_putuint8(&b, alg);
+		isc_buffer_putuint8(&b, (keyid & 0xff00) >> 8);
+		isc_buffer_putuint8(&b, (keyid & 0xff));
+		isc_buffer_putuint8(&b, 0);
+		isc_buffer_putuint8(&b, 1);
+	}
+
+	zone_iattach(zone, &dummy);
+	isc_task_send(zone->task, &e);
+
+failure:
+	if (e != NULL) {
+		isc_event_free(&e);
+	}
+	UNLOCK_ZONE(zone);
+	return (result);
+}
+
+/*
+ * Called from the zone task's queue after the relevant event is posted by
+ * dns_zone_setnsec3param().
+ */
+static void
+setnsec3param(isc_task_t *task, isc_event_t *event) {
+	const char *me = "setnsec3param";
+	dns_zone_t *zone = event->ev_arg;
+	bool loadpending;
+
+	INSIST(DNS_ZONE_VALID(zone));
+
+	UNUSED(task);
+
+	ENTER;
+
+	LOCK_ZONE(zone);
+	loadpending = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADPENDING);
+	UNLOCK_ZONE(zone);
+
+	/*
+	 * If receive_secure_serial is still processing or we have a
+	 * queued event append rss_post queue.
+	 */
+	if (zone->rss_newver != NULL || ISC_LIST_HEAD(zone->rss_post) != NULL) {
+		/*
+		 * Wait for receive_secure_serial() to finish processing.
+		 */
+		ISC_LIST_APPEND(zone->rss_post, event, ev_link);
+	} else {
+		bool rescheduled = false;
+		ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+		/*
+		 * The zone is not yet fully loaded. Reschedule the event to
+		 * be picked up later. This turns this function into a busy
+		 * wait, but it only happens at startup.
+		 */
+		if (zone->db == NULL && loadpending) {
+			rescheduled = true;
+			isc_task_send(task, &event);
+		}
+		ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+		if (rescheduled) {
+			return;
+		}
+
+		rss_post(zone, event);
+	}
+	dns_zone_idetach(&zone);
+}
+
+static void
+salt2text(unsigned char *salt, uint8_t saltlen, unsigned char *text,
+	  unsigned int textlen) {
+	isc_region_t r;
+	isc_buffer_t buf;
+	isc_result_t result;
+
+	r.base = salt;
+	r.length = (unsigned int)saltlen;
+
+	isc_buffer_init(&buf, text, textlen);
+	result = isc_hex_totext(&r, 2, "", &buf);
+	if (result == ISC_R_SUCCESS) {
+		text[saltlen * 2] = 0;
+	} else {
+		text[0] = 0;
+	}
+}
+
+/*
+ * Check whether NSEC3 chain addition or removal specified by the private-type
+ * record passed with the event was already queued (or even fully performed).
+ * If not, modify the relevant private-type records at the zone apex and call
+ * resume_addnsec3chain().
+ */
+static void
+rss_post(dns_zone_t *zone, isc_event_t *event) {
+	const char *me = "rss_post";
+	bool commit = false;
+	isc_result_t result;
+	dns_dbversion_t *oldver = NULL, *newver = NULL;
+	dns_db_t *db = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t prdataset, nrdataset;
+	dns_diff_t diff;
+	struct np3event *npe = (struct np3event *)event;
+	nsec3param_t *np;
+	dns_update_log_t log = { update_log_cb, NULL };
+	dns_rdata_t rdata;
+	bool nseconly;
+	bool exists = false;
+
+	ENTER;
+
+	np = &npe->params;
+
+	dns_rdataset_init(&prdataset);
+	dns_rdataset_init(&nrdataset);
+	dns_diff_init(zone->mctx, &diff);
+
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zone->db != NULL) {
+		dns_db_attach(zone->db, &db);
+	}
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+	if (db == NULL) {
+		goto failure;
+	}
+
+	dns_db_currentversion(db, &oldver);
+	result = dns_db_newversion(db, &newver);
+	if (result != ISC_R_SUCCESS) {
+		dnssec_log(zone, ISC_LOG_ERROR,
+			   "setnsec3param:dns_db_newversion -> %s",
+			   dns_result_totext(result));
+		goto failure;
+	}
+
+	CHECK(dns_db_getoriginnode(db, &node));
+
+	/*
+	 * Do we need to look up the NSEC3 parameters?
+	 */
+	if (np->lookup) {
+		dns_rdata_nsec3param_t param;
+		dns_rdata_t nrdata = DNS_RDATA_INIT;
+		dns_rdata_t prdata = DNS_RDATA_INIT;
+		unsigned char nbuf[DNS_NSEC3PARAM_BUFFERSIZE];
+		unsigned char saltbuf[255];
+		isc_buffer_t b;
+
+		param.salt = NULL;
+		result = dns__zone_lookup_nsec3param(zone, &np->rdata, &param,
+						     saltbuf, np->resalt);
+		if (result == ISC_R_SUCCESS) {
+			/*
+			 * Success because the NSEC3PARAM already exists, but
+			 * function returns void, so goto failure to clean up.
+			 */
+			goto failure;
+		}
+		if (result != DNS_R_NSEC3RESALT && result != ISC_R_NOTFOUND) {
+			dnssec_log(zone, ISC_LOG_DEBUG(3),
+				   "setnsec3param:lookup nsec3param -> %s",
+				   isc_result_totext(result));
+			goto failure;
+		}
+
+		INSIST(param.salt != NULL);
+
+		/* Update NSEC3 parameters. */
+		np->rdata.hash = param.hash;
+		np->rdata.flags = param.flags;
+		np->rdata.iterations = param.iterations;
+		np->rdata.salt_length = param.salt_length;
+		np->rdata.salt = param.salt;
+
+		isc_buffer_init(&b, nbuf, sizeof(nbuf));
+		CHECK(dns_rdata_fromstruct(&nrdata, zone->rdclass,
+					   dns_rdatatype_nsec3param, &np->rdata,
+					   &b));
+		dns_nsec3param_toprivate(&nrdata, &prdata, zone->privatetype,
+					 np->data, sizeof(np->data));
+		np->length = prdata.length;
+		np->nsec = false;
+	}
+
+	/*
+	 * Does a private-type record already exist for this chain?
+	 */
+	result = dns_db_findrdataset(db, node, newver, zone->privatetype,
+				     dns_rdatatype_none, 0, &prdataset, NULL);
+	if (result == ISC_R_SUCCESS) {
+		for (result = dns_rdataset_first(&prdataset);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&prdataset))
+		{
+			dns_rdata_init(&rdata);
+			dns_rdataset_current(&prdataset, &rdata);
+
+			if (np->length == rdata.length &&
+			    memcmp(rdata.data, np->data, np->length) == 0)
+			{
+				exists = true;
+				break;
+			}
+		}
+	} else if (result != ISC_R_NOTFOUND) {
+		INSIST(!dns_rdataset_isassociated(&prdataset));
+		goto failure;
+	}
+
+	/*
+	 * Does the chain already exist?
+	 */
+	result = dns_db_findrdataset(db, node, newver, dns_rdatatype_nsec3param,
+				     dns_rdatatype_none, 0, &nrdataset, NULL);
+	if (result == ISC_R_SUCCESS) {
+		for (result = dns_rdataset_first(&nrdataset);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&nrdataset))
+		{
+			dns_rdata_init(&rdata);
+			dns_rdataset_current(&nrdataset, &rdata);
+
+			if (np->length == (rdata.length + 1) &&
+			    memcmp(rdata.data, np->data + 1, np->length - 1) ==
+				    0)
+			{
+				exists = true;
+				break;
+			}
+		}
+	} else if (result != ISC_R_NOTFOUND) {
+		INSIST(!dns_rdataset_isassociated(&nrdataset));
+		goto failure;
+	}
+
+	/*
+	 * We need to remove any existing NSEC3 chains if the supplied NSEC3
+	 * parameters are supposed to replace the current ones or if we are
+	 * switching to NSEC.
+	 */
+	if (!exists && np->replace && (np->length != 0 || np->nsec)) {
+		CHECK(dns_nsec3param_deletechains(db, newver, zone, !np->nsec,
+						  &diff));
+	}
+
+	if (!exists && np->length != 0) {
+		/*
+		 * We're creating an NSEC3 chain.  Add the private-type record
+		 * passed in the event handler's argument to the zone apex.
+		 *
+		 * If the zone is not currently capable of supporting an NSEC3
+		 * chain (due to the DNSKEY RRset at the zone apex not existing
+		 * or containing at least one key using an NSEC-only
+		 * algorithm), add the INITIAL flag, so these parameters can be
+		 * used later when NSEC3 becomes available.
+		 */
+		dns_rdata_init(&rdata);
+
+		np->data[2] |= DNS_NSEC3FLAG_CREATE;
+		result = dns_nsec_nseconly(db, newver, &nseconly);
+		if (result == ISC_R_NOTFOUND || nseconly) {
+			np->data[2] |= DNS_NSEC3FLAG_INITIAL;
+		}
+
+		rdata.length = np->length;
+		rdata.data = np->data;
+		rdata.type = zone->privatetype;
+		rdata.rdclass = zone->rdclass;
+		CHECK(update_one_rr(db, newver, &diff, DNS_DIFFOP_ADD,
+				    &zone->origin, 0, &rdata));
+	}
+
+	/*
+	 * If we changed anything in the zone, write changes to journal file
+	 * and set commit to true so that resume_addnsec3chain() will be
+	 * called below in order to kick off adding/removing relevant NSEC3
+	 * records.
+	 */
+	if (!ISC_LIST_EMPTY(diff.tuples)) {
+		CHECK(update_soa_serial(zone, db, newver, &diff, zone->mctx,
+					zone->updatemethod));
+		result = dns_update_signatures(&log, zone, db, oldver, newver,
+					       &diff,
+					       zone->sigvalidityinterval);
+		if (result != ISC_R_NOTFOUND) {
+			CHECK(result);
+		}
+		CHECK(zone_journal(zone, &diff, NULL, "setnsec3param"));
+		commit = true;
+
+		LOCK_ZONE(zone);
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
+		zone_needdump(zone, 30);
+		UNLOCK_ZONE(zone);
+	}
+
+failure:
+	if (dns_rdataset_isassociated(&prdataset)) {
+		dns_rdataset_disassociate(&prdataset);
+	}
+	if (dns_rdataset_isassociated(&nrdataset)) {
+		dns_rdataset_disassociate(&nrdataset);
+	}
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+	if (oldver != NULL) {
+		dns_db_closeversion(db, &oldver, false);
+	}
+	if (newver != NULL) {
+		dns_db_closeversion(db, &newver, commit);
+	}
+	if (db != NULL) {
+		dns_db_detach(&db);
+	}
+	if (commit) {
+		LOCK_ZONE(zone);
+		resume_addnsec3chain(zone);
+		UNLOCK_ZONE(zone);
+	}
+	dns_diff_clear(&diff);
+	isc_event_free(&event);
+
+	INSIST(oldver == NULL);
+	INSIST(newver == NULL);
+}
+
+/*
+ * Check if zone has NSEC3PARAM (and thus a chain) with the right parameters.
+ *
+ * If 'salt' is NULL, a match is found if the salt has the requested length,
+ * otherwise the NSEC3 salt must match the requested salt value too.
+ *
+ * Returns  ISC_R_SUCCESS, if a match is found, or an error if no match is
+ * found, or if the db lookup failed.
+ */
+isc_result_t
+dns__zone_lookup_nsec3param(dns_zone_t *zone, dns_rdata_nsec3param_t *lookup,
+			    dns_rdata_nsec3param_t *param,
+			    unsigned char saltbuf[255], bool resalt) {
+	isc_result_t result = ISC_R_UNEXPECTED;
+	dns_dbnode_t *node = NULL;
+	dns_db_t *db = NULL;
+	dns_dbversion_t *version = NULL;
+	dns_rdataset_t rdataset;
+	dns_rdata_nsec3param_t nsec3param;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	dns_rdataset_init(&rdataset);
+
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zone->db != NULL) {
+		dns_db_attach(zone->db, &db);
+	}
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+	if (db == NULL) {
+		result = ISC_R_FAILURE;
+		goto setparam;
+	}
+
+	result = dns_db_findnode(db, &zone->origin, false, &node);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "dns__zone_lookup_nsec3param:"
+			     "dns_db_findnode -> %s",
+			     dns_result_totext(result));
+		result = ISC_R_FAILURE;
+		goto setparam;
+	}
+	dns_db_currentversion(db, &version);
+
+	result = dns_db_findrdataset(db, node, version,
+				     dns_rdatatype_nsec3param,
+				     dns_rdatatype_none, 0, &rdataset, NULL);
+	if (result != ISC_R_SUCCESS) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
+		if (result != ISC_R_NOTFOUND) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "dns__zone_lookup_nsec3param:"
+				     "dns_db_findrdataset -> %s",
+				     dns_result_totext(result));
+		}
+		goto setparam;
+	}
+
+	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		dns_rdataset_current(&rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
+		INSIST(result == ISC_R_SUCCESS);
+		dns_rdata_reset(&rdata);
+
+		/* Check parameters. */
+		if (nsec3param.hash != lookup->hash) {
+			continue;
+		}
+		if (nsec3param.iterations != lookup->iterations) {
+			continue;
+		}
+		if (nsec3param.salt_length != lookup->salt_length) {
+			continue;
+		}
+		if (lookup->salt != NULL) {
+			if (memcmp(nsec3param.salt, lookup->salt,
+				   lookup->salt_length) != 0)
+			{
+				continue;
+			}
+		}
+		/* Found a match. */
+		result = ISC_R_SUCCESS;
+		param->hash = nsec3param.hash;
+		param->flags = nsec3param.flags;
+		param->iterations = nsec3param.iterations;
+		param->salt_length = nsec3param.salt_length;
+		param->salt = nsec3param.salt;
+		break;
+	}
+
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_NOTFOUND;
+	}
+
+setparam:
+	if (result != ISC_R_SUCCESS) {
+		/* Found no match. */
+		param->hash = lookup->hash;
+		param->flags = lookup->flags;
+		param->iterations = lookup->iterations;
+		param->salt_length = lookup->salt_length;
+		param->salt = lookup->salt;
+	}
+
+	if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+
+	if (param->salt_length == 0) {
+		DE_CONST("-", param->salt);
+	} else if (resalt || param->salt == NULL) {
+		unsigned char *newsalt;
+		unsigned char salttext[255 * 2 + 1];
+		do {
+			/* Generate a new salt. */
+			result = dns_nsec3_generate_salt(saltbuf,
+							 param->salt_length);
+			if (result != ISC_R_SUCCESS) {
+				break;
+			}
+			newsalt = saltbuf;
+			salt2text(newsalt, param->salt_length, salttext,
+				  sizeof(salttext));
+			dnssec_log(zone, ISC_LOG_INFO, "generated salt: %s",
+				   salttext);
+			/* Check for salt conflict. */
+			if (param->salt != NULL &&
+			    memcmp(newsalt, param->salt, param->salt_length) ==
+				    0)
+			{
+				result = ISC_R_SUCCESS;
+			} else {
+				param->salt = newsalt;
+				result = DNS_R_NSEC3RESALT;
+			}
+		} while (result == ISC_R_SUCCESS);
+
+		INSIST(result != ISC_R_SUCCESS);
+	}
+
+failure:
+	if (dns_rdataset_isassociated(&rdataset)) {
+		dns_rdataset_disassociate(&rdataset);
+	}
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+	if (version != NULL) {
+		dns_db_closeversion(db, &version, false);
+	}
+	if (db != NULL) {
+		dns_db_detach(&db);
+	}
+
+	return (result);
+}
+
+/*
+ * Called when an "rndc signing -nsec3param ..." command is received, or the
+ * 'dnssec-policy' has changed.
+ *
+ * Allocate and prepare an nsec3param_t structure which holds information about
+ * the NSEC3 changes requested for the zone:
+ *
+ *   - if NSEC3 is to be disabled ("-nsec3param none"), only set the "nsec"
+ *     field of the structure to true and the "replace" field to the value
+ *     of the "replace" argument, leaving other fields initialized to zeros, to
+ *     signal that the zone should be signed using NSEC instead of NSEC3,
+ *
+ *   - otherwise, prepare NSEC3PARAM RDATA that will eventually be inserted at
+ *     the zone apex, convert it to a private-type record and store the latter
+ *     in the "data" field of the nsec3param_t structure.
+ *
+ * Once the nsec3param_t structure is prepared, post an event to the zone's
+ * task which will cause setnsec3param() to be called with the prepared
+ * structure passed as an argument.
+ */
+isc_result_t
+dns_zone_setnsec3param(dns_zone_t *zone, uint8_t hash, uint8_t flags,
+		       uint16_t iter, uint8_t saltlen, unsigned char *salt,
+		       bool replace, bool resalt) {
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_rdata_nsec3param_t param, lookup;
+	dns_rdata_t nrdata = DNS_RDATA_INIT;
+	dns_rdata_t prdata = DNS_RDATA_INIT;
+	unsigned char nbuf[DNS_NSEC3PARAM_BUFFERSIZE];
+	unsigned char saltbuf[255];
+	struct np3event *npe;
+	nsec3param_t *np;
+	dns_zone_t *dummy = NULL;
+	isc_buffer_t b;
+	isc_event_t *e = NULL;
+	bool do_lookup = false;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+
+	/*
+	 * First check if the requested NSEC3 parameters are already set,
+	 * if so, no need to set again.
+	 */
+	if (hash != 0) {
+		lookup.hash = hash;
+		lookup.flags = flags;
+		lookup.iterations = iter;
+		lookup.salt_length = saltlen;
+		lookup.salt = salt;
+		param.salt = NULL;
+		result = dns__zone_lookup_nsec3param(zone, &lookup, &param,
+						     saltbuf, resalt);
+		if (result == ISC_R_SUCCESS) {
+			UNLOCK_ZONE(zone);
+			return (ISC_R_SUCCESS);
+		}
+		/*
+		 * Schedule lookup if lookup above failed (may happen if zone
+		 * db is NULL for example).
+		 */
+		do_lookup = (param.salt == NULL) ? true : false;
+	}
+
+	e = isc_event_allocate(zone->mctx, zone, DNS_EVENT_SETNSEC3PARAM,
+			       setnsec3param, zone, sizeof(struct np3event));
+
+	npe = (struct np3event *)e;
+	np = &npe->params;
+	np->replace = replace;
+	np->resalt = resalt;
+	np->lookup = do_lookup;
+	if (hash == 0) {
+		np->length = 0;
+		np->nsec = true;
+		dnssec_log(zone, ISC_LOG_DEBUG(3), "setnsec3param:nsec");
+	} else {
+		param.common.rdclass = zone->rdclass;
+		param.common.rdtype = dns_rdatatype_nsec3param;
+		ISC_LINK_INIT(&param.common, link);
+		param.mctx = NULL;
+		/* nsec3 specific param set in dns__zone_lookup_nsec3param() */
+		isc_buffer_init(&b, nbuf, sizeof(nbuf));
+
+		if (param.salt != NULL) {
+			CHECK(dns_rdata_fromstruct(&nrdata, zone->rdclass,
+						   dns_rdatatype_nsec3param,
+						   &param, &b));
+			dns_nsec3param_toprivate(&nrdata, &prdata,
+						 zone->privatetype, np->data,
+						 sizeof(np->data));
+			np->length = prdata.length;
+		}
+
+		np->rdata = param;
+		np->nsec = false;
+
+		if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3))) {
+			unsigned char salttext[255 * 2 + 1];
+			if (param.salt != NULL) {
+				salt2text(param.salt, param.salt_length,
+					  salttext, sizeof(salttext));
+			}
+			dnssec_log(zone, ISC_LOG_DEBUG(3),
+				   "setnsec3param:nsec3 %u %u %u %u:%s",
+				   param.hash, param.flags, param.iterations,
+				   param.salt_length,
+				   param.salt == NULL ? "unknown"
+						      : (char *)salttext);
+		}
+	}
+
+	/*
+	 * setnsec3param() will silently return early if the zone does not yet
+	 * have a database.  Prevent that by queueing the event up if zone->db
+	 * is NULL.  All events queued here are subsequently processed by
+	 * receive_secure_db() if it ever gets called or simply freed by
+	 * zone_free() otherwise.
+	 */
+
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zone->db != NULL) {
+		zone_iattach(zone, &dummy);
+		isc_task_send(zone->task, &e);
+	} else {
+		ISC_LIST_APPEND(zone->setnsec3param_queue, e, ev_link);
+		e = NULL;
+	}
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+
+	result = ISC_R_SUCCESS;
+
+failure:
+	if (e != NULL) {
+		isc_event_free(&e);
+	}
+	UNLOCK_ZONE(zone);
+	return (result);
+}
+
+isc_result_t
+dns_zone_getloadtime(dns_zone_t *zone, isc_time_t *loadtime) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(loadtime != NULL);
+
+	LOCK_ZONE(zone);
+	*loadtime = zone->loadtime;
+	UNLOCK_ZONE(zone);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_zone_getexpiretime(dns_zone_t *zone, isc_time_t *expiretime) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(expiretime != NULL);
+
+	LOCK_ZONE(zone);
+	*expiretime = zone->expiretime;
+	UNLOCK_ZONE(zone);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_zone_getrefreshtime(dns_zone_t *zone, isc_time_t *refreshtime) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(refreshtime != NULL);
+
+	LOCK_ZONE(zone);
+	*refreshtime = zone->refreshtime;
+	UNLOCK_ZONE(zone);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_zone_getrefreshkeytime(dns_zone_t *zone, isc_time_t *refreshkeytime) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(refreshkeytime != NULL);
+
+	LOCK_ZONE(zone);
+	*refreshkeytime = zone->refreshkeytime;
+	UNLOCK_ZONE(zone);
+	return (ISC_R_SUCCESS);
+}
+
+unsigned int
+dns_zone_getincludes(dns_zone_t *zone, char ***includesp) {
+	dns_include_t *include;
+	char **array = NULL;
+	unsigned int n = 0;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(includesp != NULL && *includesp == NULL);
+
+	LOCK_ZONE(zone);
+	if (zone->nincludes == 0) {
+		goto done;
+	}
+
+	array = isc_mem_allocate(zone->mctx, sizeof(char *) * zone->nincludes);
+	for (include = ISC_LIST_HEAD(zone->includes); include != NULL;
+	     include = ISC_LIST_NEXT(include, link))
+	{
+		INSIST(n < zone->nincludes);
+		array[n++] = isc_mem_strdup(zone->mctx, include->name);
+	}
+	INSIST(n == zone->nincludes);
+	*includesp = array;
+
+done:
+	UNLOCK_ZONE(zone);
+	return (n);
+}
+
+void
+dns_zone_setstatlevel(dns_zone_t *zone, dns_zonestat_level_t level) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	zone->statlevel = level;
+}
+
+dns_zonestat_level_t
+dns_zone_getstatlevel(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->statlevel);
+}
+
+static void
+setserial(isc_task_t *task, isc_event_t *event) {
+	uint32_t oldserial, desired;
+	const char *me = "setserial";
+	bool commit = false;
+	isc_result_t result;
+	dns_dbversion_t *oldver = NULL, *newver = NULL;
+	dns_zone_t *zone;
+	dns_db_t *db = NULL;
+	dns_diff_t diff;
+	struct ssevent *sse = (struct ssevent *)event;
+	dns_update_log_t log = { update_log_cb, NULL };
+	dns_difftuple_t *oldtuple = NULL, *newtuple = NULL;
+
+	UNUSED(task);
+
+	zone = event->ev_arg;
+	INSIST(DNS_ZONE_VALID(zone));
+
+	ENTER;
+
+	if (zone->update_disabled) {
+		goto disabled;
+	}
+
+	desired = sse->serial;
+
+	dns_diff_init(zone->mctx, &diff);
+
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zone->db != NULL) {
+		dns_db_attach(zone->db, &db);
+	}
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+	if (db == NULL) {
+		goto failure;
+	}
+
+	dns_db_currentversion(db, &oldver);
+	result = dns_db_newversion(db, &newver);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "setserial:dns_db_newversion -> %s",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	CHECK(dns_db_createsoatuple(db, oldver, diff.mctx, DNS_DIFFOP_DEL,
+				    &oldtuple));
+	CHECK(dns_difftuple_copy(oldtuple, &newtuple));
+	newtuple->op = DNS_DIFFOP_ADD;
+
+	oldserial = dns_soa_getserial(&oldtuple->rdata);
+	if (desired == 0U) {
+		desired = 1;
+	}
+	if (!isc_serial_gt(desired, oldserial)) {
+		if (desired != oldserial) {
+			dns_zone_log(zone, ISC_LOG_INFO,
+				     "setserial: desired serial (%u) "
+				     "out of range (%u-%u)",
+				     desired, oldserial + 1,
+				     (oldserial + 0x7fffffff));
+		}
+		goto failure;
+	}
+
+	dns_soa_setserial(desired, &newtuple->rdata);
+	CHECK(do_one_tuple(&oldtuple, db, newver, &diff));
+	CHECK(do_one_tuple(&newtuple, db, newver, &diff));
+	result = dns_update_signatures(&log, zone, db, oldver, newver, &diff,
+				       zone->sigvalidityinterval);
+	if (result != ISC_R_NOTFOUND) {
+		CHECK(result);
+	}
+
+	/* Write changes to journal file. */
+	CHECK(zone_journal(zone, &diff, NULL, "setserial"));
+	commit = true;
+
+	LOCK_ZONE(zone);
+	zone_needdump(zone, 30);
+	UNLOCK_ZONE(zone);
+
+failure:
+	if (oldtuple != NULL) {
+		dns_difftuple_free(&oldtuple);
+	}
+	if (newtuple != NULL) {
+		dns_difftuple_free(&newtuple);
+	}
+	if (oldver != NULL) {
+		dns_db_closeversion(db, &oldver, false);
+	}
+	if (newver != NULL) {
+		dns_db_closeversion(db, &newver, commit);
+	}
+	if (db != NULL) {
+		dns_db_detach(&db);
+	}
+	dns_diff_clear(&diff);
+
+disabled:
+	isc_event_free(&event);
+	dns_zone_idetach(&zone);
+
+	INSIST(oldver == NULL);
+	INSIST(newver == NULL);
+}
+
+isc_result_t
+dns_zone_setserial(dns_zone_t *zone, uint32_t serial) {
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_zone_t *dummy = NULL;
+	isc_event_t *e = NULL;
+	struct ssevent *sse;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+
+	if (!inline_secure(zone)) {
+		if (!dns_zone_isdynamic(zone, true)) {
+			result = DNS_R_NOTDYNAMIC;
+			goto failure;
+		}
+	}
+
+	if (zone->update_disabled) {
+		result = DNS_R_FROZEN;
+		goto failure;
+	}
+
+	e = isc_event_allocate(zone->mctx, zone, DNS_EVENT_SETSERIAL, setserial,
+			       zone, sizeof(struct ssevent));
+
+	sse = (struct ssevent *)e;
+	sse->serial = serial;
+
+	zone_iattach(zone, &dummy);
+	isc_task_send(zone->task, &e);
+
+failure:
+	if (e != NULL) {
+		isc_event_free(&e);
+	}
+	UNLOCK_ZONE(zone);
+	return (result);
+}
+
+isc_stats_t *
+dns_zone_getgluecachestats(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->gluecachestats);
+}
+
+bool
+dns_zone_isloaded(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED));
+}
+
+isc_result_t
+dns_zone_verifydb(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver) {
+	dns_dbversion_t *version = NULL;
+	dns_keytable_t *secroots = NULL;
+	isc_result_t result;
+	dns_name_t *origin;
+
+	const char me[] = "dns_zone_verifydb";
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(db != NULL);
+
+	ENTER;
+
+	if (dns_zone_gettype(zone) != dns_zone_mirror) {
+		return (ISC_R_SUCCESS);
+	}
+
+	if (ver == NULL) {
+		dns_db_currentversion(db, &version);
+	} else {
+		version = ver;
+	}
+
+	if (zone->view != NULL) {
+		result = dns_view_getsecroots(zone->view, &secroots);
+		if (result != ISC_R_SUCCESS) {
+			goto done;
+		}
+	}
+
+	origin = dns_db_origin(db);
+	result = dns_zoneverify_dnssec(zone, db, version, origin, secroots,
+				       zone->mctx, true, false, dnssec_report);
+
+done:
+	if (secroots != NULL) {
+		dns_keytable_detach(&secroots);
+	}
+
+	if (ver == NULL) {
+		dns_db_closeversion(db, &version, false);
+	}
+
+	if (result != ISC_R_SUCCESS) {
+		dnssec_log(zone, ISC_LOG_ERROR, "zone verification failed: %s",
+			   isc_result_totext(result));
+		result = DNS_R_VERIFYFAILURE;
+	}
+
+	return (result);
+}
+
+static dns_ttl_t
+zone_nsecttl(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (ISC_MIN(zone->minimum, zone->soattl));
+}
diff --git a/lib/dns/zone_p.h b/lib/dns/zone_p.h
new file mode 100644
index 0000000..67b6028
--- /dev/null
+++ b/lib/dns/zone_p.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_ZONE_P_H
+#define DNS_ZONE_P_H
+
+#include <stdbool.h>
+
+/*! \file */
+
+/*%
+ *     Types and functions below not be used outside this module and its
+ *     associated unit tests.
+ */
+
+ISC_LANG_BEGINDECLS
+
+typedef struct {
+	dns_diff_t *diff;
+	bool offline;
+} dns__zonediff_t;
+
+isc_result_t
+dns__zone_findkeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
+		   isc_stdtime_t now, isc_mem_t *mctx, unsigned int maxkeys,
+		   dst_key_t **keys, unsigned int *nkeys);
+
+isc_result_t
+dns__zone_updatesigs(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *version,
+		     dst_key_t *zone_keys[], unsigned int nkeys,
+		     dns_zone_t *zone, isc_stdtime_t inception,
+		     isc_stdtime_t expire, isc_stdtime_t keyxpire,
+		     isc_stdtime_t now, bool check_ksk, bool keyset_kskonly,
+		     dns__zonediff_t *zonediff);
+
+isc_result_t
+dns__zone_lookup_nsec3param(dns_zone_t *zone, dns_rdata_nsec3param_t *lookup,
+			    dns_rdata_nsec3param_t *param,
+			    unsigned char saltbuf[255], bool resalt);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_ZONE_P_H */
diff --git a/lib/dns/zonekey.c b/lib/dns/zonekey.c
new file mode 100644
index 0000000..f86c2ca
--- /dev/null
+++ b/lib/dns/zonekey.c
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <stdbool.h>
+
+#include <isc/result.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <dns/keyvalues.h>
+#include <dns/rdata.h>
+#include <dns/rdatastruct.h>
+#include <dns/types.h>
+#include <dns/zonekey.h>
+
+bool
+dns_zonekey_iszonekey(dns_rdata_t *keyrdata) {
+	isc_result_t result;
+	dns_rdata_dnskey_t key;
+	bool iszonekey = true;
+
+	REQUIRE(keyrdata != NULL);
+
+	result = dns_rdata_tostruct(keyrdata, &key, NULL);
+	if (result != ISC_R_SUCCESS) {
+		return (false);
+	}
+
+	if ((key.flags & DNS_KEYTYPE_NOAUTH) != 0) {
+		iszonekey = false;
+	}
+	if ((key.flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE) {
+		iszonekey = false;
+	}
+	if (key.protocol != DNS_KEYPROTO_DNSSEC &&
+	    key.protocol != DNS_KEYPROTO_ANY)
+	{
+		iszonekey = false;
+	}
+
+	return (iszonekey);
+}
diff --git a/lib/dns/zoneverify.c b/lib/dns/zoneverify.c
new file mode 100644
index 0000000..19ecdc0
--- /dev/null
+++ b/lib/dns/zoneverify.c
@@ -0,0 +1,2038 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <isc/base32.h>
+#include <isc/buffer.h>
+#include <isc/heap.h>
+#include <isc/iterated_hash.h>
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/region.h>
+#include <isc/result.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/dnssec.h>
+#include <dns/fixedname.h>
+#include <dns/keytable.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/name.h>
+#include <dns/nsec.h>
+#include <dns/nsec3.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/secalg.h>
+#include <dns/types.h>
+#include <dns/zone.h>
+#include <dns/zoneverify.h>
+
+#include <dst/dst.h>
+
+typedef struct vctx {
+	isc_mem_t *mctx;
+	dns_zone_t *zone;
+	dns_db_t *db;
+	dns_dbversion_t *ver;
+	dns_name_t *origin;
+	dns_keytable_t *secroots;
+	bool goodksk;
+	bool goodzsk;
+	dns_rdataset_t keyset;
+	dns_rdataset_t keysigs;
+	dns_rdataset_t soaset;
+	dns_rdataset_t soasigs;
+	dns_rdataset_t nsecset;
+	dns_rdataset_t nsecsigs;
+	dns_rdataset_t nsec3paramset;
+	dns_rdataset_t nsec3paramsigs;
+	unsigned char revoked_ksk[256];
+	unsigned char revoked_zsk[256];
+	unsigned char standby_ksk[256];
+	unsigned char standby_zsk[256];
+	unsigned char ksk_algorithms[256];
+	unsigned char zsk_algorithms[256];
+	unsigned char bad_algorithms[256];
+	unsigned char act_algorithms[256];
+	isc_heap_t *expected_chains;
+	isc_heap_t *found_chains;
+} vctx_t;
+
+struct nsec3_chain_fixed {
+	uint8_t hash;
+	uint8_t salt_length;
+	uint8_t next_length;
+	uint16_t iterations;
+	/*
+	 * The following non-fixed-length data is stored in memory after the
+	 * fields declared above for each NSEC3 chain element:
+	 *
+	 * unsigned char	salt[salt_length];
+	 * unsigned char	owner[next_length];
+	 * unsigned char	next[next_length];
+	 */
+};
+
+/*
+ * Helper function used to calculate length of variable-length
+ * data section in object pointed to by 'chain'.
+ */
+static size_t
+chain_length(struct nsec3_chain_fixed *chain) {
+	return (chain->salt_length + 2 * chain->next_length);
+}
+
+/*%
+ * Log a zone verification error described by 'fmt' and the variable arguments
+ * following it.  Either use dns_zone_logv() or print to stderr, depending on
+ * whether the function was invoked from within named or by a standalone tool,
+ * respectively.
+ */
+static void
+zoneverify_log_error(const vctx_t *vctx, const char *fmt, ...) {
+	va_list ap;
+
+	va_start(ap, fmt);
+	if (vctx->zone != NULL) {
+		dns_zone_logv(vctx->zone, DNS_LOGCATEGORY_GENERAL,
+			      ISC_LOG_ERROR, NULL, fmt, ap);
+	} else {
+		vfprintf(stderr, fmt, ap);
+		fprintf(stderr, "\n");
+	}
+	va_end(ap);
+}
+
+static bool
+is_delegation(const vctx_t *vctx, const dns_name_t *name, dns_dbnode_t *node,
+	      uint32_t *ttlp) {
+	dns_rdataset_t nsset;
+	isc_result_t result;
+
+	if (dns_name_equal(name, vctx->origin)) {
+		return (false);
+	}
+
+	dns_rdataset_init(&nsset);
+	result = dns_db_findrdataset(vctx->db, node, vctx->ver,
+				     dns_rdatatype_ns, 0, 0, &nsset, NULL);
+	if (dns_rdataset_isassociated(&nsset)) {
+		if (ttlp != NULL) {
+			*ttlp = nsset.ttl;
+		}
+		dns_rdataset_disassociate(&nsset);
+	}
+
+	return ((result == ISC_R_SUCCESS));
+}
+
+/*%
+ * Return true if version 'ver' of database 'db' contains a DNAME RRset at
+ * 'node'; return false otherwise.
+ */
+static bool
+has_dname(const vctx_t *vctx, dns_dbnode_t *node) {
+	dns_rdataset_t dnameset;
+	isc_result_t result;
+
+	dns_rdataset_init(&dnameset);
+	result = dns_db_findrdataset(vctx->db, node, vctx->ver,
+				     dns_rdatatype_dname, 0, 0, &dnameset,
+				     NULL);
+	if (dns_rdataset_isassociated(&dnameset)) {
+		dns_rdataset_disassociate(&dnameset);
+	}
+
+	return ((result == ISC_R_SUCCESS));
+}
+
+static bool
+goodsig(const vctx_t *vctx, dns_rdata_t *sigrdata, const dns_name_t *name,
+	dst_key_t **dstkeys, size_t nkeys, dns_rdataset_t *rdataset) {
+	dns_rdata_rrsig_t sig;
+	isc_result_t result;
+
+	result = dns_rdata_tostruct(sigrdata, &sig, NULL);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	for (size_t key = 0; key < nkeys; key++) {
+		if (sig.algorithm != dst_key_alg(dstkeys[key]) ||
+		    sig.keyid != dst_key_id(dstkeys[key]) ||
+		    !dns_name_equal(&sig.signer, vctx->origin))
+		{
+			continue;
+		}
+		result = dns_dnssec_verify(name, rdataset, dstkeys[key], false,
+					   0, vctx->mctx, sigrdata, NULL);
+		if (result == ISC_R_SUCCESS || result == DNS_R_FROMWILDCARD) {
+			return (true);
+		}
+	}
+	return (false);
+}
+
+static bool
+nsec_bitmap_equal(dns_rdata_nsec_t *nsec, dns_rdata_t *rdata) {
+	isc_result_t result;
+	dns_rdata_nsec_t tmpnsec;
+
+	result = dns_rdata_tostruct(rdata, &tmpnsec, NULL);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	if (nsec->len != tmpnsec.len ||
+	    memcmp(nsec->typebits, tmpnsec.typebits, nsec->len) != 0)
+	{
+		return (false);
+	}
+	return (true);
+}
+
+static isc_result_t
+verifynsec(const vctx_t *vctx, const dns_name_t *name, dns_dbnode_t *node,
+	   const dns_name_t *nextname, isc_result_t *vresult) {
+	unsigned char buffer[DNS_NSEC_BUFFERSIZE];
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char nextbuf[DNS_NAME_FORMATSIZE];
+	char found[DNS_NAME_FORMATSIZE];
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_t tmprdata = DNS_RDATA_INIT;
+	dns_rdata_nsec_t nsec;
+	isc_result_t result;
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(vctx->db, node, vctx->ver,
+				     dns_rdatatype_nsec, 0, 0, &rdataset, NULL);
+	if (result != ISC_R_SUCCESS) {
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		zoneverify_log_error(vctx, "Missing NSEC record for %s",
+				     namebuf);
+		*vresult = ISC_R_FAILURE;
+		result = ISC_R_SUCCESS;
+		goto done;
+	}
+
+	result = dns_rdataset_first(&rdataset);
+	if (result != ISC_R_SUCCESS) {
+		zoneverify_log_error(vctx, "dns_rdataset_first(): %s",
+				     isc_result_totext(result));
+		goto done;
+	}
+
+	dns_rdataset_current(&rdataset, &rdata);
+	result = dns_rdata_tostruct(&rdata, &nsec, NULL);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	/* Check next name is consistent */
+	if (!dns_name_equal(&nsec.next, nextname)) {
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		dns_name_format(nextname, nextbuf, sizeof(nextbuf));
+		dns_name_format(&nsec.next, found, sizeof(found));
+		zoneverify_log_error(vctx,
+				     "Bad NSEC record for %s, next name "
+				     "mismatch (expected:%s, found:%s)",
+				     namebuf, nextbuf, found);
+		*vresult = ISC_R_FAILURE;
+		goto done;
+	}
+
+	/* Check bit map is consistent */
+	result = dns_nsec_buildrdata(vctx->db, vctx->ver, node, nextname,
+				     buffer, &tmprdata);
+	if (result != ISC_R_SUCCESS) {
+		zoneverify_log_error(vctx, "dns_nsec_buildrdata(): %s",
+				     isc_result_totext(result));
+		goto done;
+	}
+	if (!nsec_bitmap_equal(&nsec, &tmprdata)) {
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		zoneverify_log_error(vctx,
+				     "Bad NSEC record for %s, bit map "
+				     "mismatch",
+				     namebuf);
+		*vresult = ISC_R_FAILURE;
+		goto done;
+	}
+
+	result = dns_rdataset_next(&rdataset);
+	if (result != ISC_R_NOMORE) {
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		zoneverify_log_error(vctx, "Multiple NSEC records for %s",
+				     namebuf);
+		*vresult = ISC_R_FAILURE;
+		goto done;
+	}
+
+	*vresult = ISC_R_SUCCESS;
+	result = ISC_R_SUCCESS;
+
+done:
+	if (dns_rdataset_isassociated(&rdataset)) {
+		dns_rdataset_disassociate(&rdataset);
+	}
+
+	return (result);
+}
+
+static isc_result_t
+check_no_rrsig(const vctx_t *vctx, const dns_rdataset_t *rdataset,
+	       const dns_name_t *name, dns_dbnode_t *node) {
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char typebuf[DNS_RDATATYPE_FORMATSIZE];
+	dns_rdataset_t sigrdataset;
+	dns_rdatasetiter_t *rdsiter = NULL;
+	isc_result_t result;
+
+	dns_rdataset_init(&sigrdataset);
+	result = dns_db_allrdatasets(vctx->db, node, vctx->ver, 0, 0, &rdsiter);
+	if (result != ISC_R_SUCCESS) {
+		zoneverify_log_error(vctx, "dns_db_allrdatasets(): %s",
+				     isc_result_totext(result));
+		return (result);
+	}
+	for (result = dns_rdatasetiter_first(rdsiter); result == ISC_R_SUCCESS;
+	     result = dns_rdatasetiter_next(rdsiter))
+	{
+		dns_rdatasetiter_current(rdsiter, &sigrdataset);
+		if (sigrdataset.type == dns_rdatatype_rrsig &&
+		    sigrdataset.covers == rdataset->type)
+		{
+			dns_name_format(name, namebuf, sizeof(namebuf));
+			dns_rdatatype_format(rdataset->type, typebuf,
+					     sizeof(typebuf));
+			zoneverify_log_error(
+				vctx,
+				"Warning: Found unexpected signatures "
+				"for %s/%s",
+				namebuf, typebuf);
+			break;
+		}
+		dns_rdataset_disassociate(&sigrdataset);
+	}
+	if (dns_rdataset_isassociated(&sigrdataset)) {
+		dns_rdataset_disassociate(&sigrdataset);
+	}
+	dns_rdatasetiter_destroy(&rdsiter);
+
+	return (ISC_R_SUCCESS);
+}
+
+static bool
+chain_compare(void *arg1, void *arg2) {
+	struct nsec3_chain_fixed *e1 = arg1, *e2 = arg2;
+	/*
+	 * Do each element in turn to get a stable sort.
+	 */
+	if (e1->hash < e2->hash) {
+		return (true);
+	}
+	if (e1->hash > e2->hash) {
+		return (false);
+	}
+	if (e1->iterations < e2->iterations) {
+		return (true);
+	}
+	if (e1->iterations > e2->iterations) {
+		return (false);
+	}
+	if (e1->salt_length < e2->salt_length) {
+		return (true);
+	}
+	if (e1->salt_length > e2->salt_length) {
+		return (false);
+	}
+	if (e1->next_length < e2->next_length) {
+		return (true);
+	}
+	if (e1->next_length > e2->next_length) {
+		return (false);
+	}
+	if (memcmp(e1 + 1, e2 + 1, chain_length(e1)) < 0) {
+		return (true);
+	}
+	return (false);
+}
+
+static bool
+chain_equal(const struct nsec3_chain_fixed *e1,
+	    const struct nsec3_chain_fixed *e2, size_t data_length) {
+	if (e1->hash != e2->hash) {
+		return (false);
+	}
+	if (e1->iterations != e2->iterations) {
+		return (false);
+	}
+	if (e1->salt_length != e2->salt_length) {
+		return (false);
+	}
+	if (e1->next_length != e2->next_length) {
+		return (false);
+	}
+
+	return (memcmp(e1 + 1, e2 + 1, data_length) == 0);
+}
+
+static void
+record_nsec3(const vctx_t *vctx, const unsigned char *rawhash,
+	     const dns_rdata_nsec3_t *nsec3, isc_heap_t *chains) {
+	struct nsec3_chain_fixed *element = NULL;
+	unsigned char *cp = NULL;
+	size_t len;
+
+	len = sizeof(*element) + nsec3->next_length * 2 + nsec3->salt_length;
+
+	element = isc_mem_get(vctx->mctx, len);
+	memset(element, 0, len);
+	element->hash = nsec3->hash;
+	element->salt_length = nsec3->salt_length;
+	element->next_length = nsec3->next_length;
+	element->iterations = nsec3->iterations;
+	cp = (unsigned char *)(element + 1);
+	memmove(cp, nsec3->salt, nsec3->salt_length);
+	cp += nsec3->salt_length;
+	memmove(cp, rawhash, nsec3->next_length);
+	cp += nsec3->next_length;
+	memmove(cp, nsec3->next, nsec3->next_length);
+	isc_heap_insert(chains, element);
+}
+
+/*
+ * Check whether any NSEC3 within 'rdataset' matches the parameters in
+ * 'nsec3param'.
+ */
+static isc_result_t
+find_nsec3_match(const dns_rdata_nsec3param_t *nsec3param,
+		 dns_rdataset_t *rdataset, size_t rhsize,
+		 dns_rdata_nsec3_t *nsec3_match) {
+	isc_result_t result;
+
+	/*
+	 * Find matching NSEC3 record.
+	 */
+	for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(rdataset))
+	{
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_rdataset_current(rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, nsec3_match, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		if (nsec3_match->hash == nsec3param->hash &&
+		    nsec3_match->next_length == rhsize &&
+		    nsec3_match->iterations == nsec3param->iterations &&
+		    nsec3_match->salt_length == nsec3param->salt_length &&
+		    memcmp(nsec3_match->salt, nsec3param->salt,
+			   nsec3param->salt_length) == 0)
+		{
+			return (ISC_R_SUCCESS);
+		}
+	}
+
+	return (result);
+}
+
+static isc_result_t
+match_nsec3(const vctx_t *vctx, const dns_name_t *name,
+	    const dns_rdata_nsec3param_t *nsec3param, dns_rdataset_t *rdataset,
+	    const unsigned char types[8192], unsigned int maxtype,
+	    const unsigned char *rawhash, size_t rhsize,
+	    isc_result_t *vresult) {
+	unsigned char cbm[8244];
+	char namebuf[DNS_NAME_FORMATSIZE];
+	dns_rdata_nsec3_t nsec3;
+	isc_result_t result;
+	unsigned int len;
+
+	result = find_nsec3_match(nsec3param, rdataset, rhsize, &nsec3);
+	if (result != ISC_R_SUCCESS) {
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		zoneverify_log_error(vctx, "Missing NSEC3 record for %s",
+				     namebuf);
+		*vresult = result;
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * Check the type list.
+	 */
+	len = dns_nsec_compressbitmap(cbm, types, maxtype);
+	if (nsec3.len != len || memcmp(cbm, nsec3.typebits, len) != 0) {
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		zoneverify_log_error(vctx,
+				     "Bad NSEC3 record for %s, bit map "
+				     "mismatch",
+				     namebuf);
+		*vresult = ISC_R_FAILURE;
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * Record chain.
+	 */
+	record_nsec3(vctx, rawhash, &nsec3, vctx->expected_chains);
+
+	/*
+	 * Make sure there is only one NSEC3 record with this set of
+	 * parameters.
+	 */
+	for (result = dns_rdataset_next(rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(rdataset))
+	{
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_rdataset_current(rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &nsec3, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		if (nsec3.hash == nsec3param->hash &&
+		    nsec3.iterations == nsec3param->iterations &&
+		    nsec3.salt_length == nsec3param->salt_length &&
+		    memcmp(nsec3.salt, nsec3param->salt, nsec3.salt_length) ==
+			    0)
+		{
+			dns_name_format(name, namebuf, sizeof(namebuf));
+			zoneverify_log_error(vctx,
+					     "Multiple NSEC3 records with the "
+					     "same parameter set for %s",
+					     namebuf);
+			*vresult = DNS_R_DUPLICATE;
+			return (ISC_R_SUCCESS);
+		}
+	}
+	if (result != ISC_R_NOMORE) {
+		return (result);
+	}
+
+	*vresult = ISC_R_SUCCESS;
+
+	return (ISC_R_SUCCESS);
+}
+
+static bool
+innsec3params(const dns_rdata_nsec3_t *nsec3, dns_rdataset_t *nsec3paramset) {
+	dns_rdata_nsec3param_t nsec3param;
+	isc_result_t result;
+
+	for (result = dns_rdataset_first(nsec3paramset);
+	     result == ISC_R_SUCCESS; result = dns_rdataset_next(nsec3paramset))
+	{
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(nsec3paramset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		if (nsec3param.flags == 0 && nsec3param.hash == nsec3->hash &&
+		    nsec3param.iterations == nsec3->iterations &&
+		    nsec3param.salt_length == nsec3->salt_length &&
+		    memcmp(nsec3param.salt, nsec3->salt, nsec3->salt_length) ==
+			    0)
+		{
+			return (true);
+		}
+	}
+	return (false);
+}
+
+static isc_result_t
+record_found(const vctx_t *vctx, const dns_name_t *name, dns_dbnode_t *node,
+	     dns_rdataset_t *nsec3paramset) {
+	unsigned char owner[NSEC3_MAX_HASH_LENGTH];
+	dns_rdata_nsec3_t nsec3;
+	dns_rdataset_t rdataset;
+	dns_label_t hashlabel;
+	isc_buffer_t b;
+	isc_result_t result;
+
+	if (nsec3paramset == NULL || !dns_rdataset_isassociated(nsec3paramset))
+	{
+		return (ISC_R_SUCCESS);
+	}
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(vctx->db, node, vctx->ver,
+				     dns_rdatatype_nsec3, 0, 0, &rdataset,
+				     NULL);
+	if (result != ISC_R_SUCCESS) {
+		return (ISC_R_SUCCESS);
+	}
+
+	dns_name_getlabel(name, 0, &hashlabel);
+	isc_region_consume(&hashlabel, 1);
+	isc_buffer_init(&b, owner, sizeof(owner));
+	result = isc_base32hex_decoderegion(&hashlabel, &b);
+	if (result != ISC_R_SUCCESS) {
+		result = ISC_R_SUCCESS;
+		goto cleanup;
+	}
+
+	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_rdataset_current(&rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &nsec3, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		if (nsec3.next_length != isc_buffer_usedlength(&b)) {
+			continue;
+		}
+
+		/*
+		 * We only care about NSEC3 records that match a NSEC3PARAM
+		 * record.
+		 */
+		if (!innsec3params(&nsec3, nsec3paramset)) {
+			continue;
+		}
+
+		/*
+		 * Record chain.
+		 */
+		record_nsec3(vctx, owner, &nsec3, vctx->found_chains);
+	}
+	result = ISC_R_SUCCESS;
+
+cleanup:
+	dns_rdataset_disassociate(&rdataset);
+	return (result);
+}
+
+static isc_result_t
+isoptout(const vctx_t *vctx, const dns_rdata_nsec3param_t *nsec3param,
+	 bool *optout) {
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_nsec3_t nsec3;
+	dns_fixedname_t fixed;
+	dns_name_t *hashname;
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	unsigned char rawhash[NSEC3_MAX_HASH_LENGTH];
+	size_t rhsize = sizeof(rawhash);
+
+	dns_fixedname_init(&fixed);
+	result = dns_nsec3_hashname(&fixed, rawhash, &rhsize, vctx->origin,
+				    vctx->origin, nsec3param->hash,
+				    nsec3param->iterations, nsec3param->salt,
+				    nsec3param->salt_length);
+	if (result != ISC_R_SUCCESS) {
+		zoneverify_log_error(vctx, "dns_nsec3_hashname(): %s",
+				     isc_result_totext(result));
+		return (result);
+	}
+
+	dns_rdataset_init(&rdataset);
+	hashname = dns_fixedname_name(&fixed);
+	result = dns_db_findnsec3node(vctx->db, hashname, false, &node);
+	if (result == ISC_R_SUCCESS) {
+		result = dns_db_findrdataset(vctx->db, node, vctx->ver,
+					     dns_rdatatype_nsec3, 0, 0,
+					     &rdataset, NULL);
+	}
+	if (result != ISC_R_SUCCESS) {
+		*optout = false;
+		result = ISC_R_SUCCESS;
+		goto done;
+	}
+
+	result = dns_rdataset_first(&rdataset);
+	if (result != ISC_R_SUCCESS) {
+		zoneverify_log_error(vctx, "dns_rdataset_first(): %s",
+				     isc_result_totext(result));
+		goto done;
+	}
+
+	dns_rdataset_current(&rdataset, &rdata);
+
+	result = dns_rdata_tostruct(&rdata, &nsec3, NULL);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	*optout = ((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0);
+
+done:
+	if (dns_rdataset_isassociated(&rdataset)) {
+		dns_rdataset_disassociate(&rdataset);
+	}
+	if (node != NULL) {
+		dns_db_detachnode(vctx->db, &node);
+	}
+
+	return (result);
+}
+
+static isc_result_t
+verifynsec3(const vctx_t *vctx, const dns_name_t *name,
+	    const dns_rdata_t *rdata, bool delegation, bool empty,
+	    const unsigned char types[8192], unsigned int maxtype,
+	    isc_result_t *vresult) {
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char hashbuf[DNS_NAME_FORMATSIZE];
+	dns_rdataset_t rdataset;
+	dns_rdata_nsec3param_t nsec3param;
+	dns_fixedname_t fixed;
+	dns_name_t *hashname;
+	isc_result_t result, tvresult = ISC_R_UNSET;
+	dns_dbnode_t *node = NULL;
+	unsigned char rawhash[NSEC3_MAX_HASH_LENGTH];
+	size_t rhsize = sizeof(rawhash);
+	bool optout = false;
+
+	result = dns_rdata_tostruct(rdata, &nsec3param, NULL);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	if (nsec3param.flags != 0) {
+		return (ISC_R_SUCCESS);
+	}
+
+	if (!dns_nsec3_supportedhash(nsec3param.hash)) {
+		return (ISC_R_SUCCESS);
+	}
+
+	if (nsec3param.iterations > DNS_NSEC3_MAXITERATIONS) {
+		result = DNS_R_NSEC3ITERRANGE;
+		zoneverify_log_error(vctx, "verifynsec3: %s",
+				     isc_result_totext(result));
+		return (result);
+	}
+
+	result = isoptout(vctx, &nsec3param, &optout);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	dns_fixedname_init(&fixed);
+	result = dns_nsec3_hashname(
+		&fixed, rawhash, &rhsize, name, vctx->origin, nsec3param.hash,
+		nsec3param.iterations, nsec3param.salt, nsec3param.salt_length);
+	if (result != ISC_R_SUCCESS) {
+		zoneverify_log_error(vctx, "dns_nsec3_hashname(): %s",
+				     isc_result_totext(result));
+		return (result);
+	}
+
+	/*
+	 * We don't use dns_db_find() here as it works with the chosen
+	 * nsec3 chain and we may also be called with uncommitted data
+	 * from dnssec-signzone so the secure status of the zone may not
+	 * be up to date.
+	 */
+	dns_rdataset_init(&rdataset);
+	hashname = dns_fixedname_name(&fixed);
+	result = dns_db_findnsec3node(vctx->db, hashname, false, &node);
+	if (result == ISC_R_SUCCESS) {
+		result = dns_db_findrdataset(vctx->db, node, vctx->ver,
+					     dns_rdatatype_nsec3, 0, 0,
+					     &rdataset, NULL);
+	}
+	if (result != ISC_R_SUCCESS &&
+	    (!delegation || (empty && !optout) ||
+	     (!empty && dns_nsec_isset(types, dns_rdatatype_ds))))
+	{
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		dns_name_format(hashname, hashbuf, sizeof(hashbuf));
+		zoneverify_log_error(vctx, "Missing NSEC3 record for %s (%s)",
+				     namebuf, hashbuf);
+	} else if (result == ISC_R_NOTFOUND && delegation && (!empty || optout))
+	{
+		result = ISC_R_SUCCESS;
+	} else if (result == ISC_R_SUCCESS) {
+		result = match_nsec3(vctx, name, &nsec3param, &rdataset, types,
+				     maxtype, rawhash, rhsize, &tvresult);
+		if (result != ISC_R_SUCCESS) {
+			goto done;
+		}
+		result = tvresult;
+	}
+
+	*vresult = result;
+	result = ISC_R_SUCCESS;
+
+done:
+	if (dns_rdataset_isassociated(&rdataset)) {
+		dns_rdataset_disassociate(&rdataset);
+	}
+	if (node != NULL) {
+		dns_db_detachnode(vctx->db, &node);
+	}
+
+	return (result);
+}
+
+static isc_result_t
+verifynsec3s(const vctx_t *vctx, const dns_name_t *name,
+	     dns_rdataset_t *nsec3paramset, bool delegation, bool empty,
+	     const unsigned char types[8192], unsigned int maxtype,
+	     isc_result_t *vresult) {
+	isc_result_t result;
+
+	for (result = dns_rdataset_first(nsec3paramset);
+	     result == ISC_R_SUCCESS; result = dns_rdataset_next(nsec3paramset))
+	{
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(nsec3paramset, &rdata);
+		result = verifynsec3(vctx, name, &rdata, delegation, empty,
+				     types, maxtype, vresult);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		if (*vresult != ISC_R_SUCCESS) {
+			break;
+		}
+	}
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+	}
+	return (result);
+}
+
+static isc_result_t
+verifyset(vctx_t *vctx, dns_rdataset_t *rdataset, const dns_name_t *name,
+	  dns_dbnode_t *node, dst_key_t **dstkeys, size_t nkeys) {
+	unsigned char set_algorithms[256] = { 0 };
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char algbuf[DNS_SECALG_FORMATSIZE];
+	char typebuf[DNS_RDATATYPE_FORMATSIZE];
+	dns_rdataset_t sigrdataset;
+	dns_rdatasetiter_t *rdsiter = NULL;
+	isc_result_t result;
+
+	dns_rdataset_init(&sigrdataset);
+	result = dns_db_allrdatasets(vctx->db, node, vctx->ver, 0, 0, &rdsiter);
+	if (result != ISC_R_SUCCESS) {
+		zoneverify_log_error(vctx, "dns_db_allrdatasets(): %s",
+				     isc_result_totext(result));
+		return (result);
+	}
+	for (result = dns_rdatasetiter_first(rdsiter); result == ISC_R_SUCCESS;
+	     result = dns_rdatasetiter_next(rdsiter))
+	{
+		dns_rdatasetiter_current(rdsiter, &sigrdataset);
+		if (sigrdataset.type == dns_rdatatype_rrsig &&
+		    sigrdataset.covers == rdataset->type)
+		{
+			break;
+		}
+		dns_rdataset_disassociate(&sigrdataset);
+	}
+	if (result != ISC_R_SUCCESS) {
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		dns_rdatatype_format(rdataset->type, typebuf, sizeof(typebuf));
+		zoneverify_log_error(vctx, "No signatures for %s/%s", namebuf,
+				     typebuf);
+		for (size_t i = 0; i < ARRAY_SIZE(set_algorithms); i++) {
+			if (vctx->act_algorithms[i] != 0) {
+				vctx->bad_algorithms[i] = 1;
+			}
+		}
+		result = ISC_R_SUCCESS;
+		goto done;
+	}
+
+	for (result = dns_rdataset_first(&sigrdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&sigrdataset))
+	{
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_rdata_rrsig_t sig;
+
+		dns_rdataset_current(&sigrdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &sig, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		if (rdataset->ttl != sig.originalttl) {
+			dns_name_format(name, namebuf, sizeof(namebuf));
+			dns_rdatatype_format(rdataset->type, typebuf,
+					     sizeof(typebuf));
+			zoneverify_log_error(vctx,
+					     "TTL mismatch for "
+					     "%s %s keytag %u",
+					     namebuf, typebuf, sig.keyid);
+			continue;
+		}
+		if ((set_algorithms[sig.algorithm] != 0) ||
+		    (vctx->act_algorithms[sig.algorithm] == 0))
+		{
+			continue;
+		}
+		if (goodsig(vctx, &rdata, name, dstkeys, nkeys, rdataset)) {
+			dns_rdataset_settrust(rdataset, dns_trust_secure);
+			dns_rdataset_settrust(&sigrdataset, dns_trust_secure);
+			set_algorithms[sig.algorithm] = 1;
+		}
+	}
+	result = ISC_R_SUCCESS;
+
+	if (memcmp(set_algorithms, vctx->act_algorithms,
+		   sizeof(set_algorithms)) != 0)
+	{
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		dns_rdatatype_format(rdataset->type, typebuf, sizeof(typebuf));
+		for (size_t i = 0; i < ARRAY_SIZE(set_algorithms); i++) {
+			if ((vctx->act_algorithms[i] != 0) &&
+			    (set_algorithms[i] == 0))
+			{
+				dns_secalg_format(i, algbuf, sizeof(algbuf));
+				zoneverify_log_error(vctx,
+						     "No correct %s signature "
+						     "for %s %s",
+						     algbuf, namebuf, typebuf);
+				vctx->bad_algorithms[i] = 1;
+			}
+		}
+	}
+
+done:
+	if (dns_rdataset_isassociated(&sigrdataset)) {
+		dns_rdataset_disassociate(&sigrdataset);
+	}
+	dns_rdatasetiter_destroy(&rdsiter);
+
+	return (result);
+}
+
+static isc_result_t
+verifynode(vctx_t *vctx, const dns_name_t *name, dns_dbnode_t *node,
+	   bool delegation, dst_key_t **dstkeys, size_t nkeys,
+	   dns_rdataset_t *nsecset, dns_rdataset_t *nsec3paramset,
+	   const dns_name_t *nextname, isc_result_t *vresult) {
+	unsigned char types[8192] = { 0 };
+	unsigned int maxtype = 0;
+	dns_rdataset_t rdataset;
+	dns_rdatasetiter_t *rdsiter = NULL;
+	isc_result_t result, tvresult = ISC_R_UNSET;
+
+	REQUIRE(vresult != NULL || (nsecset == NULL && nsec3paramset == NULL));
+
+	result = dns_db_allrdatasets(vctx->db, node, vctx->ver, 0, 0, &rdsiter);
+	if (result != ISC_R_SUCCESS) {
+		zoneverify_log_error(vctx, "dns_db_allrdatasets(): %s",
+				     isc_result_totext(result));
+		return (result);
+	}
+
+	result = dns_rdatasetiter_first(rdsiter);
+	dns_rdataset_init(&rdataset);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdatasetiter_current(rdsiter, &rdataset);
+		/*
+		 * If we are not at a delegation then everything should be
+		 * signed.  If we are at a delegation then only the DS set
+		 * is signed.  The NS set is not signed at a delegation but
+		 * its existence is recorded in the bit map.  Anything else
+		 * other than NSEC and DS is not signed at a delegation.
+		 */
+		if (rdataset.type != dns_rdatatype_rrsig &&
+		    rdataset.type != dns_rdatatype_dnskey &&
+		    (!delegation || rdataset.type == dns_rdatatype_ds ||
+		     rdataset.type == dns_rdatatype_nsec))
+		{
+			result = verifyset(vctx, &rdataset, name, node, dstkeys,
+					   nkeys);
+			if (result != ISC_R_SUCCESS) {
+				dns_rdataset_disassociate(&rdataset);
+				dns_rdatasetiter_destroy(&rdsiter);
+				return (result);
+			}
+			dns_nsec_setbit(types, rdataset.type, 1);
+			if (rdataset.type > maxtype) {
+				maxtype = rdataset.type;
+			}
+		} else if (rdataset.type != dns_rdatatype_rrsig &&
+			   rdataset.type != dns_rdatatype_dnskey)
+		{
+			if (rdataset.type == dns_rdatatype_ns) {
+				dns_nsec_setbit(types, rdataset.type, 1);
+			}
+			result = check_no_rrsig(vctx, &rdataset, name, node);
+			if (result != ISC_R_SUCCESS) {
+				dns_rdataset_disassociate(&rdataset);
+				dns_rdatasetiter_destroy(&rdsiter);
+				return (result);
+			}
+		} else {
+			dns_nsec_setbit(types, rdataset.type, 1);
+		}
+		dns_rdataset_disassociate(&rdataset);
+		result = dns_rdatasetiter_next(rdsiter);
+	}
+	dns_rdatasetiter_destroy(&rdsiter);
+	if (result != ISC_R_NOMORE) {
+		zoneverify_log_error(vctx, "rdataset iteration failed: %s",
+				     isc_result_totext(result));
+		return (result);
+	}
+
+	if (vresult == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+
+	*vresult = ISC_R_SUCCESS;
+
+	if (nsecset != NULL && dns_rdataset_isassociated(nsecset)) {
+		result = verifynsec(vctx, name, node, nextname, &tvresult);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		*vresult = tvresult;
+	}
+
+	if (nsec3paramset != NULL && dns_rdataset_isassociated(nsec3paramset)) {
+		result = verifynsec3s(vctx, name, nsec3paramset, delegation,
+				      false, types, maxtype, &tvresult);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		if (*vresult == ISC_R_SUCCESS) {
+			*vresult = tvresult;
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+is_empty(const vctx_t *vctx, dns_dbnode_t *node, bool *empty) {
+	dns_rdatasetiter_t *rdsiter = NULL;
+	isc_result_t result;
+
+	result = dns_db_allrdatasets(vctx->db, node, vctx->ver, 0, 0, &rdsiter);
+	if (result != ISC_R_SUCCESS) {
+		zoneverify_log_error(vctx, "dns_db_allrdatasets(): %s",
+				     isc_result_totext(result));
+		return (result);
+	}
+	result = dns_rdatasetiter_first(rdsiter);
+	dns_rdatasetiter_destroy(&rdsiter);
+
+	*empty = (result == ISC_R_NOMORE);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+check_no_nsec(const vctx_t *vctx, const dns_name_t *name, dns_dbnode_t *node) {
+	bool nsec_exists = false;
+	dns_rdataset_t rdataset;
+	isc_result_t result;
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(vctx->db, node, vctx->ver,
+				     dns_rdatatype_nsec, 0, 0, &rdataset, NULL);
+	if (result != ISC_R_NOTFOUND) {
+		char namebuf[DNS_NAME_FORMATSIZE];
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		zoneverify_log_error(vctx, "unexpected NSEC RRset at %s",
+				     namebuf);
+		nsec_exists = true;
+	}
+
+	if (dns_rdataset_isassociated(&rdataset)) {
+		dns_rdataset_disassociate(&rdataset);
+	}
+
+	return (nsec_exists ? ISC_R_FAILURE : ISC_R_SUCCESS);
+}
+
+static void
+free_element(isc_mem_t *mctx, struct nsec3_chain_fixed *e) {
+	size_t len;
+
+	len = sizeof(*e) + e->salt_length + 2 * e->next_length;
+	isc_mem_put(mctx, e, len);
+}
+
+static void
+free_element_heap(void *element, void *uap) {
+	struct nsec3_chain_fixed *e = (struct nsec3_chain_fixed *)element;
+	isc_mem_t *mctx = (isc_mem_t *)uap;
+
+	free_element(mctx, e);
+}
+
+static bool
+_checknext(const vctx_t *vctx, const struct nsec3_chain_fixed *first,
+	   const struct nsec3_chain_fixed *e) {
+	char buf[512];
+	const unsigned char *d1 = (const unsigned char *)(first + 1);
+	const unsigned char *d2 = (const unsigned char *)(e + 1);
+	isc_buffer_t b;
+	isc_region_t sr;
+
+	d1 += first->salt_length + first->next_length;
+	d2 += e->salt_length;
+
+	if (memcmp(d1, d2, first->next_length) == 0) {
+		return (true);
+	}
+
+	DE_CONST(d1 - first->next_length, sr.base);
+	sr.length = first->next_length;
+	isc_buffer_init(&b, buf, sizeof(buf));
+	isc_base32hex_totext(&sr, 1, "", &b);
+	zoneverify_log_error(vctx, "Break in NSEC3 chain at: %.*s",
+			     (int)isc_buffer_usedlength(&b), buf);
+
+	DE_CONST(d1, sr.base);
+	sr.length = first->next_length;
+	isc_buffer_init(&b, buf, sizeof(buf));
+	isc_base32hex_totext(&sr, 1, "", &b);
+	zoneverify_log_error(vctx, "Expected: %.*s",
+			     (int)isc_buffer_usedlength(&b), buf);
+
+	DE_CONST(d2, sr.base);
+	sr.length = first->next_length;
+	isc_buffer_init(&b, buf, sizeof(buf));
+	isc_base32hex_totext(&sr, 1, "", &b);
+	zoneverify_log_error(vctx, "Found: %.*s",
+			     (int)isc_buffer_usedlength(&b), buf);
+
+	return (false);
+}
+
+static bool
+checknext(isc_mem_t *mctx, const vctx_t *vctx,
+	  const struct nsec3_chain_fixed *first, struct nsec3_chain_fixed *prev,
+	  const struct nsec3_chain_fixed *cur) {
+	bool result = _checknext(vctx, prev, cur);
+
+	if (prev != first) {
+		free_element(mctx, prev);
+	}
+
+	return (result);
+}
+
+static bool
+checklast(isc_mem_t *mctx, const vctx_t *vctx, struct nsec3_chain_fixed *first,
+	  struct nsec3_chain_fixed *prev) {
+	bool result = _checknext(vctx, prev, first);
+	if (prev != first) {
+		free_element(mctx, prev);
+	}
+	free_element(mctx, first);
+
+	return (result);
+}
+
+static isc_result_t
+verify_nsec3_chains(const vctx_t *vctx, isc_mem_t *mctx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	struct nsec3_chain_fixed *e, *f = NULL;
+	struct nsec3_chain_fixed *first = NULL, *prev = NULL;
+
+	while ((e = isc_heap_element(vctx->expected_chains, 1)) != NULL) {
+		isc_heap_delete(vctx->expected_chains, 1);
+		if (f == NULL) {
+			f = isc_heap_element(vctx->found_chains, 1);
+		}
+		if (f != NULL) {
+			isc_heap_delete(vctx->found_chains, 1);
+
+			/*
+			 * Check that they match.
+			 */
+			if (chain_equal(e, f, chain_length(e))) {
+				free_element(mctx, f);
+				f = NULL;
+			} else {
+				if (result == ISC_R_SUCCESS) {
+					zoneverify_log_error(vctx, "Expected "
+								   "and found "
+								   "NSEC3 "
+								   "chains not "
+								   "equal");
+				}
+				result = ISC_R_FAILURE;
+				/*
+				 * Attempt to resync found_chain.
+				 */
+				while (f != NULL && !chain_compare(e, f)) {
+					free_element(mctx, f);
+					f = isc_heap_element(vctx->found_chains,
+							     1);
+					if (f != NULL) {
+						isc_heap_delete(
+							vctx->found_chains, 1);
+					}
+					if (f != NULL &&
+					    chain_equal(e, f, chain_length(e)))
+					{
+						free_element(mctx, f);
+						f = NULL;
+						break;
+					}
+				}
+			}
+		} else if (result == ISC_R_SUCCESS) {
+			zoneverify_log_error(vctx, "Expected and found NSEC3 "
+						   "chains "
+						   "not equal");
+			result = ISC_R_FAILURE;
+		}
+
+		if (first == NULL) {
+			prev = first = e;
+		} else if (!chain_equal(first, e, first->salt_length)) {
+			if (!checklast(mctx, vctx, first, prev)) {
+				result = ISC_R_FAILURE;
+			}
+
+			prev = first = e;
+		} else {
+			if (!checknext(mctx, vctx, first, prev, e)) {
+				result = ISC_R_FAILURE;
+			}
+
+			prev = e;
+		}
+	}
+	if (prev != NULL) {
+		if (!checklast(mctx, vctx, first, prev)) {
+			result = ISC_R_FAILURE;
+		}
+	}
+	do {
+		if (f != NULL) {
+			if (result == ISC_R_SUCCESS) {
+				zoneverify_log_error(vctx, "Expected and found "
+							   "NSEC3 chains not "
+							   "equal");
+				result = ISC_R_FAILURE;
+			}
+			free_element(mctx, f);
+		}
+		f = isc_heap_element(vctx->found_chains, 1);
+		if (f != NULL) {
+			isc_heap_delete(vctx->found_chains, 1);
+		}
+	} while (f != NULL);
+
+	return (result);
+}
+
+static isc_result_t
+verifyemptynodes(const vctx_t *vctx, const dns_name_t *name,
+		 const dns_name_t *prevname, bool isdelegation,
+		 dns_rdataset_t *nsec3paramset, isc_result_t *vresult) {
+	dns_namereln_t reln;
+	int order;
+	unsigned int labels, nlabels, i;
+	dns_name_t suffix;
+	isc_result_t result, tvresult = ISC_R_UNSET;
+
+	*vresult = ISC_R_SUCCESS;
+
+	reln = dns_name_fullcompare(prevname, name, &order, &labels);
+	if (order >= 0) {
+		return (ISC_R_SUCCESS);
+	}
+
+	nlabels = dns_name_countlabels(name);
+
+	if (reln == dns_namereln_commonancestor ||
+	    reln == dns_namereln_contains)
+	{
+		dns_name_init(&suffix, NULL);
+		for (i = labels + 1; i < nlabels; i++) {
+			dns_name_getlabelsequence(name, nlabels - i, i,
+						  &suffix);
+			if (nsec3paramset != NULL &&
+			    dns_rdataset_isassociated(nsec3paramset))
+			{
+				result = verifynsec3s(
+					vctx, &suffix, nsec3paramset,
+					isdelegation, true, NULL, 0, &tvresult);
+				if (result != ISC_R_SUCCESS) {
+					return (result);
+				}
+				if (*vresult == ISC_R_SUCCESS) {
+					*vresult = tvresult;
+				}
+			}
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+vctx_init(vctx_t *vctx, isc_mem_t *mctx, dns_zone_t *zone, dns_db_t *db,
+	  dns_dbversion_t *ver, dns_name_t *origin, dns_keytable_t *secroots) {
+	memset(vctx, 0, sizeof(*vctx));
+
+	vctx->mctx = mctx;
+	vctx->zone = zone;
+	vctx->db = db;
+	vctx->ver = ver;
+	vctx->origin = origin;
+	vctx->secroots = secroots;
+	vctx->goodksk = false;
+	vctx->goodzsk = false;
+
+	dns_rdataset_init(&vctx->keyset);
+	dns_rdataset_init(&vctx->keysigs);
+	dns_rdataset_init(&vctx->soaset);
+	dns_rdataset_init(&vctx->soasigs);
+	dns_rdataset_init(&vctx->nsecset);
+	dns_rdataset_init(&vctx->nsecsigs);
+	dns_rdataset_init(&vctx->nsec3paramset);
+	dns_rdataset_init(&vctx->nsec3paramsigs);
+
+	vctx->expected_chains = NULL;
+	isc_heap_create(mctx, chain_compare, NULL, 1024,
+			&vctx->expected_chains);
+
+	vctx->found_chains = NULL;
+	isc_heap_create(mctx, chain_compare, NULL, 1024, &vctx->found_chains);
+}
+
+static void
+vctx_destroy(vctx_t *vctx) {
+	if (dns_rdataset_isassociated(&vctx->keyset)) {
+		dns_rdataset_disassociate(&vctx->keyset);
+	}
+	if (dns_rdataset_isassociated(&vctx->keysigs)) {
+		dns_rdataset_disassociate(&vctx->keysigs);
+	}
+	if (dns_rdataset_isassociated(&vctx->soaset)) {
+		dns_rdataset_disassociate(&vctx->soaset);
+	}
+	if (dns_rdataset_isassociated(&vctx->soasigs)) {
+		dns_rdataset_disassociate(&vctx->soasigs);
+	}
+	if (dns_rdataset_isassociated(&vctx->nsecset)) {
+		dns_rdataset_disassociate(&vctx->nsecset);
+	}
+	if (dns_rdataset_isassociated(&vctx->nsecsigs)) {
+		dns_rdataset_disassociate(&vctx->nsecsigs);
+	}
+	if (dns_rdataset_isassociated(&vctx->nsec3paramset)) {
+		dns_rdataset_disassociate(&vctx->nsec3paramset);
+	}
+	if (dns_rdataset_isassociated(&vctx->nsec3paramsigs)) {
+		dns_rdataset_disassociate(&vctx->nsec3paramsigs);
+	}
+	isc_heap_foreach(vctx->expected_chains, free_element_heap, vctx->mctx);
+	isc_heap_destroy(&vctx->expected_chains);
+	isc_heap_foreach(vctx->found_chains, free_element_heap, vctx->mctx);
+	isc_heap_destroy(&vctx->found_chains);
+}
+
+static isc_result_t
+check_apex_rrsets(vctx_t *vctx) {
+	dns_dbnode_t *node = NULL;
+	isc_result_t result;
+
+	result = dns_db_findnode(vctx->db, vctx->origin, false, &node);
+	if (result != ISC_R_SUCCESS) {
+		zoneverify_log_error(vctx,
+				     "failed to find the zone's origin: %s",
+				     isc_result_totext(result));
+		return (result);
+	}
+
+	result = dns_db_findrdataset(vctx->db, node, vctx->ver,
+				     dns_rdatatype_dnskey, 0, 0, &vctx->keyset,
+				     &vctx->keysigs);
+	if (result != ISC_R_SUCCESS) {
+		zoneverify_log_error(vctx, "Zone contains no DNSSEC keys");
+		goto done;
+	}
+
+	result = dns_db_findrdataset(vctx->db, node, vctx->ver,
+				     dns_rdatatype_soa, 0, 0, &vctx->soaset,
+				     &vctx->soasigs);
+	if (result != ISC_R_SUCCESS) {
+		zoneverify_log_error(vctx, "Zone contains no SOA record");
+		goto done;
+	}
+
+	result = dns_db_findrdataset(vctx->db, node, vctx->ver,
+				     dns_rdatatype_nsec, 0, 0, &vctx->nsecset,
+				     &vctx->nsecsigs);
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
+		zoneverify_log_error(vctx, "NSEC lookup failed");
+		goto done;
+	}
+
+	result = dns_db_findrdataset(
+		vctx->db, node, vctx->ver, dns_rdatatype_nsec3param, 0, 0,
+		&vctx->nsec3paramset, &vctx->nsec3paramsigs);
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
+		zoneverify_log_error(vctx, "NSEC3PARAM lookup failed");
+		goto done;
+	}
+
+	if (!dns_rdataset_isassociated(&vctx->keysigs)) {
+		zoneverify_log_error(vctx, "DNSKEY is not signed "
+					   "(keys offline or inactive?)");
+		result = ISC_R_FAILURE;
+		goto done;
+	}
+
+	if (!dns_rdataset_isassociated(&vctx->soasigs)) {
+		zoneverify_log_error(vctx, "SOA is not signed "
+					   "(keys offline or inactive?)");
+		result = ISC_R_FAILURE;
+		goto done;
+	}
+
+	if (dns_rdataset_isassociated(&vctx->nsecset) &&
+	    !dns_rdataset_isassociated(&vctx->nsecsigs))
+	{
+		zoneverify_log_error(vctx, "NSEC is not signed "
+					   "(keys offline or inactive?)");
+		result = ISC_R_FAILURE;
+		goto done;
+	}
+
+	if (dns_rdataset_isassociated(&vctx->nsec3paramset) &&
+	    !dns_rdataset_isassociated(&vctx->nsec3paramsigs))
+	{
+		zoneverify_log_error(vctx, "NSEC3PARAM is not signed "
+					   "(keys offline or inactive?)");
+		result = ISC_R_FAILURE;
+		goto done;
+	}
+
+	if (!dns_rdataset_isassociated(&vctx->nsecset) &&
+	    !dns_rdataset_isassociated(&vctx->nsec3paramset))
+	{
+		zoneverify_log_error(vctx, "No valid NSEC/NSEC3 chain for "
+					   "testing");
+		result = ISC_R_FAILURE;
+		goto done;
+	}
+
+	result = ISC_R_SUCCESS;
+
+done:
+	dns_db_detachnode(vctx->db, &node);
+
+	return (result);
+}
+
+/*%
+ * Update 'vctx' tables tracking active and standby key algorithms used in the
+ * verified zone based on the signatures made using 'dnskey' (prepared from
+ * 'rdata') found at zone apex.  Set 'vctx->goodksk' or 'vctx->goodzsk' to true
+ * if 'dnskey' correctly signs the DNSKEY RRset at zone apex and either
+ * 'vctx->secroots' is NULL or 'dnskey' is present in 'vctx->secroots'.
+ *
+ * The variables to update are chosen based on 'is_ksk', which is true when
+ * 'dnskey' is a KSK and false otherwise.
+ */
+static void
+check_dnskey_sigs(vctx_t *vctx, const dns_rdata_dnskey_t *dnskey,
+		  dns_rdata_t *keyrdata, bool is_ksk) {
+	unsigned char *active_keys = NULL, *standby_keys = NULL;
+	dns_keynode_t *keynode = NULL;
+	bool *goodkey = NULL;
+	dst_key_t *key = NULL;
+	isc_result_t result;
+	dns_rdataset_t dsset;
+
+	active_keys = (is_ksk ? vctx->ksk_algorithms : vctx->zsk_algorithms);
+	standby_keys = (is_ksk ? vctx->standby_ksk : vctx->standby_zsk);
+	goodkey = (is_ksk ? &vctx->goodksk : &vctx->goodzsk);
+
+	/*
+	 * First, does this key sign the DNSKEY rrset?
+	 */
+	if (!dns_dnssec_selfsigns(keyrdata, vctx->origin, &vctx->keyset,
+				  &vctx->keysigs, false, vctx->mctx))
+	{
+		if (!is_ksk &&
+		    dns_dnssec_signs(keyrdata, vctx->origin, &vctx->soaset,
+				     &vctx->soasigs, false, vctx->mctx))
+		{
+			if (active_keys[dnskey->algorithm] != DNS_KEYALG_MAX) {
+				active_keys[dnskey->algorithm]++;
+			}
+		} else {
+			if (standby_keys[dnskey->algorithm] != DNS_KEYALG_MAX) {
+				standby_keys[dnskey->algorithm]++;
+			}
+		}
+		return;
+	}
+
+	if (active_keys[dnskey->algorithm] != DNS_KEYALG_MAX) {
+		active_keys[dnskey->algorithm]++;
+	}
+
+	/*
+	 * If a trust anchor table was not supplied, a correctly self-signed
+	 * DNSKEY RRset is good enough.
+	 */
+	if (vctx->secroots == NULL) {
+		*goodkey = true;
+		return;
+	}
+
+	/*
+	 * Convert the supplied key rdata to dst_key_t. (If this
+	 * fails we can't go further.)
+	 */
+	result = dns_dnssec_keyfromrdata(vctx->origin, keyrdata, vctx->mctx,
+					 &key);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	/*
+	 * Look up the supplied key in the trust anchor table.
+	 * If we don't find an exact match, or if the keynode data
+	 * is NULL, then we have neither a DNSKEY nor a DS format
+	 * trust anchor, and can give up.
+	 */
+	result = dns_keytable_find(vctx->secroots, vctx->origin, &keynode);
+	if (result != ISC_R_SUCCESS) {
+		/* No such trust anchor */
+		goto cleanup;
+	}
+
+	/*
+	 * If the keynode has any DS format trust anchors, that means
+	 * it doesn't have any DNSKEY ones. So, we can check for a DS
+	 * match and then stop.
+	 */
+	dns_rdataset_init(&dsset);
+	if (dns_keynode_dsset(keynode, &dsset)) {
+		for (result = dns_rdataset_first(&dsset);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&dsset))
+		{
+			dns_rdata_t dsrdata = DNS_RDATA_INIT;
+			dns_rdata_t newdsrdata = DNS_RDATA_INIT;
+			unsigned char buf[DNS_DS_BUFFERSIZE];
+			dns_rdata_ds_t ds;
+
+			dns_rdata_reset(&dsrdata);
+			dns_rdataset_current(&dsset, &dsrdata);
+			result = dns_rdata_tostruct(&dsrdata, &ds, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+			if (ds.key_tag != dst_key_id(key) ||
+			    ds.algorithm != dst_key_alg(key))
+			{
+				continue;
+			}
+
+			result = dns_ds_buildrdata(vctx->origin, keyrdata,
+						   ds.digest_type, buf,
+						   &newdsrdata);
+			if (result != ISC_R_SUCCESS) {
+				continue;
+			}
+
+			if (dns_rdata_compare(&dsrdata, &newdsrdata) == 0) {
+				dns_rdataset_settrust(&vctx->keyset,
+						      dns_trust_secure);
+				dns_rdataset_settrust(&vctx->keysigs,
+						      dns_trust_secure);
+				*goodkey = true;
+				break;
+			}
+		}
+		dns_rdataset_disassociate(&dsset);
+
+		goto cleanup;
+	}
+
+cleanup:
+	if (keynode != NULL) {
+		dns_keytable_detachkeynode(vctx->secroots, &keynode);
+	}
+	if (key != NULL) {
+		dst_key_free(&key);
+	}
+}
+
+/*%
+ * Check that the DNSKEY RR has at least one self signing KSK and one ZSK per
+ * algorithm in it (or, if -x was used, one self-signing KSK).
+ */
+static isc_result_t
+check_dnskey(vctx_t *vctx) {
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_dnskey_t dnskey;
+	isc_result_t result;
+	bool is_ksk;
+
+	for (result = dns_rdataset_first(&vctx->keyset);
+	     result == ISC_R_SUCCESS; result = dns_rdataset_next(&vctx->keyset))
+	{
+		dns_rdataset_current(&vctx->keyset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &dnskey, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		is_ksk = ((dnskey.flags & DNS_KEYFLAG_KSK) != 0);
+
+		if ((dnskey.flags & DNS_KEYOWNER_ZONE) != 0 &&
+		    (dnskey.flags & DNS_KEYFLAG_REVOKE) != 0)
+		{
+			if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0 &&
+			    !dns_dnssec_selfsigns(&rdata, vctx->origin,
+						  &vctx->keyset, &vctx->keysigs,
+						  false, vctx->mctx))
+			{
+				char namebuf[DNS_NAME_FORMATSIZE];
+				char buffer[1024];
+				isc_buffer_t buf;
+
+				dns_name_format(vctx->origin, namebuf,
+						sizeof(namebuf));
+				isc_buffer_init(&buf, buffer, sizeof(buffer));
+				result = dns_rdata_totext(&rdata, NULL, &buf);
+				if (result != ISC_R_SUCCESS) {
+					zoneverify_log_error(
+						vctx, "dns_rdata_totext: %s",
+						isc_result_totext(result));
+					return (ISC_R_FAILURE);
+				}
+				zoneverify_log_error(
+					vctx,
+					"revoked KSK is not self signed:\n"
+					"%s DNSKEY %.*s",
+					namebuf,
+					(int)isc_buffer_usedlength(&buf),
+					buffer);
+				return (ISC_R_FAILURE);
+			}
+			if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0 &&
+			    vctx->revoked_ksk[dnskey.algorithm] !=
+				    DNS_KEYALG_MAX)
+			{
+				vctx->revoked_ksk[dnskey.algorithm]++;
+			} else if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 &&
+				   vctx->revoked_zsk[dnskey.algorithm] !=
+					   DNS_KEYALG_MAX)
+			{
+				vctx->revoked_zsk[dnskey.algorithm]++;
+			}
+		} else {
+			check_dnskey_sigs(vctx, &dnskey, &rdata, is_ksk);
+		}
+		dns_rdata_freestruct(&dnskey);
+		dns_rdata_reset(&rdata);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+determine_active_algorithms(vctx_t *vctx, bool ignore_kskflag,
+			    bool keyset_kskonly,
+			    void (*report)(const char *, ...)) {
+	char algbuf[DNS_SECALG_FORMATSIZE];
+
+	report("Verifying the zone using the following algorithms:");
+
+	for (size_t i = 0; i < ARRAY_SIZE(vctx->act_algorithms); i++) {
+		if (ignore_kskflag) {
+			vctx->act_algorithms[i] = (vctx->ksk_algorithms[i] !=
+							   0 ||
+						   vctx->zsk_algorithms[i] != 0)
+							  ? 1
+							  : 0;
+		} else {
+			vctx->act_algorithms[i] = vctx->ksk_algorithms[i] != 0
+							  ? 1
+							  : 0;
+		}
+		if (vctx->act_algorithms[i] != 0) {
+			dns_secalg_format(i, algbuf, sizeof(algbuf));
+			report("- %s", algbuf);
+		}
+	}
+
+	if (ignore_kskflag || keyset_kskonly) {
+		return;
+	}
+
+	for (size_t i = 0; i < ARRAY_SIZE(vctx->ksk_algorithms); i++) {
+		/*
+		 * The counts should both be zero or both be non-zero.  Mark
+		 * the algorithm as bad if this is not met.
+		 */
+		if ((vctx->ksk_algorithms[i] != 0) ==
+		    (vctx->zsk_algorithms[i] != 0))
+		{
+			continue;
+		}
+		dns_secalg_format(i, algbuf, sizeof(algbuf));
+		zoneverify_log_error(vctx, "Missing %s for algorithm %s",
+				     (vctx->ksk_algorithms[i] != 0) ? "ZSK"
+								    : "self-"
+								      "signed "
+								      "KSK",
+				     algbuf);
+		vctx->bad_algorithms[i] = 1;
+	}
+}
+
+/*%
+ * Check that all the records not yet verified were signed by keys that are
+ * present in the DNSKEY RRset.
+ */
+static isc_result_t
+verify_nodes(vctx_t *vctx, isc_result_t *vresult) {
+	dns_fixedname_t fname, fnextname, fprevname, fzonecut;
+	dns_name_t *name, *nextname, *prevname, *zonecut;
+	dns_dbnode_t *node = NULL, *nextnode;
+	dns_dbiterator_t *dbiter = NULL;
+	dst_key_t **dstkeys;
+	size_t count, nkeys = 0;
+	bool done = false;
+	isc_result_t tvresult = ISC_R_UNSET;
+	isc_result_t result;
+
+	name = dns_fixedname_initname(&fname);
+	nextname = dns_fixedname_initname(&fnextname);
+	dns_fixedname_init(&fprevname);
+	prevname = NULL;
+	dns_fixedname_init(&fzonecut);
+	zonecut = NULL;
+
+	count = dns_rdataset_count(&vctx->keyset);
+	dstkeys = isc_mem_get(vctx->mctx, sizeof(*dstkeys) * count);
+
+	for (result = dns_rdataset_first(&vctx->keyset);
+	     result == ISC_R_SUCCESS; result = dns_rdataset_next(&vctx->keyset))
+	{
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_rdataset_current(&vctx->keyset, &rdata);
+		dstkeys[nkeys] = NULL;
+		result = dns_dnssec_keyfromrdata(vctx->origin, &rdata,
+						 vctx->mctx, &dstkeys[nkeys]);
+		if (result == ISC_R_SUCCESS) {
+			nkeys++;
+		}
+	}
+
+	result = dns_db_createiterator(vctx->db, DNS_DB_NONSEC3, &dbiter);
+	if (result != ISC_R_SUCCESS) {
+		zoneverify_log_error(vctx, "dns_db_createiterator(): %s",
+				     isc_result_totext(result));
+		goto done;
+	}
+
+	result = dns_dbiterator_first(dbiter);
+	if (result != ISC_R_SUCCESS) {
+		zoneverify_log_error(vctx, "dns_dbiterator_first(): %s",
+				     isc_result_totext(result));
+		goto done;
+	}
+
+	while (!done) {
+		bool isdelegation = false;
+
+		result = dns_dbiterator_current(dbiter, &node, name);
+		if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+			zoneverify_log_error(vctx,
+					     "dns_dbiterator_current(): %s",
+					     isc_result_totext(result));
+			goto done;
+		}
+		if (!dns_name_issubdomain(name, vctx->origin)) {
+			result = check_no_nsec(vctx, name, node);
+			if (result != ISC_R_SUCCESS) {
+				dns_db_detachnode(vctx->db, &node);
+				goto done;
+			}
+			dns_db_detachnode(vctx->db, &node);
+			result = dns_dbiterator_next(dbiter);
+			if (result == ISC_R_NOMORE) {
+				done = true;
+			} else if (result != ISC_R_SUCCESS) {
+				zoneverify_log_error(vctx,
+						     "dns_dbiterator_next(): "
+						     "%s",
+						     isc_result_totext(result));
+				goto done;
+			}
+			continue;
+		}
+		if (is_delegation(vctx, name, node, NULL)) {
+			zonecut = dns_fixedname_name(&fzonecut);
+			dns_name_copynf(name, zonecut);
+			isdelegation = true;
+		} else if (has_dname(vctx, node)) {
+			zonecut = dns_fixedname_name(&fzonecut);
+			dns_name_copynf(name, zonecut);
+		}
+		nextnode = NULL;
+		result = dns_dbiterator_next(dbiter);
+		while (result == ISC_R_SUCCESS) {
+			bool empty;
+			result = dns_dbiterator_current(dbiter, &nextnode,
+							nextname);
+			if (result != ISC_R_SUCCESS &&
+			    result != DNS_R_NEWORIGIN)
+			{
+				zoneverify_log_error(vctx,
+						     "dns_dbiterator_current():"
+						     " %s",
+						     isc_result_totext(result));
+				dns_db_detachnode(vctx->db, &node);
+				goto done;
+			}
+			if (!dns_name_issubdomain(nextname, vctx->origin) ||
+			    (zonecut != NULL &&
+			     dns_name_issubdomain(nextname, zonecut)))
+			{
+				result = check_no_nsec(vctx, nextname,
+						       nextnode);
+				if (result != ISC_R_SUCCESS) {
+					dns_db_detachnode(vctx->db, &node);
+					dns_db_detachnode(vctx->db, &nextnode);
+					goto done;
+				}
+				dns_db_detachnode(vctx->db, &nextnode);
+				result = dns_dbiterator_next(dbiter);
+				continue;
+			}
+			result = is_empty(vctx, nextnode, &empty);
+			dns_db_detachnode(vctx->db, &nextnode);
+			if (result != ISC_R_SUCCESS) {
+				dns_db_detachnode(vctx->db, &node);
+				goto done;
+			}
+			if (empty) {
+				result = dns_dbiterator_next(dbiter);
+				continue;
+			}
+			break;
+		}
+		if (result == ISC_R_NOMORE) {
+			done = true;
+			nextname = vctx->origin;
+		} else if (result != ISC_R_SUCCESS) {
+			zoneverify_log_error(vctx,
+					     "iterating through the database "
+					     "failed: %s",
+					     isc_result_totext(result));
+			dns_db_detachnode(vctx->db, &node);
+			goto done;
+		}
+		result = verifynode(vctx, name, node, isdelegation, dstkeys,
+				    nkeys, &vctx->nsecset, &vctx->nsec3paramset,
+				    nextname, &tvresult);
+		if (result != ISC_R_SUCCESS) {
+			dns_db_detachnode(vctx->db, &node);
+			goto done;
+		}
+		if (*vresult == ISC_R_UNSET) {
+			*vresult = ISC_R_SUCCESS;
+		}
+		if (*vresult == ISC_R_SUCCESS) {
+			*vresult = tvresult;
+		}
+		if (prevname != NULL) {
+			result = verifyemptynodes(
+				vctx, name, prevname, isdelegation,
+				&vctx->nsec3paramset, &tvresult);
+			if (result != ISC_R_SUCCESS) {
+				dns_db_detachnode(vctx->db, &node);
+				goto done;
+			}
+		} else {
+			prevname = dns_fixedname_name(&fprevname);
+		}
+		dns_name_copynf(name, prevname);
+		if (*vresult == ISC_R_SUCCESS) {
+			*vresult = tvresult;
+		}
+		dns_db_detachnode(vctx->db, &node);
+	}
+
+	dns_dbiterator_destroy(&dbiter);
+
+	result = dns_db_createiterator(vctx->db, DNS_DB_NSEC3ONLY, &dbiter);
+	if (result != ISC_R_SUCCESS) {
+		zoneverify_log_error(vctx, "dns_db_createiterator(): %s",
+				     isc_result_totext(result));
+		return (result);
+	}
+
+	for (result = dns_dbiterator_first(dbiter); result == ISC_R_SUCCESS;
+	     result = dns_dbiterator_next(dbiter))
+	{
+		result = dns_dbiterator_current(dbiter, &node, name);
+		if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+			zoneverify_log_error(vctx,
+					     "dns_dbiterator_current(): %s",
+					     isc_result_totext(result));
+			goto done;
+		}
+		result = verifynode(vctx, name, node, false, dstkeys, nkeys,
+				    NULL, NULL, NULL, NULL);
+		if (result != ISC_R_SUCCESS) {
+			zoneverify_log_error(vctx, "verifynode: %s",
+					     isc_result_totext(result));
+			dns_db_detachnode(vctx->db, &node);
+			goto done;
+		}
+		result = record_found(vctx, name, node, &vctx->nsec3paramset);
+		dns_db_detachnode(vctx->db, &node);
+		if (result != ISC_R_SUCCESS) {
+			goto done;
+		}
+	}
+
+	result = ISC_R_SUCCESS;
+
+done:
+	while (nkeys-- > 0U) {
+		dst_key_free(&dstkeys[nkeys]);
+	}
+	isc_mem_put(vctx->mctx, dstkeys, sizeof(*dstkeys) * count);
+	if (dbiter != NULL) {
+		dns_dbiterator_destroy(&dbiter);
+	}
+
+	return (result);
+}
+
+static isc_result_t
+check_bad_algorithms(const vctx_t *vctx, void (*report)(const char *, ...)) {
+	char algbuf[DNS_SECALG_FORMATSIZE];
+	bool first = true;
+
+	for (size_t i = 0; i < ARRAY_SIZE(vctx->bad_algorithms); i++) {
+		if (vctx->bad_algorithms[i] == 0) {
+			continue;
+		}
+		if (first) {
+			report("The zone is not fully signed "
+			       "for the following algorithms:");
+		}
+		dns_secalg_format(i, algbuf, sizeof(algbuf));
+		report(" %s", algbuf);
+		first = false;
+	}
+
+	if (!first) {
+		report(".");
+	}
+
+	return (first ? ISC_R_SUCCESS : ISC_R_FAILURE);
+}
+
+static void
+print_summary(const vctx_t *vctx, bool keyset_kskonly,
+	      void (*report)(const char *, ...)) {
+	char algbuf[DNS_SECALG_FORMATSIZE];
+
+	report("Zone fully signed:");
+	for (size_t i = 0; i < ARRAY_SIZE(vctx->ksk_algorithms); i++) {
+		if ((vctx->ksk_algorithms[i] == 0) &&
+		    (vctx->standby_ksk[i] == 0) &&
+		    (vctx->revoked_ksk[i] == 0) &&
+		    (vctx->zsk_algorithms[i] == 0) &&
+		    (vctx->standby_zsk[i] == 0) && (vctx->revoked_zsk[i] == 0))
+		{
+			continue;
+		}
+		dns_secalg_format(i, algbuf, sizeof(algbuf));
+		report("Algorithm: %s: KSKs: "
+		       "%u active, %u stand-by, %u revoked",
+		       algbuf, vctx->ksk_algorithms[i], vctx->standby_ksk[i],
+		       vctx->revoked_ksk[i]);
+		report("%*sZSKs: "
+		       "%u active, %u %s, %u revoked",
+		       (int)strlen(algbuf) + 13, "", vctx->zsk_algorithms[i],
+		       vctx->standby_zsk[i],
+		       keyset_kskonly ? "present" : "stand-by",
+		       vctx->revoked_zsk[i]);
+	}
+}
+
+isc_result_t
+dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
+		      dns_name_t *origin, dns_keytable_t *secroots,
+		      isc_mem_t *mctx, bool ignore_kskflag, bool keyset_kskonly,
+		      void (*report)(const char *, ...)) {
+	const char *keydesc = (secroots == NULL ? "self-signed" : "trusted");
+	isc_result_t result, vresult = ISC_R_UNSET;
+	vctx_t vctx;
+
+	vctx_init(&vctx, mctx, zone, db, ver, origin, secroots);
+
+	result = check_apex_rrsets(&vctx);
+	if (result != ISC_R_SUCCESS) {
+		goto done;
+	}
+
+	result = check_dnskey(&vctx);
+	if (result != ISC_R_SUCCESS) {
+		goto done;
+	}
+
+	if (ignore_kskflag) {
+		if (!vctx.goodksk && !vctx.goodzsk) {
+			zoneverify_log_error(&vctx, "No %s DNSKEY found",
+					     keydesc);
+			result = ISC_R_FAILURE;
+			goto done;
+		}
+	} else if (!vctx.goodksk) {
+		zoneverify_log_error(&vctx, "No %s KSK DNSKEY found", keydesc);
+		result = ISC_R_FAILURE;
+		goto done;
+	}
+
+	determine_active_algorithms(&vctx, ignore_kskflag, keyset_kskonly,
+				    report);
+
+	result = verify_nodes(&vctx, &vresult);
+	if (result != ISC_R_SUCCESS) {
+		goto done;
+	}
+
+	result = verify_nsec3_chains(&vctx, mctx);
+	if (vresult == ISC_R_UNSET) {
+		vresult = ISC_R_SUCCESS;
+	}
+	if (result != ISC_R_SUCCESS && vresult == ISC_R_SUCCESS) {
+		vresult = result;
+	}
+
+	result = check_bad_algorithms(&vctx, report);
+	if (result != ISC_R_SUCCESS) {
+		report("DNSSEC completeness test failed.");
+		goto done;
+	}
+
+	result = vresult;
+	if (result != ISC_R_SUCCESS) {
+		report("DNSSEC completeness test failed (%s).",
+		       dns_result_totext(result));
+		goto done;
+	}
+
+	if (vctx.goodksk || ignore_kskflag) {
+		print_summary(&vctx, keyset_kskonly, report);
+	}
+
+done:
+	vctx_destroy(&vctx);
+
+	return (result);
+}
diff --git a/lib/dns/zt.c b/lib/dns/zt.c
new file mode 100644
index 0000000..7728c15
--- /dev/null
+++ b/lib/dns/zt.c
@@ -0,0 +1,617 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/atomic.h>
+#include <isc/file.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/util.h>
+
+#include <dns/log.h>
+#include <dns/name.h>
+#include <dns/rbt.h>
+#include <dns/rdataclass.h>
+#include <dns/result.h>
+#include <dns/view.h>
+#include <dns/zone.h>
+#include <dns/zt.h>
+
+struct zt_load_params {
+	dns_zt_zoneloaded_t dl;
+	bool newonly;
+};
+
+struct dns_zt {
+	/* Unlocked. */
+	unsigned int magic;
+	isc_mem_t *mctx;
+	dns_rdataclass_t rdclass;
+	isc_rwlock_t rwlock;
+	dns_zt_allloaded_t loaddone;
+	void *loaddone_arg;
+	struct zt_load_params *loadparams;
+
+	/* Atomic */
+	atomic_bool flush;
+	isc_refcount_t references;
+	isc_refcount_t loads_pending;
+
+	/* Locked by lock. */
+	dns_rbt_t *table;
+};
+
+struct zt_freeze_params {
+	dns_view_t *view;
+	bool freeze;
+};
+
+#define ZTMAGIC	     ISC_MAGIC('Z', 'T', 'b', 'l')
+#define VALID_ZT(zt) ISC_MAGIC_VALID(zt, ZTMAGIC)
+
+static void
+auto_detach(void *, void *);
+
+static isc_result_t
+load(dns_zone_t *zone, void *uap);
+
+static isc_result_t
+asyncload(dns_zone_t *zone, void *callback);
+
+static isc_result_t
+freezezones(dns_zone_t *zone, void *uap);
+
+static isc_result_t
+doneloading(dns_zt_t *zt, dns_zone_t *zone, isc_task_t *task);
+
+isc_result_t
+dns_zt_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, dns_zt_t **ztp) {
+	dns_zt_t *zt;
+	isc_result_t result;
+
+	REQUIRE(ztp != NULL && *ztp == NULL);
+
+	zt = isc_mem_get(mctx, sizeof(*zt));
+
+	zt->table = NULL;
+	result = dns_rbt_create(mctx, auto_detach, zt, &zt->table);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_zt;
+	}
+
+	isc_rwlock_init(&zt->rwlock, 0, 0);
+	zt->mctx = NULL;
+	isc_mem_attach(mctx, &zt->mctx);
+	isc_refcount_init(&zt->references, 1);
+	atomic_init(&zt->flush, false);
+	zt->rdclass = rdclass;
+	zt->magic = ZTMAGIC;
+	zt->loaddone = NULL;
+	zt->loaddone_arg = NULL;
+	zt->loadparams = NULL;
+	isc_refcount_init(&zt->loads_pending, 0);
+	*ztp = zt;
+
+	return (ISC_R_SUCCESS);
+
+cleanup_zt:
+	isc_mem_put(mctx, zt, sizeof(*zt));
+
+	return (result);
+}
+
+isc_result_t
+dns_zt_mount(dns_zt_t *zt, dns_zone_t *zone) {
+	isc_result_t result;
+	dns_zone_t *dummy = NULL;
+	dns_name_t *name;
+
+	REQUIRE(VALID_ZT(zt));
+
+	name = dns_zone_getorigin(zone);
+
+	RWLOCK(&zt->rwlock, isc_rwlocktype_write);
+
+	result = dns_rbt_addname(zt->table, name, zone);
+	if (result == ISC_R_SUCCESS) {
+		dns_zone_attach(zone, &dummy);
+	}
+
+	RWUNLOCK(&zt->rwlock, isc_rwlocktype_write);
+
+	return (result);
+}
+
+isc_result_t
+dns_zt_unmount(dns_zt_t *zt, dns_zone_t *zone) {
+	isc_result_t result;
+	dns_name_t *name;
+
+	REQUIRE(VALID_ZT(zt));
+
+	name = dns_zone_getorigin(zone);
+
+	RWLOCK(&zt->rwlock, isc_rwlocktype_write);
+
+	result = dns_rbt_deletename(zt->table, name, false);
+
+	RWUNLOCK(&zt->rwlock, isc_rwlocktype_write);
+
+	return (result);
+}
+
+isc_result_t
+dns_zt_find(dns_zt_t *zt, const dns_name_t *name, unsigned int options,
+	    dns_name_t *foundname, dns_zone_t **zonep) {
+	isc_result_t result;
+	dns_zone_t *dummy = NULL;
+	unsigned int rbtoptions = 0;
+
+	REQUIRE(VALID_ZT(zt));
+
+	if ((options & DNS_ZTFIND_NOEXACT) != 0) {
+		rbtoptions |= DNS_RBTFIND_NOEXACT;
+	}
+
+	RWLOCK(&zt->rwlock, isc_rwlocktype_read);
+
+	result = dns_rbt_findname(zt->table, name, rbtoptions, foundname,
+				  (void **)(void *)&dummy);
+	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
+		/*
+		 * If DNS_ZTFIND_MIRROR is set and the zone which was
+		 * determined to be the deepest match for the supplied name is
+		 * a mirror zone which is expired or not yet loaded, treat it
+		 * as non-existent.  This will trigger a fallback to recursion
+		 * instead of returning a SERVFAIL.
+		 *
+		 * Note that currently only the deepest match in the zone table
+		 * is checked.  Consider a server configured with two mirror
+		 * zones: "bar" and its child, "foo.bar".  If zone data is
+		 * available for "bar" but not for "foo.bar", a query with
+		 * QNAME equal to or below "foo.bar" will cause ISC_R_NOTFOUND
+		 * to be returned, not DNS_R_PARTIALMATCH, despite zone data
+		 * being available for "bar".  This is considered to be an edge
+		 * case, handling which more appropriately is possible, but
+		 * arguably not worth the added complexity.
+		 */
+		if ((options & DNS_ZTFIND_MIRROR) != 0 &&
+		    dns_zone_gettype(dummy) == dns_zone_mirror &&
+		    !dns_zone_isloaded(dummy))
+		{
+			result = ISC_R_NOTFOUND;
+		} else {
+			dns_zone_attach(dummy, zonep);
+		}
+	}
+
+	RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
+
+	return (result);
+}
+
+void
+dns_zt_attach(dns_zt_t *zt, dns_zt_t **ztp) {
+	REQUIRE(VALID_ZT(zt));
+	REQUIRE(ztp != NULL && *ztp == NULL);
+
+	isc_refcount_increment(&zt->references);
+
+	*ztp = zt;
+}
+
+static isc_result_t
+flush(dns_zone_t *zone, void *uap) {
+	UNUSED(uap);
+	return (dns_zone_flush(zone));
+}
+
+static void
+zt_destroy(dns_zt_t *zt) {
+	if (atomic_load_acquire(&zt->flush)) {
+		(void)dns_zt_apply(zt, isc_rwlocktype_none, false, NULL, flush,
+				   NULL);
+	}
+	dns_rbt_destroy(&zt->table);
+	isc_rwlock_destroy(&zt->rwlock);
+	zt->magic = 0;
+	isc_mem_putanddetach(&zt->mctx, zt, sizeof(*zt));
+}
+
+static void
+zt_flushanddetach(dns_zt_t **ztp, bool need_flush) {
+	dns_zt_t *zt;
+
+	REQUIRE(ztp != NULL && VALID_ZT(*ztp));
+
+	zt = *ztp;
+	*ztp = NULL;
+
+	if (need_flush) {
+		atomic_store_release(&zt->flush, true);
+	}
+
+	if (isc_refcount_decrement(&zt->references) == 1) {
+		zt_destroy(zt);
+	}
+}
+
+void
+dns_zt_flushanddetach(dns_zt_t **ztp) {
+	zt_flushanddetach(ztp, true);
+}
+
+void
+dns_zt_detach(dns_zt_t **ztp) {
+	zt_flushanddetach(ztp, false);
+}
+
+isc_result_t
+dns_zt_load(dns_zt_t *zt, bool stop, bool newonly) {
+	isc_result_t result;
+	struct zt_load_params params;
+	REQUIRE(VALID_ZT(zt));
+	params.newonly = newonly;
+	result = dns_zt_apply(zt, isc_rwlocktype_read, stop, NULL, load,
+			      &params);
+	return (result);
+}
+
+static isc_result_t
+load(dns_zone_t *zone, void *paramsv) {
+	isc_result_t result;
+	struct zt_load_params *params = (struct zt_load_params *)paramsv;
+	result = dns_zone_load(zone, params->newonly);
+	if (result == DNS_R_CONTINUE || result == DNS_R_UPTODATE ||
+	    result == DNS_R_DYNAMIC)
+	{
+		result = ISC_R_SUCCESS;
+	}
+	return (result);
+}
+
+static void
+call_loaddone(dns_zt_t *zt) {
+	dns_zt_allloaded_t loaddone = zt->loaddone;
+	void *loaddone_arg = zt->loaddone_arg;
+
+	/*
+	 * Set zt->loaddone, zt->loaddone_arg and zt->loadparams to NULL
+	 * before calling loaddone.
+	 */
+	zt->loaddone = NULL;
+	zt->loaddone_arg = NULL;
+
+	isc_mem_put(zt->mctx, zt->loadparams, sizeof(struct zt_load_params));
+	zt->loadparams = NULL;
+
+	/*
+	 * Call the callback last.
+	 */
+	if (loaddone != NULL) {
+		loaddone(loaddone_arg);
+	}
+}
+
+isc_result_t
+dns_zt_asyncload(dns_zt_t *zt, bool newonly, dns_zt_allloaded_t alldone,
+		 void *arg) {
+	isc_result_t result;
+	uint_fast32_t loads_pending;
+
+	REQUIRE(VALID_ZT(zt));
+
+	/*
+	 * Obtain a reference to zt->loads_pending so that asyncload can
+	 * safely decrement both zt->references and zt->loads_pending
+	 * without going to zero.
+	 */
+	loads_pending = isc_refcount_increment0(&zt->loads_pending);
+	INSIST(loads_pending == 0);
+
+	/*
+	 * Only one dns_zt_asyncload call at a time should be active so
+	 * these pointers should be NULL.  They are set back to NULL
+	 * before the zt->loaddone (alldone) is called in call_loaddone.
+	 */
+	INSIST(zt->loadparams == NULL);
+	INSIST(zt->loaddone == NULL);
+	INSIST(zt->loaddone_arg == NULL);
+
+	zt->loadparams = isc_mem_get(zt->mctx, sizeof(struct zt_load_params));
+	zt->loadparams->dl = doneloading;
+	zt->loadparams->newonly = newonly;
+	zt->loaddone = alldone;
+	zt->loaddone_arg = arg;
+
+	result = dns_zt_apply(zt, isc_rwlocktype_read, false, NULL, asyncload,
+			      zt);
+
+	/*
+	 * Have all the loads completed?
+	 */
+	if (isc_refcount_decrement(&zt->loads_pending) == 1) {
+		call_loaddone(zt);
+	}
+
+	return (result);
+}
+
+/*
+ * Initiates asynchronous loading of zone 'zone'.  'callback' is a
+ * pointer to a function which will be used to inform the caller when
+ * the zone loading is complete.
+ */
+static isc_result_t
+asyncload(dns_zone_t *zone, void *zt_) {
+	isc_result_t result;
+	struct dns_zt *zt = (dns_zt_t *)zt_;
+	REQUIRE(zone != NULL);
+
+	isc_refcount_increment(&zt->references);
+	isc_refcount_increment(&zt->loads_pending);
+
+	result = dns_zone_asyncload(zone, zt->loadparams->newonly,
+				    *zt->loadparams->dl, zt);
+	if (result != ISC_R_SUCCESS) {
+		/*
+		 * Caller is holding a reference to zt->loads_pending
+		 * and zt->references so these can't decrement to zero.
+		 */
+		isc_refcount_decrement1(&zt->references);
+		isc_refcount_decrement1(&zt->loads_pending);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_zt_freezezones(dns_zt_t *zt, dns_view_t *view, bool freeze) {
+	isc_result_t result, tresult;
+	struct zt_freeze_params params = { view, freeze };
+
+	REQUIRE(VALID_ZT(zt));
+
+	result = dns_zt_apply(zt, isc_rwlocktype_read, false, &tresult,
+			      freezezones, &params);
+	if (tresult == ISC_R_NOTFOUND) {
+		tresult = ISC_R_SUCCESS;
+	}
+	return ((result == ISC_R_SUCCESS) ? tresult : result);
+}
+
+static isc_result_t
+freezezones(dns_zone_t *zone, void *uap) {
+	struct zt_freeze_params *params = uap;
+	bool frozen;
+	isc_result_t result = ISC_R_SUCCESS;
+	char classstr[DNS_RDATACLASS_FORMATSIZE];
+	char zonename[DNS_NAME_FORMATSIZE];
+	dns_zone_t *raw = NULL;
+	dns_view_t *view;
+	const char *vname;
+	const char *sep;
+	int level;
+
+	dns_zone_getraw(zone, &raw);
+	if (raw != NULL) {
+		zone = raw;
+	}
+	if (params->view != dns_zone_getview(zone)) {
+		if (raw != NULL) {
+			dns_zone_detach(&raw);
+		}
+		return (ISC_R_SUCCESS);
+	}
+	if (dns_zone_gettype(zone) != dns_zone_primary) {
+		if (raw != NULL) {
+			dns_zone_detach(&raw);
+		}
+		return (ISC_R_SUCCESS);
+	}
+	if (!dns_zone_isdynamic(zone, true)) {
+		if (raw != NULL) {
+			dns_zone_detach(&raw);
+		}
+		return (ISC_R_SUCCESS);
+	}
+
+	frozen = dns_zone_getupdatedisabled(zone);
+	if (params->freeze) {
+		if (frozen) {
+			result = DNS_R_FROZEN;
+		}
+		if (result == ISC_R_SUCCESS) {
+			result = dns_zone_flush(zone);
+		}
+		if (result == ISC_R_SUCCESS) {
+			dns_zone_setupdatedisabled(zone, params->freeze);
+		}
+	} else {
+		if (frozen) {
+			result = dns_zone_loadandthaw(zone);
+			if (result == DNS_R_CONTINUE ||
+			    result == DNS_R_UPTODATE)
+			{
+				result = ISC_R_SUCCESS;
+			}
+		}
+	}
+	view = dns_zone_getview(zone);
+	if (strcmp(view->name, "_bind") == 0 || strcmp(view->name, "_defaul"
+								   "t") == 0)
+	{
+		vname = "";
+		sep = "";
+	} else {
+		vname = view->name;
+		sep = " ";
+	}
+	dns_rdataclass_format(dns_zone_getclass(zone), classstr,
+			      sizeof(classstr));
+	dns_name_format(dns_zone_getorigin(zone), zonename, sizeof(zonename));
+	level = (result != ISC_R_SUCCESS) ? ISC_LOG_ERROR : ISC_LOG_DEBUG(1);
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_ZONE,
+		      level, "%s zone '%s/%s'%s%s: %s",
+		      params->freeze ? "freezing" : "thawing", zonename,
+		      classstr, sep, vname, isc_result_totext(result));
+	if (raw != NULL) {
+		dns_zone_detach(&raw);
+	}
+	return (result);
+}
+
+void
+dns_zt_setviewcommit(dns_zt_t *zt) {
+	dns_rbtnode_t *node;
+	dns_rbtnodechain_t chain;
+	isc_result_t result;
+
+	REQUIRE(VALID_ZT(zt));
+
+	dns_rbtnodechain_init(&chain);
+
+	result = dns_rbtnodechain_first(&chain, zt->table, NULL, NULL);
+	while (result == DNS_R_NEWORIGIN || result == ISC_R_SUCCESS) {
+		result = dns_rbtnodechain_current(&chain, NULL, NULL, &node);
+		if (result == ISC_R_SUCCESS && node->data != NULL) {
+			dns_zone_setviewcommit(node->data);
+		}
+
+		result = dns_rbtnodechain_next(&chain, NULL, NULL);
+	}
+
+	dns_rbtnodechain_invalidate(&chain);
+}
+
+void
+dns_zt_setviewrevert(dns_zt_t *zt) {
+	dns_rbtnode_t *node;
+	dns_rbtnodechain_t chain;
+	isc_result_t result;
+
+	REQUIRE(VALID_ZT(zt));
+
+	dns_rbtnodechain_init(&chain);
+
+	result = dns_rbtnodechain_first(&chain, zt->table, NULL, NULL);
+	while (result == DNS_R_NEWORIGIN || result == ISC_R_SUCCESS) {
+		result = dns_rbtnodechain_current(&chain, NULL, NULL, &node);
+		if (result == ISC_R_SUCCESS && node->data != NULL) {
+			dns_zone_setviewrevert(node->data);
+		}
+
+		result = dns_rbtnodechain_next(&chain, NULL, NULL);
+	}
+
+	dns_rbtnodechain_invalidate(&chain);
+}
+
+isc_result_t
+dns_zt_apply(dns_zt_t *zt, isc_rwlocktype_t lock, bool stop, isc_result_t *sub,
+	     isc_result_t (*action)(dns_zone_t *, void *), void *uap) {
+	dns_rbtnode_t *node;
+	dns_rbtnodechain_t chain;
+	isc_result_t result, tresult = ISC_R_SUCCESS;
+	dns_zone_t *zone;
+
+	REQUIRE(VALID_ZT(zt));
+	REQUIRE(action != NULL);
+
+	if (lock != isc_rwlocktype_none) {
+		RWLOCK(&zt->rwlock, lock);
+	}
+
+	dns_rbtnodechain_init(&chain);
+	result = dns_rbtnodechain_first(&chain, zt->table, NULL, NULL);
+	if (result == ISC_R_NOTFOUND) {
+		/*
+		 * The tree is empty.
+		 */
+		tresult = result;
+		result = ISC_R_NOMORE;
+	}
+	while (result == DNS_R_NEWORIGIN || result == ISC_R_SUCCESS) {
+		result = dns_rbtnodechain_current(&chain, NULL, NULL, &node);
+		if (result == ISC_R_SUCCESS) {
+			zone = node->data;
+			if (zone != NULL) {
+				result = (action)(zone, uap);
+			}
+			if (result != ISC_R_SUCCESS && stop) {
+				tresult = result;
+				goto cleanup; /* don't break */
+			} else if (result != ISC_R_SUCCESS &&
+				   tresult == ISC_R_SUCCESS)
+			{
+				tresult = result;
+			}
+		}
+		result = dns_rbtnodechain_next(&chain, NULL, NULL);
+	}
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+	}
+
+cleanup:
+	dns_rbtnodechain_invalidate(&chain);
+	if (sub != NULL) {
+		*sub = tresult;
+	}
+
+	if (lock != isc_rwlocktype_none) {
+		RWUNLOCK(&zt->rwlock, lock);
+	}
+
+	return (result);
+}
+
+/*
+ * Decrement the loads_pending counter; when counter reaches
+ * zero, call the loaddone callback that was initially set by
+ * dns_zt_asyncload().
+ */
+static isc_result_t
+doneloading(dns_zt_t *zt, dns_zone_t *zone, isc_task_t *task) {
+	UNUSED(zone);
+	UNUSED(task);
+
+	REQUIRE(VALID_ZT(zt));
+
+	if (isc_refcount_decrement(&zt->loads_pending) == 1) {
+		call_loaddone(zt);
+	}
+
+	if (isc_refcount_decrement(&zt->references) == 1) {
+		zt_destroy(zt);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/***
+ *** Private
+ ***/
+
+static void
+auto_detach(void *data, void *arg) {
+	dns_zone_t *zone = data;
+
+	UNUSED(arg);
+	dns_zone_detach(&zone);
+}
diff --git a/lib/irs/Kyuafile b/lib/irs/Kyuafile
new file mode 100644
index 0000000..c796010
--- /dev/null
+++ b/lib/irs/Kyuafile
@@ -0,0 +1,15 @@
+-- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+--
+-- SPDX-License-Identifier: MPL-2.0
+--
+-- This Source Code Form is subject to the terms of the Mozilla Public
+-- License, v. 2.0.  If a copy of the MPL was not distributed with this
+-- file, you can obtain one at https://mozilla.org/MPL/2.0/.
+--
+-- See the COPYRIGHT file distributed with this work for additional
+-- information regarding copyright ownership.
+
+syntax(2)
+test_suite('bind9')
+
+include('tests/Kyuafile')
diff --git a/lib/irs/Makefile.in b/lib/irs/Makefile.in
new file mode 100644
index 0000000..6152e9a
--- /dev/null
+++ b/lib/irs/Makefile.in
@@ -0,0 +1,90 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	-I. -I./include -I${srcdir}/include \
+		${DNS_INCLUDES} ${ISC_INCLUDES} \
+		${ISCCFG_INCLUDES} \
+		${OPENSSL_CFLAGS}
+
+CDEFINES =
+CWARNINGS =
+
+ISCLIBS =	../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+
+ISCDEPLIBS =	../../lib/isc/libisc.@A@
+
+DNSLIBS =	../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+
+DNSDEPLIBS =	../../lib/dns/libdns.@A@
+
+ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
+
+ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
+
+LIBS =		@LIBS@
+
+# Alphabetically
+OBJS =		context.@O@ \
+		dnsconf.@O@ \
+		gai_strerror.@O@ getaddrinfo.@O@ getnameinfo.@O@ \
+		resconf.@O@
+
+# Alphabetically
+SRCS =		context.c \
+		dnsconf.c \
+		gai_strerror.c getaddrinfo.c getnameinfo.c \
+		resconf.c
+
+SUBDIRS =	include
+TESTDIRS =	@UNITTESTS@
+TARGETS =	timestamp
+
+@BIND9_MAKE_RULES@
+
+version.@O@: version.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+		-DVERSION=\"${VERSION}\" \
+		-c ${srcdir}/version.c
+
+libirs.@SA@: ${OBJS} version.@O@
+	${AR} ${ARFLAGS} $@ ${OBJS} version.@O@
+	${RANLIB} $@
+
+libirs.la: ${OBJS} version.@O@
+	${LIBTOOL_MODE_LINK} \
+		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libirs.la -rpath ${libdir} \
+		-release "${VERSION}" \
+		${OBJS} version.@O@ ${ISCLIBS} ${DNSLIBS} ${ISCCFGLIBS} ${LIBS}
+
+timestamp: libirs.@A@
+	touch timestamp
+
+testdirs: libirs.@A@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
+
+install:: timestamp installdirs
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libirs.@A@ ${DESTDIR}${libdir}
+
+uninstall::
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libirs.@A@
+
+clean distclean::
+	rm -f libirs.@A@ libirs.la timestamp
diff --git a/lib/irs/context.c b/lib/irs/context.c
new file mode 100644
index 0000000..e783358
--- /dev/null
+++ b/lib/irs/context.c
@@ -0,0 +1,334 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stdbool.h>
+
+#include <isc/app.h>
+#include <isc/lib.h>
+#include <isc/magic.h>
+#include <isc/managers.h>
+#include <isc/mem.h>
+#include <isc/netmgr.h>
+#include <isc/once.h>
+#include <isc/socket.h>
+#include <isc/task.h>
+#include <isc/thread.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/client.h>
+#include <dns/lib.h>
+
+#include <irs/context.h>
+#include <irs/dnsconf.h>
+#include <irs/resconf.h>
+
+#define IRS_CONTEXT_MAGIC    ISC_MAGIC('I', 'R', 'S', 'c')
+#define IRS_CONTEXT_VALID(c) ISC_MAGIC_VALID(c, IRS_CONTEXT_MAGIC)
+
+#ifndef RESOLV_CONF
+/*% location of resolve.conf */
+#define RESOLV_CONF "/etc/resolv.conf"
+#endif /* ifndef RESOLV_CONF */
+
+#ifndef DNS_CONF
+/*% location of dns.conf */
+#define DNS_CONF "/etc/dns.conf"
+#endif /* ifndef DNS_CONF */
+
+ISC_THREAD_LOCAL irs_context_t *irs_context = NULL;
+
+struct irs_context {
+	/*
+	 * An IRS context is a thread-specific object, and does not need to
+	 * be locked.
+	 */
+	unsigned int magic;
+	isc_mem_t *mctx;
+	isc_appctx_t *actx;
+	isc_nm_t *netmgr;
+	isc_taskmgr_t *taskmgr;
+	isc_task_t *task;
+	isc_socketmgr_t *socketmgr;
+	isc_timermgr_t *timermgr;
+	dns_client_t *dnsclient;
+	irs_resconf_t *resconf;
+	irs_dnsconf_t *dnsconf;
+};
+
+static void
+ctxs_destroy(isc_mem_t **mctxp, isc_appctx_t **actxp, isc_nm_t **netmgrp,
+	     isc_taskmgr_t **taskmgrp, isc_socketmgr_t **socketmgrp,
+	     isc_timermgr_t **timermgrp) {
+	isc_managers_destroy(netmgrp == NULL ? NULL : netmgrp,
+			     taskmgrp == NULL ? NULL : taskmgrp);
+
+	if (timermgrp != NULL) {
+		isc_timermgr_destroy(timermgrp);
+	}
+
+	if (socketmgrp != NULL) {
+		isc_socketmgr_destroy(socketmgrp);
+	}
+
+	if (actxp != NULL) {
+		isc_appctx_destroy(actxp);
+	}
+
+	if (mctxp != NULL) {
+		isc_mem_destroy(mctxp);
+	}
+}
+
+static isc_result_t
+ctxs_init(isc_mem_t **mctxp, isc_appctx_t **actxp, isc_nm_t **netmgrp,
+	  isc_taskmgr_t **taskmgrp, isc_socketmgr_t **socketmgrp,
+	  isc_timermgr_t **timermgrp) {
+	isc_result_t result;
+
+	isc_mem_create(mctxp);
+
+	result = isc_appctx_create(*mctxp, actxp);
+	if (result != ISC_R_SUCCESS) {
+		goto fail;
+	}
+
+	result = isc_managers_create(*mctxp, 1, 0, netmgrp, taskmgrp);
+	if (result != ISC_R_SUCCESS) {
+		goto fail;
+	}
+
+	result = isc_socketmgr_create(*mctxp, socketmgrp);
+	if (result != ISC_R_SUCCESS) {
+		goto fail;
+	}
+
+	result = isc_timermgr_create(*mctxp, timermgrp);
+	if (result != ISC_R_SUCCESS) {
+		goto fail;
+	}
+
+	return (ISC_R_SUCCESS);
+
+fail:
+	ctxs_destroy(mctxp, actxp, netmgrp, taskmgrp, socketmgrp, timermgrp);
+
+	return (result);
+}
+
+isc_result_t
+irs_context_get(irs_context_t **contextp) {
+	isc_result_t result;
+
+	REQUIRE(contextp != NULL && *contextp == NULL);
+
+	if (irs_context == NULL) {
+		result = irs_context_create(&irs_context);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+
+	*contextp = irs_context;
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+irs_context_create(irs_context_t **contextp) {
+	isc_result_t result;
+	irs_context_t *context;
+	isc_appctx_t *actx = NULL;
+	isc_mem_t *mctx = NULL;
+	isc_nm_t *netmgr = NULL;
+	isc_taskmgr_t *taskmgr = NULL;
+	isc_socketmgr_t *socketmgr = NULL;
+	isc_timermgr_t *timermgr = NULL;
+	dns_client_t *client = NULL;
+	isc_sockaddrlist_t *nameservers;
+	irs_dnsconf_dnskeylist_t *trustedkeys;
+	irs_dnsconf_dnskey_t *trustedkey;
+
+	isc_lib_register();
+	result = dns_lib_init();
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = ctxs_init(&mctx, &actx, &netmgr, &taskmgr, &socketmgr,
+			   &timermgr);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = isc_app_ctxstart(actx);
+	if (result != ISC_R_SUCCESS) {
+		ctxs_destroy(&mctx, &actx, &netmgr, &taskmgr, &socketmgr,
+			     &timermgr);
+		return (result);
+	}
+
+	context = isc_mem_get(mctx, sizeof(*context));
+
+	context->mctx = mctx;
+	context->actx = actx;
+	context->taskmgr = taskmgr;
+	context->socketmgr = socketmgr;
+	context->timermgr = timermgr;
+	context->resconf = NULL;
+	context->dnsconf = NULL;
+	context->task = NULL;
+	result = isc_task_create(taskmgr, 0, &context->task);
+	if (result != ISC_R_SUCCESS) {
+		goto fail;
+	}
+
+	/* Create a DNS client object */
+	result = dns_client_create(mctx, actx, taskmgr, socketmgr, timermgr, 0,
+				   &client, NULL, NULL);
+	if (result != ISC_R_SUCCESS) {
+		goto fail;
+	}
+	context->dnsclient = client;
+
+	/* Read resolver configuration file */
+	result = irs_resconf_load(mctx, RESOLV_CONF, &context->resconf);
+	if (result != ISC_R_SUCCESS) {
+		goto fail;
+	}
+	/* Set nameservers */
+	nameservers = irs_resconf_getnameservers(context->resconf);
+	result = dns_client_setservers(client, dns_rdataclass_in, NULL,
+				       nameservers);
+	if (result != ISC_R_SUCCESS) {
+		goto fail;
+	}
+
+	/* Read advanced DNS configuration (if any) */
+	result = irs_dnsconf_load(mctx, DNS_CONF, &context->dnsconf);
+	if (result != ISC_R_SUCCESS) {
+		goto fail;
+	}
+	trustedkeys = irs_dnsconf_gettrustedkeys(context->dnsconf);
+	for (trustedkey = ISC_LIST_HEAD(*trustedkeys); trustedkey != NULL;
+	     trustedkey = ISC_LIST_NEXT(trustedkey, link))
+	{
+		result = dns_client_addtrustedkey(
+			client, dns_rdataclass_in, dns_rdatatype_dnskey,
+			trustedkey->keyname, trustedkey->keydatabuf);
+		if (result != ISC_R_SUCCESS) {
+			goto fail;
+		}
+	}
+
+	context->magic = IRS_CONTEXT_MAGIC;
+	*contextp = context;
+
+	return (ISC_R_SUCCESS);
+
+fail:
+	if (context->task != NULL) {
+		isc_task_detach(&context->task);
+	}
+	if (context->resconf != NULL) {
+		irs_resconf_destroy(&context->resconf);
+	}
+	if (context->dnsconf != NULL) {
+		irs_dnsconf_destroy(&context->dnsconf);
+	}
+	if (client != NULL) {
+		dns_client_destroy(&client);
+	}
+	ctxs_destroy(NULL, &actx, &netmgr, &taskmgr, &socketmgr, &timermgr);
+	isc_mem_putanddetach(&mctx, context, sizeof(*context));
+
+	return (result);
+}
+
+void
+irs_context_destroy(irs_context_t **contextp) {
+	irs_context_t *context;
+
+	REQUIRE(contextp != NULL);
+	context = *contextp;
+	REQUIRE(IRS_CONTEXT_VALID(context));
+	*contextp = irs_context = NULL;
+
+	isc_task_detach(&context->task);
+	irs_dnsconf_destroy(&context->dnsconf);
+	irs_resconf_destroy(&context->resconf);
+	dns_client_destroy(&context->dnsclient);
+
+	ctxs_destroy(NULL, &context->actx, &context->netmgr, &context->taskmgr,
+		     &context->socketmgr, &context->timermgr);
+
+	context->magic = 0;
+
+	isc_mem_putanddetach(&context->mctx, context, sizeof(*context));
+}
+
+isc_mem_t *
+irs_context_getmctx(irs_context_t *context) {
+	REQUIRE(IRS_CONTEXT_VALID(context));
+
+	return (context->mctx);
+}
+
+isc_appctx_t *
+irs_context_getappctx(irs_context_t *context) {
+	REQUIRE(IRS_CONTEXT_VALID(context));
+
+	return (context->actx);
+}
+
+isc_taskmgr_t *
+irs_context_gettaskmgr(irs_context_t *context) {
+	REQUIRE(IRS_CONTEXT_VALID(context));
+
+	return (context->taskmgr);
+}
+
+isc_timermgr_t *
+irs_context_gettimermgr(irs_context_t *context) {
+	REQUIRE(IRS_CONTEXT_VALID(context));
+
+	return (context->timermgr);
+}
+
+isc_task_t *
+irs_context_gettask(irs_context_t *context) {
+	REQUIRE(IRS_CONTEXT_VALID(context));
+
+	return (context->task);
+}
+
+dns_client_t *
+irs_context_getdnsclient(irs_context_t *context) {
+	REQUIRE(IRS_CONTEXT_VALID(context));
+
+	return (context->dnsclient);
+}
+
+irs_resconf_t *
+irs_context_getresconf(irs_context_t *context) {
+	REQUIRE(IRS_CONTEXT_VALID(context));
+
+	return (context->resconf);
+}
+
+irs_dnsconf_t *
+irs_context_getdnsconf(irs_context_t *context) {
+	REQUIRE(IRS_CONTEXT_VALID(context));
+
+	return (context->dnsconf);
+}
diff --git a/lib/irs/dnsconf.c b/lib/irs/dnsconf.c
new file mode 100644
index 0000000..a1421d2
--- /dev/null
+++ b/lib/irs/dnsconf.c
@@ -0,0 +1,291 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <string.h>
+
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/file.h>
+#include <isc/mem.h>
+#include <isc/util.h>
+
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdatastruct.h>
+
+#include <isccfg/dnsconf.h>
+
+#include <irs/dnsconf.h>
+
+#define IRS_DNSCONF_MAGIC    ISC_MAGIC('D', 'c', 'f', 'g')
+#define IRS_DNSCONF_VALID(c) ISC_MAGIC_VALID(c, IRS_DNSCONF_MAGIC)
+
+/*!
+ * configuration data structure
+ */
+
+struct irs_dnsconf {
+	unsigned int magic;
+	isc_mem_t *mctx;
+	irs_dnsconf_dnskeylist_t trusted_keylist;
+};
+
+static isc_result_t
+configure_key(isc_mem_t *mctx, const cfg_obj_t *key, irs_dnsconf_t *conf,
+	      dns_rdataclass_t rdclass) {
+	isc_result_t result;
+	uint32_t flags, proto, alg;
+	dns_fixedname_t fkeyname;
+	dns_name_t *keyname_base = NULL, *keyname = NULL;
+	const char *keystr = NULL, *keynamestr = NULL;
+	unsigned char keydata[4096];
+	isc_buffer_t keydatabuf_base, *keydatabuf = NULL;
+	dns_rdata_dnskey_t keystruct;
+	unsigned char rrdata[4096];
+	isc_buffer_t rrdatabuf;
+	isc_region_t r;
+	isc_buffer_t namebuf;
+	irs_dnsconf_dnskey_t *keyent = NULL;
+
+	flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags"));
+	proto = cfg_obj_asuint32(cfg_tuple_get(key, "protocol"));
+	alg = cfg_obj_asuint32(cfg_tuple_get(key, "algorithm"));
+	keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
+
+	keystruct.common.rdclass = rdclass;
+	keystruct.common.rdtype = dns_rdatatype_dnskey;
+	keystruct.mctx = NULL;
+	ISC_LINK_INIT(&keystruct.common, link);
+
+	if (flags > 0xffff) {
+		return (ISC_R_RANGE);
+	}
+	if (proto > 0xff) {
+		return (ISC_R_RANGE);
+	}
+	if (alg > 0xff) {
+		return (ISC_R_RANGE);
+	}
+	keystruct.flags = (uint16_t)flags;
+	keystruct.protocol = (uint8_t)proto;
+	keystruct.algorithm = (uint8_t)alg;
+
+	isc_buffer_init(&keydatabuf_base, keydata, sizeof(keydata));
+	isc_buffer_init(&rrdatabuf, rrdata, sizeof(rrdata));
+
+	/* Configure key value */
+	keystr = cfg_obj_asstring(cfg_tuple_get(key, "key"));
+	result = isc_base64_decodestring(keystr, &keydatabuf_base);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	isc_buffer_usedregion(&keydatabuf_base, &r);
+	keystruct.datalen = r.length;
+	keystruct.data = r.base;
+
+	result = dns_rdata_fromstruct(NULL, keystruct.common.rdclass,
+				      keystruct.common.rdtype, &keystruct,
+				      &rrdatabuf);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	isc_buffer_usedregion(&rrdatabuf, &r);
+	isc_buffer_allocate(mctx, &keydatabuf, r.length);
+	result = isc_buffer_copyregion(keydatabuf, &r);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	/* Configure key name */
+	keyname_base = dns_fixedname_initname(&fkeyname);
+	isc_buffer_constinit(&namebuf, keynamestr, strlen(keynamestr));
+	isc_buffer_add(&namebuf, strlen(keynamestr));
+	result = dns_name_fromtext(keyname_base, &namebuf, dns_rootname, 0,
+				   NULL);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	keyname = isc_mem_get(mctx, sizeof(*keyname));
+	dns_name_init(keyname, NULL);
+	dns_name_dup(keyname_base, mctx, keyname);
+
+	/* Add the key data to the list */
+	keyent = isc_mem_get(mctx, sizeof(*keyent));
+	keyent->keyname = keyname;
+	keyent->keydatabuf = keydatabuf;
+
+	ISC_LIST_APPEND(conf->trusted_keylist, keyent, link);
+
+cleanup:
+	if (keydatabuf != NULL) {
+		isc_buffer_free(&keydatabuf);
+	}
+	if (keyname != NULL) {
+		isc_mem_put(mctx, keyname, sizeof(*keyname));
+	}
+
+	return (result);
+}
+
+static isc_result_t
+configure_keygroup(irs_dnsconf_t *conf, const cfg_obj_t *keys,
+		   dns_rdataclass_t rdclass) {
+	isc_result_t result;
+	const cfg_obj_t *key, *keylist;
+	const cfg_listelt_t *element, *element2;
+	isc_mem_t *mctx = conf->mctx;
+
+	for (element = cfg_list_first(keys); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		keylist = cfg_listelt_value(element);
+		for (element2 = cfg_list_first(keylist); element2 != NULL;
+		     element2 = cfg_list_next(element2))
+		{
+			key = cfg_listelt_value(element2);
+			result = configure_key(mctx, key, conf, rdclass);
+			if (result != ISC_R_SUCCESS) {
+				return (result);
+			}
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+configure_dnsseckeys(irs_dnsconf_t *conf, cfg_obj_t *cfgobj,
+		     dns_rdataclass_t rdclass) {
+	isc_result_t result;
+	const cfg_obj_t *keys = NULL;
+
+	cfg_map_get(cfgobj, "trusted-keys", &keys);
+	if (keys == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+
+	result = configure_keygroup(conf, keys, rdclass);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	keys = NULL;
+	cfg_map_get(cfgobj, "trust-anchors", &keys);
+	if (keys == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+
+	result = configure_keygroup(conf, keys, rdclass);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	keys = NULL;
+	cfg_map_get(cfgobj, "managed-keys", &keys);
+	if (keys == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+
+	result = configure_keygroup(conf, keys, rdclass);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+irs_dnsconf_load(isc_mem_t *mctx, const char *filename, irs_dnsconf_t **confp) {
+	irs_dnsconf_t *conf;
+	cfg_parser_t *parser = NULL;
+	cfg_obj_t *cfgobj = NULL;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(confp != NULL && *confp == NULL);
+
+	conf = isc_mem_get(mctx, sizeof(*conf));
+
+	conf->mctx = mctx;
+	ISC_LIST_INIT(conf->trusted_keylist);
+
+	/*
+	 * If the specified file does not exist, we'll simply with an empty
+	 * configuration.
+	 */
+	if (!isc_file_exists(filename)) {
+		goto cleanup;
+	}
+
+	result = cfg_parser_create(mctx, NULL, &parser);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	result = cfg_parse_file(parser, filename, &cfg_type_dnsconf, &cfgobj);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	result = configure_dnsseckeys(conf, cfgobj, dns_rdataclass_in);
+
+cleanup:
+	if (parser != NULL) {
+		if (cfgobj != NULL) {
+			cfg_obj_destroy(parser, &cfgobj);
+		}
+		cfg_parser_destroy(&parser);
+	}
+
+	conf->magic = IRS_DNSCONF_MAGIC;
+
+	if (result == ISC_R_SUCCESS) {
+		*confp = conf;
+	} else {
+		irs_dnsconf_destroy(&conf);
+	}
+
+	return (result);
+}
+
+void
+irs_dnsconf_destroy(irs_dnsconf_t **confp) {
+	irs_dnsconf_t *conf;
+	irs_dnsconf_dnskey_t *keyent;
+
+	REQUIRE(confp != NULL);
+	conf = *confp;
+	*confp = NULL;
+	REQUIRE(IRS_DNSCONF_VALID(conf));
+
+	while ((keyent = ISC_LIST_HEAD(conf->trusted_keylist)) != NULL) {
+		ISC_LIST_UNLINK(conf->trusted_keylist, keyent, link);
+
+		isc_buffer_free(&keyent->keydatabuf);
+		dns_name_free(keyent->keyname, conf->mctx);
+		isc_mem_put(conf->mctx, keyent->keyname, sizeof(dns_name_t));
+		isc_mem_put(conf->mctx, keyent, sizeof(*keyent));
+	}
+
+	isc_mem_put(conf->mctx, conf, sizeof(*conf));
+}
+
+irs_dnsconf_dnskeylist_t *
+irs_dnsconf_gettrustedkeys(irs_dnsconf_t *conf) {
+	REQUIRE(IRS_DNSCONF_VALID(conf));
+
+	return (&conf->trusted_keylist);
+}
diff --git a/lib/irs/gai_strerror.c b/lib/irs/gai_strerror.c
new file mode 100644
index 0000000..a2b989f
--- /dev/null
+++ b/lib/irs/gai_strerror.c
@@ -0,0 +1,96 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file gai_strerror.c
+ * gai_strerror() returns an error message corresponding to an
+ * error code returned by getaddrinfo() and getnameinfo(). The following error
+ * codes and their meaning are defined in
+ * \link netdb.h include/irs/netdb.h.\endlink
+ * This implementation is almost an exact copy of lwres/gai_sterror.c except
+ * that it catches up the latest API standard, RFC3493.
+ *
+ * \li #EAI_ADDRFAMILY address family for hostname not supported
+ * \li #EAI_AGAIN temporary failure in name resolution
+ * \li #EAI_BADFLAGS invalid value for ai_flags
+ * \li #EAI_FAIL non-recoverable failure in name resolution
+ * \li #EAI_FAMILY ai_family not supported
+ * \li #EAI_MEMORY memory allocation failure
+ * \li #EAI_NODATA no address associated with hostname (obsoleted in RFC3493)
+ * \li #EAI_NONAME hostname nor servname provided, or not known
+ * \li #EAI_SERVICE servname not supported for ai_socktype
+ * \li #EAI_SOCKTYPE ai_socktype not supported
+ * \li #EAI_SYSTEM system error returned in errno
+ * \li #EAI_BADHINTS Invalid value for hints (non-standard)
+ * \li #EAI_PROTOCOL Resolved protocol is unknown (non-standard)
+ * \li #EAI_OVERFLOW Argument buffer overflow
+ * \li #EAI_INSECUREDATA Insecure Data (experimental)
+ *
+ * The message invalid error code is returned if ecode is out of range.
+ *
+ * ai_flags, ai_family and ai_socktype are elements of the struct
+ * addrinfo used by lwres_getaddrinfo().
+ *
+ * \section gai_strerror_see See Also
+ *
+ * strerror(), getaddrinfo(), getnameinfo(), RFC3493.
+ */
+
+#include <isc/net.h>
+
+#include <irs/netdb.h>
+
+/*% Text of error messages. */
+static const char *gai_messages[] = { "no error",
+				      "address family for hostname not "
+				      "supported",
+				      "temporary failure in name resolution",
+				      "invalid value for ai_flags",
+				      "non-recoverable failure in name "
+				      "resolution",
+				      "ai_family not supported",
+				      "memory allocation failure",
+				      "no address associated with hostname",
+				      "hostname nor servname provided, or not "
+				      "known",
+				      "servname not supported for ai_socktype",
+				      "ai_socktype not supported",
+				      "system error returned in errno",
+				      "bad hints",
+				      "bad protocol",
+				      "argument buffer overflow",
+				      "insecure data provided" };
+
+/*%
+ * Returns an error message corresponding to an error code returned by
+ * getaddrinfo() and getnameinfo()
+ */
+#if defined _WIN32
+char *
+#else  /* if defined _WIN32 */
+const char *
+#endif /* if defined _WIN32 */
+gai_strerror(int ecode) {
+	union {
+		const char *const_ptr;
+		char *deconst_ptr;
+	} ptr;
+
+	if ((ecode < 0) ||
+	    (ecode >= (int)(sizeof(gai_messages) / sizeof(*gai_messages))))
+	{
+		ptr.const_ptr = "invalid error code";
+	} else {
+		ptr.const_ptr = gai_messages[ecode];
+	}
+	return (ptr.deconst_ptr);
+}
diff --git a/lib/irs/getaddrinfo.c b/lib/irs/getaddrinfo.c
new file mode 100644
index 0000000..f450a55
--- /dev/null
+++ b/lib/irs/getaddrinfo.c
@@ -0,0 +1,1365 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+/**
+ *    getaddrinfo() is used to get a list of IP addresses and port
+ *    numbers for host hostname and service servname as defined in RFC3493.
+ *    hostname and servname are pointers to null-terminated strings
+ *    or NULL. hostname is either a host name or a numeric host address
+ *    string: a dotted decimal IPv4 address or an IPv6 address. servname is
+ *    either a decimal port number or a service name as listed in
+ *    /etc/services.
+ *
+ *    If the operating system does not provide a struct addrinfo, the
+ *    following structure is used:
+ *
+ * \code
+ * struct  addrinfo {
+ *         int             ai_flags;       // AI_PASSIVE, AI_CANONNAME
+ *         int             ai_family;      // PF_xxx
+ *         int             ai_socktype;    // SOCK_xxx
+ *         int             ai_protocol;    // 0 or IPPROTO_xxx for IPv4 and IPv6
+ *         size_t          ai_addrlen;     // length of ai_addr
+ *         char            *ai_canonname;  // canonical name for hostname
+ *         struct sockaddr *ai_addr;       // binary address
+ *         struct addrinfo *ai_next;       // next structure in linked list
+ * };
+ * \endcode
+ *
+ *
+ *    hints is an optional pointer to a struct addrinfo. This structure can
+ *    be used to provide hints concerning the type of socket that the caller
+ *    supports or wishes to use. The caller can supply the following
+ *    structure elements in *hints:
+ *
+ * <ul>
+ *    <li>ai_family:
+ *           The protocol family that should be used. When ai_family is set
+ *           to PF_UNSPEC, it means the caller will accept any protocol
+ *           family supported by the operating system.</li>
+ *
+ *    <li>ai_socktype:
+ *           denotes the type of socket -- SOCK_STREAM, SOCK_DGRAM or
+ *           SOCK_RAW -- that is wanted. When ai_socktype is zero the caller
+ *           will accept any socket type.</li>
+ *
+ *    <li>ai_protocol:
+ *           indicates which transport protocol is wanted: IPPROTO_UDP or
+ *           IPPROTO_TCP. If ai_protocol is zero the caller will accept any
+ *           protocol.</li>
+ *
+ *    <li>ai_flags:
+ *           Flag bits. If the AI_CANONNAME bit is set, a successful call to
+ *           getaddrinfo() will return a null-terminated string
+ *           containing the canonical name of the specified hostname in
+ *           ai_canonname of the first addrinfo structure returned. Setting
+ *           the AI_PASSIVE bit indicates that the returned socket address
+ *           structure is intended for used in a call to bind(2). In this
+ *           case, if the hostname argument is a NULL pointer, then the IP
+ *           address portion of the socket address structure will be set to
+ *           INADDR_ANY for an IPv4 address or IN6ADDR_ANY_INIT for an IPv6
+ *           address.<br /><br />
+ *
+ *           When ai_flags does not set the AI_PASSIVE bit, the returned
+ *           socket address structure will be ready for use in a call to
+ *           connect(2) for a connection-oriented protocol or connect(2),
+ *           sendto(2), or sendmsg(2) if a connectionless protocol was
+ *           chosen. The IP address portion of the socket address structure
+ *           will be set to the loopback address if hostname is a NULL
+ *           pointer and AI_PASSIVE is not set in ai_flags.<br /><br />
+ *
+ *           If ai_flags is set to AI_NUMERICHOST it indicates that hostname
+ *           should be treated as a numeric string defining an IPv4 or IPv6
+ *           address and no name resolution should be attempted.
+ * </li></ul>
+ *
+ *    All other elements of the struct addrinfo passed via hints must be
+ *    zero.
+ *
+ *    A hints of NULL is treated as if the caller provided a struct addrinfo
+ *    initialized to zero with ai_familyset to PF_UNSPEC.
+ *
+ *    After a successful call to getaddrinfo(), *res is a pointer to a
+ *    linked list of one or more addrinfo structures. Each struct addrinfo
+ *    in this list cn be processed by following the ai_next pointer, until a
+ *    NULL pointer is encountered. The three members ai_family, ai_socktype,
+ *    and ai_protocol in each returned addrinfo structure contain the
+ *    corresponding arguments for a call to socket(2). For each addrinfo
+ *    structure in the list, the ai_addr member points to a filled-in socket
+ *    address structure of length ai_addrlen.
+ *
+ *    All of the information returned by getaddrinfo() is dynamically
+ *    allocated: the addrinfo structures, and the socket address structures
+ *    and canonical host name strings pointed to by the addrinfostructures.
+ *    Memory allocated for the dynamically allocated structures created by a
+ *    successful call to getaddrinfo() is released by freeaddrinfo().
+ *    ai is a pointer to a struct addrinfo created by a call to getaddrinfo().
+ *
+ * \section irsreturn RETURN VALUES
+ *
+ *    getaddrinfo() returns zero on success or one of the error codes
+ *    listed in gai_strerror() if an error occurs. If both hostname and
+ *    servname are NULL getaddrinfo() returns #EAI_NONAME.
+ *
+ * \section irssee SEE ALSO
+ *
+ *    getaddrinfo(), freeaddrinfo(),
+ *    gai_strerror(), RFC3493, getservbyname(3), connect(2),
+ *    sendto(2), sendmsg(2), socket(2).
+ */
+
+#include <errno.h>
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <string.h>
+
+#ifdef _WIN32
+#include <windows.h>
+#include <winsock2.h>
+#include <ws2tcpip.h>
+#endif /* ifdef _WIN32 */
+
+#include <isc/app.h>
+#include <isc/buffer.h>
+#include <isc/lib.h>
+#include <isc/mem.h>
+#include <isc/mutex.h>
+#include <isc/print.h>
+#include <isc/sockaddr.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/client.h>
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+
+#include <irs/context.h>
+#include <irs/netdb.h>
+#include <irs/resconf.h>
+
+#define SA(addr)     ((struct sockaddr *)(addr))
+#define SIN(addr)    ((struct sockaddr_in *)(addr))
+#define SIN6(addr)   ((struct sockaddr_in6 *)(addr))
+#define SLOCAL(addr) ((struct sockaddr_un *)(addr))
+
+/*! \struct addrinfo
+ */
+static struct addrinfo *
+ai_concat(struct addrinfo *ai1, struct addrinfo *ai2),
+	*ai_reverse(struct addrinfo *oai),
+	*ai_clone(struct addrinfo *oai, int family),
+	*ai_alloc(int family, int addrlen);
+#ifdef AF_LOCAL
+static int
+get_local(const char *name, int socktype, struct addrinfo **res);
+#endif /* ifdef AF_LOCAL */
+
+static int
+resolve_name(int family, const char *hostname, int flags, struct addrinfo **aip,
+	     int socktype, int port);
+
+static int
+add_ipv4(const char *hostname, int flags, struct addrinfo **aip, int socktype,
+	 int port);
+static int
+add_ipv6(const char *hostname, int flags, struct addrinfo **aip, int socktype,
+	 int port);
+static void
+set_order(int, int (**)(const char *, int, struct addrinfo **, int, int));
+static void
+_freeaddrinfo(struct addrinfo *ai);
+
+#define FOUND_IPV4 0x1
+#define FOUND_IPV6 0x2
+#define FOUND_MAX  2
+
+/*%
+ * Try converting the scope identifier in 'src' to a network interface index.
+ * Upon success, return true and store the resulting index in 'dst'.  Upon
+ * failure, return false.
+ */
+static bool
+parse_scopeid(const char *src, uint32_t *dst) {
+	uint32_t scopeid = 0;
+
+	REQUIRE(src != NULL);
+	REQUIRE(dst != NULL);
+
+#ifdef HAVE_IF_NAMETOINDEX
+	/*
+	 * Try using if_nametoindex() first if it is available.  As it does not
+	 * handle numeric scopes, we do not simply return if it fails.
+	 */
+	scopeid = (uint32_t)if_nametoindex(src);
+#endif /* ifdef HAVE_IF_NAMETOINDEX */
+
+	/*
+	 * Fall back to numeric scope processing if if_nametoindex() either
+	 * fails or is unavailable.
+	 */
+	if (scopeid == 0) {
+		char *endptr = NULL;
+		scopeid = (uint32_t)strtoul(src, &endptr, 10);
+		/*
+		 * The scope identifier must not be empty and no trailing
+		 * characters are allowed after it.
+		 */
+		if (src == endptr || endptr == NULL || *endptr != '\0') {
+			return (false);
+		}
+	}
+
+	*dst = scopeid;
+
+	return (true);
+}
+
+#define ISC_AI_MASK (AI_PASSIVE | AI_CANONNAME | AI_NUMERICHOST)
+/*%
+ * Get a list of IP addresses and port numbers for host hostname and
+ * service servname.
+ */
+int
+getaddrinfo(const char *hostname, const char *servname,
+	    const struct addrinfo *hints, struct addrinfo **res) {
+	struct servent *sp;
+	const char *proto;
+	int family, socktype, flags, protocol;
+	struct addrinfo *ai, *ai_list;
+	int err = 0;
+	int port, i;
+	int (*net_order[FOUND_MAX + 1])(const char *, int, struct addrinfo **,
+					int, int);
+
+	if (hostname == NULL && servname == NULL) {
+		return (EAI_NONAME);
+	}
+
+	proto = NULL;
+	if (hints != NULL) {
+		if ((hints->ai_flags & ~(ISC_AI_MASK)) != 0) {
+			return (EAI_BADFLAGS);
+		}
+		if (hints->ai_addrlen || hints->ai_canonname ||
+		    hints->ai_addr || hints->ai_next)
+		{
+			errno = EINVAL;
+			return (EAI_SYSTEM);
+		}
+		family = hints->ai_family;
+		socktype = hints->ai_socktype;
+		protocol = hints->ai_protocol;
+		flags = hints->ai_flags;
+		switch (family) {
+		case AF_UNSPEC:
+			switch (hints->ai_socktype) {
+			case SOCK_STREAM:
+				proto = "tcp";
+				break;
+			case SOCK_DGRAM:
+				proto = "udp";
+				break;
+			}
+			break;
+		case AF_INET:
+		case AF_INET6:
+			switch (hints->ai_socktype) {
+			case 0:
+				break;
+			case SOCK_STREAM:
+				proto = "tcp";
+				break;
+			case SOCK_DGRAM:
+				proto = "udp";
+				break;
+			case SOCK_RAW:
+				break;
+			default:
+				return (EAI_SOCKTYPE);
+			}
+			break;
+#ifdef AF_LOCAL
+		case AF_LOCAL:
+			switch (hints->ai_socktype) {
+			case 0:
+				break;
+			case SOCK_STREAM:
+				break;
+			case SOCK_DGRAM:
+				break;
+			default:
+				return (EAI_SOCKTYPE);
+			}
+			break;
+#endif /* ifdef AF_LOCAL */
+		default:
+			return (EAI_FAMILY);
+		}
+	} else {
+		protocol = 0;
+		family = 0;
+		socktype = 0;
+		flags = 0;
+	}
+
+#ifdef AF_LOCAL
+	/*!
+	 * First, deal with AF_LOCAL.  If the family was not set,
+	 * then assume AF_LOCAL if the first character of the
+	 * hostname/servname is '/'.
+	 */
+
+	if (hostname != NULL &&
+	    (family == AF_LOCAL || (family == 0 && *hostname == '/')))
+	{
+		return (get_local(hostname, socktype, res));
+	}
+
+	if (servname != NULL &&
+	    (family == AF_LOCAL || (family == 0 && *servname == '/')))
+	{
+		return (get_local(servname, socktype, res));
+	}
+#endif /* ifdef AF_LOCAL */
+
+	/*
+	 * Ok, only AF_INET and AF_INET6 left.
+	 */
+	ai_list = NULL;
+
+	/*
+	 * First, look up the service name (port) if it was
+	 * requested.  If the socket type wasn't specified, then
+	 * try and figure it out.
+	 */
+	if (servname != NULL) {
+		char *e;
+
+		port = strtol(servname, &e, 10);
+		if (*e == '\0') {
+			if (socktype == 0) {
+				return (EAI_SOCKTYPE);
+			}
+			if (port < 0 || port > 65535) {
+				return (EAI_SERVICE);
+			}
+			port = htons((unsigned short)port);
+		} else {
+#ifdef _WIN32
+			WORD wVersionRequested;
+			WSADATA wsaData;
+
+			wVersionRequested = MAKEWORD(2, 0);
+
+			err = WSAStartup(wVersionRequested, &wsaData);
+			if (err != 0) {
+				return (EAI_FAIL);
+			}
+#endif /* ifdef _WIN32 */
+			sp = getservbyname(servname, proto);
+			if (sp != NULL) {
+				port = sp->s_port;
+			}
+#ifdef _WIN32
+			WSACleanup();
+#endif /* ifdef _WIN32 */
+			if (sp == NULL) {
+				return (EAI_SERVICE);
+			}
+			if (socktype == 0) {
+				if (strcmp(sp->s_proto, "tcp") == 0) {
+					socktype = SOCK_STREAM;
+				} else if (strcmp(sp->s_proto, "udp") == 0) {
+					socktype = SOCK_DGRAM;
+				}
+			}
+		}
+	} else {
+		port = 0;
+	}
+
+	/*
+	 * Next, deal with just a service name, and no hostname.
+	 * (we verified that one of them was non-null up above).
+	 */
+	if (hostname == NULL && (flags & AI_PASSIVE) != 0) {
+		if (family == AF_INET || family == 0) {
+			ai = ai_alloc(AF_INET, sizeof(struct sockaddr_in));
+			if (ai == NULL) {
+				return (EAI_MEMORY);
+			}
+			ai->ai_socktype = socktype;
+			ai->ai_protocol = protocol;
+			SIN(ai->ai_addr)->sin_port = port;
+			ai->ai_next = ai_list;
+			ai_list = ai;
+		}
+
+		if (family == AF_INET6 || family == 0) {
+			ai = ai_alloc(AF_INET6, sizeof(struct sockaddr_in6));
+			if (ai == NULL) {
+				_freeaddrinfo(ai_list);
+				return (EAI_MEMORY);
+			}
+			ai->ai_socktype = socktype;
+			ai->ai_protocol = protocol;
+			SIN6(ai->ai_addr)->sin6_port = port;
+			ai->ai_next = ai_list;
+			ai_list = ai;
+		}
+
+		*res = ai_list;
+		return (0);
+	}
+
+	/*
+	 * If the family isn't specified or AI_NUMERICHOST specified, check
+	 * first to see if it is a numeric address.
+	 * Though the gethostbyname2() routine will recognize numeric addresses,
+	 * it will only recognize the format that it is being called for.  Thus,
+	 * a numeric AF_INET address will be treated by the AF_INET6 call as
+	 * a domain name, and vice versa.  Checking for both numerics here
+	 * avoids that.
+	 */
+	if (hostname != NULL && (family == 0 || (flags & AI_NUMERICHOST) != 0))
+	{
+		char abuf[sizeof(struct in6_addr)];
+		char nbuf[NI_MAXHOST];
+		int addrsize, addroff;
+		char ntmp[NI_MAXHOST];
+		uint32_t scopeid = 0;
+
+		/*
+		 * Scope identifier portion.
+		 */
+		ntmp[0] = '\0';
+		if (strchr(hostname, '%') != NULL) {
+			char *p;
+			strlcpy(ntmp, hostname, sizeof(ntmp));
+			p = strchr(ntmp, '%');
+
+			if (p != NULL && parse_scopeid(p + 1, &scopeid)) {
+				*p = '\0';
+			} else {
+				ntmp[0] = '\0';
+			}
+		}
+
+		if (inet_pton(AF_INET, hostname, (struct in_addr *)abuf) == 1) {
+			if (family == AF_INET6) {
+				/*
+				 * Convert to a V4 mapped address.
+				 */
+				struct in6_addr *a6 = (struct in6_addr *)abuf;
+				memmove(&a6->s6_addr[12], &a6->s6_addr[0], 4);
+				memset(&a6->s6_addr[10], 0xff, 2);
+				memset(&a6->s6_addr[0], 0, 10);
+				goto inet6_addr;
+			}
+			addrsize = sizeof(struct in_addr);
+			addroff = offsetof(struct sockaddr_in, sin_addr);
+			family = AF_INET;
+			goto common;
+		} else if (ntmp[0] != '\0' &&
+			   inet_pton(AF_INET6, ntmp, abuf) == 1)
+		{
+			if (family && family != AF_INET6) {
+				return (EAI_NONAME);
+			}
+			addrsize = sizeof(struct in6_addr);
+			addroff = offsetof(struct sockaddr_in6, sin6_addr);
+			family = AF_INET6;
+			goto common;
+		} else if (inet_pton(AF_INET6, hostname, abuf) == 1) {
+			if (family != 0 && family != AF_INET6) {
+				return (EAI_NONAME);
+			}
+		inet6_addr:
+			addrsize = sizeof(struct in6_addr);
+			addroff = offsetof(struct sockaddr_in6, sin6_addr);
+			family = AF_INET6;
+
+		common:
+			ai = ai_alloc(family,
+				      ((family == AF_INET6)
+					       ? sizeof(struct sockaddr_in6)
+					       : sizeof(struct sockaddr_in)));
+			if (ai == NULL) {
+				return (EAI_MEMORY);
+			}
+			ai_list = ai;
+			ai->ai_socktype = socktype;
+			SIN(ai->ai_addr)->sin_port = port;
+			memmove((char *)ai->ai_addr + addroff, abuf, addrsize);
+			if (ai->ai_family == AF_INET6) {
+				SIN6(ai->ai_addr)->sin6_scope_id = scopeid;
+			}
+			if ((flags & AI_CANONNAME) != 0) {
+				if (getnameinfo(ai->ai_addr,
+						(socklen_t)ai->ai_addrlen, nbuf,
+						sizeof(nbuf), NULL, 0,
+						NI_NUMERICHOST) == 0)
+				{
+					ai->ai_canonname = strdup(nbuf);
+					if (ai->ai_canonname == NULL) {
+						_freeaddrinfo(ai);
+						return (EAI_MEMORY);
+					}
+				} else {
+					/* XXX raise error? */
+					ai->ai_canonname = NULL;
+				}
+			}
+			goto done;
+		} else if ((flags & AI_NUMERICHOST) != 0) {
+			return (EAI_NONAME);
+		}
+	}
+
+	if (hostname == NULL && (flags & AI_PASSIVE) == 0) {
+		set_order(family, net_order);
+		for (i = 0; i < FOUND_MAX; i++) {
+			if (net_order[i] == NULL) {
+				break;
+			}
+			err = (net_order[i])(hostname, flags, &ai_list,
+					     socktype, port);
+			if (err != 0) {
+				if (ai_list != NULL) {
+					_freeaddrinfo(ai_list);
+					ai_list = NULL;
+				}
+				break;
+			}
+		}
+	} else {
+		err = resolve_name(family, hostname, flags, &ai_list, socktype,
+				   port);
+	}
+
+	if (ai_list == NULL) {
+		if (err == 0) {
+			err = EAI_NONAME;
+		}
+		return (err);
+	}
+
+done:
+	ai_list = ai_reverse(ai_list);
+
+	*res = ai_list;
+	return (0);
+}
+
+typedef struct gai_restrans {
+	dns_clientrestrans_t *xid;
+	bool is_inprogress;
+	int error;
+	struct addrinfo ai_sentinel;
+	struct gai_resstate *resstate;
+} gai_restrans_t;
+
+typedef struct gai_resstate {
+	isc_mem_t *mctx;
+	struct gai_statehead *head;
+	dns_fixedname_t fixedname;
+	dns_name_t *qname;
+	gai_restrans_t *trans4;
+	gai_restrans_t *trans6;
+	ISC_LINK(struct gai_resstate) link;
+} gai_resstate_t;
+
+typedef struct gai_statehead {
+	int ai_family;
+	int ai_flags;
+	int ai_socktype;
+	int ai_port;
+	isc_appctx_t *actx;
+	dns_client_t *dnsclient;
+	isc_mutex_t list_lock;
+	ISC_LIST(struct gai_resstate) resstates;
+	unsigned int activestates;
+} gai_statehead_t;
+
+static isc_result_t
+make_resstate(isc_mem_t *mctx, gai_statehead_t *head, const char *hostname,
+	      const char *domain, gai_resstate_t **statep) {
+	isc_result_t result;
+	gai_resstate_t *state;
+	dns_fixedname_t fixeddomain;
+	dns_name_t *qdomain;
+	unsigned int namelen;
+	isc_buffer_t b;
+	bool need_v4 = false;
+	bool need_v6 = false;
+
+	state = isc_mem_get(mctx, sizeof(*state));
+
+	/* Construct base domain name */
+	namelen = strlen(domain);
+	isc_buffer_constinit(&b, domain, namelen);
+	isc_buffer_add(&b, namelen);
+	qdomain = dns_fixedname_initname(&fixeddomain);
+	result = dns_name_fromtext(qdomain, &b, dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(mctx, state, sizeof(*state));
+		return (result);
+	}
+
+	/* Construct query name */
+	namelen = strlen(hostname);
+	isc_buffer_constinit(&b, hostname, namelen);
+	isc_buffer_add(&b, namelen);
+	state->qname = dns_fixedname_initname(&state->fixedname);
+	result = dns_name_fromtext(state->qname, &b, qdomain, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(mctx, state, sizeof(*state));
+		return (result);
+	}
+
+	if (head->ai_family == AF_UNSPEC || head->ai_family == AF_INET) {
+		need_v4 = true;
+	}
+	if (head->ai_family == AF_UNSPEC || head->ai_family == AF_INET6) {
+		need_v6 = true;
+	}
+
+	state->trans6 = NULL;
+	state->trans4 = NULL;
+	if (need_v4) {
+		state->trans4 = isc_mem_get(mctx, sizeof(gai_restrans_t));
+		state->trans4->error = 0;
+		state->trans4->xid = NULL;
+		state->trans4->resstate = state;
+		state->trans4->is_inprogress = true;
+		state->trans4->ai_sentinel.ai_next = NULL;
+	}
+	if (need_v6) {
+		state->trans6 = isc_mem_get(mctx, sizeof(gai_restrans_t));
+		state->trans6->error = 0;
+		state->trans6->xid = NULL;
+		state->trans6->resstate = state;
+		state->trans6->is_inprogress = true;
+		state->trans6->ai_sentinel.ai_next = NULL;
+	}
+
+	state->mctx = mctx;
+	state->head = head;
+	ISC_LINK_INIT(state, link);
+
+	*statep = state;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+make_resstates(isc_mem_t *mctx, const char *hostname, gai_statehead_t *head,
+	       irs_resconf_t *resconf) {
+	isc_result_t result;
+	irs_resconf_searchlist_t *searchlist;
+	irs_resconf_search_t *searchent;
+	gai_resstate_t *resstate, *resstate0;
+
+	resstate0 = NULL;
+	result = make_resstate(mctx, head, hostname, ".", &resstate0);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	searchlist = irs_resconf_getsearchlist(resconf);
+	for (searchent = ISC_LIST_HEAD(*searchlist); searchent != NULL;
+	     searchent = ISC_LIST_NEXT(searchent, link))
+	{
+		resstate = NULL;
+		result = make_resstate(mctx, head, hostname,
+				       (const char *)searchent->domain,
+				       &resstate);
+		if (result != ISC_R_SUCCESS) {
+			break;
+		}
+
+		ISC_LIST_APPEND(head->resstates, resstate, link);
+		head->activestates++;
+	}
+
+	/*
+	 * Insert the original hostname either at the head or the tail of the
+	 * state list, depending on the number of labels contained in the
+	 * original name and the 'ndots' configuration parameter.
+	 */
+	if (dns_name_countlabels(resstate0->qname) >
+	    irs_resconf_getndots(resconf) + 1)
+	{
+		ISC_LIST_PREPEND(head->resstates, resstate0, link);
+	} else {
+		ISC_LIST_APPEND(head->resstates, resstate0, link);
+	}
+	head->activestates++;
+
+	if (result != ISC_R_SUCCESS) {
+		while ((resstate = ISC_LIST_HEAD(head->resstates)) != NULL) {
+			ISC_LIST_UNLINK(head->resstates, resstate, link);
+			if (resstate->trans4 != NULL) {
+				isc_mem_put(mctx, resstate->trans4,
+					    sizeof(*resstate->trans4));
+			}
+			if (resstate->trans6 != NULL) {
+				isc_mem_put(mctx, resstate->trans6,
+					    sizeof(*resstate->trans6));
+			}
+
+			isc_mem_put(mctx, resstate, sizeof(*resstate));
+		}
+	}
+
+	return (result);
+}
+
+static void
+process_answer(isc_task_t *task, isc_event_t *event) {
+	int error = 0, family;
+	gai_restrans_t *trans = event->ev_arg;
+	gai_resstate_t *resstate;
+	dns_clientresevent_t *rev = (dns_clientresevent_t *)event;
+	dns_rdatatype_t qtype;
+	dns_name_t *name;
+	bool wantcname;
+
+	REQUIRE(trans != NULL);
+	resstate = trans->resstate;
+	REQUIRE(resstate != NULL);
+	REQUIRE(task != NULL);
+
+	if (trans == resstate->trans4) {
+		family = AF_INET;
+		qtype = dns_rdatatype_a;
+	} else {
+		INSIST(trans == resstate->trans6);
+		family = AF_INET6;
+		qtype = dns_rdatatype_aaaa;
+	}
+
+	INSIST(trans->is_inprogress);
+	trans->is_inprogress = false;
+
+	switch (rev->result) {
+	case ISC_R_SUCCESS:
+	case DNS_R_NCACHENXDOMAIN: /* treat this as a fatal error? */
+	case DNS_R_NCACHENXRRSET:
+		break;
+	default:
+		switch (rev->vresult) {
+		case DNS_R_SIGINVALID:
+		case DNS_R_SIGEXPIRED:
+		case DNS_R_SIGFUTURE:
+		case DNS_R_KEYUNAUTHORIZED:
+		case DNS_R_MUSTBESECURE:
+		case DNS_R_COVERINGNSEC:
+		case DNS_R_NOTAUTHORITATIVE:
+		case DNS_R_NOVALIDKEY:
+		case DNS_R_NOVALIDDS:
+		case DNS_R_NOVALIDSIG:
+			error = EAI_INSECUREDATA;
+			break;
+		default:
+			error = EAI_FAIL;
+		}
+		goto done;
+	}
+
+	wantcname = ((resstate->head->ai_flags & AI_CANONNAME) != 0);
+
+	/* Parse the response and construct the addrinfo chain */
+	for (name = ISC_LIST_HEAD(rev->answerlist); name != NULL;
+	     name = ISC_LIST_NEXT(name, link))
+	{
+		isc_result_t result;
+		dns_rdataset_t *rdataset;
+		char cname[1024];
+
+		if (wantcname) {
+			isc_buffer_t b;
+
+			isc_buffer_init(&b, cname, sizeof(cname));
+			result = dns_name_totext(name, true, &b);
+			if (result != ISC_R_SUCCESS) {
+				error = EAI_FAIL;
+				goto done;
+			}
+			isc_buffer_putuint8(&b, '\0');
+		}
+
+		for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link))
+		{
+			if (!dns_rdataset_isassociated(rdataset)) {
+				continue;
+			}
+			if (rdataset->type != qtype) {
+				continue;
+			}
+
+			for (result = dns_rdataset_first(rdataset);
+			     result == ISC_R_SUCCESS;
+			     result = dns_rdataset_next(rdataset))
+			{
+				struct addrinfo *ai;
+				dns_rdata_t rdata;
+				dns_rdata_in_a_t rdata_a;
+				dns_rdata_in_aaaa_t rdata_aaaa;
+
+				ai = ai_alloc(
+					family,
+					((family == AF_INET6)
+						 ? sizeof(struct sockaddr_in6)
+						 : sizeof(struct sockaddr_in)));
+				if (ai == NULL) {
+					error = EAI_MEMORY;
+					goto done;
+				}
+				ai->ai_socktype = resstate->head->ai_socktype;
+				ai->ai_next = trans->ai_sentinel.ai_next;
+				trans->ai_sentinel.ai_next = ai;
+
+				/*
+				 * Set AF-specific parameters
+				 * (IPv4/v6 address/port)
+				 */
+				dns_rdata_init(&rdata);
+				switch (family) {
+				case AF_INET:
+					dns_rdataset_current(rdataset, &rdata);
+					result = dns_rdata_tostruct(
+						&rdata, &rdata_a, NULL);
+					RUNTIME_CHECK(result == ISC_R_SUCCESS);
+					SIN(ai->ai_addr)->sin_port =
+						resstate->head->ai_port;
+					memmove(&SIN(ai->ai_addr)->sin_addr,
+						&rdata_a.in_addr, 4);
+					dns_rdata_freestruct(&rdata_a);
+					break;
+				case AF_INET6:
+					dns_rdataset_current(rdataset, &rdata);
+					result = dns_rdata_tostruct(
+						&rdata, &rdata_aaaa, NULL);
+					RUNTIME_CHECK(result == ISC_R_SUCCESS);
+					SIN6(ai->ai_addr)->sin6_port =
+						resstate->head->ai_port;
+					memmove(&SIN6(ai->ai_addr)->sin6_addr,
+						&rdata_aaaa.in6_addr, 16);
+					dns_rdata_freestruct(&rdata_aaaa);
+					break;
+				}
+
+				if (wantcname) {
+					ai->ai_canonname = strdup(cname);
+					if (ai->ai_canonname == NULL) {
+						error = EAI_MEMORY;
+						goto done;
+					}
+				}
+			}
+		}
+	}
+
+done:
+	dns_client_freeresanswer(resstate->head->dnsclient, &rev->answerlist);
+	dns_client_destroyrestrans(&trans->xid);
+
+	isc_event_free(&event);
+
+	/* Make sure that error == 0 iff we have a non-empty list */
+	if (error == 0) {
+		if (trans->ai_sentinel.ai_next == NULL) {
+			error = EAI_NONAME;
+		}
+	} else {
+		if (trans->ai_sentinel.ai_next != NULL) {
+			_freeaddrinfo(trans->ai_sentinel.ai_next);
+			trans->ai_sentinel.ai_next = NULL;
+		}
+	}
+	trans->error = error;
+
+	/* Check whether we are done */
+	if ((resstate->trans4 == NULL || !resstate->trans4->is_inprogress) &&
+	    (resstate->trans6 == NULL || !resstate->trans6->is_inprogress))
+	{
+		/*
+		 * We're done for this state.  If there is no other outstanding
+		 * state, we can exit.
+		 */
+		resstate->head->activestates--;
+		if (resstate->head->activestates == 0) {
+			isc_app_ctxsuspend(resstate->head->actx);
+			return;
+		}
+
+		/*
+		 * There are outstanding states, but if we are at the head
+		 * of the state list (i.e., at the highest search priority)
+		 * and have any answer, we can stop now by canceling the
+		 * others.
+		 */
+		LOCK(&resstate->head->list_lock);
+		if (resstate == ISC_LIST_HEAD(resstate->head->resstates)) {
+			if ((resstate->trans4 != NULL &&
+			     resstate->trans4->ai_sentinel.ai_next != NULL) ||
+			    (resstate->trans6 != NULL &&
+			     resstate->trans6->ai_sentinel.ai_next != NULL))
+			{
+				gai_resstate_t *rest;
+
+				for (rest = ISC_LIST_NEXT(resstate, link);
+				     rest != NULL;
+				     rest = ISC_LIST_NEXT(rest, link))
+				{
+					if (rest->trans4 != NULL &&
+					    rest->trans4->xid != NULL)
+					{
+						dns_client_cancelresolve(
+							rest->trans4->xid);
+					}
+					if (rest->trans6 != NULL &&
+					    rest->trans6->xid != NULL)
+					{
+						dns_client_cancelresolve(
+							rest->trans6->xid);
+					}
+				}
+			} else {
+				/*
+				 * This search fails, so we move to the tail
+				 * of the list so that the next entry will
+				 * have the highest priority.
+				 */
+				ISC_LIST_UNLINK(resstate->head->resstates,
+						resstate, link);
+				ISC_LIST_APPEND(resstate->head->resstates,
+						resstate, link);
+			}
+		}
+		UNLOCK(&resstate->head->list_lock);
+	}
+}
+
+static int
+resolve_name(int family, const char *hostname, int flags, struct addrinfo **aip,
+	     int socktype, int port) {
+	isc_result_t result;
+	irs_context_t *irsctx;
+	irs_resconf_t *conf;
+	isc_mem_t *mctx;
+	isc_appctx_t *actx;
+	isc_task_t *task;
+	int terror = 0;
+	int error = 0;
+	dns_client_t *client;
+	gai_resstate_t *resstate;
+	gai_statehead_t head;
+	bool all_fail = true;
+
+	/* get IRS context and the associated parameters */
+	irsctx = NULL;
+	result = irs_context_get(&irsctx);
+	if (result != ISC_R_SUCCESS) {
+		return (EAI_FAIL);
+	}
+	actx = irs_context_getappctx(irsctx);
+
+	mctx = irs_context_getmctx(irsctx);
+	task = irs_context_gettask(irsctx);
+	conf = irs_context_getresconf(irsctx);
+	client = irs_context_getdnsclient(irsctx);
+
+	/* construct resolution states */
+	head.activestates = 0;
+	head.ai_family = family;
+	head.ai_socktype = socktype;
+	head.ai_flags = flags;
+	head.ai_port = port;
+	head.actx = actx;
+	head.dnsclient = client;
+	isc_mutex_init(&head.list_lock);
+
+	ISC_LIST_INIT(head.resstates);
+	result = make_resstates(mctx, hostname, &head, conf);
+	if (result != ISC_R_SUCCESS) {
+		isc_mutex_destroy(&head.list_lock);
+		return (EAI_FAIL);
+	}
+
+	LOCK(&head.list_lock);
+	for (resstate = ISC_LIST_HEAD(head.resstates); resstate != NULL;
+	     resstate = ISC_LIST_NEXT(resstate, link))
+	{
+		if (resstate->trans4 != NULL) {
+			result = dns_client_startresolve(
+				client, resstate->qname, dns_rdataclass_in,
+				dns_rdatatype_a, 0, task, process_answer,
+				resstate->trans4, &resstate->trans4->xid);
+			if (result == ISC_R_SUCCESS) {
+				resstate->trans4->is_inprogress = true;
+				all_fail = false;
+			} else {
+				resstate->trans4->is_inprogress = false;
+			}
+		}
+		if (resstate->trans6 != NULL) {
+			result = dns_client_startresolve(
+				client, resstate->qname, dns_rdataclass_in,
+				dns_rdatatype_aaaa, 0, task, process_answer,
+				resstate->trans6, &resstate->trans6->xid);
+			if (result == ISC_R_SUCCESS) {
+				resstate->trans6->is_inprogress = true;
+				all_fail = false;
+			} else {
+				resstate->trans6->is_inprogress = false;
+			}
+		}
+	}
+	UNLOCK(&head.list_lock);
+
+	if (!all_fail) {
+		/* Start all the events */
+		isc_app_ctxrun(actx);
+	} else {
+		error = EAI_FAIL;
+	}
+
+	/* Cleanup */
+	while ((resstate = ISC_LIST_HEAD(head.resstates)) != NULL) {
+		int terror4 = 0, terror6 = 0;
+
+		ISC_LIST_UNLINK(head.resstates, resstate, link);
+
+		if (*aip == NULL) {
+			struct addrinfo *sentinel4 = NULL;
+			struct addrinfo *sentinel6 = NULL;
+
+			if (resstate->trans4 != NULL) {
+				sentinel4 =
+					resstate->trans4->ai_sentinel.ai_next;
+				resstate->trans4->ai_sentinel.ai_next = NULL;
+			}
+			if (resstate->trans6 != NULL) {
+				sentinel6 =
+					resstate->trans6->ai_sentinel.ai_next;
+				resstate->trans6->ai_sentinel.ai_next = NULL;
+			}
+			*aip = ai_concat(sentinel4, sentinel6);
+		}
+
+		if (resstate->trans4 != NULL) {
+			INSIST(resstate->trans4->xid == NULL);
+			terror4 = resstate->trans4->error;
+			isc_mem_put(mctx, resstate->trans4,
+				    sizeof(*resstate->trans4));
+		}
+		if (resstate->trans6 != NULL) {
+			INSIST(resstate->trans6->xid == NULL);
+			terror6 = resstate->trans6->error;
+			isc_mem_put(mctx, resstate->trans6,
+				    sizeof(*resstate->trans6));
+		}
+
+		/*
+		 * If the entire lookup fails, we need to choose an appropriate
+		 * error code from individual codes.  We'll try to provide as
+		 * specific a code as possible.  In general, we are going to
+		 * find an error code other than EAI_NONAME (which is too
+		 * generic and may actually not be problematic in some cases).
+		 * EAI_NONAME will be set below if no better code is found.
+		 */
+		if (terror == 0 || terror == EAI_NONAME) {
+			if (terror4 != 0 && terror4 != EAI_NONAME) {
+				terror = terror4;
+			} else if (terror6 != 0 && terror6 != EAI_NONAME) {
+				terror = terror6;
+			}
+		}
+
+		isc_mem_put(mctx, resstate, sizeof(*resstate));
+	}
+
+	if (*aip == NULL) {
+		error = terror;
+		if (error == 0) {
+			error = EAI_NONAME;
+		}
+	}
+
+#if 1 /*  XXX: enabled for finding leaks.  should be cleaned up later. */
+	isc_app_ctxfinish(actx);
+	irs_context_destroy(&irsctx);
+#endif /* if 1 */
+
+	isc_mutex_destroy(&head.list_lock);
+	return (error);
+}
+
+static void
+set_order(int family,
+	  int (**net_order)(const char *, int, struct addrinfo **, int, int)) {
+	char *order, *tok, *last;
+	int found;
+
+	if (family) {
+		switch (family) {
+		case AF_INET:
+			*net_order++ = add_ipv4;
+			break;
+		case AF_INET6:
+			*net_order++ = add_ipv6;
+			break;
+		}
+	} else {
+		order = getenv("NET_ORDER");
+		found = 0;
+		if (order != NULL) {
+			last = NULL;
+			for (tok = strtok_r(order, ":", &last); tok;
+			     tok = strtok_r(NULL, ":", &last))
+			{
+				if (strcasecmp(tok, "inet6") == 0) {
+					if ((found & FOUND_IPV6) == 0) {
+						*net_order++ = add_ipv6;
+					}
+					found |= FOUND_IPV6;
+				} else if (strcasecmp(tok, "inet") == 0 ||
+					   strcasecmp(tok, "inet4") == 0)
+				{
+					if ((found & FOUND_IPV4) == 0) {
+						*net_order++ = add_ipv4;
+					}
+					found |= FOUND_IPV4;
+				}
+			}
+		}
+
+		/*
+		 * Add in anything that we didn't find.
+		 */
+		if ((found & FOUND_IPV4) == 0) {
+			*net_order++ = add_ipv4;
+		}
+		if ((found & FOUND_IPV6) == 0) {
+			*net_order++ = add_ipv6;
+		}
+	}
+	*net_order = NULL;
+	return;
+}
+
+static char v4_loop[4] = { 127, 0, 0, 1 };
+
+static int
+add_ipv4(const char *hostname, int flags, struct addrinfo **aip, int socktype,
+	 int port) {
+	struct addrinfo *ai;
+
+	UNUSED(hostname);
+	UNUSED(flags);
+
+	ai = ai_clone(*aip, AF_INET); /* don't use ai_clone() */
+	if (ai == NULL) {
+		return (EAI_MEMORY);
+	}
+
+	*aip = ai;
+	ai->ai_socktype = socktype;
+	SIN(ai->ai_addr)->sin_port = port;
+	memmove(&SIN(ai->ai_addr)->sin_addr, v4_loop, 4);
+
+	return (0);
+}
+
+static char v6_loop[16] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 };
+
+static int
+add_ipv6(const char *hostname, int flags, struct addrinfo **aip, int socktype,
+	 int port) {
+	struct addrinfo *ai;
+
+	UNUSED(hostname);
+	UNUSED(flags);
+
+	ai = ai_clone(*aip, AF_INET6); /* don't use ai_clone() */
+	if (ai == NULL) {
+		return (EAI_MEMORY);
+	}
+
+	*aip = ai;
+	ai->ai_socktype = socktype;
+	SIN6(ai->ai_addr)->sin6_port = port;
+	memmove(&SIN6(ai->ai_addr)->sin6_addr, v6_loop, 16);
+
+	return (0);
+}
+
+/*% Free address info. */
+void
+freeaddrinfo(struct addrinfo *ai) {
+	_freeaddrinfo(ai);
+}
+
+static void
+_freeaddrinfo(struct addrinfo *ai) {
+	struct addrinfo *ai_next;
+
+	while (ai != NULL) {
+		ai_next = ai->ai_next;
+		if (ai->ai_addr != NULL) {
+			free(ai->ai_addr);
+		}
+		if (ai->ai_canonname) {
+			free(ai->ai_canonname);
+		}
+		free(ai);
+		ai = ai_next;
+	}
+}
+
+#ifdef AF_LOCAL
+static int
+get_local(const char *name, int socktype, struct addrinfo **res) {
+	struct addrinfo *ai;
+	struct sockaddr_un *slocal;
+
+	if (socktype == 0) {
+		return (EAI_SOCKTYPE);
+	}
+
+	ai = ai_alloc(AF_LOCAL, sizeof(*slocal));
+	if (ai == NULL) {
+		return (EAI_MEMORY);
+	}
+
+	slocal = SLOCAL(ai->ai_addr);
+	strlcpy(slocal->sun_path, name, sizeof(slocal->sun_path));
+
+	ai->ai_socktype = socktype;
+	/*
+	 * ai->ai_flags, ai->ai_protocol, ai->ai_canonname,
+	 * and ai->ai_next were initialized to zero.
+	 */
+
+	*res = ai;
+	return (0);
+}
+#endif /* ifdef AF_LOCAL */
+
+/*!
+ * Allocate an addrinfo structure, and a sockaddr structure
+ * of the specified length.  We initialize:
+ *	ai_addrlen
+ *	ai_family
+ *	ai_addr
+ *	ai_addr->sa_family
+ *	ai_addr->sa_len	(IRS_PLATFORM_HAVESALEN)
+ * and everything else is initialized to zero.
+ */
+static struct addrinfo *
+ai_alloc(int family, int addrlen) {
+	struct addrinfo *ai;
+
+	ai = (struct addrinfo *)calloc(1, sizeof(*ai));
+	if (ai == NULL) {
+		return (NULL);
+	}
+
+	ai->ai_addr = SA(calloc(1, addrlen));
+	if (ai->ai_addr == NULL) {
+		free(ai);
+		return (NULL);
+	}
+	ai->ai_addrlen = addrlen;
+	ai->ai_family = family;
+	ai->ai_addr->sa_family = family;
+#ifdef IRS_PLATFORM_HAVESALEN
+	ai->ai_addr->sa_len = addrlen;
+#endif /* ifdef IRS_PLATFORM_HAVESALEN */
+	return (ai);
+}
+
+static struct addrinfo *
+ai_clone(struct addrinfo *oai, int family) {
+	struct addrinfo *ai;
+
+	ai = ai_alloc(family,
+		      ((family == AF_INET6) ? sizeof(struct sockaddr_in6)
+					    : sizeof(struct sockaddr_in)));
+
+	if (ai == NULL) {
+		return (NULL);
+	}
+	if (oai == NULL) {
+		return (ai);
+	}
+
+	ai->ai_flags = oai->ai_flags;
+	ai->ai_socktype = oai->ai_socktype;
+	ai->ai_protocol = oai->ai_protocol;
+	ai->ai_canonname = NULL;
+	ai->ai_next = oai;
+	return (ai);
+}
+
+static struct addrinfo *
+ai_reverse(struct addrinfo *oai) {
+	struct addrinfo *nai, *tai;
+
+	nai = NULL;
+
+	while (oai != NULL) {
+		/*
+		 * Grab one off the old list.
+		 */
+		tai = oai;
+		oai = oai->ai_next;
+		/*
+		 * Put it on the front of the new list.
+		 */
+		tai->ai_next = nai;
+		nai = tai;
+	}
+	return (nai);
+}
+
+static struct addrinfo *
+ai_concat(struct addrinfo *ai1, struct addrinfo *ai2) {
+	struct addrinfo *ai_tmp;
+
+	if (ai1 == NULL) {
+		return (ai2);
+	} else if (ai2 == NULL) {
+		return (ai1);
+	}
+
+	for (ai_tmp = ai1; ai_tmp != NULL && ai_tmp->ai_next != NULL;
+	     ai_tmp = ai_tmp->ai_next)
+	{
+	}
+
+	ai_tmp->ai_next = ai2;
+
+	return (ai1);
+}
diff --git a/lib/irs/getnameinfo.c b/lib/irs/getnameinfo.c
new file mode 100644
index 0000000..62c7cea
--- /dev/null
+++ b/lib/irs/getnameinfo.c
@@ -0,0 +1,438 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+/*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/**
+ *    getnameinfo() returns the hostname for the struct sockaddr sa which is
+ *    salen bytes long. The hostname is of length hostlen and is returned via
+ *    *host. The maximum length of the hostname is 1025 bytes: #NI_MAXHOST.
+ *
+ *    The name of the service associated with the port number in sa is
+ *    returned in *serv. It is servlen bytes long. The maximum length of the
+ *    service name is #NI_MAXSERV - 32 bytes.
+ *
+ *    The flags argument sets the following bits:
+ *
+ * \li   #NI_NOFQDN:
+ *           A fully qualified domain name is not required for local hosts.
+ *           The local part of the fully qualified domain name is returned
+ *           instead.
+ *
+ * \li   #NI_NUMERICHOST
+ *           Return the address in numeric form, as if calling inet_ntop(),
+ *           instead of a host name.
+ *
+ * \li   #NI_NAMEREQD
+ *           A name is required. If the hostname cannot be found in the DNS
+ *           and this flag is set, a non-zero error code is returned. If the
+ *           hostname is not found and the flag is not set, the address is
+ *           returned in numeric form.
+ *
+ * \li   #NI_NUMERICSERV
+ *           The service name is returned as a digit string representing the
+ *           port number.
+ *
+ * \li   #NI_DGRAM
+ *           Specifies that the service being looked up is a datagram
+ *           service, and causes getservbyport() to be called with a second
+ *           argument of "udp" instead of its default of "tcp". This is
+ *           required for the few ports (512-514) that have different
+ *           services for UDP and TCP.
+ *
+ * \section getnameinfo_return Return Values
+ *
+ *    getnameinfo() returns 0 on success or a non-zero error code if
+ *    an error occurs.
+ *
+ * \section getname_see See Also
+ *
+ *    RFC3493, getservbyport(),
+ *    getnamebyaddr(). inet_ntop().
+ */
+
+#include <stdbool.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <isc/netaddr.h>
+#include <isc/print.h>
+#include <isc/sockaddr.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/byaddr.h>
+#include <dns/client.h>
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/result.h>
+
+#include <irs/context.h>
+#include <irs/netdb.h>
+
+#define SUCCESS 0
+
+/*% afd structure definition */
+static struct afd {
+	int a_af;
+	size_t a_addrlen;
+	size_t a_socklen;
+} afdl[] = {
+	/*!
+	 * First entry is linked last...
+	 */
+	{ AF_INET, sizeof(struct in_addr), sizeof(struct sockaddr_in) },
+	{ AF_INET6, sizeof(struct in6_addr), sizeof(struct sockaddr_in6) },
+	{ 0, 0, 0 },
+};
+
+/*!
+ * The test against 0 is there to keep the Solaris compiler
+ * from complaining about "end-of-loop code not reached".
+ */
+#define ERR(code)                     \
+	do {                          \
+		result = (code);      \
+		if (result != 0)      \
+			goto cleanup; \
+	} while (0)
+
+#ifdef _WIN32
+int
+getnameinfo(const struct sockaddr *sa, socklen_t salen, char *host,
+	    DWORD hostlen, char *serv, DWORD servlen, int flags) {
+#else
+int
+getnameinfo(const struct sockaddr *sa, socklen_t salen, char *host,
+	    socklen_t hostlen, char *serv, socklen_t servlen, int flags) {
+#endif
+	struct afd *afd = NULL;
+	struct servent *sp;
+	unsigned short port = 0;
+#ifdef IRS_PLATFORM_HAVESALEN
+	size_t len;
+#endif /* ifdef IRS_PLATFORM_HAVESALEN */
+	int family, i;
+	const void *addr = NULL;
+	char *p;
+#if 0
+	unsigned long v4a;
+	unsigned char pfx;
+#endif /* if 0 */
+	char numserv[sizeof("65000")];
+	char numaddr[sizeof("abcd:abcd:abcd:abcd:abcd:abcd:255.255.255.255") +
+		     1 + sizeof("4294967295")];
+	const char *proto;
+	int result = SUCCESS;
+
+	if (sa == NULL) {
+		ERR(EAI_FAIL);
+	}
+
+#ifdef IRS_PLATFORM_HAVESALEN
+	len = sa->sa_len;
+	if (len != salen) {
+		ERR(EAI_FAIL);
+	}
+#endif /* ifdef IRS_PLATFORM_HAVESALEN */
+
+	family = sa->sa_family;
+	for (i = 0; afdl[i].a_af; i++) {
+		if (afdl[i].a_af == family) {
+			{
+				afd = &afdl[i];
+				goto found;
+			}
+		}
+	}
+	ERR(EAI_FAMILY);
+
+found:
+	if (salen != afd->a_socklen) {
+		ERR(EAI_FAIL);
+	}
+
+	switch (family) {
+	case AF_INET:
+		port = ((const struct sockaddr_in *)sa)->sin_port;
+		addr = &((const struct sockaddr_in *)sa)->sin_addr.s_addr;
+		break;
+
+	case AF_INET6:
+		port = ((const struct sockaddr_in6 *)sa)->sin6_port;
+		addr = ((const struct sockaddr_in6 *)sa)->sin6_addr.s6_addr;
+		break;
+
+	default:
+		UNREACHABLE();
+	}
+	proto = ((flags & NI_DGRAM) != 0) ? "udp" : "tcp";
+
+	if (serv == NULL || servlen == 0U) {
+		/*
+		 * Caller does not want service.
+		 */
+	} else if ((flags & NI_NUMERICSERV) != 0 ||
+		   (sp = getservbyport(port, proto)) == NULL)
+	{
+		snprintf(numserv, sizeof(numserv), "%d", ntohs(port));
+		if ((strlen(numserv) + 1) > servlen) {
+			ERR(EAI_OVERFLOW);
+		}
+		strlcpy(serv, numserv, servlen);
+	} else {
+		if ((strlen(sp->s_name) + 1) > servlen) {
+			ERR(EAI_OVERFLOW);
+		}
+		strlcpy(serv, sp->s_name, servlen);
+	}
+
+#if 0
+	switch (sa->sa_family) {
+	case AF_INET:
+		v4a = ((struct sockaddr_in *)sa)->sin_addr.s_addr;
+		if (IN_MULTICAST(v4a) || IN_EXPERIMENTAL(v4a)) {
+			flags |= NI_NUMERICHOST;
+		}
+		v4a >>= IN_CLASSA_NSHIFT;
+		if (v4a == 0 || v4a == IN_LOOPBACKNET) {
+			flags |= NI_NUMERICHOST;
+		}
+		break;
+
+	case AF_INET6:
+		pfx = ((struct sockaddr_in6 *)sa)->sin6_addr.s6_addr[0];
+		if (pfx == 0 || pfx == 0xfe || pfx == 0xff) {
+			flags |= NI_NUMERICHOST;
+		}
+		break;
+	}
+#endif /* if 0 */
+
+	if (host == NULL || hostlen == 0U) {
+		/*
+		 * do nothing in this case.
+		 * in case you are wondering if "&&" is more correct than
+		 * "||" here: RFC3493 says that host == NULL or hostlen == 0
+		 * means that the caller does not want the result.
+		 */
+	} else if ((flags & NI_NUMERICHOST) != 0) {
+		if (inet_ntop(afd->a_af, addr, numaddr, sizeof(numaddr)) ==
+		    NULL)
+		{
+			ERR(EAI_SYSTEM);
+		}
+#if defined(IRS_HAVE_SIN6_SCOPE_ID)
+		if (afd->a_af == AF_INET6 &&
+		    ((const struct sockaddr_in6 *)sa)->sin6_scope_id)
+		{
+			char *p = numaddr + strlen(numaddr);
+			const char *stringscope = NULL;
+#ifdef VENDOR_SPECIFIC
+			/*
+			 * Vendors may want to add support for
+			 * non-numeric scope identifier.
+			 */
+			stringscope = foo;
+#endif /* ifdef VENDOR_SPECIFIC */
+			if (stringscope == NULL) {
+				snprintf(p, sizeof(numaddr) - (p - numaddr),
+					 "%%%u",
+					 ((const struct sockaddr_in6 *)sa)
+						 ->sin6_scope_id);
+			} else {
+				snprintf(p, sizeof(numaddr) - (p - numaddr),
+					 "%%%s", stringscope);
+			}
+		}
+#endif /* if defined(IRS_HAVE_SIN6_SCOPE_ID) */
+		if (strlen(numaddr) + 1 > hostlen) {
+			ERR(EAI_OVERFLOW);
+		}
+		strlcpy(host, numaddr, hostlen);
+	} else {
+		isc_netaddr_t netaddr;
+		dns_fixedname_t ptrfname;
+		dns_name_t *ptrname;
+		irs_context_t *irsctx = NULL;
+		dns_client_t *client;
+		bool found = false;
+		dns_namelist_t answerlist;
+		dns_rdataset_t *rdataset;
+		isc_region_t hostregion;
+		char hoststr[1024]; /* is this enough? */
+		isc_result_t iresult;
+
+		/* Get IRS context and the associated DNS client object */
+		iresult = irs_context_get(&irsctx);
+		if (iresult != ISC_R_SUCCESS) {
+			ERR(EAI_FAIL);
+		}
+		client = irs_context_getdnsclient(irsctx);
+
+		/* Make query name */
+		isc_netaddr_fromsockaddr(&netaddr, (const isc_sockaddr_t *)sa);
+		ptrname = dns_fixedname_initname(&ptrfname);
+		iresult = dns_byaddr_createptrname(&netaddr, 0, ptrname);
+		if (iresult != ISC_R_SUCCESS) {
+			ERR(EAI_FAIL);
+		}
+
+		/* Get the PTR RRset */
+		ISC_LIST_INIT(answerlist);
+		iresult = dns_client_resolve(client, ptrname, dns_rdataclass_in,
+					     dns_rdatatype_ptr, 0, &answerlist);
+		switch (iresult) {
+		case ISC_R_SUCCESS:
+		/*
+		 * a 'non-existent' error is not necessarily fatal for
+		 * getnameinfo().
+		 */
+		case DNS_R_NCACHENXDOMAIN:
+		case DNS_R_NCACHENXRRSET:
+			break;
+		case DNS_R_SIGINVALID:
+		case DNS_R_SIGEXPIRED:
+		case DNS_R_SIGFUTURE:
+		case DNS_R_KEYUNAUTHORIZED:
+		case DNS_R_MUSTBESECURE:
+		case DNS_R_COVERINGNSEC:
+		case DNS_R_NOTAUTHORITATIVE:
+		case DNS_R_NOVALIDKEY:
+		case DNS_R_NOVALIDDS:
+		case DNS_R_NOVALIDSIG:
+			/*
+			 * Don't use ERR as GCC 7 wants to raise a
+			 * warning with ERR about possible falling
+			 * through which is impossible.
+			 */
+			result = EAI_INSECUREDATA;
+			goto cleanup;
+		default:
+			ERR(EAI_FAIL);
+		}
+
+		/* Parse the answer for the hostname */
+		for (ptrname = ISC_LIST_HEAD(answerlist); ptrname != NULL;
+		     ptrname = ISC_LIST_NEXT(ptrname, link))
+		{
+			for (rdataset = ISC_LIST_HEAD(ptrname->list);
+			     rdataset != NULL;
+			     rdataset = ISC_LIST_NEXT(rdataset, link))
+			{
+				if (!dns_rdataset_isassociated(rdataset)) {
+					continue;
+				}
+				if (rdataset->type != dns_rdatatype_ptr) {
+					continue;
+				}
+
+				for (iresult = dns_rdataset_first(rdataset);
+				     iresult == ISC_R_SUCCESS;
+				     iresult = dns_rdataset_next(rdataset))
+				{
+					dns_rdata_t rdata;
+					dns_rdata_ptr_t rdata_ptr;
+					isc_buffer_t b;
+
+					dns_rdata_init(&rdata);
+					dns_rdataset_current(rdataset, &rdata);
+					dns_rdata_tostruct(&rdata, &rdata_ptr,
+							   NULL);
+
+					isc_buffer_init(&b, hoststr,
+							sizeof(hoststr));
+					iresult = dns_name_totext(
+						&rdata_ptr.ptr, true, &b);
+					dns_rdata_freestruct(&rdata_ptr);
+					if (iresult == ISC_R_SUCCESS) {
+						/*
+						 * We ignore the rest of the
+						 * answer.  After all,
+						 * getnameinfo() can return
+						 * at most one hostname.
+						 */
+						found = true;
+						isc_buffer_usedregion(
+							&b, &hostregion);
+						goto ptrfound;
+					}
+				}
+			}
+		}
+	ptrfound:
+		dns_client_freeresanswer(client, &answerlist);
+		if (found) {
+			if ((flags & NI_NOFQDN) != 0) {
+				p = strchr(hoststr, '.');
+				if (p) {
+					*p = '\0';
+				}
+			}
+			if (hostregion.length + 1 > hostlen) {
+				ERR(EAI_OVERFLOW);
+			}
+			snprintf(host, hostlen, "%.*s", (int)hostregion.length,
+				 (char *)hostregion.base);
+		} else {
+			if ((flags & NI_NAMEREQD) != 0) {
+				ERR(EAI_NONAME);
+			}
+			if (inet_ntop(afd->a_af, addr, numaddr,
+				      sizeof(numaddr)) == NULL)
+			{
+				ERR(EAI_SYSTEM);
+			}
+			if ((strlen(numaddr) + 1) > hostlen) {
+				ERR(EAI_OVERFLOW);
+			}
+			strlcpy(host, numaddr, hostlen);
+		}
+	}
+	result = SUCCESS;
+
+cleanup:
+	return (result);
+}
diff --git a/lib/irs/include/.clang-format b/lib/irs/include/.clang-format
new file mode 120000
index 0000000..0e62f72
--- /dev/null
+++ b/lib/irs/include/.clang-format
@@ -0,0 +1 @@
+../../../.clang-format.headers
\ No newline at end of file
diff --git a/lib/irs/include/Makefile.in b/lib/irs/include/Makefile.in
new file mode 100644
index 0000000..53a5348
--- /dev/null
+++ b/lib/irs/include/Makefile.in
@@ -0,0 +1,19 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	irs
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/irs/include/irs/Makefile.in b/lib/irs/include/irs/Makefile.in
new file mode 100644
index 0000000..fb37979
--- /dev/null
+++ b/lib/irs/include/irs/Makefile.in
@@ -0,0 +1,46 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+#
+# Only list headers that are to be installed and are not
+# machine generated.  The latter are handled specially in the
+# install target below.
+#
+HEADERS =	context.h dnsconf.h resconf.h types.h version.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/irs
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/irs || exit 1; \
+	done
+	${INSTALL_DATA} netdb.h ${DESTDIR}${includedir}/irs
+	${INSTALL_DATA} platform.h ${DESTDIR}${includedir}/irs
+
+uninstall::
+	rm -f ${DESTDIR}${includedir}/irs/platform.h
+	rm -f ${DESTDIR}${includedir}/irs/netdb.h
+	for i in ${HEADERS}; do \
+		rm -f ${DESTDIR}${includedir}/irs/$$i || exit 1; \
+	done
+
+distclean::
+	rm -f netdb.h platform.h
diff --git a/lib/irs/include/irs/context.h b/lib/irs/include/irs/context.h
new file mode 100644
index 0000000..c2d800a
--- /dev/null
+++ b/lib/irs/include/irs/context.h
@@ -0,0 +1,155 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef IRS_CONTEXT_H
+#define IRS_CONTEXT_H 1
+
+/*! \file
+ *
+ * \brief
+ * The IRS context module provides an abstract interface to the DNS library
+ * with an application.  An IRS context object initializes and holds various
+ * resources used in the DNS library.
+ */
+
+#include <dns/types.h>
+
+#include <irs/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+irs_context_create(irs_context_t **contextp);
+/*%<
+ * Create an IRS context.  It internally initializes the ISC and DNS libraries
+ * (if not yet), creates a DNS client object and initializes the client using
+ * the configuration files parsed via the 'resconf' and 'dnsconf' IRS modules.
+ * Some of the internally initialized objects can be used by the application
+ * via irs_context_getxxx() functions (see below).
+ *
+ * Requires:
+ *
+ *\li	contextp != NULL && *contextp == NULL.
+ */
+
+isc_result_t
+irs_context_get(irs_context_t **contextp);
+/*%<
+ * Return an IRS context for the calling thread.  If no IRS context is
+ * associated to the thread, this function creates a new one by calling
+ * irs_context_create(), and associates it with the thread as a thread specific
+ * data value.  This function is provided for standard libraries that are
+ * expected to be thread-safe but do not accept an appropriate IRS context
+ * as a library parameter, e.g., getaddrinfo().
+ *
+ * Requires:
+ *
+ *\li	contextp != NULL && *contextp == NULL.
+ */
+
+void
+irs_context_destroy(irs_context_t **contextp);
+/*%<
+ * Destroy an IRS context.
+ *
+ * Requires:
+ *
+ *\li	'*contextp' is a valid IRS context.
+ *
+ * Ensures:
+ *\li	'*contextp' == NULL.
+ */
+
+isc_mem_t *
+irs_context_getmctx(irs_context_t *context);
+/*%<
+ * Return the memory context held in the context.
+ *
+ * Requires:
+ *
+ *\li	'context' is a valid IRS context.
+ */
+
+isc_appctx_t *
+irs_context_getappctx(irs_context_t *context);
+/*%<
+ * Return the application context held in the context.
+ *
+ * Requires:
+ *
+ *\li	'context' is a valid IRS context.
+ */
+
+isc_taskmgr_t *
+irs_context_gettaskmgr(irs_context_t *context);
+/*%<
+ * Return the task manager held in the context.
+ *
+ * Requires:
+ *
+ *\li	'context' is a valid IRS context.
+ */
+
+isc_timermgr_t *
+irs_context_gettimermgr(irs_context_t *context);
+/*%<
+ * Return the timer manager held in the context.
+ *
+ * Requires:
+ *
+ *\li	'context' is a valid IRS context.
+ */
+
+isc_task_t *
+irs_context_gettask(irs_context_t *context);
+/*%<
+ * Return the task object held in the context.
+ *
+ * Requires:
+ *
+ *\li	'context' is a valid IRS context.
+ */
+
+dns_client_t *
+irs_context_getdnsclient(irs_context_t *context);
+/*%<
+ * Return the DNS client object held in the context.
+ *
+ * Requires:
+ *
+ *\li	'context' is a valid IRS context.
+ */
+
+irs_resconf_t *
+irs_context_getresconf(irs_context_t *context);
+/*%<
+ * Return the resolver configuration object held in the context.
+ *
+ * Requires:
+ *
+ *\li	'context' is a valid IRS context.
+ */
+
+irs_dnsconf_t *
+irs_context_getdnsconf(irs_context_t *context);
+/*%<
+ * Return the advanced DNS configuration object held in the context.
+ *
+ * Requires:
+ *
+ *\li	'context' is a valid IRS context.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* IRS_CONTEXT_H */
diff --git a/lib/irs/include/irs/dnsconf.h b/lib/irs/include/irs/dnsconf.h
new file mode 100644
index 0000000..7456b89
--- /dev/null
+++ b/lib/irs/include/irs/dnsconf.h
@@ -0,0 +1,92 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef IRS_DNSCONF_H
+#define IRS_DNSCONF_H 1
+
+/*! \file
+ *
+ * \brief
+ * The IRS dnsconf module parses an "advanced" configuration file related to
+ * the DNS library, such as trust anchors for DNSSEC validation, and creates
+ * the corresponding configuration objects for the DNS library modules.
+ *
+ * Notes:
+ * This module is very experimental and the configuration syntax or library
+ * interfaces may change in future versions.  Currently, only static
+ * key configuration is supported; "trusted-keys" and "trust-anchors"/
+ * "managed-keys" statements will be parsed exactly as they are in
+ * named.conf, except that "trust-anchors" and "managed-keys" entries will
+ * be treated as if they were configured with "static-key", even if they
+ * were actually configured with "initial-key".
+ */
+
+#include <irs/types.h>
+
+/*%
+ * A compound structure storing DNS key information mainly for DNSSEC
+ * validation.  A dns_key_t object will be created using the 'keyname' and
+ * 'keydatabuf' members with the dst_key_fromdns() function.
+ */
+typedef struct irs_dnsconf_dnskey {
+	dns_name_t   *keyname;
+	isc_buffer_t *keydatabuf;
+	ISC_LINK(struct irs_dnsconf_dnskey) link;
+} irs_dnsconf_dnskey_t;
+
+typedef ISC_LIST(irs_dnsconf_dnskey_t) irs_dnsconf_dnskeylist_t;
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+irs_dnsconf_load(isc_mem_t *mctx, const char *filename, irs_dnsconf_t **confp);
+/*%<
+ * Load the "advanced" DNS configuration file 'filename' in the "dns.conf"
+ * format, and create a new irs_dnsconf_t object from the configuration.
+ *
+ * Requires:
+ *
+ *\li	'mctx' is a valid memory context.
+ *
+ *\li	'filename' != NULL
+ *
+ *\li	'confp' != NULL && '*confp' == NULL
+ */
+
+void
+irs_dnsconf_destroy(irs_dnsconf_t **confp);
+/*%<
+ * Destroy the dnsconf object.
+ *
+ * Requires:
+ *
+ *\li	'*confp' is a valid dnsconf object.
+ *
+ * Ensures:
+ *
+ *\li	*confp == NULL
+ */
+
+irs_dnsconf_dnskeylist_t *
+irs_dnsconf_gettrustedkeys(irs_dnsconf_t *conf);
+/*%<
+ * Return a list of key information stored in 'conf'.
+ *
+ * Requires:
+ *
+ *\li	'conf' is a valid dnsconf object.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* IRS_DNSCONF_H */
diff --git a/lib/irs/include/irs/netdb.h.in b/lib/irs/include/irs/netdb.h.in
new file mode 100644
index 0000000..c3b4dae
--- /dev/null
+++ b/lib/irs/include/irs/netdb.h.in
@@ -0,0 +1,193 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#ifndef IRS_NETDB_H
+#define IRS_NETDB_H 1
+
+#include <stddef.h>	/* Required on FreeBSD (and  others?) for size_t. */
+#include <netdb.h>	/* Contractual provision. */
+
+/*
+ * Undefine all #defines we are interested in as <netdb.h> may or may not have
+ * defined them.
+ */
+
+/*
+ * Error return codes from gethostbyname() and gethostbyaddr()
+ * (left in extern int h_errno).
+ */
+
+#undef	NETDB_INTERNAL
+#undef	NETDB_SUCCESS
+#undef	HOST_NOT_FOUND
+#undef	TRY_AGAIN
+#undef	NO_RECOVERY
+#undef	NO_DATA
+#undef	NO_ADDRESS
+
+#define	NETDB_INTERNAL	-1	/* see errno */
+#define	NETDB_SUCCESS	0	/* no problem */
+#define	HOST_NOT_FOUND	1 /* Authoritative Answer Host not found */
+#define	TRY_AGAIN	2 /* Non-Authoritive Host not found, or SERVERFAIL */
+#define	NO_RECOVERY	3 /* Non recoverable errors, FORMERR, REFUSED, NOTIMP */
+#define	NO_DATA		4 /* Valid name, no data record of requested type */
+#define	NO_ADDRESS	NO_DATA		/* no address, look for MX record */
+
+/*
+ * Error return codes from getaddrinfo().  EAI_INSECUREDATA is our own extension
+ * and it's very unlikely to be already defined, but undef it just in case; it
+ * at least doesn't do any harm.
+ */
+
+#undef	EAI_ADDRFAMILY
+#undef	EAI_AGAIN
+#undef	EAI_BADFLAGS
+#undef	EAI_FAIL
+#undef	EAI_FAMILY
+#undef	EAI_MEMORY
+#undef	EAI_NODATA
+#undef	EAI_NONAME
+#undef	EAI_SERVICE
+#undef	EAI_SOCKTYPE
+#undef	EAI_SYSTEM
+#undef	EAI_BADHINTS
+#undef	EAI_PROTOCOL
+#undef	EAI_OVERFLOW
+#undef	EAI_INSECUREDATA
+#undef	EAI_MAX
+
+#define	EAI_ADDRFAMILY	 1	/* address family for hostname not supported */
+#define	EAI_AGAIN	 2	/* temporary failure in name resolution */
+#define	EAI_BADFLAGS	 3	/* invalid value for ai_flags */
+#define	EAI_FAIL	 4	/* non-recoverable failure in name resolution */
+#define	EAI_FAMILY	 5	/* ai_family not supported */
+#define	EAI_MEMORY	 6	/* memory allocation failure */
+#define	EAI_NODATA	 7	/* no address associated with hostname */
+#define	EAI_NONAME	 8	/* hostname nor servname provided, or not known */
+#define	EAI_SERVICE	 9	/* servname not supported for ai_socktype */
+#define	EAI_SOCKTYPE	10	/* ai_socktype not supported */
+#define	EAI_SYSTEM	11	/* system error returned in errno */
+#define EAI_BADHINTS	12
+#define EAI_PROTOCOL	13
+#define EAI_OVERFLOW	14
+#define EAI_INSECUREDATA 15
+#define EAI_MAX		16
+
+/*
+ * Flag values for getaddrinfo()
+ */
+#undef	AI_PASSIVE
+#undef	AI_CANONNAME
+#undef	AI_NUMERICHOST
+
+#define	AI_PASSIVE	0x00000001
+#define	AI_CANONNAME	0x00000002
+#define AI_NUMERICHOST	0x00000004
+
+/*
+ * Flag values for getipnodebyname()
+ */
+#undef AI_V4MAPPED
+#undef AI_ALL
+#undef AI_ADDRCONFIG
+#undef AI_DEFAULT
+
+#define AI_V4MAPPED	0x00000008
+#define AI_ALL		0x00000010
+#define AI_ADDRCONFIG	0x00000020
+#define AI_DEFAULT	(AI_V4MAPPED|AI_ADDRCONFIG)
+
+/*
+ * Constants for getnameinfo()
+ */
+#undef	NI_MAXHOST
+#undef	NI_MAXSERV
+
+#define	NI_MAXHOST	1025
+#define	NI_MAXSERV	32
+
+/*
+ * Flag values for getnameinfo()
+ */
+#undef	NI_NOFQDN
+#undef	NI_NUMERICHOST
+#undef	NI_NAMEREQD
+#undef	NI_NUMERICSERV
+#undef	NI_DGRAM
+#undef	NI_NUMERICSCOPE
+
+#define	NI_NOFQDN	0x00000001
+#define	NI_NUMERICHOST	0x00000002
+#define	NI_NAMEREQD	0x00000004
+#define	NI_NUMERICSERV	0x00000008
+#define	NI_DGRAM	0x00000010
+
+/*
+ * Define to map into irs_ namespace.
+ */
+
+#define IRS_NAMESPACE
+
+#ifdef IRS_NAMESPACE
+
+/*
+ * Use our versions not the ones from the C library.
+ */
+
+#ifdef getnameinfo
+#undef getnameinfo
+#endif
+#define getnameinfo irs_getnameinfo
+
+#ifdef getaddrinfo
+#undef getaddrinfo
+#endif
+#define getaddrinfo irs_getaddrinfo
+
+#ifdef freeaddrinfo
+#undef freeaddrinfo
+#endif
+#define freeaddrinfo irs_freeaddrinfo
+
+#ifdef gai_strerror
+#undef gai_strerror
+#endif
+#define gai_strerror irs_gai_strerror
+
+int
+getaddrinfo(const char *hostname, const char *servname,
+	    const struct addrinfo *hints, struct addrinfo **res);
+
+int
+getnameinfo(const struct sockaddr *sa, socklen_t salen,
+	    char *host, socklen_t hostlen,
+	    char *serv, socklen_t servlen,
+	    int flags);
+
+void freeaddrinfo (struct addrinfo *ai);
+
+const char *
+gai_strerror(int ecode);
+
+#endif /* IRS_NAMESPACE */
+
+/*
+ * Tell Emacs to use C mode on this file.
+ * Local variables:
+ * mode: c
+ * End:
+ */
+
+#endif /* IRS_NETDB_H */
diff --git a/lib/irs/include/irs/platform.h.in b/lib/irs/include/irs/platform.h.in
new file mode 100644
index 0000000..54bae37
--- /dev/null
+++ b/lib/irs/include/irs/platform.h.in
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#ifndef IRS_PLATFORM_H
+#define IRS_PLATFORM_H 1
+
+/*****
+ ***** Platform-dependent defines.
+ *****/
+
+#define LIBIRS_EXTERNAL_DATA
+
+/*
+ * Tell Emacs to use C mode on this file.
+ * Local Variables:
+ * mode: c
+ * End:
+ */
+
+#endif /* IRS_PLATFORM_H */
diff --git a/lib/irs/include/irs/resconf.h b/lib/irs/include/irs/resconf.h
new file mode 100644
index 0000000..424b795
--- /dev/null
+++ b/lib/irs/include/irs/resconf.h
@@ -0,0 +1,118 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef IRS_RESCONF_H
+#define IRS_RESCONF_H 1
+
+/*! \file
+ *
+ * \brief
+ * The IRS resconf module parses the legacy "/etc/resolv.conf" file and
+ * creates the corresponding configuration objects for the DNS library
+ * modules.
+ */
+
+#include <irs/types.h>
+
+/*%
+ * A DNS search list specified in the 'domain' or 'search' statements
+ * in the "resolv.conf" file.
+ */
+typedef struct irs_resconf_search {
+	char *domain;
+	ISC_LINK(struct irs_resconf_search) link;
+} irs_resconf_search_t;
+
+typedef ISC_LIST(irs_resconf_search_t) irs_resconf_searchlist_t;
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+irs_resconf_load(isc_mem_t *mctx, const char *filename, irs_resconf_t **confp);
+/*%<
+ * Load the resolver configuration file 'filename' in the "resolv.conf" format,
+ * and create a new irs_resconf_t object from the configuration.  If the file
+ * is not found ISC_R_FILENOTFOUND is returned with the structure initialized
+ * as if file contained only:
+ *
+ *	nameserver ::1
+ *	nameserver 127.0.0.1
+ *
+ * Notes:
+ *
+ *\li	Currently, only the following options are supported:
+ *	nameserver, domain, search, sortlist, ndots, and options.
+ *	In addition, 'sortlist' is not actually effective; it's parsed, but
+ *	the application cannot use the configuration.
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS on success
+ * \li  ISC_R_FILENOTFOUND if the file was not found. *confp will be valid.
+ * \li  other on error.
+ *
+ * Requires:
+ *
+ *\li	'mctx' is a valid memory context.
+ *
+ *\li	'filename' != NULL
+ *
+ *\li	'confp' != NULL && '*confp' == NULL
+ */
+
+void
+irs_resconf_destroy(irs_resconf_t **confp);
+/*%<
+ * Destroy the resconf object.
+ *
+ * Requires:
+ *
+ *\li	'*confp' is a valid resconf object.
+ *
+ * Ensures:
+ *
+ *\li	*confp == NULL
+ */
+
+isc_sockaddrlist_t *
+irs_resconf_getnameservers(irs_resconf_t *conf);
+/*%<
+ * Return a list of name server addresses stored in 'conf'.
+ *
+ * Requires:
+ *
+ *\li	'conf' is a valid resconf object.
+ */
+
+irs_resconf_searchlist_t *
+irs_resconf_getsearchlist(irs_resconf_t *conf);
+/*%<
+ * Return the search list stored in 'conf'.
+ *
+ * Requires:
+ *
+ *\li	'conf' is a valid resconf object.
+ */
+
+unsigned int
+irs_resconf_getndots(irs_resconf_t *conf);
+/*%<
+ * Return the 'ndots' value stored in 'conf'.
+ *
+ * Requires:
+ *
+ *\li	'conf' is a valid resconf object.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* IRS_RESCONF_H */
diff --git a/lib/irs/include/irs/types.h b/lib/irs/include/irs/types.h
new file mode 100644
index 0000000..54153f8
--- /dev/null
+++ b/lib/irs/include/irs/types.h
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef IRS_TYPES_H
+#define IRS_TYPES_H 1
+
+/* Core Types.  Alphabetized by defined type. */
+
+/*%< per-thread IRS context */
+typedef struct irs_context irs_context_t;
+/*%< resolv.conf configuration information */
+typedef struct irs_resconf irs_resconf_t;
+/*%< advanced DNS-related configuration information */
+typedef struct irs_dnsconf irs_dnsconf_t;
+
+#endif /* IRS_TYPES_H */
diff --git a/lib/irs/include/irs/version.h b/lib/irs/include/irs/version.h
new file mode 100644
index 0000000..75ba926
--- /dev/null
+++ b/lib/irs/include/irs/version.h
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <irs/platform.h>
+
+LIBIRS_EXTERNAL_DATA extern const char irs_version[];
diff --git a/lib/irs/resconf.c b/lib/irs/resconf.c
new file mode 100644
index 0000000..f3b7be5
--- /dev/null
+++ b/lib/irs/resconf.c
@@ -0,0 +1,689 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file resconf.c */
+
+/**
+ * Module for parsing resolv.conf files (largely derived from lwconfig.c).
+ *
+ *    irs_resconf_load() opens the file filename and parses it to initialize
+ *    the configuration structure.
+ *
+ * \section lwconfig_return Return Values
+ *
+ *    irs_resconf_load() returns #IRS_R_SUCCESS if it successfully read and
+ *    parsed filename. It returns a non-0 error code if filename could not be
+ *    opened or contained incorrect resolver statements.
+ *
+ * \section lwconfig_see See Also
+ *
+ *    stdio(3), \link resolver resolver \endlink
+ *
+ * \section files Files
+ *
+ *    /etc/resolv.conf
+ */
+
+#ifndef WIN32
+#include <netdb.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#endif /* ifndef WIN32 */
+
+#include <ctype.h>
+#include <errno.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/netaddr.h>
+#include <isc/sockaddr.h>
+#include <isc/util.h>
+
+#include <irs/netdb.h>
+#include <irs/resconf.h>
+
+#define IRS_RESCONF_MAGIC    ISC_MAGIC('R', 'E', 'S', 'c')
+#define IRS_RESCONF_VALID(c) ISC_MAGIC_VALID(c, IRS_RESCONF_MAGIC)
+
+/*!
+ * protocol constants
+ */
+
+#if !defined(NS_INADDRSZ)
+#define NS_INADDRSZ 4
+#endif /* if !defined(NS_INADDRSZ) */
+
+#if !defined(NS_IN6ADDRSZ)
+#define NS_IN6ADDRSZ 16
+#endif /* if !defined(NS_IN6ADDRSZ) */
+
+/*!
+ * resolv.conf parameters
+ */
+
+#define RESCONFMAXNAMESERVERS 3U   /*%< max 3 "nameserver" entries */
+#define RESCONFMAXSEARCH      8U   /*%< max 8 domains in "search" entry */
+#define RESCONFMAXLINELEN     256U /*%< max size of a line */
+#define RESCONFMAXSORTLIST    10U  /*%< max 10 */
+
+/*!
+ * configuration data structure
+ */
+
+struct irs_resconf {
+	/*
+	 * The configuration data is a thread-specific object, and does not
+	 * need to be locked.
+	 */
+	unsigned int magic;
+	isc_mem_t *mctx;
+
+	isc_sockaddrlist_t nameservers;
+	unsigned int numns; /*%< number of configured servers
+			     * */
+
+	char *domainname;
+	char *search[RESCONFMAXSEARCH];
+	uint8_t searchnxt; /*%< index for next free slot
+			    * */
+
+	irs_resconf_searchlist_t searchlist;
+
+	struct {
+		isc_netaddr_t addr;
+		/*% mask has a non-zero 'family' if set */
+		isc_netaddr_t mask;
+	} sortlist[RESCONFMAXSORTLIST];
+	uint8_t sortlistnxt;
+
+	/*%< non-zero if 'options debug' set */
+	uint8_t resdebug;
+	/*%< set to n in 'options ndots:n' */
+	uint8_t ndots;
+};
+
+static isc_result_t
+resconf_parsenameserver(irs_resconf_t *conf, FILE *fp);
+static isc_result_t
+resconf_parsedomain(irs_resconf_t *conf, FILE *fp);
+static isc_result_t
+resconf_parsesearch(irs_resconf_t *conf, FILE *fp);
+static isc_result_t
+resconf_parsesortlist(irs_resconf_t *conf, FILE *fp);
+static isc_result_t
+resconf_parseoption(irs_resconf_t *ctx, FILE *fp);
+
+#if HAVE_GET_WIN32_NAMESERVERS
+static isc_result_t
+get_win32_nameservers(irs_resconf_t *conf);
+#endif /* if HAVE_GET_WIN32_NAMESERVERS */
+
+/*!
+ * Eat characters from FP until EOL or EOF. Returns EOF or '\n'
+ */
+static int
+eatline(FILE *fp) {
+	int ch;
+
+	ch = fgetc(fp);
+	while (ch != '\n' && ch != EOF) {
+		ch = fgetc(fp);
+	}
+
+	return (ch);
+}
+
+/*!
+ * Eats white space up to next newline or non-whitespace character (of
+ * EOF). Returns the last character read. Comments are considered white
+ * space.
+ */
+static int
+eatwhite(FILE *fp) {
+	int ch;
+
+	ch = fgetc(fp);
+	while (ch != '\n' && ch != EOF && isspace((unsigned char)ch)) {
+		ch = fgetc(fp);
+	}
+
+	if (ch == ';' || ch == '#') {
+		ch = eatline(fp);
+	}
+
+	return (ch);
+}
+
+/*!
+ * Skip over any leading whitespace and then read in the next sequence of
+ * non-whitespace characters. In this context newline is not considered
+ * whitespace. Returns EOF on end-of-file, or the character
+ * that caused the reading to stop.
+ */
+static int
+getword(FILE *fp, char *buffer, size_t size) {
+	int ch;
+	char *p;
+
+	REQUIRE(buffer != NULL);
+	REQUIRE(size > 0U);
+
+	p = buffer;
+	*p = '\0';
+
+	ch = eatwhite(fp);
+
+	if (ch == EOF) {
+		return (EOF);
+	}
+
+	do {
+		*p = '\0';
+
+		if (ch == EOF || isspace((unsigned char)ch)) {
+			break;
+		} else if ((size_t)(p - buffer) == size - 1) {
+			return (EOF); /* Not enough space. */
+		}
+
+		*p++ = (char)ch;
+		ch = fgetc(fp);
+	} while (1);
+
+	return (ch);
+}
+
+static isc_result_t
+add_server(isc_mem_t *mctx, const char *address_str,
+	   isc_sockaddrlist_t *nameservers) {
+	int error;
+	isc_sockaddr_t *address = NULL;
+	struct addrinfo hints, *res;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	res = NULL;
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = AF_UNSPEC;
+	hints.ai_socktype = SOCK_DGRAM;
+	hints.ai_protocol = IPPROTO_UDP;
+	hints.ai_flags = AI_NUMERICHOST;
+	error = getaddrinfo(address_str, "53", &hints, &res);
+	if (error != 0) {
+		return (ISC_R_BADADDRESSFORM);
+	}
+
+	/* XXX: special case: treat all-0 IPv4 address as loopback */
+	if (res->ai_family == AF_INET) {
+		struct in_addr *v4;
+		unsigned char zeroaddress[] = { 0, 0, 0, 0 };
+		unsigned char loopaddress[] = { 127, 0, 0, 1 };
+
+		v4 = &((struct sockaddr_in *)res->ai_addr)->sin_addr;
+		if (memcmp(v4, zeroaddress, 4) == 0) {
+			memmove(v4, loopaddress, 4);
+		}
+	}
+
+	address = isc_mem_get(mctx, sizeof(*address));
+	if (res->ai_addrlen > sizeof(address->type)) {
+		isc_mem_put(mctx, address, sizeof(*address));
+		result = ISC_R_RANGE;
+		goto cleanup;
+	}
+	address->length = (unsigned int)res->ai_addrlen;
+	memmove(&address->type.ss, res->ai_addr, res->ai_addrlen);
+	ISC_LINK_INIT(address, link);
+	ISC_LIST_APPEND(*nameservers, address, link);
+
+cleanup:
+	freeaddrinfo(res);
+
+	return (result);
+}
+
+static isc_result_t
+create_addr(const char *buffer, isc_netaddr_t *addr, int convert_zero) {
+	struct in_addr v4;
+	struct in6_addr v6;
+
+	if (inet_pton(AF_INET, buffer, &v4) == 1) {
+		if (convert_zero) {
+			unsigned char zeroaddress[] = { 0, 0, 0, 0 };
+			unsigned char loopaddress[] = { 127, 0, 0, 1 };
+			if (memcmp(&v4, zeroaddress, 4) == 0) {
+				memmove(&v4, loopaddress, 4);
+			}
+		}
+		addr->family = AF_INET;
+		memmove(&addr->type.in, &v4, NS_INADDRSZ);
+		addr->zone = 0;
+	} else if (inet_pton(AF_INET6, buffer, &v6) == 1) {
+		addr->family = AF_INET6;
+		memmove(&addr->type.in6, &v6, NS_IN6ADDRSZ);
+		addr->zone = 0;
+	} else {
+		return (ISC_R_BADADDRESSFORM); /* Unrecognised format. */
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+resconf_parsenameserver(irs_resconf_t *conf, FILE *fp) {
+	char word[RESCONFMAXLINELEN];
+	int cp;
+	isc_result_t result;
+
+	cp = getword(fp, word, sizeof(word));
+	if (strlen(word) == 0U) {
+		return (ISC_R_UNEXPECTEDEND); /* Nothing on line. */
+	} else if (cp == ' ' || cp == '\t') {
+		cp = eatwhite(fp);
+	}
+
+	if (cp != EOF && cp != '\n') {
+		return (ISC_R_UNEXPECTEDTOKEN); /* Extra junk on line. */
+	}
+
+	if (conf->numns == RESCONFMAXNAMESERVERS) {
+		return (ISC_R_SUCCESS);
+	}
+
+	result = add_server(conf->mctx, word, &conf->nameservers);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	conf->numns++;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+resconf_parsedomain(irs_resconf_t *conf, FILE *fp) {
+	char word[RESCONFMAXLINELEN];
+	int res;
+	unsigned int i;
+
+	res = getword(fp, word, sizeof(word));
+	if (strlen(word) == 0U) {
+		return (ISC_R_UNEXPECTEDEND); /* Nothing else on line. */
+	} else if (res == ' ' || res == '\t') {
+		res = eatwhite(fp);
+	}
+
+	if (res != EOF && res != '\n') {
+		return (ISC_R_UNEXPECTEDTOKEN); /* Extra junk on line. */
+	}
+
+	if (conf->domainname != NULL) {
+		isc_mem_free(conf->mctx, conf->domainname);
+	}
+
+	/*
+	 * Search and domain are mutually exclusive.
+	 */
+	for (i = 0; i < RESCONFMAXSEARCH; i++) {
+		if (conf->search[i] != NULL) {
+			isc_mem_free(conf->mctx, conf->search[i]);
+			conf->search[i] = NULL;
+		}
+	}
+	conf->searchnxt = 0;
+
+	conf->domainname = isc_mem_strdup(conf->mctx, word);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+resconf_parsesearch(irs_resconf_t *conf, FILE *fp) {
+	int delim;
+	unsigned int idx;
+	char word[RESCONFMAXLINELEN];
+
+	if (conf->domainname != NULL) {
+		/*
+		 * Search and domain are mutually exclusive.
+		 */
+		isc_mem_free(conf->mctx, conf->domainname);
+		conf->domainname = NULL;
+	}
+
+	/*
+	 * Remove any previous search definitions.
+	 */
+	for (idx = 0; idx < RESCONFMAXSEARCH; idx++) {
+		if (conf->search[idx] != NULL) {
+			isc_mem_free(conf->mctx, conf->search[idx]);
+			conf->search[idx] = NULL;
+		}
+	}
+	conf->searchnxt = 0;
+
+	delim = getword(fp, word, sizeof(word));
+	if (strlen(word) == 0U) {
+		return (ISC_R_UNEXPECTEDEND); /* Nothing else on line. */
+	}
+
+	idx = 0;
+	while (strlen(word) > 0U) {
+		if (conf->searchnxt == RESCONFMAXSEARCH) {
+			goto ignore; /* Too many domains. */
+		}
+
+		INSIST(idx < sizeof(conf->search) / sizeof(conf->search[0]));
+		conf->search[idx] = isc_mem_strdup(conf->mctx, word);
+		idx++;
+		conf->searchnxt++;
+
+	ignore:
+		if (delim == EOF || delim == '\n') {
+			break;
+		} else {
+			delim = getword(fp, word, sizeof(word));
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+resconf_parsesortlist(irs_resconf_t *conf, FILE *fp) {
+	int delim, res;
+	unsigned int idx;
+	char word[RESCONFMAXLINELEN];
+	char *p;
+
+	delim = getword(fp, word, sizeof(word));
+	if (strlen(word) == 0U) {
+		return (ISC_R_UNEXPECTEDEND); /* Empty line after keyword. */
+	}
+
+	while (strlen(word) > 0U) {
+		if (conf->sortlistnxt == RESCONFMAXSORTLIST) {
+			return (ISC_R_QUOTA); /* Too many values. */
+		}
+
+		p = strchr(word, '/');
+		if (p != NULL) {
+			*p++ = '\0';
+		}
+
+		idx = conf->sortlistnxt;
+		INSIST(idx <
+		       sizeof(conf->sortlist) / sizeof(conf->sortlist[0]));
+		res = create_addr(word, &conf->sortlist[idx].addr, 1);
+		if (res != ISC_R_SUCCESS) {
+			return (res);
+		}
+
+		if (p != NULL) {
+			res = create_addr(p, &conf->sortlist[idx].mask, 0);
+			if (res != ISC_R_SUCCESS) {
+				return (res);
+			}
+		} else {
+			/*
+			 * Make up a mask. (XXX: is this correct?)
+			 */
+			conf->sortlist[idx].mask = conf->sortlist[idx].addr;
+			memset(&conf->sortlist[idx].mask.type, 0xff,
+			       sizeof(conf->sortlist[idx].mask.type));
+		}
+
+		conf->sortlistnxt++;
+
+		if (delim == EOF || delim == '\n') {
+			break;
+		} else {
+			delim = getword(fp, word, sizeof(word));
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+resconf_parseoption(irs_resconf_t *conf, FILE *fp) {
+	int delim;
+	long ndots;
+	char *p;
+	char word[RESCONFMAXLINELEN];
+
+	delim = getword(fp, word, sizeof(word));
+	if (strlen(word) == 0U) {
+		return (ISC_R_UNEXPECTEDEND); /* Empty line after keyword. */
+	}
+
+	while (strlen(word) > 0U) {
+		if (strcmp("debug", word) == 0) {
+			conf->resdebug = 1;
+		} else if (strncmp("ndots:", word, 6) == 0) {
+			ndots = strtol(word + 6, &p, 10);
+			if (*p != '\0') { /* Bad string. */
+				return (ISC_R_UNEXPECTEDTOKEN);
+			}
+			if (ndots < 0 || ndots > 0xff) { /* Out of range. */
+				return (ISC_R_RANGE);
+			}
+			conf->ndots = (uint8_t)ndots;
+		}
+
+		if (delim == EOF || delim == '\n') {
+			break;
+		} else {
+			delim = getword(fp, word, sizeof(word));
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+add_search(irs_resconf_t *conf, char *domain) {
+	irs_resconf_search_t *entry;
+
+	entry = isc_mem_get(conf->mctx, sizeof(*entry));
+
+	entry->domain = domain;
+	ISC_LINK_INIT(entry, link);
+	ISC_LIST_APPEND(conf->searchlist, entry, link);
+
+	return (ISC_R_SUCCESS);
+}
+
+/*% parses a file and fills in the data structure. */
+isc_result_t
+irs_resconf_load(isc_mem_t *mctx, const char *filename, irs_resconf_t **confp) {
+	FILE *fp = NULL;
+	char word[256];
+	isc_result_t rval, ret = ISC_R_SUCCESS;
+	irs_resconf_t *conf;
+	unsigned int i;
+	int stopchar;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(filename != NULL);
+	REQUIRE(strlen(filename) > 0U);
+	REQUIRE(confp != NULL && *confp == NULL);
+
+	conf = isc_mem_get(mctx, sizeof(*conf));
+
+	conf->mctx = mctx;
+	ISC_LIST_INIT(conf->nameservers);
+	ISC_LIST_INIT(conf->searchlist);
+	conf->numns = 0;
+	conf->domainname = NULL;
+	conf->searchnxt = 0;
+	conf->sortlistnxt = 0;
+	conf->resdebug = 0;
+	conf->ndots = 1;
+	for (i = 0; i < RESCONFMAXSEARCH; i++) {
+		conf->search[i] = NULL;
+	}
+
+	errno = 0;
+	if ((fp = fopen(filename, "r")) != NULL) {
+		do {
+			stopchar = getword(fp, word, sizeof(word));
+			if (stopchar == EOF) {
+				rval = ISC_R_SUCCESS;
+				POST(rval);
+				break;
+			}
+
+			if (strlen(word) == 0U) {
+				rval = ISC_R_SUCCESS;
+			} else if (strcmp(word, "nameserver") == 0) {
+				rval = resconf_parsenameserver(conf, fp);
+			} else if (strcmp(word, "domain") == 0) {
+				rval = resconf_parsedomain(conf, fp);
+			} else if (strcmp(word, "search") == 0) {
+				rval = resconf_parsesearch(conf, fp);
+			} else if (strcmp(word, "sortlist") == 0) {
+				rval = resconf_parsesortlist(conf, fp);
+			} else if (strcmp(word, "options") == 0) {
+				rval = resconf_parseoption(conf, fp);
+			} else {
+				/* unrecognised word. Ignore entire line */
+				rval = ISC_R_SUCCESS;
+				stopchar = eatline(fp);
+				if (stopchar == EOF) {
+					break;
+				}
+			}
+			if (ret == ISC_R_SUCCESS && rval != ISC_R_SUCCESS) {
+				ret = rval;
+			}
+		} while (1);
+
+		fclose(fp);
+	} else {
+		switch (errno) {
+		case ENOENT:
+			break;
+		default:
+			isc_mem_put(mctx, conf, sizeof(*conf));
+			return (ISC_R_INVALIDFILE);
+		}
+	}
+
+	if (ret != ISC_R_SUCCESS) {
+		goto error;
+	}
+
+	/*
+	 * Construct unified search list from domain or configured
+	 * search list
+	 */
+	if (conf->domainname != NULL) {
+		ret = add_search(conf, conf->domainname);
+	} else if (conf->searchnxt > 0) {
+		for (i = 0; i < conf->searchnxt; i++) {
+			ret = add_search(conf, conf->search[i]);
+			if (ret != ISC_R_SUCCESS) {
+				break;
+			}
+		}
+	}
+
+#if HAVE_GET_WIN32_NAMESERVERS
+	ret = get_win32_nameservers(conf);
+	if (ret != ISC_R_SUCCESS) {
+		goto error;
+	}
+#endif /* if HAVE_GET_WIN32_NAMESERVERS */
+
+	/* If we don't find a nameserver fall back to localhost */
+	if (conf->numns == 0U) {
+		INSIST(ISC_LIST_EMPTY(conf->nameservers));
+
+		/* XXX: should we catch errors? */
+		(void)add_server(conf->mctx, "::1", &conf->nameservers);
+		(void)add_server(conf->mctx, "127.0.0.1", &conf->nameservers);
+	}
+
+error:
+	conf->magic = IRS_RESCONF_MAGIC;
+
+	if (ret != ISC_R_SUCCESS) {
+		irs_resconf_destroy(&conf);
+	} else {
+		if (fp == NULL) {
+			ret = ISC_R_FILENOTFOUND;
+		}
+		*confp = conf;
+	}
+
+	return (ret);
+}
+
+void
+irs_resconf_destroy(irs_resconf_t **confp) {
+	irs_resconf_t *conf;
+	isc_sockaddr_t *address;
+	irs_resconf_search_t *searchentry;
+	unsigned int i;
+
+	REQUIRE(confp != NULL);
+	conf = *confp;
+	*confp = NULL;
+	REQUIRE(IRS_RESCONF_VALID(conf));
+
+	while ((searchentry = ISC_LIST_HEAD(conf->searchlist)) != NULL) {
+		ISC_LIST_UNLINK(conf->searchlist, searchentry, link);
+		isc_mem_put(conf->mctx, searchentry, sizeof(*searchentry));
+	}
+
+	while ((address = ISC_LIST_HEAD(conf->nameservers)) != NULL) {
+		ISC_LIST_UNLINK(conf->nameservers, address, link);
+		isc_mem_put(conf->mctx, address, sizeof(*address));
+	}
+
+	if (conf->domainname != NULL) {
+		isc_mem_free(conf->mctx, conf->domainname);
+	}
+
+	for (i = 0; i < RESCONFMAXSEARCH; i++) {
+		if (conf->search[i] != NULL) {
+			isc_mem_free(conf->mctx, conf->search[i]);
+		}
+	}
+
+	isc_mem_put(conf->mctx, conf, sizeof(*conf));
+}
+
+isc_sockaddrlist_t *
+irs_resconf_getnameservers(irs_resconf_t *conf) {
+	REQUIRE(IRS_RESCONF_VALID(conf));
+
+	return (&conf->nameservers);
+}
+
+irs_resconf_searchlist_t *
+irs_resconf_getsearchlist(irs_resconf_t *conf) {
+	REQUIRE(IRS_RESCONF_VALID(conf));
+
+	return (&conf->searchlist);
+}
+
+unsigned int
+irs_resconf_getndots(irs_resconf_t *conf) {
+	REQUIRE(IRS_RESCONF_VALID(conf));
+
+	return ((unsigned int)conf->ndots);
+}
diff --git a/lib/irs/tests/Kyuafile b/lib/irs/tests/Kyuafile
new file mode 100644
index 0000000..a203172
--- /dev/null
+++ b/lib/irs/tests/Kyuafile
@@ -0,0 +1,15 @@
+-- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+--
+-- SPDX-License-Identifier: MPL-2.0
+--
+-- This Source Code Form is subject to the terms of the Mozilla Public
+-- License, v. 2.0.  If a copy of the MPL was not distributed with this
+-- file, you can obtain one at https://mozilla.org/MPL/2.0/.
+--
+-- See the COPYRIGHT file distributed with this work for additional
+-- information regarding copyright ownership.
+
+syntax(2)
+test_suite('bind9')
+
+tap_test_program{name='resconf_test'}
diff --git a/lib/irs/tests/Makefile.in b/lib/irs/tests/Makefile.in
new file mode 100644
index 0000000..327d31d
--- /dev/null
+++ b/lib/irs/tests/Makefile.in
@@ -0,0 +1,51 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	-I. -Iinclude -I../include ${ISC_INCLUDES} ${IRS_INCLUDES} @CMOCKA_CFLAGS@
+CDEFINES =	-DTESTS="\"${top_builddir}/lib/irs/tests/\""
+
+CFGLIBS =	../../isccfg/libisccfg.@A@
+CFGDEPLIBS =	../../isccfg/libisccfg.@A@
+DNSLIBS =	../../dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+DNSDEPLIBS =	../../dns/libdns.@A@
+ISCLIBS =	../../isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+ISCDEPLIBS =	../../isc/libisc.@A@
+IRSLIBS =	../libirs.@A@
+IRSDEPLIBS =	../libirs.@A@
+
+LIBS =		${IRSLIBS} ${CFGLIBS} ${DNSLIBS} ${ISCLIBS} @LIBS@ @CMOCKA_LIBS@
+
+OBJS =
+SRCS =		resconf_test.c
+
+SUBDIRS =
+TARGETS =	resconf_test@EXEEXT@
+
+@BIND9_MAKE_RULES@
+
+resconf_test@EXEEXT@: resconf_test.@O@ ${CFGDEPLIBS} ${DNSDEPLIBS} ${IRSDEPLIBS} ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ resconf_test.@O@ ${LIBS}
+
+unit::
+	sh ${top_builddir}/unit/unittest.sh
+
+clean distclean::
+	rm -f ${TARGETS}
+	rm -f atf.out
diff --git a/lib/irs/tests/resconf_test.c b/lib/irs/tests/resconf_test.c
new file mode 100644
index 0000000..6951758
--- /dev/null
+++ b/lib/irs/tests/resconf_test.c
@@ -0,0 +1,142 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/mem.h>
+#include <isc/util.h>
+
+#include <irs/resconf.h>
+#include <irs/types.h>
+
+static isc_mem_t *mctx = NULL;
+
+static void
+setup_test() {
+	isc_mem_create(&mctx);
+
+	/*
+	 * the caller might run from another directory, but tests
+	 * that access test data files must first chdir to the proper
+	 * location.
+	 */
+	assert_return_code(chdir(TESTS), 0);
+}
+
+/* test irs_resconf_load() */
+static void
+irs_resconf_load_test(void **state) {
+	isc_result_t result;
+	irs_resconf_t *resconf = NULL;
+	unsigned int i;
+	struct {
+		const char *file;
+		isc_result_t loadres;
+		isc_result_t (*check)(irs_resconf_t *resconf);
+		isc_result_t checkres;
+	} tests[] = {
+		{ "testdata/domain.conf", ISC_R_SUCCESS, NULL, ISC_R_SUCCESS },
+		{ "testdata/nameserver-v4.conf", ISC_R_SUCCESS, NULL,
+		  ISC_R_SUCCESS },
+		{ "testdata/nameserver-v6.conf", ISC_R_SUCCESS, NULL,
+		  ISC_R_SUCCESS },
+		{ "testdata/nameserver-v6-scoped.conf", ISC_R_SUCCESS, NULL,
+		  ISC_R_SUCCESS },
+		{ "testdata/options-debug.conf", ISC_R_SUCCESS, NULL,
+		  ISC_R_SUCCESS },
+		{ "testdata/options-ndots.conf", ISC_R_SUCCESS, NULL,
+		  ISC_R_SUCCESS },
+		{ "testdata/options-timeout.conf", ISC_R_SUCCESS, NULL,
+		  ISC_R_SUCCESS },
+		{ "testdata/options-unknown.conf", ISC_R_SUCCESS, NULL,
+		  ISC_R_SUCCESS },
+		{ "testdata/options.conf", ISC_R_SUCCESS, NULL, ISC_R_SUCCESS },
+		{ "testdata/options-bad-ndots.conf", ISC_R_RANGE, NULL,
+		  ISC_R_SUCCESS },
+		{ "testdata/options-empty.conf", ISC_R_UNEXPECTEDEND, NULL,
+		  ISC_R_SUCCESS },
+		{ "testdata/port.conf", ISC_R_SUCCESS, NULL, ISC_R_SUCCESS },
+		{ "testdata/resolv.conf", ISC_R_SUCCESS, NULL, ISC_R_SUCCESS },
+		{ "testdata/search.conf", ISC_R_SUCCESS, NULL, ISC_R_SUCCESS },
+		{ "testdata/sortlist-v4.conf", ISC_R_SUCCESS, NULL,
+		  ISC_R_SUCCESS },
+		{ "testdata/timeout.conf", ISC_R_SUCCESS, NULL, ISC_R_SUCCESS },
+		{ "testdata/unknown.conf", ISC_R_SUCCESS, NULL, ISC_R_SUCCESS }
+	};
+
+	UNUSED(state);
+
+	setup_test();
+
+	for (i = 0; i < sizeof(tests) / sizeof(tests[1]); i++) {
+		result = irs_resconf_load(mctx, tests[i].file, &resconf);
+		if (result != tests[i].loadres) {
+			fail_msg("# unexpected result %s loading %s",
+				 isc_result_totext(result), tests[i].file);
+		}
+
+		if (result == ISC_R_SUCCESS && resconf == NULL) {
+			fail_msg("# NULL on success loading %s", tests[i].file);
+		} else if (result != ISC_R_SUCCESS && resconf != NULL) {
+			fail_msg("# non-NULL on failure loading %s",
+				 tests[i].file);
+		}
+
+		if (resconf != NULL && tests[i].check != NULL) {
+			result = (tests[i].check)(resconf);
+			if (result != tests[i].checkres) {
+				fail_msg("# unexpected result %s loading %s",
+					 isc_result_totext(result),
+					 tests[i].file);
+			}
+		}
+		if (resconf != NULL) {
+			irs_resconf_destroy(&resconf);
+		}
+	}
+
+	isc_mem_detach(&mctx);
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test(irs_resconf_load_test),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/irs/tests/testdata/domain.conf b/lib/irs/tests/testdata/domain.conf
new file mode 100644
index 0000000..ee43f5c
--- /dev/null
+++ b/lib/irs/tests/testdata/domain.conf
@@ -0,0 +1,12 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+domain example.com
diff --git a/lib/irs/tests/testdata/nameserver-v4.conf b/lib/irs/tests/testdata/nameserver-v4.conf
new file mode 100644
index 0000000..5054de0
--- /dev/null
+++ b/lib/irs/tests/testdata/nameserver-v4.conf
@@ -0,0 +1,12 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+nameserver 10.0.0.1
diff --git a/lib/irs/tests/testdata/nameserver-v6-scoped.conf b/lib/irs/tests/testdata/nameserver-v6-scoped.conf
new file mode 100644
index 0000000..d5bd97f
--- /dev/null
+++ b/lib/irs/tests/testdata/nameserver-v6-scoped.conf
@@ -0,0 +1,12 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+nameserver fe80::1%1
diff --git a/lib/irs/tests/testdata/nameserver-v6.conf b/lib/irs/tests/testdata/nameserver-v6.conf
new file mode 100644
index 0000000..b9ed093
--- /dev/null
+++ b/lib/irs/tests/testdata/nameserver-v6.conf
@@ -0,0 +1,12 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+nameserver 2001:DB8::1
diff --git a/lib/irs/tests/testdata/options-bad-ndots.conf b/lib/irs/tests/testdata/options-bad-ndots.conf
new file mode 100644
index 0000000..18d3f8b
--- /dev/null
+++ b/lib/irs/tests/testdata/options-bad-ndots.conf
@@ -0,0 +1,13 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+search example.com example.net
+options ndots:256
diff --git a/lib/irs/tests/testdata/options-debug.conf b/lib/irs/tests/testdata/options-debug.conf
new file mode 100644
index 0000000..04bcf2e
--- /dev/null
+++ b/lib/irs/tests/testdata/options-debug.conf
@@ -0,0 +1,12 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+options debug
diff --git a/lib/irs/tests/testdata/options-empty.conf b/lib/irs/tests/testdata/options-empty.conf
new file mode 100644
index 0000000..0b1dc9e
--- /dev/null
+++ b/lib/irs/tests/testdata/options-empty.conf
@@ -0,0 +1,13 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+domain example.com
+options
diff --git a/lib/irs/tests/testdata/options-ndots.conf b/lib/irs/tests/testdata/options-ndots.conf
new file mode 100644
index 0000000..5d18d26
--- /dev/null
+++ b/lib/irs/tests/testdata/options-ndots.conf
@@ -0,0 +1,12 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+option ndots:2
diff --git a/lib/irs/tests/testdata/options-timeout.conf b/lib/irs/tests/testdata/options-timeout.conf
new file mode 100644
index 0000000..96787c4
--- /dev/null
+++ b/lib/irs/tests/testdata/options-timeout.conf
@@ -0,0 +1,12 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+options timeout:1
diff --git a/lib/irs/tests/testdata/options-unknown.conf b/lib/irs/tests/testdata/options-unknown.conf
new file mode 100644
index 0000000..fdf82b4
--- /dev/null
+++ b/lib/irs/tests/testdata/options-unknown.conf
@@ -0,0 +1,12 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+options unknown
diff --git a/lib/irs/tests/testdata/options.conf b/lib/irs/tests/testdata/options.conf
new file mode 100644
index 0000000..7a8d5f3
--- /dev/null
+++ b/lib/irs/tests/testdata/options.conf
@@ -0,0 +1,12 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+options unknown debug timeout:1 ndots:2
diff --git a/lib/irs/tests/testdata/port.conf b/lib/irs/tests/testdata/port.conf
new file mode 100644
index 0000000..54e2094
--- /dev/null
+++ b/lib/irs/tests/testdata/port.conf
@@ -0,0 +1,12 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+port 5300
diff --git a/lib/irs/tests/testdata/resolv.conf b/lib/irs/tests/testdata/resolv.conf
new file mode 100644
index 0000000..3c14408
--- /dev/null
+++ b/lib/irs/tests/testdata/resolv.conf
@@ -0,0 +1,19 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+port 5300
+nameserver 10.0.0.1
+nameserver 2001:DB8::1
+search example.com example.net
+sortlist 130.155.160.0/255.255.240.0 130.155.0.0
+timeout 10
+unknown directive
+options unknown debug timeout:1 ndots:2
diff --git a/lib/irs/tests/testdata/search.conf b/lib/irs/tests/testdata/search.conf
new file mode 100644
index 0000000..f019ab9
--- /dev/null
+++ b/lib/irs/tests/testdata/search.conf
@@ -0,0 +1,12 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+search example.com example.net
diff --git a/lib/irs/tests/testdata/sortlist-v4.conf b/lib/irs/tests/testdata/sortlist-v4.conf
new file mode 100644
index 0000000..3f4d54a
--- /dev/null
+++ b/lib/irs/tests/testdata/sortlist-v4.conf
@@ -0,0 +1,12 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+sortlist 130.155.160.0/255.255.240.0 130.155.0.0
diff --git a/lib/irs/tests/testdata/timeout.conf b/lib/irs/tests/testdata/timeout.conf
new file mode 100644
index 0000000..2ccb92d
--- /dev/null
+++ b/lib/irs/tests/testdata/timeout.conf
@@ -0,0 +1,12 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+timeout 10
diff --git a/lib/irs/tests/testdata/unknown.conf b/lib/irs/tests/testdata/unknown.conf
new file mode 100644
index 0000000..0eafb76
--- /dev/null
+++ b/lib/irs/tests/testdata/unknown.conf
@@ -0,0 +1,12 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+unknown directive
diff --git a/lib/irs/version.c b/lib/irs/version.c
new file mode 100644
index 0000000..b0b4fd9
--- /dev/null
+++ b/lib/irs/version.c
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <irs/version.h>
+
+const char irs_version[] = VERSION;
diff --git a/lib/irs/win32/DLLMain.c b/lib/irs/win32/DLLMain.c
new file mode 100644
index 0000000..62c6e53
--- /dev/null
+++ b/lib/irs/win32/DLLMain.c
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <signal.h>
+#include <windows.h>
+
+/*
+ * Called when we enter the DLL
+ */
+__declspec(dllexport) BOOL WINAPI
+	DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
+	switch (fdwReason) {
+	/*
+	 * The DLL is loading due to process
+	 * initialization or a call to LoadLibrary.
+	 */
+	case DLL_PROCESS_ATTACH:
+		break;
+
+	/* The attached process creates a new thread.  */
+	case DLL_THREAD_ATTACH:
+		break;
+
+	/* The thread of the attached process terminates. */
+	case DLL_THREAD_DETACH:
+		break;
+
+	/*
+	 * The DLL is unloading from a process due to
+	 * process termination or a call to FreeLibrary.
+	 */
+	case DLL_PROCESS_DETACH:
+		break;
+
+	default:
+		break;
+	}
+	return (TRUE);
+}
diff --git a/lib/irs/win32/Makefile.in b/lib/irs/win32/Makefile.in
new file mode 100644
index 0000000..5641e1a
--- /dev/null
+++ b/lib/irs/win32/Makefile.in
@@ -0,0 +1,19 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	include
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/irs/win32/include/.clang-format b/lib/irs/win32/include/.clang-format
new file mode 120000
index 0000000..e919bba
--- /dev/null
+++ b/lib/irs/win32/include/.clang-format
@@ -0,0 +1 @@
+../../../../.clang-format.headers
\ No newline at end of file
diff --git a/lib/irs/win32/include/Makefile.in b/lib/irs/win32/include/Makefile.in
new file mode 100644
index 0000000..53a5348
--- /dev/null
+++ b/lib/irs/win32/include/Makefile.in
@@ -0,0 +1,19 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	irs
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/irs/win32/include/irs/Makefile.in b/lib/irs/win32/include/irs/Makefile.in
new file mode 100644
index 0000000..6d87432
--- /dev/null
+++ b/lib/irs/win32/include/irs/Makefile.in
@@ -0,0 +1,28 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+HEADERS =
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/irs
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/irs || exit 1; \
+	done
diff --git a/lib/irs/win32/include/irs/netdb.h b/lib/irs/win32/include/irs/netdb.h
new file mode 100644
index 0000000..3e3e5d3
--- /dev/null
+++ b/lib/irs/win32/include/irs/netdb.h
@@ -0,0 +1,207 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#ifndef IRS_NETDB_H
+#define IRS_NETDB_H 1
+
+#include <stddef.h> /* Required on FreeBSD (and  others?) for size_t. */
+
+/*
+ * Define if <netdb.h> does not declare struct addrinfo.
+ */
+#undef ISC_IRS_NEEDADDRINFO
+
+#ifdef ISC_IRS_NEEDADDRINFO
+struct addrinfo {
+	int ai_flags;		       /* AI_PASSIVE, AI_CANONNAME */
+	int ai_family;		       /* PF_xxx */
+	int ai_socktype;	       /* SOCK_xxx */
+	int ai_protocol;	       /* 0 or IPPROTO_xxx for IPv4 and
+					* IPv6 */
+	size_t		 ai_addrlen;   /* Length of ai_addr */
+	char		*ai_canonname; /* Canonical name for hostname */
+	struct sockaddr *ai_addr;      /* Binary address */
+	struct addrinfo *ai_next;      /* Next structure in linked list */
+};
+#endif /* ifdef ISC_IRS_NEEDADDRINFO */
+
+/*
+ * Undefine all #defines we are interested in as <netdb.h> may or may not have
+ * defined them.
+ */
+
+/*
+ * Error return codes from gethostbyname() and gethostbyaddr()
+ * (left in extern int h_errno).
+ */
+
+#undef NETDB_INTERNAL
+#undef NETDB_SUCCESS
+#undef HOST_NOT_FOUND
+#undef TRY_AGAIN
+#undef NO_RECOVERY
+#undef NO_DATA
+#undef NO_ADDRESS
+
+#define NETDB_INTERNAL -1 /* see errno */
+#define NETDB_SUCCESS  0  /* no problem */
+#define HOST_NOT_FOUND 1  /* Authoritative Answer Host not found */
+#define TRY_AGAIN      2  /* Non-Authoritive Host not found, or SERVERFAIL */
+#define NO_RECOVERY    3  /* Non recoverable errors, FORMERR, REFUSED, NOTIMP */
+#define NO_DATA	       4  /* Valid name, no data record of requested type */
+#define NO_ADDRESS     NO_DATA /* no address, look for MX record */
+
+/*
+ * Error return codes from getaddrinfo().  EAI_INSECUREDATA is our own extension
+ * and it's very unlikely to be already defined, but undef it just in case; it
+ * at least doesn't do any harm.
+ */
+
+#undef EAI_ADDRFAMILY
+#undef EAI_AGAIN
+#undef EAI_BADFLAGS
+#undef EAI_FAIL
+#undef EAI_FAMILY
+#undef EAI_MEMORY
+#undef EAI_NODATA
+#undef EAI_NONAME
+#undef EAI_SERVICE
+#undef EAI_SOCKTYPE
+#undef EAI_SYSTEM
+#undef EAI_BADHINTS
+#undef EAI_PROTOCOL
+#undef EAI_OVERFLOW
+#undef EAI_INSECUREDATA
+#undef EAI_MAX
+
+#define EAI_ADDRFAMILY	 1  /* address family for hostname not supported */
+#define EAI_AGAIN	 2  /* temporary failure in name resolution */
+#define EAI_BADFLAGS	 3  /* invalid value for ai_flags */
+#define EAI_FAIL	 4  /* non-recoverable failure in name resolution */
+#define EAI_FAMILY	 5  /* ai_family not supported */
+#define EAI_MEMORY	 6  /* memory allocation failure */
+#define EAI_NODATA	 7  /* no address associated with hostname */
+#define EAI_NONAME	 8  /* hostname nor servname provided, or not known */
+#define EAI_SERVICE	 9  /* servname not supported for ai_socktype */
+#define EAI_SOCKTYPE	 10 /* ai_socktype not supported */
+#define EAI_SYSTEM	 11 /* system error returned in errno */
+#define EAI_BADHINTS	 12
+#define EAI_PROTOCOL	 13
+#define EAI_OVERFLOW	 14
+#define EAI_INSECUREDATA 15
+#define EAI_MAX		 16
+
+/*
+ * Flag values for getaddrinfo()
+ */
+#undef AI_PASSIVE
+#undef AI_CANONNAME
+#undef AI_NUMERICHOST
+
+#define AI_PASSIVE     0x00000001
+#define AI_CANONNAME   0x00000002
+#define AI_NUMERICHOST 0x00000004
+
+/*
+ * Flag values for getipnodebyname()
+ */
+#undef AI_V4MAPPED
+#undef AI_ALL
+#undef AI_ADDRCONFIG
+#undef AI_DEFAULT
+
+#define AI_V4MAPPED   0x00000008
+#define AI_ALL	      0x00000010
+#define AI_ADDRCONFIG 0x00000020
+#define AI_DEFAULT    (AI_V4MAPPED | AI_ADDRCONFIG)
+
+/*
+ * Constants for getnameinfo()
+ */
+#undef NI_MAXHOST
+#undef NI_MAXSERV
+
+#define NI_MAXHOST 1025
+#define NI_MAXSERV 32
+
+/*
+ * Flag values for getnameinfo()
+ */
+#undef NI_NOFQDN
+#undef NI_NUMERICHOST
+#undef NI_NAMEREQD
+#undef NI_NUMERICSERV
+#undef NI_DGRAM
+#undef NI_NUMERICSCOPE
+
+#define NI_NOFQDN      0x00000001
+#define NI_NUMERICHOST 0x00000002
+#define NI_NAMEREQD    0x00000004
+#define NI_NUMERICSERV 0x00000008
+#define NI_DGRAM       0x00000010
+
+/*
+ * Define to map into irs_ namespace.
+ */
+
+#define IRS_NAMESPACE
+
+#ifdef IRS_NAMESPACE
+
+/*
+ * Use our versions not the ones from the C library.
+ */
+
+#ifdef getnameinfo
+#undef getnameinfo
+#endif /* ifdef getnameinfo */
+#define getnameinfo irs_getnameinfo
+
+#ifdef getaddrinfo
+#undef getaddrinfo
+#endif /* ifdef getaddrinfo */
+#define getaddrinfo irs_getaddrinfo
+
+#ifdef freeaddrinfo
+#undef freeaddrinfo
+#endif /* ifdef freeaddrinfo */
+#define freeaddrinfo irs_freeaddrinfo
+
+#ifdef gai_strerror
+#undef gai_strerror
+#endif /* ifdef gai_strerror */
+#define gai_strerror irs_gai_strerror
+
+#endif /* ifdef IRS_NAMESPACE */
+
+int
+getaddrinfo(const char *, const char *, const struct addrinfo *,
+	    struct addrinfo **);
+int
+getnameinfo(const struct sockaddr *, socklen_t, char *, DWORD, char *, DWORD,
+	    int);
+void
+freeaddrinfo(struct addrinfo *);
+char *
+gai_strerror(int);
+
+/*
+ * Tell Emacs to use C mode on this file.
+ * Local variables:
+ * mode: c
+ * End:
+ */
+
+#endif /* IRS_NETDB_H */
diff --git a/lib/irs/win32/include/irs/platform.h b/lib/irs/win32/include/irs/platform.h
new file mode 100644
index 0000000..2f0cced
--- /dev/null
+++ b/lib/irs/win32/include/irs/platform.h
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#ifndef IRS_PLATFORM_H
+#define IRS_PLATFORM_H 1
+
+/*****
+***** Platform-dependent defines.
+*****/
+
+#ifdef LIBIRS_EXPORTS
+#define LIBIRS_EXTERNAL_DATA __declspec(dllexport)
+#else /* ifdef LIBIRS_EXPORTS */
+#define LIBIRS_EXTERNAL_DATA __declspec(dllimport)
+#endif /* ifdef LIBIRS_EXPORTS */
+
+/*
+ * Tell Emacs to use C mode on this file.
+ * Local Variables:
+ * mode: c
+ * End:
+ */
+
+#endif /* IRS_PLATFORM_H */
diff --git a/lib/irs/win32/libirs.def b/lib/irs/win32/libirs.def
new file mode 100644
index 0000000..d4e9f6f
--- /dev/null
+++ b/lib/irs/win32/libirs.def
@@ -0,0 +1,27 @@
+LIBRARY libirs
+
+; Exported Functions
+EXPORTS
+irs_context_create
+irs_context_destroy
+irs_context_get
+irs_context_getappctx
+irs_context_getdnsclient
+irs_context_getdnsconf
+irs_context_getmctx
+irs_context_getresconf
+irs_context_gettask
+irs_context_gettaskmgr
+irs_context_gettimermgr
+irs_dnsconf_destroy
+irs_dnsconf_gettrustedkeys
+irs_dnsconf_load
+irs_freeaddrinfo
+irs_gai_strerror
+irs_getaddrinfo
+irs_getnameinfo
+irs_resconf_destroy
+irs_resconf_getnameservers
+irs_resconf_getndots
+irs_resconf_getsearchlist
+irs_resconf_load
diff --git a/lib/irs/win32/libirs.vcxproj.filters.in b/lib/irs/win32/libirs.vcxproj.filters.in
new file mode 100644
index 0000000..0ffbc07
--- /dev/null
+++ b/lib/irs/win32/libirs.vcxproj.filters.in
@@ -0,0 +1,69 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="libirs.def" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="DLLMain.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="version.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\context.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\dnsconf.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\gai_strerror.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\getaddrinfo.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\getnameinfo.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="resconf.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\include\irs\context.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\irs\dnsconf.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\irs\netdb.h.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\irs\platform.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\irs\resconf.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\irs\types.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\irs\version.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+</Project>
diff --git a/lib/irs/win32/libirs.vcxproj.in b/lib/irs/win32/libirs.vcxproj.in
new file mode 100644
index 0000000..078ec92
--- /dev/null
+++ b/lib/irs/win32/libirs.vcxproj.in
@@ -0,0 +1,142 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{A4F29CEB-7644-4A7F-BE9E-02B6A90E4919}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>libirs</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;LIBIRS_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\isccfg\include;..\..\dns\include;@LIBXML2_INC@@OPENSSL_INC@@GEOIP_INC@%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <AdditionalLibraryDirectories>..\..\isc\win32\$(Configuration);..\..\dns\win32\$(Configuration);..\..\isccfg\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;libdns.lib;libisccfg.lib;ws2_32.lib;iphlpapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <ModuleDefinitionFile>.\libirs.def</ModuleDefinitionFile>
+      <ImportLibrary>.\$(Configuration)\$(ProjectName).lib</ImportLibrary>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;LIBIRS_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\isccfg\include;..\..\dns\include;@LIBXML2_INC@@OPENSSL_INC@@GEOIP_INC@%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <AdditionalLibraryDirectories>..\..\isc\win32\$(Configuration);..\..\dns\win32\$(Configuration);..\..\isccfg\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;libdns.lib;libisccfg.lib;ws2_32.lib;iphlpapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <ModuleDefinitionFile>.\libirs.def</ModuleDefinitionFile>
+      <ImportLibrary>.\$(Configuration)\$(ProjectName).lib</ImportLibrary>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <None Include="libirs.def" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\context.c" />
+    <ClCompile Include="..\dnsconf.c" />
+    <ClCompile Include="..\gai_strerror.c" />
+    <ClCompile Include="..\getaddrinfo.c" />
+    <ClCompile Include="..\getnameinfo.c" />
+    <ClCompile Include="DLLMain.c" />
+    <ClCompile Include="resconf.c" />
+    <ClCompile Include="version.c" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\include\irs\context.h" />
+    <ClInclude Include="..\include\irs\dnsconf.h" />
+    <ClInclude Include="..\include\irs\netdb.h" />
+    <ClInclude Include="..\include\irs\platform.h" />
+    <ClInclude Include="..\include\irs\resconf.h" />
+    <ClInclude Include="..\include\irs\types.h" />
+    <ClInclude Include="..\include\irs\version.h" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/lib/irs/win32/libirs.vcxproj.user b/lib/irs/win32/libirs.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/lib/irs/win32/libirs.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/lib/irs/win32/resconf.c b/lib/irs/win32/resconf.c
new file mode 100644
index 0000000..3b46b8e
--- /dev/null
+++ b/lib/irs/win32/resconf.c
@@ -0,0 +1,130 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Note that on Win32 there is normally no resolv.conf since all information
+ * is stored in the registry. Therefore there is no ordering like the
+ * contents of resolv.conf. Since the "search" or "domain" keyword, on
+ * Win32 if a search list is found it is used, otherwise the domain name
+ * is used since they are mutually exclusive. The search list can be entered
+ * in the DNS tab of the "Advanced TCP/IP settings" window under the same place
+ * that you add your nameserver list.
+ */
+
+#define HAVE_GET_WIN32_NAMESERVERS 1
+
+#include "../resconf.c"
+#include <iphlpapi.h>
+
+#define TCPIP_SUBKEY "SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters"
+
+isc_result_t
+get_win32_searchlist(irs_resconf_t *conf) {
+	isc_result_t result = ISC_R_SUCCESS;
+	HKEY hKey;
+	char searchlist[MAX_PATH];
+	DWORD searchlen = MAX_PATH;
+	LSTATUS status;
+	char *cp;
+
+	REQUIRE(conf != NULL);
+
+	memset(searchlist, 0, MAX_PATH);
+	status = RegOpenKeyEx(HKEY_LOCAL_MACHINE, TCPIP_SUBKEY, 0, KEY_READ,
+			      &hKey);
+	if (status != ERROR_SUCCESS) {
+		return (ISC_R_SUCCESS);
+	}
+
+	status = RegQueryValueEx(hKey, "SearchList", NULL, NULL,
+				 (LPBYTE)searchlist, &searchlen);
+	RegCloseKey(hKey);
+	if (status != ERROR_SUCCESS) {
+		return (ISC_R_SUCCESS);
+	}
+
+	cp = strtok((char *)searchlist, ", \0");
+	while (cp != NULL) {
+		result = add_search(conf, cp);
+		if (result != ISC_R_SUCCESS) {
+			break;
+		}
+		cp = strtok(NULL, ", \0");
+	}
+	return (result);
+}
+
+isc_result_t
+get_win32_nameservers(irs_resconf_t *conf) {
+	isc_result_t result;
+	FIXED_INFO *FixedInfo;
+	ULONG BufLen = sizeof(FIXED_INFO);
+	DWORD dwRetVal;
+	IP_ADDR_STRING *pIPAddr;
+
+	REQUIRE(conf != NULL);
+
+	FixedInfo = (FIXED_INFO *)GlobalAlloc(GPTR, BufLen);
+	if (FixedInfo == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+	dwRetVal = GetNetworkParams(FixedInfo, &BufLen);
+	if (dwRetVal == ERROR_BUFFER_OVERFLOW) {
+		GlobalFree(FixedInfo);
+		FixedInfo = GlobalAlloc(GPTR, BufLen);
+		if (FixedInfo == NULL) {
+			return (ISC_R_NOMEMORY);
+		}
+		dwRetVal = GetNetworkParams(FixedInfo, &BufLen);
+	}
+	if (dwRetVal != ERROR_SUCCESS) {
+		GlobalFree(FixedInfo);
+		return (ISC_R_FAILURE);
+	}
+
+	result = get_win32_searchlist(conf);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	if (ISC_LIST_EMPTY(conf->searchlist) &&
+	    strlen(FixedInfo->DomainName) > 0)
+	{
+		result = add_search(conf, FixedInfo->DomainName);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+	}
+
+	/* Get the list of nameservers */
+	pIPAddr = &FixedInfo->DnsServerList;
+	while (pIPAddr) {
+		if (conf->numns >= RESCONFMAXNAMESERVERS) {
+			break;
+		}
+
+		result = add_server(conf->mctx, pIPAddr->IpAddress.String,
+				    &conf->nameservers);
+		if (result != ISC_R_SUCCESS) {
+			break;
+		}
+		conf->numns++;
+		pIPAddr = pIPAddr->Next;
+	}
+
+cleanup:
+	if (FixedInfo != NULL) {
+		GlobalFree(FixedInfo);
+	}
+	return (result);
+}
diff --git a/lib/irs/win32/version.c b/lib/irs/win32/version.c
new file mode 100644
index 0000000..3c635ad
--- /dev/null
+++ b/lib/irs/win32/version.c
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <versions.h>
+
+#include <irs/version.h>
+
+LIBIRS_EXTERNAL_DATA const char irs_version[] = VERSION;
diff --git a/lib/isc/Kyuafile b/lib/isc/Kyuafile
new file mode 100644
index 0000000..c796010
--- /dev/null
+++ b/lib/isc/Kyuafile
@@ -0,0 +1,15 @@
+-- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+--
+-- SPDX-License-Identifier: MPL-2.0
+--
+-- This Source Code Form is subject to the terms of the Mozilla Public
+-- License, v. 2.0.  If a copy of the MPL was not distributed with this
+-- file, you can obtain one at https://mozilla.org/MPL/2.0/.
+--
+-- See the COPYRIGHT file distributed with this work for additional
+-- information regarding copyright ownership.
+
+syntax(2)
+test_suite('bind9')
+
+include('tests/Kyuafile')
diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in
new file mode 100644
index 0000000..08f1281
--- /dev/null
+++ b/lib/isc/Makefile.in
@@ -0,0 +1,144 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	-I${srcdir}/unix/include \
+		-I${srcdir}/pthreads/include \
+		-I./include \
+		-I${srcdir}/include \
+		-I${srcdir} \
+		${DNS_INCLUDES} \
+		${OPENSSL_CFLAGS} \
+		${JSON_C_CFLAGS} \
+		${LIBXML2_CFLAGS} \
+		${LIBUV_CFLAGS} \
+		${ZLIB_CFLAGS}
+CDEFINES =
+CWARNINGS =
+
+# Alphabetically
+UNIXOBJS =	unix/pk11_api.@O@ \
+		unix/dir.@O@ unix/errno.@O@ \
+		unix/errno2result.@O@ unix/file.@O@ unix/fsaccess.@O@ \
+		unix/interfaceiter.@O@ unix/meminfo.@O@ \
+		unix/net.@O@ unix/os.@O@ unix/resource.@O@ unix/socket.@O@ \
+		unix/stdio.@O@ unix/stdtime.@O@ \
+		unix/syslog.@O@ unix/time.@O@
+
+THREADOBJS =	pthreads/condition.@O@ pthreads/mutex.@O@ pthreads/thread.@O@
+
+WIN32OBJS = 	win32/condition.@O@ win32/dir.@O@ win32/errno.@O@ \
+		win32/file.@O@ win32/fsaccess.@O@ \
+		win32/meminfo.@O@ win32/once.@O@ \
+		win32/stdtime.@O@ win32/thread.@O@ win32/time.@O@
+
+# Alphabetically
+OBJS =		pk11.@O@ pk11_result.@O@ \
+		aes.@O@ app.@O@ assertions.@O@ astack.@O@ \
+		backtrace.@O@ base32.@O@ base64.@O@ \
+		bind9.@O@ buffer.@O@ bufferlist.@O@ \
+		commandline.@O@ counter.@O@ crc64.@O@ error.@O@ entropy.@O@ \
+		event.@O@ hash.@O@ ht.@O@ heap.@O@ hex.@O@ \
+		hmac.@O@ httpd.@O@ iterated_hash.@O@ \
+		lex.@O@ lfsr.@O@ lib.@O@ log.@O@ \
+		managers.@O@ md.@O@ mem.@O@ mutexblock.@O@ \
+		netmgr/netmgr.@O@ netmgr/tcp.@O@ netmgr/udp.@O@ \
+		netmgr/tcpdns.@O@ \
+		netmgr/uverr2result.@O@ netmgr/uv-compat.@O@ \
+		netaddr.@O@ netscope.@O@ nonce.@O@ openssl_shim.@O@ pool.@O@ \
+		parseint.@O@ portset.@O@ quota.@O@ \
+		radix.@O@ random.@O@ ratelimiter.@O@ \
+		region.@O@ regex.@O@ result.@O@ rwlock.@O@ \
+		safe.@O@ serial.@O@ siphash.@O@ sockaddr.@O@ stats.@O@ \
+		string.@O@ symtab.@O@ task.@O@ taskpool.@O@ tls.@O@ \
+		trampoline.@O@ \
+		url.@O@ utf8.@O@ tm.@O@ timer.@O@ version.@O@ \
+		${UNIXOBJS} ${THREADOBJS}
+SYMTBLOBJS =	backtrace-emptytbl.@O@
+
+# Alphabetically
+SRCS =		pk11.c pk11_result.c \
+		aes.c app.c assertions.c astack.c \
+		backtrace.c base32.c base64.c bind9.c \
+		buffer.c bufferlist.c commandline.c counter.c crc64.c \
+		entropy.c error.c event.c hash.c ht.c heap.c \
+		hex.c hmac.c httpd.c iterated_hash.c \
+		lex.c lfsr.c lib.c log.c \
+		managers.c md.c mem.c mutexblock.c \
+		netaddr.c netscope.c nonce.c openssl_shim.c pool.c \
+		parseint.c portset.c quota.c radix.c random.c \
+		ratelimiter.c region.c regex.c result.c rwlock.c \
+		safe.c serial.c siphash.c sockaddr.c stats.c string.c \
+		symtab.c task.c taskpool.c timer.c tls.c \
+		trampoline.c \
+		url.c utf8.c tm.c version.c
+
+LIBS =		${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBUV_LIBS} ${LIBXML2_LIBS} ${ZLIB_LIBS} @LIBS@
+
+# Note: the order of SUBDIRS is important.
+# Attempt to disable parallel processing.
+.NOTPARALLEL:
+.NO_PARALLEL:
+SUBDIRS =	include netmgr unix pthreads
+TARGETS =	timestamp
+TESTDIRS =	@UNITTESTS@
+
+@BIND9_MAKE_RULES@
+
+version.@O@: version.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+		-DVERSION=\"${VERSION}\" \
+		-c ${srcdir}/version.c
+
+libisc.@SA@: ${OBJS} ${SYMTBLOBJS}
+	${AR} ${ARFLAGS} $@ ${OBJS} ${SYMTBLOBJS}
+	${RANLIB} $@
+
+libisc-nosymtbl.@SA@: ${OBJS}
+	${AR} ${ARFLAGS} $@ ${OBJS}
+	${RANLIB} $@
+
+libisc.la: ${OBJS} ${SYMTBLOBJS}
+	${LIBTOOL_MODE_LINK} \
+		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc.la -rpath ${libdir} \
+		-release "${VERSION}" \
+		${OBJS} ${SYMTBLOBJS} ${LIBS}
+
+libisc-nosymtbl.la: ${OBJS}
+	${LIBTOOL_MODE_LINK} \
+		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-nosymtbl.la -rpath ${libdir} \
+		-release "${VERSION}" \
+		${OBJS} ${LIBS}
+
+timestamp: libisc.@A@ libisc-nosymtbl.@A@
+	touch timestamp
+
+testdirs: libisc.@A@ libisc-nosymtbl.@A@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
+
+install:: timestamp installdirs
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libisc.@A@ ${DESTDIR}${libdir}
+
+uninstall::
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libisc.@A@
+
+clean distclean::
+	rm -f libisc.@A@ libisc-nosymtbl.@A@ libisc.la \
+	libisc-nosymtbl.la timestamp
diff --git a/lib/isc/aes.c b/lib/isc/aes.c
new file mode 100644
index 0000000..a0e23c5
--- /dev/null
+++ b/lib/isc/aes.c
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file isc/aes.c */
+
+#include <openssl/evp.h>
+#include <openssl/opensslv.h>
+
+#include <isc/aes.h>
+#include <isc/assertions.h>
+#include <isc/platform.h>
+#include <isc/string.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+void
+isc_aes128_crypt(const unsigned char *key, const unsigned char *in,
+		 unsigned char *out) {
+	EVP_CIPHER_CTX *c;
+	int len;
+
+	c = EVP_CIPHER_CTX_new();
+	RUNTIME_CHECK(c != NULL);
+	RUNTIME_CHECK(EVP_EncryptInit(c, EVP_aes_128_ecb(), key, NULL) == 1);
+	EVP_CIPHER_CTX_set_padding(c, 0);
+	RUNTIME_CHECK(
+		EVP_EncryptUpdate(c, out, &len, in, ISC_AES_BLOCK_LENGTH) == 1);
+	RUNTIME_CHECK(len == ISC_AES_BLOCK_LENGTH);
+	EVP_CIPHER_CTX_free(c);
+}
+
+void
+isc_aes192_crypt(const unsigned char *key, const unsigned char *in,
+		 unsigned char *out) {
+	EVP_CIPHER_CTX *c;
+	int len;
+
+	c = EVP_CIPHER_CTX_new();
+	RUNTIME_CHECK(c != NULL);
+	RUNTIME_CHECK(EVP_EncryptInit(c, EVP_aes_192_ecb(), key, NULL) == 1);
+	EVP_CIPHER_CTX_set_padding(c, 0);
+	RUNTIME_CHECK(
+		EVP_EncryptUpdate(c, out, &len, in, ISC_AES_BLOCK_LENGTH) == 1);
+	RUNTIME_CHECK(len == ISC_AES_BLOCK_LENGTH);
+	EVP_CIPHER_CTX_free(c);
+}
+
+void
+isc_aes256_crypt(const unsigned char *key, const unsigned char *in,
+		 unsigned char *out) {
+	EVP_CIPHER_CTX *c;
+	int len;
+
+	c = EVP_CIPHER_CTX_new();
+	RUNTIME_CHECK(c != NULL);
+	RUNTIME_CHECK(EVP_EncryptInit(c, EVP_aes_256_ecb(), key, NULL) == 1);
+	EVP_CIPHER_CTX_set_padding(c, 0);
+	RUNTIME_CHECK(
+		EVP_EncryptUpdate(c, out, &len, in, ISC_AES_BLOCK_LENGTH) == 1);
+	RUNTIME_CHECK(len == ISC_AES_BLOCK_LENGTH);
+	EVP_CIPHER_CTX_free(c);
+}
diff --git a/lib/isc/app.c b/lib/isc/app.c
new file mode 100644
index 0000000..a3cc7f6
--- /dev/null
+++ b/lib/isc/app.c
@@ -0,0 +1,544 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <errno.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#ifndef WIN32
+#include <inttypes.h>
+#include <signal.h>
+#include <sys/time.h>
+#endif /* WIN32 */
+
+#include <isc/app.h>
+#include <isc/atomic.h>
+#include <isc/condition.h>
+#include <isc/event.h>
+#include <isc/mem.h>
+#include <isc/mutex.h>
+#include <isc/platform.h>
+#include <isc/strerr.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/thread.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#ifdef WIN32
+#include <process.h>
+#else /* WIN32 */
+#include <pthread.h>
+#endif /* WIN32 */
+
+/*%
+ * For BIND9 internal applications built with threads, we use a single app
+ * context and let multiple worker, I/O, timer threads do actual jobs.
+ */
+
+static isc_thread_t blockedthread;
+static atomic_bool is_running = 0;
+
+#ifdef WIN32
+/*
+ * We need to remember which thread is the main thread...
+ */
+static isc_thread_t main_thread;
+#endif /* ifdef WIN32 */
+
+/*
+ * The application context of this module.
+ */
+#define APPCTX_MAGIC	ISC_MAGIC('A', 'p', 'c', 'x')
+#define VALID_APPCTX(c) ISC_MAGIC_VALID(c, APPCTX_MAGIC)
+
+#ifdef WIN32
+#define NUM_EVENTS 2
+
+enum { RELOAD_EVENT, SHUTDOWN_EVENT };
+#endif /* WIN32 */
+
+struct isc_appctx {
+	unsigned int magic;
+	isc_mem_t *mctx;
+	isc_mutex_t lock;
+	isc_eventlist_t on_run;
+	atomic_bool shutdown_requested;
+	atomic_bool running;
+	atomic_bool want_shutdown;
+	atomic_bool want_reload;
+	atomic_bool blocked;
+#ifdef WIN32
+	HANDLE hEvents[NUM_EVENTS];
+#else  /* WIN32 */
+	isc_mutex_t readylock;
+	isc_condition_t ready;
+#endif /* WIN32 */
+};
+
+static isc_appctx_t isc_g_appctx;
+
+#ifndef WIN32
+static void
+handle_signal(int sig, void (*handler)(int)) {
+	struct sigaction sa;
+
+	memset(&sa, 0, sizeof(sa));
+	sa.sa_handler = handler;
+
+	if (sigfillset(&sa.sa_mask) != 0 || sigaction(sig, &sa, NULL) < 0) {
+		char strbuf[ISC_STRERRORSIZE];
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		isc_error_fatal(__FILE__, __LINE__,
+				"handle_signal() %d setup: %s", sig, strbuf);
+	}
+}
+#endif /* ifndef WIN32 */
+
+isc_result_t
+isc_app_ctxstart(isc_appctx_t *ctx) {
+	REQUIRE(VALID_APPCTX(ctx));
+
+	/*
+	 * Start an ISC library application.
+	 */
+
+	isc_mutex_init(&ctx->lock);
+
+#ifndef WIN32
+	isc_mutex_init(&ctx->readylock);
+	isc_condition_init(&ctx->ready);
+#endif /* WIN32 */
+
+	ISC_LIST_INIT(ctx->on_run);
+
+	atomic_init(&ctx->shutdown_requested, false);
+	atomic_init(&ctx->running, false);
+	atomic_init(&ctx->want_shutdown, false);
+	atomic_init(&ctx->want_reload, false);
+	atomic_init(&ctx->blocked, false);
+
+#ifdef WIN32
+	main_thread = GetCurrentThread();
+
+	/* Create the reload event in a non-signaled state */
+	ctx->hEvents[RELOAD_EVENT] = CreateEvent(NULL, FALSE, FALSE, NULL);
+
+	/* Create the shutdown event in a non-signaled state */
+	ctx->hEvents[SHUTDOWN_EVENT] = CreateEvent(NULL, FALSE, FALSE, NULL);
+#else /* WIN32 */
+	int presult;
+	sigset_t sset;
+	char strbuf[ISC_STRERRORSIZE];
+
+	/*
+	 * Always ignore SIGPIPE.
+	 */
+	handle_signal(SIGPIPE, SIG_IGN);
+
+	handle_signal(SIGHUP, SIG_DFL);
+	handle_signal(SIGTERM, SIG_DFL);
+	handle_signal(SIGINT, SIG_DFL);
+
+	/*
+	 * Block SIGHUP, SIGINT, SIGTERM.
+	 *
+	 * If isc_app_start() is called from the main thread before any other
+	 * threads have been created, then the pthread_sigmask() call below
+	 * will result in all threads having SIGHUP, SIGINT and SIGTERM
+	 * blocked by default, ensuring that only the thread that calls
+	 * sigwait() for them will get those signals.
+	 */
+	if (sigemptyset(&sset) != 0 || sigaddset(&sset, SIGHUP) != 0 ||
+	    sigaddset(&sset, SIGINT) != 0 || sigaddset(&sset, SIGTERM) != 0)
+	{
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		isc_error_fatal(__FILE__, __LINE__,
+				"isc_app_start() sigsetops: %s", strbuf);
+	}
+	presult = pthread_sigmask(SIG_BLOCK, &sset, NULL);
+	if (presult != 0) {
+		strerror_r(presult, strbuf, sizeof(strbuf));
+		isc_error_fatal(__FILE__, __LINE__,
+				"isc_app_start() pthread_sigmask: %s", strbuf);
+	}
+
+#endif /* WIN32 */
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_app_start(void) {
+	isc_g_appctx.magic = APPCTX_MAGIC;
+	isc_g_appctx.mctx = NULL;
+	/* The remaining members will be initialized in ctxstart() */
+
+	return (isc_app_ctxstart(&isc_g_appctx));
+}
+
+isc_result_t
+isc_app_onrun(isc_mem_t *mctx, isc_task_t *task, isc_taskaction_t action,
+	      void *arg) {
+	return (isc_app_ctxonrun(&isc_g_appctx, mctx, task, action, arg));
+}
+
+isc_result_t
+isc_app_ctxonrun(isc_appctx_t *ctx, isc_mem_t *mctx, isc_task_t *task,
+		 isc_taskaction_t action, void *arg) {
+	isc_event_t *event;
+	isc_task_t *cloned_task = NULL;
+
+	if (atomic_load_acquire(&ctx->running)) {
+		return (ISC_R_ALREADYRUNNING);
+	}
+
+	/*
+	 * Note that we store the task to which we're going to send the event
+	 * in the event's "sender" field.
+	 */
+	isc_task_attach(task, &cloned_task);
+	event = isc_event_allocate(mctx, cloned_task, ISC_APPEVENT_SHUTDOWN,
+				   action, arg, sizeof(*event));
+
+	LOCK(&ctx->lock);
+	ISC_LINK_INIT(event, ev_link);
+	ISC_LIST_APPEND(ctx->on_run, event, ev_link);
+	UNLOCK(&ctx->lock);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_app_ctxrun(isc_appctx_t *ctx) {
+	isc_event_t *event, *next_event;
+	isc_task_t *task;
+
+	REQUIRE(VALID_APPCTX(ctx));
+
+#ifdef WIN32
+	REQUIRE(main_thread == GetCurrentThread());
+#endif /* ifdef WIN32 */
+
+	if (atomic_compare_exchange_strong_acq_rel(&ctx->running,
+						   &(bool){ false }, true))
+	{
+		/*
+		 * Post any on-run events (in FIFO order).
+		 */
+		LOCK(&ctx->lock);
+		for (event = ISC_LIST_HEAD(ctx->on_run); event != NULL;
+		     event = next_event)
+		{
+			next_event = ISC_LIST_NEXT(event, ev_link);
+			ISC_LIST_UNLINK(ctx->on_run, event, ev_link);
+			task = event->ev_sender;
+			event->ev_sender = NULL;
+			isc_task_sendanddetach(&task, &event);
+		}
+		UNLOCK(&ctx->lock);
+	}
+
+#ifndef WIN32
+	/*
+	 * BIND9 internal tools using multiple contexts do not
+	 * rely on signal. */
+	if (isc_bind9 && ctx != &isc_g_appctx) {
+		return (ISC_R_SUCCESS);
+	}
+#endif /* WIN32 */
+
+	/*
+	 * There is no danger if isc_app_shutdown() is called before we
+	 * wait for signals.  Signals are blocked, so any such signal will
+	 * simply be made pending and we will get it when we call
+	 * sigwait().
+	 */
+	while (!atomic_load_acquire(&ctx->want_shutdown)) {
+#ifdef WIN32
+		DWORD dwWaitResult = WaitForMultipleObjects(
+			NUM_EVENTS, ctx->hEvents, FALSE, INFINITE);
+
+		/* See why we returned */
+
+		if (WaitSucceeded(dwWaitResult, NUM_EVENTS)) {
+			/*
+			 * The return was due to one of the events
+			 * being signaled
+			 */
+			switch (WaitSucceededIndex(dwWaitResult)) {
+			case RELOAD_EVENT:
+				atomic_store_release(&ctx->want_reload, true);
+
+				break;
+
+			case SHUTDOWN_EVENT:
+				atomic_store_release(&ctx->want_shutdown, true);
+				break;
+			}
+		}
+#else  /* WIN32 */
+		if (isc_bind9) {
+			sigset_t sset;
+			int sig;
+			/*
+			 * BIND9 internal; single context:
+			 * Wait for SIGHUP, SIGINT, or SIGTERM.
+			 */
+			if (sigemptyset(&sset) != 0 ||
+			    sigaddset(&sset, SIGHUP) != 0 ||
+			    sigaddset(&sset, SIGINT) != 0 ||
+			    sigaddset(&sset, SIGTERM) != 0)
+			{
+				char strbuf[ISC_STRERRORSIZE];
+				strerror_r(errno, strbuf, sizeof(strbuf));
+				isc_error_fatal(__FILE__, __LINE__,
+						"isc_app_run() sigsetops: %s",
+						strbuf);
+			}
+
+			if (sigwait(&sset, &sig) == 0) {
+				switch (sig) {
+				case SIGINT:
+				case SIGTERM:
+					atomic_store_release(
+						&ctx->want_shutdown, true);
+					break;
+				case SIGHUP:
+					atomic_store_release(&ctx->want_reload,
+							     true);
+					break;
+				default:
+					UNREACHABLE();
+				}
+			}
+		} else {
+			/*
+			 * External, or BIND9 using multiple contexts:
+			 * wait until woken up.
+			 */
+			if (atomic_load_acquire(&ctx->want_shutdown)) {
+				break;
+			}
+			if (!atomic_load_acquire(&ctx->want_reload)) {
+				LOCK(&ctx->readylock);
+				WAIT(&ctx->ready, &ctx->readylock);
+				UNLOCK(&ctx->readylock);
+			}
+		}
+#endif /* WIN32 */
+		if (atomic_compare_exchange_strong_acq_rel(
+			    &ctx->want_reload, &(bool){ true }, false))
+		{
+			return (ISC_R_RELOAD);
+		}
+
+		if (atomic_load_acquire(&ctx->want_shutdown) &&
+		    atomic_load_acquire(&ctx->blocked))
+		{
+			exit(1);
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_app_run(void) {
+	isc_result_t result;
+
+	REQUIRE(atomic_compare_exchange_strong_acq_rel(&is_running,
+						       &(bool){ false }, true));
+	result = isc_app_ctxrun(&isc_g_appctx);
+	atomic_store_release(&is_running, false);
+
+	return (result);
+}
+
+bool
+isc_app_isrunning() {
+	return (atomic_load_acquire(&is_running));
+}
+
+void
+isc_app_ctxshutdown(isc_appctx_t *ctx) {
+	REQUIRE(VALID_APPCTX(ctx));
+
+	REQUIRE(atomic_load_acquire(&ctx->running));
+
+	/* If ctx->shutdown_requested == true, we are already shutting
+	 * down and we want to just bail out.
+	 */
+	if (atomic_compare_exchange_strong_acq_rel(&ctx->shutdown_requested,
+						   &(bool){ false }, true))
+	{
+#ifdef WIN32
+		SetEvent(ctx->hEvents[SHUTDOWN_EVENT]);
+#else  /* WIN32 */
+		if (isc_bind9 && ctx != &isc_g_appctx) {
+			/* BIND9 internal, but using multiple contexts */
+			atomic_store_release(&ctx->want_shutdown, true);
+		} else if (isc_bind9) {
+			/* BIND9 internal, single context */
+			if (kill(getpid(), SIGTERM) < 0) {
+				char strbuf[ISC_STRERRORSIZE];
+				strerror_r(errno, strbuf, sizeof(strbuf));
+				isc_error_fatal(__FILE__, __LINE__,
+						"isc_app_shutdown() "
+						"kill: %s",
+						strbuf);
+			}
+		} else {
+			/* External, multiple contexts */
+			atomic_store_release(&ctx->want_shutdown, true);
+			SIGNAL(&ctx->ready);
+		}
+#endif /* WIN32 */
+	}
+}
+
+void
+isc_app_shutdown(void) {
+	isc_app_ctxshutdown(&isc_g_appctx);
+}
+
+void
+isc_app_ctxsuspend(isc_appctx_t *ctx) {
+	REQUIRE(VALID_APPCTX(ctx));
+
+	REQUIRE(atomic_load(&ctx->running));
+
+	/*
+	 * Don't send the reload signal if we're shutting down.
+	 */
+	if (!atomic_load_acquire(&ctx->shutdown_requested)) {
+#ifdef WIN32
+		SetEvent(ctx->hEvents[RELOAD_EVENT]);
+#else  /* WIN32 */
+		if (isc_bind9 && ctx != &isc_g_appctx) {
+			/* BIND9 internal, but using multiple contexts */
+			atomic_store_release(&ctx->want_reload, true);
+		} else if (isc_bind9) {
+			/* BIND9 internal, single context */
+			if (kill(getpid(), SIGHUP) < 0) {
+				char strbuf[ISC_STRERRORSIZE];
+				strerror_r(errno, strbuf, sizeof(strbuf));
+				isc_error_fatal(__FILE__, __LINE__,
+						"isc_app_reload() "
+						"kill: %s",
+						strbuf);
+			}
+		} else {
+			/* External, multiple contexts */
+			atomic_store_release(&ctx->want_reload, true);
+			SIGNAL(&ctx->ready);
+		}
+#endif /* WIN32 */
+	}
+}
+
+void
+isc_app_reload(void) {
+	isc_app_ctxsuspend(&isc_g_appctx);
+}
+
+void
+isc_app_ctxfinish(isc_appctx_t *ctx) {
+	REQUIRE(VALID_APPCTX(ctx));
+
+	isc_mutex_destroy(&ctx->lock);
+#ifndef WIN32
+	isc_mutex_destroy(&ctx->readylock);
+	isc_condition_destroy(&ctx->ready);
+#endif /* WIN32 */
+}
+
+void
+isc_app_finish(void) {
+	isc_app_ctxfinish(&isc_g_appctx);
+}
+
+void
+isc_app_block(void) {
+	REQUIRE(atomic_load_acquire(&isc_g_appctx.running));
+	REQUIRE(atomic_compare_exchange_strong_acq_rel(&isc_g_appctx.blocked,
+						       &(bool){ false }, true));
+
+#ifdef WIN32
+	blockedthread = GetCurrentThread();
+#else  /* WIN32 */
+	sigset_t sset;
+	blockedthread = pthread_self();
+	RUNTIME_CHECK(sigemptyset(&sset) == 0 &&
+		      sigaddset(&sset, SIGINT) == 0 &&
+		      sigaddset(&sset, SIGTERM) == 0);
+	RUNTIME_CHECK(pthread_sigmask(SIG_UNBLOCK, &sset, NULL) == 0);
+#endif /* WIN32 */
+}
+
+void
+isc_app_unblock(void) {
+	REQUIRE(atomic_load_acquire(&isc_g_appctx.running));
+	REQUIRE(atomic_compare_exchange_strong_acq_rel(&isc_g_appctx.blocked,
+						       &(bool){ true }, false));
+
+#ifdef WIN32
+	REQUIRE(blockedthread == GetCurrentThread());
+#else  /* WIN32 */
+	REQUIRE(blockedthread == pthread_self());
+
+	sigset_t sset;
+	RUNTIME_CHECK(sigemptyset(&sset) == 0 &&
+		      sigaddset(&sset, SIGINT) == 0 &&
+		      sigaddset(&sset, SIGTERM) == 0);
+	RUNTIME_CHECK(pthread_sigmask(SIG_BLOCK, &sset, NULL) == 0);
+#endif /* WIN32 */
+}
+
+isc_result_t
+isc_appctx_create(isc_mem_t *mctx, isc_appctx_t **ctxp) {
+	isc_appctx_t *ctx;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(ctxp != NULL && *ctxp == NULL);
+
+	ctx = isc_mem_get(mctx, sizeof(*ctx));
+
+	ctx->magic = APPCTX_MAGIC;
+
+	ctx->mctx = NULL;
+	isc_mem_attach(mctx, &ctx->mctx);
+
+	*ctxp = ctx;
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_appctx_destroy(isc_appctx_t **ctxp) {
+	isc_appctx_t *ctx;
+
+	REQUIRE(ctxp != NULL);
+	ctx = *ctxp;
+	*ctxp = NULL;
+	REQUIRE(VALID_APPCTX(ctx));
+
+	ctx->magic = 0;
+
+	isc_mem_putanddetach(&ctx->mctx, ctx, sizeof(*ctx));
+}
diff --git a/lib/isc/assertions.c b/lib/isc/assertions.c
new file mode 100644
index 0000000..1f16fb3
--- /dev/null
+++ b/lib/isc/assertions.c
@@ -0,0 +1,129 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <isc/assertions.h>
+#include <isc/backtrace.h>
+#include <isc/print.h>
+#include <isc/result.h>
+
+/*
+ * The maximum number of stack frames to dump on assertion failure.
+ */
+#ifndef BACKTRACE_MAXFRAME
+#define BACKTRACE_MAXFRAME 128
+#endif /* ifndef BACKTRACE_MAXFRAME */
+
+/*%
+ * Forward.
+ */
+static void
+default_callback(const char *, int, isc_assertiontype_t, const char *);
+
+static isc_assertioncallback_t isc_assertion_failed_cb = default_callback;
+
+/*%
+ * Public.
+ */
+
+/*% assertion failed handler */
+/* coverity[+kill] */
+void
+isc_assertion_failed(const char *file, int line, isc_assertiontype_t type,
+		     const char *cond) {
+	isc_assertion_failed_cb(file, line, type, cond);
+	abort();
+}
+
+/*% Set callback. */
+void
+isc_assertion_setcallback(isc_assertioncallback_t cb) {
+	if (cb == NULL) {
+		isc_assertion_failed_cb = default_callback;
+	} else {
+		isc_assertion_failed_cb = cb;
+	}
+}
+
+/*% Type to Text */
+const char *
+isc_assertion_typetotext(isc_assertiontype_t type) {
+	const char *result;
+
+	/*
+	 * These strings have purposefully not been internationalized
+	 * because they are considered to essentially be keywords of
+	 * the ISC development environment.
+	 */
+	switch (type) {
+	case isc_assertiontype_require:
+		result = "REQUIRE";
+		break;
+	case isc_assertiontype_ensure:
+		result = "ENSURE";
+		break;
+	case isc_assertiontype_insist:
+		result = "INSIST";
+		break;
+	case isc_assertiontype_invariant:
+		result = "INVARIANT";
+		break;
+	default:
+		result = "UNKNOWN";
+	}
+	return (result);
+}
+
+/*
+ * Private.
+ */
+
+static void
+default_callback(const char *file, int line, isc_assertiontype_t type,
+		 const char *cond) {
+	void *tracebuf[BACKTRACE_MAXFRAME];
+	int i, nframes;
+	const char *logsuffix = ".";
+	const char *fname;
+	isc_result_t result;
+
+	result = isc_backtrace_gettrace(tracebuf, BACKTRACE_MAXFRAME, &nframes);
+	if (result == ISC_R_SUCCESS && nframes > 0) {
+		logsuffix = ", back trace";
+	}
+
+	fprintf(stderr, "%s:%d: %s(%s) failed%s\n", file, line,
+		isc_assertion_typetotext(type), cond, logsuffix);
+
+	if (result == ISC_R_SUCCESS) {
+		for (i = 0; i < nframes; i++) {
+			unsigned long offset;
+
+			fname = NULL;
+			result = isc_backtrace_getsymbol(tracebuf[i], &fname,
+							 &offset);
+			if (result == ISC_R_SUCCESS) {
+				fprintf(stderr, "#%d %p in %s()+0x%lx\n", i,
+					tracebuf[i], fname, offset);
+			} else {
+				fprintf(stderr, "#%d %p in ??\n", i,
+					tracebuf[i]);
+			}
+		}
+	}
+	fflush(stderr);
+}
diff --git a/lib/isc/astack.c b/lib/isc/astack.c
new file mode 100644
index 0000000..484ef26
--- /dev/null
+++ b/lib/isc/astack.c
@@ -0,0 +1,85 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <inttypes.h>
+#include <string.h>
+
+#include <isc/astack.h>
+#include <isc/atomic.h>
+#include <isc/mem.h>
+#include <isc/mutex.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+struct isc_astack {
+	isc_mem_t *mctx;
+	size_t size;
+	size_t pos;
+	isc_mutex_t lock;
+	uintptr_t nodes[];
+};
+
+isc_astack_t *
+isc_astack_new(isc_mem_t *mctx, size_t size) {
+	isc_astack_t *stack = isc_mem_get(
+		mctx, sizeof(isc_astack_t) + size * sizeof(uintptr_t));
+
+	*stack = (isc_astack_t){
+		.size = size,
+	};
+	isc_mem_attach(mctx, &stack->mctx);
+	memset(stack->nodes, 0, size * sizeof(uintptr_t));
+	isc_mutex_init(&stack->lock);
+	return (stack);
+}
+
+bool
+isc_astack_trypush(isc_astack_t *stack, void *obj) {
+	if (!isc_mutex_trylock(&stack->lock)) {
+		if (stack->pos >= stack->size) {
+			UNLOCK(&stack->lock);
+			return (false);
+		}
+		stack->nodes[stack->pos++] = (uintptr_t)obj;
+		UNLOCK(&stack->lock);
+		return (true);
+	} else {
+		return (false);
+	}
+}
+
+void *
+isc_astack_pop(isc_astack_t *stack) {
+	LOCK(&stack->lock);
+	uintptr_t rv;
+	if (stack->pos == 0) {
+		rv = 0;
+	} else {
+		rv = stack->nodes[--stack->pos];
+	}
+	UNLOCK(&stack->lock);
+	return ((void *)rv);
+}
+
+void
+isc_astack_destroy(isc_astack_t *stack) {
+	LOCK(&stack->lock);
+	REQUIRE(stack->pos == 0);
+	UNLOCK(&stack->lock);
+
+	isc_mutex_destroy(&stack->lock);
+
+	isc_mem_putanddetach(&stack->mctx, stack,
+			     sizeof(struct isc_astack) +
+				     stack->size * sizeof(uintptr_t));
+}
diff --git a/lib/isc/backtrace-emptytbl.c b/lib/isc/backtrace-emptytbl.c
new file mode 100644
index 0000000..0c6f61f
--- /dev/null
+++ b/lib/isc/backtrace-emptytbl.c
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+/*
+ * This file defines an empty (default) symbol table used in backtrace.c
+ * If the application wants to have a complete symbol table, it should redefine
+ * isc__backtrace_symtable with the complete table in some way, and link the
+ * version of the library not including this definition
+ * (e.g. libisc-nosymbol.a).
+ */
+
+#include <isc/backtrace.h>
+
+LIBISC_EXTERNAL_DATA const int isc__backtrace_nsymbols = 0;
+LIBISC_EXTERNAL_DATA const isc_backtrace_symmap_t isc__backtrace_symtable[] = {
+	{ NULL, "" }
+};
diff --git a/lib/isc/backtrace.c b/lib/isc/backtrace.c
new file mode 100644
index 0000000..69488de
--- /dev/null
+++ b/lib/isc/backtrace.c
@@ -0,0 +1,304 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <stdlib.h>
+#include <string.h>
+#ifdef HAVE_LIBCTRACE
+#include <execinfo.h>
+#endif /* ifdef HAVE_LIBCTRACE */
+
+#include <isc/backtrace.h>
+#include <isc/result.h>
+#include <isc/util.h>
+
+#ifdef USE_BACKTRACE
+/*
+ * Getting a back trace of a running process is tricky and highly platform
+ * dependent.  Our current approach is as follows:
+ * 1. If the system library supports the "backtrace()" function, use it.
+ * 2. Otherwise, if the compiler is gcc and the architecture is x86_64 or IA64,
+ *    then use gcc's (hidden) Unwind_Backtrace() function.  Note that this
+ *    function doesn't work for C programs on many other architectures.
+ * 3. Otherwise, if the architecture x86 or x86_64, try to unwind the stack
+ *    frame following frame pointers.  This assumes the executable binary
+ *    compiled with frame pointers; this is not always true for x86_64 (rather,
+ *    compiler optimizations often disable frame pointers).  The validation
+ *    checks in getnextframeptr() hopefully rejects bogus values stored in
+ *    the RBP register in such a case.  If the backtrace function itself crashes
+ *    due to this problem, the whole package should be rebuilt with
+ *    --disable-backtrace.
+ */
+#ifdef HAVE_LIBCTRACE
+#define BACKTRACE_LIBC
+#elif defined(HAVE_UNWIND_BACKTRACE)
+#define BACKTRACE_GCC
+#elif defined(WIN32)
+#define BACKTRACE_WIN32
+#elif defined(__x86_64__) || defined(__i386__)
+#define BACKTRACE_X86STACK
+#else /* ifdef HAVE_LIBCTRACE */
+#define BACKTRACE_DISABLED
+#endif /* HAVE_LIBCTRACE */
+#else  /* USE_BACKTRACE */
+#define BACKTRACE_DISABLED
+#endif /* USE_BACKTRACE */
+
+#ifdef BACKTRACE_LIBC
+isc_result_t
+isc_backtrace_gettrace(void **addrs, int maxaddrs, int *nframes) {
+	int n;
+
+	/*
+	 * Validate the arguments: intentionally avoid using REQUIRE().
+	 * See notes in backtrace.h.
+	 */
+	if (addrs == NULL || nframes == NULL) {
+		return (ISC_R_FAILURE);
+	}
+
+	/*
+	 * backtrace(3) includes this function itself in the address array,
+	 * which should be eliminated from the returned sequence.
+	 */
+	n = backtrace(addrs, maxaddrs);
+	if (n < 2) {
+		return (ISC_R_NOTFOUND);
+	}
+	n--;
+	memmove(addrs, &addrs[1], sizeof(void *) * n);
+	*nframes = n;
+	return (ISC_R_SUCCESS);
+}
+#elif defined(BACKTRACE_GCC)
+extern int
+_Unwind_Backtrace(void *fn, void *a);
+extern void *
+_Unwind_GetIP(void *ctx);
+
+typedef struct {
+	void **result;
+	int max_depth;
+	int skip_count;
+	int count;
+} trace_arg_t;
+
+static int
+btcallback(void *uc, void *opq) {
+	trace_arg_t *arg = (trace_arg_t *)opq;
+
+	if (arg->skip_count > 0) {
+		arg->skip_count--;
+	} else {
+		arg->result[arg->count++] = (void *)_Unwind_GetIP(uc);
+	}
+	if (arg->count == arg->max_depth) {
+		return (5); /* _URC_END_OF_STACK */
+	}
+	return (0); /* _URC_NO_REASON */
+}
+
+isc_result_t
+isc_backtrace_gettrace(void **addrs, int maxaddrs, int *nframes) {
+	trace_arg_t arg;
+
+	/* Argument validation: see above. */
+	if (addrs == NULL || nframes == NULL) {
+		return (ISC_R_FAILURE);
+	}
+
+	arg.skip_count = 1;
+	arg.result = addrs;
+	arg.max_depth = maxaddrs;
+	arg.count = 0;
+	_Unwind_Backtrace(btcallback, &arg);
+
+	*nframes = arg.count;
+
+	return (ISC_R_SUCCESS);
+}
+#elif defined(BACKTRACE_WIN32)
+isc_result_t
+isc_backtrace_gettrace(void **addrs, int maxaddrs, int *nframes) {
+	unsigned long ftc = (unsigned long)maxaddrs;
+
+	*nframes = (int)CaptureStackBackTrace(1, ftc, addrs, NULL);
+	return (ISC_R_SUCCESS);
+}
+#elif defined(BACKTRACE_X86STACK)
+#ifdef __x86_64__
+static unsigned long
+getrbp(void) {
+	unsigned long rbp;
+	__asm("movq %%rbp, %0\n" : "=r"(rbp));
+	return rbp;
+}
+#endif /* ifdef __x86_64__ */
+
+static void **
+getnextframeptr(void **sp) {
+	void **newsp = (void **)*sp;
+
+	/*
+	 * Perform sanity check for the new frame pointer, derived from
+	 * google glog.  This can actually be bogus depending on compiler.
+	 */
+
+	/* prohibit the stack frames from growing downwards */
+	if (newsp <= sp) {
+		return (NULL);
+	}
+
+	/* A heuristics to reject "too large" frame: this actually happened. */
+	if ((char *)newsp - (char *)sp > 100000) {
+		return (NULL);
+	}
+
+	/*
+	 * Not sure if other checks used in glog are needed at this moment.
+	 * For our purposes we don't have to consider non-contiguous frames,
+	 * for example.
+	 */
+
+	return (newsp);
+}
+
+isc_result_t
+isc_backtrace_gettrace(void **addrs, int maxaddrs, int *nframes) {
+	int i = 0;
+	void **sp;
+
+	/* Argument validation: see above. */
+	if (addrs == NULL || nframes == NULL) {
+		return (ISC_R_FAILURE);
+	}
+
+#ifdef __x86_64__
+	sp = (void **)getrbp();
+	if (sp == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+	/*
+	 * sp is the frame ptr of this function itself due to the call to
+	 * getrbp(), so need to unwind one frame for consistency.
+	 */
+	sp = getnextframeptr(sp);
+#else  /* ifdef __x86_64__ */
+	/*
+	 * i386: the frame pointer is stored 2 words below the address for the
+	 * first argument.  Note that the body of this function cannot be
+	 * inlined since it depends on the address of the function argument.
+	 */
+	sp = (void **)&addrs - 2;
+#endif /* ifdef __x86_64__ */
+
+	while (sp != NULL && i < maxaddrs) {
+		addrs[i++] = *(sp + 1);
+		sp = getnextframeptr(sp);
+	}
+
+	*nframes = i;
+
+	return (ISC_R_SUCCESS);
+}
+#elif defined(BACKTRACE_DISABLED)
+isc_result_t
+isc_backtrace_gettrace(void **addrs, int maxaddrs, int *nframes) {
+	/* Argument validation: see above. */
+	if (addrs == NULL || nframes == NULL) {
+		return (ISC_R_FAILURE);
+	}
+
+	UNUSED(maxaddrs);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+#endif /* ifdef BACKTRACE_LIBC */
+
+isc_result_t
+isc_backtrace_getsymbolfromindex(int idx, const void **addrp,
+				 const char **symbolp) {
+	REQUIRE(addrp != NULL && *addrp == NULL);
+	REQUIRE(symbolp != NULL && *symbolp == NULL);
+
+	if (idx < 0 || idx >= isc__backtrace_nsymbols) {
+		return (ISC_R_RANGE);
+	}
+
+	*addrp = isc__backtrace_symtable[idx].addr;
+	*symbolp = isc__backtrace_symtable[idx].symbol;
+	return (ISC_R_SUCCESS);
+}
+
+static int
+symtbl_compare(const void *addr, const void *entryarg) {
+	const isc_backtrace_symmap_t *entry = entryarg;
+	const isc_backtrace_symmap_t *end =
+		&isc__backtrace_symtable[isc__backtrace_nsymbols - 1];
+
+	if (isc__backtrace_nsymbols == 1 || entry == end) {
+		if (addr >= entry->addr) {
+			/*
+			 * If addr is equal to or larger than that of the last
+			 * entry of the table, we cannot be sure if this is
+			 * within a valid range so we consider it valid.
+			 */
+			return (0);
+		}
+		return (-1);
+	}
+
+	/* entry + 1 is a valid entry from now on. */
+	if (addr < entry->addr) {
+		return (-1);
+	} else if (addr >= (entry + 1)->addr) {
+		return (1);
+	}
+	return (0);
+}
+
+isc_result_t
+isc_backtrace_getsymbol(const void *addr, const char **symbolp,
+			unsigned long *offsetp) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_backtrace_symmap_t *found;
+
+	/*
+	 * Validate the arguments: intentionally avoid using REQUIRE().
+	 * See notes in backtrace.h.
+	 */
+	if (symbolp == NULL || *symbolp != NULL || offsetp == NULL) {
+		return (ISC_R_FAILURE);
+	}
+
+	if (isc__backtrace_nsymbols < 1) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	/*
+	 * Search the table for the entry that meets:
+	 * entry.addr <= addr < next_entry.addr.
+	 */
+	found = bsearch(addr, isc__backtrace_symtable, isc__backtrace_nsymbols,
+			sizeof(isc__backtrace_symtable[0]), symtbl_compare);
+	if (found == NULL) {
+		result = ISC_R_NOTFOUND;
+	} else {
+		*symbolp = found->symbol;
+		*offsetp = (unsigned long)((const char *)addr -
+					   (char *)found->addr);
+	}
+
+	return (result);
+}
diff --git a/lib/isc/base32.c b/lib/isc/base32.c
new file mode 100644
index 0000000..90c37c7
--- /dev/null
+++ b/lib/isc/base32.c
@@ -0,0 +1,443 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <stdbool.h>
+
+#include <isc/base32.h>
+#include <isc/buffer.h>
+#include <isc/lex.h>
+#include <isc/region.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#define RETERR(x)                        \
+	do {                             \
+		isc_result_t _r = (x);   \
+		if (_r != ISC_R_SUCCESS) \
+			return ((_r));   \
+	} while (0)
+
+/*@{*/
+/*!
+ * These static functions are also present in lib/dns/rdata.c.  I'm not
+ * sure where they should go. -- bwelling
+ */
+static isc_result_t
+str_totext(const char *source, isc_buffer_t *target);
+
+static isc_result_t
+mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length);
+
+/*@}*/
+
+static const char base32[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567="
+			     "abcdefghijklmnopqrstuvwxyz234567";
+static const char base32hex[] = "0123456789ABCDEFGHIJKLMNOPQRSTUV="
+				"0123456789abcdefghijklmnopqrstuv";
+
+static isc_result_t
+base32_totext(isc_region_t *source, int wordlength, const char *wordbreak,
+	      isc_buffer_t *target, const char base[], char pad) {
+	char buf[9];
+	unsigned int loops = 0;
+
+	if (wordlength >= 0 && wordlength < 8) {
+		wordlength = 8;
+	}
+
+	memset(buf, 0, sizeof(buf));
+	while (source->length > 0) {
+		buf[0] = base[((source->base[0] >> 3) & 0x1f)]; /* 5 + */
+		if (source->length == 1) {
+			buf[1] = base[(source->base[0] << 2) & 0x1c];
+			buf[2] = buf[3] = buf[4] = pad;
+			buf[5] = buf[6] = buf[7] = pad;
+			RETERR(str_totext(buf, target));
+			break;
+		}
+		buf[1] = base[((source->base[0] << 2) & 0x1c) | /* 3 = 8 */
+			      ((source->base[1] >> 6) & 0x03)]; /* 2 + */
+		buf[2] = base[((source->base[1] >> 1) & 0x1f)]; /* 5 + */
+		if (source->length == 2) {
+			buf[3] = base[(source->base[1] << 4) & 0x10];
+			buf[4] = buf[5] = buf[6] = buf[7] = pad;
+			RETERR(str_totext(buf, target));
+			break;
+		}
+		buf[3] = base[((source->base[1] << 4) & 0x10) | /* 1 = 8 */
+			      ((source->base[2] >> 4) & 0x0f)]; /* 4 + */
+		if (source->length == 3) {
+			buf[4] = base[(source->base[2] << 1) & 0x1e];
+			buf[5] = buf[6] = buf[7] = pad;
+			RETERR(str_totext(buf, target));
+			break;
+		}
+		buf[4] = base[((source->base[2] << 1) & 0x1e) | /* 4 = 8 */
+			      ((source->base[3] >> 7) & 0x01)]; /* 1 + */
+		buf[5] = base[((source->base[3] >> 2) & 0x1f)]; /* 5 + */
+		if (source->length == 4) {
+			buf[6] = base[(source->base[3] << 3) & 0x18];
+			buf[7] = pad;
+			RETERR(str_totext(buf, target));
+			break;
+		}
+		buf[6] = base[((source->base[3] << 3) & 0x18) | /* 2 = 8 */
+			      ((source->base[4] >> 5) & 0x07)]; /* 3 + */
+		buf[7] = base[source->base[4] & 0x1f];		/* 5 = 8 */
+		RETERR(str_totext(buf, target));
+		isc_region_consume(source, 5);
+
+		loops++;
+		if (source->length != 0 && wordlength >= 0 &&
+		    (int)((loops + 1) * 8) >= wordlength)
+		{
+			loops = 0;
+			RETERR(str_totext(wordbreak, target));
+		}
+	}
+	if (source->length > 0) {
+		isc_region_consume(source, source->length);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_base32_totext(isc_region_t *source, int wordlength, const char *wordbreak,
+		  isc_buffer_t *target) {
+	return (base32_totext(source, wordlength, wordbreak, target, base32,
+			      '='));
+}
+
+isc_result_t
+isc_base32hex_totext(isc_region_t *source, int wordlength,
+		     const char *wordbreak, isc_buffer_t *target) {
+	return (base32_totext(source, wordlength, wordbreak, target, base32hex,
+			      '='));
+}
+
+isc_result_t
+isc_base32hexnp_totext(isc_region_t *source, int wordlength,
+		       const char *wordbreak, isc_buffer_t *target) {
+	return (base32_totext(source, wordlength, wordbreak, target, base32hex,
+			      0));
+}
+
+/*%
+ * State of a base32 decoding process in progress.
+ */
+typedef struct {
+	int length;	      /*%< Desired length of binary data or -1 */
+	isc_buffer_t *target; /*%< Buffer for resulting binary data */
+	int digits;	      /*%< Number of buffered base32 digits */
+	bool seen_end;	      /*%< True if "=" end marker seen */
+	int val[8];
+	const char *base; /*%< Which encoding we are using */
+	int seen_32;	  /*%< Number of significant bytes if non
+			   * zero */
+	bool pad;	  /*%< Expect padding */
+} base32_decode_ctx_t;
+
+static void
+base32_decode_init(base32_decode_ctx_t *ctx, int length, const char base[],
+		   bool pad, isc_buffer_t *target) {
+	ctx->digits = 0;
+	ctx->seen_end = false;
+	ctx->seen_32 = 0;
+	ctx->length = length;
+	ctx->target = target;
+	ctx->base = base;
+	ctx->pad = pad;
+}
+
+static isc_result_t
+base32_decode_char(base32_decode_ctx_t *ctx, int c) {
+	const char *s;
+	unsigned int last;
+
+	if (ctx->seen_end) {
+		return (ISC_R_BADBASE32);
+	}
+	if ((s = strchr(ctx->base, c)) == NULL) {
+		return (ISC_R_BADBASE32);
+	}
+	last = (unsigned int)(s - ctx->base);
+
+	/*
+	 * Handle lower case.
+	 */
+	if (last > 32) {
+		last -= 33;
+	}
+
+	/*
+	 * Check that padding is contiguous.
+	 */
+	if (last != 32 && ctx->seen_32 != 0) {
+		return (ISC_R_BADBASE32);
+	}
+
+	/*
+	 * If padding is not permitted flag padding as a error.
+	 */
+	if (last == 32 && !ctx->pad) {
+		return (ISC_R_BADBASE32);
+	}
+
+	/*
+	 * Check that padding starts at the right place and that
+	 * bits that should be zero are.
+	 * Record how many significant bytes in answer (seen_32).
+	 */
+	if (last == 32 && ctx->seen_32 == 0) {
+		switch (ctx->digits) {
+		case 0:
+		case 1:
+			return (ISC_R_BADBASE32);
+		case 2:
+			if ((ctx->val[1] & 0x03) != 0) {
+				return (ISC_R_BADBASE32);
+			}
+			ctx->seen_32 = 1;
+			break;
+		case 3:
+			return (ISC_R_BADBASE32);
+		case 4:
+			if ((ctx->val[3] & 0x0f) != 0) {
+				return (ISC_R_BADBASE32);
+			}
+			ctx->seen_32 = 2;
+			break;
+		case 5:
+			if ((ctx->val[4] & 0x01) != 0) {
+				return (ISC_R_BADBASE32);
+			}
+			ctx->seen_32 = 3;
+			break;
+		case 6:
+			return (ISC_R_BADBASE32);
+		case 7:
+			if ((ctx->val[6] & 0x07) != 0) {
+				return (ISC_R_BADBASE32);
+			}
+			ctx->seen_32 = 4;
+			break;
+		}
+	}
+
+	/*
+	 * Zero fill pad values.
+	 */
+	ctx->val[ctx->digits++] = (last == 32) ? 0 : last;
+
+	if (ctx->digits == 8) {
+		int n = 5;
+		unsigned char buf[5];
+
+		if (ctx->seen_32 != 0) {
+			ctx->seen_end = true;
+			n = ctx->seen_32;
+		}
+		buf[0] = (ctx->val[0] << 3) | (ctx->val[1] >> 2);
+		buf[1] = (ctx->val[1] << 6) | (ctx->val[2] << 1) |
+			 (ctx->val[3] >> 4);
+		buf[2] = (ctx->val[3] << 4) | (ctx->val[4] >> 1);
+		buf[3] = (ctx->val[4] << 7) | (ctx->val[5] << 2) |
+			 (ctx->val[6] >> 3);
+		buf[4] = (ctx->val[6] << 5) | (ctx->val[7]);
+		RETERR(mem_tobuffer(ctx->target, buf, n));
+		if (ctx->length >= 0) {
+			if (n > ctx->length) {
+				return (ISC_R_BADBASE32);
+			} else {
+				ctx->length -= n;
+			}
+		}
+		ctx->digits = 0;
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+base32_decode_finish(base32_decode_ctx_t *ctx) {
+	if (ctx->length > 0) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	/*
+	 * Add missing padding if required.
+	 */
+	if (!ctx->pad && ctx->digits != 0) {
+		ctx->pad = true;
+		do {
+			RETERR(base32_decode_char(ctx, '='));
+		} while (ctx->digits != 0);
+	}
+	if (ctx->digits != 0) {
+		return (ISC_R_BADBASE32);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+base32_tobuffer(isc_lex_t *lexer, const char base[], bool pad,
+		isc_buffer_t *target, int length) {
+	unsigned int before, after;
+	base32_decode_ctx_t ctx;
+	isc_textregion_t *tr;
+	isc_token_t token;
+	bool eol;
+
+	REQUIRE(length >= -2);
+
+	base32_decode_init(&ctx, length, base, pad, target);
+
+	before = isc_buffer_usedlength(target);
+	while (!ctx.seen_end && (ctx.length != 0)) {
+		unsigned int i;
+
+		if (length > 0) {
+			eol = false;
+		} else {
+			eol = true;
+		}
+		RETERR(isc_lex_getmastertoken(lexer, &token,
+					      isc_tokentype_string, eol));
+		if (token.type != isc_tokentype_string) {
+			break;
+		}
+		tr = &token.value.as_textregion;
+		for (i = 0; i < tr->length; i++) {
+			RETERR(base32_decode_char(&ctx, tr->base[i]));
+		}
+	}
+	after = isc_buffer_usedlength(target);
+	if (ctx.length < 0 && !ctx.seen_end) {
+		isc_lex_ungettoken(lexer, &token);
+	}
+	RETERR(base32_decode_finish(&ctx));
+	if (length == -2 && before == after) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_base32_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length) {
+	return (base32_tobuffer(lexer, base32, true, target, length));
+}
+
+isc_result_t
+isc_base32hex_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length) {
+	return (base32_tobuffer(lexer, base32hex, true, target, length));
+}
+
+isc_result_t
+isc_base32hexnp_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length) {
+	return (base32_tobuffer(lexer, base32hex, false, target, length));
+}
+
+static isc_result_t
+base32_decodestring(const char *cstr, const char base[], bool pad,
+		    isc_buffer_t *target) {
+	base32_decode_ctx_t ctx;
+
+	base32_decode_init(&ctx, -1, base, pad, target);
+	for (;;) {
+		int c = *cstr++;
+		if (c == '\0') {
+			break;
+		}
+		if (c == ' ' || c == '\t' || c == '\n' || c == '\r') {
+			continue;
+		}
+		RETERR(base32_decode_char(&ctx, c));
+	}
+	RETERR(base32_decode_finish(&ctx));
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_base32_decodestring(const char *cstr, isc_buffer_t *target) {
+	return (base32_decodestring(cstr, base32, true, target));
+}
+
+isc_result_t
+isc_base32hex_decodestring(const char *cstr, isc_buffer_t *target) {
+	return (base32_decodestring(cstr, base32hex, true, target));
+}
+
+isc_result_t
+isc_base32hexnp_decodestring(const char *cstr, isc_buffer_t *target) {
+	return (base32_decodestring(cstr, base32hex, false, target));
+}
+
+static isc_result_t
+base32_decoderegion(isc_region_t *source, const char base[], bool pad,
+		    isc_buffer_t *target) {
+	base32_decode_ctx_t ctx;
+
+	base32_decode_init(&ctx, -1, base, pad, target);
+	while (source->length != 0) {
+		int c = *source->base;
+		RETERR(base32_decode_char(&ctx, c));
+		isc_region_consume(source, 1);
+	}
+	RETERR(base32_decode_finish(&ctx));
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_base32_decoderegion(isc_region_t *source, isc_buffer_t *target) {
+	return (base32_decoderegion(source, base32, true, target));
+}
+
+isc_result_t
+isc_base32hex_decoderegion(isc_region_t *source, isc_buffer_t *target) {
+	return (base32_decoderegion(source, base32hex, true, target));
+}
+
+isc_result_t
+isc_base32hexnp_decoderegion(isc_region_t *source, isc_buffer_t *target) {
+	return (base32_decoderegion(source, base32hex, false, target));
+}
+
+static isc_result_t
+str_totext(const char *source, isc_buffer_t *target) {
+	unsigned int l;
+	isc_region_t region;
+
+	isc_buffer_availableregion(target, &region);
+	l = strlen(source);
+
+	if (l > region.length) {
+		return (ISC_R_NOSPACE);
+	}
+
+	memmove(region.base, source, l);
+	isc_buffer_add(target, l);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length) {
+	isc_region_t tr;
+
+	isc_buffer_availableregion(target, &tr);
+	if (length > tr.length) {
+		return (ISC_R_NOSPACE);
+	}
+	memmove(tr.base, base, length);
+	isc_buffer_add(target, length);
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/isc/base64.c b/lib/isc/base64.c
new file mode 100644
index 0000000..958ef4f
--- /dev/null
+++ b/lib/isc/base64.c
@@ -0,0 +1,270 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <stdbool.h>
+
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/lex.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#define RETERR(x)                        \
+	do {                             \
+		isc_result_t _r = (x);   \
+		if (_r != ISC_R_SUCCESS) \
+			return ((_r));   \
+	} while (0)
+
+/*@{*/
+/*!
+ * These static functions are also present in lib/dns/rdata.c.  I'm not
+ * sure where they should go. -- bwelling
+ */
+static isc_result_t
+str_totext(const char *source, isc_buffer_t *target);
+
+static isc_result_t
+mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length);
+
+static const char base64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvw"
+			     "xyz0123456789+/=";
+/*@}*/
+
+isc_result_t
+isc_base64_totext(isc_region_t *source, int wordlength, const char *wordbreak,
+		  isc_buffer_t *target) {
+	char buf[5];
+	unsigned int loops = 0;
+
+	if (wordlength < 4) {
+		wordlength = 4;
+	}
+
+	memset(buf, 0, sizeof(buf));
+	while (source->length > 2) {
+		buf[0] = base64[(source->base[0] >> 2) & 0x3f];
+		buf[1] = base64[((source->base[0] << 4) & 0x30) |
+				((source->base[1] >> 4) & 0x0f)];
+		buf[2] = base64[((source->base[1] << 2) & 0x3c) |
+				((source->base[2] >> 6) & 0x03)];
+		buf[3] = base64[source->base[2] & 0x3f];
+		RETERR(str_totext(buf, target));
+		isc_region_consume(source, 3);
+
+		loops++;
+		if (source->length != 0 && (int)((loops + 1) * 4) >= wordlength)
+		{
+			loops = 0;
+			RETERR(str_totext(wordbreak, target));
+		}
+	}
+	if (source->length == 2) {
+		buf[0] = base64[(source->base[0] >> 2) & 0x3f];
+		buf[1] = base64[((source->base[0] << 4) & 0x30) |
+				((source->base[1] >> 4) & 0x0f)];
+		buf[2] = base64[((source->base[1] << 2) & 0x3c)];
+		buf[3] = '=';
+		RETERR(str_totext(buf, target));
+		isc_region_consume(source, 2);
+	} else if (source->length == 1) {
+		buf[0] = base64[(source->base[0] >> 2) & 0x3f];
+		buf[1] = base64[((source->base[0] << 4) & 0x30)];
+		buf[2] = buf[3] = '=';
+		RETERR(str_totext(buf, target));
+		isc_region_consume(source, 1);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * State of a base64 decoding process in progress.
+ */
+typedef struct {
+	int length;	      /*%< Desired length of binary data or -1 */
+	isc_buffer_t *target; /*%< Buffer for resulting binary data */
+	int digits;	      /*%< Number of buffered base64 digits */
+	bool seen_end;	      /*%< True if "=" end marker seen */
+	int val[4];
+} base64_decode_ctx_t;
+
+static void
+base64_decode_init(base64_decode_ctx_t *ctx, int length, isc_buffer_t *target) {
+	ctx->digits = 0;
+	ctx->seen_end = false;
+	ctx->length = length;
+	ctx->target = target;
+}
+
+static isc_result_t
+base64_decode_char(base64_decode_ctx_t *ctx, int c) {
+	const char *s;
+
+	if (ctx->seen_end) {
+		return (ISC_R_BADBASE64);
+	}
+	if ((s = strchr(base64, c)) == NULL) {
+		return (ISC_R_BADBASE64);
+	}
+	ctx->val[ctx->digits++] = (int)(s - base64);
+	if (ctx->digits == 4) {
+		int n;
+		unsigned char buf[3];
+		if (ctx->val[0] == 64 || ctx->val[1] == 64) {
+			return (ISC_R_BADBASE64);
+		}
+		if (ctx->val[2] == 64 && ctx->val[3] != 64) {
+			return (ISC_R_BADBASE64);
+		}
+		/*
+		 * Check that bits that should be zero are.
+		 */
+		if (ctx->val[2] == 64 && (ctx->val[1] & 0xf) != 0) {
+			return (ISC_R_BADBASE64);
+		}
+		/*
+		 * We don't need to test for ctx->val[2] != 64 as
+		 * the bottom two bits of 64 are zero.
+		 */
+		if (ctx->val[3] == 64 && (ctx->val[2] & 0x3) != 0) {
+			return (ISC_R_BADBASE64);
+		}
+		n = (ctx->val[2] == 64) ? 1 : (ctx->val[3] == 64) ? 2 : 3;
+		if (n != 3) {
+			ctx->seen_end = true;
+			if (ctx->val[2] == 64) {
+				ctx->val[2] = 0;
+			}
+			if (ctx->val[3] == 64) {
+				ctx->val[3] = 0;
+			}
+		}
+		buf[0] = (ctx->val[0] << 2) | (ctx->val[1] >> 4);
+		buf[1] = (ctx->val[1] << 4) | (ctx->val[2] >> 2);
+		buf[2] = (ctx->val[2] << 6) | (ctx->val[3]);
+		RETERR(mem_tobuffer(ctx->target, buf, n));
+		if (ctx->length >= 0) {
+			if (n > ctx->length) {
+				return (ISC_R_BADBASE64);
+			} else {
+				ctx->length -= n;
+			}
+		}
+		ctx->digits = 0;
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+base64_decode_finish(base64_decode_ctx_t *ctx) {
+	if (ctx->length > 0) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	if (ctx->digits != 0) {
+		return (ISC_R_BADBASE64);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_base64_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length) {
+	unsigned int before, after;
+	base64_decode_ctx_t ctx;
+	isc_textregion_t *tr;
+	isc_token_t token;
+	bool eol;
+
+	REQUIRE(length >= -2);
+
+	base64_decode_init(&ctx, length, target);
+
+	before = isc_buffer_usedlength(target);
+	while (!ctx.seen_end && (ctx.length != 0)) {
+		unsigned int i;
+
+		if (length > 0) {
+			eol = false;
+		} else {
+			eol = true;
+		}
+		RETERR(isc_lex_getmastertoken(lexer, &token,
+					      isc_tokentype_string, eol));
+		if (token.type != isc_tokentype_string) {
+			break;
+		}
+		tr = &token.value.as_textregion;
+		for (i = 0; i < tr->length; i++) {
+			RETERR(base64_decode_char(&ctx, tr->base[i]));
+		}
+	}
+	after = isc_buffer_usedlength(target);
+	if (ctx.length < 0 && !ctx.seen_end) {
+		isc_lex_ungettoken(lexer, &token);
+	}
+	RETERR(base64_decode_finish(&ctx));
+	if (length == -2 && before == after) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_base64_decodestring(const char *cstr, isc_buffer_t *target) {
+	base64_decode_ctx_t ctx;
+
+	base64_decode_init(&ctx, -1, target);
+	for (;;) {
+		int c = *cstr++;
+		if (c == '\0') {
+			break;
+		}
+		if (c == ' ' || c == '\t' || c == '\n' || c == '\r') {
+			continue;
+		}
+		RETERR(base64_decode_char(&ctx, c));
+	}
+	RETERR(base64_decode_finish(&ctx));
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+str_totext(const char *source, isc_buffer_t *target) {
+	unsigned int l;
+	isc_region_t region;
+
+	isc_buffer_availableregion(target, &region);
+	l = strlen(source);
+
+	if (l > region.length) {
+		return (ISC_R_NOSPACE);
+	}
+
+	memmove(region.base, source, l);
+	isc_buffer_add(target, l);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length) {
+	isc_region_t tr;
+
+	isc_buffer_availableregion(target, &tr);
+	if (length > tr.length) {
+		return (ISC_R_NOSPACE);
+	}
+	memmove(tr.base, base, length);
+	isc_buffer_add(target, length);
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/isc/bind9.c b/lib/isc/bind9.c
new file mode 100644
index 0000000..2b6f474
--- /dev/null
+++ b/lib/isc/bind9.c
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <stdbool.h>
+
+#include <isc/bind9.h>
+
+/*
+ * This determines whether we are using the libisc/libdns libraries
+ * in BIND9 or in some other application. It is initialized to true
+ * and remains unchanged for BIND9 and related tools; export library
+ * clients will run isc_lib_register(), which sets it to false,
+ * overriding certain BIND9 behaviors.
+ */
+LIBISC_EXTERNAL_DATA bool isc_bind9 = true;
diff --git a/lib/isc/buffer.c b/lib/isc/buffer.c
new file mode 100644
index 0000000..b284840
--- /dev/null
+++ b/lib/isc/buffer.c
@@ -0,0 +1,542 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdarg.h>
+#include <stdbool.h>
+
+#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/region.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+void
+isc__buffer_init(isc_buffer_t *b, void *base, unsigned int length) {
+	/*
+	 * Make 'b' refer to the 'length'-byte region starting at 'base'.
+	 * XXXDCL see the comment in buffer.h about base being const.
+	 */
+	ISC__BUFFER_INIT(b, base, length);
+}
+
+void
+isc__buffer_initnull(isc_buffer_t *b) {
+	/*
+	 * Initialize a new buffer which has no backing store.  This can
+	 * later be grown as needed and swapped in place.
+	 */
+	ISC__BUFFER_INIT(b, NULL, 0);
+}
+
+void
+isc_buffer_reinit(isc_buffer_t *b, void *base, unsigned int length) {
+	/*
+	 * Re-initialize the buffer enough to reconfigure the base of the
+	 * buffer.  We will swap in the new buffer, after copying any
+	 * data we contain into the new buffer and adjusting all of our
+	 * internal pointers.
+	 *
+	 * The buffer must not be smaller than the length of the original
+	 * buffer.
+	 */
+	REQUIRE(b->length <= length);
+	REQUIRE(base != NULL);
+	REQUIRE(!b->autore);
+
+	if (b->length > 0U) {
+		(void)memmove(base, b->base, b->length);
+	}
+
+	b->base = base;
+	b->length = length;
+}
+
+void
+isc__buffer_invalidate(isc_buffer_t *b) {
+	/*
+	 * Make 'b' an invalid buffer.
+	 */
+	ISC__BUFFER_INVALIDATE(b);
+}
+
+void
+isc_buffer_setautorealloc(isc_buffer_t *b, bool enable) {
+	REQUIRE(ISC_BUFFER_VALID(b));
+	REQUIRE(b->mctx != NULL);
+	b->autore = enable;
+}
+
+void
+isc__buffer_region(isc_buffer_t *b, isc_region_t *r) {
+	/*
+	 * Make 'r' refer to the region of 'b'.
+	 */
+	ISC__BUFFER_REGION(b, r);
+}
+
+void
+isc__buffer_usedregion(const isc_buffer_t *b, isc_region_t *r) {
+	/*
+	 * Make 'r' refer to the used region of 'b'.
+	 */
+	ISC__BUFFER_USEDREGION(b, r);
+}
+
+void
+isc__buffer_availableregion(isc_buffer_t *b, isc_region_t *r) {
+	/*
+	 * Make 'r' refer to the available region of 'b'.
+	 */
+	ISC__BUFFER_AVAILABLEREGION(b, r);
+}
+
+void
+isc__buffer_add(isc_buffer_t *b, unsigned int n) {
+	/*
+	 * Increase the 'used' region of 'b' by 'n' bytes.
+	 */
+	ISC__BUFFER_ADD(b, n);
+}
+
+void
+isc__buffer_subtract(isc_buffer_t *b, unsigned int n) {
+	/*
+	 * Decrease the 'used' region of 'b' by 'n' bytes.
+	 */
+	ISC__BUFFER_SUBTRACT(b, n);
+}
+
+void
+isc__buffer_clear(isc_buffer_t *b) {
+	/*
+	 * Make the used region empty.
+	 */
+	ISC__BUFFER_CLEAR(b);
+}
+
+void
+isc__buffer_consumedregion(isc_buffer_t *b, isc_region_t *r) {
+	/*
+	 * Make 'r' refer to the consumed region of 'b'.
+	 */
+	ISC__BUFFER_CONSUMEDREGION(b, r);
+}
+
+void
+isc__buffer_remainingregion(isc_buffer_t *b, isc_region_t *r) {
+	/*
+	 * Make 'r' refer to the remaining region of 'b'.
+	 */
+	ISC__BUFFER_REMAININGREGION(b, r);
+}
+
+void
+isc__buffer_activeregion(isc_buffer_t *b, isc_region_t *r) {
+	/*
+	 * Make 'r' refer to the active region of 'b'.
+	 */
+	ISC__BUFFER_ACTIVEREGION(b, r);
+}
+
+void
+isc__buffer_setactive(isc_buffer_t *b, unsigned int n) {
+	/*
+	 * Sets the end of the active region 'n' bytes after current.
+	 */
+	ISC__BUFFER_SETACTIVE(b, n);
+}
+
+void
+isc__buffer_first(isc_buffer_t *b) {
+	/*
+	 * Make the consumed region empty.
+	 */
+	ISC__BUFFER_FIRST(b);
+}
+
+void
+isc__buffer_forward(isc_buffer_t *b, unsigned int n) {
+	/*
+	 * Increase the 'consumed' region of 'b' by 'n' bytes.
+	 */
+	ISC__BUFFER_FORWARD(b, n);
+}
+
+void
+isc__buffer_back(isc_buffer_t *b, unsigned int n) {
+	/*
+	 * Decrease the 'consumed' region of 'b' by 'n' bytes.
+	 */
+	ISC__BUFFER_BACK(b, n);
+}
+
+void
+isc_buffer_compact(isc_buffer_t *b) {
+	unsigned int length;
+	void *src;
+
+	/*
+	 * Compact the used region by moving the remaining region so it occurs
+	 * at the start of the buffer.  The used region is shrunk by the size
+	 * of the consumed region, and the consumed region is then made empty.
+	 */
+
+	REQUIRE(ISC_BUFFER_VALID(b));
+
+	src = isc_buffer_current(b);
+	length = isc_buffer_remaininglength(b);
+	if (length > 0U) {
+		(void)memmove(b->base, src, (size_t)length);
+	}
+
+	if (b->active > b->current) {
+		b->active -= b->current;
+	} else {
+		b->active = 0;
+	}
+	b->current = 0;
+	b->used = length;
+}
+
+uint8_t
+isc_buffer_getuint8(isc_buffer_t *b) {
+	unsigned char *cp;
+	uint8_t result;
+
+	/*
+	 * Read an unsigned 8-bit integer from 'b' and return it.
+	 */
+
+	REQUIRE(ISC_BUFFER_VALID(b));
+	REQUIRE(b->used - b->current >= 1);
+
+	cp = isc_buffer_current(b);
+	b->current += 1;
+	result = ((uint8_t)(cp[0]));
+
+	return (result);
+}
+
+void
+isc__buffer_putuint8(isc_buffer_t *b, uint8_t val) {
+	ISC__BUFFER_PUTUINT8(b, val);
+}
+
+uint16_t
+isc_buffer_getuint16(isc_buffer_t *b) {
+	unsigned char *cp;
+	uint16_t result;
+
+	/*
+	 * Read an unsigned 16-bit integer in network byte order from 'b',
+	 * convert it to host byte order, and return it.
+	 */
+
+	REQUIRE(ISC_BUFFER_VALID(b));
+	REQUIRE(b->used - b->current >= 2);
+
+	cp = isc_buffer_current(b);
+	b->current += 2;
+	result = ((unsigned int)(cp[0])) << 8;
+	result |= ((unsigned int)(cp[1]));
+
+	return (result);
+}
+
+void
+isc__buffer_putuint16(isc_buffer_t *b, uint16_t val) {
+	ISC__BUFFER_PUTUINT16(b, val);
+}
+
+void
+isc__buffer_putuint24(isc_buffer_t *b, uint32_t val) {
+	ISC__BUFFER_PUTUINT24(b, val);
+}
+
+uint32_t
+isc_buffer_getuint32(isc_buffer_t *b) {
+	unsigned char *cp;
+	uint32_t result;
+
+	/*
+	 * Read an unsigned 32-bit integer in network byte order from 'b',
+	 * convert it to host byte order, and return it.
+	 */
+
+	REQUIRE(ISC_BUFFER_VALID(b));
+	REQUIRE(b->used - b->current >= 4);
+
+	cp = isc_buffer_current(b);
+	b->current += 4;
+	result = ((unsigned int)(cp[0])) << 24;
+	result |= ((unsigned int)(cp[1])) << 16;
+	result |= ((unsigned int)(cp[2])) << 8;
+	result |= ((unsigned int)(cp[3]));
+
+	return (result);
+}
+
+void
+isc__buffer_putuint32(isc_buffer_t *b, uint32_t val) {
+	ISC__BUFFER_PUTUINT32(b, val);
+}
+
+uint64_t
+isc_buffer_getuint48(isc_buffer_t *b) {
+	unsigned char *cp;
+	uint64_t result;
+
+	/*
+	 * Read an unsigned 48-bit integer in network byte order from 'b',
+	 * convert it to host byte order, and return it.
+	 */
+
+	REQUIRE(ISC_BUFFER_VALID(b));
+	REQUIRE(b->used - b->current >= 6);
+
+	cp = isc_buffer_current(b);
+	b->current += 6;
+	result = ((int64_t)(cp[0])) << 40;
+	result |= ((int64_t)(cp[1])) << 32;
+	result |= ((int64_t)(cp[2])) << 24;
+	result |= ((int64_t)(cp[3])) << 16;
+	result |= ((int64_t)(cp[4])) << 8;
+	result |= ((int64_t)(cp[5]));
+
+	return (result);
+}
+
+void
+isc__buffer_putuint48(isc_buffer_t *b, uint64_t val) {
+	isc_result_t result;
+	uint16_t valhi;
+	uint32_t vallo;
+
+	REQUIRE(ISC_BUFFER_VALID(b));
+	if (ISC_UNLIKELY(b->autore)) {
+		result = isc_buffer_reserve(&b, 6);
+		REQUIRE(result == ISC_R_SUCCESS);
+	}
+	REQUIRE(isc_buffer_availablelength(b) >= 6);
+
+	valhi = (uint16_t)(val >> 32);
+	vallo = (uint32_t)(val & 0xFFFFFFFF);
+	ISC__BUFFER_PUTUINT16(b, valhi);
+	ISC__BUFFER_PUTUINT32(b, vallo);
+}
+
+void
+isc__buffer_putmem(isc_buffer_t *b, const unsigned char *base,
+		   unsigned int length) {
+	ISC__BUFFER_PUTMEM(b, base, length);
+}
+
+void
+isc__buffer_putstr(isc_buffer_t *b, const char *source) {
+	ISC__BUFFER_PUTSTR(b, source);
+}
+
+void
+isc_buffer_putdecint(isc_buffer_t *b, int64_t v) {
+	unsigned int l = 0;
+	unsigned char *cp;
+	char buf[21];
+	isc_result_t result;
+
+	REQUIRE(ISC_BUFFER_VALID(b));
+
+	/* xxxwpk do it more low-level way ? */
+	l = snprintf(buf, 21, "%" PRId64, v);
+	RUNTIME_CHECK(l <= 21);
+	if (ISC_UNLIKELY(b->autore)) {
+		result = isc_buffer_reserve(&b, l);
+		REQUIRE(result == ISC_R_SUCCESS);
+	}
+	REQUIRE(isc_buffer_availablelength(b) >= l);
+
+	cp = isc_buffer_used(b);
+	memmove(cp, buf, l);
+	b->used += l;
+}
+
+isc_result_t
+isc_buffer_dup(isc_mem_t *mctx, isc_buffer_t **dstp, const isc_buffer_t *src) {
+	isc_buffer_t *dst = NULL;
+	isc_region_t region;
+	isc_result_t result;
+
+	REQUIRE(dstp != NULL && *dstp == NULL);
+	REQUIRE(ISC_BUFFER_VALID(src));
+
+	isc_buffer_usedregion(src, &region);
+
+	isc_buffer_allocate(mctx, &dst, region.length);
+
+	result = isc_buffer_copyregion(dst, &region);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS); /* NOSPACE is impossible */
+	*dstp = dst;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_buffer_copyregion(isc_buffer_t *b, const isc_region_t *r) {
+	isc_result_t result;
+
+	REQUIRE(ISC_BUFFER_VALID(b));
+	REQUIRE(r != NULL);
+
+	if (ISC_UNLIKELY(b->autore)) {
+		result = isc_buffer_reserve(&b, r->length);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+
+	if (r->length > isc_buffer_availablelength(b)) {
+		return (ISC_R_NOSPACE);
+	}
+
+	if (r->length > 0U) {
+		memmove(isc_buffer_used(b), r->base, r->length);
+		b->used += r->length;
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_buffer_allocate(isc_mem_t *mctx, isc_buffer_t **dynbuffer,
+		    unsigned int length) {
+	REQUIRE(dynbuffer != NULL && *dynbuffer == NULL);
+
+	isc_buffer_t *dbuf = isc_mem_get(mctx, sizeof(isc_buffer_t));
+	unsigned char *bdata = isc_mem_get(mctx, length);
+
+	isc_buffer_init(dbuf, bdata, length);
+
+	ENSURE(ISC_BUFFER_VALID(dbuf));
+
+	dbuf->mctx = mctx;
+
+	*dynbuffer = dbuf;
+}
+
+isc_result_t
+isc_buffer_reserve(isc_buffer_t **dynbuffer, unsigned int size) {
+	unsigned char *bdata;
+	uint64_t len;
+
+	REQUIRE(dynbuffer != NULL);
+	REQUIRE(ISC_BUFFER_VALID(*dynbuffer));
+
+	len = (*dynbuffer)->length;
+	if ((len - (*dynbuffer)->used) >= size) {
+		return (ISC_R_SUCCESS);
+	}
+
+	if ((*dynbuffer)->mctx == NULL) {
+		return (ISC_R_NOSPACE);
+	}
+
+	/* Round to nearest buffer size increment */
+	len = size + (*dynbuffer)->used;
+	len = (len + ISC_BUFFER_INCR - 1 - ((len - 1) % ISC_BUFFER_INCR));
+
+	/* Cap at UINT_MAX */
+	if (len > UINT_MAX) {
+		len = UINT_MAX;
+	}
+
+	if ((len - (*dynbuffer)->used) < size) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	/*
+	 * XXXMUKS: This is far more expensive than plain realloc() as
+	 * it doesn't remap pages, but does ordinary copy. So is
+	 * isc_mem_reallocate(), which has additional issues.
+	 */
+	bdata = isc_mem_get((*dynbuffer)->mctx, (unsigned int)len);
+
+	memmove(bdata, (*dynbuffer)->base, (*dynbuffer)->length);
+	isc_mem_put((*dynbuffer)->mctx, (*dynbuffer)->base,
+		    (*dynbuffer)->length);
+
+	(*dynbuffer)->base = bdata;
+	(*dynbuffer)->length = (unsigned int)len;
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_buffer_free(isc_buffer_t **dynbuffer) {
+	isc_buffer_t *dbuf;
+	isc_mem_t *mctx;
+
+	REQUIRE(dynbuffer != NULL);
+	REQUIRE(ISC_BUFFER_VALID(*dynbuffer));
+	REQUIRE((*dynbuffer)->mctx != NULL);
+
+	dbuf = *dynbuffer;
+	*dynbuffer = NULL; /* destroy external reference */
+	mctx = dbuf->mctx;
+	dbuf->mctx = NULL;
+
+	isc_mem_put(mctx, dbuf->base, dbuf->length);
+	isc_buffer_invalidate(dbuf);
+	isc_mem_put(mctx, dbuf, sizeof(isc_buffer_t));
+}
+
+isc_result_t
+isc_buffer_printf(isc_buffer_t *b, const char *format, ...) {
+	va_list ap;
+	int n;
+	isc_result_t result;
+
+	REQUIRE(ISC_BUFFER_VALID(b));
+
+	va_start(ap, format);
+	n = vsnprintf(NULL, 0, format, ap);
+	va_end(ap);
+
+	if (n < 0) {
+		return (ISC_R_FAILURE);
+	}
+
+	if (ISC_UNLIKELY(b->autore)) {
+		result = isc_buffer_reserve(&b, n + 1);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+
+	if (isc_buffer_availablelength(b) < (unsigned int)n + 1) {
+		return (ISC_R_NOSPACE);
+	}
+
+	va_start(ap, format);
+	n = vsnprintf(isc_buffer_used(b), n + 1, format, ap);
+	va_end(ap);
+
+	if (n < 0) {
+		return (ISC_R_FAILURE);
+	}
+
+	b->used += n;
+
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/isc/bufferlist.c b/lib/isc/bufferlist.c
new file mode 100644
index 0000000..e5f2583
--- /dev/null
+++ b/lib/isc/bufferlist.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <stddef.h>
+
+#include <isc/buffer.h>
+#include <isc/bufferlist.h>
+#include <isc/util.h>
+
+unsigned int
+isc_bufferlist_usedcount(isc_bufferlist_t *bl) {
+	isc_buffer_t *buffer;
+	unsigned int length;
+
+	REQUIRE(bl != NULL);
+
+	length = 0;
+	buffer = ISC_LIST_HEAD(*bl);
+	while (buffer != NULL) {
+		REQUIRE(ISC_BUFFER_VALID(buffer));
+		length += isc_buffer_usedlength(buffer);
+		buffer = ISC_LIST_NEXT(buffer, link);
+	}
+
+	return (length);
+}
+
+unsigned int
+isc_bufferlist_availablecount(isc_bufferlist_t *bl) {
+	isc_buffer_t *buffer;
+	unsigned int length;
+
+	REQUIRE(bl != NULL);
+
+	length = 0;
+	buffer = ISC_LIST_HEAD(*bl);
+	while (buffer != NULL) {
+		REQUIRE(ISC_BUFFER_VALID(buffer));
+		length += isc_buffer_availablelength(buffer);
+		buffer = ISC_LIST_NEXT(buffer, link);
+	}
+
+	return (length);
+}
diff --git a/lib/isc/commandline.c b/lib/isc/commandline.c
new file mode 100644
index 0000000..dfe7023
--- /dev/null
+++ b/lib/isc/commandline.c
@@ -0,0 +1,265 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND BSD-3-Clause
+
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+
+/*
+ * Copyright (C) 1987, 1993, 1994 The Regents of the University of California.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file
+ * This file was adapted from the NetBSD project's source tree, RCS ID:
+ *    NetBSD: getopt.c,v 1.15 1999/09/20 04:39:37 lukem Exp
+ *
+ * The primary change has been to rename items to the ISC namespace
+ * and format in the ISC coding style.
+ */
+
+#include <stdbool.h>
+#include <stdio.h>
+
+#include <isc/commandline.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+/*% Index into parent argv vector. */
+LIBISC_EXTERNAL_DATA int isc_commandline_index = 1;
+/*% Character checked for validity. */
+LIBISC_EXTERNAL_DATA int isc_commandline_option;
+/*% Argument associated with option. */
+LIBISC_EXTERNAL_DATA char *isc_commandline_argument;
+/*% For printing error messages. */
+LIBISC_EXTERNAL_DATA char *isc_commandline_progname;
+/*% Print error messages. */
+LIBISC_EXTERNAL_DATA bool isc_commandline_errprint = true;
+/*% Reset processing. */
+LIBISC_EXTERNAL_DATA bool isc_commandline_reset = true;
+
+static char endopt = '\0';
+
+#define BADOPT '?'
+#define BADARG ':'
+#define ENDOPT &endopt
+
+/*!
+ * getopt --
+ *	Parse argc/argv argument vector.
+ */
+int
+isc_commandline_parse(int argc, char *const *argv, const char *options) {
+	static char *place = ENDOPT;
+	const char *option; /* Index into *options of option. */
+
+	REQUIRE(argc >= 0 && argv != NULL && options != NULL);
+
+	/*
+	 * Update scanning pointer, either because a reset was requested or
+	 * the previous argv was finished.
+	 */
+	if (isc_commandline_reset || *place == '\0') {
+		if (isc_commandline_reset) {
+			isc_commandline_index = 1;
+			isc_commandline_reset = false;
+		}
+
+		if (isc_commandline_progname == NULL) {
+			isc_commandline_progname = argv[0];
+		}
+
+		if (isc_commandline_index >= argc ||
+		    *(place = argv[isc_commandline_index]) != '-')
+		{
+			/*
+			 * Index out of range or points to non-option.
+			 */
+			place = ENDOPT;
+			return (-1);
+		}
+
+		if (place[1] != '\0' && *++place == '-' && place[1] == '\0') {
+			/*
+			 * Found '--' to signal end of options.  Advance
+			 * index to next argv, the first non-option.
+			 */
+			isc_commandline_index++;
+			place = ENDOPT;
+			return (-1);
+		}
+	}
+
+	isc_commandline_option = *place++;
+	option = strchr(options, isc_commandline_option);
+
+	/*
+	 * Ensure valid option has been passed as specified by options string.
+	 * '-:' is never a valid command line option because it could not
+	 * distinguish ':' from the argument specifier in the options string.
+	 */
+	if (isc_commandline_option == ':' || option == NULL) {
+		if (*place == '\0') {
+			isc_commandline_index++;
+		}
+
+		if (isc_commandline_errprint && *options != ':') {
+			fprintf(stderr, "%s: illegal option -- %c\n",
+				isc_commandline_progname,
+				isc_commandline_option);
+		}
+
+		return (BADOPT);
+	}
+
+	if (*++option != ':') {
+		/*
+		 * Option does not take an argument.
+		 */
+		isc_commandline_argument = NULL;
+
+		/*
+		 * Skip to next argv if at the end of the current argv.
+		 */
+		if (*place == '\0') {
+			++isc_commandline_index;
+		}
+	} else {
+		/*
+		 * Option needs an argument.
+		 */
+		if (*place != '\0') {
+			/*
+			 * Option is in this argv, -D1 style.
+			 */
+			isc_commandline_argument = place;
+		} else if (argc > ++isc_commandline_index) {
+			/*
+			 * Option is next argv, -D 1 style.
+			 */
+			isc_commandline_argument = argv[isc_commandline_index];
+		} else {
+			/*
+			 * Argument needed, but no more argv.
+			 */
+			place = ENDOPT;
+
+			/*
+			 * Silent failure with "missing argument" return
+			 * when ':' starts options string, per historical spec.
+			 */
+			if (*options == ':') {
+				return (BADARG);
+			}
+
+			if (isc_commandline_errprint) {
+				fprintf(stderr,
+					"%s: option requires an argument -- "
+					"%c\n",
+					isc_commandline_progname,
+					isc_commandline_option);
+			}
+
+			return (BADOPT);
+		}
+
+		place = ENDOPT;
+
+		/*
+		 * Point to argv that follows argument.
+		 */
+		isc_commandline_index++;
+	}
+
+	return (isc_commandline_option);
+}
+
+isc_result_t
+isc_commandline_strtoargv(isc_mem_t *mctx, char *s, unsigned int *argcp,
+			  char ***argvp, unsigned int n) {
+	isc_result_t result;
+
+restart:
+	/* Discard leading whitespace. */
+	while (*s == ' ' || *s == '\t') {
+		s++;
+	}
+
+	if (*s == '\0') {
+		/* We have reached the end of the string. */
+		*argcp = n;
+		*argvp = isc_mem_get(mctx, n * sizeof(char *));
+	} else {
+		char *p = s;
+		while (*p != ' ' && *p != '\t' && *p != '\0' && *p != '{') {
+			if (*p == '\n') {
+				*p = ' ';
+				goto restart;
+			}
+			p++;
+		}
+
+		/* do "grouping", items between { and } are one arg */
+		if (*p == '{') {
+			char *t = p;
+			/*
+			 * shift all characters to left by 1 to get rid of '{'
+			 */
+			while (*t != '\0') {
+				t++;
+				*(t - 1) = *t;
+			}
+			while (*p != '\0' && *p != '}') {
+				p++;
+			}
+			/* get rid of '}' character */
+			if (*p == '}') {
+				*p = '\0';
+				p++;
+			}
+			/* normal case, no "grouping" */
+		} else if (*p != '\0') {
+			*p++ = '\0';
+		}
+
+		result = isc_commandline_strtoargv(mctx, p, argcp, argvp,
+						   n + 1);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		(*argvp)[n] = s;
+	}
+
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/isc/counter.c b/lib/isc/counter.c
new file mode 100644
index 0000000..0c0ccd6
--- /dev/null
+++ b/lib/isc/counter.c
@@ -0,0 +1,112 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <stdbool.h>
+#include <stddef.h>
+
+#include <isc/atomic.h>
+#include <isc/counter.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/refcount.h>
+#include <isc/util.h>
+
+#define COUNTER_MAGIC	 ISC_MAGIC('C', 'n', 't', 'r')
+#define VALID_COUNTER(r) ISC_MAGIC_VALID(r, COUNTER_MAGIC)
+
+struct isc_counter {
+	unsigned int magic;
+	isc_mem_t *mctx;
+	isc_refcount_t references;
+	atomic_uint_fast32_t limit;
+	atomic_uint_fast32_t used;
+};
+
+isc_result_t
+isc_counter_create(isc_mem_t *mctx, int limit, isc_counter_t **counterp) {
+	isc_counter_t *counter;
+
+	REQUIRE(counterp != NULL && *counterp == NULL);
+
+	counter = isc_mem_get(mctx, sizeof(*counter));
+
+	counter->mctx = NULL;
+	isc_mem_attach(mctx, &counter->mctx);
+
+	isc_refcount_init(&counter->references, 1);
+	atomic_init(&counter->limit, limit);
+	atomic_init(&counter->used, 0);
+
+	counter->magic = COUNTER_MAGIC;
+	*counterp = counter;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_counter_increment(isc_counter_t *counter) {
+	uint32_t used = atomic_fetch_add_relaxed(&counter->used, 1) + 1;
+	uint32_t limit = atomic_load_acquire(&counter->limit);
+
+	if (limit != 0 && used >= limit) {
+		return (ISC_R_QUOTA);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+unsigned int
+isc_counter_used(isc_counter_t *counter) {
+	REQUIRE(VALID_COUNTER(counter));
+
+	return (atomic_load_acquire(&counter->used));
+}
+
+void
+isc_counter_setlimit(isc_counter_t *counter, int limit) {
+	REQUIRE(VALID_COUNTER(counter));
+
+	atomic_store(&counter->limit, limit);
+}
+
+void
+isc_counter_attach(isc_counter_t *source, isc_counter_t **targetp) {
+	REQUIRE(VALID_COUNTER(source));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	isc_refcount_increment(&source->references);
+
+	*targetp = source;
+}
+
+static void
+destroy(isc_counter_t *counter) {
+	isc_refcount_destroy(&counter->references);
+	counter->magic = 0;
+	isc_mem_putanddetach(&counter->mctx, counter, sizeof(*counter));
+}
+
+void
+isc_counter_detach(isc_counter_t **counterp) {
+	isc_counter_t *counter;
+
+	REQUIRE(counterp != NULL && *counterp != NULL);
+	counter = *counterp;
+	*counterp = NULL;
+	REQUIRE(VALID_COUNTER(counter));
+
+	if (isc_refcount_decrement(&counter->references) == 1) {
+		destroy(counter);
+	}
+}
diff --git a/lib/isc/crc64.c b/lib/isc/crc64.c
new file mode 100644
index 0000000..4b6c213
--- /dev/null
+++ b/lib/isc/crc64.c
@@ -0,0 +1,140 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <inttypes.h>
+
+#include <isc/assertions.h>
+#include <isc/crc64.h>
+#include <isc/string.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+/*%<
+ * ECMA-182 CRC64 polynomial.
+ */
+static const uint64_t crc64_table[256] = {
+	0x0000000000000000ULL, 0x42F0E1EBA9EA3693ULL, 0x85E1C3D753D46D26ULL,
+	0xC711223CFA3E5BB5ULL, 0x493366450E42ECDFULL, 0x0BC387AEA7A8DA4CULL,
+	0xCCD2A5925D9681F9ULL, 0x8E224479F47CB76AULL, 0x9266CC8A1C85D9BEULL,
+	0xD0962D61B56FEF2DULL, 0x17870F5D4F51B498ULL, 0x5577EEB6E6BB820BULL,
+	0xDB55AACF12C73561ULL, 0x99A54B24BB2D03F2ULL, 0x5EB4691841135847ULL,
+	0x1C4488F3E8F96ED4ULL, 0x663D78FF90E185EFULL, 0x24CD9914390BB37CULL,
+	0xE3DCBB28C335E8C9ULL, 0xA12C5AC36ADFDE5AULL, 0x2F0E1EBA9EA36930ULL,
+	0x6DFEFF5137495FA3ULL, 0xAAEFDD6DCD770416ULL, 0xE81F3C86649D3285ULL,
+	0xF45BB4758C645C51ULL, 0xB6AB559E258E6AC2ULL, 0x71BA77A2DFB03177ULL,
+	0x334A9649765A07E4ULL, 0xBD68D2308226B08EULL, 0xFF9833DB2BCC861DULL,
+	0x388911E7D1F2DDA8ULL, 0x7A79F00C7818EB3BULL, 0xCC7AF1FF21C30BDEULL,
+	0x8E8A101488293D4DULL, 0x499B3228721766F8ULL, 0x0B6BD3C3DBFD506BULL,
+	0x854997BA2F81E701ULL, 0xC7B97651866BD192ULL, 0x00A8546D7C558A27ULL,
+	0x4258B586D5BFBCB4ULL, 0x5E1C3D753D46D260ULL, 0x1CECDC9E94ACE4F3ULL,
+	0xDBFDFEA26E92BF46ULL, 0x990D1F49C77889D5ULL, 0x172F5B3033043EBFULL,
+	0x55DFBADB9AEE082CULL, 0x92CE98E760D05399ULL, 0xD03E790CC93A650AULL,
+	0xAA478900B1228E31ULL, 0xE8B768EB18C8B8A2ULL, 0x2FA64AD7E2F6E317ULL,
+	0x6D56AB3C4B1CD584ULL, 0xE374EF45BF6062EEULL, 0xA1840EAE168A547DULL,
+	0x66952C92ECB40FC8ULL, 0x2465CD79455E395BULL, 0x3821458AADA7578FULL,
+	0x7AD1A461044D611CULL, 0xBDC0865DFE733AA9ULL, 0xFF3067B657990C3AULL,
+	0x711223CFA3E5BB50ULL, 0x33E2C2240A0F8DC3ULL, 0xF4F3E018F031D676ULL,
+	0xB60301F359DBE0E5ULL, 0xDA050215EA6C212FULL, 0x98F5E3FE438617BCULL,
+	0x5FE4C1C2B9B84C09ULL, 0x1D14202910527A9AULL, 0x93366450E42ECDF0ULL,
+	0xD1C685BB4DC4FB63ULL, 0x16D7A787B7FAA0D6ULL, 0x5427466C1E109645ULL,
+	0x4863CE9FF6E9F891ULL, 0x0A932F745F03CE02ULL, 0xCD820D48A53D95B7ULL,
+	0x8F72ECA30CD7A324ULL, 0x0150A8DAF8AB144EULL, 0x43A04931514122DDULL,
+	0x84B16B0DAB7F7968ULL, 0xC6418AE602954FFBULL, 0xBC387AEA7A8DA4C0ULL,
+	0xFEC89B01D3679253ULL, 0x39D9B93D2959C9E6ULL, 0x7B2958D680B3FF75ULL,
+	0xF50B1CAF74CF481FULL, 0xB7FBFD44DD257E8CULL, 0x70EADF78271B2539ULL,
+	0x321A3E938EF113AAULL, 0x2E5EB66066087D7EULL, 0x6CAE578BCFE24BEDULL,
+	0xABBF75B735DC1058ULL, 0xE94F945C9C3626CBULL, 0x676DD025684A91A1ULL,
+	0x259D31CEC1A0A732ULL, 0xE28C13F23B9EFC87ULL, 0xA07CF2199274CA14ULL,
+	0x167FF3EACBAF2AF1ULL, 0x548F120162451C62ULL, 0x939E303D987B47D7ULL,
+	0xD16ED1D631917144ULL, 0x5F4C95AFC5EDC62EULL, 0x1DBC74446C07F0BDULL,
+	0xDAAD56789639AB08ULL, 0x985DB7933FD39D9BULL, 0x84193F60D72AF34FULL,
+	0xC6E9DE8B7EC0C5DCULL, 0x01F8FCB784FE9E69ULL, 0x43081D5C2D14A8FAULL,
+	0xCD2A5925D9681F90ULL, 0x8FDAB8CE70822903ULL, 0x48CB9AF28ABC72B6ULL,
+	0x0A3B7B1923564425ULL, 0x70428B155B4EAF1EULL, 0x32B26AFEF2A4998DULL,
+	0xF5A348C2089AC238ULL, 0xB753A929A170F4ABULL, 0x3971ED50550C43C1ULL,
+	0x7B810CBBFCE67552ULL, 0xBC902E8706D82EE7ULL, 0xFE60CF6CAF321874ULL,
+	0xE224479F47CB76A0ULL, 0xA0D4A674EE214033ULL, 0x67C58448141F1B86ULL,
+	0x253565A3BDF52D15ULL, 0xAB1721DA49899A7FULL, 0xE9E7C031E063ACECULL,
+	0x2EF6E20D1A5DF759ULL, 0x6C0603E6B3B7C1CAULL, 0xF6FAE5C07D3274CDULL,
+	0xB40A042BD4D8425EULL, 0x731B26172EE619EBULL, 0x31EBC7FC870C2F78ULL,
+	0xBFC9838573709812ULL, 0xFD39626EDA9AAE81ULL, 0x3A28405220A4F534ULL,
+	0x78D8A1B9894EC3A7ULL, 0x649C294A61B7AD73ULL, 0x266CC8A1C85D9BE0ULL,
+	0xE17DEA9D3263C055ULL, 0xA38D0B769B89F6C6ULL, 0x2DAF4F0F6FF541ACULL,
+	0x6F5FAEE4C61F773FULL, 0xA84E8CD83C212C8AULL, 0xEABE6D3395CB1A19ULL,
+	0x90C79D3FEDD3F122ULL, 0xD2377CD44439C7B1ULL, 0x15265EE8BE079C04ULL,
+	0x57D6BF0317EDAA97ULL, 0xD9F4FB7AE3911DFDULL, 0x9B041A914A7B2B6EULL,
+	0x5C1538ADB04570DBULL, 0x1EE5D94619AF4648ULL, 0x02A151B5F156289CULL,
+	0x4051B05E58BC1E0FULL, 0x87409262A28245BAULL, 0xC5B073890B687329ULL,
+	0x4B9237F0FF14C443ULL, 0x0962D61B56FEF2D0ULL, 0xCE73F427ACC0A965ULL,
+	0x8C8315CC052A9FF6ULL, 0x3A80143F5CF17F13ULL, 0x7870F5D4F51B4980ULL,
+	0xBF61D7E80F251235ULL, 0xFD913603A6CF24A6ULL, 0x73B3727A52B393CCULL,
+	0x31439391FB59A55FULL, 0xF652B1AD0167FEEAULL, 0xB4A25046A88DC879ULL,
+	0xA8E6D8B54074A6ADULL, 0xEA16395EE99E903EULL, 0x2D071B6213A0CB8BULL,
+	0x6FF7FA89BA4AFD18ULL, 0xE1D5BEF04E364A72ULL, 0xA3255F1BE7DC7CE1ULL,
+	0x64347D271DE22754ULL, 0x26C49CCCB40811C7ULL, 0x5CBD6CC0CC10FAFCULL,
+	0x1E4D8D2B65FACC6FULL, 0xD95CAF179FC497DAULL, 0x9BAC4EFC362EA149ULL,
+	0x158E0A85C2521623ULL, 0x577EEB6E6BB820B0ULL, 0x906FC95291867B05ULL,
+	0xD29F28B9386C4D96ULL, 0xCEDBA04AD0952342ULL, 0x8C2B41A1797F15D1ULL,
+	0x4B3A639D83414E64ULL, 0x09CA82762AAB78F7ULL, 0x87E8C60FDED7CF9DULL,
+	0xC51827E4773DF90EULL, 0x020905D88D03A2BBULL, 0x40F9E43324E99428ULL,
+	0x2CFFE7D5975E55E2ULL, 0x6E0F063E3EB46371ULL, 0xA91E2402C48A38C4ULL,
+	0xEBEEC5E96D600E57ULL, 0x65CC8190991CB93DULL, 0x273C607B30F68FAEULL,
+	0xE02D4247CAC8D41BULL, 0xA2DDA3AC6322E288ULL, 0xBE992B5F8BDB8C5CULL,
+	0xFC69CAB42231BACFULL, 0x3B78E888D80FE17AULL, 0x7988096371E5D7E9ULL,
+	0xF7AA4D1A85996083ULL, 0xB55AACF12C735610ULL, 0x724B8ECDD64D0DA5ULL,
+	0x30BB6F267FA73B36ULL, 0x4AC29F2A07BFD00DULL, 0x08327EC1AE55E69EULL,
+	0xCF235CFD546BBD2BULL, 0x8DD3BD16FD818BB8ULL, 0x03F1F96F09FD3CD2ULL,
+	0x41011884A0170A41ULL, 0x86103AB85A2951F4ULL, 0xC4E0DB53F3C36767ULL,
+	0xD8A453A01B3A09B3ULL, 0x9A54B24BB2D03F20ULL, 0x5D45907748EE6495ULL,
+	0x1FB5719CE1045206ULL, 0x919735E51578E56CULL, 0xD367D40EBC92D3FFULL,
+	0x1476F63246AC884AULL, 0x568617D9EF46BED9ULL, 0xE085162AB69D5E3CULL,
+	0xA275F7C11F7768AFULL, 0x6564D5FDE549331AULL, 0x279434164CA30589ULL,
+	0xA9B6706FB8DFB2E3ULL, 0xEB46918411358470ULL, 0x2C57B3B8EB0BDFC5ULL,
+	0x6EA7525342E1E956ULL, 0x72E3DAA0AA188782ULL, 0x30133B4B03F2B111ULL,
+	0xF7021977F9CCEAA4ULL, 0xB5F2F89C5026DC37ULL, 0x3BD0BCE5A45A6B5DULL,
+	0x79205D0E0DB05DCEULL, 0xBE317F32F78E067BULL, 0xFCC19ED95E6430E8ULL,
+	0x86B86ED5267CDBD3ULL, 0xC4488F3E8F96ED40ULL, 0x0359AD0275A8B6F5ULL,
+	0x41A94CE9DC428066ULL, 0xCF8B0890283E370CULL, 0x8D7BE97B81D4019FULL,
+	0x4A6ACB477BEA5A2AULL, 0x089A2AACD2006CB9ULL, 0x14DEA25F3AF9026DULL,
+	0x562E43B4931334FEULL, 0x913F6188692D6F4BULL, 0xD3CF8063C0C759D8ULL,
+	0x5DEDC41A34BBEEB2ULL, 0x1F1D25F19D51D821ULL, 0xD80C07CD676F8394ULL,
+	0x9AFCE626CE85B507ULL
+};
+
+void
+isc_crc64_init(uint64_t *crc) {
+	REQUIRE(crc != NULL);
+
+	*crc = 0xffffffffffffffffULL;
+}
+
+void
+isc_crc64_update(uint64_t *crc, const void *data, size_t len) {
+	const unsigned char *p = data;
+	int i;
+
+	REQUIRE(crc != NULL);
+	REQUIRE(data != NULL);
+
+	while (len-- > 0U) {
+		i = ((int)(*crc >> 56) ^ *p++) & 0xff;
+		*crc = crc64_table[i] ^ (*crc << 8);
+	}
+}
+
+void
+isc_crc64_final(uint64_t *crc) {
+	REQUIRE(crc != NULL);
+
+	*crc ^= 0xffffffffffffffffULL;
+}
diff --git a/lib/isc/entropy.c b/lib/isc/entropy.c
new file mode 100644
index 0000000..ce79ba2
--- /dev/null
+++ b/lib/isc/entropy.c
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <openssl/err.h>
+#include <openssl/rand.h>
+
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include "entropy_private.h"
+
+void
+isc_entropy_get(void *buf, size_t buflen) {
+	if (RAND_bytes(buf, buflen) < 1) {
+		FATAL_ERROR(__FILE__, __LINE__, "RAND_bytes(): %s",
+			    ERR_error_string(ERR_get_error(), NULL));
+	}
+}
diff --git a/lib/isc/entropy_private.h b/lib/isc/entropy_private.h
new file mode 100644
index 0000000..df9a382
--- /dev/null
+++ b/lib/isc/entropy_private.h
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#pragma once
+
+#include <stdlib.h>
+
+#include <isc/lang.h>
+
+/*! \file isc/entropy_private.h
+ * \brief Implements wrapper around CSPRNG cryptographic library calls
+ * for getting cryptographically secure pseudo-random numbers.
+ *
+ * - If OpenSSL is used, it uses RAND_bytes()
+ * - If PKCS#11 is used, it uses pkcs_C_GenerateRandom()
+ *
+ */
+
+ISC_LANG_BEGINDECLS
+
+void
+isc_entropy_get(void *buf, size_t buflen);
+/*!<
+ * \brief Get cryptographically-secure pseudo-random data.
+ */
+
+ISC_LANG_ENDDECLS
diff --git a/lib/isc/error.c b/lib/isc/error.c
new file mode 100644
index 0000000..336be84
--- /dev/null
+++ b/lib/isc/error.c
@@ -0,0 +1,94 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <isc/error.h>
+#include <isc/print.h>
+
+/*% Default unexpected callback. */
+static void
+default_unexpected_callback(const char *, int, const char *, va_list)
+	ISC_FORMAT_PRINTF(3, 0);
+
+/*% Default fatal callback. */
+static void
+default_fatal_callback(const char *, int, const char *, va_list)
+	ISC_FORMAT_PRINTF(3, 0);
+
+/*% unexpected_callback */
+static isc_errorcallback_t unexpected_callback = default_unexpected_callback;
+static isc_errorcallback_t fatal_callback = default_fatal_callback;
+
+void
+isc_error_setunexpected(isc_errorcallback_t cb) {
+	if (cb == NULL) {
+		unexpected_callback = default_unexpected_callback;
+	} else {
+		unexpected_callback = cb;
+	}
+}
+
+void
+isc_error_setfatal(isc_errorcallback_t cb) {
+	if (cb == NULL) {
+		fatal_callback = default_fatal_callback;
+	} else {
+		fatal_callback = cb;
+	}
+}
+
+void
+isc_error_unexpected(const char *file, int line, const char *format, ...) {
+	va_list args;
+
+	va_start(args, format);
+	(unexpected_callback)(file, line, format, args);
+	va_end(args);
+}
+
+void
+isc_error_fatal(const char *file, int line, const char *format, ...) {
+	va_list args;
+
+	va_start(args, format);
+	(fatal_callback)(file, line, format, args);
+	va_end(args);
+	abort();
+}
+
+void
+isc_error_runtimecheck(const char *file, int line, const char *expression) {
+	isc_error_fatal(file, line, "RUNTIME_CHECK(%s) failed", expression);
+}
+
+static void
+default_unexpected_callback(const char *file, int line, const char *format,
+			    va_list args) {
+	fprintf(stderr, "%s:%d: ", file, line);
+	vfprintf(stderr, format, args);
+	fprintf(stderr, "\n");
+	fflush(stderr);
+}
+
+static void
+default_fatal_callback(const char *file, int line, const char *format,
+		       va_list args) {
+	fprintf(stderr, "%s:%d: fatal error: ", file, line);
+	vfprintf(stderr, format, args);
+	fprintf(stderr, "\n");
+	fflush(stderr);
+}
diff --git a/lib/isc/event.c b/lib/isc/event.c
new file mode 100644
index 0000000..4849d01
--- /dev/null
+++ b/lib/isc/event.c
@@ -0,0 +1,95 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*!
+ * \file
+ */
+
+#include <isc/event.h>
+#include <isc/mem.h>
+#include <isc/util.h>
+
+/***
+ *** Events.
+ ***/
+
+static void
+destroy(isc_event_t *event) {
+	isc_mem_t *mctx = event->ev_destroy_arg;
+
+	isc_mem_put(mctx, event, event->ev_size);
+}
+
+isc_event_t *
+isc_event_allocate(isc_mem_t *mctx, void *sender, isc_eventtype_t type,
+		   isc_taskaction_t action, void *arg, size_t size) {
+	isc_event_t *event;
+
+	REQUIRE(size >= sizeof(struct isc_event));
+	REQUIRE(action != NULL);
+
+	event = isc_mem_get(mctx, size);
+
+	ISC_EVENT_INIT(event, size, 0, NULL, type, action, arg, sender, destroy,
+		       mctx);
+
+	return (event);
+}
+
+isc_event_t *
+isc_event_constallocate(isc_mem_t *mctx, void *sender, isc_eventtype_t type,
+			isc_taskaction_t action, const void *arg, size_t size) {
+	isc_event_t *event;
+	void *deconst_arg;
+
+	REQUIRE(size >= sizeof(struct isc_event));
+	REQUIRE(action != NULL);
+
+	event = isc_mem_get(mctx, size);
+
+	/*
+	 * Removing the const attribute from "arg" is the best of two
+	 * evils here.  If the event->ev_arg member is made const, then
+	 * it affects a great many users of the task/event subsystem
+	 * which are not passing in an "arg" which starts its life as
+	 * const.  Changing isc_event_allocate() and isc_task_onshutdown()
+	 * to not have "arg" prototyped as const (which is quite legitimate,
+	 * because neither of those functions modify arg) can cause
+	 * compiler whining anytime someone does want to use a const
+	 * arg that they themselves never modify, such as with
+	 * gcc -Wwrite-strings and using a string "arg".
+	 */
+	DE_CONST(arg, deconst_arg);
+
+	ISC_EVENT_INIT(event, size, 0, NULL, type, action, deconst_arg, sender,
+		       destroy, mctx);
+
+	return (event);
+}
+
+void
+isc_event_free(isc_event_t **eventp) {
+	isc_event_t *event;
+
+	REQUIRE(eventp != NULL);
+	event = *eventp;
+	*eventp = NULL;
+	REQUIRE(event != NULL);
+
+	REQUIRE(!ISC_LINK_LINKED(event, ev_link));
+	REQUIRE(!ISC_LINK_LINKED(event, ev_ratelink));
+
+	if (event->ev_destroy != NULL) {
+		(event->ev_destroy)(event);
+	}
+}
diff --git a/lib/isc/fsaccess.c b/lib/isc/fsaccess.c
new file mode 100644
index 0000000..54bf38a
--- /dev/null
+++ b/lib/isc/fsaccess.c
@@ -0,0 +1,103 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file
+ * \brief
+ * This file contains the OS-independent functionality of the API.
+ */
+#include <stdbool.h>
+
+#include <isc/fsaccess.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/util.h>
+
+/*!
+ * Shorthand.  Maybe ISC__FSACCESS_PERMISSIONBITS should not even be in
+ * <isc/fsaccess.h>.  Could check consistency with sizeof(isc_fsaccess_t)
+ * and the number of bits in each function.
+ */
+#define STEP  (ISC__FSACCESS_PERMISSIONBITS)
+#define GROUP (STEP)
+#define OTHER (STEP * 2)
+
+void
+isc_fsaccess_add(int trustee, int permission, isc_fsaccess_t *access) {
+	REQUIRE(trustee <= 0x7);
+	REQUIRE(permission <= 0xFF);
+
+	if ((trustee & ISC_FSACCESS_OWNER) != 0) {
+		*access |= permission;
+	}
+
+	if ((trustee & ISC_FSACCESS_GROUP) != 0) {
+		*access |= (permission << GROUP);
+	}
+
+	if ((trustee & ISC_FSACCESS_OTHER) != 0) {
+		*access |= (permission << OTHER);
+	}
+}
+
+void
+isc_fsaccess_remove(int trustee, int permission, isc_fsaccess_t *access) {
+	REQUIRE(trustee <= 0x7);
+	REQUIRE(permission <= 0xFF);
+
+	if ((trustee & ISC_FSACCESS_OWNER) != 0) {
+		*access &= ~permission;
+	}
+
+	if ((trustee & ISC_FSACCESS_GROUP) != 0) {
+		*access &= ~(permission << GROUP);
+	}
+
+	if ((trustee & ISC_FSACCESS_OTHER) != 0) {
+		*access &= ~(permission << OTHER);
+	}
+}
+
+static isc_result_t
+check_bad_bits(isc_fsaccess_t access, bool is_dir) {
+	isc_fsaccess_t bits;
+
+	/*
+	 * Check for disallowed user bits.
+	 */
+	if (is_dir) {
+		bits = ISC_FSACCESS_READ | ISC_FSACCESS_WRITE |
+		       ISC_FSACCESS_EXECUTE;
+	} else {
+		bits = ISC_FSACCESS_CREATECHILD | ISC_FSACCESS_ACCESSCHILD |
+		       ISC_FSACCESS_DELETECHILD | ISC_FSACCESS_LISTDIRECTORY;
+	}
+
+	/*
+	 * Set group bad bits.
+	 */
+	bits |= bits << STEP;
+	/*
+	 * Set other bad bits.
+	 */
+	bits |= bits << STEP;
+
+	if ((access & bits) != 0) {
+		if (is_dir) {
+			return (ISC_R_NOTFILE);
+		} else {
+			return (ISC_R_NOTDIRECTORY);
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/isc/hash.c b/lib/isc/hash.c
new file mode 100644
index 0000000..b3fb97a
--- /dev/null
+++ b/lib/isc/hash.c
@@ -0,0 +1,153 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stddef.h>
+#if defined(WIN32) || defined(WIN64)
+#include <malloc.h>
+#endif /* if defined(WIN32) || defined(WIN64) */
+
+#include "entropy_private.h"
+#include "isc/hash.h" /* IWYU pragma: keep */
+#include "isc/likely.h"
+#include "isc/once.h"
+#include "isc/random.h"
+#include "isc/result.h"
+#include "isc/siphash.h"
+#include "isc/string.h"
+#include "isc/types.h"
+#include "isc/util.h"
+
+static uint8_t isc_hash_key[16];
+static uint8_t isc_hash32_key[8];
+static bool hash_initialized = false;
+static isc_once_t isc_hash_once = ISC_ONCE_INIT;
+
+static void
+isc_hash_initialize(void) {
+	/*
+	 * Set a constant key to help in problem reproduction should
+	 * fuzzing find a crash or a hang.
+	 */
+	uint64_t key[2] = { 0, 1 };
+#if !FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+	isc_entropy_get(key, sizeof(key));
+#endif /* if FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION */
+	memmove(isc_hash_key, key, sizeof(isc_hash_key));
+#if !FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+	isc_entropy_get(key, sizeof(key));
+#endif /* if FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION */
+	memmove(isc_hash32_key, key, sizeof(isc_hash32_key));
+	hash_initialized = true;
+}
+
+static uint8_t maptolower[] = {
+	0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
+	0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+	0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
+	0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
+	0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b,
+	0x3c, 0x3d, 0x3e, 0x3f, 0x40, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
+	0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73,
+	0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f,
+	0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b,
+	0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
+	0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x80, 0x81, 0x82, 0x83,
+	0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
+	0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97, 0x98, 0x99, 0x9a, 0x9b,
+	0x9c, 0x9d, 0x9e, 0x9f, 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
+	0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf, 0xb0, 0xb1, 0xb2, 0xb3,
+	0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf,
+	0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, 0xc8, 0xc9, 0xca, 0xcb,
+	0xcc, 0xcd, 0xce, 0xcf, 0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7,
+	0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf, 0xe0, 0xe1, 0xe2, 0xe3,
+	0xe4, 0xe5, 0xe6, 0xe7, 0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef,
+	0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb,
+	0xfc, 0xfd, 0xfe, 0xff
+};
+
+const void *
+isc_hash_get_initializer(void) {
+	if (ISC_UNLIKELY(!hash_initialized)) {
+		RUNTIME_CHECK(
+			isc_once_do(&isc_hash_once, isc_hash_initialize) ==
+			ISC_R_SUCCESS);
+	}
+
+	return (isc_hash_key);
+}
+
+void
+isc_hash_set_initializer(const void *initializer) {
+	REQUIRE(initializer != NULL);
+
+	/*
+	 * Ensure that isc_hash_initialize() is not called after
+	 * isc_hash_set_initializer() is called.
+	 */
+	if (ISC_UNLIKELY(!hash_initialized)) {
+		RUNTIME_CHECK(
+			isc_once_do(&isc_hash_once, isc_hash_initialize) ==
+			ISC_R_SUCCESS);
+	}
+
+	memmove(isc_hash_key, initializer, sizeof(isc_hash_key));
+}
+
+uint64_t
+isc_hash64(const void *data, const size_t length, const bool case_sensitive) {
+	uint64_t hval;
+
+	REQUIRE(length == 0 || data != NULL);
+
+	RUNTIME_CHECK(isc_once_do(&isc_hash_once, isc_hash_initialize) ==
+		      ISC_R_SUCCESS);
+
+	if (case_sensitive) {
+		isc_siphash24(isc_hash_key, data, length, (uint8_t *)&hval);
+	} else {
+		uint8_t input[1024];
+		REQUIRE(length <= 1024);
+		for (unsigned int i = 0; i < length; i++) {
+			input[i] = maptolower[((const uint8_t *)data)[i]];
+		}
+		isc_siphash24(isc_hash_key, input, length, (uint8_t *)&hval);
+	}
+
+	return (hval);
+}
+
+uint32_t
+isc_hash32(const void *data, const size_t length, const bool case_sensitive) {
+	uint32_t hval;
+
+	REQUIRE(length == 0 || data != NULL);
+
+	RUNTIME_CHECK(isc_once_do(&isc_hash_once, isc_hash_initialize) ==
+		      ISC_R_SUCCESS);
+
+	if (case_sensitive) {
+		isc_halfsiphash24(isc_hash_key, data, length, (uint8_t *)&hval);
+	} else {
+		uint8_t input[1024];
+		REQUIRE(length <= 1024);
+		for (unsigned int i = 0; i < length; i++) {
+			input[i] = maptolower[((const uint8_t *)data)[i]];
+		}
+		isc_halfsiphash24(isc_hash_key, input, length,
+				  (uint8_t *)&hval);
+	}
+
+	return (hval);
+}
diff --git a/lib/isc/heap.c b/lib/isc/heap.c
new file mode 100644
index 0000000..7b0cc28
--- /dev/null
+++ b/lib/isc/heap.c
@@ -0,0 +1,280 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file
+ * Heap implementation of priority queues adapted from the following:
+ *
+ *	\li "Introduction to Algorithms," Cormen, Leiserson, and Rivest,
+ *	MIT Press / McGraw Hill, 1990, ISBN 0-262-03141-8, chapter 7.
+ *
+ *	\li "Algorithms," Second Edition, Sedgewick, Addison-Wesley, 1988,
+ *	ISBN 0-201-06673-4, chapter 11.
+ */
+
+#include <stdbool.h>
+
+#include <isc/heap.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/string.h> /* Required for memmove. */
+#include <isc/util.h>
+
+/*@{*/
+/*%
+ * Note: to make heap_parent and heap_left easy to compute, the first
+ * element of the heap array is not used; i.e. heap subscripts are 1-based,
+ * not 0-based.  The parent is index/2, and the left-child is index*2.
+ * The right child is index*2+1.
+ */
+#define heap_parent(i) ((i) >> 1)
+#define heap_left(i)   ((i) << 1)
+/*@}*/
+
+#define SIZE_INCREMENT 1024
+
+#define HEAP_MAGIC    ISC_MAGIC('H', 'E', 'A', 'P')
+#define VALID_HEAP(h) ISC_MAGIC_VALID(h, HEAP_MAGIC)
+
+/*%
+ * When the heap is in a consistent state, the following invariant
+ * holds true: for every element i > 1, heap_parent(i) has a priority
+ * higher than or equal to that of i.
+ */
+#define HEAPCONDITION(i) \
+	((i) == 1 ||     \
+	 !heap->compare(heap->array[(i)], heap->array[heap_parent(i)]))
+
+/*% ISC heap structure. */
+struct isc_heap {
+	unsigned int magic;
+	isc_mem_t *mctx;
+	unsigned int size;
+	unsigned int size_increment;
+	unsigned int last;
+	void **array;
+	isc_heapcompare_t compare;
+	isc_heapindex_t index;
+};
+
+#ifdef ISC_HEAP_CHECK
+static void
+heap_check(isc_heap_t *heap) {
+	unsigned int i;
+	for (i = 1; i <= heap->last; i++) {
+		INSIST(HEAPCONDITION(i));
+	}
+}
+#else /* ifdef ISC_HEAP_CHECK */
+#define heap_check(x) (void)0
+#endif /* ifdef ISC_HEAP_CHECK */
+
+void
+isc_heap_create(isc_mem_t *mctx, isc_heapcompare_t compare, isc_heapindex_t idx,
+		unsigned int size_increment, isc_heap_t **heapp) {
+	isc_heap_t *heap;
+
+	REQUIRE(heapp != NULL && *heapp == NULL);
+	REQUIRE(compare != NULL);
+
+	heap = isc_mem_get(mctx, sizeof(*heap));
+	heap->magic = HEAP_MAGIC;
+	heap->size = 0;
+	heap->mctx = NULL;
+	isc_mem_attach(mctx, &heap->mctx);
+	if (size_increment == 0) {
+		heap->size_increment = SIZE_INCREMENT;
+	} else {
+		heap->size_increment = size_increment;
+	}
+	heap->last = 0;
+	heap->array = NULL;
+	heap->compare = compare;
+	heap->index = idx;
+
+	*heapp = heap;
+}
+
+void
+isc_heap_destroy(isc_heap_t **heapp) {
+	isc_heap_t *heap;
+
+	REQUIRE(heapp != NULL);
+	heap = *heapp;
+	*heapp = NULL;
+	REQUIRE(VALID_HEAP(heap));
+
+	if (heap->array != NULL) {
+		isc_mem_put(heap->mctx, heap->array,
+			    heap->size * sizeof(void *));
+	}
+	heap->magic = 0;
+	isc_mem_putanddetach(&heap->mctx, heap, sizeof(*heap));
+}
+
+static void
+resize(isc_heap_t *heap) {
+	void **new_array;
+	unsigned int new_size;
+
+	REQUIRE(VALID_HEAP(heap));
+
+	new_size = heap->size + heap->size_increment;
+	new_array = isc_mem_get(heap->mctx, new_size * sizeof(void *));
+	if (heap->array != NULL) {
+		memmove(new_array, heap->array, heap->size * sizeof(void *));
+		isc_mem_put(heap->mctx, heap->array,
+			    heap->size * sizeof(void *));
+	}
+	heap->size = new_size;
+	heap->array = new_array;
+}
+
+static void
+float_up(isc_heap_t *heap, unsigned int i, void *elt) {
+	unsigned int p;
+
+	for (p = heap_parent(i); i > 1 && heap->compare(elt, heap->array[p]);
+	     i = p, p = heap_parent(i))
+	{
+		heap->array[i] = heap->array[p];
+		if (heap->index != NULL) {
+			(heap->index)(heap->array[i], i);
+		}
+	}
+	heap->array[i] = elt;
+	if (heap->index != NULL) {
+		(heap->index)(heap->array[i], i);
+	}
+
+	INSIST(HEAPCONDITION(i));
+	heap_check(heap);
+}
+
+static void
+sink_down(isc_heap_t *heap, unsigned int i, void *elt) {
+	unsigned int j, size, half_size;
+	size = heap->last;
+	half_size = size / 2;
+	while (i <= half_size) {
+		/* Find the smallest of the (at most) two children. */
+		j = heap_left(i);
+		if (j < size &&
+		    heap->compare(heap->array[j + 1], heap->array[j]))
+		{
+			j++;
+		}
+		if (heap->compare(elt, heap->array[j])) {
+			break;
+		}
+		heap->array[i] = heap->array[j];
+		if (heap->index != NULL) {
+			(heap->index)(heap->array[i], i);
+		}
+		i = j;
+	}
+	heap->array[i] = elt;
+	if (heap->index != NULL) {
+		(heap->index)(heap->array[i], i);
+	}
+
+	INSIST(HEAPCONDITION(i));
+	heap_check(heap);
+}
+
+void
+isc_heap_insert(isc_heap_t *heap, void *elt) {
+	unsigned int new_last;
+
+	REQUIRE(VALID_HEAP(heap));
+
+	heap_check(heap);
+	new_last = heap->last + 1;
+	RUNTIME_CHECK(new_last > 0); /* overflow check */
+	if (new_last >= heap->size) {
+		resize(heap);
+	}
+	heap->last = new_last;
+
+	float_up(heap, new_last, elt);
+}
+
+void
+isc_heap_delete(isc_heap_t *heap, unsigned int idx) {
+	void *elt;
+	bool less;
+
+	REQUIRE(VALID_HEAP(heap));
+	REQUIRE(idx >= 1 && idx <= heap->last);
+
+	heap_check(heap);
+	if (heap->index != NULL) {
+		(heap->index)(heap->array[idx], 0);
+	}
+	if (idx == heap->last) {
+		heap->array[heap->last] = NULL;
+		heap->last--;
+		heap_check(heap);
+	} else {
+		elt = heap->array[heap->last];
+		heap->array[heap->last] = NULL;
+		heap->last--;
+
+		less = heap->compare(elt, heap->array[idx]);
+		heap->array[idx] = elt;
+		if (less) {
+			float_up(heap, idx, heap->array[idx]);
+		} else {
+			sink_down(heap, idx, heap->array[idx]);
+		}
+	}
+}
+
+void
+isc_heap_increased(isc_heap_t *heap, unsigned int idx) {
+	REQUIRE(VALID_HEAP(heap));
+	REQUIRE(idx >= 1 && idx <= heap->last);
+
+	float_up(heap, idx, heap->array[idx]);
+}
+
+void
+isc_heap_decreased(isc_heap_t *heap, unsigned int idx) {
+	REQUIRE(VALID_HEAP(heap));
+	REQUIRE(idx >= 1 && idx <= heap->last);
+
+	sink_down(heap, idx, heap->array[idx]);
+}
+
+void *
+isc_heap_element(isc_heap_t *heap, unsigned int idx) {
+	REQUIRE(VALID_HEAP(heap));
+	REQUIRE(idx >= 1);
+
+	heap_check(heap);
+	if (idx <= heap->last) {
+		return (heap->array[idx]);
+	}
+	return (NULL);
+}
+
+void
+isc_heap_foreach(isc_heap_t *heap, isc_heapaction_t action, void *uap) {
+	unsigned int i;
+
+	REQUIRE(VALID_HEAP(heap));
+	REQUIRE(action != NULL);
+
+	for (i = 1; i <= heap->last; i++) {
+		(action)(heap->array[i], uap);
+	}
+}
diff --git a/lib/isc/hex.c b/lib/isc/hex.c
new file mode 100644
index 0000000..be67f03
--- /dev/null
+++ b/lib/isc/hex.c
@@ -0,0 +1,212 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <ctype.h>
+#include <stdbool.h>
+
+#include <isc/buffer.h>
+#include <isc/hex.h>
+#include <isc/lex.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#define RETERR(x)                        \
+	do {                             \
+		isc_result_t _r = (x);   \
+		if (_r != ISC_R_SUCCESS) \
+			return ((_r));   \
+	} while (0)
+
+/*
+ * BEW: These static functions are copied from lib/dns/rdata.c.
+ */
+static isc_result_t
+str_totext(const char *source, isc_buffer_t *target);
+
+static isc_result_t
+mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length);
+
+static const char hex[] = "0123456789ABCDEF";
+
+isc_result_t
+isc_hex_totext(isc_region_t *source, int wordlength, const char *wordbreak,
+	       isc_buffer_t *target) {
+	char buf[3];
+	unsigned int loops = 0;
+
+	if (wordlength < 2) {
+		wordlength = 2;
+	}
+
+	memset(buf, 0, sizeof(buf));
+	while (source->length > 0) {
+		buf[0] = hex[(source->base[0] >> 4) & 0xf];
+		buf[1] = hex[(source->base[0]) & 0xf];
+		RETERR(str_totext(buf, target));
+		isc_region_consume(source, 1);
+
+		loops++;
+		if (source->length != 0 && (int)((loops + 1) * 2) >= wordlength)
+		{
+			loops = 0;
+			RETERR(str_totext(wordbreak, target));
+		}
+	}
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * State of a hex decoding process in progress.
+ */
+typedef struct {
+	int length;	      /*%< Desired length of binary data or -1 */
+	isc_buffer_t *target; /*%< Buffer for resulting binary data */
+	int digits;	      /*%< Number of buffered hex digits */
+	int val[2];
+} hex_decode_ctx_t;
+
+static void
+hex_decode_init(hex_decode_ctx_t *ctx, int length, isc_buffer_t *target) {
+	ctx->digits = 0;
+	ctx->length = length;
+	ctx->target = target;
+}
+
+static isc_result_t
+hex_decode_char(hex_decode_ctx_t *ctx, int c) {
+	const char *s;
+
+	if ((s = strchr(hex, toupper(c))) == NULL) {
+		return (ISC_R_BADHEX);
+	}
+	ctx->val[ctx->digits++] = (int)(s - hex);
+	if (ctx->digits == 2) {
+		unsigned char num;
+
+		num = (ctx->val[0] << 4) + (ctx->val[1]);
+		RETERR(mem_tobuffer(ctx->target, &num, 1));
+		if (ctx->length >= 0) {
+			if (ctx->length == 0) {
+				return (ISC_R_BADHEX);
+			} else {
+				ctx->length -= 1;
+			}
+		}
+		ctx->digits = 0;
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hex_decode_finish(hex_decode_ctx_t *ctx) {
+	if (ctx->length > 0) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	if (ctx->digits != 0) {
+		return (ISC_R_BADHEX);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_hex_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length) {
+	unsigned int before, after;
+	hex_decode_ctx_t ctx;
+	isc_textregion_t *tr;
+	isc_token_t token;
+	bool eol;
+
+	REQUIRE(length >= -2);
+
+	hex_decode_init(&ctx, length, target);
+
+	before = isc_buffer_usedlength(target);
+	while (ctx.length != 0) {
+		unsigned int i;
+
+		if (length > 0) {
+			eol = false;
+		} else {
+			eol = true;
+		}
+		RETERR(isc_lex_getmastertoken(lexer, &token,
+					      isc_tokentype_string, eol));
+		if (token.type != isc_tokentype_string) {
+			break;
+		}
+		tr = &token.value.as_textregion;
+		for (i = 0; i < tr->length; i++) {
+			RETERR(hex_decode_char(&ctx, tr->base[i]));
+		}
+	}
+	after = isc_buffer_usedlength(target);
+	if (ctx.length < 0) {
+		isc_lex_ungettoken(lexer, &token);
+	}
+	RETERR(hex_decode_finish(&ctx));
+	if (length == -2 && before == after) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_hex_decodestring(const char *cstr, isc_buffer_t *target) {
+	hex_decode_ctx_t ctx;
+
+	hex_decode_init(&ctx, -1, target);
+	for (;;) {
+		int c = *cstr++;
+		if (c == '\0') {
+			break;
+		}
+		if (c == ' ' || c == '\t' || c == '\n' || c == '\r') {
+			continue;
+		}
+		RETERR(hex_decode_char(&ctx, c));
+	}
+	RETERR(hex_decode_finish(&ctx));
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+str_totext(const char *source, isc_buffer_t *target) {
+	unsigned int l;
+	isc_region_t region;
+
+	isc_buffer_availableregion(target, &region);
+	l = strlen(source);
+
+	if (l > region.length) {
+		return (ISC_R_NOSPACE);
+	}
+
+	memmove(region.base, source, l);
+	isc_buffer_add(target, l);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length) {
+	isc_region_t tr;
+
+	isc_buffer_availableregion(target, &tr);
+	if (length > tr.length) {
+		return (ISC_R_NOSPACE);
+	}
+	memmove(tr.base, base, length);
+	isc_buffer_add(target, length);
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/isc/hmac.c b/lib/isc/hmac.c
new file mode 100644
index 0000000..442ae7f
--- /dev/null
+++ b/lib/isc/hmac.c
@@ -0,0 +1,146 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <openssl/hmac.h>
+#include <openssl/opensslv.h>
+
+#include <isc/assertions.h>
+#include <isc/hmac.h>
+#include <isc/md.h>
+#include <isc/platform.h>
+#include <isc/safe.h>
+#include <isc/string.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include "openssl_shim.h"
+
+isc_hmac_t *
+isc_hmac_new(void) {
+	HMAC_CTX *hmac = HMAC_CTX_new();
+	RUNTIME_CHECK(hmac != NULL);
+	return ((struct hmac *)hmac);
+}
+
+void
+isc_hmac_free(isc_hmac_t *hmac) {
+	if (ISC_UNLIKELY(hmac == NULL)) {
+		return;
+	}
+
+	HMAC_CTX_free(hmac);
+}
+
+isc_result_t
+isc_hmac_init(isc_hmac_t *hmac, const void *key, size_t keylen,
+	      const isc_md_type_t *md_type) {
+	REQUIRE(hmac != NULL);
+	REQUIRE(key != NULL);
+
+	if (md_type == NULL) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	if (HMAC_Init_ex(hmac, key, keylen, md_type, NULL) != 1) {
+		return (ISC_R_CRYPTOFAILURE);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_hmac_reset(isc_hmac_t *hmac) {
+	REQUIRE(hmac != NULL);
+
+	if (HMAC_CTX_reset(hmac) != 1) {
+		return (ISC_R_CRYPTOFAILURE);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_hmac_update(isc_hmac_t *hmac, const unsigned char *buf, const size_t len) {
+	REQUIRE(hmac != NULL);
+
+	if (ISC_UNLIKELY(buf == NULL || len == 0)) {
+		return (ISC_R_SUCCESS);
+	}
+
+	if (HMAC_Update(hmac, buf, len) != 1) {
+		return (ISC_R_CRYPTOFAILURE);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_hmac_final(isc_hmac_t *hmac, unsigned char *digest,
+	       unsigned int *digestlen) {
+	REQUIRE(hmac != NULL);
+	REQUIRE(digest != NULL);
+
+	if (HMAC_Final(hmac, digest, digestlen) != 1) {
+		return (ISC_R_CRYPTOFAILURE);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+const isc_md_type_t *
+isc_hmac_get_md_type(isc_hmac_t *hmac) {
+	REQUIRE(hmac != NULL);
+
+	return (HMAC_CTX_get_md(hmac));
+}
+
+size_t
+isc_hmac_get_size(isc_hmac_t *hmac) {
+	REQUIRE(hmac != NULL);
+
+	return ((size_t)EVP_MD_size(HMAC_CTX_get_md(hmac)));
+}
+
+int
+isc_hmac_get_block_size(isc_hmac_t *hmac) {
+	REQUIRE(hmac != NULL);
+
+	return (EVP_MD_block_size(HMAC_CTX_get_md(hmac)));
+}
+
+isc_result_t
+isc_hmac(const isc_md_type_t *type, const void *key, const int keylen,
+	 const unsigned char *buf, const size_t len, unsigned char *digest,
+	 unsigned int *digestlen) {
+	isc_result_t res;
+	isc_hmac_t *hmac = isc_hmac_new();
+
+	res = isc_hmac_init(hmac, key, keylen, type);
+	if (res != ISC_R_SUCCESS) {
+		goto end;
+	}
+
+	res = isc_hmac_update(hmac, buf, len);
+	if (res != ISC_R_SUCCESS) {
+		goto end;
+	}
+
+	res = isc_hmac_final(hmac, digest, digestlen);
+	if (res != ISC_R_SUCCESS) {
+		goto end;
+	}
+end:
+	isc_hmac_free(hmac);
+
+	return (res);
+}
diff --git a/lib/isc/ht.c b/lib/isc/ht.c
new file mode 100644
index 0000000..07a36b4
--- /dev/null
+++ b/lib/isc/ht.c
@@ -0,0 +1,342 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <inttypes.h>
+#include <string.h>
+
+#include <isc/hash.h>
+#include <isc/ht.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/result.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+typedef struct isc_ht_node isc_ht_node_t;
+
+#define ISC_HT_MAGIC	 ISC_MAGIC('H', 'T', 'a', 'b')
+#define ISC_HT_VALID(ht) ISC_MAGIC_VALID(ht, ISC_HT_MAGIC)
+
+struct isc_ht_node {
+	void *value;
+	isc_ht_node_t *next;
+	size_t keysize;
+	unsigned char key[FLEXIBLE_ARRAY_MEMBER];
+};
+
+struct isc_ht {
+	unsigned int magic;
+	isc_mem_t *mctx;
+	size_t size;
+	size_t mask;
+	unsigned int count;
+	isc_ht_node_t **table;
+};
+
+struct isc_ht_iter {
+	isc_ht_t *ht;
+	size_t i;
+	isc_ht_node_t *cur;
+};
+
+void
+isc_ht_init(isc_ht_t **htp, isc_mem_t *mctx, uint8_t bits) {
+	isc_ht_t *ht = NULL;
+	size_t i;
+
+	REQUIRE(htp != NULL && *htp == NULL);
+	REQUIRE(mctx != NULL);
+	REQUIRE(bits >= 1 && bits <= (sizeof(size_t) * 8 - 1));
+
+	ht = isc_mem_get(mctx, sizeof(struct isc_ht));
+
+	ht->mctx = NULL;
+	isc_mem_attach(mctx, &ht->mctx);
+
+	ht->size = ((size_t)1 << bits);
+	ht->mask = ((size_t)1 << bits) - 1;
+	ht->count = 0;
+
+	ht->table = isc_mem_get(ht->mctx, ht->size * sizeof(isc_ht_node_t *));
+
+	for (i = 0; i < ht->size; i++) {
+		ht->table[i] = NULL;
+	}
+
+	ht->magic = ISC_HT_MAGIC;
+
+	*htp = ht;
+}
+
+void
+isc_ht_destroy(isc_ht_t **htp) {
+	isc_ht_t *ht;
+	size_t i;
+
+	REQUIRE(htp != NULL);
+
+	ht = *htp;
+	*htp = NULL;
+
+	REQUIRE(ISC_HT_VALID(ht));
+
+	ht->magic = 0;
+
+	for (i = 0; i < ht->size; i++) {
+		isc_ht_node_t *node = ht->table[i];
+		while (node != NULL) {
+			isc_ht_node_t *next = node->next;
+			ht->count--;
+			isc_mem_put(ht->mctx, node,
+				    offsetof(isc_ht_node_t, key) +
+					    node->keysize);
+			node = next;
+		}
+	}
+
+	INSIST(ht->count == 0);
+
+	isc_mem_put(ht->mctx, ht->table, ht->size * sizeof(isc_ht_node_t *));
+	isc_mem_putanddetach(&ht->mctx, ht, sizeof(struct isc_ht));
+}
+
+isc_result_t
+isc_ht_add(isc_ht_t *ht, const unsigned char *key, uint32_t keysize,
+	   void *value) {
+	isc_ht_node_t *node;
+	uint32_t hash;
+
+	REQUIRE(ISC_HT_VALID(ht));
+	REQUIRE(key != NULL && keysize > 0);
+
+	hash = isc_hash_function(key, keysize, true);
+	node = ht->table[hash & ht->mask];
+	while (node != NULL) {
+		if (keysize == node->keysize &&
+		    memcmp(key, node->key, keysize) == 0)
+		{
+			return (ISC_R_EXISTS);
+		}
+		node = node->next;
+	}
+
+	node = isc_mem_get(ht->mctx, offsetof(isc_ht_node_t, key) + keysize);
+
+	memmove(node->key, key, keysize);
+	node->keysize = keysize;
+	node->next = ht->table[hash & ht->mask];
+	node->value = value;
+
+	ht->count++;
+	ht->table[hash & ht->mask] = node;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_ht_find(const isc_ht_t *ht, const unsigned char *key, uint32_t keysize,
+	    void **valuep) {
+	isc_ht_node_t *node;
+	uint32_t hash;
+
+	REQUIRE(ISC_HT_VALID(ht));
+	REQUIRE(key != NULL && keysize > 0);
+	REQUIRE(valuep == NULL || *valuep == NULL);
+
+	hash = isc_hash_function(key, keysize, true);
+	node = ht->table[hash & ht->mask];
+	while (node != NULL) {
+		if (keysize == node->keysize &&
+		    memcmp(key, node->key, keysize) == 0)
+		{
+			if (valuep != NULL) {
+				*valuep = node->value;
+			}
+			return (ISC_R_SUCCESS);
+		}
+		node = node->next;
+	}
+
+	return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
+isc_ht_delete(isc_ht_t *ht, const unsigned char *key, uint32_t keysize) {
+	isc_ht_node_t *node, *prev;
+	uint32_t hash;
+
+	REQUIRE(ISC_HT_VALID(ht));
+	REQUIRE(key != NULL && keysize > 0);
+
+	prev = NULL;
+	hash = isc_hash_function(key, keysize, true);
+	node = ht->table[hash & ht->mask];
+	while (node != NULL) {
+		if (keysize == node->keysize &&
+		    memcmp(key, node->key, keysize) == 0)
+		{
+			if (prev == NULL) {
+				ht->table[hash & ht->mask] = node->next;
+			} else {
+				prev->next = node->next;
+			}
+			isc_mem_put(ht->mctx, node,
+				    offsetof(isc_ht_node_t, key) +
+					    node->keysize);
+			ht->count--;
+
+			return (ISC_R_SUCCESS);
+		}
+
+		prev = node;
+		node = node->next;
+	}
+	return (ISC_R_NOTFOUND);
+}
+
+void
+isc_ht_iter_create(isc_ht_t *ht, isc_ht_iter_t **itp) {
+	isc_ht_iter_t *it;
+
+	REQUIRE(ISC_HT_VALID(ht));
+	REQUIRE(itp != NULL && *itp == NULL);
+
+	it = isc_mem_get(ht->mctx, sizeof(isc_ht_iter_t));
+
+	it->ht = ht;
+	it->i = 0;
+	it->cur = NULL;
+
+	*itp = it;
+}
+
+void
+isc_ht_iter_destroy(isc_ht_iter_t **itp) {
+	isc_ht_iter_t *it;
+	isc_ht_t *ht;
+
+	REQUIRE(itp != NULL && *itp != NULL);
+
+	it = *itp;
+	*itp = NULL;
+	ht = it->ht;
+	isc_mem_put(ht->mctx, it, sizeof(isc_ht_iter_t));
+}
+
+isc_result_t
+isc_ht_iter_first(isc_ht_iter_t *it) {
+	REQUIRE(it != NULL);
+
+	it->i = 0;
+	while (it->i < it->ht->size && it->ht->table[it->i] == NULL) {
+		it->i++;
+	}
+
+	if (it->i == it->ht->size) {
+		return (ISC_R_NOMORE);
+	}
+
+	it->cur = it->ht->table[it->i];
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_ht_iter_next(isc_ht_iter_t *it) {
+	REQUIRE(it != NULL);
+	REQUIRE(it->cur != NULL);
+
+	it->cur = it->cur->next;
+	if (it->cur == NULL) {
+		do {
+			it->i++;
+		} while (it->i < it->ht->size && it->ht->table[it->i] == NULL);
+		if (it->i >= it->ht->size) {
+			return (ISC_R_NOMORE);
+		}
+		it->cur = it->ht->table[it->i];
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_ht_iter_delcurrent_next(isc_ht_iter_t *it) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_ht_node_t *to_delete = NULL;
+	isc_ht_node_t *prev = NULL;
+	isc_ht_node_t *node = NULL;
+	uint32_t hash;
+	isc_ht_t *ht;
+	REQUIRE(it != NULL);
+	REQUIRE(it->cur != NULL);
+	to_delete = it->cur;
+	ht = it->ht;
+
+	it->cur = it->cur->next;
+	if (it->cur == NULL) {
+		do {
+			it->i++;
+		} while (it->i < ht->size && ht->table[it->i] == NULL);
+		if (it->i >= ht->size) {
+			result = ISC_R_NOMORE;
+		} else {
+			it->cur = ht->table[it->i];
+		}
+	}
+
+	hash = isc_hash_function(to_delete->key, to_delete->keysize, true);
+	node = ht->table[hash & ht->mask];
+	while (node != to_delete) {
+		prev = node;
+		node = node->next;
+		INSIST(node != NULL);
+	}
+
+	if (prev == NULL) {
+		ht->table[hash & ht->mask] = node->next;
+	} else {
+		prev->next = node->next;
+	}
+	isc_mem_put(ht->mctx, node,
+		    offsetof(isc_ht_node_t, key) + node->keysize);
+	ht->count--;
+
+	return (result);
+}
+
+void
+isc_ht_iter_current(isc_ht_iter_t *it, void **valuep) {
+	REQUIRE(it != NULL);
+	REQUIRE(it->cur != NULL);
+	REQUIRE(valuep != NULL && *valuep == NULL);
+
+	*valuep = it->cur->value;
+}
+
+void
+isc_ht_iter_currentkey(isc_ht_iter_t *it, unsigned char **key,
+		       size_t *keysize) {
+	REQUIRE(it != NULL);
+	REQUIRE(it->cur != NULL);
+	REQUIRE(key != NULL && *key == NULL);
+
+	*key = it->cur->key;
+	*keysize = it->cur->keysize;
+}
+
+unsigned int
+isc_ht_count(isc_ht_t *ht) {
+	REQUIRE(ISC_HT_VALID(ht));
+
+	return (ht->count);
+}
diff --git a/lib/isc/httpd.c b/lib/isc/httpd.c
new file mode 100644
index 0000000..b5ac5e4
--- /dev/null
+++ b/lib/isc/httpd.c
@@ -0,0 +1,1347 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <string.h>
+
+#include <isc/buffer.h>
+#include <isc/httpd.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/refcount.h>
+#include <isc/socket.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#ifdef HAVE_ZLIB
+#include <zlib.h>
+#endif /* ifdef HAVE_ZLIB */
+
+/*%
+ * TODO:
+ *
+ *  o  Make the URL processing external functions which will fill-in a buffer
+ *     structure we provide, or return an error and we will render a generic
+ *     page and close the client.
+ */
+
+#define MSHUTTINGDOWN(cm)    ((cm->flags & ISC_HTTPDMGR_FLAGSHUTTINGDOWN) != 0)
+#define MSETSHUTTINGDOWN(cm) (cm->flags |= ISC_HTTPDMGR_FLAGSHUTTINGDOWN)
+
+#define HTTP_RECVLEN	 1024
+#define HTTP_SENDGROW	 1024
+#define HTTP_SEND_MAXLEN 10240
+
+#define HTTPD_CLOSE	     0x0001 /* Got a Connection: close header */
+#define HTTPD_FOUNDHOST	     0x0002 /* Got a Host: header */
+#define HTTPD_KEEPALIVE	     0x0004 /* Got a Connection: Keep-Alive */
+#define HTTPD_ACCEPT_DEFLATE 0x0008
+
+#define HTTPD_MAGIC    ISC_MAGIC('H', 't', 'p', 'd')
+#define VALID_HTTPD(m) ISC_MAGIC_VALID(m, HTTPD_MAGIC)
+
+#define HTTPDMGR_MAGIC	  ISC_MAGIC('H', 'p', 'd', 'm')
+#define VALID_HTTPDMGR(m) ISC_MAGIC_VALID(m, HTTPDMGR_MAGIC)
+
+/*% http client */
+struct isc_httpd {
+	unsigned int magic; /* HTTPD_MAGIC */
+	isc_refcount_t references;
+	isc_httpdmgr_t *mgr; /*%< our parent */
+	ISC_LINK(isc_httpd_t) link;
+	unsigned int state;
+	isc_socket_t *sock;
+
+	/*%
+	 * Received data state.
+	 */
+	char recvbuf[HTTP_RECVLEN]; /*%< receive buffer */
+	uint32_t recvlen;	    /*%< length recv'd */
+	char *headers;		    /*%< set in process_request() */
+	unsigned int method;
+	char *url;
+	char *querystring;
+	char *protocol;
+
+	/*
+	 * Flags on the httpd client.
+	 */
+	int flags;
+
+	/*%
+	 * Transmit data state.
+	 *
+	 * This is the data buffer we will transmit.
+	 *
+	 * This free function pointer is filled in by the rendering function
+	 * we call.  The free function is called after the data is transmitted
+	 * to the client.
+	 *
+	 * The bufflist is the list of buffers we are currently transmitting.
+	 * The headerbuffer is where we render our headers to.  If we run out
+	 * of space when rendering a header, we will change the size of our
+	 * buffer.  We will not free it until we are finished, and will
+	 * allocate an additional HTTP_SENDGROW bytes per header space grow.
+	 *
+	 * We currently use three buffers total, one for the headers (which
+	 * we manage), another for the client to fill in (which it manages,
+	 * it provides the space for it, etc) -- we will pass that buffer
+	 * structure back to the caller, who is responsible for managing the
+	 * space it may have allocated as backing store for it.  This second
+	 * buffer is bodybuffer, and we only allocate the buffer itself, not
+	 * the backing store.
+	 * The third buffer is compbuffer, managed by us, that contains the
+	 * compressed HTTP data, if compression is used.
+	 *
+	 */
+	isc_buffer_t headerbuffer;
+	isc_buffer_t compbuffer;
+	isc_buffer_t *sendbuffer;
+
+	const char *mimetype;
+	unsigned int retcode;
+	const char *retmsg;
+	isc_buffer_t bodybuffer;
+	isc_httpdfree_t *freecb;
+	void *freecb_arg;
+};
+
+/*% lightweight socket manager for httpd output */
+struct isc_httpdmgr {
+	unsigned int magic; /* HTTPDMGR_MAGIC */
+	isc_refcount_t references;
+	isc_mem_t *mctx;
+	isc_socket_t *sock; /*%< listening socket */
+	isc_task_t *task;   /*%< owning task */
+	isc_timermgr_t *timermgr;
+
+	isc_httpdclientok_t *client_ok;	 /*%< client validator */
+	isc_httpdondestroy_t *ondestroy; /*%< cleanup callback */
+	void *cb_arg;			 /*%< argument for the above */
+
+	unsigned int flags;
+	ISC_LIST(isc_httpd_t) running; /*%< running clients */
+
+	isc_mutex_t lock;
+
+	ISC_LIST(isc_httpdurl_t) urls; /*%< urls we manage */
+	isc_httpdaction_t *render_404;
+	isc_httpdaction_t *render_500;
+};
+
+/*%
+ * HTTP methods.
+ */
+#define ISC_HTTPD_METHODUNKNOWN 0
+#define ISC_HTTPD_METHODGET	1
+#define ISC_HTTPD_METHODPOST	2
+
+/*%
+ * Client states.
+ *
+ * _IDLE	The client is not doing anything at all.  This state should
+ *		only occur just after creation, and just before being
+ *		destroyed.
+ *
+ * _RECV	The client is waiting for data after issuing a socket recv().
+ *
+ * _RECVDONE	Data has been received, and is being processed.
+ *
+ * _SEND	All data for a response has completed, and a reply was
+ *		sent via a socket send() call.
+ *
+ * _SENDDONE	Send is completed.
+ *
+ * Badly formatted state table:
+ *
+ *	IDLE -> RECV when client has a recv() queued.
+ *
+ *	RECV -> RECVDONE when recvdone event received.
+ *
+ *	RECVDONE -> SEND if the data for a reply is at hand.
+ *
+ *	SEND -> RECV when a senddone event was received.
+ *
+ *	At any time -> RECV on error.  If RECV fails, the client will
+ *	self-destroy, closing the socket and freeing memory.
+ */
+#define ISC_HTTPD_STATEIDLE	0
+#define ISC_HTTPD_STATERECV	1
+#define ISC_HTTPD_STATERECVDONE 2
+#define ISC_HTTPD_STATESEND	3
+#define ISC_HTTPD_STATESENDDONE 4
+
+#define ISC_HTTPD_ISRECV(c)	((c)->state == ISC_HTTPD_STATERECV)
+#define ISC_HTTPD_ISRECVDONE(c) ((c)->state == ISC_HTTPD_STATERECVDONE)
+#define ISC_HTTPD_ISSEND(c)	((c)->state == ISC_HTTPD_STATESEND)
+#define ISC_HTTPD_ISSENDDONE(c) ((c)->state == ISC_HTTPD_STATESENDDONE)
+
+/*%
+ * Overall magic test that means we're not idle.
+ */
+#define ISC_HTTPD_SETRECV(c)	 ((c)->state = ISC_HTTPD_STATERECV)
+#define ISC_HTTPD_SETRECVDONE(c) ((c)->state = ISC_HTTPD_STATERECVDONE)
+#define ISC_HTTPD_SETSEND(c)	 ((c)->state = ISC_HTTPD_STATESEND)
+#define ISC_HTTPD_SETSENDDONE(c) ((c)->state = ISC_HTTPD_STATESENDDONE)
+
+static void
+isc_httpd_accept(isc_task_t *, isc_event_t *);
+static void
+isc_httpd_recvdone(isc_task_t *, isc_event_t *);
+static void
+isc_httpd_senddone(isc_task_t *, isc_event_t *);
+static isc_result_t
+process_request(isc_httpd_t *, int);
+static isc_result_t
+grow_headerspace(isc_httpd_t *);
+static void
+reset_client(isc_httpd_t *httpd);
+
+static isc_httpdaction_t render_404;
+static isc_httpdaction_t render_500;
+
+#if ENABLE_AFL
+static void (*finishhook)(void) = NULL;
+#endif /* ENABLE_AFL */
+
+static void
+maybe_destroy_httpd(isc_httpd_t *);
+static void
+destroy_httpd(isc_httpd_t *);
+static void
+maybe_destroy_httpdmgr(isc_httpdmgr_t *);
+static void
+destroy_httpdmgr(isc_httpdmgr_t *);
+
+static void
+isc_httpdmgr_attach(isc_httpdmgr_t *, isc_httpdmgr_t **);
+static void
+isc_httpdmgr_detach(isc_httpdmgr_t **);
+
+static void
+maybe_destroy_httpd(isc_httpd_t *httpd) {
+	if (isc_refcount_decrement(&httpd->references) == 1) {
+		destroy_httpd(httpd);
+	}
+}
+
+static void
+free_buffer(isc_mem_t *mctx, isc_buffer_t *buffer) {
+	isc_region_t r;
+
+	isc_buffer_region(buffer, &r);
+	if (r.length > 0) {
+		isc_mem_put(mctx, r.base, r.length);
+	}
+
+	isc_buffer_initnull(buffer);
+}
+
+static void
+destroy_httpd(isc_httpd_t *httpd) {
+	isc_httpdmgr_t *httpdmgr;
+
+	REQUIRE(VALID_HTTPD(httpd));
+
+	httpdmgr = httpd->mgr;
+	REQUIRE(VALID_HTTPDMGR(httpdmgr));
+
+	/*
+	 * Unlink before calling isc_socket_detach so
+	 * isc_httpdmgr_shutdown does not dereference a NULL pointer
+	 * when calling isc_socket_cancel().
+	 */
+	LOCK(&httpdmgr->lock);
+	ISC_LIST_UNLINK(httpdmgr->running, httpd, link);
+	UNLOCK(&httpdmgr->lock);
+
+	httpd->magic = 0;
+	isc_refcount_destroy(&httpd->references);
+	isc_socket_detach(&httpd->sock);
+
+	free_buffer(httpdmgr->mctx, &httpd->headerbuffer);
+	free_buffer(httpdmgr->mctx, &httpd->compbuffer);
+
+	isc_mem_put(httpdmgr->mctx, httpd, sizeof(isc_httpd_t));
+
+#if ENABLE_AFL
+	if (finishhook != NULL) {
+		finishhook();
+	}
+#endif /* ENABLE_AFL */
+
+	isc_httpdmgr_detach(&httpdmgr);
+}
+
+static isc_result_t
+httpdmgr_socket_accept(isc_task_t *task, isc_httpdmgr_t *httpdmgr) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	/* decremented in isc_httpd_accept */
+	isc_refcount_increment(&httpdmgr->references);
+	result = isc_socket_accept(httpdmgr->sock, task, isc_httpd_accept,
+				   httpdmgr);
+	if (result != ISC_R_SUCCESS) {
+		INSIST(isc_refcount_decrement(&httpdmgr->references) > 1);
+	}
+	return (result);
+}
+
+static void
+httpd_socket_recv(isc_httpd_t *httpd, isc_region_t *region, isc_task_t *task) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	/* decremented in isc_httpd_recvdone */
+	(void)isc_refcount_increment(&httpd->references);
+	result = isc_socket_recv(httpd->sock, region, 1, task,
+				 isc_httpd_recvdone, httpd);
+	if (result != ISC_R_SUCCESS) {
+		INSIST(isc_refcount_decrement(&httpd->references) > 1);
+	}
+}
+
+static void
+httpd_socket_send(isc_httpd_t *httpd, isc_region_t *region, isc_task_t *task) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	/* decremented in isc_httpd_senddone */
+	(void)isc_refcount_increment(&httpd->references);
+	result = isc_socket_send(httpd->sock, region, task, isc_httpd_senddone,
+				 httpd);
+	if (result != ISC_R_SUCCESS) {
+		INSIST(isc_refcount_decrement(&httpd->references) > 1);
+	}
+}
+
+isc_result_t
+isc_httpdmgr_create(isc_mem_t *mctx, isc_socket_t *sock, isc_task_t *task,
+		    isc_httpdclientok_t *client_ok,
+		    isc_httpdondestroy_t *ondestroy, void *cb_arg,
+		    isc_timermgr_t *tmgr, isc_httpdmgr_t **httpdmgrp) {
+	isc_result_t result;
+	isc_httpdmgr_t *httpdmgr;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(sock != NULL);
+	REQUIRE(task != NULL);
+	REQUIRE(tmgr != NULL);
+	REQUIRE(httpdmgrp != NULL && *httpdmgrp == NULL);
+
+	httpdmgr = isc_mem_get(mctx, sizeof(isc_httpdmgr_t));
+
+	*httpdmgr = (isc_httpdmgr_t){ .timermgr = tmgr, /* XXXMLG no attach
+							 * function? */
+				      .client_ok = client_ok,
+				      .ondestroy = ondestroy,
+				      .cb_arg = cb_arg,
+				      .render_404 = render_404,
+				      .render_500 = render_500 };
+
+	isc_mutex_init(&httpdmgr->lock);
+	isc_mem_attach(mctx, &httpdmgr->mctx);
+	isc_socket_attach(sock, &httpdmgr->sock);
+	isc_task_attach(task, &httpdmgr->task);
+
+	ISC_LIST_INIT(httpdmgr->running);
+	ISC_LIST_INIT(httpdmgr->urls);
+
+	isc_refcount_init(&httpdmgr->references, 1);
+
+	/* XXXMLG ignore errors on isc_socket_listen() */
+	result = isc_socket_listen(sock, SOMAXCONN);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_socket_listen() failed: %s",
+				 isc_result_totext(result));
+		goto cleanup;
+	}
+
+	(void)isc_socket_filter(sock, "httpready");
+
+	httpdmgr->magic = HTTPDMGR_MAGIC;
+
+	result = httpdmgr_socket_accept(task, httpdmgr);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	*httpdmgrp = httpdmgr;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	httpdmgr->magic = 0;
+	isc_refcount_decrementz(&httpdmgr->references);
+	isc_refcount_destroy(&httpdmgr->references);
+	isc_task_detach(&httpdmgr->task);
+	isc_socket_detach(&httpdmgr->sock);
+	isc_mem_detach(&httpdmgr->mctx);
+	isc_mutex_destroy(&httpdmgr->lock);
+	isc_mem_put(mctx, httpdmgr, sizeof(isc_httpdmgr_t));
+	return (result);
+}
+
+static void
+isc_httpdmgr_attach(isc_httpdmgr_t *source, isc_httpdmgr_t **targetp) {
+	REQUIRE(VALID_HTTPDMGR(source));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	isc_refcount_increment(&source->references);
+
+	*targetp = source;
+}
+
+static void
+isc_httpdmgr_detach(isc_httpdmgr_t **httpdmgrp) {
+	REQUIRE(httpdmgrp != NULL && VALID_HTTPDMGR(*httpdmgrp));
+	isc_httpdmgr_t *httpdmgr = *httpdmgrp;
+	*httpdmgrp = NULL;
+
+	maybe_destroy_httpdmgr(httpdmgr);
+}
+
+static void
+maybe_destroy_httpdmgr(isc_httpdmgr_t *httpdmgr) {
+	if (isc_refcount_decrement(&httpdmgr->references) == 1) {
+		destroy_httpdmgr(httpdmgr);
+	}
+}
+
+static void
+destroy_httpdmgr(isc_httpdmgr_t *httpdmgr) {
+	isc_httpdurl_t *url;
+
+	isc_refcount_destroy(&httpdmgr->references);
+
+	LOCK(&httpdmgr->lock);
+
+	httpdmgr->magic = 0;
+
+	INSIST(MSHUTTINGDOWN(httpdmgr));
+	INSIST(ISC_LIST_EMPTY(httpdmgr->running));
+
+	isc_socket_detach(&httpdmgr->sock);
+	isc_task_detach(&httpdmgr->task);
+	httpdmgr->timermgr = NULL;
+
+	/*
+	 * Clear out the list of all actions we know about.  Just free the
+	 * memory.
+	 */
+	url = ISC_LIST_HEAD(httpdmgr->urls);
+	while (url != NULL) {
+		isc_mem_free(httpdmgr->mctx, url->url);
+		ISC_LIST_UNLINK(httpdmgr->urls, url, link);
+		isc_mem_put(httpdmgr->mctx, url, sizeof(isc_httpdurl_t));
+		url = ISC_LIST_HEAD(httpdmgr->urls);
+	}
+
+	UNLOCK(&httpdmgr->lock);
+	isc_mutex_destroy(&httpdmgr->lock);
+
+	if (httpdmgr->ondestroy != NULL) {
+		(httpdmgr->ondestroy)(httpdmgr->cb_arg);
+	}
+	isc_mem_putanddetach(&httpdmgr->mctx, httpdmgr, sizeof(isc_httpdmgr_t));
+}
+
+#define LENGTHOK(s) (httpd->recvbuf - (s) < (int)httpd->recvlen)
+#define BUFLENOK(s) (httpd->recvbuf - (s) < HTTP_RECVLEN)
+
+/*
+ * Look for the given header in headers.
+ * If value is specified look for it terminated with a character in eov.
+ */
+static bool
+have_header(isc_httpd_t *httpd, const char *header, const char *value,
+	    const char *eov) {
+	char *cr, *nl, *h;
+	size_t hlen, vlen = 0;
+
+	h = httpd->headers;
+	hlen = strlen(header);
+	if (value != NULL) {
+		INSIST(eov != NULL);
+		vlen = strlen(value);
+	}
+
+	for (;;) {
+		if (strncasecmp(h, header, hlen) != 0) {
+			/*
+			 * Skip to next line;
+			 */
+			cr = strchr(h, '\r');
+			if (cr != NULL && cr[1] == '\n') {
+				cr++;
+			}
+			nl = strchr(h, '\n');
+
+			/* last header? */
+			h = cr;
+			if (h == NULL || (nl != NULL && nl < h)) {
+				h = nl;
+			}
+			if (h == NULL) {
+				return (false);
+			}
+			h++;
+			continue;
+		}
+
+		if (value == NULL) {
+			return (true);
+		}
+
+		/*
+		 * Skip optional leading white space.
+		 */
+		h += hlen;
+		while (*h == ' ' || *h == '\t') {
+			h++;
+		}
+		/*
+		 * Terminate token search on NULL or EOL.
+		 */
+		while (*h != 0 && *h != '\r' && *h != '\n') {
+			if (strncasecmp(h, value, vlen) == 0) {
+				if (strchr(eov, h[vlen]) != NULL) {
+					return (true);
+					/*
+					 * Skip to next token.
+					 */
+				}
+			}
+			/*
+			 * Skip to next token.
+			 */
+			h += strcspn(h, eov);
+			if (h[0] == '\r' && h[1] == '\n') {
+				h++;
+			}
+			if (h[0] != 0) {
+				h++;
+			}
+		}
+		return (false);
+	}
+}
+
+static isc_result_t
+process_request(isc_httpd_t *httpd, int length) {
+	char *s;
+	char *p;
+	int delim;
+
+	httpd->recvlen += length;
+
+	httpd->recvbuf[httpd->recvlen] = 0;
+	httpd->headers = NULL;
+
+	/*
+	 * If we don't find a blank line in our buffer, return that we need
+	 * more data.
+	 */
+	s = strstr(httpd->recvbuf, "\r\n\r\n");
+	delim = 2;
+	if (s == NULL) {
+		s = strstr(httpd->recvbuf, "\n\n");
+		delim = 1;
+	}
+	if (s == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	/*
+	 * NUL terminate request at the blank line.
+	 */
+	s[delim] = 0;
+
+	/*
+	 * Determine if this is a POST or GET method.  Any other values will
+	 * cause an error to be returned.
+	 */
+	if (strncmp(httpd->recvbuf, "GET ", 4) == 0) {
+		httpd->method = ISC_HTTPD_METHODGET;
+		p = httpd->recvbuf + 4;
+	} else if (strncmp(httpd->recvbuf, "POST ", 5) == 0) {
+		httpd->method = ISC_HTTPD_METHODPOST;
+		p = httpd->recvbuf + 5;
+	} else {
+		return (ISC_R_RANGE);
+	}
+
+	/*
+	 * From now on, p is the start of our buffer.
+	 */
+
+	/*
+	 * Extract the URL.
+	 */
+	s = p;
+	while (LENGTHOK(s) && BUFLENOK(s) &&
+	       (*s != '\n' && *s != '\r' && *s != '\0' && *s != ' '))
+	{
+		s++;
+	}
+	if (!LENGTHOK(s)) {
+		return (ISC_R_NOTFOUND);
+	}
+	if (!BUFLENOK(s)) {
+		return (ISC_R_NOMEMORY);
+	}
+	*s = 0;
+
+	/*
+	 * Make the URL relative.
+	 */
+	if ((strncmp(p, "http:/", 6) == 0) || (strncmp(p, "https:/", 7) == 0)) {
+		/* Skip first / */
+		while (*p != '/' && *p != 0) {
+			p++;
+		}
+		if (*p == 0) {
+			return (ISC_R_RANGE);
+		}
+		p++;
+		/* Skip second / */
+		while (*p != '/' && *p != 0) {
+			p++;
+		}
+		if (*p == 0) {
+			return (ISC_R_RANGE);
+		}
+		p++;
+		/* Find third / */
+		while (*p != '/' && *p != 0) {
+			p++;
+		}
+		if (*p == 0) {
+			p--;
+			*p = '/';
+		}
+	}
+
+	httpd->url = p;
+	p = s + 1;
+	s = p;
+
+	/*
+	 * Now, see if there is a ? mark in the URL.  If so, this is
+	 * part of the query string, and we will split it from the URL.
+	 */
+	httpd->querystring = strchr(httpd->url, '?');
+	if (httpd->querystring != NULL) {
+		*(httpd->querystring) = 0;
+		httpd->querystring++;
+	}
+
+	/*
+	 * Extract the HTTP/1.X protocol.  We will bounce on anything but
+	 * HTTP/1.0 or HTTP/1.1 for now.
+	 */
+	while (LENGTHOK(s) && BUFLENOK(s) &&
+	       (*s != '\n' && *s != '\r' && *s != '\0'))
+	{
+		s++;
+	}
+	if (!LENGTHOK(s)) {
+		return (ISC_R_NOTFOUND);
+	}
+	if (!BUFLENOK(s)) {
+		return (ISC_R_NOMEMORY);
+	}
+	/*
+	 * Check that we have the expected eol delimiter.
+	 */
+	if (strncmp(s, delim == 1 ? "\n" : "\r\n", delim) != 0) {
+		return (ISC_R_RANGE);
+	}
+	*s = 0;
+	if ((strncmp(p, "HTTP/1.0", 8) != 0) &&
+	    (strncmp(p, "HTTP/1.1", 8) != 0))
+	{
+		return (ISC_R_RANGE);
+	}
+	httpd->protocol = p;
+	p = s + delim; /* skip past eol */
+	s = p;
+
+	httpd->headers = s;
+
+	if (have_header(httpd, "Connection:", "close", ", \t\r\n")) {
+		httpd->flags |= HTTPD_CLOSE;
+	}
+
+	if (have_header(httpd, "Host:", NULL, NULL)) {
+		httpd->flags |= HTTPD_FOUNDHOST;
+	}
+
+	if (strncmp(httpd->protocol, "HTTP/1.0", 8) == 0) {
+		if (have_header(httpd, "Connection:", "Keep-Alive", ", \t\r\n"))
+		{
+			httpd->flags |= HTTPD_KEEPALIVE;
+		} else {
+			httpd->flags |= HTTPD_CLOSE;
+		}
+	}
+
+	/*
+	 * Check for Accept-Encoding:
+	 */
+#ifdef HAVE_ZLIB
+	if (have_header(httpd, "Accept-Encoding:", "deflate", ";, \t\r\n")) {
+		httpd->flags |= HTTPD_ACCEPT_DEFLATE;
+	}
+#endif /* ifdef HAVE_ZLIB */
+
+	/*
+	 * Standards compliance hooks here.
+	 */
+	if (strcmp(httpd->protocol, "HTTP/1.1") == 0 &&
+	    ((httpd->flags & HTTPD_FOUNDHOST) == 0))
+	{
+		return (ISC_R_RANGE);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+isc_httpd_create(isc_httpdmgr_t *httpdmgr, isc_socket_t *sock,
+		 isc_httpd_t **httpdp) {
+	isc_httpd_t *httpd;
+	char *headerdata;
+
+	REQUIRE(VALID_HTTPDMGR(httpdmgr));
+	REQUIRE(httpdp != NULL && *httpdp == NULL);
+
+	httpd = isc_mem_get(httpdmgr->mctx, sizeof(isc_httpd_t));
+
+	*httpd = (isc_httpd_t){ .sock = sock };
+
+	isc_httpdmgr_attach(httpdmgr, &httpd->mgr);
+
+	isc_refcount_init(&httpd->references, 1);
+	ISC_HTTPD_SETRECV(httpd);
+	isc_socket_setname(httpd->sock, "httpd", NULL);
+
+	/*
+	 * Initialize the buffer for our headers.
+	 */
+	headerdata = isc_mem_get(httpdmgr->mctx, HTTP_SENDGROW);
+	isc_buffer_init(&httpd->headerbuffer, headerdata, HTTP_SENDGROW);
+
+	isc_buffer_initnull(&httpd->compbuffer);
+	isc_buffer_initnull(&httpd->bodybuffer);
+	reset_client(httpd);
+
+	ISC_LINK_INIT(httpd, link);
+	ISC_LIST_APPEND(httpdmgr->running, httpd, link);
+
+	httpd->magic = HTTPD_MAGIC;
+
+	*httpdp = httpd;
+}
+
+static void
+isc_httpd_accept(isc_task_t *task, isc_event_t *ev) {
+	isc_httpdmgr_t *httpdmgr = ev->ev_arg;
+	isc_httpd_t *httpd = NULL;
+	isc_region_t r;
+	isc_socket_newconnev_t *nev = (isc_socket_newconnev_t *)ev;
+	isc_sockaddr_t peeraddr;
+
+	REQUIRE(VALID_HTTPDMGR(httpdmgr));
+
+	LOCK(&httpdmgr->lock);
+	if (MSHUTTINGDOWN(httpdmgr)) {
+		goto out;
+	}
+
+	if (nev->result == ISC_R_CANCELED) {
+		goto out;
+	}
+
+	if (nev->result != ISC_R_SUCCESS) {
+		/* XXXMLG log failure */
+		goto requeue;
+	}
+
+	(void)isc_socket_getpeername(nev->newsocket, &peeraddr);
+	if (httpdmgr->client_ok != NULL &&
+	    !(httpdmgr->client_ok)(&peeraddr, httpdmgr->cb_arg))
+	{
+		isc_socket_detach(&nev->newsocket);
+		goto requeue;
+	}
+
+	isc_httpd_create(httpdmgr, nev->newsocket, &httpd);
+
+	r.base = (unsigned char *)httpd->recvbuf;
+	r.length = HTTP_RECVLEN - 1;
+
+	httpd_socket_recv(httpd, &r, task);
+
+requeue:
+	(void)httpdmgr_socket_accept(task, httpdmgr);
+
+out:
+	UNLOCK(&httpdmgr->lock);
+
+	if (httpd != NULL) {
+		maybe_destroy_httpd(httpd);
+	}
+	maybe_destroy_httpdmgr(httpdmgr);
+
+	isc_event_free(&ev);
+}
+
+static isc_result_t
+render_404(const char *url, isc_httpdurl_t *urlinfo, const char *querystring,
+	   const char *headers, void *arg, unsigned int *retcode,
+	   const char **retmsg, const char **mimetype, isc_buffer_t *b,
+	   isc_httpdfree_t **freecb, void **freecb_args) {
+	static char msg[] = "No such URL.\r\n";
+
+	UNUSED(url);
+	UNUSED(urlinfo);
+	UNUSED(querystring);
+	UNUSED(headers);
+	UNUSED(arg);
+
+	*retcode = 404;
+	*retmsg = "No such URL";
+	*mimetype = "text/plain";
+	isc_buffer_reinit(b, msg, strlen(msg));
+	isc_buffer_add(b, strlen(msg));
+	*freecb = NULL;
+	*freecb_args = NULL;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+render_500(const char *url, isc_httpdurl_t *urlinfo, const char *querystring,
+	   const char *headers, void *arg, unsigned int *retcode,
+	   const char **retmsg, const char **mimetype, isc_buffer_t *b,
+	   isc_httpdfree_t **freecb, void **freecb_args) {
+	static char msg[] = "Internal server failure.\r\n";
+
+	UNUSED(url);
+	UNUSED(urlinfo);
+	UNUSED(querystring);
+	UNUSED(headers);
+	UNUSED(arg);
+
+	*retcode = 500;
+	*retmsg = "Internal server failure";
+	*mimetype = "text/plain";
+	isc_buffer_reinit(b, msg, strlen(msg));
+	isc_buffer_add(b, strlen(msg));
+	*freecb = NULL;
+	*freecb_args = NULL;
+
+	return (ISC_R_SUCCESS);
+}
+
+#ifdef HAVE_ZLIB
+/*%<
+ * Reallocates compbuffer to size, does nothing if compbuffer is already
+ * larger than size.
+ *
+ * Requires:
+ *\li	httpd a valid isc_httpd_t object
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		-- all is well.
+ *\li	#ISC_R_NOMEMORY		-- not enough memory to extend buffer
+ */
+static isc_result_t
+alloc_compspace(isc_httpd_t *httpd, unsigned int size) {
+	char *newspace;
+	isc_region_t r;
+
+	isc_buffer_region(&httpd->compbuffer, &r);
+	if (size < r.length) {
+		return (ISC_R_SUCCESS);
+	}
+
+	newspace = isc_mem_get(httpd->mgr->mctx, size);
+	isc_buffer_reinit(&httpd->compbuffer, newspace, size);
+
+	if (r.base != NULL) {
+		isc_mem_put(httpd->mgr->mctx, r.base, r.length);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*%<
+ * Tries to compress httpd->bodybuffer to httpd->compbuffer, extending it
+ * if necessary.
+ *
+ * Requires:
+ *\li	httpd a valid isc_httpd_t object
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS	  -- all is well.
+ *\li	#ISC_R_NOMEMORY	  -- not enough memory to compress data
+ *\li	#ISC_R_FAILURE	  -- error during compression or compressed
+ *			     data would be larger than input data
+ */
+static isc_result_t
+isc_httpd_compress(isc_httpd_t *httpd) {
+	z_stream zstr;
+	isc_region_t r;
+	isc_result_t result;
+	int ret;
+	int inputlen;
+
+	inputlen = isc_buffer_usedlength(&httpd->bodybuffer);
+	result = alloc_compspace(httpd, inputlen);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	isc_buffer_clear(&httpd->compbuffer);
+	isc_buffer_region(&httpd->compbuffer, &r);
+
+	/*
+	 * We're setting output buffer size to input size so it fails if the
+	 * compressed data size would be bigger than the input size.
+	 */
+	memset(&zstr, 0, sizeof(zstr));
+	zstr.total_in = zstr.avail_in = zstr.total_out = zstr.avail_out =
+		inputlen;
+
+	zstr.next_in = isc_buffer_base(&httpd->bodybuffer);
+	zstr.next_out = r.base;
+
+	ret = deflateInit(&zstr, Z_DEFAULT_COMPRESSION);
+	if (ret == Z_OK) {
+		ret = deflate(&zstr, Z_FINISH);
+	}
+	deflateEnd(&zstr);
+	if (ret == Z_STREAM_END) {
+		isc_buffer_add(&httpd->compbuffer, inputlen - zstr.avail_out);
+		return (ISC_R_SUCCESS);
+	} else {
+		return (ISC_R_FAILURE);
+	}
+}
+#endif /* ifdef HAVE_ZLIB */
+
+static void
+isc_httpd_recvdone(isc_task_t *task, isc_event_t *ev) {
+	isc_result_t result;
+	isc_httpd_t *httpd = ev->ev_arg;
+	isc_socketevent_t *sev = (isc_socketevent_t *)ev;
+	isc_buffer_t *databuffer;
+	isc_httpdurl_t *url;
+	isc_time_t now;
+	isc_region_t r;
+	bool is_compressed = false;
+	char datebuf[ISC_FORMATHTTPTIMESTAMP_SIZE];
+
+	REQUIRE(VALID_HTTPD(httpd));
+
+	INSIST(ISC_HTTPD_ISRECV(httpd));
+
+	if (sev->result != ISC_R_SUCCESS) {
+		goto out;
+	}
+
+	result = process_request(httpd, sev->n);
+	if (result == ISC_R_NOTFOUND) {
+		if (httpd->recvlen >= HTTP_RECVLEN - 1) {
+			goto out;
+		}
+		r.base = (unsigned char *)httpd->recvbuf + httpd->recvlen;
+		r.length = HTTP_RECVLEN - httpd->recvlen - 1;
+
+		httpd_socket_recv(httpd, &r, task);
+		goto out;
+	} else if (result != ISC_R_SUCCESS) {
+		goto out;
+	}
+
+	ISC_HTTPD_SETSEND(httpd);
+
+	/*
+	 * XXXMLG Call function here.  Provide an add-header function
+	 * which will append the common headers to a response we generate.
+	 */
+	isc_buffer_initnull(&httpd->bodybuffer);
+	isc_time_now(&now);
+	isc_time_formathttptimestamp(&now, datebuf, sizeof(datebuf));
+	LOCK(&httpd->mgr->lock);
+	url = ISC_LIST_HEAD(httpd->mgr->urls);
+	while (url != NULL) {
+		if (strcmp(httpd->url, url->url) == 0) {
+			break;
+		}
+		url = ISC_LIST_NEXT(url, link);
+	}
+	UNLOCK(&httpd->mgr->lock);
+
+	if (url == NULL) {
+		result = httpd->mgr->render_404(
+			httpd->url, NULL, httpd->querystring, NULL, NULL,
+			&httpd->retcode, &httpd->retmsg, &httpd->mimetype,
+			&httpd->bodybuffer, &httpd->freecb, &httpd->freecb_arg);
+	} else {
+		result = url->action(httpd->url, url, httpd->querystring,
+				     httpd->headers, url->action_arg,
+				     &httpd->retcode, &httpd->retmsg,
+				     &httpd->mimetype, &httpd->bodybuffer,
+				     &httpd->freecb, &httpd->freecb_arg);
+	}
+	if (result != ISC_R_SUCCESS) {
+		result = httpd->mgr->render_500(
+			httpd->url, url, httpd->querystring, NULL, NULL,
+			&httpd->retcode, &httpd->retmsg, &httpd->mimetype,
+			&httpd->bodybuffer, &httpd->freecb, &httpd->freecb_arg);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	}
+
+#ifdef HAVE_ZLIB
+	if ((httpd->flags & HTTPD_ACCEPT_DEFLATE) != 0) {
+		result = isc_httpd_compress(httpd);
+		if (result == ISC_R_SUCCESS) {
+			is_compressed = true;
+		}
+	}
+#endif /* ifdef HAVE_ZLIB */
+
+	isc_httpd_response(httpd);
+	if ((httpd->flags & HTTPD_KEEPALIVE) != 0) {
+		isc_httpd_addheader(httpd, "Connection", "Keep-Alive");
+	}
+	isc_httpd_addheader(httpd, "Content-Type", httpd->mimetype);
+	isc_httpd_addheader(httpd, "Date", datebuf);
+	isc_httpd_addheader(httpd, "Expires", datebuf);
+
+	if (url != NULL && url->isstatic) {
+		char loadbuf[ISC_FORMATHTTPTIMESTAMP_SIZE];
+		isc_time_formathttptimestamp(&url->loadtime, loadbuf,
+					     sizeof(loadbuf));
+		isc_httpd_addheader(httpd, "Last-Modified", loadbuf);
+		isc_httpd_addheader(httpd, "Cache-Control: public", NULL);
+	} else {
+		isc_httpd_addheader(httpd, "Last-Modified", datebuf);
+		isc_httpd_addheader(httpd, "Pragma: no-cache", NULL);
+		isc_httpd_addheader(httpd, "Cache-Control: no-cache", NULL);
+	}
+
+	isc_httpd_addheader(httpd, "Server: libisc", NULL);
+
+	if (is_compressed) {
+		isc_httpd_addheader(httpd, "Content-Encoding", "deflate");
+		isc_httpd_addheaderuint(
+			httpd, "Content-Length",
+			isc_buffer_usedlength(&httpd->compbuffer));
+	} else {
+		isc_httpd_addheaderuint(
+			httpd, "Content-Length",
+			isc_buffer_usedlength(&httpd->bodybuffer));
+	}
+
+	isc_httpd_endheaders(httpd); /* done */
+
+	/*
+	 * Append either the compressed or the non-compressed response body to
+	 * the response headers and store the result in httpd->sendbuffer.
+	 */
+	isc_buffer_dup(httpd->mgr->mctx, &httpd->sendbuffer,
+		       &httpd->headerbuffer);
+	isc_buffer_setautorealloc(httpd->sendbuffer, true);
+	databuffer = (is_compressed ? &httpd->compbuffer : &httpd->bodybuffer);
+	isc_buffer_usedregion(databuffer, &r);
+	result = isc_buffer_copyregion(httpd->sendbuffer, &r);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	/*
+	 * Determine total response size.
+	 */
+	isc_buffer_usedregion(httpd->sendbuffer, &r);
+
+	httpd_socket_send(httpd, &r, task);
+
+out:
+	maybe_destroy_httpd(httpd);
+	isc_event_free(&ev);
+}
+
+void
+isc_httpdmgr_shutdown(isc_httpdmgr_t **httpdmgrp) {
+	isc_httpdmgr_t *httpdmgr;
+	isc_httpd_t *httpd;
+
+	REQUIRE(httpdmgrp != NULL);
+	httpdmgr = *httpdmgrp;
+	*httpdmgrp = NULL;
+	REQUIRE(VALID_HTTPDMGR(httpdmgr));
+
+	LOCK(&httpdmgr->lock);
+
+	MSETSHUTTINGDOWN(httpdmgr);
+
+	isc_socket_cancel(httpdmgr->sock, httpdmgr->task, ISC_SOCKCANCEL_ALL);
+
+	httpd = ISC_LIST_HEAD(httpdmgr->running);
+	while (httpd != NULL) {
+		isc_socket_cancel(httpd->sock, httpdmgr->task,
+				  ISC_SOCKCANCEL_ALL);
+		httpd = ISC_LIST_NEXT(httpd, link);
+	}
+
+	UNLOCK(&httpdmgr->lock);
+
+	maybe_destroy_httpdmgr(httpdmgr);
+}
+
+static isc_result_t
+grow_headerspace(isc_httpd_t *httpd) {
+	char *newspace;
+	unsigned int newlen;
+	isc_region_t r;
+
+	isc_buffer_region(&httpd->headerbuffer, &r);
+	newlen = r.length + HTTP_SENDGROW;
+	if (newlen > HTTP_SEND_MAXLEN) {
+		return (ISC_R_NOSPACE);
+	}
+
+	newspace = isc_mem_get(httpd->mgr->mctx, newlen);
+
+	isc_buffer_reinit(&httpd->headerbuffer, newspace, newlen);
+
+	isc_mem_put(httpd->mgr->mctx, r.base, r.length);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_httpd_response(isc_httpd_t *httpd) {
+	isc_result_t result;
+	unsigned int needlen;
+
+	REQUIRE(VALID_HTTPD(httpd));
+
+	needlen = strlen(httpd->protocol) + 1; /* protocol + space */
+	needlen += 3 + 1; /* room for response code, always 3 bytes */
+	needlen += strlen(httpd->retmsg) + 2; /* return msg + CRLF */
+
+	while (isc_buffer_availablelength(&httpd->headerbuffer) < needlen) {
+		result = grow_headerspace(httpd);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+
+	return (isc_buffer_printf(&httpd->headerbuffer, "%s %03u %s\r\n",
+				  httpd->protocol, httpd->retcode,
+				  httpd->retmsg));
+}
+
+isc_result_t
+isc_httpd_addheader(isc_httpd_t *httpd, const char *name, const char *val) {
+	isc_result_t result;
+	unsigned int needlen;
+
+	REQUIRE(VALID_HTTPD(httpd));
+
+	needlen = strlen(name); /* name itself */
+	if (val != NULL) {
+		needlen += 2 + strlen(val); /* :<space> and val */
+	}
+	needlen += 2; /* CRLF */
+
+	while (isc_buffer_availablelength(&httpd->headerbuffer) < needlen) {
+		result = grow_headerspace(httpd);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+
+	if (val != NULL) {
+		return (isc_buffer_printf(&httpd->headerbuffer, "%s: %s\r\n",
+					  name, val));
+	} else {
+		return (isc_buffer_printf(&httpd->headerbuffer, "%s\r\n",
+					  name));
+	}
+}
+
+isc_result_t
+isc_httpd_endheaders(isc_httpd_t *httpd) {
+	isc_result_t result;
+
+	REQUIRE(VALID_HTTPD(httpd));
+
+	while (isc_buffer_availablelength(&httpd->headerbuffer) < 2) {
+		result = grow_headerspace(httpd);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+
+	return (isc_buffer_printf(&httpd->headerbuffer, "\r\n"));
+}
+
+isc_result_t
+isc_httpd_addheaderuint(isc_httpd_t *httpd, const char *name, int val) {
+	isc_result_t result;
+	unsigned int needlen;
+	char buf[sizeof "18446744073709551616"];
+
+	REQUIRE(VALID_HTTPD(httpd));
+
+	snprintf(buf, sizeof(buf), "%d", val);
+
+	needlen = strlen(name);	    /* name itself */
+	needlen += 2 + strlen(buf); /* :<space> and val */
+	needlen += 2;		    /* CRLF */
+
+	while (isc_buffer_availablelength(&httpd->headerbuffer) < needlen) {
+		result = grow_headerspace(httpd);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+
+	return (isc_buffer_printf(&httpd->headerbuffer, "%s: %s\r\n", name,
+				  buf));
+}
+
+static void
+isc_httpd_senddone(isc_task_t *task, isc_event_t *ev) {
+	isc_httpd_t *httpd = ev->ev_arg;
+	isc_region_t r;
+	isc_socketevent_t *sev = (isc_socketevent_t *)ev;
+
+	REQUIRE(VALID_HTTPD(httpd));
+
+	INSIST(ISC_HTTPD_ISSEND(httpd));
+
+	isc_buffer_free(&httpd->sendbuffer);
+
+	/*
+	 * We will always want to clean up our receive buffer, even if we
+	 * got an error on send or we are shutting down.
+	 *
+	 * We will pass in the buffer only if there is data in it.  If
+	 * there is no data, we will pass in a NULL.
+	 */
+	if (httpd->freecb != NULL) {
+		isc_buffer_t *b = NULL;
+		if (isc_buffer_length(&httpd->bodybuffer) > 0) {
+			b = &httpd->bodybuffer;
+			httpd->freecb(b, httpd->freecb_arg);
+		}
+	}
+
+	if (sev->result != ISC_R_SUCCESS) {
+		goto out;
+	}
+
+	if ((httpd->flags & HTTPD_CLOSE) != 0) {
+		goto out;
+	}
+
+	ISC_HTTPD_SETRECV(httpd);
+
+	reset_client(httpd);
+
+	r.base = (unsigned char *)httpd->recvbuf;
+	r.length = HTTP_RECVLEN - 1;
+
+	httpd_socket_recv(httpd, &r, task);
+
+out:
+	maybe_destroy_httpd(httpd);
+	isc_event_free(&ev);
+}
+
+static void
+reset_client(isc_httpd_t *httpd) {
+	/*
+	 * Catch errors here.  We MUST be in RECV mode, and we MUST NOT have
+	 * any outstanding buffers.  If we have buffers, we have a leak.
+	 */
+	INSIST(ISC_HTTPD_ISRECV(httpd));
+	INSIST(!ISC_LINK_LINKED(&httpd->headerbuffer, link));
+	INSIST(!ISC_LINK_LINKED(&httpd->bodybuffer, link));
+
+	httpd->recvbuf[0] = 0;
+	httpd->recvlen = 0;
+	httpd->headers = NULL;
+	httpd->method = ISC_HTTPD_METHODUNKNOWN;
+	httpd->url = NULL;
+	httpd->querystring = NULL;
+	httpd->protocol = NULL;
+	httpd->flags = 0;
+
+	isc_buffer_clear(&httpd->headerbuffer);
+	isc_buffer_clear(&httpd->compbuffer);
+	isc_buffer_invalidate(&httpd->bodybuffer);
+}
+
+isc_result_t
+isc_httpdmgr_addurl(isc_httpdmgr_t *httpdmgr, const char *url,
+		    isc_httpdaction_t *func, void *arg) {
+	/* REQUIRE(VALID_HTTPDMGR(httpdmgr)); Dummy function */
+
+	return (isc_httpdmgr_addurl2(httpdmgr, url, false, func, arg));
+}
+
+isc_result_t
+isc_httpdmgr_addurl2(isc_httpdmgr_t *httpdmgr, const char *url, bool isstatic,
+		     isc_httpdaction_t *func, void *arg) {
+	isc_httpdurl_t *item;
+
+	REQUIRE(VALID_HTTPDMGR(httpdmgr));
+
+	if (url == NULL) {
+		httpdmgr->render_404 = func;
+		return (ISC_R_SUCCESS);
+	}
+
+	item = isc_mem_get(httpdmgr->mctx, sizeof(isc_httpdurl_t));
+
+	item->url = isc_mem_strdup(httpdmgr->mctx, url);
+
+	item->action = func;
+	item->action_arg = arg;
+	item->isstatic = isstatic;
+	isc_time_now(&item->loadtime);
+
+	ISC_LINK_INIT(item, link);
+
+	LOCK(&httpdmgr->lock);
+	ISC_LIST_APPEND(httpdmgr->urls, item, link);
+	UNLOCK(&httpdmgr->lock);
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_httpd_setfinishhook(void (*fn)(void)) {
+#if ENABLE_AFL
+	finishhook = fn;
+#else  /* ENABLE_AFL */
+	UNUSED(fn);
+#endif /* ENABLE_AFL */
+}
diff --git a/lib/isc/include/.clang-format b/lib/isc/include/.clang-format
new file mode 120000
index 0000000..0e62f72
--- /dev/null
+++ b/lib/isc/include/.clang-format
@@ -0,0 +1 @@
+../../../.clang-format.headers
\ No newline at end of file
diff --git a/lib/isc/include/Makefile.in b/lib/isc/include/Makefile.in
new file mode 100644
index 0000000..b052e73
--- /dev/null
+++ b/lib/isc/include/Makefile.in
@@ -0,0 +1,19 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	isc pk11 pkcs11
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/isc/include/isc/Makefile.in b/lib/isc/include/isc/Makefile.in
new file mode 100644
index 0000000..a42c9e0
--- /dev/null
+++ b/lib/isc/include/isc/Makefile.in
@@ -0,0 +1,63 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+#
+# Only list headers that are to be installed and are not
+# machine generated.  The latter are handled specially in the
+# install target below.
+#
+HEADERS =	aes.h app.h assertions.h astack.h atomic.h backtrace.h \
+		barrier.h base32.h base64.h bind9.h buffer.h bufferlist.h \
+		cmocka.h commandline.h counter.h crc64.h deprecated.h \
+		endian.h errno.h error.h event.h eventclass.h \
+		file.h formatcheck.h fsaccess.h fuzz.h \
+		hash.h heap.h hex.h hmac.h ht.h httpd.h \
+		interfaceiter.h iterated_hash.h \
+		lang.h lex.h lfsr.h lib.h likely.h list.h log.h \
+		magic.h managers.h md.h mem.h meminfo.h \
+		mutexblock.h \
+		netaddr.h netmgr.h netscope.h nonce.h os.h parseint.h \
+		pool.h portset.h print.h quota.h \
+		radix.h random.h ratelimiter.h refcount.h regex.h \
+		region.h resource.h result.h resultclass.h rwlock.h \
+		safe.h serial.h siphash.h sockaddr.h socket.h \
+		stats.h stdio.h strerr.h string.h symtab.h \
+		task.h taskpool.h timer.h tm.h types.h \
+		url.h utf8.h util.h version.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isc
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/isc || exit 1; \
+	done
+	${INSTALL_DATA} platform.h ${DESTDIR}${includedir}/isc
+
+uninstall::
+	rm -f ${DESTDIR}${includedir}/isc/platform.h
+	for i in ${HEADERS}; do \
+		rm -f ${DESTDIR}${includedir}/isc/$$i || exit 1; \
+	done
+
+distclean::
+	rm -f platform.h
diff --git a/lib/isc/include/isc/aes.h b/lib/isc/include/isc/aes.h
new file mode 100644
index 0000000..00449b5
--- /dev/null
+++ b/lib/isc/include/isc/aes.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file isc/aes.h */
+
+#ifndef ISC_AES_H
+#define ISC_AES_H 1
+
+#include <isc/lang.h>
+#include <isc/platform.h>
+#include <isc/types.h>
+
+#define ISC_AES128_KEYLENGTH 16U
+#define ISC_AES192_KEYLENGTH 24U
+#define ISC_AES256_KEYLENGTH 32U
+#define ISC_AES_BLOCK_LENGTH 16U
+
+ISC_LANG_BEGINDECLS
+
+void
+isc_aes128_crypt(const unsigned char *key, const unsigned char *in,
+		 unsigned char *out);
+
+void
+isc_aes192_crypt(const unsigned char *key, const unsigned char *in,
+		 unsigned char *out);
+
+void
+isc_aes256_crypt(const unsigned char *key, const unsigned char *in,
+		 unsigned char *out);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_AES_H */
diff --git a/lib/isc/include/isc/app.h b/lib/isc/include/isc/app.h
new file mode 100644
index 0000000..9e8140b
--- /dev/null
+++ b/lib/isc/include/isc/app.h
@@ -0,0 +1,283 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_APP_H
+#define ISC_APP_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file isc/app.h
+ * \brief ISC Application Support
+ *
+ * Dealing with program termination can be difficult, especially in a
+ * multithreaded program.  The routines in this module help coordinate
+ * the shutdown process.  They are used as follows by the initial (main)
+ * thread of the application:
+ *
+ *\li		isc_app_start();	Call very early in main(), before
+ *					any other threads have been created.
+ *
+ *\li		isc_app_run();		This will post any on-run events,
+ *					and then block until application
+ *					shutdown is requested.  A shutdown
+ *					request is made by calling
+ *					isc_app_shutdown(), or by sending
+ *					SIGINT or SIGTERM to the process.
+ *					After isc_app_run() returns, the
+ *					application should shutdown itself.
+ *
+ *\li		isc_app_finish();	Call very late in main().
+ *
+ * Applications that want to use SIGHUP/isc_app_reload() to trigger reloading
+ * should check the result of isc_app_run() and call the reload routine if
+ * the result is ISC_R_RELOAD.  They should then call isc_app_run() again
+ * to resume waiting for reload or termination.
+ *
+ * Use of this module is not required.  In particular, isc_app_start() is
+ * NOT an ISC library initialization routine.
+ *
+ * This module also supports per-thread 'application contexts'.  With this
+ * mode, a thread-based application will have a separate context, in which
+ * it uses other ISC library services such as tasks or timers.  Signals are
+ * not caught in this mode, so that the application can handle the signals
+ * in its preferred way.
+ *
+ * \li MP:
+ *	Clients must ensure that isc_app_start(), isc_app_run(), and
+ *	isc_app_finish() are called at most once.  isc_app_shutdown()
+ *	is safe to use by any thread (provided isc_app_start() has been
+ *	called previously).
+ *
+ *	The same note applies to isc_app_ctxXXX() functions, but in this case
+ *	it's a per-thread restriction.  For example, a thread with an
+ *	application context must ensure that isc_app_ctxstart() with the
+ *	context is called at most once.
+ *
+ * \li Reliability:
+ *	No anticipated impact.
+ *
+ * \li Resources:
+ *	None.
+ *
+ * \li Security:
+ *	No anticipated impact.
+ *
+ * \li Standards:
+ *	None.
+ */
+
+#include <stdbool.h>
+
+#include <isc/eventclass.h>
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/result.h>
+
+/***
+ *** Types
+ ***/
+
+typedef isc_event_t isc_appevent_t;
+
+#define ISC_APPEVENT_FIRSTEVENT (ISC_EVENTCLASS_APP + 0)
+#define ISC_APPEVENT_SHUTDOWN	(ISC_EVENTCLASS_APP + 1)
+#define ISC_APPEVENT_LASTEVENT	(ISC_EVENTCLASS_APP + 65535)
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_app_ctxstart(isc_appctx_t *ctx);
+
+isc_result_t
+isc_app_start(void);
+/*!<
+ * \brief Start an ISC library application.
+ *
+ * Notes:
+ *	This call should be made before any other ISC library call, and as
+ *	close to the beginning of the application as possible.
+ *
+ * Requires:
+ *\li	'ctx' is a valid application context (for app_ctxstart()).
+ */
+
+isc_result_t
+isc_app_ctxonrun(isc_appctx_t *ctx, isc_mem_t *mctx, isc_task_t *task,
+		 isc_taskaction_t action, void *arg);
+isc_result_t
+isc_app_onrun(isc_mem_t *mctx, isc_task_t *task, isc_taskaction_t action,
+	      void *arg);
+/*!<
+ * \brief Request delivery of an event when the application is run.
+ *
+ * Requires:
+ *\li	isc_app_start() has been called.
+ *\li	'ctx' is a valid application context (for app_ctxonrun()).
+ *
+ * Returns:
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMEMORY
+ */
+
+isc_result_t
+isc_app_ctxrun(isc_appctx_t *ctx);
+
+isc_result_t
+isc_app_run(void);
+/*!<
+ * \brief Run an ISC library application.
+ *
+ * Notes:
+ *\li	The caller (typically the initial thread of an application) will
+ *	block until shutdown is requested.  When the call returns, the
+ *	caller should start shutting down the application.
+ *
+ * Requires:
+ *\li	isc_app_[ctx]start() has been called.
+ *
+ * Ensures:
+ *\li	Any events requested via isc_app_onrun() will have been posted (in
+ *	FIFO order) before isc_app_run() blocks.
+ *\li	'ctx' is a valid application context (for app_ctxrun()).
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS			Shutdown has been requested.
+ *\li	ISC_R_RELOAD			Reload has been requested.
+ */
+
+bool
+isc_app_isrunning(void);
+/*!<
+ * \brief Return if the ISC library application is running.
+ *
+ * Returns:
+ *\li	true    App is running.
+ *\li	false   App is not running.
+ */
+
+void
+isc_app_ctxshutdown(isc_appctx_t *ctx);
+
+void
+isc_app_shutdown(void);
+/*!<
+ * \brief Request application shutdown.
+ *
+ * Notes:
+ *\li	It is safe to call isc_app_shutdown() multiple times.  Shutdown will
+ *	only be triggered once.
+ *
+ * Requires:
+ *\li	isc_app_[ctx]run() has been called.
+ *\li	'ctx' is a valid application context (for app_ctxshutdown()).
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_UNEXPECTED
+ */
+
+void
+isc_app_ctxsuspend(isc_appctx_t *ctx);
+/*!<
+ * \brief This has the same behavior as isc_app_ctxsuspend().
+ */
+
+void
+isc_app_reload(void);
+/*!<
+ * \brief Request application reload.
+ *
+ * Requires:
+ *\li	isc_app_run() has been called.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_UNEXPECTED
+ */
+
+void
+isc_app_ctxfinish(isc_appctx_t *ctx);
+
+void
+isc_app_finish(void);
+/*!<
+ * \brief Finish an ISC library application.
+ *
+ * Notes:
+ *\li	This call should be made at or near the end of main().
+ *
+ * Requires:
+ *\li	isc_app_start() has been called.
+ *\li	'ctx' is a valid application context (for app_ctxfinish()).
+ *
+ * Ensures:
+ *\li	Any resources allocated by isc_app_start() have been released.
+ */
+
+void
+isc_app_block(void);
+/*!<
+ * \brief Indicate that a blocking operation will be performed.
+ *
+ * Notes:
+ *\li	If a blocking operation is in process, a call to isc_app_shutdown()
+ *	or an external signal will abort the program, rather than allowing
+ *	clean shutdown.  This is primarily useful for reading user input.
+ *
+ * Requires:
+ * \li	isc_app_start() has been called.
+ * \li	No other blocking operations are in progress.
+ */
+
+void
+isc_app_unblock(void);
+/*!<
+ * \brief Indicate that a blocking operation is complete.
+ *
+ * Notes:
+ * \li	When a blocking operation has completed, return the program to a
+ * 	state where a call to isc_app_shutdown() or an external signal will
+ * 	shutdown normally.
+ *
+ * Requires:
+ * \li	isc_app_start() has been called.
+ * \li	isc_app_block() has been called by the same thread.
+ */
+
+isc_result_t
+isc_appctx_create(isc_mem_t *mctx, isc_appctx_t **ctxp);
+/*!<
+ * \brief Create an application context.
+ *
+ * Requires:
+ *\li	'mctx' is a valid memory context.
+ *\li	'ctxp' != NULL && *ctxp == NULL.
+ */
+
+void
+isc_appctx_destroy(isc_appctx_t **ctxp);
+/*!<
+ * \brief Destroy an application context.
+ *
+ * Requires:
+ *\li	'*ctxp' is a valid application context.
+ *
+ * Ensures:
+ *\li	*ctxp == NULL.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_APP_H */
diff --git a/lib/isc/include/isc/assertions.h b/lib/isc/include/isc/assertions.h
new file mode 100644
index 0000000..e68adfa
--- /dev/null
+++ b/lib/isc/include/isc/assertions.h
@@ -0,0 +1,79 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file isc/assertions.h
+ */
+
+#ifndef ISC_ASSERTIONS_H
+#define ISC_ASSERTIONS_H 1
+
+#include <isc/lang.h>
+#include <isc/likely.h>
+#include <isc/platform.h>
+
+ISC_LANG_BEGINDECLS
+
+/*% isc assertion type */
+typedef enum {
+	isc_assertiontype_require,
+	isc_assertiontype_ensure,
+	isc_assertiontype_insist,
+	isc_assertiontype_invariant
+} isc_assertiontype_t;
+
+typedef void (*isc_assertioncallback_t)(const char *, int, isc_assertiontype_t,
+					const char *);
+
+/* coverity[+kill] */
+ISC_PLATFORM_NORETURN_PRE
+void
+isc_assertion_failed(const char *, int, isc_assertiontype_t,
+		     const char *) ISC_PLATFORM_NORETURN_POST;
+
+void isc_assertion_setcallback(isc_assertioncallback_t);
+
+const char *
+isc_assertion_typetotext(isc_assertiontype_t type);
+
+#define ISC_REQUIRE(cond)                                                  \
+	((void)(ISC_LIKELY(cond) ||                                        \
+		((isc_assertion_failed)(__FILE__, __LINE__,                \
+					isc_assertiontype_require, #cond), \
+		 0)))
+
+#define ISC_ENSURE(cond)                                                  \
+	((void)(ISC_LIKELY(cond) ||                                       \
+		((isc_assertion_failed)(__FILE__, __LINE__,               \
+					isc_assertiontype_ensure, #cond), \
+		 0)))
+
+#define ISC_INSIST(cond)                                                  \
+	((void)(ISC_LIKELY(cond) ||                                       \
+		((isc_assertion_failed)(__FILE__, __LINE__,               \
+					isc_assertiontype_insist, #cond), \
+		 0)))
+
+#define ISC_INVARIANT(cond)                                                  \
+	((void)(ISC_LIKELY(cond) ||                                          \
+		((isc_assertion_failed)(__FILE__, __LINE__,                  \
+					isc_assertiontype_invariant, #cond), \
+		 0)))
+
+#define ISC_UNREACHABLE()                                                   \
+	(isc_assertion_failed(__FILE__, __LINE__, isc_assertiontype_insist, \
+			      "unreachable"),                               \
+	 __builtin_unreachable())
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_ASSERTIONS_H */
diff --git a/lib/isc/include/isc/astack.h b/lib/isc/include/isc/astack.h
new file mode 100644
index 0000000..a4f6762
--- /dev/null
+++ b/lib/isc/include/isc/astack.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#pragma once
+
+#include <inttypes.h>
+
+#include <isc/mem.h>
+#include <isc/types.h>
+
+isc_astack_t *
+isc_astack_new(isc_mem_t *mctx, size_t size);
+/*%<
+ * Allocate and initialize a new array stack of size 'size'.
+ */
+
+void
+isc_astack_destroy(isc_astack_t *stack);
+/*%<
+ * Free an array stack 'stack'.
+ *
+ * Requires:
+ * \li	'stack' is empty.
+ */
+
+bool
+isc_astack_trypush(isc_astack_t *stack, void *obj);
+/*%<
+ * Try to push 'obj' onto array stack 'astack'. On failure, either
+ * because the stack size limit has been reached or because another
+ * thread has already changed the stack pointer, return 'false'.
+ */
+
+void *
+isc_astack_pop(isc_astack_t *stack);
+/*%<
+ * Pop an object off of array stack 'stack'. If the stack is empty,
+ * return NULL.
+ */
diff --git a/lib/isc/include/isc/atomic.h b/lib/isc/include/isc/atomic.h
new file mode 100644
index 0000000..fd29202
--- /dev/null
+++ b/lib/isc/include/isc/atomic.h
@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#pragma once
+
+#if HAVE_STDATOMIC_H
+#include <stdatomic.h>
+#else /* if HAVE_STDATOMIC_H */
+#include <isc/stdatomic.h>
+#endif /* if HAVE_STDATOMIC_H */
+
+/*
+ * We define a few additional macros to make things easier
+ */
+
+/* Relaxed Memory Ordering */
+
+#define atomic_store_relaxed(o, v) \
+	atomic_store_explicit((o), (v), memory_order_relaxed)
+#define atomic_load_relaxed(o) atomic_load_explicit((o), memory_order_relaxed)
+#define atomic_fetch_add_relaxed(o, v) \
+	atomic_fetch_add_explicit((o), (v), memory_order_relaxed)
+#define atomic_fetch_sub_relaxed(o, v) \
+	atomic_fetch_sub_explicit((o), (v), memory_order_relaxed)
+#define atomic_fetch_or_relaxed(o, v) \
+	atomic_fetch_or_explicit((o), (v), memory_order_relaxed)
+#define atomic_fetch_and_relaxed(o, v) \
+	atomic_fetch_and_explicit((o), (v), memory_order_relaxed)
+#define atomic_exchange_relaxed(o, v) \
+	atomic_exchange_explicit((o), (v), memory_order_relaxed)
+#define atomic_compare_exchange_weak_relaxed(o, e, d) \
+	atomic_compare_exchange_weak_explicit(        \
+		(o), (e), (d), memory_order_relaxed, memory_order_relaxed)
+#define atomic_compare_exchange_strong_relaxed(o, e, d) \
+	atomic_compare_exchange_strong_explicit(        \
+		(o), (e), (d), memory_order_relaxed, memory_order_relaxed)
+#define atomic_compare_exchange_strong_acq_rel(o, e, d) \
+	atomic_compare_exchange_strong_explicit(        \
+		(o), (e), (d), memory_order_acq_rel, memory_order_acquire)
+
+/* Acquire-Release Memory Ordering */
+
+#define atomic_store_release(o, v) \
+	atomic_store_explicit((o), (v), memory_order_release)
+#define atomic_load_acquire(o) atomic_load_explicit((o), memory_order_acquire)
+#define atomic_fetch_add_release(o, v) \
+	atomic_fetch_add_explicit((o), (v), memory_order_release)
+#define atomic_fetch_sub_release(o, v) \
+	atomic_fetch_sub_explicit((o), (v), memory_order_release)
+#define atomic_fetch_and_release(o, v) \
+	atomic_fetch_and_explicit((o), (v), memory_order_release)
+#define atomic_fetch_or_release(o, v) \
+	atomic_fetch_or_explicit((o), (v), memory_order_release)
+#define atomic_exchange_acq_rel(o, v) \
+	atomic_exchange_explicit((o), (v), memory_order_acq_rel)
+#define atomic_fetch_sub_acq_rel(o, v) \
+	atomic_fetch_sub_explicit((o), (v), memory_order_acq_rel)
+#define atomic_compare_exchange_weak_acq_rel(o, e, d) \
+	atomic_compare_exchange_weak_explicit(        \
+		(o), (e), (d), memory_order_acq_rel, memory_order_acquire)
+#define atomic_compare_exchange_strong_acq_rel(o, e, d) \
+	atomic_compare_exchange_strong_explicit(        \
+		(o), (e), (d), memory_order_acq_rel, memory_order_acquire)
diff --git a/lib/isc/include/isc/backtrace.h b/lib/isc/include/isc/backtrace.h
new file mode 100644
index 0000000..d32748a
--- /dev/null
+++ b/lib/isc/include/isc/backtrace.h
@@ -0,0 +1,127 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file isc/backtrace.h
+ * \brief provide a back trace of the running process to help debug problems.
+ *
+ * This module tries to get a back trace of the process using some platform
+ * dependent way when available.  It also manages an internal symbol table
+ * that maps function addresses used in the process to their textual symbols.
+ * This module is expected to be used to help debug when some fatal error
+ * happens.
+ *
+ * IMPORTANT NOTE: since the (major) intended use case of this module is
+ * dumping a back trace on a fatal error, normally followed by self termination,
+ * functions defined in this module generally doesn't employ assertion checks
+ * (if it did, a program bug could cause infinite recursive calls to a
+ * backtrace function).  These functions still perform minimal checks and return
+ * ISC_R_FAILURE if they detect an error, but the caller should therefore be
+ * very careful about the use of these functions, and generally discouraged to
+ * use them except in an exit path.  The exception is
+ * isc_backtrace_getsymbolfromindex(), which is expected to be used in a
+ * non-error-handling context and validates arguments with assertion checks.
+ */
+
+#ifndef ISC_BACKTRACE_H
+#define ISC_BACKTRACE_H 1
+
+/***
+ ***	Imports
+ ***/
+
+#include <isc/types.h>
+
+/***
+ *** Types
+ ***/
+struct isc_backtrace_symmap {
+	void	   *addr;
+	const char *symbol;
+};
+
+LIBISC_EXTERNAL_DATA extern const int isc__backtrace_nsymbols;
+LIBISC_EXTERNAL_DATA extern const isc_backtrace_symmap_t
+	isc__backtrace_symtable[];
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+isc_result_t
+isc_backtrace_gettrace(void **addrs, int maxaddrs, int *nframes);
+/*%<
+ * Get a back trace of the running process above this function itself.  On
+ * success, addrs[i] will store the address of the call point of the i-th
+ * stack frame (addrs[0] is the caller of this function).  *nframes will store
+ * the total number of frames.
+ *
+ * Requires (note that these are not ensured by assertion checks, see above):
+ *
+ *\li	'addrs' is a valid array containing at least 'maxaddrs' void * entries.
+ *
+ *\li	'nframes' must be non NULL.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_FAILURE
+ *\li	#ISC_R_NOTFOUND
+ *\li	#ISC_R_NOTIMPLEMENTED
+ */
+
+isc_result_t
+isc_backtrace_getsymbolfromindex(int index, const void **addrp,
+				 const char **symbolp);
+/*%<
+ * Returns the content of the internal symbol table of the given index.
+ * On success, *addrsp and *symbolp point to the address and the symbol of
+ * the 'index'th entry of the table, respectively.  If 'index' is not in the
+ * range of the symbol table, ISC_R_RANGE will be returned.
+ *
+ * Requires
+ *
+ *\li	'addrp' must be non NULL && '*addrp' == NULL.
+ *
+ *\li	'symbolp' must be non NULL && '*symbolp' == NULL.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_RANGE
+ */
+
+isc_result_t
+isc_backtrace_getsymbol(const void *addr, const char **symbolp,
+			unsigned long *offsetp);
+/*%<
+ * Searches the internal symbol table for the symbol that most matches the
+ * given 'addr'.  On success, '*symbolp' will point to the name of function
+ * to which the address 'addr' belong, and '*offsetp' will store the offset
+ * from the function's entry address to 'addr'.
+ *
+ * Requires (note that these are not ensured by assertion checks, see above):
+ *
+ *\li	'symbolp' must be non NULL && '*symbolp' == NULL.
+ *
+ *\li	'offsetp' must be non NULL.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_FAILURE
+ *\li	#ISC_R_NOTFOUND
+ */
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_BACKTRACE_H */
diff --git a/lib/isc/include/isc/barrier.h b/lib/isc/include/isc/barrier.h
new file mode 100644
index 0000000..1a2a90b
--- /dev/null
+++ b/lib/isc/include/isc/barrier.h
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#pragma once
+
+#include <isc/util.h>
+
+#if __SANITIZE_THREAD__ && !defined(WIN32)
+
+#include <pthread.h>
+
+#define isc_barrier_t pthread_barrier_t
+
+#define isc_barrier_init(barrier, count) \
+	pthread_barrier_init(barrier, NULL, count)
+#define isc_barrier_destroy(barrier) pthread_barrier_destroy(barrier)
+#define isc_barrier_wait(barrier)    pthread_barrier_wait(barrier)
+
+#else
+
+#include <uv.h>
+
+#define isc_barrier_t uv_barrier_t
+
+#define isc_barrier_init(barrier, count) uv_barrier_init(barrier, count)
+#define isc_barrier_destroy(barrier)	 uv_barrier_destroy(barrier)
+#define isc_barrier_wait(barrier)	 uv_barrier_wait(barrier)
+
+#endif /* __SANITIZE_THREAD__ */
diff --git a/lib/isc/include/isc/base32.h b/lib/isc/include/isc/base32.h
new file mode 100644
index 0000000..befe047
--- /dev/null
+++ b/lib/isc/include/isc/base32.h
@@ -0,0 +1,146 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_BASE32_H
+#define ISC_BASE32_H 1
+
+/*! \file */
+
+/*
+ * Routines for manipulating base 32 and base 32 hex encoded data.
+ * Based on RFC 4648.
+ *
+ * Base 32 hex preserves the sort order of data when it is encoded /
+ * decoded.
+ *
+ * Base 32 hex "np" is base 32 hex but no padding is produced or accepted.
+ */
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t
+isc_base32_totext(isc_region_t *source, int wordlength, const char *wordbreak,
+		  isc_buffer_t *target);
+isc_result_t
+isc_base32hex_totext(isc_region_t *source, int wordlength,
+		     const char *wordbreak, isc_buffer_t *target);
+isc_result_t
+isc_base32hexnp_totext(isc_region_t *source, int wordlength,
+		       const char *wordbreak, isc_buffer_t *target);
+/*!<
+ * \brief Convert data into base32 encoded text.
+ *
+ * Notes:
+ *\li	The base32 encoded text in 'target' will be divided into
+ *	words of at most 'wordlength' characters, separated by
+ * 	the 'wordbreak' string.  No parentheses will surround
+ *	the text.
+ *
+ * Requires:
+ *\li	'source' is a region containing binary data
+ *\li	'target' is a text buffer containing available space
+ *\li	'wordbreak' points to a null-terminated string of
+ *		zero or more whitespace characters
+ *
+ * Ensures:
+ *\li	target will contain the base32 encoded version of the data
+ *	in source.  The 'used' pointer in target will be advanced as
+ *	necessary.
+ */
+
+isc_result_t
+isc_base32_decodestring(const char *cstr, isc_buffer_t *target);
+isc_result_t
+isc_base32hex_decodestring(const char *cstr, isc_buffer_t *target);
+isc_result_t
+isc_base32hexnp_decodestring(const char *cstr, isc_buffer_t *target);
+/*!<
+ * \brief Decode a null-terminated string in base32, base32hex, or
+ * base32hex non-padded.
+ *
+ * Requires:
+ *\li	'cstr' is non-null.
+ *\li	'target' is a valid buffer.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS	-- the entire decoded representation of 'cstring'
+ *			   fit in 'target'.
+ *\li	#ISC_R_BADBASE32 -- 'cstr' is not a valid base32 encoding.
+ *
+ * 	Other error returns are any possible error code from:
+ *\li		isc_lex_create(),
+ *\li		isc_lex_openbuffer(),
+ *\li		isc_base32_tobuffer().
+ */
+
+isc_result_t
+isc_base32_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length);
+isc_result_t
+isc_base32hex_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length);
+isc_result_t
+isc_base32hexnp_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length);
+/*!<
+ * \brief Convert text encoded in base32, base32hex, or base32hex
+ * non-padded from a lexer context into `target`. If 'length' is
+ * non-negative, it is the expected number of encoded octets to convert.
+ *
+ * If 'length' is -1 then 0 or more encoded octets are expected.
+ * If 'length' is -2 then 1 or more encoded octets are expected.
+ *
+ * Returns:
+ *\li	#ISC_R_BADBASE32 -- invalid base32 encoding.
+ *\li	#ISC_R_UNEXPECTEDEND: the text does not contain the expected
+ *			      number of encoded octets.
+ *
+ * Requires:
+ *\li	'lexer' is a valid lexer context
+ *\li	'target' is a buffer containing binary data
+ *\li	'length' is -2, -1, or non-negative
+ *
+ * Ensures:
+ *\li	target will contain the data represented by the base32 encoded
+ *	string parsed by the lexer.  No more than `length` octets will
+ *	be read, if `length` is non-negative.  The 'used' pointer in
+ *	'target' will be advanced as necessary.
+ */
+
+isc_result_t
+isc_base32_decoderegion(isc_region_t *source, isc_buffer_t *target);
+isc_result_t
+isc_base32hex_decoderegion(isc_region_t *source, isc_buffer_t *target);
+isc_result_t
+isc_base32hexnp_decoderegion(isc_region_t *source, isc_buffer_t *target);
+/*!<
+ * \brief Decode a packed (no white space permitted) region in
+ * base32, base32hex or base32hex non-padded.
+ *
+ * Requires:
+ *\li   'source' is a valid region.
+ *\li   'target' is a valid buffer.
+ *
+ * Returns:
+ *\li   #ISC_R_SUCCESS  -- the entire decoded representation of 'cstring'
+ *                         fit in 'target'.
+ *\li   #ISC_R_BADBASE32 -- 'source' is not a valid base32 encoding.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_BASE32_H */
diff --git a/lib/isc/include/isc/base64.h b/lib/isc/include/isc/base64.h
new file mode 100644
index 0000000..057eabb
--- /dev/null
+++ b/lib/isc/include/isc/base64.h
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_BASE64_H
+#define ISC_BASE64_H 1
+
+/*! \file isc/base64.h */
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t
+isc_base64_totext(isc_region_t *source, int wordlength, const char *wordbreak,
+		  isc_buffer_t *target);
+/*!<
+ * \brief Convert data into base64 encoded text.
+ *
+ * Notes:
+ *\li	The base64 encoded text in 'target' will be divided into
+ *	words of at most 'wordlength' characters, separated by
+ * 	the 'wordbreak' string.  No parentheses will surround
+ *	the text.
+ *
+ * Requires:
+ *\li	'source' is a region containing binary data
+ *\li	'target' is a text buffer containing available space
+ *\li	'wordbreak' points to a null-terminated string of
+ *		zero or more whitespace characters
+ *
+ * Ensures:
+ *\li	target will contain the base64 encoded version of the data
+ *	in source.  The 'used' pointer in target will be advanced as
+ *	necessary.
+ */
+
+isc_result_t
+isc_base64_decodestring(const char *cstr, isc_buffer_t *target);
+/*!<
+ * \brief Decode a null-terminated base64 string.
+ *
+ * Requires:
+ *\li	'cstr' is non-null.
+ *\li	'target' is a valid buffer.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS	-- the entire decoded representation of 'cstring'
+ *			   fit in 'target'.
+ *\li	#ISC_R_BADBASE64 -- 'cstr' is not a valid base64 encoding.
+ *
+ * 	Other error returns are any possible error code from:
+ *\li		isc_lex_create(),
+ *\li		isc_lex_openbuffer(),
+ *\li		isc_base64_tobuffer().
+ */
+
+isc_result_t
+isc_base64_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length);
+/*!<
+ * \brief Convert base64 encoded text from a lexer context into
+ * `target`. If 'length' is non-negative, it is the expected number of
+ * encoded octets to convert.
+ *
+ * If 'length' is -1 then 0 or more encoded octets are expected.
+ * If 'length' is -2 then 1 or more encoded octets are expected.
+ *
+ * Returns:
+ *\li	#ISC_R_BADBASE64 -- invalid base64 encoding.
+ *\li	#ISC_R_UNEXPECTEDEND: the text does not contain the expected
+ *			      number of encoded octets.
+ *
+ * Requires:
+ *\li	'lexer' is a valid lexer context
+ *\li	'target' is a buffer containing binary data
+ *\li	'length' is -2, -1, or non-negative
+ *
+ * Ensures:
+ *\li	target will contain the data represented by the base64 encoded
+ *	string parsed by the lexer.  No more than `length` octets will
+ *	be read, if `length` is non-negative.  The 'used' pointer in
+ *	'target' will be advanced as necessary.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_BASE64_H */
diff --git a/lib/isc/include/isc/bind9.h b/lib/isc/include/isc/bind9.h
new file mode 100644
index 0000000..3c25a76
--- /dev/null
+++ b/lib/isc/include/isc/bind9.h
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_BIND9_H
+#define ISC_BIND9_H 1
+
+#include <stdbool.h>
+
+#include <isc/platform.h>
+
+/*
+ * This determines whether we are using the libisc/libdns libraries
+ * in BIND9 or in some other application.  For BIND9 (named and related
+ * tools) it must be set to true at runtime.  Export library clients
+ * will call isc_lib_register(), which will set it to false.
+ */
+LIBISC_EXTERNAL_DATA extern bool isc_bind9;
+
+#endif /* ISC_BIND9_H */
diff --git a/lib/isc/include/isc/buffer.h b/lib/isc/include/isc/buffer.h
new file mode 100644
index 0000000..f3becae
--- /dev/null
+++ b/lib/isc/include/isc/buffer.h
@@ -0,0 +1,1103 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_BUFFER_H
+#define ISC_BUFFER_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file isc/buffer.h
+ *
+ * \brief A buffer is a region of memory, together with a set of related
+ * subregions. Buffers are used for parsing and I/O operations.
+ *
+ * The 'used region' and the 'available region' are disjoint, and their
+ * union is the buffer's region.  The used region extends from the beginning
+ * of the buffer region to the last used byte.  The available region
+ * extends from one byte greater than the last used byte to the end of the
+ * buffer's region.  The size of the used region can be changed using various
+ * buffer commands.  Initially, the used region is empty.
+ *
+ * The used region is further subdivided into two disjoint regions: the
+ * 'consumed region' and the 'remaining region'.  The union of these two
+ * regions is the used region.  The consumed region extends from the beginning
+ * of the used region to the byte before the 'current' offset (if any).  The
+ * 'remaining' region extends from the current offset to the end of the used
+ * region.  The size of the consumed region can be changed using various
+ * buffer commands.  Initially, the consumed region is empty.
+ *
+ * The 'active region' is an (optional) subregion of the remaining region.
+ * It extends from the current offset to an offset in the remaining region
+ * that is selected with isc_buffer_setactive().  Initially, the active region
+ * is empty.  If the current offset advances beyond the chosen offset, the
+ * active region will also be empty.
+ *
+ * \verbatim
+ *  /------------entire length---------------\
+ *  /----- used region -----\/-- available --\
+ *  +----------------------------------------+
+ *  | consumed  | remaining |                |
+ *  +----------------------------------------+
+ *  a           b     c     d                e
+ *
+ * a == base of buffer.
+ * b == current pointer.  Can be anywhere between a and d.
+ * c == active pointer.  Meaningful between b and d.
+ * d == used pointer.
+ * e == length of buffer.
+ *
+ * a-e == entire length of buffer.
+ * a-d == used region.
+ * a-b == consumed region.
+ * b-d == remaining region.
+ * b-c == optional active region.
+ *\endverbatim
+ *
+ * The following invariants are maintained by all routines:
+ *
+ *\code
+ *	length > 0
+ *
+ *	base is a valid pointer to length bytes of memory
+ *
+ *	0 <= used <= length
+ *
+ *	0 <= current <= used
+ *
+ *	0 <= active <= used
+ *	(although active < current implies empty active region)
+ *\endcode
+ *
+ * \li MP:
+ *	Buffers have no synchronization.  Clients must ensure exclusive
+ *	access.
+ *
+ * \li Reliability:
+ *	No anticipated impact.
+ *
+ * \li Resources:
+ *	Memory: 1 pointer + 6 unsigned integers per buffer.
+ *
+ * \li Security:
+ *	No anticipated impact.
+ *
+ * \li Standards:
+ *	None.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/assertions.h>
+#include <isc/formatcheck.h>
+#include <isc/lang.h>
+#include <isc/likely.h>
+#include <isc/list.h>
+#include <isc/magic.h>
+#include <isc/types.h>
+
+/*!
+ * To make many functions be inline macros (via \#define) define this.
+ * If it is undefined, a function will be used.
+ */
+/* #define ISC_BUFFER_USEINLINE */
+
+ISC_LANG_BEGINDECLS
+
+/*@{*/
+/*!
+ *** Magic numbers
+ ***/
+#define ISC_BUFFER_MAGIC    0x42756621U /* Buf!. */
+#define ISC_BUFFER_VALID(b) ISC_MAGIC_VALID(b, ISC_BUFFER_MAGIC)
+/*@}*/
+
+/*!
+ * Size granularity for dynamically resizable buffers; when reserving
+ * space in a buffer, we round the allocated buffer length up to the
+ * nearest * multiple of this value.
+ */
+#define ISC_BUFFER_INCR 2048
+
+/*
+ * The following macros MUST be used only on valid buffers.  It is the
+ * caller's responsibility to ensure this by using the ISC_BUFFER_VALID
+ * check above, or by calling another isc_buffer_*() function (rather than
+ * another macro.)
+ */
+
+/*@{*/
+/*!
+ * Fundamental buffer elements.  (A through E in the introductory comment.)
+ */
+#define isc_buffer_base(b) ((void *)(b)->base) /*a*/
+#define isc_buffer_current(b) \
+	((void *)((unsigned char *)(b)->base + (b)->current)) /*b*/
+#define isc_buffer_active(b) \
+	((void *)((unsigned char *)(b)->base + (b)->active)) /*c*/
+#define isc_buffer_used(b) \
+	((void *)((unsigned char *)(b)->base + (b)->used)) /*d*/
+#define isc_buffer_length(b) ((b)->length)		   /*e*/
+/*@}*/
+
+/*@{*/
+/*!
+ * Derived lengths.  (Described in the introductory comment.)
+ */
+#define isc_buffer_usedlength(b)      ((b)->used)		   /* d-a */
+#define isc_buffer_consumedlength(b)  ((b)->current)		   /* b-a */
+#define isc_buffer_remaininglength(b) ((b)->used - (b)->current)   /* d-b */
+#define isc_buffer_activelength(b)    ((b)->active - (b)->current) /* c-b */
+#define isc_buffer_availablelength(b) ((b)->length - (b)->used)	   /* e-d */
+/*@}*/
+
+/*!
+ * Note that the buffer structure is public.  This is principally so buffer
+ * operations can be implemented using macros.  Applications are strongly
+ * discouraged from directly manipulating the structure.
+ */
+
+struct isc_buffer {
+	unsigned int magic;
+	void	    *base;
+	/*@{*/
+	/*! The following integers are byte offsets from 'base'. */
+	unsigned int length;
+	unsigned int used;
+	unsigned int current;
+	unsigned int active;
+	/*@}*/
+	/*! linkable */
+	ISC_LINK(isc_buffer_t) link;
+	/*! private internal elements */
+	isc_mem_t *mctx;
+	/* automatically realloc buffer at put* */
+	bool autore;
+};
+
+/***
+ *** Functions
+ ***/
+
+void
+isc_buffer_allocate(isc_mem_t *mctx, isc_buffer_t **dynbuffer,
+		    unsigned int length);
+/*!<
+ * \brief Allocate a dynamic linkable buffer which has "length" bytes in the
+ * data region.
+ *
+ * Requires:
+ *\li	"mctx" is valid.
+ *
+ *\li	"dynbuffer" is non-NULL, and "*dynbuffer" is NULL.
+ *
+ * Note:
+ *\li	Changing the buffer's length field is not permitted.
+ */
+
+isc_result_t
+isc_buffer_reserve(isc_buffer_t **dynbuffer, unsigned int size);
+/*!<
+ * \brief Make "size" bytes of space available in the buffer. The buffer
+ * pointer may move when you call this function.
+ *
+ * Requires:
+ *\li	"dynbuffer" is not NULL.
+ *
+ *\li	"*dynbuffer" is a valid dynamic buffer.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS		- success
+ *\li	ISC_R_NOMEMORY		- no memory available
+ *
+ * Ensures:
+ *\li	"*dynbuffer" will be valid on return and will contain all the
+ *	original data. However, the buffer pointer may be moved during
+ *	reallocation.
+ */
+
+void
+isc_buffer_free(isc_buffer_t **dynbuffer);
+/*!<
+ * \brief Release resources allocated for a dynamic buffer.
+ *
+ * Requires:
+ *\li	"dynbuffer" is not NULL.
+ *
+ *\li	"*dynbuffer" is a valid dynamic buffer.
+ *
+ * Ensures:
+ *\li	"*dynbuffer" will be NULL on return, and all memory associated with
+ *	the dynamic buffer is returned to the memory context used in
+ *	isc_buffer_allocate().
+ */
+
+void
+isc__buffer_init(isc_buffer_t *b, void *base, unsigned int length);
+/*!<
+ * \brief Make 'b' refer to the 'length'-byte region starting at base.
+ *
+ * Requires:
+ *
+ *\li	'length' > 0
+ *
+ *\li	'base' is a pointer to a sequence of 'length' bytes.
+ *
+ */
+
+void
+isc__buffer_initnull(isc_buffer_t *b);
+/*!<
+ *\brief Initialize a buffer 'b' with a null data and zero length/
+ */
+
+void
+isc_buffer_reinit(isc_buffer_t *b, void *base, unsigned int length);
+/*!<
+ * \brief Make 'b' refer to the 'length'-byte region starting at base.
+ * Any existing data will be copied.
+ *
+ * Requires:
+ *
+ *\li	'length' > 0 AND length >= previous length
+ *
+ *\li	'base' is a pointer to a sequence of 'length' bytes.
+ *
+ */
+
+void
+isc__buffer_invalidate(isc_buffer_t *b);
+/*!<
+ * \brief Make 'b' an invalid buffer.
+ *
+ * Requires:
+ *\li	'b' is a valid buffer.
+ *
+ * Ensures:
+ *\li	If assertion checking is enabled, future attempts to use 'b' without
+ *	calling isc_buffer_init() on it will cause an assertion failure.
+ */
+
+void
+isc_buffer_setautorealloc(isc_buffer_t *b, bool enable);
+/*!<
+ * \brief Enable or disable autoreallocation on 'b'.
+ *
+ * Requires:
+ *\li	'b' is a valid dynamic buffer (b->mctx != NULL).
+ *
+ */
+
+void
+isc__buffer_region(isc_buffer_t *b, isc_region_t *r);
+/*!<
+ * \brief Make 'r' refer to the region of 'b'.
+ *
+ * Requires:
+ *
+ *\li	'b' is a valid buffer.
+ *
+ *\li	'r' points to a region structure.
+ */
+
+void
+isc__buffer_usedregion(const isc_buffer_t *b, isc_region_t *r);
+/*!<
+ * \brief Make 'r' refer to the used region of 'b'.
+ *
+ * Requires:
+ *
+ *\li	'b' is a valid buffer.
+ *
+ *\li	'r' points to a region structure.
+ */
+
+void
+isc__buffer_availableregion(isc_buffer_t *b, isc_region_t *r);
+/*!<
+ * \brief Make 'r' refer to the available region of 'b'.
+ *
+ * Requires:
+ *
+ *\li	'b' is a valid buffer.
+ *
+ *\li	'r' points to a region structure.
+ */
+
+void
+isc__buffer_add(isc_buffer_t *b, unsigned int n);
+/*!<
+ * \brief Increase the 'used' region of 'b' by 'n' bytes.
+ *
+ * Requires:
+ *
+ *\li	'b' is a valid buffer
+ *
+ *\li	used + n <= length
+ *
+ */
+
+void
+isc__buffer_subtract(isc_buffer_t *b, unsigned int n);
+/*!<
+ * \brief Decrease the 'used' region of 'b' by 'n' bytes.
+ *
+ * Requires:
+ *
+ *\li	'b' is a valid buffer
+ *
+ *\li	used >= n
+ *
+ */
+
+void
+isc__buffer_clear(isc_buffer_t *b);
+/*!<
+ * \brief Make the used region empty.
+ *
+ * Requires:
+ *
+ *\li	'b' is a valid buffer
+ *
+ * Ensures:
+ *
+ *\li	used = 0
+ *
+ */
+
+void
+isc__buffer_consumedregion(isc_buffer_t *b, isc_region_t *r);
+/*!<
+ * \brief Make 'r' refer to the consumed region of 'b'.
+ *
+ * Requires:
+ *
+ *\li	'b' is a valid buffer.
+ *
+ *\li	'r' points to a region structure.
+ */
+
+void
+isc__buffer_remainingregion(isc_buffer_t *b, isc_region_t *r);
+/*!<
+ * \brief Make 'r' refer to the remaining region of 'b'.
+ *
+ * Requires:
+ *
+ *\li	'b' is a valid buffer.
+ *
+ *\li	'r' points to a region structure.
+ */
+
+void
+isc__buffer_activeregion(isc_buffer_t *b, isc_region_t *r);
+/*!<
+ * \brief Make 'r' refer to the active region of 'b'.
+ *
+ * Requires:
+ *
+ *\li	'b' is a valid buffer.
+ *
+ *\li	'r' points to a region structure.
+ */
+
+void
+isc__buffer_setactive(isc_buffer_t *b, unsigned int n);
+/*!<
+ * \brief Sets the end of the active region 'n' bytes after current.
+ *
+ * Requires:
+ *
+ *\li	'b' is a valid buffer.
+ *
+ *\li	current + n <= used
+ */
+
+void
+isc__buffer_first(isc_buffer_t *b);
+/*!<
+ * \brief Make the consumed region empty.
+ *
+ * Requires:
+ *
+ *\li	'b' is a valid buffer
+ *
+ * Ensures:
+ *
+ *\li	current == 0
+ *
+ */
+
+void
+isc__buffer_forward(isc_buffer_t *b, unsigned int n);
+/*!<
+ * \brief Increase the 'consumed' region of 'b' by 'n' bytes.
+ *
+ * Requires:
+ *
+ *\li	'b' is a valid buffer
+ *
+ *\li	current + n <= used
+ *
+ */
+
+void
+isc__buffer_back(isc_buffer_t *b, unsigned int n);
+/*!<
+ * \brief Decrease the 'consumed' region of 'b' by 'n' bytes.
+ *
+ * Requires:
+ *
+ *\li	'b' is a valid buffer
+ *
+ *\li	n <= current
+ *
+ */
+
+void
+isc_buffer_compact(isc_buffer_t *b);
+/*!<
+ * \brief Compact the used region by moving the remaining region so it occurs
+ * at the start of the buffer.  The used region is shrunk by the size of
+ * the consumed region, and the consumed region is then made empty.
+ *
+ * Requires:
+ *
+ *\li	'b' is a valid buffer
+ *
+ * Ensures:
+ *
+ *\li	current == 0
+ *
+ *\li	The size of the used region is now equal to the size of the remaining
+ *	region (as it was before the call).  The contents of the used region
+ *	are those of the remaining region (as it was before the call).
+ */
+
+uint8_t
+isc_buffer_getuint8(isc_buffer_t *b);
+/*!<
+ * \brief Read an unsigned 8-bit integer from 'b' and return it.
+ *
+ * Requires:
+ *
+ *\li	'b' is a valid buffer.
+ *
+ *\li	The length of the remaining region of 'b' is at least 1.
+ *
+ * Ensures:
+ *
+ *\li	The current pointer in 'b' is advanced by 1.
+ *
+ * Returns:
+ *
+ *\li	A 8-bit unsigned integer.
+ */
+
+void
+isc__buffer_putuint8(isc_buffer_t *b, uint8_t val);
+/*!<
+ * \brief Store an unsigned 8-bit integer from 'val' into 'b'.
+ *
+ * Requires:
+ *\li	'b' is a valid buffer.
+ *
+ *\li	The length of the available region of 'b' is at least 1
+ *	or the buffer has autoreallocation enabled.
+ *
+ * Ensures:
+ *\li	The used pointer in 'b' is advanced by 1.
+ */
+
+uint16_t
+isc_buffer_getuint16(isc_buffer_t *b);
+/*!<
+ * \brief Read an unsigned 16-bit integer in network byte order from 'b',
+ * convert it to host byte order, and return it.
+ *
+ * Requires:
+ *
+ *\li	'b' is a valid buffer.
+ *
+ *\li	The length of the remaining region of 'b' is at least 2.
+ *
+ * Ensures:
+ *
+ *\li	The current pointer in 'b' is advanced by 2.
+ *
+ * Returns:
+ *
+ *\li	A 16-bit unsigned integer.
+ */
+
+void
+isc__buffer_putuint16(isc_buffer_t *b, uint16_t val);
+/*!<
+ * \brief Store an unsigned 16-bit integer in host byte order from 'val'
+ * into 'b' in network byte order.
+ *
+ * Requires:
+ *\li	'b' is a valid buffer.
+ *
+ *\li	The length of the available region of 'b' is at least 2
+ *	or the buffer has autoreallocation enabled.
+ *
+ * Ensures:
+ *\li	The used pointer in 'b' is advanced by 2.
+ */
+
+uint32_t
+isc_buffer_getuint32(isc_buffer_t *b);
+/*!<
+ * \brief Read an unsigned 32-bit integer in network byte order from 'b',
+ * convert it to host byte order, and return it.
+ *
+ * Requires:
+ *
+ *\li	'b' is a valid buffer.
+ *
+ *\li	The length of the remaining region of 'b' is at least 4.
+ *
+ * Ensures:
+ *
+ *\li	The current pointer in 'b' is advanced by 4.
+ *
+ * Returns:
+ *
+ *\li	A 32-bit unsigned integer.
+ */
+
+void
+isc__buffer_putuint32(isc_buffer_t *b, uint32_t val);
+/*!<
+ * \brief Store an unsigned 32-bit integer in host byte order from 'val'
+ * into 'b' in network byte order.
+ *
+ * Requires:
+ *\li	'b' is a valid buffer.
+ *
+ *\li	The length of the available region of 'b' is at least 4
+ *	or the buffer has autoreallocation enabled.
+ *
+ * Ensures:
+ *\li	The used pointer in 'b' is advanced by 4.
+ */
+
+uint64_t
+isc_buffer_getuint48(isc_buffer_t *b);
+/*!<
+ * \brief Read an unsigned 48-bit integer in network byte order from 'b',
+ * convert it to host byte order, and return it.
+ *
+ * Requires:
+ *
+ *\li	'b' is a valid buffer.
+ *
+ *\li	The length of the remaining region of 'b' is at least 6.
+ *
+ * Ensures:
+ *
+ *\li	The current pointer in 'b' is advanced by 6.
+ *
+ * Returns:
+ *
+ *\li	A 48-bit unsigned integer (stored in a 64-bit integer).
+ */
+
+void
+isc__buffer_putuint48(isc_buffer_t *b, uint64_t val);
+/*!<
+ * \brief Store an unsigned 48-bit integer in host byte order from 'val'
+ * into 'b' in network byte order.
+ *
+ * Requires:
+ *\li	'b' is a valid buffer.
+ *
+ *\li	The length of the available region of 'b' is at least 6
+ *	or the buffer has autoreallocation enabled.
+ *
+ * Ensures:
+ *\li	The used pointer in 'b' is advanced by 6.
+ */
+
+void
+isc__buffer_putuint24(isc_buffer_t *b, uint32_t val);
+/*!<
+ * Store an unsigned 24-bit integer in host byte order from 'val'
+ * into 'b' in network byte order.
+ *
+ * Requires:
+ *\li	'b' is a valid buffer.
+ *
+ *\li	The length of the available region of 'b' is at least 3
+ *	or the buffer has autoreallocation enabled.
+ *
+ * Ensures:
+ *\li	The used pointer in 'b' is advanced by 3.
+ */
+
+void
+isc__buffer_putmem(isc_buffer_t *b, const unsigned char *base,
+		   unsigned int length);
+/*!<
+ * \brief Copy 'length' bytes of memory at 'base' into 'b'.
+ *
+ * Requires:
+ *\li	'b' is a valid buffer.
+ *
+ *\li	'base' points to 'length' bytes of valid memory.
+ *
+ *\li	The length of the available region of 'b' is at least 'length'
+ *	or the buffer has autoreallocation enabled.
+ *
+ * Ensures:
+ *\li	The used pointer in 'b' is advanced by 'length'.
+ */
+
+void
+isc__buffer_putstr(isc_buffer_t *b, const char *source);
+/*!<
+ * \brief Copy 'source' into 'b', not including terminating NUL.
+ *
+ * Requires:
+ *\li	'b' is a valid buffer.
+ *
+ *\li	'source' is a valid NULL terminated string.
+ *
+ *\li	The length of the available region of 'b' is at least strlen('source')
+ *	or the buffer has autoreallocation enabled.
+ *
+ * Ensures:
+ *\li	The used pointer in 'b' is advanced by strlen('source').
+ */
+
+void
+isc_buffer_putdecint(isc_buffer_t *b, int64_t v);
+/*!<
+ * \brief Put decimal representation of 'v' in b
+ *
+ * Requires:
+ *\li	'b' is a valid buffer.
+ *
+ *\li	The length of the available region of 'b' is at least strlen(dec('v'))
+ *	or the buffer has autoreallocation enabled.
+ *
+ * Ensures:
+ *\li	The used pointer in 'b' is advanced by strlen(dec('v')).
+ */
+
+isc_result_t
+isc_buffer_copyregion(isc_buffer_t *b, const isc_region_t *r);
+/*!<
+ * \brief Copy the contents of 'r' into 'b'.
+ *
+ * Notes:
+ *\li	If 'b' has autoreallocation enabled, and the length of 'r' is greater
+ *	than the length of the available region of 'b', 'b' is reallocated.
+ *
+ * Requires:
+ *\li	'b' is a valid buffer.
+ *
+ *\li	'r' is a valid region.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_NOSPACE			The available region of 'b' is not
+ *					big enough.
+ */
+
+isc_result_t
+isc_buffer_dup(isc_mem_t *mctx, isc_buffer_t **dstp, const isc_buffer_t *src);
+/*!<
+ * \brief Allocate 'dst' and copy used contents of 'src' into it.
+ *
+ * Requires:
+ *\li	'dstp' is not NULL and *dst is NULL.
+ *\li	'src' is a valid buffer.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS
+ */
+
+isc_result_t
+isc_buffer_printf(isc_buffer_t *b, const char *format, ...)
+	ISC_FORMAT_PRINTF(2, 3);
+/*!<
+ * \brief Append a formatted string to the used region of 'b'.
+ *
+ * Notes:
+ *
+ *\li	The 'format' argument is a printf(3) string, with additional arguments
+ *	as necessary.
+ *
+ *\li	If 'b' has autoreallocation enabled, and the length of the formatted
+ *	string is greater than the length of the available region of 'b', 'b'
+ *	is reallocated.
+ *
+ * Requires:
+ *
+ *\li	'b' is a valid buffer.
+ *
+ * Ensures:
+ *
+ *\li	The used pointer in 'b' is advanced by the number of bytes appended
+ *	(excluding the terminating NULL byte).
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS	Operation succeeded.
+ *\li	#ISC_R_NOSPACE	'b' does not allow reallocation and appending the
+ *			formatted string to it would cause it to overflow.
+ *\li	#ISC_R_NOMEMORY	Reallocation failed.
+ *\li	#ISC_R_FAILURE	Other error occurred.
+ */
+
+ISC_LANG_ENDDECLS
+
+/*
+ * Inline macro versions of the functions.  These should never be called
+ * directly by an application, but will be used by the functions within
+ * buffer.c.  The callers should always use "isc_buffer_*()" names, never
+ * ones beginning with "isc__"
+ */
+
+/*! \note
+ * XXXDCL Something more could be done with initializing buffers that
+ * point to const data.  For example, isc_buffer_constinit() could
+ * set a new boolean flag in the buffer structure indicating whether
+ * the buffer was initialized with that function.  * Then if the
+ * boolean were true, the isc_buffer_put* functions could assert a
+ * contractual requirement for a non-const buffer.
+ *
+ * One drawback is that the isc_buffer_* functions (macros) that return
+ * pointers would still need to return non-const pointers to avoid compiler
+ * warnings, so it would be up to code that uses them to have to deal
+ * with the possibility that the buffer was initialized as const --
+ * a problem that they *already* have to deal with but have absolutely
+ * no ability to.  With a new isc_buffer_isconst() function returning
+ * true/false, they could at least assert a contractual requirement for
+ * non-const buffers when needed.
+ */
+#define ISC__BUFFER_INIT(_b, _base, _length)    \
+	do {                                    \
+		ISC_REQUIRE((_b) != NULL);      \
+		(_b)->base = _base;             \
+		(_b)->length = (_length);       \
+		(_b)->used = 0;                 \
+		(_b)->current = 0;              \
+		(_b)->active = 0;               \
+		(_b)->mctx = NULL;              \
+		ISC_LINK_INIT(_b, link);        \
+		(_b)->magic = ISC_BUFFER_MAGIC; \
+		(_b)->autore = false;           \
+	} while (0)
+
+#define ISC__BUFFER_INITNULL(_b) ISC__BUFFER_INIT(_b, NULL, 0)
+
+#define ISC__BUFFER_INVALIDATE(_b)                         \
+	do {                                               \
+		ISC_REQUIRE(ISC_BUFFER_VALID(_b));         \
+		ISC_REQUIRE(!ISC_LINK_LINKED((_b), link)); \
+		ISC_REQUIRE((_b)->mctx == NULL);           \
+		(_b)->magic = 0;                           \
+		(_b)->base = NULL;                         \
+		(_b)->length = 0;                          \
+		(_b)->used = 0;                            \
+		(_b)->current = 0;                         \
+		(_b)->active = 0;                          \
+	} while (0)
+
+#define ISC__BUFFER_REGION(_b, _r)                 \
+	do {                                       \
+		ISC_REQUIRE(ISC_BUFFER_VALID(_b)); \
+		ISC_REQUIRE((_r) != NULL);         \
+		(_r)->base = (_b)->base;           \
+		(_r)->length = (_b)->length;       \
+	} while (0)
+
+#define ISC__BUFFER_USEDREGION(_b, _r)             \
+	do {                                       \
+		ISC_REQUIRE(ISC_BUFFER_VALID(_b)); \
+		ISC_REQUIRE((_r) != NULL);         \
+		(_r)->base = (_b)->base;           \
+		(_r)->length = (_b)->used;         \
+	} while (0)
+
+#define ISC__BUFFER_AVAILABLEREGION(_b, _r)                    \
+	do {                                                   \
+		ISC_REQUIRE(ISC_BUFFER_VALID(_b));             \
+		ISC_REQUIRE((_r) != NULL);                     \
+		(_r)->base = isc_buffer_used(_b);              \
+		(_r)->length = isc_buffer_availablelength(_b); \
+	} while (0)
+
+#define ISC__BUFFER_ADD(_b, _n)                                 \
+	do {                                                    \
+		ISC_REQUIRE(ISC_BUFFER_VALID(_b));              \
+		ISC_REQUIRE((_b)->used + (_n) <= (_b)->length); \
+		(_b)->used += (_n);                             \
+	} while (0)
+
+#define ISC__BUFFER_SUBTRACT(_b, _n)                \
+	do {                                        \
+		ISC_REQUIRE(ISC_BUFFER_VALID(_b));  \
+		ISC_REQUIRE((_b)->used >= (_n));    \
+		(_b)->used -= (_n);                 \
+		if ((_b)->current > (_b)->used)     \
+			(_b)->current = (_b)->used; \
+		if ((_b)->active > (_b)->used)      \
+			(_b)->active = (_b)->used;  \
+	} while (0)
+
+#define ISC__BUFFER_CLEAR(_b)                      \
+	do {                                       \
+		ISC_REQUIRE(ISC_BUFFER_VALID(_b)); \
+		(_b)->used = 0;                    \
+		(_b)->current = 0;                 \
+		(_b)->active = 0;                  \
+	} while (0)
+
+#define ISC__BUFFER_CONSUMEDREGION(_b, _r)         \
+	do {                                       \
+		ISC_REQUIRE(ISC_BUFFER_VALID(_b)); \
+		ISC_REQUIRE((_r) != NULL);         \
+		(_r)->base = (_b)->base;           \
+		(_r)->length = (_b)->current;      \
+	} while (0)
+
+#define ISC__BUFFER_REMAININGREGION(_b, _r)                    \
+	do {                                                   \
+		ISC_REQUIRE(ISC_BUFFER_VALID(_b));             \
+		ISC_REQUIRE((_r) != NULL);                     \
+		(_r)->base = isc_buffer_current(_b);           \
+		(_r)->length = isc_buffer_remaininglength(_b); \
+	} while (0)
+
+#define ISC__BUFFER_ACTIVEREGION(_b, _r)                            \
+	do {                                                        \
+		ISC_REQUIRE(ISC_BUFFER_VALID(_b));                  \
+		ISC_REQUIRE((_r) != NULL);                          \
+		if ((_b)->current < (_b)->active) {                 \
+			(_r)->base = isc_buffer_current(_b);        \
+			(_r)->length = isc_buffer_activelength(_b); \
+		} else {                                            \
+			(_r)->base = NULL;                          \
+			(_r)->length = 0;                           \
+		}                                                   \
+	} while (0)
+
+#define ISC__BUFFER_SETACTIVE(_b, _n)                            \
+	do {                                                     \
+		ISC_REQUIRE(ISC_BUFFER_VALID(_b));               \
+		ISC_REQUIRE((_b)->current + (_n) <= (_b)->used); \
+		(_b)->active = (_b)->current + (_n);             \
+	} while (0)
+
+#define ISC__BUFFER_FIRST(_b)                      \
+	do {                                       \
+		ISC_REQUIRE(ISC_BUFFER_VALID(_b)); \
+		(_b)->current = 0;                 \
+	} while (0)
+
+#define ISC__BUFFER_FORWARD(_b, _n)                              \
+	do {                                                     \
+		ISC_REQUIRE(ISC_BUFFER_VALID(_b));               \
+		ISC_REQUIRE((_b)->current + (_n) <= (_b)->used); \
+		(_b)->current += (_n);                           \
+	} while (0)
+
+#define ISC__BUFFER_BACK(_b, _n)                    \
+	do {                                        \
+		ISC_REQUIRE(ISC_BUFFER_VALID(_b));  \
+		ISC_REQUIRE((_n) <= (_b)->current); \
+		(_b)->current -= (_n);              \
+	} while (0)
+
+#define ISC__BUFFER_PUTMEM(_b, _base, _length)                            \
+	do {                                                              \
+		ISC_REQUIRE(ISC_BUFFER_VALID(_b));                        \
+		if (ISC_UNLIKELY((_b)->autore)) {                         \
+			isc_buffer_t *_tmp = _b;                          \
+			ISC_REQUIRE(isc_buffer_reserve(&_tmp, _length) == \
+				    ISC_R_SUCCESS);                       \
+		}                                                         \
+		ISC_REQUIRE(isc_buffer_availablelength(_b) >=             \
+			    (unsigned int)_length);                       \
+		if (_length > 0U) {                                       \
+			memmove(isc_buffer_used(_b), (_base), (_length)); \
+			(_b)->used += (_length);                          \
+		}                                                         \
+	} while (0)
+
+#define ISC__BUFFER_PUTSTR(_b, _source)                                   \
+	do {                                                              \
+		unsigned int   _length;                                   \
+		unsigned char *_cp;                                       \
+		ISC_REQUIRE(ISC_BUFFER_VALID(_b));                        \
+		ISC_REQUIRE((_source) != NULL);                           \
+		_length = (unsigned int)strlen(_source);                  \
+		if (ISC_UNLIKELY((_b)->autore)) {                         \
+			isc_buffer_t *_tmp = _b;                          \
+			ISC_REQUIRE(isc_buffer_reserve(&_tmp, _length) == \
+				    ISC_R_SUCCESS);                       \
+		}                                                         \
+		ISC_REQUIRE(isc_buffer_availablelength(_b) >= _length);   \
+		_cp = isc_buffer_used(_b);                                \
+		memmove(_cp, (_source), _length);                         \
+		(_b)->used += (_length);                                  \
+	} while (0)
+
+#define ISC__BUFFER_PUTUINT8(_b, _val)                              \
+	do {                                                        \
+		unsigned char *_cp;                                 \
+		/* evaluate (_val) only once */                     \
+		uint8_t _val2 = (_val);                             \
+		ISC_REQUIRE(ISC_BUFFER_VALID(_b));                  \
+		if (ISC_UNLIKELY((_b)->autore)) {                   \
+			isc_buffer_t *_tmp = _b;                    \
+			ISC_REQUIRE(isc_buffer_reserve(&_tmp, 1) == \
+				    ISC_R_SUCCESS);                 \
+		}                                                   \
+		ISC_REQUIRE(isc_buffer_availablelength(_b) >= 1U);  \
+		_cp = isc_buffer_used(_b);                          \
+		(_b)->used++;                                       \
+		_cp[0] = _val2;                                     \
+	} while (0)
+
+#define ISC__BUFFER_PUTUINT16(_b, _val)                             \
+	do {                                                        \
+		unsigned char *_cp;                                 \
+		/* evaluate (_val) only once */                     \
+		uint16_t _val2 = (_val);                            \
+		ISC_REQUIRE(ISC_BUFFER_VALID(_b));                  \
+		if (ISC_UNLIKELY((_b)->autore)) {                   \
+			isc_buffer_t *_tmp = _b;                    \
+			ISC_REQUIRE(isc_buffer_reserve(&_tmp, 2) == \
+				    ISC_R_SUCCESS);                 \
+		}                                                   \
+		ISC_REQUIRE(isc_buffer_availablelength(_b) >= 2U);  \
+		_cp = isc_buffer_used(_b);                          \
+		(_b)->used += 2;                                    \
+		_cp[0] = (unsigned char)(_val2 >> 8);               \
+		_cp[1] = (unsigned char)_val2;                      \
+	} while (0)
+
+#define ISC__BUFFER_PUTUINT24(_b, _val)                             \
+	do {                                                        \
+		unsigned char *_cp;                                 \
+		/* evaluate (_val) only once */                     \
+		uint32_t _val2 = (_val);                            \
+		ISC_REQUIRE(ISC_BUFFER_VALID(_b));                  \
+		if (ISC_UNLIKELY((_b)->autore)) {                   \
+			isc_buffer_t *_tmp = _b;                    \
+			ISC_REQUIRE(isc_buffer_reserve(&_tmp, 3) == \
+				    ISC_R_SUCCESS);                 \
+		}                                                   \
+		ISC_REQUIRE(isc_buffer_availablelength(_b) >= 3U);  \
+		_cp = isc_buffer_used(_b);                          \
+		(_b)->used += 3;                                    \
+		_cp[0] = (unsigned char)(_val2 >> 16);              \
+		_cp[1] = (unsigned char)(_val2 >> 8);               \
+		_cp[2] = (unsigned char)_val2;                      \
+	} while (0)
+
+#define ISC__BUFFER_PUTUINT32(_b, _val)                             \
+	do {                                                        \
+		unsigned char *_cp;                                 \
+		/* evaluate (_val) only once */                     \
+		uint32_t _val2 = (_val);                            \
+		ISC_REQUIRE(ISC_BUFFER_VALID(_b));                  \
+		if (ISC_UNLIKELY((_b)->autore)) {                   \
+			isc_buffer_t *_tmp = _b;                    \
+			ISC_REQUIRE(isc_buffer_reserve(&_tmp, 4) == \
+				    ISC_R_SUCCESS);                 \
+		}                                                   \
+		ISC_REQUIRE(isc_buffer_availablelength(_b) >= 4U);  \
+		_cp = isc_buffer_used(_b);                          \
+		(_b)->used += 4;                                    \
+		_cp[0] = (unsigned char)(_val2 >> 24);              \
+		_cp[1] = (unsigned char)(_val2 >> 16);              \
+		_cp[2] = (unsigned char)(_val2 >> 8);               \
+		_cp[3] = (unsigned char)_val2;                      \
+	} while (0)
+
+#if defined(ISC_BUFFER_USEINLINE)
+#define isc_buffer_init		   ISC__BUFFER_INIT
+#define isc_buffer_initnull	   ISC__BUFFER_INITNULL
+#define isc_buffer_invalidate	   ISC__BUFFER_INVALIDATE
+#define isc_buffer_region	   ISC__BUFFER_REGION
+#define isc_buffer_usedregion	   ISC__BUFFER_USEDREGION
+#define isc_buffer_availableregion ISC__BUFFER_AVAILABLEREGION
+#define isc_buffer_add		   ISC__BUFFER_ADD
+#define isc_buffer_subtract	   ISC__BUFFER_SUBTRACT
+#define isc_buffer_clear	   ISC__BUFFER_CLEAR
+#define isc_buffer_consumedregion  ISC__BUFFER_CONSUMEDREGION
+#define isc_buffer_remainingregion ISC__BUFFER_REMAININGREGION
+#define isc_buffer_activeregion	   ISC__BUFFER_ACTIVEREGION
+#define isc_buffer_setactive	   ISC__BUFFER_SETACTIVE
+#define isc_buffer_first	   ISC__BUFFER_FIRST
+#define isc_buffer_forward	   ISC__BUFFER_FORWARD
+#define isc_buffer_back		   ISC__BUFFER_BACK
+#define isc_buffer_putmem	   ISC__BUFFER_PUTMEM
+#define isc_buffer_putstr	   ISC__BUFFER_PUTSTR
+#define isc_buffer_putuint8	   ISC__BUFFER_PUTUINT8
+#define isc_buffer_putuint16	   ISC__BUFFER_PUTUINT16
+#define isc_buffer_putuint24	   ISC__BUFFER_PUTUINT24
+#define isc_buffer_putuint32	   ISC__BUFFER_PUTUINT32
+#else /* if defined(ISC_BUFFER_USEINLINE) */
+#define isc_buffer_init		   isc__buffer_init
+#define isc_buffer_initnull	   isc__buffer_initnull
+#define isc_buffer_invalidate	   isc__buffer_invalidate
+#define isc_buffer_region	   isc__buffer_region
+#define isc_buffer_usedregion	   isc__buffer_usedregion
+#define isc_buffer_availableregion isc__buffer_availableregion
+#define isc_buffer_add		   isc__buffer_add
+#define isc_buffer_subtract	   isc__buffer_subtract
+#define isc_buffer_clear	   isc__buffer_clear
+#define isc_buffer_consumedregion  isc__buffer_consumedregion
+#define isc_buffer_remainingregion isc__buffer_remainingregion
+#define isc_buffer_activeregion	   isc__buffer_activeregion
+#define isc_buffer_setactive	   isc__buffer_setactive
+#define isc_buffer_first	   isc__buffer_first
+#define isc_buffer_forward	   isc__buffer_forward
+#define isc_buffer_back		   isc__buffer_back
+#define isc_buffer_putmem	   isc__buffer_putmem
+#define isc_buffer_putstr	   isc__buffer_putstr
+#define isc_buffer_putuint8	   isc__buffer_putuint8
+#define isc_buffer_putuint16	   isc__buffer_putuint16
+#define isc_buffer_putuint24	   isc__buffer_putuint24
+#define isc_buffer_putuint32	   isc__buffer_putuint32
+#endif /* if defined(ISC_BUFFER_USEINLINE) */
+
+#define isc_buffer_constinit(_b, _d, _l)                    \
+	do {                                                \
+		union {                                     \
+			void	   *_var;                   \
+			const void *_const;                 \
+		} _deconst;                                 \
+		_deconst._const = (_d);                     \
+		isc_buffer_init((_b), _deconst._var, (_l)); \
+	} while (0)
+
+/*
+ * No inline method for this one (yet).
+ */
+#define isc_buffer_putuint48 isc__buffer_putuint48
+
+#endif /* ISC_BUFFER_H */
diff --git a/lib/isc/include/isc/bufferlist.h b/lib/isc/include/isc/bufferlist.h
new file mode 100644
index 0000000..95ad3ef
--- /dev/null
+++ b/lib/isc/include/isc/bufferlist.h
@@ -0,0 +1,80 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_BUFFERLIST_H
+#define ISC_BUFFERLIST_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file isc/bufferlist.h
+ *
+ *
+ *\brief	Buffer lists have no synchronization.  Clients must ensure
+ * exclusive *	access.
+ *
+ * \li Reliability:
+ *	No anticipated impact.
+ *
+ * \li Security:
+ *	No anticipated impact.
+ *
+ * \li Standards:
+ *	None.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Functions
+ ***/
+
+unsigned int
+isc_bufferlist_usedcount(isc_bufferlist_t *bl);
+/*!<
+ * \brief Return the length of the sum of all used regions of all buffers in
+ * the buffer list 'bl'
+ *
+ * Requires:
+ *
+ *\li	'bl' is not NULL.
+ *
+ * Returns:
+ *\li	sum of all used regions' lengths.
+ */
+
+unsigned int
+isc_bufferlist_availablecount(isc_bufferlist_t *bl);
+/*!<
+ * \brief Return the length of the sum of all available regions of all buffers
+ * in the buffer list 'bl'
+ *
+ * Requires:
+ *
+ *\li	'bl' is not NULL.
+ *
+ * Returns:
+ *\li	sum of all available regions' lengths.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_BUFFERLIST_H */
diff --git a/lib/isc/include/isc/cmocka.h b/lib/isc/include/isc/cmocka.h
new file mode 100644
index 0000000..de86d5a
--- /dev/null
+++ b/lib/isc/include/isc/cmocka.h
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file isc/cmocka.h */
+
+#pragma once
+
+#include <cmocka.h>
+
+#include <isc/lang.h>
+
+ISC_LANG_BEGINDECLS
+
+/*
+ * Copy the test identified by 'name' from 'tests' to 'selected'.
+ */
+#define cmocka_add_test_byname(tests, name, selected)                          \
+	_cmocka_add_test_byname(tests, sizeof(tests) / sizeof(tests[0]), name, \
+				selected,                                      \
+				sizeof(selected) / sizeof(selected[0]))
+
+static inline bool
+_cmocka_add_test_byname(const struct CMUnitTest *tests, size_t ntests,
+			const char *name, struct CMUnitTest *selected,
+			size_t nselected) {
+	size_t i, j;
+
+	for (i = 0; i < ntests && tests[i].name != NULL; i++) {
+		if (strcmp(tests[i].name, name) != 0) {
+			continue;
+		}
+		for (j = 0; j < nselected && selected[j].name != NULL; j++) {
+			if (strcmp(tests[j].name, name) == 0) {
+				break;
+			}
+		}
+		if (j < nselected && selected[j].name == NULL) {
+			selected[j] = tests[i];
+		}
+		return (true);
+	}
+	return (false);
+}
+
+ISC_LANG_ENDDECLS
diff --git a/lib/isc/include/isc/commandline.h b/lib/isc/include/isc/commandline.h
new file mode 100644
index 0000000..69143ce
--- /dev/null
+++ b/lib/isc/include/isc/commandline.h
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_COMMANDLINE_H
+#define ISC_COMMANDLINE_H 1
+
+/*! \file isc/commandline.h */
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/platform.h>
+#include <isc/result.h>
+
+/*% Index into parent argv vector. */
+LIBISC_EXTERNAL_DATA extern int isc_commandline_index;
+/*% Character checked for validity. */
+LIBISC_EXTERNAL_DATA extern int isc_commandline_option;
+/*% Argument associated with option. */
+LIBISC_EXTERNAL_DATA extern char *isc_commandline_argument;
+/*% For printing error messages. */
+LIBISC_EXTERNAL_DATA extern char *isc_commandline_progname;
+/*% Print error message. */
+LIBISC_EXTERNAL_DATA extern bool isc_commandline_errprint;
+/*% Reset getopt. */
+LIBISC_EXTERNAL_DATA extern bool isc_commandline_reset;
+
+ISC_LANG_BEGINDECLS
+
+int
+isc_commandline_parse(int argc, char *const *argv, const char *options);
+/*%<
+ * Parse a command line (similar to getopt())
+ */
+
+isc_result_t
+isc_commandline_strtoargv(isc_mem_t *mctx, char *s, unsigned int *argcp,
+			  char ***argvp, unsigned int n);
+/*%<
+ * Tokenize the string "s" into whitespace-separated words,
+ * returning the number of words in '*argcp' and an array
+ * of pointers to the words in '*argvp'.  The caller
+ * must free the array using isc_mem_free().  The string
+ * is modified in-place.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_COMMANDLINE_H */
diff --git a/lib/isc/include/isc/counter.h b/lib/isc/include/isc/counter.h
new file mode 100644
index 0000000..f61a55b
--- /dev/null
+++ b/lib/isc/include/isc/counter.h
@@ -0,0 +1,87 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_COUNTER_H
+#define ISC_COUNTER_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file isc/counter.h
+ *
+ * \brief The isc_counter_t object is a simplified version of the
+ * isc_quota_t object; it tracks the consumption of limited
+ * resources, returning an error condition when the quota is
+ * exceeded.  However, unlike isc_quota_t, attaching and detaching
+ * from a counter object does not increment or decrement the counter.
+ */
+
+/***
+ *** Imports.
+ ***/
+
+#include <isc/lang.h>
+#include <isc/mutex.h>
+#include <isc/types.h>
+
+/*****
+***** Types.
+*****/
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_counter_create(isc_mem_t *mctx, int limit, isc_counter_t **counterp);
+/*%<
+ * Allocate and initialize a counter object.
+ */
+
+isc_result_t
+isc_counter_increment(isc_counter_t *counter);
+/*%<
+ * Increment the counter.
+ *
+ * If the counter limit is nonzero and has been reached, then
+ * return ISC_R_QUOTA, otherwise ISC_R_SUCCESS. (The counter is
+ * incremented regardless of return value.)
+ */
+
+unsigned int
+isc_counter_used(isc_counter_t *counter);
+/*%<
+ * Return the current counter value.
+ */
+
+void
+isc_counter_setlimit(isc_counter_t *counter, int limit);
+/*%<
+ * Set the counter limit.
+ */
+
+void
+isc_counter_attach(isc_counter_t *source, isc_counter_t **targetp);
+/*%<
+ * Attach to a counter object, increasing its reference counter.
+ */
+
+void
+isc_counter_detach(isc_counter_t **counterp);
+/*%<
+ * Detach (and destroy if reference counter has dropped to zero)
+ * a counter object.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_COUNTER_H */
diff --git a/lib/isc/include/isc/crc64.h b/lib/isc/include/isc/crc64.h
new file mode 100644
index 0000000..a3fdfb4
--- /dev/null
+++ b/lib/isc/include/isc/crc64.h
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_CRC64_H
+#define ISC_CRC64_H 1
+
+/*! \file isc/crc64.h
+ * \brief CRC64 in C
+ */
+
+#include <inttypes.h>
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+void
+isc_crc64_init(uint64_t *crc);
+/*%
+ * Initialize a new CRC.
+ *
+ * Requires:
+ * * 'crc' is not NULL.
+ */
+
+void
+isc_crc64_update(uint64_t *crc, const void *data, size_t len);
+/*%
+ * Add data to the CRC.
+ *
+ * Requires:
+ * * 'crc' is not NULL.
+ * * 'data' is not NULL.
+ */
+
+void
+isc_crc64_final(uint64_t *crc);
+/*%
+ * Finalize the CRC.
+ *
+ * Requires:
+ * * 'crc' is not NULL.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_CRC64_H */
diff --git a/lib/isc/include/isc/deprecated.h b/lib/isc/include/isc/deprecated.h
new file mode 100644
index 0000000..73ce584
--- /dev/null
+++ b/lib/isc/include/isc/deprecated.h
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_DEPRECATED_H
+#define ISC_DEPRECATED_H
+
+#if (__GNUC__ + 0) > 3
+#define ISC_DEPRECATED __attribute__((deprecated))
+#else		       /* if (__GNUC__ + 0) > 3 */
+#define ISC_DEPRECATED /* none */
+#endif		       /* __GNUC__ > 3*/
+
+#endif /* ifndef ISC_DEPRECATED_H */
diff --git a/lib/isc/include/isc/endian.h b/lib/isc/include/isc/endian.h
new file mode 100644
index 0000000..e598a7b
--- /dev/null
+++ b/lib/isc/include/isc/endian.h
@@ -0,0 +1,190 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#pragma once
+
+#if defined(__DragonFly__) || defined(__FreeBSD__) || defined(__NetBSD__) || \
+	defined(__OpenBSD__) || defined(__bsdi__)
+
+#include <sys/endian.h>
+
+/*
+ * Recent BSDs should have [bl]e{16,32,64}toh() defined in <sys/endian.h>.
+ * Older ones might not, but these should have the alternatively named
+ * [bl]etoh{16,32,64}() functions defined.
+ */
+#ifndef be16toh
+#define be16toh(x) betoh16(x)
+#define le16toh(x) letoh16(x)
+#define be32toh(x) betoh32(x)
+#define le32toh(x) letoh32(x)
+#define be64toh(x) betoh64(x)
+#define le64toh(x) letoh64(x)
+#endif /* !be16toh */
+
+#elif defined(_WIN32)
+
+/*
+ * Windows is always little-endian and has its own byte-swapping routines, so
+ * use these.
+ */
+
+#include <stdlib.h>
+
+#define htobe16(x) _byteswap_ushort(x)
+#define htole16(x) (x)
+#define be16toh(x) _byteswap_ushort(x)
+#define le16toh(x) (x)
+
+#define htobe32(x) _byteswap_ulong(x)
+#define htole32(x) (x)
+#define be32toh(x) _byteswap_ulong(x)
+#define le32toh(x) (x)
+
+#define htobe64(x) _byteswap_uint64(x)
+#define htole64(x) (x)
+#define be64toh(x) _byteswap_uint64(x)
+#define le64toh(x) (x)
+
+#elif defined __APPLE__
+
+/*
+ * macOS has its own byte-swapping routines, so use these.
+ */
+
+#include <libkern/OSByteOrder.h>
+
+#define htobe16(x) OSSwapHostToBigInt16(x)
+#define htole16(x) OSSwapHostToLittleInt16(x)
+#define be16toh(x) OSSwapBigToHostInt16(x)
+#define le16toh(x) OSSwapLittleToHostInt16(x)
+
+#define htobe32(x) OSSwapHostToBigInt32(x)
+#define htole32(x) OSSwapHostToLittleInt32(x)
+#define be32toh(x) OSSwapBigToHostInt32(x)
+#define le32toh(x) OSSwapLittleToHostInt32(x)
+
+#define htobe64(x) OSSwapHostToBigInt64(x)
+#define htole64(x) OSSwapHostToLittleInt64(x)
+#define be64toh(x) OSSwapBigToHostInt64(x)
+#define le64toh(x) OSSwapLittleToHostInt64(x)
+
+#elif defined(sun) || defined(__sun) || defined(__SVR4)
+
+/*
+ * For Solaris, rely on the fallback definitions below, though use
+ * Solaris-specific versions of bswap_{16,32,64}().
+ */
+
+#include <sys/byteorder.h>
+
+#define bswap_16(x) BSWAP_16(x)
+#define bswap_32(x) BSWAP_32(x)
+#define bswap_64(x) BSWAP_64(x)
+
+#elif defined(__ANDROID__) || defined(__CYGWIN__) || defined(__GNUC__) || \
+	defined(__GNU__)
+
+#include <byteswap.h>
+#include <endian.h>
+
+#else /* if defined(__DragonFly__) || defined(__FreeBSD__) || \
+       * defined(__NetBSD__) || defined(__OpenBSD__) || defined(__bsdi__) */
+
+#endif /* Specific platform support */
+
+/*
+ * Fallback definitions.
+ */
+
+#include <inttypes.h>
+
+#ifndef bswap_16
+#define bswap_16(x)                                 \
+	((uint16_t)((((uint16_t)(x)&0xff00) >> 8) | \
+		    (((uint16_t)(x)&0x00ff) << 8)))
+#endif /* !bswap_16 */
+
+#ifndef bswap_32
+#define bswap_32(x)                                      \
+	((uint32_t)((((uint32_t)(x)&0xff000000) >> 24) | \
+		    (((uint32_t)(x)&0x00ff0000) >> 8) |  \
+		    (((uint32_t)(x)&0x0000ff00) << 8) |  \
+		    (((uint32_t)(x)&0x000000ff) << 24)))
+#endif /* !bswap_32 */
+
+#ifndef bswap_64
+#define bswap_64(x)                                                 \
+	((uint64_t)((((uint64_t)(x)&0xff00000000000000ULL) >> 56) | \
+		    (((uint64_t)(x)&0x00ff000000000000ULL) >> 40) | \
+		    (((uint64_t)(x)&0x0000ff0000000000ULL) >> 24) | \
+		    (((uint64_t)(x)&0x000000ff00000000ULL) >> 8) |  \
+		    (((uint64_t)(x)&0x00000000ff000000ULL) << 8) |  \
+		    (((uint64_t)(x)&0x0000000000ff0000ULL) << 24) | \
+		    (((uint64_t)(x)&0x000000000000ff00ULL) << 40) | \
+		    (((uint64_t)(x)&0x00000000000000ffULL) << 56)))
+#endif /* !bswap_64 */
+
+#ifndef htobe16
+#if WORDS_BIGENDIAN
+
+#define htobe16(x) (x)
+#define htole16(x) bswap_16(x)
+#define be16toh(x) (x)
+#define le16toh(x) bswap_16(x)
+
+#else /* WORDS_BIGENDIAN */
+
+#define htobe16(x) bswap_16(x)
+#define htole16(x) (x)
+#define be16toh(x) bswap_16(x)
+#define le16toh(x) (x)
+
+#endif /* WORDS_BIGENDIAN */
+#endif /* !htobe16 */
+
+#ifndef htobe32
+#if WORDS_BIGENDIAN
+
+#define htobe32(x) (x)
+#define htole32(x) bswap_32(x)
+#define be32toh(x) (x)
+#define le32toh(x) bswap_32(x)
+
+#else /* WORDS_BIGENDIAN */
+
+#define htobe32(x) bswap_32(x)
+#define htole32(x) (x)
+#define be32toh(x) bswap_32(x)
+#define le32toh(x) (x)
+
+#endif /* WORDS_BIGENDIAN */
+#endif /* !htobe32 */
+
+#ifndef htobe64
+#if WORDS_BIGENDIAN
+
+#define htobe64(x) (x)
+#define htole64(x) bswap_64(x)
+#define be64toh(x) (x)
+#define le64toh(x) bswap_64(x)
+
+#else /* WORDS_BIGENDIAN */
+
+#define htobe64(x) bswap_64(x)
+#define htole64(x) (x)
+#define be64toh(x) bswap_64(x)
+#define le64toh(x) (x)
+
+#endif /* WORDS_BIGENDIAN */
+#endif /* !htobe64 */
diff --git a/lib/isc/include/isc/errno.h b/lib/isc/include/isc/errno.h
new file mode 100644
index 0000000..1b058dd
--- /dev/null
+++ b/lib/isc/include/isc/errno.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_ERRNO_H
+#define ISC_ERRNO_H 1
+
+/*! \file isc/file.h */
+
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_errno_toresult(int err);
+/*!<
+ * \brief Convert a POSIX errno value to an ISC result code.
+ */
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_ERRNO_H */
diff --git a/lib/isc/include/isc/error.h b/lib/isc/include/isc/error.h
new file mode 100644
index 0000000..4f6fba3
--- /dev/null
+++ b/lib/isc/include/isc/error.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_ERROR_H
+#define ISC_ERROR_H 1
+
+/*! \file isc/error.h */
+
+#include <stdarg.h>
+
+#include <isc/formatcheck.h>
+#include <isc/lang.h>
+#include <isc/likely.h>
+#include <isc/platform.h>
+
+ISC_LANG_BEGINDECLS
+
+typedef void (*isc_errorcallback_t)(const char *, int, const char *, va_list);
+
+/*% set unexpected error */
+void isc_error_setunexpected(isc_errorcallback_t);
+
+/*% set fatal error */
+void isc_error_setfatal(isc_errorcallback_t);
+
+/*% unexpected error */
+void
+isc_error_unexpected(const char *, int, const char *, ...)
+	ISC_FORMAT_PRINTF(3, 4);
+
+/*% fatal error */
+ISC_PLATFORM_NORETURN_PRE void
+isc_error_fatal(const char *, int, const char *, ...)
+	ISC_FORMAT_PRINTF(3, 4) ISC_PLATFORM_NORETURN_POST;
+
+/*% runtimecheck error */
+ISC_PLATFORM_NORETURN_PRE void
+isc_error_runtimecheck(const char *, int,
+		       const char *) ISC_PLATFORM_NORETURN_POST;
+
+#define ISC_ERROR_RUNTIMECHECK(cond) \
+	((void)(ISC_LIKELY(cond) ||  \
+		((isc_error_runtimecheck)(__FILE__, __LINE__, #cond), 0)))
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_ERROR_H */
diff --git a/lib/isc/include/isc/event.h b/lib/isc/include/isc/event.h
new file mode 100644
index 0000000..e79a8d8
--- /dev/null
+++ b/lib/isc/include/isc/event.h
@@ -0,0 +1,120 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_EVENT_H
+#define ISC_EVENT_H 1
+
+/*! \file isc/event.h */
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+/*****
+***** Events.
+*****/
+
+typedef void (*isc_eventdestructor_t)(isc_event_t *);
+
+#define ISC_EVENT_COMMON(ltype)               \
+	size_t		      ev_size;        \
+	unsigned int	      ev_attributes;  \
+	void		     *ev_tag;         \
+	isc_eventtype_t	      ev_type;        \
+	isc_taskaction_t      ev_action;      \
+	void		     *ev_arg;         \
+	void		     *ev_sender;      \
+	isc_eventdestructor_t ev_destroy;     \
+	void		     *ev_destroy_arg; \
+	ISC_LINK(ltype) ev_link;              \
+	ISC_LINK(ltype) ev_ratelink
+
+/*%
+ * Attributes matching a mask of 0x000000ff are reserved for the task library's
+ * definition.  Attributes of 0xffffff00 may be used by the application
+ * or non-ISC libraries.
+ */
+#define ISC_EVENTATTR_NOPURGE 0x00000001
+
+/*%
+ * The ISC_EVENTATTR_CANCELED attribute is intended to indicate
+ * that an event is delivered as a result of a canceled operation
+ * rather than successful completion, by mutual agreement
+ * between the sender and receiver.  It is not set or used by
+ * the task system.
+ */
+#define ISC_EVENTATTR_CANCELED 0x00000002
+
+#define ISC_EVENT_INIT(event, sz, at, ta, ty, ac, ar, sn, df, da) \
+	do {                                                      \
+		(event)->ev_size = (sz);                          \
+		(event)->ev_attributes = (at);                    \
+		(event)->ev_tag = (ta);                           \
+		(event)->ev_type = (ty);                          \
+		(event)->ev_action = (ac);                        \
+		(event)->ev_arg = (ar);                           \
+		(event)->ev_sender = (sn);                        \
+		(event)->ev_destroy = (df);                       \
+		(event)->ev_destroy_arg = (da);                   \
+		ISC_LINK_INIT((event), ev_link);                  \
+		ISC_LINK_INIT((event), ev_ratelink);              \
+	} while (0)
+
+/*%
+ * This structure is public because "subclassing" it may be useful when
+ * defining new event types.
+ */
+struct isc_event {
+	ISC_EVENT_COMMON(struct isc_event);
+};
+
+#define ISC_EVENTTYPE_FIRSTEVENT 0x00000000
+#define ISC_EVENTTYPE_LASTEVENT	 0xffffffff
+
+#define ISC_EVENT_PTR(p) ((isc_event_t **)(void *)(p))
+
+ISC_LANG_BEGINDECLS
+
+isc_event_t *
+isc_event_allocate(isc_mem_t *mctx, void *sender, isc_eventtype_t type,
+		   isc_taskaction_t action, void *arg, size_t size);
+isc_event_t *
+isc_event_constallocate(isc_mem_t *mctx, void *sender, isc_eventtype_t type,
+			isc_taskaction_t action, const void *arg, size_t size);
+/*%<
+ * Allocate an event structure.
+ *
+ * Allocate and initialize in a structure with initial elements
+ * defined by:
+ *
+ * \code
+ *	struct {
+ *		ISC_EVENT_COMMON(struct isc_event);
+ *		...
+ *	};
+ * \endcode
+ *
+ * Requires:
+ *\li	'size' >= sizeof(struct isc_event)
+ *\li	'action' to be non NULL
+ *
+ * Returns:
+ *\li	a pointer to a initialized structure of the requested size.
+ *\li	NULL if unable to allocate memory.
+ */
+
+void
+isc_event_free(isc_event_t **);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_EVENT_H */
diff --git a/lib/isc/include/isc/eventclass.h b/lib/isc/include/isc/eventclass.h
new file mode 100644
index 0000000..300848a
--- /dev/null
+++ b/lib/isc/include/isc/eventclass.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_EVENTCLASS_H
+#define ISC_EVENTCLASS_H 1
+
+/*! \file isc/eventclass.h
+ ***** Registry of Predefined Event Type Classes
+ *****/
+
+/*%
+ * An event class is an unsigned 16 bit number.  Each class may contain up
+ * to 65536 events.  An event type is formed by adding the event number
+ * within the class to the class number.
+ *
+ */
+
+#define ISC_EVENTCLASS(eclass) ((eclass) << 16)
+
+/*@{*/
+/*!
+ * Classes < 1024 are reserved for ISC use.
+ * Event classes >= 1024 and <= 65535 are reserved for application use.
+ */
+
+#define ISC_EVENTCLASS_TASK	   ISC_EVENTCLASS(0)
+#define ISC_EVENTCLASS_TIMER	   ISC_EVENTCLASS(1)
+#define ISC_EVENTCLASS_SOCKET	   ISC_EVENTCLASS(2)
+#define ISC_EVENTCLASS_FILE	   ISC_EVENTCLASS(3)
+#define ISC_EVENTCLASS_DNS	   ISC_EVENTCLASS(4)
+#define ISC_EVENTCLASS_APP	   ISC_EVENTCLASS(5)
+#define ISC_EVENTCLASS_OMAPI	   ISC_EVENTCLASS(6)
+#define ISC_EVENTCLASS_RATELIMITER ISC_EVENTCLASS(7)
+#define ISC_EVENTCLASS_ISCCC	   ISC_EVENTCLASS(8)
+#define ISC_EVENTCLASS_NS	   ISC_EVENTCLASS(9)
+/*@}*/
+
+#endif /* ISC_EVENTCLASS_H */
diff --git a/lib/isc/include/isc/file.h b/lib/isc/include/isc/file.h
new file mode 100644
index 0000000..6ef2a39
--- /dev/null
+++ b/lib/isc/include/isc/file.h
@@ -0,0 +1,400 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_FILE_H
+#define ISC_FILE_H 1
+
+/*! \file isc/file.h */
+
+#include <stdbool.h>
+#include <stdio.h>
+
+#include <isc/lang.h>
+#include <isc/stat.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_file_settime(const char *file, isc_time_t *time);
+
+isc_result_t
+isc_file_mode(const char *file, mode_t *modep);
+
+isc_result_t
+isc_file_getmodtime(const char *file, isc_time_t *time);
+/*!<
+ * \brief Get the time of last modification of a file.
+ *
+ * Notes:
+ *\li	The time that is set is relative to the (OS-specific) epoch, as are
+ *	all isc_time_t structures.
+ *
+ * Requires:
+ *\li	file != NULL.
+ *\li	time != NULL.
+ *
+ * Ensures:
+ *\li	If the file could not be accessed, 'time' is unchanged.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *		Success.
+ *\li	#ISC_R_NOTFOUND
+ *		No such file exists.
+ *\li	#ISC_R_INVALIDFILE
+ *		The path specified was not usable by the operating system.
+ *\li	#ISC_R_NOPERM
+ *		The file's metainformation could not be retrieved because
+ *		permission was denied to some part of the file's path.
+ *\li	#ISC_R_IOERROR
+ *		Hardware error interacting with the filesystem.
+ *\li	#ISC_R_UNEXPECTED
+ *		Something totally unexpected happened.
+ *
+ */
+
+isc_result_t
+isc_file_mktemplate(const char *path, char *buf, size_t buflen);
+/*!<
+ * \brief Generate a template string suitable for use with
+ * isc_file_openunique().
+ *
+ * Notes:
+ *\li	This function is intended to make creating temporary files
+ *	portable between different operating systems.
+ *
+ *\li	The path is prepended to an implementation-defined string and
+ *	placed into buf.  The string has no path characters in it,
+ *	and its maximum length is 14 characters plus a NUL.  Thus
+ *	buflen should be at least strlen(path) + 15 characters or
+ *	an error will be returned.
+ *
+ * Requires:
+ *\li	buf != NULL.
+ *
+ * Ensures:
+ *\li	If result == #ISC_R_SUCCESS:
+ *		buf contains a string suitable for use as the template argument
+ *		to isc_file_openunique().
+ *
+ *\li	If result != #ISC_R_SUCCESS:
+ *		buf is unchanged.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS 	Success.
+ *\li	#ISC_R_NOSPACE	buflen indicates buf is too small for the catenation
+ *				of the path with the internal template string.
+ */
+
+isc_result_t
+isc_file_openunique(char *templet, FILE **fp);
+isc_result_t
+isc_file_openuniqueprivate(char *templet, FILE **fp);
+isc_result_t
+isc_file_openuniquemode(char *templet, int mode, FILE **fp);
+isc_result_t
+isc_file_bopenunique(char *templet, FILE **fp);
+isc_result_t
+isc_file_bopenuniqueprivate(char *templet, FILE **fp);
+isc_result_t
+isc_file_bopenuniquemode(char *templet, int mode, FILE **fp);
+/*!<
+ * \brief Create and open a file with a unique name based on 'templet'.
+ *	isc_file_bopen*() open the file in binary mode in Windows.
+ *	isc_file_open*() open the file in text mode in Windows.
+ *
+ * Notes:
+ *\li	'template' is a reserved work in C++.  If you want to complain
+ *	about the spelling of 'templet', first look it up in the
+ *	Merriam-Webster English dictionary. (http://www.m-w.com/)
+ *
+ *\li	This function works by using the template to generate file names.
+ *	The template must be a writable string, as it is modified in place.
+ *	Trailing X characters in the file name (full file name on Unix,
+ *	basename on Win32 -- eg, tmp-XXXXXX vs XXXXXX.tmp, respectively)
+ *	are replaced with ASCII characters until a non-existent filename
+ *	is found.  If the template does not include pathname information,
+ *	the files in the working directory of the program are searched.
+ *
+ *\li	isc_file_mktemplate is a good, portable way to get a template.
+ *
+ * Requires:
+ *\li	'fp' is non-NULL and '*fp' is NULL.
+ *
+ *\li	'template' is non-NULL, and of a form suitable for use by
+ *	the system as described above.
+ *
+ * Ensures:
+ *\li	If result is #ISC_R_SUCCESS:
+ *		*fp points to an stream opening in stdio's "w+" mode.
+ *
+ *\li	If result is not #ISC_R_SUCCESS:
+ *		*fp is NULL.
+ *
+ *		No file is open.  Even if one was created (but unable
+ *		to be reopened as a stdio FILE pointer) then it has been
+ *		removed.
+ *
+ *\li	This function does *not* ensure that the template string has not been
+ *	modified, even if the operation was unsuccessful.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *		Success.
+ *\li	#ISC_R_EXISTS
+ *		No file with a unique name could be created based on the
+ *		template.
+ *\li	#ISC_R_INVALIDFILE
+ *		The path specified was not usable by the operating system.
+ *\li	#ISC_R_NOPERM
+ *		The file could not be created because permission was denied
+ *		to some part of the file's path.
+ *\li	#ISC_R_IOERROR
+ *		Hardware error interacting with the filesystem.
+ *\li	#ISC_R_UNEXPECTED
+ *		Something totally unexpected happened.
+ */
+
+isc_result_t
+isc_file_remove(const char *filename);
+/*!<
+ * \brief Remove the file named by 'filename'.
+ */
+
+isc_result_t
+isc_file_rename(const char *oldname, const char *newname);
+/*!<
+ * \brief Rename the file 'oldname' to 'newname'.
+ */
+
+bool
+isc_file_exists(const char *pathname);
+/*!<
+ * \brief Return #true if the calling process can tell that the given file
+ * exists. Will not return true if the calling process has insufficient
+ * privileges to search the entire path.
+ */
+
+bool
+isc_file_isabsolute(const char *filename);
+/*!<
+ * \brief Return #true if the given file name is absolute.
+ */
+
+isc_result_t
+isc_file_isplainfile(const char *name);
+
+isc_result_t
+isc_file_isplainfilefd(int fd);
+/*!<
+ * \brief Check that the file is a plain file
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *		Success. The file is a plain file.
+ *\li	#ISC_R_INVALIDFILE
+ *		The path specified was not usable by the operating system.
+ *\li	#ISC_R_FILENOTFOUND
+ *		The file does not exist. This return code comes from
+ *		errno=ENOENT when stat returns -1. This code is mentioned
+ *		here, because in logconf.c, it is the one rcode that is
+ *		permitted in addition to ISC_R_SUCCESS. This is done since
+ *		the next call in logconf.c is to isc_stdio_open(), which
+ *		will create the file if it can.
+ *\li	other ISC_R_* errors translated from errno
+ *		These occur when stat returns -1 and an errno.
+ */
+
+isc_result_t
+isc_file_isdirectory(const char *name);
+/*!<
+ * \brief Check that 'name' exists and is a directory.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *		Success, file is a directory.
+ *\li	#ISC_R_INVALIDFILE
+ *		File is not a directory.
+ *\li	#ISC_R_FILENOTFOUND
+ *		File does not exist.
+ *\li	other ISC_R_* errors translated from errno
+ *		These occur when stat returns -1 and an errno.
+ */
+
+bool
+isc_file_iscurrentdir(const char *filename);
+/*!<
+ * \brief Return #true if the given file name is the current directory (".").
+ */
+
+bool
+isc_file_ischdiridempotent(const char *filename);
+/*%<
+ * Return #true if calling chdir(filename) multiple times will give
+ * the same result as calling it once.
+ */
+
+const char *
+isc_file_basename(const char *filename);
+/*%<
+ * Return the final component of the path in the file name.
+ */
+
+isc_result_t
+isc_file_progname(const char *filename, char *buf, size_t buflen);
+/*!<
+ * \brief Given an operating system specific file name "filename"
+ * referring to a program, return the canonical program name.
+ *
+ * Any directory prefix or executable file name extension (if
+ * used on the OS in case) is stripped.  On systems where program
+ * names are case insensitive, the name is canonicalized to all
+ * lower case.  The name is written to 'buf', an array of 'buflen'
+ * chars, and null terminated.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOSPACE 	The name did not fit in 'buf'.
+ */
+
+isc_result_t
+isc_file_template(const char *path, const char *templet, char *buf,
+		  size_t buflen);
+/*%<
+ * Create an OS specific template using 'path' to define the directory
+ * 'templet' to describe the filename and store the result in 'buf'
+ * such that path can be renamed to buf atomically.
+ */
+
+isc_result_t
+isc_file_renameunique(const char *file, char *templet);
+/*%<
+ * Rename 'file' using 'templet' as a template for the new file name.
+ */
+
+isc_result_t
+isc_file_absolutepath(const char *filename, char *path, size_t pathlen);
+/*%<
+ * Given a file name, return the fully qualified path to the file.
+ */
+
+/*
+ * XXX We should also have a isc_file_writeeopen() function
+ * for safely open a file in a publicly writable directory
+ * (see write_open() in BIND 8's ns_config.c).
+ */
+
+isc_result_t
+isc_file_truncate(const char *filename, isc_offset_t size);
+/*%<
+ * Truncate/extend the file specified to 'size' bytes.
+ */
+
+isc_result_t
+isc_file_safecreate(const char *filename, FILE **fp);
+/*%<
+ * Open 'filename' for writing, truncating if necessary.  Ensure that
+ * if it existed it was a normal file.  If creating the file, ensure
+ * that only the owner can read/write it.
+ */
+
+isc_result_t
+isc_file_splitpath(isc_mem_t *mctx, const char *path, char **dirname,
+		   char const **basename);
+/*%<
+ * Split a path into dirname and basename.  If 'path' contains no slash
+ * (or, on windows, backslash), then '*dirname' is set to ".".
+ *
+ * Allocates memory for '*dirname', which can be freed with isc_mem_free().
+ *
+ * Returns:
+ * - ISC_R_SUCCESS on success
+ * - ISC_R_INVALIDFILE if 'path' is empty or ends with '/'
+ * - ISC_R_NOMEMORY if unable to allocate memory
+ */
+
+isc_result_t
+isc_file_getsize(const char *file, off_t *size);
+/*%<
+ * Return the size of the file (stored in the parameter pointed
+ * to by 'size') in bytes.
+ *
+ * Returns:
+ * - ISC_R_SUCCESS on success
+ */
+
+isc_result_t
+isc_file_getsizefd(int fd, off_t *size);
+/*%<
+ * Return the size of the file (stored in the parameter pointed
+ * to by 'size') in bytes.
+ *
+ * Returns:
+ * - ISC_R_SUCCESS on success
+ */
+
+void *
+isc_file_mmap(void *addr, size_t len, int prot, int flags, int fd,
+	      off_t offset);
+/*%<
+ * Portable front-end to mmap().  If mmap() is not defined on this
+ * platform, then we simulate it by calling malloc() and read().
+ * (In this event, the addr, prot, and flags parameters are ignored).
+ */
+
+int
+isc_file_munmap(void *addr, size_t len);
+/*%<
+ * Portable front-end to munmap().  If munmap() is not defined on
+ * this platform, then we simply free the memory.
+ */
+
+isc_result_t
+isc_file_sanitize(const char *dir, const char *base, const char *ext,
+		  char *path, size_t length);
+/*%<
+ * Generate a sanitized filename, such as for MKEYS or NZF files.
+ *
+ * Historically, MKEYS and NZF files used SHA256 hashes of the view
+ * name for the filename; this was to deal with the possibility of
+ * forbidden characters such as "/" being in a view name, and to
+ * avoid problems with case-insensitive file systems.
+ *
+ * Given a basename 'base' and an extension 'ext', this function checks
+ * for the existence of file using the old-style name format in directory
+ * 'dir'. If found, it returns the path to that file.  If there is no
+ * file already in place, a new pathname is generated; if the basename
+ * contains any excluded characters, then a truncated SHA256 hash is
+ * used, otherwise the basename is used.  The path name is copied
+ * into 'path', which must point to a buffer of at least 'length'
+ * bytes.
+ *
+ * Requires:
+ * - base != NULL
+ * - path != NULL
+ *
+ * Returns:
+ * - ISC_R_SUCCESS on success
+ * - ISC_R_NOSPACE if the resulting path would be longer than 'length'
+ */
+
+bool
+isc_file_isdirwritable(const char *path);
+/*%<
+ *	Return true if the path is a directory and is writable
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_FILE_H */
diff --git a/lib/isc/include/isc/formatcheck.h b/lib/isc/include/isc/formatcheck.h
new file mode 100644
index 0000000..28bd573
--- /dev/null
+++ b/lib/isc/include/isc/formatcheck.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_FORMATCHECK_H
+#define ISC_FORMATCHECK_H 1
+
+/*! \file isc/formatcheck.h */
+
+/*%
+ * ISC_FORMAT_PRINTF().
+ *
+ * \li fmt is the location of the format string parameter.
+ * \li args is the location of the first argument (or 0 for no argument
+ * checking).
+ *
+ * Note:
+ * \li The first parameter is 1, not 0.
+ */
+#ifdef __GNUC__
+#define ISC_FORMAT_PRINTF(fmt, args) \
+	__attribute__((__format__(__printf__, fmt, args)))
+#else /* ifdef __GNUC__ */
+#define ISC_FORMAT_PRINTF(fmt, args)
+#endif /* ifdef __GNUC__ */
+
+#endif /* ISC_FORMATCHECK_H */
diff --git a/lib/isc/include/isc/fsaccess.h b/lib/isc/include/isc/fsaccess.h
new file mode 100644
index 0000000..46c8774
--- /dev/null
+++ b/lib/isc/include/isc/fsaccess.h
@@ -0,0 +1,174 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_FSACCESS_H
+#define ISC_FSACCESS_H 1
+
+/*! \file isc/fsaccess.h
+ * \brief The ISC filesystem access module encapsulates the setting of file
+ * and directory access permissions into one API that is meant to be
+ * portable to multiple operating systems.
+ *
+ * The two primary operating system flavors that are initially accommodated
+ * are POSIX and Windows NT 4.0 and later.  The Windows NT access model is
+ * considerable more flexible than POSIX's model (as much as I am loathe to
+ * admit it), and so the ISC API has a higher degree of complexity than would
+ * be needed to simply address POSIX's needs.
+ *
+ * The full breadth of NT's flexibility is not available either, for the
+ * present time.  Much of it is to provide compatibility with what Unix
+ * programmers are expecting.  This is also due to not yet really needing all
+ * of the functionality of an NT system (or, for that matter, a POSIX system)
+ * in BIND9, and so resolving how to handle the various incompatibilities has
+ * been a purely theoretical exercise with no operational experience to
+ * indicate how flawed the thinking may be.
+ *
+ * Some of the more notable dumbing down of NT for this API includes:
+ *
+ *\li   Each of FILE_READ_DATA and FILE_READ_EA are set with #ISC_FSACCESS_READ.
+ *
+ * \li  All of FILE_WRITE_DATA, FILE_WRITE_EA and FILE_APPEND_DATA are
+ *     set with #ISC_FSACCESS_WRITE.  FILE_WRITE_ATTRIBUTES is not set
+ *     so as to be consistent with Unix, where only the owner of the file
+ *     or the superuser can change the attributes/mode of a file.
+ *
+ * \li  Both of FILE_ADD_FILE and FILE_ADD_SUBDIRECTORY are set with
+ *     #ISC_FSACCESS_CREATECHILD.  This is similar to setting the WRITE
+ *     permission on a Unix directory.
+ *
+ * \li  SYNCHRONIZE is always set for files and directories, unless someone
+ *     can give me a reason why this is a bad idea.
+ *
+ * \li  READ_CONTROL and FILE_READ_ATTRIBUTES are always set; this is
+ *     consistent with Unix, where any file or directory can be stat()'d
+ *     unless the directory path disallows complete access somewhere along
+ *     the way.
+ *
+ * \li  WRITE_DAC is only set for the owner.  This too is consistent with
+ *     Unix, and is tighter security than allowing anyone else to be
+ *     able to set permissions.
+ *
+ * \li  DELETE is only set for the owner.  On Unix the ability to delete
+ *     a file is controlled by the directory permissions, but it isn't
+ *     currently clear to me what happens on NT if the directory has
+ *     FILE_DELETE_CHILD set but a file within it does not have DELETE
+ *     set.  Always setting DELETE on the file/directory for the owner
+ *     gives maximum flexibility to the owner without exposing the
+ *     file to deletion by others.
+ *
+ * \li  WRITE_OWNER is never set.  This too is consistent with Unix,
+ *     and is also tighter security than allowing anyone to change the
+ *     ownership of the file apart from the superu..ahem, Administrator.
+ *
+ * \li  Inheritance is set to NO_INHERITANCE.
+ *
+ * Unix's dumbing down includes:
+ *
+ * \li  The sticky bit cannot be set.
+ *
+ * \li  setuid and setgid cannot be set.
+ *
+ * \li  Only regular files and directories can be set.
+ *
+ * The rest of this comment discusses a few of the incompatibilities
+ * between the two systems that need more thought if this API is to
+ * be extended to accommodate them.
+ *
+ * The Windows standard access right "DELETE" doesn't have a direct
+ * equivalent in the Unix world, so it isn't clear what should be done
+ * with it.
+ *
+ * The Unix sticky bit is not supported.  While NT does have a concept
+ * of allowing users to create files in a directory but not delete or
+ * rename them, it does not have a concept of allowing them to be deleted
+ * if they are owned by the user trying to delete/rename.  While it is
+ * probable that something could be cobbled together in NT 5 with inheritance,
+ * it can't really be done in NT 4 as a single property that you could
+ * set on a directory.  You'd need to coordinate something with file creation
+ * so that every file created had DELETE set for the owner but no one else.
+ *
+ * On Unix systems, setting #ISC_FSACCESS_LISTDIRECTORY sets READ.
+ * ... setting either #ISC_FSACCESS_CREATECHILD or #ISC_FSACCESS_DELETECHILD
+ *      sets WRITE.
+ * ... setting #ISC_FSACCESS_ACCESSCHILD sets EXECUTE.
+ *
+ * On NT systems, setting #ISC_FSACCESS_LISTDIRECTORY sets FILE_LIST_DIRECTORY.
+ * ... setting #ISC_FSACCESS_CREATECHILD sets FILE_CREATE_CHILD independently.
+ * ... setting #ISC_FSACCESS_DELETECHILD sets FILE_DELETE_CHILD independently.
+ * ... setting #ISC_FSACCESS_ACCESSCHILD sets FILE_TRAVERSE.
+ *
+ * Unresolved:							XXXDCL
+ * \li  What NT access right controls the ability to rename a file?
+ * \li  How does DELETE work?  If a directory has FILE_DELETE_CHILD but a
+ *      file or directory within it does not have DELETE, is that file
+ *	or directory deletable?
+ * \li  To implement isc_fsaccess_get(), mapping an existing Unix permission
+ * 	mode_t back to an isc_fsaccess_t is pretty trivial; however, mapping
+ *	an NT DACL could be impossible to do in a responsible way.
+ * \li  Similarly, trying to implement the functionality of being able to
+ *	say "add group writability to whatever permissions already exist"
+ *	could be tricky on NT because of the order-of-entry issue combined
+ *	with possibly having one or more matching ACEs already explicitly
+ *	granting or denying access.  Because this functionality is
+ *	not yet needed by the ISC, no code has been written to try to
+ * 	solve this problem.
+ */
+
+#include <inttypes.h>
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+/*
+ * Trustees.
+ */
+#define ISC_FSACCESS_OWNER 0x1 /*%< User account. */
+#define ISC_FSACCESS_GROUP 0x2 /*%< Primary group owner. */
+#define ISC_FSACCESS_OTHER 0x4 /*%< Not the owner or the group owner. */
+#define ISC_FSACCESS_WORLD 0x7 /*%< User, Group, Other. */
+
+/*
+ * Types of permission.
+ */
+#define ISC_FSACCESS_READ	   0x00000001 /*%< File only. */
+#define ISC_FSACCESS_WRITE	   0x00000002 /*%< File only. */
+#define ISC_FSACCESS_EXECUTE	   0x00000004 /*%< File only. */
+#define ISC_FSACCESS_CREATECHILD   0x00000008 /*%< Dir only. */
+#define ISC_FSACCESS_DELETECHILD   0x00000010 /*%< Dir only. */
+#define ISC_FSACCESS_LISTDIRECTORY 0x00000020 /*%< Dir only. */
+#define ISC_FSACCESS_ACCESSCHILD   0x00000040 /*%< Dir only. */
+
+/*%
+ * Adding any permission bits beyond 0x200 would mean typedef'ing
+ * isc_fsaccess_t as uint64_t, and redefining this value to
+ * reflect the new range of permission types, Probably to 21 for
+ * maximum flexibility.  The number of bits has to accommodate all of
+ * the permission types, and three full sets of them have to fit
+ * within an isc_fsaccess_t.
+ */
+#define ISC__FSACCESS_PERMISSIONBITS 10
+
+ISC_LANG_BEGINDECLS
+
+void
+isc_fsaccess_add(int trustee, int permission, isc_fsaccess_t *access);
+
+void
+isc_fsaccess_remove(int trustee, int permission, isc_fsaccess_t *access);
+
+isc_result_t
+isc_fsaccess_set(const char *path, isc_fsaccess_t access);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_FSACCESS_H */
diff --git a/lib/isc/include/isc/fuzz.h b/lib/isc/include/isc/fuzz.h
new file mode 100644
index 0000000..207728e
--- /dev/null
+++ b/lib/isc/include/isc/fuzz.h
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_FUZZ_H
+#define ISC_FUZZ_H
+
+typedef enum {
+	isc_fuzz_none,
+	isc_fuzz_client,
+	isc_fuzz_tcpclient,
+	isc_fuzz_resolver,
+	isc_fuzz_http,
+	isc_fuzz_rndc
+} isc_fuzztype_t;
+
+#endif /* ISC_FUZZ_H */
diff --git a/lib/isc/include/isc/hash.h b/lib/isc/include/isc/hash.h
new file mode 100644
index 0000000..62ba186
--- /dev/null
+++ b/lib/isc/include/isc/hash.h
@@ -0,0 +1,66 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_HASH_H
+#define ISC_HASH_H 1
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include "isc/lang.h"
+#include "isc/types.h"
+
+/***
+ *** Functions
+ ***/
+ISC_LANG_BEGINDECLS
+
+const void *
+isc_hash_get_initializer(void);
+
+void
+isc_hash_set_initializer(const void *initializer);
+
+#define isc_hash_function isc_hash64
+
+uint32_t
+isc_hash32(const void *data, const size_t length, const bool case_sensitive);
+uint64_t
+isc_hash64(const void *data, const size_t length, const bool case_sensitive);
+/*!<
+ * \brief Calculate a hash over data.
+ *
+ * This hash function is useful for hashtables. The hash function is
+ * opaque and not important to the caller. The returned hash values are
+ * non-deterministic and will have different mapping every time a
+ * process using this library is run, but will have uniform
+ * distribution.
+ *
+ * isc_hash_32/64() calculates the hash from start to end over the
+ * input data.
+ *
+ * 'data' is the data to be hashed.
+ *
+ * 'length' is the size of the data to be hashed.
+ *
+ * 'case_sensitive' specifies whether the hash key should be treated as
+ * case_sensitive values.  It should typically be false if the hash key
+ * is a DNS name.
+ *
+ * Returns:
+ * \li 32 or 64-bit hash value
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_HASH_H */
diff --git a/lib/isc/include/isc/heap.h b/lib/isc/include/isc/heap.h
new file mode 100644
index 0000000..d492c60
--- /dev/null
+++ b/lib/isc/include/isc/heap.h
@@ -0,0 +1,164 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_HEAP_H
+#define ISC_HEAP_H 1
+
+/*! \file isc/heap.h */
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*%
+ * The comparison function returns true if the first argument has
+ * higher priority than the second argument, and false otherwise.
+ */
+typedef bool (*isc_heapcompare_t)(void *, void *);
+
+/*%
+ * The index function allows the client of the heap to receive a callback
+ * when an item's index number changes.  This allows it to maintain
+ * sync with its external state, but still delete itself, since deletions
+ * from the heap require the index be provided.
+ */
+typedef void (*isc_heapindex_t)(void *, unsigned int);
+
+/*%
+ * The heapaction function is used when iterating over the heap.
+ *
+ * NOTE:  The heap structure CANNOT BE MODIFIED during the call to
+ * isc_heap_foreach().
+ */
+typedef void (*isc_heapaction_t)(void *, void *);
+
+typedef struct isc_heap isc_heap_t;
+
+void
+isc_heap_create(isc_mem_t *mctx, isc_heapcompare_t compare,
+		isc_heapindex_t index, unsigned int size_increment,
+		isc_heap_t **heapp);
+/*!<
+ * \brief Create a new heap.  The heap is implemented using a space-efficient
+ * storage method.  When the heap elements are deleted space is not freed
+ * but will be reused when new elements are inserted.
+ *
+ * Heap elements are indexed from 1.
+ *
+ * Requires:
+ *\li	"mctx" is valid.
+ *\li	"compare" is a function which takes two void * arguments and
+ *	returns true if the first argument has a higher priority than
+ *	the second, and false otherwise.
+ *\li	"index" is a function which takes a void *, and an unsigned int
+ *	argument.  This function will be called whenever an element's
+ *	index value changes, so it may continue to delete itself from the
+ *	heap.  This option may be NULL if this functionality is unneeded.
+ *\li	"size_increment" is a hint about how large the heap should grow
+ *	when resizing is needed.  If this is 0, a default size will be
+ *	used, which is currently 1024, allowing space for an additional 1024
+ *	heap elements to be inserted before adding more space.
+ *\li	"heapp" is not NULL, and "*heap" is NULL.
+ */
+
+void
+isc_heap_destroy(isc_heap_t **heapp);
+/*!<
+ * \brief Destroys a heap.
+ *
+ * Requires:
+ *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
+ */
+
+void
+isc_heap_insert(isc_heap_t *heap, void *elt);
+/*!<
+ * \brief Inserts a new element into a heap.
+ *
+ * Requires:
+ *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
+ */
+
+void
+isc_heap_delete(isc_heap_t *heap, unsigned int index);
+/*!<
+ * \brief Deletes an element from a heap, by element index.
+ *
+ * Requires:
+ *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
+ *\li	"index" is a valid element index, as provided by the "index" callback
+ *	provided during heap creation.
+ */
+
+void
+isc_heap_increased(isc_heap_t *heap, unsigned int index);
+/*!<
+ * \brief Indicates to the heap that an element's priority has increased.
+ * This function MUST be called whenever an element has increased in priority.
+ *
+ * Requires:
+ *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
+ *\li	"index" is a valid element index, as provided by the "index" callback
+ *	provided during heap creation.
+ */
+
+void
+isc_heap_decreased(isc_heap_t *heap, unsigned int index);
+/*!<
+ * \brief Indicates to the heap that an element's priority has decreased.
+ * This function MUST be called whenever an element has decreased in priority.
+ *
+ * Requires:
+ *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
+ *\li	"index" is a valid element index, as provided by the "index" callback
+ *	provided during heap creation.
+ */
+
+void *
+isc_heap_element(isc_heap_t *heap, unsigned int index);
+/*!<
+ * \brief Returns the element for a specific element index.
+ *
+ * Requires:
+ *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
+ *\li	"index" is a valid element index, as provided by the "index" callback
+ *	provided during heap creation.
+ *
+ * Returns:
+ *\li	A pointer to the element for the element index.
+ */
+
+void
+isc_heap_foreach(isc_heap_t *heap, isc_heapaction_t action, void *uap);
+/*!<
+ * \brief Iterate over the heap, calling an action for each element.  The
+ * order of iteration is not sorted.
+ *
+ * Requires:
+ *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
+ *\li	"action" is not NULL, and is a function which takes two arguments.
+ *	The first is a void *, representing the element, and the second is
+ *	"uap" as provided to isc_heap_foreach.
+ *\li	"uap" is a caller-provided argument, and may be NULL.
+ *
+ * Note:
+ *\li	The heap structure CANNOT be modified during this iteration.  The only
+ *	safe function to call while iterating the heap is isc_heap_element().
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_HEAP_H */
diff --git a/lib/isc/include/isc/hex.h b/lib/isc/include/isc/hex.h
new file mode 100644
index 0000000..a0e5e39
--- /dev/null
+++ b/lib/isc/include/isc/hex.h
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_HEX_H
+#define ISC_HEX_H 1
+
+/*! \file isc/hex.h */
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t
+isc_hex_totext(isc_region_t *source, int wordlength, const char *wordbreak,
+	       isc_buffer_t *target);
+/*!<
+ * \brief Convert data into hex encoded text.
+ *
+ * Notes:
+ *\li	The hex encoded text in 'target' will be divided into
+ *	words of at most 'wordlength' characters, separated by
+ * 	the 'wordbreak' string.  No parentheses will surround
+ *	the text.
+ *
+ * Requires:
+ *\li	'source' is a region containing binary data
+ *\li	'target' is a text buffer containing available space
+ *\li	'wordbreak' points to a null-terminated string of
+ *		zero or more whitespace characters
+ *
+ * Ensures:
+ *\li	target will contain the hex encoded version of the data
+ *	in source.  The 'used' pointer in target will be advanced as
+ *	necessary.
+ */
+
+isc_result_t
+isc_hex_decodestring(const char *cstr, isc_buffer_t *target);
+/*!<
+ * \brief Decode a null-terminated hex string.
+ *
+ * Requires:
+ *\li	'cstr' is non-null.
+ *\li	'target' is a valid buffer.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS	-- the entire decoded representation of 'cstring'
+ *			   fit in 'target'.
+ *\li	#ISC_R_BADHEX -- 'cstr' is not a valid hex encoding.
+ *
+ * 	Other error returns are any possible error code from:
+ *		isc_lex_create(),
+ *		isc_lex_openbuffer(),
+ *		isc_hex_tobuffer().
+ */
+
+isc_result_t
+isc_hex_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length);
+/*!<
+ * \brief Convert hex-encoded text from a lexer context into
+ * `target`. If 'length' is non-negative, it is the expected number of
+ * encoded octets to convert.
+ *
+ * If 'length' is -1 then 0 or more encoded octets are expected.
+ * If 'length' is -2 then 1 or more encoded octets are expected.
+ *
+ * Returns:
+ *\li	#ISC_R_BADHEX -- invalid hex encoding
+ *\li	#ISC_R_UNEXPECTEDEND: the text does not contain the expected
+ *			      number of encoded octets.
+ *
+ * Requires:
+ *\li	'lexer' is a valid lexer context
+ *\li	'target' is a buffer containing binary data
+ *\li	'length' is -2, -1, or non-negative
+ *
+ * Ensures:
+ *\li	target will contain the data represented by the hex encoded
+ *	string parsed by the lexer.  No more than `length` octets will
+ *	be read, if `length` is non-negative.  The 'used' pointer in
+ *	'target' will be advanced as necessary.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_HEX_H */
diff --git a/lib/isc/include/isc/hmac.h b/lib/isc/include/isc/hmac.h
new file mode 100644
index 0000000..3d0e741
--- /dev/null
+++ b/lib/isc/include/isc/hmac.h
@@ -0,0 +1,147 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*!
+ * \file isc/hmac.h
+ * \brief This is the header for for message authentication code.
+ */
+
+#pragma once
+
+#include <isc/lang.h>
+#include <isc/md.h>
+#include <isc/platform.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+typedef void isc_hmac_t;
+
+/**
+ * isc_hmac:
+ * @type: the digest type
+ * @key: the key
+ * @keylen: the length of the key
+ * @buf: data to hash
+ * @len: length of the data to hash
+ * @digest: the output buffer
+ * @digestlen: the length of the data written to @digest
+ *
+ * This function computes the message authentication code using a digest type
+ * @type with key @key which is @keylen bytes long from data in @buf which is
+ * @len bytes long, and places the output into @digest, which must have space
+ * for the hash function output (use ISC_MAX_MD_SIZE if unsure).  If the
+ * @digestlen parameter is not NULL then the number of bytes of data written
+ * (i.e. the length of the digest) will be written to the @digestlen.
+ */
+isc_result_t
+isc_hmac(const isc_md_type_t *type, const void *key, const int keylen,
+	 const unsigned char *buf, const size_t len, unsigned char *digest,
+	 unsigned int *digestlen);
+
+/**
+ * isc_hmac_new:
+ *
+ * This function allocates, initializes and returns HMAC context.
+ */
+isc_hmac_t *
+isc_hmac_new(void);
+
+/**
+ * isc_hmac_free:
+ * @md: HMAC context
+ *
+ * This function cleans up HMAC context and frees up the space allocated to it.
+ */
+void
+isc_hmac_free(isc_hmac_t *hmac);
+
+/**
+ * isc_hmac_init:
+ * @md: HMAC context
+ * @key: HMAC key
+ * @keylen: HMAC key length
+ * @type: digest type
+ *
+ * This function sets up HMAC context to use a hash function of @type and key
+ * @key which is @keylen bytes long.
+ */
+
+isc_result_t
+isc_hmac_init(isc_hmac_t *hmac, const void *key, size_t keylen,
+	      const isc_md_type_t *type);
+
+/**
+ * isc_hmac_reset:
+ * @hmac: HMAC context
+ *
+ * This function resets the HMAC context.  This can be used to reuse an already
+ * existing context.
+ */
+isc_result_t
+isc_hmac_reset(isc_hmac_t *hmac);
+
+/**
+ * isc_hmac_update:
+ * @hmac: HMAC context
+ * @buf: data to hash
+ * @len: length of the data to hash
+ *
+ * This function can be called repeatedly with chunks of the message @buf to be
+ * authenticated which is @len bytes long.
+ */
+isc_result_t
+isc_hmac_update(isc_hmac_t *hmac, const unsigned char *buf, const size_t len);
+
+/**
+ * isc_hmac_final:
+ * @hmac: HMAC context
+ * @digest: the output buffer
+ * @digestlen: the length of the data written to @digest
+ *
+ * This function retrieves the message authentication code from @hmac and places
+ * it in @digest, which must have space for the hash function output.  If the
+ * @digestlen parameter is not NULL then the number of bytes of data written
+ * (i.e. the length of the digest) will be written to the @digestlen.  After
+ * calling this function no additional calls to isc_hmac_update() can be made.
+ */
+isc_result_t
+isc_hmac_final(isc_hmac_t *hmac, unsigned char *digest,
+	       unsigned int *digestlen);
+
+/**
+ * isc_hmac_md_type:
+ * @hmac: HMAC context
+ *
+ * This function return the isc_md_type_t previously set for the supplied
+ * HMAC context or NULL if no isc_md_type_t has been set.
+ */
+const isc_md_type_t *
+isc_hmac_get_md_type(isc_hmac_t *hmac);
+
+/**
+ * isc_hmac_get_size:
+ *
+ * This function return the size of the message digest when passed an isc_hmac_t
+ * structure, i.e. the size of the hash.
+ */
+size_t
+isc_hmac_get_size(isc_hmac_t *hmac);
+
+/**
+ * isc_hmac_get_block_size:
+ *
+ * This function return the block size of the message digest when passed an
+ * isc_hmac_t structure.
+ */
+int
+isc_hmac_get_block_size(isc_hmac_t *hmac);
diff --git a/lib/isc/include/isc/ht.h b/lib/isc/include/isc/ht.h
new file mode 100644
index 0000000..f1386bb
--- /dev/null
+++ b/lib/isc/include/isc/ht.h
@@ -0,0 +1,183 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* ! \file */
+
+#ifndef ISC_HT_H
+#define ISC_HT_H 1
+
+#include <inttypes.h>
+#include <string.h>
+
+#include <isc/result.h>
+#include <isc/types.h>
+
+typedef struct isc_ht	   isc_ht_t;
+typedef struct isc_ht_iter isc_ht_iter_t;
+
+/*%
+ * Initialize hashtable at *htp, using memory context and size of (1<<bits)
+ *
+ * Requires:
+ *\li	'htp' is not NULL and '*htp' is NULL.
+ *\li	'mctx' is a valid memory context.
+ *\li	'bits' >=1 and 'bits' <=32
+ *
+ */
+void
+isc_ht_init(isc_ht_t **htp, isc_mem_t *mctx, uint8_t bits);
+
+/*%
+ * Destroy hashtable, freeing everything
+ *
+ * Requires:
+ * \li	'*htp' is valid hashtable
+ */
+void
+isc_ht_destroy(isc_ht_t **htp);
+
+/*%
+ * Add a node to hashtable, pointed by binary key 'key' of size 'keysize';
+ * set its value to 'value'
+ *
+ * Requires:
+ *\li	'ht' is a valid hashtable
+ *
+ * Returns:
+ *\li	#ISC_R_NOMEMORY		-- not enough memory to create pool
+ *\li	#ISC_R_EXISTS		-- node of the same key already exists
+ *\li	#ISC_R_SUCCESS		-- all is well.
+ */
+isc_result_t
+isc_ht_add(isc_ht_t *ht, const unsigned char *key, uint32_t keysize,
+	   void *value);
+
+/*%
+ * Find a node matching 'key'/'keysize' in hashtable 'ht';
+ * if found, set '*valuep' to its value. (If 'valuep' is NULL,
+ * then simply return SUCCESS or NOTFOUND to indicate whether the
+ * key exists in the hashtable.)
+ *
+ * Requires:
+ * \li	'ht' is a valid hashtable
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS		-- success
+ * \li	#ISC_R_NOTFOUND		-- key not found
+ */
+isc_result_t
+isc_ht_find(const isc_ht_t *ht, const unsigned char *key, uint32_t keysize,
+	    void **valuep);
+
+/*%
+ * Delete node from hashtable
+ *
+ * Requires:
+ *\li	ht is a valid hashtable
+ *
+ * Returns:
+ *\li	#ISC_R_NOTFOUND		-- key not found
+ *\li	#ISC_R_SUCCESS		-- all is well
+ */
+isc_result_t
+isc_ht_delete(isc_ht_t *ht, const unsigned char *key, uint32_t keysize);
+
+/*%
+ * Create an iterator for the hashtable; point '*itp' to it.
+ *
+ * Requires:
+ *\li	'ht' is a valid hashtable
+ *\li	'itp' is non NULL and '*itp' is NULL.
+ */
+void
+isc_ht_iter_create(isc_ht_t *ht, isc_ht_iter_t **itp);
+
+/*%
+ * Destroy the iterator '*itp', set it to NULL
+ *
+ * Requires:
+ *\li	'itp' is non NULL and '*itp' is non NULL.
+ */
+void
+isc_ht_iter_destroy(isc_ht_iter_t **itp);
+
+/*%
+ * Set an iterator to the first entry.
+ *
+ * Requires:
+ *\li	'it' is non NULL.
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS	-- success
+ * \li	#ISC_R_NOMORE	-- no data in the hashtable
+ */
+isc_result_t
+isc_ht_iter_first(isc_ht_iter_t *it);
+
+/*%
+ * Set an iterator to the next entry.
+ *
+ * Requires:
+ *\li	'it' is non NULL.
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS	-- success
+ * \li	#ISC_R_NOMORE	-- end of hashtable reached
+ */
+isc_result_t
+isc_ht_iter_next(isc_ht_iter_t *it);
+
+/*%
+ * Delete current entry and set an iterator to the next entry.
+ *
+ * Requires:
+ *\li	'it' is non NULL.
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS	-- success
+ * \li	#ISC_R_NOMORE	-- end of hashtable reached
+ */
+isc_result_t
+isc_ht_iter_delcurrent_next(isc_ht_iter_t *it);
+
+/*%
+ * Set 'value' to the current value under the iterator
+ *
+ * Requires:
+ *\li	'it' is non NULL.
+ *\li   'valuep' is non NULL and '*valuep' is NULL.
+ */
+void
+isc_ht_iter_current(isc_ht_iter_t *it, void **valuep);
+
+/*%
+ * Set 'key' and 'keysize to the current key and keysize for the value
+ * under the iterator
+ *
+ * Requires:
+ *\li	'it' is non NULL.
+ *\li   'key' is non NULL and '*key' is NULL.
+ *\li	'keysize' is non NULL.
+ */
+void
+isc_ht_iter_currentkey(isc_ht_iter_t *it, unsigned char **key, size_t *keysize);
+
+/*%
+ * Returns the number of items in the hashtable.
+ *
+ * Requires:
+ *\li	'ht' is a valid hashtable
+ */
+unsigned int
+isc_ht_count(isc_ht_t *ht);
+#endif /* ifndef ISC_HT_H */
diff --git a/lib/isc/include/isc/httpd.h b/lib/isc/include/isc/httpd.h
new file mode 100644
index 0000000..7b66049
--- /dev/null
+++ b/lib/isc/include/isc/httpd.h
@@ -0,0 +1,85 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_HTTPD_H
+#define ISC_HTTPD_H 1
+
+/*! \file */
+
+#include <stdbool.h>
+
+#include <isc/event.h>
+#include <isc/eventclass.h>
+#include <isc/mutex.h>
+#include <isc/task.h>
+#include <isc/time.h>
+#include <isc/types.h>
+
+/*%
+ * HTTP urls.  These are the URLs we manage, and the function to call to
+ * provide the data for it.  We pass in the base url (so the same function
+ * can handle multiple requests), and a structure to fill in to return a
+ * result to the client.  We also pass in a pointer to be filled in for
+ * the data cleanup function.
+ */
+struct isc_httpdurl {
+	char		  *url;
+	isc_httpdaction_t *action;
+	void		  *action_arg;
+	bool		   isstatic;
+	isc_time_t	   loadtime;
+	ISC_LINK(isc_httpdurl_t) link;
+};
+
+#define HTTPD_EVENTCLASS ISC_EVENTCLASS(4300)
+#define HTTPD_SHUTDOWN	 (HTTPD_EVENTCLASS + 0x0001)
+
+#define ISC_HTTPDMGR_FLAGSHUTTINGDOWN 0x00000001
+
+/*
+ * Create a new http daemon which will send, once every time period,
+ * a http-like header followed by HTTP data.
+ */
+isc_result_t
+isc_httpdmgr_create(isc_mem_t *mctx, isc_socket_t *sock, isc_task_t *task,
+		    isc_httpdclientok_t	 *client_ok,
+		    isc_httpdondestroy_t *ondestory, void *cb_arg,
+		    isc_timermgr_t *tmgr, isc_httpdmgr_t **httpdp);
+
+void
+isc_httpdmgr_shutdown(isc_httpdmgr_t **httpdp);
+
+isc_result_t
+isc_httpdmgr_addurl(isc_httpdmgr_t *httpdmgr, const char *url,
+		    isc_httpdaction_t *func, void *arg);
+
+isc_result_t
+isc_httpdmgr_addurl2(isc_httpdmgr_t *httpdmgr, const char *url, bool isstatic,
+		     isc_httpdaction_t *func, void *arg);
+
+isc_result_t
+isc_httpd_response(isc_httpd_t *httpd);
+
+isc_result_t
+isc_httpd_addheader(isc_httpd_t *httpd, const char *name, const char *val);
+
+isc_result_t
+isc_httpd_addheaderuint(isc_httpd_t *httpd, const char *name, int val);
+
+isc_result_t
+isc_httpd_endheaders(isc_httpd_t *httpd);
+
+void
+isc_httpd_setfinishhook(void (*fn)(void));
+
+#endif /* ISC_HTTPD_H */
diff --git a/lib/isc/include/isc/interfaceiter.h b/lib/isc/include/isc/interfaceiter.h
new file mode 100644
index 0000000..5f6cbe2
--- /dev/null
+++ b/lib/isc/include/isc/interfaceiter.h
@@ -0,0 +1,130 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_INTERFACEITER_H
+#define ISC_INTERFACEITER_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file isc/interfaceiter.h
+ * \brief Iterates over the list of network interfaces.
+ *
+ * Interfaces whose address family is not supported are ignored and never
+ * returned by the iterator.  Interfaces whose netmask, interface flags,
+ * or similar cannot be obtained are also ignored, and the failure is logged.
+ *
+ * Standards:
+ *	The API for scanning varies greatly among operating systems.
+ *	This module attempts to hide the differences.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <inttypes.h>
+
+#include <isc/lang.h>
+#include <isc/netaddr.h>
+#include <isc/types.h>
+
+/*!
+ * \brief Public structure describing a network interface.
+ */
+
+struct isc_interface {
+	char	      name[32];	  /*%< Interface name, null-terminated. */
+	unsigned int  af;	  /*%< Address family. */
+	isc_netaddr_t address;	  /*%< Local address. */
+	isc_netaddr_t netmask;	  /*%< Network mask. */
+	isc_netaddr_t dstaddress; /*%< Destination address
+				   * (point-to-point
+				   * only). */
+	uint32_t flags;		  /*%< Flags; see INTERFACE flags. */
+};
+
+/*@{*/
+/*! Interface flags. */
+
+#define INTERFACE_F_UP		 0x00000001U
+#define INTERFACE_F_POINTTOPOINT 0x00000002U
+#define INTERFACE_F_LOOPBACK	 0x00000004U
+/*@}*/
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp);
+/*!<
+ * \brief Create an iterator for traversing the operating system's list
+ * of network interfaces.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOMEMORY
+ *\li	Various network-related errors
+ */
+
+isc_result_t
+isc_interfaceiter_first(isc_interfaceiter_t *iter);
+/*!<
+ * \brief Position the iterator on the first interface.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		Success.
+ *\li	#ISC_R_NOMORE		There are no interfaces.
+ */
+
+isc_result_t
+isc_interfaceiter_current(isc_interfaceiter_t *iter, isc_interface_t *ifdata);
+/*!<
+ * \brief Get information about the interface the iterator is currently
+ * positioned at and store it at *ifdata.
+ *
+ * Requires:
+ *\li 	The iterator has been successfully positioned using
+ * 	isc_interface_iter_first() / isc_interface_iter_next().
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		Success.
+ */
+
+isc_result_t
+isc_interfaceiter_next(isc_interfaceiter_t *iter);
+/*!<
+ * \brief Position the iterator on the next interface.
+ *
+ * Requires:
+ * \li	The iterator has been successfully positioned using
+ * 	isc_interface_iter_first() / isc_interface_iter_next().
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		Success.
+ *\li	#ISC_R_NOMORE		There are no more interfaces.
+ */
+
+void
+isc_interfaceiter_destroy(isc_interfaceiter_t **iterp);
+/*!<
+ * \brief Destroy the iterator.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_INTERFACEITER_H */
diff --git a/lib/isc/include/isc/iterated_hash.h b/lib/isc/include/isc/iterated_hash.h
new file mode 100644
index 0000000..b5d6ab6
--- /dev/null
+++ b/lib/isc/include/isc/iterated_hash.h
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#pragma once
+
+#include <isc/lang.h>
+
+/*
+ * The maximal hash length that can be encoded in a name
+ * using base32hex.  floor(255/8)*5
+ */
+#define NSEC3_MAX_HASH_LENGTH 155
+
+/*
+ * The maximum has that can be encoded in a single label using
+ * base32hex.  floor(63/8)*5
+ */
+#define NSEC3_MAX_LABEL_HASH 35
+
+ISC_LANG_BEGINDECLS
+
+int
+isc_iterated_hash(unsigned char *out, const unsigned int hashalg,
+		  const int iterations, const unsigned char *salt,
+		  const int saltlength, const unsigned char *in,
+		  const int inlength);
+
+ISC_LANG_ENDDECLS
diff --git a/lib/isc/include/isc/lang.h b/lib/isc/include/isc/lang.h
new file mode 100644
index 0000000..35346db
--- /dev/null
+++ b/lib/isc/include/isc/lang.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_LANG_H
+#define ISC_LANG_H 1
+
+/*! \file isc/lang.h */
+
+#ifdef __cplusplus
+#define ISC_LANG_BEGINDECLS extern "C" {
+#define ISC_LANG_ENDDECLS   }
+#else /* ifdef __cplusplus */
+#define ISC_LANG_BEGINDECLS
+#define ISC_LANG_ENDDECLS
+#endif /* ifdef __cplusplus */
+
+#endif /* ISC_LANG_H */
diff --git a/lib/isc/include/isc/lex.h b/lib/isc/include/isc/lex.h
new file mode 100644
index 0000000..0209cbe
--- /dev/null
+++ b/lib/isc/include/isc/lex.h
@@ -0,0 +1,447 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_LEX_H
+#define ISC_LEX_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file isc/lex.h
+ * \brief The "lex" module provides a lightweight tokenizer.  It can operate
+ * on files or buffers, and can handle "include".  It is designed for
+ * parsing of DNS master files and the BIND configuration file, but
+ * should be general enough to tokenize other things, e.g. HTTP.
+ *
+ * \li MP:
+ *	No synchronization is provided.  Clients must ensure exclusive
+ *	access.
+ *
+ * \li Reliability:
+ *	No anticipated impact.
+ *
+ * \li Resources:
+ *	TBS
+ *
+ * \li Security:
+ *	No anticipated impact.
+ *
+ * \li Standards:
+ * 	None.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <stdbool.h>
+#include <stdio.h>
+
+#include <isc/lang.h>
+#include <isc/region.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Options
+ ***/
+
+/*@{*/
+/*!
+ * Various options for isc_lex_gettoken().
+ */
+
+#define ISC_LEXOPT_EOL	     0x0001 /*%< Want end-of-line token. */
+#define ISC_LEXOPT_EOF	     0x0002 /*%< Want end-of-file token. */
+#define ISC_LEXOPT_INITIALWS 0x0004 /*%< Want initial whitespace. */
+#define ISC_LEXOPT_NUMBER    0x0008 /*%< Recognize numbers. */
+#define ISC_LEXOPT_QSTRING   0x0010 /*%< Recognize qstrings. */
+/*@}*/
+
+/*@{*/
+/*!
+ * The ISC_LEXOPT_DNSMULTILINE option handles the processing of '(' and ')' in
+ * the DNS master file format.  If this option is set, then the
+ * ISC_LEXOPT_INITIALWS and ISC_LEXOPT_EOL options will be ignored when
+ * the paren count is > 0.  To use this option, '(' and ')' must be special
+ * characters.
+ */
+#define ISC_LEXOPT_DNSMULTILINE 0x0020 /*%< Handle '(' and ')'. */
+#define ISC_LEXOPT_NOMORE	0x0040 /*%< Want "no more" token. */
+
+#define ISC_LEXOPT_CNUMBER	    0x0080 /*%< Recognize octal and hex. */
+#define ISC_LEXOPT_ESCAPE	    0x0100 /*%< Recognize escapes. */
+#define ISC_LEXOPT_QSTRINGMULTILINE 0x0200 /*%< Allow multiline "" strings */
+#define ISC_LEXOPT_OCTAL	    0x0400 /*%< Expect a octal number. */
+#define ISC_LEXOPT_BTEXT	    0x0800 /*%< Bracketed text. */
+#define ISC_LEXOPT_VPAIR	    0x1000 /*%< Recognize value pair. */
+#define ISC_LEXOPT_QVPAIR	    0x2000 /*%< Recognize quoted value pair. */
+/*@}*/
+/*@{*/
+/*!
+ * Various commenting styles, which may be changed at any time with
+ * isc_lex_setcomments().
+ */
+
+#define ISC_LEXCOMMENT_C	     0x01
+#define ISC_LEXCOMMENT_CPLUSPLUS     0x02
+#define ISC_LEXCOMMENT_SHELL	     0x04
+#define ISC_LEXCOMMENT_DNSMASTERFILE 0x08
+/*@}*/
+
+/***
+ *** Types
+ ***/
+
+/*! Lex */
+
+typedef char isc_lexspecials_t[256];
+
+/* Tokens */
+
+typedef enum {
+	isc_tokentype_unknown = 0,
+	isc_tokentype_string = 1,
+	isc_tokentype_number = 2,
+	isc_tokentype_qstring = 3,
+	isc_tokentype_eol = 4,
+	isc_tokentype_eof = 5,
+	isc_tokentype_initialws = 6,
+	isc_tokentype_special = 7,
+	isc_tokentype_nomore = 8,
+	isc_tokentype_btext = 9,
+	isc_tokentype_vpair = 10,
+	isc_tokentype_qvpair = 11,
+} isc_tokentype_t;
+
+typedef union {
+	char		 as_char;
+	unsigned long	 as_ulong;
+	isc_region_t	 as_region;
+	isc_textregion_t as_textregion;
+	void		*as_pointer;
+} isc_tokenvalue_t;
+
+typedef struct isc_token {
+	isc_tokentype_t	 type;
+	isc_tokenvalue_t value;
+} isc_token_t;
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t
+isc_lex_create(isc_mem_t *mctx, size_t max_token, isc_lex_t **lexp);
+/*%<
+ * Create a lexer.
+ *
+ * 'max_token' is a hint of the number of bytes in the largest token.
+ *
+ * Requires:
+ *\li	'*lexp' is a valid lexer.
+ *
+ * Ensures:
+ *\li	On success, *lexp is attached to the newly created lexer.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ */
+
+void
+isc_lex_destroy(isc_lex_t **lexp);
+/*%<
+ * Destroy the lexer.
+ *
+ * Requires:
+ *\li	'*lexp' is a valid lexer.
+ *
+ * Ensures:
+ *\li	*lexp == NULL
+ */
+
+unsigned int
+isc_lex_getcomments(isc_lex_t *lex);
+/*%<
+ * Return the current lexer commenting styles.
+ *
+ * Requires:
+ *\li	'lex' is a valid lexer.
+ *
+ * Returns:
+ *\li	The commenting styles which are currently allowed.
+ */
+
+void
+isc_lex_setcomments(isc_lex_t *lex, unsigned int comments);
+/*%<
+ * Set allowed lexer commenting styles.
+ *
+ * Requires:
+ *\li	'lex' is a valid lexer.
+ *
+ *\li	'comments' has meaningful values.
+ */
+
+void
+isc_lex_getspecials(isc_lex_t *lex, isc_lexspecials_t specials);
+/*%<
+ * Put the current list of specials into 'specials'.
+ *
+ * Requires:
+ *\li	'lex' is a valid lexer.
+ */
+
+void
+isc_lex_setspecials(isc_lex_t *lex, isc_lexspecials_t specials);
+/*!<
+ * The characters in 'specials' are returned as tokens.  Along with
+ * whitespace, they delimit strings and numbers.
+ *
+ * Note:
+ *\li	Comment processing takes precedence over special character
+ *	recognition.
+ *
+ * Requires:
+ *\li	'lex' is a valid lexer.
+ */
+
+isc_result_t
+isc_lex_openfile(isc_lex_t *lex, const char *filename);
+/*%<
+ * Open 'filename' and make it the current input source for 'lex'.
+ *
+ * Requires:
+ *\li	'lex' is a valid lexer.
+ *
+ *\li	filename is a valid C string.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY			Out of memory
+ *\li	#ISC_R_NOTFOUND			File not found
+ *\li	#ISC_R_NOPERM			No permission to open file
+ *\li	#ISC_R_FAILURE			Couldn't open file, not sure why
+ *\li	#ISC_R_UNEXPECTED
+ */
+
+isc_result_t
+isc_lex_openstream(isc_lex_t *lex, FILE *stream);
+/*%<
+ * Make 'stream' the current input source for 'lex'.
+ *
+ * Requires:
+ *\li	'lex' is a valid lexer.
+ *
+ *\li	'stream' is a valid C stream.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY			Out of memory
+ */
+
+isc_result_t
+isc_lex_openbuffer(isc_lex_t *lex, isc_buffer_t *buffer);
+/*%<
+ * Make 'buffer' the current input source for 'lex'.
+ *
+ * Requires:
+ *\li	'lex' is a valid lexer.
+ *
+ *\li	'buffer' is a valid buffer.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY			Out of memory
+ */
+
+isc_result_t
+isc_lex_close(isc_lex_t *lex);
+/*%<
+ * Close the most recently opened object (i.e. file or buffer).
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMORE			No more input sources
+ */
+
+isc_result_t
+isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp);
+/*%<
+ * Get the next token.
+ *
+ * Requires:
+ *\li	'lex' is a valid lexer.
+ *
+ *\li	'lex' has an input source.
+ *
+ *\li	'options' contains valid options.
+ *
+ *\li	'*tokenp' is a valid pointer.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_UNEXPECTEDEND
+ *\li	#ISC_R_NOMEMORY
+ *
+ *	These two results are returned only if their corresponding lexer
+ *	options are not set.
+ *
+ *\li	#ISC_R_EOF			End of input source
+ *\li	#ISC_R_NOMORE			No more input sources
+ */
+
+isc_result_t
+isc_lex_getmastertoken(isc_lex_t *lex, isc_token_t *token,
+		       isc_tokentype_t expect, bool eol);
+/*%<
+ * Get the next token from a DNS master file type stream.  This is a
+ * convenience function that sets appropriate options and handles quoted
+ * strings and end of line correctly for master files.  It also ungets
+ * unexpected tokens.  If `eol` is set then expect end-of-line otherwise
+ * eol is a error.
+ *
+ * Requires:
+ *\li	'lex' is a valid lexer.
+ *
+ *\li	'token' is a valid pointer
+ *
+ * Returns:
+ *
+ * \li	any return code from isc_lex_gettoken().
+ */
+
+isc_result_t
+isc_lex_getoctaltoken(isc_lex_t *lex, isc_token_t *token, bool eol);
+/*%<
+ * Get the next token from a DNS master file type stream.  This is a
+ * convenience function that sets appropriate options and handles end
+ * of line correctly for master files.  It also ungets unexpected tokens.
+ * If `eol` is set then expect end-of-line otherwise eol is a error.
+ *
+ * Requires:
+ *\li	'lex' is a valid lexer.
+ *
+ *\li	'token' is a valid pointer
+ *
+ * Returns:
+ *
+ * \li	any return code from isc_lex_gettoken().
+ */
+
+void
+isc_lex_ungettoken(isc_lex_t *lex, isc_token_t *tokenp);
+/*%<
+ * Unget the current token.
+ *
+ * Requires:
+ *\li	'lex' is a valid lexer.
+ *
+ *\li	'lex' has an input source.
+ *
+ *\li	'tokenp' points to a valid token.
+ *
+ *\li	There is no ungotten token already.
+ */
+
+void
+isc_lex_getlasttokentext(isc_lex_t *lex, isc_token_t *tokenp, isc_region_t *r);
+/*%<
+ * Returns a region containing the text of the last token returned.
+ *
+ * Requires:
+ *\li	'lex' is a valid lexer.
+ *
+ *\li	'lex' has an input source.
+ *
+ *\li	'tokenp' points to a valid token.
+ *
+ *\li	A token has been gotten and not ungotten.
+ */
+
+char *
+isc_lex_getsourcename(isc_lex_t *lex);
+/*%<
+ * Return the input source name.
+ *
+ * Requires:
+ *\li	'lex' is a valid lexer.
+ *
+ * Returns:
+ * \li	source name or NULL if no current source.
+ *\li	result valid while current input source exists.
+ */
+
+unsigned long
+isc_lex_getsourceline(isc_lex_t *lex);
+/*%<
+ * Return the input source line number.
+ *
+ * Requires:
+ *\li	'lex' is a valid lexer.
+ *
+ * Returns:
+ *\li 	Current line number or 0 if no current source.
+ */
+
+isc_result_t
+isc_lex_setsourcename(isc_lex_t *lex, const char *name);
+/*%<
+ * Assigns a new name to the input source.
+ *
+ * Requires:
+ *
+ * \li	'lex' is a valid lexer.
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOMEMORY
+ * \li	#ISC_R_NOTFOUND - there are no sources.
+ */
+
+isc_result_t
+isc_lex_setsourceline(isc_lex_t *lex, unsigned long line);
+/*%<
+ * Assigns a new line number to the input source. This can be used
+ * when parsing a buffer that's been excerpted from the middle a file,
+ * allowing logged messages to display the correct line number,
+ * rather than the line number within the buffer.
+ *
+ * Requires:
+ *
+ * \li	'lex' is a valid lexer.
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOTFOUND - there are no sources.
+ */
+
+bool
+isc_lex_isfile(isc_lex_t *lex);
+/*%<
+ * Return whether the current input source is a file.
+ *
+ * Requires:
+ *\li	'lex' is a valid lexer.
+ *
+ * Returns:
+ * \li	#true if the current input is a file,
+ *\li	#false otherwise.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_LEX_H */
diff --git a/lib/isc/include/isc/lfsr.h b/lib/isc/include/isc/lfsr.h
new file mode 100644
index 0000000..0e4f7f2
--- /dev/null
+++ b/lib/isc/include/isc/lfsr.h
@@ -0,0 +1,124 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_LFSR_H
+#define ISC_LFSR_H 1
+
+/*! \file isc/lfsr.h */
+
+#include <inttypes.h>
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+typedef struct isc_lfsr isc_lfsr_t;
+
+/*%
+ * This function is called when reseeding is needed.  It is allowed to
+ * modify any state in the LFSR in any way it sees fit OTHER THAN "bits".
+ *
+ * It MUST set "count" to a new value or the lfsr will never reseed again.
+ *
+ * Also, a reseed will never occur in the middle of an extraction.  This
+ * is purely an optimization, and is probably what one would want.
+ */
+typedef void (*isc_lfsrreseed_t)(isc_lfsr_t *, void *);
+
+/*%
+ * The members of this structure can be used by the application, but care
+ * needs to be taken to not change state once the lfsr is in operation.
+ */
+struct isc_lfsr {
+	uint32_t	 state;	 /*%< previous state */
+	unsigned int	 bits;	 /*%< length */
+	uint32_t	 tap;	 /*%< bit taps */
+	unsigned int	 count;	 /*%< reseed count (in BITS!) */
+	isc_lfsrreseed_t reseed; /*%< reseed function */
+	void		*arg;	 /*%< reseed function argument */
+};
+
+ISC_LANG_BEGINDECLS
+
+void
+isc_lfsr_init(isc_lfsr_t *lfsr, uint32_t state, unsigned int bits, uint32_t tap,
+	      unsigned int count, isc_lfsrreseed_t reseed, void *arg);
+/*%<
+ * Initialize an LFSR.
+ *
+ * Note:
+ *
+ *\li	Putting untrusted values into this function will cause the LFSR to
+ *	generate (perhaps) non-maximal length sequences.
+ *
+ * Requires:
+ *
+ *\li	lfsr != NULL
+ *
+ *\li	8 <= bits <= 32
+ *
+ *\li	tap != 0
+ */
+
+void
+isc_lfsr_generate(isc_lfsr_t *lfsr, void *data, unsigned int count);
+/*%<
+ * Returns "count" bytes of data from the LFSR.
+ *
+ * Requires:
+ *
+ *\li	lfsr be valid.
+ *
+ *\li	data != NULL.
+ *
+ *\li	count > 0.
+ */
+
+void
+isc_lfsr_skip(isc_lfsr_t *lfsr, unsigned int skip);
+/*%<
+ * Skip "skip" states.
+ *
+ * Requires:
+ *
+ *\li	lfsr be valid.
+ */
+
+uint32_t
+isc_lfsr_generate32(isc_lfsr_t *lfsr1, isc_lfsr_t *lfsr2);
+/*%<
+ * Given two LFSRs, use the current state from each to skip entries in the
+ * other.  The next states are then xor'd together and returned.
+ *
+ * WARNING:
+ *
+ *\li	This function is used only for very, very low security data, such
+ *	as DNS message IDs where it is desired to have an unpredictable
+ *	stream of bytes that are harder to predict than a simple flooding
+ *	attack.
+ *
+ * Notes:
+ *
+ *\li	Since the current state from each of the LFSRs is used to skip
+ *	state in the other, it is important that no state be leaked
+ *	from either LFSR.
+ *
+ * Requires:
+ *
+ *\li	lfsr1 and lfsr2 be valid.
+ *
+ *\li	1 <= skipbits <= 31
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_LFSR_H */
diff --git a/lib/isc/include/isc/lib.h b/lib/isc/include/isc/lib.h
new file mode 100644
index 0000000..60d638d
--- /dev/null
+++ b/lib/isc/include/isc/lib.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#pragma once
+
+/*! \file isc/lib.h */
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+void
+isc_lib_register(void);
+/*!<
+ * \brief Register the ISC library implementations for some base services
+ * such as memory or event management and handling socket or timer events.
+ * An external application that wants to use the ISC library must call this
+ * function very early in main().
+ */
+
+#ifdef WIN32
+int
+isc_lib_ntservice(int(WINAPI *mainfunc)(int argc, char *argv[]), int argc,
+		  char *argv[]);
+/*!<
+ * \brief Execute a special routine needed when running as a Windows Service.
+ */
+#endif /* ifdef WIN32 */
+
+extern void
+isc_enable_constructors(void);
+/*!<
+ * \brief Enable constructor linkage in non-libtool static builds.
+ */
+
+ISC_LANG_ENDDECLS
diff --git a/lib/isc/include/isc/likely.h b/lib/isc/include/isc/likely.h
new file mode 100644
index 0000000..360c383
--- /dev/null
+++ b/lib/isc/include/isc/likely.h
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_LIKELY_H
+#define ISC_LIKELY_H 1
+
+/*%
+ * Performance
+ */
+#ifdef CPPCHECK
+#define ISC_LIKELY(x)	(x)
+#define ISC_UNLIKELY(x) (x)
+#else /* ifdef CPPCHECK */
+#ifdef HAVE_BUILTIN_EXPECT
+#define ISC_LIKELY(x)	__builtin_expect(!!(x), 1)
+#define ISC_UNLIKELY(x) __builtin_expect(!!(x), 0)
+#else /* ifdef HAVE_BUILTIN_EXPECT */
+#define ISC_LIKELY(x)	(x)
+#define ISC_UNLIKELY(x) (x)
+#endif /* ifdef HAVE_BUILTIN_EXPECT */
+#endif /* ifdef CPPCHECK */
+
+#endif /* ISC_LIKELY_H */
diff --git a/lib/isc/include/isc/list.h b/lib/isc/include/isc/list.h
new file mode 100644
index 0000000..2cf4437
--- /dev/null
+++ b/lib/isc/include/isc/list.h
@@ -0,0 +1,229 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#pragma once
+
+#include <isc/assertions.h>
+
+#define ISC_LINK_TOMBSTONE(type) ((type *)-1)
+
+#define ISC_LIST_INITIALIZER                \
+	{                                   \
+		.head = NULL, .tail = NULL, \
+	}
+#define ISC_LINK_INITIALIZER_TYPE(type)           \
+	{                                         \
+		.prev = ISC_LINK_TOMBSTONE(type), \
+		.next = ISC_LINK_TOMBSTONE(type), \
+	}
+#define ISC_LINK_INITIALIZER ISC_LINK_INITIALIZER_TYPE(void)
+
+#ifdef ISC_LIST_CHECKINIT
+#define ISC_LINK_INSIST(x) ISC_INSIST(x)
+#else /* ifdef ISC_LIST_CHECKINIT */
+#define ISC_LINK_INSIST(x)
+#endif /* ifdef ISC_LIST_CHECKINIT */
+
+#define ISC_LIST(type)             \
+	struct {                   \
+		type *head, *tail; \
+	}
+#define ISC_LIST_INIT(list)         \
+	do {                        \
+		(list).head = NULL; \
+		(list).tail = NULL; \
+	} while (0)
+
+#define ISC_LINK(type)             \
+	struct {                   \
+		type *prev, *next; \
+	}
+#define ISC_LINK_INIT_TYPE(elt, link, type)                  \
+	do {                                                 \
+		(elt)->link.prev = ISC_LINK_TOMBSTONE(type); \
+		(elt)->link.next = ISC_LINK_TOMBSTONE(type); \
+	} while (0)
+#define ISC_LINK_INIT(elt, link) ISC_LINK_INIT_TYPE(elt, link, void)
+#define ISC_LINK_LINKED_TYPE(elt, link, type) \
+	((type *)((elt)->link.prev) != ISC_LINK_TOMBSTONE(type))
+#define ISC_LINK_LINKED(elt, link) ISC_LINK_LINKED_TYPE(elt, link, void)
+
+#define ISC_LIST_HEAD(list)  ((list).head)
+#define ISC_LIST_TAIL(list)  ((list).tail)
+#define ISC_LIST_EMPTY(list) ((list).head == NULL)
+
+#define __ISC_LIST_PREPENDUNSAFE(list, elt, link)       \
+	do {                                            \
+		if ((list).head != NULL) {              \
+			(list).head->link.prev = (elt); \
+		} else {                                \
+			(list).tail = (elt);            \
+		}                                       \
+		(elt)->link.prev = NULL;                \
+		(elt)->link.next = (list).head;         \
+		(list).head = (elt);                    \
+	} while (0)
+
+#define ISC_LIST_PREPEND(list, elt, link)                     \
+	do {                                                  \
+		ISC_LINK_INSIST(!ISC_LINK_LINKED(elt, link)); \
+		__ISC_LIST_PREPENDUNSAFE(list, elt, link);    \
+	} while (0)
+
+#define ISC_LIST_INITANDPREPEND(list, elt, link) \
+	__ISC_LIST_PREPENDUNSAFE(list, elt, link)
+
+#define __ISC_LIST_APPENDUNSAFE(list, elt, link)        \
+	do {                                            \
+		if ((list).tail != NULL) {              \
+			(list).tail->link.next = (elt); \
+		} else {                                \
+			(list).head = (elt);            \
+		}                                       \
+		(elt)->link.prev = (list).tail;         \
+		(elt)->link.next = NULL;                \
+		(list).tail = (elt);                    \
+	} while (0)
+
+#define ISC_LIST_APPEND(list, elt, link)                      \
+	do {                                                  \
+		ISC_LINK_INSIST(!ISC_LINK_LINKED(elt, link)); \
+		__ISC_LIST_APPENDUNSAFE(list, elt, link);     \
+	} while (0)
+
+#define ISC_LIST_INITANDAPPEND(list, elt, link) \
+	__ISC_LIST_APPENDUNSAFE(list, elt, link)
+
+#define __ISC_LIST_UNLINKUNSAFE_TYPE(list, elt, link, type)             \
+	do {                                                            \
+		if ((elt)->link.next != NULL) {                         \
+			(elt)->link.next->link.prev = (elt)->link.prev; \
+		} else {                                                \
+			ISC_INSIST((list).tail == (elt));               \
+			(list).tail = (elt)->link.prev;                 \
+		}                                                       \
+		if ((elt)->link.prev != NULL) {                         \
+			(elt)->link.prev->link.next = (elt)->link.next; \
+		} else {                                                \
+			ISC_INSIST((list).head == (elt));               \
+			(list).head = (elt)->link.next;                 \
+		}                                                       \
+		(elt)->link.prev = ISC_LINK_TOMBSTONE(type);            \
+		(elt)->link.next = ISC_LINK_TOMBSTONE(type);            \
+		ISC_INSIST((list).head != (elt));                       \
+		ISC_INSIST((list).tail != (elt));                       \
+	} while (0)
+
+#define __ISC_LIST_UNLINKUNSAFE(list, elt, link) \
+	__ISC_LIST_UNLINKUNSAFE_TYPE(list, elt, link, void)
+
+#define ISC_LIST_UNLINK_TYPE(list, elt, link, type)                  \
+	do {                                                         \
+		ISC_LINK_INSIST(ISC_LINK_LINKED(elt, link));         \
+		__ISC_LIST_UNLINKUNSAFE_TYPE(list, elt, link, type); \
+	} while (0)
+#define ISC_LIST_UNLINK(list, elt, link) \
+	ISC_LIST_UNLINK_TYPE(list, elt, link, void)
+
+#define ISC_LIST_PREV(elt, link) ((elt)->link.prev)
+#define ISC_LIST_NEXT(elt, link) ((elt)->link.next)
+
+#define __ISC_LIST_INSERTBEFOREUNSAFE(list, before, elt, link)  \
+	do {                                                    \
+		if ((before)->link.prev == NULL) {              \
+			ISC_LIST_PREPEND(list, elt, link);      \
+		} else {                                        \
+			(elt)->link.prev = (before)->link.prev; \
+			(before)->link.prev = (elt);            \
+			(elt)->link.prev->link.next = (elt);    \
+			(elt)->link.next = (before);            \
+		}                                               \
+	} while (0)
+
+#define ISC_LIST_INSERTBEFORE(list, before, elt, link)                  \
+	do {                                                            \
+		ISC_LINK_INSIST(ISC_LINK_LINKED(before, link));         \
+		ISC_LINK_INSIST(!ISC_LINK_LINKED(elt, link));           \
+		__ISC_LIST_INSERTBEFOREUNSAFE(list, before, elt, link); \
+	} while (0)
+
+#define __ISC_LIST_INSERTAFTERUNSAFE(list, after, elt, link)   \
+	do {                                                   \
+		if ((after)->link.next == NULL) {              \
+			ISC_LIST_APPEND(list, elt, link);      \
+		} else {                                       \
+			(elt)->link.next = (after)->link.next; \
+			(after)->link.next = (elt);            \
+			(elt)->link.next->link.prev = (elt);   \
+			(elt)->link.prev = (after);            \
+		}                                              \
+	} while (0)
+
+#define ISC_LIST_INSERTAFTER(list, after, elt, link)                  \
+	do {                                                          \
+		ISC_LINK_INSIST(ISC_LINK_LINKED(after, link));        \
+		ISC_LINK_INSIST(!ISC_LINK_LINKED(elt, link));         \
+		__ISC_LIST_INSERTAFTERUNSAFE(list, after, elt, link); \
+	} while (0)
+
+#define ISC_LIST_APPENDLIST(list1, list2, link)                 \
+	do {                                                    \
+		if (ISC_LIST_EMPTY(list1)) {                    \
+			(list1) = (list2);                      \
+		} else if (!ISC_LIST_EMPTY(list2)) {            \
+			(list1).tail->link.next = (list2).head; \
+			(list2).head->link.prev = (list1).tail; \
+			(list1).tail = (list2).tail;            \
+		}                                               \
+		(list2).head = NULL;                            \
+		(list2).tail = NULL;                            \
+	} while (0)
+
+#define ISC_LIST_PREPENDLIST(list1, list2, link)                \
+	do {                                                    \
+		if (ISC_LIST_EMPTY(list1)) {                    \
+			(list1) = (list2);                      \
+		} else if (!ISC_LIST_EMPTY(list2)) {            \
+			(list2).tail->link.next = (list1).head; \
+			(list1).head->link.prev = (list2).tail; \
+			(list1).head = (list2).head;            \
+		}                                               \
+		(list2).head = NULL;                            \
+		(list2).tail = NULL;                            \
+	} while (0)
+
+#define ISC_LIST_ENQUEUE(list, elt, link) ISC_LIST_APPEND(list, elt, link)
+#define __ISC_LIST_ENQUEUEUNSAFE(list, elt, link) \
+	__ISC_LIST_APPENDUNSAFE(list, elt, link)
+#define ISC_LIST_DEQUEUE(list, elt, link) \
+	ISC_LIST_UNLINK_TYPE(list, elt, link, void)
+#define ISC_LIST_DEQUEUE_TYPE(list, elt, link, type) \
+	ISC_LIST_UNLINK_TYPE(list, elt, link, type)
+#define __ISC_LIST_DEQUEUEUNSAFE(list, elt, link) \
+	__ISC_LIST_UNLINKUNSAFE_TYPE(list, elt, link, void)
+#define __ISC_LIST_DEQUEUEUNSAFE_TYPE(list, elt, link, type) \
+	__ISC_LIST_UNLINKUNSAFE_TYPE(list, elt, link, type)
+
+#define ISC_LIST_MOVEUNSAFE(dest, src)    \
+	{                                 \
+		(dest).head = (src).head; \
+		(dest).tail = (src).tail; \
+		(src).head = NULL;        \
+		(src).tail = NULL;        \
+	}
+
+#define ISC_LIST_MOVE(dest, src)                \
+	{                                       \
+		INSIST(ISC_LIST_EMPTY(dest));   \
+		ISC_LIST_MOVEUNSAFE(dest, src); \
+	}
diff --git a/lib/isc/include/isc/log.h b/lib/isc/include/isc/log.h
new file mode 100644
index 0000000..289cbd7
--- /dev/null
+++ b/lib/isc/include/isc/log.h
@@ -0,0 +1,848 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_LOG_H
+#define ISC_LOG_H 1
+
+/*! \file isc/log.h */
+
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <syslog.h> /* XXXDCL NT */
+
+#include <isc/formatcheck.h>
+#include <isc/lang.h>
+#include <isc/platform.h>
+#include <isc/types.h>
+
+/*@{*/
+/*!
+ * \brief Severity levels, patterned after Unix's syslog levels.
+ *
+ */
+#define ISC_LOG_DEBUG(level) (level)
+/*!
+ * #ISC_LOG_DYNAMIC can only be used for defining channels with
+ * isc_log_createchannel(), not to specify a level in isc_log_write().
+ */
+#define ISC_LOG_DYNAMIC	 0
+#define ISC_LOG_INFO	 (-1)
+#define ISC_LOG_NOTICE	 (-2)
+#define ISC_LOG_WARNING	 (-3)
+#define ISC_LOG_ERROR	 (-4)
+#define ISC_LOG_CRITICAL (-5)
+/*@}*/
+
+/*@{*/
+/*!
+ * \brief Destinations.
+ */
+#define ISC_LOG_TONULL	   1
+#define ISC_LOG_TOSYSLOG   2
+#define ISC_LOG_TOFILE	   3
+#define ISC_LOG_TOFILEDESC 4
+/*@}*/
+
+/*@{*/
+/*%
+ * Channel flags.
+ */
+#define ISC_LOG_PRINTTIME     0x00001
+#define ISC_LOG_PRINTLEVEL    0x00002
+#define ISC_LOG_PRINTCATEGORY 0x00004
+#define ISC_LOG_PRINTMODULE   0x00008
+#define ISC_LOG_PRINTTAG      0x00010 /* tag and ":" */
+#define ISC_LOG_PRINTPREFIX   0x00020 /* tag only, no colon */
+#define ISC_LOG_PRINTALL      0x0003F
+#define ISC_LOG_BUFFERED      0x00040
+#define ISC_LOG_DEBUGONLY     0x01000
+#define ISC_LOG_OPENERR	      0x08000 /* internal */
+#define ISC_LOG_ISO8601	      0x10000 /* if PRINTTIME, use ISO8601 */
+#define ISC_LOG_UTC	      0x20000 /* if PRINTTIME, use UTC */
+/*@}*/
+
+/*@{*/
+/*!
+ * \brief Other options.
+ *
+ * XXXDCL INFINITE doesn't yet work.  Arguably it isn't needed, but
+ *   since I am intend to make large number of versions work efficiently,
+ *   INFINITE is going to be trivial to add to that.
+ */
+#define ISC_LOG_ROLLINFINITE (-1)
+#define ISC_LOG_ROLLNEVER    (-2)
+#define ISC_LOG_MAX_VERSIONS 256
+/*@}*/
+
+/*@{*/
+/*!
+ * \brief Type of suffix used on rolled log files.
+ */
+typedef enum {
+	isc_log_rollsuffix_increment,
+	isc_log_rollsuffix_timestamp
+} isc_log_rollsuffix_t;
+/*@}*/
+
+/*!
+ * \brief Used to name the categories used by a library.
+ *
+ * An array of isc_logcategory
+ * structures names each category, and the id value is initialized by calling
+ * isc_log_registercategories.
+ */
+struct isc_logcategory {
+	const char  *name;
+	unsigned int id;
+};
+
+/*%
+ * Similar to isc_logcategory, but for all the modules a library defines.
+ */
+struct isc_logmodule {
+	const char  *name;
+	unsigned int id;
+};
+
+/*%
+ * The isc_logfile structure is initialized as part of an isc_logdestination
+ * before calling isc_log_createchannel().
+ *
+ * When defining an #ISC_LOG_TOFILE
+ * channel the name, versions and maximum_size should be set before calling
+ * isc_log_createchannel().  To define an #ISC_LOG_TOFILEDESC channel set only
+ * the stream before the call.
+ *
+ * Setting maximum_size to zero implies no maximum.
+ */
+typedef struct isc_logfile {
+	FILE *stream;	      /*%< Initialized to NULL for
+			       * #ISC_LOG_TOFILE. */
+	const char *name;     /*%< NULL for #ISC_LOG_TOFILEDESC. */
+	int	    versions; /* >= 0, #ISC_LOG_ROLLNEVER,
+			       * #ISC_LOG_ROLLINFINITE. */
+	isc_log_rollsuffix_t suffix;
+	/*%
+	 * stdio's ftell is standardized to return a long, which may well not
+	 * be big enough for the largest file supportable by the operating
+	 * system (though it is _probably_ big enough for the largest log
+	 * anyone would want).  st_size returned by fstat should be typedef'd
+	 * to a size large enough for the largest possible file on a system.
+	 */
+	isc_offset_t maximum_size;
+	bool	     maximum_reached; /*%< Private. */
+} isc_logfile_t;
+
+/*%
+ * Passed to isc_log_createchannel to define the attributes of either
+ * a stdio or a syslog log.
+ */
+typedef union isc_logdestination {
+	isc_logfile_t file;
+	int	      facility; /* XXXDCL NT */
+} isc_logdestination_t;
+
+/*@{*/
+/*%
+ * The built-in categories of libisc.
+ *
+ * Each library registering categories should provide library_LOGCATEGORY_name
+ * definitions with indexes into its isc_logcategory structure corresponding to
+ * the order of the names.
+ */
+LIBISC_EXTERNAL_DATA extern isc_logcategory_t isc_categories[];
+LIBISC_EXTERNAL_DATA extern isc_log_t	     *isc_lctx;
+LIBISC_EXTERNAL_DATA extern isc_logmodule_t   isc_modules[];
+/*@}*/
+
+/*@{*/
+/*%
+ * Do not log directly to DEFAULT.  Use another category.  When in doubt,
+ * use GENERAL.
+ */
+#define ISC_LOGCATEGORY_DEFAULT (&isc_categories[0])
+#define ISC_LOGCATEGORY_GENERAL (&isc_categories[1])
+/*@}*/
+
+#define ISC_LOGMODULE_SOCKET	(&isc_modules[0])
+#define ISC_LOGMODULE_TIME	(&isc_modules[1])
+#define ISC_LOGMODULE_INTERFACE (&isc_modules[2])
+#define ISC_LOGMODULE_TIMER	(&isc_modules[3])
+#define ISC_LOGMODULE_FILE	(&isc_modules[4])
+#define ISC_LOGMODULE_NETMGR	(&isc_modules[5])
+#define ISC_LOGMODULE_OTHER	(&isc_modules[6])
+
+ISC_LANG_BEGINDECLS
+
+void
+isc_log_create(isc_mem_t *mctx, isc_log_t **lctxp, isc_logconfig_t **lcfgp);
+/*%<
+ * Establish a new logging context, with default channels.
+ *
+ * Notes:
+ *\li	isc_log_create() calls isc_logconfig_create(), so see its comment
+ *	below for more information.
+ *
+ * Requires:
+ *\li	mctx is a valid memory context.
+ *\li	lctxp is not null and *lctxp is null.
+ *\li	lcfgp is null or lcfgp is not null and *lcfgp is null.
+ *
+ * Ensures:
+ *\li	*lctxp will point to a valid logging context if all of the necessary
+ *	memory was allocated, or NULL otherwise.
+ *\li	*lcfgp will point to a valid logging configuration if all of the
+ *	necessary memory was allocated, or NULL otherwise.
+ *\li	On failure, no additional memory is allocated.
+ */
+
+void
+isc_logconfig_create(isc_log_t *lctx, isc_logconfig_t **lcfgp);
+/*%<
+ * Create the data structure that holds all of the configurable information
+ * about where messages are actually supposed to be sent -- the information
+ * that could changed based on some configuration file, as opposed to the
+ * the category/module specification of isc_log_[v]write[1] that is compiled
+ * into a program, or the debug_level which is dynamic state information.
+ *
+ * Notes:
+ *\li	It is necessary to specify the logging context the configuration
+ * 	will be used with because the number of categories and modules
+ *	needs to be known in order to set the configuration.  However,
+ *	the configuration is not used by the logging context until the
+ *	isc_logconfig_use function is called.
+ *
+ *\li	The memory context used for operations that allocate memory for
+ *	the configuration is that of the logging context, as specified
+ *	in the isc_log_create call.
+ *
+ *\li	Four default channels are established:
+ *\verbatim
+ *	    	default_syslog
+ *		 - log to syslog's daemon facility #ISC_LOG_INFO or higher
+ *		default_stderr
+ *		 - log to stderr #ISC_LOG_INFO or higher
+ *		default_debug
+ *		 - log to stderr #ISC_LOG_DEBUG dynamically
+ *		null
+ *		 - log nothing
+ *\endverbatim
+ *
+ * Requires:
+ *\li 	lctx is a valid logging context.
+ *\li	lcftp is not null and *lcfgp is null.
+ *
+ * Ensures:
+ *\li	*lcfgp will point to a valid logging context if all of the necessary
+ *	memory was allocated, or NULL otherwise.
+ *\li	On failure, no additional memory is allocated.
+ */
+
+void
+isc_logconfig_use(isc_log_t *lctx, isc_logconfig_t *lcfg);
+/*%<
+ * Associate a new configuration with a logging context.
+ *
+ * Notes:
+ *\li	This is thread safe.  The logging context will lock a mutex
+ *	before attempting to swap in the new configuration, and isc_log_doit
+ *	(the internal function used by all of isc_log_[v]write[1]) locks
+ *	the same lock for the duration of its use of the configuration.
+ *
+ * Requires:
+ *\li	lctx is a valid logging context.
+ *\li	lcfg is a valid logging configuration.
+ *\li	lctx is the same configuration given to isc_logconfig_create
+ *		when the configuration was created.
+ *
+ * Ensures:
+ *\li	Future calls to isc_log_write will use the new configuration.
+ */
+
+void
+isc_log_destroy(isc_log_t **lctxp);
+/*%<
+ * Deallocate the memory associated with a logging context.
+ *
+ * Requires:
+ *\li	*lctx is a valid logging context.
+ *
+ * Ensures:
+ *\li	All of the memory associated with the logging context is returned
+ *	to the free memory pool.
+ *
+ *\li	Any open files are closed.
+ *
+ *\li	The logging context is marked as invalid.
+ */
+
+void
+isc_logconfig_destroy(isc_logconfig_t **lcfgp);
+/*%<
+ * Destroy a logging configuration.
+ *
+ * Requires:
+ *\li	lcfgp is not null and *lcfgp is a valid logging configuration.
+ *\li	The logging configuration is not in use by an existing logging context.
+ *
+ * Ensures:
+ *\li	All memory allocated for the configuration is freed.
+ *
+ *\li	The configuration is marked as invalid.
+ */
+
+void
+isc_log_registercategories(isc_log_t *lctx, isc_logcategory_t categories[]);
+/*%<
+ * Identify logging categories a library will use.
+ *
+ * Notes:
+ *\li	A category should only be registered once, but no mechanism enforces
+ *	this rule.
+ *
+ *\li	The end of the categories array is identified by a NULL name.
+ *
+ *\li	Because the name is used by #ISC_LOG_PRINTCATEGORY, it should not
+ *	be altered or destroyed after isc_log_registercategories().
+ *
+ *\li	Because each element of the categories array is used by
+ *	isc_log_categorybyname, it should not be altered or destroyed
+ *	after registration.
+ *
+ *\li	The value of the id integer in each structure is overwritten
+ *	by this function, and so id need not be initialized to any particular
+ *	value prior to the function call.
+ *
+ *\li	A subsequent call to isc_log_registercategories with the same
+ *	logging context (but new categories) will cause the last
+ *	element of the categories array from the prior call to have
+ *	its "name" member changed from NULL to point to the new
+ *	categories array, and its "id" member set to UINT_MAX.
+ *
+ * Requires:
+ *\li	lctx is a valid logging context.
+ *\li	categories != NULL.
+ *\li	categories[0].name != NULL.
+ *
+ * Ensures:
+ * \li	There are references to each category in the logging context,
+ * 	so they can be used with isc_log_usechannel() and isc_log_write().
+ */
+
+void
+isc_log_registermodules(isc_log_t *lctx, isc_logmodule_t modules[]);
+/*%<
+ * Identify logging categories a library will use.
+ *
+ * Notes:
+ *\li	A module should only be registered once, but no mechanism enforces
+ *	this rule.
+ *
+ *\li	The end of the modules array is identified by a NULL name.
+ *
+ *\li	Because the name is used by #ISC_LOG_PRINTMODULE, it should not
+ *	be altered or destroyed after isc_log_registermodules().
+ *
+ *\li	Because each element of the modules array is used by
+ *	isc_log_modulebyname, it should not be altered or destroyed
+ *	after registration.
+ *
+ *\li	The value of the id integer in each structure is overwritten
+ *	by this function, and so id need not be initialized to any particular
+ *	value prior to the function call.
+ *
+ *\li	A subsequent call to isc_log_registermodules with the same
+ *	logging context (but new modules) will cause the last
+ *	element of the modules array from the prior call to have
+ *	its "name" member changed from NULL to point to the new
+ *	modules array, and its "id" member set to UINT_MAX.
+ *
+ * Requires:
+ *\li	lctx is a valid logging context.
+ *\li	modules != NULL.
+ *\li	modules[0].name != NULL;
+ *
+ * Ensures:
+ *\li	Each module has a reference in the logging context, so they can be
+ *	used with isc_log_usechannel() and isc_log_write().
+ */
+
+void
+isc_log_createchannel(isc_logconfig_t *lcfg, const char *name,
+		      unsigned int type, int level,
+		      const isc_logdestination_t *destination,
+		      unsigned int		  flags);
+/*%<
+ * Specify the parameters of a logging channel.
+ *
+ * Notes:
+ *\li	The name argument is copied to memory in the logging context, so
+ *	it can be altered or destroyed after isc_log_createchannel().
+ *
+ *\li	Defining a very large number of channels will have a performance
+ *	impact on isc_log_usechannel(), since the names are searched
+ *	linearly until a match is made.  This same issue does not affect
+ *	isc_log_write, however.
+ *
+ *\li	Channel names can be redefined; this is primarily useful for programs
+ *	that want their own definition of default_syslog, default_debug
+ *	and default_stderr.
+ *
+ *\li	Any channel that is redefined will not affect logging that was
+ *	already directed to its original definition, _except_ for the
+ *	default_stderr channel.  This case is handled specially so that
+ *	the default logging category can be changed by redefining
+ *	default_stderr.  (XXXDCL Though now that I think of it, the default
+ *	logging category can be changed with only one additional function
+ *	call by defining a new channel and then calling isc_log_usechannel()
+ *	for #ISC_LOGCATEGORY_DEFAULT.)
+ *
+ *\li	Specifying #ISC_LOG_PRINTTIME or #ISC_LOG_PRINTTAG for syslog is
+ *	allowed, but probably not what you wanted to do.
+ *
+ *	#ISC_LOG_DEBUGONLY will mark the channel as usable only when the
+ *	debug level of the logging context (see isc_log_setdebuglevel)
+ *	is non-zero.
+ *
+ * Requires:
+ *\li	lcfg is a valid logging configuration.
+ *
+ *\li	name is not NULL.
+ *
+ *\li	type is #ISC_LOG_TOSYSLOG, #ISC_LOG_TOFILE, #ISC_LOG_TOFILEDESC or
+ *		#ISC_LOG_TONULL.
+ *
+ *\li	destination is not NULL unless type is #ISC_LOG_TONULL.
+ *
+ *\li	level is >= #ISC_LOG_CRITICAL (the most negative logging level).
+ *
+ *\li	flags does not include any bits aside from the ISC_LOG_PRINT* bits,
+ *	#ISC_LOG_DEBUGONLY or #ISC_LOG_BUFFERED.
+ *
+ * Ensures:
+ *\li	#ISC_R_SUCCESS
+ *		A channel with the given name is usable with
+ *		isc_log_usechannel().
+ *
+ *\li	#ISC_R_NOMEMORY or #ISC_R_UNEXPECTED
+ *		No additional memory is being used by the logging context.
+ *		Any channel that previously existed with the given name
+ *		is not redefined.
+ */
+
+isc_result_t
+isc_log_usechannel(isc_logconfig_t *lcfg, const char *name,
+		   const isc_logcategory_t *category,
+		   const isc_logmodule_t   *module);
+/*%<
+ * Associate a named logging channel with a category and module that
+ * will use it.
+ *
+ * Notes:
+ *\li	The name is searched for linearly in the set of known channel names
+ *	until a match is found.  (Note the performance impact of a very large
+ *	number of named channels.)  When multiple channels of the same
+ *	name are defined, the most recent definition is found.
+ *
+ *\li	Specifying a very large number of channels for a category will have
+ *	a moderate impact on performance in isc_log_write(), as each
+ *	call looks up the category for the start of a linked list, which
+ *	it follows all the way to the end to find matching modules.  The
+ *	test for matching modules is  integral, though.
+ *
+ *\li	If category is NULL, then the channel is associated with the indicated
+ *	module for all known categories (including the "default" category).
+ *
+ *\li	If module is NULL, then the channel is associated with every module
+ *	that uses that category.
+ *
+ *\li	Passing both category and module as NULL would make every log message
+ *	use the indicated channel.
+ *
+ * \li	Specifying a channel that is #ISC_LOG_TONULL for a category/module pair
+ *	has no effect on any other channels associated with that pair,
+ *	regardless of ordering.  Thus you cannot use it to "mask out" one
+ *	category/module pair when you have specified some other channel that
+ * 	is also used by that category/module pair.
+ *
+ * Requires:
+ *\li	lcfg is a valid logging configuration.
+ *
+ *\li	category is NULL or has an id that is in the range of known ids.
+ *
+ *	module is NULL or has an id that is in the range of known ids.
+ *
+ * Ensures:
+ *\li	#ISC_R_SUCCESS
+ *		The channel will be used by the indicated category/module
+ *		arguments.
+ *
+ *\li	#ISC_R_NOMEMORY
+ *		If assignment for a specific category has been requested,
+ *		the channel has not been associated with the indicated
+ *		category/module arguments and no additional memory is
+ *		used by the logging context.
+ *		If assignment for all categories has been requested
+ *		then _some_ may have succeeded (starting with category
+ *		"default" and progressing through the order of categories
+ *		passed to isc_log_registercategories()) and additional memory
+ *		is being used by whatever assignments succeeded.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS	Success
+ *\li	#ISC_R_NOMEMORY	Resource limit: Out of memory
+ */
+
+/* Attention: next four comments PRECEDE code */
+/*!
+ *   \brief
+ * Write a message to the log channels.
+ *
+ * Notes:
+ *\li	lctx can be NULL; this is allowed so that programs which use
+ *	libraries that use the ISC logging system are not required to
+ *	also use it.
+ *
+ *\li	The format argument is a printf(3) string, with additional arguments
+ *	as necessary.
+ *
+ * Requires:
+ *\li	lctx is a valid logging context.
+ *
+ *\li	The category and module arguments must have ids that are in the
+ *	range of known ids, as established by isc_log_registercategories()
+ *	and isc_log_registermodules().
+ *
+ *\li	level != #ISC_LOG_DYNAMIC.  ISC_LOG_DYNAMIC is used only to define
+ *	channels, and explicit debugging level must be identified for
+ *	isc_log_write() via ISC_LOG_DEBUG(level).
+ *
+ *\li	format != NULL.
+ *
+ * Ensures:
+ *\li	The log message is written to every channel associated with the
+ *	indicated category/module pair.
+ *
+ * Returns:
+ *\li	Nothing.  Failure to log a message is not construed as a
+ *	meaningful error.
+ */
+void
+isc_log_write(isc_log_t *lctx, isc_logcategory_t *category,
+	      isc_logmodule_t *module, int level, const char *format, ...)
+
+	ISC_FORMAT_PRINTF(5, 6);
+
+/*%
+ * Write a message to the log channels.
+ *
+ * Notes:
+ *\li	lctx can be NULL; this is allowed so that programs which use
+ *	libraries that use the ISC logging system are not required to
+ *	also use it.
+ *
+ *\li	The format argument is a printf(3) string, with additional arguments
+ *	as necessary.
+ *
+ * Requires:
+ *\li	lctx is a valid logging context.
+ *
+ *\li	The category and module arguments must have ids that are in the
+ *	range of known ids, as established by isc_log_registercategories()
+ *	and isc_log_registermodules().
+ *
+ *\li	level != #ISC_LOG_DYNAMIC.  ISC_LOG_DYNAMIC is used only to define
+ *	channels, and explicit debugging level must be identified for
+ *	isc_log_write() via ISC_LOG_DEBUG(level).
+ *
+ *\li	format != NULL.
+ *
+ * Ensures:
+ *\li	The log message is written to every channel associated with the
+ *	indicated category/module pair.
+ *
+ * Returns:
+ *\li	Nothing.  Failure to log a message is not construed as a
+ *	meaningful error.
+ */
+void
+isc_log_vwrite(isc_log_t *lctx, isc_logcategory_t *category,
+	       isc_logmodule_t *module, int level, const char *format,
+	       va_list args)
+
+	ISC_FORMAT_PRINTF(5, 0);
+
+/*%
+ * Write a message to the log channels, pruning duplicates that occur within
+ * a configurable amount of seconds (see isc_log_[sg]etduplicateinterval).
+ * This function is otherwise identical to isc_log_write().
+ */
+void
+isc_log_write1(isc_log_t *lctx, isc_logcategory_t *category,
+	       isc_logmodule_t *module, int level, const char *format, ...)
+
+	ISC_FORMAT_PRINTF(5, 6);
+
+/*%
+ * Write a message to the log channels, pruning duplicates that occur within
+ * a configurable amount of seconds (see isc_log_[sg]etduplicateinterval).
+ * This function is otherwise identical to isc_log_vwrite().
+ */
+void
+isc_log_vwrite1(isc_log_t *lctx, isc_logcategory_t *category,
+		isc_logmodule_t *module, int level, const char *format,
+		va_list args)
+
+	ISC_FORMAT_PRINTF(5, 0);
+
+void
+isc_log_setdebuglevel(isc_log_t *lctx, unsigned int level);
+/*%<
+ * Set the debugging level used for logging.
+ *
+ * Notes:
+ *\li	Setting the debugging level to 0 disables debugging log messages.
+ *
+ * Requires:
+ *\li	lctx is a valid logging context.
+ *
+ * Ensures:
+ *\li	The debugging level is set to the requested value.
+ */
+
+unsigned int
+isc_log_getdebuglevel(isc_log_t *lctx);
+/*%<
+ * Get the current debugging level.
+ *
+ * Notes:
+ *\li	This is provided so that a program can have a notion of
+ *	"increment debugging level" or "decrement debugging level"
+ *	without needing to keep track of what the current level is.
+ *
+ *\li	A return value of 0 indicates that debugging messages are disabled.
+ *
+ * Requires:
+ *\li	lctx is a valid logging context.
+ *
+ * Ensures:
+ *\li	The current logging debugging level is returned.
+ */
+
+bool
+isc_log_wouldlog(isc_log_t *lctx, int level);
+/*%<
+ * Determine whether logging something to 'lctx' at 'level' would
+ * actually cause something to be logged somewhere.
+ *
+ * If #false is returned, it is guaranteed that nothing would
+ * be logged, allowing the caller to omit unnecessary
+ * isc_log_write() calls and possible message preformatting.
+ */
+
+void
+isc_log_setduplicateinterval(isc_logconfig_t *lcfg, unsigned int interval);
+/*%<
+ * Set the interval over which duplicate log messages will be ignored
+ * by isc_log_[v]write1(), in seconds.
+ *
+ * Notes:
+ *\li	Increasing the duplicate interval from X to Y will not necessarily
+ *	filter out duplicates of messages logged in Y - X seconds since the
+ *	increase.  (Example: Message1 is logged at midnight.  Message2
+ *	is logged at 00:01:00, when the interval is only 30 seconds, causing
+ *	Message1 to be expired from the log message history.  Then the interval
+ *	is increased to 3000 (five minutes) and at 00:04:00 Message1 is logged
+ *	again.  It will appear the second time even though less than five
+ *	passed since the first occurrence.
+ *
+ * Requires:
+ *\li	lctx is a valid logging context.
+ */
+
+unsigned int
+isc_log_getduplicateinterval(isc_logconfig_t *lcfg);
+/*%<
+ * Get the current duplicate filtering interval.
+ *
+ * Requires:
+ *\li	lctx is a valid logging context.
+ *
+ * Returns:
+ *\li	The current duplicate filtering interval.
+ */
+
+void
+isc_log_settag(isc_logconfig_t *lcfg, const char *tag);
+/*%<
+ * Set the program name or other identifier for #ISC_LOG_PRINTTAG.
+ *
+ * Requires:
+ *\li	lcfg is a valid logging configuration.
+ *
+ * Notes:
+ *\li	If this function has not set the tag to a non-NULL, non-empty value,
+ *	then the #ISC_LOG_PRINTTAG channel flag will not print anything.
+ *	Unlike some implementations of syslog on Unix systems, you *must* set
+ *	the tag in order to get it logged.  It is not implicitly derived from
+ *	the program name (which is pretty impossible to infer portably).
+ *
+ *\li	Setting the tag to NULL or the empty string will also cause the
+ *	#ISC_LOG_PRINTTAG channel flag to not print anything.  If tag equals the
+ *	empty string, calls to isc_log_gettag will return NULL.
+ *
+ * XXXDCL when creating a new isc_logconfig_t, it might be nice if the tag
+ * of the currently active isc_logconfig_t was inherited.  this does not
+ * currently happen.
+ */
+
+char *
+isc_log_gettag(isc_logconfig_t *lcfg);
+/*%<
+ * Get the current identifier printed with #ISC_LOG_PRINTTAG.
+ *
+ * Requires:
+ *\li	lcfg is a valid logging configuration.
+ *
+ * Notes:
+ *\li	Since isc_log_settag() will not associate a zero-length string
+ *	with the logging configuration, attempts to do so will cause
+ *	this function to return NULL.  However, a determined programmer
+ *	will observe that (currently) a tag of length greater than zero
+ *	could be set, and then modified to be zero length.
+ *
+ * Returns:
+ *\li	A pointer to the current identifier, or NULL if none has been set.
+ */
+
+void
+isc_log_opensyslog(const char *tag, int options, int facility);
+/*%<
+ * Initialize syslog logging.
+ *
+ * Notes:
+ *\li	XXXDCL NT
+ *	This is currently equivalent to openlog(), but is not going to remain
+ *	that way.  In the meantime, the arguments are all identical to
+ *	those used by openlog(3), as follows:
+ *
+ * \code
+ *		tag: The string to use in the position of the program
+ *			name in syslog messages.  Most (all?) syslogs
+ *			will use basename(argv[0]) if tag is NULL.
+ *
+ *		options: LOG_CONS, LOG_PID, LOG_NDELAY ... whatever your
+ *			syslog supports.
+ *
+ *		facility: The default syslog facility.  This is irrelevant
+ *			since isc_log_write will ALWAYS use the channel's
+ *			declared facility.
+ * \endcode
+ *
+ *\li	Zero effort has been made (yet) to accommodate systems with openlog()
+ *	that only takes two arguments, or to identify valid syslog
+ *	facilities or options for any given architecture.
+ *
+ *\li	It is necessary to call isc_log_opensyslog() to initialize
+ *	syslogging on machines which do not support network connections to
+ *	syslogd because they require a Unix domain socket to be used.  Since
+ *	this is a chore to determine at run-time, it is suggested that it
+ *	always be called by programs using the ISC logging system.
+ *
+ * Requires:
+ *\li	Nothing.
+ *
+ * Ensures:
+ *\li	openlog() is called to initialize the syslog system.
+ */
+
+void
+isc_log_closefilelogs(isc_log_t *lctx);
+/*%<
+ * Close all open files used by #ISC_LOG_TOFILE channels.
+ *
+ * Notes:
+ *\li	This function is provided for programs that want to use their own
+ *	log rolling mechanism rather than the one provided internally.
+ *	For example, a program that wanted to keep daily logs would define
+ *	a channel which used #ISC_LOG_ROLLNEVER, then once a day would
+ *	rename the log file and call isc_log_closefilelogs().
+ *
+ *\li	#ISC_LOG_TOFILEDESC channels are unaffected.
+ *
+ * Requires:
+ *\li	lctx is a valid context.
+ *
+ * Ensures:
+ *\li	The open files are closed and will be reopened when they are
+ *	next needed.
+ */
+
+isc_logcategory_t *
+isc_log_categorybyname(isc_log_t *lctx, const char *name);
+/*%<
+ * Find a category by its name.
+ *
+ * Notes:
+ *\li	The string name of a category is not required to be unique.
+ *
+ * Requires:
+ *\li	lctx is a valid context.
+ *\li	name is not NULL.
+ *
+ * Returns:
+ *\li	A pointer to the _first_ isc_logcategory_t structure used by "name".
+ *
+ *\li	NULL if no category exists by that name.
+ */
+
+isc_logmodule_t *
+isc_log_modulebyname(isc_log_t *lctx, const char *name);
+/*%<
+ * Find a module by its name.
+ *
+ * Notes:
+ *\li	The string name of a module is not required to be unique.
+ *
+ * Requires:
+ *\li	lctx is a valid context.
+ *\li	name is not NULL.
+ *
+ * Returns:
+ *\li	A pointer to the _first_ isc_logmodule_t structure used by "name".
+ *
+ *\li	NULL if no module exists by that name.
+ */
+
+void
+isc_log_setcontext(isc_log_t *lctx);
+/*%<
+ * Sets the context used by the libisc for logging.
+ *
+ * Requires:
+ *\li	lctx be a valid context.
+ */
+
+isc_result_t
+isc_logfile_roll(isc_logfile_t *file);
+/*%<
+ * Roll a logfile.
+ *
+ * Requires:
+ *\li	file is not NULL.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_LOG_H */
diff --git a/lib/isc/include/isc/magic.h b/lib/isc/include/isc/magic.h
new file mode 100644
index 0000000..1dc9fc2
--- /dev/null
+++ b/lib/isc/include/isc/magic.h
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_MAGIC_H
+#define ISC_MAGIC_H 1
+
+#include <isc/likely.h>
+
+/*! \file isc/magic.h */
+
+typedef struct {
+	unsigned int magic;
+} isc__magic_t;
+
+/*%
+ * To use this macro the magic number MUST be the first thing in the
+ * structure, and MUST be of type "unsigned int".
+ * The intent of this is to allow magic numbers to be checked even though
+ * the object is otherwise opaque.
+ */
+#define ISC_MAGIC_VALID(a, b)       \
+	(ISC_LIKELY((a) != NULL) && \
+	 ISC_LIKELY(((const isc__magic_t *)(a))->magic == (b)))
+
+#define ISC_MAGIC(a, b, c, d) ((a) << 24 | (b) << 16 | (c) << 8 | (d))
+
+#endif /* ISC_MAGIC_H */
diff --git a/lib/isc/include/isc/managers.h b/lib/isc/include/isc/managers.h
new file mode 100644
index 0000000..0ed17ff
--- /dev/null
+++ b/lib/isc/include/isc/managers.h
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#pragma once
+
+#include <isc/netmgr.h>
+#include <isc/result.h>
+#include <isc/socket.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+
+typedef struct isc_managers isc_managers_t;
+
+isc_result_t
+isc_managers_create(isc_mem_t *mctx, size_t workers, size_t quantum,
+		    isc_nm_t **netmgrp, isc_taskmgr_t **taskmgrp);
+
+void
+isc_managers_destroy(isc_nm_t **netmgrp, isc_taskmgr_t **taskmgrp);
diff --git a/lib/isc/include/isc/md.h b/lib/isc/include/isc/md.h
new file mode 100644
index 0000000..eb9c863
--- /dev/null
+++ b/lib/isc/include/isc/md.h
@@ -0,0 +1,205 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*!
+ * \file isc/md.h
+ * \brief This is the header file for message digest algorithms.
+ */
+
+#pragma once
+
+#include <isc/lang.h>
+#include <isc/platform.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+typedef void isc_md_t;
+
+/**
+ * isc_md_type_t:
+ * @ISC_MD_MD5: MD5
+ * @ISC_MD_SHA1: SHA-1
+ * @ISC_MD_SHA224: SHA-224
+ * @ISC_MD_SHA256: SHA-256
+ * @ISC_MD_SHA384: SHA-384
+ * @ISC_MD_SHA512: SHA-512
+ *
+ * Enumeration of supported message digest algorithms.
+ */
+typedef void isc_md_type_t;
+
+#define ISC_MD_MD5    isc__md_md5()
+#define ISC_MD_SHA1   isc__md_sha1()
+#define ISC_MD_SHA224 isc__md_sha224()
+#define ISC_MD_SHA256 isc__md_sha256()
+#define ISC_MD_SHA384 isc__md_sha384()
+#define ISC_MD_SHA512 isc__md_sha512()
+
+const isc_md_type_t *
+isc__md_md5(void);
+const isc_md_type_t *
+isc__md_sha1(void);
+const isc_md_type_t *
+isc__md_sha224(void);
+const isc_md_type_t *
+isc__md_sha256(void);
+const isc_md_type_t *
+isc__md_sha384(void);
+const isc_md_type_t *
+isc__md_sha512(void);
+
+#define ISC_MD5_DIGESTLENGTH	isc_md_type_get_size(ISC_MD_MD5)
+#define ISC_MD5_BLOCK_LENGTH	isc_md_type_get_block_size(ISC_MD_MD5)
+#define ISC_SHA1_DIGESTLENGTH	isc_md_type_get_size(ISC_MD_SHA1)
+#define ISC_SHA1_BLOCK_LENGTH	isc_md_type_get_block_size(ISC_MD_SHA1)
+#define ISC_SHA224_DIGESTLENGTH isc_md_type_get_size(ISC_MD_SHA224)
+#define ISC_SHA224_BLOCK_LENGTH isc_md_type_get_block_size(ISC_MD_SHA224)
+#define ISC_SHA256_DIGESTLENGTH isc_md_type_get_size(ISC_MD_SHA256)
+#define ISC_SHA256_BLOCK_LENGTH isc_md_type_get_block_size(ISC_MD_SHA256)
+#define ISC_SHA384_DIGESTLENGTH isc_md_type_get_size(ISC_MD_SHA384)
+#define ISC_SHA384_BLOCK_LENGTH isc_md_type_get_block_size(ISC_MD_SHA384)
+#define ISC_SHA512_DIGESTLENGTH isc_md_type_get_size(ISC_MD_SHA512)
+#define ISC_SHA512_BLOCK_LENGTH isc_md_type_get_block_size(ISC_MD_SHA512)
+
+#define ISC_MAX_MD_SIZE	   64U	/* EVP_MAX_MD_SIZE */
+#define ISC_MAX_BLOCK_SIZE 128U /* ISC_SHA512_BLOCK_LENGTH */
+
+/**
+ * isc_md:
+ * @type: the digest type
+ * @buf: the data to hash
+ * @len: the length of the data to hash
+ * @digest: the output buffer
+ * @digestlen: the length of the data written to @digest
+ *
+ * This function hashes @len bytes of data at @buf and places the result in
+ * @digest.  If the @digestlen parameter is not NULL then the number of bytes of
+ * data written (i.e. the length of the digest) will be written to the integer
+ * at @digestlen, at most ISC_MAX_MD_SIZE bytes will be written.
+ */
+isc_result_t
+isc_md(const isc_md_type_t *type, const unsigned char *buf, const size_t len,
+       unsigned char *digest, unsigned int *digestlen);
+
+/**
+ * isc_md_new:
+ *
+ * This function allocates, initializes and returns a digest context.
+ */
+isc_md_t *
+isc_md_new(void);
+
+/**
+ * isc_md_free:
+ * @md: message digest context
+ *
+ * This function cleans up digest context ctx and frees up the space allocated
+ * to it.
+ */
+void
+isc_md_free(isc_md_t *);
+
+/**
+ * isc_md_init:
+ * @md: message digest context
+ * @type: digest type
+ *
+ * This function sets up digest context @md to use a digest @type. @md must be
+ * initialized before calling this function.
+ */
+isc_result_t
+isc_md_init(isc_md_t *, const isc_md_type_t *md_type);
+
+/**
+ * isc_md_reset:
+ * @md: message digest context
+ *
+ * This function resets the digest context ctx. This can be used to reuse an
+ * already existing context.
+ */
+isc_result_t
+isc_md_reset(isc_md_t *md);
+
+/**
+ * isc_md_update:
+ * @md: message digest context
+ * @buf: data to hash
+ * @len: length of the data to hash
+ *
+ * This function hashes @len bytes of data at @buf into the digest context @md.
+ * This function can be called several times on the same @md to hash additional
+ * data.
+ */
+isc_result_t
+isc_md_update(isc_md_t *md, const unsigned char *buf, const size_t len);
+
+/**
+ * isc_md_final:
+ * @md: message digest context
+ * @digest: the output buffer
+ * @digestlen: the length of the data written to @digest
+ *
+ * This function retrieves the digest value from @md and places it in @digest.
+ * If the @digestlen parameter is not NULL then the number of bytes of data
+ * written (i.e. the length of the digest) will be written to the integer at
+ * @digestlen, at most ISC_MAX_MD_SIZE bytes will be written.  After calling
+ * this function no additional calls to isc_md_update() can be made.
+ */
+isc_result_t
+isc_md_final(isc_md_t *md, unsigned char *digest, unsigned int *digestlen);
+
+/**
+ * isc_md_get_type:
+ * @md: message digest contezt
+ *
+ * This function return the isc_md_type_t previously set for the supplied
+ * message digest context or NULL if no isc_md_type_t has been set.
+ */
+const isc_md_type_t *
+isc_md_get_md_type(isc_md_t *md);
+
+/**
+ * isc_md_size:
+ *
+ * This function return the size of the message digest when passed an isc_md_t
+ * structure, i.e. the size of the hash.
+ */
+size_t
+isc_md_get_size(isc_md_t *md);
+
+/**
+ * isc_md_block_size:
+ *
+ * This function return the block size of the message digest when passed an
+ * isc_md_t structure.
+ */
+size_t
+isc_md_get_block_size(isc_md_t *md);
+
+/**
+ * isc_md_size:
+ *
+ * This function return the size of the message digest when passed an
+ * isc_md_type_t , i.e. the size of the hash.
+ */
+size_t
+isc_md_type_get_size(const isc_md_type_t *md_type);
+
+/**
+ * isc_md_block_size:
+ *
+ * This function return the block size of the message digest when passed an
+ * isc_md_type_t.
+ */
+size_t
+isc_md_type_get_block_size(const isc_md_type_t *md_type);
diff --git a/lib/isc/include/isc/mem.h b/lib/isc/include/isc/mem.h
new file mode 100644
index 0000000..1542edd
--- /dev/null
+++ b/lib/isc/include/isc/mem.h
@@ -0,0 +1,633 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_MEM_H
+#define ISC_MEM_H 1
+
+/*! \file isc/mem.h */
+
+#include <stdbool.h>
+#include <stdio.h>
+
+#include <isc/lang.h>
+#include <isc/mutex.h>
+#include <isc/platform.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+ISC_LANG_BEGINDECLS
+
+#define ISC_MEM_LOWATER 0
+#define ISC_MEM_HIWATER 1
+typedef void (*isc_mem_water_t)(void *, int);
+
+/*%
+ * Define ISC_MEM_TRACKLINES=1 to turn on detailed tracing of memory
+ * allocation and freeing by file and line number.
+ */
+#ifndef ISC_MEM_TRACKLINES
+#define ISC_MEM_TRACKLINES 1
+#endif /* ifndef ISC_MEM_TRACKLINES */
+
+/*%
+ * Define ISC_MEM_CHECKOVERRUN=1 to turn on checks for using memory outside
+ * the requested space.  This will increase the size of each allocation.
+ *
+ * If we are performing a Coverity static analysis then ISC_MEM_CHECKOVERRUN
+ * can hide bugs that would otherwise discovered so force to zero.
+ */
+#ifdef __COVERITY__
+#undef ISC_MEM_CHECKOVERRUN
+#define ISC_MEM_CHECKOVERRUN 0
+#endif /* ifdef __COVERITY__ */
+#ifndef ISC_MEM_CHECKOVERRUN
+#define ISC_MEM_CHECKOVERRUN 1
+#endif /* ifndef ISC_MEM_CHECKOVERRUN */
+
+/*%
+ * Define ISC_MEMPOOL_NAMES=1 to make memory pools store a symbolic
+ * name so that the leaking pool can be more readily identified in
+ * case of a memory leak.
+ */
+#ifndef ISC_MEMPOOL_NAMES
+#define ISC_MEMPOOL_NAMES 1
+#endif /* ifndef ISC_MEMPOOL_NAMES */
+
+LIBISC_EXTERNAL_DATA extern unsigned int isc_mem_debugging;
+LIBISC_EXTERNAL_DATA extern unsigned int isc_mem_defaultflags;
+
+/*@{*/
+#define ISC_MEM_DEBUGTRACE  0x00000001U
+#define ISC_MEM_DEBUGRECORD 0x00000002U
+#define ISC_MEM_DEBUGUSAGE  0x00000004U
+#define ISC_MEM_DEBUGSIZE   0x00000008U
+#define ISC_MEM_DEBUGCTX    0x00000010U
+#define ISC_MEM_DEBUGALL    0x0000001FU
+/*!<
+ * The variable isc_mem_debugging holds a set of flags for
+ * turning certain memory debugging options on or off at
+ * runtime.  It is initialized to the value ISC_MEM_DEGBUGGING,
+ * which is 0 by default but may be overridden at compile time.
+ * The following flags can be specified:
+ *
+ * \li #ISC_MEM_DEBUGTRACE
+ *	Log each allocation and free to isc_lctx.
+ *
+ * \li #ISC_MEM_DEBUGRECORD
+ *	Remember each allocation, and match them up on free.
+ *	Crash if a free doesn't match an allocation.
+ *
+ * \li #ISC_MEM_DEBUGUSAGE
+ *	If a hi_water mark is set, print the maximum inuse memory
+ *	every time it is raised once it exceeds the hi_water mark.
+ *
+ * \li #ISC_MEM_DEBUGSIZE
+ *	Check the size argument being passed to isc_mem_put() matches
+ *	that passed to isc_mem_get().
+ *
+ * \li #ISC_MEM_DEBUGCTX
+ *	Check the mctx argument being passed to isc_mem_put() matches
+ *	that passed to isc_mem_get().
+ */
+/*@}*/
+
+#if ISC_MEM_TRACKLINES
+#define _ISC_MEM_FILELINE , __FILE__, __LINE__
+#define _ISC_MEM_FLARG	  , const char *, unsigned int
+#else /* if ISC_MEM_TRACKLINES */
+#define _ISC_MEM_FILELINE
+#define _ISC_MEM_FLARG
+#endif /* if ISC_MEM_TRACKLINES */
+
+/*!
+ * Define ISC_MEM_USE_INTERNAL_MALLOC=1 to use the internal malloc()
+ * implementation in preference to the system one.  The internal malloc()
+ * is very space-efficient, and quite fast on uniprocessor systems.  It
+ * performs poorly on multiprocessor machines.
+ * JT: we can overcome the performance issue on multiprocessor machines
+ * by carefully separating memory contexts.
+ */
+
+#if !defined(ISC_MEM_USE_INTERNAL_MALLOC) && !__SANITIZE_ADDRESS__
+#define ISC_MEM_USE_INTERNAL_MALLOC 0
+#endif /* ifndef ISC_MEM_USE_INTERNAL_MALLOC */
+
+/*
+ * Flags for isc_mem_create() calls.
+ */
+#define ISC_MEMFLAG_RESERVED 0x00000001 /* reserved, obsoleted, don't use */
+#define ISC_MEMFLAG_INTERNAL 0x00000002 /* use internal malloc */
+#define ISC_MEMFLAG_FILL \
+	0x00000004 /* fill with pattern after alloc and frees */
+
+/*%
+ * Define ISC_MEM_DEFAULTFILL=1 to turn filling the memory with pattern
+ * after alloc and free.
+ */
+#if !ISC_MEM_USE_INTERNAL_MALLOC
+
+#if ISC_MEM_DEFAULTFILL
+#define ISC_MEMFLAG_DEFAULT ISC_MEMFLAG_FILL
+#else /* if ISC_MEM_DEFAULTFILL */
+#define ISC_MEMFLAG_DEFAULT 0
+#endif /* if ISC_MEM_DEFAULTFILL */
+
+#else /* if !ISC_MEM_USE_INTERNAL_MALLOC */
+
+#if ISC_MEM_DEFAULTFILL
+#define ISC_MEMFLAG_DEFAULT ISC_MEMFLAG_INTERNAL | ISC_MEMFLAG_FILL
+#else /* if ISC_MEM_DEFAULTFILL */
+#define ISC_MEMFLAG_DEFAULT ISC_MEMFLAG_INTERNAL
+#endif /* if ISC_MEM_DEFAULTFILL */
+
+#endif /* if !ISC_MEM_USE_INTERNAL_MALLOC */
+
+/*%
+ * isc_mem_putanddetach() is a convenience function for use where you
+ * have a structure with an attached memory context.
+ *
+ * Given:
+ *
+ * \code
+ * struct {
+ *	...
+ *	isc_mem_t *mctx;
+ *	...
+ * } *ptr;
+ *
+ * isc_mem_t *mctx;
+ *
+ * isc_mem_putanddetach(&ptr->mctx, ptr, sizeof(*ptr));
+ * \endcode
+ *
+ * is the equivalent of:
+ *
+ * \code
+ * mctx = NULL;
+ * isc_mem_attach(ptr->mctx, &mctx);
+ * isc_mem_detach(&ptr->mctx);
+ * isc_mem_put(mctx, ptr, sizeof(*ptr));
+ * isc_mem_detach(&mctx);
+ * \endcode
+ */
+
+/*% memory and memory pool methods */
+typedef struct isc_memmethods {
+	void *(*memget)(isc_mem_t *mctx, size_t size _ISC_MEM_FLARG);
+	void (*memput)(isc_mem_t *mctx, void *ptr, size_t size _ISC_MEM_FLARG);
+	void (*memputanddetach)(isc_mem_t **mctxp, void *ptr,
+				size_t size _ISC_MEM_FLARG);
+	void *(*memallocate)(isc_mem_t *mctx, size_t size _ISC_MEM_FLARG);
+	void *(*memreallocate)(isc_mem_t *mctx, void *ptr,
+			       size_t size _ISC_MEM_FLARG);
+	char *(*memstrdup)(isc_mem_t *mctx, const char *s _ISC_MEM_FLARG);
+	char *(*memstrndup)(isc_mem_t *mctx, const char *s,
+			    size_t size _ISC_MEM_FLARG);
+	void (*memfree)(isc_mem_t *mctx, void *ptr _ISC_MEM_FLARG);
+} isc_memmethods_t;
+
+/*%
+ * This structure is actually just the common prefix of a memory context
+ * implementation's version of an isc_mem_t.
+ * \brief
+ * Direct use of this structure by clients is forbidden.  mctx implementations
+ * may change the structure.  'magic' must be ISCAPI_MCTX_MAGIC for any of the
+ * isc_mem_ routines to work.  mctx implementations must maintain all mctx
+ * invariants.
+ */
+struct isc_mem {
+	unsigned int	  impmagic;
+	unsigned int	  magic;
+	isc_memmethods_t *methods;
+};
+
+#define ISCAPI_MCTX_MAGIC    ISC_MAGIC('A', 'm', 'c', 'x')
+#define ISCAPI_MCTX_VALID(m) ((m) != NULL && (m)->magic == ISCAPI_MCTX_MAGIC)
+
+/*%
+ * This is the common prefix of a memory pool context.  The same note as
+ * that for the mem structure applies.
+ */
+struct isc_mempool {
+	unsigned int impmagic;
+	unsigned int magic;
+};
+
+#define ISCAPI_MPOOL_MAGIC ISC_MAGIC('A', 'm', 'p', 'l')
+#define ISCAPI_MPOOL_VALID(mp) \
+	((mp) != NULL && (mp)->magic == ISCAPI_MPOOL_MAGIC)
+
+/*%
+ * These functions are actually implemented in isc__mem_<function>
+ * (two underscores). The single-underscore macros are used to pass
+ * __FILE__ and __LINE__, and in the case of the put functions, to
+ * set the pointer being freed to NULL in the calling function.
+ *
+ * Many of these functions have a further isc___mem_<function>
+ * (three underscores) implementation, which is called indirectly
+ * via the isc_memmethods structure in the mctx so that dynamically
+ * loaded modules can use them even if named is statically linked.
+ */
+
+#define ISCMEMFUNC(sfx)	    isc__mem_##sfx
+#define ISCMEMPOOLFUNC(sfx) isc__mempool_##sfx
+
+#define isc_mem_get(c, s)      ISCMEMFUNC(get)((c), (s)_ISC_MEM_FILELINE)
+#define isc_mem_allocate(c, s) ISCMEMFUNC(allocate)((c), (s)_ISC_MEM_FILELINE)
+#define isc_mem_reallocate(c, p, s) \
+	ISCMEMFUNC(reallocate)((c), (p), (s)_ISC_MEM_FILELINE)
+#define isc_mem_strdup(c, p) ISCMEMFUNC(strdup)((c), (p)_ISC_MEM_FILELINE)
+#define isc_mem_strndup(c, p, s) \
+	ISCMEMFUNC(strndup)((c), (p), (s)_ISC_MEM_FILELINE)
+#define isc_mempool_get(c) ISCMEMPOOLFUNC(get)((c)_ISC_MEM_FILELINE)
+
+#define isc_mem_put(c, p, s)                                     \
+	do {                                                     \
+		ISCMEMFUNC(put)((c), (p), (s)_ISC_MEM_FILELINE); \
+		(p) = NULL;                                      \
+	} while (0)
+#define isc_mem_putanddetach(c, p, s)                                     \
+	do {                                                              \
+		ISCMEMFUNC(putanddetach)((c), (p), (s)_ISC_MEM_FILELINE); \
+		(p) = NULL;                                               \
+	} while (0)
+#define isc_mem_free(c, p)                                   \
+	do {                                                 \
+		ISCMEMFUNC(free)((c), (p)_ISC_MEM_FILELINE); \
+		(p) = NULL;                                  \
+	} while (0)
+#define isc_mempool_put(c, p)                                   \
+	do {                                                    \
+		ISCMEMPOOLFUNC(put)((c), (p)_ISC_MEM_FILELINE); \
+		(p) = NULL;                                     \
+	} while (0)
+
+/*@{*/
+void
+isc_mem_create(isc_mem_t **mctxp);
+
+/*!<
+ * \brief Create a memory context.
+ *
+ * Requires:
+ * mctxp != NULL && *mctxp == NULL */
+/*@}*/
+
+/*@{*/
+void
+isc_mem_attach(isc_mem_t *, isc_mem_t **);
+void
+isc_mem_detach(isc_mem_t **);
+/*!<
+ * \brief Attach to / detach from a memory context.
+ *
+ * This is intended for applications that use multiple memory contexts
+ * in such a way that it is not obvious when the last allocations from
+ * a given context has been freed and destroying the context is safe.
+ *
+ * Most applications do not need to call these functions as they can
+ * simply create a single memory context at the beginning of main()
+ * and destroy it at the end of main(), thereby guaranteeing that it
+ * is not destroyed while there are outstanding allocations.
+ */
+/*@}*/
+
+void
+isc_mem_destroy(isc_mem_t **);
+/*%<
+ * Destroy a memory context.
+ */
+
+void
+isc_mem_stats(isc_mem_t *mctx, FILE *out);
+/*%<
+ * Print memory usage statistics for 'mctx' on the stream 'out'.
+ */
+
+void
+isc_mem_setdestroycheck(isc_mem_t *mctx, bool on);
+/*%<
+ * If 'on' is true, 'mctx' will check for memory leaks when
+ * destroyed and abort the program if any are present.
+ */
+
+size_t
+isc_mem_inuse(isc_mem_t *mctx);
+/*%<
+ * Get an estimate of the amount of memory in use in 'mctx', in bytes.
+ * This includes quantization overhead, but does not include memory
+ * allocated from the system but not yet used.
+ */
+
+size_t
+isc_mem_maxinuse(isc_mem_t *mctx);
+/*%<
+ * Get an estimate of the largest amount of memory that has been in
+ * use in 'mctx' at any time.
+ */
+
+size_t
+isc_mem_total(isc_mem_t *mctx);
+/*%<
+ * Get the total amount of memory in 'mctx', in bytes, including memory
+ * not yet used.
+ */
+
+bool
+isc_mem_isovermem(isc_mem_t *mctx);
+/*%<
+ * Return true iff the memory context is in "over memory" state, i.e.,
+ * a hiwater mark has been set and the used amount of memory has exceeds
+ * the mark.
+ */
+
+void
+isc_mem_setwater(isc_mem_t *mctx, isc_mem_water_t water, void *water_arg,
+		 size_t hiwater, size_t lowater);
+/*%<
+ * Set high and low water marks for this memory context.
+ *
+ * When the memory usage of 'mctx' exceeds 'hiwater',
+ * '(water)(water_arg, #ISC_MEM_HIWATER)' will be called.  'water' needs to
+ * call isc_mem_waterack() with #ISC_MEM_HIWATER to acknowledge the state
+ * change.  'water' may be called multiple times.
+ *
+ * When the usage drops below 'lowater', 'water' will again be called, this
+ * time with #ISC_MEM_LOWATER.  'water' need to calls isc_mem_waterack() with
+ * #ISC_MEM_LOWATER to acknowledge the change.
+ *
+ *	static void
+ *	water(void *arg, int mark) {
+ *		struct foo *foo = arg;
+ *
+ *		LOCK(&foo->marklock);
+ *		if (foo->mark != mark) {
+ * 			foo->mark = mark;
+ *			....
+ *			isc_mem_waterack(foo->mctx, mark);
+ *		}
+ *		UNLOCK(&foo->marklock);
+ *	}
+ *
+ * If 'water' is NULL then 'water_arg', 'hi_water' and 'lo_water' are
+ * ignored and the state is reset.
+ *
+ * Requires:
+ *
+ *	'water' is not NULL.
+ *	hi_water >= lo_water
+ */
+
+void
+isc_mem_waterack(isc_mem_t *ctx, int mark);
+/*%<
+ * Called to acknowledge changes in signaled by calls to 'water'.
+ */
+
+void
+isc_mem_checkdestroyed(FILE *file);
+/*%<
+ * Check that all memory contexts have been destroyed.
+ * Prints out those that have not been.
+ * Fatally fails if there are still active contexts.
+ */
+
+unsigned int
+isc_mem_references(isc_mem_t *ctx);
+/*%<
+ * Return the current reference count.
+ */
+
+void
+isc_mem_setname(isc_mem_t *ctx, const char *name, void *tag);
+/*%<
+ * Name 'ctx'.
+ *
+ * Notes:
+ *
+ *\li	Only the first 15 characters of 'name' will be copied.
+ *
+ *\li	'tag' is for debugging purposes only.
+ *
+ * Requires:
+ *
+ *\li	'ctx' is a valid ctx.
+ */
+
+const char *
+isc_mem_getname(isc_mem_t *ctx);
+/*%<
+ * Get the name of 'ctx', as previously set using isc_mem_setname().
+ *
+ * Requires:
+ *\li	'ctx' is a valid ctx.
+ *
+ * Returns:
+ *\li	A non-NULL pointer to a null-terminated string.
+ * 	If the ctx has not been named, the string is
+ * 	empty.
+ */
+
+void *
+isc_mem_gettag(isc_mem_t *ctx);
+/*%<
+ * Get the tag value for  'task', as previously set using isc_mem_setname().
+ *
+ * Requires:
+ *\li	'ctx' is a valid ctx.
+ *
+ * Notes:
+ *\li	This function is for debugging purposes only.
+ *
+ * Requires:
+ *\li	'ctx' is a valid task.
+ */
+
+#ifdef HAVE_LIBXML2
+int
+isc_mem_renderxml(void *writer0);
+/*%<
+ * Render all contexts' statistics and status in XML for writer.
+ */
+#endif /* HAVE_LIBXML2 */
+
+#ifdef HAVE_JSON_C
+isc_result_t
+isc_mem_renderjson(void *memobj0);
+/*%<
+ * Render all contexts' statistics and status in JSON.
+ */
+#endif /* HAVE_JSON_C */
+
+/*
+ * Memory pools
+ */
+
+void
+isc_mempool_create(isc_mem_t *mctx, size_t size, isc_mempool_t **mpctxp);
+/*%<
+ * Create a memory pool.
+ *
+ * Requires:
+ *\li	mctx is a valid memory context.
+ *\li	size > 0
+ *\li	mpctxp != NULL and *mpctxp == NULL
+ *
+ * Defaults:
+ *\li	maxalloc = UINT_MAX
+ *\li	freemax = 1
+ *\li	fillcount = 1
+ *
+ * Returns:
+ *\li	#ISC_R_NOMEMORY		-- not enough memory to create pool
+ *\li	#ISC_R_SUCCESS		-- all is well.
+ */
+
+void
+isc_mempool_destroy(isc_mempool_t **mpctxp);
+/*%<
+ * Destroy a memory pool.
+ *
+ * Requires:
+ *\li	mpctxp != NULL && *mpctxp is a valid pool.
+ *\li	The pool has no un"put" allocations outstanding
+ */
+
+void
+isc_mempool_setname(isc_mempool_t *mpctx, const char *name);
+/*%<
+ * Associate a name with a memory pool.  At most 15 characters may be used.
+ *
+ * Requires:
+ *\li	mpctx is a valid pool.
+ *\li	name != NULL;
+ */
+
+/*
+ * The following functions get/set various parameters.  Note that due to
+ * the unlocked nature of pools these are potentially random values unless
+ * the imposed externally provided locking protocols are followed.
+ *
+ * Also note that the quota limits will not always take immediate effect.
+ * For instance, setting "maxalloc" to a number smaller than the currently
+ * allocated count is permitted.  New allocations will be refused until
+ * the count drops below this threshold.
+ *
+ * All functions require (in addition to other requirements):
+ *	mpctx is a valid memory pool
+ */
+
+unsigned int
+isc_mempool_getfreemax(isc_mempool_t *mpctx);
+/*%<
+ * Returns the maximum allowed size of the free list.
+ */
+
+void
+isc_mempool_setfreemax(isc_mempool_t *mpctx, unsigned int limit);
+/*%<
+ * Sets the maximum allowed size of the free list.
+ */
+
+unsigned int
+isc_mempool_getfreecount(isc_mempool_t *mpctx);
+/*%<
+ * Returns current size of the free list.
+ */
+
+unsigned int
+isc_mempool_getmaxalloc(isc_mempool_t *mpctx);
+/*!<
+ * Returns the maximum allowed number of allocations.
+ */
+
+void
+isc_mempool_setmaxalloc(isc_mempool_t *mpctx, unsigned int limit);
+/*%<
+ * Sets the maximum allowed number of allocations.
+ *
+ * Additional requirements:
+ *\li	limit > 0
+ */
+
+unsigned int
+isc_mempool_getallocated(isc_mempool_t *mpctx);
+/*%<
+ * Returns the number of items allocated from this pool.
+ */
+
+unsigned int
+isc_mempool_getfillcount(isc_mempool_t *mpctx);
+/*%<
+ * Returns the number of items allocated as a block from the parent memory
+ * context when the free list is empty.
+ */
+
+void
+isc_mempool_setfillcount(isc_mempool_t *mpctx, unsigned int limit);
+/*%<
+ * Sets the fillcount.
+ *
+ * Additional requirements:
+ *\li	limit > 0
+ */
+
+#if defined(UNIT_TESTING) && defined(malloc)
+/*
+ * cmocka.h redefined malloc as a macro, we #undef it
+ * to avoid replacing ISC_ATTR_MALLOC with garbage.
+ */
+#pragma push_macro("malloc")
+#undef malloc
+#define POP_MALLOC_MACRO 1
+#endif
+
+/*
+ * Pseudo-private functions for use via macros.  Do not call directly.
+ */
+void ISCMEMFUNC(putanddetach)(isc_mem_t **, void *, size_t _ISC_MEM_FLARG);
+void ISCMEMFUNC(put)(isc_mem_t *, void *, size_t _ISC_MEM_FLARG);
+void ISCMEMFUNC(free)(isc_mem_t *, void *_ISC_MEM_FLARG);
+
+ISC_ATTR_RETURNS_NONNULL
+ISC_ATTR_MALLOC_DEALLOCATOR_IDX(ISCMEMFUNC(put), 2)
+void *ISCMEMFUNC(get)(isc_mem_t *, size_t _ISC_MEM_FLARG);
+
+ISC_ATTR_RETURNS_NONNULL
+ISC_ATTR_MALLOC_DEALLOCATOR_IDX(ISCMEMFUNC(free), 2)
+void *ISCMEMFUNC(allocate)(isc_mem_t *, size_t _ISC_MEM_FLARG);
+
+ISC_ATTR_RETURNS_NONNULL
+ISC_ATTR_DEALLOCATOR_IDX(ISCMEMFUNC(free), 2)
+void *ISCMEMFUNC(reallocate)(isc_mem_t *, void *, size_t _ISC_MEM_FLARG);
+
+ISC_ATTR_RETURNS_NONNULL
+ISC_ATTR_MALLOC_DEALLOCATOR_IDX(ISCMEMFUNC(free), 2)
+char *ISCMEMFUNC(strdup)(isc_mem_t *, const char *_ISC_MEM_FLARG);
+char *ISCMEMFUNC(strndup)(isc_mem_t *, const char *, size_t _ISC_MEM_FLARG);
+
+ISC_ATTR_MALLOC_DEALLOCATOR_IDX(ISCMEMPOOLFUNC(put), 2)
+void *ISCMEMPOOLFUNC(get)(isc_mempool_t *_ISC_MEM_FLARG);
+
+void ISCMEMPOOLFUNC(put)(isc_mempool_t *, void *_ISC_MEM_FLARG);
+
+#ifdef POP_MALLOC_MACRO
+/*
+ * Restore cmocka.h macro for malloc.
+ */
+#pragma pop_macro("malloc")
+#endif
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_MEM_H */
diff --git a/lib/isc/include/isc/meminfo.h b/lib/isc/include/isc/meminfo.h
new file mode 100644
index 0000000..3cda5b2
--- /dev/null
+++ b/lib/isc/include/isc/meminfo.h
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_MEMINFO_H
+#define ISC_MEMINFO_H 1
+
+#include <inttypes.h>
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+uint64_t
+isc_meminfo_totalphys(void);
+/*%<
+ * Return total available physical memory in bytes, or 0 if this cannot
+ * be determined
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_MEMINFO_H */
diff --git a/lib/isc/include/isc/mutexblock.h b/lib/isc/include/isc/mutexblock.h
new file mode 100644
index 0000000..d2144e1
--- /dev/null
+++ b/lib/isc/include/isc/mutexblock.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_MUTEXBLOCK_H
+#define ISC_MUTEXBLOCK_H 1
+
+/*! \file isc/mutexblock.h */
+
+#include <isc/lang.h>
+#include <isc/mutex.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+void
+isc_mutexblock_init(isc_mutex_t *block, unsigned int count);
+/*%<
+ * Initialize a block of locks.  If an error occurs all initialized locks
+ * will be destroyed, if possible.
+ *
+ * Requires:
+ *
+ *\li	block != NULL
+ *
+ *\li	count > 0
+ *
+ */
+
+void
+isc_mutexblock_destroy(isc_mutex_t *block, unsigned int count);
+/*%<
+ * Destroy a block of locks.
+ *
+ * Requires:
+ *
+ *\li	block != NULL
+ *
+ *\li	count > 0
+ *
+ *\li	Each lock in the block be initialized via isc_mutex_init() or
+ * 	the whole block was initialized via isc_mutex_initblock().
+ *
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_MUTEXBLOCK_H */
diff --git a/lib/isc/include/isc/netaddr.h b/lib/isc/include/isc/netaddr.h
new file mode 100644
index 0000000..519aec7
--- /dev/null
+++ b/lib/isc/include/isc/netaddr.h
@@ -0,0 +1,199 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_NETADDR_H
+#define ISC_NETADDR_H 1
+
+/*! \file isc/netaddr.h */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/net.h>
+#include <isc/types.h>
+
+#ifdef ISC_PLATFORM_HAVESYSUNH
+#include <sys/types.h>
+#include <sys/un.h>
+#endif /* ifdef ISC_PLATFORM_HAVESYSUNH */
+
+ISC_LANG_BEGINDECLS
+
+/*
+ * Any updates to this structure should also be applied in
+ * contrib/modules/dlz/dlz_minmal.h.
+ */
+struct isc_netaddr {
+	unsigned int family;
+	union {
+		struct in_addr	in;
+		struct in6_addr in6;
+#ifdef ISC_PLATFORM_HAVESYSUNH
+		char un[sizeof(((struct sockaddr_un *)0)->sun_path)];
+#endif /* ifdef ISC_PLATFORM_HAVESYSUNH */
+	} type;
+	uint32_t zone;
+};
+
+bool
+isc_netaddr_equal(const isc_netaddr_t *a, const isc_netaddr_t *b);
+
+/*%<
+ * Compare network addresses 'a' and 'b'.  Return #true if
+ * they are equal, #false if not.
+ */
+
+bool
+isc_netaddr_eqprefix(const isc_netaddr_t *a, const isc_netaddr_t *b,
+		     unsigned int prefixlen);
+/*%<
+ * Compare the 'prefixlen' most significant bits of the network
+ * addresses 'a' and 'b'.  If 'b''s scope is zero then 'a''s scope is
+ * ignored.  Return #true if they are equal, #false if not.
+ */
+
+isc_result_t
+isc_netaddr_masktoprefixlen(const isc_netaddr_t *s, unsigned int *lenp);
+/*%<
+ * Convert a netmask in 's' into a prefix length in '*lenp'.
+ * The mask should consist of zero or more '1' bits in the
+ * most significant part of the address, followed by '0' bits.
+ * If this is not the case, #ISC_R_MASKNONCONTIG is returned.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_MASKNONCONTIG
+ */
+
+isc_result_t
+isc_netaddr_totext(const isc_netaddr_t *netaddr, isc_buffer_t *target);
+/*%<
+ * Append a text representation of 'sockaddr' to the buffer 'target'.
+ * The text is NOT null terminated.  Handles IPv4 and IPv6 addresses.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOSPACE	The text or the null termination did not fit.
+ *\li	#ISC_R_FAILURE	Unspecified failure
+ */
+
+void
+isc_netaddr_format(const isc_netaddr_t *na, char *array, unsigned int size);
+/*%<
+ * Format a human-readable representation of the network address '*na'
+ * into the character array 'array', which is of size 'size'.
+ * The resulting string is guaranteed to be null-terminated.
+ */
+
+#define ISC_NETADDR_FORMATSIZE \
+	sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:XXX.XXX.XXX.XXX%SSSSSSSSSS")
+/*%<
+ * Minimum size of array to pass to isc_netaddr_format().
+ */
+
+void
+isc_netaddr_fromsockaddr(isc_netaddr_t *netaddr, const isc_sockaddr_t *source);
+
+void
+isc_netaddr_fromin(isc_netaddr_t *netaddr, const struct in_addr *ina);
+
+void
+isc_netaddr_fromin6(isc_netaddr_t *netaddr, const struct in6_addr *ina6);
+
+isc_result_t
+isc_netaddr_frompath(isc_netaddr_t *netaddr, const char *path);
+
+void
+isc_netaddr_setzone(isc_netaddr_t *netaddr, uint32_t zone);
+
+uint32_t
+isc_netaddr_getzone(const isc_netaddr_t *netaddr);
+
+void
+isc_netaddr_any(isc_netaddr_t *netaddr);
+/*%<
+ * Return the IPv4 wildcard address.
+ */
+
+void
+isc_netaddr_any6(isc_netaddr_t *netaddr);
+/*%<
+ * Return the IPv6 wildcard address.
+ */
+
+void
+isc_netaddr_unspec(isc_netaddr_t *netaddr);
+/*%<
+ * Initialize as AF_UNSPEC address.
+ */
+
+bool
+isc_netaddr_ismulticast(const isc_netaddr_t *na);
+/*%<
+ * Returns true if the address is a multicast address.
+ */
+
+bool
+isc_netaddr_isexperimental(const isc_netaddr_t *na);
+/*%<
+ * Returns true if the address is a experimental (CLASS E) address.
+ */
+
+bool
+isc_netaddr_islinklocal(const isc_netaddr_t *na);
+/*%<
+ * Returns #true if the address is a link local address.
+ */
+
+bool
+isc_netaddr_issitelocal(const isc_netaddr_t *na);
+/*%<
+ * Returns #true if the address is a site local address.
+ */
+
+bool
+isc_netaddr_isnetzero(const isc_netaddr_t *na);
+/*%<
+ * Returns #true if the address is in net zero.
+ */
+
+void
+isc_netaddr_fromv4mapped(isc_netaddr_t *t, const isc_netaddr_t *s);
+/*%<
+ * Convert an IPv6 v4mapped address into an IPv4 address.
+ */
+
+isc_result_t
+isc_netaddr_prefixok(const isc_netaddr_t *na, unsigned int prefixlen);
+/*
+ * Test whether the netaddr 'na' and 'prefixlen' are consistent.
+ * e.g. prefixlen within range.
+ *      na does not have bits set which are not covered by the prefixlen.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS
+ *	ISC_R_RANGE		prefixlen out of range
+ *	ISC_R_NOTIMPLEMENTED	unsupported family
+ *	ISC_R_FAILURE		extra bits.
+ */
+
+bool
+isc_netaddr_isloopback(const isc_netaddr_t *na);
+/*
+ * Test whether the netaddr 'na' is a loopback IPv4 or IPv6 address (in
+ * 127.0.0.0/8 or ::1).
+ */
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_NETADDR_H */
diff --git a/lib/isc/include/isc/netmgr.h b/lib/isc/include/isc/netmgr.h
new file mode 100644
index 0000000..f1747be
--- /dev/null
+++ b/lib/isc/include/isc/netmgr.h
@@ -0,0 +1,540 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#pragma once
+
+#include <unistd.h>
+
+#include <isc/mem.h>
+#include <isc/region.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+#ifndef _WIN32
+#include <sys/socket.h>
+#include <sys/types.h>
+#endif
+
+#if defined(SO_REUSEPORT_LB) || (defined(SO_REUSEPORT) && defined(__linux__))
+#define HAVE_SO_REUSEPORT_LB 1
+#endif
+
+/*
+ * Replacement for isc_sockettype_t provided by socket.h.
+ */
+typedef enum {
+	isc_socktype_tcp = 1,
+	isc_socktype_udp = 2,
+	isc_socktype_unix = 3,
+	isc_socktype_raw = 4
+} isc_socktype_t;
+
+typedef void (*isc_nm_recv_cb_t)(isc_nmhandle_t *handle, isc_result_t eresult,
+				 isc_region_t *region, void *cbarg);
+/*%<
+ * Callback function to be used when receiving a packet.
+ *
+ * 'handle' the handle that can be used to send back the answer.
+ * 'eresult' the result of the event.
+ * 'region' contains the received data, if any. It will be freed
+ *          after return by caller.
+ * 'cbarg'  the callback argument passed to isc_nm_listenudp(),
+ *          isc_nm_listentcpdns(), or isc_nm_read().
+ */
+typedef isc_result_t (*isc_nm_accept_cb_t)(isc_nmhandle_t *handle,
+					   isc_result_t result, void *cbarg);
+/*%<
+ * Callback function to be used when accepting a connection. (This differs
+ * from isc_nm_cb_t below in that it returns a result code.)
+ *
+ * 'handle' the handle that can be used to send back the answer.
+ * 'eresult' the result of the event.
+ * 'cbarg'  the callback argument passed to isc_nm_listentcp() or
+ * isc_nm_listentcpdns().
+ */
+
+typedef void (*isc_nm_cb_t)(isc_nmhandle_t *handle, isc_result_t result,
+			    void *cbarg);
+/*%<
+ * Callback function for other network completion events (send, connect).
+ *
+ * 'handle' the handle on which the event took place.
+ * 'eresult' the result of the event.
+ * 'cbarg'  the callback argument passed to isc_nm_send(),
+ *          isc_nm_tcp_connect(), or isc_nm_listentcp()
+ */
+
+typedef void (*isc_nm_opaquecb_t)(void *arg);
+/*%<
+ * Opaque callback function, used for isc_nmhandle 'reset' and 'free'
+ * callbacks.
+ */
+
+typedef void (*isc_nm_workcb_t)(void *arg);
+typedef void (*isc_nm_after_workcb_t)(void *arg, isc_result_t result);
+/*%<
+ * Callback functions for libuv threadpool work (see uv_work_t)
+ */
+
+void
+isc_nm_attach(isc_nm_t *mgr, isc_nm_t **dst);
+void
+isc_nm_detach(isc_nm_t **mgr0);
+/*%<
+ * Attach/detach a network manager. When all references have been
+ * released, the network manager is shut down, freeing all resources.
+ * Destroy is working the same way as detach, but it actively waits
+ * for all other references to be gone.
+ */
+
+/* Return thread ID of current thread, or ISC_NETMGR_TID_UNKNOWN */
+int
+isc_nm_tid(void);
+
+void
+isc_nmsocket_close(isc_nmsocket_t **sockp);
+/*%<
+ * isc_nmsocket_close() detaches a listening socket that was
+ * created by isc_nm_listenudp(), isc_nm_listentcp(), or
+ * isc_nm_listentcpdns(). Once there are no remaining child
+ * sockets with active handles, the socket will be closed.
+ */
+
+#ifdef NETMGR_TRACE
+#define isc_nmhandle_attach(handle, dest) \
+	isc__nmhandle_attach(handle, dest, __FILE__, __LINE__, __func__)
+#define isc_nmhandle_detach(handlep) \
+	isc__nmhandle_detach(handlep, __FILE__, __LINE__, __func__)
+#define FLARG , const char *file, unsigned int line, const char *func
+#else
+#define isc_nmhandle_attach(handle, dest) isc__nmhandle_attach(handle, dest)
+#define isc_nmhandle_detach(handlep)	  isc__nmhandle_detach(handlep)
+#define FLARG
+#endif
+
+void
+isc__nmhandle_attach(isc_nmhandle_t *handle, isc_nmhandle_t **dest FLARG);
+void
+isc__nmhandle_detach(isc_nmhandle_t **handlep FLARG);
+/*%<
+ * Increment/decrement the reference counter in a netmgr handle,
+ * but (unlike the attach/detach functions) do not change the pointer
+ * value. If reference counters drop to zero, the handle can be
+ * marked inactive, possibly triggering deletion of its associated
+ * socket.
+ *
+ * (This will be used to prevent a client from being cleaned up when
+ * it's passed to an isc_task event handler. The libuv code would not
+ * otherwise know that the handle was in use and might free it, along
+ * with the client.)
+ */
+#undef FLARG
+
+void *
+isc_nmhandle_getdata(isc_nmhandle_t *handle);
+
+void *
+isc_nmhandle_getextra(isc_nmhandle_t *handle);
+
+bool
+isc_nmhandle_is_stream(isc_nmhandle_t *handle);
+
+void
+isc_nmhandle_setdata(isc_nmhandle_t *handle, void *arg,
+		     isc_nm_opaquecb_t doreset, isc_nm_opaquecb_t dofree);
+/*%<
+ * isc_nmhandle_t has a void* opaque field (for example, ns_client_t).
+ * We reuse handle and `opaque` can also be reused between calls.
+ * This function sets this field and two callbacks:
+ * - doreset resets the `opaque` to initial state
+ * - dofree frees everything associated with `opaque`
+ */
+
+void
+isc_nmhandle_settimeout(isc_nmhandle_t *handle, uint32_t timeout);
+void
+isc_nmhandle_cleartimeout(isc_nmhandle_t *handle);
+/*%<
+ * Set/clear the read/recv timeout for the socket connected to 'handle'
+ * to 'timeout' (in milliseconds), and reset the timer.
+ *
+ * When this is called on a 'wrapper' socket handle (for example,
+ * a TCPDNS socket wrapping a TCP connection), the timer is set for
+ * both socket layers.
+ */
+
+void
+isc_nmhandle_keepalive(isc_nmhandle_t *handle, bool value);
+/*%<
+ * Enable/disable keepalive on this connection by setting it to 'value'.
+ *
+ * When keepalive is active, we switch to using the keepalive timeout
+ * to determine when to close a connection, rather than the idle timeout.
+ *
+ * This applies only to TCP-based DNS connections (i.e., TCPDNS).
+ * On other types of connection it has no effect.
+ */
+
+isc_sockaddr_t
+isc_nmhandle_peeraddr(isc_nmhandle_t *handle);
+/*%<
+ * Return the peer address for the given handle.
+ */
+isc_sockaddr_t
+isc_nmhandle_localaddr(isc_nmhandle_t *handle);
+/*%<
+ * Return the local address for the given handle.
+ */
+
+isc_nm_t *
+isc_nmhandle_netmgr(isc_nmhandle_t *handle);
+/*%<
+ * Return a pointer to the netmgr object for the given handle.
+ */
+
+isc_result_t
+isc_nm_listenudp(isc_nm_t *mgr, isc_sockaddr_t *iface, isc_nm_recv_cb_t cb,
+		 void *cbarg, size_t extrasize, isc_nmsocket_t **sockp);
+/*%<
+ * Start listening for UDP packets on interface 'iface' using net manager
+ * 'mgr'.
+ *
+ * On success, 'sockp' will be updated to contain a new listening UDP socket.
+ *
+ * When a packet is received on the socket, 'cb' will be called with 'cbarg'
+ * as its argument.
+ *
+ * When handles are allocated for the socket, 'extrasize' additional bytes
+ * can be allocated along with the handle for an associated object, which
+ * can then be freed automatically when the handle is destroyed.
+ */
+
+void
+isc_nm_udpconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer,
+		  isc_nm_cb_t cb, void *cbarg, unsigned int timeout,
+		  size_t extrahandlesize);
+/*%<
+ * Open a UDP socket, bind to 'local' and connect to 'peer', and
+ * immediately call 'cb' with a handle so that the caller can begin
+ * sending packets over UDP.
+ *
+ * When handles are allocated for the socket, 'extrasize' additional bytes
+ * can be allocated along with the handle for an associated object, which
+ * can then be freed automatically when the handle is destroyed.
+ *
+ * 'timeout' specifies the timeout interval in milliseconds.
+ *
+ * The connected socket can only be accessed via the handle passed to
+ * 'cb'.
+ */
+
+void
+isc_nm_stoplistening(isc_nmsocket_t *sock);
+/*%<
+ * Stop listening on socket 'sock'.
+ */
+
+void
+isc_nm_pause(isc_nm_t *mgr);
+/*%<
+ * Pause all processing, equivalent to taskmgr exclusive tasks.
+ * It won't return until all workers have been paused.
+ */
+
+void
+isc_nm_resume(isc_nm_t *mgr);
+/*%<
+ * Resume paused processing. It will return immediately after signalling
+ * workers to resume.
+ */
+
+void
+isc_nm_read(isc_nmhandle_t *handle, isc_nm_recv_cb_t cb, void *cbarg);
+/*
+ * Begin (or continue) reading on the socket associated with 'handle', and
+ * update its recv callback to 'cb', which will be called as soon as there
+ * is data to process.
+ */
+
+void
+isc_nm_pauseread(isc_nmhandle_t *handle);
+/*%<
+ * Pause reading on this handle's socket, but remember the callback.
+ *
+ * Requires:
+ * \li	'handle' is a valid netmgr handle.
+ */
+
+void
+isc_nm_cancelread(isc_nmhandle_t *handle);
+/*%<
+ * Cancel reading on a connected socket. Calls the read/recv callback on
+ * active handles with a result code of ISC_R_CANCELED.
+ *
+ * Requires:
+ * \li	'sock' is a valid netmgr socket
+ * \li	...for which a read/recv callback has been defined.
+ */
+
+void
+isc_nm_resumeread(isc_nmhandle_t *handle);
+/*%<
+ * Resume reading on the handle's socket.
+ *
+ * Requires:
+ * \li	'handle' is a valid netmgr handle.
+ * \li	...for a socket with a defined read/recv callback.
+ */
+
+void
+isc_nm_send(isc_nmhandle_t *handle, isc_region_t *region, isc_nm_cb_t cb,
+	    void *cbarg);
+/*%<
+ * Send the data in 'region' via 'handle'. Afterward, the callback 'cb' is
+ * called with the argument 'cbarg'.
+ *
+ * 'region' is not copied; it has to be allocated beforehand and freed
+ * in 'cb'.
+ */
+
+isc_result_t
+isc_nm_listentcp(isc_nm_t *mgr, isc_sockaddr_t *iface,
+		 isc_nm_accept_cb_t accept_cb, void *accept_cbarg,
+		 size_t extrahandlesize, int backlog, isc_quota_t *quota,
+		 isc_nmsocket_t **sockp);
+/*%<
+ * Start listening for raw messages over the TCP interface 'iface', using
+ * net manager 'mgr'.
+ *
+ * On success, 'sockp' will be updated to contain a new listening TCP
+ * socket.
+ *
+ * When connection is accepted on the socket, 'accept_cb' will be called with
+ * 'accept_cbarg' as its argument. The callback is expected to start a read.
+ *
+ * When handles are allocated for the socket, 'extrasize' additional bytes
+ * will be allocated along with the handle for an associated object.
+ *
+ * If 'quota' is not NULL, then the socket is attached to the specified
+ * quota. This allows us to enforce TCP client quota limits.
+ *
+ */
+
+void
+isc_nm_tcpconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer,
+		  isc_nm_cb_t cb, void *cbarg, unsigned int timeout,
+		  size_t extrahandlesize);
+/*%<
+ * Create a socket using netmgr 'mgr', bind it to the address 'local',
+ * and connect it to the address 'peer'.
+ *
+ * When the connection is complete or has timed out, call 'cb' with
+ * argument 'cbarg'. Allocate 'extrahandlesize' additional bytes along
+ * with the handle to use for an associated object.
+ *
+ * 'timeout' specifies the timeout interval in milliseconds.
+ *
+ * The connected socket can only be accessed via the handle passed to
+ * 'cb'.
+ */
+
+isc_result_t
+isc_nm_listentcpdns(isc_nm_t *mgr, isc_sockaddr_t *iface,
+		    isc_nm_recv_cb_t recv_cb, void *recv_cbarg,
+		    isc_nm_accept_cb_t accept_cb, void *accept_cbarg,
+		    size_t extrahandlesize, int backlog, isc_quota_t *quota,
+		    isc_nmsocket_t **sockp);
+/*%<
+ * Start listening for DNS messages over the TCP interface 'iface', using
+ * net manager 'mgr'.
+ *
+ * On success, 'sockp' will be updated to contain a new listening TCPDNS
+ * socket. This is a wrapper around a raw TCP socket, which sends and
+ * receives DNS messages via that socket. It handles message buffering
+ * and pipelining, and automatically prepends messages with a two-byte
+ * length field.
+ *
+ * When a complete DNS message is received on the socket, 'cb' will be
+ * called with 'cbarg' as its argument.
+ *
+ * When a new TCPDNS connection is accepted, 'accept_cb' will be called
+ * with 'accept_cbarg' as its argument.
+ *
+ * When handles are allocated for the socket, 'extrasize' additional bytes
+ * will be allocated along with the handle for an associated object
+ * (typically ns_client).
+ *
+ * 'quota' is passed to isc_nm_listentcp() when opening the raw TCP socket.
+ */
+
+void
+isc_nm_tcpdns_sequential(isc_nmhandle_t *handle);
+/*%<
+ * Disable pipelining on this connection. Each DNS packet will be only
+ * processed after the previous completes.
+ *
+ * The socket must be unpaused after the query is processed.  This is done
+ * the response is sent, or if we're dropping the query, it will be done
+ * when a handle is fully dereferenced by calling the socket's
+ * closehandle_cb callback.
+ *
+ * Note: This can only be run while a message is being processed; if it is
+ * run before any messages are read, no messages will be read.
+ *
+ * Also note: once this has been set, it cannot be reversed for a given
+ * connection.
+ */
+
+void
+isc_nm_tcpdns_keepalive(isc_nmhandle_t *handle, bool value);
+/*%<
+ * Enable/disable keepalive on this connection by setting it to 'value'.
+ *
+ * When keepalive is active, we switch to using the keepalive timeout
+ * to determine when to close a connection, rather than the idle timeout.
+ */
+
+void
+isc_nm_settimeouts(isc_nm_t *mgr, uint32_t init, uint32_t idle,
+		   uint32_t keepalive, uint32_t advertised);
+/*%<
+ * Sets the initial, idle, and keepalive timeout values (in milliseconds) to use
+ * for TCP connections, and the timeout value to advertise in responses using
+ * the EDNS TCP Keepalive option (which should ordinarily be the same
+ * as 'keepalive'), in milliseconds.
+ *
+ * Requires:
+ * \li	'mgr' is a valid netmgr.
+ */
+
+bool
+isc_nm_getloadbalancesockets(isc_nm_t *mgr);
+void
+isc_nm_setloadbalancesockets(isc_nm_t *mgr, bool enabled);
+/*%<
+ * Get and set value of load balancing of the sockets.
+ *
+ * Requires:
+ * \li	'mgr' is a valid netmgr.
+ */
+
+void
+isc_nm_gettimeouts(isc_nm_t *mgr, uint32_t *initial, uint32_t *idle,
+		   uint32_t *keepalive, uint32_t *advertised);
+/*%<
+ * Gets the initial, idle, keepalive, or advertised timeout values,
+ * in milliseconds.
+ *
+ * Any integer pointer parameter not set to NULL will be updated to
+ * contain the corresponding timeout value.
+ *
+ * Requires:
+ * \li	'mgr' is a valid netmgr.
+ */
+
+void
+isc_nm_maxudp(isc_nm_t *mgr, uint32_t maxudp);
+/*%<
+ * Simulate a broken firewall that blocks UDP messages larger than a given
+ * size.
+ */
+
+void
+isc_nm_setstats(isc_nm_t *mgr, isc_stats_t *stats);
+/*%<
+ * Set a socket statistics counter set 'stats' for 'mgr'.
+ *
+ * Requires:
+ *\li	'mgr' is valid and doesn't have stats already set.
+ *
+ *\li	stats is a valid set of statistics counters supporting the
+ *	full range of socket-related stats counter numbers.
+ */
+
+void
+isc_nm_tcpdnsconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer,
+		     isc_nm_cb_t cb, void *cbarg, unsigned int timeout,
+		     size_t extrahandlesize);
+/*%<
+ * Establish a DNS client connection via a TCP connection, bound to
+ * the address 'local' and connected to the address 'peer'.
+ *
+ * When the connection is complete or has timed out, call 'cb' with
+ * argument 'cbarg'. Allocate 'extrahandlesize' additional bytes along
+ * with the handle to use for an associated object.
+ *
+ * 'timeout' specifies the timeout interval in milliseconds.
+ *
+ * The connected socket can only be accessed via the handle passed to
+ * 'cb'.
+ */
+
+void
+isc_nm_task_enqueue(isc_nm_t *mgr, isc_task_t *task, int threadid);
+/*%<
+ * Enqueue the 'task' onto the netmgr ievents queue.
+ *
+ * Requires:
+ * \li 'mgr' is a valid netmgr object
+ * \li 'task' is a valid task
+ * \li 'threadid' is either the preferred netmgr tid or -1, in which case
+ *     tid will be picked randomly. The threadid is capped (by modulo) to
+ *     maximum number of 'workers' as specifed in isc_nm_start()
+ */
+
+void
+isc_nm_work_offload(isc_nm_t *mgr, isc_nm_workcb_t work_cb,
+		    isc_nm_after_workcb_t after_work_cb, void *data);
+/*%<
+ * Schedules a job to be handled by the libuv thread pool (see uv_work_t).
+ * The function specified in `work_cb` will be run by a thread in the
+ * thread pool; when complete, the `after_work_cb` function will run.
+ *
+ * Requires:
+ * \li 'mgr' is a valid netmgr object.
+ * \li We are currently running in a network manager thread.
+ */
+
+void
+isc__nm_force_tid(int tid);
+/*%<
+ * Force the thread ID to 'tid'. This is STRICTLY for use in unit
+ * tests and should not be used in any production code.
+ */
+
+void
+isc_nmhandle_setwritetimeout(isc_nmhandle_t *handle, uint64_t write_timeout);
+
+/*
+ * Timer related functions
+ */
+
+typedef struct isc_nm_timer isc_nm_timer_t;
+
+typedef void (*isc_nm_timer_cb)(void *, isc_result_t);
+
+void
+isc_nm_timer_create(isc_nmhandle_t *, isc_nm_timer_cb, void *,
+		    isc_nm_timer_t **);
+
+void
+isc_nm_timer_attach(isc_nm_timer_t *, isc_nm_timer_t **);
+
+void
+isc_nm_timer_detach(isc_nm_timer_t **);
+
+void
+isc_nm_timer_start(isc_nm_timer_t *, uint64_t);
+
+void
+isc_nm_timer_stop(isc_nm_timer_t *);
diff --git a/lib/isc/include/isc/netscope.h b/lib/isc/include/isc/netscope.h
new file mode 100644
index 0000000..0622548
--- /dev/null
+++ b/lib/isc/include/isc/netscope.h
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_NETSCOPE_H
+#define ISC_NETSCOPE_H 1
+
+/*! \file isc/netscope.h */
+
+#include <inttypes.h>
+
+ISC_LANG_BEGINDECLS
+
+/*%
+ * Convert a string of an IPv6 scope zone to zone index.  If the conversion
+ * succeeds, 'zoneid' will store the index value.
+ *
+ * XXXJT: when a standard interface for this purpose is defined,
+ * we should use it.
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS: conversion succeeds
+ * \li	ISC_R_FAILURE: conversion fails
+ */
+isc_result_t
+isc_netscope_pton(int af, char *scopename, void *addr, uint32_t *zoneid);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_NETSCOPE_H */
diff --git a/lib/isc/include/isc/nonce.h b/lib/isc/include/isc/nonce.h
new file mode 100644
index 0000000..b593e41
--- /dev/null
+++ b/lib/isc/include/isc/nonce.h
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#pragma once
+
+#include <stdlib.h>
+
+#include <isc/lang.h>
+
+/*! \file isc/nonce.h
+ * \brief Provides a function for generating an arbitrarily long nonce.
+ */
+
+ISC_LANG_BEGINDECLS
+
+void
+isc_nonce_buf(void *buf, size_t buflen);
+/*!<
+ * Fill 'buf', up to 'buflen' bytes, with random data from the
+ * crypto provider's random function.
+ */
+
+ISC_LANG_ENDDECLS
diff --git a/lib/isc/include/isc/os.h b/lib/isc/include/isc/os.h
new file mode 100644
index 0000000..585abc0
--- /dev/null
+++ b/lib/isc/include/isc/os.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_OS_H
+#define ISC_OS_H 1
+
+/*! \file isc/os.h */
+
+#include <isc/lang.h>
+
+ISC_LANG_BEGINDECLS
+
+unsigned int
+isc_os_ncpus(void);
+/*%<
+ * Return the number of CPUs available on the system, or 1 if this cannot
+ * be determined.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_OS_H */
diff --git a/lib/isc/include/isc/parseint.h b/lib/isc/include/isc/parseint.h
new file mode 100644
index 0000000..d41c57e
--- /dev/null
+++ b/lib/isc/include/isc/parseint.h
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_PARSEINT_H
+#define ISC_PARSEINT_H 1
+
+#include <inttypes.h>
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+/*! \file isc/parseint.h
+ * \brief Parse integers, in a saner way than atoi() or strtoul() do.
+ */
+
+/***
+ ***	Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_parse_uint32(uint32_t *uip, const char *string, int base);
+
+isc_result_t
+isc_parse_uint16(uint16_t *uip, const char *string, int base);
+
+isc_result_t
+isc_parse_uint8(uint8_t *uip, const char *string, int base);
+/*%<
+ * Parse the null-terminated string 'string' containing a base 'base'
+ * integer, storing the result in '*uip'.
+ * The base is interpreted
+ * as in strtoul().  Unlike strtoul(), leading whitespace, minus or
+ * plus signs are not accepted, and all errors (including overflow)
+ * are reported uniformly through the return value.
+ *
+ * Requires:
+ *\li	'string' points to a null-terminated string
+ *\li	0 <= 'base' <= 36
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_BADNUMBER   The string is not numeric (in the given base)
+ *\li	#ISC_R_RANGE	  The number is not representable as the requested type.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_PARSEINT_H */
diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in
new file mode 100644
index 0000000..85b468c
--- /dev/null
+++ b/lib/isc/include/isc/platform.h.in
@@ -0,0 +1,100 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_PLATFORM_H
+#define ISC_PLATFORM_H 1
+
+/*! \file */
+
+/*****
+ ***** Platform-dependent defines.
+ *****/
+
+/***
+ *** Default strerror_r buffer size
+ ***/
+
+#define ISC_STRERRORSIZE 128
+
+/***
+ *** System limitations
+ ***/
+
+#include <limits.h>
+
+#ifndef NAME_MAX
+#define NAME_MAX 256
+#endif
+
+#ifndef PATH_MAX
+#define PATH_MAX 1024
+#endif
+
+#ifndef IOV_MAX
+#define IOV_MAX 1024
+#endif
+
+/***
+ *** Miscellaneous.
+ ***/
+
+/*
+ * Defined to <gssapi.h> or <gssapi/gssapi.h> for how to include
+ * the GSSAPI header.
+ */
+@ISC_PLATFORM_GSSAPIHEADER@
+
+/*
+ * Defined to <gssapi_krb5.h> or <gssapi/gssapi_krb5.h> for how to
+ * include the GSSAPI KRB5 header.
+ */
+@ISC_PLATFORM_GSSAPI_KRB5_HEADER@
+
+/*
+ * Defined to <krb5.h> or <krb5/krb5.h> for how to include
+ * the KRB5 header.
+ */
+@ISC_PLATFORM_KRB5HEADER@
+
+/*
+ * Define if the platform has <sys/un.h>.
+ */
+@ISC_PLATFORM_HAVESYSUNH@
+
+/*
+ * Defines for the noreturn attribute.
+ */
+@ISC_PLATFORM_NORETURN_PRE@
+@ISC_PLATFORM_NORETURN_POST@
+
+/***
+ ***	Windows dll support.
+ ***/
+
+#define LIBISC_EXTERNAL_DATA
+#define LIBDNS_EXTERNAL_DATA
+#define LIBISCCC_EXTERNAL_DATA
+#define LIBISCCFG_EXTERNAL_DATA
+#define LIBNS_EXTERNAL_DATA
+#define LIBBIND9_EXTERNAL_DATA
+#define LIBTESTS_EXTERNAL_DATA
+
+/*
+ * Tell emacs to use C mode for this file.
+ *
+ * Local Variables:
+ * mode: c
+ * End:
+ */
+
+#endif /* ISC_PLATFORM_H */
diff --git a/lib/isc/include/isc/pool.h b/lib/isc/include/isc/pool.h
new file mode 100644
index 0000000..b354c18
--- /dev/null
+++ b/lib/isc/include/isc/pool.h
@@ -0,0 +1,141 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_OBJPOOL_H
+#define ISC_OBJPOOL_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file isc/pool.h
+ * \brief An object pool is a mechanism for sharing a small pool of
+ * fungible objects among a large number of objects that depend on them.
+ *
+ * This is useful, for example, when it causes performance problems for
+ * large number of zones to share a single memory context or task object,
+ * but it would create a different set of problems for them each to have an
+ * independent task or memory context.
+ */
+
+/***
+ *** Imports.
+ ***/
+
+#include <isc/lang.h>
+#include <isc/mem.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*****
+***** Types.
+*****/
+
+typedef void (*isc_pooldeallocator_t)(void **object);
+
+typedef isc_result_t (*isc_poolinitializer_t)(void **target, void *arg);
+
+typedef struct isc_pool isc_pool_t;
+
+/*****
+***** Functions.
+*****/
+
+isc_result_t
+isc_pool_create(isc_mem_t *mctx, unsigned int count, isc_pooldeallocator_t free,
+		isc_poolinitializer_t init, void *initarg, isc_pool_t **poolp);
+/*%<
+ * Create a pool of "count" object pointers. If 'free' is not NULL,
+ * it points to a function that will detach the objects.  'init'
+ * points to a function that will initialize the arguments, and
+ * 'arg' to an argument to be passed into that function (for example,
+ * a relevant manager or context object).
+ *
+ * Requires:
+ *
+ *\li	'mctx' is a valid memory context.
+ *
+ *\li	init != NULL
+ *
+ *\li	poolp != NULL && *poolp == NULL
+ *
+ * Ensures:
+ *
+ *\li	On success, '*poolp' points to the new object pool.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_UNEXPECTED
+ */
+
+void *
+isc_pool_get(isc_pool_t *pool);
+/*%<
+ * Returns a pointer to an object from the pool. Currently the object
+ * is chosen from the pool at random.  (This may be changed in the future
+ * to something that guaratees balance.)
+ */
+
+int
+isc_pool_count(isc_pool_t *pool);
+/*%<
+ * Returns the number of objcts in the pool 'pool'.
+ */
+
+isc_result_t
+isc_pool_expand(isc_pool_t **sourcep, unsigned int count, isc_pool_t **targetp);
+
+/*%<
+ * If 'size' is larger than the number of objects in the pool pointed to by
+ * 'sourcep', then a new pool of size 'count' is allocated, the existing
+ * objects are copied into it, additional ones created to bring the
+ * total number up to 'count', and the resulting pool is attached to
+ * 'targetp'.
+ *
+ * If 'count' is less than or equal to the number of objects in 'source', then
+ * 'sourcep' is attached to 'targetp' without any other action being taken.
+ *
+ * In either case, 'sourcep' is detached.
+ *
+ * Requires:
+ *
+ * \li	'sourcep' is not NULL and '*source' is not NULL
+ * \li	'targetp' is not NULL and '*source' is NULL
+ *
+ * Ensures:
+ *
+ * \li	On success, '*targetp' points to a valid task pool.
+ * \li	On success, '*sourcep' points to NULL.
+ *
+ * Returns:
+ *
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOMEMORY
+ */
+
+void
+isc_pool_destroy(isc_pool_t **poolp);
+/*%<
+ * Destroy a task pool.  The tasks in the pool are detached but not
+ * shut down.
+ *
+ * Requires:
+ * \li	'*poolp' is a valid task pool.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_OBJPOOL_H */
diff --git a/lib/isc/include/isc/portset.h b/lib/isc/include/isc/portset.h
new file mode 100644
index 0000000..fbdde82
--- /dev/null
+++ b/lib/isc/include/isc/portset.h
@@ -0,0 +1,138 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file isc/portset.h
+ * \brief Transport Protocol Port Manipulation Module
+ *
+ * This module provides simple utilities to handle a set of transport protocol
+ * (UDP or TCP) port numbers, e.g., for creating an ACL list.  An isc_portset_t
+ * object is an opaque instance of a port set, for which the user can add or
+ * remove a specific port or a range of consecutive ports.  This object is
+ * expected to be used as a temporary work space only, and does not protect
+ * simultaneous access from multiple threads.  Therefore it must not be stored
+ * in a place that can be accessed from multiple threads.
+ */
+
+#ifndef ISC_PORTSET_H
+#define ISC_PORTSET_H 1
+
+/***
+ ***	Imports
+ ***/
+
+#include <stdbool.h>
+
+#include <isc/net.h>
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_portset_create(isc_mem_t *mctx, isc_portset_t **portsetp);
+/*%<
+ * Create a port set and initialize it as an empty set.
+ *
+ * Requires:
+ *\li	'mctx' to be valid.
+ *\li	'portsetp' to be non NULL and '*portsetp' to be NULL;
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ */
+
+void
+isc_portset_destroy(isc_mem_t *mctx, isc_portset_t **portsetp);
+/*%<
+ * Destroy a port set.
+ *
+ * Requires:
+ *\li	'mctx' to be valid and must be the same context given when the port set
+ *       was created.
+ *\li	'*portsetp' to be a valid set.
+ */
+
+bool
+isc_portset_isset(isc_portset_t *portset, in_port_t port);
+/*%<
+ * Test whether the given port is stored in the portset.
+ *
+ * Requires:
+ *\li	'portset' to be a valid set.
+ *
+ * Returns
+ * \li	#true if the port is found, false otherwise.
+ */
+
+unsigned int
+isc_portset_nports(isc_portset_t *portset);
+/*%<
+ * Provides the number of ports stored in the given portset.
+ *
+ * Requires:
+ *\li	'portset' to be a valid set.
+ *
+ * Returns
+ * \li	the number of ports stored in portset.
+ */
+
+void
+isc_portset_add(isc_portset_t *portset, in_port_t port);
+/*%<
+ * Add the given port to the portset.  The port may or may not be stored in
+ * the portset.
+ *
+ * Requires:
+ *\li	'portlist' to be valid.
+ */
+
+void
+isc_portset_remove(isc_portset_t *portset, in_port_t port);
+/*%<
+ * Remove the given port to the portset.  The port may or may not be stored in
+ * the portset.
+ *
+ * Requires:
+ *\li	'portlist' to be valid.
+ */
+
+void
+isc_portset_addrange(isc_portset_t *portset, in_port_t port_lo,
+		     in_port_t port_hi);
+/*%<
+ * Add a subset of [port_lo, port_hi] (inclusive) to the portset.  Ports in the
+ * subset may or may not be stored in portset.
+ *
+ * Requires:
+ *\li	'portlist' to be valid.
+ *\li	port_lo <= port_hi
+ */
+
+void
+isc_portset_removerange(isc_portset_t *portset, in_port_t port_lo,
+			in_port_t port_hi);
+/*%<
+ * Subtract a subset of [port_lo, port_hi] (inclusive) from the portset.  Ports
+ * in the subset may or may not be stored in portset.
+ *
+ * Requires:
+ *\li	'portlist' to be valid.
+ *\li	port_lo <= port_hi
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_PORTSET_H */
diff --git a/lib/isc/include/isc/print.h b/lib/isc/include/isc/print.h
new file mode 100644
index 0000000..b3ae7fd
--- /dev/null
+++ b/lib/isc/include/isc/print.h
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_PRINT_H
+#define ISC_PRINT_H 1
+
+/*! \file isc/print.h */
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/formatcheck.h> /* Required for ISC_FORMAT_PRINTF() macro. */
+#include <isc/lang.h>
+#include <isc/platform.h>
+
+/***
+ *** Functions
+ ***/
+
+#include <stdio.h>
+
+#endif /* ISC_PRINT_H */
diff --git a/lib/isc/include/isc/quota.h b/lib/isc/include/isc/quota.h
new file mode 100644
index 0000000..b9f9a24
--- /dev/null
+++ b/lib/isc/include/isc/quota.h
@@ -0,0 +1,156 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_QUOTA_H
+#define ISC_QUOTA_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file isc/quota.h
+ *
+ * \brief The isc_quota_t object is a simple helper object for implementing
+ * quotas on things like the number of simultaneous connections to
+ * a server.  It keeps track of the amount of quota in use, and
+ * encapsulates the locking necessary to allow multiple tasks to
+ * share a quota.
+ */
+
+/***
+ *** Imports.
+ ***/
+
+#include <isc/atomic.h>
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/mutex.h>
+#include <isc/types.h>
+
+/*****
+***** Types.
+*****/
+
+ISC_LANG_BEGINDECLS
+
+/*% isc_quota_cb - quota callback structure */
+typedef struct isc_quota_cb isc_quota_cb_t;
+typedef void (*isc_quota_cb_func_t)(isc_quota_t *quota, void *data);
+struct isc_quota_cb {
+	int		    magic;
+	isc_quota_cb_func_t cb_func;
+	void		   *data;
+	ISC_LINK(isc_quota_cb_t) link;
+};
+
+/*% isc_quota structure */
+struct isc_quota {
+	int		     magic;
+	atomic_uint_fast32_t max;
+	atomic_uint_fast32_t used;
+	atomic_uint_fast32_t soft;
+	atomic_uint_fast32_t waiting;
+	isc_mutex_t	     cblock;
+	ISC_LIST(isc_quota_cb_t) cbs;
+};
+
+void
+isc_quota_init(isc_quota_t *quota, unsigned int max);
+/*%<
+ * Initialize a quota object.
+ */
+
+void
+isc_quota_destroy(isc_quota_t *quota);
+/*%<
+ * Destroy a quota object.
+ */
+
+void
+isc_quota_soft(isc_quota_t *quota, unsigned int soft);
+/*%<
+ * Set a soft quota.
+ */
+
+void
+isc_quota_max(isc_quota_t *quota, unsigned int max);
+/*%<
+ * Re-set a maximum quota.
+ */
+
+unsigned int
+isc_quota_getmax(isc_quota_t *quota);
+/*%<
+ * Get the maximum quota.
+ */
+
+unsigned int
+isc_quota_getsoft(isc_quota_t *quota);
+/*%<
+ * Get the soft quota.
+ */
+
+unsigned int
+isc_quota_getused(isc_quota_t *quota);
+/*%<
+ * Get the current usage of quota.
+ */
+
+isc_result_t
+isc_quota_attach(isc_quota_t *quota, isc_quota_t **p);
+/*%<
+ *
+ * Attempt to reserve one unit of 'quota', and also attaches '*p' to the quota
+ * if successful (ISC_R_SUCCESS or ISC_R_SOFTQUOTA).
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS		Success
+ * \li	#ISC_R_SOFTQUOTA	Success soft quota reached
+ * \li	#ISC_R_QUOTA		Quota is full
+ */
+
+isc_result_t
+isc_quota_attach_cb(isc_quota_t *quota, isc_quota_t **p, isc_quota_cb_t *cb);
+/*%<
+ *
+ * Like isc_quota_attach(), but if there's no quota left then cb->cb_func will
+ * be called when we are attached to quota.
+ *
+ * Note: It's the caller's responsibility to make sure that we don't end up
+ * with a huge number of callbacks waiting, making it easy to create a
+ * resource exhaustion attack. For example, in the case of TCP listening,
+ * we simply don't accept new connections when the quota is exceeded, so
+ * the number of callbacks waiting in the queue will be limited by the
+ * listen() backlog.
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS		Success
+ * \li	#ISC_R_SOFTQUOTA	Success soft quota reached
+ * \li	#ISC_R_QUOTA		Quota is full
+ */
+
+void
+isc_quota_cb_init(isc_quota_cb_t *cb, isc_quota_cb_func_t cb_func, void *data);
+/*%<
+ * Initialize isc_quota_cb_t - setup the list, set the callback and data.
+ */
+
+void
+isc_quota_detach(isc_quota_t **p);
+/*%<
+ * Release one unit of quota, and also detaches '*p' from the quota.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_QUOTA_H */
diff --git a/lib/isc/include/isc/radix.h b/lib/isc/include/isc/radix.h
new file mode 100644
index 0000000..7c004e9
--- /dev/null
+++ b/lib/isc/include/isc/radix.h
@@ -0,0 +1,224 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef _RADIX_H
+#define _RADIX_H
+
+#include <inttypes.h>
+#include <string.h>
+
+#include <isc/magic.h>
+#include <isc/mutex.h>
+#include <isc/net.h>
+#include <isc/refcount.h>
+#include <isc/types.h>
+
+#define NETADDR_TO_PREFIX_T(na, pt, bits)                                \
+	do {                                                             \
+		const void *p = na;                                      \
+		memset(&(pt), 0, sizeof(pt));                            \
+		if (p != NULL) {                                         \
+			(pt).family = (na)->family;                      \
+			(pt).bitlen = (bits);                            \
+			if ((pt).family == AF_INET6) {                   \
+				memmove(&(pt).add.sin6, &(na)->type.in6, \
+					((bits) + 7) / 8);               \
+			} else                                           \
+				memmove(&(pt).add.sin, &(na)->type.in,   \
+					((bits) + 7) / 8);               \
+		} else {                                                 \
+			(pt).family = AF_UNSPEC;                         \
+			(pt).bitlen = 0;                                 \
+		}                                                        \
+		isc_refcount_init(&(pt).refcount, 0);                    \
+	} while (0)
+
+typedef struct isc_prefix {
+	isc_mem_t   *mctx;
+	unsigned int family;   /* AF_INET | AF_INET6, or AF_UNSPEC for
+				* "any" */
+	unsigned int   bitlen; /* 0 for "any" */
+	isc_refcount_t refcount;
+	union {
+		struct in_addr	sin;
+		struct in6_addr sin6;
+	} add;
+} isc_prefix_t;
+
+typedef void (*isc_radix_destroyfunc_t)(void *);
+typedef void (*isc_radix_processfunc_t)(isc_prefix_t *, void **);
+
+#define isc_prefix_tochar(prefix)  ((char *)&(prefix)->add.sin)
+#define isc_prefix_touchar(prefix) ((u_char *)&(prefix)->add.sin)
+
+/*
+ * We need "first match" when we search the radix tree to preserve
+ * compatibility with the existing ACL implementation. Radix trees
+ * naturally lend themselves to "best match". In order to get "first match"
+ * behavior, we keep track of the order in which entries are added to the
+ * tree--and when a search is made, we find all matching entries, and
+ * return the one that was added first.
+ *
+ * An IPv4 prefix and an IPv6 prefix may share a radix tree node if they
+ * have the same length and bit pattern (e.g., 127/8 and 7f::/8).  To
+ * disambiguate between them, node_num and data are two-element arrays:
+ *
+ *   - node_num[0] and data[0] are used for IPv4 client addresses
+ *   - node_num[1] and data[1] are used for IPv6 client addresses
+ *
+ * A prefix of 0/0 (aka "any" or "none"), is always stored as IPv4,
+ * but matches all IPv6 addresses too.
+ */
+
+#define RADIX_V4       0
+#define RADIX_V6       1
+#define RADIX_FAMILIES 2
+
+#define ISC_RADIX_FAMILY(p) (((p)->family == AF_INET6) ? RADIX_V6 : RADIX_V4)
+
+typedef struct isc_radix_node {
+	isc_mem_t	      *mctx;
+	uint32_t	       bit;    /* bit length of the prefix */
+	isc_prefix_t	      *prefix; /* who we are in radix tree */
+	struct isc_radix_node *l, *r;  /* left and right children */
+	struct isc_radix_node *parent; /* may be used */
+	void		      *data[RADIX_FAMILIES]; /* pointers to IPv4
+						      * and IPV6 data */
+	int node_num[RADIX_FAMILIES];		     /* which node
+						      * this was in
+						      * the tree,
+						      * or -1 for glue
+						      * nodes */
+} isc_radix_node_t;
+
+#define RADIX_TREE_MAGIC    ISC_MAGIC('R', 'd', 'x', 'T');
+#define RADIX_TREE_VALID(a) ISC_MAGIC_VALID(a, RADIX_TREE_MAGIC);
+
+typedef struct isc_radix_tree {
+	unsigned int	  magic;
+	isc_mem_t	 *mctx;
+	isc_radix_node_t *head;
+	uint32_t	  maxbits;	   /* for IP, 32 bit addresses */
+	int		  num_active_node; /* for debugging purposes */
+	int		  num_added_node;  /* total number of nodes */
+} isc_radix_tree_t;
+
+isc_result_t
+isc_radix_search(isc_radix_tree_t *radix, isc_radix_node_t **target,
+		 isc_prefix_t *prefix);
+/*%<
+ * Search 'radix' for the best match to 'prefix'.
+ * Return the node found in '*target'.
+ *
+ * Requires:
+ * \li	'radix' to be valid.
+ * \li	'target' is not NULL and "*target" is NULL.
+ * \li	'prefix' to be valid.
+ *
+ * Returns:
+ * \li	ISC_R_NOTFOUND
+ * \li	ISC_R_SUCCESS
+ */
+
+isc_result_t
+isc_radix_insert(isc_radix_tree_t *radix, isc_radix_node_t **target,
+		 isc_radix_node_t *source, isc_prefix_t *prefix);
+/*%<
+ * Insert 'source' or 'prefix' into the radix tree 'radix'.
+ * Return the node added in 'target'.
+ *
+ * Requires:
+ * \li	'radix' to be valid.
+ * \li	'target' is not NULL and "*target" is NULL.
+ * \li	'prefix' to be valid or 'source' to be non NULL and contain
+ *	a valid prefix.
+ *
+ * Returns:
+ * \li	ISC_R_NOMEMORY
+ * \li	ISC_R_SUCCESS
+ */
+
+void
+isc_radix_remove(isc_radix_tree_t *radix, isc_radix_node_t *node);
+/*%<
+ * Remove the node 'node' from the radix tree 'radix'.
+ *
+ * Requires:
+ * \li	'radix' to be valid.
+ * \li	'node' to be valid.
+ */
+
+isc_result_t
+isc_radix_create(isc_mem_t *mctx, isc_radix_tree_t **target, int maxbits);
+/*%<
+ * Create a radix tree with a maximum depth of 'maxbits';
+ *
+ * Requires:
+ * \li	'mctx' to be valid.
+ * \li	'target' to be non NULL and '*target' to be NULL.
+ * \li	'maxbits' to be less than or equal to RADIX_MAXBITS.
+ *
+ * Returns:
+ * \li	ISC_R_NOMEMORY
+ * \li	ISC_R_SUCCESS
+ */
+
+void
+isc_radix_destroy(isc_radix_tree_t *radix, isc_radix_destroyfunc_t func);
+/*%<
+ * Destroy a radix tree optionally calling 'func' to clean up node data.
+ *
+ * Requires:
+ * \li	'radix' to be valid.
+ */
+
+void
+isc_radix_process(isc_radix_tree_t *radix, isc_radix_processfunc_t func);
+/*%<
+ * Walk a radix tree calling 'func' to process node data.
+ *
+ * Requires:
+ * \li	'radix' to be valid.
+ * \li	'func' to point to a function.
+ */
+
+#define RADIX_MAXBITS  128
+#define RADIX_NBIT(x)  (0x80 >> ((x)&0x7f))
+#define RADIX_NBYTE(x) ((x) >> 3)
+
+#define RADIX_WALK(Xhead, Xnode)                              \
+	do {                                                  \
+		isc_radix_node_t  *Xstack[RADIX_MAXBITS + 1]; \
+		isc_radix_node_t **Xsp = Xstack;              \
+		isc_radix_node_t  *Xrn = (Xhead);             \
+		while ((Xnode = Xrn)) {                       \
+			if (Xnode->prefix)
+
+#define RADIX_WALK_END                       \
+	if (Xrn->l) {                        \
+		if (Xrn->r) {                \
+			*Xsp++ = Xrn->r;     \
+		}                            \
+		Xrn = Xrn->l;                \
+	} else if (Xrn->r) {                 \
+		Xrn = Xrn->r;                \
+	} else if (Xsp != Xstack) {          \
+		Xrn = *(--Xsp);              \
+	} else {                             \
+		Xrn = (isc_radix_node_t *)0; \
+	}                                    \
+	}                                    \
+	}                                    \
+	while (0)
+
+#endif /* _RADIX_H */
diff --git a/lib/isc/include/isc/random.h b/lib/isc/include/isc/random.h
new file mode 100644
index 0000000..1e30d0c
--- /dev/null
+++ b/lib/isc/include/isc/random.h
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#pragma once
+
+#include <inttypes.h>
+#include <stdlib.h>
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+/*! \file isc/random.h
+ * \brief Implements wrapper around a non-cryptographically secure
+ * pseudo-random number generator.
+ *
+ */
+
+ISC_LANG_BEGINDECLS
+
+uint8_t
+isc_random8(void);
+/*!<
+ * \brief Returns a single 8-bit random value.
+ */
+
+uint16_t
+isc_random16(void);
+/*!<
+ * \brief Returns a single 16-bit random value.
+ */
+
+uint32_t
+isc_random32(void);
+/*!<
+ * \brief Returns a single 32-bit random value.
+ */
+
+void
+isc_random_buf(void *buf, size_t buflen);
+/*!<
+ * \brief Fills the region buf of length buflen with random data.
+ */
+
+uint32_t
+isc_random_uniform(uint32_t upper_bound);
+/*!<
+ * \brief Will return a single 32-bit value, uniformly distributed but
+ *        less than upper_bound.  This is recommended over
+ *        constructions like ``isc_random() % upper_bound'' as it
+ *        avoids "modulo bias" when the upper bound is not a power of
+ *        two.  In the worst case, this function may require multiple
+ *        iterations to ensure uniformity.
+ */
+
+ISC_LANG_ENDDECLS
diff --git a/lib/isc/include/isc/ratelimiter.h b/lib/isc/include/isc/ratelimiter.h
new file mode 100644
index 0000000..08862dc
--- /dev/null
+++ b/lib/isc/include/isc/ratelimiter.h
@@ -0,0 +1,148 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_RATELIMITER_H
+#define ISC_RATELIMITER_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file isc/ratelimiter.h
+ * \brief A rate limiter is a mechanism for dispatching events at a limited
+ * rate.  This is intended to be used when sending zone maintenance
+ * SOA queries, NOTIFY messages, etc.
+ */
+
+/***
+ *** Imports.
+ ***/
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*****
+***** Functions.
+*****/
+
+isc_result_t
+isc_ratelimiter_create(isc_mem_t *mctx, isc_timermgr_t *timermgr,
+		       isc_task_t *task, isc_ratelimiter_t **ratelimiterp);
+/*%<
+ * Create a rate limiter.  The execution interval is initially undefined.
+ */
+
+isc_result_t
+isc_ratelimiter_setinterval(isc_ratelimiter_t *rl, isc_interval_t *interval);
+/*!<
+ * Set the minimum interval between event executions.
+ * The interval value is copied, so the caller need not preserve it.
+ *
+ * Requires:
+ *	'*interval' is a nonzero interval.
+ */
+
+void
+isc_ratelimiter_setpertic(isc_ratelimiter_t *rl, uint32_t perint);
+/*%<
+ * Set the number of events processed per interval timer tick.
+ * If 'perint' is zero it is treated as 1.
+ */
+
+void
+isc_ratelimiter_setpushpop(isc_ratelimiter_t *rl, bool pushpop);
+/*%<
+ * Set / clear the ratelimiter to from push pop mode rather
+ * first in - first out mode (default).
+ */
+
+isc_result_t
+isc_ratelimiter_enqueue(isc_ratelimiter_t *rl, isc_task_t *task,
+			isc_event_t **eventp);
+/*%<
+ * Queue an event for rate-limited execution.
+ *
+ * This is similar
+ * to doing an isc_task_send() to the 'task', except that the
+ * execution may be delayed to achieve the desired rate of
+ * execution.
+ *
+ * '(*eventp)->ev_sender' is used to hold the task.  The caller
+ * must ensure that the task exists until the event is delivered.
+ *
+ * Requires:
+ *\li	An interval has been set by calling
+ *	isc_ratelimiter_setinterval().
+ *
+ *\li	'task' to be non NULL.
+ *\li	'(*eventp)->ev_sender' to be NULL.
+ */
+
+isc_result_t
+isc_ratelimiter_dequeue(isc_ratelimiter_t *rl, isc_event_t *event);
+/*
+ * Dequeue a event off the ratelimiter queue.
+ *
+ * Returns:
+ * \li	ISC_R_NOTFOUND if the event is no longer linked to the rate limiter.
+ * \li	ISC_R_SUCCESS
+ */
+
+void
+isc_ratelimiter_shutdown(isc_ratelimiter_t *ratelimiter);
+/*%<
+ * Shut down a rate limiter.
+ *
+ * Ensures:
+ *\li	All events that have not yet been
+ * 	dispatched to the task are dispatched immediately with
+ *	the #ISC_EVENTATTR_CANCELED bit set in ev_attributes.
+ *
+ *\li	Further attempts to enqueue events will fail with
+ * 	#ISC_R_SHUTTINGDOWN.
+ *
+ *\li	The rate limiter is no longer attached to its task.
+ */
+
+void
+isc_ratelimiter_attach(isc_ratelimiter_t *source, isc_ratelimiter_t **target);
+/*%<
+ * Attach to a rate limiter.
+ */
+
+void
+isc_ratelimiter_detach(isc_ratelimiter_t **ratelimiterp);
+/*%<
+ * Detach from a rate limiter.
+ */
+
+isc_result_t
+isc_ratelimiter_stall(isc_ratelimiter_t *rl);
+/*%<
+ * Stall event processing.
+ */
+
+isc_result_t
+isc_ratelimiter_release(isc_ratelimiter_t *rl);
+/*%<
+ * Release a stalled rate limiter.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_RATELIMITER_H */
diff --git a/lib/isc/include/isc/refcount.h b/lib/isc/include/isc/refcount.h
new file mode 100644
index 0000000..68e512c
--- /dev/null
+++ b/lib/isc/include/isc/refcount.h
@@ -0,0 +1,156 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#pragma once
+
+#include <inttypes.h>
+
+#include <isc/assertions.h>
+#include <isc/atomic.h>
+#include <isc/error.h>
+#include <isc/lang.h>
+#include <isc/mutex.h>
+#include <isc/platform.h>
+#include <isc/types.h>
+
+/*! \file isc/refcount.h
+ * \brief Implements a locked reference counter.
+ *
+ * These macros uses C11(-like) atomic functions to implement reference
+ * counting.  The isc_refcount_t type must not be accessed directly.
+ */
+
+ISC_LANG_BEGINDECLS
+
+typedef atomic_uint_fast32_t isc_refcount_t;
+
+/** \def isc_refcount_init(ref, n)
+ *  \brief Initialize the reference counter.
+ *  \param[in] ref pointer to reference counter.
+ *  \param[in] n an initial number of references.
+ *  \return nothing.
+ *
+ *  \warning No memory barrier are being imposed here.
+ */
+#define isc_refcount_init(target, value) atomic_init(target, value)
+
+/** \def isc_refcount_current(ref)
+ *  \brief Returns current number of references.
+ *  \param[in] ref pointer to reference counter.
+ *  \returns current value of reference counter.
+ *
+ *   Undo implicit promotion to 64 bits in our Windows implementation of
+ *   atomic_load_explicit() by casting to uint_fast32_t.
+ */
+
+#define isc_refcount_current(target) (uint_fast32_t) atomic_load_acquire(target)
+
+/** \def isc_refcount_destroy(ref)
+ *  \brief a destructor that makes sure that all references were cleared.
+ *  \param[in] ref pointer to reference counter.
+ *  \returns nothing.
+ */
+#define isc_refcount_destroy(target) \
+	ISC_REQUIRE(isc_refcount_current(target) == 0)
+
+/** \def isc_refcount_increment0(ref)
+ *  \brief increases reference counter by 1.
+ *  \param[in] ref pointer to reference counter.
+ *  \returns previous value of reference counter.
+ */
+#if _MSC_VER
+static inline uint_fast32_t
+isc_refcount_increment0(isc_refcount_t *target) {
+	uint_fast32_t __v;
+	__v = (uint_fast32_t)atomic_fetch_add_relaxed(target, 1);
+	INSIST(__v < UINT32_MAX);
+	return (__v);
+}
+#else /* _MSC_VER */
+#define isc_refcount_increment0(target)                    \
+	({                                                 \
+		/* cppcheck-suppress shadowVariable */     \
+		uint_fast32_t __v;                         \
+		__v = atomic_fetch_add_relaxed(target, 1); \
+		INSIST(__v < UINT32_MAX);                  \
+		__v;                                       \
+	})
+#endif /* _MSC_VER */
+
+/** \def isc_refcount_increment(ref)
+ *  \brief increases reference counter by 1.
+ *  \param[in] ref pointer to reference counter.
+ *  \returns previous value of reference counter.
+ */
+#if _MSC_VER
+static inline uint_fast32_t
+isc_refcount_increment(isc_refcount_t *target) {
+	uint_fast32_t __v;
+	__v = (uint_fast32_t)atomic_fetch_add_relaxed(target, 1);
+	INSIST(__v > 0 && __v < UINT32_MAX);
+	return (__v);
+}
+#else /* _MSC_VER */
+#define isc_refcount_increment(target)                     \
+	({                                                 \
+		/* cppcheck-suppress shadowVariable */     \
+		uint_fast32_t __v;                         \
+		__v = atomic_fetch_add_relaxed(target, 1); \
+		INSIST(__v > 0 && __v < UINT32_MAX);       \
+		__v;                                       \
+	})
+#endif /* _MSC_VER */
+
+/** \def isc_refcount_decrement(ref)
+ *  \brief decreases reference counter by 1.
+ *  \param[in] ref pointer to reference counter.
+ *  \returns previous value of reference counter.
+ */
+#if _MSC_VER
+static inline uint_fast32_t
+isc_refcount_decrement(isc_refcount_t *target) {
+	uint_fast32_t __v;
+	__v = (uint_fast32_t)atomic_fetch_sub_acq_rel(target, 1);
+	INSIST(__v > 0);
+	return (__v);
+}
+#else /* _MSC_VER */
+#define isc_refcount_decrement(target)                     \
+	({                                                 \
+		/* cppcheck-suppress shadowVariable */     \
+		uint_fast32_t __v;                         \
+		__v = atomic_fetch_sub_acq_rel(target, 1); \
+		INSIST(__v > 0);                           \
+		__v;                                       \
+	})
+#endif /* _MSC_VER */
+
+#define isc_refcount_decrementz(target)                               \
+	do {                                                          \
+		uint_fast32_t _refs = isc_refcount_decrement(target); \
+		ISC_INSIST(_refs == 1);                               \
+	} while (0)
+
+#define isc_refcount_decrement1(target)                               \
+	do {                                                          \
+		uint_fast32_t _refs = isc_refcount_decrement(target); \
+		ISC_INSIST(_refs > 1);                                \
+	} while (0)
+
+#define isc_refcount_decrement0(target)                               \
+	do {                                                          \
+		uint_fast32_t _refs = isc_refcount_decrement(target); \
+		ISC_INSIST(_refs > 0);                                \
+	} while (0)
+
+ISC_LANG_ENDDECLS
diff --git a/lib/isc/include/isc/regex.h b/lib/isc/include/isc/regex.h
new file mode 100644
index 0000000..f288d86
--- /dev/null
+++ b/lib/isc/include/isc/regex.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_REGEX_H
+#define ISC_REGEX_H 1
+
+/*! \file isc/regex.h */
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+int
+isc_regex_validate(const char *expression);
+/*%<
+ * Check a regular expression for syntactic correctness.
+ *
+ * Returns:
+ *\li	 -1 on error.
+ *\li	 the number of groups in the expression.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_REGEX_H */
diff --git a/lib/isc/include/isc/region.h b/lib/isc/include/isc/region.h
new file mode 100644
index 0000000..c386617
--- /dev/null
+++ b/lib/isc/include/isc/region.h
@@ -0,0 +1,98 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_REGION_H
+#define ISC_REGION_H 1
+
+/*! \file isc/region.h */
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+struct isc_region {
+	unsigned char *base;
+	unsigned int   length;
+};
+
+struct isc_textregion {
+	char	    *base;
+	unsigned int length;
+};
+
+/* XXXDCL questionable ... bears discussion.  we have been putting off
+ * discussing the region api.
+ */
+struct isc_constregion {
+	const void  *base;
+	unsigned int length;
+};
+
+struct isc_consttextregion {
+	const char  *base;
+	unsigned int length;
+};
+
+/*@{*/
+/*!
+ * The region structure is not opaque, and is usually directly manipulated.
+ * Some macros are defined below for convenience.
+ */
+
+#define isc_region_consume(r, l)          \
+	do {                              \
+		isc_region_t *_r = (r);   \
+		unsigned int  _l = (l);   \
+		INSIST(_r->length >= _l); \
+		_r->base += _l;           \
+		_r->length -= _l;         \
+	} while (0)
+
+#define isc_textregion_consume(r, l)        \
+	do {                                \
+		isc_textregion_t *_r = (r); \
+		unsigned int	  _l = (l); \
+		INSIST(_r->length >= _l);   \
+		_r->base += _l;             \
+		_r->length -= _l;           \
+	} while (0)
+
+#define isc_constregion_consume(r, l)        \
+	do {                                 \
+		isc_constregion_t *_r = (r); \
+		unsigned int	   _l = (l); \
+		INSIST(_r->length >= _l);    \
+		_r->base += _l;              \
+		_r->length -= _l;            \
+	} while (0)
+/*@}*/
+
+ISC_LANG_BEGINDECLS
+
+int
+isc_region_compare(isc_region_t *r1, isc_region_t *r2);
+/*%<
+ * Compares the contents of two regions
+ *
+ * Requires:
+ *\li	'r1' is a valid region
+ *\li	'r2' is a valid region
+ *
+ * Returns:
+ *\li	 < 0 if r1 is lexicographically less than r2
+ *\li	 = 0 if r1 is lexicographically identical to r2
+ *\li	 > 0 if r1 is lexicographically greater than r2
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_REGION_H */
diff --git a/lib/isc/include/isc/resource.h b/lib/isc/include/isc/resource.h
new file mode 100644
index 0000000..f9e6e20
--- /dev/null
+++ b/lib/isc/include/isc/resource.h
@@ -0,0 +1,90 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_RESOURCE_H
+#define ISC_RESOURCE_H 1
+
+/*! \file isc/resource.h */
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+#define ISC_RESOURCE_UNLIMITED ((isc_resourcevalue_t)UINT64_MAX)
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_resource_setlimit(isc_resource_t resource, isc_resourcevalue_t value);
+/*%<
+ * Set the maximum limit for a system resource.
+ *
+ * Notes:
+ *\li	If 'value' exceeds the maximum possible on the operating system,
+ *	it is silently limited to that maximum -- or to "infinity", if
+ *	the operating system has that concept.  #ISC_RESOURCE_UNLIMITED
+ *	can be used to explicitly ask for the maximum.
+ *
+ * Requires:
+ *\li	'resource' is a valid member of the isc_resource_t enumeration.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS	Success.
+ *\li	#ISC_R_NOTIMPLEMENTED	'resource' is not a type known by the OS.
+ *\li	#ISC_R_NOPERM	The calling process did not have adequate permission
+ *			to change the resource limit.
+ */
+
+isc_result_t
+isc_resource_getlimit(isc_resource_t resource, isc_resourcevalue_t *value);
+/*%<
+ * Get the maximum limit for a system resource.
+ *
+ * Notes:
+ *\li	'value' is set to the maximum limit.
+ *
+ *\li	#ISC_RESOURCE_UNLIMITED is the maximum value of isc_resourcevalue_t.
+ *
+ *\li	On many (all?) Unix systems, RLIM_INFINITY is a valid value that is
+ *	significantly less than #ISC_RESOURCE_UNLIMITED, but which in practice
+ *	behaves the same.
+ *
+ *\li	The current ISC libdns configuration file parser assigns a value
+ *	of UINT32_MAX for a size_spec of "unlimited" and ISC_UNIT32_MAX - 1
+ *	for "default", the latter of which is supposed to represent "the
+ *	limit that was in force when the server started".  Since these are
+ *	valid values in the middle of the range of isc_resourcevalue_t,
+ *	there is the possibility for confusion over what exactly those
+ *	particular values are supposed to represent in a particular context --
+ *	discrete integral values or generalized concepts.
+ *
+ * Requires:
+ *\li	'resource' is a valid member of the isc_resource_t enumeration.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		Success.
+ *\li	#ISC_R_NOTIMPLEMENTED	'resource' is not a type known by the OS.
+ */
+
+isc_result_t
+isc_resource_getcurlimit(isc_resource_t resource, isc_resourcevalue_t *value);
+/*%<
+ * Same as isc_resource_getlimit(), but returns the current (soft) limit.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		Success.
+ *\li	#ISC_R_NOTIMPLEMENTED	'resource' is not a type known by the OS.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_RESOURCE_H */
diff --git a/lib/isc/include/isc/result.h b/lib/isc/include/isc/result.h
new file mode 100644
index 0000000..11ff7f6
--- /dev/null
+++ b/lib/isc/include/isc/result.h
@@ -0,0 +1,122 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_RESULT_H
+#define ISC_RESULT_H 1
+
+/*! \file isc/result.h */
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+#define ISC_R_SUCCESS	       0	    /*%< success */
+#define ISC_R_NOMEMORY	       1	    /*%< out of memory */
+#define ISC_R_TIMEDOUT	       2	    /*%< timed out */
+#define ISC_R_NOTHREADS	       3	    /*%< no available threads */
+#define ISC_R_ADDRNOTAVAIL     4	    /*%< address not available */
+#define ISC_R_ADDRINUSE	       5	    /*%< address in use */
+#define ISC_R_NOPERM	       6	    /*%< permission denied */
+#define ISC_R_NOCONN	       7	    /*%< no pending connections */
+#define ISC_R_NETUNREACH       8	    /*%< network unreachable */
+#define ISC_R_HOSTUNREACH      9	    /*%< host unreachable */
+#define ISC_R_NETDOWN	       10	    /*%< network down */
+#define ISC_R_HOSTDOWN	       11	    /*%< host down */
+#define ISC_R_CONNREFUSED      12	    /*%< connection refused */
+#define ISC_R_NORESOURCES      13	    /*%< not enough free resources */
+#define ISC_R_EOF	       14	    /*%< end of file */
+#define ISC_R_BOUND	       15	    /*%< socket already bound */
+#define ISC_R_RELOAD	       16	    /*%< reload */
+#define ISC_R_SUSPEND	       ISC_R_RELOAD /*%< alias of 'reload' */
+#define ISC_R_LOCKBUSY	       17	    /*%< lock busy */
+#define ISC_R_EXISTS	       18	    /*%< already exists */
+#define ISC_R_NOSPACE	       19	    /*%< ran out of space */
+#define ISC_R_CANCELED	       20	    /*%< operation canceled */
+#define ISC_R_NOTBOUND	       21	    /*%< socket is not bound */
+#define ISC_R_SHUTTINGDOWN     22	    /*%< shutting down */
+#define ISC_R_NOTFOUND	       23	    /*%< not found */
+#define ISC_R_UNEXPECTEDEND    24	    /*%< unexpected end of input */
+#define ISC_R_FAILURE	       25	    /*%< generic failure */
+#define ISC_R_IOERROR	       26	    /*%< I/O error */
+#define ISC_R_NOTIMPLEMENTED   27	    /*%< not implemented */
+#define ISC_R_UNBALANCED       28	    /*%< unbalanced parentheses */
+#define ISC_R_NOMORE	       29	    /*%< no more */
+#define ISC_R_INVALIDFILE      30	    /*%< invalid file */
+#define ISC_R_BADBASE64	       31	    /*%< bad base64 encoding */
+#define ISC_R_UNEXPECTEDTOKEN  32	    /*%< unexpected token */
+#define ISC_R_QUOTA	       33	    /*%< quota reached */
+#define ISC_R_UNEXPECTED       34	    /*%< unexpected error */
+#define ISC_R_ALREADYRUNNING   35	    /*%< already running */
+#define ISC_R_IGNORE	       36	    /*%< ignore */
+#define ISC_R_MASKNONCONTIG    37	    /*%< addr mask not contiguous */
+#define ISC_R_FILENOTFOUND     38	    /*%< file not found */
+#define ISC_R_FILEEXISTS       39	    /*%< file already exists */
+#define ISC_R_NOTCONNECTED     40	    /*%< socket is not connected */
+#define ISC_R_RANGE	       41	    /*%< out of range */
+#define ISC_R_NOENTROPY	       42	    /*%< out of entropy */
+#define ISC_R_MULTICAST	       43	    /*%< invalid use of multicast */
+#define ISC_R_NOTFILE	       44	    /*%< not a file */
+#define ISC_R_NOTDIRECTORY     45	    /*%< not a directory */
+#define ISC_R_EMPTY	       46	    /*%< queue is empty */
+#define ISC_R_FAMILYMISMATCH   47	    /*%< address family mismatch */
+#define ISC_R_FAMILYNOSUPPORT  48	    /*%< AF not supported */
+#define ISC_R_BADHEX	       49	    /*%< bad hex encoding */
+#define ISC_R_TOOMANYOPENFILES 50	    /*%< too many open files */
+#define ISC_R_NOTBLOCKING      51	    /*%< not blocking */
+#define ISC_R_UNBALANCEDQUOTES 52	    /*%< unbalanced quotes */
+#define ISC_R_INPROGRESS       53	    /*%< operation in progress */
+#define ISC_R_CONNECTIONRESET  54	    /*%< connection reset */
+#define ISC_R_SOFTQUOTA	       55	    /*%< soft quota reached */
+#define ISC_R_BADNUMBER	       56	    /*%< not a valid number */
+#define ISC_R_DISABLED	       57	    /*%< disabled */
+#define ISC_R_MAXSIZE	       58	    /*%< max size */
+#define ISC_R_BADADDRESSFORM   59	    /*%< invalid address format */
+#define ISC_R_BADBASE32	       60	    /*%< bad base32 encoding */
+#define ISC_R_UNSET	       61	    /*%< unset */
+#define ISC_R_MULTIPLE	       62	    /*%< multiple */
+#define ISC_R_WOULDBLOCK       63	    /*%< would block */
+#define ISC_R_COMPLETE	       64	    /*%< complete */
+#define ISC_R_CRYPTOFAILURE    65	    /*%< cryptography library failure */
+#define ISC_R_DISCQUOTA	       66	    /*%< disc quota */
+#define ISC_R_DISCFULL	       67	    /*%< disc full */
+#define ISC_R_DEFAULT	       68	    /*%< default */
+#define ISC_R_IPV4PREFIX       69	    /*%< IPv4 prefix */
+#define ISC_R_TLSERROR	       70	    /*%< TLS error */
+#define ISC_R_HTTP2ALPNERROR   71	    /*%< ALPN for HTTP/2 failed */
+
+/*% Not a result code: the number of results. */
+#define ISC_R_NRESULTS 72
+
+ISC_LANG_BEGINDECLS
+
+const char *isc_result_totext(isc_result_t);
+/*%<
+ * Convert an isc_result_t into a string message describing the result.
+ */
+
+const char *isc_result_toid(isc_result_t);
+/*%<
+ * Convert an isc_result_t into a string identifier such as
+ * "ISC_R_SUCCESS".
+ */
+
+isc_result_t
+isc_result_register(unsigned int base, unsigned int nresults, const char **text,
+		    int set);
+
+isc_result_t
+isc_result_registerids(unsigned int base, unsigned int nresults,
+		       const char **ids, int set);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_RESULT_H */
diff --git a/lib/isc/include/isc/resultclass.h b/lib/isc/include/isc/resultclass.h
new file mode 100644
index 0000000..a3a5079
--- /dev/null
+++ b/lib/isc/include/isc/resultclass.h
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_RESULTCLASS_H
+#define ISC_RESULTCLASS_H 1
+
+/*! \file isc/resultclass.h
+ * \brief Registry of Predefined Result Type Classes
+ *
+ * A result class number is an unsigned 16 bit number.  Each class may
+ * contain up to 65536 results.  A result code is formed by adding the
+ * result number within the class to the class number multiplied by 65536.
+ *
+ * Classes < 1024 are reserved for ISC use.
+ * Result classes >= 1024 and <= 65535 are reserved for application use.
+ */
+
+#define ISC_RESULTCLASS_FROMNUM(num)  ((num) << 16)
+#define ISC_RESULTCLASS_TONUM(rclass) ((rclass) >> 16)
+#define ISC_RESULTCLASS_SIZE	      65536
+#define ISC_RESULTCLASS_INCLASS(rclass, result) \
+	((rclass) == ((result)&0xFFFF0000))
+
+#define ISC_RESULTCLASS_ISC	 ISC_RESULTCLASS_FROMNUM(0)
+#define ISC_RESULTCLASS_DNS	 ISC_RESULTCLASS_FROMNUM(1)
+#define ISC_RESULTCLASS_DST	 ISC_RESULTCLASS_FROMNUM(2)
+#define ISC_RESULTCLASS_DNSRCODE ISC_RESULTCLASS_FROMNUM(3)
+#define ISC_RESULTCLASS_OMAPI	 ISC_RESULTCLASS_FROMNUM(4)
+#define ISC_RESULTCLASS_ISCCC	 ISC_RESULTCLASS_FROMNUM(5)
+#define ISC_RESULTCLASS_DHCP	 ISC_RESULTCLASS_FROMNUM(6)
+#define ISC_RESULTCLASS_PK11	 ISC_RESULTCLASS_FROMNUM(7)
+
+#endif /* ISC_RESULTCLASS_H */
diff --git a/lib/isc/include/isc/rwlock.h b/lib/isc/include/isc/rwlock.h
new file mode 100644
index 0000000..3309d71
--- /dev/null
+++ b/lib/isc/include/isc/rwlock.h
@@ -0,0 +1,107 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_RWLOCK_H
+#define ISC_RWLOCK_H 1
+
+#include <inttypes.h>
+
+/*! \file isc/rwlock.h */
+
+#include <isc/atomic.h>
+#include <isc/condition.h>
+#include <isc/lang.h>
+#include <isc/platform.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+typedef enum {
+	isc_rwlocktype_none = 0,
+	isc_rwlocktype_read,
+	isc_rwlocktype_write
+} isc_rwlocktype_t;
+
+#if USE_PTHREAD_RWLOCK
+#include <pthread.h>
+
+struct isc_rwlock {
+	pthread_rwlock_t rwlock;
+	atomic_bool	 downgrade;
+};
+
+#else /* USE_PTHREAD_RWLOCK */
+
+struct isc_rwlock {
+	/* Unlocked. */
+	unsigned int	    magic;
+	isc_mutex_t	    lock;
+	atomic_int_fast32_t spins;
+
+	/*
+	 * When some atomic instructions with hardware assistance are
+	 * available, rwlock will use those so that concurrent readers do not
+	 * interfere with each other through mutex as long as no writers
+	 * appear, massively reducing the lock overhead in the typical case.
+	 *
+	 * The basic algorithm of this approach is the "simple
+	 * writer-preference lock" shown in the following URL:
+	 * http://www.cs.rochester.edu/u/scott/synchronization/pseudocode/rw.html
+	 * but our implementation does not rely on the spin lock unlike the
+	 * original algorithm to be more portable as a user space application.
+	 */
+
+	/* Read or modified atomically. */
+	atomic_int_fast32_t write_requests;
+	atomic_int_fast32_t write_completions;
+	atomic_int_fast32_t cnt_and_flag;
+
+	/* Locked by lock. */
+	isc_condition_t readable;
+	isc_condition_t writeable;
+	unsigned int	readers_waiting;
+
+	/* Locked by rwlock itself. */
+	atomic_uint_fast32_t write_granted;
+
+	/* Unlocked. */
+	unsigned int write_quota;
+};
+
+#endif /* USE_PTHREAD_RWLOCK */
+
+void
+isc_rwlock_init(isc_rwlock_t *rwl, unsigned int read_quota,
+		unsigned int write_quota);
+
+isc_result_t
+isc_rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type);
+
+isc_result_t
+isc_rwlock_trylock(isc_rwlock_t *rwl, isc_rwlocktype_t type);
+
+isc_result_t
+isc_rwlock_unlock(isc_rwlock_t *rwl, isc_rwlocktype_t type);
+
+isc_result_t
+isc_rwlock_tryupgrade(isc_rwlock_t *rwl);
+
+void
+isc_rwlock_downgrade(isc_rwlock_t *rwl);
+
+void
+isc_rwlock_destroy(isc_rwlock_t *rwl);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_RWLOCK_H */
diff --git a/lib/isc/include/isc/safe.h b/lib/isc/include/isc/safe.h
new file mode 100644
index 0000000..f5bad62
--- /dev/null
+++ b/lib/isc/include/isc/safe.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_SAFE_H
+#define ISC_SAFE_H 1
+
+/*! \file isc/safe.h */
+
+#include <isc/lang.h>
+
+ISC_LANG_BEGINDECLS
+
+int
+isc_safe_memequal(const void *, const void *, size_t);
+
+/*%<
+ * Returns true iff. two blocks of memory are equal, otherwise
+ * false.
+ *
+ */
+
+void
+isc_safe_memwipe(void *, size_t);
+
+/*%<
+ * Clear the memory of length `len` pointed to by `ptr`.
+ *
+ * Some crypto code calls memset() on stack allocated buffers just
+ * before return so that they are wiped. Such memset() calls can be
+ * optimized away by the compiler. We provide this external non-inline C
+ * function to perform the memset operation so that the compiler cannot
+ * infer about what the function does and optimize the call away.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_SAFE_H */
diff --git a/lib/isc/include/isc/serial.h b/lib/isc/include/isc/serial.h
new file mode 100644
index 0000000..e2d5225
--- /dev/null
+++ b/lib/isc/include/isc/serial.h
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_SERIAL_H
+#define ISC_SERIAL_H 1
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+/*! \file isc/serial.h
+ *	\brief Implement 32 bit serial space arithmetic comparison functions.
+ *	Note: Undefined results are returned as false.
+ */
+
+/***
+ ***	Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+bool
+isc_serial_lt(uint32_t a, uint32_t b);
+/*%<
+ *	Return true if 'a' < 'b' otherwise false.
+ */
+
+bool
+isc_serial_gt(uint32_t a, uint32_t b);
+/*%<
+ *	Return true if 'a' > 'b' otherwise false.
+ */
+
+bool
+isc_serial_le(uint32_t a, uint32_t b);
+/*%<
+ *	Return true if 'a' <= 'b' otherwise false.
+ */
+
+bool
+isc_serial_ge(uint32_t a, uint32_t b);
+/*%<
+ *	Return true if 'a' >= 'b' otherwise false.
+ */
+
+bool
+isc_serial_eq(uint32_t a, uint32_t b);
+/*%<
+ *	Return true if 'a' == 'b' otherwise false.
+ */
+
+bool
+isc_serial_ne(uint32_t a, uint32_t b);
+/*%<
+ *	Return true if 'a' != 'b' otherwise false.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_SERIAL_H */
diff --git a/lib/isc/include/isc/siphash.h b/lib/isc/include/isc/siphash.h
new file mode 100644
index 0000000..3974c6f
--- /dev/null
+++ b/lib/isc/include/isc/siphash.h
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file isc/siphash.h */
+
+#pragma once
+
+#include <isc/lang.h>
+#include <isc/platform.h>
+#include <isc/types.h>
+
+#define ISC_SIPHASH24_KEY_LENGTH 128 / 8
+#define ISC_SIPHASH24_TAG_LENGTH 64 / 8
+
+#define ISC_HALFSIPHASH24_KEY_LENGTH 64 / 8
+#define ISC_HALFSIPHASH24_TAG_LENGTH 32 / 8
+
+ISC_LANG_BEGINDECLS
+
+void
+isc_siphash24(const uint8_t *key, const uint8_t *in, const size_t inlen,
+	      uint8_t *out);
+void
+isc_halfsiphash24(const uint8_t *key, const uint8_t *in, const size_t inlen,
+		  uint8_t *out);
+
+ISC_LANG_ENDDECLS
diff --git a/lib/isc/include/isc/sockaddr.h b/lib/isc/include/isc/sockaddr.h
new file mode 100644
index 0000000..b776bb3
--- /dev/null
+++ b/lib/isc/include/isc/sockaddr.h
@@ -0,0 +1,254 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_SOCKADDR_H
+#define ISC_SOCKADDR_H 1
+
+/*! \file isc/sockaddr.h */
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/net.h>
+#include <isc/types.h>
+#ifdef ISC_PLATFORM_HAVESYSUNH
+#include <sys/un.h>
+#endif /* ifdef ISC_PLATFORM_HAVESYSUNH */
+
+/*
+ * Any updates to this structure should also be applied in
+ * contrib/modules/dlz/dlz_minmal.h.
+ */
+struct isc_sockaddr {
+	union {
+		struct sockaddr		sa;
+		struct sockaddr_in	sin;
+		struct sockaddr_in6	sin6;
+		struct sockaddr_storage ss;
+#ifdef ISC_PLATFORM_HAVESYSUNH
+		struct sockaddr_un sunix;
+#endif /* ifdef ISC_PLATFORM_HAVESYSUNH */
+	} type;
+	unsigned int length; /* XXXRTH beginning? */
+	ISC_LINK(struct isc_sockaddr) link;
+};
+
+#define ISC_SOCKADDR_CMPADDR            \
+	0x0001 /*%< compare the address \
+		*   sin_addr/sin6_addr */
+#define ISC_SOCKADDR_CMPPORT         \
+	0x0002 /*%< compare the port \
+		*   sin_port/sin6_port */
+#define ISC_SOCKADDR_CMPSCOPE         \
+	0x0004 /*%< compare the scope \
+		*   sin6_scope */
+#define ISC_SOCKADDR_CMPSCOPEZERO         \
+	0x0008 /*%< when comparing scopes \
+		*   zero scopes always match */
+
+ISC_LANG_BEGINDECLS
+
+bool
+isc_sockaddr_compare(const isc_sockaddr_t *a, const isc_sockaddr_t *b,
+		     unsigned int flags);
+/*%<
+ * Compare the elements of the two address ('a' and 'b') as specified
+ * by 'flags' and report if they are equal or not.
+ *
+ * 'flags' is set from ISC_SOCKADDR_CMP*.
+ */
+
+bool
+isc_sockaddr_equal(const isc_sockaddr_t *a, const isc_sockaddr_t *b);
+/*%<
+ * Return true iff the socket addresses 'a' and 'b' are equal.
+ */
+
+bool
+isc_sockaddr_eqaddr(const isc_sockaddr_t *a, const isc_sockaddr_t *b);
+/*%<
+ * Return true iff the address parts of the socket addresses
+ * 'a' and 'b' are equal, ignoring the ports.
+ */
+
+bool
+isc_sockaddr_eqaddrprefix(const isc_sockaddr_t *a, const isc_sockaddr_t *b,
+			  unsigned int prefixlen);
+/*%<
+ * Return true iff the most significant 'prefixlen' bits of the
+ * socket addresses 'a' and 'b' are equal, ignoring the ports.
+ * If 'b''s scope is zero then 'a''s scope will be ignored.
+ */
+
+unsigned int
+isc_sockaddr_hash(const isc_sockaddr_t *sockaddr, bool address_only);
+/*%<
+ * Return a hash value for the socket address 'sockaddr'.  If 'address_only'
+ * is true, the hash value will not depend on the port.
+ *
+ * IPv6 addresses containing mapped IPv4 addresses generate the same hash
+ * value as the equivalent IPv4 address.
+ */
+
+void
+isc_sockaddr_any(isc_sockaddr_t *sockaddr);
+/*%<
+ * Return the IPv4 wildcard address.
+ */
+
+void
+isc_sockaddr_any6(isc_sockaddr_t *sockaddr);
+/*%<
+ * Return the IPv6 wildcard address.
+ */
+
+void
+isc_sockaddr_anyofpf(isc_sockaddr_t *sockaddr, int family);
+/*%<
+ * Set '*sockaddr' to the wildcard address of protocol family
+ * 'family'.
+ *
+ * Requires:
+ * \li	'family' is AF_INET or AF_INET6.
+ */
+
+void
+isc_sockaddr_fromin(isc_sockaddr_t *sockaddr, const struct in_addr *ina,
+		    in_port_t port);
+/*%<
+ * Construct an isc_sockaddr_t from an IPv4 address and port.
+ */
+
+void
+isc_sockaddr_fromin6(isc_sockaddr_t *sockaddr, const struct in6_addr *ina6,
+		     in_port_t port);
+/*%<
+ * Construct an isc_sockaddr_t from an IPv6 address and port.
+ */
+
+void
+isc_sockaddr_v6fromin(isc_sockaddr_t *sockaddr, const struct in_addr *ina,
+		      in_port_t port);
+/*%<
+ * Construct an IPv6 isc_sockaddr_t representing a mapped IPv4 address.
+ */
+
+void
+isc_sockaddr_fromnetaddr(isc_sockaddr_t *sockaddr, const isc_netaddr_t *na,
+			 in_port_t port);
+/*%<
+ * Construct an isc_sockaddr_t from an isc_netaddr_t and port.
+ */
+
+int
+isc_sockaddr_pf(const isc_sockaddr_t *sockaddr);
+/*%<
+ * Get the protocol family of 'sockaddr'.
+ *
+ * Requires:
+ *
+ *\li	'sockaddr' is a valid sockaddr with an address family of AF_INET
+ *	or AF_INET6.
+ *
+ * Returns:
+ *
+ *\li	The protocol family of 'sockaddr', e.g. PF_INET or PF_INET6.
+ */
+
+void
+isc_sockaddr_setport(isc_sockaddr_t *sockaddr, in_port_t port);
+/*%<
+ * Set the port of 'sockaddr' to 'port'.
+ */
+
+in_port_t
+isc_sockaddr_getport(const isc_sockaddr_t *sockaddr);
+/*%<
+ * Get the port stored in 'sockaddr'.
+ */
+
+isc_result_t
+isc_sockaddr_totext(const isc_sockaddr_t *sockaddr, isc_buffer_t *target);
+/*%<
+ * Append a text representation of 'sockaddr' to the buffer 'target'.
+ * The text will include both the IP address (v4 or v6) and the port.
+ * The text is null terminated, but the terminating null is not
+ * part of the buffer's used region.
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS
+ * \li	ISC_R_NOSPACE	The text or the null termination did not fit.
+ */
+
+void
+isc_sockaddr_format(const isc_sockaddr_t *sa, char *array, unsigned int size);
+/*%<
+ * Format a human-readable representation of the socket address '*sa'
+ * into the character array 'array', which is of size 'size'.
+ * The resulting string is guaranteed to be null-terminated.
+ */
+
+bool
+isc_sockaddr_ismulticast(const isc_sockaddr_t *sa);
+/*%<
+ * Returns #true if the address is a multicast address.
+ */
+
+bool
+isc_sockaddr_isexperimental(const isc_sockaddr_t *sa);
+/*
+ * Returns true if the address is a experimental (CLASS E) address.
+ */
+
+bool
+isc_sockaddr_islinklocal(const isc_sockaddr_t *sa);
+/*%<
+ * Returns true if the address is a link local address.
+ */
+
+bool
+isc_sockaddr_issitelocal(const isc_sockaddr_t *sa);
+/*%<
+ * Returns true if the address is a sitelocal address.
+ */
+
+bool
+isc_sockaddr_isnetzero(const isc_sockaddr_t *sa);
+/*%<
+ * Returns true if the address is in net zero.
+ */
+
+isc_result_t
+isc_sockaddr_frompath(isc_sockaddr_t *sockaddr, const char *path);
+/*
+ *  Create a UNIX domain sockaddr that refers to path.
+ *
+ * Returns:
+ * \li	ISC_R_NOSPACE
+ * \li	ISC_R_NOTIMPLEMENTED
+ * \li	ISC_R_SUCCESS
+ */
+
+isc_result_t
+isc_sockaddr_fromsockaddr(isc_sockaddr_t *isa, const struct sockaddr *sa);
+
+#define ISC_SOCKADDR_FORMATSIZE                                            \
+	sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:XXX.XXX.XXX.XXX%SSSSSSSSSS#" \
+	       "YYYYY")
+/*%<
+ * Minimum size of array to pass to isc_sockaddr_format().
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_SOCKADDR_H */
diff --git a/lib/isc/include/isc/socket.h b/lib/isc/include/isc/socket.h
new file mode 100644
index 0000000..dc39a3f
--- /dev/null
+++ b/lib/isc/include/isc/socket.h
@@ -0,0 +1,914 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_SOCKET_H
+#define ISC_SOCKET_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file isc/socket.h
+ * \brief Provides TCP and UDP sockets for network I/O.  The sockets are event
+ * sources in the task system.
+ *
+ * When I/O completes, a completion event for the socket is posted to the
+ * event queue of the task which requested the I/O.
+ *
+ * \li MP:
+ *	The module ensures appropriate synchronization of data structures it
+ *	creates and manipulates.
+ *	Clients of this module must not be holding a socket's task's lock when
+ *	making a call that affects that socket.  Failure to follow this rule
+ *	can result in deadlock.
+ *	The caller must ensure that isc_socketmgr_destroy() is called only
+ *	once for a given manager.
+ *
+ * \li Reliability:
+ *	No anticipated impact.
+ *
+ * \li Resources:
+ *	TBS
+ *
+ * \li Security:
+ *	No anticipated impact.
+ *
+ * \li Standards:
+ *	None.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/event.h>
+#include <isc/eventclass.h>
+#include <isc/lang.h>
+#include <isc/region.h>
+#include <isc/sockaddr.h>
+#include <isc/time.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Constants
+ ***/
+
+/*%
+ * Maximum number of buffers in a scatter/gather read/write.  The operating
+ * system in use must support at least this number (plus one on some.)
+ */
+#define ISC_SOCKET_MAXSCATTERGATHER 8
+
+/*@{*/
+/*!
+ * Socket options:
+ *
+ * _REUSEADDRESS:	Set SO_REUSEADDR prior to calling bind(),
+ * 			if a non-zero port is specified (applies to
+ * 			AF_INET and AF_INET6).
+ */
+typedef enum {
+	ISC_SOCKET_REUSEADDRESS = 0x01U,
+} isc_socket_options_t;
+/*@}*/
+
+/*@{*/
+/*!
+ * _ATTACHED:	Internal use only.
+ * _TRUNC:	Packet was truncated on receive.
+ * _CTRUNC:	Packet control information was truncated.  This can
+ *		indicate that the packet is not complete, even though
+ *		all the data is valid.
+ * _TIMESTAMP:	The timestamp member is valid.
+ * _PKTINFO:	The pktinfo member is valid.
+ * _MULTICAST:	The UDP packet was received via a multicast transmission.
+ * _DSCP:	The UDP DSCP value is valid.
+ * _USEMINMTU:	Set the per packet IPV6_USE_MIN_MTU flag.
+ */
+typedef enum {
+	ISC_SOCKEVENTATTR_ATTACHED = 0x10000000U,  /* internal */
+	ISC_SOCKEVENTATTR_TRUNC = 0x00800000U,	   /* public */
+	ISC_SOCKEVENTATTR_CTRUNC = 0x00400000U,	   /* public */
+	ISC_SOCKEVENTATTR_TIMESTAMP = 0x00200000U, /* public */
+	ISC_SOCKEVENTATTR_PKTINFO = 0x00100000U,   /* public */
+	ISC_SOCKEVENTATTR_MULTICAST = 0x00080000U, /* public */
+	ISC_SOCKEVENTATTR_DSCP = 0x00040000U,	   /* public */
+	ISC_SOCKEVENTATTR_USEMINMTU = 0x00020000U  /* public */
+} isc_sockeventattr_t;
+/*@}*/
+
+/***
+ *** Types
+ ***/
+
+struct isc_socketevent {
+	ISC_EVENT_COMMON(isc_socketevent_t);
+	isc_result_t	    result;	/*%< OK, EOF, whatever else */
+	unsigned int	    minimum;	/*%< minimum i/o for event */
+	unsigned int	    n;		/*%< bytes read or written */
+	unsigned int	    offset;	/*%< offset into buffer list */
+	isc_region_t	    region;	/*%< for single-buffer i/o */
+	isc_sockaddr_t	    address;	/*%< source address */
+	isc_time_t	    timestamp;	/*%< timestamp of packet recv */
+	struct in6_pktinfo  pktinfo;	/*%< ipv6 pktinfo */
+	isc_sockeventattr_t attributes; /*%< see isc_sockeventattr_t
+					 *   enum */
+	isc_eventdestructor_t destroy;	/*%< original destructor */
+	unsigned int	      dscp;	/*%< UDP dscp value */
+};
+
+typedef struct isc_socket_newconnev isc_socket_newconnev_t;
+struct isc_socket_newconnev {
+	ISC_EVENT_COMMON(isc_socket_newconnev_t);
+	isc_socket_t  *newsocket;
+	isc_result_t   result;	/*%< OK, EOF, whatever else */
+	isc_sockaddr_t address; /*%< source address */
+};
+
+typedef struct isc_socket_connev isc_socket_connev_t;
+struct isc_socket_connev {
+	ISC_EVENT_COMMON(isc_socket_connev_t);
+	isc_result_t result; /*%< OK, EOF, whatever else */
+};
+
+#define ISC_SOCKEVENT_ANYEVENT (0)
+#define ISC_SOCKEVENT_RECVDONE (ISC_EVENTCLASS_SOCKET + 1)
+#define ISC_SOCKEVENT_SENDDONE (ISC_EVENTCLASS_SOCKET + 2)
+#define ISC_SOCKEVENT_NEWCONN  (ISC_EVENTCLASS_SOCKET + 3)
+#define ISC_SOCKEVENT_CONNECT  (ISC_EVENTCLASS_SOCKET + 4)
+
+/*
+ * Internal events.
+ */
+#define ISC_SOCKEVENT_INTR (ISC_EVENTCLASS_SOCKET + 256)
+#define ISC_SOCKEVENT_INTW (ISC_EVENTCLASS_SOCKET + 257)
+
+typedef enum {
+	isc_sockettype_udp = 1,
+	isc_sockettype_tcp = 2,
+	isc_sockettype_unix = 3,
+	isc_sockettype_raw = 4
+} isc_sockettype_t;
+
+/*@{*/
+/*!
+ * How a socket should be shutdown in isc_socket_shutdown() calls.
+ */
+#define ISC_SOCKSHUT_RECV 0x00000001 /*%< close read side */
+#define ISC_SOCKSHUT_SEND 0x00000002 /*%< close write side */
+#define ISC_SOCKSHUT_ALL  0x00000003 /*%< close them all */
+/*@}*/
+
+/*@{*/
+/*!
+ * What I/O events to cancel in isc_socket_cancel() calls.
+ */
+#define ISC_SOCKCANCEL_RECV    0x00000001 /*%< cancel recv */
+#define ISC_SOCKCANCEL_SEND    0x00000002 /*%< cancel send */
+#define ISC_SOCKCANCEL_ACCEPT  0x00000004 /*%< cancel accept */
+#define ISC_SOCKCANCEL_CONNECT 0x00000008 /*%< cancel connect */
+#define ISC_SOCKCANCEL_ALL     0x0000000f /*%< cancel everything */
+/*@}*/
+
+/*@{*/
+/*!
+ * Flags for isc_socket_send() and isc_socket_recv() calls.
+ */
+#define ISC_SOCKFLAG_IMMEDIATE 0x00000001 /*%< send event only if needed */
+#define ISC_SOCKFLAG_NORETRY   0x00000002 /*%< drop failed UDP sends */
+/*@}*/
+
+/***
+ *** Socket and Socket Manager Functions
+ ***
+ *** Note: all Ensures conditions apply only if the result is success for
+ *** those functions which return an isc_result.
+ ***/
+
+isc_result_t
+isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
+		  isc_socket_t **socketp);
+/*%<
+ * Create a new 'type' socket managed by 'manager'.
+ *
+ * Note:
+ *
+ *\li	'pf' is the desired protocol family, e.g. PF_INET or PF_INET6.
+ *
+ * Requires:
+ *
+ *\li	'manager' is a valid manager
+ *
+ *\li	'socketp' is a valid pointer, and *socketp == NULL
+ *
+ * Ensures:
+ *
+ *	'*socketp' is attached to the newly created socket
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_NORESOURCES
+ *\li	#ISC_R_UNEXPECTED
+ */
+
+isc_result_t
+isc_socket_dup(isc_socket_t *sock0, isc_socket_t **socketp);
+/*%<
+ * Duplicate an existing socket, reusing its file descriptor.
+ */
+
+void
+isc_socket_cancel(isc_socket_t *sock, isc_task_t *task, unsigned int how);
+/*%<
+ * Cancel pending I/O of the type specified by "how".
+ *
+ * Note: if "task" is NULL, then the cancel applies to all tasks using the
+ * socket.
+ *
+ * Requires:
+ *
+ * \li	"socket" is a valid socket
+ *
+ * \li	"task" is NULL or a valid task
+ *
+ * "how" is a bitmask describing the type of cancellation to perform.
+ * The type ISC_SOCKCANCEL_ALL will cancel all pending I/O on this
+ * socket.
+ *
+ * \li ISC_SOCKCANCEL_RECV:
+ *	Cancel pending isc_socket_recv() calls.
+ *
+ * \li ISC_SOCKCANCEL_SEND:
+ *	Cancel pending isc_socket_send() and isc_socket_sendto() calls.
+ *
+ * \li ISC_SOCKCANCEL_ACCEPT:
+ *	Cancel pending isc_socket_accept() calls.
+ *
+ * \li ISC_SOCKCANCEL_CONNECT:
+ *	Cancel pending isc_socket_connect() call.
+ */
+
+void
+isc_socket_shutdown(isc_socket_t *sock, unsigned int how);
+/*%<
+ * Shutdown 'socket' according to 'how'.
+ *
+ * Requires:
+ *
+ * \li	'socket' is a valid socket.
+ *
+ * \li	'task' is NULL or is a valid task.
+ *
+ * \li	If 'how' is 'ISC_SOCKSHUT_RECV' or 'ISC_SOCKSHUT_ALL' then
+ *
+ *		The read queue must be empty.
+ *
+ *		No further read requests may be made.
+ *
+ * \li	If 'how' is 'ISC_SOCKSHUT_SEND' or 'ISC_SOCKSHUT_ALL' then
+ *
+ *		The write queue must be empty.
+ *
+ *		No further write requests may be made.
+ */
+
+void
+isc_socket_attach(isc_socket_t *sock, isc_socket_t **socketp);
+/*%<
+ * Attach *socketp to socket.
+ *
+ * Requires:
+ *
+ * \li	'socket' is a valid socket.
+ *
+ * \li	'socketp' points to a NULL socket.
+ *
+ * Ensures:
+ *
+ * \li	*socketp is attached to socket.
+ */
+
+void
+isc_socket_detach(isc_socket_t **socketp);
+/*%<
+ * Detach *socketp from its socket.
+ *
+ * Requires:
+ *
+ * \li	'socketp' points to a valid socket.
+ *
+ * \li	If '*socketp' is the last reference to the socket,
+ *	then:
+ *
+ *		There must be no pending I/O requests.
+ *
+ * Ensures:
+ *
+ * \li	*socketp is NULL.
+ *
+ * \li	If '*socketp' is the last reference to the socket,
+ *	then:
+ *
+ *		The socket will be shutdown (both reading and writing)
+ *		for all tasks.
+ *
+ *		All resources used by the socket have been freed
+ */
+
+isc_result_t
+isc_socket_open(isc_socket_t *sock);
+/*%<
+ * Open a new socket file descriptor of the given socket structure.  It simply
+ * opens a new descriptor; all of the other parameters including the socket
+ * type are inherited from the existing socket.  This function is provided to
+ * avoid overhead of destroying and creating sockets when many short-lived
+ * sockets are frequently opened and closed.  When the efficiency is not an
+ * issue, it should be safer to detach the unused socket and re-create a new
+ * one.  This optimization may not be available for some systems, in which
+ * case this function will return ISC_R_NOTIMPLEMENTED and must not be used.
+ *
+ * Requires:
+ *
+ * \li	there must be no other reference to this socket.
+ *
+ * \li	'socket' is a valid and previously closed by isc_socket_close()
+ *
+ * Returns:
+ *	Same as isc_socket_create().
+ * \li	ISC_R_NOTIMPLEMENTED
+ */
+
+isc_result_t
+isc_socket_close(isc_socket_t *sock);
+/*%<
+ * Close a socket file descriptor of the given socket structure.  This function
+ * is provided as an alternative to destroying an unused socket when overhead
+ * destroying/re-creating sockets can be significant, and is expected to be
+ * used with isc_socket_open().  This optimization may not be available for some
+ * systems, in which case this function will return ISC_R_NOTIMPLEMENTED and
+ * must not be used.
+ *
+ * Requires:
+ *
+ * \li	The socket must have a valid descriptor.
+ *
+ * \li	There must be no other reference to this socket.
+ *
+ * \li	There must be no pending I/O requests.
+ *
+ * Returns:
+ * \li	#ISC_R_NOTIMPLEMENTED
+ */
+
+isc_result_t
+isc_socket_bind(isc_socket_t *sock, const isc_sockaddr_t *addressp,
+		isc_socket_options_t options);
+/*%<
+ * Bind 'socket' to '*addressp'.
+ *
+ * Requires:
+ *
+ * \li	'socket' is a valid socket
+ *
+ * \li	'addressp' points to a valid isc_sockaddr.
+ *
+ * Returns:
+ *
+ * \li	ISC_R_SUCCESS
+ * \li	ISC_R_NOPERM
+ * \li	ISC_R_ADDRNOTAVAIL
+ * \li	ISC_R_ADDRINUSE
+ * \li	ISC_R_BOUND
+ * \li	ISC_R_UNEXPECTED
+ */
+
+isc_result_t
+isc_socket_filter(isc_socket_t *sock, const char *filter);
+/*%<
+ * Inform the kernel that it should perform accept filtering.
+ * If filter is NULL the current filter will be removed.
+ */
+
+isc_result_t
+isc_socket_listen(isc_socket_t *sock, unsigned int backlog);
+/*%<
+ * Set listen mode on the socket.  After this call, the only function that
+ * can be used (other than attach and detach) is isc_socket_accept().
+ *
+ * Notes:
+ *
+ * \li	'backlog' is as in the UNIX system call listen() and may be
+ *	ignored by non-UNIX implementations.
+ *
+ * \li	If 'backlog' is zero, a reasonable system default is used, usually
+ *	SOMAXCONN.
+ *
+ * Requires:
+ *
+ * \li	'socket' is a valid, bound TCP socket or a valid, bound UNIX socket.
+ *
+ * Returns:
+ *
+ * \li	ISC_R_SUCCESS
+ * \li	ISC_R_UNEXPECTED
+ */
+
+isc_result_t
+isc_socket_accept(isc_socket_t *sock, isc_task_t *task, isc_taskaction_t action,
+		  void *arg);
+/*%<
+ * Queue accept event.  When a new connection is received, the task will
+ * get an ISC_SOCKEVENT_NEWCONN event with the sender set to the listen
+ * socket.  The new socket structure is sent inside the isc_socket_newconnev_t
+ * event type, and is attached to the task 'task'.
+ *
+ * REQUIRES:
+ * \li	'socket' is a valid TCP socket that isc_socket_listen() was called
+ *	on.
+ *
+ * \li	'task' is a valid task
+ *
+ * \li	'action' is a valid action
+ *
+ * RETURNS:
+ * \li	ISC_R_SUCCESS
+ * \li	ISC_R_NOMEMORY
+ * \li	ISC_R_UNEXPECTED
+ */
+
+isc_result_t
+isc_socket_connect(isc_socket_t *sock, const isc_sockaddr_t *addressp,
+		   isc_task_t *task, isc_taskaction_t action, void *arg);
+/*%<
+ * Connect 'socket' to peer with address *saddr.  When the connection
+ * succeeds, or when an error occurs, a CONNECT event with action 'action'
+ * and arg 'arg' will be posted to the event queue for 'task'.
+ *
+ * Requires:
+ *
+ * \li	'socket' is a valid TCP socket
+ *
+ * \li	'addressp' points to a valid isc_sockaddr
+ *
+ * \li	'task' is a valid task
+ *
+ * \li	'action' is a valid action
+ *
+ * Returns:
+ *
+ * \li	ISC_R_SUCCESS
+ * \li	ISC_R_NOMEMORY
+ * \li	ISC_R_UNEXPECTED
+ *
+ * Posted event's result code:
+ *
+ * \li	ISC_R_SUCCESS
+ * \li	ISC_R_TIMEDOUT
+ * \li	ISC_R_CONNREFUSED
+ * \li	ISC_R_NETUNREACH
+ * \li	ISC_R_UNEXPECTED
+ */
+
+isc_result_t
+isc_socket_getpeername(isc_socket_t *sock, isc_sockaddr_t *addressp);
+/*%<
+ * Get the name of the peer connected to 'socket'.
+ *
+ * Requires:
+ *
+ * \li	'socket' is a valid TCP socket.
+ *
+ * Returns:
+ *
+ * \li	ISC_R_SUCCESS
+ * \li	ISC_R_TOOSMALL
+ * \li	ISC_R_UNEXPECTED
+ */
+
+isc_result_t
+isc_socket_getsockname(isc_socket_t *sock, isc_sockaddr_t *addressp);
+/*%<
+ * Get the name of 'socket'.
+ *
+ * Requires:
+ *
+ * \li	'socket' is a valid socket.
+ *
+ * Returns:
+ *
+ * \li	ISC_R_SUCCESS
+ * \li	ISC_R_TOOSMALL
+ * \li	ISC_R_UNEXPECTED
+ */
+
+/*@{*/
+isc_result_t
+isc_socket_recv(isc_socket_t *sock, isc_region_t *region, unsigned int minimum,
+		isc_task_t *task, isc_taskaction_t action, void *arg);
+
+isc_result_t
+isc_socket_recv2(isc_socket_t *sock, isc_region_t *region, unsigned int minimum,
+		 isc_task_t *task, isc_socketevent_t *event,
+		 unsigned int flags);
+
+/*!
+ * Receive from 'socket', storing the results in region.
+ *
+ * Notes:
+ *
+ *\li	Let 'length' refer to the length of 'region' or to the sum of all
+ *	available regions in the list of buffers '*buflist'.
+ *
+ *\li	If 'minimum' is non-zero and at least that many bytes are read,
+ *	the completion event will be posted to the task 'task.'  If minimum
+ *	is zero, the exact number of bytes requested in the region must
+ * 	be read for an event to be posted.  This only makes sense for TCP
+ *	connections, and is always set to 1 byte for UDP.
+ *
+ *\li	The read will complete when the desired number of bytes have been
+ *	read, if end-of-input occurs, or if an error occurs.  A read done
+ *	event with the given 'action' and 'arg' will be posted to the
+ *	event queue of 'task'.
+ *
+ *\li	The caller may not modify 'region', the buffers which are passed
+ *	into this function, or any data they refer to until the completion
+ *	event is received.
+ *
+ *\li	For isc_socket_recv2():
+ *	'event' is not NULL, and the non-socket specific fields are
+ *	expected to be initialized.
+ *
+ *\li	For isc_socket_recv2():
+ *	The only defined value for 'flags' is ISC_SOCKFLAG_IMMEDIATE.  If
+ *	set and the operation completes, the return value will be
+ *	ISC_R_SUCCESS and the event will be filled in and not sent.  If the
+ *	operation does not complete, the return value will be
+ *	ISC_R_INPROGRESS and the event will be sent when the operation
+ *	completes.
+ *
+ * Requires:
+ *
+ *\li	'socket' is a valid, bound socket.
+ *
+ *\li	For isc_socket_recv():
+ *	'region' is a valid region
+ *
+ *\li	For isc_socket_recvv():
+ *	'buflist' is non-NULL, and '*buflist' contain at least one buffer.
+ *
+ *\li	'task' is a valid task
+ *
+ *\li	For isc_socket_recv() and isc_socket_recvv():
+ *	action != NULL and is a valid action
+ *
+ *\li	For isc_socket_recv2():
+ *	event != NULL
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_INPROGRESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_UNEXPECTED
+ *
+ * Event results:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_UNEXPECTED
+ *\li	XXX needs other net-type errors
+ */
+/*@}*/
+
+/*@{*/
+isc_result_t
+isc_socket_send(isc_socket_t *sock, isc_region_t *region, isc_task_t *task,
+		isc_taskaction_t action, void *arg);
+isc_result_t
+isc_socket_sendto(isc_socket_t *sock, isc_region_t *region, isc_task_t *task,
+		  isc_taskaction_t action, void *arg,
+		  const isc_sockaddr_t *address, struct in6_pktinfo *pktinfo);
+isc_result_t
+isc_socket_sendto2(isc_socket_t *sock, isc_region_t *region, isc_task_t *task,
+		   const isc_sockaddr_t *address, struct in6_pktinfo *pktinfo,
+		   isc_socketevent_t *event, unsigned int flags);
+
+/*!
+ * Send the contents of 'region' to the socket's peer.
+ *
+ * Notes:
+ *
+ *\li	Shutting down the requestor's task *may* result in any
+ *	still pending writes being dropped or completed, depending on the
+ *	underlying OS implementation.
+ *
+ *\li	If 'action' is NULL, then no completion event will be posted.
+ *
+ *\li	The caller may not modify 'region', the buffers which are passed
+ *	into this function, or any data they refer to until the completion
+ *	event is received.
+ *
+ *\li	For isc_socket_sendto2():
+ *	'event' is not NULL, and the non-socket specific fields are
+ *	expected to be initialized.
+ *
+ *\li	For isc_socket_sendto2():
+ *	The only defined values for 'flags' are ISC_SOCKFLAG_IMMEDIATE
+ *	and ISC_SOCKFLAG_NORETRY.
+ *
+ *\li	If ISC_SOCKFLAG_IMMEDIATE is set and the operation completes, the
+ *	return value will be ISC_R_SUCCESS and the event will be filled
+ *	in and not sent.  If the operation does not complete, the return
+ *	value will be ISC_R_INPROGRESS and the event will be sent when
+ *	the operation completes.
+ *
+ *\li	ISC_SOCKFLAG_NORETRY can only be set for UDP sockets.  If set
+ *	and the send operation fails due to a transient error, the send
+ *	will not be retried and the error will be indicated in the event.
+ *	Using this option along with ISC_SOCKFLAG_IMMEDIATE allows the caller
+ *	to specify a region that is allocated on the stack.
+ *
+ * Requires:
+ *
+ *\li	'socket' is a valid, bound socket.
+ *
+ *\li	For isc_socket_send():
+ *	'region' is a valid region
+ *
+ *\li	For isc_socket_sendv() and isc_socket_sendtov():
+ *	'buflist' is non-NULL, and '*buflist' contain at least one buffer.
+ *
+ *\li	'task' is a valid task
+ *
+ *\li	For isc_socket_sendv(), isc_socket_sendtov(), isc_socket_send(), and
+ *	isc_socket_sendto():
+ *	action == NULL or is a valid action
+ *
+ *\li	For isc_socket_sendto2():
+ *	event != NULL
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_INPROGRESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_UNEXPECTED
+ *
+ * Event results:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_UNEXPECTED
+ *\li	XXX needs other net-type errors
+ */
+/*@}*/
+
+isc_result_t
+isc_socketmgr_create(isc_mem_t *mctx, isc_socketmgr_t **managerp);
+
+isc_result_t
+isc_socketmgr_create2(isc_mem_t *mctx, isc_socketmgr_t **managerp,
+		      unsigned int maxsocks, int nthreads);
+/*%<
+ * Create a socket manager.  If "maxsocks" is non-zero, it specifies the
+ * maximum number of sockets that the created manager should handle.
+ * isc_socketmgr_create() is equivalent of isc_socketmgr_create2() with
+ * "maxsocks" being zero.
+ *
+ * Notes:
+ *
+ *\li	All memory will be allocated in memory context 'mctx'.
+ *
+ * Requires:
+ *
+ *\li	'mctx' is a valid memory context.
+ *
+ *\li	'managerp' points to a NULL isc_socketmgr_t.
+ *
+ *\li	'actx' is a valid application context (for createinctx()).
+ *
+ * Ensures:
+ *
+ *\li	'*managerp' is a valid isc_socketmgr_t.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_UNEXPECTED
+ *\li	#ISC_R_NOTIMPLEMENTED
+ */
+
+isc_result_t
+isc_socketmgr_getmaxsockets(isc_socketmgr_t *manager, unsigned int *nsockp);
+/*%<
+ * Returns in "*nsockp" the maximum number of sockets this manager may open.
+ *
+ * Requires:
+ *
+ *\li	'*manager' is a valid isc_socketmgr_t.
+ *\li	'nsockp' is not NULL.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOTIMPLEMENTED
+ */
+
+void
+isc_socketmgr_setstats(isc_socketmgr_t *manager, isc_stats_t *stats);
+/*%<
+ * Set a general socket statistics counter set 'stats' for 'manager'.
+ *
+ * Requires:
+ * \li	'manager' is valid, hasn't opened any socket, and doesn't have
+ *	stats already set.
+ *
+ *\li	stats is a valid statistics supporting socket statistics counters
+ *	(see above).
+ */
+
+void
+isc_socketmgr_destroy(isc_socketmgr_t **managerp);
+/*%<
+ * Destroy a socket manager.
+ *
+ * Notes:
+ *
+ *\li	This routine blocks until there are no sockets left in the manager,
+ *	so if the caller holds any socket references using the manager, it
+ *	must detach them before calling isc_socketmgr_destroy() or it will
+ *	block forever.
+ *
+ * Requires:
+ *
+ *\li	'*managerp' is a valid isc_socketmgr_t.
+ *
+ *\li	All sockets managed by this manager are fully detached.
+ *
+ * Ensures:
+ *
+ *\li	*managerp == NULL
+ *
+ *\li	All resources used by the manager have been freed.
+ */
+
+isc_sockettype_t
+isc_socket_gettype(isc_socket_t *sock);
+/*%<
+ * Returns the socket type for "sock."
+ *
+ * Requires:
+ *
+ *\li	"sock" is a valid socket.
+ */
+
+/*@{*/
+void
+isc_socket_ipv6only(isc_socket_t *sock, bool yes);
+/*%<
+ * If the socket is an IPv6 socket set/clear the IPV6_IPV6ONLY socket
+ * option if the host OS supports this option.
+ *
+ * Requires:
+ *\li	'sock' is a valid socket.
+ */
+/*@}*/
+
+void
+isc_socket_dscp(isc_socket_t *sock, isc_dscp_t dscp);
+/*%<
+ * Sets the Differentiated Services Code Point (DSCP) field for packets
+ * transmitted on this socket.  If 'dscp' is -1, return immediately.
+ *
+ * Requires:
+ *\li	'sock' is a valid socket.
+ */
+
+isc_socketevent_t *
+isc_socket_socketevent(isc_mem_t *mctx, void *sender, isc_eventtype_t eventtype,
+		       isc_taskaction_t action, void *arg);
+/*%<
+ * Get a isc_socketevent_t to be used with isc_socket_sendto2(), etc.
+ */
+
+void
+isc_socket_cleanunix(const isc_sockaddr_t *addr, bool active);
+
+/*%<
+ * Cleanup UNIX domain sockets in the file-system.  If 'active' is true
+ * then just unlink the socket.  If 'active' is false try to determine
+ * if there is a listener of the socket or not.  If no listener is found
+ * then unlink socket.
+ *
+ * Prior to unlinking the path is tested to see if it a socket.
+ *
+ * Note: there are a number of race conditions which cannot be avoided
+ *       both in the filesystem and any application using UNIX domain
+ *	 sockets (e.g. socket is tested between bind() and listen(),
+ *	 the socket is deleted and replaced in the file-system between
+ *	 stat() and unlink()).
+ */
+
+isc_result_t
+isc_socket_permunix(const isc_sockaddr_t *sockaddr, uint32_t perm,
+		    uint32_t owner, uint32_t group);
+/*%<
+ * Set ownership and file permissions on the UNIX domain socket.
+ *
+ * Note: On Solaris this secures the directory containing
+ *       the socket as Solaris do not honour the filesystem
+ *	 permissions on the socket.
+ *
+ * Requires:
+ * \li	'sockaddr' to be a valid UNIX domain sockaddr.
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_FAILURE
+ */
+
+void
+isc_socket_setname(isc_socket_t *socket, const char *name, void *tag);
+/*%<
+ * Set the name and optional tag for a socket.  This allows tracking of the
+ * owner or purpose for this socket, and is useful for tracing and statistics
+ * reporting.
+ */
+
+const char *
+isc_socket_getname(isc_socket_t *socket);
+/*%<
+ * Get the name associated with a socket, if any.
+ */
+
+void *
+isc_socket_gettag(isc_socket_t *socket);
+/*%<
+ * Get the tag associated with a socket, if any.
+ */
+
+int
+isc_socket_getfd(isc_socket_t *socket);
+/*%<
+ * Get the file descriptor associated with a socket
+ */
+
+void
+isc_socketmgr_setreserved(isc_socketmgr_t *mgr, uint32_t);
+/*%<
+ * Temporary.  For use by named only.
+ */
+
+void
+isc_socketmgr_maxudp(isc_socketmgr_t *mgr, unsigned int maxudp);
+/*%<
+ * Test interface. Drop UDP packet > 'maxudp'.
+ */
+
+bool
+isc_socket_hasreuseport(void);
+/*%<
+ * Return true if there is SO_REUSEPORT support
+ */
+
+#ifdef HAVE_LIBXML2
+int
+isc_socketmgr_renderxml(isc_socketmgr_t *mgr, void *writer0);
+/*%<
+ * Render internal statistics and other state into the XML document.
+ */
+#endif /* HAVE_LIBXML2 */
+
+#ifdef HAVE_JSON_C
+isc_result_t
+isc_socketmgr_renderjson(isc_socketmgr_t *mgr, void *stats0);
+/*%<
+ * Render internal statistics and other state into JSON format.
+ */
+#endif /* HAVE_JSON_C */
+
+/*%<
+ * See isc_socketmgr_create() above.
+ */
+typedef isc_result_t (*isc_socketmgrcreatefunc_t)(isc_mem_t	   *mctx,
+						  isc_socketmgr_t **managerp);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_SOCKET_H */
diff --git a/lib/isc/include/isc/stats.h b/lib/isc/include/isc/stats.h
new file mode 100644
index 0000000..5e25bac
--- /dev/null
+++ b/lib/isc/include/isc/stats.h
@@ -0,0 +1,256 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_STATS_H
+#define ISC_STATS_H 1
+
+/*! \file isc/stats.h */
+
+#include <inttypes.h>
+
+#include <isc/types.h>
+
+/*%
+ * Statistics counters.  Used as isc_statscounter_t values.
+ */
+enum {
+	/*%
+	 * Socket statistics counters.
+	 */
+	isc_sockstatscounter_udp4open = 0,
+	isc_sockstatscounter_udp6open = 1,
+	isc_sockstatscounter_tcp4open = 2,
+	isc_sockstatscounter_tcp6open = 3,
+	isc_sockstatscounter_unixopen = 4,
+
+	isc_sockstatscounter_udp4openfail = 5,
+	isc_sockstatscounter_udp6openfail = 6,
+	isc_sockstatscounter_tcp4openfail = 7,
+	isc_sockstatscounter_tcp6openfail = 8,
+	isc_sockstatscounter_unixopenfail = 9,
+
+	isc_sockstatscounter_udp4close = 10,
+	isc_sockstatscounter_udp6close = 11,
+	isc_sockstatscounter_tcp4close = 12,
+	isc_sockstatscounter_tcp6close = 13,
+	isc_sockstatscounter_unixclose = 14,
+	isc_sockstatscounter_fdwatchclose = 15,
+
+	isc_sockstatscounter_udp4bindfail = 16,
+	isc_sockstatscounter_udp6bindfail = 17,
+	isc_sockstatscounter_tcp4bindfail = 18,
+	isc_sockstatscounter_tcp6bindfail = 19,
+	isc_sockstatscounter_unixbindfail = 20,
+	isc_sockstatscounter_fdwatchbindfail = 21,
+
+	isc_sockstatscounter_udp4connect = 22,
+	isc_sockstatscounter_udp6connect = 23,
+	isc_sockstatscounter_tcp4connect = 24,
+	isc_sockstatscounter_tcp6connect = 25,
+	isc_sockstatscounter_unixconnect = 26,
+	isc_sockstatscounter_fdwatchconnect = 27,
+
+	isc_sockstatscounter_udp4connectfail = 28,
+	isc_sockstatscounter_udp6connectfail = 29,
+	isc_sockstatscounter_tcp4connectfail = 30,
+	isc_sockstatscounter_tcp6connectfail = 31,
+	isc_sockstatscounter_unixconnectfail = 32,
+	isc_sockstatscounter_fdwatchconnectfail = 33,
+
+	isc_sockstatscounter_tcp4accept = 34,
+	isc_sockstatscounter_tcp6accept = 35,
+	isc_sockstatscounter_unixaccept = 36,
+
+	isc_sockstatscounter_tcp4acceptfail = 37,
+	isc_sockstatscounter_tcp6acceptfail = 38,
+	isc_sockstatscounter_unixacceptfail = 39,
+
+	isc_sockstatscounter_udp4sendfail = 40,
+	isc_sockstatscounter_udp6sendfail = 41,
+	isc_sockstatscounter_tcp4sendfail = 42,
+	isc_sockstatscounter_tcp6sendfail = 43,
+	isc_sockstatscounter_unixsendfail = 44,
+	isc_sockstatscounter_fdwatchsendfail = 45,
+
+	isc_sockstatscounter_udp4recvfail = 46,
+	isc_sockstatscounter_udp6recvfail = 47,
+	isc_sockstatscounter_tcp4recvfail = 48,
+	isc_sockstatscounter_tcp6recvfail = 49,
+	isc_sockstatscounter_unixrecvfail = 50,
+	isc_sockstatscounter_fdwatchrecvfail = 51,
+
+	isc_sockstatscounter_udp4active = 52,
+	isc_sockstatscounter_udp6active = 53,
+	isc_sockstatscounter_tcp4active = 54,
+	isc_sockstatscounter_tcp6active = 55,
+	isc_sockstatscounter_unixactive = 56,
+
+	isc_sockstatscounter_rawopen = 57,
+	isc_sockstatscounter_rawopenfail = 58,
+	isc_sockstatscounter_rawclose = 59,
+	isc_sockstatscounter_rawrecvfail = 60,
+	isc_sockstatscounter_rawactive = 61,
+
+	isc_sockstatscounter_max = 62
+};
+
+ISC_LANG_BEGINDECLS
+
+/*%<
+ * Flag(s) for isc_stats_dump().
+ */
+#define ISC_STATSDUMP_VERBOSE 0x00000001 /*%< dump 0-value counters */
+
+/*%<
+ * Dump callback type.
+ */
+typedef void (*isc_stats_dumper_t)(isc_statscounter_t, uint64_t, void *);
+
+isc_result_t
+isc_stats_create(isc_mem_t *mctx, isc_stats_t **statsp, int ncounters);
+/*%<
+ * Create a statistics counter structure of general type.  It counts a general
+ * set of counters indexed by an ID between 0 and ncounters -1.
+ *
+ * Requires:
+ *\li	'mctx' must be a valid memory context.
+ *
+ *\li	'statsp' != NULL && '*statsp' == NULL.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS	-- all ok
+ *
+ *\li	anything else	-- failure
+ */
+
+void
+isc_stats_attach(isc_stats_t *stats, isc_stats_t **statsp);
+/*%<
+ * Attach to a statistics set.
+ *
+ * Requires:
+ *\li	'stats' is a valid isc_stats_t.
+ *
+ *\li	'statsp' != NULL && '*statsp' == NULL
+ */
+
+void
+isc_stats_detach(isc_stats_t **statsp);
+/*%<
+ * Detaches from the statistics set.
+ *
+ * Requires:
+ *\li	'statsp' != NULL and '*statsp' is a valid isc_stats_t.
+ */
+
+int
+isc_stats_ncounters(isc_stats_t *stats);
+/*%<
+ * Returns the number of counters contained in stats.
+ *
+ * Requires:
+ *\li	'stats' is a valid isc_stats_t.
+ *
+ */
+
+void
+isc_stats_increment(isc_stats_t *stats, isc_statscounter_t counter);
+/*%<
+ * Increment the counter-th counter of stats.
+ *
+ * Requires:
+ *\li	'stats' is a valid isc_stats_t.
+ *
+ *\li	counter is less than the maximum available ID for the stats specified
+ *	on creation.
+ */
+
+void
+isc_stats_decrement(isc_stats_t *stats, isc_statscounter_t counter);
+/*%<
+ * Decrement the counter-th counter of stats.
+ *
+ * Requires:
+ *\li	'stats' is a valid isc_stats_t.
+ */
+
+void
+isc_stats_dump(isc_stats_t *stats, isc_stats_dumper_t dump_fn, void *arg,
+	       unsigned int options);
+/*%<
+ * Dump the current statistics counters in a specified way.  For each counter
+ * in stats, dump_fn is called with its current value and the given argument
+ * arg.  By default counters that have a value of 0 is skipped; if options has
+ * the ISC_STATSDUMP_VERBOSE flag, even such counters are dumped.
+ *
+ * Requires:
+ *\li	'stats' is a valid isc_stats_t.
+ */
+
+void
+isc_stats_set(isc_stats_t *stats, uint64_t val, isc_statscounter_t counter);
+/*%<
+ * Set the given counter to the specified value.
+ *
+ * Requires:
+ *\li	'stats' is a valid isc_stats_t.
+ */
+
+void
+isc_stats_set(isc_stats_t *stats, uint64_t val, isc_statscounter_t counter);
+/*%<
+ * Set the given counter to the specified value.
+ *
+ * Requires:
+ *\li	'stats' is a valid isc_stats_t.
+ */
+
+void
+isc_stats_update_if_greater(isc_stats_t *stats, isc_statscounter_t counter,
+			    isc_statscounter_t value);
+/*%<
+ * Atomically assigns 'value' to 'counter' if value > counter.
+ *
+ * Requires:
+ *\li	'stats' is a valid isc_stats_t.
+ *
+ *\li	counter is less than the maximum available ID for the stats specified
+ *	on creation.
+ */
+
+isc_statscounter_t
+isc_stats_get_counter(isc_stats_t *stats, isc_statscounter_t counter);
+/*%<
+ * Returns value currently stored in counter.
+ *
+ * Requires:
+ *\li	'stats' is a valid isc_stats_t.
+ *
+ *\li	counter is less than the maximum available ID for the stats specified
+ *	on creation.
+ */
+
+void
+isc_stats_resize(isc_stats_t **stats, int ncounters);
+/*%<
+ * Resize a statistics counter structure of general type. The new set of
+ * counters are indexed by an ID between 0 and ncounters -1.
+ *
+ * Requires:
+ *\li	'stats' is a valid isc_stats_t.
+ *\li	'ncounters' is a non-zero positive number.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_STATS_H */
diff --git a/lib/isc/include/isc/stdio.h b/lib/isc/include/isc/stdio.h
new file mode 100644
index 0000000..2c391d7
--- /dev/null
+++ b/lib/isc/include/isc/stdio.h
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_STDIO_H
+#define ISC_STDIO_H 1
+
+/*! \file isc/stdio.h */
+
+/*%
+ * These functions are wrappers around the corresponding stdio functions.
+ *
+ * They return a detailed error code in the form of an an isc_result_t.  ANSI C
+ * does not guarantee that stdio functions set errno, hence these functions
+ * must use platform dependent methods (e.g., the POSIX errno) to construct the
+ * error code.
+ */
+
+#include <stdio.h>
+
+#include <isc/lang.h>
+#include <isc/result.h>
+
+ISC_LANG_BEGINDECLS
+
+/*% Open */
+isc_result_t
+isc_stdio_open(const char *filename, const char *mode, FILE **fp);
+
+/*% Close */
+isc_result_t
+isc_stdio_close(FILE *f);
+
+/*% Seek */
+isc_result_t
+isc_stdio_seek(FILE *f, off_t offset, int whence);
+
+/*% Tell */
+isc_result_t
+isc_stdio_tell(FILE *f, off_t *offsetp);
+
+/*% Read */
+isc_result_t
+isc_stdio_read(void *ptr, size_t size, size_t nmemb, FILE *f, size_t *nret);
+
+/*% Write */
+isc_result_t
+isc_stdio_write(const void *ptr, size_t size, size_t nmemb, FILE *f,
+		size_t *nret);
+
+/*% Flush */
+isc_result_t
+isc_stdio_flush(FILE *f);
+
+isc_result_t
+isc_stdio_sync(FILE *f);
+/*%<
+ * Invoke fsync() on the file descriptor underlying an stdio stream, or an
+ * equivalent system-dependent operation.  Note that this function has no
+ * direct counterpart in the stdio library.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_STDIO_H */
diff --git a/lib/isc/include/isc/strerr.h b/lib/isc/include/isc/strerr.h
new file mode 100644
index 0000000..ce093b0
--- /dev/null
+++ b/lib/isc/include/isc/strerr.h
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#pragma once
+
+/*! \file isc/strerr.h */
+
+#include <isc/string.h>
+
+#if defined(strerror_r)
+#undef strerror_r
+#endif /* if defined(strerror_r) */
+#define strerror_r isc_string_strerror_r
diff --git a/lib/isc/include/isc/string.h b/lib/isc/include/isc/string.h
new file mode 100644
index 0000000..1bc5693
--- /dev/null
+++ b/lib/isc/include/isc/string.h
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#pragma once
+
+/*! \file isc/string.h */
+
+#include <string.h>
+
+#include "isc/lang.h"
+#include "isc/platform.h"
+
+ISC_LANG_BEGINDECLS
+
+#if !defined(HAVE_STRLCPY)
+size_t
+strlcpy(char *dst, const char *src, size_t size);
+#endif /* !defined(HAVE_STRLCPY) */
+
+#if !defined(HAVE_STRLCAT)
+size_t
+strlcat(char *dst, const char *src, size_t size);
+#endif /* if !defined(HAVE_STRLCAT) */
+
+#if !defined(HAVE_STRNSTR)
+char *
+strnstr(const char *s, const char *find, size_t slen);
+#endif /* if !defined(HAVE_STRNSTR) */
+
+int
+isc_string_strerror_r(int errnum, char *buf, size_t buflen);
+
+ISC_LANG_ENDDECLS
diff --git a/lib/isc/include/isc/symtab.h b/lib/isc/include/isc/symtab.h
new file mode 100644
index 0000000..9ec8564
--- /dev/null
+++ b/lib/isc/include/isc/symtab.h
@@ -0,0 +1,138 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_SYMTAB_H
+#define ISC_SYMTAB_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file isc/symtab.h
+ * \brief Provides a simple memory-based symbol table.
+ *
+ * Keys are C strings, and key comparisons are case-insensitive.  A type may
+ * be specified when looking up, defining, or undefining.  A type value of
+ * 0 means "match any type"; any other value will only match the given
+ * type.
+ *
+ * It's possible that a client will attempt to define a <key, type, value>
+ * tuple when a tuple with the given key and type already exists in the table.
+ * What to do in this case is specified by the client.  Possible policies are:
+ *
+ *\li	#isc_symexists_reject	Disallow the define, returning #ISC_R_EXISTS
+ *\li	#isc_symexists_replace	Replace the old value with the new.  The
+ *				undefine action (if provided) will be called
+ *				with the old <key, type, value> tuple.
+ *\li	#isc_symexists_add	Add the new tuple, leaving the old tuple in
+ *				the table.  Subsequent lookups will retrieve
+ *				the most-recently-defined tuple.
+ *
+ * A lookup of a key using type 0 will return the most-recently defined
+ * symbol with that key.  An undefine of a key using type 0 will undefine the
+ * most-recently defined symbol with that key.  Trying to define a key with
+ * type 0 is illegal.
+ *
+ * The symbol table library does not make a copy the key field, so the
+ * caller must ensure that any key it passes to isc_symtab_define() will not
+ * change until it calls isc_symtab_undefine() or isc_symtab_destroy().
+ *
+ * A user-specified action will be called (if provided) when a symbol is
+ * undefined.  It can be used to free memory associated with keys and/or
+ * values.
+ *
+ * A symbol table is implemented as a hash table of lists; the size of the
+ * hash table is set by the 'size' parameter to isc_symtbl_create().  When
+ * the number of entries in the symbol table reaches three quarters of this
+ * value, the hash table is reallocated with size doubled, in order to
+ * optimize lookup performance.  This has a negative effect on insertion
+ * performance, which can be mitigated by sizing the table appropriately
+ * when creating it.
+ *
+ * \li MP:
+ *	The callers of this module must ensure any required synchronization.
+ *
+ * \li Reliability:
+ *	No anticipated impact.
+ *
+ * \li Resources:
+ *	TBS
+ *
+ * \li Security:
+ *	No anticipated impact.
+ *
+ * \li Standards:
+ *	None.
+ */
+
+/***
+ *** Imports.
+ ***/
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+/*
+ *** Symbol Tables.
+ ***/
+/*% Symbol table value. */
+typedef union isc_symvalue {
+	void	    *as_pointer;
+	const void  *as_cpointer;
+	int	     as_integer;
+	unsigned int as_uinteger;
+} isc_symvalue_t;
+
+typedef void (*isc_symtabaction_t)(char *key, unsigned int type,
+				   isc_symvalue_t value, void *userarg);
+/*% Symbol table exists. */
+typedef enum {
+	isc_symexists_reject = 0,  /*%< Disallow the define */
+	isc_symexists_replace = 1, /*%< Replace the old value with the new */
+	isc_symexists_add = 2	   /*%< Add the new tuple */
+} isc_symexists_t;
+
+ISC_LANG_BEGINDECLS
+
+/*% Create a symbol table. */
+isc_result_t
+isc_symtab_create(isc_mem_t *mctx, unsigned int size,
+		  isc_symtabaction_t undefine_action, void *undefine_arg,
+		  bool case_sensitive, isc_symtab_t **symtabp);
+
+/*% Destroy a symbol table. */
+void
+isc_symtab_destroy(isc_symtab_t **symtabp);
+
+/*% Lookup a symbol table. */
+isc_result_t
+isc_symtab_lookup(isc_symtab_t *symtab, const char *key, unsigned int type,
+		  isc_symvalue_t *value);
+
+/*% Define a symbol table. */
+isc_result_t
+isc_symtab_define(isc_symtab_t *symtab, const char *key, unsigned int type,
+		  isc_symvalue_t value, isc_symexists_t exists_policy);
+
+/*% Undefine a symbol table. */
+isc_result_t
+isc_symtab_undefine(isc_symtab_t *symtab, const char *key, unsigned int type);
+
+/*% Return the number of items in a symbol table. */
+unsigned int
+isc_symtab_count(isc_symtab_t *symtab);
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_SYMTAB_H */
diff --git a/lib/isc/include/isc/task.h b/lib/isc/include/isc/task.h
new file mode 100644
index 0000000..810552d
--- /dev/null
+++ b/lib/isc/include/isc/task.h
@@ -0,0 +1,721 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#pragma once
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file isc/task.h
+ * \brief The task system provides a lightweight execution context, which is
+ * basically an event queue.
+ *
+ * When a task's event queue is non-empty, the
+ * task is runnable.  A small work crew of threads, typically one per CPU,
+ * execute runnable tasks by dispatching the events on the tasks' event
+ * queues.  Context switching between tasks is fast.
+ *
+ * \li MP:
+ *	The module ensures appropriate synchronization of data structures it
+ *	creates and manipulates.
+ *	The caller must ensure that isc_taskmgr_destroy() is called only
+ *	once for a given manager.
+ *
+ * \li Reliability:
+ *	No anticipated impact.
+ *
+ * \li Resources:
+ *	TBS
+ *
+ * \li Security:
+ *	No anticipated impact.
+ *
+ * \li Standards:
+ *	None.
+ *
+ * \section purge Purging and Unsending
+ *
+ * Events which have been queued for a task but not delivered may be removed
+ * from the task's event queue by purging or unsending.
+ *
+ * With both types, the caller specifies a matching pattern that selects
+ * events based upon their sender, type, and tag.
+ *
+ * Purging calls isc_event_free() on the matching events.
+ *
+ * Unsending returns a list of events that matched the pattern.
+ * The caller is then responsible for them.
+ *
+ * Consumers of events should purge, not unsend.
+ *
+ * Producers of events often want to remove events when the caller indicates
+ * it is no longer interested in the object, e.g. by canceling a timer.
+ * Sometimes this can be done by purging, but for some event types, the
+ * calls to isc_event_free() cause deadlock because the event free routine
+ * wants to acquire a lock the caller is already holding.  Unsending instead
+ * of purging solves this problem.  As a general rule, producers should only
+ * unsend events which they have sent.
+ */
+
+/***
+ *** Imports.
+ ***/
+
+#include <stdbool.h>
+
+#include <isc/eventclass.h>
+#include <isc/lang.h>
+#include <isc/netmgr.h>
+#include <isc/stdtime.h>
+#include <isc/types.h>
+
+#define ISC_TASKEVENT_FIRSTEVENT (ISC_EVENTCLASS_TASK + 0)
+#define ISC_TASKEVENT_SHUTDOWN	 (ISC_EVENTCLASS_TASK + 1)
+#define ISC_TASKEVENT_TEST	 (ISC_EVENTCLASS_TASK + 1)
+#define ISC_TASKEVENT_LASTEVENT	 (ISC_EVENTCLASS_TASK + 65535)
+
+/*****
+ ***** Tasks.
+ *****/
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Types
+ ***/
+
+typedef enum {
+	isc_taskmgrmode_normal = 0,
+	isc_taskmgrmode_privileged
+} isc_taskmgrmode_t;
+
+isc_result_t
+isc_task_create(isc_taskmgr_t *manager, unsigned int quantum,
+		isc_task_t **taskp);
+isc_result_t
+isc_task_create_bound(isc_taskmgr_t *manager, unsigned int quantum,
+		      isc_task_t **taskp, int threadid);
+/*%<
+ * Create a task, optionally bound to a particular threadid.
+ *
+ * Notes:
+ *
+ *\li	If 'quantum' is non-zero, then only that many events can be dispatched
+ *	before the task must yield to other tasks waiting to execute.  If
+ *	quantum is zero, then the default quantum of the task manager will
+ *	be used.
+ *
+ *\li	The 'quantum' option may be removed from isc_task_create() in the
+ *	future.  If this happens, isc_task_getquantum() and
+ *	isc_task_setquantum() will be provided.
+ *
+ * Requires:
+ *
+ *\li	'manager' is a valid task manager.
+ *
+ *\li	taskp != NULL && *taskp == NULL
+ *
+ * Ensures:
+ *
+ *\li	On success, '*taskp' is bound to the new task.
+ *
+ * Returns:
+ *
+ *\li   #ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_UNEXPECTED
+ *\li	#ISC_R_SHUTTINGDOWN
+ */
+
+void
+isc_task_ready(isc_task_t *task);
+/*%<
+ * Enqueue the task onto netmgr queue.
+ */
+
+isc_result_t
+isc_task_run(isc_task_t *task);
+/*%<
+ * Run all the queued events for the 'task', returning
+ * when the queue is empty or the number of events executed
+ * exceeds the 'quantum' specified when the task was created.
+ *
+ * Requires:
+ *
+ *\li	'task' is a valid task.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_QUOTA
+ */
+
+void
+isc_task_attach(isc_task_t *source, isc_task_t **targetp);
+/*%<
+ * Attach *targetp to source.
+ *
+ * Requires:
+ *
+ *\li	'source' is a valid task.
+ *
+ *\li	'targetp' points to a NULL isc_task_t *.
+ *
+ * Ensures:
+ *
+ *\li	*targetp is attached to source.
+ */
+
+void
+isc_task_detach(isc_task_t **taskp);
+/*%<
+ * Detach *taskp from its task.
+ *
+ * Requires:
+ *
+ *\li	'*taskp' is a valid task.
+ *
+ * Ensures:
+ *
+ *\li	*taskp is NULL.
+ *
+ *\li	If '*taskp' is the last reference to the task, the task is idle (has
+ *	an empty event queue), and has not been shutdown, the task will be
+ *	shutdown.
+ *
+ *\li	If '*taskp' is the last reference to the task and
+ *	the task has been shutdown,
+ *		all resources used by the task will be freed.
+ */
+
+void
+isc_task_send(isc_task_t *task, isc_event_t **eventp);
+
+void
+isc_task_sendto(isc_task_t *task, isc_event_t **eventp, int c);
+/*%<
+ * Send '*event' to 'task', if task is idle try starting it on cpu 'c'
+ * If 'c' is smaller than 0 then cpu is selected randomly.
+ *
+ * Requires:
+ *
+ *\li	'task' is a valid task.
+ *\li	eventp != NULL && *eventp != NULL.
+ *
+ * Ensures:
+ *
+ *\li	*eventp == NULL.
+ */
+
+void
+isc_task_sendtoanddetach(isc_task_t **taskp, isc_event_t **eventp, int c);
+
+void
+isc_task_sendanddetach(isc_task_t **taskp, isc_event_t **eventp);
+/*%<
+ * Send '*event' to '*taskp' and then detach '*taskp' from its
+ * task. If task is idle try starting it on cpu 'c'
+ * If 'c' is smaller than 0 then cpu is selected randomly.
+ *
+ * Requires:
+ *
+ *\li	'*taskp' is a valid task.
+ *\li	eventp != NULL && *eventp != NULL.
+ *
+ * Ensures:
+ *
+ *\li	*eventp == NULL.
+ *
+ *\li	*taskp == NULL.
+ *
+ *\li	If '*taskp' is the last reference to the task, the task is
+ *	idle (has an empty event queue), and has not been shutdown,
+ *	the task will be shutdown.
+ *
+ *\li	If '*taskp' is the last reference to the task and
+ *	the task has been shutdown,
+ *		all resources used by the task will be freed.
+ */
+
+unsigned int
+isc_task_purgerange(isc_task_t *task, void *sender, isc_eventtype_t first,
+		    isc_eventtype_t last, void *tag);
+/*%<
+ * Purge events from a task's event queue.
+ *
+ * Requires:
+ *
+ *\li	'task' is a valid task.
+ *
+ *\li	last >= first
+ *
+ * Ensures:
+ *
+ *\li	Events in the event queue of 'task' whose sender is 'sender', whose
+ *	type is >= first and <= last, and whose tag is 'tag' will be purged,
+ *	unless they are marked as unpurgable.
+ *
+ *\li	A sender of NULL will match any sender.  A NULL tag matches any
+ *	tag.
+ *
+ * Returns:
+ *
+ *\li	The number of events purged.
+ */
+
+unsigned int
+isc_task_purge(isc_task_t *task, void *sender, isc_eventtype_t type, void *tag);
+/*%<
+ * Purge events from a task's event queue.
+ *
+ * Notes:
+ *
+ *\li	This function is equivalent to
+ *
+ *\code
+ *		isc_task_purgerange(task, sender, type, type, tag);
+ *\endcode
+ *
+ * Requires:
+ *
+ *\li	'task' is a valid task.
+ *
+ * Ensures:
+ *
+ *\li	Events in the event queue of 'task' whose sender is 'sender', whose
+ *	type is 'type', and whose tag is 'tag' will be purged, unless they
+ *	are marked as unpurgable.
+ *
+ *\li	A sender of NULL will match any sender.  A NULL tag matches any
+ *	tag.
+ *
+ * Returns:
+ *
+ *\li	The number of events purged.
+ */
+
+bool
+isc_task_purgeevent(isc_task_t *task, isc_event_t *event);
+/*%<
+ * Purge 'event' from a task's event queue.
+ *
+ * XXXRTH:  WARNING:  This method may be removed before beta.
+ *
+ * Notes:
+ *
+ *\li	If 'event' is on the task's event queue, it will be purged,
+ * 	unless it is marked as unpurgeable.  'event' does not have to be
+ *	on the task's event queue; in fact, it can even be an invalid
+ *	pointer.  Purging only occurs if the event is actually on the task's
+ *	event queue.
+ *
+ * \li	Purging never changes the state of the task.
+ *
+ * Requires:
+ *
+ *\li	'task' is a valid task.
+ *
+ * Ensures:
+ *
+ *\li	'event' is not in the event queue for 'task'.
+ *
+ * Returns:
+ *
+ *\li	#true			The event was purged.
+ *\li	#false			The event was not in the event queue,
+ *					or was marked unpurgeable.
+ */
+
+unsigned int
+isc_task_unsendrange(isc_task_t *task, void *sender, isc_eventtype_t first,
+		     isc_eventtype_t last, void *tag, isc_eventlist_t *events);
+/*%<
+ * Remove events from a task's event queue.
+ *
+ * Requires:
+ *
+ *\li	'task' is a valid task.
+ *
+ *\li	last >= first.
+ *
+ *\li	*events is a valid list.
+ *
+ * Ensures:
+ *
+ *\li	Events in the event queue of 'task' whose sender is 'sender', whose
+ *	type is >= first and <= last, and whose tag is 'tag' will be dequeued
+ *	and appended to *events.
+ *
+ *\li	A sender of NULL will match any sender.  A NULL tag matches any
+ *	tag.
+ *
+ * Returns:
+ *
+ *\li	The number of events unsent.
+ */
+
+unsigned int
+isc_task_unsend(isc_task_t *task, void *sender, isc_eventtype_t type, void *tag,
+		isc_eventlist_t *events);
+/*%<
+ * Remove events from a task's event queue.
+ *
+ * Notes:
+ *
+ *\li  This function is equivalent to
+ *
+ *\code
+ *             isc_task_unsendrange(task, sender, type, type, tag, events);
+ *\endcode
+ *
+ * Requires:
+ *
+ *\li  'task' is a valid task.
+ *
+ *\li  *events is a valid list.
+ *
+ * Ensures:
+ *
+ *\li  Events in the event queue of 'task' whose sender is 'sender', whose
+ *     type is 'type', and whose tag is 'tag' will be dequeued and appended
+ *     to *events.
+ *
+ * Returns:
+ *
+ *\li  The number of events unsent.
+ */
+
+isc_result_t
+isc_task_onshutdown(isc_task_t *task, isc_taskaction_t action, void *arg);
+/*%<
+ * Send a shutdown event with action 'action' and argument 'arg' when
+ * 'task' is shutdown.
+ *
+ * Notes:
+ *
+ *\li	Shutdown events are posted in LIFO order.
+ *
+ * Requires:
+ *
+ *\li	'task' is a valid task.
+ *
+ *\li	'action' is a valid task action.
+ *
+ * Ensures:
+ *
+ *\li	When the task is shutdown, shutdown events requested with
+ *	isc_task_onshutdown() will be appended to the task's event queue.
+ *
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_SHUTTINGDOWN			Task is shutting down.
+ */
+
+void
+isc_task_shutdown(isc_task_t *task);
+/*%<
+ * Shutdown 'task'.
+ *
+ * Notes:
+ *
+ *\li	Shutting down a task causes any shutdown events requested with
+ *	isc_task_onshutdown() to be posted (in LIFO order).  The task
+ *	moves into a "shutting down" mode which prevents further calls
+ *	to isc_task_onshutdown().
+ *
+ *\li	Trying to shutdown a task that has already been shutdown has no
+ *	effect.
+ *
+ * Requires:
+ *
+ *\li	'task' is a valid task.
+ *
+ * Ensures:
+ *
+ *\li	Any shutdown events requested with isc_task_onshutdown() have been
+ *	posted (in LIFO order).
+ */
+
+void
+isc_task_destroy(isc_task_t **taskp);
+/*%<
+ * Destroy '*taskp'.
+ *
+ * Notes:
+ *
+ *\li	This call is equivalent to:
+ *
+ *\code
+ *		isc_task_shutdown(*taskp);
+ *		isc_task_detach(taskp);
+ *\endcode
+ *
+ * Requires:
+ *
+ *	'*taskp' is a valid task.
+ *
+ * Ensures:
+ *
+ *\li	Any shutdown events requested with isc_task_onshutdown() have been
+ *	posted (in LIFO order).
+ *
+ *\li	*taskp == NULL
+ *
+ *\li	If '*taskp' is the last reference to the task,
+ *		all resources used by the task will be freed.
+ */
+
+void
+isc_task_setname(isc_task_t *task, const char *name, void *tag);
+/*%<
+ * Name 'task'.
+ *
+ * Notes:
+ *
+ *\li	Only the first 15 characters of 'name' will be copied.
+ *
+ *\li	Naming a task is currently only useful for debugging purposes.
+ *
+ * Requires:
+ *
+ *\li	'task' is a valid task.
+ */
+
+const char *
+isc_task_getname(isc_task_t *task);
+/*%<
+ * Get the name of 'task', as previously set using isc_task_setname().
+ *
+ * Notes:
+ *\li	This function is for debugging purposes only.
+ *
+ * Requires:
+ *\li	'task' is a valid task.
+ *
+ * Returns:
+ *\li	A non-NULL pointer to a null-terminated string.
+ * 	If the task has not been named, the string is
+ * 	empty.
+ *
+ */
+
+isc_nm_t *
+isc_task_getnetmgr(isc_task_t *task);
+
+void *
+isc_task_gettag(isc_task_t *task);
+/*%<
+ * Get the tag value for  'task', as previously set using isc_task_settag().
+ *
+ * Notes:
+ *\li	This function is for debugging purposes only.
+ *
+ * Requires:
+ *\li	'task' is a valid task.
+ */
+
+void
+isc_task_setquantum(isc_task_t *task, unsigned int quantum);
+/*%<
+ * Set future 'task' quantum to 'quantum'.  The current 'task' quantum will be
+ * kept for the current isc_task_run() loop, and will be changed for the next
+ * run.  Therefore, the function is safe to use from the event callback as it
+ * will not affect the current event loop processing.
+ */
+
+isc_result_t
+isc_task_beginexclusive(isc_task_t *task);
+/*%<
+ * Request exclusive access for 'task', which must be the calling
+ * task.  Waits for any other concurrently executing tasks to finish their
+ * current event, and prevents any new events from executing in any of the
+ * tasks sharing a task manager with 'task'.
+ * It also pauses processing of network events in netmgr if it was provided
+ * when taskmgr was created.
+ *
+ * The exclusive access must be relinquished by calling
+ * isc_task_endexclusive() before returning from the current event handler.
+ *
+ * Requires:
+ *\li	'task' is the calling task.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		The current task now has exclusive access.
+ *\li	#ISC_R_LOCKBUSY		Another task has already requested exclusive
+ *				access.
+ */
+
+void
+isc_task_endexclusive(isc_task_t *task);
+/*%<
+ * Relinquish the exclusive access obtained by isc_task_beginexclusive(),
+ * allowing other tasks to execute.
+ *
+ * Requires:
+ *\li	'task' is the calling task, and has obtained
+ *		exclusive access by calling isc_task_spl().
+ */
+
+void
+isc_task_pause(isc_task_t *task0);
+void
+isc_task_unpause(isc_task_t *task0);
+/*%<
+ * Pause/unpause this task. Pausing a task removes it from the ready
+ * queue if it is present there; this ensures that the task will not
+ * run again until unpaused. This is necessary when the libuv network
+ * thread executes a function which schedules task manager events; this
+ * prevents the task manager from executing the next event in a task
+ * before the network thread has finished.
+ *
+ * Requires:
+ *\li	'task' is a valid task, and is not already paused or shutting down.
+ */
+
+void
+isc_task_getcurrenttime(isc_task_t *task, isc_stdtime_t *t);
+void
+isc_task_getcurrenttimex(isc_task_t *task, isc_time_t *t);
+/*%<
+ * Provide the most recent timestamp on the task.  The timestamp is considered
+ * as the "current time".
+ *
+ * isc_task_getcurrentime() returns the time in one-second granularity;
+ * isc_task_getcurrentimex() returns it in nanosecond granularity.
+ *
+ * Requires:
+ *\li	'task' is a valid task.
+ *\li	't' is a valid non NULL pointer.
+ *
+ * Ensures:
+ *\li	'*t' has the "current time".
+ */
+
+bool
+isc_task_exiting(isc_task_t *t);
+/*%<
+ * Returns true if the task is in the process of shutting down,
+ * false otherwise.
+ *
+ * Requires:
+ *\li	'task' is a valid task.
+ */
+
+void
+isc_task_setprivilege(isc_task_t *task, bool priv);
+/*%<
+ * Set or unset the task's "privileged" flag depending on the value of
+ * 'priv'.
+ *
+ * Under normal circumstances this flag has no effect on the task behavior,
+ * but when the task manager has been set to privileged execution mode via
+ * isc_taskmgr_setmode(), only tasks with the flag set will be executed,
+ * and all other tasks will wait until they're done.  Once all privileged
+ * tasks have finished executing, the task manager resumes running
+ * non-privileged tasks.
+ *
+ * Requires:
+ *\li	'task' is a valid task.
+ */
+
+bool
+isc_task_getprivilege(isc_task_t *task);
+/*%<
+ * Returns the current value of the task's privilege flag.
+ *
+ * Requires:
+ *\li	'task' is a valid task.
+ */
+
+bool
+isc_task_privileged(isc_task_t *task);
+/*%<
+ * Returns true if the task's privilege flag is set *and* the task
+ * manager is currently in privileged mode.
+ *
+ * Requires:
+ *\li	'task' is a valid task.
+ */
+
+/*****
+ ***** Task Manager.
+ *****/
+
+void
+isc_taskmgr_attach(isc_taskmgr_t *, isc_taskmgr_t **);
+void
+isc_taskmgr_detach(isc_taskmgr_t **);
+/*%<
+ * Attach/detach the task manager.
+ */
+
+void
+isc_taskmgr_setmode(isc_taskmgr_t *manager, isc_taskmgrmode_t mode);
+isc_taskmgrmode_t
+isc_taskmgr_mode(isc_taskmgr_t *manager);
+/*%<
+ * Set/get the operating mode of the task manager. Valid modes are:
+ *
+ *\li	isc_taskmgrmode_normal
+ *\li	isc_taskmgrmode_privileged
+ *
+ * In privileged execution mode, only tasks that have had the "privilege"
+ * flag set via isc_task_setprivilege() can be executed. When all such
+ * tasks are complete, non-privileged tasks resume running. The task calling
+ * this function should be in task-exclusive mode; the privileged tasks
+ * will be run after isc_task_endexclusive() is called.
+ *
+ * Requires:
+ *
+ *\li	'manager' is a valid task manager.
+ */
+
+void
+isc_taskmgr_setexcltask(isc_taskmgr_t *mgr, isc_task_t *task);
+/*%<
+ * Set a task which will be used for all task-exclusive operations.
+ *
+ * Requires:
+ *\li	'manager' is a valid task manager.
+ *
+ *\li	'task' is a valid task.
+ */
+
+isc_result_t
+isc_taskmgr_excltask(isc_taskmgr_t *mgr, isc_task_t **taskp);
+/*%<
+ * Attach '*taskp' to the task set by isc_taskmgr_getexcltask().
+ * This task should be used whenever running in task-exclusive mode,
+ * so as to prevent deadlock between two exclusive tasks.
+ *
+ * Requires:
+ *\li	'manager' is a valid task manager.
+ *
+ *\li	taskp != NULL && *taskp == NULL
+ */
+
+#ifdef HAVE_LIBXML2
+int
+isc_taskmgr_renderxml(isc_taskmgr_t *mgr, void *writer0);
+#endif /* ifdef HAVE_LIBXML2 */
+
+#ifdef HAVE_JSON_C
+isc_result_t
+isc_taskmgr_renderjson(isc_taskmgr_t *mgr, void *tasksobj0);
+#endif /* HAVE_JSON_C */
+
+ISC_LANG_ENDDECLS
diff --git a/lib/isc/include/isc/taskpool.h b/lib/isc/include/isc/taskpool.h
new file mode 100644
index 0000000..ea4c569
--- /dev/null
+++ b/lib/isc/include/isc/taskpool.h
@@ -0,0 +1,138 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_TASKPOOL_H
+#define ISC_TASKPOOL_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file isc/taskpool.h
+ * \brief A task pool is a mechanism for sharing a small number of tasks
+ * among a large number of objects such that each object is
+ * assigned a unique task, but each task may be shared by several
+ * objects.
+ *
+ * Task pools are used to let objects that can exist in large
+ * numbers (e.g., zones) use tasks for synchronization without
+ * the memory overhead and unfair scheduling competition that
+ * could result from creating a separate task for each object.
+ */
+
+/***
+ *** Imports.
+ ***/
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/task.h>
+
+ISC_LANG_BEGINDECLS
+
+/*****
+***** Types.
+*****/
+
+typedef struct isc_taskpool isc_taskpool_t;
+
+/*****
+***** Functions.
+*****/
+
+isc_result_t
+isc_taskpool_create(isc_taskmgr_t *tmgr, isc_mem_t *mctx, unsigned int ntasks,
+		    unsigned int quantum, bool priv, isc_taskpool_t **poolp);
+/*%<
+ * Create a task pool of "ntasks" tasks, each with quantum
+ * "quantum".
+ *
+ * Requires:
+ *
+ *\li	'tmgr' is a valid task manager.
+ *
+ *\li	'mctx' is a valid memory context.
+ *
+ *\li	poolp != NULL && *poolp == NULL
+ *
+ * Ensures:
+ *
+ *\li	On success, '*taskp' points to the new task pool.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_UNEXPECTED
+ */
+
+void
+isc_taskpool_gettask(isc_taskpool_t *pool, isc_task_t **targetp);
+/*%<
+ * Attach to a task from the pool.  Currently the next task is chosen
+ * from the pool at random.  (This may be changed in the future to
+ * something that guaratees balance.)
+ */
+
+int
+isc_taskpool_size(isc_taskpool_t *pool);
+/*%<
+ * Returns the number of tasks in the task pool 'pool'.
+ */
+
+isc_result_t
+isc_taskpool_expand(isc_taskpool_t **sourcep, unsigned int size, bool priv,
+		    isc_taskpool_t **targetp);
+
+/*%<
+ * If 'size' is larger than the number of tasks in the pool pointed to by
+ * 'sourcep', then a new taskpool of size 'size' is allocated, the existing
+ * tasks from are moved into it, additional tasks are created to bring the
+ * total number up to 'size', and the resulting pool is attached to
+ * 'targetp'.
+ *
+ * If 'size' is less than or equal to the tasks in pool 'source', then
+ * 'sourcep' is attached to 'targetp' without any other action being taken.
+ *
+ * In either case, 'sourcep' is detached.
+ *
+ * Requires:
+ *
+ * \li	'sourcep' is not NULL and '*source' is not NULL
+ * \li	'targetp' is not NULL and '*source' is NULL
+ *
+ * Ensures:
+ *
+ * \li	On success, '*targetp' points to a valid task pool.
+ * \li	On success, '*sourcep' points to NULL.
+ *
+ * Returns:
+ *
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOMEMORY
+ */
+
+void
+isc_taskpool_destroy(isc_taskpool_t **poolp);
+/*%<
+ * Destroy a task pool.  The tasks in the pool are detached but not
+ * shut down.
+ *
+ * Requires:
+ * \li	'*poolp' is a valid task pool.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_TASKPOOL_H */
diff --git a/lib/isc/include/isc/timer.h b/lib/isc/include/isc/timer.h
new file mode 100644
index 0000000..4814a65
--- /dev/null
+++ b/lib/isc/include/isc/timer.h
@@ -0,0 +1,323 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_TIMER_H
+#define ISC_TIMER_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file isc/timer.h
+ * \brief Provides timers which are event sources in the task system.
+ *
+ * Three types of timers are supported:
+ *
+ *\li	'ticker' timers generate a periodic tick event.
+ *
+ *\li	'once' timers generate an idle timeout event if they are idle for too
+ *	long, and generate a life timeout event if their lifetime expires.
+ *	They are used to implement both (possibly expiring) idle timers and
+ *	'one-shot' timers.
+ *
+ *\li	'limited' timers generate a periodic tick event until they reach
+ *	their lifetime when they generate a life timeout event.
+ *
+ *\li	'inactive' timers generate no events.
+ *
+ * Timers can change type.  It is typical to create a timer as
+ * an 'inactive' timer and then change it into a 'ticker' or
+ * 'once' timer.
+ *
+ *\li MP:
+ *	The module ensures appropriate synchronization of data structures it
+ *	creates and manipulates.
+ *	Clients of this module must not be holding a timer's task's lock when
+ *	making a call that affects that timer.  Failure to follow this rule
+ *	can result in deadlock.
+ *	The caller must ensure that isc_timermgr_destroy() is called only
+ *	once for a given manager.
+ *
+ * \li Reliability:
+ *	No anticipated impact.
+ *
+ * \li Resources:
+ *	TBS
+ *
+ * \li Security:
+ *	No anticipated impact.
+ *
+ * \li Standards:
+ *	None.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <stdbool.h>
+
+#include <isc/event.h>
+#include <isc/eventclass.h>
+#include <isc/lang.h>
+#include <isc/time.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Types
+ ***/
+
+/*% Timer Type */
+typedef enum {
+	isc_timertype_undefined = -1, /*%< Undefined */
+	isc_timertype_ticker = 0,     /*%< Ticker */
+	isc_timertype_once = 1,	      /*%< Once */
+	isc_timertype_limited = 2,    /*%< Limited */
+	isc_timertype_inactive = 3    /*%< Inactive */
+} isc_timertype_t;
+
+typedef struct isc_timerevent isc_timerevent_t;
+
+struct isc_timerevent {
+	struct isc_event common;
+	isc_time_t	 due;
+	ISC_LINK(isc_timerevent_t) ev_timerlink;
+};
+
+#define ISC_TIMEREVENT_FIRSTEVENT (ISC_EVENTCLASS_TIMER + 0)
+#define ISC_TIMEREVENT_TICK	  (ISC_EVENTCLASS_TIMER + 1)
+#define ISC_TIMEREVENT_IDLE	  (ISC_EVENTCLASS_TIMER + 2)
+#define ISC_TIMEREVENT_LIFE	  (ISC_EVENTCLASS_TIMER + 3)
+#define ISC_TIMEREVENT_LASTEVENT  (ISC_EVENTCLASS_TIMER + 65535)
+
+/***
+ *** Timer and Timer Manager Functions
+ ***
+ *** Note: all Ensures conditions apply only if the result is success for
+ *** those functions which return an isc_result_t.
+ ***/
+
+isc_result_t
+isc_timer_create(isc_timermgr_t *manager, isc_timertype_t type,
+		 const isc_time_t *expires, const isc_interval_t *interval,
+		 isc_task_t *task, isc_taskaction_t action, void *arg,
+		 isc_timer_t **timerp);
+/*%<
+ * Create a new 'type' timer managed by 'manager'.  The timers parameters
+ * are specified by 'expires' and 'interval'.  Events will be posted to
+ * 'task' and when dispatched 'action' will be called with 'arg' as the
+ * arg value.  The new timer is returned in 'timerp'.
+ *
+ * Notes:
+ *
+ *\li	For ticker timers, the timer will generate a 'tick' event every
+ *	'interval' seconds.  The value of 'expires' is ignored.
+ *
+ *\li	For once timers, 'expires' specifies the time when a life timeout
+ *	event should be generated.  If 'expires' is 0 (the epoch), then no life
+ *	timeout will be generated.  'interval' specifies how long the timer
+ *	can be idle before it generates an idle timeout.  If 0, then no
+ *	idle timeout will be generated.
+ *
+ *\li	If 'expires' is NULL, the epoch will be used.
+ *
+ *	If 'interval' is NULL, the zero interval will be used.
+ *
+ * Requires:
+ *
+ *\li	'manager' is a valid manager
+ *
+ *\li	'task' is a valid task
+ *
+ *\li	'action' is a valid action
+ *
+ *\li	'expires' points to a valid time, or is NULL.
+ *
+ *\li	'interval' points to a valid interval, or is NULL.
+ *
+ *\li	type == isc_timertype_inactive ||
+ *	('expires' and 'interval' are not both 0)
+ *
+ *\li	'timerp' is a valid pointer, and *timerp == NULL
+ *
+ * Ensures:
+ *
+ *\li	'*timerp' is attached to the newly created timer
+ *
+ *\li	The timer is attached to the task
+ *
+ *\li	An idle timeout will not be generated until at least Now + the
+ *	timer's interval if 'timer' is a once timer with a non-zero
+ *	interval.
+ *
+ * Returns:
+ *
+ *\li	Success
+ *\li	No memory
+ *\li	Unexpected error
+ */
+
+isc_result_t
+isc_timer_reset(isc_timer_t *timer, isc_timertype_t type,
+		const isc_time_t *expires, const isc_interval_t *interval,
+		bool purge);
+/*%<
+ * Change the timer's type, expires, and interval values to the given
+ * values.  If 'purge' is TRUE, any pending events from this timer
+ * are purged from its task's event queue.
+ *
+ * Notes:
+ *
+ *\li	If 'expires' is NULL, the epoch will be used.
+ *
+ *\li	If 'interval' is NULL, the zero interval will be used.
+ *
+ * Requires:
+ *
+ *\li	'timer' is a valid timer
+ *
+ *\li	The same requirements that isc_timer_create() imposes on 'type',
+ *	'expires' and 'interval' apply.
+ *
+ * Ensures:
+ *
+ *\li	An idle timeout will not be generated until at least Now + the
+ *	timer's interval if 'timer' is a once timer with a non-zero
+ *	interval.
+ *
+ * Returns:
+ *
+ *\li	Success
+ *\li	No memory
+ *\li	Unexpected error
+ */
+
+isc_result_t
+isc_timer_touch(isc_timer_t *timer);
+/*%<
+ * Set the last-touched time of 'timer' to the current time.
+ *
+ * Requires:
+ *
+ *\li	'timer' is a valid once timer.
+ *
+ * Ensures:
+ *
+ *\li	An idle timeout will not be generated until at least Now + the
+ *	timer's interval if 'timer' is a once timer with a non-zero
+ *	interval.
+ *
+ * Returns:
+ *
+ *\li	Success
+ *\li	Unexpected error
+ */
+
+void
+isc_timer_destroy(isc_timer_t **timerp);
+/*%<
+ * Destroy *timerp.
+ *
+ * Requires:
+ *
+ *\li	'timerp' points to a valid timer.
+ *
+ * Ensures:
+ *
+ *\li	*timerp is NULL.
+ *
+ *\code
+ *		The timer will be shutdown
+ *
+ *		The timer will detach from its task
+ *
+ *		All resources used by the timer have been freed
+ *
+ *		Any events already posted by the timer will be purged.
+ *		Therefore, if isc_timer_destroy() is called in the context
+ *		of the timer's task, it is guaranteed that no more
+ *		timer event callbacks will run after the call.
+ *
+ *		If this function is called from the timer event callback
+ *		the event itself must be destroyed before the timer
+ *		itself.
+ *\endcode
+ */
+
+isc_timertype_t
+isc_timer_gettype(isc_timer_t *timer);
+/*%<
+ * Return the timer type.
+ *
+ * Requires:
+ *
+ *\li	'timer' to be a valid timer.
+ */
+
+isc_result_t
+isc_timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp);
+/*%<
+ * Create a timer manager.
+ *
+ * Notes:
+ *
+ *\li	All memory will be allocated in memory context 'mctx'.
+ *
+ * Requires:
+ *
+ *\li	'mctx' is a valid memory context.
+ *
+ *\li	'managerp' points to a NULL isc_timermgr_t.
+ *
+ * Ensures:
+ *
+ *\li	'*managerp' is a valid isc_timermgr_t.
+ *
+ * Returns:
+ *
+ *\li	Success
+ *\li	No memory
+ *\li	Unexpected error
+ */
+
+void
+isc_timermgr_destroy(isc_timermgr_t **managerp);
+/*%<
+ * Destroy a timer manager.
+ *
+ * Notes:
+ *
+ *\li	This routine blocks until there are no timers left in the manager,
+ *	so if the caller holds any timer references using the manager, it
+ *	must detach them before calling isc_timermgr_destroy() or it will
+ *	block forever.
+ *
+ * Requires:
+ *
+ *\li	'*managerp' is a valid isc_timermgr_t.
+ *
+ * Ensures:
+ *
+ *\li	*managerp == NULL
+ *
+ *\li	All resources used by the manager have been freed.
+ */
+
+void
+isc_timermgr_poke(isc_timermgr_t *m);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_TIMER_H */
diff --git a/lib/isc/include/isc/tm.h b/lib/isc/include/isc/tm.h
new file mode 100644
index 0000000..dd13448
--- /dev/null
+++ b/lib/isc/include/isc/tm.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_TM_H
+#define ISC_TM_H 1
+
+/*! \file isc/tm.h
+ * Provides portable conversion routines for struct tm.
+ */
+#include <time.h>
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+time_t
+isc_tm_timegm(struct tm *tm);
+/*
+ * Convert a tm structure to time_t, using UTC rather than the local
+ * time zone.
+ */
+
+char *
+isc_tm_strptime(const char *buf, const char *fmt, struct tm *tm);
+/*
+ * Parse a formatted date string into struct tm.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_TIMER_H */
diff --git a/lib/isc/include/isc/types.h b/lib/isc/include/isc/types.h
new file mode 100644
index 0000000..60e7114
--- /dev/null
+++ b/lib/isc/include/isc/types.h
@@ -0,0 +1,131 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_TYPES_H
+#define ISC_TYPES_H 1
+
+#include <isc/bind9.h>
+
+/*! \file isc/types.h
+ * \brief
+ * OS-specific types, from the OS-specific include directories.
+ */
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/offset.h>
+
+/*
+ * XXXDCL This is just for ISC_LIST and ISC_LINK, but gets all of the other
+ * list macros too.
+ */
+#include <isc/list.h>
+
+/* Core Types.  Alphabetized by defined type. */
+
+typedef struct isc_astack	    isc_astack_t; /*%< Array-based fast stack */
+typedef struct isc_appctx	    isc_appctx_t; /*%< Application context */
+typedef struct isc_backtrace_symmap isc_backtrace_symmap_t; /*%< Symbol Table
+							     * Entry */
+typedef struct isc_buffer isc_buffer_t;			    /*%< Buffer */
+typedef ISC_LIST(isc_buffer_t) isc_bufferlist_t;	    /*%< Buffer List */
+typedef struct isc_constregion	   isc_constregion_t;	    /*%< Const region */
+typedef struct isc_consttextregion isc_consttextregion_t; /*%< Const Text Region
+							   */
+typedef struct isc_counter isc_counter_t;		  /*%< Counter */
+typedef int16_t		   isc_dscp_t;	       /*%< Diffserv code point */
+typedef struct isc_event   isc_event_t;	       /*%< Event */
+typedef ISC_LIST(isc_event_t) isc_eventlist_t; /*%< Event List */
+typedef unsigned int	 isc_eventtype_t;      /*%< Event Type */
+typedef uint32_t	 isc_fsaccess_t;       /*%< FS Access */
+typedef struct isc_hash	 isc_hash_t;	       /*%< Hash */
+typedef struct isc_httpd isc_httpd_t;	       /*%< HTTP client */
+typedef void(isc_httpdfree_t)(isc_buffer_t *, void *); /*%< HTTP free function
+							*/
+typedef struct isc_httpdmgr isc_httpdmgr_t;	       /*%< HTTP manager */
+typedef struct isc_httpdurl isc_httpdurl_t;	       /*%< HTTP URL */
+typedef void(isc_httpdondestroy_t)(void *); /*%< Callback on destroying httpd */
+typedef struct isc_interface	 isc_interface_t;     /*%< Interface */
+typedef struct isc_interfaceiter isc_interfaceiter_t; /*%< Interface Iterator */
+typedef struct isc_interval	 isc_interval_t;      /*%< Interval */
+typedef struct isc_lex		 isc_lex_t;	      /*%< Lex */
+typedef struct isc_log		 isc_log_t;	      /*%< Log */
+typedef struct isc_logcategory	 isc_logcategory_t;   /*%< Log Category */
+typedef struct isc_logconfig	 isc_logconfig_t;     /*%< Log Configuration */
+typedef struct isc_logmodule	 isc_logmodule_t;     /*%< Log Module */
+typedef struct isc_mem		 isc_mem_t;	      /*%< Memory */
+typedef struct isc_mempool	 isc_mempool_t;	      /*%< Memory Pool */
+typedef struct isc_netaddr	 isc_netaddr_t;	      /*%< Net Address */
+typedef struct isc_nm		 isc_nm_t;	      /*%< Network manager */
+typedef struct isc_nmsocket	 isc_nmsocket_t; /*%< Network manager socket */
+typedef struct isc_nmhandle	 isc_nmhandle_t; /*%< Network manager handle */
+typedef struct isc_portset	 isc_portset_t;	 /*%< Port Set */
+typedef struct isc_quota	 isc_quota_t;	 /*%< Quota */
+typedef struct isc_ratelimiter	 isc_ratelimiter_t;   /*%< Rate Limiter */
+typedef struct isc_region	 isc_region_t;	      /*%< Region */
+typedef uint64_t		 isc_resourcevalue_t; /*%< Resource Value */
+typedef unsigned int		 isc_result_t;	      /*%< Result */
+typedef struct isc_rwlock	 isc_rwlock_t;	      /*%< Read Write Lock */
+typedef struct isc_sockaddr	 isc_sockaddr_t;      /*%< Socket Address */
+typedef ISC_LIST(isc_sockaddr_t) isc_sockaddrlist_t;  /*%< Socket Address List
+						       * */
+typedef struct isc_socket      isc_socket_t;	      /*%< Socket */
+typedef struct isc_socketevent isc_socketevent_t;     /*%< Socket Event */
+typedef struct isc_socketmgr   isc_socketmgr_t;	      /*%< Socket Manager */
+typedef struct isc_stats       isc_stats_t;	      /*%< Statistics */
+#if defined(_WIN32) && !defined(_WIN64)
+typedef int_fast32_t isc_statscounter_t; /*%< Statistics Counter */
+#else  /* if defined(_WIN32) && !defined(_WIN64) */
+typedef int_fast64_t isc_statscounter_t;
+#endif /* if defined(_WIN32) && !defined(_WIN64) */
+typedef struct isc_symtab isc_symtab_t;		/*%< Symbol Table */
+typedef struct isc_task	  isc_task_t;		/*%< Task */
+typedef ISC_LIST(isc_task_t) isc_tasklist_t;	/*%< Task List */
+typedef struct isc_taskmgr    isc_taskmgr_t;	/*%< Task Manager */
+typedef struct isc_textregion isc_textregion_t; /*%< Text Region */
+typedef struct isc_time	      isc_time_t;	/*%< Time */
+typedef struct isc_timer      isc_timer_t;	/*%< Timer */
+typedef struct isc_timermgr   isc_timermgr_t;	/*%< Timer Manager */
+
+typedef void (*isc_taskaction_t)(isc_task_t *, isc_event_t *);
+typedef int (*isc_sockfdwatch_t)(isc_task_t *, isc_socket_t *, void *, int);
+
+/* The following cannot be listed alphabetically due to forward reference */
+typedef isc_result_t(isc_httpdaction_t)(
+	const char *url, isc_httpdurl_t *urlinfo, const char *querystring,
+	const char *headers, void *arg, unsigned int *retcode,
+	const char **retmsg, const char **mimetype, isc_buffer_t *body,
+	isc_httpdfree_t **freecb, void **freecb_args);
+typedef bool(isc_httpdclientok_t)(const isc_sockaddr_t *, void *);
+
+/*% Resource */
+typedef enum {
+	isc_resource_coresize = 1,
+	isc_resource_cputime,
+	isc_resource_datasize,
+	isc_resource_filesize,
+	isc_resource_lockedmemory,
+	isc_resource_openfiles,
+	isc_resource_processes,
+	isc_resource_residentsize,
+	isc_resource_stacksize
+} isc_resource_t;
+
+/*% Statistics formats (text file or XML) */
+typedef enum {
+	isc_statsformat_file,
+	isc_statsformat_xml,
+	isc_statsformat_json
+} isc_statsformat_t;
+
+#endif /* ISC_TYPES_H */
diff --git a/lib/isc/include/isc/url.h b/lib/isc/include/isc/url.h
new file mode 100644
index 0000000..4894a45
--- /dev/null
+++ b/lib/isc/include/isc/url.h
@@ -0,0 +1,82 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 and MIT
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright Joyent, Inc. and other Node contributors. All rights reserved.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to
+ * deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+ * sell copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+ * IN THE SOFTWARE.
+ */
+
+#include <stdbool.h>
+#include <stdint.h>
+
+#include <isc/result.h>
+
+/*
+ * Compile with -DHTTP_PARSER_STRICT=0 to make less checks, but run
+ * faster
+ */
+#ifndef HTTP_PARSER_STRICT
+#define HTTP_PARSER_STRICT 1
+#endif
+
+typedef enum {
+	ISC_UF_SCHEMA = 0,
+	ISC_UF_HOST = 1,
+	ISC_UF_PORT = 2,
+	ISC_UF_PATH = 3,
+	ISC_UF_QUERY = 4,
+	ISC_UF_FRAGMENT = 5,
+	ISC_UF_USERINFO = 6,
+	ISC_UF_MAX = 7
+} isc_url_field_t;
+
+/* Result structure for isc_url_parse().
+ *
+ * Callers should index into field_data[] with UF_* values iff field_set
+ * has the relevant (1 << UF_*) bit set. As a courtesy to clients (and
+ * because we probably have padding left over), we convert any port to
+ * a uint16_t.
+ */
+typedef struct {
+	uint16_t field_set; /* Bitmask of (1 << UF_*) values */
+	uint16_t port;	    /* Converted UF_PORT string */
+
+	struct {
+		uint16_t off; /* Offset into buffer in which field starts */
+		uint16_t len; /* Length of run in buffer */
+	} field_data[ISC_UF_MAX];
+} isc_url_parser_t;
+
+isc_result_t
+isc_url_parse(const char *buf, size_t buflen, bool is_connect,
+	      isc_url_parser_t *up);
+/*%<
+ * Parse a URL; return nonzero on failure
+ */
diff --git a/lib/isc/include/isc/utf8.h b/lib/isc/include/isc/utf8.h
new file mode 100644
index 0000000..5643c5d
--- /dev/null
+++ b/lib/isc/include/isc/utf8.h
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file isc/utf8.h */
+
+#pragma once
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+bool
+isc_utf8_bom(const unsigned char *buf, size_t len);
+/*<
+ * Returns 'true' if the string of bytes in 'buf' starts
+ * with an UTF-8 Byte Order Mark.
+ *
+ * Requires:
+ *\li 	'buf' != NULL
+ */
+
+bool
+isc_utf8_valid(const unsigned char *buf, size_t len);
+/*<
+ * Returns 'true' if the string of bytes in 'buf' is a valid UTF-8
+ * byte sequence otherwise 'false' is returned.
+ *
+ * Requires:
+ *\li 	'buf' != NULL
+ */
+
+ISC_LANG_ENDDECLS
diff --git a/lib/isc/include/isc/util.h b/lib/isc/include/isc/util.h
new file mode 100644
index 0000000..3396559
--- /dev/null
+++ b/lib/isc/include/isc/util.h
@@ -0,0 +1,445 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_UTIL_H
+#define ISC_UTIL_H 1
+
+#include <inttypes.h>
+
+/*! \file isc/util.h
+ * NOTE:
+ *
+ * This file is not to be included from any <isc/???.h> (or other) library
+ * files.
+ *
+ * \brief
+ * Including this file puts several macros in your name space that are
+ * not protected (as all the other ISC functions/macros do) by prepending
+ * ISC_ or isc_ to the name.
+ */
+
+/***
+ *** Clang Compatibility Macros
+ ***/
+
+#if !defined(__has_attribute)
+#define __has_attribute(x) 0
+#endif /* if !defined(__has_attribute) */
+
+#if !defined(__has_c_attribute)
+#define __has_c_attribute(x) 0
+#endif /* if !defined(__has_c_attribute) */
+
+#if !defined(__has_feature)
+#define __has_feature(x) 0
+#endif /* if !defined(__has_feature) */
+
+/***
+ *** General Macros.
+ ***/
+
+/*%
+ * Use this to hide unused function arguments.
+ * \code
+ * int
+ * foo(char *bar)
+ * {
+ *	UNUSED(bar);
+ * }
+ * \endcode
+ */
+#define UNUSED(x) (void)(x)
+
+#if __GNUC__ >= 8 && !defined(__clang__)
+#define ISC_NONSTRING __attribute__((nonstring))
+#else /* if __GNUC__ >= 8 && !defined(__clang__) */
+#define ISC_NONSTRING
+#endif /* __GNUC__ */
+
+#if __has_c_attribute(fallthrough)
+#define FALLTHROUGH [[fallthrough]]
+#elif __GNUC__ >= 7 && !defined(__clang__)
+#define FALLTHROUGH __attribute__((fallthrough))
+#else
+/* clang-format off */
+#define FALLTHROUGH do {} while (0) /* FALLTHROUGH */
+/* clang-format on */
+#endif
+
+#if HAVE_FUNC_ATTRIBUTE_CONSTRUCTOR && HAVE_FUNC_ATTRIBUTE_DESTRUCTOR
+#define ISC_CONSTRUCTOR __attribute__((constructor))
+#define ISC_DESTRUCTOR	__attribute__((destructor))
+#elif WIN32
+#define ISC_CONSTRUCTOR
+#define ISC_DESTRUCTOR
+#endif
+
+/*%
+ * The opposite: silent warnings about stored values which are never read.
+ */
+#define POST(x) (void)(x)
+
+#define ISC_MAX(a, b) ((a) > (b) ? (a) : (b))
+#define ISC_MIN(a, b) ((a) < (b) ? (a) : (b))
+
+#define ISC_CLAMP(v, x, y) ((v) < (x) ? (x) : ((v) > (y) ? (y) : (v)))
+
+/*%
+ * Use this to remove the const qualifier of a variable to assign it to
+ * a non-const variable or pass it as a non-const function argument ...
+ * but only when you are sure it won't then be changed!
+ * This is necessary to sometimes shut up some compilers
+ * (as with gcc -Wcast-qual) when there is just no other good way to avoid the
+ * situation.
+ */
+#define DE_CONST(konst, var)           \
+	do {                           \
+		union {                \
+			const void *k; \
+			void	   *v; \
+		} _u;                  \
+		_u.k = konst;          \
+		var = _u.v;            \
+	} while (0)
+
+#define ARRAY_SIZE(x) (sizeof(x) / sizeof(x[0]))
+
+/*%
+ * Use this in translation units that would otherwise be empty, to
+ * suppress compiler warnings.
+ */
+#define EMPTY_TRANSLATION_UNIT extern int isc__empty;
+
+/*%
+ * We use macros instead of calling the routines directly because
+ * the capital letters make the locking stand out.
+ * We RUNTIME_CHECK for success since in general there's no way
+ * for us to continue if they fail.
+ */
+
+#ifdef ISC_UTIL_TRACEON
+#define ISC_UTIL_TRACE(a) a
+#include <stdio.h> /* Required for fprintf/stderr when tracing. */
+#else		   /* ifdef ISC_UTIL_TRACEON */
+#define ISC_UTIL_TRACE(a)
+#endif /* ifdef ISC_UTIL_TRACEON */
+
+#include <isc/result.h> /* Contractual promise. */
+
+#define LOCK(lp)                                                           \
+	do {                                                               \
+		ISC_UTIL_TRACE(fprintf(stderr, "LOCKING %p %s %d\n", (lp), \
+				       __FILE__, __LINE__));               \
+		RUNTIME_CHECK(isc_mutex_lock((lp)) == ISC_R_SUCCESS);      \
+		ISC_UTIL_TRACE(fprintf(stderr, "LOCKED %p %s %d\n", (lp),  \
+				       __FILE__, __LINE__));               \
+	} while (0)
+#define UNLOCK(lp)                                                          \
+	do {                                                                \
+		RUNTIME_CHECK(isc_mutex_unlock((lp)) == ISC_R_SUCCESS);     \
+		ISC_UTIL_TRACE(fprintf(stderr, "UNLOCKED %p %s %d\n", (lp), \
+				       __FILE__, __LINE__));                \
+	} while (0)
+
+#define BROADCAST(cvp)                                                        \
+	do {                                                                  \
+		ISC_UTIL_TRACE(fprintf(stderr, "BROADCAST %p %s %d\n", (cvp), \
+				       __FILE__, __LINE__));                  \
+		RUNTIME_CHECK(isc_condition_broadcast((cvp)) ==               \
+			      ISC_R_SUCCESS);                                 \
+	} while (0)
+#define SIGNAL(cvp)                                                          \
+	do {                                                                 \
+		ISC_UTIL_TRACE(fprintf(stderr, "SIGNAL %p %s %d\n", (cvp),   \
+				       __FILE__, __LINE__));                 \
+		RUNTIME_CHECK(isc_condition_signal((cvp)) == ISC_R_SUCCESS); \
+	} while (0)
+#define WAIT(cvp, lp)                                                         \
+	do {                                                                  \
+		ISC_UTIL_TRACE(fprintf(stderr, "WAIT %p LOCK %p %s %d\n",     \
+				       (cvp), (lp), __FILE__, __LINE__));     \
+		RUNTIME_CHECK(isc_condition_wait((cvp), (lp)) ==              \
+			      ISC_R_SUCCESS);                                 \
+		ISC_UTIL_TRACE(fprintf(stderr, "WAITED %p LOCKED %p %s %d\n", \
+				       (cvp), (lp), __FILE__, __LINE__));     \
+	} while (0)
+
+/*
+ * isc_condition_waituntil can return ISC_R_TIMEDOUT, so we
+ * don't RUNTIME_CHECK the result.
+ *
+ *  XXX Also, can't really debug this then...
+ */
+
+#define WAITUNTIL(cvp, lp, tp) isc_condition_waituntil((cvp), (lp), (tp))
+
+#define RWLOCK(lp, t)                                                         \
+	do {                                                                  \
+		ISC_UTIL_TRACE(fprintf(stderr, "RWLOCK %p, %d %s %d\n", (lp), \
+				       (t), __FILE__, __LINE__));             \
+		RUNTIME_CHECK(isc_rwlock_lock((lp), (t)) == ISC_R_SUCCESS);   \
+		ISC_UTIL_TRACE(fprintf(stderr, "RWLOCKED %p, %d %s %d\n",     \
+				       (lp), (t), __FILE__, __LINE__));       \
+	} while (0)
+#define RWUNLOCK(lp, t)                                                       \
+	do {                                                                  \
+		ISC_UTIL_TRACE(fprintf(stderr, "RWUNLOCK %p, %d %s %d\n",     \
+				       (lp), (t), __FILE__, __LINE__));       \
+		RUNTIME_CHECK(isc_rwlock_unlock((lp), (t)) == ISC_R_SUCCESS); \
+	} while (0)
+
+/*
+ * List Macros.
+ */
+#include <isc/list.h> /* Contractual promise. */
+
+#define LIST(type)		       ISC_LIST(type)
+#define INIT_LIST(type)		       ISC_LIST_INIT(type)
+#define LINK(type)		       ISC_LINK(type)
+#define INIT_LINK(elt, link)	       ISC_LINK_INIT(elt, link)
+#define HEAD(list)		       ISC_LIST_HEAD(list)
+#define TAIL(list)		       ISC_LIST_TAIL(list)
+#define EMPTY(list)		       ISC_LIST_EMPTY(list)
+#define PREV(elt, link)		       ISC_LIST_PREV(elt, link)
+#define NEXT(elt, link)		       ISC_LIST_NEXT(elt, link)
+#define APPEND(list, elt, link)	       ISC_LIST_APPEND(list, elt, link)
+#define PREPEND(list, elt, link)       ISC_LIST_PREPEND(list, elt, link)
+#define UNLINK(list, elt, link)	       ISC_LIST_UNLINK(list, elt, link)
+#define ENQUEUE(list, elt, link)       ISC_LIST_APPEND(list, elt, link)
+#define DEQUEUE(list, elt, link)       ISC_LIST_UNLINK(list, elt, link)
+#define INSERTBEFORE(li, b, e, ln)     ISC_LIST_INSERTBEFORE(li, b, e, ln)
+#define INSERTAFTER(li, a, e, ln)      ISC_LIST_INSERTAFTER(li, a, e, ln)
+#define APPENDLIST(list1, list2, link) ISC_LIST_APPENDLIST(list1, list2, link)
+
+/*%
+ * Performance
+ */
+#include <isc/likely.h>
+
+/* GCC defines __SANITIZE_ADDRESS__, so reuse the macro for clang */
+#if __has_feature(address_sanitizer)
+#define __SANITIZE_ADDRESS__ 1
+#endif /* if __has_feature(address_sanitizer) */
+
+#if __has_feature(thread_sanitizer)
+#define __SANITIZE_THREAD__ 1
+#endif /* if __has_feature(thread_sanitizer) */
+
+#if __SANITIZE_THREAD__
+#define ISC_NO_SANITIZE_THREAD __attribute__((no_sanitize("thread")))
+#else /* if __SANITIZE_THREAD__ */
+#define ISC_NO_SANITIZE_THREAD
+#endif /* if __SANITIZE_THREAD__ */
+
+#if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR >= 6)
+#define STATIC_ASSERT(cond, msg) _Static_assert(cond, msg)
+#elif __has_feature(c_static_assert)
+#define STATIC_ASSERT(cond, msg) _Static_assert(cond, msg)
+#else /* if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR >= 6) */
+#define STATIC_ASSERT(cond, msg) INSIST(cond)
+#endif /* if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR >= 6) */
+
+#ifdef UNIT_TESTING
+extern void
+mock_assert(const int result, const char *const expression,
+	    const char *const file, const int line);
+/*
+ *	Allow clang to determine that the following code is not reached
+ *	by calling abort() if the condition fails.  The abort() will
+ *	never be executed as mock_assert() and _assert_true() longjmp
+ *	or exit if the condition is false.
+ */
+#define REQUIRE(expression)                                                   \
+	((!(expression))                                                      \
+		 ? (mock_assert(0, #expression, __FILE__, __LINE__), abort()) \
+		 : (void)0)
+#define ENSURE(expression)                                                    \
+	((!(int)(expression))                                                 \
+		 ? (mock_assert(0, #expression, __FILE__, __LINE__), abort()) \
+		 : (void)0)
+#define INSIST(expression)                                                    \
+	((!(expression))                                                      \
+		 ? (mock_assert(0, #expression, __FILE__, __LINE__), abort()) \
+		 : (void)0)
+#define INVARIANT(expression)                                                 \
+	((!(expression))                                                      \
+		 ? (mock_assert(0, #expression, __FILE__, __LINE__), abort()) \
+		 : (void)0)
+#define UNREACHABLE() \
+	(mock_assert(0, "unreachable", __FILE__, __LINE__), abort())
+#define _assert_true(c, e, f, l) \
+	((c) ? (void)0 : (_assert_true(0, e, f, l), abort()))
+#define _assert_int_equal(a, b, f, l) \
+	(((a) == (b)) ? (void)0 : (_assert_int_equal(a, b, f, l), abort()))
+#define _assert_int_not_equal(a, b, f, l) \
+	(((a) != (b)) ? (void)0 : (_assert_int_not_equal(a, b, f, l), abort()))
+#else /* UNIT_TESTING */
+
+#ifndef CPPCHECK
+
+/*
+ * Assertions
+ */
+#include <isc/assertions.h> /* Contractual promise. */
+
+/*% Require Assertion */
+#define REQUIRE(e)   ISC_REQUIRE(e)
+/*% Ensure Assertion */
+#define ENSURE(e)    ISC_ENSURE(e)
+/*% Insist Assertion */
+#define INSIST(e)    ISC_INSIST(e)
+/*% Invariant Assertion */
+#define INVARIANT(e) ISC_INVARIANT(e)
+
+#define UNREACHABLE() ISC_UNREACHABLE()
+
+#else /* CPPCHECK */
+
+/*% Require Assertion */
+#define REQUIRE(e) \
+	if (!(e))  \
+	abort()
+/*% Ensure Assertion */
+#define ENSURE(e) \
+	if (!(e)) \
+	abort()
+/*% Insist Assertion */
+#define INSIST(e) \
+	if (!(e)) \
+	abort()
+/*% Invariant Assertion */
+#define INVARIANT(e) \
+	if (!(e))    \
+	abort()
+
+#define UNREACHABLE() abort()
+
+#endif /* CPPCHECK */
+
+#endif /* UNIT_TESTING */
+
+/*
+ * Errors
+ */
+#include <isc/error.h> /* Contractual promise. */
+
+/*% Unexpected Error */
+#define UNEXPECTED_ERROR isc_error_unexpected
+/*% Fatal Error */
+#define FATAL_ERROR isc_error_fatal
+
+#ifdef UNIT_TESTING
+
+#define RUNTIME_CHECK(expression)                                             \
+	((!(expression))                                                      \
+		 ? (mock_assert(0, #expression, __FILE__, __LINE__), abort()) \
+		 : (void)0)
+
+#else /* UNIT_TESTING */
+
+#ifndef CPPCHECK
+/*% Runtime Check */
+#define RUNTIME_CHECK(cond) ISC_ERROR_RUNTIMECHECK(cond)
+#else /* ifndef CPPCHECK */
+#define RUNTIME_CHECK(e) \
+	if (!(e))        \
+	abort()
+#endif /* ifndef CPPCHECK */
+
+#endif /* UNIT_TESTING */
+
+/*%
+ * Time
+ */
+#define TIME_NOW(tp) RUNTIME_CHECK(isc_time_now((tp)) == ISC_R_SUCCESS)
+#define TIME_NOW_HIRES(tp) \
+	RUNTIME_CHECK(isc_time_now_hires((tp)) == ISC_R_SUCCESS)
+
+/*%
+ * Alignment
+ */
+#ifdef __GNUC__
+#define ISC_ALIGN(x, a) (((x) + (a)-1) & ~((typeof(x))(a)-1))
+#else /* ifdef __GNUC__ */
+#define ISC_ALIGN(x, a) (((x) + (a)-1) & ~((uintmax_t)(a)-1))
+#endif /* ifdef __GNUC__ */
+
+#if HAVE_FUNC_ATTRIBUTE_RETURNS_NONNULL
+#define ISC_ATTR_RETURNS_NONNULL __attribute__((returns_nonnull))
+#else
+#define ISC_ATTR_RETURNS_NONNULL
+#endif
+
+/*
+ * Support for malloc attributes.
+ */
+#ifdef HAVE_FUNC_ATTRIBUTE_MALLOC
+/*
+ * Indicates that a function is malloc-like, i.e., that the
+ * pointer P returned by the function cannot alias any other
+ * pointer valid when the function returns.
+ */
+#define ISC_ATTR_MALLOC __attribute__((malloc))
+#if HAVE_MALLOC_EXT_ATTR
+/*
+ * Associates deallocator as a suitable deallocation function
+ * for pointers returned from the function marked with the attribute.
+ */
+#define ISC_ATTR_DEALLOCATOR(deallocator) __attribute__((malloc(deallocator)))
+/*
+ * Similar to ISC_ATTR_DEALLOCATOR, but allows to speficy an index "idx",
+ * which denotes the positional argument to which when the pointer is passed
+ * in calls to deallocator has the effect of deallocating it.
+ */
+#define ISC_ATTR_DEALLOCATOR_IDX(deallocator, idx) \
+	__attribute__((malloc(deallocator, idx)))
+/*
+ * Combines both ISC_ATTR_MALLOC and ISC_ATTR_DEALLOCATOR attributes.
+ */
+#define ISC_ATTR_MALLOC_DEALLOCATOR(deallocator) \
+	__attribute__((malloc, malloc(deallocator)))
+/*
+ * Similar to ISC_ATTR_MALLOC_DEALLOCATOR, but allows to speficy an index "idx",
+ * which denotes the positional argument to which when the pointer is passed
+ * in calls to deallocator has the effect of deallocating it.
+ */
+#define ISC_ATTR_MALLOC_DEALLOCATOR_IDX(deallocator, idx) \
+	__attribute__((malloc, malloc(deallocator, idx)))
+#else /* #ifdef HAVE_MALLOC_EXT_ATTR */
+/*
+ * There is support for malloc attribute but not for
+ * extended attributes, so macros that combine attribute malloc
+ * with a deallocator will only expand to malloc attribute.
+ */
+#define ISC_ATTR_DEALLOCATOR(deallocator)
+#define ISC_ATTR_DEALLOCATOR_IDX(deallocator, idx)
+#define ISC_ATTR_MALLOC_DEALLOCATOR(deallocator)	  ISC_ATTR_MALLOC
+#define ISC_ATTR_MALLOC_DEALLOCATOR_IDX(deallocator, idx) ISC_ATTR_MALLOC
+#endif
+#else /* #ifdef HAVE_FUNC_ATTRIBUTE_MALLOC */
+/*
+ * There is no support for malloc attribute.
+ */
+#define ISC_ATTR_MALLOC
+#define ISC_ATTR_DEALLOCATOR(deallocator)
+#define ISC_ATTR_DEALLOCATOR_IDX(deallocator, idx)
+#define ISC_ATTR_MALLOC_DEALLOCATOR(deallocator)
+#define ISC_ATTR_MALLOC_DEALLOCATOR_IDX(deallocator, idx)
+#endif /* HAVE_FUNC_ATTRIBUTE_MALLOC */
+
+/*%
+ * Misc
+ */
+#include <isc/deprecated.h>
+
+#endif /* ISC_UTIL_H */
diff --git a/lib/isc/include/isc/version.h b/lib/isc/include/isc/version.h
new file mode 100644
index 0000000..4b81e44
--- /dev/null
+++ b/lib/isc/include/isc/version.h
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file isc/version.h */
+
+#include <isc/platform.h>
+
+LIBISC_EXTERNAL_DATA extern const char isc_version[];
diff --git a/lib/isc/include/pk11/Makefile.in b/lib/isc/include/pk11/Makefile.in
new file mode 100644
index 0000000..3ba0c1f
--- /dev/null
+++ b/lib/isc/include/pk11/Makefile.in
@@ -0,0 +1,40 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+#
+# Only list headers that are to be installed and are not
+# machine generated.  The latter are handled specially in the
+# install target below.
+#
+HEADERS =	constants.h internal.h pk11.h result.h site.h
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/pk11
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/pk11 || exit 1; \
+	done
+
+uninstall::
+	for i in ${HEADERS}; do \
+		rm -f ${DESTDIR}${includedir}/pk11/$$i || exit 1; \
+	done
diff --git a/lib/isc/include/pk11/constants.h b/lib/isc/include/pk11/constants.h
new file mode 100644
index 0000000..c682053
--- /dev/null
+++ b/lib/isc/include/pk11/constants.h
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#pragma once
+
+#include <inttypes.h>
+
+/*! \file pk11/constants.h */
+
+/*%
+ * Static arrays of data used for key template initialization
+ */
+#define PK11_ECC_PRIME256V1                                                \
+	(uint8_t[]) {                                                      \
+		0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 \
+	}
+#define PK11_ECC_SECP384R1 \
+	(uint8_t[]) { 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22 }
+#define PK11_ECX_ED25519                                                     \
+	(uint8_t[]) {                                                        \
+		0x13, 0xc, 'e', 'd', 'w', 'a', 'r', 'd', 's', '2', '5', '5', \
+			'1', '9'                                             \
+	}
+#define PK11_ECX_ED448                                                      \
+	(uint8_t[]) {                                                       \
+		0x13, 0xa, 'e', 'd', 'w', 'a', 'r', 'd', 's', '4', '4', '8' \
+	}
diff --git a/lib/isc/include/pk11/internal.h b/lib/isc/include/pk11/internal.h
new file mode 100644
index 0000000..38bd751
--- /dev/null
+++ b/lib/isc/include/pk11/internal.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef PK11_INTERNAL_H
+#define PK11_INTERNAL_H 1
+
+/*! \file pk11/internal.h */
+
+#include <pk11/pk11.h>
+
+ISC_LANG_BEGINDECLS
+
+const char *
+pk11_get_lib_name(void);
+
+void *
+pk11_mem_get(size_t size);
+
+void
+pk11_mem_put(void *ptr, size_t size);
+
+CK_SLOT_ID
+pk11_get_best_token(pk11_optype_t optype);
+
+isc_result_t
+pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt, unsigned int *bits);
+
+CK_ATTRIBUTE *
+pk11_attribute_first(const pk11_object_t *obj);
+
+CK_ATTRIBUTE *
+pk11_attribute_next(const pk11_object_t *obj, CK_ATTRIBUTE *attr);
+
+CK_ATTRIBUTE *
+pk11_attribute_bytype(const pk11_object_t *obj, CK_ATTRIBUTE_TYPE type);
+
+ISC_LANG_ENDDECLS
+
+#endif /* PK11_INTERNAL_H */
diff --git a/lib/isc/include/pk11/pk11.h b/lib/isc/include/pk11/pk11.h
new file mode 100644
index 0000000..076c119
--- /dev/null
+++ b/lib/isc/include/pk11/pk11.h
@@ -0,0 +1,290 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef PK11_PK11_H
+#define PK11_PK11_H 1
+
+/*! \file pk11/pk11.h */
+
+#include <stdbool.h>
+#include <unistd.h>
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/types.h>
+
+#define PK11_FATALCHECK(func, args)              \
+	((void)(((rv = (func)args) == CKR_OK) || \
+		((pk11_error_fatalcheck)(__FILE__, __LINE__, #func, rv), 0)))
+
+#include <pk11/site.h>
+#include <pkcs11/pkcs11.h>
+
+ISC_LANG_BEGINDECLS
+
+#define SES_MAGIC ISC_MAGIC('P', 'K', 'S', 'S')
+#define TOK_MAGIC ISC_MAGIC('P', 'K', 'T', 'K')
+
+#define VALID_SES(x) ISC_MAGIC_VALID(x, SES_MAGIC)
+#define VALID_TOK(x) ISC_MAGIC_VALID(x, TOK_MAGIC)
+
+typedef struct pk11_context pk11_context_t;
+
+struct pk11_object {
+	CK_OBJECT_HANDLE object;
+	CK_SLOT_ID	 slot;
+	CK_BBOOL	 ontoken;
+	CK_BBOOL	 reqlogon;
+	CK_BYTE		 attrcnt;
+	CK_ATTRIBUTE	*repr;
+};
+
+struct pk11_context {
+	void		 *handle;
+	CK_SESSION_HANDLE session;
+	CK_BBOOL	  ontoken;
+	CK_OBJECT_HANDLE  object;
+};
+
+typedef struct pk11_object pk11_object_t;
+
+typedef enum {
+	OP_ANY = 0,
+	OP_RSA = 1,
+	OP_DH = 3,
+	OP_ECDSA = 4,
+	OP_EDDSA = 5,
+	OP_MAX = 6
+} pk11_optype_t;
+
+/*%
+ * Global flag to make choose_slots() verbose
+ */
+LIBISC_EXTERNAL_DATA extern bool pk11_verbose_init;
+
+/*%
+ * Function prototypes
+ */
+
+void
+pk11_set_lib_name(const char *lib_name);
+/*%<
+ * Set the PKCS#11 provider (aka library) path/name.
+ */
+
+isc_result_t
+pk11_initialize(isc_mem_t *mctx, const char *engine);
+/*%<
+ * Initialize PKCS#11 device
+ *
+ * mctx:   memory context to attach to pk11_mctx.
+ * engine: PKCS#11 provider (aka library) path/name.
+ *
+ * returns:
+ *         ISC_R_SUCCESS
+ *         PK11_R_NOPROVIDER: can't load the provider
+ *         PK11_R_INITFAILED: C_Initialize() failed
+ *         PK11_R_NORANDOMSERVICE: can't find required random service
+ *         PK11_R_NODIGESTSERVICE: can't find required digest service
+ *         PK11_R_NOAESSERVICE: can't find required AES service
+ */
+
+isc_result_t
+pk11_get_session(pk11_context_t *ctx, pk11_optype_t optype, bool need_services,
+		 bool rw, bool logon, const char *pin, CK_SLOT_ID slot);
+/*%<
+ * Initialize PKCS#11 device and acquire a session.
+ *
+ * need_services:
+ * 	  if true, this session requires full PKCS#11 API
+ * 	  support including random and digest services, and
+ * 	  the lack of these services will cause the session not
+ * 	  to be initialized.  If false, the function will return
+ * 	  an error code indicating the missing service, but the
+ * 	  session will be usable for other purposes.
+ * rw:    if true, session will be read/write (useful for
+ *        generating or destroying keys); otherwise read-only.
+ * login: indicates whether to log in to the device
+ * pin:   optional PIN, overriding any PIN currently associated
+ *        with the
+ * slot:  device slot ID
+ */
+
+void
+pk11_return_session(pk11_context_t *ctx);
+/*%<
+ * Release an active PKCS#11 session for reuse.
+ */
+
+isc_result_t
+pk11_finalize(void);
+/*%<
+ * Shut down PKCS#11 device and free all sessions.
+ */
+
+isc_result_t
+pk11_parse_uri(pk11_object_t *obj, const char *label, isc_mem_t *mctx,
+	       pk11_optype_t optype);
+
+ISC_PLATFORM_NORETURN_PRE void
+pk11_error_fatalcheck(const char *file, int line, const char *funcname,
+		      CK_RV rv) ISC_PLATFORM_NORETURN_POST;
+
+void
+pk11_dump_tokens(void);
+
+CK_RV
+pkcs_C_Initialize(CK_VOID_PTR pReserved);
+
+char *
+pk11_get_load_error_message(void);
+
+CK_RV
+pkcs_C_Finalize(CK_VOID_PTR pReserved);
+
+CK_RV
+pkcs_C_GetSlotList(CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList,
+		   CK_ULONG_PTR pulCount);
+
+CK_RV
+pkcs_C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo);
+
+CK_RV
+pkcs_C_GetMechanismInfo(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type,
+			CK_MECHANISM_INFO_PTR pInfo);
+
+CK_RV
+pkcs_C_OpenSession(CK_SLOT_ID slotID, CK_FLAGS flags, CK_VOID_PTR pApplication,
+		   CK_RV (*Notify)(CK_SESSION_HANDLE hSession,
+				   CK_NOTIFICATION   event,
+				   CK_VOID_PTR	     pApplication),
+		   CK_SESSION_HANDLE_PTR phSession);
+
+CK_RV
+pkcs_C_CloseSession(CK_SESSION_HANDLE hSession);
+
+CK_RV
+pkcs_C_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType,
+	     CK_CHAR_PTR pPin, CK_ULONG usPinLen);
+
+CK_RV
+pkcs_C_Logout(CK_SESSION_HANDLE hSession);
+
+CK_RV
+pkcs_C_CreateObject(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate,
+		    CK_ULONG usCount, CK_OBJECT_HANDLE_PTR phObject);
+
+CK_RV
+pkcs_C_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject);
+
+CK_RV
+pkcs_C_GetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
+			 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount);
+
+CK_RV
+pkcs_C_SetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
+			 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount);
+
+CK_RV
+pkcs_C_FindObjectsInit(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate,
+		       CK_ULONG usCount);
+
+CK_RV
+pkcs_C_FindObjects(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE_PTR phObject,
+		   CK_ULONG usMaxObjectCount, CK_ULONG_PTR pusObjectCount);
+
+CK_RV
+pkcs_C_FindObjectsFinal(CK_SESSION_HANDLE hSession);
+
+CK_RV
+pkcs_C_EncryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+		   CK_OBJECT_HANDLE hKey);
+
+CK_RV
+pkcs_C_Encrypt(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
+	       CK_ULONG ulDataLen, CK_BYTE_PTR pEncryptedData,
+	       CK_ULONG_PTR pulEncryptedDataLen);
+
+CK_RV
+pkcs_C_DigestInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism);
+
+CK_RV
+pkcs_C_DigestUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+		    CK_ULONG ulPartLen);
+
+CK_RV
+pkcs_C_DigestFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pDigest,
+		   CK_ULONG_PTR pulDigestLen);
+
+CK_RV
+pkcs_C_SignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+		CK_OBJECT_HANDLE hKey);
+
+CK_RV
+pkcs_C_Sign(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen,
+	    CK_BYTE_PTR pSignature, CK_ULONG_PTR pulSignatureLen);
+
+CK_RV
+pkcs_C_SignUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+		  CK_ULONG ulPartLen);
+
+CK_RV
+pkcs_C_SignFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature,
+		 CK_ULONG_PTR pulSignatureLen);
+
+CK_RV
+pkcs_C_VerifyInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+		  CK_OBJECT_HANDLE hKey);
+
+CK_RV
+pkcs_C_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen,
+	      CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen);
+
+CK_RV
+pkcs_C_VerifyUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+		    CK_ULONG ulPartLen);
+
+CK_RV
+pkcs_C_VerifyFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature,
+		   CK_ULONG ulSignatureLen);
+
+CK_RV
+pkcs_C_GenerateKey(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+		   CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
+		   CK_OBJECT_HANDLE_PTR phKey);
+
+CK_RV
+pkcs_C_GenerateKeyPair(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+		       CK_ATTRIBUTE_PTR	    pPublicKeyTemplate,
+		       CK_ULONG		    usPublicKeyAttributeCount,
+		       CK_ATTRIBUTE_PTR	    pPrivateKeyTemplate,
+		       CK_ULONG		    usPrivateKeyAttributeCount,
+		       CK_OBJECT_HANDLE_PTR phPrivateKey,
+		       CK_OBJECT_HANDLE_PTR phPublicKey);
+
+CK_RV
+pkcs_C_DeriveKey(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+		 CK_OBJECT_HANDLE hBaseKey, CK_ATTRIBUTE_PTR pTemplate,
+		 CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey);
+
+CK_RV
+pkcs_C_SeedRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed,
+		  CK_ULONG ulSeedLen);
+
+CK_RV
+pkcs_C_GenerateRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR RandomData,
+		      CK_ULONG ulRandomLen);
+
+ISC_LANG_ENDDECLS
+
+#endif /* PK11_PK11_H */
diff --git a/lib/isc/include/pk11/result.h b/lib/isc/include/pk11/result.h
new file mode 100644
index 0000000..d92b15d
--- /dev/null
+++ b/lib/isc/include/pk11/result.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef PK11_RESULT_H
+#define PK11_RESULT_H 1
+
+/*! \file pk11/result.h */
+
+#include <isc/lang.h>
+#include <isc/resultclass.h>
+#include <isc/types.h>
+
+/*
+ * Nothing in this file truly depends on <isc/result.h>, but the
+ * PK11 result codes are considered to be publicly derived from
+ * the ISC result codes, so including this file buys you the ISC_R_
+ * namespace too.
+ */
+#include <isc/result.h> /* Contractual promise. */
+
+#define PK11_R_INITFAILED      (ISC_RESULTCLASS_PK11 + 0)
+#define PK11_R_NOPROVIDER      (ISC_RESULTCLASS_PK11 + 1)
+#define PK11_R_NORANDOMSERVICE (ISC_RESULTCLASS_PK11 + 2)
+#define PK11_R_NODIGESTSERVICE (ISC_RESULTCLASS_PK11 + 3)
+#define PK11_R_NOAESSERVICE    (ISC_RESULTCLASS_PK11 + 4)
+
+#define PK11_R_NRESULTS 5 /* Number of results */
+
+ISC_LANG_BEGINDECLS
+
+const char *pk11_result_totext(isc_result_t);
+
+void
+pk11_result_register(void);
+
+ISC_LANG_ENDDECLS
+
+#endif /* PK11_RESULT_H */
diff --git a/lib/isc/include/pk11/site.h b/lib/isc/include/pk11/site.h
new file mode 100644
index 0000000..ceebb59
--- /dev/null
+++ b/lib/isc/include/pk11/site.h
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#pragma once
+
+/*! \file pk11/site.h */
diff --git a/lib/isc/include/pkcs11/Makefile.in b/lib/isc/include/pkcs11/Makefile.in
new file mode 100644
index 0000000..8822f5a
--- /dev/null
+++ b/lib/isc/include/pkcs11/Makefile.in
@@ -0,0 +1,40 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+#
+# Only list headers that are to be installed and are not
+# machine generated.  The latter are handled specially in the
+# install target below.
+#
+HEADERS =	pkcs11.h
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/pkcs11
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/pkcs11 || exit 1; \
+	done
+
+uninstall::
+	for i in ${HEADERS}; do \
+		rm -f ${DESTDIR}${includedir}/pkcs11/$$i || exit 1; \
+	done
diff --git a/lib/isc/include/pkcs11/pkcs11.h b/lib/isc/include/pkcs11/pkcs11.h
new file mode 100644
index 0000000..30228d2
--- /dev/null
+++ b/lib/isc/include/pkcs11/pkcs11.h
@@ -0,0 +1,1655 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ * Copyright 2006 Andreas Jellinghaus
+ * Copyright 2006, 2007 g10 Code GmbH
+ * Copyright 2017 Red Hat, Inc.
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* Please submit any changes back to the p11-kit project at
+ * https://github.com/p11-glue/p11-kit/, so that
+ * they can be picked up by other projects from there as well.  */
+
+/* This file is a modified implementation of the PKCS #11 standard by
+ * OASIS group.  It is mostly a drop-in replacement, with the
+ * following change:
+ *
+ * This header file does not require any macro definitions by the user
+ * (like CK_DEFINE_FUNCTION etc).  In fact, it defines those macros
+ * for you (if useful, some are missing, let me know if you need
+ * more).
+ *
+ * There is an additional API available that does comply better to the
+ * GNU coding standard.  It can be switched on by defining
+ * CRYPTOKI_GNU before including this header file.  For this, the
+ * following changes are made to the specification:
+ *
+ * All structure types are changed to a "struct ck_foo" where CK_FOO
+ * is the type name in PKCS #11.
+ *
+ * All non-structure types are changed to ck_foo_t where CK_FOO is the
+ * lowercase version of the type name in PKCS #11.  The basic types
+ * (CK_ULONG et al.) are removed without substitute.
+ *
+ * All members of structures are modified in the following way: Type
+ * indication prefixes are removed, and underscore characters are
+ * inserted before words.  Then the result is lowercased.
+ *
+ * Note that function names are still in the original case, as they
+ * need for ABI compatibility.
+ *
+ * CK_FALSE, CK_TRUE and NULL_PTR are removed without substitute.  Use
+ * <stdbool.h>.
+ *
+ * If CRYPTOKI_COMPAT is defined before including this header file,
+ * then none of the API changes above take place, and the API is the
+ * one defined by the PKCS #11 standard.  */
+
+#ifndef PKCS11_H
+#define PKCS11_H 1
+
+#if defined(__cplusplus)
+extern "C" {
+#endif /* if defined(__cplusplus) */
+
+/* The version of cryptoki we implement.  The revision is changed with
+ * each modification of this file.  */
+#define CRYPTOKI_VERSION_MAJOR		  2
+#define CRYPTOKI_VERSION_MINOR		  40
+#define P11_KIT_CRYPTOKI_VERSION_REVISION 0
+
+/* Compatibility interface is default, unless CRYPTOKI_GNU is
+ * given.  */
+#ifndef CRYPTOKI_GNU
+#ifndef CRYPTOKI_COMPAT
+#define CRYPTOKI_COMPAT 1
+#endif /* ifndef CRYPTOKI_COMPAT */
+#endif /* ifndef CRYPTOKI_GNU */
+
+/* System dependencies.  */
+
+#if defined(_WIN32) || defined(CRYPTOKI_FORCE_WIN32)
+
+/* There is a matching pop below.  */
+#pragma pack(push, cryptoki, 1)
+
+#ifdef CRYPTOKI_EXPORTS
+#define CK_SPEC __declspec(dllexport)
+#else /* ifdef CRYPTOKI_EXPORTS */
+#define CK_SPEC __declspec(dllimport)
+#endif /* ifdef CRYPTOKI_EXPORTS */
+
+#else /* if defined(_WIN32) || defined(CRYPTOKI_FORCE_WIN32) */
+
+#define CK_SPEC
+
+#endif /* if defined(_WIN32) || defined(CRYPTOKI_FORCE_WIN32) */
+
+#ifdef CRYPTOKI_COMPAT
+/* If we are in compatibility mode, switch all exposed names to the
+ * PKCS #11 variant.  There are corresponding #undefs below.  */
+
+#define ck_flags_t CK_FLAGS
+#define ck_version _CK_VERSION
+
+#define ck_info		    _CK_INFO
+#define cryptoki_version    cryptokiVersion
+#define manufacturer_id	    manufacturerID
+#define library_description libraryDescription
+#define library_version	    libraryVersion
+
+#define ck_notification_t CK_NOTIFICATION
+#define ck_slot_id_t	  CK_SLOT_ID
+
+#define ck_slot_info	 _CK_SLOT_INFO
+#define slot_description slotDescription
+#define hardware_version hardwareVersion
+#define firmware_version firmwareVersion
+
+#define ck_token_info	     _CK_TOKEN_INFO
+#define serial_number	     serialNumber
+#define max_session_count    ulMaxSessionCount
+#define session_count	     ulSessionCount
+#define max_rw_session_count ulMaxRwSessionCount
+#define rw_session_count     ulRwSessionCount
+#define max_pin_len	     ulMaxPinLen
+#define min_pin_len	     ulMinPinLen
+#define total_public_memory  ulTotalPublicMemory
+#define free_public_memory   ulFreePublicMemory
+#define total_private_memory ulTotalPrivateMemory
+#define free_private_memory  ulFreePrivateMemory
+#define utc_time	     utcTime
+
+#define ck_session_handle_t CK_SESSION_HANDLE
+#define ck_user_type_t	    CK_USER_TYPE
+#define ck_state_t	    CK_STATE
+
+#define ck_session_info _CK_SESSION_INFO
+#define slot_id		slotID
+#define device_error	ulDeviceError
+
+#define ck_object_handle_t    CK_OBJECT_HANDLE
+#define ck_object_class_t     CK_OBJECT_CLASS
+#define ck_hw_feature_type_t  CK_HW_FEATURE_TYPE
+#define ck_key_type_t	      CK_KEY_TYPE
+#define ck_certificate_type_t CK_CERTIFICATE_TYPE
+#define ck_attribute_type_t   CK_ATTRIBUTE_TYPE
+
+#define ck_attribute _CK_ATTRIBUTE
+#define value	     pValue
+#define value_len    ulValueLen
+
+#define count ulCount
+
+#define ck_date _CK_DATE
+
+#define ck_mechanism_type_t CK_MECHANISM_TYPE
+
+#define ck_mechanism  _CK_MECHANISM
+#define parameter     pParameter
+#define parameter_len ulParameterLen
+
+#define params pParams
+
+#define ck_mechanism_info _CK_MECHANISM_INFO
+#define min_key_size	  ulMinKeySize
+#define max_key_size	  ulMaxKeySize
+
+#define ck_param_type	      CK_PARAM_TYPE
+#define ck_otp_param	      CK_OTP_PARAM
+#define ck_otp_params	      CK_OTP_PARAMS
+#define ck_otp_signature_info CK_OTP_SIGNATURE_INFO
+
+#define ck_rv_t	    CK_RV
+#define ck_notify_t CK_NOTIFY
+
+#define ck_function_list _CK_FUNCTION_LIST
+
+#define ck_createmutex_t  CK_CREATEMUTEX
+#define ck_destroymutex_t CK_DESTROYMUTEX
+#define ck_lockmutex_t	  CK_LOCKMUTEX
+#define ck_unlockmutex_t  CK_UNLOCKMUTEX
+
+#define ck_c_initialize_args _CK_C_INITIALIZE_ARGS
+#define create_mutex	     CreateMutex
+#define destroy_mutex	     DestroyMutex
+#define lock_mutex	     LockMutex
+#define unlock_mutex	     UnlockMutex
+#define reserved	     pReserved
+
+#define ck_rsa_pkcs_mgf_type_t	       CK_RSA_PKCS_MGF_TYPE
+#define ck_rsa_pkcs_oaep_source_type_t CK_RSA_PKCS_OAEP_SOURCE_TYPE
+#define hash_alg		       hashAlg
+#define s_len			       sLen
+#define source_data		       pSourceData
+#define source_data_len		       ulSourceDataLen
+
+#define counter_bits	ulCounterBits
+#define iv_ptr		pIv
+#define iv_len		ulIvLen
+#define iv_bits		ulIvBits
+#define aad_ptr		pAAD
+#define aad_len		ulAADLen
+#define tag_bits	ulTagBits
+#define shared_data_len ulSharedDataLen
+#define shared_data	pSharedData
+#define public_data_len ulPublicDataLen
+#define public_data	pPublicData
+#define string_data	pData
+#define string_data_len ulLen
+#define data_params	pData
+#endif /* CRYPTOKI_COMPAT */
+
+typedef unsigned long ck_flags_t;
+
+struct ck_version {
+	unsigned char major;
+	unsigned char minor;
+};
+
+struct ck_info {
+	struct ck_version cryptoki_version;
+	unsigned char	  manufacturer_id[32];
+	ck_flags_t	  flags;
+	unsigned char	  library_description[32];
+	struct ck_version library_version;
+};
+
+typedef unsigned long ck_notification_t;
+
+#define CKN_SURRENDER (0UL)
+
+typedef unsigned long ck_slot_id_t;
+
+struct ck_slot_info {
+	unsigned char	  slot_description[64];
+	unsigned char	  manufacturer_id[32];
+	ck_flags_t	  flags;
+	struct ck_version hardware_version;
+	struct ck_version firmware_version;
+};
+
+#define CKF_TOKEN_PRESENT    (1UL << 0)
+#define CKF_REMOVABLE_DEVICE (1UL << 1)
+#define CKF_HW_SLOT	     (1UL << 2)
+#define CKF_ARRAY_ATTRIBUTE  (1UL << 30)
+
+struct ck_token_info {
+	unsigned char	  label[32];
+	unsigned char	  manufacturer_id[32];
+	unsigned char	  model[16];
+	unsigned char	  serial_number[16];
+	ck_flags_t	  flags;
+	unsigned long	  max_session_count;
+	unsigned long	  session_count;
+	unsigned long	  max_rw_session_count;
+	unsigned long	  rw_session_count;
+	unsigned long	  max_pin_len;
+	unsigned long	  min_pin_len;
+	unsigned long	  total_public_memory;
+	unsigned long	  free_public_memory;
+	unsigned long	  total_private_memory;
+	unsigned long	  free_private_memory;
+	struct ck_version hardware_version;
+	struct ck_version firmware_version;
+	unsigned char	  utc_time[16];
+};
+
+#define CKF_RNG				  (1UL << 0)
+#define CKF_WRITE_PROTECTED		  (1UL << 1)
+#define CKF_LOGIN_REQUIRED		  (1UL << 2)
+#define CKF_USER_PIN_INITIALIZED	  (1UL << 3)
+#define CKF_RESTORE_KEY_NOT_NEEDED	  (1UL << 5)
+#define CKF_CLOCK_ON_TOKEN		  (1UL << 6)
+#define CKF_PROTECTED_AUTHENTICATION_PATH (1UL << 8)
+#define CKF_DUAL_CRYPTO_OPERATIONS	  (1UL << 9)
+#define CKF_TOKEN_INITIALIZED		  (1UL << 10)
+#define CKF_SECONDARY_AUTHENTICATION	  (1UL << 11)
+#define CKF_USER_PIN_COUNT_LOW		  (1UL << 16)
+#define CKF_USER_PIN_FINAL_TRY		  (1UL << 17)
+#define CKF_USER_PIN_LOCKED		  (1UL << 18)
+#define CKF_USER_PIN_TO_BE_CHANGED	  (1UL << 19)
+#define CKF_SO_PIN_COUNT_LOW		  (1UL << 20)
+#define CKF_SO_PIN_FINAL_TRY		  (1UL << 21)
+#define CKF_SO_PIN_LOCKED		  (1UL << 22)
+#define CKF_SO_PIN_TO_BE_CHANGED	  (1UL << 23)
+
+#define CK_UNAVAILABLE_INFORMATION ((unsigned long)-1L)
+#define CK_EFFECTIVELY_INFINITE	   (0UL)
+
+typedef unsigned long ck_session_handle_t;
+
+#define CK_INVALID_HANDLE (0UL)
+
+typedef unsigned long ck_user_type_t;
+
+#define CKU_SO		     (0UL)
+#define CKU_USER	     (1UL)
+#define CKU_CONTEXT_SPECIFIC (2UL)
+
+typedef unsigned long ck_state_t;
+
+#define CKS_RO_PUBLIC_SESSION (0UL)
+#define CKS_RO_USER_FUNCTIONS (1UL)
+#define CKS_RW_PUBLIC_SESSION (2UL)
+#define CKS_RW_USER_FUNCTIONS (3UL)
+#define CKS_RW_SO_FUNCTIONS   (4UL)
+
+struct ck_session_info {
+	ck_slot_id_t  slot_id;
+	ck_state_t    state;
+	ck_flags_t    flags;
+	unsigned long device_error;
+};
+
+#define CKF_RW_SESSION	   (1UL << 1)
+#define CKF_SERIAL_SESSION (1UL << 2)
+
+typedef unsigned long ck_object_handle_t;
+
+typedef unsigned long ck_object_class_t;
+
+#define CKO_DATA	      (0UL)
+#define CKO_CERTIFICATE	      (1UL)
+#define CKO_PUBLIC_KEY	      (2UL)
+#define CKO_PRIVATE_KEY	      (3UL)
+#define CKO_SECRET_KEY	      (4UL)
+#define CKO_HW_FEATURE	      (5UL)
+#define CKO_DOMAIN_PARAMETERS (6UL)
+#define CKO_MECHANISM	      (7UL)
+#define CKO_OTP_KEY	      (8UL)
+#define CKO_VENDOR_DEFINED    ((unsigned long)(1UL << 31))
+
+typedef unsigned long ck_hw_feature_type_t;
+
+#define CKH_MONOTONIC_COUNTER (1UL)
+#define CKH_CLOCK	      (2UL)
+#define CKH_USER_INTERFACE    (3UL)
+#define CKH_VENDOR_DEFINED    ((unsigned long)(1UL << 31))
+
+typedef unsigned long ck_key_type_t;
+
+#define CKK_RSA		   (0UL)
+#define CKK_DSA		   (1UL)
+#define CKK_DH		   (2UL)
+#define CKK_ECDSA	   (3UL)
+#define CKK_EC		   (3UL)
+#define CKK_X9_42_DH	   (4UL)
+#define CKK_KEA		   (5UL)
+#define CKK_GENERIC_SECRET (0x10UL)
+#define CKK_RC2		   (0x11UL)
+#define CKK_RC4		   (0x12UL)
+#define CKK_DES		   (0x13UL)
+#define CKK_DES2	   (0x14UL)
+#define CKK_DES3	   (0x15UL)
+#define CKK_CAST	   (0x16UL)
+#define CKK_CAST3	   (0x17UL)
+#define CKK_CAST128	   (0x18UL)
+#define CKK_RC5		   (0x19UL)
+#define CKK_IDEA	   (0x1aUL)
+#define CKK_SKIPJACK	   (0x1bUL)
+#define CKK_BATON	   (0x1cUL)
+#define CKK_JUNIPER	   (0x1dUL)
+#define CKK_CDMF	   (0x1eUL)
+#define CKK_AES		   (0x1fUL)
+#define CKK_BLOWFISH	   (0x20UL)
+#define CKK_TWOFISH	   (0x21UL)
+#define CKK_SECURID	   (0x22UL)
+#define CKK_HOTP	   (0x23UL)
+#define CKK_ACTI	   (0x24UL)
+#define CKK_CAMELLIA	   (0x25UL)
+#define CKK_ARIA	   (0x26UL)
+#define CKK_MD5_HMAC	   (0x27UL)
+#define CKK_SHA_1_HMAC	   (0x28UL)
+#define CKK_RIPEMD128_HMAC (0x29UL)
+#define CKK_RIPEMD160_HMAC (0x2aUL)
+#define CKK_SHA256_HMAC	   (0x2bUL)
+#define CKK_SHA384_HMAC	   (0x2cUL)
+#define CKK_SHA512_HMAC	   (0x2dUL)
+#define CKK_SHA224_HMAC	   (0x2eUL)
+#define CKK_SEED	   (0x2fUL)
+#define CKK_GOSTR3410	   (0x30UL)
+#define CKK_GOSTR3411	   (0x31UL)
+#define CKK_GOST28147	   (0x32UL)
+#define CKK_EC_EDWARDS	   (0x40UL)
+#define CKK_VENDOR_DEFINED ((unsigned long)(1UL << 31))
+
+typedef unsigned long ck_certificate_type_t;
+
+#define CKC_X_509	    (0UL)
+#define CKC_X_509_ATTR_CERT (1UL)
+#define CKC_WTLS	    (2UL)
+#define CKC_VENDOR_DEFINED  ((unsigned long)(1UL << 31))
+
+#define CKC_OPENPGP (CKC_VENDOR_DEFINED | 0x504750UL)
+
+typedef unsigned long ck_attribute_type_t;
+
+#define CKA_CLASS		       (0UL)
+#define CKA_TOKEN		       (1UL)
+#define CKA_PRIVATE		       (2UL)
+#define CKA_LABEL		       (3UL)
+#define CKA_APPLICATION		       (0x10UL)
+#define CKA_VALUE		       (0x11UL)
+#define CKA_OBJECT_ID		       (0x12UL)
+#define CKA_CERTIFICATE_TYPE	       (0x80UL)
+#define CKA_ISSUER		       (0x81UL)
+#define CKA_SERIAL_NUMBER	       (0x82UL)
+#define CKA_AC_ISSUER		       (0x83UL)
+#define CKA_OWNER		       (0x84UL)
+#define CKA_ATTR_TYPES		       (0x85UL)
+#define CKA_TRUSTED		       (0x86UL)
+#define CKA_CERTIFICATE_CATEGORY       (0x87UL)
+#define CKA_JAVA_MIDP_SECURITY_DOMAIN  (0x88UL)
+#define CKA_URL			       (0x89UL)
+#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY (0x8aUL)
+#define CKA_HASH_OF_ISSUER_PUBLIC_KEY  (0x8bUL)
+#define CKA_NAME_HASH_ALGORITHM	       (0x8cUL)
+#define CKA_CHECK_VALUE		       (0x90UL)
+#define CKA_KEY_TYPE		       (0x100UL)
+#define CKA_SUBJECT		       (0x101UL)
+#define CKA_ID			       (0x102UL)
+#define CKA_SENSITIVE		       (0x103UL)
+#define CKA_ENCRYPT		       (0x104UL)
+#define CKA_DECRYPT		       (0x105UL)
+#define CKA_WRAP		       (0x106UL)
+#define CKA_UNWRAP		       (0x107UL)
+#define CKA_SIGN		       (0x108UL)
+#define CKA_SIGN_RECOVER	       (0x109UL)
+#define CKA_VERIFY		       (0x10aUL)
+#define CKA_VERIFY_RECOVER	       (0x10bUL)
+#define CKA_DERIVE		       (0x10cUL)
+#define CKA_START_DATE		       (0x110UL)
+#define CKA_END_DATE		       (0x111UL)
+#define CKA_MODULUS		       (0x120UL)
+#define CKA_MODULUS_BITS	       (0x121UL)
+#define CKA_PUBLIC_EXPONENT	       (0x122UL)
+#define CKA_PRIVATE_EXPONENT	       (0x123UL)
+#define CKA_PRIME_1		       (0x124UL)
+#define CKA_PRIME_2		       (0x125UL)
+#define CKA_EXPONENT_1		       (0x126UL)
+#define CKA_EXPONENT_2		       (0x127UL)
+#define CKA_COEFFICIENT		       (0x128UL)
+#define CKA_PUBLIC_KEY_INFO	       (0x129UL)
+#define CKA_PRIME		       (0x130UL)
+#define CKA_SUBPRIME		       (0x131UL)
+#define CKA_BASE		       (0x132UL)
+#define CKA_PRIME_BITS		       (0x133UL)
+#define CKA_SUB_PRIME_BITS	       (0x134UL)
+#define CKA_VALUE_BITS		       (0x160UL)
+#define CKA_VALUE_LEN		       (0x161UL)
+#define CKA_EXTRACTABLE		       (0x162UL)
+#define CKA_LOCAL		       (0x163UL)
+#define CKA_NEVER_EXTRACTABLE	       (0x164UL)
+#define CKA_ALWAYS_SENSITIVE	       (0x165UL)
+#define CKA_KEY_GEN_MECHANISM	       (0x166UL)
+#define CKA_MODIFIABLE		       (0x170UL)
+#define CKA_COPYABLE		       (0x171UL)
+#define CKA_DESTROYABLE		       (0x172UL)
+#define CKA_ECDSA_PARAMS	       (0x180UL)
+#define CKA_EC_PARAMS		       (0x180UL)
+#define CKA_EC_POINT		       (0x181UL)
+#define CKA_SECONDARY_AUTH	       (0x200UL)
+#define CKA_AUTH_PIN_FLAGS	       (0x201UL)
+#define CKA_ALWAYS_AUTHENTICATE	       (0x202UL)
+#define CKA_WRAP_WITH_TRUSTED	       (0x210UL)
+#define CKA_OTP_FORMAT		       (0x220UL)
+#define CKA_OTP_LENGTH		       (0x221UL)
+#define CKA_OTP_TIME_INTERVAL	       (0x222UL)
+#define CKA_OTP_USER_FRIENDLY_MODE     (0x223UL)
+#define CKA_OTP_CHALLENGE_REQUIREMENT  (0x224UL)
+#define CKA_OTP_TIME_REQUIREMENT       (0x225UL)
+#define CKA_OTP_COUNTER_REQUIREMENT    (0x226UL)
+#define CKA_OTP_PIN_REQUIREMENT	       (0x227UL)
+#define CKA_OTP_USER_IDENTIFIER	       (0x22AUL)
+#define CKA_OTP_SERVICE_IDENTIFIER     (0x22BUL)
+#define CKA_OTP_SERVICE_LOGO	       (0x22CUL)
+#define CKA_OTP_SERVICE_LOGO_TYPE      (0x22DUL)
+#define CKA_OTP_COUNTER		       (0x22EUL)
+#define CKA_OTP_TIME		       (0x22FUL)
+#define CKA_GOSTR3410_PARAMS	       (0x250UL)
+#define CKA_GOSTR3411_PARAMS	       (0x251UL)
+#define CKA_GOST28147_PARAMS	       (0x252UL)
+#define CKA_HW_FEATURE_TYPE	       (0x300UL)
+#define CKA_RESET_ON_INIT	       (0x301UL)
+#define CKA_HAS_RESET		       (0x302UL)
+#define CKA_PIXEL_X		       (0x400UL)
+#define CKA_PIXEL_Y		       (0x401UL)
+#define CKA_RESOLUTION		       (0x402UL)
+#define CKA_CHAR_ROWS		       (0x403UL)
+#define CKA_CHAR_COLUMNS	       (0x404UL)
+#define CKA_COLOR		       (0x405UL)
+#define CKA_BITS_PER_PIXEL	       (0x406UL)
+#define CKA_CHAR_SETS		       (0x480UL)
+#define CKA_ENCODING_METHODS	       (0x481UL)
+#define CKA_MIME_TYPES		       (0x482UL)
+#define CKA_MECHANISM_TYPE	       (0x500UL)
+#define CKA_REQUIRED_CMS_ATTRIBUTES    (0x501UL)
+#define CKA_DEFAULT_CMS_ATTRIBUTES     (0x502UL)
+#define CKA_SUPPORTED_CMS_ATTRIBUTES   (0x503UL)
+#define CKA_WRAP_TEMPLATE	       (CKF_ARRAY_ATTRIBUTE | 0x211UL)
+#define CKA_UNWRAP_TEMPLATE	       (CKF_ARRAY_ATTRIBUTE | 0x212UL)
+#define CKA_DERIVE_TEMPLATE	       (CKF_ARRAY_ATTRIBUTE | 0x213UL)
+#define CKA_ALLOWED_MECHANISMS	       (CKF_ARRAY_ATTRIBUTE | 0x600UL)
+#define CKA_VENDOR_DEFINED	       ((unsigned long)(1UL << 31))
+
+struct ck_attribute {
+	ck_attribute_type_t type;
+	void		   *value;
+	unsigned long	    value_len;
+};
+
+struct ck_date {
+	unsigned char year[4];
+	unsigned char month[2];
+	unsigned char day[2];
+};
+
+typedef unsigned long ck_mechanism_type_t;
+
+#define CKM_RSA_PKCS_KEY_PAIR_GEN	   (0UL)
+#define CKM_RSA_PKCS			   (1UL)
+#define CKM_RSA_9796			   (2UL)
+#define CKM_RSA_X_509			   (3UL)
+#define CKM_MD2_RSA_PKCS		   (4UL)
+#define CKM_MD5_RSA_PKCS		   (5UL)
+#define CKM_SHA1_RSA_PKCS		   (6UL)
+#define CKM_RIPEMD128_RSA_PKCS		   (7UL)
+#define CKM_RIPEMD160_RSA_PKCS		   (8UL)
+#define CKM_RSA_PKCS_OAEP		   (9UL)
+#define CKM_RSA_X9_31_KEY_PAIR_GEN	   (0xaUL)
+#define CKM_RSA_X9_31			   (0xbUL)
+#define CKM_SHA1_RSA_X9_31		   (0xcUL)
+#define CKM_RSA_PKCS_PSS		   (0xdUL)
+#define CKM_SHA1_RSA_PKCS_PSS		   (0xeUL)
+#define CKM_DSA_KEY_PAIR_GEN		   (0x10UL)
+#define CKM_DSA				   (0x11UL)
+#define CKM_DSA_SHA1			   (0x12UL)
+#define CKM_DSA_SHA224			   (0x13UL)
+#define CKM_DSA_SHA256			   (0x14UL)
+#define CKM_DSA_SHA384			   (0x15UL)
+#define CKM_DSA_SHA512			   (0x16UL)
+#define CKM_DH_PKCS_KEY_PAIR_GEN	   (0x20UL)
+#define CKM_DH_PKCS_DERIVE		   (0x21UL)
+#define CKM_X9_42_DH_KEY_PAIR_GEN	   (0x30UL)
+#define CKM_X9_42_DH_DERIVE		   (0x31UL)
+#define CKM_X9_42_DH_HYBRID_DERIVE	   (0x32UL)
+#define CKM_X9_42_MQV_DERIVE		   (0x33UL)
+#define CKM_SHA256_RSA_PKCS		   (0x40UL)
+#define CKM_SHA384_RSA_PKCS		   (0x41UL)
+#define CKM_SHA512_RSA_PKCS		   (0x42UL)
+#define CKM_SHA256_RSA_PKCS_PSS		   (0x43UL)
+#define CKM_SHA384_RSA_PKCS_PSS		   (0x44UL)
+#define CKM_SHA512_RSA_PKCS_PSS		   (0x45UL)
+#define CKM_SHA512_224			   (0x48UL)
+#define CKM_SHA512_224_HMAC		   (0x49UL)
+#define CKM_SHA512_224_HMAC_GENERAL	   (0x4aUL)
+#define CKM_SHA512_224_KEY_DERIVATION	   (0x4bUL)
+#define CKM_SHA512_256			   (0x4cUL)
+#define CKM_SHA512_256_HMAC		   (0x4dUL)
+#define CKM_SHA512_256_HMAC_GENERAL	   (0x4eUL)
+#define CKM_SHA512_256_KEY_DERIVATION	   (0x4fUL)
+#define CKM_SHA512_T			   (0x50UL)
+#define CKM_SHA512_T_HMAC		   (0x51UL)
+#define CKM_SHA512_T_HMAC_GENERAL	   (0x52UL)
+#define CKM_SHA512_T_KEY_DERIVATION	   (0x53UL)
+#define CKM_RC2_KEY_GEN			   (0x100UL)
+#define CKM_RC2_ECB			   (0x101UL)
+#define CKM_RC2_CBC			   (0x102UL)
+#define CKM_RC2_MAC			   (0x103UL)
+#define CKM_RC2_MAC_GENERAL		   (0x104UL)
+#define CKM_RC2_CBC_PAD			   (0x105UL)
+#define CKM_RC4_KEY_GEN			   (0x110UL)
+#define CKM_RC4				   (0x111UL)
+#define CKM_DES_KEY_GEN			   (0x120UL)
+#define CKM_DES_ECB			   (0x121UL)
+#define CKM_DES_CBC			   (0x122UL)
+#define CKM_DES_MAC			   (0x123UL)
+#define CKM_DES_MAC_GENERAL		   (0x124UL)
+#define CKM_DES_CBC_PAD			   (0x125UL)
+#define CKM_DES2_KEY_GEN		   (0x130UL)
+#define CKM_DES3_KEY_GEN		   (0x131UL)
+#define CKM_DES3_ECB			   (0x132UL)
+#define CKM_DES3_CBC			   (0x133UL)
+#define CKM_DES3_MAC			   (0x134UL)
+#define CKM_DES3_MAC_GENERAL		   (0x135UL)
+#define CKM_DES3_CBC_PAD		   (0x136UL)
+#define CKM_DES3_CMAC_GENERAL		   (0x137UL)
+#define CKM_DES3_CMAC			   (0x138UL)
+#define CKM_CDMF_KEY_GEN		   (0x140UL)
+#define CKM_CDMF_ECB			   (0x141UL)
+#define CKM_CDMF_CBC			   (0x142UL)
+#define CKM_CDMF_MAC			   (0x143UL)
+#define CKM_CDMF_MAC_GENERAL		   (0x144UL)
+#define CKM_CDMF_CBC_PAD		   (0x145UL)
+#define CKM_DES_OFB64			   (0x150UL)
+#define CKM_DES_OFB8			   (0x151UL)
+#define CKM_DES_CFB64			   (0x152UL)
+#define CKM_DES_CFB8			   (0x153UL)
+#define CKM_MD2				   (0x200UL)
+#define CKM_MD2_HMAC			   (0x201UL)
+#define CKM_MD2_HMAC_GENERAL		   (0x202UL)
+#define CKM_MD5				   (0x210UL)
+#define CKM_MD5_HMAC			   (0x211UL)
+#define CKM_MD5_HMAC_GENERAL		   (0x212UL)
+#define CKM_SHA_1			   (0x220UL)
+#define CKM_SHA_1_HMAC			   (0x221UL)
+#define CKM_SHA_1_HMAC_GENERAL		   (0x222UL)
+#define CKM_RIPEMD128			   (0x230UL)
+#define CKM_RIPEMD128_HMAC		   (0x231UL)
+#define CKM_RIPEMD128_HMAC_GENERAL	   (0x232UL)
+#define CKM_RIPEMD160			   (0x240UL)
+#define CKM_RIPEMD160_HMAC		   (0x241UL)
+#define CKM_RIPEMD160_HMAC_GENERAL	   (0x242UL)
+#define CKM_SHA256			   (0x250UL)
+#define CKM_SHA256_HMAC			   (0x251UL)
+#define CKM_SHA256_HMAC_GENERAL		   (0x252UL)
+#define CKM_SHA384			   (0x260UL)
+#define CKM_SHA384_HMAC			   (0x261UL)
+#define CKM_SHA384_HMAC_GENERAL		   (0x262UL)
+#define CKM_SHA512			   (0x270UL)
+#define CKM_SHA512_HMAC			   (0x271UL)
+#define CKM_SHA512_HMAC_GENERAL		   (0x272UL)
+#define CKM_SECURID_KEY_GEN		   (0x280UL)
+#define CKM_SECURID			   (0x282UL)
+#define CKM_HOTP_KEY_GEN		   (0x290UL)
+#define CKM_HOTP			   (0x291UL)
+#define CKM_ACTI			   (0x2a0UL)
+#define CKM_ACTI_KEY_GEN		   (0x2a1UL)
+#define CKM_CAST_KEY_GEN		   (0x300UL)
+#define CKM_CAST_ECB			   (0x301UL)
+#define CKM_CAST_CBC			   (0x302UL)
+#define CKM_CAST_MAC			   (0x303UL)
+#define CKM_CAST_MAC_GENERAL		   (0x304UL)
+#define CKM_CAST_CBC_PAD		   (0x305UL)
+#define CKM_CAST3_KEY_GEN		   (0x310UL)
+#define CKM_CAST3_ECB			   (0x311UL)
+#define CKM_CAST3_CBC			   (0x312UL)
+#define CKM_CAST3_MAC			   (0x313UL)
+#define CKM_CAST3_MAC_GENERAL		   (0x314UL)
+#define CKM_CAST3_CBC_PAD		   (0x315UL)
+#define CKM_CAST5_KEY_GEN		   (0x320UL)
+#define CKM_CAST128_KEY_GEN		   (0x320UL)
+#define CKM_CAST5_ECB			   (0x321UL)
+#define CKM_CAST128_ECB			   (0x321UL)
+#define CKM_CAST5_CBC			   (0x322UL)
+#define CKM_CAST128_CBC			   (0x322UL)
+#define CKM_CAST5_MAC			   (0x323UL)
+#define CKM_CAST128_MAC			   (0x323UL)
+#define CKM_CAST5_MAC_GENERAL		   (0x324UL)
+#define CKM_CAST128_MAC_GENERAL		   (0x324UL)
+#define CKM_CAST5_CBC_PAD		   (0x325UL)
+#define CKM_CAST128_CBC_PAD		   (0x325UL)
+#define CKM_RC5_KEY_GEN			   (0x330UL)
+#define CKM_RC5_ECB			   (0x331UL)
+#define CKM_RC5_CBC			   (0x332UL)
+#define CKM_RC5_MAC			   (0x333UL)
+#define CKM_RC5_MAC_GENERAL		   (0x334UL)
+#define CKM_RC5_CBC_PAD			   (0x335UL)
+#define CKM_IDEA_KEY_GEN		   (0x340UL)
+#define CKM_IDEA_ECB			   (0x341UL)
+#define CKM_IDEA_CBC			   (0x342UL)
+#define CKM_IDEA_MAC			   (0x343UL)
+#define CKM_IDEA_MAC_GENERAL		   (0x344UL)
+#define CKM_IDEA_CBC_PAD		   (0x345UL)
+#define CKM_GENERIC_SECRET_KEY_GEN	   (0x350UL)
+#define CKM_CONCATENATE_BASE_AND_KEY	   (0x360UL)
+#define CKM_CONCATENATE_BASE_AND_DATA	   (0x362UL)
+#define CKM_CONCATENATE_DATA_AND_BASE	   (0x363UL)
+#define CKM_XOR_BASE_AND_DATA		   (0x364UL)
+#define CKM_EXTRACT_KEY_FROM_KEY	   (0x365UL)
+#define CKM_SSL3_PRE_MASTER_KEY_GEN	   (0x370UL)
+#define CKM_SSL3_MASTER_KEY_DERIVE	   (0x371UL)
+#define CKM_SSL3_KEY_AND_MAC_DERIVE	   (0x372UL)
+#define CKM_SSL3_MASTER_KEY_DERIVE_DH	   (0x373UL)
+#define CKM_TLS_PRE_MASTER_KEY_GEN	   (0x374UL)
+#define CKM_TLS_MASTER_KEY_DERIVE	   (0x375UL)
+#define CKM_TLS_KEY_AND_MAC_DERIVE	   (0x376UL)
+#define CKM_TLS_MASTER_KEY_DERIVE_DH	   (0x377UL)
+#define CKM_TLS_PRF			   (0x378UL)
+#define CKM_SSL3_MD5_MAC		   (0x380UL)
+#define CKM_SSL3_SHA1_MAC		   (0x381UL)
+#define CKM_MD5_KEY_DERIVATION		   (0x390UL)
+#define CKM_MD2_KEY_DERIVATION		   (0x391UL)
+#define CKM_SHA1_KEY_DERIVATION		   (0x392UL)
+#define CKM_SHA256_KEY_DERIVATION	   (0x393UL)
+#define CKM_SHA384_KEY_DERIVATION	   (0x394UL)
+#define CKM_SHA512_KEY_DERIVATION	   (0x395UL)
+#define CKM_PBE_MD2_DES_CBC		   (0x3a0UL)
+#define CKM_PBE_MD5_DES_CBC		   (0x3a1UL)
+#define CKM_PBE_MD5_CAST_CBC		   (0x3a2UL)
+#define CKM_PBE_MD5_CAST3_CBC		   (0x3a3UL)
+#define CKM_PBE_MD5_CAST5_CBC		   (0x3a4UL)
+#define CKM_PBE_MD5_CAST128_CBC		   (0x3a4UL)
+#define CKM_PBE_SHA1_CAST5_CBC		   (0x3a5UL)
+#define CKM_PBE_SHA1_CAST128_CBC	   (0x3a5UL)
+#define CKM_PBE_SHA1_RC4_128		   (0x3a6UL)
+#define CKM_PBE_SHA1_RC4_40		   (0x3a7UL)
+#define CKM_PBE_SHA1_DES3_EDE_CBC	   (0x3a8UL)
+#define CKM_PBE_SHA1_DES2_EDE_CBC	   (0x3a9UL)
+#define CKM_PBE_SHA1_RC2_128_CBC	   (0x3aaUL)
+#define CKM_PBE_SHA1_RC2_40_CBC		   (0x3abUL)
+#define CKM_PKCS5_PBKD2			   (0x3b0UL)
+#define CKM_PBA_SHA1_WITH_SHA1_HMAC	   (0x3c0UL)
+#define CKM_WTLS_PRE_MASTER_KEY_GEN	   (0x3d0UL)
+#define CKM_WTLS_MASTER_KEY_DERIVE	   (0x3d1UL)
+#define CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC  (0x3d2UL)
+#define CKM_WTLS_PRF			   (0x3d3UL)
+#define CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE (0x3d4UL)
+#define CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE (0x3d5UL)
+#define CKM_TLS10_MAC_SERVER		   (0x3d6UL)
+#define CKM_TLS10_MAC_CLIENT		   (0x3d7UL)
+#define CKM_TLS12_MAC			   (0x3d8UL)
+#define CKM_TLS12_KDF			   (0x3d9UL)
+#define CKM_TLS12_MASTER_KEY_DERIVE	   (0x3e0UL)
+#define CKM_TLS12_KEY_AND_MAC_DERIVE	   (0x3e1UL)
+#define CKM_TLS12_MASTER_KEY_DERIVE_DH	   (0x3e2UL)
+#define CKM_TLS12_KEY_SAFE_DERIVE	   (0x3e3UL)
+#define CKM_TLS_MAC			   (0x3e4UL)
+#define CKM_TLS_KDF			   (0x3e5UL)
+#define CKM_KEY_WRAP_LYNKS		   (0x400UL)
+#define CKM_KEY_WRAP_SET_OAEP		   (0x401UL)
+#define CKM_CMS_SIG			   (0x500UL)
+#define CKM_KIP_DERIVE			   (0x510UL)
+#define CKM_KIP_WRAP			   (0x511UL)
+#define CKM_KIP_MAC			   (0x512UL)
+#define CKM_ARIA_KEY_GEN		   (0x560UL)
+#define CKM_ARIA_ECB			   (0x561UL)
+#define CKM_ARIA_CBC			   (0x562UL)
+#define CKM_ARIA_MAC			   (0x563UL)
+#define CKM_ARIA_MAC_GENERAL		   (0x564UL)
+#define CKM_ARIA_CBC_PAD		   (0x565UL)
+#define CKM_ARIA_ECB_ENCRYPT_DATA	   (0x566UL)
+#define CKM_ARIA_CBC_ENCRYPT_DATA	   (0x567UL)
+#define CKM_SEED_KEY_GEN		   (0x650UL)
+#define CKM_SEED_ECB			   (0x651UL)
+#define CKM_SEED_CBC			   (0x652UL)
+#define CKM_SEED_MAC			   (0x653UL)
+#define CKM_SEED_MAC_GENERAL		   (0x654UL)
+#define CKM_SEED_CBC_PAD		   (0x655UL)
+#define CKM_SEED_ECB_ENCRYPT_DATA	   (0x656UL)
+#define CKM_SEED_CBC_ENCRYPT_DATA	   (0x657UL)
+#define CKM_SKIPJACK_KEY_GEN		   (0x1000UL)
+#define CKM_SKIPJACK_ECB64		   (0x1001UL)
+#define CKM_SKIPJACK_CBC64		   (0x1002UL)
+#define CKM_SKIPJACK_OFB64		   (0x1003UL)
+#define CKM_SKIPJACK_CFB64		   (0x1004UL)
+#define CKM_SKIPJACK_CFB32		   (0x1005UL)
+#define CKM_SKIPJACK_CFB16		   (0x1006UL)
+#define CKM_SKIPJACK_CFB8		   (0x1007UL)
+#define CKM_SKIPJACK_WRAP		   (0x1008UL)
+#define CKM_SKIPJACK_PRIVATE_WRAP	   (0x1009UL)
+#define CKM_SKIPJACK_RELAYX		   (0x100aUL)
+#define CKM_KEA_KEY_PAIR_GEN		   (0x1010UL)
+#define CKM_KEA_KEY_DERIVE		   (0x1011UL)
+#define CKM_FORTEZZA_TIMESTAMP		   (0x1020UL)
+#define CKM_BATON_KEY_GEN		   (0x1030UL)
+#define CKM_BATON_ECB128		   (0x1031UL)
+#define CKM_BATON_ECB96			   (0x1032UL)
+#define CKM_BATON_CBC128		   (0x1033UL)
+#define CKM_BATON_COUNTER		   (0x1034UL)
+#define CKM_BATON_SHUFFLE		   (0x1035UL)
+#define CKM_BATON_WRAP			   (0x1036UL)
+#define CKM_ECDSA_KEY_PAIR_GEN		   (0x1040UL)
+#define CKM_EC_KEY_PAIR_GEN		   (0x1040UL)
+#define CKM_ECDSA			   (0x1041UL)
+#define CKM_ECDSA_SHA1			   (0x1042UL)
+#define CKM_ECDSA_SHA224		   (0x1043UL)
+#define CKM_ECDSA_SHA256		   (0x1044UL)
+#define CKM_ECDSA_SHA384		   (0x1045UL)
+#define CKM_ECDSA_SHA512		   (0x1046UL)
+#define CKM_ECDH1_DERIVE		   (0x1050UL)
+#define CKM_ECDH1_COFACTOR_DERIVE	   (0x1051UL)
+#define CKM_ECMQV_DERIVE		   (0x1052UL)
+#define CKM_ECDH_AES_KEY_WRAP		   (0x1053UL)
+#define CKM_RSA_AES_KEY_WRAP		   (0x1054UL)
+#define CKM_JUNIPER_KEY_GEN		   (0x1060UL)
+#define CKM_JUNIPER_ECB128		   (0x1061UL)
+#define CKM_JUNIPER_CBC128		   (0x1062UL)
+#define CKM_JUNIPER_COUNTER		   (0x1063UL)
+#define CKM_JUNIPER_SHUFFLE		   (0x1064UL)
+#define CKM_JUNIPER_WRAP		   (0x1065UL)
+#define CKM_FASTHASH			   (0x1070UL)
+#define CKM_AES_KEY_GEN			   (0x1080UL)
+#define CKM_AES_ECB			   (0x1081UL)
+#define CKM_AES_CBC			   (0x1082UL)
+#define CKM_AES_MAC			   (0x1083UL)
+#define CKM_AES_MAC_GENERAL		   (0x1084UL)
+#define CKM_AES_CBC_PAD			   (0x1085UL)
+#define CKM_AES_CTR			   (0x1086UL)
+#define CKM_AES_GCM			   (0x1087UL)
+#define CKM_AES_CCM			   (0x1088UL)
+#define CKM_AES_CTS			   (0x1089UL)
+#define CKM_AES_CMAC			   (0x108aUL)
+#define CKM_AES_CMAC_GENERAL		   (0x108bUL)
+#define CKM_AES_XCBC_MAC		   (0x108cUL)
+#define CKM_AES_XCBC_MAC_96		   (0x108dUL)
+#define CKM_AES_GMAC			   (0x108eUL)
+#define CKM_BLOWFISH_KEY_GEN		   (0x1090UL)
+#define CKM_BLOWFISH_CBC		   (0x1091UL)
+#define CKM_TWOFISH_KEY_GEN		   (0x1092UL)
+#define CKM_TWOFISH_CBC			   (0x1093UL)
+#define CKM_BLOWFISH_CBC_PAD		   (0x1094UL)
+#define CKM_TWOFISH_CBC_PAD		   (0x1095UL)
+#define CKM_DES_ECB_ENCRYPT_DATA	   (0x1100UL)
+#define CKM_DES_CBC_ENCRYPT_DATA	   (0x1101UL)
+#define CKM_DES3_ECB_ENCRYPT_DATA	   (0x1102UL)
+#define CKM_DES3_CBC_ENCRYPT_DATA	   (0x1103UL)
+#define CKM_AES_ECB_ENCRYPT_DATA	   (0x1104UL)
+#define CKM_AES_CBC_ENCRYPT_DATA	   (0x1105UL)
+#define CKM_GOSTR3410_KEY_PAIR_GEN	   (0x1200UL)
+#define CKM_GOSTR3410			   (0x1201UL)
+#define CKM_GOSTR3410_WITH_GOSTR3411	   (0x1202UL)
+#define CKM_GOSTR3410_KEY_WRAP		   (0x1203UL)
+#define CKM_GOSTR3410_DERIVE		   (0x1204UL)
+#define CKM_GOSTR3411			   (0x1210UL)
+#define CKM_GOSTR3411_HMAC		   (0x1211UL)
+#define CKM_GOST28147_KEY_GEN		   (0x1220UL)
+#define CKM_GOST28147_ECB		   (0x1221UL)
+#define CKM_GOST28147			   (0x1222UL)
+#define CKM_GOST28147_MAC		   (0x1223UL)
+#define CKM_GOST28147_KEY_WRAP		   (0x1224UL)
+#define CKM_DSA_PARAMETER_GEN		   (0x2000UL)
+#define CKM_DH_PKCS_PARAMETER_GEN	   (0x2001UL)
+#define CKM_X9_42_DH_PARAMETER_GEN	   (0x2002UL)
+#define CKM_DSA_PROBABLISTIC_PARAMETER_GEN (0x2003UL)
+#define CKM_DSA_SHAWE_TAYLOR_PARAMETER_GEN (0x2004UL)
+#define CKM_AES_OFB			   (0x2104UL)
+#define CKM_AES_CFB64			   (0x2105UL)
+#define CKM_AES_CFB8			   (0x2106UL)
+#define CKM_AES_CFB128			   (0x2107UL)
+#define CKM_AES_CFB1			   (0x2108UL)
+
+#define CKM_VENDOR_DEFINED ((unsigned long)(1UL << 31))
+
+/* Amendments */
+#define CKM_SHA224		  (0x255UL)
+#define CKM_SHA224_HMAC		  (0x256UL)
+#define CKM_SHA224_HMAC_GENERAL	  (0x257UL)
+#define CKM_SHA224_RSA_PKCS	  (0x46UL)
+#define CKM_SHA224_RSA_PKCS_PSS	  (0x47UL)
+#define CKM_SHA224_KEY_DERIVATION (0x396UL)
+
+#define CKM_CAMELLIA_KEY_GEN	      (0x550UL)
+#define CKM_CAMELLIA_ECB	      (0x551UL)
+#define CKM_CAMELLIA_CBC	      (0x552UL)
+#define CKM_CAMELLIA_MAC	      (0x553UL)
+#define CKM_CAMELLIA_MAC_GENERAL      (0x554UL)
+#define CKM_CAMELLIA_CBC_PAD	      (0x555UL)
+#define CKM_CAMELLIA_ECB_ENCRYPT_DATA (0x556UL)
+#define CKM_CAMELLIA_CBC_ENCRYPT_DATA (0x557UL)
+#define CKM_CAMELLIA_CTR	      (0x558UL)
+
+#define CKM_AES_KEY_WRAP     (0x2109UL)
+#define CKM_AES_KEY_WRAP_PAD (0x210aUL)
+
+#define CKM_RSA_PKCS_TPM_1_1	  (0x4001UL)
+#define CKM_RSA_PKCS_OAEP_TPM_1_1 (0x4002UL)
+
+/* From version 3.0 */
+#define CKM_EC_EDWARDS_KEY_PAIR_GEN (0x1055UL)
+#define CKM_EDDSA		    (0x1057UL)
+
+/* Attribute and other constants related to OTP */
+#define CK_OTP_FORMAT_DECIMAL	   (0UL)
+#define CK_OTP_FORMAT_HEXADECIMAL  (1UL)
+#define CK_OTP_FORMAT_ALPHANUMERIC (2UL)
+#define CK_OTP_FORMAT_BINARY	   (3UL)
+#define CK_OTP_PARAM_IGNORED	   (0UL)
+#define CK_OTP_PARAM_OPTIONAL	   (1UL)
+#define CK_OTP_PARAM_MANDATORY	   (2UL)
+
+#define CK_OTP_VALUE	     (0UL)
+#define CK_OTP_PIN	     (1UL)
+#define CK_OTP_CHALLENGE     (2UL)
+#define CK_OTP_TIME	     (3UL)
+#define CK_OTP_COUNTER	     (4UL)
+#define CK_OTP_FLAGS	     (5UL)
+#define CK_OTP_OUTPUT_LENGTH (6UL)
+#define CK_OTP_FORMAT	     (7UL)
+
+/* OTP mechanism flags */
+#define CKF_NEXT_OTP	      (0x01UL)
+#define CKF_EXCLUDE_TIME      (0x02UL)
+#define CKF_EXCLUDE_COUNTER   (0x04UL)
+#define CKF_EXCLUDE_CHALLENGE (0x08UL)
+#define CKF_EXCLUDE_PIN	      (0x10UL)
+#define CKF_USER_FRIENDLY_OTP (0x20UL)
+
+#define CKN_OTP_CHANGED (0x01UL)
+
+struct ck_mechanism {
+	ck_mechanism_type_t mechanism;
+	void		   *parameter;
+	unsigned long	    parameter_len;
+};
+
+struct ck_mechanism_info {
+	unsigned long min_key_size;
+	unsigned long max_key_size;
+	ck_flags_t    flags;
+};
+
+typedef unsigned long ck_param_type;
+
+typedef struct ck_otp_param {
+	ck_param_type type;
+	void	     *value;
+	unsigned long value_len;
+} ck_otp_param;
+
+typedef struct ck_otp_params {
+	struct ck_otp_param *params;
+	unsigned long	     count;
+} ck_otp_params;
+
+typedef struct ck_otp_signature_info {
+	struct ck_otp_param *params;
+	unsigned long	     count;
+} ck_otp_signature_info;
+
+#define CKG_MGF1_SHA1	0x00000001UL
+#define CKG_MGF1_SHA224 0x00000005UL
+#define CKG_MGF1_SHA256 0x00000002UL
+#define CKG_MGF1_SHA384 0x00000003UL
+#define CKG_MGF1_SHA512 0x00000004UL
+
+typedef unsigned long ck_rsa_pkcs_mgf_type_t;
+
+struct ck_rsa_pkcs_pss_params {
+	ck_mechanism_type_t    hash_alg;
+	ck_rsa_pkcs_mgf_type_t mgf;
+	unsigned long	       s_len;
+};
+
+typedef unsigned long ck_rsa_pkcs_oaep_source_type_t;
+
+struct ck_rsa_pkcs_oaep_params {
+	ck_mechanism_type_t	       hash_alg;
+	ck_rsa_pkcs_mgf_type_t	       mgf;
+	ck_rsa_pkcs_oaep_source_type_t source;
+	void			      *source_data;
+	unsigned long		       source_data_len;
+};
+
+struct ck_aes_ctr_params {
+	unsigned long counter_bits;
+	unsigned char cb[16];
+};
+
+struct ck_gcm_params {
+	unsigned char *iv_ptr;
+	unsigned long  iv_len;
+	unsigned long  iv_bits;
+	unsigned char *aad_ptr;
+	unsigned long  aad_len;
+	unsigned long  tag_bits;
+};
+
+/* The following EC Key Derivation Functions are defined */
+#define CKD_NULL     (0x01UL)
+#define CKD_SHA1_KDF (0x02UL)
+
+/* The following X9.42 DH key derivation functions are defined */
+#define CKD_SHA1_KDF_ASN1	 (0x03UL)
+#define CKD_SHA1_KDF_CONCATENATE (0x04UL)
+#define CKD_SHA224_KDF		 (0x05UL)
+#define CKD_SHA256_KDF		 (0x06UL)
+#define CKD_SHA384_KDF		 (0x07UL)
+#define CKD_SHA512_KDF		 (0x08UL)
+#define CKD_CPDIVERSIFY_KDF	 (0x09UL)
+
+typedef unsigned long ck_ec_kdf_t;
+
+struct ck_ecdh1_derive_params {
+	ck_ec_kdf_t    kdf;
+	unsigned long  shared_data_len;
+	unsigned char *shared_data;
+	unsigned long  public_data_len;
+	unsigned char *public_data;
+};
+
+struct ck_key_derivation_string_data {
+	unsigned char *string_data;
+	unsigned long  string_data_len;
+};
+
+struct ck_des_cbc_encrypt_data_params {
+	unsigned char  iv[8];
+	unsigned char *data_params;
+	unsigned long  length;
+};
+
+struct ck_aes_cbc_encrypt_data_params {
+	unsigned char  iv[16];
+	unsigned char *data_params;
+	unsigned long  length;
+};
+
+#define CKF_HW		      (1UL << 0)
+#define CKF_ENCRYPT	      (1UL << 8)
+#define CKF_DECRYPT	      (1UL << 9)
+#define CKF_DIGEST	      (1UL << 10)
+#define CKF_SIGN	      (1UL << 11)
+#define CKF_SIGN_RECOVER      (1UL << 12)
+#define CKF_VERIFY	      (1UL << 13)
+#define CKF_VERIFY_RECOVER    (1UL << 14)
+#define CKF_GENERATE	      (1UL << 15)
+#define CKF_GENERATE_KEY_PAIR (1UL << 16)
+#define CKF_WRAP	      (1UL << 17)
+#define CKF_UNWRAP	      (1UL << 18)
+#define CKF_DERIVE	      (1UL << 19)
+#define CKF_EXTENSION	      ((unsigned long)(1UL << 31))
+
+#define CKF_EC_F_P	  (1UL << 20)
+#define CKF_EC_NAMEDCURVE (1UL << 23)
+#define CKF_EC_UNCOMPRESS (1UL << 24)
+#define CKF_EC_COMPRESS	  (1UL << 25)
+
+/* Flags for C_WaitForSlotEvent.  */
+#define CKF_DONT_BLOCK (1UL)
+
+typedef unsigned long ck_rv_t;
+
+typedef ck_rv_t (*ck_notify_t)(ck_session_handle_t session,
+			       ck_notification_t event, void *application);
+
+/* Forward reference.  */
+struct ck_function_list;
+
+#define _CK_DECLARE_FUNCTION(name, args)  \
+	typedef ck_rv_t(*CK_##name) args; \
+	ck_rv_t CK_SPEC name args
+
+_CK_DECLARE_FUNCTION(C_Initialize, (void *init_args));
+_CK_DECLARE_FUNCTION(C_Finalize, (void *reserved));
+_CK_DECLARE_FUNCTION(C_GetInfo, (struct ck_info * info));
+_CK_DECLARE_FUNCTION(C_GetFunctionList,
+		     (struct ck_function_list * *function_list));
+
+_CK_DECLARE_FUNCTION(C_GetSlotList,
+		     (unsigned char token_present, ck_slot_id_t *slot_list,
+		      unsigned long *count));
+_CK_DECLARE_FUNCTION(C_GetSlotInfo,
+		     (ck_slot_id_t slot_id, struct ck_slot_info *info));
+_CK_DECLARE_FUNCTION(C_GetTokenInfo,
+		     (ck_slot_id_t slot_id, struct ck_token_info *info));
+_CK_DECLARE_FUNCTION(C_WaitForSlotEvent,
+		     (ck_flags_t flags, ck_slot_id_t *slot, void *reserved));
+_CK_DECLARE_FUNCTION(C_GetMechanismList,
+		     (ck_slot_id_t slot_id, ck_mechanism_type_t *mechanism_list,
+		      unsigned long *count));
+_CK_DECLARE_FUNCTION(C_GetMechanismInfo,
+		     (ck_slot_id_t slot_id, ck_mechanism_type_t type,
+		      struct ck_mechanism_info *info));
+_CK_DECLARE_FUNCTION(C_InitToken,
+		     (ck_slot_id_t slot_id, unsigned char *pin,
+		      unsigned long pin_len, unsigned char *label));
+_CK_DECLARE_FUNCTION(C_InitPIN, (ck_session_handle_t session,
+				 unsigned char *pin, unsigned long pin_len));
+_CK_DECLARE_FUNCTION(C_SetPIN, (ck_session_handle_t session,
+				unsigned char *old_pin, unsigned long old_len,
+				unsigned char *new_pin, unsigned long new_len));
+
+_CK_DECLARE_FUNCTION(C_OpenSession,
+		     (ck_slot_id_t slot_id, ck_flags_t flags, void *application,
+		      ck_notify_t notify, ck_session_handle_t *session));
+_CK_DECLARE_FUNCTION(C_CloseSession, (ck_session_handle_t session));
+_CK_DECLARE_FUNCTION(C_CloseAllSessions, (ck_slot_id_t slot_id));
+_CK_DECLARE_FUNCTION(C_GetSessionInfo, (ck_session_handle_t	session,
+					struct ck_session_info *info));
+_CK_DECLARE_FUNCTION(C_GetOperationState, (ck_session_handle_t session,
+					   unsigned char      *operation_state,
+					   unsigned long *operation_state_len));
+_CK_DECLARE_FUNCTION(C_SetOperationState,
+		     (ck_session_handle_t session,
+		      unsigned char	 *operation_state,
+		      unsigned long	  operation_state_len,
+		      ck_object_handle_t  encryption_key,
+		      ck_object_handle_t  authentiation_key));
+_CK_DECLARE_FUNCTION(C_Login,
+		     (ck_session_handle_t session, ck_user_type_t user_type,
+		      unsigned char *pin, unsigned long pin_len));
+_CK_DECLARE_FUNCTION(C_Logout, (ck_session_handle_t session));
+
+_CK_DECLARE_FUNCTION(C_CreateObject,
+		     (ck_session_handle_t session, struct ck_attribute *templ,
+		      unsigned long count, ck_object_handle_t *object));
+_CK_DECLARE_FUNCTION(C_CopyObject,
+		     (ck_session_handle_t session, ck_object_handle_t object,
+		      struct ck_attribute *templ, unsigned long count,
+		      ck_object_handle_t *new_object));
+_CK_DECLARE_FUNCTION(C_DestroyObject,
+		     (ck_session_handle_t session, ck_object_handle_t object));
+_CK_DECLARE_FUNCTION(C_GetObjectSize,
+		     (ck_session_handle_t session, ck_object_handle_t object,
+		      unsigned long *size));
+_CK_DECLARE_FUNCTION(C_GetAttributeValue,
+		     (ck_session_handle_t session, ck_object_handle_t object,
+		      struct ck_attribute *templ, unsigned long count));
+_CK_DECLARE_FUNCTION(C_SetAttributeValue,
+		     (ck_session_handle_t session, ck_object_handle_t object,
+		      struct ck_attribute *templ, unsigned long count));
+_CK_DECLARE_FUNCTION(C_FindObjectsInit,
+		     (ck_session_handle_t session, struct ck_attribute *templ,
+		      unsigned long count));
+_CK_DECLARE_FUNCTION(C_FindObjects,
+		     (ck_session_handle_t session, ck_object_handle_t *object,
+		      unsigned long  max_object_count,
+		      unsigned long *object_count));
+_CK_DECLARE_FUNCTION(C_FindObjectsFinal, (ck_session_handle_t session));
+
+_CK_DECLARE_FUNCTION(C_EncryptInit,
+		     (ck_session_handle_t  session,
+		      struct ck_mechanism *mechanism, ck_object_handle_t key));
+_CK_DECLARE_FUNCTION(C_Encrypt,
+		     (ck_session_handle_t session, unsigned char *data,
+		      unsigned long data_len, unsigned char *encrypted_data,
+		      unsigned long *encrypted_data_len));
+_CK_DECLARE_FUNCTION(C_EncryptUpdate,
+		     (ck_session_handle_t session, unsigned char *part,
+		      unsigned long part_len, unsigned char *encrypted_part,
+		      unsigned long *encrypted_part_len));
+_CK_DECLARE_FUNCTION(C_EncryptFinal, (ck_session_handle_t session,
+				      unsigned char	 *last_encrypted_part,
+				      unsigned long *last_encrypted_part_len));
+
+_CK_DECLARE_FUNCTION(C_DecryptInit,
+		     (ck_session_handle_t  session,
+		      struct ck_mechanism *mechanism, ck_object_handle_t key));
+_CK_DECLARE_FUNCTION(C_Decrypt, (ck_session_handle_t session,
+				 unsigned char	    *encrypted_data,
+				 unsigned long	     encrypted_data_len,
+				 unsigned char *data, unsigned long *data_len));
+_CK_DECLARE_FUNCTION(C_DecryptUpdate,
+		     (ck_session_handle_t session,
+		      unsigned char	 *encrypted_part,
+		      unsigned long encrypted_part_len, unsigned char *part,
+		      unsigned long *part_len));
+_CK_DECLARE_FUNCTION(C_DecryptFinal,
+		     (ck_session_handle_t session, unsigned char *last_part,
+		      unsigned long *last_part_len));
+
+_CK_DECLARE_FUNCTION(C_DigestInit, (ck_session_handle_t	 session,
+				    struct ck_mechanism *mechanism));
+_CK_DECLARE_FUNCTION(C_Digest,
+		     (ck_session_handle_t session, unsigned char *data,
+		      unsigned long data_len, unsigned char *digest,
+		      unsigned long *digest_len));
+_CK_DECLARE_FUNCTION(C_DigestUpdate,
+		     (ck_session_handle_t session, unsigned char *part,
+		      unsigned long part_len));
+_CK_DECLARE_FUNCTION(C_DigestKey,
+		     (ck_session_handle_t session, ck_object_handle_t key));
+_CK_DECLARE_FUNCTION(C_DigestFinal,
+		     (ck_session_handle_t session, unsigned char *digest,
+		      unsigned long *digest_len));
+
+_CK_DECLARE_FUNCTION(C_SignInit,
+		     (ck_session_handle_t  session,
+		      struct ck_mechanism *mechanism, ck_object_handle_t key));
+_CK_DECLARE_FUNCTION(C_Sign, (ck_session_handle_t session, unsigned char *data,
+			      unsigned long data_len, unsigned char *signature,
+			      unsigned long *signature_len));
+_CK_DECLARE_FUNCTION(C_SignUpdate,
+		     (ck_session_handle_t session, unsigned char *part,
+		      unsigned long part_len));
+_CK_DECLARE_FUNCTION(C_SignFinal,
+		     (ck_session_handle_t session, unsigned char *signature,
+		      unsigned long *signature_len));
+_CK_DECLARE_FUNCTION(C_SignRecoverInit,
+		     (ck_session_handle_t  session,
+		      struct ck_mechanism *mechanism, ck_object_handle_t key));
+_CK_DECLARE_FUNCTION(C_SignRecover,
+		     (ck_session_handle_t session, unsigned char *data,
+		      unsigned long data_len, unsigned char *signature,
+		      unsigned long *signature_len));
+
+_CK_DECLARE_FUNCTION(C_VerifyInit,
+		     (ck_session_handle_t  session,
+		      struct ck_mechanism *mechanism, ck_object_handle_t key));
+_CK_DECLARE_FUNCTION(C_Verify,
+		     (ck_session_handle_t session, unsigned char *data,
+		      unsigned long data_len, unsigned char *signature,
+		      unsigned long signature_len));
+_CK_DECLARE_FUNCTION(C_VerifyUpdate,
+		     (ck_session_handle_t session, unsigned char *part,
+		      unsigned long part_len));
+_CK_DECLARE_FUNCTION(C_VerifyFinal,
+		     (ck_session_handle_t session, unsigned char *signature,
+		      unsigned long signature_len));
+_CK_DECLARE_FUNCTION(C_VerifyRecoverInit,
+		     (ck_session_handle_t  session,
+		      struct ck_mechanism *mechanism, ck_object_handle_t key));
+_CK_DECLARE_FUNCTION(C_VerifyRecover,
+		     (ck_session_handle_t session, unsigned char *signature,
+		      unsigned long signature_len, unsigned char *data,
+		      unsigned long *data_len));
+
+_CK_DECLARE_FUNCTION(C_DigestEncryptUpdate,
+		     (ck_session_handle_t session, unsigned char *part,
+		      unsigned long part_len, unsigned char *encrypted_part,
+		      unsigned long *encrypted_part_len));
+_CK_DECLARE_FUNCTION(C_DecryptDigestUpdate,
+		     (ck_session_handle_t session,
+		      unsigned char	 *encrypted_part,
+		      unsigned long encrypted_part_len, unsigned char *part,
+		      unsigned long *part_len));
+_CK_DECLARE_FUNCTION(C_SignEncryptUpdate,
+		     (ck_session_handle_t session, unsigned char *part,
+		      unsigned long part_len, unsigned char *encrypted_part,
+		      unsigned long *encrypted_part_len));
+_CK_DECLARE_FUNCTION(C_DecryptVerifyUpdate,
+		     (ck_session_handle_t session,
+		      unsigned char	 *encrypted_part,
+		      unsigned long encrypted_part_len, unsigned char *part,
+		      unsigned long *part_len));
+
+_CK_DECLARE_FUNCTION(C_GenerateKey,
+		     (ck_session_handle_t  session,
+		      struct ck_mechanism *mechanism,
+		      struct ck_attribute *templ, unsigned long count,
+		      ck_object_handle_t *key));
+_CK_DECLARE_FUNCTION(C_GenerateKeyPair,
+		     (ck_session_handle_t  session,
+		      struct ck_mechanism *mechanism,
+		      struct ck_attribute *public_key_template,
+		      unsigned long	   public_key_attribute_count,
+		      struct ck_attribute *private_key_template,
+		      unsigned long	   private_key_attribute_count,
+		      ck_object_handle_t  *public_key,
+		      ck_object_handle_t  *private_key));
+_CK_DECLARE_FUNCTION(C_WrapKey,
+		     (ck_session_handle_t  session,
+		      struct ck_mechanism *mechanism,
+		      ck_object_handle_t wrapping_key, ck_object_handle_t key,
+		      unsigned char *wrapped_key,
+		      unsigned long *wrapped_key_len));
+_CK_DECLARE_FUNCTION(C_UnwrapKey,
+		     (ck_session_handle_t  session,
+		      struct ck_mechanism *mechanism,
+		      ck_object_handle_t   unwrapping_key,
+		      unsigned char *wrapped_key, unsigned long wrapped_key_len,
+		      struct ck_attribute *templ, unsigned long attribute_count,
+		      ck_object_handle_t *key));
+_CK_DECLARE_FUNCTION(C_DeriveKey,
+		     (ck_session_handle_t  session,
+		      struct ck_mechanism *mechanism,
+		      ck_object_handle_t base_key, struct ck_attribute *templ,
+		      unsigned long attribute_count, ck_object_handle_t *key));
+
+_CK_DECLARE_FUNCTION(C_SeedRandom,
+		     (ck_session_handle_t session, unsigned char *seed,
+		      unsigned long seed_len));
+_CK_DECLARE_FUNCTION(C_GenerateRandom,
+		     (ck_session_handle_t session, unsigned char *random_data,
+		      unsigned long random_len));
+
+_CK_DECLARE_FUNCTION(C_GetFunctionStatus, (ck_session_handle_t session));
+_CK_DECLARE_FUNCTION(C_CancelFunction, (ck_session_handle_t session));
+
+struct ck_function_list {
+	struct ck_version	 version;
+	CK_C_Initialize		 C_Initialize;
+	CK_C_Finalize		 C_Finalize;
+	CK_C_GetInfo		 C_GetInfo;
+	CK_C_GetFunctionList	 C_GetFunctionList;
+	CK_C_GetSlotList	 C_GetSlotList;
+	CK_C_GetSlotInfo	 C_GetSlotInfo;
+	CK_C_GetTokenInfo	 C_GetTokenInfo;
+	CK_C_GetMechanismList	 C_GetMechanismList;
+	CK_C_GetMechanismInfo	 C_GetMechanismInfo;
+	CK_C_InitToken		 C_InitToken;
+	CK_C_InitPIN		 C_InitPIN;
+	CK_C_SetPIN		 C_SetPIN;
+	CK_C_OpenSession	 C_OpenSession;
+	CK_C_CloseSession	 C_CloseSession;
+	CK_C_CloseAllSessions	 C_CloseAllSessions;
+	CK_C_GetSessionInfo	 C_GetSessionInfo;
+	CK_C_GetOperationState	 C_GetOperationState;
+	CK_C_SetOperationState	 C_SetOperationState;
+	CK_C_Login		 C_Login;
+	CK_C_Logout		 C_Logout;
+	CK_C_CreateObject	 C_CreateObject;
+	CK_C_CopyObject		 C_CopyObject;
+	CK_C_DestroyObject	 C_DestroyObject;
+	CK_C_GetObjectSize	 C_GetObjectSize;
+	CK_C_GetAttributeValue	 C_GetAttributeValue;
+	CK_C_SetAttributeValue	 C_SetAttributeValue;
+	CK_C_FindObjectsInit	 C_FindObjectsInit;
+	CK_C_FindObjects	 C_FindObjects;
+	CK_C_FindObjectsFinal	 C_FindObjectsFinal;
+	CK_C_EncryptInit	 C_EncryptInit;
+	CK_C_Encrypt		 C_Encrypt;
+	CK_C_EncryptUpdate	 C_EncryptUpdate;
+	CK_C_EncryptFinal	 C_EncryptFinal;
+	CK_C_DecryptInit	 C_DecryptInit;
+	CK_C_Decrypt		 C_Decrypt;
+	CK_C_DecryptUpdate	 C_DecryptUpdate;
+	CK_C_DecryptFinal	 C_DecryptFinal;
+	CK_C_DigestInit		 C_DigestInit;
+	CK_C_Digest		 C_Digest;
+	CK_C_DigestUpdate	 C_DigestUpdate;
+	CK_C_DigestKey		 C_DigestKey;
+	CK_C_DigestFinal	 C_DigestFinal;
+	CK_C_SignInit		 C_SignInit;
+	CK_C_Sign		 C_Sign;
+	CK_C_SignUpdate		 C_SignUpdate;
+	CK_C_SignFinal		 C_SignFinal;
+	CK_C_SignRecoverInit	 C_SignRecoverInit;
+	CK_C_SignRecover	 C_SignRecover;
+	CK_C_VerifyInit		 C_VerifyInit;
+	CK_C_Verify		 C_Verify;
+	CK_C_VerifyUpdate	 C_VerifyUpdate;
+	CK_C_VerifyFinal	 C_VerifyFinal;
+	CK_C_VerifyRecoverInit	 C_VerifyRecoverInit;
+	CK_C_VerifyRecover	 C_VerifyRecover;
+	CK_C_DigestEncryptUpdate C_DigestEncryptUpdate;
+	CK_C_DecryptDigestUpdate C_DecryptDigestUpdate;
+	CK_C_SignEncryptUpdate	 C_SignEncryptUpdate;
+	CK_C_DecryptVerifyUpdate C_DecryptVerifyUpdate;
+	CK_C_GenerateKey	 C_GenerateKey;
+	CK_C_GenerateKeyPair	 C_GenerateKeyPair;
+	CK_C_WrapKey		 C_WrapKey;
+	CK_C_UnwrapKey		 C_UnwrapKey;
+	CK_C_DeriveKey		 C_DeriveKey;
+	CK_C_SeedRandom		 C_SeedRandom;
+	CK_C_GenerateRandom	 C_GenerateRandom;
+	CK_C_GetFunctionStatus	 C_GetFunctionStatus;
+	CK_C_CancelFunction	 C_CancelFunction;
+	CK_C_WaitForSlotEvent	 C_WaitForSlotEvent;
+};
+
+typedef ck_rv_t (*ck_createmutex_t)(void **mutex);
+typedef ck_rv_t (*ck_destroymutex_t)(void *mutex);
+typedef ck_rv_t (*ck_lockmutex_t)(void *mutex);
+typedef ck_rv_t (*ck_unlockmutex_t)(void *mutex);
+
+struct ck_c_initialize_args {
+	ck_createmutex_t  create_mutex;
+	ck_destroymutex_t destroy_mutex;
+	ck_lockmutex_t	  lock_mutex;
+	ck_unlockmutex_t  unlock_mutex;
+	ck_flags_t	  flags;
+	void		 *reserved;
+};
+
+#define CKF_LIBRARY_CANT_CREATE_OS_THREADS (1UL << 0)
+#define CKF_OS_LOCKING_OK		   (1UL << 1)
+
+#define CKR_OK				     (0UL)
+#define CKR_CANCEL			     (1UL)
+#define CKR_HOST_MEMORY			     (2UL)
+#define CKR_SLOT_ID_INVALID		     (3UL)
+#define CKR_GENERAL_ERROR		     (5UL)
+#define CKR_FUNCTION_FAILED		     (6UL)
+#define CKR_ARGUMENTS_BAD		     (7UL)
+#define CKR_NO_EVENT			     (8UL)
+#define CKR_NEED_TO_CREATE_THREADS	     (9UL)
+#define CKR_CANT_LOCK			     (0xaUL)
+#define CKR_ATTRIBUTE_READ_ONLY		     (0x10UL)
+#define CKR_ATTRIBUTE_SENSITIVE		     (0x11UL)
+#define CKR_ATTRIBUTE_TYPE_INVALID	     (0x12UL)
+#define CKR_ATTRIBUTE_VALUE_INVALID	     (0x13UL)
+#define CKR_ACTION_PROHIBITED		     (0x1BUL)
+#define CKR_DATA_INVALID		     (0x20UL)
+#define CKR_DATA_LEN_RANGE		     (0x21UL)
+#define CKR_DEVICE_ERROR		     (0x30UL)
+#define CKR_DEVICE_MEMORY		     (0x31UL)
+#define CKR_DEVICE_REMOVED		     (0x32UL)
+#define CKR_ENCRYPTED_DATA_INVALID	     (0x40UL)
+#define CKR_ENCRYPTED_DATA_LEN_RANGE	     (0x41UL)
+#define CKR_FUNCTION_CANCELED		     (0x50UL)
+#define CKR_FUNCTION_NOT_PARALLEL	     (0x51UL)
+#define CKR_FUNCTION_NOT_SUPPORTED	     (0x54UL)
+#define CKR_KEY_HANDLE_INVALID		     (0x60UL)
+#define CKR_KEY_SIZE_RANGE		     (0x62UL)
+#define CKR_KEY_TYPE_INCONSISTENT	     (0x63UL)
+#define CKR_KEY_NOT_NEEDED		     (0x64UL)
+#define CKR_KEY_CHANGED			     (0x65UL)
+#define CKR_KEY_NEEDED			     (0x66UL)
+#define CKR_KEY_INDIGESTIBLE		     (0x67UL)
+#define CKR_KEY_FUNCTION_NOT_PERMITTED	     (0x68UL)
+#define CKR_KEY_NOT_WRAPPABLE		     (0x69UL)
+#define CKR_KEY_UNEXTRACTABLE		     (0x6aUL)
+#define CKR_MECHANISM_INVALID		     (0x70UL)
+#define CKR_MECHANISM_PARAM_INVALID	     (0x71UL)
+#define CKR_OBJECT_HANDLE_INVALID	     (0x82UL)
+#define CKR_OPERATION_ACTIVE		     (0x90UL)
+#define CKR_OPERATION_NOT_INITIALIZED	     (0x91UL)
+#define CKR_PIN_INCORRECT		     (0xa0UL)
+#define CKR_PIN_INVALID			     (0xa1UL)
+#define CKR_PIN_LEN_RANGE		     (0xa2UL)
+#define CKR_PIN_EXPIRED			     (0xa3UL)
+#define CKR_PIN_LOCKED			     (0xa4UL)
+#define CKR_SESSION_CLOSED		     (0xb0UL)
+#define CKR_SESSION_COUNT		     (0xb1UL)
+#define CKR_SESSION_HANDLE_INVALID	     (0xb3UL)
+#define CKR_SESSION_PARALLEL_NOT_SUPPORTED   (0xb4UL)
+#define CKR_SESSION_READ_ONLY		     (0xb5UL)
+#define CKR_SESSION_EXISTS		     (0xb6UL)
+#define CKR_SESSION_READ_ONLY_EXISTS	     (0xb7UL)
+#define CKR_SESSION_READ_WRITE_SO_EXISTS     (0xb8UL)
+#define CKR_SIGNATURE_INVALID		     (0xc0UL)
+#define CKR_SIGNATURE_LEN_RANGE		     (0xc1UL)
+#define CKR_TEMPLATE_INCOMPLETE		     (0xd0UL)
+#define CKR_TEMPLATE_INCONSISTENT	     (0xd1UL)
+#define CKR_TOKEN_NOT_PRESENT		     (0xe0UL)
+#define CKR_TOKEN_NOT_RECOGNIZED	     (0xe1UL)
+#define CKR_TOKEN_WRITE_PROTECTED	     (0xe2UL)
+#define CKR_UNWRAPPING_KEY_HANDLE_INVALID    (0xf0UL)
+#define CKR_UNWRAPPING_KEY_SIZE_RANGE	     (0xf1UL)
+#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT (0xf2UL)
+#define CKR_USER_ALREADY_LOGGED_IN	     (0x100UL)
+#define CKR_USER_NOT_LOGGED_IN		     (0x101UL)
+#define CKR_USER_PIN_NOT_INITIALIZED	     (0x102UL)
+#define CKR_USER_TYPE_INVALID		     (0x103UL)
+#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN   (0x104UL)
+#define CKR_USER_TOO_MANY_TYPES		     (0x105UL)
+#define CKR_WRAPPED_KEY_INVALID		     (0x110UL)
+#define CKR_WRAPPED_KEY_LEN_RANGE	     (0x112UL)
+#define CKR_WRAPPING_KEY_HANDLE_INVALID	     (0x113UL)
+#define CKR_WRAPPING_KEY_SIZE_RANGE	     (0x114UL)
+#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT   (0x115UL)
+#define CKR_RANDOM_SEED_NOT_SUPPORTED	     (0x120UL)
+#define CKR_RANDOM_NO_RNG		     (0x121UL)
+#define CKR_DOMAIN_PARAMS_INVALID	     (0x130UL)
+#define CKR_BUFFER_TOO_SMALL		     (0x150UL)
+#define CKR_SAVED_STATE_INVALID		     (0x160UL)
+#define CKR_INFORMATION_SENSITIVE	     (0x170UL)
+#define CKR_STATE_UNSAVEABLE		     (0x180UL)
+#define CKR_CRYPTOKI_NOT_INITIALIZED	     (0x190UL)
+#define CKR_CRYPTOKI_ALREADY_INITIALIZED     (0x191UL)
+#define CKR_MUTEX_BAD			     (0x1a0UL)
+#define CKR_MUTEX_NOT_LOCKED		     (0x1a1UL)
+#define CKR_NEW_PIN_MODE		     (0x1b0UL)
+#define CKR_NEXT_OTP			     (0x1b1UL)
+#define CKR_EXCEEDED_MAX_ITERATIONS	     (0x1c0UL)
+#define CKR_FIPS_SELF_TEST_FAILED	     (0x1c1UL)
+#define CKR_LIBRARY_LOAD_FAILED		     (0x1c2UL)
+#define CKR_PIN_TOO_WEAK		     (0x1c3UL)
+#define CKR_PUBLIC_KEY_INVALID		     (0x1c4UL)
+#define CKR_FUNCTION_REJECTED		     (0x200UL)
+#define CKR_VENDOR_DEFINED		     ((unsigned long)(1UL << 31))
+
+#define CKZ_DATA_SPECIFIED (0x01UL)
+
+/* Compatibility layer.  */
+
+#ifdef CRYPTOKI_COMPAT
+
+#undef CK_DEFINE_FUNCTION
+#define CK_DEFINE_FUNCTION(retval, name) retval CK_SPEC name
+
+/* For NULL.  */
+#include <stddef.h>
+
+typedef unsigned char	  CK_BYTE;
+typedef unsigned char	  CK_CHAR;
+typedef unsigned char	  CK_UTF8CHAR;
+typedef unsigned char	  CK_BBOOL;
+typedef unsigned long int CK_ULONG;
+typedef long int	  CK_LONG;
+typedef CK_BYTE		 *CK_BYTE_PTR;
+typedef CK_CHAR		 *CK_CHAR_PTR;
+typedef CK_UTF8CHAR	 *CK_UTF8CHAR_PTR;
+typedef CK_ULONG	 *CK_ULONG_PTR;
+typedef void		 *CK_VOID_PTR;
+typedef void		**CK_VOID_PTR_PTR;
+#define CK_FALSE 0
+#define CK_TRUE	 1
+#ifndef CK_DISABLE_TRUE_FALSE
+#ifndef FALSE
+#define FALSE 0
+#endif /* ifndef FALSE */
+#ifndef TRUE
+#define TRUE 1
+#endif /* ifndef TRUE */
+#endif /* ifndef CK_DISABLE_TRUE_FALSE */
+
+typedef struct ck_version  CK_VERSION;
+typedef struct ck_version *CK_VERSION_PTR;
+
+typedef struct ck_info	CK_INFO;
+typedef struct ck_info *CK_INFO_PTR;
+
+typedef ck_slot_id_t *CK_SLOT_ID_PTR;
+
+typedef struct ck_slot_info  CK_SLOT_INFO;
+typedef struct ck_slot_info *CK_SLOT_INFO_PTR;
+
+typedef struct ck_token_info  CK_TOKEN_INFO;
+typedef struct ck_token_info *CK_TOKEN_INFO_PTR;
+
+typedef ck_session_handle_t *CK_SESSION_HANDLE_PTR;
+
+typedef struct ck_session_info	CK_SESSION_INFO;
+typedef struct ck_session_info *CK_SESSION_INFO_PTR;
+
+typedef ck_object_handle_t *CK_OBJECT_HANDLE_PTR;
+
+typedef ck_object_class_t *CK_OBJECT_CLASS_PTR;
+
+typedef struct ck_attribute  CK_ATTRIBUTE;
+typedef struct ck_attribute *CK_ATTRIBUTE_PTR;
+
+typedef struct ck_date	CK_DATE;
+typedef struct ck_date *CK_DATE_PTR;
+
+typedef ck_mechanism_type_t *CK_MECHANISM_TYPE_PTR;
+
+typedef struct ck_mechanism  CK_MECHANISM;
+typedef struct ck_mechanism *CK_MECHANISM_PTR;
+
+typedef struct ck_mechanism_info  CK_MECHANISM_INFO;
+typedef struct ck_mechanism_info *CK_MECHANISM_INFO_PTR;
+
+typedef struct ck_otp_mechanism_info  CK_OTP_MECHANISM_INFO;
+typedef struct ck_otp_mechanism_info *CK_OTP_MECHANISM_INFO_PTR;
+
+typedef struct ck_function_list	  CK_FUNCTION_LIST;
+typedef struct ck_function_list	 *CK_FUNCTION_LIST_PTR;
+typedef struct ck_function_list **CK_FUNCTION_LIST_PTR_PTR;
+
+typedef struct ck_c_initialize_args  CK_C_INITIALIZE_ARGS;
+typedef struct ck_c_initialize_args *CK_C_INITIALIZE_ARGS_PTR;
+
+typedef struct ck_rsa_pkcs_pss_params  CK_RSA_PKCS_PSS_PARAMS;
+typedef struct ck_rsa_pkcs_pss_params *CK_RSA_PKCS_PSS_PARAMS_PTR;
+
+typedef struct ck_rsa_pkcs_oaep_params	CK_RSA_PKCS_OAEP_PARAMS;
+typedef struct ck_rsa_pkcs_oaep_params *CK_RSA_PKCS_OAEP_PARAMS_PTR;
+
+typedef struct ck_aes_ctr_params  CK_AES_CTR_PARAMS;
+typedef struct ck_aes_ctr_params *CK_AES_CTR_PARAMS_PTR;
+
+typedef struct ck_gcm_params  CK_GCM_PARAMS;
+typedef struct ck_gcm_params *CK_GCM_PARAMS_PTR;
+
+typedef struct ck_ecdh1_derive_params  CK_ECDH1_DERIVE_PARAMS;
+typedef struct ck_ecdh1_derive_params *CK_ECDH1_DERIVE_PARAMS_PTR;
+
+typedef struct ck_key_derivation_string_data  CK_KEY_DERIVATION_STRING_DATA;
+typedef struct ck_key_derivation_string_data *CK_KEY_DERIVATION_STRING_DATA_PTR;
+
+typedef struct ck_des_cbc_encrypt_data_params CK_DES_CBC_ENCRYPT_DATA_PARAMS;
+typedef struct ck_des_cbc_encrypt_data_params
+	*CK_DES_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+typedef struct ck_aes_cbc_encrypt_data_params CK_AES_CBC_ENCRYPT_DATA_PARAMS;
+typedef struct ck_aes_cbc_encrypt_data_params
+	*CK_AES_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+#ifndef NULL_PTR
+#define NULL_PTR NULL
+#endif /* ifndef NULL_PTR */
+
+/* Delete the helper macros defined at the top of the file.  */
+#undef ck_flags_t
+#undef ck_version
+
+#undef ck_info
+#undef cryptoki_version
+#undef manufacturer_id
+#undef library_description
+#undef library_version
+
+#undef ck_notification_t
+#undef ck_slot_id_t
+
+#undef ck_slot_info
+#undef slot_description
+#undef hardware_version
+#undef firmware_version
+
+#undef ck_token_info
+#undef serial_number
+#undef max_session_count
+#undef session_count
+#undef max_rw_session_count
+#undef rw_session_count
+#undef max_pin_len
+#undef min_pin_len
+#undef total_public_memory
+#undef free_public_memory
+#undef total_private_memory
+#undef free_private_memory
+#undef utc_time
+
+#undef ck_session_handle_t
+#undef ck_user_type_t
+#undef ck_state_t
+
+#undef ck_session_info
+#undef slot_id
+#undef device_error
+
+#undef ck_object_handle_t
+#undef ck_object_class_t
+#undef ck_hw_feature_type_t
+#undef ck_key_type_t
+#undef ck_certificate_type_t
+#undef ck_attribute_type_t
+
+#undef ck_attribute
+#undef value
+#undef value_len
+
+#undef params
+#undef count
+
+#undef ck_date
+
+#undef ck_mechanism_type_t
+
+#undef ck_mechanism
+#undef parameter
+#undef parameter_len
+
+#undef ck_mechanism_info
+
+#undef ck_param_type
+#undef ck_otp_param
+#undef ck_otp_params
+#undef ck_otp_signature_info
+
+#undef min_key_size
+#undef max_key_size
+
+#undef ck_rv_t
+#undef ck_notify_t
+
+#undef ck_function_list
+
+#undef ck_createmutex_t
+#undef ck_destroymutex_t
+#undef ck_lockmutex_t
+#undef ck_unlockmutex_t
+
+#undef ck_c_initialize_args
+#undef create_mutex
+#undef destroy_mutex
+#undef lock_mutex
+#undef unlock_mutex
+#undef reserved
+
+#endif /* CRYPTOKI_COMPAT */
+
+/* System dependencies.  */
+#if defined(_WIN32) || defined(CRYPTOKI_FORCE_WIN32)
+#pragma pack(pop, cryptoki)
+#endif /* if defined(_WIN32) || defined(CRYPTOKI_FORCE_WIN32) */
+
+#if defined(__cplusplus)
+}
+#endif /* if defined(__cplusplus) */
+
+#endif /* PKCS11_H */
diff --git a/lib/isc/iterated_hash.c b/lib/isc/iterated_hash.c
new file mode 100644
index 0000000..1f95353
--- /dev/null
+++ b/lib/isc/iterated_hash.c
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stdio.h>
+
+#include <openssl/opensslv.h>
+#include <openssl/sha.h>
+
+#include <isc/iterated_hash.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+
+int
+isc_iterated_hash(unsigned char *out, const unsigned int hashalg,
+		  const int iterations, const unsigned char *salt,
+		  const int saltlength, const unsigned char *in,
+		  const int inlength) {
+	REQUIRE(out != NULL);
+
+	int n = 0;
+	size_t len;
+	const unsigned char *buf;
+	SHA_CTX ctx;
+
+	if (hashalg != 1) {
+		return (0);
+	}
+
+	buf = in;
+	len = inlength;
+
+	do {
+		if (SHA1_Init(&ctx) != 1) {
+			return (0);
+		}
+
+		if (SHA1_Update(&ctx, buf, len) != 1) {
+			return (0);
+		}
+
+		if (SHA1_Update(&ctx, salt, saltlength) != 1) {
+			return (0);
+		}
+
+		if (SHA1_Final(out, &ctx) != 1) {
+			return (0);
+		}
+
+		buf = out;
+		len = SHA_DIGEST_LENGTH;
+	} while (n++ < iterations);
+
+	return (SHA_DIGEST_LENGTH);
+}
diff --git a/lib/isc/lex.c b/lib/isc/lex.c
new file mode 100644
index 0000000..5878d53
--- /dev/null
+++ b/lib/isc/lex.c
@@ -0,0 +1,1133 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <ctype.h>
+#include <errno.h>
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/file.h>
+#include <isc/lex.h>
+#include <isc/mem.h>
+#include <isc/parseint.h>
+#include <isc/print.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+typedef struct inputsource {
+	isc_result_t result;
+	bool is_file;
+	bool need_close;
+	bool at_eof;
+	bool last_was_eol;
+	isc_buffer_t *pushback;
+	unsigned int ignored;
+	void *input;
+	char *name;
+	unsigned long line;
+	unsigned long saved_line;
+	ISC_LINK(struct inputsource) link;
+} inputsource;
+
+#define LEX_MAGIC    ISC_MAGIC('L', 'e', 'x', '!')
+#define VALID_LEX(l) ISC_MAGIC_VALID(l, LEX_MAGIC)
+
+struct isc_lex {
+	/* Unlocked. */
+	unsigned int magic;
+	isc_mem_t *mctx;
+	size_t max_token;
+	char *data;
+	unsigned int comments;
+	bool comment_ok;
+	bool last_was_eol;
+	unsigned int brace_count;
+	unsigned int paren_count;
+	unsigned int saved_paren_count;
+	isc_lexspecials_t specials;
+	LIST(struct inputsource) sources;
+};
+
+static isc_result_t
+grow_data(isc_lex_t *lex, size_t *remainingp, char **currp, char **prevp) {
+	char *tmp;
+
+	tmp = isc_mem_get(lex->mctx, lex->max_token * 2 + 1);
+	memmove(tmp, lex->data, lex->max_token + 1);
+	*currp = tmp + (*currp - lex->data);
+	if (*prevp != NULL) {
+		*prevp = tmp + (*prevp - lex->data);
+	}
+	isc_mem_put(lex->mctx, lex->data, lex->max_token + 1);
+	lex->data = tmp;
+	*remainingp += lex->max_token;
+	lex->max_token *= 2;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_lex_create(isc_mem_t *mctx, size_t max_token, isc_lex_t **lexp) {
+	isc_lex_t *lex;
+
+	/*
+	 * Create a lexer.
+	 */
+	REQUIRE(lexp != NULL && *lexp == NULL);
+
+	if (max_token == 0U) {
+		max_token = 1;
+	}
+
+	lex = isc_mem_get(mctx, sizeof(*lex));
+	lex->data = isc_mem_get(mctx, max_token + 1);
+	lex->mctx = mctx;
+	lex->max_token = max_token;
+	lex->comments = 0;
+	lex->comment_ok = true;
+	lex->last_was_eol = true;
+	lex->brace_count = 0;
+	lex->paren_count = 0;
+	lex->saved_paren_count = 0;
+	memset(lex->specials, 0, 256);
+	INIT_LIST(lex->sources);
+	lex->magic = LEX_MAGIC;
+
+	*lexp = lex;
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_lex_destroy(isc_lex_t **lexp) {
+	isc_lex_t *lex;
+
+	/*
+	 * Destroy the lexer.
+	 */
+
+	REQUIRE(lexp != NULL);
+	lex = *lexp;
+	*lexp = NULL;
+	REQUIRE(VALID_LEX(lex));
+
+	while (!EMPTY(lex->sources)) {
+		RUNTIME_CHECK(isc_lex_close(lex) == ISC_R_SUCCESS);
+	}
+	if (lex->data != NULL) {
+		isc_mem_put(lex->mctx, lex->data, lex->max_token + 1);
+	}
+	lex->magic = 0;
+	isc_mem_put(lex->mctx, lex, sizeof(*lex));
+}
+
+unsigned int
+isc_lex_getcomments(isc_lex_t *lex) {
+	/*
+	 * Return the current lexer commenting styles.
+	 */
+
+	REQUIRE(VALID_LEX(lex));
+
+	return (lex->comments);
+}
+
+void
+isc_lex_setcomments(isc_lex_t *lex, unsigned int comments) {
+	/*
+	 * Set allowed lexer commenting styles.
+	 */
+
+	REQUIRE(VALID_LEX(lex));
+
+	lex->comments = comments;
+}
+
+void
+isc_lex_getspecials(isc_lex_t *lex, isc_lexspecials_t specials) {
+	/*
+	 * Put the current list of specials into 'specials'.
+	 */
+
+	REQUIRE(VALID_LEX(lex));
+
+	memmove(specials, lex->specials, 256);
+}
+
+void
+isc_lex_setspecials(isc_lex_t *lex, isc_lexspecials_t specials) {
+	/*
+	 * The characters in 'specials' are returned as tokens.  Along with
+	 * whitespace, they delimit strings and numbers.
+	 */
+
+	REQUIRE(VALID_LEX(lex));
+
+	memmove(lex->specials, specials, 256);
+}
+
+static isc_result_t
+new_source(isc_lex_t *lex, bool is_file, bool need_close, void *input,
+	   const char *name) {
+	inputsource *source;
+
+	source = isc_mem_get(lex->mctx, sizeof(*source));
+	source->result = ISC_R_SUCCESS;
+	source->is_file = is_file;
+	source->need_close = need_close;
+	source->at_eof = false;
+	source->last_was_eol = lex->last_was_eol;
+	source->input = input;
+	source->name = isc_mem_strdup(lex->mctx, name);
+	source->pushback = NULL;
+	isc_buffer_allocate(lex->mctx, &source->pushback,
+			    (unsigned int)lex->max_token);
+	source->ignored = 0;
+	source->line = 1;
+	ISC_LIST_INITANDPREPEND(lex->sources, source, link);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_lex_openfile(isc_lex_t *lex, const char *filename) {
+	isc_result_t result;
+	FILE *stream = NULL;
+
+	/*
+	 * Open 'filename' and make it the current input source for 'lex'.
+	 */
+
+	REQUIRE(VALID_LEX(lex));
+
+	result = isc_stdio_open(filename, "r", &stream);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = new_source(lex, true, true, stream, filename);
+	if (result != ISC_R_SUCCESS) {
+		(void)fclose(stream);
+	}
+	return (result);
+}
+
+isc_result_t
+isc_lex_openstream(isc_lex_t *lex, FILE *stream) {
+	char name[128];
+
+	/*
+	 * Make 'stream' the current input source for 'lex'.
+	 */
+
+	REQUIRE(VALID_LEX(lex));
+
+	snprintf(name, sizeof(name), "stream-%p", stream);
+
+	return (new_source(lex, true, false, stream, name));
+}
+
+isc_result_t
+isc_lex_openbuffer(isc_lex_t *lex, isc_buffer_t *buffer) {
+	char name[128];
+
+	/*
+	 * Make 'buffer' the current input source for 'lex'.
+	 */
+
+	REQUIRE(VALID_LEX(lex));
+
+	snprintf(name, sizeof(name), "buffer-%p", buffer);
+
+	return (new_source(lex, false, false, buffer, name));
+}
+
+isc_result_t
+isc_lex_close(isc_lex_t *lex) {
+	inputsource *source;
+
+	/*
+	 * Close the most recently opened object (i.e. file or buffer).
+	 */
+
+	REQUIRE(VALID_LEX(lex));
+
+	source = HEAD(lex->sources);
+	if (source == NULL) {
+		return (ISC_R_NOMORE);
+	}
+
+	ISC_LIST_UNLINK(lex->sources, source, link);
+	lex->last_was_eol = source->last_was_eol;
+	if (source->is_file) {
+		if (source->need_close) {
+			(void)fclose((FILE *)(source->input));
+		}
+	}
+	isc_mem_free(lex->mctx, source->name);
+	isc_buffer_free(&source->pushback);
+	isc_mem_put(lex->mctx, source, sizeof(*source));
+
+	return (ISC_R_SUCCESS);
+}
+
+typedef enum {
+	lexstate_start,
+	lexstate_crlf,
+	lexstate_string,
+	lexstate_number,
+	lexstate_maybecomment,
+	lexstate_ccomment,
+	lexstate_ccommentend,
+	lexstate_eatline,
+	lexstate_qstring,
+	lexstate_btext,
+	lexstate_vpair,
+	lexstate_vpairstart,
+	lexstate_qvpair,
+} lexstate;
+
+#define IWSEOL (ISC_LEXOPT_INITIALWS | ISC_LEXOPT_EOL)
+
+static void
+pushback(inputsource *source, int c) {
+	REQUIRE(source->pushback->current > 0);
+	if (c == EOF) {
+		source->at_eof = false;
+		return;
+	}
+	source->pushback->current--;
+	if (c == '\n') {
+		source->line--;
+	}
+}
+
+static isc_result_t
+pushandgrow(isc_lex_t *lex, inputsource *source, int c) {
+	if (isc_buffer_availablelength(source->pushback) == 0) {
+		isc_buffer_t *tbuf = NULL;
+		unsigned int oldlen;
+		isc_region_t used;
+		isc_result_t result;
+
+		oldlen = isc_buffer_length(source->pushback);
+		isc_buffer_allocate(lex->mctx, &tbuf, oldlen * 2);
+		isc_buffer_usedregion(source->pushback, &used);
+		result = isc_buffer_copyregion(tbuf, &used);
+		INSIST(result == ISC_R_SUCCESS);
+		tbuf->current = source->pushback->current;
+		isc_buffer_free(&source->pushback);
+		source->pushback = tbuf;
+	}
+	isc_buffer_putuint8(source->pushback, (uint8_t)c);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) {
+	inputsource *source;
+	int c;
+	bool done = false;
+	bool no_comments = false;
+	bool escaped = false;
+	lexstate state = lexstate_start;
+	lexstate saved_state = lexstate_start;
+	isc_buffer_t *buffer;
+	FILE *stream;
+	char *curr, *prev;
+	size_t remaining;
+	uint32_t as_ulong;
+	unsigned int saved_options;
+	isc_result_t result;
+
+	/*
+	 * Get the next token.
+	 */
+
+	REQUIRE(VALID_LEX(lex));
+	source = HEAD(lex->sources);
+	REQUIRE(tokenp != NULL);
+
+	if (source == NULL) {
+		if ((options & ISC_LEXOPT_NOMORE) != 0) {
+			tokenp->type = isc_tokentype_nomore;
+			return (ISC_R_SUCCESS);
+		}
+		return (ISC_R_NOMORE);
+	}
+
+	if (source->result != ISC_R_SUCCESS) {
+		return (source->result);
+	}
+
+	lex->saved_paren_count = lex->paren_count;
+	source->saved_line = source->line;
+
+	if (isc_buffer_remaininglength(source->pushback) == 0 && source->at_eof)
+	{
+		if ((options & ISC_LEXOPT_DNSMULTILINE) != 0 &&
+		    lex->paren_count != 0)
+		{
+			lex->paren_count = 0;
+			return (ISC_R_UNBALANCED);
+		}
+		if ((options & ISC_LEXOPT_BTEXT) != 0 && lex->brace_count != 0)
+		{
+			lex->brace_count = 0;
+			return (ISC_R_UNBALANCED);
+		}
+		if ((options & ISC_LEXOPT_EOF) != 0) {
+			tokenp->type = isc_tokentype_eof;
+			return (ISC_R_SUCCESS);
+		}
+		return (ISC_R_EOF);
+	}
+
+	isc_buffer_compact(source->pushback);
+
+	saved_options = options;
+	if ((options & ISC_LEXOPT_DNSMULTILINE) != 0 && lex->paren_count > 0) {
+		options &= ~IWSEOL;
+	}
+
+	curr = lex->data;
+	*curr = '\0';
+
+	prev = NULL;
+	remaining = lex->max_token;
+
+#ifdef HAVE_FLOCKFILE
+	if (source->is_file) {
+		flockfile(source->input);
+	}
+#endif /* ifdef HAVE_FLOCKFILE */
+
+	do {
+		if (isc_buffer_remaininglength(source->pushback) == 0) {
+			if (source->is_file) {
+				stream = source->input;
+
+#if defined(HAVE_FLOCKFILE) && defined(HAVE_GETC_UNLOCKED)
+				c = getc_unlocked(stream);
+#else  /* if defined(HAVE_FLOCKFILE) && defined(HAVE_GETC_UNLOCKED) */
+				c = getc(stream);
+#endif /* if defined(HAVE_FLOCKFILE) && defined(HAVE_GETC_UNLOCKED) */
+				if (c == EOF) {
+					if (ferror(stream)) {
+						source->result = ISC_R_IOERROR;
+						result = source->result;
+						goto done;
+					}
+					source->at_eof = true;
+				}
+			} else {
+				buffer = source->input;
+
+				if (buffer->current == buffer->used) {
+					c = EOF;
+					source->at_eof = true;
+				} else {
+					c = *((unsigned char *)buffer->base +
+					      buffer->current);
+					buffer->current++;
+				}
+			}
+			if (c != EOF) {
+				source->result = pushandgrow(lex, source, c);
+				if (source->result != ISC_R_SUCCESS) {
+					result = source->result;
+					goto done;
+				}
+			}
+		}
+
+		if (!source->at_eof) {
+			if (state == lexstate_start) {
+				/* Token has not started yet. */
+				source->ignored = isc_buffer_consumedlength(
+					source->pushback);
+			}
+			c = isc_buffer_getuint8(source->pushback);
+		} else {
+			c = EOF;
+		}
+
+		if (c == '\n') {
+			source->line++;
+		}
+
+		if (lex->comment_ok && !no_comments) {
+			if (!escaped && c == ';' &&
+			    ((lex->comments & ISC_LEXCOMMENT_DNSMASTERFILE) !=
+			     0))
+			{
+				saved_state = state;
+				state = lexstate_eatline;
+				no_comments = true;
+				continue;
+			} else if (c == '/' &&
+				   (lex->comments &
+				    (ISC_LEXCOMMENT_C |
+				     ISC_LEXCOMMENT_CPLUSPLUS)) != 0)
+			{
+				saved_state = state;
+				state = lexstate_maybecomment;
+				no_comments = true;
+				continue;
+			} else if (c == '#' && ((lex->comments &
+						 ISC_LEXCOMMENT_SHELL) != 0))
+			{
+				saved_state = state;
+				state = lexstate_eatline;
+				no_comments = true;
+				continue;
+			}
+		}
+
+	no_read:
+		/* INSIST(c == EOF || (c >= 0 && c <= 255)); */
+		switch (state) {
+		case lexstate_start:
+			if (c == EOF) {
+				lex->last_was_eol = false;
+				if ((options & ISC_LEXOPT_DNSMULTILINE) != 0 &&
+				    lex->paren_count != 0)
+				{
+					lex->paren_count = 0;
+					result = ISC_R_UNBALANCED;
+					goto done;
+				}
+				if ((options & ISC_LEXOPT_BTEXT) != 0 &&
+				    lex->brace_count != 0)
+				{
+					lex->brace_count = 0;
+					result = ISC_R_UNBALANCED;
+					goto done;
+				}
+				if ((options & ISC_LEXOPT_EOF) == 0) {
+					result = ISC_R_EOF;
+					goto done;
+				}
+				tokenp->type = isc_tokentype_eof;
+				done = true;
+			} else if (c == ' ' || c == '\t') {
+				if (lex->last_was_eol &&
+				    (options & ISC_LEXOPT_INITIALWS) != 0)
+				{
+					lex->last_was_eol = false;
+					tokenp->type = isc_tokentype_initialws;
+					tokenp->value.as_char = c;
+					done = true;
+				}
+			} else if (c == '\n') {
+				if ((options & ISC_LEXOPT_EOL) != 0) {
+					tokenp->type = isc_tokentype_eol;
+					done = true;
+				}
+				lex->last_was_eol = true;
+			} else if (c == '\r') {
+				if ((options & ISC_LEXOPT_EOL) != 0) {
+					state = lexstate_crlf;
+				}
+			} else if (c == '"' &&
+				   (options & ISC_LEXOPT_QSTRING) != 0)
+			{
+				lex->last_was_eol = false;
+				no_comments = true;
+				state = lexstate_qstring;
+			} else if (lex->specials[c]) {
+				lex->last_was_eol = false;
+				if ((c == '(' || c == ')') &&
+				    (options & ISC_LEXOPT_DNSMULTILINE) != 0)
+				{
+					if (c == '(') {
+						if (lex->paren_count == 0) {
+							options &= ~IWSEOL;
+						}
+						lex->paren_count++;
+					} else {
+						if (lex->paren_count == 0) {
+							result =
+								ISC_R_UNBALANCED;
+							goto done;
+						}
+						lex->paren_count--;
+						if (lex->paren_count == 0) {
+							options = saved_options;
+						}
+					}
+					continue;
+				} else if (c == '{' &&
+					   (options & ISC_LEXOPT_BTEXT) != 0)
+				{
+					if (lex->brace_count != 0) {
+						result = ISC_R_UNBALANCED;
+						goto done;
+					}
+					lex->brace_count++;
+					options &= ~IWSEOL;
+					state = lexstate_btext;
+					no_comments = true;
+					continue;
+				}
+				tokenp->type = isc_tokentype_special;
+				tokenp->value.as_char = c;
+				done = true;
+			} else if (isdigit((unsigned char)c) &&
+				   (options & ISC_LEXOPT_NUMBER) != 0)
+			{
+				lex->last_was_eol = false;
+				if ((options & ISC_LEXOPT_OCTAL) != 0 &&
+				    (c == '8' || c == '9'))
+				{
+					state = lexstate_string;
+				} else {
+					state = lexstate_number;
+				}
+				goto no_read;
+			} else {
+				lex->last_was_eol = false;
+				state = lexstate_string;
+				goto no_read;
+			}
+			break;
+		case lexstate_crlf:
+			if (c != '\n') {
+				pushback(source, c);
+			}
+			tokenp->type = isc_tokentype_eol;
+			done = true;
+			lex->last_was_eol = true;
+			break;
+		case lexstate_number:
+			if (c == EOF || !isdigit((unsigned char)c)) {
+				if (c == ' ' || c == '\t' || c == '\r' ||
+				    c == '\n' || c == EOF || lex->specials[c])
+				{
+					int base;
+					if ((options & ISC_LEXOPT_OCTAL) != 0) {
+						base = 8;
+					} else if ((options &
+						    ISC_LEXOPT_CNUMBER) != 0)
+					{
+						base = 0;
+					} else {
+						base = 10;
+					}
+					pushback(source, c);
+
+					result = isc_parse_uint32(
+						&as_ulong, lex->data, base);
+					if (result == ISC_R_SUCCESS) {
+						tokenp->type =
+							isc_tokentype_number;
+						tokenp->value.as_ulong =
+							as_ulong;
+					} else if (result == ISC_R_BADNUMBER) {
+						isc_tokenvalue_t *v;
+
+						tokenp->type =
+							isc_tokentype_string;
+						v = &(tokenp->value);
+						v->as_textregion.base =
+							lex->data;
+						v->as_textregion.length =
+							(unsigned int)(lex->max_token -
+								       remaining);
+					} else {
+						goto done;
+					}
+					done = true;
+					continue;
+				} else if ((options & ISC_LEXOPT_CNUMBER) ==
+						   0 ||
+					   ((c != 'x' && c != 'X') ||
+					    (curr != &lex->data[1]) ||
+					    (lex->data[0] != '0')))
+				{
+					/* Above test supports hex numbers */
+					state = lexstate_string;
+				}
+			} else if ((options & ISC_LEXOPT_OCTAL) != 0 &&
+				   (c == '8' || c == '9'))
+			{
+				state = lexstate_string;
+			}
+			if (remaining == 0U) {
+				result = grow_data(lex, &remaining, &curr,
+						   &prev);
+				if (result != ISC_R_SUCCESS) {
+					goto done;
+				}
+			}
+			INSIST(remaining > 0U);
+			*curr++ = c;
+			*curr = '\0';
+			remaining--;
+			break;
+		case lexstate_string:
+			if (!escaped && c == '=' &&
+			    (options & ISC_LEXOPT_VPAIR) != 0)
+			{
+				if (remaining == 0U) {
+					result = grow_data(lex, &remaining,
+							   &curr, &prev);
+					if (result != ISC_R_SUCCESS) {
+						goto done;
+					}
+				}
+				INSIST(remaining > 0U);
+				*curr++ = c;
+				*curr = '\0';
+				remaining--;
+				state = lexstate_vpairstart;
+				break;
+			}
+			FALLTHROUGH;
+		case lexstate_vpairstart:
+			if (state == lexstate_vpairstart) {
+				if (c == '"' &&
+				    (options & ISC_LEXOPT_QVPAIR) != 0)
+				{
+					no_comments = true;
+					state = lexstate_qvpair;
+					break;
+				}
+				state = lexstate_vpair;
+			}
+			FALLTHROUGH;
+		case lexstate_vpair:
+			/*
+			 * EOF needs to be checked before lex->specials[c]
+			 * as lex->specials[EOF] is not a good idea.
+			 */
+			if (c == '\r' || c == '\n' || c == EOF ||
+			    (!escaped &&
+			     (c == ' ' || c == '\t' || lex->specials[c])))
+			{
+				pushback(source, c);
+				if (source->result != ISC_R_SUCCESS) {
+					result = source->result;
+					goto done;
+				}
+				if (escaped && c == EOF) {
+					result = ISC_R_UNEXPECTEDEND;
+					goto done;
+				}
+				tokenp->type = (state == lexstate_string)
+						       ? isc_tokentype_string
+						       : isc_tokentype_vpair;
+				tokenp->value.as_textregion.base = lex->data;
+				tokenp->value.as_textregion.length =
+					(unsigned int)(lex->max_token -
+						       remaining);
+				done = true;
+				continue;
+			}
+			if ((options & ISC_LEXOPT_ESCAPE) != 0) {
+				escaped = (!escaped && c == '\\') ? true
+								  : false;
+			}
+			if (remaining == 0U) {
+				result = grow_data(lex, &remaining, &curr,
+						   &prev);
+				if (result != ISC_R_SUCCESS) {
+					goto done;
+				}
+			}
+			INSIST(remaining > 0U);
+			*curr++ = c;
+			*curr = '\0';
+			remaining--;
+			break;
+		case lexstate_maybecomment:
+			if (c == '*' && (lex->comments & ISC_LEXCOMMENT_C) != 0)
+			{
+				state = lexstate_ccomment;
+				continue;
+			} else if (c == '/' && (lex->comments &
+						ISC_LEXCOMMENT_CPLUSPLUS) != 0)
+			{
+				state = lexstate_eatline;
+				continue;
+			}
+			pushback(source, c);
+			c = '/';
+			no_comments = false;
+			state = saved_state;
+			goto no_read;
+		case lexstate_ccomment:
+			if (c == EOF) {
+				result = ISC_R_UNEXPECTEDEND;
+				goto done;
+			}
+			if (c == '*') {
+				state = lexstate_ccommentend;
+			}
+			break;
+		case lexstate_ccommentend:
+			if (c == EOF) {
+				result = ISC_R_UNEXPECTEDEND;
+				goto done;
+			}
+			if (c == '/') {
+				/*
+				 * C-style comments become a single space.
+				 * We do this to ensure that a comment will
+				 * act as a delimiter for strings and
+				 * numbers.
+				 */
+				c = ' ';
+				no_comments = false;
+				state = saved_state;
+				goto no_read;
+			} else if (c != '*') {
+				state = lexstate_ccomment;
+			}
+			break;
+		case lexstate_eatline:
+			if ((c == '\n') || (c == EOF)) {
+				no_comments = false;
+				state = saved_state;
+				goto no_read;
+			}
+			break;
+		case lexstate_qstring:
+		case lexstate_qvpair:
+			if (c == EOF) {
+				result = ISC_R_UNEXPECTEDEND;
+				goto done;
+			}
+			if (c == '"') {
+				if (escaped) {
+					escaped = false;
+					/*
+					 * Overwrite the preceding backslash.
+					 */
+					INSIST(prev != NULL);
+					*prev = '"';
+				} else {
+					tokenp->type =
+						(state == lexstate_qstring)
+							? isc_tokentype_qstring
+							: isc_tokentype_qvpair;
+					tokenp->value.as_textregion.base =
+						lex->data;
+					tokenp->value.as_textregion.length =
+						(unsigned int)(lex->max_token -
+							       remaining);
+					no_comments = false;
+					done = true;
+				}
+			} else {
+				if (c == '\n' && !escaped &&
+				    (options & ISC_LEXOPT_QSTRINGMULTILINE) ==
+					    0)
+				{
+					pushback(source, c);
+					result = ISC_R_UNBALANCEDQUOTES;
+					goto done;
+				}
+				if (c == '\\' && !escaped) {
+					escaped = true;
+				} else {
+					escaped = false;
+				}
+				if (remaining == 0U) {
+					result = grow_data(lex, &remaining,
+							   &curr, &prev);
+					if (result != ISC_R_SUCCESS) {
+						goto done;
+					}
+				}
+				INSIST(remaining > 0U);
+				prev = curr;
+				*curr++ = c;
+				*curr = '\0';
+				remaining--;
+			}
+			break;
+		case lexstate_btext:
+			if (c == EOF) {
+				result = ISC_R_UNEXPECTEDEND;
+				goto done;
+			}
+			if (c == '{') {
+				if (escaped) {
+					escaped = false;
+				} else {
+					lex->brace_count++;
+				}
+			} else if (c == '}') {
+				if (escaped) {
+					escaped = false;
+				} else {
+					INSIST(lex->brace_count > 0);
+					lex->brace_count--;
+				}
+
+				if (lex->brace_count == 0) {
+					tokenp->type = isc_tokentype_btext;
+					tokenp->value.as_textregion.base =
+						lex->data;
+					tokenp->value.as_textregion.length =
+						(unsigned int)(lex->max_token -
+							       remaining);
+					no_comments = false;
+					done = true;
+					break;
+				}
+			}
+
+			if (c == '\\' && !escaped) {
+				escaped = true;
+			} else {
+				escaped = false;
+			}
+
+			if (remaining == 0U) {
+				result = grow_data(lex, &remaining, &curr,
+						   &prev);
+				if (result != ISC_R_SUCCESS) {
+					goto done;
+				}
+			}
+			INSIST(remaining > 0U);
+			prev = curr;
+			*curr++ = c;
+			*curr = '\0';
+			remaining--;
+			break;
+		default:
+			FATAL_ERROR(__FILE__, __LINE__, "Unexpected state %d",
+				    state);
+		}
+	} while (!done);
+
+	result = ISC_R_SUCCESS;
+done:
+#ifdef HAVE_FLOCKFILE
+	if (source->is_file) {
+		funlockfile(source->input);
+	}
+#endif /* ifdef HAVE_FLOCKFILE */
+	return (result);
+}
+
+isc_result_t
+isc_lex_getmastertoken(isc_lex_t *lex, isc_token_t *token,
+		       isc_tokentype_t expect, bool eol) {
+	unsigned int options = ISC_LEXOPT_EOL | ISC_LEXOPT_EOF |
+			       ISC_LEXOPT_DNSMULTILINE | ISC_LEXOPT_ESCAPE;
+	isc_result_t result;
+
+	if (expect == isc_tokentype_vpair) {
+		options |= ISC_LEXOPT_VPAIR;
+	} else if (expect == isc_tokentype_qvpair) {
+		options |= ISC_LEXOPT_VPAIR;
+		options |= ISC_LEXOPT_QVPAIR;
+	} else if (expect == isc_tokentype_qstring) {
+		options |= ISC_LEXOPT_QSTRING;
+	} else if (expect == isc_tokentype_number) {
+		options |= ISC_LEXOPT_NUMBER;
+	}
+	result = isc_lex_gettoken(lex, options, token);
+	if (result == ISC_R_RANGE) {
+		isc_lex_ungettoken(lex, token);
+	}
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	if (eol && ((token->type == isc_tokentype_eol) ||
+		    (token->type == isc_tokentype_eof)))
+	{
+		return (ISC_R_SUCCESS);
+	}
+	if (token->type == isc_tokentype_string &&
+	    (expect == isc_tokentype_qstring || expect == isc_tokentype_qvpair))
+	{
+		return (ISC_R_SUCCESS);
+	}
+	if (token->type == isc_tokentype_vpair &&
+	    expect == isc_tokentype_qvpair)
+	{
+		return (ISC_R_SUCCESS);
+	}
+	if (token->type != expect) {
+		isc_lex_ungettoken(lex, token);
+		if (token->type == isc_tokentype_eol ||
+		    token->type == isc_tokentype_eof)
+		{
+			return (ISC_R_UNEXPECTEDEND);
+		}
+		if (expect == isc_tokentype_number) {
+			return (ISC_R_BADNUMBER);
+		}
+		return (ISC_R_UNEXPECTEDTOKEN);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_lex_getoctaltoken(isc_lex_t *lex, isc_token_t *token, bool eol) {
+	unsigned int options = ISC_LEXOPT_EOL | ISC_LEXOPT_EOF |
+			       ISC_LEXOPT_DNSMULTILINE | ISC_LEXOPT_ESCAPE |
+			       ISC_LEXOPT_NUMBER | ISC_LEXOPT_OCTAL;
+	isc_result_t result;
+
+	result = isc_lex_gettoken(lex, options, token);
+	if (result == ISC_R_RANGE) {
+		isc_lex_ungettoken(lex, token);
+	}
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	if (eol && ((token->type == isc_tokentype_eol) ||
+		    (token->type == isc_tokentype_eof)))
+	{
+		return (ISC_R_SUCCESS);
+	}
+	if (token->type != isc_tokentype_number) {
+		isc_lex_ungettoken(lex, token);
+		if (token->type == isc_tokentype_eol ||
+		    token->type == isc_tokentype_eof)
+		{
+			return (ISC_R_UNEXPECTEDEND);
+		}
+		return (ISC_R_BADNUMBER);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_lex_ungettoken(isc_lex_t *lex, isc_token_t *tokenp) {
+	inputsource *source;
+	/*
+	 * Unget the current token.
+	 */
+
+	REQUIRE(VALID_LEX(lex));
+	source = HEAD(lex->sources);
+	REQUIRE(source != NULL);
+	REQUIRE(tokenp != NULL);
+	REQUIRE(isc_buffer_consumedlength(source->pushback) != 0 ||
+		tokenp->type == isc_tokentype_eof);
+
+	UNUSED(tokenp);
+
+	isc_buffer_first(source->pushback);
+	lex->paren_count = lex->saved_paren_count;
+	source->line = source->saved_line;
+	source->at_eof = false;
+}
+
+void
+isc_lex_getlasttokentext(isc_lex_t *lex, isc_token_t *tokenp, isc_region_t *r) {
+	inputsource *source;
+
+	REQUIRE(VALID_LEX(lex));
+	source = HEAD(lex->sources);
+	REQUIRE(source != NULL);
+	REQUIRE(tokenp != NULL);
+	REQUIRE(isc_buffer_consumedlength(source->pushback) != 0 ||
+		tokenp->type == isc_tokentype_eof);
+
+	UNUSED(tokenp);
+
+	INSIST(source->ignored <= isc_buffer_consumedlength(source->pushback));
+	r->base = (unsigned char *)isc_buffer_base(source->pushback) +
+		  source->ignored;
+	r->length = isc_buffer_consumedlength(source->pushback) -
+		    source->ignored;
+}
+
+char *
+isc_lex_getsourcename(isc_lex_t *lex) {
+	inputsource *source;
+
+	REQUIRE(VALID_LEX(lex));
+	source = HEAD(lex->sources);
+
+	if (source == NULL) {
+		return (NULL);
+	}
+
+	return (source->name);
+}
+
+unsigned long
+isc_lex_getsourceline(isc_lex_t *lex) {
+	inputsource *source;
+
+	REQUIRE(VALID_LEX(lex));
+	source = HEAD(lex->sources);
+
+	if (source == NULL) {
+		return (0);
+	}
+
+	return (source->line);
+}
+
+isc_result_t
+isc_lex_setsourcename(isc_lex_t *lex, const char *name) {
+	inputsource *source;
+	char *newname;
+
+	REQUIRE(VALID_LEX(lex));
+	source = HEAD(lex->sources);
+
+	if (source == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+	newname = isc_mem_strdup(lex->mctx, name);
+	isc_mem_free(lex->mctx, source->name);
+	source->name = newname;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_lex_setsourceline(isc_lex_t *lex, unsigned long line) {
+	inputsource *source;
+
+	REQUIRE(VALID_LEX(lex));
+	source = HEAD(lex->sources);
+
+	if (source == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	source->line = line;
+	return (ISC_R_SUCCESS);
+}
+
+bool
+isc_lex_isfile(isc_lex_t *lex) {
+	inputsource *source;
+
+	REQUIRE(VALID_LEX(lex));
+
+	source = HEAD(lex->sources);
+
+	if (source == NULL) {
+		return (false);
+	}
+
+	return (source->is_file);
+}
diff --git a/lib/isc/lfsr.c b/lib/isc/lfsr.c
new file mode 100644
index 0000000..633b4a9
--- /dev/null
+++ b/lib/isc/lfsr.c
@@ -0,0 +1,153 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stddef.h>
+#include <stdlib.h>
+
+#include <isc/assertions.h>
+#include <isc/lfsr.h>
+#include <isc/util.h>
+
+#define VALID_LFSR(x) (x != NULL)
+
+void
+isc_lfsr_init(isc_lfsr_t *lfsr, uint32_t state, unsigned int bits, uint32_t tap,
+	      unsigned int count, isc_lfsrreseed_t reseed, void *arg) {
+	REQUIRE(VALID_LFSR(lfsr));
+	REQUIRE(8 <= bits && bits <= 32);
+	REQUIRE(tap != 0);
+
+	lfsr->state = state;
+	lfsr->bits = bits;
+	lfsr->tap = tap;
+	lfsr->count = count;
+	lfsr->reseed = reseed;
+	lfsr->arg = arg;
+
+	if (count == 0 && reseed != NULL) {
+		reseed(lfsr, arg);
+	}
+	if (lfsr->state == 0) {
+		lfsr->state = 0xffffffffU >> (32 - lfsr->bits);
+	}
+}
+
+/*!
+ * Return the next state of the lfsr.
+ */
+static uint32_t
+lfsr_generate(isc_lfsr_t *lfsr) {
+	/*
+	 * If the previous state is zero, we must fill it with something
+	 * here, or we will begin to generate an extremely predictable output.
+	 *
+	 * First, give the reseed function a crack at it.  If the state is
+	 * still 0, set it to all ones.
+	 */
+	if (lfsr->state == 0) {
+		if (lfsr->reseed != NULL) {
+			lfsr->reseed(lfsr, lfsr->arg);
+		}
+		if (lfsr->state == 0) {
+			lfsr->state = 0xffffffffU >> (32 - lfsr->bits);
+		}
+	}
+
+	if (lfsr->state & 0x01) {
+		lfsr->state = (lfsr->state >> 1) ^ lfsr->tap;
+		return (1);
+	} else {
+		lfsr->state >>= 1;
+		return (0);
+	}
+}
+
+void
+isc_lfsr_generate(isc_lfsr_t *lfsr, void *data, unsigned int count) {
+	unsigned char *p;
+	unsigned int bit;
+	unsigned int byte;
+
+	REQUIRE(VALID_LFSR(lfsr));
+	REQUIRE(data != NULL);
+	REQUIRE(count > 0);
+
+	p = data;
+	byte = count;
+
+	while (byte--) {
+		*p = 0;
+		for (bit = 0; bit < 7; bit++) {
+			*p |= lfsr_generate(lfsr);
+			*p <<= 1;
+		}
+		*p |= lfsr_generate(lfsr);
+		p++;
+	}
+
+	if (lfsr->count != 0 && lfsr->reseed != NULL) {
+		if (lfsr->count <= count * 8) {
+			lfsr->reseed(lfsr, lfsr->arg);
+		} else {
+			lfsr->count -= (count * 8);
+		}
+	}
+}
+
+static uint32_t
+lfsr_skipgenerate(isc_lfsr_t *lfsr, unsigned int skip) {
+	while (skip--) {
+		(void)lfsr_generate(lfsr);
+	}
+
+	(void)lfsr_generate(lfsr);
+
+	return (lfsr->state);
+}
+
+/*
+ * Skip "skip" states in "lfsr".
+ */
+void
+isc_lfsr_skip(isc_lfsr_t *lfsr, unsigned int skip) {
+	REQUIRE(VALID_LFSR(lfsr));
+
+	while (skip--) {
+		(void)lfsr_generate(lfsr);
+	}
+}
+
+/*
+ * Skip states in lfsr1 and lfsr2 using the other's current state.
+ * Return the final state of lfsr1 ^ lfsr2.
+ */
+uint32_t
+isc_lfsr_generate32(isc_lfsr_t *lfsr1, isc_lfsr_t *lfsr2) {
+	uint32_t state1, state2;
+	uint32_t skip1, skip2;
+
+	REQUIRE(VALID_LFSR(lfsr1));
+	REQUIRE(VALID_LFSR(lfsr2));
+
+	skip1 = lfsr1->state & 0x01;
+	skip2 = lfsr2->state & 0x01;
+
+	/* cross-skip. */
+	state1 = lfsr_skipgenerate(lfsr1, skip2);
+	state2 = lfsr_skipgenerate(lfsr2, skip1);
+
+	return (state1 ^ state2);
+}
diff --git a/lib/isc/lib.c b/lib/isc/lib.c
new file mode 100644
index 0000000..848ed58
--- /dev/null
+++ b/lib/isc/lib.c
@@ -0,0 +1,85 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <isc/bind9.h>
+#include <isc/iterated_hash.h>
+#include <isc/lib.h>
+#include <isc/mem.h>
+#include <isc/util.h>
+
+#include "config.h"
+#include "mem_p.h"
+#include "tls_p.h"
+#include "trampoline_p.h"
+
+#ifndef ISC_CONSTRUCTOR
+#error Either __attribute__((constructor|destructor))__ or DllMain support needed to compile BIND 9.
+#endif
+
+/***
+ *** Functions
+ ***/
+
+void
+isc_lib_register(void) {
+	isc_bind9 = false;
+}
+
+#ifdef WIN32
+int
+isc_lib_ntservice(int(WINAPI *mainfunc)(int argc, char *argv[]), int argc,
+		  char *argv[]) {
+	isc__trampoline_t *trampoline = isc__trampoline_get(NULL, NULL);
+	int r;
+
+	isc__trampoline_attach(trampoline);
+
+	r = mainfunc(argc, argv);
+
+	isc__trampoline_detach(trampoline);
+
+	return (r);
+}
+#endif /* ifdef WIN32 */
+
+void
+isc__initialize(void) ISC_CONSTRUCTOR;
+void
+isc__shutdown(void) ISC_DESTRUCTOR;
+
+void
+isc__initialize(void) {
+	isc__mem_initialize();
+	isc__tls_initialize();
+	isc__trampoline_initialize();
+}
+
+void
+isc__shutdown(void) {
+	isc__trampoline_shutdown();
+	isc__tls_shutdown();
+	isc__mem_shutdown();
+}
+
+/*
+ * This is a workaround for situation when libisc is statically linked.  Under
+ * normal situation, the linker throws out all symbols from compilation unit
+ * when no symbols are used in the final binary.  This empty function must be
+ * called at least once from different compilation unit (mem.c in this case).
+ */
+void
+isc_enable_constructors() {
+	/* do nothing */
+}
diff --git a/lib/isc/lib_p.h b/lib/isc/lib_p.h
new file mode 100644
index 0000000..56bbbe3
--- /dev/null
+++ b/lib/isc/lib_p.h
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#pragma once
+
+void
+isc__initialize(void);
+
+void
+isc__shutdown(void);
diff --git a/lib/isc/log.c b/lib/isc/log.c
new file mode 100644
index 0000000..b15d66a
--- /dev/null
+++ b/lib/isc/log.c
@@ -0,0 +1,1896 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <errno.h>
+#include <inttypes.h>
+#include <limits.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <sys/types.h> /* dev_t FreeBSD 2.1 */
+#include <time.h>
+
+#include <isc/atomic.h>
+#include <isc/dir.h>
+#include <isc/file.h>
+#include <isc/log.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/rwlock.h>
+#include <isc/stat.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#define LCTX_MAGIC	    ISC_MAGIC('L', 'c', 't', 'x')
+#define VALID_CONTEXT(lctx) ISC_MAGIC_VALID(lctx, LCTX_MAGIC)
+
+#define LCFG_MAGIC	   ISC_MAGIC('L', 'c', 'f', 'g')
+#define VALID_CONFIG(lcfg) ISC_MAGIC_VALID(lcfg, LCFG_MAGIC)
+
+#define RDLOCK(lp)   RWLOCK(lp, isc_rwlocktype_read);
+#define WRLOCK(lp)   RWLOCK(lp, isc_rwlocktype_write);
+#define RDUNLOCK(lp) RWUNLOCK(lp, isc_rwlocktype_read);
+#define WRUNLOCK(lp) RWUNLOCK(lp, isc_rwlocktype_write);
+
+/*
+ * XXXDCL make dynamic?
+ */
+#define LOG_BUFFER_SIZE (8 * 1024)
+
+/*!
+ * This is the structure that holds each named channel.  A simple linked
+ * list chains all of the channels together, so an individual channel is
+ * found by doing strcmp()s with the names down the list.  Their should
+ * be no performance penalty from this as it is expected that the number
+ * of named channels will be no more than a dozen or so, and name lookups
+ * from the head of the list are only done when isc_log_usechannel() is
+ * called, which should also be very infrequent.
+ */
+typedef struct isc_logchannel isc_logchannel_t;
+
+struct isc_logchannel {
+	char *name;
+	unsigned int type;
+	int level;
+	unsigned int flags;
+	isc_logdestination_t destination;
+	ISC_LINK(isc_logchannel_t) link;
+};
+
+/*!
+ * The logchannellist structure associates categories and modules with
+ * channels.  First the appropriate channellist is found based on the
+ * category, and then each structure in the linked list is checked for
+ * a matching module.  It is expected that the number of channels
+ * associated with any given category will be very short, no more than
+ * three or four in the more unusual cases.
+ */
+typedef struct isc_logchannellist isc_logchannellist_t;
+
+struct isc_logchannellist {
+	const isc_logmodule_t *module;
+	isc_logchannel_t *channel;
+	ISC_LINK(isc_logchannellist_t) link;
+};
+
+/*!
+ * This structure is used to remember messages for pruning via
+ * isc_log_[v]write1().
+ */
+typedef struct isc_logmessage isc_logmessage_t;
+
+struct isc_logmessage {
+	char *text;
+	isc_time_t time;
+	ISC_LINK(isc_logmessage_t) link;
+};
+
+/*!
+ * The isc_logconfig structure is used to store the configurable information
+ * about where messages are actually supposed to be sent -- the information
+ * that could changed based on some configuration file, as opposed to the
+ * the category/module specification of isc_log_[v]write[1] that is compiled
+ * into a program, or the debug_level which is dynamic state information.
+ */
+struct isc_logconfig {
+	unsigned int magic;
+	isc_log_t *lctx;
+	ISC_LIST(isc_logchannel_t) channels;
+	ISC_LIST(isc_logchannellist_t) * channellists;
+	unsigned int channellist_count;
+	unsigned int duplicate_interval;
+	int_fast32_t highest_level;
+	char *tag;
+	bool dynamic;
+};
+
+/*!
+ * This isc_log structure provides the context for the isc_log functions.
+ * The log context locks itself in isc_log_doit, the internal backend to
+ * isc_log_write.  The locking is necessary both to provide exclusive access
+ * to the buffer into which the message is formatted and to guard against
+ * competing threads trying to write to the same syslog resource.  (On
+ * some systems, such as BSD/OS, stdio is thread safe but syslog is not.)
+ * Unfortunately, the lock cannot guard against a _different_ logging
+ * context in the same program competing for syslog's attention.  Thus
+ * There Can Be Only One, but this is not enforced.
+ * XXXDCL enforce it?
+ *
+ * Note that the category and module information is not locked.
+ * This is because in the usual case, only one isc_log_t is ever created
+ * in a program, and the category/module registration happens only once.
+ * XXXDCL it might be wise to add more locking overall.
+ */
+struct isc_log {
+	/* Not locked. */
+	unsigned int magic;
+	isc_mem_t *mctx;
+	isc_logcategory_t *categories;
+	unsigned int category_count;
+	isc_logmodule_t *modules;
+	unsigned int module_count;
+	atomic_int_fast32_t debug_level;
+	isc_rwlock_t lcfg_rwl;
+	/* Locked by isc_log lcfg_rwl */
+	isc_logconfig_t *logconfig;
+	isc_mutex_t lock;
+	/* Locked by isc_log lock. */
+	char buffer[LOG_BUFFER_SIZE];
+	ISC_LIST(isc_logmessage_t) messages;
+	atomic_bool dynamic;
+	atomic_int_fast32_t highest_level;
+};
+
+/*!
+ * Used when ISC_LOG_PRINTLEVEL is enabled for a channel.
+ */
+static const char *log_level_strings[] = { "debug",   "info",  "notice",
+					   "warning", "error", "critical" };
+
+/*!
+ * Used to convert ISC_LOG_* priorities into syslog priorities.
+ * XXXDCL This will need modification for NT.
+ */
+static const int syslog_map[] = { LOG_DEBUG,   LOG_INFO, LOG_NOTICE,
+				  LOG_WARNING, LOG_ERR,	 LOG_CRIT };
+
+/*!
+ * When adding new categories, a corresponding ISC_LOGCATEGORY_foo
+ * definition needs to be added to <isc/log.h>.
+ *
+ * The default category is provided so that the internal default can
+ * be overridden.  Since the default is always looked up as the first
+ * channellist in the log context, it must come first in isc_categories[].
+ */
+LIBISC_EXTERNAL_DATA isc_logcategory_t isc_categories[] = { { "default",
+							      0 }, /* "default
+								      must come
+								      first. */
+							    { "general", 0 },
+							    { NULL, 0 } };
+
+/*!
+ * See above comment for categories on LIBISC_EXTERNAL_DATA, and apply it to
+ * modules.
+ */
+LIBISC_EXTERNAL_DATA isc_logmodule_t isc_modules[] = {
+	{ "socket", 0 }, { "time", 0 },	  { "interface", 0 }, { "timer", 0 },
+	{ "file", 0 },	 { "netmgr", 0 }, { "other", 0 },     { NULL, 0 }
+};
+
+/*!
+ * This essentially constant structure must be filled in at run time,
+ * because its channel member is pointed to a channel that is created
+ * dynamically with isc_log_createchannel.
+ */
+static isc_logchannellist_t default_channel;
+
+/*!
+ * libisc logs to this context.
+ */
+LIBISC_EXTERNAL_DATA isc_log_t *isc_lctx = NULL;
+
+/*!
+ * Forward declarations.
+ */
+static void
+assignchannel(isc_logconfig_t *lcfg, unsigned int category_id,
+	      const isc_logmodule_t *module, isc_logchannel_t *channel);
+
+static void
+sync_channellist(isc_logconfig_t *lcfg);
+
+static void
+sync_highest_level(isc_log_t *lctx, isc_logconfig_t *lcfg);
+
+static isc_result_t
+greatest_version(isc_logfile_t *file, int versions, int *greatest);
+
+static void
+isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
+	     isc_logmodule_t *module, int level, bool write_once,
+	     const char *format, va_list args) ISC_FORMAT_PRINTF(6, 0);
+
+/*@{*/
+/*!
+ * Convenience macros.
+ */
+
+#define FACILITY(channel)	 (channel->destination.facility)
+#define FILE_NAME(channel)	 (channel->destination.file.name)
+#define FILE_STREAM(channel)	 (channel->destination.file.stream)
+#define FILE_VERSIONS(channel)	 (channel->destination.file.versions)
+#define FILE_SUFFIX(channel)	 (channel->destination.file.suffix)
+#define FILE_MAXSIZE(channel)	 (channel->destination.file.maximum_size)
+#define FILE_MAXREACHED(channel) (channel->destination.file.maximum_reached)
+
+/*@}*/
+/****
+**** Public interfaces.
+****/
+
+/*
+ * Establish a new logging context, with default channels.
+ */
+void
+isc_log_create(isc_mem_t *mctx, isc_log_t **lctxp, isc_logconfig_t **lcfgp) {
+	isc_log_t *lctx;
+	isc_logconfig_t *lcfg = NULL;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(lctxp != NULL && *lctxp == NULL);
+	REQUIRE(lcfgp == NULL || *lcfgp == NULL);
+
+	lctx = isc_mem_get(mctx, sizeof(*lctx));
+	lctx->mctx = NULL;
+	isc_mem_attach(mctx, &lctx->mctx);
+	lctx->categories = NULL;
+	lctx->category_count = 0;
+	lctx->modules = NULL;
+	lctx->module_count = 0;
+	atomic_init(&lctx->debug_level, 0);
+
+	ISC_LIST_INIT(lctx->messages);
+
+	isc_mutex_init(&lctx->lock);
+	isc_rwlock_init(&lctx->lcfg_rwl, 0, 0);
+
+	/*
+	 * Normally setting the magic number is the last step done
+	 * in a creation function, but a valid log context is needed
+	 * by isc_log_registercategories and isc_logconfig_create.
+	 * If either fails, the lctx is destroyed and not returned
+	 * to the caller.
+	 */
+	lctx->magic = LCTX_MAGIC;
+
+	isc_log_registercategories(lctx, isc_categories);
+	isc_log_registermodules(lctx, isc_modules);
+	isc_logconfig_create(lctx, &lcfg);
+
+	sync_channellist(lcfg);
+
+	lctx->logconfig = lcfg;
+
+	atomic_init(&lctx->highest_level, lcfg->highest_level);
+	atomic_init(&lctx->dynamic, lcfg->dynamic);
+
+	*lctxp = lctx;
+	if (lcfgp != NULL) {
+		*lcfgp = lcfg;
+	}
+}
+
+void
+isc_logconfig_create(isc_log_t *lctx, isc_logconfig_t **lcfgp) {
+	isc_logconfig_t *lcfg;
+	isc_logdestination_t destination;
+	int level = ISC_LOG_INFO;
+
+	REQUIRE(lcfgp != NULL && *lcfgp == NULL);
+	REQUIRE(VALID_CONTEXT(lctx));
+
+	lcfg = isc_mem_get(lctx->mctx, sizeof(*lcfg));
+
+	lcfg->lctx = lctx;
+	lcfg->channellists = NULL;
+	lcfg->channellist_count = 0;
+	lcfg->duplicate_interval = 0;
+	lcfg->highest_level = level;
+	lcfg->tag = NULL;
+	lcfg->dynamic = false;
+	ISC_LIST_INIT(lcfg->channels);
+	lcfg->magic = LCFG_MAGIC;
+
+	/*
+	 * Create the default channels:
+	 *      default_syslog, default_stderr, default_debug and null.
+	 */
+	destination.facility = LOG_DAEMON;
+	isc_log_createchannel(lcfg, "default_syslog", ISC_LOG_TOSYSLOG, level,
+			      &destination, 0);
+
+	destination.file.stream = stderr;
+	destination.file.name = NULL;
+	destination.file.versions = ISC_LOG_ROLLNEVER;
+	destination.file.suffix = isc_log_rollsuffix_increment;
+	destination.file.maximum_size = 0;
+	isc_log_createchannel(lcfg, "default_stderr", ISC_LOG_TOFILEDESC, level,
+			      &destination, ISC_LOG_PRINTTIME);
+
+	/*
+	 * Set the default category's channel to default_stderr,
+	 * which is at the head of the channels list because it was
+	 * just created.
+	 */
+	default_channel.channel = ISC_LIST_HEAD(lcfg->channels);
+
+	destination.file.stream = stderr;
+	destination.file.name = NULL;
+	destination.file.versions = ISC_LOG_ROLLNEVER;
+	destination.file.suffix = isc_log_rollsuffix_increment;
+	destination.file.maximum_size = 0;
+	isc_log_createchannel(lcfg, "default_debug", ISC_LOG_TOFILEDESC,
+			      ISC_LOG_DYNAMIC, &destination, ISC_LOG_PRINTTIME);
+
+	isc_log_createchannel(lcfg, "null", ISC_LOG_TONULL, ISC_LOG_DYNAMIC,
+			      NULL, 0);
+
+	*lcfgp = lcfg;
+}
+
+void
+isc_logconfig_use(isc_log_t *lctx, isc_logconfig_t *lcfg) {
+	isc_logconfig_t *old_cfg;
+
+	REQUIRE(VALID_CONTEXT(lctx));
+	REQUIRE(VALID_CONFIG(lcfg));
+	REQUIRE(lcfg->lctx == lctx);
+
+	/*
+	 * Ensure that lcfg->channellist_count == lctx->category_count.
+	 * They won't be equal if isc_log_usechannel has not been called
+	 * since any call to isc_log_registercategories.
+	 */
+	sync_channellist(lcfg);
+
+	WRLOCK(&lctx->lcfg_rwl);
+	old_cfg = lctx->logconfig;
+	lctx->logconfig = lcfg;
+	sync_highest_level(lctx, lcfg);
+	WRUNLOCK(&lctx->lcfg_rwl);
+
+	isc_logconfig_destroy(&old_cfg);
+}
+
+void
+isc_log_destroy(isc_log_t **lctxp) {
+	isc_log_t *lctx;
+	isc_logconfig_t *lcfg;
+	isc_mem_t *mctx;
+	isc_logmessage_t *message;
+
+	REQUIRE(lctxp != NULL && VALID_CONTEXT(*lctxp));
+
+	lctx = *lctxp;
+	*lctxp = NULL;
+	mctx = lctx->mctx;
+
+	/* Stop the logging as a first thing */
+	atomic_store_release(&lctx->debug_level, 0);
+	atomic_store_release(&lctx->highest_level, 0);
+	atomic_store_release(&lctx->dynamic, false);
+
+	WRLOCK(&lctx->lcfg_rwl);
+	lcfg = lctx->logconfig;
+	lctx->logconfig = NULL;
+	WRUNLOCK(&lctx->lcfg_rwl);
+
+	if (lcfg != NULL) {
+		isc_logconfig_destroy(&lcfg);
+	}
+
+	isc_rwlock_destroy(&lctx->lcfg_rwl);
+	isc_mutex_destroy(&lctx->lock);
+
+	while ((message = ISC_LIST_HEAD(lctx->messages)) != NULL) {
+		ISC_LIST_UNLINK(lctx->messages, message, link);
+
+		isc_mem_put(mctx, message,
+			    sizeof(*message) + strlen(message->text) + 1);
+	}
+
+	lctx->buffer[0] = '\0';
+	lctx->categories = NULL;
+	lctx->category_count = 0;
+	lctx->modules = NULL;
+	lctx->module_count = 0;
+	lctx->mctx = NULL;
+	lctx->magic = 0;
+
+	isc_mem_putanddetach(&mctx, lctx, sizeof(*lctx));
+}
+
+void
+isc_logconfig_destroy(isc_logconfig_t **lcfgp) {
+	isc_logconfig_t *lcfg;
+	isc_mem_t *mctx;
+	isc_logchannel_t *channel;
+	char *filename;
+	unsigned int i;
+
+	REQUIRE(lcfgp != NULL && VALID_CONFIG(*lcfgp));
+
+	lcfg = *lcfgp;
+	*lcfgp = NULL;
+
+	/*
+	 * This function cannot be called with a logconfig that is in
+	 * use by a log context.
+	 */
+	REQUIRE(lcfg->lctx != NULL);
+
+	RDLOCK(&lcfg->lctx->lcfg_rwl);
+	REQUIRE(lcfg->lctx->logconfig != lcfg);
+	RDUNLOCK(&lcfg->lctx->lcfg_rwl);
+
+	mctx = lcfg->lctx->mctx;
+
+	while ((channel = ISC_LIST_HEAD(lcfg->channels)) != NULL) {
+		ISC_LIST_UNLINK(lcfg->channels, channel, link);
+
+		if (channel->type == ISC_LOG_TOFILE) {
+			/*
+			 * The filename for the channel may have ultimately
+			 * started its life in user-land as a const string,
+			 * but in isc_log_createchannel it gets copied
+			 * into writable memory and is not longer truly const.
+			 */
+			DE_CONST(FILE_NAME(channel), filename);
+			isc_mem_free(mctx, filename);
+
+			if (FILE_STREAM(channel) != NULL) {
+				(void)fclose(FILE_STREAM(channel));
+			}
+		}
+
+		isc_mem_free(mctx, channel->name);
+		isc_mem_put(mctx, channel, sizeof(*channel));
+	}
+
+	for (i = 0; i < lcfg->channellist_count; i++) {
+		isc_logchannellist_t *item;
+		while ((item = ISC_LIST_HEAD(lcfg->channellists[i])) != NULL) {
+			ISC_LIST_UNLINK(lcfg->channellists[i], item, link);
+			isc_mem_put(mctx, item, sizeof(*item));
+		}
+	}
+
+	if (lcfg->channellist_count > 0) {
+		isc_mem_put(mctx, lcfg->channellists,
+			    lcfg->channellist_count *
+				    sizeof(ISC_LIST(isc_logchannellist_t)));
+	}
+
+	lcfg->dynamic = false;
+	if (lcfg->tag != NULL) {
+		isc_mem_free(lcfg->lctx->mctx, lcfg->tag);
+	}
+	lcfg->tag = NULL;
+	lcfg->highest_level = 0;
+	lcfg->duplicate_interval = 0;
+	lcfg->magic = 0;
+
+	isc_mem_put(mctx, lcfg, sizeof(*lcfg));
+}
+
+void
+isc_log_registercategories(isc_log_t *lctx, isc_logcategory_t categories[]) {
+	isc_logcategory_t *catp;
+
+	REQUIRE(VALID_CONTEXT(lctx));
+	REQUIRE(categories != NULL && categories[0].name != NULL);
+
+	/*
+	 * XXXDCL This somewhat sleazy situation of using the last pointer
+	 * in one category array to point to the next array exists because
+	 * this registration function returns void and I didn't want to have
+	 * change everything that used it by making it return an isc_result_t.
+	 * It would need to do that if it had to allocate memory to store
+	 * pointers to each array passed in.
+	 */
+	if (lctx->categories == NULL) {
+		lctx->categories = categories;
+	} else {
+		/*
+		 * Adjust the last (NULL) pointer of the already registered
+		 * categories to point to the incoming array.
+		 */
+		for (catp = lctx->categories; catp->name != NULL;) {
+			if (catp->id == UINT_MAX) {
+				/*
+				 * The name pointer points to the next array.
+				 * Ick.
+				 */
+				DE_CONST(catp->name, catp);
+			} else {
+				catp++;
+			}
+		}
+
+		catp->name = (void *)categories;
+		catp->id = UINT_MAX;
+	}
+
+	/*
+	 * Update the id number of the category with its new global id.
+	 */
+	for (catp = categories; catp->name != NULL; catp++) {
+		catp->id = lctx->category_count++;
+	}
+}
+
+isc_logcategory_t *
+isc_log_categorybyname(isc_log_t *lctx, const char *name) {
+	isc_logcategory_t *catp;
+
+	REQUIRE(VALID_CONTEXT(lctx));
+	REQUIRE(name != NULL);
+
+	for (catp = lctx->categories; catp->name != NULL;) {
+		if (catp->id == UINT_MAX) {
+			/*
+			 * catp is neither modified nor returned to the
+			 * caller, so removing its const qualifier is ok.
+			 */
+			DE_CONST(catp->name, catp);
+		} else {
+			if (strcmp(catp->name, name) == 0) {
+				return (catp);
+			}
+			catp++;
+		}
+	}
+
+	return (NULL);
+}
+
+void
+isc_log_registermodules(isc_log_t *lctx, isc_logmodule_t modules[]) {
+	isc_logmodule_t *modp;
+
+	REQUIRE(VALID_CONTEXT(lctx));
+	REQUIRE(modules != NULL && modules[0].name != NULL);
+
+	/*
+	 * XXXDCL This somewhat sleazy situation of using the last pointer
+	 * in one category array to point to the next array exists because
+	 * this registration function returns void and I didn't want to have
+	 * change everything that used it by making it return an isc_result_t.
+	 * It would need to do that if it had to allocate memory to store
+	 * pointers to each array passed in.
+	 */
+	if (lctx->modules == NULL) {
+		lctx->modules = modules;
+	} else {
+		/*
+		 * Adjust the last (NULL) pointer of the already registered
+		 * modules to point to the incoming array.
+		 */
+		for (modp = lctx->modules; modp->name != NULL;) {
+			if (modp->id == UINT_MAX) {
+				/*
+				 * The name pointer points to the next array.
+				 * Ick.
+				 */
+				DE_CONST(modp->name, modp);
+			} else {
+				modp++;
+			}
+		}
+
+		modp->name = (void *)modules;
+		modp->id = UINT_MAX;
+	}
+
+	/*
+	 * Update the id number of the module with its new global id.
+	 */
+	for (modp = modules; modp->name != NULL; modp++) {
+		modp->id = lctx->module_count++;
+	}
+}
+
+isc_logmodule_t *
+isc_log_modulebyname(isc_log_t *lctx, const char *name) {
+	isc_logmodule_t *modp;
+
+	REQUIRE(VALID_CONTEXT(lctx));
+	REQUIRE(name != NULL);
+
+	for (modp = lctx->modules; modp->name != NULL;) {
+		if (modp->id == UINT_MAX) {
+			/*
+			 * modp is neither modified nor returned to the
+			 * caller, so removing its const qualifier is ok.
+			 */
+			DE_CONST(modp->name, modp);
+		} else {
+			if (strcmp(modp->name, name) == 0) {
+				return (modp);
+			}
+			modp++;
+		}
+	}
+
+	return (NULL);
+}
+
+void
+isc_log_createchannel(isc_logconfig_t *lcfg, const char *name,
+		      unsigned int type, int level,
+		      const isc_logdestination_t *destination,
+		      unsigned int flags) {
+	isc_logchannel_t *channel;
+	isc_mem_t *mctx;
+	unsigned int permitted = ISC_LOG_PRINTALL | ISC_LOG_DEBUGONLY |
+				 ISC_LOG_BUFFERED | ISC_LOG_ISO8601 |
+				 ISC_LOG_UTC;
+
+	REQUIRE(VALID_CONFIG(lcfg));
+	REQUIRE(name != NULL);
+	REQUIRE(type == ISC_LOG_TOSYSLOG || type == ISC_LOG_TOFILE ||
+		type == ISC_LOG_TOFILEDESC || type == ISC_LOG_TONULL);
+	REQUIRE(destination != NULL || type == ISC_LOG_TONULL);
+	REQUIRE(level >= ISC_LOG_CRITICAL);
+	REQUIRE((flags & ~permitted) == 0);
+
+	/* XXXDCL find duplicate names? */
+
+	mctx = lcfg->lctx->mctx;
+
+	channel = isc_mem_get(mctx, sizeof(*channel));
+
+	channel->name = isc_mem_strdup(mctx, name);
+
+	channel->type = type;
+	channel->level = level;
+	channel->flags = flags;
+	ISC_LINK_INIT(channel, link);
+
+	switch (type) {
+	case ISC_LOG_TOSYSLOG:
+		FACILITY(channel) = destination->facility;
+		break;
+
+	case ISC_LOG_TOFILE:
+		/*
+		 * The file name is copied because greatest_version wants
+		 * to scribble on it, so it needs to be definitely in
+		 * writable memory.
+		 */
+		FILE_NAME(channel) = isc_mem_strdup(mctx,
+						    destination->file.name);
+		FILE_STREAM(channel) = NULL;
+		FILE_VERSIONS(channel) = destination->file.versions;
+		FILE_SUFFIX(channel) = destination->file.suffix;
+		FILE_MAXSIZE(channel) = destination->file.maximum_size;
+		FILE_MAXREACHED(channel) = false;
+		break;
+
+	case ISC_LOG_TOFILEDESC:
+		FILE_NAME(channel) = NULL;
+		FILE_STREAM(channel) = destination->file.stream;
+		FILE_MAXSIZE(channel) = 0;
+		FILE_VERSIONS(channel) = ISC_LOG_ROLLNEVER;
+		FILE_SUFFIX(channel) = isc_log_rollsuffix_increment;
+		break;
+
+	case ISC_LOG_TONULL:
+		/* Nothing. */
+		break;
+
+	default:
+		UNREACHABLE();
+	}
+
+	ISC_LIST_PREPEND(lcfg->channels, channel, link);
+
+	/*
+	 * If default_stderr was redefined, make the default category
+	 * point to the new default_stderr.
+	 */
+	if (strcmp(name, "default_stderr") == 0) {
+		default_channel.channel = channel;
+	}
+}
+
+isc_result_t
+isc_log_usechannel(isc_logconfig_t *lcfg, const char *name,
+		   const isc_logcategory_t *category,
+		   const isc_logmodule_t *module) {
+	isc_log_t *lctx;
+	isc_logchannel_t *channel;
+
+	REQUIRE(VALID_CONFIG(lcfg));
+	REQUIRE(name != NULL);
+
+	lctx = lcfg->lctx;
+
+	REQUIRE(category == NULL || category->id < lctx->category_count);
+	REQUIRE(module == NULL || module->id < lctx->module_count);
+
+	for (channel = ISC_LIST_HEAD(lcfg->channels); channel != NULL;
+	     channel = ISC_LIST_NEXT(channel, link))
+	{
+		if (strcmp(name, channel->name) == 0) {
+			break;
+		}
+	}
+
+	if (channel == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	if (category != NULL) {
+		assignchannel(lcfg, category->id, module, channel);
+	} else {
+		/*
+		 * Assign to all categories.  Note that this includes
+		 * the default channel.
+		 */
+		for (size_t i = 0; i < lctx->category_count; i++) {
+			assignchannel(lcfg, i, module, channel);
+		}
+	}
+
+	/*
+	 * Update the highest logging level, if the current lcfg is in use.
+	 */
+	if (lcfg->lctx->logconfig == lcfg) {
+		sync_highest_level(lctx, lcfg);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_log_write(isc_log_t *lctx, isc_logcategory_t *category,
+	      isc_logmodule_t *module, int level, const char *format, ...) {
+	va_list args;
+
+	/*
+	 * Contract checking is done in isc_log_doit().
+	 */
+
+	va_start(args, format);
+	isc_log_doit(lctx, category, module, level, false, format, args);
+	va_end(args);
+}
+
+void
+isc_log_vwrite(isc_log_t *lctx, isc_logcategory_t *category,
+	       isc_logmodule_t *module, int level, const char *format,
+	       va_list args) {
+	/*
+	 * Contract checking is done in isc_log_doit().
+	 */
+	isc_log_doit(lctx, category, module, level, false, format, args);
+}
+
+void
+isc_log_write1(isc_log_t *lctx, isc_logcategory_t *category,
+	       isc_logmodule_t *module, int level, const char *format, ...) {
+	va_list args;
+
+	/*
+	 * Contract checking is done in isc_log_doit().
+	 */
+
+	va_start(args, format);
+	isc_log_doit(lctx, category, module, level, true, format, args);
+	va_end(args);
+}
+
+void
+isc_log_vwrite1(isc_log_t *lctx, isc_logcategory_t *category,
+		isc_logmodule_t *module, int level, const char *format,
+		va_list args) {
+	/*
+	 * Contract checking is done in isc_log_doit().
+	 */
+	isc_log_doit(lctx, category, module, level, true, format, args);
+}
+
+void
+isc_log_setcontext(isc_log_t *lctx) {
+	isc_lctx = lctx;
+}
+
+void
+isc_log_setdebuglevel(isc_log_t *lctx, unsigned int level) {
+	REQUIRE(VALID_CONTEXT(lctx));
+
+	atomic_store_release(&lctx->debug_level, level);
+	/*
+	 * Close ISC_LOG_DEBUGONLY channels if level is zero.
+	 */
+	if (level == 0) {
+		RDLOCK(&lctx->lcfg_rwl);
+		isc_logconfig_t *lcfg = lctx->logconfig;
+		if (lcfg != NULL) {
+			LOCK(&lctx->lock);
+			for (isc_logchannel_t *channel =
+				     ISC_LIST_HEAD(lcfg->channels);
+			     channel != NULL;
+			     channel = ISC_LIST_NEXT(channel, link))
+			{
+				if (channel->type == ISC_LOG_TOFILE &&
+				    (channel->flags & ISC_LOG_DEBUGONLY) != 0 &&
+				    FILE_STREAM(channel) != NULL)
+				{
+					(void)fclose(FILE_STREAM(channel));
+					FILE_STREAM(channel) = NULL;
+				}
+			}
+			UNLOCK(&lctx->lock);
+		}
+		RDUNLOCK(&lctx->lcfg_rwl);
+	}
+}
+
+unsigned int
+isc_log_getdebuglevel(isc_log_t *lctx) {
+	REQUIRE(VALID_CONTEXT(lctx));
+
+	return (atomic_load_acquire(&lctx->debug_level));
+}
+
+void
+isc_log_setduplicateinterval(isc_logconfig_t *lcfg, unsigned int interval) {
+	REQUIRE(VALID_CONFIG(lcfg));
+
+	lcfg->duplicate_interval = interval;
+}
+
+unsigned int
+isc_log_getduplicateinterval(isc_logconfig_t *lcfg) {
+	REQUIRE(VALID_CONTEXT(lcfg));
+
+	return (lcfg->duplicate_interval);
+}
+
+void
+isc_log_settag(isc_logconfig_t *lcfg, const char *tag) {
+	REQUIRE(VALID_CONFIG(lcfg));
+
+	if (tag != NULL && *tag != '\0') {
+		if (lcfg->tag != NULL) {
+			isc_mem_free(lcfg->lctx->mctx, lcfg->tag);
+		}
+		lcfg->tag = isc_mem_strdup(lcfg->lctx->mctx, tag);
+	} else {
+		if (lcfg->tag != NULL) {
+			isc_mem_free(lcfg->lctx->mctx, lcfg->tag);
+		}
+		lcfg->tag = NULL;
+	}
+}
+
+char *
+isc_log_gettag(isc_logconfig_t *lcfg) {
+	REQUIRE(VALID_CONFIG(lcfg));
+
+	return (lcfg->tag);
+}
+
+/* XXXDCL NT  -- This interface will assuredly be changing. */
+void
+isc_log_opensyslog(const char *tag, int options, int facility) {
+	(void)openlog(tag, options, facility);
+}
+
+void
+isc_log_closefilelogs(isc_log_t *lctx) {
+	REQUIRE(VALID_CONTEXT(lctx));
+
+	RDLOCK(&lctx->lcfg_rwl);
+	isc_logconfig_t *lcfg = lctx->logconfig;
+	if (lcfg != NULL) {
+		LOCK(&lctx->lock);
+		for (isc_logchannel_t *channel = ISC_LIST_HEAD(lcfg->channels);
+		     channel != NULL; channel = ISC_LIST_NEXT(channel, link))
+		{
+			if (channel->type == ISC_LOG_TOFILE &&
+			    FILE_STREAM(channel) != NULL)
+			{
+				(void)fclose(FILE_STREAM(channel));
+				FILE_STREAM(channel) = NULL;
+			}
+		}
+		UNLOCK(&lctx->lock);
+	}
+	RDUNLOCK(&lctx->lcfg_rwl);
+}
+
+/****
+**** Internal functions
+****/
+
+static void
+assignchannel(isc_logconfig_t *lcfg, unsigned int category_id,
+	      const isc_logmodule_t *module, isc_logchannel_t *channel) {
+	isc_logchannellist_t *new_item;
+	isc_log_t *lctx;
+
+	REQUIRE(VALID_CONFIG(lcfg));
+
+	lctx = lcfg->lctx;
+
+	REQUIRE(category_id < lctx->category_count);
+	REQUIRE(module == NULL || module->id < lctx->module_count);
+	REQUIRE(channel != NULL);
+
+	/*
+	 * Ensure lcfg->channellist_count == lctx->category_count.
+	 */
+	sync_channellist(lcfg);
+
+	new_item = isc_mem_get(lctx->mctx, sizeof(*new_item));
+
+	new_item->channel = channel;
+	new_item->module = module;
+	ISC_LIST_INITANDPREPEND(lcfg->channellists[category_id], new_item,
+				link);
+
+	/*
+	 * Remember the highest logging level set by any channel in the
+	 * logging config, so isc_log_doit() can quickly return if the
+	 * message is too high to be logged by any channel.
+	 */
+	if (channel->type != ISC_LOG_TONULL) {
+		if (lcfg->highest_level < channel->level) {
+			lcfg->highest_level = channel->level;
+		}
+		if (channel->level == ISC_LOG_DYNAMIC) {
+			lcfg->dynamic = true;
+		}
+	}
+}
+
+/*
+ * This would ideally be part of isc_log_registercategories(), except then
+ * that function would have to return isc_result_t instead of void.
+ */
+static void
+sync_channellist(isc_logconfig_t *lcfg) {
+	unsigned int bytes;
+	isc_log_t *lctx;
+	void *lists;
+
+	REQUIRE(VALID_CONFIG(lcfg));
+
+	lctx = lcfg->lctx;
+
+	REQUIRE(lctx->category_count != 0);
+
+	if (lctx->category_count == lcfg->channellist_count) {
+		return;
+	}
+
+	bytes = lctx->category_count * sizeof(ISC_LIST(isc_logchannellist_t));
+
+	lists = isc_mem_get(lctx->mctx, bytes);
+
+	memset(lists, 0, bytes);
+
+	if (lcfg->channellist_count != 0) {
+		bytes = lcfg->channellist_count *
+			sizeof(ISC_LIST(isc_logchannellist_t));
+		memmove(lists, lcfg->channellists, bytes);
+		isc_mem_put(lctx->mctx, lcfg->channellists, bytes);
+	}
+
+	lcfg->channellists = lists;
+	lcfg->channellist_count = lctx->category_count;
+}
+
+static void
+sync_highest_level(isc_log_t *lctx, isc_logconfig_t *lcfg) {
+	atomic_store(&lctx->highest_level, lcfg->highest_level);
+	atomic_store(&lctx->dynamic, lcfg->dynamic);
+}
+
+static isc_result_t
+greatest_version(isc_logfile_t *file, int versions, int *greatestp) {
+	char *bname, *digit_end;
+	const char *dirname;
+	int version, greatest = -1;
+	size_t bnamelen;
+	isc_dir_t dir;
+	isc_result_t result;
+	char sep = '/';
+#ifdef _WIN32
+	char *bname2;
+#endif /* ifdef _WIN32 */
+
+	/*
+	 * It is safe to DE_CONST the file.name because it was copied
+	 * with isc_mem_strdup().
+	 */
+	bname = strrchr(file->name, sep);
+#ifdef _WIN32
+	bname2 = strrchr(file->name, '\\');
+	if ((bname != NULL && bname2 != NULL && bname2 > bname) ||
+	    (bname == NULL && bname2 != NULL))
+	{
+		bname = bname2;
+		sep = '\\';
+	}
+#endif /* ifdef _WIN32 */
+	if (bname != NULL) {
+		*bname++ = '\0';
+		dirname = file->name;
+	} else {
+		DE_CONST(file->name, bname);
+		dirname = ".";
+	}
+	bnamelen = strlen(bname);
+
+	isc_dir_init(&dir);
+	result = isc_dir_open(&dir, dirname);
+
+	/*
+	 * Replace the file separator if it was taken out.
+	 */
+	if (bname != file->name) {
+		*(bname - 1) = sep;
+	}
+
+	/*
+	 * Return if the directory open failed.
+	 */
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	while (isc_dir_read(&dir) == ISC_R_SUCCESS) {
+		if (dir.entry.length > bnamelen &&
+		    strncmp(dir.entry.name, bname, bnamelen) == 0 &&
+		    dir.entry.name[bnamelen] == '.')
+		{
+			version = strtol(&dir.entry.name[bnamelen + 1],
+					 &digit_end, 10);
+			/*
+			 * Remove any backup files that exceed versions.
+			 */
+			if (*digit_end == '\0' && version >= versions) {
+				result = isc_file_remove(dir.entry.name);
+				if (result != ISC_R_SUCCESS &&
+				    result != ISC_R_FILENOTFOUND)
+				{
+					syslog(LOG_ERR,
+					       "unable to remove "
+					       "log file '%s': %s",
+					       dir.entry.name,
+					       isc_result_totext(result));
+				}
+			} else if (*digit_end == '\0' && version > greatest) {
+				greatest = version;
+			}
+		}
+	}
+	isc_dir_close(&dir);
+
+	*greatestp = greatest;
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+insert_sort(int64_t to_keep[], int64_t versions, int64_t version) {
+	int i = 0;
+	while (i < versions && version < to_keep[i]) {
+		i++;
+	}
+	if (i == versions) {
+		return;
+	}
+	if (i < versions - 1) {
+		memmove(&to_keep[i + 1], &to_keep[i],
+			sizeof(to_keep[0]) * (versions - i - 1));
+	}
+	to_keep[i] = version;
+}
+
+static int64_t
+last_to_keep(int64_t versions, isc_dir_t *dirp, char *bname, size_t bnamelen) {
+	int64_t to_keep[ISC_LOG_MAX_VERSIONS] = { 0 };
+	int64_t version = 0;
+
+	if (versions <= 0) {
+		return (INT64_MAX);
+	}
+
+	if (versions > ISC_LOG_MAX_VERSIONS) {
+		versions = ISC_LOG_MAX_VERSIONS;
+	}
+	/*
+	 * First we fill 'to_keep' structure using insertion sort
+	 */
+	memset(to_keep, 0, sizeof(to_keep));
+	while (isc_dir_read(dirp) == ISC_R_SUCCESS) {
+		char *digit_end = NULL;
+		char *ename = NULL;
+
+		if (dirp->entry.length <= bnamelen ||
+		    strncmp(dirp->entry.name, bname, bnamelen) != 0 ||
+		    dirp->entry.name[bnamelen] != '.')
+		{
+			continue;
+		}
+
+		ename = &dirp->entry.name[bnamelen + 1];
+		version = strtoull(ename, &digit_end, 10);
+		if (*digit_end == '\0') {
+			insert_sort(to_keep, versions, version);
+		}
+	}
+
+	isc_dir_reset(dirp);
+
+	/*
+	 * to_keep[versions - 1] is the last one we want to keep
+	 */
+	return (to_keep[versions - 1]);
+}
+
+static isc_result_t
+remove_old_tsversions(isc_logfile_t *file, int versions) {
+	isc_result_t result;
+	char *bname = NULL, *digit_end = NULL;
+	const char *dirname = NULL;
+	int64_t version, last = INT64_MAX;
+	size_t bnamelen;
+	isc_dir_t dir;
+	char sep = '/';
+#ifdef _WIN32
+	char *bname2;
+#endif /* ifdef _WIN32 */
+	/*
+	 * It is safe to DE_CONST the file.name because it was copied
+	 * with isc_mem_strdup().
+	 */
+	bname = strrchr(file->name, sep);
+#ifdef _WIN32
+	bname2 = strrchr(file->name, '\\');
+	if ((bname != NULL && bname2 != NULL && bname2 > bname) ||
+	    (bname == NULL && bname2 != NULL))
+	{
+		bname = bname2;
+		sep = '\\';
+	}
+#endif /* ifdef _WIN32 */
+	if (bname != NULL) {
+		*bname++ = '\0';
+		dirname = file->name;
+	} else {
+		DE_CONST(file->name, bname);
+		dirname = ".";
+	}
+	bnamelen = strlen(bname);
+
+	isc_dir_init(&dir);
+	result = isc_dir_open(&dir, dirname);
+
+	/*
+	 * Replace the file separator if it was taken out.
+	 */
+	if (bname != file->name) {
+		*(bname - 1) = sep;
+	}
+
+	/*
+	 * Return if the directory open failed.
+	 */
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	last = last_to_keep(versions, &dir, bname, bnamelen);
+
+	/*
+	 * Then we remove all files that we don't want to_keep
+	 */
+	while (isc_dir_read(&dir) == ISC_R_SUCCESS) {
+		if (dir.entry.length > bnamelen &&
+		    strncmp(dir.entry.name, bname, bnamelen) == 0 &&
+		    dir.entry.name[bnamelen] == '.')
+		{
+			char *ename = &dir.entry.name[bnamelen + 1];
+			version = strtoull(ename, &digit_end, 10);
+			/*
+			 * Remove any backup files that exceed versions.
+			 */
+			if (*digit_end == '\0' && version < last) {
+				result = isc_file_remove(dir.entry.name);
+				if (result != ISC_R_SUCCESS &&
+				    result != ISC_R_FILENOTFOUND)
+				{
+					syslog(LOG_ERR,
+					       "unable to remove "
+					       "log file '%s': %s",
+					       dir.entry.name,
+					       isc_result_totext(result));
+				}
+			}
+		}
+	}
+
+	isc_dir_close(&dir);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+roll_increment(isc_logfile_t *file) {
+	int i, n, greatest;
+	char current[PATH_MAX + 1];
+	char newpath[PATH_MAX + 1];
+	const char *path;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(file != NULL);
+	REQUIRE(file->versions != 0);
+
+	path = file->name;
+
+	if (file->versions == ISC_LOG_ROLLINFINITE) {
+		/*
+		 * Find the first missing entry in the log file sequence.
+		 */
+		for (greatest = 0; greatest < INT_MAX; greatest++) {
+			n = snprintf(current, sizeof(current), "%s.%u", path,
+				     (unsigned)greatest);
+			if (n >= (int)sizeof(current) || n < 0 ||
+			    !isc_file_exists(current))
+			{
+				break;
+			}
+		}
+	} else {
+		/*
+		 * Get the largest existing version and remove any
+		 * version greater than the permitted version.
+		 */
+		result = greatest_version(file, file->versions, &greatest);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+
+		/*
+		 * Increment if greatest is not the actual maximum value.
+		 */
+		if (greatest < file->versions - 1) {
+			greatest++;
+		}
+	}
+
+	for (i = greatest; i > 0; i--) {
+		result = ISC_R_SUCCESS;
+		n = snprintf(current, sizeof(current), "%s.%u", path,
+			     (unsigned)(i - 1));
+		if (n >= (int)sizeof(current) || n < 0) {
+			result = ISC_R_NOSPACE;
+		}
+		if (result == ISC_R_SUCCESS) {
+			n = snprintf(newpath, sizeof(newpath), "%s.%u", path,
+				     (unsigned)i);
+			if (n >= (int)sizeof(newpath) || n < 0) {
+				result = ISC_R_NOSPACE;
+			}
+		}
+		if (result == ISC_R_SUCCESS) {
+			result = isc_file_rename(current, newpath);
+		}
+		if (result != ISC_R_SUCCESS && result != ISC_R_FILENOTFOUND) {
+			syslog(LOG_ERR,
+			       "unable to rename log file '%s.%u' to "
+			       "'%s.%u': %s",
+			       path, i - 1, path, i, isc_result_totext(result));
+		}
+	}
+
+	n = snprintf(newpath, sizeof(newpath), "%s.0", path);
+	if (n >= (int)sizeof(newpath) || n < 0) {
+		result = ISC_R_NOSPACE;
+	} else {
+		result = isc_file_rename(path, newpath);
+	}
+	if (result != ISC_R_SUCCESS && result != ISC_R_FILENOTFOUND) {
+		syslog(LOG_ERR, "unable to rename log file '%s' to '%s.0': %s",
+		       path, path, isc_result_totext(result));
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+roll_timestamp(isc_logfile_t *file) {
+	int n;
+	char newts[PATH_MAX + 1];
+	char newpath[PATH_MAX + 1];
+	const char *path;
+	isc_time_t now;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(file != NULL);
+	REQUIRE(file->versions != 0);
+
+	path = file->name;
+
+	/*
+	 * First find all the logfiles and remove the oldest ones
+	 * Save one fewer than file->versions because we'll be renaming
+	 * the existing file to a timestamped version after this.
+	 */
+	if (file->versions != ISC_LOG_ROLLINFINITE) {
+		remove_old_tsversions(file, file->versions - 1);
+	}
+
+	/* Then just rename the current logfile */
+	isc_time_now(&now);
+	isc_time_formatshorttimestamp(&now, newts, PATH_MAX + 1);
+	n = snprintf(newpath, sizeof(newpath), "%s.%s", path, newts);
+	if (n >= (int)sizeof(newpath) || n < 0) {
+		result = ISC_R_NOSPACE;
+	} else {
+		result = isc_file_rename(path, newpath);
+	}
+	if (result != ISC_R_SUCCESS && result != ISC_R_FILENOTFOUND) {
+		syslog(LOG_ERR, "unable to rename log file '%s' to '%s.0': %s",
+		       path, path, isc_result_totext(result));
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_logfile_roll(isc_logfile_t *file) {
+	isc_result_t result;
+
+	REQUIRE(file != NULL);
+
+	/*
+	 * Do nothing (not even excess version trimming) if ISC_LOG_ROLLNEVER
+	 * is specified.  Apparently complete external control over the log
+	 * files is desired.
+	 */
+	if (file->versions == ISC_LOG_ROLLNEVER) {
+		return (ISC_R_SUCCESS);
+	} else if (file->versions == 0) {
+		result = isc_file_remove(file->name);
+		if (result != ISC_R_SUCCESS && result != ISC_R_FILENOTFOUND) {
+			syslog(LOG_ERR, "unable to remove log file '%s': %s",
+			       file->name, isc_result_totext(result));
+		}
+		return (ISC_R_SUCCESS);
+	}
+
+	switch (file->suffix) {
+	case isc_log_rollsuffix_increment:
+		return (roll_increment(file));
+	case isc_log_rollsuffix_timestamp:
+		return (roll_timestamp(file));
+	default:
+		return (ISC_R_UNEXPECTED);
+	}
+}
+
+static isc_result_t
+isc_log_open(isc_logchannel_t *channel) {
+	struct stat statbuf;
+	bool regular_file;
+	bool roll = false;
+	isc_result_t result = ISC_R_SUCCESS;
+	const char *path;
+
+	REQUIRE(channel->type == ISC_LOG_TOFILE);
+	REQUIRE(FILE_STREAM(channel) == NULL);
+
+	path = FILE_NAME(channel);
+
+	REQUIRE(path != NULL && *path != '\0');
+
+	/*
+	 * Determine type of file; only regular files will be
+	 * version renamed, and only if the base file exists
+	 * and either has no size limit or has reached its size limit.
+	 */
+	if (stat(path, &statbuf) == 0) {
+		regular_file = S_ISREG(statbuf.st_mode) ? true : false;
+		/* XXXDCL if not regular_file complain? */
+		if ((FILE_MAXSIZE(channel) == 0 &&
+		     FILE_VERSIONS(channel) != ISC_LOG_ROLLNEVER) ||
+		    (FILE_MAXSIZE(channel) > 0 &&
+		     statbuf.st_size >= FILE_MAXSIZE(channel)))
+		{
+			roll = regular_file;
+		}
+	} else if (errno == ENOENT) {
+		regular_file = true;
+		POST(regular_file);
+	} else {
+		result = ISC_R_INVALIDFILE;
+	}
+
+	/*
+	 * Version control.
+	 */
+	if (result == ISC_R_SUCCESS && roll) {
+		if (FILE_VERSIONS(channel) == ISC_LOG_ROLLNEVER) {
+			return (ISC_R_MAXSIZE);
+		}
+		result = isc_logfile_roll(&channel->destination.file);
+		if (result != ISC_R_SUCCESS) {
+			if ((channel->flags & ISC_LOG_OPENERR) == 0) {
+				syslog(LOG_ERR,
+				       "isc_log_open: isc_logfile_roll '%s' "
+				       "failed: %s",
+				       FILE_NAME(channel),
+				       isc_result_totext(result));
+				channel->flags |= ISC_LOG_OPENERR;
+			}
+			return (result);
+		}
+	}
+
+	result = isc_stdio_open(path, "a", &FILE_STREAM(channel));
+
+	return (result);
+}
+
+ISC_NO_SANITIZE_THREAD bool
+isc_log_wouldlog(isc_log_t *lctx, int level) {
+	/*
+	 * Try to avoid locking the mutex for messages which can't
+	 * possibly be logged to any channels -- primarily debugging
+	 * messages that the debug level is not high enough to print.
+	 *
+	 * If the level is (mathematically) less than or equal to the
+	 * highest_level, or if there is a dynamic channel and the level is
+	 * less than or equal to the debug level, the main loop must be
+	 * entered to see if the message should really be output.
+	 */
+	if (lctx == NULL) {
+		return (false);
+	}
+
+	int highest_level = atomic_load_acquire(&lctx->highest_level);
+	if (level <= highest_level) {
+		return (true);
+	}
+	if (atomic_load_acquire(&lctx->dynamic)) {
+		int debug_level = atomic_load_acquire(&lctx->debug_level);
+		if (level <= debug_level) {
+			return (true);
+		}
+	}
+
+	return (false);
+}
+
+static void
+isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
+	     isc_logmodule_t *module, int level, bool write_once,
+	     const char *format, va_list args) {
+	int syslog_level;
+	const char *time_string;
+	char local_time[64];
+	char iso8601z_string[64];
+	char iso8601l_string[64];
+	char level_string[24] = { 0 };
+	struct stat statbuf;
+	bool matched = false;
+	bool printtime, iso8601, utc, printtag, printcolon;
+	bool printcategory, printmodule, printlevel, buffered;
+	isc_logchannel_t *channel;
+	isc_logchannellist_t *category_channels;
+	isc_result_t result;
+
+	REQUIRE(lctx == NULL || VALID_CONTEXT(lctx));
+	REQUIRE(category != NULL);
+	REQUIRE(module != NULL);
+	REQUIRE(level != ISC_LOG_DYNAMIC);
+	REQUIRE(format != NULL);
+
+	/*
+	 * Programs can use libraries that use this logging code without
+	 * wanting to do any logging, thus the log context is allowed to
+	 * be non-existent.
+	 */
+	if (lctx == NULL) {
+		return;
+	}
+
+	REQUIRE(category->id < lctx->category_count);
+	REQUIRE(module->id < lctx->module_count);
+
+	if (!isc_log_wouldlog(lctx, level)) {
+		return;
+	}
+
+	local_time[0] = '\0';
+	iso8601l_string[0] = '\0';
+	iso8601z_string[0] = '\0';
+
+	RDLOCK(&lctx->lcfg_rwl);
+	LOCK(&lctx->lock);
+
+	lctx->buffer[0] = '\0';
+
+	isc_logconfig_t *lcfg = lctx->logconfig;
+
+	category_channels = ISC_LIST_HEAD(lcfg->channellists[category->id]);
+
+	/*
+	 * XXXDCL add duplicate filtering? (To not write multiple times
+	 * to the same source via various channels).
+	 */
+	do {
+		/*
+		 * If the channel list end was reached and a match was
+		 * made, everything is finished.
+		 */
+		if (category_channels == NULL && matched) {
+			break;
+		}
+
+		if (category_channels == NULL && !matched &&
+		    category_channels != ISC_LIST_HEAD(lcfg->channellists[0]))
+		{
+			/*
+			 * No category/module pair was explicitly
+			 * configured. Try the category named "default".
+			 */
+			category_channels =
+				ISC_LIST_HEAD(lcfg->channellists[0]);
+		}
+
+		if (category_channels == NULL && !matched) {
+			/*
+			 * No matching module was explicitly configured
+			 * for the category named "default".  Use the
+			 * internal default channel.
+			 */
+			category_channels = &default_channel;
+		}
+
+		if (category_channels->module != NULL &&
+		    category_channels->module != module)
+		{
+			category_channels = ISC_LIST_NEXT(category_channels,
+							  link);
+			continue;
+		}
+
+		matched = true;
+
+		channel = category_channels->channel;
+		category_channels = ISC_LIST_NEXT(category_channels, link);
+
+		int_fast32_t dlevel = atomic_load_acquire(&lctx->debug_level);
+		if (((channel->flags & ISC_LOG_DEBUGONLY) != 0) && dlevel == 0)
+		{
+			continue;
+		}
+
+		if (channel->level == ISC_LOG_DYNAMIC) {
+			if (dlevel < level) {
+				continue;
+			}
+		} else if (channel->level < level) {
+			continue;
+		}
+
+		if ((channel->flags & ISC_LOG_PRINTTIME) != 0 &&
+		    local_time[0] == '\0')
+		{
+			isc_time_t isctime;
+
+			TIME_NOW(&isctime);
+
+			isc_time_formattimestamp(&isctime, local_time,
+						 sizeof(local_time));
+			isc_time_formatISO8601ms(&isctime, iso8601z_string,
+						 sizeof(iso8601z_string));
+			isc_time_formatISO8601Lms(&isctime, iso8601l_string,
+						  sizeof(iso8601l_string));
+		}
+
+		if ((channel->flags & ISC_LOG_PRINTLEVEL) != 0 &&
+		    level_string[0] == '\0')
+		{
+			if (level < ISC_LOG_CRITICAL) {
+				snprintf(level_string, sizeof(level_string),
+					 "level %d: ", level);
+			} else if (level > ISC_LOG_DYNAMIC) {
+				snprintf(level_string, sizeof(level_string),
+					 "%s %d: ", log_level_strings[0],
+					 level);
+			} else {
+				snprintf(level_string, sizeof(level_string),
+					 "%s: ", log_level_strings[-level]);
+			}
+		}
+
+		/*
+		 * Only format the message once.
+		 */
+		if (lctx->buffer[0] == '\0') {
+			(void)vsnprintf(lctx->buffer, sizeof(lctx->buffer),
+					format, args);
+
+			/*
+			 * Check for duplicates.
+			 */
+			if (write_once) {
+				isc_logmessage_t *message, *next;
+				isc_time_t oldest;
+				isc_interval_t interval;
+				size_t size;
+
+				isc_interval_set(&interval,
+						 lcfg->duplicate_interval, 0);
+
+				/*
+				 * 'oldest' is the age of the oldest
+				 * messages which fall within the
+				 * duplicate_interval range.
+				 */
+				TIME_NOW(&oldest);
+				if (isc_time_subtract(&oldest, &interval,
+						      &oldest) != ISC_R_SUCCESS)
+				{
+					/*
+					 * Can't effectively do the
+					 * checking without having a
+					 * valid time.
+					 */
+					message = NULL;
+				} else {
+					message = ISC_LIST_HEAD(lctx->messages);
+				}
+
+				while (message != NULL) {
+					if (isc_time_compare(&message->time,
+							     &oldest) < 0)
+					{
+						/*
+						 * This message is older
+						 * than the
+						 * duplicate_interval,
+						 * so it should be
+						 * dropped from the
+						 * history.
+						 *
+						 * Setting the interval
+						 * to be to be longer
+						 * will obviously not
+						 * cause the expired
+						 * message to spring
+						 * back into existence.
+						 */
+						next = ISC_LIST_NEXT(message,
+								     link);
+
+						ISC_LIST_UNLINK(lctx->messages,
+								message, link);
+
+						isc_mem_put(
+							lctx->mctx, message,
+							sizeof(*message) + 1 +
+								strlen(message->text));
+
+						message = next;
+						continue;
+					}
+
+					/*
+					 * This message is in the
+					 * duplicate filtering interval
+					 * ...
+					 */
+					if (strcmp(lctx->buffer,
+						   message->text) == 0)
+					{
+						/*
+						 * ... and it is a
+						 * duplicate. Unlock the
+						 * mutex and get the
+						 * hell out of Dodge.
+						 */
+						goto unlock;
+					}
+
+					message = ISC_LIST_NEXT(message, link);
+				}
+
+				/*
+				 * It wasn't in the duplicate interval,
+				 * so add it to the message list.
+				 */
+				size = sizeof(isc_logmessage_t) +
+				       strlen(lctx->buffer) + 1;
+				message = isc_mem_get(lctx->mctx, size);
+				message->text = (char *)(message + 1);
+				size -= sizeof(isc_logmessage_t);
+				strlcpy(message->text, lctx->buffer, size);
+				TIME_NOW(&message->time);
+				ISC_LINK_INIT(message, link);
+				ISC_LIST_APPEND(lctx->messages, message, link);
+			}
+		}
+
+		utc = ((channel->flags & ISC_LOG_UTC) != 0);
+		iso8601 = ((channel->flags & ISC_LOG_ISO8601) != 0);
+		printtime = ((channel->flags & ISC_LOG_PRINTTIME) != 0);
+		printtag = ((channel->flags &
+			     (ISC_LOG_PRINTTAG | ISC_LOG_PRINTPREFIX)) != 0 &&
+			    lcfg->tag != NULL);
+		printcolon = ((channel->flags & ISC_LOG_PRINTTAG) != 0 &&
+			      lcfg->tag != NULL);
+		printcategory = ((channel->flags & ISC_LOG_PRINTCATEGORY) != 0);
+		printmodule = ((channel->flags & ISC_LOG_PRINTMODULE) != 0);
+		printlevel = ((channel->flags & ISC_LOG_PRINTLEVEL) != 0);
+		buffered = ((channel->flags & ISC_LOG_BUFFERED) != 0);
+
+		if (printtime) {
+			if (iso8601) {
+				if (utc) {
+					time_string = iso8601z_string;
+				} else {
+					time_string = iso8601l_string;
+				}
+			} else {
+				time_string = local_time;
+			}
+		} else {
+			time_string = "";
+		}
+
+		switch (channel->type) {
+		case ISC_LOG_TOFILE:
+			if (FILE_MAXREACHED(channel)) {
+				/*
+				 * If the file can be rolled, OR
+				 * If the file no longer exists, OR
+				 * If the file is less than the maximum
+				 * size, (such as if it had been renamed
+				 * and a new one touched, or it was
+				 * truncated in place)
+				 * ... then close it to trigger
+				 * reopening.
+				 */
+				if (FILE_VERSIONS(channel) !=
+					    ISC_LOG_ROLLNEVER ||
+				    (stat(FILE_NAME(channel), &statbuf) != 0 &&
+				     errno == ENOENT) ||
+				    statbuf.st_size < FILE_MAXSIZE(channel))
+				{
+					(void)fclose(FILE_STREAM(channel));
+					FILE_STREAM(channel) = NULL;
+					FILE_MAXREACHED(channel) = false;
+				} else {
+					/*
+					 * Eh, skip it.
+					 */
+					break;
+				}
+			}
+
+			if (FILE_STREAM(channel) == NULL) {
+				result = isc_log_open(channel);
+				if (result != ISC_R_SUCCESS &&
+				    result != ISC_R_MAXSIZE &&
+				    (channel->flags & ISC_LOG_OPENERR) == 0)
+				{
+					syslog(LOG_ERR,
+					       "isc_log_open '%s' "
+					       "failed: %s",
+					       FILE_NAME(channel),
+					       isc_result_totext(result));
+					channel->flags |= ISC_LOG_OPENERR;
+				}
+				if (result != ISC_R_SUCCESS) {
+					break;
+				}
+				channel->flags &= ~ISC_LOG_OPENERR;
+			}
+			FALLTHROUGH;
+
+		case ISC_LOG_TOFILEDESC:
+			fprintf(FILE_STREAM(channel), "%s%s%s%s%s%s%s%s%s%s\n",
+				printtime ? time_string : "",
+				printtime ? " " : "", printtag ? lcfg->tag : "",
+				printcolon ? ": " : "",
+				printcategory ? category->name : "",
+				printcategory ? ": " : "",
+				printmodule ? (module != NULL ? module->name
+							      : "no_module")
+					    : "",
+				printmodule ? ": " : "",
+				printlevel ? level_string : "", lctx->buffer);
+
+			if (!buffered) {
+				fflush(FILE_STREAM(channel));
+			}
+
+			/*
+			 * If the file now exceeds its maximum size
+			 * threshold, note it so that it will not be
+			 * logged to any more.
+			 */
+			if (FILE_MAXSIZE(channel) > 0) {
+				INSIST(channel->type == ISC_LOG_TOFILE);
+
+				/* XXXDCL NT fstat/fileno */
+				/* XXXDCL complain if fstat fails? */
+				if (fstat(fileno(FILE_STREAM(channel)),
+					  &statbuf) >= 0 &&
+				    statbuf.st_size > FILE_MAXSIZE(channel))
+				{
+					FILE_MAXREACHED(channel) = true;
+				}
+			}
+
+			break;
+
+		case ISC_LOG_TOSYSLOG:
+			if (level > 0) {
+				syslog_level = LOG_DEBUG;
+			} else if (level < ISC_LOG_CRITICAL) {
+				syslog_level = LOG_CRIT;
+			} else {
+				syslog_level = syslog_map[-level];
+			}
+
+			(void)syslog(
+				FACILITY(channel) | syslog_level,
+				"%s%s%s%s%s%s%s%s%s%s",
+				printtime ? time_string : "",
+				printtime ? " " : "", printtag ? lcfg->tag : "",
+				printcolon ? ": " : "",
+				printcategory ? category->name : "",
+				printcategory ? ": " : "",
+				printmodule ? (module != NULL ? module->name
+							      : "no_module")
+					    : "",
+				printmodule ? ": " : "",
+				printlevel ? level_string : "", lctx->buffer);
+			break;
+
+		case ISC_LOG_TONULL:
+			break;
+		}
+	} while (1);
+
+unlock:
+	UNLOCK(&lctx->lock);
+	RDUNLOCK(&lctx->lcfg_rwl);
+}
diff --git a/lib/isc/managers.c b/lib/isc/managers.c
new file mode 100644
index 0000000..ba4b21d
--- /dev/null
+++ b/lib/isc/managers.c
@@ -0,0 +1,95 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <isc/managers.h>
+#include <isc/util.h>
+
+#include "netmgr_p.h"
+#include "task_p.h"
+
+isc_result_t
+isc_managers_create(isc_mem_t *mctx, size_t workers, size_t quantum,
+		    isc_nm_t **netmgrp, isc_taskmgr_t **taskmgrp) {
+	isc_result_t result;
+	isc_taskmgr_t *taskmgr = NULL;
+	isc_nm_t *netmgr = NULL;
+
+	REQUIRE(netmgrp != NULL && *netmgrp == NULL);
+	isc__netmgr_create(mctx, workers, &netmgr);
+	*netmgrp = netmgr;
+	INSIST(netmgr != NULL);
+
+	REQUIRE(taskmgrp == NULL || *taskmgrp == NULL);
+	if (taskmgrp != NULL) {
+		INSIST(netmgr != NULL);
+		result = isc__taskmgr_create(mctx, quantum, netmgr, &taskmgr);
+		if (result != ISC_R_SUCCESS) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "isc_managers_create() failed: %s",
+					 isc_result_totext(result));
+			goto fail;
+		}
+		*taskmgrp = taskmgr;
+	}
+
+	return (ISC_R_SUCCESS);
+fail:
+	isc_managers_destroy(netmgrp, taskmgrp);
+
+	return (result);
+}
+
+void
+isc_managers_destroy(isc_nm_t **netmgrp, isc_taskmgr_t **taskmgrp) {
+	/*
+	 * If we have a taskmgr to clean up, then we must also have a netmgr.
+	 */
+	REQUIRE(taskmgrp != NULL || netmgrp == NULL);
+
+	/*
+	 * The sequence of operations here is important:
+	 *
+	 * 1. Initiate shutdown of the taskmgr, sending shutdown events to
+	 * all tasks that are not already shutting down.
+	 */
+	if (taskmgrp != NULL) {
+		INSIST(*taskmgrp != NULL);
+		isc__taskmgr_shutdown(*taskmgrp);
+	}
+
+	/*
+	 * 2. Initiate shutdown of the network manager, freeing clients
+	 * and other resources and preventing new connections, but do
+	 * not stop processing of existing events.
+	 */
+	if (netmgrp != NULL) {
+		INSIST(*netmgrp != NULL);
+		isc__netmgr_shutdown(*netmgrp);
+	}
+
+	/*
+	 * 3. Finish destruction of the task manager when all tasks
+	 * have completed.
+	 */
+	if (taskmgrp != NULL) {
+		isc__taskmgr_destroy(taskmgrp);
+	}
+
+	/*
+	 * 4. Finish destruction of the netmgr, and wait until all
+	 * references have been released.
+	 */
+	if (netmgrp != NULL) {
+		isc__netmgr_destroy(netmgrp);
+	}
+}
diff --git a/lib/isc/md.c b/lib/isc/md.c
new file mode 100644
index 0000000..0c6a70d
--- /dev/null
+++ b/lib/isc/md.c
@@ -0,0 +1,175 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stdio.h>
+
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/opensslv.h>
+
+#include <isc/md.h>
+#include <isc/util.h>
+
+#include "openssl_shim.h"
+
+isc_md_t *
+isc_md_new(void) {
+	isc_md_t *md = EVP_MD_CTX_new();
+	RUNTIME_CHECK(md != NULL);
+	return (md);
+}
+
+void
+isc_md_free(isc_md_t *md) {
+	if (ISC_UNLIKELY(md == NULL)) {
+		return;
+	}
+
+	EVP_MD_CTX_free(md);
+}
+
+isc_result_t
+isc_md_init(isc_md_t *md, const isc_md_type_t *md_type) {
+	REQUIRE(md != NULL);
+
+	if (md_type == NULL) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	if (EVP_DigestInit_ex(md, md_type, NULL) != 1) {
+		return (ISC_R_CRYPTOFAILURE);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_md_reset(isc_md_t *md) {
+	REQUIRE(md != NULL);
+
+	if (EVP_MD_CTX_reset(md) != 1) {
+		return (ISC_R_CRYPTOFAILURE);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_md_update(isc_md_t *md, const unsigned char *buf, const size_t len) {
+	REQUIRE(md != NULL);
+
+	if (ISC_UNLIKELY(buf == NULL || len == 0)) {
+		return (ISC_R_SUCCESS);
+	}
+
+	if (EVP_DigestUpdate(md, buf, len) != 1) {
+		return (ISC_R_CRYPTOFAILURE);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_md_final(isc_md_t *md, unsigned char *digest, unsigned int *digestlen) {
+	REQUIRE(md != NULL);
+	REQUIRE(digest != NULL);
+
+	if (EVP_DigestFinal_ex(md, digest, digestlen) != 1) {
+		return (ISC_R_CRYPTOFAILURE);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+const isc_md_type_t *
+isc_md_get_md_type(isc_md_t *md) {
+	REQUIRE(md != NULL);
+
+	return (EVP_MD_CTX_md(md));
+}
+
+size_t
+isc_md_get_size(isc_md_t *md) {
+	REQUIRE(md != NULL);
+
+	return (EVP_MD_CTX_size(md));
+}
+
+size_t
+isc_md_get_block_size(isc_md_t *md) {
+	REQUIRE(md != NULL);
+
+	return (EVP_MD_CTX_block_size(md));
+}
+
+size_t
+isc_md_type_get_size(const isc_md_type_t *md_type) {
+	STATIC_ASSERT(ISC_MAX_MD_SIZE >= EVP_MAX_MD_SIZE,
+		      "Change ISC_MAX_MD_SIZE to be greater than or equal to "
+		      "EVP_MAX_MD_SIZE");
+	if (md_type != NULL) {
+		return ((size_t)EVP_MD_size(md_type));
+	}
+
+	return (ISC_MAX_MD_SIZE);
+}
+
+size_t
+isc_md_type_get_block_size(const isc_md_type_t *md_type) {
+	STATIC_ASSERT(ISC_MAX_MD_SIZE >= EVP_MAX_MD_SIZE,
+		      "Change ISC_MAX_MD_SIZE to be greater than or equal to "
+		      "EVP_MAX_MD_SIZE");
+	if (md_type != NULL) {
+		return ((size_t)EVP_MD_block_size(md_type));
+	}
+
+	return (ISC_MAX_MD_SIZE);
+}
+
+isc_result_t
+isc_md(const isc_md_type_t *md_type, const unsigned char *buf, const size_t len,
+       unsigned char *digest, unsigned int *digestlen) {
+	isc_md_t *md;
+	isc_result_t res;
+
+	md = isc_md_new();
+
+	res = isc_md_init(md, md_type);
+	if (res != ISC_R_SUCCESS) {
+		goto end;
+	}
+
+	res = isc_md_update(md, buf, len);
+	if (res != ISC_R_SUCCESS) {
+		goto end;
+	}
+
+	res = isc_md_final(md, digest, digestlen);
+	if (res != ISC_R_SUCCESS) {
+		goto end;
+	}
+end:
+	isc_md_free(md);
+
+	return (res);
+}
+
+#define md_register_algorithm(alg) \
+	const isc_md_type_t *isc__md_##alg(void) { return (EVP_##alg()); }
+
+md_register_algorithm(md5);
+md_register_algorithm(sha1);
+md_register_algorithm(sha224);
+md_register_algorithm(sha256);
+md_register_algorithm(sha384);
+md_register_algorithm(sha512);
diff --git a/lib/isc/mem.c b/lib/isc/mem.c
new file mode 100644
index 0000000..21b2d86
--- /dev/null
+++ b/lib/isc/mem.c
@@ -0,0 +1,2450 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <errno.h>
+#include <inttypes.h>
+#include <limits.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <isc/bind9.h>
+#include <isc/hash.h>
+#include <isc/lib.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/mutex.h>
+#include <isc/once.h>
+#include <isc/print.h>
+#include <isc/refcount.h>
+#include <isc/strerr.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#ifdef HAVE_LIBXML2
+#include <libxml/xmlwriter.h>
+#define ISC_XMLCHAR (const xmlChar *)
+#endif /* HAVE_LIBXML2 */
+
+#ifdef HAVE_JSON_C
+#include <json_object.h>
+#endif /* HAVE_JSON_C */
+
+#include "mem_p.h"
+
+#define MCTXLOCK(m)   LOCK(&m->lock)
+#define MCTXUNLOCK(m) UNLOCK(&m->lock)
+
+#ifndef ISC_MEM_DEBUGGING
+#define ISC_MEM_DEBUGGING 0
+#endif /* ifndef ISC_MEM_DEBUGGING */
+LIBISC_EXTERNAL_DATA unsigned int isc_mem_debugging = ISC_MEM_DEBUGGING;
+LIBISC_EXTERNAL_DATA unsigned int isc_mem_defaultflags = ISC_MEMFLAG_DEFAULT;
+
+/*
+ * Constants.
+ */
+
+#define DEF_MAX_SIZE   1100
+#define DEF_MEM_TARGET 4096
+#define ALIGNMENT_SIZE \
+	8U /*%< must be a power of 2, also update lib/dns/rbt.c */
+#define NUM_BASIC_BLOCKS  64 /*%< must be > 1 */
+#define TABLE_INCREMENT	  1024
+#define DEBUG_TABLE_COUNT 512U
+
+/*
+ * Types.
+ */
+typedef struct isc__mem isc__mem_t;
+typedef struct isc__mempool isc__mempool_t;
+
+#if ISC_MEM_TRACKLINES
+typedef struct debuglink debuglink_t;
+struct debuglink {
+	ISC_LINK(debuglink_t) link;
+	const void *ptr;
+	size_t size;
+	const char *file;
+	unsigned int line;
+};
+
+typedef ISC_LIST(debuglink_t) debuglist_t;
+
+#define FLARG_PASS , file, line
+#define FLARG	   , const char *file, unsigned int line
+#else /* if ISC_MEM_TRACKLINES */
+#define FLARG_PASS
+#define FLARG
+#endif /* if ISC_MEM_TRACKLINES */
+
+typedef struct element element;
+struct element {
+	element *next;
+};
+
+typedef struct {
+	/*!
+	 * This structure must be ALIGNMENT_SIZE bytes.
+	 */
+	union {
+		size_t size;
+		isc__mem_t *ctx;
+		char bytes[ALIGNMENT_SIZE];
+	} u;
+} size_info;
+
+struct stats {
+	unsigned long gets;
+	unsigned long totalgets;
+	unsigned long blocks;
+	unsigned long freefrags;
+};
+
+#define MEM_MAGIC	 ISC_MAGIC('M', 'e', 'm', 'C')
+#define VALID_CONTEXT(c) ISC_MAGIC_VALID(c, MEM_MAGIC)
+
+/* List of all active memory contexts. */
+
+static ISC_LIST(isc__mem_t) contexts;
+
+static isc_once_t init_once = ISC_ONCE_INIT;
+static isc_once_t shut_once = ISC_ONCE_INIT;
+static isc_mutex_t contextslock;
+
+/*%
+ * Total size of lost memory due to a bug of external library.
+ * Locked by the global lock.
+ */
+static uint64_t totallost;
+
+/*%
+ * Memory allocation and free function definitions.
+ * isc__memalloc_t must deal with memory allocation failure
+ * and must never return NULL.
+ */
+typedef void *(*isc__memalloc_t)(size_t);
+typedef void (*isc__memfree_t)(void *);
+
+struct isc__mem {
+	isc_mem_t common;
+	unsigned int flags;
+	isc_mutex_t lock;
+	isc__memalloc_t memalloc;
+	isc__memfree_t memfree;
+	size_t max_size;
+	bool checkfree;
+	struct stats *stats;
+	isc_refcount_t references;
+	char name[16];
+	void *tag;
+	size_t total;
+	size_t inuse;
+	size_t maxinuse;
+	size_t malloced;
+	size_t maxmalloced;
+	size_t hi_water;
+	size_t lo_water;
+	bool hi_called;
+	bool is_overmem;
+	isc_mem_water_t water;
+	void *water_arg;
+	ISC_LIST(isc__mempool_t) pools;
+	unsigned int poolcnt;
+
+	/*  ISC_MEMFLAG_INTERNAL */
+	size_t mem_target;
+	element **freelists;
+	element *basic_blocks;
+	unsigned char **basic_table;
+	unsigned int basic_table_count;
+	unsigned int basic_table_size;
+	unsigned char *lowest;
+	unsigned char *highest;
+
+#if ISC_MEM_TRACKLINES
+	debuglist_t *debuglist;
+	size_t debuglistcnt;
+#endif /* if ISC_MEM_TRACKLINES */
+
+	ISC_LINK(isc__mem_t) link;
+};
+
+#define MEMPOOL_MAGIC	 ISC_MAGIC('M', 'E', 'M', 'p')
+#define VALID_MEMPOOL(c) ISC_MAGIC_VALID(c, MEMPOOL_MAGIC)
+
+struct isc__mempool {
+	/* always unlocked */
+	isc_mempool_t common;	       /*%< common header of mempool's */
+	isc__mem_t *mctx;	       /*%< our memory context */
+	ISC_LINK(isc__mempool_t) link; /*%< next pool in this mem context */
+	element *items;		       /*%< low water item list */
+	size_t size;		       /*%< size of each item on this pool */
+	unsigned int maxalloc;	       /*%< max number of items allowed */
+	unsigned int allocated;	       /*%< # of items currently given out */
+	unsigned int freecount;	       /*%< # of items on reserved list */
+	unsigned int freemax;	       /*%< # of items allowed on free list */
+	unsigned int fillcount;	       /*%< # of items to fetch on each fill */
+	/*%< Stats only. */
+	unsigned int gets; /*%< # of requests to this pool */
+			   /*%< Debugging only. */
+#if ISC_MEMPOOL_NAMES
+	char name[16]; /*%< printed name in stats reports */
+#endif		       /* if ISC_MEMPOOL_NAMES */
+};
+
+/*
+ * Private Inline-able.
+ */
+
+#if !ISC_MEM_TRACKLINES
+#define ADD_TRACE(a, b, c, d, e)
+#define DELETE_TRACE(a, b, c, d, e)
+#define ISC_MEMFUNC_SCOPE
+#else /* if !ISC_MEM_TRACKLINES */
+#define TRACE_OR_RECORD (ISC_MEM_DEBUGTRACE | ISC_MEM_DEBUGRECORD)
+#define ADD_TRACE(a, b, c, d, e)                                               \
+	do {                                                                   \
+		if (ISC_UNLIKELY((isc_mem_debugging & TRACE_OR_RECORD) != 0 && \
+				 b != NULL))                                   \
+			add_trace_entry(a, b, c, d, e);                        \
+	} while (0)
+#define DELETE_TRACE(a, b, c, d, e)                                            \
+	do {                                                                   \
+		if (ISC_UNLIKELY((isc_mem_debugging & TRACE_OR_RECORD) != 0 && \
+				 b != NULL))                                   \
+			delete_trace_entry(a, b, c, d, e);                     \
+	} while (0)
+
+static void
+print_active(isc__mem_t *ctx, FILE *out);
+
+#endif /* ISC_MEM_TRACKLINES */
+
+static void *
+isc___mem_get(isc_mem_t *ctx, size_t size FLARG);
+static void
+isc___mem_put(isc_mem_t *ctx, void *ptr, size_t size FLARG);
+static void
+isc___mem_putanddetach(isc_mem_t **ctxp, void *ptr, size_t size FLARG);
+static void *
+isc___mem_allocate(isc_mem_t *ctx, size_t size FLARG);
+static void *
+isc___mem_reallocate(isc_mem_t *ctx, void *ptr, size_t size FLARG);
+static char *
+isc___mem_strdup(isc_mem_t *mctx, const char *s FLARG);
+static char *
+isc___mem_strndup(isc_mem_t *mctx0, const char *s, size_t size FLARG);
+static void
+isc___mem_free(isc_mem_t *ctx, void *ptr FLARG);
+
+static isc_memmethods_t memmethods = {
+	isc___mem_get,	    isc___mem_put,	  isc___mem_putanddetach,
+	isc___mem_allocate, isc___mem_reallocate, isc___mem_strdup,
+	isc___mem_strndup,  isc___mem_free,
+};
+
+#if ISC_MEM_TRACKLINES
+/*!
+ * mctx must be locked.
+ */
+static void
+add_trace_entry(isc__mem_t *mctx, const void *ptr, size_t size FLARG) {
+	debuglink_t *dl;
+	uint32_t hash;
+	uint32_t idx;
+
+	if ((isc_mem_debugging & ISC_MEM_DEBUGTRACE) != 0) {
+		fprintf(stderr, "add %p size %zu file %s line %u mctx %p\n",
+			ptr, size, file, line, mctx);
+	}
+
+	if (mctx->debuglist == NULL) {
+		return;
+	}
+
+#ifdef __COVERITY__
+	/*
+	 * Use simple conversion from pointer to hash to avoid
+	 * tainting 'ptr' due to byte swap in isc_hash_function.
+	 */
+	hash = (uintptr_t)ptr >> 3;
+#else
+	hash = isc_hash_function(&ptr, sizeof(ptr), true);
+#endif
+	idx = hash % DEBUG_TABLE_COUNT;
+
+	dl = malloc(sizeof(debuglink_t));
+	INSIST(dl != NULL);
+	mctx->malloced += sizeof(debuglink_t);
+	if (mctx->malloced > mctx->maxmalloced) {
+		mctx->maxmalloced = mctx->malloced;
+	}
+
+	ISC_LINK_INIT(dl, link);
+	dl->ptr = ptr;
+	dl->size = size;
+	dl->file = file;
+	dl->line = line;
+
+	ISC_LIST_PREPEND(mctx->debuglist[idx], dl, link);
+	mctx->debuglistcnt++;
+}
+
+static void
+delete_trace_entry(isc__mem_t *mctx, const void *ptr, size_t size,
+		   const char *file, unsigned int line) {
+	debuglink_t *dl;
+	uint32_t hash;
+	uint32_t idx;
+
+	if ((isc_mem_debugging & ISC_MEM_DEBUGTRACE) != 0) {
+		fprintf(stderr, "del %p size %zu file %s line %u mctx %p\n",
+			ptr, size, file, line, mctx);
+	}
+
+	if (mctx->debuglist == NULL) {
+		return;
+	}
+
+#ifdef __COVERITY__
+	/*
+	 * Use simple conversion from pointer to hash to avoid
+	 * tainting 'ptr' due to byte swap in isc_hash_function.
+	 */
+	hash = (uintptr_t)ptr >> 3;
+#else
+	hash = isc_hash_function(&ptr, sizeof(ptr), true);
+#endif
+	idx = hash % DEBUG_TABLE_COUNT;
+
+	dl = ISC_LIST_HEAD(mctx->debuglist[idx]);
+	while (ISC_LIKELY(dl != NULL)) {
+		if (ISC_UNLIKELY(dl->ptr == ptr)) {
+			ISC_LIST_UNLINK(mctx->debuglist[idx], dl, link);
+			mctx->malloced -= sizeof(*dl);
+			free(dl);
+			return;
+		}
+		dl = ISC_LIST_NEXT(dl, link);
+	}
+
+	/*
+	 * If we get here, we didn't find the item on the list.  We're
+	 * screwed.
+	 */
+	UNREACHABLE();
+}
+#endif /* ISC_MEM_TRACKLINES */
+
+static size_t
+rmsize(size_t size) {
+	/*
+	 * round down to ALIGNMENT_SIZE
+	 */
+	return (size & (~(ALIGNMENT_SIZE - 1)));
+}
+
+static size_t
+quantize(size_t size) {
+	/*!
+	 * Round up the result in order to get a size big
+	 * enough to satisfy the request and be aligned on ALIGNMENT_SIZE
+	 * byte boundaries.
+	 */
+
+	if (size == 0U) {
+		return (ALIGNMENT_SIZE);
+	}
+	return ((size + ALIGNMENT_SIZE - 1) & (~(ALIGNMENT_SIZE - 1)));
+}
+
+static void
+more_basic_blocks(isc__mem_t *ctx) {
+	void *tmp;
+	unsigned char *curr, *next;
+	unsigned char *first, *last;
+	unsigned char **table;
+	unsigned int table_size;
+
+	/* Require: we hold the context lock. */
+
+	INSIST(ctx->basic_table_count <= ctx->basic_table_size);
+	if (ctx->basic_table_count == ctx->basic_table_size) {
+		table_size = ctx->basic_table_size + TABLE_INCREMENT;
+		table = (ctx->memalloc)(table_size * sizeof(unsigned char *));
+		ctx->malloced += table_size * sizeof(unsigned char *);
+		if (ctx->malloced > ctx->maxmalloced) {
+			ctx->maxmalloced = ctx->malloced;
+		}
+		if (ctx->basic_table_size != 0) {
+			memmove(table, ctx->basic_table,
+				ctx->basic_table_size *
+					sizeof(unsigned char *));
+			(ctx->memfree)(ctx->basic_table);
+			ctx->malloced -= ctx->basic_table_size *
+					 sizeof(unsigned char *);
+		}
+		ctx->basic_table = table;
+		ctx->basic_table_size = table_size;
+	}
+
+	tmp = (ctx->memalloc)(NUM_BASIC_BLOCKS * ctx->mem_target);
+	ctx->total += NUM_BASIC_BLOCKS * ctx->mem_target;
+	ctx->basic_table[ctx->basic_table_count] = tmp;
+	ctx->basic_table_count++;
+	ctx->malloced += NUM_BASIC_BLOCKS * ctx->mem_target;
+	if (ctx->malloced > ctx->maxmalloced) {
+		ctx->maxmalloced = ctx->malloced;
+	}
+
+	curr = tmp;
+	next = curr + ctx->mem_target;
+	for (int i = 0; i < (NUM_BASIC_BLOCKS - 1); i++) {
+		((element *)curr)->next = (element *)next;
+		curr = next;
+		next += ctx->mem_target;
+	}
+	/*
+	 * curr is now pointing at the last block in the
+	 * array.
+	 */
+	((element *)curr)->next = NULL;
+	first = tmp;
+	last = first + NUM_BASIC_BLOCKS * ctx->mem_target - 1;
+	if (first < ctx->lowest || ctx->lowest == NULL) {
+		ctx->lowest = first;
+	}
+	if (last > ctx->highest) {
+		ctx->highest = last;
+	}
+	ctx->basic_blocks = tmp;
+}
+
+static void
+more_frags(isc__mem_t *ctx, size_t new_size) {
+	int frags;
+	size_t total_size;
+	void *tmp;
+	unsigned char *curr, *next;
+
+	/*!
+	 * Try to get more fragments by chopping up a basic block.
+	 */
+
+	if (ctx->basic_blocks == NULL) {
+		more_basic_blocks(ctx);
+	}
+	INSIST(ctx->basic_blocks != NULL);
+
+	total_size = ctx->mem_target;
+	tmp = ctx->basic_blocks;
+	ctx->basic_blocks = ctx->basic_blocks->next;
+	frags = (int)(total_size / new_size);
+	ctx->stats[new_size].blocks++;
+	ctx->stats[new_size].freefrags += frags;
+	/*
+	 * Set up a linked-list of blocks of size
+	 * "new_size".
+	 */
+	curr = tmp;
+	next = curr + new_size;
+	total_size -= new_size;
+	for (int i = 0; i < (frags - 1); i++) {
+		((element *)curr)->next = (element *)next;
+		curr = next;
+		next += new_size;
+		total_size -= new_size;
+	}
+	/*
+	 * Add the remaining fragment of the basic block to a free list.
+	 */
+	total_size = rmsize(total_size);
+	if (total_size > 0U) {
+		((element *)next)->next = ctx->freelists[total_size];
+		ctx->freelists[total_size] = (element *)next;
+		ctx->stats[total_size].freefrags++;
+	}
+	/*
+	 * curr is now pointing at the last block in the
+	 * array.
+	 */
+	((element *)curr)->next = NULL;
+	ctx->freelists[new_size] = tmp;
+}
+
+static void *
+mem_getunlocked(isc__mem_t *ctx, size_t size) {
+	size_t new_size = quantize(size);
+	void *ret;
+
+	if (new_size >= ctx->max_size) {
+		/*
+		 * memget() was called on something beyond our upper limit.
+		 */
+		ret = (ctx->memalloc)(size);
+		ctx->total += size;
+		ctx->inuse += size;
+		ctx->stats[ctx->max_size].gets++;
+		ctx->stats[ctx->max_size].totalgets++;
+		ctx->malloced += size;
+		if (ctx->malloced > ctx->maxmalloced) {
+			ctx->maxmalloced = ctx->malloced;
+		}
+		/*
+		 * If we don't set new_size to size, then the
+		 * ISC_MEMFLAG_FILL code might write over bytes we don't
+		 * own.
+		 */
+		new_size = size;
+		goto done;
+	}
+	/*
+	 * If there are no blocks in the free list for this size, get a chunk
+	 * of memory and then break it up into "new_size"-sized blocks, adding
+	 * them to the free list.
+	 */
+	if (ctx->freelists[new_size] == NULL) {
+		more_frags(ctx, new_size);
+	}
+	INSIST(ctx->freelists[new_size] != NULL);
+
+	/*
+	 * The free list uses the "rounded-up" size "new_size".
+	 */
+
+	ret = ctx->freelists[new_size];
+	ctx->freelists[new_size] = ctx->freelists[new_size]->next;
+
+	/*
+	 * The stats[] uses the _actual_ "size" requested by the
+	 * caller, with the caveat (in the code above) that "size" >= the
+	 * max. size (max_size) ends up getting recorded as a call to
+	 * max_size.
+	 */
+	ctx->stats[size].gets++;
+	ctx->stats[size].totalgets++;
+	ctx->stats[new_size].freefrags--;
+	ctx->inuse += new_size;
+
+done:
+	if (ISC_UNLIKELY((ctx->flags & ISC_MEMFLAG_FILL) != 0) &&
+	    ISC_LIKELY(ret != NULL))
+	{
+		memset(ret, 0xbe, new_size); /* Mnemonic for "beef". */
+	}
+
+	return (ret);
+}
+
+#if ISC_MEM_CHECKOVERRUN
+static void
+check_overrun(void *mem, size_t size, size_t new_size) {
+	unsigned char *cp;
+
+	cp = (unsigned char *)mem;
+	cp += size;
+	while (size < new_size) {
+		INSIST(*cp == 0xbe);
+		cp++;
+		size++;
+	}
+}
+#endif /* if ISC_MEM_CHECKOVERRUN */
+
+/* coverity[+free : arg-1] */
+static void
+mem_putunlocked(isc__mem_t *ctx, void *mem, size_t size) {
+	size_t new_size = quantize(size);
+
+	if (new_size >= ctx->max_size) {
+		/*
+		 * memput() called on something beyond our upper limit.
+		 */
+		if (ISC_UNLIKELY((ctx->flags & ISC_MEMFLAG_FILL) != 0)) {
+			memset(mem, 0xde, size); /* Mnemonic for "dead". */
+		}
+
+		(ctx->memfree)(mem);
+		INSIST(ctx->stats[ctx->max_size].gets != 0U);
+		ctx->stats[ctx->max_size].gets--;
+		INSIST(size <= ctx->inuse);
+		ctx->inuse -= size;
+		ctx->malloced -= size;
+		return;
+	}
+
+	if (ISC_UNLIKELY((ctx->flags & ISC_MEMFLAG_FILL) != 0)) {
+#if ISC_MEM_CHECKOVERRUN
+		check_overrun(mem, size, new_size);
+#endif					     /* if ISC_MEM_CHECKOVERRUN */
+		memset(mem, 0xde, new_size); /* Mnemonic for "dead". */
+	}
+
+	/*
+	 * The free list uses the "rounded-up" size "new_size".
+	 */
+	((element *)mem)->next = ctx->freelists[new_size];
+	ctx->freelists[new_size] = (element *)mem;
+
+	/*
+	 * The stats[] uses the _actual_ "size" requested by the
+	 * caller, with the caveat (in the code above) that "size" >= the
+	 * max. size (max_size) ends up getting recorded as a call to
+	 * max_size.
+	 */
+	INSIST(ctx->stats[size].gets != 0U);
+	ctx->stats[size].gets--;
+	ctx->stats[new_size].freefrags++;
+	ctx->inuse -= new_size;
+}
+
+/*!
+ * Perform a malloc, doing memory filling and overrun detection as necessary.
+ */
+static void *
+mem_get(isc__mem_t *ctx, size_t size) {
+	char *ret;
+
+#if ISC_MEM_CHECKOVERRUN
+	size += 1;
+#endif /* if ISC_MEM_CHECKOVERRUN */
+	ret = (ctx->memalloc)(size);
+
+	if (ISC_UNLIKELY((ctx->flags & ISC_MEMFLAG_FILL) != 0)) {
+		if (ISC_LIKELY(ret != NULL)) {
+			memset(ret, 0xbe, size); /* Mnemonic for "beef". */
+		}
+	}
+#if ISC_MEM_CHECKOVERRUN
+	else
+	{
+		if (ISC_LIKELY(ret != NULL)) {
+			ret[size - 1] = 0xbe;
+		}
+	}
+#endif /* if ISC_MEM_CHECKOVERRUN */
+
+	return (ret);
+}
+
+/*!
+ * Perform a free, doing memory filling and overrun detection as necessary.
+ */
+/* coverity[+free : arg-1] */
+static void
+mem_put(isc__mem_t *ctx, void *mem, size_t size) {
+#if ISC_MEM_CHECKOVERRUN
+	INSIST(((unsigned char *)mem)[size] == 0xbe);
+	size += 1;
+#endif /* if ISC_MEM_CHECKOVERRUN */
+	if (ISC_UNLIKELY((ctx->flags & ISC_MEMFLAG_FILL) != 0)) {
+		memset(mem, 0xde, size); /* Mnemonic for "dead". */
+	}
+	(ctx->memfree)(mem);
+}
+
+/*!
+ * Update internal counters after a memory get.
+ */
+static void
+mem_getstats(isc__mem_t *ctx, size_t size) {
+	ctx->total += size;
+	ctx->inuse += size;
+
+	if (size > ctx->max_size) {
+		ctx->stats[ctx->max_size].gets++;
+		ctx->stats[ctx->max_size].totalgets++;
+	} else {
+		ctx->stats[size].gets++;
+		ctx->stats[size].totalgets++;
+	}
+
+#if ISC_MEM_CHECKOVERRUN
+	size += 1;
+#endif /* if ISC_MEM_CHECKOVERRUN */
+	ctx->malloced += size;
+	if (ctx->malloced > ctx->maxmalloced) {
+		ctx->maxmalloced = ctx->malloced;
+	}
+}
+
+/*!
+ * Update internal counters after a memory put.
+ */
+static void
+mem_putstats(isc__mem_t *ctx, void *ptr, size_t size) {
+	UNUSED(ptr);
+
+	INSIST(ctx->inuse >= size);
+	ctx->inuse -= size;
+
+	if (size > ctx->max_size) {
+		INSIST(ctx->stats[ctx->max_size].gets > 0U);
+		ctx->stats[ctx->max_size].gets--;
+	} else {
+		INSIST(ctx->stats[size].gets > 0U);
+		ctx->stats[size].gets--;
+	}
+#if ISC_MEM_CHECKOVERRUN
+	size += 1;
+#endif /* if ISC_MEM_CHECKOVERRUN */
+	ctx->malloced -= size;
+}
+
+/*
+ * Private.
+ */
+
+static void *
+default_memalloc(size_t size) {
+	void *ptr;
+
+	ptr = malloc(size);
+
+	/*
+	 * If the space cannot be allocated, a null pointer is returned. If the
+	 * size of the space requested is zero, the behavior is
+	 * implementation-defined: either a null pointer is returned, or the
+	 * behavior is as if the size were some nonzero value, except that the
+	 * returned pointer shall not be used to access an object.
+	 * [ISO9899 § 7.22.3]
+	 *
+	 * [ISO9899]
+	 *   ISO/IEC WG 9899:2011: Programming languages - C.
+	 *   International Organization for Standardization, Geneva,
+	 * Switzerland.
+	 *   http://www.open-std.org/JTC1/SC22/WG14/www/docs/n1570.pdf
+	 */
+
+	if (ptr == NULL && size != 0) {
+		char strbuf[ISC_STRERRORSIZE];
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		isc_error_fatal(__FILE__, __LINE__, "malloc failed: %s",
+				strbuf);
+	}
+
+	return (ptr);
+}
+
+static void
+default_memfree(void *ptr) {
+	free(ptr);
+}
+
+static void
+mem_initialize(void) {
+	isc_mutex_init(&contextslock);
+	ISC_LIST_INIT(contexts);
+	totallost = 0;
+}
+
+void
+isc__mem_initialize(void) {
+	RUNTIME_CHECK(isc_once_do(&init_once, mem_initialize) == ISC_R_SUCCESS);
+}
+
+static void
+mem_shutdown(void) {
+	isc__mem_checkdestroyed();
+
+	isc_mutex_destroy(&contextslock);
+}
+
+void
+isc__mem_shutdown(void) {
+	RUNTIME_CHECK(isc_once_do(&shut_once, mem_shutdown) == ISC_R_SUCCESS);
+}
+
+static void
+mem_create(isc_mem_t **ctxp, unsigned int flags) {
+	REQUIRE(ctxp != NULL && *ctxp == NULL);
+#if __SANITIZE_ADDRESS__
+	REQUIRE((flags & ISC_MEMFLAG_INTERNAL) == 0);
+#endif
+
+	isc__mem_t *ctx;
+
+	isc_enable_constructors();
+
+	STATIC_ASSERT((ALIGNMENT_SIZE & (ALIGNMENT_SIZE - 1)) == 0,
+		      "wrong alignment size");
+
+	ctx = (default_memalloc)(sizeof(*ctx));
+
+	isc_mutex_init(&ctx->lock);
+
+	ctx->max_size = DEF_MAX_SIZE;
+	ctx->flags = flags;
+	isc_refcount_init(&ctx->references, 1);
+	memset(ctx->name, 0, sizeof(ctx->name));
+	ctx->tag = NULL;
+	ctx->total = 0;
+	ctx->inuse = 0;
+	ctx->maxinuse = 0;
+	ctx->malloced = sizeof(*ctx);
+	ctx->maxmalloced = sizeof(*ctx);
+	ctx->hi_water = 0;
+	ctx->lo_water = 0;
+	ctx->hi_called = false;
+	ctx->is_overmem = false;
+	ctx->water = NULL;
+	ctx->water_arg = NULL;
+	ctx->common.impmagic = MEM_MAGIC;
+	ctx->common.magic = ISCAPI_MCTX_MAGIC;
+	ctx->common.methods = (isc_memmethods_t *)&memmethods;
+	ctx->memalloc = default_memalloc;
+	ctx->memfree = default_memfree;
+	ctx->stats = NULL;
+	ctx->checkfree = true;
+#if ISC_MEM_TRACKLINES
+	ctx->debuglist = NULL;
+	ctx->debuglistcnt = 0;
+#endif /* if ISC_MEM_TRACKLINES */
+	ISC_LIST_INIT(ctx->pools);
+	ctx->poolcnt = 0;
+	ctx->freelists = NULL;
+	ctx->basic_blocks = NULL;
+	ctx->basic_table = NULL;
+	ctx->basic_table_count = 0;
+	ctx->basic_table_size = 0;
+	ctx->lowest = NULL;
+	ctx->highest = NULL;
+
+	ctx->stats =
+		(ctx->memalloc)((ctx->max_size + 1) * sizeof(struct stats));
+
+	memset(ctx->stats, 0, (ctx->max_size + 1) * sizeof(struct stats));
+	ctx->malloced += (ctx->max_size + 1) * sizeof(struct stats);
+	ctx->maxmalloced += (ctx->max_size + 1) * sizeof(struct stats);
+
+	if ((flags & ISC_MEMFLAG_INTERNAL) != 0) {
+		ctx->mem_target = DEF_MEM_TARGET;
+		ctx->freelists =
+			(ctx->memalloc)(ctx->max_size * sizeof(element *));
+		memset(ctx->freelists, 0, ctx->max_size * sizeof(element *));
+		ctx->malloced += ctx->max_size * sizeof(element *);
+		ctx->maxmalloced += ctx->max_size * sizeof(element *);
+	}
+
+#if ISC_MEM_TRACKLINES
+	if (ISC_UNLIKELY((isc_mem_debugging & ISC_MEM_DEBUGRECORD) != 0)) {
+		unsigned int i;
+
+		ctx->debuglist = (ctx->memalloc)(
+			(DEBUG_TABLE_COUNT * sizeof(debuglist_t)));
+		for (i = 0; i < DEBUG_TABLE_COUNT; i++) {
+			ISC_LIST_INIT(ctx->debuglist[i]);
+		}
+		ctx->malloced += DEBUG_TABLE_COUNT * sizeof(debuglist_t);
+		ctx->maxmalloced += DEBUG_TABLE_COUNT * sizeof(debuglist_t);
+	}
+#endif /* if ISC_MEM_TRACKLINES */
+
+	LOCK(&contextslock);
+	ISC_LIST_INITANDAPPEND(contexts, ctx, link);
+	UNLOCK(&contextslock);
+
+	*ctxp = (isc_mem_t *)ctx;
+}
+
+/*
+ * Public.
+ */
+
+static void
+destroy(isc__mem_t *ctx) {
+	unsigned int i;
+
+	LOCK(&contextslock);
+	ISC_LIST_UNLINK(contexts, ctx, link);
+	totallost += ctx->inuse;
+	UNLOCK(&contextslock);
+
+	ctx->common.impmagic = 0;
+	ctx->common.magic = 0;
+
+	INSIST(ISC_LIST_EMPTY(ctx->pools));
+
+#if ISC_MEM_TRACKLINES
+	if (ISC_UNLIKELY(ctx->debuglist != NULL)) {
+		debuglink_t *dl;
+		for (i = 0; i < DEBUG_TABLE_COUNT; i++) {
+			for (dl = ISC_LIST_HEAD(ctx->debuglist[i]); dl != NULL;
+			     dl = ISC_LIST_HEAD(ctx->debuglist[i]))
+			{
+				if (ctx->checkfree && dl->ptr != NULL) {
+					print_active(ctx, stderr);
+				}
+				INSIST(!ctx->checkfree || dl->ptr == NULL);
+
+				ISC_LIST_UNLINK(ctx->debuglist[i], dl, link);
+				free(dl);
+				ctx->malloced -= sizeof(*dl);
+			}
+		}
+
+		(ctx->memfree)(ctx->debuglist);
+		ctx->malloced -= DEBUG_TABLE_COUNT * sizeof(debuglist_t);
+	}
+#endif /* if ISC_MEM_TRACKLINES */
+
+	if (ctx->checkfree) {
+		for (i = 0; i <= ctx->max_size; i++) {
+			if (ctx->stats[i].gets != 0U) {
+				fprintf(stderr,
+					"Failing assertion due to probable "
+					"leaked memory in context %p (\"%s\") "
+					"(stats[%u].gets == %lu).\n",
+					ctx, ctx->name, i, ctx->stats[i].gets);
+#if ISC_MEM_TRACKLINES
+				print_active(ctx, stderr);
+#endif /* if ISC_MEM_TRACKLINES */
+				INSIST(ctx->stats[i].gets == 0U);
+			}
+		}
+	}
+
+	(ctx->memfree)(ctx->stats);
+	ctx->malloced -= (ctx->max_size + 1) * sizeof(struct stats);
+
+	if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
+		for (i = 0; i < ctx->basic_table_count; i++) {
+			(ctx->memfree)(ctx->basic_table[i]);
+			ctx->malloced -= NUM_BASIC_BLOCKS * ctx->mem_target;
+		}
+		(ctx->memfree)(ctx->freelists);
+		ctx->malloced -= ctx->max_size * sizeof(element *);
+		if (ctx->basic_table != NULL) {
+			(ctx->memfree)(ctx->basic_table);
+			ctx->malloced -= ctx->basic_table_size *
+					 sizeof(unsigned char *);
+		}
+	}
+
+	isc_mutex_destroy(&ctx->lock);
+
+	ctx->malloced -= sizeof(*ctx);
+	if (ctx->checkfree) {
+		INSIST(ctx->malloced == 0);
+	}
+	(ctx->memfree)(ctx);
+}
+
+void
+isc_mem_attach(isc_mem_t *source0, isc_mem_t **targetp) {
+	REQUIRE(VALID_CONTEXT(source0));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	isc__mem_t *source = (isc__mem_t *)source0;
+
+	isc_refcount_increment(&source->references);
+
+	*targetp = (isc_mem_t *)source;
+}
+
+void
+isc_mem_detach(isc_mem_t **ctxp) {
+	REQUIRE(ctxp != NULL && VALID_CONTEXT(*ctxp));
+
+	isc__mem_t *ctx = (isc__mem_t *)*ctxp;
+	*ctxp = NULL;
+
+	if (isc_refcount_decrement(&ctx->references) == 1) {
+		isc_refcount_destroy(&ctx->references);
+		destroy(ctx);
+	}
+}
+
+/*
+ * isc_mem_putanddetach() is the equivalent of:
+ *
+ * mctx = NULL;
+ * isc_mem_attach(ptr->mctx, &mctx);
+ * isc_mem_detach(&ptr->mctx);
+ * isc_mem_put(mctx, ptr, sizeof(*ptr);
+ * isc_mem_detach(&mctx);
+ */
+
+void
+isc___mem_putanddetach(isc_mem_t **ctxp, void *ptr, size_t size FLARG) {
+	REQUIRE(ctxp != NULL && VALID_CONTEXT(*ctxp));
+	REQUIRE(ptr != NULL);
+
+	isc__mem_t *ctx = (isc__mem_t *)*ctxp;
+	*ctxp = NULL;
+
+	if (ISC_UNLIKELY((isc_mem_debugging &
+			  (ISC_MEM_DEBUGSIZE | ISC_MEM_DEBUGCTX)) != 0))
+	{
+		if ((isc_mem_debugging & ISC_MEM_DEBUGSIZE) != 0) {
+			size_info *si = &(((size_info *)ptr)[-1]);
+			size_t oldsize = si->u.size - ALIGNMENT_SIZE;
+			if ((isc_mem_debugging & ISC_MEM_DEBUGCTX) != 0) {
+				oldsize -= ALIGNMENT_SIZE;
+			}
+			INSIST(oldsize == size);
+		}
+		isc__mem_free((isc_mem_t *)ctx, ptr FLARG_PASS);
+
+		goto destroy;
+	}
+
+	MCTXLOCK(ctx);
+
+	DELETE_TRACE(ctx, ptr, size, file, line);
+
+	if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
+		mem_putunlocked(ctx, ptr, size);
+	} else {
+		mem_putstats(ctx, ptr, size);
+		mem_put(ctx, ptr, size);
+	}
+	MCTXUNLOCK(ctx);
+
+destroy:
+	if (isc_refcount_decrement(&ctx->references) == 1) {
+		isc_refcount_destroy(&ctx->references);
+		destroy(ctx);
+	}
+}
+
+void
+isc_mem_destroy(isc_mem_t **ctxp) {
+	/*
+	 * This routine provides legacy support for callers who use mctxs
+	 * without attaching/detaching.
+	 */
+
+	REQUIRE(ctxp != NULL && VALID_CONTEXT(*ctxp));
+
+	isc__mem_t *ctx = (isc__mem_t *)*ctxp;
+
+#if ISC_MEM_TRACKLINES
+	if (isc_refcount_decrement(&ctx->references) > 1) {
+		print_active(ctx, stderr);
+	}
+#else  /* if ISC_MEM_TRACKLINES */
+	isc_refcount_decrementz(&ctx->references);
+#endif /* if ISC_MEM_TRACKLINES */
+	isc_refcount_destroy(&ctx->references);
+	destroy(ctx);
+
+	*ctxp = NULL;
+}
+
+void *
+isc___mem_get(isc_mem_t *ctx0, size_t size FLARG) {
+	REQUIRE(VALID_CONTEXT(ctx0));
+
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+	void *ptr;
+	bool call_water = false;
+
+	if (ISC_UNLIKELY((isc_mem_debugging &
+			  (ISC_MEM_DEBUGSIZE | ISC_MEM_DEBUGCTX)) != 0))
+	{
+		return (isc__mem_allocate(ctx0, size FLARG_PASS));
+	}
+
+	if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
+		MCTXLOCK(ctx);
+		ptr = mem_getunlocked(ctx, size);
+	} else {
+		ptr = mem_get(ctx, size);
+		MCTXLOCK(ctx);
+		if (ptr != NULL) {
+			mem_getstats(ctx, size);
+		}
+	}
+
+	ADD_TRACE(ctx, ptr, size, file, line);
+
+	if (ctx->hi_water != 0U && ctx->inuse > ctx->hi_water) {
+		ctx->is_overmem = true;
+		if (!ctx->hi_called) {
+			call_water = true;
+		}
+	}
+	if (ctx->inuse > ctx->maxinuse) {
+		ctx->maxinuse = ctx->inuse;
+		if (ctx->hi_water != 0U && ctx->inuse > ctx->hi_water &&
+		    (isc_mem_debugging & ISC_MEM_DEBUGUSAGE) != 0)
+		{
+			fprintf(stderr, "maxinuse = %lu\n",
+				(unsigned long)ctx->inuse);
+		}
+	}
+	MCTXUNLOCK(ctx);
+
+	if (call_water && (ctx->water != NULL)) {
+		(ctx->water)(ctx->water_arg, ISC_MEM_HIWATER);
+	}
+
+	return (ptr);
+}
+
+void
+isc___mem_put(isc_mem_t *ctx0, void *ptr, size_t size FLARG) {
+	REQUIRE(VALID_CONTEXT(ctx0));
+	REQUIRE(ptr != NULL);
+
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+	bool call_water = false;
+	size_info *si;
+	size_t oldsize;
+
+	if (ISC_UNLIKELY((isc_mem_debugging &
+			  (ISC_MEM_DEBUGSIZE | ISC_MEM_DEBUGCTX)) != 0))
+	{
+		if ((isc_mem_debugging & ISC_MEM_DEBUGSIZE) != 0) {
+			si = &(((size_info *)ptr)[-1]);
+			oldsize = si->u.size - ALIGNMENT_SIZE;
+			if ((isc_mem_debugging & ISC_MEM_DEBUGCTX) != 0) {
+				oldsize -= ALIGNMENT_SIZE;
+			}
+			INSIST(oldsize == size);
+		}
+		isc__mem_free((isc_mem_t *)ctx, ptr FLARG_PASS);
+		return;
+	}
+
+	MCTXLOCK(ctx);
+
+	DELETE_TRACE(ctx, ptr, size, file, line);
+
+	if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
+		mem_putunlocked(ctx, ptr, size);
+	} else {
+		mem_putstats(ctx, ptr, size);
+		mem_put(ctx, ptr, size);
+	}
+
+	/*
+	 * The check against ctx->lo_water == 0 is for the condition
+	 * when the context was pushed over hi_water but then had
+	 * isc_mem_setwater() called with 0 for hi_water and lo_water.
+	 */
+	if ((ctx->inuse < ctx->lo_water) || (ctx->lo_water == 0U)) {
+		ctx->is_overmem = false;
+		if (ctx->hi_called) {
+			call_water = true;
+		}
+	}
+
+	MCTXUNLOCK(ctx);
+
+	if (call_water && (ctx->water != NULL)) {
+		(ctx->water)(ctx->water_arg, ISC_MEM_LOWATER);
+	}
+}
+
+void
+isc_mem_waterack(isc_mem_t *ctx0, int flag) {
+	REQUIRE(VALID_CONTEXT(ctx0));
+
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+
+	MCTXLOCK(ctx);
+	if (flag == ISC_MEM_LOWATER) {
+		ctx->hi_called = false;
+	} else if (flag == ISC_MEM_HIWATER) {
+		ctx->hi_called = true;
+	}
+	MCTXUNLOCK(ctx);
+}
+
+#if ISC_MEM_TRACKLINES
+static void
+print_active(isc__mem_t *mctx, FILE *out) {
+	if (mctx->debuglist != NULL) {
+		debuglink_t *dl;
+		unsigned int i;
+		bool found;
+
+		fputs("Dump of all outstanding memory allocations:\n", out);
+		found = false;
+		for (i = 0; i < DEBUG_TABLE_COUNT; i++) {
+			dl = ISC_LIST_HEAD(mctx->debuglist[i]);
+
+			if (dl != NULL) {
+				found = true;
+			}
+
+			while (dl != NULL) {
+				if (dl->ptr != NULL) {
+					fprintf(out,
+						"\tptr %p size %zu file %s "
+						"line %u\n",
+						dl->ptr, dl->size, dl->file,
+						dl->line);
+				}
+				dl = ISC_LIST_NEXT(dl, link);
+			}
+		}
+
+		if (!found) {
+			fputs("\tNone.\n", out);
+		}
+	}
+}
+#endif /* if ISC_MEM_TRACKLINES */
+
+/*
+ * Print the stats[] on the stream "out" with suitable formatting.
+ */
+void
+isc_mem_stats(isc_mem_t *ctx0, FILE *out) {
+	REQUIRE(VALID_CONTEXT(ctx0));
+
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+	size_t i;
+	const struct stats *s;
+	const isc__mempool_t *pool;
+
+	MCTXLOCK(ctx);
+
+	for (i = 0; i <= ctx->max_size; i++) {
+		s = &ctx->stats[i];
+
+		if (s->totalgets == 0U && s->gets == 0U) {
+			continue;
+		}
+		fprintf(out, "%s%5lu: %11lu gets, %11lu rem",
+			(i == ctx->max_size) ? ">=" : "  ", (unsigned long)i,
+			s->totalgets, s->gets);
+		if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0 &&
+		    (s->blocks != 0U || s->freefrags != 0U))
+		{
+			fprintf(out, " (%lu bl, %lu ff)", s->blocks,
+				s->freefrags);
+		}
+		fputc('\n', out);
+	}
+
+	/*
+	 * Note that since a pool can be locked now, these stats might be
+	 * somewhat off if the pool is in active use at the time the stats
+	 * are dumped.  The link fields are protected by the isc_mem_t's
+	 * lock, however, so walking this list and extracting integers from
+	 * stats fields is always safe.
+	 */
+	pool = ISC_LIST_HEAD(ctx->pools);
+	if (pool != NULL) {
+		fputs("[Pool statistics]\n", out);
+		fprintf(out, "%15s %10s %10s %10s %10s %10s %10s %10s %1s\n",
+			"name", "size", "maxalloc", "allocated", "freecount",
+			"freemax", "fillcount", "gets", "L");
+	}
+	while (pool != NULL) {
+		fprintf(out, "%15s %10lu %10u %10u %10u %10u %10u %10u %s\n",
+#if ISC_MEMPOOL_NAMES
+			pool->name,
+#else  /* if ISC_MEMPOOL_NAMES */
+			"(not tracked)",
+#endif /* if ISC_MEMPOOL_NAMES */
+			(unsigned long)pool->size, pool->maxalloc,
+			pool->allocated, pool->freecount, pool->freemax,
+			pool->fillcount, pool->gets, "N");
+		pool = ISC_LIST_NEXT(pool, link);
+	}
+
+#if ISC_MEM_TRACKLINES
+	print_active(ctx, out);
+#endif /* if ISC_MEM_TRACKLINES */
+
+	MCTXUNLOCK(ctx);
+}
+
+/*
+ * Replacements for malloc() and free() -- they implicitly remember the
+ * size of the object allocated (with some additional overhead).
+ */
+
+static void *
+mem_allocateunlocked(isc_mem_t *ctx0, size_t size) {
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+	size_info *si;
+
+	size += ALIGNMENT_SIZE;
+	if (ISC_UNLIKELY((isc_mem_debugging & ISC_MEM_DEBUGCTX) != 0)) {
+		size += ALIGNMENT_SIZE;
+	}
+
+	if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
+		si = mem_getunlocked(ctx, size);
+	} else {
+		si = mem_get(ctx, size);
+	}
+
+	if (ISC_UNLIKELY((isc_mem_debugging & ISC_MEM_DEBUGCTX) != 0)) {
+		si->u.ctx = ctx;
+		si++;
+	}
+	si->u.size = size;
+	return (&si[1]);
+}
+
+void *
+isc___mem_allocate(isc_mem_t *ctx0, size_t size FLARG) {
+	REQUIRE(VALID_CONTEXT(ctx0));
+
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+	size_info *si;
+	bool call_water = false;
+
+	MCTXLOCK(ctx);
+	si = mem_allocateunlocked((isc_mem_t *)ctx, size);
+	if (((ctx->flags & ISC_MEMFLAG_INTERNAL) == 0)) {
+		mem_getstats(ctx, si[-1].u.size);
+	}
+
+	ADD_TRACE(ctx, si, si[-1].u.size, file, line);
+	if (ctx->hi_water != 0U && ctx->inuse > ctx->hi_water &&
+	    !ctx->is_overmem)
+	{
+		ctx->is_overmem = true;
+	}
+
+	if (ctx->hi_water != 0U && !ctx->hi_called &&
+	    ctx->inuse > ctx->hi_water)
+	{
+		ctx->hi_called = true;
+		call_water = true;
+	}
+	if (ctx->inuse > ctx->maxinuse) {
+		ctx->maxinuse = ctx->inuse;
+		if (ISC_UNLIKELY(ctx->hi_water != 0U &&
+				 ctx->inuse > ctx->hi_water &&
+				 (isc_mem_debugging & ISC_MEM_DEBUGUSAGE) != 0))
+		{
+			fprintf(stderr, "maxinuse = %lu\n",
+				(unsigned long)ctx->inuse);
+		}
+	}
+	MCTXUNLOCK(ctx);
+
+	if (call_water) {
+		(ctx->water)(ctx->water_arg, ISC_MEM_HIWATER);
+	}
+
+	return (si);
+}
+
+void *
+isc___mem_reallocate(isc_mem_t *ctx0, void *ptr, size_t size FLARG) {
+	REQUIRE(VALID_CONTEXT(ctx0));
+
+	void *new_ptr = NULL;
+	size_t oldsize, copysize;
+
+	/*
+	 * This function emulates the realloc(3) standard library function:
+	 * - if size > 0, allocate new memory; and if ptr is non NULL, copy
+	 *   as much of the old contents to the new buffer and free the old one.
+	 *   Note that when allocation fails the original pointer is intact;
+	 *   the caller must free it.
+	 * - if size is 0 and ptr is non NULL, simply free the given ptr.
+	 * - this function returns:
+	 *     pointer to the newly allocated memory, or
+	 *     NULL if allocation fails or doesn't happen.
+	 */
+	if (size > 0U) {
+		new_ptr = isc__mem_allocate(ctx0, size FLARG_PASS);
+		if (new_ptr != NULL && ptr != NULL) {
+			oldsize = (((size_info *)ptr)[-1]).u.size;
+			INSIST(oldsize >= ALIGNMENT_SIZE);
+			oldsize -= ALIGNMENT_SIZE;
+			if (ISC_UNLIKELY((isc_mem_debugging &
+					  ISC_MEM_DEBUGCTX) != 0))
+			{
+				INSIST(oldsize >= ALIGNMENT_SIZE);
+				oldsize -= ALIGNMENT_SIZE;
+			}
+			copysize = (oldsize > size) ? size : oldsize;
+			memmove(new_ptr, ptr, copysize);
+			isc__mem_free(ctx0, ptr FLARG_PASS);
+		}
+	} else if (ptr != NULL) {
+		isc__mem_free(ctx0, ptr FLARG_PASS);
+	}
+
+	return (new_ptr);
+}
+
+void
+isc___mem_free(isc_mem_t *ctx0, void *ptr FLARG) {
+	REQUIRE(VALID_CONTEXT(ctx0));
+	REQUIRE(ptr != NULL);
+
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+	size_info *si;
+	size_t size;
+	bool call_water = false;
+
+	if (ISC_UNLIKELY((isc_mem_debugging & ISC_MEM_DEBUGCTX) != 0)) {
+		si = &(((size_info *)ptr)[-2]);
+		REQUIRE(si->u.ctx == ctx);
+		size = si[1].u.size;
+	} else {
+		si = &(((size_info *)ptr)[-1]);
+		size = si->u.size;
+	}
+
+	MCTXLOCK(ctx);
+
+	DELETE_TRACE(ctx, ptr, size, file, line);
+
+	if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
+		mem_putunlocked(ctx, si, size);
+	} else {
+		mem_putstats(ctx, si, size);
+		mem_put(ctx, si, size);
+	}
+
+	/*
+	 * The check against ctx->lo_water == 0 is for the condition
+	 * when the context was pushed over hi_water but then had
+	 * isc_mem_setwater() called with 0 for hi_water and lo_water.
+	 */
+	if (ctx->is_overmem &&
+	    (ctx->inuse < ctx->lo_water || ctx->lo_water == 0U))
+	{
+		ctx->is_overmem = false;
+	}
+
+	if (ctx->hi_called &&
+	    (ctx->inuse < ctx->lo_water || ctx->lo_water == 0U))
+	{
+		ctx->hi_called = false;
+
+		if (ctx->water != NULL) {
+			call_water = true;
+		}
+	}
+	MCTXUNLOCK(ctx);
+
+	if (call_water) {
+		(ctx->water)(ctx->water_arg, ISC_MEM_LOWATER);
+	}
+}
+
+/*
+ * Other useful things.
+ */
+
+char *
+isc___mem_strdup(isc_mem_t *mctx0, const char *s FLARG) {
+	REQUIRE(VALID_CONTEXT(mctx0));
+	REQUIRE(s != NULL);
+
+	isc__mem_t *mctx = (isc__mem_t *)mctx0;
+	size_t len;
+	char *ns;
+
+	len = strlen(s) + 1;
+
+	ns = isc__mem_allocate((isc_mem_t *)mctx, len FLARG_PASS);
+
+	if (ns != NULL) {
+		strlcpy(ns, s, len);
+	}
+
+	return (ns);
+}
+
+char *
+isc___mem_strndup(isc_mem_t *mctx0, const char *s, size_t size FLARG) {
+	REQUIRE(VALID_CONTEXT(mctx0));
+	REQUIRE(s != NULL);
+
+	isc__mem_t *mctx = (isc__mem_t *)mctx0;
+	size_t len;
+	char *ns;
+
+	len = strlen(s) + 1;
+	if (len > size) {
+		len = size;
+	}
+
+	ns = isc__mem_allocate((isc_mem_t *)mctx, len FLARG_PASS);
+
+	if (ns != NULL) {
+		strlcpy(ns, s, len);
+	}
+
+	return (ns);
+}
+
+void
+isc_mem_setdestroycheck(isc_mem_t *ctx0, bool flag) {
+	REQUIRE(VALID_CONTEXT(ctx0));
+
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+
+	MCTXLOCK(ctx);
+
+	ctx->checkfree = flag;
+
+	MCTXUNLOCK(ctx);
+}
+
+size_t
+isc_mem_inuse(isc_mem_t *ctx0) {
+	REQUIRE(VALID_CONTEXT(ctx0));
+
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+	size_t inuse;
+
+	MCTXLOCK(ctx);
+
+	inuse = ctx->inuse;
+
+	MCTXUNLOCK(ctx);
+
+	return (inuse);
+}
+
+size_t
+isc_mem_maxinuse(isc_mem_t *ctx0) {
+	REQUIRE(VALID_CONTEXT(ctx0));
+
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+	size_t maxinuse;
+
+	MCTXLOCK(ctx);
+
+	maxinuse = ctx->maxinuse;
+
+	MCTXUNLOCK(ctx);
+
+	return (maxinuse);
+}
+
+size_t
+isc_mem_total(isc_mem_t *ctx0) {
+	REQUIRE(VALID_CONTEXT(ctx0));
+
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+	size_t total;
+
+	MCTXLOCK(ctx);
+
+	total = ctx->total;
+
+	MCTXUNLOCK(ctx);
+
+	return (total);
+}
+
+void
+isc_mem_setwater(isc_mem_t *ctx0, isc_mem_water_t water, void *water_arg,
+		 size_t hiwater, size_t lowater) {
+	REQUIRE(VALID_CONTEXT(ctx0));
+	REQUIRE(hiwater >= lowater);
+
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+	bool callwater = false;
+	isc_mem_water_t oldwater;
+	void *oldwater_arg;
+
+	MCTXLOCK(ctx);
+	oldwater = ctx->water;
+	oldwater_arg = ctx->water_arg;
+	if (water == NULL) {
+		callwater = ctx->hi_called;
+		ctx->water = NULL;
+		ctx->water_arg = NULL;
+		ctx->hi_water = 0;
+		ctx->lo_water = 0;
+	} else {
+		if (ctx->hi_called &&
+		    (ctx->water != water || ctx->water_arg != water_arg ||
+		     ctx->inuse < lowater || lowater == 0U))
+		{
+			callwater = true;
+		}
+		ctx->water = water;
+		ctx->water_arg = water_arg;
+		ctx->hi_water = hiwater;
+		ctx->lo_water = lowater;
+	}
+	MCTXUNLOCK(ctx);
+
+	if (callwater && oldwater != NULL) {
+		(oldwater)(oldwater_arg, ISC_MEM_LOWATER);
+	}
+}
+
+ISC_NO_SANITIZE_THREAD bool
+isc_mem_isovermem(isc_mem_t *ctx0) {
+	REQUIRE(VALID_CONTEXT(ctx0));
+
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+
+	/*
+	 * We don't bother to lock the context because 100% accuracy isn't
+	 * necessary (and even if we locked the context the returned value
+	 * could be different from the actual state when it's used anyway)
+	 */
+	return (ctx->is_overmem);
+}
+
+void
+isc_mem_setname(isc_mem_t *ctx0, const char *name, void *tag) {
+	REQUIRE(VALID_CONTEXT(ctx0));
+
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+
+	LOCK(&ctx->lock);
+	strlcpy(ctx->name, name, sizeof(ctx->name));
+	ctx->tag = tag;
+	UNLOCK(&ctx->lock);
+}
+
+const char *
+isc_mem_getname(isc_mem_t *ctx0) {
+	REQUIRE(VALID_CONTEXT(ctx0));
+
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+
+	if (ctx->name[0] == 0) {
+		return ("");
+	}
+
+	return (ctx->name);
+}
+
+void *
+isc_mem_gettag(isc_mem_t *ctx0) {
+	REQUIRE(VALID_CONTEXT(ctx0));
+
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+
+	return (ctx->tag);
+}
+
+/*
+ * Memory pool stuff
+ */
+
+void
+isc_mempool_create(isc_mem_t *mctx0, size_t size, isc_mempool_t **mpctxp) {
+	REQUIRE(VALID_CONTEXT(mctx0));
+	REQUIRE(size > 0U);
+	REQUIRE(mpctxp != NULL && *mpctxp == NULL);
+
+	isc__mem_t *mctx = (isc__mem_t *)mctx0;
+	isc__mempool_t *mpctx;
+
+	/*
+	 * Allocate space for this pool, initialize values, and if all works
+	 * well, attach to the memory context.
+	 */
+	mpctx = isc_mem_get((isc_mem_t *)mctx, sizeof(isc__mempool_t));
+
+	mpctx->common.impmagic = MEMPOOL_MAGIC;
+	mpctx->common.magic = ISCAPI_MPOOL_MAGIC;
+	mpctx->mctx = NULL;
+	isc_mem_attach((isc_mem_t *)mctx, (isc_mem_t **)&mpctx->mctx);
+	/*
+	 * Mempools are stored as a linked list of element.
+	 */
+	if (size < sizeof(element)) {
+		size = sizeof(element);
+	}
+	mpctx->size = size;
+	mpctx->maxalloc = UINT_MAX;
+	mpctx->allocated = 0;
+	mpctx->freecount = 0;
+	mpctx->freemax = 1;
+	mpctx->fillcount = 1;
+	mpctx->gets = 0;
+#if ISC_MEMPOOL_NAMES
+	mpctx->name[0] = 0;
+#endif /* if ISC_MEMPOOL_NAMES */
+	mpctx->items = NULL;
+
+	*mpctxp = (isc_mempool_t *)mpctx;
+
+	MCTXLOCK(mctx);
+	ISC_LIST_INITANDAPPEND(mctx->pools, mpctx, link);
+	mctx->poolcnt++;
+	MCTXUNLOCK(mctx);
+}
+
+void
+isc_mempool_setname(isc_mempool_t *mpctx0, const char *name) {
+	REQUIRE(VALID_MEMPOOL(mpctx0));
+	REQUIRE(name != NULL);
+
+	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+
+#if ISC_MEMPOOL_NAMES
+	strlcpy(mpctx->name, name, sizeof(mpctx->name));
+#else  /* if ISC_MEMPOOL_NAMES */
+	UNUSED(mpctx);
+	UNUSED(name);
+#endif /* if ISC_MEMPOOL_NAMES */
+}
+
+void
+isc_mempool_destroy(isc_mempool_t **mpctxp) {
+	REQUIRE(mpctxp != NULL);
+	REQUIRE(VALID_MEMPOOL(*mpctxp));
+
+	isc__mempool_t *mpctx;
+	isc__mem_t *mctx;
+	element *item;
+
+	mpctx = (isc__mempool_t *)*mpctxp;
+#if ISC_MEMPOOL_NAMES
+	if (mpctx->allocated > 0) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_mempool_destroy(): mempool %s "
+				 "leaked memory",
+				 mpctx->name);
+	}
+#endif /* if ISC_MEMPOOL_NAMES */
+	REQUIRE(mpctx->allocated == 0);
+
+	mctx = mpctx->mctx;
+
+	/*
+	 * Return any items on the free list
+	 */
+	MCTXLOCK(mctx);
+	while (mpctx->items != NULL) {
+		INSIST(mpctx->freecount > 0);
+		mpctx->freecount--;
+		item = mpctx->items;
+		mpctx->items = item->next;
+		mem_putstats(mctx, item, mpctx->size);
+		mem_put(mctx, item, mpctx->size);
+	}
+	MCTXUNLOCK(mctx);
+
+	/*
+	 * Remove our linked list entry from the memory context.
+	 */
+	MCTXLOCK(mctx);
+	ISC_LIST_UNLINK(mctx->pools, mpctx, link);
+	mctx->poolcnt--;
+	MCTXUNLOCK(mctx);
+
+	mpctx->common.impmagic = 0;
+	mpctx->common.magic = 0;
+
+	isc_mem_putanddetach((isc_mem_t **)&mpctx->mctx, mpctx,
+			     sizeof(isc__mempool_t));
+
+	*mpctxp = NULL;
+}
+
+#if __SANITIZE_ADDRESS__
+void *
+isc__mempool_get(isc_mempool_t *mpctx0 FLARG) {
+	void *item = NULL;
+
+	REQUIRE(VALID_MEMPOOL(mpctx0));
+
+	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+	isc_mem_t *mctx = (isc_mem_t *)mpctx->mctx;
+
+	/*
+	 * Don't let the caller go over quota
+	 */
+	if (ISC_UNLIKELY(mpctx->allocated >= mpctx->maxalloc)) {
+		goto out;
+	}
+
+	item = isc__mem_get(mctx, mpctx->size FLARG_PASS);
+	mpctx->gets++;
+	mpctx->allocated++;
+
+out:
+	return (item);
+}
+
+void
+isc__mempool_put(isc_mempool_t *mpctx0, void *mem FLARG) {
+	REQUIRE(VALID_MEMPOOL(mpctx0));
+
+	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+	isc_mem_t *mctx = (isc_mem_t *)mpctx->mctx;
+
+	REQUIRE(mem != NULL);
+
+	INSIST(mpctx->allocated > 0);
+	mpctx->allocated--;
+
+	isc__mem_put(mctx, mem, mpctx->size FLARG_PASS);
+}
+
+#else /* __SANITIZE_ADDRESS__ */
+void *
+isc__mempool_get(isc_mempool_t *mpctx0 FLARG) {
+	REQUIRE(VALID_MEMPOOL(mpctx0));
+
+	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+	element *item;
+	isc__mem_t *mctx;
+	unsigned int i;
+
+	mctx = mpctx->mctx;
+
+	/*
+	 * Don't let the caller go over quota
+	 */
+	if (ISC_UNLIKELY(mpctx->allocated >= mpctx->maxalloc)) {
+		item = NULL;
+		goto out;
+	}
+
+	if (ISC_UNLIKELY(mpctx->items == NULL)) {
+		/*
+		 * We need to dip into the well.  Lock the memory context
+		 * here and fill up our free list.
+		 */
+		MCTXLOCK(mctx);
+		for (i = 0; i < mpctx->fillcount; i++) {
+			item = mem_get(mctx, mpctx->size);
+			mem_getstats(mctx, mpctx->size);
+			item->next = mpctx->items;
+			mpctx->items = item;
+			mpctx->freecount++;
+		}
+		MCTXUNLOCK(mctx);
+	}
+
+	/*
+	 * If we didn't get any items, return NULL.
+	 */
+	item = mpctx->items;
+	if (ISC_UNLIKELY(item == NULL)) {
+		goto out;
+	}
+
+	mpctx->items = item->next;
+	INSIST(mpctx->freecount > 0);
+	mpctx->freecount--;
+	mpctx->gets++;
+	mpctx->allocated++;
+
+out:
+#if ISC_MEM_TRACKLINES
+	if (ISC_UNLIKELY(((isc_mem_debugging & TRACE_OR_RECORD) != 0) &&
+			 item != NULL))
+	{
+		MCTXLOCK(mctx);
+		ADD_TRACE(mctx, item, mpctx->size, file, line);
+		MCTXUNLOCK(mctx);
+	}
+#endif /* ISC_MEM_TRACKLINES */
+
+	return (item);
+}
+
+/* coverity[+free : arg-1] */
+void
+isc__mempool_put(isc_mempool_t *mpctx0, void *mem FLARG) {
+	REQUIRE(VALID_MEMPOOL(mpctx0));
+	REQUIRE(mem != NULL);
+
+	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+	isc__mem_t *mctx = mpctx->mctx;
+	element *item;
+
+	INSIST(mpctx->allocated > 0);
+	mpctx->allocated--;
+
+#if ISC_MEM_TRACKLINES
+	if (ISC_UNLIKELY((isc_mem_debugging & TRACE_OR_RECORD) != 0)) {
+		MCTXLOCK(mctx);
+		DELETE_TRACE(mctx, mem, mpctx->size, file, line);
+		MCTXUNLOCK(mctx);
+	}
+#endif /* ISC_MEM_TRACKLINES */
+
+	/*
+	 * If our free list is full, return this to the mctx directly.
+	 */
+	if (mpctx->freecount >= mpctx->freemax) {
+		MCTXLOCK(mctx);
+		mem_putstats(mctx, mem, mpctx->size);
+		mem_put(mctx, mem, mpctx->size);
+		MCTXUNLOCK(mctx);
+		return;
+	}
+
+	/*
+	 * Otherwise, attach it to our free list and bump the counter.
+	 */
+	mpctx->freecount++;
+	item = (element *)mem;
+	item->next = mpctx->items;
+	mpctx->items = item;
+}
+
+#endif /* __SANITIZE_ADDRESS__ */
+
+/*
+ * Quotas
+ */
+
+void
+isc_mempool_setfreemax(isc_mempool_t *mpctx0, unsigned int limit) {
+	REQUIRE(VALID_MEMPOOL(mpctx0));
+
+	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+
+	mpctx->freemax = limit;
+}
+
+unsigned int
+isc_mempool_getfreemax(isc_mempool_t *mpctx0) {
+	REQUIRE(VALID_MEMPOOL(mpctx0));
+
+	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+
+	return (mpctx->freemax);
+}
+
+unsigned int
+isc_mempool_getfreecount(isc_mempool_t *mpctx0) {
+	REQUIRE(VALID_MEMPOOL(mpctx0));
+
+	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+
+	return (mpctx->freecount);
+}
+
+void
+isc_mempool_setmaxalloc(isc_mempool_t *mpctx0, unsigned int limit) {
+	REQUIRE(VALID_MEMPOOL(mpctx0));
+	REQUIRE(limit > 0);
+
+	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+
+	mpctx->maxalloc = limit;
+}
+
+unsigned int
+isc_mempool_getmaxalloc(isc_mempool_t *mpctx0) {
+	REQUIRE(VALID_MEMPOOL(mpctx0));
+
+	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+
+	return (mpctx->maxalloc);
+}
+
+unsigned int
+isc_mempool_getallocated(isc_mempool_t *mpctx0) {
+	REQUIRE(VALID_MEMPOOL(mpctx0));
+
+	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+
+	return (mpctx->allocated);
+}
+
+void
+isc_mempool_setfillcount(isc_mempool_t *mpctx0, unsigned int limit) {
+	REQUIRE(VALID_MEMPOOL(mpctx0));
+	REQUIRE(limit > 0);
+
+	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+
+	mpctx->fillcount = limit;
+}
+
+unsigned int
+isc_mempool_getfillcount(isc_mempool_t *mpctx0) {
+	REQUIRE(VALID_MEMPOOL(mpctx0));
+
+	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+
+	return (mpctx->fillcount);
+}
+
+/*
+ * Requires contextslock to be held by caller.
+ */
+static void
+print_contexts(FILE *file) {
+	isc__mem_t *ctx;
+
+	for (ctx = ISC_LIST_HEAD(contexts); ctx != NULL;
+	     ctx = ISC_LIST_NEXT(ctx, link))
+	{
+		fprintf(file, "context: %p (%s): %" PRIuFAST32 " references\n",
+			ctx, ctx->name[0] == 0 ? "<unknown>" : ctx->name,
+			isc_refcount_current(&ctx->references));
+		print_active(ctx, file);
+	}
+	fflush(file);
+}
+
+static atomic_uintptr_t checkdestroyed = 0;
+
+void
+isc_mem_checkdestroyed(FILE *file) {
+	atomic_store_release(&checkdestroyed, (uintptr_t)file);
+}
+
+void
+isc__mem_checkdestroyed(void) {
+	FILE *file = (FILE *)atomic_load_acquire(&checkdestroyed);
+
+	if (file == NULL) {
+		return;
+	}
+
+	LOCK(&contextslock);
+	if (!ISC_LIST_EMPTY(contexts)) {
+#if ISC_MEM_TRACKLINES
+		if (ISC_UNLIKELY((isc_mem_debugging & TRACE_OR_RECORD) != 0)) {
+			print_contexts(file);
+		}
+#endif /* if ISC_MEM_TRACKLINES */
+		UNREACHABLE();
+	}
+	UNLOCK(&contextslock);
+}
+
+unsigned int
+isc_mem_references(isc_mem_t *ctx0) {
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+	return (isc_refcount_current(&ctx->references));
+}
+
+typedef struct summarystat {
+	uint64_t total;
+	uint64_t inuse;
+	uint64_t malloced;
+	uint64_t blocksize;
+	uint64_t contextsize;
+} summarystat_t;
+
+#ifdef HAVE_LIBXML2
+#define TRY0(a)                     \
+	do {                        \
+		xmlrc = (a);        \
+		if (xmlrc < 0)      \
+			goto error; \
+	} while (0)
+static int
+xml_renderctx(isc__mem_t *ctx, summarystat_t *summary,
+	      xmlTextWriterPtr writer) {
+	REQUIRE(VALID_CONTEXT(ctx));
+
+	int xmlrc;
+
+	MCTXLOCK(ctx);
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "context"));
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "id"));
+	TRY0(xmlTextWriterWriteFormatString(writer, "%p", ctx));
+	TRY0(xmlTextWriterEndElement(writer)); /* id */
+
+	if (ctx->name[0] != 0) {
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "name"));
+		TRY0(xmlTextWriterWriteFormatString(writer, "%s", ctx->name));
+		TRY0(xmlTextWriterEndElement(writer)); /* name */
+	}
+
+	summary->contextsize += sizeof(*ctx) +
+				(ctx->max_size + 1) * sizeof(struct stats) +
+				ctx->max_size * sizeof(element *) +
+				ctx->basic_table_count * sizeof(char *);
+#if ISC_MEM_TRACKLINES
+	if (ctx->debuglist != NULL) {
+		summary->contextsize += DEBUG_TABLE_COUNT *
+						sizeof(debuglist_t) +
+					ctx->debuglistcnt * sizeof(debuglink_t);
+	}
+#endif /* if ISC_MEM_TRACKLINES */
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "references"));
+	TRY0(xmlTextWriterWriteFormatString(
+		writer, "%" PRIuFAST32,
+		isc_refcount_current(&ctx->references)));
+	TRY0(xmlTextWriterEndElement(writer)); /* references */
+
+	summary->total += ctx->total;
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "total"));
+	TRY0(xmlTextWriterWriteFormatString(writer, "%" PRIu64 "",
+					    (uint64_t)ctx->total));
+	TRY0(xmlTextWriterEndElement(writer)); /* total */
+
+	summary->inuse += ctx->inuse;
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "inuse"));
+	TRY0(xmlTextWriterWriteFormatString(writer, "%" PRIu64 "",
+					    (uint64_t)ctx->inuse));
+	TRY0(xmlTextWriterEndElement(writer)); /* inuse */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "maxinuse"));
+	TRY0(xmlTextWriterWriteFormatString(writer, "%" PRIu64 "",
+					    (uint64_t)ctx->maxinuse));
+	TRY0(xmlTextWriterEndElement(writer)); /* maxinuse */
+
+	summary->malloced += ctx->malloced;
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "malloced"));
+	TRY0(xmlTextWriterWriteFormatString(writer, "%" PRIu64 "",
+					    (uint64_t)ctx->malloced));
+	TRY0(xmlTextWriterEndElement(writer)); /* malloced */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "maxmalloced"));
+	TRY0(xmlTextWriterWriteFormatString(writer, "%" PRIu64 "",
+					    (uint64_t)ctx->maxmalloced));
+	TRY0(xmlTextWriterEndElement(writer)); /* maxmalloced */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "blocksize"));
+	if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
+		summary->blocksize += ctx->basic_table_count *
+				      NUM_BASIC_BLOCKS * ctx->mem_target;
+		TRY0(xmlTextWriterWriteFormatString(
+			writer, "%" PRIu64 "",
+			(uint64_t)ctx->basic_table_count * NUM_BASIC_BLOCKS *
+				ctx->mem_target));
+	} else {
+		TRY0(xmlTextWriterWriteFormatString(writer, "%s", "-"));
+	}
+	TRY0(xmlTextWriterEndElement(writer)); /* blocksize */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "pools"));
+	TRY0(xmlTextWriterWriteFormatString(writer, "%u", ctx->poolcnt));
+	TRY0(xmlTextWriterEndElement(writer)); /* pools */
+	summary->contextsize += ctx->poolcnt * sizeof(isc_mempool_t);
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "hiwater"));
+	TRY0(xmlTextWriterWriteFormatString(writer, "%" PRIu64 "",
+					    (uint64_t)ctx->hi_water));
+	TRY0(xmlTextWriterEndElement(writer)); /* hiwater */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "lowater"));
+	TRY0(xmlTextWriterWriteFormatString(writer, "%" PRIu64 "",
+					    (uint64_t)ctx->lo_water));
+	TRY0(xmlTextWriterEndElement(writer)); /* lowater */
+
+	TRY0(xmlTextWriterEndElement(writer)); /* context */
+
+error:
+	MCTXUNLOCK(ctx);
+
+	return (xmlrc);
+}
+
+int
+isc_mem_renderxml(void *writer0) {
+	isc__mem_t *ctx;
+	summarystat_t summary;
+	uint64_t lost;
+	int xmlrc;
+	xmlTextWriterPtr writer = (xmlTextWriterPtr)writer0;
+
+	memset(&summary, 0, sizeof(summary));
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "contexts"));
+
+	LOCK(&contextslock);
+	lost = totallost;
+	for (ctx = ISC_LIST_HEAD(contexts); ctx != NULL;
+	     ctx = ISC_LIST_NEXT(ctx, link))
+	{
+		xmlrc = xml_renderctx(ctx, &summary, writer);
+		if (xmlrc < 0) {
+			UNLOCK(&contextslock);
+			goto error;
+		}
+	}
+	UNLOCK(&contextslock);
+
+	TRY0(xmlTextWriterEndElement(writer)); /* contexts */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "summary"));
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "TotalUse"));
+	TRY0(xmlTextWriterWriteFormatString(writer, "%" PRIu64 "",
+					    summary.total));
+	TRY0(xmlTextWriterEndElement(writer)); /* TotalUse */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "InUse"));
+	TRY0(xmlTextWriterWriteFormatString(writer, "%" PRIu64 "",
+					    summary.inuse));
+	TRY0(xmlTextWriterEndElement(writer)); /* InUse */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "Malloced"));
+	TRY0(xmlTextWriterWriteFormatString(writer, "%" PRIu64 "",
+					    summary.malloced));
+	TRY0(xmlTextWriterEndElement(writer)); /* InUse */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "BlockSize"));
+	TRY0(xmlTextWriterWriteFormatString(writer, "%" PRIu64 "",
+					    summary.blocksize));
+	TRY0(xmlTextWriterEndElement(writer)); /* BlockSize */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "ContextSize"));
+	TRY0(xmlTextWriterWriteFormatString(writer, "%" PRIu64 "",
+					    summary.contextsize));
+	TRY0(xmlTextWriterEndElement(writer)); /* ContextSize */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "Lost"));
+	TRY0(xmlTextWriterWriteFormatString(writer, "%" PRIu64 "", lost));
+	TRY0(xmlTextWriterEndElement(writer)); /* Lost */
+
+	TRY0(xmlTextWriterEndElement(writer)); /* summary */
+error:
+	return (xmlrc);
+}
+
+#endif /* HAVE_LIBXML2 */
+
+#ifdef HAVE_JSON_C
+#define CHECKMEM(m) RUNTIME_CHECK(m != NULL)
+
+static isc_result_t
+json_renderctx(isc__mem_t *ctx, summarystat_t *summary, json_object *array) {
+	REQUIRE(VALID_CONTEXT(ctx));
+	REQUIRE(summary != NULL);
+	REQUIRE(array != NULL);
+
+	json_object *ctxobj, *obj;
+	char buf[1024];
+
+	MCTXLOCK(ctx);
+
+	summary->contextsize += sizeof(*ctx) +
+				(ctx->max_size + 1) * sizeof(struct stats) +
+				ctx->max_size * sizeof(element *) +
+				ctx->basic_table_count * sizeof(char *);
+	summary->total += ctx->total;
+	summary->inuse += ctx->inuse;
+	summary->malloced += ctx->malloced;
+	if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
+		summary->blocksize += ctx->basic_table_count *
+				      NUM_BASIC_BLOCKS * ctx->mem_target;
+	}
+#if ISC_MEM_TRACKLINES
+	if (ctx->debuglist != NULL) {
+		summary->contextsize += DEBUG_TABLE_COUNT *
+						sizeof(debuglist_t) +
+					ctx->debuglistcnt * sizeof(debuglink_t);
+	}
+#endif /* if ISC_MEM_TRACKLINES */
+
+	ctxobj = json_object_new_object();
+	CHECKMEM(ctxobj);
+
+	snprintf(buf, sizeof(buf), "%p", ctx);
+	obj = json_object_new_string(buf);
+	CHECKMEM(obj);
+	json_object_object_add(ctxobj, "id", obj);
+
+	if (ctx->name[0] != 0) {
+		obj = json_object_new_string(ctx->name);
+		CHECKMEM(obj);
+		json_object_object_add(ctxobj, "name", obj);
+	}
+
+	obj = json_object_new_int64(isc_refcount_current(&ctx->references));
+	CHECKMEM(obj);
+	json_object_object_add(ctxobj, "references", obj);
+
+	obj = json_object_new_int64(ctx->total);
+	CHECKMEM(obj);
+	json_object_object_add(ctxobj, "total", obj);
+
+	obj = json_object_new_int64(ctx->inuse);
+	CHECKMEM(obj);
+	json_object_object_add(ctxobj, "inuse", obj);
+
+	obj = json_object_new_int64(ctx->maxinuse);
+	CHECKMEM(obj);
+	json_object_object_add(ctxobj, "maxinuse", obj);
+
+	obj = json_object_new_int64(ctx->malloced);
+	CHECKMEM(obj);
+	json_object_object_add(ctxobj, "malloced", obj);
+
+	obj = json_object_new_int64(ctx->maxmalloced);
+	CHECKMEM(obj);
+	json_object_object_add(ctxobj, "maxmalloced", obj);
+
+	if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
+		uint64_t blocksize;
+		blocksize = ctx->basic_table_count * NUM_BASIC_BLOCKS *
+			    ctx->mem_target;
+		obj = json_object_new_int64(blocksize);
+		CHECKMEM(obj);
+		json_object_object_add(ctxobj, "blocksize", obj);
+	}
+
+	obj = json_object_new_int64(ctx->poolcnt);
+	CHECKMEM(obj);
+	json_object_object_add(ctxobj, "pools", obj);
+
+	summary->contextsize += ctx->poolcnt * sizeof(isc_mempool_t);
+
+	obj = json_object_new_int64(ctx->hi_water);
+	CHECKMEM(obj);
+	json_object_object_add(ctxobj, "hiwater", obj);
+
+	obj = json_object_new_int64(ctx->lo_water);
+	CHECKMEM(obj);
+	json_object_object_add(ctxobj, "lowater", obj);
+
+	MCTXUNLOCK(ctx);
+	json_object_array_add(array, ctxobj);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_mem_renderjson(void *memobj0) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc__mem_t *ctx;
+	summarystat_t summary;
+	uint64_t lost;
+	json_object *ctxarray, *obj;
+	json_object *memobj = (json_object *)memobj0;
+
+	memset(&summary, 0, sizeof(summary));
+
+	ctxarray = json_object_new_array();
+	CHECKMEM(ctxarray);
+
+	LOCK(&contextslock);
+	lost = totallost;
+	for (ctx = ISC_LIST_HEAD(contexts); ctx != NULL;
+	     ctx = ISC_LIST_NEXT(ctx, link))
+	{
+		result = json_renderctx(ctx, &summary, ctxarray);
+		if (result != ISC_R_SUCCESS) {
+			UNLOCK(&contextslock);
+			goto error;
+		}
+	}
+	UNLOCK(&contextslock);
+
+	obj = json_object_new_int64(summary.total);
+	CHECKMEM(obj);
+	json_object_object_add(memobj, "TotalUse", obj);
+
+	obj = json_object_new_int64(summary.inuse);
+	CHECKMEM(obj);
+	json_object_object_add(memobj, "InUse", obj);
+
+	obj = json_object_new_int64(summary.malloced);
+	CHECKMEM(obj);
+	json_object_object_add(memobj, "Malloced", obj);
+
+	obj = json_object_new_int64(summary.blocksize);
+	CHECKMEM(obj);
+	json_object_object_add(memobj, "BlockSize", obj);
+
+	obj = json_object_new_int64(summary.contextsize);
+	CHECKMEM(obj);
+	json_object_object_add(memobj, "ContextSize", obj);
+
+	obj = json_object_new_int64(lost);
+	CHECKMEM(obj);
+	json_object_object_add(memobj, "Lost", obj);
+
+	json_object_object_add(memobj, "contexts", ctxarray);
+	return (ISC_R_SUCCESS);
+
+error:
+	if (ctxarray != NULL) {
+		json_object_put(ctxarray);
+	}
+	return (result);
+}
+#endif /* HAVE_JSON_C */
+
+void
+isc_mem_create(isc_mem_t **mctxp) {
+	mem_create(mctxp, isc_mem_defaultflags);
+}
+
+void *
+isc__mem_get(isc_mem_t *mctx, size_t size FLARG) {
+	REQUIRE(ISCAPI_MCTX_VALID(mctx));
+
+	return (mctx->methods->memget(mctx, size FLARG_PASS));
+}
+
+void
+isc__mem_put(isc_mem_t *mctx, void *ptr, size_t size FLARG) {
+	REQUIRE(ISCAPI_MCTX_VALID(mctx));
+
+	mctx->methods->memput(mctx, ptr, size FLARG_PASS);
+}
+
+void
+isc__mem_putanddetach(isc_mem_t **mctxp, void *ptr, size_t size FLARG) {
+	REQUIRE(mctxp != NULL && ISCAPI_MCTX_VALID(*mctxp));
+
+	(*mctxp)->methods->memputanddetach(mctxp, ptr, size FLARG_PASS);
+}
+
+void *
+isc__mem_allocate(isc_mem_t *mctx, size_t size FLARG) {
+	REQUIRE(ISCAPI_MCTX_VALID(mctx));
+
+	return (mctx->methods->memallocate(mctx, size FLARG_PASS));
+}
+
+void *
+isc__mem_reallocate(isc_mem_t *mctx, void *ptr, size_t size FLARG) {
+	REQUIRE(ISCAPI_MCTX_VALID(mctx));
+
+	return (mctx->methods->memreallocate(mctx, ptr, size FLARG_PASS));
+}
+
+char *
+isc__mem_strdup(isc_mem_t *mctx, const char *s FLARG) {
+	REQUIRE(ISCAPI_MCTX_VALID(mctx));
+
+	return (mctx->methods->memstrdup(mctx, s FLARG_PASS));
+}
+
+char *
+isc__mem_strndup(isc_mem_t *mctx, const char *s, size_t size FLARG) {
+	REQUIRE(ISCAPI_MCTX_VALID(mctx));
+
+	return (mctx->methods->memstrndup(mctx, s, size FLARG_PASS));
+}
+
+void
+isc__mem_free(isc_mem_t *mctx, void *ptr FLARG) {
+	REQUIRE(ISCAPI_MCTX_VALID(mctx));
+
+	mctx->methods->memfree(mctx, ptr FLARG_PASS);
+}
+
+void
+isc__mem_printactive(isc_mem_t *ctx0, FILE *file) {
+#if ISC_MEM_TRACKLINES
+	REQUIRE(VALID_CONTEXT(ctx0));
+	REQUIRE(file != NULL);
+
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+
+	print_active(ctx, file);
+#else  /* if ISC_MEM_TRACKLINES */
+	UNUSED(ctx0);
+	UNUSED(file);
+#endif /* if ISC_MEM_TRACKLINES */
+}
diff --git a/lib/isc/mem_p.h b/lib/isc/mem_p.h
new file mode 100644
index 0000000..611a025
--- /dev/null
+++ b/lib/isc/mem_p.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#pragma once
+
+#include <stdio.h>
+
+#include <isc/mem.h>
+
+/*! \file */
+
+void
+isc__mem_printactive(isc_mem_t *mctx, FILE *file);
+/*%<
+ * For use by unit tests, prints active memory blocks for
+ * a single memory context.
+ */
+
+void
+isc__mem_checkdestroyed(void);
+
+void
+isc__mem_initialize(void);
+
+void
+isc__mem_shutdown(void);
diff --git a/lib/isc/mutexblock.c b/lib/isc/mutexblock.c
new file mode 100644
index 0000000..56a2985
--- /dev/null
+++ b/lib/isc/mutexblock.c
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <isc/mutexblock.h>
+#include <isc/util.h>
+
+void
+isc_mutexblock_init(isc_mutex_t *block, unsigned int count) {
+	unsigned int i;
+
+	for (i = 0; i < count; i++) {
+		isc_mutex_init(&block[i]);
+	}
+}
+
+void
+isc_mutexblock_destroy(isc_mutex_t *block, unsigned int count) {
+	unsigned int i;
+
+	for (i = 0; i < count; i++) {
+		isc_mutex_destroy(&block[i]);
+	}
+}
diff --git a/lib/isc/netaddr.c b/lib/isc/netaddr.c
new file mode 100644
index 0000000..39aaae6
--- /dev/null
+++ b/lib/isc/netaddr.c
@@ -0,0 +1,479 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdio.h>
+
+#include <isc/buffer.h>
+#include <isc/net.h>
+#include <isc/netaddr.h>
+#include <isc/print.h>
+#include <isc/sockaddr.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+bool
+isc_netaddr_equal(const isc_netaddr_t *a, const isc_netaddr_t *b) {
+	REQUIRE(a != NULL && b != NULL);
+
+	if (a->family != b->family) {
+		return (false);
+	}
+
+	if (a->zone != b->zone) {
+		return (false);
+	}
+
+	switch (a->family) {
+	case AF_INET:
+		if (a->type.in.s_addr != b->type.in.s_addr) {
+			return (false);
+		}
+		break;
+	case AF_INET6:
+		if (memcmp(&a->type.in6, &b->type.in6, sizeof(a->type.in6)) !=
+			    0 ||
+		    a->zone != b->zone)
+		{
+			return (false);
+		}
+		break;
+#ifdef ISC_PLATFORM_HAVESYSUNH
+	case AF_UNIX:
+		if (strcmp(a->type.un, b->type.un) != 0) {
+			return (false);
+		}
+		break;
+#endif /* ifdef ISC_PLATFORM_HAVESYSUNH */
+	default:
+		return (false);
+	}
+	return (true);
+}
+
+bool
+isc_netaddr_eqprefix(const isc_netaddr_t *a, const isc_netaddr_t *b,
+		     unsigned int prefixlen) {
+	const unsigned char *pa = NULL, *pb = NULL;
+	unsigned int ipabytes = 0; /* Length of whole IP address in bytes */
+	unsigned int nbytes;	   /* Number of significant whole bytes */
+	unsigned int nbits;	   /* Number of significant leftover bits */
+
+	REQUIRE(a != NULL && b != NULL);
+
+	if (a->family != b->family) {
+		return (false);
+	}
+
+	if (a->zone != b->zone && b->zone != 0) {
+		return (false);
+	}
+
+	switch (a->family) {
+	case AF_INET:
+		pa = (const unsigned char *)&a->type.in;
+		pb = (const unsigned char *)&b->type.in;
+		ipabytes = 4;
+		break;
+	case AF_INET6:
+		pa = (const unsigned char *)&a->type.in6;
+		pb = (const unsigned char *)&b->type.in6;
+		ipabytes = 16;
+		break;
+	default:
+		return (false);
+	}
+
+	/*
+	 * Don't crash if we get a pattern like 10.0.0.1/9999999.
+	 */
+	if (prefixlen > ipabytes * 8) {
+		prefixlen = ipabytes * 8;
+	}
+
+	nbytes = prefixlen / 8;
+	nbits = prefixlen % 8;
+
+	if (nbytes > 0) {
+		if (memcmp(pa, pb, nbytes) != 0) {
+			return (false);
+		}
+	}
+	if (nbits > 0) {
+		unsigned int bytea, byteb, mask;
+		INSIST(nbytes < ipabytes);
+		INSIST(nbits < 8);
+		bytea = pa[nbytes];
+		byteb = pb[nbytes];
+		mask = (0xFF << (8 - nbits)) & 0xFF;
+		if ((bytea & mask) != (byteb & mask)) {
+			return (false);
+		}
+	}
+	return (true);
+}
+
+isc_result_t
+isc_netaddr_totext(const isc_netaddr_t *netaddr, isc_buffer_t *target) {
+	char abuf[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:255.255.255.255")];
+	char zbuf[sizeof("%4294967295")];
+	unsigned int alen;
+	int zlen;
+	const char *r;
+	const void *type;
+
+	REQUIRE(netaddr != NULL);
+
+	switch (netaddr->family) {
+	case AF_INET:
+		type = &netaddr->type.in;
+		break;
+	case AF_INET6:
+		type = &netaddr->type.in6;
+		break;
+#ifdef ISC_PLATFORM_HAVESYSUNH
+	case AF_UNIX:
+		alen = strlen(netaddr->type.un);
+		if (alen > isc_buffer_availablelength(target)) {
+			return (ISC_R_NOSPACE);
+		}
+		isc_buffer_putmem(target,
+				  (const unsigned char *)(netaddr->type.un),
+				  alen);
+		return (ISC_R_SUCCESS);
+#endif /* ifdef ISC_PLATFORM_HAVESYSUNH */
+	default:
+		return (ISC_R_FAILURE);
+	}
+	r = inet_ntop(netaddr->family, type, abuf, sizeof(abuf));
+	if (r == NULL) {
+		return (ISC_R_FAILURE);
+	}
+
+	alen = strlen(abuf);
+	INSIST(alen < sizeof(abuf));
+
+	zlen = 0;
+	if (netaddr->family == AF_INET6 && netaddr->zone != 0) {
+		zlen = snprintf(zbuf, sizeof(zbuf), "%%%u", netaddr->zone);
+		if (zlen < 0) {
+			return (ISC_R_FAILURE);
+		}
+		INSIST((unsigned int)zlen < sizeof(zbuf));
+	}
+
+	if (alen + zlen > isc_buffer_availablelength(target)) {
+		return (ISC_R_NOSPACE);
+	}
+
+	isc_buffer_putmem(target, (unsigned char *)abuf, alen);
+	isc_buffer_putmem(target, (unsigned char *)zbuf, (unsigned int)zlen);
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_netaddr_format(const isc_netaddr_t *na, char *array, unsigned int size) {
+	isc_result_t result;
+	isc_buffer_t buf;
+
+	isc_buffer_init(&buf, array, size);
+	result = isc_netaddr_totext(na, &buf);
+
+	if (size == 0) {
+		return;
+	}
+
+	/*
+	 * Null terminate.
+	 */
+	if (result == ISC_R_SUCCESS) {
+		if (isc_buffer_availablelength(&buf) >= 1) {
+			isc_buffer_putuint8(&buf, 0);
+		} else {
+			result = ISC_R_NOSPACE;
+		}
+	}
+
+	if (result != ISC_R_SUCCESS) {
+		snprintf(array, size, "<unknown address, family %u>",
+			 na->family);
+		array[size - 1] = '\0';
+	}
+}
+
+isc_result_t
+isc_netaddr_prefixok(const isc_netaddr_t *na, unsigned int prefixlen) {
+	static const unsigned char zeros[16];
+	unsigned int nbits, nbytes, ipbytes = 0;
+	const unsigned char *p;
+
+	switch (na->family) {
+	case AF_INET:
+		p = (const unsigned char *)&na->type.in;
+		ipbytes = 4;
+		if (prefixlen > 32) {
+			return (ISC_R_RANGE);
+		}
+		break;
+	case AF_INET6:
+		p = (const unsigned char *)&na->type.in6;
+		ipbytes = 16;
+		if (prefixlen > 128) {
+			return (ISC_R_RANGE);
+		}
+		break;
+	default:
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+	nbytes = prefixlen / 8;
+	nbits = prefixlen % 8;
+	if (nbits != 0) {
+		INSIST(nbytes < ipbytes);
+		if ((p[nbytes] & (0xff >> nbits)) != 0U) {
+			return (ISC_R_FAILURE);
+		}
+		nbytes++;
+	}
+	if (nbytes < ipbytes &&
+	    memcmp(p + nbytes, zeros, ipbytes - nbytes) != 0)
+	{
+		return (ISC_R_FAILURE);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_netaddr_masktoprefixlen(const isc_netaddr_t *s, unsigned int *lenp) {
+	unsigned int nbits = 0, nbytes = 0, ipbytes = 0, i;
+	const unsigned char *p;
+
+	switch (s->family) {
+	case AF_INET:
+		p = (const unsigned char *)&s->type.in;
+		ipbytes = 4;
+		break;
+	case AF_INET6:
+		p = (const unsigned char *)&s->type.in6;
+		ipbytes = 16;
+		break;
+	default:
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+	for (i = 0; i < ipbytes; i++) {
+		if (p[i] != 0xFF) {
+			break;
+		}
+	}
+	nbytes = i;
+	if (i < ipbytes) {
+		unsigned int c = p[nbytes];
+		while ((c & 0x80) != 0 && nbits < 8) {
+			c <<= 1;
+			nbits++;
+		}
+		if ((c & 0xFF) != 0) {
+			return (ISC_R_MASKNONCONTIG);
+		}
+		i++;
+	}
+	for (; i < ipbytes; i++) {
+		if (p[i] != 0) {
+			return (ISC_R_MASKNONCONTIG);
+		}
+	}
+	*lenp = nbytes * 8 + nbits;
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_netaddr_fromin(isc_netaddr_t *netaddr, const struct in_addr *ina) {
+	memset(netaddr, 0, sizeof(*netaddr));
+	netaddr->family = AF_INET;
+	netaddr->type.in = *ina;
+}
+
+void
+isc_netaddr_fromin6(isc_netaddr_t *netaddr, const struct in6_addr *ina6) {
+	memset(netaddr, 0, sizeof(*netaddr));
+	netaddr->family = AF_INET6;
+	netaddr->type.in6 = *ina6;
+}
+
+isc_result_t
+isc_netaddr_frompath(isc_netaddr_t *netaddr, const char *path) {
+#ifdef ISC_PLATFORM_HAVESYSUNH
+	if (strlen(path) > sizeof(netaddr->type.un) - 1) {
+		return (ISC_R_NOSPACE);
+	}
+
+	memset(netaddr, 0, sizeof(*netaddr));
+	netaddr->family = AF_UNIX;
+	strlcpy(netaddr->type.un, path, sizeof(netaddr->type.un));
+	netaddr->zone = 0;
+	return (ISC_R_SUCCESS);
+#else  /* ifdef ISC_PLATFORM_HAVESYSUNH */
+	UNUSED(netaddr);
+	UNUSED(path);
+	return (ISC_R_NOTIMPLEMENTED);
+#endif /* ifdef ISC_PLATFORM_HAVESYSUNH */
+}
+
+void
+isc_netaddr_setzone(isc_netaddr_t *netaddr, uint32_t zone) {
+	/* we currently only support AF_INET6. */
+	REQUIRE(netaddr->family == AF_INET6);
+
+	netaddr->zone = zone;
+}
+
+uint32_t
+isc_netaddr_getzone(const isc_netaddr_t *netaddr) {
+	return (netaddr->zone);
+}
+
+void
+isc_netaddr_fromsockaddr(isc_netaddr_t *t, const isc_sockaddr_t *s) {
+	int family = s->type.sa.sa_family;
+	t->family = family;
+	switch (family) {
+	case AF_INET:
+		t->type.in = s->type.sin.sin_addr;
+		t->zone = 0;
+		break;
+	case AF_INET6:
+		memmove(&t->type.in6, &s->type.sin6.sin6_addr, 16);
+		t->zone = s->type.sin6.sin6_scope_id;
+		break;
+#ifdef ISC_PLATFORM_HAVESYSUNH
+	case AF_UNIX:
+		memmove(t->type.un, s->type.sunix.sun_path, sizeof(t->type.un));
+		t->zone = 0;
+		break;
+#endif /* ifdef ISC_PLATFORM_HAVESYSUNH */
+	default:
+		UNREACHABLE();
+	}
+}
+
+void
+isc_netaddr_any(isc_netaddr_t *netaddr) {
+	memset(netaddr, 0, sizeof(*netaddr));
+	netaddr->family = AF_INET;
+	netaddr->type.in.s_addr = INADDR_ANY;
+}
+
+void
+isc_netaddr_any6(isc_netaddr_t *netaddr) {
+	memset(netaddr, 0, sizeof(*netaddr));
+	netaddr->family = AF_INET6;
+	netaddr->type.in6 = in6addr_any;
+}
+
+void
+isc_netaddr_unspec(isc_netaddr_t *netaddr) {
+	memset(netaddr, 0, sizeof(*netaddr));
+	netaddr->family = AF_UNSPEC;
+}
+
+bool
+isc_netaddr_ismulticast(const isc_netaddr_t *na) {
+	switch (na->family) {
+	case AF_INET:
+		return (ISC_IPADDR_ISMULTICAST(na->type.in.s_addr));
+	case AF_INET6:
+		return (IN6_IS_ADDR_MULTICAST(&na->type.in6));
+	default:
+		return (false); /* XXXMLG ? */
+	}
+}
+
+bool
+isc_netaddr_isexperimental(const isc_netaddr_t *na) {
+	switch (na->family) {
+	case AF_INET:
+		return (ISC_IPADDR_ISEXPERIMENTAL(na->type.in.s_addr));
+	default:
+		return (false); /* XXXMLG ? */
+	}
+}
+
+bool
+isc_netaddr_islinklocal(const isc_netaddr_t *na) {
+	switch (na->family) {
+	case AF_INET:
+		return (false);
+	case AF_INET6:
+		return (IN6_IS_ADDR_LINKLOCAL(&na->type.in6));
+	default:
+		return (false);
+	}
+}
+
+bool
+isc_netaddr_issitelocal(const isc_netaddr_t *na) {
+	switch (na->family) {
+	case AF_INET:
+		return (false);
+	case AF_INET6:
+		return (IN6_IS_ADDR_SITELOCAL(&na->type.in6));
+	default:
+		return (false);
+	}
+}
+
+#define ISC_IPADDR_ISNETZERO(i) \
+	(((uint32_t)(i)&ISC__IPADDR(0xff000000)) == ISC__IPADDR(0x00000000))
+
+bool
+isc_netaddr_isnetzero(const isc_netaddr_t *na) {
+	switch (na->family) {
+	case AF_INET:
+		return (ISC_IPADDR_ISNETZERO(na->type.in.s_addr));
+	case AF_INET6:
+		return (false);
+	default:
+		return (false);
+	}
+}
+
+void
+isc_netaddr_fromv4mapped(isc_netaddr_t *t, const isc_netaddr_t *s) {
+	isc_netaddr_t *src;
+
+	DE_CONST(s, src); /* Must come before IN6_IS_ADDR_V4MAPPED. */
+
+	REQUIRE(s->family == AF_INET6);
+	REQUIRE(IN6_IS_ADDR_V4MAPPED(&src->type.in6));
+
+	memset(t, 0, sizeof(*t));
+	t->family = AF_INET;
+	memmove(&t->type.in, (char *)&src->type.in6 + 12, 4);
+	return;
+}
+
+bool
+isc_netaddr_isloopback(const isc_netaddr_t *na) {
+	switch (na->family) {
+	case AF_INET:
+		return (((ntohl(na->type.in.s_addr) & 0xff000000U) ==
+			 0x7f000000U));
+	case AF_INET6:
+		return (IN6_IS_ADDR_LOOPBACK(&na->type.in6));
+	default:
+		return (false);
+	}
+}
diff --git a/lib/isc/netmgr/Makefile.in b/lib/isc/netmgr/Makefile.in
new file mode 100644
index 0000000..1806cb4
--- /dev/null
+++ b/lib/isc/netmgr/Makefile.in
@@ -0,0 +1,41 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+CINCLUDES =	-I${srcdir}/include \
+		-I${srcdir}/../unix/include \
+		-I${srcdir}/../pthreads/include \
+		-I../include \
+		-I${srcdir}/../include \
+		-I${srcdir}/.. \
+		${OPENSSL_CFLAGS} \
+		${JSON_C_CFLAGS} \
+		${LIBUV_CFLAGS} \
+		${LIBXML2_CFLAGS}
+
+CDEFINES =
+CWARNINGS =
+
+# Alphabetically
+OBJS =		netmgr.@O@ tcp.@O@ udp.@O@ \
+		tcpdns.@O@ \
+		uverr2result.@O@ uv-compat.@O@
+
+# Alphabetically
+SRCS =		netmgr.c tcp.c udp.c tcpdns.c \
+		uverr2result.c uv-compat.c
+
+TARGETS =	${OBJS}
+
+@BIND9_MAKE_RULES@
diff --git a/lib/isc/netmgr/netmgr-int.h b/lib/isc/netmgr/netmgr-int.h
new file mode 100644
index 0000000..05fde1a
--- /dev/null
+++ b/lib/isc/netmgr/netmgr-int.h
@@ -0,0 +1,1615 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#pragma once
+
+#include <unistd.h>
+#include <uv.h>
+
+#include <openssl/err.h>
+#include <openssl/ssl.h>
+
+#include <isc/astack.h>
+#include <isc/atomic.h>
+#include <isc/barrier.h>
+#include <isc/buffer.h>
+#include <isc/condition.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/netmgr.h>
+#include <isc/quota.h>
+#include <isc/random.h>
+#include <isc/refcount.h>
+#include <isc/region.h>
+#include <isc/result.h>
+#include <isc/rwlock.h>
+#include <isc/sockaddr.h>
+#include <isc/stats.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+
+#include "uv-compat.h"
+
+#define ISC_NETMGR_TID_UNKNOWN -1
+
+/* Must be different from ISC_NETMGR_TID_UNKNOWN */
+#define ISC_NETMGR_NON_INTERLOCKED -2
+
+/*
+ * Receive buffers
+ */
+#if HAVE_DECL_UV_UDP_MMSG_CHUNK
+/*
+ * The value 20 here is UV__MMSG_MAXWIDTH taken from the current libuv source,
+ * libuv will not receive more that 20 datagrams in a single recvmmsg call.
+ */
+#define ISC_NETMGR_UDP_RECVBUF_SIZE (20 * UINT16_MAX)
+#else
+/*
+ * A single DNS message size
+ */
+#define ISC_NETMGR_UDP_RECVBUF_SIZE UINT16_MAX
+#endif
+
+/*
+ * The TCP receive buffer can fit one maximum sized DNS message plus its size,
+ * the receive buffer here affects TCP, DoT and DoH.
+ */
+#define ISC_NETMGR_TCP_RECVBUF_SIZE (sizeof(uint16_t) + UINT16_MAX)
+
+/* Pick the larger buffer */
+#define ISC_NETMGR_RECVBUF_SIZE                                     \
+	(ISC_NETMGR_UDP_RECVBUF_SIZE >= ISC_NETMGR_TCP_RECVBUF_SIZE \
+		 ? ISC_NETMGR_UDP_RECVBUF_SIZE                      \
+		 : ISC_NETMGR_TCP_RECVBUF_SIZE)
+
+/*
+ * Send buffer
+ */
+#define ISC_NETMGR_SENDBUF_SIZE (sizeof(uint16_t) + UINT16_MAX)
+
+/*%
+ * Regular TCP buffer size.
+ */
+#define NM_REG_BUF 4096
+
+/*%
+ * Larger buffer for when the regular one isn't enough; this will
+ * hold two full DNS packets with lengths.  netmgr receives 64k at
+ * most in TCPDNS connections, so there's no risk of overrun
+ * when using a buffer this size.
+ */
+#define NM_BIG_BUF ISC_NETMGR_TCP_RECVBUF_SIZE * 2
+
+/*
+ * Define NETMGR_TRACE to activate tracing of handles and sockets.
+ * This will impair performance but enables us to quickly determine,
+ * if netmgr resources haven't been cleaned up on shutdown, which ones
+ * are still in use.
+ */
+#ifdef NETMGR_TRACE
+#define TRACE_SIZE 8
+
+void
+isc__nm_dump_active(isc_nm_t *nm);
+
+#if defined(__linux__)
+#include <syscall.h>
+#define gettid() (uint32_t) syscall(SYS_gettid)
+#elif defined(_WIN32)
+#define gettid() (uint32_t) GetCurrentThreadId()
+#else
+#define gettid() (uint32_t) pthread_self()
+#endif
+
+#ifdef NETMGR_TRACE_VERBOSE
+#define NETMGR_TRACE_LOG(format, ...)                                \
+	fprintf(stderr, "%" PRIu32 ":%d:%s:%u:%s:" format, gettid(), \
+		isc_nm_tid(), file, line, func, __VA_ARGS__)
+#else
+#define NETMGR_TRACE_LOG(format, ...) \
+	(void)file;                   \
+	(void)line;                   \
+	(void)func;
+#endif
+
+#define FLARG_PASS , file, line, func
+#define FLARG                                              \
+	, const char *file __attribute__((unused)),        \
+		unsigned int line __attribute__((unused)), \
+		const char *func __attribute__((unused))
+#define FLARG_IEVENT(ievent)              \
+	const char *file = ievent->file;  \
+	unsigned int line = ievent->line; \
+	const char *func = ievent->func;
+#define FLARG_IEVENT_PASS(ievent) \
+	ievent->file = file;      \
+	ievent->line = line;      \
+	ievent->func = func;
+#define isc__nm_uvreq_get(req, sock) \
+	isc___nm_uvreq_get(req, sock, __FILE__, __LINE__, __func__)
+#define isc__nm_uvreq_put(req, sock) \
+	isc___nm_uvreq_put(req, sock, __FILE__, __LINE__, __func__)
+#define isc__nmsocket_init(sock, mgr, type, iface)                      \
+	isc___nmsocket_init(sock, mgr, type, iface, __FILE__, __LINE__, \
+			    __func__)
+#define isc__nmsocket_put(sockp) \
+	isc___nmsocket_put(sockp, __FILE__, __LINE__, __func__)
+#define isc__nmsocket_attach(sock, target) \
+	isc___nmsocket_attach(sock, target, __FILE__, __LINE__, __func__)
+#define isc__nmsocket_detach(socketp) \
+	isc___nmsocket_detach(socketp, __FILE__, __LINE__, __func__)
+#define isc__nmsocket_close(socketp) \
+	isc___nmsocket_close(socketp, __FILE__, __LINE__, __func__)
+#define isc__nmhandle_get(sock, peer, local) \
+	isc___nmhandle_get(sock, peer, local, __FILE__, __LINE__, __func__)
+#define isc__nmsocket_prep_destroy(sock) \
+	isc___nmsocket_prep_destroy(sock, __FILE__, __LINE__, __func__)
+#else
+#define NETMGR_TRACE_LOG(format, ...)
+
+#define FLARG_PASS
+#define FLARG
+#define FLARG_IEVENT(ievent)
+#define FLARG_IEVENT_PASS(ievent)
+#define isc__nm_uvreq_get(req, sock) isc___nm_uvreq_get(req, sock)
+#define isc__nm_uvreq_put(req, sock) isc___nm_uvreq_put(req, sock)
+#define isc__nmsocket_init(sock, mgr, type, iface) \
+	isc___nmsocket_init(sock, mgr, type, iface)
+#define isc__nmsocket_put(sockp)	   isc___nmsocket_put(sockp)
+#define isc__nmsocket_attach(sock, target) isc___nmsocket_attach(sock, target)
+#define isc__nmsocket_detach(socketp)	   isc___nmsocket_detach(socketp)
+#define isc__nmsocket_close(socketp)	   isc___nmsocket_close(socketp)
+#define isc__nmhandle_get(sock, peer, local) \
+	isc___nmhandle_get(sock, peer, local)
+#define isc__nmsocket_prep_destroy(sock) isc___nmsocket_prep_destroy(sock)
+#endif
+
+/*
+ * Queue types in the order of processing priority.
+ */
+typedef enum {
+	NETIEVENT_PRIORITY = 0,
+	NETIEVENT_PRIVILEGED = 1,
+	NETIEVENT_TASK = 2,
+	NETIEVENT_NORMAL = 3,
+	NETIEVENT_MAX = 4,
+} netievent_type_t;
+
+typedef struct isc__nm_uvreq isc__nm_uvreq_t;
+typedef struct isc__netievent isc__netievent_t;
+
+typedef ISC_LIST(isc__netievent_t) isc__netievent_list_t;
+
+typedef struct ievent {
+	isc_mutex_t lock;
+	isc_condition_t cond;
+	isc__netievent_list_t list;
+} ievent_t;
+
+/*
+ * Single network event loop worker.
+ */
+typedef struct isc__networker {
+	isc_nm_t *mgr;
+	int id;		  /* thread id */
+	uv_loop_t loop;	  /* libuv loop structure */
+	uv_async_t async; /* async channel to send
+			   * data to this networker */
+	bool paused;
+	bool finished;
+	isc_thread_t thread;
+	ievent_t ievents[NETIEVENT_MAX];
+
+	isc_refcount_t references;
+	atomic_int_fast64_t pktcount;
+	char *recvbuf;
+	char *sendbuf;
+	bool recvbuf_inuse;
+} isc__networker_t;
+
+/*
+ * A general handle for a connection bound to a networker.  For UDP
+ * connections we have peer address here, so both TCP and UDP can be
+ * handled with a simple send-like function
+ */
+#define NMHANDLE_MAGIC ISC_MAGIC('N', 'M', 'H', 'D')
+#define VALID_NMHANDLE(t)                      \
+	(ISC_MAGIC_VALID(t, NMHANDLE_MAGIC) && \
+	 atomic_load(&(t)->references) > 0)
+
+typedef void (*isc__nm_closecb)(isc_nmhandle_t *);
+
+struct isc_nmhandle {
+	int magic;
+	isc_refcount_t references;
+
+	/*
+	 * The socket is not 'attached' in the traditional
+	 * reference-counting sense. Instead, we keep all handles in an
+	 * array in the socket object.  This way, we don't have circular
+	 * dependencies and we can close all handles when we're destroying
+	 * the socket.
+	 */
+	isc_nmsocket_t *sock;
+
+	isc_sockaddr_t peer;
+	isc_sockaddr_t local;
+	isc_nm_opaquecb_t doreset; /* reset extra callback, external */
+	isc_nm_opaquecb_t dofree;  /* free extra callback, external */
+#ifdef NETMGR_TRACE
+	void *backtrace[TRACE_SIZE];
+	int backtrace_size;
+	LINK(isc_nmhandle_t) active_link;
+#endif
+	void *opaque;
+	char extra[];
+};
+
+typedef enum isc__netievent_type {
+	netievent_udpconnect,
+	netievent_udpclose,
+	netievent_udpsend,
+	netievent_udpread,
+	netievent_udpcancel,
+
+	netievent_tcpconnect,
+	netievent_tcpclose,
+	netievent_tcpsend,
+	netievent_tcpstartread,
+	netievent_tcppauseread,
+	netievent_tcpaccept,
+	netievent_tcpcancel,
+
+	netievent_tcpdnsaccept,
+	netievent_tcpdnsconnect,
+	netievent_tcpdnsclose,
+	netievent_tcpdnssend,
+	netievent_tcpdnsread,
+	netievent_tcpdnscancel,
+
+	netievent_shutdown,
+	netievent_stop,
+	netievent_pause,
+
+	netievent_connectcb,
+	netievent_readcb,
+	netievent_sendcb,
+
+	netievent_detach,
+	netievent_close,
+
+	netievent_task,
+	netievent_privilegedtask,
+
+	/*
+	 * event type values higher than this will be treated
+	 * as high-priority events, which can be processed
+	 * while the netmgr is pausing or paused.
+	 */
+	netievent_prio = 0xff,
+
+	netievent_udplisten,
+	netievent_udpstop,
+	netievent_tcplisten,
+	netievent_tcpstop,
+	netievent_tcpdnslisten,
+	netievent_tcpdnsstop,
+
+	netievent_resume,
+} isc__netievent_type;
+
+typedef union {
+	isc_nm_recv_cb_t recv;
+	isc_nm_cb_t send;
+	isc_nm_cb_t connect;
+	isc_nm_accept_cb_t accept;
+} isc__nm_cb_t;
+
+/*
+ * Wrapper around uv_req_t with 'our' fields in it.  req->data should
+ * always point to its parent.  Note that we always allocate more than
+ * sizeof(struct) because we make room for different req types;
+ */
+#define UVREQ_MAGIC    ISC_MAGIC('N', 'M', 'U', 'R')
+#define VALID_UVREQ(t) ISC_MAGIC_VALID(t, UVREQ_MAGIC)
+
+typedef struct isc__nm_uvreq isc__nm_uvreq_t;
+struct isc__nm_uvreq {
+	int magic;
+	isc_nmsocket_t *sock;
+	isc_nmhandle_t *handle;
+	char tcplen[2];	       /* The TCP DNS message length */
+	uv_buf_t uvbuf;	       /* translated isc_region_t, to be
+				* sent or received */
+	isc_sockaddr_t local;  /* local address */
+	isc_sockaddr_t peer;   /* peer address */
+	isc__nm_cb_t cb;       /* callback */
+	void *cbarg;	       /* callback argument */
+	isc_nm_timer_t *timer; /* TCP write timer */
+
+	union {
+		uv_handle_t handle;
+		uv_req_t req;
+		uv_getaddrinfo_t getaddrinfo;
+		uv_getnameinfo_t getnameinfo;
+		uv_shutdown_t shutdown;
+		uv_write_t write;
+		uv_connect_t connect;
+		uv_udp_send_t udp_send;
+		uv_fs_t fs;
+		uv_work_t work;
+	} uv_req;
+	ISC_LINK(isc__nm_uvreq_t) link;
+};
+
+struct isc_nm_timer {
+	isc_refcount_t references;
+	uv_timer_t timer;
+	isc_nmhandle_t *handle;
+	isc_nm_timer_cb cb;
+	void *cbarg;
+};
+
+void *
+isc__nm_get_netievent(isc_nm_t *mgr, isc__netievent_type type);
+/*%<
+ * Allocate an ievent and set the type.
+ */
+void
+isc__nm_put_netievent(isc_nm_t *mgr, void *ievent);
+
+/*
+ * The macros here are used to simulate the "inheritance" in C, there's the base
+ * netievent structure that contains just its own type and socket, and there are
+ * extended netievent types that also have handles or requests or other data.
+ *
+ * The macros here ensure that:
+ *
+ *   1. every netievent type has matching definition, declaration and
+ *      implementation
+ *
+ *   2. we handle all the netievent types of same subclass the same, e.g. if the
+ *      extended netievent contains handle, we always attach to the handle in
+ *      the ctor and detach from the handle in dtor.
+ *
+ * There are three macros here for each netievent subclass:
+ *
+ *   1. NETIEVENT_*_TYPE(type) creates the typedef for each type; used below in
+ *   this header
+ *
+ *   2. NETIEVENT_*_DECL(type) generates the declaration of the get and put
+ *      functions (isc__nm_get_netievent_* and isc__nm_put_netievent_*); used
+ *      below in this header
+ *
+ *   3. NETIEVENT_*_DEF(type) generates the definition of the functions; used
+ *   either in netmgr.c or matching protocol file (e.g. udp.c, tcp.c, etc.)
+ */
+
+#define NETIEVENT__SOCKET                \
+	isc__netievent_type type;        \
+	ISC_LINK(isc__netievent_t) link; \
+	isc_nmsocket_t *sock;            \
+	const char *file;                \
+	unsigned int line;               \
+	const char *func
+
+typedef struct isc__netievent__socket {
+	NETIEVENT__SOCKET;
+} isc__netievent__socket_t;
+
+#define NETIEVENT_SOCKET_TYPE(type) \
+	typedef isc__netievent__socket_t isc__netievent_##type##_t;
+
+#define NETIEVENT_SOCKET_DECL(type)                              \
+	isc__netievent_##type##_t *isc__nm_get_netievent_##type( \
+		isc_nm_t *nm, isc_nmsocket_t *sock);             \
+	void isc__nm_put_netievent_##type(isc_nm_t *nm,          \
+					  isc__netievent_##type##_t *ievent);
+
+#define NETIEVENT_SOCKET_DEF(type)                                             \
+	isc__netievent_##type##_t *isc__nm_get_netievent_##type(               \
+		isc_nm_t *nm, isc_nmsocket_t *sock) {                          \
+		isc__netievent_##type##_t *ievent =                            \
+			isc__nm_get_netievent(nm, netievent_##type);           \
+		isc__nmsocket_attach(sock, &ievent->sock);                     \
+                                                                               \
+		return (ievent);                                               \
+	}                                                                      \
+                                                                               \
+	void isc__nm_put_netievent_##type(isc_nm_t *nm,                        \
+					  isc__netievent_##type##_t *ievent) { \
+		isc__nmsocket_detach(&ievent->sock);                           \
+		isc__nm_put_netievent(nm, ievent);                             \
+	}
+
+typedef struct isc__netievent__socket_req {
+	NETIEVENT__SOCKET;
+	isc__nm_uvreq_t *req;
+} isc__netievent__socket_req_t;
+
+#define NETIEVENT_SOCKET_REQ_TYPE(type) \
+	typedef isc__netievent__socket_req_t isc__netievent_##type##_t;
+
+#define NETIEVENT_SOCKET_REQ_DECL(type)                                    \
+	isc__netievent_##type##_t *isc__nm_get_netievent_##type(           \
+		isc_nm_t *nm, isc_nmsocket_t *sock, isc__nm_uvreq_t *req); \
+	void isc__nm_put_netievent_##type(isc_nm_t *nm,                    \
+					  isc__netievent_##type##_t *ievent);
+
+#define NETIEVENT_SOCKET_REQ_DEF(type)                                         \
+	isc__netievent_##type##_t *isc__nm_get_netievent_##type(               \
+		isc_nm_t *nm, isc_nmsocket_t *sock, isc__nm_uvreq_t *req) {    \
+		isc__netievent_##type##_t *ievent =                            \
+			isc__nm_get_netievent(nm, netievent_##type);           \
+		isc__nmsocket_attach(sock, &ievent->sock);                     \
+		ievent->req = req;                                             \
+                                                                               \
+		return (ievent);                                               \
+	}                                                                      \
+                                                                               \
+	void isc__nm_put_netievent_##type(isc_nm_t *nm,                        \
+					  isc__netievent_##type##_t *ievent) { \
+		isc__nmsocket_detach(&ievent->sock);                           \
+		isc__nm_put_netievent(nm, ievent);                             \
+	}
+
+typedef struct isc__netievent__socket_req_result {
+	NETIEVENT__SOCKET;
+	isc__nm_uvreq_t *req;
+	isc_result_t result;
+} isc__netievent__socket_req_result_t;
+
+#define NETIEVENT_SOCKET_REQ_RESULT_TYPE(type) \
+	typedef isc__netievent__socket_req_result_t isc__netievent_##type##_t;
+
+#define NETIEVENT_SOCKET_REQ_RESULT_DECL(type)                            \
+	isc__netievent_##type##_t *isc__nm_get_netievent_##type(          \
+		isc_nm_t *nm, isc_nmsocket_t *sock, isc__nm_uvreq_t *req, \
+		isc_result_t result);                                     \
+	void isc__nm_put_netievent_##type(isc_nm_t *nm,                   \
+					  isc__netievent_##type##_t *ievent);
+
+#define NETIEVENT_SOCKET_REQ_RESULT_DEF(type)                                  \
+	isc__netievent_##type##_t *isc__nm_get_netievent_##type(               \
+		isc_nm_t *nm, isc_nmsocket_t *sock, isc__nm_uvreq_t *req,      \
+		isc_result_t result) {                                         \
+		isc__netievent_##type##_t *ievent =                            \
+			isc__nm_get_netievent(nm, netievent_##type);           \
+		isc__nmsocket_attach(sock, &ievent->sock);                     \
+		ievent->req = req;                                             \
+		ievent->result = result;                                       \
+                                                                               \
+		return (ievent);                                               \
+	}                                                                      \
+                                                                               \
+	void isc__nm_put_netievent_##type(isc_nm_t *nm,                        \
+					  isc__netievent_##type##_t *ievent) { \
+		isc__nmsocket_detach(&ievent->sock);                           \
+		isc__nm_put_netievent(nm, ievent);                             \
+	}
+
+typedef struct isc__netievent__socket_handle {
+	NETIEVENT__SOCKET;
+	isc_nmhandle_t *handle;
+} isc__netievent__socket_handle_t;
+
+#define NETIEVENT_SOCKET_HANDLE_TYPE(type) \
+	typedef isc__netievent__socket_handle_t isc__netievent_##type##_t;
+
+#define NETIEVENT_SOCKET_HANDLE_DECL(type)                                   \
+	isc__netievent_##type##_t *isc__nm_get_netievent_##type(             \
+		isc_nm_t *nm, isc_nmsocket_t *sock, isc_nmhandle_t *handle); \
+	void isc__nm_put_netievent_##type(isc_nm_t *nm,                      \
+					  isc__netievent_##type##_t *ievent);
+
+#define NETIEVENT_SOCKET_HANDLE_DEF(type)                                      \
+	isc__netievent_##type##_t *isc__nm_get_netievent_##type(               \
+		isc_nm_t *nm, isc_nmsocket_t *sock, isc_nmhandle_t *handle) {  \
+		isc__netievent_##type##_t *ievent =                            \
+			isc__nm_get_netievent(nm, netievent_##type);           \
+		isc__nmsocket_attach(sock, &ievent->sock);                     \
+		isc_nmhandle_attach(handle, &ievent->handle);                  \
+                                                                               \
+		return (ievent);                                               \
+	}                                                                      \
+                                                                               \
+	void isc__nm_put_netievent_##type(isc_nm_t *nm,                        \
+					  isc__netievent_##type##_t *ievent) { \
+		isc__nmsocket_detach(&ievent->sock);                           \
+		isc_nmhandle_detach(&ievent->handle);                          \
+		isc__nm_put_netievent(nm, ievent);                             \
+	}
+
+typedef struct isc__netievent__socket_quota {
+	NETIEVENT__SOCKET;
+	isc_quota_t *quota;
+} isc__netievent__socket_quota_t;
+
+#define NETIEVENT_SOCKET_QUOTA_TYPE(type) \
+	typedef isc__netievent__socket_quota_t isc__netievent_##type##_t;
+
+#define NETIEVENT_SOCKET_QUOTA_DECL(type)                                \
+	isc__netievent_##type##_t *isc__nm_get_netievent_##type(         \
+		isc_nm_t *nm, isc_nmsocket_t *sock, isc_quota_t *quota); \
+	void isc__nm_put_netievent_##type(isc_nm_t *nm,                  \
+					  isc__netievent_##type##_t *ievent);
+
+#define NETIEVENT_SOCKET_QUOTA_DEF(type)                                       \
+	isc__netievent_##type##_t *isc__nm_get_netievent_##type(               \
+		isc_nm_t *nm, isc_nmsocket_t *sock, isc_quota_t *quota) {      \
+		isc__netievent_##type##_t *ievent =                            \
+			isc__nm_get_netievent(nm, netievent_##type);           \
+		isc__nmsocket_attach(sock, &ievent->sock);                     \
+		ievent->quota = quota;                                         \
+                                                                               \
+		return (ievent);                                               \
+	}                                                                      \
+                                                                               \
+	void isc__nm_put_netievent_##type(isc_nm_t *nm,                        \
+					  isc__netievent_##type##_t *ievent) { \
+		isc__nmsocket_detach(&ievent->sock);                           \
+		isc__nm_put_netievent(nm, ievent);                             \
+	}
+
+typedef struct isc__netievent__task {
+	isc__netievent_type type;
+	ISC_LINK(isc__netievent_t) link;
+	isc_task_t *task;
+} isc__netievent__task_t;
+
+#define NETIEVENT_TASK_TYPE(type) \
+	typedef isc__netievent__task_t isc__netievent_##type##_t;
+
+#define NETIEVENT_TASK_DECL(type)                                \
+	isc__netievent_##type##_t *isc__nm_get_netievent_##type( \
+		isc_nm_t *nm, isc_task_t *task);                 \
+	void isc__nm_put_netievent_##type(isc_nm_t *nm,          \
+					  isc__netievent_##type##_t *ievent);
+
+#define NETIEVENT_TASK_DEF(type)                                               \
+	isc__netievent_##type##_t *isc__nm_get_netievent_##type(               \
+		isc_nm_t *nm, isc_task_t *task) {                              \
+		isc__netievent_##type##_t *ievent =                            \
+			isc__nm_get_netievent(nm, netievent_##type);           \
+		ievent->task = task;                                           \
+                                                                               \
+		return (ievent);                                               \
+	}                                                                      \
+                                                                               \
+	void isc__nm_put_netievent_##type(isc_nm_t *nm,                        \
+					  isc__netievent_##type##_t *ievent) { \
+		ievent->task = NULL;                                           \
+		isc__nm_put_netievent(nm, ievent);                             \
+	}
+
+typedef struct isc__netievent_udpsend {
+	NETIEVENT__SOCKET;
+	isc_sockaddr_t peer;
+	isc__nm_uvreq_t *req;
+} isc__netievent_udpsend_t;
+
+typedef struct isc__netievent {
+	isc__netievent_type type;
+	ISC_LINK(isc__netievent_t) link;
+} isc__netievent_t;
+
+#define NETIEVENT_TYPE(type) typedef isc__netievent_t isc__netievent_##type##_t;
+
+#define NETIEVENT_DECL(type)                                                   \
+	isc__netievent_##type##_t *isc__nm_get_netievent_##type(isc_nm_t *nm); \
+	void isc__nm_put_netievent_##type(isc_nm_t *nm,                        \
+					  isc__netievent_##type##_t *ievent);
+
+#define NETIEVENT_DEF(type)                                                    \
+	isc__netievent_##type##_t *isc__nm_get_netievent_##type(               \
+		isc_nm_t *nm) {                                                \
+		isc__netievent_##type##_t *ievent =                            \
+			isc__nm_get_netievent(nm, netievent_##type);           \
+                                                                               \
+		return (ievent);                                               \
+	}                                                                      \
+                                                                               \
+	void isc__nm_put_netievent_##type(isc_nm_t *nm,                        \
+					  isc__netievent_##type##_t *ievent) { \
+		isc__nm_put_netievent(nm, ievent);                             \
+	}
+
+typedef union {
+	isc__netievent_t ni;
+	isc__netievent__socket_t nis;
+	isc__netievent__socket_req_t nisr;
+	isc__netievent_udpsend_t nius;
+	isc__netievent__socket_quota_t nisq;
+} isc__netievent_storage_t;
+
+/*
+ * Work item for a uv_work threadpool.
+ */
+typedef struct isc__nm_work {
+	isc_nm_t *netmgr;
+	uv_work_t req;
+	isc_nm_workcb_t cb;
+	isc_nm_after_workcb_t after_cb;
+	void *data;
+} isc__nm_work_t;
+
+/*
+ * Network manager
+ */
+#define NM_MAGIC    ISC_MAGIC('N', 'E', 'T', 'M')
+#define VALID_NM(t) ISC_MAGIC_VALID(t, NM_MAGIC)
+
+struct isc_nm {
+	int magic;
+	isc_refcount_t references;
+	isc_mem_t *mctx;
+	int nworkers;
+	isc_mutex_t lock;
+	isc_condition_t wkstatecond;
+	isc_condition_t wkpausecond;
+	isc__networker_t *workers;
+
+	isc_stats_t *stats;
+
+	uint_fast32_t workers_running;
+	atomic_uint_fast32_t workers_paused;
+	atomic_uint_fast32_t maxudp;
+
+	bool load_balance_sockets;
+
+	atomic_bool paused;
+
+	/*
+	 * Active connections are being closed and new connections are
+	 * no longer allowed.
+	 */
+	atomic_bool closing;
+
+	/*
+	 * A worker is actively waiting for other workers, for example to
+	 * stop listening; that means no other thread can do the same thing
+	 * or pause, or we'll deadlock. We have to either re-enqueue our
+	 * event or wait for the other one to finish if we want to pause.
+	 */
+	atomic_int interlocked;
+
+	/*
+	 * Timeout values for TCP connections, corresponding to
+	 * tcp-intiial-timeout, tcp-idle-timeout, tcp-keepalive-timeout,
+	 * and tcp-advertised-timeout. Note that these are stored in
+	 * milliseconds so they can be used directly with the libuv timer,
+	 * but they are configured in tenths of seconds.
+	 */
+	atomic_uint_fast32_t init;
+	atomic_uint_fast32_t idle;
+	atomic_uint_fast32_t keepalive;
+	atomic_uint_fast32_t advertised;
+
+	isc_barrier_t pausing;
+	isc_barrier_t resuming;
+
+#ifdef NETMGR_TRACE
+	ISC_LIST(isc_nmsocket_t) active_sockets;
+#endif
+};
+
+typedef enum isc_nmsocket_type {
+	isc_nm_udpsocket,
+	isc_nm_udplistener, /* Aggregate of nm_udpsocks */
+	isc_nm_tcpsocket,
+	isc_nm_tcplistener,
+	isc_nm_tcpdnslistener,
+	isc_nm_tcpdnssocket,
+} isc_nmsocket_type;
+
+/*%
+ * A universal structure for either a single socket or a group of
+ * dup'd/SO_REUSE_PORT-using sockets listening on the same interface.
+ */
+#define NMSOCK_MAGIC	ISC_MAGIC('N', 'M', 'S', 'K')
+#define VALID_NMSOCK(t) ISC_MAGIC_VALID(t, NMSOCK_MAGIC)
+
+/*%
+ * Index into socket stat counter arrays.
+ */
+enum {
+	STATID_OPEN = 0,
+	STATID_OPENFAIL = 1,
+	STATID_CLOSE = 2,
+	STATID_BINDFAIL = 3,
+	STATID_CONNECTFAIL = 4,
+	STATID_CONNECT = 5,
+	STATID_ACCEPTFAIL = 6,
+	STATID_ACCEPT = 7,
+	STATID_SENDFAIL = 8,
+	STATID_RECVFAIL = 9,
+	STATID_ACTIVE = 10
+};
+
+typedef void (*isc_nm_closehandlecb_t)(void *arg);
+/*%<
+ * Opaque callback function, used for isc_nmhandle 'reset' and 'free'
+ * callbacks.
+ */
+
+struct isc_nmsocket {
+	/*% Unlocked, RO */
+	int magic;
+	int tid;
+	isc_nmsocket_type type;
+	isc_nm_t *mgr;
+
+	/*% Parent socket for multithreaded listeners */
+	isc_nmsocket_t *parent;
+	/*% Listener socket this connection was accepted on */
+	isc_nmsocket_t *listener;
+	/*% Self socket */
+	isc_nmsocket_t *self;
+
+	isc_barrier_t startlistening;
+	isc_barrier_t stoplistening;
+
+	/*%
+	 * quota is the TCP client, attached when a TCP connection
+	 * is established. pquota is a non-attached pointer to the
+	 * TCP client quota, stored in listening sockets but only
+	 * attached in connected sockets.
+	 */
+	isc_quota_t *quota;
+	isc_quota_t *pquota;
+	isc_quota_cb_t quotacb;
+
+	/*%
+	 * Socket statistics
+	 */
+	const isc_statscounter_t *statsindex;
+
+	/*%
+	 * TCP read/connect timeout timers.
+	 */
+	uv_timer_t read_timer;
+	uint64_t read_timeout;
+	uint64_t connect_timeout;
+
+	/*%
+	 * TCP write timeout timer.
+	 */
+	uint64_t write_timeout;
+
+	/*% outer socket is for 'wrapped' sockets - e.g. tcpdns in tcp */
+	isc_nmsocket_t *outer;
+
+	/*% server socket for connections */
+	isc_nmsocket_t *server;
+
+	/*% Child sockets for multi-socket setups */
+	isc_nmsocket_t *children;
+	uint_fast32_t nchildren;
+	isc_sockaddr_t iface;
+	isc_nmhandle_t *statichandle;
+	isc_nmhandle_t *outerhandle;
+
+	/*% Extra data allocated at the end of each isc_nmhandle_t */
+	size_t extrahandlesize;
+
+	/*% TCP backlog */
+	int backlog;
+
+	/*% libuv data */
+	uv_os_sock_t fd;
+	union uv_any_handle uv_handle;
+
+	/*% Peer address */
+	isc_sockaddr_t peer;
+
+	/* Atomic */
+	/*% Number of running (e.g. listening) child sockets */
+	atomic_uint_fast32_t rchildren;
+
+	/*%
+	 * Socket is active if it's listening, working, etc. If it's
+	 * closing, then it doesn't make a sense, for example, to
+	 * push handles or reqs for reuse.
+	 */
+	atomic_bool active;
+	atomic_bool destroying;
+
+	/*%
+	 * Socket is closed if it's not active and all the possible
+	 * callbacks were fired, there are no active handles, etc.
+	 * If active==false but closed==false, that means the socket
+	 * is closing.
+	 */
+	atomic_bool closing;
+	atomic_bool closed;
+	atomic_bool listening;
+	atomic_bool connecting;
+	atomic_bool connected;
+	bool accepting;
+	bool reading;
+	atomic_bool timedout;
+	isc_refcount_t references;
+
+	/*%
+	 * Established an outgoing connection, as client not server.
+	 */
+	atomic_bool client;
+
+	/*%
+	 * TCPDNS socket has been set not to pipeline.
+	 */
+	atomic_bool sequential;
+
+	/*%
+	 * The socket is processing read callback, this is guard to not read
+	 * data before the readcb is back.
+	 */
+	bool processing;
+
+	/*%
+	 * A TCP socket has had isc_nm_pauseread() called.
+	 */
+	atomic_bool readpaused;
+
+	/*%
+	 * A TCP or TCPDNS socket has been set to use the keepalive
+	 * timeout instead of the default idle timeout.
+	 */
+	atomic_bool keepalive;
+
+	/*%
+	 * 'spare' handles for that can be reused to avoid allocations,
+	 * for UDP.
+	 */
+	isc_astack_t *inactivehandles;
+	isc_astack_t *inactivereqs;
+
+	/*%
+	 * Used to wait for TCP listening events to complete, and
+	 * for the number of running children to reach zero during
+	 * shutdown.
+	 *
+	 * We use two condition variables to prevent the race where the netmgr
+	 * threads would be able to finish and destroy the socket before it's
+	 * unlocked by the isc_nm_listen<proto>() function.  So, the flow is as
+	 * follows:
+	 *
+	 *   1. parent thread creates all children sockets and passes then to
+	 *      netthreads, looks at the signaling variable and WAIT(cond) until
+	 *      the childrens are done initializing
+	 *
+	 *   2. the events get picked by netthreads, calls the libuv API (and
+	 *      either succeeds or fails) and WAIT(scond) until all other
+	 *      children sockets in netthreads are initialized and the listening
+	 *      socket lock is unlocked
+	 *
+	 *   3. the control is given back to the parent thread which now either
+	 *      returns success or shutdowns the listener if an error has
+	 *      occured in the children netthread
+	 *
+	 * NOTE: The other approach would be doing an extra attach to the parent
+	 * listening socket, and then detach it in the parent thread, but that
+	 * breaks the promise that once the libuv socket is initialized on the
+	 * nmsocket, the nmsocket needs to be handled only by matching
+	 * netthread, so in fact that would add a complexity in a way that
+	 * isc__nmsocket_detach would have to be converted to use an
+	 * asynchrounous netievent.
+	 */
+	isc_mutex_t lock;
+	isc_condition_t cond;
+	isc_condition_t scond;
+
+	/*%
+	 * Used to pass a result back from listen or connect events.
+	 */
+	isc_result_t result;
+
+	/*%
+	 * Current number of active handles.
+	 */
+	atomic_int_fast32_t ah;
+
+	/*% Buffer for TCPDNS processing */
+	size_t buf_size;
+	size_t buf_len;
+	unsigned char *buf;
+
+	/*%
+	 * This function will be called with handle->sock
+	 * as the argument whenever a handle's references drop
+	 * to zero, after its reset callback has been called.
+	 */
+	isc_nm_closehandlecb_t closehandle_cb;
+
+	isc_nmhandle_t *recv_handle;
+	isc_nm_recv_cb_t recv_cb;
+	void *recv_cbarg;
+	bool recv_read;
+
+	isc_nm_cb_t connect_cb;
+	void *connect_cbarg;
+
+	isc_nm_accept_cb_t accept_cb;
+	void *accept_cbarg;
+
+	atomic_int_fast32_t active_child_connections;
+
+#ifdef NETMGR_TRACE
+	void *backtrace[TRACE_SIZE];
+	int backtrace_size;
+	LINK(isc_nmsocket_t) active_link;
+	ISC_LIST(isc_nmhandle_t) active_handles;
+#endif
+};
+
+bool
+isc__nm_in_netthread(void);
+/*%
+ * Returns 'true' if we're in the network thread.
+ */
+
+void
+isc__nm_maybe_enqueue_ievent(isc__networker_t *worker, isc__netievent_t *event);
+/*%<
+ * If the caller is already in the matching nmthread, process the netievent
+ * directly, if not enqueue using isc__nm_enqueue_ievent().
+ */
+
+void
+isc__nm_enqueue_ievent(isc__networker_t *worker, isc__netievent_t *event);
+/*%<
+ * Enqueue an ievent onto a specific worker queue. (This the only safe
+ * way to use an isc__networker_t from another thread.)
+ */
+
+void
+isc__nm_free_uvbuf(isc_nmsocket_t *sock, const uv_buf_t *buf);
+/*%<
+ * Free a buffer allocated for a receive operation.
+ *
+ * Note that as currently implemented, this doesn't actually
+ * free anything, marks the isc__networker's UDP receive buffer
+ * as "not in use".
+ */
+
+isc_nmhandle_t *
+isc___nmhandle_get(isc_nmsocket_t *sock, isc_sockaddr_t *peer,
+		   isc_sockaddr_t *local FLARG);
+/*%<
+ * Get a handle for the socket 'sock', allocating a new one
+ * if there isn't one available in 'sock->inactivehandles'.
+ *
+ * If 'peer' is not NULL, set the handle's peer address to 'peer',
+ * otherwise set it to 'sock->peer'.
+ *
+ * If 'local' is not NULL, set the handle's local address to 'local',
+ * otherwise set it to 'sock->iface->addr'.
+ *
+ * 'sock' will be attached to 'handle->sock'. The caller may need
+ * to detach the socket afterward.
+ */
+
+isc__nm_uvreq_t *
+isc___nm_uvreq_get(isc_nm_t *mgr, isc_nmsocket_t *sock FLARG);
+/*%<
+ * Get a UV request structure for the socket 'sock', allocating a
+ * new one if there isn't one available in 'sock->inactivereqs'.
+ */
+
+void
+isc___nm_uvreq_put(isc__nm_uvreq_t **req, isc_nmsocket_t *sock FLARG);
+/*%<
+ * Completes the use of a UV request structure, setting '*req' to NULL.
+ *
+ * The UV request is pushed onto the 'sock->inactivereqs' stack or,
+ * if that doesn't work, freed.
+ */
+
+void
+isc___nmsocket_init(isc_nmsocket_t *sock, isc_nm_t *mgr, isc_nmsocket_type type,
+		    isc_sockaddr_t *iface FLARG);
+/*%<
+ * Initialize socket 'sock', attach it to 'mgr', and set it to type 'type'
+ * and its interface to 'iface'.
+ */
+
+void
+isc___nmsocket_attach(isc_nmsocket_t *sock, isc_nmsocket_t **target FLARG);
+/*%<
+ * Attach to a socket, increasing refcount
+ */
+
+void
+isc___nmsocket_detach(isc_nmsocket_t **socketp FLARG);
+/*%<
+ * Detach from socket, decreasing refcount and possibly destroying the
+ * socket if it's no longer referenced.
+ */
+
+void
+isc___nmsocket_prep_destroy(isc_nmsocket_t *sock FLARG);
+/*%<
+ * Market 'sock' as inactive, close it if necessary, and destroy it
+ * if there are no remaining references or active handles.
+ */
+
+void
+isc__nmsocket_shutdown(isc_nmsocket_t *sock);
+/*%<
+ * Initiate the socket shutdown which actively calls the active
+ * callbacks.
+ */
+
+bool
+isc__nmsocket_active(isc_nmsocket_t *sock);
+/*%<
+ * Determine whether 'sock' is active by checking 'sock->active'
+ * or, for child sockets, 'sock->parent->active'.
+ */
+
+bool
+isc__nmsocket_deactivate(isc_nmsocket_t *sock);
+/*%<
+ * @brief Deactivate active socket
+ *
+ * Atomically deactive the socket by setting @p sock->active or, for child
+ * sockets, @p sock->parent->active to @c false
+ *
+ * @param[in] sock - valid nmsocket
+ * @return @c false if the socket was already inactive, @c true otherwise
+ */
+
+void
+isc__nmsocket_clearcb(isc_nmsocket_t *sock);
+/*%<
+ * Clear the recv and accept callbacks in 'sock'.
+ */
+
+void
+isc__nmsocket_timer_stop(isc_nmsocket_t *sock);
+void
+isc__nmsocket_timer_start(isc_nmsocket_t *sock);
+void
+isc__nmsocket_timer_restart(isc_nmsocket_t *sock);
+bool
+isc__nmsocket_timer_running(isc_nmsocket_t *sock);
+/*%<
+ * Start/stop/restart/check the timeout on the socket
+ */
+
+void
+isc__nm_connectcb(isc_nmsocket_t *sock, isc__nm_uvreq_t *uvreq,
+		  isc_result_t eresult, bool async);
+
+void
+isc__nm_async_connectcb(isc__networker_t *worker, isc__netievent_t *ev0);
+/*%<
+ * Issue a connect callback on the socket, used to call the callback
+ */
+
+void
+isc__nm_readcb(isc_nmsocket_t *sock, isc__nm_uvreq_t *uvreq,
+	       isc_result_t eresult);
+void
+isc__nm_async_readcb(isc__networker_t *worker, isc__netievent_t *ev0);
+
+/*%<
+ * Issue a read callback on the socket, used to call the callback
+ * on failed conditions when the event can't be scheduled on the uv loop.
+ *
+ */
+
+void
+isc__nm_sendcb(isc_nmsocket_t *sock, isc__nm_uvreq_t *uvreq,
+	       isc_result_t eresult, bool async);
+void
+isc__nm_async_sendcb(isc__networker_t *worker, isc__netievent_t *ev0);
+/*%<
+ * Issue a write callback on the socket, used to call the callback
+ * on failed conditions when the event can't be scheduled on the uv loop.
+ */
+
+void
+isc__nm_async_shutdown(isc__networker_t *worker, isc__netievent_t *ev0);
+/*%<
+ * Walk through all uv handles, get the underlying sockets and issue
+ * close on them.
+ */
+
+void
+isc__nm_udp_send(isc_nmhandle_t *handle, const isc_region_t *region,
+		 isc_nm_cb_t cb, void *cbarg);
+/*%<
+ * Back-end implementation of isc_nm_send() for UDP handles.
+ */
+
+void
+isc__nm_udp_read(isc_nmhandle_t *handle, isc_nm_recv_cb_t cb, void *cbarg);
+/*
+ * Back-end implementation of isc_nm_read() for UDP handles.
+ */
+
+void
+isc__nm_udp_close(isc_nmsocket_t *sock);
+/*%<
+ * Close a UDP socket.
+ */
+
+void
+isc__nm_udp_cancelread(isc_nmhandle_t *handle);
+/*%<
+ * Stop reading on a connected UDP handle.
+ */
+
+void
+isc__nm_udp_shutdown(isc_nmsocket_t *sock);
+/*%<
+ * Called during the shutdown process to close and clean up connected
+ * sockets.
+ */
+
+void
+isc__nm_udp_stoplistening(isc_nmsocket_t *sock);
+/*%<
+ * Stop listening on 'sock'.
+ */
+
+void
+isc__nm_udp_settimeout(isc_nmhandle_t *handle, uint32_t timeout);
+/*%<
+ * Set or clear the recv timeout for the UDP socket associated with 'handle'.
+ */
+
+void
+isc__nm_async_udplisten(isc__networker_t *worker, isc__netievent_t *ev0);
+void
+isc__nm_async_udpconnect(isc__networker_t *worker, isc__netievent_t *ev0);
+void
+isc__nm_async_udpstop(isc__networker_t *worker, isc__netievent_t *ev0);
+void
+isc__nm_async_udpsend(isc__networker_t *worker, isc__netievent_t *ev0);
+void
+isc__nm_async_udpread(isc__networker_t *worker, isc__netievent_t *ev0);
+void
+isc__nm_async_udpcancel(isc__networker_t *worker, isc__netievent_t *ev0);
+void
+isc__nm_async_udpclose(isc__networker_t *worker, isc__netievent_t *ev0);
+/*%<
+ * Callback handlers for asynchronous UDP events (listen, stoplisten, send).
+ */
+
+void
+isc__nm_tcp_send(isc_nmhandle_t *handle, const isc_region_t *region,
+		 isc_nm_cb_t cb, void *cbarg);
+/*%<
+ * Back-end implementation of isc_nm_send() for TCP handles.
+ */
+
+void
+isc__nm_tcp_read(isc_nmhandle_t *handle, isc_nm_recv_cb_t cb, void *cbarg);
+/*
+ * Back-end implementation of isc_nm_read() for TCP handles.
+ */
+
+void
+isc__nm_tcp_close(isc_nmsocket_t *sock);
+/*%<
+ * Close a TCP socket.
+ */
+void
+isc__nm_tcp_pauseread(isc_nmhandle_t *handle);
+/*%<
+ * Pause reading on this handle, while still remembering the callback.
+ */
+
+void
+isc__nm_tcp_resumeread(isc_nmhandle_t *handle);
+/*%<
+ * Resume reading from socket.
+ *
+ */
+
+void
+isc__nm_tcp_shutdown(isc_nmsocket_t *sock);
+/*%<
+ * Called during the shutdown process to close and clean up connected
+ * sockets.
+ */
+
+void
+isc__nm_tcp_cancelread(isc_nmhandle_t *handle);
+/*%<
+ * Stop reading on a connected TCP handle.
+ */
+
+void
+isc__nm_tcp_stoplistening(isc_nmsocket_t *sock);
+/*%<
+ * Stop listening on 'sock'.
+ */
+
+int_fast32_t
+isc__nm_tcp_listener_nactive(isc_nmsocket_t *sock);
+/*%<
+ * Returns the number of active connections for the TCP listener socket.
+ */
+
+void
+isc__nm_tcp_settimeout(isc_nmhandle_t *handle, uint32_t timeout);
+/*%<
+ * Set the read timeout for the TCP socket associated with 'handle'.
+ */
+
+void
+isc__nm_async_tcpconnect(isc__networker_t *worker, isc__netievent_t *ev0);
+void
+isc__nm_async_tcplisten(isc__networker_t *worker, isc__netievent_t *ev0);
+void
+isc__nm_async_tcpaccept(isc__networker_t *worker, isc__netievent_t *ev0);
+void
+isc__nm_async_tcpstop(isc__networker_t *worker, isc__netievent_t *ev0);
+void
+isc__nm_async_tcpsend(isc__networker_t *worker, isc__netievent_t *ev0);
+void
+isc__nm_async_startread(isc__networker_t *worker, isc__netievent_t *ev0);
+void
+isc__nm_async_pauseread(isc__networker_t *worker, isc__netievent_t *ev0);
+void
+isc__nm_async_tcpstartread(isc__networker_t *worker, isc__netievent_t *ev0);
+void
+isc__nm_async_tcppauseread(isc__networker_t *worker, isc__netievent_t *ev0);
+void
+isc__nm_async_tcpcancel(isc__networker_t *worker, isc__netievent_t *ev0);
+void
+isc__nm_async_tcpclose(isc__networker_t *worker, isc__netievent_t *ev0);
+/*%<
+ * Callback handlers for asynchronous TCP events (connect, listen,
+ * stoplisten, send, read, pause, close).
+ */
+
+void
+isc__nm_async_tcpdnsaccept(isc__networker_t *worker, isc__netievent_t *ev0);
+void
+isc__nm_async_tcpdnsconnect(isc__networker_t *worker, isc__netievent_t *ev0);
+void
+isc__nm_async_tcpdnslisten(isc__networker_t *worker, isc__netievent_t *ev0);
+
+void
+isc__nm_tcpdns_send(isc_nmhandle_t *handle, isc_region_t *region,
+		    isc_nm_cb_t cb, void *cbarg);
+/*%<
+ * Back-end implementation of isc_nm_send() for TCPDNS handles.
+ */
+
+void
+isc__nm_tcpdns_shutdown(isc_nmsocket_t *sock);
+
+void
+isc__nm_tcpdns_close(isc_nmsocket_t *sock);
+/*%<
+ * Close a TCPDNS socket.
+ */
+
+void
+isc__nm_tcpdns_stoplistening(isc_nmsocket_t *sock);
+/*%<
+ * Stop listening on 'sock'.
+ */
+
+void
+isc__nm_tcpdns_settimeout(isc_nmhandle_t *handle, uint32_t timeout);
+/*%<
+ * Set the read timeout and reset the timer for the TCPDNS socket
+ * associated with 'handle', and the TCP socket it wraps around.
+ */
+
+void
+isc__nm_async_tcpdnsaccept(isc__networker_t *worker, isc__netievent_t *ev0);
+void
+isc__nm_async_tcpdnsconnect(isc__networker_t *worker, isc__netievent_t *ev0);
+void
+isc__nm_async_tcpdnslisten(isc__networker_t *worker, isc__netievent_t *ev0);
+void
+isc__nm_async_tcpdnscancel(isc__networker_t *worker, isc__netievent_t *ev0);
+void
+isc__nm_async_tcpdnsclose(isc__networker_t *worker, isc__netievent_t *ev0);
+void
+isc__nm_async_tcpdnssend(isc__networker_t *worker, isc__netievent_t *ev0);
+void
+isc__nm_async_tcpdnsstop(isc__networker_t *worker, isc__netievent_t *ev0);
+void
+isc__nm_async_tcpdnsread(isc__networker_t *worker, isc__netievent_t *ev0);
+/*%<
+ * Callback handlers for asynchronous TCPDNS events.
+ */
+
+void
+isc__nm_tcpdns_read(isc_nmhandle_t *handle, isc_nm_recv_cb_t cb, void *cbarg);
+/*
+ * Back-end implementation of isc_nm_read() for TCPDNS handles.
+ */
+
+void
+isc__nm_tcpdns_cancelread(isc_nmhandle_t *handle);
+/*%<
+ * Stop reading on a connected TCPDNS handle.
+ */
+
+#define isc__nm_uverr2result(x) \
+	isc___nm_uverr2result(x, true, __FILE__, __LINE__, __func__)
+isc_result_t
+isc___nm_uverr2result(int uverr, bool dolog, const char *file,
+		      unsigned int line, const char *func);
+/*%<
+ * Convert a libuv error value into an isc_result_t.  The
+ * list of supported error values is not complete; new users
+ * of this function should add any expected errors that are
+ * not already there.
+ */
+
+bool
+isc__nm_acquire_interlocked(isc_nm_t *mgr);
+/*%<
+ * Try to acquire interlocked state; return true if successful.
+ */
+
+void
+isc__nm_drop_interlocked(isc_nm_t *mgr);
+/*%<
+ * Drop interlocked state; signal waiters.
+ */
+
+void
+isc__nm_acquire_interlocked_force(isc_nm_t *mgr);
+/*%<
+ * Actively wait for interlocked state.
+ */
+
+void
+isc__nm_incstats(isc_nm_t *mgr, isc_statscounter_t counterid);
+/*%<
+ * Increment socket-related statistics counters.
+ */
+
+void
+isc__nm_decstats(isc_nm_t *mgr, isc_statscounter_t counterid);
+/*%<
+ * Decrement socket-related statistics counters.
+ */
+
+isc_result_t
+isc__nm_socket(int domain, int type, int protocol, uv_os_sock_t *sockp);
+/*%<
+ * Platform independent socket() version
+ */
+
+void
+isc__nm_closesocket(uv_os_sock_t sock);
+/*%<
+ * Platform independent closesocket() version
+ */
+
+isc_result_t
+isc__nm_socket_freebind(uv_os_sock_t fd, sa_family_t sa_family);
+/*%<
+ * Set the IP_FREEBIND (or equivalent) socket option on the uv_handle
+ */
+
+isc_result_t
+isc__nm_socket_reuse(uv_os_sock_t fd);
+/*%<
+ * Set the SO_REUSEADDR or SO_REUSEPORT (or equivalent) socket option on the fd
+ */
+
+isc_result_t
+isc__nm_socket_reuse_lb(uv_os_sock_t fd);
+/*%<
+ * Set the SO_REUSEPORT_LB (or equivalent) socket option on the fd
+ */
+
+isc_result_t
+isc__nm_socket_incoming_cpu(uv_os_sock_t fd);
+/*%<
+ * Set the SO_INCOMING_CPU socket option on the fd if available
+ */
+
+isc_result_t
+isc__nm_socket_disable_pmtud(uv_os_sock_t fd, sa_family_t sa_family);
+/*%<
+ * Disable the Path MTU Discovery, either by disabling IP(V6)_DONTFRAG socket
+ * option, or setting the IP(V6)_MTU_DISCOVER socket option to IP_PMTUDISC_OMIT
+ */
+
+isc_result_t
+isc__nm_socket_connectiontimeout(uv_os_sock_t fd, int timeout_ms);
+/*%<
+ * Set the connection timeout in milliseconds, on non-Linux platforms,
+ * the minimum value must be at least 1000 (1 second).
+ */
+
+isc_result_t
+isc__nm_socket_tcp_nodelay(uv_os_sock_t fd);
+/*%<
+ * Disables Nagle's algorithm on a TCP socket (sets TCP_NODELAY).
+ */
+
+/*
+ * typedef all the netievent types
+ */
+
+NETIEVENT_SOCKET_TYPE(close);
+NETIEVENT_SOCKET_TYPE(tcpclose);
+NETIEVENT_SOCKET_TYPE(tcplisten);
+NETIEVENT_SOCKET_TYPE(tcppauseread);
+NETIEVENT_SOCKET_TYPE(tcpstop);
+NETIEVENT_SOCKET_TYPE(udpclose);
+NETIEVENT_SOCKET_TYPE(udplisten);
+NETIEVENT_SOCKET_TYPE(udpread);
+/* NETIEVENT_SOCKET_TYPE(udpsend); */ /* unique type, defined independently */
+NETIEVENT_SOCKET_TYPE(udpstop);
+
+NETIEVENT_SOCKET_TYPE(tcpdnsclose);
+NETIEVENT_SOCKET_TYPE(tcpdnsread);
+NETIEVENT_SOCKET_TYPE(tcpdnsstop);
+NETIEVENT_SOCKET_TYPE(tcpdnslisten);
+NETIEVENT_SOCKET_REQ_TYPE(tcpdnsconnect);
+NETIEVENT_SOCKET_REQ_TYPE(tcpdnssend);
+NETIEVENT_SOCKET_HANDLE_TYPE(tcpdnscancel);
+NETIEVENT_SOCKET_QUOTA_TYPE(tcpdnsaccept);
+
+NETIEVENT_SOCKET_REQ_TYPE(tcpconnect);
+NETIEVENT_SOCKET_REQ_TYPE(tcpsend);
+NETIEVENT_SOCKET_TYPE(tcpstartread);
+NETIEVENT_SOCKET_REQ_TYPE(udpconnect);
+
+NETIEVENT_SOCKET_REQ_RESULT_TYPE(connectcb);
+NETIEVENT_SOCKET_REQ_RESULT_TYPE(readcb);
+NETIEVENT_SOCKET_REQ_RESULT_TYPE(sendcb);
+
+NETIEVENT_SOCKET_HANDLE_TYPE(detach);
+NETIEVENT_SOCKET_HANDLE_TYPE(tcpcancel);
+NETIEVENT_SOCKET_HANDLE_TYPE(udpcancel);
+
+NETIEVENT_SOCKET_QUOTA_TYPE(tcpaccept);
+
+NETIEVENT_TYPE(pause);
+NETIEVENT_TYPE(resume);
+NETIEVENT_TYPE(shutdown);
+NETIEVENT_TYPE(stop);
+
+NETIEVENT_TASK_TYPE(task);
+NETIEVENT_TASK_TYPE(privilegedtask);
+
+/* Now declared the helper functions */
+
+NETIEVENT_SOCKET_DECL(close);
+NETIEVENT_SOCKET_DECL(tcpclose);
+NETIEVENT_SOCKET_DECL(tcplisten);
+NETIEVENT_SOCKET_DECL(tcppauseread);
+NETIEVENT_SOCKET_DECL(tcpstartread);
+NETIEVENT_SOCKET_DECL(tcpstop);
+NETIEVENT_SOCKET_DECL(udpclose);
+NETIEVENT_SOCKET_DECL(udplisten);
+NETIEVENT_SOCKET_DECL(udpread);
+NETIEVENT_SOCKET_DECL(udpsend);
+NETIEVENT_SOCKET_DECL(udpstop);
+
+NETIEVENT_SOCKET_DECL(tcpdnsclose);
+NETIEVENT_SOCKET_DECL(tcpdnsread);
+NETIEVENT_SOCKET_DECL(tcpdnsstop);
+NETIEVENT_SOCKET_DECL(tcpdnslisten);
+NETIEVENT_SOCKET_REQ_DECL(tcpdnsconnect);
+NETIEVENT_SOCKET_REQ_DECL(tcpdnssend);
+NETIEVENT_SOCKET_HANDLE_DECL(tcpdnscancel);
+NETIEVENT_SOCKET_QUOTA_DECL(tcpdnsaccept);
+
+NETIEVENT_SOCKET_REQ_DECL(tcpconnect);
+NETIEVENT_SOCKET_REQ_DECL(tcpsend);
+NETIEVENT_SOCKET_REQ_DECL(udpconnect);
+
+NETIEVENT_SOCKET_REQ_RESULT_DECL(connectcb);
+NETIEVENT_SOCKET_REQ_RESULT_DECL(readcb);
+NETIEVENT_SOCKET_REQ_RESULT_DECL(sendcb);
+
+NETIEVENT_SOCKET_HANDLE_DECL(udpcancel);
+NETIEVENT_SOCKET_HANDLE_DECL(tcpcancel);
+NETIEVENT_SOCKET_DECL(detach);
+
+NETIEVENT_SOCKET_QUOTA_DECL(tcpaccept);
+
+NETIEVENT_DECL(pause);
+NETIEVENT_DECL(resume);
+NETIEVENT_DECL(shutdown);
+NETIEVENT_DECL(stop);
+
+NETIEVENT_TASK_DECL(task);
+NETIEVENT_TASK_DECL(privilegedtask);
+
+void
+isc__nm_udp_failed_read_cb(isc_nmsocket_t *sock, isc_result_t result);
+void
+isc__nm_tcp_failed_read_cb(isc_nmsocket_t *sock, isc_result_t result);
+void
+isc__nm_tcpdns_failed_read_cb(isc_nmsocket_t *sock, isc_result_t result);
+
+isc_result_t
+isc__nm_tcpdns_processbuffer(isc_nmsocket_t *sock);
+
+isc__nm_uvreq_t *
+isc__nm_get_read_req(isc_nmsocket_t *sock, isc_sockaddr_t *sockaddr);
+
+void
+isc__nm_alloc_cb(uv_handle_t *handle, size_t size, uv_buf_t *buf);
+
+void
+isc__nm_udp_read_cb(uv_udp_t *handle, ssize_t nrecv, const uv_buf_t *buf,
+		    const struct sockaddr *addr, unsigned flags);
+void
+isc__nm_tcp_read_cb(uv_stream_t *stream, ssize_t nread, const uv_buf_t *buf);
+void
+isc__nm_tcpdns_read_cb(uv_stream_t *stream, ssize_t nread, const uv_buf_t *buf);
+
+isc_result_t
+isc__nm_start_reading(isc_nmsocket_t *sock);
+void
+isc__nm_stop_reading(isc_nmsocket_t *sock);
+isc_result_t
+isc__nm_process_sock_buffer(isc_nmsocket_t *sock);
+void
+isc__nm_resume_processing(void *arg);
+bool
+isc__nmsocket_closing(isc_nmsocket_t *sock);
+bool
+isc__nm_closing(isc_nmsocket_t *sock);
+
+void
+isc__nm_alloc_dnsbuf(isc_nmsocket_t *sock, size_t len);
+
+void
+isc__nm_failed_send_cb(isc_nmsocket_t *sock, isc__nm_uvreq_t *req,
+		       isc_result_t eresult);
+void
+isc__nm_failed_accept_cb(isc_nmsocket_t *sock, isc_result_t eresult);
+void
+isc__nm_failed_connect_cb(isc_nmsocket_t *sock, isc__nm_uvreq_t *req,
+			  isc_result_t eresult, bool async);
+void
+isc__nm_failed_read_cb(isc_nmsocket_t *sock, isc_result_t result, bool async);
+
+void
+isc__nm_accept_connection_log(isc_result_t result, bool can_log_quota);
+
+/*
+ * Timeout callbacks
+ */
+void
+isc__nmsocket_connecttimeout_cb(uv_timer_t *timer);
+void
+isc__nmsocket_readtimeout_cb(uv_timer_t *timer);
+void
+isc__nmsocket_writetimeout_cb(void *data, isc_result_t eresult);
+
+/*%<
+ *
+ * Maximum number of simultaneous handles in flight supported for a single
+ * connected TCPDNS socket. This value was chosen arbitrarily, and may be
+ * changed in the future.
+ */
+#define STREAM_CLIENTS_PER_CONN 23
+
+#define UV_RUNTIME_CHECK(func, ret)                                           \
+	if (ret != 0) {                                                       \
+		isc_error_fatal(__FILE__, __LINE__, "%s failed: %s\n", #func, \
+				uv_strerror(ret));                            \
+	}
diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c
new file mode 100644
index 0000000..6f42ec9
--- /dev/null
+++ b/lib/isc/netmgr/netmgr.c
@@ -0,0 +1,3396 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <inttypes.h>
+#include <unistd.h>
+#include <uv.h>
+#ifdef HAVE_LIBCTRACE
+#include <execinfo.h>
+#endif /* ifdef HAVE_LIBCTRACE */
+
+#include <isc/atomic.h>
+#include <isc/barrier.h>
+#include <isc/buffer.h>
+#include <isc/condition.h>
+#include <isc/errno.h>
+#include <isc/list.h>
+#include <isc/log.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/netmgr.h>
+#include <isc/print.h>
+#include <isc/quota.h>
+#include <isc/random.h>
+#include <isc/refcount.h>
+#include <isc/region.h>
+#include <isc/result.h>
+#include <isc/sockaddr.h>
+#include <isc/stats.h>
+#include <isc/strerr.h>
+#include <isc/task.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+
+#include "netmgr-int.h"
+#include "netmgr_p.h"
+#include "openssl_shim.h"
+#include "trampoline_p.h"
+#include "uv-compat.h"
+
+/*%
+ * How many isc_nmhandles and isc_nm_uvreqs will we be
+ * caching for reuse in a socket.
+ */
+#define ISC_NM_HANDLES_STACK_SIZE 600
+#define ISC_NM_REQS_STACK_SIZE	  600
+
+/*%
+ * Shortcut index arrays to get access to statistics counters.
+ */
+
+static const isc_statscounter_t udp4statsindex[] = {
+	isc_sockstatscounter_udp4open,
+	isc_sockstatscounter_udp4openfail,
+	isc_sockstatscounter_udp4close,
+	isc_sockstatscounter_udp4bindfail,
+	isc_sockstatscounter_udp4connectfail,
+	isc_sockstatscounter_udp4connect,
+	-1,
+	-1,
+	isc_sockstatscounter_udp4sendfail,
+	isc_sockstatscounter_udp4recvfail,
+	isc_sockstatscounter_udp4active
+};
+
+static const isc_statscounter_t udp6statsindex[] = {
+	isc_sockstatscounter_udp6open,
+	isc_sockstatscounter_udp6openfail,
+	isc_sockstatscounter_udp6close,
+	isc_sockstatscounter_udp6bindfail,
+	isc_sockstatscounter_udp6connectfail,
+	isc_sockstatscounter_udp6connect,
+	-1,
+	-1,
+	isc_sockstatscounter_udp6sendfail,
+	isc_sockstatscounter_udp6recvfail,
+	isc_sockstatscounter_udp6active
+};
+
+static const isc_statscounter_t tcp4statsindex[] = {
+	isc_sockstatscounter_tcp4open,	      isc_sockstatscounter_tcp4openfail,
+	isc_sockstatscounter_tcp4close,	      isc_sockstatscounter_tcp4bindfail,
+	isc_sockstatscounter_tcp4connectfail, isc_sockstatscounter_tcp4connect,
+	isc_sockstatscounter_tcp4acceptfail,  isc_sockstatscounter_tcp4accept,
+	isc_sockstatscounter_tcp4sendfail,    isc_sockstatscounter_tcp4recvfail,
+	isc_sockstatscounter_tcp4active
+};
+
+static const isc_statscounter_t tcp6statsindex[] = {
+	isc_sockstatscounter_tcp6open,	      isc_sockstatscounter_tcp6openfail,
+	isc_sockstatscounter_tcp6close,	      isc_sockstatscounter_tcp6bindfail,
+	isc_sockstatscounter_tcp6connectfail, isc_sockstatscounter_tcp6connect,
+	isc_sockstatscounter_tcp6acceptfail,  isc_sockstatscounter_tcp6accept,
+	isc_sockstatscounter_tcp6sendfail,    isc_sockstatscounter_tcp6recvfail,
+	isc_sockstatscounter_tcp6active
+};
+
+#if 0
+/* XXX: not currently used */
+static const isc_statscounter_t unixstatsindex[] = {
+	isc_sockstatscounter_unixopen,
+	isc_sockstatscounter_unixopenfail,
+	isc_sockstatscounter_unixclose,
+	isc_sockstatscounter_unixbindfail,
+	isc_sockstatscounter_unixconnectfail,
+	isc_sockstatscounter_unixconnect,
+	isc_sockstatscounter_unixacceptfail,
+	isc_sockstatscounter_unixaccept,
+	isc_sockstatscounter_unixsendfail,
+	isc_sockstatscounter_unixrecvfail,
+	isc_sockstatscounter_unixactive
+};
+#endif /* if 0 */
+
+/*
+ * libuv is not thread safe, but has mechanisms to pass messages
+ * between threads. Each socket is owned by a thread. For UDP
+ * sockets we have a set of sockets for each interface and we can
+ * choose a sibling and send the message directly. For TCP, or if
+ * we're calling from a non-networking thread, we need to pass the
+ * request using async_cb.
+ */
+
+#if defined(HAVE_THREAD_LOCAL)
+#include <threads.h>
+static thread_local int isc__nm_tid_v = ISC_NETMGR_TID_UNKNOWN;
+#elif defined(HAVE___THREAD)
+static __thread int isc__nm_tid_v = ISC_NETMGR_TID_UNKNOWN;
+#elif HAVE___DECLSPEC_THREAD
+__declspec(thread) int isc__nm_tid_v = ISC_NETMGR_TID_UNKNOWN;
+#endif /* if defined(HAVE_THREAD_LOCAL) */
+
+static void
+nmsocket_maybe_destroy(isc_nmsocket_t *sock FLARG);
+static void
+nmhandle_free(isc_nmsocket_t *sock, isc_nmhandle_t *handle);
+static isc_threadresult_t
+nm_thread(isc_threadarg_t worker0);
+static void
+async_cb(uv_async_t *handle);
+
+static bool
+process_netievent(isc__networker_t *worker, isc__netievent_t *ievent);
+static isc_result_t
+process_queue(isc__networker_t *worker, netievent_type_t type);
+static void
+wait_for_priority_queue(isc__networker_t *worker);
+static void
+drain_queue(isc__networker_t *worker, netievent_type_t type);
+
+static void
+isc__nm_async_stop(isc__networker_t *worker, isc__netievent_t *ev0);
+static void
+isc__nm_async_pause(isc__networker_t *worker, isc__netievent_t *ev0);
+static void
+isc__nm_async_resume(isc__networker_t *worker, isc__netievent_t *ev0);
+static void
+isc__nm_async_detach(isc__networker_t *worker, isc__netievent_t *ev0);
+static void
+isc__nm_async_close(isc__networker_t *worker, isc__netievent_t *ev0);
+
+static void
+isc__nm_threadpool_initialize(uint32_t workers);
+static void
+isc__nm_work_cb(uv_work_t *req);
+static void
+isc__nm_after_work_cb(uv_work_t *req, int status);
+
+void
+isc__nmsocket_reset(isc_nmsocket_t *sock);
+
+/*%<
+ * Issue a 'handle closed' callback on the socket.
+ */
+
+static void
+nmhandle_detach_cb(isc_nmhandle_t **handlep FLARG);
+
+int
+isc_nm_tid(void) {
+	return (isc__nm_tid_v);
+}
+
+bool
+isc__nm_in_netthread(void) {
+	return (isc__nm_tid_v >= 0);
+}
+
+#ifdef WIN32
+static void
+isc__nm_winsock_initialize(void) {
+	WORD wVersionRequested = MAKEWORD(2, 2);
+	WSADATA wsaData;
+	int result;
+
+	result = WSAStartup(wVersionRequested, &wsaData);
+	if (result != 0) {
+		char strbuf[ISC_STRERRORSIZE];
+		strerror_r(result, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "WSAStartup() failed with error code %lu: %s",
+				 result, strbuf);
+	}
+
+	/*
+	 * Confirm that the WinSock DLL supports version 2.2.  Note that if the
+	 * DLL supports versions greater than 2.2 in addition to 2.2, it will
+	 * still return 2.2 in wVersion since that is the version we requested.
+	 */
+	if (LOBYTE(wsaData.wVersion) != 2 || HIBYTE(wsaData.wVersion) != 2) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "Unusable WinSock DLL version: %u.%u",
+				 LOBYTE(wsaData.wVersion),
+				 HIBYTE(wsaData.wVersion));
+	}
+}
+
+static void
+isc__nm_winsock_destroy(void) {
+	WSACleanup();
+}
+#endif /* WIN32 */
+
+static void
+isc__nm_threadpool_initialize(uint32_t workers) {
+	char buf[11];
+	int r = uv_os_getenv("UV_THREADPOOL_SIZE", buf,
+			     &(size_t){ sizeof(buf) });
+	if (r == UV_ENOENT) {
+		snprintf(buf, sizeof(buf), "%" PRIu32, workers);
+		uv_os_setenv("UV_THREADPOOL_SIZE", buf);
+	}
+}
+
+#if HAVE_DECL_UV_UDP_MMSG_FREE
+#define MINIMAL_UV_VERSION UV_VERSION(1, 40, 0)
+#elif HAVE_DECL_UV_UDP_RECVMMSG
+#define MAXIMAL_UV_VERSION UV_VERSION(1, 39, 99)
+#define MINIMAL_UV_VERSION UV_VERSION(1, 37, 0)
+#elif _WIN32
+#define MINIMAL_UV_VERSION UV_VERSION(1, 0, 0)
+#else
+#define MAXIMAL_UV_VERSION UV_VERSION(1, 34, 99)
+#define MINIMAL_UV_VERSION UV_VERSION(1, 0, 0)
+#endif
+
+void
+isc__netmgr_create(isc_mem_t *mctx, uint32_t workers, isc_nm_t **netmgrp) {
+	isc_nm_t *mgr = NULL;
+	char name[32];
+
+	REQUIRE(workers > 0);
+
+#ifdef MAXIMAL_UV_VERSION
+	if (uv_version() > MAXIMAL_UV_VERSION) {
+		isc_error_fatal(__FILE__, __LINE__,
+				"libuv version too new: running with libuv %s "
+				"when compiled with libuv %s will lead to "
+				"libuv failures",
+				uv_version_string(), UV_VERSION_STRING);
+	}
+#endif /* MAXIMAL_UV_VERSION */
+
+	if (uv_version() < MINIMAL_UV_VERSION) {
+		isc_error_fatal(__FILE__, __LINE__,
+				"libuv version too old: running with libuv %s "
+				"when compiled with libuv %s will lead to "
+				"libuv failures",
+				uv_version_string(), UV_VERSION_STRING);
+	}
+
+#ifdef WIN32
+	isc__nm_winsock_initialize();
+#endif /* WIN32 */
+
+	isc__nm_threadpool_initialize(workers);
+
+	mgr = isc_mem_get(mctx, sizeof(*mgr));
+	*mgr = (isc_nm_t){ .nworkers = workers };
+
+	isc_mem_attach(mctx, &mgr->mctx);
+	isc_mutex_init(&mgr->lock);
+	isc_condition_init(&mgr->wkstatecond);
+	isc_condition_init(&mgr->wkpausecond);
+	isc_refcount_init(&mgr->references, 1);
+	atomic_init(&mgr->maxudp, 0);
+	atomic_init(&mgr->interlocked, ISC_NETMGR_NON_INTERLOCKED);
+	atomic_init(&mgr->workers_paused, 0);
+	atomic_init(&mgr->paused, false);
+	atomic_init(&mgr->closing, false);
+#if HAVE_SO_REUSEPORT_LB
+	mgr->load_balance_sockets = true;
+#else
+	mgr->load_balance_sockets = false;
+#endif
+
+#ifdef NETMGR_TRACE
+	ISC_LIST_INIT(mgr->active_sockets);
+#endif
+
+	/*
+	 * Default TCP timeout values.
+	 * May be updated by isc_nm_tcptimeouts().
+	 */
+	atomic_init(&mgr->init, 30000);
+	atomic_init(&mgr->idle, 30000);
+	atomic_init(&mgr->keepalive, 30000);
+	atomic_init(&mgr->advertised, 30000);
+
+	isc_barrier_init(&mgr->pausing, workers);
+	isc_barrier_init(&mgr->resuming, workers);
+
+	mgr->workers = isc_mem_get(mctx, workers * sizeof(isc__networker_t));
+	for (size_t i = 0; i < workers; i++) {
+		isc__networker_t *worker = &mgr->workers[i];
+		int r;
+
+		*worker = (isc__networker_t){
+			.mgr = mgr,
+			.id = i,
+		};
+
+		r = uv_loop_init(&worker->loop);
+		UV_RUNTIME_CHECK(uv_loop_init, r);
+
+		worker->loop.data = &mgr->workers[i];
+
+		r = uv_async_init(&worker->loop, &worker->async, async_cb);
+		UV_RUNTIME_CHECK(uv_async_init, r);
+
+		for (size_t type = 0; type < NETIEVENT_MAX; type++) {
+			isc_mutex_init(&worker->ievents[type].lock);
+			isc_condition_init(&worker->ievents[type].cond);
+			ISC_LIST_INIT(worker->ievents[type].list);
+		}
+
+		worker->recvbuf = isc_mem_get(mctx, ISC_NETMGR_RECVBUF_SIZE);
+		worker->sendbuf = isc_mem_get(mctx, ISC_NETMGR_SENDBUF_SIZE);
+
+		/*
+		 * We need to do this here and not in nm_thread to avoid a
+		 * race - we could exit isc_nm_start, launch nm_destroy,
+		 * and nm_thread would still not be up.
+		 */
+		mgr->workers_running++;
+		isc_thread_create(nm_thread, &mgr->workers[i], &worker->thread);
+
+		snprintf(name, sizeof(name), "isc-net-%04zu", i);
+		isc_thread_setname(worker->thread, name);
+	}
+
+	mgr->magic = NM_MAGIC;
+	*netmgrp = mgr;
+}
+
+/*
+ * Free the resources of the network manager.
+ */
+static void
+nm_destroy(isc_nm_t **mgr0) {
+	REQUIRE(VALID_NM(*mgr0));
+	REQUIRE(!isc__nm_in_netthread());
+
+	isc_nm_t *mgr = *mgr0;
+	*mgr0 = NULL;
+
+	isc_refcount_destroy(&mgr->references);
+
+	mgr->magic = 0;
+
+	for (int i = 0; i < mgr->nworkers; i++) {
+		isc__networker_t *worker = &mgr->workers[i];
+		isc__netievent_t *event = isc__nm_get_netievent_stop(mgr);
+		isc__nm_enqueue_ievent(worker, event);
+	}
+
+	LOCK(&mgr->lock);
+	while (mgr->workers_running > 0) {
+		WAIT(&mgr->wkstatecond, &mgr->lock);
+	}
+	UNLOCK(&mgr->lock);
+
+	for (int i = 0; i < mgr->nworkers; i++) {
+		isc__networker_t *worker = &mgr->workers[i];
+		int r;
+
+		r = uv_loop_close(&worker->loop);
+		UV_RUNTIME_CHECK(uv_loop_close, r);
+
+		for (size_t type = 0; type < NETIEVENT_MAX; type++) {
+			INSIST(ISC_LIST_EMPTY(worker->ievents[type].list));
+			isc_condition_destroy(&worker->ievents[type].cond);
+			isc_mutex_destroy(&worker->ievents[type].lock);
+		}
+
+		isc_mem_put(mgr->mctx, worker->sendbuf,
+			    ISC_NETMGR_SENDBUF_SIZE);
+		isc_mem_put(mgr->mctx, worker->recvbuf,
+			    ISC_NETMGR_RECVBUF_SIZE);
+		isc_thread_join(worker->thread, NULL);
+	}
+
+	if (mgr->stats != NULL) {
+		isc_stats_detach(&mgr->stats);
+	}
+
+	isc_barrier_destroy(&mgr->resuming);
+	isc_barrier_destroy(&mgr->pausing);
+
+	isc_condition_destroy(&mgr->wkstatecond);
+	isc_condition_destroy(&mgr->wkpausecond);
+	isc_mutex_destroy(&mgr->lock);
+
+	isc_mem_put(mgr->mctx, mgr->workers,
+		    mgr->nworkers * sizeof(isc__networker_t));
+	isc_mem_putanddetach(&mgr->mctx, mgr, sizeof(*mgr));
+
+#ifdef WIN32
+	isc__nm_winsock_destroy();
+#endif /* WIN32 */
+}
+
+static void
+enqueue_pause(isc__networker_t *worker) {
+	isc__netievent_pause_t *event =
+		isc__nm_get_netievent_pause(worker->mgr);
+	isc__nm_enqueue_ievent(worker, (isc__netievent_t *)event);
+}
+
+static void
+isc__nm_async_pause(isc__networker_t *worker, isc__netievent_t *ev0) {
+	UNUSED(ev0);
+	REQUIRE(worker->paused == false);
+
+	worker->paused = true;
+	uv_stop(&worker->loop);
+}
+
+void
+isc_nm_pause(isc_nm_t *mgr) {
+	REQUIRE(VALID_NM(mgr));
+	REQUIRE(!atomic_load(&mgr->paused));
+
+	isc__nm_acquire_interlocked_force(mgr);
+
+	if (isc__nm_in_netthread()) {
+		REQUIRE(isc_nm_tid() == 0);
+	}
+
+	for (int i = 0; i < mgr->nworkers; i++) {
+		isc__networker_t *worker = &mgr->workers[i];
+		if (i == isc_nm_tid()) {
+			isc__nm_async_pause(worker, NULL);
+		} else {
+			enqueue_pause(worker);
+		}
+	}
+
+	if (isc__nm_in_netthread()) {
+		atomic_fetch_add(&mgr->workers_paused, 1);
+		isc_barrier_wait(&mgr->pausing);
+	}
+
+	LOCK(&mgr->lock);
+	while (atomic_load(&mgr->workers_paused) != mgr->workers_running) {
+		WAIT(&mgr->wkstatecond, &mgr->lock);
+	}
+	UNLOCK(&mgr->lock);
+
+	REQUIRE(atomic_compare_exchange_strong(&mgr->paused, &(bool){ false },
+					       true));
+}
+
+static void
+enqueue_resume(isc__networker_t *worker) {
+	isc__netievent_resume_t *event =
+		isc__nm_get_netievent_resume(worker->mgr);
+	isc__nm_enqueue_ievent(worker, (isc__netievent_t *)event);
+}
+
+static void
+isc__nm_async_resume(isc__networker_t *worker, isc__netievent_t *ev0) {
+	UNUSED(ev0);
+	REQUIRE(worker->paused == true);
+
+	worker->paused = false;
+}
+
+void
+isc_nm_resume(isc_nm_t *mgr) {
+	REQUIRE(VALID_NM(mgr));
+	REQUIRE(atomic_load(&mgr->paused));
+
+	if (isc__nm_in_netthread()) {
+		REQUIRE(isc_nm_tid() == 0);
+		drain_queue(&mgr->workers[isc_nm_tid()], NETIEVENT_PRIORITY);
+	}
+
+	for (int i = 0; i < mgr->nworkers; i++) {
+		isc__networker_t *worker = &mgr->workers[i];
+		if (i == isc_nm_tid()) {
+			isc__nm_async_resume(worker, NULL);
+		} else {
+			enqueue_resume(worker);
+		}
+	}
+
+	if (isc__nm_in_netthread()) {
+		drain_queue(&mgr->workers[isc_nm_tid()], NETIEVENT_PRIVILEGED);
+
+		atomic_fetch_sub(&mgr->workers_paused, 1);
+		isc_barrier_wait(&mgr->resuming);
+	}
+
+	LOCK(&mgr->lock);
+	while (atomic_load(&mgr->workers_paused) != 0) {
+		WAIT(&mgr->wkstatecond, &mgr->lock);
+	}
+	UNLOCK(&mgr->lock);
+
+	REQUIRE(atomic_compare_exchange_strong(&mgr->paused, &(bool){ true },
+					       false));
+
+	isc__nm_drop_interlocked(mgr);
+}
+
+void
+isc_nm_attach(isc_nm_t *mgr, isc_nm_t **dst) {
+	REQUIRE(VALID_NM(mgr));
+	REQUIRE(dst != NULL && *dst == NULL);
+
+	isc_refcount_increment(&mgr->references);
+
+	*dst = mgr;
+}
+
+void
+isc_nm_detach(isc_nm_t **mgr0) {
+	isc_nm_t *mgr = NULL;
+
+	REQUIRE(mgr0 != NULL);
+	REQUIRE(VALID_NM(*mgr0));
+
+	mgr = *mgr0;
+	*mgr0 = NULL;
+
+	if (isc_refcount_decrement(&mgr->references) == 1) {
+		nm_destroy(&mgr);
+	}
+}
+
+void
+isc__netmgr_shutdown(isc_nm_t *mgr) {
+	REQUIRE(VALID_NM(mgr));
+
+	atomic_store(&mgr->closing, true);
+	for (int i = 0; i < mgr->nworkers; i++) {
+		isc__netievent_t *event = NULL;
+		event = isc__nm_get_netievent_shutdown(mgr);
+		isc__nm_enqueue_ievent(&mgr->workers[i], event);
+	}
+}
+
+void
+isc__netmgr_destroy(isc_nm_t **netmgrp) {
+	isc_nm_t *mgr = NULL;
+	int counter = 0;
+
+	REQUIRE(VALID_NM(*netmgrp));
+
+	mgr = *netmgrp;
+
+	/*
+	 * Close active connections.
+	 */
+	isc__netmgr_shutdown(mgr);
+
+	/*
+	 * Wait for the manager to be dereferenced elsewhere.
+	 */
+	while (isc_refcount_current(&mgr->references) > 1 && counter++ < 1000) {
+		uv_sleep(10);
+	}
+
+#ifdef NETMGR_TRACE
+	if (isc_refcount_current(&mgr->references) > 1) {
+		isc__nm_dump_active(mgr);
+		UNREACHABLE();
+	}
+#endif
+
+	/*
+	 * Now just patiently wait
+	 */
+	while (isc_refcount_current(&mgr->references) > 1) {
+		uv_sleep(10);
+	}
+
+	/*
+	 * Detach final reference.
+	 */
+	isc_nm_detach(netmgrp);
+}
+
+void
+isc_nm_maxudp(isc_nm_t *mgr, uint32_t maxudp) {
+	REQUIRE(VALID_NM(mgr));
+
+	atomic_store(&mgr->maxudp, maxudp);
+}
+
+void
+isc_nmhandle_setwritetimeout(isc_nmhandle_t *handle, uint64_t write_timeout) {
+	REQUIRE(VALID_NMHANDLE(handle));
+	REQUIRE(VALID_NMSOCK(handle->sock));
+
+	handle->sock->write_timeout = write_timeout;
+}
+
+void
+isc_nm_settimeouts(isc_nm_t *mgr, uint32_t init, uint32_t idle,
+		   uint32_t keepalive, uint32_t advertised) {
+	REQUIRE(VALID_NM(mgr));
+
+	atomic_store(&mgr->init, init);
+	atomic_store(&mgr->idle, idle);
+	atomic_store(&mgr->keepalive, keepalive);
+	atomic_store(&mgr->advertised, advertised);
+}
+
+bool
+isc_nm_getloadbalancesockets(isc_nm_t *mgr) {
+	REQUIRE(VALID_NM(mgr));
+
+	return (mgr->load_balance_sockets);
+}
+
+void
+isc_nm_setloadbalancesockets(isc_nm_t *mgr, bool enabled) {
+	REQUIRE(VALID_NM(mgr));
+
+#if HAVE_SO_REUSEPORT_LB
+	mgr->load_balance_sockets = enabled;
+#else
+	UNUSED(enabled);
+#endif
+}
+
+void
+isc_nm_gettimeouts(isc_nm_t *mgr, uint32_t *initial, uint32_t *idle,
+		   uint32_t *keepalive, uint32_t *advertised) {
+	REQUIRE(VALID_NM(mgr));
+
+	if (initial != NULL) {
+		*initial = atomic_load(&mgr->init);
+	}
+
+	if (idle != NULL) {
+		*idle = atomic_load(&mgr->idle);
+	}
+
+	if (keepalive != NULL) {
+		*keepalive = atomic_load(&mgr->keepalive);
+	}
+
+	if (advertised != NULL) {
+		*advertised = atomic_load(&mgr->advertised);
+	}
+}
+
+/*
+ * nm_thread is a single worker thread, that runs uv_run event loop
+ * until asked to stop.
+ *
+ * There are four queues for asynchronous events:
+ *
+ * 1. priority queue - netievents on the priority queue are run even when
+ *    the taskmgr enters exclusive mode and the netmgr is paused.  This
+ *    is needed to properly start listening on the interfaces, free
+ *    resources on shutdown, or resume from a pause.
+ *
+ * 2. privileged task queue - only privileged tasks are queued here and
+ *    this is the first queue that gets processed when network manager
+ *    is unpaused using isc_nm_resume().  All netmgr workers need to
+ *    clean the privileged task queue before they all proceed to normal
+ *    operation.  Both task queues are processed when the workers are
+ *    shutting down.
+ *
+ * 3. task queue - only (traditional) tasks are scheduled here, and this
+ *    queue and the privileged task queue are both processed when the
+ *    netmgr workers are finishing.  This is needed to process the task
+ *    shutdown events.
+ *
+ * 4. normal queue - this is the queue with netmgr events, e.g. reading,
+ *    sending, callbacks, etc.
+ */
+
+static isc_threadresult_t
+nm_thread(isc_threadarg_t worker0) {
+	isc__networker_t *worker = (isc__networker_t *)worker0;
+	isc_nm_t *mgr = worker->mgr;
+
+	isc__nm_tid_v = worker->id;
+
+	while (true) {
+		/*
+		 * uv_run() runs async_cb() in a loop, which processes
+		 * all four event queues until a "pause" or "stop" event
+		 * is encountered. On pause, we process only priority and
+		 * privileged events until resuming.
+		 */
+		int r = uv_run(&worker->loop, UV_RUN_DEFAULT);
+		INSIST(r > 0 || worker->finished);
+
+		if (worker->paused) {
+			INSIST(atomic_load(&mgr->interlocked) != isc_nm_tid());
+
+			atomic_fetch_add(&mgr->workers_paused, 1);
+			if (isc_barrier_wait(&mgr->pausing) != 0) {
+				LOCK(&mgr->lock);
+				SIGNAL(&mgr->wkstatecond);
+				UNLOCK(&mgr->lock);
+			}
+
+			while (worker->paused) {
+				wait_for_priority_queue(worker);
+			}
+
+			/*
+			 * All workers must drain the privileged event
+			 * queue before we resume from pause.
+			 */
+			drain_queue(worker, NETIEVENT_PRIVILEGED);
+
+			atomic_fetch_sub(&mgr->workers_paused, 1);
+			if (isc_barrier_wait(&mgr->resuming) != 0) {
+				LOCK(&mgr->lock);
+				SIGNAL(&mgr->wkstatecond);
+				UNLOCK(&mgr->lock);
+			}
+		}
+
+		if (r == 0) {
+			INSIST(worker->finished);
+			break;
+		}
+
+		INSIST(!worker->finished);
+	}
+
+	/*
+	 * We are shutting down.  Drain the queues.
+	 */
+	drain_queue(worker, NETIEVENT_PRIVILEGED);
+	drain_queue(worker, NETIEVENT_TASK);
+
+	for (size_t type = 0; type < NETIEVENT_MAX; type++) {
+		LOCK(&worker->ievents[type].lock);
+		INSIST(ISC_LIST_EMPTY(worker->ievents[type].list));
+		UNLOCK(&worker->ievents[type].lock);
+	}
+
+	LOCK(&mgr->lock);
+	mgr->workers_running--;
+	SIGNAL(&mgr->wkstatecond);
+	UNLOCK(&mgr->lock);
+
+	return ((isc_threadresult_t)0);
+}
+
+static bool
+process_all_queues(isc__networker_t *worker) {
+	bool reschedule = false;
+	/*
+	 * The queue processing functions will return false when the
+	 * system is pausing or stopping and we don't want to process
+	 * the other queues in such case, but we need the async event
+	 * to be rescheduled in the next uv_run().
+	 */
+	for (size_t type = 0; type < NETIEVENT_MAX; type++) {
+		isc_result_t result = process_queue(worker, type);
+		switch (result) {
+		case ISC_R_SUSPEND:
+			reschedule = true;
+			break;
+		case ISC_R_EMPTY:
+			/* empty queue */
+			break;
+		case ISC_R_SUCCESS:
+			reschedule = true;
+			break;
+		default:
+			UNREACHABLE();
+		}
+	}
+
+	return (reschedule);
+}
+
+/*
+ * async_cb() is a universal callback for 'async' events sent to event loop.
+ * It's the only way to safely pass data to the libuv event loop. We use a
+ * single async event and a set of lockless queues of 'isc__netievent_t'
+ * structures passed from other threads.
+ */
+static void
+async_cb(uv_async_t *handle) {
+	isc__networker_t *worker = (isc__networker_t *)handle->loop->data;
+
+	if (process_all_queues(worker)) {
+		/*
+		 * If we didn't process all the events, we need to enqueue
+		 * async_cb to be run in the next iteration of the uv_loop
+		 */
+		uv_async_send(handle);
+	}
+}
+
+static void
+isc__nm_async_stop(isc__networker_t *worker, isc__netievent_t *ev0) {
+	UNUSED(ev0);
+	worker->finished = true;
+	/* Close the async handler */
+	uv_close((uv_handle_t *)&worker->async, NULL);
+}
+
+void
+isc_nm_task_enqueue(isc_nm_t *nm, isc_task_t *task, int threadid) {
+	isc__netievent_t *event = NULL;
+	int tid;
+	isc__networker_t *worker = NULL;
+
+	if (threadid == -1) {
+		tid = (int)isc_random_uniform(nm->nworkers);
+	} else {
+		tid = threadid % nm->nworkers;
+	}
+
+	worker = &nm->workers[tid];
+
+	if (isc_task_privileged(task)) {
+		event = (isc__netievent_t *)
+			isc__nm_get_netievent_privilegedtask(nm, task);
+	} else {
+		event = (isc__netievent_t *)isc__nm_get_netievent_task(nm,
+								       task);
+	}
+
+	isc__nm_enqueue_ievent(worker, event);
+}
+
+#define isc__nm_async_privilegedtask(worker, ev0) \
+	isc__nm_async_task(worker, ev0)
+
+static void
+isc__nm_async_task(isc__networker_t *worker, isc__netievent_t *ev0) {
+	isc__netievent_task_t *ievent = (isc__netievent_task_t *)ev0;
+	isc_result_t result;
+
+	UNUSED(worker);
+
+	result = isc_task_run(ievent->task);
+
+	switch (result) {
+	case ISC_R_QUOTA:
+		isc_task_ready(ievent->task);
+		return;
+	case ISC_R_SUCCESS:
+		return;
+	default:
+		UNREACHABLE();
+	}
+}
+
+static void
+wait_for_priority_queue(isc__networker_t *worker) {
+	isc_condition_t *cond = &worker->ievents[NETIEVENT_PRIORITY].cond;
+	isc_mutex_t *lock = &worker->ievents[NETIEVENT_PRIORITY].lock;
+	isc__netievent_list_t *list =
+		&(worker->ievents[NETIEVENT_PRIORITY].list);
+
+	LOCK(lock);
+	while (ISC_LIST_EMPTY(*list)) {
+		WAIT(cond, lock);
+	}
+	UNLOCK(lock);
+
+	drain_queue(worker, NETIEVENT_PRIORITY);
+}
+
+static void
+drain_queue(isc__networker_t *worker, netievent_type_t type) {
+	bool empty = false;
+	while (!empty) {
+		if (process_queue(worker, type) == ISC_R_EMPTY) {
+			LOCK(&worker->ievents[type].lock);
+			empty = ISC_LIST_EMPTY(worker->ievents[type].list);
+			UNLOCK(&worker->ievents[type].lock);
+		}
+	}
+}
+
+/*
+ * The two macros here generate the individual cases for the process_netievent()
+ * function.  The NETIEVENT_CASE(type) macro is the common case, and
+ * NETIEVENT_CASE_NOMORE(type) is a macro that causes the loop in the
+ * process_queue() to stop, e.g. it's only used for the netievent that
+ * stops/pauses processing the enqueued netievents.
+ */
+#define NETIEVENT_CASE(type)                                               \
+	case netievent_##type: {                                           \
+		isc__nm_async_##type(worker, ievent);                      \
+		isc__nm_put_netievent_##type(                              \
+			worker->mgr, (isc__netievent_##type##_t *)ievent); \
+		return (true);                                             \
+	}
+
+#define NETIEVENT_CASE_NOMORE(type)                                \
+	case netievent_##type: {                                   \
+		isc__nm_async_##type(worker, ievent);              \
+		isc__nm_put_netievent_##type(worker->mgr, ievent); \
+		return (false);                                    \
+	}
+
+static bool
+process_netievent(isc__networker_t *worker, isc__netievent_t *ievent) {
+	REQUIRE(worker->id == isc_nm_tid());
+
+	switch (ievent->type) {
+		/* Don't process more ievents when we are stopping */
+		NETIEVENT_CASE_NOMORE(stop);
+
+		NETIEVENT_CASE(privilegedtask);
+		NETIEVENT_CASE(task);
+
+		NETIEVENT_CASE(udpconnect);
+		NETIEVENT_CASE(udplisten);
+		NETIEVENT_CASE(udpstop);
+		NETIEVENT_CASE(udpsend);
+		NETIEVENT_CASE(udpread);
+		NETIEVENT_CASE(udpcancel);
+		NETIEVENT_CASE(udpclose);
+
+		NETIEVENT_CASE(tcpaccept);
+		NETIEVENT_CASE(tcpconnect);
+		NETIEVENT_CASE(tcplisten);
+		NETIEVENT_CASE(tcpstartread);
+		NETIEVENT_CASE(tcppauseread);
+		NETIEVENT_CASE(tcpsend);
+		NETIEVENT_CASE(tcpstop);
+		NETIEVENT_CASE(tcpcancel);
+		NETIEVENT_CASE(tcpclose);
+
+		NETIEVENT_CASE(tcpdnsaccept);
+		NETIEVENT_CASE(tcpdnslisten);
+		NETIEVENT_CASE(tcpdnsconnect);
+		NETIEVENT_CASE(tcpdnssend);
+		NETIEVENT_CASE(tcpdnscancel);
+		NETIEVENT_CASE(tcpdnsclose);
+		NETIEVENT_CASE(tcpdnsread);
+		NETIEVENT_CASE(tcpdnsstop);
+
+		NETIEVENT_CASE(connectcb);
+		NETIEVENT_CASE(readcb);
+		NETIEVENT_CASE(sendcb);
+
+		NETIEVENT_CASE(close);
+		NETIEVENT_CASE(detach);
+
+		NETIEVENT_CASE(shutdown);
+		NETIEVENT_CASE(resume);
+		NETIEVENT_CASE_NOMORE(pause);
+	default:
+		UNREACHABLE();
+	}
+	return (true);
+}
+
+static isc_result_t
+process_queue(isc__networker_t *worker, netievent_type_t type) {
+	isc__netievent_t *ievent = NULL;
+	isc__netievent_list_t list;
+
+	ISC_LIST_INIT(list);
+
+	LOCK(&worker->ievents[type].lock);
+	ISC_LIST_MOVE(list, worker->ievents[type].list);
+	UNLOCK(&worker->ievents[type].lock);
+
+	ievent = ISC_LIST_HEAD(list);
+	if (ievent == NULL) {
+		/* There's nothing scheduled */
+		return (ISC_R_EMPTY);
+	}
+
+	while (ievent != NULL) {
+		isc__netievent_t *next = ISC_LIST_NEXT(ievent, link);
+		ISC_LIST_DEQUEUE(list, ievent, link);
+
+		if (!process_netievent(worker, ievent)) {
+			/* The netievent told us to stop */
+			if (!ISC_LIST_EMPTY(list)) {
+				/*
+				 * Reschedule the rest of the unprocessed
+				 * events.
+				 */
+				LOCK(&worker->ievents[type].lock);
+				ISC_LIST_PREPENDLIST(worker->ievents[type].list,
+						     list, link);
+				UNLOCK(&worker->ievents[type].lock);
+			}
+			return (ISC_R_SUSPEND);
+		}
+
+		ievent = next;
+	}
+
+	/* We processed at least one */
+	return (ISC_R_SUCCESS);
+}
+
+void *
+isc__nm_get_netievent(isc_nm_t *mgr, isc__netievent_type type) {
+	isc__netievent_storage_t *event = isc_mem_get(mgr->mctx,
+						      sizeof(*event));
+
+	*event = (isc__netievent_storage_t){ .ni.type = type };
+	ISC_LINK_INIT(&(event->ni), link);
+	return (event);
+}
+
+void
+isc__nm_put_netievent(isc_nm_t *mgr, void *ievent) {
+	isc_mem_put(mgr->mctx, ievent, sizeof(isc__netievent_storage_t));
+}
+
+NETIEVENT_SOCKET_DEF(tcpclose);
+NETIEVENT_SOCKET_DEF(tcplisten);
+NETIEVENT_SOCKET_DEF(tcppauseread);
+NETIEVENT_SOCKET_DEF(tcpstartread);
+NETIEVENT_SOCKET_DEF(tcpstop);
+NETIEVENT_SOCKET_DEF(udpclose);
+NETIEVENT_SOCKET_DEF(udplisten);
+NETIEVENT_SOCKET_DEF(udpread);
+NETIEVENT_SOCKET_DEF(udpsend);
+NETIEVENT_SOCKET_DEF(udpstop);
+
+NETIEVENT_SOCKET_DEF(tcpdnsclose);
+NETIEVENT_SOCKET_DEF(tcpdnsread);
+NETIEVENT_SOCKET_DEF(tcpdnsstop);
+NETIEVENT_SOCKET_DEF(tcpdnslisten);
+NETIEVENT_SOCKET_REQ_DEF(tcpdnsconnect);
+NETIEVENT_SOCKET_REQ_DEF(tcpdnssend);
+NETIEVENT_SOCKET_HANDLE_DEF(tcpdnscancel);
+NETIEVENT_SOCKET_QUOTA_DEF(tcpdnsaccept);
+
+NETIEVENT_SOCKET_REQ_DEF(tcpconnect);
+NETIEVENT_SOCKET_REQ_DEF(tcpsend);
+NETIEVENT_SOCKET_REQ_DEF(udpconnect);
+NETIEVENT_SOCKET_REQ_RESULT_DEF(connectcb);
+NETIEVENT_SOCKET_REQ_RESULT_DEF(readcb);
+NETIEVENT_SOCKET_REQ_RESULT_DEF(sendcb);
+
+NETIEVENT_SOCKET_DEF(detach);
+NETIEVENT_SOCKET_HANDLE_DEF(tcpcancel);
+NETIEVENT_SOCKET_HANDLE_DEF(udpcancel);
+
+NETIEVENT_SOCKET_QUOTA_DEF(tcpaccept);
+
+NETIEVENT_SOCKET_DEF(close);
+NETIEVENT_DEF(pause);
+NETIEVENT_DEF(resume);
+NETIEVENT_DEF(shutdown);
+NETIEVENT_DEF(stop);
+
+NETIEVENT_TASK_DEF(task);
+NETIEVENT_TASK_DEF(privilegedtask);
+
+void
+isc__nm_maybe_enqueue_ievent(isc__networker_t *worker,
+			     isc__netievent_t *event) {
+	/*
+	 * If we are already in the matching nmthread, process the ievent
+	 * directly.
+	 */
+	if (worker->id == isc_nm_tid()) {
+		process_netievent(worker, event);
+		return;
+	}
+
+	isc__nm_enqueue_ievent(worker, event);
+}
+
+void
+isc__nm_enqueue_ievent(isc__networker_t *worker, isc__netievent_t *event) {
+	netievent_type_t type;
+
+	if (event->type > netievent_prio) {
+		type = NETIEVENT_PRIORITY;
+	} else {
+		switch (event->type) {
+		case netievent_prio:
+			UNREACHABLE();
+			break;
+		case netievent_privilegedtask:
+			type = NETIEVENT_PRIVILEGED;
+			break;
+		case netievent_task:
+			type = NETIEVENT_TASK;
+			break;
+		default:
+			type = NETIEVENT_NORMAL;
+			break;
+		}
+	}
+
+	/*
+	 * We need to make sure this signal will be delivered and
+	 * the queue will be processed.
+	 */
+	LOCK(&worker->ievents[type].lock);
+	ISC_LIST_ENQUEUE(worker->ievents[type].list, event, link);
+	if (type == NETIEVENT_PRIORITY) {
+		SIGNAL(&worker->ievents[type].cond);
+	}
+	UNLOCK(&worker->ievents[type].lock);
+
+	uv_async_send(&worker->async);
+}
+
+bool
+isc__nmsocket_active(isc_nmsocket_t *sock) {
+	REQUIRE(VALID_NMSOCK(sock));
+	if (sock->parent != NULL) {
+		return (atomic_load(&sock->parent->active));
+	}
+
+	return (atomic_load(&sock->active));
+}
+
+bool
+isc__nmsocket_deactivate(isc_nmsocket_t *sock) {
+	REQUIRE(VALID_NMSOCK(sock));
+
+	if (sock->parent != NULL) {
+		return (atomic_compare_exchange_strong(&sock->parent->active,
+						       &(bool){ true }, false));
+	}
+
+	return (atomic_compare_exchange_strong(&sock->active, &(bool){ true },
+					       false));
+}
+
+void
+isc___nmsocket_attach(isc_nmsocket_t *sock, isc_nmsocket_t **target FLARG) {
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(target != NULL && *target == NULL);
+
+	isc_nmsocket_t *rsock = NULL;
+
+	if (sock->parent != NULL) {
+		rsock = sock->parent;
+		INSIST(rsock->parent == NULL); /* sanity check */
+	} else {
+		rsock = sock;
+	}
+
+	NETMGR_TRACE_LOG("isc__nmsocket_attach():%p->references = %" PRIuFAST32
+			 "\n",
+			 rsock, isc_refcount_current(&rsock->references) + 1);
+
+	isc_refcount_increment0(&rsock->references);
+
+	*target = sock;
+}
+
+/*
+ * Free all resources inside a socket (including its children if any).
+ */
+static void
+nmsocket_cleanup(isc_nmsocket_t *sock, bool dofree FLARG) {
+	isc_nmhandle_t *handle = NULL;
+	isc__nm_uvreq_t *uvreq = NULL;
+
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(!isc__nmsocket_active(sock));
+
+	NETMGR_TRACE_LOG("nmsocket_cleanup():%p->references = %" PRIuFAST32
+			 "\n",
+			 sock, isc_refcount_current(&sock->references));
+
+	atomic_store(&sock->destroying, true);
+
+	if (sock->parent == NULL && sock->children != NULL) {
+		/*
+		 * We shouldn't be here unless there are no active handles,
+		 * so we can clean up and free the children.
+		 */
+		for (size_t i = 0; i < sock->nchildren; i++) {
+			if (!atomic_load(&sock->children[i].destroying)) {
+				nmsocket_cleanup(&sock->children[i],
+						 false FLARG_PASS);
+			}
+		}
+
+		/*
+		 * This was a parent socket: destroy the listening
+		 * barriers that synchronized the children.
+		 */
+		isc_barrier_destroy(&sock->startlistening);
+		isc_barrier_destroy(&sock->stoplistening);
+
+		/*
+		 * Now free them.
+		 */
+		isc_mem_put(sock->mgr->mctx, sock->children,
+			    sock->nchildren * sizeof(*sock));
+		sock->children = NULL;
+		sock->nchildren = 0;
+	}
+	if (sock->statsindex != NULL) {
+		isc__nm_decstats(sock->mgr, sock->statsindex[STATID_ACTIVE]);
+	}
+
+	sock->statichandle = NULL;
+
+	if (sock->outerhandle != NULL) {
+		isc__nmhandle_detach(&sock->outerhandle FLARG_PASS);
+	}
+
+	if (sock->outer != NULL) {
+		isc___nmsocket_detach(&sock->outer FLARG_PASS);
+	}
+
+	while ((handle = isc_astack_pop(sock->inactivehandles)) != NULL) {
+		nmhandle_free(sock, handle);
+	}
+
+	if (sock->buf != NULL) {
+		isc_mem_free(sock->mgr->mctx, sock->buf);
+	}
+
+	if (sock->quota != NULL) {
+		isc_quota_detach(&sock->quota);
+	}
+
+	sock->pquota = NULL;
+
+	isc_astack_destroy(sock->inactivehandles);
+
+	while ((uvreq = isc_astack_pop(sock->inactivereqs)) != NULL) {
+		isc_mem_put(sock->mgr->mctx, uvreq, sizeof(*uvreq));
+	}
+
+	isc_astack_destroy(sock->inactivereqs);
+	sock->magic = 0;
+
+	isc_condition_destroy(&sock->scond);
+	isc_condition_destroy(&sock->cond);
+	isc_mutex_destroy(&sock->lock);
+#ifdef NETMGR_TRACE
+	LOCK(&sock->mgr->lock);
+	ISC_LIST_UNLINK(sock->mgr->active_sockets, sock, active_link);
+	UNLOCK(&sock->mgr->lock);
+#endif
+	if (dofree) {
+		isc_nm_t *mgr = sock->mgr;
+		isc_mem_put(mgr->mctx, sock, sizeof(*sock));
+		isc_nm_detach(&mgr);
+	} else {
+		isc_nm_detach(&sock->mgr);
+	}
+}
+
+static void
+nmsocket_maybe_destroy(isc_nmsocket_t *sock FLARG) {
+	int active_handles;
+	bool destroy = false;
+
+	NETMGR_TRACE_LOG("%s():%p->references = %" PRIuFAST32 "\n", __func__,
+			 sock, isc_refcount_current(&sock->references));
+
+	if (sock->parent != NULL) {
+		/*
+		 * This is a child socket and cannot be destroyed except
+		 * as a side effect of destroying the parent, so let's go
+		 * see if the parent is ready to be destroyed.
+		 */
+		nmsocket_maybe_destroy(sock->parent FLARG_PASS);
+		return;
+	}
+
+	/*
+	 * This is a parent socket (or a standalone). See whether the
+	 * children have active handles before deciding whether to
+	 * accept destruction.
+	 */
+	LOCK(&sock->lock);
+	if (atomic_load(&sock->active) || atomic_load(&sock->destroying) ||
+	    !atomic_load(&sock->closed) || atomic_load(&sock->references) != 0)
+	{
+		UNLOCK(&sock->lock);
+		return;
+	}
+
+	active_handles = atomic_load(&sock->ah);
+	if (sock->children != NULL) {
+		for (size_t i = 0; i < sock->nchildren; i++) {
+			LOCK(&sock->children[i].lock);
+			active_handles += atomic_load(&sock->children[i].ah);
+			UNLOCK(&sock->children[i].lock);
+		}
+	}
+
+	if (active_handles == 0 || sock->statichandle != NULL) {
+		destroy = true;
+	}
+
+	NETMGR_TRACE_LOG("%s:%p->active_handles = %d, .statichandle = %p\n",
+			 __func__, sock, active_handles, sock->statichandle);
+
+	if (destroy) {
+		atomic_store(&sock->destroying, true);
+		UNLOCK(&sock->lock);
+		nmsocket_cleanup(sock, true FLARG_PASS);
+	} else {
+		UNLOCK(&sock->lock);
+	}
+}
+
+void
+isc___nmsocket_prep_destroy(isc_nmsocket_t *sock FLARG) {
+	REQUIRE(sock->parent == NULL);
+
+	NETMGR_TRACE_LOG("isc___nmsocket_prep_destroy():%p->references = "
+			 "%" PRIuFAST32 "\n",
+			 sock, isc_refcount_current(&sock->references));
+
+	/*
+	 * The final external reference to the socket is gone. We can try
+	 * destroying the socket, but we have to wait for all the inflight
+	 * handles to finish first.
+	 */
+	atomic_store(&sock->active, false);
+
+	/*
+	 * If the socket has children, they'll need to be marked inactive
+	 * so they can be cleaned up too.
+	 */
+	if (sock->children != NULL) {
+		for (size_t i = 0; i < sock->nchildren; i++) {
+			atomic_store(&sock->children[i].active, false);
+		}
+	}
+
+	/*
+	 * If we're here then we already stopped listening; otherwise
+	 * we'd have a hanging reference from the listening process.
+	 *
+	 * If it's a regular socket we may need to close it.
+	 */
+	if (!atomic_load(&sock->closed)) {
+		switch (sock->type) {
+		case isc_nm_udpsocket:
+			isc__nm_udp_close(sock);
+			return;
+		case isc_nm_tcpsocket:
+			isc__nm_tcp_close(sock);
+			return;
+		case isc_nm_tcpdnssocket:
+			isc__nm_tcpdns_close(sock);
+			return;
+		default:
+			break;
+		}
+	}
+
+	nmsocket_maybe_destroy(sock FLARG_PASS);
+}
+
+void
+isc___nmsocket_detach(isc_nmsocket_t **sockp FLARG) {
+	REQUIRE(sockp != NULL && *sockp != NULL);
+	REQUIRE(VALID_NMSOCK(*sockp));
+
+	isc_nmsocket_t *sock = *sockp, *rsock = NULL;
+	*sockp = NULL;
+
+	/*
+	 * If the socket is a part of a set (a child socket) we are
+	 * counting references for the whole set at the parent.
+	 */
+	if (sock->parent != NULL) {
+		rsock = sock->parent;
+		INSIST(rsock->parent == NULL); /* Sanity check */
+	} else {
+		rsock = sock;
+	}
+
+	NETMGR_TRACE_LOG("isc__nmsocket_detach():%p->references = %" PRIuFAST32
+			 "\n",
+			 rsock, isc_refcount_current(&rsock->references) - 1);
+
+	if (isc_refcount_decrement(&rsock->references) == 1) {
+		isc___nmsocket_prep_destroy(rsock FLARG_PASS);
+	}
+}
+
+void
+isc_nmsocket_close(isc_nmsocket_t **sockp) {
+	REQUIRE(sockp != NULL);
+	REQUIRE(VALID_NMSOCK(*sockp));
+	REQUIRE((*sockp)->type == isc_nm_udplistener ||
+		(*sockp)->type == isc_nm_tcplistener ||
+		(*sockp)->type == isc_nm_tcpdnslistener);
+
+	isc__nmsocket_detach(sockp);
+}
+
+void
+isc___nmsocket_init(isc_nmsocket_t *sock, isc_nm_t *mgr, isc_nmsocket_type type,
+		    isc_sockaddr_t *iface FLARG) {
+	uint16_t family;
+
+	REQUIRE(sock != NULL);
+	REQUIRE(mgr != NULL);
+	REQUIRE(iface != NULL);
+
+	family = iface->type.sa.sa_family;
+
+	*sock = (isc_nmsocket_t){ .type = type,
+				  .iface = *iface,
+				  .fd = -1,
+				  .inactivehandles = isc_astack_new(
+					  mgr->mctx, ISC_NM_HANDLES_STACK_SIZE),
+				  .inactivereqs = isc_astack_new(
+					  mgr->mctx, ISC_NM_REQS_STACK_SIZE) };
+
+#if NETMGR_TRACE
+	sock->backtrace_size = backtrace(sock->backtrace, TRACE_SIZE);
+	ISC_LINK_INIT(sock, active_link);
+	ISC_LIST_INIT(sock->active_handles);
+	LOCK(&mgr->lock);
+	ISC_LIST_APPEND(mgr->active_sockets, sock, active_link);
+	UNLOCK(&mgr->lock);
+#endif
+
+	isc_nm_attach(mgr, &sock->mgr);
+	sock->uv_handle.handle.data = sock;
+
+	ISC_LINK_INIT(&sock->quotacb, link);
+
+	switch (type) {
+	case isc_nm_udpsocket:
+	case isc_nm_udplistener:
+		if (family == AF_INET) {
+			sock->statsindex = udp4statsindex;
+		} else {
+			sock->statsindex = udp6statsindex;
+		}
+		isc__nm_incstats(sock->mgr, sock->statsindex[STATID_ACTIVE]);
+		break;
+	case isc_nm_tcpsocket:
+	case isc_nm_tcplistener:
+	case isc_nm_tcpdnssocket:
+	case isc_nm_tcpdnslistener:
+		if (family == AF_INET) {
+			sock->statsindex = tcp4statsindex;
+		} else {
+			sock->statsindex = tcp6statsindex;
+		}
+		isc__nm_incstats(sock->mgr, sock->statsindex[STATID_ACTIVE]);
+		break;
+	default:
+		break;
+	}
+
+	isc_mutex_init(&sock->lock);
+	isc_condition_init(&sock->cond);
+	isc_condition_init(&sock->scond);
+	isc_refcount_init(&sock->references, 1);
+
+	NETMGR_TRACE_LOG("isc__nmsocket_init():%p->references = %" PRIuFAST32
+			 "\n",
+			 sock, isc_refcount_current(&sock->references));
+
+	atomic_init(&sock->active, true);
+	atomic_init(&sock->sequential, false);
+	atomic_init(&sock->readpaused, false);
+	atomic_init(&sock->closing, false);
+	atomic_init(&sock->listening, 0);
+	atomic_init(&sock->closed, 0);
+	atomic_init(&sock->destroying, 0);
+	atomic_init(&sock->ah, 0);
+	atomic_init(&sock->client, 0);
+	atomic_init(&sock->connecting, false);
+	atomic_init(&sock->keepalive, false);
+	atomic_init(&sock->connected, false);
+	atomic_init(&sock->timedout, false);
+
+	atomic_init(&sock->active_child_connections, 0);
+
+	sock->magic = NMSOCK_MAGIC;
+}
+
+void
+isc__nmsocket_clearcb(isc_nmsocket_t *sock) {
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(!isc__nm_in_netthread() || sock->tid == isc_nm_tid());
+
+	sock->recv_cb = NULL;
+	sock->recv_cbarg = NULL;
+	sock->accept_cb = NULL;
+	sock->accept_cbarg = NULL;
+	sock->connect_cb = NULL;
+	sock->connect_cbarg = NULL;
+}
+
+void
+isc__nm_free_uvbuf(isc_nmsocket_t *sock, const uv_buf_t *buf) {
+	isc__networker_t *worker = NULL;
+
+	REQUIRE(VALID_NMSOCK(sock));
+
+	worker = &sock->mgr->workers[sock->tid];
+	REQUIRE(buf->base == worker->recvbuf);
+
+	worker->recvbuf_inuse = false;
+}
+
+static isc_nmhandle_t *
+alloc_handle(isc_nmsocket_t *sock) {
+	isc_nmhandle_t *handle =
+		isc_mem_get(sock->mgr->mctx,
+			    sizeof(isc_nmhandle_t) + sock->extrahandlesize);
+
+	*handle = (isc_nmhandle_t){ .magic = NMHANDLE_MAGIC };
+#ifdef NETMGR_TRACE
+	ISC_LINK_INIT(handle, active_link);
+#endif
+	isc_refcount_init(&handle->references, 1);
+
+	return (handle);
+}
+
+isc_nmhandle_t *
+isc___nmhandle_get(isc_nmsocket_t *sock, isc_sockaddr_t *peer,
+		   isc_sockaddr_t *local FLARG) {
+	isc_nmhandle_t *handle = NULL;
+
+	REQUIRE(VALID_NMSOCK(sock));
+
+	handle = isc_astack_pop(sock->inactivehandles);
+
+	if (handle == NULL) {
+		handle = alloc_handle(sock);
+	} else {
+		isc_refcount_init(&handle->references, 1);
+		INSIST(VALID_NMHANDLE(handle));
+	}
+
+	NETMGR_TRACE_LOG(
+		"isc__nmhandle_get():handle %p->references = %" PRIuFAST32 "\n",
+		handle, isc_refcount_current(&handle->references));
+
+	isc___nmsocket_attach(sock, &handle->sock FLARG_PASS);
+
+#if NETMGR_TRACE
+	handle->backtrace_size = backtrace(handle->backtrace, TRACE_SIZE);
+#endif
+
+	if (peer != NULL) {
+		handle->peer = *peer;
+	} else {
+		handle->peer = sock->peer;
+	}
+
+	if (local != NULL) {
+		handle->local = *local;
+	} else {
+		handle->local = sock->iface;
+	}
+
+	(void)atomic_fetch_add(&sock->ah, 1);
+
+#ifdef NETMGR_TRACE
+	LOCK(&sock->lock);
+	ISC_LIST_APPEND(sock->active_handles, handle, active_link);
+	UNLOCK(&sock->lock);
+#endif
+
+	switch (sock->type) {
+	case isc_nm_udpsocket:
+	case isc_nm_tcpdnssocket:
+		if (!atomic_load(&sock->client)) {
+			break;
+		}
+		FALLTHROUGH;
+	case isc_nm_tcpsocket:
+		INSIST(sock->statichandle == NULL);
+
+		/*
+		 * statichandle must be assigned, not attached;
+		 * otherwise, if a handle was detached elsewhere
+		 * it could never reach 0 references, and the
+		 * handle and socket would never be freed.
+		 */
+		sock->statichandle = handle;
+		break;
+	default:
+		break;
+	}
+
+	return (handle);
+}
+
+void
+isc__nmhandle_attach(isc_nmhandle_t *handle, isc_nmhandle_t **handlep FLARG) {
+	REQUIRE(VALID_NMHANDLE(handle));
+	REQUIRE(handlep != NULL && *handlep == NULL);
+
+	NETMGR_TRACE_LOG("isc__nmhandle_attach():handle %p->references = "
+			 "%" PRIuFAST32 "\n",
+			 handle, isc_refcount_current(&handle->references) + 1);
+
+	isc_refcount_increment(&handle->references);
+	*handlep = handle;
+}
+
+bool
+isc_nmhandle_is_stream(isc_nmhandle_t *handle) {
+	REQUIRE(VALID_NMHANDLE(handle));
+
+	return (handle->sock->type == isc_nm_tcpsocket ||
+		handle->sock->type == isc_nm_tcpdnssocket);
+}
+
+static void
+nmhandle_free(isc_nmsocket_t *sock, isc_nmhandle_t *handle) {
+	size_t extra = sock->extrahandlesize;
+
+	isc_refcount_destroy(&handle->references);
+
+	if (handle->dofree != NULL) {
+		handle->dofree(handle->opaque);
+	}
+
+	*handle = (isc_nmhandle_t){ .magic = 0 };
+
+	isc_mem_put(sock->mgr->mctx, handle, sizeof(isc_nmhandle_t) + extra);
+}
+
+static void
+nmhandle_deactivate(isc_nmsocket_t *sock, isc_nmhandle_t *handle) {
+	bool reuse = false;
+
+	/*
+	 * We do all of this under lock to avoid races with socket
+	 * destruction.  We have to do this now, because at this point the
+	 * socket is either unused or still attached to event->sock.
+	 */
+	LOCK(&sock->lock);
+
+#ifdef NETMGR_TRACE
+	ISC_LIST_UNLINK(sock->active_handles, handle, active_link);
+#endif
+
+	INSIST(atomic_fetch_sub(&sock->ah, 1) > 0);
+
+#if !__SANITIZE_ADDRESS__ && !__SANITIZE_THREAD__
+	if (atomic_load(&sock->active)) {
+		reuse = isc_astack_trypush(sock->inactivehandles, handle);
+	}
+#endif /* !__SANITIZE_ADDRESS__ && !__SANITIZE_THREAD__ */
+	if (!reuse) {
+		nmhandle_free(sock, handle);
+	}
+	UNLOCK(&sock->lock);
+}
+
+void
+isc__nmhandle_detach(isc_nmhandle_t **handlep FLARG) {
+	isc_nmsocket_t *sock = NULL;
+	isc_nmhandle_t *handle = NULL;
+
+	REQUIRE(handlep != NULL);
+	REQUIRE(VALID_NMHANDLE(*handlep));
+
+	handle = *handlep;
+	*handlep = NULL;
+
+	/*
+	 * If the closehandle_cb is set, it needs to run asynchronously to
+	 * ensure correct ordering of the isc__nm_process_sock_buffer().
+	 */
+	sock = handle->sock;
+	if (sock->tid == isc_nm_tid() && sock->closehandle_cb == NULL) {
+		nmhandle_detach_cb(&handle FLARG_PASS);
+	} else {
+		isc__netievent_detach_t *event =
+			isc__nm_get_netievent_detach(sock->mgr, sock);
+		/*
+		 * we are using implicit "attach" as the last reference
+		 * need to be destroyed explicitly in the async callback
+		 */
+		event->handle = handle;
+		FLARG_IEVENT_PASS(event);
+		isc__nm_enqueue_ievent(&sock->mgr->workers[sock->tid],
+				       (isc__netievent_t *)event);
+	}
+}
+
+void
+isc__nmsocket_shutdown(isc_nmsocket_t *sock);
+
+static void
+nmhandle_detach_cb(isc_nmhandle_t **handlep FLARG) {
+	isc_nmsocket_t *sock = NULL;
+	isc_nmhandle_t *handle = NULL;
+
+	REQUIRE(handlep != NULL);
+	REQUIRE(VALID_NMHANDLE(*handlep));
+
+	handle = *handlep;
+	*handlep = NULL;
+
+	NETMGR_TRACE_LOG("isc__nmhandle_detach():%p->references = %" PRIuFAST32
+			 "\n",
+			 handle, isc_refcount_current(&handle->references) - 1);
+
+	if (isc_refcount_decrement(&handle->references) > 1) {
+		return;
+	}
+
+	/* We need an acquire memory barrier here */
+	(void)isc_refcount_current(&handle->references);
+
+	sock = handle->sock;
+	handle->sock = NULL;
+
+	if (handle->doreset != NULL) {
+		handle->doreset(handle->opaque);
+	}
+
+	nmhandle_deactivate(sock, handle);
+
+	/*
+	 * The handle is gone now. If the socket has a callback configured
+	 * for that (e.g., to perform cleanup after request processing),
+	 * call it now, or schedule it to run asynchronously.
+	 */
+	if (sock->closehandle_cb != NULL) {
+		if (sock->tid == isc_nm_tid()) {
+			sock->closehandle_cb(sock);
+		} else {
+			isc__netievent_close_t *event =
+				isc__nm_get_netievent_close(sock->mgr, sock);
+			isc__nm_enqueue_ievent(&sock->mgr->workers[sock->tid],
+					       (isc__netievent_t *)event);
+		}
+	}
+
+	if (handle == sock->statichandle) {
+		/* statichandle is assigned, not attached. */
+		sock->statichandle = NULL;
+	}
+
+	isc___nmsocket_detach(&sock FLARG_PASS);
+}
+
+void *
+isc_nmhandle_getdata(isc_nmhandle_t *handle) {
+	REQUIRE(VALID_NMHANDLE(handle));
+
+	return (handle->opaque);
+}
+
+void
+isc_nmhandle_setdata(isc_nmhandle_t *handle, void *arg,
+		     isc_nm_opaquecb_t doreset, isc_nm_opaquecb_t dofree) {
+	REQUIRE(VALID_NMHANDLE(handle));
+
+	handle->opaque = arg;
+	handle->doreset = doreset;
+	handle->dofree = dofree;
+}
+
+void
+isc__nm_alloc_dnsbuf(isc_nmsocket_t *sock, size_t len) {
+	REQUIRE(len <= NM_BIG_BUF);
+
+	if (sock->buf == NULL) {
+		/* We don't have the buffer at all */
+		size_t alloc_len = len < NM_REG_BUF ? NM_REG_BUF : NM_BIG_BUF;
+		sock->buf = isc_mem_allocate(sock->mgr->mctx, alloc_len);
+		sock->buf_size = alloc_len;
+	} else {
+		/* We have the buffer but it's too small */
+		sock->buf = isc_mem_reallocate(sock->mgr->mctx, sock->buf,
+					       NM_BIG_BUF);
+		sock->buf_size = NM_BIG_BUF;
+	}
+}
+
+void
+isc__nm_failed_send_cb(isc_nmsocket_t *sock, isc__nm_uvreq_t *req,
+		       isc_result_t eresult) {
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(VALID_UVREQ(req));
+
+	if (req->cb.send != NULL) {
+		isc__nm_sendcb(sock, req, eresult, true);
+	} else {
+		isc__nm_uvreq_put(&req, sock);
+	}
+}
+
+void
+isc__nm_failed_accept_cb(isc_nmsocket_t *sock, isc_result_t eresult) {
+	REQUIRE(sock->accepting);
+	REQUIRE(sock->server);
+
+	/*
+	 * Detach the quota early to make room for other connections;
+	 * otherwise it'd be detached later asynchronously, and clog
+	 * the quota unnecessarily.
+	 */
+	if (sock->quota != NULL) {
+		isc_quota_detach(&sock->quota);
+	}
+
+	isc__nmsocket_detach(&sock->server);
+
+	sock->accepting = false;
+
+	switch (eresult) {
+	case ISC_R_NOTCONNECTED:
+		/* IGNORE: The client disconnected before we could accept */
+		break;
+	default:
+		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_NETMGR, ISC_LOG_ERROR,
+			      "Accepting TCP connection failed: %s",
+			      isc_result_totext(eresult));
+	}
+}
+
+void
+isc__nm_failed_connect_cb(isc_nmsocket_t *sock, isc__nm_uvreq_t *req,
+			  isc_result_t eresult, bool async) {
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(VALID_UVREQ(req));
+	REQUIRE(sock->tid == isc_nm_tid());
+	REQUIRE(req->cb.connect != NULL);
+
+	isc__nmsocket_timer_stop(sock);
+	uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
+
+	INSIST(atomic_compare_exchange_strong(&sock->connecting,
+					      &(bool){ true }, false));
+
+	isc__nmsocket_clearcb(sock);
+	isc__nm_connectcb(sock, req, eresult, async);
+
+	isc__nmsocket_prep_destroy(sock);
+}
+
+void
+isc__nm_failed_read_cb(isc_nmsocket_t *sock, isc_result_t result, bool async) {
+	REQUIRE(VALID_NMSOCK(sock));
+	UNUSED(async);
+
+	switch (sock->type) {
+	case isc_nm_udpsocket:
+		isc__nm_udp_failed_read_cb(sock, result);
+		return;
+	case isc_nm_tcpsocket:
+		isc__nm_tcp_failed_read_cb(sock, result);
+		return;
+	case isc_nm_tcpdnssocket:
+		isc__nm_tcpdns_failed_read_cb(sock, result);
+		return;
+	default:
+		UNREACHABLE();
+	}
+}
+
+void
+isc__nmsocket_connecttimeout_cb(uv_timer_t *timer) {
+	uv_connect_t *uvreq = uv_handle_get_data((uv_handle_t *)timer);
+	isc_nmsocket_t *sock = uv_handle_get_data((uv_handle_t *)uvreq->handle);
+	isc__nm_uvreq_t *req = uv_handle_get_data((uv_handle_t *)uvreq);
+
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->tid == isc_nm_tid());
+	REQUIRE(atomic_load(&sock->connecting));
+	REQUIRE(VALID_UVREQ(req));
+	REQUIRE(VALID_NMHANDLE(req->handle));
+
+	isc__nmsocket_timer_stop(sock);
+
+	/*
+	 * Mark the connection as timed out and shutdown the socket.
+	 */
+
+	INSIST(atomic_compare_exchange_strong(&sock->timedout, &(bool){ false },
+					      true));
+	isc__nmsocket_clearcb(sock);
+	isc__nmsocket_shutdown(sock);
+}
+
+void
+isc__nm_accept_connection_log(isc_result_t result, bool can_log_quota) {
+	int level;
+
+	switch (result) {
+	case ISC_R_SUCCESS:
+	case ISC_R_NOCONN:
+		return;
+	case ISC_R_QUOTA:
+	case ISC_R_SOFTQUOTA:
+		if (!can_log_quota) {
+			return;
+		}
+		level = ISC_LOG_INFO;
+		break;
+	case ISC_R_NOTCONNECTED:
+		level = ISC_LOG_INFO;
+		break;
+	default:
+		level = ISC_LOG_ERROR;
+	}
+
+	isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_NETMGR,
+		      level, "Accepting TCP connection failed: %s",
+		      isc_result_totext(result));
+}
+
+void
+isc__nmsocket_writetimeout_cb(void *data, isc_result_t eresult) {
+	isc__nm_uvreq_t *req = data;
+	isc_nmsocket_t *sock = NULL;
+
+	REQUIRE(eresult == ISC_R_TIMEDOUT);
+	REQUIRE(VALID_UVREQ(req));
+	REQUIRE(VALID_NMSOCK(req->sock));
+
+	sock = req->sock;
+
+	isc__nmsocket_reset(sock);
+}
+
+void
+isc__nmsocket_readtimeout_cb(uv_timer_t *timer) {
+	isc_nmsocket_t *sock = uv_handle_get_data((uv_handle_t *)timer);
+
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->tid == isc_nm_tid());
+	REQUIRE(sock->reading);
+
+	if (atomic_load(&sock->client)) {
+		uv_timer_stop(timer);
+
+		if (sock->recv_cb != NULL) {
+			isc__nm_uvreq_t *req = isc__nm_get_read_req(sock, NULL);
+			isc__nm_readcb(sock, req, ISC_R_TIMEDOUT);
+		}
+
+		if (!isc__nmsocket_timer_running(sock)) {
+			isc__nmsocket_clearcb(sock);
+			isc__nm_failed_read_cb(sock, ISC_R_CANCELED, false);
+		}
+	} else {
+		isc__nm_failed_read_cb(sock, ISC_R_TIMEDOUT, false);
+	}
+}
+
+void
+isc__nmsocket_timer_restart(isc_nmsocket_t *sock) {
+	REQUIRE(VALID_NMSOCK(sock));
+
+	if (atomic_load(&sock->connecting)) {
+		int r;
+
+		if (sock->connect_timeout == 0) {
+			return;
+		}
+
+		r = uv_timer_start(&sock->read_timer,
+				   isc__nmsocket_connecttimeout_cb,
+				   sock->connect_timeout + 10, 0);
+		UV_RUNTIME_CHECK(uv_timer_start, r);
+
+	} else {
+		int r;
+
+		if (sock->read_timeout == 0) {
+			return;
+		}
+
+		r = uv_timer_start(&sock->read_timer,
+				   isc__nmsocket_readtimeout_cb,
+				   sock->read_timeout, 0);
+		UV_RUNTIME_CHECK(uv_timer_start, r);
+	}
+}
+
+bool
+isc__nmsocket_timer_running(isc_nmsocket_t *sock) {
+	REQUIRE(VALID_NMSOCK(sock));
+
+	return (uv_is_active((uv_handle_t *)&sock->read_timer));
+}
+
+void
+isc__nmsocket_timer_start(isc_nmsocket_t *sock) {
+	REQUIRE(VALID_NMSOCK(sock));
+
+	if (isc__nmsocket_timer_running(sock)) {
+		return;
+	}
+
+	isc__nmsocket_timer_restart(sock);
+}
+
+void
+isc__nmsocket_timer_stop(isc_nmsocket_t *sock) {
+	int r;
+
+	REQUIRE(VALID_NMSOCK(sock));
+
+	/* uv_timer_stop() is idempotent, no need to check if running */
+
+	r = uv_timer_stop(&sock->read_timer);
+	UV_RUNTIME_CHECK(uv_timer_stop, r);
+}
+
+isc__nm_uvreq_t *
+isc__nm_get_read_req(isc_nmsocket_t *sock, isc_sockaddr_t *sockaddr) {
+	isc__nm_uvreq_t *req = NULL;
+
+	req = isc__nm_uvreq_get(sock->mgr, sock);
+	req->cb.recv = sock->recv_cb;
+	req->cbarg = sock->recv_cbarg;
+
+	switch (sock->type) {
+	case isc_nm_tcpsocket:
+		isc_nmhandle_attach(sock->statichandle, &req->handle);
+		break;
+	default:
+		if (atomic_load(&sock->client)) {
+			isc_nmhandle_attach(sock->statichandle, &req->handle);
+		} else {
+			req->handle = isc__nmhandle_get(sock, sockaddr, NULL);
+		}
+		break;
+	}
+
+	return (req);
+}
+
+/*%<
+ * Allocator callback for read operations.
+ *
+ * Note this doesn't actually allocate anything, it just assigns the
+ * worker's receive buffer to a socket, and marks it as "in use".
+ */
+void
+isc__nm_alloc_cb(uv_handle_t *handle, size_t size, uv_buf_t *buf) {
+	isc_nmsocket_t *sock = uv_handle_get_data(handle);
+	isc__networker_t *worker = NULL;
+
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(isc__nm_in_netthread());
+	/*
+	 * The size provided by libuv is only suggested size, and it always
+	 * defaults to 64 * 1024 in the current versions of libuv (see
+	 * src/unix/udp.c and src/unix/stream.c).
+	 */
+	UNUSED(size);
+
+	worker = &sock->mgr->workers[sock->tid];
+	INSIST(!worker->recvbuf_inuse);
+	INSIST(worker->recvbuf != NULL);
+
+	switch (sock->type) {
+	case isc_nm_udpsocket:
+		buf->len = ISC_NETMGR_UDP_RECVBUF_SIZE;
+		break;
+	case isc_nm_tcpsocket:
+	case isc_nm_tcpdnssocket:
+		buf->len = ISC_NETMGR_TCP_RECVBUF_SIZE;
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	REQUIRE(buf->len <= ISC_NETMGR_RECVBUF_SIZE);
+	buf->base = worker->recvbuf;
+
+	worker->recvbuf_inuse = true;
+}
+
+isc_result_t
+isc__nm_start_reading(isc_nmsocket_t *sock) {
+	isc_result_t result = ISC_R_SUCCESS;
+	int r;
+
+	if (sock->reading) {
+		return (ISC_R_SUCCESS);
+	}
+
+	switch (sock->type) {
+	case isc_nm_udpsocket:
+		r = uv_udp_recv_start(&sock->uv_handle.udp, isc__nm_alloc_cb,
+				      isc__nm_udp_read_cb);
+		break;
+	case isc_nm_tcpsocket:
+		r = uv_read_start(&sock->uv_handle.stream, isc__nm_alloc_cb,
+				  isc__nm_tcp_read_cb);
+		break;
+	case isc_nm_tcpdnssocket:
+		r = uv_read_start(&sock->uv_handle.stream, isc__nm_alloc_cb,
+				  isc__nm_tcpdns_read_cb);
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	if (r != 0) {
+		result = isc__nm_uverr2result(r);
+	} else {
+		sock->reading = true;
+	}
+
+	return (result);
+}
+
+void
+isc__nm_stop_reading(isc_nmsocket_t *sock) {
+	int r;
+
+	if (!sock->reading) {
+		return;
+	}
+
+	switch (sock->type) {
+	case isc_nm_udpsocket:
+		r = uv_udp_recv_stop(&sock->uv_handle.udp);
+		UV_RUNTIME_CHECK(uv_udp_recv_stop, r);
+		break;
+	case isc_nm_tcpsocket:
+	case isc_nm_tcpdnssocket:
+		r = uv_read_stop(&sock->uv_handle.stream);
+		UV_RUNTIME_CHECK(uv_read_stop, r);
+		break;
+	default:
+		UNREACHABLE();
+	}
+	sock->reading = false;
+}
+
+bool
+isc__nm_closing(isc_nmsocket_t *sock) {
+	return (atomic_load(&sock->mgr->closing));
+}
+
+bool
+isc__nmsocket_closing(isc_nmsocket_t *sock) {
+	return (!isc__nmsocket_active(sock) || atomic_load(&sock->closing) ||
+		atomic_load(&sock->mgr->closing) ||
+		(sock->server != NULL && !isc__nmsocket_active(sock->server)));
+}
+
+static isc_result_t
+processbuffer(isc_nmsocket_t *sock) {
+	switch (sock->type) {
+	case isc_nm_tcpdnssocket:
+		return (isc__nm_tcpdns_processbuffer(sock));
+	default:
+		UNREACHABLE();
+	}
+}
+
+/*
+ * Process a DNS message.
+ *
+ * If we only have an incomplete DNS message, we don't touch any
+ * timers. If we do have a full message, reset the timer.
+ *
+ * Stop reading if this is a client socket, or if the server socket
+ * has been set to sequential mode, or the number of queries we are
+ * processing simultaneously has reached the clients-per-connection
+ * limit. In this case we'll be called again by resume_processing()
+ * later.
+ */
+isc_result_t
+isc__nm_process_sock_buffer(isc_nmsocket_t *sock) {
+	for (;;) {
+		int_fast32_t ah = atomic_load(&sock->ah);
+		isc_result_t result = processbuffer(sock);
+		switch (result) {
+		case ISC_R_NOMORE:
+			/*
+			 * Don't reset the timer until we have a
+			 * full DNS message.
+			 */
+			result = isc__nm_start_reading(sock);
+			if (result != ISC_R_SUCCESS) {
+				return (result);
+			}
+			/*
+			 * Start the timer only if there are no externally used
+			 * active handles, there's always one active handle
+			 * attached internally to sock->recv_handle in
+			 * accept_connection()
+			 */
+			if (ah == 1) {
+				isc__nmsocket_timer_start(sock);
+			}
+			goto done;
+		case ISC_R_CANCELED:
+			isc__nmsocket_timer_stop(sock);
+			isc__nm_stop_reading(sock);
+			goto done;
+		case ISC_R_SUCCESS:
+			/*
+			 * Stop the timer on the successful message read, this
+			 * also allows to restart the timer when we have no more
+			 * data.
+			 */
+			isc__nmsocket_timer_stop(sock);
+
+			if (atomic_load(&sock->client) ||
+			    atomic_load(&sock->sequential) ||
+			    ah >= STREAM_CLIENTS_PER_CONN)
+			{
+				isc__nm_stop_reading(sock);
+				goto done;
+			}
+			break;
+		default:
+			UNREACHABLE();
+		}
+	}
+done:
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc__nm_resume_processing(void *arg) {
+	isc_nmsocket_t *sock = (isc_nmsocket_t *)arg;
+
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->tid == isc_nm_tid());
+	REQUIRE(!atomic_load(&sock->client));
+
+	if (isc__nmsocket_closing(sock)) {
+		return;
+	}
+
+	isc__nm_process_sock_buffer(sock);
+}
+
+void
+isc_nmhandle_cleartimeout(isc_nmhandle_t *handle) {
+	REQUIRE(VALID_NMHANDLE(handle));
+	REQUIRE(VALID_NMSOCK(handle->sock));
+
+	switch (handle->sock->type) {
+	default:
+		handle->sock->read_timeout = 0;
+
+		if (uv_is_active((uv_handle_t *)&handle->sock->read_timer)) {
+			isc__nmsocket_timer_stop(handle->sock);
+		}
+	}
+}
+
+void
+isc_nmhandle_settimeout(isc_nmhandle_t *handle, uint32_t timeout) {
+	REQUIRE(VALID_NMHANDLE(handle));
+	REQUIRE(VALID_NMSOCK(handle->sock));
+
+	switch (handle->sock->type) {
+	default:
+		handle->sock->read_timeout = timeout;
+		isc__nmsocket_timer_restart(handle->sock);
+	}
+}
+
+void
+isc_nmhandle_keepalive(isc_nmhandle_t *handle, bool value) {
+	isc_nmsocket_t *sock = NULL;
+
+	REQUIRE(VALID_NMHANDLE(handle));
+	REQUIRE(VALID_NMSOCK(handle->sock));
+
+	sock = handle->sock;
+
+	switch (sock->type) {
+	case isc_nm_tcpsocket:
+	case isc_nm_tcpdnssocket:
+		atomic_store(&sock->keepalive, value);
+		sock->read_timeout = value ? atomic_load(&sock->mgr->keepalive)
+					   : atomic_load(&sock->mgr->idle);
+		sock->write_timeout = value ? atomic_load(&sock->mgr->keepalive)
+					    : atomic_load(&sock->mgr->idle);
+		break;
+	default:
+		/*
+		 * For any other protocol, this is a no-op.
+		 */
+		return;
+	}
+}
+
+void *
+isc_nmhandle_getextra(isc_nmhandle_t *handle) {
+	REQUIRE(VALID_NMHANDLE(handle));
+
+	return (handle->extra);
+}
+
+isc_sockaddr_t
+isc_nmhandle_peeraddr(isc_nmhandle_t *handle) {
+	REQUIRE(VALID_NMHANDLE(handle));
+
+	return (handle->peer);
+}
+
+isc_sockaddr_t
+isc_nmhandle_localaddr(isc_nmhandle_t *handle) {
+	REQUIRE(VALID_NMHANDLE(handle));
+
+	return (handle->local);
+}
+
+isc_nm_t *
+isc_nmhandle_netmgr(isc_nmhandle_t *handle) {
+	REQUIRE(VALID_NMHANDLE(handle));
+	REQUIRE(VALID_NMSOCK(handle->sock));
+
+	return (handle->sock->mgr);
+}
+
+isc__nm_uvreq_t *
+isc___nm_uvreq_get(isc_nm_t *mgr, isc_nmsocket_t *sock FLARG) {
+	isc__nm_uvreq_t *req = NULL;
+
+	REQUIRE(VALID_NM(mgr));
+	REQUIRE(VALID_NMSOCK(sock));
+
+	if (sock != NULL && isc__nmsocket_active(sock)) {
+		/* Try to reuse one */
+		req = isc_astack_pop(sock->inactivereqs);
+	}
+
+	if (req == NULL) {
+		req = isc_mem_get(mgr->mctx, sizeof(*req));
+	}
+
+	*req = (isc__nm_uvreq_t){ .magic = 0 };
+	ISC_LINK_INIT(req, link);
+	req->uv_req.req.data = req;
+	isc___nmsocket_attach(sock, &req->sock FLARG_PASS);
+	req->magic = UVREQ_MAGIC;
+
+	return (req);
+}
+
+void
+isc___nm_uvreq_put(isc__nm_uvreq_t **req0, isc_nmsocket_t *sock FLARG) {
+	isc__nm_uvreq_t *req = NULL;
+	isc_nmhandle_t *handle = NULL;
+
+	REQUIRE(req0 != NULL);
+	REQUIRE(VALID_UVREQ(*req0));
+
+	req = *req0;
+	*req0 = NULL;
+
+	INSIST(sock == req->sock);
+
+	req->magic = 0;
+
+	/*
+	 * We need to save this first to make sure that handle,
+	 * sock, and the netmgr won't all disappear.
+	 */
+	handle = req->handle;
+	req->handle = NULL;
+
+#if !__SANITIZE_ADDRESS__ && !__SANITIZE_THREAD__
+	if (!isc__nmsocket_active(sock) ||
+	    !isc_astack_trypush(sock->inactivereqs, req))
+	{
+		isc_mem_put(sock->mgr->mctx, req, sizeof(*req));
+	}
+#else  /* !__SANITIZE_ADDRESS__ && !__SANITIZE_THREAD__ */
+	isc_mem_put(sock->mgr->mctx, req, sizeof(*req));
+#endif /* !__SANITIZE_ADDRESS__ && !__SANITIZE_THREAD__ */
+
+	if (handle != NULL) {
+		isc__nmhandle_detach(&handle FLARG_PASS);
+	}
+
+	isc___nmsocket_detach(&sock FLARG_PASS);
+}
+
+void
+isc_nm_send(isc_nmhandle_t *handle, isc_region_t *region, isc_nm_cb_t cb,
+	    void *cbarg) {
+	REQUIRE(VALID_NMHANDLE(handle));
+
+	switch (handle->sock->type) {
+	case isc_nm_udpsocket:
+	case isc_nm_udplistener:
+		isc__nm_udp_send(handle, region, cb, cbarg);
+		break;
+	case isc_nm_tcpsocket:
+		isc__nm_tcp_send(handle, region, cb, cbarg);
+		break;
+	case isc_nm_tcpdnssocket:
+		isc__nm_tcpdns_send(handle, region, cb, cbarg);
+		break;
+	default:
+		UNREACHABLE();
+	}
+}
+
+void
+isc_nm_read(isc_nmhandle_t *handle, isc_nm_recv_cb_t cb, void *cbarg) {
+	REQUIRE(VALID_NMHANDLE(handle));
+
+	/*
+	 * This is always called via callback (from accept or connect), and
+	 * caller must attach to the handle, so the references always need to be
+	 * at least 2.
+	 */
+	REQUIRE(isc_refcount_current(&handle->references) >= 2);
+
+	switch (handle->sock->type) {
+	case isc_nm_udpsocket:
+		isc__nm_udp_read(handle, cb, cbarg);
+		break;
+	case isc_nm_tcpsocket:
+		isc__nm_tcp_read(handle, cb, cbarg);
+		break;
+	case isc_nm_tcpdnssocket:
+		isc__nm_tcpdns_read(handle, cb, cbarg);
+		break;
+	default:
+		UNREACHABLE();
+	}
+}
+
+void
+isc_nm_cancelread(isc_nmhandle_t *handle) {
+	REQUIRE(VALID_NMHANDLE(handle));
+
+	switch (handle->sock->type) {
+	case isc_nm_udpsocket:
+		isc__nm_udp_cancelread(handle);
+		break;
+	case isc_nm_tcpsocket:
+		isc__nm_tcp_cancelread(handle);
+		break;
+	case isc_nm_tcpdnssocket:
+		isc__nm_tcpdns_cancelread(handle);
+		break;
+	default:
+		UNREACHABLE();
+	}
+}
+
+void
+isc_nm_pauseread(isc_nmhandle_t *handle) {
+	REQUIRE(VALID_NMHANDLE(handle));
+
+	isc_nmsocket_t *sock = handle->sock;
+
+	switch (sock->type) {
+	case isc_nm_tcpsocket:
+		isc__nm_tcp_pauseread(handle);
+		break;
+	default:
+		UNREACHABLE();
+	}
+}
+
+void
+isc_nm_resumeread(isc_nmhandle_t *handle) {
+	REQUIRE(VALID_NMHANDLE(handle));
+
+	isc_nmsocket_t *sock = handle->sock;
+
+	switch (sock->type) {
+	case isc_nm_tcpsocket:
+		isc__nm_tcp_resumeread(handle);
+		break;
+	default:
+		UNREACHABLE();
+	}
+}
+
+void
+isc_nm_stoplistening(isc_nmsocket_t *sock) {
+	REQUIRE(VALID_NMSOCK(sock));
+
+	switch (sock->type) {
+	case isc_nm_udplistener:
+		isc__nm_udp_stoplistening(sock);
+		break;
+	case isc_nm_tcpdnslistener:
+		isc__nm_tcpdns_stoplistening(sock);
+		break;
+	case isc_nm_tcplistener:
+		isc__nm_tcp_stoplistening(sock);
+		break;
+	default:
+		UNREACHABLE();
+	}
+}
+
+void
+isc__nm_connectcb(isc_nmsocket_t *sock, isc__nm_uvreq_t *uvreq,
+		  isc_result_t eresult, bool async) {
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(VALID_UVREQ(uvreq));
+	REQUIRE(VALID_NMHANDLE(uvreq->handle));
+
+	if (!async) {
+		isc__netievent_connectcb_t ievent = { .sock = sock,
+						      .req = uvreq,
+						      .result = eresult };
+		isc__nm_async_connectcb(NULL, (isc__netievent_t *)&ievent);
+	} else {
+		isc__netievent_connectcb_t *ievent =
+			isc__nm_get_netievent_connectcb(sock->mgr, sock, uvreq,
+							eresult);
+		isc__nm_enqueue_ievent(&sock->mgr->workers[sock->tid],
+				       (isc__netievent_t *)ievent);
+	}
+}
+
+void
+isc__nm_async_connectcb(isc__networker_t *worker, isc__netievent_t *ev0) {
+	isc__netievent_connectcb_t *ievent = (isc__netievent_connectcb_t *)ev0;
+	isc_nmsocket_t *sock = ievent->sock;
+	isc__nm_uvreq_t *uvreq = ievent->req;
+	isc_result_t eresult = ievent->result;
+
+	UNUSED(worker);
+
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(VALID_UVREQ(uvreq));
+	REQUIRE(VALID_NMHANDLE(uvreq->handle));
+	REQUIRE(ievent->sock->tid == isc_nm_tid());
+	REQUIRE(uvreq->cb.connect != NULL);
+
+	uvreq->cb.connect(uvreq->handle, eresult, uvreq->cbarg);
+
+	isc__nm_uvreq_put(&uvreq, sock);
+}
+
+void
+isc__nm_readcb(isc_nmsocket_t *sock, isc__nm_uvreq_t *uvreq,
+	       isc_result_t eresult) {
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(VALID_UVREQ(uvreq));
+	REQUIRE(VALID_NMHANDLE(uvreq->handle));
+
+	if (eresult == ISC_R_SUCCESS || eresult == ISC_R_TIMEDOUT) {
+		isc__netievent_readcb_t ievent = { .sock = sock,
+						   .req = uvreq,
+						   .result = eresult };
+
+		isc__nm_async_readcb(NULL, (isc__netievent_t *)&ievent);
+	} else {
+		isc__netievent_readcb_t *ievent = isc__nm_get_netievent_readcb(
+			sock->mgr, sock, uvreq, eresult);
+		isc__nm_enqueue_ievent(&sock->mgr->workers[sock->tid],
+				       (isc__netievent_t *)ievent);
+	}
+}
+
+void
+isc__nm_async_readcb(isc__networker_t *worker, isc__netievent_t *ev0) {
+	isc__netievent_readcb_t *ievent = (isc__netievent_readcb_t *)ev0;
+	isc_nmsocket_t *sock = ievent->sock;
+	isc__nm_uvreq_t *uvreq = ievent->req;
+	isc_result_t eresult = ievent->result;
+	isc_region_t region;
+
+	UNUSED(worker);
+
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(VALID_UVREQ(uvreq));
+	REQUIRE(VALID_NMHANDLE(uvreq->handle));
+	REQUIRE(sock->tid == isc_nm_tid());
+
+	region.base = (unsigned char *)uvreq->uvbuf.base;
+	region.length = uvreq->uvbuf.len;
+
+	uvreq->cb.recv(uvreq->handle, eresult, &region, uvreq->cbarg);
+
+	isc__nm_uvreq_put(&uvreq, sock);
+}
+
+void
+isc__nm_sendcb(isc_nmsocket_t *sock, isc__nm_uvreq_t *uvreq,
+	       isc_result_t eresult, bool async) {
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(VALID_UVREQ(uvreq));
+	REQUIRE(VALID_NMHANDLE(uvreq->handle));
+
+	if (!async) {
+		isc__netievent_sendcb_t ievent = { .sock = sock,
+						   .req = uvreq,
+						   .result = eresult };
+		isc__nm_async_sendcb(NULL, (isc__netievent_t *)&ievent);
+		return;
+	}
+
+	isc__netievent_sendcb_t *ievent =
+		isc__nm_get_netievent_sendcb(sock->mgr, sock, uvreq, eresult);
+	isc__nm_enqueue_ievent(&sock->mgr->workers[sock->tid],
+			       (isc__netievent_t *)ievent);
+}
+
+void
+isc__nm_async_sendcb(isc__networker_t *worker, isc__netievent_t *ev0) {
+	isc__netievent_sendcb_t *ievent = (isc__netievent_sendcb_t *)ev0;
+	isc_nmsocket_t *sock = ievent->sock;
+	isc__nm_uvreq_t *uvreq = ievent->req;
+	isc_result_t eresult = ievent->result;
+
+	UNUSED(worker);
+
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(VALID_UVREQ(uvreq));
+	REQUIRE(VALID_NMHANDLE(uvreq->handle));
+	REQUIRE(sock->tid == isc_nm_tid());
+
+	uvreq->cb.send(uvreq->handle, eresult, uvreq->cbarg);
+
+	isc__nm_uvreq_put(&uvreq, sock);
+}
+
+static void
+isc__nm_async_close(isc__networker_t *worker, isc__netievent_t *ev0) {
+	isc__netievent_close_t *ievent = (isc__netievent_close_t *)ev0;
+	isc_nmsocket_t *sock = ievent->sock;
+
+	REQUIRE(VALID_NMSOCK(ievent->sock));
+	REQUIRE(sock->tid == isc_nm_tid());
+	REQUIRE(sock->closehandle_cb != NULL);
+
+	UNUSED(worker);
+
+	ievent->sock->closehandle_cb(sock);
+}
+
+void
+isc__nm_async_detach(isc__networker_t *worker, isc__netievent_t *ev0) {
+	isc__netievent_detach_t *ievent = (isc__netievent_detach_t *)ev0;
+	FLARG_IEVENT(ievent);
+
+	REQUIRE(VALID_NMSOCK(ievent->sock));
+	REQUIRE(VALID_NMHANDLE(ievent->handle));
+	REQUIRE(ievent->sock->tid == isc_nm_tid());
+
+	UNUSED(worker);
+
+	nmhandle_detach_cb(&ievent->handle FLARG_PASS);
+}
+
+static void
+reset_shutdown(uv_handle_t *handle) {
+	isc_nmsocket_t *sock = uv_handle_get_data(handle);
+
+	isc__nmsocket_shutdown(sock);
+	isc__nmsocket_detach(&sock);
+}
+
+void
+isc__nmsocket_reset(isc_nmsocket_t *sock) {
+	REQUIRE(VALID_NMSOCK(sock));
+
+	switch (sock->type) {
+	case isc_nm_tcpsocket:
+	case isc_nm_tcpdnssocket:
+		/*
+		 * This can be called from the TCP write timeout.
+		 */
+		REQUIRE(sock->parent == NULL);
+		break;
+	default:
+		UNREACHABLE();
+		break;
+	}
+
+	if (!uv_is_closing(&sock->uv_handle.handle) &&
+	    uv_is_active(&sock->uv_handle.handle))
+	{
+		/*
+		 * The real shutdown will be handled in the respective
+		 * close functions.
+		 */
+		isc__nmsocket_attach(sock, &(isc_nmsocket_t *){ NULL });
+		int r = uv_tcp_close_reset(&sock->uv_handle.tcp,
+					   reset_shutdown);
+		UV_RUNTIME_CHECK(uv_tcp_close_reset, r);
+	} else {
+		isc__nmsocket_shutdown(sock);
+	}
+}
+
+void
+isc__nmsocket_shutdown(isc_nmsocket_t *sock) {
+	REQUIRE(VALID_NMSOCK(sock));
+	switch (sock->type) {
+	case isc_nm_udpsocket:
+		isc__nm_udp_shutdown(sock);
+		break;
+	case isc_nm_tcpsocket:
+		isc__nm_tcp_shutdown(sock);
+		break;
+	case isc_nm_tcpdnssocket:
+		isc__nm_tcpdns_shutdown(sock);
+		break;
+	case isc_nm_udplistener:
+	case isc_nm_tcplistener:
+	case isc_nm_tcpdnslistener:
+		return;
+	default:
+		UNREACHABLE();
+	}
+}
+
+static void
+shutdown_walk_cb(uv_handle_t *handle, void *arg) {
+	isc_nmsocket_t *sock = uv_handle_get_data(handle);
+	UNUSED(arg);
+
+	if (uv_is_closing(handle)) {
+		return;
+	}
+
+	switch (handle->type) {
+	case UV_UDP:
+		isc__nmsocket_shutdown(sock);
+		return;
+	case UV_TCP:
+		switch (sock->type) {
+		case isc_nm_tcpsocket:
+		case isc_nm_tcpdnssocket:
+			if (sock->parent == NULL) {
+				/* Reset the TCP connections on shutdown */
+				isc__nmsocket_reset(sock);
+				return;
+			}
+			FALLTHROUGH;
+		default:
+			isc__nmsocket_shutdown(sock);
+		}
+
+		return;
+	default:
+		return;
+	}
+}
+
+void
+isc__nm_async_shutdown(isc__networker_t *worker, isc__netievent_t *ev0) {
+	UNUSED(ev0);
+
+	uv_walk(&worker->loop, shutdown_walk_cb, NULL);
+}
+
+bool
+isc__nm_acquire_interlocked(isc_nm_t *mgr) {
+	if (!isc__nm_in_netthread()) {
+		return (false);
+	}
+
+	LOCK(&mgr->lock);
+	bool success = atomic_compare_exchange_strong(
+		&mgr->interlocked, &(int){ ISC_NETMGR_NON_INTERLOCKED },
+		isc_nm_tid());
+
+	UNLOCK(&mgr->lock);
+	return (success);
+}
+
+void
+isc__nm_drop_interlocked(isc_nm_t *mgr) {
+	if (!isc__nm_in_netthread()) {
+		return;
+	}
+
+	LOCK(&mgr->lock);
+	int tid = atomic_exchange(&mgr->interlocked,
+				  ISC_NETMGR_NON_INTERLOCKED);
+	INSIST(tid != ISC_NETMGR_NON_INTERLOCKED);
+	BROADCAST(&mgr->wkstatecond);
+	UNLOCK(&mgr->lock);
+}
+
+void
+isc__nm_acquire_interlocked_force(isc_nm_t *mgr) {
+	if (!isc__nm_in_netthread()) {
+		return;
+	}
+
+	LOCK(&mgr->lock);
+	while (!atomic_compare_exchange_strong(
+		&mgr->interlocked, &(int){ ISC_NETMGR_NON_INTERLOCKED },
+		isc_nm_tid()))
+	{
+		WAIT(&mgr->wkstatecond, &mgr->lock);
+	}
+	UNLOCK(&mgr->lock);
+}
+
+void
+isc_nm_setstats(isc_nm_t *mgr, isc_stats_t *stats) {
+	REQUIRE(VALID_NM(mgr));
+	REQUIRE(mgr->stats == NULL);
+	REQUIRE(isc_stats_ncounters(stats) == isc_sockstatscounter_max);
+
+	isc_stats_attach(stats, &mgr->stats);
+}
+
+void
+isc__nm_incstats(isc_nm_t *mgr, isc_statscounter_t counterid) {
+	REQUIRE(VALID_NM(mgr));
+	REQUIRE(counterid != -1);
+
+	if (mgr->stats != NULL) {
+		isc_stats_increment(mgr->stats, counterid);
+	}
+}
+
+void
+isc__nm_decstats(isc_nm_t *mgr, isc_statscounter_t counterid) {
+	REQUIRE(VALID_NM(mgr));
+	REQUIRE(counterid != -1);
+
+	if (mgr->stats != NULL) {
+		isc_stats_decrement(mgr->stats, counterid);
+	}
+}
+
+isc_result_t
+isc__nm_socket(int domain, int type, int protocol, uv_os_sock_t *sockp) {
+#ifdef WIN32
+	SOCKET sock;
+	sock = socket(domain, type, protocol);
+	if (sock == INVALID_SOCKET) {
+		char strbuf[ISC_STRERRORSIZE];
+		DWORD socket_errno = WSAGetLastError();
+		switch (socket_errno) {
+		case WSAEMFILE:
+		case WSAENOBUFS:
+			return (ISC_R_NORESOURCES);
+
+		case WSAEPROTONOSUPPORT:
+		case WSAEPFNOSUPPORT:
+		case WSAEAFNOSUPPORT:
+			return (ISC_R_FAMILYNOSUPPORT);
+		default:
+			strerror_r(socket_errno, strbuf, sizeof(strbuf));
+			UNEXPECTED_ERROR(
+				__FILE__, __LINE__,
+				"socket() failed with error code %lu: %s",
+				socket_errno, strbuf);
+			return (ISC_R_UNEXPECTED);
+		}
+	}
+#else
+	int sock = socket(domain, type, protocol);
+	if (sock < 0) {
+		return (isc_errno_toresult(errno));
+	}
+#endif
+	*sockp = (uv_os_sock_t)sock;
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc__nm_closesocket(uv_os_sock_t sock) {
+#ifdef WIN32
+	closesocket(sock);
+#else
+	close(sock);
+#endif
+}
+
+#define setsockopt_on(socket, level, name) \
+	setsockopt(socket, level, name, &(int){ 1 }, sizeof(int))
+
+#define setsockopt_off(socket, level, name) \
+	setsockopt(socket, level, name, &(int){ 0 }, sizeof(int))
+
+isc_result_t
+isc__nm_socket_freebind(uv_os_sock_t fd, sa_family_t sa_family) {
+	/*
+	 * Set the IP_FREEBIND (or equivalent option) on the uv_handle.
+	 */
+#ifdef IP_FREEBIND
+	UNUSED(sa_family);
+	if (setsockopt_on(fd, IPPROTO_IP, IP_FREEBIND) == -1) {
+		return (ISC_R_FAILURE);
+	}
+	return (ISC_R_SUCCESS);
+#elif defined(IP_BINDANY) || defined(IPV6_BINDANY)
+	if (sa_family == AF_INET) {
+#if defined(IP_BINDANY)
+		if (setsockopt_on(fd, IPPROTO_IP, IP_BINDANY) == -1) {
+			return (ISC_R_FAILURE);
+		}
+		return (ISC_R_SUCCESS);
+#endif
+	} else if (sa_family == AF_INET6) {
+#if defined(IPV6_BINDANY)
+		if (setsockopt_on(fd, IPPROTO_IPV6, IPV6_BINDANY) == -1) {
+			return (ISC_R_FAILURE);
+		}
+		return (ISC_R_SUCCESS);
+#endif
+	}
+	return (ISC_R_NOTIMPLEMENTED);
+#elif defined(SO_BINDANY)
+	UNUSED(sa_family);
+	if (setsockopt_on(fd, SOL_SOCKET, SO_BINDANY) == -1) {
+		return (ISC_R_FAILURE);
+	}
+	return (ISC_R_SUCCESS);
+#else
+	UNUSED(fd);
+	UNUSED(sa_family);
+	return (ISC_R_NOTIMPLEMENTED);
+#endif
+}
+
+isc_result_t
+isc__nm_socket_reuse(uv_os_sock_t fd) {
+	/*
+	 * Generally, the SO_REUSEADDR socket option allows reuse of
+	 * local addresses.
+	 *
+	 * On the BSDs, SO_REUSEPORT implies SO_REUSEADDR but with some
+	 * additional refinements for programs that use multicast.
+	 *
+	 * On Linux, SO_REUSEPORT has different semantics: it _shares_ the port
+	 * rather than steal it from the current listener, so we don't use it
+	 * here, but rather in isc__nm_socket_reuse_lb().
+	 *
+	 * On Windows, it also allows a socket to forcibly bind to a port in use
+	 * by another socket.
+	 */
+
+#if defined(SO_REUSEPORT) && !defined(__linux__)
+	if (setsockopt_on(fd, SOL_SOCKET, SO_REUSEPORT) == -1) {
+		return (ISC_R_FAILURE);
+	}
+	return (ISC_R_SUCCESS);
+#elif defined(SO_REUSEADDR)
+	if (setsockopt_on(fd, SOL_SOCKET, SO_REUSEADDR) == -1) {
+		return (ISC_R_FAILURE);
+	}
+	return (ISC_R_SUCCESS);
+#else
+	UNUSED(fd);
+	return (ISC_R_NOTIMPLEMENTED);
+#endif
+}
+
+isc_result_t
+isc__nm_socket_reuse_lb(uv_os_sock_t fd) {
+	/*
+	 * On FreeBSD 12+, SO_REUSEPORT_LB socket option allows sockets to be
+	 * bound to an identical socket address. For UDP sockets, the use of
+	 * this option can provide better distribution of incoming datagrams to
+	 * multiple processes (or threads) as compared to the traditional
+	 * technique of having multiple processes compete to receive datagrams
+	 * on the same socket.
+	 *
+	 * On Linux, the same thing is achieved simply with SO_REUSEPORT.
+	 */
+#if defined(SO_REUSEPORT_LB)
+	if (setsockopt_on(fd, SOL_SOCKET, SO_REUSEPORT_LB) == -1) {
+		return (ISC_R_FAILURE);
+	} else {
+		return (ISC_R_SUCCESS);
+	}
+#elif defined(SO_REUSEPORT) && defined(__linux__)
+	if (setsockopt_on(fd, SOL_SOCKET, SO_REUSEPORT) == -1) {
+		return (ISC_R_FAILURE);
+	} else {
+		return (ISC_R_SUCCESS);
+	}
+#else
+	UNUSED(fd);
+	return (ISC_R_NOTIMPLEMENTED);
+#endif
+}
+
+isc_result_t
+isc__nm_socket_incoming_cpu(uv_os_sock_t fd) {
+#ifdef SO_INCOMING_CPU
+	if (setsockopt_on(fd, SOL_SOCKET, SO_INCOMING_CPU) == -1) {
+		return (ISC_R_FAILURE);
+	} else {
+		return (ISC_R_SUCCESS);
+	}
+#else
+	UNUSED(fd);
+#endif
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+isc_result_t
+isc__nm_socket_disable_pmtud(uv_os_sock_t fd, sa_family_t sa_family) {
+	/*
+	 * Disable the Path MTU Discovery on IP packets
+	 */
+	if (sa_family == AF_INET6) {
+#if defined(IPV6_DONTFRAG)
+		if (setsockopt_off(fd, IPPROTO_IPV6, IPV6_DONTFRAG) == -1) {
+			return (ISC_R_FAILURE);
+		} else {
+			return (ISC_R_SUCCESS);
+		}
+#elif defined(IPV6_MTU_DISCOVER) && defined(IP_PMTUDISC_OMIT)
+		if (setsockopt(fd, IPPROTO_IPV6, IPV6_MTU_DISCOVER,
+			       &(int){ IP_PMTUDISC_OMIT }, sizeof(int)) == -1)
+		{
+			return (ISC_R_FAILURE);
+		} else {
+			return (ISC_R_SUCCESS);
+		}
+#else
+		UNUSED(fd);
+#endif
+	} else if (sa_family == AF_INET) {
+#if defined(IP_DONTFRAG)
+		if (setsockopt_off(fd, IPPROTO_IP, IP_DONTFRAG) == -1) {
+			return (ISC_R_FAILURE);
+		} else {
+			return (ISC_R_SUCCESS);
+		}
+#elif defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_OMIT)
+		if (setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER,
+			       &(int){ IP_PMTUDISC_OMIT }, sizeof(int)) == -1)
+		{
+			return (ISC_R_FAILURE);
+		} else {
+			return (ISC_R_SUCCESS);
+		}
+#else
+		UNUSED(fd);
+#endif
+	} else {
+		return (ISC_R_FAMILYNOSUPPORT);
+	}
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+#if defined(_WIN32)
+#define TIMEOUT_TYPE	DWORD
+#define TIMEOUT_DIV	1000
+#define TIMEOUT_OPTNAME TCP_MAXRT
+#elif defined(TCP_CONNECTIONTIMEOUT)
+#define TIMEOUT_TYPE	int
+#define TIMEOUT_DIV	1000
+#define TIMEOUT_OPTNAME TCP_CONNECTIONTIMEOUT
+#elif defined(TCP_RXT_CONNDROPTIME)
+#define TIMEOUT_TYPE	int
+#define TIMEOUT_DIV	1000
+#define TIMEOUT_OPTNAME TCP_RXT_CONNDROPTIME
+#elif defined(TCP_USER_TIMEOUT)
+#define TIMEOUT_TYPE	unsigned int
+#define TIMEOUT_DIV	1
+#define TIMEOUT_OPTNAME TCP_USER_TIMEOUT
+#elif defined(TCP_KEEPINIT)
+#define TIMEOUT_TYPE	int
+#define TIMEOUT_DIV	1000
+#define TIMEOUT_OPTNAME TCP_KEEPINIT
+#endif
+
+isc_result_t
+isc__nm_socket_connectiontimeout(uv_os_sock_t fd, int timeout_ms) {
+#if defined(TIMEOUT_OPTNAME)
+	TIMEOUT_TYPE timeout = timeout_ms / TIMEOUT_DIV;
+
+	if (timeout == 0) {
+		timeout = 1;
+	}
+
+	if (setsockopt(fd, IPPROTO_TCP, TIMEOUT_OPTNAME, &timeout,
+		       sizeof(timeout)) == -1)
+	{
+		return (ISC_R_FAILURE);
+	}
+
+	return (ISC_R_SUCCESS);
+#else
+	UNUSED(fd);
+	UNUSED(timeout_ms);
+
+	return (ISC_R_SUCCESS);
+#endif
+}
+
+isc_result_t
+isc__nm_socket_tcp_nodelay(uv_os_sock_t fd) {
+#ifdef TCP_NODELAY
+	if (setsockopt_on(fd, IPPROTO_TCP, TCP_NODELAY) == -1) {
+		return (ISC_R_FAILURE);
+	} else {
+		return (ISC_R_SUCCESS);
+	}
+#else
+	UNUSED(fd);
+	return (ISC_R_SUCCESS);
+#endif
+}
+
+static isc_threadresult_t
+isc__nm_work_run(isc_threadarg_t arg) {
+	isc__nm_work_t *work = (isc__nm_work_t *)arg;
+
+	work->cb(work->data);
+
+	return ((isc_threadresult_t)0);
+}
+
+static void
+isc__nm_work_cb(uv_work_t *req) {
+	isc__nm_work_t *work = uv_req_get_data((uv_req_t *)req);
+
+	if (isc_tid_v == SIZE_MAX) {
+		isc__trampoline_t *trampoline_arg =
+			isc__trampoline_get(isc__nm_work_run, work);
+		(void)isc__trampoline_run(trampoline_arg);
+	} else {
+		(void)isc__nm_work_run((isc_threadarg_t)work);
+	}
+}
+
+static void
+isc__nm_after_work_cb(uv_work_t *req, int status) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc__nm_work_t *work = uv_req_get_data((uv_req_t *)req);
+	isc_nm_t *netmgr = work->netmgr;
+
+	if (status != 0) {
+		result = isc__nm_uverr2result(status);
+	}
+
+	work->after_cb(work->data, result);
+
+	isc_mem_put(netmgr->mctx, work, sizeof(*work));
+
+	isc_nm_detach(&netmgr);
+}
+
+void
+isc_nm_work_offload(isc_nm_t *netmgr, isc_nm_workcb_t work_cb,
+		    isc_nm_after_workcb_t after_work_cb, void *data) {
+	isc__networker_t *worker = NULL;
+	isc__nm_work_t *work = NULL;
+	int r;
+
+	REQUIRE(isc__nm_in_netthread());
+	REQUIRE(VALID_NM(netmgr));
+
+	worker = &netmgr->workers[isc_nm_tid()];
+
+	work = isc_mem_get(netmgr->mctx, sizeof(*work));
+	*work = (isc__nm_work_t){
+		.cb = work_cb,
+		.after_cb = after_work_cb,
+		.data = data,
+	};
+
+	isc_nm_attach(netmgr, &work->netmgr);
+
+	uv_req_set_data((uv_req_t *)&work->req, work);
+
+	r = uv_queue_work(&worker->loop, &work->req, isc__nm_work_cb,
+			  isc__nm_after_work_cb);
+	UV_RUNTIME_CHECK(uv_queue_work, r);
+}
+
+void
+isc_nm_timer_create(isc_nmhandle_t *handle, isc_nm_timer_cb cb, void *cbarg,
+		    isc_nm_timer_t **timerp) {
+	isc__networker_t *worker = NULL;
+	isc_nmsocket_t *sock = NULL;
+	isc_nm_timer_t *timer = NULL;
+	int r;
+
+	REQUIRE(isc__nm_in_netthread());
+	REQUIRE(VALID_NMHANDLE(handle));
+	REQUIRE(VALID_NMSOCK(handle->sock));
+
+	sock = handle->sock;
+	worker = &sock->mgr->workers[isc_nm_tid()];
+
+	timer = isc_mem_get(sock->mgr->mctx, sizeof(*timer));
+	*timer = (isc_nm_timer_t){ .cb = cb, .cbarg = cbarg };
+	isc_refcount_init(&timer->references, 1);
+	isc_nmhandle_attach(handle, &timer->handle);
+
+	r = uv_timer_init(&worker->loop, &timer->timer);
+	UV_RUNTIME_CHECK(uv_timer_init, r);
+
+	uv_handle_set_data((uv_handle_t *)&timer->timer, timer);
+
+	*timerp = timer;
+}
+
+void
+isc_nm_timer_attach(isc_nm_timer_t *timer, isc_nm_timer_t **timerp) {
+	REQUIRE(timer != NULL);
+	REQUIRE(timerp != NULL && *timerp == NULL);
+
+	isc_refcount_increment(&timer->references);
+	*timerp = timer;
+}
+
+static void
+timer_destroy(uv_handle_t *uvhandle) {
+	isc_nm_timer_t *timer = uv_handle_get_data(uvhandle);
+	isc_nmhandle_t *handle = timer->handle;
+	isc_mem_t *mctx = timer->handle->sock->mgr->mctx;
+
+	isc_mem_put(mctx, timer, sizeof(*timer));
+
+	isc_nmhandle_detach(&handle);
+}
+
+void
+isc_nm_timer_detach(isc_nm_timer_t **timerp) {
+	isc_nm_timer_t *timer = NULL;
+	isc_nmhandle_t *handle = NULL;
+
+	REQUIRE(timerp != NULL && *timerp != NULL);
+
+	timer = *timerp;
+	*timerp = NULL;
+
+	handle = timer->handle;
+
+	REQUIRE(isc__nm_in_netthread());
+	REQUIRE(VALID_NMHANDLE(handle));
+	REQUIRE(VALID_NMSOCK(handle->sock));
+
+	if (isc_refcount_decrement(&timer->references) == 1) {
+		int r = uv_timer_stop(&timer->timer);
+		UV_RUNTIME_CHECK(uv_timer_stop, r);
+		uv_close((uv_handle_t *)&timer->timer, timer_destroy);
+	}
+}
+
+static void
+timer_cb(uv_timer_t *uvtimer) {
+	isc_nm_timer_t *timer = uv_handle_get_data((uv_handle_t *)uvtimer);
+
+	REQUIRE(timer->cb != NULL);
+
+	timer->cb(timer->cbarg, ISC_R_TIMEDOUT);
+}
+
+void
+isc_nm_timer_start(isc_nm_timer_t *timer, uint64_t timeout) {
+	int r = uv_timer_start(&timer->timer, timer_cb, timeout, 0);
+	UV_RUNTIME_CHECK(uv_timer_start, r);
+}
+
+void
+isc_nm_timer_stop(isc_nm_timer_t *timer) {
+	int r = uv_timer_stop(&timer->timer);
+	UV_RUNTIME_CHECK(uv_timer_stop, r);
+}
+
+#ifdef NETMGR_TRACE
+/*
+ * Dump all active sockets in netmgr. We output to stderr
+ * as the logger might be already shut down.
+ */
+
+static const char *
+nmsocket_type_totext(isc_nmsocket_type type) {
+	switch (type) {
+	case isc_nm_udpsocket:
+		return ("isc_nm_udpsocket");
+	case isc_nm_udplistener:
+		return ("isc_nm_udplistener");
+	case isc_nm_tcpsocket:
+		return ("isc_nm_tcpsocket");
+	case isc_nm_tcplistener:
+		return ("isc_nm_tcplistener");
+	case isc_nm_tcpdnslistener:
+		return ("isc_nm_tcpdnslistener");
+	case isc_nm_tcpdnssocket:
+		return ("isc_nm_tcpdnssocket");
+	default:
+		UNREACHABLE();
+	}
+}
+
+static void
+nmhandle_dump(isc_nmhandle_t *handle) {
+	fprintf(stderr, "Active handle %p, refs %" PRIuFAST32 "\n", handle,
+		isc_refcount_current(&handle->references));
+	fprintf(stderr, "Created by:\n");
+	backtrace_symbols_fd(handle->backtrace, handle->backtrace_size,
+			     STDERR_FILENO);
+	fprintf(stderr, "\n\n");
+}
+
+static void
+nmsocket_dump(isc_nmsocket_t *sock) {
+	isc_nmhandle_t *handle = NULL;
+
+	LOCK(&sock->lock);
+	fprintf(stderr, "\n=================\n");
+	fprintf(stderr, "Active %s socket %p, type %s, refs %" PRIuFAST32 "\n",
+		atomic_load(&sock->client) ? "client" : "server", sock,
+		nmsocket_type_totext(sock->type),
+		isc_refcount_current(&sock->references));
+	fprintf(stderr,
+		"Parent %p, listener %p, server %p, statichandle = "
+		"%p\n",
+		sock->parent, sock->listener, sock->server, sock->statichandle);
+	fprintf(stderr, "Flags:%s%s%s%s%s\n",
+		atomic_load(&sock->active) ? " active" : "",
+		atomic_load(&sock->closing) ? " closing" : "",
+		atomic_load(&sock->destroying) ? " destroying" : "",
+		atomic_load(&sock->connecting) ? " connecting" : "",
+		sock->accepting ? " accepting" : "");
+	fprintf(stderr, "Created by:\n");
+	backtrace_symbols_fd(sock->backtrace, sock->backtrace_size,
+			     STDERR_FILENO);
+	fprintf(stderr, "\n");
+
+	for (handle = ISC_LIST_HEAD(sock->active_handles); handle != NULL;
+	     handle = ISC_LIST_NEXT(handle, active_link))
+	{
+		static bool first = true;
+		if (first) {
+			fprintf(stderr, "Active handles:\n");
+			first = false;
+		}
+		nmhandle_dump(handle);
+	}
+
+	fprintf(stderr, "\n");
+	UNLOCK(&sock->lock);
+}
+
+void
+isc__nm_dump_active(isc_nm_t *nm) {
+	isc_nmsocket_t *sock = NULL;
+
+	REQUIRE(VALID_NM(nm));
+
+	LOCK(&nm->lock);
+	for (sock = ISC_LIST_HEAD(nm->active_sockets); sock != NULL;
+	     sock = ISC_LIST_NEXT(sock, active_link))
+	{
+		static bool first = true;
+		if (first) {
+			fprintf(stderr, "Outstanding sockets\n");
+			first = false;
+		}
+		nmsocket_dump(sock);
+	}
+	UNLOCK(&nm->lock);
+}
+#endif
diff --git a/lib/isc/netmgr/tcp.c b/lib/isc/netmgr/tcp.c
new file mode 100644
index 0000000..821d6c4
--- /dev/null
+++ b/lib/isc/netmgr/tcp.c
@@ -0,0 +1,1456 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <libgen.h>
+#include <unistd.h>
+#include <uv.h>
+
+#include <isc/atomic.h>
+#include <isc/barrier.h>
+#include <isc/buffer.h>
+#include <isc/condition.h>
+#include <isc/errno.h>
+#include <isc/log.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/netmgr.h>
+#include <isc/quota.h>
+#include <isc/random.h>
+#include <isc/refcount.h>
+#include <isc/region.h>
+#include <isc/result.h>
+#include <isc/sockaddr.h>
+#include <isc/stdtime.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+
+#include "netmgr-int.h"
+#include "uv-compat.h"
+
+static atomic_uint_fast32_t last_tcpquota_log = 0;
+
+static bool
+can_log_tcp_quota(void) {
+	isc_stdtime_t now, last;
+
+	isc_stdtime_get(&now);
+	last = atomic_exchange_relaxed(&last_tcpquota_log, now);
+	if (now != last) {
+		return (true);
+	}
+
+	return (false);
+}
+
+static isc_result_t
+tcp_connect_direct(isc_nmsocket_t *sock, isc__nm_uvreq_t *req);
+
+static void
+tcp_close_direct(isc_nmsocket_t *sock);
+
+static isc_result_t
+tcp_send_direct(isc_nmsocket_t *sock, isc__nm_uvreq_t *req);
+static void
+tcp_connect_cb(uv_connect_t *uvreq, int status);
+
+static void
+tcp_connection_cb(uv_stream_t *server, int status);
+
+static void
+tcp_close_cb(uv_handle_t *uvhandle);
+
+static isc_result_t
+accept_connection(isc_nmsocket_t *ssock, isc_quota_t *quota);
+
+static void
+quota_accept_cb(isc_quota_t *quota, void *sock0);
+
+static void
+failed_accept_cb(isc_nmsocket_t *sock, isc_result_t eresult);
+
+static void
+stop_tcp_parent(isc_nmsocket_t *sock);
+static void
+stop_tcp_child(isc_nmsocket_t *sock);
+
+static void
+failed_accept_cb(isc_nmsocket_t *sock, isc_result_t eresult) {
+	REQUIRE(sock->accepting);
+	REQUIRE(sock->server);
+
+	/*
+	 * Detach the quota early to make room for other connections;
+	 * otherwise it'd be detached later asynchronously, and clog
+	 * the quota unnecessarily.
+	 */
+	if (sock->quota != NULL) {
+		isc_quota_detach(&sock->quota);
+	}
+
+	isc__nmsocket_detach(&sock->server);
+
+	sock->accepting = false;
+
+	switch (eresult) {
+	case ISC_R_NOTCONNECTED:
+		/* IGNORE: The client disconnected before we could accept */
+		break;
+	default:
+		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_NETMGR, ISC_LOG_ERROR,
+			      "Accepting TCP connection failed: %s",
+			      isc_result_totext(eresult));
+	}
+}
+
+static isc_result_t
+tcp_connect_direct(isc_nmsocket_t *sock, isc__nm_uvreq_t *req) {
+	isc__networker_t *worker = NULL;
+	isc_result_t result = ISC_R_UNSET;
+	int r;
+
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(VALID_UVREQ(req));
+
+	REQUIRE(isc__nm_in_netthread());
+	REQUIRE(sock->tid == isc_nm_tid());
+
+	worker = &sock->mgr->workers[sock->tid];
+
+	atomic_store(&sock->connecting, true);
+
+	/* 2 minute timeout */
+	result = isc__nm_socket_connectiontimeout(sock->fd, 120 * 1000);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	r = uv_tcp_init(&worker->loop, &sock->uv_handle.tcp);
+	UV_RUNTIME_CHECK(uv_tcp_init, r);
+	uv_handle_set_data(&sock->uv_handle.handle, sock);
+
+	r = uv_timer_init(&worker->loop, &sock->read_timer);
+	UV_RUNTIME_CHECK(uv_timer_init, r);
+	uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
+
+	r = uv_tcp_open(&sock->uv_handle.tcp, sock->fd);
+	if (r != 0) {
+		isc__nm_closesocket(sock->fd);
+		isc__nm_incstats(sock->mgr, sock->statsindex[STATID_OPENFAIL]);
+		goto done;
+	}
+	isc__nm_incstats(sock->mgr, sock->statsindex[STATID_OPEN]);
+
+	if (req->local.length != 0) {
+		r = uv_tcp_bind(&sock->uv_handle.tcp, &req->local.type.sa, 0);
+		if (r != 0) {
+			isc__nm_incstats(sock->mgr,
+					 sock->statsindex[STATID_BINDFAIL]);
+			goto done;
+		}
+	}
+
+	uv_handle_set_data(&req->uv_req.handle, req);
+	r = uv_tcp_connect(&req->uv_req.connect, &sock->uv_handle.tcp,
+			   &req->peer.type.sa, tcp_connect_cb);
+	if (r != 0) {
+		isc__nm_incstats(sock->mgr,
+				 sock->statsindex[STATID_CONNECTFAIL]);
+		goto done;
+	}
+	isc__nm_incstats(sock->mgr, sock->statsindex[STATID_CONNECT]);
+
+	uv_handle_set_data((uv_handle_t *)&sock->read_timer,
+			   &req->uv_req.connect);
+	isc__nmsocket_timer_start(sock);
+
+	atomic_store(&sock->connected, true);
+
+done:
+	result = isc__nm_uverr2result(r);
+	LOCK(&sock->lock);
+	sock->result = result;
+	SIGNAL(&sock->cond);
+	if (!atomic_load(&sock->active)) {
+		WAIT(&sock->scond, &sock->lock);
+	}
+	INSIST(atomic_load(&sock->active));
+	UNLOCK(&sock->lock);
+
+	return (result);
+}
+
+void
+isc__nm_async_tcpconnect(isc__networker_t *worker, isc__netievent_t *ev0) {
+	isc__netievent_tcpconnect_t *ievent =
+		(isc__netievent_tcpconnect_t *)ev0;
+	isc_nmsocket_t *sock = ievent->sock;
+	isc__nm_uvreq_t *req = ievent->req;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	UNUSED(worker);
+
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->type == isc_nm_tcpsocket);
+	REQUIRE(sock->parent == NULL);
+	REQUIRE(sock->tid == isc_nm_tid());
+
+	result = tcp_connect_direct(sock, req);
+	if (result != ISC_R_SUCCESS) {
+		atomic_store(&sock->active, false);
+		if (sock->fd != (uv_os_sock_t)(-1)) {
+			isc__nm_tcp_close(sock);
+		}
+		isc__nm_connectcb(sock, req, result, true);
+	}
+
+	/*
+	 * The sock is now attached to the handle.
+	 */
+	isc__nmsocket_detach(&sock);
+}
+
+static void
+tcp_connect_cb(uv_connect_t *uvreq, int status) {
+	isc_result_t result;
+	isc__nm_uvreq_t *req = NULL;
+	isc_nmsocket_t *sock = uv_handle_get_data((uv_handle_t *)uvreq->handle);
+	struct sockaddr_storage ss;
+	int r;
+
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->tid == isc_nm_tid());
+
+	isc__nmsocket_timer_stop(sock);
+	uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
+
+	req = uv_handle_get_data((uv_handle_t *)uvreq);
+
+	REQUIRE(VALID_UVREQ(req));
+	REQUIRE(VALID_NMHANDLE(req->handle));
+
+	if (atomic_load(&sock->timedout)) {
+		result = ISC_R_TIMEDOUT;
+		goto error;
+	}
+
+	if (!atomic_load(&sock->connecting)) {
+		/*
+		 * The connect was cancelled from timeout; just clean up
+		 * the req.
+		 */
+		isc__nm_uvreq_put(&req, sock);
+		return;
+	} else if (isc__nmsocket_closing(sock)) {
+		/* Socket was closed midflight by isc__nm_tcp_shutdown() */
+		result = ISC_R_CANCELED;
+		goto error;
+	} else if (status == UV_ETIMEDOUT) {
+		/* Timeout status code here indicates hard error */
+		result = ISC_R_TIMEDOUT;
+		goto error;
+	} else if (status != 0) {
+		result = isc__nm_uverr2result(status);
+		goto error;
+	}
+
+	isc__nm_incstats(sock->mgr, sock->statsindex[STATID_CONNECT]);
+	r = uv_tcp_getpeername(&sock->uv_handle.tcp, (struct sockaddr *)&ss,
+			       &(int){ sizeof(ss) });
+	if (r != 0) {
+		result = isc__nm_uverr2result(r);
+		goto error;
+	}
+
+	atomic_store(&sock->connecting, false);
+
+	result = isc_sockaddr_fromsockaddr(&sock->peer, (struct sockaddr *)&ss);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	isc__nm_connectcb(sock, req, ISC_R_SUCCESS, false);
+
+	return;
+
+error:
+	isc__nm_failed_connect_cb(sock, req, result, false);
+}
+
+void
+isc_nm_tcpconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer,
+		  isc_nm_cb_t cb, void *cbarg, unsigned int timeout,
+		  size_t extrahandlesize) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_nmsocket_t *sock = NULL;
+	isc__netievent_tcpconnect_t *ievent = NULL;
+	isc__nm_uvreq_t *req = NULL;
+	sa_family_t sa_family;
+
+	REQUIRE(VALID_NM(mgr));
+	REQUIRE(local != NULL);
+	REQUIRE(peer != NULL);
+
+	sa_family = peer->type.sa.sa_family;
+
+	sock = isc_mem_get(mgr->mctx, sizeof(*sock));
+	isc__nmsocket_init(sock, mgr, isc_nm_tcpsocket, local);
+
+	sock->extrahandlesize = extrahandlesize;
+	sock->connect_timeout = timeout;
+	sock->result = ISC_R_UNSET;
+	sock->fd = (uv_os_sock_t)-1;
+	atomic_init(&sock->client, true);
+
+	req = isc__nm_uvreq_get(mgr, sock);
+	req->cb.connect = cb;
+	req->cbarg = cbarg;
+	req->peer = *peer;
+	req->local = *local;
+	req->handle = isc__nmhandle_get(sock, &req->peer, &sock->iface);
+
+	result = isc__nm_socket(sa_family, SOCK_STREAM, 0, &sock->fd);
+	if (result != ISC_R_SUCCESS) {
+		if (isc__nm_in_netthread()) {
+			sock->tid = isc_nm_tid();
+			isc__nmsocket_clearcb(sock);
+			isc__nm_connectcb(sock, req, result, false);
+		} else {
+			isc__nmsocket_clearcb(sock);
+			sock->tid = isc_random_uniform(mgr->nworkers);
+			isc__nm_connectcb(sock, req, result, true);
+		}
+		atomic_store(&sock->closed, true);
+		isc__nmsocket_detach(&sock);
+		return;
+	}
+
+	ievent = isc__nm_get_netievent_tcpconnect(mgr, sock, req);
+
+	if (isc__nm_in_netthread()) {
+		atomic_store(&sock->active, true);
+		sock->tid = isc_nm_tid();
+		isc__nm_async_tcpconnect(&mgr->workers[sock->tid],
+					 (isc__netievent_t *)ievent);
+		isc__nm_put_netievent_tcpconnect(mgr, ievent);
+	} else {
+		atomic_init(&sock->active, false);
+		sock->tid = isc_random_uniform(mgr->nworkers);
+		isc__nm_enqueue_ievent(&mgr->workers[sock->tid],
+				       (isc__netievent_t *)ievent);
+	}
+	LOCK(&sock->lock);
+	while (sock->result == ISC_R_UNSET) {
+		WAIT(&sock->cond, &sock->lock);
+	}
+	atomic_store(&sock->active, true);
+	BROADCAST(&sock->scond);
+	UNLOCK(&sock->lock);
+}
+
+static uv_os_sock_t
+isc__nm_tcp_lb_socket(isc_nm_t *mgr, sa_family_t sa_family) {
+	isc_result_t result;
+	uv_os_sock_t sock;
+
+	result = isc__nm_socket(sa_family, SOCK_STREAM, 0, &sock);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	(void)isc__nm_socket_incoming_cpu(sock);
+
+	/* FIXME: set mss */
+
+	result = isc__nm_socket_reuse(sock);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+#ifndef _WIN32
+	if (mgr->load_balance_sockets) {
+		result = isc__nm_socket_reuse_lb(sock);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	}
+#endif
+
+	return (sock);
+}
+
+static void
+start_tcp_child(isc_nm_t *mgr, isc_sockaddr_t *iface, isc_nmsocket_t *sock,
+		uv_os_sock_t fd, int tid) {
+	isc__netievent_tcplisten_t *ievent = NULL;
+	isc_nmsocket_t *csock = &sock->children[tid];
+
+	isc__nmsocket_init(csock, mgr, isc_nm_tcpsocket, iface);
+	csock->parent = sock;
+	csock->accept_cb = sock->accept_cb;
+	csock->accept_cbarg = sock->accept_cbarg;
+	csock->extrahandlesize = sock->extrahandlesize;
+	csock->backlog = sock->backlog;
+	csock->tid = tid;
+	/*
+	 * We don't attach to quota, just assign - to avoid
+	 * increasing quota unnecessarily.
+	 */
+	csock->pquota = sock->pquota;
+	isc_quota_cb_init(&csock->quotacb, quota_accept_cb, csock);
+
+#ifdef _WIN32
+	UNUSED(fd);
+	csock->fd = isc__nm_tcp_lb_socket(mgr, iface->type.sa.sa_family);
+#else
+	if (mgr->load_balance_sockets) {
+		UNUSED(fd);
+		csock->fd = isc__nm_tcp_lb_socket(mgr,
+						  iface->type.sa.sa_family);
+	} else {
+		csock->fd = dup(fd);
+	}
+#endif
+	REQUIRE(csock->fd >= 0);
+
+	ievent = isc__nm_get_netievent_tcplisten(mgr, csock);
+	isc__nm_maybe_enqueue_ievent(&mgr->workers[tid],
+				     (isc__netievent_t *)ievent);
+}
+
+static void
+enqueue_stoplistening(isc_nmsocket_t *sock) {
+	isc__netievent_tcpstop_t *ievent =
+		isc__nm_get_netievent_tcpstop(sock->mgr, sock);
+	isc__nm_enqueue_ievent(&sock->mgr->workers[sock->tid],
+			       (isc__netievent_t *)ievent);
+}
+
+isc_result_t
+isc_nm_listentcp(isc_nm_t *mgr, isc_sockaddr_t *iface,
+		 isc_nm_accept_cb_t accept_cb, void *accept_cbarg,
+		 size_t extrahandlesize, int backlog, isc_quota_t *quota,
+		 isc_nmsocket_t **sockp) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_nmsocket_t *sock = NULL;
+	size_t children_size = 0;
+	uv_os_sock_t fd = -1;
+
+	REQUIRE(VALID_NM(mgr));
+
+	sock = isc_mem_get(mgr->mctx, sizeof(*sock));
+	isc__nmsocket_init(sock, mgr, isc_nm_tcplistener, iface);
+
+	atomic_init(&sock->rchildren, 0);
+#if defined(WIN32)
+	sock->nchildren = 1;
+#else
+	sock->nchildren = mgr->nworkers;
+#endif
+	children_size = sock->nchildren * sizeof(sock->children[0]);
+	sock->children = isc_mem_get(mgr->mctx, children_size);
+	memset(sock->children, 0, children_size);
+
+	sock->result = ISC_R_UNSET;
+
+	sock->accept_cb = accept_cb;
+	sock->accept_cbarg = accept_cbarg;
+	sock->extrahandlesize = extrahandlesize;
+	sock->backlog = backlog;
+	sock->pquota = quota;
+
+	sock->tid = 0;
+	sock->fd = -1;
+
+#ifndef _WIN32
+	if (!mgr->load_balance_sockets) {
+		fd = isc__nm_tcp_lb_socket(mgr, iface->type.sa.sa_family);
+	}
+#endif
+
+	isc_barrier_init(&sock->startlistening, sock->nchildren);
+
+	for (size_t i = 0; i < sock->nchildren; i++) {
+		if ((int)i == isc_nm_tid()) {
+			continue;
+		}
+		start_tcp_child(mgr, iface, sock, fd, i);
+	}
+
+	if (isc__nm_in_netthread()) {
+		start_tcp_child(mgr, iface, sock, fd, isc_nm_tid());
+	}
+
+#ifndef _WIN32
+	if (!mgr->load_balance_sockets) {
+		isc__nm_closesocket(fd);
+	}
+#endif
+
+	LOCK(&sock->lock);
+	while (atomic_load(&sock->rchildren) != sock->nchildren) {
+		WAIT(&sock->cond, &sock->lock);
+	}
+	result = sock->result;
+	atomic_store(&sock->active, true);
+	UNLOCK(&sock->lock);
+
+	INSIST(result != ISC_R_UNSET);
+
+	if (result == ISC_R_SUCCESS) {
+		REQUIRE(atomic_load(&sock->rchildren) == sock->nchildren);
+		*sockp = sock;
+	} else {
+		atomic_store(&sock->active, false);
+		enqueue_stoplistening(sock);
+		isc_nmsocket_close(&sock);
+	}
+
+	return (result);
+}
+
+void
+isc__nm_async_tcplisten(isc__networker_t *worker, isc__netievent_t *ev0) {
+	isc__netievent_tcplisten_t *ievent = (isc__netievent_tcplisten_t *)ev0;
+	sa_family_t sa_family;
+	int r;
+	int flags = 0;
+	isc_nmsocket_t *sock = NULL;
+	isc_result_t result;
+	isc_nm_t *mgr;
+
+	REQUIRE(VALID_NMSOCK(ievent->sock));
+	REQUIRE(ievent->sock->tid == isc_nm_tid());
+	REQUIRE(VALID_NMSOCK(ievent->sock->parent));
+
+	sock = ievent->sock;
+	sa_family = sock->iface.type.sa.sa_family;
+	mgr = sock->mgr;
+
+	REQUIRE(sock->type == isc_nm_tcpsocket);
+	REQUIRE(sock->parent != NULL);
+	REQUIRE(sock->tid == isc_nm_tid());
+
+	/* TODO: set min mss */
+
+	r = uv_tcp_init(&worker->loop, &sock->uv_handle.tcp);
+	UV_RUNTIME_CHECK(uv_tcp_init, r);
+
+	uv_handle_set_data(&sock->uv_handle.handle, sock);
+	/* This keeps the socket alive after everything else is gone */
+	isc__nmsocket_attach(sock, &(isc_nmsocket_t *){ NULL });
+
+	r = uv_timer_init(&worker->loop, &sock->read_timer);
+	UV_RUNTIME_CHECK(uv_timer_init, r);
+	uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
+
+	LOCK(&sock->parent->lock);
+
+	r = uv_tcp_open(&sock->uv_handle.tcp, sock->fd);
+	if (r < 0) {
+		isc__nm_closesocket(sock->fd);
+		isc__nm_incstats(sock->mgr, sock->statsindex[STATID_OPENFAIL]);
+		goto done;
+	}
+	isc__nm_incstats(sock->mgr, sock->statsindex[STATID_OPEN]);
+
+	if (sa_family == AF_INET6) {
+		flags = UV_TCP_IPV6ONLY;
+	}
+
+#ifdef _WIN32
+	r = isc_uv_tcp_freebind(&sock->uv_handle.tcp, &sock->iface.type.sa,
+				flags);
+	if (r < 0) {
+		isc__nm_incstats(sock->mgr, sock->statsindex[STATID_BINDFAIL]);
+		goto done;
+	}
+#else
+	if (mgr->load_balance_sockets) {
+		r = isc_uv_tcp_freebind(&sock->uv_handle.tcp,
+					&sock->iface.type.sa, flags);
+		if (r < 0) {
+			isc__nm_incstats(sock->mgr,
+					 sock->statsindex[STATID_BINDFAIL]);
+			goto done;
+		}
+	} else {
+		if (sock->parent->fd == -1) {
+			r = isc_uv_tcp_freebind(&sock->uv_handle.tcp,
+						&sock->iface.type.sa, flags);
+			if (r < 0) {
+				isc__nm_incstats(sock->mgr, STATID_BINDFAIL);
+				goto done;
+			}
+			sock->parent->uv_handle.tcp.flags =
+				sock->uv_handle.tcp.flags;
+			sock->parent->fd = sock->fd;
+		} else {
+			/* The socket is already bound, just copy the flags */
+			sock->uv_handle.tcp.flags =
+				sock->parent->uv_handle.tcp.flags;
+		}
+	}
+#endif
+
+	/*
+	 * The callback will run in the same thread uv_listen() was called
+	 * from, so a race with tcp_connection_cb() isn't possible.
+	 */
+	r = uv_listen((uv_stream_t *)&sock->uv_handle.tcp, sock->backlog,
+		      tcp_connection_cb);
+	if (r != 0) {
+		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_NETMGR, ISC_LOG_ERROR,
+			      "uv_listen failed: %s",
+			      isc_result_totext(isc__nm_uverr2result(r)));
+		isc__nm_incstats(sock->mgr, sock->statsindex[STATID_BINDFAIL]);
+		goto done;
+	}
+
+	atomic_store(&sock->listening, true);
+
+done:
+	result = isc__nm_uverr2result(r);
+	if (result != ISC_R_SUCCESS) {
+		sock->pquota = NULL;
+	}
+
+	atomic_fetch_add(&sock->parent->rchildren, 1);
+	if (sock->parent->result == ISC_R_UNSET) {
+		sock->parent->result = result;
+	}
+	SIGNAL(&sock->parent->cond);
+	UNLOCK(&sock->parent->lock);
+
+	isc_barrier_wait(&sock->parent->startlistening);
+}
+
+static void
+tcp_connection_cb(uv_stream_t *server, int status) {
+	isc_nmsocket_t *ssock = uv_handle_get_data((uv_handle_t *)server);
+	isc_result_t result;
+	isc_quota_t *quota = NULL;
+
+	if (status != 0) {
+		result = isc__nm_uverr2result(status);
+		goto done;
+	}
+
+	REQUIRE(VALID_NMSOCK(ssock));
+	REQUIRE(ssock->tid == isc_nm_tid());
+
+	if (isc__nmsocket_closing(ssock)) {
+		result = ISC_R_CANCELED;
+		goto done;
+	}
+
+	if (ssock->pquota != NULL) {
+		result = isc_quota_attach_cb(ssock->pquota, &quota,
+					     &ssock->quotacb);
+		if (result == ISC_R_QUOTA) {
+			isc__nm_incstats(ssock->mgr,
+					 ssock->statsindex[STATID_ACCEPTFAIL]);
+			goto done;
+		}
+	}
+
+	result = accept_connection(ssock, quota);
+done:
+	isc__nm_accept_connection_log(result, can_log_tcp_quota());
+}
+
+void
+isc__nm_tcp_stoplistening(isc_nmsocket_t *sock) {
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->type == isc_nm_tcplistener);
+
+	if (!atomic_compare_exchange_strong(&sock->closing, &(bool){ false },
+					    true))
+	{
+		UNREACHABLE();
+	}
+
+	if (!isc__nm_in_netthread()) {
+		enqueue_stoplistening(sock);
+	} else {
+		stop_tcp_parent(sock);
+	}
+}
+
+void
+isc__nm_async_tcpstop(isc__networker_t *worker, isc__netievent_t *ev0) {
+	isc__netievent_tcpstop_t *ievent = (isc__netievent_tcpstop_t *)ev0;
+	isc_nmsocket_t *sock = ievent->sock;
+
+	UNUSED(worker);
+
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->tid == isc_nm_tid());
+
+	if (sock->parent != NULL) {
+		stop_tcp_child(sock);
+		return;
+	}
+
+	stop_tcp_parent(sock);
+}
+
+void
+isc__nm_tcp_failed_read_cb(isc_nmsocket_t *sock, isc_result_t result) {
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(result != ISC_R_SUCCESS);
+
+	isc__nmsocket_timer_stop(sock);
+	isc__nm_stop_reading(sock);
+
+	if (!sock->recv_read) {
+		goto destroy;
+	}
+	sock->recv_read = false;
+
+	if (sock->recv_cb != NULL) {
+		isc__nm_uvreq_t *req = isc__nm_get_read_req(sock, NULL);
+		isc__nmsocket_clearcb(sock);
+		isc__nm_readcb(sock, req, result);
+	}
+
+destroy:
+	isc__nmsocket_prep_destroy(sock);
+
+	/*
+	 * We need to detach from quota after the read callback function had a
+	 * chance to be executed.
+	 */
+	if (sock->quota != NULL) {
+		isc_quota_detach(&sock->quota);
+	}
+}
+
+void
+isc__nm_tcp_read(isc_nmhandle_t *handle, isc_nm_recv_cb_t cb, void *cbarg) {
+	REQUIRE(VALID_NMHANDLE(handle));
+	REQUIRE(VALID_NMSOCK(handle->sock));
+
+	isc_nmsocket_t *sock = handle->sock;
+	isc__netievent_tcpstartread_t *ievent = NULL;
+
+	REQUIRE(sock->type == isc_nm_tcpsocket);
+	REQUIRE(sock->statichandle == handle);
+	REQUIRE(sock->tid == isc_nm_tid());
+	REQUIRE(!sock->recv_read);
+
+	sock->recv_cb = cb;
+	sock->recv_cbarg = cbarg;
+	sock->recv_read = true;
+	if (sock->read_timeout == 0) {
+		sock->read_timeout =
+			(atomic_load(&sock->keepalive)
+				 ? atomic_load(&sock->mgr->keepalive)
+				 : atomic_load(&sock->mgr->idle));
+	}
+
+	ievent = isc__nm_get_netievent_tcpstartread(sock->mgr, sock);
+
+	/*
+	 * This MUST be done asynchronously, no matter which thread we're
+	 * in. The callback function for isc_nm_read() often calls
+	 * isc_nm_read() again; if we tried to do that synchronously
+	 * we'd clash in processbuffer() and grow the stack indefinitely.
+	 */
+	isc__nm_enqueue_ievent(&sock->mgr->workers[sock->tid],
+			       (isc__netievent_t *)ievent);
+
+	return;
+}
+
+void
+isc__nm_async_tcpstartread(isc__networker_t *worker, isc__netievent_t *ev0) {
+	isc__netievent_tcpstartread_t *ievent =
+		(isc__netievent_tcpstartread_t *)ev0;
+	isc_nmsocket_t *sock = ievent->sock;
+	isc_result_t result;
+
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->tid == isc_nm_tid());
+	UNUSED(worker);
+
+	if (isc__nmsocket_closing(sock)) {
+		result = ISC_R_CANCELED;
+	} else {
+		result = isc__nm_start_reading(sock);
+	}
+
+	if (result != ISC_R_SUCCESS) {
+		sock->reading = true;
+		isc__nm_tcp_failed_read_cb(sock, result);
+		return;
+	}
+
+	isc__nmsocket_timer_start(sock);
+}
+
+void
+isc__nm_tcp_pauseread(isc_nmhandle_t *handle) {
+	isc__netievent_tcppauseread_t *ievent = NULL;
+	isc_nmsocket_t *sock = NULL;
+
+	REQUIRE(VALID_NMHANDLE(handle));
+
+	sock = handle->sock;
+
+	REQUIRE(VALID_NMSOCK(sock));
+
+	if (!atomic_compare_exchange_strong(&sock->readpaused, &(bool){ false },
+					    true))
+	{
+		return;
+	}
+
+	ievent = isc__nm_get_netievent_tcppauseread(sock->mgr, sock);
+
+	isc__nm_maybe_enqueue_ievent(&sock->mgr->workers[sock->tid],
+				     (isc__netievent_t *)ievent);
+
+	return;
+}
+
+void
+isc__nm_async_tcppauseread(isc__networker_t *worker, isc__netievent_t *ev0) {
+	isc__netievent_tcppauseread_t *ievent =
+		(isc__netievent_tcppauseread_t *)ev0;
+	isc_nmsocket_t *sock = ievent->sock;
+
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->tid == isc_nm_tid());
+	UNUSED(worker);
+
+	isc__nmsocket_timer_stop(sock);
+	isc__nm_stop_reading(sock);
+}
+
+void
+isc__nm_tcp_resumeread(isc_nmhandle_t *handle) {
+	REQUIRE(VALID_NMHANDLE(handle));
+	REQUIRE(VALID_NMSOCK(handle->sock));
+
+	isc__netievent_tcpstartread_t *ievent = NULL;
+	isc_nmsocket_t *sock = handle->sock;
+
+	REQUIRE(sock->tid == isc_nm_tid());
+
+	if (sock->recv_cb == NULL) {
+		/* We are no longer reading */
+		return;
+	}
+
+	if (!isc__nmsocket_active(sock)) {
+		sock->reading = true;
+		isc__nm_tcp_failed_read_cb(sock, ISC_R_CANCELED);
+		return;
+	}
+
+	if (!atomic_compare_exchange_strong(&sock->readpaused, &(bool){ true },
+					    false))
+	{
+		return;
+	}
+
+	ievent = isc__nm_get_netievent_tcpstartread(sock->mgr, sock);
+
+	isc__nm_maybe_enqueue_ievent(&sock->mgr->workers[sock->tid],
+				     (isc__netievent_t *)ievent);
+}
+
+void
+isc__nm_tcp_read_cb(uv_stream_t *stream, ssize_t nread, const uv_buf_t *buf) {
+	isc_nmsocket_t *sock = uv_handle_get_data((uv_handle_t *)stream);
+	isc__nm_uvreq_t *req = NULL;
+
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->tid == isc_nm_tid());
+	REQUIRE(sock->reading);
+	REQUIRE(buf != NULL);
+
+	if (isc__nmsocket_closing(sock)) {
+		isc__nm_tcp_failed_read_cb(sock, ISC_R_CANCELED);
+		goto free;
+	}
+
+	if (nread < 0) {
+		if (nread != UV_EOF) {
+			isc__nm_incstats(sock->mgr,
+					 sock->statsindex[STATID_RECVFAIL]);
+		}
+
+		isc__nm_tcp_failed_read_cb(sock, isc__nm_uverr2result(nread));
+
+		goto free;
+	}
+
+	req = isc__nm_get_read_req(sock, NULL);
+
+	/*
+	 * The callback will be called synchronously because the
+	 * result is ISC_R_SUCCESS, so we don't need to retain
+	 * the buffer
+	 */
+	req->uvbuf.base = buf->base;
+	req->uvbuf.len = nread;
+
+	if (!atomic_load(&sock->client)) {
+		sock->read_timeout =
+			(atomic_load(&sock->keepalive)
+				 ? atomic_load(&sock->mgr->keepalive)
+				 : atomic_load(&sock->mgr->idle));
+	}
+
+	isc__nm_readcb(sock, req, ISC_R_SUCCESS);
+
+	/* The readcb could have paused the reading */
+	if (sock->reading) {
+		/* The timer will be updated */
+		isc__nmsocket_timer_restart(sock);
+	}
+
+free:
+	if (nread < 0) {
+		/*
+		 * The buffer may be a null buffer on error.
+		 */
+		if (buf->base == NULL && buf->len == 0) {
+			return;
+		}
+	}
+
+	isc__nm_free_uvbuf(sock, buf);
+}
+
+static void
+quota_accept_cb(isc_quota_t *quota, void *sock0) {
+	isc_nmsocket_t *sock = (isc_nmsocket_t *)sock0;
+	isc__netievent_tcpaccept_t *ievent = NULL;
+
+	REQUIRE(VALID_NMSOCK(sock));
+
+	/*
+	 * Create a tcpaccept event and pass it using the async channel.
+	 */
+	ievent = isc__nm_get_netievent_tcpaccept(sock->mgr, sock, quota);
+	isc__nm_maybe_enqueue_ievent(&sock->mgr->workers[sock->tid],
+				     (isc__netievent_t *)ievent);
+}
+
+/*
+ * This is called after we get a quota_accept_cb() callback.
+ */
+void
+isc__nm_async_tcpaccept(isc__networker_t *worker, isc__netievent_t *ev0) {
+	isc__netievent_tcpaccept_t *ievent = (isc__netievent_tcpaccept_t *)ev0;
+	isc_nmsocket_t *sock = ievent->sock;
+	isc_result_t result;
+
+	UNUSED(worker);
+
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->tid == isc_nm_tid());
+
+	result = accept_connection(sock, ievent->quota);
+	isc__nm_accept_connection_log(result, can_log_tcp_quota());
+}
+
+static isc_result_t
+accept_connection(isc_nmsocket_t *ssock, isc_quota_t *quota) {
+	isc_nmsocket_t *csock = NULL;
+	isc__networker_t *worker = NULL;
+	int r;
+	isc_result_t result;
+	struct sockaddr_storage ss;
+	isc_sockaddr_t local;
+	isc_nmhandle_t *handle = NULL;
+
+	REQUIRE(VALID_NMSOCK(ssock));
+	REQUIRE(ssock->tid == isc_nm_tid());
+
+	if (isc__nmsocket_closing(ssock)) {
+		if (quota != NULL) {
+			isc_quota_detach(&quota);
+		}
+		return (ISC_R_CANCELED);
+	}
+
+	csock = isc_mem_get(ssock->mgr->mctx, sizeof(isc_nmsocket_t));
+	isc__nmsocket_init(csock, ssock->mgr, isc_nm_tcpsocket, &ssock->iface);
+	csock->tid = ssock->tid;
+	csock->extrahandlesize = ssock->extrahandlesize;
+	isc__nmsocket_attach(ssock, &csock->server);
+	csock->recv_cb = ssock->recv_cb;
+	csock->recv_cbarg = ssock->recv_cbarg;
+	csock->quota = quota;
+	csock->accepting = true;
+
+	worker = &csock->mgr->workers[isc_nm_tid()];
+
+	r = uv_tcp_init(&worker->loop, &csock->uv_handle.tcp);
+	UV_RUNTIME_CHECK(uv_tcp_init, r);
+	uv_handle_set_data(&csock->uv_handle.handle, csock);
+
+	r = uv_timer_init(&worker->loop, &csock->read_timer);
+	UV_RUNTIME_CHECK(uv_timer_init, r);
+	uv_handle_set_data((uv_handle_t *)&csock->read_timer, csock);
+
+	r = uv_accept(&ssock->uv_handle.stream, &csock->uv_handle.stream);
+	if (r != 0) {
+		result = isc__nm_uverr2result(r);
+		goto failure;
+	}
+
+	r = uv_tcp_getpeername(&csock->uv_handle.tcp, (struct sockaddr *)&ss,
+			       &(int){ sizeof(ss) });
+	if (r != 0) {
+		result = isc__nm_uverr2result(r);
+		goto failure;
+	}
+
+	result = isc_sockaddr_fromsockaddr(&csock->peer,
+					   (struct sockaddr *)&ss);
+	if (result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+
+	r = uv_tcp_getsockname(&csock->uv_handle.tcp, (struct sockaddr *)&ss,
+			       &(int){ sizeof(ss) });
+	if (r != 0) {
+		result = isc__nm_uverr2result(r);
+		goto failure;
+	}
+
+	result = isc_sockaddr_fromsockaddr(&local, (struct sockaddr *)&ss);
+	if (result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+
+	handle = isc__nmhandle_get(csock, NULL, &local);
+
+	result = ssock->accept_cb(handle, ISC_R_SUCCESS, ssock->accept_cbarg);
+	if (result != ISC_R_SUCCESS) {
+		isc_nmhandle_detach(&handle);
+		goto failure;
+	}
+
+	csock->accepting = false;
+
+	isc__nm_incstats(csock->mgr, csock->statsindex[STATID_ACCEPT]);
+
+	csock->read_timeout = atomic_load(&csock->mgr->init);
+
+	atomic_fetch_add(&ssock->parent->active_child_connections, 1);
+
+	/*
+	 * The acceptcb needs to attach to the handle if it wants to keep the
+	 * connection alive
+	 */
+	isc_nmhandle_detach(&handle);
+
+	/*
+	 * sock is now attached to the handle.
+	 */
+	isc__nmsocket_detach(&csock);
+
+	return (ISC_R_SUCCESS);
+
+failure:
+	atomic_store(&csock->active, false);
+
+	failed_accept_cb(csock, result);
+
+	isc__nmsocket_prep_destroy(csock);
+
+	isc__nmsocket_detach(&csock);
+
+	return (result);
+}
+
+void
+isc__nm_tcp_send(isc_nmhandle_t *handle, const isc_region_t *region,
+		 isc_nm_cb_t cb, void *cbarg) {
+	REQUIRE(VALID_NMHANDLE(handle));
+	REQUIRE(VALID_NMSOCK(handle->sock));
+
+	isc_nmsocket_t *sock = handle->sock;
+	isc__netievent_tcpsend_t *ievent = NULL;
+	isc__nm_uvreq_t *uvreq = NULL;
+
+	REQUIRE(sock->type == isc_nm_tcpsocket);
+
+	uvreq = isc__nm_uvreq_get(sock->mgr, sock);
+	uvreq->uvbuf.base = (char *)region->base;
+	uvreq->uvbuf.len = region->length;
+
+	isc_nmhandle_attach(handle, &uvreq->handle);
+
+	uvreq->cb.send = cb;
+	uvreq->cbarg = cbarg;
+
+	ievent = isc__nm_get_netievent_tcpsend(sock->mgr, sock, uvreq);
+	isc__nm_maybe_enqueue_ievent(&sock->mgr->workers[sock->tid],
+				     (isc__netievent_t *)ievent);
+
+	return;
+}
+
+static void
+tcp_send_cb(uv_write_t *req, int status) {
+	isc__nm_uvreq_t *uvreq = (isc__nm_uvreq_t *)req->data;
+	isc_nmsocket_t *sock = NULL;
+
+	REQUIRE(VALID_UVREQ(uvreq));
+	REQUIRE(VALID_NMSOCK(uvreq->sock));
+
+	sock = uvreq->sock;
+
+	isc_nm_timer_stop(uvreq->timer);
+	isc_nm_timer_detach(&uvreq->timer);
+
+	if (status < 0) {
+		isc__nm_incstats(sock->mgr, sock->statsindex[STATID_SENDFAIL]);
+		isc__nm_failed_send_cb(sock, uvreq,
+				       isc__nm_uverr2result(status));
+		return;
+	}
+
+	isc__nm_sendcb(sock, uvreq, ISC_R_SUCCESS, false);
+}
+
+/*
+ * Handle 'tcpsend' async event - send a packet on the socket
+ */
+void
+isc__nm_async_tcpsend(isc__networker_t *worker, isc__netievent_t *ev0) {
+	isc_result_t result;
+	isc__netievent_tcpsend_t *ievent = (isc__netievent_tcpsend_t *)ev0;
+	isc_nmsocket_t *sock = ievent->sock;
+	isc__nm_uvreq_t *uvreq = ievent->req;
+
+	REQUIRE(sock->type == isc_nm_tcpsocket);
+	REQUIRE(sock->tid == isc_nm_tid());
+	UNUSED(worker);
+
+	if (sock->write_timeout == 0) {
+		sock->write_timeout =
+			(atomic_load(&sock->keepalive)
+				 ? atomic_load(&sock->mgr->keepalive)
+				 : atomic_load(&sock->mgr->idle));
+	}
+
+	result = tcp_send_direct(sock, uvreq);
+	if (result != ISC_R_SUCCESS) {
+		isc__nm_incstats(sock->mgr, sock->statsindex[STATID_SENDFAIL]);
+		isc__nm_failed_send_cb(sock, uvreq, result);
+	}
+}
+
+static isc_result_t
+tcp_send_direct(isc_nmsocket_t *sock, isc__nm_uvreq_t *req) {
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(VALID_UVREQ(req));
+	REQUIRE(sock->tid == isc_nm_tid());
+	REQUIRE(sock->type == isc_nm_tcpsocket);
+
+	int r;
+
+	if (isc__nmsocket_closing(sock)) {
+		return (ISC_R_CANCELED);
+	}
+
+	r = uv_write(&req->uv_req.write, &sock->uv_handle.stream, &req->uvbuf,
+		     1, tcp_send_cb);
+	if (r < 0) {
+		return (isc__nm_uverr2result(r));
+	}
+
+	isc_nm_timer_create(req->handle, isc__nmsocket_writetimeout_cb, req,
+			    &req->timer);
+	if (sock->write_timeout > 0) {
+		isc_nm_timer_start(req->timer, sock->write_timeout);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+tcp_stop_cb(uv_handle_t *handle) {
+	isc_nmsocket_t *sock = uv_handle_get_data(handle);
+	uv_handle_set_data(handle, NULL);
+
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->tid == isc_nm_tid());
+	REQUIRE(atomic_load(&sock->closing));
+
+	if (!atomic_compare_exchange_strong(&sock->closed, &(bool){ false },
+					    true))
+	{
+		UNREACHABLE();
+	}
+
+	isc__nm_incstats(sock->mgr, sock->statsindex[STATID_CLOSE]);
+
+	atomic_store(&sock->listening, false);
+
+	isc__nmsocket_detach(&sock);
+}
+
+static void
+tcp_close_sock(isc_nmsocket_t *sock) {
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->tid == isc_nm_tid());
+	REQUIRE(atomic_load(&sock->closing));
+
+	if (!atomic_compare_exchange_strong(&sock->closed, &(bool){ false },
+					    true))
+	{
+		UNREACHABLE();
+	}
+
+	isc__nm_incstats(sock->mgr, sock->statsindex[STATID_CLOSE]);
+
+	if (sock->server != NULL) {
+		isc__nmsocket_detach(&sock->server);
+	}
+
+	atomic_store(&sock->connected, false);
+
+	isc__nmsocket_prep_destroy(sock);
+}
+
+static void
+tcp_close_cb(uv_handle_t *handle) {
+	isc_nmsocket_t *sock = uv_handle_get_data(handle);
+	uv_handle_set_data(handle, NULL);
+
+	tcp_close_sock(sock);
+}
+
+static void
+read_timer_close_cb(uv_handle_t *handle) {
+	isc_nmsocket_t *sock = uv_handle_get_data(handle);
+	uv_handle_set_data(handle, NULL);
+
+	if (sock->parent) {
+		uv_close(&sock->uv_handle.handle, tcp_stop_cb);
+	} else if (uv_is_closing(&sock->uv_handle.handle)) {
+		tcp_close_sock(sock);
+	} else {
+		uv_close(&sock->uv_handle.handle, tcp_close_cb);
+	}
+}
+
+static void
+stop_tcp_child(isc_nmsocket_t *sock) {
+	REQUIRE(sock->type == isc_nm_tcpsocket);
+	REQUIRE(sock->tid == isc_nm_tid());
+
+	if (!atomic_compare_exchange_strong(&sock->closing, &(bool){ false },
+					    true))
+	{
+		return;
+	}
+
+	tcp_close_direct(sock);
+
+	atomic_fetch_sub(&sock->parent->rchildren, 1);
+
+	isc_barrier_wait(&sock->parent->stoplistening);
+}
+
+static void
+stop_tcp_parent(isc_nmsocket_t *sock) {
+	isc_nmsocket_t *csock = NULL;
+
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->tid == isc_nm_tid());
+	REQUIRE(sock->type == isc_nm_tcplistener);
+
+	isc_barrier_init(&sock->stoplistening, sock->nchildren);
+
+	for (size_t i = 0; i < sock->nchildren; i++) {
+		csock = &sock->children[i];
+		REQUIRE(VALID_NMSOCK(csock));
+
+		if ((int)i == isc_nm_tid()) {
+			/*
+			 * We need to schedule closing the other sockets first
+			 */
+			continue;
+		}
+
+		atomic_store(&csock->active, false);
+		enqueue_stoplistening(csock);
+	}
+
+	csock = &sock->children[isc_nm_tid()];
+	atomic_store(&csock->active, false);
+	stop_tcp_child(csock);
+
+	atomic_store(&sock->closed, true);
+	isc__nmsocket_prep_destroy(sock);
+}
+
+static void
+tcp_close_direct(isc_nmsocket_t *sock) {
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->tid == isc_nm_tid());
+	REQUIRE(atomic_load(&sock->closing));
+
+	if (sock->server != NULL) {
+		REQUIRE(VALID_NMSOCK(sock->server));
+		REQUIRE(VALID_NMSOCK(sock->server->parent));
+		if (sock->server->parent != NULL) {
+			atomic_fetch_sub(
+				&sock->server->parent->active_child_connections,
+				1);
+		}
+	}
+
+	if (sock->quota != NULL) {
+		isc_quota_detach(&sock->quota);
+	}
+
+	isc__nmsocket_timer_stop(sock);
+	isc__nm_stop_reading(sock);
+
+	uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
+	uv_close((uv_handle_t *)&sock->read_timer, read_timer_close_cb);
+}
+
+void
+isc__nm_tcp_close(isc_nmsocket_t *sock) {
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->type == isc_nm_tcpsocket);
+	REQUIRE(!isc__nmsocket_active(sock));
+
+	if (!atomic_compare_exchange_strong(&sock->closing, &(bool){ false },
+					    true))
+	{
+		return;
+	}
+
+	if (sock->tid == isc_nm_tid()) {
+		tcp_close_direct(sock);
+	} else {
+		/*
+		 * We need to create an event and pass it using async channel
+		 */
+		isc__netievent_tcpclose_t *ievent =
+			isc__nm_get_netievent_tcpclose(sock->mgr, sock);
+
+		isc__nm_enqueue_ievent(&sock->mgr->workers[sock->tid],
+				       (isc__netievent_t *)ievent);
+	}
+}
+
+void
+isc__nm_async_tcpclose(isc__networker_t *worker, isc__netievent_t *ev0) {
+	isc__netievent_tcpclose_t *ievent = (isc__netievent_tcpclose_t *)ev0;
+	isc_nmsocket_t *sock = ievent->sock;
+
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->tid == isc_nm_tid());
+
+	UNUSED(worker);
+
+	tcp_close_direct(sock);
+}
+
+static void
+tcp_close_connect_cb(uv_handle_t *handle) {
+	isc_nmsocket_t *sock = uv_handle_get_data(handle);
+
+	REQUIRE(VALID_NMSOCK(sock));
+
+	REQUIRE(isc__nm_in_netthread());
+	REQUIRE(sock->tid == isc_nm_tid());
+
+	isc__nmsocket_prep_destroy(sock);
+	isc__nmsocket_detach(&sock);
+}
+
+void
+isc__nm_tcp_shutdown(isc_nmsocket_t *sock) {
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->tid == isc_nm_tid());
+	REQUIRE(sock->type == isc_nm_tcpsocket);
+
+	/*
+	 * If the socket is active, mark it inactive and
+	 * continue. If it isn't active, stop now.
+	 */
+	if (!isc__nmsocket_deactivate(sock)) {
+		return;
+	}
+
+	if (sock->accepting) {
+		return;
+	}
+
+	if (atomic_load(&sock->connecting)) {
+		isc_nmsocket_t *tsock = NULL;
+		isc__nmsocket_attach(sock, &tsock);
+		uv_close(&sock->uv_handle.handle, tcp_close_connect_cb);
+		return;
+	}
+
+	if (sock->statichandle != NULL) {
+		isc__nm_tcp_failed_read_cb(sock, ISC_R_CANCELED);
+		return;
+	}
+
+	/*
+	 * Otherwise, we just send the socket to abyss...
+	 */
+	if (sock->parent == NULL) {
+		isc__nmsocket_prep_destroy(sock);
+	}
+}
+
+void
+isc__nm_tcp_cancelread(isc_nmhandle_t *handle) {
+	isc_nmsocket_t *sock = NULL;
+	isc__netievent_tcpcancel_t *ievent = NULL;
+
+	REQUIRE(VALID_NMHANDLE(handle));
+
+	sock = handle->sock;
+
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->type == isc_nm_tcpsocket);
+
+	ievent = isc__nm_get_netievent_tcpcancel(sock->mgr, sock, handle);
+	isc__nm_enqueue_ievent(&sock->mgr->workers[sock->tid],
+			       (isc__netievent_t *)ievent);
+}
+
+void
+isc__nm_async_tcpcancel(isc__networker_t *worker, isc__netievent_t *ev0) {
+	isc__netievent_tcpcancel_t *ievent = (isc__netievent_tcpcancel_t *)ev0;
+	isc_nmsocket_t *sock = ievent->sock;
+
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->tid == isc_nm_tid());
+	UNUSED(worker);
+
+	uv_timer_stop(&sock->read_timer);
+
+	isc__nm_tcp_failed_read_cb(sock, ISC_R_EOF);
+}
+
+int_fast32_t
+isc__nm_tcp_listener_nactive(isc_nmsocket_t *listener) {
+	int_fast32_t nactive;
+
+	REQUIRE(VALID_NMSOCK(listener));
+
+	nactive = atomic_load(&listener->active_child_connections);
+	INSIST(nactive >= 0);
+	return (nactive);
+}
diff --git a/lib/isc/netmgr/tcpdns.c b/lib/isc/netmgr/tcpdns.c
new file mode 100644
index 0000000..bd593eb
--- /dev/null
+++ b/lib/isc/netmgr/tcpdns.c
@@ -0,0 +1,1505 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <libgen.h>
+#include <unistd.h>
+#include <uv.h>
+
+#include <isc/atomic.h>
+#include <isc/barrier.h>
+#include <isc/buffer.h>
+#include <isc/condition.h>
+#include <isc/errno.h>
+#include <isc/log.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/netmgr.h>
+#include <isc/quota.h>
+#include <isc/random.h>
+#include <isc/refcount.h>
+#include <isc/region.h>
+#include <isc/result.h>
+#include <isc/sockaddr.h>
+#include <isc/stdtime.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+
+#include "netmgr-int.h"
+#include "uv-compat.h"
+
+static atomic_uint_fast32_t last_tcpdnsquota_log = 0;
+
+static bool
+can_log_tcpdns_quota(void) {
+	isc_stdtime_t now, last;
+
+	isc_stdtime_get(&now);
+	last = atomic_exchange_relaxed(&last_tcpdnsquota_log, now);
+	if (now != last) {
+		return (true);
+	}
+
+	return (false);
+}
+
+static isc_result_t
+tcpdns_connect_direct(isc_nmsocket_t *sock, isc__nm_uvreq_t *req);
+
+static void
+tcpdns_close_direct(isc_nmsocket_t *sock);
+
+static void
+tcpdns_connect_cb(uv_connect_t *uvreq, int status);
+
+static void
+tcpdns_connection_cb(uv_stream_t *server, int status);
+
+static void
+tcpdns_close_cb(uv_handle_t *uvhandle);
+
+static isc_result_t
+accept_connection(isc_nmsocket_t *ssock, isc_quota_t *quota);
+
+static void
+quota_accept_cb(isc_quota_t *quota, void *sock0);
+
+static void
+stop_tcpdns_parent(isc_nmsocket_t *sock);
+static void
+stop_tcpdns_child(isc_nmsocket_t *sock);
+
+static isc_result_t
+tcpdns_connect_direct(isc_nmsocket_t *sock, isc__nm_uvreq_t *req) {
+	isc__networker_t *worker = NULL;
+	isc_result_t result = ISC_R_UNSET;
+	int r;
+
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(VALID_UVREQ(req));
+
+	REQUIRE(isc__nm_in_netthread());
+	REQUIRE(sock->tid == isc_nm_tid());
+
+	worker = &sock->mgr->workers[sock->tid];
+
+	atomic_store(&sock->connecting, true);
+
+	r = uv_tcp_init(&worker->loop, &sock->uv_handle.tcp);
+	UV_RUNTIME_CHECK(uv_tcp_init, r);
+	uv_handle_set_data(&sock->uv_handle.handle, sock);
+
+	r = uv_timer_init(&worker->loop, &sock->read_timer);
+	UV_RUNTIME_CHECK(uv_timer_init, r);
+	uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
+
+	if (isc__nm_closing(sock)) {
+		result = ISC_R_CANCELED;
+		goto error;
+	}
+
+	r = uv_tcp_open(&sock->uv_handle.tcp, sock->fd);
+	if (r != 0) {
+		isc__nm_closesocket(sock->fd);
+		isc__nm_incstats(sock->mgr, sock->statsindex[STATID_OPENFAIL]);
+		goto done;
+	}
+	isc__nm_incstats(sock->mgr, sock->statsindex[STATID_OPEN]);
+
+	if (req->local.length != 0) {
+		r = uv_tcp_bind(&sock->uv_handle.tcp, &req->local.type.sa, 0);
+		/*
+		 * In case of shared socket UV_EINVAL will be returned and needs
+		 * to be ignored
+		 */
+		if (r != 0 && r != UV_EINVAL) {
+			isc__nm_incstats(sock->mgr,
+					 sock->statsindex[STATID_BINDFAIL]);
+			goto done;
+		}
+	}
+
+	uv_handle_set_data(&req->uv_req.handle, req);
+	r = uv_tcp_connect(&req->uv_req.connect, &sock->uv_handle.tcp,
+			   &req->peer.type.sa, tcpdns_connect_cb);
+	if (r != 0) {
+		isc__nm_incstats(sock->mgr,
+				 sock->statsindex[STATID_CONNECTFAIL]);
+		goto done;
+	}
+	isc__nm_incstats(sock->mgr, sock->statsindex[STATID_CONNECT]);
+
+	uv_handle_set_data((uv_handle_t *)&sock->read_timer,
+			   &req->uv_req.connect);
+	isc__nmsocket_timer_start(sock);
+
+	atomic_store(&sock->connected, true);
+
+done:
+	result = isc__nm_uverr2result(r);
+error:
+	LOCK(&sock->lock);
+	sock->result = result;
+	SIGNAL(&sock->cond);
+	if (!atomic_load(&sock->active)) {
+		WAIT(&sock->scond, &sock->lock);
+	}
+	INSIST(atomic_load(&sock->active));
+	UNLOCK(&sock->lock);
+
+	return (result);
+}
+
+void
+isc__nm_async_tcpdnsconnect(isc__networker_t *worker, isc__netievent_t *ev0) {
+	isc__netievent_tcpdnsconnect_t *ievent =
+		(isc__netievent_tcpdnsconnect_t *)ev0;
+	isc_nmsocket_t *sock = ievent->sock;
+	isc__nm_uvreq_t *req = ievent->req;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	UNUSED(worker);
+
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->type == isc_nm_tcpdnssocket);
+	REQUIRE(sock->parent == NULL);
+	REQUIRE(sock->tid == isc_nm_tid());
+
+	result = tcpdns_connect_direct(sock, req);
+	if (result != ISC_R_SUCCESS) {
+		isc__nmsocket_clearcb(sock);
+		isc__nm_connectcb(sock, req, result, true);
+		atomic_store(&sock->active, false);
+		isc__nm_tcpdns_close(sock);
+	}
+
+	/*
+	 * The sock is now attached to the handle.
+	 */
+	isc__nmsocket_detach(&sock);
+}
+
+static void
+tcpdns_connect_cb(uv_connect_t *uvreq, int status) {
+	isc_result_t result;
+	isc__nm_uvreq_t *req = NULL;
+	isc_nmsocket_t *sock = uv_handle_get_data((uv_handle_t *)uvreq->handle);
+	struct sockaddr_storage ss;
+	int r;
+
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->tid == isc_nm_tid());
+
+	isc__nmsocket_timer_stop(sock);
+	uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
+
+	req = uv_handle_get_data((uv_handle_t *)uvreq);
+
+	REQUIRE(VALID_UVREQ(req));
+	REQUIRE(VALID_NMHANDLE(req->handle));
+
+	if (atomic_load(&sock->timedout)) {
+		result = ISC_R_TIMEDOUT;
+		goto error;
+	}
+
+	if (isc__nmsocket_closing(sock)) {
+		/* Socket was closed midflight by isc__nm_tcpdns_shutdown() */
+		result = ISC_R_CANCELED;
+		goto error;
+	} else if (status == UV_ETIMEDOUT) {
+		/* Timeout status code here indicates hard error */
+		result = ISC_R_TIMEDOUT;
+		goto error;
+	} else if (status != 0) {
+		result = isc__nm_uverr2result(status);
+		goto error;
+	}
+
+	isc__nm_incstats(sock->mgr, sock->statsindex[STATID_CONNECT]);
+	r = uv_tcp_getpeername(&sock->uv_handle.tcp, (struct sockaddr *)&ss,
+			       &(int){ sizeof(ss) });
+	if (r != 0) {
+		result = isc__nm_uverr2result(r);
+		goto error;
+	}
+
+	atomic_store(&sock->connecting, false);
+
+	result = isc_sockaddr_fromsockaddr(&sock->peer, (struct sockaddr *)&ss);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	isc__nm_connectcb(sock, req, ISC_R_SUCCESS, false);
+
+	return;
+
+error:
+	isc__nm_failed_connect_cb(sock, req, result, false);
+}
+
+void
+isc_nm_tcpdnsconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer,
+		     isc_nm_cb_t cb, void *cbarg, unsigned int timeout,
+		     size_t extrahandlesize) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_nmsocket_t *sock = NULL;
+	isc__netievent_tcpdnsconnect_t *ievent = NULL;
+	isc__nm_uvreq_t *req = NULL;
+	sa_family_t sa_family;
+
+	REQUIRE(VALID_NM(mgr));
+	REQUIRE(local != NULL);
+	REQUIRE(peer != NULL);
+
+	sa_family = peer->type.sa.sa_family;
+
+	sock = isc_mem_get(mgr->mctx, sizeof(*sock));
+	isc__nmsocket_init(sock, mgr, isc_nm_tcpdnssocket, local);
+
+	sock->extrahandlesize = extrahandlesize;
+	sock->connect_timeout = timeout;
+	sock->result = ISC_R_UNSET;
+	atomic_init(&sock->client, true);
+
+	req = isc__nm_uvreq_get(mgr, sock);
+	req->cb.connect = cb;
+	req->cbarg = cbarg;
+	req->peer = *peer;
+	req->local = *local;
+	req->handle = isc__nmhandle_get(sock, &req->peer, &sock->iface);
+
+	result = isc__nm_socket(sa_family, SOCK_STREAM, 0, &sock->fd);
+	if (result != ISC_R_SUCCESS) {
+		if (isc__nm_in_netthread()) {
+			sock->tid = isc_nm_tid();
+		}
+		isc__nmsocket_clearcb(sock);
+		isc__nm_connectcb(sock, req, result, true);
+		atomic_store(&sock->closed, true);
+		isc__nmsocket_detach(&sock);
+		return;
+	}
+
+	/* 2 minute timeout */
+	result = isc__nm_socket_connectiontimeout(sock->fd, 120 * 1000);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	ievent = isc__nm_get_netievent_tcpdnsconnect(mgr, sock, req);
+
+	if (isc__nm_in_netthread()) {
+		atomic_store(&sock->active, true);
+		sock->tid = isc_nm_tid();
+		isc__nm_async_tcpdnsconnect(&mgr->workers[sock->tid],
+					    (isc__netievent_t *)ievent);
+		isc__nm_put_netievent_tcpdnsconnect(mgr, ievent);
+	} else {
+		atomic_init(&sock->active, false);
+		sock->tid = isc_random_uniform(mgr->nworkers);
+		isc__nm_enqueue_ievent(&mgr->workers[sock->tid],
+				       (isc__netievent_t *)ievent);
+	}
+
+	LOCK(&sock->lock);
+	while (sock->result == ISC_R_UNSET) {
+		WAIT(&sock->cond, &sock->lock);
+	}
+	atomic_store(&sock->active, true);
+	BROADCAST(&sock->scond);
+	UNLOCK(&sock->lock);
+}
+
+static uv_os_sock_t
+isc__nm_tcpdns_lb_socket(isc_nm_t *mgr, sa_family_t sa_family) {
+	isc_result_t result;
+	uv_os_sock_t sock;
+
+	result = isc__nm_socket(sa_family, SOCK_STREAM, 0, &sock);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	(void)isc__nm_socket_incoming_cpu(sock);
+
+	/* FIXME: set mss */
+
+	result = isc__nm_socket_reuse(sock);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+#ifndef _WIN32
+	if (mgr->load_balance_sockets) {
+		result = isc__nm_socket_reuse_lb(sock);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	}
+#endif
+
+	return (sock);
+}
+
+static void
+enqueue_stoplistening(isc_nmsocket_t *sock) {
+	isc__netievent_tcpdnsstop_t *ievent =
+		isc__nm_get_netievent_tcpdnsstop(sock->mgr, sock);
+	isc__nm_enqueue_ievent(&sock->mgr->workers[sock->tid],
+			       (isc__netievent_t *)ievent);
+}
+
+static void
+start_tcpdns_child(isc_nm_t *mgr, isc_sockaddr_t *iface, isc_nmsocket_t *sock,
+		   uv_os_sock_t fd, int tid) {
+	isc__netievent_tcpdnslisten_t *ievent = NULL;
+	isc_nmsocket_t *csock = &sock->children[tid];
+
+	isc__nmsocket_init(csock, mgr, isc_nm_tcpdnssocket, iface);
+	csock->parent = sock;
+	csock->accept_cb = sock->accept_cb;
+	csock->accept_cbarg = sock->accept_cbarg;
+	csock->recv_cb = sock->recv_cb;
+	csock->recv_cbarg = sock->recv_cbarg;
+	csock->extrahandlesize = sock->extrahandlesize;
+	csock->backlog = sock->backlog;
+	csock->tid = tid;
+	/*
+	 * We don't attach to quota, just assign - to avoid
+	 * increasing quota unnecessarily.
+	 */
+	csock->pquota = sock->pquota;
+	isc_quota_cb_init(&csock->quotacb, quota_accept_cb, csock);
+
+#ifdef _WIN32
+	UNUSED(fd);
+	csock->fd = isc__nm_tcpdns_lb_socket(mgr, iface->type.sa.sa_family);
+#else
+	if (mgr->load_balance_sockets) {
+		UNUSED(fd);
+		csock->fd = isc__nm_tcpdns_lb_socket(mgr,
+						     iface->type.sa.sa_family);
+	} else {
+		csock->fd = dup(fd);
+	}
+#endif
+	REQUIRE(csock->fd >= 0);
+
+	ievent = isc__nm_get_netievent_tcpdnslisten(mgr, csock);
+	isc__nm_maybe_enqueue_ievent(&mgr->workers[tid],
+				     (isc__netievent_t *)ievent);
+}
+isc_result_t
+isc_nm_listentcpdns(isc_nm_t *mgr, isc_sockaddr_t *iface,
+		    isc_nm_recv_cb_t recv_cb, void *recv_cbarg,
+		    isc_nm_accept_cb_t accept_cb, void *accept_cbarg,
+		    size_t extrahandlesize, int backlog, isc_quota_t *quota,
+		    isc_nmsocket_t **sockp) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_nmsocket_t *sock = NULL;
+	size_t children_size = 0;
+	uv_os_sock_t fd = -1;
+
+	REQUIRE(VALID_NM(mgr));
+
+	sock = isc_mem_get(mgr->mctx, sizeof(*sock));
+	isc__nmsocket_init(sock, mgr, isc_nm_tcpdnslistener, iface);
+
+	atomic_init(&sock->rchildren, 0);
+#if defined(WIN32)
+	sock->nchildren = 1;
+#else
+	sock->nchildren = mgr->nworkers;
+#endif
+	children_size = sock->nchildren * sizeof(sock->children[0]);
+	sock->children = isc_mem_get(mgr->mctx, children_size);
+	memset(sock->children, 0, children_size);
+
+	sock->result = ISC_R_UNSET;
+	sock->accept_cb = accept_cb;
+	sock->accept_cbarg = accept_cbarg;
+	sock->recv_cb = recv_cb;
+	sock->recv_cbarg = recv_cbarg;
+	sock->extrahandlesize = extrahandlesize;
+	sock->backlog = backlog;
+	sock->pquota = quota;
+
+	sock->tid = 0;
+	sock->fd = -1;
+
+#ifndef _WIN32
+	if (!mgr->load_balance_sockets) {
+		fd = isc__nm_tcpdns_lb_socket(mgr, iface->type.sa.sa_family);
+	}
+#endif
+
+	isc_barrier_init(&sock->startlistening, sock->nchildren);
+
+	for (size_t i = 0; i < sock->nchildren; i++) {
+		if ((int)i == isc_nm_tid()) {
+			continue;
+		}
+		start_tcpdns_child(mgr, iface, sock, fd, i);
+	}
+
+	if (isc__nm_in_netthread()) {
+		start_tcpdns_child(mgr, iface, sock, fd, isc_nm_tid());
+	}
+
+#ifndef _WIN32
+	if (!mgr->load_balance_sockets) {
+		isc__nm_closesocket(fd);
+	}
+#endif
+
+	LOCK(&sock->lock);
+	while (atomic_load(&sock->rchildren) != sock->nchildren) {
+		WAIT(&sock->cond, &sock->lock);
+	}
+	result = sock->result;
+	atomic_store(&sock->active, true);
+	UNLOCK(&sock->lock);
+
+	INSIST(result != ISC_R_UNSET);
+
+	if (result == ISC_R_SUCCESS) {
+		REQUIRE(atomic_load(&sock->rchildren) == sock->nchildren);
+		*sockp = sock;
+	} else {
+		atomic_store(&sock->active, false);
+		enqueue_stoplistening(sock);
+		isc_nmsocket_close(&sock);
+	}
+
+	return (result);
+}
+
+void
+isc__nm_async_tcpdnslisten(isc__networker_t *worker, isc__netievent_t *ev0) {
+	isc__netievent_tcpdnslisten_t *ievent =
+		(isc__netievent_tcpdnslisten_t *)ev0;
+	sa_family_t sa_family;
+	int r;
+	int flags = 0;
+	isc_nmsocket_t *sock = NULL;
+	isc_result_t result = ISC_R_UNSET;
+	isc_nm_t *mgr = NULL;
+
+	REQUIRE(VALID_NMSOCK(ievent->sock));
+	REQUIRE(ievent->sock->tid == isc_nm_tid());
+	REQUIRE(VALID_NMSOCK(ievent->sock->parent));
+
+	sock = ievent->sock;
+	sa_family = sock->iface.type.sa.sa_family;
+	mgr = sock->mgr;
+
+	REQUIRE(sock->type == isc_nm_tcpdnssocket);
+	REQUIRE(sock->parent != NULL);
+	REQUIRE(sock->tid == isc_nm_tid());
+
+	/* TODO: set min mss */
+
+	r = uv_tcp_init(&worker->loop, &sock->uv_handle.tcp);
+	UV_RUNTIME_CHECK(uv_tcp_init, r);
+	uv_handle_set_data(&sock->uv_handle.handle, sock);
+	/* This keeps the socket alive after everything else is gone */
+	isc__nmsocket_attach(sock, &(isc_nmsocket_t *){ NULL });
+
+	r = uv_timer_init(&worker->loop, &sock->read_timer);
+	UV_RUNTIME_CHECK(uv_timer_init, r);
+	uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
+
+	LOCK(&sock->parent->lock);
+
+	r = uv_tcp_open(&sock->uv_handle.tcp, sock->fd);
+	if (r < 0) {
+		isc__nm_closesocket(sock->fd);
+		isc__nm_incstats(sock->mgr, sock->statsindex[STATID_OPENFAIL]);
+		goto done;
+	}
+	isc__nm_incstats(sock->mgr, sock->statsindex[STATID_OPEN]);
+
+	if (sa_family == AF_INET6) {
+		flags = UV_TCP_IPV6ONLY;
+	}
+
+#ifdef _WIN32
+	r = isc_uv_tcp_freebind(&sock->uv_handle.tcp, &sock->iface.type.sa,
+				flags);
+	if (r < 0) {
+		isc__nm_incstats(sock->mgr, sock->statsindex[STATID_BINDFAIL]);
+		goto done;
+	}
+#else
+	if (mgr->load_balance_sockets) {
+		r = isc_uv_tcp_freebind(&sock->uv_handle.tcp,
+					&sock->iface.type.sa, flags);
+		if (r < 0) {
+			isc__nm_incstats(sock->mgr,
+					 sock->statsindex[STATID_BINDFAIL]);
+			goto done;
+		}
+	} else {
+		if (sock->parent->fd == -1) {
+			r = isc_uv_tcp_freebind(&sock->uv_handle.tcp,
+						&sock->iface.type.sa, flags);
+			if (r < 0) {
+				isc__nm_incstats(sock->mgr, STATID_BINDFAIL);
+				goto done;
+			}
+			sock->parent->uv_handle.tcp.flags =
+				sock->uv_handle.tcp.flags;
+			sock->parent->fd = sock->fd;
+		} else {
+			/* The socket is already bound, just copy the flags */
+			sock->uv_handle.tcp.flags =
+				sock->parent->uv_handle.tcp.flags;
+		}
+	}
+#endif
+
+	/*
+	 * The callback will run in the same thread uv_listen() was called
+	 * from, so a race with tcpdns_connection_cb() isn't possible.
+	 */
+	r = uv_listen((uv_stream_t *)&sock->uv_handle.tcp, sock->backlog,
+		      tcpdns_connection_cb);
+	if (r != 0) {
+		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_NETMGR, ISC_LOG_ERROR,
+			      "uv_listen failed: %s",
+			      isc_result_totext(isc__nm_uverr2result(r)));
+		isc__nm_incstats(sock->mgr, sock->statsindex[STATID_BINDFAIL]);
+		goto done;
+	}
+
+	atomic_store(&sock->listening, true);
+
+done:
+	result = isc__nm_uverr2result(r);
+	if (result != ISC_R_SUCCESS) {
+		sock->pquota = NULL;
+	}
+
+	atomic_fetch_add(&sock->parent->rchildren, 1);
+	if (sock->parent->result == ISC_R_UNSET) {
+		sock->parent->result = result;
+	}
+	SIGNAL(&sock->parent->cond);
+	UNLOCK(&sock->parent->lock);
+
+	isc_barrier_wait(&sock->parent->startlistening);
+}
+
+static void
+tcpdns_connection_cb(uv_stream_t *server, int status) {
+	isc_nmsocket_t *ssock = uv_handle_get_data((uv_handle_t *)server);
+	isc_result_t result;
+	isc_quota_t *quota = NULL;
+
+	if (status != 0) {
+		result = isc__nm_uverr2result(status);
+		goto done;
+	}
+
+	REQUIRE(VALID_NMSOCK(ssock));
+	REQUIRE(ssock->tid == isc_nm_tid());
+
+	if (isc__nmsocket_closing(ssock)) {
+		result = ISC_R_CANCELED;
+		goto done;
+	}
+
+	if (ssock->pquota != NULL) {
+		result = isc_quota_attach_cb(ssock->pquota, &quota,
+					     &ssock->quotacb);
+		if (result == ISC_R_QUOTA) {
+			isc__nm_incstats(ssock->mgr,
+					 ssock->statsindex[STATID_ACCEPTFAIL]);
+			goto done;
+		}
+	}
+
+	result = accept_connection(ssock, quota);
+done:
+	isc__nm_accept_connection_log(result, can_log_tcpdns_quota());
+}
+
+void
+isc__nm_tcpdns_stoplistening(isc_nmsocket_t *sock) {
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->type == isc_nm_tcpdnslistener);
+
+	if (!atomic_compare_exchange_strong(&sock->closing, &(bool){ false },
+					    true))
+	{
+		UNREACHABLE();
+	}
+
+	if (!isc__nm_in_netthread()) {
+		enqueue_stoplistening(sock);
+	} else {
+		stop_tcpdns_parent(sock);
+	}
+}
+
+void
+isc__nm_async_tcpdnsstop(isc__networker_t *worker, isc__netievent_t *ev0) {
+	isc__netievent_tcpdnsstop_t *ievent =
+		(isc__netievent_tcpdnsstop_t *)ev0;
+	isc_nmsocket_t *sock = ievent->sock;
+
+	UNUSED(worker);
+
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->tid == isc_nm_tid());
+
+	if (sock->parent != NULL) {
+		stop_tcpdns_child(sock);
+		return;
+	}
+
+	stop_tcpdns_parent(sock);
+}
+
+void
+isc__nm_tcpdns_failed_read_cb(isc_nmsocket_t *sock, isc_result_t result) {
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(result != ISC_R_SUCCESS);
+
+	isc__nmsocket_timer_stop(sock);
+	isc__nm_stop_reading(sock);
+
+	if (!sock->recv_read) {
+		goto destroy;
+	}
+	sock->recv_read = false;
+
+	if (sock->recv_cb != NULL) {
+		isc__nm_uvreq_t *req = isc__nm_get_read_req(sock, NULL);
+		isc__nmsocket_clearcb(sock);
+		isc__nm_readcb(sock, req, result);
+	}
+
+destroy:
+	isc__nmsocket_prep_destroy(sock);
+
+	/*
+	 * We need to detach from quota after the read callback function had a
+	 * chance to be executed.
+	 */
+	if (sock->quota != NULL) {
+		isc_quota_detach(&sock->quota);
+	}
+}
+
+void
+isc__nm_tcpdns_read(isc_nmhandle_t *handle, isc_nm_recv_cb_t cb, void *cbarg) {
+	REQUIRE(VALID_NMHANDLE(handle));
+	REQUIRE(VALID_NMSOCK(handle->sock));
+
+	isc_nmsocket_t *sock = handle->sock;
+	isc__netievent_tcpdnsread_t *ievent = NULL;
+
+	REQUIRE(sock->type == isc_nm_tcpdnssocket);
+	REQUIRE(sock->statichandle == handle);
+	REQUIRE(sock->tid == isc_nm_tid());
+	REQUIRE(!sock->recv_read);
+
+	sock->recv_cb = cb;
+	sock->recv_cbarg = cbarg;
+	sock->recv_read = true;
+	if (sock->read_timeout == 0) {
+		sock->read_timeout =
+			(atomic_load(&sock->keepalive)
+				 ? atomic_load(&sock->mgr->keepalive)
+				 : atomic_load(&sock->mgr->idle));
+	}
+
+	ievent = isc__nm_get_netievent_tcpdnsread(sock->mgr, sock);
+
+	/*
+	 * This MUST be done asynchronously, no matter which thread we're
+	 * in. The callback function for isc_nm_read() often calls
+	 * isc_nm_read() again; if we tried to do that synchronously
+	 * we'd clash in processbuffer() and grow the stack indefinitely.
+	 */
+	isc__nm_enqueue_ievent(&sock->mgr->workers[sock->tid],
+			       (isc__netievent_t *)ievent);
+
+	return;
+}
+
+void
+isc__nm_async_tcpdnsread(isc__networker_t *worker, isc__netievent_t *ev0) {
+	isc__netievent_tcpdnsread_t *ievent =
+		(isc__netievent_tcpdnsread_t *)ev0;
+	isc_nmsocket_t *sock = ievent->sock;
+	isc_result_t result;
+
+	UNUSED(worker);
+
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->tid == isc_nm_tid());
+
+	if (isc__nmsocket_closing(sock)) {
+		result = ISC_R_CANCELED;
+	} else {
+		result = isc__nm_process_sock_buffer(sock);
+	}
+
+	if (result != ISC_R_SUCCESS) {
+		sock->reading = true;
+		isc__nm_failed_read_cb(sock, result, false);
+	}
+}
+
+/*
+ * Process a single packet from the incoming buffer.
+ *
+ * Return ISC_R_SUCCESS and attach 'handlep' to a handle if something
+ * was processed; return ISC_R_NOMORE if there isn't a full message
+ * to be processed.
+ *
+ * The caller will need to unreference the handle.
+ */
+isc_result_t
+isc__nm_tcpdns_processbuffer(isc_nmsocket_t *sock) {
+	size_t len;
+	isc__nm_uvreq_t *req = NULL;
+	isc_nmhandle_t *handle = NULL;
+
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->tid == isc_nm_tid());
+
+	if (isc__nmsocket_closing(sock)) {
+		return (ISC_R_CANCELED);
+	}
+
+	/*
+	 * If we don't even have the length yet, we can't do
+	 * anything.
+	 */
+	if (sock->buf_len < 2) {
+		return (ISC_R_NOMORE);
+	}
+
+	/*
+	 * Process the first packet from the buffer, leaving
+	 * the rest (if any) for later.
+	 */
+	len = ntohs(*(uint16_t *)sock->buf);
+	if (len > sock->buf_len - 2) {
+		return (ISC_R_NOMORE);
+	}
+
+	req = isc__nm_get_read_req(sock, NULL);
+	REQUIRE(VALID_UVREQ(req));
+
+	/*
+	 * We need to launch the resume_processing after the buffer has
+	 * been consumed, thus we need to delay the detaching the handle.
+	 */
+	isc_nmhandle_attach(req->handle, &handle);
+
+	/*
+	 * The callback will be called synchronously because the
+	 * result is ISC_R_SUCCESS, so we don't need to have
+	 * the buffer on the heap
+	 */
+	req->uvbuf.base = (char *)sock->buf + 2;
+	req->uvbuf.len = len;
+
+	/*
+	 * If isc__nm_tcpdns_read() was called, it will be satisfied by single
+	 * DNS message in the next call.
+	 */
+	sock->recv_read = false;
+
+	/*
+	 * The assertion failure here means that there's a errnoneous extra
+	 * nmhandle detach happening in the callback and resume_processing gets
+	 * called while we are still processing the buffer.
+	 */
+	REQUIRE(sock->processing == false);
+	sock->processing = true;
+	isc__nm_readcb(sock, req, ISC_R_SUCCESS);
+	sock->processing = false;
+
+	len += 2;
+	sock->buf_len -= len;
+	if (sock->buf_len > 0) {
+		memmove(sock->buf, sock->buf + len, sock->buf_len);
+	}
+
+	isc_nmhandle_detach(&handle);
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc__nm_tcpdns_read_cb(uv_stream_t *stream, ssize_t nread,
+		       const uv_buf_t *buf) {
+	isc_nmsocket_t *sock = uv_handle_get_data((uv_handle_t *)stream);
+	uint8_t *base = NULL;
+	size_t len;
+	isc_result_t result;
+
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->tid == isc_nm_tid());
+	REQUIRE(sock->reading);
+	REQUIRE(buf != NULL);
+
+	if (isc__nmsocket_closing(sock)) {
+		isc__nm_failed_read_cb(sock, ISC_R_CANCELED, true);
+		goto free;
+	}
+
+	if (nread < 0) {
+		if (nread != UV_EOF) {
+			isc__nm_incstats(sock->mgr,
+					 sock->statsindex[STATID_RECVFAIL]);
+		}
+
+		isc__nm_failed_read_cb(sock, isc__nm_uverr2result(nread), true);
+		goto free;
+	}
+
+	base = (uint8_t *)buf->base;
+	len = nread;
+
+	/*
+	 * FIXME: We can avoid the memmove here if we know we have received full
+	 * packet; e.g. we should be smarter, a.s. there are just few situations
+	 *
+	 * The tcp_alloc_buf should be smarter and point the uv_read_start to
+	 * the position where previous read has ended in the sock->buf, that way
+	 * the data could be read directly into sock->buf.
+	 */
+
+	if (sock->buf_len + len > sock->buf_size) {
+		isc__nm_alloc_dnsbuf(sock, sock->buf_len + len);
+	}
+	memmove(sock->buf + sock->buf_len, base, len);
+	sock->buf_len += len;
+
+	if (!atomic_load(&sock->client)) {
+		sock->read_timeout = atomic_load(&sock->mgr->idle);
+	}
+
+	result = isc__nm_process_sock_buffer(sock);
+	if (result != ISC_R_SUCCESS) {
+		isc__nm_failed_read_cb(sock, result, true);
+	}
+free:
+	if (nread < 0) {
+		/*
+		 * The buffer may be a null buffer on error.
+		 */
+		if (buf->base == NULL && buf->len == 0) {
+			return;
+		}
+	}
+
+	isc__nm_free_uvbuf(sock, buf);
+}
+
+static void
+quota_accept_cb(isc_quota_t *quota, void *sock0) {
+	isc_nmsocket_t *sock = (isc_nmsocket_t *)sock0;
+
+	REQUIRE(VALID_NMSOCK(sock));
+
+	/*
+	 * Create a tcpdnsaccept event and pass it using the async channel.
+	 */
+
+	isc__netievent_tcpdnsaccept_t *ievent =
+		isc__nm_get_netievent_tcpdnsaccept(sock->mgr, sock, quota);
+	isc__nm_maybe_enqueue_ievent(&sock->mgr->workers[sock->tid],
+				     (isc__netievent_t *)ievent);
+}
+
+/*
+ * This is called after we get a quota_accept_cb() callback.
+ */
+void
+isc__nm_async_tcpdnsaccept(isc__networker_t *worker, isc__netievent_t *ev0) {
+	isc__netievent_tcpdnsaccept_t *ievent =
+		(isc__netievent_tcpdnsaccept_t *)ev0;
+	isc_result_t result;
+
+	UNUSED(worker);
+
+	REQUIRE(VALID_NMSOCK(ievent->sock));
+	REQUIRE(ievent->sock->tid == isc_nm_tid());
+
+	result = accept_connection(ievent->sock, ievent->quota);
+	isc__nm_accept_connection_log(result, can_log_tcpdns_quota());
+}
+
+static isc_result_t
+accept_connection(isc_nmsocket_t *ssock, isc_quota_t *quota) {
+	isc_nmsocket_t *csock = NULL;
+	isc__networker_t *worker = NULL;
+	int r;
+	isc_result_t result;
+	struct sockaddr_storage peer_ss;
+	struct sockaddr_storage local_ss;
+	isc_sockaddr_t local;
+	isc_nmhandle_t *handle = NULL;
+
+	REQUIRE(VALID_NMSOCK(ssock));
+	REQUIRE(ssock->tid == isc_nm_tid());
+
+	if (isc__nmsocket_closing(ssock)) {
+		if (quota != NULL) {
+			isc_quota_detach(&quota);
+		}
+		return (ISC_R_CANCELED);
+	}
+
+	REQUIRE(ssock->accept_cb != NULL);
+
+	csock = isc_mem_get(ssock->mgr->mctx, sizeof(isc_nmsocket_t));
+	isc__nmsocket_init(csock, ssock->mgr, isc_nm_tcpdnssocket,
+			   &ssock->iface);
+	csock->tid = ssock->tid;
+	csock->extrahandlesize = ssock->extrahandlesize;
+	isc__nmsocket_attach(ssock, &csock->server);
+	csock->recv_cb = ssock->recv_cb;
+	csock->recv_cbarg = ssock->recv_cbarg;
+	csock->quota = quota;
+	csock->accepting = true;
+
+	worker = &csock->mgr->workers[csock->tid];
+
+	r = uv_tcp_init(&worker->loop, &csock->uv_handle.tcp);
+	UV_RUNTIME_CHECK(uv_tcp_init, r);
+	uv_handle_set_data(&csock->uv_handle.handle, csock);
+
+	r = uv_timer_init(&worker->loop, &csock->read_timer);
+	UV_RUNTIME_CHECK(uv_timer_init, r);
+	uv_handle_set_data((uv_handle_t *)&csock->read_timer, csock);
+
+	r = uv_accept(&ssock->uv_handle.stream, &csock->uv_handle.stream);
+	if (r != 0) {
+		result = isc__nm_uverr2result(r);
+		goto failure;
+	}
+
+	r = uv_tcp_getpeername(&csock->uv_handle.tcp,
+			       (struct sockaddr *)&peer_ss,
+			       &(int){ sizeof(peer_ss) });
+	if (r != 0) {
+		result = isc__nm_uverr2result(r);
+		goto failure;
+	}
+
+	result = isc_sockaddr_fromsockaddr(&csock->peer,
+					   (struct sockaddr *)&peer_ss);
+	if (result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+
+	r = uv_tcp_getsockname(&csock->uv_handle.tcp,
+			       (struct sockaddr *)&local_ss,
+			       &(int){ sizeof(local_ss) });
+	if (r != 0) {
+		result = isc__nm_uverr2result(r);
+		goto failure;
+	}
+
+	result = isc_sockaddr_fromsockaddr(&local,
+					   (struct sockaddr *)&local_ss);
+	if (result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+
+	/*
+	 * The handle will be either detached on acceptcb failure or in the
+	 * readcb.
+	 */
+	handle = isc__nmhandle_get(csock, NULL, &local);
+
+	result = ssock->accept_cb(handle, ISC_R_SUCCESS, ssock->accept_cbarg);
+	if (result != ISC_R_SUCCESS) {
+		isc_nmhandle_detach(&handle);
+		goto failure;
+	}
+
+	csock->accepting = false;
+
+	isc__nm_incstats(csock->mgr, csock->statsindex[STATID_ACCEPT]);
+
+	csock->read_timeout = atomic_load(&csock->mgr->init);
+
+	csock->closehandle_cb = isc__nm_resume_processing;
+
+	/*
+	 * We need to keep the handle alive until we fail to read or connection
+	 * is closed by the other side, it will be detached via
+	 * prep_destroy()->tcpdns_close_direct().
+	 */
+	isc_nmhandle_attach(handle, &csock->recv_handle);
+	result = isc__nm_process_sock_buffer(csock);
+	if (result != ISC_R_SUCCESS) {
+		isc_nmhandle_detach(&csock->recv_handle);
+		isc_nmhandle_detach(&handle);
+		goto failure;
+	}
+
+	/*
+	 * The initial timer has been set, update the read timeout for the next
+	 * reads.
+	 */
+	csock->read_timeout = (atomic_load(&csock->keepalive)
+				       ? atomic_load(&csock->mgr->keepalive)
+				       : atomic_load(&csock->mgr->idle));
+
+	isc_nmhandle_detach(&handle);
+
+	/*
+	 * sock is now attached to the handle.
+	 */
+	isc__nmsocket_detach(&csock);
+
+	return (ISC_R_SUCCESS);
+
+failure:
+
+	atomic_store(&csock->active, false);
+
+	isc__nm_failed_accept_cb(csock, result);
+
+	isc__nmsocket_prep_destroy(csock);
+
+	isc__nmsocket_detach(&csock);
+
+	return (result);
+}
+
+void
+isc__nm_tcpdns_send(isc_nmhandle_t *handle, isc_region_t *region,
+		    isc_nm_cb_t cb, void *cbarg) {
+	REQUIRE(VALID_NMHANDLE(handle));
+	REQUIRE(VALID_NMSOCK(handle->sock));
+
+	isc_nmsocket_t *sock = handle->sock;
+	isc__netievent_tcpdnssend_t *ievent = NULL;
+	isc__nm_uvreq_t *uvreq = NULL;
+
+	REQUIRE(sock->type == isc_nm_tcpdnssocket);
+
+	uvreq = isc__nm_uvreq_get(sock->mgr, sock);
+	*(uint16_t *)uvreq->tcplen = htons(region->length);
+	uvreq->uvbuf.base = (char *)region->base;
+	uvreq->uvbuf.len = region->length;
+
+	isc_nmhandle_attach(handle, &uvreq->handle);
+
+	uvreq->cb.send = cb;
+	uvreq->cbarg = cbarg;
+
+	ievent = isc__nm_get_netievent_tcpdnssend(sock->mgr, sock, uvreq);
+	isc__nm_maybe_enqueue_ievent(&sock->mgr->workers[sock->tid],
+				     (isc__netievent_t *)ievent);
+
+	return;
+}
+
+static void
+tcpdns_send_cb(uv_write_t *req, int status) {
+	isc__nm_uvreq_t *uvreq = (isc__nm_uvreq_t *)req->data;
+	isc_nmsocket_t *sock = NULL;
+
+	REQUIRE(VALID_UVREQ(uvreq));
+	REQUIRE(VALID_NMSOCK(uvreq->sock));
+
+	sock = uvreq->sock;
+
+	isc_nm_timer_stop(uvreq->timer);
+	isc_nm_timer_detach(&uvreq->timer);
+
+	if (status < 0) {
+		isc__nm_incstats(sock->mgr, sock->statsindex[STATID_SENDFAIL]);
+		isc__nm_failed_send_cb(sock, uvreq,
+				       isc__nm_uverr2result(status));
+		return;
+	}
+
+	isc__nm_sendcb(sock, uvreq, ISC_R_SUCCESS, false);
+}
+
+/*
+ * Handle 'tcpsend' async event - send a packet on the socket
+ */
+void
+isc__nm_async_tcpdnssend(isc__networker_t *worker, isc__netievent_t *ev0) {
+	isc__netievent_tcpdnssend_t *ievent =
+		(isc__netievent_tcpdnssend_t *)ev0;
+
+	REQUIRE(VALID_UVREQ(ievent->req));
+	REQUIRE(VALID_NMSOCK(ievent->sock));
+	REQUIRE(ievent->sock->type == isc_nm_tcpdnssocket);
+	REQUIRE(ievent->sock->tid == isc_nm_tid());
+
+	isc_result_t result;
+	isc_nmsocket_t *sock = ievent->sock;
+	isc__nm_uvreq_t *uvreq = ievent->req;
+
+	if (sock->write_timeout == 0) {
+		sock->write_timeout =
+			(atomic_load(&sock->keepalive)
+				 ? atomic_load(&sock->mgr->keepalive)
+				 : atomic_load(&sock->mgr->idle));
+	}
+
+	uv_buf_t bufs[2] = { { .base = uvreq->tcplen, .len = 2 },
+			     { .base = uvreq->uvbuf.base,
+			       .len = uvreq->uvbuf.len } };
+	int nbufs = 2;
+	int r;
+
+	UNUSED(worker);
+
+	if (isc__nmsocket_closing(sock)) {
+		result = ISC_R_CANCELED;
+		goto fail;
+	}
+
+	r = uv_try_write(&sock->uv_handle.stream, bufs, nbufs);
+
+	if (r == (int)(bufs[0].len + bufs[1].len)) {
+		/* Wrote everything */
+		isc__nm_sendcb(sock, uvreq, ISC_R_SUCCESS, true);
+		return;
+	}
+
+	if (r == 1) {
+		/* Partial write of DNSMSG length */
+		bufs[0].base = uvreq->tcplen + 1;
+		bufs[0].len = 1;
+	} else if (r > 0) {
+		/* Partial write of DNSMSG */
+		nbufs = 1;
+		bufs[0].base = uvreq->uvbuf.base + (r - 2);
+		bufs[0].len = uvreq->uvbuf.len - (r - 2);
+	} else if (r == UV_ENOSYS || r == UV_EAGAIN) {
+		/* uv_try_write not supported, send asynchronously */
+	} else {
+		/* error sending data */
+		result = isc__nm_uverr2result(r);
+		goto fail;
+	}
+
+	r = uv_write(&uvreq->uv_req.write, &sock->uv_handle.stream, bufs, nbufs,
+		     tcpdns_send_cb);
+	if (r < 0) {
+		result = isc__nm_uverr2result(r);
+		goto fail;
+	}
+
+	isc_nm_timer_create(uvreq->handle, isc__nmsocket_writetimeout_cb, uvreq,
+			    &uvreq->timer);
+	if (sock->write_timeout > 0) {
+		isc_nm_timer_start(uvreq->timer, sock->write_timeout);
+	}
+
+	return;
+fail:
+	if (result != ISC_R_SUCCESS) {
+		isc__nm_incstats(sock->mgr, sock->statsindex[STATID_SENDFAIL]);
+		isc__nm_failed_send_cb(sock, uvreq, result);
+	}
+}
+
+static void
+tcpdns_stop_cb(uv_handle_t *handle) {
+	isc_nmsocket_t *sock = uv_handle_get_data(handle);
+
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->tid == isc_nm_tid());
+	REQUIRE(atomic_load(&sock->closing));
+
+	uv_handle_set_data(handle, NULL);
+
+	if (!atomic_compare_exchange_strong(&sock->closed, &(bool){ false },
+					    true))
+	{
+		UNREACHABLE();
+	}
+
+	isc__nm_incstats(sock->mgr, sock->statsindex[STATID_CLOSE]);
+
+	atomic_store(&sock->listening, false);
+
+	isc__nmsocket_detach(&sock);
+}
+
+static void
+tcpdns_close_sock(isc_nmsocket_t *sock) {
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->tid == isc_nm_tid());
+	REQUIRE(atomic_load(&sock->closing));
+
+	if (!atomic_compare_exchange_strong(&sock->closed, &(bool){ false },
+					    true))
+	{
+		UNREACHABLE();
+	}
+
+	isc__nm_incstats(sock->mgr, sock->statsindex[STATID_CLOSE]);
+
+	if (sock->server != NULL) {
+		isc__nmsocket_detach(&sock->server);
+	}
+
+	atomic_store(&sock->connected, false);
+
+	isc__nmsocket_prep_destroy(sock);
+}
+
+static void
+tcpdns_close_cb(uv_handle_t *handle) {
+	isc_nmsocket_t *sock = uv_handle_get_data(handle);
+
+	uv_handle_set_data(handle, NULL);
+
+	tcpdns_close_sock(sock);
+}
+
+static void
+read_timer_close_cb(uv_handle_t *timer) {
+	isc_nmsocket_t *sock = uv_handle_get_data(timer);
+	uv_handle_set_data(timer, NULL);
+
+	REQUIRE(VALID_NMSOCK(sock));
+
+	if (sock->parent) {
+		uv_close(&sock->uv_handle.handle, tcpdns_stop_cb);
+	} else if (uv_is_closing(&sock->uv_handle.handle)) {
+		tcpdns_close_sock(sock);
+	} else {
+		uv_close(&sock->uv_handle.handle, tcpdns_close_cb);
+	}
+}
+
+static void
+stop_tcpdns_child(isc_nmsocket_t *sock) {
+	REQUIRE(sock->type == isc_nm_tcpdnssocket);
+	REQUIRE(sock->tid == isc_nm_tid());
+
+	if (!atomic_compare_exchange_strong(&sock->closing, &(bool){ false },
+					    true))
+	{
+		return;
+	}
+
+	tcpdns_close_direct(sock);
+
+	atomic_fetch_sub(&sock->parent->rchildren, 1);
+
+	isc_barrier_wait(&sock->parent->stoplistening);
+}
+
+static void
+stop_tcpdns_parent(isc_nmsocket_t *sock) {
+	isc_nmsocket_t *csock = NULL;
+
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->tid == isc_nm_tid());
+	REQUIRE(sock->type == isc_nm_tcpdnslistener);
+
+	isc_barrier_init(&sock->stoplistening, sock->nchildren);
+
+	for (size_t i = 0; i < sock->nchildren; i++) {
+		csock = &sock->children[i];
+		REQUIRE(VALID_NMSOCK(csock));
+
+		if ((int)i == isc_nm_tid()) {
+			/*
+			 * We need to schedule closing the other sockets first
+			 */
+			continue;
+		}
+
+		atomic_store(&csock->active, false);
+		enqueue_stoplistening(csock);
+	}
+
+	csock = &sock->children[isc_nm_tid()];
+	atomic_store(&csock->active, false);
+	stop_tcpdns_child(csock);
+
+	atomic_store(&sock->closed, true);
+	isc__nmsocket_prep_destroy(sock);
+}
+
+static void
+tcpdns_close_direct(isc_nmsocket_t *sock) {
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->tid == isc_nm_tid());
+	REQUIRE(atomic_load(&sock->closing));
+
+	if (sock->quota != NULL) {
+		isc_quota_detach(&sock->quota);
+	}
+
+	if (sock->recv_handle != NULL) {
+		isc_nmhandle_detach(&sock->recv_handle);
+	}
+
+	isc__nmsocket_timer_stop(sock);
+	isc__nm_stop_reading(sock);
+
+	uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
+	uv_close((uv_handle_t *)&sock->read_timer, read_timer_close_cb);
+}
+
+void
+isc__nm_tcpdns_close(isc_nmsocket_t *sock) {
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->type == isc_nm_tcpdnssocket);
+	REQUIRE(!isc__nmsocket_active(sock));
+
+	if (!atomic_compare_exchange_strong(&sock->closing, &(bool){ false },
+					    true))
+	{
+		return;
+	}
+
+	if (sock->tid == isc_nm_tid()) {
+		tcpdns_close_direct(sock);
+	} else {
+		/*
+		 * We need to create an event and pass it using async channel
+		 */
+		isc__netievent_tcpdnsclose_t *ievent =
+			isc__nm_get_netievent_tcpdnsclose(sock->mgr, sock);
+
+		isc__nm_enqueue_ievent(&sock->mgr->workers[sock->tid],
+				       (isc__netievent_t *)ievent);
+	}
+}
+
+void
+isc__nm_async_tcpdnsclose(isc__networker_t *worker, isc__netievent_t *ev0) {
+	isc__netievent_tcpdnsclose_t *ievent =
+		(isc__netievent_tcpdnsclose_t *)ev0;
+	isc_nmsocket_t *sock = ievent->sock;
+
+	UNUSED(worker);
+
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->tid == isc_nm_tid());
+
+	tcpdns_close_direct(sock);
+}
+
+static void
+tcpdns_close_connect_cb(uv_handle_t *handle) {
+	isc_nmsocket_t *sock = uv_handle_get_data(handle);
+
+	REQUIRE(VALID_NMSOCK(sock));
+
+	REQUIRE(isc__nm_in_netthread());
+	REQUIRE(sock->tid == isc_nm_tid());
+
+	isc__nmsocket_prep_destroy(sock);
+	isc__nmsocket_detach(&sock);
+}
+
+void
+isc__nm_tcpdns_shutdown(isc_nmsocket_t *sock) {
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->tid == isc_nm_tid());
+	REQUIRE(sock->type == isc_nm_tcpdnssocket);
+
+	/*
+	 * If the socket is active, mark it inactive and
+	 * continue. If it isn't active, stop now.
+	 */
+	if (!isc__nmsocket_deactivate(sock)) {
+		return;
+	}
+
+	if (sock->accepting) {
+		return;
+	}
+
+	if (atomic_load(&sock->connecting)) {
+		isc_nmsocket_t *tsock = NULL;
+		isc__nmsocket_attach(sock, &tsock);
+		uv_close(&sock->uv_handle.handle, tcpdns_close_connect_cb);
+		return;
+	}
+
+	if (sock->statichandle != NULL) {
+		isc__nm_failed_read_cb(sock, ISC_R_CANCELED, false);
+		return;
+	}
+
+	/*
+	 * Otherwise, we just send the socket to abyss...
+	 */
+	if (sock->parent == NULL) {
+		isc__nmsocket_prep_destroy(sock);
+	}
+}
+
+void
+isc__nm_tcpdns_cancelread(isc_nmhandle_t *handle) {
+	isc_nmsocket_t *sock = NULL;
+	isc__netievent_tcpdnscancel_t *ievent = NULL;
+
+	REQUIRE(VALID_NMHANDLE(handle));
+
+	sock = handle->sock;
+
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->type == isc_nm_tcpdnssocket);
+
+	ievent = isc__nm_get_netievent_tcpdnscancel(sock->mgr, sock, handle);
+	isc__nm_enqueue_ievent(&sock->mgr->workers[sock->tid],
+			       (isc__netievent_t *)ievent);
+}
+
+void
+isc__nm_async_tcpdnscancel(isc__networker_t *worker, isc__netievent_t *ev0) {
+	isc__netievent_tcpdnscancel_t *ievent =
+		(isc__netievent_tcpdnscancel_t *)ev0;
+	isc_nmsocket_t *sock = ievent->sock;
+
+	UNUSED(worker);
+
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->tid == isc_nm_tid());
+
+	isc__nm_failed_read_cb(sock, ISC_R_EOF, false);
+}
+
+void
+isc_nm_tcpdns_sequential(isc_nmhandle_t *handle) {
+	isc_nmsocket_t *sock = NULL;
+
+	REQUIRE(VALID_NMHANDLE(handle));
+	REQUIRE(VALID_NMSOCK(handle->sock));
+	REQUIRE(handle->sock->type == isc_nm_tcpdnssocket);
+
+	sock = handle->sock;
+
+	/*
+	 * We don't want pipelining on this connection. That means
+	 * that we need to pause after reading each request, and
+	 * resume only after the request has been processed. This
+	 * is done in resume_processing(), which is the socket's
+	 * closehandle_cb callback, called whenever a handle
+	 * is released.
+	 */
+
+	isc__nmsocket_timer_stop(sock);
+	isc__nm_stop_reading(sock);
+	atomic_store(&sock->sequential, true);
+}
diff --git a/lib/isc/netmgr/udp.c b/lib/isc/netmgr/udp.c
new file mode 100644
index 0000000..00f9d40
--- /dev/null
+++ b/lib/isc/netmgr/udp.c
@@ -0,0 +1,1211 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <unistd.h>
+#include <uv.h>
+
+#include <isc/atomic.h>
+#include <isc/barrier.h>
+#include <isc/buffer.h>
+#include <isc/condition.h>
+#include <isc/errno.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/netmgr.h>
+#include <isc/random.h>
+#include <isc/refcount.h>
+#include <isc/region.h>
+#include <isc/result.h>
+#include <isc/sockaddr.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+
+#include "netmgr-int.h"
+#include "uv-compat.h"
+
+static isc_result_t
+udp_send_direct(isc_nmsocket_t *sock, isc__nm_uvreq_t *req,
+		isc_sockaddr_t *peer);
+
+static void
+udp_recv_cb(uv_udp_t *handle, ssize_t nrecv, const uv_buf_t *buf,
+	    const struct sockaddr *addr, unsigned flags);
+
+static void
+udp_send_cb(uv_udp_send_t *req, int status);
+
+static void
+udp_close_cb(uv_handle_t *handle);
+
+static void
+read_timer_close_cb(uv_handle_t *handle);
+
+static void
+udp_close_direct(isc_nmsocket_t *sock);
+
+static void
+stop_udp_parent(isc_nmsocket_t *sock);
+static void
+stop_udp_child(isc_nmsocket_t *sock);
+
+static uv_os_sock_t
+isc__nm_udp_lb_socket(isc_nm_t *mgr, sa_family_t sa_family) {
+	isc_result_t result;
+	uv_os_sock_t sock;
+
+	result = isc__nm_socket(sa_family, SOCK_DGRAM, 0, &sock);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	(void)isc__nm_socket_incoming_cpu(sock);
+	(void)isc__nm_socket_disable_pmtud(sock, sa_family);
+
+	result = isc__nm_socket_reuse(sock);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+#ifndef _WIN32
+	if (mgr->load_balance_sockets) {
+		result = isc__nm_socket_reuse_lb(sock);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	}
+#endif
+
+	return (sock);
+}
+
+static void
+start_udp_child(isc_nm_t *mgr, isc_sockaddr_t *iface, isc_nmsocket_t *sock,
+		uv_os_sock_t fd, int tid) {
+	isc_nmsocket_t *csock;
+	isc__netievent_udplisten_t *ievent = NULL;
+
+	csock = &sock->children[tid];
+
+	isc__nmsocket_init(csock, mgr, isc_nm_udpsocket, iface);
+	csock->parent = sock;
+	csock->iface = sock->iface;
+	csock->reading = true;
+	csock->recv_cb = sock->recv_cb;
+	csock->recv_cbarg = sock->recv_cbarg;
+	csock->extrahandlesize = sock->extrahandlesize;
+	csock->tid = tid;
+
+#ifdef _WIN32
+	UNUSED(fd);
+	csock->fd = isc__nm_udp_lb_socket(mgr, iface->type.sa.sa_family);
+#else
+	if (mgr->load_balance_sockets) {
+		UNUSED(fd);
+		csock->fd = isc__nm_udp_lb_socket(mgr,
+						  iface->type.sa.sa_family);
+	} else {
+		csock->fd = dup(fd);
+	}
+#endif
+	REQUIRE(csock->fd >= 0);
+
+	ievent = isc__nm_get_netievent_udplisten(mgr, csock);
+	isc__nm_maybe_enqueue_ievent(&mgr->workers[tid],
+				     (isc__netievent_t *)ievent);
+}
+
+static void
+enqueue_stoplistening(isc_nmsocket_t *sock) {
+	isc__netievent_udpstop_t *ievent =
+		isc__nm_get_netievent_udpstop(sock->mgr, sock);
+	isc__nm_enqueue_ievent(&sock->mgr->workers[sock->tid],
+			       (isc__netievent_t *)ievent);
+}
+
+isc_result_t
+isc_nm_listenudp(isc_nm_t *mgr, isc_sockaddr_t *iface, isc_nm_recv_cb_t cb,
+		 void *cbarg, size_t extrahandlesize, isc_nmsocket_t **sockp) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_nmsocket_t *sock = NULL;
+	size_t children_size = 0;
+	REQUIRE(VALID_NM(mgr));
+	uv_os_sock_t fd = -1;
+
+	/*
+	 * We are creating mgr->nworkers duplicated sockets, one
+	 * socket for each worker thread.
+	 */
+	sock = isc_mem_get(mgr->mctx, sizeof(isc_nmsocket_t));
+	isc__nmsocket_init(sock, mgr, isc_nm_udplistener, iface);
+
+	atomic_init(&sock->rchildren, 0);
+#if defined(WIN32)
+	sock->nchildren = 1;
+#else
+	sock->nchildren = mgr->nworkers;
+#endif
+
+	children_size = sock->nchildren * sizeof(sock->children[0]);
+	sock->children = isc_mem_get(mgr->mctx, children_size);
+	memset(sock->children, 0, children_size);
+
+	sock->recv_cb = cb;
+	sock->recv_cbarg = cbarg;
+	sock->extrahandlesize = extrahandlesize;
+	sock->result = ISC_R_UNSET;
+
+	sock->tid = 0;
+	sock->fd = -1;
+
+#ifndef _WIN32
+	if (!mgr->load_balance_sockets) {
+		fd = isc__nm_udp_lb_socket(mgr, iface->type.sa.sa_family);
+	}
+#endif
+
+	isc_barrier_init(&sock->startlistening, sock->nchildren);
+
+	for (size_t i = 0; i < sock->nchildren; i++) {
+		if ((int)i == isc_nm_tid()) {
+			continue;
+		}
+		start_udp_child(mgr, iface, sock, fd, i);
+	}
+
+	if (isc__nm_in_netthread()) {
+		start_udp_child(mgr, iface, sock, fd, isc_nm_tid());
+	}
+
+#ifndef _WIN32
+	if (!mgr->load_balance_sockets) {
+		isc__nm_closesocket(fd);
+	}
+#endif
+
+	LOCK(&sock->lock);
+	while (atomic_load(&sock->rchildren) != sock->nchildren) {
+		WAIT(&sock->cond, &sock->lock);
+	}
+	result = sock->result;
+	atomic_store(&sock->active, true);
+	UNLOCK(&sock->lock);
+
+	INSIST(result != ISC_R_UNSET);
+
+	if (result == ISC_R_SUCCESS) {
+		REQUIRE(atomic_load(&sock->rchildren) == sock->nchildren);
+		*sockp = sock;
+	} else {
+		atomic_store(&sock->active, false);
+		enqueue_stoplistening(sock);
+		isc_nmsocket_close(&sock);
+	}
+
+	return (result);
+}
+
+/*
+ * Asynchronous 'udplisten' call handler: start listening on a UDP socket.
+ */
+void
+isc__nm_async_udplisten(isc__networker_t *worker, isc__netievent_t *ev0) {
+	isc__netievent_udplisten_t *ievent = (isc__netievent_udplisten_t *)ev0;
+	isc_nmsocket_t *sock = NULL;
+	int r, uv_bind_flags = 0;
+	int uv_init_flags = 0;
+	sa_family_t sa_family;
+	isc_result_t result = ISC_R_UNSET;
+	isc_nm_t *mgr = NULL;
+
+	REQUIRE(VALID_NMSOCK(ievent->sock));
+	REQUIRE(ievent->sock->tid == isc_nm_tid());
+	REQUIRE(VALID_NMSOCK(ievent->sock->parent));
+
+	sock = ievent->sock;
+	sa_family = sock->iface.type.sa.sa_family;
+	mgr = sock->mgr;
+
+	REQUIRE(sock->type == isc_nm_udpsocket);
+	REQUIRE(sock->parent != NULL);
+	REQUIRE(sock->tid == isc_nm_tid());
+
+#if HAVE_DECL_UV_UDP_RECVMMSG
+	uv_init_flags |= UV_UDP_RECVMMSG;
+#endif
+	r = uv_udp_init_ex(&worker->loop, &sock->uv_handle.udp, uv_init_flags);
+	UV_RUNTIME_CHECK(uv_udp_init_ex, r);
+	uv_handle_set_data(&sock->uv_handle.handle, sock);
+	/* This keeps the socket alive after everything else is gone */
+	isc__nmsocket_attach(sock, &(isc_nmsocket_t *){ NULL });
+
+	r = uv_timer_init(&worker->loop, &sock->read_timer);
+	UV_RUNTIME_CHECK(uv_timer_init, r);
+	uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
+
+	LOCK(&sock->parent->lock);
+
+	r = uv_udp_open(&sock->uv_handle.udp, sock->fd);
+	if (r < 0) {
+		isc__nm_closesocket(sock->fd);
+		isc__nm_incstats(sock->mgr, sock->statsindex[STATID_OPENFAIL]);
+		goto done;
+	}
+	isc__nm_incstats(sock->mgr, sock->statsindex[STATID_OPEN]);
+
+	if (sa_family == AF_INET6) {
+		uv_bind_flags |= UV_UDP_IPV6ONLY;
+	}
+
+#ifdef _WIN32
+	r = isc_uv_udp_freebind(&sock->uv_handle.udp,
+				&sock->parent->iface.type.sa, uv_bind_flags);
+	if (r < 0) {
+		isc__nm_incstats(sock->mgr, sock->statsindex[STATID_BINDFAIL]);
+		goto done;
+	}
+#else
+	if (mgr->load_balance_sockets) {
+		r = isc_uv_udp_freebind(&sock->uv_handle.udp,
+					&sock->parent->iface.type.sa,
+					uv_bind_flags);
+		if (r < 0) {
+			isc__nm_incstats(sock->mgr,
+					 sock->statsindex[STATID_BINDFAIL]);
+			goto done;
+		}
+	} else {
+		if (sock->parent->fd == -1) {
+			/* This thread is first, bind the socket */
+			r = isc_uv_udp_freebind(&sock->uv_handle.udp,
+						&sock->parent->iface.type.sa,
+						uv_bind_flags);
+			if (r < 0) {
+				isc__nm_incstats(sock->mgr, STATID_BINDFAIL);
+				goto done;
+			}
+			sock->parent->uv_handle.udp.flags =
+				sock->uv_handle.udp.flags;
+			sock->parent->fd = sock->fd;
+		} else {
+			/* The socket is already bound, just copy the flags */
+			sock->uv_handle.udp.flags =
+				sock->parent->uv_handle.udp.flags;
+		}
+	}
+#endif
+
+#ifdef ISC_RECV_BUFFER_SIZE
+	uv_recv_buffer_size(&sock->uv_handle.handle,
+			    &(int){ ISC_RECV_BUFFER_SIZE });
+#endif
+#ifdef ISC_SEND_BUFFER_SIZE
+	uv_send_buffer_size(&sock->uv_handle.handle,
+			    &(int){ ISC_SEND_BUFFER_SIZE });
+#endif
+	r = uv_udp_recv_start(&sock->uv_handle.udp, isc__nm_alloc_cb,
+			      udp_recv_cb);
+	if (r != 0) {
+		isc__nm_incstats(sock->mgr, sock->statsindex[STATID_BINDFAIL]);
+		goto done;
+	}
+
+	atomic_store(&sock->listening, true);
+
+done:
+	result = isc__nm_uverr2result(r);
+	atomic_fetch_add(&sock->parent->rchildren, 1);
+	if (sock->parent->result == ISC_R_UNSET) {
+		sock->parent->result = result;
+	}
+	SIGNAL(&sock->parent->cond);
+	UNLOCK(&sock->parent->lock);
+
+	isc_barrier_wait(&sock->parent->startlistening);
+}
+
+void
+isc__nm_udp_stoplistening(isc_nmsocket_t *sock) {
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->type == isc_nm_udplistener);
+
+	if (!atomic_compare_exchange_strong(&sock->closing, &(bool){ false },
+					    true))
+	{
+		UNREACHABLE();
+	}
+
+	if (!isc__nm_in_netthread()) {
+		enqueue_stoplistening(sock);
+	} else {
+		stop_udp_parent(sock);
+	}
+}
+
+/*
+ * Asynchronous 'udpstop' call handler: stop listening on a UDP socket.
+ */
+void
+isc__nm_async_udpstop(isc__networker_t *worker, isc__netievent_t *ev0) {
+	isc__netievent_udpstop_t *ievent = (isc__netievent_udpstop_t *)ev0;
+	isc_nmsocket_t *sock = ievent->sock;
+
+	UNUSED(worker);
+
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->tid == isc_nm_tid());
+
+	if (sock->parent != NULL) {
+		stop_udp_child(sock);
+		return;
+	}
+
+	stop_udp_parent(sock);
+}
+
+/*
+ * udp_recv_cb handles incoming UDP packet from uv.  The buffer here is
+ * reused for a series of packets, so we need to allocate a new one.
+ * This new one can be reused to send the response then.
+ */
+static void
+udp_recv_cb(uv_udp_t *handle, ssize_t nrecv, const uv_buf_t *buf,
+	    const struct sockaddr *addr, unsigned flags) {
+	isc_nmsocket_t *sock = uv_handle_get_data((uv_handle_t *)handle);
+	isc__nm_uvreq_t *req = NULL;
+	uint32_t maxudp;
+	isc_sockaddr_t sockaddr;
+	isc_result_t result;
+
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->tid == isc_nm_tid());
+	REQUIRE(sock->reading);
+
+	/*
+	 * When using recvmmsg(2), if no errors occur, there will be a final
+	 * callback with nrecv set to 0, addr set to NULL and the buffer
+	 * pointing at the initially allocated data with the UV_UDP_MMSG_CHUNK
+	 * flag cleared and the UV_UDP_MMSG_FREE flag set.
+	 */
+#if HAVE_DECL_UV_UDP_MMSG_FREE
+	if ((flags & UV_UDP_MMSG_FREE) == UV_UDP_MMSG_FREE) {
+		INSIST(nrecv == 0);
+		INSIST(addr == NULL);
+		goto free;
+	}
+#else
+	UNUSED(flags);
+#endif
+
+	/*
+	 * - If we're simulating a firewall blocking UDP packets
+	 *   bigger than 'maxudp' bytes for testing purposes.
+	 */
+	maxudp = atomic_load(&sock->mgr->maxudp);
+	if ((maxudp != 0 && (uint32_t)nrecv > maxudp)) {
+		/*
+		 * We need to keep the read_cb intact in case, so the
+		 * readtimeout_cb can trigger and not crash because of
+		 * missing read_req.
+		 */
+		goto free;
+	}
+
+	/*
+	 * - If addr == NULL, in which case it's the end of stream;
+	 *   we can free the buffer and bail.
+	 */
+	if (addr == NULL) {
+		isc__nm_failed_read_cb(sock, ISC_R_EOF, false);
+		goto free;
+	}
+
+	/*
+	 * - If the socket is no longer active.
+	 */
+	if (!isc__nmsocket_active(sock)) {
+		isc__nm_failed_read_cb(sock, ISC_R_CANCELED, false);
+		goto free;
+	}
+
+	if (nrecv < 0) {
+		isc__nm_failed_read_cb(sock, isc__nm_uverr2result(nrecv),
+				       false);
+		goto free;
+	}
+
+	result = isc_sockaddr_fromsockaddr(&sockaddr, addr);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	req = isc__nm_get_read_req(sock, &sockaddr);
+
+	/*
+	 * The callback will be called synchronously, because result is
+	 * ISC_R_SUCCESS, so we are ok of passing the buf directly.
+	 */
+	req->uvbuf.base = buf->base;
+	req->uvbuf.len = nrecv;
+
+	sock->recv_read = false;
+
+	REQUIRE(!sock->processing);
+	sock->processing = true;
+	isc__nm_readcb(sock, req, ISC_R_SUCCESS);
+	sock->processing = false;
+
+free:
+#if HAVE_DECL_UV_UDP_MMSG_CHUNK
+	/*
+	 * When using recvmmsg(2), chunks will have the UV_UDP_MMSG_CHUNK flag
+	 * set, those must not be freed.
+	 */
+	if ((flags & UV_UDP_MMSG_CHUNK) == UV_UDP_MMSG_CHUNK) {
+		return;
+	}
+#endif
+
+	/*
+	 * When using recvmmsg(2), if a UDP socket error occurs, nrecv will be <
+	 * 0. In either scenario, the callee can now safely free the provided
+	 * buffer.
+	 */
+	if (nrecv < 0) {
+		/*
+		 * The buffer may be a null buffer on error.
+		 */
+		if (buf->base == NULL && buf->len == 0) {
+			return;
+		}
+	}
+
+	isc__nm_free_uvbuf(sock, buf);
+}
+
+/*
+ * Send the data in 'region' to a peer via a UDP socket. We try to find
+ * a proper sibling/child socket so that we won't have to jump to
+ * another thread.
+ */
+void
+isc__nm_udp_send(isc_nmhandle_t *handle, const isc_region_t *region,
+		 isc_nm_cb_t cb, void *cbarg) {
+	isc_nmsocket_t *sock = handle->sock;
+	isc_nmsocket_t *rsock = NULL;
+	isc_sockaddr_t *peer = &handle->peer;
+	isc__nm_uvreq_t *uvreq = NULL;
+	uint32_t maxudp = atomic_load(&sock->mgr->maxudp);
+	int ntid;
+
+	INSIST(sock->type == isc_nm_udpsocket);
+
+	/*
+	 * We're simulating a firewall blocking UDP packets bigger than
+	 * 'maxudp' bytes, for testing purposes.
+	 *
+	 * The client would ordinarily have unreferenced the handle
+	 * in the callback, but that won't happen in this case, so
+	 * we need to do so here.
+	 */
+	if (maxudp != 0 && region->length > maxudp) {
+		isc_nmhandle_detach(&handle);
+		return;
+	}
+
+	if (atomic_load(&sock->client)) {
+		/*
+		 * When we are sending from the client socket, we directly use
+		 * the socket provided.
+		 */
+		rsock = sock;
+		goto send;
+	} else {
+		/*
+		 * When we are sending from the server socket, we either use the
+		 * socket associated with the network thread we are in, or we
+		 * use the thread from the socket associated with the handle.
+		 */
+		INSIST(sock->parent != NULL);
+
+#if defined(WIN32)
+		/* On Windows, we have only a single listening listener */
+		rsock = sock;
+#else
+		if (isc__nm_in_netthread()) {
+			ntid = isc_nm_tid();
+		} else {
+			ntid = sock->tid;
+		}
+		rsock = &sock->parent->children[ntid];
+#endif
+	}
+
+send:
+	uvreq = isc__nm_uvreq_get(rsock->mgr, rsock);
+	uvreq->uvbuf.base = (char *)region->base;
+	uvreq->uvbuf.len = region->length;
+
+	isc_nmhandle_attach(handle, &uvreq->handle);
+
+	uvreq->cb.send = cb;
+	uvreq->cbarg = cbarg;
+
+	if (isc_nm_tid() == rsock->tid) {
+		REQUIRE(rsock->tid == isc_nm_tid());
+		isc__netievent_udpsend_t ievent = { .sock = rsock,
+						    .req = uvreq,
+						    .peer = *peer };
+
+		isc__nm_async_udpsend(NULL, (isc__netievent_t *)&ievent);
+	} else {
+		isc__netievent_udpsend_t *ievent =
+			isc__nm_get_netievent_udpsend(sock->mgr, rsock);
+		ievent->peer = *peer;
+		ievent->req = uvreq;
+
+		isc__nm_enqueue_ievent(&sock->mgr->workers[rsock->tid],
+				       (isc__netievent_t *)ievent);
+	}
+}
+
+/*
+ * Asynchronous 'udpsend' event handler: send a packet on a UDP socket.
+ */
+void
+isc__nm_async_udpsend(isc__networker_t *worker, isc__netievent_t *ev0) {
+	isc_result_t result;
+	isc__netievent_udpsend_t *ievent = (isc__netievent_udpsend_t *)ev0;
+	isc_nmsocket_t *sock = ievent->sock;
+	isc__nm_uvreq_t *uvreq = ievent->req;
+
+	REQUIRE(sock->type == isc_nm_udpsocket);
+	REQUIRE(sock->tid == isc_nm_tid());
+	UNUSED(worker);
+
+	if (isc__nmsocket_closing(sock)) {
+		isc__nm_failed_send_cb(sock, uvreq, ISC_R_CANCELED);
+		return;
+	}
+
+	result = udp_send_direct(sock, uvreq, &ievent->peer);
+	if (result != ISC_R_SUCCESS) {
+		isc__nm_incstats(sock->mgr, sock->statsindex[STATID_SENDFAIL]);
+		isc__nm_failed_send_cb(sock, uvreq, result);
+	}
+}
+
+static void
+udp_send_cb(uv_udp_send_t *req, int status) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc__nm_uvreq_t *uvreq = uv_handle_get_data((uv_handle_t *)req);
+	isc_nmsocket_t *sock = NULL;
+
+	REQUIRE(VALID_UVREQ(uvreq));
+	REQUIRE(VALID_NMHANDLE(uvreq->handle));
+
+	sock = uvreq->sock;
+
+	REQUIRE(sock->tid == isc_nm_tid());
+
+	if (status < 0) {
+		result = isc__nm_uverr2result(status);
+		isc__nm_incstats(sock->mgr, sock->statsindex[STATID_SENDFAIL]);
+	}
+
+	isc__nm_sendcb(sock, uvreq, result, false);
+}
+
+/*
+ * udp_send_direct sends buf to a peer on a socket. Sock has to be in
+ * the same thread as the callee.
+ */
+static isc_result_t
+udp_send_direct(isc_nmsocket_t *sock, isc__nm_uvreq_t *req,
+		isc_sockaddr_t *peer) {
+	const struct sockaddr *sa = &peer->type.sa;
+	int r;
+
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(VALID_UVREQ(req));
+	REQUIRE(sock->tid == isc_nm_tid());
+	REQUIRE(sock->type == isc_nm_udpsocket);
+
+	if (isc__nmsocket_closing(sock)) {
+		return (ISC_R_CANCELED);
+	}
+
+#if UV_VERSION_HEX >= UV_VERSION(1, 27, 0)
+	/*
+	 * If we used uv_udp_connect() (and not the shim version for
+	 * older versions of libuv), then the peer address has to be
+	 * set to NULL or else uv_udp_send() could fail or assert,
+	 * depending on the libuv version.
+	 */
+	if (atomic_load(&sock->connected)) {
+		sa = NULL;
+	}
+#endif
+
+	r = uv_udp_send(&req->uv_req.udp_send, &sock->uv_handle.udp,
+			&req->uvbuf, 1, sa, udp_send_cb);
+	if (r < 0) {
+		return (isc__nm_uverr2result(r));
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+udp_connect_direct(isc_nmsocket_t *sock, isc__nm_uvreq_t *req) {
+	isc__networker_t *worker = NULL;
+	int uv_bind_flags = UV_UDP_REUSEADDR;
+	isc_result_t result = ISC_R_UNSET;
+	int tries = 3;
+	int r;
+
+	REQUIRE(isc__nm_in_netthread());
+	REQUIRE(sock->tid == isc_nm_tid());
+
+	worker = &sock->mgr->workers[isc_nm_tid()];
+
+	atomic_store(&sock->connecting, true);
+
+	r = uv_udp_init(&worker->loop, &sock->uv_handle.udp);
+	UV_RUNTIME_CHECK(uv_udp_init, r);
+	uv_handle_set_data(&sock->uv_handle.handle, sock);
+
+	r = uv_timer_init(&worker->loop, &sock->read_timer);
+	UV_RUNTIME_CHECK(uv_timer_init, r);
+	uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
+
+	r = uv_udp_open(&sock->uv_handle.udp, sock->fd);
+	if (r != 0) {
+		isc__nm_incstats(sock->mgr, sock->statsindex[STATID_OPENFAIL]);
+		goto done;
+	}
+	isc__nm_incstats(sock->mgr, sock->statsindex[STATID_OPEN]);
+
+	if (sock->iface.type.sa.sa_family == AF_INET6) {
+		uv_bind_flags |= UV_UDP_IPV6ONLY;
+	}
+
+	r = uv_udp_bind(&sock->uv_handle.udp, &sock->iface.type.sa,
+			uv_bind_flags);
+	if (r != 0) {
+		isc__nm_incstats(sock->mgr, sock->statsindex[STATID_BINDFAIL]);
+		goto done;
+	}
+
+#ifdef ISC_RECV_BUFFER_SIZE
+	uv_recv_buffer_size(&sock->uv_handle.handle,
+			    &(int){ ISC_RECV_BUFFER_SIZE });
+#endif
+#ifdef ISC_SEND_BUFFER_SIZE
+	uv_send_buffer_size(&sock->uv_handle.handle,
+			    &(int){ ISC_SEND_BUFFER_SIZE });
+#endif
+
+	/*
+	 * On FreeBSD the UDP connect() call sometimes results in a
+	 * spurious transient EADDRINUSE. Try a few more times before
+	 * giving up.
+	 */
+	do {
+		r = isc_uv_udp_connect(&sock->uv_handle.udp,
+				       &req->peer.type.sa);
+	} while (r == UV_EADDRINUSE && --tries > 0);
+	if (r != 0) {
+		isc__nm_incstats(sock->mgr,
+				 sock->statsindex[STATID_CONNECTFAIL]);
+		goto done;
+	}
+	isc__nm_incstats(sock->mgr, sock->statsindex[STATID_CONNECT]);
+
+	atomic_store(&sock->connecting, false);
+	atomic_store(&sock->connected, true);
+
+done:
+	result = isc__nm_uverr2result(r);
+
+	LOCK(&sock->lock);
+	sock->result = result;
+	SIGNAL(&sock->cond);
+	if (!atomic_load(&sock->active)) {
+		WAIT(&sock->scond, &sock->lock);
+	}
+	INSIST(atomic_load(&sock->active));
+	UNLOCK(&sock->lock);
+
+	return (result);
+}
+
+/*
+ * Asynchronous 'udpconnect' call handler: open a new UDP socket and
+ * call the 'open' callback with a handle.
+ */
+void
+isc__nm_async_udpconnect(isc__networker_t *worker, isc__netievent_t *ev0) {
+	isc__netievent_udpconnect_t *ievent =
+		(isc__netievent_udpconnect_t *)ev0;
+	isc_nmsocket_t *sock = ievent->sock;
+	isc__nm_uvreq_t *req = ievent->req;
+	isc_result_t result;
+
+	UNUSED(worker);
+
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->type == isc_nm_udpsocket);
+	REQUIRE(sock->parent == NULL);
+	REQUIRE(sock->tid == isc_nm_tid());
+
+	result = udp_connect_direct(sock, req);
+	if (result != ISC_R_SUCCESS) {
+		atomic_store(&sock->active, false);
+		isc__nm_udp_close(sock);
+		isc__nm_connectcb(sock, req, result, true);
+	} else {
+		/*
+		 * The callback has to be called after the socket has been
+		 * initialized
+		 */
+		isc__nm_connectcb(sock, req, ISC_R_SUCCESS, true);
+	}
+
+	/*
+	 * The sock is now attached to the handle.
+	 */
+	isc__nmsocket_detach(&sock);
+}
+
+void
+isc_nm_udpconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer,
+		  isc_nm_cb_t cb, void *cbarg, unsigned int timeout,
+		  size_t extrahandlesize) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_nmsocket_t *sock = NULL;
+	isc__netievent_udpconnect_t *event = NULL;
+	isc__nm_uvreq_t *req = NULL;
+	sa_family_t sa_family;
+
+	REQUIRE(VALID_NM(mgr));
+	REQUIRE(local != NULL);
+	REQUIRE(peer != NULL);
+
+	sa_family = peer->type.sa.sa_family;
+
+	sock = isc_mem_get(mgr->mctx, sizeof(isc_nmsocket_t));
+	isc__nmsocket_init(sock, mgr, isc_nm_udpsocket, local);
+
+	sock->connect_cb = cb;
+	sock->connect_cbarg = cbarg;
+	sock->read_timeout = timeout;
+	sock->extrahandlesize = extrahandlesize;
+	sock->peer = *peer;
+	sock->result = ISC_R_UNSET;
+	atomic_init(&sock->client, true);
+
+	req = isc__nm_uvreq_get(mgr, sock);
+	req->cb.connect = cb;
+	req->cbarg = cbarg;
+	req->peer = *peer;
+	req->local = *local;
+	req->handle = isc__nmhandle_get(sock, &req->peer, &sock->iface);
+
+	result = isc__nm_socket(sa_family, SOCK_DGRAM, 0, &sock->fd);
+	if (result != ISC_R_SUCCESS) {
+		if (isc__nm_in_netthread()) {
+			sock->tid = isc_nm_tid();
+		}
+		isc__nmsocket_clearcb(sock);
+		isc__nm_connectcb(sock, req, result, true);
+		atomic_store(&sock->closed, true);
+		isc__nmsocket_detach(&sock);
+		return;
+	}
+
+	result = isc__nm_socket_reuse(sock->fd);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS ||
+		      result == ISC_R_NOTIMPLEMENTED);
+
+	result = isc__nm_socket_reuse_lb(sock->fd);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS ||
+		      result == ISC_R_NOTIMPLEMENTED);
+
+	(void)isc__nm_socket_incoming_cpu(sock->fd);
+
+	(void)isc__nm_socket_disable_pmtud(sock->fd, sa_family);
+
+	event = isc__nm_get_netievent_udpconnect(mgr, sock, req);
+
+	if (isc__nm_in_netthread()) {
+		atomic_store(&sock->active, true);
+		sock->tid = isc_nm_tid();
+		isc__nm_async_udpconnect(&mgr->workers[sock->tid],
+					 (isc__netievent_t *)event);
+		isc__nm_put_netievent_udpconnect(mgr, event);
+	} else {
+		atomic_init(&sock->active, false);
+		sock->tid = isc_random_uniform(mgr->nworkers);
+		isc__nm_enqueue_ievent(&mgr->workers[sock->tid],
+				       (isc__netievent_t *)event);
+	}
+	LOCK(&sock->lock);
+	while (sock->result == ISC_R_UNSET) {
+		WAIT(&sock->cond, &sock->lock);
+	}
+	atomic_store(&sock->active, true);
+	BROADCAST(&sock->scond);
+	UNLOCK(&sock->lock);
+}
+
+void
+isc__nm_udp_read_cb(uv_udp_t *handle, ssize_t nrecv, const uv_buf_t *buf,
+		    const struct sockaddr *addr, unsigned flags) {
+	isc_nmsocket_t *sock = uv_handle_get_data((uv_handle_t *)handle);
+	REQUIRE(VALID_NMSOCK(sock));
+
+	udp_recv_cb(handle, nrecv, buf, addr, flags);
+	/*
+	 * If a caller calls isc_nm_read() on a listening socket, we can
+	 * get here, but we MUST NOT stop reading from the listener
+	 * socket.  The only difference between listener and connected
+	 * sockets is that the former has sock->parent set and later
+	 * does not.
+	 */
+	if (!sock->parent) {
+		isc__nm_stop_reading(sock);
+	}
+}
+
+void
+isc__nm_udp_failed_read_cb(isc_nmsocket_t *sock, isc_result_t result) {
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(result != ISC_R_SUCCESS);
+
+	if (atomic_load(&sock->client)) {
+		isc__nmsocket_timer_stop(sock);
+		isc__nm_stop_reading(sock);
+
+		if (!sock->recv_read) {
+			goto destroy;
+		}
+		sock->recv_read = false;
+
+		if (sock->recv_cb != NULL) {
+			isc__nm_uvreq_t *req = isc__nm_get_read_req(sock, NULL);
+			isc__nmsocket_clearcb(sock);
+			isc__nm_readcb(sock, req, result);
+		}
+
+	destroy:
+		isc__nmsocket_prep_destroy(sock);
+		return;
+	}
+
+	/*
+	 * For UDP server socket, we don't have child socket via
+	 * "accept", so we:
+	 * - we continue to read
+	 * - we don't clear the callbacks
+	 * - we don't destroy it (only stoplistening could do that)
+	 */
+	if (!sock->recv_read) {
+		return;
+	}
+	sock->recv_read = false;
+
+	if (sock->recv_cb != NULL) {
+		isc__nm_uvreq_t *req = isc__nm_get_read_req(sock, NULL);
+		isc__nm_readcb(sock, req, result);
+	}
+}
+
+/*
+ * Asynchronous 'udpread' call handler: start or resume reading on a
+ * socket; pause reading and call the 'recv' callback after each
+ * datagram.
+ */
+void
+isc__nm_async_udpread(isc__networker_t *worker, isc__netievent_t *ev0) {
+	isc__netievent_udpread_t *ievent = (isc__netievent_udpread_t *)ev0;
+	isc_nmsocket_t *sock = ievent->sock;
+	isc_result_t result;
+
+	UNUSED(worker);
+
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->tid == isc_nm_tid());
+
+	if (isc__nmsocket_closing(sock)) {
+		result = ISC_R_CANCELED;
+	} else {
+		result = isc__nm_start_reading(sock);
+	}
+
+	if (result != ISC_R_SUCCESS) {
+		sock->reading = true;
+		isc__nm_failed_read_cb(sock, result, false);
+		return;
+	}
+
+	isc__nmsocket_timer_start(sock);
+}
+
+void
+isc__nm_udp_read(isc_nmhandle_t *handle, isc_nm_recv_cb_t cb, void *cbarg) {
+	REQUIRE(VALID_NMHANDLE(handle));
+	REQUIRE(VALID_NMSOCK(handle->sock));
+
+	isc_nmsocket_t *sock = handle->sock;
+
+	REQUIRE(sock->type == isc_nm_udpsocket);
+	REQUIRE(sock->statichandle == handle);
+	REQUIRE(sock->tid == isc_nm_tid());
+	REQUIRE(!sock->recv_read);
+
+	sock->recv_cb = cb;
+	sock->recv_cbarg = cbarg;
+	sock->recv_read = true;
+
+	if (!sock->reading && sock->tid == isc_nm_tid()) {
+		isc__netievent_udpread_t ievent = { .sock = sock };
+		isc__nm_async_udpread(NULL, (isc__netievent_t *)&ievent);
+	} else {
+		isc__netievent_udpread_t *ievent =
+			isc__nm_get_netievent_udpread(sock->mgr, sock);
+		isc__nm_enqueue_ievent(&sock->mgr->workers[sock->tid],
+				       (isc__netievent_t *)ievent);
+	}
+}
+
+static void
+udp_stop_cb(uv_handle_t *handle) {
+	isc_nmsocket_t *sock = uv_handle_get_data(handle);
+	uv_handle_set_data(handle, NULL);
+
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->tid == isc_nm_tid());
+	REQUIRE(atomic_load(&sock->closing));
+
+	if (!atomic_compare_exchange_strong(&sock->closed, &(bool){ false },
+					    true))
+	{
+		UNREACHABLE();
+	}
+
+	isc__nm_incstats(sock->mgr, sock->statsindex[STATID_CLOSE]);
+
+	atomic_store(&sock->listening, false);
+
+	isc__nmsocket_detach(&sock);
+}
+
+static void
+udp_close_cb(uv_handle_t *handle) {
+	isc_nmsocket_t *sock = uv_handle_get_data(handle);
+	uv_handle_set_data(handle, NULL);
+
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->tid == isc_nm_tid());
+	REQUIRE(atomic_load(&sock->closing));
+
+	if (!atomic_compare_exchange_strong(&sock->closed, &(bool){ false },
+					    true))
+	{
+		UNREACHABLE();
+	}
+
+	isc__nm_incstats(sock->mgr, sock->statsindex[STATID_CLOSE]);
+
+	if (sock->server != NULL) {
+		isc__nmsocket_detach(&sock->server);
+	}
+
+	atomic_store(&sock->connected, false);
+	atomic_store(&sock->listening, false);
+
+	isc__nmsocket_prep_destroy(sock);
+}
+
+static void
+read_timer_close_cb(uv_handle_t *handle) {
+	isc_nmsocket_t *sock = uv_handle_get_data(handle);
+	uv_handle_set_data(handle, NULL);
+
+	if (sock->parent) {
+		uv_close(&sock->uv_handle.handle, udp_stop_cb);
+	} else {
+		uv_close(&sock->uv_handle.handle, udp_close_cb);
+	}
+}
+
+static void
+stop_udp_child(isc_nmsocket_t *sock) {
+	REQUIRE(sock->type == isc_nm_udpsocket);
+	REQUIRE(sock->tid == isc_nm_tid());
+
+	if (!atomic_compare_exchange_strong(&sock->closing, &(bool){ false },
+					    true))
+	{
+		return;
+	}
+
+	udp_close_direct(sock);
+
+	atomic_fetch_sub(&sock->parent->rchildren, 1);
+
+	isc_barrier_wait(&sock->parent->stoplistening);
+}
+
+static void
+stop_udp_parent(isc_nmsocket_t *sock) {
+	isc_nmsocket_t *csock = NULL;
+
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->tid == isc_nm_tid());
+	REQUIRE(sock->type == isc_nm_udplistener);
+
+	isc_barrier_init(&sock->stoplistening, sock->nchildren);
+
+	for (size_t i = 0; i < sock->nchildren; i++) {
+		csock = &sock->children[i];
+		REQUIRE(VALID_NMSOCK(csock));
+
+		if ((int)i == isc_nm_tid()) {
+			/*
+			 * We need to schedule closing the other sockets first
+			 */
+			continue;
+		}
+
+		atomic_store(&csock->active, false);
+		enqueue_stoplistening(csock);
+	}
+
+	csock = &sock->children[isc_nm_tid()];
+	atomic_store(&csock->active, false);
+	stop_udp_child(csock);
+
+	atomic_store(&sock->closed, true);
+	isc__nmsocket_prep_destroy(sock);
+}
+
+static void
+udp_close_direct(isc_nmsocket_t *sock) {
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->tid == isc_nm_tid());
+
+	uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
+	uv_close((uv_handle_t *)&sock->read_timer, read_timer_close_cb);
+}
+
+void
+isc__nm_async_udpclose(isc__networker_t *worker, isc__netievent_t *ev0) {
+	isc__netievent_udpclose_t *ievent = (isc__netievent_udpclose_t *)ev0;
+	isc_nmsocket_t *sock = ievent->sock;
+
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->tid == isc_nm_tid());
+	UNUSED(worker);
+
+	udp_close_direct(sock);
+}
+
+void
+isc__nm_udp_close(isc_nmsocket_t *sock) {
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->type == isc_nm_udpsocket);
+	REQUIRE(!isc__nmsocket_active(sock));
+
+	if (!atomic_compare_exchange_strong(&sock->closing, &(bool){ false },
+					    true))
+	{
+		return;
+	}
+
+	if (sock->tid == isc_nm_tid()) {
+		udp_close_direct(sock);
+	} else {
+		isc__netievent_udpclose_t *ievent =
+			isc__nm_get_netievent_udpclose(sock->mgr, sock);
+		isc__nm_enqueue_ievent(&sock->mgr->workers[sock->tid],
+				       (isc__netievent_t *)ievent);
+	}
+}
+
+void
+isc__nm_udp_shutdown(isc_nmsocket_t *sock) {
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->tid == isc_nm_tid());
+	REQUIRE(sock->type == isc_nm_udpsocket);
+
+	/*
+	 * If the socket is active, mark it inactive and
+	 * continue. If it isn't active, stop now.
+	 */
+	if (!isc__nmsocket_deactivate(sock)) {
+		return;
+	}
+
+	/*
+	 * If the socket is connecting, the cancel will happen in the
+	 * async_udpconnect() due socket being inactive now.
+	 */
+	if (atomic_load(&sock->connecting)) {
+		return;
+	}
+
+	/*
+	 * When the client detaches the last handle, the
+	 * sock->statichandle would be NULL, in that case, nobody is
+	 * interested in the callback.
+	 */
+	if (sock->statichandle != NULL) {
+		isc__nm_failed_read_cb(sock, ISC_R_CANCELED, false);
+		return;
+	}
+
+	/*
+	 * Otherwise, we just send the socket to abyss...
+	 */
+	if (sock->parent == NULL) {
+		isc__nmsocket_prep_destroy(sock);
+	}
+}
+
+void
+isc__nm_udp_cancelread(isc_nmhandle_t *handle) {
+	isc_nmsocket_t *sock = NULL;
+	isc__netievent_udpcancel_t *ievent = NULL;
+
+	REQUIRE(VALID_NMHANDLE(handle));
+
+	sock = handle->sock;
+
+	REQUIRE(VALID_NMSOCK(sock));
+	REQUIRE(sock->type == isc_nm_udpsocket);
+
+	ievent = isc__nm_get_netievent_udpcancel(sock->mgr, sock, handle);
+
+	isc__nm_enqueue_ievent(&sock->mgr->workers[sock->tid],
+			       (isc__netievent_t *)ievent);
+}
+
+void
+isc__nm_async_udpcancel(isc__networker_t *worker, isc__netievent_t *ev0) {
+	isc__netievent_udpcancel_t *ievent = (isc__netievent_udpcancel_t *)ev0;
+	isc_nmsocket_t *sock = NULL;
+
+	UNUSED(worker);
+
+	REQUIRE(VALID_NMSOCK(ievent->sock));
+
+	sock = ievent->sock;
+
+	REQUIRE(sock->tid == isc_nm_tid());
+	REQUIRE(atomic_load(&sock->client));
+
+	isc__nm_failed_read_cb(sock, ISC_R_EOF, false);
+}
diff --git a/lib/isc/netmgr/uv-compat.c b/lib/isc/netmgr/uv-compat.c
new file mode 100644
index 0000000..a1fc309
--- /dev/null
+++ b/lib/isc/netmgr/uv-compat.c
@@ -0,0 +1,152 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include "uv-compat.h"
+#include <unistd.h>
+
+#include <isc/util.h>
+
+#include "netmgr-int.h"
+
+#if UV_VERSION_HEX < UV_VERSION(1, 27, 0)
+int
+isc_uv_udp_connect(uv_udp_t *handle, const struct sockaddr *addr) {
+	int err = 0;
+
+	do {
+		int addrlen = (addr->sa_family == AF_INET)
+				      ? sizeof(struct sockaddr_in)
+				      : sizeof(struct sockaddr_in6);
+#ifdef WIN32
+		err = connect(handle->socket, addr, addrlen);
+#else  /* WIN32 */
+		err = connect(handle->io_watcher.fd, addr, addrlen);
+#endif /* WIN32 */
+	} while (err == -1 && errno == EINTR);
+
+	if (err) {
+#ifdef WIN32
+		return (uv_translate_sys_error(err));
+#else /* WIN32 */
+#if UV_VERSION_HEX >= UV_VERSION(1, 10, 0)
+		return (uv_translate_sys_error(errno));
+#else
+		return (-errno);
+#endif /* UV_VERSION_HEX >= UV_VERSION(1, 10, 0) */
+#endif /* WIN32 */
+	}
+
+	return (0);
+}
+#endif /* UV_VERSION_HEX < UV_VERSION(1, 27, 0) */
+
+#if UV_VERSION_HEX < UV_VERSION(1, 32, 0)
+int
+uv_tcp_close_reset(uv_tcp_t *handle, uv_close_cb close_cb) {
+	if (setsockopt(handle->io_watcher.fd, SOL_SOCKET, SO_LINGER,
+		       &(struct linger){ 1, 0 }, sizeof(struct linger)) == -1)
+	{
+#if UV_VERSION_HEX >= UV_VERSION(1, 10, 0)
+		return (uv_translate_sys_error(errno));
+#else
+		return (-errno);
+#endif /* UV_VERSION_HEX >= UV_VERSION(1, 10, 0) */
+	}
+
+	uv_close((uv_handle_t *)handle, close_cb);
+	return (0);
+}
+#endif /* UV_VERSION_HEX < UV_VERSION(1, 32, 0) */
+
+int
+isc_uv_udp_freebind(uv_udp_t *handle, const struct sockaddr *addr,
+		    unsigned int flags) {
+	int r;
+	uv_os_sock_t fd;
+
+	r = uv_fileno((const uv_handle_t *)handle, (uv_os_fd_t *)&fd);
+	if (r < 0) {
+		return (r);
+	}
+
+#if defined(WIN32)
+	REQUIRE(fd != INVALID_SOCKET);
+#endif
+
+	r = uv_udp_bind(handle, addr, flags);
+	if (r == UV_EADDRNOTAVAIL &&
+	    isc__nm_socket_freebind(fd, addr->sa_family) == ISC_R_SUCCESS)
+	{
+		/*
+		 * Retry binding with IP_FREEBIND (or equivalent option) if the
+		 * address is not available. This helps with IPv6 tentative
+		 * addresses which are reported by the route socket, although
+		 * named is not yet able to properly bind to them.
+		 */
+		r = uv_udp_bind(handle, addr, flags);
+	}
+
+	return (r);
+}
+
+static int
+isc__uv_tcp_bind_now(uv_tcp_t *handle, const struct sockaddr *addr,
+		     unsigned int flags) {
+	int r;
+	struct sockaddr_storage sname;
+	int snamelen = sizeof(sname);
+
+	r = uv_tcp_bind(handle, addr, flags);
+	if (r < 0) {
+		return (r);
+	}
+
+	/*
+	 * uv_tcp_bind() uses a delayed error, initially returning
+	 * success even if bind() fails. By calling uv_tcp_getsockname()
+	 * here we can find out whether the bind() call was successful.
+	 */
+	r = uv_tcp_getsockname(handle, (struct sockaddr *)&sname, &snamelen);
+	if (r < 0) {
+		return (r);
+	}
+
+	return (0);
+}
+
+int
+isc_uv_tcp_freebind(uv_tcp_t *handle, const struct sockaddr *addr,
+		    unsigned int flags) {
+	int r;
+	uv_os_sock_t fd;
+
+	r = uv_fileno((const uv_handle_t *)handle, (uv_os_fd_t *)&fd);
+	if (r < 0) {
+		return (r);
+	}
+
+	r = isc__uv_tcp_bind_now(handle, addr, flags);
+	if (r == UV_EADDRNOTAVAIL &&
+	    isc__nm_socket_freebind(fd, addr->sa_family) == ISC_R_SUCCESS)
+	{
+		/*
+		 * Retry binding with IP_FREEBIND (or equivalent option) if the
+		 * address is not available. This helps with IPv6 tentative
+		 * addresses which are reported by the route socket, although
+		 * named is not yet able to properly bind to them.
+		 */
+		r = isc__uv_tcp_bind_now(handle, addr, flags);
+	}
+
+	return (r);
+}
diff --git a/lib/isc/netmgr/uv-compat.h b/lib/isc/netmgr/uv-compat.h
new file mode 100644
index 0000000..3a10387
--- /dev/null
+++ b/lib/isc/netmgr/uv-compat.h
@@ -0,0 +1,126 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#pragma once
+#include <uv.h>
+
+/*
+ * These functions were introduced in newer libuv, but we still
+ * want BIND9 compile on older ones so we emulate them.
+ * They're inline to avoid conflicts when running with a newer
+ * library version.
+ */
+
+#define UV_VERSION(major, minor, patch) ((major << 16) | (minor << 8) | (patch))
+
+/*
+ * Copied verbatim from libuv/src/version.c
+ */
+
+#define UV_STRINGIFY(v)	       UV_STRINGIFY_HELPER(v)
+#define UV_STRINGIFY_HELPER(v) #v
+
+#define UV_VERSION_STRING_BASE         \
+	UV_STRINGIFY(UV_VERSION_MAJOR) \
+	"." UV_STRINGIFY(UV_VERSION_MINOR) "." UV_STRINGIFY(UV_VERSION_PATCH)
+
+#if UV_VERSION_IS_RELEASE
+#define UV_VERSION_STRING UV_VERSION_STRING_BASE
+#else
+#define UV_VERSION_STRING UV_VERSION_STRING_BASE "-" UV_VERSION_SUFFIX
+#endif
+
+#if !defined(UV__ERR)
+#define UV__ERR(x) (-(x))
+#endif
+
+#if UV_VERSION_HEX < UV_VERSION(1, 19, 0)
+static inline void *
+uv_handle_get_data(const uv_handle_t *handle) {
+	return (handle->data);
+}
+
+static inline void
+uv_handle_set_data(uv_handle_t *handle, void *data) {
+	handle->data = data;
+}
+
+static inline void *
+uv_req_get_data(const uv_req_t *req) {
+	return (req->data);
+}
+
+static inline void
+uv_req_set_data(uv_req_t *req, void *data) {
+	req->data = data;
+}
+#endif /* UV_VERSION_HEX < UV_VERSION(1, 19, 0) */
+
+#if UV_VERSION_HEX < UV_VERSION(1, 32, 0)
+int
+uv_tcp_close_reset(uv_tcp_t *handle, uv_close_cb close_cb);
+#endif
+
+#if UV_VERSION_HEX < UV_VERSION(1, 34, 0)
+#define uv_sleep(msec) usleep(msec * 1000)
+#endif /* UV_VERSION_HEX < UV_VERSION(1, 34, 0) */
+
+#if UV_VERSION_HEX < UV_VERSION(1, 27, 0)
+int
+isc_uv_udp_connect(uv_udp_t *handle, const struct sockaddr *addr);
+/*%<
+ * Associate the UDP handle to a remote address and port, so every message sent
+ * by this handle is automatically sent to that destination.
+ *
+ * NOTE: This is just a limited shim for uv_udp_connect() as it requires the
+ * handle to be bound.
+ */
+#else /* UV_VERSION_HEX < UV_VERSION(1, 27, 0) */
+#define isc_uv_udp_connect uv_udp_connect
+#endif /* UV_VERSION_HEX < UV_VERSION(1, 27, 0) */
+
+#if UV_VERSION_HEX < UV_VERSION(1, 12, 0)
+#include <stdlib.h>
+#include <string.h>
+
+static inline int
+uv_os_getenv(const char *name, char *buffer, size_t *size) {
+	size_t len;
+	char *buf = getenv(name);
+
+	if (buf == NULL) {
+		return (UV_ENOENT);
+	}
+
+	len = strlen(buf) + 1;
+	if (len > *size) {
+		*size = len;
+		return (UV_ENOBUFS);
+	}
+
+	*size = len;
+	memmove(buffer, buf, len);
+
+	return (0);
+}
+
+#define uv_os_setenv(name, value) setenv(name, value, 0)
+#endif /* UV_VERSION_HEX < UV_VERSION(1, 12, 0) */
+
+int
+isc_uv_udp_freebind(uv_udp_t *handle, const struct sockaddr *addr,
+		    unsigned int flags);
+
+int
+isc_uv_tcp_freebind(uv_tcp_t *handle, const struct sockaddr *addr,
+		    unsigned int flags);
diff --git a/lib/isc/netmgr/uverr2result.c b/lib/isc/netmgr/uverr2result.c
new file mode 100644
index 0000000..5ce953d
--- /dev/null
+++ b/lib/isc/netmgr/uverr2result.c
@@ -0,0 +1,104 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stdbool.h>
+#include <uv.h>
+
+#include <isc/result.h>
+#include <isc/strerr.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include "netmgr-int.h"
+
+/*%
+ * Convert a libuv error value into an isc_result_t.  The
+ * list of supported error values is not complete; new users
+ * of this function should add any expected errors that are
+ * not already there.
+ */
+isc_result_t
+isc___nm_uverr2result(int uverr, bool dolog, const char *file,
+		      unsigned int line, const char *func) {
+	switch (uverr) {
+	case 0:
+		return (ISC_R_SUCCESS);
+	case UV_ENOTDIR:
+	case UV_ELOOP:
+	case UV_EINVAL: /* XXX sometimes this is not for files */
+	case UV_ENAMETOOLONG:
+	case UV_EBADF:
+		return (ISC_R_INVALIDFILE);
+	case UV_ENOENT:
+		return (ISC_R_FILENOTFOUND);
+	case UV_EAGAIN:
+		return (ISC_R_NOCONN);
+	case UV_EACCES:
+	case UV_EPERM:
+		return (ISC_R_NOPERM);
+	case UV_EEXIST:
+		return (ISC_R_FILEEXISTS);
+	case UV_EIO:
+		return (ISC_R_IOERROR);
+	case UV_ENOMEM:
+		return (ISC_R_NOMEMORY);
+	case UV_ENFILE:
+	case UV_EMFILE:
+		return (ISC_R_TOOMANYOPENFILES);
+	case UV_ENOSPC:
+		return (ISC_R_DISCFULL);
+	case UV_EPIPE:
+	case UV_ECONNRESET:
+	case UV_ECONNABORTED:
+		return (ISC_R_CONNECTIONRESET);
+	case UV_ENOTCONN:
+		return (ISC_R_NOTCONNECTED);
+	case UV_ETIMEDOUT:
+		return (ISC_R_TIMEDOUT);
+	case UV_ENOBUFS:
+		return (ISC_R_NORESOURCES);
+	case UV_EAFNOSUPPORT:
+		return (ISC_R_FAMILYNOSUPPORT);
+	case UV_ENETDOWN:
+		return (ISC_R_NETDOWN);
+	case UV_EHOSTDOWN:
+		return (ISC_R_HOSTDOWN);
+	case UV_ENETUNREACH:
+		return (ISC_R_NETUNREACH);
+	case UV_EHOSTUNREACH:
+		return (ISC_R_HOSTUNREACH);
+	case UV_EADDRINUSE:
+		return (ISC_R_ADDRINUSE);
+	case UV_EADDRNOTAVAIL:
+		return (ISC_R_ADDRNOTAVAIL);
+	case UV_ECONNREFUSED:
+		return (ISC_R_CONNREFUSED);
+	case UV_ECANCELED:
+		return (ISC_R_CANCELED);
+	case UV_EOF:
+		return (ISC_R_EOF);
+	case UV_EMSGSIZE:
+		return (ISC_R_MAXSIZE);
+	case UV_ENOTSUP:
+		return (ISC_R_FAMILYNOSUPPORT);
+	default:
+		if (dolog) {
+			UNEXPECTED_ERROR(
+				file, line,
+				"unable to convert libuv "
+				"error code in %s to isc_result: %d: %s",
+				func, uverr, uv_strerror(uverr));
+		}
+		return (ISC_R_UNEXPECTED);
+	}
+}
diff --git a/lib/isc/netmgr_p.h b/lib/isc/netmgr_p.h
new file mode 100644
index 0000000..73171a9
--- /dev/null
+++ b/lib/isc/netmgr_p.h
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#pragma once
+
+#include <isc/mem.h>
+#include <isc/result.h>
+
+void
+isc__netmgr_create(isc_mem_t *mctx, uint32_t workers, isc_nm_t **netgmrp);
+/*%<
+ * Creates a new network manager with 'workers' worker threads,
+ * and starts it running.
+ */
+
+void
+isc__netmgr_destroy(isc_nm_t **netmgrp);
+/*%<
+ * Similar to isc_nm_detach(), but actively waits for all other references
+ * to be gone before returning.
+ */
+
+void
+isc__netmgr_shutdown(isc_nm_t *mgr);
+/*%<
+ * Shut down all active connections, freeing associated resources;
+ * prevent new connections from being established.
+ */
diff --git a/lib/isc/netscope.c b/lib/isc/netscope.c
new file mode 100644
index 0000000..69c3e9a
--- /dev/null
+++ b/lib/isc/netscope.c
@@ -0,0 +1,76 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdlib.h>
+
+#include <isc/net.h>
+#include <isc/netscope.h>
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+isc_result_t
+isc_netscope_pton(int af, char *scopename, void *addr, uint32_t *zoneid) {
+	char *ep;
+#ifdef HAVE_IF_NAMETOINDEX
+	unsigned int ifid;
+	struct in6_addr *in6;
+#endif /* ifdef HAVE_IF_NAMETOINDEX */
+	uint32_t zone = 0;
+	uint64_t llz;
+
+#ifndef HAVE_IF_NAMETOINDEX
+	UNUSED(addr);
+#endif
+
+	/* at this moment, we only support AF_INET6 */
+	if (af != AF_INET6) {
+		return (ISC_R_FAILURE);
+	}
+
+	/*
+	 * Basically, "names" are more stable than numeric IDs in terms
+	 * of renumbering, and are more preferred.  However, since there
+	 * is no standard naming convention and APIs to deal with the
+	 * names.  Thus, we only handle the case of link-local
+	 * addresses, for which we use interface names as link names,
+	 * assuming one to one mapping between interfaces and links.
+	 */
+#ifdef HAVE_IF_NAMETOINDEX
+	in6 = (struct in6_addr *)addr;
+	if (IN6_IS_ADDR_LINKLOCAL(in6) &&
+	    (ifid = if_nametoindex((const char *)scopename)) != 0)
+	{
+		zone = (uint32_t)ifid;
+	} else {
+#endif /* ifdef HAVE_IF_NAMETOINDEX */
+		llz = strtoull(scopename, &ep, 10);
+		if (ep == scopename) {
+			return (ISC_R_FAILURE);
+		}
+
+		/* check overflow */
+		zone = (uint32_t)(llz & 0xffffffffUL);
+		if (zone != llz) {
+			return (ISC_R_FAILURE);
+		}
+#ifdef HAVE_IF_NAMETOINDEX
+	}
+#endif /* ifdef HAVE_IF_NAMETOINDEX */
+
+	*zoneid = zone;
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/isc/nonce.c b/lib/isc/nonce.c
new file mode 100644
index 0000000..4c2baff
--- /dev/null
+++ b/lib/isc/nonce.c
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <isc/nonce.h>
+
+#include "entropy_private.h"
+
+void
+isc_nonce_buf(void *buf, size_t buflen) {
+	isc_entropy_get(buf, buflen);
+}
diff --git a/lib/isc/openssl_shim.c b/lib/isc/openssl_shim.c
new file mode 100644
index 0000000..3baa04a
--- /dev/null
+++ b/lib/isc/openssl_shim.c
@@ -0,0 +1,231 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <inttypes.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <openssl/crypto.h>
+#include <openssl/engine.h>
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+#include <openssl/opensslv.h>
+#include <openssl/ssl.h>
+
+#include "openssl_shim.h"
+
+#if !HAVE_CRYPTO_ZALLOC
+void *
+CRYPTO_zalloc(size_t num, const char *file, int line) {
+	void *ret = CRYPTO_malloc(num, file, line);
+	if (ret != NULL) {
+		memset(ret, 0, num);
+	}
+	return (ret);
+}
+#endif /* if !HAVE_CRYPTO_ZALLOC */
+
+#if !HAVE_EVP_CIPHER_CTX_NEW
+EVP_CIPHER_CTX *
+EVP_CIPHER_CTX_new(void) {
+	EVP_CIPHER_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
+	return (ctx);
+}
+#endif /* if !HAVE_EVP_CIPHER_CTX_NEW */
+
+#if !HAVE_EVP_CIPHER_CTX_FREE
+void
+EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx) {
+	if (ctx != NULL) {
+		EVP_CIPHER_CTX_cleanup(ctx);
+		OPENSSL_free(ctx);
+	}
+}
+#endif /* if !HAVE_EVP_CIPHER_CTX_FREE */
+
+#if !HAVE_EVP_MD_CTX_NEW
+EVP_MD_CTX *
+EVP_MD_CTX_new(void) {
+	EVP_MD_CTX *ctx = OPENSSL_malloc(sizeof(*ctx));
+	if (ctx != NULL) {
+		memset(ctx, 0, sizeof(*ctx));
+	}
+	return (ctx);
+}
+#endif /* if !HAVE_EVP_MD_CTX_NEW */
+
+#if !HAVE_EVP_MD_CTX_FREE
+void
+EVP_MD_CTX_free(EVP_MD_CTX *ctx) {
+	if (ctx != NULL) {
+		EVP_MD_CTX_cleanup(ctx);
+		OPENSSL_free(ctx);
+	}
+}
+#endif /* if !HAVE_EVP_MD_CTX_FREE */
+
+#if !HAVE_EVP_MD_CTX_RESET
+int
+EVP_MD_CTX_reset(EVP_MD_CTX *ctx) {
+	return (EVP_MD_CTX_cleanup(ctx));
+}
+#endif /* if !HAVE_EVP_MD_CTX_RESET */
+
+#if !HAVE_HMAC_CTX_NEW
+HMAC_CTX *
+HMAC_CTX_new(void) {
+	HMAC_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
+	if (ctx != NULL) {
+		if (!HMAC_CTX_reset(ctx)) {
+			HMAC_CTX_free(ctx);
+			return (NULL);
+		}
+	}
+	return (ctx);
+}
+#endif /* if !HAVE_HMAC_CTX_NEW */
+
+#if !HAVE_HMAC_CTX_FREE
+void
+HMAC_CTX_free(HMAC_CTX *ctx) {
+	if (ctx != NULL) {
+		HMAC_CTX_cleanup(ctx);
+		OPENSSL_free(ctx);
+	}
+}
+#endif /* if !HAVE_HMAC_CTX_FREE */
+
+#if !HAVE_HMAC_CTX_RESET
+int
+HMAC_CTX_reset(HMAC_CTX *ctx) {
+	HMAC_CTX_cleanup(ctx);
+	return (1);
+}
+#endif /* if !HAVE_HMAC_CTX_RESET */
+
+#if !HAVE_HMAC_CTX_GET_MD
+const EVP_MD *
+HMAC_CTX_get_md(const HMAC_CTX *ctx) {
+	return (ctx->md);
+}
+#endif /* if !HAVE_HMAC_CTX_GET_MD */
+
+#if !HAVE_SSL_READ_EX
+int
+SSL_read_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes) {
+	int rv = SSL_read(ssl, buf, num);
+	if (rv > 0) {
+		*readbytes = rv;
+		rv = 1;
+	}
+
+	return (rv);
+}
+#endif
+
+#if !HAVE_SSL_PEEK_EX
+int
+SSL_peek_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes) {
+	int rv = SSL_peek(ssl, buf, num);
+	if (rv > 0) {
+		*readbytes = rv;
+		rv = 1;
+	}
+
+	return (rv);
+}
+#endif
+
+#if !HAVE_SSL_WRITE_EX
+int
+SSL_write_ex(SSL *ssl, const void *buf, size_t num, size_t *written) {
+	int rv = SSL_write(ssl, buf, num);
+	if (rv > 0) {
+		*written = rv;
+		rv = 1;
+	}
+
+	return (rv);
+}
+#endif
+
+#if !HAVE_BIO_READ_EX
+int
+BIO_read_ex(BIO *b, void *data, size_t dlen, size_t *readbytes) {
+	int rv = BIO_read(b, data, dlen);
+	if (rv > 0) {
+		*readbytes = rv;
+		rv = 1;
+	}
+
+	return (rv);
+}
+#endif
+
+#if !HAVE_BIO_WRITE_EX
+int
+BIO_write_ex(BIO *b, const void *data, size_t dlen, size_t *written) {
+	int rv = BIO_write(b, data, dlen);
+	if (rv > 0) {
+		*written = rv;
+		rv = 1;
+	}
+
+	return (rv);
+}
+#endif
+
+#if !HAVE_OPENSSL_INIT_CRYPTO
+int
+OPENSSL_init_crypto(uint64_t opts, const void *settings) {
+	(void)settings;
+
+	if ((opts & OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS) == 0) {
+		ERR_load_crypto_strings();
+	}
+
+	if ((opts & (OPENSSL_INIT_NO_ADD_ALL_CIPHERS |
+		     OPENSSL_INIT_NO_ADD_ALL_CIPHERS)) == 0)
+	{
+		OpenSSL_add_all_algorithms();
+	} else if ((opts & OPENSSL_INIT_NO_ADD_ALL_CIPHERS) == 0) {
+		OpenSSL_add_all_digests();
+	} else if ((opts & OPENSSL_INIT_NO_ADD_ALL_CIPHERS) == 0) {
+		OpenSSL_add_all_ciphers();
+	}
+
+	return (1);
+}
+#endif
+
+#if !HAVE_OPENSSL_INIT_SSL
+int
+OPENSSL_init_ssl(uint64_t opts, const void *settings) {
+	OPENSSL_init_crypto(opts, settings);
+
+	SSL_library_init();
+
+	if ((opts & OPENSSL_INIT_NO_LOAD_SSL_STRINGS) == 0) {
+		SSL_load_error_strings();
+	}
+
+	return (1);
+}
+#endif
+
+#if !HAVE_OPENSSL_CLEANUP
+void
+OPENSSL_cleanup(void) {
+	return;
+}
+#endif
diff --git a/lib/isc/openssl_shim.h b/lib/isc/openssl_shim.h
new file mode 100644
index 0000000..9c8a63a
--- /dev/null
+++ b/lib/isc/openssl_shim.h
@@ -0,0 +1,135 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#pragma once
+
+#include <openssl/crypto.h>
+#include <openssl/engine.h>
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+#include <openssl/opensslv.h>
+#include <openssl/ssl.h>
+
+#if !HAVE_CRYPTO_ZALLOC
+void *
+CRYPTO_zalloc(size_t num, const char *file, int line);
+#endif /* if !HAVE_CRYPTO_ZALLOC */
+
+#if !defined(OPENSSL_zalloc)
+#define OPENSSL_zalloc(num) CRYPTO_zalloc(num, __FILE__, __LINE__)
+#endif
+
+#if !HAVE_EVP_CIPHER_CTX_NEW
+EVP_CIPHER_CTX *
+EVP_CIPHER_CTX_new(void);
+#endif /* if !HAVE_EVP_CIPHER_CTX_NEW */
+
+#if !HAVE_EVP_CIPHER_CTX_FREE
+void
+EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx);
+#endif /* if !HAVE_EVP_CIPHER_CTX_FREE */
+
+#if !HAVE_EVP_MD_CTX_NEW
+EVP_MD_CTX *
+EVP_MD_CTX_new(void);
+#endif /* if !HAVE_EVP_MD_CTX_NEW */
+
+#if !HAVE_EVP_MD_CTX_FREE
+void
+EVP_MD_CTX_free(EVP_MD_CTX *ctx);
+#endif /* if !HAVE_EVP_MD_CTX_FREE */
+
+#if !HAVE_EVP_MD_CTX_RESET
+int
+EVP_MD_CTX_reset(EVP_MD_CTX *ctx);
+#endif /* if !HAVE_EVP_MD_CTX_RESET */
+
+#if !HAVE_HMAC_CTX_NEW
+HMAC_CTX *
+HMAC_CTX_new(void);
+#endif /* if !HAVE_HMAC_CTX_NEW */
+
+#if !HAVE_HMAC_CTX_FREE
+void
+HMAC_CTX_free(HMAC_CTX *ctx);
+#endif /* if !HAVE_HMAC_CTX_FREE */
+
+#if !HAVE_HMAC_CTX_RESET
+int
+HMAC_CTX_reset(HMAC_CTX *ctx);
+#endif /* if !HAVE_HMAC_CTX_RESET */
+
+#if !HAVE_HMAC_CTX_GET_MD
+const EVP_MD *
+HMAC_CTX_get_md(const HMAC_CTX *ctx);
+#endif /* if !HAVE_HMAC_CTX_GET_MD */
+
+#if !HAVE_SSL_READ_EX
+int
+SSL_read_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes);
+#endif
+
+#if !HAVE_SSL_PEEK_EX
+int
+SSL_peek_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes);
+#endif
+
+#if !HAVE_SSL_WRITE_EX
+int
+SSL_write_ex(SSL *ssl, const void *buf, size_t num, size_t *written);
+#endif
+
+#if !HAVE_BIO_READ_EX
+int
+BIO_read_ex(BIO *b, void *data, size_t dlen, size_t *readbytes);
+#endif
+
+#if !HAVE_BIO_WRITE_EX
+int
+BIO_write_ex(BIO *b, const void *data, size_t dlen, size_t *written);
+#endif
+
+#if !HAVE_OPENSSL_INIT_CRYPTO
+
+#define OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS 0x00000001L
+#define OPENSSL_INIT_LOAD_CRYPTO_STRINGS    0x00000002L
+#define OPENSSL_INIT_ADD_ALL_CIPHERS	    0x00000004L
+#define OPENSSL_INIT_ADD_ALL_DIGESTS	    0x00000008L
+#define OPENSSL_INIT_NO_ADD_ALL_CIPHERS	    0x00000010L
+#define OPENSSL_INIT_NO_ADD_ALL_DIGESTS	    0x00000020L
+
+int
+OPENSSL_init_crypto(uint64_t opts, const void *settings);
+#endif
+
+#if !HAVE_OPENSSL_INIT_SSL
+#define OPENSSL_INIT_NO_LOAD_SSL_STRINGS 0x00100000L
+#define OPENSSL_INIT_LOAD_SSL_STRINGS	 0x00200000L
+
+int
+OPENSSL_init_ssl(uint64_t opts, const void *settings);
+
+#endif
+
+#if !HAVE_OPENSSL_CLEANUP
+void
+OPENSSL_cleanup(void);
+#endif
+
+#if !HAVE_TLS_SERVER_METHOD
+#define TLS_server_method SSLv23_server_method
+#endif
+
+#if !HAVE_TLS_CLIENT_METHOD
+#define TLS_client_method SSLv23_client_method
+#endif
diff --git a/lib/isc/parseint.c b/lib/isc/parseint.c
new file mode 100644
index 0000000..da6c281
--- /dev/null
+++ b/lib/isc/parseint.c
@@ -0,0 +1,79 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <ctype.h>
+#include <errno.h>
+#include <inttypes.h>
+#include <limits.h>
+#include <stdlib.h>
+
+#include <isc/parseint.h>
+#include <isc/result.h>
+
+isc_result_t
+isc_parse_uint32(uint32_t *uip, const char *string, int base) {
+	unsigned long n;
+	uint32_t r;
+	char *e;
+	if (!isalnum((unsigned char)(string[0]))) {
+		return (ISC_R_BADNUMBER);
+	}
+	errno = 0;
+	n = strtoul(string, &e, base);
+	if (*e != '\0') {
+		return (ISC_R_BADNUMBER);
+	}
+	/*
+	 * Where long is 64 bits we need to convert to 32 bits then test for
+	 * equality.  This is a no-op on 32 bit machines and a good compiler
+	 * will optimise it away.
+	 */
+	r = (uint32_t)n;
+	if ((n == ULONG_MAX && errno == ERANGE) || (n != (unsigned long)r)) {
+		return (ISC_R_RANGE);
+	}
+	*uip = r;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_parse_uint16(uint16_t *uip, const char *string, int base) {
+	uint32_t val;
+	isc_result_t result;
+	result = isc_parse_uint32(&val, string, base);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	if (val > 0xFFFF) {
+		return (ISC_R_RANGE);
+	}
+	*uip = (uint16_t)val;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_parse_uint8(uint8_t *uip, const char *string, int base) {
+	uint32_t val;
+	isc_result_t result;
+	result = isc_parse_uint32(&val, string, base);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	if (val > 0xFF) {
+		return (ISC_R_RANGE);
+	}
+	*uip = (uint8_t)val;
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c
new file mode 100644
index 0000000..6d77314
--- /dev/null
+++ b/lib/isc/pk11.c
@@ -0,0 +1,1112 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <errno.h>
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/stdio.h>
+#include <isc/strerr.h>
+#include <isc/string.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+
+#include <pk11/internal.h>
+#include <pk11/pk11.h>
+#include <pk11/result.h>
+#include <pk11/site.h>
+#include <pkcs11/pkcs11.h>
+
+#include <dst/result.h>
+
+/* was 32 octets, Petr Spacek suggested 1024, SoftHSMv2 uses 256... */
+#ifndef PINLEN
+#define PINLEN 256
+#endif /* ifndef PINLEN */
+
+#ifndef PK11_NO_LOGERR
+#define PK11_NO_LOGERR 1
+#endif /* ifndef PK11_NO_LOGERR */
+
+LIBISC_EXTERNAL_DATA bool pk11_verbose_init = false;
+
+static isc_once_t once = ISC_ONCE_INIT;
+static isc_mem_t *pk11_mctx = NULL;
+static int32_t allocsize = 0;
+static bool initialized = false;
+
+typedef struct pk11_session pk11_session_t;
+typedef struct pk11_token pk11_token_t;
+typedef ISC_LIST(pk11_session_t) pk11_sessionlist_t;
+
+struct pk11_session {
+	unsigned int magic;
+	CK_SESSION_HANDLE session;
+	ISC_LINK(pk11_session_t) link;
+	pk11_token_t *token;
+};
+
+struct pk11_token {
+	unsigned int magic;
+	unsigned int operations;
+	ISC_LINK(pk11_token_t) link;
+	CK_SLOT_ID slotid;
+	pk11_sessionlist_t sessions;
+	bool logged;
+	char name[32];
+	char manuf[32];
+	char model[16];
+	char serial[16];
+	char pin[PINLEN + 1];
+};
+static ISC_LIST(pk11_token_t) tokens;
+
+static pk11_token_t *best_rsa_token;
+static pk11_token_t *best_ecdsa_token;
+static pk11_token_t *best_eddsa_token;
+
+static isc_result_t
+free_all_sessions(void);
+static isc_result_t
+free_session_list(pk11_sessionlist_t *slist);
+static isc_result_t
+setup_session(pk11_session_t *sp, pk11_token_t *token, bool rw);
+static void
+scan_slots(void);
+static isc_result_t
+token_login(pk11_session_t *sp);
+static char *
+percent_decode(char *x, size_t *len);
+static bool
+pk11strcmp(const char *x, size_t lenx, const char *y, size_t leny);
+static CK_ATTRIBUTE *
+push_attribute(pk11_object_t *obj, isc_mem_t *mctx, size_t len);
+
+static isc_mutex_t alloclock;
+static isc_mutex_t sessionlock;
+
+static pk11_sessionlist_t actives;
+
+static CK_C_INITIALIZE_ARGS pk11_init_args = {
+	NULL_PTR,	   /* CreateMutex */
+	NULL_PTR,	   /* DestroyMutex */
+	NULL_PTR,	   /* LockMutex */
+	NULL_PTR,	   /* UnlockMutex */
+	CKF_OS_LOCKING_OK, /* flags */
+	NULL_PTR,	   /* pReserved */
+};
+
+#ifndef PK11_LIB_LOCATION
+#define PK11_LIB_LOCATION "unknown_provider"
+#endif /* ifndef PK11_LIB_LOCATION */
+
+#ifndef WIN32
+static const char *lib_name = PK11_LIB_LOCATION;
+#else  /* ifndef WIN32 */
+static const char *lib_name = PK11_LIB_LOCATION ".dll";
+#endif /* ifndef WIN32 */
+
+void
+pk11_set_lib_name(const char *name) {
+	lib_name = name;
+}
+
+const char *
+pk11_get_lib_name(void) {
+	return (lib_name);
+}
+
+static void
+initialize(void) {
+	char *pk11_provider;
+
+	isc_mutex_init(&alloclock);
+	isc_mutex_init(&sessionlock);
+
+	pk11_provider = getenv("PKCS11_PROVIDER");
+	if (pk11_provider != NULL) {
+		lib_name = pk11_provider;
+	}
+}
+
+void *
+pk11_mem_get(size_t size) {
+	void *ptr;
+
+	LOCK(&alloclock);
+	if (pk11_mctx != NULL) {
+		ptr = isc_mem_get(pk11_mctx, size);
+	} else {
+		ptr = malloc(size);
+		if (ptr == NULL && size != 0) {
+			char strbuf[ISC_STRERRORSIZE];
+			strerror_r(errno, strbuf, sizeof(strbuf));
+			isc_error_fatal(__FILE__, __LINE__, "malloc failed: %s",
+					strbuf);
+		}
+	}
+	UNLOCK(&alloclock);
+
+	if (ptr != NULL) {
+		memset(ptr, 0, size);
+	}
+	return (ptr);
+}
+
+void
+pk11_mem_put(void *ptr, size_t size) {
+	if (ptr != NULL) {
+		memset(ptr, 0, size);
+	}
+	LOCK(&alloclock);
+	if (pk11_mctx != NULL) {
+		isc_mem_put(pk11_mctx, ptr, size);
+	} else {
+		if (ptr != NULL) {
+			allocsize -= (int)size;
+		}
+		free(ptr);
+	}
+	UNLOCK(&alloclock);
+}
+
+isc_result_t
+pk11_initialize(isc_mem_t *mctx, const char *engine) {
+	isc_result_t result = ISC_R_SUCCESS;
+	CK_RV rv;
+
+	RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
+
+	LOCK(&sessionlock);
+	LOCK(&alloclock);
+	if ((mctx != NULL) && (pk11_mctx == NULL) && (allocsize == 0)) {
+		isc_mem_attach(mctx, &pk11_mctx);
+	}
+	UNLOCK(&alloclock);
+	if (initialized) {
+		goto unlock;
+	} else {
+		initialized = true;
+	}
+
+	ISC_LIST_INIT(tokens);
+	ISC_LIST_INIT(actives);
+
+	if (engine != NULL) {
+		lib_name = engine;
+	}
+
+	/* Initialize the CRYPTOKI library */
+	rv = pkcs_C_Initialize((CK_VOID_PTR)&pk11_init_args);
+
+	if (rv == 0xfe) {
+		result = PK11_R_NOPROVIDER;
+		fprintf(stderr, "Can't load PKCS#11 provider: %s\n",
+			pk11_get_load_error_message());
+		goto unlock;
+	}
+	if (rv != CKR_OK) {
+		result = PK11_R_INITFAILED;
+		goto unlock;
+	}
+
+	scan_slots();
+unlock:
+	UNLOCK(&sessionlock);
+	return (result);
+}
+
+isc_result_t
+pk11_finalize(void) {
+	pk11_token_t *token, *next;
+	isc_result_t ret;
+
+	ret = free_all_sessions();
+	(void)pkcs_C_Finalize(NULL_PTR);
+	token = ISC_LIST_HEAD(tokens);
+	while (token != NULL) {
+		next = ISC_LIST_NEXT(token, link);
+		ISC_LIST_UNLINK(tokens, token, link);
+		if (token == best_rsa_token) {
+			best_rsa_token = NULL;
+		}
+		if (token == best_ecdsa_token) {
+			best_ecdsa_token = NULL;
+		}
+		if (token == best_eddsa_token) {
+			best_eddsa_token = NULL;
+		}
+		pk11_mem_put(token, sizeof(*token));
+		token = next;
+	}
+	if (pk11_mctx != NULL) {
+		isc_mem_detach(&pk11_mctx);
+	}
+	initialized = false;
+	return (ret);
+}
+
+isc_result_t
+pk11_get_session(pk11_context_t *ctx, pk11_optype_t optype, bool need_services,
+		 bool rw, bool logon, const char *pin, CK_SLOT_ID slot) {
+	pk11_token_t *token = NULL;
+	pk11_sessionlist_t *freelist;
+	pk11_session_t *sp;
+	isc_result_t ret;
+	UNUSED(need_services);
+
+	memset(ctx, 0, sizeof(pk11_context_t));
+	ctx->handle = NULL;
+	ctx->session = CK_INVALID_HANDLE;
+
+	ret = pk11_initialize(NULL, NULL);
+	if (ret != ISC_R_SUCCESS) {
+		return (ret);
+	}
+
+	LOCK(&sessionlock);
+	/* wait for initialization to finish */
+	UNLOCK(&sessionlock);
+
+	switch (optype) {
+	case OP_ANY:
+		for (token = ISC_LIST_HEAD(tokens); token != NULL;
+		     token = ISC_LIST_NEXT(token, link))
+		{
+			if (token->slotid == slot) {
+				break;
+			}
+		}
+		break;
+	default:
+		for (token = ISC_LIST_HEAD(tokens); token != NULL;
+		     token = ISC_LIST_NEXT(token, link))
+		{
+			if (token->slotid == slot) {
+				break;
+			}
+		}
+		break;
+	}
+	if (token == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	/* Override the token's PIN */
+	if (logon && pin != NULL && *pin != '\0') {
+		if (strlen(pin) > PINLEN) {
+			return (ISC_R_RANGE);
+		}
+		/*
+		 * We want to zero out the old pin before
+		 * overwriting with a new one.
+		 */
+		memset(token->pin, 0, sizeof(token->pin));
+		strlcpy(token->pin, pin, sizeof(token->pin));
+	}
+
+	freelist = &token->sessions;
+
+	LOCK(&sessionlock);
+	sp = ISC_LIST_HEAD(*freelist);
+	if (sp != NULL) {
+		ISC_LIST_UNLINK(*freelist, sp, link);
+		ISC_LIST_APPEND(actives, sp, link);
+		UNLOCK(&sessionlock);
+		if (logon) {
+			ret = token_login(sp);
+		}
+		ctx->handle = sp;
+		ctx->session = sp->session;
+		return (ret);
+	}
+	UNLOCK(&sessionlock);
+
+	sp = pk11_mem_get(sizeof(*sp));
+	sp->magic = SES_MAGIC;
+	sp->token = token;
+	sp->session = CK_INVALID_HANDLE;
+	ISC_LINK_INIT(sp, link);
+	ret = setup_session(sp, token, rw);
+	if ((ret == ISC_R_SUCCESS) && logon) {
+		ret = token_login(sp);
+	}
+	LOCK(&sessionlock);
+	ISC_LIST_APPEND(actives, sp, link);
+	UNLOCK(&sessionlock);
+	ctx->handle = sp;
+	ctx->session = sp->session;
+	return (ret);
+}
+
+void
+pk11_return_session(pk11_context_t *ctx) {
+	pk11_session_t *sp = (pk11_session_t *)ctx->handle;
+
+	if (sp == NULL) {
+		return;
+	}
+	ctx->handle = NULL;
+	ctx->session = CK_INVALID_HANDLE;
+
+	LOCK(&sessionlock);
+	ISC_LIST_UNLINK(actives, sp, link);
+	UNLOCK(&sessionlock);
+	if (sp->session == CK_INVALID_HANDLE) {
+		pk11_mem_put(sp, sizeof(*sp));
+		return;
+	}
+
+	LOCK(&sessionlock);
+	ISC_LIST_APPEND(sp->token->sessions, sp, link);
+	UNLOCK(&sessionlock);
+}
+
+static isc_result_t
+free_all_sessions(void) {
+	pk11_token_t *token;
+	isc_result_t ret = ISC_R_SUCCESS;
+	isc_result_t oret;
+
+	for (token = ISC_LIST_HEAD(tokens); token != NULL;
+	     token = ISC_LIST_NEXT(token, link))
+	{
+		oret = free_session_list(&token->sessions);
+		if (oret != ISC_R_SUCCESS) {
+			ret = oret;
+		}
+	}
+	if (!ISC_LIST_EMPTY(actives)) {
+		ret = ISC_R_ADDRINUSE;
+		oret = free_session_list(&actives);
+		if (oret != ISC_R_SUCCESS) {
+			ret = oret;
+		}
+	}
+	return (ret);
+}
+
+static isc_result_t
+free_session_list(pk11_sessionlist_t *slist) {
+	pk11_session_t *sp;
+	CK_RV rv;
+	isc_result_t ret;
+
+	ret = ISC_R_SUCCESS;
+	LOCK(&sessionlock);
+	while (!ISC_LIST_EMPTY(*slist)) {
+		sp = ISC_LIST_HEAD(*slist);
+		ISC_LIST_UNLINK(*slist, sp, link);
+		UNLOCK(&sessionlock);
+		if (sp->session != CK_INVALID_HANDLE) {
+			rv = pkcs_C_CloseSession(sp->session);
+			if (rv != CKR_OK) {
+				ret = DST_R_CRYPTOFAILURE;
+			}
+		}
+		LOCK(&sessionlock);
+		pk11_mem_put(sp, sizeof(*sp));
+	}
+	UNLOCK(&sessionlock);
+
+	return (ret);
+}
+
+static isc_result_t
+setup_session(pk11_session_t *sp, pk11_token_t *token, bool rw) {
+	CK_RV rv;
+	CK_FLAGS flags = CKF_SERIAL_SESSION;
+
+	if (rw) {
+		flags += CKF_RW_SESSION;
+	}
+
+	rv = pkcs_C_OpenSession(token->slotid, flags, NULL_PTR, NULL_PTR,
+				&sp->session);
+	if (rv != CKR_OK) {
+		return (DST_R_CRYPTOFAILURE);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+token_login(pk11_session_t *sp) {
+	CK_RV rv;
+	pk11_token_t *token = sp->token;
+	isc_result_t ret = ISC_R_SUCCESS;
+
+	LOCK(&sessionlock);
+	if (!token->logged) {
+		rv = pkcs_C_Login(sp->session, CKU_USER,
+				  (CK_UTF8CHAR_PTR)token->pin,
+				  (CK_ULONG)strlen(token->pin));
+		if (rv != CKR_OK) {
+#if PK11_NO_LOGERR
+			pk11_error_fatalcheck(__FILE__, __LINE__,
+					      "pkcs_C_Login", rv);
+#else  /* if PK11_NO_LOGERR */
+			ret = ISC_R_NOPERM;
+#endif /* if PK11_NO_LOGERR */
+		} else {
+			token->logged = true;
+		}
+	}
+	UNLOCK(&sessionlock);
+	return (ret);
+}
+
+#define PK11_TRACE(fmt)        \
+	if (pk11_verbose_init) \
+	fprintf(stderr, fmt)
+#define PK11_TRACE1(fmt, arg)  \
+	if (pk11_verbose_init) \
+	fprintf(stderr, fmt, arg)
+#define PK11_TRACE2(fmt, arg1, arg2) \
+	if (pk11_verbose_init)       \
+	fprintf(stderr, fmt, arg1, arg2)
+#define PK11_TRACEM(mech)      \
+	if (pk11_verbose_init) \
+	fprintf(stderr, #mech ": 0x%lx\n", rv)
+
+static void
+scan_slots(void) {
+	CK_MECHANISM_INFO mechInfo;
+	CK_TOKEN_INFO tokenInfo;
+	CK_RV rv;
+	CK_SLOT_ID slot;
+	CK_SLOT_ID_PTR slotList;
+	CK_ULONG slotCount;
+	pk11_token_t *token;
+	unsigned int i;
+	bool bad;
+
+	slotCount = 0;
+	PK11_FATALCHECK(pkcs_C_GetSlotList, (CK_FALSE, NULL_PTR, &slotCount));
+	PK11_TRACE1("slotCount=%lu\n", slotCount);
+	/* it's not an error if we didn't find any providers */
+	if (slotCount == 0) {
+		return;
+	}
+	slotList = pk11_mem_get(sizeof(CK_SLOT_ID) * slotCount);
+	PK11_FATALCHECK(pkcs_C_GetSlotList, (CK_FALSE, slotList, &slotCount));
+
+	for (i = 0; i < slotCount; i++) {
+		slot = slotList[i];
+		PK11_TRACE2("slot#%u=0x%lx\n", i, slot);
+
+		rv = pkcs_C_GetTokenInfo(slot, &tokenInfo);
+		if (rv != CKR_OK) {
+			continue;
+		}
+		token = pk11_mem_get(sizeof(*token));
+		token->magic = TOK_MAGIC;
+		token->slotid = slot;
+		ISC_LINK_INIT(token, link);
+		ISC_LIST_INIT(token->sessions);
+		memmove(token->name, tokenInfo.label, 32);
+		memmove(token->manuf, tokenInfo.manufacturerID, 32);
+		memmove(token->model, tokenInfo.model, 16);
+		memmove(token->serial, tokenInfo.serialNumber, 16);
+		ISC_LIST_APPEND(tokens, token, link);
+
+		/* Check for RSA support */
+		bad = false;
+		rv = pkcs_C_GetMechanismInfo(slot, CKM_RSA_PKCS_KEY_PAIR_GEN,
+					     &mechInfo);
+		if ((rv != CKR_OK) ||
+		    ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0))
+		{
+			bad = true;
+			PK11_TRACEM(CKM_RSA_PKCS_KEY_PAIR_GEN);
+		}
+		rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5_RSA_PKCS, &mechInfo);
+		if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0) ||
+		    ((mechInfo.flags & CKF_VERIFY) == 0))
+		{
+			bad = true;
+			PK11_TRACEM(CKM_MD5_RSA_PKCS);
+		}
+		rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA1_RSA_PKCS,
+					     &mechInfo);
+		if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0) ||
+		    ((mechInfo.flags & CKF_VERIFY) == 0))
+		{
+			bad = true;
+			PK11_TRACEM(CKM_SHA1_RSA_PKCS);
+		}
+		rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA256_RSA_PKCS,
+					     &mechInfo);
+		if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0) ||
+		    ((mechInfo.flags & CKF_VERIFY) == 0))
+		{
+			bad = true;
+			PK11_TRACEM(CKM_SHA256_RSA_PKCS);
+		}
+		rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA512_RSA_PKCS,
+					     &mechInfo);
+		if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0) ||
+		    ((mechInfo.flags & CKF_VERIFY) == 0))
+		{
+			bad = true;
+			PK11_TRACEM(CKM_SHA512_RSA_PKCS);
+		}
+		rv = pkcs_C_GetMechanismInfo(slot, CKM_RSA_PKCS, &mechInfo);
+		if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0) ||
+		    ((mechInfo.flags & CKF_VERIFY) == 0))
+		{
+			bad = true;
+			PK11_TRACEM(CKM_RSA_PKCS);
+		}
+		if (!bad) {
+			token->operations |= 1 << OP_RSA;
+			if (best_rsa_token == NULL) {
+				best_rsa_token = token;
+			}
+		}
+
+		/* Check for ECDSA support */
+		bad = false;
+		rv = pkcs_C_GetMechanismInfo(slot, CKM_EC_KEY_PAIR_GEN,
+					     &mechInfo);
+		if ((rv != CKR_OK) ||
+		    ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0))
+		{
+			bad = true;
+			PK11_TRACEM(CKM_EC_KEY_PAIR_GEN);
+		}
+		rv = pkcs_C_GetMechanismInfo(slot, CKM_ECDSA, &mechInfo);
+		if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0) ||
+		    ((mechInfo.flags & CKF_VERIFY) == 0))
+		{
+			bad = true;
+			PK11_TRACEM(CKM_ECDSA);
+		}
+		if (!bad) {
+			token->operations |= 1 << OP_ECDSA;
+			if (best_ecdsa_token == NULL) {
+				best_ecdsa_token = token;
+			}
+		}
+
+		/* Check for EDDSA support */
+		bad = false;
+		rv = pkcs_C_GetMechanismInfo(slot, CKM_EC_EDWARDS_KEY_PAIR_GEN,
+					     &mechInfo);
+		if ((rv != CKR_OK) ||
+		    ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0))
+		{
+			bad = true;
+			PK11_TRACEM(CKM_EC_EDWARDS_KEY_PAIR_GEN);
+		}
+		rv = pkcs_C_GetMechanismInfo(slot, CKM_EDDSA, &mechInfo);
+		if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0) ||
+		    ((mechInfo.flags & CKF_VERIFY) == 0))
+		{
+			bad = true;
+			PK11_TRACEM(CKM_EDDSA);
+		}
+		if (!bad) {
+			token->operations |= 1 << OP_EDDSA;
+			if (best_eddsa_token == NULL) {
+				best_eddsa_token = token;
+			}
+		}
+	}
+
+	if (slotList != NULL) {
+		pk11_mem_put(slotList, sizeof(CK_SLOT_ID) * slotCount);
+	}
+}
+
+CK_SLOT_ID
+pk11_get_best_token(pk11_optype_t optype) {
+	pk11_token_t *token = NULL;
+
+	switch (optype) {
+	case OP_RSA:
+		token = best_rsa_token;
+		break;
+	case OP_ECDSA:
+		token = best_ecdsa_token;
+		break;
+	case OP_EDDSA:
+		token = best_eddsa_token;
+		break;
+	default:
+		break;
+	}
+	if (token == NULL) {
+		return (0);
+	}
+	return (token->slotid);
+}
+
+isc_result_t
+pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt, unsigned int *bits) {
+	unsigned int bitcnt, i;
+	CK_BYTE top;
+
+	if (bytecnt == 0) {
+		*bits = 0;
+		return (ISC_R_SUCCESS);
+	}
+	bitcnt = bytecnt * 8;
+	for (i = 0; i < bytecnt; i++) {
+		top = data[i];
+		if (top == 0) {
+			bitcnt -= 8;
+			continue;
+		}
+		if (top & 0x80) {
+			*bits = bitcnt;
+			return (ISC_R_SUCCESS);
+		}
+		if (top & 0x40) {
+			*bits = bitcnt - 1;
+			return (ISC_R_SUCCESS);
+		}
+		if (top & 0x20) {
+			*bits = bitcnt - 2;
+			return (ISC_R_SUCCESS);
+		}
+		if (top & 0x10) {
+			*bits = bitcnt - 3;
+			return (ISC_R_SUCCESS);
+		}
+		if (top & 0x08) {
+			*bits = bitcnt - 4;
+			return (ISC_R_SUCCESS);
+		}
+		if (top & 0x04) {
+			*bits = bitcnt - 5;
+			return (ISC_R_SUCCESS);
+		}
+		if (top & 0x02) {
+			*bits = bitcnt - 6;
+			return (ISC_R_SUCCESS);
+		}
+		if (top & 0x01) {
+			*bits = bitcnt - 7;
+			return (ISC_R_SUCCESS);
+		}
+		break;
+	}
+	return (ISC_R_RANGE);
+}
+
+CK_ATTRIBUTE *
+pk11_attribute_first(const pk11_object_t *obj) {
+	return (obj->repr);
+}
+
+CK_ATTRIBUTE *
+pk11_attribute_next(const pk11_object_t *obj, CK_ATTRIBUTE *attr) {
+	CK_ATTRIBUTE *next;
+
+	next = attr + 1;
+	if ((next - obj->repr) >= obj->attrcnt) {
+		return (NULL);
+	}
+	return (next);
+}
+
+CK_ATTRIBUTE *
+pk11_attribute_bytype(const pk11_object_t *obj, CK_ATTRIBUTE_TYPE type) {
+	CK_ATTRIBUTE *attr;
+
+	for (attr = pk11_attribute_first(obj); attr != NULL;
+	     attr = pk11_attribute_next(obj, attr))
+	{
+		if (attr->type == type) {
+			return (attr);
+		}
+	}
+	return (NULL);
+}
+
+static char *
+percent_decode(char *x, size_t *len) {
+	char *p, *c;
+	unsigned char v = 0;
+
+	INSIST(len != NULL);
+
+	for (p = c = x; p[0] != '\0'; p++, c++) {
+		switch (p[0]) {
+		case '%':
+			switch (p[1]) {
+			case '0':
+			case '1':
+			case '2':
+			case '3':
+			case '4':
+			case '5':
+			case '6':
+			case '7':
+			case '8':
+			case '9':
+				v = (p[1] - '0') << 4;
+				break;
+			case 'A':
+			case 'B':
+			case 'C':
+			case 'D':
+			case 'E':
+			case 'F':
+				v = (p[1] - 'A' + 10) << 4;
+				break;
+			case 'a':
+			case 'b':
+			case 'c':
+			case 'd':
+			case 'e':
+			case 'f':
+				v = (p[1] - 'a' + 10) << 4;
+				break;
+			default:
+				return (NULL);
+			}
+			switch (p[2]) {
+			case '0':
+			case '1':
+			case '2':
+			case '3':
+			case '4':
+			case '5':
+			case '6':
+			case '7':
+			case '8':
+			case '9':
+				v |= (p[2] - '0') & 0x0f;
+				break;
+			case 'A':
+			case 'B':
+			case 'C':
+			case 'D':
+			case 'E':
+			case 'F':
+				v = (p[2] - 'A' + 10) & 0x0f;
+				break;
+			case 'a':
+			case 'b':
+			case 'c':
+			case 'd':
+			case 'e':
+			case 'f':
+				v = (p[2] - 'a' + 10) & 0x0f;
+				break;
+			default:
+				return (NULL);
+			}
+			p += 2;
+			*c = (char)v;
+			(*len)++;
+			break;
+		default:
+			*c = *p;
+			(*len)++;
+		}
+	}
+	return (x);
+}
+
+static bool
+pk11strcmp(const char *x, size_t lenx, const char *y, size_t leny) {
+	char buf[32];
+
+	INSIST((leny == 32) || (leny == 16));
+
+	memset(buf, ' ', 32);
+	if (lenx > leny) {
+		lenx = leny;
+	}
+	memmove(buf, x, lenx);
+	return (memcmp(buf, y, leny) == 0);
+}
+
+static CK_ATTRIBUTE *
+push_attribute(pk11_object_t *obj, isc_mem_t *mctx, size_t len) {
+	CK_ATTRIBUTE *old = obj->repr;
+	CK_ATTRIBUTE *attr;
+	CK_BYTE cnt = obj->attrcnt;
+
+	REQUIRE(old != NULL || cnt == 0);
+
+	obj->repr = isc_mem_get(mctx, (cnt + 1) * sizeof(*attr));
+	memset(obj->repr, 0, (cnt + 1) * sizeof(*attr));
+	if (old != NULL) {
+		memmove(obj->repr, old, cnt * sizeof(*attr));
+	}
+	attr = obj->repr + cnt;
+	attr->ulValueLen = (CK_ULONG)len;
+	attr->pValue = isc_mem_get(mctx, len);
+	memset(attr->pValue, 0, len);
+	if (old != NULL) {
+		memset(old, 0, cnt * sizeof(*attr));
+		isc_mem_put(mctx, old, cnt * sizeof(*attr));
+	}
+	obj->attrcnt++;
+	return (attr);
+}
+
+#define DST_RET(a)        \
+	{                 \
+		ret = a;  \
+		goto err; \
+	}
+
+isc_result_t
+pk11_parse_uri(pk11_object_t *obj, const char *label, isc_mem_t *mctx,
+	       pk11_optype_t optype) {
+	CK_ATTRIBUTE *attr;
+	pk11_token_t *token = NULL;
+	char *uri, *p, *a, *na, *v;
+	size_t len, l;
+	FILE *stream = NULL;
+	char pin[PINLEN + 1];
+	bool gotpin = false;
+	isc_result_t ret;
+
+	/* get values to work on */
+	len = strlen(label) + 1;
+	uri = isc_mem_get(mctx, len);
+	memmove(uri, label, len);
+
+	/* get the URI scheme */
+	p = strchr(uri, ':');
+	if (p == NULL) {
+		DST_RET(PK11_R_NOPROVIDER);
+	}
+	*p++ = '\0';
+	if (strcmp(uri, "pkcs11") != 0) {
+		DST_RET(PK11_R_NOPROVIDER);
+	}
+
+	/* get attributes */
+	for (na = p; na != NULL;) {
+		a = na;
+		p = strchr(a, ';');
+		if (p == NULL) {
+			/* last attribute */
+			na = NULL;
+		} else {
+			*p++ = '\0';
+			na = p;
+		}
+		p = strchr(a, '=');
+		if (p != NULL) {
+			*p++ = '\0';
+			v = p;
+		} else {
+			v = a;
+		}
+		l = 0;
+		v = percent_decode(v, &l);
+		if (v == NULL) {
+			DST_RET(PK11_R_NOPROVIDER);
+		}
+		if ((a == v) || (strcmp(a, "object") == 0)) {
+			/* object: CKA_LABEL */
+			attr = pk11_attribute_bytype(obj, CKA_LABEL);
+			if (attr != NULL) {
+				DST_RET(PK11_R_NOPROVIDER);
+			}
+			attr = push_attribute(obj, mctx, l);
+			if (attr == NULL) {
+				DST_RET(ISC_R_NOMEMORY);
+			}
+			attr->type = CKA_LABEL;
+			memmove(attr->pValue, v, l);
+		} else if (strcmp(a, "token") == 0) {
+			/* token: CK_TOKEN_INFO label */
+			if (token == NULL) {
+				for (token = ISC_LIST_HEAD(tokens);
+				     token != NULL;
+				     token = ISC_LIST_NEXT(token, link))
+				{
+					if (pk11strcmp(v, l, token->name, 32)) {
+						break;
+					}
+				}
+			}
+		} else if (strcmp(a, "manufacturer") == 0) {
+			/* manufacturer: CK_TOKEN_INFO manufacturerID */
+			if (token == NULL) {
+				for (token = ISC_LIST_HEAD(tokens);
+				     token != NULL;
+				     token = ISC_LIST_NEXT(token, link))
+				{
+					if (pk11strcmp(v, l, token->manuf, 32))
+					{
+						break;
+					}
+				}
+			}
+		} else if (strcmp(a, "serial") == 0) {
+			/* serial: CK_TOKEN_INFO serialNumber */
+			if (token == NULL) {
+				for (token = ISC_LIST_HEAD(tokens);
+				     token != NULL;
+				     token = ISC_LIST_NEXT(token, link))
+				{
+					if (pk11strcmp(v, l, token->serial, 16))
+					{
+						break;
+					}
+				}
+			}
+		} else if (strcmp(a, "model") == 0) {
+			/* model: CK_TOKEN_INFO model */
+			if (token == NULL) {
+				for (token = ISC_LIST_HEAD(tokens);
+				     token != NULL;
+				     token = ISC_LIST_NEXT(token, link))
+				{
+					if (pk11strcmp(v, l, token->model, 16))
+					{
+						break;
+					}
+				}
+			}
+		} else if (strcmp(a, "library-manufacturer") == 0) {
+			/* ignored */
+		} else if (strcmp(a, "library-description") == 0) {
+			/* ignored */
+		} else if (strcmp(a, "library-version") == 0) {
+			/* ignored */
+		} else if (strcmp(a, "object-type") == 0) {
+			/* object-type: CKA_CLASS */
+			/* only private makes sense */
+			if (strcmp(v, "private") != 0) {
+				DST_RET(PK11_R_NOPROVIDER);
+			}
+		} else if (strcmp(a, "id") == 0) {
+			/* id: CKA_ID */
+			attr = pk11_attribute_bytype(obj, CKA_ID);
+			if (attr != NULL) {
+				DST_RET(PK11_R_NOPROVIDER);
+			}
+			attr = push_attribute(obj, mctx, l);
+			if (attr == NULL) {
+				DST_RET(ISC_R_NOMEMORY);
+			}
+			attr->type = CKA_ID;
+			memmove(attr->pValue, v, l);
+		} else if (strcmp(a, "pin-source") == 0) {
+			/* pin-source: PIN */
+			ret = isc_stdio_open(v, "r", &stream);
+			if (ret != ISC_R_SUCCESS) {
+				goto err;
+			}
+			memset(pin, 0, PINLEN + 1);
+			ret = isc_stdio_read(pin, 1, PINLEN + 1, stream, &l);
+			if ((ret != ISC_R_SUCCESS) && (ret != ISC_R_EOF)) {
+				goto err;
+			}
+			if (l > PINLEN) {
+				DST_RET(ISC_R_RANGE);
+			}
+			ret = isc_stdio_close(stream);
+			stream = NULL;
+			if (ret != ISC_R_SUCCESS) {
+				goto err;
+			}
+			gotpin = true;
+		} else {
+			DST_RET(PK11_R_NOPROVIDER);
+		}
+	}
+
+	if ((pk11_attribute_bytype(obj, CKA_LABEL) == NULL) &&
+	    (pk11_attribute_bytype(obj, CKA_ID) == NULL))
+	{
+		DST_RET(ISC_R_NOTFOUND);
+	}
+
+	if (token == NULL) {
+		if (optype == OP_RSA) {
+			token = best_rsa_token;
+		} else if (optype == OP_ECDSA) {
+			token = best_ecdsa_token;
+		} else if (optype == OP_EDDSA) {
+			token = best_eddsa_token;
+		}
+	}
+	if (token == NULL) {
+		DST_RET(ISC_R_NOTFOUND);
+	}
+	obj->slot = token->slotid;
+	if (gotpin) {
+		memmove(token->pin, pin, PINLEN + 1);
+		obj->reqlogon = true;
+	}
+
+	ret = ISC_R_SUCCESS;
+
+err:
+	if (stream != NULL) {
+		(void)isc_stdio_close(stream);
+	}
+	isc_mem_put(mctx, uri, len);
+	return (ret);
+}
+
+void
+pk11_error_fatalcheck(const char *file, int line, const char *funcname,
+		      CK_RV rv) {
+	isc_error_fatal(file, line, "%s: Error = 0x%.8lX\n", funcname, rv);
+}
+
+void
+pk11_dump_tokens(void) {
+	pk11_token_t *token;
+	bool first;
+
+	printf("DEFAULTS\n");
+	printf("\tbest_rsa_token=%p\n", best_rsa_token);
+	printf("\tbest_ecdsa_token=%p\n", best_ecdsa_token);
+	printf("\tbest_eddsa_token=%p\n", best_eddsa_token);
+
+	for (token = ISC_LIST_HEAD(tokens); token != NULL;
+	     token = ISC_LIST_NEXT(token, link))
+	{
+		printf("\nTOKEN\n");
+		printf("\taddress=%p\n", token);
+		printf("\tslotID=%lu\n", token->slotid);
+		printf("\tlabel=%.32s\n", token->name);
+		printf("\tmanufacturerID=%.32s\n", token->manuf);
+		printf("\tmodel=%.16s\n", token->model);
+		printf("\tserialNumber=%.16s\n", token->serial);
+		printf("\tsupported operations=0x%x (", token->operations);
+		first = true;
+		if (token->operations & (1 << OP_RSA)) {
+			first = false;
+			printf("RSA");
+		}
+		if (token->operations & (1 << OP_ECDSA)) {
+			if (!first) {
+				printf(",");
+			}
+			printf("EC");
+		}
+		printf(")\n");
+	}
+}
diff --git a/lib/isc/pk11_result.c b/lib/isc/pk11_result.c
new file mode 100644
index 0000000..73966fa
--- /dev/null
+++ b/lib/isc/pk11_result.c
@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stddef.h>
+
+#include <isc/once.h>
+#include <isc/util.h>
+
+#include <pk11/result.h>
+
+static const char *text[PK11_R_NRESULTS] = {
+	"PKCS#11 initialization failed", /*%< 0 */
+	"no PKCS#11 provider",		 /*%< 1 */
+	"PKCS#11 no random service",	 /*%< 2 */
+	"PKCS#11 no digist service",	 /*%< 3 */
+	"PKCS#11 no AES service",	 /*%< 4 */
+};
+
+static const char *ids[PK11_R_NRESULTS] = {
+	"PK11_R_INITFAILED",	  "PK11_R_NOPROVIDER",
+	"PK11_R_NORANDOMSERVICE", "PK11_R_NODIGESTSERVICE",
+	"PK11_R_NOAESSERVICE",
+};
+
+#define PK11_RESULT_RESULTSET 2
+
+static isc_once_t once = ISC_ONCE_INIT;
+
+static void
+initialize_action(void) {
+	isc_result_t result;
+
+	result = isc_result_register(ISC_RESULTCLASS_PK11, PK11_R_NRESULTS,
+				     text, PK11_RESULT_RESULTSET);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_result_register() failed: %u", result);
+	}
+
+	result = isc_result_registerids(ISC_RESULTCLASS_PK11, PK11_R_NRESULTS,
+					ids, PK11_RESULT_RESULTSET);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_result_registerids() failed: %u", result);
+	}
+}
+
+static void
+initialize(void) {
+	RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
+}
+
+const char *
+pk11_result_totext(isc_result_t result) {
+	initialize();
+
+	return (isc_result_totext(result));
+}
+
+void
+pk11_result_register(void) {
+	initialize();
+}
diff --git a/lib/isc/pool.c b/lib/isc/pool.c
new file mode 100644
index 0000000..5a5fb12
--- /dev/null
+++ b/lib/isc/pool.c
@@ -0,0 +1,163 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <string.h>
+
+#include <isc/mem.h>
+#include <isc/pool.h>
+#include <isc/random.h>
+#include <isc/util.h>
+
+/***
+ *** Types.
+ ***/
+
+struct isc_pool {
+	isc_mem_t *mctx;
+	unsigned int count;
+	isc_pooldeallocator_t free;
+	isc_poolinitializer_t init;
+	void *initarg;
+	void **pool;
+};
+
+/***
+ *** Functions.
+ ***/
+
+static isc_result_t
+alloc_pool(isc_mem_t *mctx, unsigned int count, isc_pool_t **poolp) {
+	isc_pool_t *pool;
+
+	pool = isc_mem_get(mctx, sizeof(*pool));
+	pool->count = count;
+	pool->free = NULL;
+	pool->init = NULL;
+	pool->initarg = NULL;
+	pool->mctx = NULL;
+	isc_mem_attach(mctx, &pool->mctx);
+	pool->pool = isc_mem_get(mctx, count * sizeof(void *));
+	memset(pool->pool, 0, count * sizeof(void *));
+
+	*poolp = pool;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_pool_create(isc_mem_t *mctx, unsigned int count,
+		isc_pooldeallocator_t release, isc_poolinitializer_t init,
+		void *initarg, isc_pool_t **poolp) {
+	isc_pool_t *pool = NULL;
+	isc_result_t result;
+	unsigned int i;
+
+	INSIST(count > 0);
+
+	/* Allocate the pool structure */
+	result = alloc_pool(mctx, count, &pool);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	pool->free = release;
+	pool->init = init;
+	pool->initarg = initarg;
+
+	/* Populate the pool */
+	for (i = 0; i < count; i++) {
+		result = init(&pool->pool[i], initarg);
+		if (result != ISC_R_SUCCESS) {
+			isc_pool_destroy(&pool);
+			return (result);
+		}
+	}
+
+	*poolp = pool;
+	return (ISC_R_SUCCESS);
+}
+
+void *
+isc_pool_get(isc_pool_t *pool) {
+	return (pool->pool[isc_random_uniform(pool->count)]);
+}
+
+int
+isc_pool_count(isc_pool_t *pool) {
+	REQUIRE(pool != NULL);
+	return (pool->count);
+}
+
+isc_result_t
+isc_pool_expand(isc_pool_t **sourcep, unsigned int count,
+		isc_pool_t **targetp) {
+	isc_result_t result;
+	isc_pool_t *pool;
+
+	REQUIRE(sourcep != NULL && *sourcep != NULL);
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	pool = *sourcep;
+	*sourcep = NULL;
+	if (count > pool->count) {
+		isc_pool_t *newpool = NULL;
+		unsigned int i;
+
+		/* Allocate a new pool structure */
+		result = alloc_pool(pool->mctx, count, &newpool);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+
+		newpool->free = pool->free;
+		newpool->init = pool->init;
+		newpool->initarg = pool->initarg;
+
+		/* Populate the new entries */
+		for (i = pool->count; i < count; i++) {
+			result = newpool->init(&newpool->pool[i],
+					       newpool->initarg);
+			if (result != ISC_R_SUCCESS) {
+				isc_pool_destroy(&newpool);
+				return (result);
+			}
+		}
+
+		/* Copy over the objects from the old pool */
+		for (i = 0; i < pool->count; i++) {
+			newpool->pool[i] = pool->pool[i];
+			pool->pool[i] = NULL;
+		}
+
+		isc_pool_destroy(&pool);
+		pool = newpool;
+	}
+
+	*targetp = pool;
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_pool_destroy(isc_pool_t **poolp) {
+	unsigned int i;
+	isc_pool_t *pool = *poolp;
+	*poolp = NULL;
+	for (i = 0; i < pool->count; i++) {
+		if (pool->free != NULL && pool->pool[i] != NULL) {
+			pool->free(&pool->pool[i]);
+		}
+	}
+	isc_mem_put(pool->mctx, pool->pool, pool->count * sizeof(void *));
+	isc_mem_putanddetach(&pool->mctx, pool, sizeof(*pool));
+}
diff --git a/lib/isc/portset.c b/lib/isc/portset.c
new file mode 100644
index 0000000..52b96f5
--- /dev/null
+++ b/lib/isc/portset.c
@@ -0,0 +1,135 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/mem.h>
+#include <isc/portset.h>
+#include <isc/string.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#define ISC_PORTSET_BUFSIZE (65536 / (sizeof(uint32_t) * 8))
+
+/*%
+ * Internal representation of portset.  It's an array of 32-bit integers, each
+ * bit corresponding to a single port in the ascending order.  For example,
+ * the second most significant bit of buf[0] corresponds to port 1.
+ */
+struct isc_portset {
+	unsigned int nports; /*%< number of ports in the set */
+	uint32_t buf[ISC_PORTSET_BUFSIZE];
+};
+
+static bool
+portset_isset(isc_portset_t *portset, in_port_t port) {
+	return ((portset->buf[port >> 5] & ((uint32_t)1 << (port & 31))) != 0);
+}
+
+static void
+portset_add(isc_portset_t *portset, in_port_t port) {
+	if (!portset_isset(portset, port)) {
+		portset->nports++;
+		portset->buf[port >> 5] |= ((uint32_t)1 << (port & 31));
+	}
+}
+
+static void
+portset_remove(isc_portset_t *portset, in_port_t port) {
+	if (portset_isset(portset, port)) {
+		portset->nports--;
+		portset->buf[port >> 5] &= ~((uint32_t)1 << (port & 31));
+	}
+}
+
+isc_result_t
+isc_portset_create(isc_mem_t *mctx, isc_portset_t **portsetp) {
+	isc_portset_t *portset;
+
+	REQUIRE(portsetp != NULL && *portsetp == NULL);
+
+	portset = isc_mem_get(mctx, sizeof(*portset));
+
+	/* Make the set 'empty' by default */
+	memset(portset, 0, sizeof(*portset));
+	*portsetp = portset;
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_portset_destroy(isc_mem_t *mctx, isc_portset_t **portsetp) {
+	isc_portset_t *portset;
+
+	REQUIRE(portsetp != NULL);
+	portset = *portsetp;
+
+	isc_mem_put(mctx, portset, sizeof(*portset));
+}
+
+bool
+isc_portset_isset(isc_portset_t *portset, in_port_t port) {
+	REQUIRE(portset != NULL);
+
+	return (portset_isset(portset, port));
+}
+
+unsigned int
+isc_portset_nports(isc_portset_t *portset) {
+	REQUIRE(portset != NULL);
+
+	return (portset->nports);
+}
+
+void
+isc_portset_add(isc_portset_t *portset, in_port_t port) {
+	REQUIRE(portset != NULL);
+
+	portset_add(portset, port);
+}
+
+void
+isc_portset_remove(isc_portset_t *portset, in_port_t port) {
+	portset_remove(portset, port);
+}
+
+void
+isc_portset_addrange(isc_portset_t *portset, in_port_t port_lo,
+		     in_port_t port_hi) {
+	in_port_t p;
+
+	REQUIRE(portset != NULL);
+	REQUIRE(port_lo <= port_hi);
+
+	p = port_lo;
+	do {
+		portset_add(portset, p);
+	} while (p++ < port_hi);
+}
+
+void
+isc_portset_removerange(isc_portset_t *portset, in_port_t port_lo,
+			in_port_t port_hi) {
+	in_port_t p;
+
+	REQUIRE(portset != NULL);
+	REQUIRE(port_lo <= port_hi);
+
+	p = port_lo;
+	do {
+		portset_remove(portset, p);
+	} while (p++ < port_hi);
+}
diff --git a/lib/isc/pthreads/Makefile.in b/lib/isc/pthreads/Makefile.in
new file mode 100644
index 0000000..c79e949
--- /dev/null
+++ b/lib/isc/pthreads/Makefile.in
@@ -0,0 +1,32 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+CINCLUDES =	-I${srcdir}/include \
+		-I${srcdir}/../unix/include \
+		-I../include \
+		-I${srcdir}/../include \
+		-I${srcdir}/..
+
+CDEFINES =
+CWARNINGS =
+
+OBJS =		condition.@O@ mutex.@O@ thread.@O@
+
+SRCS =		condition.c mutex.c thread.c
+
+SUBDIRS =	include
+TARGETS =	${OBJS}
+
+@BIND9_MAKE_RULES@
diff --git a/lib/isc/pthreads/condition.c b/lib/isc/pthreads/condition.c
new file mode 100644
index 0000000..7657b18
--- /dev/null
+++ b/lib/isc/pthreads/condition.c
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <errno.h>
+
+#include <isc/condition.h>
+#include <isc/strerr.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+isc_result_t
+isc_condition_waituntil(isc_condition_t *c, isc_mutex_t *m, isc_time_t *t) {
+	int presult;
+	isc_result_t result;
+	struct timespec ts;
+	char strbuf[ISC_STRERRORSIZE];
+
+	REQUIRE(c != NULL && m != NULL && t != NULL);
+
+	/*
+	 * POSIX defines a timespec's tv_sec as time_t.
+	 */
+	result = isc_time_secondsastimet(t, &ts.tv_sec);
+
+	/*
+	 * If we have a range error ts.tv_sec is most probably a signed
+	 * 32 bit value.  Set ts.tv_sec to INT_MAX.  This is a kludge.
+	 */
+	if (result == ISC_R_RANGE) {
+		ts.tv_sec = INT_MAX;
+	} else if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	/*!
+	 * POSIX defines a timespec's tv_nsec as long.  isc_time_nanoseconds
+	 * ensures its return value is < 1 billion, which will fit in a long.
+	 */
+	ts.tv_nsec = (long)isc_time_nanoseconds(t);
+
+	do {
+#if ISC_MUTEX_PROFILE
+		presult = pthread_cond_timedwait(c, &m->mutex, &ts);
+#else  /* if ISC_MUTEX_PROFILE */
+		presult = pthread_cond_timedwait(c, m, &ts);
+#endif /* if ISC_MUTEX_PROFILE */
+		if (presult == 0) {
+			return (ISC_R_SUCCESS);
+		}
+		if (presult == ETIMEDOUT) {
+			return (ISC_R_TIMEDOUT);
+		}
+	} while (presult == EINTR);
+
+	strerror_r(presult, strbuf, sizeof(strbuf));
+	UNEXPECTED_ERROR(__FILE__, __LINE__,
+			 "pthread_cond_timedwait() returned %s", strbuf);
+	return (ISC_R_UNEXPECTED);
+}
diff --git a/lib/isc/pthreads/include/.clang-format b/lib/isc/pthreads/include/.clang-format
new file mode 120000
index 0000000..e919bba
--- /dev/null
+++ b/lib/isc/pthreads/include/.clang-format
@@ -0,0 +1 @@
+../../../../.clang-format.headers
\ No newline at end of file
diff --git a/lib/isc/pthreads/include/Makefile.in b/lib/isc/pthreads/include/Makefile.in
new file mode 100644
index 0000000..60a0a67
--- /dev/null
+++ b/lib/isc/pthreads/include/Makefile.in
@@ -0,0 +1,19 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	isc
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/isc/pthreads/include/isc/Makefile.in b/lib/isc/pthreads/include/isc/Makefile.in
new file mode 100644
index 0000000..e92364d
--- /dev/null
+++ b/lib/isc/pthreads/include/isc/Makefile.in
@@ -0,0 +1,36 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+HEADERS =	condition.h mutex.h once.h thread.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isc
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/isc || exit 1; \
+	done
+
+uninstall::
+	for i in ${HEADERS}; do \
+		rm -f ${DESTDIR}${includedir}/isc/$$i || exit 1; \
+	done
diff --git a/lib/isc/pthreads/include/isc/condition.h b/lib/isc/pthreads/include/isc/condition.h
new file mode 100644
index 0000000..8a79eb4
--- /dev/null
+++ b/lib/isc/pthreads/include/isc/condition.h
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#pragma once
+
+/*! \file */
+
+#include <errno.h>
+
+#include <isc/error.h>
+#include <isc/lang.h>
+#include <isc/mutex.h>
+#include <isc/result.h>
+#include <isc/strerr.h>
+#include <isc/string.h>
+#include <isc/types.h>
+
+typedef pthread_cond_t isc_condition_t;
+
+#define isc_condition_init(cond)                                \
+	if (pthread_cond_init(cond, NULL) != 0) {               \
+		char isc_condition_strbuf[ISC_STRERRORSIZE];    \
+		strerror_r(errno, isc_condition_strbuf,         \
+			   sizeof(isc_condition_strbuf));       \
+		isc_error_fatal(__FILE__, __LINE__,             \
+				"pthread_cond_init failed: %s", \
+				isc_condition_strbuf);          \
+	}
+
+#if ISC_MUTEX_PROFILE
+#define isc_condition_wait(cp, mp)                                      \
+	((pthread_cond_wait((cp), &((mp)->mutex)) == 0) ? ISC_R_SUCCESS \
+							: ISC_R_UNEXPECTED)
+#else /* if ISC_MUTEX_PROFILE */
+#define isc_condition_wait(cp, mp)                            \
+	((pthread_cond_wait((cp), (mp)) == 0) ? ISC_R_SUCCESS \
+					      : ISC_R_UNEXPECTED)
+#endif /* if ISC_MUTEX_PROFILE */
+
+#define isc_condition_signal(cp) \
+	((pthread_cond_signal((cp)) == 0) ? ISC_R_SUCCESS : ISC_R_UNEXPECTED)
+
+#define isc_condition_broadcast(cp) \
+	((pthread_cond_broadcast((cp)) == 0) ? ISC_R_SUCCESS : ISC_R_UNEXPECTED)
+
+#define isc_condition_destroy(cp) \
+	((pthread_cond_destroy((cp)) == 0) ? ISC_R_SUCCESS : ISC_R_UNEXPECTED)
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_condition_waituntil(isc_condition_t *, isc_mutex_t *, isc_time_t *);
+
+ISC_LANG_ENDDECLS
diff --git a/lib/isc/pthreads/include/isc/mutex.h b/lib/isc/pthreads/include/isc/mutex.h
new file mode 100644
index 0000000..2390cd9
--- /dev/null
+++ b/lib/isc/pthreads/include/isc/mutex.h
@@ -0,0 +1,129 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_MUTEX_H
+#define ISC_MUTEX_H 1
+
+/*! \file */
+
+#include <pthread.h>
+#include <stdio.h>
+
+#include <isc/lang.h>
+#include <isc/result.h> /* for ISC_R_ codes */
+
+ISC_LANG_BEGINDECLS
+
+/*!
+ * Supply mutex attributes that enable deadlock detection
+ * (helpful when debugging).  This is system dependent and
+ * currently only supported on NetBSD.
+ */
+#if ISC_MUTEX_DEBUG && defined(__NetBSD__) && defined(PTHREAD_MUTEX_ERRORCHECK)
+extern pthread_mutexattr_t isc__mutex_attrs;
+#define ISC__MUTEX_ATTRS &isc__mutex_attrs
+#else /* if ISC_MUTEX_DEBUG && defined(__NetBSD__) && \
+       * defined(PTHREAD_MUTEX_ERRORCHECK) */
+#define ISC__MUTEX_ATTRS NULL
+#endif /* if ISC_MUTEX_DEBUG && defined(__NetBSD__) && \
+	* defined(PTHREAD_MUTEX_ERRORCHECK) */
+
+/* XXX We could do fancier error handling... */
+
+/*!
+ * Define ISC_MUTEX_PROFILE to turn on profiling of mutexes by line.  When
+ * enabled, isc_mutex_stats() can be used to print a table showing the
+ * number of times each type of mutex was locked and the amount of time
+ * waiting to obtain the lock.
+ */
+#ifndef ISC_MUTEX_PROFILE
+#define ISC_MUTEX_PROFILE 0
+#endif /* ifndef ISC_MUTEX_PROFILE */
+
+#if ISC_MUTEX_PROFILE
+typedef struct isc_mutexstats isc_mutexstats_t;
+
+typedef struct {
+	pthread_mutex_t	  mutex; /*%< The actual mutex. */
+	isc_mutexstats_t *stats; /*%< Mutex statistics. */
+} isc_mutex_t;
+#else  /* if ISC_MUTEX_PROFILE */
+typedef pthread_mutex_t isc_mutex_t;
+#endif /* if ISC_MUTEX_PROFILE */
+
+#if ISC_MUTEX_PROFILE
+#define isc_mutex_init(mp) isc_mutex_init_profile((mp), __FILE__, __LINE__)
+#else /* if ISC_MUTEX_PROFILE */
+#if ISC_MUTEX_DEBUG && defined(PTHREAD_MUTEX_ERRORCHECK)
+#define isc_mutex_init(mp) isc_mutex_init_errcheck((mp))
+#else /* if ISC_MUTEX_DEBUG && defined(PTHREAD_MUTEX_ERRORCHECK) */
+#define isc_mutex_init(mp) isc__mutex_init((mp), __FILE__, __LINE__)
+void
+isc__mutex_init(isc_mutex_t *mp, const char *file, unsigned int line);
+#endif /* if ISC_MUTEX_DEBUG && defined(PTHREAD_MUTEX_ERRORCHECK) */
+#endif /* if ISC_MUTEX_PROFILE */
+
+#if ISC_MUTEX_PROFILE
+#define isc_mutex_lock(mp) isc_mutex_lock_profile((mp), __FILE__, __LINE__)
+#else /* if ISC_MUTEX_PROFILE */
+#define isc_mutex_lock(mp) \
+	((pthread_mutex_lock((mp)) == 0) ? ISC_R_SUCCESS : ISC_R_UNEXPECTED)
+#endif /* if ISC_MUTEX_PROFILE */
+
+#if ISC_MUTEX_PROFILE
+#define isc_mutex_unlock(mp) isc_mutex_unlock_profile((mp), __FILE__, __LINE__)
+#else /* if ISC_MUTEX_PROFILE */
+#define isc_mutex_unlock(mp) \
+	((pthread_mutex_unlock((mp)) == 0) ? ISC_R_SUCCESS : ISC_R_UNEXPECTED)
+#endif /* if ISC_MUTEX_PROFILE */
+
+#if ISC_MUTEX_PROFILE
+#define isc_mutex_trylock(mp)                                         \
+	((pthread_mutex_trylock((&(mp)->mutex)) == 0) ? ISC_R_SUCCESS \
+						      : ISC_R_LOCKBUSY)
+#else /* if ISC_MUTEX_PROFILE */
+#define isc_mutex_trylock(mp) \
+	((pthread_mutex_trylock((mp)) == 0) ? ISC_R_SUCCESS : ISC_R_LOCKBUSY)
+#endif /* if ISC_MUTEX_PROFILE */
+
+#if ISC_MUTEX_PROFILE
+#define isc_mutex_destroy(mp) \
+	RUNTIME_CHECK(pthread_mutex_destroy((&(mp)->mutex)) == 0)
+#else /* if ISC_MUTEX_PROFILE */
+#define isc_mutex_destroy(mp) RUNTIME_CHECK(pthread_mutex_destroy((mp)) == 0)
+#endif /* if ISC_MUTEX_PROFILE */
+
+#if ISC_MUTEX_PROFILE
+#define isc_mutex_stats(fp) isc_mutex_statsprofile(fp);
+#else /* if ISC_MUTEX_PROFILE */
+#define isc_mutex_stats(fp)
+#endif /* if ISC_MUTEX_PROFILE */
+
+#if ISC_MUTEX_PROFILE
+
+void
+isc_mutex_init_profile(isc_mutex_t *mp, const char *_file, int _line);
+isc_result_t
+isc_mutex_lock_profile(isc_mutex_t *mp, const char *_file, int _line);
+isc_result_t
+isc_mutex_unlock_profile(isc_mutex_t *mp, const char *_file, int _line);
+
+void
+isc_mutex_statsprofile(FILE *fp);
+#endif /* ISC_MUTEX_PROFILE */
+
+void
+isc_mutex_init_errcheck(isc_mutex_t *mp);
+
+ISC_LANG_ENDDECLS
+#endif /* ISC_MUTEX_H */
diff --git a/lib/isc/pthreads/include/isc/once.h b/lib/isc/pthreads/include/isc/once.h
new file mode 100644
index 0000000..481dba5
--- /dev/null
+++ b/lib/isc/pthreads/include/isc/once.h
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_ONCE_H
+#define ISC_ONCE_H 1
+
+/*! \file */
+
+#include <pthread.h>
+
+#include <isc/platform.h>
+#include <isc/result.h>
+
+typedef pthread_once_t isc_once_t;
+
+#define ISC_ONCE_INIT PTHREAD_ONCE_INIT
+
+/* XXX We could do fancier error handling... */
+
+#define isc_once_do(op, f) \
+	((pthread_once((op), (f)) == 0) ? ISC_R_SUCCESS : ISC_R_UNEXPECTED)
+
+#endif /* ISC_ONCE_H */
diff --git a/lib/isc/pthreads/include/isc/thread.h b/lib/isc/pthreads/include/isc/thread.h
new file mode 100644
index 0000000..6f83191
--- /dev/null
+++ b/lib/isc/pthreads/include/isc/thread.h
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_THREAD_H
+#define ISC_THREAD_H 1
+
+/*! \file */
+
+#include <pthread.h>
+
+#if defined(HAVE_PTHREAD_NP_H)
+#include <pthread_np.h>
+#endif /* if defined(HAVE_PTHREAD_NP_H) */
+
+#include <isc/lang.h>
+#include <isc/result.h>
+
+#if defined(HAVE_THREAD_LOCAL)
+#include <threads.h>
+extern thread_local size_t isc_tid_v;
+#elif defined(HAVE___THREAD)
+extern __thread size_t isc_tid_v;
+#endif /* if defined(HAVE_THREAD_LOCAL) */
+
+ISC_LANG_BEGINDECLS
+
+typedef pthread_t isc_thread_t;
+typedef void	 *isc_threadresult_t;
+typedef void	 *isc_threadarg_t;
+typedef isc_threadresult_t (*isc_threadfunc_t)(isc_threadarg_t);
+
+void
+isc_thread_create(isc_threadfunc_t, isc_threadarg_t, isc_thread_t *);
+
+void
+isc_thread_join(isc_thread_t thread, isc_threadresult_t *result);
+
+void
+isc_thread_yield(void);
+
+void
+isc_thread_setname(isc_thread_t thread, const char *name);
+
+#define isc_thread_self (uintptr_t) pthread_self
+
+/***
+ *** Thread-Local Storage
+ ***/
+
+#if defined(HAVE_TLS)
+#if defined(HAVE_THREAD_LOCAL)
+#define ISC_THREAD_LOCAL static thread_local
+#elif defined(HAVE___THREAD)
+#define ISC_THREAD_LOCAL static __thread
+#else /* if defined(HAVE_THREAD_LOCAL) */
+#error "Unknown method for defining a TLS variable!"
+#endif /* if defined(HAVE_THREAD_LOCAL) */
+#else  /* if defined(HAVE_TLS) */
+#error "Thread-local storage support is required!"
+#endif /* if defined(HAVE_TLS) */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_THREAD_H */
diff --git a/lib/isc/pthreads/mutex.c b/lib/isc/pthreads/mutex.c
new file mode 100644
index 0000000..aa3dc53
--- /dev/null
+++ b/lib/isc/pthreads/mutex.c
@@ -0,0 +1,302 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <errno.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <sys/time.h>
+#include <time.h>
+
+#include <isc/mutex.h>
+#include <isc/once.h>
+#include <isc/print.h>
+#include <isc/strerr.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#if ISC_MUTEX_PROFILE
+
+/*@{*/
+/*% Operations on timevals; adapted from FreeBSD's sys/time.h */
+#define timevalclear(tvp) ((tvp)->tv_sec = (tvp)->tv_usec = 0)
+#define timevaladd(vvp, uvp)                       \
+	do {                                       \
+		(vvp)->tv_sec += (uvp)->tv_sec;    \
+		(vvp)->tv_usec += (uvp)->tv_usec;  \
+		if ((vvp)->tv_usec >= 1000000) {   \
+			(vvp)->tv_sec++;           \
+			(vvp)->tv_usec -= 1000000; \
+		}                                  \
+	} while (0)
+#define timevalsub(vvp, uvp)                       \
+	do {                                       \
+		(vvp)->tv_sec -= (uvp)->tv_sec;    \
+		(vvp)->tv_usec -= (uvp)->tv_usec;  \
+		if ((vvp)->tv_usec < 0) {          \
+			(vvp)->tv_sec--;           \
+			(vvp)->tv_usec += 1000000; \
+		}                                  \
+	} while (0)
+
+/*@}*/
+
+#define ISC_MUTEX_MAX_LOCKERS 32
+
+typedef struct {
+	const char *file;
+	int line;
+	unsigned count;
+	struct timeval locked_total;
+	struct timeval wait_total;
+} isc_mutexlocker_t;
+
+struct isc_mutexstats {
+	const char *file; /*%< File mutex was created in. */
+	int line;	  /*%< Line mutex was created on. */
+	unsigned count;
+	struct timeval lock_t;
+	struct timeval locked_total;
+	struct timeval wait_total;
+	isc_mutexlocker_t *cur_locker;
+	isc_mutexlocker_t lockers[ISC_MUTEX_MAX_LOCKERS];
+};
+
+#ifndef ISC_MUTEX_PROFTABLESIZE
+#define ISC_MUTEX_PROFTABLESIZE (1024 * 1024)
+#endif /* ifndef ISC_MUTEX_PROFTABLESIZE */
+static isc_mutexstats_t stats[ISC_MUTEX_PROFTABLESIZE];
+static int stats_next = 0;
+static bool stats_init = false;
+static pthread_mutex_t statslock = PTHREAD_MUTEX_INITIALIZER;
+
+void
+isc_mutex_init_profile(isc_mutex_t *mp, const char *file, int line) {
+	int i, err;
+
+	err = pthread_mutex_init(&mp->mutex, NULL);
+	if (err != 0) {
+		strerror_r(err, strbuf, sizeof(strbuf));
+		isc_error_fatal(file, line, "pthread_mutex_init failed: %s",
+				strbuf);
+	}
+
+	RUNTIME_CHECK(pthread_mutex_lock(&statslock) == 0);
+
+	if (!stats_init) {
+		stats_init = true;
+	}
+
+	/*
+	 * If all statistics entries have been used, give up and trigger an
+	 * assertion failure.  There would be no other way to deal with this
+	 * because we'd like to keep record of all locks for the purpose of
+	 * debugging and the number of necessary locks is unpredictable.
+	 * If this failure is triggered while debugging, named should be
+	 * rebuilt with an increased ISC_MUTEX_PROFTABLESIZE.
+	 */
+	RUNTIME_CHECK(stats_next < ISC_MUTEX_PROFTABLESIZE);
+	mp->stats = &stats[stats_next++];
+
+	RUNTIME_CHECK(pthread_mutex_unlock(&statslock) == 0);
+
+	mp->stats->file = file;
+	mp->stats->line = line;
+	mp->stats->count = 0;
+	timevalclear(&mp->stats->locked_total);
+	timevalclear(&mp->stats->wait_total);
+	for (i = 0; i < ISC_MUTEX_MAX_LOCKERS; i++) {
+		mp->stats->lockers[i].file = NULL;
+		mp->stats->lockers[i].line = 0;
+		mp->stats->lockers[i].count = 0;
+		timevalclear(&mp->stats->lockers[i].locked_total);
+		timevalclear(&mp->stats->lockers[i].wait_total);
+	}
+}
+
+isc_result_t
+isc_mutex_lock_profile(isc_mutex_t *mp, const char *file, int line) {
+	struct timeval prelock_t;
+	struct timeval postlock_t;
+	isc_mutexlocker_t *locker = NULL;
+	int i;
+
+	gettimeofday(&prelock_t, NULL);
+
+	if (pthread_mutex_lock(&mp->mutex) != 0) {
+		return (ISC_R_UNEXPECTED);
+	}
+
+	gettimeofday(&postlock_t, NULL);
+	mp->stats->lock_t = postlock_t;
+
+	timevalsub(&postlock_t, &prelock_t);
+
+	mp->stats->count++;
+	timevaladd(&mp->stats->wait_total, &postlock_t);
+
+	for (i = 0; i < ISC_MUTEX_MAX_LOCKERS; i++) {
+		if (mp->stats->lockers[i].file == NULL) {
+			locker = &mp->stats->lockers[i];
+			locker->file = file;
+			locker->line = line;
+			break;
+		} else if (mp->stats->lockers[i].file == file &&
+			   mp->stats->lockers[i].line == line)
+		{
+			locker = &mp->stats->lockers[i];
+			break;
+		}
+	}
+
+	if (locker != NULL) {
+		locker->count++;
+		timevaladd(&locker->wait_total, &postlock_t);
+	}
+
+	mp->stats->cur_locker = locker;
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_mutex_unlock_profile(isc_mutex_t *mp, const char *file, int line) {
+	struct timeval unlock_t;
+
+	UNUSED(file);
+	UNUSED(line);
+
+	if (mp->stats->cur_locker != NULL) {
+		gettimeofday(&unlock_t, NULL);
+		timevalsub(&unlock_t, &mp->stats->lock_t);
+		timevaladd(&mp->stats->locked_total, &unlock_t);
+		timevaladd(&mp->stats->cur_locker->locked_total, &unlock_t);
+		mp->stats->cur_locker = NULL;
+	}
+
+	return ((pthread_mutex_unlock((&mp->mutex)) == 0) ? ISC_R_SUCCESS
+							  : ISC_R_UNEXPECTED);
+}
+
+void
+isc_mutex_statsprofile(FILE *fp) {
+	isc_mutexlocker_t *locker;
+	int i, j;
+
+	fprintf(fp, "Mutex stats (in us)\n");
+	for (i = 0; i < stats_next; i++) {
+		fprintf(fp, "%-12s %4d: %10u  %lu.%06lu %lu.%06lu %5d\n",
+			stats[i].file, stats[i].line, stats[i].count,
+			stats[i].locked_total.tv_sec,
+			stats[i].locked_total.tv_usec,
+			stats[i].wait_total.tv_sec, stats[i].wait_total.tv_usec,
+			i);
+		for (j = 0; j < ISC_MUTEX_MAX_LOCKERS; j++) {
+			locker = &stats[i].lockers[j];
+			if (locker->file == NULL) {
+				continue;
+			}
+			fprintf(fp,
+				" %-11s %4d: %10u  %lu.%06lu %lu.%06lu %5d\n",
+				locker->file, locker->line, locker->count,
+				locker->locked_total.tv_sec,
+				locker->locked_total.tv_usec,
+				locker->wait_total.tv_sec,
+				locker->wait_total.tv_usec, i);
+		}
+	}
+}
+
+#endif /* ISC_MUTEX_PROFILE */
+
+#if ISC_MUTEX_DEBUG && defined(PTHREAD_MUTEX_ERRORCHECK)
+
+static bool errcheck_initialized = false;
+static pthread_mutexattr_t errcheck;
+static isc_once_t once_errcheck = ISC_ONCE_INIT;
+
+static void
+initialize_errcheck(void) {
+	RUNTIME_CHECK(pthread_mutexattr_init(&errcheck) == 0);
+	RUNTIME_CHECK(pthread_mutexattr_settype(&errcheck,
+						PTHREAD_MUTEX_ERRORCHECK) == 0);
+	errcheck_initialized = true;
+}
+
+void
+isc_mutex_init_errcheck(isc_mutex_t *mp) {
+	isc_result_t result;
+	int err;
+
+	result = isc_once_do(&once_errcheck, initialize_errcheck);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	err = pthread_mutex_init(mp, &errcheck);
+	if (err != 0) {
+		strerror_r(err, strbuf, sizeof(strbuf));
+		isc_error_fatal(file, line, "pthread_mutex_init failed: %s",
+				strbuf);
+	}
+}
+#endif /* if ISC_MUTEX_DEBUG && defined(PTHREAD_MUTEX_ERRORCHECK) */
+
+#if ISC_MUTEX_DEBUG && defined(__NetBSD__) && defined(PTHREAD_MUTEX_ERRORCHECK)
+pthread_mutexattr_t isc__mutex_attrs = {
+	PTHREAD_MUTEX_ERRORCHECK, /* m_type */
+	0			  /* m_flags, which appears to be unused. */
+};
+#endif /* if ISC_MUTEX_DEBUG && defined(__NetBSD__) && \
+	* defined(PTHREAD_MUTEX_ERRORCHECK) */
+
+#if !(ISC_MUTEX_DEBUG && defined(PTHREAD_MUTEX_ERRORCHECK)) && \
+	!ISC_MUTEX_PROFILE
+
+#ifdef HAVE_PTHREAD_MUTEX_ADAPTIVE_NP
+static bool attr_initialized = false;
+static pthread_mutexattr_t attr;
+static isc_once_t once_attr = ISC_ONCE_INIT;
+#endif /* HAVE_PTHREAD_MUTEX_ADAPTIVE_NP */
+
+#ifdef HAVE_PTHREAD_MUTEX_ADAPTIVE_NP
+static void
+initialize_attr(void) {
+	RUNTIME_CHECK(pthread_mutexattr_init(&attr) == 0);
+	RUNTIME_CHECK(pthread_mutexattr_settype(
+			      &attr, PTHREAD_MUTEX_ADAPTIVE_NP) == 0);
+	attr_initialized = true;
+}
+#endif /* HAVE_PTHREAD_MUTEX_ADAPTIVE_NP */
+
+void
+isc__mutex_init(isc_mutex_t *mp, const char *file, unsigned int line) {
+	int err;
+
+#ifdef HAVE_PTHREAD_MUTEX_ADAPTIVE_NP
+	isc_result_t result = ISC_R_SUCCESS;
+	result = isc_once_do(&once_attr, initialize_attr);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	err = pthread_mutex_init(mp, &attr);
+#else  /* HAVE_PTHREAD_MUTEX_ADAPTIVE_NP */
+	err = pthread_mutex_init(mp, ISC__MUTEX_ATTRS);
+#endif /* HAVE_PTHREAD_MUTEX_ADAPTIVE_NP */
+	if (err != 0) {
+		char strbuf[ISC_STRERRORSIZE];
+		strerror_r(err, strbuf, sizeof(strbuf));
+		isc_error_fatal(file, line, "pthread_mutex_init failed: %s",
+				strbuf);
+	}
+}
+#endif /* if !(ISC_MUTEX_DEBUG && defined(PTHREAD_MUTEX_ERRORCHECK)) && \
+	* !ISC_MUTEX_PROFILE */
diff --git a/lib/isc/pthreads/thread.c b/lib/isc/pthreads/thread.c
new file mode 100644
index 0000000..4c7380c
--- /dev/null
+++ b/lib/isc/pthreads/thread.c
@@ -0,0 +1,129 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#if defined(HAVE_SCHED_H)
+#include <sched.h>
+#endif /* if defined(HAVE_SCHED_H) */
+
+#if defined(HAVE_CPUSET_H)
+#include <sys/cpuset.h>
+#include <sys/param.h>
+#endif /* if defined(HAVE_CPUSET_H) */
+
+#if defined(HAVE_SYS_PROCSET_H)
+#include <sys/processor.h>
+#include <sys/procset.h>
+#include <sys/types.h>
+#endif /* if defined(HAVE_SYS_PROCSET_H) */
+
+#include <isc/strerr.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+
+#include "trampoline_p.h"
+
+#ifndef THREAD_MINSTACKSIZE
+#define THREAD_MINSTACKSIZE (1024U * 1024)
+#endif /* ifndef THREAD_MINSTACKSIZE */
+
+#define _FATAL(r, f)                                                          \
+	{                                                                     \
+		char strbuf[ISC_STRERRORSIZE];                                \
+		strerror_r(r, strbuf, sizeof(strbuf));                        \
+		isc_error_fatal(__FILE__, __LINE__, f " failed: %s", strbuf); \
+	}
+
+void
+isc_thread_create(isc_threadfunc_t func, isc_threadarg_t arg,
+		  isc_thread_t *thread) {
+	pthread_attr_t attr;
+	isc__trampoline_t *trampoline_arg;
+
+	trampoline_arg = isc__trampoline_get(func, arg);
+
+#if defined(HAVE_PTHREAD_ATTR_GETSTACKSIZE) && \
+	defined(HAVE_PTHREAD_ATTR_SETSTACKSIZE)
+	size_t stacksize;
+#endif /* if defined(HAVE_PTHREAD_ATTR_GETSTACKSIZE) && \
+	* defined(HAVE_PTHREAD_ATTR_SETSTACKSIZE) */
+	int ret;
+
+	pthread_attr_init(&attr);
+
+#if defined(HAVE_PTHREAD_ATTR_GETSTACKSIZE) && \
+	defined(HAVE_PTHREAD_ATTR_SETSTACKSIZE)
+	ret = pthread_attr_getstacksize(&attr, &stacksize);
+	if (ret != 0) {
+		_FATAL(ret, "pthread_attr_getstacksize()");
+	}
+
+	if (stacksize < THREAD_MINSTACKSIZE) {
+		ret = pthread_attr_setstacksize(&attr, THREAD_MINSTACKSIZE);
+		if (ret != 0) {
+			_FATAL(ret, "pthread_attr_setstacksize()");
+		}
+	}
+#endif /* if defined(HAVE_PTHREAD_ATTR_GETSTACKSIZE) && \
+	* defined(HAVE_PTHREAD_ATTR_SETSTACKSIZE) */
+
+	ret = pthread_create(thread, &attr, isc__trampoline_run,
+			     trampoline_arg);
+	if (ret != 0) {
+		_FATAL(ret, "pthread_create()");
+	}
+
+	pthread_attr_destroy(&attr);
+
+	return;
+}
+
+void
+isc_thread_join(isc_thread_t thread, isc_threadresult_t *result) {
+	int ret = pthread_join(thread, result);
+	if (ret != 0) {
+		_FATAL(ret, "pthread_join()");
+	}
+}
+
+void
+isc_thread_setname(isc_thread_t thread, const char *name) {
+#if defined(HAVE_PTHREAD_SETNAME_NP) && !defined(__APPLE__)
+	/*
+	 * macOS has pthread_setname_np but only works on the
+	 * current thread so it's not used here
+	 */
+#if defined(__NetBSD__)
+	(void)pthread_setname_np(thread, name, NULL);
+#else  /* if defined(__NetBSD__) */
+	(void)pthread_setname_np(thread, name);
+#endif /* if defined(__NetBSD__) */
+#elif defined(HAVE_PTHREAD_SET_NAME_NP)
+	(void)pthread_set_name_np(thread, name);
+#else  /* if defined(HAVE_PTHREAD_SETNAME_NP) && !defined(__APPLE__) */
+	UNUSED(thread);
+	UNUSED(name);
+#endif /* if defined(HAVE_PTHREAD_SETNAME_NP) && !defined(__APPLE__) */
+}
+
+void
+isc_thread_yield(void) {
+#if defined(HAVE_SCHED_YIELD)
+	sched_yield();
+#elif defined(HAVE_PTHREAD_YIELD)
+	pthread_yield();
+#elif defined(HAVE_PTHREAD_YIELD_NP)
+	pthread_yield_np();
+#endif /* if defined(HAVE_SCHED_YIELD) */
+}
diff --git a/lib/isc/quota.c b/lib/isc/quota.c
new file mode 100644
index 0000000..02c7176
--- /dev/null
+++ b/lib/isc/quota.c
@@ -0,0 +1,198 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <stddef.h>
+
+#include <isc/atomic.h>
+#include <isc/quota.h>
+#include <isc/util.h>
+
+#define QUOTA_MAGIC    ISC_MAGIC('Q', 'U', 'O', 'T')
+#define VALID_QUOTA(p) ISC_MAGIC_VALID(p, QUOTA_MAGIC)
+
+#define QUOTA_CB_MAGIC	  ISC_MAGIC('Q', 'T', 'C', 'B')
+#define VALID_QUOTA_CB(p) ISC_MAGIC_VALID(p, QUOTA_CB_MAGIC)
+
+void
+isc_quota_init(isc_quota_t *quota, unsigned int max) {
+	atomic_init(&quota->max, max);
+	atomic_init(&quota->used, 0);
+	atomic_init(&quota->soft, 0);
+	atomic_init(&quota->waiting, 0);
+	ISC_LIST_INIT(quota->cbs);
+	isc_mutex_init(&quota->cblock);
+	quota->magic = QUOTA_MAGIC;
+}
+
+void
+isc_quota_destroy(isc_quota_t *quota) {
+	REQUIRE(VALID_QUOTA(quota));
+	quota->magic = 0;
+
+	INSIST(atomic_load(&quota->used) == 0);
+	INSIST(atomic_load(&quota->waiting) == 0);
+	INSIST(ISC_LIST_EMPTY(quota->cbs));
+	atomic_store_release(&quota->max, 0);
+	atomic_store_release(&quota->used, 0);
+	atomic_store_release(&quota->soft, 0);
+	isc_mutex_destroy(&quota->cblock);
+}
+
+void
+isc_quota_soft(isc_quota_t *quota, unsigned int soft) {
+	REQUIRE(VALID_QUOTA(quota));
+	atomic_store_release(&quota->soft, soft);
+}
+
+void
+isc_quota_max(isc_quota_t *quota, unsigned int max) {
+	REQUIRE(VALID_QUOTA(quota));
+	atomic_store_release(&quota->max, max);
+}
+
+unsigned int
+isc_quota_getmax(isc_quota_t *quota) {
+	REQUIRE(VALID_QUOTA(quota));
+	return (atomic_load_relaxed(&quota->max));
+}
+
+unsigned int
+isc_quota_getsoft(isc_quota_t *quota) {
+	REQUIRE(VALID_QUOTA(quota));
+	return (atomic_load_relaxed(&quota->soft));
+}
+
+unsigned int
+isc_quota_getused(isc_quota_t *quota) {
+	REQUIRE(VALID_QUOTA(quota));
+	return (atomic_load_relaxed(&quota->used));
+}
+
+static isc_result_t
+quota_reserve(isc_quota_t *quota) {
+	isc_result_t result;
+	uint_fast32_t max = atomic_load_acquire(&quota->max);
+	uint_fast32_t soft = atomic_load_acquire(&quota->soft);
+	uint_fast32_t used = atomic_load_acquire(&quota->used);
+	do {
+		if (max != 0 && used >= max) {
+			return (ISC_R_QUOTA);
+		}
+		if (soft != 0 && used >= soft) {
+			result = ISC_R_SOFTQUOTA;
+		} else {
+			result = ISC_R_SUCCESS;
+		}
+	} while (!atomic_compare_exchange_weak_acq_rel(&quota->used, &used,
+						       used + 1));
+	return (result);
+}
+
+/* Must be quota->cbslock locked */
+static void
+enqueue(isc_quota_t *quota, isc_quota_cb_t *cb) {
+	REQUIRE(cb != NULL);
+	ISC_LIST_ENQUEUE(quota->cbs, cb, link);
+	atomic_fetch_add_release(&quota->waiting, 1);
+}
+
+/* Must be quota->cbslock locked */
+static isc_quota_cb_t *
+dequeue(isc_quota_t *quota) {
+	isc_quota_cb_t *cb = ISC_LIST_HEAD(quota->cbs);
+	INSIST(cb != NULL);
+	ISC_LIST_DEQUEUE(quota->cbs, cb, link);
+	atomic_fetch_sub_relaxed(&quota->waiting, 1);
+	return (cb);
+}
+
+static void
+quota_release(isc_quota_t *quota) {
+	/*
+	 * This is opportunistic - we might race with a failing quota_attach_cb
+	 * and not detect that something is waiting, but eventually someone will
+	 * be releasing quota and will detect it, so we don't need to worry -
+	 * and we're saving a lot by not locking cblock every time.
+	 */
+
+	if (atomic_load_acquire(&quota->waiting) > 0) {
+		isc_quota_cb_t *cb = NULL;
+		LOCK(&quota->cblock);
+		if (atomic_load_relaxed(&quota->waiting) > 0) {
+			cb = dequeue(quota);
+		}
+		UNLOCK(&quota->cblock);
+		if (cb != NULL) {
+			cb->cb_func(quota, cb->data);
+			return;
+		}
+	}
+
+	INSIST(atomic_fetch_sub_release(&quota->used, 1) > 0);
+}
+
+static isc_result_t
+doattach(isc_quota_t *quota, isc_quota_t **p) {
+	isc_result_t result;
+	REQUIRE(p != NULL && *p == NULL);
+
+	result = quota_reserve(quota);
+	if (result == ISC_R_SUCCESS || result == ISC_R_SOFTQUOTA) {
+		*p = quota;
+	}
+
+	return (result);
+}
+
+isc_result_t
+isc_quota_attach(isc_quota_t *quota, isc_quota_t **quotap) {
+	REQUIRE(VALID_QUOTA(quota));
+	REQUIRE(quotap != NULL && *quotap == NULL);
+
+	return (isc_quota_attach_cb(quota, quotap, NULL));
+}
+
+isc_result_t
+isc_quota_attach_cb(isc_quota_t *quota, isc_quota_t **quotap,
+		    isc_quota_cb_t *cb) {
+	REQUIRE(VALID_QUOTA(quota));
+	REQUIRE(cb == NULL || VALID_QUOTA_CB(cb));
+	REQUIRE(quotap != NULL && *quotap == NULL);
+
+	isc_result_t result = doattach(quota, quotap);
+	if (result == ISC_R_QUOTA && cb != NULL) {
+		LOCK(&quota->cblock);
+		enqueue(quota, cb);
+		UNLOCK(&quota->cblock);
+	}
+	return (result);
+}
+
+void
+isc_quota_cb_init(isc_quota_cb_t *cb, isc_quota_cb_func_t cb_func, void *data) {
+	ISC_LINK_INIT(cb, link);
+	cb->cb_func = cb_func;
+	cb->data = data;
+	cb->magic = QUOTA_CB_MAGIC;
+}
+
+void
+isc_quota_detach(isc_quota_t **quotap) {
+	REQUIRE(quotap != NULL && VALID_QUOTA(*quotap));
+	isc_quota_t *quota = *quotap;
+	*quotap = NULL;
+
+	quota_release(quota);
+}
diff --git a/lib/isc/radix.c b/lib/isc/radix.c
new file mode 100644
index 0000000..d84e5d0
--- /dev/null
+++ b/lib/isc/radix.c
@@ -0,0 +1,706 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * This source was adapted from MRT's RCS Ids:
+ * Id: radix.c,v 1.10.2.1 1999/11/29 05:16:24 masaki Exp
+ * Id: prefix.c,v 1.37.2.9 2000/03/10 02:53:19 labovit Exp
+ */
+
+#include <inttypes.h>
+
+#include <isc/mem.h>
+#include <isc/radix.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#define BIT_TEST(f, b) (((f) & (b)) != 0)
+
+static isc_result_t
+_new_prefix(isc_mem_t *mctx, isc_prefix_t **target, int family, void *dest,
+	    int bitlen);
+
+static void
+_deref_prefix(isc_prefix_t *prefix);
+
+static isc_result_t
+_ref_prefix(isc_mem_t *mctx, isc_prefix_t **target, isc_prefix_t *prefix);
+
+static int
+_comp_with_mask(void *addr, void *dest, u_int mask);
+
+static void
+_clear_radix(isc_radix_tree_t *radix, isc_radix_destroyfunc_t func);
+
+static isc_result_t
+_new_prefix(isc_mem_t *mctx, isc_prefix_t **target, int family, void *dest,
+	    int bitlen) {
+	isc_prefix_t *prefix;
+
+	REQUIRE(target != NULL);
+
+	if (family != AF_INET6 && family != AF_INET && family != AF_UNSPEC) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	prefix = isc_mem_get(mctx, sizeof(isc_prefix_t));
+
+	if (family == AF_INET6) {
+		prefix->bitlen = (bitlen >= 0) ? bitlen : 128;
+		memmove(&prefix->add.sin6, dest, 16);
+	} else {
+		/* AF_UNSPEC is "any" or "none"--treat it as AF_INET */
+		prefix->bitlen = (bitlen >= 0) ? bitlen : 32;
+		memmove(&prefix->add.sin, dest, 4);
+	}
+
+	prefix->family = family;
+	prefix->mctx = NULL;
+	isc_mem_attach(mctx, &prefix->mctx);
+
+	isc_refcount_init(&prefix->refcount, 1);
+
+	*target = prefix;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+_deref_prefix(isc_prefix_t *prefix) {
+	if (prefix != NULL) {
+		if (isc_refcount_decrement(&prefix->refcount) == 1) {
+			isc_refcount_destroy(&prefix->refcount);
+			isc_mem_putanddetach(&prefix->mctx, prefix,
+					     sizeof(isc_prefix_t));
+		}
+	}
+}
+
+static isc_result_t
+_ref_prefix(isc_mem_t *mctx, isc_prefix_t **target, isc_prefix_t *prefix) {
+	INSIST(prefix != NULL);
+	INSIST((prefix->family == AF_INET && prefix->bitlen <= 32) ||
+	       (prefix->family == AF_INET6 && prefix->bitlen <= 128) ||
+	       (prefix->family == AF_UNSPEC && prefix->bitlen == 0));
+	REQUIRE(target != NULL && *target == NULL);
+
+	/*
+	 * If this prefix is a static allocation, copy it into new memory.
+	 * (Note, the refcount still has to be destroyed by the calling
+	 * routine.)
+	 */
+	if (isc_refcount_current(&prefix->refcount) == 0) {
+		isc_result_t ret;
+		ret = _new_prefix(mctx, target, prefix->family, &prefix->add,
+				  prefix->bitlen);
+		return (ret);
+	}
+
+	isc_refcount_increment(&prefix->refcount);
+
+	*target = prefix;
+	return (ISC_R_SUCCESS);
+}
+
+static int
+_comp_with_mask(void *addr, void *dest, u_int mask) {
+	/* Mask length of zero matches everything */
+	if (mask == 0) {
+		return (1);
+	}
+
+	if (memcmp(addr, dest, mask / 8) == 0) {
+		u_int n = mask / 8;
+		u_int m = ((~0U) << (8 - (mask % 8)));
+
+		if ((mask % 8) == 0 ||
+		    (((u_char *)addr)[n] & m) == (((u_char *)dest)[n] & m))
+		{
+			return (1);
+		}
+	}
+	return (0);
+}
+
+isc_result_t
+isc_radix_create(isc_mem_t *mctx, isc_radix_tree_t **target, int maxbits) {
+	isc_radix_tree_t *radix;
+
+	REQUIRE(target != NULL && *target == NULL);
+
+	radix = isc_mem_get(mctx, sizeof(isc_radix_tree_t));
+
+	radix->mctx = NULL;
+	isc_mem_attach(mctx, &radix->mctx);
+	radix->maxbits = maxbits;
+	radix->head = NULL;
+	radix->num_active_node = 0;
+	radix->num_added_node = 0;
+	RUNTIME_CHECK(maxbits <= RADIX_MAXBITS); /* XXX */
+	radix->magic = RADIX_TREE_MAGIC;
+	*target = radix;
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * if func is supplied, it will be called as func(node->data)
+ * before deleting the node
+ */
+
+static void
+_clear_radix(isc_radix_tree_t *radix, isc_radix_destroyfunc_t func) {
+	REQUIRE(radix != NULL);
+
+	if (radix->head != NULL) {
+		isc_radix_node_t *Xstack[RADIX_MAXBITS + 1];
+		isc_radix_node_t **Xsp = Xstack;
+		isc_radix_node_t *Xrn = radix->head;
+
+		while (Xrn != NULL) {
+			isc_radix_node_t *l = Xrn->l;
+			isc_radix_node_t *r = Xrn->r;
+
+			if (Xrn->prefix != NULL) {
+				_deref_prefix(Xrn->prefix);
+				if (func != NULL) {
+					func(Xrn->data);
+				}
+			} else {
+				INSIST(Xrn->data[RADIX_V4] == NULL &&
+				       Xrn->data[RADIX_V6] == NULL);
+			}
+
+			isc_mem_put(radix->mctx, Xrn, sizeof(*Xrn));
+			radix->num_active_node--;
+
+			if (l != NULL) {
+				if (r != NULL) {
+					*Xsp++ = r;
+				}
+				Xrn = l;
+			} else if (r != NULL) {
+				Xrn = r;
+			} else if (Xsp != Xstack) {
+				Xrn = *(--Xsp);
+			} else {
+				Xrn = NULL;
+			}
+		}
+	}
+	RUNTIME_CHECK(radix->num_active_node == 0);
+}
+
+void
+isc_radix_destroy(isc_radix_tree_t *radix, isc_radix_destroyfunc_t func) {
+	REQUIRE(radix != NULL);
+	_clear_radix(radix, func);
+	isc_mem_putanddetach(&radix->mctx, radix, sizeof(*radix));
+}
+
+/*
+ * func will be called as func(node->prefix, node->data)
+ */
+void
+isc_radix_process(isc_radix_tree_t *radix, isc_radix_processfunc_t func) {
+	isc_radix_node_t *node;
+
+	REQUIRE(func != NULL);
+
+	RADIX_WALK(radix->head, node) { func(node->prefix, node->data); }
+	RADIX_WALK_END;
+}
+
+isc_result_t
+isc_radix_search(isc_radix_tree_t *radix, isc_radix_node_t **target,
+		 isc_prefix_t *prefix) {
+	isc_radix_node_t *node;
+	isc_radix_node_t *stack[RADIX_MAXBITS + 1];
+	u_char *addr;
+	uint32_t bitlen;
+	int tfam = -1, cnt = 0;
+
+	REQUIRE(radix != NULL);
+	REQUIRE(prefix != NULL);
+	REQUIRE(target != NULL && *target == NULL);
+	RUNTIME_CHECK(prefix->bitlen <= radix->maxbits);
+
+	*target = NULL;
+
+	node = radix->head;
+
+	if (node == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	addr = isc_prefix_touchar(prefix);
+	bitlen = prefix->bitlen;
+
+	while (node != NULL && node->bit < bitlen) {
+		if (node->prefix) {
+			stack[cnt++] = node;
+		}
+
+		if (BIT_TEST(addr[node->bit >> 3], 0x80 >> (node->bit & 0x07)))
+		{
+			node = node->r;
+		} else {
+			node = node->l;
+		}
+	}
+
+	if (node != NULL && node->prefix) {
+		stack[cnt++] = node;
+	}
+
+	while (cnt-- > 0) {
+		node = stack[cnt];
+
+		if (prefix->bitlen < node->bit) {
+			continue;
+		}
+
+		if (_comp_with_mask(isc_prefix_tochar(node->prefix),
+				    isc_prefix_tochar(prefix),
+				    node->prefix->bitlen))
+		{
+			int fam = ISC_RADIX_FAMILY(prefix);
+			if (node->node_num[fam] != -1 &&
+			    ((*target == NULL) ||
+			     (*target)->node_num[tfam] > node->node_num[fam]))
+			{
+				*target = node;
+				tfam = fam;
+			}
+		}
+	}
+
+	if (*target == NULL) {
+		return (ISC_R_NOTFOUND);
+	} else {
+		return (ISC_R_SUCCESS);
+	}
+}
+
+isc_result_t
+isc_radix_insert(isc_radix_tree_t *radix, isc_radix_node_t **target,
+		 isc_radix_node_t *source, isc_prefix_t *prefix) {
+	isc_radix_node_t *node, *new_node, *parent, *glue = NULL;
+	u_char *addr, *test_addr;
+	uint32_t bitlen, fam, check_bit, differ_bit;
+	uint32_t i, j, r;
+	isc_result_t result;
+
+	REQUIRE(radix != NULL);
+	REQUIRE(target != NULL && *target == NULL);
+	REQUIRE(prefix != NULL || (source != NULL && source->prefix != NULL));
+	RUNTIME_CHECK(prefix == NULL || prefix->bitlen <= radix->maxbits);
+
+	if (prefix == NULL) {
+		prefix = source->prefix;
+	}
+
+	INSIST(prefix != NULL);
+
+	bitlen = prefix->bitlen;
+	fam = prefix->family;
+
+	if (radix->head == NULL) {
+		node = isc_mem_get(radix->mctx, sizeof(isc_radix_node_t));
+		node->bit = bitlen;
+		for (i = 0; i < RADIX_FAMILIES; i++) {
+			node->node_num[i] = -1;
+		}
+		node->prefix = NULL;
+		result = _ref_prefix(radix->mctx, &node->prefix, prefix);
+		if (result != ISC_R_SUCCESS) {
+			isc_mem_put(radix->mctx, node,
+				    sizeof(isc_radix_node_t));
+			return (result);
+		}
+		node->parent = NULL;
+		node->l = node->r = NULL;
+		if (source != NULL) {
+			/*
+			 * If source is non-NULL, then we're merging in a
+			 * node from an existing radix tree.  To keep
+			 * the node_num values consistent, the calling
+			 * function will add the total number of nodes
+			 * added to num_added_node at the end of
+			 * the merge operation--we don't do it here.
+			 */
+			for (i = 0; i < RADIX_FAMILIES; i++) {
+				if (source->node_num[i] != -1) {
+					node->node_num[i] =
+						radix->num_added_node +
+						source->node_num[i];
+				}
+				node->data[i] = source->data[i];
+			}
+		} else {
+			int next = ++radix->num_added_node;
+			if (fam == AF_UNSPEC) {
+				/* "any" or "none" */
+				for (i = 0; i < RADIX_FAMILIES; i++) {
+					node->node_num[i] = next;
+				}
+			} else {
+				node->node_num[ISC_RADIX_FAMILY(prefix)] = next;
+			}
+
+			memset(node->data, 0, sizeof(node->data));
+		}
+		radix->head = node;
+		radix->num_active_node++;
+		*target = node;
+		return (ISC_R_SUCCESS);
+	}
+
+	addr = isc_prefix_touchar(prefix);
+	node = radix->head;
+
+	while (node->bit < bitlen || node->prefix == NULL) {
+		if (node->bit < radix->maxbits &&
+		    BIT_TEST(addr[node->bit >> 3], 0x80 >> (node->bit & 0x07)))
+		{
+			if (node->r == NULL) {
+				break;
+			}
+			node = node->r;
+		} else {
+			if (node->l == NULL) {
+				break;
+			}
+			node = node->l;
+		}
+
+		INSIST(node != NULL);
+	}
+
+	INSIST(node->prefix != NULL);
+
+	test_addr = isc_prefix_touchar(node->prefix);
+	/* Find the first bit different. */
+	check_bit = (node->bit < bitlen) ? node->bit : bitlen;
+	differ_bit = 0;
+	for (i = 0; i * 8 < check_bit; i++) {
+		if ((r = (addr[i] ^ test_addr[i])) == 0) {
+			differ_bit = (i + 1) * 8;
+			continue;
+		}
+		/* I know the better way, but for now. */
+		for (j = 0; j < 8; j++) {
+			if (BIT_TEST(r, (0x80 >> j))) {
+				break;
+			}
+		}
+		/* Must be found. */
+		INSIST(j < 8);
+		differ_bit = i * 8 + j;
+		break;
+	}
+
+	if (differ_bit > check_bit) {
+		differ_bit = check_bit;
+	}
+
+	parent = node->parent;
+	while (parent != NULL && parent->bit >= differ_bit) {
+		node = parent;
+		parent = node->parent;
+	}
+
+	if (differ_bit == bitlen && node->bit == bitlen) {
+		if (node->prefix != NULL) {
+			/* Set node_num only if it hasn't been set before */
+			if (source != NULL) {
+				/* Merging nodes */
+				for (i = 0; i < RADIX_FAMILIES; i++) {
+					if (node->node_num[i] == -1 &&
+					    source->node_num[i] != -1)
+					{
+						node->node_num[i] =
+							radix->num_added_node +
+							source->node_num[i];
+						node->data[i] = source->data[i];
+					}
+				}
+			} else {
+				if (fam == AF_UNSPEC) {
+					/* "any" or "none" */
+					int next = radix->num_added_node + 1;
+					for (i = 0; i < RADIX_FAMILIES; i++) {
+						if (node->node_num[i] == -1) {
+							node->node_num[i] =
+								next;
+							radix->num_added_node =
+								next;
+						}
+					}
+				} else {
+					int foff = ISC_RADIX_FAMILY(prefix);
+					if (node->node_num[foff] == -1) {
+						node->node_num[foff] =
+							++radix->num_added_node;
+					}
+				}
+			}
+			*target = node;
+			return (ISC_R_SUCCESS);
+		} else {
+			result = _ref_prefix(radix->mctx, &node->prefix,
+					     prefix);
+			if (result != ISC_R_SUCCESS) {
+				return (result);
+			}
+		}
+		INSIST(node->data[RADIX_V4] == NULL &&
+		       node->node_num[RADIX_V4] == -1 &&
+		       node->data[RADIX_V4] == NULL &&
+		       node->node_num[RADIX_V4] == -1);
+		if (source != NULL) {
+			/* Merging node */
+			for (i = 0; i < RADIX_FAMILIES; i++) {
+				int cur = radix->num_added_node;
+				if (source->node_num[i] != -1) {
+					node->node_num[i] =
+						source->node_num[i] + cur;
+					node->data[i] = source->data[i];
+				}
+			}
+		} else {
+			int next = ++radix->num_added_node;
+			if (fam == AF_UNSPEC) {
+				/* "any" or "none" */
+				for (i = 0; i < RADIX_FAMILIES; i++) {
+					node->node_num[i] = next;
+				}
+			} else {
+				node->node_num[ISC_RADIX_FAMILY(prefix)] = next;
+			}
+		}
+		*target = node;
+		return (ISC_R_SUCCESS);
+	}
+
+	new_node = isc_mem_get(radix->mctx, sizeof(isc_radix_node_t));
+	if (node->bit != differ_bit && bitlen != differ_bit) {
+		glue = isc_mem_get(radix->mctx, sizeof(isc_radix_node_t));
+	}
+	new_node->bit = bitlen;
+	new_node->prefix = NULL;
+	result = _ref_prefix(radix->mctx, &new_node->prefix, prefix);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(radix->mctx, new_node, sizeof(isc_radix_node_t));
+		if (glue != NULL) {
+			isc_mem_put(radix->mctx, glue,
+				    sizeof(isc_radix_node_t));
+		}
+		return (result);
+	}
+	new_node->parent = NULL;
+	new_node->l = new_node->r = NULL;
+	for (i = 0; i < RADIX_FAMILIES; i++) {
+		new_node->node_num[i] = -1;
+		new_node->data[i] = NULL;
+	}
+	radix->num_active_node++;
+
+	if (source != NULL) {
+		/* Merging node */
+		for (i = 0; i < RADIX_FAMILIES; i++) {
+			int cur = radix->num_added_node;
+			if (source->node_num[i] != -1) {
+				new_node->node_num[i] = source->node_num[i] +
+							cur;
+				new_node->data[i] = source->data[i];
+			}
+		}
+	} else {
+		int next = ++radix->num_added_node;
+		if (fam == AF_UNSPEC) {
+			/* "any" or "none" */
+			for (i = 0; i < RADIX_FAMILIES; i++) {
+				new_node->node_num[i] = next;
+			}
+		} else {
+			new_node->node_num[ISC_RADIX_FAMILY(prefix)] = next;
+		}
+		memset(new_node->data, 0, sizeof(new_node->data));
+	}
+
+	if (node->bit == differ_bit) {
+		INSIST(glue == NULL);
+		new_node->parent = node;
+		if (node->bit < radix->maxbits &&
+		    BIT_TEST(addr[node->bit >> 3], 0x80 >> (node->bit & 0x07)))
+		{
+			INSIST(node->r == NULL);
+			node->r = new_node;
+		} else {
+			INSIST(node->l == NULL);
+			node->l = new_node;
+		}
+		*target = new_node;
+		return (ISC_R_SUCCESS);
+	}
+
+	if (bitlen == differ_bit) {
+		INSIST(glue == NULL);
+		if (bitlen < radix->maxbits &&
+		    BIT_TEST(test_addr[bitlen >> 3], 0x80 >> (bitlen & 0x07)))
+		{
+			new_node->r = node;
+		} else {
+			new_node->l = node;
+		}
+		new_node->parent = node->parent;
+		if (node->parent == NULL) {
+			INSIST(radix->head == node);
+			radix->head = new_node;
+		} else if (node->parent->r == node) {
+			node->parent->r = new_node;
+		} else {
+			node->parent->l = new_node;
+		}
+		node->parent = new_node;
+	} else {
+		INSIST(glue != NULL);
+		glue->bit = differ_bit;
+		glue->prefix = NULL;
+		glue->parent = node->parent;
+		for (i = 0; i < RADIX_FAMILIES; i++) {
+			glue->data[i] = NULL;
+			glue->node_num[i] = -1;
+		}
+		radix->num_active_node++;
+		if (differ_bit < radix->maxbits &&
+		    BIT_TEST(addr[differ_bit >> 3], 0x80 >> (differ_bit & 07)))
+		{
+			glue->r = new_node;
+			glue->l = node;
+		} else {
+			glue->r = node;
+			glue->l = new_node;
+		}
+		new_node->parent = glue;
+
+		if (node->parent == NULL) {
+			INSIST(radix->head == node);
+			radix->head = glue;
+		} else if (node->parent->r == node) {
+			node->parent->r = glue;
+		} else {
+			node->parent->l = glue;
+		}
+		node->parent = glue;
+	}
+
+	*target = new_node;
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_radix_remove(isc_radix_tree_t *radix, isc_radix_node_t *node) {
+	isc_radix_node_t *parent, *child;
+
+	REQUIRE(radix != NULL);
+	REQUIRE(node != NULL);
+
+	if (node->r && node->l) {
+		/*
+		 * This might be a placeholder node -- have to check and
+		 * make sure there is a prefix associated with it!
+		 */
+		if (node->prefix != NULL) {
+			_deref_prefix(node->prefix);
+		}
+
+		node->prefix = NULL;
+		memset(node->data, 0, sizeof(node->data));
+		return;
+	}
+
+	if (node->r == NULL && node->l == NULL) {
+		parent = node->parent;
+		_deref_prefix(node->prefix);
+
+		if (parent == NULL) {
+			INSIST(radix->head == node);
+			radix->head = NULL;
+			isc_mem_put(radix->mctx, node, sizeof(*node));
+			radix->num_active_node--;
+			return;
+		}
+
+		if (parent->r == node) {
+			parent->r = NULL;
+			child = parent->l;
+		} else {
+			INSIST(parent->l == node);
+			parent->l = NULL;
+			child = parent->r;
+		}
+
+		isc_mem_put(radix->mctx, node, sizeof(*node));
+		radix->num_active_node--;
+
+		if (parent->prefix) {
+			return;
+		}
+
+		/* We need to remove parent too. */
+		if (parent->parent == NULL) {
+			INSIST(radix->head == parent);
+			radix->head = child;
+		} else if (parent->parent->r == parent) {
+			parent->parent->r = child;
+		} else {
+			INSIST(parent->parent->l == parent);
+			parent->parent->l = child;
+		}
+
+		child->parent = parent->parent;
+		isc_mem_put(radix->mctx, parent, sizeof(*parent));
+		radix->num_active_node--;
+		return;
+	}
+
+	if (node->r) {
+		child = node->r;
+	} else {
+		INSIST(node->l != NULL);
+		child = node->l;
+	}
+
+	parent = node->parent;
+	child->parent = parent;
+
+	_deref_prefix(node->prefix);
+
+	if (parent == NULL) {
+		INSIST(radix->head == node);
+		radix->head = child;
+		isc_mem_put(radix->mctx, node, sizeof(*node));
+		radix->num_active_node--;
+		return;
+	}
+
+	isc_mem_put(radix->mctx, node, sizeof(*node));
+	radix->num_active_node--;
+
+	if (parent->r == node) {
+		parent->r = child;
+	} else {
+		INSIST(parent->l == node);
+		parent->l = child;
+	}
+}
diff --git a/lib/isc/random.c b/lib/isc/random.c
new file mode 100644
index 0000000..b11c39f
--- /dev/null
+++ b/lib/isc/random.c
@@ -0,0 +1,161 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Portions of isc_random_uniform():
+ *
+ * Copyright (c) 1996, David Mazieres <dm@uun.org>
+ * Copyright (c) 2008, Damien Miller <djm@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <inttypes.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <isc/once.h>
+#include <isc/platform.h>
+#include <isc/random.h>
+#include <isc/result.h>
+#include <isc/thread.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include "entropy_private.h"
+
+/*
+ * The specific implementation for PRNG is included as a C file
+ * that has to provide a static variable named seed, and a function
+ * uint32_t next(void) that provides next random number.
+ *
+ * The implementation must be thread-safe.
+ */
+
+/*
+ * Two contestants have been considered: the xoroshiro family of the
+ * functions by Villa&Blackman, and PCG by O'Neill.  After
+ * consideration, the xoshiro128starstar function has been chosen as
+ * the uint32_t random number provider because it is very fast and has
+ * good enough properties for our usage pattern.
+ */
+#include "xoshiro128starstar.c"
+
+ISC_THREAD_LOCAL isc_once_t isc_random_once = ISC_ONCE_INIT;
+
+static void
+isc_random_initialize(void) {
+	int useed[4] = { 0, 0, 0, 1 };
+#if FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+	/*
+	 * Set a constant seed to help in problem reproduction should fuzzing
+	 * find a crash or a hang.  The seed array must be non-zero else
+	 * xoshiro128starstar will generate an infinite series of zeroes.
+	 */
+#else  /* if FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION */
+	isc_entropy_get(useed, sizeof(useed));
+#endif /* if FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION */
+	memmove(seed, useed, sizeof(seed));
+}
+
+uint8_t
+isc_random8(void) {
+	RUNTIME_CHECK(isc_once_do(&isc_random_once, isc_random_initialize) ==
+		      ISC_R_SUCCESS);
+	return (next() & 0xff);
+}
+
+uint16_t
+isc_random16(void) {
+	RUNTIME_CHECK(isc_once_do(&isc_random_once, isc_random_initialize) ==
+		      ISC_R_SUCCESS);
+	return (next() & 0xffff);
+}
+
+uint32_t
+isc_random32(void) {
+	RUNTIME_CHECK(isc_once_do(&isc_random_once, isc_random_initialize) ==
+		      ISC_R_SUCCESS);
+	return (next());
+}
+
+void
+isc_random_buf(void *buf, size_t buflen) {
+	int i;
+	uint32_t r;
+
+	REQUIRE(buf != NULL);
+	REQUIRE(buflen > 0);
+
+	RUNTIME_CHECK(isc_once_do(&isc_random_once, isc_random_initialize) ==
+		      ISC_R_SUCCESS);
+
+	for (i = 0; i + sizeof(r) <= buflen; i += sizeof(r)) {
+		r = next();
+		memmove((uint8_t *)buf + i, &r, sizeof(r));
+	}
+	r = next();
+	memmove((uint8_t *)buf + i, &r, buflen % sizeof(r));
+	return;
+}
+
+uint32_t
+isc_random_uniform(uint32_t upper_bound) {
+	/* Copy of arc4random_uniform from OpenBSD */
+	uint32_t r, min;
+
+	RUNTIME_CHECK(isc_once_do(&isc_random_once, isc_random_initialize) ==
+		      ISC_R_SUCCESS);
+
+	if (upper_bound < 2) {
+		return (0);
+	}
+
+#if (ULONG_MAX > 0xffffffffUL)
+	min = 0x100000000UL % upper_bound;
+#else  /* if (ULONG_MAX > 0xffffffffUL) */
+	/* Calculate (2**32 % upper_bound) avoiding 64-bit math */
+	if (upper_bound > 0x80000000) {
+		min = 1 + ~upper_bound; /* 2**32 - upper_bound */
+	} else {
+		/* (2**32 - (x * 2)) % x == 2**32 % x when x <= 2**31 */
+		min = ((0xffffffff - (upper_bound * 2)) + 1) % upper_bound;
+	}
+#endif /* if (ULONG_MAX > 0xffffffffUL) */
+
+	/*
+	 * This could theoretically loop forever but each retry has
+	 * p > 0.5 (worst case, usually far better) of selecting a
+	 * number inside the range we need, so it should rarely need
+	 * to re-roll.
+	 */
+	for (;;) {
+		r = next();
+		if (r >= min) {
+			break;
+		}
+	}
+
+	return (r % upper_bound);
+}
diff --git a/lib/isc/ratelimiter.c b/lib/isc/ratelimiter.c
new file mode 100644
index 0000000..f502bbd
--- /dev/null
+++ b/lib/isc/ratelimiter.c
@@ -0,0 +1,372 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/mem.h>
+#include <isc/ratelimiter.h>
+#include <isc/refcount.h>
+#include <isc/task.h>
+#include <isc/time.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+typedef enum {
+	isc_ratelimiter_stalled = 0,
+	isc_ratelimiter_ratelimited = 1,
+	isc_ratelimiter_idle = 2,
+	isc_ratelimiter_shuttingdown = 3
+} isc_ratelimiter_state_t;
+
+struct isc_ratelimiter {
+	isc_mem_t *mctx;
+	isc_mutex_t lock;
+	isc_refcount_t references;
+	isc_task_t *task;
+	isc_timer_t *timer;
+	isc_interval_t interval;
+	uint32_t pertic;
+	bool pushpop;
+	isc_ratelimiter_state_t state;
+	isc_event_t shutdownevent;
+	ISC_LIST(isc_event_t) pending;
+};
+
+#define ISC_RATELIMITEREVENT_SHUTDOWN (ISC_EVENTCLASS_RATELIMITER + 1)
+
+static void
+ratelimiter_tick(isc_task_t *task, isc_event_t *event);
+
+static void
+ratelimiter_shutdowncomplete(isc_task_t *task, isc_event_t *event);
+
+isc_result_t
+isc_ratelimiter_create(isc_mem_t *mctx, isc_timermgr_t *timermgr,
+		       isc_task_t *task, isc_ratelimiter_t **ratelimiterp) {
+	isc_result_t result;
+	isc_ratelimiter_t *rl;
+	INSIST(ratelimiterp != NULL && *ratelimiterp == NULL);
+
+	rl = isc_mem_get(mctx, sizeof(*rl));
+	*rl = (isc_ratelimiter_t){
+		.mctx = mctx,
+		.task = task,
+		.pertic = 1,
+		.state = isc_ratelimiter_idle,
+	};
+
+	isc_refcount_init(&rl->references, 1);
+	isc_interval_set(&rl->interval, 0, 0);
+	ISC_LIST_INIT(rl->pending);
+
+	isc_mutex_init(&rl->lock);
+
+	result = isc_timer_create(timermgr, isc_timertype_inactive, NULL, NULL,
+				  rl->task, ratelimiter_tick, rl, &rl->timer);
+	if (result != ISC_R_SUCCESS) {
+		goto free_mutex;
+	}
+
+	/*
+	 * Increment the reference count to indicate that we may
+	 * (soon) have events outstanding.
+	 */
+	isc_refcount_increment(&rl->references);
+
+	ISC_EVENT_INIT(&rl->shutdownevent, sizeof(isc_event_t), 0, NULL,
+		       ISC_RATELIMITEREVENT_SHUTDOWN,
+		       ratelimiter_shutdowncomplete, rl, rl, NULL, NULL);
+
+	*ratelimiterp = rl;
+	return (ISC_R_SUCCESS);
+
+free_mutex:
+	isc_refcount_decrementz(&rl->references);
+	isc_refcount_destroy(&rl->references);
+	isc_mutex_destroy(&rl->lock);
+	isc_mem_put(mctx, rl, sizeof(*rl));
+	return (result);
+}
+
+isc_result_t
+isc_ratelimiter_setinterval(isc_ratelimiter_t *rl, isc_interval_t *interval) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(rl != NULL);
+	REQUIRE(interval != NULL);
+
+	LOCK(&rl->lock);
+	rl->interval = *interval;
+	/*
+	 * If the timer is currently running, change its rate.
+	 */
+	if (rl->state == isc_ratelimiter_ratelimited) {
+		result = isc_timer_reset(rl->timer, isc_timertype_ticker, NULL,
+					 &rl->interval, false);
+	}
+	UNLOCK(&rl->lock);
+	return (result);
+}
+
+void
+isc_ratelimiter_setpertic(isc_ratelimiter_t *rl, uint32_t pertic) {
+	REQUIRE(rl != NULL);
+
+	if (pertic == 0) {
+		pertic = 1;
+	}
+	rl->pertic = pertic;
+}
+
+void
+isc_ratelimiter_setpushpop(isc_ratelimiter_t *rl, bool pushpop) {
+	REQUIRE(rl != NULL);
+
+	rl->pushpop = pushpop;
+}
+
+isc_result_t
+isc_ratelimiter_enqueue(isc_ratelimiter_t *rl, isc_task_t *task,
+			isc_event_t **eventp) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_event_t *ev;
+
+	REQUIRE(rl != NULL);
+	REQUIRE(task != NULL);
+	REQUIRE(eventp != NULL && *eventp != NULL);
+	ev = *eventp;
+	REQUIRE(ev->ev_sender == NULL);
+
+	LOCK(&rl->lock);
+	if (rl->state == isc_ratelimiter_ratelimited ||
+	    rl->state == isc_ratelimiter_stalled)
+	{
+		ev->ev_sender = task;
+		*eventp = NULL;
+		if (rl->pushpop) {
+			ISC_LIST_PREPEND(rl->pending, ev, ev_ratelink);
+		} else {
+			ISC_LIST_APPEND(rl->pending, ev, ev_ratelink);
+		}
+	} else if (rl->state == isc_ratelimiter_idle) {
+		result = isc_timer_reset(rl->timer, isc_timertype_ticker, NULL,
+					 &rl->interval, false);
+		if (result == ISC_R_SUCCESS) {
+			ev->ev_sender = task;
+			rl->state = isc_ratelimiter_ratelimited;
+		}
+	} else {
+		INSIST(rl->state == isc_ratelimiter_shuttingdown);
+		result = ISC_R_SHUTTINGDOWN;
+	}
+	UNLOCK(&rl->lock);
+	if (*eventp != NULL && result == ISC_R_SUCCESS) {
+		isc_task_send(task, eventp);
+	}
+	return (result);
+}
+
+isc_result_t
+isc_ratelimiter_dequeue(isc_ratelimiter_t *rl, isc_event_t *event) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(rl != NULL);
+	REQUIRE(event != NULL);
+
+	LOCK(&rl->lock);
+	if (ISC_LINK_LINKED(event, ev_ratelink)) {
+		ISC_LIST_UNLINK(rl->pending, event, ev_ratelink);
+		event->ev_sender = NULL;
+	} else {
+		result = ISC_R_NOTFOUND;
+	}
+	UNLOCK(&rl->lock);
+	return (result);
+}
+
+static void
+ratelimiter_tick(isc_task_t *task, isc_event_t *event) {
+	isc_ratelimiter_t *rl = (isc_ratelimiter_t *)event->ev_arg;
+	isc_event_t *p;
+	uint32_t pertic;
+
+	UNUSED(task);
+
+	isc_event_free(&event);
+
+	pertic = rl->pertic;
+	while (pertic != 0) {
+		pertic--;
+		LOCK(&rl->lock);
+		p = ISC_LIST_HEAD(rl->pending);
+		if (p != NULL) {
+			/*
+			 * There is work to do.  Let's do it after unlocking.
+			 */
+			ISC_LIST_UNLINK(rl->pending, p, ev_ratelink);
+		} else {
+			/*
+			 * No work left to do.  Stop the timer so that we don't
+			 * waste resources by having it fire periodically.
+			 */
+			isc_result_t result = isc_timer_reset(
+				rl->timer, isc_timertype_inactive, NULL, NULL,
+				false);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			rl->state = isc_ratelimiter_idle;
+			pertic = 0; /* Force the loop to exit. */
+		}
+		UNLOCK(&rl->lock);
+		if (p != NULL) {
+			isc_task_t *evtask = p->ev_sender;
+			isc_task_send(evtask, &p);
+		}
+		INSIST(p == NULL);
+	}
+}
+
+void
+isc_ratelimiter_shutdown(isc_ratelimiter_t *rl) {
+	isc_event_t *ev;
+	isc_task_t *task;
+	isc_result_t result;
+
+	REQUIRE(rl != NULL);
+
+	LOCK(&rl->lock);
+	rl->state = isc_ratelimiter_shuttingdown;
+	(void)isc_timer_reset(rl->timer, isc_timertype_inactive, NULL, NULL,
+			      false);
+	while ((ev = ISC_LIST_HEAD(rl->pending)) != NULL) {
+		task = ev->ev_sender;
+		ISC_LIST_UNLINK(rl->pending, ev, ev_ratelink);
+		ev->ev_attributes |= ISC_EVENTATTR_CANCELED;
+		isc_task_send(task, &ev);
+	}
+	task = NULL;
+	isc_task_attach(rl->task, &task);
+
+	result = isc_timer_reset(rl->timer, isc_timertype_inactive, NULL, NULL,
+				 false);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	isc_timer_destroy(&rl->timer);
+
+	/*
+	 * Send an event to our task.  The delivery of this event
+	 * indicates that no more timer events will be delivered.
+	 */
+	ev = &rl->shutdownevent;
+	isc_task_send(rl->task, &ev);
+
+	UNLOCK(&rl->lock);
+}
+
+static void
+ratelimiter_shutdowncomplete(isc_task_t *task, isc_event_t *event) {
+	isc_ratelimiter_t *rl = (isc_ratelimiter_t *)event->ev_arg;
+
+	UNUSED(task);
+
+	isc_ratelimiter_detach(&rl);
+	isc_task_detach(&task);
+}
+
+static void
+ratelimiter_free(isc_ratelimiter_t *rl) {
+	isc_refcount_destroy(&rl->references);
+	isc_mutex_destroy(&rl->lock);
+	isc_mem_put(rl->mctx, rl, sizeof(*rl));
+}
+
+void
+isc_ratelimiter_attach(isc_ratelimiter_t *source, isc_ratelimiter_t **target) {
+	REQUIRE(source != NULL);
+	REQUIRE(target != NULL && *target == NULL);
+
+	isc_refcount_increment(&source->references);
+
+	*target = source;
+}
+
+void
+isc_ratelimiter_detach(isc_ratelimiter_t **rlp) {
+	isc_ratelimiter_t *rl;
+
+	REQUIRE(rlp != NULL && *rlp != NULL);
+
+	rl = *rlp;
+	*rlp = NULL;
+
+	if (isc_refcount_decrement(&rl->references) == 1) {
+		ratelimiter_free(rl);
+	}
+}
+
+isc_result_t
+isc_ratelimiter_stall(isc_ratelimiter_t *rl) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(rl != NULL);
+
+	LOCK(&rl->lock);
+	switch (rl->state) {
+	case isc_ratelimiter_shuttingdown:
+		result = ISC_R_SHUTTINGDOWN;
+		break;
+	case isc_ratelimiter_ratelimited:
+		result = isc_timer_reset(rl->timer, isc_timertype_inactive,
+					 NULL, NULL, false);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		FALLTHROUGH;
+	case isc_ratelimiter_idle:
+	case isc_ratelimiter_stalled:
+		rl->state = isc_ratelimiter_stalled;
+		break;
+	}
+	UNLOCK(&rl->lock);
+	return (result);
+}
+
+isc_result_t
+isc_ratelimiter_release(isc_ratelimiter_t *rl) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(rl != NULL);
+
+	LOCK(&rl->lock);
+	switch (rl->state) {
+	case isc_ratelimiter_shuttingdown:
+		result = ISC_R_SHUTTINGDOWN;
+		break;
+	case isc_ratelimiter_stalled:
+		if (!ISC_LIST_EMPTY(rl->pending)) {
+			result = isc_timer_reset(rl->timer,
+						 isc_timertype_ticker, NULL,
+						 &rl->interval, false);
+			if (result == ISC_R_SUCCESS) {
+				rl->state = isc_ratelimiter_ratelimited;
+			}
+		} else {
+			rl->state = isc_ratelimiter_idle;
+		}
+		break;
+	case isc_ratelimiter_ratelimited:
+	case isc_ratelimiter_idle:
+		break;
+	}
+	UNLOCK(&rl->lock);
+	return (result);
+}
diff --git a/lib/isc/regex.c b/lib/isc/regex.c
new file mode 100644
index 0000000..f7a3f5e
--- /dev/null
+++ b/lib/isc/regex.c
@@ -0,0 +1,436 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stdbool.h>
+
+#include <isc/file.h>
+#include <isc/print.h>
+#include <isc/regex.h>
+#include <isc/string.h>
+
+#if VALREGEX_REPORT_REASON
+#define FAIL(x)               \
+	do {                  \
+		reason = (x); \
+		goto error;   \
+	} while (0)
+#else /* if VALREGEX_REPORT_REASON */
+#define FAIL(x) goto error
+#endif /* if VALREGEX_REPORT_REASON */
+
+/*
+ * Validate the regular expression 'C' locale.
+ */
+int
+isc_regex_validate(const char *c) {
+	enum {
+		none,
+		parse_bracket,
+		parse_bound,
+		parse_ce,
+		parse_ec,
+		parse_cc
+	} state = none;
+	/* Well known character classes. */
+	const char *cc[] = { ":alnum:", ":digit:", ":punct:", ":alpha:",
+			     ":graph:", ":space:", ":blank:", ":lower:",
+			     ":upper:", ":cntrl:", ":print:", ":xdigit:" };
+	bool seen_comma = false;
+	bool seen_high = false;
+	bool seen_char = false;
+	bool seen_ec = false;
+	bool seen_ce = false;
+	bool have_atom = false;
+	int group = 0;
+	int range = 0;
+	int sub = 0;
+	bool empty_ok = false;
+	bool neg = false;
+	bool was_multiple = false;
+	unsigned int low = 0;
+	unsigned int high = 0;
+	const char *ccname = NULL;
+	int range_start = 0;
+#if VALREGEX_REPORT_REASON
+	const char *reason = "";
+#endif /* if VALREGEX_REPORT_REASON */
+
+	if (c == NULL || *c == 0) {
+		FAIL("empty string");
+	}
+
+	while (c != NULL && *c != 0) {
+		switch (state) {
+		case none:
+			switch (*c) {
+			case '\\': /* make literal */
+				++c;
+				switch (*c) {
+				case '1':
+				case '2':
+				case '3':
+				case '4':
+				case '5':
+				case '6':
+				case '7':
+				case '8':
+				case '9':
+					if ((*c - '0') > sub) {
+						FAIL("bad back reference");
+					}
+					have_atom = true;
+					was_multiple = false;
+					break;
+				case 0:
+					FAIL("escaped end-of-string");
+				default:
+					goto literal;
+				}
+				++c;
+				break;
+			case '[': /* bracket start */
+				++c;
+				neg = false;
+				was_multiple = false;
+				seen_char = false;
+				state = parse_bracket;
+				break;
+			case '{': /* bound start */
+				switch (c[1]) {
+				case '0':
+				case '1':
+				case '2':
+				case '3':
+				case '4':
+				case '5':
+				case '6':
+				case '7':
+				case '8':
+				case '9':
+					if (!have_atom) {
+						FAIL("no atom");
+					}
+					if (was_multiple) {
+						FAIL("was multiple");
+					}
+					seen_comma = false;
+					seen_high = false;
+					low = high = 0;
+					state = parse_bound;
+					break;
+				default:
+					goto literal;
+				}
+				++c;
+				have_atom = true;
+				was_multiple = true;
+				break;
+			case '}':
+				goto literal;
+			case '(': /* group start */
+				have_atom = false;
+				was_multiple = false;
+				empty_ok = true;
+				++group;
+				++sub;
+				++c;
+				break;
+			case ')': /* group end */
+				if (group && !have_atom && !empty_ok) {
+					FAIL("empty alternative");
+				}
+				have_atom = true;
+				was_multiple = false;
+				if (group != 0) {
+					--group;
+				}
+				++c;
+				break;
+			case '|': /* alternative separator */
+				if (!have_atom) {
+					FAIL("no atom");
+				}
+				have_atom = false;
+				empty_ok = false;
+				was_multiple = false;
+				++c;
+				break;
+			case '^':
+			case '$':
+				have_atom = true;
+				was_multiple = true;
+				++c;
+				break;
+			case '+':
+			case '*':
+			case '?':
+				if (was_multiple) {
+					FAIL("was multiple");
+				}
+				if (!have_atom) {
+					FAIL("no atom");
+				}
+				have_atom = true;
+				was_multiple = true;
+				++c;
+				break;
+			case '.':
+			default:
+			literal:
+				have_atom = true;
+				was_multiple = false;
+				++c;
+				break;
+			}
+			break;
+		case parse_bound:
+			switch (*c) {
+			case '0':
+			case '1':
+			case '2':
+			case '3':
+			case '4':
+			case '5':
+			case '6':
+			case '7':
+			case '8':
+			case '9':
+				if (!seen_comma) {
+					low = low * 10 + *c - '0';
+					if (low > 255) {
+						FAIL("lower bound too big");
+					}
+				} else {
+					seen_high = true;
+					high = high * 10 + *c - '0';
+					if (high > 255) {
+						FAIL("upper bound too big");
+					}
+				}
+				++c;
+				break;
+			case ',':
+				if (seen_comma) {
+					FAIL("multiple commas");
+				}
+				seen_comma = true;
+				++c;
+				break;
+			default:
+			case '{':
+				FAIL("non digit/comma");
+			case '}':
+				if (seen_high && low > high) {
+					FAIL("bad parse bound");
+				}
+				seen_comma = false;
+				state = none;
+				++c;
+				break;
+			}
+			break;
+		case parse_bracket:
+			switch (*c) {
+			case '^':
+				if (seen_char || neg) {
+					goto inside;
+				}
+				neg = true;
+				++c;
+				break;
+			case '-':
+				if (range == 2) {
+					goto inside;
+				}
+				if (!seen_char) {
+					goto inside;
+				}
+				if (range == 1) {
+					FAIL("bad range");
+				}
+				range = 2;
+				++c;
+				break;
+			case '[':
+				++c;
+				switch (*c) {
+				case '.': /* collating element */
+					if (range != 0) {
+						--range;
+					}
+					++c;
+					state = parse_ce;
+					seen_ce = false;
+					break;
+				case '=': /* equivalence class */
+					if (range == 2) {
+						FAIL("equivalence class in "
+						     "range");
+					}
+					++c;
+					state = parse_ec;
+					seen_ec = false;
+					break;
+				case ':': /* character class */
+					if (range == 2) {
+						FAIL("character class in "
+						     "range");
+					}
+					ccname = c;
+					++c;
+					state = parse_cc;
+					break;
+				}
+				seen_char = true;
+				break;
+			case ']':
+				if (!c[1] && !seen_char) {
+					FAIL("unfinished brace");
+				}
+				if (!seen_char) {
+					goto inside;
+				}
+				++c;
+				range = 0;
+				have_atom = true;
+				state = none;
+				break;
+			default:
+			inside:
+				seen_char = true;
+				if (range == 2 && (*c & 0xff) < range_start) {
+					FAIL("out of order range");
+				}
+				if (range != 0) {
+					--range;
+				}
+				range_start = *c & 0xff;
+				++c;
+				break;
+			}
+			break;
+		case parse_ce:
+			switch (*c) {
+			case '.':
+				++c;
+				switch (*c) {
+				case ']':
+					if (!seen_ce) {
+						FAIL("empty ce");
+					}
+					++c;
+					state = parse_bracket;
+					break;
+				default:
+					if (seen_ce) {
+						range_start = 256;
+					} else {
+						range_start = '.';
+					}
+					seen_ce = true;
+					break;
+				}
+				break;
+			default:
+				if (seen_ce) {
+					range_start = 256;
+				} else {
+					range_start = *c;
+				}
+				seen_ce = true;
+				++c;
+				break;
+			}
+			break;
+		case parse_ec:
+			switch (*c) {
+			case '=':
+				++c;
+				switch (*c) {
+				case ']':
+					if (!seen_ec) {
+						FAIL("no ec");
+					}
+					++c;
+					state = parse_bracket;
+					break;
+				default:
+					seen_ec = true;
+					break;
+				}
+				break;
+			default:
+				seen_ec = true;
+				++c;
+				break;
+			}
+			break;
+		case parse_cc:
+			switch (*c) {
+			case ':':
+				++c;
+				switch (*c) {
+				case ']': {
+					unsigned int i;
+					bool found = false;
+					for (i = 0;
+					     i < sizeof(cc) / sizeof(*cc); i++)
+					{
+						unsigned int len;
+						len = strlen(cc[i]);
+						if (len !=
+						    (unsigned int)(c - ccname))
+						{
+							continue;
+						}
+						if (strncmp(cc[i], ccname, len))
+						{
+							continue;
+						}
+						found = true;
+					}
+					if (!found) {
+						FAIL("unknown cc");
+					}
+					++c;
+					state = parse_bracket;
+					break;
+				}
+				default:
+					break;
+				}
+				break;
+			default:
+				++c;
+				break;
+			}
+			break;
+		}
+	}
+	if (group != 0) {
+		FAIL("group open");
+	}
+	if (state != none) {
+		FAIL("incomplete");
+	}
+	if (!have_atom) {
+		FAIL("no atom");
+	}
+	return (sub);
+
+error:
+#if VALREGEX_REPORT_REASON
+	fprintf(stderr, "%s\n", reason);
+#endif /* if VALREGEX_REPORT_REASON */
+	return (-1);
+}
diff --git a/lib/isc/region.c b/lib/isc/region.c
new file mode 100644
index 0000000..675f4ec
--- /dev/null
+++ b/lib/isc/region.c
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/region.h>
+#include <isc/util.h>
+
+int
+isc_region_compare(isc_region_t *r1, isc_region_t *r2) {
+	unsigned int l;
+	int result;
+
+	REQUIRE(r1 != NULL);
+	REQUIRE(r2 != NULL);
+
+	l = (r1->length < r2->length) ? r1->length : r2->length;
+
+	if ((result = memcmp(r1->base, r2->base, l)) != 0) {
+		return ((result < 0) ? -1 : 1);
+	} else {
+		return ((r1->length == r2->length)  ? 0
+			: (r1->length < r2->length) ? -1
+						    : 1);
+	}
+}
diff --git a/lib/isc/result.c b/lib/isc/result.c
new file mode 100644
index 0000000..d083000
--- /dev/null
+++ b/lib/isc/result.c
@@ -0,0 +1,306 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <stddef.h>
+#include <stdlib.h>
+
+#include <isc/lib.h>
+#include <isc/once.h>
+#include <isc/resultclass.h>
+#include <isc/rwlock.h>
+#include <isc/util.h>
+
+typedef struct resulttable {
+	unsigned int base;
+	unsigned int last;
+	const char **text;
+	int set;
+	ISC_LINK(struct resulttable) link;
+} resulttable;
+
+typedef ISC_LIST(resulttable) resulttable_list_t;
+
+static const char *description[ISC_R_NRESULTS] = {
+	"success",			    /*%< 0 */
+	"out of memory",		    /*%< 1 */
+	"timed out",			    /*%< 2 */
+	"no available threads",		    /*%< 3 */
+	"address not available",	    /*%< 4 */
+	"address in use",		    /*%< 5 */
+	"permission denied",		    /*%< 6 */
+	"no pending connections",	    /*%< 7 */
+	"network unreachable",		    /*%< 8 */
+	"host unreachable",		    /*%< 9 */
+	"network down",			    /*%< 10 */
+	"host down",			    /*%< 11 */
+	"connection refused",		    /*%< 12 */
+	"not enough free resources",	    /*%< 13 */
+	"end of file",			    /*%< 14 */
+	"socket already bound",		    /*%< 15 */
+	"reload",			    /*%< 16 */
+	"lock busy",			    /*%< 17 */
+	"already exists",		    /*%< 18 */
+	"ran out of space",		    /*%< 19 */
+	"operation canceled",		    /*%< 20 */
+	"socket is not bound",		    /*%< 21 */
+	"shutting down",		    /*%< 22 */
+	"not found",			    /*%< 23 */
+	"unexpected end of input",	    /*%< 24 */
+	"failure",			    /*%< 25 */
+	"I/O error",			    /*%< 26 */
+	"not implemented",		    /*%< 27 */
+	"unbalanced parentheses",	    /*%< 28 */
+	"no more",			    /*%< 29 */
+	"invalid file",			    /*%< 30 */
+	"bad base64 encoding",		    /*%< 31 */
+	"unexpected token",		    /*%< 32 */
+	"quota reached",		    /*%< 33 */
+	"unexpected error",		    /*%< 34 */
+	"already running",		    /*%< 35 */
+	"ignore",			    /*%< 36 */
+	"address mask not contiguous",	    /*%< 37 */
+	"file not found",		    /*%< 38 */
+	"file already exists",		    /*%< 39 */
+	"socket is not connected",	    /*%< 40 */
+	"out of range",			    /*%< 41 */
+	"out of entropy",		    /*%< 42 */
+	"invalid use of multicast address", /*%< 43 */
+	"not a file",			    /*%< 44 */
+	"not a directory",		    /*%< 45 */
+	"queue is empty",		    /*%< 46 */
+	"address family mismatch",	    /*%< 47 */
+	"address family not supported",	    /*%< 48 */
+	"bad hex encoding",		    /*%< 49 */
+	"too many open files",		    /*%< 50 */
+	"not blocking",			    /*%< 51 */
+	"unbalanced quotes",		    /*%< 52 */
+	"operation in progress",	    /*%< 53 */
+	"connection reset",		    /*%< 54 */
+	"soft quota reached",		    /*%< 55 */
+	"not a valid number",		    /*%< 56 */
+	"disabled",			    /*%< 57 */
+	"max size",			    /*%< 58 */
+	"invalid address format",	    /*%< 59 */
+	"bad base32 encoding",		    /*%< 60 */
+	"unset",			    /*%< 61 */
+	"multiple",			    /*%< 62 */
+	"would block",			    /*%< 63 */
+	"complete",			    /*%< 64 */
+	"crypto failure",		    /*%< 65 */
+	"disc quota",			    /*%< 66 */
+	"disc full",			    /*%< 67 */
+	"default",			    /*%< 68 */
+	"IPv4 prefix",			    /*%< 69 */
+	"TLS error",			    /*%< 70 */
+	"ALPN for HTTP/2 failed"	    /*%< 71 */
+};
+
+static const char *identifier[ISC_R_NRESULTS] = { "ISC_R_SUCCESS",
+						  "ISC_R_NOMEMORY",
+						  "ISC_R_TIMEDOUT",
+						  "ISC_R_NOTHREADS",
+						  "ISC_R_ADDRNOTAVAIL",
+						  "ISC_R_ADDRINUSE",
+						  "ISC_R_NOPERM",
+						  "ISC_R_NOCONN",
+						  "ISC_R_NETUNREACH",
+						  "ISC_R_HOSTUNREACH",
+						  "ISC_R_NETDOWN",
+						  "ISC_R_HOSTDOWN",
+						  "ISC_R_CONNREFUSED",
+						  "ISC_R_NORESOURCES",
+						  "ISC_R_EOF",
+						  "ISC_R_BOUND",
+						  "ISC_R_RELOAD",
+						  "ISC_R_LOCKBUSY",
+						  "ISC_R_EXISTS",
+						  "ISC_R_NOSPACE",
+						  "ISC_R_CANCELED",
+						  "ISC_R_NOTBOUND",
+						  "ISC_R_SHUTTINGDOWN",
+						  "ISC_R_NOTFOUND",
+						  "ISC_R_UNEXPECTEDEND",
+						  "ISC_R_FAILURE",
+						  "ISC_R_IOERROR",
+						  "ISC_R_NOTIMPLEMENTED",
+						  "ISC_R_UNBALANCED",
+						  "ISC_R_NOMORE",
+						  "ISC_R_INVALIDFILE",
+						  "ISC_R_BADBASE64",
+						  "ISC_R_UNEXPECTEDTOKEN",
+						  "ISC_R_QUOTA",
+						  "ISC_R_UNEXPECTED",
+						  "ISC_R_ALREADYRUNNING",
+						  "ISC_R_IGNORE",
+						  "ISC_R_MASKNONCONTIG",
+						  "ISC_R_FILENOTFOUND",
+						  "ISC_R_FILEEXISTS",
+						  "ISC_R_NOTCONNECTED",
+						  "ISC_R_RANGE",
+						  "ISC_R_NOENTROPY",
+						  "ISC_R_MULTICAST",
+						  "ISC_R_NOTFILE",
+						  "ISC_R_NOTDIRECTORY",
+						  "ISC_R_EMPTY",
+						  "ISC_R_FAMILYMISMATCH",
+						  "ISC_R_FAMILYNOSUPPORT",
+						  "ISC_R_BADHEX",
+						  "ISC_R_TOOMANYOPENFILES",
+						  "ISC_R_NOTBLOCKING",
+						  "ISC_R_UNBALANCEDQUOTES",
+						  "ISC_R_INPROGRESS",
+						  "ISC_R_CONNECTIONRESET",
+						  "ISC_R_SOFTQUOTA",
+						  "ISC_R_BADNUMBER",
+						  "ISC_R_DISABLED",
+						  "ISC_R_MAXSIZE",
+						  "ISC_R_BADADDRESSFORM",
+						  "ISC_R_BADBASE32",
+						  "ISC_R_UNSET",
+						  "ISC_R_MULTIPLE",
+						  "ISC_R_WOULDBLOCK",
+						  "ISC_R_COMPLETE",
+						  "ISC_R_CRYPTOFAILURE",
+						  "ISC_R_DISCQUOTA",
+						  "ISC_R_DISCFULL",
+						  "ISC_R_DEFAULT",
+						  "ISC_R_IPV4PREFIX",
+						  "ISC_R_TLSERROR",
+						  "ISC_R_HTTP2ALPNERROR" };
+
+#define ISC_RESULT_RESULTSET	  2
+#define ISC_RESULT_UNAVAILABLESET 3
+
+static isc_once_t once = ISC_ONCE_INIT;
+static resulttable_list_t description_tables;
+static resulttable_list_t identifier_tables;
+static isc_rwlock_t lock;
+
+static isc_result_t
+register_table(resulttable_list_t *tables, unsigned int base,
+	       unsigned int nresults, const char **text, int set) {
+	resulttable *table;
+
+	REQUIRE(base % ISC_RESULTCLASS_SIZE == 0);
+	REQUIRE(nresults <= ISC_RESULTCLASS_SIZE);
+	REQUIRE(text != NULL);
+
+	/*
+	 * We use malloc() here because we we want to be able to use
+	 * isc_result_totext() even if there is no memory context.
+	 */
+	table = malloc(sizeof(*table));
+	if (table == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+	table->base = base;
+	table->last = base + nresults - 1;
+	table->text = text;
+	table->set = set;
+	ISC_LINK_INIT(table, link);
+
+	RWLOCK(&lock, isc_rwlocktype_write);
+
+	ISC_LIST_APPEND(*tables, table, link);
+
+	RWUNLOCK(&lock, isc_rwlocktype_write);
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+initialize_action(void) {
+	isc_result_t result;
+
+	isc_rwlock_init(&lock, 0, 0);
+	ISC_LIST_INIT(description_tables);
+	ISC_LIST_INIT(identifier_tables);
+
+	result = register_table(&description_tables, ISC_RESULTCLASS_ISC,
+				ISC_R_NRESULTS, description,
+				ISC_RESULT_RESULTSET);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "register_table() failed: %u", result);
+	}
+
+	result = register_table(&identifier_tables, ISC_RESULTCLASS_ISC,
+				ISC_R_NRESULTS, identifier,
+				ISC_RESULT_RESULTSET);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "register_table() failed: %u", result);
+	}
+}
+
+static void
+initialize(void) {
+	RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
+}
+
+static const char *
+isc_result_tomany_helper(resulttable_list_t *tables, isc_result_t result) {
+	resulttable *table;
+	const char *text;
+	int index;
+
+	initialize();
+
+	RWLOCK(&lock, isc_rwlocktype_read);
+
+	text = NULL;
+	for (table = ISC_LIST_HEAD(*tables); table != NULL;
+	     table = ISC_LIST_NEXT(table, link))
+	{
+		if (result >= table->base && result <= table->last) {
+			index = (int)(result - table->base);
+			text = table->text[index];
+			break;
+		}
+	}
+	if (text == NULL) {
+		text = "(result code text not available)";
+	}
+
+	RWUNLOCK(&lock, isc_rwlocktype_read);
+
+	return (text);
+}
+
+const char *
+isc_result_totext(isc_result_t result) {
+	return (isc_result_tomany_helper(&description_tables, result));
+}
+
+const char *
+isc_result_toid(isc_result_t result) {
+	return (isc_result_tomany_helper(&identifier_tables, result));
+}
+
+isc_result_t
+isc_result_register(unsigned int base, unsigned int nresults, const char **text,
+		    int set) {
+	initialize();
+
+	return (register_table(&description_tables, base, nresults, text, set));
+}
+
+isc_result_t
+isc_result_registerids(unsigned int base, unsigned int nresults,
+		       const char **ids, int set) {
+	initialize();
+
+	return (register_table(&identifier_tables, base, nresults, ids, set));
+}
diff --git a/lib/isc/rwlock.c b/lib/isc/rwlock.c
new file mode 100644
index 0000000..c69b6d7
--- /dev/null
+++ b/lib/isc/rwlock.c
@@ -0,0 +1,646 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stddef.h>
+
+#if defined(sun) && (defined(__sparc) || defined(__sparc__))
+#include <synch.h> /* for smt_pause(3c) */
+#endif /* if defined(sun) && (defined(__sparc) || defined(__sparc__)) */
+
+#include <isc/atomic.h>
+#include <isc/magic.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/rwlock.h>
+#include <isc/util.h>
+
+#if USE_PTHREAD_RWLOCK
+
+#include <errno.h>
+#include <pthread.h>
+
+void
+isc_rwlock_init(isc_rwlock_t *rwl, unsigned int read_quota,
+		unsigned int write_quota) {
+	UNUSED(read_quota);
+	UNUSED(write_quota);
+	REQUIRE(pthread_rwlock_init(&rwl->rwlock, NULL) == 0);
+	atomic_init(&rwl->downgrade, false);
+}
+
+isc_result_t
+isc_rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
+	switch (type) {
+	case isc_rwlocktype_read:
+		REQUIRE(pthread_rwlock_rdlock(&rwl->rwlock) == 0);
+		break;
+	case isc_rwlocktype_write:
+		while (true) {
+			REQUIRE(pthread_rwlock_wrlock(&rwl->rwlock) == 0);
+			/* Unlock if in middle of downgrade operation */
+			if (atomic_load_acquire(&rwl->downgrade)) {
+				REQUIRE(pthread_rwlock_unlock(&rwl->rwlock) ==
+					0);
+				while (atomic_load_acquire(&rwl->downgrade)) {
+				}
+				continue;
+			}
+			break;
+		}
+		break;
+	default:
+		UNREACHABLE();
+	}
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_rwlock_trylock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
+	int ret = 0;
+	switch (type) {
+	case isc_rwlocktype_read:
+		ret = pthread_rwlock_tryrdlock(&rwl->rwlock);
+		break;
+	case isc_rwlocktype_write:
+		ret = pthread_rwlock_trywrlock(&rwl->rwlock);
+		if ((ret == 0) && atomic_load_acquire(&rwl->downgrade)) {
+			isc_rwlock_unlock(rwl, type);
+			return (ISC_R_LOCKBUSY);
+		}
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	switch (ret) {
+	case 0:
+		return (ISC_R_SUCCESS);
+	case EBUSY:
+		return (ISC_R_LOCKBUSY);
+	case EAGAIN:
+		return (ISC_R_LOCKBUSY);
+	default:
+		UNREACHABLE();
+	}
+}
+
+isc_result_t
+isc_rwlock_unlock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
+	UNUSED(type);
+	REQUIRE(pthread_rwlock_unlock(&rwl->rwlock) == 0);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_rwlock_tryupgrade(isc_rwlock_t *rwl) {
+	UNUSED(rwl);
+	return (ISC_R_LOCKBUSY);
+}
+
+void
+isc_rwlock_downgrade(isc_rwlock_t *rwl) {
+	isc_result_t result;
+	atomic_store_release(&rwl->downgrade, true);
+	result = isc_rwlock_unlock(rwl, isc_rwlocktype_write);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	result = isc_rwlock_lock(rwl, isc_rwlocktype_read);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	atomic_store_release(&rwl->downgrade, false);
+}
+
+void
+isc_rwlock_destroy(isc_rwlock_t *rwl) {
+	pthread_rwlock_destroy(&rwl->rwlock);
+}
+
+#else /* if USE_PTHREAD_RWLOCK */
+
+#define RWLOCK_MAGIC	  ISC_MAGIC('R', 'W', 'L', 'k')
+#define VALID_RWLOCK(rwl) ISC_MAGIC_VALID(rwl, RWLOCK_MAGIC)
+
+#ifndef RWLOCK_DEFAULT_READ_QUOTA
+#define RWLOCK_DEFAULT_READ_QUOTA 4
+#endif /* ifndef RWLOCK_DEFAULT_READ_QUOTA */
+
+#ifndef RWLOCK_DEFAULT_WRITE_QUOTA
+#define RWLOCK_DEFAULT_WRITE_QUOTA 4
+#endif /* ifndef RWLOCK_DEFAULT_WRITE_QUOTA */
+
+#ifndef RWLOCK_MAX_ADAPTIVE_COUNT
+#define RWLOCK_MAX_ADAPTIVE_COUNT 100
+#endif /* ifndef RWLOCK_MAX_ADAPTIVE_COUNT */
+
+#if defined(_MSC_VER)
+#include <intrin.h>
+#define isc_rwlock_pause() YieldProcessor()
+#elif defined(__x86_64__)
+#include <immintrin.h>
+#define isc_rwlock_pause() _mm_pause()
+#elif defined(__i386__)
+#define isc_rwlock_pause() __asm__ __volatile__("rep; nop")
+#elif defined(__ia64__)
+#define isc_rwlock_pause() __asm__ __volatile__("hint @pause")
+#elif defined(__arm__) && HAVE_ARM_YIELD
+#define isc_rwlock_pause() __asm__ __volatile__("yield")
+#elif defined(sun) && (defined(__sparc) || defined(__sparc__))
+#define isc_rwlock_pause() smt_pause()
+#elif (defined(__sparc) || defined(__sparc__)) && HAVE_SPARC_PAUSE
+#define isc_rwlock_pause() __asm__ __volatile__("pause")
+#elif defined(__ppc__) || defined(_ARCH_PPC) || defined(_ARCH_PWR) || \
+	defined(_ARCH_PWR2) || defined(_POWER)
+#define isc_rwlock_pause() __asm__ volatile("or 27,27,27")
+#else /* if defined(_MSC_VER) */
+#define isc_rwlock_pause()
+#endif /* if defined(_MSC_VER) */
+
+static isc_result_t
+isc__rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type);
+
+#ifdef ISC_RWLOCK_TRACE
+#include <stdio.h> /* Required for fprintf/stderr. */
+
+#include <isc/thread.h> /* Required for isc_thread_self(). */
+
+static void
+print_lock(const char *operation, isc_rwlock_t *rwl, isc_rwlocktype_t type) {
+	fprintf(stderr,
+		"rwlock %p thread %" PRIuPTR " %s(%s): "
+		"write_requests=%u, write_completions=%u, "
+		"cnt_and_flag=0x%x, readers_waiting=%u, "
+		"write_granted=%u, write_quota=%u\n",
+		rwl, isc_thread_self(), operation,
+		(type == isc_rwlocktype_read ? "read" : "write"),
+		atomic_load_acquire(&rwl->write_requests),
+		atomic_load_acquire(&rwl->write_completions),
+		atomic_load_acquire(&rwl->cnt_and_flag), rwl->readers_waiting,
+		atomic_load_acquire(&rwl->write_granted), rwl->write_quota);
+}
+#endif			/* ISC_RWLOCK_TRACE */
+
+void
+isc_rwlock_init(isc_rwlock_t *rwl, unsigned int read_quota,
+		unsigned int write_quota) {
+	REQUIRE(rwl != NULL);
+
+	/*
+	 * In case there's trouble initializing, we zero magic now.  If all
+	 * goes well, we'll set it to RWLOCK_MAGIC.
+	 */
+	rwl->magic = 0;
+
+	atomic_init(&rwl->spins, 0);
+	atomic_init(&rwl->write_requests, 0);
+	atomic_init(&rwl->write_completions, 0);
+	atomic_init(&rwl->cnt_and_flag, 0);
+	rwl->readers_waiting = 0;
+	atomic_init(&rwl->write_granted, 0);
+	if (read_quota != 0) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "read quota is not supported");
+	}
+	if (write_quota == 0) {
+		write_quota = RWLOCK_DEFAULT_WRITE_QUOTA;
+	}
+	rwl->write_quota = write_quota;
+
+	isc_mutex_init(&rwl->lock);
+
+	isc_condition_init(&rwl->readable);
+	isc_condition_init(&rwl->writeable);
+
+	rwl->magic = RWLOCK_MAGIC;
+}
+
+void
+isc_rwlock_destroy(isc_rwlock_t *rwl) {
+	REQUIRE(VALID_RWLOCK(rwl));
+
+	REQUIRE(atomic_load_acquire(&rwl->write_requests) ==
+			atomic_load_acquire(&rwl->write_completions) &&
+		atomic_load_acquire(&rwl->cnt_and_flag) == 0 &&
+		rwl->readers_waiting == 0);
+
+	rwl->magic = 0;
+	(void)isc_condition_destroy(&rwl->readable);
+	(void)isc_condition_destroy(&rwl->writeable);
+	isc_mutex_destroy(&rwl->lock);
+}
+
+/*
+ * When some architecture-dependent atomic operations are available,
+ * rwlock can be more efficient than the generic algorithm defined below.
+ * The basic algorithm is described in the following URL:
+ *   http://www.cs.rochester.edu/u/scott/synchronization/pseudocode/rw.html
+ *
+ * The key is to use the following integer variables modified atomically:
+ *   write_requests, write_completions, and cnt_and_flag.
+ *
+ * write_requests and write_completions act as a waiting queue for writers
+ * in order to ensure the FIFO order.  Both variables begin with the initial
+ * value of 0.  When a new writer tries to get a write lock, it increments
+ * write_requests and gets the previous value of the variable as a "ticket".
+ * When write_completions reaches the ticket number, the new writer can start
+ * writing.  When the writer completes its work, it increments
+ * write_completions so that another new writer can start working.  If the
+ * write_requests is not equal to write_completions, it means a writer is now
+ * working or waiting.  In this case, a new readers cannot start reading, or
+ * in other words, this algorithm basically prefers writers.
+ *
+ * cnt_and_flag is a "lock" shared by all readers and writers.  This integer
+ * variable is a kind of structure with two members: writer_flag (1 bit) and
+ * reader_count (31 bits).  The writer_flag shows whether a writer is working,
+ * and the reader_count shows the number of readers currently working or almost
+ * ready for working.  A writer who has the current "ticket" tries to get the
+ * lock by exclusively setting the writer_flag to 1, provided that the whole
+ * 32-bit is 0 (meaning no readers or writers working).  On the other hand,
+ * a new reader tries to increment the "reader_count" field provided that
+ * the writer_flag is 0 (meaning there is no writer working).
+ *
+ * If some of the above operations fail, the reader or the writer sleeps
+ * until the related condition changes.  When a working reader or writer
+ * completes its work, some readers or writers are sleeping, and the condition
+ * that suspended the reader or writer has changed, it wakes up the sleeping
+ * readers or writers.
+ *
+ * As already noted, this algorithm basically prefers writers.  In order to
+ * prevent readers from starving, however, the algorithm also introduces the
+ * "writer quota" (Q).  When Q consecutive writers have completed their work,
+ * suspending readers, the last writer will wake up the readers, even if a new
+ * writer is waiting.
+ *
+ * Implementation specific note: due to the combination of atomic operations
+ * and a mutex lock, ordering between the atomic operation and locks can be
+ * very sensitive in some cases.  In particular, it is generally very important
+ * to check the atomic variable that requires a reader or writer to sleep after
+ * locking the mutex and before actually sleeping; otherwise, it could be very
+ * likely to cause a deadlock.  For example, assume "var" is a variable
+ * atomically modified, then the corresponding code would be:
+ *	if (var == need_sleep) {
+ *		LOCK(lock);
+ *		if (var == need_sleep)
+ *			WAIT(cond, lock);
+ *		UNLOCK(lock);
+ *	}
+ * The second check is important, since "var" is protected by the atomic
+ * operation, not by the mutex, and can be changed just before sleeping.
+ * (The first "if" could be omitted, but this is also important in order to
+ * make the code efficient by avoiding the use of the mutex unless it is
+ * really necessary.)
+ */
+
+#define WRITER_ACTIVE 0x1
+#define READER_INCR   0x2
+
+static isc_result_t
+isc__rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
+	int32_t cntflag;
+
+	REQUIRE(VALID_RWLOCK(rwl));
+
+#ifdef ISC_RWLOCK_TRACE
+	print_lock("prelock", rwl, type);
+#endif /* ifdef ISC_RWLOCK_TRACE */
+
+	if (type == isc_rwlocktype_read) {
+		if (atomic_load_acquire(&rwl->write_requests) !=
+		    atomic_load_acquire(&rwl->write_completions))
+		{
+			/* there is a waiting or active writer */
+			LOCK(&rwl->lock);
+			if (atomic_load_acquire(&rwl->write_requests) !=
+			    atomic_load_acquire(&rwl->write_completions))
+			{
+				rwl->readers_waiting++;
+				WAIT(&rwl->readable, &rwl->lock);
+				rwl->readers_waiting--;
+			}
+			UNLOCK(&rwl->lock);
+		}
+
+		cntflag = atomic_fetch_add_release(&rwl->cnt_and_flag,
+						   READER_INCR);
+		POST(cntflag);
+		while (1) {
+			if ((atomic_load_acquire(&rwl->cnt_and_flag) &
+			     WRITER_ACTIVE) == 0)
+			{
+				break;
+			}
+
+			/* A writer is still working */
+			LOCK(&rwl->lock);
+			rwl->readers_waiting++;
+			if ((atomic_load_acquire(&rwl->cnt_and_flag) &
+			     WRITER_ACTIVE) != 0)
+			{
+				WAIT(&rwl->readable, &rwl->lock);
+			}
+			rwl->readers_waiting--;
+			UNLOCK(&rwl->lock);
+
+			/*
+			 * Typically, the reader should be able to get a lock
+			 * at this stage:
+			 *   (1) there should have been no pending writer when
+			 *       the reader was trying to increment the
+			 *       counter; otherwise, the writer should be in
+			 *       the waiting queue, preventing the reader from
+			 *       proceeding to this point.
+			 *   (2) once the reader increments the counter, no
+			 *       more writer can get a lock.
+			 * Still, it is possible another writer can work at
+			 * this point, e.g. in the following scenario:
+			 *   A previous writer unlocks the writer lock.
+			 *   This reader proceeds to point (1).
+			 *   A new writer appears, and gets a new lock before
+			 *   the reader increments the counter.
+			 *   The reader then increments the counter.
+			 *   The previous writer notices there is a waiting
+			 *   reader who is almost ready, and wakes it up.
+			 * So, the reader needs to confirm whether it can now
+			 * read explicitly (thus we loop).  Note that this is
+			 * not an infinite process, since the reader has
+			 * incremented the counter at this point.
+			 */
+		}
+
+		/*
+		 * If we are temporarily preferred to writers due to the writer
+		 * quota, reset the condition (race among readers doesn't
+		 * matter).
+		 */
+		atomic_store_release(&rwl->write_granted, 0);
+	} else {
+		int32_t prev_writer;
+
+		/* enter the waiting queue, and wait for our turn */
+		prev_writer = atomic_fetch_add_release(&rwl->write_requests, 1);
+		while (atomic_load_acquire(&rwl->write_completions) !=
+		       prev_writer)
+		{
+			LOCK(&rwl->lock);
+			if (atomic_load_acquire(&rwl->write_completions) !=
+			    prev_writer)
+			{
+				WAIT(&rwl->writeable, &rwl->lock);
+				UNLOCK(&rwl->lock);
+				continue;
+			}
+			UNLOCK(&rwl->lock);
+			break;
+		}
+
+		while (!atomic_compare_exchange_weak_acq_rel(
+			&rwl->cnt_and_flag, &(int_fast32_t){ 0 },
+			WRITER_ACTIVE))
+		{
+			/* Another active reader or writer is working. */
+			LOCK(&rwl->lock);
+			if (atomic_load_acquire(&rwl->cnt_and_flag) != 0) {
+				WAIT(&rwl->writeable, &rwl->lock);
+			}
+			UNLOCK(&rwl->lock);
+		}
+
+		INSIST((atomic_load_acquire(&rwl->cnt_and_flag) &
+			WRITER_ACTIVE));
+		atomic_fetch_add_release(&rwl->write_granted, 1);
+	}
+
+#ifdef ISC_RWLOCK_TRACE
+	print_lock("postlock", rwl, type);
+#endif /* ifdef ISC_RWLOCK_TRACE */
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
+	int32_t cnt = 0;
+	int32_t spins = atomic_load_acquire(&rwl->spins) * 2 + 10;
+	int32_t max_cnt = ISC_MAX(spins, RWLOCK_MAX_ADAPTIVE_COUNT);
+	isc_result_t result = ISC_R_SUCCESS;
+
+	do {
+		if (cnt++ >= max_cnt) {
+			result = isc__rwlock_lock(rwl, type);
+			break;
+		}
+		isc_rwlock_pause();
+	} while (isc_rwlock_trylock(rwl, type) != ISC_R_SUCCESS);
+
+	atomic_fetch_add_release(&rwl->spins, (cnt - spins) / 8);
+
+	return (result);
+}
+
+isc_result_t
+isc_rwlock_trylock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
+	int32_t cntflag;
+
+	REQUIRE(VALID_RWLOCK(rwl));
+
+#ifdef ISC_RWLOCK_TRACE
+	print_lock("prelock", rwl, type);
+#endif /* ifdef ISC_RWLOCK_TRACE */
+
+	if (type == isc_rwlocktype_read) {
+		/* If a writer is waiting or working, we fail. */
+		if (atomic_load_acquire(&rwl->write_requests) !=
+		    atomic_load_acquire(&rwl->write_completions))
+		{
+			return (ISC_R_LOCKBUSY);
+		}
+
+		/* Otherwise, be ready for reading. */
+		cntflag = atomic_fetch_add_release(&rwl->cnt_and_flag,
+						   READER_INCR);
+		if ((cntflag & WRITER_ACTIVE) != 0) {
+			/*
+			 * A writer is working.  We lose, and cancel the read
+			 * request.
+			 */
+			cntflag = atomic_fetch_sub_release(&rwl->cnt_and_flag,
+							   READER_INCR);
+			/*
+			 * If no other readers are waiting and we've suspended
+			 * new writers in this short period, wake them up.
+			 */
+			if (cntflag == READER_INCR &&
+			    atomic_load_acquire(&rwl->write_completions) !=
+				    atomic_load_acquire(&rwl->write_requests))
+			{
+				LOCK(&rwl->lock);
+				BROADCAST(&rwl->writeable);
+				UNLOCK(&rwl->lock);
+			}
+
+			return (ISC_R_LOCKBUSY);
+		}
+	} else {
+		/* Try locking without entering the waiting queue. */
+		int_fast32_t zero = 0;
+		if (!atomic_compare_exchange_strong_acq_rel(
+			    &rwl->cnt_and_flag, &zero, WRITER_ACTIVE))
+		{
+			return (ISC_R_LOCKBUSY);
+		}
+
+		/*
+		 * XXXJT: jump into the queue, possibly breaking the writer
+		 * order.
+		 */
+		atomic_fetch_sub_release(&rwl->write_completions, 1);
+		atomic_fetch_add_release(&rwl->write_granted, 1);
+	}
+
+#ifdef ISC_RWLOCK_TRACE
+	print_lock("postlock", rwl, type);
+#endif /* ifdef ISC_RWLOCK_TRACE */
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_rwlock_tryupgrade(isc_rwlock_t *rwl) {
+	REQUIRE(VALID_RWLOCK(rwl));
+
+	int_fast32_t reader_incr = READER_INCR;
+
+	/* Try to acquire write access. */
+	atomic_compare_exchange_strong_acq_rel(&rwl->cnt_and_flag, &reader_incr,
+					       WRITER_ACTIVE);
+	/*
+	 * There must have been no writer, and there must have
+	 * been at least one reader.
+	 */
+	INSIST((reader_incr & WRITER_ACTIVE) == 0 &&
+	       (reader_incr & ~WRITER_ACTIVE) != 0);
+
+	if (reader_incr == READER_INCR) {
+		/*
+		 * We are the only reader and have been upgraded.
+		 * Now jump into the head of the writer waiting queue.
+		 */
+		atomic_fetch_sub_release(&rwl->write_completions, 1);
+	} else {
+		return (ISC_R_LOCKBUSY);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_rwlock_downgrade(isc_rwlock_t *rwl) {
+	int32_t prev_readers;
+
+	REQUIRE(VALID_RWLOCK(rwl));
+
+	/* Become an active reader. */
+	prev_readers = atomic_fetch_add_release(&rwl->cnt_and_flag,
+						READER_INCR);
+	/* We must have been a writer. */
+	INSIST((prev_readers & WRITER_ACTIVE) != 0);
+
+	/* Complete write */
+	atomic_fetch_sub_release(&rwl->cnt_and_flag, WRITER_ACTIVE);
+	atomic_fetch_add_release(&rwl->write_completions, 1);
+
+	/* Resume other readers */
+	LOCK(&rwl->lock);
+	if (rwl->readers_waiting > 0) {
+		BROADCAST(&rwl->readable);
+	}
+	UNLOCK(&rwl->lock);
+}
+
+isc_result_t
+isc_rwlock_unlock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
+	int32_t prev_cnt;
+
+	REQUIRE(VALID_RWLOCK(rwl));
+
+#ifdef ISC_RWLOCK_TRACE
+	print_lock("preunlock", rwl, type);
+#endif /* ifdef ISC_RWLOCK_TRACE */
+
+	if (type == isc_rwlocktype_read) {
+		prev_cnt = atomic_fetch_sub_release(&rwl->cnt_and_flag,
+						    READER_INCR);
+		/*
+		 * If we're the last reader and any writers are waiting, wake
+		 * them up.  We need to wake up all of them to ensure the
+		 * FIFO order.
+		 */
+		if (prev_cnt == READER_INCR &&
+		    atomic_load_acquire(&rwl->write_completions) !=
+			    atomic_load_acquire(&rwl->write_requests))
+		{
+			LOCK(&rwl->lock);
+			BROADCAST(&rwl->writeable);
+			UNLOCK(&rwl->lock);
+		}
+	} else {
+		bool wakeup_writers = true;
+
+		/*
+		 * Reset the flag, and (implicitly) tell other writers
+		 * we are done.
+		 */
+		atomic_fetch_sub_release(&rwl->cnt_and_flag, WRITER_ACTIVE);
+		atomic_fetch_add_release(&rwl->write_completions, 1);
+
+		if ((atomic_load_acquire(&rwl->write_granted) >=
+		     rwl->write_quota) ||
+		    (atomic_load_acquire(&rwl->write_requests) ==
+		     atomic_load_acquire(&rwl->write_completions)) ||
+		    (atomic_load_acquire(&rwl->cnt_and_flag) & ~WRITER_ACTIVE))
+		{
+			/*
+			 * We have passed the write quota, no writer is
+			 * waiting, or some readers are almost ready, pending
+			 * possible writers.  Note that the last case can
+			 * happen even if write_requests != write_completions
+			 * (which means a new writer in the queue), so we need
+			 * to catch the case explicitly.
+			 */
+			LOCK(&rwl->lock);
+			if (rwl->readers_waiting > 0) {
+				wakeup_writers = false;
+				BROADCAST(&rwl->readable);
+			}
+			UNLOCK(&rwl->lock);
+		}
+
+		if ((atomic_load_acquire(&rwl->write_requests) !=
+		     atomic_load_acquire(&rwl->write_completions)) &&
+		    wakeup_writers)
+		{
+			LOCK(&rwl->lock);
+			BROADCAST(&rwl->writeable);
+			UNLOCK(&rwl->lock);
+		}
+	}
+
+#ifdef ISC_RWLOCK_TRACE
+	print_lock("postunlock", rwl, type);
+#endif /* ifdef ISC_RWLOCK_TRACE */
+
+	return (ISC_R_SUCCESS);
+}
+
+#endif /* USE_PTHREAD_RWLOCK */
diff --git a/lib/isc/safe.c b/lib/isc/safe.c
new file mode 100644
index 0000000..988034d
--- /dev/null
+++ b/lib/isc/safe.c
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <openssl/crypto.h>
+
+#include <isc/safe.h>
+
+int
+isc_safe_memequal(const void *s1, const void *s2, size_t len) {
+	return (!CRYPTO_memcmp(s1, s2, len));
+}
+
+void
+isc_safe_memwipe(void *ptr, size_t len) {
+	OPENSSL_cleanse(ptr, len);
+}
diff --git a/lib/isc/serial.c b/lib/isc/serial.c
new file mode 100644
index 0000000..5ede64b
--- /dev/null
+++ b/lib/isc/serial.c
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/serial.h>
+
+bool
+isc_serial_lt(uint32_t a, uint32_t b) {
+	/*
+	 * Undefined => false
+	 */
+	if (a == (b ^ 0x80000000U)) {
+		return (false);
+	}
+	return (((int32_t)(a - b) < 0) ? true : false);
+}
+
+bool
+isc_serial_gt(uint32_t a, uint32_t b) {
+	return (((int32_t)(a - b) > 0) ? true : false);
+}
+
+bool
+isc_serial_le(uint32_t a, uint32_t b) {
+	return ((a == b) ? true : isc_serial_lt(a, b));
+}
+
+bool
+isc_serial_ge(uint32_t a, uint32_t b) {
+	return ((a == b) ? true : isc_serial_gt(a, b));
+}
+
+bool
+isc_serial_eq(uint32_t a, uint32_t b) {
+	return ((a == b) ? true : false);
+}
+
+bool
+isc_serial_ne(uint32_t a, uint32_t b) {
+	return ((a != b) ? true : false);
+}
diff --git a/lib/isc/siphash.c b/lib/isc/siphash.c
new file mode 100644
index 0000000..a6e60cf
--- /dev/null
+++ b/lib/isc/siphash.c
@@ -0,0 +1,235 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <inttypes.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <isc/endian.h>
+#include <isc/siphash.h>
+#include <isc/util.h>
+
+/*
+ * The implementation is based on SipHash reference C implementation by
+ *
+ * Copyright (c) 2012-2016 Jean-Philippe Aumasson
+ * <jeanphilippe.aumasson@gmail.com> Copyright (c) 2012-2014 Daniel J. Bernstein
+ * <djb@cr.yp.to>
+ *
+ * To the extent possible under law, the author(s) have dedicated all copyright
+ * and related and neighboring rights to this software to the public domain
+ * worldwide. This software is distributed without any warranty.  You should
+ * have received a copy of the CC0 Public Domain Dedication along with this
+ * software. If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
+ */
+
+#define cROUNDS 2
+#define dROUNDS 4
+
+#define ROTATE64(x, b) (uint64_t)(((x) << (b)) | ((x) >> (64 - (b))))
+
+#define HALF_ROUND64(a, b, c, d, s, t) \
+	a += b;                        \
+	c += d;                        \
+	b = ROTATE64(b, s) ^ a;        \
+	d = ROTATE64(d, t) ^ c;        \
+	a = ROTATE64(a, 32);
+
+#define FULL_ROUND64(v0, v1, v2, v3)          \
+	HALF_ROUND64(v0, v1, v2, v3, 13, 16); \
+	HALF_ROUND64(v2, v1, v0, v3, 17, 21);
+
+#define SIPROUND FULL_ROUND64
+
+#define ROTATE32(x, b) (uint32_t)(((x) << (b)) | ((x) >> (32 - (b))))
+
+#define HALF_ROUND32(a, b, c, d, s, t) \
+	a += b;                        \
+	c += d;                        \
+	b = ROTATE32(b, s) ^ a;        \
+	d = ROTATE32(d, t) ^ c;        \
+	a = ROTATE32(a, 16);
+
+#define FULL_ROUND32(v0, v1, v2, v3)        \
+	HALF_ROUND32(v0, v1, v2, v3, 5, 8); \
+	HALF_ROUND32(v2, v1, v0, v3, 13, 7);
+
+#define HALFSIPROUND FULL_ROUND32
+
+#define U32TO8_LE(p, v)                \
+	(p)[0] = (uint8_t)((v));       \
+	(p)[1] = (uint8_t)((v) >> 8);  \
+	(p)[2] = (uint8_t)((v) >> 16); \
+	(p)[3] = (uint8_t)((v) >> 24);
+
+#define U8TO32_LE(p)                                        \
+	(((uint32_t)((p)[0])) | ((uint32_t)((p)[1]) << 8) | \
+	 ((uint32_t)((p)[2]) << 16) | ((uint32_t)((p)[3]) << 24))
+
+#define U64TO8_LE(p, v)                  \
+	U32TO8_LE((p), (uint32_t)((v))); \
+	U32TO8_LE((p) + 4, (uint32_t)((v) >> 32));
+
+#define U8TO64_LE(p)                                               \
+	(((uint64_t)((p)[0])) | ((uint64_t)((p)[1]) << 8) |        \
+	 ((uint64_t)((p)[2]) << 16) | ((uint64_t)((p)[3]) << 24) | \
+	 ((uint64_t)((p)[4]) << 32) | ((uint64_t)((p)[5]) << 40) | \
+	 ((uint64_t)((p)[6]) << 48) | ((uint64_t)((p)[7]) << 56))
+
+void
+isc_siphash24(const uint8_t *k, const uint8_t *in, const size_t inlen,
+	      uint8_t *out) {
+	REQUIRE(k != NULL);
+	REQUIRE(out != NULL);
+	REQUIRE(inlen == 0 || in != NULL);
+
+	uint64_t k0 = U8TO64_LE(k);
+	uint64_t k1 = U8TO64_LE(k + 8);
+
+	uint64_t v0 = UINT64_C(0x736f6d6570736575) ^ k0;
+	uint64_t v1 = UINT64_C(0x646f72616e646f6d) ^ k1;
+	uint64_t v2 = UINT64_C(0x6c7967656e657261) ^ k0;
+	uint64_t v3 = UINT64_C(0x7465646279746573) ^ k1;
+
+	uint64_t b = ((uint64_t)inlen) << 56;
+
+	const uint8_t *end = (in == NULL)
+				     ? NULL
+				     : in + inlen - (inlen % sizeof(uint64_t));
+	const size_t left = inlen & 7;
+
+	for (; in != end; in += 8) {
+		uint64_t m = U8TO64_LE(in);
+
+		v3 ^= m;
+
+		for (size_t i = 0; i < cROUNDS; ++i) {
+			SIPROUND(v0, v1, v2, v3);
+		}
+
+		v0 ^= m;
+	}
+
+	switch (left) {
+	case 7:
+		b |= ((uint64_t)in[6]) << 48;
+		FALLTHROUGH;
+	case 6:
+		b |= ((uint64_t)in[5]) << 40;
+		FALLTHROUGH;
+	case 5:
+		b |= ((uint64_t)in[4]) << 32;
+		FALLTHROUGH;
+	case 4:
+		b |= ((uint64_t)in[3]) << 24;
+		FALLTHROUGH;
+	case 3:
+		b |= ((uint64_t)in[2]) << 16;
+		FALLTHROUGH;
+	case 2:
+		b |= ((uint64_t)in[1]) << 8;
+		FALLTHROUGH;
+	case 1:
+		b |= ((uint64_t)in[0]);
+		FALLTHROUGH;
+	case 0:
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	v3 ^= b;
+
+	for (size_t i = 0; i < cROUNDS; ++i) {
+		SIPROUND(v0, v1, v2, v3);
+	}
+
+	v0 ^= b;
+
+	v2 ^= 0xff;
+
+	for (size_t i = 0; i < dROUNDS; ++i) {
+		SIPROUND(v0, v1, v2, v3);
+	}
+
+	b = v0 ^ v1 ^ v2 ^ v3;
+
+	U64TO8_LE(out, b);
+}
+
+void
+isc_halfsiphash24(const uint8_t *k, const uint8_t *in, const size_t inlen,
+		  uint8_t *out) {
+	REQUIRE(k != NULL);
+	REQUIRE(out != NULL);
+	REQUIRE(inlen == 0 || in != NULL);
+
+	uint32_t k0 = U8TO32_LE(k);
+	uint32_t k1 = U8TO32_LE(k + 4);
+
+	uint32_t v0 = UINT32_C(0x00000000) ^ k0;
+	uint32_t v1 = UINT32_C(0x00000000) ^ k1;
+	uint32_t v2 = UINT32_C(0x6c796765) ^ k0;
+	uint32_t v3 = UINT32_C(0x74656462) ^ k1;
+
+	uint32_t b = ((uint32_t)inlen) << 24;
+
+	const uint8_t *end = (in == NULL)
+				     ? NULL
+				     : in + inlen - (inlen % sizeof(uint32_t));
+	const int left = inlen & 3;
+
+	for (; in != end; in += 4) {
+		uint32_t m = U8TO32_LE(in);
+		v3 ^= m;
+
+		for (size_t i = 0; i < cROUNDS; ++i) {
+			HALFSIPROUND(v0, v1, v2, v3);
+		}
+
+		v0 ^= m;
+	}
+
+	switch (left) {
+	case 3:
+		b |= ((uint32_t)in[2]) << 16;
+		FALLTHROUGH;
+	case 2:
+		b |= ((uint32_t)in[1]) << 8;
+		FALLTHROUGH;
+	case 1:
+		b |= ((uint32_t)in[0]);
+		FALLTHROUGH;
+	case 0:
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	v3 ^= b;
+
+	for (size_t i = 0; i < cROUNDS; ++i) {
+		HALFSIPROUND(v0, v1, v2, v3);
+	}
+
+	v0 ^= b;
+
+	v2 ^= 0xff;
+
+	for (size_t i = 0; i < dROUNDS; ++i) {
+		HALFSIPROUND(v0, v1, v2, v3);
+	}
+
+	b = v1 ^ v3;
+	U32TO8_LE(out, b);
+}
diff --git a/lib/isc/sockaddr.c b/lib/isc/sockaddr.c
new file mode 100644
index 0000000..16afbd5
--- /dev/null
+++ b/lib/isc/sockaddr.c
@@ -0,0 +1,513 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <stdbool.h>
+#include <stdio.h>
+#if defined(WIN32) || defined(WIN64)
+#include <malloc.h>
+#endif /* if defined(WIN32) || defined(WIN64) */
+
+#include <isc/buffer.h>
+#include <isc/hash.h>
+#include <isc/netaddr.h>
+#include <isc/print.h>
+#include <isc/region.h>
+#include <isc/sockaddr.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+bool
+isc_sockaddr_equal(const isc_sockaddr_t *a, const isc_sockaddr_t *b) {
+	return (isc_sockaddr_compare(a, b,
+				     ISC_SOCKADDR_CMPADDR |
+					     ISC_SOCKADDR_CMPPORT |
+					     ISC_SOCKADDR_CMPSCOPE));
+}
+
+bool
+isc_sockaddr_eqaddr(const isc_sockaddr_t *a, const isc_sockaddr_t *b) {
+	return (isc_sockaddr_compare(
+		a, b, ISC_SOCKADDR_CMPADDR | ISC_SOCKADDR_CMPSCOPE));
+}
+
+bool
+isc_sockaddr_compare(const isc_sockaddr_t *a, const isc_sockaddr_t *b,
+		     unsigned int flags) {
+	REQUIRE(a != NULL && b != NULL);
+
+	if (a->length != b->length) {
+		return (false);
+	}
+
+	/*
+	 * We don't just memcmp because the sin_zero field isn't always
+	 * zero.
+	 */
+
+	if (a->type.sa.sa_family != b->type.sa.sa_family) {
+		return (false);
+	}
+	switch (a->type.sa.sa_family) {
+	case AF_INET:
+		if ((flags & ISC_SOCKADDR_CMPADDR) != 0 &&
+		    memcmp(&a->type.sin.sin_addr, &b->type.sin.sin_addr,
+			   sizeof(a->type.sin.sin_addr)) != 0)
+		{
+			return (false);
+		}
+		if ((flags & ISC_SOCKADDR_CMPPORT) != 0 &&
+		    a->type.sin.sin_port != b->type.sin.sin_port)
+		{
+			return (false);
+		}
+		break;
+	case AF_INET6:
+		if ((flags & ISC_SOCKADDR_CMPADDR) != 0 &&
+		    memcmp(&a->type.sin6.sin6_addr, &b->type.sin6.sin6_addr,
+			   sizeof(a->type.sin6.sin6_addr)) != 0)
+		{
+			return (false);
+		}
+		/*
+		 * If ISC_SOCKADDR_CMPSCOPEZERO is set then don't return
+		 * false if one of the scopes in zero.
+		 */
+		if ((flags & ISC_SOCKADDR_CMPSCOPE) != 0 &&
+		    a->type.sin6.sin6_scope_id != b->type.sin6.sin6_scope_id &&
+		    ((flags & ISC_SOCKADDR_CMPSCOPEZERO) == 0 ||
+		     (a->type.sin6.sin6_scope_id != 0 &&
+		      b->type.sin6.sin6_scope_id != 0)))
+		{
+			return (false);
+		}
+		if ((flags & ISC_SOCKADDR_CMPPORT) != 0 &&
+		    a->type.sin6.sin6_port != b->type.sin6.sin6_port)
+		{
+			return (false);
+		}
+		break;
+	default:
+		if (memcmp(&a->type, &b->type, a->length) != 0) {
+			return (false);
+		}
+	}
+	return (true);
+}
+
+bool
+isc_sockaddr_eqaddrprefix(const isc_sockaddr_t *a, const isc_sockaddr_t *b,
+			  unsigned int prefixlen) {
+	isc_netaddr_t na, nb;
+	isc_netaddr_fromsockaddr(&na, a);
+	isc_netaddr_fromsockaddr(&nb, b);
+	return (isc_netaddr_eqprefix(&na, &nb, prefixlen));
+}
+
+isc_result_t
+isc_sockaddr_totext(const isc_sockaddr_t *sockaddr, isc_buffer_t *target) {
+	isc_result_t result;
+	isc_netaddr_t netaddr;
+	char pbuf[sizeof("65000")];
+	unsigned int plen;
+	isc_region_t avail;
+
+	REQUIRE(sockaddr != NULL);
+
+	/*
+	 * Do the port first, giving us the opportunity to check for
+	 * unsupported address families before calling
+	 * isc_netaddr_fromsockaddr().
+	 */
+	switch (sockaddr->type.sa.sa_family) {
+	case AF_INET:
+		snprintf(pbuf, sizeof(pbuf), "%u",
+			 ntohs(sockaddr->type.sin.sin_port));
+		break;
+	case AF_INET6:
+		snprintf(pbuf, sizeof(pbuf), "%u",
+			 ntohs(sockaddr->type.sin6.sin6_port));
+		break;
+#ifdef ISC_PLATFORM_HAVESYSUNH
+	case AF_UNIX:
+		plen = strlen(sockaddr->type.sunix.sun_path);
+		if (plen >= isc_buffer_availablelength(target)) {
+			return (ISC_R_NOSPACE);
+		}
+
+		isc_buffer_putmem(
+			target,
+			(const unsigned char *)sockaddr->type.sunix.sun_path,
+			plen);
+
+		/*
+		 * Null terminate after used region.
+		 */
+		isc_buffer_availableregion(target, &avail);
+		INSIST(avail.length >= 1);
+		avail.base[0] = '\0';
+
+		return (ISC_R_SUCCESS);
+#endif /* ifdef ISC_PLATFORM_HAVESYSUNH */
+	default:
+		return (ISC_R_FAILURE);
+	}
+
+	plen = strlen(pbuf);
+	INSIST(plen < sizeof(pbuf));
+
+	isc_netaddr_fromsockaddr(&netaddr, sockaddr);
+	result = isc_netaddr_totext(&netaddr, target);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	if (1 + plen + 1 > isc_buffer_availablelength(target)) {
+		return (ISC_R_NOSPACE);
+	}
+
+	isc_buffer_putmem(target, (const unsigned char *)"#", 1);
+	isc_buffer_putmem(target, (const unsigned char *)pbuf, plen);
+
+	/*
+	 * Null terminate after used region.
+	 */
+	isc_buffer_availableregion(target, &avail);
+	INSIST(avail.length >= 1);
+	avail.base[0] = '\0';
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_sockaddr_format(const isc_sockaddr_t *sa, char *array, unsigned int size) {
+	isc_result_t result;
+	isc_buffer_t buf;
+
+	if (size == 0U) {
+		return;
+	}
+
+	isc_buffer_init(&buf, array, size);
+	result = isc_sockaddr_totext(sa, &buf);
+	if (result != ISC_R_SUCCESS) {
+		/*
+		 * The message is the same as in netaddr.c.
+		 */
+		snprintf(array, size, "<unknown address, family %u>",
+			 sa->type.sa.sa_family);
+		array[size - 1] = '\0';
+	}
+}
+
+unsigned int
+isc_sockaddr_hash(const isc_sockaddr_t *sockaddr, bool address_only) {
+	unsigned int length = 0;
+	const unsigned char *s = NULL;
+	unsigned int h = 0;
+	unsigned int p = 0;
+	const struct in6_addr *in6;
+
+	REQUIRE(sockaddr != NULL);
+
+	switch (sockaddr->type.sa.sa_family) {
+	case AF_INET:
+		s = (const unsigned char *)&sockaddr->type.sin.sin_addr;
+		p = ntohs(sockaddr->type.sin.sin_port);
+		length = sizeof(sockaddr->type.sin.sin_addr.s_addr);
+		break;
+	case AF_INET6:
+		in6 = &sockaddr->type.sin6.sin6_addr;
+		s = (const unsigned char *)in6;
+		if (IN6_IS_ADDR_V4MAPPED(in6)) {
+			s += 12;
+			length = sizeof(sockaddr->type.sin.sin_addr.s_addr);
+		} else {
+			length = sizeof(sockaddr->type.sin6.sin6_addr);
+		}
+		p = ntohs(sockaddr->type.sin6.sin6_port);
+		break;
+	default:
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "unknown address family: %d",
+				 (int)sockaddr->type.sa.sa_family);
+		s = (const unsigned char *)&sockaddr->type;
+		length = sockaddr->length;
+		p = 0;
+	}
+
+	uint8_t buf[sizeof(struct sockaddr_storage) + sizeof(p)];
+	memmove(buf, s, length);
+	if (!address_only) {
+		memmove(buf + length, &p, sizeof(p));
+		h = isc_hash_function(buf, length + sizeof(p), true);
+	} else {
+		h = isc_hash_function(buf, length, true);
+	}
+
+	return (h);
+}
+
+void
+isc_sockaddr_any(isc_sockaddr_t *sockaddr) {
+	memset(sockaddr, 0, sizeof(*sockaddr));
+	sockaddr->type.sin.sin_family = AF_INET;
+	sockaddr->type.sin.sin_addr.s_addr = INADDR_ANY;
+	sockaddr->type.sin.sin_port = 0;
+	sockaddr->length = sizeof(sockaddr->type.sin);
+	ISC_LINK_INIT(sockaddr, link);
+}
+
+void
+isc_sockaddr_any6(isc_sockaddr_t *sockaddr) {
+	memset(sockaddr, 0, sizeof(*sockaddr));
+	sockaddr->type.sin6.sin6_family = AF_INET6;
+	sockaddr->type.sin6.sin6_addr = in6addr_any;
+	sockaddr->type.sin6.sin6_port = 0;
+	sockaddr->length = sizeof(sockaddr->type.sin6);
+	ISC_LINK_INIT(sockaddr, link);
+}
+
+void
+isc_sockaddr_fromin(isc_sockaddr_t *sockaddr, const struct in_addr *ina,
+		    in_port_t port) {
+	memset(sockaddr, 0, sizeof(*sockaddr));
+	sockaddr->type.sin.sin_family = AF_INET;
+	sockaddr->type.sin.sin_addr = *ina;
+	sockaddr->type.sin.sin_port = htons(port);
+	sockaddr->length = sizeof(sockaddr->type.sin);
+	ISC_LINK_INIT(sockaddr, link);
+}
+
+void
+isc_sockaddr_anyofpf(isc_sockaddr_t *sockaddr, int pf) {
+	switch (pf) {
+	case AF_INET:
+		isc_sockaddr_any(sockaddr);
+		break;
+	case AF_INET6:
+		isc_sockaddr_any6(sockaddr);
+		break;
+	default:
+		UNREACHABLE();
+	}
+}
+
+void
+isc_sockaddr_fromin6(isc_sockaddr_t *sockaddr, const struct in6_addr *ina6,
+		     in_port_t port) {
+	memset(sockaddr, 0, sizeof(*sockaddr));
+	sockaddr->type.sin6.sin6_family = AF_INET6;
+	sockaddr->type.sin6.sin6_addr = *ina6;
+	sockaddr->type.sin6.sin6_port = htons(port);
+	sockaddr->length = sizeof(sockaddr->type.sin6);
+	ISC_LINK_INIT(sockaddr, link);
+}
+
+void
+isc_sockaddr_v6fromin(isc_sockaddr_t *sockaddr, const struct in_addr *ina,
+		      in_port_t port) {
+	memset(sockaddr, 0, sizeof(*sockaddr));
+	sockaddr->type.sin6.sin6_family = AF_INET6;
+	sockaddr->type.sin6.sin6_addr.s6_addr[10] = 0xff;
+	sockaddr->type.sin6.sin6_addr.s6_addr[11] = 0xff;
+	memmove(&sockaddr->type.sin6.sin6_addr.s6_addr[12], ina, 4);
+	sockaddr->type.sin6.sin6_port = htons(port);
+	sockaddr->length = sizeof(sockaddr->type.sin6);
+	ISC_LINK_INIT(sockaddr, link);
+}
+
+int
+isc_sockaddr_pf(const isc_sockaddr_t *sockaddr) {
+	/*
+	 * Get the protocol family of 'sockaddr'.
+	 */
+
+#if (AF_INET == PF_INET && AF_INET6 == PF_INET6)
+	/*
+	 * Assume that PF_xxx == AF_xxx for all AF and PF.
+	 */
+	return (sockaddr->type.sa.sa_family);
+#else  /* if (AF_INET == PF_INET && AF_INET6 == PF_INET6) */
+	switch (sockaddr->type.sa.sa_family) {
+	case AF_INET:
+		return (PF_INET);
+	case AF_INET6:
+		return (PF_INET6);
+	default:
+		FATAL_ERROR(__FILE__, __LINE__, "unknown address family: %d",
+			    (int)sockaddr->type.sa.sa_family);
+	}
+#endif /* if (AF_INET == PF_INET && AF_INET6 == PF_INET6) */
+}
+
+void
+isc_sockaddr_fromnetaddr(isc_sockaddr_t *sockaddr, const isc_netaddr_t *na,
+			 in_port_t port) {
+	memset(sockaddr, 0, sizeof(*sockaddr));
+	sockaddr->type.sin.sin_family = na->family;
+	switch (na->family) {
+	case AF_INET:
+		sockaddr->length = sizeof(sockaddr->type.sin);
+		sockaddr->type.sin.sin_addr = na->type.in;
+		sockaddr->type.sin.sin_port = htons(port);
+		break;
+	case AF_INET6:
+		sockaddr->length = sizeof(sockaddr->type.sin6);
+		memmove(&sockaddr->type.sin6.sin6_addr, &na->type.in6, 16);
+		sockaddr->type.sin6.sin6_scope_id = isc_netaddr_getzone(na);
+		sockaddr->type.sin6.sin6_port = htons(port);
+		break;
+	default:
+		UNREACHABLE();
+	}
+	ISC_LINK_INIT(sockaddr, link);
+}
+
+void
+isc_sockaddr_setport(isc_sockaddr_t *sockaddr, in_port_t port) {
+	switch (sockaddr->type.sa.sa_family) {
+	case AF_INET:
+		sockaddr->type.sin.sin_port = htons(port);
+		break;
+	case AF_INET6:
+		sockaddr->type.sin6.sin6_port = htons(port);
+		break;
+	default:
+		FATAL_ERROR(__FILE__, __LINE__, "unknown address family: %d",
+			    (int)sockaddr->type.sa.sa_family);
+	}
+}
+
+in_port_t
+isc_sockaddr_getport(const isc_sockaddr_t *sockaddr) {
+	in_port_t port = 0;
+
+	switch (sockaddr->type.sa.sa_family) {
+	case AF_INET:
+		port = ntohs(sockaddr->type.sin.sin_port);
+		break;
+	case AF_INET6:
+		port = ntohs(sockaddr->type.sin6.sin6_port);
+		break;
+	default:
+		FATAL_ERROR(__FILE__, __LINE__, "unknown address family: %d",
+			    (int)sockaddr->type.sa.sa_family);
+	}
+
+	return (port);
+}
+
+bool
+isc_sockaddr_ismulticast(const isc_sockaddr_t *sockaddr) {
+	isc_netaddr_t netaddr;
+
+	if (sockaddr->type.sa.sa_family == AF_INET ||
+	    sockaddr->type.sa.sa_family == AF_INET6)
+	{
+		isc_netaddr_fromsockaddr(&netaddr, sockaddr);
+		return (isc_netaddr_ismulticast(&netaddr));
+	}
+	return (false);
+}
+
+bool
+isc_sockaddr_isexperimental(const isc_sockaddr_t *sockaddr) {
+	isc_netaddr_t netaddr;
+
+	if (sockaddr->type.sa.sa_family == AF_INET) {
+		isc_netaddr_fromsockaddr(&netaddr, sockaddr);
+		return (isc_netaddr_isexperimental(&netaddr));
+	}
+	return (false);
+}
+
+bool
+isc_sockaddr_issitelocal(const isc_sockaddr_t *sockaddr) {
+	isc_netaddr_t netaddr;
+
+	if (sockaddr->type.sa.sa_family == AF_INET6) {
+		isc_netaddr_fromsockaddr(&netaddr, sockaddr);
+		return (isc_netaddr_issitelocal(&netaddr));
+	}
+	return (false);
+}
+
+bool
+isc_sockaddr_islinklocal(const isc_sockaddr_t *sockaddr) {
+	isc_netaddr_t netaddr;
+
+	if (sockaddr->type.sa.sa_family == AF_INET6) {
+		isc_netaddr_fromsockaddr(&netaddr, sockaddr);
+		return (isc_netaddr_islinklocal(&netaddr));
+	}
+	return (false);
+}
+
+bool
+isc_sockaddr_isnetzero(const isc_sockaddr_t *sockaddr) {
+	isc_netaddr_t netaddr;
+
+	if (sockaddr->type.sa.sa_family == AF_INET) {
+		isc_netaddr_fromsockaddr(&netaddr, sockaddr);
+		return (isc_netaddr_isnetzero(&netaddr));
+	}
+	return (false);
+}
+
+isc_result_t
+isc_sockaddr_frompath(isc_sockaddr_t *sockaddr, const char *path) {
+#ifdef ISC_PLATFORM_HAVESYSUNH
+	if (strlen(path) >= sizeof(sockaddr->type.sunix.sun_path)) {
+		return (ISC_R_NOSPACE);
+	}
+	memset(sockaddr, 0, sizeof(*sockaddr));
+	sockaddr->length = sizeof(sockaddr->type.sunix);
+	sockaddr->type.sunix.sun_family = AF_UNIX;
+	strlcpy(sockaddr->type.sunix.sun_path, path,
+		sizeof(sockaddr->type.sunix.sun_path));
+	return (ISC_R_SUCCESS);
+#else  /* ifdef ISC_PLATFORM_HAVESYSUNH */
+	UNUSED(sockaddr);
+	UNUSED(path);
+	return (ISC_R_NOTIMPLEMENTED);
+#endif /* ifdef ISC_PLATFORM_HAVESYSUNH */
+}
+
+isc_result_t
+isc_sockaddr_fromsockaddr(isc_sockaddr_t *isa, const struct sockaddr *sa) {
+	unsigned int length = 0;
+
+	switch (sa->sa_family) {
+	case AF_INET:
+		length = sizeof(isa->type.sin);
+		break;
+	case AF_INET6:
+		length = sizeof(isa->type.sin6);
+		break;
+#ifdef ISC_PLATFORM_HAVESYSUNH
+	case AF_UNIX:
+		length = sizeof(isa->type.sunix);
+		break;
+#endif /* ifdef ISC_PLATFORM_HAVESYSUNH */
+	default:
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	memset(isa, 0, sizeof(isc_sockaddr_t));
+	memmove(isa, sa, length);
+	isa->length = length;
+
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/isc/stats.c b/lib/isc/stats.c
new file mode 100644
index 0000000..aca8074
--- /dev/null
+++ b/lib/isc/stats.c
@@ -0,0 +1,203 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <string.h>
+
+#include <isc/atomic.h>
+#include <isc/buffer.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/refcount.h>
+#include <isc/stats.h>
+#include <isc/util.h>
+
+#define ISC_STATS_MAGIC	   ISC_MAGIC('S', 't', 'a', 't')
+#define ISC_STATS_VALID(x) ISC_MAGIC_VALID(x, ISC_STATS_MAGIC)
+
+#if defined(_WIN32) && !defined(_WIN64)
+typedef atomic_int_fast32_t isc__atomic_statcounter_t;
+#else  /* if defined(_WIN32) && !defined(_WIN64) */
+typedef atomic_int_fast64_t isc__atomic_statcounter_t;
+#endif /* if defined(_WIN32) && !defined(_WIN64) */
+
+struct isc_stats {
+	unsigned int magic;
+	isc_mem_t *mctx;
+	isc_refcount_t references;
+	int ncounters;
+	isc__atomic_statcounter_t *counters;
+};
+
+static isc_result_t
+create_stats(isc_mem_t *mctx, int ncounters, isc_stats_t **statsp) {
+	isc_stats_t *stats;
+	size_t counters_alloc_size;
+
+	REQUIRE(statsp != NULL && *statsp == NULL);
+
+	stats = isc_mem_get(mctx, sizeof(*stats));
+	counters_alloc_size = sizeof(isc__atomic_statcounter_t) * ncounters;
+	stats->counters = isc_mem_get(mctx, counters_alloc_size);
+	isc_refcount_init(&stats->references, 1);
+	for (int i = 0; i < ncounters; i++) {
+		atomic_init(&stats->counters[i], 0);
+	}
+	stats->mctx = NULL;
+	isc_mem_attach(mctx, &stats->mctx);
+	stats->ncounters = ncounters;
+	stats->magic = ISC_STATS_MAGIC;
+	*statsp = stats;
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_stats_attach(isc_stats_t *stats, isc_stats_t **statsp) {
+	REQUIRE(ISC_STATS_VALID(stats));
+	REQUIRE(statsp != NULL && *statsp == NULL);
+
+	isc_refcount_increment(&stats->references);
+	*statsp = stats;
+}
+
+void
+isc_stats_detach(isc_stats_t **statsp) {
+	isc_stats_t *stats;
+
+	REQUIRE(statsp != NULL && ISC_STATS_VALID(*statsp));
+
+	stats = *statsp;
+	*statsp = NULL;
+
+	if (isc_refcount_decrement(&stats->references) == 1) {
+		isc_refcount_destroy(&stats->references);
+		isc_mem_put(stats->mctx, stats->counters,
+			    sizeof(isc__atomic_statcounter_t) *
+				    stats->ncounters);
+		isc_mem_putanddetach(&stats->mctx, stats, sizeof(*stats));
+	}
+}
+
+int
+isc_stats_ncounters(isc_stats_t *stats) {
+	REQUIRE(ISC_STATS_VALID(stats));
+
+	return (stats->ncounters);
+}
+
+isc_result_t
+isc_stats_create(isc_mem_t *mctx, isc_stats_t **statsp, int ncounters) {
+	REQUIRE(statsp != NULL && *statsp == NULL);
+
+	return (create_stats(mctx, ncounters, statsp));
+}
+
+void
+isc_stats_increment(isc_stats_t *stats, isc_statscounter_t counter) {
+	REQUIRE(ISC_STATS_VALID(stats));
+	REQUIRE(counter < stats->ncounters);
+
+	atomic_fetch_add_relaxed(&stats->counters[counter], 1);
+}
+
+void
+isc_stats_decrement(isc_stats_t *stats, isc_statscounter_t counter) {
+	REQUIRE(ISC_STATS_VALID(stats));
+	REQUIRE(counter < stats->ncounters);
+	atomic_fetch_sub_release(&stats->counters[counter], 1);
+}
+
+void
+isc_stats_dump(isc_stats_t *stats, isc_stats_dumper_t dump_fn, void *arg,
+	       unsigned int options) {
+	int i;
+
+	REQUIRE(ISC_STATS_VALID(stats));
+
+	for (i = 0; i < stats->ncounters; i++) {
+		uint32_t counter = atomic_load_acquire(&stats->counters[i]);
+		if ((options & ISC_STATSDUMP_VERBOSE) == 0 && counter == 0) {
+			continue;
+		}
+		dump_fn((isc_statscounter_t)i, counter, arg);
+	}
+}
+
+void
+isc_stats_set(isc_stats_t *stats, uint64_t val, isc_statscounter_t counter) {
+	REQUIRE(ISC_STATS_VALID(stats));
+	REQUIRE(counter < stats->ncounters);
+
+	atomic_store_release(&stats->counters[counter], val);
+}
+
+void
+isc_stats_update_if_greater(isc_stats_t *stats, isc_statscounter_t counter,
+			    isc_statscounter_t value) {
+	REQUIRE(ISC_STATS_VALID(stats));
+	REQUIRE(counter < stats->ncounters);
+
+	isc_statscounter_t curr_value =
+		atomic_load_acquire(&stats->counters[counter]);
+	do {
+		if (curr_value >= value) {
+			break;
+		}
+	} while (!atomic_compare_exchange_weak_acq_rel(
+		&stats->counters[counter], &curr_value, value));
+}
+
+isc_statscounter_t
+isc_stats_get_counter(isc_stats_t *stats, isc_statscounter_t counter) {
+	REQUIRE(ISC_STATS_VALID(stats));
+	REQUIRE(counter < stats->ncounters);
+
+	return (atomic_load_acquire(&stats->counters[counter]));
+}
+
+void
+isc_stats_resize(isc_stats_t **statsp, int ncounters) {
+	isc_stats_t *stats;
+	size_t counters_alloc_size;
+	isc__atomic_statcounter_t *newcounters;
+
+	REQUIRE(statsp != NULL && *statsp != NULL);
+	REQUIRE(ISC_STATS_VALID(*statsp));
+	REQUIRE(ncounters > 0);
+
+	stats = *statsp;
+	if (stats->ncounters >= ncounters) {
+		/* We already have enough counters. */
+		return;
+	}
+
+	/* Grow number of counters. */
+	counters_alloc_size = sizeof(isc__atomic_statcounter_t) * ncounters;
+	newcounters = isc_mem_get(stats->mctx, counters_alloc_size);
+	for (int i = 0; i < ncounters; i++) {
+		atomic_init(&newcounters[i], 0);
+	}
+	for (int i = 0; i < stats->ncounters; i++) {
+		uint32_t counter = atomic_load_acquire(&stats->counters[i]);
+		atomic_store_release(&newcounters[i], counter);
+	}
+	isc_mem_put(stats->mctx, stats->counters,
+		    sizeof(isc__atomic_statcounter_t) * stats->ncounters);
+	stats->counters = newcounters;
+	stats->ncounters = ncounters;
+}
diff --git a/lib/isc/string.c b/lib/isc/string.c
new file mode 100644
index 0000000..5de6d88
--- /dev/null
+++ b/lib/isc/string.c
@@ -0,0 +1,149 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ * Copyright (c) 2001 Mike Barcroft <mike@FreeBSD.org>
+ * Copyright (c) 1990, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * This code is derived from software contributed to Berkeley by
+ * Chris Torek.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*! \file */
+
+#ifdef _GNU_SOURCE
+#undef _GNU_SOURCE
+#endif /* ifdef _GNU_SOURCE */
+#include <string.h>
+
+#include <isc/string.h> /* IWYU pragma: keep */
+#include <isc/util.h>
+
+#if !defined(HAVE_STRLCPY)
+size_t
+strlcpy(char *dst, const char *src, size_t size) {
+	char *d = dst;
+	const char *s = src;
+	size_t n = size;
+
+	/* Copy as many bytes as will fit */
+	if (n != 0U && --n != 0U) {
+		do {
+			if ((*d++ = *s++) == 0) {
+				break;
+			}
+		} while (--n != 0U);
+	}
+
+	/* Not enough room in dst, add NUL and traverse rest of src */
+	if (n == 0U) {
+		if (size != 0U) {
+			*d = '\0'; /* NUL-terminate dst */
+		}
+		while (*s++) {
+		}
+	}
+
+	return (s - src - 1); /* count does not include NUL */
+}
+#endif /* !defined(HAVE_STRLCPY) */
+
+#if !defined(HAVE_STRLCAT)
+size_t
+strlcat(char *dst, const char *src, size_t size) {
+	char *d = dst;
+	const char *s = src;
+	size_t n = size;
+	size_t dlen;
+
+	/* Find the end of dst and adjust bytes left but don't go past end */
+	while (n-- != 0U && *d != '\0') {
+		d++;
+	}
+	dlen = d - dst;
+	n = size - dlen;
+
+	if (n == 0U) {
+		return (dlen + strlen(s));
+	}
+	while (*s != '\0') {
+		if (n != 1U) {
+			*d++ = *s;
+			n--;
+		}
+		s++;
+	}
+	*d = '\0';
+
+	return (dlen + (s - src)); /* count does not include NUL */
+}
+#endif /* !defined(HAVE_STRLCAT) */
+
+#if !defined(HAVE_STRNSTR)
+char *
+strnstr(const char *s, const char *find, size_t slen) {
+	char c, sc, *r;
+	size_t len;
+
+	if ((c = *find++) != '\0') {
+		len = strlen(find);
+		do {
+			do {
+				if (slen-- < 1 || (sc = *s++) == '\0')
+					return (NULL);
+			} while (sc != c);
+			if (len > slen)
+				return (NULL);
+		} while (strncmp(s, find, len) != 0);
+		s--;
+	}
+	DE_CONST(s, r);
+	return (r);
+}
+#endif
+
+int
+isc_string_strerror_r(int errnum, char *buf, size_t buflen) {
+#if defined(_WIN32) || defined(_WIN64)
+	return (strerror_s(buf, buflen, errnum));
+#else  /* if defined(_WIN32) || defined(_WIN64) */
+	return (strerror_r(errnum, buf, buflen));
+#endif /* if defined(_WIN32) || defined(_WIN64) */
+}
diff --git a/lib/isc/symtab.c b/lib/isc/symtab.c
new file mode 100644
index 0000000..ff022a2
--- /dev/null
+++ b/lib/isc/symtab.c
@@ -0,0 +1,294 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <ctype.h>
+#include <stdbool.h>
+
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/symtab.h>
+#include <isc/util.h>
+
+typedef struct elt {
+	char *key;
+	unsigned int type;
+	isc_symvalue_t value;
+	LINK(struct elt) link;
+} elt_t;
+
+typedef LIST(elt_t) eltlist_t;
+
+#define SYMTAB_MAGIC	 ISC_MAGIC('S', 'y', 'm', 'T')
+#define VALID_SYMTAB(st) ISC_MAGIC_VALID(st, SYMTAB_MAGIC)
+
+struct isc_symtab {
+	/* Unlocked. */
+	unsigned int magic;
+	isc_mem_t *mctx;
+	unsigned int size;
+	unsigned int count;
+	unsigned int maxload;
+	eltlist_t *table;
+	isc_symtabaction_t undefine_action;
+	void *undefine_arg;
+	bool case_sensitive;
+};
+
+isc_result_t
+isc_symtab_create(isc_mem_t *mctx, unsigned int size,
+		  isc_symtabaction_t undefine_action, void *undefine_arg,
+		  bool case_sensitive, isc_symtab_t **symtabp) {
+	isc_symtab_t *symtab;
+	unsigned int i;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(symtabp != NULL && *symtabp == NULL);
+	REQUIRE(size > 0); /* Should be prime. */
+
+	symtab = isc_mem_get(mctx, sizeof(*symtab));
+
+	symtab->mctx = NULL;
+	isc_mem_attach(mctx, &symtab->mctx);
+	symtab->table = isc_mem_get(mctx, size * sizeof(eltlist_t));
+	for (i = 0; i < size; i++) {
+		INIT_LIST(symtab->table[i]);
+	}
+	symtab->size = size;
+	symtab->count = 0;
+	symtab->maxload = size * 3 / 4;
+	symtab->undefine_action = undefine_action;
+	symtab->undefine_arg = undefine_arg;
+	symtab->case_sensitive = case_sensitive;
+	symtab->magic = SYMTAB_MAGIC;
+
+	*symtabp = symtab;
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_symtab_destroy(isc_symtab_t **symtabp) {
+	isc_symtab_t *symtab;
+	unsigned int i;
+	elt_t *elt, *nelt;
+
+	REQUIRE(symtabp != NULL);
+	symtab = *symtabp;
+	*symtabp = NULL;
+	REQUIRE(VALID_SYMTAB(symtab));
+
+	for (i = 0; i < symtab->size; i++) {
+		for (elt = HEAD(symtab->table[i]); elt != NULL; elt = nelt) {
+			nelt = NEXT(elt, link);
+			if (symtab->undefine_action != NULL) {
+				(symtab->undefine_action)(elt->key, elt->type,
+							  elt->value,
+							  symtab->undefine_arg);
+			}
+			isc_mem_put(symtab->mctx, elt, sizeof(*elt));
+		}
+	}
+	isc_mem_put(symtab->mctx, symtab->table,
+		    symtab->size * sizeof(eltlist_t));
+	symtab->magic = 0;
+	isc_mem_putanddetach(&symtab->mctx, symtab, sizeof(*symtab));
+}
+
+static unsigned int
+hash(const char *key, bool case_sensitive) {
+	const char *s;
+	unsigned int h = 0;
+	int c;
+
+	/*
+	 * This hash function is similar to the one Ousterhout
+	 * uses in Tcl.
+	 */
+
+	if (case_sensitive) {
+		for (s = key; *s != '\0'; s++) {
+			h += (h << 3) + *s;
+		}
+	} else {
+		for (s = key; *s != '\0'; s++) {
+			c = *s;
+			c = tolower((unsigned char)c);
+			h += (h << 3) + c;
+		}
+	}
+
+	return (h);
+}
+
+#define FIND(s, k, t, b, e)                                                   \
+	b = hash((k), (s)->case_sensitive) % (s)->size;                       \
+	if ((s)->case_sensitive) {                                            \
+		for (e = HEAD((s)->table[b]); e != NULL; e = NEXT(e, link)) { \
+			if (((t) == 0 || e->type == (t)) &&                   \
+			    strcmp(e->key, (k)) == 0)                         \
+				break;                                        \
+		}                                                             \
+	} else {                                                              \
+		for (e = HEAD((s)->table[b]); e != NULL; e = NEXT(e, link)) { \
+			if (((t) == 0 || e->type == (t)) &&                   \
+			    strcasecmp(e->key, (k)) == 0)                     \
+				break;                                        \
+		}                                                             \
+	}
+
+isc_result_t
+isc_symtab_lookup(isc_symtab_t *symtab, const char *key, unsigned int type,
+		  isc_symvalue_t *value) {
+	unsigned int bucket;
+	elt_t *elt;
+
+	REQUIRE(VALID_SYMTAB(symtab));
+	REQUIRE(key != NULL);
+
+	FIND(symtab, key, type, bucket, elt);
+
+	if (elt == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	if (value != NULL) {
+		*value = elt->value;
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+grow_table(isc_symtab_t *symtab) {
+	eltlist_t *newtable;
+	unsigned int i, newsize, newmax;
+
+	REQUIRE(symtab != NULL);
+
+	newsize = symtab->size * 2;
+	newmax = newsize * 3 / 4;
+	INSIST(newsize > 0U && newmax > 0U);
+
+	newtable = isc_mem_get(symtab->mctx, newsize * sizeof(eltlist_t));
+
+	for (i = 0; i < newsize; i++) {
+		INIT_LIST(newtable[i]);
+	}
+
+	for (i = 0; i < symtab->size; i++) {
+		elt_t *elt, *nelt;
+
+		for (elt = HEAD(symtab->table[i]); elt != NULL; elt = nelt) {
+			unsigned int hv;
+
+			nelt = NEXT(elt, link);
+
+			UNLINK(symtab->table[i], elt, link);
+			hv = hash(elt->key, symtab->case_sensitive);
+			APPEND(newtable[hv % newsize], elt, link);
+		}
+	}
+
+	isc_mem_put(symtab->mctx, symtab->table,
+		    symtab->size * sizeof(eltlist_t));
+
+	symtab->table = newtable;
+	symtab->size = newsize;
+	symtab->maxload = newmax;
+}
+
+isc_result_t
+isc_symtab_define(isc_symtab_t *symtab, const char *key, unsigned int type,
+		  isc_symvalue_t value, isc_symexists_t exists_policy) {
+	unsigned int bucket;
+	elt_t *elt;
+
+	REQUIRE(VALID_SYMTAB(symtab));
+	REQUIRE(key != NULL);
+	REQUIRE(type != 0);
+
+	FIND(symtab, key, type, bucket, elt);
+
+	if (exists_policy != isc_symexists_add && elt != NULL) {
+		if (exists_policy == isc_symexists_reject) {
+			return (ISC_R_EXISTS);
+		}
+		INSIST(exists_policy == isc_symexists_replace);
+		UNLINK(symtab->table[bucket], elt, link);
+		if (symtab->undefine_action != NULL) {
+			(symtab->undefine_action)(elt->key, elt->type,
+						  elt->value,
+						  symtab->undefine_arg);
+		}
+	} else {
+		elt = isc_mem_get(symtab->mctx, sizeof(*elt));
+		ISC_LINK_INIT(elt, link);
+		symtab->count++;
+	}
+
+	/*
+	 * Though the "key" can be const coming in, it is not stored as const
+	 * so that the calling program can easily have writable access to
+	 * it in its undefine_action function.  In the event that it *was*
+	 * truly const coming in and then the caller modified it anyway ...
+	 * well, don't do that!
+	 */
+	DE_CONST(key, elt->key);
+	elt->type = type;
+	elt->value = value;
+
+	/*
+	 * We prepend so that the most recent definition will be found.
+	 */
+	PREPEND(symtab->table[bucket], elt, link);
+
+	if (symtab->count > symtab->maxload) {
+		grow_table(symtab);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_symtab_undefine(isc_symtab_t *symtab, const char *key, unsigned int type) {
+	unsigned int bucket;
+	elt_t *elt;
+
+	REQUIRE(VALID_SYMTAB(symtab));
+	REQUIRE(key != NULL);
+
+	FIND(symtab, key, type, bucket, elt);
+
+	if (elt == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	if (symtab->undefine_action != NULL) {
+		(symtab->undefine_action)(elt->key, elt->type, elt->value,
+					  symtab->undefine_arg);
+	}
+	UNLINK(symtab->table[bucket], elt, link);
+	isc_mem_put(symtab->mctx, elt, sizeof(*elt));
+	symtab->count--;
+
+	return (ISC_R_SUCCESS);
+}
+
+unsigned int
+isc_symtab_count(isc_symtab_t *symtab) {
+	REQUIRE(VALID_SYMTAB(symtab));
+	return (symtab->count);
+}
diff --git a/lib/isc/task.c b/lib/isc/task.c
new file mode 100644
index 0000000..3d8deaf
--- /dev/null
+++ b/lib/isc/task.c
@@ -0,0 +1,1486 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+/*
+ * XXXRTH  Need to document the states a task can be in, and the rules
+ * for changing states.
+ */
+
+#include <stdbool.h>
+#include <unistd.h>
+
+#include <isc/app.h>
+#include <isc/atomic.h>
+#include <isc/condition.h>
+#include <isc/event.h>
+#include <isc/log.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/random.h>
+#include <isc/refcount.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/thread.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#ifdef HAVE_LIBXML2
+#include <libxml/xmlwriter.h>
+#define ISC_XMLCHAR (const xmlChar *)
+#endif /* HAVE_LIBXML2 */
+
+#ifdef HAVE_JSON_C
+#include <json_object.h>
+#endif /* HAVE_JSON_C */
+
+#include "task_p.h"
+
+/*
+ * Task manager is built around 'as little locking as possible' concept.
+ * Each thread has his own queue of tasks to be run, if a task is in running
+ * state it will stay on the runner it's currently on, if a task is in idle
+ * state it can be woken up on a specific runner with isc_task_sendto - that
+ * helps with data locality on CPU.
+ *
+ * To make load even some tasks (from task pools) are bound to specific
+ * queues using isc_task_create_bound. This way load balancing between
+ * CPUs/queues happens on the higher layer.
+ */
+
+#ifdef ISC_TASK_TRACE
+#define XTRACE(m) \
+	fprintf(stderr, "task %p thread %zu: %s\n", task, isc_tid_v, (m))
+#define XTTRACE(t, m) \
+	fprintf(stderr, "task %p thread %zu: %s\n", (t), isc_tid_v, (m))
+#define XTHREADTRACE(m) fprintf(stderr, "thread %zu: %s\n", isc_tid_v, (m))
+#else /* ifdef ISC_TASK_TRACE */
+#define XTRACE(m)
+#define XTTRACE(t, m)
+#define XTHREADTRACE(m)
+#endif /* ifdef ISC_TASK_TRACE */
+
+/***
+ *** Types.
+ ***/
+
+typedef enum {
+	task_state_idle,    /* not doing anything, events queue empty */
+	task_state_ready,   /* waiting in worker's queue */
+	task_state_paused,  /* not running, paused */
+	task_state_pausing, /* running, waiting to be paused */
+	task_state_running, /* actively processing events */
+	task_state_done	    /* shutting down, no events or references */
+} task_state_t;
+
+#if defined(HAVE_LIBXML2) || defined(HAVE_JSON_C)
+static const char *statenames[] = {
+	"idle", "ready", "paused", "pausing", "running", "done",
+};
+#endif /* if defined(HAVE_LIBXML2) || defined(HAVE_JSON_C) */
+
+#define TASK_MAGIC    ISC_MAGIC('T', 'A', 'S', 'K')
+#define VALID_TASK(t) ISC_MAGIC_VALID(t, TASK_MAGIC)
+
+struct isc_task {
+	/* Not locked. */
+	unsigned int magic;
+	isc_taskmgr_t *manager;
+	isc_mutex_t lock;
+	/* Locked by task lock. */
+	int threadid;
+	task_state_t state;
+	int pause_cnt;
+	isc_refcount_t references;
+	isc_refcount_t running;
+	isc_eventlist_t events;
+	isc_eventlist_t on_shutdown;
+	unsigned int nevents;
+	unsigned int quantum;
+	isc_stdtime_t now;
+	isc_time_t tnow;
+	char name[16];
+	void *tag;
+	bool bound;
+	/* Protected by atomics */
+	atomic_bool shuttingdown;
+	atomic_bool privileged;
+	/* Locked by task manager lock. */
+	LINK(isc_task_t) link;
+};
+
+#define TASK_SHUTTINGDOWN(t) (atomic_load_acquire(&(t)->shuttingdown))
+#define TASK_PRIVILEGED(t)   (atomic_load_acquire(&(t)->privileged))
+
+#define TASK_MANAGER_MAGIC ISC_MAGIC('T', 'S', 'K', 'M')
+#define VALID_MANAGER(m)   ISC_MAGIC_VALID(m, TASK_MANAGER_MAGIC)
+
+struct isc_taskmgr {
+	/* Not locked. */
+	unsigned int magic;
+	isc_refcount_t references;
+	isc_mem_t *mctx;
+	isc_mutex_t lock;
+	atomic_uint_fast32_t tasks_count;
+	isc_nm_t *netmgr;
+
+	/* Locked by task manager lock. */
+	unsigned int default_quantum;
+	LIST(isc_task_t) tasks;
+	atomic_uint_fast32_t mode;
+	atomic_bool exclusive_req;
+	bool exiting;
+	isc_task_t *excl;
+};
+
+#define DEFAULT_DEFAULT_QUANTUM 25
+
+/*%
+ * The following are intended for internal use (indicated by "isc__"
+ * prefix) but are not declared as static, allowing direct access from
+ * unit tests etc.
+ */
+
+bool
+isc_task_purgeevent(isc_task_t *task, isc_event_t *event);
+void
+isc_taskmgr_setexcltask(isc_taskmgr_t *mgr, isc_task_t *task);
+isc_result_t
+isc_taskmgr_excltask(isc_taskmgr_t *mgr, isc_task_t **taskp);
+
+/***
+ *** Tasks.
+ ***/
+
+static void
+task_finished(isc_task_t *task) {
+	isc_taskmgr_t *manager = task->manager;
+	isc_mem_t *mctx = manager->mctx;
+	REQUIRE(EMPTY(task->events));
+	REQUIRE(task->nevents == 0);
+	REQUIRE(EMPTY(task->on_shutdown));
+	REQUIRE(task->state == task_state_done);
+
+	XTRACE("task_finished");
+
+	isc_refcount_destroy(&task->running);
+	isc_refcount_destroy(&task->references);
+
+	LOCK(&manager->lock);
+	UNLINK(manager->tasks, task, link);
+	atomic_fetch_sub(&manager->tasks_count, 1);
+	UNLOCK(&manager->lock);
+
+	isc_mutex_destroy(&task->lock);
+	task->magic = 0;
+	isc_mem_put(mctx, task, sizeof(*task));
+
+	isc_taskmgr_detach(&manager);
+}
+
+isc_result_t
+isc_task_create(isc_taskmgr_t *manager, unsigned int quantum,
+		isc_task_t **taskp) {
+	return (isc_task_create_bound(manager, quantum, taskp, -1));
+}
+
+isc_result_t
+isc_task_create_bound(isc_taskmgr_t *manager, unsigned int quantum,
+		      isc_task_t **taskp, int threadid) {
+	isc_task_t *task = NULL;
+	bool exiting;
+
+	REQUIRE(VALID_MANAGER(manager));
+	REQUIRE(taskp != NULL && *taskp == NULL);
+
+	XTRACE("isc_task_create");
+
+	task = isc_mem_get(manager->mctx, sizeof(*task));
+	*task = (isc_task_t){ 0 };
+
+	isc_taskmgr_attach(manager, &task->manager);
+
+	if (threadid == -1) {
+		/*
+		 * Task is not pinned to a queue, it's threadid will be
+		 * chosen when first task will be sent to it - either
+		 * randomly or specified by isc_task_sendto.
+		 */
+		task->bound = false;
+		task->threadid = -1;
+	} else {
+		/*
+		 * Task is pinned to a queue, it'll always be run
+		 * by a specific thread.
+		 */
+		task->bound = true;
+		task->threadid = threadid;
+	}
+
+	isc_mutex_init(&task->lock);
+	task->state = task_state_idle;
+	task->pause_cnt = 0;
+
+	isc_refcount_init(&task->references, 1);
+	isc_refcount_init(&task->running, 0);
+	INIT_LIST(task->events);
+	INIT_LIST(task->on_shutdown);
+	task->nevents = 0;
+	task->quantum = (quantum > 0) ? quantum : manager->default_quantum;
+	atomic_init(&task->shuttingdown, false);
+	atomic_init(&task->privileged, false);
+	task->now = 0;
+	isc_time_settoepoch(&task->tnow);
+	memset(task->name, 0, sizeof(task->name));
+	task->tag = NULL;
+	INIT_LINK(task, link);
+	task->magic = TASK_MAGIC;
+
+	LOCK(&manager->lock);
+	exiting = manager->exiting;
+	if (!exiting) {
+		APPEND(manager->tasks, task, link);
+		atomic_fetch_add(&manager->tasks_count, 1);
+	}
+	UNLOCK(&manager->lock);
+
+	if (exiting) {
+		isc_refcount_destroy(&task->running);
+		isc_refcount_decrement(&task->references);
+		isc_refcount_destroy(&task->references);
+		isc_mutex_destroy(&task->lock);
+		isc_taskmgr_detach(&task->manager);
+		isc_mem_put(manager->mctx, task, sizeof(*task));
+		return (ISC_R_SHUTTINGDOWN);
+	}
+
+	*taskp = task;
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_task_attach(isc_task_t *source, isc_task_t **targetp) {
+	/*
+	 * Attach *targetp to source.
+	 */
+
+	REQUIRE(VALID_TASK(source));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	XTTRACE(source, "isc_task_attach");
+
+	isc_refcount_increment(&source->references);
+
+	*targetp = source;
+}
+
+static bool
+task_shutdown(isc_task_t *task) {
+	bool was_idle = false;
+	isc_event_t *event, *prev;
+
+	/*
+	 * Caller must be holding the task's lock.
+	 */
+
+	XTRACE("task_shutdown");
+
+	if (atomic_compare_exchange_strong(&task->shuttingdown,
+					   &(bool){ false }, true))
+	{
+		XTRACE("shutting down");
+		if (task->state == task_state_idle) {
+			INSIST(EMPTY(task->events));
+			task->state = task_state_ready;
+			was_idle = true;
+		}
+		INSIST(task->state == task_state_ready ||
+		       task->state == task_state_paused ||
+		       task->state == task_state_pausing ||
+		       task->state == task_state_running);
+
+		/*
+		 * Note that we post shutdown events LIFO.
+		 */
+		for (event = TAIL(task->on_shutdown); event != NULL;
+		     event = prev)
+		{
+			prev = PREV(event, ev_link);
+			DEQUEUE(task->on_shutdown, event, ev_link);
+			ENQUEUE(task->events, event, ev_link);
+			task->nevents++;
+		}
+	}
+
+	return (was_idle);
+}
+
+/*
+ * Moves a task onto the appropriate run queue.
+ *
+ * Caller must NOT hold queue lock.
+ */
+static void
+task_ready(isc_task_t *task) {
+	isc_taskmgr_t *manager = task->manager;
+	REQUIRE(VALID_MANAGER(manager));
+
+	XTRACE("task_ready");
+
+	isc_refcount_increment0(&task->running);
+	LOCK(&task->lock);
+	isc_nm_task_enqueue(manager->netmgr, task, task->threadid);
+	UNLOCK(&task->lock);
+}
+
+void
+isc_task_ready(isc_task_t *task) {
+	task_ready(task);
+}
+
+static bool
+task_detach(isc_task_t *task) {
+	/*
+	 * Caller must be holding the task lock.
+	 */
+
+	XTRACE("detach");
+
+	if (isc_refcount_decrement(&task->references) == 1 &&
+	    task->state == task_state_idle)
+	{
+		INSIST(EMPTY(task->events));
+		/*
+		 * There are no references to this task, and no
+		 * pending events.  We could try to optimize and
+		 * either initiate shutdown or clean up the task,
+		 * depending on its state, but it's easier to just
+		 * make the task ready and allow run() or the event
+		 * loop to deal with shutting down and termination.
+		 */
+		task->state = task_state_ready;
+		return (true);
+	}
+
+	return (false);
+}
+
+void
+isc_task_detach(isc_task_t **taskp) {
+	isc_task_t *task;
+	bool was_idle;
+
+	/*
+	 * Detach *taskp from its task.
+	 */
+
+	REQUIRE(taskp != NULL);
+	task = *taskp;
+	REQUIRE(VALID_TASK(task));
+
+	XTRACE("isc_task_detach");
+
+	LOCK(&task->lock);
+	was_idle = task_detach(task);
+	UNLOCK(&task->lock);
+
+	if (was_idle) {
+		task_ready(task);
+	}
+
+	*taskp = NULL;
+}
+
+static bool
+task_send(isc_task_t *task, isc_event_t **eventp, int c) {
+	bool was_idle = false;
+	isc_event_t *event;
+
+	/*
+	 * Caller must be holding the task lock.
+	 */
+
+	REQUIRE(eventp != NULL);
+	event = *eventp;
+	*eventp = NULL;
+	REQUIRE(event != NULL);
+	REQUIRE(event->ev_type > 0);
+	REQUIRE(task->state != task_state_done);
+	REQUIRE(!ISC_LINK_LINKED(event, ev_ratelink));
+
+	XTRACE("task_send");
+
+	if (task->bound) {
+		c = task->threadid;
+	} else if (c < 0) {
+		c = -1;
+	}
+
+	if (task->state == task_state_idle) {
+		was_idle = true;
+		task->threadid = c;
+		INSIST(EMPTY(task->events));
+		task->state = task_state_ready;
+	}
+	INSIST(task->state == task_state_ready ||
+	       task->state == task_state_running ||
+	       task->state == task_state_paused ||
+	       task->state == task_state_pausing);
+	ENQUEUE(task->events, event, ev_link);
+	task->nevents++;
+
+	return (was_idle);
+}
+
+void
+isc_task_send(isc_task_t *task, isc_event_t **eventp) {
+	isc_task_sendto(task, eventp, -1);
+}
+
+void
+isc_task_sendanddetach(isc_task_t **taskp, isc_event_t **eventp) {
+	isc_task_sendtoanddetach(taskp, eventp, -1);
+}
+
+void
+isc_task_sendto(isc_task_t *task, isc_event_t **eventp, int c) {
+	bool was_idle;
+
+	/*
+	 * Send '*event' to 'task'.
+	 */
+
+	REQUIRE(VALID_TASK(task));
+	XTRACE("isc_task_send");
+
+	/*
+	 * We're trying hard to hold locks for as short a time as possible.
+	 * We're also trying to hold as few locks as possible.  This is why
+	 * some processing is deferred until after the lock is released.
+	 */
+	LOCK(&task->lock);
+	was_idle = task_send(task, eventp, c);
+	UNLOCK(&task->lock);
+
+	if (was_idle) {
+		/*
+		 * We need to add this task to the ready queue.
+		 *
+		 * We've waited until now to do it because making a task
+		 * ready requires locking the manager.  If we tried to do
+		 * this while holding the task lock, we could deadlock.
+		 *
+		 * We've changed the state to ready, so no one else will
+		 * be trying to add this task to the ready queue.  The
+		 * only way to leave the ready state is by executing the
+		 * task.  It thus doesn't matter if events are added,
+		 * removed, or a shutdown is started in the interval
+		 * between the time we released the task lock, and the time
+		 * we add the task to the ready queue.
+		 */
+		task_ready(task);
+	}
+}
+
+void
+isc_task_sendtoanddetach(isc_task_t **taskp, isc_event_t **eventp, int c) {
+	bool idle1, idle2;
+	isc_task_t *task;
+
+	/*
+	 * Send '*event' to '*taskp' and then detach '*taskp' from its
+	 * task.
+	 */
+
+	REQUIRE(taskp != NULL);
+	task = *taskp;
+	REQUIRE(VALID_TASK(task));
+	XTRACE("isc_task_sendanddetach");
+
+	LOCK(&task->lock);
+	idle1 = task_send(task, eventp, c);
+	idle2 = task_detach(task);
+	UNLOCK(&task->lock);
+
+	/*
+	 * If idle1, then idle2 shouldn't be true as well since we're holding
+	 * the task lock, and thus the task cannot switch from ready back to
+	 * idle.
+	 */
+	INSIST(!(idle1 && idle2));
+
+	if (idle1 || idle2) {
+		task_ready(task);
+	}
+
+	*taskp = NULL;
+}
+
+#define PURGE_OK(event) (((event)->ev_attributes & ISC_EVENTATTR_NOPURGE) == 0)
+
+static unsigned int
+dequeue_events(isc_task_t *task, void *sender, isc_eventtype_t first,
+	       isc_eventtype_t last, void *tag, isc_eventlist_t *events,
+	       bool purging) {
+	isc_event_t *event, *next_event;
+	unsigned int count = 0;
+
+	REQUIRE(VALID_TASK(task));
+	REQUIRE(last >= first);
+
+	XTRACE("dequeue_events");
+
+	/*
+	 * Events matching 'sender', whose type is >= first and <= last, and
+	 * whose tag is 'tag' will be dequeued.  If 'purging', matching events
+	 * which are marked as unpurgable will not be dequeued.
+	 *
+	 * sender == NULL means "any sender", and tag == NULL means "any tag".
+	 */
+
+	LOCK(&task->lock);
+
+	for (event = HEAD(task->events); event != NULL; event = next_event) {
+		next_event = NEXT(event, ev_link);
+		if (event->ev_type >= first && event->ev_type <= last &&
+		    (sender == NULL || event->ev_sender == sender) &&
+		    (tag == NULL || event->ev_tag == tag) &&
+		    (!purging || PURGE_OK(event)))
+		{
+			DEQUEUE(task->events, event, ev_link);
+			task->nevents--;
+			ENQUEUE(*events, event, ev_link);
+			count++;
+		}
+	}
+
+	UNLOCK(&task->lock);
+
+	return (count);
+}
+
+unsigned int
+isc_task_purgerange(isc_task_t *task, void *sender, isc_eventtype_t first,
+		    isc_eventtype_t last, void *tag) {
+	unsigned int count;
+	isc_eventlist_t events;
+	isc_event_t *event, *next_event;
+	REQUIRE(VALID_TASK(task));
+
+	/*
+	 * Purge events from a task's event queue.
+	 */
+
+	XTRACE("isc_task_purgerange");
+
+	ISC_LIST_INIT(events);
+
+	count = dequeue_events(task, sender, first, last, tag, &events, true);
+
+	for (event = HEAD(events); event != NULL; event = next_event) {
+		next_event = NEXT(event, ev_link);
+		ISC_LIST_UNLINK(events, event, ev_link);
+		isc_event_free(&event);
+	}
+
+	/*
+	 * Note that purging never changes the state of the task.
+	 */
+
+	return (count);
+}
+
+unsigned int
+isc_task_purge(isc_task_t *task, void *sender, isc_eventtype_t type,
+	       void *tag) {
+	/*
+	 * Purge events from a task's event queue.
+	 */
+	REQUIRE(VALID_TASK(task));
+
+	XTRACE("isc_task_purge");
+
+	return (isc_task_purgerange(task, sender, type, type, tag));
+}
+
+bool
+isc_task_purgeevent(isc_task_t *task, isc_event_t *event) {
+	bool found = false;
+
+	/*
+	 * Purge 'event' from a task's event queue.
+	 */
+
+	REQUIRE(VALID_TASK(task));
+
+	/*
+	 * If 'event' is on the task's event queue, it will be purged,
+	 * unless it is marked as unpurgeable.  'event' does not have to be
+	 * on the task's event queue; in fact, it can even be an invalid
+	 * pointer.  Purging only occurs if the event is actually on the task's
+	 * event queue.
+	 *
+	 * Purging never changes the state of the task.
+	 */
+
+	LOCK(&task->lock);
+	if (ISC_LINK_LINKED(event, ev_link)) {
+		DEQUEUE(task->events, event, ev_link);
+		task->nevents--;
+		found = true;
+	}
+	UNLOCK(&task->lock);
+
+	if (!found) {
+		return (false);
+	}
+
+	isc_event_free(&event);
+
+	return (true);
+}
+
+unsigned int
+isc_task_unsendrange(isc_task_t *task, void *sender, isc_eventtype_t first,
+		     isc_eventtype_t last, void *tag, isc_eventlist_t *events) {
+	/*
+	 * Remove events from a task's event queue.
+	 */
+	REQUIRE(VALID_TASK(task));
+
+	XTRACE("isc_task_unsendrange");
+
+	return (dequeue_events(task, sender, first, last, tag, events, false));
+}
+
+unsigned int
+isc_task_unsend(isc_task_t *task, void *sender, isc_eventtype_t type, void *tag,
+		isc_eventlist_t *events) {
+	/*
+	 * Remove events from a task's event queue.
+	 */
+
+	XTRACE("isc_task_unsend");
+
+	return (dequeue_events(task, sender, type, type, tag, events, false));
+}
+
+isc_result_t
+isc_task_onshutdown(isc_task_t *task, isc_taskaction_t action, void *arg) {
+	bool disallowed = false;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_event_t *event;
+
+	/*
+	 * Send a shutdown event with action 'action' and argument 'arg' when
+	 * 'task' is shutdown.
+	 */
+
+	REQUIRE(VALID_TASK(task));
+	REQUIRE(action != NULL);
+
+	event = isc_event_allocate(task->manager->mctx, NULL,
+				   ISC_TASKEVENT_SHUTDOWN, action, arg,
+				   sizeof(*event));
+
+	if (TASK_SHUTTINGDOWN(task)) {
+		disallowed = true;
+		result = ISC_R_SHUTTINGDOWN;
+	} else {
+		LOCK(&task->lock);
+		ENQUEUE(task->on_shutdown, event, ev_link);
+		UNLOCK(&task->lock);
+	}
+
+	if (disallowed) {
+		isc_mem_put(task->manager->mctx, event, sizeof(*event));
+	}
+
+	return (result);
+}
+
+void
+isc_task_shutdown(isc_task_t *task) {
+	bool was_idle;
+
+	/*
+	 * Shutdown 'task'.
+	 */
+
+	REQUIRE(VALID_TASK(task));
+
+	LOCK(&task->lock);
+	was_idle = task_shutdown(task);
+	UNLOCK(&task->lock);
+
+	if (was_idle) {
+		task_ready(task);
+	}
+}
+
+void
+isc_task_destroy(isc_task_t **taskp) {
+	/*
+	 * Destroy '*taskp'.
+	 */
+
+	REQUIRE(taskp != NULL);
+
+	isc_task_shutdown(*taskp);
+	isc_task_detach(taskp);
+}
+
+void
+isc_task_setname(isc_task_t *task, const char *name, void *tag) {
+	/*
+	 * Name 'task'.
+	 */
+
+	REQUIRE(VALID_TASK(task));
+
+	LOCK(&task->lock);
+	strlcpy(task->name, name, sizeof(task->name));
+	task->tag = tag;
+	UNLOCK(&task->lock);
+}
+
+const char *
+isc_task_getname(isc_task_t *task) {
+	REQUIRE(VALID_TASK(task));
+
+	return (task->name);
+}
+
+void *
+isc_task_gettag(isc_task_t *task) {
+	REQUIRE(VALID_TASK(task));
+
+	return (task->tag);
+}
+
+void
+isc_task_getcurrenttime(isc_task_t *task, isc_stdtime_t *t) {
+	REQUIRE(VALID_TASK(task));
+	REQUIRE(t != NULL);
+
+	LOCK(&task->lock);
+	*t = task->now;
+	UNLOCK(&task->lock);
+}
+
+void
+isc_task_getcurrenttimex(isc_task_t *task, isc_time_t *t) {
+	REQUIRE(VALID_TASK(task));
+	REQUIRE(t != NULL);
+
+	LOCK(&task->lock);
+	*t = task->tnow;
+	UNLOCK(&task->lock);
+}
+
+isc_nm_t *
+isc_task_getnetmgr(isc_task_t *task) {
+	REQUIRE(VALID_TASK(task));
+
+	return (task->manager->netmgr);
+}
+
+void
+isc_task_setquantum(isc_task_t *task, unsigned int quantum) {
+	REQUIRE(VALID_TASK(task));
+
+	LOCK(&task->lock);
+	task->quantum = (quantum > 0) ? quantum
+				      : task->manager->default_quantum;
+	UNLOCK(&task->lock);
+}
+
+/***
+ *** Task Manager.
+ ***/
+
+static isc_result_t
+task_run(isc_task_t *task) {
+	unsigned int dispatch_count = 0;
+	bool finished = false;
+	isc_event_t *event = NULL;
+	isc_result_t result = ISC_R_SUCCESS;
+	uint32_t quantum;
+
+	REQUIRE(VALID_TASK(task));
+
+	LOCK(&task->lock);
+	quantum = task->quantum;
+
+	/*
+	 * It is possible because that we have a paused task in the queue - it
+	 * might have been paused in the meantime and we never hold both queue
+	 * and task lock to avoid deadlocks, just bail then.
+	 */
+	if (task->state != task_state_ready) {
+		goto done;
+	}
+
+	INSIST(task->state == task_state_ready);
+	task->state = task_state_running;
+	XTRACE("running");
+	XTRACE(task->name);
+	TIME_NOW(&task->tnow);
+	task->now = isc_time_seconds(&task->tnow);
+
+	while (true) {
+		if (!EMPTY(task->events)) {
+			event = HEAD(task->events);
+			DEQUEUE(task->events, event, ev_link);
+			task->nevents--;
+
+			/*
+			 * Execute the event action.
+			 */
+			XTRACE("execute action");
+			XTRACE(task->name);
+			if (event->ev_action != NULL) {
+				UNLOCK(&task->lock);
+				(event->ev_action)(task, event);
+				LOCK(&task->lock);
+			}
+			XTRACE("execution complete");
+			dispatch_count++;
+		}
+
+		if (isc_refcount_current(&task->references) == 0 &&
+		    EMPTY(task->events) && !TASK_SHUTTINGDOWN(task))
+		{
+			/*
+			 * There are no references and no pending events for
+			 * this task, which means it will not become runnable
+			 * again via an external action (such as sending an
+			 * event or detaching).
+			 *
+			 * We initiate shutdown to prevent it from becoming a
+			 * zombie.
+			 *
+			 * We do this here instead of in the "if
+			 * EMPTY(task->events)" block below because:
+			 *
+			 *	If we post no shutdown events, we want the task
+			 *	to finish.
+			 *
+			 *	If we did post shutdown events, will still want
+			 *	the task's quantum to be applied.
+			 */
+			INSIST(!task_shutdown(task));
+		}
+
+		if (EMPTY(task->events)) {
+			/*
+			 * Nothing else to do for this task right now.
+			 */
+			XTRACE("empty");
+			if (isc_refcount_current(&task->references) == 0 &&
+			    TASK_SHUTTINGDOWN(task))
+			{
+				/*
+				 * The task is done.
+				 */
+				XTRACE("done");
+				task->state = task_state_done;
+			} else {
+				if (task->state == task_state_running) {
+					XTRACE("idling");
+					task->state = task_state_idle;
+				} else if (task->state == task_state_pausing) {
+					XTRACE("pausing");
+					task->state = task_state_paused;
+				}
+			}
+			break;
+		} else if (task->state == task_state_pausing) {
+			/*
+			 * We got a pause request on this task, stop working on
+			 * it and switch the state to paused.
+			 */
+			XTRACE("pausing");
+			task->state = task_state_paused;
+			break;
+		} else if (dispatch_count >= quantum) {
+			/*
+			 * Our quantum has expired, but there is more work to be
+			 * done.  We'll requeue it to the ready queue later.
+			 *
+			 * We don't check quantum until dispatching at least one
+			 * event, so the minimum quantum is one.
+			 */
+			XTRACE("quantum");
+			task->state = task_state_ready;
+			result = ISC_R_QUOTA;
+			break;
+		}
+	}
+
+done:
+	if (isc_refcount_decrement(&task->running) == 1 &&
+	    task->state == task_state_done)
+	{
+		finished = true;
+	}
+	UNLOCK(&task->lock);
+
+	if (finished) {
+		task_finished(task);
+	}
+
+	return (result);
+}
+
+isc_result_t
+isc_task_run(isc_task_t *task) {
+	return (task_run(task));
+}
+
+static void
+manager_free(isc_taskmgr_t *manager) {
+	isc_refcount_destroy(&manager->references);
+	isc_nm_detach(&manager->netmgr);
+
+	isc_mutex_destroy(&manager->lock);
+	manager->magic = 0;
+	isc_mem_putanddetach(&manager->mctx, manager, sizeof(*manager));
+}
+
+void
+isc_taskmgr_attach(isc_taskmgr_t *source, isc_taskmgr_t **targetp) {
+	REQUIRE(VALID_MANAGER(source));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	isc_refcount_increment(&source->references);
+
+	*targetp = source;
+}
+
+void
+isc_taskmgr_detach(isc_taskmgr_t **managerp) {
+	REQUIRE(managerp != NULL);
+	REQUIRE(VALID_MANAGER(*managerp));
+
+	isc_taskmgr_t *manager = *managerp;
+	*managerp = NULL;
+
+	if (isc_refcount_decrement(&manager->references) == 1) {
+		manager_free(manager);
+	}
+}
+
+isc_result_t
+isc__taskmgr_create(isc_mem_t *mctx, unsigned int default_quantum, isc_nm_t *nm,
+		    isc_taskmgr_t **managerp) {
+	isc_taskmgr_t *manager;
+
+	/*
+	 * Create a new task manager.
+	 */
+
+	REQUIRE(managerp != NULL && *managerp == NULL);
+	REQUIRE(nm != NULL);
+
+	manager = isc_mem_get(mctx, sizeof(*manager));
+	*manager = (isc_taskmgr_t){ .magic = TASK_MANAGER_MAGIC };
+
+	isc_mutex_init(&manager->lock);
+
+	if (default_quantum == 0) {
+		default_quantum = DEFAULT_DEFAULT_QUANTUM;
+	}
+	manager->default_quantum = default_quantum;
+
+	if (nm != NULL) {
+		isc_nm_attach(nm, &manager->netmgr);
+	}
+
+	INIT_LIST(manager->tasks);
+	atomic_init(&manager->mode, isc_taskmgrmode_normal);
+	atomic_init(&manager->exclusive_req, false);
+	atomic_init(&manager->tasks_count, 0);
+
+	isc_mem_attach(mctx, &manager->mctx);
+
+	isc_refcount_init(&manager->references, 1);
+
+	*managerp = manager;
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc__taskmgr_shutdown(isc_taskmgr_t *manager) {
+	isc_task_t *task;
+
+	REQUIRE(VALID_MANAGER(manager));
+
+	XTHREADTRACE("isc_taskmgr_shutdown");
+	/*
+	 * Only one non-worker thread may ever call this routine.
+	 * If a worker thread wants to initiate shutdown of the
+	 * task manager, it should ask some non-worker thread to call
+	 * isc_taskmgr_destroy(), e.g. by signalling a condition variable
+	 * that the startup thread is sleeping on.
+	 */
+
+	/*
+	 * Unlike elsewhere, we're going to hold this lock a long time.
+	 * We need to do so, because otherwise the list of tasks could
+	 * change while we were traversing it.
+	 *
+	 * This is also the only function where we will hold both the
+	 * task manager lock and a task lock at the same time.
+	 */
+	LOCK(&manager->lock);
+	if (manager->excl != NULL) {
+		isc_task_detach((isc_task_t **)&manager->excl);
+	}
+
+	/*
+	 * Make sure we only get called once.
+	 */
+	INSIST(manager->exiting == false);
+	manager->exiting = true;
+
+	/*
+	 * Post shutdown event(s) to every task (if they haven't already been
+	 * posted).
+	 */
+	for (task = HEAD(manager->tasks); task != NULL; task = NEXT(task, link))
+	{
+		bool was_idle;
+
+		LOCK(&task->lock);
+		was_idle = task_shutdown(task);
+		if (was_idle) {
+			task->threadid = 0;
+		}
+		UNLOCK(&task->lock);
+
+		if (was_idle) {
+			task_ready(task);
+		}
+	}
+
+	UNLOCK(&manager->lock);
+}
+
+void
+isc__taskmgr_destroy(isc_taskmgr_t **managerp) {
+	REQUIRE(managerp != NULL && VALID_MANAGER(*managerp));
+	XTHREADTRACE("isc_taskmgr_destroy");
+
+#ifdef ISC_TASK_TRACE
+	int counter = 0;
+	while (isc_refcount_current(&(*managerp)->references) > 1 &&
+	       counter++ < 1000)
+	{
+		usleep(10 * 1000);
+	}
+	INSIST(counter < 1000);
+#else
+	while (isc_refcount_current(&(*managerp)->references) > 1) {
+		usleep(10 * 1000);
+	}
+#endif
+
+	isc_taskmgr_detach(managerp);
+}
+
+void
+isc_taskmgr_setexcltask(isc_taskmgr_t *mgr, isc_task_t *task) {
+	REQUIRE(VALID_MANAGER(mgr));
+	REQUIRE(VALID_TASK(task));
+
+	LOCK(&task->lock);
+	REQUIRE(task->threadid == 0);
+	UNLOCK(&task->lock);
+
+	LOCK(&mgr->lock);
+	if (mgr->excl != NULL) {
+		isc_task_detach(&mgr->excl);
+	}
+	isc_task_attach(task, &mgr->excl);
+	UNLOCK(&mgr->lock);
+}
+
+isc_result_t
+isc_taskmgr_excltask(isc_taskmgr_t *mgr, isc_task_t **taskp) {
+	isc_result_t result;
+
+	REQUIRE(VALID_MANAGER(mgr));
+	REQUIRE(taskp != NULL && *taskp == NULL);
+
+	LOCK(&mgr->lock);
+	if (mgr->excl != NULL) {
+		isc_task_attach(mgr->excl, taskp);
+		result = ISC_R_SUCCESS;
+	} else if (mgr->exiting) {
+		result = ISC_R_SHUTTINGDOWN;
+	} else {
+		result = ISC_R_NOTFOUND;
+	}
+	UNLOCK(&mgr->lock);
+
+	return (result);
+}
+
+isc_result_t
+isc_task_beginexclusive(isc_task_t *task) {
+	isc_taskmgr_t *manager;
+
+	REQUIRE(VALID_TASK(task));
+
+	manager = task->manager;
+
+	REQUIRE(task->state == task_state_running);
+
+	LOCK(&manager->lock);
+	REQUIRE(task == manager->excl ||
+		(manager->exiting && manager->excl == NULL));
+	UNLOCK(&manager->lock);
+
+	if (!atomic_compare_exchange_strong(&manager->exclusive_req,
+					    &(bool){ false }, true))
+	{
+		return (ISC_R_LOCKBUSY);
+	}
+
+	if (isc_log_wouldlog(isc_lctx, ISC_LOG_DEBUG(1))) {
+		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_OTHER, ISC_LOG_DEBUG(1),
+			      "exclusive task mode: %s", "starting");
+	}
+
+	isc_nm_pause(manager->netmgr);
+
+	if (isc_log_wouldlog(isc_lctx, ISC_LOG_DEBUG(1))) {
+		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_OTHER, ISC_LOG_DEBUG(1),
+			      "exclusive task mode: %s", "started");
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_task_endexclusive(isc_task_t *task) {
+	isc_taskmgr_t *manager;
+
+	REQUIRE(VALID_TASK(task));
+	REQUIRE(task->state == task_state_running);
+	manager = task->manager;
+
+	if (isc_log_wouldlog(isc_lctx, ISC_LOG_DEBUG(1))) {
+		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_OTHER, ISC_LOG_DEBUG(1),
+			      "exclusive task mode: %s", "ending");
+	}
+
+	isc_nm_resume(manager->netmgr);
+
+	if (isc_log_wouldlog(isc_lctx, ISC_LOG_DEBUG(1))) {
+		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_OTHER, ISC_LOG_DEBUG(1),
+			      "exclusive task mode: %s", "ended");
+	}
+
+	REQUIRE(atomic_compare_exchange_strong(&manager->exclusive_req,
+					       &(bool){ true }, false));
+}
+
+void
+isc_task_pause(isc_task_t *task) {
+	REQUIRE(VALID_TASK(task));
+
+	LOCK(&task->lock);
+	task->pause_cnt++;
+	if (task->pause_cnt > 1) {
+		/*
+		 * Someone already paused this task, just increase
+		 * the number of pausing clients.
+		 */
+		UNLOCK(&task->lock);
+		return;
+	}
+
+	INSIST(task->state == task_state_idle ||
+	       task->state == task_state_ready ||
+	       task->state == task_state_running);
+	if (task->state == task_state_running) {
+		task->state = task_state_pausing;
+	} else {
+		task->state = task_state_paused;
+	}
+	UNLOCK(&task->lock);
+}
+
+void
+isc_task_unpause(isc_task_t *task) {
+	bool was_idle = false;
+
+	REQUIRE(VALID_TASK(task));
+
+	LOCK(&task->lock);
+	task->pause_cnt--;
+	INSIST(task->pause_cnt >= 0);
+	if (task->pause_cnt > 0) {
+		UNLOCK(&task->lock);
+		return;
+	}
+
+	INSIST(task->state == task_state_paused ||
+	       task->state == task_state_pausing);
+	/* If the task was pausing we can't reschedule it */
+	if (task->state == task_state_pausing) {
+		task->state = task_state_running;
+	} else {
+		task->state = task_state_idle;
+	}
+	if (task->state == task_state_idle && !EMPTY(task->events)) {
+		task->state = task_state_ready;
+		was_idle = true;
+	}
+	UNLOCK(&task->lock);
+
+	if (was_idle) {
+		task_ready(task);
+	}
+}
+
+void
+isc_taskmgr_setmode(isc_taskmgr_t *manager, isc_taskmgrmode_t mode) {
+	atomic_store(&manager->mode, mode);
+}
+
+isc_taskmgrmode_t
+isc_taskmgr_mode(isc_taskmgr_t *manager) {
+	return (atomic_load(&manager->mode));
+}
+
+void
+isc_task_setprivilege(isc_task_t *task, bool priv) {
+	REQUIRE(VALID_TASK(task));
+
+	atomic_store_release(&task->privileged, priv);
+}
+
+bool
+isc_task_getprivilege(isc_task_t *task) {
+	REQUIRE(VALID_TASK(task));
+
+	return (TASK_PRIVILEGED(task));
+}
+
+bool
+isc_task_privileged(isc_task_t *task) {
+	REQUIRE(VALID_TASK(task));
+
+	return (isc_taskmgr_mode(task->manager) && TASK_PRIVILEGED(task));
+}
+
+bool
+isc_task_exiting(isc_task_t *task) {
+	REQUIRE(VALID_TASK(task));
+
+	return (TASK_SHUTTINGDOWN(task));
+}
+
+#ifdef HAVE_LIBXML2
+#define TRY0(a)                     \
+	do {                        \
+		xmlrc = (a);        \
+		if (xmlrc < 0)      \
+			goto error; \
+	} while (0)
+int
+isc_taskmgr_renderxml(isc_taskmgr_t *mgr, void *writer0) {
+	isc_task_t *task = NULL;
+	int xmlrc;
+	xmlTextWriterPtr writer = (xmlTextWriterPtr)writer0;
+
+	LOCK(&mgr->lock);
+
+	/*
+	 * Write out the thread-model, and some details about each depending
+	 * on which type is enabled.
+	 */
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "thread-model"));
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "type"));
+	TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR "threaded"));
+	TRY0(xmlTextWriterEndElement(writer)); /* type */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "default-quantum"));
+	TRY0(xmlTextWriterWriteFormatString(writer, "%d",
+					    mgr->default_quantum));
+	TRY0(xmlTextWriterEndElement(writer)); /* default-quantum */
+
+	TRY0(xmlTextWriterEndElement(writer)); /* thread-model */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "tasks"));
+	task = ISC_LIST_HEAD(mgr->tasks);
+	while (task != NULL) {
+		LOCK(&task->lock);
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "task"));
+
+		if (task->name[0] != 0) {
+			TRY0(xmlTextWriterStartElement(writer,
+						       ISC_XMLCHAR "name"));
+			TRY0(xmlTextWriterWriteFormatString(writer, "%s",
+							    task->name));
+			TRY0(xmlTextWriterEndElement(writer)); /* name */
+		}
+
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "reference"
+								   "s"));
+		TRY0(xmlTextWriterWriteFormatString(
+			writer, "%" PRIuFAST32,
+			isc_refcount_current(&task->references)));
+		TRY0(xmlTextWriterEndElement(writer)); /* references */
+
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "id"));
+		TRY0(xmlTextWriterWriteFormatString(writer, "%p", task));
+		TRY0(xmlTextWriterEndElement(writer)); /* id */
+
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "state"));
+		TRY0(xmlTextWriterWriteFormatString(writer, "%s",
+						    statenames[task->state]));
+		TRY0(xmlTextWriterEndElement(writer)); /* state */
+
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "quantum"));
+		TRY0(xmlTextWriterWriteFormatString(writer, "%d",
+						    task->quantum));
+		TRY0(xmlTextWriterEndElement(writer)); /* quantum */
+
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "events"));
+		TRY0(xmlTextWriterWriteFormatString(writer, "%d",
+						    task->nevents));
+		TRY0(xmlTextWriterEndElement(writer)); /* events */
+
+		TRY0(xmlTextWriterEndElement(writer));
+
+		UNLOCK(&task->lock);
+		task = ISC_LIST_NEXT(task, link);
+	}
+	TRY0(xmlTextWriterEndElement(writer)); /* tasks */
+
+error:
+	if (task != NULL) {
+		UNLOCK(&task->lock);
+	}
+	UNLOCK(&mgr->lock);
+
+	return (xmlrc);
+}
+#endif /* HAVE_LIBXML2 */
+
+#ifdef HAVE_JSON_C
+#define CHECKMEM(m)                              \
+	do {                                     \
+		if (m == NULL) {                 \
+			result = ISC_R_NOMEMORY; \
+			goto error;              \
+		}                                \
+	} while (0)
+
+isc_result_t
+isc_taskmgr_renderjson(isc_taskmgr_t *mgr, void *tasks0) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_task_t *task = NULL;
+	json_object *obj = NULL, *array = NULL, *taskobj = NULL;
+	json_object *tasks = (json_object *)tasks0;
+
+	LOCK(&mgr->lock);
+
+	/*
+	 * Write out the thread-model, and some details about each depending
+	 * on which type is enabled.
+	 */
+	obj = json_object_new_string("threaded");
+	CHECKMEM(obj);
+	json_object_object_add(tasks, "thread-model", obj);
+
+	obj = json_object_new_int(mgr->default_quantum);
+	CHECKMEM(obj);
+	json_object_object_add(tasks, "default-quantum", obj);
+
+	array = json_object_new_array();
+	CHECKMEM(array);
+
+	for (task = ISC_LIST_HEAD(mgr->tasks); task != NULL;
+	     task = ISC_LIST_NEXT(task, link))
+	{
+		char buf[255];
+
+		LOCK(&task->lock);
+
+		taskobj = json_object_new_object();
+		CHECKMEM(taskobj);
+		json_object_array_add(array, taskobj);
+
+		snprintf(buf, sizeof(buf), "%p", task);
+		obj = json_object_new_string(buf);
+		CHECKMEM(obj);
+		json_object_object_add(taskobj, "id", obj);
+
+		if (task->name[0] != 0) {
+			obj = json_object_new_string(task->name);
+			CHECKMEM(obj);
+			json_object_object_add(taskobj, "name", obj);
+		}
+
+		obj = json_object_new_int(
+			isc_refcount_current(&task->references));
+		CHECKMEM(obj);
+		json_object_object_add(taskobj, "references", obj);
+
+		obj = json_object_new_string(statenames[task->state]);
+		CHECKMEM(obj);
+		json_object_object_add(taskobj, "state", obj);
+
+		obj = json_object_new_int(task->quantum);
+		CHECKMEM(obj);
+		json_object_object_add(taskobj, "quantum", obj);
+
+		obj = json_object_new_int(task->nevents);
+		CHECKMEM(obj);
+		json_object_object_add(taskobj, "events", obj);
+
+		UNLOCK(&task->lock);
+	}
+
+	json_object_object_add(tasks, "tasks", array);
+	array = NULL;
+	result = ISC_R_SUCCESS;
+
+error:
+	if (array != NULL) {
+		json_object_put(array);
+	}
+
+	if (task != NULL) {
+		UNLOCK(&task->lock);
+	}
+	UNLOCK(&mgr->lock);
+
+	return (result);
+}
+#endif /* ifdef HAVE_JSON_C */
diff --git a/lib/isc/task_p.h b/lib/isc/task_p.h
new file mode 100644
index 0000000..5fc50b0
--- /dev/null
+++ b/lib/isc/task_p.h
@@ -0,0 +1,106 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#pragma once
+
+#include <isc/mem.h>
+#include <isc/result.h>
+#include <isc/task.h>
+
+isc_result_t
+isc__taskmgr_create(isc_mem_t *mctx, unsigned int default_quantum, isc_nm_t *nm,
+		    isc_taskmgr_t **managerp);
+/*%<
+ * Create a new task manager.
+ *
+ * Notes:
+ *
+ *\li	If 'default_quantum' is non-zero, then it will be used as the default
+ *	quantum value when tasks are created.  If zero, then an implementation
+ *	defined default quantum will be used.
+ *
+ *\li	If 'nm' is set then netmgr is paused when an exclusive task mode
+ *	is requested.
+ *
+ * Requires:
+ *
+ *\li      'mctx' is a valid memory context.
+ *
+ *\li	managerp != NULL && *managerp == NULL
+ *
+ * Ensures:
+ *
+ *\li	On success, '*managerp' will be attached to the newly created task
+ *	manager.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_NOTHREADS		No threads could be created.
+ *\li	#ISC_R_UNEXPECTED		An unexpected error occurred.
+ *\li	#ISC_R_SHUTTINGDOWN		The non-threaded, shared, task
+ *					manager shutting down.
+ */
+
+void
+isc__taskmgr_destroy(isc_taskmgr_t **managerp);
+/*%<
+ * Destroy '*managerp'.
+ *
+ * Notes:
+ *
+ *\li	Calling isc_taskmgr_destroy() will shutdown all tasks managed by
+ *	*managerp that haven't already been shutdown.  The call will block
+ *	until all tasks have entered the done state.
+ *
+ *\li	isc_taskmgr_destroy() must not be called by a task event action,
+ *	because it would block forever waiting for the event action to
+ *	complete.  An event action that wants to cause task manager shutdown
+ *	should request some non-event action thread of execution to do the
+ *	shutdown, e.g. by signaling a condition variable or using
+ *	isc_app_shutdown().
+ *
+ *\li	Task manager references are not reference counted, so the caller
+ *	must ensure that no attempt will be made to use the manager after
+ *	isc_taskmgr_destroy() returns.
+ *
+ * Requires:
+ *
+ *\li	'*managerp' is a valid task manager.
+ *
+ *\li   'isc__taskmgr_shutdown()' and isc__netmgr_shutdown() have been
+ *	called.
+ */
+
+void
+isc__taskmgr_shutdown(isc_taskmgr_t *manager);
+/*%>
+ * Shutdown 'manager'.
+ *
+ * Notes:
+ *
+ *\li	Calling isc__taskmgr_shutdown() will shut down all tasks managed by
+ *	*managerp that haven't already been shut down.
+ *
+ * Requires:
+ *
+ *\li   'manager' is a valid task manager.
+ *
+ *\li	isc_taskmgr_destroy() has not be called previously on '*managerp'.
+ *
+ * Ensures:
+ *
+ *\li	All resources used by the task manager, and any tasks it managed,
+ *	have been freed.
+ */
diff --git a/lib/isc/taskpool.c b/lib/isc/taskpool.c
new file mode 100644
index 0000000..3099532
--- /dev/null
+++ b/lib/isc/taskpool.c
@@ -0,0 +1,157 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <stdbool.h>
+
+#include <isc/mem.h>
+#include <isc/random.h>
+#include <isc/taskpool.h>
+#include <isc/util.h>
+
+/***
+ *** Types.
+ ***/
+
+struct isc_taskpool {
+	isc_mem_t *mctx;
+	isc_taskmgr_t *tmgr;
+	unsigned int ntasks;
+	unsigned int quantum;
+	isc_task_t **tasks;
+};
+
+/***
+ *** Functions.
+ ***/
+
+static void
+alloc_pool(isc_taskmgr_t *tmgr, isc_mem_t *mctx, unsigned int ntasks,
+	   unsigned int quantum, isc_taskpool_t **poolp) {
+	isc_taskpool_t *pool;
+	unsigned int i;
+
+	pool = isc_mem_get(mctx, sizeof(*pool));
+
+	pool->mctx = NULL;
+	isc_mem_attach(mctx, &pool->mctx);
+	pool->ntasks = ntasks;
+	pool->quantum = quantum;
+	pool->tmgr = tmgr;
+	pool->tasks = isc_mem_get(mctx, ntasks * sizeof(isc_task_t *));
+	for (i = 0; i < ntasks; i++) {
+		pool->tasks[i] = NULL;
+	}
+
+	*poolp = pool;
+}
+
+isc_result_t
+isc_taskpool_create(isc_taskmgr_t *tmgr, isc_mem_t *mctx, unsigned int ntasks,
+		    unsigned int quantum, bool priv, isc_taskpool_t **poolp) {
+	unsigned int i;
+	isc_taskpool_t *pool = NULL;
+
+	INSIST(ntasks > 0);
+
+	/* Allocate the pool structure */
+	alloc_pool(tmgr, mctx, ntasks, quantum, &pool);
+
+	/* Create the tasks */
+	for (i = 0; i < ntasks; i++) {
+		isc_result_t result = isc_task_create_bound(tmgr, quantum,
+							    &pool->tasks[i], i);
+		if (result != ISC_R_SUCCESS) {
+			isc_taskpool_destroy(&pool);
+			return (result);
+		}
+		isc_task_setprivilege(pool->tasks[i], priv);
+		isc_task_setname(pool->tasks[i], "taskpool", NULL);
+	}
+
+	*poolp = pool;
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_taskpool_gettask(isc_taskpool_t *pool, isc_task_t **targetp) {
+	isc_task_attach(pool->tasks[isc_random_uniform(pool->ntasks)], targetp);
+}
+
+int
+isc_taskpool_size(isc_taskpool_t *pool) {
+	REQUIRE(pool != NULL);
+	return (pool->ntasks);
+}
+
+isc_result_t
+isc_taskpool_expand(isc_taskpool_t **sourcep, unsigned int size, bool priv,
+		    isc_taskpool_t **targetp) {
+	isc_taskpool_t *pool;
+
+	REQUIRE(sourcep != NULL && *sourcep != NULL);
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	pool = *sourcep;
+	*sourcep = NULL;
+	if (size > pool->ntasks) {
+		isc_taskpool_t *newpool = NULL;
+		unsigned int i;
+
+		/* Allocate a new pool structure */
+		alloc_pool(pool->tmgr, pool->mctx, size, pool->quantum,
+			   &newpool);
+
+		/* Copy over the tasks from the old pool */
+		for (i = 0; i < pool->ntasks; i++) {
+			newpool->tasks[i] = pool->tasks[i];
+			pool->tasks[i] = NULL;
+		}
+
+		/* Create new tasks */
+		for (i = pool->ntasks; i < size; i++) {
+			isc_result_t result =
+				isc_task_create_bound(pool->tmgr, pool->quantum,
+						      &newpool->tasks[i], i);
+			if (result != ISC_R_SUCCESS) {
+				*sourcep = pool;
+				isc_taskpool_destroy(&newpool);
+				return (result);
+			}
+			isc_task_setprivilege(newpool->tasks[i], priv);
+			isc_task_setname(newpool->tasks[i], "taskpool", NULL);
+		}
+
+		isc_taskpool_destroy(&pool);
+		pool = newpool;
+	}
+
+	*targetp = pool;
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_taskpool_destroy(isc_taskpool_t **poolp) {
+	unsigned int i;
+	isc_taskpool_t *pool = *poolp;
+	*poolp = NULL;
+	for (i = 0; i < pool->ntasks; i++) {
+		if (pool->tasks[i] != NULL) {
+			isc_task_detach(&pool->tasks[i]);
+		}
+	}
+	isc_mem_put(pool->mctx, pool->tasks,
+		    pool->ntasks * sizeof(isc_task_t *));
+	isc_mem_putanddetach(&pool->mctx, pool, sizeof(*pool));
+}
diff --git a/lib/isc/tests/Kyuafile b/lib/isc/tests/Kyuafile
new file mode 100644
index 0000000..89b962c
--- /dev/null
+++ b/lib/isc/tests/Kyuafile
@@ -0,0 +1,43 @@
+-- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+--
+-- SPDX-License-Identifier: MPL-2.0
+--
+-- This Source Code Form is subject to the terms of the Mozilla Public
+-- License, v. 2.0.  If a copy of the MPL was not distributed with this
+-- file, you can obtain one at https://mozilla.org/MPL/2.0/.
+--
+-- See the COPYRIGHT file distributed with this work for additional
+-- information regarding copyright ownership.
+
+syntax(2)
+test_suite('bind9')
+
+tap_test_program{name='aes_test'}
+tap_test_program{name='buffer_test'}
+tap_test_program{name='counter_test'}
+tap_test_program{name='errno_test'}
+tap_test_program{name='file_test'}
+tap_test_program{name='hash_test'}
+tap_test_program{name='heap_test'}
+tap_test_program{name='hmac_test'}
+tap_test_program{name='ht_test'}
+tap_test_program{name='lex_test'}
+tap_test_program{name='md_test'}
+tap_test_program{name='mem_test'}
+tap_test_program{name='netaddr_test'}
+tap_test_program{name='netmgr_test'}
+tap_test_program{name='parse_test'}
+tap_test_program{name='pool_test'}
+tap_test_program{name='radix_test'}
+tap_test_program{name='quota_test'}
+tap_test_program{name='regex_test'}
+tap_test_program{name='result_test'}
+tap_test_program{name='safe_test'}
+tap_test_program{name='siphash_test'}
+tap_test_program{name='sockaddr_test'}
+tap_test_program{name='socket_test'}
+tap_test_program{name='symtab_test'}
+tap_test_program{name='task_test'}
+tap_test_program{name='taskpool_test'}
+tap_test_program{name='time_test'}
+tap_test_program{name='timer_test'}
diff --git a/lib/isc/tests/Makefile.in b/lib/isc/tests/Makefile.in
new file mode 100644
index 0000000..2a2020f
--- /dev/null
+++ b/lib/isc/tests/Makefile.in
@@ -0,0 +1,227 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	-I. -Iinclude ${ISC_INCLUDES} \
+		${OPENSSL_CFLAGS} @CMOCKA_CFLAGS@ \
+		${JSON_C_CFLAGS} \
+		${LIBUV_CFLAGS} \
+		${LIBXML2_CFLAGS}
+CDEFINES =	-DTESTS="\"${top_builddir}/lib/isc/tests/\""
+
+ISCLIBS =	../libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+ISCDEPLIBS =	../libisc.@A@
+
+LIBS =		@LIBS@ @CMOCKA_LIBS@
+
+OBJS =		isctest.@O@
+
+SRCS =		isctest.c aes_test.c buffer_test.c \
+		counter_test.c crc64_test.c errno_test.c file_test.c hash_test.c \
+		heap_test.c hmac_test.c ht_test.c lex_test.c \
+		mem_test.c md_test.c netaddr_test.c netmgr_test.c \
+		parse_test.c pool_test.c \
+		quota_test.c radix_test.c random_test.c \
+		regex_test.c result_test.c safe_test.c siphash_test.c sockaddr_test.c \
+		socket_test.c stats_test.c symtab_test.c task_test.c \
+		taskpool_test.c time_test.c timer_test.c
+
+SUBDIRS =
+TARGETS =	aes_test@EXEEXT@ buffer_test@EXEEXT@ \
+		counter_test@EXEEXT@ crc64_test@EXEEXT@ \
+		errno_test@EXEEXT@ file_test@EXEEXT@ \
+		hash_test@EXEEXT@ heap_test@EXEEXT@ hmac_test@EXEEXT@ \
+		ht_test@EXEEXT@ lex_test@EXEEXT@ \
+		mem_test@EXEEXT@ md_test@EXEEXT@ \
+		netaddr_test@EXEEXT@ netmgr_test@EXEEXT@ \
+		parse_test@EXEEXT@ pool_test@EXEEXT@ \
+		quota_test@EXEEXT@ radix_test@EXEEXT@ \
+		random_test@EXEEXT@ regex_test@EXEEXT@ result_test@EXEEXT@ \
+		safe_test@EXEEXT@ siphash_test@EXEEXT@ sockaddr_test@EXEEXT@ \
+		socket_test@EXEEXT@ stats_test@EXEEXT@ symtab_test@EXEEXT@ \
+		task_test@EXEEXT@ taskpool_test@EXEEXT@ time_test@EXEEXT@ \
+		timer_test@EXEEXT@
+
+@BIND9_MAKE_RULES@
+
+aes_test@EXEEXT@: aes_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ aes_test.@O@ \
+		${ISCLIBS} ${LIBS}
+
+buffer_test@EXEEXT@: buffer_test.@O@ isctest.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ buffer_test.@O@ isctest.@O@ \
+		${ISCLIBS} ${LIBS}
+
+counter_test@EXEEXT@: counter_test.@O@ isctest.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ counter_test.@O@ isctest.@O@ \
+		${ISCLIBS} ${LIBS}
+
+crc64_test@EXEEXT@: crc64_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ crc64_test.@O@ \
+		${ISCLIBS} ${LIBS}
+
+errno_test@EXEEXT@: errno_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ errno_test.@O@ \
+		${ISCLIBS} ${LIBS}
+
+file_test@EXEEXT@: file_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ file_test.@O@ \
+		${ISCLIBS} ${LIBS}
+
+hash_test@EXEEXT@: hash_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ hash_test.@O@ \
+		${ISCLIBS} ${LIBS}
+
+heap_test@EXEEXT@: heap_test.@O@ isctest.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ heap_test.@O@ isctest.@O@ \
+		${ISCLIBS} ${LIBS}
+
+hmac_test@EXEEXT@: hmac_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ hmac_test.@O@ \
+		${ISCLIBS} ${OPENSSL_LIBS} ${LIBS}
+
+ht_test@EXEEXT@: ht_test.@O@ isctest.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ ht_test.@O@ isctest.@O@ \
+		${ISCLIBS} ${LIBS}
+
+lex_test@EXEEXT@: lex_test.@O@ isctest.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ lex_test.@O@ isctest.@O@ \
+		${ISCLIBS} ${LIBS}
+
+md_test@EXEEXT@: md_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ md_test.@O@ \
+		${ISCLIBS} ${OPENSSL_LIBS} ${LIBS}
+
+mem_test@EXEEXT@: mem_test.@O@ isctest.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ mem_test.@O@ isctest.@O@ \
+		${ISCLIBS} ${LIBS}
+
+netaddr_test@EXEEXT@: netaddr_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ netaddr_test.@O@ \
+		${ISCLIBS} ${LIBS}
+
+parse_test@EXEEXT@: parse_test.@O@ isctest.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ parse_test.@O@ isctest.@O@ \
+		${ISCLIBS} ${LIBS}
+
+pool_test@EXEEXT@: pool_test.@O@ isctest.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ pool_test.@O@ isctest.@O@ \
+		${ISCLIBS} ${LIBS}
+
+quota_test@EXEEXT@: quota_test.@O@ isctest.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ quota_test.@O@ isctest.@O@ \
+		${ISCLIBS} ${LIBS}
+
+radix_test@EXEEXT@: radix_test.@O@ isctest.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ radix_test.@O@ isctest.@O@ \
+		${ISCLIBS} ${LIBS}
+
+random_test@EXEEXT@: random_test.@O@ isctest.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ random_test.@O@ isctest.@O@ \
+		${ISCLIBS} ${LIBS} -lm
+
+regex_test@EXEEXT@: regex_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ regex_test.@O@ \
+		${ISCLIBS} ${LIBS}
+
+result_test@EXEEXT@: result_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ result_test.@O@ \
+		${ISCLIBS} ${LIBS}
+
+safe_test@EXEEXT@: safe_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ safe_test.@O@ \
+		${ISCLIBS} ${LIBS}
+
+siphash_test@EXEEXT@: siphash_test.@O@ ../siphash.c ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ siphash_test.@O@ \
+		${ISCLIBS} ${LIBS}
+
+socket_test@EXEEXT@: socket_test.@O@ isctest.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ socket_test.@O@ isctest.@O@ \
+		${ISCLIBS} ${LIBS}
+
+sockaddr_test@EXEEXT@: sockaddr_test.@O@ isctest.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ sockaddr_test.@O@ isctest.@O@ \
+		${ISCLIBS} ${LIBS}
+
+stats_test@EXEEXT@: stats_test.@O@ isctest.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ stats_test.@O@ isctest.@O@ \
+		${ISCLIBS} ${LIBS}
+
+symtab_test@EXEEXT@: symtab_test.@O@ isctest.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ symtab_test.@O@ isctest.@O@ \
+		${ISCLIBS} ${LIBS}
+
+task_test@EXEEXT@: task_test.@O@ isctest.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ task_test.@O@ isctest.@O@ \
+		${ISCLIBS} ${LIBS}
+
+taskpool_test@EXEEXT@: taskpool_test.@O@ isctest.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ taskpool_test.@O@ isctest.@O@ \
+		${ISCLIBS} ${LIBS}
+
+netmgr_test@EXEEXT@: netmgr_test.@O@ isctest.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ netmgr_test.@O@ isctest.@O@ \
+		${ISCLIBS} ${LIBS} ${LIBUV_LIBS}
+
+time_test@EXEEXT@: time_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ time_test.@O@ \
+		${ISCLIBS} ${LIBS}
+
+timer_test@EXEEXT@: timer_test.@O@ isctest.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ timer_test.@O@ isctest.@O@ \
+		${ISCLIBS} ${LIBS}
+
+unit::
+	sh ${top_builddir}/unit/unittest.sh
+
+clean distclean::
+	rm -f ${TARGETS}
+	rm -f atf.out
diff --git a/lib/isc/tests/aes_test.c b/lib/isc/tests/aes_test.c
new file mode 100644
index 0000000..2990184
--- /dev/null
+++ b/lib/isc/tests/aes_test.c
@@ -0,0 +1,249 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/aes.h>
+#include <isc/buffer.h>
+#include <isc/hex.h>
+#include <isc/platform.h>
+#include <isc/region.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+/*
+ * Test data from NIST KAT
+ */
+
+isc_result_t
+tohexstr(unsigned char *d, char *out);
+
+size_t
+fromhexstr(const char *in, unsigned char *d);
+
+unsigned char plaintext[3 * ISC_AES_BLOCK_LENGTH];
+unsigned char ciphertext[ISC_AES_BLOCK_LENGTH];
+char str[2 * ISC_AES_BLOCK_LENGTH + 1];
+unsigned char key[ISC_AES256_KEYLENGTH + 1];
+size_t len;
+
+isc_result_t
+tohexstr(unsigned char *d, char *out) {
+	isc_buffer_t b;
+	isc_region_t r;
+
+	isc_buffer_init(&b, out, 2 * ISC_AES_BLOCK_LENGTH + 1);
+	r.base = d;
+	r.length = ISC_AES_BLOCK_LENGTH;
+	return (isc_hex_totext(&r, 0, "", &b));
+}
+
+size_t
+fromhexstr(const char *in, unsigned char *d) {
+	isc_buffer_t b;
+	isc_result_t ret;
+
+	isc_buffer_init(&b, d, ISC_AES256_KEYLENGTH + 1);
+	ret = isc_hex_decodestring(in, &b);
+	if (ret != ISC_R_SUCCESS) {
+		return (0);
+	}
+	return (isc_buffer_usedlength(&b));
+}
+
+typedef struct aes_testcase {
+	const char *key;
+	const char *input;
+	const char *result;
+} aes_testcase_t;
+
+/* AES 128 test vectors */
+static void
+isc_aes128_test(void **state) {
+	aes_testcase_t testcases[] = { /* Test 1 (KAT ECBVarTxt128 #3) */
+				       { "00000000000000000000000000000000",
+					 "F0000000000000000000000000000000",
+					 "96D9FD5CC4F07441727DF0F33E401A36" },
+				       /* Test 2 (KAT ECBVarTxt128 #123) */
+				       { "00000000000000000000000000000000",
+					 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0",
+					 "F9B0FDA0C4A898F5B9E6F661C4CE4D07" },
+				       /* Test 3 (KAT ECBVarKey128 #3) */
+				       { "F0000000000000000000000000000000",
+					 "00000000000000000000000000000000",
+					 "970014D634E2B7650777E8E84D03CCD8" },
+				       /* Test 4 (KAT ECBVarKey128 #123) */
+				       { "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0",
+					 "00000000000000000000000000000000",
+					 "41C78C135ED9E98C096640647265DA1E" },
+				       /* Test 5 (KAT ECBGFSbox128 #3) */
+				       { "00000000000000000000000000000000",
+					 "6A118A874519E64E9963798A503F1D35",
+					 "DC43BE40BE0E53712F7E2BF5CA707209" },
+				       /* Test 6 (KAT ECBKeySbox128 #3) */
+				       { "B6364AC4E1DE1E285EAF144A2415F7A0",
+					 "00000000000000000000000000000000",
+					 "5D9B05578FC944B3CF1CCF0E746CD581" },
+				       { NULL, NULL, NULL }
+	};
+
+	aes_testcase_t *testcase = testcases;
+
+	UNUSED(state);
+
+	while (testcase->key != NULL) {
+		len = fromhexstr(testcase->key, key);
+		assert_int_equal(len, ISC_AES128_KEYLENGTH);
+		len = fromhexstr(testcase->input, plaintext);
+		assert_int_equal(len, ISC_AES_BLOCK_LENGTH);
+		isc_aes128_crypt(key, plaintext, ciphertext);
+		assert_int_equal(tohexstr(ciphertext, str), ISC_R_SUCCESS);
+		assert_string_equal(str, testcase->result);
+
+		testcase++;
+	}
+}
+
+/* AES 192 test vectors */
+static void
+isc_aes192_test(void **state) {
+	aes_testcase_t testcases[] = {
+		/* Test 1 (KAT ECBVarTxt192 #3) */
+		{ "000000000000000000000000000000000000000000000000",
+		  "F0000000000000000000000000000000",
+		  "2A560364CE529EFC21788779568D5555" },
+		/* Test 2 (KAT ECBVarTxt192 #123) */
+		{ "000000000000000000000000000000000000000000000000",
+		  "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0",
+		  "2AABB999F43693175AF65C6C612C46FB" },
+		/* Test 3 (KAT ECBVarKey192 #3) */
+		{ "F00000000000000000000000000000000000000000000000",
+		  "00000000000000000000000000000000",
+		  "180B09F267C45145DB2F826C2582D35C" },
+		/* Test 4 (KAT ECBVarKey192 #187) */
+		{ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0",
+		  "00000000000000000000000000000000",
+		  "EACF1E6C4224EFB38900B185AB1DFD42" },
+		/* Test 5 (KAT ECBGFSbox192 #3) */
+		{ "000000000000000000000000000000000000000000000000",
+		  "51719783D3185A535BD75ADC65071CE1",
+		  "4F354592FF7C8847D2D0870CA9481B7C" },
+		/* Test 6 (KAT ECBKeySbox192 #3) */
+		{ "CD62376D5EBB414917F0C78F05266433DC9192A1EC943300",
+		  "00000000000000000000000000000000",
+		  "7F6C25FF41858561BB62F36492E93C29" },
+		{ NULL, NULL, NULL }
+	};
+
+	aes_testcase_t *testcase = testcases;
+
+	UNUSED(state);
+
+	while (testcase->key != NULL) {
+		len = fromhexstr(testcase->key, key);
+		assert_int_equal(len, ISC_AES192_KEYLENGTH);
+		len = fromhexstr(testcase->input, plaintext);
+		assert_int_equal(len, ISC_AES_BLOCK_LENGTH);
+		isc_aes192_crypt(key, plaintext, ciphertext);
+		assert_int_equal(tohexstr(ciphertext, str), ISC_R_SUCCESS);
+		assert_string_equal(str, testcase->result);
+
+		testcase++;
+	}
+}
+
+/* AES 256 test vectors */
+static void
+isc_aes256_test(void **state) {
+	aes_testcase_t testcases[] = { /* Test 1 (KAT ECBVarTxt256 #3) */
+				       { "00000000000000000000000000000000"
+					 "00000000000000000000000000000000",
+					 "F0000000000000000000000000000000",
+					 "7F2C5ECE07A98D8BEE13C51177395FF7" },
+				       /* Test 2 (KAT ECBVarTxt256 #123) */
+				       { "00000000000000000000000000000000"
+					 "00000000000000000000000000000000",
+					 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0",
+					 "7240E524BC51D8C4D440B1BE55D1062C" },
+				       /* Test 3 (KAT ECBVarKey256 #3) */
+				       { "F0000000000000000000000000000000"
+					 "00000000000000000000000000000000",
+					 "00000000000000000000000000000000",
+					 "1C777679D50037C79491A94DA76A9A35" },
+				       /* Test 4 (KAT ECBVarKey256 #251) */
+				       { "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+					 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0",
+					 "00000000000000000000000000000000",
+					 "03720371A04962EAEA0A852E69972858" },
+				       /* Test 5 (KAT ECBGFSbox256 #3) */
+				       { "00000000000000000000000000000000"
+					 "00000000000000000000000000000000",
+					 "8A560769D605868AD80D819BDBA03771",
+					 "38F2C7AE10612415D27CA190D27DA8B4" },
+				       /* Test 6 (KAT ECBKeySbox256 #3) */
+				       { "984CA75F4EE8D706F46C2D98C0BF4A45"
+					 "F5B00D791C2DFEB191B5ED8E420FD627",
+					 "00000000000000000000000000000000",
+					 "4307456A9E67813B452E15FA8FFFE398" },
+				       { NULL, NULL, NULL }
+	};
+
+	aes_testcase_t *testcase = testcases;
+
+	UNUSED(state);
+
+	while (testcase->key != NULL) {
+		len = fromhexstr(testcase->key, key);
+		assert_int_equal(len, ISC_AES256_KEYLENGTH);
+		len = fromhexstr(testcase->input, plaintext);
+		assert_int_equal(len, ISC_AES_BLOCK_LENGTH);
+		isc_aes256_crypt(key, plaintext, ciphertext);
+		assert_int_equal(tohexstr(ciphertext, str), ISC_R_SUCCESS);
+		assert_string_equal(str, testcase->result);
+
+		testcase++;
+	}
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test(isc_aes128_test),
+		cmocka_unit_test(isc_aes192_test),
+		cmocka_unit_test(isc_aes256_test),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/isc/tests/buffer_test.c b/lib/isc/tests/buffer_test.c
new file mode 100644
index 0000000..91eb890
--- /dev/null
+++ b/lib/isc/tests/buffer_test.c
@@ -0,0 +1,351 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <fcntl.h>
+#include <limits.h>
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/buffer.h>
+#include <isc/print.h>
+#include <isc/region.h>
+#include <isc/result.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include "isctest.h"
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = isc_test_begin(NULL, true, 0);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	isc_test_end();
+
+	return (0);
+}
+
+/* reserve space in dynamic buffers */
+static void
+isc_buffer_reserve_test(void **state) {
+	isc_result_t result;
+	isc_buffer_t *b;
+
+	UNUSED(state);
+
+	b = NULL;
+	isc_buffer_allocate(test_mctx, &b, 1024);
+	assert_int_equal(b->length, 1024);
+
+	/*
+	 * 1024 bytes should already be available, so this call does
+	 * nothing.
+	 */
+	result = isc_buffer_reserve(&b, 1024);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_true(ISC_BUFFER_VALID(b));
+	assert_non_null(b);
+	assert_int_equal(b->length, 1024);
+
+	/*
+	 * This call should grow it to 2048 bytes as only 1024 bytes are
+	 * available in the buffer.
+	 */
+	result = isc_buffer_reserve(&b, 1025);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_true(ISC_BUFFER_VALID(b));
+	assert_non_null(b);
+	assert_int_equal(b->length, 2048);
+
+	/*
+	 * 2048 bytes should already be available, so this call does
+	 * nothing.
+	 */
+	result = isc_buffer_reserve(&b, 2000);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_true(ISC_BUFFER_VALID(b));
+	assert_non_null(b);
+	assert_int_equal(b->length, 2048);
+
+	/*
+	 * This call should grow it to 4096 bytes as only 2048 bytes are
+	 * available in the buffer.
+	 */
+	result = isc_buffer_reserve(&b, 3000);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_true(ISC_BUFFER_VALID(b));
+	assert_non_null(b);
+	assert_int_equal(b->length, 4096);
+
+	/* Consume some of the buffer so we can run the next test. */
+	isc_buffer_add(b, 4096);
+
+	/*
+	 * This call should fail and leave buffer untouched.
+	 */
+	result = isc_buffer_reserve(&b, UINT_MAX);
+	assert_int_equal(result, ISC_R_NOMEMORY);
+	assert_true(ISC_BUFFER_VALID(b));
+	assert_non_null(b);
+	assert_int_equal(b->length, 4096);
+
+	isc_buffer_free(&b);
+}
+
+/* dynamic buffer automatic reallocation */
+static void
+isc_buffer_dynamic_test(void **state) {
+	isc_buffer_t *b;
+	size_t last_length = 10;
+	int i;
+
+	UNUSED(state);
+
+	b = NULL;
+	isc_buffer_allocate(test_mctx, &b, last_length);
+	assert_non_null(b);
+	assert_int_equal(b->length, last_length);
+
+	isc_buffer_setautorealloc(b, true);
+
+	isc_buffer_putuint8(b, 1);
+
+	for (i = 0; i < 1000; i++) {
+		isc_buffer_putstr(b, "thisisa24charslongstring");
+	}
+	assert_true(b->length - last_length >= 1000 * 24);
+	last_length += 1000 * 24;
+
+	for (i = 0; i < 10000; i++) {
+		isc_buffer_putuint8(b, 1);
+	}
+
+	assert_true(b->length - last_length >= 10000 * 1);
+	last_length += 10000 * 1;
+
+	for (i = 0; i < 10000; i++) {
+		isc_buffer_putuint16(b, 1);
+	}
+
+	assert_true(b->length - last_length >= 10000 * 2);
+
+	last_length += 10000 * 2;
+	for (i = 0; i < 10000; i++) {
+		isc_buffer_putuint24(b, 1);
+	}
+	assert_true(b->length - last_length >= 10000 * 3);
+
+	last_length += 10000 * 3;
+
+	for (i = 0; i < 10000; i++) {
+		isc_buffer_putuint32(b, 1);
+	}
+	assert_true(b->length - last_length >= 10000 * 4);
+
+	isc_buffer_free(&b);
+}
+
+/* copy a region into a buffer */
+static void
+isc_buffer_copyregion_test(void **state) {
+	unsigned char data[] = { 0x11, 0x22, 0x33, 0x44 };
+	isc_buffer_t *b = NULL;
+	isc_result_t result;
+
+	isc_region_t r = {
+		.base = data,
+		.length = sizeof(data),
+	};
+
+	UNUSED(state);
+
+	isc_buffer_allocate(test_mctx, &b, sizeof(data));
+
+	/*
+	 * Fill originally allocated buffer space.
+	 */
+	result = isc_buffer_copyregion(b, &r);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/*
+	 * Appending more data to the buffer should fail.
+	 */
+	result = isc_buffer_copyregion(b, &r);
+	assert_int_equal(result, ISC_R_NOSPACE);
+
+	/*
+	 * Enable auto reallocation and retry.  Appending should now succeed.
+	 */
+	isc_buffer_setautorealloc(b, true);
+	result = isc_buffer_copyregion(b, &r);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	isc_buffer_free(&b);
+}
+
+/* sprintf() into a buffer */
+static void
+isc_buffer_printf_test(void **state) {
+	unsigned int used, prev_used;
+	const char *empty_fmt;
+	isc_result_t result;
+	isc_buffer_t *b, sb;
+	char buf[8];
+
+	UNUSED(state);
+
+	/*
+	 * Prepare a buffer with auto-reallocation enabled.
+	 */
+	b = NULL;
+	isc_buffer_allocate(test_mctx, &b, 0);
+	isc_buffer_setautorealloc(b, true);
+
+	/*
+	 * Sanity check.
+	 */
+	result = isc_buffer_printf(b, "foo");
+	assert_int_equal(result, ISC_R_SUCCESS);
+	used = isc_buffer_usedlength(b);
+	assert_int_equal(used, 3);
+
+	result = isc_buffer_printf(b, "bar");
+	assert_int_equal(result, ISC_R_SUCCESS);
+	used = isc_buffer_usedlength(b);
+	assert_int_equal(used, 3 + 3);
+
+	/*
+	 * Also check the terminating NULL byte is there, even though it is not
+	 * part of the buffer's used region.
+	 */
+	assert_memory_equal(isc_buffer_current(b), "foobar", 7);
+
+	/*
+	 * Skip over data from previous check to prevent failures in previous
+	 * check from affecting this one.
+	 */
+	prev_used = used;
+	isc_buffer_forward(b, prev_used);
+
+	/*
+	 * Some standard usage checks.
+	 */
+	isc_buffer_printf(b, "%d", 42);
+	used = isc_buffer_usedlength(b);
+	assert_int_equal(used - prev_used, 2);
+
+	isc_buffer_printf(b, "baz%1X", 42);
+	used = isc_buffer_usedlength(b);
+	assert_int_equal(used - prev_used, 2 + 5);
+
+	isc_buffer_printf(b, "%6.1f", 42.42f);
+	used = isc_buffer_usedlength(b);
+	assert_int_equal(used - prev_used, 2 + 5 + 6);
+
+	/*
+	 * Also check the terminating NULL byte is there, even though it is not
+	 * part of the buffer's used region.
+	 */
+	assert_memory_equal(isc_buffer_current(b), "42baz2A  42.4", 14);
+
+	/*
+	 * Check an empty format string is properly handled.
+	 *
+	 * Note: we don't use a string literal for the format string to
+	 * avoid triggering [-Werror=format-zero-length].
+	 * Note: we have a dummy third argument as some compilers complain
+	 * without it.
+	 */
+	prev_used = used;
+	empty_fmt = "";
+	result = isc_buffer_printf(b, empty_fmt, "");
+	assert_int_equal(result, ISC_R_SUCCESS);
+	used = isc_buffer_usedlength(b);
+	assert_int_equal(prev_used, used);
+
+	isc_buffer_free(&b);
+
+	/*
+	 * Check overflow on a static buffer.
+	 */
+	isc_buffer_init(&sb, buf, sizeof(buf));
+	result = isc_buffer_printf(&sb, "123456");
+	assert_int_equal(result, ISC_R_SUCCESS);
+	used = isc_buffer_usedlength(&sb);
+	assert_int_equal(used, 6);
+
+	result = isc_buffer_printf(&sb, "789");
+	assert_int_equal(result, ISC_R_NOSPACE);
+	used = isc_buffer_usedlength(&sb);
+	assert_int_equal(used, 6);
+
+	result = isc_buffer_printf(&sb, "78");
+	assert_int_equal(result, ISC_R_NOSPACE);
+	used = isc_buffer_usedlength(&sb);
+	assert_int_equal(used, 6);
+
+	result = isc_buffer_printf(&sb, "7");
+	assert_int_equal(result, ISC_R_SUCCESS);
+	used = isc_buffer_usedlength(&sb);
+	assert_int_equal(used, 7);
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test_setup_teardown(isc_buffer_reserve_test, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(isc_buffer_dynamic_test, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(isc_buffer_copyregion_test,
+						_setup, _teardown),
+		cmocka_unit_test_setup_teardown(isc_buffer_printf_test, _setup,
+						_teardown),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/isc/tests/counter_test.c b/lib/isc/tests/counter_test.c
new file mode 100644
index 0000000..6a454f8
--- /dev/null
+++ b/lib/isc/tests/counter_test.c
@@ -0,0 +1,105 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/counter.h>
+#include <isc/result.h>
+#include <isc/util.h>
+
+#include "isctest.h"
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = isc_test_begin(NULL, true, 0);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	isc_test_end();
+
+	return (0);
+}
+
+/* test isc_counter object */
+static void
+isc_counter_test(void **state) {
+	isc_result_t result;
+	isc_counter_t *counter = NULL;
+	int i;
+
+	UNUSED(state);
+
+	result = isc_counter_create(test_mctx, 0, &counter);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	for (i = 0; i < 10; i++) {
+		result = isc_counter_increment(counter);
+		assert_int_equal(result, ISC_R_SUCCESS);
+	}
+
+	assert_int_equal(isc_counter_used(counter), 10);
+
+	isc_counter_setlimit(counter, 15);
+	for (i = 0; i < 10; i++) {
+		result = isc_counter_increment(counter);
+		if (result != ISC_R_SUCCESS) {
+			break;
+		}
+	}
+
+	assert_int_equal(isc_counter_used(counter), 15);
+
+	isc_counter_detach(&counter);
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test_setup_teardown(isc_counter_test, _setup,
+						_teardown),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/isc/tests/crc64_test.c b/lib/isc/tests/crc64_test.c
new file mode 100644
index 0000000..1c4f4f4
--- /dev/null
+++ b/lib/isc/tests/crc64_test.c
@@ -0,0 +1,108 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* ! \file */
+
+#if HAVE_CMOCKA
+
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/crc64.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/util.h>
+
+#define TEST_INPUT(x) (x), sizeof(x) - 1
+
+typedef struct hash_testcase {
+	const char *input;
+	size_t input_len;
+	const char *result;
+	int repeats;
+} hash_testcase_t;
+
+static void
+isc_crc64_init_test(void **state) {
+	uint64_t crc;
+
+	UNUSED(state);
+
+	isc_crc64_init(&crc);
+	assert_int_equal(crc, 0xffffffffffffffffUL);
+}
+
+static void
+_crc64(const char *buf, size_t buflen, const char *result, const int repeats) {
+	uint64_t crc;
+
+	isc_crc64_init(&crc);
+	assert_int_equal(crc, 0xffffffffffffffffUL);
+
+	for (int i = 0; i < repeats; i++) {
+		isc_crc64_update(&crc, buf, buflen);
+	}
+
+	isc_crc64_final(&crc);
+
+	char hex[16 + 1];
+	snprintf(hex, sizeof(hex), "%016" PRIX64, crc);
+
+	assert_memory_equal(hex, result, (result ? strlen(result) : 0));
+}
+
+/* 64-bit cyclic redundancy check */
+static void
+isc_crc64_test(void **state) {
+	UNUSED(state);
+
+	_crc64(TEST_INPUT(""), "0000000000000000", 1);
+	_crc64(TEST_INPUT("a"), "CE73F427ACC0A99A", 1);
+	_crc64(TEST_INPUT("abc"), "048B813AF9F49702", 1);
+	_crc64(TEST_INPUT("message digest"), "5273F9EA7A357BF4", 1);
+	_crc64(TEST_INPUT("abcdefghijklmnopqrstuvwxyz"), "59F079F9218BAAA1", 1);
+	_crc64(TEST_INPUT("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklm"
+			  "nopqrstuvwxyz0123456789"),
+	       "A36DA8F71E78B6FB", 1);
+	_crc64(TEST_INPUT("123456789012345678901234567890123456789"
+			  "01234567890123456789012345678901234567890"),
+	       "81E5EB73C8E7874A", 1);
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test(isc_crc64_init_test),
+		cmocka_unit_test(isc_crc64_test),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/isc/tests/errno_test.c b/lib/isc/tests/errno_test.c
new file mode 100644
index 0000000..56da651
--- /dev/null
+++ b/lib/isc/tests/errno_test.c
@@ -0,0 +1,123 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <errno.h>
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/errno.h>
+#include <isc/result.h>
+#include <isc/util.h>
+
+typedef struct {
+	int err;
+	isc_result_t result;
+} testpair_t;
+
+testpair_t testpair[] = { { EPERM, ISC_R_NOPERM },
+			  { ENOENT, ISC_R_FILENOTFOUND },
+			  { EIO, ISC_R_IOERROR },
+			  { EBADF, ISC_R_INVALIDFILE },
+			  { ENOMEM, ISC_R_NOMEMORY },
+			  { EACCES, ISC_R_NOPERM },
+			  { EEXIST, ISC_R_FILEEXISTS },
+			  { ENOTDIR, ISC_R_INVALIDFILE },
+			  { EINVAL, ISC_R_INVALIDFILE },
+			  { ENFILE, ISC_R_TOOMANYOPENFILES },
+			  { EMFILE, ISC_R_TOOMANYOPENFILES },
+			  { EPIPE, ISC_R_CONNECTIONRESET },
+			  { ENAMETOOLONG, ISC_R_INVALIDFILE },
+			  { ELOOP, ISC_R_INVALIDFILE },
+#ifdef EOVERFLOW
+			  { EOVERFLOW, ISC_R_RANGE },
+#endif /* ifdef EOVERFLOW */
+#ifdef EAFNOSUPPORT
+			  { EAFNOSUPPORT, ISC_R_FAMILYNOSUPPORT },
+#endif /* ifdef EAFNOSUPPORT */
+#ifdef EADDRINUSE
+			  { EADDRINUSE, ISC_R_ADDRINUSE },
+#endif /* ifdef EADDRINUSE */
+			  { EADDRNOTAVAIL, ISC_R_ADDRNOTAVAIL },
+#ifdef ENETDOWN
+			  { ENETDOWN, ISC_R_NETDOWN },
+#endif /* ifdef ENETDOWN */
+#ifdef ENETUNREACH
+			  { ENETUNREACH, ISC_R_NETUNREACH },
+#endif /* ifdef ENETUNREACH */
+#ifdef ECONNABORTED
+			  { ECONNABORTED, ISC_R_CONNECTIONRESET },
+#endif /* ifdef ECONNABORTED */
+#ifdef ECONNRESET
+			  { ECONNRESET, ISC_R_CONNECTIONRESET },
+#endif /* ifdef ECONNRESET */
+#ifdef ENOBUFS
+			  { ENOBUFS, ISC_R_NORESOURCES },
+#endif /* ifdef ENOBUFS */
+#ifdef ENOTCONN
+			  { ENOTCONN, ISC_R_NOTCONNECTED },
+#endif /* ifdef ENOTCONN */
+#ifdef ETIMEDOUT
+			  { ETIMEDOUT, ISC_R_TIMEDOUT },
+#endif /* ifdef ETIMEDOUT */
+			  { ECONNREFUSED, ISC_R_CONNREFUSED },
+#ifdef EHOSTDOWN
+			  { EHOSTDOWN, ISC_R_HOSTDOWN },
+#endif /* ifdef EHOSTDOWN */
+#ifdef EHOSTUNREACH
+			  { EHOSTUNREACH, ISC_R_HOSTUNREACH },
+#endif /* ifdef EHOSTUNREACH */
+			  { 0, ISC_R_UNEXPECTED } };
+
+/* convert errno to ISC result */
+static void
+isc_errno_toresult_test(void **state) {
+	isc_result_t result, expect;
+	size_t i;
+
+	UNUSED(state);
+
+	for (i = 0; i < sizeof(testpair) / sizeof(testpair[0]); i++) {
+		result = isc_errno_toresult(testpair[i].err);
+		expect = testpair[i].result;
+		assert_int_equal(result, expect);
+	}
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test(isc_errno_toresult_test),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/isc/tests/file_test.c b/lib/isc/tests/file_test.c
new file mode 100644
index 0000000..6d81ff9
--- /dev/null
+++ b/lib/isc/tests/file_test.c
@@ -0,0 +1,154 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <fcntl.h>
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/file.h>
+#include <isc/result.h>
+#include <isc/util.h>
+
+#define NAME	  "internal"
+#define SHA	  "3bed2cb3a3acf7b6a8ef408420cc682d5520e26976d354254f528c965612054f"
+#define TRUNC_SHA "3bed2cb3a3acf7b6"
+
+#define BAD1	 "in/internal"
+#define BADHASH1 "8bbb97a888791399"
+
+#define BAD2	 "Internal"
+#define BADHASH2 "2ea1842b445b0c81"
+
+#define F(x) "testdata/file/" x ".test"
+
+static void
+touch(const char *filename) {
+	int fd;
+
+	unlink(filename);
+	fd = creat(filename, 0644);
+	if (fd != -1) {
+		close(fd);
+	}
+}
+
+/* test sanitized filenames */
+static void
+isc_file_sanitize_test(void **state) {
+	isc_result_t result;
+	char buf[1024];
+
+	UNUSED(state);
+
+	assert_return_code(chdir(TESTS), 0);
+
+	result = isc_file_sanitize("testdata/file", NAME, "test", buf, 1024);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(strcmp(buf, F(NAME)), 0);
+
+	touch(F(TRUNC_SHA));
+	result = isc_file_sanitize("testdata/file", NAME, "test", buf, 1024);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(strcmp(buf, F(TRUNC_SHA)), 0);
+
+	touch(F(SHA));
+	result = isc_file_sanitize("testdata/file", NAME, "test", buf, 1024);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(strcmp(buf, F(SHA)), 0);
+
+	result = isc_file_sanitize("testdata/file", BAD1, "test", buf, 1024);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(strcmp(buf, F(BADHASH1)), 0);
+
+	result = isc_file_sanitize("testdata/file", BAD2, "test", buf, 1024);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(strcmp(buf, F(BADHASH2)), 0);
+
+	unlink(F(TRUNC_SHA));
+	unlink(F(SHA));
+}
+
+/* test filename templates */
+static void
+isc_file_template_test(void **state) {
+	isc_result_t result;
+	char buf[1024];
+
+	UNUSED(state);
+
+	assert_return_code(chdir(TESTS), 0);
+
+	result = isc_file_template("/absolute/path", "file-XXXXXXXX", buf,
+				   sizeof(buf));
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_string_equal(buf, "/absolute/file-XXXXXXXX");
+
+	result = isc_file_template("relative/path", "file-XXXXXXXX", buf,
+				   sizeof(buf));
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_string_equal(buf, "relative/file-XXXXXXXX");
+
+	result = isc_file_template("/trailing/slash/", "file-XXXXXXXX", buf,
+				   sizeof(buf));
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_string_equal(buf, "/trailing/slash/file-XXXXXXXX");
+
+	result = isc_file_template("relative/trailing/slash/", "file-XXXXXXXX",
+				   buf, sizeof(buf));
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_string_equal(buf, "relative/trailing/slash/file-XXXXXXXX");
+
+	result = isc_file_template("/", "file-XXXXXXXX", buf, sizeof(buf));
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_string_equal(buf, "/file-XXXXXXXX");
+
+	result = isc_file_template("noslash", "file-XXXXXXXX", buf,
+				   sizeof(buf));
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_string_equal(buf, "file-XXXXXXXX");
+
+	result = isc_file_template(NULL, "file-XXXXXXXX", buf, sizeof(buf));
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_string_equal(buf, "file-XXXXXXXX");
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test(isc_file_sanitize_test),
+		cmocka_unit_test(isc_file_template_test),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/isc/tests/hash_test.c b/lib/isc/tests/hash_test.c
new file mode 100644
index 0000000..ad0eb9d
--- /dev/null
+++ b/lib/isc/tests/hash_test.c
@@ -0,0 +1,114 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <inttypes.h>
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/buffer.h>
+#include <isc/hash.h>
+#include <isc/hex.h>
+#include <isc/print.h>
+#include <isc/region.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <pk11/site.h>
+
+#define TEST_INPUT(x) (x), sizeof(x) - 1
+
+/*Hash function test */
+static void
+isc_hash_function_test(void **state) {
+	unsigned int h1;
+	unsigned int h2;
+
+	UNUSED(state);
+
+	/* Immutability of hash function */
+	h1 = isc_hash_function(NULL, 0, true);
+	h2 = isc_hash_function(NULL, 0, true);
+
+	assert_int_equal(h1, h2);
+
+	/* Hash function characteristics */
+	h1 = isc_hash_function("Hello world", 12, true);
+	h2 = isc_hash_function("Hello world", 12, true);
+
+	assert_int_equal(h1, h2);
+
+	/* Case */
+	h1 = isc_hash_function("Hello world", 12, false);
+	h2 = isc_hash_function("heLLo WorLd", 12, false);
+
+	assert_int_equal(h1, h2);
+
+	/* Unequal */
+	h1 = isc_hash_function("Hello world", 12, true);
+	h2 = isc_hash_function("heLLo WorLd", 12, true);
+
+	assert_int_not_equal(h1, h2);
+}
+
+/* Hash function initializer test */
+static void
+isc_hash_initializer_test(void **state) {
+	unsigned int h1;
+	unsigned int h2;
+
+	UNUSED(state);
+
+	h1 = isc_hash_function("Hello world", 12, true);
+	h2 = isc_hash_function("Hello world", 12, true);
+
+	assert_int_equal(h1, h2);
+
+	isc_hash_set_initializer(isc_hash_get_initializer());
+
+	/* Hash value must not change */
+	h2 = isc_hash_function("Hello world", 12, true);
+
+	assert_int_equal(h1, h2);
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test(isc_hash_function_test),
+		cmocka_unit_test(isc_hash_initializer_test),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/isc/tests/heap_test.c b/lib/isc/tests/heap_test.c
new file mode 100644
index 0000000..5c41b20
--- /dev/null
+++ b/lib/isc/tests/heap_test.c
@@ -0,0 +1,115 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* ! \file */
+
+#if HAVE_CMOCKA
+
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/heap.h>
+#include <isc/mem.h>
+#include <isc/util.h>
+
+#include "isctest.h"
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = isc_test_begin(NULL, true, 0);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	isc_test_end();
+
+	return (0);
+}
+
+struct e {
+	unsigned int value;
+	unsigned int index;
+};
+
+static bool
+compare(void *p1, void *p2) {
+	struct e *e1 = p1;
+	struct e *e2 = p2;
+
+	return (e1->value < e2->value);
+}
+
+static void
+idx(void *p, unsigned int i) {
+	struct e *e = p;
+
+	e->index = i;
+}
+
+/* test isc_heap_delete() */
+static void
+isc_heap_delete_test(void **state) {
+	isc_heap_t *heap = NULL;
+	struct e e1 = { 100, 0 };
+
+	UNUSED(state);
+
+	isc_heap_create(test_mctx, compare, idx, 0, &heap);
+	assert_non_null(heap);
+
+	isc_heap_insert(heap, &e1);
+	assert_int_equal(e1.index, 1);
+
+	isc_heap_delete(heap, e1.index);
+	assert_int_equal(e1.index, 0);
+
+	isc_heap_destroy(&heap);
+	assert_null(heap);
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test(isc_heap_delete_test),
+	};
+
+	return (cmocka_run_group_tests(tests, _setup, _teardown));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/isc/tests/hmac_test.c b/lib/isc/tests/hmac_test.c
new file mode 100644
index 0000000..74c8106
--- /dev/null
+++ b/lib/isc/tests/hmac_test.c
@@ -0,0 +1,949 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* ! \file */
+
+#if HAVE_CMOCKA
+
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/buffer.h>
+#include <isc/hex.h>
+#include <isc/hmac.h>
+#include <isc/region.h>
+#include <isc/result.h>
+
+#include "../hmac.c"
+
+#define TEST_INPUT(x) (x), sizeof(x) - 1
+
+static int
+_setup(void **state) {
+	isc_hmac_t *hmac = isc_hmac_new();
+	if (hmac == NULL) {
+		return (-1);
+	}
+	*state = hmac;
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	if (*state == NULL) {
+		return (-1);
+	}
+	isc_hmac_free(*state);
+	return (0);
+}
+
+static int
+_reset(void **state) {
+	if (*state == NULL) {
+		return (-1);
+	}
+	if (isc_hmac_reset(*state) != ISC_R_SUCCESS) {
+		return (-1);
+	}
+	return (0);
+}
+
+static void
+isc_hmac_new_test(void **state) {
+	UNUSED(state);
+
+	isc_hmac_t *hmac = isc_hmac_new();
+	assert_non_null(hmac);
+	isc_hmac_free(hmac); /* Cleanup */
+}
+
+static void
+isc_hmac_free_test(void **state) {
+	UNUSED(state);
+
+	isc_hmac_t *hmac = isc_hmac_new();
+	assert_non_null(hmac);
+	isc_hmac_free(hmac); /* Test freeing valid message digest context */
+	isc_hmac_free(NULL); /* Test freeing NULL argument */
+}
+
+static void
+isc_hmac_test(isc_hmac_t *hmac, const void *key, size_t keylen,
+	      const isc_md_type_t *type, const char *buf, size_t buflen,
+	      const char *result, const int repeats) {
+	assert_non_null(hmac);
+	assert_int_equal(isc_hmac_init(hmac, key, keylen, type), ISC_R_SUCCESS);
+
+	int i;
+
+	for (i = 0; i < repeats; i++) {
+		assert_int_equal(isc_hmac_update(hmac,
+						 (const unsigned char *)buf,
+						 buflen),
+				 ISC_R_SUCCESS);
+	}
+
+	unsigned char digest[ISC_MAX_MD_SIZE];
+	unsigned int digestlen;
+	assert_int_equal(isc_hmac_final(hmac, digest, &digestlen),
+			 ISC_R_SUCCESS);
+
+	char hexdigest[ISC_MAX_MD_SIZE * 2 + 3];
+	isc_region_t r = { .base = digest, .length = digestlen };
+	isc_buffer_t b;
+	isc_buffer_init(&b, hexdigest, sizeof(hexdigest));
+
+	assert_return_code(isc_hex_totext(&r, 0, "", &b), ISC_R_SUCCESS);
+
+	assert_memory_equal(hexdigest, result, (result ? strlen(result) : 0));
+	assert_int_equal(isc_hmac_reset(hmac), ISC_R_SUCCESS);
+}
+
+static void
+isc_hmac_init_test(void **state) {
+	isc_hmac_t *hmac = *state;
+	assert_non_null(hmac);
+
+	expect_assert_failure(isc_hmac_init(NULL, "", 0, ISC_MD_MD5));
+
+	assert_int_equal(isc_hmac_init(hmac, "", 0, NULL),
+			 ISC_R_NOTIMPLEMENTED);
+
+	expect_assert_failure(isc_hmac_init(hmac, NULL, 0, ISC_MD_MD5));
+
+	assert_int_equal(isc_hmac_init(hmac, "", 0, ISC_MD_MD5), ISC_R_SUCCESS);
+	assert_int_equal(isc_hmac_reset(hmac), ISC_R_SUCCESS);
+
+	assert_int_equal(isc_hmac_init(hmac, "", 0, ISC_MD_SHA1),
+			 ISC_R_SUCCESS);
+	assert_int_equal(isc_hmac_reset(hmac), ISC_R_SUCCESS);
+
+	assert_int_equal(isc_hmac_init(hmac, "", 0, ISC_MD_SHA224),
+			 ISC_R_SUCCESS);
+	assert_int_equal(isc_hmac_reset(hmac), ISC_R_SUCCESS);
+
+	assert_int_equal(isc_hmac_init(hmac, "", 0, ISC_MD_SHA256),
+			 ISC_R_SUCCESS);
+	assert_int_equal(isc_hmac_reset(hmac), ISC_R_SUCCESS);
+
+	assert_int_equal(isc_hmac_init(hmac, "", 0, ISC_MD_SHA384),
+			 ISC_R_SUCCESS);
+	assert_int_equal(isc_hmac_reset(hmac), ISC_R_SUCCESS);
+
+	assert_int_equal(isc_hmac_init(hmac, "", 0, ISC_MD_SHA512),
+			 ISC_R_SUCCESS);
+	assert_int_equal(isc_hmac_reset(hmac), ISC_R_SUCCESS);
+}
+
+static void
+isc_hmac_update_test(void **state) {
+	isc_hmac_t *hmac = *state;
+	assert_non_null(hmac);
+
+	/* Uses message digest context initialized in isc_hmac_init_test() */
+	expect_assert_failure(isc_hmac_update(NULL, NULL, 0));
+
+	assert_int_equal(isc_hmac_update(hmac, NULL, 100), ISC_R_SUCCESS);
+	assert_int_equal(isc_hmac_update(hmac, (const unsigned char *)"", 0),
+			 ISC_R_SUCCESS);
+}
+
+static void
+isc_hmac_reset_test(void **state) {
+	isc_hmac_t *hmac = *state;
+#if 0
+	unsigned char digest[ISC_MAX_MD_SIZE] __attribute((unused));
+	unsigned int digestlen __attribute((unused));
+#endif /* if 0 */
+
+	assert_non_null(hmac);
+
+	assert_int_equal(isc_hmac_init(hmac, "", 0, ISC_MD_SHA512),
+			 ISC_R_SUCCESS);
+	assert_int_equal(isc_hmac_update(hmac, (const unsigned char *)"a", 1),
+			 ISC_R_SUCCESS);
+	assert_int_equal(isc_hmac_update(hmac, (const unsigned char *)"b", 1),
+			 ISC_R_SUCCESS);
+
+	assert_int_equal(isc_hmac_reset(hmac), ISC_R_SUCCESS);
+
+#if 0
+	/*
+	 * This test would require OpenSSL compiled with mock_assert(),
+	 * so this could be only manually checked that the test will
+	 * segfault when called by hand
+	 */
+	expect_assert_failure(isc_hmac_final(hmac,digest,&digestlen));
+#endif /* if 0 */
+}
+
+static void
+isc_hmac_final_test(void **state) {
+	isc_hmac_t *hmac = *state;
+	assert_non_null(hmac);
+
+	unsigned char digest[ISC_MAX_MD_SIZE];
+	unsigned int digestlen;
+
+	/* Fail when message digest context is empty */
+	expect_assert_failure(isc_hmac_final(NULL, digest, &digestlen));
+	/* Fail when output buffer is empty */
+	expect_assert_failure(isc_hmac_final(hmac, NULL, &digestlen));
+
+	assert_int_equal(isc_hmac_init(hmac, "", 0, ISC_MD_SHA512),
+			 ISC_R_SUCCESS);
+	assert_int_equal(isc_hmac_final(hmac, digest, NULL), ISC_R_SUCCESS);
+}
+
+static void
+isc_hmac_md5_test(void **state) {
+	isc_hmac_t *hmac = *state;
+
+	/* Test 0 */
+	isc_hmac_test(hmac, TEST_INPUT(""), ISC_MD_MD5, TEST_INPUT(""),
+		      "74E6F7298A9C2D168935F58C001BAD88", 1);
+
+	/* Test 1 */
+	isc_hmac_test(hmac,
+		      TEST_INPUT("\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
+				 "\x0b\x0b\x0b\x0b\x0b\x0b"),
+		      ISC_MD_MD5,
+		      TEST_INPUT("\x48\x69\x20\x54\x68\x65\x72\x65"),
+		      "9294727A3638BB1C13F48EF8158BFC9D", 1);
+
+	/* Test 2 */
+	isc_hmac_test(hmac, TEST_INPUT("Jefe"), ISC_MD_MD5,
+		      TEST_INPUT("\x77\x68\x61\x74\x20\x64\x6f\x20\x79"
+				 "\x61\x20\x77\x61\x6e\x74\x20\x66\x6f"
+				 "\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f"),
+		      "750C783E6AB0B503EAA86E310A5DB738", 1);
+
+	/* Test 3 */
+	isc_hmac_test(hmac,
+		      TEST_INPUT("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa"),
+		      ISC_MD_MD5,
+		      TEST_INPUT("\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"),
+		      "56BE34521D144C88DBB8C733F0E8B3F6", 1);
+	/* Test 4 */
+	isc_hmac_test(hmac,
+		      TEST_INPUT("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a"
+				 "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14"
+				 "\x15\x16\x17\x18\x19"),
+		      ISC_MD_MD5,
+		      TEST_INPUT("\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"),
+		      "697EAF0ACA3A3AEA3A75164746FFAA79", 1);
+#if 0
+	/* Test 5 -- unimplemented optional functionality */
+	isc_hmac_test(hmac,
+		      TEST_INPUT("\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c"
+				 "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c"),
+		      ISC_MD_MD5,
+		      TEST_INPUT("Test With Truncation"),
+		      "4C1A03424B55E07FE7F27BE1",
+		      1);
+	/* Test 6 -- unimplemented optional functionality */
+	isc_hmac_test(hmac,
+		      TEST_INPUT("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"),
+		      ISC_MD_MD5,
+		      TEST_INPUT("Test Using Larger Than Block-Size Key - "
+				 "Hash Key First"),
+		      "AA4AE5E15272D00E95705637CE8A3B55ED402112",
+		      1);
+	/* Test 7 -- unimplemented optional functionality */
+	isc_hmac_test(hmac,
+		      TEST_INPUT("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"),
+		      ISC_MD_MD5,
+		      TEST_INPUT("Test Using Larger Than Block-Size Key and "
+				 "Larger Than One Block-Size Data"),
+		      "E8E99D0F45237D786D6BBAA7965C7808BBFF1A91",
+		      1);
+#endif /* if 0 */
+}
+
+static void
+isc_hmac_sha1_test(void **state) {
+	isc_hmac_t *hmac = *state;
+
+	/* Test 0 */
+	isc_hmac_test(hmac, TEST_INPUT(""), ISC_MD_SHA1, TEST_INPUT(""),
+		      "FBDB1D1B18AA6C08324B7D64B71FB76370690E1D", 1);
+
+	/* Test 1 */
+	isc_hmac_test(hmac,
+		      TEST_INPUT("\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
+				 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"),
+		      ISC_MD_SHA1,
+		      TEST_INPUT("\x48\x69\x20\x54\x68\x65\x72\x65"),
+		      "B617318655057264E28BC0B6FB378C8EF146BE00", 1);
+	/* Test 2 */
+	isc_hmac_test(hmac, TEST_INPUT("Jefe"), ISC_MD_SHA1,
+		      TEST_INPUT("\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61"
+				 "\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20"
+				 "\x6e\x6f\x74\x68\x69\x6e\x67\x3f"),
+		      "EFFCDF6AE5EB2FA2D27416D5F184DF9C259A7C79", 1);
+	/* Test 3 */
+	isc_hmac_test(hmac,
+		      TEST_INPUT("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"),
+		      ISC_MD_SHA1,
+		      TEST_INPUT("\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"),
+		      "125D7342B9AC11CD91A39AF48AA17B4F63F175D3", 1);
+	/* Test 4 */
+	isc_hmac_test(hmac,
+		      TEST_INPUT("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a"
+				 "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14"
+				 "\x15\x16\x17\x18\x19"),
+		      ISC_MD_SHA1,
+		      TEST_INPUT("\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"),
+		      "4C9007F4026250C6BC8414F9BF50C86C2D7235DA", 1);
+#if 0
+	/* Test 5 */
+	isc_hmac_test(hmac,
+		      TEST_INPUT("\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c"
+				 "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c"),
+		      ISC_MD_SHA1,
+		      TEST_INPUT("Test With Truncation"),
+		      "4C1A03424B55E07FE7F27BE1",
+		      1);
+#endif /* if 0 */
+	/* Test 6 */
+	isc_hmac_test(hmac,
+		      TEST_INPUT("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"),
+		      ISC_MD_SHA1,
+		      TEST_INPUT("Test Using Larger Than Block-Size Key - "
+				 "Hash Key First"),
+		      "AA4AE5E15272D00E95705637CE8A3B55ED402112", 1);
+	/* Test 7 */
+	isc_hmac_test(hmac,
+		      TEST_INPUT("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"),
+		      ISC_MD_SHA1,
+		      TEST_INPUT("Test Using Larger Than Block-Size Key and "
+				 "Larger Than One Block-Size Data"),
+		      "E8E99D0F45237D786D6BBAA7965C7808BBFF1A91", 1);
+}
+
+static void
+isc_hmac_sha224_test(void **state) {
+	isc_hmac_t *hmac = *state;
+
+	/* Test 0 */
+	isc_hmac_test(hmac, TEST_INPUT(""), ISC_MD_SHA224, TEST_INPUT(""),
+		      "5CE14F72894662213E2748D2A6BA234B74263910CEDDE2F5"
+		      "A9271524",
+		      1);
+
+	/* Test 1 */
+	isc_hmac_test(hmac,
+		      TEST_INPUT("\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
+				 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"),
+		      ISC_MD_SHA224,
+		      TEST_INPUT("\x48\x69\x20\x54\x68\x65\x72\x65"),
+		      "896FB1128ABBDF196832107CD49DF33F47B4B1169912BA"
+		      "4F53684B22",
+		      1);
+	/* Test 2 */
+	isc_hmac_test(hmac, TEST_INPUT("Jefe"), ISC_MD_SHA224,
+		      TEST_INPUT("\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61"
+				 "\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20"
+				 "\x6e\x6f\x74\x68\x69\x6e\x67\x3f"),
+		      "A30E01098BC6DBBF45690F3A7E9E6D0F8BBEA2A39E61480"
+		      "08FD05E44",
+		      1);
+	/* Test 3 */
+	isc_hmac_test(hmac,
+		      TEST_INPUT("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"),
+		      ISC_MD_SHA224,
+		      TEST_INPUT("\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"),
+		      "7FB3CB3588C6C1F6FFA9694D7D6AD2649365B0C1F65D69"
+		      "D1EC8333EA",
+		      1);
+	/* Test 4 */
+	isc_hmac_test(hmac,
+		      TEST_INPUT("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a"
+				 "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14"
+				 "\x15\x16\x17\x18\x19"),
+		      ISC_MD_SHA224,
+		      TEST_INPUT("\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"),
+		      "6C11506874013CAC6A2ABC1BB382627CEC6A90D86EFC01"
+		      "2DE7AFEC5A",
+		      1);
+#if 0
+	/* Test 5 -- unimplemented optional functionality */
+	isc_hmac_test(hmac,
+		      TEST_INPUT("\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c"
+				 "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c"),
+		      ISC_MD_SHA224,
+		      TEST_INPUT("Test With Truncation"),
+		      "4C1A03424B55E07FE7F27BE1",
+		      1);
+#endif /* if 0 */
+	/* Test 6 */
+	isc_hmac_test(hmac,
+		      TEST_INPUT("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa"),
+		      ISC_MD_SHA224,
+		      TEST_INPUT("Test Using Larger Than Block-Size Key - "
+				 "Hash Key First"),
+		      "95E9A0DB962095ADAEBE9B2D6F0DBCE2D499F112F2D2B7"
+		      "273FA6870E",
+		      1);
+	/* Test 7 */
+	isc_hmac_test(hmac,
+		      TEST_INPUT("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa"),
+		      ISC_MD_SHA224,
+		      TEST_INPUT("\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20"
+				 "\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67"
+				 "\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20"
+				 "\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b"
+				 "\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20"
+				 "\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67"
+				 "\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c"
+				 "\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64"
+				 "\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b"
+				 "\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74"
+				 "\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65"
+				 "\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62"
+				 "\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20"
+				 "\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41"
+				 "\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68"
+				 "\x6d\x2e"),
+		      "3A854166AC5D9F023F54D517D0B39DBD946770DB9C2B95"
+		      "C9F6F565D1",
+		      1);
+}
+
+static void
+isc_hmac_sha256_test(void **state) {
+	isc_hmac_t *hmac = *state;
+
+	/* Test 0 */
+	isc_hmac_test(hmac, TEST_INPUT(""), ISC_MD_SHA256, TEST_INPUT(""),
+		      "B613679A0814D9EC772F95D778C35FC5FF1697C493715653"
+		      "C6C712144292C5AD",
+		      1);
+
+	/* Test 1 */
+	isc_hmac_test(hmac,
+		      TEST_INPUT("\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
+				 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"),
+		      ISC_MD_SHA256,
+		      TEST_INPUT("\x48\x69\x20\x54\x68\x65\x72\x65"),
+		      "B0344C61D8DB38535CA8AFCEAF0BF12B881DC200C9833D"
+		      "A726E9376C2E32CFF7",
+		      1);
+	/* Test 2 */
+	isc_hmac_test(hmac, TEST_INPUT("Jefe"), ISC_MD_SHA256,
+		      TEST_INPUT("\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61"
+				 "\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20"
+				 "\x6e\x6f\x74\x68\x69\x6e\x67\x3f"),
+		      "5BDCC146BF60754E6A042426089575C75A003F089D2739"
+		      "839DEC58B964EC3843",
+		      1);
+	/* Test 3 */
+	isc_hmac_test(hmac,
+		      TEST_INPUT("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"),
+		      ISC_MD_SHA256,
+		      TEST_INPUT("\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"),
+		      "773EA91E36800E46854DB8EBD09181A72959098B3EF8C1"
+		      "22D9635514CED565FE",
+		      1);
+	/* Test 4 */
+	isc_hmac_test(hmac,
+		      TEST_INPUT("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a"
+				 "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14"
+				 "\x15\x16\x17\x18\x19"),
+		      ISC_MD_SHA256,
+		      TEST_INPUT("\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"),
+		      "82558A389A443C0EA4CC819899F2083A85F0FAA3E578F8"
+		      "077A2E3FF46729665B",
+		      1);
+#if 0
+	/* Test 5 -- unimplemented optional functionality */
+	isc_hmac_test(hmac,
+		      TEST_INPUT("\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c"
+				 "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c"),
+		      ISC_MD_SHA256,
+		      TEST_INPUT("Test With Truncation"),
+		      "4C1A03424B55E07FE7F27BE1",
+		      1);
+#endif /* if 0 */
+	/* Test 6 */
+	isc_hmac_test(hmac,
+		      TEST_INPUT("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa"),
+		      ISC_MD_SHA256,
+		      TEST_INPUT("Test Using Larger Than Block-Size Key - "
+				 "Hash Key First"),
+		      "60E431591EE0B67F0D8A26AACBF5B77F8E0BC6213728C5"
+		      "140546040F0EE37F54",
+		      1);
+	/* Test 7 */
+	isc_hmac_test(hmac,
+		      TEST_INPUT("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa"),
+		      ISC_MD_SHA256,
+		      TEST_INPUT("\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20"
+				 "\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67"
+				 "\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20"
+				 "\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b"
+				 "\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20"
+				 "\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67"
+				 "\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c"
+				 "\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64"
+				 "\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b"
+				 "\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74"
+				 "\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65"
+				 "\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62"
+				 "\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20"
+				 "\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41"
+				 "\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68"
+				 "\x6d\x2e"),
+		      "9B09FFA71B942FCB27635FBCD5B0E944BFDC63644F0713"
+		      "938A7F51535C3A35E2",
+		      1);
+}
+
+static void
+isc_hmac_sha384_test(void **state) {
+	isc_hmac_t *hmac = *state;
+
+	/* Test 0 */
+	isc_hmac_test(hmac, TEST_INPUT(""), ISC_MD_SHA384, TEST_INPUT(""),
+		      "6C1F2EE938FAD2E24BD91298474382CA218C75DB3D83E114"
+		      "B3D4367776D14D3551289E75E8209CD4B792302840234ADC",
+		      1);
+
+	/* Test 1 */
+	isc_hmac_test(hmac,
+		      TEST_INPUT("\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
+				 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"),
+		      ISC_MD_SHA384,
+		      TEST_INPUT("\x48\x69\x20\x54\x68\x65\x72\x65"),
+		      "AFD03944D84895626B0825F4AB46907F15F9DADBE4101E"
+		      "C682AA034C7CEBC59CFAEA9EA9076EDE7F4AF152"
+		      "E8B2FA9CB6",
+		      1);
+	/* Test 2 */
+	isc_hmac_test(hmac, TEST_INPUT("Jefe"), ISC_MD_SHA384,
+		      TEST_INPUT("\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61"
+				 "\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20"
+				 "\x6e\x6f\x74\x68\x69\x6e\x67\x3f"),
+		      "AF45D2E376484031617F78D2B58A6B1B9C7EF464F5A01B"
+		      "47E42EC3736322445E8E2240CA5E69E2C78B3239"
+		      "ECFAB21649",
+		      1);
+	/* Test 3 */
+	isc_hmac_test(hmac,
+		      TEST_INPUT("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"),
+		      ISC_MD_SHA384,
+		      TEST_INPUT("\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"),
+		      "88062608D3E6AD8A0AA2ACE014C8A86F0AA635D947AC9F"
+		      "EBE83EF4E55966144B2A5AB39DC13814B94E3AB6"
+		      "E101A34F27",
+		      1);
+	/* Test 4 */
+	isc_hmac_test(hmac,
+		      TEST_INPUT("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a"
+				 "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14"
+				 "\x15\x16\x17\x18\x19"),
+		      ISC_MD_SHA384,
+		      TEST_INPUT("\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"),
+		      "3E8A69B7783C25851933AB6290AF6CA77A998148085000"
+		      "9CC5577C6E1F573B4E6801DD23C4A7D679CCF8A3"
+		      "86C674CFFB",
+		      1);
+#if 0
+	/* Test 5 -- unimplemented optional functionality */
+	isc_hmac_test(hmac,
+		      TEST_INPUT("\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c"
+				 "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c"),
+		      ISC_MD_SHA384,
+		      TEST_INPUT("Test With Truncation"),
+		      "4C1A03424B55E07FE7F27BE1",
+		      1);
+#endif /* if 0 */
+	/* Test 6 */
+	isc_hmac_test(hmac,
+		      TEST_INPUT("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa"),
+		      ISC_MD_SHA384,
+		      TEST_INPUT("Test Using Larger Than Block-Size Key - "
+				 "Hash Key First"),
+		      "4ECE084485813E9088D2C63A041BC5B44F9EF1012A2B58"
+		      "8F3CD11F05033AC4C60C2EF6AB4030FE8296248D"
+		      "F163F44952",
+		      1);
+	/* Test 7 */
+	isc_hmac_test(hmac,
+		      TEST_INPUT("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa"),
+		      ISC_MD_SHA384,
+		      TEST_INPUT("\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20"
+				 "\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67"
+				 "\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20"
+				 "\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b"
+				 "\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20"
+				 "\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67"
+				 "\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c"
+				 "\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64"
+				 "\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b"
+				 "\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74"
+				 "\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65"
+				 "\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62"
+				 "\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20"
+				 "\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41"
+				 "\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68"
+				 "\x6d\x2e"),
+		      "6617178E941F020D351E2F254E8FD32C602420FEB0B8FB"
+		      "9ADCCEBB82461E99C5A678CC31E799176D3860E6"
+		      "110C46523E",
+		      1);
+}
+
+static void
+isc_hmac_sha512_test(void **state) {
+	isc_hmac_t *hmac = *state;
+
+	/* Test 0 */
+	isc_hmac_test(hmac, TEST_INPUT(""), ISC_MD_SHA512, TEST_INPUT(""),
+		      "B936CEE86C9F87AA5D3C6F2E84CB5A4239A5FE50480A6EC6"
+		      "6B70AB5B1F4AC6730C6C515421B327EC1D69402E53DFB49A"
+		      "D7381EB067B338FD7B0CB22247225D47",
+		      1);
+
+	/* Test 1 */
+	isc_hmac_test(hmac,
+		      TEST_INPUT("\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
+				 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"),
+		      ISC_MD_SHA512,
+		      TEST_INPUT("\x48\x69\x20\x54\x68\x65\x72\x65"),
+		      "87AA7CDEA5EF619D4FF0B4241A1D6CB02379F4E2CE4EC2"
+		      "787AD0B30545E17CDEDAA833B7D6B8A702038B27"
+		      "4EAEA3F4E4BE9D914EEB61F1702E696C203A126854",
+		      1);
+	/* Test 2 */
+	isc_hmac_test(hmac, TEST_INPUT("Jefe"), ISC_MD_SHA512,
+		      TEST_INPUT("\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61"
+				 "\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20"
+				 "\x6e\x6f\x74\x68\x69\x6e\x67\x3f"),
+		      "164B7A7BFCF819E2E395FBE73B56E0A387BD64222E831F"
+		      "D610270CD7EA2505549758BF75C05A994A6D034F"
+		      "65F8F0E6FDCAEAB1A34D4A6B4B636E070A38BCE737",
+		      1);
+	/* Test 3 */
+	isc_hmac_test(hmac,
+		      TEST_INPUT("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"),
+		      ISC_MD_SHA512,
+		      TEST_INPUT("\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"),
+		      "FA73B0089D56A284EFB0F0756C890BE9B1B5DBDD8EE81A"
+		      "3655F83E33B2279D39BF3E848279A722C806B485"
+		      "A47E67C807B946A337BEE8942674278859E13292FB",
+		      1);
+	/* Test 4 */
+	isc_hmac_test(hmac,
+		      TEST_INPUT("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a"
+				 "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14"
+				 "\x15\x16\x17\x18\x19"),
+		      ISC_MD_SHA512,
+		      TEST_INPUT("\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"),
+		      "B0BA465637458C6990E5A8C5F61D4AF7E576D97FF94B87"
+		      "2DE76F8050361EE3DBA91CA5C11AA25EB4D67927"
+		      "5CC5788063A5F19741120C4F2DE2ADEBEB10A298DD",
+		      1);
+#if 0
+	/* Test 5 -- unimplemented optional functionality */
+	isc_hmac_test(hmac,
+		      TEST_INPUT("\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c"
+				 "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c"),
+		      ISC_MD_SHA512,
+		      TEST_INPUT("Test With Truncation"),
+		      "4C1A03424B55E07FE7F27BE1",
+		      1);
+#endif /* if 0 */
+	/* Test 6 */
+	isc_hmac_test(hmac,
+		      TEST_INPUT("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa"),
+		      ISC_MD_SHA512,
+		      TEST_INPUT("Test Using Larger Than Block-Size Key - "
+				 "Hash Key First"),
+		      "80B24263C7C1A3EBB71493C1DD7BE8B49B46D1F41B4AEE"
+		      "C1121B013783F8F3526B56D037E05F2598BD0FD2"
+		      "215D6A1E5295E64F73F63F0AEC8B915A985D786598",
+		      1);
+	/* Test 7 */
+	isc_hmac_test(hmac,
+		      TEST_INPUT("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+				 "\xaa"),
+		      ISC_MD_SHA512,
+		      TEST_INPUT("\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20"
+				 "\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67"
+				 "\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20"
+				 "\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b"
+				 "\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20"
+				 "\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67"
+				 "\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c"
+				 "\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64"
+				 "\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b"
+				 "\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74"
+				 "\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65"
+				 "\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62"
+				 "\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20"
+				 "\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41"
+				 "\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68"
+				 "\x6d\x2e"),
+		      "E37B6A775DC87DBAA4DFA9F96E5E3FFDDEBD71F8867289"
+		      "865DF5A32D20CDC944B6022CAC3C4982B10D5EEB"
+		      "55C3E4DE15134676FB6DE0446065C97440FA8C6A58",
+		      1);
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		/* isc_hmac_new() */
+		cmocka_unit_test(isc_hmac_new_test),
+
+		/* isc_hmac_init() */
+		cmocka_unit_test_setup_teardown(isc_hmac_init_test, _reset,
+						_reset),
+
+		/* isc_hmac_reset() */
+		cmocka_unit_test_setup_teardown(isc_hmac_reset_test, _reset,
+						_reset),
+
+		/* isc_hmac_init() -> isc_hmac_update() -> isc_hmac_final() */
+		cmocka_unit_test(isc_hmac_md5_test),
+		cmocka_unit_test(isc_hmac_sha1_test),
+		cmocka_unit_test(isc_hmac_sha224_test),
+		cmocka_unit_test(isc_hmac_sha256_test),
+		cmocka_unit_test(isc_hmac_sha384_test),
+		cmocka_unit_test(isc_hmac_sha512_test),
+
+		cmocka_unit_test_setup_teardown(isc_hmac_update_test, _reset,
+						_reset),
+		cmocka_unit_test_setup_teardown(isc_hmac_final_test, _reset,
+						_reset),
+
+		cmocka_unit_test(isc_hmac_free_test),
+	};
+
+	return (cmocka_run_group_tests(tests, _setup, _teardown));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/isc/tests/ht_test.c b/lib/isc/tests/ht_test.c
new file mode 100644
index 0000000..30cc615
--- /dev/null
+++ b/lib/isc/tests/ht_test.c
@@ -0,0 +1,358 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <inttypes.h>
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/hash.h>
+#include <isc/ht.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include "isctest.h"
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = isc_test_begin(NULL, true, 0);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	isc_test_end();
+
+	return (0);
+}
+
+static void
+test_ht_full(int bits, uintptr_t count) {
+	isc_ht_t *ht = NULL;
+	isc_result_t result;
+	uintptr_t i;
+
+	isc_ht_init(&ht, test_mctx, bits);
+	assert_non_null(ht);
+
+	for (i = 1; i < count; i++) {
+		/*
+		 * Note: snprintf() is followed with strlcat()
+		 * to ensure we are always filling the 16 byte key.
+		 */
+		unsigned char key[16];
+		snprintf((char *)key, sizeof(key), "%u", (unsigned int)i);
+		strlcat((char *)key, " key of a raw hashtable!!", sizeof(key));
+		result = isc_ht_add(ht, key, 16, (void *)i);
+		assert_int_equal(result, ISC_R_SUCCESS);
+	}
+
+	for (i = 1; i < count; i++) {
+		unsigned char key[16];
+		void *f = NULL;
+		snprintf((char *)key, sizeof(key), "%u", (unsigned int)i);
+		strlcat((char *)key, " key of a raw hashtable!!", sizeof(key));
+		result = isc_ht_find(ht, key, 16, &f);
+		assert_int_equal(result, ISC_R_SUCCESS);
+		assert_ptr_equal((void *)i, (uintptr_t)f);
+	}
+
+	for (i = 1; i < count; i++) {
+		unsigned char key[16];
+		snprintf((char *)key, sizeof(key), "%u", (unsigned int)i);
+		strlcat((char *)key, " key of a raw hashtable!!", sizeof(key));
+		result = isc_ht_add(ht, key, 16, (void *)i);
+		assert_int_equal(result, ISC_R_EXISTS);
+	}
+
+	for (i = 1; i < count; i++) {
+		char key[64];
+		/*
+		 * Note: the key size is now strlen(key) which is bigger
+		 * then the keys added above.
+		 */
+		snprintf((char *)key, sizeof(key), "%u", (unsigned int)i);
+		strlcat((char *)key, " key of a raw hashtable!!", sizeof(key));
+		result = isc_ht_add(ht, (const unsigned char *)key, strlen(key),
+				    (void *)i);
+		assert_int_equal(result, ISC_R_SUCCESS);
+	}
+
+	for (i = 1; i < count; i++) {
+		unsigned char key[16];
+		void *f = NULL;
+		/*
+		 * Note: case of KEY is now in capitals,
+		 */
+		snprintf((char *)key, sizeof(key), "%u", (unsigned int)i);
+		strlcat((char *)key, " KEY of a raw hashtable!!", sizeof(key));
+		result = isc_ht_find(ht, key, 16, &f);
+		assert_int_equal(result, ISC_R_NOTFOUND);
+		assert_null(f);
+	}
+
+	for (i = 1; i < count; i++) {
+		char key[64];
+		void *f = NULL;
+		snprintf((char *)key, sizeof(key), "%u", (unsigned int)i);
+		strlcat((char *)key, " key of a raw hashtable!!", sizeof(key));
+		result = isc_ht_find(ht, (const unsigned char *)key,
+				     strlen(key), &f);
+		assert_int_equal(result, ISC_R_SUCCESS);
+		assert_ptr_equal(f, (void *)i);
+	}
+
+	for (i = 1; i < count; i++) {
+		unsigned char key[16];
+		void *f = NULL;
+		snprintf((char *)key, sizeof(key), "%u", (unsigned int)i);
+		strlcat((char *)key, " key of a raw hashtable!!", sizeof(key));
+		result = isc_ht_delete(ht, key, 16);
+		assert_int_equal(result, ISC_R_SUCCESS);
+		result = isc_ht_find(ht, key, 16, &f);
+		assert_int_equal(result, ISC_R_NOTFOUND);
+		assert_null(f);
+	}
+
+	for (i = 1; i < count; i++) {
+		unsigned char key[16];
+		/*
+		 * Note: upper case KEY.
+		 */
+		snprintf((char *)key, sizeof(key), "%u", (unsigned int)i);
+		strlcat((char *)key, " KEY of a raw hashtable!!", sizeof(key));
+		result = isc_ht_add(ht, key, 16, (void *)i);
+		assert_int_equal(result, ISC_R_SUCCESS);
+	}
+
+	for (i = 1; i < count; i++) {
+		char key[64];
+		void *f = NULL;
+		snprintf((char *)key, sizeof(key), "%u", (unsigned int)i);
+		strlcat((char *)key, " key of a raw hashtable!!", sizeof(key));
+		result = isc_ht_delete(ht, (const unsigned char *)key,
+				       strlen(key));
+		assert_int_equal(result, ISC_R_SUCCESS);
+		result = isc_ht_find(ht, (const unsigned char *)key,
+				     strlen(key), &f);
+		assert_int_equal(result, ISC_R_NOTFOUND);
+		assert_null(f);
+	}
+
+	for (i = 1; i < count; i++) {
+		unsigned char key[16];
+		void *f = NULL;
+		/*
+		 * Note: case of KEY is now in capitals,
+		 */
+		snprintf((char *)key, sizeof(key), "%u", (unsigned int)i);
+		strlcat((char *)key, " KEY of a raw hashtable!!", sizeof(key));
+		result = isc_ht_find(ht, key, 16, &f);
+		assert_int_equal(result, ISC_R_SUCCESS);
+		assert_ptr_equal((void *)i, (uintptr_t)f);
+	}
+
+	for (i = 1; i < count; i++) {
+		unsigned char key[16];
+		void *f = NULL;
+		snprintf((char *)key, sizeof(key), "%u", (unsigned int)i);
+		strlcat((char *)key, " key of a raw hashtable!!", sizeof(key));
+		result = isc_ht_find(ht, key, 16, &f);
+		assert_int_equal(result, ISC_R_NOTFOUND);
+		assert_null(f);
+	}
+
+	isc_ht_destroy(&ht);
+	assert_null(ht);
+}
+
+static void
+test_ht_iterator() {
+	isc_ht_t *ht = NULL;
+	isc_result_t result;
+	isc_ht_iter_t *iter = NULL;
+	uintptr_t i;
+	uintptr_t count = 10000;
+	uint32_t walked;
+	unsigned char key[16];
+	size_t tksize;
+
+	isc_ht_init(&ht, test_mctx, 16);
+	assert_non_null(ht);
+	for (i = 1; i <= count; i++) {
+		/*
+		 * Note that the string we're snprintfing is always > 16 bytes
+		 * so we are always filling the key.
+		 */
+		snprintf((char *)key, sizeof(key), "%u", (unsigned int)i);
+		strlcat((char *)key, "key of a raw hashtable!!", sizeof(key));
+		result = isc_ht_add(ht, key, 16, (void *)i);
+		assert_int_equal(result, ISC_R_SUCCESS);
+	}
+
+	walked = 0;
+	isc_ht_iter_create(ht, &iter);
+
+	for (result = isc_ht_iter_first(iter); result == ISC_R_SUCCESS;
+	     result = isc_ht_iter_next(iter))
+	{
+		unsigned char *tkey = NULL;
+		void *v = NULL;
+
+		isc_ht_iter_current(iter, &v);
+		isc_ht_iter_currentkey(iter, &tkey, &tksize);
+		assert_int_equal(tksize, 16);
+		i = (uintptr_t)v;
+		snprintf((char *)key, sizeof(key), "%u", (unsigned int)i);
+		strlcat((char *)key, "key of a raw hashtable!!", sizeof(key));
+		assert_memory_equal(key, tkey, 16);
+		walked++;
+	}
+	assert_int_equal(walked, count);
+	assert_int_equal(result, ISC_R_NOMORE);
+
+	/* erase odd */
+	walked = 0;
+	result = isc_ht_iter_first(iter);
+	while (result == ISC_R_SUCCESS) {
+		unsigned char *tkey = NULL;
+		void *v = NULL;
+
+		isc_ht_iter_current(iter, &v);
+		isc_ht_iter_currentkey(iter, &tkey, &tksize);
+		assert_int_equal(tksize, 16);
+		i = (uintptr_t)v;
+		snprintf((char *)key, sizeof(key), "%u", (unsigned int)i);
+		strlcat((char *)key, "key of a raw hashtable!!", sizeof(key));
+		assert_memory_equal(key, tkey, 16);
+		if ((uintptr_t)v % 2 == 0) {
+			result = isc_ht_iter_delcurrent_next(iter);
+		} else {
+			result = isc_ht_iter_next(iter);
+		}
+		walked++;
+	}
+	assert_int_equal(result, ISC_R_NOMORE);
+	assert_int_equal(walked, count);
+
+	/* erase even */
+	walked = 0;
+	result = isc_ht_iter_first(iter);
+	while (result == ISC_R_SUCCESS) {
+		unsigned char *tkey = NULL;
+		void *v = NULL;
+
+		isc_ht_iter_current(iter, &v);
+		isc_ht_iter_currentkey(iter, &tkey, &tksize);
+		assert_int_equal(tksize, 16);
+		i = (uintptr_t)v;
+		snprintf((char *)key, sizeof(key), "%u", (unsigned int)i);
+		strlcat((char *)key, "key of a raw hashtable!!", sizeof(key));
+		assert_memory_equal(key, tkey, 16);
+		if ((uintptr_t)v % 2 == 1) {
+			result = isc_ht_iter_delcurrent_next(iter);
+		} else {
+			result = isc_ht_iter_next(iter);
+		}
+		walked++;
+	}
+	assert_int_equal(result, ISC_R_NOMORE);
+	assert_int_equal(walked, count / 2);
+
+	walked = 0;
+	for (result = isc_ht_iter_first(iter); result == ISC_R_SUCCESS;
+	     result = isc_ht_iter_next(iter))
+	{
+		walked++;
+	}
+
+	assert_int_equal(result, ISC_R_NOMORE);
+	assert_int_equal(walked, 0);
+
+	isc_ht_iter_destroy(&iter);
+	assert_null(iter);
+
+	isc_ht_destroy(&ht);
+	assert_null(ht);
+}
+
+/* 20 bit, 200K elements test */
+static void
+isc_ht_20(void **state) {
+	UNUSED(state);
+	test_ht_full(20, 200000);
+}
+
+/* 8 bit, 20000 elements crowded test */
+static void
+isc_ht_8(void **state) {
+	UNUSED(state);
+	test_ht_full(8, 20000);
+}
+
+/* 8 bit, 100 elements corner case test */
+static void
+isc_ht_1(void **state) {
+	UNUSED(state);
+	test_ht_full(1, 100);
+}
+
+/* test hashtable iterator */
+static void
+isc_ht_iterator_test(void **state) {
+	UNUSED(state);
+	test_ht_iterator();
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test(isc_ht_20),
+		cmocka_unit_test(isc_ht_8),
+		cmocka_unit_test(isc_ht_1),
+		cmocka_unit_test(isc_ht_iterator_test),
+	};
+
+	return (cmocka_run_group_tests(tests, _setup, _teardown));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/isc/tests/isctest.c b/lib/isc/tests/isctest.c
new file mode 100644
index 0000000..3b0235b
--- /dev/null
+++ b/lib/isc/tests/isctest.c
@@ -0,0 +1,173 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include "isctest.h"
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <time.h>
+
+#include <isc/buffer.h>
+#include <isc/hash.h>
+#include <isc/managers.h>
+#include <isc/mem.h>
+#include <isc/os.h>
+#include <isc/socket.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+isc_mem_t *test_mctx = NULL;
+isc_log_t *test_lctx = NULL;
+isc_taskmgr_t *taskmgr = NULL;
+isc_timermgr_t *timermgr = NULL;
+isc_socketmgr_t *socketmgr = NULL;
+isc_nm_t *netmgr = NULL;
+isc_task_t *maintask = NULL;
+int ncpus;
+
+static bool test_running = false;
+
+/*
+ * Logging categories: this needs to match the list in bin/named/log.c.
+ */
+static isc_logcategory_t categories[] = { { "", 0 },
+					  { "client", 0 },
+					  { "network", 0 },
+					  { "update", 0 },
+					  { "queries", 0 },
+					  { "unmatched", 0 },
+					  { "update-security", 0 },
+					  { "query-errors", 0 },
+					  { NULL, 0 } };
+
+static void
+cleanup_managers(void) {
+	if (maintask != NULL) {
+		isc_task_shutdown(maintask);
+		isc_task_destroy(&maintask);
+	}
+
+	isc_managers_destroy(netmgr == NULL ? NULL : &netmgr,
+			     taskmgr == NULL ? NULL : &taskmgr);
+
+	if (socketmgr != NULL) {
+		isc_socketmgr_destroy(&socketmgr);
+	}
+	if (timermgr != NULL) {
+		isc_timermgr_destroy(&timermgr);
+	}
+}
+
+static isc_result_t
+create_managers(unsigned int workers) {
+	isc_result_t result;
+	char *p;
+
+	if (workers == 0) {
+		workers = isc_os_ncpus();
+	}
+
+	p = getenv("ISC_TASK_WORKERS");
+	if (p != NULL) {
+		workers = atoi(p);
+	}
+
+	CHECK(isc_managers_create(test_mctx, workers, 0, &netmgr, &taskmgr));
+	CHECK(isc_task_create_bound(taskmgr, 0, &maintask, 0));
+	isc_taskmgr_setexcltask(taskmgr, maintask);
+
+	CHECK(isc_timermgr_create(test_mctx, &timermgr));
+	CHECK(isc_socketmgr_create(test_mctx, &socketmgr));
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	cleanup_managers();
+	return (result);
+}
+
+isc_result_t
+isc_test_begin(FILE *logfile, bool start_managers, unsigned int workers) {
+	isc_result_t result;
+
+	INSIST(!test_running);
+	test_running = true;
+
+	isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
+
+	INSIST(test_mctx == NULL);
+	isc_mem_create(&test_mctx);
+
+	if (logfile != NULL) {
+		isc_logdestination_t destination;
+		isc_logconfig_t *logconfig = NULL;
+
+		INSIST(test_lctx == NULL);
+		isc_log_create(test_mctx, &test_lctx, &logconfig);
+		isc_log_registercategories(test_lctx, categories);
+		isc_log_setcontext(test_lctx);
+
+		destination.file.stream = logfile;
+		destination.file.name = NULL;
+		destination.file.versions = ISC_LOG_ROLLNEVER;
+		destination.file.maximum_size = 0;
+		isc_log_createchannel(logconfig, "stderr", ISC_LOG_TOFILEDESC,
+				      ISC_LOG_DYNAMIC, &destination, 0);
+		CHECK(isc_log_usechannel(logconfig, "stderr", NULL, NULL));
+	}
+
+	ncpus = isc_os_ncpus();
+
+	if (start_managers) {
+		CHECK(create_managers(workers));
+	}
+
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	isc_test_end();
+	return (result);
+}
+
+void
+isc_test_end(void) {
+	if (maintask != NULL) {
+		isc_task_detach(&maintask);
+	}
+
+	cleanup_managers();
+
+	if (test_lctx != NULL) {
+		isc_log_destroy(&test_lctx);
+	}
+	if (test_mctx != NULL) {
+		isc_mem_destroy(&test_mctx);
+	}
+
+	test_running = false;
+}
+
+/*
+ * Sleep for 'usec' microseconds.
+ */
+void
+isc_test_nap(uint32_t usec) {
+	struct timespec ts;
+
+	ts.tv_sec = usec / 1000000;
+	ts.tv_nsec = (usec % 1000000) * 1000;
+	nanosleep(&ts, NULL);
+}
diff --git a/lib/isc/tests/isctest.h b/lib/isc/tests/isctest.h
new file mode 100644
index 0000000..4f88e91
--- /dev/null
+++ b/lib/isc/tests/isctest.h
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/buffer.h>
+#include <isc/hash.h>
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/netmgr.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#define CHECK(r)                             \
+	do {                                 \
+		result = (r);                \
+		if (result != ISC_R_SUCCESS) \
+			goto cleanup;        \
+	} while (0)
+
+extern isc_mem_t *test_mctx;
+extern isc_log_t *test_lctx;
+extern isc_taskmgr_t *taskmgr;
+extern isc_timermgr_t *timermgr;
+extern isc_socketmgr_t *socketmgr;
+extern isc_nm_t *netmgr;
+extern int ncpus;
+
+isc_result_t
+isc_test_begin(FILE *logfile, bool start_managers, unsigned int workers);
+/*%<
+ * Begin test, logging to 'logfile' or default if not specified.
+ *
+ * If 'start_managers' is set, start a task manager, timer manager,
+ * and socket manager.
+ *
+ * If 'workers' is zero, use the number of CPUs on the system as a default;
+ * otherwise, set up the task manager with the specified number of worker
+ * threads. The environment variable ISC_TASK_WORKERS overrides this value.
+ */
+
+void
+isc_test_end(void);
+
+void
+isc_test_nap(uint32_t usec);
diff --git a/lib/isc/tests/lex_test.c b/lib/isc/tests/lex_test.c
new file mode 100644
index 0000000..4f8f80d
--- /dev/null
+++ b/lib/isc/tests/lex_test.c
@@ -0,0 +1,432 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/buffer.h>
+#include <isc/lex.h>
+#include <isc/mem.h>
+#include <isc/util.h>
+
+#include "isctest.h"
+
+#define AS_STR(x) (x).value.as_textregion.base
+
+static bool debug = false;
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = isc_test_begin(NULL, true, 0);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	isc_test_end();
+
+	return (0);
+}
+
+/* check handling of 0xff */
+static void
+lex_0xff(void **state) {
+	isc_result_t result;
+	isc_lex_t *lex = NULL;
+	isc_buffer_t death_buf;
+	isc_token_t token;
+
+	unsigned char death[] = { EOF, 'A' };
+
+	UNUSED(state);
+
+	result = isc_lex_create(test_mctx, 1024, &lex);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	isc_buffer_init(&death_buf, &death[0], sizeof(death));
+	isc_buffer_add(&death_buf, sizeof(death));
+
+	result = isc_lex_openbuffer(lex, &death_buf);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = isc_lex_gettoken(lex, 0, &token);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	isc_lex_destroy(&lex);
+}
+
+/* check setting of source line */
+static void
+lex_setline(void **state) {
+	isc_result_t result;
+	isc_lex_t *lex = NULL;
+	unsigned char text[] = "text\nto\nbe\nprocessed\nby\nlexer";
+	isc_buffer_t buf;
+	isc_token_t token;
+	unsigned long line;
+	int i;
+
+	UNUSED(state);
+
+	result = isc_lex_create(test_mctx, 1024, &lex);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	isc_buffer_init(&buf, &text[0], sizeof(text));
+	isc_buffer_add(&buf, sizeof(text));
+
+	result = isc_lex_openbuffer(lex, &buf);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = isc_lex_setsourceline(lex, 100);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	for (i = 0; i < 6; i++) {
+		result = isc_lex_gettoken(lex, 0, &token);
+		assert_int_equal(result, ISC_R_SUCCESS);
+
+		line = isc_lex_getsourceline(lex);
+		assert_int_equal(line, 100U + i);
+	}
+
+	result = isc_lex_gettoken(lex, 0, &token);
+	assert_int_equal(result, ISC_R_EOF);
+
+	line = isc_lex_getsourceline(lex);
+	assert_int_equal(line, 105U);
+
+	isc_lex_destroy(&lex);
+}
+
+static struct {
+	const char *text;
+	const char *string_value;
+	isc_result_t string_result;
+	isc_tokentype_t string_type;
+	const char *qstring_value;
+	isc_result_t qstring_result;
+	isc_tokentype_t qstring_type;
+	const char *qvpair_value;
+	isc_result_t qvpair_result;
+	isc_tokentype_t qvpair_type;
+} parse_tests[] = {
+	{ "", "", ISC_R_SUCCESS, isc_tokentype_eof, "", ISC_R_SUCCESS,
+	  isc_tokentype_eof, "", ISC_R_SUCCESS, isc_tokentype_eof },
+	{ "1234", "1234", ISC_R_SUCCESS, isc_tokentype_string, "1234",
+	  ISC_R_SUCCESS, isc_tokentype_string, "1234", ISC_R_SUCCESS,
+	  isc_tokentype_string },
+	{ "1234=", "1234=", ISC_R_SUCCESS, isc_tokentype_string,
+	  "1234=", ISC_R_SUCCESS, isc_tokentype_string, "1234=", ISC_R_SUCCESS,
+	  isc_tokentype_vpair },
+	{ "1234=foo", "1234=foo", ISC_R_SUCCESS, isc_tokentype_string,
+	  "1234=foo", ISC_R_SUCCESS, isc_tokentype_string, "1234=foo",
+	  ISC_R_SUCCESS, isc_tokentype_vpair },
+	{ "1234=\"foo", "1234=\"foo", ISC_R_SUCCESS, isc_tokentype_string,
+	  "1234=\"foo", ISC_R_SUCCESS, isc_tokentype_string, NULL,
+	  ISC_R_UNEXPECTEDEND, 0 },
+	{ "1234=\"foo\"", "1234=\"foo\"", ISC_R_SUCCESS, isc_tokentype_string,
+	  "1234=\"foo\"", ISC_R_SUCCESS, isc_tokentype_string, "1234=foo",
+	  ISC_R_SUCCESS, isc_tokentype_qvpair },
+	{ "key", "key", ISC_R_SUCCESS, isc_tokentype_string, "key",
+	  ISC_R_SUCCESS, isc_tokentype_string, "key", ISC_R_SUCCESS,
+	  isc_tokentype_string },
+	{ "\"key=", "\"key=", ISC_R_SUCCESS, isc_tokentype_string, NULL,
+	  ISC_R_UNEXPECTEDEND, 0, "\"key=", ISC_R_SUCCESS,
+	  isc_tokentype_vpair },
+	{ "\"key=\"", "\"key=\"", ISC_R_SUCCESS, isc_tokentype_string, "key=",
+	  ISC_R_SUCCESS, isc_tokentype_qstring, NULL, ISC_R_UNEXPECTEDEND, 0 },
+	{ "key=\"\"", "key=\"\"", ISC_R_SUCCESS, isc_tokentype_string,
+	  "key=\"\"", ISC_R_SUCCESS, isc_tokentype_string,
+	  "key=", ISC_R_SUCCESS, isc_tokentype_qvpair },
+	{ "key=\"a b\"", "key=\"a", ISC_R_SUCCESS, isc_tokentype_string,
+	  "key=\"a", ISC_R_SUCCESS, isc_tokentype_string, "key=a b",
+	  ISC_R_SUCCESS, isc_tokentype_qvpair },
+	{ "key=\"a\tb\"", "key=\"a", ISC_R_SUCCESS, isc_tokentype_string,
+	  "key=\"a", ISC_R_SUCCESS, isc_tokentype_string, "key=a\tb",
+	  ISC_R_SUCCESS, isc_tokentype_qvpair },
+	/* double quote not immediately after '=' is not special. */
+	{ "key=c\"a b\"", "key=c\"a", ISC_R_SUCCESS, isc_tokentype_string,
+	  "key=c\"a", ISC_R_SUCCESS, isc_tokentype_string, "key=c\"a",
+	  ISC_R_SUCCESS, isc_tokentype_vpair },
+	/* remove special meaning for '=' by escaping */
+	{ "key\\=", "key\\=", ISC_R_SUCCESS, isc_tokentype_string,
+	  "key\\=", ISC_R_SUCCESS, isc_tokentype_string,
+	  "key\\=", ISC_R_SUCCESS, isc_tokentype_string },
+	{ "key\\=\"a\"", "key\\=\"a\"", ISC_R_SUCCESS, isc_tokentype_string,
+	  "key\\=\"a\"", ISC_R_SUCCESS, isc_tokentype_string, "key\\=\"a\"",
+	  ISC_R_SUCCESS, isc_tokentype_string },
+	{ "key\\=\"a \"", "key\\=\"a", ISC_R_SUCCESS, isc_tokentype_string,
+	  "key\\=\"a", ISC_R_SUCCESS, isc_tokentype_string, "key\\=\"a",
+	  ISC_R_SUCCESS, isc_tokentype_string },
+	/* vpair with a key of 'key\=' (would need to be deescaped) */
+	{ "key\\==", "key\\==", ISC_R_SUCCESS, isc_tokentype_string,
+	  "key\\==", ISC_R_SUCCESS, isc_tokentype_string,
+	  "key\\==", ISC_R_SUCCESS, isc_tokentype_vpair },
+	{ "key\\==\"\"", "key\\==\"\"", ISC_R_SUCCESS, isc_tokentype_string,
+	  "key\\==\"\"", ISC_R_SUCCESS, isc_tokentype_string,
+	  "key\\==", ISC_R_SUCCESS, isc_tokentype_qvpair },
+	{ "key=\\\\\\\\", "key=\\\\\\\\", ISC_R_SUCCESS, isc_tokentype_string,
+	  "key=\\\\\\\\", ISC_R_SUCCESS, isc_tokentype_string, "key=\\\\\\\\",
+	  ISC_R_SUCCESS, isc_tokentype_vpair },
+	{ "key=\\\\\\\"", "key=\\\\\\\"", ISC_R_SUCCESS, isc_tokentype_string,
+	  "key=\\\\\\\"", ISC_R_SUCCESS, isc_tokentype_string, "key=\\\\\\\"",
+	  ISC_R_SUCCESS, isc_tokentype_vpair },
+	/* incomplete escape sequence */
+	{ "key=\\\"\\", NULL, ISC_R_UNEXPECTEDEND, isc_tokentype_string, NULL,
+	  ISC_R_UNEXPECTEDEND, 0, NULL, ISC_R_UNEXPECTEDEND, 0 },
+	/* incomplete escape sequence */
+	{ "key=\\", NULL, ISC_R_UNEXPECTEDEND, isc_tokentype_string, NULL,
+	  ISC_R_UNEXPECTEDEND, 0, NULL, ISC_R_UNEXPECTEDEND, 0 },
+};
+
+/*%
+ * string
+ */
+static void
+lex_string(void **state) {
+	isc_buffer_t buf;
+	isc_lex_t *lex = NULL;
+	isc_result_t result;
+	isc_token_t token;
+	size_t i;
+
+	UNUSED(state);
+
+	for (i = 0; i < ARRAY_SIZE(parse_tests); i++) {
+		result = isc_lex_create(test_mctx, 1024, &lex);
+		assert_int_equal(result, ISC_R_SUCCESS);
+
+		isc_buffer_constinit(&buf, parse_tests[i].text,
+				     strlen(parse_tests[i].text));
+		isc_buffer_add(&buf, strlen(parse_tests[i].text));
+
+		result = isc_lex_openbuffer(lex, &buf);
+		assert_int_equal(result, ISC_R_SUCCESS);
+
+		result = isc_lex_setsourceline(lex, 100);
+		assert_int_equal(result, ISC_R_SUCCESS);
+
+		memset(&token, 0, sizeof(token));
+		result = isc_lex_getmastertoken(lex, &token,
+						isc_tokentype_string, true);
+		if (debug) {
+			fprintf(stdout, "# '%s' -> result=%s/%s, type=%d/%d\n",
+				parse_tests[i].text, isc_result_toid(result),
+				isc_result_toid(parse_tests[i].string_result),
+				token.type, parse_tests[i].string_type);
+		}
+
+		assert_int_equal(result, parse_tests[i].string_result);
+		if (result == ISC_R_SUCCESS) {
+			switch (token.type) {
+			case isc_tokentype_string:
+			case isc_tokentype_qstring:
+			case isc_tokentype_vpair:
+			case isc_tokentype_qvpair:
+				if (debug) {
+					fprintf(stdout, "# value='%s'\n",
+						AS_STR(token));
+				}
+				assert_int_equal(token.type,
+						 parse_tests[i].string_type);
+				assert_string_equal(
+					AS_STR(token),
+					parse_tests[i].string_value);
+				break;
+			default:
+				assert_int_equal(token.type,
+						 parse_tests[i].string_type);
+				break;
+			}
+		}
+
+		isc_lex_destroy(&lex);
+	}
+}
+
+/*%
+ * qstring
+ */
+static void
+lex_qstring(void **state) {
+	isc_buffer_t buf;
+	isc_lex_t *lex = NULL;
+	isc_result_t result;
+	isc_token_t token;
+	size_t i;
+
+	UNUSED(state);
+
+	for (i = 0; i < ARRAY_SIZE(parse_tests); i++) {
+		result = isc_lex_create(test_mctx, 1024, &lex);
+		assert_int_equal(result, ISC_R_SUCCESS);
+
+		isc_buffer_constinit(&buf, parse_tests[i].text,
+				     strlen(parse_tests[i].text));
+		isc_buffer_add(&buf, strlen(parse_tests[i].text));
+
+		result = isc_lex_openbuffer(lex, &buf);
+		assert_int_equal(result, ISC_R_SUCCESS);
+
+		result = isc_lex_setsourceline(lex, 100);
+		assert_int_equal(result, ISC_R_SUCCESS);
+
+		memset(&token, 0, sizeof(token));
+		result = isc_lex_getmastertoken(lex, &token,
+						isc_tokentype_qstring, true);
+		if (debug) {
+			fprintf(stdout, "# '%s' -> result=%s/%s, type=%d/%d\n",
+				parse_tests[i].text, isc_result_toid(result),
+				isc_result_toid(parse_tests[i].qstring_result),
+				token.type, parse_tests[i].qstring_type);
+		}
+
+		assert_int_equal(result, parse_tests[i].qstring_result);
+		if (result == ISC_R_SUCCESS) {
+			switch (token.type) {
+			case isc_tokentype_string:
+			case isc_tokentype_qstring:
+			case isc_tokentype_vpair:
+			case isc_tokentype_qvpair:
+				if (debug) {
+					fprintf(stdout, "# value='%s'\n",
+						AS_STR(token));
+				}
+				assert_int_equal(token.type,
+						 parse_tests[i].qstring_type);
+				assert_string_equal(
+					AS_STR(token),
+					parse_tests[i].qstring_value);
+				break;
+			default:
+				assert_int_equal(token.type,
+						 parse_tests[i].qstring_type);
+				break;
+			}
+		}
+
+		isc_lex_destroy(&lex);
+	}
+}
+
+/*%
+ * keypair is <string>=<qstring>.  This has implications double quotes
+ * in key names.
+ */
+static void
+lex_keypair(void **state) {
+	isc_buffer_t buf;
+	isc_lex_t *lex = NULL;
+	isc_result_t result;
+	isc_token_t token;
+	size_t i;
+
+	UNUSED(state);
+
+	for (i = 0; i < ARRAY_SIZE(parse_tests); i++) {
+		result = isc_lex_create(test_mctx, 1024, &lex);
+		assert_int_equal(result, ISC_R_SUCCESS);
+
+		isc_buffer_constinit(&buf, parse_tests[i].text,
+				     strlen(parse_tests[i].text));
+		isc_buffer_add(&buf, strlen(parse_tests[i].text));
+
+		result = isc_lex_openbuffer(lex, &buf);
+		assert_int_equal(result, ISC_R_SUCCESS);
+
+		result = isc_lex_setsourceline(lex, 100);
+		assert_int_equal(result, ISC_R_SUCCESS);
+
+		memset(&token, 0, sizeof(token));
+		result = isc_lex_getmastertoken(lex, &token,
+						isc_tokentype_qvpair, true);
+		if (debug) {
+			fprintf(stdout, "# '%s' -> result=%s/%s, type=%d/%d\n",
+				parse_tests[i].text, isc_result_toid(result),
+				isc_result_toid(parse_tests[i].qvpair_result),
+				token.type, parse_tests[i].qvpair_type);
+		}
+
+		assert_int_equal(result, parse_tests[i].qvpair_result);
+		if (result == ISC_R_SUCCESS) {
+			switch (token.type) {
+			case isc_tokentype_string:
+			case isc_tokentype_qstring:
+			case isc_tokentype_vpair:
+			case isc_tokentype_qvpair:
+				if (debug) {
+					fprintf(stdout, "# value='%s'\n",
+						AS_STR(token));
+				}
+				assert_int_equal(token.type,
+						 parse_tests[i].qvpair_type);
+				assert_string_equal(
+					AS_STR(token),
+					parse_tests[i].qvpair_value);
+				break;
+			default:
+				assert_int_equal(token.type,
+						 parse_tests[i].qvpair_type);
+				break;
+			}
+		}
+
+		isc_lex_destroy(&lex);
+	}
+}
+
+int
+main(int argc, char *argv[]) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test(lex_0xff),    cmocka_unit_test(lex_keypair),
+		cmocka_unit_test(lex_setline), cmocka_unit_test(lex_string),
+		cmocka_unit_test(lex_qstring),
+	};
+
+	UNUSED(argv);
+
+	if (argc > 1) {
+		debug = true;
+	}
+
+	return (cmocka_run_group_tests(tests, _setup, _teardown));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/isc/tests/md_test.c b/lib/isc/tests/md_test.c
new file mode 100644
index 0000000..83c44c4
--- /dev/null
+++ b/lib/isc/tests/md_test.c
@@ -0,0 +1,587 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <string.h>
+
+/* For FIPS_mode() */
+#include <openssl/crypto.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/buffer.h>
+#include <isc/hex.h>
+#include <isc/md.h>
+#include <isc/region.h>
+#include <isc/result.h>
+
+#include "../md.c"
+
+#define TEST_INPUT(x) (x), sizeof(x) - 1
+
+static int
+_setup(void **state) {
+	isc_md_t *md = isc_md_new();
+	if (md == NULL) {
+		return (-1);
+	}
+	*state = md;
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	if (*state == NULL) {
+		return (-1);
+	}
+	isc_md_free(*state);
+	return (0);
+}
+
+static int
+_reset(void **state) {
+	if (*state == NULL) {
+		return (-1);
+	}
+	if (isc_md_reset(*state) != ISC_R_SUCCESS) {
+		return (-1);
+	}
+	return (0);
+}
+
+static void
+isc_md_new_test(void **state) {
+	UNUSED(state);
+
+	isc_md_t *md = isc_md_new();
+	assert_non_null(md);
+	isc_md_free(md); /* Cleanup */
+}
+
+static void
+isc_md_free_test(void **state) {
+	UNUSED(state);
+
+	isc_md_t *md = isc_md_new();
+	assert_non_null(md);
+	isc_md_free(md);   /* Test freeing valid message digest context */
+	isc_md_free(NULL); /* Test freeing NULL argument */
+}
+
+static void
+isc_md_test(isc_md_t *md, const isc_md_type_t *type, const char *buf,
+	    size_t buflen, const char *result, const int repeats) {
+	assert_non_null(md);
+	assert_int_equal(isc_md_init(md, type), ISC_R_SUCCESS);
+
+	int i;
+
+	for (i = 0; i < repeats; i++) {
+		assert_int_equal(
+			isc_md_update(md, (const unsigned char *)buf, buflen),
+			ISC_R_SUCCESS);
+	}
+
+	unsigned char digest[ISC_MAX_MD_SIZE];
+	unsigned int digestlen;
+	assert_int_equal(isc_md_final(md, digest, &digestlen), ISC_R_SUCCESS);
+
+	char hexdigest[ISC_MAX_MD_SIZE * 2 + 3];
+	isc_region_t r = { .base = digest, .length = digestlen };
+	isc_buffer_t b;
+	isc_buffer_init(&b, hexdigest, sizeof(hexdigest));
+
+	assert_return_code(isc_hex_totext(&r, 0, "", &b), ISC_R_SUCCESS);
+
+	assert_memory_equal(hexdigest, result, (result ? strlen(result) : 0));
+	assert_int_equal(isc_md_reset(md), ISC_R_SUCCESS);
+}
+
+static void
+isc_md_init_test(void **state) {
+	isc_md_t *md = *state;
+	assert_non_null(md);
+
+	expect_assert_failure(isc_md_init(NULL, ISC_MD_MD5));
+
+	assert_int_equal(isc_md_init(md, NULL), ISC_R_NOTIMPLEMENTED);
+
+	assert_int_equal(isc_md_init(md, ISC_MD_MD5), ISC_R_SUCCESS);
+	assert_int_equal(isc_md_reset(md), ISC_R_SUCCESS);
+
+	assert_int_equal(isc_md_init(md, ISC_MD_SHA1), ISC_R_SUCCESS);
+	assert_int_equal(isc_md_reset(md), ISC_R_SUCCESS);
+
+	assert_int_equal(isc_md_init(md, ISC_MD_SHA224), ISC_R_SUCCESS);
+	assert_int_equal(isc_md_reset(md), ISC_R_SUCCESS);
+
+	assert_int_equal(isc_md_init(md, ISC_MD_SHA256), ISC_R_SUCCESS);
+	assert_int_equal(isc_md_reset(md), ISC_R_SUCCESS);
+
+	assert_int_equal(isc_md_init(md, ISC_MD_SHA384), ISC_R_SUCCESS);
+	assert_int_equal(isc_md_reset(md), ISC_R_SUCCESS);
+
+	assert_int_equal(isc_md_init(md, ISC_MD_SHA512), ISC_R_SUCCESS);
+	assert_int_equal(isc_md_reset(md), ISC_R_SUCCESS);
+}
+
+static void
+isc_md_update_test(void **state) {
+	isc_md_t *md = *state;
+	assert_non_null(md);
+
+	/* Uses message digest context initialized in isc_md_init_test() */
+	expect_assert_failure(isc_md_update(NULL, NULL, 0));
+
+	assert_int_equal(isc_md_update(md, NULL, 100), ISC_R_SUCCESS);
+	assert_int_equal(isc_md_update(md, (const unsigned char *)"", 0),
+			 ISC_R_SUCCESS);
+}
+
+static void
+isc_md_reset_test(void **state) {
+	isc_md_t *md = *state;
+#if 0
+	unsigned char digest[ISC_MAX_MD_SIZE] __attribute((unused));
+	unsigned int digestlen __attribute((unused));
+#endif /* if 0 */
+
+	assert_non_null(md);
+
+	assert_int_equal(isc_md_init(md, ISC_MD_SHA512), ISC_R_SUCCESS);
+	assert_int_equal(isc_md_update(md, (const unsigned char *)"a", 1),
+			 ISC_R_SUCCESS);
+	assert_int_equal(isc_md_update(md, (const unsigned char *)"b", 1),
+			 ISC_R_SUCCESS);
+
+	assert_int_equal(isc_md_reset(md), ISC_R_SUCCESS);
+
+#if 0
+	/*
+	 * This test would require OpenSSL compiled with mock_assert(),
+	 * so this could be only manually checked that the test will
+	 * segfault when called by hand
+	 */
+	expect_assert_failure(isc_md_final(md,digest,&digestlen));
+#endif /* if 0 */
+}
+
+static void
+isc_md_final_test(void **state) {
+	isc_md_t *md = *state;
+	assert_non_null(md);
+
+	unsigned char digest[ISC_MAX_MD_SIZE];
+	unsigned int digestlen;
+
+	/* Fail when message digest context is empty */
+	expect_assert_failure(isc_md_final(NULL, digest, &digestlen));
+	/* Fail when output buffer is empty */
+	expect_assert_failure(isc_md_final(md, NULL, &digestlen));
+
+	assert_int_equal(isc_md_init(md, ISC_MD_SHA512), ISC_R_SUCCESS);
+	assert_int_equal(isc_md_final(md, digest, NULL), ISC_R_SUCCESS);
+}
+
+static void
+isc_md_md5_test(void **state) {
+	isc_md_t *md = *state;
+	isc_md_test(md, ISC_MD_MD5, NULL, 0, NULL, 0);
+	isc_md_test(md, ISC_MD_MD5, TEST_INPUT(""),
+		    "D41D8CD98F00B204E9800998ECF8427E", 1);
+	isc_md_test(md, ISC_MD_MD5, TEST_INPUT("a"),
+		    "0CC175B9C0F1B6A831C399E269772661", 1);
+	isc_md_test(md, ISC_MD_MD5, TEST_INPUT("abc"),
+		    "900150983CD24FB0D6963F7D28E17F72", 1);
+	isc_md_test(md, ISC_MD_MD5, TEST_INPUT("message digest"),
+		    "F96B697D7CB7938D525A2F31AAF161D0", 1);
+	isc_md_test(md, ISC_MD_MD5, TEST_INPUT("abcdefghijklmnopqrstuvwxyz"),
+		    "C3FCD3D76192E4007DFB496CCA67E13B", 1);
+	isc_md_test(md, ISC_MD_MD5,
+		    TEST_INPUT("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklm"
+			       "nopqrstuvwxyz0123456789"),
+		    "D174AB98D277D9F5A5611C2C9F419D9F", 1);
+	isc_md_test(md, ISC_MD_MD5,
+		    TEST_INPUT("123456789012345678901234567890123456789"
+			       "01234567890123456789012345678901234567890"),
+		    "57EDF4A22BE3C955AC49DA2E2107B67A", 1);
+}
+
+static void
+isc_md_sha1_test(void **state) {
+	isc_md_t *md = *state;
+	isc_md_test(md, ISC_MD_SHA1, NULL, 0, NULL, 0);
+	isc_md_test(md, ISC_MD_SHA1, TEST_INPUT(""),
+		    "DA39A3EE5E6B4B0D3255BFEF95601890AFD80709", 1);
+	isc_md_test(md, ISC_MD_SHA1, TEST_INPUT("abc"),
+		    "A9993E364706816ABA3E25717850C26C9CD0D89D", 1);
+	isc_md_test(md, ISC_MD_SHA1,
+		    TEST_INPUT("abcdbcdecdefdefgefghfghighijhijkijk"
+			       "ljklmklmnlmnomnopnopq"),
+		    "84983E441C3BD26EBAAE4AA1F95129E5E54670F1", 1);
+	isc_md_test(md, ISC_MD_SHA1, TEST_INPUT("a"),
+		    "34AA973CD4C4DAA4F61EEB2BDBAD27316534016F", 1000000);
+	isc_md_test(md, ISC_MD_SHA1,
+		    TEST_INPUT("01234567012345670123456701234567"),
+		    "DEA356A2CDDD90C7A7ECEDC5EBB563934F460452", 20);
+	isc_md_test(md, ISC_MD_SHA1, TEST_INPUT("\x5e"),
+		    "5E6F80A34A9798CAFC6A5DB96CC57BA4C4DB59C2", 1);
+	isc_md_test(md, ISC_MD_SHA1,
+		    TEST_INPUT("\x9a\x7d\xfd\xf1\xec\xea\xd0\x6e\xd6\x46"
+			       "\xaa\x55\xfe\x75\x71\x46"),
+		    "82ABFF6605DBE1C17DEF12A394FA22A82B544A35", 1);
+	isc_md_test(md, ISC_MD_SHA1,
+		    TEST_INPUT("\xf7\x8f\x92\x14\x1b\xcd\x17\x0a\xe8\x9b"
+			       "\x4f\xba\x15\xa1\xd5\x9f\x3f\xd8\x4d\x22"
+			       "\x3c\x92\x51\xbd\xac\xbb\xae\x61\xd0\x5e"
+			       "\xd1\x15\xa0\x6a\x7c\xe1\x17\xb7\xbe\xea"
+			       "\xd2\x44\x21\xde\xd9\xc3\x25\x92\xbd\x57"
+			       "\xed\xea\xe3\x9c\x39\xfa\x1f\xe8\x94\x6a"
+			       "\x84\xd0\xcf\x1f\x7b\xee\xad\x17\x13\xe2"
+			       "\xe0\x95\x98\x97\x34\x7f\x67\xc8\x0b\x04"
+			       "\x00\xc2\x09\x81\x5d\x6b\x10\xa6\x83\x83"
+			       "\x6f\xd5\x56\x2a\x56\xca\xb1\xa2\x8e\x81"
+			       "\xb6\x57\x66\x54\x63\x1c\xf1\x65\x66\xb8"
+			       "\x6e\x3b\x33\xa1\x08\xb0\x53\x07\xc0\x0a"
+			       "\xff\x14\xa7\x68\xed\x73\x50\x60\x6a\x0f"
+			       "\x85\xe6\xa9\x1d\x39\x6f\x5b\x5c\xbe\x57"
+			       "\x7f\x9b\x38\x80\x7c\x7d\x52\x3d\x6d\x79"
+			       "\x2f\x6e\xbc\x24\xa4\xec\xf2\xb3\xa4\x27"
+			       "\xcd\xbb\xfb"),
+		    "CB0082C8F197D260991BA6A460E76E202BAD27B3", 1);
+}
+
+static void
+isc_md_sha224_test(void **state) {
+	isc_md_t *md = *state;
+
+	isc_md_test(md, ISC_MD_SHA224, NULL, 0, NULL, 0);
+	isc_md_test(md, ISC_MD_SHA224, TEST_INPUT(""),
+		    "D14A028C2A3A2BC9476102BB288234C415A2B01F828EA62AC5B3E42F",
+		    1);
+	isc_md_test(md, ISC_MD_SHA224, TEST_INPUT("abc"),
+		    "23097D223405D8228642A477BDA255B32AADBCE4BDA0B3F7"
+		    "E36C9DA7",
+		    1);
+	isc_md_test(md, ISC_MD_SHA224,
+		    TEST_INPUT("abcdbcdecdefdefgefghfghighijhijkijklj"
+			       "klmklmnlmnomnopnopq"),
+		    "75388B16512776CC5DBA5DA1FD890150B0C6455CB4F58B"
+		    "1952522525",
+		    1);
+	isc_md_test(md, ISC_MD_SHA224, TEST_INPUT("a"),
+		    "20794655980C91D8BBB4C1EA97618A4BF03F42581948B2"
+		    "EE4EE7AD67",
+		    1000000);
+	isc_md_test(md, ISC_MD_SHA224,
+		    TEST_INPUT("01234567012345670123456701234567"),
+		    "567F69F168CD7844E65259CE658FE7AADFA25216E68ECA"
+		    "0EB7AB8262",
+		    20);
+	isc_md_test(md, ISC_MD_SHA224, TEST_INPUT("\x07"),
+		    "00ECD5F138422B8AD74C9799FD826C531BAD2FCABC7450"
+		    "BEE2AA8C2A",
+		    1);
+	isc_md_test(md, ISC_MD_SHA224,
+		    TEST_INPUT("\x18\x80\x40\x05\xdd\x4f\xbd\x15\x56\x29"
+			       "\x9d\x6f\x9d\x93\xdf\x62"),
+		    "DF90D78AA78821C99B40BA4C966921ACCD8FFB1E98AC38"
+		    "8E56191DB1",
+		    1);
+	isc_md_test(md, ISC_MD_SHA224,
+		    TEST_INPUT("\x55\xb2\x10\x07\x9c\x61\xb5\x3a\xdd\x52"
+			       "\x06\x22\xd1\xac\x97\xd5\xcd\xbe\x8c\xb3"
+			       "\x3a\xa0\xae\x34\x45\x17\xbe\xe4\xd7\xba"
+			       "\x09\xab\xc8\x53\x3c\x52\x50\x88\x7a\x43"
+			       "\xbe\xbb\xac\x90\x6c\x2e\x18\x37\xf2\x6b"
+			       "\x36\xa5\x9a\xe3\xbe\x78\x14\xd5\x06\x89"
+			       "\x6b\x71\x8b\x2a\x38\x3e\xcd\xac\x16\xb9"
+			       "\x61\x25\x55\x3f\x41\x6f\xf3\x2c\x66\x74"
+			       "\xc7\x45\x99\xa9\x00\x53\x86\xd9\xce\x11"
+			       "\x12\x24\x5f\x48\xee\x47\x0d\x39\x6c\x1e"
+			       "\xd6\x3b\x92\x67\x0c\xa5\x6e\xc8\x4d\xee"
+			       "\xa8\x14\xb6\x13\x5e\xca\x54\x39\x2b\xde"
+			       "\xdb\x94\x89\xbc\x9b\x87\x5a\x8b\xaf\x0d"
+			       "\xc1\xae\x78\x57\x36\x91\x4a\xb7\xda\xa2"
+			       "\x64\xbc\x07\x9d\x26\x9f\x2c\x0d\x7e\xdd"
+			       "\xd8\x10\xa4\x26\x14\x5a\x07\x76\xf6\x7c"
+			       "\x87\x82\x73"),
+		    "0B31894EC8937AD9B91BDFBCBA294D9ADEFAA18E09305E"
+		    "9F20D5C3A4",
+		    1);
+}
+
+static void
+isc_md_sha256_test(void **state) {
+	isc_md_t *md = *state;
+
+	isc_md_test(md, ISC_MD_SHA256, NULL, 0, NULL, 0);
+	isc_md_test(md, ISC_MD_SHA256, TEST_INPUT(""),
+		    "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B93"
+		    "4CA495991B7852B855",
+		    1);
+
+	isc_md_test(md, ISC_MD_SHA256, TEST_INPUT("abc"),
+		    "BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A"
+		    "9CB410FF61F20015AD",
+		    1);
+	isc_md_test(md, ISC_MD_SHA256,
+		    TEST_INPUT("abcdbcdecdefdefgefghfghighijhijkijkljk"
+			       "lmklmnlmnomnopnopq"),
+		    "248D6A61D20638B8E5C026930C3E6039A33CE45964FF21"
+		    "67F6ECEDD419DB06C1",
+		    1);
+	isc_md_test(md, ISC_MD_SHA256, TEST_INPUT("a"),
+		    "CDC76E5C9914FB9281A1C7E284D73E67F1809A48A49720"
+		    "0E046D39CCC7112CD0",
+		    1000000);
+	isc_md_test(md, ISC_MD_SHA256,
+		    TEST_INPUT("01234567012345670123456701234567"),
+		    "594847328451BDFA85056225462CC1D867D877FB388DF0"
+		    "CE35F25AB5562BFBB5",
+		    20);
+	isc_md_test(md, ISC_MD_SHA256, TEST_INPUT("\x19"),
+		    "68AA2E2EE5DFF96E3355E6C7EE373E3D6A4E17F75F9518"
+		    "D843709C0C9BC3E3D4",
+		    1);
+	isc_md_test(md, ISC_MD_SHA256,
+		    TEST_INPUT("\xe3\xd7\x25\x70\xdc\xdd\x78\x7c\xe3"
+			       "\x88\x7a\xb2\xcd\x68\x46\x52"),
+		    "175EE69B02BA9B58E2B0A5FD13819CEA573F3940A94F82"
+		    "5128CF4209BEABB4E8",
+		    1);
+	isc_md_test(md, ISC_MD_SHA256,
+		    TEST_INPUT("\x83\x26\x75\x4e\x22\x77\x37\x2f\x4f\xc1"
+			       "\x2b\x20\x52\x7a\xfe\xf0\x4d\x8a\x05\x69"
+			       "\x71\xb1\x1a\xd5\x71\x23\xa7\xc1\x37\x76"
+			       "\x00\x00\xd7\xbe\xf6\xf3\xc1\xf7\xa9\x08"
+			       "\x3a\xa3\x9d\x81\x0d\xb3\x10\x77\x7d\xab"
+			       "\x8b\x1e\x7f\x02\xb8\x4a\x26\xc7\x73\x32"
+			       "\x5f\x8b\x23\x74\xde\x7a\x4b\x5a\x58\xcb"
+			       "\x5c\x5c\xf3\x5b\xce\xe6\xfb\x94\x6e\x5b"
+			       "\xd6\x94\xfa\x59\x3a\x8b\xeb\x3f\x9d\x65"
+			       "\x92\xec\xed\xaa\x66\xca\x82\xa2\x9d\x0c"
+			       "\x51\xbc\xf9\x33\x62\x30\xe5\xd7\x84\xe4"
+			       "\xc0\xa4\x3f\x8d\x79\xa3\x0a\x16\x5c\xba"
+			       "\xbe\x45\x2b\x77\x4b\x9c\x71\x09\xa9\x7d"
+			       "\x13\x8f\x12\x92\x28\x96\x6f\x6c\x0a\xdc"
+			       "\x10\x6a\xad\x5a\x9f\xdd\x30\x82\x57\x69"
+			       "\xb2\xc6\x71\xaf\x67\x59\xdf\x28\xeb\x39"
+			       "\x3d\x54\xd6"),
+		    "97DBCA7DF46D62C8A422C941DD7E835B8AD3361763F7E9"
+		    "B2D95F4F0DA6E1CCBC",
+		    1);
+}
+
+static void
+isc_md_sha384_test(void **state) {
+	isc_md_t *md = *state;
+
+	isc_md_test(md, ISC_MD_SHA384, NULL, 0, NULL, 0);
+	isc_md_test(md, ISC_MD_SHA384, TEST_INPUT(""),
+		    "38B060A751AC96384CD9327EB1B1E36A21FDB71114BE07"
+		    "434C0CC7BF63F6E1DA274EDEBFE76F65FBD51AD2F14898"
+		    "B95B"
+		    "",
+		    1);
+	isc_md_test(md, ISC_MD_SHA384, TEST_INPUT("abc"),
+		    "CB00753F45A35E8BB5A03D699AC65007272C32AB0EDED1"
+		    "631A8B605A43FF5BED8086072BA1E7CC2358BAEC"
+		    "A134C825A7",
+		    1);
+	isc_md_test(md, ISC_MD_SHA384,
+		    TEST_INPUT("abcdefghbcdefghicdefghijdefghijkefghijkl"
+			       "fghijklmghijklmnhijklmnoijklmnopjklmnopq"
+			       "klmnopqrlmnopqrsmnopqrstnopqrstu"),
+		    "09330C33F71147E83D192FC782CD1B4753111B173B3B05"
+		    "D22FA08086E3B0F712FCC7C71A557E2DB966C3E9"
+		    "FA91746039",
+		    1);
+	isc_md_test(md, ISC_MD_SHA384, TEST_INPUT("a"),
+		    "9D0E1809716474CB086E834E310A4A1CED149E9C00F248"
+		    "527972CEC5704C2A5B07B8B3DC38ECC4EBAE97DD"
+		    "D87F3D8985",
+		    1000000);
+	isc_md_test(md, ISC_MD_SHA384,
+		    TEST_INPUT("01234567012345670123456701234567"),
+		    "2FC64A4F500DDB6828F6A3430B8DD72A368EB7F3A8322A"
+		    "70BC84275B9C0B3AB00D27A5CC3C2D224AA6B61A"
+		    "0D79FB4596",
+		    20);
+	isc_md_test(md, ISC_MD_SHA384, TEST_INPUT("\xb9"),
+		    "BC8089A19007C0B14195F4ECC74094FEC64F01F9092928"
+		    "2C2FB392881578208AD466828B1C6C283D2722CF"
+		    "0AD1AB6938",
+		    1);
+	isc_md_test(md, ISC_MD_SHA384,
+		    TEST_INPUT("\xa4\x1c\x49\x77\x79\xc0\x37\x5f\xf1"
+			       "\x0a\x7f\x4e\x08\x59\x17\x39"),
+		    "C9A68443A005812256B8EC76B00516F0DBB74FAB26D665"
+		    "913F194B6FFB0E91EA9967566B58109CBC675CC2"
+		    "08E4C823F7",
+		    1);
+	isc_md_test(md, ISC_MD_SHA384,
+		    TEST_INPUT("\x39\x96\x69\xe2\x8f\x6b\x9c\x6d\xbc\xbb"
+			       "\x69\x12\xec\x10\xff\xcf\x74\x79\x03\x49"
+			       "\xb7\xdc\x8f\xbe\x4a\x8e\x7b\x3b\x56\x21"
+			       "\xdb\x0f\x3e\x7d\xc8\x7f\x82\x32\x64\xbb"
+			       "\xe4\x0d\x18\x11\xc9\xea\x20\x61\xe1\xc8"
+			       "\x4a\xd1\x0a\x23\xfa\xc1\x72\x7e\x72\x02"
+			       "\xfc\x3f\x50\x42\xe6\xbf\x58\xcb\xa8\xa2"
+			       "\x74\x6e\x1f\x64\xf9\xb9\xea\x35\x2c\x71"
+			       "\x15\x07\x05\x3c\xf4\xe5\x33\x9d\x52\x86"
+			       "\x5f\x25\xcc\x22\xb5\xe8\x77\x84\xa1\x2f"
+			       "\xc9\x61\xd6\x6c\xb6\xe8\x95\x73\x19\x9a"
+			       "\x2c\xe6\x56\x5c\xbd\xf1\x3d\xca\x40\x38"
+			       "\x32\xcf\xcb\x0e\x8b\x72\x11\xe8\x3a\xf3"
+			       "\x2a\x11\xac\x17\x92\x9f\xf1\xc0\x73\xa5"
+			       "\x1c\xc0\x27\xaa\xed\xef\xf8\x5a\xad\x7c"
+			       "\x2b\x7c\x5a\x80\x3e\x24\x04\xd9\x6d\x2a"
+			       "\x77\x35\x7b\xda\x1a\x6d\xae\xed\x17\x15"
+			       "\x1c\xb9\xbc\x51\x25\xa4\x22\xe9\x41\xde"
+			       "\x0c\xa0\xfc\x50\x11\xc2\x3e\xcf\xfe\xfd"
+			       "\xd0\x96\x76\x71\x1c\xf3\xdb\x0a\x34\x40"
+			       "\x72\x0e\x16\x15\xc1\xf2\x2f\xbc\x3c\x72"
+			       "\x1d\xe5\x21\xe1\xb9\x9b\xa1\xbd\x55\x77"
+			       "\x40\x86\x42\x14\x7e\xd0\x96"),
+		    "4F440DB1E6EDD2899FA335F09515AA025EE177A79F4B4A"
+		    "AF38E42B5C4DE660F5DE8FB2A5B2FBD2A3CBFFD2"
+		    "0CFF1288C0",
+		    1);
+}
+
+static void
+isc_md_sha512_test(void **state) {
+	isc_md_t *md = *state;
+
+	isc_md_test(md, ISC_MD_SHA512, NULL, 0, NULL, 0);
+	isc_md_test(md, ISC_MD_SHA512, TEST_INPUT(""),
+		    "CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715"
+		    "DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877E"
+		    "EC2F63B931BD47417A81A538327AF927DA3E",
+		    1);
+	isc_md_test(md, ISC_MD_SHA512, TEST_INPUT("abc"),
+		    "DDAF35A193617ABACC417349AE20413112E6FA4E89A97E"
+		    "A20A9EEEE64B55D39A2192992A274FC1A836BA3C"
+		    "23A3FEEBBD454D4423643CE80E2A9AC94FA54CA49F",
+		    1);
+	isc_md_test(md, ISC_MD_SHA512,
+		    TEST_INPUT("abcdefghbcdefghicdefghijdefghijkefghijkl"
+			       "fghijklmghijklmnhijklmnoijklmnopjklmnopq"
+			       "klmnopqrlmnopqrsmnopqrstnopqrstu"),
+		    "8E959B75DAE313DA8CF4F72814FC143F8F7779C6EB9F7F"
+		    "A17299AEADB6889018501D289E4900F7E4331B99"
+		    "DEC4B5433AC7D329EEB6DD26545E96E55B874BE909",
+		    1);
+	isc_md_test(md, ISC_MD_SHA512, TEST_INPUT("a"),
+		    "E718483D0CE769644E2E42C7BC15B4638E1F98B13B2044"
+		    "285632A803AFA973EBDE0FF244877EA60A4CB043"
+		    "2CE577C31BEB009C5C2C49AA2E4EADB217AD8CC09B",
+		    1000000);
+	isc_md_test(md, ISC_MD_SHA512,
+		    TEST_INPUT("01234567012345670123456701234567"),
+		    "89D05BA632C699C31231DED4FFC127D5A894DAD412C0E0"
+		    "24DB872D1ABD2BA8141A0F85072A9BE1E2AA04CF"
+		    "33C765CB510813A39CD5A84C4ACAA64D3F3FB7BAE9",
+		    20);
+	isc_md_test(md, ISC_MD_SHA512, TEST_INPUT("\xD0"),
+		    "9992202938E882E73E20F6B69E68A0A7149090423D93C8"
+		    "1BAB3F21678D4ACEEEE50E4E8CAFADA4C85A54EA"
+		    "8306826C4AD6E74CECE9631BFA8A549B4AB3FBBA15",
+		    1);
+	isc_md_test(md, ISC_MD_SHA512,
+		    TEST_INPUT("\x8d\x4e\x3c\x0e\x38\x89\x19\x14\x91\x81"
+			       "\x6e\x9d\x98\xbf\xf0\xa0"),
+		    "CB0B67A4B8712CD73C9AABC0B199E9269B20844AFB75AC"
+		    "BDD1C153C9828924C3DDEDAAFE669C5FDD0BC66F"
+		    "630F6773988213EB1B16F517AD0DE4B2F0C95C90F8",
+		    1);
+	isc_md_test(md, ISC_MD_SHA512,
+		    TEST_INPUT("\xa5\x5f\x20\xc4\x11\xaa\xd1\x32\x80\x7a"
+			       "\x50\x2d\x65\x82\x4e\x31\xa2\x30\x54\x32"
+			       "\xaa\x3d\x06\xd3\xe2\x82\xa8\xd8\x4e\x0d"
+			       "\xe1\xde\x69\x74\xbf\x49\x54\x69\xfc\x7f"
+			       "\x33\x8f\x80\x54\xd5\x8c\x26\xc4\x93\x60"
+			       "\xc3\xe8\x7a\xf5\x65\x23\xac\xf6\xd8\x9d"
+			       "\x03\xe5\x6f\xf2\xf8\x68\x00\x2b\xc3\xe4"
+			       "\x31\xed\xc4\x4d\xf2\xf0\x22\x3d\x4b\xb3"
+			       "\xb2\x43\x58\x6e\x1a\x7d\x92\x49\x36\x69"
+			       "\x4f\xcb\xba\xf8\x8d\x95\x19\xe4\xeb\x50"
+			       "\xa6\x44\xf8\xe4\xf9\x5e\xb0\xea\x95\xbc"
+			       "\x44\x65\xc8\x82\x1a\xac\xd2\xfe\x15\xab"
+			       "\x49\x81\x16\x4b\xbb\x6d\xc3\x2f\x96\x90"
+			       "\x87\xa1\x45\xb0\xd9\xcc\x9c\x67\xc2\x2b"
+			       "\x76\x32\x99\x41\x9c\xc4\x12\x8b\xe9\xa0"
+			       "\x77\xb3\xac\xe6\x34\x06\x4e\x6d\x99\x28"
+			       "\x35\x13\xdc\x06\xe7\x51\x5d\x0d\x73\x13"
+			       "\x2e\x9a\x0d\xc6\xd3\xb1\xf8\xb2\x46\xf1"
+			       "\xa9\x8a\x3f\xc7\x29\x41\xb1\xe3\xbb\x20"
+			       "\x98\xe8\xbf\x16\xf2\x68\xd6\x4f\x0b\x0f"
+			       "\x47\x07\xfe\x1e\xa1\xa1\x79\x1b\xa2\xf3"
+			       "\xc0\xc7\x58\xe5\xf5\x51\x86\x3a\x96\xc9"
+			       "\x49\xad\x47\xd7\xfb\x40\xd2"),
+		    "C665BEFB36DA189D78822D10528CBF3B12B3EEF7260399"
+		    "09C1A16A270D48719377966B957A878E72058477"
+		    "9A62825C18DA26415E49A7176A894E7510FD1451F5",
+		    1);
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		/* isc_md_new() */
+		cmocka_unit_test(isc_md_new_test),
+
+		/* isc_md_init() */
+		cmocka_unit_test_setup_teardown(isc_md_init_test, _reset,
+						_reset),
+
+		/* isc_md_reset() */
+		cmocka_unit_test_setup_teardown(isc_md_reset_test, _reset,
+						_reset),
+
+		/* isc_md_init() -> isc_md_update() -> isc_md_final() */
+		cmocka_unit_test(isc_md_md5_test),
+		cmocka_unit_test(isc_md_sha1_test),
+		cmocka_unit_test(isc_md_sha224_test),
+		cmocka_unit_test(isc_md_sha256_test),
+		cmocka_unit_test(isc_md_sha384_test),
+		cmocka_unit_test(isc_md_sha512_test),
+
+		cmocka_unit_test_setup_teardown(isc_md_update_test, _reset,
+						_reset),
+		cmocka_unit_test_setup_teardown(isc_md_final_test, _reset,
+						_reset),
+
+		cmocka_unit_test(isc_md_free_test),
+	};
+
+	return (cmocka_run_group_tests(tests, _setup, _teardown));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/isc/tests/mem_test.c b/lib/isc/tests/mem_test.c
new file mode 100644
index 0000000..9b180cd
--- /dev/null
+++ b/lib/isc/tests/mem_test.c
@@ -0,0 +1,477 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <fcntl.h>
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/file.h>
+#include <isc/mem.h>
+#include <isc/mutex.h>
+#include <isc/os.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/stdio.h>
+#include <isc/thread.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#include "../mem_p.h"
+#include "isctest.h"
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = isc_test_begin(NULL, true, 0);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	isc_test_end();
+
+	return (0);
+}
+
+#define MP1_FREEMAX  10
+#define MP1_FILLCNT  10
+#define MP1_MAXALLOC 30
+
+#define MP2_FREEMAX 25
+#define MP2_FILLCNT 25
+
+/* general memory system tests */
+static void
+isc_mem_test(void **state) {
+	void *items1[50];
+	void *items2[50];
+	void *tmp;
+	isc_mempool_t *mp1 = NULL, *mp2 = NULL;
+	unsigned int i, j;
+	int rval;
+
+	UNUSED(state);
+
+	isc_mempool_create(test_mctx, 24, &mp1);
+	isc_mempool_create(test_mctx, 31, &mp2);
+
+	isc_mempool_setfreemax(mp1, MP1_FREEMAX);
+	isc_mempool_setfillcount(mp1, MP1_FILLCNT);
+	isc_mempool_setmaxalloc(mp1, MP1_MAXALLOC);
+
+	/*
+	 * Allocate MP1_MAXALLOC items from the pool.  This is our max.
+	 */
+	for (i = 0; i < MP1_MAXALLOC; i++) {
+		items1[i] = isc_mempool_get(mp1);
+		assert_non_null(items1[i]);
+	}
+
+	/*
+	 * Try to allocate one more.  This should fail.
+	 */
+	tmp = isc_mempool_get(mp1);
+	assert_null(tmp);
+
+	/*
+	 * Free the first 11 items.  Verify that there are 10 free items on
+	 * the free list (which is our max).
+	 */
+	for (i = 0; i < 11; i++) {
+		isc_mempool_put(mp1, items1[i]);
+		items1[i] = NULL;
+	}
+
+#if !__SANITIZE_ADDRESS__
+	rval = isc_mempool_getfreecount(mp1);
+	assert_int_equal(rval, 10);
+#endif /* !__SANITIZE_ADDRESS__ */
+
+	rval = isc_mempool_getallocated(mp1);
+	assert_int_equal(rval, 19);
+
+	/*
+	 * Now, beat up on mp2 for a while.  Allocate 50 items, then free
+	 * them, then allocate 50 more, etc.
+	 */
+
+	isc_mempool_setfreemax(mp2, 25);
+	isc_mempool_setfillcount(mp2, 25);
+
+	for (j = 0; j < 500000; j++) {
+		for (i = 0; i < 50; i++) {
+			items2[i] = isc_mempool_get(mp2);
+			assert_non_null(items2[i]);
+		}
+		for (i = 0; i < 50; i++) {
+			isc_mempool_put(mp2, items2[i]);
+			items2[i] = NULL;
+		}
+	}
+
+	/*
+	 * Free all the other items and blow away this pool.
+	 */
+	for (i = 11; i < MP1_MAXALLOC; i++) {
+		isc_mempool_put(mp1, items1[i]);
+		items1[i] = NULL;
+	}
+
+	isc_mempool_destroy(&mp1);
+	isc_mempool_destroy(&mp2);
+
+	isc_mempool_create(test_mctx, 2, &mp1);
+
+	tmp = isc_mempool_get(mp1);
+	assert_non_null(tmp);
+
+	isc_mempool_put(mp1, tmp);
+
+	isc_mempool_destroy(&mp1);
+}
+
+/* test TotalUse calculation */
+static void
+isc_mem_total_test(void **state) {
+	isc_mem_t *mctx2 = NULL;
+	size_t before, after;
+	ssize_t diff;
+	int i;
+
+	UNUSED(state);
+
+	/* Local alloc, free */
+	mctx2 = NULL;
+	isc_mem_create(&mctx2);
+
+	before = isc_mem_total(mctx2);
+
+	for (i = 0; i < 100000; i++) {
+		void *ptr;
+
+		ptr = isc_mem_allocate(mctx2, 2048);
+		isc_mem_free(mctx2, ptr);
+	}
+
+	after = isc_mem_total(mctx2);
+	diff = after - before;
+
+	/* 2048 +8 bytes extra for size_info */
+	assert_int_equal(diff, (2048 + 8) * 100000);
+
+	/* ISC_MEMFLAG_INTERNAL */
+
+	before = isc_mem_total(test_mctx);
+
+	for (i = 0; i < 100000; i++) {
+		void *ptr;
+
+		ptr = isc_mem_allocate(test_mctx, 2048);
+		isc_mem_free(test_mctx, ptr);
+	}
+
+	after = isc_mem_total(test_mctx);
+	diff = after - before;
+
+	/* 2048 +8 bytes extra for size_info */
+	assert_int_equal(diff, (2048 + 8) * 100000);
+
+	isc_mem_destroy(&mctx2);
+}
+
+/* test InUse calculation */
+static void
+isc_mem_inuse_test(void **state) {
+	isc_mem_t *mctx2 = NULL;
+	size_t before, after;
+	ssize_t diff;
+	void *ptr;
+
+	UNUSED(state);
+
+	mctx2 = NULL;
+	isc_mem_create(&mctx2);
+
+	before = isc_mem_inuse(mctx2);
+	ptr = isc_mem_allocate(mctx2, 1024000);
+	isc_mem_free(mctx2, ptr);
+	after = isc_mem_inuse(mctx2);
+
+	diff = after - before;
+
+	assert_int_equal(diff, 0);
+
+	isc_mem_destroy(&mctx2);
+}
+
+#if ISC_MEM_TRACKLINES
+
+/* test mem with no flags */
+static void
+isc_mem_noflags_test(void **state) {
+	isc_result_t result;
+	isc_mem_t *mctx2 = NULL;
+	char buf[4096], *p, *q;
+	FILE *f;
+	void *ptr;
+
+	result = isc_stdio_open("mem.output", "w", &f);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	UNUSED(state);
+
+	isc_mem_create(&mctx2);
+	isc_mem_debugging = 0;
+	ptr = isc_mem_get(mctx2, 2048);
+	assert_non_null(ptr);
+	isc__mem_printactive(mctx2, f);
+	isc_mem_put(mctx2, ptr, 2048);
+	isc_mem_destroy(&mctx2);
+	isc_stdio_close(f);
+
+	memset(buf, 0, sizeof(buf));
+	result = isc_stdio_open("mem.output", "r", &f);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = isc_stdio_read(buf, sizeof(buf), 1, f, NULL);
+	assert_int_equal(result, ISC_R_EOF);
+	isc_stdio_close(f);
+	isc_file_remove("mem.output");
+
+	buf[sizeof(buf) - 1] = 0;
+
+	p = strchr(buf, '\n');
+	assert_non_null(p);
+	assert_in_range(p, 0, buf + sizeof(buf) - 3);
+	p += 2;
+	q = strchr(p, '\n');
+	assert_non_null(q);
+	*q = '\0';
+	assert_string_equal(p, "None.");
+
+	isc_mem_debugging = ISC_MEM_DEBUGRECORD;
+}
+
+/* test mem with record flag */
+static void
+isc_mem_recordflag_test(void **state) {
+	isc_result_t result;
+	isc_mem_t *mctx2 = NULL;
+	char buf[4096], *p;
+	FILE *f;
+	void *ptr;
+
+	result = isc_stdio_open("mem.output", "w", &f);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	UNUSED(state);
+
+	isc_mem_create(&mctx2);
+	ptr = isc_mem_get(mctx2, 2048);
+	assert_non_null(ptr);
+	isc__mem_printactive(mctx2, f);
+	isc_mem_put(mctx2, ptr, 2048);
+	isc_mem_destroy(&mctx2);
+	isc_stdio_close(f);
+
+	memset(buf, 0, sizeof(buf));
+	result = isc_stdio_open("mem.output", "r", &f);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = isc_stdio_read(buf, sizeof(buf), 1, f, NULL);
+	assert_int_equal(result, ISC_R_EOF);
+	isc_stdio_close(f);
+	isc_file_remove("mem.output");
+
+	buf[sizeof(buf) - 1] = 0;
+
+	p = strchr(buf, '\n');
+	assert_non_null(p);
+	assert_in_range(p, 0, buf + sizeof(buf) - 3);
+	assert_memory_equal(p + 2, "ptr ", 4);
+	p = strchr(p + 1, '\n');
+	assert_non_null(p);
+	assert_int_equal(strlen(p), 1);
+}
+
+/* test mem with trace flag */
+static void
+isc_mem_traceflag_test(void **state) {
+	isc_result_t result;
+	isc_mem_t *mctx2 = NULL;
+	char buf[4096], *p;
+	FILE *f;
+	void *ptr;
+
+	/* redirect stderr so we can check trace output */
+	f = freopen("mem.output", "w", stderr);
+	assert_non_null(f);
+
+	UNUSED(state);
+
+	isc_mem_create(&mctx2);
+	isc_mem_debugging = ISC_MEM_DEBUGTRACE;
+	ptr = isc_mem_get(mctx2, 2048);
+	assert_non_null(ptr);
+	isc__mem_printactive(mctx2, f);
+	isc_mem_put(mctx2, ptr, 2048);
+	isc_mem_destroy(&mctx2);
+	isc_stdio_close(f);
+
+	memset(buf, 0, sizeof(buf));
+	result = isc_stdio_open("mem.output", "r", &f);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = isc_stdio_read(buf, sizeof(buf), 1, f, NULL);
+	assert_int_equal(result, ISC_R_EOF);
+	isc_stdio_close(f);
+	isc_file_remove("mem.output");
+
+	/* return stderr to TTY so we can see errors */
+	f = freopen("/dev/tty", "w", stderr);
+
+	buf[sizeof(buf) - 1] = 0;
+
+	assert_memory_equal(buf, "add ", 4);
+	p = strchr(buf, '\n');
+	assert_non_null(p);
+	p = strchr(p + 1, '\n');
+	assert_non_null(p);
+	assert_in_range(p, 0, buf + sizeof(buf) - 3);
+	assert_memory_equal(p + 2, "ptr ", 4);
+	p = strchr(p + 1, '\n');
+	assert_non_null(p);
+	assert_memory_equal(p + 1, "del ", 4);
+
+	isc_mem_debugging = ISC_MEM_DEBUGRECORD;
+}
+#endif /* if ISC_MEM_TRACKLINES */
+
+#if !defined(__SANITIZE_THREAD__)
+
+#define ITERS	  512
+#define NUM_ITEMS 1024 /* 768 */
+#define ITEM_SIZE 65534
+
+static isc_threadresult_t
+mem_thread(isc_threadarg_t arg) {
+	void *items[NUM_ITEMS];
+	size_t size = *((size_t *)arg);
+
+	for (int i = 0; i < ITERS; i++) {
+		for (int j = 0; j < NUM_ITEMS; j++) {
+			items[j] = isc_mem_get(test_mctx, size);
+		}
+		for (int j = 0; j < NUM_ITEMS; j++) {
+			isc_mem_put(test_mctx, items[j], size);
+		}
+	}
+
+	return ((isc_threadresult_t)0);
+}
+
+static void
+isc_mem_benchmark(void **state) {
+	int nthreads = ISC_MAX(ISC_MIN(isc_os_ncpus(), 32), 1);
+	isc_thread_t threads[32];
+	isc_time_t ts1, ts2;
+	double t;
+	isc_result_t result;
+	size_t size = ITEM_SIZE;
+
+	UNUSED(state);
+
+	result = isc_time_now(&ts1);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	for (int i = 0; i < nthreads; i++) {
+		isc_thread_create(mem_thread, &size, &threads[i]);
+		size = size / 2;
+	}
+	for (int i = 0; i < nthreads; i++) {
+		isc_thread_join(threads[i], NULL);
+	}
+
+	result = isc_time_now(&ts2);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	t = isc_time_microdiff(&ts2, &ts1);
+
+	printf("[ TIME     ] isc_mem_benchmark: "
+	       "%d isc_mem_{get,put} calls, %f seconds, %f calls/second\n",
+	       nthreads * ITERS * NUM_ITEMS, t / 1000000.0,
+	       (nthreads * ITERS * NUM_ITEMS) / (t / 1000000.0));
+}
+
+#endif /* __SANITIZE_THREAD */
+
+/*
+ * Main
+ */
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test_setup_teardown(isc_mem_test, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(isc_mem_total_test, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(isc_mem_inuse_test, _setup,
+						_teardown),
+
+#if !defined(__SANITIZE_THREAD__)
+		cmocka_unit_test_setup_teardown(isc_mem_benchmark, _setup,
+						_teardown),
+#endif /* __SANITIZE_THREAD__ */
+#if ISC_MEM_TRACKLINES
+		cmocka_unit_test_setup_teardown(isc_mem_noflags_test, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(isc_mem_recordflag_test, _setup,
+						_teardown),
+		/*
+		 * traceflag_test closes stderr, which causes weird
+		 * side effects for any next test trying to use libuv.
+		 * This test has to be the last one to avoid problems.
+		 */
+		cmocka_unit_test_setup_teardown(isc_mem_traceflag_test, _setup,
+						_teardown),
+#endif /* if ISC_MEM_TRACKLINES */
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/isc/tests/netaddr_test.c b/lib/isc/tests/netaddr_test.c
new file mode 100644
index 0000000..473e747
--- /dev/null
+++ b/lib/isc/tests/netaddr_test.c
@@ -0,0 +1,159 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/netaddr.h>
+#include <isc/sockaddr.h>
+#include <isc/util.h>
+
+/* test isc_netaddr_isnetzero() */
+static void
+netaddr_isnetzero(void **state) {
+	unsigned int i;
+	struct in_addr ina;
+	struct {
+		const char *address;
+		bool expect;
+	} tests[] = { { "0.0.0.0", true },    { "0.0.0.1", true },
+		      { "0.0.1.2", true },    { "0.1.2.3", true },
+		      { "10.0.0.0", false },  { "10.9.0.0", false },
+		      { "10.9.8.0", false },  { "10.9.8.7", false },
+		      { "127.0.0.0", false }, { "127.0.0.1", false } };
+	bool result;
+	isc_netaddr_t netaddr;
+
+	UNUSED(state);
+
+	for (i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
+		ina.s_addr = inet_addr(tests[i].address);
+		isc_netaddr_fromin(&netaddr, &ina);
+		result = isc_netaddr_isnetzero(&netaddr);
+		assert_int_equal(result, tests[i].expect);
+	}
+}
+
+/* test isc_netaddr_masktoprefixlen() calculates correct prefix lengths */
+static void
+netaddr_masktoprefixlen(void **state) {
+	struct in_addr na_a;
+	struct in_addr na_b;
+	struct in_addr na_c;
+	struct in_addr na_d;
+	isc_netaddr_t ina_a;
+	isc_netaddr_t ina_b;
+	isc_netaddr_t ina_c;
+	isc_netaddr_t ina_d;
+	unsigned int plen;
+
+	UNUSED(state);
+
+	assert_true(inet_pton(AF_INET, "0.0.0.0", &na_a) >= 0);
+	assert_true(inet_pton(AF_INET, "255.255.255.254", &na_b) >= 0);
+	assert_true(inet_pton(AF_INET, "255.255.255.255", &na_c) >= 0);
+	assert_true(inet_pton(AF_INET, "255.255.255.0", &na_d) >= 0);
+
+	isc_netaddr_fromin(&ina_a, &na_a);
+	isc_netaddr_fromin(&ina_b, &na_b);
+	isc_netaddr_fromin(&ina_c, &na_c);
+	isc_netaddr_fromin(&ina_d, &na_d);
+
+	assert_int_equal(isc_netaddr_masktoprefixlen(&ina_a, &plen),
+			 ISC_R_SUCCESS);
+	assert_int_equal(plen, 0);
+
+	assert_int_equal(isc_netaddr_masktoprefixlen(&ina_b, &plen),
+			 ISC_R_SUCCESS);
+	assert_int_equal(plen, 31);
+
+	assert_int_equal(isc_netaddr_masktoprefixlen(&ina_c, &plen),
+			 ISC_R_SUCCESS);
+	assert_int_equal(plen, 32);
+
+	assert_int_equal(isc_netaddr_masktoprefixlen(&ina_d, &plen),
+			 ISC_R_SUCCESS);
+	assert_int_equal(plen, 24);
+}
+
+/* check multicast addresses are detected properly */
+static void
+netaddr_multicast(void **state) {
+	unsigned int i;
+	struct {
+		int family;
+		const char *addr;
+		bool is_multicast;
+	} tests[] = {
+		{ AF_INET, "1.2.3.4", false },	{ AF_INET, "4.3.2.1", false },
+		{ AF_INET, "224.1.1.1", true }, { AF_INET, "1.1.1.244", false },
+		{ AF_INET6, "::1", false },	{ AF_INET6, "ff02::1", true }
+	};
+
+	UNUSED(state);
+
+	for (i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
+		isc_netaddr_t na;
+		struct in_addr in;
+		struct in6_addr in6;
+		int r;
+
+		if (tests[i].family == AF_INET) {
+			r = inet_pton(AF_INET, tests[i].addr,
+				      (unsigned char *)&in);
+			assert_int_equal(r, 1);
+			isc_netaddr_fromin(&na, &in);
+		} else {
+			r = inet_pton(AF_INET6, tests[i].addr,
+				      (unsigned char *)&in6);
+			assert_int_equal(r, 1);
+			isc_netaddr_fromin6(&na, &in6);
+		}
+
+		assert_int_equal(isc_netaddr_ismulticast(&na),
+				 tests[i].is_multicast);
+	}
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test(netaddr_isnetzero),
+		cmocka_unit_test(netaddr_masktoprefixlen),
+		cmocka_unit_test(netaddr_multicast),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/isc/tests/netmgr_test.c b/lib/isc/tests/netmgr_test.c
new file mode 100644
index 0000000..8e30359
--- /dev/null
+++ b/lib/isc/tests/netmgr_test.c
@@ -0,0 +1,2218 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <uv.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/nonce.h>
+#include <isc/os.h>
+#include <isc/quota.h>
+#include <isc/refcount.h>
+#include <isc/sockaddr.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+
+#include "uv_wrap.h"
+#define KEEP_BEFORE
+
+#include "../netmgr/netmgr-int.h"
+#include "../netmgr/udp.c"
+#include "../netmgr/uv-compat.c"
+#include "../netmgr/uv-compat.h"
+#include "../netmgr_p.h"
+#include "isctest.h"
+
+typedef void (*stream_connect_function)(isc_nm_t *nm);
+
+static void
+connect_connect_cb(isc_nmhandle_t *handle, isc_result_t eresult, void *cbarg);
+static void
+connect_read_cb(isc_nmhandle_t *handle, isc_result_t eresult,
+		isc_region_t *region, void *cbarg);
+
+isc_nm_t *listen_nm = NULL;
+isc_nm_t *connect_nm = NULL;
+
+static isc_sockaddr_t udp_listen_addr;
+static isc_sockaddr_t udp_connect_addr;
+
+static isc_sockaddr_t tcp_listen_addr;
+static isc_sockaddr_t tcp_connect_addr;
+
+static uint64_t send_magic = 0;
+static uint64_t stop_magic = 0;
+
+static isc_region_t send_msg = { .base = (unsigned char *)&send_magic,
+				 .length = sizeof(send_magic) };
+
+static isc_region_t stop_msg = { .base = (unsigned char *)&stop_magic,
+				 .length = sizeof(stop_magic) };
+
+static atomic_bool do_send = false;
+static unsigned int workers = 0;
+
+static atomic_int_fast64_t nsends;
+static int_fast64_t esends; /* expected sends */
+
+static atomic_int_fast64_t ssends = 0;
+static atomic_int_fast64_t sreads = 0;
+static atomic_int_fast64_t saccepts = 0;
+
+static atomic_int_fast64_t cconnects = 0;
+static atomic_int_fast64_t csends = 0;
+static atomic_int_fast64_t creads = 0;
+static atomic_int_fast64_t ctimeouts = 0;
+
+static isc_refcount_t active_cconnects;
+static isc_refcount_t active_csends;
+static isc_refcount_t active_creads;
+static isc_refcount_t active_ssends;
+static isc_refcount_t active_sreads;
+
+static isc_quota_t listener_quota;
+static atomic_bool check_listener_quota;
+
+static bool skip_long_tests = false;
+
+static bool allow_send_back = false;
+static bool noanswer = false;
+
+static isc_nm_recv_cb_t connect_readcb = NULL;
+
+#define SKIP_IN_CI             \
+	if (skip_long_tests) { \
+		skip();        \
+		return;        \
+	}
+
+#define NSENDS 100
+
+/* Timeout for soft-timeout tests (0.05 seconds) */
+#define T_SOFT 50
+
+/* Timeouts in miliseconds */
+#define T_INIT	     120 * 1000
+#define T_IDLE	     120 * 1000
+#define T_KEEPALIVE  120 * 1000
+#define T_ADVERTISED 120 * 1000
+#define T_CONNECT    30 * 1000
+
+/* Wait for 1 second (1000 * 1000 microseconds) */
+#define WAIT_REPEATS 1000
+#define T_WAIT	     1000 /* In microseconds */
+
+#define WAIT_FOR(v, op, val)                                \
+	{                                                   \
+		X(v);                                       \
+		int_fast64_t __r = WAIT_REPEATS;            \
+		int_fast64_t __o = 0;                       \
+		do {                                        \
+			int_fast64_t __l = atomic_load(&v); \
+			if (__l op val) {                   \
+				break;                      \
+			};                                  \
+			if (__o == __l) {                   \
+				__r--;                      \
+			} else {                            \
+				__r = WAIT_REPEATS;         \
+			}                                   \
+			__o = __l;                          \
+			isc_test_nap(T_WAIT);               \
+		} while (__r > 0);                          \
+		X(v);                                       \
+		P(__r);                                     \
+		assert_true(atomic_load(&v) op val);        \
+	}
+
+#define WAIT_FOR_EQ(v, val) WAIT_FOR(v, ==, val)
+#define WAIT_FOR_NE(v, val) WAIT_FOR(v, !=, val)
+#define WAIT_FOR_LE(v, val) WAIT_FOR(v, <=, val)
+#define WAIT_FOR_LT(v, val) WAIT_FOR(v, <, val)
+#define WAIT_FOR_GE(v, val) WAIT_FOR(v, >=, val)
+#define WAIT_FOR_GT(v, val) WAIT_FOR(v, >, val)
+
+#define DONE() atomic_store(&do_send, false);
+
+#define CHECK_RANGE_FULL(v)                \
+	{                                  \
+		int __v = atomic_load(&v); \
+		assert_true(__v > 1);      \
+	}
+
+#define CHECK_RANGE_HALF(v)                \
+	{                                  \
+		int __v = atomic_load(&v); \
+		assert_true(__v > 1);      \
+	}
+
+/* Enable this to print values while running tests */
+#undef PRINT_DEBUG
+#ifdef PRINT_DEBUG
+#define X(v)                                                               \
+	fprintf(stderr, "%s:%s:%d:%s = %" PRId64 "\n", __func__, __FILE__, \
+		__LINE__, #v, atomic_load(&v))
+#define P(v) fprintf(stderr, #v " = %" PRId64 "\n", v)
+#define F()                                                   \
+	fprintf(stderr, "%s(%p, %s, %p)\n", __func__, handle, \
+		isc_result_totext(eresult), cbarg)
+#else
+#define X(v)
+#define P(v)
+#define F()
+#endif
+
+#define atomic_assert_int_eq(val, exp) assert_int_equal(atomic_load(&val), exp)
+#define atomic_assert_int_ne(val, exp) \
+	assert_int_not_equal(atomic_load(&val), exp)
+#define atomic_assert_int_le(val, exp) assert_true(atomic_load(&val) <= exp)
+#define atomic_assert_int_lt(val, exp) assert_true(atomic_load(&val) > exp)
+#define atomic_assert_int_ge(val, exp) assert_true(atomic_load(&val) >= exp)
+#define atomic_assert_int_gt(val, exp) assert_true(atomic_load(&val) > exp)
+
+static int
+_setup(void **state __attribute__((unused))) {
+	char *p = NULL;
+
+	if (workers == 0) {
+		workers = isc_os_ncpus();
+	}
+	p = getenv("ISC_TASK_WORKERS");
+	if (p != NULL) {
+		workers = atoi(p);
+	}
+	INSIST(workers != 0);
+
+	if (isc_test_begin(NULL, false, workers) != ISC_R_SUCCESS) {
+		return (-1);
+	}
+
+	signal(SIGPIPE, SIG_IGN);
+
+	if (getenv("CI") == NULL || getenv("CI_ENABLE_ALL_TESTS") != NULL) {
+		esends = NSENDS * workers;
+	} else {
+		esends = workers;
+		skip_long_tests = true;
+	}
+
+	return (0);
+}
+
+static int
+_teardown(void **state __attribute__((unused))) {
+	isc_test_end();
+
+	return (0);
+}
+
+static int
+setup_ephemeral_port(isc_sockaddr_t *addr, sa_family_t family) {
+	socklen_t addrlen = sizeof(*addr);
+	uv_os_sock_t fd;
+	int r;
+
+	isc_sockaddr_fromin6(addr, &in6addr_loopback, 0);
+
+	fd = socket(AF_INET6, family, 0);
+	if (fd < 0) {
+		perror("setup_ephemeral_port: socket()");
+		return (-1);
+	}
+
+	r = bind(fd, (const struct sockaddr *)&addr->type.sa,
+		 sizeof(addr->type.sin6));
+	if (r != 0) {
+		perror("setup_ephemeral_port: bind()");
+		isc__nm_closesocket(fd);
+		return (r);
+	}
+
+	r = getsockname(fd, (struct sockaddr *)&addr->type.sa, &addrlen);
+	if (r != 0) {
+		perror("setup_ephemeral_port: getsockname()");
+		isc__nm_closesocket(fd);
+		return (r);
+	}
+
+#if IPV6_RECVERR
+#define setsockopt_on(socket, level, name) \
+	setsockopt(socket, level, name, &(int){ 1 }, sizeof(int))
+
+	r = setsockopt_on(fd, IPPROTO_IPV6, IPV6_RECVERR);
+	if (r != 0) {
+		perror("setup_ephemeral_port");
+		isc__nm_closesocket(fd);
+		return (r);
+	}
+#endif
+
+	return (fd);
+}
+
+static int
+nm_setup(void **state __attribute__((unused))) {
+	uv_os_sock_t tcp_listen_sock = -1;
+	uv_os_sock_t udp_listen_sock = -1;
+
+	udp_connect_addr = (isc_sockaddr_t){ .length = 0 };
+	isc_sockaddr_fromin6(&udp_connect_addr, &in6addr_loopback, 0);
+
+	udp_listen_addr = (isc_sockaddr_t){ .length = 0 };
+	udp_listen_sock = setup_ephemeral_port(&udp_listen_addr, SOCK_DGRAM);
+	if (udp_listen_sock < 0) {
+		return (-1);
+	}
+	isc__nm_closesocket(udp_listen_sock);
+
+	tcp_connect_addr = (isc_sockaddr_t){ .length = 0 };
+	isc_sockaddr_fromin6(&tcp_connect_addr, &in6addr_loopback, 0);
+
+	tcp_listen_addr = (isc_sockaddr_t){ .length = 0 };
+	tcp_listen_sock = setup_ephemeral_port(&tcp_listen_addr, SOCK_STREAM);
+	if (tcp_listen_sock < 0) {
+		return (-1);
+	}
+	isc__nm_closesocket(tcp_listen_sock);
+
+	atomic_store(&do_send, true);
+	atomic_store(&nsends, esends);
+
+	atomic_store(&saccepts, 0);
+	atomic_store(&sreads, 0);
+	atomic_store(&ssends, 0);
+
+	atomic_store(&cconnects, 0);
+	atomic_store(&csends, 0);
+	atomic_store(&creads, 0);
+	atomic_store(&ctimeouts, 0);
+	allow_send_back = false;
+
+	isc_refcount_init(&active_cconnects, 0);
+	isc_refcount_init(&active_csends, 0);
+	isc_refcount_init(&active_creads, 0);
+	isc_refcount_init(&active_ssends, 0);
+	isc_refcount_init(&active_sreads, 0);
+
+	isc_nonce_buf(&send_magic, sizeof(send_magic));
+	isc_nonce_buf(&stop_magic, sizeof(stop_magic));
+	if (send_magic == stop_magic) {
+		return (-1);
+	}
+
+	isc__netmgr_create(test_mctx, workers, &listen_nm);
+	assert_non_null(listen_nm);
+	isc_nm_settimeouts(listen_nm, T_INIT, T_IDLE, T_KEEPALIVE,
+			   T_ADVERTISED);
+
+	isc__netmgr_create(test_mctx, workers, &connect_nm);
+	assert_non_null(connect_nm);
+	isc_nm_settimeouts(connect_nm, T_INIT, T_IDLE, T_KEEPALIVE,
+			   T_ADVERTISED);
+
+	isc_quota_init(&listener_quota, 0);
+	atomic_store(&check_listener_quota, false);
+
+	connect_readcb = connect_read_cb;
+	noanswer = false;
+
+	return (0);
+}
+
+static int
+nm_teardown(void **state __attribute__((unused))) {
+	UNUSED(state);
+
+	isc__netmgr_destroy(&connect_nm);
+	assert_null(connect_nm);
+
+	isc__netmgr_destroy(&listen_nm);
+	assert_null(listen_nm);
+
+	WAIT_FOR_EQ(active_cconnects, 0);
+	WAIT_FOR_EQ(active_csends, 0);
+	WAIT_FOR_EQ(active_csends, 0);
+	WAIT_FOR_EQ(active_ssends, 0);
+	WAIT_FOR_EQ(active_sreads, 0);
+
+	isc_refcount_destroy(&active_cconnects);
+	isc_refcount_destroy(&active_csends);
+	isc_refcount_destroy(&active_creads);
+	isc_refcount_destroy(&active_ssends);
+	isc_refcount_destroy(&active_sreads);
+
+	return (0);
+}
+
+/* Callbacks */
+
+static void
+noop_recv_cb(isc_nmhandle_t *handle, isc_result_t eresult, isc_region_t *region,
+	     void *cbarg) {
+	UNUSED(handle);
+	UNUSED(eresult);
+	UNUSED(region);
+	UNUSED(cbarg);
+}
+
+static unsigned int
+noop_accept_cb(isc_nmhandle_t *handle, unsigned int result, void *cbarg) {
+	UNUSED(handle);
+	UNUSED(result);
+	UNUSED(cbarg);
+
+	return (0);
+}
+
+static void
+connect_send_cb(isc_nmhandle_t *handle, isc_result_t eresult, void *cbarg);
+
+static void
+connect_send(isc_nmhandle_t *handle);
+
+static void
+connect_send_cb(isc_nmhandle_t *handle, isc_result_t eresult, void *cbarg) {
+	isc_nmhandle_t *sendhandle = handle;
+
+	assert_non_null(sendhandle);
+
+	UNUSED(cbarg);
+
+	F();
+
+	if (eresult != ISC_R_SUCCESS) {
+		/* Send failed, we need to stop reading too */
+		isc_nm_cancelread(handle);
+		goto unref;
+	}
+
+	atomic_fetch_add(&csends, 1);
+unref:
+	isc_refcount_decrement(&active_csends);
+	isc_nmhandle_detach(&sendhandle);
+}
+
+static void
+connect_send(isc_nmhandle_t *handle) {
+	isc_nmhandle_t *sendhandle = NULL;
+	isc_refcount_increment0(&active_csends);
+	isc_nmhandle_attach(handle, &sendhandle);
+	isc_nmhandle_setwritetimeout(handle, T_IDLE);
+	if (atomic_fetch_sub(&nsends, 1) > 1) {
+		isc_nm_send(sendhandle, &send_msg, connect_send_cb, NULL);
+	} else {
+		isc_nm_send(sendhandle, &stop_msg, connect_send_cb, NULL);
+	}
+}
+
+static void
+connect_read_cb(isc_nmhandle_t *handle, isc_result_t eresult,
+		isc_region_t *region, void *cbarg) {
+	uint64_t magic = 0;
+
+	UNUSED(cbarg);
+
+	assert_non_null(handle);
+
+	F();
+
+	if (eresult != ISC_R_SUCCESS) {
+		goto unref;
+	}
+
+	assert_true(region->length >= sizeof(magic));
+
+	atomic_fetch_add(&creads, 1);
+
+	memmove(&magic, region->base, sizeof(magic));
+
+	assert_true(magic == stop_magic || magic == send_magic);
+
+	if (magic == send_magic && allow_send_back) {
+		connect_send(handle);
+		return;
+	}
+
+unref:
+	isc_refcount_decrement(&active_creads);
+	isc_nmhandle_detach(&handle);
+}
+
+static void
+connect_connect_cb(isc_nmhandle_t *handle, isc_result_t eresult, void *cbarg) {
+	isc_nmhandle_t *readhandle = NULL;
+
+	UNUSED(cbarg);
+
+	F();
+
+	isc_refcount_decrement(&active_cconnects);
+
+	if (eresult != ISC_R_SUCCESS || connect_readcb == NULL) {
+		return;
+	}
+
+	atomic_fetch_add(&cconnects, 1);
+
+	isc_refcount_increment0(&active_creads);
+	isc_nmhandle_attach(handle, &readhandle);
+	isc_nm_read(handle, connect_readcb, NULL);
+
+	connect_send(handle);
+}
+
+static void
+listen_send_cb(isc_nmhandle_t *handle, isc_result_t eresult, void *cbarg) {
+	isc_nmhandle_t *sendhandle = handle;
+
+	UNUSED(cbarg);
+	UNUSED(eresult);
+
+	assert_non_null(sendhandle);
+
+	F();
+
+	if (eresult != ISC_R_SUCCESS) {
+		goto unref;
+	}
+
+	atomic_fetch_add(&ssends, 1);
+unref:
+	isc_nmhandle_detach(&sendhandle);
+	isc_refcount_decrement(&active_ssends);
+}
+
+static void
+listen_read_cb(isc_nmhandle_t *handle, isc_result_t eresult,
+	       isc_region_t *region, void *cbarg) {
+	uint64_t magic = 0;
+
+	assert_non_null(handle);
+
+	F();
+
+	if (eresult != ISC_R_SUCCESS) {
+		goto unref;
+	}
+
+	atomic_fetch_add(&sreads, 1);
+
+	assert_true(region->length >= sizeof(magic));
+
+	memmove(&magic, region->base, sizeof(magic));
+	assert_true(magic == stop_magic || magic == send_magic);
+
+	if (magic == send_magic) {
+		if (!noanswer) {
+			isc_nmhandle_t *sendhandle = NULL;
+			isc_nmhandle_attach(handle, &sendhandle);
+			isc_refcount_increment0(&active_ssends);
+			isc_nmhandle_setwritetimeout(sendhandle, T_IDLE);
+			isc_nm_send(sendhandle, &send_msg, listen_send_cb,
+				    cbarg);
+		}
+		return;
+	}
+
+unref:
+	if (handle == cbarg) {
+		isc_refcount_decrement(&active_sreads);
+		isc_nmhandle_detach(&handle);
+	}
+}
+
+static isc_result_t
+listen_accept_cb(isc_nmhandle_t *handle, isc_result_t eresult, void *cbarg) {
+	UNUSED(handle);
+	UNUSED(cbarg);
+
+	F();
+
+	return (eresult);
+}
+
+static isc_result_t
+stream_accept_cb(isc_nmhandle_t *handle, isc_result_t eresult, void *cbarg) {
+	isc_nmhandle_t *readhandle = NULL;
+
+	UNUSED(cbarg);
+
+	F();
+
+	if (eresult != ISC_R_SUCCESS) {
+		return (eresult);
+	}
+
+	atomic_fetch_add(&saccepts, 1);
+
+	isc_refcount_increment0(&active_sreads);
+	isc_nmhandle_attach(handle, &readhandle);
+	isc_nm_read(handle, listen_read_cb, readhandle);
+
+	return (ISC_R_SUCCESS);
+}
+
+typedef void (*connect_func)(isc_nm_t *);
+
+static isc_threadresult_t
+connect_thread(isc_threadarg_t arg) {
+	connect_func connect = (connect_func)arg;
+	isc_sockaddr_t connect_addr;
+
+	connect_addr = (isc_sockaddr_t){ .length = 0 };
+	isc_sockaddr_fromin6(&connect_addr, &in6addr_loopback, 0);
+
+	while (atomic_load(&do_send)) {
+		uint_fast32_t active =
+			isc_refcount_increment0(&active_cconnects);
+		if (active > workers) {
+			/*
+			 * If we have more active connections than workers,
+			 * start slowing down the connections to prevent the
+			 * thundering herd problem.
+			 */
+			isc_test_nap((active - workers) * 1000);
+		}
+		connect(connect_nm);
+	}
+
+	return ((isc_threadresult_t)0);
+}
+
+/* UDP */
+
+static void
+udp_connect(isc_nm_t *nm) {
+	isc_nm_udpconnect(nm, &udp_connect_addr, &udp_listen_addr,
+			  connect_connect_cb, NULL, T_CONNECT, 0);
+}
+
+static void
+mock_listenudp_uv_udp_open(void **state __attribute__((unused))) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_nmsocket_t *listen_sock = NULL;
+
+	WILL_RETURN(uv_udp_open, UV_ENOMEM);
+
+	result = isc_nm_listenudp(listen_nm, &udp_listen_addr, noop_recv_cb,
+				  NULL, 0, &listen_sock);
+	assert_int_not_equal(result, ISC_R_SUCCESS);
+	assert_null(listen_sock);
+
+	RESET_RETURN;
+}
+
+static void
+mock_listenudp_uv_udp_bind(void **state __attribute__((unused))) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_nmsocket_t *listen_sock = NULL;
+
+	WILL_RETURN(uv_udp_bind, UV_EADDRINUSE);
+
+	result = isc_nm_listenudp(listen_nm, &udp_listen_addr, noop_recv_cb,
+				  NULL, 0, &listen_sock);
+	assert_int_not_equal(result, ISC_R_SUCCESS);
+	assert_null(listen_sock);
+
+	RESET_RETURN;
+}
+
+static void
+mock_listenudp_uv_udp_recv_start(void **state __attribute__((unused))) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_nmsocket_t *listen_sock = NULL;
+
+	WILL_RETURN(uv_udp_recv_start, UV_EADDRINUSE);
+
+	result = isc_nm_listenudp(listen_nm, &udp_listen_addr, noop_recv_cb,
+				  NULL, 0, &listen_sock);
+	assert_int_not_equal(result, ISC_R_SUCCESS);
+	assert_null(listen_sock);
+
+	RESET_RETURN;
+}
+
+static void
+mock_udpconnect_uv_udp_open(void **state __attribute__((unused))) {
+	WILL_RETURN(uv_udp_open, UV_ENOMEM);
+
+	connect_readcb = NULL;
+	isc_refcount_increment0(&active_cconnects);
+	isc_nm_udpconnect(connect_nm, &udp_connect_addr, &udp_listen_addr,
+			  connect_connect_cb, NULL, T_CONNECT, 0);
+	isc__netmgr_shutdown(connect_nm);
+
+	RESET_RETURN;
+}
+
+static void
+mock_udpconnect_uv_udp_bind(void **state __attribute__((unused))) {
+	WILL_RETURN(uv_udp_bind, UV_ENOMEM);
+
+	connect_readcb = NULL;
+	isc_refcount_increment0(&active_cconnects);
+	isc_nm_udpconnect(connect_nm, &udp_connect_addr, &udp_listen_addr,
+			  connect_connect_cb, NULL, T_CONNECT, 0);
+	isc__netmgr_shutdown(connect_nm);
+
+	RESET_RETURN;
+}
+
+#if UV_VERSION_HEX >= UV_VERSION(1, 27, 0)
+static void
+mock_udpconnect_uv_udp_connect(void **state __attribute__((unused))) {
+	WILL_RETURN(uv_udp_connect, UV_ENOMEM);
+
+	connect_readcb = NULL;
+	isc_refcount_increment0(&active_cconnects);
+	isc_nm_udpconnect(connect_nm, &udp_connect_addr, &udp_listen_addr,
+			  connect_connect_cb, NULL, T_CONNECT, 0);
+	isc__netmgr_shutdown(connect_nm);
+
+	RESET_RETURN;
+}
+#endif
+
+static void
+mock_udpconnect_uv_recv_buffer_size(void **state __attribute__((unused))) {
+	WILL_RETURN(uv_recv_buffer_size, UV_ENOMEM);
+
+	connect_readcb = NULL;
+	isc_refcount_increment0(&active_cconnects);
+	isc_nm_udpconnect(connect_nm, &udp_connect_addr, &udp_listen_addr,
+			  connect_connect_cb, NULL, T_CONNECT, 0);
+	isc__netmgr_shutdown(connect_nm);
+
+	RESET_RETURN;
+}
+
+static void
+mock_udpconnect_uv_send_buffer_size(void **state __attribute__((unused))) {
+	WILL_RETURN(uv_send_buffer_size, UV_ENOMEM);
+
+	connect_readcb = NULL;
+	isc_refcount_increment0(&active_cconnects);
+	isc_nm_udpconnect(connect_nm, &udp_connect_addr, &udp_listen_addr,
+			  connect_connect_cb, NULL, T_CONNECT, 0);
+	isc__netmgr_shutdown(connect_nm);
+
+	RESET_RETURN;
+}
+
+static void
+udp_noop(void **state __attribute__((unused))) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_nmsocket_t *listen_sock = NULL;
+
+	result = isc_nm_listenudp(listen_nm, &udp_listen_addr, noop_recv_cb,
+				  NULL, 0, &listen_sock);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	isc_nm_stoplistening(listen_sock);
+	isc_nmsocket_close(&listen_sock);
+	assert_null(listen_sock);
+
+	connect_readcb = NULL;
+	isc_refcount_increment0(&active_cconnects);
+	isc_nm_udpconnect(connect_nm, &udp_connect_addr, &udp_listen_addr,
+			  connect_connect_cb, NULL, T_CONNECT, 0);
+	isc__netmgr_shutdown(connect_nm);
+
+	atomic_assert_int_eq(cconnects, 0);
+	atomic_assert_int_eq(csends, 0);
+	atomic_assert_int_eq(creads, 0);
+	atomic_assert_int_eq(sreads, 0);
+	atomic_assert_int_eq(ssends, 0);
+}
+
+static void
+udp_noresponse(void **state __attribute__((unused))) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_nmsocket_t *listen_sock = NULL;
+
+	result = isc_nm_listenudp(listen_nm, &udp_listen_addr, noop_recv_cb,
+				  NULL, 0, &listen_sock);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	isc_refcount_increment0(&active_cconnects);
+	isc_nm_udpconnect(connect_nm, &udp_connect_addr, &udp_listen_addr,
+			  connect_connect_cb, NULL, T_CONNECT, 0);
+
+	WAIT_FOR_EQ(cconnects, 1);
+	WAIT_FOR_EQ(csends, 1);
+
+	isc_nm_stoplistening(listen_sock);
+	isc_nmsocket_close(&listen_sock);
+	assert_null(listen_sock);
+	isc__netmgr_shutdown(connect_nm);
+
+	X(cconnects);
+	X(csends);
+	X(creads);
+	X(sreads);
+	X(ssends);
+
+	atomic_assert_int_eq(cconnects, 1);
+	atomic_assert_int_eq(csends, 1);
+	atomic_assert_int_eq(creads, 0);
+	atomic_assert_int_eq(sreads, 0);
+	atomic_assert_int_eq(ssends, 0);
+}
+
+static void
+timeout_retry_cb(isc_nmhandle_t *handle, isc_result_t eresult,
+		 isc_region_t *region, void *cbarg) {
+	UNUSED(region);
+	UNUSED(cbarg);
+
+	assert_non_null(handle);
+
+	F();
+
+	if (eresult == ISC_R_TIMEDOUT && atomic_load(&csends) < 5) {
+		isc_nmhandle_settimeout(handle, T_SOFT);
+		connect_send(handle);
+		return;
+	}
+
+	atomic_fetch_add(&ctimeouts, 1);
+
+	isc_refcount_decrement(&active_creads);
+	isc_nmhandle_detach(&handle);
+}
+
+static void
+udp_timeout_recovery(void **state __attribute__((unused))) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_nmsocket_t *listen_sock = NULL;
+
+	SKIP_IN_CI;
+
+	/*
+	 * Listen using the noop callback so that client reads will time out.
+	 */
+	result = isc_nm_listenudp(listen_nm, &udp_listen_addr, noop_recv_cb,
+				  NULL, 0, &listen_sock);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/*
+	 * Connect with client timeout set to 0.05 seconds, then sleep for at
+	 * least a second for each 'tick'. timeout_retry_cb() will give up
+	 * after five timeouts.
+	 */
+	connect_readcb = timeout_retry_cb;
+	isc_refcount_increment0(&active_cconnects);
+	isc_nm_udpconnect(connect_nm, &udp_connect_addr, &udp_listen_addr,
+			  connect_connect_cb, NULL, T_SOFT, 0);
+
+	WAIT_FOR_EQ(cconnects, 1);
+	WAIT_FOR_GE(csends, 1);
+	WAIT_FOR_GE(csends, 2);
+	WAIT_FOR_GE(csends, 3);
+	WAIT_FOR_GE(csends, 4);
+	WAIT_FOR_EQ(csends, 5);
+	WAIT_FOR_EQ(ctimeouts, 1);
+
+	isc_nm_stoplistening(listen_sock);
+	isc_nmsocket_close(&listen_sock);
+	assert_null(listen_sock);
+	isc__netmgr_shutdown(connect_nm);
+}
+
+static void
+udp_recv_one(void **state __attribute__((unused))) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_nmsocket_t *listen_sock = NULL;
+
+	atomic_store(&nsends, 1);
+
+	result = isc_nm_listenudp(listen_nm, &udp_listen_addr, listen_read_cb,
+				  NULL, 0, &listen_sock);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	isc_refcount_increment0(&active_cconnects);
+	isc_nm_udpconnect(connect_nm, &udp_connect_addr, &udp_listen_addr,
+			  connect_connect_cb, NULL, T_CONNECT, 0);
+
+	WAIT_FOR_EQ(cconnects, 1);
+	WAIT_FOR_LE(nsends, 0);
+	WAIT_FOR_EQ(csends, 1);
+	WAIT_FOR_EQ(sreads, 1);
+	WAIT_FOR_EQ(ssends, 0);
+	WAIT_FOR_EQ(creads, 0);
+
+	isc_nm_stoplistening(listen_sock);
+	isc_nmsocket_close(&listen_sock);
+	assert_null(listen_sock);
+	isc__netmgr_shutdown(connect_nm);
+
+	X(cconnects);
+	X(csends);
+	X(creads);
+	X(sreads);
+	X(ssends);
+
+	atomic_assert_int_eq(cconnects, 1);
+	atomic_assert_int_eq(csends, 1);
+	atomic_assert_int_eq(creads, 0);
+	atomic_assert_int_eq(sreads, 1);
+	atomic_assert_int_eq(ssends, 0);
+}
+
+static void
+udp_recv_two(void **state __attribute__((unused))) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_nmsocket_t *listen_sock = NULL;
+
+	atomic_store(&nsends, 2);
+
+	result = isc_nm_listenudp(listen_nm, &udp_listen_addr, listen_read_cb,
+				  NULL, 0, &listen_sock);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	isc_refcount_increment0(&active_cconnects);
+	isc_nm_udpconnect(connect_nm, &udp_connect_addr, &udp_listen_addr,
+			  connect_connect_cb, NULL, T_CONNECT, 0);
+
+	WAIT_FOR_EQ(cconnects, 1);
+
+	isc_refcount_increment0(&active_cconnects);
+	isc_nm_udpconnect(connect_nm, &udp_connect_addr, &udp_listen_addr,
+			  connect_connect_cb, NULL, T_CONNECT, 0);
+
+	WAIT_FOR_EQ(cconnects, 2);
+	WAIT_FOR_LE(nsends, 0);
+	WAIT_FOR_EQ(csends, 2);
+	WAIT_FOR_EQ(sreads, 2);
+	WAIT_FOR_EQ(ssends, 1);
+	WAIT_FOR_EQ(creads, 1);
+
+	isc_nm_stoplistening(listen_sock);
+	isc_nmsocket_close(&listen_sock);
+	assert_null(listen_sock);
+	isc__netmgr_shutdown(connect_nm);
+
+	X(cconnects);
+	X(csends);
+	X(creads);
+	X(sreads);
+	X(ssends);
+
+	atomic_assert_int_eq(cconnects, 2);
+	atomic_assert_int_eq(csends, 2);
+	atomic_assert_int_eq(creads, 1);
+	atomic_assert_int_eq(sreads, 2);
+	atomic_assert_int_eq(ssends, 1);
+}
+
+static void
+udp_recv_send(void **state __attribute__((unused))) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_nmsocket_t *listen_sock = NULL;
+	isc_thread_t threads[workers];
+
+	SKIP_IN_CI;
+
+	result = isc_nm_listenudp(listen_nm, &udp_listen_addr, listen_read_cb,
+				  NULL, 0, &listen_sock);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	memset(threads, 0, sizeof(threads));
+	for (size_t i = 0; i < workers; i++) {
+		isc_thread_create(connect_thread, udp_connect, &threads[i]);
+	}
+
+	WAIT_FOR_GE(cconnects, esends);
+	WAIT_FOR_GE(csends, esends);
+	WAIT_FOR_GE(sreads, esends);
+	WAIT_FOR_GE(ssends, esends / 2);
+	WAIT_FOR_GE(creads, esends / 2);
+
+	DONE();
+	for (size_t i = 0; i < workers; i++) {
+		isc_thread_join(threads[i], NULL);
+	}
+
+	isc__netmgr_shutdown(connect_nm);
+	isc_nm_stoplistening(listen_sock);
+	isc_nmsocket_close(&listen_sock);
+	assert_null(listen_sock);
+
+	X(cconnects);
+	X(csends);
+	X(creads);
+	X(sreads);
+	X(ssends);
+
+	CHECK_RANGE_FULL(csends);
+	CHECK_RANGE_FULL(creads);
+	CHECK_RANGE_FULL(sreads);
+	CHECK_RANGE_FULL(ssends);
+}
+
+static void
+udp_recv_half_send(void **state __attribute__((unused))) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_nmsocket_t *listen_sock = NULL;
+	isc_thread_t threads[workers];
+
+	SKIP_IN_CI;
+
+	result = isc_nm_listenudp(listen_nm, &udp_listen_addr, listen_read_cb,
+				  NULL, 0, &listen_sock);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	memset(threads, 0, sizeof(threads));
+	for (size_t i = 0; i < workers; i++) {
+		isc_thread_create(connect_thread, udp_connect, &threads[i]);
+	}
+
+	WAIT_FOR_GE(cconnects, esends / 2);
+	WAIT_FOR_GE(csends, esends / 2);
+	WAIT_FOR_GE(sreads, esends / 2);
+	WAIT_FOR_GE(ssends, esends / 2);
+	WAIT_FOR_GE(creads, esends / 2);
+
+	isc__netmgr_shutdown(connect_nm);
+
+	DONE();
+	for (size_t i = 0; i < workers; i++) {
+		isc_thread_join(threads[i], NULL);
+	}
+
+	isc_nm_stoplistening(listen_sock);
+	isc_nmsocket_close(&listen_sock);
+	assert_null(listen_sock);
+
+	X(cconnects);
+	X(csends);
+	X(creads);
+	X(sreads);
+	X(ssends);
+
+	CHECK_RANGE_FULL(csends);
+	CHECK_RANGE_HALF(creads);
+	CHECK_RANGE_HALF(sreads);
+	CHECK_RANGE_HALF(ssends);
+}
+
+static void
+udp_half_recv_send(void **state __attribute__((unused))) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_nmsocket_t *listen_sock = NULL;
+	isc_thread_t threads[workers];
+
+	SKIP_IN_CI;
+
+	result = isc_nm_listenudp(listen_nm, &udp_listen_addr, listen_read_cb,
+				  NULL, 0, &listen_sock);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	memset(threads, 0, sizeof(threads));
+	for (size_t i = 0; i < workers; i++) {
+		isc_thread_create(connect_thread, udp_connect, &threads[i]);
+	}
+
+	WAIT_FOR_GE(cconnects, esends / 2);
+	WAIT_FOR_GE(csends, esends / 2);
+	WAIT_FOR_GE(sreads, esends / 2);
+	WAIT_FOR_GE(ssends, esends / 2);
+	WAIT_FOR_GE(creads, esends / 2);
+
+	isc_nm_stoplistening(listen_sock);
+	isc_nmsocket_close(&listen_sock);
+	assert_null(listen_sock);
+
+	/* Try to send a little while longer */
+	isc_test_nap((esends / 2) * 10000);
+
+	isc__netmgr_shutdown(connect_nm);
+
+	DONE();
+	for (size_t i = 0; i < workers; i++) {
+		isc_thread_join(threads[i], NULL);
+	}
+
+	X(cconnects);
+	X(csends);
+	X(creads);
+	X(sreads);
+	X(ssends);
+
+	CHECK_RANGE_FULL(csends);
+	CHECK_RANGE_HALF(creads);
+	CHECK_RANGE_HALF(sreads);
+	CHECK_RANGE_HALF(ssends);
+}
+
+static void
+udp_half_recv_half_send(void **state __attribute__((unused))) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_nmsocket_t *listen_sock = NULL;
+	isc_thread_t threads[workers];
+
+	SKIP_IN_CI;
+
+	result = isc_nm_listenudp(listen_nm, &udp_listen_addr, listen_read_cb,
+				  NULL, 0, &listen_sock);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	memset(threads, 0, sizeof(threads));
+	for (size_t i = 0; i < workers; i++) {
+		isc_thread_create(connect_thread, udp_connect, &threads[i]);
+	}
+
+	WAIT_FOR_GE(cconnects, esends / 2);
+	WAIT_FOR_GE(csends, esends / 2);
+	WAIT_FOR_GE(sreads, esends / 2);
+	WAIT_FOR_GE(ssends, esends / 2);
+	WAIT_FOR_GE(creads, esends / 2);
+
+	isc__netmgr_shutdown(connect_nm);
+	isc_nm_stoplistening(listen_sock);
+	isc_nmsocket_close(&listen_sock);
+	assert_null(listen_sock);
+
+	DONE();
+	for (size_t i = 0; i < workers; i++) {
+		isc_thread_join(threads[i], NULL);
+	}
+
+	X(cconnects);
+	X(csends);
+	X(creads);
+	X(sreads);
+	X(ssends);
+
+	CHECK_RANGE_FULL(csends);
+	CHECK_RANGE_HALF(creads);
+	CHECK_RANGE_HALF(sreads);
+	CHECK_RANGE_HALF(ssends);
+}
+
+/* Common stream protocols code */
+
+static isc_quota_t *
+tcp_listener_init_quota(size_t nthreads) {
+	isc_quota_t *quotap = NULL;
+	if (atomic_load(&check_listener_quota)) {
+		unsigned max_quota = ISC_MAX(nthreads / 2, 1);
+		isc_quota_max(&listener_quota, max_quota);
+		quotap = &listener_quota;
+	}
+	return (quotap);
+}
+
+static void
+tcp_connect(isc_nm_t *nm) {
+	isc_nm_tcpconnect(nm, &tcp_connect_addr, &tcp_listen_addr,
+			  connect_connect_cb, NULL, T_CONNECT, 0);
+}
+
+static stream_connect_function
+get_stream_connect_function(void) {
+	return (tcp_connect);
+}
+
+static isc_result_t
+stream_listen(isc_nm_accept_cb_t accept_cb, void *accept_cbarg,
+	      size_t extrahandlesize, int backlog, isc_quota_t *quota,
+	      isc_nmsocket_t **sockp) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	result = isc_nm_listentcp(listen_nm, &tcp_listen_addr, accept_cb,
+				  accept_cbarg, extrahandlesize, backlog, quota,
+				  sockp);
+
+	return (result);
+}
+
+static void
+stream_connect(isc_nm_cb_t cb, void *cbarg, unsigned int timeout,
+	       size_t extrahandlesize) {
+	isc_nm_tcpconnect(connect_nm, &tcp_connect_addr, &tcp_listen_addr, cb,
+			  cbarg, timeout, extrahandlesize);
+}
+
+static void
+stream_noop(void **state __attribute__((unused))) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_nmsocket_t *listen_sock = NULL;
+
+	result = stream_listen(noop_accept_cb, NULL, 0, 0, NULL, &listen_sock);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	isc_nm_stoplistening(listen_sock);
+	isc_nmsocket_close(&listen_sock);
+	assert_null(listen_sock);
+
+	connect_readcb = NULL;
+	isc_refcount_increment0(&active_cconnects);
+	stream_connect(connect_connect_cb, NULL, T_CONNECT, 0);
+	isc__netmgr_shutdown(connect_nm);
+
+	atomic_assert_int_eq(cconnects, 0);
+	atomic_assert_int_eq(csends, 0);
+	atomic_assert_int_eq(creads, 0);
+	atomic_assert_int_eq(sreads, 0);
+	atomic_assert_int_eq(ssends, 0);
+}
+
+static void
+stream_noresponse(void **state __attribute__((unused))) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_nmsocket_t *listen_sock = NULL;
+
+	result = stream_listen(noop_accept_cb, NULL, 0, 0, NULL, &listen_sock);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	isc_refcount_increment0(&active_cconnects);
+	stream_connect(connect_connect_cb, NULL, T_CONNECT, 0);
+
+	WAIT_FOR_EQ(cconnects, 1);
+	WAIT_FOR_EQ(csends, 1);
+
+	isc_nm_stoplistening(listen_sock);
+	isc_nmsocket_close(&listen_sock);
+	assert_null(listen_sock);
+	isc__netmgr_shutdown(connect_nm);
+
+	X(cconnects);
+	X(csends);
+	X(creads);
+	X(sreads);
+	X(ssends);
+
+	atomic_assert_int_eq(cconnects, 1);
+	atomic_assert_int_eq(csends, 1);
+	atomic_assert_int_eq(creads, 0);
+	atomic_assert_int_eq(sreads, 0);
+	atomic_assert_int_eq(ssends, 0);
+}
+
+static void
+stream_timeout_recovery(void **state __attribute__((unused))) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_nmsocket_t *listen_sock = NULL;
+
+	SKIP_IN_CI;
+
+	/*
+	 * Accept connections but don't send responses, forcing client
+	 * reads to time out.
+	 */
+	noanswer = true;
+	result = stream_listen(stream_accept_cb, NULL, 0, 0, NULL,
+			       &listen_sock);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/*
+	 * Shorten all the client timeouts to 0.05 seconds.
+	 */
+	isc_nm_settimeouts(connect_nm, T_SOFT, T_SOFT, T_SOFT, T_SOFT);
+	connect_readcb = timeout_retry_cb;
+	isc_refcount_increment0(&active_cconnects);
+	stream_connect(connect_connect_cb, NULL, T_SOFT, 0);
+
+	WAIT_FOR_EQ(cconnects, 1);
+	WAIT_FOR_GE(csends, 1);
+	WAIT_FOR_GE(csends, 2);
+	WAIT_FOR_GE(csends, 3);
+	WAIT_FOR_GE(csends, 4);
+	WAIT_FOR_EQ(csends, 5);
+	WAIT_FOR_EQ(ctimeouts, 1);
+
+	isc_nm_stoplistening(listen_sock);
+	isc_nmsocket_close(&listen_sock);
+	assert_null(listen_sock);
+	isc__netmgr_shutdown(connect_nm);
+}
+
+static void
+stream_recv_one(void **state __attribute__((unused))) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_nmsocket_t *listen_sock = NULL;
+	isc_quota_t *quotap = tcp_listener_init_quota(1);
+
+	atomic_store(&nsends, 1);
+
+	result = stream_listen(stream_accept_cb, NULL, 0, 0, quotap,
+			       &listen_sock);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	isc_refcount_increment0(&active_cconnects);
+	stream_connect(connect_connect_cb, NULL, T_CONNECT, 0);
+
+	WAIT_FOR_EQ(cconnects, 1);
+	WAIT_FOR_LE(nsends, 0);
+	WAIT_FOR_EQ(csends, 1);
+	WAIT_FOR_EQ(sreads, 1);
+	WAIT_FOR_EQ(ssends, 0);
+	WAIT_FOR_EQ(creads, 0);
+
+	isc_nm_stoplistening(listen_sock);
+	isc_nmsocket_close(&listen_sock);
+	assert_null(listen_sock);
+	isc__netmgr_shutdown(connect_nm);
+
+	X(cconnects);
+	X(csends);
+	X(creads);
+	X(sreads);
+	X(ssends);
+
+	atomic_assert_int_eq(cconnects, 1);
+	atomic_assert_int_eq(csends, 1);
+	atomic_assert_int_eq(creads, 0);
+	atomic_assert_int_eq(sreads, 1);
+	atomic_assert_int_eq(ssends, 0);
+}
+
+static void
+stream_recv_two(void **state __attribute__((unused))) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_nmsocket_t *listen_sock = NULL;
+	isc_quota_t *quotap = tcp_listener_init_quota(1);
+
+	atomic_store(&nsends, 2);
+
+	result = stream_listen(stream_accept_cb, NULL, 0, 0, quotap,
+			       &listen_sock);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	isc_refcount_increment0(&active_cconnects);
+	stream_connect(connect_connect_cb, NULL, T_CONNECT, 0);
+
+	WAIT_FOR_EQ(cconnects, 1);
+
+	isc_refcount_increment0(&active_cconnects);
+	stream_connect(connect_connect_cb, NULL, T_CONNECT, 0);
+
+	WAIT_FOR_EQ(cconnects, 2);
+	WAIT_FOR_LE(nsends, 0);
+	WAIT_FOR_EQ(csends, 2);
+	WAIT_FOR_EQ(sreads, 2);
+	WAIT_FOR_EQ(ssends, 1);
+	WAIT_FOR_EQ(creads, 1);
+
+	isc_nm_stoplistening(listen_sock);
+	isc_nmsocket_close(&listen_sock);
+	assert_null(listen_sock);
+	isc__netmgr_shutdown(connect_nm);
+
+	X(cconnects);
+	X(csends);
+	X(creads);
+	X(sreads);
+	X(ssends);
+
+	atomic_assert_int_eq(cconnects, 2);
+	atomic_assert_int_eq(csends, 2);
+	atomic_assert_int_eq(creads, 1);
+	atomic_assert_int_eq(sreads, 2);
+	atomic_assert_int_eq(ssends, 1);
+}
+
+static void
+stream_recv_send(void **state __attribute__((unused))) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_nmsocket_t *listen_sock = NULL;
+	isc_thread_t threads[workers];
+	isc_quota_t *quotap = tcp_listener_init_quota(workers);
+
+	SKIP_IN_CI;
+
+	result = stream_listen(stream_accept_cb, NULL, 0, 0, quotap,
+			       &listen_sock);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	memset(threads, 0, sizeof(threads));
+	for (size_t i = 0; i < workers; i++) {
+		isc_thread_create(connect_thread, get_stream_connect_function(),
+				  &threads[i]);
+	}
+
+	if (allow_send_back) {
+		WAIT_FOR_GE(cconnects, 1);
+	} else {
+		WAIT_FOR_GE(cconnects, esends);
+	}
+	WAIT_FOR_GE(csends, esends);
+	WAIT_FOR_GE(sreads, esends);
+	WAIT_FOR_GE(ssends, esends / 2);
+	WAIT_FOR_GE(creads, esends / 2);
+
+	DONE();
+	for (size_t i = 0; i < workers; i++) {
+		isc_thread_join(threads[i], NULL);
+	}
+
+	isc__netmgr_shutdown(connect_nm);
+	isc_nm_stoplistening(listen_sock);
+	isc_nmsocket_close(&listen_sock);
+	assert_null(listen_sock);
+
+	X(cconnects);
+	X(csends);
+	X(creads);
+	X(sreads);
+	X(ssends);
+
+	CHECK_RANGE_FULL(csends);
+	CHECK_RANGE_FULL(creads);
+	CHECK_RANGE_FULL(sreads);
+	CHECK_RANGE_FULL(ssends);
+}
+
+static void
+stream_recv_half_send(void **state __attribute__((unused))) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_nmsocket_t *listen_sock = NULL;
+	isc_thread_t threads[workers];
+	isc_quota_t *quotap = tcp_listener_init_quota(workers);
+
+	SKIP_IN_CI;
+
+	result = stream_listen(stream_accept_cb, NULL, 0, 0, quotap,
+			       &listen_sock);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	memset(threads, 0, sizeof(threads));
+	for (size_t i = 0; i < workers; i++) {
+		isc_thread_create(connect_thread, get_stream_connect_function(),
+				  &threads[i]);
+	}
+
+	if (allow_send_back) {
+		WAIT_FOR_GE(cconnects, 1);
+	} else {
+		WAIT_FOR_GE(cconnects, esends / 2);
+	}
+	WAIT_FOR_GE(csends, esends / 2);
+	WAIT_FOR_GE(sreads, esends / 2);
+	WAIT_FOR_GE(ssends, esends / 2);
+	WAIT_FOR_GE(creads, esends / 2);
+
+	isc__netmgr_shutdown(connect_nm);
+
+	DONE();
+	for (size_t i = 0; i < workers; i++) {
+		isc_thread_join(threads[i], NULL);
+	}
+
+	isc_nm_stoplistening(listen_sock);
+	isc_nmsocket_close(&listen_sock);
+	assert_null(listen_sock);
+
+	X(cconnects);
+	X(csends);
+	X(creads);
+	X(sreads);
+	X(ssends);
+
+	CHECK_RANGE_HALF(csends);
+	CHECK_RANGE_HALF(creads);
+	CHECK_RANGE_HALF(sreads);
+	CHECK_RANGE_HALF(ssends);
+}
+
+static void
+stream_half_recv_send(void **state __attribute__((unused))) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_nmsocket_t *listen_sock = NULL;
+	isc_thread_t threads[workers];
+	isc_quota_t *quotap = tcp_listener_init_quota(workers);
+
+	SKIP_IN_CI;
+
+	result = stream_listen(stream_accept_cb, NULL, 0, 0, quotap,
+			       &listen_sock);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	memset(threads, 0, sizeof(threads));
+	for (size_t i = 0; i < workers; i++) {
+		isc_thread_create(connect_thread, get_stream_connect_function(),
+				  &threads[i]);
+	}
+
+	if (allow_send_back) {
+		WAIT_FOR_GE(cconnects, 1);
+	} else {
+		WAIT_FOR_GE(cconnects, esends / 2);
+	}
+	WAIT_FOR_GE(csends, esends / 2);
+	WAIT_FOR_GE(sreads, esends / 2);
+	WAIT_FOR_GE(ssends, esends / 2);
+	WAIT_FOR_GE(creads, esends / 2);
+
+	isc_nm_stoplistening(listen_sock);
+	isc_nmsocket_close(&listen_sock);
+	assert_null(listen_sock);
+
+	/* Try to send a little while longer */
+	isc_test_nap((esends / 2) * 10000);
+
+	isc__netmgr_shutdown(connect_nm);
+
+	DONE();
+	for (size_t i = 0; i < workers; i++) {
+		isc_thread_join(threads[i], NULL);
+	}
+
+	X(cconnects);
+	X(csends);
+	X(creads);
+	X(sreads);
+	X(ssends);
+
+	CHECK_RANGE_HALF(csends);
+	CHECK_RANGE_HALF(creads);
+	CHECK_RANGE_HALF(sreads);
+	CHECK_RANGE_HALF(ssends);
+}
+
+static void
+stream_half_recv_half_send(void **state __attribute__((unused))) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_nmsocket_t *listen_sock = NULL;
+	isc_thread_t threads[workers];
+	isc_quota_t *quotap = tcp_listener_init_quota(workers);
+
+	SKIP_IN_CI;
+
+	result = stream_listen(stream_accept_cb, NULL, 0, 0, quotap,
+			       &listen_sock);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	memset(threads, 0, sizeof(threads));
+	for (size_t i = 0; i < workers; i++) {
+		isc_thread_create(connect_thread, get_stream_connect_function(),
+				  &threads[i]);
+	}
+
+	if (allow_send_back) {
+		WAIT_FOR_GE(cconnects, 1);
+	} else {
+		WAIT_FOR_GE(cconnects, esends / 2);
+	}
+	WAIT_FOR_GE(csends, esends / 2);
+	WAIT_FOR_GE(sreads, esends / 2);
+	WAIT_FOR_GE(ssends, esends / 2);
+	WAIT_FOR_GE(creads, esends / 2);
+
+	isc__netmgr_shutdown(connect_nm);
+	isc_nm_stoplistening(listen_sock);
+	isc_nmsocket_close(&listen_sock);
+	assert_null(listen_sock);
+
+	DONE();
+	for (size_t i = 0; i < workers; i++) {
+		isc_thread_join(threads[i], NULL);
+	}
+
+	X(cconnects);
+	X(csends);
+	X(creads);
+	X(sreads);
+	X(ssends);
+
+	CHECK_RANGE_HALF(csends);
+	CHECK_RANGE_HALF(creads);
+	CHECK_RANGE_HALF(sreads);
+	CHECK_RANGE_HALF(ssends);
+}
+
+/* TCP */
+static void
+tcp_noop(void **state) {
+	stream_noop(state);
+}
+
+static void
+tcp_noresponse(void **state) {
+	stream_noresponse(state);
+}
+
+static void
+tcp_timeout_recovery(void **state) {
+	stream_timeout_recovery(state);
+}
+
+static void
+tcp_recv_one(void **state) {
+	stream_recv_one(state);
+}
+
+static void
+tcp_recv_two(void **state) {
+	stream_recv_two(state);
+}
+
+static void
+tcp_recv_send(void **state) {
+	SKIP_IN_CI;
+	stream_recv_send(state);
+}
+
+static void
+tcp_recv_half_send(void **state) {
+	SKIP_IN_CI;
+	stream_recv_half_send(state);
+}
+
+static void
+tcp_half_recv_send(void **state) {
+	SKIP_IN_CI;
+	stream_half_recv_send(state);
+}
+
+static void
+tcp_half_recv_half_send(void **state) {
+	SKIP_IN_CI;
+	stream_half_recv_half_send(state);
+}
+
+static void
+tcp_recv_send_sendback(void **state) {
+	SKIP_IN_CI;
+	stream_recv_send(state);
+}
+
+static void
+tcp_recv_half_send_sendback(void **state) {
+	SKIP_IN_CI;
+	stream_recv_half_send(state);
+}
+
+static void
+tcp_half_recv_send_sendback(void **state) {
+	SKIP_IN_CI;
+	stream_half_recv_send(state);
+}
+
+static void
+tcp_half_recv_half_send_sendback(void **state) {
+	SKIP_IN_CI;
+	stream_half_recv_half_send(state);
+}
+
+/* TCP Quota */
+
+static void
+tcp_recv_one_quota(void **state) {
+	atomic_store(&check_listener_quota, true);
+	stream_recv_one(state);
+}
+
+static void
+tcp_recv_two_quota(void **state) {
+	atomic_store(&check_listener_quota, true);
+	stream_recv_two(state);
+}
+
+static void
+tcp_recv_send_quota(void **state) {
+	SKIP_IN_CI;
+	atomic_store(&check_listener_quota, true);
+	stream_recv_send(state);
+}
+
+static void
+tcp_recv_half_send_quota(void **state) {
+	SKIP_IN_CI;
+	atomic_store(&check_listener_quota, true);
+	stream_recv_half_send(state);
+}
+
+static void
+tcp_half_recv_send_quota(void **state) {
+	SKIP_IN_CI;
+	atomic_store(&check_listener_quota, true);
+	stream_half_recv_send(state);
+}
+
+static void
+tcp_half_recv_half_send_quota(void **state) {
+	SKIP_IN_CI;
+	atomic_store(&check_listener_quota, true);
+	stream_half_recv_half_send(state);
+}
+
+static void
+tcp_recv_send_quota_sendback(void **state) {
+	SKIP_IN_CI;
+	atomic_store(&check_listener_quota, true);
+	allow_send_back = true;
+	stream_recv_send(state);
+}
+
+static void
+tcp_recv_half_send_quota_sendback(void **state) {
+	SKIP_IN_CI;
+	atomic_store(&check_listener_quota, true);
+	allow_send_back = true;
+	stream_recv_half_send(state);
+}
+
+static void
+tcp_half_recv_send_quota_sendback(void **state) {
+	SKIP_IN_CI;
+	atomic_store(&check_listener_quota, true);
+	allow_send_back = true;
+	stream_half_recv_send(state);
+}
+
+static void
+tcp_half_recv_half_send_quota_sendback(void **state) {
+	SKIP_IN_CI;
+	atomic_store(&check_listener_quota, true);
+	allow_send_back = true;
+	stream_half_recv_half_send(state);
+}
+
+/* TCPDNS */
+
+static void
+tcpdns_connect(isc_nm_t *nm) {
+	isc_nm_tcpdnsconnect(nm, &tcp_connect_addr, &tcp_listen_addr,
+			     connect_connect_cb, NULL, T_CONNECT, 0);
+}
+
+static void
+tcpdns_noop(void **state __attribute__((unused))) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_nmsocket_t *listen_sock = NULL;
+
+	result = isc_nm_listentcpdns(listen_nm, &tcp_listen_addr, noop_recv_cb,
+				     NULL, noop_accept_cb, NULL, 0, 0, NULL,
+				     &listen_sock);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	isc_nm_stoplistening(listen_sock);
+	isc_nmsocket_close(&listen_sock);
+	assert_null(listen_sock);
+
+	connect_readcb = NULL;
+	isc_refcount_increment0(&active_cconnects);
+	isc_nm_tcpdnsconnect(connect_nm, &tcp_connect_addr, &tcp_listen_addr,
+			     connect_connect_cb, NULL, T_CONNECT, 0);
+	isc__netmgr_shutdown(connect_nm);
+
+	atomic_assert_int_eq(cconnects, 0);
+	atomic_assert_int_eq(csends, 0);
+	atomic_assert_int_eq(creads, 0);
+	atomic_assert_int_eq(sreads, 0);
+	atomic_assert_int_eq(ssends, 0);
+}
+
+static void
+tcpdns_noresponse(void **state __attribute__((unused))) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_nmsocket_t *listen_sock = NULL;
+
+	isc_refcount_increment0(&active_cconnects);
+	result = isc_nm_listentcpdns(listen_nm, &tcp_listen_addr, noop_recv_cb,
+				     NULL, noop_accept_cb, NULL, 0, 0, NULL,
+				     &listen_sock);
+	if (result != ISC_R_SUCCESS) {
+		isc_refcount_decrement(&active_cconnects);
+		isc_test_nap(1000);
+	}
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	isc_nm_tcpdnsconnect(connect_nm, &tcp_connect_addr, &tcp_listen_addr,
+			     connect_connect_cb, NULL, T_CONNECT, 0);
+
+	WAIT_FOR_EQ(cconnects, 1);
+	WAIT_FOR_EQ(csends, 1);
+
+	isc_nm_stoplistening(listen_sock);
+	isc_nmsocket_close(&listen_sock);
+	assert_null(listen_sock);
+	isc__netmgr_shutdown(connect_nm);
+
+	X(cconnects);
+	X(csends);
+	X(creads);
+	X(sreads);
+	X(ssends);
+
+	atomic_assert_int_eq(cconnects, 1);
+	atomic_assert_int_eq(csends, 1);
+	atomic_assert_int_eq(creads, 0);
+	atomic_assert_int_eq(sreads, 0);
+	atomic_assert_int_eq(ssends, 0);
+}
+
+static void
+tcpdns_timeout_recovery(void **state __attribute__((unused))) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_nmsocket_t *listen_sock = NULL;
+
+	SKIP_IN_CI;
+
+	/*
+	 * Accept connections but don't send responses, forcing client
+	 * reads to time out.
+	 */
+	noanswer = true;
+	result = isc_nm_listentcpdns(listen_nm, &tcp_listen_addr,
+				     listen_read_cb, NULL, listen_accept_cb,
+				     NULL, 0, 0, NULL, &listen_sock);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/*
+	 * Shorten all the TCP client timeouts to 0.05 seconds, connect,
+	 * then sleep for at least a second for each 'tick'.
+	 * timeout_retry_cb() will give up after five timeouts.
+	 */
+	connect_readcb = timeout_retry_cb;
+	isc_nm_settimeouts(connect_nm, T_SOFT, T_SOFT, T_SOFT, T_SOFT);
+	isc_refcount_increment0(&active_cconnects);
+	isc_nm_tcpdnsconnect(connect_nm, &tcp_connect_addr, &tcp_listen_addr,
+			     connect_connect_cb, NULL, T_SOFT, 0);
+
+	WAIT_FOR_EQ(cconnects, 1);
+	WAIT_FOR_GE(csends, 1);
+	WAIT_FOR_GE(csends, 2);
+	WAIT_FOR_GE(csends, 3);
+	WAIT_FOR_GE(csends, 4);
+	WAIT_FOR_EQ(csends, 5);
+	WAIT_FOR_EQ(ctimeouts, 1);
+
+	isc_nm_stoplistening(listen_sock);
+	isc_nmsocket_close(&listen_sock);
+	assert_null(listen_sock);
+	isc__netmgr_shutdown(connect_nm);
+}
+
+static void
+tcpdns_recv_one(void **state __attribute__((unused))) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_nmsocket_t *listen_sock = NULL;
+
+	atomic_store(&nsends, 1);
+
+	result = isc_nm_listentcpdns(listen_nm, &tcp_listen_addr,
+				     listen_read_cb, NULL, listen_accept_cb,
+				     NULL, 0, 0, NULL, &listen_sock);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	isc_refcount_increment0(&active_cconnects);
+	isc_nm_tcpdnsconnect(connect_nm, &tcp_connect_addr, &tcp_listen_addr,
+			     connect_connect_cb, NULL, T_CONNECT, 0);
+
+	WAIT_FOR_EQ(cconnects, 1);
+	WAIT_FOR_LE(nsends, 0);
+	WAIT_FOR_EQ(csends, 1);
+	WAIT_FOR_EQ(sreads, 1);
+	WAIT_FOR_EQ(ssends, 0);
+	WAIT_FOR_EQ(creads, 0);
+
+	isc_nm_stoplistening(listen_sock);
+	isc_nmsocket_close(&listen_sock);
+	assert_null(listen_sock);
+	isc__netmgr_shutdown(connect_nm);
+
+	X(cconnects);
+	X(csends);
+	X(creads);
+	X(sreads);
+	X(ssends);
+
+	atomic_assert_int_eq(cconnects, 1);
+	atomic_assert_int_eq(csends, 1);
+	atomic_assert_int_eq(creads, 0);
+	atomic_assert_int_eq(sreads, 1);
+	atomic_assert_int_eq(ssends, 0);
+}
+
+static void
+tcpdns_recv_two(void **state __attribute__((unused))) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_nmsocket_t *listen_sock = NULL;
+
+	atomic_store(&nsends, 2);
+
+	result = isc_nm_listentcpdns(listen_nm, &tcp_listen_addr,
+				     listen_read_cb, NULL, listen_accept_cb,
+				     NULL, 0, 0, NULL, &listen_sock);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	isc_refcount_increment0(&active_cconnects);
+	isc_nm_tcpdnsconnect(connect_nm, &tcp_connect_addr, &tcp_listen_addr,
+			     connect_connect_cb, NULL, T_CONNECT, 0);
+
+	WAIT_FOR_EQ(cconnects, 1);
+
+	isc_refcount_increment0(&active_cconnects);
+	isc_nm_tcpdnsconnect(connect_nm, &tcp_connect_addr, &tcp_listen_addr,
+			     connect_connect_cb, NULL, T_CONNECT, 0);
+
+	WAIT_FOR_EQ(cconnects, 2);
+
+	WAIT_FOR_LE(nsends, 0);
+	WAIT_FOR_EQ(csends, 2);
+	WAIT_FOR_EQ(sreads, 2);
+	WAIT_FOR_EQ(ssends, 1);
+	WAIT_FOR_EQ(creads, 1);
+
+	isc_nm_stoplistening(listen_sock);
+	isc_nmsocket_close(&listen_sock);
+	assert_null(listen_sock);
+	isc__netmgr_shutdown(connect_nm);
+
+	X(cconnects);
+	X(csends);
+	X(creads);
+	X(sreads);
+	X(ssends);
+
+	atomic_assert_int_eq(cconnects, 2);
+	atomic_assert_int_eq(csends, 2);
+	atomic_assert_int_eq(creads, 1);
+	atomic_assert_int_eq(sreads, 2);
+	atomic_assert_int_eq(ssends, 1);
+}
+
+static void
+tcpdns_recv_send(void **state __attribute__((unused))) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_nmsocket_t *listen_sock = NULL;
+	isc_thread_t threads[workers];
+
+	SKIP_IN_CI;
+
+	result = isc_nm_listentcpdns(listen_nm, &tcp_listen_addr,
+				     listen_read_cb, NULL, listen_accept_cb,
+				     NULL, 0, 0, NULL, &listen_sock);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	memset(threads, 0, sizeof(threads));
+	for (size_t i = 0; i < workers; i++) {
+		isc_thread_create(connect_thread, tcpdns_connect, &threads[i]);
+	}
+
+	WAIT_FOR_GE(cconnects, esends);
+	WAIT_FOR_GE(csends, esends);
+	WAIT_FOR_GE(sreads, esends);
+	WAIT_FOR_GE(ssends, esends / 2);
+	WAIT_FOR_GE(creads, esends / 2);
+
+	DONE();
+	for (size_t i = 0; i < workers; i++) {
+		isc_thread_join(threads[i], NULL);
+	}
+
+	isc__netmgr_shutdown(connect_nm);
+	isc_nm_stoplistening(listen_sock);
+	isc_nmsocket_close(&listen_sock);
+	assert_null(listen_sock);
+
+	X(cconnects);
+	X(csends);
+	X(creads);
+	X(sreads);
+	X(ssends);
+
+	CHECK_RANGE_FULL(csends);
+	CHECK_RANGE_FULL(creads);
+	CHECK_RANGE_FULL(sreads);
+	CHECK_RANGE_FULL(ssends);
+}
+
+static void
+tcpdns_recv_half_send(void **state __attribute__((unused))) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_nmsocket_t *listen_sock = NULL;
+	isc_thread_t threads[workers];
+
+	SKIP_IN_CI;
+
+	result = isc_nm_listentcpdns(listen_nm, &tcp_listen_addr,
+				     listen_read_cb, NULL, listen_accept_cb,
+				     NULL, 0, 0, NULL, &listen_sock);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	memset(threads, 0, sizeof(threads));
+	for (size_t i = 0; i < workers; i++) {
+		isc_thread_create(connect_thread, tcpdns_connect, &threads[i]);
+	}
+
+	WAIT_FOR_GE(cconnects, esends / 2);
+	WAIT_FOR_GE(csends, esends / 2);
+	WAIT_FOR_GE(sreads, esends / 2);
+	WAIT_FOR_GE(ssends, esends / 2);
+	WAIT_FOR_GE(creads, esends / 2);
+
+	isc__netmgr_shutdown(connect_nm);
+
+	DONE();
+	for (size_t i = 0; i < workers; i++) {
+		isc_thread_join(threads[i], NULL);
+	}
+
+	isc_nm_stoplistening(listen_sock);
+	isc_nmsocket_close(&listen_sock);
+	assert_null(listen_sock);
+
+	X(cconnects);
+	X(csends);
+	X(creads);
+	X(sreads);
+	X(ssends);
+
+	CHECK_RANGE_HALF(csends);
+	CHECK_RANGE_HALF(creads);
+	CHECK_RANGE_HALF(sreads);
+	CHECK_RANGE_HALF(ssends);
+}
+
+static void
+tcpdns_half_recv_send(void **state __attribute__((unused))) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_nmsocket_t *listen_sock = NULL;
+	isc_thread_t threads[workers];
+
+	SKIP_IN_CI;
+
+	result = isc_nm_listentcpdns(listen_nm, &tcp_listen_addr,
+				     listen_read_cb, NULL, listen_accept_cb,
+				     NULL, 0, 0, NULL, &listen_sock);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	memset(threads, 0, sizeof(threads));
+	for (size_t i = 0; i < workers; i++) {
+		isc_thread_create(connect_thread, tcpdns_connect, &threads[i]);
+	}
+
+	WAIT_FOR_GE(cconnects, esends / 2);
+	WAIT_FOR_GE(csends, esends / 2);
+	WAIT_FOR_GE(sreads, esends / 2);
+	WAIT_FOR_GE(ssends, esends / 2);
+	WAIT_FOR_GE(creads, esends / 2);
+
+	isc_nm_stoplistening(listen_sock);
+	isc_nmsocket_close(&listen_sock);
+	assert_null(listen_sock);
+
+	/* Try to send a little while longer */
+	isc_test_nap((esends / 2) * 10000);
+
+	isc__netmgr_shutdown(connect_nm);
+
+	DONE();
+	for (size_t i = 0; i < workers; i++) {
+		isc_thread_join(threads[i], NULL);
+	}
+
+	X(cconnects);
+	X(csends);
+	X(creads);
+	X(sreads);
+	X(ssends);
+
+	CHECK_RANGE_HALF(csends);
+	CHECK_RANGE_HALF(creads);
+	CHECK_RANGE_HALF(sreads);
+	CHECK_RANGE_HALF(ssends);
+}
+
+static void
+tcpdns_half_recv_half_send(void **state __attribute__((unused))) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_nmsocket_t *listen_sock = NULL;
+	isc_thread_t threads[workers];
+
+	SKIP_IN_CI;
+
+	result = isc_nm_listentcpdns(listen_nm, &tcp_listen_addr,
+				     listen_read_cb, NULL, listen_accept_cb,
+				     NULL, 0, 0, NULL, &listen_sock);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	memset(threads, 0, sizeof(threads));
+	for (size_t i = 0; i < workers; i++) {
+		isc_thread_create(connect_thread, tcpdns_connect, &threads[i]);
+	}
+
+	WAIT_FOR_GE(cconnects, esends / 2);
+	WAIT_FOR_GE(csends, esends / 2);
+	WAIT_FOR_GE(sreads, esends / 2);
+	WAIT_FOR_GE(ssends, esends / 2);
+	WAIT_FOR_GE(creads, esends / 2);
+
+	isc__netmgr_shutdown(connect_nm);
+	isc_nm_stoplistening(listen_sock);
+	isc_nmsocket_close(&listen_sock);
+	assert_null(listen_sock);
+
+	DONE();
+	for (size_t i = 0; i < workers; i++) {
+		isc_thread_join(threads[i], NULL);
+	}
+
+	X(cconnects);
+	X(csends);
+	X(creads);
+	X(sreads);
+	X(ssends);
+
+	CHECK_RANGE_HALF(csends);
+	CHECK_RANGE_HALF(creads);
+	CHECK_RANGE_HALF(sreads);
+	CHECK_RANGE_HALF(ssends);
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		/* UDP */
+		cmocka_unit_test_setup_teardown(mock_listenudp_uv_udp_open,
+						nm_setup, nm_teardown),
+		cmocka_unit_test_setup_teardown(mock_listenudp_uv_udp_bind,
+						nm_setup, nm_teardown),
+		cmocka_unit_test_setup_teardown(
+			mock_listenudp_uv_udp_recv_start, nm_setup,
+			nm_teardown),
+		cmocka_unit_test_setup_teardown(mock_udpconnect_uv_udp_open,
+						nm_setup, nm_teardown),
+		cmocka_unit_test_setup_teardown(mock_udpconnect_uv_udp_bind,
+						nm_setup, nm_teardown),
+#if UV_VERSION_HEX >= UV_VERSION(1, 27, 0)
+		cmocka_unit_test_setup_teardown(mock_udpconnect_uv_udp_connect,
+						nm_setup, nm_teardown),
+#endif
+		cmocka_unit_test_setup_teardown(
+			mock_udpconnect_uv_recv_buffer_size, nm_setup,
+			nm_teardown),
+		cmocka_unit_test_setup_teardown(
+			mock_udpconnect_uv_send_buffer_size, nm_setup,
+			nm_teardown),
+		cmocka_unit_test_setup_teardown(udp_noop, nm_setup,
+						nm_teardown),
+		cmocka_unit_test_setup_teardown(udp_noresponse, nm_setup,
+						nm_teardown),
+		cmocka_unit_test_setup_teardown(udp_timeout_recovery, nm_setup,
+						nm_teardown),
+		cmocka_unit_test_setup_teardown(udp_recv_one, nm_setup,
+						nm_teardown),
+		cmocka_unit_test_setup_teardown(udp_recv_two, nm_setup,
+						nm_teardown),
+		cmocka_unit_test_setup_teardown(udp_recv_send, nm_setup,
+						nm_teardown),
+		cmocka_unit_test_setup_teardown(udp_recv_half_send, nm_setup,
+						nm_teardown),
+		cmocka_unit_test_setup_teardown(udp_half_recv_send, nm_setup,
+						nm_teardown),
+		cmocka_unit_test_setup_teardown(udp_half_recv_half_send,
+						nm_setup, nm_teardown),
+
+		/* TCP */
+		cmocka_unit_test_setup_teardown(tcp_noop, nm_setup,
+						nm_teardown),
+		cmocka_unit_test_setup_teardown(tcp_noresponse, nm_setup,
+						nm_teardown),
+		cmocka_unit_test_setup_teardown(tcp_timeout_recovery, nm_setup,
+						nm_teardown),
+		cmocka_unit_test_setup_teardown(tcp_recv_one, nm_setup,
+						nm_teardown),
+		cmocka_unit_test_setup_teardown(tcp_recv_two, nm_setup,
+						nm_teardown),
+		cmocka_unit_test_setup_teardown(tcp_recv_send, nm_setup,
+						nm_teardown),
+		cmocka_unit_test_setup_teardown(tcp_recv_half_send, nm_setup,
+						nm_teardown),
+		cmocka_unit_test_setup_teardown(tcp_half_recv_send, nm_setup,
+						nm_teardown),
+		cmocka_unit_test_setup_teardown(tcp_half_recv_half_send,
+						nm_setup, nm_teardown),
+		cmocka_unit_test_setup_teardown(tcp_recv_send_sendback,
+						nm_setup, nm_teardown),
+		cmocka_unit_test_setup_teardown(tcp_recv_half_send_sendback,
+						nm_setup, nm_teardown),
+		cmocka_unit_test_setup_teardown(tcp_half_recv_send_sendback,
+						nm_setup, nm_teardown),
+		cmocka_unit_test_setup_teardown(
+			tcp_half_recv_half_send_sendback, nm_setup,
+			nm_teardown),
+
+		/* TCP Quota */
+		cmocka_unit_test_setup_teardown(tcp_recv_one_quota, nm_setup,
+						nm_teardown),
+		cmocka_unit_test_setup_teardown(tcp_recv_two_quota, nm_setup,
+						nm_teardown),
+		cmocka_unit_test_setup_teardown(tcp_recv_send_quota, nm_setup,
+						nm_teardown),
+		cmocka_unit_test_setup_teardown(tcp_recv_half_send_quota,
+						nm_setup, nm_teardown),
+		cmocka_unit_test_setup_teardown(tcp_half_recv_send_quota,
+						nm_setup, nm_teardown),
+		cmocka_unit_test_setup_teardown(tcp_half_recv_half_send_quota,
+						nm_setup, nm_teardown),
+		cmocka_unit_test_setup_teardown(tcp_recv_send_quota_sendback,
+						nm_setup, nm_teardown),
+		cmocka_unit_test_setup_teardown(
+			tcp_recv_half_send_quota_sendback, nm_setup,
+			nm_teardown),
+		cmocka_unit_test_setup_teardown(
+			tcp_half_recv_send_quota_sendback, nm_setup,
+			nm_teardown),
+		cmocka_unit_test_setup_teardown(
+			tcp_half_recv_half_send_quota_sendback, nm_setup,
+			nm_teardown),
+
+		/* TCPDNS */
+		cmocka_unit_test_setup_teardown(tcpdns_recv_one, nm_setup,
+						nm_teardown),
+		cmocka_unit_test_setup_teardown(tcpdns_recv_two, nm_setup,
+						nm_teardown),
+		cmocka_unit_test_setup_teardown(tcpdns_noop, nm_setup,
+						nm_teardown),
+		cmocka_unit_test_setup_teardown(tcpdns_noresponse, nm_setup,
+						nm_teardown),
+		cmocka_unit_test_setup_teardown(tcpdns_timeout_recovery,
+						nm_setup, nm_teardown),
+		cmocka_unit_test_setup_teardown(tcpdns_recv_send, nm_setup,
+						nm_teardown),
+		cmocka_unit_test_setup_teardown(tcpdns_recv_half_send, nm_setup,
+						nm_teardown),
+		cmocka_unit_test_setup_teardown(tcpdns_half_recv_send, nm_setup,
+						nm_teardown),
+		cmocka_unit_test_setup_teardown(tcpdns_half_recv_half_send,
+						nm_setup, nm_teardown),
+
+	};
+
+	return (cmocka_run_group_tests(tests, _setup, _teardown));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/isc/tests/parse_test.c b/lib/isc/tests/parse_test.c
new file mode 100644
index 0000000..378690d
--- /dev/null
+++ b/lib/isc/tests/parse_test.c
@@ -0,0 +1,96 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#if HAVE_CMOCKA
+
+#include <inttypes.h>
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/parseint.h>
+#include <isc/util.h>
+
+#include "isctest.h"
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = isc_test_begin(NULL, true, 0);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	isc_test_end();
+
+	return (0);
+}
+
+/* Test for 32 bit overflow on 64 bit machines in isc_parse_uint32 */
+static void
+parse_overflow(void **state) {
+	isc_result_t result;
+	uint32_t output;
+
+	UNUSED(state);
+
+	result = isc_parse_uint32(&output, "1234567890", 10);
+	assert_int_equal(ISC_R_SUCCESS, result);
+	assert_int_equal(1234567890, output);
+
+	result = isc_parse_uint32(&output, "123456789012345", 10);
+	assert_int_equal(ISC_R_RANGE, result);
+
+	result = isc_parse_uint32(&output, "12345678901234567890", 10);
+	assert_int_equal(ISC_R_RANGE, result);
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test_setup_teardown(parse_overflow, _setup,
+						_teardown),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/isc/tests/pool_test.c b/lib/isc/tests/pool_test.c
new file mode 100644
index 0000000..1ce51f6
--- /dev/null
+++ b/lib/isc/tests/pool_test.c
@@ -0,0 +1,194 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/mem.h>
+#include <isc/pool.h>
+#include <isc/util.h>
+
+#include "isctest.h"
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = isc_test_begin(NULL, true, 0);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	isc_test_end();
+
+	return (0);
+}
+
+static isc_result_t
+poolinit(void **target, void *arg) {
+	isc_result_t result;
+
+	isc_taskmgr_t *mgr = (isc_taskmgr_t *)arg;
+	isc_task_t *task = NULL;
+	result = isc_task_create(mgr, 0, &task);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	*target = (void *)task;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+poolfree(void **target) {
+	isc_task_t *task = *(isc_task_t **)target;
+	isc_task_destroy(&task);
+	*target = NULL;
+}
+
+/* Create a pool */
+static void
+create_pool(void **state) {
+	isc_result_t result;
+	isc_pool_t *pool = NULL;
+
+	UNUSED(state);
+
+	result = isc_pool_create(test_mctx, 8, poolfree, poolinit, taskmgr,
+				 &pool);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(isc_pool_count(pool), 8);
+
+	isc_pool_destroy(&pool);
+	assert_null(pool);
+}
+
+/* Resize a pool */
+static void
+expand_pool(void **state) {
+	isc_result_t result;
+	isc_pool_t *pool1 = NULL, *pool2 = NULL, *hold = NULL;
+
+	UNUSED(state);
+
+	result = isc_pool_create(test_mctx, 10, poolfree, poolinit, taskmgr,
+				 &pool1);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(isc_pool_count(pool1), 10);
+
+	/* resizing to a smaller size should have no effect */
+	hold = pool1;
+	result = isc_pool_expand(&pool1, 5, &pool2);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(isc_pool_count(pool2), 10);
+	assert_ptr_equal(pool2, hold);
+	assert_null(pool1);
+	pool1 = pool2;
+	pool2 = NULL;
+
+	/* resizing to the same size should have no effect */
+	hold = pool1;
+	result = isc_pool_expand(&pool1, 10, &pool2);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(isc_pool_count(pool2), 10);
+	assert_ptr_equal(pool2, hold);
+	assert_null(pool1);
+	pool1 = pool2;
+	pool2 = NULL;
+
+	/* resizing to larger size should make a new pool */
+	hold = pool1;
+	result = isc_pool_expand(&pool1, 20, &pool2);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(isc_pool_count(pool2), 20);
+	assert_ptr_not_equal(pool2, hold);
+	assert_null(pool1);
+
+	isc_pool_destroy(&pool2);
+	assert_null(pool2);
+}
+
+/* Get objects */
+static void
+get_objects(void **state) {
+	isc_result_t result;
+	isc_pool_t *pool = NULL;
+	void *item;
+	isc_task_t *task1 = NULL, *task2 = NULL, *task3 = NULL;
+
+	UNUSED(state);
+
+	result = isc_pool_create(test_mctx, 2, poolfree, poolinit, taskmgr,
+				 &pool);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(isc_pool_count(pool), 2);
+
+	item = isc_pool_get(pool);
+	assert_non_null(item);
+	isc_task_attach((isc_task_t *)item, &task1);
+
+	item = isc_pool_get(pool);
+	assert_non_null(item);
+	isc_task_attach((isc_task_t *)item, &task2);
+
+	item = isc_pool_get(pool);
+	assert_non_null(item);
+	isc_task_attach((isc_task_t *)item, &task3);
+
+	isc_task_detach(&task1);
+	isc_task_detach(&task2);
+	isc_task_detach(&task3);
+
+	isc_pool_destroy(&pool);
+	assert_null(pool);
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test_setup_teardown(create_pool, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(expand_pool, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(get_objects, _setup, _teardown),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/isc/tests/quota_test.c b/lib/isc/tests/quota_test.c
new file mode 100644
index 0000000..854afd9
--- /dev/null
+++ b/lib/isc/tests/quota_test.c
@@ -0,0 +1,358 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/quota.h>
+#include <isc/result.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+
+#include "isctest.h"
+
+static void
+isc_quota_get_set_test(void **state) {
+	UNUSED(state);
+	isc_quota_t quota;
+	isc_quota_t *quota2 = NULL;
+	isc_quota_init(&quota, 100);
+
+	assert_int_equal(isc_quota_getmax(&quota), 100);
+	assert_int_equal(isc_quota_getsoft(&quota), 0);
+
+	isc_quota_max(&quota, 50);
+	isc_quota_soft(&quota, 30);
+
+	assert_int_equal(isc_quota_getmax(&quota), 50);
+	assert_int_equal(isc_quota_getsoft(&quota), 30);
+
+	assert_int_equal(isc_quota_getused(&quota), 0);
+	isc_quota_attach(&quota, &quota2);
+	assert_int_equal(isc_quota_getused(&quota), 1);
+	isc_quota_detach(&quota2);
+	assert_int_equal(isc_quota_getused(&quota), 0);
+	isc_quota_destroy(&quota);
+}
+
+static void
+add_quota(isc_quota_t *source, isc_quota_t **target,
+	  isc_result_t expected_result, int expected_used) {
+	isc_result_t result;
+
+	*target = NULL;
+
+	result = isc_quota_attach(source, target);
+	assert_int_equal(result, expected_result);
+
+	switch (expected_result) {
+	case ISC_R_SUCCESS:
+	case ISC_R_SOFTQUOTA:
+		assert_ptr_equal(*target, source);
+		break;
+	default:
+		assert_null(*target);
+		break;
+	}
+
+	assert_int_equal(isc_quota_getused(source), expected_used);
+}
+
+static void
+isc_quota_hard_test(void **state) {
+	isc_quota_t quota;
+	isc_quota_t *quotas[110];
+	int i;
+	UNUSED(state);
+
+	isc_quota_init(&quota, 100);
+
+	for (i = 0; i < 100; i++) {
+		add_quota(&quota, &quotas[i], ISC_R_SUCCESS, i + 1);
+	}
+
+	add_quota(&quota, &quotas[100], ISC_R_QUOTA, 100);
+
+	assert_int_equal(isc_quota_getused(&quota), 100);
+
+	isc_quota_detach(&quotas[0]);
+	assert_null(quotas[0]);
+
+	add_quota(&quota, &quotas[100], ISC_R_SUCCESS, 100);
+	add_quota(&quota, &quotas[101], ISC_R_QUOTA, 100);
+
+	for (i = 100; i > 0; i--) {
+		isc_quota_detach(&quotas[i]);
+		assert_null(quotas[i]);
+		assert_int_equal(isc_quota_getused(&quota), i - 1);
+	}
+	assert_int_equal(isc_quota_getused(&quota), 0);
+	isc_quota_destroy(&quota);
+}
+
+static void
+isc_quota_soft_test(void **state) {
+	isc_quota_t quota;
+	isc_quota_t *quotas[110];
+	int i;
+	UNUSED(state);
+
+	isc_quota_init(&quota, 100);
+	isc_quota_soft(&quota, 50);
+
+	for (i = 0; i < 50; i++) {
+		add_quota(&quota, &quotas[i], ISC_R_SUCCESS, i + 1);
+	}
+	for (i = 50; i < 100; i++) {
+		add_quota(&quota, &quotas[i], ISC_R_SOFTQUOTA, i + 1);
+	}
+
+	add_quota(&quota, &quotas[i], ISC_R_QUOTA, 100);
+
+	for (i = 99; i >= 0; i--) {
+		isc_quota_detach(&quotas[i]);
+		assert_null(quotas[i]);
+		assert_int_equal(isc_quota_getused(&quota), i);
+	}
+	assert_int_equal(isc_quota_getused(&quota), 0);
+	isc_quota_destroy(&quota);
+}
+
+static atomic_uint_fast32_t cb_calls = 0;
+static isc_quota_cb_t cbs[30];
+static isc_quota_t *qp;
+
+static void
+callback(isc_quota_t *quota, void *data) {
+	int val = *(int *)data;
+	/* Callback is not called if we get the quota directly */
+	assert_int_not_equal(val, -1);
+
+	/* We get the proper quota pointer */
+	assert_ptr_equal(quota, qp);
+
+	/* Verify that the callbacks are called in order */
+	int v = atomic_fetch_add_relaxed(&cb_calls, 1);
+	assert_int_equal(v, val);
+
+	/*
+	 * First 5 will be detached by the test function,
+	 * for the last 5 - do a 'chain detach'.
+	 */
+	if (v >= 5) {
+		isc_quota_detach(&quota);
+	}
+}
+
+static void
+isc_quota_callback_test(void **state) {
+	isc_result_t result;
+	isc_quota_t quota;
+	isc_quota_t *quotas[30];
+	qp = &quota;
+	/*
+	 * - 10 calls that end with SUCCESS
+	 * - 10 calls that end with SOFTQUOTA
+	 * - 10 callbacks
+	 */
+	int ints[] = { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+		       -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+		       0,  1,  2,  3,  4,  5,  6,  7,  8,  9 };
+	int i;
+	UNUSED(state);
+
+	isc_quota_init(&quota, 20);
+	isc_quota_soft(&quota, 10);
+
+	for (i = 0; i < 10; i++) {
+		quotas[i] = NULL;
+		isc_quota_cb_init(&cbs[i], callback, &ints[i]);
+		result = isc_quota_attach_cb(&quota, &quotas[i], &cbs[i]);
+		assert_int_equal(result, ISC_R_SUCCESS);
+		assert_ptr_equal(quotas[i], &quota);
+		assert_int_equal(isc_quota_getused(&quota), i + 1);
+	}
+	for (i = 10; i < 20; i++) {
+		quotas[i] = NULL;
+		isc_quota_cb_init(&cbs[i], callback, &ints[i]);
+		result = isc_quota_attach_cb(&quota, &quotas[i], &cbs[i]);
+		assert_int_equal(result, ISC_R_SOFTQUOTA);
+		assert_ptr_equal(quotas[i], &quota);
+		assert_int_equal(isc_quota_getused(&quota), i + 1);
+	}
+
+	for (i = 20; i < 30; i++) {
+		quotas[i] = NULL;
+		isc_quota_cb_init(&cbs[i], callback, &ints[i]);
+		result = isc_quota_attach_cb(&quota, &quotas[i], &cbs[i]);
+		assert_int_equal(result, ISC_R_QUOTA);
+		assert_ptr_equal(quotas[i], NULL);
+		assert_int_equal(isc_quota_getused(&quota), 20);
+	}
+	assert_int_equal(atomic_load(&cb_calls), 0);
+
+	for (i = 0; i < 5; i++) {
+		isc_quota_detach(&quotas[i]);
+		assert_null(quotas[i]);
+		assert_int_equal(isc_quota_getused(&quota), 20);
+		assert_int_equal(atomic_load(&cb_calls), i + 1);
+	}
+	/* That should cause a chain reaction */
+	isc_quota_detach(&quotas[5]);
+	assert_int_equal(atomic_load(&cb_calls), 10);
+
+	/* Release the quotas that we did not released in the callback */
+	for (i = 0; i < 5; i++) {
+		qp = &quota;
+		isc_quota_detach(&qp);
+	}
+
+	for (i = 6; i < 20; i++) {
+		isc_quota_detach(&quotas[i]);
+		assert_null(quotas[i]);
+		assert_int_equal(isc_quota_getused(&quota), 19 - i);
+	}
+	assert_int_equal(atomic_load(&cb_calls), 10);
+
+	assert_int_equal(isc_quota_getused(&quota), 0);
+	isc_quota_destroy(&quota);
+}
+
+/*
+ * Multithreaded quota callback test:
+ * - quota set to 100
+ * - 10 threads, each trying to get 100 quotas.
+ * - creates a separate thread to release it after 10ms
+ */
+
+typedef struct qthreadinfo {
+	atomic_uint_fast32_t direct;
+	atomic_uint_fast32_t callback;
+	isc_quota_t *quota;
+	isc_quota_cb_t callbacks[100];
+} qthreadinfo_t;
+
+static atomic_uint_fast32_t g_tnum = 0;
+/* at most 10 * 100 quota_detach threads */
+isc_thread_t g_threads[10 * 100];
+
+static void *
+quota_detach(void *quotap) {
+	isc_quota_t *quota = (isc_quota_t *)quotap;
+	isc_test_nap(10000);
+	isc_quota_detach(&quota);
+	return ((isc_threadresult_t)0);
+}
+
+static void
+quota_callback(isc_quota_t *quota, void *data) {
+	qthreadinfo_t *qti = (qthreadinfo_t *)data;
+	atomic_fetch_add_relaxed(&qti->callback, 1);
+	int tnum = atomic_fetch_add_relaxed(&g_tnum, 1);
+	isc_thread_create(quota_detach, quota, &g_threads[tnum]);
+}
+
+static isc_threadresult_t
+quota_thread(void *qtip) {
+	qthreadinfo_t *qti = (qthreadinfo_t *)qtip;
+	for (int i = 0; i < 100; i++) {
+		isc_quota_cb_init(&qti->callbacks[i], quota_callback, qti);
+		isc_quota_t *quota = NULL;
+		isc_result_t result = isc_quota_attach_cb(qti->quota, &quota,
+							  &qti->callbacks[i]);
+		if (result == ISC_R_SUCCESS) {
+			atomic_fetch_add_relaxed(&qti->direct, 1);
+			int tnum = atomic_fetch_add_relaxed(&g_tnum, 1);
+			isc_thread_create(quota_detach, quota,
+					  &g_threads[tnum]);
+		}
+	}
+	return ((isc_threadresult_t)0);
+}
+
+static void
+isc_quota_callback_mt_test(void **state) {
+	UNUSED(state);
+	isc_quota_t quota;
+	int i;
+
+	isc_quota_init(&quota, 100);
+	static qthreadinfo_t qtis[10];
+	isc_thread_t threads[10];
+	for (i = 0; i < 10; i++) {
+		atomic_init(&qtis[i].direct, 0);
+		atomic_init(&qtis[i].callback, 0);
+		qtis[i].quota = &quota;
+		isc_thread_create(quota_thread, &qtis[i], &threads[i]);
+	}
+	for (i = 0; i < 10; i++) {
+		isc_thread_join(threads[i], NULL);
+	}
+
+	for (i = 0; i < (int)atomic_load(&g_tnum); i++) {
+		isc_thread_join(g_threads[i], NULL);
+	}
+	int direct = 0, callback = 0;
+
+	for (i = 0; i < 10; i++) {
+		direct += atomic_load(&qtis[i].direct);
+		callback += atomic_load(&qtis[i].callback);
+	}
+	/* Total quota gained must be 10 threads * 100 tries */
+	assert_int_equal(direct + callback, 10 * 100);
+	/*
+	 * At least 100 must be direct, the rest is virtually random:
+	 * - in a regular run I'm constantly getting 100:900 ratio
+	 * - under rr - usually around ~120:880
+	 * - under rr -h - 1000:0
+	 */
+	assert_true(direct >= 100);
+
+	isc_quota_destroy(&quota);
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test(isc_quota_get_set_test),
+		cmocka_unit_test(isc_quota_hard_test),
+		cmocka_unit_test(isc_quota_soft_test),
+		cmocka_unit_test(isc_quota_callback_test),
+		cmocka_unit_test(isc_quota_callback_mt_test),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/isc/tests/radix_test.c b/lib/isc/tests/radix_test.c
new file mode 100644
index 0000000..132b64d
--- /dev/null
+++ b/lib/isc/tests/radix_test.c
@@ -0,0 +1,124 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/mem.h>
+#include <isc/netaddr.h>
+#include <isc/radix.h>
+#include <isc/result.h>
+#include <isc/util.h>
+
+#include "isctest.h"
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = isc_test_begin(NULL, true, 0);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	isc_test_end();
+
+	return (0);
+}
+
+/* test radix searching */
+static void
+isc_radix_search_test(void **state) {
+	isc_radix_tree_t *radix = NULL;
+	isc_radix_node_t *node;
+	isc_prefix_t prefix;
+	isc_result_t result;
+	struct in_addr in_addr;
+	isc_netaddr_t netaddr;
+
+	UNUSED(state);
+
+	result = isc_radix_create(test_mctx, &radix, 32);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	in_addr.s_addr = inet_addr("3.3.3.0");
+	isc_netaddr_fromin(&netaddr, &in_addr);
+	NETADDR_TO_PREFIX_T(&netaddr, prefix, 24);
+
+	node = NULL;
+	result = isc_radix_insert(radix, &node, NULL, &prefix);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	node->data[0] = (void *)1;
+	isc_refcount_destroy(&prefix.refcount);
+
+	in_addr.s_addr = inet_addr("3.3.0.0");
+	isc_netaddr_fromin(&netaddr, &in_addr);
+	NETADDR_TO_PREFIX_T(&netaddr, prefix, 16);
+
+	node = NULL;
+	result = isc_radix_insert(radix, &node, NULL, &prefix);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	node->data[0] = (void *)2;
+	isc_refcount_destroy(&prefix.refcount);
+
+	in_addr.s_addr = inet_addr("3.3.3.3");
+	isc_netaddr_fromin(&netaddr, &in_addr);
+	NETADDR_TO_PREFIX_T(&netaddr, prefix, 22);
+
+	node = NULL;
+	result = isc_radix_search(radix, &node, &prefix);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_ptr_equal(node->data[0], (void *)2);
+
+	isc_refcount_destroy(&prefix.refcount);
+
+	isc_radix_destroy(radix, NULL);
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test_setup_teardown(isc_radix_search_test, _setup,
+						_teardown),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/isc/tests/random_test.c b/lib/isc/tests/random_test.c
new file mode 100644
index 0000000..8025583
--- /dev/null
+++ b/lib/isc/tests/random_test.c
@@ -0,0 +1,894 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * IMPORTANT NOTE:
+ * These tests work by generating a large number of pseudo-random numbers
+ * and then statistically analyzing them to determine whether they seem
+ * random. The test is expected to fail on occasion by random happenstance.
+ */
+
+#if HAVE_CMOCKA
+
+#include <inttypes.h>
+#include <math.h>
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/commandline.h>
+#include <isc/mem.h>
+#include <isc/nonce.h>
+#include <isc/print.h>
+#include <isc/random.h>
+#include <isc/result.h>
+#include <isc/util.h>
+
+#include "isctest.h"
+
+#define REPS 25000
+
+typedef double(pvalue_func_t)(isc_mem_t *mctx, uint16_t *values, size_t length);
+
+/* igamc(), igam(), etc. were adapted (and cleaned up) from the Cephes
+ * math library:
+ *
+ * Cephes Math Library Release 2.8:  June, 2000
+ * Copyright 1985, 1987, 2000 by Stephen L. Moshier
+ *
+ * The Cephes math library was released into the public domain as part
+ * of netlib.
+ */
+
+static double MACHEP = 1.11022302462515654042E-16;
+static double MAXLOG = 7.09782712893383996843E2;
+static double big = 4.503599627370496e15;
+static double biginv = 2.22044604925031308085e-16;
+
+static double
+igamc(double a, double x);
+static double
+igam(double a, double x);
+
+/* Set to true (or use -v option) for verbose output */
+static bool verbose = false;
+
+typedef enum {
+	ISC_RANDOM8,
+	ISC_RANDOM16,
+	ISC_RANDOM32,
+	ISC_RANDOM_BYTES,
+	ISC_RANDOM_UNIFORM,
+	ISC_NONCE_BYTES
+} isc_random_func;
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = isc_test_begin(NULL, true, 0);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	isc_test_end();
+
+	return (0);
+}
+
+static double
+igamc(double a, double x) {
+	double ans, ax, c, yc, r, t, y, z;
+	double pk, pkm1, pkm2, qk, qkm1, qkm2;
+
+	if ((x <= 0) || (a <= 0)) {
+		return (1.0);
+	}
+
+	if ((x < 1.0) || (x < a)) {
+		return (1.0 - igam(a, x));
+	}
+
+	ax = a * log(x) - x - lgamma(a);
+	if (ax < -MAXLOG) {
+		print_error("# igamc: UNDERFLOW, ax=%f\n", ax);
+		return (0.0);
+	}
+	ax = exp(ax);
+
+	/* continued fraction */
+	y = 1.0 - a;
+	z = x + y + 1.0;
+	c = 0.0;
+	pkm2 = 1.0;
+	qkm2 = x;
+	pkm1 = x + 1.0;
+	qkm1 = z * x;
+	ans = pkm1 / qkm1;
+
+	do {
+		c += 1.0;
+		y += 1.0;
+		z += 2.0;
+		yc = y * c;
+		pk = pkm1 * z - pkm2 * yc;
+		qk = qkm1 * z - qkm2 * yc;
+		if (qk != 0) {
+			r = pk / qk;
+			t = fabs((ans - r) / r);
+			ans = r;
+		} else {
+			t = 1.0;
+		}
+
+		pkm2 = pkm1;
+		pkm1 = pk;
+		qkm2 = qkm1;
+		qkm1 = qk;
+
+		if (fabs(pk) > big) {
+			pkm2 *= biginv;
+			pkm1 *= biginv;
+			qkm2 *= biginv;
+			qkm1 *= biginv;
+		}
+	} while (t > MACHEP);
+
+	return (ans * ax);
+}
+
+static double
+igam(double a, double x) {
+	double ans, ax, c, r;
+
+	if ((x <= 0) || (a <= 0)) {
+		return (0.0);
+	}
+
+	if ((x > 1.0) && (x > a)) {
+		return (1.0 - igamc(a, x));
+	}
+
+	/* Compute  x**a * exp(-x) / md_gamma(a)  */
+	ax = a * log(x) - x - lgamma(a);
+	if (ax < -MAXLOG) {
+		print_error("# igam: UNDERFLOW, ax=%f\n", ax);
+		return (0.0);
+	}
+	ax = exp(ax);
+
+	/* power series */
+	r = a;
+	c = 1.0;
+	ans = 1.0;
+
+	do {
+		r += 1.0;
+		c *= x / r;
+		ans += c;
+	} while (c / ans > MACHEP);
+
+	return (ans * ax / a);
+}
+
+static int8_t scounts_table[65536];
+static uint8_t bitcounts_table[65536];
+
+static int8_t
+scount_calculate(uint16_t n) {
+	int i;
+	int8_t sc;
+
+	sc = 0;
+	for (i = 0; i < 16; i++) {
+		uint16_t lsb;
+
+		lsb = n & 1;
+		if (lsb != 0) {
+			sc += 1;
+		} else {
+			sc -= 1;
+		}
+
+		n >>= 1;
+	}
+
+	return (sc);
+}
+
+static uint8_t
+bitcount_calculate(uint16_t n) {
+	int i;
+	uint8_t bc;
+
+	bc = 0;
+	for (i = 0; i < 16; i++) {
+		uint16_t lsb;
+
+		lsb = n & 1;
+		if (lsb != 0) {
+			bc += 1;
+		}
+
+		n >>= 1;
+	}
+
+	return (bc);
+}
+
+static void
+tables_init(void) {
+	uint32_t i;
+
+	for (i = 0; i < 65536; i++) {
+		scounts_table[i] = scount_calculate(i);
+		bitcounts_table[i] = bitcount_calculate(i);
+	}
+}
+
+/*
+ * The following code for computing Marsaglia's rank is based on the
+ * implementation in cdbinrnk.c from the diehard tests by George
+ * Marsaglia.
+ *
+ * This function destroys (modifies) the data passed in bits.
+ */
+static uint32_t
+matrix_binaryrank(uint32_t *bits, size_t rows, size_t cols) {
+	size_t i, j, k;
+	unsigned int rt = 0;
+	uint32_t rank = 0;
+	uint32_t tmp;
+
+	for (k = 0; k < rows; k++) {
+		i = k;
+
+		while (rt >= cols || ((bits[i] >> rt) & 1) == 0) {
+			i++;
+
+			if (i < rows) {
+				continue;
+			} else {
+				rt++;
+				if (rt < cols) {
+					i = k;
+					continue;
+				}
+			}
+
+			return (rank);
+		}
+
+		rank++;
+		if (i != k) {
+			tmp = bits[i];
+			bits[i] = bits[k];
+			bits[k] = tmp;
+		}
+
+		for (j = i + 1; j < rows; j++) {
+			if (((bits[j] >> rt) & 1) == 0) {
+				continue;
+			} else {
+				bits[j] ^= bits[k];
+			}
+		}
+
+		rt++;
+	}
+
+	return (rank);
+}
+
+static void
+random_test(pvalue_func_t *func, isc_random_func test_func) {
+	uint32_t m;
+	uint32_t j;
+	uint32_t histogram[11] = { 0 };
+	uint32_t passed;
+	double proportion;
+	double p_hat;
+	double lower_confidence, higher_confidence;
+	double chi_square;
+	double p_value_t;
+	double alpha;
+
+	tables_init();
+
+	m = 1000;
+	passed = 0;
+
+	for (j = 0; j < m; j++) {
+		uint32_t i;
+		uint32_t values[REPS];
+		uint16_t *uniform_values;
+		double p_value;
+
+		switch (test_func) {
+		case ISC_RANDOM8:
+			for (i = 0; i < (sizeof(values) / sizeof(*values)); i++)
+			{
+				values[i] = isc_random8();
+			}
+			break;
+		case ISC_RANDOM16:
+			for (i = 0; i < (sizeof(values) / sizeof(*values)); i++)
+			{
+				values[i] = isc_random16();
+			}
+			break;
+		case ISC_RANDOM32:
+			for (i = 0; i < (sizeof(values) / sizeof(*values)); i++)
+			{
+				values[i] = isc_random32();
+			}
+			break;
+		case ISC_RANDOM_BYTES:
+			isc_random_buf(values, sizeof(values));
+			break;
+		case ISC_RANDOM_UNIFORM:
+			uniform_values = (uint16_t *)values;
+			for (i = 0;
+			     i < (sizeof(values) / (sizeof(*uniform_values)));
+			     i++)
+			{
+				uniform_values[i] =
+					isc_random_uniform(UINT16_MAX);
+			}
+			break;
+		case ISC_NONCE_BYTES:
+			isc_nonce_buf(values, sizeof(values));
+			break;
+		}
+
+		p_value = (*func)(test_mctx, (uint16_t *)values, REPS * 2);
+		if (p_value >= 0.01) {
+			passed++;
+		}
+
+		assert_in_range(p_value, 0.0, 1.0);
+
+		i = (int)floor(p_value * 10);
+		histogram[i]++;
+	}
+
+	/*
+	 * Check proportion of sequences passing a test (see section
+	 * 4.2.1 in NIST SP 800-22).
+	 */
+	alpha = 0.01; /* the significance level */
+	proportion = (double)passed / (double)m;
+	p_hat = 1.0 - alpha;
+	lower_confidence = p_hat - (3.0 * sqrt((p_hat * (1.0 - p_hat)) / m));
+	higher_confidence = p_hat + (3.0 * sqrt((p_hat * (1.0 - p_hat)) / m));
+
+	if (verbose) {
+		print_message("# passed=%u/1000\n", passed);
+		print_message("# higher_confidence=%f, lower_confidence=%f, "
+			      "proportion=%f\n",
+			      higher_confidence, lower_confidence, proportion);
+	}
+
+	assert_in_range(proportion, lower_confidence, higher_confidence);
+
+	/*
+	 * Check uniform distribution of p-values (see section 4.2.2 in
+	 * NIST SP 800-22).
+	 */
+
+	/* Fold histogram[10] (p_value = 1.0) into histogram[9] for
+	 * interval [0.9, 1.0]
+	 */
+	histogram[9] += histogram[10];
+	histogram[10] = 0;
+
+	/* Pre-requisite that at least 55 sequences are processed. */
+	assert_true(m >= 55);
+
+	if (verbose) {
+		print_message("# ");
+	}
+
+	chi_square = 0.0;
+	for (j = 0; j < 10; j++) {
+		double numer;
+		double denom;
+
+		if (verbose) {
+			print_message("hist%u=%u ", j, histogram[j]);
+		}
+
+		numer = (histogram[j] - (m / 10.0)) *
+			(histogram[j] - (m / 10.0));
+		denom = m / 10.0;
+		chi_square += numer / denom;
+	}
+
+	if (verbose) {
+		print_message("\n");
+	}
+
+	p_value_t = igamc(9 / 2.0, chi_square / 2.0);
+
+	assert_true(p_value_t >= 0.0001);
+}
+
+/*
+ * This is a frequency (monobits) test taken from the NIST SP 800-22
+ * RANDOM test suite.
+ */
+static double
+monobit(isc_mem_t *mctx, uint16_t *values, size_t length) {
+	size_t i;
+	int32_t scount;
+	uint32_t numbits;
+	double s_obs;
+	double p_value;
+
+	UNUSED(mctx);
+
+	numbits = length * sizeof(*values) * 8;
+	scount = 0;
+
+	for (i = 0; i < length; i++) {
+		scount += scounts_table[values[i]];
+	}
+
+	/* Preconditions (section 2.1.7 in NIST SP 800-22) */
+	assert_true(numbits >= 100);
+
+	if (verbose) {
+		print_message("# numbits=%u, scount=%d\n", numbits, scount);
+	}
+
+	s_obs = abs(scount) / sqrt(numbits);
+	p_value = erfc(s_obs / sqrt(2.0));
+
+	return (p_value);
+}
+
+/*
+ * This is the runs test taken from the NIST SP 800-22 RNG test suite.
+ */
+static double
+runs(isc_mem_t *mctx, uint16_t *values, size_t length) {
+	size_t i;
+	uint32_t bcount;
+	uint32_t numbits;
+	double pi;
+	double tau;
+	uint32_t j;
+	uint32_t b;
+	uint8_t bit_this;
+	uint8_t bit_prev;
+	uint32_t v_obs;
+	double numer;
+	double denom;
+	double p_value;
+
+	UNUSED(mctx);
+
+	numbits = length * sizeof(*values) * 8;
+	bcount = 0;
+
+	for (i = 0; i < length; i++) {
+		bcount += bitcounts_table[values[i]];
+	}
+
+	if (verbose) {
+		print_message("# numbits=%u, bcount=%u\n", numbits, bcount);
+	}
+
+	pi = (double)bcount / (double)numbits;
+	tau = 2.0 / sqrt(numbits);
+
+	/* Preconditions (section 2.3.7 in NIST SP 800-22) */
+	assert_true(numbits >= 100);
+
+	/*
+	 * Pre-condition implied from the monobit test. This can fail
+	 * for some sequences, and the p-value is taken as 0 in these
+	 * cases.
+	 */
+	if (fabs(pi - 0.5) >= tau) {
+		return (0.0);
+	}
+
+	/* Compute v_obs */
+	j = 0;
+	b = 14;
+	bit_prev = (values[j] & (1U << 15)) == 0 ? 0 : 1;
+
+	v_obs = 0;
+
+	for (i = 1; i < numbits; i++) {
+		bit_this = (values[j] & (1U << b)) == 0 ? 0 : 1;
+		if (b == 0) {
+			b = 15;
+			j++;
+		} else {
+			b--;
+		}
+
+		v_obs += bit_this ^ bit_prev;
+
+		bit_prev = bit_this;
+	}
+
+	v_obs += 1;
+
+	numer = fabs(v_obs - (2.0 * numbits * pi * (1.0 - pi)));
+	denom = 2.0 * sqrt(2.0 * numbits) * pi * (1.0 - pi);
+
+	p_value = erfc(numer / denom);
+
+	return (p_value);
+}
+
+/*
+ * This is the block frequency test taken from the NIST SP 800-22 RNG
+ * test suite.
+ */
+static double
+blockfrequency(isc_mem_t *mctx, uint16_t *values, size_t length) {
+	uint32_t i;
+	uint32_t numbits;
+	uint32_t mbits;
+	uint32_t mwords;
+	uint32_t numblocks;
+	double *pi;
+	double chi_square;
+	double p_value;
+
+	numbits = length * sizeof(*values) * 8;
+	mbits = 32000;
+	mwords = mbits / 16;
+	numblocks = numbits / mbits;
+
+	if (verbose) {
+		print_message("# numblocks=%u\n", numblocks);
+	}
+
+	/* Preconditions (section 2.2.7 in NIST SP 800-22) */
+	assert_true(numbits >= 100);
+	assert_true(mbits >= 20);
+	assert_true((double)mbits > (0.01 * numbits));
+	assert_true(numblocks < 100);
+	assert_true(numbits >= (mbits * numblocks));
+
+	pi = isc_mem_get(mctx, numblocks * sizeof(double));
+	assert_non_null(pi);
+
+	for (i = 0; i < numblocks; i++) {
+		uint32_t j;
+		pi[i] = 0.0;
+		for (j = 0; j < mwords; j++) {
+			uint32_t idx;
+
+			idx = i * mwords + j;
+			pi[i] += bitcounts_table[values[idx]];
+		}
+		pi[i] /= mbits;
+	}
+
+	/* Compute chi_square */
+	chi_square = 0.0;
+	for (i = 0; i < numblocks; i++) {
+		chi_square += (pi[i] - 0.5) * (pi[i] - 0.5);
+	}
+
+	chi_square *= 4 * mbits;
+
+	isc_mem_put(mctx, pi, numblocks * sizeof(double));
+
+	if (verbose) {
+		print_message("# chi_square=%f\n", chi_square);
+	}
+
+	p_value = igamc(numblocks * 0.5, chi_square * 0.5);
+
+	return (p_value);
+}
+
+/*
+ * This is the binary matrix rank test taken from the NIST SP 800-22 RNG
+ * test suite.
+ */
+static double
+binarymatrixrank(isc_mem_t *mctx, uint16_t *values, size_t length) {
+	uint32_t i;
+	size_t matrix_m;
+	size_t matrix_q;
+	uint32_t num_matrices;
+	size_t numbits;
+	uint32_t fm_0;
+	uint32_t fm_1;
+	uint32_t fm_rest;
+	double term1;
+	double term2;
+	double term3;
+	double chi_square;
+	double p_value;
+
+	UNUSED(mctx);
+
+	matrix_m = 32;
+	matrix_q = 32;
+	num_matrices = length / ((matrix_m * matrix_q) / 16);
+	numbits = num_matrices * matrix_m * matrix_q;
+
+	/* Preconditions (section 2.5.7 in NIST SP 800-22) */
+	assert_int_equal(matrix_m, 32);
+	assert_int_equal(matrix_q, 32);
+	assert_true(numbits >= (38 * matrix_m * matrix_q));
+
+	fm_0 = 0;
+	fm_1 = 0;
+	fm_rest = 0;
+	for (i = 0; i < num_matrices; i++) {
+		/*
+		 * Each uint32_t supplies 32 bits, so a 32x32 bit matrix
+		 * takes up uint32_t array of size 32.
+		 */
+		uint32_t bits[32];
+		int j;
+		uint32_t rank;
+
+		for (j = 0; j < 32; j++) {
+			size_t idx;
+			uint32_t r1;
+			uint32_t r2;
+
+			idx = i * ((matrix_m * matrix_q) / 16);
+			idx += j * 2;
+
+			r1 = values[idx];
+			r2 = values[idx + 1];
+			bits[j] = (r1 << 16) | r2;
+		}
+
+		rank = matrix_binaryrank(bits, matrix_m, matrix_q);
+
+		if (rank == matrix_m) {
+			fm_0++;
+		} else if (rank == (matrix_m - 1)) {
+			fm_1++;
+		} else {
+			fm_rest++;
+		}
+	}
+
+	/* Compute chi_square */
+	term1 = ((fm_0 - (0.2888 * num_matrices)) *
+		 (fm_0 - (0.2888 * num_matrices))) /
+		(0.2888 * num_matrices);
+	term2 = ((fm_1 - (0.5776 * num_matrices)) *
+		 (fm_1 - (0.5776 * num_matrices))) /
+		(0.5776 * num_matrices);
+	term3 = ((fm_rest - (0.1336 * num_matrices)) *
+		 (fm_rest - (0.1336 * num_matrices))) /
+		(0.1336 * num_matrices);
+
+	chi_square = term1 + term2 + term3;
+
+	if (verbose) {
+		print_message("# fm_0=%u, fm_1=%u, fm_rest=%u, chi_square=%f\n",
+			      fm_0, fm_1, fm_rest, chi_square);
+	}
+
+	p_value = exp(-chi_square * 0.5);
+
+	return (p_value);
+}
+
+/***
+ *** Tests for isc_random32() function
+ ***/
+
+/* Monobit test for the RANDOM */
+static void
+isc_random32_monobit(void **state) {
+	UNUSED(state);
+
+	random_test(monobit, ISC_RANDOM32);
+}
+
+/* Runs test for the RANDOM */
+static void
+isc_random32_runs(void **state) {
+	UNUSED(state);
+
+	random_test(runs, ISC_RANDOM32);
+}
+
+/* Block frequency test for the RANDOM */
+static void
+isc_random32_blockfrequency(void **state) {
+	UNUSED(state);
+
+	random_test(blockfrequency, ISC_RANDOM32);
+}
+
+/* Binary matrix rank test for the RANDOM */
+static void
+isc_random32_binarymatrixrank(void **state) {
+	UNUSED(state);
+
+	random_test(binarymatrixrank, ISC_RANDOM32);
+}
+
+/***
+ *** Tests for isc_random_bytes() function
+ ***/
+
+/* Monobit test for the RANDOM */
+static void
+isc_random_bytes_monobit(void **state) {
+	UNUSED(state);
+
+	random_test(monobit, ISC_RANDOM_BYTES);
+}
+
+/* Runs test for the RANDOM */
+static void
+isc_random_bytes_runs(void **state) {
+	UNUSED(state);
+
+	random_test(runs, ISC_RANDOM_BYTES);
+}
+
+/* Block frequency test for the RANDOM */
+static void
+isc_random_bytes_blockfrequency(void **state) {
+	UNUSED(state);
+
+	random_test(blockfrequency, ISC_RANDOM_BYTES);
+}
+
+/* Binary matrix rank test for the RANDOM */
+static void
+isc_random_bytes_binarymatrixrank(void **state) {
+	UNUSED(state);
+
+	random_test(binarymatrixrank, ISC_RANDOM_BYTES);
+}
+
+/***
+ *** Tests for isc_random_uniform() function:
+ ***/
+
+/* Monobit test for the RANDOM */
+static void
+isc_random_uniform_monobit(void **state) {
+	UNUSED(state);
+
+	random_test(monobit, ISC_RANDOM_UNIFORM);
+}
+
+/* Runs test for the RANDOM */
+static void
+isc_random_uniform_runs(void **state) {
+	UNUSED(state);
+
+	random_test(runs, ISC_RANDOM_UNIFORM);
+}
+
+/* Block frequency test for the RANDOM */
+static void
+isc_random_uniform_blockfrequency(void **state) {
+	UNUSED(state);
+
+	random_test(blockfrequency, ISC_RANDOM_UNIFORM);
+}
+
+/* Binary matrix rank test for the RANDOM */
+static void
+isc_random_uniform_binarymatrixrank(void **state) {
+	UNUSED(state);
+
+	random_test(binarymatrixrank, ISC_RANDOM_UNIFORM);
+}
+
+/* Tests for isc_nonce_bytes() function */
+
+/* Monobit test for the RANDOM */
+static void
+isc_nonce_bytes_monobit(void **state) {
+	UNUSED(state);
+
+	random_test(monobit, ISC_NONCE_BYTES);
+}
+
+/* Runs test for the RANDOM */
+static void
+isc_nonce_bytes_runs(void **state) {
+	UNUSED(state);
+
+	random_test(runs, ISC_NONCE_BYTES);
+}
+
+/* Block frequency test for the RANDOM */
+static void
+isc_nonce_bytes_blockfrequency(void **state) {
+	UNUSED(state);
+
+	random_test(blockfrequency, ISC_NONCE_BYTES);
+}
+
+/* Binary matrix rank test for the RANDOM */
+static void
+isc_nonce_bytes_binarymatrixrank(void **state) {
+	UNUSED(state);
+
+	random_test(binarymatrixrank, ISC_NONCE_BYTES);
+}
+
+int
+main(int argc, char **argv) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test(isc_random32_monobit),
+		cmocka_unit_test(isc_random32_runs),
+		cmocka_unit_test(isc_random32_blockfrequency),
+		cmocka_unit_test(isc_random32_binarymatrixrank),
+		cmocka_unit_test(isc_random_bytes_monobit),
+		cmocka_unit_test(isc_random_bytes_runs),
+		cmocka_unit_test(isc_random_bytes_blockfrequency),
+		cmocka_unit_test(isc_random_bytes_binarymatrixrank),
+		cmocka_unit_test(isc_random_uniform_monobit),
+		cmocka_unit_test(isc_random_uniform_runs),
+		cmocka_unit_test(isc_random_uniform_blockfrequency),
+		cmocka_unit_test(isc_random_uniform_binarymatrixrank),
+		cmocka_unit_test(isc_nonce_bytes_monobit),
+		cmocka_unit_test(isc_nonce_bytes_runs),
+		cmocka_unit_test(isc_nonce_bytes_blockfrequency),
+		cmocka_unit_test(isc_nonce_bytes_binarymatrixrank),
+	};
+	int c;
+
+	while ((c = isc_commandline_parse(argc, argv, "v")) != -1) {
+		switch (c) {
+		case 'v':
+			verbose = true;
+			break;
+		default:
+			break;
+		}
+	}
+
+	return (cmocka_run_group_tests(tests, _setup, _teardown));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/isc/tests/regex_test.c b/lib/isc/tests/regex_test.c
new file mode 100644
index 0000000..700df92
--- /dev/null
+++ b/lib/isc/tests/regex_test.c
@@ -0,0 +1,2374 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#ifdef HAVE_REGEX_H
+#include <regex.h>
+#endif /* ifdef HAVE_REGEX_H */
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/commandline.h>
+#include <isc/print.h>
+#include <isc/regex.h>
+#include <isc/util.h>
+
+/* Set to true (or use -v option) for verbose output */
+static bool verbose = false;
+
+/* test isc_regex_validate() */
+static void
+regex_validate(void **state) {
+	/*
+	 *  test regex were generated using http://code.google.com/p/regfuzz/
+	 *  modified to use only printable characters
+	 */
+	struct {
+		const char *expression;
+		int expect;
+		int exception; /* regcomp accepts but is
+				* disallowed. */
+	} tests[] = {
+		{ "", -1, 0 },
+		{ "*", -1, 0 },
+		{ ".*", 0, 0 },
+		{ ".**", -1, 0 },
+		{ ".*\?", -1, 0 },
+		{ ".*+", -1, 0 },
+		{ "+", -1, 0 },
+		{ ".+", 0, 0 },
+		{ ".++", -1, 0 },
+		{ ".+\?", -1, 0 },
+		{ ".+*", -1, 0 },
+		{ "\?", -1, 0 },
+		{ ".\?", 0, 0 },
+		{ ".\?\?", -1, 0 },
+		{ ".\?*", -1, 0 },
+		{ ".\?+", -1, 0 },
+		{ "(", -1, 0 },
+		{ "()", 1, 0 },
+		{ "(|)", -1, 0 },
+		{ "(a|)", -1, 0 },
+		{ "(|b)", -1, 0 },
+		{ ".{", 0, 0 },
+		{ ".{1", -1, 0 },
+		{ ".\\{1", 0, 0 },
+		{ ".{1}", 0, 0 },
+		{ ".\\{1}", 0, 0 },
+		{ ".{,", 0, 0 },
+		{ ".{,}", 0, 0 },
+		{ ".{1,}", 0, 0 },
+		{ ".\\{1,}", 0, 0 },
+		{ ".{1,\\}", -1, 0 },
+		{ ".{1,", -1, 0 },
+		{ ".\\{1,", 0, 0 },
+		{ ".{1,2}", 0, 0 },
+		{ ".{1,2}*", -1, 0 },
+		{ ".{1,2}+", -1, 0 },
+		{ ".{1,2}\?", -1, 0 },
+		{ ".{1,2", -1, 0 },
+		{ ".{2,1}", -1, 0 },
+		{ "[", -1, 0 },
+		{ "[]", -1, 0 },
+		{ "[]]", 0, 0 },
+		{ "[[]", 0, 0 },
+		{ "[^]", -1, 0 },
+		{ "[1-2-3]", -1, 0 },
+		{ "[1-22-3]", 0, 0 },
+		{ "[+--23]", 0, 0 },
+		{ "[+--]", 0, 0 },
+		{ "[-1]", 0, 0 },
+		{ "[1-]", 0, 0 },
+		{ "[[.^.]]", 0, 0 },
+		{ "[^]]", 0, 0 },
+		{ "[^^]", 0, 0 },
+		{ "[]]\?", 0, 0 },
+		{ "[[]\?", 0, 0 },
+		{ "[[..]]", -1, 0 },
+		{ "[[...]]", 0, 0 },
+		{ "[[..5.]--]", -1, 0 },
+		{ "[[.+.]--]", 0, 0 },
+		{ "[[..+.]--]", -1, 0 },
+		{ "[[.5.]--]", -1, 0 },
+		{ "[1-[=x=]]", -1, 0 },
+		{ "[[:alpha:]]", 0, 0 },
+		{ "[[:alpha:]", -1, 0 },
+		{ "[[:alnum:]]", 0, 0 },
+		{ "[[:alnum:]", -1, 0 },
+		{ "[[:digit:]]", 0, 0 },
+		{ "[[:digit:]", -1, 0 },
+		{ "[[:punct:]]", 0, 0 },
+		{ "[[:punct:]", -1, 0 },
+		{ "[[:graph:]]", 0, 0 },
+		{ "[[:graph:]", -1, 0 },
+		{ "[[:space:]]", 0, 0 },
+		{ "[[:space:]", -1, 0 },
+		{ "[[:blank:]]", 0, 0 },
+		{ "[[:blank:]", -1, 0 },
+		{ "[[:upper:]]", 0, 0 },
+		{ "[[:upper:]", -1, 0 },
+		{ "[[:cntrl:]]", 0, 0 },
+		{ "[[:cntrl:]", -1, 0 },
+		{ "[[:print:]]", 0, 0 },
+		{ "[[:print:]", -1, 0 },
+		{ "[[:xdigit:]]", 0, 0 },
+		{ "[[:xdigit:]", -1, 0 },
+		{ "[[:unknown:]]", -1, 0 },
+		{ "\\[", 0, 0 },
+		{ "(a)\\1", 1, 0 },
+		{ "(a)\\2", -1, 1 },
+		{ "\\0", 0, 0 },
+		{ "[[][:g(\?(raph:][:alnu)(\?{m:][:space:]h]<Z3})AAA)S[:space:]"
+		  "{176,}",
+		  0, 0 },
+		{ "(()IIIIIIII(III[[[[[[[[[[[[[[[[[[^[[[[[[[[              [^  "
+		  "     "
+		  "fX][:ascii:].)N[:a(\?<!lpha:])][:punct:]e*y+)a{-124,223}",
+		  3, 0 },
+		{ "(pP\\\\\\(\?<!"
+		  "\\\\\\\\\\\\\\\\\\\\\\lRRRRRRRRRRRRRRRRBBBBBBBBBBBBBBBB))"
+		  "kkkkkkkkkkkkkkkkkkkkk|^",
+		  1, 0 },
+		{ "[^[^[{111}(\?=(\?:(\?>/"
+		  "r(\?<(\?=!(\?(\?!<!Q(\?:=0_{Meqipm`(\?((\?{x|N)))))|))+]+]Z)"
+		  "O{,-215}])}))___________________{}",
+		  0, 0 },
+		{ "[C{,-218(\?=}E^< ]PP-Ga)t``````````````````````````{138}", 0,
+		  0 },
+		{ "[^h(\?<!(\?>Nn(\?#])))", 0, 0 },
+		{ "[(\?!(\?<=[^{,37}AAAA(AAAAAAAAAAAAA])", 0, 0 },
+		{ "[^((\?(\?:ms(\?<!xims:A{}(\?{*</H(\?=xL "
+		  "$(\?<!,[})))*)qqqqqqqqqqqqqqqqqq)]"
+		  "33333333333333333333333333333{[:graph:]p)-+( "
+		  "oqD]){-10,}-{247}_______________________X-e[:alpha:][:"
+		  "upperword:]_(______wwwwwwwww "
+		  "/c[:upperword:][:alnum:][:alnum:][:pun(\?{ct:])[:blankcntrl:"
+		  "]})*_*",
+		  2, 0 },
+		{ "[(\?<!:lowerprin(\?{t:]{}}){113,})[:punct:]"
+		  "IIIIIIIIIIIIIIIIIIIIIIII",
+		  0, 0 },
+		{ "PP)", 0, 0 },
+		{ "(([^(\?<!((\?>\?=[])p.]}8X[:blankcntrl:],{-119,94})XmF1.{)-)"
+		  "[:upperword:])[:digit:]{zg-q",
+		  2, 0 },
+		{ "[^[({(\?#254}))Z[l][x50]=444444444444(4444444444u[:punct:]"
+		  "\?[:punct:(\?!])])",
+		  1, 0 },
+		{ "[^[^[^([^((*4[(^((\?<=])Ec)", 0, 0 },
+		{ "(0)Y:8biiiiiiiiiiiiiiiiiii", 1, 0 },
+		{ "[^w(\?!)P::::::::::::::(\?#::(\?<=:::::::::]\"\"{}["
+		  "3333333333333333(\?<=33333(\?!)9Xja][:alph(\?<=a:])xB1)("
+		  "PX8Cf\?4444)qq[:digit:])",
+		  1, 0 },
+		{ "([U[^[^].]^m]/306KS7JJJJJJJJ{})", 1, 0 },
+		{ "[^[^([^[(\?!(\?>8j`Wg2(\?{,(\?>!#N++++(\?<![++++++)+"
+		  "44444444bA:K(\?<!O3([:digit:]3]}}}}}}}}}}}}}}}}}}}}}}}}LP})"
+		  "S",
+		  0, 0 },
+		{ "[({(\?{,(\?(=213}*))})]WWWWWWWWWWWWWWW[:alnum:])", 0, 0 },
+		{ "[:(\?<=ascii:])", 0, 0 },
+		{ "[U(\?#)(\?<=+HzE])[:punct:]{-207,170}\?s.!", 0, 0 },
+		{ "{}z=jU75~n#soD\"&\?UL`X{xxxxxxxxxxxxxxxxxxxx(xxxxxx${-246,"
+		  "27}[:graph:]g\"{_bX)[:alnum:][:punct:]{-79,}-",
+		  1, 0 },
+		{ "[^{,-186}@@@@[^(\?{@@(\?>@+(\?>l.]}))*\\BCYX]^W{52,123}("
+		  "lXislccccccccccccccccc)-*)",
+		  1, 0 },
+		{ "(x42+,)7=]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]", 1, 0 },
+		{ "[^(*[:graph:]q/TH\?B(\?{P)]})uZn[:digit:]+2", 0, 0 },
+		{ "([XXXXXXXXXXXXXXXXXXXXX[(:alnum:][:space:]i%[:upperw(\?=o("
+		  "\?#rd:])) ",
+		  1, 0 },
+		{ "(@@@@)", 1, 0 },
+		{ "{-18,}[:as[(\?>^[cii:]]{}>+{-46,}{,95}[:punct:]{}"
+		  "99999999999999])-{-134}'sK$"
+		  "wCKjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj",
+		  0, 0 },
+		{ "(l[:alpha:(\?!]))", 1, 0 },
+		{ "[[^(\?{]|JJ[:alph(a:]X{})B^][:lowerprint:]n-219{-32}{19,105}"
+		  "k4P}){,-144}",
+		  0, 0 },
+		{ "[[^]P[:punct:][:alpha:][:xdigit:]syh]|W#JS*(m<2,P-RK)cA@", 1,
+		  0 },
+		{ "([^((\?({\?<=)}){[^}^]{}])^P4[:punct:[]$)]", 1, 0 },
+		{ "([(\?#:(\?{space:]}):{}{-242,}n)F[:alpha:]3$)d4H3up6qS[:"
+		  "blankcntrl:]B:C{}[:upperword:]r",
+		  1, 0 },
+		{ "([(\?:]))[:digit:]mLV.{}", 1, 0 },
+		{ "[^PPP-[]{[,50}{128,}]111111111111111]p", 0, 0 },
+		{ "[^([^([^([[^[([^[^[[2[[[[[[[[[[[[[^[[[[(\?(\?{:[[[[[[(\?([-["
+		  ":ascii:]--*)",
+		  -1, 0 },
+		{ ")!F^DA/ZZZZZZZZZZZZZZZZZZ", 0, 0 },
+		{ "[[[[[[[((\?=\?(\?>([[[[[[[^[[[[(\?()[[[K(\?#))])))]7Y[:"
+		  "space:]{,-96}pP)[:ascii:]u{-88}:N{-251}uo",
+		  0, 0 },
+		{ "t[:x(\?<=digit:])eYYYYYYYYYYYYYYYYYY{,-220}A", 0, 0 },
+		{ "[[({10,}[:graph:]Pdddddd(\?#X)])[:alnum:(]]L-C){,50}[:"
+		  "blankcntrl:]p[:gra(ph:]){66,}",
+		  0, 0 },
+		{ "[^[^]*4br]w[:digit(\?::]n99999999999999999)P[:punct:]pP", 0,
+		  0 },
+		{ "[:digit:]{67,247}!N{122})VrXe", 0, 0 },
+		{ "[:xdigit:]^[:xdigit:]Z[:alnum:]^^^^1[:upperword:(\?=])[:"
+		  "lowerprint:]*JJ-",
+		  0, 0 },
+		{ "[[(\?imsximsx:^*e(){,3[6}](V~\?^[:asc(\?!ii:]I.dZ))]$^"
+		  "AAAAAAAAAAAAAAAAAAAAAAAA[:space:]k)]",
+		  1, 0 },
+		{ "W{,112}[:lowerp(\?<!rint:]$#GT>R7~t'"
+		  "\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"9,O).",
+		  0, 0 },
+		{ "[^{6((\?>\?:4}(\?<=G))f)"
+		  "KKKKKKKKKKKKKKKKKKKKKKKKKKKKKpppppppp(\?=ppppp]{,-101}|[:"
+		  "blankcntrl:]Z{-182})",
+		  0, 0 },
+		{ "([:punct:]@^,,,,,,,,,,,,,,,,,,,,,,,,,,0\?:-o8NPIIIIIIIII)"
+		  "pPKKKKKKKKKKKKKKKKKKKK",
+		  1, 0 },
+		{ "([^[[^[^]]]])", 1, 0 },
+		{ "[([^[(333\"(\?#\\\\[)(\?isx-x:\"Tx]')", 0, 0 },
+		{ "[[n>^>T%.zzzzzzzzzzzzzzzzz$&|Fk.1o7^o, "
+		  "^8{202,-12}$[:alnum:]]G[:upperword:]V[:xdigit:]L|[:"
+		  "upperword:]KKKKKKKKKKKKYX\"\")xJ "
+		  "~B@[{,-68}/][:upperword:]QI.",
+		  0, 0 },
+		{ "[^[]tN^hy3\"d@v T[GE\?^~{124,10(\?{2}]})\?[:upperword:]O", 0,
+		  0 },
+		{ "d.``````````````````````````[:up(\?=perword:]"
+		  "RRRRRRRRRRRRRRR)",
+		  0, 0 },
+		{ "[Z{{{{{{{{{{{{{(\?={(\?<!{{{{{{{{{(\?>{{J6N:H[tA+mN3Zmf:p\?]"
+		  "\?){-181,82}S4n.b[:lowerpri(\?{nt:]|"
+		  "ggggggggggggggggggggggggggggggg}))4)",
+		  0, 0 },
+		{ "[^((/////[^////[^/////////[(^/////]fI{240}{-120}+]R]GA)", 0,
+		  0 },
+		{ "[-(\?#.)(\?())[:alpha:](\?={(\?#}r)[:space:]PPW]o)", 0, 0 },
+		{ "[:lowerp(\?{rint:]})201{46,}[:a[^scii:]0Q{37,}][:blankcntrl:"
+		  "]1331",
+		  0, 0 },
+		{ "[^(\?!(\?#)\\GIwxKKKKKKKKKK'$KKKKKKKK]l)bbb^&\?", 0, 0 },
+		{ "[:ascii:]*[:sp(\?<=ace:])", 0, 0 },
+		{ "({-66,}Z{})0I{-111,}[:punct(\?():])", 1, 0 },
+		{ "[[^(\?!()%%%%%%%%%%%%%(\?:%%%%%%%%%%%%%%%%)t(\?{VX>B#6sUU("
+		  "\?<!UUUUUU(\?=UUU[^UUUUUUUUUUUU(\?((\?:UPPPPPPPPPPP)"
+		  "PPPPPPPPPPPPPPP]ffffffffffffffffffffffff)^[:space:]"
+		  "wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww{243}9[:lowerprint:]Dv[:"
+		  "graph:])][:blankcntrl:]V%E[:graph:]})[:space:]{-83,}cQZ{}4{-"
+		  "23,135}",
+		  0, 0 },
+		{ "({,-76[}]O[:xdi(\?<!git:])\?5))))))))\?d[:lowerprint:]"
+		  "b666666[:graph:]c",
+		  1, 0 },
+		{ "{}{-145,}[:(\?(spa)ce:])f", 0, 0 },
+		{ "[([^].{116,243}]T*[[^:punct(\?[{[^:(\?<!]]8()])[:alnum:])})]"
+		  "N{}{,243}*[n]][:graph:]",
+		  1, 0 },
+		{ "[^w]8888888888888888_________(__________[:ascii:]BdqTE$^0|"
+		  "MNto*i#############[^#################])",
+		  1, 0 },
+		{ "[^[[[<[()\?]GGG{,26[}[:alnum:]SSSSS.gggggggg[:graph:]"
+		  "CCCCCCCCCCC{79,}{138,191}][:di(git:]u]@]"
+		  "JJJJJJJJJJJJJJJJJJJJJJJ[:graph:(\?:][:alnum:]])[:alnum:])]",
+		  0, 0 },
+		{ "[^(((BBBBBBBBBB(\?>BBBZvvvvvvvvvv(\?m(sximsx:vvv)iiiiiiii)))"
+		  "j>Rs:Sm]0MMMMMMMMMMM|@F)Y]*^#EEEEEEE)*",
+		  0, 0 },
+		{ "([^([(U(\?!)<<<<<<<<<<(\?#<<<<(\?<!<<<)(\?=L.{73,})+]n9U}fk%"
+		  "Jn}'b Na<%yyyyyyyyyyyy)){-198,}]))[:space:].pP361U]3s@u_9AU "
+		  "Te/{s`6=IMZdL1|.ySRo",
+		  1, 0 },
+		{ "[[((\?<=\?>(\?#){}]{}`){1,82}){-143[,}]^G", 0, 0 },
+		{ "[:digit:]W|[:up(\?<!perword:]{,-101}llllllllllllllllll[:"
+		  "upperword:])mmYYYYYYYYYYYYYYYYYYYYYYY*",
+		  0, 0 },
+		{ "@NHy)", 0, 0 },
+		{ "([^[^]][:alnum:]222[^22222222(\?{2222222222222222][:lo(\?:"
+		  "werprint:][:xdigit:]^[:blankcntrl:]s+N)[:alpha:]-"
+		  "NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNWxxxxxxxxxxxxxxxxxxxxxxxxxxD["
+		  ":space:]U)TTTTTTTTTTfffffffffffzzzzzzzzzzzzzzzzzzzzzzzzz})",
+		  1, 0 },
+		{ "[^[^[[^[][^[]pP([^\?[^<=(\?=]){158,})]]]][:digit:]]"
+		  "K22222222222p^dUKJ`\">@]",
+		  1, 0 },
+		{ "[^[^[(\?imsximsx::p(\?{unct:][(\?>:ascii:]5w)]{159}\\Q\?@C]"
+		  "4(44444444}[^)|)[:graph:]]C:b)",
+		  1, 0 },
+		{ "[^[[(tYri[W<8%1(\?='yt][:lowerprint:[]))1r]][:alnum:][:"
+		  "digit:]{48}{-52,-183}+][:alpha:]r][:upperword:]\?{-105,155}{"
+		  "-55,-87}pPN#############################{63,232}]",
+		  0, 0 },
+		{ "[*(\?>L(\?<(\?>=))]&&&&&&&(&&&&&&&&&&&&&&&&&&))[|WIX]{-62,-"
+		  "114}S  K=HW60XE<2+W",
+		  1, 0 },
+		{ "(00000000000)z\\\\*t{}R{88}[:alnum:]*", 1, 0 },
+		{ "(([^(\?=\?gggggg[gLw)]{-250,}[:xdigit:]yZ[:g(raph:]8QNr[:"
+		  "space:][:blankcntrl:]A)][:digit:]D)[:xdigit:])",
+		  2, 0 },
+		{ "[^([^,(\?<!]*))]", 0, 0 },
+		{ "[^(\?{[:alnum:]]}}}}}}}}}}}}}}}}}}}}}}}){-83}", 0, 0 },
+		{ "WWWWWWWW[:alnum(\?<=(\?#:]{,-1})@OSSS)[:digit:]", 0, 0 },
+		{ "[^(\?!*]+G)", 0, 0 },
+		{ "[LLLLLLLLLLLLLLLLLLLLLLLLLLLLLL>s8.>[^{}$(\?(]]XXXXXXX)"
+		  "XXXXXXXXXXXXXX[:alpha:]Whii\?p[:xdigit:])+",
+		  0, 0 },
+		{ "(7777[:blankcntrl:])", 1, 0 },
+		{ "[^C[:digit:]]{}YYYY(YYYYYYYYYYYYYYYY)", 1, 0 },
+		{ "on|,#tve%F(w-::::::::::::::::::::::::::::*=->)", 1, 0 },
+		{ "([((\?=(\?!((\?=')))27(<{})S-vvvvvvvvvv(\?="
+		  "vvvvvvvvvvvvvvvvv[:punct:][:alnum:]}}}}}}}}}}}}}}}}}}}}}}}"
+		  "PPPPPPPPPPPPPPPPPPPPPPPPPPPPPgggggggggggggggggggggggggg(\?#("
+		  "\?#gggggg<X){}]{-164,61})>+))uQ)W>[:punct:][:xdigit:][:"
+		  "digit:][:punct:]{}[:digit:][:space:]){,-105}=xiAyf}o[:alpha:"
+		  "]akZSYK+sl{",
+		  1, 0 },
+		{ "[^[^]/S:Hq<[:upperword:(\?<=]W[:alnum:]X])1973", 0, 0 },
+		{ "[[^[[^([^VVVV(\?!(VVVVVVVVVVVVVVVVVVVVV[VVVVX][^]2))"
+		  "98ppppppppppppppppppppppppppppppp/////////////////////"
+		  "b.]G{-101,}[:[ascii:]P].=~])AAAAAAAAAAAAA2{-153,}]]]]]]]]]]]"
+		  "]]]]]]]]]]]]]]]]]]]]][:alnum:][:lowerprint:]WN/"
+		  "D!rD]|4444{180}]V_@3lW#lat]",
+		  0, 0 },
+		{ "[^[^([^TTTTT(\?:T(\?:T7777{,59}])[:graph:][:ascii(\?<=:]))f]"
+		  "AD{,-43}%%%%%%%%%%%%%%%%)S|[:digit:]FZm<[:blankcntrl:]QT&xj*"
+		  "{-114,}$[:xdigit:]042][:xdig[it:]{-180}027[:alpha:][:ascii:]"
+		  "[:lowerprint:][:xdigit:]^|[:alnum:][^Mi]z!suQ{-44,-32}[:"
+		  "digit:]]",
+		  0, 0 },
+		{ ")", 0, 0 },
+		{ "''''''''''[:a(\?imsxisx:lnum:])P", 0, 0 },
+		{ "(([{20(\?<=8}[:alnum:]pP$`(\?#N)wRH[:graph:]aaaaaaaaaaaaaa("
+		  "\?=aaaaaaaaaaaaaaaaP]a)))[:punct:]-\?)A^",
+		  2, 0 },
+		{ "[^(.//"
+		  "[:punct:]&-333333333333333333333333333(\?<!33)"
+		  "LLLLLLLLLLLLLLLLL[:alnum:]$1]~8]|^\"A[:xdigit:]\?[:ascii:]{"
+		  "128,}{,-74}[:graph:]{157}3N){-196,184}D",
+		  0, 0 },
+		{ "[^($(\?{(\?<=)[#)]})[:space:]]nWML0D{}", 0, 0 },
+		{ ",,,,,,,,,,,,,,,,,,,,,,,,,,,,,[^]x{213,-93}(\?{A7]V{}})", 0,
+		  0 },
+		{ "[k(\?=*)+^[f(])r_H6", 0, 0 },
+		{ "[(\?#(\?{)]q})", 0, 0 },
+		{ "([GLLLLLLLLLL(\?!((\?:LLLLLLLL]))C#T$Y))^|>W90DDDDDDDDDDD[^"
+		  "DDDDDDDDDDDDDDDDDDDD]B[:punct:]c/",
+		  1, 0 },
+		{ "[^(\?<!)(\?{b}){,199}A[:space:]+++++++(\?!++++++++{36}Tn])",
+		  0, 0 },
+		{ "()[:alpha:]a", 1, 0 },
+		{ "[(\?(:blan)kcntrl:])lUUUUUUUUUUUUUUUUUUUUUUU", 0, 0 },
+		{ "[^[^(s[[[[[[[[[[[[[[(\?#[[[[[[[)\?`````][:blankcntrl:(\?>]|)"
+		  "p1EmmmmmmmmmmmmmmmmmmmmmmmmmmmmL{-241}666666666666666666666)"
+		  "]^bLDDDDDDDDDDDDD]",
+		  0, 0 },
+		{ "[nn(\?<!nnnnn(\?#n8)=````````````````````{41,}]U,cb*%Y[:"
+		  "graph:]).[:alnum:]\\\\\\\\\\gt",
+		  0, 0 },
+		{ "()\?5{,-195}lm*Ga[:space:]Y", 1, 0 },
+		{ "[(\?:].di)c", 0, 0 },
+		{ "([([^([\?{})Za,$S(\?!p(\?{++(\?##V(\?<!Evuil.2(\?<![^[h|[^']"
+		  "C)*\"]5]",
+		  1, 0 },
+		{ "[((^24(\?#4[^Kkj{}))]]{232}47)077[:alpha:]zzzzzzzz{}", 0,
+		  0 },
+		{ "[^(\?:[^F]o$h)-iV%]", 0, 0 },
+		{ "[[^[([((([^(\?{[^((\?=)kaSx(\?imsximsx:w3A[`%+A$I{,62}ns&Y!#"
+		  "ay "
+		  "o9YAo{Y>1((\?>\?#45)Z{,108}{}11111111111111111111111111qqqq)"
+		  "\?][:lowerprint:]mbo#)@",
+		  0, 0 },
+		{ "[^iii8(888888(\?<!8^]))s", 0, 0 },
+		{ "([[(\?(\?:({^]}[)[(r)])G]{,-87}", 1, 0 },
+		{ "([[^{249,}(\?>(\?=)]]T()[:bl(\?!ankcntrl:]=jjjjjjjjjjjjjjjj-"
+		  ")))t{}[:alpha:]-\":i! Gn[A4Ym7<<<<<<<<<<<<<<<<]",
+		  2, 0 },
+		{ "^{}{[^,241(\?#}(\?m(\?ixim:sximsx:]t))+oD)", 0, 0 },
+		{ "5[(\?#:xdigit:])", 0, 0 },
+		{ "[^f{(\?>,22(9}[^[^])6KKKKKKKKKKKKK)]RRRRRRRRfuK99999999C}"
+		  "osnNR]BgCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC[:blankcntrl:]",
+		  0, 0 },
+		{ "[^(\?=U){24,}W-{,17(\?:3[^}]q.nQ#PU_|i$$$$$$$$$$$$$$+)[:dig("
+		  "\?<!it:]){-98}\?[:upperword:]]",
+		  -1, 0 },
+		{ "[(\?<=[0(\?!72])euE.]{,-159}[:alnum:]t-:l\?)$"
+		  "yyyyyyyyyyyyyyyyyyyyyyyyyyfffffffffffffffffffffffffff",
+		  0, 0 },
+		{ "[^[^]q[:asc(\?imsxmsx:ii:]JJJJJJJJJJJJJJJJJJJJ[:graph:]]$)`#"
+		  "DdY^qqqqqqqqqqqqqqqqqqqqqqqqqqqu>4^4ta[:alpha:]",
+		  0, 0 },
+		{ "(((b0HN)q))p5<T())`7JJv{'cv'#L8BNz", 4, 0 },
+		{ "[pFp2VttBg(\?<=7777777777777|TTTTTTTTTTTTTTT[:space:]Z]^p\"["
+		  ":blankcntrl:])",
+		  0, 0 },
+		{ ")aM@@@@@@@@@@@@@", 0, 0 },
+		{ "([^[(\?<![^])", 1, 0 },
+		{ "()Z[:ascii:]", 1, 0 },
+		{ "(fuPPo)..........................[:xdigit:]{}{,4}*kkkkkkkCx#"
+		  ",_=&~)|.2x",
+		  1, 0 },
+		{ "[+(\?<=){}++++++[:alnum:](\?=+]s)[:alnum:]~~~~~~"
+		  "XXXXXXXXXXXXXXX.[:digit:]",
+		  0, 0 },
+		{ "[{}[^^(\?(]))CCCCCCCCCCCCCCCCCCCCEg2cF]{}3", 0, 0 },
+		{ "([[[^[^[^([[^[^([(\?<=G[[)=(\?!===(\?isximsx:==(\?#==[^====="
+		  "(\?{==================$T[[^^u_TiC.Fo.02>X)uH]$})354b[:alnum:"
+		  "]]]EVVVVVVVVVVVVVVVVVVVVVVVVVVVVVz[:digi(\?(t:][:upperword:]"
+		  ")",
+		  1, 0 },
+		{ "([:blankcntrl:]t-){121,}[:ascii:]444444{}[:graph:]E040", 1,
+		  0 },
+		{ "[^{134,}]DzQ\?{-30,191})z,\?1Vfq!z}cgv)ERK)1T/=f\?>'", 0,
+		  0 },
+		{ "@v)<yN]'l-/"
+		  "KKKKKKKBBBBBBBBBBBBBMa2eLA[:digit(\?<!:])\"\"e|l$&m`_yn[:"
+		  "blankcntrl:]uuuuuuuuuuuuuuuuuuu[:punct:]",
+		  0, 0 },
+		{ "[[999999999999999(\?<=(\?:(\?ixmx:(\?>))])Y]|){,10}\?{}", 0,
+		  0 },
+		{ "([[[(\?!^]P-AA[AAAAAA[A[^A)r]+B]])", 1, 0 },
+		{ "3}|[:ascii:][:punct:]()", 1, 0 },
+		{ "()dw", 1, 0 },
+		{ "[N]{})))))))))))))))))))))))", 0, 0 },
+		{ "[[[^([[(\?()(\?#)++([^\?{+++[^+++++++++++(\?!+(\?=+++++++r9/"
+		  "n]N7{-219}{-91}pP[:punct:]T]mROm+~[:digit:][:digit:])Y:",
+		  0, 0 },
+		{ "[^'Pu[(\?<!D&]_a[:alnum:]E<,F%4&[:xdigit:])][:lowerprint:]",
+		  0, 0 },
+		{ "tttt(tttttttttt*uKKUUUUU)", 1, 0 },
+		{ "([:ascii:]GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG)+kX______________{"
+		  "}GGGGG\?TUH3,{67,77}|[:graph:]C{,-136}{}[:upperword:[]{,-6}&"
+		  "]T84]n={C",
+		  1, 0 },
+		{ "[:upperword:]DC[:u(\?<=pperword:]*d`H0\?m>~\?N|z#Ar--SO{,-"
+		  "141}076)G\?{,-110}M+-[:alpha:]",
+		  0, 0 },
+		{ "{,-214}{,10(9})", 1, 0 },
+		{ "([^xxxxxxxxxxxxxxxxxMMMMMMMMMMMMMMXW])].[:punct:]Q`{-63,63}"
+		  "Uua[:alnum:]\?OQssb#L@@@@@@@@(@@@)[:graph:]",
+		  2, 0 },
+		{ "[[^(\?!```[^``````````````(\?<=``(\?>````````M/////(\?!/////"
+		  "///////////////"
+		  "[^GD!|#li]~)*.$]))Tq!]C[:lowerprint:]Qk[{}]]"
+		  "JJJJJJJJJJJJJJJJJJJJJJJ{e])c",
+		  0, 0 },
+		{ "$[5(7ES])[:xdigit:]%{MRMtYD&aS&g6jp&ghJ@:!I~4%{"
+		  "P\?0vvvvvvvvvvvvvvvvvvvv\\\\\\\\\\\\\\\\\\\\\\\\x54[:"
+		  "lowerprint:][:upperword:]",
+		  0, 0 },
+		{ "[((([(\?((\?>[:alnum:][):as(\?<!cii:(\?:]Re))K|)|^){-28,89}"
+		  "l<H.<H:N)QKuuuuuuuuw8E136P)^)[:ascii:]][:xdigit:]-",
+		  0, 0 },
+		{ "(pjvA'x]=D\"qUby\\+'R)r\?C22[:ascii:]", 1, 0 },
+		{ "[]*b~y C=#P\"6(gD%#-[^FBt{}]${-244}", 0, 0 },
+		{ "[:up(\?!pe(\?=rword:])lA-'yb\"Xk|K_V\"/"
+		  "@}:&zUA-)W#{-178,-142}(){-202,}",
+		  1, 0 },
+		{ "()1.WldRA-!!!!!!!!!!!!!!!!!", 1, 0 },
+		{ "lZZZZZZZZZZZZZZZ(Z[:al(\?:num:])"
+		  "ttttttttttttttttttttttttttttttg.)6$yyy",
+		  1, 0 },
+		{ "[([^([^[^(([([^[^(([[$(\?{P(\?=(\?<(\?!=(\?#P[^Y])<GA[:"
+		  "ascii:][(\?#(\?<!:alpha:](B{100,})]}))\?)XU=",
+		  1, 0 },
+		{ "[[dVw{6(\?{9,}2222kkkkkkkkkkkkkkkkkkkkkkkkkk|{}*E]]{}SB{35}-"
+		  "w%{eh})<{-178,}",
+		  0, 0 },
+		{ "(D(~))", 2, 0 },
+		{ "[(:alpha:]{,90}Z|)[:ascii:]Du\?[:grap[^h:]^w+|{}][:ascii:]",
+		  0, 0 },
+		{ "[:p(\?<=unct:]kkkkkkkkkkkkkkkkkkkk)", 0, 0 },
+		{ "{}[:((\?<!dig((\?#it(\?#:]())p))ZZZZZZZZZZ[:blankcntrl:]){}{"
+		  "-124,})[:ascii:]",
+		  1, 0 },
+		{ "[[:graph:]{168}lRRRRRRRRRRRRR(\?#RRRRRRRRRRRRRRRRR)rrrr(\?("
+		  "rrrrrr)rrrrrrrS[(\?<!@f)6>{,-49})q${98,}J\?]){",
+		  0, 0 },
+		{ "([:pu(\?(nc)t:]F{-32,-102}+)\?cpP[:lowerprint:].^)", 1, 0 },
+		{ "([{}{210,-238}]1:h)", 1, 0 },
+		{ "([]QQQQ[QQQQQQQQQQQQQQQQQQ][:digit:]Z{-20,}Slllllll[:space:]"
+		  "C^(@{-174,-156}fx{cf2c}{-242,}rBBBBBBBBBBBBBBBBBBc[:alpha:]"
+		  "N\?))$[:graph:][:ascii:]P+nnnnnnnnnnnnnnnnnnnnnnn1N$r>>>>>>>"
+		  ">>>>>>>>>>>>>>>>>(>>{,88}{,-234}__________)[:upperword:]R.[:"
+		  "alnum:][:lowerprint:]^}\"",
+		  3, 0 },
+		{ "([^(\?=]-))$", 1, 0 },
+		{ "([:ascii:]\?,D[:upperword:][:xdigit:]tttttttttttt[^tt(\?<!"
+		  "ttttttttt21f|.(pP[:punct:])])rrrrrrrr)",
+		  1, 0 },
+		{ "([{1(\?=16}iiiiiiiiii((\?<=iiiiiiiiiiiiiiiiii|ZZZZZZZZZZZ("
+		  "\?(\?#{ZZZZZZZ))c}))<<<<<(\?#<<<<<<<<<<<d7CVq8]w{-148,-168}"
+		  "\\Gp){-230,}D3",
+		  1, 0 },
+		{ "[^8888(88888888888EX].[:alnum:]){}", 0, 0 },
+		{ "([^][^)2]-[:lower(\?=print:]{,79}[:graph:]n)", 1, 0 },
+		{ "[bSi\?x_mp(C)0{64}[:space:]hhh(\?(hhh)hhL){5,130}'w\"$l&[:"
+		  "xdigit:][:alpha:]IIIIIIIIIIIIIIIIIIIIIII+-SOOOOOOOOOOOO     "
+		  "          (\?( )              ]f)ed",
+		  0, 0 },
+		{ "[[^[(^(C.Jl[^X&Rb64a+Sd])'m[:alpha:])]]]{134,}", 0, 0 },
+		{ "()L", 1, 0 },
+		{ "[[(({224,(\?#88})@======(\?!=========(\?{=)PPP)i^@p(\?([:"
+		  "punct:]})^^[^^^^^^^^^^^^^^^^^^^^^@)m]|{CS{,-3}168)-[:xdigit:"
+		  "][:upperword:]hnD=Bns)z)AAAAAAAAAAAAAAAAAAAAAAA[^A{}"
+		  "ccccccccccc)SZ]Q-p.sD]]+P",
+		  0, 0 },
+		{ "[[^[^]{135,}66666666666666666666[6(666i2M9.!uhmT\?JMm.*(\?!+"
+		  ")[:alpha:]eeeeeeeeeeeeeeeeeeeeeeeeeee]]])ZZ[:blankcntrl:][:"
+		  "ascii:]",
+		  0, 0 },
+		{ "(13[3Ux>{,10}[(\?<=:xdigit:]))PL9{-89,-181}F'''''''''", 1,
+		  0 },
+		{ "[^.|(\?{af]})^$XE!$", 0, 0 },
+		{ "(WWWWWWWWWWWWWWWWWWWWWWWWWWWW#J)", 1, 0 },
+		{ "({}}M7we-216)L[:digit:][:upperword:]", 1, 0 },
+		{ "([:aln[^u(\?=m:]))].z", 1, 0 },
+		{ "([:alpha:]{(92})%6{41,136})Vij@[:alnum:][:lowerprint:]", 2,
+		  0 },
+		{ "[[[++(\?{+++{}})n{{137,}{51,-177}Z[]M*[:ascii:]{(-29,-47}2)$"
+		  "e^{,-195}{-156,}^]{}{-225,69}A]{-222,}{,20}m[:blankcntrl:]",
+		  1, 0 },
+		{ ")l)[:alnum:][:graph:]g8TTTTTTTTTTTTTTTTLLLLLLLLLLLLLLLLL", 0,
+		  0 },
+		{ "[([(\?<=.(\?{)/})mmmmmmmm(\?(mmmmm]{-154,-176}*S)I]", 0, 0 },
+		{ "[(([{(\?(\?<!im(\?imsix:sim(sx:,141}])D)l{,42}ttttt[(\?::"
+		  "punct:])){-162,-141}{-26,})dU@@@@@@@@@@@@@@@ "
+		  "S)\\A\?w|VVVVVVVVV)X.kN{,21}{-208,-52}>[:lowerprint:][:"
+		  "ascii:]e-]]]]]]]]]]]]]]]]]]]]]",
+		  0, 0 },
+		{ "[^({}(){(66(\?=,}[^]'''''QQQQQQQQQ).P#>^){86,168}Z[(\?<!:"
+		  "lowerprint:]{-166,-70}<k",
+		  0, 0 },
+		{ "APP[:alpha:][:alnum:]nd[:upperword:(\?(]^"
+		  "xxxxxxxxxxxxxxxxxxx)xxxxxxxxx{-70}[:punct:]l)U-",
+		  0, 0 },
+		{ "[^(.\"od~(6({[^(\?<!228}\?)\?)######(\?:#########z "
+		  ")c(\?<!aQ`(\?{UKSwu[})][^-17]{11,}}][:ascii:]))^RiH+WyspP["
+		  "qi&)=p6])[:space:]{-221,}]6p",
+		  0, 0 },
+		{ "{-78}()[:xdigit:]{155}{,-92}", 1, 0 },
+		{ "[(\?>Q{,147}_____________(\?!______uuuuuuuuuuuuuTr]){74,179}"
+		  "{}){,103}{-209,16}*RRRRRRRRRRRRRRRRw{,87}9{144}[:ascii:]'<"
+		  "Ab",
+		  0, 0 },
+		{ "([666c] {-171}yc,8-k_)EEEEEEEEEEEEEEEEEEEEE<", 1, 0 },
+		{ "[^(\?>(\?<!)2(\?imim:)6HwN)^|fc!(\?(d]75))065)G", 0, 0 },
+		{ "[[^xDB[:alnum:][:xdigit:]][:digit:]jW]([:alpha:])", 1, 0 },
+		{ "[ds~T+[x55[:digit:]X[JJJJJJJ.[(\?::upperword:]){,-14}][:"
+		  "xdigit:]bbbbbbbbbbb",
+		  0, 0 },
+		{ "[qqqqq(\?<=qqqq(\?(qqq)^G[):ascii:]])W", 0, 0 },
+		{ "[:space:]JJJJJJ[:alph(\?<!a:]|[:ascii:(\?(])[:x)digit:]- "
+		  "XSstG[:g(\?>raph:])^)Ny6RF_ndoU9@*rxW{4,41}4{}",
+		  0, 0 },
+		{ "[:punct:]{162,}j[:aln(um:].....................[^...]\?>z[:"
+		  "l[owerprint:]){55,222}]",
+		  0, 0 },
+		{ "(>vWa)OXcccccccccccccccccccccccc[:alpha:]C{,-10}81|m1D^T)[:"
+		  "lowerprint:]''''[:alpha:]l",
+		  1, 0 },
+		{ "(XZcgM/UI-/"
+		  "mZq-222){-85,-196}[:alpha:]{114}rrrrrrrrrrrrrrrrrrrrrrrr{,"
+		  "157}ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZLkD-&&&&&&&&&&&&&&&-][:"
+		  "alnum:]{}{,111}[:digit:]",
+		  1, 0 },
+		{ "[^(\?:]MMMMMMMMMMMMMMMMMMMMMMMMMMM)cK["
+		  "KKKKKKKKKKKKKKKKKKKKKKKK]P{146}",
+		  0, 0 },
+		{ "([^[^wqesa)n\?L(\?<=FH+G[^rCGmfD]w)m1D\"%}]])", 1, 0 },
+		{ "[((\?:[^.HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH|S)xd)*[:space:](])["
+		  ":xdigit:]ngr'G#/B]-----------------------------",
+		  0, 0 },
+		{ ")[:lowerprint(\?<=(:]l))G p", 0, 0 },
+		{ "[^[^(\?<(\?<(=(\?imsximx:![(((\?<!\?(^))\?]^)[:xdigit:][:"
+		  "graph:]{-104,})Gf+GD*qc)c]f))])",
+		  0, 0 },
+		{ "[^([\?())P[:alnum:]w]{-186,-139}-[:space:]RN3w[Fmvpl[:space:"
+		  "][:digit:]&&&&&&&&&&&&}(\?#}}}}}}}}}}}}}}}}}}}])z",
+		  0, 0 },
+		{ "([[^^*C[()f][(\?=:punct([\?#:]o)]V)]%%%%%%%%%%%%%%%%%%%%%%%%"
+		  "%%%%%%[^x{1f948})]]",
+		  1, 0 },
+		{ "[(:xdigit:])zE", 0, 0 },
+		{ "[:pu(\?(nc)t:])(a*){-51}", 1, 0 },
+		{ "[^(.NKKKKKKKKKKKKKKKKKKKKKKKK-[:upperword:][:space:]`MPi>",
+		  -1, 0 },
+		{ "Nvvv[vv.][:alnu[^m:]+|Crrrrrrrrrrrrrrrrrrrrr[:xdigit:]j1n)v#"
+		  "]",
+		  0, 0 },
+		{ "[^#}[(\?>:alnum:]).QQQQ[^QQQQQQ!!![!!!!!!!-s.n]se]{-238,}Tf]"
+		  "p4721",
+		  0, 0 },
+		{ "([((\?#\?<=)+)Hr:-H]z[:graph:].{}oooooo(ooooooooo][:punct:]"
+		  "k<gXG@@@@@@@@@@@@@@@@@@@{,-176}){}L`)$",
+		  2, 0 },
+		{ "({,249}{-73,}Z&&&&&&&&Ds35MB<v)qqqqqqqqqqqqqqqqqqqqqqqqq", 1,
+		  0 },
+		{ "[^.N][:blankcntrl:]))))))))))))))))))))))))))))))", 0, 0 },
+		{ "(()*){198,}", 2, 0 },
+		{ "{-237,}220{}[:ascii:]```````(`````````````\?{-115,185}){,-"
+		  "18}[:punct:]'|Kk",
+		  1, 0 },
+		{ "[(\?()])", 0, 0 },
+		{ "([(\?#[:alnum:]CQ)}}}}}}}}(\?>}}}}}}}(}}}}}\?310[|))xA5r][[^"
+		  ":ascii:]^{,-156}{])CCCCCCCCCCC-145]FzwOD_u\?",
+		  1, 0 },
+		{ "[^[^[]{-163}{(-203}[(\?!:upperword:]PPGjZ[:xdi(\?=git(\?#:]{"
+		  "-73}s)qqqq(qqqqqqqqqqqqqqqqqq{173,210}[:xdigit:(\?<(\?>=]WW["
+		  "^WWWWWWW\?*O)))Q){}08)[(\?(\?<=#:blankcntrl:]{90,}]U)])L)"
+		  "ooooooooooooooooooooooooooox--^c[:ascii:]])s)",
+		  2, 0 },
+		{ "[(\?!:punc(\?imximx:t[^:]4F<}!)]'M-)tKKKa4904", 0, 0 },
+		{ "[^^{}\\(\?<!\\\\\\\\\\\\\\\\\\(\?#\\\\\\\\[:punct:](\?>)"
+		  "T000000000(\?(000)00000))+])",
+		  0, 0 },
+		{ "L[:p(\?#unct:])", 0, 0 },
+		{ "[:upperw(\?<!ord:])", 0, 0 },
+		{ "@$\"\"\"\"\"\"\"[\"\"\"\"\"\"\"\"\"\"[^(\"\"\"\"\"(\"\"][]))"
+		  "*U{223,138}*o```````````````(\?=[```````````````]{238}"
+		  "mmmPPPPPPPPPPPPPPP&&&&&&&&&&&&&&&&&&)sF$[:digit:[]]",
+		  0, 0 },
+		{ "[^#Txx[xxxlPB(\?><[^U/)]]{}X3333333333(3333333f*])", 1, 0 },
+		{ "<<<<<<<<<<<<<<<[^<<<<<<<<<.][(\?#:ascii:])[:xdigit:]|^", 0,
+		  0 },
+		{ "([:punct:]{}){-167,}{-59,}Pd\"", 1, 0 },
+		{ "[((\?#{,214})t$)VVV[:xdigit:]{104(\?<=}D][:graph:])|H){1,}{-"
+		  "176,}",
+		  0, 0 },
+		{ "[[([[^N,,,,,(\?=,,(\?#(\?:,,,,,,,,,,,[^,,,,,,,,,,]<,~4::_.A]"
+		  "){-52,}-[:alnum:]Pnnnnnnnnnnnnnnnnnn)d",
+		  0, 0 },
+		{ "{-18(3,})uT{4,}", 1, 0 },
+		{ "[^[^[(p+c(\?<!b$))(\?:EU(\?(.][^{}]3[:xdigi[^t):][:punct(\?>"
+		  ":])[])][:s[^pace:]][:alnum:][:alpha:]]kw06E",
+		  0, 0 },
+		{ "[^^^^^^JJJJJJJJ(JJ(\?=JJ(.6[:space:]H]{231,}A^eqqq)[:ascii:("
+		  "\?>(])[(\?>:spa(\?:ce:]xxxxxxxxx)@_t-))"
+		  "138GNNNNNNNNNNNNNNNNNNNNNNNNNN[:digit:]no!`#E\?&[:"
+		  "lowerprint:].)[:graph:]{86,}[:digit:][:alnum:]",
+		  0, 0 },
+		{ "[:g(\?<=raph:]a{114,146}(){}0Y[:bl(ankcntrl:])D)\?", 1, 0 },
+		{ "[^[^]*H{-192,96}S|]G)6B-kLB", 0, 0 },
+		{ "[[^[^][/"
+		  "NS8`um(\?{82&{((\?{\?<!-[110,-88}]m)})kkkkkkkk$$$$$$$$$$$$[^"
+		  "$$$$$@n%BuK@X!P)y0v!^]YY[YYY[YYYYYYYYYYYYYYYYYY///////"
+		  "{}{{{{{{{{{{{{{oiiii})]8{-2[53}w{82,}]{,245}]{-134}]"
+		  "fffffffffffffffffff]\"I>DW>9tN%{113}{unE",
+		  0, 0 },
+		{ "[:(\?(alpha:]`))Y2sCqWQ104", 0, 0 },
+		{ "(([^()Wcccccccc(\?{cccccccccccccccccc(\?<!c(ccccc[:space:]$)"
+		  "(\?>)FZ{}{}`|||||||||||||*````````````````````````````'="
+		  "dLQmx/"
+		  "Y.A7j'o}jn{}:})][:punct:]$|,-)!&Y:Ys#"
+		  "ykL7JJJJJJJJJJJJJJJJJJJJJJJJJ8yex>#mv[:punct:](x@)$[:uppe("
+		  "\?<!rword:])_)",
+		  3, 0 },
+		{ "[[(^HHHHHHHHHHHH(\?imsximx:HH(HHHHHH(\?{HH[HH])qjR>9))i})]a!"
+		  "lBW3p{A=or)ShE%[:punct:]{}]5r",
+		  0, 0 },
+		{ "[:pu[nc[^t:]]]}}}}}}}[}}}}}}}(\?#}])@@@@@@@@@@@@@@@@@@"
+		  "DDDDDDDDDDDDDDDDDDD\?]xA2\?",
+		  0, 0 },
+		{ "(.[:alpha:]xB7[:alnu(\?{m:]})RRRRRRRRRRRRRRRRRRRRRRRRRRRL)[:"
+		  "space:]G\?",
+		  1, 0 },
+		{ "[:blan(\?<!(\?=kcntrl:]){71,})!ooooooooooooN", 0, 0 },
+		{ "()e$$$$$$$$$$$$$$$$$$$$iiiiiiii", 1, 0 },
+		{ "(b[:ascii:]67777777777777777777777777)({-106}kkk^F----------"
+		  "---------------------{13}A)f00000000sBAddddd{-66}kd!D'",
+		  2, 0 },
+		{ "(Q                        ^])[^lf][:space:][:lowerprint:]\?",
+		  1, 0 },
+		{ "[[^]\\S{152}W![:digit:][[^:space:(\?(]=pEhwY][:alnum:][:"
+		  "digit):][:graph:]])QQIC9h-oowf[:xdigit:]{-52}{,190}"
+		  "1111111111111111111fX{-189,226}W",
+		  0, 0 },
+		{ "[^(\?!(\?<=)]).h[:as(\?>cii:])[:alnum:]$$$$$[:space:]3$$$$$$"
+		  "$$$$$$$$$$$$$$$$$$$$$$$$$1",
+		  0, 0 },
+		{ "[[$zQ================(\?<!=(\?>=========(\?====D[^))|i{}"
+		  "\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?)][:s(pace:]])"
+		  ")]",
+		  0, 0 },
+		{ "[^{,-[15(\?#6}]Vwjjjjjjjj[jjjjjjjjjjjjjjjjjjS9999)]q]"
+		  "rWWWWWWWWWWWWWWWW[:punct:]@@@@@@@@@@@@@@@@@@@@@@@@gO[:"
+		  "blankcntrl:]>L[:ascii:]:::::::::::::::::::"
+		  "x11uuuuuuuuuuuuuuuuuuuuuuuuuuuuu{-124,114}[:graph:]C#{tcg[:"
+		  "xdigit:]gZZZZ[:lowerprint:]nA(_{{{{{{{{{{{{{{{{{{{{SS)\\D[:"
+		  "alpha:]",
+		  1, 0 },
+		{ "[^(\?())]!T\?[:asc[^ii:]E:4},,]I[^b(\?:n4(njj~+{\?'k{7}{189,"
+		  "-194}{ig.[[[[[[(\?#[[[_bs6,JD`1(\?<!WBo]F+{d*VO22z2K1][:"
+		  "xdigit:]))Suuuuuuuuuuu[^u{,117}\?YYYYYYYYYYYYYYYYYYYYYYYYB^]"
+		  "|q]:eY1GGGGGGGGGGGGGGGGGGGGGGGGGGGGe\?)bU[:punct:]",
+		  0, 0 },
+		{ "[\?UA(\?:]\?)[:xdigit:]A^mmmmmmmmmmmmmm>>>>>>>>>>>>>>>>>>>>>"
+		  ">>>>>>>[^>>>(\?(>)){,-165}]",
+		  0, 0 },
+		{ "([^[][^n(\?{[[p]#})|][^]L|66666666666[:graph:]][:graph:]2[:"
+		  "xdigit:][:space:]9b})[:digit(\?imsximsx::]+PZ):{}|E)[:"
+		  "xdigit[^:]|>]^[:alpha:]::::::::[:ascii:]````[:ascii:]:",
+		  1, 0 },
+		{ "[:lowerprint(\?<!:])", 0, 0 },
+		{ "[[^[]{-47}[:lowerprint:][:punct:]L[(\?::g(raph:]lY[:alnum:])"
+		  "qWYU)}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}[c%$dp5[:alnum:]DDDDDDDD^"
+		  "^%&{,-94}E]{-8,175}[:alpha:]-.^[:digi(t:]CCCC(CCCCCCCCC])."
+		  "ax72)",
+		  1, 0 },
+		{ "[[^($$$$$$$$$$$$$$$$$$[^$I((\?{\?(u)\"YuK "
+		  "ZpOHq[!(\?>t|LQT(|)L[(:ascii:])",
+		  0, 0 },
+		{ "[^[^([:graph:](QpPdyDQ`[:alpha:](.X[:digit:]wwwwwwwwwwwwww("
+		  "\?imxims:wwwwwwwe(\?<!z)ONNN(\?#)[^])[:space:](KKKKKKKKK{"
+		  "113,}327[:xdigit:]k)]CeeeeeeeeeeeeeeeeeMMMMMMMMMMMMMMMMM)[:"
+		  "lowerprint:]]HHHHHHHHHHHHHHHHHHH]]]]]]]]]]]]]",
+		  1, 0 },
+		{ "[Q(r(\?=)v]dm[:alnum:][:b(\?{lankcntrl:][:xdigit(\?=:])})P[:"
+		  "graph:]bd/Rx){50}{-150,-172}",
+		  0, 0 },
+		{ "[(\?(im(\?:sxims:))9]))L", 0, 0 },
+		{ "[[^[(\?{^Z][^0[:alpha:]]\\XB*{-151}t})][:alnum:]]", 0, 0 },
+		{ "[([(D\?/////////////////////.'yvYysU&5AU-]kV)*){,123}z]", 0,
+		  0 },
+		{ "[:alnu(\?{m:][:a(\?=lpha:][:alpha:])n}))7[:ascii:][:xdigit:]"
+		  "[:punct:]-",
+		  0, 0 },
+		{ "[^[:graph:]IIIIIIIIIIIIIIIIIIIIIII][:sp(\?<!ace:])", 0, 0 },
+		{ "[[[(\?=[[[cDD(\?<!D(\?:DDDDDDDDDDDD(\?<=DDD(DDDDDD(\?:"
+		  "DDDDDDD(\?<=D(\?()])rvp{243,}D$<[:space:]([:lowerpr)int:])])"
+		  "Ea{}U[:upperword:][:xdigit(\?#:]or}Z+34gD{/P NJ",
+		  1, 0 },
+		{ "[^(,H>)*d2K0DNX5)T(].)[:digit:].", 0, 0 },
+		{ "([:punct:(\?#])})JJJJJJJJ[:xdigit:]"
+		  "PPUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU.......................0hSk{"
+		  ",89}[:xdigit:].[:xdigit:]Z",
+		  1, 0 },
+		{ "(LGTTTTTTTTTTTTTTTTTTTTTTTTTT[:alpha:]){-106,113}[:punct:]d|"
+		  "[:digit:]kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk\?wP",
+		  1, 0 },
+		{ "([^[^<N_-k\?{(\?#18}]i]::::::::::::::::::::::::::)1+LLLLn{}/"
+		  "){-198}",
+		  1, 0 },
+		{ "([[^(AAAAAAAAAA(\?(AAAAA)AAAAf).LzHHHHHHHHHHHHHHHHHHHHH(\?#"
+		  "HHHHH|)[ZEEEEE(\?#EEEEEEEEE(\?<!EEEEEEEEsG)q[:punct:]{}][:"
+		  "upperword:]D)[:space:][:digit:]+e[:ascii:]].i|JJJJJJJJ+n][:"
+		  "xdigit:]Se)P[:lowerprint:]_______________________________.[:"
+		  "punct:]pP{-172,86}iiiiiiiiiiiiiiiiiiiiiiiii){,-178}",
+		  1, 0 },
+		{ "([\?=[[^,BDRRPZ{129}*D-[:punct:]]])([:upperword:]ud)\?][:"
+		  "punct:]A",
+		  -1, 0 },
+		{ "(([(\?#((\?{\?=^])c-)C[:lowerprint:]xvkR}k\")"
+		  "ccccccccccccccccccccNNNNNNN[:alp[ha:]{,93}vhlX:|A]2})nSw)]"
+		  "N.",
+		  2, 0 },
+		{ "()g/qzyiV(x3d|A0wllllll){162}[:space:]", 2, 0 },
+		{ "qqqqqqqqqqqqqqqqqqqqvvvvvvvvvvvv8[:x(\?imsxmsx:digit:][:"
+		  "alpha:]''''''''''''''''''''''''''')",
+		  0, 0 },
+		{ "({,226}nf^W=vs$xK^=A=M#b,)V", 1, 0 },
+		{ "(_T 2BC9N'cccccccccc-87EF#&^eQfDDDn._,m&c`tjAwR "
+		  "#~A)[:(\?imsimx:alpha:])/yHYL6|{-40,47}",
+		  1, 0 },
+		{ "[[^]{-8(4,138})z[:xdigit:]{180,}]", 1, 0 },
+		{ "[([^T____________________(\?:__C(\?<=]-)])+[:ascii:])r[:"
+		  "graph:].----------",
+		  0, 0 },
+		{ "[f{}LLLL(LLp((((\?<!((((((((((((((({,56}]BR`{,52}){-22,}\?[:"
+		  "space:]h>Sow",
+		  0, 0 },
+		{ "{-179}^[:alpha:(\?!].a'5wacA3\\\\\\\\AAAAAAAA)~^]wC", 0, 0 },
+		{ ">[:digit:]{,-212}+(`)LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL[:ascii:"
+		  "][:digit:][:space:]",
+		  1, 0 },
+		{ "[[^[[^RBW{,255(}(\?(\?>=(W)_]uu][:blankcntrl:])O)]]", 0, 0 },
+		{ "(C_______________________________)2", 1, 0 },
+		{ "([/ntf_a3].)", 1, 0 },
+		{ "[:space:]+[(:upperword:],c7[:asci(\?<=i:]ggggggggggg)[:"
+		  "ascii:]/1$$$$$$$$$$$$$$$$$$$$$$$$$$)",
+		  0, 0 },
+		{ "Xq{109}~EEEEEEEE[:upper[^word:]lgB:X(h[:alpha:]B[:space:]].)"
+		  "IkaH@3}}H'yK~\?[:upperw(\?#ord:(\?:]){=================[:"
+		  "blankcntrl:])",
+		  1, 0 },
+		{ "(([[^]]$3Xr^$%%%%%%%%%%%%%%%%%%%%%================U[:ascii:]"
+		  ")X).FFFFFFFFFFgO[:punct:]oooooooooooooooooooBC[:blankcntrl:]"
+		  "mmmmmmmmmmmmmmmmmmmm[:lowerprint:]rBM~<HAc#Sb&&&&&&&&&&&&&&&"
+		  "&&&&&&&&&&&&&&Cy",
+		  2, 0 },
+		{ "([([([^(\?:)D]-{M#H "
+		  ">rERRRRRRR[^RRRRR(\?>RRRRR])[(\?=^)X]{207,}U])))Z[:"
+		  "blankcntrl:]]yyyyyyyyyyyyyyyy\?",
+		  1, 0 },
+		{ "[Q(\?{*[^(\?(\?!!])[:graph:]]})[:alnum:]iE)dGGGGGGG[^"
+		  "GGGGGGGGGG[:xdigit:]w]",
+		  0, 0 },
+		{ "[^Z(\?!6(\?(\?><=)[:graph:])]BBBBBBBBBBBBBBBB^)", 0, 0 },
+		{ "[[^([^[^][[[[[[[(\?({[[(\?(\?imsxmsx(\?imsi[ms:::[[[[[[[[[})"
+		  ")]$)){12,})|:::::::::::::::::::[:lowerprint:]{}{-96,-147}){"
+		  "13,}`[:digit:]]\"^Ca%%%%%%%%%%%%%%%%%%%%%%%%%%"
+		  "UUUUUUUUUUUUUUUUUU]]9",
+		  0, 0 },
+		{ "[^(\?(\?(\?#!<=))JLBS\"zi)'''''''''''['''''''''''''"
+		  "piiiiiiiiiiiii(\?<=iiii]])ZZZZZZZZZZZZZZZZZZ[:space:]",
+		  0, 0 },
+		{ "({})[:punct:]", 1, 0 },
+		{ "E9[:blankc(\?{ntrl:]})N", 0, 0 },
+		{ "[:alph(\?#a:]){198,}sq\?X0B7", 0, 0 },
+		{ "[^\\\\\\\\(\\\\\\[\\\\\\\\\\\\[(\?<(\?isximsx:={11(\?(9,}"
+		  "\?0])]]))\?FN3M\?{-128,}Z444444)444fbLiVN8)",
+		  0, 0 },
+		{ "[[^[^([[[[[[[[[(\?>[[[[[[[[[[[[[[[[[[[[[{53(\?<=,-175(\?>}"
+		  "ggggggggggggggggg%))[:alnum:])[:punct:]"
+		  "kkkkkkkkkkkkkkkkkkkkkkkkk)+"
+		  "Soooooooooooooooooooooooooooooooo](WR+--)x36+llllllllllll{,"
+		  "35}]Fqb^=F]KKKKKKaaaaa{,131}",
+		  1, 0 },
+		{ "(g\"Ssqw<&{Cl{82,}Mdf|9cIlmCW{}[:digit:]4C{}[:alnum:]PP)", 1,
+		  0 },
+		{ "OOOOOOOU[*evVIIIIIIIIIIIIIIIII(\?#(\?#IIII)]PP[:xdigit:]"
+		  "2222222222222222[:xdigit:]Kx)p[:digit:]",
+		  0, 0 },
+		{ "([[{248,16(\?=5(\?#}][:alpha:])|[:p(\?!unct:(\?(]", 1, 0 },
+		{ "[pP((\?=S)(\?#)]$[:aln(\?(um:)]2\?)$GGGGGGGGGGGGGGGGG({-U:c)"
+		  "{-61,}[:ascii:]{-202}G",
+		  1, 0 },
+		{ "()$D[:alnum:]", 1, 0 },
+		{ "[(\?#^]){}[:ascii:]", 0, 0 },
+		{ "[uuuuuuuuuuuuuuuuuuuuuuuuuuuuuu]FFFFFFFFFFFFFFFFFFFFFF&2e\?)"
+		  "%oP'mc@z2b}n{<b4_Laz^0LLLLLLLLLLLLLLLLLLLLLLL,,,d",
+		  0, 0 },
+		{ "{}(^________________''|$)RRRRRRRRRRRRRRRRRRR", 1, 0 },
+		{ "(H)####################bbbbbbbbbbbbbbbbVSSSSSSSSSSS|"
+		  "tdU\"goeAbPP{-248,81}",
+		  1, 0 },
+		{ "[^[(\?ims(\?>xisx:)UHpP*n{}]{}fx14<7OEpE>n2150)"
+		  "8888888888888888]^GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGS",
+		  0, 0 },
+		{ "(d)+", 1, 0 },
+		{ "[^.(\?(>)(\?=e)])al[:space:]x", 0, 0 },
+		{ "[^256c(\?!]){-19,}", 0, 0 },
+		{ "Q)", 0, 0 },
+		{ "[^s\?\?(\?{\?\?\?(\?#\?(\?<!\?\?\?\?\?\?\?\?\?\?\?("
+		  "\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?{}]F\?j(jjjjjjjjjjjjjjjjjjn)"
+		  "kTI1f[{1|(\?<=^[^+[:digit:]{}^s^))})))T]{-17}{CCCCCCCCCCa{-"
+		  "21,}{,-146}^uZQB]YuLu-|tUGRMz^^",
+		  1, 0 },
+		{ "([^.{}.EE[EEEEEEEE(\?<=EEEEEEEEEEEEEEEU]]-@s))$", 1, 0 },
+		{ "[^([((\?#[#])|a)])[cccccccccccccccc][:digit:]LLLLLLL[:alnum:"
+		  "]}[P%vzl{}^]&",
+		  0, 0 },
+		{ "({}[:space:]E)101+A{-35,11}", 1, 0 },
+		{ "(va:7)u[:alpha:]", 1, 0 },
+		{ "([^[[rrrrrrrrrr(\?:rrrrrrrrrr(\?<!rrrrrrrrry|D'*AH@a{}\?[:"
+		  "space:][:alpha:]^]$ "
+		  "{-225}[(\?(:as)(\?(>cii:])){-107,-139}6/"
+		  "{^[:upperw(\?imsxmsx:ord:]{,-47} "
+		  "]wuH#nAn)GGGGGGGGGGGGGGGGGr[)]T{91}lJ))[:lowerprint:][:"
+		  "xdigit:][:lowerprint:])]*",
+		  1, 0 },
+		{ "()[:space:]~!$[:alnum:]JJJJ[:ascii:]", 1, 0 },
+		{ "[^(\?<=)-]()k", 1, 0 },
+		{ "(()W){,8}ea", 2, 0 },
+		{ "({,-56}5G&&&&rrrrrrrrrrrrrrrrrrrrrrrrrrk.8) hWJ,TM)0Yd-", 1,
+		  0 },
+		{ "(Z-fddddddddddddddddddddddd)-{9}", 1, 0 },
+		{ "[^<[(\?!:asc(\?:i(\?<!i:])F])[:alp(ha:]b))-}Wwx8B", 0, 0 },
+		{ "[^[^[^([(\?{}(\?=)(\?())-CCCCCCCCCCC(\?=CCCCCCCC(CCCCC(\?:"
+		  "CCCCCCCC(\?{l[(\?!:space:]})[:upperwor(\?:d:]{-27}[:al[^pha:"
+		  "][:xdigit:]^f",
+		  0, 0 },
+		{ "[[^]G@>2!+[:punct:(\?<!]{,189}6ZF[:blankcntrl:][:digit:]{,"
+		  "214}){-115,-14}l[:upperword:]{101,}Z[:ascii:]Ld&02|c]<0~<bc",
+		  0, 0 },
+		{ "(Q)[:digit:]x", 1, 0 },
+		{ "hT[[:alnum:]\?]O[OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOxFF%^(\?(_"
+		  "LN "
+		  "8uXQT\"*/"
+		  "L)+l)>qQ[^]e[:ascii:]PP()[:digit:]NQ8%6d=&2I{-62,-142}w]].e{"
+		  "}*",
+		  1, 0 },
+		{ "{,-219}xxxtEEEEEEEEEEEEEEEE[:pun(\?(ct:])qqq)"
+		  "nnnnnnnnnnnnnnnnnnnnnnnnnnn",
+		  0, 0 },
+		{ "[:di(\?>git:])W4", 0, 0 },
+		{ "([^y])Fkvto$", 1, 0 },
+		{ "[^($$$$$$(\?!$$$$$(\?{$$$$$$(\?<=$$$$$$$$$$$+===)[:alnum:]"
+		  "MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM)Z]{}^[:blankcntrl:]--"
+		  "xxxxxxxxxxxxxxx[^xxxxxxx)\?tVG\?{232,81}{121,}xn{,-226}})"
+		  "tttttttttttttttttttttttmu(\?<!&&&&&&&&&&&&&&&&&&&&&&0b]z)$"
+		  "87{,-192}{}{-242,}",
+		  0, 0 },
+		{ "l[:dig(\?(it:]|s*)aA[:digit(\?<=:].^.))x[:digit:]", 0, 0 },
+		{ "[:grap[^(\?#h:]').]Z", 0, 0 },
+		{ "[:gra[^ph:]t[:digit:]222222222222(22222222222222222H "
+		  "qM]pWZr[:ascii:]-hRb_.)Q{-228,-204}{}",
+		  1, 0 },
+		{ "AAAAAAAAAAAAAAA(AA)YeX", 1, 0 },
+		{ "(!dqqqF*^){(,-79}s!!!!!!!!!!!!)", 2, 0 },
+		{ "[^(\?msxm(\?#sx:]|)ZHYup)j{95}0L:vXB#')d'DX\?m."
+		  "T034\\\\\\\\\\\\\\\\\\\\\\y5rV{}S",
+		  0, 0 },
+		{ "(W*O+yl([\?!P(\?:)I]${}{-195,-14}[:upperword:]{}[:xdi[^git:]"
+		  "[:space:]X[:grap[^h:]~]zzzzzzzzzzzzzzzzzzzzzzzL)+)Y "
+		  "b.-=jf{-216,}${/!}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}|]",
+		  2, 0 },
+		{ "[^\\\\\\\\\\(\?<=\\\\\\\\\\\\\\\\m]{-48,234}[:alpha:]s)", 0,
+		  0 },
+		{ "[(\?{U}(\?<!)])LLLLLLLLLLLLLLsssssssssssssssssssssssssss[:"
+		  "ascii:][:blankcntrl:]---------b",
+		  0, 0 },
+		{ "[^[^[(\?#)(\?imsxims[x:)<<<<[<<<<<<<<<<(\?<!<<<<<<<([^\?(<<<"
+		  "<<<<<<<z(\?(zu(\?<=~83}aZpIE)[:alnum:](\?imsximsx:(\?!jrE6("
+		  "\?<!\?V(SzDU)000[000000000((\?=\?)=0])L|lOYuWXk",
+		  0, 0 },
+		{ "$o[:dig(it:]nnnnnnnnnnnnnnn{-94}|G)[:alpha(\?!:] "
+		  "{,-108}D=\?>[:digit:]S[:space:]t",
+		  0, 0 },
+		{ "()n", 1, 0 },
+		{ "[:upp(erword:]$)<}.vZM<lEY5Y*", 0, 0 },
+		{ "[^([^\?>)rCD&{5(\?msxisx:7,}qqqqqqqqqqqqqqqqqq{31,}@w#W:(@("
+		  "\?:zp$YYYYA[:alpha:]{1}A)*dZJ\"5OG|\?(\?#a])]|){-150}[:"
+		  "xdigit:]",
+		  0, 0 },
+		{ "[($)gwo{`\"]{-160,}"
+		  "\\\\\\\\\\\\\\\\\\\\\\\\\\66666666666666888888888888",
+		  -1, 1 },
+		{ "((}DA+Rc000000000000000000)%vvvvvvvvvvvvvvvvvvvvv%C&emZ*[:"
+		  "alnum:]#m/"
+		  "D[:graph:][:blank[^cntrl:]E{,168})"
+		  "kkkkkkkkkk000000000000000]",
+		  2, 0 },
+		{ "[^[u*(\?#x01234)oxGGGGG(\?([GGGG)GGGGGGGGG]^U)!!CCCCBM`4QB^"
+		  "XEN]{,-60}[:upperword:]G]",
+		  0, 0 },
+		{ "(%)~t{S,K^MI3PMo)=b", 1, 0 },
+		{ "[[[^]{}eU([:xdigit:]&&&&&&&&&&&&&&&&&)\"W|43[:alpha:][:"
+		  "graph:]J8b[:blankcntrl:]gggggQ{,183}{,-254}\?[:ascii(:]{,"
+		  "134}",
+		  1, 0 },
+		{ "[[([^[^([^(\?=)1RRRRRRRRRRRRRRRRRRRRRR(\?:(\?(\?(\?!=#RRRRR("
+		  "\?=RRRR(\?<[^!Ru)])]o[:[graph:[^]{,7})[:digit(\?::]{-215,}e["
+		  ":space:]]",
+		  0, 0 },
+		{ "({{{{{{{{{{{{{{{{{{KKKKKKKKKKKKKKKKKKKKKKKKKKKKBBBBBBBBBBBB)"
+		  "[:space:]0[:alnum:]HcctQA",
+		  1, 0 },
+		{ "[^(pP7(HsN[^g{186,-87}\?\?]EQ%u:-Y)+>>>>>>>>>>>>>>>>>>>>>pP]"
+		  "[:alpha:]",
+		  0, 0 },
+		{ "[(.{141}h|)((\?:\?=@Q} "
+		  "ghcC{+*(R)D+][:lo(\?#werprint:]"
+		  "zzzzzzzzzzzzzzzzzzzzzzzzzzzzzz))",
+		  0, 0 },
+		{ "[^({}S)PPFl(])-216", 0, 0 },
+		{ "[([[^(((([(\?#^[^[^\?4[(:[dig[^it(\?(:]{122,})y\?", 0, 0 },
+		{ "[[2${188}u{1(4(\?(1,1(\?{98}e{&tbaoI]q)[:punct:])d}))"
+		  "Nqffffffffffffffffffffffffffff[:ascii:]+]",
+		  0, 0 },
+		{ "()K-", 1, 0 },
+		{ "[[{2(2((\?(\?!()2})])[:alpha:]fVVVVVVVVV{-47}):::::::::::)"
+		  "\?vwyyyyyyyyyyyyyyyyyyyyyyyyy-]{}",
+		  0, 0 },
+		{ "ivcs)g", 0, 0 },
+		{ "(hhhh[^hhhh(\?{h\?]})%%%%%%%%%%%%%%%)\"+38mbY:s9{/d# "
+		  "zaNnbQb)b:*zpKI{-26,-189}",
+		  1, 0 },
+		{ "S*(#)[:graph:]lllllllll&G)t", 1, 0 },
+		{ "([^[(([\?=\?<!)]]___{-63,})]nt", 1, 0 },
+		{ "[:b(lankcntrl:][:alpha:]*[:pu[^[nct:][:alpha:]A]$"
+		  "aaaaaaaaaaaa*)A[:digit:]U][:alnum:]",
+		  0, 0 },
+		{ "[^f[^p000{68(\?isxmx:,}(\?!vvvvvv)$)]PP#*{(})[:punct:]&&&&&&"
+		  "&&&&&&&[:punct:]\?][:blankcntrl:]",
+		  1, 0 },
+		{ "[^(((\?(\?(()))GGGGGGGGG{(\?!($)))((\?!)V^{228,145}))]{-229}"
+		  "Qjjjjj[:punct:]R)",
+		  0, 0 },
+		{ "[(Q[^((\?{(\?:]~z)})gE(.<){}|)Kuuuuu$*"
+		  "222222222222222222222D]",
+		  -1, 0 },
+		{ "([^`(\?<=`````[^`````````M]\?)=L74A[:upperword:]]P", 1, 0 },
+		{ "(({}[:space:]qv-T){,-192}{-45}{65}9\?X).d", 2, 0 },
+		{ "_[(:upperword:]mU(P}qX>\?%)$Lwq[:alpha:]{-115,}============="
+		  "==================={127,}",
+		  1, 0 },
+		{ "e)", 0, 0 },
+		{ "[{,2[5}Klen+D0'YX(\?<=|_H]I,Y\"*/<3sM[:digit:]])#.", 0, 0 },
+		{ "[:(xdigit:]){[:digit(\?mxmsx::][:as(\?<=cii:]d!{135})#)pP[:"
+		  "space:]Syyyyyyyyyyyyyyyyyyyy\"Gg8",
+		  0, 0 },
+		{ "[(\?()])", 0, 0 },
+		{ "[^([^[^[[^[:alpha:]SIus[^f<f]}}}}}}}}}}][:xdigit(\?=:]Z{-13}"
+		  "*]_[]LLLL)]E[:alnum:]b$)]]]]]]]]]]]]]]]]]]]]]]]]][:"
+		  "lowerprint:][:ascii:]{,40}{86,}"
+		  "333333333999999999999999999999999999*"
+		  "fffffffffffffffffffffffff99999999U9|[:digit:][:upperword:]"
+		  "oowwwwwwww[wwwwwwwwww{195}[:xdigit:]]H{-73,153}R+zAz{}r/////"
+		  "////////"
+		  "{232,}kAoffffffffff[:blankcntrl:]xxxxxxxxxxxxxxx]KKKKKl0,[:"
+		  "alpha:]|{,-165}Qc{96}CCCCCCCCCCCCCCCCCCCC/",
+		  0, 0 },
+		{ "{}:V(7O-)[:ascii:][:graph:]PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP#",
+		  1, 0 },
+		{ "[^(\?<[^=CC(CC$)]*        c)BBBBBBBBBBBBBBBBBBBBBBB]z{-18,}",
+		  0, 0 },
+		{ "[[qqqqqqqqqqq(\?(qq235|ttttttttttttttttttttttttttttt[[ttt<<<"
+		  "<(\?{<<<<<<<<<<<<)<<<<<<<<p)/"
+		  "S9(\?{OOOOOOO(\?<!OOOk)})]nIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIb]"
+		  "Z})",
+		  0, 0 },
+		{ "[^[^(\?>][^((\?<!C(\?!+(\?=)]^8)6nx).)){,-13}[:blankcntrl:]"
+		  "\"(L{}){,29}nnnnn{-83}]l[:upperword:])",
+		  1, 0 },
+		{ "[(ZZ\"#(\?#Nb(\?<!:U)oRRRR])Zei${Ec/)s", 0, 0 },
+		{ "[^[^[(\?(t(\?:3```````)`````)|#CB)//////////////////////////"
+		  "///"
+		  "*!liB#|CCCCCCCCCCCCCC(\?=CCCCCCa7N]weTTTTTTTTTTTTTTTT1{}o\?{"
+		  "}BBBBBBBBBBBBBBBBBBBBBBBB.])u{-218,126}.,[:space:]]",
+		  0, 0 },
+		{ "[[([:alnum:])yyy(\?!yyyyyyyyyy(\?!yyyyyyyyyyyyyyyyyyy[:"
+		  "graph:]I])Uw*X.^[:ascii:]{,-63}[:digit:]{-88})&&&&&&&&&&&&&&"
+		  "]*",
+		  0, 0 },
+		{ "[[[^K(\?=KKKKKKKKKKKK(\?:KKKKKKKKK[KKKKKK]]U[:digit:])]dd)({"
+		  ",16})xy+Pu)JJJJJJJJJJJJJJJ[:space:][:ascii:][:upperword:]ql_"
+		  "jywmt4B+]{-30,}^555555555Xza[:punct:]",
+		  1, 0 },
+		{ "[[^^XXX(\?:XXX((XXXXXXXXXXXXXXXXXXXX)v)$N9$"
+		  "r\"\"\"\"\"\"\"\"\"\"\"\"\"].{,239}$[:punct:]\"9999][:alpha:"
+		  "]{}c){,55}s[:upperword:][:xdigit:]310",
+		  0, 0 },
+		{ "[@([^I8oNl)]-{-203,-224}{-78,}KKKKKKKKc{-66}[:xdi(\?=git:]=="
+		  "========){}f{-124,}[:upperword:][:lowerprint:]]{}--------l+",
+		  0, 0 },
+		{ "[^]ozp+0(\?#\"[(\?()X]))[:blankcntrl:][^e{99,222}"
+		  "JJJJJJJJJJJJJJJ3F]\?[:blankcntrl:]l$ot",
+		  0, 0 },
+		{ "[[^[[((\?isximx:)2222222222(\?=22222[:graph:])+U)((\?{\?<=("
+		  "\?()iYv8qc@#y)G])+}))FvnP\"7OZ-b273[:ascii:]Ak6*`S[:digit:]["
+		  ":graph:]]{2}^G{79,}DDDDDbbbbbbbbbbbbbbbbbbbbbbbb(bbbbbbb)|"
+		  "tP48y{wNJ_S hJbY]]dc",
+		  1, 0 },
+		{ "[:alph(\?{a:]p1[:lowerprint:]}){163,}", 0, 0 },
+		{ "W()", 1, 0 },
+		{ "()``````````````````````````[:ascii:][:alnum:]{,26}[:graph:"
+		  "]",
+		  1, 0 },
+		{ "[:al(\?<!num:]|byyy,*)U5%u${190}-{-221,-33}"
+		  "k7777777777777777777777777777777+eXXXXXXXXXXXXXXXXX[X(\?(XX)"
+		  "XX)S'vEAa]*e",
+		  -1, 0 },
+		{ "[^(([R_AC[lE'{2(\?{28(]8LTt[]b[:punct:]]O)|2[:graph:][:"
+		  "space:]})                               "
+		  "x3C[:alpha:])uI+dddddddddddddddddddddddd{-165,}"
+		  "FFFFFFFFFFFFFFFFFFFFFFF)cccc*[:upperword:]]G{,-38}{24,}"
+		  "555555555555555555555555555VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVZ["
+		  ":blankcntrl:][:ascii:]",
+		  0, 0 },
+		{ "[^QQQQQQQ(\?#QQ(QQQQQQ[:punct:][:space:]){(\?(\?:!}[:graph:]"
+		  "t}}[^}}(}}}}}444444[^444444444444444444444]\?]G)E)L{,-103}{"
+		  "84,}r$ii]-[:alp(\?<=ha:]S5G~9>n*)P<"
+		  "3tttttttttttttttttttttttttt)n{}[:graph:]"
+		  "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeee{,83}[:digit:])"
+		  "0BBBBBBBBBBBBBBBBBBBBBBBBBBBBBB[:alpha:]{-155,}{151,}",
+		  0, 0 },
+		{ "Ue{,254}+f[:lowerp(\?<=rint:]U.fff)", 0, 0 },
+		{ "QQQQQQQQQQQQQQQQQQQQQQQQAY<J)'MPi_u%#2doopqU7/"
+		  "{103}[:graph:]e!7{GOr",
+		  0, 0 },
+		{ "[^({,[^233}[^d)BBBBBBBBBBBBBBB=======(\?>===========[^=S|[^["
+		  ":alpha:]G/]qqqqqqqqq{}[:xdigit:])..k",
+		  0, 0 },
+		{ "[([^[[:space:]ffffff(\?=ff]M]))[:xdigit:]UbCI,CzalLU*y5I[:"
+		  "digit:]r{-30,180}{-209,-45}Paf]",
+		  0, 0 },
+		{ "[^[h(\?{hhhhhhhhhhhhhhhhhhhhh})]{,143}[:lowerprint:][:ascii:"
+		  "((\?(\?=])[:asc)ii:])zp]",
+		  0, 0 },
+		{ "[[(\?{]})]", 0, 0 },
+		{ "[[1\"3m^,(\?<!2((\?!\?#t```````````````````````````)\?)|c^)"
+		  "A^~]{61}W\\\\\\vvvvrrrrrrrrrrr[:digit(\?#:])]F[:upperword:]"
+		  "dX\\\\",
+		  0, 0 },
+		{ "([${144,}(\?<!)-RAk_F(\?imsxisx:=9]z/))", 1, 0 },
+		{ "[[^[[[^([[^[^[^([[^([[Uiiiii#####(\?(\?{(\?<!#########(\?=##"
+		  "###).^)(.|>2m[M/"
+		  "2222222222222222222222222222(\?:22222222222(\?#22(\?:(\?="
+		  "22222{,243}]x68+I/"
+		  "K)11111111111]\\pP[:graph:]$[:space:]^{}A)[:xdigit:]-={>",
+		  0, 0 },
+		{ "[(\?>[(^()Vty2vvvvvvvvvvvvvvvvz^])ZZZZZZZZZZZZZZZZZZZ-------"
+		  "---------5\\dVLSp8UE2m+z3X/Sd",
+		  0, 0 },
+		{ "[}}}}}}}}}}}}}}}}}}}(\?#}}(\?<=)|*C "
+		  "]*29JW7O9mEB]pE_OoxN)[:alpha:]",
+		  0, 0 },
+		{ "([^((\?<=\?)D{,200}.[(\?#:ascii:])[:space:].)[:alpha:]D|[:"
+		  "graph:]{,-41}*LLUUUUUUUUUUUUU{-189,-131}]qHR<k2@P{27}<^e,ub%"
+		  "\?/4){-243}+[:digit:]%*x9lA^",
+		  1, 0 },
+		{ "([:alpha:]bT&+_)$Z{,212}x26`", 1, 0 },
+		{ "[^([^(A{[^}g(\?()A9p#54b]-------------------------------)."
+		  "wzD#=f\\)A)8a]]DNNNNNNNNNNNNNNNNNNNNNNNNNN",
+		  0, 0 },
+		{ "(W000000000000000000000000000000)", 1, 0 },
+		{ "www(wwwwwwwwwwwww)", 1, 0 },
+		{ "()555555555555{18}i+[:alnum:]E  {}U", 1, 0 },
+		{ "SqbHoooooooooooo[^oooooo([^ooooooo])\\N[:xdigit:]]oooo`", 0,
+		  0 },
+		{ "[999999999999999999uE{193,0}lx{7917}[:punct:]4&d]{221,}[:"
+		  "digit:]{49,156}[:lowe(\?<=rprint:])[:space:]{-33}w+",
+		  0, 0 },
+		{ "[^(\?{})<{220,-193}[(\?=:xdigit:]UUUUUUUUUUUUUUUUUUU'{-18}]"
+		  ")",
+		  0, 0 },
+		{ "b[(\?<=:upperw(\?{ord:][:digit:]})EEEEEEEEEEEEEEEEEEEEE/////"
+		  "/////////////){177}C",
+		  0, 0 },
+		{ "(^).[:alnum:][^[(\?=[(\?{[})DA5{)[[I~y&O\?9>])]][:"
+		  "blankcntrl:]M[:alpha:]x9[:upperword:]|[:xdigit:]b",
+		  1, 0 },
+		{ "()[:digit:][^[U}-]]{,206}V*WJ@R]\?", 1, 0 },
+		{ "[^](\?#{}(\?[<=)yv)]r", 0, 0 },
+		{ "({,-192}//////////////////////7!eW_0eoL){}", 1, 0 },
+		{ "^[:punct:(]+)IIIIIIIII[:punct:]P$pP", 0, 0 },
+		{ "[(\?=|U)^-]{-52,-72}[:digit:]*6666666666\?{{{", 0, 0 },
+		{ "([^f(\?:+{1((\?=34,}]))^)s0bux7\?5`Bwr[:upperword:])Dy+", 1,
+		  0 },
+		{ "AL{}:::::::::::::::::::::::::::::::{,(104}~@,Ysey@h).", 1,
+		  0 },
+		{ "[^((.)))(\?()))))))))))))))))))))(\?msxims:))))))))))[)][:"
+		  "upperword:][:alpha:])",
+		  0, 0 },
+		{ "[^(()f])G^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^T{}N*nK[G]{,61}^^^^^"
+		  "^^^]",
+		  0, 0 },
+		{ "[(N::(\?<=[:digit:][:graph:][:space:]xB5[(:xdigit:]|Yv{}"
+		  "HHHHHHHHHHHHHHHHHHHHHHHHd).[:g(\?<=raph:])[:digit:]<<)[:"
+		  "digit:])[:space:]Q[:punct:]x7C]",
+		  0, 0 },
+		{ "[^((\?(\?(())a)(\?!){})W)pP3333333333("
+		  "33333333333333333333hhh]{})",
+		  0, 0 },
+		{ "[^                [               "
+		  "a*FFFFF[^FFFFFFFFFFF(\?<[^!FFFF(\?=FF])])L1]{,-52}{B-bxsPKg{"
+		  ",8}[:digit:][:punct:][:upperword:]DD${,-131}",
+		  0, 0 },
+		{ "($$$$$$$$$$$$$$$$$$$$$$$$$$$$$^pP),,,,,,,,,,,,,(,,,,,,,,,,,,"
+		  ")QQQQQQQQQQQQQQQQQQQQQQQQ",
+		  2, 0 },
+		{ "[:lowerprint:]|l{(,-54}C{}*-)IIIIIIIIIIIIIIIII", 1, 0 },
+		{ "()+", 1, 0 },
+		{ "[(([(\?{[:punct:]]|))[[[[[[[[[[})]WWWWWWWW&$$$$$$$[:graph:]",
+		  0, 0 },
+		{ "[^(\?{}){(107[(^,}][:space:[]))^w,&aPPPPPP[^PPPPP{117,-213}"
+		  "s\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?]]]222222[:d(\?("
+		  "igit:]NNNNNN)NNNNNNNNNNNNN8)I",
+		  0, 0 },
+		{ "[^(\?<!$)|TTTTTTTTTTTTTTTTTTTTTT(TTTT]a8)2<", 0, 0 },
+		{ "([^[]%[^[^]-][:alpha:]37*:[:space:]]lQvu)[:xdigit:][:"
+		  "blankcntrl:]",
+		  1, 0 },
+		{ "[[Bl_>9C^:\?X_KK]2sw@hHZT!],uuuuuuut|lFW()''''''''''''''''''"
+		  "'''[:graph:]<~v{-251}0[:digit:]C[{222,}]{,41}{}*g^UuS/"
+		  "{-114}",
+		  1, 0 },
+		{ "(D{,-79}[:gra(ph:(\?(]C[:ascii:]))I[tC.%tkllll[^"
+		  "llllllllllllllll]&&&&&&)&&&&&&&&&&&&&&&&&&&&&&)]10435",
+		  1, 0 },
+		{ "[:al(\?{[^num:]]})}x'[:(\?#xdigit:])"
+		  "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxKKKKKKKKKKKKKKKKKKKKKKKKKKKKTT"
+		  "Tr*%{~f",
+		  0, 0 },
+		{ "[ZQKEEEEEEEEEEEEEEEEE(\?<!]3|.~~~~~~~~~~~~~~303)"
+		  "33333333333333333",
+		  0, 0 },
+		{ "(-62([:ascii:]5555){-230,}<<<<<<SM[:punct:]{72}|E{160,})"
+		  "Pfqba!{,-188}DS{ +2tRu\"0JG$",
+		  2, 0 },
+		{ "([^(\?:(Ea00000000000000[:punct:][:graph:]{}]))[:xdigit:]{-"
+		  "65}t){164,}",
+		  1, 0 },
+		{ "[\?$$$$$$$$$$$$$$$$$$$$$$$$$F......(\?(.).q#R:j6%TTLCdtuM|8*"
+		  "54<GHoqEh9FBW0:W]L0)o][:upperword:]",
+		  0, 0 },
+		{ "[(\?>[:alnum:]W[:space:]]D)|L", 0, 0 },
+		{ "(M(MM)[:alnum:]|[:lowerprint:]4)", 2, 0 },
+		{ "[[^(\?:{}{2[2(\?>0,})]]]Etu)-)", 0, 0 },
+		{ "([^[^^z[:graph:]]#{-144,96}[:punct:]!4LY//////////////////"
+		  "SSSSSSSSSSSSSSSSSSSSSSSSS[[^:xdigit:]\?`-!L#p0{52}]%{-121,}["
+		  ":graph:]]WqJ>$6UBg{,7}[:blankcntrl:])[:upperword:]y2wW!A[:"
+		  "blankcntrl:]0CN\?",
+		  1, 0 },
+		{ "[[^(\?:|+bII(IIIIIII(\?(\?>!)275SIIIIIIIIII(IIIIIII(\?="
+		  "IIIIII[:graph:]|)`]S\?.}A)[:alnum:]Jgggggggggg{-150,}{-89,})"
+		  "[:alpha:]Q)|07be5:j)]",
+		  0, 0 },
+		{ "([(\?i(ms(\?=x-x(\?>:))C)]){})>eIqm~lFb[:upperword:][:"
+		  "blankcntrl:]w=[:digit:][:graph:]",
+		  1, 0 },
+		{ "([HHHHHHHHHHHHHHHHHHHHHHHHHH[^HHH("
+		  "\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?!!!!!!!!!!!!!!!!!!"
+		  "!!{23}]~J=[:ascii:]tttttttttttttttt])-216",
+		  1, 0 },
+		{ "B{[^-32,246}{13(\?!0}q>GVQw*[:digit:][:punct:]."
+		  "77777777777777777777`T(-t01odD]\?${}{-247}+gV{131})+[:"
+		  "lowerprint:]m/z~d",
+		  0, 0 },
+		{ "[t[$FV+(\?=E=[^])]-$U{-22[5,}{253,}08g]$[{}][:xdigit:][:"
+		  "punct:]{-18}{-173,}]{,-191}V_|90",
+		  0, 0 },
+		{ "()$", 1, 0 },
+		{ "[^[^((((((((((((((W[(\?::blankcntrl:]&-JH]J){93}LLLLLLL|r{,"
+		  "221}tY/172]-AS",
+		  0, 0 },
+		{ "[^()(\?{qqqq(\?msimsx:qqqqqqqqqq3999999999999GGGGG|S*W%{,"
+		  "128}][:xdigit:]AJt]}\"Zf!lRpr{>){,36}})",
+		  0, 0 },
+		{ "[([]^]^)", 0, 0 },
+		{ "([.(\?#){}[:alpha:]\?S{2}P%Gw]"
+		  "nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnYiq5)>i*r<",
+		  1, 0 },
+		{ "[ggggggggggg$PPP:S "
+		  "(:]N{239,}|A[:lowerprint:]vvvvvvvvvv[:lower(print:]{-184}({-"
+		  "133,}+)[:punct:]P/Q.OOOOOOOOOOOOOOOOOOOOOOOOOOOOOO",
+		  1, 0 },
+		{ "(RRRRRRR[^RRRRR[RRRRRRRRR])]", 1, 0 },
+		{ "[(\?:^])D%", 0, 0 },
+		{ "()[]#C[+[j]{,29}-]", 1, 0 },
+		{ "(([(\?(((\?{\?!(\?=\?=#[Es*){02$r'}(\?:3pz)"
+		  "uPPPPPPPPPPPPPPPP(\?(\?>:PPPP][:graph:][:ascii:]`.)[:punct:]"
+		  "[:a(\?mxi:lnum:])r)$)[:xdigit:]$[:(\?=digit:])aa[^]a)\?])"
+		  "sQQQQQQQQQQQQQQQQQQQQQQQQQQ^|$)-}))",
+		  2, 0 },
+		{ "z@@@@@@@y${}[:(\?:upperword:]l\?{,144}-)", 0, 0 },
+		{ "[:aln(\?:(\?>um:(\?imximsx:]){})FGGGGGGGGGG|-p){,105}", 0,
+		  0 },
+		{ "[[{17}llllllllllllllll(\?:lllllllll{,(\?#-94}OUUUUUUU(\?#"
+		  "UUUUUUUUUUUUUAA]p[:digit:]{-1(57,}5yyyyyyyyyyyyyyyyyyyyy[:"
+		  "alnum:]v{-185}^^^^^^^^^^^^^)d[[[p)]))",
+		  1, 0 },
+		{ "()|[:digit:].E2o", 1, 0 },
+		{ "()3[:lowerprint:]", 1, 0 },
+		{ "[(\?{(\?#(\?>SN}[^)z+r^t[:digit:]seP[:alnum:]$b1ZY[U(\?<!"
+		  "U4IIIIIIIIIIIII(\?<=IIIIIIIIII]m)]))]4)",
+		  0, 0 },
+		{ "{,74}      qkk[^p]kbi6>{}000000000000000000000000000000$|)",
+		  0, 0 },
+		{ "[:(\?=digit:])v{164}", 0, 0 },
+		{ "[:graph:]h[:upper(\?(wo(\?{rd:)])00000[^000000000000})."
+		  "4OEVf{,-46}]A",
+		  0, 0 },
+		{ "[](((((((((((((((N{{{{{{{{{{{{{{{{,-1}e]a{-166,-44}", 0, 0 },
+		{ "([[^[^[(^[]]YYYYYYYYYYY]D.cQ{}[:alpha:]ttttttt000000[^0000("
+		  "\?<!0000000000000000N::::::::].][:alpha:]#5\?{}{-253,-193}]"
+		  "\\[:ascii:]tS{,35}B)ffffffffffffffffffffffff))/",
+		  1, 0 },
+		{ "(G)[:alpha:(\?#])W{-197,-220}w8", 1, 0 },
+		{ "{-2[^00,(\?#-([84}ig+)]]l[:graph:][:graph:][:space:])"
+		  "aaaaaaaaaaaaaaaaaaa{-208,}ea{,224}",
+		  0, 0 },
+		{ "[^[W(\?<=[B[:xdigit:]{255,}FAAAAAAAAAAAAAAAAAAAPP])[:xdigit:"
+		  "]+][:lowerprint:]${-195}",
+		  0, 0 },
+		{ "[v{104,}BB].HHHHHHHHHHHH[:ascii:]"
+		  "bbbbbbbbbbbbbbbbbbbbbbbbbbbb(btttttttttttttttttttttttttt){"
+		  "180}",
+		  1, 0 },
+		{ "[^(i[^iiiiiiiiiiiiiiiiii(ii)n])#######################]", 0,
+		  0 },
+		{ "(([:space:])[:g(\?>raph:])[:punct:][:upperword:]LV\"t+t!)[:"
+		  "ascii:][:lowerprint:]q",
+		  2, 0 },
+		{ "[[[^([7(\?[<!)\\PP~D7L        (\?imsimsx:(\?=  "
+		  "$GS26L3-J(\?()!)]]{-178}%$[:p(\?!unct:]))yyyyyyyyyyyyyy@w,["
+		  "11!R86:)G*[(\?(:blankcntrl:]267$~L\?{-108}k[:alnum:]So\?Y/"
+		  "eq]-|[:xdigit:]555555555555555555555555555)55555........W*O)"
+		  ")][:alnum:]]I{,-126}[:lowerprint:]8\?[:xdigit:]u%wHc6\?:Pc.."
+		  ".........................,,,,,,,,,,,,,,,,,,,,,,,,,,,]",
+		  0, 0 },
+		{ "((3pPp))QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ", 2, 0 },
+		{ "[[^]{-244[}(\?([^|W0E4]UUUUUUUUUUUUUU[:upper)word:][:space:]"
+		  "{-57,})+L>R]]$PeFuufcBA`qr!!!!!!!!!!!!!!!!!!!!!!!!!",
+		  0, 0 },
+		{ "[[(\?#F^(\?<!)|)fff(\?!fffffffffffffffff(\?{ffffff(\?:"
+		  "ffffff[:alnum:])]]c.\?-}))",
+		  0, 0 },
+		{ "[^[^((\?:)ww[wwww(\?>wwwww)3z/57z){34}]/(/////////////[^////"
+		  "//////////////)]E%)L{-133}]*$]",
+		  1, 0 },
+		{ "(!)GS[:ascii:][:punct:]{235}T'&-_h\"", 1, 0 },
+		{ "(){}", 1, 0 },
+		{ "[[^((\?!(\?<=)*QF[:alpha:])([^[^\?<!x60t(\?<!"
+		  "UUUUUUUUUUUUUUUUUUUU)K&d{118}z7nM.G)````````````````````````"
+		  "```E:(\?(){31,}){}]k]){,109}[:space:]]ZZ[:xdigit:]]{-68,}`{}"
+		  "{}e\?[:alnum:]",
+		  0, 0 },
+		{ "[^{223}.^,-qqqqqqqqq((\?!\?>qqqqqqqqqqqqqqqqqqqqqqqP6W0_'O)"
+		  "Bur*'6&*t)]{65})+",
+		  0, 0 },
+		{ "([(\?=)]wr$7f5ru){100,}[:xdigit:]y{}[:digit:]{}2n@P|9#mru~"
+		  "97{-189,73}$a",
+		  1, 0 },
+		{ "({-113,213}){-172,221}B[:ascii:]{,-48}", 1, 0 },
+		{ "[^[[Xf`````((\?{(\?<=\?imsmsx:`````````(\?!`````````[```("
+		  "\?mximsx:``(\?(&|o{xIaO][:)space:]3))\?])+)*<|@@@@@@@@@@@@@@"
+		  "@@@@@@@@){-251,}{}]*[:graph:]1!azE\?|-120u*][:lowerprint:]}"
+		  ")",
+		  0, 0 },
+		{ "[[[^##(\?################(\?>(\?(##t)][:punct:])b))<<<<<<<<<"
+		  "<<<<<<<<<<<<<<<<<[:alnum:]y "
+		  ">u=l:rp8i3Ci#]46%NIO-W[:space:]IIIIIIIIIIIIIIIIII]W[:space:]"
+		  "f]l{-253}",
+		  0, 0 },
+		{ "[:graph:]L{-136,175}{[^}h(\?=t)Q]ooooooooo("
+		  "ooooooooooooooooo_)[:space:]q\?",
+		  1, 0 },
+		{ "()$.", 1, 0 },
+		{ "[(\?<!^$.\?{197}B]$)", 0, 0 },
+		{ "[:di(git:])[:low(erprint:])qqqqqqqqqqqqqqqq[:digit:]", 0,
+		  0 },
+		{ "((zzzzzzzzzzzzAUUUU)l$]VD                 z~)n", 2, 0 },
+		{ "([^[(\?<=^[]{}][.WWWW)044444444444(\?=44(\?{444(\?{("
+		  "444444444444e{(\?=}}))..t]+[:(\?<!xdigit:]P]-N}))))|)",
+		  1, 0 },
+		{ "\\ce[:(\?#asc(\?{ii:])})[:upperword:]`^", 0, 0 },
+		{ "[:graph:(\?<=])[:alpha:]", 0, 0 },
+		{ "([:upp(\?=erword:])pC)lp\?", 1, 0 },
+		{ "(oooooooooooooo\?fN)-[:alpha:]{-213}[:alnum:]qHEu", 1, 0 },
+		{ "[:punct:]TTTTTTTTTTTTTTTTTTT[:d(\?#igit:])[:alpha:]", 0, 0 },
+		{ "([^[^[^J4(+++++++++++++++++++++SgDE(\?>\"y8].]::::::::::::::"
+		  ":)pP5-]p)O{,199}xxxxxxxxxxxxxxxxxxxxxx[:ascii:]%",
+		  1, 0 },
+		{ "([:alpha:]Fs)Z", 1, 0 },
+		{ "[()]{209}[:alpha:]hhhhhhhhh(hhhhhhhhhhhhhhhhhhhhh)pP<<<<<<<<"
+		  "<<<<<<<<<<<<<<<<<<<<<",
+		  1, 0 },
+		{ "-{-8,}.[:(\?imsxx:ascii(\?<!:]{-231}aa*{}K^UQL\?)d\?[:"
+		  "lowerprint:]W)q>D9'",
+		  0, 0 },
+		{ "[#(\?msximsx:#########################-IIIIIIIIIIIIII(IIII("
+		  "\?#IIIII((\?#[^III{})N.[(\?=:lowerprint:]))CwT,,,,,,,,,,,,,,"
+		  ",,,,,,Sq]$CCCCCCCCCCCCCCCCCCCCCCCuuuuuuuu])))",
+		  0, 0 },
+		{ "[:xdigit:][(\?#]){13}{,75}lllllllll", 0, 0 },
+		{ "[c]QQQQQQQQ1+{-252[(\?#}33333])[:upperword:]", 0, 0 },
+		{ "P@i #>>PF!@8G<[(\?:^P]-)D", 0, 0 },
+		{ "uZZZZZZZZZZZZZZ[^ZZZZZl*-211{199}(\?!p])"
+		  "EEEEEEEEEEEEEEEEEEEEEEEEEEED[:lowerp(\?msximsx:rint:])",
+		  0, 0 },
+		{ "[(\?!^])021[:graph:]'", 0, 0 },
+		{ "\\(\?>[(\?<=:ascii:]{}[:alpha:]d8}G))", 0, 0 },
+		{ "[^[((\?!1)[^,a|]\?{,242}[:alnum:])X\"a", 0, 0 },
+		{ "pP[((\?simx::a(\?!lnum:]vvvvvvvvvvvvvvvvvvvvvvvvv)|O0)[:"
+		  "digit:]ooooooooooooooooooooo)"
+		  "\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"",
+		  0, 0 },
+		{ "_ L:8J-~ Y$[:uppe(rword:]{,-184}]{}6.A)", 0, 0 },
+		{ "{,105}.(9]]{-12})N@0nOOE", 1, 0 },
+		{ "HHHHHHHHHH[:xdigit:]uuuuuuuuuuuu{}E^X\\\\\\12601", -1, 1 },
+		{ "( o)=\"OU7h{V>", 1, 0 },
+		{ "[[:xdigit:])))))$[:xdigit:]+{152}{,-50}(c),,,,,,!!!!!!!!!!!!"
+		  "!!(\?>!!!!!!!!!!!!!.[:digit:]i>\"O'i9])-175d_",
+		  0, 0 },
+		{ "[([^[^[^([[Eeee[^eeeeeee(\?(\?<!(eeeeeeeeeeeeeeeeeef|]][:"
+		  "alph()\?>(\?!(\?>a:]a{,166})/////////////////////"
+		  "[:gr[^aph:])Gpu",
+		  0, 0 },
+		{ "(7)NNNNNNNNNNN132", 1, 0 },
+		{ "[([\?#^[]{QKm$v])][:alp[^ha:]]", 0, 0 },
+		{ "(:{86})7{K|[:alpha:]{O", 1, 0 },
+		{ "([Y(\?{[[^:alnum:][:alnum:][:digit:][:a(\?(lpha(\?(:].})", 1,
+		  0 },
+		{ "[[({29,-30}([[^:digit:])Y]]J=~{,220}[:blankcntrl:])"
+		  "0ooooooooooooooooooooooooooooooo[:punct:]&]",
+		  0, 0 },
+		{ "[^1Dx32[:alnum:]]{[(\?::punct:]MMMMMMMMMM)12759", 0, 0 },
+		{ "([[[]]*|(_])[:u(\?{pperword:]})", 2, 0 },
+		{ "[:upper(\?(wo)rd:]){-16,250}", 0, 0 },
+		{ "([^{194}i(\?({161)}PP\\S{}{,-14}]))z{208,225}BpPEt", 1, 0 },
+		{ "[(\?m-ms:)}&!@29k0sUqzt9}<-x|A$!+G>>>>>>>>>>>>>>>>>>>>>>>>>>"
+		  ">>>>>>CCCCCCCCCC-][[:space:]][:space:]El",
+		  0, 0 },
+		{ "()[:digit:(\?isx(\?>ix:]K^WQQQQQQQQQQQQQQs)[:lowerprint:])",
+		  1, 0 },
+		{ "[a|(\?imix:S(\?(SSSS)SS(\?>S)]W)8t[:ascii:]f$)[:alnum:]"
+		  "111111111111111111111[^[:space:]x{12729}+'''''''''''''''']",
+		  0, 0 },
+		{ "[^(\?!(\?(\?#=)a)[:punct:]=2)(){}$$$$$$$$$(\?ims(\?#-isx:$$$"
+		  "$$$$$$$$$$$$$(\?#$$s)x{294b}##############################"
+		  "slllll)]){,209}333333333333333333G:v2/K",
+		  0, 0 },
+		{ "[^]ub(\?<=)vQ6(\?#Z\"3.)[:space:]u[[:digit:]]"
+		  "7777777777777777U'{}sssssssssss",
+		  0, 0 },
+		{ "(([(])`[:ascii:]b)", 2, 0 },
+		{ "[[[^[^([^[^(\?=(\?imxisx:[[^w])", 0, 0 },
+		{ "pppp(pppppppppp-{-175}Nb>k&)sssss{-190,-54}", 1, 0 },
+		{ "()OJ@`'%[:(as(\?!cii(\?#:]))+pffffffffffffffffffffffffffff{,"
+		  "162}[:ascii:]5)s-[:graph:]",
+		  1, 0 },
+		{ "[(M{}Ux5{jaW/"
+		  "{}[^u[:alpha:]s^{84,}PPb@Wt$(\?>nha<Yf41a)]{}[:lowerprint:])"
+		  "*[:lowerprint:]][:upperword:]^1gS.^=pp{}"
+		  "FFFFFFFFFFFFFFFFFFFFFFFFFFF33333333333{}",
+		  0, 0 },
+		{ ")\?L9~h4BQnNp F\\Q{}", 0, 0 },
+		{ "($)[:upperwor(\?:d:])N[:alnum:]"
+		  "bcccccccc5555555555555555555555555.N[:blankcntrl:]",
+		  1, 0 },
+		{ "2222222222222222222ppppppppppppppppp[:lowerprint:]))[^B\\e{{"
+		  "{{{f]6#+{,-104}{{{{{{{{{{{{{",
+		  0, 0 },
+		{ "<[(\?>:al[^pha:]])\"O\"vN", 0, 0 },
+		{ "[(\?>d8E@b.{(\?<=,-250}(\?=mx48[:punct:]^&)]nAeYY)W)-13272",
+		  0, 0 },
+		{ "22222222222222222222222222///////////////////"
+		  "[:digi(\?#t:]eM)[:lowerprint:][:alpha:][:alpha:]EEEEEEEEEEE",
+		  0, 0 },
+		{ "[(\?={38,223})^\\\\\\\\\\\\\\\\L(\?:{,-50}3|)}r]aW\\x70U{-"
+		  "110,}8LUf)w]4+oav",
+		  0, 0 },
+		{ "G[:upperword:]v[:lowerprint:]-tu)j8CK", 0, 0 },
+		{ "[([([^().(\?(\?><=c)'(\?<(='(\?<!''''''''(\?(\?<!!''''''''''"
+		  "'(\?=''''''/"
+		  "(|dHj(P>L\?q!G))|)(\?=n(\?(^tk)T-z$q!D|2<rc[^{,53})]jZy))))"
+		  "6)[:bla)nkcntrl:])010])7pE`l[:space:]([:lowerprint:]"
+		  "eXXXXXXXXXXXXXXXXXXXTTTrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr]+[:"
+		  "alph(\?!a:]7)444444444444444444444444l{34,}]J{}"
+		  "yyyyyyyyyyyyyyyyyyyyyyyyyyy)\?'z9~9s.mA",
+		  1, 0 },
+		{ "().", 1, 0 },
+		{ "{-205(,}[:al(ph(\?>[^a:]W,[4DLR[^^8THMtVv~KKw(\?>)pPF)].{-"
+		  "245,}]))fffffffffd[:alpha:]zzzzzzzzzzzzzzzzzzzzzzzzzzzzz",
+		  1, 0 },
+		{ "[^[[^]{-[1(\?imximx:83,}{,182}][:graph:]]^])-bTO X0P", 0,
+		  0 },
+		{ "[11111111111(\?#11111111]U[:asc([\?!ii:]{,37}+{-89}){-170,"
+		  "218}{-21,})f[:xdigit:]]P.[:xdig(\?:it:]145)YYYYYY$S@:@@@@@@@"
+		  "@@{-150,-109}",
+		  0, 0 },
+		{ "{-40}<o][^D[(:graph:]]d).Q", 0, 0 },
+		{ "()APPLn[:xdigit:]", 1, 0 },
+		{ "[([^\?+++++++++++      [       (\?>  (\?(     (\?{  "
+		  "(\?!]E{-29})pP)})ZpP",
+		  0, 0 },
+		{ "(t|{}c[^z^\?(@YLD]bSSSSSSSSSSSSSSS)+{{{{{{{{{{{{{{{[:xdigit:"
+		  "]n>1)WkF}7",
+		  1, 0 },
+		{ "W22[0Q[^d-d{}PPPPPPPPPPPPPPP<^FZ(\?<=\"[U]Yo}9H'cYy]S[:"
+		  "alnum:]^8wTDH)^u",
+		  0, 0 },
+		{ "([^[(\?:(\?>((\?#$)(\?{^(\?>))///////////(\?>/"
+		  "ggggggggggggggggg{1(\?!90,-13}\\D)Dyyyyyyyyyyyy(\?!y(\?<!"
+		  "yyyyyyy)})]]$)[:xdigit:]|{}-)#a))nPpP[:lowerprint:]AA)V+q^[:"
+		  "blankcntrl:]",
+		  1, 0 },
+		{ "([^(\?!]))D{,97}", 1, 0 },
+		{ "(c){,141}", 1, 0 },
+		{ "nn[:s(\?<=pace:])[:upperword:]ooooooooooooooooooo*^[:space:]"
+		  "`{-188,129}mmmmmmmmmmmmm^.",
+		  0, 0 },
+		{ "[[G{(\?imsximsx:2(49}{,-46}r(\?(\?=#Gw]u))[:bl(\?>ankcntrl:]"
+		  "))(^m+)zSiZ "
+		  "F4[!]VV$E{-9,-100}''''('''''''''\?DEOOOOOOOOOOOO############"
+		  "###[:space:])HHHH)[:digit:]'////////////",
+		  2, 0 },
+		{ "[^*}(\?>)(\?:7Q=#+]KKKKKKKKKKKKKKKKKKKKKKKKKKKG)]]]]]]]]]]]]"
+		  "]]]]]]]]]]]]]][:alpha:]-{}",
+		  0, 0 },
+		{ "[n(\?<(\?#!nnnnnn55555{205,}!)[:alnum:]^]!!!!!!!!!!!!!!!!!!!"
+		  "!!!![:punct:])[:x(\?(digit:]vr)|'n6W5 D&jk[:punct:]5)",
+		  0, 0 },
+		{ "[^P(P{(\?i(msxisx:235,}))***])[:alpha:]^", 0, 0 },
+		{ "[([t(\?<!(\?<!4])[:u(\?=pperword:]))-])}}}}}}}}}}}}}}}}}c{-"
+		  "39,}[:digit:]$-",
+		  0, 0 },
+		{ "([^)]{241}[:xdigit:][:upp(\?=erwo(\?(rd:]-xF5b{})q[:ascii:])"
+		  "T4U{185}9999999999)()X&Ny[:alpha:]@@@@@@@@@@@@@@@@@@@@@@@@@@"
+		  "@@@@@@{69,}[:alnum:]x{d7f8}p-[:digit:]",
+		  2, 0 },
+		{ "(f)(${,111}{25,}!\\d{,94}[:blankcntrl:]@[:space:][:ascii:])-"
+		  "237{,232}DQVVVVVVVVVVVVVV)-",
+		  2, 0 },
+		{ "PP[:g(\?!raph:]){}", 0, 0 },
+		{ "([[^-][^4[:digit:]NNNNNNNNNNN]TVU:])[:ascii:]", 1, 0 },
+		{ "(([^(\?[[^<=)][:graph:]+iiiiiiiiiiiiiiiiiiiiiiiiii0INFX[:"
+		  "xdigi(\?(t:][:blankcntrl:]][:graph:]qM6A[:alpha:][:graph:])"
+		  "1*]eFvvvvvvvvvv)v-)U))t{89}",
+		  2, 0 },
+		{ "[^ZZZZZZZZZZZZZZZiiiiiiiiiiiii(iiiiiiiiiiiiiii{}))))))))))))"
+		  "))))))]))))))))))))))))))))))))[:digit:]-",
+		  0, 0 },
+		{ "ddddddddd+zzzzzzzzzzzz[:graph(:])ssssssM{-223}[:graph:]", 0,
+		  0 },
+		{ "[:alph(\?>a:])x11{-144,45}.", 0, 0 },
+		{ "[]{#y.^(\?{{}&&&&(\?:[^&&&&&&&&)[:punct:]n{190}OylBQ{(\?!-"
+		  "73})2u',x(\?#Ds(\?#{})j(\?{-})})u0(((((((\?{(((([:alnum:])"
+		  "MC})b=71TncyE>[:xdigit:]*\\f]{}]\"p#!8twZT\")[:punct:][:"
+		  "space:]",
+		  0, 0 },
+		{ "[^(Z6]8)|'@p8{}[:upperword:]MMMMMMMMMMMMMMMMMMMMMMMMMMMM{}"
+		  "7c",
+		  0, 0 },
+		{ "$0)@#vp,VcJ.Bdh", 0, 0 },
+		{ "[[^(-])nnnn+s`[:alpha:][:blankcnt[^rl:][:upperword:]{-15,}]["
+		  ":g(raph:]c]){,-177}6[:upperword:]##################{,-14}",
+		  0, 0 },
+		{ "[[(5C{86(,}PPrrrrrrrrrrrrrrrrrrrrr{150,182})N{}LSC|)-[:"
+		  "alnum:]{}KKKKKKKKKKKKKKKK<4=~7K3PPPPPPPPPPPPPPPPPPPPPPP[:"
+		  "lowerprint:]]]",
+		  -1, 0 },
+		{ "([^(x{145b[5}^hfc.0)+]z@_&lA{-34,}])X\?", 1, 0 },
+		{ "([(\?<=)(\?!])l)L", 1, 0 },
+		{ "({-104,}DrPPDF4444444444444[:space:])[:space:]", 1, 0 },
+		{ "())))", 1, 0 },
+		{ "[[^((\?>\?(\?[{})q5v}r7t(P)xtffffffffffff))]{,-66}kdExX&-"
+		  "SCeCzzzzzzzzzEc)E,\"^I]x{e629}|{}]",
+		  0, 0 },
+		{ "[h[:punct:]p\\[\\\\(\?:\\\\[^\\\\)Eo#:C$u[^T/"
+		  "ysA[*%nM:f]{,221}[:lowerprin[^t:]{]bx{f285}E]E[:alnum:]+]"
+		  "1oe3B][:alp(ha:]]fh7}M$l)D{17}",
+		  0, 0 },
+		{ "IIIIIIII[^IIIIIIX]-_S[:digit(\?#:])"
+		  "33333333333333333333333333[:punct:]iiiiiiiiiiiiiiiiii",
+		  0, 0 },
+		{ "[^[[:punct:](\?((\?:^ "
+		  "#Q_po(\?=[:alpha:]{}z()(\?!======'wq$Q2)LLLLLLLLLLLLLLLe("
+		  "C9gggggggggggggggggg[(\?<=:alnum:]()\?<!{-85,}W[[[[[[[[[[[[["
+		  "[[[(\?{[[[[[[^)(]\?])|uuu[uuuuuuuuuuuuuuuuuu{,-20}p${}]MHI&"
+		  "7s:\?$[:digit:]-:)_V`*{-52,}{250}$:ME9izF/"
+		  "uP[:blankcntrl:]})''''''''''''''''''''''''''''')"
+		  "CCCCCCCCCCCCCCCCCCCCCCCCdd[:ascii:][:lowerprint:]."
+		  "Mcccccccccc2B{-230,}$[:digit:]",
+		  1, 0 },
+		{ "()|mOAuK~P144[:space:]^9dddddddddddddddddddddddddddddd[:"
+		  "blankcntrl:]",
+		  1, 0 },
+		{ "[^[^[^.L[^-vEUl(\?>(\?=a!Ib1P]])])~~~~~~~]xE9", 0, 0 },
+		{ "X()", 1, 0 },
+		{ "[^()(\?#G(\?<!)(\?=^r])*,XXXXXXXXXXXXXXXXX@)444444444", 0,
+		  0 },
+		{ "([[((\?<=({,-70})-[:xd(\?=igit:]{,138})", -1, 0 },
+		{ "[(^]{62,67})", 0, 0 },
+		{ "([((])[:space:]))", 1, 0 },
+		{ "(a{(109,})[:alpha:]{,-121}{})]RRRRRRRRRRRRRRRRRRRRRRRR{}{"
+		  "125,}ttttttttt{46,}`[:space:]",
+		  2, 0 },
+		{ "[^[^([q[8]~.IPmiBSspP)]QpX[pT==8@lulANS]]{,-98}]", 0, 0 },
+		{ "[^77777777777777777777777(\?>777777])", 0, 0 },
+		{ "(),e<^X~{[:alpha:]{}G{70}", 1, 0 },
+		{ "({-211,}'){}", 1, 0 },
+		{ "[^(\?imsxsx:{}[*])cccccccccccccccccccccccccccccccc<z0W8]$",
+		  0, 0 },
+		{ "(){2,89}$z", 1, 0 },
+		{ "((050[^\"\"\"\"\"\"\"\"z]8|j{}{,-112}$).pP)qq1~hW}L", 2, 0 },
+		{ "[[^[(+xx(\?<!xxxxxxxx(\?!xxxxxxxxxx(\?#(\?>[x))(\?:]r.]]]))["
+		  ":graph(\?<=:])))",
+		  0, 0 },
+		{ "[^([(\?#)(\?(\?(<=)l|\?(\?!])kkkkkkkkkkkkkkkkkkkkkkkkkk", 0,
+		  0 },
+		{ "[:xdigit:]K(KKKKKKK)^3c.OOO{-240,-10}2{-97,-139}*{-34,}[:"
+		  "xdigit:]",
+		  1, 0 },
+		{ "[([^66666666F(\?>FFFFFFFFFFwpP)LLLLLDeDA&Am$l[:xdigit:]!T5#]"
+		  "n[:alpha:]U*)))))))))))))PP]",
+		  0, 0 },
+		{ "[[[:punct:]u^[:xdigit:]L(\?:[:xdigit:][[:graph:]PP{21}A[:"
+		  "alpha:]8%I(M%b<eE~#C@r=uG~~~~~~~~~~~~~~~~~~~~~~~~~~~~+w]pP)"
+		  "T]]$$$$$$$$$$$$$$${-121,}|l",
+		  0, 0 },
+		{ "([(107{,-4(\?=}~[^D)])f]{,46}+ri<)", 1, 0 },
+		{ "[(\?<=]{,208}+~)", 0, 0 },
+		{ "[^444(\?<=4444444[:alnum:]&[,i]0)[:alpha:][:upperword:]", 0,
+		  0 },
+		{ "[^([^(\?()*+)SS(\?>SSSSSSSSSSSSSSSSSSSSSS]]]]]]]]]]]]]]]]]]]"
+		  "]]]]]]]]]]]{,-1}])[:blankcntrl:]============================"
+		  "===[:punct:][:blankcntrl:]Z[:space:][:ascii:]$|$[:"
+		  "blankcntrl:] JR.{,133}[:alpha:]$\?)<]",
+		  -1, 0 },
+		{ "(OL[:u[pperword(:][:s[^pace:].[:spac(e:],,,,]*])$)\?)", 1,
+		  0 },
+		{ "(VI[:digit:][:alpha:]6)EG", 1, 0 },
+		{ "({}){-2,-40}rrrrrrrrrrrrrrrrrrrrrrr[:punct:]", 1, 0 },
+		{ "()q", 1, 0 },
+		{ "[^([^[([^C|])]{,-56}[:xdigit:]{-144,}V])fYv{-[40,-58}$@@@@@@"
+		  "@@@@@@@]|Y(-]-.]h-[:dig(it:])>>>dddddddddddddddddddddddddd{"
+		  "101,}",
+		  1, 0 },
+		{ "([P,{1(\?(\?(<=28,-218[^)}LoZX)])!!!!!!!!!!!!!!*[:blank(\?!"
+		  "cntrl:]ed)\\\\\\\\\\\\\\\\\\\\[\\L\?][:graph:]:*Y{-108,120}"
+		  "xCC)]",
+		  1, 0 },
+		{ "(A[:space:]PP{185}a^!!!!!!lllllll)*db\?$Pfr", 1, 0 },
+		{ "{-21,-118}kG[(\?{:xdigit:]})[:punct:]{69}"
+		  "Qyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy5{}TTTTTTTTTTTTTTTTTTTTT",
+		  0, 0 },
+		{ "[[^[P(\?<=P$X>0^d.[:punct:](\?#ccccccccccccccccccccccccc{}"
+		  "3N000(\?>00000000000000000000000000000]f[:punct:]5)).R======"
+		  "=========={,222}^wwwwwwww$)]-{}              "
+		  "]{,-22}CjP{242,}",
+		  0, 0 },
+		{ "[(\?#^]{})", 0, 0 },
+		{ "[^([[([([[([^[^(\?:(\?(\?(!)]\"))h>\"RRRRRRRRRRRRRRRR[^"
+		  "RRRRR{68,-65}7Q(\?{]",
+		  0, 0 },
+		{ "(P{}){175,}PP{}rttttttttttt", 1, 0 },
+		{ "[:bla(\?{nkcntrl(\?#:]})))))))))))))))))))))))!!!!sR{})", 0,
+		  0 },
+		{ " [:digit:]dAAAAAAAAAAAAA^[:ascii(:]55)^", 0, 0 },
+		{ "($*)dZY", -1, 0 },
+		{ "[:graph:][:lowerprint:]S[:gr(\?=aph:]{-128,}"
+		  "666666666666666666666{}[:upperword:]|"
+		  "nnnnnnnnnnnnnnnnnnnnnnnnnnB)c[:xdigit:]{-225,}{-4,}{-192,}"
+		  "QQQQQQQQQQQQQQQ@@@@@@@@@@@@@@@@@@@@@@.",
+		  0, 0 },
+		{ "([:digit:]s{44,}{}{-31,}c{,-130}pP){-241,}UeN", 1, 0 },
+		{ "([^)((\?>\?#{}hK\"V2\?d][KKK(\?imsxim:KKKKKKKKKKKKKKKKKKKK[^"
+		  "KKKKKKKKKWWWW[WWWWWWWWWWWWWWWWW)B])_l_3",
+		  1, 0 },
+		{ "[(^[(\?!*){[^,91}].j]*]L)*c|[:alpha:]&", 0, 0 },
+		{ "[^[[[^[777GGG(\?:W_U(\?imsxms:[:punct:]A]-)[:digit:][:"
+		  "blankcntrl(\?(:]][:alnum:)])]WRRRRRRRRRRRRRRRRRRRRRRRRRRR]{"
+		  "31,}[:xdigit:]][:xdigit:]))))))))))))))))))))))$[:xdigit:]",
+		  0, 0 },
+		{ "[:ascii:]m*[:punct:]#[(\?<!:punct:][:alpha:]-,"
+		  "7vyXeeeeeeeeeeeeeeeeeeeeeeeee^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"
+		  "^%%%%%%%%%%%%%%%%%%%%%%%%%%%%[:digit:]''''''''''''''''')",
+		  0, 0 },
+		{ "([^*[(:punct:]9999999999999999999{147,}]j{,193}{171}Z-)){"
+		  "208}0[:graph:]yDt",
+		  1, 0 },
+		{ "(dw[[:alpha:]U]ttt[tttttttttttttttttttt]Q^171e)[:xdigit:]/",
+		  1, 0 },
+		{ "[[^((\?#)Tqqqqqqqqqqqqqqqqqqqqqqqqq105++++++++++++++++++++++"
+		  "++++b7V+7dit]])|D",
+		  0, 0 },
+		{ "{}P7.Ajh[:xdigit:]^[:blankc((\?(\?<=nt[rl:]FFF)-]){}o|a[:"
+		  "grap(\?!h:]))PsssssssssssssssssssssssssssssssN^{-60,}Kb",
+		  0, 0 },
+		{ "[:alpha(\?(:]$!_+777777777777777777777777O)666)lll[^llllll[^"
+		  "l{{{{{{{{{{{{{{{{{{{{{{|]{-217,}MoEl`7)^)LlU[:alph[a:]({-"
+		  "241,27})]]{-212}{,249}n)X",
+		  1, 0 },
+		{ "[U|ajP[:alnum:]n[(:digit:]]W)[:graph:]b[:xdigit:].P", 0, 0 },
+		{ "(([:low(\?-imsx:erprint:]|{}[:ascii:][:gr(\?:aph:])>>>>>>>>>"
+		  ">>>>{,-129}))\?{-226,}^P)R",
+		  2, 0 },
+		{ "[^[[nnnnnnnnnn(\?=nnnn(\?!nnnnnnnnnnnn(\?#nnnnnn{,-38}N){"
+		  "202,}]$[:alnum:])]t][:alnum:[]^=w){237}][:alpha:]-[:alpha:]+"
+		  "e",
+		  0, 0 },
+		{ "()[(\?(:digit):]+qc)O88888888{,151}aJ", 1, 0 },
+		{ "([^([(\?!sv(\?=)d]{-200,})N))]Z{-73,15}", 1, 0 },
+		{ "([\?\?\?\?|||||||||||(\?{||(\?=||||||||-}[))Ehhhhhhhhhhhhh{,"
+		  "202}&TcfL((\?:>)((\?!\?>$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$8[:"
+		  "alpha:]\\d])]C[:graph:]h*,\"\?u{|mU,a)[:blankcntrl:][:"
+		  "lowerp(\?>rint:])PPnP+9.[:xdigit:]*PPjjjjjjjjjj~y<#*scf_\"^"
+		  "e[:xdig(\?(i)t(:])~$y)^){-131,77}^L%",
+		  1, 0 },
+		{ "[^[(((\?>)$}h9$B5+yhU/"
+		  "Nqh$YYYYYYYYYYYYYYYYYYYYYShK)3WHw1vMMMMMMMMMMMMM(\?="
+		  "MMMMMMMMMMMM[:alnum:]/"
+		  ")dddddddddddd(dddddd\"e5zLW)+![:space:]+BHGHfAS]"
+		  "\?IIIIIIIIIIIIIIII*&&&&&&&&&&&&&&&&&&)NNvwDteepjdm<<<<<<<<<<"
+		  "<<<<<<<<<<<<<<<<<<<<${61,219}D][:digit:]0",
+		  -1, 0 },
+		{ "[:punct:][{177,(\?=234}]ix9*)", 0, 0 },
+		{ "([^K{,3(\?<=4}]I)\?U)", 1, 0 },
+		{ "[([^[[[^([([^[^(\?=])X", 0, 0 },
+		{ "[:blankcntrl:(])qd_R\?{\?r[=\"[^[^6]vX8)a+{C%H84CK6Uy#E]sE{"
+		  "208}",
+		  0, 0 },
+		{ "PPPPPPPPPPPPPPPPPPPPPPPPPPnnnnnnnnnn()[:upperword:]us", 1,
+		  0 },
+		{ "x{,46}[:graph:]LU{}CU)", 0, 0 },
+		{ "()-t|[^W{}][:lo[^werprint:]{}]\?b5", 1, 0 },
+		{ "()x5A", 1, 0 },
+		{ "[([^]-217)]s{-47,135}0000000000000000000000000000000{,-108}",
+		  0, 0 },
+		{ "[^((\?{[^L\?u]})f", 0, 0 },
+		{ "()[[^^(\?{y(\?=VF_(\?<=]D}))]-= {46,})^5bIEQ{,-96}Z", 1, 0 },
+		{ "([^{}f[:punct:]\"X%%%%%%%%%%%%%%%%%%%%]5{-194}A[:punct:]"
+		  "mnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn+AAAAAAAAAA-)",
+		  1, 0 },
+		{ "(CCCCCCCCCCCCCCCCCCCC{-230}352{-182,-68}O4{})", 1, 0 },
+		{ "([^[^\?[:space:]$TTTTTTTTTTTTLLLLL[^LLLLLLLLLL[^({}{4,-179}]"
+		  "]J] C]){}C{}{-224,})QQQQQQQQQQQQQQQQQ^",
+		  1, 0 },
+		{ "([[:alnum:]].){-155,-82}dzI{55,}^", 1, 0 },
+		{ "([[:alnum:](\?#{88,-178})[:graph:]NC\"pI[:punct:]rmWd5y^p+"
+		  "gUP]YYYYYYYYYYYYYYYYYYYY~{,-62}{,200}{-109}{}+"
+		  "333333333333333333333333333333{}p)^.hhhhhhhhhhhhhhh",
+		  1, 0 },
+		{ "[000000(\?mmsx:00000000000000000000000)M]]]]2*`[^]QQQQQQQQ("
+		  "\?<=QQQQQQQQQQQQQQQQQQQQQQQ])\"<h\?",
+		  0, 0 },
+		{ "[^((<g(\?>5j[bbbbbbb(\?{bb)o{}3(\?imxisx:E]g})YYYYY[:"
+		  "blankcntr(\?#l:].(()w264[:ascii:]^)[:ascii:]G)&(n "
+		  "{^PGn[:xdigit:])nv_e|]{-103,30}",
+		  3, 0 },
+		{ "[^(([(\?!{}@[^HCO[[^^D[|]{,-49}][:xdigit:]]c`4[:ascii(\?<!:]"
+		  ")$66666666666)*)]PP$Z[:alpha:]{,-235}UK],(aT/"
+		  "+6rbMqs60EloA)[:g(\?isx:raph:]!)]z$o{-24,}x1E[:blankcntrl:]"
+		  "ZDFvk",
+		  1, 0 },
+		{ "[:blank(\?=cntrl:]US@.!\"[:digit:]*E)$16182", 0, 0 },
+		{ "[-{}x{3772[}][:(\?<=xdigit:][:u(\?#pperword:].W)aD)<pfN<b=C|"
+		  "-{-38}EZdOP|!>ggggggggggggggg\\\\\\\\\\\\\\\\\\\\\\\\\\Ef[:"
+		  "space:]\?][:ascii:]{21,}",
+		  0, 0 },
+		{ "([:xdigit:]W[:u(pperword(\?::]jS "
+		  "[:upperword:]*)[:alpha:]nnnnnnnnnnn))-148}SSu",
+		  1, 0 },
+		{ "([^(\?!\?)[(:upperword:])Bx^x$~lCr6*)6", 1, 0 },
+		{ "[{,-78}Y[:xdigit:][^s(\?>]P[:space:])]YYYYYYYYY[:punct:][:"
+		  "alnum:][:blankcntrl:]",
+		  0, 0 },
+		{ "([MMMMMM(\?(MMM)M(\?<=MMMMMMMMMMMMMMM[^M)]en][:punct:]-[:"
+		  "alpha:]))Nr[:space:]",
+		  1, 0 },
+		{ "~=1([^(\?=(\?:l){}])j{-44}{-18}[^u[:graph:]]{-187,}[:xdigit:"
+		  "]w[:alpha:])",
+		  1, 0 },
+		{ "[ccccc(\?>c(\?{cccc[ccccwetoCei+)w&-+{,-142}[:alpha:]"
+		  "PP66io4(|zkA=],,,,,,,,,,,,,,,,,,,,,Lx5Cx{d2bb}]{188}U~~~~~~~"
+		  "~~~~~~~~~~~~~~~~})",
+		  0, 0 },
+		{ "Q|0\"[:d(\?:igit:]^{,-174})", 0, 0 },
+		{ "[^[(\?>rh])]", 0, 0 },
+		{ "[ees{{{{{{{{{{{{{{{{{bbbbbbb4`ml******(\?=****+])", 0, 0 },
+		{ "((hdG[((\?<=:dig(it:])[^[:alpha:]$(\?sxi:)x{11390}[(\?{:"
+		  "upperword:]~)i 8[:blankcn[trl:(])]+{,-183}Zqp",
+		  2, 0 },
+		{ "Dd{D8`+DW={-[53,1(\?<=71}])", 0, 0 },
+		{ "[:(\?(alpha:][:punct:])", 0, 0 },
+		{ ".LLLLLLLLLLLLLLLLLLLLLLLLLLLL{}pP[:punct:]x0CZ{30,}!!!(!!!!!"
+		  "!!!!!!!!!!!!!!!!!!!!==@77.%[:graph:]D)",
+		  1, 0 },
+		{ "[^[^[[r(\?#]){-237,}RRRRRRRRRRRRRRRRRRRRRRRR[^Rll(\?!(\?{"
+		  "lllll]",
+		  0, 0 },
+		{ "()*ooooooooooooooooooooyyyyyyyyyyyyyyy", 1, 0 },
+		{ "{,4(}D)JJJJJJJJJJJJJJJJJJJJJJJJJ", 1, 0 },
+		{ "((b.D{}[:al[pha:]{64}]{})==========================[:alnum:]"
+		  "h>77b)!Ab",
+		  2, 0 },
+		{ "([^[^[^oooooooooooooooooooooo][:space:][:punct:]PeniKe*~$"
+		  "g\?${>[:lowerprint:]w))))))))))))))){}yyyyyyyyyyyyyyyyyy]pP."
+		  "|QhZ]{,190})sssssssssssssr+=[:blankcntrl:]"
+		  "WWWWWWWWWWWWWWWWWWWWW",
+		  1, 0 },
+		{ "([*(\?{})hhhhhhhhhhhhhhhh]G{,-170}QdErrrrrrrc-"
+		  "jjjjjjjjjjjjjjjjjjjjn+{-130,-10})PpDS@Bee",
+		  1, 0 },
+		{ "([:b(\?=lankcntrl:]))T[:alnum:]{-224}ywt", 1, 0 },
+		{ "([633(\?<=333(\?<=3333333333(333333)^\?]aGA)[:digi(\?>(\?{t:"
+		  "])$[[:space:][:xdigit:])|8T\?',_{171}{}{113}b\?5kAv0/"
+		  "7{})`huh>xM]C8pYRz]s$Eu08)",
+		  1, 0 },
+		{ "-(pP)[:alnum:]$^", 1, 0 },
+		{ "[^x(\?{{17681}]P*)U(_t/8E_\"iN})3333333", 1, 0 },
+		{ "(([^([[r(\?=[[^^*kx$][:alpha:]:::[:::::[^[^::::::::((\?{\?{:"
+		  ":]).^p[:space:]}){52}{}]W{}fn",
+		  2, 0 },
+		{ "[:(\?>punct:]Ef[:xdigit:]x{c07b}{-50}Z{129,}YL1T`\\A)x[:"
+		  "punc(\?=t:]e[:xdigit:]2c6E46Y)+n               ",
+		  0, 0 },
+		{ "[^(\?!{,-79}[:punct:]'|}>,)][:blankcntrl:]{-118,-231}{-119,-"
+		  "50}:XXXXXXXXXXXXXXXXX-~{}$txlB)3KFL",
+		  0, 0 },
+		{ "[^(([^fccccccccccccccccccc(\?<!ccccgQeKMfKzz]X$$$$$$$$$$$$$$"
+		  "$$$$$$$$$$$$$$$$$[:l(\?<=(\?<=owerprint:]))s{-97}{}))EUi${,-"
+		  "132}'{79}---------{,-93}77777777777777777[:lowerprint:].:H)["
+		  ":punct:]nnnnnncP\?s1:dGed{186}N@pppppppppppppppppppppP{-212,"
+		  "-110}[:space:][:lowerprint:]$S}7{-112,164}-*.{-184,}"
+		  "OOOOOOOOOO]f\?",
+		  0, 0 },
+		{ "(([\?#(\?>)])qcU$Q7|82\?{})", 2, 0 },
+		{ "[^yyyyyyyyyyyyyyyyyyyy(\?#yyyyyyyyyyya][:ascii:]\?)", 0, 0 },
+		{ "(([((\?{)EEEE(\?<!EEEEE(\?:EEEEEE~)}){244,}"
+		  "QQQQQQQQQQQQQQQQQQQ(\?>QQQQQQ(\?!QQQQQ][:digit:]\?))"
+		  "99999999999999)[:digit:][:upperword:]b))PP{}{}",
+		  2, 0 },
+		{ "(K(c=B))", 2, 0 },
+		{ "(G`*s\?b[:g(raph:]))", 1, 0 },
+		{ "[^[([[[*QQQQQQQQQQQQQQQQ(\?=(\?=QQQQQQ(\?<!"
+		  "QQQQQQQQZddddddddd((\?{\?>ddddddddddc{22,}iiiiiiiii("
+		  "iiiiiiiiiiiiiii(\?#iiiiiii[^i))\?\?\?\?\?\?]WWW)[:"
+		  "lowerprint:])]{-60,202}+[:upperword:]f[:xdigit:][:alnum:]{,-"
+		  "214})1~~~~~~~MMMMMMMMMMMMMMMMMM.",
+		  0, 0 },
+		{ "({-102,})A.", 1, 0 },
+		{ "[((((\?<!(\?[^>(\?#\?()))p\"JD.{}(\?>)))((\?{l(\?<=).'053][:"
+		  "xdigit:]N+)})]WWWW%[:asc(\?{ii:]}))B[:alnum:]X){}s[:digit:]",
+		  0, 0 },
+		{ "x7&{139}WWWWWWWWWWWWWW[:blankcntr[^(\?<!l:]-71]\"{-167}cqkI)"
+		  "[:dig[^it:]{}{}[:digit:]*[:punct:]-[l11111111111111111(\?("
+		  "111111111{175,-216}~[:alnum:]`+X1F)vCpWSp(\?>~[^n@f`````````"
+		  "````)````````P])Y,N{}{}]{}pXF@)",
+		  0, 0 },
+		{ "G[([(\?(^)$])P]^[:alnum:]){,-48}[:blankcntrl:]{}", 0, 0 },
+		{ "[[^[^f(\?=f(\?<=fffffff[^fffffffff[^fffffffff(\?<=fff]){-"
+		  "194,150}fx{e5a4}V",
+		  0, 0 },
+		{ "9[:xdigit(\?{:]})", 0, 0 },
+		{ "[^([[(\?>()$xxxxxxxxxxxxxx[xxxxxxxxxxxxxxxx((\?=aA)s13]])pp["
+		  "(\?>pppppppppppppppp|{}){20,}]b)]{-179,183}{-204,}[:ascii:])"
+		  "]-11111111{}{,132}qooooooooooooooooooo{}${}|9t",
+		  0, 0 },
+		{ "([^[{}]\"[^6]*-{,-106}{}u]BR~8WG,U-)[:blankcntrl:]", 1, 0 },
+		{ "[''''''''(''''''''''z])c", 0, 0 },
+		{ "[^[(\?>])[:alnum:]r[:alnum:]+{,215}D]", 0, 0 },
+		{ "([({,127}7Qr(\?:z)pPNev%}(\?msximsx:4(\?<!){}&.D5555(\?<="
+		  "55555555555555555555i$[:xdigit:]){,-157}[:graph:]U[:punct:]"
+		  "nn(\?=nnnnnnnnnnnn(\?>nn(\?:nnnnnnnn_U{}]E)):^"
+		  "oooooooooooooooooooooooooooo)",
+		  1, 0 },
+		{ "[^(\?#)(\?<!k2z]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]BW[:alnum:][:"
+		  "graph:]{157}Y]s$C)[:graph:]{,-189}",
+		  0, 0 },
+		{ "$+CCCCCCCCC[^CCCCCC(\?<=Ca=]r{-81}[:alpha:][:alpha:])E=", -1,
+		  0 },
+		{ "[(((\?=\?{([^(\?<=)])>!(([:alnum:]{252}{}})ffffffffffffl){}"
+		  "A2r\?~ImE\"[:punct:]){}[:digit:]",
+		  2, 0 },
+		{ "([:blank[cntrl:]].t^P)", 1, 0 },
+		{ "[^[(\?:X])|rrrrrrrrrrrrrrrrrrrrrrrrrr*P]Q", 0, 0 },
+		{ "[[[^(\?{((\?<!))s})(\?<!A){14}(\?:L*+TTTTTTT]U{[^-12([\?!,}"
+		  "\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?)Y`Y)L]|]]|"
+		  "]",
+		  0, 0 },
+		{ "hkXzf',]yP$+[:u(pperword:])", -1, 0 },
+		{ "(#[:blankcnt(\?iximsx:rl:])$QQQQQQ{}[:digit:])\?A", 1, 0 },
+		{ "(B{-34,})*{,106}", 1, 0 },
+		{ "[(\?{:graph:]})", 0, 0 },
+		{ "((){}{,63}[:punct:]^t[:space:])^17737", 2, 0 },
+		{ "([^[SSSSSSSSS[SSSSSSSSSSSSSSS[([[[{38,}]Jn][:alpha:]])])$'",
+		  1, 0 },
+		{ "[^({}{95})B{1(\?>15}]x{f779}ZZ,Wo)O[:alpha:][:lowerprint:]{"
+		  "81,228}Q[:upperword:]",
+		  0, 0 },
+		{ "[[^[^()n[[[[[[[[[[[[^[[[[[[[[[[(\?: G)(\?{K![^m) "
+		  "j(\?:C|((\?:n*Xlaa908:n$m,))[:xdigit:]x(\?{{1a5cd}"
+		  "pppppppppppppp(\?(pppp)p(pQ)))"
+		  "ddddddddddddddddddddddddddddddd]q[:alnum:(\?{]Ga})\?})@[:"
+		  "lowerprint:]{,169}[:blankcntrl:][:graph:]]n{-76,}|U\"{,-54}"
+		  "t]I{}{-64,-232}]\?].\?{-111,227}) "
+		  "@hFp\?j=H$Wbu<{,209}De{,145}{206}-})[:blankcntrl:]",
+		  0, 0 },
+		{ "[^[^(LLLLLLLLLLLLLL[^L[L[:alpha:]3{,189}(\?#(\?>n){}^"
+		  "EXXXXXXXXXXXXXXXXXXXXXXXXX]c*)^r=$WWWWWWWWWWWWW",
+		  0, 0 },
+		{ ")w###################", 0, 0 },
+		{ "{,121}[:d(\?(i)git:])E\?[:punct:]LLLLLLLLL[:ascii:]+", 0,
+		  0 },
+		{ "([]]]]]]]]]]]]][:space:]Jrt3o.]b)pwwwwwwwwwwwQfm~", 1, 0 },
+		{ "[+-{,-120}*(\?!()t*(\?(\?{>G)F)yd]V{}f<\?}){245}"
+		  "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx[:upperword:]",
+		  0, 0 },
+		{ "(DDDDDDDDDDDDDDDDDDDDDDDDDDDDDc[:space:][:pu[^nct:]{-11,12}["
+		  ":ascii:][:alpha:]{,155}P])",
+		  1, 0 },
+		{ "()ggggggg{-136,-21}", 1, 0 },
+		{ "([^((\?<=U\?)(\?=^^^^^^^^^^^[^^^^^^^^^^^^^///(\?#//[////////"
+		  "////////////"
+		  "(\?()#######b+]$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$^[:digit:])"
+		  "\\U]Q8@}4d)\\U",
+		  1, 0 },
+		{ "A[:graph(\?::])-mo=U[:upperword:]"
+		  "ttttttttttttttttttttttttttt",
+		  0, 0 },
+		{ "[^(((\?=\?im-m(sx:)c~~[^~~~~~~~~~~~~~(\?>~~~~~~~~~~~~~"
+		  "SSSSSSSSSSSSSSSSSSSS]{51,}[:digit:]{,-179}N))kk["
+		  "kkkkkkkkkkkkkkg$)[(\?::punct:]zWl)]|)*",
+		  0, 0 },
+		{ "[((\?=()+A)][:graph:]x0B)[:graph:]", 0, 0 },
+		{ "(nR%B[:blankcntrl:]C=|en-[:digit:]n[:graph:]HHHH[HH]D\?%[:"
+		  "digit:]MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM.z(oF9zW8A7cfff(f))-["
+		  ":blankcntrl:][:blankcntrl:]A[:digit:])D{,-243}",
+		  3, 0 },
+		{ "([[()]]{,-251(})\?L)uw@", 2, 0 },
+		{ "\"|{(,-144})A.ooooooooo(ooooooFFFFFFFFFFFFF\?)n{,-18}", 2,
+		  0 },
+		{ "([^([(([[^([000000[0(0(\?!0(\?=0000000])45|E]", 1, 0 },
+		{ "[B[[[[[[[[[[[|{}*oKqv%(\?<=wsQ{1pMeK1^6%nLNqi<@ge][:punct:]="
+		  " M@* "
+		  "D|NwL\\-"
+		  "117\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"~"
+		  "Qnd]h.O\"01x:[:alpha:]^){}D}\"",
+		  0, 0 },
+		{ "([[RRRRRRRRRRRRRRRRRRRRRRRRRRRRxpSrx{7d79}*oJ2`Ft{n1,3g:1H@"
+		  "bT$D "
+		  "&[n/"
+		  "Cg)=ld@Ir{Fk>*4*`(\?>````````````````````(\?:`````.........."
+		  "...........]]{,246})7 \"F4[^F|/g)]+e`rw@{,-69}H)",
+		  1, 0 },
+		{ "([(\?<=)X[:digit:]PP.[(\?#:((\?#\?#graph:])[:digit:][Q+)(N]["
+		  ":alpha:]]f)[:graph:])+Elllllllllllllllll[:digit:]=)pP{uU-"
+		  "20bzY|ZKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKt<c",
+		  1, 0 },
+		{ "[^(([^$(\?:(\?#w)[(\?::punct:]]d{-149,}[:ascii:])[:"
+		  "blankcntrl:]@@@@@[@@@@@@@@@@@@@@[:graph:][:xdigit:]O[:alpha:"
+		  "]2$-[:graph:])[:lowerprint:]-\?#S[:blankcntrl:][:alnum:]){-"
+		  "77,}]d[:digit:]N5v+Sqqqqqqq^% "
+		  "-I4]*.)^[:alnum:]"
+		  "JDfjMRU7ttttttttttttjjjjjjjjjjjjjjjjjjjjjjCCCCCCCCCCCCCCCCCC"
+		  "CD{,21}{0,67}[:graph:]{,208}B",
+		  -1, 0 },
+		{ "(%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%[:ascii:])i{}[:lowerprint:]"
+		  "epxxxxxxxxxxxxxx[:lowerprint:]r-",
+		  1, 0 },
+		{ "([(^w(\?!)()])-s", 1, 0 },
+		{ "[aIIIIIIIIIIIII(\?imsxims(\?=x:IIIIIIIm^NXXXXX(\?!("
+		  "\?isximsx:XXXXXXXXXXXXXS0]F)z))+"
+		  "rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr{,-237})"
+		  "ZZZZZZZZZZZZZZZZZZZZZZ",
+		  0, 0 },
+		{ "(Z)[:alpha:]", 1, 0 },
+		{ "U#Z(=)", 1, 0 },
+		{ "([:lowerprint:][:punct:])1cVb*[:xdigit:]&&&&&&&&&&&&&&&&&&&&"
+		  "&&&&O",
+		  1, 0 },
+		{ "()~K`3/[^*h[]G6[:upperw(\?()ord:]w)[:punct:]]{}", 1, 0 },
+		{ "[[[]V[:digit(\?>:])|l*KKKKKKKKKKKKKKKKK,,,,,,,[,,,s.{148,}"
+		  "P33333][:lo(\?<!werprin(\?!t:]ZZZZZZZZZZZZZZZZZZZZZZZ]{,-"
+		  "229}{-160,}){,-211}XPPP].{}z[:alnum:][:alpha:(\?=]t{166,}"
+		  "uuuuu6]i*p(m))[:space:]E|S",
+		  1, 0 },
+		{ "[^(h(\?(\?({#2})(\?(\?#>Q){,57}%[:digit:]"
+		  "\?\?\?\?\?\?\?\?\?\?.[)]]d{)-49,}f)^O{,68})\?C",
+		  0, 0 },
+		{ "(}u])18621", 1, 0 },
+		{ "[:as(\?=cii:][^(\?=)(S-{.F-[:punct:]3-105^[:lowerprint:]"
+		  "111111111111111111111111---)][:alnum:][:ascii:]JJJJJwHSk",
+		  -1, 0 },
+		{ "[^3>>>>>>-sZ^^^^(\?>]Y[:di(\?(\?imxim:#git:]{-158,-102}[:"
+		  "punct:]{}{87,})))[:upperword:]",
+		  0, 0 },
+		{ "[(\?<!^r]$W){}*[:alpha:].[:digit:]", 0, 0 },
+		{ "[:ascii(\?::[^])X]-", 0, 0 },
+		{ "[([^]Z)[:upperword:]N{}*[:graph:]*^", 0, 0 },
+		{ "([[(\?#^[(:graph:]]){205,}[:gr(aph:]T%]^"
+		  "MMMMMMMMMMMMMMMMMMMM){) <v\\[:digit:])",
+		  1, 0 },
+		{ "[^Y.h~b(\?<=~P{(\?=169,65}\?[^\?\?\?\?\?\?\?\?\?["
+		  "\?\?\?\?\?\?\?\?\?K\"s`[yT7oP[:alpha:]{})]zrrrrrrrrrrrrrr)]"
+		  "KKKKKKKKKKKKKKK[:digit:]S][:lowerprint:][:digit:]",
+		  0, 0 },
+		{ "(s)", 1, 0 },
+		{ "[u(\?!uuuuuuuuuuuuuuuuuuuu[:digit:]{,48}[:graph:]WL[:alnum:]"
+		  "]v=_)VN>{AjBBBBBBBBBBBBBBBBBBBBBBB[:upperword:]`'W)",
+		  0, 0 },
+		{ "[^([[()DN1[^][|]\?]{-104,}])[:space:]][:lowerprint:]r[:"
+		  "alpha:].DU",
+		  0, 0 },
+		{ "[^((33333333333333333333333(\?<=3333333D))"
+		  "kkkkkkkkkkkkkkkkkkkkkkk[k[:alpha:]])]X+",
+		  0, 0 },
+		{ "[({,-17})[@e{220,(\?#41}])]]{-213,-225}", 0, 0 },
+		{ "[[^(\?#[(\?:^[[(\?(^]))]])]vvvvvvvvvvvvvvvvvvvvv{,96}|m]{-"
+		  "79,248}[:alpha:])",
+		  0, 0 },
+		{ "([[(\?imsisx:^}$,-[:al(\?>num:]Xqqqqqqqqqqqq{-185,154}]b#+T)"
+		  "{-241,})A{-27}[(\?<!:lowerprint:]X)[:punct:]ME-]+"
+		  "BBBBBBBBBBBBBBBBa|{-40}M8mhgD 0HU]{16})",
+		  -1, 0 },
+		{ "[^(\?>([\?()(\?#))]--R1rk^UnP.[(\?!:digit:]])^)[:upperword:]"
+		  "{}0000000000000000000000000000000~U{-139,-19}z<L-228",
+		  0, 0 },
+		{ "()-:=3uE$[:alnum:]bP%{-210,}", 1, 0 },
+		{ "(U)7777]]]]]]]]]]]]]]]]]]]]]]]]]]]]]c::AA[:alpha:]{,3}f1{"
+		  "NzH@3lTf{}{",
+		  1, 0 },
+		{ "[C{(\?>})RR(\?=R<]p'N~&.-})6]", 0, 0 },
+		{ "[^\?[^(\?(lFt]).[^7Q-])kkkkkkkkkkkk]XTFy\"1Deiv!,'xVK", 0,
+		  0 },
+		{ "[^$[^[:xdigit:](\?{*{245,99}h8v(\?!)]]u)Z[:punct:]})[:alnum:"
+		  "]+|[:blankcntrl:]u{}[:lowerprint:]+bBJ4+k-v{-116}",
+		  0, 0 },
+		{ "S)f{,180}[:graph:]&{12,244}", 0, 0 },
+		{ "(([[(.()[^^{80(\?>(\?<=,235})ddddddddd[^ddddddddd(\?<=d.__B{"
+		  "36}````````````````(\?:```(\?>```````,,,,,,,(\?:,,)P$U,[:"
+		  "xdigit:])zzzzzzzzzzzzz]UUUU[uB]n<&[(:ascii:].][:alnum:])\?S]"
+		  "{})d{138,}s9========[:lowerprint:]]OOOOOOOOOOOOOOO|"
+		  "yyyyyyyyyyyyyyy$LZ[:lowerprint:]EEEEEEE[:ascii:][:punct:]"
+		  "VpP^{-48}D){,46}x))2P))a[:lowerprint:]r",
+		  2, 0 },
+		{ "[^(((\?<!):())PPPPPPPPPPPPPPP(\?=[PPPPPPP(\?{PPPPPPPP$)})"
+		  "77777777777777777]{,-57}::::::::::::(::::::::::::::::)]g{89}"
+		  "__________________[:xdigit:]l[:punct:])N",
+		  1, 0 },
+		{ ":02-k\?p3I7aEhJ\\265-[:space:]pP[:space:]x0F[:alnum:]aM4[:"
+		  "lowerprint:]sA@@@@@@@@@@@@@@@@@@@@@@@@@@@@",
+		  -1, 1 },
+		{ "a[:upper(\?{word:]})X{-173,}-2F[:lowerprint:]", 0, 0 },
+		{ "u,w<g*Q002S{,130}{239}[:lower(print:]cr{-165,}#$k<L/"
+		  "&)[:blankcntrl:]aaaaaaaaaaaaaaaaaaaaaa[:ascii:]",
+		  0, 0 },
+		{ "(xFA^{-161,93})U[:xdigit:]", 1, 0 },
+		{ "[^(\?=]{})mE`", 0, 0 },
+		{ "[[((\?(\?#:alnum:]])x6CS[:digit:]{-197,}.)N", 0, 0 },
+		{ "[^(\?![])C*[:upp(erword:])-176]", 0, 0 },
+		{ "[[^[[^[55555555555555555555555555(\?>555(\?<!555)S][]]A[:l("
+		  "\?>owerp(rint:]])]*",
+		  0, 0 },
+		{ "Au)khgzAfXIZoZ=g[:digit:]){,186}Upvf=x<]Tbd5Rq\?.", 0, 0 },
+		{ "b{-176,}B^[:bla(\?(<!nkcntrl:]{-6,133}#B "
+		  ":)<<<<<<<<<<<<<<<<<<<)[:alnum:]$}}}}}}}}}}}}}}}}}}}}}}}[:"
+		  "xdigit:]tw",
+		  0, 0 },
+		{ "(4IIIII(IIIIIIIIIIIIIIIII{})W{-152,-238}){,-56}^{-142,}", 2,
+		  0 },
+		{ "[^([[(\?(\?(!)>>>>>>>>>>>>>(>>>>>>>>D)Ix{(1(\?imxmsx:762)c})"
+		  ")A)[[[[[[[[[[[[[[5Rp]DDDDDDDDDDDDDDDDDDDD]Us+\\w[:digit:]{-"
+		  "47}[:xdigit:][:blankcntrl:])ddddddddddddddd[^ddddddddddddd[:"
+		  "digit:]|]]*{-165,-230}{-212}{53,}]\?",
+		  0, 0 },
+		{ "[^[^]]|[:(\?:alnum:])}}}}}}}}}}}}}}}}}}}}", 0, 0 },
+		{ "VVVVVVVVVVVVVVVVVVVVVVVVVVVV[:d(i(\?#git:])){{{{{{[:digit:]"
+		  "ZfQ55555555{}Z",
+		  0, 0 },
+		{ "[L][:blankcnt(\?((\?=rl:(\?=]){-35,[^}){)eJb>>>>>>>>>>>>>>>>"
+		  ">>>>>>$ [:xdigit:]l0Tv2Tw2@C[:space:]Zc/{*)>]N3j~.dMBBBB",
+		  0, 0 },
+		{ "[[^(\?>(([]))])[:graph:]]{65,}as#Q:lQ", 0, 0 },
+		{ "[^[fPPUUUUUUUUUUU(\?#UUU[^UUUUUU(\?<="
+		  "UUUUUUUUUGGGGGGGGGGGGGGGGGGG((\?{\?=GGGGGG.MK))+]+)&UxFW)"
+		  "rwv\?@D.",
+		  0, 0 },
+		{ "{-(60,})m", 1, 0 },
+		{ "b[(])^w", 0, 0 },
+		{ "[][^qVs(\?:(p])X)\?'", 0, 0 },
+		{ "()8", 1, 0 },
+		{ "(t[:punc[^t:(\?{][:blankcntrl:])})[^8\?]z*]", 1, 0 },
+		{ "[:lowerprint:])[:graph:]lppppppppppppppppppppppppppppf", 0,
+		  0 },
+		{ "[:alph(a:])[:ascii:]g +z-Bc-U{,%Gk", 0, 0 },
+		{ "u[:graph:(\?=]*)W:::", 0, 0 },
+		{ "([:alnum(:])l)", 1, 0 },
+		{ "[[[}}}}}}}}(\?<!}}}}}}}+(\?{),,,,,,,,,,,,,,(\?!,,,,,,,,]"
+		  "99999999999&R[:ascii:]ZZZZ-{-10,}{96}Ed*][:graph:])]}){}{}G{"
+		  "-9,}",
+		  0, 0 },
+		{ "([^[{}]]Z[[^:graph:]{-47}55555555555555555555555555555[:"
+		  "ascii:]s]6,$:3qAew1Y)+)[:punct:]",
+		  1, 0 },
+		{ "[[[[[([[[[[[[[[[[[[[[[[[[[[[[[8!1i]')", 0, 0 },
+		{ "([((\?(\?#>)(\?{,)At]%M9FSq5)EB", 1, 0 },
+		{ "(}````````````````(``{210,})[:(\?#space:]P[:digit:])PP.{-"
+		  "227,}$pK~mm ImR|{,51}[:alnum:]<)[:alpha:]",
+		  2, 0 },
+		{ "[^(\?<=])[:digit:]", 0, 0 },
+		{ "[^'''''''{(\?:178,}e{,16}$QQQQQQQQQQQQQQQQQQQQQQQ$])", 0,
+		  0 },
+		{ "[^(\?>@K*)(\?#d18]{78,}B)[:digit:]{-193,}=wg{,59}", 0, 0 },
+		{ "[^.{156,}!(\?<=!!!!!!!!!!!!!!(\?{!(\?(!!!!!!!!!!!!!)})"
+		  "TTTTTTTTTTTTTTTTTTTTTTTTTTTTT[^}}}}}}}}}}}})}}}}}}}}}}}}}]])"
+		  "{}^L#%-{}FC",
+		  0, 0 },
+		{ "(eeeee{-169,-100}-fa[:upperword:]N)$Nellllllllllllll", 1,
+		  0 },
+		{ "[[(\?!())\?[(\?!:alnum:]e{,28}M])[:punct:]"
+		  "CCCCCCCCCCCCCCCCCCCC]{-150,}{-167}",
+		  0, 0 },
+		{ "[[@[@(\?#@[@]P]Z{')]{-186,117}]+)7f-", 0, 0 },
+		{ "\\Q+kD}]AEM)u ", 0, 0 },
+		{ "([(\?{(\?=:::::::::::::&){,210}]^})P{-31,}8[:space:]C[:"
+		  "alnum:][:a(scii:]z|[:upperword:])[:alnum:][:graph:])zr~Zk",
+		  1, 0 },
+		{ ".[:space:]e[:g(\?{(\?{raph:]})})@@@@@@@@@@@@@wb|~k", 0, 0 },
+		{ "()ooooooooo\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"[:graph:]", 1,
+		  0 },
+		{ "[^64h(\?(@Eyw][:xdi[git:]pP%%%%%u(uuu[:up[perword:]`8Utdh{)}"
+		  "]]))lW[:punct:]W.hhhhhhhhhhhhhhhhhhhhhhhh'm<<}O8`ZXtG.$",
+		  1, 0 },
+		{ "BPP[:digit:]bbbbbbbbbbb(bb)S+[:alnum:]", 1, 0 },
+		{ "um.[:ascii((\?#\?!:])*)+KKKKKKKKKKKKKKKKKKKKKKKKKS.=<Bf", 0,
+		  0 },
+		{ "", -1, 0 },
+		{ "(()$[:lowerprint:][:s[pace:]2]bbbbbbbbbyoooooooooooooooooo*{"
+		  "39,}$')qV`AcH>,eDl",
+		  -1, 0 },
+		{ "(()[^])e{-241,}", -1, 0 },
+		{ "()[:alpha:]rliiiiiiii[:alnum:]Mb*QW9N.>\?{115,}&u*j", -1,
+		  0 },
+		{ "()[]p", -1, 0 },
+		{ "(I[^]pfL)$[:punct:]", -1, 0 },
+		{ "([])>>>>>>>>>>[:alnum:]", -1, 0 },
+		{ "([])O\\\\\\\\\\\\\\fffffffffffffffffffffff=s6jCZy/"
+		  "b+ir2'*{151,}",
+		  -1, 0 },
+		{ "([])nnnnnnnnnnnnnnnnnnnnnnnnnn[:xdigit:]^N$f", -1, 0 },
+		{ "([]M)[:lowerprint:]a(pg$Z[:punct:])77777777777.", -1, 0 },
+		{ "([]XXXXXXXXXXXXXXXXXXXXXX-===========)", -1, 0 },
+		{ "([]lkX{-224}[:blankcntrl:]$gPKIZlSC#F@XX "
+		  "I'^}{234}yZm)uuuuuuuuuuuuuuuuuuuuuurS",
+		  -1, 0 },
+		{ "([^0kYkg9])IIIIIIIIIIIIIIIIIIIIII/"
+		  "{(192,-118}l+FoSD6\?A)c[:xdigit:]`````````````````e-{-4,-"
+		  "170}x{4620}Z[:upperword:]",
+		  -1, 0 },
+		{ "([^[^[^()(\?>){}B]XYF+#[:alpha:]{-85((,-55[^}t]n).{,-33}]]("
+		  "bQJ!|O+{175,})RFh)Z+^.{137,}:VpP[:alpha:]-MceqVVkkkk("
+		  "kkkkkkkkkkkkkkkkkk)"
+		  "\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?{-"
+		  "115,-67})``````````````````````````````",
+		  -1, 0 },
+		{ "([^]EzU[:alnum:]+^^^^^^^^^^^^^^^^^^^)[:xdigit:]HHHHHHHH$"
+		  "66666666666666666666666666666666UUUUUUUUUUUUUUUUUUUUL{}iiii{"
+		  "-76}X",
+		  -1, 0 },
+		{ "([^]~~~~~~~~~~{240,})]NOp", -1, 0 },
+		{ "(sb)[:digit:]VVVVVVVVx{9569}52,|]", -1, 0 },
+		{ "(x{19762}){}", -1, 0 },
+		{ "-[:xdigit:][]", -1, 0 },
+		{ "121|", -1, 0 },
+		{ "141[:xdigit:][:lowerprint:]{24}{59,191}[:digit:]/", -1, 0 },
+		{ "G[^],,,,,,,,,,,,,+\"DiX", -1, 0 },
+		{ "Gm(ho9:\"8{-188,-200}Z[:blankcntrl:]{,171}"
+		  "\?\?\?\?\?\?\?\?\?\?\?[:blankcntrl:]LLLLLLLLLLLLLLLLLLLLLLL{"
+		  "}^[:graph:][:blankc(\?#ntrl:])w",
+		  -1, 0 },
+		{ "N\"\"\"\"\"\"\"-------------------------|[:alnum:]"
+		  "AAAAAAAAAAAAAAAAAAAAf\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?",
+		  -1, 0 },
+		{ "U{-30,}^\?\?\?", -1, 0 },
+		{ "W^*04rAY(Ee*>[^o3[]]_)", -1, 0 },
+		{ "X[^]}*C[:alnum:]", -1, 0 },
+		{ "[${,-3}]+^\?[|x8A|][:space:]'''''['''''"
+		  "JJJJJJJJJJJJJJJJJJJJJJJJJJJJJyl}.Y7G]",
+		  -1, 0 },
+		{ "[()&[&&&]\?\?["
+		  "\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?"
+		  "pg%k8ug`Wqk4|NR{h[CK5Ez=]jHpQw&`{:]{,91}D",
+		  -1, 0 },
+		{ "[(\?#(\?:)[)([\?>)(\?>(\?:[:alnum:])]G]{85}[^)w]N]gYrUs|",
+		  -1, 0 },
+		{ "[(\?<=)[:digit:]\?]{152,}VR|", -1, 0 },
+		{ "[****(\?>**********(\?<!*******Q)Vr){[^25,}*:"
+		  "FFFFFFFFFFFFFFFFFFFFFFFF(\?{FFFF(({}D]|",
+		  -1, 0 },
+		{ "[:ascii:]+{124,}:*]\?$-{92}D[:lowerprint:]``````````````````"
+		  "```",
+		  -1, 0 },
+		{ "[:ascii:]\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?A<", -1, 0 },
+		{ "[:blankcntrl:]p\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?$"
+		  "\?TTTTTTTTTTTTTTTTT[:ascii:][:upperword:]",
+		  -1, 0 },
+		{ "[:punct:]{254}DDDDDDDDDDDDDDD@[:alpha:]Z\?\?-----R", -1, 0 },
+		{ "[:upperword:]J\?\?nqCAdfyW5", -1, 0 },
+		{ "[:upperword:]{-39}|", -1, 0 },
+		{ "[:xdigit:]^\?", -1, 0 },
+		{ "[Z*e ]NdmP\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?", -1, 0 },
+		{ "[[:punct:]q]ex{15625}-", -1, 0 },
+		{ "[[[^([^L((\?{b(\?=C\?]-134{,-207}[:ascii:]Hz}XIz}|", -1, 0 },
+		{ "[[^V(\?:(\?<!(\?>))TTTTTTTTTTTTTTTTTTTTTTT)[:punct:][:digit:"
+		  "]]GGGGGGGGGGGGGGGGGGGGG,]|.{-224}{96}{239,}1",
+		  -1, 0 },
+		{ "[[^^PP]{,-222}{182}{141}]zFD}-.", -1, 0 },
+		{ "[] Hn&[:xdigit:][:upperword:]f", -1, 0 },
+		{ "[]$.B", -1, 0 },
+		{ "[]&&&&&&&&&&&&&&&&&&&&&&&", -1, 0 },
+		{ "[]()[:xdigit:]er063{132,140}$", -1, 0 },
+		{ "[]+1434", -1, 0 },
+		{ "[]-", -1, 0 },
+		{ "[]-#yyK", -1, 0 },
+		{ "[]-(S$5)AxbdTKO[:alnum:]", -1, 0 },
+		{ "[]2883", -1, 0 },
+		{ "[]2dhd-[:alpha:]"
+		  "sssssssssssssssss55555555555555555555555555555555Z[:punct:]",
+		  -1, 0 },
+		{ "[]4", -1, 0 },
+		{ "[]44444444444444444G", -1, 0 },
+		{ "[]\?", -1, 0 },
+		{ "[]A", -1, 0 },
+		{ "[]Gap8bc", -1, 0 },
+		{ "[]OOOO", -1, 0 },
+		{ "[]PP", -1, 0 },
+		{ "[]QQ", -1, 0 },
+		{ "[]WaFaGO,o", -1, 0 },
+		{ "[]Z", -1, 0 },
+		{ "[][:alpha:]|[:digit:]Ls$I-Ff~+xA3e", -1, 0 },
+		{ "[][:ascii:]-218", -1, 0 },
+		{ "[][:ascii:]N}}}}}}}}}}}}}}}-{137,}8682", -1, 0 },
+		{ "[][:lowerprint:]Ur", -1, 0 },
+		{ "[][:space:]15097", -1, 0 },
+		{ "[][:xdigit:]", -1, 0 },
+		{ "[]dpSSSSSSSS", -1, 0 },
+		{ "[]e13768", -1, 0 },
+		{ "[]gT", -1, 0 },
+		{ "[]h", -1, 0 },
+		{ "[]n", -1, 0 },
+		{ "[]vvvvvvvvvvvvvvvvvvvvvvvvvv*[:xdigit:]", -1, 0 },
+		{ "[]{,-212}1111111111111111111C3821", -1, 0 },
+		{ "[]{-128,}hc", -1, 0 },
+		{ "[]{-181,}&[:xdigit:].\?}}}}}}}}}}}}}}}}}}}}}}", -1, 0 },
+		{ "[]{}F&}i`7|ZAH", -1, 0 },
+		{ "[^(\?())u{196,}pP][r^ndddddddddddddddddddddd]{31,246}\?J",
+		  -1, 0 },
+		{ "[^.ii.1-S]lwwwwwwwwwwwwwwwwww[^wwwwwwwwwwwwww[:alnum:]DOpP+<"
+		  "N][^]44{179}{-194,56}",
+		  -1, 0 },
+		{ "[^2[:alnum:]]\?t\?\?", -1, 0 },
+		{ "[^[((\?{[^^<<<<(\?(\?<!{)})(\?<!]{,184}{-213}|", -1, 0 },
+		{ "[^[^[]\?{89,}PPsvf{[:space:]]]vd{161,}", -1, 0 },
+		{ "[^[^].]+{0}s", -1, 0 },
+		{ "[^]${}", -1, 0 },
+		{ "[^]([:punct:]),%[:xdigit:]w^0\?{-233}", -1, 0 },
+		{ "[^]-", -1, 0 },
+		{ "[^].^", -1, 0 },
+		{ "[^]6743", -1, 0 },
+		{ "[^]JD", -1, 0 },
+		{ "[^]N=[:upperword:]zzzzzzzzzzzzzzzzz.", -1, 0 },
+		{ "[^]OLz_6", -1, 0 },
+		{ "[^]PP[:digit:]0eBEx=", -1, 0 },
+		{ "[^]SHzuKp", -1, 0 },
+		{ "[^][:upperword:]{111}-TpmXw", -1, 0 },
+		{ "[^]^''''''''z{-73,}", -1, 0 },
+		{ "[^]^{,141}e", -1, 0 },
+		{ "[^]aaaaaaaaaaaaaaaaaaa{-98,43}", -1, 0 },
+		{ "[^]f", -1, 0 },
+		{ "[^]l", -1, 0 },
+		{ "[^]n\"Wt", -1, 0 },
+		{ "[^]pPZ\?q+m0LJ+", -1, 0 },
+		{ "[^]p[:upperword:]L:", -1, 0 },
+		{ "[^]q\?{,-18}-", -1, 0 },
+		{ "[^]s[:space:(\?<=]$", -1, 0 },
+		{ "[^]{,58}t", -1, 0 },
+		{ "[^]{255,}JJJJJJJJJJJJJJJJJJJJJJJJJJ", -1, 0 },
+		{ "[^]{45}", -1, 0 },
+		{ "[^]{W", -1, 0 },
+		{ "[^]{}{-22}", -1, 0 },
+		{ "[^]{}{}{}[:xdigit:]+", -1, 0 },
+		{ "[^]|9{,-108}{}.LVIJJJJJJJJJJJJJJJPP", -1, 0 },
+		{ "[^{,-254}]|", -1, 0 },
+		{ "[o(\?{(\?<=}[))f++++++++++++++++"
+		  "777777777777777777777777yzPPs]"
+		  "\?\?dRRRRRRRRRRRRRRRRRRRRRRRRRRRR&]>%fffffffffff",
+		  -1, 0 },
+		{ "aW|", -1, 0 },
+		{ "cT{}[]C^r2``tm", -1, 0 },
+		{ "kkkkkkkkkkkkkkkkkkkkkkk[:blankcntrl:]|{}3{26,}{151,}[:punct:"
+		  "]JJJlH$gP%(2WUE%%%%%%%%%%%%%%%%%%%%a){ibf{}\?",
+		  -1, 0 },
+		{ "lZ\?\?\?\?\?\?\?\?\?\?\?-P2eZt[:punct:]", -1, 0 },
+		{ "vF3qn[^]N.", -1, 0 },
+		{ "wwwwwwwwwwwwww{-176,}275[^]>."
+		  "UUUUUUUUUUUUUUUUUUUUeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee2$Yd",
+		  -1, 0 },
+		{ "{-197,223}bf]]]]]]]]]]\?&}/s\?\?~c", -1, 0 },
+		{ "{-37,}EpP|", -1, 0 },
+		{ "{}@]a[][:xdigit:]z{a", -1, 0 },
+		{ "}02|", -1, 0 },
+		{ "}}}}}}}}}(}}){}[llll]^N|", -1, 0 },
+	};
+	unsigned int i;
+	int r;
+
+	UNUSED(state);
+
+#ifdef HAVE_REGEX_H
+	/*
+	 * Check if we get the expected response.
+	 */
+	for (i = 0; i < sizeof(tests) / sizeof(*tests); i++) {
+		regex_t preg;
+
+		memset(&preg, 0, sizeof(preg));
+		r = regcomp(&preg, tests[i].expression, REG_EXTENDED);
+		if (((r != 0 && tests[i].expect != -1) ||
+		     (r == 0 && tests[i].expect == -1)) &&
+		    !tests[i].exception)
+		{
+			if (verbose) {
+				print_error("regcomp(%s) -> %s expected %s\n",
+					    tests[i].expression,
+					    r != 0 ? "bad" : "good",
+					    tests[i].expect == -1 ? "bad"
+								  : "good");
+			}
+		} else if (r == 0 &&
+			   preg.re_nsub != (unsigned int)tests[i].expect &&
+			   !tests[i].exception)
+		{
+			if (verbose) {
+				print_error("%s preg.re_nsub %lu expected %d\n",
+					    tests[i].expression,
+					    (unsigned long)preg.re_nsub,
+					    tests[i].expect);
+			}
+			tests[i].expect = preg.re_nsub;
+		}
+		if (r == 0) {
+			regfree(&preg);
+		}
+	}
+#endif /* ifdef HAVE_REGEX_H */
+
+	/*
+	 * Check if we get the expected response.
+	 */
+	for (i = 0; i < sizeof(tests) / sizeof(*tests); i++) {
+		r = isc_regex_validate(tests[i].expression);
+		if (r != tests[i].expect) {
+			print_error("# %s -> %d expected %d\n",
+				    tests[i].expression, r, tests[i].expect);
+		}
+		assert_int_equal(r, tests[i].expect);
+	}
+}
+
+int
+main(int argc, char **argv) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test(regex_validate),
+	};
+	int c;
+
+	while ((c = isc_commandline_parse(argc, argv, "v")) != -1) {
+		switch (c) {
+		case 'v':
+			verbose = true;
+			break;
+		default:
+			break;
+		}
+	}
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/isc/tests/result_test.c b/lib/isc/tests/result_test.c
new file mode 100644
index 0000000..a0f6702
--- /dev/null
+++ b/lib/isc/tests/result_test.c
@@ -0,0 +1,132 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/result.h>
+#include <isc/util.h>
+
+#include <pk11/result.h>
+
+/* convert result to identifier string */
+static void
+isc_result_toid_test(void **state) {
+	const char *id;
+
+	UNUSED(state);
+
+	id = isc_result_toid(ISC_R_SUCCESS);
+	assert_string_equal("ISC_R_SUCCESS", id);
+
+	id = isc_result_toid(ISC_R_FAILURE);
+	assert_string_equal("ISC_R_FAILURE", id);
+}
+
+/* convert result to description string */
+static void
+isc_result_totext_test(void **state) {
+	const char *str;
+
+	UNUSED(state);
+
+	str = isc_result_totext(ISC_R_SUCCESS);
+	assert_string_equal("success", str);
+
+	str = isc_result_totext(ISC_R_FAILURE);
+	assert_string_equal("failure", str);
+}
+
+/* check tables are populated */
+static void
+tables(void **state) {
+	const char *str;
+	isc_result_t result;
+
+	UNUSED(state);
+
+	pk11_result_register();
+
+	for (result = 0; result < ISC_R_NRESULTS; result++) {
+		str = isc_result_toid(result);
+		assert_non_null(str);
+		assert_string_not_equal(str, "(result code text not "
+					     "available)");
+
+		str = isc_result_totext(result);
+		assert_non_null(str);
+		assert_string_not_equal(str, "(result code text not "
+					     "available)");
+	}
+
+	str = isc_result_toid(result);
+	assert_non_null(str);
+	assert_string_equal(str, "(result code text not available)");
+
+	str = isc_result_totext(result);
+	assert_non_null(str);
+	assert_string_equal(str, "(result code text not available)");
+
+	for (result = ISC_RESULTCLASS_PK11;
+	     result < (ISC_RESULTCLASS_PK11 + PK11_R_NRESULTS); result++)
+	{
+		str = isc_result_toid(result);
+		assert_non_null(str);
+		assert_string_not_equal(str, "(result code text not "
+					     "available)");
+
+		str = isc_result_totext(result);
+		assert_non_null(str);
+		assert_string_not_equal(str, "(result code text not "
+					     "available)");
+	}
+
+	str = isc_result_toid(result);
+	assert_non_null(str);
+	assert_string_equal(str, "(result code text not available)");
+
+	str = isc_result_totext(result);
+	assert_non_null(str);
+	assert_string_equal(str, "(result code text not available)");
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test(isc_result_toid_test),
+		cmocka_unit_test(isc_result_totext_test),
+		cmocka_unit_test(tables),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/isc/tests/safe_test.c b/lib/isc/tests/safe_test.c
new file mode 100644
index 0000000..89bd3ba
--- /dev/null
+++ b/lib/isc/tests/safe_test.c
@@ -0,0 +1,107 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* ! \file */
+
+#if HAVE_CMOCKA
+
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/safe.h>
+#include <isc/util.h>
+
+/* test isc_safe_memequal() */
+static void
+isc_safe_memequal_test(void **state) {
+	UNUSED(state);
+
+	assert_true(isc_safe_memequal("test", "test", 4));
+	assert_true(!isc_safe_memequal("test", "tesc", 4));
+	assert_true(
+		isc_safe_memequal("\x00\x00\x00\x00", "\x00\x00\x00\x00", 4));
+	assert_true(
+		!isc_safe_memequal("\x00\x00\x00\x00", "\x00\x00\x00\x01", 4));
+	assert_true(
+		!isc_safe_memequal("\x00\x00\x00\x02", "\x00\x00\x00\x00", 4));
+}
+
+/* test isc_safe_memwipe() */
+static void
+isc_safe_memwipe_test(void **state) {
+	UNUSED(state);
+
+	/* These should pass. */
+	isc_safe_memwipe(NULL, 0);
+	isc_safe_memwipe((void *)-1, 0);
+
+	/*
+	 * isc_safe_memwipe(ptr, size) should function same as
+	 * memset(ptr, 0, size);
+	 */
+	{
+		char buf1[4] = { 1, 2, 3, 4 };
+		char buf2[4] = { 1, 2, 3, 4 };
+
+		isc_safe_memwipe(buf1, sizeof(buf1));
+		memset(buf2, 0, sizeof(buf2));
+
+		assert_int_equal(memcmp(buf1, buf2, sizeof(buf1)), 0);
+	}
+
+	/*
+	 * Boundary test.
+	 */
+	{
+		char buf1[4] = { 1, 2, 3, 4 };
+		char buf2[4] = { 1, 2, 3, 4 };
+
+		/*
+		 * We wipe 3 elements on purpose, keeping the 4th in
+		 * place.
+		 */
+		isc_safe_memwipe(buf1, 3);
+		memset(buf2, 0, 3);
+
+		assert_int_equal(memcmp(buf1, buf2, sizeof(buf1)), 0);
+	}
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test(isc_safe_memequal_test),
+		cmocka_unit_test(isc_safe_memwipe_test),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/isc/tests/siphash_test.c b/lib/isc/tests/siphash_test.c
new file mode 100644
index 0000000..72c7126
--- /dev/null
+++ b/lib/isc/tests/siphash_test.c
@@ -0,0 +1,183 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <sched.h>
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdlib.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/siphash.h>
+
+#include "../siphash.c"
+
+const uint8_t vectors_sip64[64][8] = {
+	{ 0x31, 0x0e, 0x0e, 0xdd, 0x47, 0xdb, 0x6f, 0x72 },
+	{ 0xfd, 0x67, 0xdc, 0x93, 0xc5, 0x39, 0xf8, 0x74 },
+	{ 0x5a, 0x4f, 0xa9, 0xd9, 0x09, 0x80, 0x6c, 0x0d },
+	{ 0x2d, 0x7e, 0xfb, 0xd7, 0x96, 0x66, 0x67, 0x85 },
+	{ 0xb7, 0x87, 0x71, 0x27, 0xe0, 0x94, 0x27, 0xcf },
+	{ 0x8d, 0xa6, 0x99, 0xcd, 0x64, 0x55, 0x76, 0x18 },
+	{ 0xce, 0xe3, 0xfe, 0x58, 0x6e, 0x46, 0xc9, 0xcb },
+	{ 0x37, 0xd1, 0x01, 0x8b, 0xf5, 0x00, 0x02, 0xab },
+	{ 0x62, 0x24, 0x93, 0x9a, 0x79, 0xf5, 0xf5, 0x93 },
+	{ 0xb0, 0xe4, 0xa9, 0x0b, 0xdf, 0x82, 0x00, 0x9e },
+	{ 0xf3, 0xb9, 0xdd, 0x94, 0xc5, 0xbb, 0x5d, 0x7a },
+	{ 0xa7, 0xad, 0x6b, 0x22, 0x46, 0x2f, 0xb3, 0xf4 },
+	{ 0xfb, 0xe5, 0x0e, 0x86, 0xbc, 0x8f, 0x1e, 0x75 },
+	{ 0x90, 0x3d, 0x84, 0xc0, 0x27, 0x56, 0xea, 0x14 },
+	{ 0xee, 0xf2, 0x7a, 0x8e, 0x90, 0xca, 0x23, 0xf7 },
+	{ 0xe5, 0x45, 0xbe, 0x49, 0x61, 0xca, 0x29, 0xa1 },
+	{ 0xdb, 0x9b, 0xc2, 0x57, 0x7f, 0xcc, 0x2a, 0x3f },
+	{ 0x94, 0x47, 0xbe, 0x2c, 0xf5, 0xe9, 0x9a, 0x69 },
+	{ 0x9c, 0xd3, 0x8d, 0x96, 0xf0, 0xb3, 0xc1, 0x4b },
+	{ 0xbd, 0x61, 0x79, 0xa7, 0x1d, 0xc9, 0x6d, 0xbb },
+	{ 0x98, 0xee, 0xa2, 0x1a, 0xf2, 0x5c, 0xd6, 0xbe },
+	{ 0xc7, 0x67, 0x3b, 0x2e, 0xb0, 0xcb, 0xf2, 0xd0 },
+	{ 0x88, 0x3e, 0xa3, 0xe3, 0x95, 0x67, 0x53, 0x93 },
+	{ 0xc8, 0xce, 0x5c, 0xcd, 0x8c, 0x03, 0x0c, 0xa8 },
+	{ 0x94, 0xaf, 0x49, 0xf6, 0xc6, 0x50, 0xad, 0xb8 },
+	{ 0xea, 0xb8, 0x85, 0x8a, 0xde, 0x92, 0xe1, 0xbc },
+	{ 0xf3, 0x15, 0xbb, 0x5b, 0xb8, 0x35, 0xd8, 0x17 },
+	{ 0xad, 0xcf, 0x6b, 0x07, 0x63, 0x61, 0x2e, 0x2f },
+	{ 0xa5, 0xc9, 0x1d, 0xa7, 0xac, 0xaa, 0x4d, 0xde },
+	{ 0x71, 0x65, 0x95, 0x87, 0x66, 0x50, 0xa2, 0xa6 },
+	{ 0x28, 0xef, 0x49, 0x5c, 0x53, 0xa3, 0x87, 0xad },
+	{ 0x42, 0xc3, 0x41, 0xd8, 0xfa, 0x92, 0xd8, 0x32 },
+	{ 0xce, 0x7c, 0xf2, 0x72, 0x2f, 0x51, 0x27, 0x71 },
+	{ 0xe3, 0x78, 0x59, 0xf9, 0x46, 0x23, 0xf3, 0xa7 },
+	{ 0x38, 0x12, 0x05, 0xbb, 0x1a, 0xb0, 0xe0, 0x12 },
+	{ 0xae, 0x97, 0xa1, 0x0f, 0xd4, 0x34, 0xe0, 0x15 },
+	{ 0xb4, 0xa3, 0x15, 0x08, 0xbe, 0xff, 0x4d, 0x31 },
+	{ 0x81, 0x39, 0x62, 0x29, 0xf0, 0x90, 0x79, 0x02 },
+	{ 0x4d, 0x0c, 0xf4, 0x9e, 0xe5, 0xd4, 0xdc, 0xca },
+	{ 0x5c, 0x73, 0x33, 0x6a, 0x76, 0xd8, 0xbf, 0x9a },
+	{ 0xd0, 0xa7, 0x04, 0x53, 0x6b, 0xa9, 0x3e, 0x0e },
+	{ 0x92, 0x59, 0x58, 0xfc, 0xd6, 0x42, 0x0c, 0xad },
+	{ 0xa9, 0x15, 0xc2, 0x9b, 0xc8, 0x06, 0x73, 0x18 },
+	{ 0x95, 0x2b, 0x79, 0xf3, 0xbc, 0x0a, 0xa6, 0xd4 },
+	{ 0xf2, 0x1d, 0xf2, 0xe4, 0x1d, 0x45, 0x35, 0xf9 },
+	{ 0x87, 0x57, 0x75, 0x19, 0x04, 0x8f, 0x53, 0xa9 },
+	{ 0x10, 0xa5, 0x6c, 0xf5, 0xdf, 0xcd, 0x9a, 0xdb },
+	{ 0xeb, 0x75, 0x09, 0x5c, 0xcd, 0x98, 0x6c, 0xd0 },
+	{ 0x51, 0xa9, 0xcb, 0x9e, 0xcb, 0xa3, 0x12, 0xe6 },
+	{ 0x96, 0xaf, 0xad, 0xfc, 0x2c, 0xe6, 0x66, 0xc7 },
+	{ 0x72, 0xfe, 0x52, 0x97, 0x5a, 0x43, 0x64, 0xee },
+	{ 0x5a, 0x16, 0x45, 0xb2, 0x76, 0xd5, 0x92, 0xa1 },
+	{ 0xb2, 0x74, 0xcb, 0x8e, 0xbf, 0x87, 0x87, 0x0a },
+	{ 0x6f, 0x9b, 0xb4, 0x20, 0x3d, 0xe7, 0xb3, 0x81 },
+	{ 0xea, 0xec, 0xb2, 0xa3, 0x0b, 0x22, 0xa8, 0x7f },
+	{ 0x99, 0x24, 0xa4, 0x3c, 0xc1, 0x31, 0x57, 0x24 },
+	{ 0xbd, 0x83, 0x8d, 0x3a, 0xaf, 0xbf, 0x8d, 0xb7 },
+	{ 0x0b, 0x1a, 0x2a, 0x32, 0x65, 0xd5, 0x1a, 0xea },
+	{ 0x13, 0x50, 0x79, 0xa3, 0x23, 0x1c, 0xe6, 0x60 },
+	{ 0x93, 0x2b, 0x28, 0x46, 0xe4, 0xd7, 0x06, 0x66 },
+	{ 0xe1, 0x91, 0x5f, 0x5c, 0xb1, 0xec, 0xa4, 0x6c },
+	{ 0xf3, 0x25, 0x96, 0x5c, 0xa1, 0x6d, 0x62, 0x9f },
+	{ 0x57, 0x5f, 0xf2, 0x8e, 0x60, 0x38, 0x1b, 0xe5 },
+	{ 0x72, 0x45, 0x06, 0xeb, 0x4c, 0x32, 0x8a, 0x95 }
+};
+
+const uint8_t vectors_hsip32[64][4] = {
+	{ 0xa9, 0x35, 0x9f, 0x5b }, { 0x27, 0x47, 0x5a, 0xb8 },
+	{ 0xfa, 0x62, 0xa6, 0x03 }, { 0x8a, 0xfe, 0xe7, 0x04 },
+	{ 0x2a, 0x6e, 0x46, 0x89 }, { 0xc5, 0xfa, 0xb6, 0x69 },
+	{ 0x58, 0x63, 0xfc, 0x23 }, { 0x8b, 0xcf, 0x63, 0xc5 },
+	{ 0xd0, 0xb8, 0x84, 0x8f }, { 0xf8, 0x06, 0xe7, 0x79 },
+	{ 0x94, 0xb0, 0x79, 0x34 }, { 0x08, 0x08, 0x30, 0x50 },
+	{ 0x57, 0xf0, 0x87, 0x2f }, { 0x77, 0xe6, 0x63, 0xff },
+	{ 0xd6, 0xff, 0xf8, 0x7c }, { 0x74, 0xfe, 0x2b, 0x97 },
+	{ 0xd9, 0xb5, 0xac, 0x84 }, { 0xc4, 0x74, 0x64, 0x5b },
+	{ 0x46, 0x5b, 0x8d, 0x9b }, { 0x7b, 0xef, 0xe3, 0x87 },
+	{ 0xe3, 0x4d, 0x10, 0x45 }, { 0x61, 0x3f, 0x62, 0xb3 },
+	{ 0x70, 0xf3, 0x67, 0xfe }, { 0xe6, 0xad, 0xb8, 0xbd },
+	{ 0x27, 0x40, 0x0c, 0x63 }, { 0x26, 0x78, 0x78, 0x75 },
+	{ 0x4f, 0x56, 0x7b, 0x5f }, { 0x3a, 0xb0, 0xe6, 0x69 },
+	{ 0xb0, 0x64, 0x40, 0x00 }, { 0xff, 0x67, 0x0f, 0xb4 },
+	{ 0x50, 0x9e, 0x33, 0x8b }, { 0x5d, 0x58, 0x9f, 0x1a },
+	{ 0xfe, 0xe7, 0x21, 0x12 }, { 0x33, 0x75, 0x32, 0x59 },
+	{ 0x6a, 0x43, 0x4f, 0x8c }, { 0xfe, 0x28, 0xb7, 0x29 },
+	{ 0xe7, 0x5c, 0xc6, 0xec }, { 0x69, 0x7e, 0x8d, 0x54 },
+	{ 0x63, 0x68, 0x8b, 0x0f }, { 0x65, 0x0b, 0x62, 0xb4 },
+	{ 0xb6, 0xbc, 0x18, 0x40 }, { 0x5d, 0x07, 0x45, 0x05 },
+	{ 0x24, 0x42, 0xfd, 0x2e }, { 0x7b, 0xb7, 0x86, 0x3a },
+	{ 0x77, 0x05, 0xd5, 0x48 }, { 0xd7, 0x52, 0x08, 0xb1 },
+	{ 0xb6, 0xd4, 0x99, 0xc8 }, { 0x08, 0x92, 0x20, 0x2e },
+	{ 0x69, 0xe1, 0x2c, 0xe3 }, { 0x8d, 0xb5, 0x80, 0xe5 },
+	{ 0x36, 0x97, 0x64, 0xc6 }, { 0x01, 0x6e, 0x02, 0x04 },
+	{ 0x3b, 0x85, 0xf3, 0xd4 }, { 0xfe, 0xdb, 0x66, 0xbe },
+	{ 0x1e, 0x69, 0x2a, 0x3a }, { 0xc6, 0x89, 0x84, 0xc0 },
+	{ 0xa5, 0xc5, 0xb9, 0x40 }, { 0x9b, 0xe9, 0xe8, 0x8c },
+	{ 0x7d, 0xbc, 0x81, 0x40 }, { 0x7c, 0x07, 0x8e, 0xc5 },
+	{ 0xd4, 0xe7, 0x6c, 0x73 }, { 0x42, 0x8f, 0xcb, 0xb9 },
+	{ 0xbd, 0x83, 0x99, 0x7a }, { 0x59, 0xea, 0x4a, 0x74 }
+};
+
+static void
+isc_siphash24_test(void **state) {
+	UNUSED(state);
+
+	uint8_t in[64], out[8], key[16];
+	for (size_t i = 0; i < ARRAY_SIZE(key); i++) {
+		key[i] = i;
+	}
+
+	for (size_t i = 0; i < ARRAY_SIZE(in); i++) {
+		in[i] = i;
+		isc_siphash24(key, in, i, out);
+		assert_memory_equal(out, vectors_sip64[i], 8);
+	}
+}
+
+static void
+isc_halfsiphash24_test(void **state) {
+	UNUSED(state);
+
+	uint8_t in[64], out[4], key[16];
+	for (size_t i = 0; i < ARRAY_SIZE(key); i++) {
+		key[i] = i;
+	}
+
+	for (size_t i = 0; i < ARRAY_SIZE(in); i++) {
+		in[i] = i;
+		isc_halfsiphash24(key, in, i, out);
+		assert_memory_equal(out, vectors_hsip32[i], 4);
+	}
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test(isc_siphash24_test),
+		cmocka_unit_test(isc_halfsiphash24_test),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/isc/tests/sockaddr_test.c b/lib/isc/tests/sockaddr_test.c
new file mode 100644
index 0000000..6719a6e
--- /dev/null
+++ b/lib/isc/tests/sockaddr_test.c
@@ -0,0 +1,188 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/netaddr.h>
+#include <isc/print.h>
+#include <isc/sockaddr.h>
+#include <isc/util.h>
+
+#include "isctest.h"
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = isc_test_begin(NULL, true, 0);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	isc_test_end();
+
+	return (0);
+}
+
+/* test sockaddr hash */
+static void
+sockaddr_hash(void **state) {
+	isc_sockaddr_t addr;
+	struct in_addr in;
+	struct in6_addr in6;
+	unsigned int h1, h2, h3, h4;
+	int ret;
+
+	UNUSED(state);
+
+	in.s_addr = inet_addr("127.0.0.1");
+	isc_sockaddr_fromin(&addr, &in, 1);
+	h1 = isc_sockaddr_hash(&addr, true);
+	h2 = isc_sockaddr_hash(&addr, false);
+	assert_int_not_equal(h1, h2);
+
+	ret = inet_pton(AF_INET6, "::ffff:127.0.0.1", &in6);
+	assert_int_equal(ret, 1);
+	isc_sockaddr_fromin6(&addr, &in6, 1);
+	h3 = isc_sockaddr_hash(&addr, true);
+	h4 = isc_sockaddr_hash(&addr, false);
+	assert_int_equal(h1, h3);
+	assert_int_equal(h2, h4);
+}
+
+/* test isc_sockaddr_isnetzero() */
+static void
+sockaddr_isnetzero(void **state) {
+	isc_sockaddr_t addr;
+	struct in_addr in;
+	struct in6_addr in6;
+	bool r;
+	int ret;
+	size_t i;
+	struct {
+		const char *string;
+		bool expect;
+	} data4[] = {
+		{ "0.0.0.0", true },	      { "0.0.0.1", true },
+		{ "0.0.1.0", true },	      { "0.1.0.0", true },
+		{ "1.0.0.0", false },	      { "0.0.0.127", true },
+		{ "0.0.0.255", true },	      { "127.0.0.1", false },
+		{ "255.255.255.255", false },
+	};
+	/*
+	 * Mapped addresses are currently not netzero.
+	 */
+	struct {
+		const char *string;
+		bool expect;
+	} data6[] = {
+		{ "::ffff:0.0.0.0", false },
+		{ "::ffff:0.0.0.1", false },
+		{ "::ffff:0.0.0.127", false },
+		{ "::ffff:0.0.0.255", false },
+		{ "::ffff:127.0.0.1", false },
+		{ "::ffff:255.255.255.255", false },
+	};
+
+	UNUSED(state);
+
+	for (i = 0; i < sizeof(data4) / sizeof(data4[0]); i++) {
+		in.s_addr = inet_addr(data4[i].string);
+		isc_sockaddr_fromin(&addr, &in, 1);
+		r = isc_sockaddr_isnetzero(&addr);
+		assert_int_equal(r, data4[i].expect);
+	}
+
+	for (i = 0; i < sizeof(data6) / sizeof(data6[0]); i++) {
+		ret = inet_pton(AF_INET6, data6[i].string, &in6);
+		assert_int_equal(ret, 1);
+		isc_sockaddr_fromin6(&addr, &in6, 1);
+		r = isc_sockaddr_isnetzero(&addr);
+		assert_int_equal(r, data6[i].expect);
+	}
+}
+
+/*
+ * test that isc_sockaddr_eqaddrprefix() returns true when prefixes of a
+ * and b are equal, and false when they are not equal
+ */
+static void
+sockaddr_eqaddrprefix(void **state) {
+	struct in_addr ina_a;
+	struct in_addr ina_b;
+	struct in_addr ina_c;
+	isc_sockaddr_t isa_a;
+	isc_sockaddr_t isa_b;
+	isc_sockaddr_t isa_c;
+
+	UNUSED(state);
+
+	assert_true(inet_pton(AF_INET, "194.100.32.87", &ina_a) >= 0);
+	assert_true(inet_pton(AF_INET, "194.100.32.80", &ina_b) >= 0);
+	assert_true(inet_pton(AF_INET, "194.101.32.87", &ina_c) >= 0);
+
+	isc_sockaddr_fromin(&isa_a, &ina_a, 0);
+	isc_sockaddr_fromin(&isa_b, &ina_b, 42);
+	isc_sockaddr_fromin(&isa_c, &ina_c, 0);
+
+	assert_true(isc_sockaddr_eqaddrprefix(&isa_a, &isa_b, 0));
+	assert_true(isc_sockaddr_eqaddrprefix(&isa_a, &isa_b, 29));
+	assert_true(isc_sockaddr_eqaddrprefix(&isa_a, &isa_c, 8));
+
+	assert_false(isc_sockaddr_eqaddrprefix(&isa_a, &isa_b, 30));
+	assert_false(isc_sockaddr_eqaddrprefix(&isa_a, &isa_b, 32));
+	assert_false(isc_sockaddr_eqaddrprefix(&isa_a, &isa_c, 16));
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test_setup_teardown(sockaddr_hash, _setup,
+						_teardown),
+		cmocka_unit_test(sockaddr_isnetzero),
+		cmocka_unit_test(sockaddr_eqaddrprefix),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/isc/tests/socket_test.c b/lib/isc/tests/socket_test.c
new file mode 100644
index 0000000..ab19b06
--- /dev/null
+++ b/lib/isc/tests/socket_test.c
@@ -0,0 +1,833 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#if HAVE_CMOCKA
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <time.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/atomic.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/socket.h>
+#include <isc/task.h>
+
+#include "../unix/socket_p.h"
+#include "isctest.h"
+
+static bool recv_dscp;
+static unsigned int recv_dscp_value;
+static bool recv_trunc;
+isc_socket_t *s1 = NULL, *s2 = NULL, *s3 = NULL;
+isc_task_t *test_task = NULL;
+
+/*
+ * Helper functions
+ */
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = isc_test_begin(NULL, true, 0);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	if (s1 != NULL) {
+		isc_socket_detach(&s1);
+	}
+	if (s2 != NULL) {
+		isc_socket_detach(&s2);
+	}
+	if (s3 != NULL) {
+		isc_socket_detach(&s3);
+	}
+	if (test_task != NULL) {
+		isc_task_detach(&test_task);
+	}
+
+	isc_test_end();
+
+	return (0);
+}
+
+typedef struct {
+	atomic_bool done;
+	isc_result_t result;
+	isc_socket_t *socket;
+} completion_t;
+
+static void
+completion_init(completion_t *completion) {
+	atomic_init(&completion->done, false);
+	completion->socket = NULL;
+}
+
+static void
+accept_done(isc_task_t *task, isc_event_t *event) {
+	isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event;
+	completion_t *completion = event->ev_arg;
+
+	UNUSED(task);
+
+	completion->result = nevent->result;
+	atomic_store(&completion->done, true);
+	if (completion->result == ISC_R_SUCCESS) {
+		completion->socket = nevent->newsocket;
+	}
+
+	isc_event_free(&event);
+}
+
+static void
+event_done(isc_task_t *task, isc_event_t *event) {
+	isc_socketevent_t *sev = NULL;
+	isc_socket_connev_t *connev = NULL;
+	completion_t *completion = event->ev_arg;
+	UNUSED(task);
+
+	switch (event->ev_type) {
+	case ISC_SOCKEVENT_RECVDONE:
+	case ISC_SOCKEVENT_SENDDONE:
+		sev = (isc_socketevent_t *)event;
+		completion->result = sev->result;
+		if ((sev->attributes & ISC_SOCKEVENTATTR_DSCP) != 0) {
+			recv_dscp = true;
+			recv_dscp_value = sev->dscp;
+		} else {
+			recv_dscp = false;
+		}
+		recv_trunc = ((sev->attributes & ISC_SOCKEVENTATTR_TRUNC) != 0);
+		break;
+	case ISC_SOCKEVENT_CONNECT:
+		connev = (isc_socket_connev_t *)event;
+		completion->result = connev->result;
+		break;
+	default:
+		assert_false(true);
+	}
+	atomic_store(&completion->done, true);
+	isc_event_free(&event);
+}
+
+static isc_result_t
+waitfor(completion_t *completion) {
+	int i = 0;
+	while (!atomic_load(&completion->done) && i++ < 5000) {
+		isc_test_nap(1000);
+	}
+	if (atomic_load(&completion->done)) {
+		return (ISC_R_SUCCESS);
+	}
+	return (ISC_R_FAILURE);
+}
+
+static void
+waitbody(void) {
+	isc_test_nap(1000);
+}
+
+static isc_result_t
+waitfor2(completion_t *c1, completion_t *c2) {
+	int i = 0;
+
+	while (!(atomic_load(&c1->done) && atomic_load(&c2->done)) &&
+	       i++ < 5000)
+	{
+		waitbody();
+	}
+	if (atomic_load(&c1->done) && atomic_load(&c2->done)) {
+		return (ISC_R_SUCCESS);
+	}
+	return (ISC_R_FAILURE);
+}
+
+/*
+ * Individual unit tests
+ */
+
+/* Test UDP sendto/recv (IPv4) */
+static void
+udp_sendto_test(void **state) {
+	isc_result_t result;
+	isc_sockaddr_t addr1, addr2;
+	struct in_addr in;
+	char sendbuf[BUFSIZ], recvbuf[BUFSIZ];
+	completion_t completion;
+	isc_region_t r;
+
+	UNUSED(state);
+
+	in.s_addr = inet_addr("127.0.0.1");
+	isc_sockaddr_fromin(&addr1, &in, 0);
+	isc_sockaddr_fromin(&addr2, &in, 0);
+
+	result = isc_socket_create(socketmgr, PF_INET, isc_sockettype_udp, &s1);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = isc_socket_bind(s1, &addr1, 0);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = isc_socket_getsockname(s1, &addr1);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_true(isc_sockaddr_getport(&addr1) != 0);
+
+	result = isc_socket_create(socketmgr, PF_INET, isc_sockettype_udp, &s2);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = isc_socket_bind(s2, &addr2, 0);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = isc_socket_getsockname(s2, &addr2);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_true(isc_sockaddr_getport(&addr2) != 0);
+
+	result = isc_task_create(taskmgr, 0, &test_task);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	snprintf(sendbuf, sizeof(sendbuf), "Hello");
+	r.base = (void *)sendbuf;
+	r.length = strlen(sendbuf) + 1;
+
+	completion_init(&completion);
+	result = isc_socket_sendto(s1, &r, test_task, event_done, &completion,
+				   &addr2, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	waitfor(&completion);
+	assert_true(atomic_load(&completion.done));
+	assert_int_equal(completion.result, ISC_R_SUCCESS);
+
+	r.base = (void *)recvbuf;
+	r.length = BUFSIZ;
+	completion_init(&completion);
+	result = isc_socket_recv(s2, &r, 1, test_task, event_done, &completion);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	waitfor(&completion);
+	assert_true(atomic_load(&completion.done));
+	assert_int_equal(completion.result, ISC_R_SUCCESS);
+	assert_string_equal(recvbuf, "Hello");
+}
+
+/* Test UDP sendto/recv with duplicated socket */
+static void
+udp_dup_test(void **state) {
+	isc_result_t result;
+	isc_sockaddr_t addr1, addr2;
+	struct in_addr in;
+	char sendbuf[BUFSIZ], recvbuf[BUFSIZ];
+	completion_t completion;
+	isc_region_t r;
+
+	UNUSED(state);
+
+	in.s_addr = inet_addr("127.0.0.1");
+	isc_sockaddr_fromin(&addr1, &in, 0);
+	isc_sockaddr_fromin(&addr2, &in, 0);
+
+	result = isc_socket_create(socketmgr, PF_INET, isc_sockettype_udp, &s1);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = isc_socket_bind(s1, &addr1, 0);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = isc_socket_getsockname(s1, &addr1);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_true(isc_sockaddr_getport(&addr1) != 0);
+
+	result = isc_socket_create(socketmgr, PF_INET, isc_sockettype_udp, &s2);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = isc_socket_bind(s2, &addr2, 0);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = isc_socket_getsockname(s2, &addr2);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_true(isc_sockaddr_getport(&addr2) != 0);
+
+	result = isc_socket_dup(s2, &s3);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = isc_task_create(taskmgr, 0, &test_task);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	snprintf(sendbuf, sizeof(sendbuf), "Hello");
+	r.base = (void *)sendbuf;
+	r.length = strlen(sendbuf) + 1;
+
+	completion_init(&completion);
+	result = isc_socket_sendto(s1, &r, test_task, event_done, &completion,
+				   &addr2, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	waitfor(&completion);
+	assert_true(atomic_load(&completion.done));
+	assert_int_equal(completion.result, ISC_R_SUCCESS);
+
+	snprintf(sendbuf, sizeof(sendbuf), "World");
+	r.base = (void *)sendbuf;
+	r.length = strlen(sendbuf) + 1;
+
+	completion_init(&completion);
+	result = isc_socket_sendto(s1, &r, test_task, event_done, &completion,
+				   &addr2, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	waitfor(&completion);
+	assert_true(atomic_load(&completion.done));
+	assert_int_equal(completion.result, ISC_R_SUCCESS);
+
+	r.base = (void *)recvbuf;
+	r.length = BUFSIZ;
+	completion_init(&completion);
+	result = isc_socket_recv(s2, &r, 1, test_task, event_done, &completion);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	waitfor(&completion);
+	assert_true(atomic_load(&completion.done));
+	assert_int_equal(completion.result, ISC_R_SUCCESS);
+	assert_string_equal(recvbuf, "Hello");
+
+	r.base = (void *)recvbuf;
+	r.length = BUFSIZ;
+	completion_init(&completion);
+	result = isc_socket_recv(s3, &r, 1, test_task, event_done, &completion);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	waitfor(&completion);
+	assert_true(atomic_load(&completion.done));
+	assert_int_equal(completion.result, ISC_R_SUCCESS);
+	assert_string_equal(recvbuf, "World");
+}
+
+/* Test UDP sendto/recv (IPv4) */
+static void
+udp_dscp_v4_test(void **state) {
+	isc_result_t result;
+	isc_sockaddr_t addr1, addr2;
+	struct in_addr in;
+	char sendbuf[BUFSIZ], recvbuf[BUFSIZ];
+	completion_t completion;
+	isc_region_t r;
+	isc_socketevent_t *socketevent;
+
+	UNUSED(state);
+
+	in.s_addr = inet_addr("127.0.0.1");
+	isc_sockaddr_fromin(&addr1, &in, 0);
+	isc_sockaddr_fromin(&addr2, &in, 0);
+
+	result = isc_socket_create(socketmgr, PF_INET, isc_sockettype_udp, &s1);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = isc_socket_bind(s1, &addr1, ISC_SOCKET_REUSEADDRESS);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = isc_socket_getsockname(s1, &addr1);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_true(isc_sockaddr_getport(&addr1) != 0);
+
+	result = isc_socket_create(socketmgr, PF_INET, isc_sockettype_udp, &s2);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = isc_socket_bind(s2, &addr2, ISC_SOCKET_REUSEADDRESS);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = isc_socket_getsockname(s2, &addr2);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_true(isc_sockaddr_getport(&addr2) != 0);
+
+	result = isc_task_create(taskmgr, 0, &test_task);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	snprintf(sendbuf, sizeof(sendbuf), "Hello");
+	r.base = (void *)sendbuf;
+	r.length = strlen(sendbuf) + 1;
+
+	completion_init(&completion);
+
+	socketevent = isc_socket_socketevent(
+		test_mctx, s1, ISC_SOCKEVENT_SENDDONE, event_done, &completion);
+	assert_non_null(socketevent);
+
+	if ((isc_net_probedscp() & ISC_NET_DSCPPKTV4) != 0) {
+		socketevent->dscp = 056; /* EF */
+		socketevent->attributes |= ISC_SOCKEVENTATTR_DSCP;
+	} else if ((isc_net_probedscp() & ISC_NET_DSCPSETV4) != 0) {
+		isc_socket_dscp(s1, 056); /* EF */
+		socketevent->dscp = 0;
+		socketevent->attributes &= ~ISC_SOCKEVENTATTR_DSCP;
+	}
+
+	recv_dscp = false;
+	recv_dscp_value = 0;
+
+	result = isc_socket_sendto2(s1, &r, test_task, &addr2, NULL,
+				    socketevent, 0);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	waitfor(&completion);
+	assert_true(atomic_load(&completion.done));
+	assert_int_equal(completion.result, ISC_R_SUCCESS);
+
+	r.base = (void *)recvbuf;
+	r.length = BUFSIZ;
+	completion_init(&completion);
+	result = isc_socket_recv(s2, &r, 1, test_task, event_done, &completion);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	waitfor(&completion);
+	assert_true(atomic_load(&completion.done));
+	assert_int_equal(completion.result, ISC_R_SUCCESS);
+	assert_string_equal(recvbuf, "Hello");
+
+	if ((isc_net_probedscp() & ISC_NET_DSCPRECVV4) != 0) {
+		assert_true(recv_dscp);
+		assert_int_equal(recv_dscp_value, 056);
+	} else {
+		assert_false(recv_dscp);
+	}
+}
+
+/* Test UDP sendto/recv (IPv6) */
+static void
+udp_dscp_v6_test(void **state) {
+	isc_result_t result;
+	isc_sockaddr_t addr1, addr2;
+	struct in6_addr in6;
+	char sendbuf[BUFSIZ], recvbuf[BUFSIZ];
+	completion_t completion;
+	isc_region_t r;
+	isc_socketevent_t *socketevent;
+	int n;
+
+	UNUSED(state);
+
+	n = inet_pton(AF_INET6, "::1", &in6.s6_addr);
+	assert_true(n == 1);
+	isc_sockaddr_fromin6(&addr1, &in6, 0);
+	isc_sockaddr_fromin6(&addr2, &in6, 0);
+
+	result = isc_socket_create(socketmgr, PF_INET6, isc_sockettype_udp,
+				   &s1);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = isc_socket_bind(s1, &addr1, 0);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = isc_socket_getsockname(s1, &addr1);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_true(isc_sockaddr_getport(&addr1) != 0);
+
+	result = isc_socket_create(socketmgr, PF_INET6, isc_sockettype_udp,
+				   &s2);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = isc_socket_bind(s2, &addr2, 0);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = isc_socket_getsockname(s2, &addr2);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_true(isc_sockaddr_getport(&addr2) != 0);
+
+	result = isc_task_create(taskmgr, 0, &test_task);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	snprintf(sendbuf, sizeof(sendbuf), "Hello");
+	r.base = (void *)sendbuf;
+	r.length = strlen(sendbuf) + 1;
+
+	completion_init(&completion);
+
+	socketevent = isc_socket_socketevent(
+		test_mctx, s1, ISC_SOCKEVENT_SENDDONE, event_done, &completion);
+	assert_non_null(socketevent);
+
+	if ((isc_net_probedscp() & ISC_NET_DSCPPKTV6) != 0) {
+		socketevent->dscp = 056; /* EF */
+		socketevent->attributes = ISC_SOCKEVENTATTR_DSCP;
+	} else if ((isc_net_probedscp() & ISC_NET_DSCPSETV6) != 0) {
+		isc_socket_dscp(s1, 056); /* EF */
+	}
+
+	recv_dscp = false;
+	recv_dscp_value = 0;
+
+	result = isc_socket_sendto2(s1, &r, test_task, &addr2, NULL,
+				    socketevent, 0);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	waitfor(&completion);
+	assert_true(atomic_load(&completion.done));
+	assert_int_equal(completion.result, ISC_R_SUCCESS);
+
+	r.base = (void *)recvbuf;
+	r.length = BUFSIZ;
+	completion_init(&completion);
+	result = isc_socket_recv(s2, &r, 1, test_task, event_done, &completion);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	waitfor(&completion);
+	assert_true(atomic_load(&completion.done));
+	assert_int_equal(completion.result, ISC_R_SUCCESS);
+	assert_string_equal(recvbuf, "Hello");
+	if ((isc_net_probedscp() & ISC_NET_DSCPRECVV6) != 0) {
+		assert_true(recv_dscp);
+		assert_int_equal(recv_dscp_value, 056);
+	} else {
+		assert_false(recv_dscp);
+	}
+}
+
+/* Test TCP sendto/recv (IPv4) */
+static void
+tcp_dscp_v4_test(void **state) {
+	isc_result_t result;
+	isc_sockaddr_t addr1;
+	struct in_addr in;
+	char sendbuf[BUFSIZ], recvbuf[BUFSIZ];
+	completion_t completion, completion2;
+	isc_region_t r;
+
+	UNUSED(state);
+
+	in.s_addr = inet_addr("127.0.0.1");
+	isc_sockaddr_fromin(&addr1, &in, 0);
+
+	result = isc_socket_create(socketmgr, PF_INET, isc_sockettype_tcp, &s1);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = isc_socket_bind(s1, &addr1, 0);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = isc_socket_getsockname(s1, &addr1);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_true(isc_sockaddr_getport(&addr1) != 0);
+
+	result = isc_socket_listen(s1, 3);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = isc_socket_create(socketmgr, PF_INET, isc_sockettype_tcp, &s2);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = isc_task_create(taskmgr, 0, &test_task);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	completion_init(&completion2);
+	result = isc_socket_accept(s1, test_task, accept_done, &completion2);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	completion_init(&completion);
+	result = isc_socket_connect(s2, &addr1, test_task, event_done,
+				    &completion);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	waitfor2(&completion, &completion2);
+	assert_true(atomic_load(&completion.done));
+	assert_int_equal(completion.result, ISC_R_SUCCESS);
+	assert_true(atomic_load(&completion2.done));
+	assert_int_equal(completion2.result, ISC_R_SUCCESS);
+	s3 = completion2.socket;
+
+	isc_socket_dscp(s2, 056); /* EF */
+
+	snprintf(sendbuf, sizeof(sendbuf), "Hello");
+	r.base = (void *)sendbuf;
+	r.length = strlen(sendbuf) + 1;
+
+	recv_dscp = false;
+	recv_dscp_value = 0;
+
+	completion_init(&completion);
+	result = isc_socket_sendto(s2, &r, test_task, event_done, &completion,
+				   NULL, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	waitfor(&completion);
+	assert_true(atomic_load(&completion.done));
+	assert_int_equal(completion.result, ISC_R_SUCCESS);
+
+	r.base = (void *)recvbuf;
+	r.length = BUFSIZ;
+	completion_init(&completion);
+	result = isc_socket_recv(s3, &r, 1, test_task, event_done, &completion);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	waitfor(&completion);
+	assert_true(atomic_load(&completion.done));
+	assert_int_equal(completion.result, ISC_R_SUCCESS);
+	assert_string_equal(recvbuf, "Hello");
+
+	if ((isc_net_probedscp() & ISC_NET_DSCPRECVV4) != 0) {
+		if (recv_dscp) {
+			assert_int_equal(recv_dscp_value, 056);
+		}
+	} else {
+		assert_false(recv_dscp);
+	}
+}
+
+/* Test TCP sendto/recv (IPv6) */
+static void
+tcp_dscp_v6_test(void **state) {
+	isc_result_t result;
+	isc_sockaddr_t addr1;
+	struct in6_addr in6;
+	char sendbuf[BUFSIZ], recvbuf[BUFSIZ];
+	completion_t completion, completion2;
+	isc_region_t r;
+	int n;
+
+	UNUSED(state);
+
+	n = inet_pton(AF_INET6, "::1", &in6.s6_addr);
+	assert_true(n == 1);
+	isc_sockaddr_fromin6(&addr1, &in6, 0);
+
+	result = isc_socket_create(socketmgr, PF_INET6, isc_sockettype_tcp,
+				   &s1);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = isc_socket_bind(s1, &addr1, 0);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = isc_socket_getsockname(s1, &addr1);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_true(isc_sockaddr_getport(&addr1) != 0);
+
+	result = isc_socket_listen(s1, 3);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = isc_socket_create(socketmgr, PF_INET6, isc_sockettype_tcp,
+				   &s2);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = isc_task_create(taskmgr, 0, &test_task);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	completion_init(&completion2);
+	result = isc_socket_accept(s1, test_task, accept_done, &completion2);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	completion_init(&completion);
+	result = isc_socket_connect(s2, &addr1, test_task, event_done,
+				    &completion);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	waitfor2(&completion, &completion2);
+	assert_true(atomic_load(&completion.done));
+	assert_int_equal(completion.result, ISC_R_SUCCESS);
+	assert_true(atomic_load(&completion2.done));
+	assert_int_equal(completion2.result, ISC_R_SUCCESS);
+	s3 = completion2.socket;
+
+	isc_socket_dscp(s2, 056); /* EF */
+
+	snprintf(sendbuf, sizeof(sendbuf), "Hello");
+	r.base = (void *)sendbuf;
+	r.length = strlen(sendbuf) + 1;
+
+	recv_dscp = false;
+	recv_dscp_value = 0;
+
+	completion_init(&completion);
+	result = isc_socket_sendto(s2, &r, test_task, event_done, &completion,
+				   NULL, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	waitfor(&completion);
+	assert_true(atomic_load(&completion.done));
+	assert_int_equal(completion.result, ISC_R_SUCCESS);
+
+	r.base = (void *)recvbuf;
+	r.length = BUFSIZ;
+	completion_init(&completion);
+	result = isc_socket_recv(s3, &r, 1, test_task, event_done, &completion);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	waitfor(&completion);
+	assert_true(atomic_load(&completion.done));
+	assert_int_equal(completion.result, ISC_R_SUCCESS);
+	assert_string_equal(recvbuf, "Hello");
+
+	if ((isc_net_probedscp() & ISC_NET_DSCPRECVV6) != 0) {
+		/*
+		 * IPV6_RECVTCLASS is undefined for TCP however
+		 * if we do get it it should be the value we set.
+		 */
+		if (recv_dscp) {
+			assert_int_equal(recv_dscp_value, 056);
+		}
+	} else {
+		assert_false(recv_dscp);
+	}
+}
+
+/* probe dscp capabilities */
+static void
+net_probedscp_test(void **state) {
+	unsigned int n;
+
+	UNUSED(state);
+
+	n = isc_net_probedscp();
+	assert_true((n & ~ISC_NET_DSCPALL) == 0);
+
+	/* ISC_NET_DSCPSETV4 MUST be set if any is set. */
+	if (n & (ISC_NET_DSCPPKTV4 | ISC_NET_DSCPRECVV4)) {
+		assert_true((n & ISC_NET_DSCPSETV4) != 0);
+	}
+
+	/* ISC_NET_DSCPSETV6 MUST be set if any is set. */
+	if (n & (ISC_NET_DSCPPKTV6 | ISC_NET_DSCPRECVV6)) {
+		assert_true((n & ISC_NET_DSCPSETV6) != 0);
+	}
+
+#if 0
+	fprintf(stdout,"IPv4:%s%s%s\n",
+		(n & ISC_NET_DSCPSETV4) ? " set" : "none",
+		(n & ISC_NET_DSCPPKTV4) ? " packet" : "",
+		(n & ISC_NET_DSCPRECVV4) ? " receive" : "");
+
+	fprintf(stdout,"IPv6:%s%s%s\n",
+		(n & ISC_NET_DSCPSETV6) ? " set" : "none",
+		(n & ISC_NET_DSCPPKTV6) ? " packet" : "",
+		(n & ISC_NET_DSCPRECVV6) ? " receive" : "");
+#endif /* if 0 */
+}
+
+/* Test UDP truncation detection */
+static void
+udp_trunc_test(void **state) {
+	isc_result_t result;
+	isc_sockaddr_t addr1, addr2;
+	struct in_addr in;
+	char sendbuf[BUFSIZ * 2], recvbuf[BUFSIZ];
+	completion_t completion;
+	isc_region_t r;
+	isc_socketevent_t *socketevent;
+
+	UNUSED(state);
+
+	in.s_addr = inet_addr("127.0.0.1");
+	isc_sockaddr_fromin(&addr1, &in, 0);
+	isc_sockaddr_fromin(&addr2, &in, 0);
+
+	result = isc_socket_create(socketmgr, PF_INET, isc_sockettype_udp, &s1);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = isc_socket_bind(s1, &addr1, ISC_SOCKET_REUSEADDRESS);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = isc_socket_getsockname(s1, &addr1);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_true(isc_sockaddr_getport(&addr1) != 0);
+	result = isc_socket_create(socketmgr, PF_INET, isc_sockettype_udp, &s2);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = isc_socket_bind(s2, &addr2, ISC_SOCKET_REUSEADDRESS);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = isc_socket_getsockname(s2, &addr2);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_true(isc_sockaddr_getport(&addr2) != 0);
+
+	result = isc_task_create(taskmgr, 0, &test_task);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/*
+	 * Send a message that will not be truncated.
+	 */
+	memset(sendbuf, 0xff, sizeof(sendbuf));
+	snprintf(sendbuf, sizeof(sendbuf), "Hello");
+	r.base = (void *)sendbuf;
+	r.length = strlen(sendbuf) + 1;
+
+	completion_init(&completion);
+
+	socketevent = isc_socket_socketevent(
+		test_mctx, s1, ISC_SOCKEVENT_SENDDONE, event_done, &completion);
+	assert_non_null(socketevent);
+
+	result = isc_socket_sendto2(s1, &r, test_task, &addr2, NULL,
+				    socketevent, 0);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	waitfor(&completion);
+	assert_true(atomic_load(&completion.done));
+	assert_int_equal(completion.result, ISC_R_SUCCESS);
+
+	r.base = (void *)recvbuf;
+	r.length = BUFSIZ;
+	completion_init(&completion);
+	recv_trunc = false;
+	result = isc_socket_recv(s2, &r, 1, test_task, event_done, &completion);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	waitfor(&completion);
+	assert_true(atomic_load(&completion.done));
+	assert_int_equal(completion.result, ISC_R_SUCCESS);
+	assert_string_equal(recvbuf, "Hello");
+	assert_false(recv_trunc);
+
+	/*
+	 * Send a message that will be truncated.
+	 */
+	memset(sendbuf, 0xff, sizeof(sendbuf));
+	snprintf(sendbuf, sizeof(sendbuf), "Hello");
+	r.base = (void *)sendbuf;
+	r.length = sizeof(sendbuf);
+
+	completion_init(&completion);
+
+	socketevent = isc_socket_socketevent(
+		test_mctx, s1, ISC_SOCKEVENT_SENDDONE, event_done, &completion);
+	assert_non_null(socketevent);
+
+	result = isc_socket_sendto2(s1, &r, test_task, &addr2, NULL,
+				    socketevent, 0);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	waitfor(&completion);
+	assert_true(atomic_load(&completion.done));
+	assert_int_equal(completion.result, ISC_R_SUCCESS);
+
+	r.base = (void *)recvbuf;
+	r.length = BUFSIZ;
+	completion_init(&completion);
+	recv_trunc = false;
+	result = isc_socket_recv(s2, &r, 1, test_task, event_done, &completion);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	waitfor(&completion);
+	assert_true(atomic_load(&completion.done));
+	assert_int_equal(completion.result, ISC_R_SUCCESS);
+	assert_string_equal(recvbuf, "Hello");
+	assert_true(recv_trunc);
+}
+
+/*
+ * Main
+ */
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test_setup_teardown(udp_sendto_test, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(udp_dup_test, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(tcp_dscp_v4_test, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(tcp_dscp_v6_test, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(udp_dscp_v4_test, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(udp_dscp_v6_test, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(net_probedscp_test, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(udp_trunc_test, _setup,
+						_teardown),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/isc/tests/stats_test.c b/lib/isc/tests/stats_test.c
new file mode 100644
index 0000000..89b2462
--- /dev/null
+++ b/lib/isc/tests/stats_test.c
@@ -0,0 +1,141 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/mem.h>
+#include <isc/result.h>
+#include <isc/stats.h>
+#include <isc/util.h>
+
+#include "isctest.h"
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = isc_test_begin(NULL, true, 0);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	isc_test_end();
+
+	return (0);
+}
+
+/* test stats */
+static void
+isc_stats_basic_test(void **state) {
+	isc_stats_t *stats = NULL;
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = isc_stats_create(test_mctx, &stats, 4);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(isc_stats_ncounters(stats), 4);
+
+	/* Default all 0. */
+	for (int i = 0; i < isc_stats_ncounters(stats); i++) {
+		assert_int_equal(isc_stats_get_counter(stats, i), 0);
+	}
+
+	/* Test increment. */
+	for (int i = 0; i < isc_stats_ncounters(stats); i++) {
+		isc_stats_increment(stats, i);
+		assert_int_equal(isc_stats_get_counter(stats, i), 1);
+		isc_stats_increment(stats, i);
+		assert_int_equal(isc_stats_get_counter(stats, i), 2);
+	}
+
+	/* Test decrement. */
+	for (int i = 0; i < isc_stats_ncounters(stats); i++) {
+		isc_stats_decrement(stats, i);
+		assert_int_equal(isc_stats_get_counter(stats, i), 1);
+		isc_stats_decrement(stats, i);
+		assert_int_equal(isc_stats_get_counter(stats, i), 0);
+	}
+
+	/* Test set. */
+	for (int i = 0; i < isc_stats_ncounters(stats); i++) {
+		isc_stats_set(stats, i, i);
+		assert_int_equal(isc_stats_get_counter(stats, i), i);
+	}
+
+	/* Test update if greater. */
+	for (int i = 0; i < isc_stats_ncounters(stats); i++) {
+		isc_stats_update_if_greater(stats, i, i);
+		assert_int_equal(isc_stats_get_counter(stats, i), i);
+		isc_stats_update_if_greater(stats, i, i + 1);
+		assert_int_equal(isc_stats_get_counter(stats, i), i + 1);
+	}
+
+	/* Test resize. */
+	isc_stats_resize(&stats, 3);
+	assert_int_equal(isc_stats_ncounters(stats), 4);
+	isc_stats_resize(&stats, 4);
+	assert_int_equal(isc_stats_ncounters(stats), 4);
+	isc_stats_resize(&stats, 5);
+	assert_int_equal(isc_stats_ncounters(stats), 5);
+
+	/* Existing counters are retained */
+	for (int i = 0; i < isc_stats_ncounters(stats); i++) {
+		uint32_t expect = i + 1;
+		if (i == 4) {
+			expect = 0;
+		}
+		assert_int_equal(isc_stats_get_counter(stats, i), expect);
+	}
+
+	isc_stats_detach(&stats);
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test_setup_teardown(isc_stats_basic_test, _setup,
+						_teardown),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/isc/tests/symtab_test.c b/lib/isc/tests/symtab_test.c
new file mode 100644
index 0000000..4b82308
--- /dev/null
+++ b/lib/isc/tests/symtab_test.c
@@ -0,0 +1,171 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/print.h>
+#include <isc/symtab.h>
+#include <isc/util.h>
+
+#include "isctest.h"
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = isc_test_begin(NULL, true, 0);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	isc_test_end();
+
+	return (0);
+}
+
+static void
+undefine(char *key, unsigned int type, isc_symvalue_t value, void *arg) {
+	UNUSED(arg);
+
+	assert_int_equal(type, 1);
+	isc_mem_free(test_mctx, key);
+	isc_mem_free(test_mctx, value.as_pointer);
+}
+
+/* test symbol table growth */
+static void
+symtab_grow(void **state) {
+	isc_result_t result;
+	isc_symtab_t *st = NULL;
+	isc_symvalue_t value;
+	isc_symexists_t policy = isc_symexists_reject;
+	int i;
+
+	UNUSED(state);
+
+	result = isc_symtab_create(test_mctx, 3, undefine, NULL, false, &st);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_non_null(st);
+
+	/* Nothing should be in the table yet */
+
+	/*
+	 * Put 1024 entries in the table (this should necessate
+	 * regrowing the hash table several times
+	 */
+	for (i = 0; i < 1024; i++) {
+		char str[16], *key;
+
+		snprintf(str, sizeof(str), "%04x", i);
+		key = isc_mem_strdup(test_mctx, str);
+		assert_non_null(key);
+		value.as_pointer = isc_mem_strdup(test_mctx, str);
+		assert_non_null(value.as_pointer);
+		result = isc_symtab_define(st, key, 1, value, policy);
+		assert_int_equal(result, ISC_R_SUCCESS);
+		if (result != ISC_R_SUCCESS) {
+			undefine(key, 1, value, NULL);
+		}
+	}
+
+	/*
+	 * Try to put them in again; this should fail
+	 */
+	for (i = 0; i < 1024; i++) {
+		char str[16], *key;
+
+		snprintf(str, sizeof(str), "%04x", i);
+		key = isc_mem_strdup(test_mctx, str);
+		assert_non_null(key);
+		value.as_pointer = isc_mem_strdup(test_mctx, str);
+		assert_non_null(value.as_pointer);
+		result = isc_symtab_define(st, key, 1, value, policy);
+		assert_int_equal(result, ISC_R_EXISTS);
+		undefine(key, 1, value, NULL);
+	}
+
+	/*
+	 * Retrieve them; this should succeed
+	 */
+	for (i = 0; i < 1024; i++) {
+		char str[16];
+
+		snprintf(str, sizeof(str), "%04x", i);
+		result = isc_symtab_lookup(st, str, 0, &value);
+		assert_int_equal(result, ISC_R_SUCCESS);
+		assert_string_equal(str, (char *)value.as_pointer);
+	}
+
+	/*
+	 * Undefine them
+	 */
+	for (i = 0; i < 1024; i++) {
+		char str[16];
+
+		snprintf(str, sizeof(str), "%04x", i);
+		result = isc_symtab_undefine(st, str, 1);
+		assert_int_equal(result, ISC_R_SUCCESS);
+	}
+
+	/*
+	 * Retrieve them again; this should fail
+	 */
+	for (i = 0; i < 1024; i++) {
+		char str[16];
+
+		snprintf(str, sizeof(str), "%04x", i);
+		result = isc_symtab_lookup(st, str, 0, &value);
+		assert_int_equal(result, ISC_R_NOTFOUND);
+	}
+
+	isc_symtab_destroy(&st);
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test_setup_teardown(symtab_grow, _setup, _teardown),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/isc/tests/task_test.c b/lib/isc/tests/task_test.c
new file mode 100644
index 0000000..7d7132d
--- /dev/null
+++ b/lib/isc/tests/task_test.c
@@ -0,0 +1,1595 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <inttypes.h>
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+
+#include <cmocka.h>
+
+#include <isc/atomic.h>
+#include <isc/cmocka.h>
+#include <isc/commandline.h>
+#include <isc/condition.h>
+#include <isc/managers.h>
+#include <isc/mem.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/task.h>
+#include <isc/time.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include "isctest.h"
+
+/* Set to true (or use -v option) for verbose output */
+static bool verbose = false;
+
+static isc_mutex_t lock;
+static isc_condition_t cv;
+
+atomic_int_fast32_t counter;
+static int active[10];
+static atomic_bool done, done2;
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	isc_mutex_init(&lock);
+
+	isc_condition_init(&cv);
+
+	result = isc_test_begin(NULL, true, 0);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_setup2(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	isc_mutex_init(&lock);
+
+	isc_condition_init(&cv);
+
+	/* Two worker threads */
+	result = isc_test_begin(NULL, true, 2);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_setup4(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	isc_mutex_init(&lock);
+
+	isc_condition_init(&cv);
+
+	/* Four worker threads */
+	result = isc_test_begin(NULL, true, 4);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	isc_test_end();
+	isc_condition_destroy(&cv);
+
+	return (0);
+}
+
+static void
+set(isc_task_t *task, isc_event_t *event) {
+	atomic_int_fast32_t *value = (atomic_int_fast32_t *)event->ev_arg;
+
+	UNUSED(task);
+
+	isc_event_free(&event);
+	atomic_store(value, atomic_fetch_add(&counter, 1));
+}
+
+#include <isc/thread.h>
+
+static void
+set_and_drop(isc_task_t *task, isc_event_t *event) {
+	atomic_int_fast32_t *value = (atomic_int_fast32_t *)event->ev_arg;
+
+	UNUSED(task);
+
+	isc_event_free(&event);
+	LOCK(&lock);
+	atomic_store(value, atomic_fetch_add(&counter, 1));
+	UNLOCK(&lock);
+}
+
+/* Create a task */
+static void
+create_task(void **state) {
+	isc_result_t result;
+	isc_task_t *task = NULL;
+
+	UNUSED(state);
+
+	result = isc_task_create(taskmgr, 0, &task);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	isc_task_destroy(&task);
+	assert_null(task);
+}
+
+/* Process events */
+static void
+all_events(void **state) {
+	isc_result_t result;
+	isc_task_t *task = NULL;
+	isc_event_t *event = NULL;
+	atomic_int_fast32_t a, b;
+	int i = 0;
+
+	UNUSED(state);
+
+	atomic_init(&counter, 1);
+	atomic_init(&a, 0);
+	atomic_init(&b, 0);
+
+	result = isc_task_create(taskmgr, 0, &task);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/* First event */
+	event = isc_event_allocate(test_mctx, task, ISC_TASKEVENT_TEST, set, &a,
+				   sizeof(isc_event_t));
+	assert_non_null(event);
+
+	assert_int_equal(atomic_load(&a), 0);
+	isc_task_send(task, &event);
+
+	event = isc_event_allocate(test_mctx, task, ISC_TASKEVENT_TEST, set, &b,
+				   sizeof(isc_event_t));
+	assert_non_null(event);
+
+	assert_int_equal(atomic_load(&b), 0);
+	isc_task_send(task, &event);
+
+	while ((atomic_load(&a) == 0 || atomic_load(&b) == 0) && i++ < 5000) {
+		isc_test_nap(1000);
+	}
+
+	assert_int_not_equal(atomic_load(&a), 0);
+	assert_int_not_equal(atomic_load(&b), 0);
+
+	isc_task_destroy(&task);
+	assert_null(task);
+}
+
+/* Privileged events */
+static void
+privileged_events(void **state) {
+	isc_result_t result;
+	isc_task_t *task1 = NULL, *task2 = NULL;
+	isc_event_t *event = NULL;
+	atomic_int_fast32_t a, b, c, d, e;
+	int i = 0;
+
+	UNUSED(state);
+
+	atomic_init(&counter, 1);
+	atomic_init(&a, -1);
+	atomic_init(&b, -1);
+	atomic_init(&c, -1);
+	atomic_init(&d, -1);
+	atomic_init(&e, -1);
+
+	/*
+	 * Pause the net/task manager so we can fill up the work
+	 * queue without things happening while we do it.
+	 */
+	isc_nm_pause(netmgr);
+	isc_taskmgr_setmode(taskmgr, isc_taskmgrmode_privileged);
+
+	result = isc_task_create(taskmgr, 0, &task1);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	isc_task_setname(task1, "privileged", NULL);
+	assert_false(isc_task_getprivilege(task1));
+	isc_task_setprivilege(task1, true);
+	assert_true(isc_task_getprivilege(task1));
+
+	result = isc_task_create(taskmgr, 0, &task2);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	isc_task_setname(task2, "normal", NULL);
+	assert_false(isc_task_getprivilege(task2));
+
+	/* First event: privileged */
+	event = isc_event_allocate(test_mctx, task1, ISC_TASKEVENT_TEST, set,
+				   &a, sizeof(isc_event_t));
+	assert_non_null(event);
+
+	assert_int_equal(atomic_load(&a), -1);
+	isc_task_send(task1, &event);
+
+	/* Second event: not privileged */
+	event = isc_event_allocate(test_mctx, task2, ISC_TASKEVENT_TEST, set,
+				   &b, sizeof(isc_event_t));
+	assert_non_null(event);
+
+	assert_int_equal(atomic_load(&b), -1);
+	isc_task_send(task2, &event);
+
+	/* Third event: privileged */
+	event = isc_event_allocate(test_mctx, task1, ISC_TASKEVENT_TEST, set,
+				   &c, sizeof(isc_event_t));
+	assert_non_null(event);
+
+	assert_int_equal(atomic_load(&c), -1);
+	isc_task_send(task1, &event);
+
+	/* Fourth event: privileged */
+	event = isc_event_allocate(test_mctx, task1, ISC_TASKEVENT_TEST, set,
+				   &d, sizeof(isc_event_t));
+	assert_non_null(event);
+
+	assert_int_equal(atomic_load(&d), -1);
+	isc_task_send(task1, &event);
+
+	/* Fifth event: not privileged */
+	event = isc_event_allocate(test_mctx, task2, ISC_TASKEVENT_TEST, set,
+				   &e, sizeof(isc_event_t));
+	assert_non_null(event);
+
+	assert_int_equal(atomic_load(&e), -1);
+	isc_task_send(task2, &event);
+
+	isc_nm_resume(netmgr);
+
+	/* We're waiting for *all* variables to be set */
+	while ((atomic_load(&a) < 0 || atomic_load(&b) < 0 ||
+		atomic_load(&c) < 0 || atomic_load(&d) < 0 ||
+		atomic_load(&e) < 0) &&
+	       i++ < 5000)
+	{
+		isc_test_nap(1000);
+	}
+
+	/*
+	 * We can't guarantee what order the events fire, but
+	 * we do know the privileged tasks that set a, c, and d
+	 * would have fired first.
+	 */
+	assert_true(atomic_load(&a) <= 3);
+	assert_true(atomic_load(&c) <= 3);
+	assert_true(atomic_load(&d) <= 3);
+
+	/* ...and the non-privileged tasks that set b and e, last */
+	assert_true(atomic_load(&b) > 3);
+	assert_true(atomic_load(&e) > 3);
+
+	assert_int_equal(atomic_load(&counter), 6);
+
+	isc_task_setprivilege(task1, false);
+	assert_false(isc_task_getprivilege(task1));
+
+	isc_task_destroy(&task1);
+	assert_null(task1);
+	isc_task_destroy(&task2);
+	assert_null(task2);
+}
+
+/*
+ * Edge case: this tests that the task manager behaves as expected when
+ * we explicitly set it into normal mode *while* running privileged.
+ */
+static void
+privilege_drop(void **state) {
+	isc_result_t result;
+	isc_task_t *task1 = NULL, *task2 = NULL;
+	isc_event_t *event = NULL;
+	atomic_int_fast32_t a, b, c, d, e; /* non valid states */
+	int i = 0;
+
+	UNUSED(state);
+
+	atomic_init(&counter, 1);
+	atomic_init(&a, -1);
+	atomic_init(&b, -1);
+	atomic_init(&c, -1);
+	atomic_init(&d, -1);
+	atomic_init(&e, -1);
+
+	/*
+	 * Pause the net/task manager so we can fill up the work queue
+	 * without things happening while we do it.
+	 */
+	isc_nm_pause(netmgr);
+	isc_taskmgr_setmode(taskmgr, isc_taskmgrmode_privileged);
+
+	result = isc_task_create(taskmgr, 0, &task1);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	isc_task_setname(task1, "privileged", NULL);
+	assert_false(isc_task_getprivilege(task1));
+	isc_task_setprivilege(task1, true);
+	assert_true(isc_task_getprivilege(task1));
+
+	result = isc_task_create(taskmgr, 0, &task2);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	isc_task_setname(task2, "normal", NULL);
+	assert_false(isc_task_getprivilege(task2));
+
+	/* First event: privileged */
+	event = isc_event_allocate(test_mctx, task1, ISC_TASKEVENT_TEST,
+				   set_and_drop, &a, sizeof(isc_event_t));
+	assert_non_null(event);
+
+	assert_int_equal(atomic_load(&a), -1);
+	isc_task_send(task1, &event);
+
+	/* Second event: not privileged */
+	event = isc_event_allocate(test_mctx, task2, ISC_TASKEVENT_TEST,
+				   set_and_drop, &b, sizeof(isc_event_t));
+	assert_non_null(event);
+
+	assert_int_equal(atomic_load(&b), -1);
+	isc_task_send(task2, &event);
+
+	/* Third event: privileged */
+	event = isc_event_allocate(test_mctx, task1, ISC_TASKEVENT_TEST,
+				   set_and_drop, &c, sizeof(isc_event_t));
+	assert_non_null(event);
+
+	assert_int_equal(atomic_load(&c), -1);
+	isc_task_send(task1, &event);
+
+	/* Fourth event: privileged */
+	event = isc_event_allocate(test_mctx, task1, ISC_TASKEVENT_TEST,
+				   set_and_drop, &d, sizeof(isc_event_t));
+	assert_non_null(event);
+
+	assert_int_equal(atomic_load(&d), -1);
+	isc_task_send(task1, &event);
+
+	/* Fifth event: not privileged */
+	event = isc_event_allocate(test_mctx, task2, ISC_TASKEVENT_TEST,
+				   set_and_drop, &e, sizeof(isc_event_t));
+	assert_non_null(event);
+
+	assert_int_equal(atomic_load(&e), -1);
+	isc_task_send(task2, &event);
+
+	isc_nm_resume(netmgr);
+
+	/* We're waiting for all variables to be set. */
+	while ((atomic_load(&a) == -1 || atomic_load(&b) == -1 ||
+		atomic_load(&c) == -1 || atomic_load(&d) == -1 ||
+		atomic_load(&e) == -1) &&
+	       i++ < 5000)
+	{
+		isc_test_nap(1000);
+	}
+
+	/*
+	 * We need to check that all privilege mode events were fired
+	 * in privileged mode, and non privileged in non-privileged.
+	 */
+	assert_true(atomic_load(&a) <= 3);
+	assert_true(atomic_load(&c) <= 3);
+	assert_true(atomic_load(&d) <= 3);
+
+	/* ...and neither of the non-privileged tasks did... */
+	assert_true(atomic_load(&b) > 3);
+	assert_true(atomic_load(&e) > 3);
+
+	/* ...but all five of them did run. */
+	assert_int_equal(atomic_load(&counter), 6);
+
+	isc_task_destroy(&task1);
+	assert_null(task1);
+	isc_task_destroy(&task2);
+	assert_null(task2);
+}
+
+static void
+sleep_cb(isc_task_t *task, isc_event_t *event) {
+	UNUSED(task);
+	int p = *(int *)event->ev_arg;
+	if (p == 1) {
+		/*
+		 * Signal the main thread that we're running, so that
+		 * it can trigger the race.
+		 */
+		LOCK(&lock);
+		atomic_store(&done2, true);
+		SIGNAL(&cv);
+		UNLOCK(&lock);
+		/*
+		 * Wait for the operations in the main thread to be finished.
+		 */
+		LOCK(&lock);
+		while (!atomic_load(&done)) {
+			WAIT(&cv, &lock);
+		}
+		UNLOCK(&lock);
+	} else {
+		/*
+		 * Wait for the operations in the main thread to be finished.
+		 */
+		LOCK(&lock);
+		atomic_store(&done2, true);
+		SIGNAL(&cv);
+		UNLOCK(&lock);
+	}
+	isc_event_free(&event);
+}
+
+static void
+pause_unpause(void **state) {
+	isc_result_t result;
+	isc_task_t *task = NULL;
+	isc_event_t *event1, *event2 = NULL;
+	UNUSED(state);
+	atomic_store(&done, false);
+	atomic_store(&done2, false);
+
+	result = isc_task_create(taskmgr, 0, &task);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	event1 = isc_event_allocate(test_mctx, task, ISC_TASKEVENT_TEST,
+				    sleep_cb, &(int){ 1 }, sizeof(isc_event_t));
+	assert_non_null(event1);
+	event2 = isc_event_allocate(test_mctx, task, ISC_TASKEVENT_TEST,
+				    sleep_cb, &(int){ 2 }, sizeof(isc_event_t));
+	assert_non_null(event2);
+	isc_task_send(task, &event1);
+	isc_task_send(task, &event2);
+	/* Wait for event1 to be running */
+	LOCK(&lock);
+	while (!atomic_load(&done2)) {
+		WAIT(&cv, &lock);
+	}
+	UNLOCK(&lock);
+	/* Pause-unpause-detach is what causes the race */
+	isc_task_pause(task);
+	isc_task_unpause(task);
+	isc_task_detach(&task);
+	/* Signal event1 to finish */
+	LOCK(&lock);
+	atomic_store(&done2, false);
+	atomic_store(&done, true);
+	SIGNAL(&cv);
+	UNLOCK(&lock);
+	/* Wait for event2 to finish */
+	LOCK(&lock);
+	while (!atomic_load(&done2)) {
+		WAIT(&cv, &lock);
+	}
+	UNLOCK(&lock);
+}
+
+/*
+ * Basic task functions:
+ */
+static void
+basic_cb(isc_task_t *task, isc_event_t *event) {
+	int i, j;
+
+	UNUSED(task);
+
+	j = 0;
+	for (i = 0; i < 1000000; i++) {
+		j += 100;
+	}
+
+	UNUSED(j);
+
+	if (verbose) {
+		print_message("# task %s\n", (char *)event->ev_arg);
+	}
+
+	isc_event_free(&event);
+}
+
+static void
+basic_shutdown(isc_task_t *task, isc_event_t *event) {
+	UNUSED(task);
+
+	if (verbose) {
+		print_message("# shutdown %s\n", (char *)event->ev_arg);
+	}
+
+	isc_event_free(&event);
+}
+
+static void
+basic_tick(isc_task_t *task, isc_event_t *event) {
+	UNUSED(task);
+
+	if (verbose) {
+		print_message("# %s\n", (char *)event->ev_arg);
+	}
+
+	isc_event_free(&event);
+}
+
+static char one[] = "1";
+static char two[] = "2";
+static char three[] = "3";
+static char four[] = "4";
+static char tick[] = "tick";
+static char tock[] = "tock";
+
+static void
+basic(void **state) {
+	isc_result_t result;
+	isc_task_t *task1 = NULL;
+	isc_task_t *task2 = NULL;
+	isc_task_t *task3 = NULL;
+	isc_task_t *task4 = NULL;
+	isc_event_t *event = NULL;
+	isc_timer_t *ti1 = NULL;
+	isc_timer_t *ti2 = NULL;
+	isc_time_t absolute;
+	isc_interval_t interval;
+	char *testarray[] = { one, one, one,   one,  one, one,	 one,  one,
+			      one, two, three, four, two, three, four, NULL };
+	int i;
+
+	UNUSED(state);
+
+	result = isc_task_create(taskmgr, 0, &task1);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = isc_task_create(taskmgr, 0, &task2);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = isc_task_create(taskmgr, 0, &task3);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = isc_task_create(taskmgr, 0, &task4);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = isc_task_onshutdown(task1, basic_shutdown, one);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = isc_task_onshutdown(task2, basic_shutdown, two);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = isc_task_onshutdown(task3, basic_shutdown, three);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	result = isc_task_onshutdown(task4, basic_shutdown, four);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	isc_time_settoepoch(&absolute);
+	isc_interval_set(&interval, 1, 0);
+	result = isc_timer_create(timermgr, isc_timertype_ticker, &absolute,
+				  &interval, task1, basic_tick, tick, &ti1);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	ti2 = NULL;
+	isc_time_settoepoch(&absolute);
+	isc_interval_set(&interval, 1, 0);
+	result = isc_timer_create(timermgr, isc_timertype_ticker, &absolute,
+				  &interval, task2, basic_tick, tock, &ti2);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+#ifndef WIN32
+	sleep(2);
+#else  /* ifndef WIN32 */
+	Sleep(2000);
+#endif /* ifndef WIN32 */
+
+	for (i = 0; testarray[i] != NULL; i++) {
+		/*
+		 * Note:  (void *)1 is used as a sender here, since some
+		 * compilers don't like casting a function pointer to a
+		 * (void *).
+		 *
+		 * In a real use, it is more likely the sender would be a
+		 * structure (socket, timer, task, etc) but this is just a
+		 * test program.
+		 */
+		event = isc_event_allocate(test_mctx, (void *)1, 1, basic_cb,
+					   testarray[i], sizeof(*event));
+		assert_non_null(event);
+		isc_task_send(task1, &event);
+	}
+
+	(void)isc_task_purge(task3, NULL, 0, 0);
+
+	isc_task_detach(&task1);
+	isc_task_detach(&task2);
+	isc_task_detach(&task3);
+	isc_task_detach(&task4);
+
+#ifndef WIN32
+	sleep(10);
+#else  /* ifndef WIN32 */
+	Sleep(10000);
+#endif /* ifndef WIN32 */
+	isc_timer_destroy(&ti1);
+	isc_timer_destroy(&ti2);
+}
+
+/*
+ * Exclusive mode test:
+ * When one task enters exclusive mode, all other active
+ * tasks complete first.
+ */
+static int
+spin(int n) {
+	int i;
+	int r = 0;
+	for (i = 0; i < n; i++) {
+		r += i;
+		if (r > 1000000) {
+			r = 0;
+		}
+	}
+	return (r);
+}
+
+static void
+exclusive_cb(isc_task_t *task, isc_event_t *event) {
+	int taskno = *(int *)(event->ev_arg);
+
+	if (verbose) {
+		print_message("# task enter %d\n", taskno);
+	}
+
+	/* task chosen from the middle of the range */
+	if (taskno == 6) {
+		isc_result_t result;
+		int i;
+
+		result = isc_task_beginexclusive(task);
+		assert_int_equal(result, ISC_R_SUCCESS);
+
+		for (i = 0; i < 10; i++) {
+			assert_int_equal(active[i], 0);
+		}
+
+		isc_task_endexclusive(task);
+		atomic_store(&done, true);
+	} else {
+		active[taskno]++;
+		(void)spin(10000000);
+		active[taskno]--;
+	}
+
+	if (verbose) {
+		print_message("# task exit %d\n", taskno);
+	}
+
+	if (atomic_load(&done)) {
+		isc_mem_put(event->ev_destroy_arg, event->ev_arg, sizeof(int));
+		isc_event_free(&event);
+		atomic_fetch_sub(&counter, 1);
+	} else {
+		isc_task_send(task, &event);
+	}
+}
+
+static void
+task_exclusive(void **state) {
+	isc_task_t *tasks[10];
+	isc_result_t result;
+	int i;
+
+	UNUSED(state);
+
+	atomic_init(&counter, 0);
+
+	for (i = 0; i < 10; i++) {
+		isc_event_t *event = NULL;
+		int *v;
+
+		tasks[i] = NULL;
+
+		if (i == 6) {
+			/* task chosen from the middle of the range */
+			result = isc_task_create_bound(taskmgr, 0, &tasks[i],
+						       0);
+			assert_int_equal(result, ISC_R_SUCCESS);
+
+			isc_taskmgr_setexcltask(taskmgr, tasks[6]);
+		} else {
+			result = isc_task_create(taskmgr, 0, &tasks[i]);
+			assert_int_equal(result, ISC_R_SUCCESS);
+		}
+
+		v = isc_mem_get(test_mctx, sizeof *v);
+		assert_non_null(v);
+
+		*v = i;
+
+		event = isc_event_allocate(test_mctx, NULL, 1, exclusive_cb, v,
+					   sizeof(*event));
+		assert_non_null(event);
+
+		isc_task_send(tasks[i], &event);
+		atomic_fetch_add(&counter, 1);
+	}
+
+	for (i = 0; i < 10; i++) {
+		isc_task_detach(&tasks[i]);
+	}
+
+	while (atomic_load(&counter) > 0) {
+		isc_test_nap(1000);
+	}
+}
+
+/*
+ * Max tasks test:
+ * The task system can create and execute many tasks. Tests with 10000.
+ */
+static void
+maxtask_shutdown(isc_task_t *task, isc_event_t *event) {
+	UNUSED(task);
+
+	if (event->ev_arg != NULL) {
+		isc_task_destroy((isc_task_t **)&event->ev_arg);
+	} else {
+		LOCK(&lock);
+		atomic_store(&done, true);
+		SIGNAL(&cv);
+		UNLOCK(&lock);
+	}
+
+	isc_event_free(&event);
+}
+
+static void
+maxtask_cb(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result;
+
+	if (event->ev_arg != NULL) {
+		isc_task_t *newtask = NULL;
+
+		event->ev_arg = (void *)(((uintptr_t)event->ev_arg) - 1);
+
+		/*
+		 * Create a new task and forward the message.
+		 */
+		result = isc_task_create(taskmgr, 0, &newtask);
+		assert_int_equal(result, ISC_R_SUCCESS);
+
+		result = isc_task_onshutdown(newtask, maxtask_shutdown,
+					     (void *)task);
+		assert_int_equal(result, ISC_R_SUCCESS);
+
+		isc_task_send(newtask, &event);
+	} else if (task != NULL) {
+		isc_task_destroy(&task);
+		isc_event_free(&event);
+	}
+}
+
+static void
+manytasks(void **state) {
+	isc_mem_t *mctx = NULL;
+	isc_event_t *event = NULL;
+	uintptr_t ntasks = 10000;
+
+	UNUSED(state);
+
+	if (verbose) {
+		print_message("# Testing with %lu tasks\n",
+			      (unsigned long)ntasks);
+	}
+
+	isc_mutex_init(&lock);
+	isc_condition_init(&cv);
+
+	isc_mem_debugging = ISC_MEM_DEBUGRECORD;
+	isc_mem_create(&mctx);
+
+	isc_managers_create(mctx, 4, 0, &netmgr, &taskmgr);
+
+	atomic_init(&done, false);
+
+	event = isc_event_allocate(mctx, (void *)1, 1, maxtask_cb,
+				   (void *)ntasks, sizeof(*event));
+	assert_non_null(event);
+
+	LOCK(&lock);
+	maxtask_cb(NULL, event);
+	while (!atomic_load(&done)) {
+		WAIT(&cv, &lock);
+	}
+	UNLOCK(&lock);
+
+	isc_managers_destroy(&netmgr, &taskmgr);
+
+	isc_mem_destroy(&mctx);
+	isc_condition_destroy(&cv);
+	isc_mutex_destroy(&lock);
+}
+
+/*
+ * Shutdown test:
+ * When isc_task_shutdown() is called, shutdown events are posted
+ * in LIFO order.
+ */
+
+static int nevents = 0;
+static int nsdevents = 0;
+static int senders[4];
+atomic_bool ready, all_done;
+
+static void
+sd_sde1(isc_task_t *task, isc_event_t *event) {
+	UNUSED(task);
+
+	assert_int_equal(nevents, 256);
+	assert_int_equal(nsdevents, 1);
+	++nsdevents;
+
+	if (verbose) {
+		print_message("# shutdown 1\n");
+	}
+
+	isc_event_free(&event);
+
+	atomic_store(&all_done, true);
+}
+
+static void
+sd_sde2(isc_task_t *task, isc_event_t *event) {
+	UNUSED(task);
+
+	assert_int_equal(nevents, 256);
+	assert_int_equal(nsdevents, 0);
+	++nsdevents;
+
+	if (verbose) {
+		print_message("# shutdown 2\n");
+	}
+
+	isc_event_free(&event);
+}
+
+static void
+sd_event1(isc_task_t *task, isc_event_t *event) {
+	UNUSED(task);
+
+	LOCK(&lock);
+	while (!atomic_load(&ready)) {
+		WAIT(&cv, &lock);
+	}
+	UNLOCK(&lock);
+
+	if (verbose) {
+		print_message("# event 1\n");
+	}
+
+	isc_event_free(&event);
+}
+
+static void
+sd_event2(isc_task_t *task, isc_event_t *event) {
+	UNUSED(task);
+
+	++nevents;
+
+	if (verbose) {
+		print_message("# event 2\n");
+	}
+
+	isc_event_free(&event);
+}
+
+static void
+task_shutdown(void **state) {
+	isc_result_t result;
+	isc_eventtype_t event_type;
+	isc_event_t *event = NULL;
+	isc_task_t *task = NULL;
+	int i;
+
+	UNUSED(state);
+
+	nevents = nsdevents = 0;
+	event_type = 3;
+	atomic_init(&ready, false);
+	atomic_init(&all_done, false);
+
+	LOCK(&lock);
+
+	result = isc_task_create(taskmgr, 0, &task);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/*
+	 * This event causes the task to wait on cv.
+	 */
+	event = isc_event_allocate(test_mctx, &senders[1], event_type,
+				   sd_event1, NULL, sizeof(*event));
+	assert_non_null(event);
+	isc_task_send(task, &event);
+
+	/*
+	 * Now we fill up the task's event queue with some events.
+	 */
+	for (i = 0; i < 256; ++i) {
+		event = isc_event_allocate(test_mctx, &senders[1], event_type,
+					   sd_event2, NULL, sizeof(*event));
+		assert_non_null(event);
+		isc_task_send(task, &event);
+	}
+
+	/*
+	 * Now we register two shutdown events.
+	 */
+	result = isc_task_onshutdown(task, sd_sde1, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = isc_task_onshutdown(task, sd_sde2, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	isc_task_shutdown(task);
+	isc_task_detach(&task);
+
+	/*
+	 * Now we free the task by signaling cv.
+	 */
+	atomic_store(&ready, true);
+	SIGNAL(&cv);
+	UNLOCK(&lock);
+
+	while (!atomic_load(&all_done)) {
+		isc_test_nap(1000);
+	}
+
+	assert_int_equal(nsdevents, 2);
+}
+
+/*
+ * Post-shutdown test:
+ * After isc_task_shutdown() has been called, any call to
+ * isc_task_onshutdown() will return ISC_R_SHUTTINGDOWN.
+ */
+static void
+psd_event1(isc_task_t *task, isc_event_t *event) {
+	UNUSED(task);
+
+	LOCK(&lock);
+
+	while (!atomic_load(&done)) {
+		WAIT(&cv, &lock);
+	}
+
+	UNLOCK(&lock);
+
+	isc_event_free(&event);
+}
+
+static void
+psd_sde(isc_task_t *task, isc_event_t *event) {
+	UNUSED(task);
+
+	isc_event_free(&event);
+}
+
+static void
+post_shutdown(void **state) {
+	isc_result_t result;
+	isc_eventtype_t event_type;
+	isc_event_t *event;
+	isc_task_t *task;
+
+	UNUSED(state);
+
+	atomic_init(&done, false);
+	event_type = 4;
+
+	isc_condition_init(&cv);
+
+	LOCK(&lock);
+
+	task = NULL;
+	result = isc_task_create(taskmgr, 0, &task);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/*
+	 * This event causes the task to wait on cv.
+	 */
+	event = isc_event_allocate(test_mctx, &senders[1], event_type,
+				   psd_event1, NULL, sizeof(*event));
+	assert_non_null(event);
+	isc_task_send(task, &event);
+
+	isc_task_shutdown(task);
+
+	result = isc_task_onshutdown(task, psd_sde, NULL);
+	assert_int_equal(result, ISC_R_SHUTTINGDOWN);
+
+	/*
+	 * Release the task.
+	 */
+	atomic_store(&done, true);
+
+	SIGNAL(&cv);
+	UNLOCK(&lock);
+
+	isc_task_detach(&task);
+}
+
+/*
+ * Helper for the purge tests below:
+ */
+
+#define SENDERCNT 3
+#define TYPECNT	  4
+#define TAGCNT	  5
+#define NEVENTS	  (SENDERCNT * TYPECNT * TAGCNT)
+
+static bool testrange;
+static void *purge_sender;
+static isc_eventtype_t purge_type_first;
+static isc_eventtype_t purge_type_last;
+static void *purge_tag;
+static int eventcnt;
+
+atomic_bool started;
+
+static void
+pg_event1(isc_task_t *task, isc_event_t *event) {
+	UNUSED(task);
+
+	LOCK(&lock);
+	while (!atomic_load(&started)) {
+		WAIT(&cv, &lock);
+	}
+	UNLOCK(&lock);
+
+	isc_event_free(&event);
+}
+
+static void
+pg_event2(isc_task_t *task, isc_event_t *event) {
+	bool sender_match = false;
+	bool type_match = false;
+	bool tag_match = false;
+
+	UNUSED(task);
+
+	if ((purge_sender == NULL) || (purge_sender == event->ev_sender)) {
+		sender_match = true;
+	}
+
+	if (testrange) {
+		if ((purge_type_first <= event->ev_type) &&
+		    (event->ev_type <= purge_type_last))
+		{
+			type_match = true;
+		}
+	} else {
+		if (purge_type_first == event->ev_type) {
+			type_match = true;
+		}
+	}
+
+	if ((purge_tag == NULL) || (purge_tag == event->ev_tag)) {
+		tag_match = true;
+	}
+
+	if (sender_match && type_match && tag_match) {
+		if ((event->ev_attributes & ISC_EVENTATTR_NOPURGE) != 0) {
+			if (verbose) {
+				print_message("# event %p,%d,%p "
+					      "matched but was not "
+					      "purgeable\n",
+					      event->ev_sender,
+					      (int)event->ev_type,
+					      event->ev_tag);
+			}
+			++eventcnt;
+		} else if (verbose) {
+			print_message("# event %p,%d,%p not purged\n",
+				      event->ev_sender, (int)event->ev_type,
+				      event->ev_tag);
+		}
+	} else {
+		++eventcnt;
+	}
+
+	isc_event_free(&event);
+}
+
+static void
+pg_sde(isc_task_t *task, isc_event_t *event) {
+	UNUSED(task);
+
+	LOCK(&lock);
+	atomic_store(&done, true);
+	SIGNAL(&cv);
+	UNLOCK(&lock);
+
+	isc_event_free(&event);
+}
+
+static void
+test_purge(int sender, int type, int tag, int exp_purged) {
+	isc_result_t result;
+	isc_task_t *task = NULL;
+	isc_event_t *eventtab[NEVENTS];
+	isc_event_t *event = NULL;
+	isc_interval_t interval;
+	isc_time_t now;
+	int sender_cnt, type_cnt, tag_cnt, event_cnt, i;
+	int purged = 0;
+
+	atomic_init(&started, false);
+	atomic_init(&done, false);
+	eventcnt = 0;
+
+	isc_condition_init(&cv);
+
+	result = isc_task_create(taskmgr, 0, &task);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = isc_task_onshutdown(task, pg_sde, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/*
+	 * Block the task on cv.
+	 */
+	event = isc_event_allocate(test_mctx, (void *)1, 9999, pg_event1, NULL,
+				   sizeof(*event));
+
+	assert_non_null(event);
+	isc_task_send(task, &event);
+
+	/*
+	 * Fill the task's queue with some messages with varying
+	 * sender, type, tag, and purgeable attribute values.
+	 */
+	event_cnt = 0;
+	for (sender_cnt = 0; sender_cnt < SENDERCNT; ++sender_cnt) {
+		for (type_cnt = 0; type_cnt < TYPECNT; ++type_cnt) {
+			for (tag_cnt = 0; tag_cnt < TAGCNT; ++tag_cnt) {
+				eventtab[event_cnt] = isc_event_allocate(
+					test_mctx,
+					&senders[sender + sender_cnt],
+					(isc_eventtype_t)(type + type_cnt),
+					pg_event2, NULL, sizeof(*event));
+
+				assert_non_null(eventtab[event_cnt]);
+
+				eventtab[event_cnt]->ev_tag =
+					(void *)((uintptr_t)tag + tag_cnt);
+
+				/*
+				 * Mark events as non-purgeable if
+				 * sender, type and tag are all
+				 * odd-numbered. (There should be 4
+				 * of these out of 60 events total.)
+				 */
+				if (((sender_cnt % 2) != 0) &&
+				    ((type_cnt % 2) != 0) &&
+				    ((tag_cnt % 2) != 0))
+				{
+					eventtab[event_cnt]->ev_attributes |=
+						ISC_EVENTATTR_NOPURGE;
+				}
+				++event_cnt;
+			}
+		}
+	}
+
+	for (i = 0; i < event_cnt; ++i) {
+		isc_task_send(task, &eventtab[i]);
+	}
+
+	if (testrange) {
+		/*
+		 * We're testing isc_task_purgerange.
+		 */
+		purged = isc_task_purgerange(
+			task, purge_sender, (isc_eventtype_t)purge_type_first,
+			(isc_eventtype_t)purge_type_last, purge_tag);
+		assert_int_equal(purged, exp_purged);
+	} else {
+		/*
+		 * We're testing isc_task_purge.
+		 */
+		if (verbose) {
+			print_message("# purge events %p,%u,%p\n", purge_sender,
+				      purge_type_first, purge_tag);
+		}
+		purged = isc_task_purge(task, purge_sender,
+					(isc_eventtype_t)purge_type_first,
+					purge_tag);
+		if (verbose) {
+			print_message("# purged %d expected %d\n", purged,
+				      exp_purged);
+		}
+
+		assert_int_equal(purged, exp_purged);
+	}
+
+	/*
+	 * Unblock the task, allowing event processing.
+	 */
+	LOCK(&lock);
+	atomic_store(&started, true);
+	SIGNAL(&cv);
+
+	isc_task_shutdown(task);
+
+	isc_interval_set(&interval, 5, 0);
+
+	/*
+	 * Wait for shutdown processing to complete.
+	 */
+	while (!atomic_load(&done)) {
+		result = isc_time_nowplusinterval(&now, &interval);
+		assert_int_equal(result, ISC_R_SUCCESS);
+
+		WAITUNTIL(&cv, &lock, &now);
+	}
+
+	UNLOCK(&lock);
+
+	isc_task_detach(&task);
+
+	assert_int_equal(eventcnt, event_cnt - exp_purged);
+}
+
+/*
+ * Purge test:
+ * A call to isc_task_purge(task, sender, type, tag) purges all events of
+ * type 'type' and with tag 'tag' not marked as unpurgeable from sender
+ * from the task's " queue and returns the number of events purged.
+ */
+static void
+purge(void **state) {
+	UNUSED(state);
+
+	/* Try purging on a specific sender. */
+	if (verbose) {
+		print_message("# testing purge on 2,4,8 expecting 1\n");
+	}
+	purge_sender = &senders[2];
+	purge_type_first = 4;
+	purge_type_last = 4;
+	purge_tag = (void *)8;
+	testrange = false;
+	test_purge(1, 4, 7, 1);
+
+	/* Try purging on all senders. */
+	if (verbose) {
+		print_message("# testing purge on 0,4,8 expecting 3\n");
+	}
+	purge_sender = NULL;
+	purge_type_first = 4;
+	purge_type_last = 4;
+	purge_tag = (void *)8;
+	testrange = false;
+	test_purge(1, 4, 7, 3);
+
+	/* Try purging on all senders, specified type, all tags. */
+	if (verbose) {
+		print_message("# testing purge on 0,4,0 expecting 15\n");
+	}
+	purge_sender = NULL;
+	purge_type_first = 4;
+	purge_type_last = 4;
+	purge_tag = NULL;
+	testrange = false;
+	test_purge(1, 4, 7, 15);
+
+	/* Try purging on a specified tag, no such type. */
+	if (verbose) {
+		print_message("# testing purge on 0,99,8 expecting 0\n");
+	}
+	purge_sender = NULL;
+	purge_type_first = 99;
+	purge_type_last = 99;
+	purge_tag = (void *)8;
+	testrange = false;
+	test_purge(1, 4, 7, 0);
+
+	/* Try purging on specified sender, type, all tags. */
+	if (verbose) {
+		print_message("# testing purge on 3,5,0 expecting 5\n");
+	}
+	purge_sender = &senders[3];
+	purge_type_first = 5;
+	purge_type_last = 5;
+	purge_tag = NULL;
+	testrange = false;
+	test_purge(1, 4, 7, 5);
+}
+
+/*
+ * Purge range test:
+ * A call to isc_event_purgerange(task, sender, first, last, tag) purges
+ * all events not marked unpurgeable from sender 'sender' and of type within
+ * the range 'first' to 'last' inclusive from the task's event queue and
+ * returns the number of tasks purged.
+ */
+
+static void
+purgerange(void **state) {
+	UNUSED(state);
+
+	/* Now let's try some ranges. */
+	/* testing purgerange on 2,4-5,8 expecting 1 */
+	purge_sender = &senders[2];
+	purge_type_first = 4;
+	purge_type_last = 5;
+	purge_tag = (void *)8;
+	testrange = true;
+	test_purge(1, 4, 7, 1);
+
+	/* Try purging on all senders. */
+	if (verbose) {
+		print_message("# testing purge on 0,4-5,8 expecting 5\n");
+	}
+	purge_sender = NULL;
+	purge_type_first = 4;
+	purge_type_last = 5;
+	purge_tag = (void *)8;
+	testrange = true;
+	test_purge(1, 4, 7, 5);
+
+	/* Try purging on all senders, specified type, all tags. */
+	if (verbose) {
+		print_message("# testing purge on 0,5-6,0 expecting 28\n");
+	}
+	purge_sender = NULL;
+	purge_type_first = 5;
+	purge_type_last = 6;
+	purge_tag = NULL;
+	testrange = true;
+	test_purge(1, 4, 7, 28);
+
+	/* Try purging on a specified tag, no such type. */
+	if (verbose) {
+		print_message("# testing purge on 0,99-101,8 expecting 0\n");
+	}
+	purge_sender = NULL;
+	purge_type_first = 99;
+	purge_type_last = 101;
+	purge_tag = (void *)8;
+	testrange = true;
+	test_purge(1, 4, 7, 0);
+
+	/* Try purging on specified sender, type, all tags. */
+	if (verbose) {
+		print_message("# testing purge on 3,5-6,0 expecting 10\n");
+	}
+	purge_sender = &senders[3];
+	purge_type_first = 5;
+	purge_type_last = 6;
+	purge_tag = NULL;
+	testrange = true;
+	test_purge(1, 4, 7, 10);
+}
+
+/*
+ * Helpers for purge event tests
+ */
+static void
+pge_event1(isc_task_t *task, isc_event_t *event) {
+	UNUSED(task);
+
+	LOCK(&lock);
+	while (!atomic_load(&started)) {
+		WAIT(&cv, &lock);
+	}
+	UNLOCK(&lock);
+
+	isc_event_free(&event);
+}
+
+static void
+pge_event2(isc_task_t *task, isc_event_t *event) {
+	UNUSED(task);
+
+	++eventcnt;
+	isc_event_free(&event);
+}
+
+static void
+pge_sde(isc_task_t *task, isc_event_t *event) {
+	UNUSED(task);
+
+	LOCK(&lock);
+	atomic_store(&done, true);
+	SIGNAL(&cv);
+	UNLOCK(&lock);
+
+	isc_event_free(&event);
+}
+
+static void
+try_purgeevent(bool purgeable) {
+	isc_result_t result;
+	isc_task_t *task = NULL;
+	bool purged;
+	isc_event_t *event1 = NULL;
+	isc_event_t *event2 = NULL;
+	isc_event_t *event2_clone = NULL;
+	isc_time_t now;
+	isc_interval_t interval;
+
+	atomic_init(&started, false);
+	atomic_init(&done, false);
+	eventcnt = 0;
+
+	isc_condition_init(&cv);
+
+	result = isc_task_create(taskmgr, 0, &task);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = isc_task_onshutdown(task, pge_sde, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/*
+	 * Block the task on cv.
+	 */
+	event1 = isc_event_allocate(test_mctx, (void *)1, (isc_eventtype_t)1,
+				    pge_event1, NULL, sizeof(*event1));
+	assert_non_null(event1);
+	isc_task_send(task, &event1);
+
+	event2 = isc_event_allocate(test_mctx, (void *)1, (isc_eventtype_t)1,
+				    pge_event2, NULL, sizeof(*event2));
+	assert_non_null(event2);
+
+	event2_clone = event2;
+
+	if (purgeable) {
+		event2->ev_attributes &= ~ISC_EVENTATTR_NOPURGE;
+	} else {
+		event2->ev_attributes |= ISC_EVENTATTR_NOPURGE;
+	}
+
+	isc_task_send(task, &event2);
+
+	purged = isc_task_purgeevent(task, event2_clone);
+	assert_int_equal(purgeable, purged);
+
+	/*
+	 * Unblock the task, allowing event processing.
+	 */
+	LOCK(&lock);
+	atomic_store(&started, true);
+	SIGNAL(&cv);
+
+	isc_task_shutdown(task);
+
+	isc_interval_set(&interval, 5, 0);
+
+	/*
+	 * Wait for shutdown processing to complete.
+	 */
+	while (!atomic_load(&done)) {
+		result = isc_time_nowplusinterval(&now, &interval);
+		assert_int_equal(result, ISC_R_SUCCESS);
+
+		WAITUNTIL(&cv, &lock, &now);
+	}
+
+	UNLOCK(&lock);
+
+	isc_task_detach(&task);
+
+	assert_int_equal(eventcnt, (purgeable ? 0 : 1));
+}
+
+/*
+ * Purge event test:
+ * When the event is marked as purgeable, a call to
+ * isc_task_purgeevent(task, event) purges the event 'event' from the
+ * task's queue and returns true.
+ */
+
+static void
+purgeevent(void **state) {
+	UNUSED(state);
+
+	try_purgeevent(true);
+}
+
+int
+main(int argc, char **argv) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test(manytasks),
+		cmocka_unit_test_setup_teardown(all_events, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(basic, _setup2, _teardown),
+		cmocka_unit_test_setup_teardown(create_task, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(pause_unpause, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(post_shutdown, _setup2,
+						_teardown),
+		cmocka_unit_test_setup_teardown(privilege_drop, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(privileged_events, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(purge, _setup2, _teardown),
+		cmocka_unit_test_setup_teardown(purgeevent, _setup2, _teardown),
+		cmocka_unit_test_setup_teardown(purgerange, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(task_shutdown, _setup4,
+						_teardown),
+		cmocka_unit_test_setup_teardown(task_exclusive, _setup4,
+						_teardown),
+	};
+	struct CMUnitTest selected[sizeof(tests) / sizeof(tests[0])];
+	size_t i;
+	int c;
+
+	memset(selected, 0, sizeof(selected));
+
+	while ((c = isc_commandline_parse(argc, argv, "lt:v")) != -1) {
+		switch (c) {
+		case 'l':
+			for (i = 0; i < (sizeof(tests) / sizeof(tests[0])); i++)
+			{
+				if (tests[i].name != NULL) {
+					fprintf(stdout, "%s\n", tests[i].name);
+				}
+			}
+			return (0);
+		case 't':
+			if (!cmocka_add_test_byname(
+				    tests, isc_commandline_argument, selected))
+			{
+				fprintf(stderr, "unknown test '%s'\n",
+					isc_commandline_argument);
+				exit(1);
+			}
+			break;
+		case 'v':
+			verbose = true;
+			break;
+		default:
+			break;
+		}
+	}
+
+	if (selected[0].name != NULL) {
+		return (cmocka_run_group_tests(selected, NULL, NULL));
+	} else {
+		return (cmocka_run_group_tests(tests, NULL, NULL));
+	}
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/isc/tests/taskpool_test.c b/lib/isc/tests/taskpool_test.c
new file mode 100644
index 0000000..64a4641
--- /dev/null
+++ b/lib/isc/tests/taskpool_test.c
@@ -0,0 +1,204 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/task.h>
+#include <isc/taskpool.h>
+#include <isc/util.h>
+
+#include "isctest.h"
+
+#define TASK_MAGIC    ISC_MAGIC('T', 'A', 'S', 'K')
+#define VALID_TASK(t) ISC_MAGIC_VALID(t, TASK_MAGIC)
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = isc_test_begin(NULL, true, 0);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	isc_test_end();
+
+	return (0);
+}
+
+/* Create a taskpool */
+static void
+create_pool(void **state) {
+	isc_result_t result;
+	isc_taskpool_t *pool = NULL;
+
+	UNUSED(state);
+
+	result = isc_taskpool_create(taskmgr, test_mctx, 8, 2, false, &pool);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(isc_taskpool_size(pool), 8);
+
+	isc_taskpool_destroy(&pool);
+	assert_null(pool);
+}
+
+/* Resize a taskpool */
+static void
+expand_pool(void **state) {
+	isc_result_t result;
+	isc_taskpool_t *pool1 = NULL, *pool2 = NULL, *hold = NULL;
+
+	UNUSED(state);
+
+	result = isc_taskpool_create(taskmgr, test_mctx, 10, 2, false, &pool1);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(isc_taskpool_size(pool1), 10);
+
+	/* resizing to a smaller size should have no effect */
+	hold = pool1;
+	result = isc_taskpool_expand(&pool1, 5, false, &pool2);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(isc_taskpool_size(pool2), 10);
+	assert_ptr_equal(pool2, hold);
+	assert_null(pool1);
+	pool1 = pool2;
+	pool2 = NULL;
+
+	/* resizing to the same size should have no effect */
+	hold = pool1;
+	result = isc_taskpool_expand(&pool1, 10, false, &pool2);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(isc_taskpool_size(pool2), 10);
+	assert_ptr_equal(pool2, hold);
+	assert_null(pool1);
+	pool1 = pool2;
+	pool2 = NULL;
+
+	/* resizing to larger size should make a new pool */
+	hold = pool1;
+	result = isc_taskpool_expand(&pool1, 20, false, &pool2);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(isc_taskpool_size(pool2), 20);
+	assert_ptr_not_equal(pool2, hold);
+	assert_null(pool1);
+
+	isc_taskpool_destroy(&pool2);
+	assert_null(pool2);
+}
+
+/* Get tasks */
+static void
+get_tasks(void **state) {
+	isc_result_t result;
+	isc_taskpool_t *pool = NULL;
+	isc_task_t *task1 = NULL, *task2 = NULL, *task3 = NULL;
+
+	UNUSED(state);
+
+	result = isc_taskpool_create(taskmgr, test_mctx, 2, 2, false, &pool);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(isc_taskpool_size(pool), 2);
+
+	/* two tasks in pool; make sure we can access them more than twice */
+	isc_taskpool_gettask(pool, &task1);
+	assert_true(VALID_TASK(task1));
+
+	isc_taskpool_gettask(pool, &task2);
+	assert_true(VALID_TASK(task2));
+
+	isc_taskpool_gettask(pool, &task3);
+	assert_true(VALID_TASK(task3));
+
+	isc_task_destroy(&task1);
+	isc_task_destroy(&task2);
+	isc_task_destroy(&task3);
+
+	isc_taskpool_destroy(&pool);
+	assert_null(pool);
+}
+
+/* Set privileges */
+static void
+set_privilege(void **state) {
+	isc_result_t result;
+	isc_taskpool_t *pool = NULL;
+	isc_task_t *task1 = NULL, *task2 = NULL, *task3 = NULL;
+
+	UNUSED(state);
+
+	result = isc_taskpool_create(taskmgr, test_mctx, 2, 2, true, &pool);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(isc_taskpool_size(pool), 2);
+
+	isc_taskpool_gettask(pool, &task1);
+	isc_taskpool_gettask(pool, &task2);
+	isc_taskpool_gettask(pool, &task3);
+
+	assert_true(VALID_TASK(task1));
+	assert_true(VALID_TASK(task2));
+	assert_true(VALID_TASK(task3));
+
+	assert_true(isc_task_getprivilege(task1));
+	assert_true(isc_task_getprivilege(task2));
+	assert_true(isc_task_getprivilege(task3));
+
+	isc_task_destroy(&task1);
+	isc_task_destroy(&task2);
+	isc_task_destroy(&task3);
+
+	isc_taskpool_destroy(&pool);
+	assert_null(pool);
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test_setup_teardown(create_pool, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(expand_pool, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(get_tasks, _setup, _teardown),
+		cmocka_unit_test_setup_teardown(set_privilege, _setup,
+						_teardown),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/isc/tests/testdata/file/keep b/lib/isc/tests/testdata/file/keep
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/lib/isc/tests/testdata/file/keep
diff --git a/lib/isc/tests/time_test.c b/lib/isc/tests/time_test.c
new file mode 100644
index 0000000..870d9bf
--- /dev/null
+++ b/lib/isc/tests/time_test.c
@@ -0,0 +1,430 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/result.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#include "../time.c"
+
+#define NS_PER_S 1000000000 /*%< Nanoseconds per second. */
+#define MAX_NS	 (NS_PER_S - 1)
+
+struct time_vectors {
+	isc_time_t a;
+	isc_interval_t b;
+	isc_time_t r;
+	isc_result_t result;
+};
+
+const struct time_vectors vectors_add[8] = {
+	{ { 0, 0 }, { 0, 0 }, { 0, 0 }, ISC_R_SUCCESS },
+	{ { 0, MAX_NS }, { 0, MAX_NS }, { 1, MAX_NS - 1 }, ISC_R_SUCCESS },
+	{ { 0, NS_PER_S / 2 }, { 0, NS_PER_S / 2 }, { 1, 0 }, ISC_R_SUCCESS },
+	{ { UINT_MAX, MAX_NS }, { 0, 0 }, { UINT_MAX, MAX_NS }, ISC_R_SUCCESS },
+	{ { UINT_MAX, 0 }, { 0, MAX_NS }, { UINT_MAX, MAX_NS }, ISC_R_SUCCESS },
+	{ { UINT_MAX, 0 }, { 1, 0 }, { 0, 0 }, ISC_R_RANGE },
+	{ { UINT_MAX, MAX_NS }, { 0, 1 }, { 0, 0 }, ISC_R_RANGE },
+	{ { UINT_MAX / 2 + 1, NS_PER_S / 2 },
+	  { UINT_MAX / 2, NS_PER_S / 2 },
+	  { 0, 0 },
+	  ISC_R_RANGE },
+};
+
+const struct time_vectors vectors_sub[7] = {
+	{ { 0, 0 }, { 0, 0 }, { 0, 0 }, ISC_R_SUCCESS },
+	{ { 1, 0 }, { 0, MAX_NS }, { 0, 1 }, ISC_R_SUCCESS },
+	{ { 1, NS_PER_S / 2 },
+	  { 0, MAX_NS },
+	  { 0, NS_PER_S / 2 + 1 },
+	  ISC_R_SUCCESS },
+	{ { UINT_MAX, MAX_NS }, { UINT_MAX, 0 }, { 0, MAX_NS }, ISC_R_SUCCESS },
+	{ { 0, 0 }, { 1, 0 }, { 0, 0 }, ISC_R_RANGE },
+	{ { 0, 0 }, { 0, MAX_NS }, { 0, 0 }, ISC_R_RANGE },
+};
+
+static void
+isc_time_add_test(void **state) {
+	UNUSED(state);
+
+	for (size_t i = 0; i < ARRAY_SIZE(vectors_add); i++) {
+		isc_time_t r = { UINT_MAX, UINT_MAX };
+		isc_result_t result = isc_time_add(&(vectors_add[i].a),
+						   &(vectors_add[i].b), &r);
+		assert_int_equal(result, vectors_add[i].result);
+		if (result != ISC_R_SUCCESS) {
+			continue;
+		}
+
+		assert_int_equal(r.seconds, vectors_add[i].r.seconds);
+		assert_int_equal(r.nanoseconds, vectors_add[i].r.nanoseconds);
+	}
+
+	expect_assert_failure((void)isc_time_add(&(isc_time_t){ 0, MAX_NS + 1 },
+						 &(isc_interval_t){ 0, 0 },
+						 &(isc_time_t){ 0, 0 }));
+	expect_assert_failure((void)isc_time_add(
+		&(isc_time_t){ 0, 0 }, &(isc_interval_t){ 0, MAX_NS + 1 },
+		&(isc_time_t){ 0, 0 }));
+
+	expect_assert_failure((void)isc_time_add((isc_time_t *)NULL,
+						 &(isc_interval_t){ 0, 0 },
+						 &(isc_time_t){ 0, 0 }));
+	expect_assert_failure((void)isc_time_add(&(isc_time_t){ 0, 0 },
+						 (isc_interval_t *)NULL,
+						 &(isc_time_t){ 0, 0 }));
+	expect_assert_failure((void)isc_time_add(
+		&(isc_time_t){ 0, 0 }, &(isc_interval_t){ 0, 0 }, NULL));
+}
+
+static void
+isc_time_sub_test(void **state) {
+	UNUSED(state);
+
+	for (size_t i = 0; i < ARRAY_SIZE(vectors_sub); i++) {
+		isc_time_t r = { UINT_MAX, UINT_MAX };
+		isc_result_t result = isc_time_subtract(
+			&(vectors_sub[i].a), &(vectors_sub[i].b), &r);
+		assert_int_equal(result, vectors_sub[i].result);
+		if (result != ISC_R_SUCCESS) {
+			continue;
+		}
+		assert_int_equal(r.seconds, vectors_sub[i].r.seconds);
+		assert_int_equal(r.nanoseconds, vectors_sub[i].r.nanoseconds);
+	}
+
+	expect_assert_failure((void)isc_time_subtract(
+		&(isc_time_t){ 0, MAX_NS + 1 }, &(isc_interval_t){ 0, 0 },
+		&(isc_time_t){ 0, 0 }));
+	expect_assert_failure((void)isc_time_subtract(
+		&(isc_time_t){ 0, 0 }, &(isc_interval_t){ 0, MAX_NS + 1 },
+		&(isc_time_t){ 0, 0 }));
+
+	expect_assert_failure((void)isc_time_subtract((isc_time_t *)NULL,
+						      &(isc_interval_t){ 0, 0 },
+						      &(isc_time_t){ 0, 0 }));
+	expect_assert_failure((void)isc_time_subtract(&(isc_time_t){ 0, 0 },
+						      (isc_interval_t *)NULL,
+						      &(isc_time_t){ 0, 0 }));
+	expect_assert_failure((void)isc_time_subtract(
+		&(isc_time_t){ 0, 0 }, &(isc_interval_t){ 0, 0 }, NULL));
+}
+
+/* parse http time stamp */
+static void
+isc_time_parsehttptimestamp_test(void **state) {
+	isc_result_t result;
+	isc_time_t t, x;
+	char buf[ISC_FORMATHTTPTIMESTAMP_SIZE];
+
+	UNUSED(state);
+
+	setenv("TZ", "America/Los_Angeles", 1);
+	result = isc_time_now(&t);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	isc_time_formathttptimestamp(&t, buf, sizeof(buf));
+	result = isc_time_parsehttptimestamp(buf, &x);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(isc_time_seconds(&t), isc_time_seconds(&x));
+}
+
+/* print UTC in ISO8601 */
+static void
+isc_time_formatISO8601_test(void **state) {
+	isc_result_t result;
+	isc_time_t t;
+	char buf[64];
+
+	UNUSED(state);
+
+	setenv("TZ", "America/Los_Angeles", 1);
+	result = isc_time_now(&t);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/* check formatting: yyyy-mm-ddThh:mm:ssZ */
+	memset(buf, 'X', sizeof(buf));
+	isc_time_formatISO8601(&t, buf, sizeof(buf));
+	assert_int_equal(strlen(buf), 20);
+	assert_int_equal(buf[4], '-');
+	assert_int_equal(buf[7], '-');
+	assert_int_equal(buf[10], 'T');
+	assert_int_equal(buf[13], ':');
+	assert_int_equal(buf[16], ':');
+	assert_int_equal(buf[19], 'Z');
+
+	/* check time conversion correctness */
+	memset(buf, 'X', sizeof(buf));
+	isc_time_settoepoch(&t);
+	isc_time_formatISO8601(&t, buf, sizeof(buf));
+	assert_string_equal(buf, "1970-01-01T00:00:00Z");
+
+	memset(buf, 'X', sizeof(buf));
+	isc_time_set(&t, 1450000000, 123000000);
+	isc_time_formatISO8601(&t, buf, sizeof(buf));
+	assert_string_equal(buf, "2015-12-13T09:46:40Z");
+}
+
+/* print UTC in ISO8601 with milliseconds */
+static void
+isc_time_formatISO8601ms_test(void **state) {
+	isc_result_t result;
+	isc_time_t t;
+	char buf[64];
+
+	UNUSED(state);
+
+	setenv("TZ", "America/Los_Angeles", 1);
+	result = isc_time_now(&t);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/* check formatting: yyyy-mm-ddThh:mm:ss.sssZ */
+	memset(buf, 'X', sizeof(buf));
+	isc_time_formatISO8601ms(&t, buf, sizeof(buf));
+	assert_int_equal(strlen(buf), 24);
+	assert_int_equal(buf[4], '-');
+	assert_int_equal(buf[7], '-');
+	assert_int_equal(buf[10], 'T');
+	assert_int_equal(buf[13], ':');
+	assert_int_equal(buf[16], ':');
+	assert_int_equal(buf[19], '.');
+	assert_int_equal(buf[23], 'Z');
+
+	/* check time conversion correctness */
+	memset(buf, 'X', sizeof(buf));
+	isc_time_settoepoch(&t);
+	isc_time_formatISO8601ms(&t, buf, sizeof(buf));
+	assert_string_equal(buf, "1970-01-01T00:00:00.000Z");
+
+	memset(buf, 'X', sizeof(buf));
+	isc_time_set(&t, 1450000000, 123000000);
+	isc_time_formatISO8601ms(&t, buf, sizeof(buf));
+	assert_string_equal(buf, "2015-12-13T09:46:40.123Z");
+}
+
+/* print UTC in ISO8601 with microseconds */
+static void
+isc_time_formatISO8601us_test(void **state) {
+	isc_result_t result;
+	isc_time_t t;
+	char buf[64];
+
+	UNUSED(state);
+
+	setenv("TZ", "America/Los_Angeles", 1);
+	result = isc_time_now_hires(&t);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/* check formatting: yyyy-mm-ddThh:mm:ss.ssssssZ */
+	memset(buf, 'X', sizeof(buf));
+	isc_time_formatISO8601us(&t, buf, sizeof(buf));
+	assert_int_equal(strlen(buf), 27);
+	assert_int_equal(buf[4], '-');
+	assert_int_equal(buf[7], '-');
+	assert_int_equal(buf[10], 'T');
+	assert_int_equal(buf[13], ':');
+	assert_int_equal(buf[16], ':');
+	assert_int_equal(buf[19], '.');
+	assert_int_equal(buf[26], 'Z');
+
+	/* check time conversion correctness */
+	memset(buf, 'X', sizeof(buf));
+	isc_time_settoepoch(&t);
+	isc_time_formatISO8601us(&t, buf, sizeof(buf));
+	assert_string_equal(buf, "1970-01-01T00:00:00.000000Z");
+
+	memset(buf, 'X', sizeof(buf));
+	isc_time_set(&t, 1450000000, 123456000);
+	isc_time_formatISO8601us(&t, buf, sizeof(buf));
+	assert_string_equal(buf, "2015-12-13T09:46:40.123456Z");
+}
+
+/* print local time in ISO8601 */
+static void
+isc_time_formatISO8601L_test(void **state) {
+	isc_result_t result;
+	isc_time_t t;
+	char buf[64];
+
+	UNUSED(state);
+
+	setenv("TZ", "America/Los_Angeles", 1);
+	result = isc_time_now(&t);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/* check formatting: yyyy-mm-ddThh:mm:ss */
+	memset(buf, 'X', sizeof(buf));
+	isc_time_formatISO8601L(&t, buf, sizeof(buf));
+	assert_int_equal(strlen(buf), 19);
+	assert_int_equal(buf[4], '-');
+	assert_int_equal(buf[7], '-');
+	assert_int_equal(buf[10], 'T');
+	assert_int_equal(buf[13], ':');
+	assert_int_equal(buf[16], ':');
+
+	/* check time conversion correctness */
+	memset(buf, 'X', sizeof(buf));
+	isc_time_settoepoch(&t);
+	isc_time_formatISO8601L(&t, buf, sizeof(buf));
+	assert_string_equal(buf, "1969-12-31T16:00:00");
+
+	memset(buf, 'X', sizeof(buf));
+	isc_time_set(&t, 1450000000, 123000000);
+	isc_time_formatISO8601L(&t, buf, sizeof(buf));
+	assert_string_equal(buf, "2015-12-13T01:46:40");
+}
+
+/* print local time in ISO8601 with milliseconds */
+static void
+isc_time_formatISO8601Lms_test(void **state) {
+	isc_result_t result;
+	isc_time_t t;
+	char buf[64];
+
+	UNUSED(state);
+
+	setenv("TZ", "America/Los_Angeles", 1);
+	result = isc_time_now(&t);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/* check formatting: yyyy-mm-ddThh:mm:ss.sss */
+	memset(buf, 'X', sizeof(buf));
+	isc_time_formatISO8601Lms(&t, buf, sizeof(buf));
+	assert_int_equal(strlen(buf), 23);
+	assert_int_equal(buf[4], '-');
+	assert_int_equal(buf[7], '-');
+	assert_int_equal(buf[10], 'T');
+	assert_int_equal(buf[13], ':');
+	assert_int_equal(buf[16], ':');
+	assert_int_equal(buf[19], '.');
+
+	/* check time conversion correctness */
+	memset(buf, 'X', sizeof(buf));
+	isc_time_settoepoch(&t);
+	isc_time_formatISO8601Lms(&t, buf, sizeof(buf));
+	assert_string_equal(buf, "1969-12-31T16:00:00.000");
+
+	memset(buf, 'X', sizeof(buf));
+	isc_time_set(&t, 1450000000, 123000000);
+	isc_time_formatISO8601Lms(&t, buf, sizeof(buf));
+	assert_string_equal(buf, "2015-12-13T01:46:40.123");
+}
+
+/* print local time in ISO8601 with microseconds */
+static void
+isc_time_formatISO8601Lus_test(void **state) {
+	isc_result_t result;
+	isc_time_t t;
+	char buf[64];
+
+	UNUSED(state);
+
+	setenv("TZ", "America/Los_Angeles", 1);
+	result = isc_time_now_hires(&t);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/* check formatting: yyyy-mm-ddThh:mm:ss.ssssss */
+	memset(buf, 'X', sizeof(buf));
+	isc_time_formatISO8601Lus(&t, buf, sizeof(buf));
+	assert_int_equal(strlen(buf), 26);
+	assert_int_equal(buf[4], '-');
+	assert_int_equal(buf[7], '-');
+	assert_int_equal(buf[10], 'T');
+	assert_int_equal(buf[13], ':');
+	assert_int_equal(buf[16], ':');
+	assert_int_equal(buf[19], '.');
+
+	/* check time conversion correctness */
+	memset(buf, 'X', sizeof(buf));
+	isc_time_settoepoch(&t);
+	isc_time_formatISO8601Lus(&t, buf, sizeof(buf));
+	assert_string_equal(buf, "1969-12-31T16:00:00.000000");
+
+	memset(buf, 'X', sizeof(buf));
+	isc_time_set(&t, 1450000000, 123456000);
+	isc_time_formatISO8601Lus(&t, buf, sizeof(buf));
+	assert_string_equal(buf, "2015-12-13T01:46:40.123456");
+}
+
+/* print UTC time as yyyymmddhhmmsssss */
+static void
+isc_time_formatshorttimestamp_test(void **state) {
+	isc_result_t result;
+	isc_time_t t;
+	char buf[64];
+
+	UNUSED(state);
+
+	setenv("TZ", "America/Los_Angeles", 1);
+	result = isc_time_now(&t);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/* check formatting: yyyymmddhhmmsssss */
+	memset(buf, 'X', sizeof(buf));
+	isc_time_formatshorttimestamp(&t, buf, sizeof(buf));
+	assert_int_equal(strlen(buf), 17);
+
+	/* check time conversion correctness */
+	memset(buf, 'X', sizeof(buf));
+	isc_time_settoepoch(&t);
+	isc_time_formatshorttimestamp(&t, buf, sizeof(buf));
+	assert_string_equal(buf, "19700101000000000");
+
+	memset(buf, 'X', sizeof(buf));
+	isc_time_set(&t, 1450000000, 123000000);
+	isc_time_formatshorttimestamp(&t, buf, sizeof(buf));
+	assert_string_equal(buf, "20151213094640123");
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test(isc_time_add_test),
+		cmocka_unit_test(isc_time_sub_test),
+		cmocka_unit_test(isc_time_parsehttptimestamp_test),
+		cmocka_unit_test(isc_time_formatISO8601_test),
+		cmocka_unit_test(isc_time_formatISO8601ms_test),
+		cmocka_unit_test(isc_time_formatISO8601us_test),
+		cmocka_unit_test(isc_time_formatISO8601L_test),
+		cmocka_unit_test(isc_time_formatISO8601Lms_test),
+		cmocka_unit_test(isc_time_formatISO8601Lus_test),
+		cmocka_unit_test(isc_time_formatshorttimestamp_test),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/isc/tests/timer_test.c b/lib/isc/tests/timer_test.c
new file mode 100644
index 0000000..9bf4cf7
--- /dev/null
+++ b/lib/isc/tests/timer_test.c
@@ -0,0 +1,634 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <inttypes.h>
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/atomic.h>
+#include <isc/commandline.h>
+#include <isc/condition.h>
+#include <isc/mem.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/task.h>
+#include <isc/time.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include "../timer.c"
+#include "isctest.h"
+
+/* Set to true (or use -v option) for verbose output */
+static bool verbose = false;
+
+#define FUDGE_SECONDS	  0	    /* in absence of clock_getres() */
+#define FUDGE_NANOSECONDS 500000000 /* in absence of clock_getres() */
+
+static isc_timer_t *timer = NULL;
+static isc_condition_t cv;
+static isc_mutex_t mx;
+static isc_time_t endtime;
+static isc_mutex_t lasttime_mx;
+static isc_time_t lasttime;
+static int seconds;
+static int nanoseconds;
+static atomic_int_fast32_t eventcnt;
+static atomic_uint_fast32_t errcnt;
+static int nevents;
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	/* Timer tests require two worker threads */
+	result = isc_test_begin(NULL, true, 2);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	atomic_init(&errcnt, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	isc_test_end();
+
+	return (0);
+}
+
+static void
+test_shutdown(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result;
+
+	UNUSED(task);
+
+	/*
+	 * Signal shutdown processing complete.
+	 */
+	result = isc_mutex_lock(&mx);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = isc_condition_signal(&cv);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = isc_mutex_unlock(&mx);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	isc_event_free(&event);
+}
+
+static void
+setup_test(isc_timertype_t timertype, isc_time_t *expires,
+	   isc_interval_t *interval,
+	   void (*action)(isc_task_t *, isc_event_t *)) {
+	isc_result_t result;
+	isc_task_t *task = NULL;
+	isc_time_settoepoch(&endtime);
+	atomic_init(&eventcnt, 0);
+
+	isc_mutex_init(&mx);
+	isc_mutex_init(&lasttime_mx);
+
+	isc_condition_init(&cv);
+
+	atomic_store(&errcnt, ISC_R_SUCCESS);
+
+	LOCK(&mx);
+
+	result = isc_task_create(taskmgr, 0, &task);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = isc_task_onshutdown(task, test_shutdown, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	isc_mutex_lock(&lasttime_mx);
+	result = isc_time_now(&lasttime);
+	isc_mutex_unlock(&lasttime_mx);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = isc_timer_create(timermgr, timertype, expires, interval, task,
+				  action, (void *)timertype, &timer);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/*
+	 * Wait for shutdown processing to complete.
+	 */
+	while (atomic_load(&eventcnt) != nevents) {
+		result = isc_condition_wait(&cv, &mx);
+		assert_int_equal(result, ISC_R_SUCCESS);
+	}
+
+	UNLOCK(&mx);
+
+	assert_int_equal(atomic_load(&errcnt), ISC_R_SUCCESS);
+
+	isc_task_detach(&task);
+	isc_mutex_destroy(&mx);
+	isc_mutex_destroy(&lasttime_mx);
+	(void)isc_condition_destroy(&cv);
+}
+
+static void
+set_global_error(isc_result_t result) {
+	(void)atomic_compare_exchange_strong(
+		&errcnt, &(uint_fast32_t){ ISC_R_SUCCESS }, result);
+}
+
+static void
+subthread_assert_true(bool expected, const char *file, unsigned int line) {
+	if (!expected) {
+		printf("# %s:%u subthread_assert_true\n", file, line);
+		set_global_error(ISC_R_UNEXPECTED);
+	}
+}
+#define subthread_assert_true(expected) \
+	subthread_assert_true(expected, __FILE__, __LINE__)
+
+static void
+subthread_assert_int_equal(int observed, int expected, const char *file,
+			   unsigned int line) {
+	if (observed != expected) {
+		printf("# %s:%u subthread_assert_int_equal(%d != %d)\n", file,
+		       line, observed, expected);
+		set_global_error(ISC_R_UNEXPECTED);
+	}
+}
+#define subthread_assert_int_equal(observed, expected) \
+	subthread_assert_int_equal(observed, expected, __FILE__, __LINE__)
+
+static void
+subthread_assert_result_equal(isc_result_t result, isc_result_t expected,
+			      const char *file, unsigned int line) {
+	if (result != expected) {
+		printf("# %s:%u subthread_assert_result_equal(%u != %u)\n",
+		       file, line, result, expected);
+		set_global_error(result);
+	}
+}
+#define subthread_assert_result_equal(observed, expected) \
+	subthread_assert_result_equal(observed, expected, __FILE__, __LINE__)
+
+static void
+ticktock(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result;
+	isc_time_t now;
+	isc_time_t base;
+	isc_time_t ulim;
+	isc_time_t llim;
+	isc_interval_t interval;
+	isc_eventtype_t expected_event_type;
+
+	int tick = atomic_fetch_add(&eventcnt, 1);
+
+	if (verbose) {
+		print_message("# tick %d\n", tick);
+	}
+
+	expected_event_type = ISC_TIMEREVENT_LIFE;
+	if ((uintptr_t)event->ev_arg == isc_timertype_ticker) {
+		expected_event_type = ISC_TIMEREVENT_TICK;
+	}
+
+	if (event->ev_type != expected_event_type) {
+		print_error("# expected event type %u, got %u\n",
+			    expected_event_type, event->ev_type);
+	}
+
+	result = isc_time_now(&now);
+	subthread_assert_result_equal(result, ISC_R_SUCCESS);
+
+	isc_interval_set(&interval, seconds, nanoseconds);
+	isc_mutex_lock(&lasttime_mx);
+	result = isc_time_add(&lasttime, &interval, &base);
+	isc_mutex_unlock(&lasttime_mx);
+	subthread_assert_result_equal(result, ISC_R_SUCCESS);
+
+	isc_interval_set(&interval, FUDGE_SECONDS, FUDGE_NANOSECONDS);
+	result = isc_time_add(&base, &interval, &ulim);
+	subthread_assert_result_equal(result, ISC_R_SUCCESS);
+
+	result = isc_time_subtract(&base, &interval, &llim);
+	subthread_assert_result_equal(result, ISC_R_SUCCESS);
+
+	subthread_assert_true(isc_time_compare(&llim, &now) <= 0);
+	subthread_assert_true(isc_time_compare(&ulim, &now) >= 0);
+
+	isc_interval_set(&interval, 0, 0);
+	isc_mutex_lock(&lasttime_mx);
+	result = isc_time_add(&now, &interval, &lasttime);
+	isc_mutex_unlock(&lasttime_mx);
+	subthread_assert_result_equal(result, ISC_R_SUCCESS);
+
+	isc_event_free(&event);
+
+	if (atomic_load(&eventcnt) == nevents) {
+		result = isc_time_now(&endtime);
+		subthread_assert_result_equal(result, ISC_R_SUCCESS);
+		isc_timer_destroy(&timer);
+		isc_task_shutdown(task);
+	}
+}
+
+/*
+ * Individual unit tests
+ */
+
+/* timer type ticker */
+static void
+ticker(void **state) {
+	isc_time_t expires;
+	isc_interval_t interval;
+
+	UNUSED(state);
+
+	nevents = 12;
+	seconds = 0;
+	nanoseconds = 500000000;
+
+	isc_interval_set(&interval, seconds, nanoseconds);
+	isc_time_settoepoch(&expires);
+
+	setup_test(isc_timertype_ticker, &expires, &interval, ticktock);
+}
+
+/* timer type once reaches lifetime */
+static void
+once_life(void **state) {
+	isc_result_t result;
+	isc_time_t expires;
+	isc_interval_t interval;
+
+	UNUSED(state);
+
+	nevents = 1;
+	seconds = 1;
+	nanoseconds = 100000000;
+
+	isc_interval_set(&interval, seconds, nanoseconds);
+	result = isc_time_nowplusinterval(&expires, &interval);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	isc_interval_set(&interval, 0, 0);
+
+	setup_test(isc_timertype_once, &expires, &interval, ticktock);
+}
+
+static void
+test_idle(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result;
+	isc_time_t now;
+	isc_time_t base;
+	isc_time_t ulim;
+	isc_time_t llim;
+	isc_interval_t interval;
+
+	int tick = atomic_fetch_add(&eventcnt, 1);
+
+	if (verbose) {
+		print_message("# tick %d\n", tick);
+	}
+
+	result = isc_time_now(&now);
+	subthread_assert_result_equal(result, ISC_R_SUCCESS);
+
+	isc_interval_set(&interval, seconds, nanoseconds);
+	isc_mutex_lock(&lasttime_mx);
+	result = isc_time_add(&lasttime, &interval, &base);
+	isc_mutex_unlock(&lasttime_mx);
+	subthread_assert_result_equal(result, ISC_R_SUCCESS);
+
+	isc_interval_set(&interval, FUDGE_SECONDS, FUDGE_NANOSECONDS);
+	result = isc_time_add(&base, &interval, &ulim);
+	subthread_assert_result_equal(result, ISC_R_SUCCESS);
+
+	result = isc_time_subtract(&base, &interval, &llim);
+	subthread_assert_result_equal(result, ISC_R_SUCCESS);
+
+	subthread_assert_true(isc_time_compare(&llim, &now) <= 0);
+	subthread_assert_true(isc_time_compare(&ulim, &now) >= 0);
+
+	isc_interval_set(&interval, 0, 0);
+	isc_mutex_lock(&lasttime_mx);
+	isc_time_add(&now, &interval, &lasttime);
+	isc_mutex_unlock(&lasttime_mx);
+
+	subthread_assert_int_equal(event->ev_type, ISC_TIMEREVENT_IDLE);
+
+	isc_event_free(&event);
+
+	isc_timer_destroy(&timer);
+	isc_task_shutdown(task);
+}
+
+/* timer type once idles out */
+static void
+once_idle(void **state) {
+	isc_result_t result;
+	isc_time_t expires;
+	isc_interval_t interval;
+
+	UNUSED(state);
+
+	nevents = 1;
+	seconds = 1;
+	nanoseconds = 200000000;
+
+	isc_interval_set(&interval, seconds + 1, nanoseconds);
+	result = isc_time_nowplusinterval(&expires, &interval);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	isc_interval_set(&interval, seconds, nanoseconds);
+
+	setup_test(isc_timertype_once, &expires, &interval, test_idle);
+}
+
+/* timer reset */
+static void
+test_reset(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result;
+	isc_time_t now;
+	isc_time_t base;
+	isc_time_t ulim;
+	isc_time_t llim;
+	isc_time_t expires;
+	isc_interval_t interval;
+
+	int tick = atomic_fetch_add(&eventcnt, 1);
+
+	if (verbose) {
+		print_message("# tick %d\n", tick);
+	}
+
+	/*
+	 * Check expired time.
+	 */
+
+	result = isc_time_now(&now);
+	subthread_assert_result_equal(result, ISC_R_SUCCESS);
+
+	isc_interval_set(&interval, seconds, nanoseconds);
+	isc_mutex_lock(&lasttime_mx);
+	result = isc_time_add(&lasttime, &interval, &base);
+	isc_mutex_unlock(&lasttime_mx);
+	subthread_assert_result_equal(result, ISC_R_SUCCESS);
+
+	isc_interval_set(&interval, FUDGE_SECONDS, FUDGE_NANOSECONDS);
+	result = isc_time_add(&base, &interval, &ulim);
+	subthread_assert_result_equal(result, ISC_R_SUCCESS);
+
+	result = isc_time_subtract(&base, &interval, &llim);
+	subthread_assert_result_equal(result, ISC_R_SUCCESS);
+
+	subthread_assert_true(isc_time_compare(&llim, &now) <= 0);
+	subthread_assert_true(isc_time_compare(&ulim, &now) >= 0);
+
+	isc_interval_set(&interval, 0, 0);
+	isc_mutex_lock(&lasttime_mx);
+	isc_time_add(&now, &interval, &lasttime);
+	isc_mutex_unlock(&lasttime_mx);
+
+	int _eventcnt = atomic_load(&eventcnt);
+
+	if (_eventcnt < 3) {
+		subthread_assert_int_equal(event->ev_type, ISC_TIMEREVENT_TICK);
+
+		if (_eventcnt == 2) {
+			isc_interval_set(&interval, seconds, nanoseconds);
+			result = isc_time_nowplusinterval(&expires, &interval);
+			subthread_assert_result_equal(result, ISC_R_SUCCESS);
+
+			isc_interval_set(&interval, 0, 0);
+			result = isc_timer_reset(timer, isc_timertype_once,
+						 &expires, &interval, false);
+			subthread_assert_result_equal(result, ISC_R_SUCCESS);
+		}
+
+		isc_event_free(&event);
+	} else {
+		subthread_assert_int_equal(event->ev_type, ISC_TIMEREVENT_LIFE);
+
+		isc_event_free(&event);
+		isc_timer_destroy(&timer);
+		isc_task_shutdown(task);
+	}
+}
+
+static void
+reset(void **state) {
+	isc_time_t expires;
+	isc_interval_t interval;
+
+	UNUSED(state);
+
+	nevents = 3;
+	seconds = 0;
+	nanoseconds = 750000000;
+
+	isc_interval_set(&interval, seconds, nanoseconds);
+	isc_time_settoepoch(&expires);
+
+	setup_test(isc_timertype_ticker, &expires, &interval, test_reset);
+}
+
+static atomic_bool startflag;
+static atomic_bool shutdownflag;
+static isc_timer_t *tickertimer = NULL;
+static isc_timer_t *oncetimer = NULL;
+static isc_task_t *task1 = NULL;
+static isc_task_t *task2 = NULL;
+
+/*
+ * task1 blocks on mx while events accumulate
+ * in its queue, until signaled by task2.
+ */
+
+static void
+tick_event(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result;
+	isc_time_t expires;
+	isc_interval_t interval;
+
+	UNUSED(task);
+
+	if (!atomic_load(&startflag)) {
+		if (verbose) {
+			print_message("# tick_event %d\n", -1);
+		}
+		isc_event_free(&event);
+		return;
+	}
+
+	int tick = atomic_fetch_add(&eventcnt, 1);
+	if (verbose) {
+		print_message("# tick_event %d\n", tick);
+	}
+
+	/*
+	 * On the first tick, purge all remaining tick events
+	 * and then shut down the task.
+	 */
+	if (tick == 0) {
+		isc_time_settoepoch(&expires);
+		isc_interval_set(&interval, seconds, 0);
+		result = isc_timer_reset(tickertimer, isc_timertype_ticker,
+					 &expires, &interval, true);
+		subthread_assert_result_equal(result, ISC_R_SUCCESS);
+
+		isc_task_shutdown(task);
+	}
+
+	isc_event_free(&event);
+}
+
+static void
+once_event(isc_task_t *task, isc_event_t *event) {
+	if (verbose) {
+		print_message("# once_event\n");
+	}
+
+	/*
+	 * Allow task1 to start processing events.
+	 */
+	atomic_store(&startflag, true);
+
+	isc_event_free(&event);
+	isc_task_shutdown(task);
+}
+
+static void
+shutdown_purge(isc_task_t *task, isc_event_t *event) {
+	UNUSED(task);
+	UNUSED(event);
+
+	if (verbose) {
+		print_message("# shutdown_event\n");
+	}
+
+	/*
+	 * Signal shutdown processing complete.
+	 */
+	atomic_store(&shutdownflag, 1);
+
+	isc_event_free(&event);
+}
+
+/* timer events purged */
+static void
+purge(void **state) {
+	isc_result_t result;
+	isc_time_t expires;
+	isc_interval_t interval;
+
+	UNUSED(state);
+
+	atomic_init(&startflag, 0);
+	atomic_init(&shutdownflag, 0);
+	atomic_init(&eventcnt, 0);
+	seconds = 1;
+	nanoseconds = 0;
+
+	result = isc_task_create(taskmgr, 0, &task1);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = isc_task_onshutdown(task1, shutdown_purge, NULL);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = isc_task_create(taskmgr, 0, &task2);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	isc_time_settoepoch(&expires);
+	isc_interval_set(&interval, seconds, 0);
+
+	tickertimer = NULL;
+	result = isc_timer_create(timermgr, isc_timertype_ticker, &expires,
+				  &interval, task1, tick_event, NULL,
+				  &tickertimer);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	oncetimer = NULL;
+
+	isc_interval_set(&interval, (seconds * 2) + 1, 0);
+	result = isc_time_nowplusinterval(&expires, &interval);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	isc_interval_set(&interval, 0, 0);
+	result = isc_timer_create(timermgr, isc_timertype_once, &expires,
+				  &interval, task2, once_event, NULL,
+				  &oncetimer);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/*
+	 * Wait for shutdown processing to complete.
+	 */
+	while (!atomic_load(&shutdownflag)) {
+		isc_test_nap(1000);
+	}
+
+	assert_int_equal(atomic_load(&errcnt), ISC_R_SUCCESS);
+
+	assert_int_equal(atomic_load(&eventcnt), 1);
+
+	isc_timer_destroy(&tickertimer);
+	isc_timer_destroy(&oncetimer);
+	isc_task_destroy(&task1);
+	isc_task_destroy(&task2);
+}
+
+int
+main(int argc, char **argv) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test(ticker),    cmocka_unit_test(once_life),
+		cmocka_unit_test(once_idle), cmocka_unit_test(reset),
+		cmocka_unit_test(purge),
+	};
+	int c;
+
+	while ((c = isc_commandline_parse(argc, argv, "v")) != -1) {
+		switch (c) {
+		case 'v':
+			verbose = true;
+			break;
+		default:
+			break;
+		}
+	}
+
+	return (cmocka_run_group_tests(tests, _setup, _teardown));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/isc/tests/uv_wrap.h b/lib/isc/tests/uv_wrap.h
new file mode 100644
index 0000000..968a624
--- /dev/null
+++ b/lib/isc/tests/uv_wrap.h
@@ -0,0 +1,323 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+#include <inttypes.h>
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <time.h>
+#include <unistd.h>
+#include <uv.h>
+
+#include <isc/atomic.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include "../netmgr/uv-compat.h"
+
+/* uv_udp_t */
+
+int
+__wrap_uv_udp_open(uv_udp_t *handle, uv_os_sock_t sock);
+int
+__wrap_uv_udp_bind(uv_udp_t *handle, const struct sockaddr *addr,
+		   unsigned int flags);
+#if UV_VERSION_HEX >= UV_VERSION(1, 27, 0)
+int
+__wrap_uv_udp_connect(uv_udp_t *handle, const struct sockaddr *addr);
+int
+__wrap_uv_udp_getpeername(const uv_udp_t *handle, struct sockaddr *name,
+			  int *namelen);
+#endif /* UV_VERSION_HEX >= UV_VERSION(1, 27, 0) */
+int
+__wrap_uv_udp_getsockname(const uv_udp_t *handle, struct sockaddr *name,
+			  int *namelen);
+int
+__wrap_uv_udp_send(uv_udp_send_t *req, uv_udp_t *handle, const uv_buf_t bufs[],
+		   unsigned int nbufs, const struct sockaddr *addr,
+		   uv_udp_send_cb send_cb);
+int
+__wrap_uv_udp_recv_start(uv_udp_t *handle, uv_alloc_cb alloc_cb,
+			 uv_udp_recv_cb recv_cb);
+int
+__wrap_uv_udp_recv_stop(uv_udp_t *handle);
+
+/* uv_tcp_t */
+int
+__wrap_uv_tcp_open(uv_tcp_t *handle, uv_os_sock_t sock);
+int
+__wrap_uv_tcp_bind(uv_tcp_t *handle, const struct sockaddr *addr,
+		   unsigned int flags);
+int
+__wrap_uv_tcp_getsockname(const uv_tcp_t *handle, struct sockaddr *name,
+			  int *namelen);
+int
+__wrap_uv_tcp_getpeername(const uv_tcp_t *handle, struct sockaddr *name,
+			  int *namelen);
+int
+__wrap_uv_tcp_connect(uv_connect_t *req, uv_tcp_t *handle,
+		      const struct sockaddr *addr, uv_connect_cb cb);
+
+/* uv_stream_t */
+int
+__wrap_uv_listen(uv_stream_t *stream, int backlog, uv_connection_cb cb);
+int
+__wrap_uv_accept(uv_stream_t *server, uv_stream_t *client);
+
+/* uv_handle_t */
+int
+__wrap_uv_send_buffer_size(uv_handle_t *handle, int *value);
+int
+__wrap_uv_recv_buffer_size(uv_handle_t *handle, int *value);
+int
+__wrap_uv_fileno(const uv_handle_t *handle, uv_os_fd_t *fd);
+
+/* uv_timer_t */
+/* FIXME */
+/*
+ * uv_timer_init
+ * uv_timer_start
+ */
+
+static atomic_int __state_uv_udp_open = 0;
+
+int
+__wrap_uv_udp_open(uv_udp_t *handle, uv_os_sock_t sock) {
+	if (atomic_load(&__state_uv_udp_open) == 0) {
+		return (uv_udp_open(handle, sock));
+	}
+	return (atomic_load(&__state_uv_udp_open));
+}
+
+static atomic_int __state_uv_udp_bind = 0;
+
+int
+__wrap_uv_udp_bind(uv_udp_t *handle, const struct sockaddr *addr,
+		   unsigned int flags) {
+	if (atomic_load(&__state_uv_udp_bind) == 0) {
+		return (uv_udp_bind(handle, addr, flags));
+	}
+	return (atomic_load(&__state_uv_udp_bind));
+}
+
+static atomic_int __state_uv_udp_connect = 0;
+#if UV_VERSION_HEX >= UV_VERSION(1, 27, 0)
+int
+__wrap_uv_udp_connect(uv_udp_t *handle, const struct sockaddr *addr) {
+	if (atomic_load(&__state_uv_udp_connect) == 0) {
+		return (uv_udp_connect(handle, addr));
+	}
+	return (atomic_load(&__state_uv_udp_connect));
+}
+#endif /* UV_VERSION_HEX >= UV_VERSION(1, 27, 0) */
+
+static atomic_int __state_uv_udp_getpeername = 0;
+#if UV_VERSION_HEX >= UV_VERSION(1, 27, 0)
+int
+__wrap_uv_udp_getpeername(const uv_udp_t *handle, struct sockaddr *name,
+			  int *namelen) {
+	if (atomic_load(&__state_uv_udp_getpeername) == 0) {
+		return (uv_udp_getpeername(handle, name, namelen));
+	}
+	return (atomic_load(&__state_uv_udp_getpeername));
+}
+#endif /* UV_VERSION_HEX >= UV_VERSION(1, 27, 0) */
+
+static atomic_int __state_uv_udp_getsockname = 0;
+int
+__wrap_uv_udp_getsockname(const uv_udp_t *handle, struct sockaddr *name,
+			  int *namelen) {
+	if (atomic_load(&__state_uv_udp_getsockname) == 0) {
+		return (uv_udp_getsockname(handle, name, namelen));
+	}
+	return (atomic_load(&__state_uv_udp_getsockname));
+}
+
+static atomic_int __state_uv_udp_send = 0;
+int
+__wrap_uv_udp_send(uv_udp_send_t *req, uv_udp_t *handle, const uv_buf_t bufs[],
+		   unsigned int nbufs, const struct sockaddr *addr,
+		   uv_udp_send_cb send_cb) {
+	if (atomic_load(&__state_uv_udp_send) == 0) {
+		return (uv_udp_send(req, handle, bufs, nbufs, addr, send_cb));
+	}
+	return (atomic_load(&__state_uv_udp_send));
+}
+
+static atomic_int __state_uv_udp_recv_start = 0;
+int
+__wrap_uv_udp_recv_start(uv_udp_t *handle, uv_alloc_cb alloc_cb,
+			 uv_udp_recv_cb recv_cb) {
+	if (atomic_load(&__state_uv_udp_recv_start) == 0) {
+		return (uv_udp_recv_start(handle, alloc_cb, recv_cb));
+	}
+	return (atomic_load(&__state_uv_udp_recv_start));
+}
+
+static atomic_int __state_uv_udp_recv_stop = 0;
+int
+__wrap_uv_udp_recv_stop(uv_udp_t *handle) {
+	if (atomic_load(&__state_uv_udp_recv_stop) == 0) {
+		return (uv_udp_recv_stop(handle));
+	}
+	return (atomic_load(&__state_uv_udp_recv_stop));
+}
+
+static atomic_int __state_uv_tcp_open = 0;
+int
+__wrap_uv_tcp_open(uv_tcp_t *handle, uv_os_sock_t sock) {
+	if (atomic_load(&__state_uv_tcp_open) == 0) {
+		return (uv_tcp_open(handle, sock));
+	}
+	return (atomic_load(&__state_uv_tcp_open));
+}
+
+static atomic_int __state_uv_tcp_bind = 0;
+int
+__wrap_uv_tcp_bind(uv_tcp_t *handle, const struct sockaddr *addr,
+		   unsigned int flags) {
+	if (atomic_load(&__state_uv_tcp_bind) == 0) {
+		return (uv_tcp_bind(handle, addr, flags));
+	}
+	return (atomic_load(&__state_uv_tcp_bind));
+}
+
+static atomic_int __state_uv_tcp_getsockname = 0;
+int
+__wrap_uv_tcp_getsockname(const uv_tcp_t *handle, struct sockaddr *name,
+			  int *namelen) {
+	if (atomic_load(&__state_uv_tcp_getsockname) == 0) {
+		return (uv_tcp_getsockname(handle, name, namelen));
+	}
+	return (atomic_load(&__state_uv_tcp_getsockname));
+}
+
+static atomic_int __state_uv_tcp_getpeername = 0;
+int
+__wrap_uv_tcp_getpeername(const uv_tcp_t *handle, struct sockaddr *name,
+			  int *namelen) {
+	if (atomic_load(&__state_uv_tcp_getpeername) == 0) {
+		return (uv_tcp_getpeername(handle, name, namelen));
+	}
+	return (atomic_load(&__state_uv_tcp_getpeername));
+}
+
+static atomic_int __state_uv_tcp_connect = 0;
+int
+__wrap_uv_tcp_connect(uv_connect_t *req, uv_tcp_t *handle,
+		      const struct sockaddr *addr, uv_connect_cb cb) {
+	if (atomic_load(&__state_uv_tcp_connect) == 0) {
+		return (uv_tcp_connect(req, handle, addr, cb));
+	}
+	return (atomic_load(&__state_uv_tcp_connect));
+}
+
+static atomic_int __state_uv_listen = 0;
+int
+__wrap_uv_listen(uv_stream_t *stream, int backlog, uv_connection_cb cb) {
+	if (atomic_load(&__state_uv_listen) == 0) {
+		return (uv_listen(stream, backlog, cb));
+	}
+	return (atomic_load(&__state_uv_listen));
+}
+
+static atomic_int __state_uv_accept = 0;
+int
+__wrap_uv_accept(uv_stream_t *server, uv_stream_t *client) {
+	if (atomic_load(&__state_uv_accept) == 0) {
+		return (uv_accept(server, client));
+	}
+	return (atomic_load(&__state_uv_accept));
+}
+
+static atomic_int __state_uv_send_buffer_size = 0;
+int
+__wrap_uv_send_buffer_size(uv_handle_t *handle, int *value) {
+	if (atomic_load(&__state_uv_send_buffer_size) == 0) {
+		return (uv_send_buffer_size(handle, value));
+	}
+	return (atomic_load(&__state_uv_send_buffer_size));
+}
+
+static atomic_int __state_uv_recv_buffer_size = 0;
+int
+__wrap_uv_recv_buffer_size(uv_handle_t *handle, int *value) {
+	if (atomic_load(&__state_uv_recv_buffer_size) == 0) {
+		return (uv_recv_buffer_size(handle, value));
+	}
+	return (atomic_load(&__state_uv_recv_buffer_size));
+}
+
+static atomic_int __state_uv_fileno = 0;
+int
+__wrap_uv_fileno(const uv_handle_t *handle, uv_os_fd_t *fd) {
+	if (atomic_load(&__state_uv_fileno) == 0) {
+		return (uv_fileno(handle, fd));
+	}
+	return (atomic_load(&__state_uv_fileno));
+}
+
+#define uv_udp_open(...) __wrap_uv_udp_open(__VA_ARGS__)
+#define uv_udp_bind(...) __wrap_uv_udp_bind(__VA_ARGS__)
+#if UV_VERSION_HEX >= UV_VERSION(1, 27, 0)
+#define uv_udp_connect(...)	__wrap_uv_udp_connect(__VA_ARGS__)
+#define uv_udp_getpeername(...) __wrap_uv_udp_getpeername(__VA_ARGS__)
+#endif /* UV_VERSION_HEX >= UV_VERSION(1, 27, 0) */
+#define uv_udp_getsockname(...) __wrap_uv_udp_getsockname(__VA_ARGS__)
+#define uv_udp_send(...)	__wrap_uv_udp_send(__VA_ARGS__)
+#define uv_udp_recv_start(...)	__wrap_uv_udp_recv_start(__VA_ARGS__)
+#define uv_udp_recv_stop(...)	__wrap_uv_udp_recv_stop(__VA_ARGS__)
+
+#define uv_tcp_open(...)	__wrap_uv_tcp_open(__VA_ARGS__)
+#define uv_tcp_bind(...)	__wrap_uv_tcp_bind(__VA_ARGS__)
+#define uv_tcp_getsockname(...) __wrap_uv_tcp_getsockname(__VA_ARGS__)
+#define uv_tcp_getpeername(...) __wrap_uv_tcp_getpeername(__VA_ARGS__)
+#define uv_tcp_connect(...)	__wrap_uv_tcp_connect(__VA_ARGS__)
+
+#define uv_listen(...) __wrap_uv_listen(__VA_ARGS__)
+#define uv_accept(...) __wrap_uv_accept(__VA_ARGS__)
+
+#define uv_send_buffer_size(...) __wrap_uv_send_buffer_size(__VA_ARGS__)
+#define uv_recv_buffer_size(...) __wrap_uv_recv_buffer_size(__VA_ARGS__)
+#define uv_fileno(...)		 __wrap_uv_fileno(__VA_ARGS__)
+
+#define RESET_RETURN                                           \
+	{                                                      \
+		atomic_store(&__state_uv_udp_open, 0);         \
+		atomic_store(&__state_uv_udp_bind, 0);         \
+		atomic_store(&__state_uv_udp_connect, 0);      \
+		atomic_store(&__state_uv_udp_getpeername, 0);  \
+		atomic_store(&__state_uv_udp_getsockname, 0);  \
+		atomic_store(&__state_uv_udp_send, 0);         \
+		atomic_store(&__state_uv_udp_recv_start, 0);   \
+		atomic_store(&__state_uv_udp_recv_stop, 0);    \
+		atomic_store(&__state_uv_tcp_open, 0);         \
+		atomic_store(&__state_uv_tcp_bind, 0);         \
+		atomic_store(&__state_uv_tcp_getpeername, 0);  \
+		atomic_store(&__state_uv_tcp_getsockname, 0);  \
+		atomic_store(&__state_uv_tcp_connect, 0);      \
+		atomic_store(&__state_uv_listen, 0);           \
+		atomic_store(&__state_uv_accept, 0);           \
+		atomic_store(&__state_uv_send_buffer_size, 0); \
+		atomic_store(&__state_uv_recv_buffer_size, 0); \
+		atomic_store(&__state_uv_fileno, 0);           \
+	}
+
+#define WILL_RETURN(func, value) atomic_store(&__state_##func, value)
+
+#endif /* HAVE_CMOCKA */
diff --git a/lib/isc/timer.c b/lib/isc/timer.c
new file mode 100644
index 0000000..e659f58
--- /dev/null
+++ b/lib/isc/timer.c
@@ -0,0 +1,753 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <stdbool.h>
+
+#include <isc/app.h>
+#include <isc/condition.h>
+#include <isc/heap.h>
+#include <isc/log.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/refcount.h>
+#include <isc/task.h>
+#include <isc/thread.h>
+#include <isc/time.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#ifdef OPENSSL_LEAKS
+#include <openssl/err.h>
+#endif /* ifdef OPENSSL_LEAKS */
+
+#ifdef ISC_TIMER_TRACE
+#define XTRACE(s)      fprintf(stderr, "%s\n", (s))
+#define XTRACEID(s, t) fprintf(stderr, "%s %p\n", (s), (t))
+#define XTRACETIME(s, d) \
+	fprintf(stderr, "%s %u.%09u\n", (s), (d).seconds, (d).nanoseconds)
+#define XTRACETIME2(s, d, n)                                      \
+	fprintf(stderr, "%s %u.%09u %u.%09u\n", (s), (d).seconds, \
+		(d).nanoseconds, (n).seconds, (n).nanoseconds)
+#define XTRACETIMER(s, t, d)                                      \
+	fprintf(stderr, "%s %p %u.%09u\n", (s), (t), (d).seconds, \
+		(d).nanoseconds)
+#else /* ifdef ISC_TIMER_TRACE */
+#define XTRACE(s)
+#define XTRACEID(s, t)
+#define XTRACETIME(s, d)
+#define XTRACETIME2(s, d, n)
+#define XTRACETIMER(s, t, d)
+#endif /* ISC_TIMER_TRACE */
+
+#define TIMER_MAGIC    ISC_MAGIC('T', 'I', 'M', 'R')
+#define VALID_TIMER(t) ISC_MAGIC_VALID(t, TIMER_MAGIC)
+
+struct isc_timer {
+	/*! Not locked. */
+	unsigned int magic;
+	isc_timermgr_t *manager;
+	isc_mutex_t lock;
+	/*! Locked by timer lock. */
+	isc_time_t idle;
+	ISC_LIST(isc_timerevent_t) active;
+	/*! Locked by manager lock. */
+	isc_timertype_t type;
+	isc_time_t expires;
+	isc_interval_t interval;
+	isc_task_t *task;
+	isc_taskaction_t action;
+	void *arg;
+	unsigned int index;
+	isc_time_t due;
+	LINK(isc_timer_t) link;
+};
+
+#define TIMER_MANAGER_MAGIC ISC_MAGIC('T', 'I', 'M', 'M')
+#define VALID_MANAGER(m)    ISC_MAGIC_VALID(m, TIMER_MANAGER_MAGIC)
+
+struct isc_timermgr {
+	/* Not locked. */
+	unsigned int magic;
+	isc_mem_t *mctx;
+	isc_mutex_t lock;
+	/* Locked by manager lock. */
+	bool done;
+	LIST(isc_timer_t) timers;
+	unsigned int nscheduled;
+	isc_time_t due;
+	isc_condition_t wakeup;
+	isc_thread_t thread;
+	isc_heap_t *heap;
+};
+
+void
+isc_timermgr_poke(isc_timermgr_t *manager0);
+
+static isc_result_t
+schedule(isc_timer_t *timer, isc_time_t *now, bool signal_ok) {
+	isc_timermgr_t *manager;
+	isc_time_t due;
+	int cmp;
+
+	/*!
+	 * Note: the caller must ensure locking.
+	 */
+
+	REQUIRE(timer->type != isc_timertype_inactive);
+
+	manager = timer->manager;
+
+	/*
+	 * Compute the new due time.
+	 */
+	if (timer->type != isc_timertype_once) {
+		isc_result_t result = isc_time_add(now, &timer->interval, &due);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		if (timer->type == isc_timertype_limited &&
+		    isc_time_compare(&timer->expires, &due) < 0)
+		{
+			due = timer->expires;
+		}
+	} else {
+		if (isc_time_isepoch(&timer->idle)) {
+			due = timer->expires;
+		} else if (isc_time_isepoch(&timer->expires)) {
+			due = timer->idle;
+		} else if (isc_time_compare(&timer->idle, &timer->expires) < 0)
+		{
+			due = timer->idle;
+		} else {
+			due = timer->expires;
+		}
+	}
+
+	/*
+	 * Schedule the timer.
+	 */
+
+	if (timer->index > 0) {
+		/*
+		 * Already scheduled.
+		 */
+		cmp = isc_time_compare(&due, &timer->due);
+		timer->due = due;
+		switch (cmp) {
+		case -1:
+			isc_heap_increased(manager->heap, timer->index);
+			break;
+		case 1:
+			isc_heap_decreased(manager->heap, timer->index);
+			break;
+		case 0:
+			/* Nothing to do. */
+			break;
+		}
+	} else {
+		timer->due = due;
+		isc_heap_insert(manager->heap, timer);
+		manager->nscheduled++;
+	}
+
+	XTRACETIMER("schedule", timer, due);
+
+	/*
+	 * If this timer is at the head of the queue, we need to ensure
+	 * that we won't miss it if it has a more recent due time than
+	 * the current "next" timer.  We do this either by waking up the
+	 * run thread, or explicitly setting the value in the manager.
+	 */
+
+	if (timer->index == 1 && signal_ok) {
+		XTRACE("signal (schedule)");
+		SIGNAL(&manager->wakeup);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+deschedule(isc_timer_t *timer) {
+	bool need_wakeup = false;
+	isc_timermgr_t *manager;
+
+	/*
+	 * The caller must ensure locking.
+	 */
+
+	manager = timer->manager;
+	if (timer->index > 0) {
+		if (timer->index == 1) {
+			need_wakeup = true;
+		}
+		isc_heap_delete(manager->heap, timer->index);
+		timer->index = 0;
+		INSIST(manager->nscheduled > 0);
+		manager->nscheduled--;
+		if (need_wakeup) {
+			XTRACE("signal (deschedule)");
+			SIGNAL(&manager->wakeup);
+		}
+	}
+}
+
+static void
+timerevent_unlink(isc_timer_t *timer, isc_timerevent_t *event) {
+	REQUIRE(ISC_LINK_LINKED(event, ev_timerlink));
+	ISC_LIST_UNLINK(timer->active, event, ev_timerlink);
+}
+
+static void
+timerevent_destroy(isc_event_t *event0) {
+	isc_timer_t *timer = event0->ev_destroy_arg;
+	isc_timerevent_t *event = (isc_timerevent_t *)event0;
+
+	LOCK(&timer->lock);
+	if (ISC_LINK_LINKED(event, ev_timerlink)) {
+		/* The event was unlinked via timer_purge() */
+		timerevent_unlink(timer, event);
+	}
+	UNLOCK(&timer->lock);
+
+	isc_mem_put(timer->manager->mctx, event, event0->ev_size);
+}
+
+static void
+timer_purge(isc_timer_t *timer) {
+	isc_timerevent_t *event = NULL;
+
+	while ((event = ISC_LIST_HEAD(timer->active)) != NULL) {
+		timerevent_unlink(timer, event);
+		UNLOCK(&timer->lock);
+		(void)isc_task_purgeevent(timer->task, (isc_event_t *)event);
+		LOCK(&timer->lock);
+	}
+}
+
+isc_result_t
+isc_timer_create(isc_timermgr_t *manager, isc_timertype_t type,
+		 const isc_time_t *expires, const isc_interval_t *interval,
+		 isc_task_t *task, isc_taskaction_t action, void *arg,
+		 isc_timer_t **timerp) {
+	REQUIRE(VALID_MANAGER(manager));
+	REQUIRE(task != NULL);
+	REQUIRE(action != NULL);
+
+	isc_timer_t *timer;
+	isc_result_t result;
+	isc_time_t now;
+
+	/*
+	 * Create a new 'type' timer managed by 'manager'.  The timers
+	 * parameters are specified by 'expires' and 'interval'.  Events
+	 * will be posted to 'task' and when dispatched 'action' will be
+	 * called with 'arg' as the arg value.  The new timer is returned
+	 * in 'timerp'.
+	 */
+	if (expires == NULL) {
+		expires = isc_time_epoch;
+	}
+	if (interval == NULL) {
+		interval = isc_interval_zero;
+	}
+	REQUIRE(type == isc_timertype_inactive ||
+		!(isc_time_isepoch(expires) && isc_interval_iszero(interval)));
+	REQUIRE(timerp != NULL && *timerp == NULL);
+	REQUIRE(type != isc_timertype_limited ||
+		!(isc_time_isepoch(expires) || isc_interval_iszero(interval)));
+
+	/*
+	 * Get current time.
+	 */
+	if (type != isc_timertype_inactive) {
+		TIME_NOW(&now);
+	} else {
+		/*
+		 * We don't have to do this, but it keeps the compiler from
+		 * complaining about "now" possibly being used without being
+		 * set, even though it will never actually happen.
+		 */
+		isc_time_settoepoch(&now);
+	}
+
+	timer = isc_mem_get(manager->mctx, sizeof(*timer));
+
+	timer->manager = manager;
+
+	if (type == isc_timertype_once && !isc_interval_iszero(interval)) {
+		result = isc_time_add(&now, interval, &timer->idle);
+		if (result != ISC_R_SUCCESS) {
+			isc_mem_put(manager->mctx, timer, sizeof(*timer));
+			return (result);
+		}
+	} else {
+		isc_time_settoepoch(&timer->idle);
+	}
+
+	timer->type = type;
+	timer->expires = *expires;
+	timer->interval = *interval;
+	timer->task = NULL;
+	isc_task_attach(task, &timer->task);
+	timer->action = action;
+	/*
+	 * Removing the const attribute from "arg" is the best of two
+	 * evils here.  If the timer->arg member is made const, then
+	 * it affects a great many recipients of the timer event
+	 * which did not pass in an "arg" that was truly const.
+	 * Changing isc_timer_create() to not have "arg" prototyped as const,
+	 * though, can cause compilers warnings for calls that *do*
+	 * have a truly const arg.  The caller will have to carefully
+	 * keep track of whether arg started as a true const.
+	 */
+	DE_CONST(arg, timer->arg);
+	timer->index = 0;
+	isc_mutex_init(&timer->lock);
+	ISC_LINK_INIT(timer, link);
+
+	ISC_LIST_INIT(timer->active);
+
+	timer->magic = TIMER_MAGIC;
+
+	LOCK(&manager->lock);
+
+	/*
+	 * Note we don't have to lock the timer like we normally would because
+	 * there are no external references to it yet.
+	 */
+
+	if (type != isc_timertype_inactive) {
+		result = schedule(timer, &now, true);
+	} else {
+		result = ISC_R_SUCCESS;
+	}
+	if (result == ISC_R_SUCCESS) {
+		*timerp = timer;
+		APPEND(manager->timers, timer, link);
+	}
+
+	UNLOCK(&manager->lock);
+
+	if (result != ISC_R_SUCCESS) {
+		timer->magic = 0;
+		isc_mutex_destroy(&timer->lock);
+		isc_task_detach(&timer->task);
+		isc_mem_put(manager->mctx, timer, sizeof(*timer));
+		return (result);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_timer_reset(isc_timer_t *timer, isc_timertype_t type,
+		const isc_time_t *expires, const isc_interval_t *interval,
+		bool purge) {
+	isc_time_t now;
+	isc_timermgr_t *manager;
+	isc_result_t result;
+
+	/*
+	 * Change the timer's type, expires, and interval values to the given
+	 * values.  If 'purge' is true, any pending events from this timer
+	 * are purged from its task's event queue.
+	 */
+
+	REQUIRE(VALID_TIMER(timer));
+	manager = timer->manager;
+	REQUIRE(VALID_MANAGER(manager));
+
+	if (expires == NULL) {
+		expires = isc_time_epoch;
+	}
+	if (interval == NULL) {
+		interval = isc_interval_zero;
+	}
+	REQUIRE(type == isc_timertype_inactive ||
+		!(isc_time_isepoch(expires) && isc_interval_iszero(interval)));
+	REQUIRE(type != isc_timertype_limited ||
+		!(isc_time_isepoch(expires) || isc_interval_iszero(interval)));
+
+	/*
+	 * Get current time.
+	 */
+	if (type != isc_timertype_inactive) {
+		TIME_NOW(&now);
+	} else {
+		/*
+		 * We don't have to do this, but it keeps the compiler from
+		 * complaining about "now" possibly being used without being
+		 * set, even though it will never actually happen.
+		 */
+		isc_time_settoepoch(&now);
+	}
+
+	LOCK(&manager->lock);
+	LOCK(&timer->lock);
+
+	if (purge) {
+		timer_purge(timer);
+	}
+	timer->type = type;
+	timer->expires = *expires;
+	timer->interval = *interval;
+	if (type == isc_timertype_once && !isc_interval_iszero(interval)) {
+		result = isc_time_add(&now, interval, &timer->idle);
+	} else {
+		isc_time_settoepoch(&timer->idle);
+		result = ISC_R_SUCCESS;
+	}
+
+	if (result == ISC_R_SUCCESS) {
+		if (type == isc_timertype_inactive) {
+			deschedule(timer);
+			result = ISC_R_SUCCESS;
+		} else {
+			result = schedule(timer, &now, true);
+		}
+	}
+
+	UNLOCK(&timer->lock);
+	UNLOCK(&manager->lock);
+
+	return (result);
+}
+
+isc_timertype_t
+isc_timer_gettype(isc_timer_t *timer) {
+	isc_timertype_t t;
+
+	REQUIRE(VALID_TIMER(timer));
+
+	LOCK(&timer->lock);
+	t = timer->type;
+	UNLOCK(&timer->lock);
+
+	return (t);
+}
+
+isc_result_t
+isc_timer_touch(isc_timer_t *timer) {
+	isc_result_t result;
+	isc_time_t now;
+
+	/*
+	 * Set the last-touched time of 'timer' to the current time.
+	 */
+
+	REQUIRE(VALID_TIMER(timer));
+
+	LOCK(&timer->lock);
+
+	/*
+	 * We'd like to
+	 *
+	 *	REQUIRE(timer->type == isc_timertype_once);
+	 *
+	 * but we cannot without locking the manager lock too, which we
+	 * don't want to do.
+	 */
+
+	TIME_NOW(&now);
+	result = isc_time_add(&now, &timer->interval, &timer->idle);
+
+	UNLOCK(&timer->lock);
+
+	return (result);
+}
+
+void
+isc_timer_destroy(isc_timer_t **timerp) {
+	isc_timer_t *timer = NULL;
+	isc_timermgr_t *manager = NULL;
+
+	REQUIRE(timerp != NULL && VALID_TIMER(*timerp));
+
+	timer = *timerp;
+	*timerp = NULL;
+
+	manager = timer->manager;
+
+	LOCK(&manager->lock);
+
+	LOCK(&timer->lock);
+	timer_purge(timer);
+	deschedule(timer);
+	UNLOCK(&timer->lock);
+
+	UNLINK(manager->timers, timer, link);
+
+	UNLOCK(&manager->lock);
+
+	isc_task_detach(&timer->task);
+	isc_mutex_destroy(&timer->lock);
+	timer->magic = 0;
+	isc_mem_put(manager->mctx, timer, sizeof(*timer));
+}
+
+static void
+timer_post_event(isc_timermgr_t *manager, isc_timer_t *timer,
+		 isc_eventtype_t type) {
+	isc_timerevent_t *event;
+	XTRACEID("posting", timer);
+
+	event = (isc_timerevent_t *)isc_event_allocate(
+		manager->mctx, timer, type, timer->action, timer->arg,
+		sizeof(*event));
+
+	ISC_LINK_INIT(event, ev_timerlink);
+	((isc_event_t *)event)->ev_destroy = timerevent_destroy;
+	((isc_event_t *)event)->ev_destroy_arg = timer;
+
+	event->due = timer->due;
+
+	LOCK(&timer->lock);
+	ISC_LIST_APPEND(timer->active, event, ev_timerlink);
+	UNLOCK(&timer->lock);
+
+	isc_task_send(timer->task, ISC_EVENT_PTR(&event));
+}
+
+static void
+dispatch(isc_timermgr_t *manager, isc_time_t *now) {
+	bool done = false, post_event, need_schedule;
+	isc_eventtype_t type = 0;
+	isc_timer_t *timer;
+	isc_result_t result;
+	bool idle;
+
+	/*!
+	 * The caller must be holding the manager lock.
+	 */
+
+	while (manager->nscheduled > 0 && !done) {
+		timer = isc_heap_element(manager->heap, 1);
+		INSIST(timer != NULL && timer->type != isc_timertype_inactive);
+		if (isc_time_compare(now, &timer->due) >= 0) {
+			if (timer->type == isc_timertype_ticker) {
+				type = ISC_TIMEREVENT_TICK;
+				post_event = true;
+				need_schedule = true;
+			} else if (timer->type == isc_timertype_limited) {
+				int cmp;
+				cmp = isc_time_compare(now, &timer->expires);
+				if (cmp >= 0) {
+					type = ISC_TIMEREVENT_LIFE;
+					post_event = true;
+					need_schedule = false;
+				} else {
+					type = ISC_TIMEREVENT_TICK;
+					post_event = true;
+					need_schedule = true;
+				}
+			} else if (!isc_time_isepoch(&timer->expires) &&
+				   isc_time_compare(now, &timer->expires) >= 0)
+			{
+				type = ISC_TIMEREVENT_LIFE;
+				post_event = true;
+				need_schedule = false;
+			} else {
+				idle = false;
+
+				LOCK(&timer->lock);
+				if (!isc_time_isepoch(&timer->idle) &&
+				    isc_time_compare(now, &timer->idle) >= 0)
+				{
+					idle = true;
+				}
+				UNLOCK(&timer->lock);
+				if (idle) {
+					type = ISC_TIMEREVENT_IDLE;
+					post_event = true;
+					need_schedule = false;
+				} else {
+					/*
+					 * Idle timer has been touched;
+					 * reschedule.
+					 */
+					XTRACEID("idle reschedule", timer);
+					post_event = false;
+					need_schedule = true;
+				}
+			}
+
+			if (post_event) {
+				timer_post_event(manager, timer, type);
+			}
+
+			timer->index = 0;
+			isc_heap_delete(manager->heap, 1);
+			manager->nscheduled--;
+
+			if (need_schedule) {
+				result = schedule(timer, now, false);
+				if (result != ISC_R_SUCCESS) {
+					UNEXPECTED_ERROR(__FILE__, __LINE__,
+							 "%s: %u",
+							 "couldn't schedule "
+							 "timer",
+							 result);
+				}
+			}
+		} else {
+			manager->due = timer->due;
+			done = true;
+		}
+	}
+}
+
+static isc_threadresult_t
+#ifdef _WIN32 /* XXXDCL */
+	WINAPI
+#endif /* ifdef _WIN32 */
+	run(void *uap) {
+	isc_timermgr_t *manager = uap;
+	isc_time_t now;
+	isc_result_t result;
+
+	LOCK(&manager->lock);
+	while (!manager->done) {
+		TIME_NOW(&now);
+
+		XTRACETIME("running", now);
+
+		dispatch(manager, &now);
+
+		if (manager->nscheduled > 0) {
+			XTRACETIME2("waituntil", manager->due, now);
+			result = WAITUNTIL(&manager->wakeup, &manager->lock,
+					   &manager->due);
+			INSIST(result == ISC_R_SUCCESS ||
+			       result == ISC_R_TIMEDOUT);
+		} else {
+			XTRACETIME("wait", now);
+			WAIT(&manager->wakeup, &manager->lock);
+		}
+		XTRACE("wakeup");
+	}
+	UNLOCK(&manager->lock);
+
+#ifdef OPENSSL_LEAKS
+	ERR_remove_state(0);
+#endif /* ifdef OPENSSL_LEAKS */
+
+	return ((isc_threadresult_t)0);
+}
+
+static bool
+sooner(void *v1, void *v2) {
+	isc_timer_t *t1, *t2;
+
+	t1 = v1;
+	t2 = v2;
+	REQUIRE(VALID_TIMER(t1));
+	REQUIRE(VALID_TIMER(t2));
+
+	if (isc_time_compare(&t1->due, &t2->due) < 0) {
+		return (true);
+	}
+	return (false);
+}
+
+static void
+set_index(void *what, unsigned int index) {
+	isc_timer_t *timer;
+
+	REQUIRE(VALID_TIMER(what));
+	timer = what;
+
+	timer->index = index;
+}
+
+isc_result_t
+isc_timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp) {
+	isc_timermgr_t *manager;
+
+	/*
+	 * Create a timer manager.
+	 */
+
+	REQUIRE(managerp != NULL && *managerp == NULL);
+
+	manager = isc_mem_get(mctx, sizeof(*manager));
+
+	manager->magic = TIMER_MANAGER_MAGIC;
+	manager->mctx = NULL;
+	manager->done = false;
+	INIT_LIST(manager->timers);
+	manager->nscheduled = 0;
+	isc_time_settoepoch(&manager->due);
+	manager->heap = NULL;
+	isc_heap_create(mctx, sooner, set_index, 0, &manager->heap);
+	isc_mutex_init(&manager->lock);
+	isc_mem_attach(mctx, &manager->mctx);
+	isc_condition_init(&manager->wakeup);
+	isc_thread_create(run, manager, &manager->thread);
+	isc_thread_setname(manager->thread, "isc-timer");
+
+	*managerp = manager;
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_timermgr_poke(isc_timermgr_t *manager) {
+	REQUIRE(VALID_MANAGER(manager));
+
+	SIGNAL(&manager->wakeup);
+}
+
+void
+isc_timermgr_destroy(isc_timermgr_t **managerp) {
+	isc_timermgr_t *manager;
+
+	/*
+	 * Destroy a timer manager.
+	 */
+
+	REQUIRE(managerp != NULL);
+	manager = *managerp;
+	REQUIRE(VALID_MANAGER(manager));
+
+	LOCK(&manager->lock);
+
+	REQUIRE(EMPTY(manager->timers));
+	manager->done = true;
+
+	XTRACE("signal (destroy)");
+	SIGNAL(&manager->wakeup);
+
+	UNLOCK(&manager->lock);
+
+	/*
+	 * Wait for thread to exit.
+	 */
+	isc_thread_join(manager->thread, NULL);
+
+	/*
+	 * Clean up.
+	 */
+	(void)isc_condition_destroy(&manager->wakeup);
+	isc_mutex_destroy(&manager->lock);
+	isc_heap_destroy(&manager->heap);
+	manager->magic = 0;
+	isc_mem_putanddetach(&manager->mctx, manager, sizeof(*manager));
+
+	*managerp = NULL;
+}
diff --git a/lib/isc/timer_p.h b/lib/isc/timer_p.h
new file mode 100644
index 0000000..84c5b2f
--- /dev/null
+++ b/lib/isc/timer_p.h
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_TIMER_P_H
+#define ISC_TIMER_P_H
+
+/*! \file */
+
+isc_result_t
+isc__timermgr_nextevent(isc_timermgr_t *timermgr, isc_time_t *when);
+
+void
+isc__timermgr_dispatch(isc_timermgr_t *timermgr);
+
+#endif /* ISC_TIMER_P_H */
diff --git a/lib/isc/tls.c b/lib/isc/tls.c
new file mode 100644
index 0000000..859c73c
--- /dev/null
+++ b/lib/isc/tls.c
@@ -0,0 +1,161 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <inttypes.h>
+
+#include <openssl/bn.h>
+#include <openssl/conf.h>
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/opensslv.h>
+#include <openssl/rand.h>
+#include <openssl/rsa.h>
+
+#include <isc/atomic.h>
+#include <isc/log.h>
+#include <isc/mutex.h>
+#include <isc/mutexblock.h>
+#include <isc/once.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+
+#include "openssl_shim.h"
+#include "tls_p.h"
+
+static isc_once_t init_once = ISC_ONCE_INIT;
+static isc_once_t shut_once = ISC_ONCE_INIT;
+static atomic_bool init_done = false;
+static atomic_bool shut_done = false;
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+static isc_mutex_t *locks = NULL;
+static int nlocks;
+
+static void
+isc__tls_lock_callback(int mode, int type, const char *file, int line) {
+	UNUSED(file);
+	UNUSED(line);
+	if ((mode & CRYPTO_LOCK) != 0) {
+		LOCK(&locks[type]);
+	} else {
+		UNLOCK(&locks[type]);
+	}
+}
+
+static void
+isc__tls_set_thread_id(CRYPTO_THREADID *id) {
+	CRYPTO_THREADID_set_numeric(id, (unsigned long)isc_thread_self());
+}
+#endif
+
+static void
+tls_initialize(void) {
+	REQUIRE(!atomic_load(&init_done));
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+	RUNTIME_CHECK(OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN |
+					       OPENSSL_INIT_LOAD_CONFIG,
+				       NULL) == 1);
+#else
+	nlocks = CRYPTO_num_locks();
+	/*
+	 * We can't use isc_mem API here, because it's called too
+	 * early and when the isc_mem_debugging flags are changed
+	 * later and ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX flags are
+	 * added, neither isc_mem_put() nor isc_mem_free() can be used
+	 * to free up the memory allocated here because the flags were
+	 * not set when calling isc_mem_get() or isc_mem_allocate()
+	 * here.
+	 *
+	 * Actually, since this is a single allocation at library load
+	 * and deallocation at library unload, using the standard
+	 * allocator without the tracking is fine for this purpose.
+	 */
+	locks = calloc(nlocks, sizeof(locks[0]));
+	isc_mutexblock_init(locks, nlocks);
+	CRYPTO_set_locking_callback(isc__tls_lock_callback);
+	CRYPTO_THREADID_set_callback(isc__tls_set_thread_id);
+
+	CRYPTO_malloc_init();
+	ERR_load_crypto_strings();
+	SSL_load_error_strings();
+	SSL_library_init();
+
+#if !defined(OPENSSL_NO_ENGINE)
+	ENGINE_load_builtin_engines();
+#endif
+	OpenSSL_add_all_algorithms();
+	OPENSSL_load_builtin_modules();
+
+	CONF_modules_load_file(NULL, NULL,
+			       CONF_MFLAGS_DEFAULT_SECTION |
+				       CONF_MFLAGS_IGNORE_MISSING_FILE);
+#endif
+
+	/* Protect ourselves against unseeded PRNG */
+	if (RAND_status() != 1) {
+		FATAL_ERROR(__FILE__, __LINE__,
+			    "OpenSSL pseudorandom number generator "
+			    "cannot be initialized (see the `PRNG not "
+			    "seeded' message in the OpenSSL FAQ)");
+	}
+
+	REQUIRE(atomic_compare_exchange_strong(&init_done, &(bool){ false },
+					       true));
+}
+
+void
+isc__tls_initialize(void) {
+	isc_result_t result = isc_once_do(&init_once, tls_initialize);
+	REQUIRE(result == ISC_R_SUCCESS);
+	REQUIRE(atomic_load(&init_done));
+}
+
+static void
+tls_shutdown(void) {
+	REQUIRE(atomic_load(&init_done));
+	REQUIRE(!atomic_load(&shut_done));
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+	OPENSSL_cleanup();
+#else
+	CONF_modules_unload(1);
+	OBJ_cleanup();
+	EVP_cleanup();
+#if !defined(OPENSSL_NO_ENGINE)
+	ENGINE_cleanup();
+#endif
+	CRYPTO_cleanup_all_ex_data();
+	ERR_remove_thread_state(NULL);
+	RAND_cleanup();
+	ERR_free_strings();
+
+	CRYPTO_set_locking_callback(NULL);
+
+	if (locks != NULL) {
+		isc_mutexblock_destroy(locks, nlocks);
+		free(locks);
+		locks = NULL;
+	}
+#endif
+
+	REQUIRE(atomic_compare_exchange_strong(&shut_done, &(bool){ false },
+					       true));
+}
+
+void
+isc__tls_shutdown(void) {
+	isc_result_t result = isc_once_do(&shut_once, tls_shutdown);
+	REQUIRE(result == ISC_R_SUCCESS);
+	REQUIRE(atomic_load(&shut_done));
+}
diff --git a/lib/isc/tls_p.h b/lib/isc/tls_p.h
new file mode 100644
index 0000000..c0bd693
--- /dev/null
+++ b/lib/isc/tls_p.h
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#pragma once
+
+void
+isc__tls_initialize(void);
+
+void
+isc__tls_shutdown(void);
diff --git a/lib/isc/tm.c b/lib/isc/tm.c
new file mode 100644
index 0000000..19a7bee
--- /dev/null
+++ b/lib/isc/tm.c
@@ -0,0 +1,469 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND BSD-2-Clause
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*-
+ * Copyright (c) 1997, 1998 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This code was contributed to The NetBSD Foundation by Klaus Klein.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <ctype.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+
+#include <isc/tm.h>
+#include <isc/util.h>
+
+/*
+ * Portable conversion routines for struct tm, replacing
+ * timegm() and strptime(), which are not available on all
+ * platforms and don't always behave the same way when they
+ * are.
+ */
+
+/*
+ * We do not implement alternate representations. However, we always
+ * check whether a given modifier is allowed for a certain conversion.
+ */
+#define ALT_E 0x01
+#define ALT_O 0x02
+#define LEGAL_ALT(x)                          \
+	{                                     \
+		if ((alt_format & ~(x)) != 0) \
+			return ((0));         \
+	}
+
+#ifndef TM_YEAR_BASE
+#define TM_YEAR_BASE 1900
+#endif /* ifndef TM_YEAR_BASE */
+
+static const char *day[7] = { "Sunday",	  "Monday", "Tuesday", "Wednesday",
+			      "Thursday", "Friday", "Saturday" };
+static const char *abday[7] = {
+	"Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"
+};
+static const char *mon[12] = {
+	"January", "February", "March",	    "April",   "May",	   "June",
+	"July",	   "August",   "September", "October", "November", "December"
+};
+static const char *abmon[12] = { "Jan", "Feb", "Mar", "Apr", "May", "Jun",
+				 "Jul", "Aug", "Sep", "Oct", "Nov", "Dec" };
+static const char *am_pm[2] = { "AM", "PM" };
+
+static int
+conv_num(const char **buf, int *dest, int llim, int ulim) {
+	int result = 0;
+
+	/* The limit also determines the number of valid digits. */
+	int rulim = ulim;
+
+	if (!isdigit((unsigned char)**buf)) {
+		return (0);
+	}
+
+	do {
+		result *= 10;
+		result += *(*buf)++ - '0';
+		rulim /= 10;
+	} while ((result * 10 <= ulim) && rulim && **buf >= '0' &&
+		 **buf <= '9');
+
+	if (result < llim || result > ulim) {
+		return (0);
+	}
+
+	*dest = result;
+	return (1);
+}
+
+time_t
+isc_tm_timegm(struct tm *tm) {
+	time_t ret;
+	int i, yday = 0, leapday;
+	int mdays[] = { 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30 };
+
+	leapday = ((((tm->tm_year + 1900) % 4) == 0 &&
+		    ((tm->tm_year + 1900) % 100) != 0) ||
+		   ((tm->tm_year + 1900) % 400) == 0)
+			  ? 1
+			  : 0;
+	mdays[1] += leapday;
+
+	yday = tm->tm_mday - 1;
+	for (i = 1; i <= tm->tm_mon; i++) {
+		yday += mdays[i - 1];
+	}
+	ret = tm->tm_sec + (60 * tm->tm_min) + (3600 * tm->tm_hour) +
+	      (86400 *
+	       (yday + ((tm->tm_year - 70) * 365) + ((tm->tm_year - 69) / 4) -
+		((tm->tm_year - 1) / 100) + ((tm->tm_year + 299) / 400)));
+	return (ret);
+}
+
+char *
+isc_tm_strptime(const char *buf, const char *fmt, struct tm *tm) {
+	char c, *ret;
+	const char *bp;
+	size_t len = 0;
+	int alt_format, i, split_year = 0;
+
+	REQUIRE(buf != NULL);
+	REQUIRE(fmt != NULL);
+	REQUIRE(tm != NULL);
+
+	memset(tm, 0, sizeof(struct tm));
+
+	bp = buf;
+
+	while ((c = *fmt) != '\0') {
+		/* Clear `alternate' modifier prior to new conversion. */
+		alt_format = 0;
+
+		/* Eat up white-space. */
+		if (isspace((unsigned char)c)) {
+			while (isspace((unsigned char)*bp)) {
+				bp++;
+			}
+
+			fmt++;
+			continue;
+		}
+
+		if ((c = *fmt++) != '%') {
+			goto literal;
+		}
+
+	again:
+		switch (c = *fmt++) {
+		case '%': /* "%%" is converted to "%". */
+		literal:
+			if (c != *bp++) {
+				return (0);
+			}
+			break;
+
+		/*
+		 * "Alternative" modifiers. Just set the appropriate flag
+		 * and start over again.
+		 */
+		case 'E': /* "%E?" alternative conversion modifier. */
+			LEGAL_ALT(0);
+			alt_format |= ALT_E;
+			goto again;
+
+		case 'O': /* "%O?" alternative conversion modifier. */
+			LEGAL_ALT(0);
+			alt_format |= ALT_O;
+			goto again;
+
+		/*
+		 * "Complex" conversion rules, implemented through recursion.
+		 */
+		case 'c': /* Date and time, using the locale's format. */
+			LEGAL_ALT(ALT_E);
+			if (!(bp = isc_tm_strptime(bp, "%x %X", tm))) {
+				return (0);
+			}
+			break;
+
+		case 'D': /* The date as "%m/%d/%y". */
+			LEGAL_ALT(0);
+			if (!(bp = isc_tm_strptime(bp, "%m/%d/%y", tm))) {
+				return (0);
+			}
+			break;
+
+		case 'R': /* The time as "%H:%M". */
+			LEGAL_ALT(0);
+			if (!(bp = isc_tm_strptime(bp, "%H:%M", tm))) {
+				return (0);
+			}
+			break;
+
+		case 'r': /* The time in 12-hour clock representation. */
+			LEGAL_ALT(0);
+			if (!(bp = isc_tm_strptime(bp, "%I:%M:%S %p", tm))) {
+				return (0);
+			}
+			break;
+
+		case 'T': /* The time as "%H:%M:%S". */
+			LEGAL_ALT(0);
+			if (!(bp = isc_tm_strptime(bp, "%H:%M:%S", tm))) {
+				return (0);
+			}
+			break;
+
+		case 'X': /* The time, using the locale's format. */
+			LEGAL_ALT(ALT_E);
+			if (!(bp = isc_tm_strptime(bp, "%H:%M:%S", tm))) {
+				return (0);
+			}
+			break;
+
+		case 'x': /* The date, using the locale's format. */
+			LEGAL_ALT(ALT_E);
+			if (!(bp = isc_tm_strptime(bp, "%m/%d/%y", tm))) {
+				return (0);
+			}
+			break;
+
+		/*
+		 * "Elementary" conversion rules.
+		 */
+		case 'A': /* The day of week, using the locale's form. */
+		case 'a':
+			LEGAL_ALT(0);
+			for (i = 0; i < 7; i++) {
+				/* Full name. */
+				len = strlen(day[i]);
+				if (strncasecmp(day[i], bp, len) == 0) {
+					break;
+				}
+
+				/* Abbreviated name. */
+				len = strlen(abday[i]);
+				if (strncasecmp(abday[i], bp, len) == 0) {
+					break;
+				}
+			}
+
+			/* Nothing matched. */
+			if (i == 7) {
+				return (0);
+			}
+
+			tm->tm_wday = i;
+			bp += len;
+			break;
+
+		case 'B': /* The month, using the locale's form. */
+		case 'b':
+		case 'h':
+			LEGAL_ALT(0);
+			for (i = 0; i < 12; i++) {
+				/* Full name. */
+				len = strlen(mon[i]);
+				if (strncasecmp(mon[i], bp, len) == 0) {
+					break;
+				}
+
+				/* Abbreviated name. */
+				len = strlen(abmon[i]);
+				if (strncasecmp(abmon[i], bp, len) == 0) {
+					break;
+				}
+			}
+
+			/* Nothing matched. */
+			if (i == 12) {
+				return (0);
+			}
+
+			tm->tm_mon = i;
+			bp += len;
+			break;
+
+		case 'C': /* The century number. */
+			LEGAL_ALT(ALT_E);
+			if (!(conv_num(&bp, &i, 0, 99))) {
+				return (0);
+			}
+
+			if (split_year) {
+				tm->tm_year = (tm->tm_year % 100) + (i * 100);
+			} else {
+				tm->tm_year = i * 100;
+				split_year = 1;
+			}
+			break;
+
+		case 'd': /* The day of month. */
+		case 'e':
+			LEGAL_ALT(ALT_O);
+			if (!(conv_num(&bp, &tm->tm_mday, 1, 31))) {
+				return (0);
+			}
+			break;
+
+		case 'k': /* The hour (24-hour clock representation). */
+			LEGAL_ALT(0);
+			FALLTHROUGH;
+		case 'H':
+			LEGAL_ALT(ALT_O);
+			if (!(conv_num(&bp, &tm->tm_hour, 0, 23))) {
+				return (0);
+			}
+			break;
+
+		case 'l': /* The hour (12-hour clock representation). */
+			LEGAL_ALT(0);
+			FALLTHROUGH;
+		case 'I':
+			LEGAL_ALT(ALT_O);
+			if (!(conv_num(&bp, &tm->tm_hour, 1, 12))) {
+				return (0);
+			}
+			if (tm->tm_hour == 12) {
+				tm->tm_hour = 0;
+			}
+			break;
+
+		case 'j': /* The day of year. */
+			LEGAL_ALT(0);
+			if (!(conv_num(&bp, &i, 1, 366))) {
+				return (0);
+			}
+			tm->tm_yday = i - 1;
+			break;
+
+		case 'M': /* The minute. */
+			LEGAL_ALT(ALT_O);
+			if (!(conv_num(&bp, &tm->tm_min, 0, 59))) {
+				return (0);
+			}
+			break;
+
+		case 'm': /* The month. */
+			LEGAL_ALT(ALT_O);
+			if (!(conv_num(&bp, &i, 1, 12))) {
+				return (0);
+			}
+			tm->tm_mon = i - 1;
+			break;
+
+		case 'p': /* The locale's equivalent of AM/PM. */
+			LEGAL_ALT(0);
+			/* AM? */
+			if (strcasecmp(am_pm[0], bp) == 0) {
+				if (tm->tm_hour > 11) {
+					return (0);
+				}
+
+				bp += strlen(am_pm[0]);
+				break;
+			}
+			/* PM? */
+			else if (strcasecmp(am_pm[1], bp) == 0)
+			{
+				if (tm->tm_hour > 11) {
+					return (0);
+				}
+
+				tm->tm_hour += 12;
+				bp += strlen(am_pm[1]);
+				break;
+			}
+
+			/* Nothing matched. */
+			return (0);
+
+		case 'S': /* The seconds. */
+			LEGAL_ALT(ALT_O);
+			if (!(conv_num(&bp, &tm->tm_sec, 0, 61))) {
+				return (0);
+			}
+			break;
+
+		case 'U': /* The week of year, beginning on sunday. */
+		case 'W': /* The week of year, beginning on monday. */
+			LEGAL_ALT(ALT_O);
+			/*
+			 * XXX This is bogus, as we can not assume any valid
+			 * information present in the tm structure at this
+			 * point to calculate a real value, so just check the
+			 * range for now.
+			 */
+			if (!(conv_num(&bp, &i, 0, 53))) {
+				return (0);
+			}
+			break;
+
+		case 'w': /* The day of week, beginning on sunday. */
+			LEGAL_ALT(ALT_O);
+			if (!(conv_num(&bp, &tm->tm_wday, 0, 6))) {
+				return (0);
+			}
+			break;
+
+		case 'Y': /* The year. */
+			LEGAL_ALT(ALT_E);
+			if (!(conv_num(&bp, &i, 0, 9999))) {
+				return (0);
+			}
+
+			tm->tm_year = i - TM_YEAR_BASE;
+			break;
+
+		case 'y': /* The year within 100 years of the epoch. */
+			LEGAL_ALT(ALT_E | ALT_O);
+			if (!(conv_num(&bp, &i, 0, 99))) {
+				return (0);
+			}
+
+			if (split_year) {
+				tm->tm_year = ((tm->tm_year / 100) * 100) + i;
+				break;
+			}
+			split_year = 1;
+			if (i <= 68) {
+				tm->tm_year = i + 2000 - TM_YEAR_BASE;
+			} else {
+				tm->tm_year = i + 1900 - TM_YEAR_BASE;
+			}
+			break;
+
+		/*
+		 * Miscellaneous conversions.
+		 */
+		case 'n': /* Any kind of white-space. */
+		case 't':
+			LEGAL_ALT(0);
+			while (isspace((unsigned char)*bp)) {
+				bp++;
+			}
+			break;
+
+		default: /* Unknown/unsupported conversion. */
+			return (0);
+		}
+	}
+
+	/* LINTED functional specification */
+	DE_CONST(bp, ret);
+	return (ret);
+}
diff --git a/lib/isc/trampoline.c b/lib/isc/trampoline.c
new file mode 100644
index 0000000..be451a9
--- /dev/null
+++ b/lib/isc/trampoline.c
@@ -0,0 +1,218 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdlib.h>
+#include <uv.h>
+
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+
+#include "trampoline_p.h"
+
+#define ISC__TRAMPOLINE_UNUSED 0
+
+struct isc__trampoline {
+	int tid; /* const */
+	uintptr_t self;
+	isc_threadfunc_t start;
+	isc_threadarg_t arg;
+	void *jemalloc_enforce_init;
+};
+
+/*
+ * We can't use isc_mem API here, because it's called too
+ * early and when the isc_mem_debugging flags are changed
+ * later and ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX flags are
+ * added, neither isc_mem_put() nor isc_mem_free() can be used
+ * to free up the memory allocated here because the flags were
+ * not set when calling isc_mem_get() or isc_mem_allocate()
+ * here.
+ *
+ * Since this is a single allocation at library load and deallocation at library
+ * unload, using the standard allocator without the tracking is fine for this
+ * single purpose.
+ *
+ * We can't use isc_mutex API either, because we track whether the mutexes get
+ * properly destroyed, and we intentionally leak the static mutex here without
+ * destroying it to prevent data race between library destructor running while
+ * thread is being still created.
+ */
+
+static uv_mutex_t isc__trampoline_lock;
+static isc__trampoline_t **trampolines;
+#if defined(HAVE_THREAD_LOCAL)
+#include <threads.h>
+thread_local size_t isc_tid_v = SIZE_MAX;
+#elif defined(HAVE___THREAD)
+__thread size_t isc_tid_v = SIZE_MAX;
+#elif HAVE___DECLSPEC_THREAD
+__declspec(thread) size_t isc_tid_v = SIZE_MAX;
+#endif /* if defined(HAVE_THREAD_LOCAL) */
+static size_t isc__trampoline_min = 1;
+static size_t isc__trampoline_max = 65;
+
+static isc_once_t start_once = ISC_ONCE_INIT;
+static isc_once_t stop_once = ISC_ONCE_INIT;
+
+static isc__trampoline_t *
+isc__trampoline_new(int tid, isc_threadfunc_t start, isc_threadarg_t arg) {
+	isc__trampoline_t *trampoline = calloc(1, sizeof(*trampoline));
+	RUNTIME_CHECK(trampoline != NULL);
+
+	*trampoline = (isc__trampoline_t){
+		.tid = tid,
+		.start = start,
+		.arg = arg,
+		.self = ISC__TRAMPOLINE_UNUSED,
+	};
+
+	return (trampoline);
+}
+
+static void
+do_init(void) {
+	uv_mutex_init(&isc__trampoline_lock);
+
+	trampolines = calloc(isc__trampoline_max, sizeof(trampolines[0]));
+	RUNTIME_CHECK(trampolines != NULL);
+
+	/* Get the trampoline slot 0 for the main thread */
+	trampolines[0] = isc__trampoline_new(0, NULL, NULL);
+	isc_tid_v = trampolines[0]->tid;
+	trampolines[0]->self = isc_thread_self();
+
+	/* Initialize the other trampolines */
+	for (size_t i = 1; i < isc__trampoline_max; i++) {
+		trampolines[i] = NULL;
+	}
+	isc__trampoline_min = 1;
+}
+
+void
+isc__trampoline_initialize(void) {
+	isc_once_do(&start_once, do_init);
+}
+
+static void
+do_shutdown(void) {
+	/*
+	 * When the program using the library exits abruptly and the library
+	 * gets unloaded, there might be some existing trampolines from unjoined
+	 * threads.  We intentionally ignore those and don't check whether all
+	 * trampolines have been cleared before exiting, so we leak a little bit
+	 * of resources here, including the lock.
+	 */
+	free(trampolines[0]);
+}
+
+void
+isc__trampoline_shutdown(void) {
+	isc_once_do(&stop_once, do_shutdown);
+}
+
+isc__trampoline_t *
+isc__trampoline_get(isc_threadfunc_t start, isc_threadarg_t arg) {
+	isc__trampoline_t **tmp = NULL;
+	isc__trampoline_t *trampoline = NULL;
+	uv_mutex_lock(&isc__trampoline_lock);
+again:
+	for (size_t i = isc__trampoline_min; i < isc__trampoline_max; i++) {
+		if (trampolines[i] == NULL) {
+			trampoline = isc__trampoline_new(i, start, arg);
+			trampolines[i] = trampoline;
+			isc__trampoline_min = i + 1;
+			goto done;
+		}
+	}
+	tmp = calloc(2 * isc__trampoline_max, sizeof(trampolines[0]));
+	RUNTIME_CHECK(tmp != NULL);
+	for (size_t i = 0; i < isc__trampoline_max; i++) {
+		tmp[i] = trampolines[i];
+	}
+	for (size_t i = isc__trampoline_max; i < 2 * isc__trampoline_max; i++) {
+		tmp[i] = NULL;
+	}
+	free(trampolines);
+	trampolines = tmp;
+	isc__trampoline_max = isc__trampoline_max * 2;
+	goto again;
+done:
+	INSIST(trampoline != NULL);
+	uv_mutex_unlock(&isc__trampoline_lock);
+
+	return (trampoline);
+}
+
+void
+isc__trampoline_detach(isc__trampoline_t *trampoline) {
+	uv_mutex_lock(&isc__trampoline_lock);
+	REQUIRE(trampoline->self == isc_thread_self());
+	REQUIRE(trampoline->tid > 0);
+	REQUIRE((size_t)trampoline->tid < isc__trampoline_max);
+	REQUIRE(trampolines[trampoline->tid] == trampoline);
+
+	trampolines[trampoline->tid] = NULL;
+
+	if (isc__trampoline_min > (size_t)trampoline->tid) {
+		isc__trampoline_min = trampoline->tid;
+	}
+
+	free(trampoline->jemalloc_enforce_init);
+	free(trampoline);
+
+	uv_mutex_unlock(&isc__trampoline_lock);
+	return;
+}
+
+void
+isc__trampoline_attach(isc__trampoline_t *trampoline) {
+	uv_mutex_lock(&isc__trampoline_lock);
+	REQUIRE(trampoline->self == ISC__TRAMPOLINE_UNUSED);
+	REQUIRE(trampoline->tid > 0);
+	REQUIRE((size_t)trampoline->tid < isc__trampoline_max);
+	REQUIRE(trampolines[trampoline->tid] == trampoline);
+
+	/* Initialize the trampoline */
+	isc_tid_v = trampoline->tid;
+	trampoline->self = isc_thread_self();
+
+	/*
+	 * Ensure every thread starts with a malloc() call to prevent memory
+	 * bloat caused by a jemalloc quirk.  While this dummy allocation is
+	 * not used for anything, free() must not be immediately called for it
+	 * so that an optimizing compiler does not strip away such a pair of
+	 * malloc() + free() calls altogether, as it would foil the fix.
+	 */
+	trampoline->jemalloc_enforce_init = malloc(8);
+	uv_mutex_unlock(&isc__trampoline_lock);
+}
+
+isc_threadresult_t
+isc__trampoline_run(isc_threadarg_t arg) {
+	isc__trampoline_t *trampoline = (isc__trampoline_t *)arg;
+	isc_threadresult_t result;
+
+	isc__trampoline_attach(trampoline);
+
+	/* Run the main function */
+	result = (trampoline->start)(trampoline->arg);
+
+	isc__trampoline_detach(trampoline);
+
+	return (result);
+}
diff --git a/lib/isc/trampoline_p.h b/lib/isc/trampoline_p.h
new file mode 100644
index 0000000..4599ea1
--- /dev/null
+++ b/lib/isc/trampoline_p.h
@@ -0,0 +1,90 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#pragma once
+
+#include <isc/thread.h>
+
+/*! \file isc/trampoline_p.h
+ * \brief isc__trampoline: allows safe reuse of thread ID numbers.
+ *
+ * The 'isc_hp' hazard pointer API uses an internal thread ID
+ * variable ('tid_v') that is incremented for each new thread that uses
+ * hazard pointers. This thread ID is then used as an index into a global
+ * shared table of hazard pointer state.
+ *
+ * Since the thread ID is only incremented and never decremented, the
+ * table can overflow if threads are frequently created and destroyed.
+ *
+ * A trampoline is a thin wrapper around any function to be called from
+ * a newly launched thread. It maintains a table of thread IDs used by
+ * current and previous threads; when a thread is destroyed, its slot in
+ * the trampoline table becomes available, and the next thread to occupy
+ * that slot can use the same thread ID that its predecessor did.
+ *
+ * The trampoline table initially has space for 64 worker threads in
+ * addition to the main thread. If more threads than that are in
+ * concurrent use, the table is reallocated with twice as much space.
+ * (Note that the number of concurrent threads is currently capped at
+ * 128 by the queue and hazard pointer implementations.)
+ */
+
+typedef struct isc__trampoline isc__trampoline_t;
+
+void
+isc__trampoline_initialize(void);
+/*%<
+ * Initialize the thread trampoline internal structures, must be called only
+ * once as a library constructor (see lib/isc/lib.c).
+ */
+
+void
+isc__trampoline_shutdown(void);
+/*%<
+ * Destroy the thread trampoline internal structures, must be called only
+ * once as a library destructor (see lib/isc/lib.c).
+ */
+
+isc__trampoline_t *
+isc__trampoline_get(isc_threadfunc_t start_routine, isc_threadarg_t arg);
+/*%<
+ * Get a free thread trampoline structure and initialize it with
+ * start_routine and arg passed to start_routine.
+ *
+ * Requires:
+ *\li	'start_routine' is a valid non-NULL thread start_routine
+ */
+
+void
+isc__trampoline_attach(isc__trampoline_t *trampoline);
+void
+isc__trampoline_detach(isc__trampoline_t *trampoline);
+/*%<
+ * Attach/detach the trampoline to/from the current thread.
+ *
+ * Requires:
+ * \li  'trampoline' is a valid isc__trampoline_t
+ */
+
+isc_threadresult_t
+isc__trampoline_run(isc_threadarg_t arg);
+/*%<
+ * Run the thread trampoline, this will get passed to the actual
+ * pthread_create() (or Windows equivalent), initialize the isc_tid_v.
+ *
+ * Requires:
+ *\li	'arg' is a valid isc_trampoline_t
+ *
+ * Returns:
+ *\li	return value from start_routine (see isc__trampoline_get())
+ */
diff --git a/lib/isc/unix/Makefile.in b/lib/isc/unix/Makefile.in
new file mode 100644
index 0000000..4af7d6e
--- /dev/null
+++ b/lib/isc/unix/Makefile.in
@@ -0,0 +1,48 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+CINCLUDES =	-I${srcdir}/include \
+		-I${srcdir}/../pthreads/include \
+		-I../include \
+		-I${srcdir}/../include \
+		-I${srcdir}/.. \
+		${OPENSSL_CFLAGS} \
+		${JSON_C_CFLAGS} \
+		${LIBXML2_CFLAGS}
+
+CDEFINES =
+CWARNINGS =
+
+# Alphabetically
+OBJS =		pk11_api.@O@ \
+		dir.@O@ errno.@O@ errno2result.@O@ \
+		file.@O@ fsaccess.@O@ interfaceiter.@O@ \
+		meminfo.@O@ \
+		net.@O@ os.@O@ resource.@O@ socket.@O@ stdio.@O@ stdtime.@O@ \
+		syslog.@O@ time.@O@
+
+# Alphabetically
+SRCS =		pk11_api.c \
+		dir.c errno.c errno2result.c \
+		file.c fsaccess.c interfaceiter.c meminfo.c \
+		net.c os.c resource.c socket.c stdio.c stdtime.c \
+		syslog.c time.c
+
+SUBDIRS =	include
+TARGETS =	${OBJS}
+
+@BIND9_MAKE_RULES@
+
+interfaceiter.@O@: interfaceiter.c ifiter_getifaddrs.c
diff --git a/lib/isc/unix/dir.c b/lib/isc/unix/dir.c
new file mode 100644
index 0000000..b7eabe9
--- /dev/null
+++ b/lib/isc/unix/dir.c
@@ -0,0 +1,268 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <ctype.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#include <isc/dir.h>
+#include <isc/magic.h>
+#include <isc/netdb.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include "errno2result.h"
+
+#define ISC_DIR_MAGIC  ISC_MAGIC('D', 'I', 'R', '*')
+#define VALID_DIR(dir) ISC_MAGIC_VALID(dir, ISC_DIR_MAGIC)
+
+void
+isc_dir_init(isc_dir_t *dir) {
+	REQUIRE(dir != NULL);
+
+	dir->entry.name[0] = '\0';
+	dir->entry.length = 0;
+
+	dir->handle = NULL;
+
+	dir->magic = ISC_DIR_MAGIC;
+}
+
+/*!
+ * \brief Allocate workspace and open directory stream. If either one fails,
+ * NULL will be returned.
+ */
+isc_result_t
+isc_dir_open(isc_dir_t *dir, const char *dirname) {
+	char *p;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(VALID_DIR(dir));
+	REQUIRE(dirname != NULL);
+
+	/*
+	 * Copy directory name.  Need to have enough space for the name,
+	 * a possible path separator, the wildcard, and the final NUL.
+	 */
+	if (strlen(dirname) + 3 > sizeof(dir->dirname)) {
+		/* XXXDCL ? */
+		return (ISC_R_NOSPACE);
+	}
+	strlcpy(dir->dirname, dirname, sizeof(dir->dirname));
+
+	/*
+	 * Append path separator, if needed, and "*".
+	 */
+	p = dir->dirname + strlen(dir->dirname);
+	if (dir->dirname < p && *(p - 1) != '/') {
+		*p++ = '/';
+	}
+	*p++ = '*';
+	*p = '\0';
+
+	/*
+	 * Open stream.
+	 */
+	dir->handle = opendir(dirname);
+
+	if (dir->handle == NULL) {
+		return (isc__errno2result(errno));
+	}
+
+	return (result);
+}
+
+/*!
+ * \brief Return previously retrieved file or get next one.
+ *
+ * Unix's dirent has
+ * separate open and read functions, but the Win32 and DOS interfaces open
+ * the dir stream and reads the first file in one operation.
+ */
+isc_result_t
+isc_dir_read(isc_dir_t *dir) {
+	struct dirent *entry;
+
+	REQUIRE(VALID_DIR(dir) && dir->handle != NULL);
+
+	/*
+	 * Fetch next file in directory.
+	 */
+	entry = readdir(dir->handle);
+
+	if (entry == NULL) {
+		return (ISC_R_NOMORE);
+	}
+
+	/*
+	 * Make sure that the space for the name is long enough.
+	 */
+	if (sizeof(dir->entry.name) <= strlen(entry->d_name)) {
+		return (ISC_R_UNEXPECTED);
+	}
+
+	strlcpy(dir->entry.name, entry->d_name, sizeof(dir->entry.name));
+
+	/*
+	 * Some dirents have d_namlen, but it is not portable.
+	 */
+	dir->entry.length = strlen(entry->d_name);
+
+	return (ISC_R_SUCCESS);
+}
+
+/*!
+ * \brief Close directory stream.
+ */
+void
+isc_dir_close(isc_dir_t *dir) {
+	REQUIRE(VALID_DIR(dir) && dir->handle != NULL);
+
+	(void)closedir(dir->handle);
+	dir->handle = NULL;
+}
+
+/*!
+ * \brief Reposition directory stream at start.
+ */
+isc_result_t
+isc_dir_reset(isc_dir_t *dir) {
+	REQUIRE(VALID_DIR(dir) && dir->handle != NULL);
+
+	rewinddir(dir->handle);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_dir_chdir(const char *dirname) {
+	/*!
+	 * \brief Change the current directory to 'dirname'.
+	 */
+
+	REQUIRE(dirname != NULL);
+
+	if (chdir(dirname) < 0) {
+		return (isc__errno2result(errno));
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_dir_chroot(const char *dirname) {
+#ifdef HAVE_CHROOT
+	void *tmp;
+#endif /* ifdef HAVE_CHROOT */
+
+	REQUIRE(dirname != NULL);
+
+#ifdef HAVE_CHROOT
+	/*
+	 * Try to use getservbyname and getprotobyname before chroot.
+	 * If WKS records are used in a zone under chroot, Name Service Switch
+	 * may fail to load library in chroot.
+	 * Do not report errors if it fails, we do not need any result now.
+	 */
+	tmp = getprotobyname("udp");
+	if (tmp != NULL) {
+		(void)getservbyname("domain", "udp");
+	}
+
+	if (chroot(dirname) < 0 || chdir("/") < 0) {
+		return (isc__errno2result(errno));
+	}
+
+	return (ISC_R_SUCCESS);
+#else  /* ifdef HAVE_CHROOT */
+	return (ISC_R_NOTIMPLEMENTED);
+#endif /* ifdef HAVE_CHROOT */
+}
+
+isc_result_t
+isc_dir_createunique(char *templet) {
+	isc_result_t result;
+	char *x;
+	char *p;
+	int i;
+	int pid;
+
+	REQUIRE(templet != NULL);
+
+	/*!
+	 * \brief mkdtemp is not portable, so this emulates it.
+	 */
+
+	pid = getpid();
+
+	/*
+	 * Replace trailing Xs with the process-id, zero-filled.
+	 */
+	for (x = templet + strlen(templet) - 1; *x == 'X' && x >= templet;
+	     x--, pid /= 10)
+	{
+		*x = pid % 10 + '0';
+	}
+
+	x++; /* Set x to start of ex-Xs. */
+
+	do {
+		i = mkdir(templet, 0700);
+		if (i == 0 || errno != EEXIST) {
+			break;
+		}
+
+		/*
+		 * The BSD algorithm.
+		 */
+		p = x;
+		while (*p != '\0') {
+			if (isdigit((unsigned char)*p)) {
+				*p = 'a';
+			} else if (*p != 'z') {
+				++*p;
+			} else {
+				/*
+				 * Reset character and move to next.
+				 */
+				*p++ = 'a';
+				continue;
+			}
+
+			break;
+		}
+
+		if (*p == '\0') {
+			/*
+			 * Tried all combinations.  errno should already
+			 * be EEXIST, but ensure it is anyway for
+			 * isc__errno2result().
+			 */
+			errno = EEXIST;
+			break;
+		}
+	} while (1);
+
+	if (i == -1) {
+		result = isc__errno2result(errno);
+	} else {
+		result = ISC_R_SUCCESS;
+	}
+
+	return (result);
+}
diff --git a/lib/isc/unix/errno.c b/lib/isc/unix/errno.c
new file mode 100644
index 0000000..5875f3b
--- /dev/null
+++ b/lib/isc/unix/errno.c
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <isc/errno.h>
+#include <isc/util.h>
+
+#include "errno2result.h"
+
+isc_result_t
+isc_errno_toresult(int err) {
+	return (isc___errno2result(err, false, 0, 0));
+}
diff --git a/lib/isc/unix/errno2result.c b/lib/isc/unix/errno2result.c
new file mode 100644
index 0000000..6f752df
--- /dev/null
+++ b/lib/isc/unix/errno2result.c
@@ -0,0 +1,131 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include "errno2result.h"
+#include <stdbool.h>
+
+#include <isc/platform.h>
+#include <isc/result.h>
+#include <isc/strerr.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+/*%
+ * Convert a POSIX errno value into an isc_result_t.  The
+ * list of supported errno values is not complete; new users
+ * of this function should add any expected errors that are
+ * not already there.
+ */
+isc_result_t
+isc___errno2result(int posixerrno, bool dolog, const char *file,
+		   unsigned int line) {
+	char strbuf[ISC_STRERRORSIZE];
+
+	switch (posixerrno) {
+	case ENOTDIR:
+	case ELOOP:
+	case EINVAL: /* XXX sometimes this is not for files */
+	case ENAMETOOLONG:
+	case EBADF:
+		return (ISC_R_INVALIDFILE);
+	case ENOENT:
+		return (ISC_R_FILENOTFOUND);
+	case EACCES:
+	case EPERM:
+		return (ISC_R_NOPERM);
+	case EEXIST:
+		return (ISC_R_FILEEXISTS);
+	case EIO:
+		return (ISC_R_IOERROR);
+	case ENOMEM:
+		return (ISC_R_NOMEMORY);
+	case ENFILE:
+	case EMFILE:
+		return (ISC_R_TOOMANYOPENFILES);
+#ifdef EDQUOT
+	case EDQUOT:
+		return (ISC_R_DISCQUOTA);
+#endif /* ifdef EDQUOT */
+	case ENOSPC:
+		return (ISC_R_DISCFULL);
+#ifdef EOVERFLOW
+	case EOVERFLOW:
+		return (ISC_R_RANGE);
+#endif /* ifdef EOVERFLOW */
+	case EPIPE:
+#ifdef ECONNRESET
+	case ECONNRESET:
+#endif /* ifdef ECONNRESET */
+#ifdef ECONNABORTED
+	case ECONNABORTED:
+#endif /* ifdef ECONNABORTED */
+		return (ISC_R_CONNECTIONRESET);
+#ifdef ENOTCONN
+	case ENOTCONN:
+		return (ISC_R_NOTCONNECTED);
+#endif /* ifdef ENOTCONN */
+#ifdef ETIMEDOUT
+	case ETIMEDOUT:
+		return (ISC_R_TIMEDOUT);
+#endif /* ifdef ETIMEDOUT */
+#ifdef ENOBUFS
+	case ENOBUFS:
+		return (ISC_R_NORESOURCES);
+#endif /* ifdef ENOBUFS */
+#ifdef EAFNOSUPPORT
+	case EAFNOSUPPORT:
+		return (ISC_R_FAMILYNOSUPPORT);
+#endif /* ifdef EAFNOSUPPORT */
+#ifdef ENETDOWN
+	case ENETDOWN:
+		return (ISC_R_NETDOWN);
+#endif /* ifdef ENETDOWN */
+#ifdef EHOSTDOWN
+	case EHOSTDOWN:
+		return (ISC_R_HOSTDOWN);
+#endif /* ifdef EHOSTDOWN */
+#ifdef ENETUNREACH
+	case ENETUNREACH:
+		return (ISC_R_NETUNREACH);
+#endif /* ifdef ENETUNREACH */
+#ifdef EHOSTUNREACH
+	case EHOSTUNREACH:
+		return (ISC_R_HOSTUNREACH);
+#endif /* ifdef EHOSTUNREACH */
+#ifdef EADDRINUSE
+	case EADDRINUSE:
+		return (ISC_R_ADDRINUSE);
+#endif /* ifdef EADDRINUSE */
+	case EADDRNOTAVAIL:
+		return (ISC_R_ADDRNOTAVAIL);
+	case ECONNREFUSED:
+		return (ISC_R_CONNREFUSED);
+	default:
+		if (dolog) {
+			strerror_r(posixerrno, strbuf, sizeof(strbuf));
+			UNEXPECTED_ERROR(file, line,
+					 "unable to convert errno "
+					 "to isc_result: %d: %s",
+					 posixerrno, strbuf);
+		}
+		/*
+		 * XXXDCL would be nice if perhaps this function could
+		 * return the system's error string, so the caller
+		 * might have something more descriptive than "unexpected
+		 * error" to log with.
+		 */
+		return (ISC_R_UNEXPECTED);
+	}
+}
diff --git a/lib/isc/unix/errno2result.h b/lib/isc/unix/errno2result.h
new file mode 100644
index 0000000..05de1f2
--- /dev/null
+++ b/lib/isc/unix/errno2result.h
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef UNIX_ERRNO2RESULT_H
+#define UNIX_ERRNO2RESULT_H 1
+
+/*! \file */
+
+/* XXXDCL this should be moved to lib/isc/include/isc/errno2result.h. */
+
+#include <errno.h> /* Provides errno. */
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+#define isc__errno2result(x) isc___errno2result(x, true, __FILE__, __LINE__)
+
+isc_result_t
+isc___errno2result(int posixerrno, bool dolog, const char *file,
+		   unsigned int line);
+
+ISC_LANG_ENDDECLS
+
+#endif /* UNIX_ERRNO2RESULT_H */
diff --git a/lib/isc/unix/file.c b/lib/isc/unix/file.c
new file mode 100644
index 0000000..0604f14
--- /dev/null
+++ b/lib/isc/unix/file.c
@@ -0,0 +1,840 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Portions Copyright (c) 1987, 1993
+ *      The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*! \file */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <inttypes.h>
+#include <limits.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#include <time.h>   /* Required for utimes on some platforms. */
+#include <unistd.h> /* Required for mkstemp on NetBSD. */
+
+#ifdef HAVE_SYS_MMAN_H
+#include <sys/mman.h>
+#endif /* ifdef HAVE_SYS_MMAN_H */
+
+#include <isc/dir.h>
+#include <isc/file.h>
+#include <isc/log.h>
+#include <isc/md.h>
+#include <isc/mem.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/random.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#include "errno2result.h"
+
+/*
+ * XXXDCL As the API for accessing file statistics undoubtedly gets expanded,
+ * it might be good to provide a mechanism that allows for the results
+ * of a previous stat() to be used again without having to do another stat,
+ * such as perl's mechanism of using "_" in place of a file name to indicate
+ * that the results of the last stat should be used.  But then you get into
+ * annoying MP issues.   BTW, Win32 has stat().
+ */
+static isc_result_t
+file_stats(const char *file, struct stat *stats) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(file != NULL);
+	REQUIRE(stats != NULL);
+
+	if (stat(file, stats) != 0) {
+		result = isc__errno2result(errno);
+	}
+
+	return (result);
+}
+
+static isc_result_t
+fd_stats(int fd, struct stat *stats) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(stats != NULL);
+
+	if (fstat(fd, stats) != 0) {
+		result = isc__errno2result(errno);
+	}
+
+	return (result);
+}
+
+isc_result_t
+isc_file_getsizefd(int fd, off_t *size) {
+	isc_result_t result;
+	struct stat stats;
+
+	REQUIRE(size != NULL);
+
+	result = fd_stats(fd, &stats);
+
+	if (result == ISC_R_SUCCESS) {
+		*size = stats.st_size;
+	}
+
+	return (result);
+}
+
+isc_result_t
+isc_file_mode(const char *file, mode_t *modep) {
+	isc_result_t result;
+	struct stat stats;
+
+	REQUIRE(modep != NULL);
+
+	result = file_stats(file, &stats);
+	if (result == ISC_R_SUCCESS) {
+		*modep = (stats.st_mode & 07777);
+	}
+
+	return (result);
+}
+
+isc_result_t
+isc_file_getmodtime(const char *file, isc_time_t *modtime) {
+	isc_result_t result;
+	struct stat stats;
+
+	REQUIRE(file != NULL);
+	REQUIRE(modtime != NULL);
+
+	result = file_stats(file, &stats);
+
+	if (result == ISC_R_SUCCESS) {
+#if defined(HAVE_STAT_NSEC)
+		isc_time_set(modtime, stats.st_mtime, stats.st_mtim.tv_nsec);
+#else  /* if defined(HAVE_STAT_NSEC) */
+		isc_time_set(modtime, stats.st_mtime, 0);
+#endif /* if defined(HAVE_STAT_NSEC) */
+	}
+
+	return (result);
+}
+
+isc_result_t
+isc_file_getsize(const char *file, off_t *size) {
+	isc_result_t result;
+	struct stat stats;
+
+	REQUIRE(file != NULL);
+	REQUIRE(size != NULL);
+
+	result = file_stats(file, &stats);
+
+	if (result == ISC_R_SUCCESS) {
+		*size = stats.st_size;
+	}
+
+	return (result);
+}
+
+isc_result_t
+isc_file_settime(const char *file, isc_time_t *when) {
+	struct timeval times[2];
+
+	REQUIRE(file != NULL && when != NULL);
+
+	/*
+	 * tv_sec is at least a 32 bit quantity on all platforms we're
+	 * dealing with, but it is signed on most (all?) of them,
+	 * so we need to make sure the high bit isn't set.  This unfortunately
+	 * loses when either:
+	 *   * tv_sec becomes a signed 64 bit integer but long is 32 bits
+	 *	and isc_time_seconds > LONG_MAX, or
+	 *   * isc_time_seconds is changed to be > 32 bits but long is 32 bits
+	 *      and isc_time_seconds has at least 33 significant bits.
+	 */
+	times[0].tv_sec = times[1].tv_sec = (long)isc_time_seconds(when);
+
+	/*
+	 * Here is the real check for the high bit being set.
+	 */
+	if ((times[0].tv_sec &
+	     (1ULL << (sizeof(times[0].tv_sec) * CHAR_BIT - 1))) != 0)
+	{
+		return (ISC_R_RANGE);
+	}
+
+	/*
+	 * isc_time_nanoseconds guarantees a value that divided by 1000 will
+	 * fit into the minimum possible size tv_usec field.
+	 */
+	times[0].tv_usec = times[1].tv_usec =
+		(int32_t)(isc_time_nanoseconds(when) / 1000);
+
+	if (utimes(file, times) < 0) {
+		return (isc__errno2result(errno));
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+#undef TEMPLATE
+#define TEMPLATE "tmp-XXXXXXXXXX" /*%< 14 characters. */
+
+isc_result_t
+isc_file_mktemplate(const char *path, char *buf, size_t buflen) {
+	return (isc_file_template(path, TEMPLATE, buf, buflen));
+}
+
+isc_result_t
+isc_file_template(const char *path, const char *templet, char *buf,
+		  size_t buflen) {
+	const char *s;
+
+	REQUIRE(templet != NULL);
+	REQUIRE(buf != NULL);
+
+	if (path == NULL) {
+		path = "";
+	}
+
+	s = strrchr(templet, '/');
+	if (s != NULL) {
+		templet = s + 1;
+	}
+
+	s = strrchr(path, '/');
+
+	if (s != NULL) {
+		size_t prefixlen = s - path + 1;
+		if ((prefixlen + strlen(templet) + 1) > buflen) {
+			return (ISC_R_NOSPACE);
+		}
+
+		/* Copy 'prefixlen' bytes and NUL terminate. */
+		strlcpy(buf, path, ISC_MIN(prefixlen + 1, buflen));
+		strlcat(buf, templet, buflen);
+	} else {
+		if ((strlen(templet) + 1) > buflen) {
+			return (ISC_R_NOSPACE);
+		}
+
+		strlcpy(buf, templet, buflen);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static const char alphnum[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuv"
+			      "wxyz0123456789";
+
+isc_result_t
+isc_file_renameunique(const char *file, char *templet) {
+	char *x;
+	char *cp;
+
+	REQUIRE(file != NULL);
+	REQUIRE(templet != NULL);
+
+	cp = templet;
+	while (*cp != '\0') {
+		cp++;
+	}
+	if (cp == templet) {
+		return (ISC_R_FAILURE);
+	}
+
+	x = cp--;
+	while (cp >= templet && *cp == 'X') {
+		*cp = alphnum[isc_random_uniform(sizeof(alphnum) - 1)];
+		x = cp--;
+	}
+	while (link(file, templet) == -1) {
+		if (errno != EEXIST) {
+			return (isc__errno2result(errno));
+		}
+		for (cp = x;;) {
+			const char *t;
+			if (*cp == '\0') {
+				return (ISC_R_FAILURE);
+			}
+			t = strchr(alphnum, *cp);
+			if (t == NULL || *++t == '\0') {
+				*cp++ = alphnum[0];
+			} else {
+				*cp = *t;
+				break;
+			}
+		}
+	}
+	if (unlink(file) < 0) {
+		if (errno != ENOENT) {
+			return (isc__errno2result(errno));
+		}
+	}
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_file_openunique(char *templet, FILE **fp) {
+	int mode = S_IWUSR | S_IRUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH;
+	return (isc_file_openuniquemode(templet, mode, fp));
+}
+
+isc_result_t
+isc_file_openuniqueprivate(char *templet, FILE **fp) {
+	int mode = S_IWUSR | S_IRUSR;
+	return (isc_file_openuniquemode(templet, mode, fp));
+}
+
+isc_result_t
+isc_file_openuniquemode(char *templet, int mode, FILE **fp) {
+	int fd;
+	FILE *f;
+	isc_result_t result = ISC_R_SUCCESS;
+	char *x;
+	char *cp;
+
+	REQUIRE(templet != NULL);
+	REQUIRE(fp != NULL && *fp == NULL);
+
+	cp = templet;
+	while (*cp != '\0') {
+		cp++;
+	}
+	if (cp == templet) {
+		return (ISC_R_FAILURE);
+	}
+
+	x = cp--;
+	while (cp >= templet && *cp == 'X') {
+		*cp = alphnum[isc_random_uniform(sizeof(alphnum) - 1)];
+		x = cp--;
+	}
+
+	while ((fd = open(templet, O_RDWR | O_CREAT | O_EXCL, mode)) == -1) {
+		if (errno != EEXIST) {
+			return (isc__errno2result(errno));
+		}
+		for (cp = x;;) {
+			char *t;
+			if (*cp == '\0') {
+				return (ISC_R_FAILURE);
+			}
+			t = strchr(alphnum, *cp);
+			if (t == NULL || *++t == '\0') {
+				*cp++ = alphnum[0];
+			} else {
+				*cp = *t;
+				break;
+			}
+		}
+	}
+	f = fdopen(fd, "w+");
+	if (f == NULL) {
+		result = isc__errno2result(errno);
+		if (remove(templet) < 0) {
+			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+				      ISC_LOGMODULE_FILE, ISC_LOG_ERROR,
+				      "remove '%s': failed", templet);
+		}
+		(void)close(fd);
+	} else {
+		*fp = f;
+	}
+
+	return (result);
+}
+
+isc_result_t
+isc_file_bopenunique(char *templet, FILE **fp) {
+	int mode = S_IWUSR | S_IRUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH;
+	return (isc_file_openuniquemode(templet, mode, fp));
+}
+
+isc_result_t
+isc_file_bopenuniqueprivate(char *templet, FILE **fp) {
+	int mode = S_IWUSR | S_IRUSR;
+	return (isc_file_openuniquemode(templet, mode, fp));
+}
+
+isc_result_t
+isc_file_bopenuniquemode(char *templet, int mode, FILE **fp) {
+	return (isc_file_openuniquemode(templet, mode, fp));
+}
+
+isc_result_t
+isc_file_remove(const char *filename) {
+	int r;
+
+	REQUIRE(filename != NULL);
+
+	r = unlink(filename);
+	if (r == 0) {
+		return (ISC_R_SUCCESS);
+	} else {
+		return (isc__errno2result(errno));
+	}
+}
+
+isc_result_t
+isc_file_rename(const char *oldname, const char *newname) {
+	int r;
+
+	REQUIRE(oldname != NULL);
+	REQUIRE(newname != NULL);
+
+	r = rename(oldname, newname);
+	if (r == 0) {
+		return (ISC_R_SUCCESS);
+	} else {
+		return (isc__errno2result(errno));
+	}
+}
+
+bool
+isc_file_exists(const char *pathname) {
+	struct stat stats;
+
+	REQUIRE(pathname != NULL);
+
+	return (file_stats(pathname, &stats) == ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_file_isplainfile(const char *filename) {
+	/*
+	 * This function returns success if filename is a plain file.
+	 */
+	struct stat filestat;
+	memset(&filestat, 0, sizeof(struct stat));
+
+	if ((stat(filename, &filestat)) == -1) {
+		return (isc__errno2result(errno));
+	}
+
+	if (!S_ISREG(filestat.st_mode)) {
+		return (ISC_R_INVALIDFILE);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_file_isplainfilefd(int fd) {
+	/*
+	 * This function returns success if filename is a plain file.
+	 */
+	struct stat filestat;
+	memset(&filestat, 0, sizeof(struct stat));
+
+	if ((fstat(fd, &filestat)) == -1) {
+		return (isc__errno2result(errno));
+	}
+
+	if (!S_ISREG(filestat.st_mode)) {
+		return (ISC_R_INVALIDFILE);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_file_isdirectory(const char *filename) {
+	/*
+	 * This function returns success if filename exists and is a
+	 * directory.
+	 */
+	struct stat filestat;
+	memset(&filestat, 0, sizeof(struct stat));
+
+	if ((stat(filename, &filestat)) == -1) {
+		return (isc__errno2result(errno));
+	}
+
+	if (!S_ISDIR(filestat.st_mode)) {
+		return (ISC_R_INVALIDFILE);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+bool
+isc_file_isabsolute(const char *filename) {
+	REQUIRE(filename != NULL);
+	return (filename[0] == '/');
+}
+
+bool
+isc_file_iscurrentdir(const char *filename) {
+	REQUIRE(filename != NULL);
+	return (filename[0] == '.' && filename[1] == '\0');
+}
+
+bool
+isc_file_ischdiridempotent(const char *filename) {
+	REQUIRE(filename != NULL);
+	if (isc_file_isabsolute(filename)) {
+		return (true);
+	}
+	if (isc_file_iscurrentdir(filename)) {
+		return (true);
+	}
+	return (false);
+}
+
+const char *
+isc_file_basename(const char *filename) {
+	const char *s;
+
+	REQUIRE(filename != NULL);
+
+	s = strrchr(filename, '/');
+	if (s == NULL) {
+		return (filename);
+	}
+
+	return (s + 1);
+}
+
+isc_result_t
+isc_file_progname(const char *filename, char *buf, size_t buflen) {
+	const char *base;
+	size_t len;
+
+	REQUIRE(filename != NULL);
+	REQUIRE(buf != NULL);
+
+	base = isc_file_basename(filename);
+	len = strlen(base) + 1;
+
+	if (len > buflen) {
+		return (ISC_R_NOSPACE);
+	}
+	memmove(buf, base, len);
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Put the absolute name of the current directory into 'dirname', which is
+ * a buffer of at least 'length' characters.  End the string with the
+ * appropriate path separator, such that the final product could be
+ * concatenated with a relative pathname to make a valid pathname string.
+ */
+static isc_result_t
+dir_current(char *dirname, size_t length) {
+	char *cwd;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(dirname != NULL);
+	REQUIRE(length > 0U);
+
+	cwd = getcwd(dirname, length);
+
+	if (cwd == NULL) {
+		if (errno == ERANGE) {
+			result = ISC_R_NOSPACE;
+		} else {
+			result = isc__errno2result(errno);
+		}
+	} else {
+		if (strlen(dirname) + 1 == length) {
+			result = ISC_R_NOSPACE;
+		} else if (dirname[1] != '\0') {
+			strlcat(dirname, "/", length);
+		}
+	}
+
+	return (result);
+}
+
+isc_result_t
+isc_file_absolutepath(const char *filename, char *path, size_t pathlen) {
+	isc_result_t result;
+	result = dir_current(path, pathlen);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	if (strlen(path) + strlen(filename) + 1 > pathlen) {
+		return (ISC_R_NOSPACE);
+	}
+	strlcat(path, filename, pathlen);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_file_truncate(const char *filename, isc_offset_t size) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	if (truncate(filename, size) < 0) {
+		result = isc__errno2result(errno);
+	}
+	return (result);
+}
+
+isc_result_t
+isc_file_safecreate(const char *filename, FILE **fp) {
+	isc_result_t result;
+	int flags;
+	struct stat sb;
+	FILE *f;
+	int fd;
+
+	REQUIRE(filename != NULL);
+	REQUIRE(fp != NULL && *fp == NULL);
+
+	result = file_stats(filename, &sb);
+	if (result == ISC_R_SUCCESS) {
+		if ((sb.st_mode & S_IFREG) == 0) {
+			return (ISC_R_INVALIDFILE);
+		}
+		flags = O_WRONLY | O_TRUNC;
+	} else if (result == ISC_R_FILENOTFOUND) {
+		flags = O_WRONLY | O_CREAT | O_EXCL;
+	} else {
+		return (result);
+	}
+
+	fd = open(filename, flags, S_IRUSR | S_IWUSR);
+	if (fd == -1) {
+		return (isc__errno2result(errno));
+	}
+
+	f = fdopen(fd, "w");
+	if (f == NULL) {
+		result = isc__errno2result(errno);
+		close(fd);
+		return (result);
+	}
+
+	*fp = f;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_file_splitpath(isc_mem_t *mctx, const char *path, char **dirname,
+		   char const **bname) {
+	char *dir;
+	const char *file, *slash;
+
+	if (path == NULL) {
+		return (ISC_R_INVALIDFILE);
+	}
+
+	slash = strrchr(path, '/');
+
+	if (slash == path) {
+		file = ++slash;
+		dir = isc_mem_strdup(mctx, "/");
+	} else if (slash != NULL) {
+		file = ++slash;
+		dir = isc_mem_allocate(mctx, slash - path);
+		strlcpy(dir, path, slash - path);
+	} else {
+		file = path;
+		dir = isc_mem_strdup(mctx, ".");
+	}
+
+	if (dir == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	if (*file == '\0') {
+		isc_mem_free(mctx, dir);
+		return (ISC_R_INVALIDFILE);
+	}
+
+	*dirname = dir;
+	*bname = file;
+
+	return (ISC_R_SUCCESS);
+}
+
+void *
+isc_file_mmap(void *addr, size_t len, int prot, int flags, int fd,
+	      off_t offset) {
+#ifdef HAVE_MMAP
+	return (mmap(addr, len, prot, flags, fd, offset));
+#else  /* ifdef HAVE_MMAP */
+	void *buf;
+	ssize_t ret;
+	off_t end;
+
+	UNUSED(addr);
+	UNUSED(prot);
+	UNUSED(flags);
+
+	end = lseek(fd, 0, SEEK_END);
+	lseek(fd, offset, SEEK_SET);
+	if (end - offset < (off_t)len) {
+		len = end - offset;
+	}
+
+	buf = malloc(len);
+	if (buf == NULL) {
+		return (NULL);
+	}
+
+	ret = read(fd, buf, len);
+	if (ret != (ssize_t)len) {
+		free(buf);
+		buf = NULL;
+	}
+
+	return (buf);
+#endif /* ifdef HAVE_MMAP */
+}
+
+int
+isc_file_munmap(void *addr, size_t len) {
+#ifdef HAVE_MMAP
+	return (munmap(addr, len));
+#else  /* ifdef HAVE_MMAP */
+	UNUSED(len);
+
+	free(addr);
+	return (0);
+#endif /* ifdef HAVE_MMAP */
+}
+
+#define DISALLOW "\\/ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+
+static isc_result_t
+digest2hex(unsigned char *digest, unsigned int digestlen, char *hash,
+	   size_t hashlen) {
+	unsigned int i;
+	int ret;
+	for (i = 0; i < digestlen; i++) {
+		size_t left = hashlen - i * 2;
+		ret = snprintf(hash + i * 2, left, "%02x", digest[i]);
+		if (ret < 0 || (size_t)ret >= left) {
+			return (ISC_R_NOSPACE);
+		}
+	}
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_file_sanitize(const char *dir, const char *base, const char *ext,
+		  char *path, size_t length) {
+	char buf[PATH_MAX];
+	unsigned char digest[ISC_MAX_MD_SIZE];
+	unsigned int digestlen;
+	char hash[ISC_MAX_MD_SIZE * 2 + 1];
+	size_t l = 0;
+	isc_result_t err;
+
+	REQUIRE(base != NULL);
+	REQUIRE(path != NULL);
+
+	l = strlen(base) + 1;
+
+	/*
+	 * allow room for a full sha256 hash (64 chars
+	 * plus null terminator)
+	 */
+	if (l < 65U) {
+		l = 65;
+	}
+
+	if (dir != NULL) {
+		l += strlen(dir) + 1;
+	}
+	if (ext != NULL) {
+		l += strlen(ext) + 1;
+	}
+
+	if (l > length || l > (unsigned)PATH_MAX) {
+		return (ISC_R_NOSPACE);
+	}
+
+	/* Check whether the full-length SHA256 hash filename exists */
+	err = isc_md(ISC_MD_SHA256, (const unsigned char *)base, strlen(base),
+		     digest, &digestlen);
+	if (err != ISC_R_SUCCESS) {
+		return (err);
+	}
+
+	err = digest2hex(digest, digestlen, hash, sizeof(hash));
+	if (err != ISC_R_SUCCESS) {
+		return (err);
+	}
+
+	snprintf(buf, sizeof(buf), "%s%s%s%s%s", dir != NULL ? dir : "",
+		 dir != NULL ? "/" : "", hash, ext != NULL ? "." : "",
+		 ext != NULL ? ext : "");
+	if (isc_file_exists(buf)) {
+		strlcpy(path, buf, length);
+		return (ISC_R_SUCCESS);
+	}
+
+	/* Check for a truncated SHA256 hash filename */
+	hash[16] = '\0';
+	snprintf(buf, sizeof(buf), "%s%s%s%s%s", dir != NULL ? dir : "",
+		 dir != NULL ? "/" : "", hash, ext != NULL ? "." : "",
+		 ext != NULL ? ext : "");
+	if (isc_file_exists(buf)) {
+		strlcpy(path, buf, length);
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * If neither hash filename already exists, then we'll use
+	 * the original base name if it has no disallowed characters,
+	 * or the truncated hash name if it does.
+	 */
+	if (strpbrk(base, DISALLOW) != NULL) {
+		strlcpy(path, buf, length);
+		return (ISC_R_SUCCESS);
+	}
+
+	snprintf(buf, sizeof(buf), "%s%s%s%s%s", dir != NULL ? dir : "",
+		 dir != NULL ? "/" : "", base, ext != NULL ? "." : "",
+		 ext != NULL ? ext : "");
+	strlcpy(path, buf, length);
+	return (ISC_R_SUCCESS);
+}
+
+bool
+isc_file_isdirwritable(const char *path) {
+	return (access(path, W_OK | X_OK) == 0);
+}
diff --git a/lib/isc/unix/fsaccess.c b/lib/isc/unix/fsaccess.c
new file mode 100644
index 0000000..306cdfd
--- /dev/null
+++ b/lib/isc/unix/fsaccess.c
@@ -0,0 +1,87 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <errno.h>
+#include <stdbool.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+
+#include "errno2result.h"
+
+/*! \file
+ * \brief
+ * The OS-independent part of the API is in lib/isc.
+ */
+#include "../fsaccess.c"
+
+isc_result_t
+isc_fsaccess_set(const char *path, isc_fsaccess_t access) {
+	struct stat statb;
+	mode_t mode;
+	bool is_dir = false;
+	isc_fsaccess_t bits;
+	isc_result_t result;
+
+	if (stat(path, &statb) != 0) {
+		return (isc__errno2result(errno));
+	}
+
+	if ((statb.st_mode & S_IFDIR) != 0) {
+		is_dir = true;
+	} else if ((statb.st_mode & S_IFREG) == 0) {
+		return (ISC_R_INVALIDFILE);
+	}
+
+	result = check_bad_bits(access, is_dir);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	/*
+	 * Done with checking bad bits.  Set mode_t.
+	 */
+	mode = 0;
+
+#define SET_AND_CLEAR1(modebit)     \
+	if ((access & bits) != 0) { \
+		mode |= modebit;    \
+		access &= ~bits;    \
+	}
+#define SET_AND_CLEAR(user, group, other) \
+	SET_AND_CLEAR1(user);             \
+	bits <<= STEP;                    \
+	SET_AND_CLEAR1(group);            \
+	bits <<= STEP;                    \
+	SET_AND_CLEAR1(other);
+
+	bits = ISC_FSACCESS_READ | ISC_FSACCESS_LISTDIRECTORY;
+
+	SET_AND_CLEAR(S_IRUSR, S_IRGRP, S_IROTH);
+
+	bits = ISC_FSACCESS_WRITE | ISC_FSACCESS_CREATECHILD |
+	       ISC_FSACCESS_DELETECHILD;
+
+	SET_AND_CLEAR(S_IWUSR, S_IWGRP, S_IWOTH);
+
+	bits = ISC_FSACCESS_EXECUTE | ISC_FSACCESS_ACCESSCHILD;
+
+	SET_AND_CLEAR(S_IXUSR, S_IXGRP, S_IXOTH);
+
+	INSIST(access == 0);
+
+	if (chmod(path, mode) < 0) {
+		return (isc__errno2result(errno));
+	}
+
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/isc/unix/ifiter_getifaddrs.c b/lib/isc/unix/ifiter_getifaddrs.c
new file mode 100644
index 0000000..9f8b31a
--- /dev/null
+++ b/lib/isc/unix/ifiter_getifaddrs.c
@@ -0,0 +1,240 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file
+ * \brief
+ * Obtain the list of network interfaces using the getifaddrs(3) library.
+ */
+
+#include <ifaddrs.h>
+#include <stdbool.h>
+
+#include <isc/strerr.h>
+
+/*% Iterator Magic */
+#define IFITER_MAGIC ISC_MAGIC('I', 'F', 'I', 'G')
+/*% Valid Iterator */
+#define VALID_IFITER(t) ISC_MAGIC_VALID(t, IFITER_MAGIC)
+
+#ifdef __linux
+static bool seenv6 = false;
+#endif /* ifdef __linux */
+
+/*% Iterator structure */
+struct isc_interfaceiter {
+	unsigned int magic; /*%< Magic number. */
+	isc_mem_t *mctx;
+	void *buf;		 /*%< (unused) */
+	unsigned int bufsize;	 /*%< (always 0) */
+	struct ifaddrs *ifaddrs; /*%< List of ifaddrs */
+	struct ifaddrs *pos;	 /*%< Ptr to current ifaddr */
+	isc_interface_t current; /*%< Current interface data. */
+	isc_result_t result;	 /*%< Last result code. */
+#ifdef __linux
+	FILE *proc;
+	char entry[ISC_IF_INET6_SZ];
+	isc_result_t valid;
+#endif /* ifdef __linux */
+};
+
+isc_result_t
+isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp) {
+	isc_interfaceiter_t *iter;
+	isc_result_t result;
+	char strbuf[ISC_STRERRORSIZE];
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(iterp != NULL);
+	REQUIRE(*iterp == NULL);
+
+	iter = isc_mem_get(mctx, sizeof(*iter));
+
+	iter->mctx = mctx;
+	iter->buf = NULL;
+	iter->bufsize = 0;
+	iter->ifaddrs = NULL;
+#ifdef __linux
+	/*
+	 * Only open "/proc/net/if_inet6" if we have never seen a IPv6
+	 * address returned by getifaddrs().
+	 */
+	if (!seenv6) {
+		iter->proc = fopen("/proc/net/if_inet6", "r");
+	} else {
+		iter->proc = NULL;
+	}
+	iter->valid = ISC_R_FAILURE;
+#endif /* ifdef __linux */
+
+	if (getifaddrs(&iter->ifaddrs) < 0) {
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "getting interface addresses: getifaddrs: %s",
+				 strbuf);
+		result = ISC_R_UNEXPECTED;
+		goto failure;
+	}
+
+	/*
+	 * A newly created iterator has an undefined position
+	 * until isc_interfaceiter_first() is called.
+	 */
+	iter->pos = NULL;
+	iter->result = ISC_R_FAILURE;
+
+	iter->magic = IFITER_MAGIC;
+	*iterp = iter;
+	return (ISC_R_SUCCESS);
+
+failure:
+#ifdef __linux
+	if (iter->proc != NULL) {
+		fclose(iter->proc);
+	}
+#endif				     /* ifdef __linux */
+	if (iter->ifaddrs != NULL) { /* just in case */
+		freeifaddrs(iter->ifaddrs);
+	}
+	isc_mem_put(mctx, iter, sizeof(*iter));
+	return (result);
+}
+
+/*
+ * Get information about the current interface to iter->current.
+ * If successful, return ISC_R_SUCCESS.
+ * If the interface has an unsupported address family,
+ * return ISC_R_IGNORE.
+ */
+
+static isc_result_t
+internal_current(isc_interfaceiter_t *iter) {
+	struct ifaddrs *ifa;
+	int family;
+	unsigned int namelen;
+
+	REQUIRE(VALID_IFITER(iter));
+
+	ifa = iter->pos;
+
+#ifdef __linux
+	if (iter->pos == NULL) {
+		return (linux_if_inet6_current(iter));
+	}
+#endif /* ifdef __linux */
+
+	INSIST(ifa != NULL);
+	INSIST(ifa->ifa_name != NULL);
+
+	if (ifa->ifa_addr == NULL) {
+		return (ISC_R_IGNORE);
+	}
+
+	family = ifa->ifa_addr->sa_family;
+	if (family != AF_INET && family != AF_INET6) {
+		return (ISC_R_IGNORE);
+	}
+
+#ifdef __linux
+	if (family == AF_INET6) {
+		seenv6 = true;
+	}
+#endif /* ifdef __linux */
+
+	memset(&iter->current, 0, sizeof(iter->current));
+
+	namelen = strlen(ifa->ifa_name);
+	if (namelen > sizeof(iter->current.name) - 1) {
+		namelen = sizeof(iter->current.name) - 1;
+	}
+
+	memset(iter->current.name, 0, sizeof(iter->current.name));
+	memmove(iter->current.name, ifa->ifa_name, namelen);
+
+	iter->current.flags = 0;
+
+	if ((ifa->ifa_flags & IFF_UP) != 0) {
+		iter->current.flags |= INTERFACE_F_UP;
+	}
+
+	if ((ifa->ifa_flags & IFF_POINTOPOINT) != 0) {
+		iter->current.flags |= INTERFACE_F_POINTTOPOINT;
+	}
+
+	if ((ifa->ifa_flags & IFF_LOOPBACK) != 0) {
+		iter->current.flags |= INTERFACE_F_LOOPBACK;
+	}
+
+	iter->current.af = family;
+
+	get_addr(family, &iter->current.address, ifa->ifa_addr, ifa->ifa_name);
+
+	if (ifa->ifa_netmask != NULL) {
+		get_addr(family, &iter->current.netmask, ifa->ifa_netmask,
+			 ifa->ifa_name);
+	}
+
+	if (ifa->ifa_dstaddr != NULL &&
+	    (iter->current.flags & INTERFACE_F_POINTTOPOINT) != 0)
+	{
+		get_addr(family, &iter->current.dstaddress, ifa->ifa_dstaddr,
+			 ifa->ifa_name);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Step the iterator to the next interface.  Unlike
+ * isc_interfaceiter_next(), this may leave the iterator
+ * positioned on an interface that will ultimately
+ * be ignored.  Return ISC_R_NOMORE if there are no more
+ * interfaces, otherwise ISC_R_SUCCESS.
+ */
+static isc_result_t
+internal_next(isc_interfaceiter_t *iter) {
+	if (iter->pos != NULL) {
+		iter->pos = iter->pos->ifa_next;
+	}
+	if (iter->pos == NULL) {
+#ifdef __linux
+		if (!seenv6) {
+			return (linux_if_inet6_next(iter));
+		}
+#endif /* ifdef __linux */
+		return (ISC_R_NOMORE);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+internal_destroy(isc_interfaceiter_t *iter) {
+#ifdef __linux
+	if (iter->proc != NULL) {
+		fclose(iter->proc);
+	}
+	iter->proc = NULL;
+#endif /* ifdef __linux */
+	if (iter->ifaddrs) {
+		freeifaddrs(iter->ifaddrs);
+	}
+	iter->ifaddrs = NULL;
+}
+
+static void
+internal_first(isc_interfaceiter_t *iter) {
+#ifdef __linux
+	linux_if_inet6_first(iter);
+#endif /* ifdef __linux */
+	iter->pos = iter->ifaddrs;
+}
diff --git a/lib/isc/unix/include/.clang-format b/lib/isc/unix/include/.clang-format
new file mode 120000
index 0000000..e919bba
--- /dev/null
+++ b/lib/isc/unix/include/.clang-format
@@ -0,0 +1 @@
+../../../../.clang-format.headers
\ No newline at end of file
diff --git a/lib/isc/unix/include/Makefile.in b/lib/isc/unix/include/Makefile.in
new file mode 100644
index 0000000..60a0a67
--- /dev/null
+++ b/lib/isc/unix/include/Makefile.in
@@ -0,0 +1,19 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	isc
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/isc/unix/include/isc/Makefile.in b/lib/isc/unix/include/isc/Makefile.in
new file mode 100644
index 0000000..06f7806
--- /dev/null
+++ b/lib/isc/unix/include/isc/Makefile.in
@@ -0,0 +1,37 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+HEADERS =	align.h dir.h net.h netdb.h offset.h stat.h \
+		stdatomic.h stdtime.h syslog.h time.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isc
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/isc || exit 1; \
+	done
+
+uninstall::
+	for i in ${HEADERS}; do \
+		rm -f ${DESTDIR}${includedir}/isc/$$i || exit 1; \
+	done
diff --git a/lib/isc/unix/include/isc/align.h b/lib/isc/unix/include/isc/align.h
new file mode 100644
index 0000000..7b72e9d
--- /dev/null
+++ b/lib/isc/unix/include/isc/align.h
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#pragma once
+
+#ifdef HAVE_STDALIGN_H
+#include <stdalign.h>
+#else /* ifdef HAVE_STDALIGN_H */
+#define alignas(x) __attribute__((__aligned__(x)))
+#endif /* ifdef HAVE_STDALIGN_H */
diff --git a/lib/isc/unix/include/isc/dir.h b/lib/isc/unix/include/isc/dir.h
new file mode 100644
index 0000000..89d1338
--- /dev/null
+++ b/lib/isc/unix/include/isc/dir.h
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_DIR_H
+#define ISC_DIR_H 1
+
+/*! \file */
+
+#include <dirent.h>
+
+#include <isc/lang.h>
+#include <isc/platform.h>
+#include <isc/result.h>
+
+#include <sys/types.h> /* Required on some systems. */
+
+/*% Directory Entry */
+typedef struct isc_direntry {
+	char	     name[NAME_MAX];
+	unsigned int length;
+} isc_direntry_t;
+
+/*% Directory */
+typedef struct isc_dir {
+	unsigned int   magic;
+	char	       dirname[PATH_MAX];
+	isc_direntry_t entry;
+	DIR	      *handle;
+} isc_dir_t;
+
+ISC_LANG_BEGINDECLS
+
+void
+isc_dir_init(isc_dir_t *dir);
+
+isc_result_t
+isc_dir_open(isc_dir_t *dir, const char *dirname);
+
+isc_result_t
+isc_dir_read(isc_dir_t *dir);
+
+isc_result_t
+isc_dir_reset(isc_dir_t *dir);
+
+void
+isc_dir_close(isc_dir_t *dir);
+
+isc_result_t
+isc_dir_chdir(const char *dirname);
+
+isc_result_t
+isc_dir_chroot(const char *dirname);
+
+isc_result_t
+isc_dir_createunique(char *templet);
+/*!<
+ * Use a templet (such as from isc_file_mktemplate()) to create a uniquely
+ * named, empty directory.  The templet string is modified in place.
+ * If result == ISC_R_SUCCESS, it is the name of the directory that was
+ * created.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_DIR_H */
diff --git a/lib/isc/unix/include/isc/net.h b/lib/isc/unix/include/isc/net.h
new file mode 100644
index 0000000..ead9c7f
--- /dev/null
+++ b/lib/isc/unix/include/isc/net.h
@@ -0,0 +1,310 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_NET_H
+#define ISC_NET_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file
+ * \brief
+ * Basic Networking Types
+ *
+ * This module is responsible for defining the following basic networking
+ * types:
+ *
+ *\li		struct in_addr
+ *\li		struct in6_addr
+ *\li		struct in6_pktinfo
+ *\li		struct sockaddr
+ *\li		struct sockaddr_in
+ *\li		struct sockaddr_in6
+ *\li		struct sockaddr_storage
+ *\li		in_port_t
+ *
+ * It ensures that the AF_ and PF_ macros are defined.
+ *
+ * It declares ntoh[sl]() and hton[sl]().
+ *
+ * It declares inet_ntop(), and inet_pton().
+ *
+ * It ensures that #INADDR_LOOPBACK, #INADDR_ANY, #IN6ADDR_ANY_INIT,
+ * IN6ADDR_V4MAPPED_INIT, in6addr_any, and in6addr_loopback are available.
+ *
+ * It ensures that IN_MULTICAST() is available to check for multicast
+ * addresses.
+ *
+ * MP:
+ *\li	No impact.
+ *
+ * Reliability:
+ *\li	No anticipated impact.
+ *
+ * Resources:
+ *\li	N/A.
+ *
+ * Security:
+ *\li	No anticipated impact.
+ *
+ * Standards:
+ *\li	BSD Socket API
+ *\li	RFC2553
+ */
+
+/***
+ *** Imports.
+ ***/
+#include <inttypes.h>
+
+#include <isc/lang.h>
+#include <isc/platform.h>
+#include <isc/types.h>
+
+#include <arpa/inet.h> /* Contractual promise. */
+#include <net/if.h>
+#include <netinet/in.h> /* Contractual promise. */
+#include <sys/socket.h> /* Contractual promise. */
+#include <sys/types.h>
+
+#ifndef IN6ADDR_LOOPBACK_INIT
+#ifdef s6_addr
+/*% IPv6 address loopback init */
+#define IN6ADDR_LOOPBACK_INIT                                                  \
+	{                                                                      \
+		{                                                              \
+			{                                                      \
+				0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 \
+			}                                                      \
+		}                                                              \
+	}
+#else /* ifdef s6_addr */
+#define IN6ADDR_LOOPBACK_INIT                                          \
+	{                                                              \
+		{                                                      \
+			0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 \
+		}                                                      \
+	}
+#endif /* ifdef s6_addr */
+#endif /* ifndef IN6ADDR_LOOPBACK_INIT */
+
+#ifndef IN6ADDR_V4MAPPED_INIT
+#ifdef s6_addr
+/*% IPv6 v4mapped prefix init */
+#define IN6ADDR_V4MAPPED_INIT                                                \
+	{                                                                    \
+		{                                                            \
+			{                                                    \
+				0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff, 0, \
+					0, 0, 0                              \
+			}                                                    \
+		}                                                            \
+	}
+#else /* ifdef s6_addr */
+#define IN6ADDR_V4MAPPED_INIT                                                \
+	{                                                                    \
+		{                                                            \
+			0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff, 0, 0, 0, 0 \
+		}                                                            \
+	}
+#endif /* ifdef s6_addr */
+#endif /* ifndef IN6ADDR_V4MAPPED_INIT */
+
+#ifndef IN6_IS_ADDR_V4MAPPED
+/*% Is IPv6 address V4 mapped? */
+#define IN6_IS_ADDR_V4MAPPED(x)                                \
+	(memcmp((x)->s6_addr, in6addr_any.s6_addr, 10) == 0 && \
+	 (x)->s6_addr[10] == 0xff && (x)->s6_addr[11] == 0xff)
+#endif /* ifndef IN6_IS_ADDR_V4MAPPED */
+
+#ifndef IN6_IS_ADDR_V4COMPAT
+/*% Is IPv6 address V4 compatible? */
+#define IN6_IS_ADDR_V4COMPAT(x)                                \
+	(memcmp((x)->s6_addr, in6addr_any.s6_addr, 12) == 0 && \
+	 ((x)->s6_addr[12] != 0 || (x)->s6_addr[13] != 0 ||    \
+	  (x)->s6_addr[14] != 0 ||                             \
+	  ((x)->s6_addr[15] != 0 && (x)->s6_addr[15] != 1)))
+#endif /* ifndef IN6_IS_ADDR_V4COMPAT */
+
+#ifndef IN6_IS_ADDR_MULTICAST
+/*% Is IPv6 address multicast? */
+#define IN6_IS_ADDR_MULTICAST(a) ((a)->s6_addr[0] == 0xff)
+#endif /* ifndef IN6_IS_ADDR_MULTICAST */
+
+#ifndef IN6_IS_ADDR_LINKLOCAL
+/*% Is IPv6 address linklocal? */
+#define IN6_IS_ADDR_LINKLOCAL(a) \
+	(((a)->s6_addr[0] == 0xfe) && (((a)->s6_addr[1] & 0xc0) == 0x80))
+#endif /* ifndef IN6_IS_ADDR_LINKLOCAL */
+
+#ifndef IN6_IS_ADDR_SITELOCAL
+/*% is IPv6 address sitelocal? */
+#define IN6_IS_ADDR_SITELOCAL(a) \
+	(((a)->s6_addr[0] == 0xfe) && (((a)->s6_addr[1] & 0xc0) == 0xc0))
+#endif /* ifndef IN6_IS_ADDR_SITELOCAL */
+
+#ifndef IN6_IS_ADDR_LOOPBACK
+/*% is IPv6 address loopback? */
+#define IN6_IS_ADDR_LOOPBACK(x) \
+	(memcmp((x)->s6_addr, in6addr_loopback.s6_addr, 16) == 0)
+#endif /* ifndef IN6_IS_ADDR_LOOPBACK */
+
+#ifndef AF_INET6
+/*% IPv6 */
+#define AF_INET6 99
+#endif /* ifndef AF_INET6 */
+
+#ifndef PF_INET6
+/*% IPv6 */
+#define PF_INET6 AF_INET6
+#endif /* ifndef PF_INET6 */
+
+#ifndef INADDR_ANY
+/*% inaddr any */
+#define INADDR_ANY 0x00000000UL
+#endif /* ifndef INADDR_ANY */
+
+#ifndef INADDR_LOOPBACK
+/*% inaddr loopback */
+#define INADDR_LOOPBACK 0x7f000001UL
+#endif /* ifndef INADDR_LOOPBACK */
+
+#ifndef MSG_TRUNC
+/*%
+ * If this system does not have MSG_TRUNC (as returned from recvmsg())
+ * ISC_PLATFORM_RECVOVERFLOW will be defined.  This will enable the MSG_TRUNC
+ * faking code in socket.c.
+ */
+#define ISC_PLATFORM_RECVOVERFLOW
+#endif /* ifndef MSG_TRUNC */
+
+/*% IP address. */
+#define ISC__IPADDR(x) ((uint32_t)htonl((uint32_t)(x)))
+
+/*% Is IP address multicast? */
+#define ISC_IPADDR_ISMULTICAST(i) \
+	(((uint32_t)(i)&ISC__IPADDR(0xf0000000)) == ISC__IPADDR(0xe0000000))
+
+#define ISC_IPADDR_ISEXPERIMENTAL(i) \
+	(((uint32_t)(i)&ISC__IPADDR(0xf0000000)) == ISC__IPADDR(0xf0000000))
+
+/***
+ *** Functions.
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_net_probeipv4(void);
+/*%<
+ * Check if the system's kernel supports IPv4.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS		IPv4 is supported.
+ *\li	#ISC_R_NOTFOUND		IPv4 is not supported.
+ *\li	#ISC_R_DISABLED		IPv4 is disabled.
+ *\li	#ISC_R_UNEXPECTED
+ */
+
+isc_result_t
+isc_net_probeipv6(void);
+/*%<
+ * Check if the system's kernel supports IPv6.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS		IPv6 is supported.
+ *\li	#ISC_R_NOTFOUND		IPv6 is not supported.
+ *\li	#ISC_R_DISABLED		IPv6 is disabled.
+ *\li	#ISC_R_UNEXPECTED
+ */
+
+isc_result_t
+isc_net_probe_ipv6only(void);
+/*%<
+ * Check if the system's kernel supports the IPV6_V6ONLY socket option.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS		the option is supported for both TCP and UDP.
+ *\li	#ISC_R_NOTFOUND		IPv6 itself or the option is not supported.
+ *\li	#ISC_R_UNEXPECTED
+ */
+
+isc_result_t
+isc_net_probe_ipv6pktinfo(void);
+/*
+ * Check if the system's kernel supports the IPV6_(RECV)PKTINFO socket option
+ * for UDP sockets.
+ *
+ * Returns:
+ *
+ * \li	#ISC_R_SUCCESS		the option is supported.
+ * \li	#ISC_R_NOTFOUND		IPv6 itself or the option is not supported.
+ * \li	#ISC_R_UNEXPECTED
+ */
+
+void
+isc_net_disableipv4(void);
+
+void
+isc_net_disableipv6(void);
+
+void
+isc_net_enableipv4(void);
+
+void
+isc_net_enableipv6(void);
+
+isc_result_t
+isc_net_probeunix(void);
+/*
+ * Returns whether UNIX domain sockets are supported.
+ */
+
+#define ISC_NET_DSCPRECVV4 0x01 /* Can receive sent DSCP value IPv4 */
+#define ISC_NET_DSCPRECVV6 0x02 /* Can receive sent DSCP value IPv6 */
+#define ISC_NET_DSCPSETV4  0x04 /* Can set DSCP on socket IPv4 */
+#define ISC_NET_DSCPSETV6  0x08 /* Can set DSCP on socket IPv6 */
+#define ISC_NET_DSCPPKTV4  0x10 /* Can set DSCP on per packet IPv4 */
+#define ISC_NET_DSCPPKTV6  0x20 /* Can set DSCP on per packet IPv6 */
+#define ISC_NET_DSCPALL	   0x3f /* All valid flags */
+
+unsigned int
+isc_net_probedscp(void);
+/*%<
+ * Probe the level of DSCP support.
+ */
+
+isc_result_t
+isc_net_getudpportrange(int af, in_port_t *low, in_port_t *high);
+/*%<
+ * Returns system's default range of ephemeral UDP ports, if defined.
+ * If the range is not available or unknown, ISC_NET_PORTRANGELOW and
+ * ISC_NET_PORTRANGEHIGH will be returned.
+ *
+ * Requires:
+ *
+ *\li	'low' and 'high' must be non NULL.
+ *
+ * Returns:
+ *
+ *\li	*low and *high will be the ports specifying the low and high ends of
+ *	the range.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_NET_H */
diff --git a/lib/isc/unix/include/isc/netdb.h b/lib/isc/unix/include/isc/netdb.h
new file mode 100644
index 0000000..dab845a
--- /dev/null
+++ b/lib/isc/unix/include/isc/netdb.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_NETDB_H
+#define ISC_NETDB_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file
+ * \brief
+ * Portable netdb.h support.
+ *
+ * This module is responsible for defining the get<x>by<y> APIs.
+ *
+ * MP:
+ *\li	No impact.
+ *
+ * Reliability:
+ *\li	No anticipated impact.
+ *
+ * Resources:
+ *\li	N/A.
+ *
+ * Security:
+ *\li	No anticipated impact.
+ *
+ * Standards:
+ *\li	BSD API
+ */
+
+/***
+ *** Imports.
+ ***/
+
+#include <netdb.h>
+
+#include <isc/net.h>
+
+#endif /* ISC_NETDB_H */
diff --git a/lib/isc/unix/include/isc/offset.h b/lib/isc/unix/include/isc/offset.h
new file mode 100644
index 0000000..fa24ae4
--- /dev/null
+++ b/lib/isc/unix/include/isc/offset.h
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_OFFSET_H
+#define ISC_OFFSET_H 1
+
+/*! \file
+ * \brief
+ * File offsets are operating-system dependent.
+ */
+#include <limits.h> /* Required for CHAR_BIT. */
+#include <stddef.h> /* For Linux Standard Base. */
+
+#include <sys/types.h>
+
+typedef off_t isc_offset_t;
+
+#endif /* ISC_OFFSET_H */
diff --git a/lib/isc/unix/include/isc/stat.h b/lib/isc/unix/include/isc/stat.h
new file mode 100644
index 0000000..6ddddd7
--- /dev/null
+++ b/lib/isc/unix/include/isc/stat.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_STAT_H
+#define ISC_STAT_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*
+ * Portable <sys/stat.h> support.
+ *
+ * This module is responsible for defining S_IS??? macros.
+ *
+ * MP:
+ *	No impact.
+ *
+ * Reliability:
+ *	No anticipated impact.
+ *
+ * Resources:
+ *	N/A.
+ *
+ * Security:
+ *	No anticipated impact.
+ *
+ */
+
+/***
+ *** Imports.
+ ***/
+
+#include <sys/stat.h>
+#include <sys/types.h>
+
+#endif /* ISC_STAT_H */
diff --git a/lib/isc/unix/include/isc/stdatomic.h b/lib/isc/unix/include/isc/stdatomic.h
new file mode 100644
index 0000000..f071b6a
--- /dev/null
+++ b/lib/isc/unix/include/isc/stdatomic.h
@@ -0,0 +1,224 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#pragma once
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stddef.h>
+#if HAVE_UCHAR_H
+#include <uchar.h>
+#endif /* HAVE_UCHAR_H */
+
+#if !defined(__has_feature)
+#define __has_feature(x) 0
+#endif /* if !defined(__has_feature) */
+
+#if !defined(__has_extension)
+#define __has_extension(x) __has_feature(x)
+#endif /* if !defined(__has_extension) */
+
+#if !defined(__GNUC_PREREQ__)
+#if defined(__GNUC__) && defined(__GNUC_MINOR__)
+#define __GNUC_PREREQ__(maj, min) \
+	((__GNUC__ << 16) + __GNUC_MINOR__ >= ((maj) << 16) + (min))
+#else /* if defined(__GNUC__) && defined(__GNUC_MINOR__) */
+#define __GNUC_PREREQ__(maj, min) 0
+#endif /* if defined(__GNUC__) && defined(__GNUC_MINOR__) */
+#endif /* if !defined(__GNUC_PREREQ__) */
+
+#if !defined(__CLANG_ATOMICS) && !defined(__GNUC_ATOMICS)
+#if __has_extension(c_atomic) || __has_extension(cxx_atomic)
+#define __CLANG_ATOMICS
+#elif __GNUC_PREREQ__(4, 7)
+#define __GNUC_ATOMICS
+#elif !defined(__GNUC__)
+#error "isc/stdatomic.h does not support your compiler"
+#endif /* if __has_extension(c_atomic) || __has_extension(cxx_atomic) */
+#endif /* if !defined(__CLANG_ATOMICS) && !defined(__GNUC_ATOMICS) */
+
+#ifndef __ATOMIC_RELAXED
+#define __ATOMIC_RELAXED 0
+#endif /* ifndef __ATOMIC_RELAXED */
+#ifndef __ATOMIC_CONSUME
+#define __ATOMIC_CONSUME 1
+#endif /* ifndef __ATOMIC_CONSUME */
+#ifndef __ATOMIC_ACQUIRE
+#define __ATOMIC_ACQUIRE 2
+#endif /* ifndef __ATOMIC_ACQUIRE */
+#ifndef __ATOMIC_RELEASE
+#define __ATOMIC_RELEASE 3
+#endif /* ifndef __ATOMIC_RELEASE */
+#ifndef __ATOMIC_ACQ_REL
+#define __ATOMIC_ACQ_REL 4
+#endif /* ifndef __ATOMIC_ACQ_REL */
+#ifndef __ATOMIC_SEQ_CST
+#define __ATOMIC_SEQ_CST 5
+#endif /* ifndef __ATOMIC_SEQ_CST */
+
+enum memory_order {
+	memory_order_relaxed = __ATOMIC_RELAXED,
+	memory_order_consume = __ATOMIC_CONSUME,
+	memory_order_acquire = __ATOMIC_ACQUIRE,
+	memory_order_release = __ATOMIC_RELEASE,
+	memory_order_acq_rel = __ATOMIC_ACQ_REL,
+	memory_order_seq_cst = __ATOMIC_SEQ_CST
+};
+
+typedef enum memory_order memory_order;
+
+#ifndef HAVE_UCHAR_H
+typedef uint_least16_t char16_t;
+typedef uint_least32_t char32_t;
+#endif /* HAVE_UCHAR_H */
+
+typedef bool		   atomic_bool;
+typedef char		   atomic_char;
+typedef signed char	   atomic_schar;
+typedef unsigned char	   atomic_uchar;
+typedef short		   atomic_short;
+typedef unsigned short	   atomic_ushort;
+typedef int		   atomic_int;
+typedef unsigned int	   atomic_uint;
+typedef long		   atomic_long;
+typedef unsigned long	   atomic_ulong;
+typedef long long	   atomic_llong;
+typedef unsigned long long atomic_ullong;
+typedef char16_t	   atomic_char16_t;
+typedef char32_t	   atomic_char32_t;
+typedef wchar_t		   atomic_wchar_t;
+typedef int_least8_t	   atomic_int_least8_t;
+typedef uint_least8_t	   atomic_uint_least8_t;
+typedef int_least16_t	   atomic_int_least16_t;
+typedef uint_least16_t	   atomic_uint_least16_t;
+typedef int_least32_t	   atomic_int_least32_t;
+typedef uint_least32_t	   atomic_uint_least32_t;
+typedef int_least64_t	   atomic_int_least64_t;
+typedef uint_least64_t	   atomic_uint_least64_t;
+typedef int_fast8_t	   atomic_int_fast8_t;
+typedef uint_fast8_t	   atomic_uint_fast8_t;
+typedef int_fast16_t	   atomic_int_fast16_t;
+typedef uint_fast16_t	   atomic_uint_fast16_t;
+typedef int_fast32_t	   atomic_int_fast32_t;
+typedef uint_fast32_t	   atomic_uint_fast32_t;
+typedef int_fast64_t	   atomic_int_fast64_t;
+typedef uint_fast64_t	   atomic_uint_fast64_t;
+typedef intptr_t	   atomic_intptr_t;
+typedef uintptr_t	   atomic_uintptr_t;
+typedef size_t		   atomic_size_t;
+typedef ptrdiff_t	   atomic_ptrdiff_t;
+typedef intmax_t	   atomic_intmax_t;
+typedef uintmax_t	   atomic_uintmax_t;
+
+#if defined(__CLANG_ATOMICS) /* __c11_atomic builtins */
+#define atomic_init(obj, desired)	 __c11_atomic_init(obj, desired)
+#define atomic_load_explicit(obj, order) __c11_atomic_load(obj, order)
+#define atomic_store_explicit(obj, desired, order) \
+	__c11_atomic_store(obj, desired, order)
+#define atomic_fetch_add_explicit(obj, arg, order) \
+	__c11_atomic_fetch_add(obj, arg, order)
+#define atomic_fetch_sub_explicit(obj, arg, order) \
+	__c11_atomic_fetch_sub(obj, arg, order)
+#define atomic_fetch_and_explicit(obj, arg, order) \
+	__c11_atomic_fetch_and(obj, arg, order)
+#define atomic_fetch_or_explicit(obj, arg, order) \
+	__c11_atomic_fetch_or(obj, arg, order)
+#define atomic_compare_exchange_strong_explicit(obj, expected, desired, succ, \
+						fail)                         \
+	__c11_atomic_compare_exchange_strong_explicit(obj, expected, desired, \
+						      succ, fail)
+#define atomic_compare_exchange_weak_explicit(obj, expected, desired, succ, \
+					      fail)                         \
+	__c11_atomic_compare_exchange_weak_explicit(obj, expected, desired, \
+						    succ, fail)
+#define atomic_exchange_explicit(obj, desired, order) \
+	__c11_atomic_exchange_explicit(obj, expected, order)
+#elif defined(__GNUC_ATOMICS) /* __atomic builtins */
+#define atomic_init(obj, desired)	 (*obj = desired)
+#define atomic_load_explicit(obj, order) __atomic_load_n(obj, order)
+#define atomic_store_explicit(obj, desired, order) \
+	__atomic_store_n(obj, desired, order)
+#define atomic_fetch_add_explicit(obj, arg, order) \
+	__atomic_fetch_add(obj, arg, order)
+#define atomic_fetch_sub_explicit(obj, arg, order) \
+	__atomic_fetch_sub(obj, arg, order)
+#define atomic_fetch_and_explicit(obj, arg, order) \
+	__atomic_fetch_and(obj, arg, order)
+#define atomic_fetch_or_explicit(obj, arg, order) \
+	__atomic_fetch_or(obj, arg, order)
+#define atomic_compare_exchange_strong_explicit(obj, expected, desired, succ, \
+						fail)                         \
+	__atomic_compare_exchange_n(obj, expected, desired, 0, succ, fail)
+#define atomic_compare_exchange_weak_explicit(obj, expected, desired, succ, \
+					      fail)                         \
+	__atomic_compare_exchange_n(obj, expected, desired, 1, succ, fail)
+#define atomic_exchange_explicit(obj, desired, order) \
+	__atomic_exchange_n(obj, desired, order)
+#else /* __sync builtins */
+#define atomic_init(obj, desired)	 (*obj = desired)
+#define atomic_load_explicit(obj, order) __sync_fetch_and_add(obj, 0)
+#define atomic_store_explicit(obj, desired, order) \
+	do {                                       \
+		__sync_synchronize();              \
+		*obj = desired;                    \
+		__sync_synchronize();              \
+	} while (0);
+#define atomic_fetch_add_explicit(obj, arg, order) \
+	__sync_fetch_and_add(obj, arg)
+#define atomic_fetch_sub_explicit(obj, arg, order) \
+	__sync_fetch_and_sub(obj, arg, order)
+#define atomic_fetch_and_explicit(obj, arg, order) \
+	__sync_fetch_and_and(obj, arg, order)
+#define atomic_fetch_or_explicit(obj, arg, order) \
+	__sync_fetch_and_or(obj, arg, order)
+#define atomic_compare_exchange_strong_explicit(obj, expected, desired, succ, \
+						fail)                         \
+	({                                                                    \
+		__typeof__(obj) __v;                                          \
+		_Bool		__r;                                          \
+		__v = (__typeof__(obj))__sync_val_compare_and_swap(           \
+			obj, *(expected), desired);                           \
+		__r = ((__typeof__(obj))*(expected) == __v);                  \
+		*(expected) = __v;                                            \
+		__r;                                                          \
+	})
+#define atomic_compare_exchange_weak_explicit(obj, expected, desired, succ,   \
+					      fail)                           \
+	atomic_compare_exchange_strong_explicit(obj, expected, desired, succ, \
+						fail)
+#define atomic_exchange_explicit(obj, desired, order) \
+	__sync_lock_test_and_set(obj, desired)
+
+#endif /* if defined(__CLANG_ATOMICS) */
+
+#define atomic_load(obj) atomic_load_explicit(obj, memory_order_seq_cst)
+#define atomic_store(obj, arg) \
+	atomic_store_explicit(obj, arg, memory_order_seq_cst)
+#define atomic_fetch_add(obj, arg) \
+	atomic_fetch_add_explicit(obj, arg, memory_order_seq_cst)
+#define atomic_fetch_sub(obj, arg) \
+	atomic_fetch_sub_explicit(obj, arg, memory_order_seq_cst)
+#define atomic_fetch_and(obj, arg) \
+	atomic_fetch_and_explicit(obj, arg, memory_order_seq_cst)
+#define atomic_fetch_or(obj, arg) \
+	atomic_fetch_or_explicit(obj, arg, memory_order_seq_cst)
+#define atomic_compare_exchange_strong(obj, expected, desired)          \
+	atomic_compare_exchange_strong_explicit(obj, expected, desired, \
+						memory_order_seq_cst,   \
+						memory_order_seq_cst)
+#define atomic_compare_exchange_weak(obj, expected, desired)          \
+	atomic_compare_exchange_weak_explicit(obj, expected, desired, \
+					      memory_order_seq_cst,   \
+					      memory_order_seq_cst)
+#define atomic_exchange(obj, desired) \
+	atomic_exchange_explicit(obj, desired, memory_order_seq_cst)
diff --git a/lib/isc/unix/include/isc/stdtime.h b/lib/isc/unix/include/isc/stdtime.h
new file mode 100644
index 0000000..e38a2c6
--- /dev/null
+++ b/lib/isc/unix/include/isc/stdtime.h
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_STDTIME_H
+#define ISC_STDTIME_H 1
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdlib.h>
+
+#include <isc/lang.h>
+
+/*%
+ * It's public information that 'isc_stdtime_t' is an unsigned integral type.
+ * Applications that want maximum portability should not assume anything
+ * about its size.
+ */
+typedef uint32_t isc_stdtime_t;
+
+ISC_LANG_BEGINDECLS
+/* */
+void
+isc_stdtime_get(isc_stdtime_t *t);
+/*%<
+ * Set 't' to the number of seconds since 00:00:00 UTC, January 1, 1970.
+ *
+ * Requires:
+ *
+ *\li	't' is a valid pointer.
+ */
+
+void
+isc_stdtime_tostring(isc_stdtime_t t, char *out, size_t outlen);
+/*
+ * Convert 't' into a null-terminated string of the form
+ * "Wed Jun 30 21:49:08 1993". Store the string in the 'out'
+ * buffer.
+ *
+ * Requires:
+ *
+ *	't' is a valid time.
+ *	'out' is a valid pointer.
+ *	'outlen' is at least 26.
+ */
+
+#define isc_stdtime_convert32(t, t32p) (*(t32p) = t)
+/*
+ * Convert the standard time to its 32-bit version.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_STDTIME_H */
diff --git a/lib/isc/unix/include/isc/syslog.h b/lib/isc/unix/include/isc/syslog.h
new file mode 100644
index 0000000..f46dc1a
--- /dev/null
+++ b/lib/isc/unix/include/isc/syslog.h
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_SYSLOG_H
+#define ISC_SYSLOG_H 1
+
+/*! \file */
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_syslog_facilityfromstring(const char *str, int *facilityp);
+/*%<
+ * Convert 'str' to the appropriate syslog facility constant.
+ *
+ * Requires:
+ *
+ *\li	'str' is not NULL
+ *\li	'facilityp' is not NULL
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOTFOUND
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_SYSLOG_H */
diff --git a/lib/isc/unix/include/isc/time.h b/lib/isc/unix/include/isc/time.h
new file mode 100644
index 0000000..ecec64d
--- /dev/null
+++ b/lib/isc/unix/include/isc/time.h
@@ -0,0 +1,452 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_TIME_H
+#define ISC_TIME_H 1
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+/***
+ *** Intervals
+ ***/
+
+/*!
+ *  \brief
+ * The contents of this structure are private, and MUST NOT be accessed
+ * directly by callers.
+ *
+ * The contents are exposed only to allow callers to avoid dynamic allocation.
+ */
+struct isc_interval {
+	unsigned int seconds;
+	unsigned int nanoseconds;
+};
+
+extern const isc_interval_t *const isc_interval_zero;
+
+/*
+ * ISC_FORMATHTTPTIMESTAMP_SIZE needs to be 30 in C locale and potentially
+ * more for other locales to handle longer national abbreviations when
+ * expanding strftime's %a and %b.
+ */
+#define ISC_FORMATHTTPTIMESTAMP_SIZE 50
+
+ISC_LANG_BEGINDECLS
+
+void
+isc_interval_set(isc_interval_t *i, unsigned int seconds,
+		 unsigned int nanoseconds);
+/*%<
+ * Set 'i' to a value representing an interval of 'seconds' seconds and
+ * 'nanoseconds' nanoseconds, suitable for use in isc_time_add() and
+ * isc_time_subtract().
+ *
+ * Requires:
+ *
+ *\li	't' is a valid pointer.
+ *\li	nanoseconds < 1000000000.
+ */
+
+bool
+isc_interval_iszero(const isc_interval_t *i);
+/*%<
+ * Returns true iff. 'i' is the zero interval.
+ *
+ * Requires:
+ *
+ *\li	'i' is a valid pointer.
+ */
+
+/***
+ *** Absolute Times
+ ***/
+
+/*%
+ * The contents of this structure are private, and MUST NOT be accessed
+ * directly by callers.
+ *
+ * The contents are exposed only to allow callers to avoid dynamic allocation.
+ */
+
+struct isc_time {
+	unsigned int seconds;
+	unsigned int nanoseconds;
+};
+
+extern const isc_time_t *const isc_time_epoch;
+
+void
+isc_time_set(isc_time_t *t, unsigned int seconds, unsigned int nanoseconds);
+/*%<
+ * Set 't' to a value which represents the given number of seconds and
+ * nanoseconds since 00:00:00 January 1, 1970, UTC.
+ *
+ * Notes:
+ *\li	The Unix version of this call is equivalent to:
+ *\code
+ *	isc_time_settoepoch(t);
+ *	isc_interval_set(i, seconds, nanoseconds);
+ *	isc_time_add(t, i, t);
+ *\endcode
+ *
+ * Requires:
+ *\li	't' is a valid pointer.
+ *\li	nanoseconds < 1000000000.
+ */
+
+void
+isc_time_settoepoch(isc_time_t *t);
+/*%<
+ * Set 't' to the time of the epoch.
+ *
+ * Notes:
+ *\li	The date of the epoch is platform-dependent.
+ *
+ * Requires:
+ *
+ *\li	't' is a valid pointer.
+ */
+
+bool
+isc_time_isepoch(const isc_time_t *t);
+/*%<
+ * Returns true iff. 't' is the epoch ("time zero").
+ *
+ * Requires:
+ *
+ *\li	't' is a valid pointer.
+ */
+
+isc_result_t
+isc_time_now(isc_time_t *t);
+/*%<
+ * Set 't' to the current absolute time.
+ *
+ * Requires:
+ *
+ *\li	't' is a valid pointer.
+ *
+ * Returns:
+ *
+ *\li	Success
+ *\li	Unexpected error
+ *		Getting the time from the system failed.
+ *\li	Out of range
+ *		The time from the system is too large to be represented
+ *		in the current definition of isc_time_t.
+ */
+
+isc_result_t
+isc_time_now_hires(isc_time_t *t);
+/*%<
+ * Set 't' to the current absolute time. Uses higher resolution clocks
+ * recommended when microsecond accuracy is required.
+ *
+ * Requires:
+ *
+ *\li	't' is a valid pointer.
+ *
+ * Returns:
+ *
+ *\li	Success
+ *\li	Unexpected error
+ *		Getting the time from the system failed.
+ *\li	Out of range
+ *		The time from the system is too large to be represented
+ *		in the current definition of isc_time_t.
+ */
+
+isc_result_t
+isc_time_nowplusinterval(isc_time_t *t, const isc_interval_t *i);
+/*%<
+ * Set *t to the current absolute time + i.
+ *
+ * Note:
+ *\li	This call is equivalent to:
+ *
+ *\code
+ *		isc_time_now(t);
+ *		isc_time_add(t, i, t);
+ *\endcode
+ *
+ * Requires:
+ *
+ *\li	't' and 'i' are valid pointers.
+ *
+ * Returns:
+ *
+ *\li	Success
+ *\li	Unexpected error
+ *		Getting the time from the system failed.
+ *\li	Out of range
+ *		The interval added to the time from the system is too large to
+ *		be represented in the current definition of isc_time_t.
+ */
+
+int
+isc_time_compare(const isc_time_t *t1, const isc_time_t *t2);
+/*%<
+ * Compare the times referenced by 't1' and 't2'
+ *
+ * Requires:
+ *
+ *\li	't1' and 't2' are valid pointers.
+ *
+ * Returns:
+ *
+ *\li	-1		t1 < t2		(comparing times, not pointers)
+ *\li	0		t1 = t2
+ *\li	1		t1 > t2
+ */
+
+isc_result_t
+isc_time_add(const isc_time_t *t, const isc_interval_t *i, isc_time_t *result);
+/*%<
+ * Add 'i' to 't', storing the result in 'result'.
+ *
+ * Requires:
+ *
+ *\li	't', 'i', and 'result' are valid pointers.
+ *
+ * Returns:
+ *\li	Success
+ *\li	Out of range
+ * 		The interval added to the time is too large to
+ *		be represented in the current definition of isc_time_t.
+ */
+
+isc_result_t
+isc_time_subtract(const isc_time_t *t, const isc_interval_t *i,
+		  isc_time_t *result);
+/*%<
+ * Subtract 'i' from 't', storing the result in 'result'.
+ *
+ * Requires:
+ *
+ *\li	't', 'i', and 'result' are valid pointers.
+ *
+ * Returns:
+ *\li	Success
+ *\li	Out of range
+ *		The interval is larger than the time since the epoch.
+ */
+
+uint64_t
+isc_time_microdiff(const isc_time_t *t1, const isc_time_t *t2);
+/*%<
+ * Find the difference in microseconds between time t1 and time t2.
+ * t2 is the subtrahend of t1; ie, difference = t1 - t2.
+ *
+ * Requires:
+ *
+ *\li	't1' and 't2' are valid pointers.
+ *
+ * Returns:
+ *\li	The difference of t1 - t2, or 0 if t1 <= t2.
+ */
+
+uint32_t
+isc_time_seconds(const isc_time_t *t);
+/*%<
+ * Return the number of seconds since the epoch stored in a time structure.
+ *
+ * Requires:
+ *
+ *\li	't' is a valid pointer.
+ */
+
+isc_result_t
+isc_time_secondsastimet(const isc_time_t *t, time_t *secondsp);
+/*%<
+ * Ensure the number of seconds in an isc_time_t is representable by a time_t.
+ *
+ * Notes:
+ *\li	The number of seconds stored in an isc_time_t might be larger
+ *	than the number of seconds a time_t is able to handle.  Since
+ *	time_t is mostly opaque according to the ANSI/ISO standard
+ *	(essentially, all you can be sure of is that it is an arithmetic type,
+ *	not even necessarily integral), it can be tricky to ensure that
+ *	the isc_time_t is in the range a time_t can handle.  Use this
+ *	function in place of isc_time_seconds() any time you need to set a
+ *	time_t from an isc_time_t.
+ *
+ * Requires:
+ *\li	't' is a valid pointer.
+ *
+ * Returns:
+ *\li	Success
+ *\li	Out of range
+ */
+
+uint32_t
+isc_time_nanoseconds(const isc_time_t *t);
+/*%<
+ * Return the number of nanoseconds stored in a time structure.
+ *
+ * Notes:
+ *\li	This is the number of nanoseconds in excess of the number
+ *	of seconds since the epoch; it will always be less than one
+ *	full second.
+ *
+ * Requires:
+ *\li	't' is a valid pointer.
+ *
+ * Ensures:
+ *\li	The returned value is less than 1*10^9.
+ */
+
+void
+isc_time_formattimestamp(const isc_time_t *t, char *buf, unsigned int len);
+/*%<
+ * Format the time 't' into the buffer 'buf' of length 'len',
+ * using a format like "30-Aug-2000 04:06:47.997" and the local time zone.
+ * If the text does not fit in the buffer, the result is indeterminate,
+ * but is always guaranteed to be null terminated.
+ *
+ *  Requires:
+ *\li      'len' > 0
+ *\li      'buf' points to an array of at least len chars
+ *
+ */
+
+void
+isc_time_formathttptimestamp(const isc_time_t *t, char *buf, unsigned int len);
+/*%<
+ * Format the time 't' into the buffer 'buf' of length 'len',
+ * using a format like "Mon, 30 Aug 2000 04:06:47 GMT"
+ * If the text does not fit in the buffer, the result is indeterminate,
+ * but is always guaranteed to be null terminated.
+ *
+ *  Requires:
+ *\li      'len' > 0
+ *\li      'buf' points to an array of at least len chars
+ *
+ */
+
+isc_result_t
+isc_time_parsehttptimestamp(char *input, isc_time_t *t);
+/*%<
+ * Parse the time in 'input' into the isc_time_t pointed to by 't',
+ * expecting a format like "Mon, 30 Aug 2000 04:06:47 GMT"
+ *
+ *  Requires:
+ *\li      'buf' and 't' are not NULL.
+ */
+
+void
+isc_time_formatISO8601L(const isc_time_t *t, char *buf, unsigned int len);
+/*%<
+ * Format the time 't' into the buffer 'buf' of length 'len',
+ * using the ISO8601 format: "yyyy-mm-ddThh:mm:ss"
+ * If the text does not fit in the buffer, the result is indeterminate,
+ * but is always guaranteed to be null terminated.
+ *
+ *  Requires:
+ *\li      'len' > 0
+ *\li      'buf' points to an array of at least len chars
+ *
+ */
+
+void
+isc_time_formatISO8601Lms(const isc_time_t *t, char *buf, unsigned int len);
+/*%<
+ * Format the time 't' into the buffer 'buf' of length 'len',
+ * using the ISO8601 format: "yyyy-mm-ddThh:mm:ss.sss"
+ * If the text does not fit in the buffer, the result is indeterminate,
+ * but is always guaranteed to be null terminated.
+ *
+ *  Requires:
+ *\li      'len' > 0
+ *\li      'buf' points to an array of at least len chars
+ *
+ */
+
+void
+isc_time_formatISO8601Lus(const isc_time_t *t, char *buf, unsigned int len);
+/*%<
+ * Format the time 't' into the buffer 'buf' of length 'len',
+ * using the ISO8601 format: "yyyy-mm-ddThh:mm:ss.ssssss"
+ * If the text does not fit in the buffer, the result is indeterminate,
+ * but is always guaranteed to be null terminated.
+ *
+ *  Requires:
+ *\li      'len' > 0
+ *\li      'buf' points to an array of at least len chars
+ *
+ */
+
+void
+isc_time_formatISO8601(const isc_time_t *t, char *buf, unsigned int len);
+/*%<
+ * Format the time 't' into the buffer 'buf' of length 'len',
+ * using the ISO8601 format: "yyyy-mm-ddThh:mm:ssZ"
+ * If the text does not fit in the buffer, the result is indeterminate,
+ * but is always guaranteed to be null terminated.
+ *
+ *  Requires:
+ *\li      'len' > 0
+ *\li      'buf' points to an array of at least len chars
+ *
+ */
+
+void
+isc_time_formatISO8601ms(const isc_time_t *t, char *buf, unsigned int len);
+/*%<
+ * Format the time 't' into the buffer 'buf' of length 'len',
+ * using the ISO8601 format: "yyyy-mm-ddThh:mm:ss.sssZ"
+ * If the text does not fit in the buffer, the result is indeterminate,
+ * but is always guaranteed to be null terminated.
+ *
+ *  Requires:
+ *\li      'len' > 0
+ *\li      'buf' points to an array of at least len chars
+ *
+ */
+
+void
+isc_time_formatISO8601us(const isc_time_t *t, char *buf, unsigned int len);
+/*%<
+ * Format the time 't' into the buffer 'buf' of length 'len',
+ * using the ISO8601 format: "yyyy-mm-ddThh:mm:ss.ssssssZ"
+ * If the text does not fit in the buffer, the result is indeterminate,
+ * but is always guaranteed to be null terminated.
+ *
+ *  Requires:
+ *\li      'len' > 0
+ *\li      'buf' points to an array of at least len chars
+ *
+ */
+
+void
+isc_time_formatshorttimestamp(const isc_time_t *t, char *buf, unsigned int len);
+/*%<
+ * Format the time 't' into the buffer 'buf' of length 'len',
+ * using the format "yyyymmddhhmmsssss" useful for file timestamping.
+ * If the text does not fit in the buffer, the result is indeterminate,
+ * but is always guaranteed to be null terminated.
+ *
+ *  Requires:
+ *\li      'len' > 0
+ *\li      'buf' points to an array of at least len chars
+ *
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_TIME_H */
diff --git a/lib/isc/unix/interfaceiter.c b/lib/isc/unix/interfaceiter.c
new file mode 100644
index 0000000..a1f6c9d
--- /dev/null
+++ b/lib/isc/unix/interfaceiter.c
@@ -0,0 +1,301 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <sys/ioctl.h>
+#include <sys/types.h>
+#ifdef HAVE_SYS_SOCKIO_H
+#include <sys/sockio.h> /* Required for ifiter_ioctl.c. */
+#endif			/* ifdef HAVE_SYS_SOCKIO_H */
+
+#include <errno.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#include <isc/interfaceiter.h>
+#include <isc/log.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/net.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/strerr.h>
+#include <isc/string.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+/* Must follow <isc/net.h>. */
+#ifdef HAVE_NET_IF6_H
+#include <net/if6.h>
+#endif /* ifdef HAVE_NET_IF6_H */
+#include <net/if.h>
+
+/* Common utility functions */
+
+/*%
+ * Extract the network address part from a "struct sockaddr".
+ * \brief
+ * The address family is given explicitly
+ * instead of using src->sa_family, because the latter does not work
+ * for copying a network mask obtained by SIOCGIFNETMASK (it does
+ * not have a valid address family).
+ */
+
+static void
+get_addr(unsigned int family, isc_netaddr_t *dst, struct sockaddr *src,
+	 char *ifname) {
+	struct sockaddr_in6 *sa6;
+
+#if !defined(HAVE_IF_NAMETOINDEX)
+	UNUSED(ifname);
+#endif /* if !defined(HAVE_IF_NAMETOINDEX) */
+
+	/* clear any remaining value for safety */
+	memset(dst, 0, sizeof(*dst));
+
+	dst->family = family;
+	switch (family) {
+	case AF_INET:
+		memmove(&dst->type.in, &((struct sockaddr_in *)src)->sin_addr,
+			sizeof(struct in_addr));
+		break;
+	case AF_INET6:
+		sa6 = (struct sockaddr_in6 *)src;
+		memmove(&dst->type.in6, &sa6->sin6_addr,
+			sizeof(struct in6_addr));
+		if (sa6->sin6_scope_id != 0) {
+			isc_netaddr_setzone(dst, sa6->sin6_scope_id);
+		} else {
+			/*
+			 * BSD variants embed scope zone IDs in the 128bit
+			 * address as a kernel internal form.  Unfortunately,
+			 * the embedded IDs are not hidden from applications
+			 * when getting access to them by sysctl or ioctl.
+			 * We convert the internal format to the pure address
+			 * part and the zone ID part.
+			 * Since multicast addresses should not appear here
+			 * and they cannot be distinguished from netmasks,
+			 * we only consider unicast link-local addresses.
+			 */
+			if (IN6_IS_ADDR_LINKLOCAL(&sa6->sin6_addr)) {
+				uint16_t zone16;
+
+				memmove(&zone16, &sa6->sin6_addr.s6_addr[2],
+					sizeof(zone16));
+				zone16 = ntohs(zone16);
+				if (zone16 != 0) {
+					/* the zone ID is embedded */
+					isc_netaddr_setzone(dst,
+							    (uint32_t)zone16);
+					dst->type.in6.s6_addr[2] = 0;
+					dst->type.in6.s6_addr[3] = 0;
+#ifdef HAVE_IF_NAMETOINDEX
+				} else if (ifname != NULL) {
+					unsigned int zone;
+
+					/*
+					 * sin6_scope_id is still not provided,
+					 * but the corresponding interface name
+					 * is know.  Use the interface ID as
+					 * the link ID.
+					 */
+					zone = if_nametoindex(ifname);
+					if (zone != 0) {
+						isc_netaddr_setzone(
+							dst, (uint32_t)zone);
+					}
+#endif /* ifdef HAVE_IF_NAMETOINDEX */
+				}
+			}
+		}
+		break;
+	default:
+		UNREACHABLE();
+	}
+}
+
+/*
+ * Include system-dependent code.
+ */
+
+#ifdef __linux
+#define ISC_IF_INET6_SZ                                        \
+	sizeof("00000000000000000000000000000001 01 80 10 80 " \
+	       "XXXXXXloXXXXXXXX\n")
+static isc_result_t
+linux_if_inet6_next(isc_interfaceiter_t *);
+static isc_result_t
+linux_if_inet6_current(isc_interfaceiter_t *);
+static void
+linux_if_inet6_first(isc_interfaceiter_t *iter);
+#endif /* ifdef __linux */
+
+#include "ifiter_getifaddrs.c"
+
+#ifdef __linux
+static void
+linux_if_inet6_first(isc_interfaceiter_t *iter) {
+	if (iter->proc != NULL) {
+		rewind(iter->proc);
+		(void)linux_if_inet6_next(iter);
+	} else {
+		iter->valid = ISC_R_NOMORE;
+	}
+}
+
+static isc_result_t
+linux_if_inet6_next(isc_interfaceiter_t *iter) {
+	if (iter->proc != NULL &&
+	    fgets(iter->entry, sizeof(iter->entry), iter->proc) != NULL)
+	{
+		iter->valid = ISC_R_SUCCESS;
+	} else {
+		iter->valid = ISC_R_NOMORE;
+	}
+	return (iter->valid);
+}
+
+static isc_result_t
+linux_if_inet6_current(isc_interfaceiter_t *iter) {
+	char address[33];
+	char name[IF_NAMESIZE + 1];
+	struct in6_addr addr6;
+	unsigned int ifindex, prefix, flag3, flag4;
+	int res;
+	unsigned int i;
+
+	if (iter->valid != ISC_R_SUCCESS) {
+		return (iter->valid);
+	}
+	if (iter->proc == NULL) {
+		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_INTERFACE, ISC_LOG_ERROR,
+			      "/proc/net/if_inet6:iter->proc == NULL");
+		return (ISC_R_FAILURE);
+	}
+
+	res = sscanf(iter->entry, "%32[a-f0-9] %x %x %x %x %16s\n", address,
+		     &ifindex, &prefix, &flag3, &flag4, name);
+	if (res != 6) {
+		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_INTERFACE, ISC_LOG_ERROR,
+			      "/proc/net/if_inet6:sscanf() -> %d (expected 6)",
+			      res);
+		return (ISC_R_FAILURE);
+	}
+	if (strlen(address) != 32) {
+		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_INTERFACE, ISC_LOG_ERROR,
+			      "/proc/net/if_inet6:strlen(%s) != 32", address);
+		return (ISC_R_FAILURE);
+	}
+	for (i = 0; i < 16; i++) {
+		unsigned char byte;
+		static const char hex[] = "0123456789abcdef";
+		byte = ((strchr(hex, address[i * 2]) - hex) << 4) |
+		       (strchr(hex, address[i * 2 + 1]) - hex);
+		addr6.s6_addr[i] = byte;
+	}
+	iter->current.af = AF_INET6;
+	iter->current.flags = INTERFACE_F_UP;
+	isc_netaddr_fromin6(&iter->current.address, &addr6);
+	if (isc_netaddr_islinklocal(&iter->current.address)) {
+		isc_netaddr_setzone(&iter->current.address, (uint32_t)ifindex);
+	}
+	for (i = 0; i < 16; i++) {
+		if (prefix > 8) {
+			addr6.s6_addr[i] = 0xff;
+			prefix -= 8;
+		} else {
+			addr6.s6_addr[i] = (0xff << (8 - prefix)) & 0xff;
+			prefix = 0;
+		}
+	}
+	isc_netaddr_fromin6(&iter->current.netmask, &addr6);
+	strlcpy(iter->current.name, name, sizeof(iter->current.name));
+	return (ISC_R_SUCCESS);
+}
+#endif /* ifdef __linux */
+
+/*
+ * The remaining code is common to the sysctl and ioctl case.
+ */
+
+isc_result_t
+isc_interfaceiter_current(isc_interfaceiter_t *iter, isc_interface_t *ifdata) {
+	REQUIRE(iter->result == ISC_R_SUCCESS);
+	memmove(ifdata, &iter->current, sizeof(*ifdata));
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_interfaceiter_first(isc_interfaceiter_t *iter) {
+	isc_result_t result;
+
+	REQUIRE(VALID_IFITER(iter));
+
+	internal_first(iter);
+	for (;;) {
+		result = internal_current(iter);
+		if (result != ISC_R_IGNORE) {
+			break;
+		}
+		result = internal_next(iter);
+		if (result != ISC_R_SUCCESS) {
+			break;
+		}
+	}
+	iter->result = result;
+	return (result);
+}
+
+isc_result_t
+isc_interfaceiter_next(isc_interfaceiter_t *iter) {
+	isc_result_t result;
+
+	REQUIRE(VALID_IFITER(iter));
+	REQUIRE(iter->result == ISC_R_SUCCESS);
+
+	for (;;) {
+		result = internal_next(iter);
+		if (result != ISC_R_SUCCESS) {
+			break;
+		}
+		result = internal_current(iter);
+		if (result != ISC_R_IGNORE) {
+			break;
+		}
+	}
+	iter->result = result;
+	return (result);
+}
+
+void
+isc_interfaceiter_destroy(isc_interfaceiter_t **iterp) {
+	isc_interfaceiter_t *iter;
+	REQUIRE(iterp != NULL);
+	iter = *iterp;
+	*iterp = NULL;
+	REQUIRE(VALID_IFITER(iter));
+
+	internal_destroy(iter);
+	if (iter->buf != NULL) {
+		isc_mem_put(iter->mctx, iter->buf, iter->bufsize);
+	}
+
+	iter->magic = 0;
+	isc_mem_put(iter->mctx, iter, sizeof(*iter));
+}
diff --git a/lib/isc/unix/meminfo.c b/lib/isc/unix/meminfo.c
new file mode 100644
index 0000000..612ccea
--- /dev/null
+++ b/lib/isc/unix/meminfo.c
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <inttypes.h>
+#include <unistd.h>
+
+#include <isc/meminfo.h>
+#if defined(HAVE_SYS_SYSCTL_H) && !defined(__linux__)
+#include <sys/sysctl.h>
+#endif /* if defined(HAVE_SYS_SYSCTL_H) && !defined(__linux__) */
+
+uint64_t
+isc_meminfo_totalphys(void) {
+#if defined(CTL_HW) && (defined(HW_PHYSMEM64) || defined(HW_MEMSIZE))
+	int mib[2];
+	mib[0] = CTL_HW;
+#if defined(HW_MEMSIZE)
+	mib[1] = HW_MEMSIZE;
+#elif defined(HW_PHYSMEM64)
+	mib[1] = HW_PHYSMEM64;
+#endif /* if defined(HW_MEMSIZE) */
+	uint64_t size = 0;
+	size_t len = sizeof(size);
+	if (sysctl(mib, 2, &size, &len, NULL, 0) == 0) {
+		return (size);
+	}
+#endif /* if defined(CTL_HW) && (defined(HW_PHYSMEM64) || defined(HW_MEMSIZE)) \
+	* */
+#if defined(_SC_PHYS_PAGES) && defined(_SC_PAGESIZE)
+	long pages = sysconf(_SC_PHYS_PAGES);
+	long pagesize = sysconf(_SC_PAGESIZE);
+
+	if (pages == -1 || pagesize == -1) {
+		return (0);
+	}
+
+	return ((size_t)pages * pagesize);
+#endif /* if defined(_SC_PHYS_PAGES) && defined(_SC_PAGESIZE) */
+	return (0);
+}
diff --git a/lib/isc/unix/net.c b/lib/isc/unix/net.c
new file mode 100644
index 0000000..1e43b4b
--- /dev/null
+++ b/lib/isc/unix/net.c
@@ -0,0 +1,860 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stdbool.h>
+#include <sys/types.h>
+
+#if defined(HAVE_SYS_SYSCTL_H) && !defined(__linux__)
+#if defined(HAVE_SYS_PARAM_H)
+#include <sys/param.h>
+#endif /* if defined(HAVE_SYS_PARAM_H) */
+#include <sys/sysctl.h>
+#endif /* if defined(HAVE_SYS_SYSCTL_H) && !defined(__linux__) */
+#include <errno.h>
+#include <fcntl.h>
+#include <sys/uio.h>
+#include <unistd.h>
+
+#include <isc/log.h>
+#include <isc/net.h>
+#include <isc/netdb.h>
+#include <isc/once.h>
+#include <isc/strerr.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#ifndef socklen_t
+#define socklen_t unsigned int
+#endif /* ifndef socklen_t */
+
+/*%
+ * Definitions about UDP port range specification.  This is a total mess of
+ * portability variants: some use sysctl (but the sysctl names vary), some use
+ * system-specific interfaces, some have the same interface for IPv4 and IPv6,
+ * some separate them, etc...
+ */
+
+/*%
+ * The last resort defaults: use all non well known port space
+ */
+#ifndef ISC_NET_PORTRANGELOW
+#define ISC_NET_PORTRANGELOW 1024
+#endif /* ISC_NET_PORTRANGELOW */
+#ifndef ISC_NET_PORTRANGEHIGH
+#define ISC_NET_PORTRANGEHIGH 65535
+#endif /* ISC_NET_PORTRANGEHIGH */
+
+#ifdef HAVE_SYSCTLBYNAME
+
+/*%
+ * sysctl variants
+ */
+#if defined(__FreeBSD__) || defined(__APPLE__) || defined(__DragonFly__)
+#define USE_SYSCTL_PORTRANGE
+#define SYSCTL_V4PORTRANGE_LOW	"net.inet.ip.portrange.hifirst"
+#define SYSCTL_V4PORTRANGE_HIGH "net.inet.ip.portrange.hilast"
+#define SYSCTL_V6PORTRANGE_LOW	"net.inet.ip.portrange.hifirst"
+#define SYSCTL_V6PORTRANGE_HIGH "net.inet.ip.portrange.hilast"
+#endif /* if defined(__FreeBSD__) || defined(__APPLE__) || \
+	* defined(__DragonFly__) */
+
+#ifdef __NetBSD__
+#define USE_SYSCTL_PORTRANGE
+#define SYSCTL_V4PORTRANGE_LOW	"net.inet.ip.anonportmin"
+#define SYSCTL_V4PORTRANGE_HIGH "net.inet.ip.anonportmax"
+#define SYSCTL_V6PORTRANGE_LOW	"net.inet6.ip6.anonportmin"
+#define SYSCTL_V6PORTRANGE_HIGH "net.inet6.ip6.anonportmax"
+#endif /* ifdef __NetBSD__ */
+
+#else /* !HAVE_SYSCTLBYNAME */
+
+#ifdef __OpenBSD__
+#define USE_SYSCTL_PORTRANGE
+#define SYSCTL_V4PORTRANGE_LOW                                         \
+	{                                                              \
+		CTL_NET, PF_INET, IPPROTO_IP, IPCTL_IPPORT_HIFIRSTAUTO \
+	}
+#define SYSCTL_V4PORTRANGE_HIGH                                       \
+	{                                                             \
+		CTL_NET, PF_INET, IPPROTO_IP, IPCTL_IPPORT_HILASTAUTO \
+	}
+/* Same for IPv6 */
+#define SYSCTL_V6PORTRANGE_LOW	SYSCTL_V4PORTRANGE_LOW
+#define SYSCTL_V6PORTRANGE_HIGH SYSCTL_V4PORTRANGE_HIGH
+#endif /* ifdef __OpenBSD__ */
+
+#endif /* HAVE_SYSCTLBYNAME */
+
+static isc_once_t once_ipv6only = ISC_ONCE_INIT;
+#ifdef __notyet__
+static isc_once_t once_ipv6pktinfo = ISC_ONCE_INIT;
+#endif /* ifdef __notyet__ */
+
+#ifndef ISC_CMSG_IP_TOS
+#ifdef __APPLE__
+#define ISC_CMSG_IP_TOS 0 /* As of 10.8.2. */
+#else			  /* ! __APPLE__ */
+#define ISC_CMSG_IP_TOS 1
+#endif /* ! __APPLE__ */
+#endif /* ! ISC_CMSG_IP_TOS */
+
+static isc_once_t once = ISC_ONCE_INIT;
+static isc_once_t once_dscp = ISC_ONCE_INIT;
+
+static isc_result_t ipv4_result = ISC_R_NOTFOUND;
+static isc_result_t ipv6_result = ISC_R_NOTFOUND;
+static isc_result_t unix_result = ISC_R_NOTFOUND;
+static isc_result_t ipv6only_result = ISC_R_NOTFOUND;
+static isc_result_t ipv6pktinfo_result = ISC_R_NOTFOUND;
+static unsigned int dscp_result = 0;
+
+static isc_result_t
+try_proto(int domain) {
+	int s;
+	isc_result_t result = ISC_R_SUCCESS;
+	char strbuf[ISC_STRERRORSIZE];
+
+	s = socket(domain, SOCK_STREAM, 0);
+	if (s == -1) {
+		switch (errno) {
+#ifdef EAFNOSUPPORT
+		case EAFNOSUPPORT:
+#endif /* ifdef EAFNOSUPPORT */
+#ifdef EPFNOSUPPORT
+		case EPFNOSUPPORT:
+#endif /* ifdef EPFNOSUPPORT */
+#ifdef EPROTONOSUPPORT
+		case EPROTONOSUPPORT:
+#endif /* ifdef EPROTONOSUPPORT */
+#ifdef EINVAL
+		case EINVAL:
+#endif /* ifdef EINVAL */
+			return (ISC_R_NOTFOUND);
+		default:
+			strerror_r(errno, strbuf, sizeof(strbuf));
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "socket() failed: %s", strbuf);
+			return (ISC_R_UNEXPECTED);
+		}
+	}
+
+	if (domain == PF_INET6) {
+		struct sockaddr_in6 sin6;
+		unsigned int len;
+
+		/*
+		 * Check to see if IPv6 is broken, as is common on Linux.
+		 */
+		len = sizeof(sin6);
+		if (getsockname(s, (struct sockaddr *)&sin6, (void *)&len) < 0)
+		{
+			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+				      ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
+				      "retrieving the address of an IPv6 "
+				      "socket from the kernel failed.");
+			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+				      ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
+				      "IPv6 is not supported.");
+			result = ISC_R_NOTFOUND;
+		} else {
+			if (len == sizeof(struct sockaddr_in6)) {
+				result = ISC_R_SUCCESS;
+			} else {
+				isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+					      ISC_LOGMODULE_SOCKET,
+					      ISC_LOG_ERROR,
+					      "IPv6 structures in kernel and "
+					      "user space do not match.");
+				isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+					      ISC_LOGMODULE_SOCKET,
+					      ISC_LOG_ERROR,
+					      "IPv6 is not supported.");
+				result = ISC_R_NOTFOUND;
+			}
+		}
+	}
+
+	(void)close(s);
+
+	return (result);
+}
+
+static void
+initialize_action(void) {
+	ipv4_result = try_proto(PF_INET);
+	ipv6_result = try_proto(PF_INET6);
+#ifdef ISC_PLATFORM_HAVESYSUNH
+	unix_result = try_proto(PF_UNIX);
+#endif /* ifdef ISC_PLATFORM_HAVESYSUNH */
+}
+
+static void
+initialize(void) {
+	RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_net_probeipv4(void) {
+	initialize();
+	return (ipv4_result);
+}
+
+isc_result_t
+isc_net_probeipv6(void) {
+	initialize();
+	return (ipv6_result);
+}
+
+isc_result_t
+isc_net_probeunix(void) {
+	initialize();
+	return (unix_result);
+}
+
+static void
+try_ipv6only(void) {
+#ifdef IPV6_V6ONLY
+	int s, on;
+	char strbuf[ISC_STRERRORSIZE];
+#endif /* ifdef IPV6_V6ONLY */
+	isc_result_t result;
+
+	result = isc_net_probeipv6();
+	if (result != ISC_R_SUCCESS) {
+		ipv6only_result = result;
+		return;
+	}
+
+#ifndef IPV6_V6ONLY
+	ipv6only_result = ISC_R_NOTFOUND;
+	return;
+#else  /* ifndef IPV6_V6ONLY */
+	/* check for TCP sockets */
+	s = socket(PF_INET6, SOCK_STREAM, 0);
+	if (s == -1) {
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__, "socket() failed: %s",
+				 strbuf);
+		ipv6only_result = ISC_R_UNEXPECTED;
+		return;
+	}
+
+	on = 1;
+	if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0) {
+		ipv6only_result = ISC_R_NOTFOUND;
+		goto close;
+	}
+
+	close(s);
+
+	/* check for UDP sockets */
+	s = socket(PF_INET6, SOCK_DGRAM, 0);
+	if (s == -1) {
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__, "socket() failed: %s",
+				 strbuf);
+		ipv6only_result = ISC_R_UNEXPECTED;
+		return;
+	}
+
+	on = 1;
+	if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0) {
+		ipv6only_result = ISC_R_NOTFOUND;
+		goto close;
+	}
+
+	ipv6only_result = ISC_R_SUCCESS;
+
+close:
+	close(s);
+	return;
+#endif /* IPV6_V6ONLY */
+}
+
+static void
+initialize_ipv6only(void) {
+	RUNTIME_CHECK(isc_once_do(&once_ipv6only, try_ipv6only) ==
+		      ISC_R_SUCCESS);
+}
+
+#ifdef __notyet__
+static void
+try_ipv6pktinfo(void) {
+	int s, on;
+	char strbuf[ISC_STRERRORSIZE];
+	isc_result_t result;
+	int optname;
+
+	result = isc_net_probeipv6();
+	if (result != ISC_R_SUCCESS) {
+		ipv6pktinfo_result = result;
+		return;
+	}
+
+	/* we only use this for UDP sockets */
+	s = socket(PF_INET6, SOCK_DGRAM, IPPROTO_UDP);
+	if (s == -1) {
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__, "socket() failed: %s",
+				 strbuf);
+		ipv6pktinfo_result = ISC_R_UNEXPECTED;
+		return;
+	}
+
+#ifdef IPV6_RECVPKTINFO
+	optname = IPV6_RECVPKTINFO;
+#else  /* ifdef IPV6_RECVPKTINFO */
+	optname = IPV6_PKTINFO;
+#endif /* ifdef IPV6_RECVPKTINFO */
+	on = 1;
+	if (setsockopt(s, IPPROTO_IPV6, optname, &on, sizeof(on)) < 0) {
+		ipv6pktinfo_result = ISC_R_NOTFOUND;
+		goto close;
+	}
+
+	ipv6pktinfo_result = ISC_R_SUCCESS;
+
+close:
+	close(s);
+	return;
+}
+
+static void
+initialize_ipv6pktinfo(void) {
+	RUNTIME_CHECK(isc_once_do(&once_ipv6pktinfo, try_ipv6pktinfo) ==
+		      ISC_R_SUCCESS);
+}
+#endif /* ifdef __notyet__ */
+
+isc_result_t
+isc_net_probe_ipv6only(void) {
+	initialize_ipv6only();
+	return (ipv6only_result);
+}
+
+isc_result_t
+isc_net_probe_ipv6pktinfo(void) {
+/*
+ * XXXWPK if pktinfo were supported then we could listen on :: for ipv6 and get
+ * the information about the destination address from pktinfo structure passed
+ * in recvmsg but this method is not portable and libuv doesn't support it - so
+ * we need to listen on all interfaces.
+ * We should verify that this doesn't impact performance (we already do it for
+ * ipv4) and either remove all the ipv6pktinfo detection code from above
+ * or think of fixing libuv.
+ */
+#ifdef __notyet__
+	initialize_ipv6pktinfo();
+#endif /* ifdef __notyet__ */
+	return (ipv6pktinfo_result);
+}
+
+#if ISC_CMSG_IP_TOS || defined(IPV6_TCLASS)
+
+static socklen_t
+cmsg_len(socklen_t len) {
+#ifdef CMSG_LEN
+	return (CMSG_LEN(len));
+#else  /* ifdef CMSG_LEN */
+	socklen_t hdrlen;
+
+	/*
+	 * Cast NULL so that any pointer arithmetic performed by CMSG_DATA
+	 * is correct.
+	 */
+	hdrlen = (socklen_t)CMSG_DATA(((struct cmsghdr *)NULL));
+	return (hdrlen + len);
+#endif /* ifdef CMSG_LEN */
+}
+
+static socklen_t
+cmsg_space(socklen_t len) {
+#ifdef CMSG_SPACE
+	return (CMSG_SPACE(len));
+#else  /* ifdef CMSG_SPACE */
+	struct msghdr msg;
+	struct cmsghdr *cmsgp;
+	/*
+	 * XXX: The buffer length is an ad-hoc value, but should be enough
+	 * in a practical sense.
+	 */
+	char dummybuf[sizeof(struct cmsghdr) + 1024];
+
+	memset(&msg, 0, sizeof(msg));
+	msg.msg_control = dummybuf;
+	msg.msg_controllen = sizeof(dummybuf);
+
+	cmsgp = (struct cmsghdr *)dummybuf;
+	cmsgp->cmsg_len = cmsg_len(len);
+
+	cmsgp = CMSG_NXTHDR(&msg, cmsgp);
+	if (cmsgp != NULL) {
+		return ((char *)cmsgp - (char *)msg.msg_control);
+	} else {
+		return (0);
+	}
+#endif /* ifdef CMSG_SPACE */
+}
+
+/*
+ * Make a fd non-blocking.
+ */
+static isc_result_t
+make_nonblock(int fd) {
+	int ret;
+	int flags;
+	char strbuf[ISC_STRERRORSIZE];
+#ifdef USE_FIONBIO_IOCTL
+	int on = 1;
+
+	ret = ioctl(fd, FIONBIO, (char *)&on);
+#else  /* ifdef USE_FIONBIO_IOCTL */
+	flags = fcntl(fd, F_GETFL, 0);
+	flags |= PORT_NONBLOCK;
+	ret = fcntl(fd, F_SETFL, flags);
+#endif /* ifdef USE_FIONBIO_IOCTL */
+
+	if (ret == -1) {
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+#ifdef USE_FIONBIO_IOCTL
+				 "ioctl(%d, FIONBIO, &on): %s", fd,
+#else  /* ifdef USE_FIONBIO_IOCTL */
+				 "fcntl(%d, F_SETFL, %d): %s", fd, flags,
+#endif /* ifdef USE_FIONBIO_IOCTL */
+				 strbuf);
+
+		return (ISC_R_UNEXPECTED);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static bool
+cmsgsend(int s, int level, int type, struct addrinfo *res) {
+	char strbuf[ISC_STRERRORSIZE];
+	struct sockaddr_storage ss;
+	socklen_t len = sizeof(ss);
+	struct msghdr msg;
+	union {
+		struct cmsghdr h;
+		unsigned char b[256];
+	} control;
+	struct cmsghdr *cmsgp;
+	int dscp = (46 << 2); /* Expedited forwarding. */
+	struct iovec iovec;
+	char buf[1] = { 0 };
+	isc_result_t result;
+
+	if (bind(s, res->ai_addr, res->ai_addrlen) < 0) {
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_SOCKET, ISC_LOG_DEBUG(10),
+			      "bind: %s", strbuf);
+		return (false);
+	}
+
+	if (getsockname(s, (struct sockaddr *)&ss, &len) < 0) {
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_SOCKET, ISC_LOG_DEBUG(10),
+			      "getsockname: %s", strbuf);
+		return (false);
+	}
+
+	iovec.iov_base = buf;
+	iovec.iov_len = sizeof(buf);
+
+	memset(&msg, 0, sizeof(msg));
+	msg.msg_name = (struct sockaddr *)&ss;
+	msg.msg_namelen = len;
+	msg.msg_iov = &iovec;
+	msg.msg_iovlen = 1;
+	msg.msg_control = (void *)&control;
+	msg.msg_controllen = 0;
+	msg.msg_flags = 0;
+
+	cmsgp = msg.msg_control;
+
+	switch (type) {
+#ifdef IP_TOS
+	case IP_TOS:
+		memset(cmsgp, 0, cmsg_space(sizeof(char)));
+		cmsgp->cmsg_level = level;
+		cmsgp->cmsg_type = type;
+		cmsgp->cmsg_len = cmsg_len(sizeof(char));
+		*(unsigned char *)CMSG_DATA(cmsgp) = dscp;
+		msg.msg_controllen += cmsg_space(sizeof(char));
+		break;
+#endif /* ifdef IP_TOS */
+#ifdef IPV6_TCLASS
+	case IPV6_TCLASS:
+		memset(cmsgp, 0, cmsg_space(sizeof(dscp)));
+		cmsgp->cmsg_level = level;
+		cmsgp->cmsg_type = type;
+		cmsgp->cmsg_len = cmsg_len(sizeof(dscp));
+		memmove(CMSG_DATA(cmsgp), &dscp, sizeof(dscp));
+		msg.msg_controllen += cmsg_space(sizeof(dscp));
+		break;
+#endif /* ifdef IPV6_TCLASS */
+	default:
+		UNREACHABLE();
+	}
+
+	if (sendmsg(s, &msg, 0) < 0) {
+		int debug = ISC_LOG_DEBUG(10);
+		const char *typestr;
+		switch (errno) {
+#ifdef ENOPROTOOPT
+		case ENOPROTOOPT:
+#endif /* ifdef ENOPROTOOPT */
+#ifdef EOPNOTSUPP
+		case EOPNOTSUPP:
+#endif /* ifdef EOPNOTSUPP */
+		case EINVAL:
+		case EPERM:
+			break;
+		default:
+			debug = ISC_LOG_NOTICE;
+		}
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		if (debug != ISC_LOG_NOTICE) {
+			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+				      ISC_LOGMODULE_SOCKET, ISC_LOG_DEBUG(10),
+				      "sendmsg: %s", strbuf);
+		} else {
+			typestr = (type == IP_TOS) ? "IP_TOS" : "IPV6_TCLASS";
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "probing "
+					 "sendmsg() with %s=%02x failed: %s",
+					 typestr, dscp, strbuf);
+		}
+		return (false);
+	}
+
+	/*
+	 * Make sure the message actually got sent.
+	 */
+	result = make_nonblock(s);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	iovec.iov_base = buf;
+	iovec.iov_len = sizeof(buf);
+
+	memset(&msg, 0, sizeof(msg));
+	msg.msg_name = (struct sockaddr *)&ss;
+	msg.msg_namelen = sizeof(ss);
+	msg.msg_iov = &iovec;
+	msg.msg_iovlen = 1;
+	msg.msg_control = NULL;
+	msg.msg_controllen = 0;
+	msg.msg_flags = 0;
+
+	if (recvmsg(s, &msg, 0) < 0) {
+		return (false);
+	}
+
+	return (true);
+}
+#endif /* if ISC_CMSG_IP_TOS || defined(IPV6_TCLASS) */
+
+static void
+try_dscp_v4(void) {
+#ifdef IP_TOS
+	char strbuf[ISC_STRERRORSIZE];
+	struct addrinfo hints, *res0;
+	int s, dscp = 0, n;
+#ifdef IP_RECVTOS
+	int on = 1;
+#endif /* IP_RECVTOS */
+
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = AF_INET;
+	hints.ai_socktype = SOCK_DGRAM;
+	hints.ai_protocol = IPPROTO_UDP;
+#ifdef AI_NUMERICHOST
+	hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
+#else  /* ifdef AI_NUMERICHOST */
+	hints.ai_flags = AI_PASSIVE;
+#endif /* ifdef AI_NUMERICHOST */
+
+	n = getaddrinfo("127.0.0.1", NULL, &hints, &res0);
+	if (n != 0 || res0 == NULL) {
+		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_SOCKET, ISC_LOG_DEBUG(10),
+			      "getaddrinfo(127.0.0.1): %s", gai_strerror(n));
+		return;
+	}
+
+	s = socket(res0->ai_family, res0->ai_socktype, res0->ai_protocol);
+
+	if (s == -1) {
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_SOCKET, ISC_LOG_DEBUG(10),
+			      "socket: %s", strbuf);
+		freeaddrinfo(res0);
+		return;
+	}
+
+	if (setsockopt(s, IPPROTO_IP, IP_TOS, &dscp, sizeof(dscp)) == 0) {
+		dscp_result |= ISC_NET_DSCPSETV4;
+	}
+
+#ifdef IP_RECVTOS
+	on = 1;
+	if (setsockopt(s, IPPROTO_IP, IP_RECVTOS, &on, sizeof(on)) == 0) {
+		dscp_result |= ISC_NET_DSCPRECVV4;
+	}
+#endif /* IP_RECVTOS */
+
+#if ISC_CMSG_IP_TOS
+	if (cmsgsend(s, IPPROTO_IP, IP_TOS, res0)) {
+		dscp_result |= ISC_NET_DSCPPKTV4;
+	}
+#endif /* ISC_CMSG_IP_TOS */
+
+	freeaddrinfo(res0);
+	close(s);
+
+#endif /* IP_TOS */
+}
+
+static void
+try_dscp_v6(void) {
+#ifdef IPV6_TCLASS
+	char strbuf[ISC_STRERRORSIZE];
+	struct addrinfo hints, *res0;
+	int s, dscp = 0, n;
+#if defined(IPV6_RECVTCLASS)
+	int on = 1;
+#endif /* IPV6_RECVTCLASS */
+
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = AF_INET6;
+	hints.ai_socktype = SOCK_DGRAM;
+	hints.ai_protocol = IPPROTO_UDP;
+#ifdef AI_NUMERICHOST
+	hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
+#else  /* ifdef AI_NUMERICHOST */
+	hints.ai_flags = AI_PASSIVE;
+#endif /* ifdef AI_NUMERICHOST */
+
+	n = getaddrinfo("::1", NULL, &hints, &res0);
+	if (n != 0 || res0 == NULL) {
+		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_SOCKET, ISC_LOG_DEBUG(10),
+			      "getaddrinfo(::1): %s", gai_strerror(n));
+		return;
+	}
+
+	s = socket(res0->ai_family, res0->ai_socktype, res0->ai_protocol);
+	if (s == -1) {
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_SOCKET, ISC_LOG_DEBUG(10),
+			      "socket: %s", strbuf);
+		freeaddrinfo(res0);
+		return;
+	}
+	if (setsockopt(s, IPPROTO_IPV6, IPV6_TCLASS, &dscp, sizeof(dscp)) == 0)
+	{
+		dscp_result |= ISC_NET_DSCPSETV6;
+	}
+
+#ifdef IPV6_RECVTCLASS
+	on = 1;
+	if (setsockopt(s, IPPROTO_IPV6, IPV6_RECVTCLASS, &on, sizeof(on)) == 0)
+	{
+		dscp_result |= ISC_NET_DSCPRECVV6;
+	}
+#endif /* IPV6_RECVTCLASS */
+
+	if (cmsgsend(s, IPPROTO_IPV6, IPV6_TCLASS, res0)) {
+		dscp_result |= ISC_NET_DSCPPKTV6;
+	}
+
+	freeaddrinfo(res0);
+	close(s);
+
+#endif /* IPV6_TCLASS */
+}
+
+static void
+try_dscp(void) {
+	try_dscp_v4();
+	try_dscp_v6();
+}
+
+static void
+initialize_dscp(void) {
+	RUNTIME_CHECK(isc_once_do(&once_dscp, try_dscp) == ISC_R_SUCCESS);
+}
+
+unsigned int
+isc_net_probedscp(void) {
+	initialize_dscp();
+	return (dscp_result);
+}
+
+#if defined(USE_SYSCTL_PORTRANGE)
+#if defined(HAVE_SYSCTLBYNAME)
+static isc_result_t
+getudpportrange_sysctl(int af, in_port_t *low, in_port_t *high) {
+	int port_low, port_high;
+	size_t portlen;
+	const char *sysctlname_lowport, *sysctlname_hiport;
+
+	if (af == AF_INET) {
+		sysctlname_lowport = SYSCTL_V4PORTRANGE_LOW;
+		sysctlname_hiport = SYSCTL_V4PORTRANGE_HIGH;
+	} else {
+		sysctlname_lowport = SYSCTL_V6PORTRANGE_LOW;
+		sysctlname_hiport = SYSCTL_V6PORTRANGE_HIGH;
+	}
+	portlen = sizeof(port_low);
+	if (sysctlbyname(sysctlname_lowport, &port_low, &portlen, NULL, 0) < 0)
+	{
+		return (ISC_R_FAILURE);
+	}
+	portlen = sizeof(port_high);
+	if (sysctlbyname(sysctlname_hiport, &port_high, &portlen, NULL, 0) < 0)
+	{
+		return (ISC_R_FAILURE);
+	}
+	if ((port_low & ~0xffff) != 0 || (port_high & ~0xffff) != 0) {
+		return (ISC_R_RANGE);
+	}
+
+	*low = (in_port_t)port_low;
+	*high = (in_port_t)port_high;
+
+	return (ISC_R_SUCCESS);
+}
+#else  /* !HAVE_SYSCTLBYNAME */
+static isc_result_t
+getudpportrange_sysctl(int af, in_port_t *low, in_port_t *high) {
+	int mib_lo4[4] = SYSCTL_V4PORTRANGE_LOW;
+	int mib_hi4[4] = SYSCTL_V4PORTRANGE_HIGH;
+	int mib_lo6[4] = SYSCTL_V6PORTRANGE_LOW;
+	int mib_hi6[4] = SYSCTL_V6PORTRANGE_HIGH;
+	int *mib_lo, *mib_hi, miblen;
+	int port_low, port_high;
+	size_t portlen;
+
+	if (af == AF_INET) {
+		mib_lo = mib_lo4;
+		mib_hi = mib_hi4;
+		miblen = sizeof(mib_lo4) / sizeof(mib_lo4[0]);
+	} else {
+		mib_lo = mib_lo6;
+		mib_hi = mib_hi6;
+		miblen = sizeof(mib_lo6) / sizeof(mib_lo6[0]);
+	}
+
+	portlen = sizeof(port_low);
+	if (sysctl(mib_lo, miblen, &port_low, &portlen, NULL, 0) < 0) {
+		return (ISC_R_FAILURE);
+	}
+
+	portlen = sizeof(port_high);
+	if (sysctl(mib_hi, miblen, &port_high, &portlen, NULL, 0) < 0) {
+		return (ISC_R_FAILURE);
+	}
+
+	if ((port_low & ~0xffff) != 0 || (port_high & ~0xffff) != 0) {
+		return (ISC_R_RANGE);
+	}
+
+	*low = (in_port_t)port_low;
+	*high = (in_port_t)port_high;
+
+	return (ISC_R_SUCCESS);
+}
+#endif /* HAVE_SYSCTLBYNAME */
+#endif /* USE_SYSCTL_PORTRANGE */
+
+isc_result_t
+isc_net_getudpportrange(int af, in_port_t *low, in_port_t *high) {
+	int result = ISC_R_FAILURE;
+#if !defined(USE_SYSCTL_PORTRANGE) && defined(__linux)
+	FILE *fp;
+#endif /* if !defined(USE_SYSCTL_PORTRANGE) && defined(__linux) */
+
+	REQUIRE(low != NULL && high != NULL);
+
+#if defined(USE_SYSCTL_PORTRANGE)
+	result = getudpportrange_sysctl(af, low, high);
+#elif defined(__linux)
+
+	UNUSED(af);
+
+	/*
+	 * Linux local ports are address family agnostic.
+	 */
+	fp = fopen("/proc/sys/net/ipv4/ip_local_port_range", "r");
+	if (fp != NULL) {
+		int n;
+		unsigned int l, h;
+
+		n = fscanf(fp, "%u %u", &l, &h);
+		if (n == 2 && (l & ~0xffff) == 0 && (h & ~0xffff) == 0) {
+			*low = l;
+			*high = h;
+			result = ISC_R_SUCCESS;
+		}
+		fclose(fp);
+	}
+#else  /* if defined(USE_SYSCTL_PORTRANGE) */
+	UNUSED(af);
+#endif /* if defined(USE_SYSCTL_PORTRANGE) */
+
+	if (result != ISC_R_SUCCESS) {
+		*low = ISC_NET_PORTRANGELOW;
+		*high = ISC_NET_PORTRANGEHIGH;
+	}
+
+	return (ISC_R_SUCCESS); /* we currently never fail in this function */
+}
+
+void
+isc_net_disableipv4(void) {
+	initialize();
+	if (ipv4_result == ISC_R_SUCCESS) {
+		ipv4_result = ISC_R_DISABLED;
+	}
+}
+
+void
+isc_net_disableipv6(void) {
+	initialize();
+	if (ipv6_result == ISC_R_SUCCESS) {
+		ipv6_result = ISC_R_DISABLED;
+	}
+}
+
+void
+isc_net_enableipv4(void) {
+	initialize();
+	if (ipv4_result == ISC_R_DISABLED) {
+		ipv4_result = ISC_R_SUCCESS;
+	}
+}
+
+void
+isc_net_enableipv6(void) {
+	initialize();
+	if (ipv6_result == ISC_R_DISABLED) {
+		ipv6_result = ISC_R_SUCCESS;
+	}
+}
diff --git a/lib/isc/unix/os.c b/lib/isc/unix/os.c
new file mode 100644
index 0000000..5577587
--- /dev/null
+++ b/lib/isc/unix/os.c
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <isc/os.h>
+
+#ifdef HAVE_SYSCONF
+
+#include <unistd.h>
+
+static long
+sysconf_ncpus(void) {
+#if defined(_SC_NPROCESSORS_ONLN)
+	return (sysconf((_SC_NPROCESSORS_ONLN)));
+#elif defined(_SC_NPROC_ONLN)
+	return (sysconf((_SC_NPROC_ONLN)));
+#else  /* if defined(_SC_NPROCESSORS_ONLN) */
+	return (0);
+#endif /* if defined(_SC_NPROCESSORS_ONLN) */
+}
+#endif /* HAVE_SYSCONF */
+
+#if defined(HAVE_SYS_SYSCTL_H) && defined(HAVE_SYSCTLBYNAME)
+#include <sys/param.h> /* for NetBSD */
+#include <sys/sysctl.h>
+#include <sys/types.h> /* for FreeBSD */
+
+static int
+sysctl_ncpus(void) {
+	int ncpu, result;
+	size_t len;
+
+	len = sizeof(ncpu);
+	result = sysctlbyname("hw.ncpu", &ncpu, &len, 0, 0);
+	if (result != -1) {
+		return (ncpu);
+	}
+	return (0);
+}
+#endif /* if defined(HAVE_SYS_SYSCTL_H) && defined(HAVE_SYSCTLBYNAME) */
+
+unsigned int
+isc_os_ncpus(void) {
+	long ncpus = 0;
+
+#if defined(HAVE_SYSCONF)
+	ncpus = sysconf_ncpus();
+#endif /* if defined(HAVE_SYSCONF) */
+#if defined(HAVE_SYS_SYSCTL_H) && defined(HAVE_SYSCTLBYNAME)
+	if (ncpus <= 0) {
+		ncpus = sysctl_ncpus();
+	}
+#endif /* if defined(HAVE_SYS_SYSCTL_H) && defined(HAVE_SYSCTLBYNAME) */
+	if (ncpus <= 0) {
+		ncpus = 1;
+	}
+
+	return ((unsigned int)ncpus);
+}
diff --git a/lib/isc/unix/pk11_api.c b/lib/isc/unix/pk11_api.c
new file mode 100644
index 0000000..babd1a9
--- /dev/null
+++ b/lib/isc/unix/pk11_api.c
@@ -0,0 +1,708 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <dlfcn.h>
+#include <string.h>
+
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/print.h>
+#include <isc/stdio.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+
+#include <pkcs11/pkcs11.h>
+
+#define KEEP_PKCS11_NAMES
+#include <pk11/internal.h>
+#include <pk11/pk11.h>
+
+static void *hPK11 = NULL;
+static char loaderrmsg[1024];
+
+CK_RV
+pkcs_C_Initialize(CK_VOID_PTR pReserved) {
+	CK_C_Initialize sym;
+
+	if (hPK11 != NULL) {
+		return (CKR_CRYPTOKI_ALREADY_INITIALIZED);
+	}
+
+	hPK11 = dlopen(pk11_get_lib_name(), RTLD_NOW);
+
+	if (hPK11 == NULL) {
+		snprintf(loaderrmsg, sizeof(loaderrmsg),
+			 "dlopen(\"%s\") failed: %s\n", pk11_get_lib_name(),
+			 dlerror());
+		return (CKR_LIBRARY_LOAD_FAILED);
+	}
+	sym = (CK_C_Initialize)dlsym(hPK11, "C_Initialize");
+	if (sym == NULL) {
+		return (CKR_FUNCTION_NOT_SUPPORTED);
+	}
+	return ((*sym)(pReserved));
+}
+
+char *
+pk11_get_load_error_message(void) {
+	return (loaderrmsg);
+}
+
+CK_RV
+pkcs_C_Finalize(CK_VOID_PTR pReserved) {
+	CK_C_Finalize sym;
+	CK_RV rv;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_LOAD_FAILED);
+	}
+	sym = (CK_C_Finalize)dlsym(hPK11, "C_Finalize");
+	if (sym == NULL) {
+		return (CKR_FUNCTION_NOT_SUPPORTED);
+	}
+	rv = (*sym)(pReserved);
+	if ((rv == CKR_OK) && (dlclose(hPK11) != 0)) {
+		return (CKR_LIBRARY_LOAD_FAILED);
+	}
+	hPK11 = NULL;
+	return (rv);
+}
+
+CK_RV
+pkcs_C_GetSlotList(CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList,
+		   CK_ULONG_PTR pulCount) {
+	static CK_C_GetSlotList sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_LOAD_FAILED);
+	}
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_GetSlotList)dlsym(hPK11, "C_GetSlotList");
+	}
+	if (sym == NULL) {
+		return (CKR_FUNCTION_NOT_SUPPORTED);
+	}
+	return ((*sym)(tokenPresent, pSlotList, pulCount));
+}
+
+CK_RV
+pkcs_C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo) {
+	static CK_C_GetTokenInfo sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_LOAD_FAILED);
+	}
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_GetTokenInfo)dlsym(hPK11, "C_GetTokenInfo");
+	}
+	if (sym == NULL) {
+		return (CKR_FUNCTION_NOT_SUPPORTED);
+	}
+	return ((*sym)(slotID, pInfo));
+}
+
+CK_RV
+pkcs_C_GetMechanismInfo(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type,
+			CK_MECHANISM_INFO_PTR pInfo) {
+	static CK_C_GetMechanismInfo sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_LOAD_FAILED);
+	}
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_GetMechanismInfo)dlsym(hPK11, "C_GetMechanismInfo");
+	}
+	if (sym == NULL) {
+		return (CKR_FUNCTION_NOT_SUPPORTED);
+	}
+	return ((*sym)(slotID, type, pInfo));
+}
+
+CK_RV
+pkcs_C_OpenSession(CK_SLOT_ID slotID, CK_FLAGS flags, CK_VOID_PTR pApplication,
+		   CK_RV (*Notify)(CK_SESSION_HANDLE hSession,
+				   CK_NOTIFICATION event,
+				   CK_VOID_PTR pApplication),
+		   CK_SESSION_HANDLE_PTR phSession) {
+	static CK_C_OpenSession sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL) {
+		hPK11 = dlopen(pk11_get_lib_name(), RTLD_NOW);
+	}
+	if (hPK11 == NULL) {
+		snprintf(loaderrmsg, sizeof(loaderrmsg),
+			 "dlopen(\"%s\") failed: %s\n", pk11_get_lib_name(),
+			 dlerror());
+		return (CKR_LIBRARY_LOAD_FAILED);
+	}
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_OpenSession)dlsym(hPK11, "C_OpenSession");
+	}
+	if (sym == NULL) {
+		return (CKR_FUNCTION_NOT_SUPPORTED);
+	}
+	return ((*sym)(slotID, flags, pApplication, Notify, phSession));
+}
+
+CK_RV
+pkcs_C_CloseSession(CK_SESSION_HANDLE hSession) {
+	static CK_C_CloseSession sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_LOAD_FAILED);
+	}
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_CloseSession)dlsym(hPK11, "C_CloseSession");
+	}
+	if (sym == NULL) {
+		return (CKR_FUNCTION_NOT_SUPPORTED);
+	}
+	return ((*sym)(hSession));
+}
+
+CK_RV
+pkcs_C_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType,
+	     CK_CHAR_PTR pPin, CK_ULONG usPinLen) {
+	static CK_C_Login sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_LOAD_FAILED);
+	}
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_Login)dlsym(hPK11, "C_Login");
+	}
+	if (sym == NULL) {
+		return (CKR_FUNCTION_NOT_SUPPORTED);
+	}
+	return ((*sym)(hSession, userType, pPin, usPinLen));
+}
+
+CK_RV
+pkcs_C_Logout(CK_SESSION_HANDLE hSession) {
+	static CK_C_Logout sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_LOAD_FAILED);
+	}
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_Logout)dlsym(hPK11, "C_Logout");
+	}
+	if (sym == NULL) {
+		return (CKR_FUNCTION_NOT_SUPPORTED);
+	}
+	return ((*sym)(hSession));
+}
+
+CK_RV
+pkcs_C_CreateObject(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate,
+		    CK_ULONG usCount, CK_OBJECT_HANDLE_PTR phObject) {
+	static CK_C_CreateObject sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_LOAD_FAILED);
+	}
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_CreateObject)dlsym(hPK11, "C_CreateObject");
+	}
+	if (sym == NULL) {
+		return (CKR_FUNCTION_NOT_SUPPORTED);
+	}
+	return ((*sym)(hSession, pTemplate, usCount, phObject));
+}
+
+CK_RV
+pkcs_C_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject) {
+	static CK_C_DestroyObject sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_LOAD_FAILED);
+	}
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_DestroyObject)dlsym(hPK11, "C_DestroyObject");
+	}
+	if (sym == NULL) {
+		return (CKR_FUNCTION_NOT_SUPPORTED);
+	}
+	return ((*sym)(hSession, hObject));
+}
+
+CK_RV
+pkcs_C_GetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
+			 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount) {
+	static CK_C_GetAttributeValue sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_LOAD_FAILED);
+	}
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_GetAttributeValue)dlsym(hPK11, "C_"
+							   "GetAttributeValue");
+	}
+	if (sym == NULL) {
+		return (CKR_FUNCTION_NOT_SUPPORTED);
+	}
+	return ((*sym)(hSession, hObject, pTemplate, usCount));
+}
+
+CK_RV
+pkcs_C_SetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
+			 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount) {
+	static CK_C_SetAttributeValue sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_LOAD_FAILED);
+	}
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_SetAttributeValue)dlsym(hPK11, "C_"
+							   "SetAttributeValue");
+	}
+	if (sym == NULL) {
+		return (CKR_FUNCTION_NOT_SUPPORTED);
+	}
+	return ((*sym)(hSession, hObject, pTemplate, usCount));
+}
+
+CK_RV
+pkcs_C_FindObjectsInit(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate,
+		       CK_ULONG usCount) {
+	static CK_C_FindObjectsInit sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_LOAD_FAILED);
+	}
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_FindObjectsInit)dlsym(hPK11, "C_FindObjectsInit");
+	}
+	if (sym == NULL) {
+		return (CKR_FUNCTION_NOT_SUPPORTED);
+	}
+	return ((*sym)(hSession, pTemplate, usCount));
+}
+
+CK_RV
+pkcs_C_FindObjects(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE_PTR phObject,
+		   CK_ULONG usMaxObjectCount, CK_ULONG_PTR pusObjectCount) {
+	static CK_C_FindObjects sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_LOAD_FAILED);
+	}
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_FindObjects)dlsym(hPK11, "C_FindObjects");
+	}
+	if (sym == NULL) {
+		return (CKR_FUNCTION_NOT_SUPPORTED);
+	}
+	return ((*sym)(hSession, phObject, usMaxObjectCount, pusObjectCount));
+}
+
+CK_RV
+pkcs_C_FindObjectsFinal(CK_SESSION_HANDLE hSession) {
+	static CK_C_FindObjectsFinal sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_LOAD_FAILED);
+	}
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_FindObjectsFinal)dlsym(hPK11, "C_FindObjectsFinal");
+	}
+	if (sym == NULL) {
+		return (CKR_FUNCTION_NOT_SUPPORTED);
+	}
+	return ((*sym)(hSession));
+}
+
+CK_RV
+pkcs_C_EncryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+		   CK_OBJECT_HANDLE hKey) {
+	static CK_C_EncryptInit sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_LOAD_FAILED);
+	}
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_EncryptInit)dlsym(hPK11, "C_EncryptInit");
+	}
+	if (sym == NULL) {
+		return (CKR_FUNCTION_NOT_SUPPORTED);
+	}
+	return ((*sym)(hSession, pMechanism, hKey));
+}
+
+CK_RV
+pkcs_C_Encrypt(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
+	       CK_ULONG ulDataLen, CK_BYTE_PTR pEncryptedData,
+	       CK_ULONG_PTR pulEncryptedDataLen) {
+	static CK_C_Encrypt sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_LOAD_FAILED);
+	}
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_Encrypt)dlsym(hPK11, "C_Encrypt");
+	}
+	if (sym == NULL) {
+		return (CKR_FUNCTION_NOT_SUPPORTED);
+	}
+	return ((*sym)(hSession, pData, ulDataLen, pEncryptedData,
+		       pulEncryptedDataLen));
+}
+
+CK_RV
+pkcs_C_DigestInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism) {
+	static CK_C_DigestInit sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_LOAD_FAILED);
+	}
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_DigestInit)dlsym(hPK11, "C_DigestInit");
+	}
+	if (sym == NULL) {
+		return (CKR_FUNCTION_NOT_SUPPORTED);
+	}
+	return ((*sym)(hSession, pMechanism));
+}
+
+CK_RV
+pkcs_C_DigestUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+		    CK_ULONG ulPartLen) {
+	static CK_C_DigestUpdate sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_LOAD_FAILED);
+	}
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_DigestUpdate)dlsym(hPK11, "C_DigestUpdate");
+	}
+	if (sym == NULL) {
+		return (CKR_FUNCTION_NOT_SUPPORTED);
+	}
+	return ((*sym)(hSession, pPart, ulPartLen));
+}
+
+CK_RV
+pkcs_C_DigestFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pDigest,
+		   CK_ULONG_PTR pulDigestLen) {
+	static CK_C_DigestFinal sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_LOAD_FAILED);
+	}
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_DigestFinal)dlsym(hPK11, "C_DigestFinal");
+	}
+	if (sym == NULL) {
+		return (CKR_FUNCTION_NOT_SUPPORTED);
+	}
+	return ((*sym)(hSession, pDigest, pulDigestLen));
+}
+
+CK_RV
+pkcs_C_SignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+		CK_OBJECT_HANDLE hKey) {
+	static CK_C_SignInit sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_LOAD_FAILED);
+	}
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_SignInit)dlsym(hPK11, "C_SignInit");
+	}
+	if (sym == NULL) {
+		return (CKR_FUNCTION_NOT_SUPPORTED);
+	}
+	return ((*sym)(hSession, pMechanism, hKey));
+}
+
+CK_RV
+pkcs_C_Sign(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen,
+	    CK_BYTE_PTR pSignature, CK_ULONG_PTR pulSignatureLen) {
+	static CK_C_Sign sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_LOAD_FAILED);
+	}
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_Sign)dlsym(hPK11, "C_Sign");
+	}
+	if (sym == NULL) {
+		return (CKR_FUNCTION_NOT_SUPPORTED);
+	}
+	return ((*sym)(hSession, pData, ulDataLen, pSignature,
+		       pulSignatureLen));
+}
+
+CK_RV
+pkcs_C_SignUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+		  CK_ULONG ulPartLen) {
+	static CK_C_SignUpdate sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_LOAD_FAILED);
+	}
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_SignUpdate)dlsym(hPK11, "C_SignUpdate");
+	}
+	if (sym == NULL) {
+		return (CKR_FUNCTION_NOT_SUPPORTED);
+	}
+	return ((*sym)(hSession, pPart, ulPartLen));
+}
+
+CK_RV
+pkcs_C_SignFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature,
+		 CK_ULONG_PTR pulSignatureLen) {
+	static CK_C_SignFinal sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_LOAD_FAILED);
+	}
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_SignFinal)dlsym(hPK11, "C_SignFinal");
+	}
+	if (sym == NULL) {
+		return (CKR_FUNCTION_NOT_SUPPORTED);
+	}
+	return ((*sym)(hSession, pSignature, pulSignatureLen));
+}
+
+CK_RV
+pkcs_C_VerifyInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+		  CK_OBJECT_HANDLE hKey) {
+	static CK_C_VerifyInit sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_LOAD_FAILED);
+	}
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_VerifyInit)dlsym(hPK11, "C_VerifyInit");
+	}
+	if (sym == NULL) {
+		return (CKR_FUNCTION_NOT_SUPPORTED);
+	}
+	return ((*sym)(hSession, pMechanism, hKey));
+}
+
+CK_RV
+pkcs_C_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen,
+	      CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen) {
+	static CK_C_Verify sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_LOAD_FAILED);
+	}
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_Verify)dlsym(hPK11, "C_Verify");
+	}
+	if (sym == NULL) {
+		return (CKR_FUNCTION_NOT_SUPPORTED);
+	}
+	return ((*sym)(hSession, pData, ulDataLen, pSignature, ulSignatureLen));
+}
+
+CK_RV
+pkcs_C_VerifyUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+		    CK_ULONG ulPartLen) {
+	static CK_C_VerifyUpdate sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_LOAD_FAILED);
+	}
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_VerifyUpdate)dlsym(hPK11, "C_VerifyUpdate");
+	}
+	if (sym == NULL) {
+		return (CKR_FUNCTION_NOT_SUPPORTED);
+	}
+	return ((*sym)(hSession, pPart, ulPartLen));
+}
+
+CK_RV
+pkcs_C_VerifyFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature,
+		   CK_ULONG ulSignatureLen) {
+	static CK_C_VerifyFinal sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_LOAD_FAILED);
+	}
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_VerifyFinal)dlsym(hPK11, "C_VerifyFinal");
+	}
+	if (sym == NULL) {
+		return (CKR_FUNCTION_NOT_SUPPORTED);
+	}
+	return ((*sym)(hSession, pSignature, ulSignatureLen));
+}
+
+CK_RV
+pkcs_C_GenerateKey(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+		   CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
+		   CK_OBJECT_HANDLE_PTR phKey) {
+	static CK_C_GenerateKey sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_LOAD_FAILED);
+	}
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_GenerateKey)dlsym(hPK11, "C_GenerateKey");
+	}
+	if (sym == NULL) {
+		return (CKR_FUNCTION_NOT_SUPPORTED);
+	}
+	return ((*sym)(hSession, pMechanism, pTemplate, ulCount, phKey));
+}
+
+CK_RV
+pkcs_C_GenerateKeyPair(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+		       CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+		       CK_ULONG usPublicKeyAttributeCount,
+		       CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+		       CK_ULONG usPrivateKeyAttributeCount,
+		       CK_OBJECT_HANDLE_PTR phPrivateKey,
+		       CK_OBJECT_HANDLE_PTR phPublicKey) {
+	static CK_C_GenerateKeyPair sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_LOAD_FAILED);
+	}
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_GenerateKeyPair)dlsym(hPK11, "C_GenerateKeyPair");
+	}
+	if (sym == NULL) {
+		return (CKR_FUNCTION_NOT_SUPPORTED);
+	}
+	return ((*sym)(hSession, pMechanism, pPublicKeyTemplate,
+		       usPublicKeyAttributeCount, pPrivateKeyTemplate,
+		       usPrivateKeyAttributeCount, phPrivateKey, phPublicKey));
+}
+
+CK_RV
+pkcs_C_DeriveKey(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+		 CK_OBJECT_HANDLE hBaseKey, CK_ATTRIBUTE_PTR pTemplate,
+		 CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey) {
+	static CK_C_DeriveKey sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_LOAD_FAILED);
+	}
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_DeriveKey)dlsym(hPK11, "C_DeriveKey");
+	}
+	if (sym == NULL) {
+		return (CKR_FUNCTION_NOT_SUPPORTED);
+	}
+	return ((*sym)(hSession, pMechanism, hBaseKey, pTemplate,
+		       ulAttributeCount, phKey));
+}
+
+CK_RV
+pkcs_C_SeedRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed,
+		  CK_ULONG ulSeedLen) {
+	static CK_C_SeedRandom sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_LOAD_FAILED);
+	}
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_SeedRandom)dlsym(hPK11, "C_SeedRandom");
+	}
+	if (sym == NULL) {
+		return (CKR_FUNCTION_NOT_SUPPORTED);
+	}
+	return ((*sym)(hSession, pSeed, ulSeedLen));
+}
+
+CK_RV
+pkcs_C_GenerateRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR RandomData,
+		      CK_ULONG ulRandomLen) {
+	static CK_C_GenerateRandom sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_LOAD_FAILED);
+	}
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_GenerateRandom)dlsym(hPK11, "C_GenerateRandom");
+	}
+	if (sym == NULL) {
+		return (CKR_FUNCTION_NOT_SUPPORTED);
+	}
+	return ((*sym)(hSession, RandomData, ulRandomLen));
+}
diff --git a/lib/isc/unix/resource.c b/lib/isc/unix/resource.c
new file mode 100644
index 0000000..6020b39
--- /dev/null
+++ b/lib/isc/unix/resource.c
@@ -0,0 +1,219 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <sys/resource.h>
+#include <sys/time.h> /* Required on some systems for <sys/resource.h>. */
+#include <sys/types.h>
+
+#include <isc/platform.h>
+#include <isc/resource.h>
+#include <isc/result.h>
+#include <isc/util.h>
+
+#ifdef __linux__
+#include <linux/fs.h> /* To get the large NR_OPEN. */
+#endif		      /* ifdef __linux__ */
+
+#include "errno2result.h"
+
+static isc_result_t
+resource2rlim(isc_resource_t resource, int *rlim_resource) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	switch (resource) {
+	case isc_resource_coresize:
+		*rlim_resource = RLIMIT_CORE;
+		break;
+	case isc_resource_cputime:
+		*rlim_resource = RLIMIT_CPU;
+		break;
+	case isc_resource_datasize:
+		*rlim_resource = RLIMIT_DATA;
+		break;
+	case isc_resource_filesize:
+		*rlim_resource = RLIMIT_FSIZE;
+		break;
+	case isc_resource_lockedmemory:
+#ifdef RLIMIT_MEMLOCK
+		*rlim_resource = RLIMIT_MEMLOCK;
+#else  /* ifdef RLIMIT_MEMLOCK */
+		result = ISC_R_NOTIMPLEMENTED;
+#endif /* ifdef RLIMIT_MEMLOCK */
+		break;
+	case isc_resource_openfiles:
+#ifdef RLIMIT_NOFILE
+		*rlim_resource = RLIMIT_NOFILE;
+#else  /* ifdef RLIMIT_NOFILE */
+		result = ISC_R_NOTIMPLEMENTED;
+#endif /* ifdef RLIMIT_NOFILE */
+		break;
+	case isc_resource_processes:
+#ifdef RLIMIT_NPROC
+		*rlim_resource = RLIMIT_NPROC;
+#else  /* ifdef RLIMIT_NPROC */
+		result = ISC_R_NOTIMPLEMENTED;
+#endif /* ifdef RLIMIT_NPROC */
+		break;
+	case isc_resource_residentsize:
+#ifdef RLIMIT_RSS
+		*rlim_resource = RLIMIT_RSS;
+#else  /* ifdef RLIMIT_RSS */
+		result = ISC_R_NOTIMPLEMENTED;
+#endif /* ifdef RLIMIT_RSS */
+		break;
+	case isc_resource_stacksize:
+		*rlim_resource = RLIMIT_STACK;
+		break;
+	default:
+		/*
+		 * This test is not very robust if isc_resource_t
+		 * changes, but generates a clear assertion message.
+		 */
+		REQUIRE(resource >= isc_resource_coresize &&
+			resource <= isc_resource_stacksize);
+
+		result = ISC_R_RANGE;
+		break;
+	}
+
+	return (result);
+}
+
+isc_result_t
+isc_resource_setlimit(isc_resource_t resource, isc_resourcevalue_t value) {
+	struct rlimit rl;
+	rlim_t rlim_value;
+	int unixresult;
+	int unixresource;
+	isc_result_t result;
+
+	result = resource2rlim(resource, &unixresource);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	if (value == ISC_RESOURCE_UNLIMITED) {
+		rlim_value = RLIM_INFINITY;
+	} else {
+		/*
+		 * isc_resourcevalue_t was chosen as an unsigned 64 bit
+		 * integer so that it could contain the maximum range of
+		 * reasonable values.  Unfortunately, this exceeds the typical
+		 * range on Unix systems.  Ensure the range of
+		 * rlim_t is not overflowed.
+		 */
+		isc_resourcevalue_t rlim_max;
+		bool rlim_t_is_signed = (((double)(rlim_t)-1) < 0);
+
+		if (rlim_t_is_signed) {
+			rlim_max = ~((rlim_t)1 << (sizeof(rlim_t) * 8 - 1));
+		} else {
+			rlim_max = (rlim_t)-1;
+		}
+
+		if (value > rlim_max) {
+			value = rlim_max;
+		}
+
+		rlim_value = value;
+	}
+
+	rl.rlim_cur = rl.rlim_max = rlim_value;
+	unixresult = setrlimit(unixresource, &rl);
+
+	if (unixresult == 0) {
+		return (ISC_R_SUCCESS);
+	}
+
+#if defined(OPEN_MAX) && defined(__APPLE__)
+	/*
+	 * The Darwin kernel doesn't accept RLIM_INFINITY for rlim_cur; the
+	 * maximum possible value is OPEN_MAX.  BIND8 used to use
+	 * sysconf(_SC_OPEN_MAX) for such a case, but this value is much
+	 * smaller than OPEN_MAX and is not really effective.
+	 */
+	if (resource == isc_resource_openfiles && rlim_value == RLIM_INFINITY) {
+		rl.rlim_cur = OPEN_MAX;
+		unixresult = setrlimit(unixresource, &rl);
+		if (unixresult == 0) {
+			return (ISC_R_SUCCESS);
+		}
+	}
+#elif defined(__linux__)
+#ifndef NR_OPEN
+#define NR_OPEN (1024 * 1024)
+#endif /* ifndef NR_OPEN */
+
+	/*
+	 * Some Linux kernels don't accept RLIM_INFINIT; the maximum
+	 * possible value is the NR_OPEN defined in linux/fs.h.
+	 */
+	if (resource == isc_resource_openfiles && rlim_value == RLIM_INFINITY) {
+		rl.rlim_cur = rl.rlim_max = NR_OPEN;
+		unixresult = setrlimit(unixresource, &rl);
+		if (unixresult == 0) {
+			return (ISC_R_SUCCESS);
+		}
+	}
+#endif /* if defined(OPEN_MAX) && defined(__APPLE__) */
+	if (resource == isc_resource_openfiles && rlim_value == RLIM_INFINITY) {
+		if (getrlimit(unixresource, &rl) == 0) {
+			rl.rlim_cur = rl.rlim_max;
+			unixresult = setrlimit(unixresource, &rl);
+			if (unixresult == 0) {
+				return (ISC_R_SUCCESS);
+			}
+		}
+	}
+	return (isc__errno2result(errno));
+}
+
+isc_result_t
+isc_resource_getlimit(isc_resource_t resource, isc_resourcevalue_t *value) {
+	int unixresource;
+	struct rlimit rl;
+	isc_result_t result;
+
+	result = resource2rlim(resource, &unixresource);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	if (getrlimit(unixresource, &rl) != 0) {
+		return (isc__errno2result(errno));
+	}
+
+	*value = rl.rlim_max;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_resource_getcurlimit(isc_resource_t resource, isc_resourcevalue_t *value) {
+	int unixresource;
+	struct rlimit rl;
+	isc_result_t result;
+
+	result = resource2rlim(resource, &unixresource);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	if (getrlimit(unixresource, &rl) != 0) {
+		return (isc__errno2result(errno));
+	}
+
+	*value = rl.rlim_cur;
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c
new file mode 100644
index 0000000..d6578ea
--- /dev/null
+++ b/lib/isc/unix/socket.c
@@ -0,0 +1,5521 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#if defined(HAVE_SYS_SYSCTL_H) && !defined(__linux__)
+#include <sys/sysctl.h>
+#endif /* if defined(HAVE_SYS_SYSCTL_H) && !defined(__linux__) */
+#include <sys/time.h>
+#include <sys/uio.h>
+
+#if defined(HAVE_LINUX_NETLINK_H) && defined(HAVE_LINUX_RTNETLINK_H)
+#include <linux/netlink.h>
+#include <linux/rtnetlink.h>
+#endif /* if defined(HAVE_LINUX_NETLINK_H) && defined(HAVE_LINUX_RTNETLINK_H) \
+	*/
+
+#include <errno.h>
+#include <fcntl.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#include <isc/app.h>
+#include <isc/buffer.h>
+#include <isc/condition.h>
+#include <isc/formatcheck.h>
+#include <isc/list.h>
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/mutex.h>
+#include <isc/net.h>
+#include <isc/once.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/refcount.h>
+#include <isc/region.h>
+#include <isc/resource.h>
+#include <isc/socket.h>
+#include <isc/stats.h>
+#include <isc/strerr.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+
+#ifdef ISC_PLATFORM_HAVESYSUNH
+#include <sys/un.h>
+#endif /* ifdef ISC_PLATFORM_HAVESYSUNH */
+#ifdef HAVE_KQUEUE
+#include <sys/event.h>
+#endif /* ifdef HAVE_KQUEUE */
+#ifdef HAVE_EPOLL_CREATE1
+#include <sys/epoll.h>
+#endif /* ifdef HAVE_EPOLL_CREATE1 */
+#if defined(HAVE_SYS_DEVPOLL_H)
+#include <sys/devpoll.h>
+#elif defined(HAVE_DEVPOLL_H)
+#include <devpoll.h>
+#endif /* if defined(HAVE_SYS_DEVPOLL_H) */
+
+#include <netinet/tcp.h>
+
+#include "errno2result.h"
+
+#ifdef ENABLE_TCP_FASTOPEN
+#include <netinet/tcp.h>
+#endif /* ifdef ENABLE_TCP_FASTOPEN */
+
+#ifdef HAVE_JSON_C
+#include <json_object.h>
+#endif /* HAVE_JSON_C */
+
+#ifdef HAVE_LIBXML2
+#include <libxml/xmlwriter.h>
+#define ISC_XMLCHAR (const xmlChar *)
+#endif /* HAVE_LIBXML2 */
+
+/*%
+ * Choose the most preferable multiplex method.
+ */
+#if defined(HAVE_KQUEUE)
+#define USE_KQUEUE
+#elif defined(HAVE_EPOLL_CREATE1)
+#define USE_EPOLL
+#elif defined(HAVE_SYS_DEVPOLL_H) || defined(HAVE_DEVPOLL_H)
+#define USE_DEVPOLL
+typedef struct {
+	unsigned int want_read : 1, want_write : 1;
+} pollinfo_t;
+#else /* if defined(HAVE_KQUEUE) */
+#define USE_SELECT
+#endif /* HAVE_KQUEUE */
+
+/*
+ * Set by the -T dscp option on the command line. If set to a value
+ * other than -1, we check to make sure DSCP values match it, and
+ * assert if not.
+ */
+int isc_dscp_check_value = -1;
+
+/*%
+ * Maximum number of allowable open sockets.  This is also the maximum
+ * allowable socket file descriptor.
+ *
+ * Care should be taken before modifying this value for select():
+ * The API standard doesn't ensure select() accept more than (the system default
+ * of) FD_SETSIZE descriptors, and the default size should in fact be fine in
+ * the vast majority of cases.  This constant should therefore be increased only
+ * when absolutely necessary and possible, i.e., the server is exhausting all
+ * available file descriptors (up to FD_SETSIZE) and the select() function
+ * and FD_xxx macros support larger values than FD_SETSIZE (which may not
+ * always by true, but we keep using some of them to ensure as much
+ * portability as possible).  Note also that overall server performance
+ * may be rather worsened with a larger value of this constant due to
+ * inherent scalability problems of select().
+ *
+ * As a special note, this value shouldn't have to be touched if
+ * this is a build for an authoritative only DNS server.
+ */
+#ifndef ISC_SOCKET_MAXSOCKETS
+#if defined(USE_KQUEUE) || defined(USE_EPOLL) || defined(USE_DEVPOLL)
+#ifdef TUNE_LARGE
+#define ISC_SOCKET_MAXSOCKETS 21000
+#else /* ifdef TUNE_LARGE */
+#define ISC_SOCKET_MAXSOCKETS 4096
+#endif /* TUNE_LARGE */
+#elif defined(USE_SELECT)
+#define ISC_SOCKET_MAXSOCKETS FD_SETSIZE
+#endif /* USE_KQUEUE... */
+#endif /* ISC_SOCKET_MAXSOCKETS */
+
+#ifdef USE_SELECT
+/*%
+ * Mac OS X needs a special definition to support larger values in select().
+ * We always define this because a larger value can be specified run-time.
+ */
+#ifdef __APPLE__
+#define _DARWIN_UNLIMITED_SELECT
+#endif /* __APPLE__ */
+#endif /* USE_SELECT */
+
+#ifdef ISC_SOCKET_USE_POLLWATCH
+/*%
+ * If this macro is defined, enable workaround for a Solaris /dev/poll kernel
+ * bug: DP_POLL ioctl could keep sleeping even if socket I/O is possible for
+ * some of the specified FD.  The idea is based on the observation that it's
+ * likely for a busy server to keep receiving packets.  It specifically works
+ * as follows: the socket watcher is first initialized with the state of
+ * "poll_idle".  While it's in the idle state it keeps sleeping until a socket
+ * event occurs.  When it wakes up for a socket I/O event, it moves to the
+ * poll_active state, and sets the poll timeout to a short period
+ * (ISC_SOCKET_POLLWATCH_TIMEOUT msec).  If timeout occurs in this state, the
+ * watcher goes to the poll_checking state with the same timeout period.
+ * In this state, the watcher tries to detect whether this is a break
+ * during intermittent events or the kernel bug is triggered.  If the next
+ * polling reports an event within the short period, the previous timeout is
+ * likely to be a kernel bug, and so the watcher goes back to the active state.
+ * Otherwise, it moves to the idle state again.
+ *
+ * It's not clear whether this is a thread-related bug, but since we've only
+ * seen this with threads, this workaround is used only when enabling threads.
+ */
+
+typedef enum { poll_idle, poll_active, poll_checking } pollstate_t;
+
+#ifndef ISC_SOCKET_POLLWATCH_TIMEOUT
+#define ISC_SOCKET_POLLWATCH_TIMEOUT 10
+#endif /* ISC_SOCKET_POLLWATCH_TIMEOUT */
+#endif /* ISC_SOCKET_USE_POLLWATCH */
+
+/*%
+ * Per-FD lock buckets, we shuffle them around a bit as FDs come in herds.
+ */
+#define FDLOCK_BITS  10
+#define FDLOCK_COUNT (1 << FDLOCK_BITS)
+#define FDLOCK_ID(fd)                                   \
+	(((fd) % (FDLOCK_COUNT) >> (FDLOCK_BITS / 2)) | \
+	 (((fd) << (FDLOCK_BITS / 2)) % (FDLOCK_COUNT)))
+
+/*%
+ * Maximum number of events communicated with the kernel.  There should normally
+ * be no need for having a large number.
+ */
+#if defined(USE_KQUEUE) || defined(USE_EPOLL) || defined(USE_DEVPOLL)
+#ifndef ISC_SOCKET_MAXEVENTS
+#ifdef TUNE_LARGE
+#define ISC_SOCKET_MAXEVENTS 2048
+#else /* ifdef TUNE_LARGE */
+#define ISC_SOCKET_MAXEVENTS 64
+#endif /* TUNE_LARGE */
+#endif /* ifndef ISC_SOCKET_MAXEVENTS */
+#endif /* if defined(USE_KQUEUE) || defined(USE_EPOLL) || defined(USE_DEVPOLL) \
+	* */
+
+/*%
+ * Some systems define the socket length argument as an int, some as size_t,
+ * some as socklen_t.  This is here so it can be easily changed if needed.
+ */
+#ifndef socklen_t
+#define socklen_t unsigned int
+#endif /* ifndef socklen_t */
+
+/*%
+ * Define what the possible "soft" errors can be.  These are non-fatal returns
+ * of various network related functions, like recv() and so on.
+ *
+ * For some reason, BSDI (and perhaps others) will sometimes return <0
+ * from recv() but will have errno==0.  This is broken, but we have to
+ * work around it here.
+ */
+#define SOFT_ERROR(e)                                             \
+	((e) == EAGAIN || (e) == EWOULDBLOCK || (e) == ENOBUFS || \
+	 (e) == EINTR || (e) == 0)
+
+#define DLVL(x) ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_SOCKET, ISC_LOG_DEBUG(x)
+
+/*!<
+ * DLVL(90)  --  Function entry/exit and other tracing.
+ * DLVL(70)  --  Socket "correctness" -- including returning of events, etc.
+ * DLVL(60)  --  Socket data send/receive
+ * DLVL(50)  --  Event tracing, including receiving/sending completion events.
+ * DLVL(20)  --  Socket creation/destruction.
+ */
+#define TRACE_LEVEL	  90
+#define CORRECTNESS_LEVEL 70
+#define IOEVENT_LEVEL	  60
+#define EVENT_LEVEL	  50
+#define CREATION_LEVEL	  20
+
+#define TRACE	    DLVL(TRACE_LEVEL)
+#define CORRECTNESS DLVL(CORRECTNESS_LEVEL)
+#define IOEVENT	    DLVL(IOEVENT_LEVEL)
+#define EVENT	    DLVL(EVENT_LEVEL)
+#define CREATION    DLVL(CREATION_LEVEL)
+
+typedef isc_event_t intev_t;
+
+#define SOCKET_MAGIC	ISC_MAGIC('I', 'O', 'i', 'o')
+#define VALID_SOCKET(s) ISC_MAGIC_VALID(s, SOCKET_MAGIC)
+
+/*!
+ * IPv6 control information.  If the socket is an IPv6 socket we want
+ * to collect the destination address and interface so the client can
+ * set them on outgoing packets.
+ */
+#ifndef USE_CMSG
+#define USE_CMSG 1
+#endif /* ifndef USE_CMSG */
+
+/*%
+ * NetBSD and FreeBSD can timestamp packets.  XXXMLG Should we have
+ * a setsockopt() like interface to request timestamps, and if the OS
+ * doesn't do it for us, call gettimeofday() on every UDP receive?
+ */
+#ifdef SO_TIMESTAMP
+#ifndef USE_CMSG
+#define USE_CMSG 1
+#endif /* ifndef USE_CMSG */
+#endif /* ifdef SO_TIMESTAMP */
+
+#if defined(SO_RCVBUF) && defined(ISC_RECV_BUFFER_SIZE)
+#define SET_RCVBUF
+#endif
+
+#if defined(SO_SNDBUF) && defined(ISC_SEND_BUFFER_SIZE)
+#define SET_SNDBUF
+#endif
+
+/*%
+ * Instead of calculating the cmsgbuf lengths every time we take
+ * a rule of thumb approach - sizes are taken from x86_64 linux,
+ * multiplied by 2, everything should fit. Those sizes are not
+ * large enough to cause any concern.
+ */
+#if defined(USE_CMSG)
+#define CMSG_SP_IN6PKT 40
+#else /* if defined(USE_CMSG) */
+#define CMSG_SP_IN6PKT 0
+#endif /* if defined(USE_CMSG) */
+
+#if defined(USE_CMSG) && defined(SO_TIMESTAMP)
+#define CMSG_SP_TIMESTAMP 32
+#else /* if defined(USE_CMSG) && defined(SO_TIMESTAMP) */
+#define CMSG_SP_TIMESTAMP 0
+#endif /* if defined(USE_CMSG) && defined(SO_TIMESTAMP) */
+
+#if defined(USE_CMSG) && (defined(IPV6_TCLASS) || defined(IP_TOS))
+#define CMSG_SP_TCTOS 24
+#else /* if defined(USE_CMSG) && (defined(IPV6_TCLASS) || defined(IP_TOS)) */
+#define CMSG_SP_TCTOS 0
+#endif /* if defined(USE_CMSG) && (defined(IPV6_TCLASS) || defined(IP_TOS)) */
+
+#define CMSG_SP_INT 24
+
+/* Align cmsg buffers to be safe on SPARC etc. */
+#define RECVCMSGBUFLEN                                                       \
+	ISC_ALIGN(2 * (CMSG_SP_IN6PKT + CMSG_SP_TIMESTAMP + CMSG_SP_TCTOS) + \
+			  1,                                                 \
+		  sizeof(void *))
+#define SENDCMSGBUFLEN                                                    \
+	ISC_ALIGN(2 * (CMSG_SP_IN6PKT + CMSG_SP_INT + CMSG_SP_TCTOS) + 1, \
+		  sizeof(void *))
+
+/*%
+ * The number of times a send operation is repeated if the result is EINTR.
+ */
+#define NRETRIES 10
+
+typedef struct isc__socketthread isc__socketthread_t;
+
+#define NEWCONNSOCK(ev) ((ev)->newsocket)
+
+struct isc_socket {
+	/* Not locked. */
+	unsigned int magic;
+	isc_socketmgr_t *manager;
+	isc_mutex_t lock;
+	isc_sockettype_t type;
+	const isc_statscounter_t *statsindex;
+	isc_refcount_t references;
+
+	/* Locked by socket lock. */
+	ISC_LINK(isc_socket_t) link;
+	int fd;
+	int pf;
+	int threadid;
+	char name[16];
+	void *tag;
+
+	ISC_LIST(isc_socketevent_t) send_list;
+	ISC_LIST(isc_socketevent_t) recv_list;
+	ISC_LIST(isc_socket_newconnev_t) accept_list;
+	ISC_LIST(isc_socket_connev_t) connect_list;
+
+	isc_sockaddr_t peer_address; /* remote address */
+
+	unsigned int listener : 1,	       /* listener socket */
+		connected : 1, connecting : 1, /* connect pending
+						* */
+		bound  : 1,		       /* bound to local addr */
+		dupped : 1, active : 1,	       /* currently active */
+		pktdscp : 1;		       /* per packet dscp */
+
+#ifdef ISC_PLATFORM_RECVOVERFLOW
+	unsigned char overflow; /* used for MSG_TRUNC fake */
+#endif				/* ifdef ISC_PLATFORM_RECVOVERFLOW */
+
+	unsigned int dscp;
+};
+
+#define SOCKET_MANAGER_MAGIC ISC_MAGIC('I', 'O', 'm', 'g')
+#define VALID_MANAGER(m)     ISC_MAGIC_VALID(m, SOCKET_MANAGER_MAGIC)
+
+struct isc_socketmgr {
+	/* Not locked. */
+	unsigned int magic;
+	isc_mem_t *mctx;
+	isc_mutex_t lock;
+	isc_stats_t *stats;
+	int nthreads;
+	isc__socketthread_t *threads;
+	unsigned int maxsocks;
+	/* Locked by manager lock. */
+	ISC_LIST(isc_socket_t) socklist;
+	int reserved; /* unlocked */
+	isc_condition_t shutdown_ok;
+	size_t maxudp;
+};
+
+struct isc__socketthread {
+	isc_socketmgr_t *manager;
+	int threadid;
+	isc_thread_t thread;
+	int pipe_fds[2];
+	isc_mutex_t *fdlock;
+	/* Locked by fdlock. */
+	isc_socket_t **fds;
+	int *fdstate;
+#ifdef USE_KQUEUE
+	int kqueue_fd;
+	int nevents;
+	struct kevent *events;
+#endif /* USE_KQUEUE */
+#ifdef USE_EPOLL
+	int epoll_fd;
+	int nevents;
+	struct epoll_event *events;
+	uint32_t *epoll_events;
+#endif /* USE_EPOLL */
+#ifdef USE_DEVPOLL
+	int devpoll_fd;
+	isc_resourcevalue_t open_max;
+	unsigned int calls;
+	int nevents;
+	struct pollfd *events;
+	pollinfo_t *fdpollinfo;
+#endif /* USE_DEVPOLL */
+#ifdef USE_SELECT
+	int fd_bufsize;
+	fd_set *read_fds;
+	fd_set *read_fds_copy;
+	fd_set *write_fds;
+	fd_set *write_fds_copy;
+	int maxfd;
+#endif /* USE_SELECT */
+};
+
+#define CLOSED	      0 /* this one must be zero */
+#define MANAGED	      1
+#define CLOSE_PENDING 2
+
+/*
+ * send() and recv() iovec counts
+ */
+#define MAXSCATTERGATHER_SEND (ISC_SOCKET_MAXSCATTERGATHER)
+#ifdef ISC_PLATFORM_RECVOVERFLOW
+#define MAXSCATTERGATHER_RECV (ISC_SOCKET_MAXSCATTERGATHER + 1)
+#else /* ifdef ISC_PLATFORM_RECVOVERFLOW */
+#define MAXSCATTERGATHER_RECV (ISC_SOCKET_MAXSCATTERGATHER)
+#endif /* ifdef ISC_PLATFORM_RECVOVERFLOW */
+
+static isc_result_t
+socket_create(isc_socketmgr_t *manager0, int pf, isc_sockettype_t type,
+	      isc_socket_t **socketp, isc_socket_t *dup_socket);
+static void
+send_recvdone_event(isc_socket_t *, isc_socketevent_t **);
+static void
+send_senddone_event(isc_socket_t *, isc_socketevent_t **);
+static void
+send_connectdone_event(isc_socket_t *, isc_socket_connev_t **);
+static void
+free_socket(isc_socket_t **);
+static isc_result_t
+allocate_socket(isc_socketmgr_t *, isc_sockettype_t, isc_socket_t **);
+static void
+destroy(isc_socket_t **);
+static void
+internal_accept(isc_socket_t *);
+static void
+internal_connect(isc_socket_t *);
+static void
+internal_recv(isc_socket_t *);
+static void
+internal_send(isc_socket_t *);
+static void
+process_cmsg(isc_socket_t *, struct msghdr *, isc_socketevent_t *);
+static void
+build_msghdr_send(isc_socket_t *, char *, isc_socketevent_t *, struct msghdr *,
+		  struct iovec *, size_t *);
+static void
+build_msghdr_recv(isc_socket_t *, char *, isc_socketevent_t *, struct msghdr *,
+		  struct iovec *, size_t *);
+static bool
+process_ctlfd(isc__socketthread_t *thread);
+static void
+setdscp(isc_socket_t *sock, isc_dscp_t dscp);
+
+#define SELECT_POKE_SHUTDOWN (-1)
+#define SELECT_POKE_NOTHING  (-2)
+#define SELECT_POKE_READ     (-3)
+#define SELECT_POKE_ACCEPT   (-3) /*%< Same as _READ */
+#define SELECT_POKE_WRITE    (-4)
+#define SELECT_POKE_CONNECT  (-4) /*%< Same as _WRITE */
+#define SELECT_POKE_CLOSE    (-5)
+
+/*%
+ * Shortcut index arrays to get access to statistics counters.
+ */
+enum {
+	STATID_OPEN = 0,
+	STATID_OPENFAIL = 1,
+	STATID_CLOSE = 2,
+	STATID_BINDFAIL = 3,
+	STATID_CONNECTFAIL = 4,
+	STATID_CONNECT = 5,
+	STATID_ACCEPTFAIL = 6,
+	STATID_ACCEPT = 7,
+	STATID_SENDFAIL = 8,
+	STATID_RECVFAIL = 9,
+	STATID_ACTIVE = 10
+};
+static const isc_statscounter_t udp4statsindex[] = {
+	isc_sockstatscounter_udp4open,
+	isc_sockstatscounter_udp4openfail,
+	isc_sockstatscounter_udp4close,
+	isc_sockstatscounter_udp4bindfail,
+	isc_sockstatscounter_udp4connectfail,
+	isc_sockstatscounter_udp4connect,
+	-1,
+	-1,
+	isc_sockstatscounter_udp4sendfail,
+	isc_sockstatscounter_udp4recvfail,
+	isc_sockstatscounter_udp4active
+};
+static const isc_statscounter_t udp6statsindex[] = {
+	isc_sockstatscounter_udp6open,
+	isc_sockstatscounter_udp6openfail,
+	isc_sockstatscounter_udp6close,
+	isc_sockstatscounter_udp6bindfail,
+	isc_sockstatscounter_udp6connectfail,
+	isc_sockstatscounter_udp6connect,
+	-1,
+	-1,
+	isc_sockstatscounter_udp6sendfail,
+	isc_sockstatscounter_udp6recvfail,
+	isc_sockstatscounter_udp6active
+};
+static const isc_statscounter_t tcp4statsindex[] = {
+	isc_sockstatscounter_tcp4open,	      isc_sockstatscounter_tcp4openfail,
+	isc_sockstatscounter_tcp4close,	      isc_sockstatscounter_tcp4bindfail,
+	isc_sockstatscounter_tcp4connectfail, isc_sockstatscounter_tcp4connect,
+	isc_sockstatscounter_tcp4acceptfail,  isc_sockstatscounter_tcp4accept,
+	isc_sockstatscounter_tcp4sendfail,    isc_sockstatscounter_tcp4recvfail,
+	isc_sockstatscounter_tcp4active
+};
+static const isc_statscounter_t tcp6statsindex[] = {
+	isc_sockstatscounter_tcp6open,	      isc_sockstatscounter_tcp6openfail,
+	isc_sockstatscounter_tcp6close,	      isc_sockstatscounter_tcp6bindfail,
+	isc_sockstatscounter_tcp6connectfail, isc_sockstatscounter_tcp6connect,
+	isc_sockstatscounter_tcp6acceptfail,  isc_sockstatscounter_tcp6accept,
+	isc_sockstatscounter_tcp6sendfail,    isc_sockstatscounter_tcp6recvfail,
+	isc_sockstatscounter_tcp6active
+};
+static const isc_statscounter_t unixstatsindex[] = {
+	isc_sockstatscounter_unixopen,	      isc_sockstatscounter_unixopenfail,
+	isc_sockstatscounter_unixclose,	      isc_sockstatscounter_unixbindfail,
+	isc_sockstatscounter_unixconnectfail, isc_sockstatscounter_unixconnect,
+	isc_sockstatscounter_unixacceptfail,  isc_sockstatscounter_unixaccept,
+	isc_sockstatscounter_unixsendfail,    isc_sockstatscounter_unixrecvfail,
+	isc_sockstatscounter_unixactive
+};
+static const isc_statscounter_t rawstatsindex[] = {
+	isc_sockstatscounter_rawopen,
+	isc_sockstatscounter_rawopenfail,
+	isc_sockstatscounter_rawclose,
+	-1,
+	-1,
+	-1,
+	-1,
+	-1,
+	-1,
+	isc_sockstatscounter_rawrecvfail,
+	isc_sockstatscounter_rawactive
+};
+
+static int
+gen_threadid(isc_socket_t *sock);
+
+static int
+gen_threadid(isc_socket_t *sock) {
+	return (sock->fd % sock->manager->nthreads);
+}
+
+static void
+manager_log(isc_socketmgr_t *sockmgr, isc_logcategory_t *category,
+	    isc_logmodule_t *module, int level, const char *fmt, ...)
+	ISC_FORMAT_PRINTF(5, 6);
+static void
+manager_log(isc_socketmgr_t *sockmgr, isc_logcategory_t *category,
+	    isc_logmodule_t *module, int level, const char *fmt, ...) {
+	char msgbuf[2048];
+	va_list ap;
+
+	if (!isc_log_wouldlog(isc_lctx, level)) {
+		return;
+	}
+
+	va_start(ap, fmt);
+	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
+	va_end(ap);
+
+	isc_log_write(isc_lctx, category, module, level, "sockmgr %p: %s",
+		      sockmgr, msgbuf);
+}
+
+static void
+thread_log(isc__socketthread_t *thread, isc_logcategory_t *category,
+	   isc_logmodule_t *module, int level, const char *fmt, ...)
+	ISC_FORMAT_PRINTF(5, 6);
+static void
+thread_log(isc__socketthread_t *thread, isc_logcategory_t *category,
+	   isc_logmodule_t *module, int level, const char *fmt, ...) {
+	char msgbuf[2048];
+	va_list ap;
+
+	if (!isc_log_wouldlog(isc_lctx, level)) {
+		return;
+	}
+
+	va_start(ap, fmt);
+	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
+	va_end(ap);
+
+	isc_log_write(isc_lctx, category, module, level,
+		      "sockmgr %p thread %d: %s", thread->manager,
+		      thread->threadid, msgbuf);
+}
+
+static void
+socket_log(isc_socket_t *sock, const isc_sockaddr_t *address,
+	   isc_logcategory_t *category, isc_logmodule_t *module, int level,
+	   const char *fmt, ...) ISC_FORMAT_PRINTF(6, 7);
+static void
+socket_log(isc_socket_t *sock, const isc_sockaddr_t *address,
+	   isc_logcategory_t *category, isc_logmodule_t *module, int level,
+	   const char *fmt, ...) {
+	char msgbuf[2048];
+	char peerbuf[ISC_SOCKADDR_FORMATSIZE];
+	va_list ap;
+
+	if (!isc_log_wouldlog(isc_lctx, level)) {
+		return;
+	}
+
+	va_start(ap, fmt);
+	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
+	va_end(ap);
+
+	if (address == NULL) {
+		isc_log_write(isc_lctx, category, module, level,
+			      "socket %p: %s", sock, msgbuf);
+	} else {
+		isc_sockaddr_format(address, peerbuf, sizeof(peerbuf));
+		isc_log_write(isc_lctx, category, module, level,
+			      "socket %p %s: %s", sock, peerbuf, msgbuf);
+	}
+}
+
+/*%
+ * Increment socket-related statistics counters.
+ */
+static void
+inc_stats(isc_stats_t *stats, isc_statscounter_t counterid) {
+	REQUIRE(counterid != -1);
+
+	if (stats != NULL) {
+		isc_stats_increment(stats, counterid);
+	}
+}
+
+/*%
+ * Decrement socket-related statistics counters.
+ */
+static void
+dec_stats(isc_stats_t *stats, isc_statscounter_t counterid) {
+	REQUIRE(counterid != -1);
+
+	if (stats != NULL) {
+		isc_stats_decrement(stats, counterid);
+	}
+}
+
+static isc_result_t
+watch_fd(isc__socketthread_t *thread, int fd, int msg) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+#ifdef USE_KQUEUE
+	struct kevent evchange;
+
+	memset(&evchange, 0, sizeof(evchange));
+	if (msg == SELECT_POKE_READ) {
+		evchange.filter = EVFILT_READ;
+	} else {
+		evchange.filter = EVFILT_WRITE;
+	}
+	evchange.flags = EV_ADD;
+	evchange.ident = fd;
+	if (kevent(thread->kqueue_fd, &evchange, 1, NULL, 0, NULL) != 0) {
+		result = isc__errno2result(errno);
+	}
+
+	return (result);
+#elif defined(USE_EPOLL)
+	struct epoll_event event;
+	uint32_t oldevents;
+	int ret;
+	int op;
+
+	oldevents = thread->epoll_events[fd];
+	if (msg == SELECT_POKE_READ) {
+		thread->epoll_events[fd] |= EPOLLIN;
+	} else {
+		thread->epoll_events[fd] |= EPOLLOUT;
+	}
+
+	event.events = thread->epoll_events[fd];
+	memset(&event.data, 0, sizeof(event.data));
+	event.data.fd = fd;
+
+	op = (oldevents == 0U) ? EPOLL_CTL_ADD : EPOLL_CTL_MOD;
+	if (thread->fds[fd] != NULL) {
+		LOCK(&thread->fds[fd]->lock);
+	}
+	ret = epoll_ctl(thread->epoll_fd, op, fd, &event);
+	if (thread->fds[fd] != NULL) {
+		UNLOCK(&thread->fds[fd]->lock);
+	}
+	if (ret == -1) {
+		if (errno == EEXIST) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "epoll_ctl(ADD/MOD) returned "
+					 "EEXIST for fd %d",
+					 fd);
+		}
+		result = isc__errno2result(errno);
+	}
+
+	return (result);
+#elif defined(USE_DEVPOLL)
+	struct pollfd pfd;
+
+	memset(&pfd, 0, sizeof(pfd));
+	if (msg == SELECT_POKE_READ) {
+		pfd.events = POLLIN;
+	} else {
+		pfd.events = POLLOUT;
+	}
+	pfd.fd = fd;
+	pfd.revents = 0;
+	if (write(thread->devpoll_fd, &pfd, sizeof(pfd)) == -1) {
+		result = isc__errno2result(errno);
+	} else {
+		if (msg == SELECT_POKE_READ) {
+			thread->fdpollinfo[fd].want_read = 1;
+		} else {
+			thread->fdpollinfo[fd].want_write = 1;
+		}
+	}
+
+	return (result);
+#elif defined(USE_SELECT)
+	LOCK(&thread->manager->lock);
+	if (msg == SELECT_POKE_READ) {
+		FD_SET(fd, thread->read_fds);
+	}
+	if (msg == SELECT_POKE_WRITE) {
+		FD_SET(fd, thread->write_fds);
+	}
+	UNLOCK(&thread->manager->lock);
+
+	return (result);
+#endif /* ifdef USE_KQUEUE */
+}
+
+static isc_result_t
+unwatch_fd(isc__socketthread_t *thread, int fd, int msg) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+#ifdef USE_KQUEUE
+	struct kevent evchange;
+
+	memset(&evchange, 0, sizeof(evchange));
+	if (msg == SELECT_POKE_READ) {
+		evchange.filter = EVFILT_READ;
+	} else {
+		evchange.filter = EVFILT_WRITE;
+	}
+	evchange.flags = EV_DELETE;
+	evchange.ident = fd;
+	if (kevent(thread->kqueue_fd, &evchange, 1, NULL, 0, NULL) != 0) {
+		result = isc__errno2result(errno);
+	}
+
+	return (result);
+#elif defined(USE_EPOLL)
+	struct epoll_event event;
+	int ret;
+	int op;
+
+	if (msg == SELECT_POKE_READ) {
+		thread->epoll_events[fd] &= ~(EPOLLIN);
+	} else {
+		thread->epoll_events[fd] &= ~(EPOLLOUT);
+	}
+
+	event.events = thread->epoll_events[fd];
+	memset(&event.data, 0, sizeof(event.data));
+	event.data.fd = fd;
+
+	op = (event.events == 0U) ? EPOLL_CTL_DEL : EPOLL_CTL_MOD;
+	ret = epoll_ctl(thread->epoll_fd, op, fd, &event);
+	if (ret == -1 && errno != ENOENT) {
+		char strbuf[ISC_STRERRORSIZE];
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__, "epoll_ctl(DEL), %d: %s",
+				 fd, strbuf);
+		result = ISC_R_UNEXPECTED;
+	}
+	return (result);
+#elif defined(USE_DEVPOLL)
+	struct pollfd pfds[2];
+	size_t writelen = sizeof(pfds[0]);
+
+	memset(pfds, 0, sizeof(pfds));
+	pfds[0].events = POLLREMOVE;
+	pfds[0].fd = fd;
+
+	/*
+	 * Canceling read or write polling via /dev/poll is tricky.  Since it
+	 * only provides a way of canceling per FD, we may need to re-poll the
+	 * socket for the other operation.
+	 */
+	if (msg == SELECT_POKE_READ && thread->fdpollinfo[fd].want_write == 1) {
+		pfds[1].events = POLLOUT;
+		pfds[1].fd = fd;
+		writelen += sizeof(pfds[1]);
+	}
+	if (msg == SELECT_POKE_WRITE && thread->fdpollinfo[fd].want_read == 1) {
+		pfds[1].events = POLLIN;
+		pfds[1].fd = fd;
+		writelen += sizeof(pfds[1]);
+	}
+
+	if (write(thread->devpoll_fd, pfds, writelen) == -1) {
+		result = isc__errno2result(errno);
+	} else {
+		if (msg == SELECT_POKE_READ) {
+			thread->fdpollinfo[fd].want_read = 0;
+		} else {
+			thread->fdpollinfo[fd].want_write = 0;
+		}
+	}
+
+	return (result);
+#elif defined(USE_SELECT)
+	LOCK(&thread->manager->lock);
+	if (msg == SELECT_POKE_READ) {
+		FD_CLR(fd, thread->read_fds);
+	} else if (msg == SELECT_POKE_WRITE) {
+		FD_CLR(fd, thread->write_fds);
+	}
+	UNLOCK(&thread->manager->lock);
+
+	return (result);
+#endif /* ifdef USE_KQUEUE */
+}
+
+/*
+ * A poke message was received, perform a proper watch/unwatch
+ * on a fd provided
+ */
+static void
+wakeup_socket(isc__socketthread_t *thread, int fd, int msg) {
+	isc_result_t result;
+	int lockid = FDLOCK_ID(fd);
+
+	/*
+	 * This is a wakeup on a socket.  If the socket is not in the
+	 * process of being closed, start watching it for either reads
+	 * or writes.
+	 */
+
+	INSIST(fd >= 0 && fd < (int)thread->manager->maxsocks);
+
+	if (msg == SELECT_POKE_CLOSE) {
+		LOCK(&thread->fdlock[lockid]);
+		INSIST(thread->fdstate[fd] == CLOSE_PENDING);
+		thread->fdstate[fd] = CLOSED;
+		(void)unwatch_fd(thread, fd, SELECT_POKE_READ);
+		(void)unwatch_fd(thread, fd, SELECT_POKE_WRITE);
+		(void)close(fd);
+		UNLOCK(&thread->fdlock[lockid]);
+		return;
+	}
+
+	LOCK(&thread->fdlock[lockid]);
+	if (thread->fdstate[fd] == CLOSE_PENDING) {
+		/*
+		 * We accept (and ignore) any error from unwatch_fd() as we are
+		 * closing the socket, hoping it doesn't leave dangling state in
+		 * the kernel.
+		 * Note that unwatch_fd() must be called after releasing the
+		 * fdlock; otherwise it could cause deadlock due to a lock order
+		 * reversal.
+		 */
+		(void)unwatch_fd(thread, fd, SELECT_POKE_READ);
+		(void)unwatch_fd(thread, fd, SELECT_POKE_WRITE);
+		UNLOCK(&thread->fdlock[lockid]);
+		return;
+	}
+	if (thread->fdstate[fd] != MANAGED) {
+		UNLOCK(&thread->fdlock[lockid]);
+		return;
+	}
+
+	/*
+	 * Set requested bit.
+	 */
+	result = watch_fd(thread, fd, msg);
+	if (result != ISC_R_SUCCESS) {
+		/*
+		 * XXXJT: what should we do?  Ignoring the failure of watching
+		 * a socket will make the application dysfunctional, but there
+		 * seems to be no reasonable recovery process.
+		 */
+		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
+			      "failed to start watching FD (%d): %s", fd,
+			      isc_result_totext(result));
+	}
+	UNLOCK(&thread->fdlock[lockid]);
+}
+
+/*
+ * Poke the select loop when there is something for us to do.
+ * The write is required (by POSIX) to complete.  That is, we
+ * will not get partial writes.
+ */
+static void
+select_poke(isc_socketmgr_t *mgr, int threadid, int fd, int msg) {
+	int cc;
+	int buf[2];
+	char strbuf[ISC_STRERRORSIZE];
+
+	buf[0] = fd;
+	buf[1] = msg;
+
+	do {
+		cc = write(mgr->threads[threadid].pipe_fds[1], buf,
+			   sizeof(buf));
+#ifdef ENOSR
+		/*
+		 * Treat ENOSR as EAGAIN but loop slowly as it is
+		 * unlikely to clear fast.
+		 */
+		if (cc < 0 && errno == ENOSR) {
+			sleep(1);
+			errno = EAGAIN;
+		}
+#endif /* ifdef ENOSR */
+	} while (cc < 0 && SOFT_ERROR(errno));
+
+	if (cc < 0) {
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		FATAL_ERROR(__FILE__, __LINE__,
+			    "write() failed during watcher poke: %s", strbuf);
+	}
+
+	INSIST(cc == sizeof(buf));
+}
+
+/*
+ * Read a message on the internal fd.
+ */
+static void
+select_readmsg(isc__socketthread_t *thread, int *fd, int *msg) {
+	int buf[2];
+	int cc;
+	char strbuf[ISC_STRERRORSIZE];
+
+	cc = read(thread->pipe_fds[0], buf, sizeof(buf));
+	if (cc < 0) {
+		*msg = SELECT_POKE_NOTHING;
+		*fd = -1; /* Silence compiler. */
+		if (SOFT_ERROR(errno)) {
+			return;
+		}
+
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		FATAL_ERROR(__FILE__, __LINE__,
+			    "read() failed during watcher poke: %s", strbuf);
+	}
+	INSIST(cc == sizeof(buf));
+
+	*fd = buf[0];
+	*msg = buf[1];
+}
+
+/*
+ * Make a fd non-blocking.
+ */
+static isc_result_t
+make_nonblock(int fd) {
+	int ret;
+	char strbuf[ISC_STRERRORSIZE];
+#ifdef USE_FIONBIO_IOCTL
+	int on = 1;
+#else  /* ifdef USE_FIONBIO_IOCTL */
+	int flags;
+#endif /* ifdef USE_FIONBIO_IOCTL */
+
+#ifdef USE_FIONBIO_IOCTL
+	ret = ioctl(fd, FIONBIO, (char *)&on);
+#else  /* ifdef USE_FIONBIO_IOCTL */
+	flags = fcntl(fd, F_GETFL, 0);
+	flags |= PORT_NONBLOCK;
+	ret = fcntl(fd, F_SETFL, flags);
+#endif /* ifdef USE_FIONBIO_IOCTL */
+
+	if (ret == -1) {
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+#ifdef USE_FIONBIO_IOCTL
+				 "ioctl(%d, FIONBIO, &on): %s", fd,
+#else  /* ifdef USE_FIONBIO_IOCTL */
+				 "fcntl(%d, F_SETFL, %d): %s", fd, flags,
+#endif /* ifdef USE_FIONBIO_IOCTL */
+				 strbuf);
+
+		return (ISC_R_UNEXPECTED);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+#ifdef USE_CMSG
+/*
+ * Not all OSes support advanced CMSG macros: CMSG_LEN and CMSG_SPACE.
+ * In order to ensure as much portability as possible, we provide wrapper
+ * functions of these macros.
+ * Note that cmsg_space() could run slow on OSes that do not have
+ * CMSG_SPACE.
+ */
+static socklen_t
+cmsg_len(socklen_t len) {
+#ifdef CMSG_LEN
+	return (CMSG_LEN(len));
+#else  /* ifdef CMSG_LEN */
+	socklen_t hdrlen;
+
+	/*
+	 * Cast NULL so that any pointer arithmetic performed by CMSG_DATA
+	 * is correct.
+	 */
+	hdrlen = (socklen_t)CMSG_DATA(((struct cmsghdr *)NULL));
+	return (hdrlen + len);
+#endif /* ifdef CMSG_LEN */
+}
+
+static socklen_t
+cmsg_space(socklen_t len) {
+#ifdef CMSG_SPACE
+	return (CMSG_SPACE(len));
+#else  /* ifdef CMSG_SPACE */
+	struct msghdr msg;
+	struct cmsghdr *cmsgp;
+	/*
+	 * XXX: The buffer length is an ad-hoc value, but should be enough
+	 * in a practical sense.
+	 */
+	char dummybuf[sizeof(struct cmsghdr) + 1024];
+
+	memset(&msg, 0, sizeof(msg));
+	msg.msg_control = dummybuf;
+	msg.msg_controllen = sizeof(dummybuf);
+
+	cmsgp = (struct cmsghdr *)dummybuf;
+	cmsgp->cmsg_len = cmsg_len(len);
+
+	cmsgp = CMSG_NXTHDR(&msg, cmsgp);
+	if (cmsgp != NULL) {
+		return ((char *)cmsgp - (char *)msg.msg_control);
+	} else {
+		return (0);
+	}
+#endif /* ifdef CMSG_SPACE */
+}
+#endif /* USE_CMSG */
+
+/*
+ * Process control messages received on a socket.
+ */
+static void
+process_cmsg(isc_socket_t *sock, struct msghdr *msg, isc_socketevent_t *dev) {
+#ifdef USE_CMSG
+	struct cmsghdr *cmsgp;
+	struct in6_pktinfo *pktinfop;
+#ifdef SO_TIMESTAMP
+	void *timevalp;
+#endif /* ifdef SO_TIMESTAMP */
+#endif /* ifdef USE_CMSG */
+
+	/*
+	 * sock is used only when ISC_NET_BSD44MSGHDR and USE_CMSG are defined.
+	 * msg and dev are used only when ISC_NET_BSD44MSGHDR is defined.
+	 * They are all here, outside of the CPP tests, because it is
+	 * more consistent with the usual ISC coding style.
+	 */
+	UNUSED(sock);
+	UNUSED(msg);
+	UNUSED(dev);
+
+#ifdef MSG_TRUNC
+	if ((msg->msg_flags & MSG_TRUNC) != 0) {
+		dev->attributes |= ISC_SOCKEVENTATTR_TRUNC;
+	}
+#endif /* ifdef MSG_TRUNC */
+
+#ifdef MSG_CTRUNC
+	if ((msg->msg_flags & MSG_CTRUNC) != 0) {
+		dev->attributes |= ISC_SOCKEVENTATTR_CTRUNC;
+	}
+#endif /* ifdef MSG_CTRUNC */
+
+#ifndef USE_CMSG
+	return;
+#else /* ifndef USE_CMSG */
+	if (msg->msg_controllen == 0U || msg->msg_control == NULL) {
+		return;
+	}
+
+#ifdef SO_TIMESTAMP
+	timevalp = NULL;
+#endif /* ifdef SO_TIMESTAMP */
+	pktinfop = NULL;
+
+	cmsgp = CMSG_FIRSTHDR(msg);
+	while (cmsgp != NULL) {
+		socket_log(sock, NULL, TRACE, "processing cmsg %p", cmsgp);
+
+		if (cmsgp->cmsg_level == IPPROTO_IPV6 &&
+		    cmsgp->cmsg_type == IPV6_PKTINFO)
+		{
+			pktinfop = (struct in6_pktinfo *)CMSG_DATA(cmsgp);
+			memmove(&dev->pktinfo, pktinfop,
+				sizeof(struct in6_pktinfo));
+			dev->attributes |= ISC_SOCKEVENTATTR_PKTINFO;
+			socket_log(sock, NULL, TRACE,
+				   "interface received on ifindex %u",
+				   dev->pktinfo.ipi6_ifindex);
+			if (IN6_IS_ADDR_MULTICAST(&pktinfop->ipi6_addr)) {
+				dev->attributes |= ISC_SOCKEVENTATTR_MULTICAST;
+			}
+			goto next;
+		}
+
+#ifdef SO_TIMESTAMP
+		if (cmsgp->cmsg_level == SOL_SOCKET &&
+		    cmsgp->cmsg_type == SCM_TIMESTAMP)
+		{
+			struct timeval tv;
+			timevalp = CMSG_DATA(cmsgp);
+			memmove(&tv, timevalp, sizeof(tv));
+			dev->timestamp.seconds = tv.tv_sec;
+			dev->timestamp.nanoseconds = tv.tv_usec * 1000;
+			dev->attributes |= ISC_SOCKEVENTATTR_TIMESTAMP;
+			goto next;
+		}
+#endif /* ifdef SO_TIMESTAMP */
+
+#ifdef IPV6_TCLASS
+		if (cmsgp->cmsg_level == IPPROTO_IPV6 &&
+		    cmsgp->cmsg_type == IPV6_TCLASS)
+		{
+			dev->dscp = *(int *)CMSG_DATA(cmsgp);
+			dev->dscp >>= 2;
+			dev->attributes |= ISC_SOCKEVENTATTR_DSCP;
+			goto next;
+		}
+#endif /* ifdef IPV6_TCLASS */
+
+#ifdef IP_TOS
+		if (cmsgp->cmsg_level == IPPROTO_IP &&
+		    (cmsgp->cmsg_type == IP_TOS
+#ifdef IP_RECVTOS
+		     || cmsgp->cmsg_type == IP_RECVTOS
+#endif /* ifdef IP_RECVTOS */
+		     ))
+		{
+			dev->dscp = (int)*(unsigned char *)CMSG_DATA(cmsgp);
+			dev->dscp >>= 2;
+			dev->attributes |= ISC_SOCKEVENTATTR_DSCP;
+			goto next;
+		}
+#endif /* ifdef IP_TOS */
+	next:
+		cmsgp = CMSG_NXTHDR(msg, cmsgp);
+	}
+#endif /* USE_CMSG */
+}
+
+/*
+ * Construct an iov array and attach it to the msghdr passed in.  This is
+ * the SEND constructor, which will use the used region of the buffer
+ * (if using a buffer list) or will use the internal region (if a single
+ * buffer I/O is requested).
+ *
+ * Nothing can be NULL, and the done event must list at least one buffer
+ * on the buffer linked list for this function to be meaningful.
+ *
+ * If write_countp != NULL, *write_countp will hold the number of bytes
+ * this transaction can send.
+ */
+static void
+build_msghdr_send(isc_socket_t *sock, char *cmsgbuf, isc_socketevent_t *dev,
+		  struct msghdr *msg, struct iovec *iov, size_t *write_countp) {
+	unsigned int iovcount;
+	size_t write_count;
+	struct cmsghdr *cmsgp;
+
+	memset(msg, 0, sizeof(*msg));
+
+	if (!sock->connected) {
+		msg->msg_name = (void *)&dev->address.type.sa;
+		msg->msg_namelen = dev->address.length;
+	} else {
+		msg->msg_name = NULL;
+		msg->msg_namelen = 0;
+	}
+
+	write_count = dev->region.length - dev->n;
+	iov[0].iov_base = (void *)(dev->region.base + dev->n);
+	iov[0].iov_len = write_count;
+	iovcount = 1;
+
+	msg->msg_iov = iov;
+	msg->msg_iovlen = iovcount;
+	msg->msg_control = NULL;
+	msg->msg_controllen = 0;
+	msg->msg_flags = 0;
+#if defined(USE_CMSG)
+
+	if ((sock->type == isc_sockettype_udp) &&
+	    ((dev->attributes & ISC_SOCKEVENTATTR_PKTINFO) != 0))
+	{
+		struct in6_pktinfo *pktinfop;
+
+		socket_log(sock, NULL, TRACE, "sendto pktinfo data, ifindex %u",
+			   dev->pktinfo.ipi6_ifindex);
+
+		msg->msg_control = (void *)cmsgbuf;
+		msg->msg_controllen = cmsg_space(sizeof(struct in6_pktinfo));
+		INSIST(msg->msg_controllen <= SENDCMSGBUFLEN);
+
+		cmsgp = (struct cmsghdr *)cmsgbuf;
+		cmsgp->cmsg_level = IPPROTO_IPV6;
+		cmsgp->cmsg_type = IPV6_PKTINFO;
+		cmsgp->cmsg_len = cmsg_len(sizeof(struct in6_pktinfo));
+		pktinfop = (struct in6_pktinfo *)CMSG_DATA(cmsgp);
+		memmove(pktinfop, &dev->pktinfo, sizeof(struct in6_pktinfo));
+	}
+
+#if defined(IPV6_USE_MIN_MTU)
+	if ((sock->type == isc_sockettype_udp) && (sock->pf == AF_INET6) &&
+	    ((dev->attributes & ISC_SOCKEVENTATTR_USEMINMTU) != 0))
+	{
+		int use_min_mtu = 1; /* -1, 0, 1 */
+
+		cmsgp = (struct cmsghdr *)(cmsgbuf + msg->msg_controllen);
+		msg->msg_control = (void *)cmsgbuf;
+		msg->msg_controllen += cmsg_space(sizeof(use_min_mtu));
+		INSIST(msg->msg_controllen <= SENDCMSGBUFLEN);
+
+		cmsgp->cmsg_level = IPPROTO_IPV6;
+		cmsgp->cmsg_type = IPV6_USE_MIN_MTU;
+		cmsgp->cmsg_len = cmsg_len(sizeof(use_min_mtu));
+		memmove(CMSG_DATA(cmsgp), &use_min_mtu, sizeof(use_min_mtu));
+	}
+#endif /* if defined(IPV6_USE_MIN_MTU) */
+
+	if (isc_dscp_check_value > -1) {
+		if (sock->type == isc_sockettype_udp) {
+			INSIST((int)dev->dscp == isc_dscp_check_value);
+		} else if (sock->type == isc_sockettype_tcp) {
+			INSIST((int)sock->dscp == isc_dscp_check_value);
+		}
+	}
+
+#if defined(IP_TOS) || (defined(IPPROTO_IPV6) && defined(IPV6_TCLASS))
+	if ((sock->type == isc_sockettype_udp) &&
+	    ((dev->attributes & ISC_SOCKEVENTATTR_DSCP) != 0))
+	{
+		int dscp = (dev->dscp << 2) & 0xff;
+
+		INSIST(dev->dscp < 0x40);
+
+#ifdef IP_TOS
+		if (sock->pf == AF_INET && sock->pktdscp) {
+			cmsgp = (struct cmsghdr *)(cmsgbuf +
+						   msg->msg_controllen);
+			msg->msg_control = (void *)cmsgbuf;
+			msg->msg_controllen += cmsg_space(sizeof(dscp));
+			INSIST(msg->msg_controllen <= SENDCMSGBUFLEN);
+
+			cmsgp->cmsg_level = IPPROTO_IP;
+			cmsgp->cmsg_type = IP_TOS;
+			cmsgp->cmsg_len = cmsg_len(sizeof(char));
+			*(unsigned char *)CMSG_DATA(cmsgp) = dscp;
+		} else if (sock->pf == AF_INET && sock->dscp != dev->dscp) {
+			if (setsockopt(sock->fd, IPPROTO_IP, IP_TOS,
+				       (void *)&dscp, sizeof(int)) < 0)
+			{
+				char strbuf[ISC_STRERRORSIZE];
+				strerror_r(errno, strbuf, sizeof(strbuf));
+				UNEXPECTED_ERROR(__FILE__, __LINE__,
+						 "setsockopt(%d, IP_TOS, %.02x)"
+						 " failed: %s",
+						 sock->fd, dscp >> 2, strbuf);
+			} else {
+				sock->dscp = dscp;
+			}
+		}
+#endif /* ifdef IP_TOS */
+#if defined(IPPROTO_IPV6) && defined(IPV6_TCLASS)
+		if (sock->pf == AF_INET6 && sock->pktdscp) {
+			cmsgp = (struct cmsghdr *)(cmsgbuf +
+						   msg->msg_controllen);
+			msg->msg_control = (void *)cmsgbuf;
+			msg->msg_controllen += cmsg_space(sizeof(dscp));
+			INSIST(msg->msg_controllen <= SENDCMSGBUFLEN);
+
+			cmsgp->cmsg_level = IPPROTO_IPV6;
+			cmsgp->cmsg_type = IPV6_TCLASS;
+			cmsgp->cmsg_len = cmsg_len(sizeof(dscp));
+			memmove(CMSG_DATA(cmsgp), &dscp, sizeof(dscp));
+		} else if (sock->pf == AF_INET6 && sock->dscp != dev->dscp) {
+			if (setsockopt(sock->fd, IPPROTO_IPV6, IPV6_TCLASS,
+				       (void *)&dscp, sizeof(int)) < 0)
+			{
+				char strbuf[ISC_STRERRORSIZE];
+				strerror_r(errno, strbuf, sizeof(strbuf));
+				UNEXPECTED_ERROR(__FILE__, __LINE__,
+						 "setsockopt(%d, IPV6_TCLASS, "
+						 "%.02x) failed: %s",
+						 sock->fd, dscp >> 2, strbuf);
+			} else {
+				sock->dscp = dscp;
+			}
+		}
+#endif /* if defined(IPPROTO_IPV6) && defined(IPV6_TCLASS) */
+		if (msg->msg_controllen != 0 &&
+		    msg->msg_controllen < SENDCMSGBUFLEN)
+		{
+			memset(cmsgbuf + msg->msg_controllen, 0,
+			       SENDCMSGBUFLEN - msg->msg_controllen);
+		}
+	}
+#endif /* if defined(IP_TOS) || (defined(IPPROTO_IPV6) && \
+	* defined(IPV6_TCLASS))                           \
+	* */
+#endif /* USE_CMSG */
+
+	if (write_countp != NULL) {
+		*write_countp = write_count;
+	}
+}
+
+/*
+ * Construct an iov array and attach it to the msghdr passed in.  This is
+ * the RECV constructor, which will use the available region of the buffer
+ * (if using a buffer list) or will use the internal region (if a single
+ * buffer I/O is requested).
+ *
+ * Nothing can be NULL, and the done event must list at least one buffer
+ * on the buffer linked list for this function to be meaningful.
+ *
+ * If read_countp != NULL, *read_countp will hold the number of bytes
+ * this transaction can receive.
+ */
+static void
+build_msghdr_recv(isc_socket_t *sock, char *cmsgbuf, isc_socketevent_t *dev,
+		  struct msghdr *msg, struct iovec *iov, size_t *read_countp) {
+	unsigned int iovcount;
+	size_t read_count;
+
+	memset(msg, 0, sizeof(struct msghdr));
+
+	if (sock->type == isc_sockettype_udp) {
+		memset(&dev->address, 0, sizeof(dev->address));
+		msg->msg_name = (void *)&dev->address.type.sa;
+		msg->msg_namelen = sizeof(dev->address.type);
+	} else { /* TCP */
+		msg->msg_name = NULL;
+		msg->msg_namelen = 0;
+		dev->address = sock->peer_address;
+	}
+
+	read_count = dev->region.length - dev->n;
+	iov[0].iov_base = (void *)(dev->region.base + dev->n);
+	iov[0].iov_len = read_count;
+	iovcount = 1;
+
+	/*
+	 * If needed, set up to receive that one extra byte.
+	 */
+#ifdef ISC_PLATFORM_RECVOVERFLOW
+	if (sock->type == isc_sockettype_udp) {
+		INSIST(iovcount < MAXSCATTERGATHER_RECV);
+		iov[iovcount].iov_base = (void *)(&sock->overflow);
+		iov[iovcount].iov_len = 1;
+		iovcount++;
+	}
+#endif /* ifdef ISC_PLATFORM_RECVOVERFLOW */
+
+	msg->msg_iov = iov;
+	msg->msg_iovlen = iovcount;
+
+#if defined(USE_CMSG)
+	msg->msg_control = cmsgbuf;
+	msg->msg_controllen = RECVCMSGBUFLEN;
+#else  /* if defined(USE_CMSG) */
+	msg->msg_control = NULL;
+	msg->msg_controllen = 0;
+#endif /* USE_CMSG */
+	msg->msg_flags = 0;
+
+	if (read_countp != NULL) {
+		*read_countp = read_count;
+	}
+}
+
+static void
+set_dev_address(const isc_sockaddr_t *address, isc_socket_t *sock,
+		isc_socketevent_t *dev) {
+	if (sock->type == isc_sockettype_udp) {
+		if (address != NULL) {
+			dev->address = *address;
+		} else {
+			dev->address = sock->peer_address;
+		}
+	} else if (sock->type == isc_sockettype_tcp) {
+		INSIST(address == NULL);
+		dev->address = sock->peer_address;
+	}
+}
+
+static void
+destroy_socketevent(isc_event_t *event) {
+	isc_socketevent_t *ev = (isc_socketevent_t *)event;
+
+	(ev->destroy)(event);
+}
+
+static isc_socketevent_t *
+allocate_socketevent(isc_mem_t *mctx, void *sender, isc_eventtype_t eventtype,
+		     isc_taskaction_t action, void *arg) {
+	isc_socketevent_t *ev;
+
+	ev = (isc_socketevent_t *)isc_event_allocate(mctx, sender, eventtype,
+						     action, arg, sizeof(*ev));
+
+	ev->result = ISC_R_UNSET;
+	ISC_LINK_INIT(ev, ev_link);
+	ev->region.base = NULL;
+	ev->n = 0;
+	ev->offset = 0;
+	ev->attributes = 0;
+	ev->destroy = ev->ev_destroy;
+	ev->ev_destroy = destroy_socketevent;
+	ev->dscp = 0;
+
+	return (ev);
+}
+
+#if defined(ISC_SOCKET_DEBUG)
+static void
+dump_msg(struct msghdr *msg) {
+	unsigned int i;
+
+	printf("MSGHDR %p\n", msg);
+	printf("\tname %p, namelen %ld\n", msg->msg_name,
+	       (long)msg->msg_namelen);
+	printf("\tiov %p, iovlen %ld\n", msg->msg_iov, (long)msg->msg_iovlen);
+	for (i = 0; i < (unsigned int)msg->msg_iovlen; i++) {
+		printf("\t\t%u\tbase %p, len %ld\n", i,
+		       msg->msg_iov[i].iov_base, (long)msg->msg_iov[i].iov_len);
+	}
+	printf("\tcontrol %p, controllen %ld\n", msg->msg_control,
+	       (long)msg->msg_controllen);
+}
+#endif /* if defined(ISC_SOCKET_DEBUG) */
+
+#define DOIO_SUCCESS 0 /* i/o ok, event sent */
+#define DOIO_SOFT    1 /* i/o ok, soft error, no event sent */
+#define DOIO_HARD    2 /* i/o error, event sent */
+#define DOIO_EOF     3 /* EOF, no event sent */
+
+static int
+doio_recv(isc_socket_t *sock, isc_socketevent_t *dev) {
+	int cc;
+	struct iovec iov[MAXSCATTERGATHER_RECV];
+	size_t read_count;
+	struct msghdr msghdr;
+	int recv_errno;
+	char strbuf[ISC_STRERRORSIZE];
+	char cmsgbuf[RECVCMSGBUFLEN] = { 0 };
+
+	build_msghdr_recv(sock, cmsgbuf, dev, &msghdr, iov, &read_count);
+
+#if defined(ISC_SOCKET_DEBUG)
+	dump_msg(&msghdr);
+#endif /* if defined(ISC_SOCKET_DEBUG) */
+
+	cc = recvmsg(sock->fd, &msghdr, 0);
+	recv_errno = errno;
+
+#if defined(ISC_SOCKET_DEBUG)
+	dump_msg(&msghdr);
+#endif /* if defined(ISC_SOCKET_DEBUG) */
+
+	if (cc < 0) {
+		if (SOFT_ERROR(recv_errno)) {
+			return (DOIO_SOFT);
+		}
+
+		if (isc_log_wouldlog(isc_lctx, IOEVENT_LEVEL)) {
+			strerror_r(recv_errno, strbuf, sizeof(strbuf));
+			socket_log(sock, NULL, IOEVENT,
+				   "doio_recv: recvmsg(%d) %d bytes, err %d/%s",
+				   sock->fd, cc, recv_errno, strbuf);
+		}
+
+#define SOFT_OR_HARD(_system, _isc)                                   \
+	if (recv_errno == _system) {                                  \
+		if (sock->connected) {                                \
+			dev->result = _isc;                           \
+			inc_stats(sock->manager->stats,               \
+				  sock->statsindex[STATID_RECVFAIL]); \
+			return (DOIO_HARD);                           \
+		}                                                     \
+		return (DOIO_SOFT);                                   \
+	}
+#define ALWAYS_HARD(_system, _isc)                            \
+	if (recv_errno == _system) {                          \
+		dev->result = _isc;                           \
+		inc_stats(sock->manager->stats,               \
+			  sock->statsindex[STATID_RECVFAIL]); \
+		return (DOIO_HARD);                           \
+	}
+
+		SOFT_OR_HARD(ECONNREFUSED, ISC_R_CONNREFUSED);
+		SOFT_OR_HARD(ENETUNREACH, ISC_R_NETUNREACH);
+		SOFT_OR_HARD(EHOSTUNREACH, ISC_R_HOSTUNREACH);
+		SOFT_OR_HARD(EHOSTDOWN, ISC_R_HOSTDOWN);
+		SOFT_OR_HARD(ENOBUFS, ISC_R_NORESOURCES);
+		/*
+		 * Older operating systems may still return EPROTO in some
+		 * situations, for example when receiving ICMP/ICMPv6 errors.
+		 * A real life scenario is when ICMPv6 returns code 5 or 6.
+		 * These codes are introduced in RFC 4443 from March 2006,
+		 * and the document obsoletes RFC 1885. But unfortunately not
+		 * all operating systems have caught up with the new standard
+		 * (in 2020) and thus a generic protocol error is returned.
+		 */
+		SOFT_OR_HARD(EPROTO, ISC_R_HOSTUNREACH);
+		/* Should never get this one but it was seen. */
+#ifdef ENOPROTOOPT
+		SOFT_OR_HARD(ENOPROTOOPT, ISC_R_HOSTUNREACH);
+#endif /* ifdef ENOPROTOOPT */
+		SOFT_OR_HARD(EINVAL, ISC_R_HOSTUNREACH);
+
+#undef SOFT_OR_HARD
+#undef ALWAYS_HARD
+
+		dev->result = isc__errno2result(recv_errno);
+		inc_stats(sock->manager->stats,
+			  sock->statsindex[STATID_RECVFAIL]);
+		return (DOIO_HARD);
+	}
+
+	/*
+	 * On TCP and UNIX sockets, zero length reads indicate EOF,
+	 * while on UDP sockets, zero length reads are perfectly valid,
+	 * although strange.
+	 */
+	switch (sock->type) {
+	case isc_sockettype_tcp:
+	case isc_sockettype_unix:
+		if (cc == 0) {
+			return (DOIO_EOF);
+		}
+		break;
+	case isc_sockettype_udp:
+	case isc_sockettype_raw:
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	if (sock->type == isc_sockettype_udp) {
+		dev->address.length = msghdr.msg_namelen;
+		if (isc_sockaddr_getport(&dev->address) == 0) {
+			if (isc_log_wouldlog(isc_lctx, IOEVENT_LEVEL)) {
+				socket_log(sock, &dev->address, IOEVENT,
+					   "dropping source port zero packet");
+			}
+			return (DOIO_SOFT);
+		}
+		/*
+		 * Simulate a firewall blocking UDP responses bigger than
+		 * 'maxudp' bytes.
+		 */
+		if (sock->manager->maxudp != 0 &&
+		    cc > (int)sock->manager->maxudp)
+		{
+			return (DOIO_SOFT);
+		}
+	}
+
+	socket_log(sock, &dev->address, IOEVENT, "packet received correctly");
+
+	/*
+	 * Overflow bit detection.  If we received MORE bytes than we should,
+	 * this indicates an overflow situation.  Set the flag in the
+	 * dev entry and adjust how much we read by one.
+	 */
+#ifdef ISC_PLATFORM_RECVOVERFLOW
+	if ((sock->type == isc_sockettype_udp) && ((size_t)cc > read_count)) {
+		dev->attributes |= ISC_SOCKEVENTATTR_TRUNC;
+		cc--;
+	}
+#endif /* ifdef ISC_PLATFORM_RECVOVERFLOW */
+
+	/*
+	 * If there are control messages attached, run through them and pull
+	 * out the interesting bits.
+	 */
+	process_cmsg(sock, &msghdr, dev);
+
+	/*
+	 * update the buffers (if any) and the i/o count
+	 */
+	dev->n += cc;
+
+	/*
+	 * If we read less than we expected, update counters,
+	 * and let the upper layer poke the descriptor.
+	 */
+	if (((size_t)cc != read_count) && (dev->n < dev->minimum)) {
+		return (DOIO_SOFT);
+	}
+
+	/*
+	 * Full reads are posted, or partials if partials are ok.
+	 */
+	dev->result = ISC_R_SUCCESS;
+	return (DOIO_SUCCESS);
+}
+
+/*
+ * Returns:
+ *	DOIO_SUCCESS	The operation succeeded.  dev->result contains
+ *			ISC_R_SUCCESS.
+ *
+ *	DOIO_HARD	A hard or unexpected I/O error was encountered.
+ *			dev->result contains the appropriate error.
+ *
+ *	DOIO_SOFT	A soft I/O error was encountered.  No senddone
+ *			event was sent.  The operation should be retried.
+ *
+ *	No other return values are possible.
+ */
+static int
+doio_send(isc_socket_t *sock, isc_socketevent_t *dev) {
+	int cc;
+	struct iovec iov[MAXSCATTERGATHER_SEND];
+	size_t write_count;
+	struct msghdr msghdr;
+	char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+	int attempts = 0;
+	int send_errno;
+	char strbuf[ISC_STRERRORSIZE];
+	char cmsgbuf[SENDCMSGBUFLEN] = { 0 };
+
+	build_msghdr_send(sock, cmsgbuf, dev, &msghdr, iov, &write_count);
+
+resend:
+	if (sock->type == isc_sockettype_udp && sock->manager->maxudp != 0 &&
+	    write_count > sock->manager->maxudp)
+	{
+		cc = write_count;
+	} else {
+		cc = sendmsg(sock->fd, &msghdr, 0);
+	}
+	send_errno = errno;
+
+	/*
+	 * Check for error or block condition.
+	 */
+	if (cc < 0) {
+		if (send_errno == EINTR && ++attempts < NRETRIES) {
+			goto resend;
+		}
+
+		if (SOFT_ERROR(send_errno)) {
+			if (errno == EWOULDBLOCK || errno == EAGAIN) {
+				dev->result = ISC_R_WOULDBLOCK;
+			}
+			return (DOIO_SOFT);
+		}
+
+#define SOFT_OR_HARD(_system, _isc)                                   \
+	if (send_errno == _system) {                                  \
+		if (sock->connected) {                                \
+			dev->result = _isc;                           \
+			inc_stats(sock->manager->stats,               \
+				  sock->statsindex[STATID_SENDFAIL]); \
+			return (DOIO_HARD);                           \
+		}                                                     \
+		return (DOIO_SOFT);                                   \
+	}
+#define ALWAYS_HARD(_system, _isc)                            \
+	if (send_errno == _system) {                          \
+		dev->result = _isc;                           \
+		inc_stats(sock->manager->stats,               \
+			  sock->statsindex[STATID_SENDFAIL]); \
+		return (DOIO_HARD);                           \
+	}
+
+		SOFT_OR_HARD(ECONNREFUSED, ISC_R_CONNREFUSED);
+		ALWAYS_HARD(EACCES, ISC_R_NOPERM);
+		ALWAYS_HARD(EAFNOSUPPORT, ISC_R_ADDRNOTAVAIL);
+		ALWAYS_HARD(EADDRNOTAVAIL, ISC_R_ADDRNOTAVAIL);
+		ALWAYS_HARD(EHOSTUNREACH, ISC_R_HOSTUNREACH);
+#ifdef EHOSTDOWN
+		ALWAYS_HARD(EHOSTDOWN, ISC_R_HOSTUNREACH);
+#endif /* ifdef EHOSTDOWN */
+		ALWAYS_HARD(ENETUNREACH, ISC_R_NETUNREACH);
+		SOFT_OR_HARD(ENOBUFS, ISC_R_NORESOURCES);
+		ALWAYS_HARD(EPERM, ISC_R_HOSTUNREACH);
+		ALWAYS_HARD(EPIPE, ISC_R_NOTCONNECTED);
+		ALWAYS_HARD(ECONNRESET, ISC_R_CONNECTIONRESET);
+
+#undef SOFT_OR_HARD
+#undef ALWAYS_HARD
+
+		/*
+		 * The other error types depend on whether or not the
+		 * socket is UDP or TCP.  If it is UDP, some errors
+		 * that we expect to be fatal under TCP are merely
+		 * annoying, and are really soft errors.
+		 *
+		 * However, these soft errors are still returned as
+		 * a status.
+		 */
+		isc_sockaddr_format(&dev->address, addrbuf, sizeof(addrbuf));
+		strerror_r(send_errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__, "internal_send: %s: %s",
+				 addrbuf, strbuf);
+		dev->result = isc__errno2result(send_errno);
+		inc_stats(sock->manager->stats,
+			  sock->statsindex[STATID_SENDFAIL]);
+		return (DOIO_HARD);
+	}
+
+	if (cc == 0) {
+		inc_stats(sock->manager->stats,
+			  sock->statsindex[STATID_SENDFAIL]);
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "doio_send: send() returned 0");
+	}
+
+	/*
+	 * If we write less than we expected, update counters, poke.
+	 */
+	dev->n += cc;
+	if ((size_t)cc != write_count) {
+		return (DOIO_SOFT);
+	}
+
+	/*
+	 * Exactly what we wanted to write.  We're done with this
+	 * entry.  Post its completion event.
+	 */
+	dev->result = ISC_R_SUCCESS;
+	return (DOIO_SUCCESS);
+}
+
+/*
+ * Kill.
+ *
+ * Caller must ensure that the socket is not locked and no external
+ * references exist.
+ */
+static void
+socketclose(isc__socketthread_t *thread, isc_socket_t *sock, int fd) {
+	int lockid = FDLOCK_ID(fd);
+	/*
+	 * No one has this socket open, so the watcher doesn't have to be
+	 * poked, and the socket doesn't have to be locked.
+	 */
+	LOCK(&thread->fdlock[lockid]);
+	thread->fds[fd] = NULL;
+	thread->fdstate[fd] = CLOSE_PENDING;
+	UNLOCK(&thread->fdlock[lockid]);
+	select_poke(thread->manager, thread->threadid, fd, SELECT_POKE_CLOSE);
+
+	inc_stats(thread->manager->stats, sock->statsindex[STATID_CLOSE]);
+
+	LOCK(&sock->lock);
+	if (sock->active == 1) {
+		dec_stats(thread->manager->stats,
+			  sock->statsindex[STATID_ACTIVE]);
+		sock->active = 0;
+	}
+	UNLOCK(&sock->lock);
+
+	/*
+	 * update manager->maxfd here (XXX: this should be implemented more
+	 * efficiently)
+	 */
+#ifdef USE_SELECT
+	LOCK(&thread->manager->lock);
+	if (thread->maxfd == fd) {
+		int i;
+
+		thread->maxfd = 0;
+		for (i = fd - 1; i >= 0; i--) {
+			lockid = FDLOCK_ID(i);
+
+			LOCK(&thread->fdlock[lockid]);
+			if (thread->fdstate[i] == MANAGED) {
+				thread->maxfd = i;
+				UNLOCK(&thread->fdlock[lockid]);
+				break;
+			}
+			UNLOCK(&thread->fdlock[lockid]);
+		}
+		if (thread->maxfd < thread->pipe_fds[0]) {
+			thread->maxfd = thread->pipe_fds[0];
+		}
+	}
+
+	UNLOCK(&thread->manager->lock);
+#endif /* USE_SELECT */
+}
+
+static void
+destroy(isc_socket_t **sockp) {
+	int fd = 0;
+	isc_socket_t *sock = *sockp;
+	isc_socketmgr_t *manager = sock->manager;
+	isc__socketthread_t *thread = NULL;
+
+	socket_log(sock, NULL, CREATION, "destroying");
+
+	isc_refcount_destroy(&sock->references);
+
+	LOCK(&sock->lock);
+	INSIST(ISC_LIST_EMPTY(sock->connect_list));
+	INSIST(ISC_LIST_EMPTY(sock->accept_list));
+	INSIST(ISC_LIST_EMPTY(sock->recv_list));
+	INSIST(ISC_LIST_EMPTY(sock->send_list));
+	INSIST(sock->fd >= -1 && sock->fd < (int)manager->maxsocks);
+
+	if (sock->fd >= 0) {
+		fd = sock->fd;
+		thread = &manager->threads[sock->threadid];
+		sock->fd = -1;
+		sock->threadid = -1;
+	}
+	UNLOCK(&sock->lock);
+
+	if (fd > 0) {
+		socketclose(thread, sock, fd);
+	}
+
+	LOCK(&manager->lock);
+
+	ISC_LIST_UNLINK(manager->socklist, sock, link);
+
+	if (ISC_LIST_EMPTY(manager->socklist)) {
+		SIGNAL(&manager->shutdown_ok);
+	}
+
+	/* can't unlock manager as its memory context is still used */
+	free_socket(sockp);
+
+	UNLOCK(&manager->lock);
+}
+
+static isc_result_t
+allocate_socket(isc_socketmgr_t *manager, isc_sockettype_t type,
+		isc_socket_t **socketp) {
+	isc_socket_t *sock;
+
+	sock = isc_mem_get(manager->mctx, sizeof(*sock));
+
+	sock->magic = 0;
+	isc_refcount_init(&sock->references, 0);
+
+	sock->manager = manager;
+	sock->type = type;
+	sock->fd = -1;
+	sock->threadid = -1;
+	sock->dscp = 0; /* TOS/TCLASS is zero until set. */
+	sock->dupped = 0;
+	sock->statsindex = NULL;
+	sock->active = 0;
+
+	ISC_LINK_INIT(sock, link);
+
+	memset(sock->name, 0, sizeof(sock->name));
+	sock->tag = NULL;
+
+	/*
+	 * Set up list of readers and writers to be initially empty.
+	 */
+	ISC_LIST_INIT(sock->recv_list);
+	ISC_LIST_INIT(sock->send_list);
+	ISC_LIST_INIT(sock->accept_list);
+	ISC_LIST_INIT(sock->connect_list);
+
+	sock->listener = 0;
+	sock->connected = 0;
+	sock->connecting = 0;
+	sock->bound = 0;
+	sock->pktdscp = 0;
+
+	/*
+	 * Initialize the lock.
+	 */
+	isc_mutex_init(&sock->lock);
+
+	sock->magic = SOCKET_MAGIC;
+	*socketp = sock;
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * This event requires that the various lists be empty, that the reference
+ * count be 1, and that the magic number is valid.  The other socket bits,
+ * like the lock, must be initialized as well.  The fd associated must be
+ * marked as closed, by setting it to -1 on close, or this routine will
+ * also close the socket.
+ */
+static void
+free_socket(isc_socket_t **socketp) {
+	isc_socket_t *sock = *socketp;
+	*socketp = NULL;
+
+	INSIST(VALID_SOCKET(sock));
+	isc_refcount_destroy(&sock->references);
+	LOCK(&sock->lock);
+	INSIST(!sock->connecting);
+	INSIST(ISC_LIST_EMPTY(sock->recv_list));
+	INSIST(ISC_LIST_EMPTY(sock->send_list));
+	INSIST(ISC_LIST_EMPTY(sock->accept_list));
+	INSIST(ISC_LIST_EMPTY(sock->connect_list));
+	INSIST(!ISC_LINK_LINKED(sock, link));
+	UNLOCK(&sock->lock);
+
+	sock->magic = 0;
+
+	isc_mutex_destroy(&sock->lock);
+
+	isc_mem_put(sock->manager->mctx, sock, sizeof(*sock));
+}
+
+#if defined(SET_RCVBUF)
+static isc_once_t rcvbuf_once = ISC_ONCE_INIT;
+static int rcvbuf = ISC_RECV_BUFFER_SIZE;
+
+static void
+set_rcvbuf(void) {
+	int fd;
+	int max = rcvbuf, min;
+	socklen_t len;
+
+	fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
+	if (fd == -1) {
+		switch (errno) {
+		case EPROTONOSUPPORT:
+		case EPFNOSUPPORT:
+		case EAFNOSUPPORT:
+		/*
+		 * Linux 2.2 (and maybe others) return EINVAL instead of
+		 * EAFNOSUPPORT.
+		 */
+		case EINVAL:
+			fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);
+			break;
+		}
+	}
+	if (fd == -1) {
+		return;
+	}
+
+	len = sizeof(min);
+	if (getsockopt(fd, SOL_SOCKET, SO_RCVBUF, (void *)&min, &len) == 0 &&
+	    min < rcvbuf)
+	{
+	again:
+		if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, (void *)&rcvbuf,
+			       sizeof(rcvbuf)) == -1)
+		{
+			if (errno == ENOBUFS && rcvbuf > min) {
+				max = rcvbuf - 1;
+				rcvbuf = (rcvbuf + min) / 2;
+				goto again;
+			} else {
+				rcvbuf = min;
+				goto cleanup;
+			}
+		} else {
+			min = rcvbuf;
+		}
+		if (min != max) {
+			rcvbuf = max;
+			goto again;
+		}
+	}
+cleanup:
+	close(fd);
+}
+#endif /* ifdef SO_RCVBUF */
+
+#if defined(SET_SNDBUF)
+static isc_once_t sndbuf_once = ISC_ONCE_INIT;
+static int sndbuf = ISC_SEND_BUFFER_SIZE;
+
+static void
+set_sndbuf(void) {
+	int fd;
+	int max = sndbuf, min;
+	socklen_t len;
+
+	fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
+	if (fd == -1) {
+		switch (errno) {
+		case EPROTONOSUPPORT:
+		case EPFNOSUPPORT:
+		case EAFNOSUPPORT:
+		/*
+		 * Linux 2.2 (and maybe others) return EINVAL instead of
+		 * EAFNOSUPPORT.
+		 */
+		case EINVAL:
+			fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);
+			break;
+		}
+	}
+	if (fd == -1) {
+		return;
+	}
+
+	len = sizeof(min);
+	if (getsockopt(fd, SOL_SOCKET, SO_SNDBUF, (void *)&min, &len) == 0 &&
+	    min < sndbuf)
+	{
+	again:
+		if (setsockopt(fd, SOL_SOCKET, SO_SNDBUF, (void *)&sndbuf,
+			       sizeof(sndbuf)) == -1)
+		{
+			if (errno == ENOBUFS && sndbuf > min) {
+				max = sndbuf - 1;
+				sndbuf = (sndbuf + min) / 2;
+				goto again;
+			} else {
+				sndbuf = min;
+				goto cleanup;
+			}
+		} else {
+			min = sndbuf;
+		}
+		if (min != max) {
+			sndbuf = max;
+			goto again;
+		}
+	}
+cleanup:
+	close(fd);
+}
+#endif /* ifdef SO_SNDBUF */
+
+static void
+use_min_mtu(isc_socket_t *sock) {
+#if !defined(IPV6_USE_MIN_MTU) && !defined(IPV6_MTU)
+	UNUSED(sock);
+#endif /* if !defined(IPV6_USE_MIN_MTU) && !defined(IPV6_MTU) */
+#ifdef IPV6_USE_MIN_MTU
+	/* use minimum MTU */
+	if (sock->pf == AF_INET6) {
+		int on = 1;
+		(void)setsockopt(sock->fd, IPPROTO_IPV6, IPV6_USE_MIN_MTU,
+				 (void *)&on, sizeof(on));
+	}
+#endif /* ifdef IPV6_USE_MIN_MTU */
+#if defined(IPV6_MTU)
+	/*
+	 * Use minimum MTU on IPv6 sockets.
+	 */
+	if (sock->pf == AF_INET6) {
+		int mtu = 1280;
+		(void)setsockopt(sock->fd, IPPROTO_IPV6, IPV6_MTU, &mtu,
+				 sizeof(mtu));
+	}
+#endif /* if defined(IPV6_MTU) */
+}
+
+static void
+set_tcp_maxseg(isc_socket_t *sock, int size) {
+#ifdef TCP_MAXSEG
+	if (sock->type == isc_sockettype_tcp) {
+		(void)setsockopt(sock->fd, IPPROTO_TCP, TCP_MAXSEG,
+				 (void *)&size, sizeof(size));
+	}
+#endif /* ifdef TCP_MAXSEG */
+}
+
+static void
+set_ip_disable_pmtud(isc_socket_t *sock) {
+	/*
+	 * Disable Path MTU Discover on IP packets
+	 */
+	if (sock->pf == AF_INET6) {
+#if defined(IPV6_DONTFRAG)
+		(void)setsockopt(sock->fd, IPPROTO_IPV6, IPV6_DONTFRAG,
+				 &(int){ 0 }, sizeof(int));
+#endif
+#if defined(IPV6_MTU_DISCOVER) && defined(IP_PMTUDISC_OMIT)
+		(void)setsockopt(sock->fd, IPPROTO_IPV6, IPV6_MTU_DISCOVER,
+				 &(int){ IP_PMTUDISC_OMIT }, sizeof(int));
+#endif
+	} else if (sock->pf == AF_INET) {
+#if defined(IP_DONTFRAG)
+		(void)setsockopt(sock->fd, IPPROTO_IP, IP_DONTFRAG, &(int){ 0 },
+				 sizeof(int));
+#endif
+#if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_OMIT)
+		(void)setsockopt(sock->fd, IPPROTO_IP, IP_MTU_DISCOVER,
+				 &(int){ IP_PMTUDISC_OMIT }, sizeof(int));
+#endif
+	}
+}
+
+static isc_result_t
+opensocket(isc_socketmgr_t *manager, isc_socket_t *sock,
+	   isc_socket_t *dup_socket) {
+	isc_result_t result;
+	char strbuf[ISC_STRERRORSIZE];
+	const char *err = "socket";
+	int tries = 0;
+#if defined(USE_CMSG) || defined(SO_NOSIGPIPE)
+	int on = 1;
+#endif /* if defined(USE_CMSG) || defined(SO_NOSIGPIPE) */
+#if defined(SET_RCVBUF) || defined(SET_SNDBUF)
+	socklen_t optlen;
+	int size = 0;
+#endif
+
+again:
+	if (dup_socket == NULL) {
+		switch (sock->type) {
+		case isc_sockettype_udp:
+			sock->fd = socket(sock->pf, SOCK_DGRAM, IPPROTO_UDP);
+			break;
+		case isc_sockettype_tcp:
+			sock->fd = socket(sock->pf, SOCK_STREAM, IPPROTO_TCP);
+			break;
+		case isc_sockettype_unix:
+			sock->fd = socket(sock->pf, SOCK_STREAM, 0);
+			break;
+		case isc_sockettype_raw:
+			errno = EPFNOSUPPORT;
+			/*
+			 * PF_ROUTE is a alias for PF_NETLINK on linux.
+			 */
+#if defined(PF_ROUTE)
+			if (sock->fd == -1 && sock->pf == PF_ROUTE) {
+#ifdef NETLINK_ROUTE
+				sock->fd = socket(sock->pf, SOCK_RAW,
+						  NETLINK_ROUTE);
+#else  /* ifdef NETLINK_ROUTE */
+				sock->fd = socket(sock->pf, SOCK_RAW, 0);
+#endif /* ifdef NETLINK_ROUTE */
+				if (sock->fd != -1) {
+#ifdef NETLINK_ROUTE
+					struct sockaddr_nl sa;
+					int n;
+
+					/*
+					 * Do an implicit bind.
+					 */
+					memset(&sa, 0, sizeof(sa));
+					sa.nl_family = AF_NETLINK;
+					sa.nl_groups = RTMGRP_IPV4_IFADDR |
+						       RTMGRP_IPV6_IFADDR;
+					n = bind(sock->fd,
+						 (struct sockaddr *)&sa,
+						 sizeof(sa));
+					if (n < 0) {
+						close(sock->fd);
+						sock->fd = -1;
+					}
+#endif /* ifdef NETLINK_ROUTE */
+					sock->bound = 1;
+				}
+			}
+#endif /* if defined(PF_ROUTE) */
+			break;
+		}
+	} else {
+		sock->fd = dup(dup_socket->fd);
+		sock->dupped = 1;
+		sock->bound = dup_socket->bound;
+	}
+	if (sock->fd == -1 && errno == EINTR && tries++ < 42) {
+		goto again;
+	}
+
+#ifdef F_DUPFD
+	/*
+	 * Leave a space for stdio and TCP to work in.
+	 */
+	if (manager->reserved != 0 && sock->type == isc_sockettype_udp &&
+	    sock->fd >= 0 && sock->fd < manager->reserved)
+	{
+		int newfd, tmp;
+		newfd = fcntl(sock->fd, F_DUPFD, manager->reserved);
+		tmp = errno;
+		(void)close(sock->fd);
+		errno = tmp;
+		sock->fd = newfd;
+		err = "isc_socket_create: fcntl/reserved";
+	} else if (sock->fd >= 0 && sock->fd < 20) {
+		int newfd, tmp;
+		newfd = fcntl(sock->fd, F_DUPFD, 20);
+		tmp = errno;
+		(void)close(sock->fd);
+		errno = tmp;
+		sock->fd = newfd;
+		err = "isc_socket_create: fcntl";
+	}
+#endif /* ifdef F_DUPFD */
+
+	if (sock->fd >= (int)manager->maxsocks) {
+		(void)close(sock->fd);
+		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
+			      "socket: file descriptor exceeds limit (%d/%u)",
+			      sock->fd, manager->maxsocks);
+		inc_stats(manager->stats, sock->statsindex[STATID_OPENFAIL]);
+		return (ISC_R_NORESOURCES);
+	}
+
+	if (sock->fd < 0) {
+		switch (errno) {
+		case EMFILE:
+		case ENFILE:
+			strerror_r(errno, strbuf, sizeof(strbuf));
+			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+				      ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
+				      "%s: %s", err, strbuf);
+			FALLTHROUGH;
+		case ENOBUFS:
+			inc_stats(manager->stats,
+				  sock->statsindex[STATID_OPENFAIL]);
+			return (ISC_R_NORESOURCES);
+
+		case EPROTONOSUPPORT:
+		case EPFNOSUPPORT:
+		case EAFNOSUPPORT:
+		/*
+		 * Linux 2.2 (and maybe others) return EINVAL instead of
+		 * EAFNOSUPPORT.
+		 */
+		case EINVAL:
+			inc_stats(manager->stats,
+				  sock->statsindex[STATID_OPENFAIL]);
+			return (ISC_R_FAMILYNOSUPPORT);
+
+		default:
+			strerror_r(errno, strbuf, sizeof(strbuf));
+			UNEXPECTED_ERROR(__FILE__, __LINE__, "%s() failed: %s",
+					 err, strbuf);
+			inc_stats(manager->stats,
+				  sock->statsindex[STATID_OPENFAIL]);
+			return (ISC_R_UNEXPECTED);
+		}
+	}
+
+	if (dup_socket != NULL) {
+		goto setup_done;
+	}
+
+	result = make_nonblock(sock->fd);
+	if (result != ISC_R_SUCCESS) {
+		(void)close(sock->fd);
+		inc_stats(manager->stats, sock->statsindex[STATID_OPENFAIL]);
+		return (result);
+	}
+
+#ifdef SO_NOSIGPIPE
+	if (setsockopt(sock->fd, SOL_SOCKET, SO_NOSIGPIPE, (void *)&on,
+		       sizeof(on)) < 0)
+	{
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "setsockopt(%d, SO_NOSIGPIPE) failed: %s",
+				 sock->fd, strbuf);
+		/* Press on... */
+	}
+#endif /* ifdef SO_NOSIGPIPE */
+
+	/*
+	 * Use minimum mtu if possible.
+	 */
+	if (sock->type == isc_sockettype_tcp && sock->pf == AF_INET6) {
+		use_min_mtu(sock);
+		set_tcp_maxseg(sock, 1280 - 20 - 40); /* 1280 - TCP - IPV6 */
+	}
+
+#if defined(USE_CMSG) || defined(SET_RCVBUF) || defined(SET_SNDBUF)
+	if (sock->type == isc_sockettype_udp) {
+#if defined(USE_CMSG)
+#if defined(SO_TIMESTAMP)
+		if (setsockopt(sock->fd, SOL_SOCKET, SO_TIMESTAMP, (void *)&on,
+			       sizeof(on)) < 0 &&
+		    errno != ENOPROTOOPT)
+		{
+			strerror_r(errno, strbuf, sizeof(strbuf));
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "setsockopt(%d, SO_TIMESTAMP) failed: "
+					 "%s",
+					 sock->fd, strbuf);
+			/* Press on... */
+		}
+#endif /* SO_TIMESTAMP */
+
+#ifdef IPV6_RECVPKTINFO
+		/* RFC 3542 */
+		if ((sock->pf == AF_INET6) &&
+		    (setsockopt(sock->fd, IPPROTO_IPV6, IPV6_RECVPKTINFO,
+				(void *)&on, sizeof(on)) < 0))
+		{
+			strerror_r(errno, strbuf, sizeof(strbuf));
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "setsockopt(%d, IPV6_RECVPKTINFO) "
+					 "failed: %s",
+					 sock->fd, strbuf);
+		}
+#else  /* ifdef IPV6_RECVPKTINFO */
+		/* RFC 2292 */
+		if ((sock->pf == AF_INET6) &&
+		    (setsockopt(sock->fd, IPPROTO_IPV6, IPV6_PKTINFO,
+				(void *)&on, sizeof(on)) < 0))
+		{
+			strerror_r(errno, strbuf, sizeof(strbuf));
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "setsockopt(%d, IPV6_PKTINFO) failed: "
+					 "%s",
+					 sock->fd, strbuf);
+		}
+#endif /* IPV6_RECVPKTINFO */
+#endif /* defined(USE_CMSG) */
+
+#if defined(SET_RCVBUF)
+		optlen = sizeof(size);
+		if (getsockopt(sock->fd, SOL_SOCKET, SO_RCVBUF, (void *)&size,
+			       &optlen) == 0 &&
+		    size < rcvbuf)
+		{
+			RUNTIME_CHECK(isc_once_do(&rcvbuf_once, set_rcvbuf) ==
+				      ISC_R_SUCCESS);
+			if (setsockopt(sock->fd, SOL_SOCKET, SO_RCVBUF,
+				       (void *)&rcvbuf, sizeof(rcvbuf)) == -1)
+			{
+				strerror_r(errno, strbuf, sizeof(strbuf));
+				UNEXPECTED_ERROR(__FILE__, __LINE__,
+						 "setsockopt(%d, SO_RCVBUF, "
+						 "%d) failed: %s",
+						 sock->fd, rcvbuf, strbuf);
+			}
+		}
+#endif /* if defined(SET_RCVBUF) */
+
+#if defined(SET_SNDBUF)
+		optlen = sizeof(size);
+		if (getsockopt(sock->fd, SOL_SOCKET, SO_SNDBUF, (void *)&size,
+			       &optlen) == 0 &&
+		    size < sndbuf)
+		{
+			RUNTIME_CHECK(isc_once_do(&sndbuf_once, set_sndbuf) ==
+				      ISC_R_SUCCESS);
+			if (setsockopt(sock->fd, SOL_SOCKET, SO_SNDBUF,
+				       (void *)&sndbuf, sizeof(sndbuf)) == -1)
+			{
+				strerror_r(errno, strbuf, sizeof(strbuf));
+				UNEXPECTED_ERROR(__FILE__, __LINE__,
+						 "setsockopt(%d, SO_SNDBUF, "
+						 "%d) failed: %s",
+						 sock->fd, sndbuf, strbuf);
+			}
+		}
+#endif /* if defined(SO_SNDBUF) */
+	}
+#ifdef IPV6_RECVTCLASS
+	if ((sock->pf == AF_INET6) &&
+	    (setsockopt(sock->fd, IPPROTO_IPV6, IPV6_RECVTCLASS, (void *)&on,
+			sizeof(on)) < 0))
+	{
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "setsockopt(%d, IPV6_RECVTCLASS) "
+				 "failed: %s",
+				 sock->fd, strbuf);
+	}
+#endif /* ifdef IPV6_RECVTCLASS */
+#ifdef IP_RECVTOS
+	if ((sock->pf == AF_INET) &&
+	    (setsockopt(sock->fd, IPPROTO_IP, IP_RECVTOS, (void *)&on,
+			sizeof(on)) < 0))
+	{
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "setsockopt(%d, IP_RECVTOS) "
+				 "failed: %s",
+				 sock->fd, strbuf);
+	}
+#endif /* ifdef IP_RECVTOS */
+#endif /* defined(USE_CMSG) || defined(SET_RCVBUF) || defined(SET_SNDBUF) */
+
+	set_ip_disable_pmtud(sock);
+
+setup_done:
+	inc_stats(manager->stats, sock->statsindex[STATID_OPEN]);
+	if (sock->active == 0) {
+		inc_stats(manager->stats, sock->statsindex[STATID_ACTIVE]);
+		sock->active = 1;
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Create a 'type' socket or duplicate an existing socket, managed
+ * by 'manager'.  Events will be posted to 'task' and when dispatched
+ * 'action' will be called with 'arg' as the arg value.  The new
+ * socket is returned in 'socketp'.
+ */
+static isc_result_t
+socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
+	      isc_socket_t **socketp, isc_socket_t *dup_socket) {
+	isc_socket_t *sock = NULL;
+	isc__socketthread_t *thread;
+	isc_result_t result;
+	int lockid;
+
+	REQUIRE(VALID_MANAGER(manager));
+	REQUIRE(socketp != NULL && *socketp == NULL);
+
+	result = allocate_socket(manager, type, &sock);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	switch (sock->type) {
+	case isc_sockettype_udp:
+		sock->statsindex = (pf == AF_INET) ? udp4statsindex
+						   : udp6statsindex;
+#define DCSPPKT(pf) ((pf == AF_INET) ? ISC_NET_DSCPPKTV4 : ISC_NET_DSCPPKTV6)
+		sock->pktdscp = (isc_net_probedscp() & DCSPPKT(pf)) != 0;
+		break;
+	case isc_sockettype_tcp:
+		sock->statsindex = (pf == AF_INET) ? tcp4statsindex
+						   : tcp6statsindex;
+		break;
+	case isc_sockettype_unix:
+		sock->statsindex = unixstatsindex;
+		break;
+	case isc_sockettype_raw:
+		sock->statsindex = rawstatsindex;
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	sock->pf = pf;
+
+	result = opensocket(manager, sock, dup_socket);
+	if (result != ISC_R_SUCCESS) {
+		free_socket(&sock);
+		return (result);
+	}
+
+	if (sock->fd == -1) {
+		abort();
+	}
+	sock->threadid = gen_threadid(sock);
+	isc_refcount_increment0(&sock->references);
+	thread = &manager->threads[sock->threadid];
+	*socketp = sock;
+
+	/*
+	 * Note we don't have to lock the socket like we normally would because
+	 * there are no external references to it yet.
+	 */
+
+	lockid = FDLOCK_ID(sock->fd);
+	LOCK(&thread->fdlock[lockid]);
+	thread->fds[sock->fd] = sock;
+	thread->fdstate[sock->fd] = MANAGED;
+#if defined(USE_EPOLL)
+	thread->epoll_events[sock->fd] = 0;
+#endif /* if defined(USE_EPOLL) */
+#ifdef USE_DEVPOLL
+	INSIST(thread->fdpollinfo[sock->fd].want_read == 0 &&
+	       thread->fdpollinfo[sock->fd].want_write == 0);
+#endif /* ifdef USE_DEVPOLL */
+	UNLOCK(&thread->fdlock[lockid]);
+
+	LOCK(&manager->lock);
+	ISC_LIST_APPEND(manager->socklist, sock, link);
+#ifdef USE_SELECT
+	if (thread->maxfd < sock->fd) {
+		thread->maxfd = sock->fd;
+	}
+#endif /* ifdef USE_SELECT */
+	UNLOCK(&manager->lock);
+
+	socket_log(sock, NULL, CREATION,
+		   dup_socket != NULL ? "dupped" : "created");
+
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Create a new 'type' socket managed by 'manager'.  Events
+ * will be posted to 'task' and when dispatched 'action' will be
+ * called with 'arg' as the arg value.  The new socket is returned
+ * in 'socketp'.
+ */
+isc_result_t
+isc_socket_create(isc_socketmgr_t *manager0, int pf, isc_sockettype_t type,
+		  isc_socket_t **socketp) {
+	return (socket_create(manager0, pf, type, socketp, NULL));
+}
+
+/*%
+ * Duplicate an existing socket.  The new socket is returned
+ * in 'socketp'.
+ */
+isc_result_t
+isc_socket_dup(isc_socket_t *sock, isc_socket_t **socketp) {
+	REQUIRE(VALID_SOCKET(sock));
+	REQUIRE(socketp != NULL && *socketp == NULL);
+
+	return (socket_create(sock->manager, sock->pf, sock->type, socketp,
+			      sock));
+}
+
+isc_result_t
+isc_socket_open(isc_socket_t *sock) {
+	isc_result_t result;
+	isc__socketthread_t *thread;
+
+	REQUIRE(VALID_SOCKET(sock));
+
+	LOCK(&sock->lock);
+
+	REQUIRE(isc_refcount_current(&sock->references) >= 1);
+	REQUIRE(sock->fd == -1);
+	REQUIRE(sock->threadid == -1);
+
+	result = opensocket(sock->manager, sock, NULL);
+
+	UNLOCK(&sock->lock);
+
+	if (result != ISC_R_SUCCESS) {
+		sock->fd = -1;
+	} else {
+		sock->threadid = gen_threadid(sock);
+		thread = &sock->manager->threads[sock->threadid];
+		int lockid = FDLOCK_ID(sock->fd);
+
+		LOCK(&thread->fdlock[lockid]);
+		thread->fds[sock->fd] = sock;
+		thread->fdstate[sock->fd] = MANAGED;
+#if defined(USE_EPOLL)
+		thread->epoll_events[sock->fd] = 0;
+#endif /* if defined(USE_EPOLL) */
+#ifdef USE_DEVPOLL
+		INSIST(thread->fdpollinfo[sock->fd].want_read == 0 &&
+		       thread->fdpollinfo[sock->fd].want_write == 0);
+#endif /* ifdef USE_DEVPOLL */
+		UNLOCK(&thread->fdlock[lockid]);
+
+#ifdef USE_SELECT
+		LOCK(&sock->manager->lock);
+		if (thread->maxfd < sock->fd) {
+			thread->maxfd = sock->fd;
+		}
+		UNLOCK(&sock->manager->lock);
+#endif /* ifdef USE_SELECT */
+	}
+
+	return (result);
+}
+
+/*
+ * Attach to a socket.  Caller must explicitly detach when it is done.
+ */
+void
+isc_socket_attach(isc_socket_t *sock, isc_socket_t **socketp) {
+	REQUIRE(VALID_SOCKET(sock));
+	REQUIRE(socketp != NULL && *socketp == NULL);
+
+	int old_refs = isc_refcount_increment(&sock->references);
+	REQUIRE(old_refs > 0);
+
+	*socketp = sock;
+}
+
+/*
+ * Dereference a socket.  If this is the last reference to it, clean things
+ * up by destroying the socket.
+ */
+void
+isc_socket_detach(isc_socket_t **socketp) {
+	isc_socket_t *sock;
+
+	REQUIRE(socketp != NULL);
+	sock = *socketp;
+	REQUIRE(VALID_SOCKET(sock));
+	if (isc_refcount_decrement(&sock->references) == 1) {
+		destroy(&sock);
+	}
+
+	*socketp = NULL;
+}
+
+isc_result_t
+isc_socket_close(isc_socket_t *sock) {
+	int fd;
+	isc_socketmgr_t *manager;
+	isc__socketthread_t *thread;
+	fflush(stdout);
+	REQUIRE(VALID_SOCKET(sock));
+
+	LOCK(&sock->lock);
+
+	REQUIRE(sock->fd >= 0 && sock->fd < (int)sock->manager->maxsocks);
+
+	INSIST(!sock->connecting);
+	INSIST(ISC_LIST_EMPTY(sock->recv_list));
+	INSIST(ISC_LIST_EMPTY(sock->send_list));
+	INSIST(ISC_LIST_EMPTY(sock->accept_list));
+	INSIST(ISC_LIST_EMPTY(sock->connect_list));
+
+	manager = sock->manager;
+	thread = &manager->threads[sock->threadid];
+	fd = sock->fd;
+	sock->fd = -1;
+	sock->threadid = -1;
+
+	sock->dupped = 0;
+	memset(sock->name, 0, sizeof(sock->name));
+	sock->tag = NULL;
+	sock->listener = 0;
+	sock->connected = 0;
+	sock->connecting = 0;
+	sock->bound = 0;
+	isc_sockaddr_any(&sock->peer_address);
+
+	UNLOCK(&sock->lock);
+
+	socketclose(thread, sock, fd);
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Dequeue an item off the given socket's read queue, set the result code
+ * in the done event to the one provided, and send it to the task it was
+ * destined for.
+ *
+ * If the event to be sent is on a list, remove it before sending.  If
+ * asked to, send and detach from the socket as well.
+ *
+ * Caller must have the socket locked if the event is attached to the socket.
+ */
+static void
+send_recvdone_event(isc_socket_t *sock, isc_socketevent_t **dev) {
+	isc_task_t *task;
+
+	task = (*dev)->ev_sender;
+
+	(*dev)->ev_sender = sock;
+
+	if (ISC_LINK_LINKED(*dev, ev_link)) {
+		ISC_LIST_DEQUEUE(sock->recv_list, *dev, ev_link);
+	}
+
+	if (((*dev)->attributes & ISC_SOCKEVENTATTR_ATTACHED) != 0) {
+		isc_task_sendtoanddetach(&task, (isc_event_t **)dev,
+					 sock->threadid);
+	} else {
+		isc_task_sendto(task, (isc_event_t **)dev, sock->threadid);
+	}
+}
+
+/*
+ * See comments for send_recvdone_event() above.
+ *
+ * Caller must have the socket locked if the event is attached to the socket.
+ */
+static void
+send_senddone_event(isc_socket_t *sock, isc_socketevent_t **dev) {
+	isc_task_t *task;
+
+	INSIST(dev != NULL && *dev != NULL);
+
+	task = (*dev)->ev_sender;
+	(*dev)->ev_sender = sock;
+
+	if (ISC_LINK_LINKED(*dev, ev_link)) {
+		ISC_LIST_DEQUEUE(sock->send_list, *dev, ev_link);
+	}
+
+	if (((*dev)->attributes & ISC_SOCKEVENTATTR_ATTACHED) != 0) {
+		isc_task_sendtoanddetach(&task, (isc_event_t **)dev,
+					 sock->threadid);
+	} else {
+		isc_task_sendto(task, (isc_event_t **)dev, sock->threadid);
+	}
+}
+
+/*
+ * See comments for send_recvdone_event() above.
+ *
+ * Caller must have the socket locked if the event is attached to the socket.
+ */
+static void
+send_connectdone_event(isc_socket_t *sock, isc_socket_connev_t **dev) {
+	isc_task_t *task;
+
+	INSIST(dev != NULL && *dev != NULL);
+
+	task = (*dev)->ev_sender;
+	(*dev)->ev_sender = sock;
+
+	if (ISC_LINK_LINKED(*dev, ev_link)) {
+		ISC_LIST_DEQUEUE(sock->connect_list, *dev, ev_link);
+	}
+
+	isc_task_sendtoanddetach(&task, (isc_event_t **)dev, sock->threadid);
+}
+
+/*
+ * Call accept() on a socket, to get the new file descriptor.  The listen
+ * socket is used as a prototype to create a new isc_socket_t.  The new
+ * socket has one outstanding reference.  The task receiving the event
+ * will be detached from just after the event is delivered.
+ *
+ * On entry to this function, the event delivered is the internal
+ * readable event, and the first item on the accept_list should be
+ * the done event we want to send.  If the list is empty, this is a no-op,
+ * so just unlock and return.
+ */
+static void
+internal_accept(isc_socket_t *sock) {
+	isc_socketmgr_t *manager;
+	isc__socketthread_t *thread, *nthread;
+	isc_socket_newconnev_t *dev;
+	isc_task_t *task;
+	socklen_t addrlen;
+	int fd;
+	isc_result_t result = ISC_R_SUCCESS;
+	char strbuf[ISC_STRERRORSIZE];
+	const char *err = "accept";
+
+	INSIST(VALID_SOCKET(sock));
+	REQUIRE(sock->fd >= 0);
+
+	socket_log(sock, NULL, TRACE, "internal_accept called, locked socket");
+
+	manager = sock->manager;
+	INSIST(VALID_MANAGER(manager));
+	thread = &manager->threads[sock->threadid];
+
+	INSIST(sock->listener);
+
+	/*
+	 * Get the first item off the accept list.
+	 * If it is empty, unlock the socket and return.
+	 */
+	dev = ISC_LIST_HEAD(sock->accept_list);
+	if (dev == NULL) {
+		unwatch_fd(thread, sock->fd, SELECT_POKE_ACCEPT);
+		UNLOCK(&sock->lock);
+		return;
+	}
+
+	/*
+	 * Try to accept the new connection.  If the accept fails with
+	 * EAGAIN or EINTR, simply poke the watcher to watch this socket
+	 * again.  Also ignore ECONNRESET, which has been reported to
+	 * be spuriously returned on Linux 2.2.19 although it is not
+	 * a documented error for accept().  ECONNABORTED has been
+	 * reported for Solaris 8.  The rest are thrown in not because
+	 * we have seen them but because they are ignored by other
+	 * daemons such as BIND 8 and Apache.
+	 */
+
+	addrlen = sizeof(NEWCONNSOCK(dev)->peer_address.type);
+	memset(&NEWCONNSOCK(dev)->peer_address.type, 0, addrlen);
+	fd = accept(sock->fd, &NEWCONNSOCK(dev)->peer_address.type.sa,
+		    (void *)&addrlen);
+
+#ifdef F_DUPFD
+	/*
+	 * Leave a space for stdio to work in.
+	 */
+	if (fd >= 0 && fd < 20) {
+		int newfd, tmp;
+		newfd = fcntl(fd, F_DUPFD, 20);
+		tmp = errno;
+		(void)close(fd);
+		errno = tmp;
+		fd = newfd;
+		err = "accept/fcntl";
+	}
+#endif /* ifdef F_DUPFD */
+
+	if (fd < 0) {
+		if (SOFT_ERROR(errno)) {
+			goto soft_error;
+		}
+		switch (errno) {
+		case ENFILE:
+		case EMFILE:
+			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+				      ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
+				      "%s: too many open file descriptors",
+				      err);
+			goto soft_error;
+
+		case ENOBUFS:
+		case ENOMEM:
+		case ECONNRESET:
+		case ECONNABORTED:
+		case EHOSTUNREACH:
+		case EHOSTDOWN:
+		case ENETUNREACH:
+		case ENETDOWN:
+		case ECONNREFUSED:
+#ifdef EPROTO
+		case EPROTO:
+#endif /* ifdef EPROTO */
+#ifdef ENONET
+		case ENONET:
+#endif /* ifdef ENONET */
+			goto soft_error;
+		default:
+			break;
+		}
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "internal_accept: %s() failed: %s", err,
+				 strbuf);
+		fd = -1;
+		result = ISC_R_UNEXPECTED;
+	} else {
+		if (addrlen == 0U) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "internal_accept(): "
+					 "accept() failed to return "
+					 "remote address");
+
+			(void)close(fd);
+			goto soft_error;
+		} else if (NEWCONNSOCK(dev)->peer_address.type.sa.sa_family !=
+			   sock->pf)
+		{
+			UNEXPECTED_ERROR(
+				__FILE__, __LINE__,
+				"internal_accept(): "
+				"accept() returned peer address "
+				"family %u (expected %u)",
+				NEWCONNSOCK(dev)->peer_address.type.sa.sa_family,
+				sock->pf);
+			(void)close(fd);
+			goto soft_error;
+		} else if (fd >= (int)manager->maxsocks) {
+			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+				      ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
+				      "accept: file descriptor exceeds limit "
+				      "(%d/%u)",
+				      fd, manager->maxsocks);
+			(void)close(fd);
+			goto soft_error;
+		}
+	}
+
+	if (fd != -1) {
+		NEWCONNSOCK(dev)->peer_address.length = addrlen;
+		NEWCONNSOCK(dev)->pf = sock->pf;
+	}
+
+	/*
+	 * Pull off the done event.
+	 */
+	ISC_LIST_UNLINK(sock->accept_list, dev, ev_link);
+
+	/*
+	 * Poke watcher if there are more pending accepts.
+	 */
+	if (ISC_LIST_EMPTY(sock->accept_list)) {
+		unwatch_fd(thread, sock->fd, SELECT_POKE_ACCEPT);
+	}
+
+	if (fd != -1) {
+		result = make_nonblock(fd);
+		if (result != ISC_R_SUCCESS) {
+			(void)close(fd);
+			fd = -1;
+		}
+	}
+
+	/*
+	 * We need to unlock sock->lock now to be able to lock manager->lock
+	 * without risking a deadlock with xmlstats.
+	 */
+	UNLOCK(&sock->lock);
+
+	/*
+	 * -1 means the new socket didn't happen.
+	 */
+	if (fd != -1) {
+		int lockid = FDLOCK_ID(fd);
+
+		NEWCONNSOCK(dev)->fd = fd;
+		NEWCONNSOCK(dev)->threadid = gen_threadid(NEWCONNSOCK(dev));
+		NEWCONNSOCK(dev)->bound = 1;
+		NEWCONNSOCK(dev)->connected = 1;
+		nthread = &manager->threads[NEWCONNSOCK(dev)->threadid];
+
+		/*
+		 * We already hold a lock on one fdlock in accepting thread,
+		 * we need to make sure that we don't double lock.
+		 */
+		bool same_bucket = (sock->threadid ==
+				    NEWCONNSOCK(dev)->threadid) &&
+				   (FDLOCK_ID(sock->fd) == lockid);
+
+		/*
+		 * Use minimum mtu if possible.
+		 */
+		use_min_mtu(NEWCONNSOCK(dev));
+		set_tcp_maxseg(NEWCONNSOCK(dev), 1280 - 20 - 40);
+
+		/*
+		 * Ensure DSCP settings are inherited across accept.
+		 */
+		setdscp(NEWCONNSOCK(dev), sock->dscp);
+
+		/*
+		 * Save away the remote address
+		 */
+		dev->address = NEWCONNSOCK(dev)->peer_address;
+
+		if (NEWCONNSOCK(dev)->active == 0) {
+			inc_stats(manager->stats,
+				  NEWCONNSOCK(dev)->statsindex[STATID_ACTIVE]);
+			NEWCONNSOCK(dev)->active = 1;
+		}
+
+		if (!same_bucket) {
+			LOCK(&nthread->fdlock[lockid]);
+		}
+		nthread->fds[fd] = NEWCONNSOCK(dev);
+		nthread->fdstate[fd] = MANAGED;
+#if defined(USE_EPOLL)
+		nthread->epoll_events[fd] = 0;
+#endif /* if defined(USE_EPOLL) */
+		if (!same_bucket) {
+			UNLOCK(&nthread->fdlock[lockid]);
+		}
+
+		LOCK(&manager->lock);
+
+#ifdef USE_SELECT
+		if (nthread->maxfd < fd) {
+			nthread->maxfd = fd;
+		}
+#endif /* ifdef USE_SELECT */
+
+		socket_log(sock, &NEWCONNSOCK(dev)->peer_address, CREATION,
+			   "accepted connection, new socket %p",
+			   dev->newsocket);
+
+		ISC_LIST_APPEND(manager->socklist, NEWCONNSOCK(dev), link);
+
+		UNLOCK(&manager->lock);
+
+		inc_stats(manager->stats, sock->statsindex[STATID_ACCEPT]);
+	} else {
+		inc_stats(manager->stats, sock->statsindex[STATID_ACCEPTFAIL]);
+		isc_refcount_decrementz(&NEWCONNSOCK(dev)->references);
+		free_socket((isc_socket_t **)&dev->newsocket);
+	}
+
+	/*
+	 * Fill in the done event details and send it off.
+	 */
+	dev->result = result;
+	task = dev->ev_sender;
+	dev->ev_sender = sock;
+
+	isc_task_sendtoanddetach(&task, ISC_EVENT_PTR(&dev), sock->threadid);
+	return;
+
+soft_error:
+	watch_fd(thread, sock->fd, SELECT_POKE_ACCEPT);
+	UNLOCK(&sock->lock);
+
+	inc_stats(manager->stats, sock->statsindex[STATID_ACCEPTFAIL]);
+	return;
+}
+
+static void
+internal_recv(isc_socket_t *sock) {
+	isc_socketevent_t *dev;
+
+	INSIST(VALID_SOCKET(sock));
+	REQUIRE(sock->fd >= 0);
+
+	dev = ISC_LIST_HEAD(sock->recv_list);
+	if (dev == NULL) {
+		goto finish;
+	}
+
+	socket_log(sock, NULL, IOEVENT, "internal_recv: event %p -> task %p",
+		   dev, dev->ev_sender);
+
+	/*
+	 * Try to do as much I/O as possible on this socket.  There are no
+	 * limits here, currently.
+	 */
+	while (dev != NULL) {
+		switch (doio_recv(sock, dev)) {
+		case DOIO_SOFT:
+			goto finish;
+
+		case DOIO_EOF:
+			/*
+			 * read of 0 means the remote end was closed.
+			 * Run through the event queue and dispatch all
+			 * the events with an EOF result code.
+			 */
+			do {
+				dev->result = ISC_R_EOF;
+				send_recvdone_event(sock, &dev);
+				dev = ISC_LIST_HEAD(sock->recv_list);
+			} while (dev != NULL);
+			goto finish;
+
+		case DOIO_SUCCESS:
+		case DOIO_HARD:
+			send_recvdone_event(sock, &dev);
+			break;
+		}
+
+		dev = ISC_LIST_HEAD(sock->recv_list);
+	}
+
+finish:
+	if (ISC_LIST_EMPTY(sock->recv_list)) {
+		unwatch_fd(&sock->manager->threads[sock->threadid], sock->fd,
+			   SELECT_POKE_READ);
+	}
+}
+
+static void
+internal_send(isc_socket_t *sock) {
+	isc_socketevent_t *dev;
+
+	INSIST(VALID_SOCKET(sock));
+	REQUIRE(sock->fd >= 0);
+
+	dev = ISC_LIST_HEAD(sock->send_list);
+	if (dev == NULL) {
+		goto finish;
+	}
+	socket_log(sock, NULL, EVENT, "internal_send: event %p -> task %p", dev,
+		   dev->ev_sender);
+
+	/*
+	 * Try to do as much I/O as possible on this socket.  There are no
+	 * limits here, currently.
+	 */
+	while (dev != NULL) {
+		switch (doio_send(sock, dev)) {
+		case DOIO_SOFT:
+			goto finish;
+
+		case DOIO_HARD:
+		case DOIO_SUCCESS:
+			send_senddone_event(sock, &dev);
+			break;
+		}
+
+		dev = ISC_LIST_HEAD(sock->send_list);
+	}
+
+finish:
+	if (ISC_LIST_EMPTY(sock->send_list)) {
+		unwatch_fd(&sock->manager->threads[sock->threadid], sock->fd,
+			   SELECT_POKE_WRITE);
+	}
+}
+
+/*
+ * Process read/writes on each fd here.  Avoid locking
+ * and unlocking twice if both reads and writes are possible.
+ */
+static void
+process_fd(isc__socketthread_t *thread, int fd, bool readable, bool writeable) {
+	isc_socket_t *sock;
+	int lockid = FDLOCK_ID(fd);
+
+	/*
+	 * If the socket is going to be closed, don't do more I/O.
+	 */
+	LOCK(&thread->fdlock[lockid]);
+	if (thread->fdstate[fd] == CLOSE_PENDING) {
+		UNLOCK(&thread->fdlock[lockid]);
+
+		(void)unwatch_fd(thread, fd, SELECT_POKE_READ);
+		(void)unwatch_fd(thread, fd, SELECT_POKE_WRITE);
+		return;
+	}
+
+	sock = thread->fds[fd];
+	if (sock == NULL) {
+		UNLOCK(&thread->fdlock[lockid]);
+		return;
+	}
+
+	LOCK(&sock->lock);
+
+	if (sock->fd < 0) {
+		/*
+		 * Sock is being closed - the final external reference
+		 * is gone but it was not yet removed from event loop
+		 * and fdstate[]/fds[] as destroy() is waiting on
+		 * thread->fdlock[lockid] or sock->lock that we're holding.
+		 * Just release the locks and bail.
+		 */
+		UNLOCK(&sock->lock);
+		UNLOCK(&thread->fdlock[lockid]);
+		return;
+	}
+
+	REQUIRE(readable || writeable);
+	if (writeable) {
+		if (sock->connecting) {
+			internal_connect(sock);
+		} else {
+			internal_send(sock);
+		}
+	}
+
+	if (readable) {
+		if (sock->listener) {
+			internal_accept(sock); /* unlocks sock */
+		} else {
+			internal_recv(sock);
+			UNLOCK(&sock->lock);
+		}
+	} else {
+		UNLOCK(&sock->lock);
+	}
+
+	UNLOCK(&thread->fdlock[lockid]);
+
+	/*
+	 * Socket destruction might be pending, it will resume
+	 * after releasing fdlock and sock->lock.
+	 */
+}
+
+/*
+ * process_fds is different for different event loops
+ * it takes the events from event loops and for each FD
+ * launches process_fd
+ */
+#ifdef USE_KQUEUE
+static bool
+process_fds(isc__socketthread_t *thread, struct kevent *events, int nevents) {
+	int i;
+	bool readable, writable;
+	bool done = false;
+	bool have_ctlevent = false;
+	if (nevents == thread->nevents) {
+		/*
+		 * This is not an error, but something unexpected.  If this
+		 * happens, it may indicate the need for increasing
+		 * ISC_SOCKET_MAXEVENTS.
+		 */
+		thread_log(thread, ISC_LOGCATEGORY_GENERAL,
+			   ISC_LOGMODULE_SOCKET, ISC_LOG_INFO,
+			   "maximum number of FD events (%d) received",
+			   nevents);
+	}
+
+	for (i = 0; i < nevents; i++) {
+		REQUIRE(events[i].ident < thread->manager->maxsocks);
+		if (events[i].ident == (uintptr_t)thread->pipe_fds[0]) {
+			have_ctlevent = true;
+			continue;
+		}
+		readable = (events[i].filter == EVFILT_READ);
+		writable = (events[i].filter == EVFILT_WRITE);
+		process_fd(thread, events[i].ident, readable, writable);
+	}
+
+	if (have_ctlevent) {
+		done = process_ctlfd(thread);
+	}
+
+	return (done);
+}
+#elif defined(USE_EPOLL)
+static bool
+process_fds(isc__socketthread_t *thread, struct epoll_event *events,
+	    int nevents) {
+	int i;
+	bool done = false;
+	bool have_ctlevent = false;
+
+	if (nevents == thread->nevents) {
+		thread_log(thread, ISC_LOGCATEGORY_GENERAL,
+			   ISC_LOGMODULE_SOCKET, ISC_LOG_INFO,
+			   "maximum number of FD events (%d) received",
+			   nevents);
+	}
+
+	for (i = 0; i < nevents; i++) {
+		REQUIRE(events[i].data.fd < (int)thread->manager->maxsocks);
+		if (events[i].data.fd == thread->pipe_fds[0]) {
+			have_ctlevent = true;
+			continue;
+		}
+		if ((events[i].events & EPOLLERR) != 0 ||
+		    (events[i].events & EPOLLHUP) != 0)
+		{
+			/*
+			 * epoll does not set IN/OUT bits on an erroneous
+			 * condition, so we need to try both anyway.  This is a
+			 * bit inefficient, but should be okay for such rare
+			 * events.  Note also that the read or write attempt
+			 * won't block because we use non-blocking sockets.
+			 */
+			int fd = events[i].data.fd;
+			events[i].events |= thread->epoll_events[fd];
+		}
+		process_fd(thread, events[i].data.fd,
+			   (events[i].events & EPOLLIN) != 0,
+			   (events[i].events & EPOLLOUT) != 0);
+	}
+
+	if (have_ctlevent) {
+		done = process_ctlfd(thread);
+	}
+
+	return (done);
+}
+#elif defined(USE_DEVPOLL)
+static bool
+process_fds(isc__socketthread_t *thread, struct pollfd *events, int nevents) {
+	int i;
+	bool done = false;
+	bool have_ctlevent = false;
+
+	if (nevents == thread->nevents) {
+		thread_log(thread, ISC_LOGCATEGORY_GENERAL,
+			   ISC_LOGMODULE_SOCKET, ISC_LOG_INFO,
+			   "maximum number of FD events (%d) received",
+			   nevents);
+	}
+
+	for (i = 0; i < nevents; i++) {
+		REQUIRE(events[i].fd < (int)thread->manager->maxsocks);
+		if (events[i].fd == thread->pipe_fds[0]) {
+			have_ctlevent = true;
+			continue;
+		}
+		process_fd(thread, events[i].fd,
+			   (events[i].events & POLLIN) != 0,
+			   (events[i].events & POLLOUT) != 0);
+	}
+
+	if (have_ctlevent) {
+		done = process_ctlfd(thread);
+	}
+
+	return (done);
+}
+#elif defined(USE_SELECT)
+static void
+process_fds(isc__socketthread_t *thread, int maxfd, fd_set *readfds,
+	    fd_set *writefds) {
+	int i;
+
+	REQUIRE(maxfd <= (int)thread->manager->maxsocks);
+
+	for (i = 0; i < maxfd; i++) {
+		if (i == thread->pipe_fds[0] || i == thread->pipe_fds[1]) {
+			continue;
+		}
+		process_fd(thread, i, FD_ISSET(i, readfds),
+			   FD_ISSET(i, writefds));
+	}
+}
+#endif /* ifdef USE_KQUEUE */
+
+static bool
+process_ctlfd(isc__socketthread_t *thread) {
+	int msg, fd;
+
+	for (;;) {
+		select_readmsg(thread, &fd, &msg);
+
+		thread_log(thread, IOEVENT,
+			   "watcher got message %d for socket %d", msg, fd);
+
+		/*
+		 * Nothing to read?
+		 */
+		if (msg == SELECT_POKE_NOTHING) {
+			break;
+		}
+
+		/*
+		 * Handle shutdown message.  We really should
+		 * jump out of this loop right away, but
+		 * it doesn't matter if we have to do a little
+		 * more work first.
+		 */
+		if (msg == SELECT_POKE_SHUTDOWN) {
+			return (true);
+		}
+
+		/*
+		 * This is a wakeup on a socket.  Look
+		 * at the event queue for both read and write,
+		 * and decide if we need to watch on it now
+		 * or not.
+		 */
+		wakeup_socket(thread, fd, msg);
+	}
+
+	return (false);
+}
+
+/*
+ * This is the thread that will loop forever, always in a select or poll
+ * call.
+ *
+ * When select returns something to do, do whatever's necessary and post
+ * an event to the task that was requesting the action.
+ */
+static isc_threadresult_t
+netthread(void *uap) {
+	isc__socketthread_t *thread = uap;
+	isc_socketmgr_t *manager = thread->manager;
+	(void)manager;
+	bool done;
+	int cc;
+#ifdef USE_KQUEUE
+	const char *fnname = "kevent()";
+#elif defined(USE_EPOLL)
+	const char *fnname = "epoll_wait()";
+#elif defined(USE_DEVPOLL)
+	isc_result_t result;
+	const char *fnname = "ioctl(DP_POLL)";
+	struct dvpoll dvp;
+	int pass;
+#if defined(ISC_SOCKET_USE_POLLWATCH)
+	pollstate_t pollstate = poll_idle;
+#endif /* if defined(ISC_SOCKET_USE_POLLWATCH) */
+#elif defined(USE_SELECT)
+	const char *fnname = "select()";
+	int maxfd;
+	int ctlfd;
+#endif /* ifdef USE_KQUEUE */
+	char strbuf[ISC_STRERRORSIZE];
+
+#if defined(USE_SELECT)
+	/*
+	 * Get the control fd here.  This will never change.
+	 */
+	ctlfd = thread->pipe_fds[0];
+#endif /* if defined(USE_SELECT) */
+	done = false;
+	while (!done) {
+		do {
+#ifdef USE_KQUEUE
+			cc = kevent(thread->kqueue_fd, NULL, 0, thread->events,
+				    thread->nevents, NULL);
+#elif defined(USE_EPOLL)
+			cc = epoll_wait(thread->epoll_fd, thread->events,
+					thread->nevents, -1);
+#elif defined(USE_DEVPOLL)
+			/*
+			 * Re-probe every thousand calls.
+			 */
+			if (thread->calls++ > 1000U) {
+				result = isc_resource_getcurlimit(
+					isc_resource_openfiles,
+					&thread->open_max);
+				if (result != ISC_R_SUCCESS) {
+					thread->open_max = 64;
+				}
+				thread->calls = 0;
+			}
+			for (pass = 0; pass < 2; pass++) {
+				dvp.dp_fds = thread->events;
+				dvp.dp_nfds = thread->nevents;
+				if (dvp.dp_nfds >= thread->open_max) {
+					dvp.dp_nfds = thread->open_max - 1;
+				}
+#ifndef ISC_SOCKET_USE_POLLWATCH
+				dvp.dp_timeout = -1;
+#else  /* ifndef ISC_SOCKET_USE_POLLWATCH */
+				if (pollstate == poll_idle) {
+					dvp.dp_timeout = -1;
+				} else {
+					dvp.dp_timeout =
+						ISC_SOCKET_POLLWATCH_TIMEOUT;
+				}
+#endif /* ISC_SOCKET_USE_POLLWATCH */
+				cc = ioctl(thread->devpoll_fd, DP_POLL, &dvp);
+				if (cc == -1 && errno == EINVAL) {
+					/*
+					 * {OPEN_MAX} may have dropped.  Look
+					 * up the current value and try again.
+					 */
+					result = isc_resource_getcurlimit(
+						isc_resource_openfiles,
+						&thread->open_max);
+					if (result != ISC_R_SUCCESS) {
+						thread->open_max = 64;
+					}
+				} else {
+					break;
+				}
+			}
+#elif defined(USE_SELECT)
+			/*
+			 * We will have only one thread anyway, we can lock
+			 * manager lock and don't care
+			 */
+			LOCK(&manager->lock);
+			memmove(thread->read_fds_copy, thread->read_fds,
+				thread->fd_bufsize);
+			memmove(thread->write_fds_copy, thread->write_fds,
+				thread->fd_bufsize);
+			maxfd = thread->maxfd + 1;
+			UNLOCK(&manager->lock);
+
+			cc = select(maxfd, thread->read_fds_copy,
+				    thread->write_fds_copy, NULL, NULL);
+#endif /* USE_KQUEUE */
+
+			if (cc < 0 && !SOFT_ERROR(errno)) {
+				strerror_r(errno, strbuf, sizeof(strbuf));
+				FATAL_ERROR(__FILE__, __LINE__, "%s failed: %s",
+					    fnname, strbuf);
+			}
+
+#if defined(USE_DEVPOLL) && defined(ISC_SOCKET_USE_POLLWATCH)
+			if (cc == 0) {
+				if (pollstate == poll_active) {
+					pollstate = poll_checking;
+				} else if (pollstate == poll_checking) {
+					pollstate = poll_idle;
+				}
+			} else if (cc > 0) {
+				if (pollstate == poll_checking) {
+					/*
+					 * XXX: We'd like to use a more
+					 * verbose log level as it's actually an
+					 * unexpected event, but the kernel bug
+					 * reportedly happens pretty frequently
+					 * (and it can also be a false positive)
+					 * so it would be just too noisy.
+					 */
+					thread_log(thread,
+						   ISC_LOGCATEGORY_GENERAL,
+						   ISC_LOGMODULE_SOCKET,
+						   ISC_LOG_DEBUG(1),
+						   "unexpected POLL timeout");
+				}
+				pollstate = poll_active;
+			}
+#endif /* if defined(USE_DEVPOLL) && defined(ISC_SOCKET_USE_POLLWATCH) */
+		} while (cc < 0);
+
+#if defined(USE_KQUEUE) || defined(USE_EPOLL) || defined(USE_DEVPOLL)
+		done = process_fds(thread, thread->events, cc);
+#elif defined(USE_SELECT)
+		process_fds(thread, maxfd, thread->read_fds_copy,
+			    thread->write_fds_copy);
+
+		/*
+		 * Process reads on internal, control fd.
+		 */
+		if (FD_ISSET(ctlfd, thread->read_fds_copy)) {
+			done = process_ctlfd(thread);
+		}
+#endif /* if defined(USE_KQUEUE) || defined(USE_EPOLL) || defined(USE_DEVPOLL) \
+	* */
+	}
+
+	thread_log(thread, TRACE, "watcher exiting");
+	return ((isc_threadresult_t)0);
+}
+
+void
+isc_socketmgr_setreserved(isc_socketmgr_t *manager, uint32_t reserved) {
+	REQUIRE(VALID_MANAGER(manager));
+
+	manager->reserved = reserved;
+}
+
+void
+isc_socketmgr_maxudp(isc_socketmgr_t *manager, unsigned int maxudp) {
+	REQUIRE(VALID_MANAGER(manager));
+
+	manager->maxudp = maxudp;
+}
+
+/*
+ * Setup socket thread, thread->manager and thread->threadid must be filled.
+ */
+
+static isc_result_t
+setup_thread(isc__socketthread_t *thread) {
+	isc_result_t result = ISC_R_SUCCESS;
+	int i;
+	char strbuf[ISC_STRERRORSIZE];
+
+	REQUIRE(thread != NULL);
+	REQUIRE(VALID_MANAGER(thread->manager));
+	REQUIRE(thread->threadid >= 0 &&
+		thread->threadid < thread->manager->nthreads);
+
+	thread->fds =
+		isc_mem_get(thread->manager->mctx,
+			    thread->manager->maxsocks * sizeof(isc_socket_t *));
+
+	memset(thread->fds, 0,
+	       thread->manager->maxsocks * sizeof(isc_socket_t *));
+
+	thread->fdstate = isc_mem_get(thread->manager->mctx,
+				      thread->manager->maxsocks * sizeof(int));
+
+	memset(thread->fdstate, 0, thread->manager->maxsocks * sizeof(int));
+
+	thread->fdlock = isc_mem_get(thread->manager->mctx,
+				     FDLOCK_COUNT * sizeof(isc_mutex_t));
+
+	for (i = 0; i < FDLOCK_COUNT; i++) {
+		isc_mutex_init(&thread->fdlock[i]);
+	}
+
+	if (pipe(thread->pipe_fds) != 0) {
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__, "pipe() failed: %s",
+				 strbuf);
+		return (ISC_R_UNEXPECTED);
+	}
+	RUNTIME_CHECK(make_nonblock(thread->pipe_fds[0]) == ISC_R_SUCCESS);
+
+#ifdef USE_KQUEUE
+	thread->nevents = ISC_SOCKET_MAXEVENTS;
+	thread->events = isc_mem_get(thread->manager->mctx,
+				     sizeof(struct kevent) * thread->nevents);
+
+	thread->kqueue_fd = kqueue();
+	if (thread->kqueue_fd == -1) {
+		result = isc__errno2result(errno);
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__, "kqueue failed: %s",
+				 strbuf);
+		isc_mem_put(thread->manager->mctx, thread->events,
+			    sizeof(struct kevent) * thread->nevents);
+		return (result);
+	}
+
+	result = watch_fd(thread, thread->pipe_fds[0], SELECT_POKE_READ);
+	if (result != ISC_R_SUCCESS) {
+		close(thread->kqueue_fd);
+		isc_mem_put(thread->manager->mctx, thread->events,
+			    sizeof(struct kevent) * thread->nevents);
+	}
+	return (result);
+
+#elif defined(USE_EPOLL)
+	thread->nevents = ISC_SOCKET_MAXEVENTS;
+	thread->epoll_events =
+		isc_mem_get(thread->manager->mctx,
+			    (thread->manager->maxsocks * sizeof(uint32_t)));
+
+	memset(thread->epoll_events, 0,
+	       thread->manager->maxsocks * sizeof(uint32_t));
+
+	thread->events =
+		isc_mem_get(thread->manager->mctx,
+			    sizeof(struct epoll_event) * thread->nevents);
+
+	thread->epoll_fd = epoll_create(thread->nevents);
+	if (thread->epoll_fd == -1) {
+		result = isc__errno2result(errno);
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__, "epoll_create failed: %s",
+				 strbuf);
+		return (result);
+	}
+
+	result = watch_fd(thread, thread->pipe_fds[0], SELECT_POKE_READ);
+	return (result);
+
+#elif defined(USE_DEVPOLL)
+	thread->nevents = ISC_SOCKET_MAXEVENTS;
+	result = isc_resource_getcurlimit(isc_resource_openfiles,
+					  &thread->open_max);
+	if (result != ISC_R_SUCCESS) {
+		thread->open_max = 64;
+	}
+	thread->calls = 0;
+	thread->events = isc_mem_get(thread->manager->mctx,
+				     sizeof(struct pollfd) * thread->nevents);
+
+	/*
+	 * Note: fdpollinfo should be able to support all possible FDs, so
+	 * it must have maxsocks entries (not nevents).
+	 */
+	thread->fdpollinfo =
+		isc_mem_get(thread->manager->mctx,
+			    sizeof(pollinfo_t) * thread->manager->maxsocks);
+	memset(thread->fdpollinfo, 0,
+	       sizeof(pollinfo_t) * thread->manager->maxsocks);
+	thread->devpoll_fd = open("/dev/poll", O_RDWR);
+	if (thread->devpoll_fd == -1) {
+		result = isc__errno2result(errno);
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "open(/dev/poll) failed: %s", strbuf);
+		isc_mem_put(thread->manager->mctx, thread->events,
+			    sizeof(struct pollfd) * thread->nevents);
+		isc_mem_put(thread->manager->mctx, thread->fdpollinfo,
+			    sizeof(pollinfo_t) * thread->manager->maxsocks);
+		return (result);
+	}
+	result = watch_fd(thread, thread->pipe_fds[0], SELECT_POKE_READ);
+	if (result != ISC_R_SUCCESS) {
+		close(thread->devpoll_fd);
+		isc_mem_put(thread->manager->mctx, thread->events,
+			    sizeof(struct pollfd) * thread->nevents);
+		isc_mem_put(thread->manager->mctx, thread->fdpollinfo,
+			    sizeof(pollinfo_t) * thread->manager->maxsocks);
+		return (result);
+	}
+
+	return (ISC_R_SUCCESS);
+#elif defined(USE_SELECT)
+	UNUSED(result);
+
+#if ISC_SOCKET_MAXSOCKETS > FD_SETSIZE
+	/*
+	 * Note: this code should also cover the case of MAXSOCKETS <=
+	 * FD_SETSIZE, but we separate the cases to avoid possible portability
+	 * issues regarding howmany() and the actual representation of fd_set.
+	 */
+	thread->fd_bufsize = howmany(manager->maxsocks, NFDBITS) *
+			     sizeof(fd_mask);
+#else  /* if ISC_SOCKET_MAXSOCKETS > FD_SETSIZE */
+	thread->fd_bufsize = sizeof(fd_set);
+#endif /* if ISC_SOCKET_MAXSOCKETS > FD_SETSIZE */
+
+	thread->read_fds = isc_mem_get(thread->manager->mctx,
+				       thread->fd_bufsize);
+	thread->read_fds_copy = isc_mem_get(thread->manager->mctx,
+					    thread->fd_bufsize);
+	thread->write_fds = isc_mem_get(thread->manager->mctx,
+					thread->fd_bufsize);
+	thread->write_fds_copy = isc_mem_get(thread->manager->mctx,
+					     thread->fd_bufsize);
+	memset(thread->read_fds, 0, thread->fd_bufsize);
+	memset(thread->write_fds, 0, thread->fd_bufsize);
+
+	(void)watch_fd(thread, thread->pipe_fds[0], SELECT_POKE_READ);
+	thread->maxfd = thread->pipe_fds[0];
+
+	return (ISC_R_SUCCESS);
+#endif /* USE_KQUEUE */
+}
+
+static void
+cleanup_thread(isc_mem_t *mctx, isc__socketthread_t *thread) {
+	isc_result_t result;
+	int i;
+
+	result = unwatch_fd(thread, thread->pipe_fds[0], SELECT_POKE_READ);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__, "epoll_ctl(DEL) failed");
+	}
+#ifdef USE_KQUEUE
+	close(thread->kqueue_fd);
+	isc_mem_put(mctx, thread->events,
+		    sizeof(struct kevent) * thread->nevents);
+#elif defined(USE_EPOLL)
+	close(thread->epoll_fd);
+
+	isc_mem_put(mctx, thread->events,
+		    sizeof(struct epoll_event) * thread->nevents);
+#elif defined(USE_DEVPOLL)
+	close(thread->devpoll_fd);
+	isc_mem_put(mctx, thread->events,
+		    sizeof(struct pollfd) * thread->nevents);
+	isc_mem_put(mctx, thread->fdpollinfo,
+		    sizeof(pollinfo_t) * thread->manager->maxsocks);
+#elif defined(USE_SELECT)
+	if (thread->read_fds != NULL) {
+		isc_mem_put(mctx, thread->read_fds, thread->fd_bufsize);
+	}
+	if (thread->read_fds_copy != NULL) {
+		isc_mem_put(mctx, thread->read_fds_copy, thread->fd_bufsize);
+	}
+	if (thread->write_fds != NULL) {
+		isc_mem_put(mctx, thread->write_fds, thread->fd_bufsize);
+	}
+	if (thread->write_fds_copy != NULL) {
+		isc_mem_put(mctx, thread->write_fds_copy, thread->fd_bufsize);
+	}
+#endif /* USE_KQUEUE */
+	for (i = 0; i < (int)thread->manager->maxsocks; i++) {
+		if (thread->fdstate[i] == CLOSE_PENDING) {
+			/* no need to lock */
+			(void)close(i);
+		}
+	}
+
+#if defined(USE_EPOLL)
+	isc_mem_put(thread->manager->mctx, thread->epoll_events,
+		    thread->manager->maxsocks * sizeof(uint32_t));
+#endif /* if defined(USE_EPOLL) */
+	isc_mem_put(thread->manager->mctx, thread->fds,
+		    thread->manager->maxsocks * sizeof(isc_socket_t *));
+	isc_mem_put(thread->manager->mctx, thread->fdstate,
+		    thread->manager->maxsocks * sizeof(int));
+
+	for (i = 0; i < FDLOCK_COUNT; i++) {
+		isc_mutex_destroy(&thread->fdlock[i]);
+	}
+	isc_mem_put(thread->manager->mctx, thread->fdlock,
+		    FDLOCK_COUNT * sizeof(isc_mutex_t));
+}
+
+isc_result_t
+isc_socketmgr_create(isc_mem_t *mctx, isc_socketmgr_t **managerp) {
+	return (isc_socketmgr_create2(mctx, managerp, 0, 1));
+}
+
+isc_result_t
+isc_socketmgr_create2(isc_mem_t *mctx, isc_socketmgr_t **managerp,
+		      unsigned int maxsocks, int nthreads) {
+	int i;
+	isc_socketmgr_t *manager;
+
+	REQUIRE(managerp != NULL && *managerp == NULL);
+
+	if (maxsocks == 0) {
+		maxsocks = ISC_SOCKET_MAXSOCKETS;
+	}
+
+	manager = isc_mem_get(mctx, sizeof(*manager));
+
+	/* zero-clear so that necessary cleanup on failure will be easy */
+	memset(manager, 0, sizeof(*manager));
+	manager->maxsocks = maxsocks;
+	manager->reserved = 0;
+	manager->maxudp = 0;
+	manager->nthreads = nthreads;
+	manager->stats = NULL;
+
+	manager->magic = SOCKET_MANAGER_MAGIC;
+	manager->mctx = NULL;
+	ISC_LIST_INIT(manager->socklist);
+	isc_mutex_init(&manager->lock);
+	isc_condition_init(&manager->shutdown_ok);
+
+	/*
+	 * Start up the select/poll thread.
+	 */
+	manager->threads = isc_mem_get(mctx, sizeof(isc__socketthread_t) *
+						     manager->nthreads);
+	isc_mem_attach(mctx, &manager->mctx);
+
+	for (i = 0; i < manager->nthreads; i++) {
+		manager->threads[i].manager = manager;
+		manager->threads[i].threadid = i;
+		setup_thread(&manager->threads[i]);
+		isc_thread_create(netthread, &manager->threads[i],
+				  &manager->threads[i].thread);
+		char tname[1024];
+		sprintf(tname, "isc-socket-%d", i);
+		isc_thread_setname(manager->threads[i].thread, tname);
+	}
+
+	*managerp = manager;
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_socketmgr_getmaxsockets(isc_socketmgr_t *manager, unsigned int *nsockp) {
+	REQUIRE(VALID_MANAGER(manager));
+	REQUIRE(nsockp != NULL);
+
+	*nsockp = manager->maxsocks;
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_socketmgr_setstats(isc_socketmgr_t *manager, isc_stats_t *stats) {
+	REQUIRE(VALID_MANAGER(manager));
+	REQUIRE(ISC_LIST_EMPTY(manager->socklist));
+	REQUIRE(manager->stats == NULL);
+	REQUIRE(isc_stats_ncounters(stats) == isc_sockstatscounter_max);
+
+	isc_stats_attach(stats, &manager->stats);
+}
+
+void
+isc_socketmgr_destroy(isc_socketmgr_t **managerp) {
+	isc_socketmgr_t *manager;
+
+	/*
+	 * Destroy a socket manager.
+	 */
+
+	REQUIRE(managerp != NULL);
+	manager = *managerp;
+	REQUIRE(VALID_MANAGER(manager));
+
+	LOCK(&manager->lock);
+
+	/*
+	 * Wait for all sockets to be destroyed.
+	 */
+	while (!ISC_LIST_EMPTY(manager->socklist)) {
+		manager_log(manager, CREATION, "sockets exist");
+		WAIT(&manager->shutdown_ok, &manager->lock);
+	}
+
+	UNLOCK(&manager->lock);
+
+	/*
+	 * Here, poke our select/poll thread.  Do this by closing the write
+	 * half of the pipe, which will send EOF to the read half.
+	 * This is currently a no-op in the non-threaded case.
+	 */
+	for (int i = 0; i < manager->nthreads; i++) {
+		select_poke(manager, i, 0, SELECT_POKE_SHUTDOWN);
+	}
+
+	/*
+	 * Wait for thread to exit.
+	 */
+	for (int i = 0; i < manager->nthreads; i++) {
+		isc_thread_join(manager->threads[i].thread, NULL);
+		cleanup_thread(manager->mctx, &manager->threads[i]);
+	}
+	/*
+	 * Clean up.
+	 */
+	isc_mem_put(manager->mctx, manager->threads,
+		    sizeof(isc__socketthread_t) * manager->nthreads);
+	(void)isc_condition_destroy(&manager->shutdown_ok);
+
+	if (manager->stats != NULL) {
+		isc_stats_detach(&manager->stats);
+	}
+	isc_mutex_destroy(&manager->lock);
+	manager->magic = 0;
+	isc_mem_putanddetach(&manager->mctx, manager, sizeof(*manager));
+
+	*managerp = NULL;
+}
+
+static isc_result_t
+socket_recv(isc_socket_t *sock, isc_socketevent_t *dev, isc_task_t *task,
+	    unsigned int flags) {
+	int io_state;
+	bool have_lock = false;
+	isc_task_t *ntask = NULL;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	dev->ev_sender = task;
+
+	if (sock->type == isc_sockettype_udp) {
+		io_state = doio_recv(sock, dev);
+	} else {
+		LOCK(&sock->lock);
+		have_lock = true;
+
+		if (ISC_LIST_EMPTY(sock->recv_list)) {
+			io_state = doio_recv(sock, dev);
+		} else {
+			io_state = DOIO_SOFT;
+		}
+	}
+
+	switch (io_state) {
+	case DOIO_SOFT:
+		/*
+		 * We couldn't read all or part of the request right now, so
+		 * queue it.
+		 *
+		 * Attach to socket and to task
+		 */
+		isc_task_attach(task, &ntask);
+		dev->attributes |= ISC_SOCKEVENTATTR_ATTACHED;
+
+		if (!have_lock) {
+			LOCK(&sock->lock);
+			have_lock = true;
+		}
+
+		/*
+		 * Enqueue the request.  If the socket was previously not being
+		 * watched, poke the watcher to start paying attention to it.
+		 */
+		bool do_poke = ISC_LIST_EMPTY(sock->recv_list);
+		ISC_LIST_ENQUEUE(sock->recv_list, dev, ev_link);
+		if (do_poke) {
+			select_poke(sock->manager, sock->threadid, sock->fd,
+				    SELECT_POKE_READ);
+		}
+
+		socket_log(sock, NULL, EVENT,
+			   "socket_recv: event %p -> task %p", dev, ntask);
+
+		if ((flags & ISC_SOCKFLAG_IMMEDIATE) != 0) {
+			result = ISC_R_INPROGRESS;
+		}
+		break;
+
+	case DOIO_EOF:
+		dev->result = ISC_R_EOF;
+		FALLTHROUGH;
+
+	case DOIO_HARD:
+	case DOIO_SUCCESS:
+		if ((flags & ISC_SOCKFLAG_IMMEDIATE) == 0) {
+			send_recvdone_event(sock, &dev);
+		}
+		break;
+	}
+
+	if (have_lock) {
+		UNLOCK(&sock->lock);
+	}
+
+	return (result);
+}
+
+isc_result_t
+isc_socket_recv(isc_socket_t *sock, isc_region_t *region, unsigned int minimum,
+		isc_task_t *task, isc_taskaction_t action, void *arg) {
+	isc_socketevent_t *dev;
+	isc_socketmgr_t *manager;
+
+	REQUIRE(VALID_SOCKET(sock));
+	REQUIRE(action != NULL);
+
+	manager = sock->manager;
+	REQUIRE(VALID_MANAGER(manager));
+
+	INSIST(sock->bound);
+
+	dev = allocate_socketevent(manager->mctx, sock, ISC_SOCKEVENT_RECVDONE,
+				   action, arg);
+	if (dev == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	return (isc_socket_recv2(sock, region, minimum, task, dev, 0));
+}
+
+isc_result_t
+isc_socket_recv2(isc_socket_t *sock, isc_region_t *region, unsigned int minimum,
+		 isc_task_t *task, isc_socketevent_t *event,
+		 unsigned int flags) {
+	event->ev_sender = sock;
+	event->result = ISC_R_UNSET;
+	event->region = *region;
+	event->n = 0;
+	event->offset = 0;
+	event->attributes = 0;
+
+	/*
+	 * UDP sockets are always partial read.
+	 */
+	if (sock->type == isc_sockettype_udp) {
+		event->minimum = 1;
+	} else {
+		if (minimum == 0) {
+			event->minimum = region->length;
+		} else {
+			event->minimum = minimum;
+		}
+	}
+
+	return (socket_recv(sock, event, task, flags));
+}
+
+static isc_result_t
+socket_send(isc_socket_t *sock, isc_socketevent_t *dev, isc_task_t *task,
+	    const isc_sockaddr_t *address, struct in6_pktinfo *pktinfo,
+	    unsigned int flags) {
+	int io_state;
+	bool have_lock = false;
+	isc_task_t *ntask = NULL;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	dev->ev_sender = task;
+
+	set_dev_address(address, sock, dev);
+	if (pktinfo != NULL) {
+		dev->attributes |= ISC_SOCKEVENTATTR_PKTINFO;
+		dev->pktinfo = *pktinfo;
+
+		if (!isc_sockaddr_issitelocal(&dev->address) &&
+		    !isc_sockaddr_islinklocal(&dev->address))
+		{
+			socket_log(sock, NULL, TRACE,
+				   "pktinfo structure provided, ifindex %u "
+				   "(set to 0)",
+				   pktinfo->ipi6_ifindex);
+
+			/*
+			 * Set the pktinfo index to 0 here, to let the
+			 * kernel decide what interface it should send on.
+			 */
+			dev->pktinfo.ipi6_ifindex = 0;
+		}
+	}
+
+	if (sock->type == isc_sockettype_udp) {
+		io_state = doio_send(sock, dev);
+	} else {
+		LOCK(&sock->lock);
+		have_lock = true;
+
+		if (ISC_LIST_EMPTY(sock->send_list)) {
+			io_state = doio_send(sock, dev);
+		} else {
+			io_state = DOIO_SOFT;
+		}
+	}
+
+	switch (io_state) {
+	case DOIO_SOFT:
+		/*
+		 * We couldn't send all or part of the request right now, so
+		 * queue it unless ISC_SOCKFLAG_NORETRY is set.
+		 */
+		if ((flags & ISC_SOCKFLAG_NORETRY) == 0) {
+			isc_task_attach(task, &ntask);
+			dev->attributes |= ISC_SOCKEVENTATTR_ATTACHED;
+
+			if (!have_lock) {
+				LOCK(&sock->lock);
+				have_lock = true;
+			}
+
+			/*
+			 * Enqueue the request.  If the socket was previously
+			 * not being watched, poke the watcher to start
+			 * paying attention to it.
+			 */
+			bool do_poke = ISC_LIST_EMPTY(sock->send_list);
+			ISC_LIST_ENQUEUE(sock->send_list, dev, ev_link);
+			if (do_poke) {
+				select_poke(sock->manager, sock->threadid,
+					    sock->fd, SELECT_POKE_WRITE);
+			}
+			socket_log(sock, NULL, EVENT,
+				   "socket_send: event %p -> task %p", dev,
+				   ntask);
+
+			if ((flags & ISC_SOCKFLAG_IMMEDIATE) != 0) {
+				result = ISC_R_INPROGRESS;
+			}
+			break;
+		}
+
+		FALLTHROUGH;
+
+	case DOIO_HARD:
+	case DOIO_SUCCESS:
+		if (!have_lock) {
+			LOCK(&sock->lock);
+			have_lock = true;
+		}
+		if ((flags & ISC_SOCKFLAG_IMMEDIATE) == 0) {
+			send_senddone_event(sock, &dev);
+		}
+		break;
+	}
+
+	if (have_lock) {
+		UNLOCK(&sock->lock);
+	}
+
+	return (result);
+}
+
+isc_result_t
+isc_socket_send(isc_socket_t *sock, isc_region_t *region, isc_task_t *task,
+		isc_taskaction_t action, void *arg) {
+	/*
+	 * REQUIRE() checking is performed in isc_socket_sendto().
+	 */
+	return (isc_socket_sendto(sock, region, task, action, arg, NULL, NULL));
+}
+
+isc_result_t
+isc_socket_sendto(isc_socket_t *sock, isc_region_t *region, isc_task_t *task,
+		  isc_taskaction_t action, void *arg,
+		  const isc_sockaddr_t *address, struct in6_pktinfo *pktinfo) {
+	isc_socketevent_t *dev;
+	isc_socketmgr_t *manager;
+
+	REQUIRE(VALID_SOCKET(sock));
+	REQUIRE(region != NULL);
+	REQUIRE(task != NULL);
+	REQUIRE(action != NULL);
+
+	manager = sock->manager;
+	REQUIRE(VALID_MANAGER(manager));
+
+	INSIST(sock->bound);
+
+	dev = allocate_socketevent(manager->mctx, sock, ISC_SOCKEVENT_SENDDONE,
+				   action, arg);
+	if (dev == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	dev->region = *region;
+
+	return (socket_send(sock, dev, task, address, pktinfo, 0));
+}
+
+isc_result_t
+isc_socket_sendto2(isc_socket_t *sock, isc_region_t *region, isc_task_t *task,
+		   const isc_sockaddr_t *address, struct in6_pktinfo *pktinfo,
+		   isc_socketevent_t *event, unsigned int flags) {
+	REQUIRE(VALID_SOCKET(sock));
+	REQUIRE((flags & ~(ISC_SOCKFLAG_IMMEDIATE | ISC_SOCKFLAG_NORETRY)) ==
+		0);
+	if ((flags & ISC_SOCKFLAG_NORETRY) != 0) {
+		REQUIRE(sock->type == isc_sockettype_udp);
+	}
+	event->ev_sender = sock;
+	event->result = ISC_R_UNSET;
+	event->region = *region;
+	event->n = 0;
+	event->offset = 0;
+	event->attributes &= ~ISC_SOCKEVENTATTR_ATTACHED;
+
+	return (socket_send(sock, event, task, address, pktinfo, flags));
+}
+
+void
+isc_socket_cleanunix(const isc_sockaddr_t *sockaddr, bool active) {
+#ifdef ISC_PLATFORM_HAVESYSUNH
+	int s;
+	struct stat sb;
+	char strbuf[ISC_STRERRORSIZE];
+
+	if (sockaddr->type.sa.sa_family != AF_UNIX) {
+		return;
+	}
+
+#ifndef S_ISSOCK
+#if defined(S_IFMT) && defined(S_IFSOCK)
+#define S_ISSOCK(mode) ((mode & S_IFMT) == S_IFSOCK)
+#elif defined(_S_IFMT) && defined(S_IFSOCK)
+#define S_ISSOCK(mode) ((mode & _S_IFMT) == S_IFSOCK)
+#endif /* if defined(S_IFMT) && defined(S_IFSOCK) */
+#endif /* ifndef S_ISSOCK */
+
+#ifndef S_ISFIFO
+#if defined(S_IFMT) && defined(S_IFIFO)
+#define S_ISFIFO(mode) ((mode & S_IFMT) == S_IFIFO)
+#elif defined(_S_IFMT) && defined(S_IFIFO)
+#define S_ISFIFO(mode) ((mode & _S_IFMT) == S_IFIFO)
+#endif /* if defined(S_IFMT) && defined(S_IFIFO) */
+#endif /* ifndef S_ISFIFO */
+
+#if !defined(S_ISFIFO) && !defined(S_ISSOCK)
+/* cppcheck-suppress preprocessorErrorDirective */
+#error \
+	You need to define S_ISFIFO and S_ISSOCK as appropriate for your platform.  See <sys/stat.h>.
+#endif /* if !defined(S_ISFIFO) && !defined(S_ISSOCK) */
+
+#ifndef S_ISFIFO
+#define S_ISFIFO(mode) 0
+#endif /* ifndef S_ISFIFO */
+
+#ifndef S_ISSOCK
+#define S_ISSOCK(mode) 0
+#endif /* ifndef S_ISSOCK */
+
+	if (stat(sockaddr->type.sunix.sun_path, &sb) < 0) {
+		switch (errno) {
+		case ENOENT:
+			if (active) { /* We exited cleanly last time */
+				break;
+			}
+			FALLTHROUGH;
+		default:
+			strerror_r(errno, strbuf, sizeof(strbuf));
+			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+				      ISC_LOGMODULE_SOCKET,
+				      active ? ISC_LOG_ERROR : ISC_LOG_WARNING,
+				      "isc_socket_cleanunix: stat(%s): %s",
+				      sockaddr->type.sunix.sun_path, strbuf);
+			return;
+		}
+	} else {
+		if (!(S_ISSOCK(sb.st_mode) || S_ISFIFO(sb.st_mode))) {
+			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+				      ISC_LOGMODULE_SOCKET,
+				      active ? ISC_LOG_ERROR : ISC_LOG_WARNING,
+				      "isc_socket_cleanunix: %s: not a socket",
+				      sockaddr->type.sunix.sun_path);
+			return;
+		}
+	}
+
+	if (active) {
+		if (unlink(sockaddr->type.sunix.sun_path) < 0) {
+			strerror_r(errno, strbuf, sizeof(strbuf));
+			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+				      ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
+				      "isc_socket_cleanunix: unlink(%s): %s",
+				      sockaddr->type.sunix.sun_path, strbuf);
+		}
+		return;
+	}
+
+	s = socket(AF_UNIX, SOCK_STREAM, 0);
+	if (s < 0) {
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_SOCKET, ISC_LOG_WARNING,
+			      "isc_socket_cleanunix: socket(%s): %s",
+			      sockaddr->type.sunix.sun_path, strbuf);
+		return;
+	}
+
+	if (connect(s, (const struct sockaddr *)&sockaddr->type.sunix,
+		    sizeof(sockaddr->type.sunix)) < 0)
+	{
+		switch (errno) {
+		case ECONNREFUSED:
+		case ECONNRESET:
+			if (unlink(sockaddr->type.sunix.sun_path) < 0) {
+				strerror_r(errno, strbuf, sizeof(strbuf));
+				isc_log_write(
+					isc_lctx, ISC_LOGCATEGORY_GENERAL,
+					ISC_LOGMODULE_SOCKET, ISC_LOG_WARNING,
+					"isc_socket_cleanunix: "
+					"unlink(%s): %s",
+					sockaddr->type.sunix.sun_path, strbuf);
+			}
+			break;
+		default:
+			strerror_r(errno, strbuf, sizeof(strbuf));
+			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+				      ISC_LOGMODULE_SOCKET, ISC_LOG_WARNING,
+				      "isc_socket_cleanunix: connect(%s): %s",
+				      sockaddr->type.sunix.sun_path, strbuf);
+			break;
+		}
+	}
+	close(s);
+#else  /* ifdef ISC_PLATFORM_HAVESYSUNH */
+	UNUSED(sockaddr);
+	UNUSED(active);
+#endif /* ifdef ISC_PLATFORM_HAVESYSUNH */
+}
+
+isc_result_t
+isc_socket_permunix(const isc_sockaddr_t *sockaddr, uint32_t perm,
+		    uint32_t owner, uint32_t group) {
+#ifdef ISC_PLATFORM_HAVESYSUNH
+	isc_result_t result = ISC_R_SUCCESS;
+	char strbuf[ISC_STRERRORSIZE];
+	char path[sizeof(sockaddr->type.sunix.sun_path)];
+#ifdef NEED_SECURE_DIRECTORY
+	char *slash;
+#endif /* ifdef NEED_SECURE_DIRECTORY */
+
+	REQUIRE(sockaddr->type.sa.sa_family == AF_UNIX);
+	INSIST(strlen(sockaddr->type.sunix.sun_path) < sizeof(path));
+	strlcpy(path, sockaddr->type.sunix.sun_path, sizeof(path));
+
+#ifdef NEED_SECURE_DIRECTORY
+	slash = strrchr(path, '/');
+	if (slash != NULL) {
+		if (slash != path) {
+			*slash = '\0';
+		} else {
+			strlcpy(path, "/", sizeof(path));
+		}
+	} else {
+		strlcpy(path, ".", sizeof(path));
+	}
+#endif /* ifdef NEED_SECURE_DIRECTORY */
+
+	if (chmod(path, perm) < 0) {
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
+			      "isc_socket_permunix: chmod(%s, %d): %s", path,
+			      perm, strbuf);
+		result = ISC_R_FAILURE;
+	}
+	if (chown(path, owner, group) < 0) {
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
+			      "isc_socket_permunix: chown(%s, %d, %d): %s",
+			      path, owner, group, strbuf);
+		result = ISC_R_FAILURE;
+	}
+	return (result);
+#else  /* ifdef ISC_PLATFORM_HAVESYSUNH */
+	UNUSED(sockaddr);
+	UNUSED(perm);
+	UNUSED(owner);
+	UNUSED(group);
+	return (ISC_R_NOTIMPLEMENTED);
+#endif /* ifdef ISC_PLATFORM_HAVESYSUNH */
+}
+
+isc_result_t
+isc_socket_bind(isc_socket_t *sock, const isc_sockaddr_t *sockaddr,
+		isc_socket_options_t options) {
+	char strbuf[ISC_STRERRORSIZE];
+	int on = 1;
+
+	REQUIRE(VALID_SOCKET(sock));
+
+	LOCK(&sock->lock);
+
+	INSIST(!sock->bound);
+	INSIST(!sock->dupped);
+
+	if (sock->pf != sockaddr->type.sa.sa_family) {
+		UNLOCK(&sock->lock);
+		return (ISC_R_FAMILYMISMATCH);
+	}
+
+	/*
+	 * Only set SO_REUSEADDR when we want a specific port.
+	 */
+#ifdef AF_UNIX
+	if (sock->pf == AF_UNIX) {
+		goto bind_socket;
+	}
+#endif /* ifdef AF_UNIX */
+	if ((options & ISC_SOCKET_REUSEADDRESS) != 0 &&
+	    isc_sockaddr_getport(sockaddr) != (in_port_t)0)
+	{
+		if (setsockopt(sock->fd, SOL_SOCKET, SO_REUSEADDR, (void *)&on,
+			       sizeof(on)) < 0)
+		{
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "setsockopt(%d) failed", sock->fd);
+		}
+#if defined(__FreeBSD_kernel__) && defined(SO_REUSEPORT_LB)
+		if (setsockopt(sock->fd, SOL_SOCKET, SO_REUSEPORT_LB,
+			       (void *)&on, sizeof(on)) < 0)
+		{
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "setsockopt(%d) failed", sock->fd);
+		}
+#elif defined(__linux__) && defined(SO_REUSEPORT)
+		if (setsockopt(sock->fd, SOL_SOCKET, SO_REUSEPORT, (void *)&on,
+			       sizeof(on)) < 0)
+		{
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "setsockopt(%d) failed", sock->fd);
+		}
+#endif		/* if defined(__FreeBSD_kernel__) && defined(SO_REUSEPORT_LB) */
+		/* Press on... */
+	}
+#ifdef AF_UNIX
+bind_socket:
+#endif /* ifdef AF_UNIX */
+	if (bind(sock->fd, &sockaddr->type.sa, sockaddr->length) < 0) {
+		inc_stats(sock->manager->stats,
+			  sock->statsindex[STATID_BINDFAIL]);
+
+		UNLOCK(&sock->lock);
+		switch (errno) {
+		case EACCES:
+			return (ISC_R_NOPERM);
+		case EADDRNOTAVAIL:
+			return (ISC_R_ADDRNOTAVAIL);
+		case EADDRINUSE:
+			return (ISC_R_ADDRINUSE);
+		case EINVAL:
+			return (ISC_R_BOUND);
+		default:
+			strerror_r(errno, strbuf, sizeof(strbuf));
+			UNEXPECTED_ERROR(__FILE__, __LINE__, "bind: %s",
+					 strbuf);
+			return (ISC_R_UNEXPECTED);
+		}
+	}
+
+	socket_log(sock, sockaddr, TRACE, "bound");
+	sock->bound = 1;
+
+	UNLOCK(&sock->lock);
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Enable this only for specific OS versions, and only when they have repaired
+ * their problems with it.  Until then, this is is broken and needs to be
+ * disabled by default.  See RT22589 for details.
+ */
+#undef ENABLE_ACCEPTFILTER
+
+isc_result_t
+isc_socket_filter(isc_socket_t *sock, const char *filter) {
+#if defined(SO_ACCEPTFILTER) && defined(ENABLE_ACCEPTFILTER)
+	char strbuf[ISC_STRERRORSIZE];
+	struct accept_filter_arg afa;
+#else  /* if defined(SO_ACCEPTFILTER) && defined(ENABLE_ACCEPTFILTER) */
+	UNUSED(sock);
+	UNUSED(filter);
+#endif /* if defined(SO_ACCEPTFILTER) && defined(ENABLE_ACCEPTFILTER) */
+
+	REQUIRE(VALID_SOCKET(sock));
+
+#if defined(SO_ACCEPTFILTER) && defined(ENABLE_ACCEPTFILTER)
+	bzero(&afa, sizeof(afa));
+	strlcpy(afa.af_name, filter, sizeof(afa.af_name));
+	if (setsockopt(sock->fd, SOL_SOCKET, SO_ACCEPTFILTER, &afa,
+		       sizeof(afa)) == -1)
+	{
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		socket_log(sock, NULL, CREATION,
+			   "setsockopt(SO_ACCEPTFILTER): %s", strbuf);
+		return (ISC_R_FAILURE);
+	}
+	return (ISC_R_SUCCESS);
+#else  /* if defined(SO_ACCEPTFILTER) && defined(ENABLE_ACCEPTFILTER) */
+	return (ISC_R_NOTIMPLEMENTED);
+#endif /* if defined(SO_ACCEPTFILTER) && defined(ENABLE_ACCEPTFILTER) */
+}
+
+/*
+ * Try enabling TCP Fast Open for a given socket if the OS supports it.
+ */
+static void
+set_tcp_fastopen(isc_socket_t *sock, unsigned int backlog) {
+#if defined(ENABLE_TCP_FASTOPEN) && defined(TCP_FASTOPEN)
+	char strbuf[ISC_STRERRORSIZE];
+
+/*
+ * FreeBSD, as of versions 10.3 and 11.0, defines TCP_FASTOPEN while also
+ * shipping a default kernel without TFO support, so we special-case it by
+ * performing an additional runtime check for TFO support using sysctl to
+ * prevent setsockopt() errors from being logged.
+ */
+#if defined(__FreeBSD__) && defined(HAVE_SYSCTLBYNAME)
+#define SYSCTL_TFO "net.inet.tcp.fastopen.enabled"
+	unsigned int enabled;
+	size_t enabledlen = sizeof(enabled);
+	static bool tfo_notice_logged = false;
+
+	if (sysctlbyname(SYSCTL_TFO, &enabled, &enabledlen, NULL, 0) < 0) {
+		/*
+		 * This kernel does not support TCP Fast Open.  There is
+		 * nothing more we can do.
+		 */
+		return;
+	} else if (enabled == 0) {
+		/*
+		 * This kernel does support TCP Fast Open, but it is disabled
+		 * by sysctl.  Notify the user, but do not nag.
+		 */
+		if (!tfo_notice_logged) {
+			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+				      ISC_LOGMODULE_SOCKET, ISC_LOG_NOTICE,
+				      "TCP_FASTOPEN support is disabled by "
+				      "sysctl (" SYSCTL_TFO " = 0)");
+			tfo_notice_logged = true;
+		}
+		return;
+	}
+#endif /* if defined(__FreeBSD__) && defined(HAVE_SYSCTLBYNAME) */
+
+#ifdef __APPLE__
+	backlog = 1;
+#else  /* ifdef __APPLE__ */
+	backlog = backlog / 2;
+	if (backlog == 0) {
+		backlog = 1;
+	}
+#endif /* ifdef __APPLE__ */
+	if (setsockopt(sock->fd, IPPROTO_TCP, TCP_FASTOPEN, (void *)&backlog,
+		       sizeof(backlog)) < 0)
+	{
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "setsockopt(%d, TCP_FASTOPEN) failed with %s",
+				 sock->fd, strbuf);
+		/* TCP_FASTOPEN is experimental so ignore failures */
+	}
+#else  /* if defined(ENABLE_TCP_FASTOPEN) && defined(TCP_FASTOPEN) */
+	UNUSED(sock);
+	UNUSED(backlog);
+#endif /* if defined(ENABLE_TCP_FASTOPEN) && defined(TCP_FASTOPEN) */
+}
+
+/*
+ * Set up to listen on a given socket.  We do this by creating an internal
+ * event that will be dispatched when the socket has read activity.  The
+ * watcher will send the internal event to the task when there is a new
+ * connection.
+ *
+ * Unlike in read, we don't preallocate a done event here.  Every time there
+ * is a new connection we'll have to allocate a new one anyway, so we might
+ * as well keep things simple rather than having to track them.
+ */
+isc_result_t
+isc_socket_listen(isc_socket_t *sock, unsigned int backlog) {
+	char strbuf[ISC_STRERRORSIZE];
+
+	REQUIRE(VALID_SOCKET(sock));
+
+	LOCK(&sock->lock);
+
+	REQUIRE(!sock->listener);
+	REQUIRE(sock->bound);
+	REQUIRE(sock->type == isc_sockettype_tcp ||
+		sock->type == isc_sockettype_unix);
+
+	if (backlog == 0) {
+		backlog = SOMAXCONN;
+	}
+
+	if (listen(sock->fd, (int)backlog) < 0) {
+		UNLOCK(&sock->lock);
+		strerror_r(errno, strbuf, sizeof(strbuf));
+
+		UNEXPECTED_ERROR(__FILE__, __LINE__, "listen: %s", strbuf);
+
+		return (ISC_R_UNEXPECTED);
+	}
+
+	set_tcp_fastopen(sock, backlog);
+
+	sock->listener = 1;
+
+	UNLOCK(&sock->lock);
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * This should try to do aggressive accept() XXXMLG
+ */
+isc_result_t
+isc_socket_accept(isc_socket_t *sock, isc_task_t *task, isc_taskaction_t action,
+		  void *arg) {
+	isc_socket_newconnev_t *dev;
+	isc_socketmgr_t *manager;
+	isc_task_t *ntask = NULL;
+	isc_socket_t *nsock;
+	isc_result_t result;
+	bool do_poke = false;
+
+	REQUIRE(VALID_SOCKET(sock));
+	manager = sock->manager;
+	REQUIRE(VALID_MANAGER(manager));
+
+	LOCK(&sock->lock);
+
+	REQUIRE(sock->listener);
+
+	/*
+	 * Sender field is overloaded here with the task we will be sending
+	 * this event to.  Just before the actual event is delivered the
+	 * actual ev_sender will be touched up to be the socket.
+	 */
+	dev = (isc_socket_newconnev_t *)isc_event_allocate(
+		manager->mctx, task, ISC_SOCKEVENT_NEWCONN, action, arg,
+		sizeof(*dev));
+	ISC_LINK_INIT(dev, ev_link);
+
+	result = allocate_socket(manager, sock->type, &nsock);
+	if (result != ISC_R_SUCCESS) {
+		isc_event_free(ISC_EVENT_PTR(&dev));
+		UNLOCK(&sock->lock);
+		return (result);
+	}
+
+	/*
+	 * Attach to socket and to task.
+	 */
+	isc_task_attach(task, &ntask);
+	if (isc_task_exiting(ntask)) {
+		free_socket(&nsock);
+		isc_task_detach(&ntask);
+		isc_event_free(ISC_EVENT_PTR(&dev));
+		UNLOCK(&sock->lock);
+		return (ISC_R_SHUTTINGDOWN);
+	}
+	isc_refcount_increment0(&nsock->references);
+	nsock->statsindex = sock->statsindex;
+
+	dev->ev_sender = ntask;
+	dev->newsocket = nsock;
+
+	/*
+	 * Poke watcher here.  We still have the socket locked, so there
+	 * is no race condition.  We will keep the lock for such a short
+	 * bit of time waking it up now or later won't matter all that much.
+	 */
+	do_poke = ISC_LIST_EMPTY(sock->accept_list);
+	ISC_LIST_ENQUEUE(sock->accept_list, dev, ev_link);
+	if (do_poke) {
+		select_poke(manager, sock->threadid, sock->fd,
+			    SELECT_POKE_ACCEPT);
+	}
+	UNLOCK(&sock->lock);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_socket_connect(isc_socket_t *sock, const isc_sockaddr_t *addr,
+		   isc_task_t *task, isc_taskaction_t action, void *arg) {
+	isc_socket_connev_t *dev;
+	isc_task_t *ntask = NULL;
+	isc_socketmgr_t *manager;
+	int cc;
+	char strbuf[ISC_STRERRORSIZE];
+	char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+
+	REQUIRE(VALID_SOCKET(sock));
+	REQUIRE(addr != NULL);
+	REQUIRE(task != NULL);
+	REQUIRE(action != NULL);
+
+	manager = sock->manager;
+	REQUIRE(VALID_MANAGER(manager));
+	REQUIRE(addr != NULL);
+
+	if (isc_sockaddr_ismulticast(addr)) {
+		return (ISC_R_MULTICAST);
+	}
+
+	LOCK(&sock->lock);
+
+	dev = (isc_socket_connev_t *)isc_event_allocate(
+		manager->mctx, sock, ISC_SOCKEVENT_CONNECT, action, arg,
+		sizeof(*dev));
+	ISC_LINK_INIT(dev, ev_link);
+
+	if (sock->connecting) {
+		INSIST(isc_sockaddr_equal(&sock->peer_address, addr));
+		goto queue;
+	}
+
+	if (sock->connected) {
+		INSIST(isc_sockaddr_equal(&sock->peer_address, addr));
+		dev->result = ISC_R_SUCCESS;
+		isc_task_sendto(task, ISC_EVENT_PTR(&dev), sock->threadid);
+
+		UNLOCK(&sock->lock);
+
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * Try to do the connect right away, as there can be only one
+	 * outstanding, and it might happen to complete.
+	 */
+	sock->peer_address = *addr;
+	cc = connect(sock->fd, &addr->type.sa, addr->length);
+	if (cc < 0) {
+		/*
+		 * The socket is nonblocking and the connection cannot be
+		 * completed immediately.  It is possible to select(2) or
+		 * poll(2) for completion by selecting the socket for writing.
+		 * After select(2) indicates writability, use getsockopt(2) to
+		 * read the SO_ERROR option at level SOL_SOCKET to determine
+		 * whether connect() completed successfully (SO_ERROR is zero)
+		 * or unsuccessfully (SO_ERROR is one of the usual error codes
+		 * listed here, explaining the reason for the failure).
+		 */
+		if (sock->type == isc_sockettype_udp && errno == EINPROGRESS) {
+			cc = 0;
+			goto success;
+		}
+		if (SOFT_ERROR(errno) || errno == EINPROGRESS) {
+			goto queue;
+		}
+
+		switch (errno) {
+#define ERROR_MATCH(a, b)        \
+	case a:                  \
+		dev->result = b; \
+		goto err_exit;
+			ERROR_MATCH(EACCES, ISC_R_NOPERM);
+			ERROR_MATCH(EADDRNOTAVAIL, ISC_R_ADDRNOTAVAIL);
+			ERROR_MATCH(EAFNOSUPPORT, ISC_R_ADDRNOTAVAIL);
+			ERROR_MATCH(ECONNREFUSED, ISC_R_CONNREFUSED);
+			ERROR_MATCH(EHOSTUNREACH, ISC_R_HOSTUNREACH);
+#ifdef EHOSTDOWN
+			ERROR_MATCH(EHOSTDOWN, ISC_R_HOSTUNREACH);
+#endif /* ifdef EHOSTDOWN */
+			ERROR_MATCH(ENETUNREACH, ISC_R_NETUNREACH);
+			ERROR_MATCH(ENOBUFS, ISC_R_NORESOURCES);
+			ERROR_MATCH(EPERM, ISC_R_HOSTUNREACH);
+			ERROR_MATCH(EPIPE, ISC_R_NOTCONNECTED);
+			ERROR_MATCH(ETIMEDOUT, ISC_R_TIMEDOUT);
+			ERROR_MATCH(ECONNRESET, ISC_R_CONNECTIONRESET);
+#undef ERROR_MATCH
+		}
+
+		sock->connected = 0;
+
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		isc_sockaddr_format(addr, addrbuf, sizeof(addrbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__, "connect(%s) %d/%s",
+				 addrbuf, errno, strbuf);
+
+		UNLOCK(&sock->lock);
+		inc_stats(sock->manager->stats,
+			  sock->statsindex[STATID_CONNECTFAIL]);
+		isc_event_free(ISC_EVENT_PTR(&dev));
+		return (ISC_R_UNEXPECTED);
+
+	err_exit:
+		sock->connected = 0;
+		isc_task_sendto(task, ISC_EVENT_PTR(&dev), sock->threadid);
+
+		UNLOCK(&sock->lock);
+		inc_stats(sock->manager->stats,
+			  sock->statsindex[STATID_CONNECTFAIL]);
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * If connect completed, fire off the done event.
+	 */
+success:
+	if (cc == 0) {
+		sock->connected = 1;
+		sock->bound = 1;
+		dev->result = ISC_R_SUCCESS;
+		isc_task_sendto(task, ISC_EVENT_PTR(&dev), sock->threadid);
+
+		UNLOCK(&sock->lock);
+
+		inc_stats(sock->manager->stats,
+			  sock->statsindex[STATID_CONNECT]);
+
+		return (ISC_R_SUCCESS);
+	}
+
+queue:
+
+	/*
+	 * Attach to task.
+	 */
+	isc_task_attach(task, &ntask);
+
+	dev->ev_sender = ntask;
+
+	/*
+	 * Poke watcher here.  We still have the socket locked, so there
+	 * is no race condition.  We will keep the lock for such a short
+	 * bit of time waking it up now or later won't matter all that much.
+	 */
+	bool do_poke = ISC_LIST_EMPTY(sock->connect_list);
+	ISC_LIST_ENQUEUE(sock->connect_list, dev, ev_link);
+	if (do_poke && !sock->connecting) {
+		sock->connecting = 1;
+		select_poke(manager, sock->threadid, sock->fd,
+			    SELECT_POKE_CONNECT);
+	}
+
+	UNLOCK(&sock->lock);
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Called when a socket with a pending connect() finishes.
+ */
+static void
+internal_connect(isc_socket_t *sock) {
+	isc_socket_connev_t *dev;
+	int cc;
+	isc_result_t result;
+	socklen_t optlen;
+	char strbuf[ISC_STRERRORSIZE];
+	char peerbuf[ISC_SOCKADDR_FORMATSIZE];
+
+	INSIST(VALID_SOCKET(sock));
+	REQUIRE(sock->fd >= 0);
+
+	/*
+	 * Get the first item off the connect list.
+	 * If it is empty, unlock the socket and return.
+	 */
+	dev = ISC_LIST_HEAD(sock->connect_list);
+	if (dev == NULL) {
+		INSIST(!sock->connecting);
+		goto finish;
+	}
+
+	INSIST(sock->connecting);
+	sock->connecting = 0;
+
+	/*
+	 * Get any possible error status here.
+	 */
+	optlen = sizeof(cc);
+	if (getsockopt(sock->fd, SOL_SOCKET, SO_ERROR, (void *)&cc,
+		       (void *)&optlen) != 0)
+	{
+		cc = errno;
+	} else {
+		errno = cc;
+	}
+
+	if (errno != 0) {
+		/*
+		 * If the error is EAGAIN, just re-select on this
+		 * fd and pretend nothing strange happened.
+		 */
+		if (SOFT_ERROR(errno) || errno == EINPROGRESS) {
+			sock->connecting = 1;
+			return;
+		}
+
+		inc_stats(sock->manager->stats,
+			  sock->statsindex[STATID_CONNECTFAIL]);
+
+		/*
+		 * Translate other errors into ISC_R_* flavors.
+		 */
+		switch (errno) {
+#define ERROR_MATCH(a, b)   \
+	case a:             \
+		result = b; \
+		break;
+			ERROR_MATCH(EACCES, ISC_R_NOPERM);
+			ERROR_MATCH(EADDRNOTAVAIL, ISC_R_ADDRNOTAVAIL);
+			ERROR_MATCH(EAFNOSUPPORT, ISC_R_ADDRNOTAVAIL);
+			ERROR_MATCH(ECONNREFUSED, ISC_R_CONNREFUSED);
+			ERROR_MATCH(EHOSTUNREACH, ISC_R_HOSTUNREACH);
+#ifdef EHOSTDOWN
+			ERROR_MATCH(EHOSTDOWN, ISC_R_HOSTUNREACH);
+#endif /* ifdef EHOSTDOWN */
+			ERROR_MATCH(ENETUNREACH, ISC_R_NETUNREACH);
+			ERROR_MATCH(ENOBUFS, ISC_R_NORESOURCES);
+			ERROR_MATCH(EPERM, ISC_R_HOSTUNREACH);
+			ERROR_MATCH(EPIPE, ISC_R_NOTCONNECTED);
+			ERROR_MATCH(ETIMEDOUT, ISC_R_TIMEDOUT);
+			ERROR_MATCH(ECONNRESET, ISC_R_CONNECTIONRESET);
+#undef ERROR_MATCH
+		default:
+			result = ISC_R_UNEXPECTED;
+			isc_sockaddr_format(&sock->peer_address, peerbuf,
+					    sizeof(peerbuf));
+			strerror_r(errno, strbuf, sizeof(strbuf));
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "internal_connect: connect(%s) %s",
+					 peerbuf, strbuf);
+		}
+	} else {
+		inc_stats(sock->manager->stats,
+			  sock->statsindex[STATID_CONNECT]);
+		result = ISC_R_SUCCESS;
+		sock->connected = 1;
+		sock->bound = 1;
+	}
+
+	do {
+		dev->result = result;
+		send_connectdone_event(sock, &dev);
+		dev = ISC_LIST_HEAD(sock->connect_list);
+	} while (dev != NULL);
+
+finish:
+	unwatch_fd(&sock->manager->threads[sock->threadid], sock->fd,
+		   SELECT_POKE_CONNECT);
+}
+
+isc_result_t
+isc_socket_getpeername(isc_socket_t *sock, isc_sockaddr_t *addressp) {
+	isc_result_t result;
+
+	REQUIRE(VALID_SOCKET(sock));
+	REQUIRE(addressp != NULL);
+
+	LOCK(&sock->lock);
+
+	if (sock->connected) {
+		*addressp = sock->peer_address;
+		result = ISC_R_SUCCESS;
+	} else {
+		result = ISC_R_NOTCONNECTED;
+	}
+
+	UNLOCK(&sock->lock);
+
+	return (result);
+}
+
+isc_result_t
+isc_socket_getsockname(isc_socket_t *sock, isc_sockaddr_t *addressp) {
+	socklen_t len;
+	isc_result_t result;
+	char strbuf[ISC_STRERRORSIZE];
+
+	REQUIRE(VALID_SOCKET(sock));
+	REQUIRE(addressp != NULL);
+
+	LOCK(&sock->lock);
+
+	if (!sock->bound) {
+		result = ISC_R_NOTBOUND;
+		goto out;
+	}
+
+	result = ISC_R_SUCCESS;
+
+	len = sizeof(addressp->type);
+	if (getsockname(sock->fd, &addressp->type.sa, (void *)&len) < 0) {
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__, "getsockname: %s", strbuf);
+		result = ISC_R_UNEXPECTED;
+		goto out;
+	}
+	addressp->length = (unsigned int)len;
+
+out:
+	UNLOCK(&sock->lock);
+
+	return (result);
+}
+
+/*
+ * Run through the list of events on this socket, and cancel the ones
+ * queued for task "task" of type "how".  "how" is a bitmask.
+ */
+void
+isc_socket_cancel(isc_socket_t *sock, isc_task_t *task, unsigned int how) {
+	REQUIRE(VALID_SOCKET(sock));
+
+	/*
+	 * Quick exit if there is nothing to do.  Don't even bother locking
+	 * in this case.
+	 */
+	if (how == 0) {
+		return;
+	}
+
+	LOCK(&sock->lock);
+
+	/*
+	 * All of these do the same thing, more or less.
+	 * Each will:
+	 *	o If the internal event is marked as "posted" try to
+	 *	  remove it from the task's queue.  If this fails, mark it
+	 *	  as canceled instead, and let the task clean it up later.
+	 *	o For each I/O request for that task of that type, post
+	 *	  its done event with status of "ISC_R_CANCELED".
+	 *	o Reset any state needed.
+	 */
+	if (((how & ISC_SOCKCANCEL_RECV) != 0) &&
+	    !ISC_LIST_EMPTY(sock->recv_list))
+	{
+		isc_socketevent_t *dev;
+		isc_socketevent_t *next;
+		isc_task_t *current_task;
+
+		dev = ISC_LIST_HEAD(sock->recv_list);
+
+		while (dev != NULL) {
+			current_task = dev->ev_sender;
+			next = ISC_LIST_NEXT(dev, ev_link);
+
+			if ((task == NULL) || (task == current_task)) {
+				dev->result = ISC_R_CANCELED;
+				send_recvdone_event(sock, &dev);
+			}
+			dev = next;
+		}
+	}
+
+	if (((how & ISC_SOCKCANCEL_SEND) != 0) &&
+	    !ISC_LIST_EMPTY(sock->send_list))
+	{
+		isc_socketevent_t *dev;
+		isc_socketevent_t *next;
+		isc_task_t *current_task;
+
+		dev = ISC_LIST_HEAD(sock->send_list);
+
+		while (dev != NULL) {
+			current_task = dev->ev_sender;
+			next = ISC_LIST_NEXT(dev, ev_link);
+
+			if ((task == NULL) || (task == current_task)) {
+				dev->result = ISC_R_CANCELED;
+				send_senddone_event(sock, &dev);
+			}
+			dev = next;
+		}
+	}
+
+	if (((how & ISC_SOCKCANCEL_ACCEPT) != 0) &&
+	    !ISC_LIST_EMPTY(sock->accept_list))
+	{
+		isc_socket_newconnev_t *dev;
+		isc_socket_newconnev_t *next;
+		isc_task_t *current_task;
+
+		dev = ISC_LIST_HEAD(sock->accept_list);
+		while (dev != NULL) {
+			current_task = dev->ev_sender;
+			next = ISC_LIST_NEXT(dev, ev_link);
+
+			if ((task == NULL) || (task == current_task)) {
+				ISC_LIST_UNLINK(sock->accept_list, dev,
+						ev_link);
+
+				isc_refcount_decrementz(
+					&NEWCONNSOCK(dev)->references);
+				free_socket((isc_socket_t **)&dev->newsocket);
+
+				dev->result = ISC_R_CANCELED;
+				dev->ev_sender = sock;
+				isc_task_sendtoanddetach(&current_task,
+							 ISC_EVENT_PTR(&dev),
+							 sock->threadid);
+			}
+
+			dev = next;
+		}
+	}
+
+	if (((how & ISC_SOCKCANCEL_CONNECT) != 0) &&
+	    !ISC_LIST_EMPTY(sock->connect_list))
+	{
+		isc_socket_connev_t *dev;
+		isc_socket_connev_t *next;
+		isc_task_t *current_task;
+
+		INSIST(sock->connecting);
+		sock->connecting = 0;
+
+		dev = ISC_LIST_HEAD(sock->connect_list);
+
+		while (dev != NULL) {
+			current_task = dev->ev_sender;
+			next = ISC_LIST_NEXT(dev, ev_link);
+
+			if ((task == NULL) || (task == current_task)) {
+				dev->result = ISC_R_CANCELED;
+				send_connectdone_event(sock, &dev);
+			}
+			dev = next;
+		}
+	}
+
+	UNLOCK(&sock->lock);
+}
+
+isc_sockettype_t
+isc_socket_gettype(isc_socket_t *sock) {
+	REQUIRE(VALID_SOCKET(sock));
+
+	return (sock->type);
+}
+
+void
+isc_socket_ipv6only(isc_socket_t *sock, bool yes) {
+#if defined(IPV6_V6ONLY) && !defined(__OpenBSD__)
+	int onoff = yes ? 1 : 0;
+#else  /* if defined(IPV6_V6ONLY) */
+	UNUSED(yes);
+	UNUSED(sock);
+#endif /* if defined(IPV6_V6ONLY) */
+
+	REQUIRE(VALID_SOCKET(sock));
+	INSIST(!sock->dupped);
+
+#if defined(IPV6_V6ONLY) && !defined(__OpenBSD__)
+	if (sock->pf == AF_INET6) {
+		if (setsockopt(sock->fd, IPPROTO_IPV6, IPV6_V6ONLY,
+			       (void *)&onoff, sizeof(int)) < 0)
+		{
+			char strbuf[ISC_STRERRORSIZE];
+			strerror_r(errno, strbuf, sizeof(strbuf));
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "setsockopt(%d, IPV6_V6ONLY) failed: "
+					 "%s",
+					 sock->fd, strbuf);
+		}
+	}
+#endif /* ifdef IPV6_V6ONLY */
+}
+
+static void
+setdscp(isc_socket_t *sock, isc_dscp_t dscp) {
+#if defined(IP_TOS) || defined(IPV6_TCLASS)
+	int value = dscp << 2;
+#endif /* if defined(IP_TOS) || defined(IPV6_TCLASS) */
+
+	sock->dscp = dscp;
+
+#ifdef IP_TOS
+	if (sock->pf == AF_INET) {
+		if (setsockopt(sock->fd, IPPROTO_IP, IP_TOS, (void *)&value,
+			       sizeof(value)) < 0)
+		{
+			char strbuf[ISC_STRERRORSIZE];
+			strerror_r(errno, strbuf, sizeof(strbuf));
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "setsockopt(%d, IP_TOS, %.02x) "
+					 "failed: %s",
+					 sock->fd, value >> 2, strbuf);
+		}
+	}
+#endif /* ifdef IP_TOS */
+#ifdef IPV6_TCLASS
+	if (sock->pf == AF_INET6) {
+		if (setsockopt(sock->fd, IPPROTO_IPV6, IPV6_TCLASS,
+			       (void *)&value, sizeof(value)) < 0)
+		{
+			char strbuf[ISC_STRERRORSIZE];
+			strerror_r(errno, strbuf, sizeof(strbuf));
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "setsockopt(%d, IPV6_TCLASS, %.02x) "
+					 "failed: %s",
+					 sock->fd, dscp >> 2, strbuf);
+		}
+	}
+#endif /* ifdef IPV6_TCLASS */
+}
+
+void
+isc_socket_dscp(isc_socket_t *sock, isc_dscp_t dscp) {
+	REQUIRE(VALID_SOCKET(sock));
+	REQUIRE(dscp < 0x40);
+
+#if !defined(IP_TOS) && !defined(IPV6_TCLASS)
+	UNUSED(dscp);
+#else  /* if !defined(IP_TOS) && !defined(IPV6_TCLASS) */
+	if (dscp < 0) {
+		return;
+	}
+
+	/* The DSCP value must not be changed once it has been set. */
+	if (isc_dscp_check_value != -1) {
+		INSIST(dscp == isc_dscp_check_value);
+	}
+#endif /* if !defined(IP_TOS) && !defined(IPV6_TCLASS) */
+
+#ifdef notyet
+	REQUIRE(!sock->dupped);
+#endif /* ifdef notyet */
+
+	setdscp(sock, dscp);
+}
+
+isc_socketevent_t *
+isc_socket_socketevent(isc_mem_t *mctx, void *sender, isc_eventtype_t eventtype,
+		       isc_taskaction_t action, void *arg) {
+	return (allocate_socketevent(mctx, sender, eventtype, action, arg));
+}
+
+void
+isc_socket_setname(isc_socket_t *sock, const char *name, void *tag) {
+	/*
+	 * Name 'sock'.
+	 */
+
+	REQUIRE(VALID_SOCKET(sock));
+
+	LOCK(&sock->lock);
+	strlcpy(sock->name, name, sizeof(sock->name));
+	sock->tag = tag;
+	UNLOCK(&sock->lock);
+}
+
+const char *
+isc_socket_getname(isc_socket_t *sock) {
+	return (sock->name);
+}
+
+void *
+isc_socket_gettag(isc_socket_t *sock) {
+	return (sock->tag);
+}
+
+int
+isc_socket_getfd(isc_socket_t *sock) {
+	return ((short)sock->fd);
+}
+
+static isc_once_t hasreuseport_once = ISC_ONCE_INIT;
+static bool hasreuseport = false;
+
+static void
+init_hasreuseport() {
+/*
+ * SO_REUSEPORT works very differently on *BSD and on Linux (because why not).
+ * We only want to use it on Linux, if it's available. On BSD we want to dup()
+ * sockets instead of re-binding them.
+ */
+#if (defined(SO_REUSEPORT) && defined(__linux__)) || \
+	(defined(SO_REUSEPORT_LB) && defined(__FreeBSD_kernel__))
+	int sock, yes = 1;
+	sock = socket(AF_INET, SOCK_DGRAM, 0);
+	if (sock < 0) {
+		sock = socket(AF_INET6, SOCK_DGRAM, 0);
+		if (sock < 0) {
+			return;
+		}
+	}
+	if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *)&yes,
+		       sizeof(yes)) < 0)
+	{
+		close(sock);
+		return;
+#if defined(__FreeBSD_kernel__)
+	} else if (setsockopt(sock, SOL_SOCKET, SO_REUSEPORT_LB, (void *)&yes,
+			      sizeof(yes)) < 0)
+#else  /* if defined(__FreeBSD_kernel__) */
+	} else if (setsockopt(sock, SOL_SOCKET, SO_REUSEPORT, (void *)&yes,
+			      sizeof(yes)) < 0)
+#endif /* if defined(__FreeBSD_kernel__) */
+	{
+		close(sock);
+		return;
+	}
+	hasreuseport = true;
+	close(sock);
+#endif /* if (defined(SO_REUSEPORT) && defined(__linux__)) || \
+	* (defined(SO_REUSEPORT_LB) && defined(__FreeBSD_kernel__)) */
+}
+
+bool
+isc_socket_hasreuseport() {
+	RUNTIME_CHECK(isc_once_do(&hasreuseport_once, init_hasreuseport) ==
+		      ISC_R_SUCCESS);
+	return (hasreuseport);
+}
+
+#if defined(HAVE_LIBXML2) || defined(HAVE_JSON_C)
+static const char *
+_socktype(isc_sockettype_t type) {
+	switch (type) {
+	case isc_sockettype_udp:
+		return ("udp");
+	case isc_sockettype_tcp:
+		return ("tcp");
+	case isc_sockettype_unix:
+		return ("unix");
+	default:
+		return ("not-initialized");
+	}
+}
+#endif /* if defined(HAVE_LIBXML2) || defined(HAVE_JSON_C) */
+
+#ifdef HAVE_LIBXML2
+#define TRY0(a)                     \
+	do {                        \
+		xmlrc = (a);        \
+		if (xmlrc < 0)      \
+			goto error; \
+	} while (0)
+int
+isc_socketmgr_renderxml(isc_socketmgr_t *mgr, void *writer0) {
+	isc_socket_t *sock = NULL;
+	char peerbuf[ISC_SOCKADDR_FORMATSIZE];
+	isc_sockaddr_t addr;
+	socklen_t len;
+	int xmlrc;
+	xmlTextWriterPtr writer = (xmlTextWriterPtr)writer0;
+
+	LOCK(&mgr->lock);
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "sockets"));
+	sock = ISC_LIST_HEAD(mgr->socklist);
+	while (sock != NULL) {
+		LOCK(&sock->lock);
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "socket"));
+
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "id"));
+		TRY0(xmlTextWriterWriteFormatString(writer, "%p", sock));
+		TRY0(xmlTextWriterEndElement(writer));
+
+		if (sock->name[0] != 0) {
+			TRY0(xmlTextWriterStartElement(writer,
+						       ISC_XMLCHAR "name"));
+			TRY0(xmlTextWriterWriteFormatString(writer, "%s",
+							    sock->name));
+			TRY0(xmlTextWriterEndElement(writer)); /* name */
+		}
+
+		TRY0(xmlTextWriterStartElement(writer,
+					       ISC_XMLCHAR "references"));
+		TRY0(xmlTextWriterWriteFormatString(
+			writer, "%d",
+			(int)isc_refcount_current(&sock->references)));
+		TRY0(xmlTextWriterEndElement(writer));
+
+		TRY0(xmlTextWriterWriteElement(
+			writer, ISC_XMLCHAR "type",
+			ISC_XMLCHAR _socktype(sock->type)));
+
+		if (sock->connected) {
+			isc_sockaddr_format(&sock->peer_address, peerbuf,
+					    sizeof(peerbuf));
+			TRY0(xmlTextWriterWriteElement(
+				writer, ISC_XMLCHAR "peer-address",
+				ISC_XMLCHAR peerbuf));
+		}
+
+		len = sizeof(addr);
+		if (getsockname(sock->fd, &addr.type.sa, (void *)&len) == 0) {
+			isc_sockaddr_format(&addr, peerbuf, sizeof(peerbuf));
+			TRY0(xmlTextWriterWriteElement(
+				writer, ISC_XMLCHAR "local-address",
+				ISC_XMLCHAR peerbuf));
+		}
+
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "states"));
+		if (sock->listener) {
+			TRY0(xmlTextWriterWriteElement(writer,
+						       ISC_XMLCHAR "state",
+						       ISC_XMLCHAR "listener"));
+		}
+		if (sock->connected) {
+			TRY0(xmlTextWriterWriteElement(
+				writer, ISC_XMLCHAR "state",
+				ISC_XMLCHAR "connected"));
+		}
+		if (sock->connecting) {
+			TRY0(xmlTextWriterWriteElement(
+				writer, ISC_XMLCHAR "state",
+				ISC_XMLCHAR "connecting"));
+		}
+		if (sock->bound) {
+			TRY0(xmlTextWriterWriteElement(writer,
+						       ISC_XMLCHAR "state",
+						       ISC_XMLCHAR "bound"));
+		}
+
+		TRY0(xmlTextWriterEndElement(writer)); /* states */
+
+		TRY0(xmlTextWriterEndElement(writer)); /* socket */
+
+		UNLOCK(&sock->lock);
+		sock = ISC_LIST_NEXT(sock, link);
+	}
+	TRY0(xmlTextWriterEndElement(writer)); /* sockets */
+
+error:
+	if (sock != NULL) {
+		UNLOCK(&sock->lock);
+	}
+
+	UNLOCK(&mgr->lock);
+
+	return (xmlrc);
+}
+#endif /* HAVE_LIBXML2 */
+
+#ifdef HAVE_JSON_C
+#define CHECKMEM(m)                              \
+	do {                                     \
+		if (m == NULL) {                 \
+			result = ISC_R_NOMEMORY; \
+			goto error;              \
+		}                                \
+	} while (0)
+
+isc_result_t
+isc_socketmgr_renderjson(isc_socketmgr_t *mgr, void *stats0) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_socket_t *sock = NULL;
+	char peerbuf[ISC_SOCKADDR_FORMATSIZE];
+	isc_sockaddr_t addr;
+	socklen_t len;
+	json_object *obj, *array = json_object_new_array();
+	json_object *stats = (json_object *)stats0;
+
+	CHECKMEM(array);
+
+	LOCK(&mgr->lock);
+
+	sock = ISC_LIST_HEAD(mgr->socklist);
+	while (sock != NULL) {
+		json_object *states, *entry = json_object_new_object();
+		char buf[255];
+
+		CHECKMEM(entry);
+		json_object_array_add(array, entry);
+
+		LOCK(&sock->lock);
+
+		snprintf(buf, sizeof(buf), "%p", sock);
+		obj = json_object_new_string(buf);
+		CHECKMEM(obj);
+		json_object_object_add(entry, "id", obj);
+
+		if (sock->name[0] != 0) {
+			obj = json_object_new_string(sock->name);
+			CHECKMEM(obj);
+			json_object_object_add(entry, "name", obj);
+		}
+
+		obj = json_object_new_int(
+			(int)isc_refcount_current(&sock->references));
+		CHECKMEM(obj);
+		json_object_object_add(entry, "references", obj);
+
+		obj = json_object_new_string(_socktype(sock->type));
+		CHECKMEM(obj);
+		json_object_object_add(entry, "type", obj);
+
+		if (sock->connected) {
+			isc_sockaddr_format(&sock->peer_address, peerbuf,
+					    sizeof(peerbuf));
+			obj = json_object_new_string(peerbuf);
+			CHECKMEM(obj);
+			json_object_object_add(entry, "peer-address", obj);
+		}
+
+		len = sizeof(addr);
+		if (getsockname(sock->fd, &addr.type.sa, (void *)&len) == 0) {
+			isc_sockaddr_format(&addr, peerbuf, sizeof(peerbuf));
+			obj = json_object_new_string(peerbuf);
+			CHECKMEM(obj);
+			json_object_object_add(entry, "local-address", obj);
+		}
+
+		states = json_object_new_array();
+		CHECKMEM(states);
+		json_object_object_add(entry, "states", states);
+
+		if (sock->listener) {
+			obj = json_object_new_string("listener");
+			CHECKMEM(obj);
+			json_object_array_add(states, obj);
+		}
+
+		if (sock->connected) {
+			obj = json_object_new_string("connected");
+			CHECKMEM(obj);
+			json_object_array_add(states, obj);
+		}
+
+		if (sock->connecting) {
+			obj = json_object_new_string("connecting");
+			CHECKMEM(obj);
+			json_object_array_add(states, obj);
+		}
+
+		if (sock->bound) {
+			obj = json_object_new_string("bound");
+			CHECKMEM(obj);
+			json_object_array_add(states, obj);
+		}
+
+		UNLOCK(&sock->lock);
+		sock = ISC_LIST_NEXT(sock, link);
+	}
+
+	json_object_object_add(stats, "sockets", array);
+	array = NULL;
+	result = ISC_R_SUCCESS;
+
+error:
+	if (array != NULL) {
+		json_object_put(array);
+	}
+
+	if (sock != NULL) {
+		UNLOCK(&sock->lock);
+	}
+
+	UNLOCK(&mgr->lock);
+
+	return (result);
+}
+#endif /* HAVE_JSON_C */
diff --git a/lib/isc/unix/socket_p.h b/lib/isc/unix/socket_p.h
new file mode 100644
index 0000000..3323cab
--- /dev/null
+++ b/lib/isc/unix/socket_p.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_SOCKET_P_H
+#define ISC_SOCKET_P_H
+
+/*! \file */
+
+#include <sys/time.h>
+
+typedef struct isc_socketwait isc_socketwait_t;
+int
+isc__socketmgr_waitevents(isc_socketmgr_t *, struct timeval *,
+			  isc_socketwait_t **);
+isc_result_t
+isc__socketmgr_dispatch(isc_socketmgr_t *, isc_socketwait_t *);
+#endif /* ISC_SOCKET_P_H */
diff --git a/lib/isc/unix/stdio.c b/lib/isc/unix/stdio.c
new file mode 100644
index 0000000..12ab678
--- /dev/null
+++ b/lib/isc/unix/stdio.c
@@ -0,0 +1,152 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <isc/stat.h>
+#include <isc/stdio.h>
+#include <isc/util.h>
+
+#include "errno2result.h"
+
+isc_result_t
+isc_stdio_open(const char *filename, const char *mode, FILE **fp) {
+	FILE *f;
+
+	f = fopen(filename, mode);
+	if (f == NULL) {
+		return (isc__errno2result(errno));
+	}
+	*fp = f;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_stdio_close(FILE *f) {
+	int r;
+
+	r = fclose(f);
+	if (r == 0) {
+		return (ISC_R_SUCCESS);
+	} else {
+		return (isc__errno2result(errno));
+	}
+}
+
+isc_result_t
+isc_stdio_seek(FILE *f, off_t offset, int whence) {
+	int r;
+
+	r = fseeko(f, offset, whence);
+	if (r == 0) {
+		return (ISC_R_SUCCESS);
+	} else {
+		return (isc__errno2result(errno));
+	}
+}
+
+isc_result_t
+isc_stdio_tell(FILE *f, off_t *offsetp) {
+	off_t r;
+
+	REQUIRE(offsetp != NULL);
+
+	r = ftello(f);
+	if (r >= 0) {
+		*offsetp = r;
+		return (ISC_R_SUCCESS);
+	} else {
+		return (isc__errno2result(errno));
+	}
+}
+
+isc_result_t
+isc_stdio_read(void *ptr, size_t size, size_t nmemb, FILE *f, size_t *nret) {
+	isc_result_t result = ISC_R_SUCCESS;
+	size_t r;
+
+	clearerr(f);
+	r = fread(ptr, size, nmemb, f);
+	if (r != nmemb) {
+		if (feof(f)) {
+			result = ISC_R_EOF;
+		} else {
+			result = isc__errno2result(errno);
+		}
+	}
+	if (nret != NULL) {
+		*nret = r;
+	}
+	return (result);
+}
+
+isc_result_t
+isc_stdio_write(const void *ptr, size_t size, size_t nmemb, FILE *f,
+		size_t *nret) {
+	isc_result_t result = ISC_R_SUCCESS;
+	size_t r;
+
+	clearerr(f);
+	r = fwrite(ptr, size, nmemb, f);
+	if (r != nmemb) {
+		result = isc__errno2result(errno);
+	}
+	if (nret != NULL) {
+		*nret = r;
+	}
+	return (result);
+}
+
+isc_result_t
+isc_stdio_flush(FILE *f) {
+	int r;
+
+	r = fflush(f);
+	if (r == 0) {
+		return (ISC_R_SUCCESS);
+	} else {
+		return (isc__errno2result(errno));
+	}
+}
+
+/*
+ * OpenBSD has deprecated ENOTSUP in favor of EOPNOTSUPP.
+ */
+#if defined(EOPNOTSUPP) && !defined(ENOTSUP)
+#define ENOTSUP EOPNOTSUPP
+#endif /* if defined(EOPNOTSUPP) && !defined(ENOTSUP) */
+
+isc_result_t
+isc_stdio_sync(FILE *f) {
+	struct stat buf;
+	int r;
+
+	if (fstat(fileno(f), &buf) != 0) {
+		return (isc__errno2result(errno));
+	}
+
+	/*
+	 * Only call fsync() on regular files.
+	 */
+	if ((buf.st_mode & S_IFMT) != S_IFREG) {
+		return (ISC_R_SUCCESS);
+	}
+
+	r = fsync(fileno(f));
+	if (r == 0) {
+		return (ISC_R_SUCCESS);
+	} else {
+		return (isc__errno2result(errno));
+	}
+}
diff --git a/lib/isc/unix/stdtime.c b/lib/isc/unix/stdtime.c
new file mode 100644
index 0000000..ada19d0
--- /dev/null
+++ b/lib/isc/unix/stdtime.c
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <errno.h>
+#include <stdbool.h>
+#include <stddef.h> /* NULL */
+#include <stdlib.h> /* NULL */
+#include <syslog.h>
+#include <time.h>
+
+#include <isc/stdtime.h>
+#include <isc/strerr.h>
+#include <isc/util.h>
+
+#define NS_PER_S 1000000000 /*%< Nanoseconds per second. */
+
+#if defined(CLOCK_REALTIME_COARSE)
+#define CLOCKSOURCE CLOCK_REALTIME_COARSE
+#elif defined(CLOCK_REALTIME_FAST)
+#define CLOCKSOURCE CLOCK_REALTIME_FAST
+#else /* if defined(CLOCK_REALTIME_COARSE) */
+#define CLOCKSOURCE CLOCK_REALTIME
+#endif /* if defined(CLOCK_REALTIME_COARSE) */
+
+void
+isc_stdtime_get(isc_stdtime_t *t) {
+	REQUIRE(t != NULL);
+
+	struct timespec ts;
+
+	if (clock_gettime(CLOCKSOURCE, &ts) == -1) {
+		char strbuf[ISC_STRERRORSIZE];
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		isc_error_fatal(__FILE__, __LINE__, "clock_gettime failed: %s",
+				strbuf);
+	}
+
+	REQUIRE(ts.tv_sec > 0 && ts.tv_nsec >= 0 && ts.tv_nsec < NS_PER_S);
+
+	*t = (isc_stdtime_t)ts.tv_sec;
+}
+
+void
+isc_stdtime_tostring(isc_stdtime_t t, char *out, size_t outlen) {
+	time_t when;
+
+	REQUIRE(out != NULL);
+	REQUIRE(outlen >= 26);
+
+	UNUSED(outlen);
+
+	/* time_t and isc_stdtime_t might be different sizes */
+	when = t;
+	INSIST((ctime_r(&when, out) != NULL));
+	*(out + strlen(out) - 1) = '\0';
+}
diff --git a/lib/isc/unix/syslog.c b/lib/isc/unix/syslog.c
new file mode 100644
index 0000000..81b99ca
--- /dev/null
+++ b/lib/isc/unix/syslog.c
@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <stdlib.h>
+#include <syslog.h>
+
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/syslog.h>
+#include <isc/util.h>
+
+static struct dsn_c_pvt_sfnt {
+	int val;
+	const char *strval;
+} facilities[] = { { LOG_KERN, "kern" },
+		   { LOG_USER, "user" },
+		   { LOG_MAIL, "mail" },
+		   { LOG_DAEMON, "daemon" },
+		   { LOG_AUTH, "auth" },
+		   { LOG_SYSLOG, "syslog" },
+		   { LOG_LPR, "lpr" },
+#ifdef LOG_NEWS
+		   { LOG_NEWS, "news" },
+#endif /* ifdef LOG_NEWS */
+#ifdef LOG_UUCP
+		   { LOG_UUCP, "uucp" },
+#endif /* ifdef LOG_UUCP */
+#ifdef LOG_CRON
+		   { LOG_CRON, "cron" },
+#endif /* ifdef LOG_CRON */
+#ifdef LOG_AUTHPRIV
+		   { LOG_AUTHPRIV, "authpriv" },
+#endif /* ifdef LOG_AUTHPRIV */
+#ifdef LOG_FTP
+		   { LOG_FTP, "ftp" },
+#endif /* ifdef LOG_FTP */
+		   { LOG_LOCAL0, "local0" },
+		   { LOG_LOCAL1, "local1" },
+		   { LOG_LOCAL2, "local2" },
+		   { LOG_LOCAL3, "local3" },
+		   { LOG_LOCAL4, "local4" },
+		   { LOG_LOCAL5, "local5" },
+		   { LOG_LOCAL6, "local6" },
+		   { LOG_LOCAL7, "local7" },
+		   { 0, NULL } };
+
+isc_result_t
+isc_syslog_facilityfromstring(const char *str, int *facilityp) {
+	int i;
+
+	REQUIRE(str != NULL);
+	REQUIRE(facilityp != NULL);
+
+	for (i = 0; facilities[i].strval != NULL; i++) {
+		if (strcasecmp(facilities[i].strval, str) == 0) {
+			*facilityp = facilities[i].val;
+			return (ISC_R_SUCCESS);
+		}
+	}
+	return (ISC_R_NOTFOUND);
+}
diff --git a/lib/isc/unix/time.c b/lib/isc/unix/time.c
new file mode 100644
index 0000000..02291e4
--- /dev/null
+++ b/lib/isc/unix/time.c
@@ -0,0 +1,553 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <errno.h>
+#include <inttypes.h>
+#include <limits.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <sys/time.h> /* Required for struct timeval on some platforms. */
+#include <syslog.h>
+#include <time.h>
+
+#include <isc/log.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/strerr.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/tm.h>
+#include <isc/util.h>
+
+#define NS_PER_S  1000000000 /*%< Nanoseconds per second. */
+#define NS_PER_US 1000	     /*%< Nanoseconds per microsecond. */
+#define NS_PER_MS 1000000    /*%< Nanoseconds per millisecond. */
+
+#if defined(CLOCK_REALTIME)
+#define CLOCKSOURCE_HIRES CLOCK_REALTIME
+#endif /* #if defined(CLOCK_REALTIME) */
+
+#if defined(CLOCK_REALTIME_COARSE)
+#define CLOCKSOURCE CLOCK_REALTIME_COARSE
+#elif defined(CLOCK_REALTIME_FAST)
+#define CLOCKSOURCE CLOCK_REALTIME_FAST
+#else /* if defined(CLOCK_REALTIME_COARSE) */
+#define CLOCKSOURCE CLOCK_REALTIME
+#endif /* if defined(CLOCK_REALTIME_COARSE) */
+
+#if !defined(CLOCKSOURCE_HIRES)
+#define CLOCKSOURCE_HIRES CLOCKSOURCE
+#endif /* #ifndef CLOCKSOURCE_HIRES */
+
+/*%
+ *** Intervals
+ ***/
+
+#if !defined(UNIT_TESTING)
+static const isc_interval_t zero_interval = { 0, 0 };
+const isc_interval_t *const isc_interval_zero = &zero_interval;
+#endif
+
+void
+isc_interval_set(isc_interval_t *i, unsigned int seconds,
+		 unsigned int nanoseconds) {
+	REQUIRE(i != NULL);
+	REQUIRE(nanoseconds < NS_PER_S);
+
+	i->seconds = seconds;
+	i->nanoseconds = nanoseconds;
+}
+
+bool
+isc_interval_iszero(const isc_interval_t *i) {
+	REQUIRE(i != NULL);
+	INSIST(i->nanoseconds < NS_PER_S);
+
+	if (i->seconds == 0 && i->nanoseconds == 0) {
+		return (true);
+	}
+
+	return (false);
+}
+
+/***
+ *** Absolute Times
+ ***/
+
+#if !defined(UNIT_TESTING)
+static const isc_time_t epoch = { 0, 0 };
+const isc_time_t *const isc_time_epoch = &epoch;
+#endif
+
+void
+isc_time_set(isc_time_t *t, unsigned int seconds, unsigned int nanoseconds) {
+	REQUIRE(t != NULL);
+	REQUIRE(nanoseconds < NS_PER_S);
+
+	t->seconds = seconds;
+	t->nanoseconds = nanoseconds;
+}
+
+void
+isc_time_settoepoch(isc_time_t *t) {
+	REQUIRE(t != NULL);
+
+	t->seconds = 0;
+	t->nanoseconds = 0;
+}
+
+bool
+isc_time_isepoch(const isc_time_t *t) {
+	REQUIRE(t != NULL);
+	INSIST(t->nanoseconds < NS_PER_S);
+
+	if (t->seconds == 0 && t->nanoseconds == 0) {
+		return (true);
+	}
+
+	return (false);
+}
+
+static isc_result_t
+time_now(isc_time_t *t, clockid_t clock) {
+	struct timespec ts;
+	char strbuf[ISC_STRERRORSIZE];
+
+	REQUIRE(t != NULL);
+
+	if (clock_gettime(clock, &ts) == -1) {
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__, "%s", strbuf);
+		return (ISC_R_UNEXPECTED);
+	}
+
+	if (ts.tv_sec < 0 || ts.tv_nsec < 0 || ts.tv_nsec >= NS_PER_S) {
+		return (ISC_R_UNEXPECTED);
+	}
+
+	/*
+	 * Ensure the tv_sec value fits in t->seconds.
+	 */
+	if (sizeof(ts.tv_sec) > sizeof(t->seconds) &&
+	    ((ts.tv_sec | (unsigned int)-1) ^ (unsigned int)-1) != 0U)
+	{
+		return (ISC_R_RANGE);
+	}
+
+	t->seconds = ts.tv_sec;
+	t->nanoseconds = ts.tv_nsec;
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_time_now_hires(isc_time_t *t) {
+	return time_now(t, CLOCKSOURCE_HIRES);
+}
+
+isc_result_t
+isc_time_now(isc_time_t *t) {
+	return time_now(t, CLOCKSOURCE);
+}
+
+isc_result_t
+isc_time_nowplusinterval(isc_time_t *t, const isc_interval_t *i) {
+	struct timespec ts;
+	char strbuf[ISC_STRERRORSIZE];
+
+	REQUIRE(t != NULL);
+	REQUIRE(i != NULL);
+	INSIST(i->nanoseconds < NS_PER_S);
+
+	if (clock_gettime(CLOCKSOURCE, &ts) == -1) {
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__, "%s", strbuf);
+		return (ISC_R_UNEXPECTED);
+	}
+
+	if (ts.tv_sec < 0 || ts.tv_nsec < 0 || ts.tv_nsec >= NS_PER_S) {
+		return (ISC_R_UNEXPECTED);
+	}
+
+	/*
+	 * Ensure the resulting seconds value fits in the size of an
+	 * unsigned int.  (It is written this way as a slight optimization;
+	 * note that even if both values == INT_MAX, then when added
+	 * and getting another 1 added below the result is UINT_MAX.)
+	 */
+	if ((ts.tv_sec > INT_MAX || i->seconds > INT_MAX) &&
+	    ((long long)ts.tv_sec + i->seconds > UINT_MAX))
+	{
+		return (ISC_R_RANGE);
+	}
+
+	t->seconds = ts.tv_sec + i->seconds;
+	t->nanoseconds = ts.tv_nsec + i->nanoseconds;
+	if (t->nanoseconds >= NS_PER_S) {
+		t->seconds++;
+		t->nanoseconds -= NS_PER_S;
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+int
+isc_time_compare(const isc_time_t *t1, const isc_time_t *t2) {
+	REQUIRE(t1 != NULL && t2 != NULL);
+	INSIST(t1->nanoseconds < NS_PER_S && t2->nanoseconds < NS_PER_S);
+
+	if (t1->seconds < t2->seconds) {
+		return (-1);
+	}
+	if (t1->seconds > t2->seconds) {
+		return (1);
+	}
+	if (t1->nanoseconds < t2->nanoseconds) {
+		return (-1);
+	}
+	if (t1->nanoseconds > t2->nanoseconds) {
+		return (1);
+	}
+	return (0);
+}
+
+isc_result_t
+isc_time_add(const isc_time_t *t, const isc_interval_t *i, isc_time_t *result) {
+	REQUIRE(t != NULL && i != NULL && result != NULL);
+	REQUIRE(t->nanoseconds < NS_PER_S && i->nanoseconds < NS_PER_S);
+
+	/* Seconds */
+	if (t->seconds > UINT_MAX - i->seconds) {
+		return (ISC_R_RANGE);
+	}
+	result->seconds = t->seconds + i->seconds;
+
+	/* Nanoseconds */
+	result->nanoseconds = t->nanoseconds + i->nanoseconds;
+	if (result->nanoseconds >= NS_PER_S) {
+		if (result->seconds == UINT_MAX) {
+			return (ISC_R_RANGE);
+		}
+		result->nanoseconds -= NS_PER_S;
+		result->seconds++;
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_time_subtract(const isc_time_t *t, const isc_interval_t *i,
+		  isc_time_t *result) {
+	REQUIRE(t != NULL && i != NULL && result != NULL);
+	REQUIRE(t->nanoseconds < NS_PER_S && i->nanoseconds < NS_PER_S);
+
+	/* Seconds */
+	if (t->seconds < i->seconds) {
+		return (ISC_R_RANGE);
+	}
+	result->seconds = t->seconds - i->seconds;
+
+	/* Nanoseconds */
+	if (t->nanoseconds >= i->nanoseconds) {
+		result->nanoseconds = t->nanoseconds - i->nanoseconds;
+	} else {
+		if (result->seconds == 0) {
+			return (ISC_R_RANGE);
+		}
+		result->seconds--;
+		result->nanoseconds = NS_PER_S + t->nanoseconds -
+				      i->nanoseconds;
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+uint64_t
+isc_time_microdiff(const isc_time_t *t1, const isc_time_t *t2) {
+	uint64_t i1, i2, i3;
+
+	REQUIRE(t1 != NULL && t2 != NULL);
+	INSIST(t1->nanoseconds < NS_PER_S && t2->nanoseconds < NS_PER_S);
+
+	i1 = (uint64_t)t1->seconds * NS_PER_S + t1->nanoseconds;
+	i2 = (uint64_t)t2->seconds * NS_PER_S + t2->nanoseconds;
+
+	if (i1 <= i2) {
+		return (0);
+	}
+
+	i3 = i1 - i2;
+
+	/*
+	 * Convert to microseconds.
+	 */
+	i3 /= NS_PER_US;
+
+	return (i3);
+}
+
+uint32_t
+isc_time_seconds(const isc_time_t *t) {
+	REQUIRE(t != NULL);
+	INSIST(t->nanoseconds < NS_PER_S);
+
+	return ((uint32_t)t->seconds);
+}
+
+isc_result_t
+isc_time_secondsastimet(const isc_time_t *t, time_t *secondsp) {
+	time_t seconds;
+
+	REQUIRE(t != NULL);
+	INSIST(t->nanoseconds < NS_PER_S);
+
+	/*
+	 * Ensure that the number of seconds represented by t->seconds
+	 * can be represented by a time_t.  Since t->seconds is an
+	 * unsigned int and since time_t is mostly opaque, this is
+	 * trickier than it seems.  (This standardized opaqueness of
+	 * time_t is *very* frustrating; time_t is not even limited to
+	 * being an integral type.)
+	 *
+	 * The mission, then, is to avoid generating any kind of warning
+	 * about "signed versus unsigned" while trying to determine if
+	 * the unsigned int t->seconds is out range for tv_sec,
+	 * which is pretty much only true if time_t is a signed integer
+	 * of the same size as the return value of isc_time_seconds.
+	 *
+	 * If the paradox in the if clause below is true, t->seconds is
+	 * out of range for time_t.
+	 */
+	seconds = (time_t)t->seconds;
+
+	INSIST(sizeof(unsigned int) == sizeof(uint32_t));
+	INSIST(sizeof(time_t) >= sizeof(uint32_t));
+
+	if (t->seconds > (~0U >> 1) && seconds <= (time_t)(~0U >> 1)) {
+		return (ISC_R_RANGE);
+	}
+
+	*secondsp = seconds;
+
+	return (ISC_R_SUCCESS);
+}
+
+uint32_t
+isc_time_nanoseconds(const isc_time_t *t) {
+	REQUIRE(t != NULL);
+
+	ENSURE(t->nanoseconds < NS_PER_S);
+
+	return ((uint32_t)t->nanoseconds);
+}
+
+void
+isc_time_formattimestamp(const isc_time_t *t, char *buf, unsigned int len) {
+	time_t now;
+	unsigned int flen;
+	struct tm tm;
+
+	REQUIRE(t != NULL);
+	INSIST(t->nanoseconds < NS_PER_S);
+	REQUIRE(buf != NULL);
+	REQUIRE(len > 0);
+
+	now = (time_t)t->seconds;
+	flen = strftime(buf, len, "%d-%b-%Y %X", localtime_r(&now, &tm));
+	INSIST(flen < len);
+	if (flen != 0) {
+		snprintf(buf + flen, len - flen, ".%03u",
+			 t->nanoseconds / NS_PER_MS);
+	} else {
+		strlcpy(buf, "99-Bad-9999 99:99:99.999", len);
+	}
+}
+
+void
+isc_time_formathttptimestamp(const isc_time_t *t, char *buf, unsigned int len) {
+	time_t now;
+	unsigned int flen;
+	struct tm tm;
+
+	REQUIRE(t != NULL);
+	INSIST(t->nanoseconds < NS_PER_S);
+	REQUIRE(buf != NULL);
+	REQUIRE(len > 0);
+
+	/*
+	 * 5 spaces, 1 comma, 3 GMT, 2 %d, 4 %Y, 8 %H:%M:%S, 3+ %a, 3+
+	 * %b (29+)
+	 */
+	now = (time_t)t->seconds;
+	flen = strftime(buf, len, "%a, %d %b %Y %H:%M:%S GMT",
+			gmtime_r(&now, &tm));
+	INSIST(flen < len);
+}
+
+isc_result_t
+isc_time_parsehttptimestamp(char *buf, isc_time_t *t) {
+	struct tm t_tm;
+	time_t when;
+	char *p;
+
+	REQUIRE(buf != NULL);
+	REQUIRE(t != NULL);
+
+	p = isc_tm_strptime(buf, "%a, %d %b %Y %H:%M:%S", &t_tm);
+	if (p == NULL) {
+		return (ISC_R_UNEXPECTED);
+	}
+	when = isc_tm_timegm(&t_tm);
+	if (when == -1) {
+		return (ISC_R_UNEXPECTED);
+	}
+	isc_time_set(t, when, 0);
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_time_formatISO8601L(const isc_time_t *t, char *buf, unsigned int len) {
+	time_t now;
+	unsigned int flen;
+	struct tm tm;
+
+	REQUIRE(t != NULL);
+	INSIST(t->nanoseconds < NS_PER_S);
+	REQUIRE(buf != NULL);
+	REQUIRE(len > 0);
+
+	now = (time_t)t->seconds;
+	flen = strftime(buf, len, "%Y-%m-%dT%H:%M:%S", localtime_r(&now, &tm));
+	INSIST(flen < len);
+}
+
+void
+isc_time_formatISO8601Lms(const isc_time_t *t, char *buf, unsigned int len) {
+	time_t now;
+	unsigned int flen;
+	struct tm tm;
+
+	REQUIRE(t != NULL);
+	INSIST(t->nanoseconds < NS_PER_S);
+	REQUIRE(buf != NULL);
+	REQUIRE(len > 0);
+
+	now = (time_t)t->seconds;
+	flen = strftime(buf, len, "%Y-%m-%dT%H:%M:%S", localtime_r(&now, &tm));
+	INSIST(flen < len);
+	if (flen > 0U && len - flen >= 6) {
+		snprintf(buf + flen, len - flen, ".%03u",
+			 t->nanoseconds / NS_PER_MS);
+	}
+}
+
+void
+isc_time_formatISO8601Lus(const isc_time_t *t, char *buf, unsigned int len) {
+	time_t now;
+	unsigned int flen;
+	struct tm tm;
+
+	REQUIRE(t != NULL);
+	INSIST(t->nanoseconds < NS_PER_S);
+	REQUIRE(buf != NULL);
+	REQUIRE(len > 0);
+
+	now = (time_t)t->seconds;
+	flen = strftime(buf, len, "%Y-%m-%dT%H:%M:%S", localtime_r(&now, &tm));
+	INSIST(flen < len);
+	if (flen > 0U && len - flen >= 6) {
+		snprintf(buf + flen, len - flen, ".%06u",
+			 t->nanoseconds / NS_PER_US);
+	}
+}
+
+void
+isc_time_formatISO8601(const isc_time_t *t, char *buf, unsigned int len) {
+	time_t now;
+	unsigned int flen;
+	struct tm tm;
+
+	REQUIRE(t != NULL);
+	INSIST(t->nanoseconds < NS_PER_S);
+	REQUIRE(buf != NULL);
+	REQUIRE(len > 0);
+
+	now = (time_t)t->seconds;
+	flen = strftime(buf, len, "%Y-%m-%dT%H:%M:%SZ", gmtime_r(&now, &tm));
+	INSIST(flen < len);
+}
+
+void
+isc_time_formatISO8601ms(const isc_time_t *t, char *buf, unsigned int len) {
+	time_t now;
+	unsigned int flen;
+	struct tm tm;
+
+	REQUIRE(t != NULL);
+	INSIST(t->nanoseconds < NS_PER_S);
+	REQUIRE(buf != NULL);
+	REQUIRE(len > 0);
+
+	now = (time_t)t->seconds;
+	flen = strftime(buf, len, "%Y-%m-%dT%H:%M:%SZ", gmtime_r(&now, &tm));
+	INSIST(flen < len);
+	if (flen > 0U && len - flen >= 5) {
+		flen -= 1; /* rewind one character (Z) */
+		snprintf(buf + flen, len - flen, ".%03uZ",
+			 t->nanoseconds / NS_PER_MS);
+	}
+}
+
+void
+isc_time_formatISO8601us(const isc_time_t *t, char *buf, unsigned int len) {
+	time_t now;
+	unsigned int flen;
+	struct tm tm;
+
+	REQUIRE(t != NULL);
+	INSIST(t->nanoseconds < NS_PER_S);
+	REQUIRE(buf != NULL);
+	REQUIRE(len > 0);
+
+	now = (time_t)t->seconds;
+	flen = strftime(buf, len, "%Y-%m-%dT%H:%M:%SZ", gmtime_r(&now, &tm));
+	INSIST(flen < len);
+	if (flen > 0U && len - flen >= 5) {
+		flen -= 1; /* rewind one character (Z) */
+		snprintf(buf + flen, len - flen, ".%06uZ",
+			 t->nanoseconds / NS_PER_US);
+	}
+}
+
+void
+isc_time_formatshorttimestamp(const isc_time_t *t, char *buf,
+			      unsigned int len) {
+	time_t now;
+	unsigned int flen;
+	struct tm tm;
+
+	REQUIRE(t != NULL);
+	INSIST(t->nanoseconds < NS_PER_S);
+	REQUIRE(buf != NULL);
+	REQUIRE(len > 0);
+
+	now = (time_t)t->seconds;
+	flen = strftime(buf, len, "%Y%m%d%H%M%S", gmtime_r(&now, &tm));
+	INSIST(flen < len);
+	if (flen > 0U && len - flen >= 5) {
+		snprintf(buf + flen, len - flen, "%03u",
+			 t->nanoseconds / NS_PER_MS);
+	}
+}
diff --git a/lib/isc/url.c b/lib/isc/url.c
new file mode 100644
index 0000000..cccb712
--- /dev/null
+++ b/lib/isc/url.c
@@ -0,0 +1,671 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 and MIT
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright Joyent, Inc. and other Node contributors. All rights reserved.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to
+ * deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+ * sell copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+ * IN THE SOFTWARE.
+ */
+
+#include <ctype.h>
+#include <limits.h>
+#include <stddef.h>
+#include <string.h>
+
+#include <isc/url.h>
+#include <isc/util.h>
+
+#ifndef BIT_AT
+#define BIT_AT(a, i)                                    \
+	(!!((unsigned int)(a)[(unsigned int)(i) >> 3] & \
+	    (1 << ((unsigned int)(i)&7))))
+#endif
+
+#if HTTP_PARSER_STRICT
+#define T(v) 0
+#else
+#define T(v) v
+#endif
+
+static const uint8_t normal_url_char[32] = {
+	/*   0 nul  1 soh  2 stx  3 etx  4 eot  5 enq  6 ack  7 bel  */
+	0 | 0 | 0 | 0 | 0 | 0 | 0 | 0,
+	/*   8 bs   9 ht  10 nl  11 vt  12 np  13 cr  14 so  15 si */
+	0 | T(2) | 0 | 0 | T(16) | 0 | 0 | 0,
+	/*  16 dle 17 dc1 18 dc2 19 dc3 20 dc4 21 nak 22 syn 23 etb */
+	0 | 0 | 0 | 0 | 0 | 0 | 0 | 0,
+	/*  24 can 25 em  26 sub 27 esc 28 fs  29 gs  30 rs  31 us */
+	0 | 0 | 0 | 0 | 0 | 0 | 0 | 0,
+	/*  32 sp  33  !  34  "  35  #  36  $  37  %  38  &  39  ' */
+	0 | 2 | 4 | 0 | 16 | 32 | 64 | 128,
+	/*  40  (  41  )  42  *  43  +  44  ,  45  -  46  .  47  / */
+	1 | 2 | 4 | 8 | 16 | 32 | 64 | 128,
+	/*  48  0  49  1  50  2  51  3  52  4  53  5  54  6  55  7 */
+	1 | 2 | 4 | 8 | 16 | 32 | 64 | 128,
+	/*  56  8  57  9  58  :  59  ;  60  <  61  =  62  >  63  ?  */
+	1 | 2 | 4 | 8 | 16 | 32 | 64 | 0,
+	/*  64  @  65  A  66  B  67  C  68  D  69  E  70  F  71  G */
+	1 | 2 | 4 | 8 | 16 | 32 | 64 | 128,
+	/*  72  H  73  I  74  J  75  K  76  L  77  M  78  N  79  O */
+	1 | 2 | 4 | 8 | 16 | 32 | 64 | 128,
+	/*  80  P  81  Q  82  R  83  S  84  T  85  U  86  V  87  W */
+	1 | 2 | 4 | 8 | 16 | 32 | 64 | 128,
+	/*  88  X  89  Y  90  Z  91  [  92  \  93  ]  94  ^  95  _ */
+	1 | 2 | 4 | 8 | 16 | 32 | 64 | 128,
+	/*  96  `  97  a  98  b  99  c 100  d 101  e 102  f 103  g */
+	1 | 2 | 4 | 8 | 16 | 32 | 64 | 128,
+	/* 104  h 105  i 106  j 107  k 108  l 109  m 110  n 111  o */
+	1 | 2 | 4 | 8 | 16 | 32 | 64 | 128,
+	/* 112  p 113  q 114  r 115  s 116  t 117  u 118  v 119  w */
+	1 | 2 | 4 | 8 | 16 | 32 | 64 | 128,
+	/* 120  x 121  y 122  z 123  { 124  | 125  } 126  ~ 127 del */
+	1 | 2 | 4 | 8 | 16 | 32 | 64 | 0,
+};
+
+#undef T
+
+typedef enum {
+	s_dead = 1, /* important that this is > 0 */
+
+	s_start_req_or_res,
+	s_res_or_resp_H,
+	s_start_res,
+	s_res_H,
+	s_res_HT,
+	s_res_HTT,
+	s_res_HTTP,
+	s_res_http_major,
+	s_res_http_dot,
+	s_res_http_minor,
+	s_res_http_end,
+	s_res_first_status_code,
+	s_res_status_code,
+	s_res_status_start,
+	s_res_status,
+	s_res_line_almost_done,
+
+	s_start_req,
+
+	s_req_method,
+	s_req_spaces_before_url,
+	s_req_schema,
+	s_req_schema_slash,
+	s_req_schema_slash_slash,
+	s_req_server_start,
+	s_req_server,
+	s_req_server_with_at,
+	s_req_path,
+	s_req_query_string_start,
+	s_req_query_string,
+	s_req_fragment_start,
+	s_req_fragment,
+	s_req_http_start,
+	s_req_http_H,
+	s_req_http_HT,
+	s_req_http_HTT,
+	s_req_http_HTTP,
+	s_req_http_I,
+	s_req_http_IC,
+	s_req_http_major,
+	s_req_http_dot,
+	s_req_http_minor,
+	s_req_http_end,
+	s_req_line_almost_done,
+
+	s_header_field_start,
+	s_header_field,
+	s_header_value_discard_ws,
+	s_header_value_discard_ws_almost_done,
+	s_header_value_discard_lws,
+	s_header_value_start,
+	s_header_value,
+	s_header_value_lws,
+
+	s_header_almost_done,
+
+	s_chunk_size_start,
+	s_chunk_size,
+	s_chunk_parameters,
+	s_chunk_size_almost_done,
+
+	s_headers_almost_done,
+	s_headers_done,
+
+	/*
+	 * Important: 's_headers_done' must be the last 'header' state. All
+	 * states beyond this must be 'body' states. It is used for overflow
+	 * checking. See the PARSING_HEADER() macro.
+	 */
+
+	s_chunk_data,
+	s_chunk_data_almost_done,
+	s_chunk_data_done,
+
+	s_body_identity,
+	s_body_identity_eof,
+
+	s_message_done
+} state_t;
+
+typedef enum {
+	s_http_host_dead = 1,
+	s_http_userinfo_start,
+	s_http_userinfo,
+	s_http_host_start,
+	s_http_host_v6_start,
+	s_http_host,
+	s_http_host_v6,
+	s_http_host_v6_end,
+	s_http_host_v6_zone_start,
+	s_http_host_v6_zone,
+	s_http_host_port_start,
+	s_http_host_port
+} host_state_t;
+
+/* Macros for character classes; depends on strict-mode  */
+#define IS_MARK(c)                                                             \
+	((c) == '-' || (c) == '_' || (c) == '.' || (c) == '!' || (c) == '~' || \
+	 (c) == '*' || (c) == '\'' || (c) == '(' || (c) == ')')
+#define IS_USERINFO_CHAR(c)                                                    \
+	(isalnum((unsigned char)c) || IS_MARK(c) || (c) == '%' ||              \
+	 (c) == ';' || (c) == ':' || (c) == '&' || (c) == '=' || (c) == '+' || \
+	 (c) == '$' || (c) == ',')
+
+#if HTTP_PARSER_STRICT
+#define IS_URL_CHAR(c)	(BIT_AT(normal_url_char, (unsigned char)c))
+#define IS_HOST_CHAR(c) (isalnum((unsigned char)c) || (c) == '.' || (c) == '-')
+#else
+#define IS_URL_CHAR(c) (BIT_AT(normal_url_char, (unsigned char)c) || ((c)&0x80))
+#define IS_HOST_CHAR(c) \
+	(isalnum((unsigned char)c) || (c) == '.' || (c) == '-' || (c) == '_')
+#endif
+
+/*
+ * Our URL parser.
+ *
+ * This is designed to be shared by http_parser_execute() for URL validation,
+ * hence it has a state transition + byte-for-byte interface. In addition, it
+ * is meant to be embedded in http_parser_parse_url(), which does the dirty
+ * work of turning state transitions URL components for its API.
+ *
+ * This function should only be invoked with non-space characters. It is
+ * assumed that the caller cares about (and can detect) the transition between
+ * URL and non-URL states by looking for these.
+ */
+static state_t
+parse_url_char(state_t s, const char ch) {
+	if (ch == ' ' || ch == '\r' || ch == '\n') {
+		return (s_dead);
+	}
+
+#if HTTP_PARSER_STRICT
+	if (ch == '\t' || ch == '\f') {
+		return (s_dead);
+	}
+#endif
+
+	switch (s) {
+	case s_req_spaces_before_url:
+		/* Proxied requests are followed by scheme of an absolute URI
+		 * (alpha). All methods except CONNECT are followed by '/' or
+		 * '*'.
+		 */
+
+		if (ch == '/' || ch == '*') {
+			return (s_req_path);
+		}
+
+		if (isalpha((unsigned char)ch)) {
+			return (s_req_schema);
+		}
+
+		break;
+
+	case s_req_schema:
+		if (isalpha((unsigned char)ch)) {
+			return (s);
+		}
+
+		if (ch == ':') {
+			return (s_req_schema_slash);
+		}
+
+		break;
+
+	case s_req_schema_slash:
+		if (ch == '/') {
+			return (s_req_schema_slash_slash);
+		}
+
+		break;
+
+	case s_req_schema_slash_slash:
+		if (ch == '/') {
+			return (s_req_server_start);
+		}
+
+		break;
+
+	case s_req_server_with_at:
+		if (ch == '@') {
+			return (s_dead);
+		}
+
+		FALLTHROUGH;
+	case s_req_server_start:
+	case s_req_server:
+		if (ch == '/') {
+			return (s_req_path);
+		}
+
+		if (ch == '?') {
+			return (s_req_query_string_start);
+		}
+
+		if (ch == '@') {
+			return (s_req_server_with_at);
+		}
+
+		if (IS_USERINFO_CHAR(ch) || ch == '[' || ch == ']') {
+			return (s_req_server);
+		}
+
+		break;
+
+	case s_req_path:
+		if (IS_URL_CHAR(ch)) {
+			return (s);
+		}
+
+		switch (ch) {
+		case '?':
+			return (s_req_query_string_start);
+
+		case '#':
+			return (s_req_fragment_start);
+		}
+
+		break;
+
+	case s_req_query_string_start:
+	case s_req_query_string:
+		if (IS_URL_CHAR(ch)) {
+			return (s_req_query_string);
+		}
+
+		switch (ch) {
+		case '?':
+			/* allow extra '?' in query string */
+			return (s_req_query_string);
+
+		case '#':
+			return (s_req_fragment_start);
+		}
+
+		break;
+
+	case s_req_fragment_start:
+		if (IS_URL_CHAR(ch)) {
+			return (s_req_fragment);
+		}
+
+		switch (ch) {
+		case '?':
+			return (s_req_fragment);
+
+		case '#':
+			return (s);
+		}
+
+		break;
+
+	case s_req_fragment:
+		if (IS_URL_CHAR(ch)) {
+			return (s);
+		}
+
+		switch (ch) {
+		case '?':
+		case '#':
+			return (s);
+		}
+
+		break;
+
+	default:
+		break;
+	}
+
+	/*
+	 * We should never fall out of the switch above unless there's an
+	 * error.
+	 */
+	return (s_dead);
+}
+
+static host_state_t
+http_parse_host_char(host_state_t s, const char ch) {
+	switch (s) {
+	case s_http_userinfo:
+	case s_http_userinfo_start:
+		if (ch == '@') {
+			return (s_http_host_start);
+		}
+
+		if (IS_USERINFO_CHAR(ch)) {
+			return (s_http_userinfo);
+		}
+		break;
+
+	case s_http_host_start:
+		if (ch == '[') {
+			return (s_http_host_v6_start);
+		}
+
+		if (IS_HOST_CHAR(ch)) {
+			return (s_http_host);
+		}
+
+		break;
+
+	case s_http_host:
+		if (IS_HOST_CHAR(ch)) {
+			return (s_http_host);
+		}
+
+		FALLTHROUGH;
+	case s_http_host_v6_end:
+		if (ch == ':') {
+			return (s_http_host_port_start);
+		}
+
+		break;
+
+	case s_http_host_v6:
+		if (ch == ']') {
+			return (s_http_host_v6_end);
+		}
+
+		FALLTHROUGH;
+	case s_http_host_v6_start:
+		if (isxdigit((unsigned char)ch) || ch == ':' || ch == '.') {
+			return (s_http_host_v6);
+		}
+
+		if (s == s_http_host_v6 && ch == '%') {
+			return (s_http_host_v6_zone_start);
+		}
+		break;
+
+	case s_http_host_v6_zone:
+		if (ch == ']') {
+			return (s_http_host_v6_end);
+		}
+
+		FALLTHROUGH;
+	case s_http_host_v6_zone_start:
+		/* RFC 6874 Zone ID consists of 1*( unreserved / pct-encoded) */
+		if (isalnum((unsigned char)ch) || ch == '%' || ch == '.' ||
+		    ch == '-' || ch == '_' || ch == '~')
+		{
+			return (s_http_host_v6_zone);
+		}
+		break;
+
+	case s_http_host_port:
+	case s_http_host_port_start:
+		if (isdigit((unsigned char)ch)) {
+			return (s_http_host_port);
+		}
+
+		break;
+
+	default:
+		break;
+	}
+
+	return (s_http_host_dead);
+}
+
+static isc_result_t
+http_parse_host(const char *buf, isc_url_parser_t *up, int found_at) {
+	host_state_t s;
+	const char *p = NULL;
+	size_t buflen = up->field_data[ISC_UF_HOST].off +
+			up->field_data[ISC_UF_HOST].len;
+
+	REQUIRE((up->field_set & (1 << ISC_UF_HOST)) != 0);
+
+	up->field_data[ISC_UF_HOST].len = 0;
+
+	s = found_at ? s_http_userinfo_start : s_http_host_start;
+
+	for (p = buf + up->field_data[ISC_UF_HOST].off; p < buf + buflen; p++) {
+		host_state_t new_s = http_parse_host_char(s, *p);
+
+		if (new_s == s_http_host_dead) {
+			return (ISC_R_FAILURE);
+		}
+
+		switch (new_s) {
+		case s_http_host:
+			if (s != s_http_host) {
+				up->field_data[ISC_UF_HOST].off =
+					(uint16_t)(p - buf);
+			}
+			up->field_data[ISC_UF_HOST].len++;
+			break;
+
+		case s_http_host_v6:
+			if (s != s_http_host_v6) {
+				up->field_data[ISC_UF_HOST].off =
+					(uint16_t)(p - buf);
+			}
+			up->field_data[ISC_UF_HOST].len++;
+			break;
+
+		case s_http_host_v6_zone_start:
+		case s_http_host_v6_zone:
+			up->field_data[ISC_UF_HOST].len++;
+			break;
+
+		case s_http_host_port:
+			if (s != s_http_host_port) {
+				up->field_data[ISC_UF_PORT].off =
+					(uint16_t)(p - buf);
+				up->field_data[ISC_UF_PORT].len = 0;
+				up->field_set |= (1 << ISC_UF_PORT);
+			}
+			up->field_data[ISC_UF_PORT].len++;
+			break;
+
+		case s_http_userinfo:
+			if (s != s_http_userinfo) {
+				up->field_data[ISC_UF_USERINFO].off =
+					(uint16_t)(p - buf);
+				up->field_data[ISC_UF_USERINFO].len = 0;
+				up->field_set |= (1 << ISC_UF_USERINFO);
+			}
+			up->field_data[ISC_UF_USERINFO].len++;
+			break;
+
+		default:
+			break;
+		}
+
+		s = new_s;
+	}
+
+	/* Make sure we don't end somewhere unexpected */
+	switch (s) {
+	case s_http_host_start:
+	case s_http_host_v6_start:
+	case s_http_host_v6:
+	case s_http_host_v6_zone_start:
+	case s_http_host_v6_zone:
+	case s_http_host_port_start:
+	case s_http_userinfo:
+	case s_http_userinfo_start:
+		return (ISC_R_FAILURE);
+	default:
+		break;
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_url_parse(const char *buf, size_t buflen, bool is_connect,
+	      isc_url_parser_t *up) {
+	state_t s;
+	isc_url_field_t uf, old_uf;
+	int found_at = 0;
+	const char *p = NULL;
+
+	if (buflen == 0) {
+		return (ISC_R_FAILURE);
+	}
+
+	up->port = up->field_set = 0;
+	s = is_connect ? s_req_server_start : s_req_spaces_before_url;
+	old_uf = ISC_UF_MAX;
+
+	for (p = buf; p < buf + buflen; p++) {
+		s = parse_url_char(s, *p);
+
+		/* Figure out the next field that we're operating on */
+		switch (s) {
+		case s_dead:
+			return (ISC_R_FAILURE);
+
+		/* Skip delimiters */
+		case s_req_schema_slash:
+		case s_req_schema_slash_slash:
+		case s_req_server_start:
+		case s_req_query_string_start:
+		case s_req_fragment_start:
+			continue;
+
+		case s_req_schema:
+			uf = ISC_UF_SCHEMA;
+			break;
+
+		case s_req_server_with_at:
+			found_at = 1;
+			FALLTHROUGH;
+		case s_req_server:
+			uf = ISC_UF_HOST;
+			break;
+
+		case s_req_path:
+			uf = ISC_UF_PATH;
+			break;
+
+		case s_req_query_string:
+			uf = ISC_UF_QUERY;
+			break;
+
+		case s_req_fragment:
+			uf = ISC_UF_FRAGMENT;
+			break;
+
+		default:
+			UNREACHABLE();
+		}
+
+		/* Nothing's changed; soldier on */
+		if (uf == old_uf) {
+			up->field_data[uf].len++;
+			continue;
+		}
+
+		up->field_data[uf].off = (uint16_t)(p - buf);
+		up->field_data[uf].len = 1;
+
+		up->field_set |= (1 << uf);
+		old_uf = uf;
+	}
+
+	/* host must be present if there is a schema */
+	/* parsing http:///toto will fail */
+	if ((up->field_set & (1 << ISC_UF_SCHEMA)) &&
+	    (up->field_set & (1 << ISC_UF_HOST)) == 0)
+	{
+		return (ISC_R_FAILURE);
+	}
+
+	if (up->field_set & (1 << ISC_UF_HOST)) {
+		isc_result_t result;
+
+		result = http_parse_host(buf, up, found_at);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+
+	/* CONNECT requests can only contain "hostname:port" */
+	if (is_connect &&
+	    up->field_set != ((1 << ISC_UF_HOST) | (1 << ISC_UF_PORT)))
+	{
+		return (ISC_R_FAILURE);
+	}
+
+	if (up->field_set & (1 << ISC_UF_PORT)) {
+		uint16_t off;
+		uint16_t len;
+		const char *pp = NULL;
+		const char *end = NULL;
+		unsigned long v;
+
+		off = up->field_data[ISC_UF_PORT].off;
+		len = up->field_data[ISC_UF_PORT].len;
+		end = buf + off + len;
+
+		/*
+		 * NOTE: The characters are already validated and are in the
+		 * [0-9] range
+		 */
+		INSIST(off + len <= buflen);
+
+		v = 0;
+		for (pp = buf + off; pp < end; pp++) {
+			v *= 10;
+			v += *pp - '0';
+
+			/* Ports have a max value of 2^16 */
+			if (v > 0xffff) {
+				return (ISC_R_RANGE);
+			}
+		}
+
+		up->port = (uint16_t)v;
+	}
+
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/isc/utf8.c b/lib/isc/utf8.c
new file mode 100644
index 0000000..a348c5d
--- /dev/null
+++ b/lib/isc/utf8.c
@@ -0,0 +1,89 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <string.h>
+
+#include <isc/utf8.h>
+#include <isc/util.h>
+
+/*
+ * UTF-8 is defined in "The Unicode Standard -- Version 4.0"
+ * Also see RFC 3629.
+ *
+ * Char. number range  |        UTF-8 octet sequence
+ *    (hexadecimal)    |              (binary)
+ *  --------------------+---------------------------------------------
+ * 0000 0000-0000 007F | 0xxxxxxx
+ * 0000 0080-0000 07FF | 110xxxxx 10xxxxxx
+ * 0000 0800-0000 FFFF | 1110xxxx 10xxxxxx 10xxxxxx
+ * 0001 0000-0010 FFFF | 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
+ */
+bool
+isc_utf8_valid(const unsigned char *buf, size_t len) {
+	REQUIRE(buf != NULL);
+
+	for (size_t i = 0; i < len; i++) {
+		if (buf[i] <= 0x7f) {
+			continue;
+		}
+		if ((i + 1) < len && (buf[i] & 0xe0) == 0xc0 &&
+		    (buf[i + 1] & 0xc0) == 0x80)
+		{
+			unsigned int w;
+			w = (buf[i] & 0x1f) << 6;
+			w |= (buf[++i] & 0x3f);
+			if (w < 0x80) {
+				return (false);
+			}
+			continue;
+		}
+		if ((i + 2) < len && (buf[i] & 0xf0) == 0xe0 &&
+		    (buf[i + 1] & 0xc0) == 0x80 && (buf[i + 2] & 0xc0) == 0x80)
+		{
+			unsigned int w;
+			w = (buf[i] & 0x0f) << 12;
+			w |= (buf[++i] & 0x3f) << 6;
+			w |= (buf[++i] & 0x3f);
+			if (w < 0x0800) {
+				return (false);
+			}
+			continue;
+		}
+		if ((i + 3) < len && (buf[i] & 0xf8) == 0xf0 &&
+		    (buf[i + 1] & 0xc0) == 0x80 &&
+		    (buf[i + 2] & 0xc0) == 0x80 && (buf[i + 3] & 0xc0) == 0x80)
+		{
+			unsigned int w;
+			w = (buf[i] & 0x07) << 18;
+			w |= (buf[++i] & 0x3f) << 12;
+			w |= (buf[++i] & 0x3f) << 6;
+			w |= (buf[++i] & 0x3f);
+			if (w < 0x10000 || w > 0x10FFFF) {
+				return (false);
+			}
+			continue;
+		}
+		return (false);
+	}
+	return (true);
+}
+
+bool
+isc_utf8_bom(const unsigned char *buf, size_t len) {
+	REQUIRE(buf != NULL);
+
+	if (len >= 3U && !memcmp(buf, "\xef\xbb\xbf", 3)) {
+		return (true);
+	}
+	return (false);
+}
diff --git a/lib/isc/version.c b/lib/isc/version.c
new file mode 100644
index 0000000..17aa210
--- /dev/null
+++ b/lib/isc/version.c
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <isc/version.h>
+
+const char isc_version[] = VERSION;
diff --git a/lib/isc/win32/.dir-locals.el b/lib/isc/win32/.dir-locals.el
new file mode 100644
index 0000000..b16a1be
--- /dev/null
+++ b/lib/isc/win32/.dir-locals.el
@@ -0,0 +1,35 @@
+;;; Directory Local Variables
+;;; For more information see (info "(emacs) Directory Variables")
+
+((c-mode .
+  ((eval .
+	 (set (make-local-variable 'directory-of-current-dir-locals-file)
+	      (file-name-directory (locate-dominating-file default-directory ".dir-locals.el"))
+	      )
+	 )
+   (eval .
+	 (set (make-local-variable 'include-directories)
+	      (list
+	       (expand-file-name
+		(concat directory-of-current-dir-locals-file "../../../"))
+	       (expand-file-name
+		(concat directory-of-current-dir-locals-file "include"))
+	       (expand-file-name
+		(concat directory-of-current-dir-locals-file "../include"))
+	       (expand-file-name
+		(concat directory-of-current-dir-locals-file "../"))
+	       (expand-file-name
+		(concat directory-of-current-dir-locals-file "./"))
+	       (expand-file-name
+		(concat directory-of-current-dir-locals-file "../../dns/include"))
+	       (expand-file-name "/usr/local/opt/openssl@1.1/include")
+	       (expand-file-name "/usr/local/opt/libxml2/include/libxml2")
+	       (expand-file-name "/usr/local/include")
+	       )
+	      )
+	 )
+
+   (eval setq flycheck-clang-include-path include-directories)
+   (eval setq flycheck-cpp-include-path include-directories)
+   )
+  ))
diff --git a/lib/isc/win32/DLLMain.c b/lib/isc/win32/DLLMain.c
new file mode 100644
index 0000000..abaaf40
--- /dev/null
+++ b/lib/isc/win32/DLLMain.c
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stdio.h>
+#include <windows.h>
+
+#include <isc/mem.h>
+#include <isc/util.h>
+
+#include "lib_p.h"
+
+/*
+ * Called when we enter the DLL
+ */
+__declspec(dllexport) BOOL WINAPI
+	DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
+	switch (fdwReason) {
+	/*
+	 * The DLL is loading due to process initialization or a call to
+	 * LoadLibrary.
+	 */
+	case DLL_PROCESS_ATTACH:
+		isc__initialize();
+		break;
+
+	/*
+	 * The DLL is unloading from a process due to process
+	 * termination or a call to FreeLibrary.
+	 */
+	case DLL_PROCESS_DETACH:
+		isc__shutdown();
+		break;
+
+	case DLL_THREAD_ATTACH:
+	case DLL_THREAD_DETACH:
+		break;
+
+	default:
+		break;
+	}
+	return (TRUE);
+}
diff --git a/lib/isc/win32/Makefile.in b/lib/isc/win32/Makefile.in
new file mode 100644
index 0000000..e8377ff
--- /dev/null
+++ b/lib/isc/win32/Makefile.in
@@ -0,0 +1,36 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+CINCLUDES =	-I${srcdir}/.. \
+		-I./include \
+		-I${srcdir}/include \
+		-I${srcdir}/../include
+CDEFINES =
+CWARNINGS =
+
+# Alphabetically
+OBJS =		condition.@O@ dir.@O@ errno.@O@ file.@O@ \
+		meminfo.@O@ fsaccess.@O@ \
+		once.@O@ stdtime.@O@ thread.@O@ time.@O@ pk11_api.@O@
+
+# Alphabetically
+SRCS =		condition.c dir.c errno.c file.c \
+		meminfo.c once.c fsaccess.c \
+		stdtime.c thread.c time.c pk11_api.c
+
+SUBDIRS =	include
+TARGETS =	${OBJS}
+
+@BIND9_MAKE_RULES@
diff --git a/lib/isc/win32/condition.c b/lib/isc/win32/condition.c
new file mode 100644
index 0000000..ca11bce
--- /dev/null
+++ b/lib/isc/win32/condition.c
@@ -0,0 +1,255 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/assertions.h>
+#include <isc/condition.h>
+#include <isc/error.h>
+#include <isc/strerr.h>
+#include <isc/thread.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#define LSIGNAL	   0
+#define LBROADCAST 1
+
+void
+isc_condition_init(isc_condition_t *cond) {
+	HANDLE h;
+
+	REQUIRE(cond != NULL);
+
+	cond->waiters = 0;
+	/*
+	 * This handle is shared across all threads
+	 */
+	h = CreateEvent(NULL, FALSE, FALSE, NULL);
+	if (h == NULL) {
+		char strbuf[ISC_STRERRORSIZE];
+		DWORD err = GetLastError();
+		strerror_r(err, strbuf, sizeof(strbuf));
+		isc_error_fatal(__FILE__, __LINE__, "CreateEvent failed: %s",
+				strbuf);
+	}
+	cond->events[LSIGNAL] = h;
+
+	/*
+	 * The threadlist will hold the actual events needed
+	 * for the wait condition
+	 */
+	ISC_LIST_INIT(cond->threadlist);
+}
+
+/*
+ * Add the thread to the threadlist along with the required events
+ */
+static isc_result_t
+register_thread(unsigned long thrd, isc_condition_t *gblcond,
+		isc_condition_thread_t **localcond) {
+	HANDLE hc;
+	isc_condition_thread_t *newthread;
+
+	REQUIRE(localcond != NULL && *localcond == NULL);
+
+	newthread = malloc(sizeof(isc_condition_thread_t));
+	if (newthread == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	/*
+	 * Create the thread-specific handle
+	 */
+	hc = CreateEvent(NULL, FALSE, FALSE, NULL);
+	if (hc == NULL) {
+		free(newthread);
+		return (ISC_R_UNEXPECTED);
+	}
+
+	/*
+	 * Add the thread ID and handles to list of threads for broadcast
+	 */
+	newthread->handle[LSIGNAL] = gblcond->events[LSIGNAL];
+	newthread->handle[LBROADCAST] = hc;
+	newthread->th = thrd;
+
+	/*
+	 * The thread is holding the manager lock so this is safe
+	 */
+	ISC_LINK_INIT(newthread, link);
+	ISC_LIST_APPEND(gblcond->threadlist, newthread, link);
+	*localcond = newthread;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+find_thread_condition(uintptr_t thrd, isc_condition_t *cond,
+		      isc_condition_thread_t **threadcondp) {
+	isc_condition_thread_t *threadcond;
+
+	REQUIRE(threadcondp != NULL && *threadcondp == NULL);
+
+	/*
+	 * Look for the thread ID.
+	 */
+	for (threadcond = ISC_LIST_HEAD(cond->threadlist); threadcond != NULL;
+	     threadcond = ISC_LIST_NEXT(threadcond, link))
+	{
+		if (threadcond->th == thrd) {
+			*threadcondp = threadcond;
+			return (ISC_R_SUCCESS);
+		}
+	}
+
+	/*
+	 * Not found, so add it.
+	 */
+	return (register_thread(thrd, cond, threadcondp));
+}
+
+isc_result_t
+isc_condition_signal(isc_condition_t *cond) {
+	/*
+	 * Unlike pthreads, the caller MUST hold the lock associated with
+	 * the condition variable when calling us.
+	 */
+	REQUIRE(cond != NULL);
+
+	if (!SetEvent(cond->events[LSIGNAL])) {
+		/* XXX */
+		return (ISC_R_UNEXPECTED);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_condition_broadcast(isc_condition_t *cond) {
+	isc_condition_thread_t *threadcond;
+	bool failed = false;
+
+	/*
+	 * Unlike pthreads, the caller MUST hold the lock associated with
+	 * the condition variable when calling us.
+	 */
+	REQUIRE(cond != NULL);
+
+	/*
+	 * Notify every thread registered for this
+	 */
+	for (threadcond = ISC_LIST_HEAD(cond->threadlist); threadcond != NULL;
+	     threadcond = ISC_LIST_NEXT(threadcond, link))
+	{
+		if (!SetEvent(threadcond->handle[LBROADCAST])) {
+			failed = true;
+		}
+	}
+
+	if (failed) {
+		return (ISC_R_UNEXPECTED);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_condition_destroy(isc_condition_t *cond) {
+	isc_condition_thread_t *next, *threadcond;
+
+	REQUIRE(cond != NULL);
+	REQUIRE(cond->waiters == 0);
+
+	(void)CloseHandle(cond->events[LSIGNAL]);
+
+	/*
+	 * Delete the threadlist
+	 */
+	threadcond = ISC_LIST_HEAD(cond->threadlist);
+
+	while (threadcond != NULL) {
+		next = ISC_LIST_NEXT(threadcond, link);
+		DEQUEUE(cond->threadlist, threadcond, link);
+		(void)CloseHandle(threadcond->handle[LBROADCAST]);
+		free(threadcond);
+		threadcond = next;
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * This is always called when the mutex (lock) is held, but because
+ * we are waiting we need to release it and reacquire it as soon as the wait
+ * is over. This allows other threads to make use of the object guarded
+ * by the mutex but it should never try to delete it as long as the
+ * number of waiters > 0. Always reacquire the mutex regardless of the
+ * result of the wait. Note that EnterCriticalSection will wait to acquire
+ * the mutex.
+ */
+static isc_result_t
+wait(isc_condition_t *cond, isc_mutex_t *mutex, DWORD milliseconds) {
+	DWORD result;
+	isc_result_t tresult;
+	isc_condition_thread_t *threadcond = NULL;
+
+	/*
+	 * Get the thread events needed for the wait
+	 */
+	tresult = find_thread_condition(isc_thread_self(), cond, &threadcond);
+	if (tresult != ISC_R_SUCCESS) {
+		return (tresult);
+	}
+
+	cond->waiters++;
+	LeaveCriticalSection(mutex);
+	result = WaitForMultipleObjects(2, threadcond->handle, FALSE,
+					milliseconds);
+	EnterCriticalSection(mutex);
+	cond->waiters--;
+	if (result == WAIT_FAILED) {
+		/* XXX */
+		return (ISC_R_UNEXPECTED);
+	}
+	if (result == WAIT_TIMEOUT) {
+		return (ISC_R_TIMEDOUT);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_condition_wait(isc_condition_t *cond, isc_mutex_t *mutex) {
+	return (wait(cond, mutex, INFINITE));
+}
+
+isc_result_t
+isc_condition_waituntil(isc_condition_t *cond, isc_mutex_t *mutex,
+			isc_time_t *t) {
+	DWORD milliseconds;
+	uint64_t microseconds;
+	isc_time_t now;
+
+	if (isc_time_now(&now) != ISC_R_SUCCESS) {
+		/* XXX */
+		return (ISC_R_UNEXPECTED);
+	}
+
+	microseconds = isc_time_microdiff(t, &now);
+	if (microseconds > 0xFFFFFFFFi64 * 1000) {
+		milliseconds = 0xFFFFFFFF;
+	} else {
+		milliseconds = (DWORD)(microseconds / 1000);
+	}
+
+	return (wait(cond, mutex, milliseconds));
+}
diff --git a/lib/isc/win32/dir.c b/lib/isc/win32/dir.c
new file mode 100644
index 0000000..9a512da
--- /dev/null
+++ b/lib/isc/win32/dir.c
@@ -0,0 +1,314 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <direct.h>
+#include <io.h>
+#include <process.h>
+#include <string.h>
+#include <sys/stat.h>
+
+#include <isc/assertions.h>
+#include <isc/dir.h>
+#include <isc/magic.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include "errno2result.h"
+
+#define ISC_DIR_MAGIC  ISC_MAGIC('D', 'I', 'R', '*')
+#define VALID_DIR(dir) ISC_MAGIC_VALID(dir, ISC_DIR_MAGIC)
+
+static isc_result_t
+start_directory(isc_dir_t *p);
+
+void
+isc_dir_init(isc_dir_t *dir) {
+	REQUIRE(dir != NULL);
+
+	dir->dirname[0] = '\0';
+
+	dir->entry.name[0] = '\0';
+	dir->entry.length = 0;
+	memset(&(dir->entry.find_data), 0, sizeof(dir->entry.find_data));
+
+	dir->entry_filled = false;
+	dir->search_handle = INVALID_HANDLE_VALUE;
+
+	dir->magic = ISC_DIR_MAGIC;
+}
+
+/*
+ * Allocate workspace and open directory stream. If either one fails,
+ * NULL will be returned.
+ */
+isc_result_t
+isc_dir_open(isc_dir_t *dir, const char *dirname) {
+	char *p;
+	isc_result_t result;
+
+	REQUIRE(dirname != NULL);
+	REQUIRE(VALID_DIR(dir) && dir->search_handle == INVALID_HANDLE_VALUE);
+
+	/*
+	 * Copy directory name.  Need to have enough space for the name,
+	 * a possible path separator, the wildcard, and the final NUL.
+	 */
+	if (strlen(dirname) + 3 > sizeof(dir->dirname)) {
+		/* XXXDCL ? */
+		return (ISC_R_NOSPACE);
+	}
+	strlcpy(dir->dirname, dirname, sizeof(dir->dirname));
+
+	/*
+	 * Append path separator, if needed, and "*".
+	 */
+	p = dir->dirname + strlen(dir->dirname);
+	if (dir->dirname < p && *(p - 1) != '\\' && *(p - 1) != ':') {
+		*p++ = '\\';
+	}
+	*p++ = '*';
+	*p = '\0';
+
+	/*
+	 * Open stream.
+	 */
+	result = start_directory(dir);
+
+	return (result);
+}
+
+/*
+ * Return previously retrieved file or get next one.  Unix's dirent has
+ * separate open and read functions, but the Win32 and DOS interfaces open
+ * the dir stream and reads the first file in one operation.
+ */
+isc_result_t
+isc_dir_read(isc_dir_t *dir) {
+	REQUIRE(VALID_DIR(dir) && dir->search_handle != INVALID_HANDLE_VALUE);
+
+	if (dir->entry_filled) {
+		/*
+		 * start_directory() already filled in the first entry.
+		 */
+		dir->entry_filled = false;
+	} else {
+		/*
+		 * Fetch next file in directory.
+		 */
+		if (FindNextFile(dir->search_handle, &dir->entry.find_data) ==
+		    FALSE)
+		{
+			/*
+			 * Either the last file has been processed or
+			 * an error has occurred.  The former is not
+			 * really an error, but the latter is.
+			 */
+			if (GetLastError() == ERROR_NO_MORE_FILES) {
+				return (ISC_R_NOMORE);
+			} else {
+				return (ISC_R_UNEXPECTED);
+			}
+		}
+	}
+
+	/*
+	 * Make sure that the space for the name is long enough.
+	 */
+	strlcpy(dir->entry.name, dir->entry.find_data.cFileName,
+		sizeof(dir->entry.name));
+	dir->entry.length = strlen(dir->entry.name);
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Close directory stream.
+ */
+void
+isc_dir_close(isc_dir_t *dir) {
+	REQUIRE(VALID_DIR(dir) && dir->search_handle != INVALID_HANDLE_VALUE);
+
+	FindClose(dir->search_handle);
+	dir->search_handle = INVALID_HANDLE_VALUE;
+}
+
+/*
+ * Reposition directory stream at start.
+ */
+isc_result_t
+isc_dir_reset(isc_dir_t *dir) {
+	isc_result_t result;
+
+	REQUIRE(VALID_DIR(dir) && dir->search_handle != INVALID_HANDLE_VALUE);
+	REQUIRE(dir->dirname != NULL);
+
+	/*
+	 * NT cannot reposition the seek pointer to the beginning of the
+	 * the directory stream, but rather the directory needs to be
+	 * closed and reopened.  The latter might fail.
+	 */
+
+	isc_dir_close(dir);
+
+	result = start_directory(dir);
+
+	return (result);
+}
+
+/*
+ * Initialize isc_dir_t structure with new directory. The function
+ * returns 0 on failure and nonzero on success.
+ *
+ * Note:
+ * - Be sure to close previous stream before opening new one
+ */
+static isc_result_t
+start_directory(isc_dir_t *dir) {
+	REQUIRE(VALID_DIR(dir));
+	REQUIRE(dir->search_handle == INVALID_HANDLE_VALUE);
+
+	dir->entry_filled = false;
+
+	/*
+	 * Open stream and retrieve first file.
+	 */
+	dir->search_handle = FindFirstFile(dir->dirname, &dir->entry.find_data);
+
+	if (dir->search_handle == INVALID_HANDLE_VALUE) {
+		/*
+		 * Something went wrong but we don't know what. GetLastError()
+		 * could give us more information about the error, but the
+		 * MSDN documentation is frustratingly thin about what
+		 * possible errors could have resulted.  (Score one for
+		 * the Unix manual pages.)  So there is just this lame error
+		 * instead of being able to differentiate ISC_R_NOTFOUND
+		 * from ISC_R_UNEXPECTED.
+		 */
+		return (ISC_R_FAILURE);
+	}
+
+	/*
+	 * Make sure that the space for the name is long enough.
+	 */
+	INSIST(sizeof(dir->entry.name) >
+	       strlen(dir->entry.find_data.cFileName));
+
+	/*
+	 * Fill in the data for the first entry of the directory.
+	 */
+	strlcpy(dir->entry.name, dir->entry.find_data.cFileName,
+		sizeof(dir->entry.name));
+	dir->entry.length = strlen(dir->entry.name);
+
+	dir->entry_filled = true;
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_dir_chdir(const char *dirname) {
+	/*
+	 * Change the current directory to 'dirname'.
+	 */
+
+	REQUIRE(dirname != NULL);
+
+	if (chdir(dirname) < 0) {
+		return (isc__errno2result(errno));
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_dir_chroot(const char *dirname) {
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+isc_result_t
+isc_dir_createunique(char *templet) {
+	isc_result_t result;
+	char *x;
+	char *p;
+	int i;
+	int pid;
+
+	REQUIRE(templet != NULL);
+
+	/*
+	 * mkdtemp is not portable, so this emulates it.
+	 */
+
+	pid = getpid();
+
+	/*
+	 * Replace trailing Xs with the process-id, zero-filled.
+	 */
+	for (x = templet + strlen(templet) - 1; *x == 'X' && x >= templet;
+	     x--, pid /= 10)
+	{
+		*x = pid % 10 + '0';
+	}
+
+	x++; /* Set x to start of ex-Xs. */
+
+	do {
+		i = mkdir(templet);
+		if (i == 0) {
+			i = chmod(templet, 0700);
+		}
+
+		if (i == 0 || errno != EEXIST) {
+			break;
+		}
+
+		/*
+		 * The BSD algorithm.
+		 */
+		p = x;
+		while (*p != '\0') {
+			if (isdigit((unsigned char)*p)) {
+				*p = 'a';
+			} else if (*p != 'z') {
+				++*p;
+			} else {
+				/*
+				 * Reset character and move to next.
+				 */
+				*p++ = 'a';
+				continue;
+			}
+
+			break;
+		}
+
+		if (*p == '\0') {
+			/*
+			 * Tried all combinations.  errno should already
+			 * be EEXIST, but ensure it is anyway for
+			 * isc__errno2result().
+			 */
+			errno = EEXIST;
+			break;
+		}
+	} while (1);
+
+	if (i == -1) {
+		result = isc__errno2result(errno);
+	} else {
+		result = ISC_R_SUCCESS;
+	}
+
+	return (result);
+}
diff --git a/lib/isc/win32/errno.c b/lib/isc/win32/errno.c
new file mode 100644
index 0000000..fd6899f
--- /dev/null
+++ b/lib/isc/win32/errno.c
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include "errno2result.h"
+
+isc_result_t
+isc_errno_toresult(int err) {
+	return (isc__errno2resultx(err, false, 0, 0));
+}
diff --git a/lib/isc/win32/errno2result.c b/lib/isc/win32/errno2result.c
new file mode 100644
index 0000000..593c27b
--- /dev/null
+++ b/lib/isc/win32/errno2result.c
@@ -0,0 +1,118 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include "errno2result.h"
+#include <stdbool.h>
+#include <winsock2.h>
+
+#include <isc/result.h>
+#include <isc/strerr.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+/*
+ * Convert a POSIX errno value into an isc_result_t.  The
+ * list of supported errno values is not complete; new users
+ * of this function should add any expected errors that are
+ * not already there.
+ */
+isc_result_t
+isc__errno2resultx(int posixerrno, bool dolog, const char *file, int line) {
+	char strbuf[ISC_STRERRORSIZE];
+
+	switch (posixerrno) {
+	case ENOTDIR:
+	case WSAELOOP:
+	case WSAEINVAL:
+	case EINVAL: /* XXX sometimes this is not for files */
+	case ENAMETOOLONG:
+	case WSAENAMETOOLONG:
+	case EBADF:
+	case WSAEBADF:
+		return (ISC_R_INVALIDFILE);
+	case ENOENT:
+		return (ISC_R_FILENOTFOUND);
+	case EACCES:
+	case WSAEACCES:
+	case EPERM:
+		return (ISC_R_NOPERM);
+	case EEXIST:
+		return (ISC_R_FILEEXISTS);
+	case EIO:
+		return (ISC_R_IOERROR);
+	case ENOMEM:
+		return (ISC_R_NOMEMORY);
+#ifdef EOVERFLOW
+	case EOVERFLOW:
+		return (ISC_R_RANGE);
+#endif /* ifdef EOVERFLOW */
+	case ENFILE:
+	case EMFILE:
+	case WSAEMFILE:
+		return (ISC_R_TOOMANYOPENFILES);
+	case ENOSPC:
+		return (ISC_R_DISCFULL);
+	case ERROR_CANCELLED:
+		return (ISC_R_CANCELED);
+	case ERROR_CONNECTION_REFUSED:
+	case WSAECONNREFUSED:
+		return (ISC_R_CONNREFUSED);
+	case WSAENOTCONN:
+	case ERROR_CONNECTION_INVALID:
+		return (ISC_R_NOTCONNECTED);
+	case ERROR_HOST_UNREACHABLE:
+	case WSAEHOSTUNREACH:
+		return (ISC_R_HOSTUNREACH);
+	case ERROR_NETWORK_UNREACHABLE:
+	case WSAENETUNREACH:
+		return (ISC_R_NETUNREACH);
+	case ERROR_NO_NETWORK:
+		return (ISC_R_NETUNREACH);
+	case ERROR_PORT_UNREACHABLE:
+		return (ISC_R_HOSTUNREACH);
+	case ERROR_SEM_TIMEOUT:
+		return (ISC_R_TIMEDOUT);
+	case WSAECONNRESET:
+	case WSAENETRESET:
+	case WSAECONNABORTED:
+	case WSAEDISCON:
+	case ERROR_OPERATION_ABORTED:
+	case ERROR_CONNECTION_ABORTED:
+	case ERROR_REQUEST_ABORTED:
+		return (ISC_R_CONNECTIONRESET);
+	case WSAEADDRNOTAVAIL:
+		return (ISC_R_ADDRNOTAVAIL);
+	case ERROR_NETNAME_DELETED:
+	case WSAENETDOWN:
+		return (ISC_R_NETUNREACH);
+	case WSAEHOSTDOWN:
+		return (ISC_R_HOSTUNREACH);
+	case WSAENOBUFS:
+		return (ISC_R_NORESOURCES);
+	default:
+		if (dolog) {
+			strerror_r(posixerrno, strbuf, sizeof(strbuf));
+			UNEXPECTED_ERROR(file, line,
+					 "unable to convert errno "
+					 "to isc_result: %d: %s",
+					 posixerrno, strbuf);
+		}
+		/*
+		 * XXXDCL would be nice if perhaps this function could
+		 * return the system's error string, so the caller
+		 * might have something more descriptive than "unexpected
+		 * error" to log with.
+		 */
+		return (ISC_R_UNEXPECTED);
+	}
+}
diff --git a/lib/isc/win32/errno2result.h b/lib/isc/win32/errno2result.h
new file mode 100644
index 0000000..ce2d72e
--- /dev/null
+++ b/lib/isc/win32/errno2result.h
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef UNIX_ERRNO2RESULT_H
+#define UNIX_ERRNO2RESULT_H 1
+
+/* XXXDCL this should be moved to lib/isc/include/isc/errno2result.h. */
+
+#include <errno.h> /* Provides errno. */
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+#define isc__errno2result(posixerrno) \
+	isc__errno2resultx(posixerrno, true, __FILE__, __LINE__)
+
+isc_result_t
+isc__errno2resultx(int posixerrno, bool dolog, const char *file, int line);
+
+ISC_LANG_ENDDECLS
+
+#endif /* UNIX_ERRNO2RESULT_H */
diff --git a/lib/isc/win32/file.c b/lib/isc/win32/file.c
new file mode 100644
index 0000000..32f6a19
--- /dev/null
+++ b/lib/isc/win32/file.c
@@ -0,0 +1,1003 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#undef rename
+#include <errno.h>
+#include <fcntl.h>
+#include <inttypes.h>
+#include <io.h>
+#include <limits.h>
+#include <process.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <sys/stat.h>
+#include <sys/utime.h>
+
+#include <isc/file.h>
+#include <isc/md.h>
+#include <isc/mem.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/random.h>
+#include <isc/result.h>
+#include <isc/stat.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#include "errno2result.h"
+
+static const char alphnum[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuv"
+			      "wxyz0123456789";
+
+/*
+ * Emulate UNIX mkstemp, which returns an open FD to the new file
+ *
+ */
+static int
+gettemp(char *path, bool binary, int *doopen) {
+	char *start, *trv;
+	struct stat sbuf;
+	int flags = O_CREAT | O_EXCL | O_RDWR;
+
+	if (binary) {
+		flags |= _O_BINARY;
+	}
+
+	trv = strrchr(path, 'X');
+	trv++;
+	/* extra X's get set to 0's */
+	while (*--trv == 'X') {
+		uint32_t which = isc_random_uniform(sizeof(alphnum) - 1);
+		*trv = alphnum[which];
+	}
+	/*
+	 * check the target directory; if you have six X's and it
+	 * doesn't exist this runs for a *very* long time.
+	 */
+	for (start = trv + 1;; --trv) {
+		if (trv <= path) {
+			break;
+		}
+		if (*trv == '\\') {
+			*trv = '\0';
+			if (stat(path, &sbuf)) {
+				return (0);
+			}
+			if (!S_ISDIR(sbuf.st_mode)) {
+				errno = ENOTDIR;
+				return (0);
+			}
+			*trv = '\\';
+			break;
+		}
+	}
+
+	for (;;) {
+		if (doopen) {
+			if ((*doopen = open(path, flags,
+					    _S_IREAD | _S_IWRITE)) >= 0)
+			{
+				return (1);
+			}
+			if (errno != EEXIST) {
+				return (0);
+			}
+		} else if (stat(path, &sbuf)) {
+			return (errno == ENOENT ? 1 : 0);
+		}
+
+		/* tricky little algorithm for backward compatibility */
+		for (trv = start;;) {
+			if (!*trv) {
+				return (0);
+			}
+			if (*trv == 'z') {
+				*trv++ = 'a';
+			} else {
+				if (isdigit((unsigned char)*trv)) {
+					*trv = 'a';
+				} else {
+					++*trv;
+				}
+				break;
+			}
+		}
+	}
+	/*NOTREACHED*/
+}
+
+static int
+mkstemp(char *path, bool binary) {
+	int fd;
+
+	return (gettemp(path, binary, &fd) ? fd : -1);
+}
+
+/*
+ * XXXDCL As the API for accessing file statistics undoubtedly gets expanded,
+ * it might be good to provide a mechanism that allows for the results
+ * of a previous stat() to be used again without having to do another stat,
+ * such as perl's mechanism of using "_" in place of a file name to indicate
+ * that the results of the last stat should be used.  But then you get into
+ * annoying MP issues.   BTW, Win32 has stat().
+ */
+static isc_result_t
+file_stats(const char *file, struct stat *stats) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(file != NULL);
+	REQUIRE(stats != NULL);
+
+	if (stat(file, stats) != 0) {
+		result = isc__errno2result(errno);
+	}
+
+	return (result);
+}
+
+static isc_result_t
+fd_stats(int fd, struct stat *stats) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(stats != NULL);
+
+	if (fstat(fd, stats) != 0) {
+		result = isc__errno2result(errno);
+	}
+
+	return (result);
+}
+
+isc_result_t
+isc_file_getsizefd(int fd, off_t *size) {
+	isc_result_t result;
+	struct stat stats;
+
+	REQUIRE(size != NULL);
+
+	result = fd_stats(fd, &stats);
+
+	if (result == ISC_R_SUCCESS) {
+		*size = stats.st_size;
+	}
+	return (result);
+}
+
+isc_result_t
+isc_file_mode(const char *file, mode_t *modep) {
+	isc_result_t result;
+	struct stat stats;
+
+	REQUIRE(modep != NULL);
+
+	result = file_stats(file, &stats);
+	if (result == ISC_R_SUCCESS) {
+		*modep = (stats.st_mode & 07777);
+	}
+	return (result);
+}
+
+/*
+ * isc_file_safemovefile is needed to be defined here to ensure that
+ * any file with the new name is renamed to a backup name and then the
+ * rename is done. If all goes well then the backup can be deleted,
+ * otherwise it gets renamed back.
+ */
+
+int
+isc_file_safemovefile(const char *oldname, const char *newname) {
+	BOOL filestatus;
+	char buf[512];
+	struct stat sbuf;
+	BOOL exists = FALSE;
+	int tmpfd;
+
+	/*
+	 * Make sure we have something to do
+	 */
+	if (stat(oldname, &sbuf) != 0) {
+		errno = ENOENT;
+		return (-1);
+	}
+
+	/*
+	 * Rename to a backup the new file if it still exists
+	 */
+	if (stat(newname, &sbuf) == 0) {
+		exists = TRUE;
+		strlcpy(buf, newname, sizeof(buf));
+		strlcat(buf, ".XXXXX", sizeof(buf));
+		tmpfd = mkstemp(buf, true);
+		if (tmpfd > 0) {
+			_close(tmpfd);
+		}
+		(void)DeleteFile(buf);
+		_chmod(newname, _S_IREAD | _S_IWRITE);
+
+		filestatus = MoveFile(newname, buf);
+	}
+	/* Now rename the file to the new name
+	 */
+	_chmod(oldname, _S_IREAD | _S_IWRITE);
+
+	filestatus = MoveFile(oldname, newname);
+	if (filestatus == 0) {
+		/*
+		 * Try to rename the backup back to the original name
+		 * if the backup got created
+		 */
+		if (exists == TRUE) {
+			filestatus = MoveFile(buf, newname);
+			if (filestatus == 0) {
+				errno = EACCES;
+			}
+		}
+		return (-1);
+	}
+
+	/*
+	 * Delete the backup file if it got created
+	 */
+	if (exists == TRUE) {
+		(void)DeleteFile(buf);
+	}
+	return (0);
+}
+
+isc_result_t
+isc_file_getmodtime(const char *file, isc_time_t *time) {
+	int fh;
+
+	REQUIRE(file != NULL);
+	REQUIRE(time != NULL);
+
+	if ((fh = open(file, _O_RDONLY | _O_BINARY)) < 0) {
+		return (isc__errno2result(errno));
+	}
+
+	if (!GetFileTime((HANDLE)_get_osfhandle(fh), NULL, NULL,
+			 &time->absolute))
+	{
+		close(fh);
+		errno = EINVAL;
+		return (isc__errno2result(errno));
+	}
+	close(fh);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_file_getsize(const char *file, off_t *size) {
+	isc_result_t result;
+	struct stat stats;
+
+	REQUIRE(file != NULL);
+	REQUIRE(size != NULL);
+
+	result = file_stats(file, &stats);
+
+	if (result == ISC_R_SUCCESS) {
+		*size = stats.st_size;
+	}
+
+	return (result);
+}
+
+isc_result_t
+isc_file_settime(const char *file, isc_time_t *time) {
+	int fh;
+
+	REQUIRE(file != NULL && time != NULL);
+
+	if ((fh = open(file, _O_RDWR | _O_BINARY)) < 0) {
+		return (isc__errno2result(errno));
+	}
+
+	/*
+	 * Set the date via the filedate system call and return.  Failing
+	 * this call implies the new file times are not supported by the
+	 * underlying file system.
+	 */
+	if (!SetFileTime((HANDLE)_get_osfhandle(fh), NULL, &time->absolute,
+			 &time->absolute))
+	{
+		close(fh);
+		errno = EINVAL;
+		return (isc__errno2result(errno));
+	}
+
+	close(fh);
+	return (ISC_R_SUCCESS);
+}
+
+#undef TEMPLATE
+#define TEMPLATE "XXXXXXXXXX.tmp" /* 14 characters. */
+
+isc_result_t
+isc_file_mktemplate(const char *path, char *buf, size_t buflen) {
+	return (isc_file_template(path, TEMPLATE, buf, buflen));
+}
+
+isc_result_t
+isc_file_template(const char *path, const char *templet, char *buf,
+		  size_t buflen) {
+	char *s;
+
+	REQUIRE(templet != NULL);
+	REQUIRE(buf != NULL);
+
+	if (path == NULL) {
+		path = "";
+	}
+
+	s = strrchr(templet, '\\');
+	if (s != NULL) {
+		templet = s + 1;
+	}
+
+	s = strrchr(path, '\\');
+
+	if (s != NULL) {
+		size_t prefixlen = s - path + 1;
+		if ((prefixlen + strlen(templet) + 1) > buflen) {
+			return (ISC_R_NOSPACE);
+		}
+
+		/* Copy 'prefixlen' bytes and NUL terminate. */
+		strlcpy(buf, path, ISC_MIN(prefixlen + 1, buflen));
+		strlcat(buf, templet, buflen);
+	} else {
+		if ((strlen(templet) + 1) > buflen) {
+			return (ISC_R_NOSPACE);
+		}
+
+		strlcpy(buf, templet, buflen);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_file_renameunique(const char *file, char *templet) {
+	int fd;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(file != NULL);
+	REQUIRE(templet != NULL);
+
+	fd = mkstemp(templet, true);
+	if (fd == -1) {
+		result = isc__errno2result(errno);
+	} else {
+		close(fd);
+	}
+
+	if (result == ISC_R_SUCCESS) {
+		int res;
+		res = isc_file_safemovefile(file, templet);
+		if (res != 0) {
+			result = isc__errno2result(errno);
+			(void)unlink(templet);
+		}
+	}
+	return (result);
+}
+
+static isc_result_t
+openuniquemode(char *templet, int mode, bool binary, FILE **fp) {
+	int fd;
+	FILE *f;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(templet != NULL);
+	REQUIRE(fp != NULL && *fp == NULL);
+
+	/*
+	 * Win32 does not have mkstemp. Using emulation above.
+	 */
+	fd = mkstemp(templet, binary);
+
+	if (fd == -1) {
+		result = isc__errno2result(errno);
+	}
+	if (result == ISC_R_SUCCESS) {
+#if 1
+		UNUSED(mode);
+#else  /* if 1 */
+		(void)fchmod(fd, mode);
+#endif /* if 1 */
+		f = fdopen(fd, binary ? "wb+" : "w+");
+		if (f == NULL) {
+			result = isc__errno2result(errno);
+			(void)remove(templet);
+			(void)close(fd);
+		} else {
+			*fp = f;
+		}
+	}
+
+	return (result);
+}
+
+isc_result_t
+isc_file_openuniqueprivate(char *templet, FILE **fp) {
+	int mode = _S_IREAD | _S_IWRITE;
+	return (openuniquemode(templet, mode, false, fp));
+}
+
+isc_result_t
+isc_file_openunique(char *templet, FILE **fp) {
+	int mode = _S_IREAD | _S_IWRITE;
+	return (openuniquemode(templet, mode, false, fp));
+}
+
+isc_result_t
+isc_file_openuniquemode(char *templet, int mode, FILE **fp) {
+	return (openuniquemode(templet, mode, false, fp));
+}
+
+isc_result_t
+isc_file_bopenuniqueprivate(char *templet, FILE **fp) {
+	int mode = _S_IREAD | _S_IWRITE;
+	return (openuniquemode(templet, mode, true, fp));
+}
+
+isc_result_t
+isc_file_bopenunique(char *templet, FILE **fp) {
+	int mode = _S_IREAD | _S_IWRITE;
+	return (openuniquemode(templet, mode, true, fp));
+}
+
+isc_result_t
+isc_file_bopenuniquemode(char *templet, int mode, FILE **fp) {
+	return (openuniquemode(templet, mode, true, fp));
+}
+
+isc_result_t
+isc_file_remove(const char *filename) {
+	int r;
+
+	REQUIRE(filename != NULL);
+
+	r = unlink(filename);
+	if (r == 0) {
+		return (ISC_R_SUCCESS);
+	} else {
+		return (isc__errno2result(errno));
+	}
+}
+
+isc_result_t
+isc_file_rename(const char *oldname, const char *newname) {
+	int r;
+
+	REQUIRE(oldname != NULL);
+	REQUIRE(newname != NULL);
+
+	r = isc_file_safemovefile(oldname, newname);
+	if (r == 0) {
+		return (ISC_R_SUCCESS);
+	} else {
+		return (isc__errno2result(errno));
+	}
+}
+
+bool
+isc_file_exists(const char *pathname) {
+	struct stat stats;
+
+	REQUIRE(pathname != NULL);
+
+	return (file_stats(pathname, &stats) == ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_file_isplainfile(const char *filename) {
+	/*
+	 * This function returns success if filename is a plain file.
+	 */
+	struct stat filestat;
+	memset(&filestat, 0, sizeof(struct stat));
+
+	if ((stat(filename, &filestat)) == -1) {
+		return (isc__errno2result(errno));
+	}
+
+	if (!S_ISREG(filestat.st_mode)) {
+		return (ISC_R_INVALIDFILE);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_file_isplainfilefd(int fd) {
+	/*
+	 * This function returns success if filename is a plain file.
+	 */
+	struct stat filestat;
+	memset(&filestat, 0, sizeof(struct stat));
+
+	if ((fstat(fd, &filestat)) == -1) {
+		return (isc__errno2result(errno));
+	}
+
+	if (!S_ISREG(filestat.st_mode)) {
+		return (ISC_R_INVALIDFILE);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_file_isdirectory(const char *filename) {
+	/*
+	 * This function returns success if filename is a directory.
+	 */
+	struct stat filestat;
+	memset(&filestat, 0, sizeof(struct stat));
+
+	if ((stat(filename, &filestat)) == -1) {
+		return (isc__errno2result(errno));
+	}
+
+	if (!S_ISDIR(filestat.st_mode)) {
+		return (ISC_R_INVALIDFILE);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+bool
+isc_file_isabsolute(const char *filename) {
+	REQUIRE(filename != NULL);
+	/*
+	 * Look for c:\path\... style, c:/path/... or \\computer\shar\path...
+	 * the UNC style file specs
+	 */
+	if ((filename[0] == '\\') && (filename[1] == '\\')) {
+		return (true);
+	}
+	if (isalpha(filename[0]) && filename[1] == ':' && filename[2] == '\\') {
+		return (true);
+	}
+	if (isalpha(filename[0]) && filename[1] == ':' && filename[2] == '/') {
+		return (true);
+	}
+	return (false);
+}
+
+bool
+isc_file_iscurrentdir(const char *filename) {
+	REQUIRE(filename != NULL);
+	return (filename[0] == '.' && filename[1] == '\0');
+}
+
+bool
+isc_file_ischdiridempotent(const char *filename) {
+	REQUIRE(filename != NULL);
+
+	if (isc_file_isabsolute(filename)) {
+		return (true);
+	}
+	if (filename[0] == '\\') {
+		return (true);
+	}
+	if (filename[0] == '/') {
+		return (true);
+	}
+	if (isc_file_iscurrentdir(filename)) {
+		return (true);
+	}
+	return (false);
+}
+
+const char *
+isc_file_basename(const char *filename) {
+	char *s;
+
+	REQUIRE(filename != NULL);
+
+	s = strrchr(filename, '\\');
+	if (s == NULL) {
+		return (filename);
+	}
+	return (s + 1);
+}
+
+isc_result_t
+isc_file_progname(const char *filename, char *progname, size_t namelen) {
+	const char *s;
+	const char *p;
+	size_t len;
+
+	REQUIRE(filename != NULL);
+	REQUIRE(progname != NULL);
+
+	/*
+	 * Strip the path from the name
+	 */
+	s = isc_file_basename(filename);
+	if (s == NULL) {
+		return (ISC_R_NOSPACE);
+	}
+
+	/*
+	 * Strip any and all suffixes
+	 */
+	p = strchr(s, '.');
+	if (p == NULL) {
+		if (namelen <= strlen(s)) {
+			return (ISC_R_NOSPACE);
+		}
+
+		strlcpy(progname, s, namelen);
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * Copy the result to the buffer
+	 */
+	len = p - s;
+	if (len >= namelen) {
+		return (ISC_R_NOSPACE);
+	}
+
+	/* Copy up to 'len' bytes and NUL terminate. */
+	strlcpy(progname, s, ISC_MIN(len + 1, namelen));
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_file_absolutepath(const char *filename, char *path, size_t pathlen) {
+	char *ptrname;
+	DWORD retval;
+
+	REQUIRE(filename != NULL);
+	REQUIRE(path != NULL);
+
+	retval = GetFullPathName(filename, (DWORD)pathlen, path, &ptrname);
+
+	/* Something went wrong in getting the path */
+	if (retval == 0) {
+		return (ISC_R_NOTFOUND);
+	}
+	/* Caller needs to provide a larger buffer to contain the string */
+	if (retval >= pathlen) {
+		return (ISC_R_NOSPACE);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_file_truncate(const char *filename, isc_offset_t size) {
+	int fh;
+
+	REQUIRE(filename != NULL && size >= 0);
+
+	if ((fh = open(filename, _O_RDWR | _O_BINARY)) < 0) {
+		return (isc__errno2result(errno));
+	}
+
+	if (_chsize(fh, size) != 0) {
+		close(fh);
+		return (isc__errno2result(errno));
+	}
+	close(fh);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_file_safecreate(const char *filename, FILE **fp) {
+	isc_result_t result;
+	int flags;
+	struct stat sb;
+	FILE *f;
+	int fd;
+
+	REQUIRE(filename != NULL);
+	REQUIRE(fp != NULL && *fp == NULL);
+
+	result = file_stats(filename, &sb);
+	if (result == ISC_R_SUCCESS) {
+		if ((sb.st_mode & S_IFREG) == 0) {
+			return (ISC_R_INVALIDFILE);
+		}
+		flags = O_WRONLY | O_TRUNC;
+	} else if (result == ISC_R_FILENOTFOUND) {
+		flags = O_WRONLY | O_CREAT | O_EXCL;
+	} else {
+		return (result);
+	}
+
+	fd = open(filename, flags, S_IRUSR | S_IWUSR);
+	if (fd == -1) {
+		return (isc__errno2result(errno));
+	}
+
+	f = fdopen(fd, "w");
+	if (f == NULL) {
+		result = isc__errno2result(errno);
+		close(fd);
+		return (result);
+	}
+
+	*fp = f;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_file_splitpath(isc_mem_t *mctx, const char *path, char **dirname,
+		   char const **basename) {
+	char *dir;
+	const char *file, *slash;
+	char *backslash;
+
+	slash = strrchr(path, '/');
+
+	backslash = strrchr(path, '\\');
+	if ((slash != NULL && backslash != NULL && backslash > slash) ||
+	    (slash == NULL && backslash != NULL))
+	{
+		slash = backslash;
+	}
+
+	if (slash == path) {
+		file = ++slash;
+		dir = isc_mem_strdup(mctx, "/");
+	} else if (slash != NULL) {
+		file = ++slash;
+		dir = isc_mem_allocate(mctx, slash - path);
+		strlcpy(dir, path, slash - path);
+	} else {
+		file = path;
+		dir = isc_mem_strdup(mctx, ".");
+	}
+
+	if (dir == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	if (*file == '\0') {
+		isc_mem_free(mctx, dir);
+		return (ISC_R_INVALIDFILE);
+	}
+
+	*dirname = dir;
+	*basename = file;
+
+	return (ISC_R_SUCCESS);
+}
+
+void *
+isc_file_mmap(void *addr, size_t len, int prot, int flags, int fd,
+	      off_t offset) {
+	void *buf;
+	ssize_t ret;
+	off_t end;
+
+	UNUSED(addr);
+	UNUSED(prot);
+	UNUSED(flags);
+
+	end = lseek(fd, 0, SEEK_END);
+	lseek(fd, offset, SEEK_SET);
+	if (end - offset < (off_t)len) {
+		len = end - offset;
+	}
+
+	buf = malloc(len);
+	if (buf == NULL) {
+		return (NULL);
+	}
+
+	ret = read(fd, buf, (unsigned int)len);
+	if (ret != (ssize_t)len) {
+		free(buf);
+		buf = NULL;
+	}
+
+	return (buf);
+}
+
+int
+isc_file_munmap(void *addr, size_t len) {
+	UNUSED(len);
+	free(addr);
+	return (0);
+}
+
+#define DISALLOW "\\/:ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+
+static isc_result_t
+digest2hex(unsigned char *digest, unsigned int digestlen, char *hash,
+	   size_t hashlen) {
+	unsigned int i;
+	int ret;
+	for (i = 0; i < digestlen; i++) {
+		size_t left = hashlen - i * 2;
+		ret = snprintf(hash + i * 2, left, "%02x", digest[i]);
+		if (ret < 0 || (size_t)ret >= left) {
+			return (ISC_R_NOSPACE);
+		}
+	}
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_file_sanitize(const char *dir, const char *base, const char *ext,
+		  char *path, size_t length) {
+	char buf[PATH_MAX];
+	unsigned char digest[ISC_MAX_MD_SIZE];
+	unsigned int digestlen;
+	char hash[ISC_MAX_MD_SIZE * 2 + 1];
+	size_t l = 0;
+	isc_result_t err;
+
+	REQUIRE(base != NULL);
+	REQUIRE(path != NULL);
+
+	l = strlen(base) + 1;
+
+	/*
+	 * allow room for a full sha256 hash (64 chars
+	 * plus null terminator)
+	 */
+	if (l < 65) {
+		l = 65;
+	}
+
+	if (dir != NULL) {
+		l += strlen(dir) + 1;
+	}
+	if (ext != NULL) {
+		l += strlen(ext) + 1;
+	}
+
+	if (l > length || l > PATH_MAX) {
+		return (ISC_R_NOSPACE);
+	}
+
+	/* Check whether the full-length SHA256 hash filename exists */
+	err = isc_md(ISC_MD_SHA256, (const unsigned char *)base, strlen(base),
+		     digest, &digestlen);
+	if (err != ISC_R_SUCCESS) {
+		return (err);
+	}
+
+	err = digest2hex(digest, digestlen, hash, sizeof(hash));
+	if (err != ISC_R_SUCCESS) {
+		return (err);
+	}
+
+	snprintf(buf, sizeof(buf), "%s%s%s%s%s", dir != NULL ? dir : "",
+		 dir != NULL ? "/" : "", hash, ext != NULL ? "." : "",
+		 ext != NULL ? ext : "");
+	if (isc_file_exists(buf)) {
+		strlcpy(path, buf, length);
+		return (ISC_R_SUCCESS);
+	}
+
+	/* Check for a truncated SHA256 hash filename */
+	hash[16] = '\0';
+	snprintf(buf, sizeof(buf), "%s%s%s%s%s", dir != NULL ? dir : "",
+		 dir != NULL ? "/" : "", hash, ext != NULL ? "." : "",
+		 ext != NULL ? ext : "");
+	if (isc_file_exists(buf)) {
+		strlcpy(path, buf, length);
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * If neither hash filename already exists, then we'll use
+	 * the original base name if it has no disallowed characters,
+	 * or the truncated hash name if it does.
+	 */
+	if (strpbrk(base, DISALLOW) != NULL) {
+		strlcpy(path, buf, length);
+		return (ISC_R_SUCCESS);
+	}
+
+	snprintf(buf, sizeof(buf), "%s%s%s%s%s", dir != NULL ? dir : "",
+		 dir != NULL ? "/" : "", base, ext != NULL ? "." : "",
+		 ext != NULL ? ext : "");
+	strlcpy(path, buf, length);
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Based on http://blog.aaronballman.com/2011/08/how-to-check-access-rights/
+ */
+bool
+isc_file_isdirwritable(const char *path) {
+	DWORD length = 0;
+	HANDLE hToken = NULL;
+	PSECURITY_DESCRIPTOR security = NULL;
+	bool answer = false;
+
+	if (isc_file_isdirectory(path) != ISC_R_SUCCESS) {
+		return (answer);
+	}
+
+	/*
+	 * Figure out buffer size. GetFileSecurity() should not succeed.
+	 */
+	if (GetFileSecurity(path,
+			    OWNER_SECURITY_INFORMATION |
+				    GROUP_SECURITY_INFORMATION |
+				    DACL_SECURITY_INFORMATION,
+			    NULL, 0, &length))
+	{
+		return (answer);
+	}
+
+	if (GetLastError() != ERROR_INSUFFICIENT_BUFFER) {
+		return (answer);
+	}
+
+	security = malloc(length);
+	if (security == NULL) {
+		return (answer);
+	}
+
+	/*
+	 * GetFileSecurity() should succeed.
+	 */
+	if (!GetFileSecurity(path,
+			     OWNER_SECURITY_INFORMATION |
+				     GROUP_SECURITY_INFORMATION |
+				     DACL_SECURITY_INFORMATION,
+			     security, length, &length))
+	{
+		return (answer);
+	}
+
+	if (OpenProcessToken(GetCurrentProcess(),
+			     TOKEN_IMPERSONATE | TOKEN_QUERY | TOKEN_DUPLICATE |
+				     STANDARD_RIGHTS_READ,
+			     &hToken))
+	{
+		HANDLE hImpersonatedToken = NULL;
+
+		if (DuplicateToken(hToken, SecurityImpersonation,
+				   &hImpersonatedToken))
+		{
+			GENERIC_MAPPING mapping;
+			PRIVILEGE_SET privileges = { 0 };
+			DWORD grantedAccess = 0;
+			DWORD privilegesLength = sizeof(privileges);
+			BOOL result = FALSE;
+			DWORD genericAccessRights = GENERIC_WRITE;
+
+			mapping.GenericRead = FILE_GENERIC_READ;
+			mapping.GenericWrite = FILE_GENERIC_WRITE;
+			mapping.GenericExecute = FILE_GENERIC_EXECUTE;
+			mapping.GenericAll = FILE_ALL_ACCESS;
+
+			MapGenericMask(&genericAccessRights, &mapping);
+			if (AccessCheck(security, hImpersonatedToken,
+					genericAccessRights, &mapping,
+					&privileges, &privilegesLength,
+					&grantedAccess, &result))
+			{
+				answer = result;
+			}
+			CloseHandle(hImpersonatedToken);
+		}
+		CloseHandle(hToken);
+	}
+	free(security);
+	return (answer);
+}
diff --git a/lib/isc/win32/fsaccess.c b/lib/isc/win32/fsaccess.c
new file mode 100644
index 0000000..909f9e5
--- /dev/null
+++ b/lib/isc/win32/fsaccess.c
@@ -0,0 +1,404 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Note that Win32 does not have the concept of files having access
+ * and ownership bits.  The FAT File system only has a readonly flag
+ * for everyone and that's all. NTFS uses ACL's which is a totally
+ * different concept of controlling access.
+ *
+ * This code needs to be revisited to set up proper access control for
+ * NTFS file systems.  Nothing can be done for FAT file systems.
+ */
+
+#include <aclapi.h>
+#include <errno.h>
+#include <io.h>
+#include <stdbool.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+
+#include <isc/file.h>
+#include <isc/stat.h>
+#include <isc/string.h>
+
+#include "errno2result.h"
+
+/*
+ * The OS-independent part of the API is in lib/isc.
+ */
+#include "../fsaccess.c"
+
+/* Store the user account name locally */
+static char username[255] = "\0";
+static DWORD namelen = 0;
+
+/*
+ * In order to set or retrieve access information, we need to obtain
+ * the File System type.  These could be UNC-type shares.
+ */
+
+BOOL
+is_ntfs(const char *file) {
+	char drive[255];
+	char FSType[20];
+	char tmpbuf[256];
+	char *machinename;
+	char *sharename;
+	char filename[1024];
+	char *last;
+
+	REQUIRE(filename != NULL);
+
+	if (isc_file_absolutepath(file, filename, sizeof(filename)) !=
+	    ISC_R_SUCCESS)
+	{
+		return (FALSE);
+	}
+
+	/*
+	 * Look for c:\path\... style, c:/path/... or \\computer\shar\path...
+	 * the UNC style file specs
+	 */
+	if (isalpha(filename[0]) && filename[1] == ':' &&
+	    (filename[2] == '\\' || filename[2] == '/'))
+	{
+		/* Copy 'c:\' or 'c:/' and NUL terminate. */
+		strlcpy(drive, filename, ISC_MIN(3 + 1, sizeof(drive)));
+	} else if ((filename[0] == '\\') && (filename[1] == '\\')) {
+		/* Find the machine and share name and rebuild the UNC */
+		strlcpy(tmpbuf, filename, sizeof(tmpbuf));
+		machinename = strtok_r(tmpbuf, "\\", &last);
+		sharename = strtok_r(NULL, "\\", &last);
+		strlcpy(drive, "\\\\", sizeof(drive));
+		strlcat(drive, machinename, sizeof(drive));
+		strlcat(drive, "\\", sizeof(drive));
+		strlcat(drive, sharename, sizeof(drive));
+		strlcat(drive, "\\", sizeof(drive));
+	} else { /* Not determinable */
+		return (FALSE);
+	}
+
+	GetVolumeInformation(drive, NULL, 0, NULL, 0, NULL, FSType,
+			     sizeof(FSType));
+	if (strcmp(FSType, "NTFS") == 0) {
+		return (TRUE);
+	} else {
+		return (FALSE);
+	}
+}
+
+/*
+ * If it's not NTFS, we assume that it is FAT and proceed
+ * with almost nothing to do. Only the write flag can be set or
+ * cleared.
+ */
+isc_result_t
+FAT_fsaccess_set(const char *path, isc_fsaccess_t access) {
+	int mode;
+	isc_fsaccess_t bits;
+
+	/*
+	 * Done with checking bad bits.  Set mode_t.
+	 */
+	mode = 0;
+
+#define SET_AND_CLEAR1(modebit)     \
+	if ((access & bits) != 0) { \
+		mode |= modebit;    \
+		access &= ~bits;    \
+	}
+#define SET_AND_CLEAR(user, group, other) \
+	SET_AND_CLEAR1(user);             \
+	bits <<= STEP;                    \
+	SET_AND_CLEAR1(group);            \
+	bits <<= STEP;                    \
+	SET_AND_CLEAR1(other);
+
+	bits = ISC_FSACCESS_READ | ISC_FSACCESS_LISTDIRECTORY;
+
+	SET_AND_CLEAR(S_IRUSR, S_IRGRP, S_IROTH);
+
+	bits = ISC_FSACCESS_WRITE | ISC_FSACCESS_CREATECHILD |
+	       ISC_FSACCESS_DELETECHILD;
+
+	SET_AND_CLEAR(S_IWUSR, S_IWGRP, S_IWOTH);
+
+	INSIST(access == 0);
+
+	if (_chmod(path, mode) < 0) {
+		return (isc__errno2result(errno));
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+NTFS_Access_Control(const char *filename, const char *user, int access,
+		    bool isdir) {
+	SECURITY_DESCRIPTOR sd;
+	BYTE aclBuffer[1024];
+	PACL pacl = (PACL)&aclBuffer;
+	BYTE sidBuffer[100];
+	PSID psid = (PSID)&sidBuffer;
+	DWORD sidBufferSize = sizeof(sidBuffer);
+	BYTE adminSidBuffer[100];
+	PSID padminsid = (PSID)&adminSidBuffer;
+	DWORD adminSidBufferSize = sizeof(adminSidBuffer);
+	BYTE otherSidBuffer[100];
+	PSID pothersid = (PSID)&otherSidBuffer;
+	DWORD otherSidBufferSize = sizeof(otherSidBuffer);
+	char domainBuffer[100];
+	DWORD domainBufferSize = sizeof(domainBuffer);
+	SID_NAME_USE snu;
+	DWORD NTFSbits;
+	int caccess;
+
+	/* Initialize an ACL */
+	if (!InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION)) {
+		return (ISC_R_NOPERM);
+	}
+	if (!InitializeAcl(pacl, sizeof(aclBuffer), ACL_REVISION)) {
+		return (ISC_R_NOPERM);
+	}
+	if (!LookupAccountName(0, user, psid, &sidBufferSize, domainBuffer,
+			       &domainBufferSize, &snu))
+	{
+		return (ISC_R_NOPERM);
+	}
+	domainBufferSize = sizeof(domainBuffer);
+	if (!LookupAccountName(0, "Administrators", padminsid,
+			       &adminSidBufferSize, domainBuffer,
+			       &domainBufferSize, &snu))
+	{
+		(void)GetLastError();
+		return (ISC_R_NOPERM);
+	}
+	domainBufferSize = sizeof(domainBuffer);
+	if (!LookupAccountName(0, "Everyone", pothersid, &otherSidBufferSize,
+			       domainBuffer, &domainBufferSize, &snu))
+	{
+		(void)GetLastError();
+		return (ISC_R_NOPERM);
+	}
+
+	caccess = access;
+	/* Owner check */
+
+	NTFSbits = 0;
+	if ((caccess & ISC_FSACCESS_READ) != 0) {
+		NTFSbits |= FILE_GENERIC_READ;
+	}
+	if ((caccess & ISC_FSACCESS_WRITE) != 0) {
+		NTFSbits |= FILE_GENERIC_WRITE;
+	}
+	if ((caccess & ISC_FSACCESS_EXECUTE) != 0) {
+		NTFSbits |= FILE_GENERIC_EXECUTE;
+	}
+
+	/* For directories check the directory-specific bits */
+	if (isdir) {
+		if ((caccess & ISC_FSACCESS_CREATECHILD) != 0) {
+			NTFSbits |= FILE_ADD_SUBDIRECTORY | FILE_ADD_FILE;
+		}
+		if ((caccess & ISC_FSACCESS_DELETECHILD) != 0) {
+			NTFSbits |= FILE_DELETE_CHILD;
+		}
+		if ((caccess & ISC_FSACCESS_LISTDIRECTORY) != 0) {
+			NTFSbits |= FILE_LIST_DIRECTORY;
+		}
+		if ((caccess & ISC_FSACCESS_ACCESSCHILD) != 0) {
+			NTFSbits |= FILE_TRAVERSE;
+		}
+	}
+
+	if (NTFSbits ==
+	    (FILE_GENERIC_READ | FILE_GENERIC_WRITE | FILE_GENERIC_EXECUTE))
+	{
+		NTFSbits |= FILE_ALL_ACCESS;
+	}
+	/*
+	 * Owner and Administrator also get STANDARD_RIGHTS_ALL
+	 * to ensure that they have full control
+	 */
+
+	NTFSbits |= STANDARD_RIGHTS_ALL;
+
+	/* Add the ACE to the ACL */
+	if (!AddAccessAllowedAce(pacl, ACL_REVISION, NTFSbits, psid)) {
+		return (ISC_R_NOPERM);
+	}
+	if (!AddAccessAllowedAce(pacl, ACL_REVISION, NTFSbits, padminsid)) {
+		return (ISC_R_NOPERM);
+	}
+
+	/*
+	 * Group is ignored since we can be in multiple groups or no group
+	 * and its meaning is not clear on Win32
+	 */
+
+	caccess = caccess >> STEP;
+
+	/*
+	 * Other check.  We translate this to be the same as Everyone
+	 */
+
+	caccess = caccess >> STEP;
+
+	NTFSbits = 0;
+	if ((caccess & ISC_FSACCESS_READ) != 0) {
+		NTFSbits |= FILE_GENERIC_READ;
+	}
+	if ((caccess & ISC_FSACCESS_WRITE) != 0) {
+		NTFSbits |= FILE_GENERIC_WRITE;
+	}
+	if ((caccess & ISC_FSACCESS_EXECUTE) != 0) {
+		NTFSbits |= FILE_GENERIC_EXECUTE;
+	}
+
+	/* For directories check the directory-specific bits */
+	if (isdir == TRUE) {
+		if ((caccess & ISC_FSACCESS_CREATECHILD) != 0) {
+			NTFSbits |= FILE_ADD_SUBDIRECTORY | FILE_ADD_FILE;
+		}
+		if ((caccess & ISC_FSACCESS_DELETECHILD) != 0) {
+			NTFSbits |= FILE_DELETE_CHILD;
+		}
+		if ((caccess & ISC_FSACCESS_LISTDIRECTORY) != 0) {
+			NTFSbits |= FILE_LIST_DIRECTORY;
+		}
+		if ((caccess & ISC_FSACCESS_ACCESSCHILD) != 0) {
+			NTFSbits |= FILE_TRAVERSE;
+		}
+	}
+	/* Add the ACE to the ACL */
+	if (!AddAccessAllowedAce(pacl, ACL_REVISION, NTFSbits, pothersid)) {
+		return (ISC_R_NOPERM);
+	}
+
+	if (!SetSecurityDescriptorDacl(&sd, TRUE, pacl, FALSE)) {
+		return (ISC_R_NOPERM);
+	}
+	if (!SetFileSecurity(filename, DACL_SECURITY_INFORMATION, &sd)) {
+		return (ISC_R_NOPERM);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+NTFS_fsaccess_set(const char *path, isc_fsaccess_t access, bool isdir) {
+	/*
+	 * For NTFS we first need to get the name of the account under
+	 * which BIND is running
+	 */
+	if (namelen == 0) {
+		namelen = sizeof(username);
+		if (GetUserName(username, &namelen) == 0) {
+			return (ISC_R_FAILURE);
+		}
+	}
+	return (NTFS_Access_Control(path, username, access, isdir));
+}
+
+isc_result_t
+isc_fsaccess_set(const char *path, isc_fsaccess_t access) {
+	struct stat statb;
+	bool is_dir = false;
+	isc_result_t result;
+
+	if (stat(path, &statb) != 0) {
+		return (isc__errno2result(errno));
+	}
+
+	if ((statb.st_mode & S_IFDIR) != 0) {
+		is_dir = true;
+	} else if ((statb.st_mode & S_IFREG) == 0) {
+		return (ISC_R_INVALIDFILE);
+	}
+
+	result = check_bad_bits(access, is_dir);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	/*
+	 * Determine if this is a FAT or NTFS disk and
+	 * call the appropriate function to set the permissions
+	 */
+	if (is_ntfs(path)) {
+		return (NTFS_fsaccess_set(path, access, is_dir));
+	} else {
+		return (FAT_fsaccess_set(path, access));
+	}
+}
+
+isc_result_t
+isc_fsaccess_changeowner(const char *filename, const char *user) {
+	SECURITY_DESCRIPTOR psd;
+	BYTE sidBuffer[500];
+	BYTE groupBuffer[500];
+	PSID psid = (PSID)&sidBuffer;
+	DWORD sidBufferSize = sizeof(sidBuffer);
+	char domainBuffer[100];
+	DWORD domainBufferSize = sizeof(domainBuffer);
+	SID_NAME_USE snu;
+	PSID pSidGroup = (PSID)&groupBuffer;
+	DWORD groupBufferSize = sizeof(groupBuffer);
+
+	/*
+	 * Determine if this is a FAT or NTFS disk and
+	 * call the appropriate function to set the ownership
+	 * FAT disks do not have ownership attributes so it's
+	 * a noop.
+	 */
+	if (is_ntfs(filename) == FALSE) {
+		return (ISC_R_SUCCESS);
+	}
+
+	if (!InitializeSecurityDescriptor(&psd, SECURITY_DESCRIPTOR_REVISION)) {
+		return (ISC_R_NOPERM);
+	}
+
+	if (!LookupAccountName(0, user, psid, &sidBufferSize, domainBuffer,
+			       &domainBufferSize, &snu))
+	{
+		return (ISC_R_NOPERM);
+	}
+
+	/* Make sure administrators can get to it */
+	domainBufferSize = sizeof(domainBuffer);
+	if (!LookupAccountName(0, "Administrators", pSidGroup, &groupBufferSize,
+			       domainBuffer, &domainBufferSize, &snu))
+	{
+		return (ISC_R_NOPERM);
+	}
+
+	if (!SetSecurityDescriptorOwner(&psd, psid, FALSE)) {
+		return (ISC_R_NOPERM);
+	}
+
+	if (!SetSecurityDescriptorGroup(&psd, pSidGroup, FALSE)) {
+		return (ISC_R_NOPERM);
+	}
+
+	if (!SetFileSecurity(filename,
+			     OWNER_SECURITY_INFORMATION |
+				     GROUP_SECURITY_INFORMATION,
+			     &psd))
+	{
+		return (ISC_R_NOPERM);
+	}
+
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/isc/win32/include/.clang-format b/lib/isc/win32/include/.clang-format
new file mode 120000
index 0000000..e919bba
--- /dev/null
+++ b/lib/isc/win32/include/.clang-format
@@ -0,0 +1 @@
+../../../../.clang-format.headers
\ No newline at end of file
diff --git a/lib/isc/win32/include/Makefile.in b/lib/isc/win32/include/Makefile.in
new file mode 100644
index 0000000..60a0a67
--- /dev/null
+++ b/lib/isc/win32/include/Makefile.in
@@ -0,0 +1,19 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	isc
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/isc/win32/include/isc/Makefile.in b/lib/isc/win32/include/isc/Makefile.in
new file mode 100644
index 0000000..7718caa
--- /dev/null
+++ b/lib/isc/win32/include/isc/Makefile.in
@@ -0,0 +1,32 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+HEADERS =	align.h dir.h mutex.h net.h netdb.h once.h \
+		stat.h stdtime.h thread.h time.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}\isc
+
+install:: installdirs
+	for i in $(HEADERS); do \
+		$(INSTALL_DATA) $(srcdir)\$$i $(includedir)\isc || exit 1; \
+	done
diff --git a/lib/isc/win32/include/isc/align.h b/lib/isc/win32/include/isc/align.h
new file mode 100644
index 0000000..6e98665
--- /dev/null
+++ b/lib/isc/win32/include/isc/align.h
@@ -0,0 +1,15 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#pragma once
+#define alignas(x) __declspec(align(x))
diff --git a/lib/isc/win32/include/isc/bind_registry.h b/lib/isc/win32/include/isc/bind_registry.h
new file mode 100644
index 0000000..6c997d6
--- /dev/null
+++ b/lib/isc/win32/include/isc/bind_registry.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_BINDREGISTRY_H
+#define ISC_BINDREGISTRY_H
+
+/*
+ * BIND makes use of the following Registry keys in various places, especially
+ * during startup and installation
+ */
+
+#define BIND_SUBKEY	    "Software\\ISC\\BIND"
+#define BIND_SESSION	    "CurrentSession"
+#define BIND_SESSION_SUBKEY "Software\\ISC\\BIND\\CurrentSession"
+#define BIND_UNINSTALL_SUBKEY \
+	"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\ISC BIND"
+
+#define EVENTLOG_APP_SUBKEY \
+	"SYSTEM\\CurrentControlSet\\Services\\EventLog\\Application"
+#define BIND_MESSAGE_SUBKEY \
+	"SYSTEM\\CurrentControlSet\\Services\\EventLog\\Application\\named"
+#define BIND_MESSAGE_NAME "named"
+
+#define BIND_SERVICE_SUBKEY "SYSTEM\\CurrentControlSet\\Services\\named"
+
+#define BIND_CONFIGFILE 0
+#define BIND_DEBUGLEVEL 1
+#define BIND_QUERYLOG	2
+#define BIND_FOREGROUND 3
+#define BIND_PORT	4
+
+#endif /* ISC_BINDREGISTRY_H */
diff --git a/lib/isc/win32/include/isc/bindevt.h b/lib/isc/win32/include/isc/bindevt.h
new file mode 100644
index 0000000..406efe3
--- /dev/null
+++ b/lib/isc/win32/include/isc/bindevt.h
@@ -0,0 +1,83 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_BINDEVT_H
+#define ISC_BINDEVT_H 1
+
+/*
+ * This is used for the event log for both logging the messages and
+ * later on by the event viewer when looking at the events
+ */
+
+/*
+ * Values are 32 bit values laid out as follows:
+ *
+ *   3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1
+ *   1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
+ *  +---+-+-+-----------------------+-------------------------------+
+ *  |Sev|C|R|     Facility          |               Code            |
+ *  +---+-+-+-----------------------+-------------------------------+
+ *
+ *  where
+ *
+ *      Sev - is the severity code
+ *
+ *          00 - Success
+ *          01 - Informational
+ *          10 - Warning
+ *          11 - Error
+ *
+ *      C - is the Customer code flag
+ *
+ *      R - is a reserved bit
+ *
+ *      Facility - is the facility code
+ *
+ *      Code - is the facility's status code
+ *
+ *
+ * Define the facility codes
+ */
+
+/*
+ * Define the severity codes
+ */
+
+/*
+ * MessageId: BIND_ERR_MSG
+ *
+ * MessageText:
+ *
+ *  %1
+ */
+#define BIND_ERR_MSG ((DWORD)0xC0000001L)
+
+/*
+ * MessageId: BIND_WARN_MSG
+ *
+ * MessageText:
+ *
+ *  %1
+ */
+#define BIND_WARN_MSG ((DWORD)0x80000002L)
+
+/*
+ * MessageId: BIND_INFO_MSG
+ *
+ * MessageText:
+ *
+ *  %1
+ */
+#define BIND_INFO_MSG ((DWORD)0x40000003L)
+
+#endif /* ISC_BINDEVT_H */
diff --git a/lib/isc/win32/include/isc/condition.h b/lib/isc/win32/include/isc/condition.h
new file mode 100644
index 0000000..738419c
--- /dev/null
+++ b/lib/isc/win32/include/isc/condition.h
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_CONDITION_H
+#define ISC_CONDITION_H 1
+
+#include <windows.h>
+
+#include <isc/lang.h>
+#include <isc/mutex.h>
+#include <isc/thread.h>
+#include <isc/types.h>
+
+typedef struct isc_condition_thread isc_condition_thread_t;
+
+struct isc_condition_thread {
+	uintptr_t th;
+	HANDLE	  handle[2];
+	ISC_LINK(isc_condition_thread_t) link;
+};
+
+typedef struct isc_condition {
+	HANDLE	     events[2];
+	unsigned int waiters;
+	ISC_LIST(isc_condition_thread_t) threadlist;
+} isc_condition_t;
+
+ISC_LANG_BEGINDECLS
+
+void
+isc_condition_init(isc_condition_t *);
+
+isc_result_t
+isc_condition_wait(isc_condition_t *, isc_mutex_t *);
+
+isc_result_t
+isc_condition_signal(isc_condition_t *);
+
+isc_result_t
+isc_condition_broadcast(isc_condition_t *);
+
+isc_result_t
+isc_condition_destroy(isc_condition_t *);
+
+isc_result_t
+isc_condition_waituntil(isc_condition_t *, isc_mutex_t *, isc_time_t *);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_CONDITION_H */
diff --git a/lib/isc/win32/include/isc/dir.h b/lib/isc/win32/include/isc/dir.h
new file mode 100644
index 0000000..f0050dd
--- /dev/null
+++ b/lib/isc/win32/include/isc/dir.h
@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_DIR_H
+#define ISC_DIR_H 1
+
+#include <stdbool.h>
+#include <stdlib.h>
+#include <windows.h>
+
+#include <isc/lang.h>
+#include <isc/platform.h>
+#include <isc/result.h>
+
+typedef struct {
+	char		name[NAME_MAX];
+	unsigned int	length;
+	WIN32_FIND_DATA find_data;
+} isc_direntry_t;
+
+typedef struct {
+	unsigned int   magic;
+	char	       dirname[PATH_MAX];
+	isc_direntry_t entry;
+	bool	       entry_filled;
+	HANDLE	       search_handle;
+} isc_dir_t;
+
+ISC_LANG_BEGINDECLS
+
+void
+isc_dir_init(isc_dir_t *dir);
+
+isc_result_t
+isc_dir_open(isc_dir_t *dir, const char *dirname);
+
+isc_result_t
+isc_dir_read(isc_dir_t *dir);
+
+isc_result_t
+isc_dir_reset(isc_dir_t *dir);
+
+void
+isc_dir_close(isc_dir_t *dir);
+
+isc_result_t
+isc_dir_chdir(const char *dirname);
+
+isc_result_t
+isc_dir_chroot(const char *dirname);
+
+isc_result_t
+isc_dir_createunique(char *templet);
+/*
+ * Use a templet (such as from isc_file_mktemplate()) to create a uniquely
+ * named, empty directory.  The templet string is modified in place.
+ * If result == ISC_R_SUCCESS, it is the name of the directory that was
+ * created.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_DIR_H */
diff --git a/lib/isc/win32/include/isc/ipv6.h b/lib/isc/win32/include/isc/ipv6.h
new file mode 100644
index 0000000..4ab567a
--- /dev/null
+++ b/lib/isc/win32/include/isc/ipv6.h
@@ -0,0 +1,130 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_IPV6_H
+#define ISC_IPV6_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*
+ * IPv6 definitions for systems which do not support IPv6.
+ *
+ * MP:
+ *	No impact.
+ *
+ * Reliability:
+ *	No anticipated impact.
+ *
+ * Resources:
+ *	N/A.
+ *
+ * Security:
+ *	No anticipated impact.
+ *
+ * Standards:
+ *	RFC2553.
+ */
+
+#if _MSC_VER < 1300
+#define in6_addr in_addr6
+#endif /* if _MSC_VER < 1300 */
+
+#ifndef IN6ADDR_ANY_INIT
+#define IN6ADDR_ANY_INIT                                               \
+	{                                                              \
+		{                                                      \
+			0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 \
+		}                                                      \
+	}
+#endif /* ifndef IN6ADDR_ANY_INIT */
+#ifndef IN6ADDR_LOOPBACK_INIT
+#define IN6ADDR_LOOPBACK_INIT                                          \
+	{                                                              \
+		{                                                      \
+			0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 \
+		}                                                      \
+	}
+#endif /* ifndef IN6ADDR_LOOPBACK_INIT */
+#ifndef IN6ADDR_V4MAPPED_INIT
+#define IN6ADDR_V4MAPPED_INIT                                                \
+	{                                                                    \
+		{                                                            \
+			0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff, 0, 0, 0, 0 \
+		}                                                            \
+	}
+#endif /* ifndef IN6ADDR_V4MAPPED_INIT */
+
+LIBISC_EXTERNAL_DATA extern const struct in6_addr isc_in6addr_any;
+LIBISC_EXTERNAL_DATA extern const struct in6_addr isc_in6addr_loopback;
+
+/*
+ * Unspecified
+ */
+#ifndef IN6_IS_ADDR_UNSPECIFIED
+#define IN6_IS_ADDR_UNSPECIFIED(a)               \
+	(*((u_long *)((a)->s6_addr)) == 0 &&     \
+	 *((u_long *)((a)->s6_addr) + 1) == 0 && \
+	 *((u_long *)((a)->s6_addr) + 2) == 0 && \
+	 *((u_long *)((a)->s6_addr) + 3) == 0)
+#endif /* ifndef IN6_IS_ADDR_UNSPECIFIED */
+
+/*
+ * Loopback
+ */
+#ifndef IN6_IS_ADDR_LOOPBACK
+#define IN6_IS_ADDR_LOOPBACK(a)                  \
+	(*((u_long *)((a)->s6_addr)) == 0 &&     \
+	 *((u_long *)((a)->s6_addr) + 1) == 0 && \
+	 *((u_long *)((a)->s6_addr) + 2) == 0 && \
+	 *((u_long *)((a)->s6_addr) + 3) == htonl(1))
+#endif /* ifndef IN6_IS_ADDR_LOOPBACK */
+
+/*
+ * IPv4 compatible
+ */
+#define IN6_IS_ADDR_V4COMPAT(a)                  \
+	(*((u_long *)((a)->s6_addr)) == 0 &&     \
+	 *((u_long *)((a)->s6_addr) + 1) == 0 && \
+	 *((u_long *)((a)->s6_addr) + 2) == 0 && \
+	 *((u_long *)((a)->s6_addr) + 3) != 0 && \
+	 *((u_long *)((a)->s6_addr) + 3) != htonl(1))
+
+/*
+ * Mapped
+ */
+#define IN6_IS_ADDR_V4MAPPED(a)                  \
+	(*((u_long *)((a)->s6_addr)) == 0 &&     \
+	 *((u_long *)((a)->s6_addr) + 1) == 0 && \
+	 *((u_long *)((a)->s6_addr) + 2) == htonl(0x0000ffff))
+
+/*
+ * Multicast
+ */
+#define IN6_IS_ADDR_MULTICAST(a) ((a)->s6_addr[0] == 0xffU)
+
+/*
+ * Unicast link / site local.
+ */
+#ifndef IN6_IS_ADDR_LINKLOCAL
+#define IN6_IS_ADDR_LINKLOCAL(a) \
+	(((a)->s6_addr[0] == 0xfe) && (((a)->s6_addr[1] & 0xc0) == 0x80))
+#endif /* ifndef IN6_IS_ADDR_LINKLOCAL */
+
+#ifndef IN6_IS_ADDR_SITELOCAL
+#define IN6_IS_ADDR_SITELOCAL(a) \
+	(((a)->s6_addr[0] == 0xfe) && (((a)->s6_addr[1] & 0xc0) == 0xc0))
+#endif /* ifndef IN6_IS_ADDR_SITELOCAL */
+
+#endif /* ISC_IPV6_H */
diff --git a/lib/isc/win32/include/isc/mutex.h b/lib/isc/win32/include/isc/mutex.h
new file mode 100644
index 0000000..3fcc538
--- /dev/null
+++ b/lib/isc/win32/include/isc/mutex.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_MUTEX_H
+#define ISC_MUTEX_H 1
+
+#include <windows.h>
+
+#include <isc/net.h>
+#include <isc/result.h>
+
+typedef CRITICAL_SECTION isc_mutex_t;
+
+/*
+ * This definition is here since some versions of WINBASE.H
+ * omits it for some reason.
+ */
+#if (_WIN32_WINNT < 0x0400)
+WINBASEAPI BOOL WINAPI
+TryEnterCriticalSection(LPCRITICAL_SECTION lpCriticalSection);
+#endif /* _WIN32_WINNT < 0x0400 */
+
+#define isc_mutex_init(mp)   InitializeCriticalSection((mp))
+#define isc_mutex_lock(mp)   (EnterCriticalSection((mp)), ISC_R_SUCCESS)
+#define isc_mutex_unlock(mp) (LeaveCriticalSection((mp)), ISC_R_SUCCESS)
+#define isc_mutex_trylock(mp) \
+	(TryEnterCriticalSection((mp)) ? ISC_R_SUCCESS : ISC_R_LOCKBUSY)
+#define isc_mutex_destroy(mp) (DeleteCriticalSection((mp)))
+
+/*
+ * This is a placeholder for now since we are not keeping any mutex stats
+ */
+#define isc_mutex_stats(fp) \
+	do {                \
+	} while (0)
+
+#endif /* ISC_MUTEX_H */
diff --git a/lib/isc/win32/include/isc/net.h b/lib/isc/win32/include/isc/net.h
new file mode 100644
index 0000000..391614e
--- /dev/null
+++ b/lib/isc/win32/include/isc/net.h
@@ -0,0 +1,402 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_NET_H
+#define ISC_NET_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*
+ * Basic Networking Types
+ *
+ * This module is responsible for defining the following basic networking
+ * types:
+ *
+ *		struct in_addr
+ *		struct in6_addr
+ *		struct in6_pktinfo
+ *		struct sockaddr
+ *		struct sockaddr_in
+ *		struct sockaddr_in6
+ *		in_port_t
+ *
+ * It ensures that the AF_ and PF_ macros are defined.
+ *
+ * It declares ntoh[sl]() and hton[sl]().
+ *
+ * It declares inet_ntop(), and inet_pton().
+ *
+ * It ensures that INADDR_ANY, IN6ADDR_ANY_INIT, in6addr_any, and
+ * in6addr_loopback are available.
+ *
+ * It ensures that IN_MULTICAST() is available to check for multicast
+ * addresses.
+ *
+ * MP:
+ *	No impact.
+ *
+ * Reliability:
+ *	No anticipated impact.
+ *
+ * Resources:
+ *	N/A.
+ *
+ * Security:
+ *	No anticipated impact.
+ *
+ * Standards:
+ *	BSD Socket API
+ *	RFC2553
+ */
+
+/***
+ *** Imports.
+ ***/
+#include <inttypes.h>
+
+#include <isc/platform.h>
+
+/*
+ * Because of some sort of problem in the MS header files, this cannot
+ * be simple "#include <winsock2.h>", because winsock2.h tries to include
+ * windows.h, which then generates an error out of mswsock.h.  _You_
+ * figure it out.
+ */
+#ifndef _WINSOCKAPI_
+#define _WINSOCKAPI_ /* Prevent inclusion of winsock.h in windows.h */
+#endif		     /* ifndef _WINSOCKAPI_ */
+
+#include <winsock2.h>
+#include <ws2tcpip.h>
+
+#include <isc/ipv6.h>
+#include <isc/lang.h>
+#include <isc/types.h>
+
+#include <sys/types.h>
+
+/*
+ * This is here because named client, interfacemgr.c, etc. use the name as
+ * a variable
+ */
+#undef interface
+
+#ifndef INADDR_ANY
+#define INADDR_ANY 0x00000000UL
+#endif /* ifndef INADDR_ANY */
+
+#ifndef INADDR_LOOPBACK
+#define INADDR_LOOPBACK 0x7f000001UL
+#endif /* ifndef INADDR_LOOPBACK */
+
+#if _MSC_VER < 1300
+#define in6addr_any	 isc_in6addr_any
+#define in6addr_loopback isc_in6addr_loopback
+#endif /* if _MSC_VER < 1300 */
+
+/*
+ * Ensure type in_port_t is defined.
+ */
+typedef uint16_t in_port_t;
+
+/*
+ * If this system does not have MSG_TRUNC (as returned from recvmsg())
+ * ISC_PLATFORM_RECVOVERFLOW will be defined.  This will enable the MSG_TRUNC
+ * faking code in socket.c.
+ */
+#ifndef MSG_TRUNC
+#define ISC_PLATFORM_RECVOVERFLOW
+#endif /* ifndef MSG_TRUNC */
+
+#define ISC__IPADDR(x) ((uint32_t)htonl((uint32_t)(x)))
+
+#define ISC_IPADDR_ISMULTICAST(i) \
+	(((uint32_t)(i)&ISC__IPADDR(0xf0000000)) == ISC__IPADDR(0xe0000000))
+
+#define ISC_IPADDR_ISEXPERIMENTAL(i) \
+	(((uint32_t)(i)&ISC__IPADDR(0xf0000000)) == ISC__IPADDR(0xf0000000))
+
+/*
+ * Fix the FD_SET and FD_CLR Macros to properly cast
+ */
+#undef FD_CLR
+#define FD_CLR(fd, set)                                                        \
+	do {                                                                   \
+		u_int __i;                                                     \
+		for (__i = 0; __i < ((fd_set FAR *)(set))->fd_count; __i++) {  \
+			if (((fd_set FAR *)(set))->fd_array[__i] ==            \
+			    (SOCKET)fd) {                                      \
+				while (__i <                                   \
+				       ((fd_set FAR *)(set))->fd_count - 1)    \
+				{                                              \
+					((fd_set FAR *)(set))->fd_array[__i] = \
+						((fd_set FAR *)(set))          \
+							->fd_array[__i + 1];   \
+					__i++;                                 \
+				}                                              \
+				((fd_set FAR *)(set))->fd_count--;             \
+				break;                                         \
+			}                                                      \
+		}                                                              \
+	} while (0)
+
+#undef FD_SET
+#define FD_SET(fd, set)                                                       \
+	do {                                                                  \
+		u_int __i;                                                    \
+		for (__i = 0; __i < ((fd_set FAR *)(set))->fd_count; __i++) { \
+			if (((fd_set FAR *)(set))->fd_array[__i] ==           \
+			    (SOCKET)(fd))                                     \
+			{                                                     \
+				break;                                        \
+			}                                                     \
+		}                                                             \
+		if (__i == ((fd_set FAR *)(set))->fd_count) {                 \
+			if (((fd_set FAR *)(set))->fd_count < FD_SETSIZE) {   \
+				((fd_set FAR *)(set))->fd_array[__i] =        \
+					(SOCKET)(fd);                         \
+				((fd_set FAR *)(set))->fd_count++;            \
+			}                                                     \
+		}                                                             \
+	} while (0)
+
+/*
+ * Windows Sockets errors redefined as regular Berkeley error constants.
+ * These are usually commented out in Windows NT to avoid conflicts with
+ * errno.h. Use the WSA constants instead.
+ */
+
+#include <errno.h>
+
+#ifndef EWOULDBLOCK
+#define EWOULDBLOCK WSAEWOULDBLOCK
+#endif /* ifndef EWOULDBLOCK */
+#ifndef EINPROGRESS
+#define EINPROGRESS WSAEINPROGRESS
+#endif /* ifndef EINPROGRESS */
+#ifndef EALREADY
+#define EALREADY WSAEALREADY
+#endif /* ifndef EALREADY */
+#ifndef ENOTSOCK
+#define ENOTSOCK WSAENOTSOCK
+#endif /* ifndef ENOTSOCK */
+#ifndef EDESTADDRREQ
+#define EDESTADDRREQ WSAEDESTADDRREQ
+#endif /* ifndef EDESTADDRREQ */
+#ifndef EMSGSIZE
+#define EMSGSIZE WSAEMSGSIZE
+#endif /* ifndef EMSGSIZE */
+#ifndef EPROTOTYPE
+#define EPROTOTYPE WSAEPROTOTYPE
+#endif /* ifndef EPROTOTYPE */
+#ifndef ENOPROTOOPT
+#define ENOPROTOOPT WSAENOPROTOOPT
+#endif /* ifndef ENOPROTOOPT */
+#ifndef EPROTONOSUPPORT
+#define EPROTONOSUPPORT WSAEPROTONOSUPPORT
+#endif /* ifndef EPROTONOSUPPORT */
+#ifndef ESOCKTNOSUPPORT
+#define ESOCKTNOSUPPORT WSAESOCKTNOSUPPORT
+#endif /* ifndef ESOCKTNOSUPPORT */
+#ifndef EOPNOTSUPP
+#define EOPNOTSUPP WSAEOPNOTSUPP
+#endif /* ifndef EOPNOTSUPP */
+#ifndef EPFNOSUPPORT
+#define EPFNOSUPPORT WSAEPFNOSUPPORT
+#endif /* ifndef EPFNOSUPPORT */
+#ifndef EAFNOSUPPORT
+#define EAFNOSUPPORT WSAEAFNOSUPPORT
+#endif /* ifndef EAFNOSUPPORT */
+#ifndef EADDRINUSE
+#define EADDRINUSE WSAEADDRINUSE
+#endif /* ifndef EADDRINUSE */
+#ifndef EADDRNOTAVAIL
+#define EADDRNOTAVAIL WSAEADDRNOTAVAIL
+#endif /* ifndef EADDRNOTAVAIL */
+#ifndef ENETDOWN
+#define ENETDOWN WSAENETDOWN
+#endif /* ifndef ENETDOWN */
+#ifndef ENETUNREACH
+#define ENETUNREACH WSAENETUNREACH
+#endif /* ifndef ENETUNREACH */
+#ifndef ENETRESET
+#define ENETRESET WSAENETRESET
+#endif /* ifndef ENETRESET */
+#ifndef ECONNABORTED
+#define ECONNABORTED WSAECONNABORTED
+#endif /* ifndef ECONNABORTED */
+#ifndef ECONNRESET
+#define ECONNRESET WSAECONNRESET
+#endif /* ifndef ECONNRESET */
+#ifndef ENOBUFS
+#define ENOBUFS WSAENOBUFS
+#endif /* ifndef ENOBUFS */
+#ifndef EISCONN
+#define EISCONN WSAEISCONN
+#endif /* ifndef EISCONN */
+#ifndef ENOTCONN
+#define ENOTCONN WSAENOTCONN
+#endif /* ifndef ENOTCONN */
+#ifndef ESHUTDOWN
+#define ESHUTDOWN WSAESHUTDOWN
+#endif /* ifndef ESHUTDOWN */
+#ifndef ETOOMANYREFS
+#define ETOOMANYREFS WSAETOOMANYREFS
+#endif /* ifndef ETOOMANYREFS */
+#ifndef ETIMEDOUT
+#define ETIMEDOUT WSAETIMEDOUT
+#endif /* ifndef ETIMEDOUT */
+#ifndef ECONNREFUSED
+#define ECONNREFUSED WSAECONNREFUSED
+#endif /* ifndef ECONNREFUSED */
+#ifndef ELOOP
+#define ELOOP WSAELOOP
+#endif /* ifndef ELOOP */
+#ifndef EHOSTDOWN
+#define EHOSTDOWN WSAEHOSTDOWN
+#endif /* ifndef EHOSTDOWN */
+#ifndef EHOSTUNREACH
+#define EHOSTUNREACH WSAEHOSTUNREACH
+#endif /* ifndef EHOSTUNREACH */
+#ifndef EPROCLIM
+#define EPROCLIM WSAEPROCLIM
+#endif /* ifndef EPROCLIM */
+#ifndef EUSERS
+#define EUSERS WSAEUSERS
+#endif /* ifndef EUSERS */
+#ifndef EDQUOT
+#define EDQUOT WSAEDQUOT
+#endif /* ifndef EDQUOT */
+#ifndef ESTALE
+#define ESTALE WSAESTALE
+#endif /* ifndef ESTALE */
+#ifndef EREMOTE
+#define EREMOTE WSAEREMOTE
+#endif /* ifndef EREMOTE */
+
+/***
+ *** Functions.
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_net_probeipv4(void);
+/*
+ * Check if the system's kernel supports IPv4.
+ *
+ * Returns:
+ *
+ *	ISC_R_SUCCESS		IPv4 is supported.
+ *	ISC_R_NOTFOUND		IPv4 is not supported.
+ *	ISC_R_DISABLED		IPv4 is disabled.
+ *	ISC_R_UNEXPECTED
+ */
+
+isc_result_t
+isc_net_probeipv6(void);
+/*
+ * Check if the system's kernel supports IPv6.
+ *
+ * Returns:
+ *
+ *	ISC_R_SUCCESS		IPv6 is supported.
+ *	ISC_R_NOTFOUND		IPv6 is not supported.
+ *	ISC_R_DISABLED		IPv6 is disabled.
+ *	ISC_R_UNEXPECTED
+ */
+
+isc_result_t
+isc_net_probeunix(void);
+/*
+ * Check if UNIX domain sockets are supported.
+ *
+ * Returns:
+ *
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOTFOUND
+ */
+
+#define ISC_NET_DSCPRECVV4 0x01 /* Can receive sent DSCP value IPv4 */
+#define ISC_NET_DSCPRECVV6 0x02 /* Can receive sent DSCP value IPv6 */
+#define ISC_NET_DSCPSETV4  0x04 /* Can set DSCP on socket IPv4 */
+#define ISC_NET_DSCPSETV6  0x08 /* Can set DSCP on socket IPv6 */
+#define ISC_NET_DSCPPKTV4  0x10 /* Can set DSCP on per packet IPv4 */
+#define ISC_NET_DSCPPKTV6  0x20 /* Can set DSCP on per packet IPv6 */
+#define ISC_NET_DSCPALL	   0x3f /* All valid flags */
+
+unsigned int
+isc_net_probedscp(void);
+/*%<
+ * Probe the level of DSCP support.
+ */
+
+isc_result_t
+isc_net_probe_ipv6only(void);
+/*
+ * Check if the system's kernel supports the IPV6_V6ONLY socket option.
+ *
+ * Returns:
+ *
+ *	ISC_R_SUCCESS		the option is supported for both TCP and UDP.
+ *	ISC_R_NOTFOUND		IPv6 itself or the option is not supported.
+ *	ISC_R_UNEXPECTED
+ */
+
+isc_result_t
+isc_net_probe_ipv6pktinfo(void);
+/*
+ * Check if the system's kernel supports the IPV6_(RECV)PKTINFO socket option
+ * for UDP sockets.
+ *
+ * Returns:
+ *
+ *	ISC_R_SUCCESS		the option is supported.
+ *	ISC_R_NOTFOUND		IPv6 itself or the option is not supported.
+ *	ISC_R_UNEXPECTED
+ */
+
+void
+isc_net_disableipv4(void);
+
+void
+isc_net_disableipv6(void);
+
+void
+isc_net_enableipv4(void);
+
+void
+isc_net_enableipv6(void);
+
+isc_result_t
+isc_net_getudpportrange(int af, in_port_t *low, in_port_t *high);
+/*%<
+ * Returns system's default range of ephemeral UDP ports, if defined.
+ * If the range is not available or unknown, ISC_NET_PORTRANGELOW and
+ * ISC_NET_PORTRANGEHIGH will be returned.
+ *
+ * Requires:
+ *
+ *\li	'low' and 'high' must be non NULL.
+ *
+ * Returns:
+ *
+ *\li	*low and *high will be the ports specifying the low and high ends of
+ *	the range.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_NET_H */
diff --git a/lib/isc/win32/include/isc/netdb.h b/lib/isc/win32/include/isc/netdb.h
new file mode 100644
index 0000000..e37ecb5
--- /dev/null
+++ b/lib/isc/win32/include/isc/netdb.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_NETDB_H
+#define ISC_NETDB_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*
+ * Portable netdb.h support.
+ *
+ * This module is responsible for defining the get<x>by<y> APIs.
+ *
+ * MP:
+ *	No impact.
+ *
+ * Reliability:
+ *	No anticipated impact.
+ *
+ * Resources:
+ *	N/A.
+ *
+ * Security:
+ *	No anticipated impact.
+ *
+ * Standards:
+ *	BSD API
+ */
+
+/***
+ *** Imports.
+ ***/
+
+#include <isc/net.h>
+
+#endif /* ISC_NETDB_H */
diff --git a/lib/isc/win32/include/isc/ntgroups.h b/lib/isc/win32/include/isc/ntgroups.h
new file mode 100644
index 0000000..496f84a
--- /dev/null
+++ b/lib/isc/win32/include/isc/ntgroups.h
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_NTGROUPS_H
+#define ISC_NTGROUPS_H 1
+
+#include <isc/lang.h>
+#include <isc/result.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_ntsecurity_getaccountgroups(char *name, char **Groups,
+				unsigned int maxgroups, unsigned int *total);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_NTGROUPS_H */
diff --git a/lib/isc/win32/include/isc/ntpaths.h b/lib/isc/win32/include/isc/ntpaths.h
new file mode 100644
index 0000000..37c915d
--- /dev/null
+++ b/lib/isc/win32/include/isc/ntpaths.h
@@ -0,0 +1,66 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Windows-specific path definitions
+ * These routines are used to set up and return system-specific path
+ * information about the files enumerated in NtPaths
+ */
+
+#ifndef ISC_NTPATHS_H
+#define ISC_NTPATHS_H
+
+#include <isc/lang.h>
+
+/*
+ * Index of paths needed
+ */
+enum NtPaths {
+	NAMED_CONF_PATH,
+	RESOLV_CONF_PATH,
+	RNDC_CONF_PATH,
+	NAMED_PID_PATH,
+	NAMED_LOCK_PATH,
+	LOCAL_STATE_DIR,
+	SYS_CONF_DIR,
+	RNDC_KEY_PATH,
+	SESSION_KEY_PATH,
+	BIND_KEYS_PATH
+};
+
+/*
+ * Define macros to get the path of the config files
+ */
+#define NAMED_CONFFILE	isc_ntpaths_get(NAMED_CONF_PATH)
+#define RNDC_CONFFILE	isc_ntpaths_get(RNDC_CONF_PATH)
+#define RNDC_KEYFILE	isc_ntpaths_get(RNDC_KEY_PATH)
+#define SESSION_KEYFILE isc_ntpaths_get(SESSION_KEY_PATH)
+#define RESOLV_CONF	isc_ntpaths_get(RESOLV_CONF_PATH)
+
+/*
+ * Information about where the files are on disk
+ */
+#define NAMED_LOCALSTATEDIR "/dns/bin"
+#define NAMED_SYSCONFDIR    "/dns/etc"
+
+ISC_LANG_BEGINDECLS
+
+void
+isc_ntpaths_init(void);
+
+char *
+isc_ntpaths_get(int);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_NTPATHS_H */
diff --git a/lib/isc/win32/include/isc/offset.h b/lib/isc/win32/include/isc/offset.h
new file mode 100644
index 0000000..f09cfdb
--- /dev/null
+++ b/lib/isc/win32/include/isc/offset.h
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_OFFSET_H
+#define ISC_OFFSET_H 1
+
+/*
+ * File offsets are operating-system dependent.
+ */
+#include <limits.h> /* Required for CHAR_BIT. */
+
+#include <sys/types.h>
+
+typedef _off_t isc_offset_t;
+
+#endif /* ISC_OFFSET_H */
diff --git a/lib/isc/win32/include/isc/once.h b/lib/isc/win32/include/isc/once.h
new file mode 100644
index 0000000..d2d841f
--- /dev/null
+++ b/lib/isc/win32/include/isc/once.h
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_ONCE_H
+#define ISC_ONCE_H 1
+
+#include <isc/lang.h>
+#include <isc/result.h>
+
+ISC_LANG_BEGINDECLS
+
+typedef struct {
+	int status;
+	int counter;
+} isc_once_t;
+
+#define ISC_ONCE_INIT_NEEDED 0
+#define ISC_ONCE_INIT_DONE   1
+
+#define ISC_ONCE_INIT                   \
+	{                               \
+		ISC_ONCE_INIT_NEEDED, 1 \
+	}
+
+isc_result_t
+isc_once_do(isc_once_t *controller, void (*function)(void));
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_ONCE_H */
diff --git a/lib/isc/win32/include/isc/platform.h.in b/lib/isc/win32/include/isc/platform.h.in
new file mode 100644
index 0000000..b3fad9c
--- /dev/null
+++ b/lib/isc/win32/include/isc/platform.h.in
@@ -0,0 +1,132 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_PLATFORM_H
+#define ISC_PLATFORM_H 1
+
+/*****
+ ***** Platform-dependent defines.
+ *****/
+
+#if _MSC_VER > 1400
+#define HAVE_TLS 1
+#define HAVE___DECLSPEC_THREAD 1
+#endif
+
+/*
+ * Some compatibility cludges
+ */
+
+#if defined(_WIN32) || defined(_WIN64)
+/* We are on Windows */
+# define strtok_r strtok_s
+
+#define ISC_STRERRORSIZE 128
+
+#ifndef strtoull
+#define strtoull _strtoui64
+#endif
+
+#include <stdint.h>
+#if _MSC_VER < 1914
+typedef uint32_t socklen_t;
+#endif
+
+#endif
+
+#define __builtin_unreachable() __assume(0)
+
+/*
+ * Remove __attribute__ ((foo)) on Windows
+ */
+
+#define __attribute__(attribute) /* do nothing */
+
+/*
+ * Limits
+ */
+
+#ifndef NAME_MAX
+#define NAME_MAX _MAX_FNAME
+#endif
+
+#ifndef PATH_MAX
+#define PATH_MAX _MAX_PATH
+#endif
+
+/***
+ *** Network.
+ ***/
+
+#undef MSG_TRUNC
+
+typedef uint16_t sa_family_t;
+
+/*
+ * Define if the platform has <sys/un.h>.
+ */
+#undef ISC_PLATFORM_HAVESYSUNH
+
+/*
+ * Defines for the noreturn attribute.
+ */
+#define ISC_PLATFORM_NORETURN_PRE __declspec(noreturn)
+#define ISC_PLATFORM_NORETURN_POST
+
+/*
+ * Set up a macro for importing and exporting from the DLL
+ */
+
+#ifdef LIBISC_EXPORTS
+#define LIBISC_EXTERNAL_DATA __declspec(dllexport)
+#else
+#define LIBISC_EXTERNAL_DATA __declspec(dllimport)
+#endif
+
+#ifdef LIBDNS_EXPORTS
+#define LIBDNS_EXTERNAL_DATA __declspec(dllexport)
+#else
+#define LIBDNS_EXTERNAL_DATA __declspec(dllimport)
+#endif
+
+#ifdef LIBISCCC_EXPORTS
+#define LIBISCCC_EXTERNAL_DATA __declspec(dllexport)
+#else
+#define LIBISCCC_EXTERNAL_DATA __declspec(dllimport)
+#endif
+
+#ifdef LIBISCCFG_EXPORTS
+#define LIBISCCFG_EXTERNAL_DATA __declspec(dllexport)
+#else
+#define LIBISCCFG_EXTERNAL_DATA __declspec(dllimport)
+#endif
+
+#ifdef LIBNS_EXPORTS
+#define LIBNS_EXTERNAL_DATA __declspec(dllexport)
+#else
+#define LIBNS_EXTERNAL_DATA __declspec(dllimport)
+#endif
+
+#ifdef LIBBIND9_EXPORTS
+#define LIBBIND9_EXTERNAL_DATA __declspec(dllexport)
+#else
+#define LIBBIND9_EXTERNAL_DATA __declspec(dllimport)
+#endif
+
+#ifdef LIBTESTS_EXPORTS
+#define LIBTESTS_EXTERNAL_DATA __declspec(dllexport)
+#else
+#define LIBTESTS_EXTERNAL_DATA __declspec(dllimport)
+#endif
+
+#endif /* ISC_PLATFORM_H */
diff --git a/lib/isc/win32/include/isc/stat.h b/lib/isc/win32/include/isc/stat.h
new file mode 100644
index 0000000..63577f9
--- /dev/null
+++ b/lib/isc/win32/include/isc/stat.h
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_STAT_H
+#define ISC_STAT_H 1
+
+#include <sys/stat.h>
+
+/*
+ * Windows doesn't typedef this.
+ */
+typedef unsigned short mode_t;
+
+/* open() under unix allows setting of read/write permissions
+ * at the owner, group and other levels.  These don't exist in NT
+ * We'll just map them all to the NT equivalent
+ */
+
+#define S_IREAD	 _S_IREAD  /* read permission, owner */
+#define S_IWRITE _S_IWRITE /* write permission, owner */
+#define S_IRUSR	 _S_IREAD  /* Owner read permission */
+#define S_IWUSR	 _S_IWRITE /* Owner write permission */
+#define S_IRGRP	 _S_IREAD  /* Group read permission */
+#define S_IWGRP	 _S_IWRITE /* Group write permission */
+#define S_IROTH	 _S_IREAD  /* Other read permission */
+#define S_IWOTH	 _S_IWRITE /* Other write permission */
+
+#ifndef S_IFMT
+#define S_IFMT _S_IFMT
+#endif /* ifndef S_IFMT */
+#ifndef S_IFDIR
+#define S_IFDIR _S_IFDIR
+#endif /* ifndef S_IFDIR */
+#ifndef S_IFCHR
+#define S_IFCHR _S_IFCHR
+#endif /* ifndef S_IFCHR */
+#ifndef S_IFREG
+#define S_IFREG _S_IFREG
+#endif /* ifndef S_IFREG */
+
+#ifndef S_ISDIR
+#define S_ISDIR(m) (((m)&S_IFMT) == S_IFDIR)
+#endif /* ifndef S_ISDIR */
+#ifndef S_ISREG
+#define S_ISREG(m) (((m)&S_IFMT) == S_IFREG)
+#endif /* ifndef S_ISREG */
+
+#endif /* ISC_STAT_H */
diff --git a/lib/isc/win32/include/isc/stdatomic.h b/lib/isc/win32/include/isc/stdatomic.h
new file mode 100644
index 0000000..dd5293f
--- /dev/null
+++ b/lib/isc/win32/include/isc/stdatomic.h
@@ -0,0 +1,595 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#pragma once
+
+#define WIN32_LEAN_AND_MEAN
+#include <intrin.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <uchar.h>
+#include <windows.h>
+
+#pragma warning(disable : 4133)
+#pragma warning(disable : 4090)
+
+#define InterlockedExchangeAdd8	    _InterlockedExchangeAdd8
+#define InterlockedCompareExchange8 _InterlockedCompareExchange8
+
+#pragma intrinsic(_InterlockedCompareExchange8, _InterlockedExchangeAdd8)
+
+#include <isc/util.h>
+
+#ifndef __ATOMIC_RELAXED
+#define __ATOMIC_RELAXED 0
+#endif /* ifndef __ATOMIC_RELAXED */
+#ifndef __ATOMIC_CONSUME
+#define __ATOMIC_CONSUME 1
+#endif /* ifndef __ATOMIC_CONSUME */
+#ifndef __ATOMIC_ACQUIRE
+#define __ATOMIC_ACQUIRE 2
+#endif /* ifndef __ATOMIC_ACQUIRE */
+#ifndef __ATOMIC_RELEASE
+#define __ATOMIC_RELEASE 3
+#endif /* ifndef __ATOMIC_RELEASE */
+#ifndef __ATOMIC_ACQ_REL
+#define __ATOMIC_ACQ_REL 4
+#endif /* ifndef __ATOMIC_ACQ_REL */
+#ifndef __ATOMIC_SEQ_CST
+#define __ATOMIC_SEQ_CST 5
+#endif /* ifndef __ATOMIC_SEQ_CST */
+
+enum memory_order {
+	memory_order_relaxed = __ATOMIC_RELAXED,
+	memory_order_consume = __ATOMIC_CONSUME,
+	memory_order_acquire = __ATOMIC_ACQUIRE,
+	memory_order_release = __ATOMIC_RELEASE,
+	memory_order_acq_rel = __ATOMIC_ACQ_REL,
+	memory_order_seq_cst = __ATOMIC_SEQ_CST
+};
+
+typedef enum memory_order memory_order;
+
+/*
+ * If you add a type with different sizeof() length,
+ * you need to implement atomic_<foo>_explicitNN macros.
+ */
+
+typedef bool volatile atomic_bool;
+typedef char volatile atomic_char;
+typedef signed char volatile atomic_schar;
+typedef unsigned char volatile atomic_uchar;
+typedef short volatile atomic_short;
+typedef unsigned short volatile atomic_ushort;
+typedef int volatile atomic_int;
+typedef unsigned int volatile atomic_uint;
+typedef long volatile atomic_long;
+typedef unsigned long volatile atomic_ulong;
+typedef long long volatile atomic_llong;
+typedef unsigned long long volatile atomic_ullong;
+typedef char16_t volatile atomic_char16_t;
+typedef char32_t volatile atomic_char32_t;
+typedef wchar_t volatile atomic_wchar_t;
+typedef int_least8_t volatile atomic_int_least8_t;
+typedef uint_least8_t volatile atomic_uint_least8_t;
+typedef int_least16_t volatile atomic_int_least16_t;
+typedef uint_least16_t volatile atomic_uint_least16_t;
+typedef int_least32_t volatile atomic_int_least32_t;
+typedef uint_least32_t volatile atomic_uint_least32_t;
+typedef int_least64_t volatile atomic_int_least64_t;
+typedef uint_least64_t volatile atomic_uint_least64_t;
+typedef int_fast8_t volatile atomic_int_fast8_t;
+typedef uint_fast8_t volatile atomic_uint_fast8_t;
+typedef int_fast16_t volatile atomic_int_fast16_t;
+typedef uint_fast16_t volatile atomic_uint_fast16_t;
+typedef int_fast32_t volatile atomic_int_fast32_t;
+typedef uint_fast32_t volatile atomic_uint_fast32_t;
+typedef int_fast64_t volatile atomic_int_fast64_t;
+typedef uint_fast64_t volatile atomic_uint_fast64_t;
+typedef intptr_t volatile atomic_intptr_t;
+typedef uintptr_t volatile atomic_uintptr_t;
+typedef size_t volatile atomic_size_t;
+typedef ptrdiff_t volatile atomic_ptrdiff_t;
+typedef intmax_t volatile atomic_intmax_t;
+typedef uintmax_t volatile atomic_uintmax_t;
+
+#define atomic_init(obj, desired) (*(obj) = (desired))
+
+#define atomic_store_explicit8(obj, desired, order) \
+	(void)InterlockedExchange8((atomic_int_fast8_t *)obj, desired)
+
+#define atomic_store_explicit16(obj, desired, order)                           \
+	(order == memory_order_relaxed                                         \
+		 ? (void)InterlockedExchangeNoFence16((atomic_short *)obj,     \
+						      desired)                 \
+		 : (order == memory_order_acquire                              \
+			    ? (void)InterlockedExchangeAcquire16(              \
+				      (atomic_short *)obj, desired)            \
+			    : (void)InterlockedExchange16((atomic_short *)obj, \
+							  desired)))
+
+#define atomic_store_explicit32(obj, desired, order)                       \
+	(order == memory_order_relaxed                                     \
+		 ? (void)InterlockedExchangeNoFence(                       \
+			   (atomic_int_fast32_t *)obj, desired)            \
+		 : (order == memory_order_acquire                          \
+			    ? (void)InterlockedExchangeAcquire(            \
+				      (atomic_int_fast32_t *)obj, desired) \
+			    : (void)InterlockedExchange(                   \
+				      (atomic_int_fast32_t *)obj, desired)))
+
+#ifdef _WIN64
+#define atomic_store_explicit64(obj, desired, order)                       \
+	(order == memory_order_relaxed                                     \
+		 ? (void)InterlockedExchangeNoFence64(                     \
+			   (atomic_int_fast64_t *)obj, desired)            \
+		 : (order == memory_order_acquire                          \
+			    ? (void)InterlockedExchangeAcquire64(          \
+				      (atomic_int_fast64_t *)obj, desired) \
+			    : (void)InterlockedExchange64(                 \
+				      (atomic_int_fast64_t *)obj, desired)))
+#else /* ifdef _WIN64 */
+#define atomic_store_explicit64(obj, desired, order) \
+	(void)InterlockedExchange64((atomic_int_fast64_t *)obj, desired)
+#endif /* ifdef _WIN64 */
+
+static inline void
+atomic_store_abort() {
+	UNREACHABLE();
+}
+
+#define atomic_store_explicit(obj, desired, order)                             \
+	(sizeof(*(obj)) == 8                                                   \
+		 ? atomic_store_explicit64(obj, desired, order)                \
+		 : (sizeof(*(obj)) == 4                                        \
+			    ? atomic_store_explicit32(obj, desired, order)     \
+			    : (sizeof(*(obj)) == 2                             \
+				       ? atomic_store_explicit16(obj, desired, \
+								 order)        \
+				       : (sizeof(*(obj)) == 1                  \
+						  ? atomic_store_explicit8(    \
+							    obj, desired,      \
+							    order)             \
+						  : atomic_store_abort()))))
+
+#define atomic_store(obj, desired) \
+	atomic_store_explicit(obj, desired, memory_order_seq_cst)
+
+#define atomic_load_explicit8(obj, order) \
+	(int8_t) InterlockedOr8((atomic_int_fast8_t *)obj, 0)
+
+#define atomic_load_explicit16(obj, order) \
+	(short)InterlockedOr16((atomic_short *)obj, 0)
+
+#define atomic_load_explicit32(obj, order)                                      \
+	(order == memory_order_relaxed                                          \
+		 ? (int32_t)InterlockedOrNoFence((atomic_int_fast32_t *)obj,    \
+						 0)                             \
+		 : (order == memory_order_acquire                               \
+			    ? (int32_t)InterlockedOrAcquire(                    \
+				      (atomic_int_fast32_t *)obj, 0)            \
+			    : (order == memory_order_release                    \
+				       ? (int32_t)InterlockedOrRelease(         \
+						 (atomic_int_fast32_t *)obj, 0) \
+				       : (int32_t)InterlockedOr(                \
+						 (atomic_int_fast32_t *)obj,    \
+						 0))))
+
+#ifdef _WIN64
+#define atomic_load_explicit64(obj, order)                                      \
+	(order == memory_order_relaxed                                          \
+		 ? InterlockedOr64NoFence((atomic_int_fast64_t *)obj, 0)        \
+		 : (order == memory_order_acquire                               \
+			    ? InterlockedOr64Acquire(                           \
+				      (atomic_int_fast64_t *)obj, 0)            \
+			    : (order == memory_order_release                    \
+				       ? InterlockedOr64Release(                \
+						 (atomic_int_fast64_t *)obj, 0) \
+				       : InterlockedOr64(                       \
+						 (atomic_int_fast64_t *)obj,    \
+						 0))))
+#else /* ifdef _WIN64 */
+#define atomic_load_explicit64(obj, order) \
+	InterlockedOr64((atomic_int_fast64_t *)obj, 0)
+#endif /* ifdef _WIN64 */
+
+static inline int8_t
+atomic_load_abort() {
+	UNREACHABLE();
+}
+
+#define atomic_load_explicit(obj, order)                                       \
+	(((sizeof(*(obj)) == 8)                                                \
+		  ? atomic_load_explicit64(obj, order)                         \
+		  : ((sizeof(*(obj)) == 4)                                     \
+			     ? atomic_load_explicit32(obj, order)              \
+			     : ((sizeof(*(obj)) == 2)                          \
+					? atomic_load_explicit16(obj, order)   \
+					: ((sizeof(*(obj)) == 1)               \
+						   ? atomic_load_explicit8(    \
+							     obj, order)       \
+						   : atomic_load_abort())))) & \
+	 ((sizeof(*(obj)) == 8)                                                \
+		  ? 0xffffffffffffffffULL                                      \
+		  : ((sizeof(*(obj)) == 4)                                     \
+			     ? 0xffffffffULL                                   \
+			     : ((sizeof(*(obj)) == 2)                          \
+					? 0xffffULL                            \
+					: ((sizeof(*(obj)) == 1)               \
+						   ? 0xffULL                   \
+						   : atomic_load_abort())))))
+
+#define atomic_load(obj) atomic_load_explicit(obj, memory_order_seq_cst)
+
+#define atomic_fetch_add_explicit8(obj, arg, order) \
+	InterlockedExchangeAdd8((atomic_int_fast8_t *)obj, arg)
+
+#define atomic_fetch_add_explicit16(obj, arg, order) \
+	InterlockedExchangeAdd16((atomic_short *)obj, arg)
+
+#define atomic_fetch_add_explicit32(obj, arg, order)                         \
+	(order == memory_order_relaxed                                       \
+		 ? InterlockedExchangeAddNoFence((atomic_int_fast32_t *)obj, \
+						 arg)                        \
+		 : (order == memory_order_acquire                            \
+			    ? InterlockedExchangeAddAcquire(                 \
+				      (atomic_int_fast32_t *)obj, arg)       \
+			    : (order == memory_order_release                 \
+				       ? InterlockedExchangeAddRelease(      \
+						 (atomic_int_fast32_t *)obj, \
+						 arg)                        \
+				       : InterlockedExchangeAdd(             \
+						 (atomic_int_fast32_t *)obj, \
+						 arg))))
+
+#ifdef _WIN64
+#define atomic_fetch_add_explicit64(obj, arg, order)                           \
+	(order == memory_order_relaxed                                         \
+		 ? InterlockedExchangeAddNoFence64((atomic_int_fast64_t *)obj, \
+						   arg)                        \
+		 : (order == memory_order_acquire                              \
+			    ? InterlockedExchangeAddAcquire64(                 \
+				      (atomic_int_fast64_t *)obj, arg)         \
+			    : (order == memory_order_release                   \
+				       ? InterlockedExchangeAddRelease64(      \
+						 (atomic_int_fast64_t *)obj,   \
+						 arg)                          \
+				       : InterlockedExchangeAdd64(             \
+						 (atomic_int_fast64_t *)obj,   \
+						 arg))))
+#else /* ifdef _WIN64 */
+#define atomic_fetch_add_explicit64(obj, arg, order) \
+	InterlockedExchangeAdd64((atomic_int_fast64_t *)obj, arg)
+#endif /* ifdef _WIN64 */
+
+static inline int8_t
+atomic_add_abort() {
+	UNREACHABLE();
+}
+
+#define atomic_fetch_add_explicit(obj, arg, order)                              \
+	(sizeof(*(obj)) == 8                                                    \
+		 ? atomic_fetch_add_explicit64(obj, arg, order)                 \
+		 : (sizeof(*(obj)) == 4                                         \
+			    ? atomic_fetch_add_explicit32(obj, arg, order)      \
+			    : (sizeof(*(obj)) == 2                              \
+				       ? atomic_fetch_add_explicit16(obj, arg,  \
+								     order)     \
+				       : (sizeof(*(obj)) == 1                   \
+						  ? atomic_fetch_add_explicit8( \
+							    obj, arg, order)    \
+						  : atomic_add_abort()))))
+
+#define atomic_fetch_add(obj, arg) \
+	atomic_fetch_add_explicit(obj, arg, memory_order_seq_cst)
+
+#define atomic_fetch_sub_explicit(obj, arg, order) \
+	atomic_fetch_add_explicit(obj, -arg, order)
+
+#define atomic_fetch_sub(obj, arg) \
+	atomic_fetch_sub_explicit(obj, arg, memory_order_seq_cst)
+
+#define atomic_fetch_and_explicit8(obj, arg, order) \
+	InterlockedAnd8((atomic_int_fast8_t *)obj, arg)
+
+#define atomic_fetch_and_explicit16(obj, arg, order) \
+	InterlockedAnd16((atomic_short *)obj, arg)
+
+#define atomic_fetch_and_explicit32(obj, arg, order)                         \
+	(order == memory_order_relaxed                                       \
+		 ? InterlockedAndNoFence((atomic_int_fast32_t *)obj, arg)    \
+		 : (order == memory_order_acquire                            \
+			    ? InterlockedAndAcquire(                         \
+				      (atomic_int_fast32_t *)obj, arg)       \
+			    : (order == memory_order_release                 \
+				       ? InterlockedAndRelease(              \
+						 (atomic_int_fast32_t *)obj, \
+						 arg)                        \
+				       : InterlockedAnd(                     \
+						 (atomic_int_fast32_t *)obj, \
+						 arg))))
+
+#ifdef _WIN64
+#define atomic_fetch_and_explicit64(obj, arg, order)                         \
+	(order == memory_order_relaxed                                       \
+		 ? InterlockedAnd64NoFence((atomic_int_fast64_t *)obj, arg)  \
+		 : (order == memory_order_acquire                            \
+			    ? InterlockedAnd64Acquire(                       \
+				      (atomic_int_fast64_t *)obj, arg)       \
+			    : (order == memory_order_release                 \
+				       ? InterlockedAnd64Release(            \
+						 (atomic_int_fast64_t *)obj, \
+						 arg)                        \
+				       : InterlockedAnd64(                   \
+						 (atomic_int_fast64_t *)obj, \
+						 arg))))
+#else /* ifdef _WIN64 */
+#define atomic_fetch_and_explicit64(obj, arg, order) \
+	InterlockedAnd64((atomic_int_fast64_t *)obj, arg)
+#endif /* ifdef _WIN64 */
+
+static inline int8_t
+atomic_and_abort() {
+	UNREACHABLE();
+}
+
+#define atomic_fetch_and_explicit(obj, arg, order)                              \
+	(sizeof(*(obj)) == 8                                                    \
+		 ? atomic_fetch_and_explicit64(obj, arg, order)                 \
+		 : (sizeof(*(obj)) == 4                                         \
+			    ? atomic_fetch_and_explicit32(obj, arg, order)      \
+			    : (sizeof(*(obj)) == 2                              \
+				       ? atomic_fetch_and_explicit16(obj, arg,  \
+								     order)     \
+				       : (sizeof(*(obj)) == 1                   \
+						  ? atomic_fetch_and_explicit8( \
+							    obj, arg, order)    \
+						  : atomic_and_abort()))))
+
+#define atomic_fetch_and(obj, arg) \
+	atomic_fetch_and_explicit(obj, arg, memory_order_seq_cst)
+
+#define atomic_fetch_or_explicit8(obj, arg, order) \
+	InterlockedOr8((atomic_int_fast8_t *)obj, arg)
+
+#define atomic_fetch_or_explicit16(obj, arg, order) \
+	InterlockedOr16((atomic_short *)obj, arg)
+
+#define atomic_fetch_or_explicit32(obj, arg, order)                            \
+	(order == memory_order_relaxed                                         \
+		 ? InterlockedOrNoFence((atomic_int_fast32_t *)obj, arg)       \
+		 : (order == memory_order_acquire                              \
+			    ? InterlockedOrAcquire((atomic_int_fast32_t *)obj, \
+						   arg)                        \
+			    : (order == memory_order_release                   \
+				       ? InterlockedOrRelease(                 \
+						 (atomic_int_fast32_t *)obj,   \
+						 arg)                          \
+				       : InterlockedOr(                        \
+						 (atomic_int_fast32_t *)obj,   \
+						 arg))))
+
+#ifdef _WIN64
+#define atomic_fetch_or_explicit64(obj, arg, order)                          \
+	(order == memory_order_relaxed                                       \
+		 ? InterlockedOr64NoFence((atomic_int_fast64_t *)obj, arg)   \
+		 : (order == memory_order_acquire                            \
+			    ? InterlockedOr64Acquire(                        \
+				      (atomic_int_fast64_t *)obj, arg)       \
+			    : (order == memory_order_release                 \
+				       ? InterlockedOr64Release(             \
+						 (atomic_int_fast64_t *)obj, \
+						 arg)                        \
+				       : InterlockedOr64(                    \
+						 (atomic_int_fast64_t *)obj, \
+						 arg))))
+#else /* ifdef _WIN64 */
+#define atomic_fetch_or_explicit64(obj, arg, order) \
+	InterlockedOr64((atomic_int_fast64_t *)obj, arg)
+#endif /* ifdef _WIN64 */
+
+static inline int8_t
+atomic_or_abort() {
+	UNREACHABLE();
+}
+
+#define atomic_fetch_or_explicit(obj, arg, order)                              \
+	(sizeof(*(obj)) == 8                                                   \
+		 ? atomic_fetch_or_explicit64(obj, arg, order)                 \
+		 : (sizeof(*(obj)) == 4                                        \
+			    ? atomic_fetch_or_explicit32(obj, arg, order)      \
+			    : (sizeof(*(obj)) == 2                             \
+				       ? atomic_fetch_or_explicit16(obj, arg,  \
+								    order)     \
+				       : (sizeof(*(obj)) == 1                  \
+						  ? atomic_fetch_or_explicit8( \
+							    obj, arg, order)   \
+						  : atomic_or_abort()))))
+
+#define atomic_fetch_or(obj, arg) \
+	atomic_fetch_or_explicit(obj, arg, memory_order_seq_cst)
+
+static inline bool
+atomic_compare_exchange_strong_explicit8(atomic_int_fast8_t *obj,
+					 int8_t *expected, int8_t desired,
+					 memory_order succ, memory_order fail) {
+	bool   __r;
+	int8_t __v;
+
+	UNUSED(succ);
+	UNUSED(fail);
+
+	__v = InterlockedCompareExchange8((atomic_int_fast8_t *)obj, desired,
+					  *expected);
+	__r = (*(expected) == __v);
+	if (!__r) {
+		*(expected) = __v;
+	}
+	return (__r);
+}
+
+static inline bool
+atomic_compare_exchange_strong_explicit16(atomic_short *obj, short *expected,
+					  short desired, memory_order succ,
+					  memory_order fail) {
+	bool  __r;
+	short __v;
+
+	UNUSED(succ);
+	UNUSED(fail);
+
+	__v = InterlockedCompareExchange16((atomic_short *)obj, desired,
+					   *expected);
+	__r = (*(expected) == __v);
+	if (!__r) {
+		*(expected) = __v;
+	}
+	return (__r);
+}
+
+static inline bool
+atomic_compare_exchange_strong_explicit32(atomic_int_fast32_t *obj,
+					  int32_t *expected, int32_t desired,
+					  memory_order succ,
+					  memory_order fail) {
+	bool	__r;
+	int32_t __v;
+
+	UNUSED(succ);
+	UNUSED(fail);
+
+	switch (succ) {
+	case memory_order_relaxed:
+		__v = InterlockedCompareExchangeNoFence(
+			(atomic_int_fast32_t *)obj, desired, *expected);
+		break;
+	case memory_order_acquire:
+		__v = InterlockedCompareExchangeAcquire(
+			(atomic_int_fast32_t *)obj, desired, *expected);
+		break;
+	case memory_order_release:
+		__v = InterlockedCompareExchangeRelease(
+			(atomic_int_fast32_t *)obj, desired, *expected);
+		break;
+	default:
+		__v = InterlockedCompareExchange((atomic_int_fast32_t *)obj,
+						 desired, *expected);
+		break;
+	}
+	__r = (*(expected) == __v);
+	if (!__r) {
+		*(expected) = __v;
+	}
+	return (__r);
+}
+
+static inline bool
+atomic_compare_exchange_strong_explicit64(atomic_int_fast64_t *obj,
+					  int64_t *expected, int64_t desired,
+					  memory_order succ,
+					  memory_order fail) {
+	bool	__r;
+	int64_t __v;
+
+	UNUSED(succ);
+	UNUSED(fail);
+
+#ifdef _WIN64
+	switch (succ) {
+	case memory_order_relaxed:
+		__v = InterlockedCompareExchangeNoFence64(
+			(atomic_int_fast64_t *)obj, desired, *expected);
+		break;
+	case memory_order_acquire:
+		__v = InterlockedCompareExchangeAcquire64(
+			(atomic_int_fast64_t *)obj, desired, *expected);
+		break;
+	case memory_order_release:
+		__v = InterlockedCompareExchangeRelease64(
+			(atomic_int_fast64_t *)obj, desired, *expected);
+		break;
+	default:
+		__v = InterlockedCompareExchange64((atomic_int_fast64_t *)obj,
+						   desired, *expected);
+		break;
+	}
+#else  /* ifdef _WIN64 */
+	__v = InterlockedCompareExchange64((atomic_int_fast64_t *)obj, desired,
+					   *expected);
+#endif /* ifdef _WIN64 */
+	__r = (*(expected) == __v);
+	if (!__r) {
+		*(expected) = __v;
+	}
+	return (__r);
+}
+
+static inline bool
+atomic_compare_exchange_abort() {
+	UNREACHABLE();
+}
+
+#define atomic_compare_exchange_strong_explicit(obj, expected, desired, succ,                 \
+						fail)                                         \
+	(sizeof(*(obj)) == 8                                                                  \
+		 ? atomic_compare_exchange_strong_explicit64(                                 \
+			   obj, expected, desired, succ, fail)                                \
+		 : (sizeof(*(obj)) == 4                                                       \
+			    ? atomic_compare_exchange_strong_explicit32(                      \
+				      obj, expected, desired, succ, fail)                     \
+			    : (sizeof(*(obj)) == 2                                            \
+				       ? atomic_compare_exchange_strong_explicit16(           \
+						 obj, expected, desired, succ,                \
+						 fail)                                        \
+				       : (sizeof(*(obj)) == 1                                 \
+						  ? atomic_compare_exchange_strong_explicit8( \
+							    obj, expected,                    \
+							    desired, succ,                    \
+							    fail)                             \
+						  : atomic_compare_exchange_abort()))))
+
+#define atomic_compare_exchange_strong(obj, expected, desired)          \
+	atomic_compare_exchange_strong_explicit(obj, expected, desired, \
+						memory_order_seq_cst,   \
+						memory_order_seq_cst)
+
+#define atomic_compare_exchange_weak_explicit(obj, expected, desired, succ,   \
+					      fail)                           \
+	atomic_compare_exchange_strong_explicit(obj, expected, desired, succ, \
+						fail)
+
+#define atomic_compare_exchange_weak(obj, expected, desired)          \
+	atomic_compare_exchange_weak_explicit(obj, expected, desired, \
+					      memory_order_seq_cst,   \
+					      memory_order_seq_cst)
+
+static inline bool
+atomic_exchange_abort() {
+	UNREACHABLE();
+}
+
+#define atomic_exchange_explicit(obj, desired, order)                        \
+	(sizeof(*(obj)) == 8                                                 \
+		 ? InterlockedExchange64(obj, desired)                       \
+		 : (sizeof(*(obj)) == 4                                      \
+			    ? InterlockedExchange(obj, desired)              \
+			    : (sizeof(*(obj)) == 2                           \
+				       ? InterlockedExchange16(obj, desired) \
+				       : (sizeof(*(obj)) == 1                \
+						  ? InterlockedExchange8(    \
+							    obj, desired)    \
+						  : atomic_exchange_abort()))))
+
+#define atomic_exchange(obj, desired) \
+	atomic_exchange_explicit(obj, desired, memory_order_seq_cst)
diff --git a/lib/isc/win32/include/isc/stdtime.h b/lib/isc/win32/include/isc/stdtime.h
new file mode 100644
index 0000000..12e990c
--- /dev/null
+++ b/lib/isc/win32/include/isc/stdtime.h
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_STDTIME_H
+#define ISC_STDTIME_H 1
+
+#include <inttypes.h>
+#include <stdlib.h>
+
+#include <isc/lang.h>
+
+/*
+ * It's public information that 'isc_stdtime_t' is an unsigned integral type.
+ * Applications that want maximum portability should not assume anything
+ * about its size.
+ */
+typedef uint32_t isc_stdtime_t;
+
+ISC_LANG_BEGINDECLS
+
+void
+isc_stdtime_get(isc_stdtime_t *t);
+/*
+ * Set 't' to the number of seconds since 00:00:00 UTC, January 1, 1970.
+ *
+ * Requires:
+ *
+ *	't' is a valid pointer.
+ */
+
+void
+isc_stdtime_tostring(isc_stdtime_t t, char *out, size_t outlen);
+/*
+ * Convert 't' into a null-terminated string of the form
+ * "Wed Jun 30 21:49:08 1993". Store the string in the 'out'
+ * buffer.
+ *
+ * Requires:
+ *
+ *	't' is a valid time.
+ *	'out' is a valid pointer.
+ *	'outlen' is at least 26.
+ */
+
+#define isc_stdtime_convert32(t, t32p) (*(t32p) = t)
+/*
+ * Convert the standard time to its 32-bit version.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_STDTIME_H */
diff --git a/lib/isc/win32/include/isc/syslog.h b/lib/isc/win32/include/isc/syslog.h
new file mode 100644
index 0000000..2638ad2
--- /dev/null
+++ b/lib/isc/win32/include/isc/syslog.h
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_SYSLOG_H
+#define ISC_SYSLOG_H 1
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_syslog_facilityfromstring(const char *str, int *facilityp);
+/*
+ * Convert 'str' to the appropriate syslog facility constant.
+ *
+ * Requires:
+ *
+ *	'str' is not NULL
+ *	'facilityp' is not NULL
+ *
+ * Returns:
+ * 	ISC_R_SUCCESS
+ * 	ISC_R_NOTFOUND
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_SYSLOG_H */
diff --git a/lib/isc/win32/include/isc/thread.h b/lib/isc/win32/include/isc/thread.h
new file mode 100644
index 0000000..5e30c63
--- /dev/null
+++ b/lib/isc/win32/include/isc/thread.h
@@ -0,0 +1,103 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_THREAD_H
+#define ISC_THREAD_H 1
+
+#include <inttypes.h>
+#include <windows.h>
+
+#include <isc/lang.h>
+#include <isc/result.h>
+
+extern __declspec(thread) size_t isc_tid_v;
+
+/*
+ * Inlines to help with wait return checking
+ */
+
+/* check handle for NULL and INVALID_HANDLE */
+inline BOOL
+IsValidHandle(HANDLE hHandle) {
+	return ((hHandle != NULL) && (hHandle != INVALID_HANDLE_VALUE));
+}
+
+/* validate wait return codes... */
+inline BOOL
+WaitSucceeded(DWORD dwWaitResult, DWORD dwHandleCount) {
+	return ((dwWaitResult >= WAIT_OBJECT_0) &&
+		(dwWaitResult < WAIT_OBJECT_0 + dwHandleCount));
+}
+
+inline BOOL
+WaitAbandoned(DWORD dwWaitResult, DWORD dwHandleCount) {
+	return ((dwWaitResult >= WAIT_ABANDONED_0) &&
+		(dwWaitResult < WAIT_ABANDONED_0 + dwHandleCount));
+}
+
+inline BOOL
+WaitTimeout(DWORD dwWaitResult) {
+	return (dwWaitResult == WAIT_TIMEOUT);
+}
+
+inline BOOL
+WaitFailed(DWORD dwWaitResult) {
+	return (dwWaitResult == WAIT_FAILED);
+}
+
+/* compute object indices for waits... */
+inline DWORD
+WaitSucceededIndex(DWORD dwWaitResult) {
+	return (dwWaitResult - WAIT_OBJECT_0);
+}
+
+inline DWORD
+WaitAbandonedIndex(DWORD dwWaitResult) {
+	return (dwWaitResult - WAIT_ABANDONED_0);
+}
+
+typedef HANDLE isc_thread_t;
+typedef DWORD  isc_threadresult_t;
+typedef void  *isc_threadarg_t;
+typedef isc_threadresult_t(WINAPI *isc_threadfunc_t)(isc_threadarg_t);
+
+#define isc_thread_self (uintptr_t) GetCurrentThreadId
+
+ISC_LANG_BEGINDECLS
+
+void
+isc_thread_create(isc_threadfunc_t, isc_threadarg_t, isc_thread_t *);
+
+void
+isc_thread_join(isc_thread_t, isc_threadresult_t *);
+
+void
+isc_thread_setconcurrency(unsigned int level);
+
+void
+isc_thread_setname(isc_thread_t, const char *);
+
+isc_result_t
+isc_thread_setaffinity(int cpu);
+
+#define isc_thread_yield() Sleep(0)
+
+#if HAVE___DECLSPEC_THREAD
+#define ISC_THREAD_LOCAL static __declspec(thread)
+#else /* if HAVE___DECLSPEC_THREAD */
+#error "Thread-local storage support is required!"
+#endif /* if HAVE___DECLSPEC_THREAD */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_THREAD_H */
diff --git a/lib/isc/win32/include/isc/time.h b/lib/isc/win32/include/isc/time.h
new file mode 100644
index 0000000..baed464
--- /dev/null
+++ b/lib/isc/win32/include/isc/time.h
@@ -0,0 +1,468 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_TIME_H
+#define ISC_TIME_H 1
+
+#include <errno.h>
+#include <inttypes.h>
+#include <stdbool.h>
+#include <time.h>
+#include <windows.h>
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+/***
+ *** POSIX Shims
+ ***/
+
+struct tm *
+gmtime_r(const time_t *clock, struct tm *result);
+
+struct tm *
+localtime_r(const time_t *clock, struct tm *result);
+
+int
+nanosleep(const struct timespec *req, struct timespec *rem);
+
+typedef uint32_t useconds_t;
+
+int
+usleep(useconds_t usec);
+
+/***
+ *** Intervals
+ ***/
+
+/*
+ * The contents of this structure are private, and MUST NOT be accessed
+ * directly by callers.
+ *
+ * The contents are exposed only to allow callers to avoid dynamic allocation.
+ */
+struct isc_interval {
+	int64_t interval;
+};
+
+LIBISC_EXTERNAL_DATA extern const isc_interval_t *const isc_interval_zero;
+
+/*
+ * ISC_FORMATHTTPTIMESTAMP_SIZE needs to be 30 in C locale and potentially
+ * more for other locales to handle longer national abbreviations when
+ * expanding strftime's %a and %b.
+ */
+#define ISC_FORMATHTTPTIMESTAMP_SIZE 50
+
+ISC_LANG_BEGINDECLS
+
+void
+isc_interval_set(isc_interval_t *i, unsigned int seconds,
+		 unsigned int nanoseconds);
+/*
+ * Set 'i' to a value representing an interval of 'seconds' seconds and
+ * 'nanoseconds' nanoseconds, suitable for use in isc_time_add() and
+ * isc_time_subtract().
+ *
+ * Requires:
+ *
+ *	't' is a valid pointer.
+ *	nanoseconds < 1000000000.
+ */
+
+bool
+isc_interval_iszero(const isc_interval_t *i);
+/*
+ * Returns true iff. 'i' is the zero interval.
+ *
+ * Requires:
+ *
+ *	'i' is a valid pointer.
+ */
+
+/***
+ *** Absolute Times
+ ***/
+
+/*
+ * The contents of this structure are private, and MUST NOT be accessed
+ * directly by callers.
+ *
+ * The contents are exposed only to allow callers to avoid dynamic allocation.
+ */
+
+struct isc_time {
+	FILETIME absolute;
+};
+
+LIBISC_EXTERNAL_DATA extern const isc_time_t *const isc_time_epoch;
+
+void
+isc_time_set(isc_time_t *t, unsigned int seconds, unsigned int nanoseconds);
+/*%<
+ * Set 't' to a value which represents the given number of seconds and
+ * nanoseconds since 00:00:00 January 1, 1970, UTC.
+ *
+ * Requires:
+ *\li   't' is a valid pointer.
+ *\li   nanoseconds < 1000000000.
+ */
+
+void
+isc_time_settoepoch(isc_time_t *t);
+/*
+ * Set 't' to the time of the epoch.
+ *
+ * Notes:
+ * 	The date of the epoch is platform-dependent.
+ *
+ * Requires:
+ *
+ *	't' is a valid pointer.
+ */
+
+bool
+isc_time_isepoch(const isc_time_t *t);
+/*
+ * Returns true iff. 't' is the epoch ("time zero").
+ *
+ * Requires:
+ *
+ *	't' is a valid pointer.
+ */
+
+isc_result_t
+isc_time_now(isc_time_t *t);
+/*
+ * Set 't' to the current absolute time.
+ *
+ * Requires:
+ *
+ *	't' is a valid pointer.
+ *
+ * Returns:
+ *
+ *	Success
+ *	Unexpected error
+ *		Getting the time from the system failed.
+ *	Out of range
+ *		The time from the system is too large to be represented
+ *		in the current definition of isc_time_t.
+ */
+
+isc_result_t
+isc_time_now_hires(isc_time_t *t);
+/*%<
+ * Set 't' to the current absolute time. Uses higher resolution clocks
+ * recommended when microsecond accuracy is required.
+ *
+ * Requires:
+ *
+ *\li	't' is a valid pointer.
+ *
+ * Returns:
+ *
+ *\li	Success
+ *\li	Unexpected error
+ *		Getting the time from the system failed.
+ *\li	Out of range
+ *		The time from the system is too large to be represented
+ *		in the current definition of isc_time_t.
+ */
+
+isc_result_t
+isc_time_nowplusinterval(isc_time_t *t, const isc_interval_t *i);
+/*
+ * Set *t to the current absolute time + i.
+ *
+ * Note:
+ *	This call is equivalent to:
+ *
+ *		isc_time_now(t);
+ *		isc_time_add(t, i, t);
+ *
+ * Requires:
+ *
+ *	't' and 'i' are valid pointers.
+ *
+ * Returns:
+ *
+ *	Success
+ *	Unexpected error
+ *		Getting the time from the system failed.
+ *	Out of range
+ *		The interval added to the time from the system is too large to
+ *		be represented in the current definition of isc_time_t.
+ */
+
+int
+isc_time_compare(const isc_time_t *t1, const isc_time_t *t2);
+/*
+ * Compare the times referenced by 't1' and 't2'
+ *
+ * Requires:
+ *
+ *	't1' and 't2' are valid pointers.
+ *
+ * Returns:
+ *
+ *	-1		t1 < t2		(comparing times, not pointers)
+ *	0		t1 = t2
+ *	1		t1 > t2
+ */
+
+isc_result_t
+isc_time_add(const isc_time_t *t, const isc_interval_t *i, isc_time_t *result);
+/*
+ * Add 'i' to 't', storing the result in 'result'.
+ *
+ * Requires:
+ *
+ *	't', 'i', and 'result' are valid pointers.
+ *
+ * Returns:
+ * 	Success
+ *	Out of range
+ * 		The interval added to the time is too large to
+ *		be represented in the current definition of isc_time_t.
+ */
+
+isc_result_t
+isc_time_subtract(const isc_time_t *t, const isc_interval_t *i,
+		  isc_time_t *result);
+/*
+ * Subtract 'i' from 't', storing the result in 'result'.
+ *
+ * Requires:
+ *
+ *	't', 'i', and 'result' are valid pointers.
+ *
+ * Returns:
+ *	Success
+ *	Out of range
+ *		The interval is larger than the time since the epoch.
+ */
+
+uint64_t
+isc_time_microdiff(const isc_time_t *t1, const isc_time_t *t2);
+/*
+ * Find the difference in milliseconds between time t1 and time t2.
+ * t2 is the subtrahend of t1; ie, difference = t1 - t2.
+ *
+ * Requires:
+ *
+ *	't1' and 't2' are valid pointers.
+ *
+ * Returns:
+ *	The difference of t1 - t2, or 0 if t1 <= t2.
+ */
+
+isc_result_t
+isc_time_parsehttptimestamp(char *input, isc_time_t *t);
+/*%<
+ * Parse the time in 'input' into the isc_time_t pointed to by 't',
+ * expecting a format like "Mon, 30 Aug 2000 04:06:47 GMT"
+ *
+ *  Requires:
+ *\li      'buf' and 't' are not NULL.
+ */
+
+uint32_t
+isc_time_nanoseconds(const isc_time_t *t);
+/*
+ * Return the number of nanoseconds stored in a time structure.
+ *
+ * Notes:
+ *	This is the number of nanoseconds in excess of the number
+ *	of seconds since the epoch; it will always be less than one
+ *	full second.
+ *
+ * Requires:
+ *	't' is a valid pointer.
+ *
+ * Ensures:
+ *	The returned value is less than 1*10^9.
+ */
+
+void
+isc_time_formattimestamp(const isc_time_t *t, char *buf, unsigned int len);
+/*
+ * Format the time 't' into the buffer 'buf' of length 'len',
+ * using a format like "30-Aug-2000 04:06:47.997" and the local time zone.
+ * If the text does not fit in the buffer, the result is indeterminate,
+ * but is always guaranteed to be null terminated.
+ *
+ *  Requires:
+ *      'len' > 0
+ *      'buf' points to an array of at least len chars
+ *
+ */
+
+void
+isc_time_formathttptimestamp(const isc_time_t *t, char *buf, unsigned int len);
+/*
+ * Format the time 't' into the buffer 'buf' of length 'len',
+ * using a format like "Mon, 30 Aug 2000 04:06:47 GMT"
+ * If the text does not fit in the buffer, the result is indeterminate,
+ * but is always guaranteed to be null terminated.
+ *
+ *  Requires:
+ *      'len' > 0
+ *      'buf' points to an array of at least len chars
+ *
+ */
+
+isc_result_t
+isc_time_parsehttptimestamp(char *input, isc_time_t *t);
+/*%<
+ * Parse the time in 'input' into the isc_time_t pointed to by 't',
+ * expecting a format like "Mon, 30 Aug 2000 04:06:47 GMT"
+ *
+ *  Requires:
+ *\li      'buf' and 't' are not NULL.
+ */
+
+void
+isc_time_formatISO8601L(const isc_time_t *t, char *buf, unsigned int len);
+/*%<
+ * Format the time 't' into the buffer 'buf' of length 'len',
+ * using the ISO8601 format: "yyyy-mm-ddThh:mm:ss"
+ * If the text does not fit in the buffer, the result is indeterminate,
+ * but is always guaranteed to be null terminated.
+ *
+ *  Requires:
+ *\li      'len' > 0
+ *\li      'buf' points to an array of at least len chars
+ *
+ */
+
+void
+isc_time_formatISO8601Lms(const isc_time_t *t, char *buf, unsigned int len);
+/*%<
+ * Format the time 't' into the buffer 'buf' of length 'len',
+ * using the ISO8601 format: "yyyy-mm-ddThh:mm:ss.sss"
+ * If the text does not fit in the buffer, the result is indeterminate,
+ * but is always guaranteed to be null terminated.
+ *
+ *  Requires:
+ *\li      'len' > 0
+ *\li      'buf' points to an array of at least len chars
+ *
+ */
+
+void
+isc_time_formatISO8601Lus(const isc_time_t *t, char *buf, unsigned int len);
+/*%<
+ * Format the time 't' into the buffer 'buf' of length 'len',
+ * using the ISO8601 format: "yyyy-mm-ddThh:mm:ss.ssssss"
+ * If the text does not fit in the buffer, the result is indeterminate,
+ * but is always guaranteed to be null terminated.
+ *
+ *  Requires:
+ *\li      'len' > 0
+ *\li      'buf' points to an array of at least len chars
+ *
+ */
+
+void
+isc_time_formatISO8601(const isc_time_t *t, char *buf, unsigned int len);
+/*%<
+ * Format the time 't' into the buffer 'buf' of length 'len',
+ * using the ISO8601 format: "yyyy-mm-ddThh:mm:ssZ"
+ * If the text does not fit in the buffer, the result is indeterminate,
+ * but is always guaranteed to be null terminated.
+ *
+ *  Requires:
+ *\li      'len' > 0
+ *\li      'buf' points to an array of at least len chars
+ *
+ */
+
+void
+isc_time_formatISO8601ms(const isc_time_t *t, char *buf, unsigned int len);
+/*%<
+ * Format the time 't' into the buffer 'buf' of length 'len',
+ * using the ISO8601 format: "yyyy-mm-ddThh:mm:ss.sssZ"
+ * If the text does not fit in the buffer, the result is indeterminate,
+ * but is always guaranteed to be null terminated.
+ *
+ *  Requires:
+ *\li      'len' > 0
+ *\li      'buf' points to an array of at least len chars
+ *
+ */
+
+void
+isc_time_formatISO8601us(const isc_time_t *t, char *buf, unsigned int len);
+/*%<
+ * Format the time 't' into the buffer 'buf' of length 'len',
+ * using the ISO8601 format: "yyyy-mm-ddThh:mm:ss.ssssssZ"
+ * If the text does not fit in the buffer, the result is indeterminate,
+ * but is always guaranteed to be null terminated.
+ *
+ *  Requires:
+ *\li      'len' > 0
+ *\li      'buf' points to an array of at least len chars
+ *
+ */
+
+void
+isc_time_formatshorttimestamp(const isc_time_t *t, char *buf, unsigned int len);
+/*%<
+ * Format the time 't' into the buffer 'buf' of length 'len',
+ * using the format "yyyymmddhhmmsssss" useful for file timestamping.
+ * If the text does not fit in the buffer, the result is indeterminate,
+ * but is always guaranteed to be null terminated.
+ *
+ *  Requires:
+ *\li      'len' > 0
+ *\li      'buf' points to an array of at least len chars
+ *
+ */
+
+uint32_t
+isc_time_seconds(const isc_time_t *t);
+/*%<
+ * Return the number of seconds since the epoch stored in a time structure.
+ *
+ * Requires:
+ *
+ *\li	't' is a valid pointer.
+ */
+
+isc_result_t
+isc_time_secondsastimet(const isc_time_t *t, time_t *secondsp);
+/*%<
+ * Ensure the number of seconds in an isc_time_t is representable by a time_t.
+ *
+ * Notes:
+ *\li	The number of seconds stored in an isc_time_t might be larger
+ *	than the number of seconds a time_t is able to handle.  Since
+ *	time_t is mostly opaque according to the ANSI/ISO standard
+ *	(essentially, all you can be sure of is that it is an arithmetic type,
+ *	not even necessarily integral), it can be tricky to ensure that
+ *	the isc_time_t is in the range a time_t can handle.  Use this
+ *	function in place of isc_time_seconds() any time you need to set a
+ *	time_t from an isc_time_t.
+ *
+ * Requires:
+ *\li	't' is a valid pointer.
+ *
+ * Returns:
+ *\li	Success
+ *\li	Out of range
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_TIME_H */
diff --git a/lib/isc/win32/include/isc/win32os.h b/lib/isc/win32/include/isc/win32os.h
new file mode 100644
index 0000000..22def42
--- /dev/null
+++ b/lib/isc/win32/include/isc/win32os.h
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_WIN32OS_H
+#define ISC_WIN32OS_H 1
+
+#include <isc/lang.h>
+
+ISC_LANG_BEGINDECLS
+
+/*
+ * Return the number of CPUs available on the system, or 1 if this cannot
+ * be determined.
+ */
+
+int
+isc_win32os_versioncheck(unsigned int major, unsigned int minor,
+			 unsigned int updatemajor, unsigned int updateminor);
+
+/*
+ * Checks the current version of the operating system with the
+ * supplied version information.
+ * Returns:
+ * -1	if less than the version information supplied
+ *  0   if equal to all of the version information supplied
+ * +1   if greater than the version information supplied
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_WIN32OS_H */
diff --git a/lib/isc/win32/interfaceiter.c b/lib/isc/win32/interfaceiter.c
new file mode 100644
index 0000000..db82e20
--- /dev/null
+++ b/lib/isc/win32/interfaceiter.c
@@ -0,0 +1,550 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Note that this code will need to be revisited to support IPv6 Interfaces.
+ * For now we just iterate through IPv4 interfaces.
+ */
+#include <errno.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <winsock2.h>
+#include <ws2tcpip.h>
+
+#include <isc/interfaceiter.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/strerr.h>
+#include <isc/string.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+void
+InitSockets(void);
+
+/* Common utility functions */
+
+/*
+ * Extract the network address part from a "struct sockaddr".
+ *
+ * The address family is given explicitly
+ * instead of using src->sa_family, because the latter does not work
+ * for copying a network mask obtained by SIOCGIFNETMASK (it does
+ * not have a valid address family).
+ */
+
+#define IFITER_MAGIC	0x49464954U /* IFIT. */
+#define VALID_IFITER(t) ((t) != NULL && (t)->magic == IFITER_MAGIC)
+
+struct isc_interfaceiter {
+	unsigned int magic; /* Magic number. */
+	isc_mem_t *mctx;
+	SOCKET socket;
+	INTERFACE_INFO IFData;	   /* Current Interface Info. */
+	int numIF;		   /* Current Interface count. */
+	int v4IF;		   /* Number of IPv4 Interfaces */
+	INTERFACE_INFO *buf4;	   /* Buffer for WSAIoctl data. */
+	unsigned int buf4size;	   /* Bytes allocated. */
+	INTERFACE_INFO *pos4;	   /* Current offset in IF List */
+	SOCKET_ADDRESS_LIST *buf6; /* Buffer for WSAIoctl data. */
+	unsigned int buf6size;	   /* Bytes allocated. */
+	unsigned int pos6;	   /* Which entry to process. */
+	bool v6loop;		   /* See IPv6 loop address. */
+	bool pos6zero;		   /* Done pos6 == 0. */
+	isc_interface_t current;   /* Current interface data. */
+	isc_result_t result;	   /* Last result code. */
+};
+
+/*
+ * Size of buffer for SIO_GET_INTERFACE_LIST, in number of interfaces.
+ * We assume no sane system will have more than than 1K of IP addresses on
+ * all of its adapters.
+ */
+#define IFCONF_SIZE_INITIAL   16
+#define IFCONF_SIZE_INCREMENT 64
+#define IFCONF_SIZE_MAX	      1040
+
+static void
+get_addr(unsigned int family, isc_netaddr_t *dst, struct sockaddr *src) {
+	dst->family = family;
+	switch (family) {
+	case AF_INET:
+		memmove(&dst->type.in, &((struct sockaddr_in *)src)->sin_addr,
+			sizeof(struct in_addr));
+		break;
+	case AF_INET6:
+		memmove(&dst->type.in6,
+			&((struct sockaddr_in6 *)src)->sin6_addr,
+			sizeof(struct in6_addr));
+		dst->zone = ((struct sockaddr_in6 *)src)->sin6_scope_id;
+		break;
+	default:
+		UNREACHABLE();
+	}
+}
+
+isc_result_t
+isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp) {
+	char strbuf[ISC_STRERRORSIZE];
+	isc_interfaceiter_t *iter;
+	isc_result_t result;
+	int error;
+	unsigned long bytesReturned = 0;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(iterp != NULL);
+	REQUIRE(*iterp == NULL);
+
+	iter = isc_mem_get(mctx, sizeof(*iter));
+
+	InitSockets();
+
+	iter->mctx = mctx;
+	iter->buf4 = NULL;
+	iter->buf6 = NULL;
+	iter->pos4 = NULL;
+	iter->pos6 = 0;
+	iter->v6loop = true;
+	iter->pos6zero = true;
+	iter->buf6size = 0;
+	iter->buf4size = 0;
+	iter->result = ISC_R_FAILURE;
+	iter->numIF = 0;
+	iter->v4IF = 0;
+
+	/*
+	 * Create an unbound datagram socket to do the
+	 * SIO_GET_INTERFACE_LIST WSAIoctl on.
+	 */
+	iter->socket = socket(AF_INET, SOCK_DGRAM, 0);
+	if (iter->socket == INVALID_SOCKET) {
+		error = WSAGetLastError();
+		if (error == WSAEAFNOSUPPORT) {
+			goto inet6_only;
+		}
+		strerror_r(error, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "making interface scan socket: %s", strbuf);
+		result = ISC_R_UNEXPECTED;
+		goto socket_failure;
+	}
+
+	/*
+	 * Get the interface configuration, allocating more memory if
+	 * necessary.
+	 */
+	iter->buf4size = IFCONF_SIZE_INITIAL * sizeof(INTERFACE_INFO);
+
+	for (;;) {
+		iter->buf4 = isc_mem_get(mctx, iter->buf4size);
+
+		if (WSAIoctl(iter->socket, SIO_GET_INTERFACE_LIST, 0, 0,
+			     iter->buf4, iter->buf4size, &bytesReturned, 0,
+			     0) == SOCKET_ERROR)
+		{
+			error = WSAGetLastError();
+			if (error != WSAEFAULT && error != WSAENOBUFS) {
+				errno = error;
+				strerror_r(error, strbuf, sizeof(strbuf));
+				UNEXPECTED_ERROR(__FILE__, __LINE__,
+						 "get interface configuration: "
+						 "%s",
+						 strbuf);
+				result = ISC_R_UNEXPECTED;
+				goto ioctl_failure;
+			}
+			/*
+			 * EINVAL.  Retry with a bigger buffer.
+			 */
+		} else {
+			/*
+			 * The WSAIoctl succeeded.
+			 * If the number of the returned bytes is the same
+			 * as the buffer size, we will grow it just in
+			 * case and retry.
+			 */
+			if (bytesReturned > 0 &&
+			    (bytesReturned < iter->buf4size))
+			{
+				break;
+			}
+		}
+		if (iter->buf4size >= IFCONF_SIZE_MAX * sizeof(INTERFACE_INFO))
+		{
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "get interface configuration: "
+					 "maximum buffer size exceeded");
+			result = ISC_R_UNEXPECTED;
+			goto ioctl_failure;
+		}
+		isc_mem_put(mctx, iter->buf4, iter->buf4size);
+
+		iter->buf4size += IFCONF_SIZE_INCREMENT *
+				  sizeof(INTERFACE_INFO);
+	}
+
+	/*
+	 * A newly created iterator has an undefined position
+	 * until isc_interfaceiter_first() is called.
+	 */
+	iter->v4IF = bytesReturned / sizeof(INTERFACE_INFO);
+
+	/* We don't need the socket any more, so close it */
+	closesocket(iter->socket);
+
+inet6_only:
+	/*
+	 * Create an unbound datagram socket to do the
+	 * SIO_ADDRESS_LIST_QUERY WSAIoctl on.
+	 */
+	iter->socket = socket(AF_INET6, SOCK_DGRAM, 0);
+	if (iter->socket == INVALID_SOCKET) {
+		error = WSAGetLastError();
+		if (error == WSAEAFNOSUPPORT) {
+			goto inet_only;
+		}
+		strerror_r(error, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "making interface scan socket: %s", strbuf);
+		result = ISC_R_UNEXPECTED;
+		goto ioctl_failure;
+	}
+
+	/*
+	 * Get the interface configuration, allocating more memory if
+	 * necessary.
+	 */
+	iter->buf6size = sizeof(SOCKET_ADDRESS_LIST) +
+			 IFCONF_SIZE_INITIAL * sizeof(SOCKET_ADDRESS);
+
+	for (;;) {
+		iter->buf6 = isc_mem_get(mctx, iter->buf6size);
+
+		if (WSAIoctl(iter->socket, SIO_ADDRESS_LIST_QUERY, 0, 0,
+			     iter->buf6, iter->buf6size, &bytesReturned, 0,
+			     0) == SOCKET_ERROR)
+		{
+			error = WSAGetLastError();
+			if (error != WSAEFAULT && error != WSAENOBUFS) {
+				errno = error;
+				strerror_r(error, strbuf, sizeof(strbuf));
+				UNEXPECTED_ERROR(__FILE__, __LINE__,
+						 "sio address list query: %s",
+						 strbuf);
+				result = ISC_R_UNEXPECTED;
+				goto ioctl6_failure;
+			}
+			/*
+			 * EINVAL.  Retry with a bigger buffer.
+			 */
+		} else {
+			break;
+		}
+
+		if (iter->buf6size >= IFCONF_SIZE_MAX * sizeof(SOCKET_ADDRESS))
+		{
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "get interface configuration: "
+					 "maximum buffer size exceeded");
+			result = ISC_R_UNEXPECTED;
+			goto ioctl6_failure;
+		}
+		isc_mem_put(mctx, iter->buf6, iter->buf6size);
+
+		iter->buf6size += IFCONF_SIZE_INCREMENT *
+				  sizeof(SOCKET_ADDRESS);
+	}
+
+	closesocket(iter->socket);
+
+inet_only:
+	iter->magic = IFITER_MAGIC;
+	*iterp = iter;
+	return (ISC_R_SUCCESS);
+
+ioctl6_failure:
+	isc_mem_put(mctx, iter->buf6, iter->buf6size);
+
+ioctl_failure:
+	if (iter->buf4 != NULL) {
+		isc_mem_put(mctx, iter->buf4, iter->buf4size);
+	}
+	if (iter->socket != INVALID_SOCKET) {
+		(void)closesocket(iter->socket);
+	}
+
+socket_failure:
+	isc_mem_put(mctx, iter, sizeof(*iter));
+	return (result);
+}
+
+/*
+ * Get information about the current interface to iter->current.
+ * If successful, return ISC_R_SUCCESS.
+ * If the interface has an unsupported address family, or if
+ * some operation on it fails, return ISC_R_IGNORE to make
+ * the higher-level iterator code ignore it.
+ */
+
+static isc_result_t
+internal_current(isc_interfaceiter_t *iter) {
+	BOOL ifNamed = FALSE;
+	unsigned long flags;
+
+	REQUIRE(VALID_IFITER(iter));
+	REQUIRE(iter->numIF >= 0);
+
+	memset(&iter->current, 0, sizeof(iter->current));
+	iter->current.af = AF_INET;
+
+	get_addr(AF_INET, &iter->current.address,
+		 (struct sockaddr *)&(iter->IFData.iiAddress));
+
+	/*
+	 * Get interface flags.
+	 */
+
+	iter->current.flags = 0;
+	flags = iter->IFData.iiFlags;
+
+	if ((flags & IFF_UP) != 0) {
+		iter->current.flags |= INTERFACE_F_UP;
+	}
+
+	if ((flags & IFF_POINTTOPOINT) != 0) {
+		iter->current.flags |= INTERFACE_F_POINTTOPOINT;
+		snprintf(iter->current.name, sizeof(iter->current.name),
+			 "PPP Interface %d", iter->numIF);
+		ifNamed = TRUE;
+	}
+
+	if ((flags & IFF_LOOPBACK) != 0) {
+		iter->current.flags |= INTERFACE_F_LOOPBACK;
+		snprintf(iter->current.name, sizeof(iter->current.name),
+			 "Loopback Interface %d", iter->numIF);
+		ifNamed = TRUE;
+	}
+
+	/*
+	 * If the interface is point-to-point, get the destination address.
+	 */
+	if ((iter->current.flags & INTERFACE_F_POINTTOPOINT) != 0) {
+		get_addr(AF_INET, &iter->current.dstaddress,
+			 (struct sockaddr *)&(iter->IFData.iiBroadcastAddress));
+	}
+
+	if (ifNamed == FALSE) {
+		snprintf(iter->current.name, sizeof(iter->current.name),
+			 "TCP/IP Interface %d", iter->numIF);
+	}
+
+	/*
+	 * Get the network mask.
+	 */
+	get_addr(AF_INET, &iter->current.netmask,
+		 (struct sockaddr *)&(iter->IFData.iiNetmask));
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+internal_current6(isc_interfaceiter_t *iter) {
+	SOCKET fd;
+	int i;
+
+	REQUIRE(VALID_IFITER(iter));
+	REQUIRE(iter->buf6 != NULL);
+
+	memset(&iter->current, 0, sizeof(iter->current));
+	iter->current.af = AF_INET6;
+
+	if (!iter->pos6zero) {
+		if (iter->pos6 == 0U) {
+			iter->pos6zero = true;
+		}
+		get_addr(AF_INET6, &iter->current.address,
+			 iter->buf6->Address[iter->pos6].lpSockaddr);
+
+		/*
+		 * Set interface flags.
+		 */
+
+		iter->current.flags = INTERFACE_F_UP;
+
+		snprintf(iter->current.name, sizeof(iter->current.name),
+			 "TCP/IPv6 Interface %u", iter->pos6 + 1);
+
+		for (i = 0; i < 16; i++) {
+			iter->current.netmask.type.in6.s6_addr[i] = 0xff;
+		}
+		iter->current.netmask.family = AF_INET6;
+		if (IN6_IS_ADDR_LOOPBACK(&iter->current.address.type.in6)) {
+			iter->v6loop = true;
+		}
+	} else {
+		/*
+		 * See if we can bind to the ::1 and if so return ::1.
+		 */
+		struct sockaddr_in6 sin6;
+
+		iter->v6loop = true; /* So we don't loop forever. */
+
+		fd = socket(AF_INET6, SOCK_DGRAM, 0);
+		if (fd == INVALID_SOCKET) {
+			return (ISC_R_IGNORE);
+		}
+		memset(&sin6, 0, sizeof(sin6));
+		sin6.sin6_family = AF_INET6;
+		sin6.sin6_addr.s6_addr[15] = 1;
+		if (bind(fd, (struct sockaddr *)&sin6, sizeof(sin6)) < 0) {
+			closesocket(fd);
+			return (ISC_R_IGNORE);
+		}
+		closesocket(fd);
+
+		iter->current.flags = INTERFACE_F_UP | INTERFACE_F_LOOPBACK;
+		snprintf(iter->current.name, sizeof(iter->current.name),
+			 "TCP/IPv6 Loopback Interface");
+		for (i = 0; i < 16; i++) {
+			if (i != 15) {
+				iter->current.address.type.in6.s6_addr[i] = 0;
+			} else {
+				iter->current.address.type.in6.s6_addr[i] = 1;
+			}
+			iter->current.netmask.type.in6.s6_addr[i] = 0xff;
+		}
+		iter->current.address.family = AF_INET6;
+		iter->current.netmask.family = AF_INET6;
+	}
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Step the iterator to the next interface.  Unlike
+ * isc_interfaceiter_next(), this may leave the iterator
+ * positioned on an interface that will ultimately
+ * be ignored.  Return ISC_R_NOMORE if there are no more
+ * interfaces, otherwise ISC_R_SUCCESS.
+ */
+static isc_result_t
+internal_next(isc_interfaceiter_t *iter) {
+	if (iter->numIF >= iter->v4IF) {
+		return (ISC_R_NOMORE);
+	}
+
+	/*
+	 * The first one needs to be set up to point to the last
+	 * Element of the array.  Go to the end and back up
+	 * Microsoft's implementation is peculiar for returning
+	 * the list in reverse order
+	 */
+
+	if (iter->numIF == 0) {
+		iter->pos4 = (INTERFACE_INFO *)(iter->buf4 + (iter->v4IF));
+	}
+
+	iter->pos4--;
+	if (&(iter->pos4) < &(iter->buf4)) {
+		return (ISC_R_NOMORE);
+	}
+
+	memset(&(iter->IFData), 0, sizeof(INTERFACE_INFO));
+	memmove(&(iter->IFData), iter->pos4, sizeof(INTERFACE_INFO));
+	iter->numIF++;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+internal_next6(isc_interfaceiter_t *iter) {
+	if (iter->pos6 == 0U && iter->v6loop) {
+		return (ISC_R_NOMORE);
+	}
+	if (iter->pos6 != 0U) {
+		iter->pos6--;
+	}
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_interfaceiter_current(isc_interfaceiter_t *iter, isc_interface_t *ifdata) {
+	REQUIRE(iter->result == ISC_R_SUCCESS);
+	memmove(ifdata, &iter->current, sizeof(*ifdata));
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_interfaceiter_first(isc_interfaceiter_t *iter) {
+	REQUIRE(VALID_IFITER(iter));
+
+	if (iter->buf6 != NULL) {
+		iter->pos6 = iter->buf6->iAddressCount;
+		iter->v6loop = false;
+		iter->pos6zero = (iter->pos6 == 0U);
+	}
+	iter->result = ISC_R_SUCCESS;
+	return (isc_interfaceiter_next(iter));
+}
+
+isc_result_t
+isc_interfaceiter_next(isc_interfaceiter_t *iter) {
+	isc_result_t result;
+
+	REQUIRE(VALID_IFITER(iter));
+	REQUIRE(iter->result == ISC_R_SUCCESS);
+
+	for (;;) {
+		result = internal_next(iter);
+		if (result == ISC_R_NOMORE) {
+			result = internal_next6(iter);
+			if (result != ISC_R_SUCCESS) {
+				break;
+			}
+			result = internal_current6(iter);
+			if (result == ISC_R_IGNORE) {
+				continue;
+			}
+			break;
+		} else if (result != ISC_R_SUCCESS) {
+			break;
+		}
+		result = internal_current(iter);
+		if (result != ISC_R_IGNORE) {
+			break;
+		}
+	}
+	iter->result = result;
+	return (result);
+}
+
+void
+isc_interfaceiter_destroy(isc_interfaceiter_t **iterp) {
+	isc_interfaceiter_t *iter;
+	REQUIRE(iterp != NULL);
+	iter = *iterp;
+	*iterp = NULL;
+	REQUIRE(VALID_IFITER(iter));
+
+	if (iter->buf4 != NULL) {
+		isc_mem_put(iter->mctx, iter->buf4, iter->buf4size);
+	}
+	if (iter->buf6 != NULL) {
+		isc_mem_put(iter->mctx, iter->buf6, iter->buf6size);
+	}
+
+	iter->magic = 0;
+	isc_mem_put(iter->mctx, iter, sizeof(*iter));
+}
diff --git a/lib/isc/win32/ipv6.c b/lib/isc/win32/ipv6.c
new file mode 100644
index 0000000..fecec98
--- /dev/null
+++ b/lib/isc/win32/ipv6.c
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <isc/net.h>
+#include <isc/platform.h>
+
+LIBISC_EXTERNAL_DATA const struct in6_addr isc_in6addr_loopback =
+	IN6ADDR_LOOPBACK_INIT;
diff --git a/lib/isc/win32/libgen.h b/lib/isc/win32/libgen.h
new file mode 100644
index 0000000..b04ac37
--- /dev/null
+++ b/lib/isc/win32/libgen.h
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef LIBGEN_H
+#define LIBGEN_H 1
+
+char *
+basename(const char *);
+char *
+dirname(const char *);
+
+#endif /* ifndef LIBGEN_H */
diff --git a/lib/isc/win32/libisc.def.exclude b/lib/isc/win32/libisc.def.exclude
new file mode 100644
index 0000000..d2fe4ec
--- /dev/null
+++ b/lib/isc/win32/libisc.def.exclude
@@ -0,0 +1,42 @@
+; These symbols are not needed by the WIN32 build, but build-tarballs
+; will complain if they aren't present here.
+isc_socket_accept
+isc_socket_attach
+isc_socket_bind
+isc_socket_cancel
+isc_socket_cleanunix
+isc_socket_close
+isc_socket_connect
+isc_socket_create
+isc_socket_detach
+isc_socket_dscp
+isc_socket_dup
+isc_socket_fdwatchcreate
+isc_socket_fdwatchpoke
+isc_socket_filter
+isc_socket_getpeername
+isc_socket_getsockname
+isc_socket_gettype
+isc_socket_ipv6only
+isc_socket_listen
+isc_socket_open
+isc_socket_permunix
+isc_socket_recv
+isc_socket_recv2
+isc_socket_recvv
+isc_socket_register
+isc_socket_send
+isc_socket_sendto
+isc_socket_sendto2
+isc_socket_sendtov
+isc_socket_sendtov2
+isc_socket_sendv
+isc_socketmgr_create
+isc_socketmgr_create2
+isc_socketmgr_destroy
+isc_socketmgr_setstats
+isc_print_fprintf
+isc_print_printf
+isc_print_snprintf
+isc_print_sprintf
+isc_print_vsnprintf
diff --git a/lib/isc/win32/libisc.def.in b/lib/isc/win32/libisc.def.in
new file mode 100644
index 0000000..0ee055d
--- /dev/null
+++ b/lib/isc/win32/libisc.def.in
@@ -0,0 +1,805 @@
+LIBRARY libisc
+
+; Exported Functions
+EXPORTS
+
+NTReportError
+closelog
+@IF PKCS11
+getpassphrase
+@END PKCS11
+isc_app_block
+isc_app_ctxfinish
+isc_app_ctxonrun
+isc_app_ctxrun
+isc_app_ctxshutdown
+isc_app_ctxstart
+isc_app_ctxsuspend
+isc_app_finish
+isc_app_onrun
+isc_app_reload
+isc_app_run
+isc_app_shutdown
+isc_app_start
+isc_app_unblock
+isc_appctx_create
+isc_appctx_destroy
+isc_astack_destroy
+isc_astack_new
+isc_astack_pop
+isc_astack_trypush
+isc__buffer_activeregion
+isc__buffer_add
+isc__buffer_availableregion
+isc__buffer_back
+isc__buffer_clear
+isc__buffer_consumedregion
+isc__buffer_first
+isc__buffer_forward
+isc__buffer_init
+isc__buffer_initnull
+isc__buffer_invalidate
+isc__buffer_putmem
+isc__buffer_putstr
+isc__buffer_putuint16
+isc__buffer_putuint24
+isc__buffer_putuint32
+isc__buffer_putuint48
+isc__buffer_putuint8
+isc__buffer_region
+isc__buffer_remainingregion
+isc__buffer_setactive
+isc__buffer_subtract
+isc__buffer_usedregion
+isc__mem_allocate
+isc__mem_free
+isc__mem_get
+isc__mem_printactive
+isc__mem_put
+isc__mem_putanddetach
+isc__mem_reallocate
+isc__mem_strdup
+isc__mem_strndup
+isc__mempool_get
+isc__mempool_put
+isc__md_md5
+isc__md_sha1
+isc__md_sha224
+isc__md_sha256
+isc__md_sha384
+isc__md_sha512
+isc_socket_accept
+isc_socket_attach
+isc_socket_bind
+isc_socket_cancel
+isc_socket_cleanunix
+isc_socket_close
+isc_socket_connect
+isc_socket_create
+isc_socket_detach
+isc_socket_dscp
+isc_socket_dup
+isc_socket_filter
+isc_socket_getfd
+isc_socket_getname
+isc_socket_getpeername
+isc_socket_getsockname
+isc_socket_gettag
+isc_socket_gettype
+isc_socket_hasreuseport
+isc_socket_ipv6only
+isc_socket_listen
+isc_socket_open
+isc_socket_permunix
+isc_socket_recv
+isc_socket_recv2
+isc_socket_send
+isc_socket_sendto
+isc_socket_sendto2
+isc_socket_setname
+isc_socketmgr_create
+isc_socketmgr_create2
+isc_socketmgr_destroy
+isc_socketmgr_getmaxsockets
+isc_socketmgr_setreserved
+isc_socketmgr_setstats
+isc_aes128_crypt
+isc_aes192_crypt
+isc_aes256_crypt
+isc_app_block
+isc_app_ctxfinish
+isc_app_ctxonrun
+isc_app_ctxrun
+isc_app_ctxshutdown
+isc_app_ctxstart
+isc_app_ctxsuspend
+isc_app_finish
+isc_app_isrunning
+isc_app_onrun
+isc_app_reload
+isc_app_run
+isc_app_shutdown
+isc_app_start
+isc_app_unblock
+isc_appctx_create
+isc_appctx_destroy
+isc_assertion_failed
+isc_assertion_setcallback
+isc_assertion_typetotext
+isc_backtrace_getsymbol
+isc_backtrace_getsymbolfromindex
+isc_backtrace_gettrace
+isc_base32_decoderegion
+isc_base32_decodestring
+isc_base32_tobuffer
+isc_base32_totext
+isc_base32hex_decoderegion
+isc_base32hex_decodestring
+isc_base32hex_tobuffer
+isc_base32hex_totext
+isc_base32hexnp_decoderegion
+isc_base32hexnp_decodestring
+isc_base32hexnp_tobuffer
+isc_base32hexnp_totext
+isc_base64_decodestring
+isc_base64_tobuffer
+isc_base64_totext
+isc_buffer_allocate
+isc_buffer_compact
+isc_buffer_copyregion
+isc_buffer_dup
+isc_buffer_free
+isc_buffer_getuint16
+isc_buffer_getuint32
+isc_buffer_getuint48
+isc_buffer_getuint8
+isc_buffer_printf
+isc_buffer_putdecint
+isc_buffer_reinit
+isc_buffer_reserve
+isc_buffer_setautorealloc
+isc_bufferlist_availablecount
+isc_bufferlist_usedcount
+isc_commandline_parse
+isc_commandline_strtoargv
+isc_condition_broadcast
+isc_condition_destroy
+isc_condition_init
+isc_condition_signal
+isc_condition_wait
+isc_condition_waituntil
+isc_counter_attach
+isc_counter_create
+isc_counter_detach
+isc_counter_increment
+isc_counter_setlimit
+isc_counter_used
+isc_crc64_final
+isc_crc64_init
+isc_crc64_update
+isc_dir_chdir
+isc_dir_chroot
+isc_dir_close
+isc_dir_createunique
+isc_dir_init
+isc_dir_open
+isc_dir_read
+isc_dir_reset
+isc_enable_constructors
+isc_entropy_get
+isc_errno_toresult
+isc_error_fatal
+isc_error_runtimecheck
+isc_error_setfatal
+isc_error_setunexpected
+isc_error_unexpected
+isc_event_allocate
+isc_event_constallocate
+isc_event_free
+isc_file_absolutepath
+isc_file_basename
+isc_file_bopenunique
+isc_file_bopenuniquemode
+isc_file_bopenuniqueprivate
+isc_file_exists
+isc_file_getmodtime
+isc_file_getsize
+isc_file_getsizefd
+isc_file_isabsolute
+isc_file_ischdiridempotent
+isc_file_iscurrentdir
+isc_file_isdirectory
+isc_file_isdirwritable
+isc_file_isplainfile
+isc_file_isplainfilefd
+isc_file_mktemplate
+isc_file_mmap
+isc_file_mode
+isc_file_munmap
+isc_file_openunique
+isc_file_openuniquemode
+isc_file_openuniqueprivate
+isc_file_progname
+isc_file_remove
+isc_file_rename
+isc_file_renameunique
+isc_file_safecreate
+isc_file_safemovefile
+isc_file_sanitize
+isc_file_settime
+isc_file_splitpath
+isc_file_template
+isc_file_truncate
+isc_fsaccess_add
+isc_fsaccess_changeowner
+isc_fsaccess_remove
+isc_fsaccess_set
+isc_hash32
+isc_hash64
+isc_hash_get_initializer
+isc_hash_set_initializer
+isc_heap_create
+isc_heap_decreased
+isc_heap_delete
+isc_heap_destroy
+isc_heap_foreach
+isc_heap_element
+isc_heap_increased
+isc_heap_insert
+isc_hex_decodestring
+isc_hex_tobuffer
+isc_hex_totext
+isc_hmac
+isc_hmac_new
+isc_hmac_free
+isc_hmac_init
+isc_hmac_reset
+isc_hmac_update
+isc_hmac_final
+isc_hmac_get_md_type
+isc_hmac_get_size
+isc_hmac_get_block_size
+isc_ht_add
+isc_ht_count
+isc_ht_delete
+isc_ht_destroy
+isc_ht_find
+isc_ht_init
+isc_ht_iter_create
+isc_ht_iter_current
+isc_ht_iter_currentkey
+isc_ht_iter_delcurrent_next
+isc_ht_iter_destroy
+isc_ht_iter_first
+isc_ht_iter_next
+isc_httpd_addheader
+isc_httpd_addheaderuint
+isc_httpd_endheaders
+isc_httpd_response
+isc_httpd_setfinishhook
+isc_httpdmgr_addurl
+isc_httpdmgr_addurl2
+isc_httpdmgr_create
+isc_httpdmgr_shutdown
+isc_interfaceiter_create
+isc_interfaceiter_current
+isc_interfaceiter_destroy
+isc_interfaceiter_first
+isc_interfaceiter_next
+isc_interval_iszero
+isc_interval_set
+isc_iterated_hash
+isc_lex_close
+isc_lex_create
+isc_lex_destroy
+isc_lex_getcomments
+isc_lex_getlasttokentext
+isc_lex_getmastertoken
+isc_lex_getoctaltoken
+isc_lex_getsourceline
+isc_lex_getsourcename
+isc_lex_getspecials
+isc_lex_gettoken
+isc_lex_isfile
+isc_lex_openbuffer
+isc_lex_openfile
+isc_lex_openstream
+isc_lex_setcomments
+isc_lex_setsourceline
+isc_lex_setsourcename
+isc_lex_setspecials
+isc_lex_ungettoken
+isc_lfsr_generate
+isc_lfsr_generate32
+isc_lfsr_init
+isc_lfsr_skip
+isc_lib_ntservice
+isc_lib_register
+isc_log_categorybyname
+isc_log_closefilelogs
+isc_log_create
+isc_log_createchannel
+isc_log_destroy
+isc_log_getdebuglevel
+isc_log_getduplicateinterval
+isc_log_gettag
+isc_log_modulebyname
+isc_log_opensyslog
+isc_log_registercategories
+isc_log_registermodules
+isc_log_setcontext
+isc_log_setdebuglevel
+isc_log_setduplicateinterval
+isc_log_settag
+isc_log_usechannel
+isc_log_vwrite
+isc_log_vwrite1
+isc_log_wouldlog
+isc_log_write
+isc_log_write1
+isc_logconfig_create
+isc_logconfig_destroy
+isc_logconfig_use
+isc_logfile_roll
+isc_managers_create
+isc_managers_destroy
+isc_md_new
+isc_md_init
+isc_md_reset
+isc_md_update
+isc_md_final
+isc_md_free
+isc_md_get_md_type
+isc_md_get_size
+isc_md_get_block_size
+isc_md_type_get_size
+isc_md_type_get_block_size
+isc_md
+isc__mem_checkdestroyed
+isc__mem_initialize
+isc__mem_shutdown
+isc_mem_attach
+isc_mem_checkdestroyed
+isc_mem_create
+isc_mem_destroy
+isc_mem_detach
+isc_mem_getname
+isc_mem_gettag
+isc_mem_inuse
+isc_mem_isovermem
+isc_mem_maxinuse
+isc_mem_references
+@IF NOTYET
+isc_mem_renderjson
+@END NOTYET
+@IF LIBXML2
+isc_mem_renderxml
+@END LIBXML2
+isc_mem_setdestroycheck
+isc_mem_setname
+isc_mem_setwater
+isc_mem_stats
+isc_mem_total
+isc_mem_waterack
+isc_meminfo_totalphys
+isc_mempool_create
+isc_mempool_destroy
+isc_mempool_getallocated
+isc_mempool_getfillcount
+isc_mempool_getfreecount
+isc_mempool_getfreemax
+isc_mempool_getmaxalloc
+isc_mempool_setfillcount
+isc_mempool_setfreemax
+isc_mempool_setmaxalloc
+isc_mempool_setname
+isc_mutexblock_destroy
+isc_mutexblock_init
+isc_net_disableipv4
+isc_net_disableipv6
+isc_net_enableipv4
+isc_net_enableipv6
+isc_net_getudpportrange
+isc_net_probe_ipv6only
+isc_net_probe_ipv6pktinfo
+isc_net_probedscp
+isc_net_probeipv4
+isc_net_probeipv6
+isc_net_probeunix
+isc_netaddr_any
+isc_netaddr_any6
+isc_netaddr_eqprefix
+isc_netaddr_equal
+isc_netaddr_format
+isc_netaddr_fromin
+isc_netaddr_fromin6
+isc_netaddr_frompath
+isc_netaddr_fromsockaddr
+isc_netaddr_fromv4mapped
+isc_netaddr_getzone
+isc_netaddr_isexperimental
+isc_netaddr_islinklocal
+isc_netaddr_isloopback
+isc_netaddr_ismulticast
+isc_netaddr_isnetzero
+isc_netaddr_issitelocal
+isc_netaddr_masktoprefixlen
+isc_netaddr_prefixok
+isc_netaddr_setzone
+isc_netaddr_totext
+isc_netaddr_unspec
+isc_netscope_pton
+isc__nmhandle_attach
+isc__nmhandle_detach
+isc_nmhandle_cleartimeout
+isc_nmhandle_getdata
+isc_nmhandle_getextra
+isc_nmhandle_is_stream
+isc_nmhandle_keepalive
+isc_nmhandle_netmgr
+isc_nmhandle_localaddr
+isc_nmhandle_peeraddr
+isc_nmhandle_setdata
+isc_nmhandle_settimeout
+isc_nmhandle_setwritetimeout
+isc_nm_attach
+isc_nm_cancelread
+isc_nm_detach
+isc_nm_getloadbalancesockets
+isc_nm_gettimeouts
+isc_nm_listentcp
+isc_nm_listentcpdns
+isc_nm_listenudp
+isc_nm_maxudp
+isc_nm_pause
+isc_nm_pauseread
+isc_nm_read
+isc_nm_resume
+isc_nm_resumeread
+isc_nm_send
+isc_nm_setloadbalancesockets
+isc_nm_setstats
+isc_nm_settimeouts
+isc_nm_stoplistening
+isc_nm_task_enqueue
+isc_nm_tcpconnect
+isc_nm_tcpdnsconnect
+isc_nm_tcpdns_sequential
+isc_nm_tid
+isc_nm_timer_create
+isc_nm_timer_attach
+isc_nm_timer_detach
+isc_nm_timer_start
+isc_nm_timer_stop
+isc_nm_udpconnect
+isc_nm_work_offload
+isc_nmsocket_close
+isc__nm_acquire_interlocked
+isc__nm_drop_interlocked
+isc__nm_acquire_interlocked_force
+isc_nonce_buf
+isc_ntpaths_get
+isc_ntpaths_init
+isc_once_do
+isc_os_ncpus
+isc_parse_uint16
+isc_parse_uint32
+isc_parse_uint8
+isc_pool_count
+isc_pool_create
+isc_pool_destroy
+isc_pool_expand
+isc_pool_get
+isc_portset_add
+isc_portset_addrange
+isc_portset_create
+isc_portset_destroy
+isc_portset_isset
+isc_portset_nports
+isc_portset_remove
+isc_portset_removerange
+isc_quota_attach
+isc_quota_attach_cb
+isc_quota_cb_init
+isc_quota_destroy
+isc_quota_detach
+isc_quota_getmax
+isc_quota_getsoft
+isc_quota_getused
+isc_quota_init
+isc_quota_max
+isc_quota_soft
+isc_radix_create
+isc_radix_destroy
+isc_radix_insert
+isc_radix_process
+isc_radix_remove
+isc_radix_search
+isc_random8
+isc_random16
+isc_random32
+isc_random_buf
+isc_random_uniform
+isc_ratelimiter_attach
+isc_ratelimiter_create
+isc_ratelimiter_dequeue
+isc_ratelimiter_detach
+isc_ratelimiter_enqueue
+isc_ratelimiter_release
+isc_ratelimiter_setinterval
+isc_ratelimiter_setpertic
+isc_ratelimiter_setpushpop
+isc_ratelimiter_shutdown
+isc_ratelimiter_stall
+isc_regex_validate
+isc_region_compare
+isc_resource_getcurlimit
+isc_resource_getlimit
+isc_resource_setlimit
+isc_result_register
+isc_result_registerids
+isc_result_toid
+isc_result_totext
+isc_rwlock_destroy
+isc_rwlock_downgrade
+isc_rwlock_init
+isc_rwlock_lock
+isc_rwlock_trylock
+isc_rwlock_tryupgrade
+isc_rwlock_unlock
+isc_safe_memequal
+isc_safe_memwipe
+isc_serial_eq
+isc_serial_ge
+isc_serial_gt
+isc_serial_le
+isc_serial_lt
+isc_serial_ne
+isc_halfsiphash24
+isc_siphash24
+isc_sockaddr_any
+isc_sockaddr_any6
+isc_sockaddr_anyofpf
+isc_sockaddr_compare
+isc_sockaddr_eqaddr
+isc_sockaddr_eqaddrprefix
+isc_sockaddr_equal
+isc_sockaddr_format
+isc_sockaddr_fromin
+isc_sockaddr_fromin6
+isc_sockaddr_fromnetaddr
+isc_sockaddr_frompath
+isc_sockaddr_fromsockaddr
+isc_sockaddr_getport
+isc_sockaddr_hash
+isc_sockaddr_isexperimental
+isc_sockaddr_islinklocal
+isc_sockaddr_ismulticast
+isc_sockaddr_isnetzero
+isc_sockaddr_issitelocal
+isc_sockaddr_pf
+isc_sockaddr_setport
+isc_sockaddr_totext
+isc_sockaddr_v6fromin
+isc_socket_socketevent
+isc_socketmgr_maxudp
+@IF NOTYET
+isc_socketmgr_renderjson
+@END NOTYET
+@IF LIBXML2
+isc_socketmgr_renderxml
+@END LIBXML2
+isc_stats_attach
+isc_stats_create
+isc_stats_decrement
+isc_stats_detach
+isc_stats_dump
+isc_stats_get_counter
+isc_stats_increment
+isc_stats_ncounters
+isc_stats_resize
+isc_stats_set
+isc_stats_update_if_greater
+isc_stdio_close
+isc_stdio_flush
+isc_stdio_open
+isc_stdio_read
+isc_stdio_seek
+isc_stdio_sync
+isc_stdio_tell
+isc_stdio_write
+isc_stdtime_get
+isc_stdtime_tostring
+isc_string_strerror_r
+isc_symtab_count
+isc_symtab_create
+isc_symtab_define
+isc_symtab_destroy
+isc_symtab_lookup
+isc_symtab_undefine
+isc_syslog_facilityfromstring
+isc_task_attach
+isc_task_beginexclusive
+isc_task_create
+isc_task_create_bound
+isc_task_destroy
+isc_task_detach
+isc_task_endexclusive
+isc_task_exiting
+isc_task_getname
+isc_task_unsendrange
+isc_task_getcurrenttime
+isc_task_getcurrenttimex
+isc_task_getnetmgr
+isc_task_getprivilege
+isc_task_gettag
+isc_task_onshutdown
+isc_task_pause
+isc_task_privileged
+isc_task_purge
+isc_task_purgeevent
+isc_task_purgerange
+isc_task_ready
+isc_task_run
+isc_task_send
+isc_task_sendanddetach
+isc_task_sendto
+isc_task_sendtoanddetach
+isc_task_setname
+isc_task_setprivilege
+isc_task_setquantum
+isc_task_shutdown
+isc_task_unpause
+isc_task_unsend
+isc_taskmgr_attach
+isc_taskmgr_detach
+isc_taskmgr_excltask
+isc_taskmgr_mode
+@IF NOTYET
+isc_taskmgr_renderjson
+@END NOTYET
+@IF LIBXML2
+isc_taskmgr_renderxml
+@END LIBXML2
+isc_taskmgr_setexcltask
+isc_taskmgr_setmode
+isc_taskpool_create
+isc_taskpool_destroy
+isc_taskpool_expand
+isc_taskpool_gettask
+isc_taskpool_size
+isc_thread_create
+isc_thread_join
+isc_thread_setaffinity
+isc_thread_setconcurrency
+isc_thread_setname
+gmtime_r
+localtime_r
+nanosleep
+usleep
+isc_time_add
+isc_time_compare
+isc_time_formatISO8601
+isc_time_formatISO8601L
+isc_time_formatISO8601Lms
+isc_time_formatISO8601Lus
+isc_time_formatISO8601ms
+isc_time_formatISO8601us
+isc_time_formathttptimestamp
+isc_time_formatshorttimestamp
+isc_time_formattimestamp
+isc_time_isepoch
+isc_time_microdiff
+isc_time_nanoseconds
+isc_time_now
+isc_time_now_hires
+isc_time_nowplusinterval
+isc_time_parsehttptimestamp
+isc_time_secondsastimet
+isc_time_seconds
+isc_time_set
+isc_time_settoepoch
+isc_time_subtract
+isc_timer_create
+isc_timer_destroy
+isc_timer_gettype
+isc_timer_reset
+isc_timer_touch
+isc_timermgr_create
+isc_timermgr_destroy
+isc_timermgr_poke
+isc__tls_initialize
+isc__tls_shutdown
+isc__trampoline_initialize
+isc__trampoline_shutdown
+isc__trampoline_get
+isc__trampoline_run
+isc_tm_timegm
+isc_tm_strptime
+isc_url_parse
+isc_utf8_bom
+isc_utf8_valid
+isc_win32os_versioncheck
+openlog
+@IF PKCS11
+pk11_attribute_bytype
+pk11_attribute_first
+pk11_attribute_next
+pk11_dump_tokens
+pk11_error_fatalcheck
+pk11_finalize
+pk11_get_best_token
+pk11_get_lib_name
+pk11_get_load_error_message
+pk11_get_session
+pk11_initialize
+pk11_mem_get
+pk11_mem_put
+pk11_numbits
+pk11_parse_uri
+pk11_result_register
+pk11_result_totext
+pk11_return_session
+pk11_set_lib_name
+pkcs_C_CloseSession
+pkcs_C_CreateObject
+pkcs_C_DeriveKey
+pkcs_C_DestroyObject
+pkcs_C_DigestFinal
+pkcs_C_DigestInit
+pkcs_C_DigestUpdate
+pkcs_C_Encrypt
+pkcs_C_EncryptInit
+pkcs_C_Finalize
+pkcs_C_FindObjects
+pkcs_C_FindObjectsFinal
+pkcs_C_FindObjectsInit
+pkcs_C_GenerateKey
+pkcs_C_GenerateKeyPair
+pkcs_C_GenerateRandom
+pkcs_C_GetAttributeValue
+pkcs_C_GetMechanismInfo
+pkcs_C_GetSlotList
+pkcs_C_GetTokenInfo
+pkcs_C_Initialize
+pkcs_C_Login
+pkcs_C_Logout
+pkcs_C_OpenSession
+pkcs_C_SeedRandom
+pkcs_C_SetAttributeValue
+pkcs_C_Sign
+pkcs_C_SignFinal
+pkcs_C_SignInit
+pkcs_C_SignUpdate
+pkcs_C_Verify
+pkcs_C_VerifyFinal
+pkcs_C_VerifyInit
+pkcs_C_VerifyUpdate
+@END PKCS11
+strlcat
+strlcpy
+strnstr
+syslog
+
+@IF NOLONGER
+; Exported Data
+
+EXPORTS
+
+isc__backtrace_nsymbols		DATA
+isc__backtrace_symtable		DATA
+isc_bind9			DATA
+isc_commandline_argument	DATA
+isc_commandline_errprint	DATA
+isc_commandline_index		DATA
+isc_commandline_option		DATA
+isc_commandline_progname	DATA
+isc_commandline_reset		DATA
+isc_dscp_check_value		DATA
+isc_hashctx			DATA
+isc_mem_debugging		DATA
+isc_tid_v			DATA
+@IF PKCS11
+pk11_verbose_init		DATA
+@END PKCS11
+@END NOLONGER
diff --git a/lib/isc/win32/libisc.vcxproj.filters.in b/lib/isc/win32/libisc.vcxproj.filters.in
new file mode 100644
index 0000000..75a4c80
--- /dev/null
+++ b/lib/isc/win32/libisc.vcxproj.filters.in
@@ -0,0 +1,671 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Library Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Win32 Source Files">
+      <UniqueIdentifier>{289562c2-1bdd-4582-b6bd-3f598ee23cbd}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Win32 Header Files">
+      <UniqueIdentifier>{d03c3e6a-e78e-4a01-bd77-64c839b1adfe}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Library Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="libisc.def" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\include\isc\aes.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\app.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\assertions.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\astack.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\atomic.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\backtrace.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\barrier.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\base32.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\base64.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\bind9.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\boolean.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\buffer.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\bufferlist.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\commandline.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\counter.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\crc64.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\endian.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\errno.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\error.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\event.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\eventclass.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\file.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\formatcheck.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\fsaccess.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\hash.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\heap.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\hex.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\hmac.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\ht.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\httpd.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\interfaceiter.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\iterated_hash.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\json.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\lang.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\lex.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\lfsr.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\lib.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\list.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\log.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\magic.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\managers.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\mem.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\meminfo.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\mutexblock.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\netaddr.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\netscope.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\nonce.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\os.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\parseint.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\pool.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\portset.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\print.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\quota.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\radix.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\random.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\ratelimiter.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\refcount.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\regex.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\region.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\resource.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\result.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\resultclass.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\rwlock.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\safe.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\serial.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\siphash.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\sockaddr.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\socket.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\stats.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\stdio.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\stdlib.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\strerr.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\string.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\symtab.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\task.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\taskpool.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\timer.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\tm.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\types.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\url.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\utf8.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\util.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\version.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+@IF PKCS11
+    <ClInclude Include="..\include\pk11\constants.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\pk11\internal.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\pk11\pk11.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\pk11\result.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\pkcs11\pkcs11.h">
+      <Filter>Pkcs11 Header Files</Filter>
+    </ClInclude>
+@END PKCS11
+    <ClInclude Include="include\isc\bind_registry.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="include\isc\bindevt.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="include\isc\condition.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="include\isc\dir.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="include\isc\ipv6.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="include\isc\mutex.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="include\isc\net.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="include\isc\netdb.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="include\isc\ntgroups.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="include\isc\ntpaths.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="include\isc\offset.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="include\isc\once.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="include\isc\platform.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="include\isc\stat.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="include\isc\stdatomic.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="include\isc\stdtime.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="include\isc\strerror.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="include\isc\syslog.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="include\isc\thread.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="include\isc\time.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="include\isc\win32os.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\entropy_private.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\netmgr_p.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\openssl_shim.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\trampoline_p.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="errno2result.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="syslog.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="unistd.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\config.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\versions.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="condition.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="dir.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="DLLMain.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="errno.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="errno2result.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="file.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="fsaccess.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="interfaceiter.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="ipv6.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="meminfo.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="net.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="ntpaths.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="once.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="os.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="resource.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="socket.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="stdio.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="stdtime.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="syslog.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="thread.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="time.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="version.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="win32os.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+@IF PKCS11
+    <ClCompile Include="pk11_api.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+@END PKCS11
+    <ClCompile Include="..\aes.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\app.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\assertions.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\astack.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\backtrace.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\backtrace-emptytbl.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\base32.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\base64.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\bind9.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\buffer.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\bufferlist.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\commandline.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\counter.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\crc64.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\error.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\event.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\entropy.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\hash.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\heap.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\hex.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\hmac.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\ht.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\httpd.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\iterated_hash.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\lex.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\lfsr.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\lib.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\log.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\managers.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\mem.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\mutexblock.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\netaddr.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\netmgr\netmgr.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\netmgr\tcp.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\netmgr\udp.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\netmgr\uverr2result.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\netmgr\uv-compat.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\netmgr\tcpdns.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\netscope.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\nonce.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\openssl_shim.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\parseint.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\pool.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\portset.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\quota.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\radix.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\random.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\ratelimiter.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\regex.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\region.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\result.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\rwlock.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\safe.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\serial.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\siphash.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\sockaddr.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\stats.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\string.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\symtab.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\task.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\taskpool.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\timer.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\tls.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\trampoline.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\tm.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\url.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\utf8.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+@IF PKCS11
+    <ClCompile Include="..\pk11.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\pk11_result.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+@END PKCS11
+  </ItemGroup>
+</Project>
diff --git a/lib/isc/win32/libisc.vcxproj.in b/lib/isc/win32/libisc.vcxproj.in
new file mode 100644
index 0000000..8fd9381
--- /dev/null
+++ b/lib/isc/win32/libisc.vcxproj.in
@@ -0,0 +1,483 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{3840E563-D180-4761-AA9C-E6155F02EAFF}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>libisc</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+@IF PKCS11
+      <PreprocessorDefinitions>BIND9;@PK11_LIB_LOCATION@WIN32;_DEBUG;_WINDOWS;_USRDLL;LIBISC_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@LIBUV_INC@@OPENSSL_INC@@ZLIB_INC@include;..\include;..\;win32;..\..\isccfg\include;..\..\dns\win32\include;..\..\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+@ELSE PKCS11
+      <PreprocessorDefinitions>BIND9;WIN32;_DEBUG;_WINDOWS;_USRDLL;LIBISC_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@LIBUV_INC@@OPENSSL_INC@@ZLIB_INC@include;..\include;..\;win32;..\..\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+@END PKCS11
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@@LIBUV_LIB@@LIBXML2_LIB@@ZLIB_LIB@ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <ModuleDefinitionFile>$(ProjectName).def</ModuleDefinitionFile>
+      <ImportLibrary>.\$(Configuration)\$(ProjectName).lib</ImportLibrary>
+    </Link>
+    <PreBuildEvent>
+      <Command>cd ..\..\..\win32utils
+
+if NOT Exist ..\Build mkdir ..\Build
+if NOT Exist ..\Build\Debug mkdir ..\Build\Debug
+
+echo Copying documentation.
+
+copy ..\*.md ..\Build\Debug
+copy ..\CHANGES* ..\Build\Debug
+copy ..\COPYRIGHT ..\Build\Debug
+copy ..\LICENSE ..\Build\Debug
+
+echo Copying COPYRIGHT notice.
+
+copy ..\COPYRIGHT ..\Build\Debug
+
+echo Copying the OpenSSL DLL and LICENSE.
+
+copy @OPENSSL_DLLCRYPTO@ ..\Build\Debug\
+copy @OPENSSL_DLLSSL@ ..\Build\Debug\
+copy @OPENSSL_PATH@\LICENSE ..\Build\Debug\OpenSSL-LICENSE
+
+echo Copying libuv DLL.
+copy @LIBUV_DLL@ ..\Build\Debug\
+
+@IF LIBXML2
+echo Copying the libxml DLL.
+
+copy @LIBXML2_DLL@ ..\Build\Debug\
+@END LIBXML2
+
+@IF GSSAPI
+echo Copying the GSSAPI and KRB5 DLLs.
+
+copy @GSSAPI_DLL@ ..\Build\Debug\
+copy @KRB5_DLL@ ..\Build\Debug\
+copy @COMERR_DLL@ ..\Build\Debug\
+copy @K5SPRT_DLL@ ..\Build\Debug\
+copy @WSHELP_DLL@ ..\Build\Debug\
+@END GSSAPI
+
+@IF IDNKIT
+echo Copying the IDN kit DLL.
+
+copy @IDN_DLL@ ..\Build\Debug\
+copy @ICONV_DLL@ ..\Build\Debug\
+@END IDNKIT
+
+@IF ZLIB
+echo Copying the zlib DLL.
+
+copy @ZLIB_DLL@	..\Build\Debug\
+@END ZLIB
+
+echo Copying Visual C x86 Redistributable Installer.
+
+copy /Y @VCREDIST_PATH@	..\Build\Debug\
+
+echo Copying install files (flags and file list).
+
+copy InstallFlags ..\Build\Debug\
+copy InstallFiles ..\Build\Debug\
+
+</Command>
+    </PreBuildEvent>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+@IF PKCS11
+      <PreprocessorDefinitions>BIND9;@PK11_LIB_LOCATION@WIN32;NDEBUG;_WINDOWS;_USRDLL;LIBISC_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@LIBUV_INC@@OPENSSL_INC@@ZLIB_INC@include;..\include;..\;win32;..\..\isccfg\include;..\..\dns\win32\include;..\..\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+@ELSE PKCS11
+      <PreprocessorDefinitions>BIND9;WIN32;_DEBUG;_WINDOWS;_USRDLL;LIBISC_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@LIBUV_INC@@OPENSSL_INC@@ZLIB_INC@include;..\include;..\;win32;..\..\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+@END PKCS11
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@@LIBUV_LIB@@LIBXML2_LIB@@ZLIB_LIB@ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <ModuleDefinitionFile>$(ProjectName).def</ModuleDefinitionFile>
+      <ImportLibrary>.\$(Configuration)\$(ProjectName).lib</ImportLibrary>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+    </Link>
+    <PreBuildEvent>
+      <Command>cd ..\..\..\win32utils
+
+if NOT Exist ..\Build mkdir ..\Build
+if NOT Exist ..\Build\Release mkdir ..\Build\Release
+
+echo Copying documentation.
+
+copy ..\*.md ..\Build\Release
+copy ..\CHANGES* ..\Build\Release
+copy ..\COPYRIGHT ..\Build\Release
+copy ..\LICENSE ..\Build\Release
+
+echo Copying the OpenSSL DLL and LICENSE.
+
+copy @OPENSSL_DLLCRYPTO@ ..\Build\Release\
+copy @OPENSSL_DLLSSL@ ..\Build\Release\
+copy @OPENSSL_PATH@\LICENSE ..\Build\Release\OpenSSL-LICENSE
+
+echo Copying libuv DLL.
+copy @LIBUV_DLL@ ..\Build\Release\
+
+@IF LIBXML2
+echo Copying the libxml DLL.
+
+copy @LIBXML2_DLL@ ..\Build\Release\
+@END LIBXML2
+
+@IF GSSAPI
+echo Copying the GSSAPI and KRB5 DLLs.
+
+copy @GSSAPI_DLL@ ..\Build\Release\
+copy @KRB5_DLL@ ..\Build\Release\
+copy @COMERR_DLL@ ..\Build\Release\
+copy @K5SPRT_DLL@ ..\Build\Release\
+copy @WSHELP_DLL@ ..\Build\Release\
+@END GSSAPI
+
+@IF IDNKIT
+echo Copying the IDN kit DLL.
+
+copy @IDN_DLL@ ..\Build\Release\
+copy @ICONV_DLL@ ..\Build\Release\
+@END IDNKIT
+
+@IF ZLIB
+echo Copying the zlib DLL.
+
+copy @ZLIB_DLL@ ..\Build\Release\
+@END ZLIB
+
+echo Copying Visual C x86 Redistributable Installer.
+
+copy /Y @VCREDIST_PATH@ ..\Build\Release\
+
+echo Copying install files (flags and file list).
+
+copy InstallFlags ..\Build\Release\
+copy InstallFiles ..\Build\Release\
+
+</Command>
+    </PreBuildEvent>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <None Include="libisc.def" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\..\..\config.h" />
+    <ClInclude Include="..\include\isc\aes.h" />
+    <ClInclude Include="..\include\isc\app.h" />
+    <ClInclude Include="..\include\isc\assertions.h" />
+    <ClInclude Include="..\include\isc\astack.h" />
+    <ClInclude Include="..\include\isc\atomic.h" />
+    <ClInclude Include="..\include\isc\backtrace.h" />
+    <ClInclude Include="..\include\isc\barrier.h" />
+    <ClInclude Include="..\include\isc\base32.h" />
+    <ClInclude Include="..\include\isc\base64.h" />
+    <ClInclude Include="..\include\isc\bind9.h" />
+    <ClInclude Include="..\include\isc\boolean.h" />
+    <ClInclude Include="..\include\isc\buffer.h" />
+    <ClInclude Include="..\include\isc\bufferlist.h" />
+    <ClInclude Include="..\include\isc\commandline.h" />
+    <ClInclude Include="..\include\isc\counter.h" />
+    <ClInclude Include="..\include\isc\crc64.h" />
+    <ClInclude Include="..\include\isc\endian.h" />
+    <ClInclude Include="..\include\isc\errno.h" />
+    <ClInclude Include="..\include\isc\error.h" />
+    <ClInclude Include="..\include\isc\event.h" />
+    <ClInclude Include="..\include\isc\eventclass.h" />
+    <ClInclude Include="..\include\isc\file.h" />
+    <ClInclude Include="..\include\isc\formatcheck.h" />
+    <ClInclude Include="..\include\isc\fsaccess.h" />
+    <ClInclude Include="..\include\isc\hash.h" />
+    <ClInclude Include="..\include\isc\heap.h" />
+    <ClInclude Include="..\include\isc\hex.h" />
+    <ClInclude Include="..\include\isc\hmac.h" />
+    <ClInclude Include="..\include\isc\ht.h" />
+    <ClInclude Include="..\include\isc\httpd.h" />
+    <ClInclude Include="..\include\isc\interfaceiter.h" />
+    <ClInclude Include="..\include\isc\iterated_hash.h" />
+    <ClInclude Include="..\include\isc\json.h" />
+    <ClInclude Include="..\include\isc\lang.h" />
+    <ClInclude Include="..\include\isc\lex.h" />
+    <ClInclude Include="..\include\isc\lfsr.h" />
+    <ClInclude Include="..\include\isc\lib.h" />
+    <ClInclude Include="..\include\isc\list.h" />
+    <ClInclude Include="..\include\isc\log.h" />
+    <ClInclude Include="..\include\isc\magic.h" />
+    <ClInclude Include="..\include\isc\managers.h" />
+    <ClInclude Include="..\include\isc\md.h" />
+    <ClInclude Include="..\include\isc\mem.h" />
+    <ClInclude Include="..\include\isc\meminfo.h" />
+    <ClInclude Include="..\include\isc\mutexblock.h" />
+    <ClInclude Include="..\include\isc\netaddr.h" />
+    <ClInclude Include="..\include\isc\netscope.h" />
+    <ClInclude Include="..\include\isc\nonce.h" />
+    <ClInclude Include="..\include\isc\os.h" />
+    <ClInclude Include="..\include\isc\parseint.h" />
+    <ClInclude Include="..\include\isc\pool.h" />
+    <ClInclude Include="..\include\isc\portset.h" />
+    <ClInclude Include="..\include\isc\print.h" />
+    <ClInclude Include="..\include\isc\quota.h" />
+    <ClInclude Include="..\include\isc\radix.h" />
+    <ClInclude Include="..\include\isc\random.h" />
+    <ClInclude Include="..\include\isc\ratelimiter.h" />
+    <ClInclude Include="..\include\isc\refcount.h" />
+    <ClInclude Include="..\include\isc\regex.h" />
+    <ClInclude Include="..\include\isc\region.h" />
+    <ClInclude Include="..\include\isc\resource.h" />
+    <ClInclude Include="..\include\isc\result.h" />
+    <ClInclude Include="..\include\isc\resultclass.h" />
+    <ClInclude Include="..\include\isc\rwlock.h" />
+    <ClInclude Include="..\include\isc\safe.h" />
+    <ClInclude Include="..\include\isc\serial.h" />
+    <ClInclude Include="..\include\isc\siphash.h" />
+    <ClInclude Include="..\include\isc\sockaddr.h" />
+    <ClInclude Include="..\include\isc\socket.h" />
+    <ClInclude Include="..\include\isc\stats.h" />
+    <ClInclude Include="..\include\isc\stdio.h" />
+    <ClInclude Include="..\include\isc\stdlib.h" />
+    <ClInclude Include="..\include\isc\strerr.h" />
+    <ClInclude Include="..\include\isc\string.h" />
+    <ClInclude Include="..\include\isc\symtab.h" />
+    <ClInclude Include="..\include\isc\task.h" />
+    <ClInclude Include="..\include\isc\taskpool.h" />
+    <ClInclude Include="..\include\isc\timer.h" />
+    <ClInclude Include="..\include\isc\tm.h" />
+    <ClInclude Include="..\include\isc\types.h" />
+    <ClInclude Include="..\include\isc\utf8.h" />
+    <ClInclude Include="..\include\isc\util.h" />
+    <ClInclude Include="..\include\isc\version.h" />
+@IF PKCS11
+    <ClInclude Include="..\include\pk11\constants.h" />
+    <ClInclude Include="..\include\pk11\internal.h" />
+    <ClInclude Include="..\include\pk11\pk11.h" />
+    <ClInclude Include="..\include\pk11\result.h" />
+    <ClInclude Include="..\include\pkcs11\pkcs11.h" />
+@END PKCS11
+    <ClInclude Include="errno2result.h" />
+    <ClInclude Include="include\isc\bindevt.h" />
+    <ClInclude Include="include\isc\bind_registry.h" />
+    <ClInclude Include="include\isc\condition.h" />
+    <ClInclude Include="include\isc\dir.h" />
+    <ClInclude Include="include\isc\ipv6.h" />
+    <ClInclude Include="include\isc\mutex.h" />
+    <ClInclude Include="include\isc\net.h" />
+    <ClInclude Include="include\isc\netdb.h" />
+    <ClInclude Include="include\isc\ntgroups.h" />
+    <ClInclude Include="include\isc\ntpaths.h" />
+    <ClInclude Include="include\isc\offset.h" />
+    <ClInclude Include="include\isc\once.h" />
+    <ClInclude Include="include\isc\platform.h" />
+    <ClInclude Include="include\isc\stat.h" />
+    <ClInclude Include="include\isc\stdatomic.h" />
+    <ClInclude Include="include\isc\stdtime.h" />
+    <ClInclude Include="include\isc\strerror.h" />
+    <ClInclude Include="include\isc\syslog.h" />
+    <ClInclude Include="include\isc\thread.h" />
+    <ClInclude Include="include\isc\time.h" />
+    <ClInclude Include="include\isc\win32os.h" />
+    <ClInclude Include="..\entropy_private.h" />
+    <ClInclude Include="..\netmgr_p.h" />
+    <ClInclude Include="..\openssl_shim.h" />
+    <ClInclude Include="..\trampoline_p.h" />
+    <ClInclude Include="syslog.h" />
+    <ClInclude Include="unistd.h" />
+    <ClInclude Include="..\..\versions.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\aes.c" />
+    <ClCompile Include="..\app.c" />
+    <ClCompile Include="..\assertions.c" />
+    <ClCompile Include="..\astack.c" />
+    <ClCompile Include="..\backtrace-emptytbl.c" />
+    <ClCompile Include="..\backtrace.c" />
+    <ClCompile Include="..\base32.c" />
+    <ClCompile Include="..\base64.c" />
+    <ClCompile Include="..\bind9.c" />
+    <ClCompile Include="..\buffer.c" />
+    <ClCompile Include="..\bufferlist.c" />
+    <ClCompile Include="..\commandline.c" />
+    <ClCompile Include="..\counter.c" />
+    <ClCompile Include="..\crc64.c" />
+    <ClCompile Include="..\entropy.c" />
+    <ClCompile Include="..\error.c" />
+    <ClCompile Include="..\event.c" />
+    <ClCompile Include="..\hash.c" />
+    <ClCompile Include="..\heap.c" />
+    <ClCompile Include="..\hex.c" />
+    <ClCompile Include="..\hmac.c" />
+    <ClCompile Include="..\ht.c" />
+    <ClCompile Include="..\httpd.c" />
+    <ClCompile Include="..\iterated_hash.c" />
+    <ClCompile Include="..\lex.c" />
+    <ClCompile Include="..\lfsr.c" />
+    <ClCompile Include="..\lib.c" />
+    <ClCompile Include="..\log.c" />
+    <ClCompile Include="..\managers.c" />
+    <ClCompile Include="..\md.c" />
+    <ClCompile Include="..\mem.c" />
+    <ClCompile Include="..\mutexblock.c" />
+    <ClCompile Include="..\netaddr.c" />
+    <ClCompile Include="..\netmgr\netmgr.c" />
+    <ClCompile Include="..\netmgr\tcp.c" />
+    <ClCompile Include="..\netmgr\udp.c" />
+    <ClCompile Include="..\netmgr\uverr2result.c" />
+    <ClCompile Include="..\netmgr\uv-compat.c" />
+    <ClCompile Include="..\netmgr\tcpdns.c" />
+    <ClCompile Include="..\netscope.c" />
+    <ClCompile Include="..\nonce.c" />
+    <ClCompile Include="..\openssl_shim.c" />
+    <ClCompile Include="..\parseint.c" />
+    <ClCompile Include="..\pool.c" />
+    <ClCompile Include="..\portset.c" />
+    <ClCompile Include="..\quota.c" />
+    <ClCompile Include="..\radix.c" />
+    <ClCompile Include="..\random.c" />
+    <ClCompile Include="..\ratelimiter.c" />
+    <ClCompile Include="..\regex.c" />
+    <ClCompile Include="..\region.c" />
+    <ClCompile Include="..\result.c" />
+    <ClCompile Include="..\rwlock.c" />
+    <ClCompile Include="..\safe.c" />
+    <ClCompile Include="..\serial.c" />
+    <ClCompile Include="..\siphash.c" />
+    <ClCompile Include="..\sockaddr.c" />
+    <ClCompile Include="..\stats.c" />
+    <ClCompile Include="..\string.c" />
+    <ClCompile Include="..\symtab.c" />
+    <ClCompile Include="..\task.c" />
+    <ClCompile Include="..\taskpool.c" />
+    <ClCompile Include="..\timer.c" />
+    <ClCompile Include="..\trampoline.c" />
+    <ClCompile Include="..\tls.c" />
+    <ClCompile Include="..\tm.c" />
+    <ClCompile Include="..\url.c" />
+    <ClCompile Include="..\utf8.c" />
+@IF PKCS11
+    <ClCompile Include="..\pk11.c" />
+    <ClCompile Include="..\pk11_result.c" />
+@END PKCS11
+    <ClCompile Include="condition.c" />
+    <ClCompile Include="dir.c" />
+    <ClCompile Include="DLLMain.c" />
+    <ClCompile Include="errno.c" />
+    <ClCompile Include="errno2result.c" />
+    <ClCompile Include="file.c" />
+    <ClCompile Include="fsaccess.c" />
+    <ClCompile Include="interfaceiter.c" />
+    <ClCompile Include="ipv6.c" />
+    <ClCompile Include="meminfo.c" />
+    <ClCompile Include="net.c" />
+    <ClCompile Include="ntpaths.c" />
+    <ClCompile Include="once.c" />
+    <ClCompile Include="os.c" />
+    <ClCompile Include="resource.c" />
+    <ClCompile Include="socket.c" />
+    <ClCompile Include="stdio.c" />
+    <ClCompile Include="stdtime.c" />
+    <ClCompile Include="syslog.c" />
+    <ClCompile Include="thread.c" />
+    <ClCompile Include="time.c" />
+    <ClCompile Include="version.c" />
+    <ClCompile Include="win32os.c" />
+@IF PKCS11
+    <ClCompile Include="pk11_api.c" />
+@END PKCS11
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/lib/isc/win32/libisc.vcxproj.user b/lib/isc/win32/libisc.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/lib/isc/win32/libisc.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/lib/isc/win32/meminfo.c b/lib/isc/win32/meminfo.c
new file mode 100644
index 0000000..ab10b89
--- /dev/null
+++ b/lib/isc/win32/meminfo.c
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <inttypes.h>
+#include <windows.h>
+
+#include <isc/meminfo.h>
+
+uint64_t
+isc_meminfo_totalphys(void) {
+	MEMORYSTATUSEX statex;
+
+	statex.dwLength = sizeof(statex);
+	GlobalMemoryStatusEx(&statex);
+	return ((uint64_t)statex.ullTotalPhys);
+}
diff --git a/lib/isc/win32/net.c b/lib/isc/win32/net.c
new file mode 100644
index 0000000..ea4656d
--- /dev/null
+++ b/lib/isc/win32/net.c
@@ -0,0 +1,301 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <isc/log.h>
+#include <isc/net.h>
+#include <isc/once.h>
+#include <isc/strerr.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+/*%
+ * Definitions about UDP port range specification.  This is a total mess of
+ * portability variants: some use sysctl (but the sysctl names vary), some use
+ * system-specific interfaces, some have the same interface for IPv4 and IPv6,
+ * some separate them, etc...
+ */
+
+/*%
+ * The last resort defaults: use all non well known port space
+ */
+#ifndef ISC_NET_PORTRANGELOW
+#define ISC_NET_PORTRANGELOW 32768
+#endif /* ISC_NET_PORTRANGELOW */
+#ifndef ISC_NET_PORTRANGEHIGH
+#define ISC_NET_PORTRANGEHIGH 65535
+#endif /* ISC_NET_PORTRANGEHIGH */
+
+static isc_once_t once = ISC_ONCE_INIT;
+static isc_once_t once_ipv6only = ISC_ONCE_INIT;
+static isc_once_t once_ipv6pktinfo = ISC_ONCE_INIT;
+static isc_result_t ipv4_result = ISC_R_NOTFOUND;
+static isc_result_t ipv6_result = ISC_R_NOTFOUND;
+static isc_result_t ipv6only_result = ISC_R_NOTFOUND;
+static isc_result_t ipv6pktinfo_result = ISC_R_NOTFOUND;
+
+void
+InitSockets(void);
+
+static isc_result_t
+try_proto(int domain) {
+	SOCKET s;
+	char strbuf[ISC_STRERRORSIZE];
+	int errval;
+
+	s = socket(domain, SOCK_STREAM, IPPROTO_TCP);
+	if (s == INVALID_SOCKET) {
+		errval = WSAGetLastError();
+		switch (errval) {
+		case WSAEAFNOSUPPORT:
+		case WSAEPROTONOSUPPORT:
+		case WSAEINVAL:
+			return (ISC_R_NOTFOUND);
+		default:
+			strerror_r(errval, strbuf, sizeof(strbuf));
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "socket() failed: %s", strbuf);
+			return (ISC_R_UNEXPECTED);
+		}
+	}
+
+	closesocket(s);
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+initialize_action(void) {
+	InitSockets();
+	ipv4_result = try_proto(PF_INET);
+	ipv6_result = try_proto(PF_INET6);
+}
+
+static void
+initialize(void) {
+	RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_net_probeipv4(void) {
+	initialize();
+	return (ipv4_result);
+}
+
+isc_result_t
+isc_net_probeipv6(void) {
+	initialize();
+	return (ipv6_result);
+}
+
+isc_result_t
+isc_net_probeunix(void) {
+	return (ISC_R_NOTFOUND);
+}
+
+static void
+try_ipv6only(void) {
+#ifdef IPV6_V6ONLY
+	SOCKET s;
+	int on;
+	char strbuf[ISC_STRERRORSIZE];
+#endif /* ifdef IPV6_V6ONLY */
+	isc_result_t result;
+
+	result = isc_net_probeipv6();
+	if (result != ISC_R_SUCCESS) {
+		ipv6only_result = result;
+		return;
+	}
+
+#ifndef IPV6_V6ONLY
+	ipv6only_result = ISC_R_NOTFOUND;
+	return;
+#else  /* ifndef IPV6_V6ONLY */
+	/* check for TCP sockets */
+	s = socket(PF_INET6, SOCK_STREAM, 0);
+	if (s == INVALID_SOCKET) {
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__, "socket() failed: %s",
+				 strbuf);
+		ipv6only_result = ISC_R_UNEXPECTED;
+		return;
+	}
+
+	on = 1;
+	if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, (const char *)&on,
+		       sizeof(on)) < 0)
+	{
+		ipv6only_result = ISC_R_NOTFOUND;
+		goto close;
+	}
+
+	closesocket(s);
+
+	/* check for UDP sockets */
+	s = socket(PF_INET6, SOCK_DGRAM, 0);
+	if (s == INVALID_SOCKET) {
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__, "socket() failed: %s",
+				 strbuf);
+		ipv6only_result = ISC_R_UNEXPECTED;
+		return;
+	}
+
+	on = 1;
+	if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, (const char *)&on,
+		       sizeof(on)) < 0)
+	{
+		ipv6only_result = ISC_R_NOTFOUND;
+		goto close;
+	}
+
+	ipv6only_result = ISC_R_SUCCESS;
+
+close:
+	closesocket(s);
+	return;
+#endif /* IPV6_V6ONLY */
+}
+
+static void
+initialize_ipv6only(void) {
+	RUNTIME_CHECK(isc_once_do(&once_ipv6only, try_ipv6only) ==
+		      ISC_R_SUCCESS);
+}
+
+#ifdef __notyet__
+/*
+ * XXXMPA requires win32/socket.c to be updated to support
+ * WSASendMsg and WSARecvMsg which are themselves Winsock
+ * and compiler version dependent.
+ */
+static void
+try_ipv6pktinfo(void) {
+	SOCKET s;
+	int on;
+	char strbuf[ISC_STRERRORSIZE];
+	isc_result_t result;
+	int optname;
+
+	result = isc_net_probeipv6();
+	if (result != ISC_R_SUCCESS) {
+		ipv6pktinfo_result = result;
+		return;
+	}
+
+	/* we only use this for UDP sockets */
+	s = socket(PF_INET6, SOCK_DGRAM, IPPROTO_UDP);
+	if (s == INVALID_SOCKET) {
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__, "socket() failed: %s",
+				 strbuf);
+		ipv6pktinfo_result = ISC_R_UNEXPECTED;
+		return;
+	}
+
+#ifdef IPV6_RECVPKTINFO
+	optname = IPV6_RECVPKTINFO;
+#else  /* ifdef IPV6_RECVPKTINFO */
+	optname = IPV6_PKTINFO;
+#endif /* ifdef IPV6_RECVPKTINFO */
+	on = 1;
+	if (setsockopt(s, IPPROTO_IPV6, optname, (const char *)&on,
+		       sizeof(on)) < 0)
+	{
+		ipv6pktinfo_result = ISC_R_NOTFOUND;
+		goto close;
+	}
+
+	ipv6pktinfo_result = ISC_R_SUCCESS;
+
+close:
+	closesocket(s);
+	return;
+}
+
+static void
+initialize_ipv6pktinfo(void) {
+	RUNTIME_CHECK(isc_once_do(&once_ipv6pktinfo, try_ipv6pktinfo) ==
+		      ISC_R_SUCCESS);
+}
+#endif /* __notyet__ */
+
+isc_result_t
+isc_net_probe_ipv6only(void) {
+	initialize_ipv6only();
+	return (ipv6only_result);
+}
+
+isc_result_t
+isc_net_probe_ipv6pktinfo(void) {
+#ifdef __notyet__
+	initialize_ipv6pktinfo();
+#endif /* __notyet__ */
+	return (ipv6pktinfo_result);
+}
+
+isc_result_t
+isc_net_getudpportrange(int af, in_port_t *low, in_port_t *high) {
+	int result = ISC_R_FAILURE;
+
+	REQUIRE(low != NULL && high != NULL);
+
+	UNUSED(af);
+
+	if (result != ISC_R_SUCCESS) {
+		*low = ISC_NET_PORTRANGELOW;
+		*high = ISC_NET_PORTRANGEHIGH;
+	}
+
+	return (ISC_R_SUCCESS); /* we currently never fail in this function */
+}
+
+void
+isc_net_disableipv4(void) {
+	initialize();
+	if (ipv4_result == ISC_R_SUCCESS) {
+		ipv4_result = ISC_R_DISABLED;
+	}
+}
+
+void
+isc_net_disableipv6(void) {
+	initialize();
+	if (ipv6_result == ISC_R_SUCCESS) {
+		ipv6_result = ISC_R_DISABLED;
+	}
+}
+
+void
+isc_net_enableipv4(void) {
+	initialize();
+	if (ipv4_result == ISC_R_DISABLED) {
+		ipv4_result = ISC_R_SUCCESS;
+	}
+}
+
+void
+isc_net_enableipv6(void) {
+	initialize();
+	if (ipv6_result == ISC_R_DISABLED) {
+		ipv6_result = ISC_R_SUCCESS;
+	}
+}
+
+unsigned int
+isc_net_probedscp(void) {
+	return (0);
+}
diff --git a/lib/isc/win32/netdb.h b/lib/isc/win32/netdb.h
new file mode 100644
index 0000000..5a5c122
--- /dev/null
+++ b/lib/isc/win32/netdb.h
@@ -0,0 +1,182 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef NETDB_H
+#define NETDB_H 1
+
+#include <stddef.h>
+#include <winsock2.h>
+
+/*
+ * Define if <netdb.h> does not declare struct addrinfo.
+ */
+
+#if _MSC_VER < 1600
+struct addrinfo {
+	int ai_flags;		  /* AI_PASSIVE, AI_CANONNAME */
+	int ai_family;		  /* PF_xxx */
+	int ai_socktype;	  /* SOCK_xxx */
+	int ai_protocol;	  /* 0 or IPPROTO_xxx for IPv4 and
+				   * IPv6 */
+	size_t ai_addrlen;	  /* Length of ai_addr */
+	char *ai_canonname;	  /* Canonical name for hostname */
+	struct sockaddr *ai_addr; /* Binary address */
+	struct addrinfo *ai_next; /* Next structure in linked list */
+};
+#endif /* if _MSC_VER < 1600 */
+
+/*
+ * Undefine all \#defines we are interested in as <netdb.h> may or may not have
+ * defined them.
+ */
+
+/*
+ * Error return codes from gethostbyname() and gethostbyaddr()
+ * (left in extern int h_errno).
+ */
+
+#undef NETDB_INTERNAL
+#undef NETDB_SUCCESS
+#undef HOST_NOT_FOUND
+#undef TRY_AGAIN
+#undef NO_RECOVERY
+#undef NO_DATA
+#undef NO_ADDRESS
+
+#define NETDB_INTERNAL -1 /* see errno */
+#define NETDB_SUCCESS  0  /* no problem */
+#define HOST_NOT_FOUND 1  /* Authoritative Answer Host not found */
+#define TRY_AGAIN      2  /* Non-Authoritative Host not found, or SERVERFAIL */
+#define NO_RECOVERY    3  /* Non recoverable errors, FORMERR, REFUSED, NOTIMP */
+#define NO_DATA	       4  /* Valid name, no data record of requested type */
+#define NO_ADDRESS     NO_DATA /* no address, look for MX record */
+
+/*
+ * Error return codes from getaddrinfo()
+ */
+
+#undef EAI_ADDRFAMILY
+#undef EAI_AGAIN
+#undef EAI_BADFLAGS
+#undef EAI_FAIL
+#undef EAI_FAMILY
+#undef EAI_MEMORY
+#undef EAI_NODATA
+#undef EAI_NONAME
+#undef EAI_SERVICE
+#undef EAI_SOCKTYPE
+#undef EAI_SYSTEM
+#undef EAI_BADHINTS
+#undef EAI_PROTOCOL
+#undef EAI_MAX
+
+#define EAI_ADDRFAMILY 1  /* address family for hostname not supported */
+#define EAI_AGAIN      2  /* temporary failure in name resolution */
+#define EAI_BADFLAGS   3  /* invalid value for ai_flags */
+#define EAI_FAIL       4  /* non-recoverable failure in name resolution */
+#define EAI_FAMILY     5  /* ai_family not supported */
+#define EAI_MEMORY     6  /* memory allocation failure */
+#define EAI_NODATA     7  /* no address associated with hostname */
+#define EAI_NONAME     8  /* hostname nor servname provided, or not known */
+#define EAI_SERVICE    9  /* servname not supported for ai_socktype */
+#define EAI_SOCKTYPE   10 /* ai_socktype not supported */
+#define EAI_SYSTEM     11 /* system error returned in errno */
+#define EAI_BADHINTS   12
+#define EAI_PROTOCOL   13
+#define EAI_MAX	       14
+
+/*
+ * Flag values for getaddrinfo()
+ */
+#undef AI_PASSIVE
+#undef AI_CANONNAME
+#undef AI_NUMERICHOST
+
+#define AI_PASSIVE     0x00000001
+#define AI_CANONNAME   0x00000002
+#define AI_NUMERICHOST 0x00000004
+
+/*
+ * Flag values for getipnodebyname()
+ */
+#undef AI_V4MAPPED
+#undef AI_ALL
+#undef AI_ADDRCONFIG
+#undef AI_DEFAULT
+
+#define AI_V4MAPPED   0x00000008
+#define AI_ALL	      0x00000010
+#define AI_ADDRCONFIG 0x00000020
+#define AI_DEFAULT    (AI_V4MAPPED | AI_ADDRCONFIG)
+
+/*
+ * Constants for getnameinfo()
+ */
+#undef NI_MAXHOST
+#undef NI_MAXSERV
+
+#define NI_MAXHOST 1025
+#define NI_MAXSERV 32
+
+/*
+ * Flag values for getnameinfo()
+ */
+#undef NI_NOFQDN
+#undef NI_NUMERICHOST
+#undef NI_NAMEREQD
+#undef NI_NUMERICSERV
+#undef NI_DGRAM
+#undef NI_NUMERICSCOPE
+
+#define NI_NOFQDN	0x00000001
+#define NI_NUMERICHOST	0x00000002
+#define NI_NAMEREQD	0x00000004
+#define NI_NUMERICSERV	0x00000008
+#define NI_DGRAM	0x00000010
+#define NI_NUMERICSCOPE 0x00000020 /*2553bis-00*/
+
+/*
+ * Structures for getrrsetbyname()
+ */
+struct rdatainfo {
+	unsigned int rdi_length;
+	unsigned char *rdi_data;
+};
+
+struct rrsetinfo {
+	unsigned int rri_flags;
+	int rri_rdclass;
+	int rri_rdtype;
+	unsigned int rri_ttl;
+	unsigned int rri_nrdatas;
+	unsigned int rri_nsigs;
+	char *rri_name;
+	struct rdatainfo *rri_rdatas;
+	struct rdatainfo *rri_sigs;
+};
+
+/*
+ * Flags for getrrsetbyname()
+ */
+#define RRSET_VALIDATED 0x00000001
+/* Set was dnssec validated */
+
+/*
+ * Return codes for getrrsetbyname()
+ */
+#define ERRSET_SUCCESS	0
+#define ERRSET_NOMEMORY 1
+#define ERRSET_FAIL	2
+#define ERRSET_INVAL	3
+
+#endif /* NETDB_H */
diff --git a/lib/isc/win32/ntgroups.c b/lib/isc/win32/ntgroups.c
new file mode 100644
index 0000000..0584d48
--- /dev/null
+++ b/lib/isc/win32/ntgroups.c
@@ -0,0 +1,215 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * The NT Groups have two groups that are not well documented and are
+ * not normally seen: None and Everyone.  A user account belongs to
+ * any number of groups, but if it is not a member of any group then
+ * it is a member of the None Group. The None group is not listed
+ * anywhere. You cannot remove an account from the none group except
+ * by making it a member of some other group, The second group is the
+ * Everyone group.  All accounts, no matter how many groups that they
+ * belong to, also belong to the Everyone group. You cannot remove an
+ * account from the Everyone group.
+ */
+
+#ifndef UNICODE
+#define UNICODE
+#endif /* UNICODE */
+
+/*
+ * Silence warnings.
+ */
+#define _CRT_SECURE_NO_DEPRECATE 1
+
+/* clang-format off */
+#include <assert.h>
+#include <windows.h>
+#include <lm.h>
+/* clang-format on */
+
+#include <isc/ntgroups.h>
+#include <isc/result.h>
+
+#define MAX_NAME_LENGTH 256
+
+#define CHECK(op)                              \
+	do {                                   \
+		result = (op);                 \
+		if (result != ISC_R_SUCCESS) { \
+			goto cleanup;          \
+		}                              \
+	} while (0)
+
+isc_result_t
+isc_ntsecurity_getaccountgroups(char *username, char **GroupList,
+				unsigned int maxgroups,
+				unsigned int *totalGroups) {
+	LPGROUP_USERS_INFO_0 pTmpBuf;
+	LPLOCALGROUP_USERS_INFO_0 pTmpLBuf;
+	DWORD i;
+	LPLOCALGROUP_USERS_INFO_0 pBuf = NULL;
+	LPGROUP_USERS_INFO_0 pgrpBuf = NULL;
+	DWORD dwLevel = 0;
+	DWORD dwFlags = LG_INCLUDE_INDIRECT;
+	DWORD dwPrefMaxLen = MAX_PREFERRED_LENGTH;
+	DWORD dwEntriesRead = 0;
+	DWORD dwTotalEntries = 0;
+	NET_API_STATUS nStatus;
+	size_t retlen;
+	wchar_t user[MAX_NAME_LENGTH];
+	isc_result_t result;
+
+	*totalGroups = 0;
+
+	retlen = mbstowcs(user, username, MAX_NAME_LENGTH);
+	if (retlen == (size_t)(-1)) {
+		return (ISC_R_FAILURE);
+	}
+
+	/*
+	 * Call the NetUserGetLocalGroups function
+	 * specifying information level 0.
+	 *
+	 * The LG_INCLUDE_INDIRECT flag specifies that the
+	 * function should also return the names of the local
+	 * groups in which the user is indirectly a member.
+	 */
+	nStatus = NetUserGetLocalGroups(NULL, user, dwLevel, dwFlags,
+					(LPBYTE *)&pBuf, dwPrefMaxLen,
+					&dwEntriesRead, &dwTotalEntries);
+	/*
+	 * See if the call succeeds,
+	 */
+	if (nStatus != NERR_Success) {
+		if (nStatus == ERROR_ACCESS_DENIED) {
+			return (ISC_R_NOPERM);
+		}
+		if (nStatus == ERROR_MORE_DATA) {
+			return (ISC_R_NOSPACE);
+		}
+		if (nStatus == NERR_UserNotFound) {
+			dwEntriesRead = 0;
+		}
+	}
+
+	if (pBuf != NULL) {
+		pTmpLBuf = pBuf;
+		/*
+		 * Loop through the entries
+		 */
+		for (i = 0; (i < dwEntriesRead && *totalGroups < maxgroups);
+		     i++)
+		{
+			assert(pTmpLBuf != NULL);
+			if (pTmpLBuf == NULL) {
+				break;
+			}
+			retlen = wcslen(pTmpLBuf->lgrui0_name);
+			GroupList[*totalGroups] = (char *)malloc(retlen + 1);
+			if (GroupList[*totalGroups] == NULL) {
+				CHECK(ISC_R_NOMEMORY);
+			}
+
+			retlen = wcstombs(GroupList[*totalGroups],
+					  pTmpLBuf->lgrui0_name, retlen);
+			if (retlen == (size_t)(-1)) {
+				free(GroupList[*totalGroups]);
+				CHECK(ISC_R_FAILURE);
+			}
+			GroupList[*totalGroups][retlen] = '\0';
+			if (strcmp(GroupList[*totalGroups], "None") == 0) {
+				free(GroupList[*totalGroups]);
+			} else {
+				(*totalGroups)++;
+			}
+			pTmpLBuf++;
+		}
+	}
+	/* Free the allocated memory. */
+	/* cppcheck-suppress duplicateCondition */
+	if (pBuf != NULL) {
+		NetApiBufferFree(pBuf);
+	}
+
+	/*
+	 * Call the NetUserGetGroups function, specifying level 0.
+	 */
+	nStatus = NetUserGetGroups(NULL, user, dwLevel, (LPBYTE *)&pgrpBuf,
+				   dwPrefMaxLen, &dwEntriesRead,
+				   &dwTotalEntries);
+	/*
+	 * See if the call succeeds,
+	 */
+	if (nStatus != NERR_Success) {
+		if (nStatus == ERROR_ACCESS_DENIED) {
+			return (ISC_R_NOPERM);
+		}
+		if (nStatus == ERROR_MORE_DATA) {
+			return (ISC_R_NOSPACE);
+		}
+		if (nStatus == NERR_UserNotFound) {
+			dwEntriesRead = 0;
+		}
+	}
+
+	if (pgrpBuf != NULL) {
+		pTmpBuf = pgrpBuf;
+		/*
+		 * Loop through the entries
+		 */
+		for (i = 0; (i < dwEntriesRead && *totalGroups < maxgroups);
+		     i++)
+		{
+			assert(pTmpBuf != NULL);
+
+			if (pTmpBuf == NULL) {
+				break;
+			}
+			retlen = wcslen(pTmpBuf->grui0_name);
+			GroupList[*totalGroups] = (char *)malloc(retlen + 1);
+			if (GroupList[*totalGroups] == NULL) {
+				CHECK(ISC_R_NOMEMORY);
+			}
+
+			retlen = wcstombs(GroupList[*totalGroups],
+					  pTmpBuf->grui0_name, retlen);
+			if (retlen == (size_t)(-1)) {
+				free(GroupList[*totalGroups]);
+				CHECK(ISC_R_FAILURE);
+			}
+			GroupList[*totalGroups][retlen] = '\0';
+			if (strcmp(GroupList[*totalGroups], "None") == 0) {
+				free(GroupList[*totalGroups]);
+			} else {
+				(*totalGroups)++;
+			}
+			pTmpBuf++;
+		}
+	}
+	/*
+	 * Free the allocated memory.
+	 */
+	/* cppcheck-suppress duplicateCondition */
+	if (pgrpBuf != NULL) {
+		NetApiBufferFree(pgrpBuf);
+	}
+
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	while (--(*totalGroups) > 0) {
+		free(GroupList[*totalGroups]);
+	}
+	return (result);
+}
diff --git a/lib/isc/win32/ntpaths.c b/lib/isc/win32/ntpaths.c
new file mode 100644
index 0000000..793b72a
--- /dev/null
+++ b/lib/isc/win32/ntpaths.c
@@ -0,0 +1,151 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * This module fetches the required path information that is specific
+ * to NT systems which can have its configuration and system files
+ * almost anywhere. It can be used to override whatever the application
+ * had previously assigned to the pointer. Basic information about the
+ * file locations are stored in the registry.
+ */
+
+#include <isc/bind_registry.h>
+#include <isc/ntpaths.h>
+#include <isc/string.h>
+
+/*
+ * Module Variables
+ */
+
+static char systemDir[MAX_PATH];
+static char namedBase[MAX_PATH];
+static char ns_confFile[MAX_PATH];
+static char rndc_confFile[MAX_PATH];
+static char ns_defaultpidfile[MAX_PATH];
+static char ns_lockfile[MAX_PATH];
+static char local_state_dir[MAX_PATH];
+static char sys_conf_dir[MAX_PATH];
+static char rndc_keyFile[MAX_PATH];
+static char session_keyFile[MAX_PATH];
+static char resolv_confFile[MAX_PATH];
+static char bind_keysFile[MAX_PATH];
+
+static DWORD baseLen = MAX_PATH;
+static BOOL Initialized = FALSE;
+
+void
+isc_ntpaths_init(void) {
+	HKEY hKey;
+	BOOL keyFound = TRUE;
+
+	memset(namedBase, 0, sizeof(namedBase));
+	if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, BIND_SUBKEY, 0, KEY_READ, &hKey) !=
+	    ERROR_SUCCESS)
+	{
+		keyFound = FALSE;
+	}
+
+	if (keyFound == TRUE) {
+		/* Get the named directory */
+		if (RegQueryValueEx(hKey, "InstallDir", NULL, NULL,
+				    (LPBYTE)namedBase,
+				    &baseLen) != ERROR_SUCCESS)
+		{
+			keyFound = FALSE;
+		}
+		RegCloseKey(hKey);
+	}
+
+	GetSystemDirectory(systemDir, MAX_PATH);
+
+	if (keyFound == FALSE) {
+		/* Use the System Directory as a default */
+		strlcpy(namedBase, systemDir, sizeof(namedBase));
+	}
+
+	strlcpy(ns_confFile, namedBase, sizeof(ns_confFile));
+	strlcat(ns_confFile, "\\etc\\named.conf", sizeof(ns_confFile));
+
+	strlcpy(rndc_keyFile, namedBase, sizeof(rndc_keyFile));
+	strlcat(rndc_keyFile, "\\etc\\rndc.key", sizeof(rndc_keyFile));
+
+	strlcpy(session_keyFile, namedBase, sizeof(session_keyFile));
+	strlcat(session_keyFile, "\\etc\\session.key", sizeof(session_keyFile));
+
+	strlcpy(rndc_confFile, namedBase, sizeof(rndc_confFile));
+	strlcat(rndc_confFile, "\\etc\\rndc.conf", sizeof(rndc_confFile));
+
+	strlcpy(ns_defaultpidfile, namedBase, sizeof(ns_defaultpidfile));
+	strlcat(ns_defaultpidfile, "\\etc\\named.pid",
+		sizeof(ns_defaultpidfile));
+
+	strlcpy(ns_lockfile, namedBase, sizeof(ns_lockfile));
+	strlcat(ns_lockfile, "\\etc\\named.lock", sizeof(ns_lockfile));
+
+	strlcpy(local_state_dir, namedBase, sizeof(local_state_dir));
+	strlcat(local_state_dir, "\\bin", sizeof(local_state_dir));
+
+	strlcpy(sys_conf_dir, namedBase, sizeof(sys_conf_dir));
+	strlcat(sys_conf_dir, "\\etc", sizeof(sys_conf_dir));
+
+	/* Added to avoid an assert on NULL value */
+	strlcpy(resolv_confFile, namedBase, sizeof(resolv_confFile));
+	strlcat(resolv_confFile, "\\etc\\resolv.conf", sizeof(resolv_confFile));
+
+	strlcpy(bind_keysFile, namedBase, sizeof(bind_keysFile));
+	strlcat(bind_keysFile, "\\etc\\bind.keys", sizeof(bind_keysFile));
+
+	Initialized = TRUE;
+}
+
+char *
+isc_ntpaths_get(int ind) {
+	if (!Initialized) {
+		isc_ntpaths_init();
+	}
+
+	switch (ind) {
+	case NAMED_CONF_PATH:
+		return (ns_confFile);
+		break;
+	case RESOLV_CONF_PATH:
+		return (resolv_confFile);
+		break;
+	case RNDC_CONF_PATH:
+		return (rndc_confFile);
+		break;
+	case NAMED_PID_PATH:
+		return (ns_defaultpidfile);
+		break;
+	case NAMED_LOCK_PATH:
+		return (ns_lockfile);
+		break;
+	case LOCAL_STATE_DIR:
+		return (local_state_dir);
+		break;
+	case SYS_CONF_DIR:
+		return (sys_conf_dir);
+		break;
+	case RNDC_KEY_PATH:
+		return (rndc_keyFile);
+		break;
+	case SESSION_KEY_PATH:
+		return (session_keyFile);
+		break;
+	case BIND_KEYS_PATH:
+		return (bind_keysFile);
+		break;
+	default:
+		return (NULL);
+	}
+}
diff --git a/lib/isc/win32/once.c b/lib/isc/win32/once.c
new file mode 100644
index 0000000..23966cb
--- /dev/null
+++ b/lib/isc/win32/once.c
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <windows.h>
+
+#include <isc/assertions.h>
+#include <isc/once.h>
+#include <isc/util.h>
+
+isc_result_t
+isc_once_do(isc_once_t *controller, void (*function)(void)) {
+	REQUIRE(controller != NULL && function != NULL);
+
+	if (controller->status == ISC_ONCE_INIT_NEEDED) {
+		if (InterlockedDecrement(&controller->counter) == 0) {
+			if (controller->status == ISC_ONCE_INIT_NEEDED) {
+				function();
+				controller->status = ISC_ONCE_INIT_DONE;
+			}
+		} else {
+			while (controller->status == ISC_ONCE_INIT_NEEDED) {
+				/*
+				 * Sleep(0) indicates that this thread
+				 * should be suspended to allow other
+				 * waiting threads to execute.
+				 */
+				Sleep(0);
+			}
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/isc/win32/os.c b/lib/isc/win32/os.c
new file mode 100644
index 0000000..19a992e
--- /dev/null
+++ b/lib/isc/win32/os.c
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <windows.h>
+
+#include <isc/os.h>
+
+static BOOL bInit = FALSE;
+static SYSTEM_INFO SystemInfo;
+
+static void
+initialize_action(void) {
+	if (bInit) {
+		return;
+	}
+
+	GetSystemInfo(&SystemInfo);
+	bInit = TRUE;
+}
+
+unsigned int
+isc_os_ncpus(void) {
+	long ncpus;
+	initialize_action();
+	ncpus = SystemInfo.dwNumberOfProcessors;
+	if (ncpus <= 0) {
+		ncpus = 1;
+	}
+
+	return ((unsigned int)ncpus);
+}
diff --git a/lib/isc/win32/pk11_api.c b/lib/isc/win32/pk11_api.c
new file mode 100644
index 0000000..5ee8e0d
--- /dev/null
+++ b/lib/isc/win32/pk11_api.c
@@ -0,0 +1,706 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+/* missing code for WIN32 */
+
+#include <string.h>
+#include <windows.h>
+
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/print.h>
+#include <isc/stdio.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+
+#include <pk11/internal.h>
+#include <pk11/pk11.h>
+
+char *
+getpass(const char *prompt) {
+	static char buf[128];
+	HANDLE h;
+	DWORD cc, mode;
+	int cnt;
+
+	h = GetStdHandle(STD_INPUT_HANDLE);
+	fputs(prompt, stderr);
+	fflush(stderr);
+	fflush(stdout);
+	FlushConsoleInputBuffer(h);
+	GetConsoleMode(h, &mode);
+	SetConsoleMode(h, ENABLE_PROCESSED_INPUT);
+
+	for (cnt = 0; cnt < sizeof(buf) - 1; cnt++) {
+		ReadFile(h, buf + cnt, 1, &cc, NULL);
+		if (buf[cnt] == '\r') {
+			break;
+		}
+		fputc('*', stdout);
+		fflush(stderr);
+		fflush(stdout);
+	}
+
+	SetConsoleMode(h, mode);
+	buf[cnt] = '\0';
+	fputs("\n", stderr);
+	return (buf);
+}
+
+/* load PKCS11 DLL */
+
+static HINSTANCE hPK11 = NULL;
+static char loaderrmsg[1024];
+
+CK_RV
+pkcs_C_Initialize(CK_VOID_PTR pReserved) {
+	CK_C_Initialize sym;
+	const char *lib_name = pk11_get_lib_name();
+
+	if (hPK11 != NULL) {
+		return (CKR_LIBRARY_ALREADY_INITIALIZED);
+	}
+
+	if (lib_name == NULL) {
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	}
+	/* Visual Studio conversion issue... */
+	if (*lib_name == ' ') {
+		lib_name++;
+	}
+
+	hPK11 = LoadLibraryA(lib_name);
+
+	if (hPK11 == NULL) {
+		const DWORD err = GetLastError();
+		snprintf(loaderrmsg, sizeof(loaderrmsg),
+			 "LoadLibraryA(\"%s\") failed with 0x%X\n", lib_name,
+			 err);
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	}
+	sym = (CK_C_Initialize)GetProcAddress(hPK11, "C_Initialize");
+	if (sym == NULL) {
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	}
+	return ((*sym)(pReserved));
+}
+
+char *
+pk11_get_load_error_message(void) {
+	return (loaderrmsg);
+}
+
+CK_RV
+pkcs_C_Finalize(CK_VOID_PTR pReserved) {
+	CK_C_Finalize sym;
+	CK_RV rv;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	}
+	sym = (CK_C_Finalize)GetProcAddress(hPK11, "C_Finalize");
+	if (sym == NULL) {
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	}
+	rv = (*sym)(pReserved);
+	if ((rv == CKR_OK) && (FreeLibrary(hPK11) == 0)) {
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	}
+	hPK11 = NULL;
+	return (rv);
+}
+
+CK_RV
+pkcs_C_GetSlotList(CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList,
+		   CK_ULONG_PTR pulCount) {
+	static CK_C_GetSlotList sym = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	}
+	if (sym == NULL) {
+		sym = (CK_C_GetSlotList)GetProcAddress(hPK11, "C_GetSlotList");
+	}
+	if (sym == NULL) {
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	}
+	return ((*sym)(tokenPresent, pSlotList, pulCount));
+}
+
+CK_RV
+pkcs_C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo) {
+	static CK_C_GetTokenInfo sym = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	}
+	if (sym == NULL) {
+		sym = (CK_C_GetTokenInfo)GetProcAddress(hPK11, "C_"
+							       "GetTokenInfo");
+	}
+	if (sym == NULL) {
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	}
+	return ((*sym)(slotID, pInfo));
+}
+
+CK_RV
+pkcs_C_GetMechanismInfo(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type,
+			CK_MECHANISM_INFO_PTR pInfo) {
+	static CK_C_GetMechanismInfo sym = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	}
+	if (sym == NULL) {
+		sym = (CK_C_GetMechanismInfo)GetProcAddress(hPK11, "C_"
+								   "GetMechanis"
+								   "mInfo");
+	}
+	if (sym == NULL) {
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	}
+	return ((*sym)(slotID, type, pInfo));
+}
+
+CK_RV
+pkcs_C_OpenSession(CK_SLOT_ID slotID, CK_FLAGS flags, CK_VOID_PTR pApplication,
+		   CK_RV (*Notify)(CK_SESSION_HANDLE hSession,
+				   CK_NOTIFICATION event,
+				   CK_VOID_PTR pApplication),
+		   CK_SESSION_HANDLE_PTR phSession) {
+	static CK_C_OpenSession sym = NULL;
+
+	if (hPK11 == NULL) {
+		hPK11 = LoadLibraryA(pk11_get_lib_name());
+	}
+	if (hPK11 == NULL) {
+		const DWORD err = GetLastError();
+		snprintf(loaderrmsg, sizeof(loaderrmsg),
+			 "LoadLibraryA(\"%s\") failed with 0x%X\n",
+			 pk11_get_lib_name(), err);
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	}
+	if (sym == NULL) {
+		sym = (CK_C_OpenSession)GetProcAddress(hPK11, "C_OpenSession");
+	}
+	if (sym == NULL) {
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	}
+	return ((*sym)(slotID, flags, pApplication, Notify, phSession));
+}
+
+CK_RV
+pkcs_C_CloseSession(CK_SESSION_HANDLE hSession) {
+	static CK_C_CloseSession sym = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	}
+	if (sym == NULL) {
+		sym = (CK_C_CloseSession)GetProcAddress(hPK11, "C_"
+							       "CloseSession");
+	}
+	if (sym == NULL) {
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	}
+	return ((*sym)(hSession));
+}
+
+CK_RV
+pkcs_C_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType,
+	     CK_CHAR_PTR pPin, CK_ULONG usPinLen) {
+	static CK_C_Login sym = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	}
+	if (sym == NULL) {
+		sym = (CK_C_Login)GetProcAddress(hPK11, "C_Login");
+	}
+	if (sym == NULL) {
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	}
+	return ((*sym)(hSession, userType, pPin, usPinLen));
+}
+
+CK_RV
+pkcs_C_Logout(CK_SESSION_HANDLE hSession) {
+	static CK_C_Logout sym = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	}
+	if (sym == NULL) {
+		sym = (CK_C_Logout)GetProcAddress(hPK11, "C_Logout");
+	}
+	if (sym == NULL) {
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	}
+	return ((*sym)(hSession));
+}
+
+CK_RV
+pkcs_C_CreateObject(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate,
+		    CK_ULONG usCount, CK_OBJECT_HANDLE_PTR phObject) {
+	static CK_C_CreateObject sym = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	}
+	if (sym == NULL) {
+		sym = (CK_C_CreateObject)GetProcAddress(hPK11, "C_"
+							       "CreateObject");
+	}
+	if (sym == NULL) {
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	}
+	return ((*sym)(hSession, pTemplate, usCount, phObject));
+}
+
+CK_RV
+pkcs_C_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject) {
+	static CK_C_DestroyObject sym = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	}
+	if (sym == NULL) {
+		sym = (CK_C_DestroyObject)GetProcAddress(hPK11, "C_"
+								"DestroyObjec"
+								"t");
+	}
+	if (sym == NULL) {
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	}
+	return ((*sym)(hSession, hObject));
+}
+
+CK_RV
+pkcs_C_GetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
+			 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount) {
+	static CK_C_GetAttributeValue sym = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	}
+	if (sym == NULL) {
+		sym = (CK_C_GetAttributeValue)GetProcAddress(hPK11, "C_"
+								    "GetAttribu"
+								    "teValue");
+	}
+	if (sym == NULL) {
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	}
+	return ((*sym)(hSession, hObject, pTemplate, usCount));
+}
+
+CK_RV
+pkcs_C_SetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
+			 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount) {
+	static CK_C_SetAttributeValue sym = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	}
+	if (sym == NULL) {
+		sym = (CK_C_SetAttributeValue)GetProcAddress(hPK11, "C_"
+								    "SetAttribu"
+								    "teValue");
+	}
+	if (sym == NULL) {
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	}
+	return ((*sym)(hSession, hObject, pTemplate, usCount));
+}
+
+CK_RV
+pkcs_C_FindObjectsInit(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate,
+		       CK_ULONG usCount) {
+	static CK_C_FindObjectsInit sym = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	}
+	if (sym == NULL) {
+		sym = (CK_C_FindObjectsInit)GetProcAddress(hPK11, "C_"
+								  "FindObjectsI"
+								  "nit");
+	}
+	if (sym == NULL) {
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	}
+	return ((*sym)(hSession, pTemplate, usCount));
+}
+
+CK_RV
+pkcs_C_FindObjects(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE_PTR phObject,
+		   CK_ULONG usMaxObjectCount, CK_ULONG_PTR pusObjectCount) {
+	static CK_C_FindObjects sym = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	}
+	if (sym == NULL) {
+		sym = (CK_C_FindObjects)GetProcAddress(hPK11, "C_FindObjects");
+	}
+	if (sym == NULL) {
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	}
+	return ((*sym)(hSession, phObject, usMaxObjectCount, pusObjectCount));
+}
+
+CK_RV
+pkcs_C_FindObjectsFinal(CK_SESSION_HANDLE hSession) {
+	static CK_C_FindObjectsFinal sym = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	}
+	if (sym == NULL) {
+		sym = (CK_C_FindObjectsFinal)GetProcAddress(hPK11, "C_"
+								   "FindObjects"
+								   "Final");
+	}
+	if (sym == NULL) {
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	}
+	return ((*sym)(hSession));
+}
+
+CK_RV
+pkcs_C_EncryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+		   CK_OBJECT_HANDLE hKey) {
+	static CK_C_EncryptInit sym = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	}
+	if (sym == NULL) {
+		sym = (CK_C_EncryptInit)GetProcAddress(hPK11, "C_EncryptInit");
+	}
+	if (sym == NULL) {
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	}
+	return ((*sym)(hSession, pMechanism, hKey));
+}
+
+CK_RV
+pkcs_C_Encrypt(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
+	       CK_ULONG ulDataLen, CK_BYTE_PTR pEncryptedData,
+	       CK_ULONG_PTR pulEncryptedDataLen) {
+	static CK_C_Encrypt sym = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	}
+	if (sym == NULL) {
+		sym = (CK_C_Encrypt)GetProcAddress(hPK11, "C_Encrypt");
+	}
+	if (sym == NULL) {
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	}
+	return ((*sym)(hSession, pData, ulDataLen, pEncryptedData,
+		       pulEncryptedDataLen));
+}
+
+CK_RV
+pkcs_C_DigestInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism) {
+	static CK_C_DigestInit sym = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	}
+	if (sym == NULL) {
+		sym = (CK_C_DigestInit)GetProcAddress(hPK11, "C_DigestInit");
+	}
+	if (sym == NULL) {
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	}
+	return ((*sym)(hSession, pMechanism));
+}
+
+CK_RV
+pkcs_C_DigestUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+		    CK_ULONG ulPartLen) {
+	static CK_C_DigestUpdate sym = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	}
+	if (sym == NULL) {
+		sym = (CK_C_DigestUpdate)GetProcAddress(hPK11, "C_"
+							       "DigestUpdate");
+	}
+	if (sym == NULL) {
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	}
+	return ((*sym)(hSession, pPart, ulPartLen));
+}
+
+CK_RV
+pkcs_C_DigestFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pDigest,
+		   CK_ULONG_PTR pulDigestLen) {
+	static CK_C_DigestFinal sym = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	}
+	if (sym == NULL) {
+		sym = (CK_C_DigestFinal)GetProcAddress(hPK11, "C_DigestFinal");
+	}
+	if (sym == NULL) {
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	}
+	return ((*sym)(hSession, pDigest, pulDigestLen));
+}
+
+CK_RV
+pkcs_C_SignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+		CK_OBJECT_HANDLE hKey) {
+	static CK_C_SignInit sym = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	}
+	if (sym == NULL) {
+		sym = (CK_C_SignInit)GetProcAddress(hPK11, "C_SignInit");
+	}
+	if (sym == NULL) {
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	}
+	return ((*sym)(hSession, pMechanism, hKey));
+}
+
+CK_RV
+pkcs_C_Sign(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen,
+	    CK_BYTE_PTR pSignature, CK_ULONG_PTR pulSignatureLen) {
+	static CK_C_Sign sym = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	}
+	if (sym == NULL) {
+		sym = (CK_C_Sign)GetProcAddress(hPK11, "C_Sign");
+	}
+	if (sym == NULL) {
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	}
+	return ((*sym)(hSession, pData, ulDataLen, pSignature,
+		       pulSignatureLen));
+}
+
+CK_RV
+pkcs_C_SignUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+		  CK_ULONG ulPartLen) {
+	static CK_C_SignUpdate sym = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	}
+	if (sym == NULL) {
+		sym = (CK_C_SignUpdate)GetProcAddress(hPK11, "C_SignUpdate");
+	}
+	if (sym == NULL) {
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	}
+	return ((*sym)(hSession, pPart, ulPartLen));
+}
+
+CK_RV
+pkcs_C_SignFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature,
+		 CK_ULONG_PTR pulSignatureLen) {
+	static CK_C_SignFinal sym = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	}
+	if (sym == NULL) {
+		sym = (CK_C_SignFinal)GetProcAddress(hPK11, "C_SignFinal");
+	}
+	if (sym == NULL) {
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	}
+	return ((*sym)(hSession, pSignature, pulSignatureLen));
+}
+
+CK_RV
+pkcs_C_VerifyInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+		  CK_OBJECT_HANDLE hKey) {
+	static CK_C_VerifyInit sym = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	}
+	if (sym == NULL) {
+		sym = (CK_C_VerifyInit)GetProcAddress(hPK11, "C_VerifyInit");
+	}
+	if (sym == NULL) {
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	}
+	return ((*sym)(hSession, pMechanism, hKey));
+}
+
+CK_RV
+pkcs_C_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen,
+	      CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen) {
+	static CK_C_Verify sym = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	}
+	if (sym == NULL) {
+		sym = (CK_C_Verify)GetProcAddress(hPK11, "C_Verify");
+	}
+	if (sym == NULL) {
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	}
+	return ((*sym)(hSession, pData, ulDataLen, pSignature, ulSignatureLen));
+}
+
+CK_RV
+pkcs_C_VerifyUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+		    CK_ULONG ulPartLen) {
+	static CK_C_VerifyUpdate sym = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	}
+	if (sym == NULL) {
+		sym = (CK_C_VerifyUpdate)GetProcAddress(hPK11, "C_"
+							       "VerifyUpdate");
+	}
+	if (sym == NULL) {
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	}
+	return ((*sym)(hSession, pPart, ulPartLen));
+}
+
+CK_RV
+pkcs_C_VerifyFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature,
+		   CK_ULONG ulSignatureLen) {
+	static CK_C_VerifyFinal sym = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	}
+	if (sym == NULL) {
+		sym = (CK_C_VerifyFinal)GetProcAddress(hPK11, "C_VerifyFinal");
+	}
+	if (sym == NULL) {
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	}
+	return ((*sym)(hSession, pSignature, ulSignatureLen));
+}
+
+CK_RV
+pkcs_C_GenerateKey(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+		   CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
+		   CK_OBJECT_HANDLE_PTR phKey) {
+	static CK_C_GenerateKey sym = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	}
+	if (sym == NULL) {
+		sym = (CK_C_GenerateKey)GetProcAddress(hPK11, "C_GenerateKey");
+	}
+	if (sym == NULL) {
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	}
+	return ((*sym)(hSession, pMechanism, pTemplate, ulCount, phKey));
+}
+
+CK_RV
+pkcs_C_GenerateKeyPair(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+		       CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+		       CK_ULONG usPublicKeyAttributeCount,
+		       CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+		       CK_ULONG usPrivateKeyAttributeCount,
+		       CK_OBJECT_HANDLE_PTR phPrivateKey,
+		       CK_OBJECT_HANDLE_PTR phPublicKey) {
+	static CK_C_GenerateKeyPair sym = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	}
+	if (sym == NULL) {
+		sym = (CK_C_GenerateKeyPair)GetProcAddress(hPK11, "C_"
+								  "GenerateKeyP"
+								  "air");
+	}
+	if (sym == NULL) {
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	}
+	return ((*sym)(hSession, pMechanism, pPublicKeyTemplate,
+		       usPublicKeyAttributeCount, pPrivateKeyTemplate,
+		       usPrivateKeyAttributeCount, phPrivateKey, phPublicKey));
+}
+
+CK_RV
+pkcs_C_DeriveKey(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+		 CK_OBJECT_HANDLE hBaseKey, CK_ATTRIBUTE_PTR pTemplate,
+		 CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey) {
+	static CK_C_DeriveKey sym = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	}
+	if (sym == NULL) {
+		sym = (CK_C_DeriveKey)GetProcAddress(hPK11, "C_DeriveKey");
+	}
+	if (sym == NULL) {
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	}
+	return ((*sym)(hSession, pMechanism, hBaseKey, pTemplate,
+		       ulAttributeCount, phKey));
+}
+
+CK_RV
+pkcs_C_SeedRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed,
+		  CK_ULONG ulSeedLen) {
+	static CK_C_SeedRandom sym = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	}
+	if (sym == NULL) {
+		sym = (CK_C_SeedRandom)GetProcAddress(hPK11, "C_SeedRandom");
+	}
+	if (sym == NULL) {
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	}
+	return ((*sym)(hSession, pSeed, ulSeedLen));
+}
+
+CK_RV
+pkcs_C_GenerateRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR RandomData,
+		      CK_ULONG ulRandomLen) {
+	static CK_C_GenerateRandom sym = NULL;
+
+	if (hPK11 == NULL) {
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	}
+	if (sym == NULL) {
+		sym = (CK_C_GenerateRandom)GetProcAddress(hPK11, "C_"
+								 "GenerateRando"
+								 "m");
+	}
+	if (sym == NULL) {
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	}
+	return ((*sym)(hSession, RandomData, ulRandomLen));
+}
diff --git a/lib/isc/win32/resource.c b/lib/isc/win32/resource.c
new file mode 100644
index 0000000..b44b322
--- /dev/null
+++ b/lib/isc/win32/resource.c
@@ -0,0 +1,66 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stdio.h>
+
+#include <isc/platform.h>
+#include <isc/resource.h>
+#include <isc/result.h>
+#include <isc/util.h>
+
+#include "errno2result.h"
+
+/*
+ * Windows limits the maximum number of open files to 2048
+ */
+
+#define WIN32_MAX_OPEN_FILES 2048
+
+isc_result_t
+isc_resource_setlimit(isc_resource_t resource, isc_resourcevalue_t value) {
+	isc_resourcevalue_t rlim_value;
+	int wresult;
+
+	if (resource != isc_resource_openfiles) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	if (value == ISC_RESOURCE_UNLIMITED) {
+		rlim_value = WIN32_MAX_OPEN_FILES;
+	} else {
+		rlim_value = min(value, WIN32_MAX_OPEN_FILES);
+	}
+
+	wresult = _setmaxstdio((int)rlim_value);
+
+	if (wresult > 0) {
+		return (ISC_R_SUCCESS);
+	} else {
+		return (isc__errno2result(errno));
+	}
+}
+
+isc_result_t
+isc_resource_getlimit(isc_resource_t resource, isc_resourcevalue_t *value) {
+	if (resource != isc_resource_openfiles) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	*value = WIN32_MAX_OPEN_FILES;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_resource_getcurlimit(isc_resource_t resource, isc_resourcevalue_t *value) {
+	return (isc_resource_getlimit(resource, value));
+}
diff --git a/lib/isc/win32/socket.c b/lib/isc/win32/socket.c
new file mode 100644
index 0000000..c154175
--- /dev/null
+++ b/lib/isc/win32/socket.c
@@ -0,0 +1,3965 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* This code uses functions which are only available on Server 2003 and
+ * higher, and Windows XP and higher.
+ *
+ * This code is by nature multithreaded and takes advantage of various
+ * features to pass on information through the completion port for
+ * when I/O is completed.  All sends, receives, accepts, and connects are
+ * completed through the completion port.
+ *
+ * The number of Completion Port Worker threads used is the total number
+ * of CPU's + 1. This increases the likelihood that a Worker Thread is
+ * available for processing a completed request.
+ *
+ * XXXPDM 5 August, 2002
+ */
+
+#define MAKE_EXTERNAL 1
+
+#include <sys/types.h>
+
+#ifndef _WINSOCKAPI_
+#define _WINSOCKAPI_ /* Prevent inclusion of winsock.h in windows.h */
+#endif		     /* ifndef _WINSOCKAPI_ */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <inttypes.h>
+#include <io.h>
+#include <process.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <isc/app.h>
+#include <isc/buffer.h>
+#include <isc/condition.h>
+#include <isc/list.h>
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/mutex.h>
+#include <isc/net.h>
+#include <isc/once.h>
+#include <isc/os.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/refcount.h>
+#include <isc/region.h>
+#include <isc/socket.h>
+#include <isc/stats.h>
+#include <isc/strerr.h>
+#include <isc/string.h>
+#include <isc/syslog.h>
+#include <isc/task.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+#include <isc/win32os.h>
+
+/* clang-format off */
+/* U Can't Touch This */
+#include <mswsock.h>
+/* clang-format on */
+
+#ifdef HAVE_JSON_C
+#include <json_object.h>
+#endif /* HAVE_JSON_C */
+
+#ifdef HAVE_LIBXML2
+#include <libxml/xmlwriter.h>
+#define ISC_XMLCHAR (const xmlChar *)
+#endif /* HAVE_LIBXML2 */
+
+#include "errno2result.h"
+
+/*
+ * Set by the -T dscp option on the command line. If set to a value
+ * other than -1, we check to make sure DSCP values match it, and
+ * assert if not.
+ */
+LIBISC_EXTERNAL_DATA int isc_dscp_check_value = -1;
+
+/*
+ * How in the world can Microsoft exist with APIs like this?
+ * We can't actually call this directly, because it turns out
+ * no library exports this function.  Instead, we need to
+ * issue a runtime call to get the address.
+ */
+LPFN_CONNECTEX ISCConnectEx;
+LPFN_ACCEPTEX ISCAcceptEx;
+LPFN_GETACCEPTEXSOCKADDRS ISCGetAcceptExSockaddrs;
+
+/*
+ * Run expensive internal consistency checks.
+ */
+#ifdef ISC_SOCKET_CONSISTENCY_CHECKS
+#define CONSISTENT(sock) consistent(sock)
+#else /* ifdef ISC_SOCKET_CONSISTENCY_CHECKS */
+#define CONSISTENT(sock) \
+	do {             \
+	} while (0)
+#endif /* ifdef ISC_SOCKET_CONSISTENCY_CHECKS */
+static void
+consistent(isc_socket_t *sock);
+
+/*
+ * Define this macro to control the behavior of connection
+ * resets on UDP sockets.  See Microsoft KnowledgeBase Article Q263823
+ * for details.
+ * NOTE: This requires that Windows 2000 systems install Service Pack 2
+ * or later.
+ */
+#ifndef SIO_UDP_CONNRESET
+#define SIO_UDP_CONNRESET _WSAIOW(IOC_VENDOR, 12)
+#endif /* ifndef SIO_UDP_CONNRESET */
+
+/*
+ * Define what the possible "soft" errors can be.  These are non-fatal returns
+ * of various network related functions, like recv() and so on.
+ */
+#define SOFT_ERROR(e)                                                      \
+	((e) == WSAEINTR || (e) == WSAEWOULDBLOCK || (e) == EWOULDBLOCK || \
+	 (e) == EINTR || (e) == EAGAIN || (e) == 0)
+
+/*
+ * Pending errors are not really errors and should be
+ * kept separate
+ */
+#define PENDING_ERROR(e) ((e) == WSA_IO_PENDING || (e) == 0)
+
+#define DOIO_SUCCESS 0 /* i/o ok, event sent */
+#define DOIO_SOFT    1 /* i/o ok, soft error, no event sent */
+#define DOIO_HARD    2 /* i/o error, event sent */
+#define DOIO_EOF     3 /* EOF, no event sent */
+#define DOIO_PENDING 4 /* status when i/o is in process */
+#define DOIO_NEEDMORE                                          \
+	5 /* IO was processed, but we need more due to minimum \
+	   */
+
+#define DLVL(x) ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_SOCKET, ISC_LOG_DEBUG(x)
+
+/*
+ * DLVL(90)  --  Function entry/exit and other tracing.
+ * DLVL(70)  --  Socket "correctness" -- including returning of events, etc.
+ * DLVL(60)  --  Socket data send/receive
+ * DLVL(50)  --  Event tracing, including receiving/sending completion events.
+ * DLVL(20)  --  Socket creation/destruction.
+ */
+#define TRACE_LEVEL	  90
+#define CORRECTNESS_LEVEL 70
+#define IOEVENT_LEVEL	  60
+#define EVENT_LEVEL	  50
+#define CREATION_LEVEL	  20
+
+#define TRACE	    DLVL(TRACE_LEVEL)
+#define CORRECTNESS DLVL(CORRECTNESS_LEVEL)
+#define IOEVENT	    DLVL(IOEVENT_LEVEL)
+#define EVENT	    DLVL(EVENT_LEVEL)
+#define CREATION    DLVL(CREATION_LEVEL)
+
+typedef isc_event_t intev_t;
+
+/*
+ * Socket State
+ */
+enum {
+	SOCK_INITIALIZED, /* Socket Initialized */
+	SOCK_OPEN,	  /* Socket opened but nothing yet to do */
+	SOCK_DATA,	  /* Socket sending or receiving data */
+	SOCK_LISTEN,	  /* TCP Socket listening for connects */
+	SOCK_ACCEPT,	  /* TCP socket is waiting to accept */
+	SOCK_CONNECT,	  /* TCP Socket connecting */
+	SOCK_CLOSED,	  /* Socket has been closed */
+};
+
+#define SOCKET_MAGIC	ISC_MAGIC('I', 'O', 'i', 'o')
+#define VALID_SOCKET(t) ISC_MAGIC_VALID(t, SOCKET_MAGIC)
+
+/*
+ * IPv6 control information.  If the socket is an IPv6 socket we want
+ * to collect the destination address and interface so the client can
+ * set them on outgoing packets.
+ */
+#ifndef USE_CMSG
+#define USE_CMSG 1
+#endif /* ifndef USE_CMSG */
+
+/*
+ * We really  don't want to try and use these control messages. Win32
+ * doesn't have this mechanism before XP.
+ */
+#undef USE_CMSG
+
+/*
+ * Message header for recvmsg and sendmsg calls.
+ * Used value-result for recvmsg, value only for sendmsg.
+ */
+struct msghdr {
+	SOCKADDR_STORAGE to_addr; /* UDP send/recv address */
+	int to_addr_len;	  /* length of the address */
+	WSABUF *msg_iov;	  /* scatter/gather array */
+	u_int msg_iovlen;	  /* # elements in msg_iov */
+	void *msg_control;	  /* ancillary data, see below */
+	u_int msg_controllen;	  /* ancillary data buffer len */
+	u_int msg_totallen;	  /* total length of this message */
+} msghdr;
+
+/*
+ * The size to raise the receive buffer to.
+ */
+#define RCVBUFSIZE (32 * 1024)
+
+/*
+ * The number of times a send operation is repeated if the result
+ * is WSAEINTR.
+ */
+#define NRETRIES 10
+
+struct isc_socket {
+	/* Not locked. */
+	unsigned int magic;
+	isc_socketmgr_t *manager;
+	isc_mutex_t lock;
+	isc_sockettype_t type;
+
+	/* Pointers to scatter/gather buffers */
+	WSABUF iov[ISC_SOCKET_MAXSCATTERGATHER];
+
+	/* Locked by socket lock. */
+	ISC_LINK(isc_socket_t) link;
+	isc_refcount_t references; /* EXTERNAL references */
+	SOCKET fd;		   /* file handle */
+	int pf;			   /* protocol family */
+	char name[16];
+	void *tag;
+
+	/*
+	 * Each recv() call uses this buffer.  It is a per-socket receive
+	 * buffer that allows us to decouple the system recv() from the
+	 * recv_list done events.  This means the items on the recv_list
+	 * can be removed without having to cancel pending system recv()
+	 * calls.  It also allows us to read-ahead in some cases.
+	 */
+	struct {
+		SOCKADDR_STORAGE from_addr; /* UDP send/recv address */
+		int from_addr_len;	    /* length of the address */
+		char *base;		    /* the base of the buffer */
+		char *consume_position;	    /* where to start
+					     * copying data from
+					     * next */
+		unsigned int len;	    /* the actual size of this buffer */
+		unsigned int remaining;	    /* the number of bytes
+					     * remaining */
+	} recvbuf;
+
+	ISC_LIST(isc_socketevent_t) send_list;
+	ISC_LIST(isc_socketevent_t) recv_list;
+	ISC_LIST(isc_socket_newconnev_t) accept_list;
+	ISC_LIST(isc_socket_connev_t) connect_list;
+
+	isc_sockaddr_t address; /* remote address */
+
+	unsigned int listener : 1,		    /* listener socket */
+		connected : 1, pending_connect : 1, /* connect
+						     * pending */
+		bound  : 1,			    /* bound to local addr */
+		dupped : 1;	     /* created by isc_socket_dup() */
+	unsigned int pending_iocp;   /* Should equal the counters below.
+				      * Debug. */
+	unsigned int pending_recv;   /* Number of outstanding recv() calls.
+				      * */
+	unsigned int pending_send;   /* Number of outstanding send() calls.
+				      * */
+	unsigned int pending_accept; /* Number of outstanding accept()
+				      * calls. */
+	unsigned int state;	     /* Socket state. Debugging and consistency
+				      * checking.
+				      */
+	int state_lineno;	     /* line which last touched state */
+};
+
+#define _set_state(sock, _state)                 \
+	do {                                     \
+		(sock)->state = (_state);        \
+		(sock)->state_lineno = __LINE__; \
+	} while (0)
+
+/*
+ * I/O Completion ports Info structures
+ */
+
+static HANDLE hHeapHandle = NULL;
+typedef struct IoCompletionInfo {
+	OVERLAPPED overlapped;
+	isc_socketevent_t *dev;	      /* send()/recv() done event */
+	isc_socket_connev_t *cdev;    /* connect() done event */
+	isc_socket_newconnev_t *adev; /* accept() done event */
+	void *acceptbuffer;
+	DWORD received_bytes;
+	int request_type;
+	struct msghdr messagehdr;
+	void *buf;
+	unsigned int buflen;
+} IoCompletionInfo;
+
+/*
+ * Define a maximum number of I/O Completion Port worker threads
+ * to handle the load on the Completion Port. The actual number
+ * used is the number of CPU's + 1.
+ */
+#define MAX_IOCPTHREADS 20
+
+#define SOCKET_MANAGER_MAGIC ISC_MAGIC('I', 'O', 'm', 'g')
+#define VALID_MANAGER(m)     ISC_MAGIC_VALID(m, SOCKET_MANAGER_MAGIC)
+
+struct isc_socketmgr {
+	/* Not locked. */
+	unsigned int magic;
+	isc_mem_t *mctx;
+	isc_mutex_t lock;
+	isc_stats_t *stats;
+
+	/* Locked by manager lock. */
+	ISC_LIST(isc_socket_t) socklist;
+	bool bShutdown;
+	isc_condition_t shutdown_ok;
+	HANDLE hIoCompletionPort;
+	int maxIOCPThreads;
+	HANDLE hIOCPThreads[MAX_IOCPTHREADS];
+	size_t maxudp;
+
+	/*
+	 * Debugging.
+	 * Modified by InterlockedIncrement() and InterlockedDecrement()
+	 */
+	LONG totalSockets;
+	LONG iocp_total;
+};
+
+enum { SOCKET_RECV, SOCKET_SEND, SOCKET_ACCEPT, SOCKET_CONNECT };
+
+/*
+ * send() and recv() iovec counts
+ */
+#define MAXSCATTERGATHER_SEND (ISC_SOCKET_MAXSCATTERGATHER)
+#define MAXSCATTERGATHER_RECV (ISC_SOCKET_MAXSCATTERGATHER)
+
+static isc_result_t
+socket_create(isc_socketmgr_t *manager0, int pf, isc_sockettype_t type,
+	      isc_socket_t **socketp, isc_socket_t *dup_socket);
+static isc_threadresult_t WINAPI
+SocketIoThread(LPVOID ThreadContext);
+static void
+maybe_free_socket(isc_socket_t **, int);
+static void
+free_socket(isc_socket_t **, int);
+static bool
+senddone_is_active(isc_socket_t *sock, isc_socketevent_t *dev);
+static bool
+acceptdone_is_active(isc_socket_t *sock, isc_socket_newconnev_t *dev);
+static bool
+connectdone_is_active(isc_socket_t *sock, isc_socket_connev_t *dev);
+static void
+send_recvdone_event(isc_socket_t *sock, isc_socketevent_t **dev);
+static void
+send_senddone_event(isc_socket_t *sock, isc_socketevent_t **dev);
+static void
+send_acceptdone_event(isc_socket_t *sock, isc_socket_newconnev_t **adev);
+static void
+send_connectdone_event(isc_socket_t *sock, isc_socket_connev_t **cdev);
+static void
+send_recvdone_abort(isc_socket_t *sock, isc_result_t result);
+static void
+send_connectdone_abort(isc_socket_t *sock, isc_result_t result);
+static void
+queue_receive_event(isc_socket_t *sock, isc_task_t *task,
+		    isc_socketevent_t *dev);
+static void
+queue_receive_request(isc_socket_t *sock);
+
+/*
+ * This is used to dump the contents of the sock structure
+ * You should make sure that the sock is locked before
+ * dumping it. Since the code uses simple printf() statements
+ * it should only be used interactively.
+ */
+void
+sock_dump(isc_socket_t *sock) {
+	isc_socketevent_t *ldev;
+	isc_socket_newconnev_t *ndev;
+	isc_socket_connev_t *cdev;
+
+#if 0
+	isc_sockaddr_t addr;
+	char socktext[ISC_SOCKADDR_FORMATSIZE];
+	isc_result_t result;
+
+	result = isc_socket_getpeername(sock,&addr);
+	if (result == ISC_R_SUCCESS) {
+		isc_sockaddr_format(&addr,socktext,sizeof(socktext));
+		printf("Remote Socket: %s\n",socktext);
+	}
+	result = isc_socket_getsockname(sock,&addr);
+	if (result == ISC_R_SUCCESS) {
+		isc_sockaddr_format(&addr,socktext,sizeof(socktext));
+		printf("This Socket: %s\n",socktext);
+	}
+#endif /* if 0 */
+
+	printf("\n\t\tSock Dump\n");
+	printf("\t\tfd: %Iu\n", sock->fd);
+	printf("\t\treferences: %" PRIuFAST32 "\n",
+	       isc_refcount_current(&sock->references));
+	printf("\t\tpending_accept: %u\n", sock->pending_accept);
+	printf("\t\tconnecting: %u\n", sock->pending_connect);
+	printf("\t\tconnected: %u\n", sock->connected);
+	printf("\t\tbound: %u\n", sock->bound);
+	printf("\t\tpending_iocp: %u\n", sock->pending_iocp);
+	printf("\t\tsocket type: %d\n", sock->type);
+
+	printf("\n\t\tSock Recv List\n");
+	ldev = ISC_LIST_HEAD(sock->recv_list);
+	while (ldev != NULL) {
+		printf("\t\tdev: %p\n", ldev);
+		ldev = ISC_LIST_NEXT(ldev, ev_link);
+	}
+
+	printf("\n\t\tSock Send List\n");
+	ldev = ISC_LIST_HEAD(sock->send_list);
+	while (ldev != NULL) {
+		printf("\t\tdev: %p\n", ldev);
+		ldev = ISC_LIST_NEXT(ldev, ev_link);
+	}
+
+	printf("\n\t\tSock Accept List\n");
+	ndev = ISC_LIST_HEAD(sock->accept_list);
+	while (ndev != NULL) {
+		printf("\t\tdev: %p\n", ldev);
+		ndev = ISC_LIST_NEXT(ndev, ev_link);
+	}
+
+	printf("\n\t\tSock Connect List\n");
+	cdev = ISC_LIST_HEAD(sock->connect_list);
+	while (cdev != NULL) {
+		printf("\t\tdev: %p\n", cdev);
+		cdev = ISC_LIST_NEXT(cdev, ev_link);
+	}
+}
+
+static void
+socket_log(int lineno, isc_socket_t *sock, const isc_sockaddr_t *address,
+	   isc_logcategory_t *category, isc_logmodule_t *module, int level,
+	   const char *fmt, ...) ISC_FORMAT_PRINTF(10, 11);
+
+/*  This function will add an entry to the I/O completion port
+ *  that will signal the I/O thread to exit (gracefully)
+ */
+static void
+signal_iocompletionport_exit(isc_socketmgr_t *manager) {
+	int i;
+	int errval;
+	char strbuf[ISC_STRERRORSIZE];
+
+	REQUIRE(VALID_MANAGER(manager));
+	for (i = 0; i < manager->maxIOCPThreads; i++) {
+		if (!PostQueuedCompletionStatus(manager->hIoCompletionPort, 0,
+						0, 0))
+		{
+			errval = GetLastError();
+			strerror_r(errval, strbuf, sizeof(strbuf));
+			FATAL_ERROR(__FILE__, __LINE__,
+				    "Can't request service thread to exit: %s",
+				    strbuf);
+		}
+	}
+}
+
+/*
+ * Create the worker threads for the I/O Completion Port
+ */
+void
+iocompletionport_createthreads(int total_threads, isc_socketmgr_t *manager) {
+	int errval;
+	char strbuf[ISC_STRERRORSIZE];
+	int i;
+
+	INSIST(total_threads > 0);
+	REQUIRE(VALID_MANAGER(manager));
+	/*
+	 * We need at least one
+	 */
+	for (i = 0; i < total_threads; i++) {
+		isc_thread_create(SocketIoThread, manager,
+				  &manager->hIOCPThreads[i]);
+	}
+}
+
+/*
+ *  Create/initialise the I/O completion port
+ */
+void
+iocompletionport_init(isc_socketmgr_t *manager) {
+	int errval;
+	char strbuf[ISC_STRERRORSIZE];
+
+	REQUIRE(VALID_MANAGER(manager));
+	/*
+	 * Create a private heap to handle the socket overlapped structure
+	 * The minimum number of structures is 10, there is no maximum
+	 */
+	hHeapHandle = HeapCreate(0, 10 * sizeof(IoCompletionInfo), 0);
+	if (hHeapHandle == NULL) {
+		errval = GetLastError();
+		strerror_r(errval, strbuf, sizeof(strbuf));
+		FATAL_ERROR(__FILE__, __LINE__,
+			    "HeapCreate() failed during initialization: %s",
+			    strbuf);
+	}
+
+	/* Now Create the Completion Port */
+	manager->hIoCompletionPort = CreateIoCompletionPort(
+		INVALID_HANDLE_VALUE, NULL, 0, manager->maxIOCPThreads);
+	if (manager->hIoCompletionPort == NULL) {
+		errval = GetLastError();
+		strerror_r(errval, strbuf, sizeof(strbuf));
+		FATAL_ERROR(__FILE__, __LINE__,
+			    "CreateIoCompletionPort() failed during "
+			    "initialization: %s",
+			    strbuf);
+	}
+
+	/*
+	 * Worker threads for servicing the I/O
+	 */
+	iocompletionport_createthreads(manager->maxIOCPThreads, manager);
+}
+
+/*
+ * Associate a socket with an IO Completion Port.  This allows us to queue
+ * events for it and have our worker pool of threads process them.
+ */
+void
+iocompletionport_update(isc_socket_t *sock) {
+	HANDLE hiocp;
+	char strbuf[ISC_STRERRORSIZE];
+
+	REQUIRE(VALID_SOCKET(sock));
+
+	hiocp = CreateIoCompletionPort((HANDLE)sock->fd,
+				       sock->manager->hIoCompletionPort,
+				       (ULONG_PTR)sock, 0);
+
+	if (hiocp == NULL) {
+		DWORD errval = GetLastError();
+		strerror_r(errval, strbuf, sizeof(strbuf));
+		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
+			      "iocompletionport_update: failed to open io "
+			      "completion port: %s",
+			      strbuf);
+
+		/* XXXMLG temporary hack to make failures detected.
+		 * This function should return errors to the caller, not
+		 * exit here.
+		 */
+		FATAL_ERROR(__FILE__, __LINE__,
+			    "CreateIoCompletionPort() failed during "
+			    "initialization: %s",
+			    strbuf);
+	}
+
+	InterlockedIncrement(&sock->manager->iocp_total);
+}
+
+/*
+ * Routine to cleanup and then close the socket.
+ * Only close the socket here if it is NOT associated
+ * with an event, otherwise the WSAWaitForMultipleEvents
+ * may fail due to the fact that the Wait should not
+ * be running while closing an event or a socket.
+ * The socket is locked before calling this function
+ */
+void
+socket_close(isc_socket_t *sock) {
+	REQUIRE(sock != NULL);
+
+	if (sock->fd != INVALID_SOCKET) {
+		closesocket(sock->fd);
+		sock->fd = INVALID_SOCKET;
+		_set_state(sock, SOCK_CLOSED);
+		InterlockedDecrement(&sock->manager->totalSockets);
+	}
+}
+
+static isc_once_t initialise_once = ISC_ONCE_INIT;
+static bool initialised = false;
+
+static void
+initialise(void) {
+	WORD wVersionRequested;
+	WSADATA wsaData;
+	int err;
+	SOCKET sock;
+	GUID GUIDConnectEx = WSAID_CONNECTEX;
+	GUID GUIDAcceptEx = WSAID_ACCEPTEX;
+	GUID GUIDGetAcceptExSockaddrs = WSAID_GETACCEPTEXSOCKADDRS;
+	DWORD dwBytes;
+
+	/* Need Winsock 2.2 or better */
+	wVersionRequested = MAKEWORD(2, 2);
+
+	err = WSAStartup(wVersionRequested, &wsaData);
+	if (err != 0) {
+		char strbuf[ISC_STRERRORSIZE];
+		strerror_r(err, strbuf, sizeof(strbuf));
+		FATAL_ERROR(__FILE__, __LINE__, "WSAStartup() failed: %s",
+			    strbuf);
+	}
+	/*
+	 * The following APIs do not exist as functions in a library, but
+	 * we must ask winsock for them.  They are "extensions" -- but why
+	 * they cannot be actual functions is beyond me.  So, ask winsock
+	 * for the pointers to the functions we need.
+	 */
+	sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+	INSIST(sock != INVALID_SOCKET);
+	err = WSAIoctl(sock, SIO_GET_EXTENSION_FUNCTION_POINTER, &GUIDConnectEx,
+		       sizeof(GUIDConnectEx), &ISCConnectEx,
+		       sizeof(ISCConnectEx), &dwBytes, NULL, NULL);
+	INSIST(err == 0);
+
+	err = WSAIoctl(sock, SIO_GET_EXTENSION_FUNCTION_POINTER, &GUIDAcceptEx,
+		       sizeof(GUIDAcceptEx), &ISCAcceptEx, sizeof(ISCAcceptEx),
+		       &dwBytes, NULL, NULL);
+	INSIST(err == 0);
+
+	err = WSAIoctl(sock, SIO_GET_EXTENSION_FUNCTION_POINTER,
+		       &GUIDGetAcceptExSockaddrs,
+		       sizeof(GUIDGetAcceptExSockaddrs),
+		       &ISCGetAcceptExSockaddrs,
+		       sizeof(ISCGetAcceptExSockaddrs), &dwBytes, NULL, NULL);
+	INSIST(err == 0);
+
+	closesocket(sock);
+
+	initialised = true;
+}
+
+/*
+ * Initialize socket services
+ */
+void
+InitSockets(void) {
+	RUNTIME_CHECK(isc_once_do(&initialise_once, initialise) ==
+		      ISC_R_SUCCESS);
+	if (!initialised) {
+		exit(1);
+	}
+}
+
+int
+internal_sendmsg(isc_socket_t *sock, IoCompletionInfo *lpo,
+		 struct msghdr *messagehdr, int flags, int *Error) {
+	int Result;
+	DWORD BytesSent;
+	DWORD Flags = flags;
+	int total_sent;
+
+	*Error = 0;
+	Result = WSASendTo(sock->fd, messagehdr->msg_iov,
+			   messagehdr->msg_iovlen, &BytesSent, Flags,
+			   (SOCKADDR *)&messagehdr->to_addr,
+			   messagehdr->to_addr_len, (LPWSAOVERLAPPED)lpo, NULL);
+
+	total_sent = (int)BytesSent;
+
+	/* Check for errors.*/
+	if (Result == SOCKET_ERROR) {
+		*Error = WSAGetLastError();
+
+		switch (*Error) {
+		case WSA_IO_INCOMPLETE:
+		case WSA_WAIT_IO_COMPLETION:
+		case WSA_IO_PENDING:
+		case NO_ERROR: /* Strange, but okay */
+			sock->pending_iocp++;
+			sock->pending_send++;
+			break;
+
+		default:
+			return (-1);
+			break;
+		}
+	} else {
+		sock->pending_iocp++;
+		sock->pending_send++;
+	}
+
+	if (lpo != NULL) {
+		return (0);
+	} else {
+		return (total_sent);
+	}
+}
+
+static void
+queue_receive_request(isc_socket_t *sock) {
+	DWORD Flags = 0;
+	DWORD NumBytes = 0;
+	int Result;
+	int Error;
+	int need_retry;
+	WSABUF iov[1];
+	IoCompletionInfo *lpo = NULL;
+	isc_result_t isc_result;
+
+retry:
+	need_retry = false;
+
+	/*
+	 * If we already have a receive pending, do nothing.
+	 */
+	if (sock->pending_recv > 0) {
+		if (lpo != NULL) {
+			HeapFree(hHeapHandle, 0, lpo);
+		}
+		return;
+	}
+
+	/*
+	 * If no one is waiting, do nothing.
+	 */
+	if (ISC_LIST_EMPTY(sock->recv_list)) {
+		if (lpo != NULL) {
+			HeapFree(hHeapHandle, 0, lpo);
+		}
+		return;
+	}
+
+	INSIST(sock->recvbuf.remaining == 0);
+	INSIST(sock->fd != INVALID_SOCKET);
+
+	iov[0].len = sock->recvbuf.len;
+	iov[0].buf = sock->recvbuf.base;
+
+	if (lpo == NULL) {
+		lpo = (IoCompletionInfo *)HeapAlloc(hHeapHandle,
+						    HEAP_ZERO_MEMORY,
+						    sizeof(IoCompletionInfo));
+		RUNTIME_CHECK(lpo != NULL);
+	} else {
+		ZeroMemory(lpo, sizeof(IoCompletionInfo));
+	}
+	lpo->request_type = SOCKET_RECV;
+
+	sock->recvbuf.from_addr_len = sizeof(sock->recvbuf.from_addr);
+
+	Error = 0;
+	Result = WSARecvFrom((SOCKET)sock->fd, iov, 1, &NumBytes, &Flags,
+			     (SOCKADDR *)&sock->recvbuf.from_addr,
+			     &sock->recvbuf.from_addr_len, (LPWSAOVERLAPPED)lpo,
+			     NULL);
+
+	/* Check for errors. */
+	if (Result == SOCKET_ERROR) {
+		Error = WSAGetLastError();
+
+		switch (Error) {
+		case WSA_IO_PENDING:
+			sock->pending_iocp++;
+			sock->pending_recv++;
+			break;
+
+		/* direct error: no completion event */
+		case ERROR_HOST_UNREACHABLE:
+		case WSAENETRESET:
+		case WSAECONNRESET:
+			if (!sock->connected) {
+				/* soft error */
+				need_retry = true;
+				break;
+			}
+			FALLTHROUGH;
+
+		default:
+			isc_result = isc__errno2result(Error);
+			if (isc_result == ISC_R_UNEXPECTED) {
+				UNEXPECTED_ERROR(__FILE__, __LINE__,
+						 "WSARecvFrom: Windows error "
+						 "code: %d, isc result %d",
+						 Error, isc_result);
+			}
+			send_recvdone_abort(sock, isc_result);
+			HeapFree(hHeapHandle, 0, lpo);
+			lpo = NULL;
+			break;
+		}
+	} else {
+		/*
+		 * The recv() finished immediately, but we will still get
+		 * a completion event.  Rather than duplicate code, let
+		 * that thread handle sending the data along its way.
+		 */
+		sock->pending_iocp++;
+		sock->pending_recv++;
+	}
+
+	socket_log(__LINE__, sock, NULL, IOEVENT,
+		   "queue_io_request: fd %d result %d error %d", sock->fd,
+		   Result, Error);
+
+	CONSISTENT(sock);
+
+	if (need_retry) {
+		goto retry;
+	}
+}
+
+static void
+manager_log(isc_socketmgr_t *sockmgr, isc_logcategory_t *category,
+	    isc_logmodule_t *module, int level, const char *fmt, ...) {
+	char msgbuf[2048];
+	va_list ap;
+
+	if (!isc_log_wouldlog(isc_lctx, level)) {
+		return;
+	}
+
+	va_start(ap, fmt);
+	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
+	va_end(ap);
+
+	isc_log_write(isc_lctx, category, module, level, "sockmgr %p: %s",
+		      sockmgr, msgbuf);
+}
+
+static void
+socket_log(int lineno, isc_socket_t *sock, const isc_sockaddr_t *address,
+	   isc_logcategory_t *category, isc_logmodule_t *module, int level,
+	   const char *fmt, ...) {
+	char msgbuf[2048];
+	char peerbuf[256];
+	va_list ap;
+
+	if (!isc_log_wouldlog(isc_lctx, level)) {
+		return;
+	}
+
+	va_start(ap, fmt);
+	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
+	va_end(ap);
+
+	if (address == NULL) {
+		isc_log_write(isc_lctx, category, module, level,
+			      "socket %p line %d: %s", sock, lineno, msgbuf);
+	} else {
+		isc_sockaddr_format(address, peerbuf, sizeof(peerbuf));
+		isc_log_write(isc_lctx, category, module, level,
+			      "socket %p line %d %s: %s", sock, lineno, peerbuf,
+			      msgbuf);
+	}
+}
+
+/*
+ * Make an fd SOCKET non-blocking.
+ */
+static isc_result_t
+make_nonblock(SOCKET fd) {
+	int ret;
+	unsigned long flags = 1;
+	char strbuf[ISC_STRERRORSIZE];
+
+	/* Set the socket to non-blocking */
+	ret = ioctlsocket(fd, FIONBIO, &flags);
+
+	if (ret == -1) {
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "ioctlsocket(%d, FIOBIO, %d): %s", fd, flags,
+				 strbuf);
+
+		return (ISC_R_UNEXPECTED);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Windows 2000 systems incorrectly cause UDP sockets using WSARecvFrom
+ * to not work correctly, returning a WSACONNRESET error when a WSASendTo
+ * fails with an "ICMP port unreachable" response and preventing the
+ * socket from using the WSARecvFrom in subsequent operations.
+ * The function below fixes this, but requires that Windows 2000
+ * Service Pack 2 or later be installed on the system.  NT 4.0
+ * systems are not affected by this and work correctly.
+ * See Microsoft Knowledge Base Article Q263823 for details of this.
+ */
+isc_result_t
+connection_reset_fix(SOCKET fd) {
+	DWORD dwBytesReturned = 0;
+	BOOL bNewBehavior = FALSE;
+	DWORD status;
+
+	if (isc_win32os_versioncheck(5, 0, 0, 0) < 0) {
+		return (ISC_R_SUCCESS); /*  NT 4.0 has no problem */
+	}
+	/* disable bad behavior using IOCTL: SIO_UDP_CONNRESET */
+	status = WSAIoctl(fd, SIO_UDP_CONNRESET, &bNewBehavior,
+			  sizeof(bNewBehavior), NULL, 0, &dwBytesReturned, NULL,
+			  NULL);
+	if (status != SOCKET_ERROR) {
+		return (ISC_R_SUCCESS);
+	} else {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "WSAIoctl(SIO_UDP_CONNRESET, oldBehaviour) "
+				 "failed");
+		return (ISC_R_UNEXPECTED);
+	}
+}
+
+/*
+ * Construct an iov array and attach it to the msghdr passed in.  This is
+ * the SEND constructor, which will use the used region of the buffer
+ * (if using a buffer list) or will use the internal region (if a single
+ * buffer I/O is requested).
+ *
+ * Nothing can be NULL, and the done event must list at least one buffer
+ * on the buffer linked list for this function to be meaningful.
+ */
+static void
+build_msghdr_send(isc_socket_t *sock, isc_socketevent_t *dev,
+		  struct msghdr *msg, char *cmsg, WSABUF *iov,
+		  IoCompletionInfo *lpo) {
+	unsigned int iovcount;
+	size_t write_count;
+
+	memset(msg, 0, sizeof(*msg));
+
+	memmove(&msg->to_addr, &dev->address.type, dev->address.length);
+	msg->to_addr_len = dev->address.length;
+
+	write_count = 0;
+	iovcount = 0;
+
+	/*
+	 * Single buffer I/O?  Skip what we've done so far in this region.
+	 */
+	write_count = dev->region.length - dev->n;
+	lpo->buf = HeapAlloc(hHeapHandle, HEAP_ZERO_MEMORY, write_count);
+	RUNTIME_CHECK(lpo->buf != NULL);
+
+	socket_log(__LINE__, sock, NULL, TRACE, "alloc_buffer %p %d", lpo->buf,
+		   write_count);
+
+	memmove(lpo->buf, (dev->region.base + dev->n), write_count);
+	lpo->buflen = (unsigned int)write_count;
+	iov[0].buf = lpo->buf;
+	iov[0].len = (u_long)write_count;
+	iovcount = 1;
+
+	msg->msg_iov = iov;
+	msg->msg_iovlen = iovcount;
+	msg->msg_totallen = (u_int)write_count;
+}
+
+static void
+set_dev_address(const isc_sockaddr_t *address, isc_socket_t *sock,
+		isc_socketevent_t *dev) {
+	if (sock->type == isc_sockettype_udp) {
+		if (address != NULL) {
+			dev->address = *address;
+		} else {
+			dev->address = sock->address;
+		}
+	} else if (sock->type == isc_sockettype_tcp) {
+		INSIST(address == NULL);
+		dev->address = sock->address;
+	}
+}
+
+static void
+destroy_socketevent(isc_event_t *event) {
+	isc_socketevent_t *ev = (isc_socketevent_t *)event;
+
+	(ev->destroy)(event);
+}
+
+static isc_socketevent_t *
+allocate_socketevent(isc_mem_t *mctx, isc_socket_t *sock,
+		     isc_eventtype_t eventtype, isc_taskaction_t action,
+		     void *arg) {
+	isc_socketevent_t *ev;
+
+	ev = (isc_socketevent_t *)isc_event_allocate(mctx, sock, eventtype,
+						     action, arg, sizeof(*ev));
+
+	ev->result = ISC_R_IOERROR; /* XXXMLG temporary change to detect failure
+				     */
+				    /* to set */
+	ISC_LINK_INIT(ev, ev_link);
+	ev->region.base = NULL;
+	ev->n = 0;
+	ev->offset = 0;
+	ev->attributes = 0;
+	ev->destroy = ev->ev_destroy;
+	ev->ev_destroy = destroy_socketevent;
+	ev->dscp = 0;
+
+	return (ev);
+}
+
+#if defined(ISC_SOCKET_DEBUG)
+static void
+dump_msg(struct msghdr *msg, isc_socket_t *sock) {
+	unsigned int i;
+
+	printf("MSGHDR %p, Socket #: %Iu\n", msg, sock->fd);
+	printf("\tname %p, namelen %d\n", msg->msg_name, msg->msg_namelen);
+	printf("\tiov %p, iovlen %d\n", msg->msg_iov, msg->msg_iovlen);
+	for (i = 0; i < (unsigned int)msg->msg_iovlen; i++) {
+		printf("\t\t%u\tbase %p, len %u\n", i, msg->msg_iov[i].buf,
+		       msg->msg_iov[i].len);
+	}
+}
+#endif /* if defined(ISC_SOCKET_DEBUG) */
+
+/*
+ * map the error code
+ */
+int
+map_socket_error(isc_socket_t *sock, int windows_errno, int *isc_errno,
+		 char *errorstring, size_t bufsize) {
+	int doreturn;
+	switch (windows_errno) {
+	case WSAECONNREFUSED:
+		*isc_errno = ISC_R_CONNREFUSED;
+		if (sock->connected) {
+			doreturn = DOIO_HARD;
+		} else {
+			doreturn = DOIO_SOFT;
+		}
+		break;
+	case WSAENETUNREACH:
+	case ERROR_NETWORK_UNREACHABLE:
+		*isc_errno = ISC_R_NETUNREACH;
+		if (sock->connected) {
+			doreturn = DOIO_HARD;
+		} else {
+			doreturn = DOIO_SOFT;
+		}
+		break;
+	case ERROR_PORT_UNREACHABLE:
+	case ERROR_HOST_UNREACHABLE:
+	case WSAEHOSTUNREACH:
+		*isc_errno = ISC_R_HOSTUNREACH;
+		if (sock->connected) {
+			doreturn = DOIO_HARD;
+		} else {
+			doreturn = DOIO_SOFT;
+		}
+		break;
+	case WSAENETDOWN:
+		*isc_errno = ISC_R_NETDOWN;
+		if (sock->connected) {
+			doreturn = DOIO_HARD;
+		} else {
+			doreturn = DOIO_SOFT;
+		}
+		break;
+	case WSAEHOSTDOWN:
+		*isc_errno = ISC_R_HOSTDOWN;
+		if (sock->connected) {
+			doreturn = DOIO_HARD;
+		} else {
+			doreturn = DOIO_SOFT;
+		}
+		break;
+	case WSAEACCES:
+		*isc_errno = ISC_R_NOPERM;
+		if (sock->connected) {
+			doreturn = DOIO_HARD;
+		} else {
+			doreturn = DOIO_SOFT;
+		}
+		break;
+	case WSAECONNRESET:
+	case WSAENETRESET:
+	case WSAECONNABORTED:
+	case WSAEDISCON:
+		*isc_errno = ISC_R_CONNECTIONRESET;
+		if (sock->connected) {
+			doreturn = DOIO_HARD;
+		} else {
+			doreturn = DOIO_SOFT;
+		}
+		break;
+	case WSAENOTCONN:
+		*isc_errno = ISC_R_NOTCONNECTED;
+		if (sock->connected) {
+			doreturn = DOIO_HARD;
+		} else {
+			doreturn = DOIO_SOFT;
+		}
+		break;
+	case ERROR_OPERATION_ABORTED:
+	case ERROR_CONNECTION_ABORTED:
+	case ERROR_REQUEST_ABORTED:
+		*isc_errno = ISC_R_CONNECTIONRESET;
+		doreturn = DOIO_HARD;
+		break;
+	case WSAENOBUFS:
+		*isc_errno = ISC_R_NORESOURCES;
+		doreturn = DOIO_HARD;
+		break;
+	case WSAEAFNOSUPPORT:
+		*isc_errno = ISC_R_FAMILYNOSUPPORT;
+		doreturn = DOIO_HARD;
+		break;
+	case WSAEADDRNOTAVAIL:
+		*isc_errno = ISC_R_ADDRNOTAVAIL;
+		doreturn = DOIO_HARD;
+		break;
+	case WSAEDESTADDRREQ:
+		*isc_errno = ISC_R_BADADDRESSFORM;
+		doreturn = DOIO_HARD;
+		break;
+	case ERROR_NETNAME_DELETED:
+		*isc_errno = ISC_R_NETDOWN;
+		doreturn = DOIO_HARD;
+		break;
+	default:
+		*isc_errno = ISC_R_IOERROR;
+		doreturn = DOIO_HARD;
+		break;
+	}
+	if (doreturn == DOIO_HARD) {
+		strerror_r(windows_errno, errorstring, bufsize);
+	}
+	return (doreturn);
+}
+
+static void
+fill_recv(isc_socket_t *sock, isc_socketevent_t *dev) {
+	int copylen;
+
+	INSIST(dev->n < dev->minimum);
+	INSIST(sock->recvbuf.remaining > 0);
+	INSIST(sock->pending_recv == 0);
+
+	if (sock->type == isc_sockettype_udp) {
+		dev->address.length = sock->recvbuf.from_addr_len;
+		memmove(&dev->address.type, &sock->recvbuf.from_addr,
+			sock->recvbuf.from_addr_len);
+		if (isc_sockaddr_getport(&dev->address) == 0) {
+			if (isc_log_wouldlog(isc_lctx, IOEVENT_LEVEL)) {
+				socket_log(__LINE__, sock, &dev->address,
+					   IOEVENT,
+					   "dropping source port zero packet");
+			}
+			sock->recvbuf.remaining = 0;
+			return;
+		}
+		/*
+		 * Simulate a firewall blocking UDP responses bigger than
+		 * 'maxudp' bytes.
+		 */
+		if (sock->manager->maxudp != 0 &&
+		    sock->recvbuf.remaining > sock->manager->maxudp)
+		{
+			sock->recvbuf.remaining = 0;
+			return;
+		}
+	} else if (sock->type == isc_sockettype_tcp) {
+		dev->address = sock->address;
+	}
+
+	copylen = min(dev->region.length - dev->n, sock->recvbuf.remaining);
+	memmove(dev->region.base + dev->n, sock->recvbuf.consume_position,
+		copylen);
+	sock->recvbuf.consume_position += copylen;
+	sock->recvbuf.remaining -= copylen;
+	dev->n += copylen;
+
+	/*
+	 * UDP receives are all-consuming.  That is, if we have 4k worth of
+	 * data in our receive buffer, and the caller only gave us
+	 * 1k of space, we will toss the remaining 3k of data.  TCP
+	 * will keep the extra data around and use it for later requests.
+	 */
+	if (sock->type == isc_sockettype_udp) {
+		sock->recvbuf.remaining = 0;
+	}
+}
+
+/*
+ * Copy out as much data from the internal buffer to done events.
+ * As each done event is filled, send it along its way.
+ */
+static void
+completeio_recv(isc_socket_t *sock) {
+	isc_socketevent_t *dev;
+
+	/*
+	 * If we are in the process of filling our buffer, we cannot
+	 * touch it yet, so don't.
+	 */
+	if (sock->pending_recv > 0) {
+		return;
+	}
+
+	while (sock->recvbuf.remaining > 0 && !ISC_LIST_EMPTY(sock->recv_list))
+	{
+		dev = ISC_LIST_HEAD(sock->recv_list);
+
+		/*
+		 * See if we have sufficient data in our receive buffer
+		 * to handle this.  If we do, copy out the data.
+		 */
+		fill_recv(sock, dev);
+
+		/*
+		 * Did we satisfy it?
+		 */
+		if (dev->n >= dev->minimum) {
+			dev->result = ISC_R_SUCCESS;
+			send_recvdone_event(sock, &dev);
+		}
+	}
+}
+
+/*
+ * Returns:
+ *	DOIO_SUCCESS	The operation succeeded.  dev->result contains
+ *			ISC_R_SUCCESS.
+ *
+ *	DOIO_HARD	A hard or unexpected I/O error was encountered.
+ *			dev->result contains the appropriate error.
+ *
+ *	DOIO_SOFT	A soft I/O error was encountered.  No senddone
+ *			event was sent.  The operation should be retried.
+ *
+ *	No other return values are possible.
+ */
+static int
+completeio_send(isc_socket_t *sock, isc_socketevent_t *dev,
+		struct msghdr *messagehdr, int cc, int send_errno) {
+	char strbuf[ISC_STRERRORSIZE];
+
+	if (send_errno != 0) {
+		if (SOFT_ERROR(send_errno)) {
+			return (DOIO_SOFT);
+		}
+
+		return (map_socket_error(sock, send_errno, &dev->result, strbuf,
+					 sizeof(strbuf)));
+	}
+
+	/*
+	 * If we write less than we expected, update counters, poke.
+	 */
+	dev->n += cc;
+	if (cc != messagehdr->msg_totallen) {
+		return (DOIO_SOFT);
+	}
+
+	/*
+	 * Exactly what we wanted to write.  We're done with this
+	 * entry.  Post its completion event.
+	 */
+	dev->result = ISC_R_SUCCESS;
+	return (DOIO_SUCCESS);
+}
+
+static int
+startio_send(isc_socket_t *sock, isc_socketevent_t *dev, int *nbytes,
+	     int *send_errno) {
+	char *cmsg = NULL;
+	char strbuf[ISC_STRERRORSIZE];
+	IoCompletionInfo *lpo;
+	int status;
+	struct msghdr *mh;
+
+	/*
+	 * Simulate a firewall blocking UDP responses bigger than
+	 * 'maxudp' bytes.
+	 */
+	if (sock->type == isc_sockettype_udp && sock->manager->maxudp != 0 &&
+	    dev->region.length - dev->n > sock->manager->maxudp)
+	{
+		*nbytes = dev->region.length - dev->n;
+		return (DOIO_SUCCESS);
+	}
+
+	lpo = (IoCompletionInfo *)HeapAlloc(hHeapHandle, HEAP_ZERO_MEMORY,
+					    sizeof(IoCompletionInfo));
+	RUNTIME_CHECK(lpo != NULL);
+	lpo->request_type = SOCKET_SEND;
+	lpo->dev = dev;
+	mh = &lpo->messagehdr;
+	memset(mh, 0, sizeof(struct msghdr));
+
+	build_msghdr_send(sock, dev, mh, cmsg, sock->iov, lpo);
+
+	*nbytes = internal_sendmsg(sock, lpo, mh, 0, send_errno);
+
+	if (*nbytes <= 0) {
+		/*
+		 * I/O has been initiated
+		 * completion will be through the completion port
+		 */
+		if (PENDING_ERROR(*send_errno)) {
+			status = DOIO_PENDING;
+			goto done;
+		}
+
+		if (SOFT_ERROR(*send_errno)) {
+			status = DOIO_SOFT;
+			goto done;
+		}
+
+		/*
+		 * If we got this far then something is wrong
+		 */
+		if (isc_log_wouldlog(isc_lctx, IOEVENT_LEVEL)) {
+			strerror_r(*send_errno, strbuf, sizeof(strbuf));
+			socket_log(__LINE__, sock, NULL, IOEVENT,
+				   "startio_send: internal_sendmsg(%d) %d "
+				   "bytes, err %d/%s",
+				   sock->fd, *nbytes, *send_errno, strbuf);
+		}
+		status = DOIO_HARD;
+		goto done;
+	}
+	dev->result = ISC_R_SUCCESS;
+	status = DOIO_SOFT;
+done:
+	_set_state(sock, SOCK_DATA);
+	return (status);
+}
+
+static void
+use_min_mtu(isc_socket_t *sock) {
+#ifdef IPV6_USE_MIN_MTU
+	/* use minimum MTU */
+	if (sock->pf == AF_INET6) {
+		int on = 1;
+		(void)setsockopt(sock->fd, IPPROTO_IPV6, IPV6_USE_MIN_MTU,
+				 (void *)&on, sizeof(on));
+	}
+#else  /* ifdef IPV6_USE_MIN_MTU */
+	UNUSED(sock);
+#endif /* ifdef IPV6_USE_MIN_MTU */
+}
+
+static isc_result_t
+allocate_socket(isc_socketmgr_t *manager, isc_sockettype_t type,
+		isc_socket_t **socketp) {
+	isc_socket_t *sock;
+
+	sock = isc_mem_get(manager->mctx, sizeof(*sock));
+
+	sock->magic = 0;
+	isc_refcount_init(&sock->references, 0);
+
+	sock->manager = manager;
+	sock->type = type;
+	sock->fd = INVALID_SOCKET;
+
+	ISC_LINK_INIT(sock, link);
+
+	/*
+	 * Set up list of readers and writers to be initially empty.
+	 */
+	ISC_LIST_INIT(sock->recv_list);
+	ISC_LIST_INIT(sock->send_list);
+	ISC_LIST_INIT(sock->accept_list);
+	ISC_LIST_INIT(sock->connect_list);
+	sock->pending_accept = 0;
+	sock->pending_recv = 0;
+	sock->pending_send = 0;
+	sock->pending_iocp = 0;
+	sock->listener = 0;
+	sock->connected = 0;
+	sock->pending_connect = 0;
+	sock->bound = 0;
+	sock->dupped = 0;
+	memset(sock->name, 0, sizeof(sock->name)); /* zero the name field */
+	_set_state(sock, SOCK_INITIALIZED);
+
+	sock->recvbuf.len = 65536;
+	sock->recvbuf.consume_position = sock->recvbuf.base;
+	sock->recvbuf.remaining = 0;
+	sock->recvbuf.base = isc_mem_get(manager->mctx,
+					 sock->recvbuf.len); /* max buffer */
+							     /* size */
+
+	/*
+	 * Initialize the lock.
+	 */
+	isc_mutex_init(&sock->lock);
+
+	socket_log(__LINE__, sock, NULL, EVENT, "allocated");
+
+	sock->magic = SOCKET_MAGIC;
+	*socketp = sock;
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Verify that the socket state is consistent.
+ */
+static void
+consistent(isc_socket_t *sock) {
+	isc_socketevent_t *dev;
+	isc_socket_newconnev_t *nev;
+	unsigned int count;
+	char *crash_reason;
+	bool crash = false;
+
+	REQUIRE(sock->pending_iocp == sock->pending_recv + sock->pending_send +
+					      sock->pending_accept +
+					      sock->pending_connect);
+
+	dev = ISC_LIST_HEAD(sock->send_list);
+	count = 0;
+	while (dev != NULL) {
+		count++;
+		dev = ISC_LIST_NEXT(dev, ev_link);
+	}
+	if (count > sock->pending_send) {
+		crash = true;
+		crash_reason = "send_list > sock->pending_send";
+	}
+
+	nev = ISC_LIST_HEAD(sock->accept_list);
+	count = 0;
+	while (nev != NULL) {
+		count++;
+		nev = ISC_LIST_NEXT(nev, ev_link);
+	}
+	if (count > sock->pending_accept) {
+		crash = true;
+		crash_reason = "accept_list > sock->pending_accept";
+	}
+
+	if (crash) {
+		socket_log(__LINE__, sock, NULL, CREATION,
+			   "SOCKET INCONSISTENT: %s", crash_reason);
+		sock_dump(sock);
+		INSIST(!crash);
+	}
+}
+
+/*
+ * Maybe free the socket.
+ *
+ * This function will verify that the socket is no longer in use in any way,
+ * either internally or externally.  This is the only place where this
+ * check is to be made; if some bit of code believes that IT is done with
+ * the socket (e.g., some reference counter reaches zero), it should call
+ * this function.
+ *
+ * When calling this function, the socket must be locked, and the manager
+ * must be unlocked.
+ *
+ * When this function returns, *socketp will be NULL.  No tricks to try
+ * to hold on to this pointer are allowed.
+ */
+static void
+maybe_free_socket(isc_socket_t **socketp, int lineno) {
+	isc_socket_t *sock = *socketp;
+	*socketp = NULL;
+
+	INSIST(VALID_SOCKET(sock));
+	CONSISTENT(sock);
+
+	if (sock->pending_iocp > 0 || sock->pending_recv > 0 ||
+	    sock->pending_send > 0 || sock->pending_accept > 0 ||
+	    isc_refcount_current(&sock->references) > 0 ||
+	    sock->pending_connect == 1 || !ISC_LIST_EMPTY(sock->recv_list) ||
+	    !ISC_LIST_EMPTY(sock->send_list) ||
+	    !ISC_LIST_EMPTY(sock->accept_list) ||
+	    !ISC_LIST_EMPTY(sock->connect_list) || sock->fd != INVALID_SOCKET)
+	{
+		UNLOCK(&sock->lock);
+		return;
+	}
+	UNLOCK(&sock->lock);
+
+	free_socket(&sock, lineno);
+}
+
+void
+free_socket(isc_socket_t **sockp, int lineno) {
+	isc_socketmgr_t *manager;
+	isc_socket_t *sock = *sockp;
+	*sockp = NULL;
+
+	/*
+	 * Seems we can free the socket after all.
+	 */
+	manager = sock->manager;
+	socket_log(__LINE__, sock, NULL, CREATION,
+		   "freeing socket line %d fd %d lock %p semaphore %p", lineno,
+		   sock->fd, &sock->lock, sock->lock.LockSemaphore);
+
+	sock->magic = 0;
+	isc_mutex_destroy(&sock->lock);
+
+	if (sock->recvbuf.base != NULL) {
+		isc_mem_put(manager->mctx, sock->recvbuf.base,
+			    sock->recvbuf.len);
+	}
+
+	LOCK(&manager->lock);
+	if (ISC_LINK_LINKED(sock, link)) {
+		ISC_LIST_UNLINK(manager->socklist, sock, link);
+	}
+	isc_mem_put(manager->mctx, sock, sizeof(*sock));
+
+	if (ISC_LIST_EMPTY(manager->socklist)) {
+		SIGNAL(&manager->shutdown_ok);
+	}
+	UNLOCK(&manager->lock);
+}
+
+/*
+ * Create a new 'type' socket managed by 'manager'.  Events
+ * will be posted to 'task' and when dispatched 'action' will be
+ * called with 'arg' as the arg value.  The new socket is returned
+ * in 'socketp'.
+ */
+static isc_result_t
+socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
+	      isc_socket_t **socketp, isc_socket_t *dup_socket) {
+	isc_socket_t *sock = NULL;
+	isc_result_t result;
+#if defined(USE_CMSG)
+	int on = 1;
+#endif /* if defined(USE_CMSG) */
+#if defined(SO_RCVBUF)
+	socklen_t optlen;
+	int size;
+#endif /* if defined(SO_RCVBUF) */
+	int socket_errno;
+	char strbuf[ISC_STRERRORSIZE];
+
+	REQUIRE(VALID_MANAGER(manager));
+	REQUIRE(socketp != NULL && *socketp == NULL);
+
+#ifndef SOCK_RAW
+	if (type == isc_sockettype_raw) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+#endif /* ifndef SOCK_RAW */
+
+	result = allocate_socket(manager, type, &sock);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	sock->pf = pf;
+	switch (type) {
+	case isc_sockettype_udp:
+		sock->fd = socket(pf, SOCK_DGRAM, IPPROTO_UDP);
+		if (sock->fd != INVALID_SOCKET) {
+			result = connection_reset_fix(sock->fd);
+			if (result != ISC_R_SUCCESS) {
+				socket_log(__LINE__, sock, NULL, EVENT,
+					   "closed %d %d %" PRIuFAST32 " "
+					   "con_reset_fix_failed",
+					   sock->pending_recv,
+					   sock->pending_send,
+					   isc_refcount_current(
+						   &sock->references));
+				closesocket(sock->fd);
+				_set_state(sock, SOCK_CLOSED);
+				sock->fd = INVALID_SOCKET;
+				free_socket(&sock, __LINE__);
+				return (result);
+			}
+		}
+		break;
+	case isc_sockettype_tcp:
+		sock->fd = socket(pf, SOCK_STREAM, IPPROTO_TCP);
+		break;
+#ifdef SOCK_RAW
+	case isc_sockettype_raw:
+		sock->fd = socket(pf, SOCK_RAW, 0);
+#ifdef PF_ROUTE
+		if (pf == PF_ROUTE) {
+			sock->bound = 1;
+		}
+#endif /* ifdef PF_ROUTE */
+		break;
+#endif /* ifdef SOCK_RAW */
+	}
+
+	if (sock->fd == INVALID_SOCKET) {
+		socket_errno = WSAGetLastError();
+		free_socket(&sock, __LINE__);
+
+		switch (socket_errno) {
+		case WSAEMFILE:
+		case WSAENOBUFS:
+			return (ISC_R_NORESOURCES);
+
+		case WSAEPROTONOSUPPORT:
+		case WSAEPFNOSUPPORT:
+		case WSAEAFNOSUPPORT:
+			return (ISC_R_FAMILYNOSUPPORT);
+
+		default:
+			strerror_r(socket_errno, strbuf, sizeof(strbuf));
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "socket() failed: %s", strbuf);
+			return (ISC_R_UNEXPECTED);
+		}
+	}
+
+	result = make_nonblock(sock->fd);
+	if (result != ISC_R_SUCCESS) {
+		socket_log(__LINE__, sock, NULL, EVENT,
+			   "closed %d %d %" PRIuFAST32 " make_nonblock_failed",
+			   sock->pending_recv, sock->pending_send,
+			   isc_refcount_current(&sock->references));
+		closesocket(sock->fd);
+		sock->fd = INVALID_SOCKET;
+		free_socket(&sock, __LINE__);
+		return (result);
+	}
+
+	/*
+	 * Use minimum mtu if possible.
+	 */
+	use_min_mtu(sock);
+
+#if defined(USE_CMSG) || defined(SO_RCVBUF)
+	if (type == isc_sockettype_udp) {
+#if defined(USE_CMSG)
+#ifdef IPV6_RECVPKTINFO
+		/* 2292bis */
+		if ((pf == AF_INET6) &&
+		    (setsockopt(sock->fd, IPPROTO_IPV6, IPV6_RECVPKTINFO,
+				(char *)&on, sizeof(on)) < 0))
+		{
+			strerror_r(WSAGetLastError(), strbuf, sizeof(strbuf));
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "setsockopt(%d, IPV6_RECVPKTINFO) "
+					 "failed: %s",
+					 sock->fd, strbuf);
+		}
+#else  /* ifdef IPV6_RECVPKTINFO */
+		/* 2292 */
+		if ((pf == AF_INET6) &&
+		    (setsockopt(sock->fd, IPPROTO_IPV6, IPV6_PKTINFO,
+				(char *)&on, sizeof(on)) < 0))
+		{
+			strerror_r(WSAGetLastError(), strbuf, sizeof(strbuf));
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "setsockopt(%d, IPV6_PKTINFO) %s: %s",
+					 sock->fd, strbuf);
+		}
+#endif /* IPV6_RECVPKTINFO */
+#endif /* defined(USE_CMSG) */
+
+#if defined(SO_RCVBUF)
+		optlen = sizeof(size);
+		if (getsockopt(sock->fd, SOL_SOCKET, SO_RCVBUF, (char *)&size,
+			       &optlen) >= 0 &&
+		    size < RCVBUFSIZE)
+		{
+			size = RCVBUFSIZE;
+			(void)setsockopt(sock->fd, SOL_SOCKET, SO_RCVBUF,
+					 (char *)&size, sizeof(size));
+		}
+#endif /* if defined(SO_RCVBUF) */
+	}
+#endif /* defined(USE_CMSG) || defined(SO_RCVBUF) */
+
+	_set_state(sock, SOCK_OPEN);
+	isc_refcount_init(&sock->references, 1);
+	*socketp = sock;
+
+	iocompletionport_update(sock);
+
+	if (dup_socket) {
+#ifndef ISC_ALLOW_MAPPED
+		isc_socket_ipv6only(sock, true);
+#endif /* ifndef ISC_ALLOW_MAPPED */
+
+		if (dup_socket->bound) {
+			isc_sockaddr_t local;
+
+			result = isc_socket_getsockname(dup_socket, &local);
+			if (result != ISC_R_SUCCESS) {
+				isc_socket_close(sock);
+				return (result);
+			}
+			result = isc_socket_bind(sock, &local,
+						 ISC_SOCKET_REUSEADDRESS);
+			if (result != ISC_R_SUCCESS) {
+				isc_socket_close(sock);
+				return (result);
+			}
+		}
+		sock->dupped = 1;
+	}
+
+	/*
+	 * Note we don't have to lock the socket like we normally would because
+	 * there are no external references to it yet.
+	 */
+	LOCK(&manager->lock);
+	ISC_LIST_APPEND(manager->socklist, sock, link);
+	InterlockedIncrement(&manager->totalSockets);
+	UNLOCK(&manager->lock);
+
+	socket_log(__LINE__, sock, NULL, CREATION, "created %u type %u",
+		   sock->fd, type);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
+		  isc_socket_t **socketp) {
+	return (socket_create(manager, pf, type, socketp, NULL));
+}
+
+isc_result_t
+isc_socket_dup(isc_socket_t *sock, isc_socket_t **socketp) {
+	REQUIRE(VALID_SOCKET(sock));
+	REQUIRE(socketp != NULL && *socketp == NULL);
+
+	return (socket_create(sock->manager, sock->pf, sock->type, socketp,
+			      sock));
+}
+
+isc_result_t
+isc_socket_open(isc_socket_t *sock) {
+	REQUIRE(VALID_SOCKET(sock));
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+/*
+ * Attach to a socket.  Caller must explicitly detach when it is done.
+ */
+void
+isc_socket_attach(isc_socket_t *sock, isc_socket_t **socketp) {
+	REQUIRE(VALID_SOCKET(sock));
+	REQUIRE(socketp != NULL && *socketp == NULL);
+
+	LOCK(&sock->lock);
+	CONSISTENT(sock);
+	UNLOCK(&sock->lock);
+
+	isc_refcount_increment0(&sock->references);
+
+	*socketp = sock;
+}
+
+/*
+ * Dereference a socket.  If this is the last reference to it, clean things
+ * up by destroying the socket.
+ */
+void
+isc_socket_detach(isc_socket_t **socketp) {
+	isc_socket_t *sock;
+	uint32_t references;
+
+	REQUIRE(socketp != NULL);
+	sock = *socketp;
+	*socketp = NULL;
+	REQUIRE(VALID_SOCKET(sock));
+
+	LOCK(&sock->lock);
+	CONSISTENT(sock);
+
+	references = isc_refcount_decrement(&sock->references);
+
+	socket_log(__LINE__, sock, NULL, EVENT,
+		   "detach_socket %d %d %" PRIuFAST32, sock->pending_recv,
+		   sock->pending_send, isc_refcount_current(&sock->references));
+
+	if (references == 1 && sock->fd != INVALID_SOCKET) {
+		closesocket(sock->fd);
+		sock->fd = INVALID_SOCKET;
+		_set_state(sock, SOCK_CLOSED);
+	}
+
+	maybe_free_socket(&sock, __LINE__); /* Also unlocks the socket lock */
+}
+
+isc_result_t
+isc_socket_close(isc_socket_t *sock) {
+	REQUIRE(VALID_SOCKET(sock));
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+/*
+ * Dequeue an item off the given socket's read queue, set the result code
+ * in the done event to the one provided, and send it to the task it was
+ * destined for.
+ *
+ * If the event to be sent is on a list, remove it before sending.  If
+ * asked to, send and detach from the task as well.
+ *
+ * Caller must have the socket locked if the event is attached to the socket.
+ */
+static void
+send_recvdone_event(isc_socket_t *sock, isc_socketevent_t **dev) {
+	isc_task_t *task;
+
+	task = (*dev)->ev_sender;
+	(*dev)->ev_sender = sock;
+
+	if (ISC_LINK_LINKED(*dev, ev_link)) {
+		ISC_LIST_DEQUEUE(sock->recv_list, *dev, ev_link);
+	}
+
+	if (((*dev)->attributes & ISC_SOCKEVENTATTR_ATTACHED) != 0) {
+		isc_task_sendanddetach(&task, (isc_event_t **)dev);
+	} else {
+		isc_task_send(task, (isc_event_t **)dev);
+	}
+
+	CONSISTENT(sock);
+}
+
+/*
+ * See comments for send_recvdone_event() above.
+ */
+static void
+send_senddone_event(isc_socket_t *sock, isc_socketevent_t **dev) {
+	isc_task_t *task;
+
+	INSIST(dev != NULL && *dev != NULL);
+
+	task = (*dev)->ev_sender;
+	(*dev)->ev_sender = sock;
+
+	if (ISC_LINK_LINKED(*dev, ev_link)) {
+		ISC_LIST_DEQUEUE(sock->send_list, *dev, ev_link);
+	}
+
+	if (((*dev)->attributes & ISC_SOCKEVENTATTR_ATTACHED) != 0) {
+		isc_task_sendanddetach(&task, (isc_event_t **)dev);
+	} else {
+		isc_task_send(task, (isc_event_t **)dev);
+	}
+
+	CONSISTENT(sock);
+}
+
+/*
+ * See comments for send_recvdone_event() above.
+ */
+static void
+send_acceptdone_event(isc_socket_t *sock, isc_socket_newconnev_t **adev) {
+	isc_task_t *task;
+
+	INSIST(adev != NULL && *adev != NULL);
+
+	task = (*adev)->ev_sender;
+	(*adev)->ev_sender = sock;
+
+	if (ISC_LINK_LINKED(*adev, ev_link)) {
+		ISC_LIST_DEQUEUE(sock->accept_list, *adev, ev_link);
+	}
+
+	isc_task_sendanddetach(&task, (isc_event_t **)adev);
+
+	CONSISTENT(sock);
+}
+
+/*
+ * See comments for send_recvdone_event() above.
+ */
+static void
+send_connectdone_event(isc_socket_t *sock, isc_socket_connev_t **cdev) {
+	isc_task_t *task;
+
+	INSIST(cdev != NULL && *cdev != NULL);
+
+	task = (*cdev)->ev_sender;
+	(*cdev)->ev_sender = sock;
+
+	if (ISC_LINK_LINKED(*cdev, ev_link)) {
+		ISC_LIST_DEQUEUE(sock->connect_list, *cdev, ev_link);
+	}
+
+	isc_task_sendanddetach(&task, (isc_event_t **)cdev);
+
+	CONSISTENT(sock);
+}
+
+/*
+ * On entry to this function, the event delivered is the internal
+ * readable event, and the first item on the accept_list should be
+ * the done event we want to send.  If the list is empty, this is a no-op,
+ * so just close the new connection, unlock, and return.
+ *
+ * Note the socket is locked before entering here
+ */
+static void
+internal_accept(isc_socket_t *sock, IoCompletionInfo *lpo, int accept_errno) {
+	isc_socket_newconnev_t *adev;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_socket_t *nsock;
+	struct sockaddr *localaddr;
+	int localaddr_len = sizeof(*localaddr);
+	struct sockaddr *remoteaddr;
+	int remoteaddr_len = sizeof(*remoteaddr);
+
+	INSIST(VALID_SOCKET(sock));
+	LOCK(&sock->lock);
+	CONSISTENT(sock);
+
+	socket_log(__LINE__, sock, NULL, TRACE, "internal_accept called");
+
+	INSIST(sock->listener);
+
+	INSIST(sock->pending_iocp > 0);
+	sock->pending_iocp--;
+	INSIST(sock->pending_accept > 0);
+	sock->pending_accept--;
+
+	adev = lpo->adev;
+
+	/*
+	 * If the event is no longer in the list we can just return.
+	 */
+	if (!acceptdone_is_active(sock, adev)) {
+		goto done;
+	}
+
+	nsock = adev->newsocket;
+
+	/*
+	 * Pull off the done event.
+	 */
+	ISC_LIST_UNLINK(sock->accept_list, adev, ev_link);
+
+	/*
+	 * Extract the addresses from the socket, copy them into the structure,
+	 * and return the new socket.
+	 */
+	ISCGetAcceptExSockaddrs(
+		lpo->acceptbuffer, 0, sizeof(SOCKADDR_STORAGE) + 16,
+		sizeof(SOCKADDR_STORAGE) + 16, (LPSOCKADDR *)&localaddr,
+		&localaddr_len, (LPSOCKADDR *)&remoteaddr, &remoteaddr_len);
+	memmove(&adev->address.type, remoteaddr, remoteaddr_len);
+	adev->address.length = remoteaddr_len;
+	nsock->address = adev->address;
+	nsock->pf = adev->address.type.sa.sa_family;
+
+	socket_log(__LINE__, nsock, &nsock->address, TRACE,
+		   "internal_accept parent %p", sock);
+
+	result = make_nonblock(adev->newsocket->fd);
+	INSIST(result == ISC_R_SUCCESS);
+
+	/*
+	 * Use minimum mtu if possible.
+	 */
+	use_min_mtu(adev->newsocket);
+
+	INSIST(setsockopt(nsock->fd, SOL_SOCKET, SO_UPDATE_ACCEPT_CONTEXT,
+			  (char *)&sock->fd, sizeof(sock->fd)) == 0);
+
+	/*
+	 * Hook it up into the manager.
+	 */
+	nsock->bound = 1;
+	nsock->connected = 1;
+	_set_state(nsock, SOCK_OPEN);
+
+	LOCK(&nsock->manager->lock);
+	ISC_LIST_APPEND(nsock->manager->socklist, nsock, link);
+	InterlockedIncrement(&nsock->manager->totalSockets);
+	UNLOCK(&nsock->manager->lock);
+
+	socket_log(__LINE__, sock, &nsock->address, CREATION,
+		   "accepted_connection new_socket %p fd %d", nsock, nsock->fd);
+
+	adev->result = result;
+	send_acceptdone_event(sock, &adev);
+
+done:
+	CONSISTENT(sock);
+	UNLOCK(&sock->lock);
+
+	HeapFree(hHeapHandle, 0, lpo->acceptbuffer);
+	lpo->acceptbuffer = NULL;
+}
+
+/*
+ * Called when a socket with a pending connect() finishes.
+ * Note that the socket is locked before entering.
+ */
+static void
+internal_connect(isc_socket_t *sock, IoCompletionInfo *lpo, int connect_errno) {
+	isc_socket_connev_t *cdev;
+	isc_result_t result;
+	char strbuf[ISC_STRERRORSIZE];
+
+	INSIST(VALID_SOCKET(sock));
+
+	LOCK(&sock->lock);
+
+	INSIST(sock->pending_iocp > 0);
+	sock->pending_iocp--;
+	INSIST(sock->pending_connect == 1);
+	sock->pending_connect = 0;
+
+	/*
+	 * If the event is no longer in the list we can just close and return.
+	 */
+	cdev = lpo->cdev;
+	if (!connectdone_is_active(sock, cdev)) {
+		sock->pending_connect = 0;
+		if (sock->fd != INVALID_SOCKET) {
+			closesocket(sock->fd);
+			sock->fd = INVALID_SOCKET;
+			_set_state(sock, SOCK_CLOSED);
+		}
+		CONSISTENT(sock);
+		UNLOCK(&sock->lock);
+		return;
+	}
+
+	/*
+	 * Check possible Windows network event error status here.
+	 */
+	if (connect_errno != 0) {
+		/*
+		 * If the error is SOFT, just try again on this
+		 * fd and pretend nothing strange happened.
+		 */
+		if (SOFT_ERROR(connect_errno) ||
+		    connect_errno == WSAEINPROGRESS)
+		{
+			sock->pending_connect = 1;
+			CONSISTENT(sock);
+			UNLOCK(&sock->lock);
+			return;
+		}
+
+		/*
+		 * Translate other errors into ISC_R_* flavors.
+		 */
+		switch (connect_errno) {
+#define ERROR_MATCH(a, b)   \
+	case a:             \
+		result = b; \
+		break;
+			ERROR_MATCH(WSAEACCES, ISC_R_NOPERM);
+			ERROR_MATCH(WSAEADDRNOTAVAIL, ISC_R_ADDRNOTAVAIL);
+			ERROR_MATCH(WSAEAFNOSUPPORT, ISC_R_ADDRNOTAVAIL);
+			ERROR_MATCH(WSAECONNREFUSED, ISC_R_CONNREFUSED);
+			ERROR_MATCH(WSAEHOSTUNREACH, ISC_R_HOSTUNREACH);
+			ERROR_MATCH(WSAEHOSTDOWN, ISC_R_HOSTDOWN);
+			ERROR_MATCH(WSAENETUNREACH, ISC_R_NETUNREACH);
+			ERROR_MATCH(WSAENETDOWN, ISC_R_NETDOWN);
+			ERROR_MATCH(WSAENOBUFS, ISC_R_NORESOURCES);
+			ERROR_MATCH(WSAECONNRESET, ISC_R_CONNECTIONRESET);
+			ERROR_MATCH(WSAECONNABORTED, ISC_R_CONNECTIONRESET);
+			ERROR_MATCH(WSAETIMEDOUT, ISC_R_TIMEDOUT);
+#undef ERROR_MATCH
+		default:
+			result = ISC_R_UNEXPECTED;
+			strerror_r(connect_errno, strbuf, sizeof(strbuf));
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "internal_connect: connect() %s",
+					 strbuf);
+		}
+	} else {
+		INSIST(setsockopt(sock->fd, SOL_SOCKET,
+				  SO_UPDATE_CONNECT_CONTEXT, NULL, 0) == 0);
+		result = ISC_R_SUCCESS;
+		sock->connected = 1;
+		socket_log(__LINE__, sock, &sock->address, IOEVENT,
+			   "internal_connect: success");
+	}
+
+	do {
+		cdev->result = result;
+		send_connectdone_event(sock, &cdev);
+		cdev = ISC_LIST_HEAD(sock->connect_list);
+	} while (cdev != NULL);
+
+	UNLOCK(&sock->lock);
+}
+
+/*
+ * Loop through the socket, returning ISC_R_EOF for each done event pending.
+ */
+static void
+send_recvdone_abort(isc_socket_t *sock, isc_result_t result) {
+	isc_socketevent_t *dev;
+
+	while (!ISC_LIST_EMPTY(sock->recv_list)) {
+		dev = ISC_LIST_HEAD(sock->recv_list);
+		dev->result = result;
+		send_recvdone_event(sock, &dev);
+	}
+}
+
+/*
+ * Loop through the socket, returning result for each done event pending.
+ */
+static void
+send_connectdone_abort(isc_socket_t *sock, isc_result_t result) {
+	isc_socket_connev_t *dev;
+
+	while (!ISC_LIST_EMPTY(sock->connect_list)) {
+		dev = ISC_LIST_HEAD(sock->connect_list);
+		dev->result = result;
+		send_connectdone_event(sock, &dev);
+	}
+}
+
+/*
+ * Take the data we received in our private buffer, and if any recv() calls on
+ * our list are satisfied, send the corresponding done event.
+ *
+ * If we need more data (there are still items on the recv_list after we consume
+ * all our data) then arrange for another system recv() call to fill our
+ * buffers.
+ */
+static void
+internal_recv(isc_socket_t *sock, int nbytes) {
+	INSIST(VALID_SOCKET(sock));
+
+	LOCK(&sock->lock);
+	CONSISTENT(sock);
+
+	socket_log(__LINE__, sock, NULL, IOEVENT,
+		   "internal_recv: %d bytes received", nbytes);
+
+	/*
+	 * If we got here, the I/O operation succeeded.  However, we might
+	 * still have removed this event from our notification list (or never
+	 * placed it on it due to immediate completion.)
+	 * Handle the reference counting here, and handle the cancellation
+	 * event just after.
+	 */
+	INSIST(sock->pending_iocp > 0);
+	sock->pending_iocp--;
+	INSIST(sock->pending_recv > 0);
+	sock->pending_recv--;
+
+	/*
+	 * The only way we could have gotten here is that our I/O has
+	 * successfully completed. Update our pointers, and move on.
+	 *  The only odd case here is that we might not have received
+	 * enough data on a TCP stream to satisfy the minimum requirements.
+	 * If this is the case, we will re-issue the recv() call for what
+	 * we need.
+	 *
+	 * We do check for a recv() of 0 bytes on a TCP stream.  This
+	 * means the remote end has closed.
+	 */
+	if (nbytes == 0 && sock->type == isc_sockettype_tcp) {
+		send_recvdone_abort(sock, ISC_R_EOF);
+		maybe_free_socket(&sock, __LINE__);
+		return;
+	}
+	sock->recvbuf.remaining = nbytes;
+	sock->recvbuf.consume_position = sock->recvbuf.base;
+	completeio_recv(sock);
+
+	/*
+	 * If there are more receivers waiting for data, queue another receive
+	 * here.
+	 */
+	queue_receive_request(sock);
+
+	/*
+	 * Unlock and/or destroy if we are the last thing this socket has left
+	 * to do.
+	 */
+	maybe_free_socket(&sock, __LINE__);
+}
+
+static void
+internal_send(isc_socket_t *sock, isc_socketevent_t *dev,
+	      struct msghdr *messagehdr, int nbytes, int send_errno,
+	      IoCompletionInfo *lpo) {
+	/*
+	 * Find out what socket this is and lock it.
+	 */
+	INSIST(VALID_SOCKET(sock));
+
+	LOCK(&sock->lock);
+	CONSISTENT(sock);
+
+	socket_log(__LINE__, sock, NULL, IOEVENT,
+		   "internal_send: task got socket event %p", dev);
+
+	if (lpo->buf != NULL) {
+		socket_log(__LINE__, sock, NULL, TRACE, "free_buffer %p",
+			   lpo->buf);
+
+		HeapFree(hHeapHandle, 0, lpo->buf);
+		lpo->buf = NULL;
+		lpo->buflen = 0;
+	}
+
+	INSIST(sock->pending_iocp > 0);
+	sock->pending_iocp--;
+	INSIST(sock->pending_send > 0);
+	sock->pending_send--;
+
+	/* If the event is no longer in the list we can just return */
+	if (!senddone_is_active(sock, dev)) {
+		goto done;
+	}
+
+	/*
+	 * Set the error code and send things on its way.
+	 */
+	switch (completeio_send(sock, dev, messagehdr, nbytes, send_errno)) {
+	case DOIO_SOFT:
+		break;
+	case DOIO_HARD:
+	case DOIO_SUCCESS:
+		send_senddone_event(sock, &dev);
+		break;
+	}
+
+done:
+	maybe_free_socket(&sock, __LINE__);
+}
+
+/*
+ * These return if the done event passed in is on the list.
+ * Using these ensures we will not double-send an event.
+ */
+static bool
+senddone_is_active(isc_socket_t *sock, isc_socketevent_t *dev) {
+	isc_socketevent_t *ldev;
+
+	ldev = ISC_LIST_HEAD(sock->send_list);
+	while (ldev != NULL && ldev != dev) {
+		ldev = ISC_LIST_NEXT(ldev, ev_link);
+	}
+
+	return (ldev == NULL ? false : true);
+}
+
+static bool
+acceptdone_is_active(isc_socket_t *sock, isc_socket_newconnev_t *dev) {
+	isc_socket_newconnev_t *ldev;
+
+	ldev = ISC_LIST_HEAD(sock->accept_list);
+	while (ldev != NULL && ldev != dev) {
+		ldev = ISC_LIST_NEXT(ldev, ev_link);
+	}
+
+	return (ldev == NULL ? false : true);
+}
+
+static bool
+connectdone_is_active(isc_socket_t *sock, isc_socket_connev_t *dev) {
+	isc_socket_connev_t *cdev;
+
+	cdev = ISC_LIST_HEAD(sock->connect_list);
+	while (cdev != NULL && cdev != dev) {
+		cdev = ISC_LIST_NEXT(cdev, ev_link);
+	}
+
+	return (cdev == NULL ? false : true);
+}
+
+/* */
+/* The Windows network stack seems to have two very distinct paths depending */
+/* on what is installed.  Specifically, if something is looking at network */
+/* connections (like an anti-virus or anti-malware application, such as */
+/* McAfee products) Windows may return additional error conditions which */
+/* were not previously returned. */
+/* */
+/* One specific one is when a TCP SYN scan is used.  In this situation, */
+/* Windows responds with the SYN-ACK, but the scanner never responds with */
+/* the 3rd packet, the ACK.  Windows considers this a partially open connection.
+ */
+/* Most Unix networking stacks, and Windows without McAfee installed, will */
+/* not return this to the caller.  However, with this product installed, */
+/* Windows returns this as a failed status on the Accept() call.  Here, we */
+/* will just re-issue the ISCAcceptEx() call as if nothing had happened. */
+/* */
+/* This code should only be called when the listening socket has received */
+/* such an error.  Additionally, the "parent" socket must be locked. */
+/* Additionally, the lpo argument is re-used here, and must not be freed */
+/* by the caller. */
+/* */
+static isc_result_t
+restart_accept(isc_socket_t *parent, IoCompletionInfo *lpo) {
+	isc_socket_t *nsock = lpo->adev->newsocket;
+	SOCKET new_fd;
+
+	/*
+	 * AcceptEx() requires we pass in a socket.  Note that we carefully
+	 * do not close the previous socket in case of an error message returned
+	 * by our new socket() call.  If we return an error here, our caller
+	 * will clean up.
+	 */
+	new_fd = socket(parent->pf, SOCK_STREAM, IPPROTO_TCP);
+	if (nsock->fd == INVALID_SOCKET) {
+		return (ISC_R_FAILURE); /* parent will ask windows for error */
+					/* message */
+	}
+	closesocket(nsock->fd);
+	nsock->fd = new_fd;
+
+	memset(&lpo->overlapped, 0, sizeof(lpo->overlapped));
+
+	ISCAcceptEx(parent->fd, nsock->fd,	   /* Accepted Socket */
+		    lpo->acceptbuffer,		   /* Buffer for initial Recv */
+		    0,				   /* Length of Buffer */
+		    sizeof(SOCKADDR_STORAGE) + 16, /* Local address length + 16
+						    */
+		    sizeof(SOCKADDR_STORAGE) + 16, /* Remote address length + 16
+						    */
+		    (LPDWORD)&lpo->received_bytes, /* Bytes Recved */
+		    (LPOVERLAPPED)lpo		   /* Overlapped structure */
+	);
+
+	InterlockedDecrement(&nsock->manager->iocp_total);
+	iocompletionport_update(nsock);
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * This is the I/O Completion Port Worker Function. It loops forever
+ * waiting for I/O to complete and then forwards them for further
+ * processing. There are a number of these in separate threads.
+ */
+static isc_threadresult_t WINAPI
+SocketIoThread(LPVOID ThreadContext) {
+	isc_socketmgr_t *manager = ThreadContext;
+	DWORD nbytes;
+	IoCompletionInfo *lpo = NULL;
+	isc_socket_t *sock = NULL;
+	int request;
+	struct msghdr *messagehdr = NULL;
+	int errval;
+	char strbuf[ISC_STRERRORSIZE];
+	int errstatus;
+
+	REQUIRE(VALID_MANAGER(manager));
+
+	/*
+	 * Set the thread priority high enough so I/O will
+	 * preempt normal recv packet processing, but not
+	 * higher than the timer sync thread.
+	 */
+	if (!SetThreadPriority(GetCurrentThread(),
+			       THREAD_PRIORITY_ABOVE_NORMAL))
+	{
+		errval = GetLastError();
+		strerror_r(errval, strbuf, sizeof(strbuf));
+		FATAL_ERROR(__FILE__, __LINE__, "Can't set thread priority: %s",
+			    strbuf);
+	}
+
+	/*
+	 * Loop forever waiting on I/O Completions and then processing them
+	 */
+	while (TRUE) {
+		BOOL bSuccess;
+
+	wait_again:
+		bSuccess = GetQueuedCompletionStatus(
+			manager->hIoCompletionPort, &nbytes, (PULONG_PTR)&sock,
+			(LPWSAOVERLAPPED *)&lpo, INFINITE);
+		if (lpo == NULL) { /* Received request to exit */
+			break;
+		}
+
+		REQUIRE(VALID_SOCKET(sock));
+
+		request = lpo->request_type;
+
+		if (!bSuccess) {
+			errstatus = GetLastError();
+		} else {
+			errstatus = 0;
+		}
+		if (!bSuccess && errstatus != ERROR_MORE_DATA) {
+			isc_result_t isc_result;
+
+			/*
+			 * Did the I/O operation complete?
+			 */
+			isc_result = isc__errno2result(errstatus);
+
+			LOCK(&sock->lock);
+			CONSISTENT(sock);
+			switch (request) {
+			case SOCKET_RECV:
+				INSIST(sock->pending_iocp > 0);
+				sock->pending_iocp--;
+				INSIST(sock->pending_recv > 0);
+				sock->pending_recv--;
+				if (!sock->connected &&
+				    ((errstatus == ERROR_HOST_UNREACHABLE) ||
+				     (errstatus == WSAENETRESET) ||
+				     (errstatus == WSAECONNRESET)))
+				{
+					/* ignore soft errors */
+					queue_receive_request(sock);
+					break;
+				}
+				send_recvdone_abort(sock, isc_result);
+				if (isc_result == ISC_R_UNEXPECTED) {
+					UNEXPECTED_ERROR(__FILE__, __LINE__,
+							 "SOCKET_RECV: Windows "
+							 "error code: %d, "
+							 "returning ISC error "
+							 "%d",
+							 errstatus, isc_result);
+				}
+				break;
+
+			case SOCKET_SEND:
+				INSIST(sock->pending_iocp > 0);
+				sock->pending_iocp--;
+				INSIST(sock->pending_send > 0);
+				sock->pending_send--;
+				if (senddone_is_active(sock, lpo->dev)) {
+					lpo->dev->result = isc_result;
+					socket_log(__LINE__, sock, NULL, EVENT,
+						   "canceled_send");
+					send_senddone_event(sock, &lpo->dev);
+				}
+				break;
+
+			case SOCKET_ACCEPT:
+				INSIST(sock->pending_iocp > 0);
+				INSIST(sock->pending_accept > 0);
+
+				socket_log(__LINE__, sock, NULL, EVENT,
+					   "Accept: errstatus=%d isc_result=%d",
+					   errstatus, isc_result);
+
+				if (acceptdone_is_active(sock, lpo->adev)) {
+					if (restart_accept(sock, lpo) ==
+					    ISC_R_SUCCESS)
+					{
+						UNLOCK(&sock->lock);
+						goto wait_again;
+					} else {
+						errstatus = GetLastError();
+						isc_result = isc__errno2result(
+							errstatus);
+						socket_log(__LINE__, sock, NULL,
+							   EVENT,
+							   "restart_accept() "
+							   "failed: "
+							   "errstatus=%d "
+							   "isc_result=%d",
+							   errstatus,
+							   isc_result);
+					}
+				}
+
+				sock->pending_iocp--;
+				sock->pending_accept--;
+				if (acceptdone_is_active(sock, lpo->adev)) {
+					closesocket(lpo->adev->newsocket->fd);
+					lpo->adev->newsocket->fd =
+						INVALID_SOCKET;
+					isc_refcount_decrementz(
+						&lpo->adev->newsocket
+							 ->references);
+					free_socket(&lpo->adev->newsocket,
+						    __LINE__);
+					lpo->adev->result = isc_result;
+					socket_log(__LINE__, sock, NULL, EVENT,
+						   "canceled_accept");
+					send_acceptdone_event(sock, &lpo->adev);
+				}
+				break;
+
+			case SOCKET_CONNECT:
+				INSIST(sock->pending_iocp > 0);
+				sock->pending_iocp--;
+				INSIST(sock->pending_connect == 1);
+				sock->pending_connect = 0;
+				if (connectdone_is_active(sock, lpo->cdev)) {
+					socket_log(__LINE__, sock, NULL, EVENT,
+						   "canceled_connect");
+					send_connectdone_abort(sock,
+							       isc_result);
+				}
+				break;
+			}
+			maybe_free_socket(&sock, __LINE__);
+
+			if (lpo != NULL) {
+				HeapFree(hHeapHandle, 0, lpo);
+			}
+			continue;
+		}
+
+		messagehdr = &lpo->messagehdr;
+
+		switch (request) {
+		case SOCKET_RECV:
+			internal_recv(sock, nbytes);
+			break;
+		case SOCKET_SEND:
+			internal_send(sock, lpo->dev, messagehdr, nbytes,
+				      errstatus, lpo);
+			break;
+		case SOCKET_ACCEPT:
+			internal_accept(sock, lpo, errstatus);
+			break;
+		case SOCKET_CONNECT:
+			internal_connect(sock, lpo, errstatus);
+			break;
+		}
+
+		if (lpo != NULL) {
+			HeapFree(hHeapHandle, 0, lpo);
+		}
+	}
+
+	/*
+	 * Exit Completion Port Thread
+	 */
+	manager_log(manager, TRACE, "SocketIoThread exiting");
+	return ((isc_threadresult_t)0);
+}
+
+/*
+ * Create a new socket manager.
+ */
+isc_result_t
+isc_socketmgr_create(isc_mem_t *mctx, isc_socketmgr_t **managerp) {
+	return (isc_socketmgr_create2(mctx, managerp, 0, 1));
+}
+
+isc_result_t
+isc_socketmgr_create2(isc_mem_t *mctx, isc_socketmgr_t **managerp,
+		      unsigned int maxsocks, int nthreads) {
+	isc_socketmgr_t *manager;
+
+	REQUIRE(managerp != NULL && *managerp == NULL);
+
+	if (maxsocks != 0) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	manager = isc_mem_get(mctx, sizeof(*manager));
+
+	InitSockets();
+
+	manager->magic = SOCKET_MANAGER_MAGIC;
+	manager->mctx = NULL;
+	manager->stats = NULL;
+	ISC_LIST_INIT(manager->socklist);
+	isc_mutex_init(&manager->lock);
+	isc_condition_init(&manager->shutdown_ok);
+
+	isc_mem_attach(mctx, &manager->mctx);
+	if (nthreads == 0) {
+		nthreads = isc_os_ncpus() + 1;
+	}
+	manager->maxIOCPThreads = min(nthreads, MAX_IOCPTHREADS);
+
+	iocompletionport_init(manager); /* Create the Completion Ports */
+
+	manager->bShutdown = false;
+	manager->totalSockets = 0;
+	manager->iocp_total = 0;
+	manager->maxudp = 0;
+
+	*managerp = manager;
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_socketmgr_getmaxsockets(isc_socketmgr_t *manager, unsigned int *nsockp) {
+	REQUIRE(VALID_MANAGER(manager));
+	REQUIRE(nsockp != NULL);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+void
+isc_socketmgr_setstats(isc_socketmgr_t *manager, isc_stats_t *stats) {
+	REQUIRE(VALID_MANAGER(manager));
+	REQUIRE(ISC_LIST_EMPTY(manager->socklist));
+	REQUIRE(manager->stats == NULL);
+	REQUIRE(isc_stats_ncounters(stats) == isc_sockstatscounter_max);
+
+	isc_stats_attach(stats, &manager->stats);
+}
+
+void
+isc_socketmgr_destroy(isc_socketmgr_t **managerp) {
+	isc_socketmgr_t *manager;
+
+	/*
+	 * Destroy a socket manager.
+	 */
+
+	REQUIRE(managerp != NULL);
+	manager = *managerp;
+	*managerp = NULL;
+	REQUIRE(VALID_MANAGER(manager));
+
+	LOCK(&manager->lock);
+
+	/*
+	 * Wait for all sockets to be destroyed.
+	 */
+	while (!ISC_LIST_EMPTY(manager->socklist)) {
+		manager_log(manager, CREATION, "sockets exist");
+		WAIT(&manager->shutdown_ok, &manager->lock);
+	}
+
+	UNLOCK(&manager->lock);
+
+	/*
+	 * Here, we need to had some wait code for the completion port
+	 * thread.
+	 */
+	signal_iocompletionport_exit(manager);
+	manager->bShutdown = true;
+
+	/*
+	 * Wait for threads to exit.
+	 */
+	for (int i = 0; i < manager->maxIOCPThreads; i++) {
+		isc_thread_join((isc_thread_t)manager->hIOCPThreads[i], NULL);
+	}
+	/*
+	 * Clean up.
+	 */
+
+	CloseHandle(manager->hIoCompletionPort);
+
+	(void)isc_condition_destroy(&manager->shutdown_ok);
+
+	isc_mutex_destroy(&manager->lock);
+	if (manager->stats != NULL) {
+		isc_stats_detach(&manager->stats);
+	}
+	manager->magic = 0;
+	isc_mem_putanddetach(&manager->mctx, manager, sizeof(*manager));
+}
+
+static void
+queue_receive_event(isc_socket_t *sock, isc_task_t *task,
+		    isc_socketevent_t *dev) {
+	isc_task_t *ntask = NULL;
+
+	isc_task_attach(task, &ntask);
+	dev->attributes |= ISC_SOCKEVENTATTR_ATTACHED;
+
+	/*
+	 * Enqueue the request.
+	 */
+	INSIST(!ISC_LINK_LINKED(dev, ev_link));
+	ISC_LIST_ENQUEUE(sock->recv_list, dev, ev_link);
+
+	socket_log(__LINE__, sock, NULL, EVENT,
+		   "queue_receive_event: event %p -> task %p", dev, ntask);
+}
+
+/*
+ * Check the pending receive queue, and if we have data pending, give it to this
+ * caller.  If we have none, queue an I/O request.  If this caller is not the
+ * first on the list, then we will just queue this event and return.
+ *
+ * Caller must have the socket locked.
+ */
+static isc_result_t
+socket_recv(isc_socket_t *sock, isc_socketevent_t *dev, isc_task_t *task,
+	    unsigned int flags) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	dev->ev_sender = task;
+
+	if (sock->fd == INVALID_SOCKET) {
+		return (ISC_R_EOF);
+	}
+
+	/*
+	 * Queue our event on the list of things to do.  Call our function to
+	 * attempt to fill buffers as much as possible, and return done events.
+	 * We are going to lie about our handling of the ISC_SOCKFLAG_IMMEDIATE
+	 * here and tell our caller that we could not satisfy it immediately.
+	 */
+	queue_receive_event(sock, task, dev);
+	if ((flags & ISC_SOCKFLAG_IMMEDIATE) != 0) {
+		result = ISC_R_INPROGRESS;
+	}
+
+	completeio_recv(sock);
+
+	/*
+	 * If there are more receivers waiting for data, queue another receive
+	 * here.  If the
+	 */
+	queue_receive_request(sock);
+
+	return (result);
+}
+
+isc_result_t
+isc_socket_recv(isc_socket_t *sock, isc_region_t *region, unsigned int minimum,
+		isc_task_t *task, isc_taskaction_t action, void *arg) {
+	isc_socketevent_t *dev;
+	isc_socketmgr_t *manager;
+	isc_result_t ret;
+
+	REQUIRE(VALID_SOCKET(sock));
+	LOCK(&sock->lock);
+	CONSISTENT(sock);
+
+	/*
+	 * make sure that the socket's not closed
+	 */
+	if (sock->fd == INVALID_SOCKET) {
+		UNLOCK(&sock->lock);
+		return (ISC_R_CONNREFUSED);
+	}
+	REQUIRE(action != NULL);
+
+	manager = sock->manager;
+	REQUIRE(VALID_MANAGER(manager));
+
+	INSIST(sock->bound);
+
+	dev = allocate_socketevent(manager->mctx, sock, ISC_SOCKEVENT_RECVDONE,
+				   action, arg);
+	if (dev == NULL) {
+		UNLOCK(&sock->lock);
+		return (ISC_R_NOMEMORY);
+	}
+
+	ret = isc_socket_recv2(sock, region, minimum, task, dev, 0);
+	UNLOCK(&sock->lock);
+	return (ret);
+}
+
+isc_result_t
+isc_socket_recv2(isc_socket_t *sock, isc_region_t *region, unsigned int minimum,
+		 isc_task_t *task, isc_socketevent_t *event,
+		 unsigned int flags) {
+	isc_result_t ret;
+
+	REQUIRE(VALID_SOCKET(sock));
+	LOCK(&sock->lock);
+	CONSISTENT(sock);
+
+	event->result = ISC_R_UNEXPECTED;
+	event->ev_sender = sock;
+	/*
+	 * make sure that the socket's not closed
+	 */
+	if (sock->fd == INVALID_SOCKET) {
+		UNLOCK(&sock->lock);
+		return (ISC_R_CONNREFUSED);
+	}
+
+	event->region = *region;
+	event->n = 0;
+	event->offset = 0;
+	event->attributes = 0;
+
+	/*
+	 * UDP sockets are always partial read.
+	 */
+	if (sock->type == isc_sockettype_udp) {
+		event->minimum = 1;
+	} else {
+		if (minimum == 0) {
+			event->minimum = region->length;
+		} else {
+			event->minimum = minimum;
+		}
+	}
+
+	ret = socket_recv(sock, event, task, flags);
+	UNLOCK(&sock->lock);
+	return (ret);
+}
+
+/*
+ * Caller must have the socket locked.
+ */
+static isc_result_t
+socket_send(isc_socket_t *sock, isc_socketevent_t *dev, isc_task_t *task,
+	    const isc_sockaddr_t *address, struct in6_pktinfo *pktinfo,
+	    unsigned int flags) {
+	int io_state;
+	int send_errno = 0;
+	int cc = 0;
+	isc_task_t *ntask = NULL;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	dev->ev_sender = task;
+
+	set_dev_address(address, sock, dev);
+	if (pktinfo != NULL) {
+		socket_log(__LINE__, sock, NULL, TRACE,
+			   "pktinfo structure provided, ifindex %u (set to 0)",
+			   pktinfo->ipi6_ifindex);
+
+		dev->attributes |= ISC_SOCKEVENTATTR_PKTINFO;
+		dev->pktinfo = *pktinfo;
+		/*
+		 * Set the pktinfo index to 0 here, to let the kernel decide
+		 * what interface it should send on.
+		 */
+		dev->pktinfo.ipi6_ifindex = 0;
+	}
+
+	io_state = startio_send(sock, dev, &cc, &send_errno);
+	switch (io_state) {
+	case DOIO_PENDING: /* I/O started. Enqueue completion event. */
+	case DOIO_SOFT:
+		/*
+		 * We couldn't send all or part of the request right now, so
+		 * queue it unless ISC_SOCKFLAG_NORETRY is set.
+		 */
+		if ((flags & ISC_SOCKFLAG_NORETRY) == 0 ||
+		    io_state == DOIO_PENDING)
+		{
+			isc_task_attach(task, &ntask);
+			dev->attributes |= ISC_SOCKEVENTATTR_ATTACHED;
+
+			/*
+			 * Enqueue the request.
+			 */
+			INSIST(!ISC_LINK_LINKED(dev, ev_link));
+			ISC_LIST_ENQUEUE(sock->send_list, dev, ev_link);
+
+			socket_log(__LINE__, sock, NULL, EVENT,
+				   "socket_send: event %p -> task %p", dev,
+				   ntask);
+
+			if ((flags & ISC_SOCKFLAG_IMMEDIATE) != 0) {
+				result = ISC_R_INPROGRESS;
+			}
+			break;
+		}
+
+	case DOIO_SUCCESS:
+		break;
+	}
+
+	return (result);
+}
+
+isc_result_t
+isc_socket_send(isc_socket_t *sock, isc_region_t *region, isc_task_t *task,
+		isc_taskaction_t action, void *arg) {
+	/*
+	 * REQUIRE() checking is performed in isc_socket_sendto().
+	 */
+	return (isc_socket_sendto(sock, region, task, action, arg, NULL, NULL));
+}
+
+isc_result_t
+isc_socket_sendto(isc_socket_t *sock, isc_region_t *region, isc_task_t *task,
+		  isc_taskaction_t action, void *arg,
+		  const isc_sockaddr_t *address, struct in6_pktinfo *pktinfo) {
+	isc_socketevent_t *dev;
+	isc_socketmgr_t *manager;
+	isc_result_t ret;
+
+	REQUIRE(VALID_SOCKET(sock));
+
+	LOCK(&sock->lock);
+	CONSISTENT(sock);
+
+	/*
+	 * make sure that the socket's not closed
+	 */
+	if (sock->fd == INVALID_SOCKET) {
+		UNLOCK(&sock->lock);
+		return (ISC_R_CONNREFUSED);
+	}
+	REQUIRE(region != NULL);
+	REQUIRE(task != NULL);
+	REQUIRE(action != NULL);
+
+	manager = sock->manager;
+	REQUIRE(VALID_MANAGER(manager));
+
+	INSIST(sock->bound);
+
+	dev = allocate_socketevent(manager->mctx, sock, ISC_SOCKEVENT_SENDDONE,
+				   action, arg);
+	if (dev == NULL) {
+		UNLOCK(&sock->lock);
+		return (ISC_R_NOMEMORY);
+	}
+	dev->region = *region;
+
+	ret = socket_send(sock, dev, task, address, pktinfo, 0);
+	UNLOCK(&sock->lock);
+	return (ret);
+}
+
+isc_result_t
+isc_socket_sendto2(isc_socket_t *sock, isc_region_t *region, isc_task_t *task,
+		   const isc_sockaddr_t *address, struct in6_pktinfo *pktinfo,
+		   isc_socketevent_t *event, unsigned int flags) {
+	isc_result_t ret;
+
+	REQUIRE(VALID_SOCKET(sock));
+	LOCK(&sock->lock);
+	CONSISTENT(sock);
+
+	REQUIRE((flags & ~(ISC_SOCKFLAG_IMMEDIATE | ISC_SOCKFLAG_NORETRY)) ==
+		0);
+	if ((flags & ISC_SOCKFLAG_NORETRY) != 0) {
+		REQUIRE(sock->type == isc_sockettype_udp);
+	}
+	event->ev_sender = sock;
+	event->result = ISC_R_UNEXPECTED;
+	/*
+	 * make sure that the socket's not closed
+	 */
+	if (sock->fd == INVALID_SOCKET) {
+		UNLOCK(&sock->lock);
+		return (ISC_R_CONNREFUSED);
+	}
+	event->region = *region;
+	event->n = 0;
+	event->offset = 0;
+	event->attributes = 0;
+
+	ret = socket_send(sock, event, task, address, pktinfo, flags);
+	UNLOCK(&sock->lock);
+	return (ret);
+}
+
+isc_result_t
+isc_socket_bind(isc_socket_t *sock, const isc_sockaddr_t *sockaddr,
+		isc_socket_options_t options) {
+	int bind_errno;
+	char strbuf[ISC_STRERRORSIZE];
+	int on = 1;
+
+	REQUIRE(VALID_SOCKET(sock));
+	LOCK(&sock->lock);
+	CONSISTENT(sock);
+
+	/*
+	 * make sure that the socket's not closed
+	 */
+	if (sock->fd == INVALID_SOCKET) {
+		UNLOCK(&sock->lock);
+		return (ISC_R_CONNREFUSED);
+	}
+
+	INSIST(!sock->bound);
+	INSIST(!sock->dupped);
+
+	if (sock->pf != sockaddr->type.sa.sa_family) {
+		UNLOCK(&sock->lock);
+		return (ISC_R_FAMILYMISMATCH);
+	}
+	/*
+	 * Only set SO_REUSEADDR when we want a specific port.
+	 */
+	if ((options & ISC_SOCKET_REUSEADDRESS) != 0 &&
+	    isc_sockaddr_getport(sockaddr) != (in_port_t)0 &&
+	    setsockopt(sock->fd, SOL_SOCKET, SO_REUSEADDR, (char *)&on,
+		       sizeof(on)) < 0)
+	{
+		UNEXPECTED_ERROR(__FILE__, __LINE__, "setsockopt(%d) failed",
+				 sock->fd);
+		/* Press on... */
+	}
+	if (bind(sock->fd, &sockaddr->type.sa, sockaddr->length) < 0) {
+		bind_errno = WSAGetLastError();
+		UNLOCK(&sock->lock);
+		switch (bind_errno) {
+		case WSAEACCES:
+			return (ISC_R_NOPERM);
+		case WSAEADDRNOTAVAIL:
+			return (ISC_R_ADDRNOTAVAIL);
+		case WSAEADDRINUSE:
+			return (ISC_R_ADDRINUSE);
+		case WSAEINVAL:
+			return (ISC_R_BOUND);
+		default:
+			strerror_r(bind_errno, strbuf, sizeof(strbuf));
+			UNEXPECTED_ERROR(__FILE__, __LINE__, "bind: %s",
+					 strbuf);
+			return (ISC_R_UNEXPECTED);
+		}
+	}
+
+	socket_log(__LINE__, sock, sockaddr, TRACE, "bound");
+	sock->bound = 1;
+
+	UNLOCK(&sock->lock);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_socket_filter(isc_socket_t *sock, const char *filter) {
+	UNUSED(sock);
+	UNUSED(filter);
+
+	REQUIRE(VALID_SOCKET(sock));
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+/*
+ * Set up to listen on a given socket.  We do this by creating an internal
+ * event that will be dispatched when the socket has read activity.  The
+ * watcher will send the internal event to the task when there is a new
+ * connection.
+ *
+ * Unlike in read, we don't preallocate a done event here.  Every time there
+ * is a new connection we'll have to allocate a new one anyway, so we might
+ * as well keep things simple rather than having to track them.
+ */
+isc_result_t
+isc_socket_listen(isc_socket_t *sock, unsigned int backlog) {
+	char strbuf[ISC_STRERRORSIZE];
+#if defined(ENABLE_TCP_FASTOPEN) && defined(TCP_FASTOPEN)
+	char on = 1;
+#endif /* if defined(ENABLE_TCP_FASTOPEN) && defined(TCP_FASTOPEN) */
+
+	REQUIRE(VALID_SOCKET(sock));
+
+	LOCK(&sock->lock);
+	CONSISTENT(sock);
+
+	/*
+	 * make sure that the socket's not closed
+	 */
+	if (sock->fd == INVALID_SOCKET) {
+		UNLOCK(&sock->lock);
+		return (ISC_R_CONNREFUSED);
+	}
+
+	REQUIRE(!sock->listener);
+	REQUIRE(sock->bound);
+	REQUIRE(sock->type == isc_sockettype_tcp);
+
+	if (backlog == 0) {
+		backlog = SOMAXCONN;
+	}
+
+	if (listen(sock->fd, (int)backlog) < 0) {
+		UNLOCK(&sock->lock);
+		strerror_r(WSAGetLastError(), strbuf, sizeof(strbuf));
+
+		UNEXPECTED_ERROR(__FILE__, __LINE__, "listen: %s", strbuf);
+
+		return (ISC_R_UNEXPECTED);
+	}
+
+#if defined(ENABLE_TCP_FASTOPEN) && defined(TCP_FASTOPEN)
+	if (setsockopt(sock->fd, IPPROTO_TCP, TCP_FASTOPEN, &on, sizeof(on)) <
+	    0)
+	{
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "setsockopt(%d, TCP_FASTOPEN) failed with %s",
+				 sock->fd, strbuf);
+		/* TCP_FASTOPEN is experimental so ignore failures */
+	}
+#endif /* if defined(ENABLE_TCP_FASTOPEN) && defined(TCP_FASTOPEN) */
+
+	socket_log(__LINE__, sock, NULL, TRACE, "listening");
+	sock->listener = 1;
+	_set_state(sock, SOCK_LISTEN);
+
+	UNLOCK(&sock->lock);
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * This should try to do aggressive accept() XXXMLG
+ */
+isc_result_t
+isc_socket_accept(isc_socket_t *sock, isc_task_t *task, isc_taskaction_t action,
+		  void *arg) {
+	isc_socket_newconnev_t *adev;
+	isc_socketmgr_t *manager;
+	isc_task_t *ntask = NULL;
+	isc_socket_t *nsock;
+	isc_result_t result;
+	IoCompletionInfo *lpo;
+
+	REQUIRE(VALID_SOCKET(sock));
+
+	manager = sock->manager;
+	REQUIRE(VALID_MANAGER(manager));
+
+	LOCK(&sock->lock);
+	CONSISTENT(sock);
+
+	/*
+	 * make sure that the socket's not closed
+	 */
+	if (sock->fd == INVALID_SOCKET) {
+		UNLOCK(&sock->lock);
+		return (ISC_R_CONNREFUSED);
+	}
+
+	REQUIRE(sock->listener);
+
+	/*
+	 * Sender field is overloaded here with the task we will be sending
+	 * this event to.  Just before the actual event is delivered the
+	 * actual ev_sender will be touched up to be the socket.
+	 */
+	adev = (isc_socket_newconnev_t *)isc_event_allocate(
+		manager->mctx, task, ISC_SOCKEVENT_NEWCONN, action, arg,
+		sizeof(*adev));
+	ISC_LINK_INIT(adev, ev_link);
+
+	result = allocate_socket(manager, sock->type, &nsock);
+	if (result != ISC_R_SUCCESS) {
+		isc_event_free((isc_event_t **)&adev);
+		UNLOCK(&sock->lock);
+		return (result);
+	}
+
+	/*
+	 * AcceptEx() requires we pass in a socket.
+	 */
+	nsock->fd = socket(sock->pf, SOCK_STREAM, IPPROTO_TCP);
+	if (nsock->fd == INVALID_SOCKET) {
+		free_socket(&nsock, __LINE__);
+		isc_event_free((isc_event_t **)&adev);
+		UNLOCK(&sock->lock);
+		return (ISC_R_FAILURE); /* XXXMLG need real error message */
+	}
+
+	/*
+	 * Attach to socket and to task.
+	 */
+	isc_task_attach(task, &ntask);
+	if (isc_task_exiting(ntask)) {
+		free_socket(&nsock, __LINE__);
+		isc_task_detach(&ntask);
+		isc_event_free(ISC_EVENT_PTR(&adev));
+		UNLOCK(&sock->lock);
+		return (ISC_R_SHUTTINGDOWN);
+	}
+	isc_refcount_increment0(&nsock->references);
+
+	adev->ev_sender = ntask;
+	adev->newsocket = nsock;
+	_set_state(nsock, SOCK_ACCEPT);
+
+	/*
+	 * Queue io completion for an accept().
+	 */
+	lpo = (IoCompletionInfo *)HeapAlloc(hHeapHandle, HEAP_ZERO_MEMORY,
+					    sizeof(IoCompletionInfo));
+	RUNTIME_CHECK(lpo != NULL);
+	lpo->acceptbuffer =
+		(void *)HeapAlloc(hHeapHandle, HEAP_ZERO_MEMORY,
+				  (sizeof(SOCKADDR_STORAGE) + 16) * 2);
+	RUNTIME_CHECK(lpo->acceptbuffer != NULL);
+
+	lpo->adev = adev;
+	lpo->request_type = SOCKET_ACCEPT;
+
+	ISCAcceptEx(sock->fd, nsock->fd,	   /* Accepted Socket */
+		    lpo->acceptbuffer,		   /* Buffer for initial Recv */
+		    0,				   /* Length of Buffer */
+		    sizeof(SOCKADDR_STORAGE) + 16, /* Local address length + 16
+						    */
+		    sizeof(SOCKADDR_STORAGE) + 16, /* Remote address length + 16
+						    */
+		    (LPDWORD)&lpo->received_bytes, /* Bytes Recved */
+		    (LPOVERLAPPED)lpo		   /* Overlapped structure */
+	);
+	iocompletionport_update(nsock);
+
+	socket_log(__LINE__, sock, NULL, TRACE, "accepting for nsock %p fd %d",
+		   nsock, nsock->fd);
+
+	/*
+	 * Enqueue the event
+	 */
+	ISC_LIST_ENQUEUE(sock->accept_list, adev, ev_link);
+	sock->pending_accept++;
+	sock->pending_iocp++;
+
+	UNLOCK(&sock->lock);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_socket_connect(isc_socket_t *sock, const isc_sockaddr_t *addr,
+		   isc_task_t *task, isc_taskaction_t action, void *arg) {
+	char strbuf[ISC_STRERRORSIZE];
+	isc_socket_connev_t *cdev;
+	isc_task_t *ntask = NULL;
+	isc_socketmgr_t *manager;
+	IoCompletionInfo *lpo;
+	int bind_errno;
+
+	REQUIRE(VALID_SOCKET(sock));
+	REQUIRE(addr != NULL);
+	REQUIRE(task != NULL);
+	REQUIRE(action != NULL);
+
+	manager = sock->manager;
+	REQUIRE(VALID_MANAGER(manager));
+	REQUIRE(addr != NULL);
+
+	if (isc_sockaddr_ismulticast(addr)) {
+		return (ISC_R_MULTICAST);
+	}
+
+	LOCK(&sock->lock);
+	CONSISTENT(sock);
+
+	/*
+	 * make sure that the socket's not closed
+	 */
+	if (sock->fd == INVALID_SOCKET) {
+		UNLOCK(&sock->lock);
+		return (ISC_R_CONNREFUSED);
+	}
+
+	/*
+	 * Windows sockets won't connect unless the socket is bound.
+	 */
+	if (!sock->bound) {
+		isc_sockaddr_t any;
+
+		isc_sockaddr_anyofpf(&any, isc_sockaddr_pf(addr));
+		if (bind(sock->fd, &any.type.sa, any.length) < 0) {
+			bind_errno = WSAGetLastError();
+			UNLOCK(&sock->lock);
+			switch (bind_errno) {
+			case WSAEACCES:
+				return (ISC_R_NOPERM);
+			case WSAEADDRNOTAVAIL:
+				return (ISC_R_ADDRNOTAVAIL);
+			case WSAEADDRINUSE:
+				return (ISC_R_ADDRINUSE);
+			case WSAEINVAL:
+				return (ISC_R_BOUND);
+			default:
+				strerror_r(bind_errno, strbuf, sizeof(strbuf));
+				UNEXPECTED_ERROR(__FILE__, __LINE__, "bind: %s",
+						 strbuf);
+				return (ISC_R_UNEXPECTED);
+			}
+		}
+		sock->bound = 1;
+	}
+
+	cdev = (isc_socket_connev_t *)isc_event_allocate(
+		manager->mctx, sock, ISC_SOCKEVENT_CONNECT, action, arg,
+		sizeof(*cdev));
+	ISC_LINK_INIT(cdev, ev_link);
+
+	if (sock->connected) {
+		INSIST(isc_sockaddr_equal(&sock->address, addr));
+		cdev->result = ISC_R_SUCCESS;
+		isc_task_send(task, ISC_EVENT_PTR(&cdev));
+
+		UNLOCK(&sock->lock);
+		return (ISC_R_SUCCESS);
+	}
+
+	if ((sock->type == isc_sockettype_tcp) && !sock->pending_connect) {
+		/*
+		 * Queue io completion for an accept().
+		 */
+		lpo = (IoCompletionInfo *)HeapAlloc(hHeapHandle,
+						    HEAP_ZERO_MEMORY,
+						    sizeof(IoCompletionInfo));
+		lpo->cdev = cdev;
+		lpo->request_type = SOCKET_CONNECT;
+
+		sock->address = *addr;
+		ISCConnectEx(sock->fd, &addr->type.sa, addr->length, NULL, 0,
+			     NULL, (LPOVERLAPPED)lpo);
+
+		/*
+		 * Attach to task.
+		 */
+		isc_task_attach(task, &ntask);
+		cdev->ev_sender = ntask;
+
+		sock->pending_connect = 1;
+		_set_state(sock, SOCK_CONNECT);
+
+		/*
+		 * Enqueue the request.
+		 */
+		INSIST(!ISC_LINK_LINKED(cdev, ev_link));
+		ISC_LIST_ENQUEUE(sock->connect_list, cdev, ev_link);
+		sock->pending_iocp++;
+	} else if (sock->type == isc_sockettype_tcp) {
+		INSIST(sock->pending_connect);
+		INSIST(isc_sockaddr_equal(&sock->address, addr));
+		isc_task_attach(task, &ntask);
+		cdev->ev_sender = ntask;
+		INSIST(!ISC_LINK_LINKED(cdev, ev_link));
+		ISC_LIST_ENQUEUE(sock->connect_list, cdev, ev_link);
+	} else {
+		REQUIRE(!sock->pending_connect);
+		WSAConnect(sock->fd, &addr->type.sa, addr->length, NULL, NULL,
+			   NULL, NULL);
+		cdev->result = ISC_R_SUCCESS;
+		isc_task_send(task, (isc_event_t **)&cdev);
+	}
+	CONSISTENT(sock);
+	UNLOCK(&sock->lock);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_socket_getpeername(isc_socket_t *sock, isc_sockaddr_t *addressp) {
+	isc_result_t result;
+
+	REQUIRE(VALID_SOCKET(sock));
+	REQUIRE(addressp != NULL);
+
+	LOCK(&sock->lock);
+	CONSISTENT(sock);
+
+	/*
+	 * make sure that the socket's not closed
+	 */
+	if (sock->fd == INVALID_SOCKET) {
+		UNLOCK(&sock->lock);
+		return (ISC_R_CONNREFUSED);
+	}
+
+	if (sock->connected) {
+		*addressp = sock->address;
+		result = ISC_R_SUCCESS;
+	} else {
+		result = ISC_R_NOTCONNECTED;
+	}
+
+	UNLOCK(&sock->lock);
+
+	return (result);
+}
+
+isc_result_t
+isc_socket_getsockname(isc_socket_t *sock, isc_sockaddr_t *addressp) {
+	socklen_t len;
+	isc_result_t result;
+	char strbuf[ISC_STRERRORSIZE];
+
+	REQUIRE(VALID_SOCKET(sock));
+	REQUIRE(addressp != NULL);
+
+	LOCK(&sock->lock);
+	CONSISTENT(sock);
+
+	/*
+	 * make sure that the socket's not closed
+	 */
+	if (sock->fd == INVALID_SOCKET) {
+		UNLOCK(&sock->lock);
+		return (ISC_R_CONNREFUSED);
+	}
+
+	if (!sock->bound) {
+		result = ISC_R_NOTBOUND;
+		goto out;
+	}
+
+	result = ISC_R_SUCCESS;
+
+	len = sizeof(addressp->type);
+	if (getsockname(sock->fd, &addressp->type.sa, (void *)&len) < 0) {
+		strerror_r(WSAGetLastError(), strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__, "getsockname: %s", strbuf);
+		result = ISC_R_UNEXPECTED;
+		goto out;
+	}
+	addressp->length = (unsigned int)len;
+
+out:
+	UNLOCK(&sock->lock);
+
+	return (result);
+}
+
+/*
+ * Run through the list of events on this socket, and cancel the ones
+ * queued for task "task" of type "how".  "how" is a bitmask.
+ */
+void
+isc_socket_cancel(isc_socket_t *sock, isc_task_t *task, unsigned int how) {
+	REQUIRE(VALID_SOCKET(sock));
+
+	/*
+	 * Quick exit if there is nothing to do.  Don't even bother locking
+	 * in this case.
+	 */
+	if (how == 0) {
+		return;
+	}
+
+	LOCK(&sock->lock);
+	CONSISTENT(sock);
+
+	/*
+	 * make sure that the socket's not closed
+	 */
+	if (sock->fd == INVALID_SOCKET) {
+		UNLOCK(&sock->lock);
+		return;
+	}
+
+	/*
+	 * All of these do the same thing, more or less.
+	 * Each will:
+	 *	o If the internal event is marked as "posted" try to
+	 *	  remove it from the task's queue.  If this fails, mark it
+	 *	  as canceled instead, and let the task clean it up later.
+	 *	o For each I/O request for that task of that type, post
+	 *	  its done event with status of "ISC_R_CANCELED".
+	 *	o Reset any state needed.
+	 */
+
+	if ((how & ISC_SOCKCANCEL_RECV) != 0) {
+		isc_socketevent_t *dev;
+		isc_socketevent_t *next;
+		isc_task_t *current_task;
+
+		dev = ISC_LIST_HEAD(sock->recv_list);
+		while (dev != NULL) {
+			current_task = dev->ev_sender;
+			next = ISC_LIST_NEXT(dev, ev_link);
+			if ((task == NULL) || (task == current_task)) {
+				dev->result = ISC_R_CANCELED;
+				send_recvdone_event(sock, &dev);
+			}
+			dev = next;
+		}
+	}
+	how &= ~ISC_SOCKCANCEL_RECV;
+
+	if ((how & ISC_SOCKCANCEL_SEND) != 0) {
+		isc_socketevent_t *dev;
+		isc_socketevent_t *next;
+		isc_task_t *current_task;
+
+		dev = ISC_LIST_HEAD(sock->send_list);
+
+		while (dev != NULL) {
+			current_task = dev->ev_sender;
+			next = ISC_LIST_NEXT(dev, ev_link);
+			if ((task == NULL) || (task == current_task)) {
+				dev->result = ISC_R_CANCELED;
+				send_senddone_event(sock, &dev);
+			}
+			dev = next;
+		}
+	}
+	how &= ~ISC_SOCKCANCEL_SEND;
+
+	if (((how & ISC_SOCKCANCEL_ACCEPT) != 0) &&
+	    !ISC_LIST_EMPTY(sock->accept_list))
+	{
+		isc_socket_newconnev_t *dev;
+		isc_socket_newconnev_t *next;
+		isc_task_t *current_task;
+
+		dev = ISC_LIST_HEAD(sock->accept_list);
+		while (dev != NULL) {
+			current_task = dev->ev_sender;
+			next = ISC_LIST_NEXT(dev, ev_link);
+
+			if ((task == NULL) || (task == current_task)) {
+				isc_refcount_decrementz(
+					&dev->newsocket->references);
+				closesocket(dev->newsocket->fd);
+				dev->newsocket->fd = INVALID_SOCKET;
+				free_socket(&dev->newsocket, __LINE__);
+
+				dev->result = ISC_R_CANCELED;
+				send_acceptdone_event(sock, &dev);
+			}
+
+			dev = next;
+		}
+	}
+	how &= ~ISC_SOCKCANCEL_ACCEPT;
+
+	if (((how & ISC_SOCKCANCEL_CONNECT) != 0) &&
+	    !ISC_LIST_EMPTY(sock->connect_list))
+	{
+		isc_socket_connev_t *dev;
+		isc_socket_connev_t *next;
+		isc_task_t *current_task;
+
+		INSIST(sock->pending_connect);
+
+		dev = ISC_LIST_HEAD(sock->connect_list);
+
+		while (dev != NULL) {
+			current_task = dev->ev_sender;
+			next = ISC_LIST_NEXT(dev, ev_link);
+			if ((task == NULL) || (task == current_task)) {
+				dev->result = ISC_R_CANCELED;
+				send_connectdone_event(sock, &dev);
+			}
+			dev = next;
+		}
+		closesocket(sock->fd);
+		sock->fd = INVALID_SOCKET;
+		_set_state(sock, SOCK_CLOSED);
+	}
+	how &= ~ISC_SOCKCANCEL_CONNECT;
+	UNUSED(how);
+
+	maybe_free_socket(&sock, __LINE__);
+}
+
+isc_sockettype_t
+isc_socket_gettype(isc_socket_t *sock) {
+	isc_sockettype_t type;
+
+	REQUIRE(VALID_SOCKET(sock));
+
+	LOCK(&sock->lock);
+
+	/*
+	 * make sure that the socket's not closed
+	 */
+	if (sock->fd == INVALID_SOCKET) {
+		UNLOCK(&sock->lock);
+		return (ISC_R_CONNREFUSED);
+	}
+
+	type = sock->type;
+	UNLOCK(&sock->lock);
+	return (type);
+}
+
+void
+isc_socket_ipv6only(isc_socket_t *sock, bool yes) {
+#if defined(IPV6_V6ONLY)
+	int onoff = yes ? 1 : 0;
+#else  /* if defined(IPV6_V6ONLY) */
+	UNUSED(yes);
+#endif /* if defined(IPV6_V6ONLY) */
+
+	REQUIRE(VALID_SOCKET(sock));
+
+#ifdef IPV6_V6ONLY
+	if (sock->pf == AF_INET6) {
+		(void)setsockopt(sock->fd, IPPROTO_IPV6, IPV6_V6ONLY,
+				 (char *)&onoff, sizeof(onoff));
+	}
+#endif /* ifdef IPV6_V6ONLY */
+}
+
+void
+isc_socket_dscp(isc_socket_t *sock, isc_dscp_t dscp) {
+#if !defined(IP_TOS) && !defined(IPV6_TCLASS)
+	UNUSED(dscp);
+#else  /* if !defined(IP_TOS) && !defined(IPV6_TCLASS) */
+	if (dscp < 0) {
+		return;
+	}
+
+	dscp <<= 2;
+	dscp &= 0xff;
+#endif /* if !defined(IP_TOS) && !defined(IPV6_TCLASS) */
+
+	REQUIRE(VALID_SOCKET(sock));
+
+#ifdef IP_TOS
+	if (sock->pf == AF_INET) {
+		(void)setsockopt(sock->fd, IPPROTO_IP, IP_TOS, (char *)&dscp,
+				 sizeof(dscp));
+	}
+#endif /* ifdef IP_TOS */
+#ifdef IPV6_TCLASS
+	if (sock->pf == AF_INET6) {
+		(void)setsockopt(sock->fd, IPPROTO_IPV6, IPV6_TCLASS,
+				 (char *)&dscp, sizeof(dscp));
+	}
+#endif /* ifdef IPV6_TCLASS */
+}
+
+void
+isc_socket_cleanunix(const isc_sockaddr_t *addr, bool active) {
+	UNUSED(addr);
+	UNUSED(active);
+}
+
+isc_result_t
+isc_socket_permunix(const isc_sockaddr_t *addr, uint32_t perm, uint32_t owner,
+		    uint32_t group) {
+	UNUSED(addr);
+	UNUSED(perm);
+	UNUSED(owner);
+	UNUSED(group);
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+void
+isc_socket_setname(isc_socket_t *socket, const char *name, void *tag) {
+	/*
+	 * Name 'socket'.
+	 */
+
+	REQUIRE(VALID_SOCKET(socket));
+
+	LOCK(&socket->lock);
+	strlcpy(socket->name, name, sizeof(socket->name));
+	socket->tag = tag;
+	UNLOCK(&socket->lock);
+}
+
+const char *
+isc_socket_getname(isc_socket_t *socket) {
+	return (socket->name);
+}
+
+void *
+isc_socket_gettag(isc_socket_t *socket) {
+	return (socket->tag);
+}
+
+int
+isc_socket_getfd(isc_socket_t *socket) {
+	return ((short)socket->fd);
+}
+
+void
+isc_socketmgr_setreserved(isc_socketmgr_t *manager, uint32_t reserved) {
+	UNUSED(manager);
+	UNUSED(reserved);
+}
+
+isc_socketevent_t *
+isc_socket_socketevent(isc_mem_t *mctx, void *sender, isc_eventtype_t eventtype,
+		       isc_taskaction_t action, void *arg) {
+	return (allocate_socketevent(mctx, sender, eventtype, action, arg));
+}
+
+bool
+isc_socket_hasreuseport() {
+	return (false);
+}
+
+#ifdef HAVE_LIBXML2
+
+static const char *
+_socktype(isc_sockettype_t type) {
+	switch (type) {
+	case isc_sockettype_udp:
+		return ("udp");
+	case isc_sockettype_tcp:
+		return ("tcp");
+	case isc_sockettype_unix:
+		return ("unix");
+	default:
+		return ("not-initialized");
+	}
+}
+
+#define TRY0(a)                     \
+	do {                        \
+		xmlrc = (a);        \
+		if (xmlrc < 0)      \
+			goto error; \
+	} while (0)
+int
+isc_socketmgr_renderxml(isc_socketmgr_t *mgr, void *writer0) {
+	isc_socket_t *sock = NULL;
+	char peerbuf[ISC_SOCKADDR_FORMATSIZE];
+	isc_sockaddr_t addr;
+	socklen_t len;
+	int xmlrc;
+	xmlTextWriterPtr writer = (xmlTextWriterPtr)writer0;
+
+	LOCK(&mgr->lock);
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "sockets"));
+	sock = ISC_LIST_HEAD(mgr->socklist);
+	while (sock != NULL) {
+		LOCK(&sock->lock);
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "socket"));
+
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "id"));
+		TRY0(xmlTextWriterWriteFormatString(writer, "%p", sock));
+		TRY0(xmlTextWriterEndElement(writer));
+
+		if (sock->name[0] != 0) {
+			TRY0(xmlTextWriterStartElement(writer,
+						       ISC_XMLCHAR "name"));
+			TRY0(xmlTextWriterWriteFormatString(writer, "%s",
+							    sock->name));
+			TRY0(xmlTextWriterEndElement(writer)); /* name */
+		}
+
+		TRY0(xmlTextWriterStartElement(writer,
+					       ISC_XMLCHAR "references"));
+		TRY0(xmlTextWriterWriteFormatString(
+			writer, "%" PRIuFAST32,
+			isc_refcount_current(&sock->references)));
+		TRY0(xmlTextWriterEndElement(writer));
+
+		TRY0(xmlTextWriterWriteElement(
+			writer, ISC_XMLCHAR "type",
+			ISC_XMLCHAR _socktype(sock->type)));
+
+		if (sock->connected) {
+			isc_sockaddr_format(&sock->address, peerbuf,
+					    sizeof(peerbuf));
+			TRY0(xmlTextWriterWriteElement(
+				writer, ISC_XMLCHAR "peer-address",
+				ISC_XMLCHAR peerbuf));
+		}
+
+		len = sizeof(addr);
+		if (getsockname(sock->fd, &addr.type.sa, (void *)&len) == 0) {
+			isc_sockaddr_format(&addr, peerbuf, sizeof(peerbuf));
+			TRY0(xmlTextWriterWriteElement(
+				writer, ISC_XMLCHAR "local-address",
+				ISC_XMLCHAR peerbuf));
+		}
+
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "states"));
+		if (sock->pending_recv) {
+			TRY0(xmlTextWriterWriteElement(
+				writer, ISC_XMLCHAR "state",
+				ISC_XMLCHAR "pending-receive"));
+		}
+		if (sock->pending_send) {
+			TRY0(xmlTextWriterWriteElement(
+				writer, ISC_XMLCHAR "state",
+				ISC_XMLCHAR "pending-send"));
+		}
+		if (sock->pending_accept) {
+			TRY0(xmlTextWriterWriteElement(
+				writer, ISC_XMLCHAR "state",
+				ISC_XMLCHAR "pending_accept"));
+		}
+		if (sock->listener) {
+			TRY0(xmlTextWriterWriteElement(writer,
+						       ISC_XMLCHAR "state",
+						       ISC_XMLCHAR "listener"));
+		}
+		if (sock->connected) {
+			TRY0(xmlTextWriterWriteElement(
+				writer, ISC_XMLCHAR "state",
+				ISC_XMLCHAR "connected"));
+		}
+		if (sock->pending_connect) {
+			TRY0(xmlTextWriterWriteElement(
+				writer, ISC_XMLCHAR "state",
+				ISC_XMLCHAR "connecting"));
+		}
+		if (sock->bound) {
+			TRY0(xmlTextWriterWriteElement(writer,
+						       ISC_XMLCHAR "state",
+						       ISC_XMLCHAR "bound"));
+		}
+
+		TRY0(xmlTextWriterEndElement(writer)); /* states */
+
+		TRY0(xmlTextWriterEndElement(writer)); /* socket */
+
+		UNLOCK(&sock->lock);
+		sock = ISC_LIST_NEXT(sock, link);
+	}
+	TRY0(xmlTextWriterEndElement(writer)); /* sockets */
+
+error:
+	if (sock != NULL) {
+		UNLOCK(&sock->lock);
+	}
+
+	UNLOCK(&mgr->lock);
+
+	return (xmlrc);
+}
+#endif /* HAVE_LIBXML2 */
+
+#ifdef HAVE_JSON_C
+#define CHECKMEM(m)                              \
+	do {                                     \
+		if (m == NULL) {                 \
+			result = ISC_R_NOMEMORY; \
+			goto error;              \
+		}                                \
+	} while (0)
+isc_result_t
+isc_socketmgr_renderjson(isc_socketmgr_t *mgr, void *stats0) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_socket_t *sock = NULL;
+	char peerbuf[ISC_SOCKADDR_FORMATSIZE];
+	isc_sockaddr_t addr;
+	socklen_t len;
+	json_object *obj, *array = json_object_new_array();
+	json_object *stats = (json_object *)stats;
+
+	CHECKMEM(array);
+
+	LOCK(&mgr->lock);
+
+#ifdef USE_SHARED_MANAGER
+	obj = json_object_new_int(mgr->refs);
+	CHECKMEM(obj);
+	json_object_object_add(stats, "references", obj);
+#endif /* USE_SHARED_MANAGER */
+
+	sock = ISC_LIST_HEAD(mgr->socklist);
+	while (sock != NULL) {
+		json_object *states, *entry = json_object_new_object();
+		char buf[255];
+
+		CHECKMEM(entry);
+		json_object_array_add(array, entry);
+
+		LOCK(&sock->lock);
+
+		snprintf(buf, sizeof(buf), "%p", sock);
+		obj = json_object_new_string(buf);
+		CHECKMEM(obj);
+		json_object_object_add(entry, "id", obj);
+
+		if (sock->name[0] != 0) {
+			obj = json_object_new_string(sock->name);
+			CHECKMEM(obj);
+			json_object_object_add(entry, "name", obj);
+		}
+
+		obj = json_object_new_int(
+			isc_refcount_current(&sock->references));
+		CHECKMEM(obj);
+		json_object_object_add(entry, "references", obj);
+
+		obj = json_object_new_string(_socktype(sock->type));
+		CHECKMEM(obj);
+		json_object_object_add(entry, "type", obj);
+
+		if (sock->connected) {
+			isc_sockaddr_format(&sock->address, peerbuf,
+					    sizeof(peerbuf));
+			obj = json_object_new_string(peerbuf);
+			CHECKMEM(obj);
+			json_object_object_add(entry, "peer-address", obj);
+		}
+
+		len = sizeof(addr);
+		if (getsockname(sock->fd, &addr.type.sa, (void *)&len) == 0) {
+			isc_sockaddr_format(&addr, peerbuf, sizeof(peerbuf));
+			obj = json_object_new_string(peerbuf);
+			CHECKMEM(obj);
+			json_object_object_add(entry, "local-address", obj);
+		}
+
+		states = json_object_new_array();
+		CHECKMEM(states);
+		json_object_object_add(entry, "states", states);
+
+		if (sock->pending_recv) {
+			obj = json_object_new_string("pending-receive");
+			CHECKMEM(obj);
+			json_object_array_add(states, obj);
+		}
+
+		if (sock->pending_send) {
+			obj = json_object_new_string("pending-send");
+			CHECKMEM(obj);
+			json_object_array_add(states, obj);
+		}
+
+		if (sock->pending_accept) {
+			obj = json_object_new_string("pending-accept");
+			CHECKMEM(obj);
+			json_object_array_add(states, obj);
+		}
+
+		if (sock->listener) {
+			obj = json_object_new_string("listener");
+			CHECKMEM(obj);
+			json_object_array_add(states, obj);
+		}
+
+		if (sock->connected) {
+			obj = json_object_new_string("connected");
+			CHECKMEM(obj);
+			json_object_array_add(states, obj);
+		}
+
+		if (sock->pending_connect) {
+			obj = json_object_new_string("connecting");
+			CHECKMEM(obj);
+			json_object_array_add(states, obj);
+		}
+
+		if (sock->bound) {
+			obj = json_object_new_string("bound");
+			CHECKMEM(obj);
+			json_object_array_add(states, obj);
+		}
+
+		UNLOCK(&sock->lock);
+		sock = ISC_LIST_NEXT(sock, link);
+	}
+
+	json_object_object_add(stats, "sockets", array);
+	array = NULL;
+	result = ISC_R_SUCCESS;
+
+error:
+	if (array != NULL) {
+		json_object_put(array);
+	}
+
+	if (sock != NULL) {
+		UNLOCK(&sock->lock);
+	}
+
+	UNLOCK(&mgr->lock);
+
+	return (result);
+}
+#endif /* HAVE_JSON_C */
+
+void
+isc_socketmgr_maxudp(isc_socketmgr_t *manager, unsigned int maxudp) {
+	REQUIRE(VALID_MANAGER(manager));
+
+	manager->maxudp = maxudp;
+}
diff --git a/lib/isc/win32/stdio.c b/lib/isc/win32/stdio.c
new file mode 100644
index 0000000..1e55c30
--- /dev/null
+++ b/lib/isc/win32/stdio.c
@@ -0,0 +1,158 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <errno.h>
+#include <io.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+
+#include <isc/stdio.h>
+#include <isc/util.h>
+
+#include "errno2result.h"
+
+isc_result_t
+isc_stdio_open(const char *filename, const char *mode, FILE **fp) {
+	FILE *f;
+
+	f = fopen(filename, mode);
+	if (f == NULL) {
+		return (isc__errno2result(errno));
+	}
+	*fp = f;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_stdio_close(FILE *f) {
+	int r;
+
+	r = fclose(f);
+	if (r == 0) {
+		return (ISC_R_SUCCESS);
+	} else {
+		return (isc__errno2result(errno));
+	}
+}
+
+isc_result_t
+isc_stdio_seek(FILE *f, off_t offset, int whence) {
+	int r;
+
+#ifndef _WIN64
+	r = fseek(f, offset, whence);
+#else  /* ifndef _WIN64 */
+	r = _fseeki64(f, offset, whence);
+#endif /* ifndef _WIN64 */
+	if (r == 0) {
+		return (ISC_R_SUCCESS);
+	} else {
+		return (isc__errno2result(errno));
+	}
+}
+
+isc_result_t
+isc_stdio_tell(FILE *f, off_t *offsetp) {
+#ifndef _WIN64
+	long r;
+#else  /* ifndef _WIN64 */
+	__int64 r;
+#endif /* ifndef _WIN64 */
+
+	REQUIRE(offsetp != NULL);
+
+#ifndef _WIN64
+	r = ftell(f);
+#else  /* ifndef _WIN64 */
+	r = _ftelli64(f);
+#endif /* ifndef _WIN64 */
+	if (r >= 0) {
+		*offsetp = r;
+		return (ISC_R_SUCCESS);
+	} else {
+		return (isc__errno2result(errno));
+	}
+}
+
+isc_result_t
+isc_stdio_read(void *ptr, size_t size, size_t nmemb, FILE *f, size_t *nret) {
+	isc_result_t result = ISC_R_SUCCESS;
+	size_t r;
+
+	clearerr(f);
+	r = fread(ptr, size, nmemb, f);
+	if (r != nmemb) {
+		if (feof(f)) {
+			result = ISC_R_EOF;
+		} else {
+			result = isc__errno2result(errno);
+		}
+	}
+	if (nret != NULL) {
+		*nret = r;
+	}
+	return (result);
+}
+
+isc_result_t
+isc_stdio_write(const void *ptr, size_t size, size_t nmemb, FILE *f,
+		size_t *nret) {
+	isc_result_t result = ISC_R_SUCCESS;
+	size_t r;
+
+	clearerr(f);
+	r = fwrite(ptr, size, nmemb, f);
+	if (r != nmemb) {
+		result = isc__errno2result(errno);
+	}
+	if (nret != NULL) {
+		*nret = r;
+	}
+	return (result);
+}
+
+isc_result_t
+isc_stdio_flush(FILE *f) {
+	int r;
+
+	r = fflush(f);
+	if (r == 0) {
+		return (ISC_R_SUCCESS);
+	} else {
+		return (isc__errno2result(errno));
+	}
+}
+
+isc_result_t
+isc_stdio_sync(FILE *f) {
+	struct _stat buf;
+	int r;
+
+	if (_fstat(_fileno(f), &buf) != 0) {
+		return (isc__errno2result(errno));
+	}
+
+	/*
+	 * Only call _commit() on regular files.
+	 */
+	if ((buf.st_mode & S_IFMT) != S_IFREG) {
+		return (ISC_R_SUCCESS);
+	}
+
+	r = _commit(_fileno(f));
+	if (r == 0) {
+		return (ISC_R_SUCCESS);
+	} else {
+		return (isc__errno2result(errno));
+	}
+}
diff --git a/lib/isc/win32/stdtime.c b/lib/isc/win32/stdtime.c
new file mode 100644
index 0000000..93fcd66
--- /dev/null
+++ b/lib/isc/win32/stdtime.c
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <time.h>
+
+#include <isc/assertions.h>
+#include <isc/stdtime.h>
+#include <isc/util.h>
+
+void
+isc_stdtime_get(isc_stdtime_t *t) {
+	/*
+	 * Set 't' to the number of seconds past 00:00:00 UTC, January 1, 1970.
+	 */
+
+	REQUIRE(t != NULL);
+
+	(void)_time32(t);
+}
+
+void
+isc_stdtime_tostring(isc_stdtime_t t, char *out, size_t outlen) {
+	time_t when;
+
+	REQUIRE(out != NULL);
+	/* Minimum buffer as per ctime_r() specification. */
+	REQUIRE(outlen >= 26);
+
+	/* time_t and isc_stdtime_t might be different sizes */
+	when = t;
+	INSIST((ctime_s(out, outlen, &when) == 0));
+	*(out + strlen(out) - 1) = '\0';
+}
diff --git a/lib/isc/win32/syslog.c b/lib/isc/win32/syslog.c
new file mode 100644
index 0000000..ad23a0f
--- /dev/null
+++ b/lib/isc/win32/syslog.c
@@ -0,0 +1,171 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <syslog.h>
+#include <windows.h>
+
+#include <isc/bindevt.h>
+#include <isc/result.h>
+#include <isc/syslog.h>
+#include <isc/util.h>
+
+static HANDLE hAppLog = NULL;
+static FILE *log_stream;
+static int debug_level = 0;
+
+static struct dsn_c_pvt_sfnt {
+	int val;
+	const char *strval;
+} facilities[] = { { LOG_KERN, "kern" },
+		   { LOG_USER, "user" },
+		   { LOG_MAIL, "mail" },
+		   { LOG_DAEMON, "daemon" },
+		   { LOG_AUTH, "auth" },
+		   { LOG_SYSLOG, "syslog" },
+		   { LOG_LPR, "lpr" },
+#ifdef LOG_NEWS
+		   { LOG_NEWS, "news" },
+#endif /* ifdef LOG_NEWS */
+#ifdef LOG_UUCP
+		   { LOG_UUCP, "uucp" },
+#endif /* ifdef LOG_UUCP */
+#ifdef LOG_CRON
+		   { LOG_CRON, "cron" },
+#endif /* ifdef LOG_CRON */
+#ifdef LOG_AUTHPRIV
+		   { LOG_AUTHPRIV, "authpriv" },
+#endif /* ifdef LOG_AUTHPRIV */
+#ifdef LOG_FTP
+		   { LOG_FTP, "ftp" },
+#endif /* ifdef LOG_FTP */
+		   { LOG_LOCAL0, "local0" },
+		   { LOG_LOCAL1, "local1" },
+		   { LOG_LOCAL2, "local2" },
+		   { LOG_LOCAL3, "local3" },
+		   { LOG_LOCAL4, "local4" },
+		   { LOG_LOCAL5, "local5" },
+		   { LOG_LOCAL6, "local6" },
+		   { LOG_LOCAL7, "local7" },
+		   { 0, NULL } };
+
+isc_result_t
+isc_syslog_facilityfromstring(const char *str, int *facilityp) {
+	int i;
+
+	REQUIRE(str != NULL);
+	REQUIRE(facilityp != NULL);
+
+	for (i = 0; facilities[i].strval != NULL; i++) {
+		if (strcasecmp(facilities[i].strval, str) == 0) {
+			*facilityp = facilities[i].val;
+			return (ISC_R_SUCCESS);
+		}
+	}
+	return (ISC_R_NOTFOUND);
+}
+
+/*
+ * Log to the NT Event Log
+ */
+void
+syslog(int level, const char *fmt, ...) {
+	va_list ap;
+	char buf[1024];
+	char *str[1];
+
+	str[0] = buf;
+
+	va_start(ap, fmt);
+	vsprintf(buf, fmt, ap);
+	va_end(ap);
+
+	/* Make sure that the channel is open to write the event */
+	if (hAppLog != NULL) {
+		switch (level) {
+		case LOG_INFO:
+		case LOG_NOTICE:
+		case LOG_DEBUG:
+			ReportEvent(hAppLog, EVENTLOG_INFORMATION_TYPE, 0,
+				    BIND_INFO_MSG, NULL, 1, 0, str, NULL);
+			break;
+		case LOG_WARNING:
+			ReportEvent(hAppLog, EVENTLOG_WARNING_TYPE, 0,
+				    BIND_WARN_MSG, NULL, 1, 0, str, NULL);
+			break;
+		default:
+			ReportEvent(hAppLog, EVENTLOG_ERROR_TYPE, 0,
+				    BIND_ERR_MSG, NULL, 1, 0, str, NULL);
+			break;
+		}
+	}
+}
+
+/*
+ * Initialize event logging
+ */
+void
+openlog(const char *name, int flags, ...) {
+	/* Get a handle to the Application event log */
+	hAppLog = RegisterEventSource(NULL, name);
+}
+
+/*
+ * Close the Handle to the application Event Log
+ * We don't care whether or not we succeeded so ignore return values
+ * In fact if we failed then we would have nowhere to put the message
+ */
+void
+closelog(void) {
+	DeregisterEventSource(hAppLog);
+}
+
+/*
+ * Keep event logging synced with the current debug level
+ */
+void
+ModifyLogLevel(int level) {
+	debug_level = level;
+}
+
+/*
+ * Initialize logging for the port section of libbind.
+ * Piggyback onto stream given.
+ */
+void
+InitNTLogging(FILE *stream, int debug) {
+	log_stream = stream;
+	ModifyLogLevel(debug);
+}
+/*
+ * This function is for reporting errors to the application
+ * event log in case the regular syslog is not available
+ * mainly during startup. It should not be used under normal
+ * circumstances.
+ */
+void
+NTReportError(const char *name, const char *str) {
+	HANDLE hNTAppLog = NULL;
+	const char *buf[1];
+
+	buf[0] = str;
+
+	hNTAppLog = RegisterEventSource(NULL, name);
+
+	ReportEvent(hNTAppLog, EVENTLOG_ERROR_TYPE, 0, BIND_ERR_MSG, NULL, 1, 0,
+		    buf, NULL);
+
+	DeregisterEventSource(hNTAppLog);
+}
diff --git a/lib/isc/win32/syslog.h b/lib/isc/win32/syslog.h
new file mode 100644
index 0000000..e785144
--- /dev/null
+++ b/lib/isc/win32/syslog.h
@@ -0,0 +1,70 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef _SYSLOG_H
+#define _SYSLOG_H
+
+#include <stdio.h>
+
+/* Constant definitions for openlog() */
+#define LOG_PID	 1
+#define LOG_CONS 2
+/* NT event log does not support facility level */
+#define LOG_KERN   0
+#define LOG_USER   0
+#define LOG_MAIL   0
+#define LOG_DAEMON 0
+#define LOG_AUTH   0
+#define LOG_SYSLOG 0
+#define LOG_LPR	   0
+#define LOG_LOCAL0 0
+#define LOG_LOCAL1 0
+#define LOG_LOCAL2 0
+#define LOG_LOCAL3 0
+#define LOG_LOCAL4 0
+#define LOG_LOCAL5 0
+#define LOG_LOCAL6 0
+#define LOG_LOCAL7 0
+
+#define LOG_EMERG   0 /* system is unusable */
+#define LOG_ALERT   1 /* action must be taken immediately */
+#define LOG_CRIT    2 /* critical conditions */
+#define LOG_ERR	    3 /* error conditions */
+#define LOG_WARNING 4 /* warning conditions */
+#define LOG_NOTICE  5 /* normal but signification condition */
+#define LOG_INFO    6 /* informational */
+#define LOG_DEBUG   7 /* debug-level messages */
+
+void
+syslog(int level, const char *fmt, ...);
+
+void
+openlog(const char *, int, ...);
+
+void
+closelog(void);
+
+void
+ModifyLogLevel(int level);
+
+void
+InitNTLogging(FILE *, int);
+
+void
+NTReportError(const char *, const char *);
+/*
+ * Include the event codes required for logging.
+ */
+#include <isc/bindevt.h>
+
+#endif /* ifndef _SYSLOG_H */
diff --git a/lib/isc/win32/thread.c b/lib/isc/win32/thread.c
new file mode 100644
index 0000000..e373e75
--- /dev/null
+++ b/lib/isc/win32/thread.c
@@ -0,0 +1,82 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <process.h>
+
+#include <isc/mutex.h>
+#include <isc/once.h>
+#include <isc/strerr.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+
+#include "trampoline_p.h"
+
+void
+isc_thread_create(isc_threadfunc_t start, isc_threadarg_t arg,
+		  isc_thread_t *threadp) {
+	isc_thread_t thread;
+	unsigned int id;
+	isc__trampoline_t *trampoline_arg;
+
+	trampoline_arg = isc__trampoline_get(start, arg);
+
+	thread = (isc_thread_t)_beginthreadex(NULL, 0, isc__trampoline_run,
+					      trampoline_arg, 0, &id);
+	if (thread == NULL) {
+		char strbuf[ISC_STRERRORSIZE];
+		strerror_r(errno, strbuf, sizeof(strbuf));
+		isc_error_fatal(__FILE__, __LINE__, "_beginthreadex failed: %s",
+				strbuf);
+	}
+
+	*threadp = thread;
+
+	return;
+}
+
+void
+isc_thread_join(isc_thread_t thread, isc_threadresult_t *rp) {
+	DWORD result;
+
+	result = WaitForSingleObject(thread, INFINITE);
+	if (result != WAIT_OBJECT_0) {
+		isc_error_fatal(__FILE__, __LINE__,
+				"WaitForSingleObject() != WAIT_OBJECT_0");
+	}
+	if (rp != NULL && !GetExitCodeThread(thread, rp)) {
+		isc_error_fatal(__FILE__, __LINE__,
+				"GetExitCodeThread() failed: %d",
+				GetLastError());
+	}
+	(void)CloseHandle(thread);
+}
+
+void
+isc_thread_setconcurrency(unsigned int level) {
+	/*
+	 * This is unnecessary on Win32 systems, but is here so that the
+	 * call exists
+	 */
+}
+
+void
+isc_thread_setname(isc_thread_t thread, const char *name) {
+	UNUSED(thread);
+	UNUSED(name);
+}
+
+isc_result_t
+isc_thread_setaffinity(int cpu) {
+	/* no-op on Windows for now */
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/isc/win32/time.c b/lib/isc/win32/time.c
new file mode 100644
index 0000000..c29edd3
--- /dev/null
+++ b/lib/isc/win32/time.c
@@ -0,0 +1,651 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <errno.h>
+#include <inttypes.h>
+#include <limits.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <windows.h>
+
+#include <isc/assertions.h>
+#include <isc/once.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/tm.h>
+#include <isc/util.h>
+
+/*
+ * struct FILETIME uses "100-nanoseconds intervals".
+ * NS / S = 1000000000 (10^9).
+ * While it is reasonably obvious that this makes the needed
+ * conversion factor 10^7, it is coded this way for additional clarity.
+ */
+#define NS_PER_S	1000000000
+#define NS_INTERVAL	100
+#define INTERVALS_PER_S (NS_PER_S / NS_INTERVAL)
+
+/***
+ *** Absolute Times
+ ***/
+
+static const isc_time_t epoch = { { 0, 0 } };
+LIBISC_EXTERNAL_DATA const isc_time_t *const isc_time_epoch = &epoch;
+
+/***
+ *** Intervals
+ ***/
+
+static const isc_interval_t zero_interval = { 0 };
+LIBISC_EXTERNAL_DATA const isc_interval_t *const isc_interval_zero =
+	&zero_interval;
+
+void
+isc_interval_set(isc_interval_t *i, unsigned int seconds,
+		 unsigned int nanoseconds) {
+	REQUIRE(i != NULL);
+	REQUIRE(nanoseconds < NS_PER_S);
+
+	/*
+	 * This rounds nanoseconds up not down.
+	 */
+	i->interval = (LONGLONG)seconds * INTERVALS_PER_S +
+		      (nanoseconds + NS_INTERVAL - 1) / NS_INTERVAL;
+}
+
+bool
+isc_interval_iszero(const isc_interval_t *i) {
+	REQUIRE(i != NULL);
+	if (i->interval == 0) {
+		return (true);
+	}
+
+	return (false);
+}
+
+void
+isc_time_set(isc_time_t *t, unsigned int seconds, unsigned int nanoseconds) {
+	SYSTEMTIME epoch1970 = { 1970, 1, 4, 1, 0, 0, 0, 0 };
+	FILETIME temp;
+	ULARGE_INTEGER i1;
+
+	REQUIRE(t != NULL);
+	REQUIRE(nanoseconds < NS_PER_S);
+
+	SystemTimeToFileTime(&epoch1970, &temp);
+
+	i1.LowPart = temp.dwLowDateTime;
+	i1.HighPart = temp.dwHighDateTime;
+
+	/* cppcheck-suppress unreadVariable */
+	i1.QuadPart += (unsigned __int64)nanoseconds / 100;
+	/* cppcheck-suppress unreadVariable */
+	i1.QuadPart += (unsigned __int64)seconds * 10000000;
+
+	t->absolute.dwLowDateTime = i1.LowPart;
+	t->absolute.dwHighDateTime = i1.HighPart;
+}
+
+void
+isc_time_settoepoch(isc_time_t *t) {
+	REQUIRE(t != NULL);
+
+	t->absolute.dwLowDateTime = 0;
+	t->absolute.dwHighDateTime = 0;
+}
+
+bool
+isc_time_isepoch(const isc_time_t *t) {
+	REQUIRE(t != NULL);
+
+	if (t->absolute.dwLowDateTime == 0 && t->absolute.dwHighDateTime == 0) {
+		return (true);
+	}
+
+	return (false);
+}
+
+isc_result_t
+isc_time_now(isc_time_t *t) {
+	REQUIRE(t != NULL);
+
+	GetSystemTimeAsFileTime(&t->absolute);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_time_now_hires(isc_time_t *t) {
+	REQUIRE(t != NULL);
+
+	GetSystemTimePreciseAsFileTime(&t->absolute);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_time_nowplusinterval(isc_time_t *t, const isc_interval_t *i) {
+	ULARGE_INTEGER i1;
+
+	REQUIRE(t != NULL);
+	REQUIRE(i != NULL);
+
+	GetSystemTimeAsFileTime(&t->absolute);
+
+	i1.LowPart = t->absolute.dwLowDateTime;
+	i1.HighPart = t->absolute.dwHighDateTime;
+
+	if (UINT64_MAX - i1.QuadPart < (unsigned __int64)i->interval) {
+		return (ISC_R_RANGE);
+	}
+
+	/* cppcheck-suppress unreadVariable */
+	i1.QuadPart += i->interval;
+
+	t->absolute.dwLowDateTime = i1.LowPart;
+	t->absolute.dwHighDateTime = i1.HighPart;
+
+	return (ISC_R_SUCCESS);
+}
+
+int
+isc_time_compare(const isc_time_t *t1, const isc_time_t *t2) {
+	REQUIRE(t1 != NULL && t2 != NULL);
+
+	return ((int)CompareFileTime(&t1->absolute, &t2->absolute));
+}
+
+isc_result_t
+isc_time_add(const isc_time_t *t, const isc_interval_t *i, isc_time_t *result) {
+	ULARGE_INTEGER i1;
+
+	REQUIRE(t != NULL && i != NULL && result != NULL);
+
+	i1.LowPart = t->absolute.dwLowDateTime;
+	i1.HighPart = t->absolute.dwHighDateTime;
+
+	if (UINT64_MAX - i1.QuadPart < (unsigned __int64)i->interval) {
+		return (ISC_R_RANGE);
+	}
+
+	/* cppcheck-suppress unreadVariable */
+	i1.QuadPart += i->interval;
+
+	result->absolute.dwLowDateTime = i1.LowPart;
+	result->absolute.dwHighDateTime = i1.HighPart;
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_time_subtract(const isc_time_t *t, const isc_interval_t *i,
+		  isc_time_t *result) {
+	ULARGE_INTEGER i1;
+
+	REQUIRE(t != NULL && i != NULL && result != NULL);
+
+	i1.LowPart = t->absolute.dwLowDateTime;
+	i1.HighPart = t->absolute.dwHighDateTime;
+
+	if (i1.QuadPart < (unsigned __int64)i->interval) {
+		return (ISC_R_RANGE);
+	}
+
+	/* cppcheck-suppress unreadVariable */
+	i1.QuadPart -= i->interval;
+
+	result->absolute.dwLowDateTime = i1.LowPart;
+	result->absolute.dwHighDateTime = i1.HighPart;
+
+	return (ISC_R_SUCCESS);
+}
+
+uint64_t
+isc_time_microdiff(const isc_time_t *t1, const isc_time_t *t2) {
+	ULARGE_INTEGER i1, i2;
+	LONGLONG i3;
+
+	REQUIRE(t1 != NULL && t2 != NULL);
+
+	/* cppcheck-suppress unreadVariable */
+	i1.LowPart = t1->absolute.dwLowDateTime;
+	/* cppcheck-suppress unreadVariable */
+	i1.HighPart = t1->absolute.dwHighDateTime;
+	/* cppcheck-suppress unreadVariable */
+	i2.LowPart = t2->absolute.dwLowDateTime;
+	/* cppcheck-suppress unreadVariable */
+	i2.HighPart = t2->absolute.dwHighDateTime;
+
+	if (i1.QuadPart <= i2.QuadPart) {
+		return (0);
+	}
+
+	/*
+	 * Convert to microseconds.
+	 */
+	i3 = (i1.QuadPart - i2.QuadPart) / 10;
+
+	return (i3);
+}
+
+uint32_t
+isc_time_seconds(const isc_time_t *t) {
+	SYSTEMTIME epoch1970 = { 1970, 1, 4, 1, 0, 0, 0, 0 };
+	FILETIME temp;
+	ULARGE_INTEGER i1, i2;
+	LONGLONG i3;
+
+	SystemTimeToFileTime(&epoch1970, &temp);
+
+	/* cppcheck-suppress unreadVariable */
+	i1.LowPart = t->absolute.dwLowDateTime;
+	/* cppcheck-suppress unreadVariable */
+	i1.HighPart = t->absolute.dwHighDateTime;
+	/* cppcheck-suppress unreadVariable */
+	i2.LowPart = temp.dwLowDateTime;
+	/* cppcheck-suppress unreadVariable */
+	i2.HighPart = temp.dwHighDateTime;
+
+	i3 = (i1.QuadPart - i2.QuadPart) / 10000000;
+
+	return ((uint32_t)i3);
+}
+
+isc_result_t
+isc_time_secondsastimet(const isc_time_t *t, time_t *secondsp) {
+	time_t seconds;
+
+	REQUIRE(t != NULL);
+
+	seconds = (time_t)isc_time_seconds(t);
+
+	INSIST(sizeof(unsigned int) == sizeof(uint32_t));
+	INSIST(sizeof(time_t) >= sizeof(uint32_t));
+
+	if (isc_time_seconds(t) > (~0U >> 1) && seconds <= (time_t)(~0U >> 1)) {
+		return (ISC_R_RANGE);
+	}
+
+	*secondsp = seconds;
+
+	return (ISC_R_SUCCESS);
+}
+
+uint32_t
+isc_time_nanoseconds(const isc_time_t *t) {
+	ULARGE_INTEGER i;
+
+	i.LowPart = t->absolute.dwLowDateTime;
+	i.HighPart = t->absolute.dwHighDateTime;
+	return ((uint32_t)(i.QuadPart % 10000000) * 100);
+}
+
+void
+isc_time_formattimestamp(const isc_time_t *t, char *buf, unsigned int len) {
+	FILETIME localft;
+	SYSTEMTIME st;
+	char DateBuf[50];
+	char TimeBuf[50];
+
+	REQUIRE(t != NULL);
+	REQUIRE(buf != NULL);
+	REQUIRE(len > 0);
+
+	if (FileTimeToLocalFileTime(&t->absolute, &localft) &&
+	    FileTimeToSystemTime(&localft, &st))
+	{
+		GetDateFormat(LOCALE_USER_DEFAULT, 0, &st, "dd-MMM-yyyy",
+			      DateBuf, 50);
+		GetTimeFormat(LOCALE_USER_DEFAULT,
+			      TIME_NOTIMEMARKER | TIME_FORCE24HOURFORMAT, &st,
+			      NULL, TimeBuf, 50);
+
+		snprintf(buf, len, "%s %s.%03u", DateBuf, TimeBuf,
+			 st.wMilliseconds);
+	} else {
+		strlcpy(buf, "99-Bad-9999 99:99:99.999", len);
+	}
+}
+
+void
+isc_time_formathttptimestamp(const isc_time_t *t, char *buf, unsigned int len) {
+	SYSTEMTIME st;
+	char DateBuf[50];
+	char TimeBuf[50];
+
+	/* strftime() format: "%a, %d %b %Y %H:%M:%S GMT" */
+
+	REQUIRE(t != NULL);
+	REQUIRE(buf != NULL);
+	REQUIRE(len > 0);
+
+	if (FileTimeToSystemTime(&t->absolute, &st)) {
+		GetDateFormat(LOCALE_USER_DEFAULT, 0, &st, "ddd',' dd MMM yyyy",
+			      DateBuf, 50);
+		GetTimeFormat(LOCALE_USER_DEFAULT,
+			      TIME_NOTIMEMARKER | TIME_FORCE24HOURFORMAT, &st,
+			      "hh':'mm':'ss", TimeBuf, 50);
+
+		snprintf(buf, len, "%s %s GMT", DateBuf, TimeBuf);
+	} else {
+		buf[0] = 0;
+	}
+}
+
+isc_result_t
+isc_time_parsehttptimestamp(char *buf, isc_time_t *t) {
+	struct tm t_tm;
+	time_t when;
+	char *p;
+
+	REQUIRE(buf != NULL);
+	REQUIRE(t != NULL);
+
+	p = isc_tm_strptime(buf, "%a, %d %b %Y %H:%M:%S", &t_tm);
+	if (p == NULL) {
+		return (ISC_R_UNEXPECTED);
+	}
+	when = isc_tm_timegm(&t_tm);
+	if (when == -1) {
+		return (ISC_R_UNEXPECTED);
+	}
+	isc_time_set(t, (unsigned int)when, 0);
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_time_formatISO8601L(const isc_time_t *t, char *buf, unsigned int len) {
+	SYSTEMTIME st;
+	char DateBuf[50];
+	char TimeBuf[50];
+
+	/* strtime() format: "%Y-%m-%dT%H:%M:%S" */
+
+	REQUIRE(t != NULL);
+	REQUIRE(buf != NULL);
+	REQUIRE(len > 0);
+
+	if (FileTimeToSystemTime(&t->absolute, &st)) {
+		GetDateFormat(LOCALE_USER_DEFAULT, 0, &st, "yyyy-MM-dd",
+			      DateBuf, 50);
+		GetTimeFormat(LOCALE_USER_DEFAULT,
+			      TIME_NOTIMEMARKER | TIME_FORCE24HOURFORMAT, &st,
+			      "hh':'mm':'ss", TimeBuf, 50);
+		snprintf(buf, len, "%sT%s", DateBuf, TimeBuf);
+	} else {
+		buf[0] = 0;
+	}
+}
+
+void
+isc_time_formatISO8601Lms(const isc_time_t *t, char *buf, unsigned int len) {
+	SYSTEMTIME st;
+	char DateBuf[50];
+	char TimeBuf[50];
+
+	/* strtime() format: "%Y-%m-%dT%H:%M:%S.SSS" */
+
+	REQUIRE(t != NULL);
+	REQUIRE(buf != NULL);
+	REQUIRE(len > 0);
+
+	if (FileTimeToSystemTime(&t->absolute, &st)) {
+		GetDateFormat(LOCALE_USER_DEFAULT, 0, &st, "yyyy-MM-dd",
+			      DateBuf, 50);
+		GetTimeFormat(LOCALE_USER_DEFAULT,
+			      TIME_NOTIMEMARKER | TIME_FORCE24HOURFORMAT, &st,
+			      "hh':'mm':'ss", TimeBuf, 50);
+		snprintf(buf, len, "%sT%s.%03u", DateBuf, TimeBuf,
+			 st.wMilliseconds);
+	} else {
+		buf[0] = 0;
+	}
+}
+
+void
+isc_time_formatISO8601Lus(const isc_time_t *t, char *buf, unsigned int len) {
+	SYSTEMTIME st;
+	char DateBuf[50];
+	char TimeBuf[50];
+
+	/* strtime() format: "%Y-%m-%dT%H:%M:%S.SSSSSS" */
+
+	REQUIRE(t != NULL);
+	REQUIRE(buf != NULL);
+	REQUIRE(len > 0);
+
+	if (FileTimeToSystemTime(&t->absolute, &st)) {
+		ULARGE_INTEGER i;
+
+		GetDateFormat(LOCALE_USER_DEFAULT, 0, &st, "yyyy-MM-dd",
+			      DateBuf, 50);
+		GetTimeFormat(LOCALE_USER_DEFAULT,
+			      TIME_NOTIMEMARKER | TIME_FORCE24HOURFORMAT, &st,
+			      "hh':'mm':'ss", TimeBuf, 50);
+		i.LowPart = t->absolute.dwLowDateTime;
+		i.HighPart = t->absolute.dwHighDateTime;
+		snprintf(buf, len, "%sT%s.%06u", DateBuf, TimeBuf,
+			 (uint32_t)(i.QuadPart % 10000000) / 10);
+	} else {
+		buf[0] = 0;
+	}
+}
+
+void
+isc_time_formatISO8601(const isc_time_t *t, char *buf, unsigned int len) {
+	SYSTEMTIME st;
+	char DateBuf[50];
+	char TimeBuf[50];
+
+	/* strtime() format: "%Y-%m-%dT%H:%M:%SZ" */
+
+	REQUIRE(t != NULL);
+	REQUIRE(buf != NULL);
+	REQUIRE(len > 0);
+
+	if (FileTimeToSystemTime(&t->absolute, &st)) {
+		GetDateFormat(LOCALE_NEUTRAL, 0, &st, "yyyy-MM-dd", DateBuf,
+			      50);
+		GetTimeFormat(LOCALE_NEUTRAL,
+			      TIME_NOTIMEMARKER | TIME_FORCE24HOURFORMAT, &st,
+			      "hh':'mm':'ss", TimeBuf, 50);
+		snprintf(buf, len, "%sT%sZ", DateBuf, TimeBuf);
+	} else {
+		buf[0] = 0;
+	}
+}
+
+void
+isc_time_formatISO8601ms(const isc_time_t *t, char *buf, unsigned int len) {
+	SYSTEMTIME st;
+	char DateBuf[50];
+	char TimeBuf[50];
+
+	/* strtime() format: "%Y-%m-%dT%H:%M:%S.SSSZ" */
+
+	REQUIRE(t != NULL);
+	REQUIRE(buf != NULL);
+	REQUIRE(len > 0);
+
+	if (FileTimeToSystemTime(&t->absolute, &st)) {
+		GetDateFormat(LOCALE_NEUTRAL, 0, &st, "yyyy-MM-dd", DateBuf,
+			      50);
+		GetTimeFormat(LOCALE_NEUTRAL,
+			      TIME_NOTIMEMARKER | TIME_FORCE24HOURFORMAT, &st,
+			      "hh':'mm':'ss", TimeBuf, 50);
+		snprintf(buf, len, "%sT%s.%03uZ", DateBuf, TimeBuf,
+			 st.wMilliseconds);
+	} else {
+		buf[0] = 0;
+	}
+}
+
+void
+isc_time_formatISO8601us(const isc_time_t *t, char *buf, unsigned int len) {
+	SYSTEMTIME st;
+	char DateBuf[50];
+	char TimeBuf[50];
+
+	/* strtime() format: "%Y-%m-%dT%H:%M:%S.SSSSSSZ" */
+
+	REQUIRE(t != NULL);
+	REQUIRE(buf != NULL);
+	REQUIRE(len > 0);
+
+	if (FileTimeToSystemTime(&t->absolute, &st)) {
+		ULARGE_INTEGER i;
+
+		GetDateFormat(LOCALE_NEUTRAL, 0, &st, "yyyy-MM-dd", DateBuf,
+			      50);
+		GetTimeFormat(LOCALE_NEUTRAL,
+			      TIME_NOTIMEMARKER | TIME_FORCE24HOURFORMAT, &st,
+			      "hh':'mm':'ss", TimeBuf, 50);
+		i.LowPart = t->absolute.dwLowDateTime;
+		i.HighPart = t->absolute.dwHighDateTime;
+		snprintf(buf, len, "%sT%s.%06uZ", DateBuf, TimeBuf,
+			 (uint32_t)(i.QuadPart % 10000000) / 10);
+	} else {
+		buf[0] = 0;
+	}
+}
+
+void
+isc_time_formatshorttimestamp(const isc_time_t *t, char *buf,
+			      unsigned int len) {
+	SYSTEMTIME st;
+	char DateBuf[50];
+	char TimeBuf[50];
+
+	/* strtime() format: "%Y%m%d%H%M%SSSS" */
+
+	REQUIRE(t != NULL);
+	REQUIRE(buf != NULL);
+	REQUIRE(len > 0);
+
+	if (FileTimeToSystemTime(&t->absolute, &st)) {
+		GetDateFormat(LOCALE_NEUTRAL, 0, &st, "yyyyMMdd", DateBuf, 50);
+		GetTimeFormat(LOCALE_NEUTRAL,
+			      TIME_NOTIMEMARKER | TIME_FORCE24HOURFORMAT, &st,
+			      "hhmmss", TimeBuf, 50);
+		snprintf(buf, len, "%s%s%03u", DateBuf, TimeBuf,
+			 st.wMilliseconds);
+	} else {
+		buf[0] = 0;
+	}
+}
+
+/*
+ * POSIX Shims
+ */
+
+struct tm *
+gmtime_r(const time_t *clock, struct tm *result) {
+	errno_t ret = gmtime_s(result, clock);
+	if (ret != 0) {
+		errno = ret;
+		return (NULL);
+	}
+	return (result);
+}
+
+struct tm *
+localtime_r(const time_t *clock, struct tm *result) {
+	errno_t ret = localtime_s(result, clock);
+	if (ret != 0) {
+		errno = ret;
+		return (NULL);
+	}
+	return (result);
+}
+
+#define BILLION 1000000000
+
+static isc_once_t nsec_ticks_once = ISC_ONCE_INIT;
+static double nsec_ticks = 0;
+
+static void
+nsec_ticks_init(void) {
+	LARGE_INTEGER ticks;
+	RUNTIME_CHECK(QueryPerformanceFrequency(&ticks) != 0);
+	nsec_ticks = (double)ticks.QuadPart / 1000000000.0;
+	RUNTIME_CHECK(nsec_ticks != 0.0);
+}
+
+int
+nanosleep(const struct timespec *req, struct timespec *rem) {
+	int_fast64_t sleep_msec;
+	uint_fast64_t ticks, until;
+	LARGE_INTEGER before, after;
+
+	RUNTIME_CHECK(isc_once_do(&nsec_ticks_once, nsec_ticks_init) ==
+		      ISC_R_SUCCESS);
+
+	if (req->tv_nsec < 0 || BILLION <= req->tv_nsec) {
+		errno = EINVAL;
+		return (-1);
+	}
+
+	/* Sleep() is not interruptible; there is no remaining delay ever  */
+	if (rem != NULL) {
+		rem->tv_sec = 0;
+		rem->tv_nsec = 0;
+	}
+
+	if (req->tv_sec >= 0) {
+		/*
+		 * For requested delays of one second or more, 15ms resolution
+		 * granularity is sufficient.
+		 */
+		Sleep(req->tv_sec * 1000 + req->tv_nsec / 1000000);
+
+		return (0);
+	}
+
+	/* Sleep has <-8,8> ms precision, so substract 10 milliseconds */
+	sleep_msec = (int64_t)req->tv_nsec / 1000000 - 10;
+	ticks = req->tv_nsec * nsec_ticks;
+
+	RUNTIME_CHECK(QueryPerformanceCounter(&before) != 0);
+
+	until = before.QuadPart + ticks;
+
+	if (sleep_msec > 0) {
+		Sleep(sleep_msec);
+	}
+
+	while (true) {
+		LARGE_INTEGER after;
+		RUNTIME_CHECK(QueryPerformanceCounter(&after) != 0);
+		if (after.QuadPart >= until) {
+			break;
+		}
+	}
+
+done:
+	return (0);
+}
+
+int
+usleep(useconds_t useconds) {
+	struct timespec req;
+
+	req.tv_sec = useconds / 1000000;
+	req.tv_nsec = (useconds * 1000) % 1000000000;
+
+	nanosleep(&req, NULL);
+
+	return (0);
+}
diff --git a/lib/isc/win32/unistd.h b/lib/isc/win32/unistd.h
new file mode 100644
index 0000000..e1aff40
--- /dev/null
+++ b/lib/isc/win32/unistd.h
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* None of these are defined in NT, so define them for our use */
+#define O_NONBLOCK    1
+#define PORT_NONBLOCK O_NONBLOCK
+
+/*
+ * fcntl() commands
+ */
+#define F_SETFL 0
+#define F_GETFL 1
+#define F_SETFD 2
+#define F_GETFD 3
+/*
+ * Enough problems not having full fcntl() without worrying about this!
+ */
+#undef F_DUPFD
+
+int
+fcntl(int, int, ...);
+
+/*
+ * access() related definitions for winXP
+ */
+#include <io.h>
+#ifndef F_OK
+#define F_OK 0
+#endif /* ifndef F_OK */
+
+#ifndef X_OK
+#define X_OK 1
+#endif /* ifndef X_OK */
+
+#ifndef W_OK
+#define W_OK 2
+#endif /* ifndef W_OK */
+
+#ifndef R_OK
+#define R_OK 4
+#endif /* ifndef R_OK */
+
+#define access _access
+
+#include <process.h>
diff --git a/lib/isc/win32/version.c b/lib/isc/win32/version.c
new file mode 100644
index 0000000..b49347f
--- /dev/null
+++ b/lib/isc/win32/version.c
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <versions.h>
+
+#include <isc/version.h>
+
+LIBISC_EXTERNAL_DATA const char isc_version[] = VERSION;
diff --git a/lib/isc/win32/win32os.c b/lib/isc/win32/win32os.c
new file mode 100644
index 0000000..4f86d38
--- /dev/null
+++ b/lib/isc/win32/win32os.c
@@ -0,0 +1,113 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <windows.h>
+
+#ifndef TESTVERSION
+#include <isc/win32os.h>
+#else /* ifndef TESTVERSION */
+#include <stdio.h>
+
+#include <isc/util.h>
+#endif /* ifndef TESTVERSION */
+#include <isc/print.h>
+
+int
+isc_win32os_versioncheck(unsigned int major, unsigned int minor,
+			 unsigned int spmajor, unsigned int spminor) {
+	OSVERSIONINFOEX osVer;
+	DWORD typeMask;
+	ULONGLONG conditionMask;
+
+	memset(&osVer, 0, sizeof(OSVERSIONINFOEX));
+	osVer.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
+	typeMask = 0;
+	conditionMask = 0;
+
+	/* Optimistic: likely greater */
+	osVer.dwMajorVersion = major;
+	typeMask |= VER_MAJORVERSION;
+	conditionMask = VerSetConditionMask(conditionMask, VER_MAJORVERSION,
+					    VER_GREATER);
+	osVer.dwMinorVersion = minor;
+	typeMask |= VER_MINORVERSION;
+	conditionMask = VerSetConditionMask(conditionMask, VER_MINORVERSION,
+					    VER_GREATER);
+	osVer.wServicePackMajor = spmajor;
+	typeMask |= VER_SERVICEPACKMAJOR;
+	conditionMask = VerSetConditionMask(conditionMask, VER_SERVICEPACKMAJOR,
+					    VER_GREATER);
+	osVer.wServicePackMinor = spminor;
+	typeMask |= VER_SERVICEPACKMINOR;
+	conditionMask = VerSetConditionMask(conditionMask, VER_SERVICEPACKMINOR,
+					    VER_GREATER);
+	if (VerifyVersionInfo(&osVer, typeMask, conditionMask)) {
+		return (1);
+	}
+
+	/* Failed: retry with equal */
+	conditionMask = 0;
+	conditionMask = VerSetConditionMask(conditionMask, VER_MAJORVERSION,
+					    VER_EQUAL);
+	conditionMask = VerSetConditionMask(conditionMask, VER_MINORVERSION,
+					    VER_EQUAL);
+	conditionMask = VerSetConditionMask(conditionMask, VER_SERVICEPACKMAJOR,
+					    VER_EQUAL);
+	conditionMask = VerSetConditionMask(conditionMask, VER_SERVICEPACKMINOR,
+					    VER_EQUAL);
+	if (VerifyVersionInfo(&osVer, typeMask, conditionMask)) {
+		return (0);
+	} else {
+		return (-1);
+	}
+}
+
+#ifdef TESTVERSION
+int
+main(int argc, char **argv) {
+	unsigned int major = 0;
+	unsigned int minor = 0;
+	unsigned int spmajor = 0;
+	unsigned int spminor = 0;
+	int ret;
+
+	if (argc > 1) {
+		--argc;
+		++argv;
+		major = (unsigned int)atoi(argv[0]);
+	}
+	if (argc > 1) {
+		--argc;
+		++argv;
+		minor = (unsigned int)atoi(argv[0]);
+	}
+	if (argc > 1) {
+		--argc;
+		++argv;
+		spmajor = (unsigned int)atoi(argv[0]);
+	}
+	if (argc > 1) {
+		--argc;
+		POST(argc);
+		++argv;
+		spminor = (unsigned int)atoi(argv[0]);
+	}
+
+	ret = isc_win32os_versioncheck(major, minor, spmajor, spminor);
+
+	printf("%s major %u minor %u SP major %u SP minor %u\n",
+	       ret > 0 ? "greater" : (ret == 0 ? "equal" : "less"), major,
+	       minor, spmajor, spminor);
+	return (ret);
+}
+#endif /* ifdef TESTVERSION */
diff --git a/lib/isc/xoshiro128starstar.c b/lib/isc/xoshiro128starstar.c
new file mode 100644
index 0000000..7698ee8
--- /dev/null
+++ b/lib/isc/xoshiro128starstar.c
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Written in 2018 by David Blackman and Sebastiano Vigna (vigna@acm.org)
+ *
+ * To the extent possible under law, the author has dedicated all
+ * copyright and related and neighboring rights to this software to the
+ * public domain worldwide. This software is distributed without any
+ * warranty.
+ *
+ * See <http://creativecommons.org/publicdomain/zero/1.0/>.
+ */
+
+#include <inttypes.h>
+
+#include <isc/thread.h>
+
+/*
+ * This is xoshiro128** 1.0, our 32-bit all-purpose, rock-solid generator.
+ * It has excellent (sub-ns) speed, a state size (128 bits) that is large
+ * enough for mild parallelism, and it passes all tests we are aware of.
+ *
+ * For generating just single-precision (i.e., 32-bit) floating-point
+ * numbers, xoshiro128+ is even faster.
+ *
+ * The state must be seeded so that it is not everywhere zero.
+ */
+ISC_THREAD_LOCAL uint32_t seed[4] = { 0 };
+
+static uint32_t
+rotl(const uint32_t x, int k) {
+	return ((x << k) | (x >> (32 - k)));
+}
+
+static uint32_t
+next(void) {
+	uint32_t result_starstar, t;
+
+	result_starstar = rotl(seed[0] * 5, 7) * 9;
+	t = seed[1] << 9;
+
+	seed[2] ^= seed[0];
+	seed[3] ^= seed[1];
+	seed[1] ^= seed[2];
+	seed[0] ^= seed[3];
+
+	seed[2] ^= t;
+
+	seed[3] = rotl(seed[3], 11);
+
+	return (result_starstar);
+}
diff --git a/lib/isccc/Kyuafile b/lib/isccc/Kyuafile
new file mode 100644
index 0000000..c796010
--- /dev/null
+++ b/lib/isccc/Kyuafile
@@ -0,0 +1,15 @@
+-- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+--
+-- SPDX-License-Identifier: MPL-2.0
+--
+-- This Source Code Form is subject to the terms of the Mozilla Public
+-- License, v. 2.0.  If a copy of the MPL was not distributed with this
+-- file, you can obtain one at https://mozilla.org/MPL/2.0/.
+--
+-- See the COPYRIGHT file distributed with this work for additional
+-- information regarding copyright ownership.
+
+syntax(2)
+test_suite('bind9')
+
+include('tests/Kyuafile')
diff --git a/lib/isccc/Makefile.in b/lib/isccc/Makefile.in
new file mode 100644
index 0000000..b542441
--- /dev/null
+++ b/lib/isccc/Makefile.in
@@ -0,0 +1,81 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	-I. ${DNS_INCLUDES} ${ISC_INCLUDES} \
+		${ISCCC_INCLUDES} \
+		${OPENSSL_CFLAGS}
+
+CDEFINES =
+CWARNINGS =
+
+ISCLIBS =	../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+ISCCCLIBS =	../../lib/isccc/libisccc.@A@
+
+ISCDEPLIBS =	../../lib/isc/libisc.@A@
+ISCCCDEPLIBS =	libisccc.@A@
+
+LIBS =		@LIBS@
+
+SUBDIRS =	include
+
+# Alphabetically
+OBJS =		alist.@O@ base64.@O@ cc.@O@ ccmsg.@O@ \
+		result.@O@ sexpr.@O@ symtab.@O@ version.@O@
+
+# Alphabetically
+SRCS =		alist.c base64.c cc.c ccmsg.c \
+		result.c sexpr.c symtab.c version.c
+
+
+TARGETS = 	timestamp
+TESTDIRS =	@UNITTESTS@
+
+@BIND9_MAKE_RULES@
+
+version.@O@: version.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+		-DVERSION=\"${VERSION}\" \
+		-c ${srcdir}/version.c
+
+libisccc.@SA@: ${OBJS}
+	${AR} ${ARFLAGS} $@ ${OBJS}
+	${RANLIB} $@
+
+libisccc.la: ${OBJS}
+	${LIBTOOL_MODE_LINK} \
+		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisccc.la -rpath ${libdir} \
+		-release "${VERSION}" \
+		${OBJS} ${ISCLIBS} ${LIBS}
+
+timestamp: libisccc.@A@
+	touch timestamp
+
+testdirs: libisccc.@A@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
+
+install:: timestamp installdirs
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libisccc.@A@ ${DESTDIR}${libdir}
+
+uninstall::
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libisccc.@A@
+
+clean distclean::
+	rm -f libisccc.@A@ timestamp
diff --git a/lib/isccc/alist.c b/lib/isccc/alist.c
new file mode 100644
index 0000000..a39d4f9
--- /dev/null
+++ b/lib/isccc/alist.c
@@ -0,0 +1,320 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*! \file */
+
+#include <stdbool.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/assertions.h>
+#include <isc/print.h>
+
+#include <isccc/alist.h>
+#include <isccc/result.h>
+#include <isccc/sexpr.h>
+#include <isccc/util.h>
+
+#define CAR(s) (s)->value.as_dottedpair.car
+#define CDR(s) (s)->value.as_dottedpair.cdr
+
+#define ALIST_TAG  "*alist*"
+#define MAX_INDENT 64
+
+static char spaces[MAX_INDENT + 1] = "                                         "
+				     "                       ";
+
+isccc_sexpr_t *
+isccc_alist_create(void) {
+	isccc_sexpr_t *alist, *tag;
+
+	tag = isccc_sexpr_fromstring(ALIST_TAG);
+	if (tag == NULL) {
+		return (NULL);
+	}
+	alist = isccc_sexpr_cons(tag, NULL);
+	if (alist == NULL) {
+		isccc_sexpr_free(&tag);
+		return (NULL);
+	}
+
+	return (alist);
+}
+
+bool
+isccc_alist_alistp(isccc_sexpr_t *alist) {
+	isccc_sexpr_t *car;
+
+	if (alist == NULL || alist->type != ISCCC_SEXPRTYPE_DOTTEDPAIR) {
+		return (false);
+	}
+	car = CAR(alist);
+	if (car == NULL || car->type != ISCCC_SEXPRTYPE_STRING) {
+		return (false);
+	}
+	if (strcmp(car->value.as_string, ALIST_TAG) != 0) {
+		return (false);
+	}
+	return (true);
+}
+
+bool
+isccc_alist_emptyp(isccc_sexpr_t *alist) {
+	REQUIRE(isccc_alist_alistp(alist));
+
+	if (CDR(alist) == NULL) {
+		return (true);
+	}
+	return (false);
+}
+
+isccc_sexpr_t *
+isccc_alist_first(isccc_sexpr_t *alist) {
+	REQUIRE(isccc_alist_alistp(alist));
+
+	return (CDR(alist));
+}
+
+isccc_sexpr_t *
+isccc_alist_assq(isccc_sexpr_t *alist, const char *key) {
+	isccc_sexpr_t *car, *caar;
+
+	REQUIRE(isccc_alist_alistp(alist));
+
+	/*
+	 * Skip alist type tag.
+	 */
+	alist = CDR(alist);
+
+	while (alist != NULL) {
+		INSIST(alist->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
+		car = CAR(alist);
+		INSIST(car->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
+		caar = CAR(car);
+		if (caar->type == ISCCC_SEXPRTYPE_STRING &&
+		    strcmp(caar->value.as_string, key) == 0)
+		{
+			return (car);
+		}
+		alist = CDR(alist);
+	}
+
+	return (NULL);
+}
+
+void
+isccc_alist_delete(isccc_sexpr_t *alist, const char *key) {
+	isccc_sexpr_t *car, *caar, *rest, *prev;
+
+	REQUIRE(isccc_alist_alistp(alist));
+
+	prev = alist;
+	rest = CDR(alist);
+	while (rest != NULL) {
+		INSIST(rest->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
+		car = CAR(rest);
+		INSIST(car != NULL && car->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
+		caar = CAR(car);
+		if (caar->type == ISCCC_SEXPRTYPE_STRING &&
+		    strcmp(caar->value.as_string, key) == 0)
+		{
+			CDR(prev) = CDR(rest);
+			CDR(rest) = NULL;
+			isccc_sexpr_free(&rest);
+			break;
+		}
+		prev = rest;
+		rest = CDR(rest);
+	}
+}
+
+isccc_sexpr_t *
+isccc_alist_define(isccc_sexpr_t *alist, const char *key,
+		   isccc_sexpr_t *value) {
+	isccc_sexpr_t *kv, *k, *elt;
+
+	kv = isccc_alist_assq(alist, key);
+	if (kv == NULL) {
+		/*
+		 * New association.
+		 */
+		k = isccc_sexpr_fromstring(key);
+		if (k == NULL) {
+			return (NULL);
+		}
+		kv = isccc_sexpr_cons(k, value);
+		if (kv == NULL) {
+			isccc_sexpr_free(&kv);
+			return (NULL);
+		}
+		elt = isccc_sexpr_addtolist(&alist, kv);
+		if (elt == NULL) {
+			isccc_sexpr_free(&kv);
+			return (NULL);
+		}
+	} else {
+		/*
+		 * We've already got an entry for this key.  Replace it.
+		 */
+		isccc_sexpr_free(&CDR(kv));
+		CDR(kv) = value;
+	}
+
+	return (kv);
+}
+
+isccc_sexpr_t *
+isccc_alist_definestring(isccc_sexpr_t *alist, const char *key,
+			 const char *str) {
+	isccc_sexpr_t *v, *kv;
+
+	v = isccc_sexpr_fromstring(str);
+	if (v == NULL) {
+		return (NULL);
+	}
+	kv = isccc_alist_define(alist, key, v);
+	if (kv == NULL) {
+		isccc_sexpr_free(&v);
+	}
+
+	return (kv);
+}
+
+isccc_sexpr_t *
+isccc_alist_definebinary(isccc_sexpr_t *alist, const char *key,
+			 isccc_region_t *r) {
+	isccc_sexpr_t *v, *kv;
+
+	v = isccc_sexpr_frombinary(r);
+	if (v == NULL) {
+		return (NULL);
+	}
+	kv = isccc_alist_define(alist, key, v);
+	if (kv == NULL) {
+		isccc_sexpr_free(&v);
+	}
+
+	return (kv);
+}
+
+isccc_sexpr_t *
+isccc_alist_lookup(isccc_sexpr_t *alist, const char *key) {
+	isccc_sexpr_t *kv;
+
+	kv = isccc_alist_assq(alist, key);
+	if (kv != NULL) {
+		return (CDR(kv));
+	}
+	return (NULL);
+}
+
+isc_result_t
+isccc_alist_lookupstring(isccc_sexpr_t *alist, const char *key, char **strp) {
+	isccc_sexpr_t *kv, *v;
+
+	kv = isccc_alist_assq(alist, key);
+	if (kv != NULL) {
+		v = CDR(kv);
+		if (isccc_sexpr_stringp(v)) {
+			if (strp != NULL) {
+				*strp = isccc_sexpr_tostring(v);
+			}
+			return (ISC_R_SUCCESS);
+		} else {
+			return (ISC_R_EXISTS);
+		}
+	}
+
+	return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
+isccc_alist_lookupbinary(isccc_sexpr_t *alist, const char *key,
+			 isccc_region_t **r) {
+	isccc_sexpr_t *kv, *v;
+
+	kv = isccc_alist_assq(alist, key);
+	if (kv != NULL) {
+		v = CDR(kv);
+		if (isccc_sexpr_binaryp(v)) {
+			if (r != NULL) {
+				*r = isccc_sexpr_tobinary(v);
+			}
+			return (ISC_R_SUCCESS);
+		} else {
+			return (ISC_R_EXISTS);
+		}
+	}
+
+	return (ISC_R_NOTFOUND);
+}
+
+void
+isccc_alist_prettyprint(isccc_sexpr_t *sexpr, unsigned int indent,
+			FILE *stream) {
+	isccc_sexpr_t *elt, *kv, *k, *v;
+
+	if (isccc_alist_alistp(sexpr)) {
+		fprintf(stream, "{\n");
+		indent += 4;
+		for (elt = isccc_alist_first(sexpr); elt != NULL;
+		     elt = CDR(elt))
+		{
+			kv = CAR(elt);
+			INSIST(isccc_sexpr_listp(kv));
+			k = CAR(kv);
+			v = CDR(kv);
+			INSIST(isccc_sexpr_stringp(k));
+			fprintf(stream, "%.*s%s => ", (int)indent, spaces,
+				isccc_sexpr_tostring(k));
+			isccc_alist_prettyprint(v, indent, stream);
+			if (CDR(elt) != NULL) {
+				fprintf(stream, ",");
+			}
+			fprintf(stream, "\n");
+		}
+		indent -= 4;
+		fprintf(stream, "%.*s}", (int)indent, spaces);
+	} else if (isccc_sexpr_listp(sexpr)) {
+		fprintf(stream, "(\n");
+		indent += 4;
+		for (elt = sexpr; elt != NULL; elt = CDR(elt)) {
+			fprintf(stream, "%.*s", (int)indent, spaces);
+			isccc_alist_prettyprint(CAR(elt), indent, stream);
+			if (CDR(elt) != NULL) {
+				fprintf(stream, ",");
+			}
+			fprintf(stream, "\n");
+		}
+		indent -= 4;
+		fprintf(stream, "%.*s)", (int)indent, spaces);
+	} else {
+		isccc_sexpr_print(sexpr, stream);
+	}
+}
diff --git a/lib/isccc/base64.c b/lib/isccc/base64.c
new file mode 100644
index 0000000..344d96a
--- /dev/null
+++ b/lib/isccc/base64.c
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*! \file */
+
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/region.h>
+#include <isc/result.h>
+
+#include <isccc/base64.h>
+#include <isccc/result.h>
+#include <isccc/util.h>
+
+isc_result_t
+isccc_base64_encode(isccc_region_t *source, int wordlength,
+		    const char *wordbreak, isccc_region_t *target) {
+	isc_region_t sr;
+	isc_buffer_t tb;
+	isc_result_t result;
+
+	sr.base = source->rstart;
+	sr.length = (unsigned int)(source->rend - source->rstart);
+	isc_buffer_init(&tb, target->rstart,
+			(unsigned int)(target->rend - target->rstart));
+
+	result = isc_base64_totext(&sr, wordlength, wordbreak, &tb);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	source->rstart = source->rend;
+	target->rstart = isc_buffer_used(&tb);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isccc_base64_decode(const char *cstr, isccc_region_t *target) {
+	isc_buffer_t b;
+	isc_result_t result;
+
+	isc_buffer_init(&b, target->rstart,
+			(unsigned int)(target->rend - target->rstart));
+	result = isc_base64_decodestring(cstr, &b);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	target->rstart = isc_buffer_used(&b);
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c
new file mode 100644
index 0000000..5a716bd
--- /dev/null
+++ b/lib/isccc/cc.c
@@ -0,0 +1,1059 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*! \file */
+
+#include <errno.h>
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/assertions.h>
+#include <isc/hmac.h>
+#include <isc/print.h>
+#include <isc/safe.h>
+
+#include <pk11/site.h>
+
+#include <isccc/alist.h>
+#include <isccc/base64.h>
+#include <isccc/cc.h>
+#include <isccc/result.h>
+#include <isccc/sexpr.h>
+#include <isccc/symtab.h>
+#include <isccc/symtype.h>
+#include <isccc/util.h>
+
+#define MAX_TAGS     256
+#define DUP_LIFETIME 900
+#ifndef ISCCC_MAXDEPTH
+#define ISCCC_MAXDEPTH \
+	10 /* Big enough for rndc which just sends a string each way. */
+#endif
+
+typedef isccc_sexpr_t *sexpr_ptr;
+
+static unsigned char auth_hmd5[] = {
+	0x05, 0x5f, 0x61, 0x75, 0x74, 0x68, /*%< len + _auth */
+	ISCCC_CCMSGTYPE_TABLE,		    /*%< message type */
+	0x00, 0x00, 0x00, 0x20,		    /*%< length == 32 */
+	0x04, 0x68, 0x6d, 0x64, 0x35,	    /*%< len + hmd5 */
+	ISCCC_CCMSGTYPE_BINARYDATA,	    /*%< message type */
+	0x00, 0x00, 0x00, 0x16,		    /*%< length == 22 */
+	/*
+	 * The base64 encoding of one of our HMAC-MD5 signatures is
+	 * 22 bytes.
+	 */
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+};
+
+#define HMD5_OFFSET 21 /*%< 21 = 6 + 1 + 4 + 5 + 1 + 4 */
+#define HMD5_LENGTH 22
+
+static unsigned char auth_hsha[] = {
+	0x05, 0x5f, 0x61, 0x75, 0x74, 0x68, /*%< len + _auth */
+	ISCCC_CCMSGTYPE_TABLE,		    /*%< message type */
+	0x00, 0x00, 0x00, 0x63,		    /*%< length == 99 */
+	0x04, 0x68, 0x73, 0x68, 0x61,	    /*%< len + hsha */
+	ISCCC_CCMSGTYPE_BINARYDATA,	    /*%< message type */
+	0x00, 0x00, 0x00, 0x59,		    /*%< length == 89 */
+	0x00,				    /*%< algorithm */
+	/*
+	 * The base64 encoding of one of our HMAC-SHA* signatures is
+	 * 88 bytes.
+	 */
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00
+};
+
+#define HSHA_OFFSET 22 /*%< 21 = 6 + 1 + 4 + 5 + 1 + 4 + 1 */
+#define HSHA_LENGTH 88
+
+static isc_result_t
+table_towire(isccc_sexpr_t *alist, isc_buffer_t **buffer);
+
+static isc_result_t
+list_towire(isccc_sexpr_t *alist, isc_buffer_t **buffer);
+
+static isc_result_t
+value_towire(isccc_sexpr_t *elt, isc_buffer_t **buffer) {
+	unsigned int len;
+	isccc_region_t *vr;
+	isc_result_t result;
+
+	if (isccc_sexpr_binaryp(elt)) {
+		vr = isccc_sexpr_tobinary(elt);
+		len = REGION_SIZE(*vr);
+		result = isc_buffer_reserve(buffer, 1 + 4);
+		if (result != ISC_R_SUCCESS) {
+			return (ISC_R_NOSPACE);
+		}
+		isc_buffer_putuint8(*buffer, ISCCC_CCMSGTYPE_BINARYDATA);
+		isc_buffer_putuint32(*buffer, len);
+
+		result = isc_buffer_reserve(buffer, len);
+		if (result != ISC_R_SUCCESS) {
+			return (ISC_R_NOSPACE);
+		}
+		isc_buffer_putmem(*buffer, vr->rstart, len);
+	} else if (isccc_alist_alistp(elt)) {
+		unsigned int used;
+		isc_buffer_t b;
+
+		result = isc_buffer_reserve(buffer, 1 + 4);
+		if (result != ISC_R_SUCCESS) {
+			return (ISC_R_NOSPACE);
+		}
+		isc_buffer_putuint8(*buffer, ISCCC_CCMSGTYPE_TABLE);
+		/*
+		 * Emit a placeholder length.
+		 */
+		used = (*buffer)->used;
+		isc_buffer_putuint32(*buffer, 0);
+
+		/*
+		 * Emit the table.
+		 */
+		result = table_towire(elt, buffer);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+
+		len = (*buffer)->used - used;
+		/*
+		 * 'len' is 4 bytes too big, since it counts
+		 * the placeholder length too.	Adjust and
+		 * emit.
+		 */
+		INSIST(len >= 4U);
+		len -= 4;
+
+		isc_buffer_init(&b, (unsigned char *)(*buffer)->base + used, 4);
+		isc_buffer_putuint32(&b, len);
+	} else if (isccc_sexpr_listp(elt)) {
+		unsigned int used;
+		isc_buffer_t b;
+
+		result = isc_buffer_reserve(buffer, 1 + 4);
+		if (result != ISC_R_SUCCESS) {
+			return (ISC_R_NOSPACE);
+		}
+		isc_buffer_putuint8(*buffer, ISCCC_CCMSGTYPE_LIST);
+		/*
+		 * Emit a placeholder length.
+		 */
+		used = (*buffer)->used;
+		isc_buffer_putuint32(*buffer, 0);
+
+		/*
+		 * Emit the list.
+		 */
+		result = list_towire(elt, buffer);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+
+		len = (*buffer)->used - used;
+		/*
+		 * 'len' is 4 bytes too big, since it counts
+		 * the placeholder length too.	Adjust and
+		 * emit.
+		 */
+		INSIST(len >= 4U);
+		len -= 4;
+
+		isc_buffer_init(&b, (unsigned char *)(*buffer)->base + used, 4);
+		isc_buffer_putuint32(&b, len);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+table_towire(isccc_sexpr_t *alist, isc_buffer_t **buffer) {
+	isccc_sexpr_t *kv, *elt, *k, *v;
+	char *ks;
+	isc_result_t result;
+	unsigned int len;
+
+	for (elt = isccc_alist_first(alist); elt != NULL;
+	     elt = ISCCC_SEXPR_CDR(elt))
+	{
+		kv = ISCCC_SEXPR_CAR(elt);
+		k = ISCCC_SEXPR_CAR(kv);
+		ks = isccc_sexpr_tostring(k);
+		v = ISCCC_SEXPR_CDR(kv);
+		len = (unsigned int)strlen(ks);
+		INSIST(len <= 255U);
+		/*
+		 * Emit the key name.
+		 */
+		result = isc_buffer_reserve(buffer, 1 + len);
+		if (result != ISC_R_SUCCESS) {
+			return (ISC_R_NOSPACE);
+		}
+		isc_buffer_putuint8(*buffer, (uint8_t)len);
+		isc_buffer_putmem(*buffer, (const unsigned char *)ks, len);
+		/*
+		 * Emit the value.
+		 */
+		result = value_towire(v, buffer);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+list_towire(isccc_sexpr_t *list, isc_buffer_t **buffer) {
+	isc_result_t result;
+
+	while (list != NULL) {
+		result = value_towire(ISCCC_SEXPR_CAR(list), buffer);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		list = ISCCC_SEXPR_CDR(list);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+sign(unsigned char *data, unsigned int length, unsigned char *hmac,
+     uint32_t algorithm, isccc_region_t *secret) {
+	const isc_md_type_t *md_type;
+	isc_result_t result;
+	isccc_region_t source, target;
+	unsigned char digest[ISC_MAX_MD_SIZE];
+	unsigned int digestlen;
+	unsigned char digestb64[HSHA_LENGTH + 4];
+
+	source.rstart = digest;
+
+	switch (algorithm) {
+	case ISCCC_ALG_HMACMD5:
+		md_type = ISC_MD_MD5;
+		break;
+	case ISCCC_ALG_HMACSHA1:
+		md_type = ISC_MD_SHA1;
+		break;
+	case ISCCC_ALG_HMACSHA224:
+		md_type = ISC_MD_SHA224;
+		break;
+	case ISCCC_ALG_HMACSHA256:
+		md_type = ISC_MD_SHA256;
+		break;
+	case ISCCC_ALG_HMACSHA384:
+		md_type = ISC_MD_SHA384;
+		break;
+	case ISCCC_ALG_HMACSHA512:
+		md_type = ISC_MD_SHA512;
+		break;
+	default:
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	result = isc_hmac(md_type, secret->rstart, REGION_SIZE(*secret), data,
+			  length, digest, &digestlen);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	source.rend = digest + digestlen;
+
+	memset(digestb64, 0, sizeof(digestb64));
+	target.rstart = digestb64;
+	target.rend = digestb64 + sizeof(digestb64);
+	result = isccc_base64_encode(&source, 64, "", &target);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	if (algorithm == ISCCC_ALG_HMACMD5) {
+		PUT_MEM(digestb64, HMD5_LENGTH, hmac);
+	} else {
+		PUT_MEM(digestb64, HSHA_LENGTH, hmac);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isccc_cc_towire(isccc_sexpr_t *alist, isc_buffer_t **buffer, uint32_t algorithm,
+		isccc_region_t *secret) {
+	unsigned int hmac_base, signed_base;
+	isc_result_t result;
+
+	result = isc_buffer_reserve(buffer,
+				    4 + ((algorithm == ISCCC_ALG_HMACMD5)
+						 ? sizeof(auth_hmd5)
+						 : sizeof(auth_hsha)));
+	if (result != ISC_R_SUCCESS) {
+		return (ISC_R_NOSPACE);
+	}
+
+	/*
+	 * Emit protocol version.
+	 */
+	isc_buffer_putuint32(*buffer, 1);
+
+	if (secret != NULL) {
+		/*
+		 * Emit _auth section with zeroed HMAC signature.
+		 * We'll replace the zeros with the real signature once
+		 * we know what it is.
+		 */
+		if (algorithm == ISCCC_ALG_HMACMD5) {
+			hmac_base = (*buffer)->used + HMD5_OFFSET;
+			isc_buffer_putmem(*buffer, auth_hmd5,
+					  sizeof(auth_hmd5));
+		} else {
+			unsigned char *hmac_alg;
+
+			hmac_base = (*buffer)->used + HSHA_OFFSET;
+			hmac_alg = (unsigned char *)isc_buffer_used(*buffer) +
+				   HSHA_OFFSET - 1;
+			isc_buffer_putmem(*buffer, auth_hsha,
+					  sizeof(auth_hsha));
+			*hmac_alg = algorithm;
+		}
+	} else {
+		hmac_base = 0;
+	}
+	signed_base = (*buffer)->used;
+	/*
+	 * Delete any existing _auth section so that we don't try
+	 * to encode it.
+	 */
+	isccc_alist_delete(alist, "_auth");
+	/*
+	 * Emit the message.
+	 */
+	result = table_towire(alist, buffer);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	if (secret != NULL) {
+		return (sign((unsigned char *)(*buffer)->base + signed_base,
+			     (*buffer)->used - signed_base,
+			     (unsigned char *)(*buffer)->base + hmac_base,
+			     algorithm, secret));
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
+       uint32_t algorithm, isccc_region_t *secret) {
+	const isc_md_type_t *md_type;
+	isccc_region_t source;
+	isccc_region_t target;
+	isc_result_t result;
+	isccc_sexpr_t *_auth, *hmac;
+	unsigned char digest[ISC_MAX_MD_SIZE];
+	unsigned int digestlen;
+	unsigned char digestb64[HSHA_LENGTH * 4];
+
+	/*
+	 * Extract digest.
+	 */
+	_auth = isccc_alist_lookup(alist, "_auth");
+	if (!isccc_alist_alistp(_auth)) {
+		return (ISC_R_FAILURE);
+	}
+	if (algorithm == ISCCC_ALG_HMACMD5) {
+		hmac = isccc_alist_lookup(_auth, "hmd5");
+	} else {
+		hmac = isccc_alist_lookup(_auth, "hsha");
+	}
+	if (!isccc_sexpr_binaryp(hmac)) {
+		return (ISC_R_FAILURE);
+	}
+	/*
+	 * Compute digest.
+	 */
+	source.rstart = digest;
+
+	switch (algorithm) {
+	case ISCCC_ALG_HMACMD5:
+		md_type = ISC_MD_MD5;
+		break;
+	case ISCCC_ALG_HMACSHA1:
+		md_type = ISC_MD_SHA1;
+		break;
+	case ISCCC_ALG_HMACSHA224:
+		md_type = ISC_MD_SHA224;
+		break;
+	case ISCCC_ALG_HMACSHA256:
+		md_type = ISC_MD_SHA256;
+		break;
+	case ISCCC_ALG_HMACSHA384:
+		md_type = ISC_MD_SHA384;
+		break;
+	case ISCCC_ALG_HMACSHA512:
+		md_type = ISC_MD_SHA512;
+		break;
+	default:
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	result = isc_hmac(md_type, secret->rstart, REGION_SIZE(*secret), data,
+			  length, digest, &digestlen);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	source.rend = digest + digestlen;
+
+	target.rstart = digestb64;
+	target.rend = digestb64 + sizeof(digestb64);
+	memset(digestb64, 0, sizeof(digestb64));
+	result = isccc_base64_encode(&source, 64, "", &target);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	/*
+	 * Verify.
+	 */
+	if (algorithm == ISCCC_ALG_HMACMD5) {
+		isccc_region_t *region;
+		unsigned char *value;
+
+		region = isccc_sexpr_tobinary(hmac);
+		if ((region->rend - region->rstart) != HMD5_LENGTH) {
+			return (ISCCC_R_BADAUTH);
+		}
+		value = region->rstart;
+		if (!isc_safe_memequal(value, digestb64, HMD5_LENGTH)) {
+			return (ISCCC_R_BADAUTH);
+		}
+	} else {
+		isccc_region_t *region;
+		unsigned char *value;
+		uint32_t valalg;
+
+		region = isccc_sexpr_tobinary(hmac);
+
+		/*
+		 * Note: with non-MD5 algorithms, there's an extra octet
+		 * to identify which algorithm is in use.
+		 */
+		if ((region->rend - region->rstart) != HSHA_LENGTH + 1) {
+			return (ISCCC_R_BADAUTH);
+		}
+		value = region->rstart;
+		GET8(valalg, value);
+		if ((valalg != algorithm) ||
+		    !isc_safe_memequal(value, digestb64, HSHA_LENGTH))
+		{
+			return (ISCCC_R_BADAUTH);
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+	       uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp);
+
+static isc_result_t
+list_fromwire(isccc_region_t *source, unsigned int depth,
+	      isccc_sexpr_t **listp);
+
+static isc_result_t
+value_fromwire(isccc_region_t *source, unsigned int depth,
+	       isccc_sexpr_t **valuep) {
+	unsigned int msgtype;
+	uint32_t len;
+	isccc_sexpr_t *value;
+	isccc_region_t active;
+	isc_result_t result;
+
+	if (depth > ISCCC_MAXDEPTH) {
+		return (ISCCC_R_MAXDEPTH);
+	}
+
+	if (REGION_SIZE(*source) < 1 + 4) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	GET8(msgtype, source->rstart);
+	GET32(len, source->rstart);
+	if (REGION_SIZE(*source) < len) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	active.rstart = source->rstart;
+	active.rend = active.rstart + len;
+	source->rstart = active.rend;
+	if (msgtype == ISCCC_CCMSGTYPE_BINARYDATA) {
+		value = isccc_sexpr_frombinary(&active);
+		if (value != NULL) {
+			*valuep = value;
+			result = ISC_R_SUCCESS;
+		} else {
+			result = ISC_R_NOMEMORY;
+		}
+	} else if (msgtype == ISCCC_CCMSGTYPE_TABLE) {
+		result = table_fromwire(&active, NULL, 0, depth + 1, valuep);
+	} else if (msgtype == ISCCC_CCMSGTYPE_LIST) {
+		result = list_fromwire(&active, depth + 1, valuep);
+	} else {
+		result = ISCCC_R_SYNTAX;
+	}
+
+	return (result);
+}
+
+static isc_result_t
+table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+	       uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp) {
+	char key[256];
+	uint32_t len;
+	isc_result_t result;
+	isccc_sexpr_t *alist, *value;
+	bool first_tag;
+	unsigned char *checksum_rstart;
+
+	REQUIRE(alistp != NULL && *alistp == NULL);
+
+	if (depth > ISCCC_MAXDEPTH) {
+		return (ISCCC_R_MAXDEPTH);
+	}
+
+	checksum_rstart = NULL;
+	first_tag = true;
+	alist = isccc_alist_create();
+	if (alist == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	while (!REGION_EMPTY(*source)) {
+		GET8(len, source->rstart);
+		if (REGION_SIZE(*source) < len) {
+			result = ISC_R_UNEXPECTEDEND;
+			goto bad;
+		}
+		GET_MEM(key, len, source->rstart);
+		key[len] = '\0'; /* Ensure NUL termination. */
+		value = NULL;
+		result = value_fromwire(source, depth + 1, &value);
+		if (result != ISC_R_SUCCESS) {
+			goto bad;
+		}
+		if (isccc_alist_define(alist, key, value) == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto bad;
+		}
+		if (first_tag && secret != NULL && strcmp(key, "_auth") == 0) {
+			checksum_rstart = source->rstart;
+		}
+		first_tag = false;
+	}
+
+	if (secret != NULL) {
+		if (checksum_rstart != NULL) {
+			result = verify(
+				alist, checksum_rstart,
+				(unsigned int)(source->rend - checksum_rstart),
+				algorithm, secret);
+		} else {
+			result = ISCCC_R_BADAUTH;
+		}
+	} else {
+		result = ISC_R_SUCCESS;
+	}
+
+bad:
+	if (result == ISC_R_SUCCESS) {
+		*alistp = alist;
+	} else {
+		isccc_sexpr_free(&alist);
+	}
+
+	return (result);
+}
+
+static isc_result_t
+list_fromwire(isccc_region_t *source, unsigned int depth,
+	      isccc_sexpr_t **listp) {
+	isccc_sexpr_t *list, *value;
+	isc_result_t result;
+
+	if (depth > ISCCC_MAXDEPTH) {
+		return (ISCCC_R_MAXDEPTH);
+	}
+
+	list = NULL;
+	while (!REGION_EMPTY(*source)) {
+		value = NULL;
+		result = value_fromwire(source, depth + 1, &value);
+		if (result != ISC_R_SUCCESS) {
+			isccc_sexpr_free(&list);
+			return (result);
+		}
+		if (isccc_sexpr_addtolist(&list, value) == NULL) {
+			isccc_sexpr_free(&value);
+			isccc_sexpr_free(&list);
+			return (ISC_R_NOMEMORY);
+		}
+	}
+
+	*listp = list;
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp,
+		  uint32_t algorithm, isccc_region_t *secret) {
+	unsigned int size;
+	uint32_t version;
+
+	size = REGION_SIZE(*source);
+	if (size < 4) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	GET32(version, source->rstart);
+	if (version != 1) {
+		return (ISCCC_R_UNKNOWNVERSION);
+	}
+
+	return (table_fromwire(source, secret, algorithm, 0, alistp));
+}
+
+static isc_result_t
+createmessage(uint32_t version, const char *from, const char *to,
+	      uint32_t serial, isccc_time_t now, isccc_time_t expires,
+	      isccc_sexpr_t **alistp, bool want_expires) {
+	isccc_sexpr_t *alist, *_ctrl, *_data;
+	isc_result_t result;
+
+	REQUIRE(alistp != NULL && *alistp == NULL);
+
+	if (version != 1) {
+		return (ISCCC_R_UNKNOWNVERSION);
+	}
+
+	alist = isccc_alist_create();
+	if (alist == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	result = ISC_R_NOMEMORY;
+
+	_ctrl = isccc_alist_create();
+	if (_ctrl == NULL) {
+		goto bad;
+	}
+	if (isccc_alist_define(alist, "_ctrl", _ctrl) == NULL) {
+		isccc_sexpr_free(&_ctrl);
+		goto bad;
+	}
+
+	_data = isccc_alist_create();
+	if (_data == NULL) {
+		goto bad;
+	}
+	if (isccc_alist_define(alist, "_data", _data) == NULL) {
+		isccc_sexpr_free(&_data);
+		goto bad;
+	}
+
+	if (isccc_cc_defineuint32(_ctrl, "_ser", serial) == NULL ||
+	    isccc_cc_defineuint32(_ctrl, "_tim", now) == NULL ||
+	    (want_expires &&
+	     isccc_cc_defineuint32(_ctrl, "_exp", expires) == NULL))
+	{
+		goto bad;
+	}
+	if (from != NULL && isccc_cc_definestring(_ctrl, "_frm", from) == NULL)
+	{
+		goto bad;
+	}
+	if (to != NULL && isccc_cc_definestring(_ctrl, "_to", to) == NULL) {
+		goto bad;
+	}
+
+	*alistp = alist;
+
+	return (ISC_R_SUCCESS);
+
+bad:
+	isccc_sexpr_free(&alist);
+
+	return (result);
+}
+
+isc_result_t
+isccc_cc_createmessage(uint32_t version, const char *from, const char *to,
+		       uint32_t serial, isccc_time_t now, isccc_time_t expires,
+		       isccc_sexpr_t **alistp) {
+	return (createmessage(version, from, to, serial, now, expires, alistp,
+			      true));
+}
+
+isc_result_t
+isccc_cc_createack(isccc_sexpr_t *message, bool ok, isccc_sexpr_t **ackp) {
+	char *_frm, *_to;
+	uint32_t serial;
+	isccc_sexpr_t *ack, *_ctrl;
+	isc_result_t result;
+	isccc_time_t t;
+
+	REQUIRE(ackp != NULL && *ackp == NULL);
+
+	_ctrl = isccc_alist_lookup(message, "_ctrl");
+	if (!isccc_alist_alistp(_ctrl) ||
+	    isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS ||
+	    isccc_cc_lookupuint32(_ctrl, "_tim", &t) != ISC_R_SUCCESS)
+	{
+		return (ISC_R_FAILURE);
+	}
+	/*
+	 * _frm and _to are optional.
+	 */
+	_frm = NULL;
+	(void)isccc_cc_lookupstring(_ctrl, "_frm", &_frm);
+	_to = NULL;
+	(void)isccc_cc_lookupstring(_ctrl, "_to", &_to);
+	/*
+	 * Create the ack.
+	 */
+	ack = NULL;
+	result = createmessage(1, _to, _frm, serial, t, 0, &ack, false);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	_ctrl = isccc_alist_lookup(ack, "_ctrl");
+	if (_ctrl == NULL) {
+		result = ISC_R_FAILURE;
+		goto bad;
+	}
+	if (isccc_cc_definestring(ack, "_ack", (ok) ? "1" : "0") == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto bad;
+	}
+
+	*ackp = ack;
+
+	return (ISC_R_SUCCESS);
+
+bad:
+	isccc_sexpr_free(&ack);
+
+	return (result);
+}
+
+bool
+isccc_cc_isack(isccc_sexpr_t *message) {
+	isccc_sexpr_t *_ctrl;
+
+	_ctrl = isccc_alist_lookup(message, "_ctrl");
+	if (!isccc_alist_alistp(_ctrl)) {
+		return (false);
+	}
+	if (isccc_cc_lookupstring(_ctrl, "_ack", NULL) == ISC_R_SUCCESS) {
+		return (true);
+	}
+	return (false);
+}
+
+bool
+isccc_cc_isreply(isccc_sexpr_t *message) {
+	isccc_sexpr_t *_ctrl;
+
+	_ctrl = isccc_alist_lookup(message, "_ctrl");
+	if (!isccc_alist_alistp(_ctrl)) {
+		return (false);
+	}
+	if (isccc_cc_lookupstring(_ctrl, "_rpl", NULL) == ISC_R_SUCCESS) {
+		return (true);
+	}
+	return (false);
+}
+
+isc_result_t
+isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now,
+			isccc_time_t expires, isccc_sexpr_t **alistp) {
+	char *_frm, *_to, *type = NULL;
+	uint32_t serial;
+	isccc_sexpr_t *alist, *_ctrl, *_data;
+	isc_result_t result;
+
+	REQUIRE(alistp != NULL && *alistp == NULL);
+
+	_ctrl = isccc_alist_lookup(message, "_ctrl");
+	_data = isccc_alist_lookup(message, "_data");
+	if (!isccc_alist_alistp(_ctrl) || !isccc_alist_alistp(_data) ||
+	    isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS ||
+	    isccc_cc_lookupstring(_data, "type", &type) != ISC_R_SUCCESS)
+	{
+		return (ISC_R_FAILURE);
+	}
+	/*
+	 * _frm and _to are optional.
+	 */
+	_frm = NULL;
+	(void)isccc_cc_lookupstring(_ctrl, "_frm", &_frm);
+	_to = NULL;
+	(void)isccc_cc_lookupstring(_ctrl, "_to", &_to);
+	/*
+	 * Create the response.
+	 */
+	alist = NULL;
+	result = isccc_cc_createmessage(1, _to, _frm, serial, now, expires,
+					&alist);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	_ctrl = isccc_alist_lookup(alist, "_ctrl");
+	if (_ctrl == NULL) {
+		result = ISC_R_FAILURE;
+		goto bad;
+	}
+
+	_data = isccc_alist_lookup(alist, "_data");
+	if (_data == NULL) {
+		result = ISC_R_FAILURE;
+		goto bad;
+	}
+
+	if (isccc_cc_definestring(_ctrl, "_rpl", "1") == NULL ||
+	    isccc_cc_definestring(_data, "type", type) == NULL)
+	{
+		result = ISC_R_NOMEMORY;
+		goto bad;
+	}
+
+	*alistp = alist;
+
+	return (ISC_R_SUCCESS);
+
+bad:
+	isccc_sexpr_free(&alist);
+	return (result);
+}
+
+isccc_sexpr_t *
+isccc_cc_definestring(isccc_sexpr_t *alist, const char *key, const char *str) {
+	size_t len;
+	isccc_region_t r;
+
+	len = strlen(str);
+	DE_CONST(str, r.rstart);
+	r.rend = r.rstart + len;
+
+	return (isccc_alist_definebinary(alist, key, &r));
+}
+
+isccc_sexpr_t *
+isccc_cc_defineuint32(isccc_sexpr_t *alist, const char *key, uint32_t i) {
+	char b[100];
+	size_t len;
+	isccc_region_t r;
+
+	snprintf(b, sizeof(b), "%u", i);
+	len = strlen(b);
+	r.rstart = (unsigned char *)b;
+	r.rend = (unsigned char *)b + len;
+
+	return (isccc_alist_definebinary(alist, key, &r));
+}
+
+isc_result_t
+isccc_cc_lookupstring(isccc_sexpr_t *alist, const char *key, char **strp) {
+	isccc_sexpr_t *kv, *v;
+
+	REQUIRE(strp == NULL || *strp == NULL);
+
+	kv = isccc_alist_assq(alist, key);
+	if (kv != NULL) {
+		v = ISCCC_SEXPR_CDR(kv);
+		if (isccc_sexpr_binaryp(v)) {
+			if (strp != NULL) {
+				*strp = isccc_sexpr_tostring(v);
+			}
+			return (ISC_R_SUCCESS);
+		} else {
+			return (ISC_R_EXISTS);
+		}
+	}
+
+	return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
+isccc_cc_lookupuint32(isccc_sexpr_t *alist, const char *key, uint32_t *uintp) {
+	isccc_sexpr_t *kv, *v;
+
+	kv = isccc_alist_assq(alist, key);
+	if (kv != NULL) {
+		v = ISCCC_SEXPR_CDR(kv);
+		if (isccc_sexpr_binaryp(v)) {
+			if (uintp != NULL) {
+				*uintp = (uint32_t)strtoul(
+					isccc_sexpr_tostring(v), NULL, 10);
+			}
+			return (ISC_R_SUCCESS);
+		} else {
+			return (ISC_R_EXISTS);
+		}
+	}
+
+	return (ISC_R_NOTFOUND);
+}
+
+static void
+symtab_undefine(char *key, unsigned int type, isccc_symvalue_t value,
+		void *arg) {
+	UNUSED(type);
+	UNUSED(value);
+	UNUSED(arg);
+
+	free(key);
+}
+
+static bool
+symtab_clean(char *key, unsigned int type, isccc_symvalue_t value, void *arg) {
+	isccc_time_t *now;
+
+	UNUSED(key);
+	UNUSED(type);
+
+	now = arg;
+
+	if (*now < value.as_uinteger) {
+		return (false);
+	}
+	if ((*now - value.as_uinteger) < DUP_LIFETIME) {
+		return (false);
+	}
+	return (true);
+}
+
+isc_result_t
+isccc_cc_createsymtab(isccc_symtab_t **symtabp) {
+	return (isccc_symtab_create(11897, symtab_undefine, NULL, false,
+				    symtabp));
+}
+
+void
+isccc_cc_cleansymtab(isccc_symtab_t *symtab, isccc_time_t now) {
+	isccc_symtab_foreach(symtab, symtab_clean, &now);
+}
+
+static bool
+has_whitespace(const char *str) {
+	char c;
+
+	if (str == NULL) {
+		return (false);
+	}
+	while ((c = *str++) != '\0') {
+		if (c == ' ' || c == '\t' || c == '\n') {
+			return (true);
+		}
+	}
+	return (false);
+}
+
+isc_result_t
+isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message,
+		  isccc_time_t now) {
+	const char *_frm;
+	const char *_to;
+	char *_ser = NULL, *_tim = NULL, *tmp;
+	isc_result_t result;
+	char *key;
+	size_t len;
+	isccc_symvalue_t value;
+	isccc_sexpr_t *_ctrl;
+
+	_ctrl = isccc_alist_lookup(message, "_ctrl");
+	if (!isccc_alist_alistp(_ctrl) ||
+	    isccc_cc_lookupstring(_ctrl, "_ser", &_ser) != ISC_R_SUCCESS ||
+	    isccc_cc_lookupstring(_ctrl, "_tim", &_tim) != ISC_R_SUCCESS)
+	{
+		return (ISC_R_FAILURE);
+	}
+
+	INSIST(_ser != NULL);
+	INSIST(_tim != NULL);
+
+	/*
+	 * _frm and _to are optional.
+	 */
+	tmp = NULL;
+	if (isccc_cc_lookupstring(_ctrl, "_frm", &tmp) != ISC_R_SUCCESS) {
+		_frm = "";
+	} else {
+		_frm = tmp;
+	}
+	tmp = NULL;
+	if (isccc_cc_lookupstring(_ctrl, "_to", &tmp) != ISC_R_SUCCESS) {
+		_to = "";
+	} else {
+		_to = tmp;
+	}
+	/*
+	 * Ensure there is no newline in any of the strings.  This is so
+	 * we can write them to a file later.
+	 */
+	if (has_whitespace(_frm) || has_whitespace(_to) ||
+	    has_whitespace(_ser) || has_whitespace(_tim))
+	{
+		return (ISC_R_FAILURE);
+	}
+	len = strlen(_frm) + strlen(_to) + strlen(_ser) + strlen(_tim) + 4;
+	key = malloc(len);
+	if (key == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+	snprintf(key, len, "%s;%s;%s;%s", _frm, _to, _ser, _tim);
+	value.as_uinteger = now;
+	result = isccc_symtab_define(symtab, key, ISCCC_SYMTYPE_CCDUP, value,
+				     isccc_symexists_reject);
+	if (result != ISC_R_SUCCESS) {
+		free(key);
+		return (result);
+	}
+
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/isccc/ccmsg.c b/lib/isccc/ccmsg.c
new file mode 100644
index 0000000..bb60a53
--- /dev/null
+++ b/lib/isccc/ccmsg.c
@@ -0,0 +1,231 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+
+#include <isc/mem.h>
+#include <isc/result.h>
+#include <isc/task.h>
+#include <isc/util.h>
+
+#include <isccc/ccmsg.h>
+#include <isccc/events.h>
+
+#define CCMSG_MAGIC	 ISC_MAGIC('C', 'C', 'm', 's')
+#define VALID_CCMSG(foo) ISC_MAGIC_VALID(foo, CCMSG_MAGIC)
+
+static void
+recv_length(isc_task_t *, isc_event_t *);
+static void
+recv_message(isc_task_t *, isc_event_t *);
+
+static void
+recv_length(isc_task_t *task, isc_event_t *ev_in) {
+	isc_socketevent_t *ev = (isc_socketevent_t *)ev_in;
+	isc_event_t *dev;
+	isccc_ccmsg_t *ccmsg = ev_in->ev_arg;
+	isc_region_t region;
+	isc_result_t result;
+
+	INSIST(VALID_CCMSG(ccmsg));
+
+	dev = &ccmsg->event;
+
+	if (ev->result != ISC_R_SUCCESS) {
+		ccmsg->result = ev->result;
+		goto send_and_free;
+	}
+
+	/*
+	 * Success.
+	 */
+	ccmsg->size = ntohl(ccmsg->size);
+	if (ccmsg->size == 0) {
+		ccmsg->result = ISC_R_UNEXPECTEDEND;
+		goto send_and_free;
+	}
+	if (ccmsg->size > ccmsg->maxsize) {
+		ccmsg->result = ISC_R_RANGE;
+		goto send_and_free;
+	}
+
+	region.base = isc_mem_get(ccmsg->mctx, ccmsg->size);
+	region.length = ccmsg->size;
+	if (region.base == NULL) {
+		ccmsg->result = ISC_R_NOMEMORY;
+		goto send_and_free;
+	}
+
+	isc_buffer_init(&ccmsg->buffer, region.base, region.length);
+	result = isc_socket_recv(ccmsg->sock, &region, 0, task, recv_message,
+				 ccmsg);
+	if (result != ISC_R_SUCCESS) {
+		ccmsg->result = result;
+		goto send_and_free;
+	}
+
+	isc_event_free(&ev_in);
+	return;
+
+send_and_free:
+	isc_task_send(ccmsg->task, &dev);
+	ccmsg->task = NULL;
+	isc_event_free(&ev_in);
+	return;
+}
+
+static void
+recv_message(isc_task_t *task, isc_event_t *ev_in) {
+	isc_socketevent_t *ev = (isc_socketevent_t *)ev_in;
+	isc_event_t *dev;
+	isccc_ccmsg_t *ccmsg = ev_in->ev_arg;
+
+	(void)task;
+
+	INSIST(VALID_CCMSG(ccmsg));
+
+	dev = &ccmsg->event;
+
+	if (ev->result != ISC_R_SUCCESS) {
+		ccmsg->result = ev->result;
+		goto send_and_free;
+	}
+
+	ccmsg->result = ISC_R_SUCCESS;
+	isc_buffer_add(&ccmsg->buffer, ev->n);
+	ccmsg->address = ev->address;
+
+send_and_free:
+	isc_task_send(ccmsg->task, &dev);
+	ccmsg->task = NULL;
+	isc_event_free(&ev_in);
+}
+
+void
+isccc_ccmsg_init(isc_mem_t *mctx, isc_socket_t *sock, isccc_ccmsg_t *ccmsg) {
+	REQUIRE(mctx != NULL);
+	REQUIRE(sock != NULL);
+	REQUIRE(ccmsg != NULL);
+
+	ccmsg->magic = CCMSG_MAGIC;
+	ccmsg->size = 0;
+	ccmsg->buffer.base = NULL;
+	ccmsg->buffer.length = 0;
+	ccmsg->maxsize = 4294967295U; /* Largest message possible. */
+	ccmsg->mctx = mctx;
+	ccmsg->sock = sock;
+	ccmsg->task = NULL;		  /* None yet. */
+	ccmsg->result = ISC_R_UNEXPECTED; /* None yet. */
+					  /*
+					   * Should probably initialize the
+					   *event here, but it can wait.
+					   */
+}
+
+void
+isccc_ccmsg_setmaxsize(isccc_ccmsg_t *ccmsg, unsigned int maxsize) {
+	REQUIRE(VALID_CCMSG(ccmsg));
+
+	ccmsg->maxsize = maxsize;
+}
+
+isc_result_t
+isccc_ccmsg_readmessage(isccc_ccmsg_t *ccmsg, isc_task_t *task,
+			isc_taskaction_t action, void *arg) {
+	isc_result_t result;
+	isc_region_t region;
+
+	REQUIRE(VALID_CCMSG(ccmsg));
+	REQUIRE(task != NULL);
+	REQUIRE(ccmsg->task == NULL); /* not currently in use */
+
+	if (ccmsg->buffer.base != NULL) {
+		isc_mem_put(ccmsg->mctx, ccmsg->buffer.base,
+			    ccmsg->buffer.length);
+		ccmsg->buffer.base = NULL;
+		ccmsg->buffer.length = 0;
+	}
+
+	ccmsg->task = task;
+	ccmsg->action = action;
+	ccmsg->arg = arg;
+	ccmsg->result = ISC_R_UNEXPECTED; /* unknown right now */
+
+	ISC_EVENT_INIT(&ccmsg->event, sizeof(isc_event_t), 0, 0,
+		       ISCCC_EVENT_CCMSG, action, arg, ccmsg, NULL, NULL);
+
+	region.base = (unsigned char *)&ccmsg->size;
+	region.length = 4; /* uint32_t */
+	result = isc_socket_recv(ccmsg->sock, &region, 0, ccmsg->task,
+				 recv_length, ccmsg);
+
+	if (result != ISC_R_SUCCESS) {
+		ccmsg->task = NULL;
+	}
+
+	return (result);
+}
+
+void
+isccc_ccmsg_cancelread(isccc_ccmsg_t *ccmsg) {
+	REQUIRE(VALID_CCMSG(ccmsg));
+
+	isc_socket_cancel(ccmsg->sock, NULL, ISC_SOCKCANCEL_RECV);
+}
+
+#if 0
+void
+isccc_ccmsg_freebuffer(isccc_ccmsg_t*ccmsg) {
+	REQUIRE(VALID_CCMSG(ccmsg));
+
+	if (ccmsg->buffer.base == NULL) {
+		return;
+	}
+
+	isc_mem_put(ccmsg->mctx,ccmsg->buffer.base,ccmsg->buffer.length);
+	ccmsg->buffer.base = NULL;
+	ccmsg->buffer.length = 0;
+}
+#endif /* if 0 */
+
+void
+isccc_ccmsg_invalidate(isccc_ccmsg_t *ccmsg) {
+	REQUIRE(VALID_CCMSG(ccmsg));
+
+	ccmsg->magic = 0;
+
+	if (ccmsg->buffer.base != NULL) {
+		isc_mem_put(ccmsg->mctx, ccmsg->buffer.base,
+			    ccmsg->buffer.length);
+		ccmsg->buffer.base = NULL;
+		ccmsg->buffer.length = 0;
+	}
+}
diff --git a/lib/isccc/include/.clang-format b/lib/isccc/include/.clang-format
new file mode 120000
index 0000000..0e62f72
--- /dev/null
+++ b/lib/isccc/include/.clang-format
@@ -0,0 +1 @@
+../../../.clang-format.headers
\ No newline at end of file
diff --git a/lib/isccc/include/Makefile.in b/lib/isccc/include/Makefile.in
new file mode 100644
index 0000000..09c4dd7
--- /dev/null
+++ b/lib/isccc/include/Makefile.in
@@ -0,0 +1,19 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	isccc
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/isccc/include/isccc/Makefile.in b/lib/isccc/include/isccc/Makefile.in
new file mode 100644
index 0000000..af4ddf3
--- /dev/null
+++ b/lib/isccc/include/isccc/Makefile.in
@@ -0,0 +1,41 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+#
+# Only list headers that are to be installed and are not
+# machine generated.  The latter are handled specially in the
+# install target below.
+#
+HEADERS =	alist.h base64.h cc.h ccmsg.h events.h result.h \
+		sexpr.h symtab.h symtype.h types.h util.h version.h
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isccc
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/isccc || exit 1; \
+	done
+
+uninstall::
+	for i in ${HEADERS}; do \
+		rm -f ${DESTDIR}${includedir}/isccc/$$i || exit 1; \
+	done
diff --git a/lib/isccc/include/isccc/alist.h b/lib/isccc/include/isccc/alist.h
new file mode 100644
index 0000000..558378b
--- /dev/null
+++ b/lib/isccc/include/isccc/alist.h
@@ -0,0 +1,89 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef ISCCC_ALIST_H
+#define ISCCC_ALIST_H 1
+
+/*! \file isccc/alist.h */
+
+#include <stdbool.h>
+#include <stdio.h>
+
+#include <isc/lang.h>
+
+#include <isccc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isccc_sexpr_t *
+isccc_alist_create(void);
+
+bool
+isccc_alist_alistp(isccc_sexpr_t *alist);
+
+bool
+isccc_alist_emptyp(isccc_sexpr_t *alist);
+
+isccc_sexpr_t *
+isccc_alist_first(isccc_sexpr_t *alist);
+
+isccc_sexpr_t *
+isccc_alist_assq(isccc_sexpr_t *alist, const char *key);
+
+void
+isccc_alist_delete(isccc_sexpr_t *alist, const char *key);
+
+isccc_sexpr_t *
+isccc_alist_define(isccc_sexpr_t *alist, const char *key, isccc_sexpr_t *value);
+
+isccc_sexpr_t *
+isccc_alist_definestring(isccc_sexpr_t *alist, const char *key,
+			 const char *str);
+
+isccc_sexpr_t *
+isccc_alist_definebinary(isccc_sexpr_t *alist, const char *key,
+			 isccc_region_t *r);
+
+isccc_sexpr_t *
+isccc_alist_lookup(isccc_sexpr_t *alist, const char *key);
+
+isc_result_t
+isccc_alist_lookupstring(isccc_sexpr_t *alist, const char *key, char **strp);
+
+isc_result_t
+isccc_alist_lookupbinary(isccc_sexpr_t *alist, const char *key,
+			 isccc_region_t **r);
+
+void
+isccc_alist_prettyprint(isccc_sexpr_t *sexpr, unsigned int indent,
+			FILE *stream);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISCCC_ALIST_H */
diff --git a/lib/isccc/include/isccc/base64.h b/lib/isccc/include/isccc/base64.h
new file mode 100644
index 0000000..2eba95c
--- /dev/null
+++ b/lib/isccc/include/isccc/base64.h
@@ -0,0 +1,82 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef ISCCC_BASE64_H
+#define ISCCC_BASE64_H 1
+
+/*! \file isccc/base64.h */
+
+#include <isc/lang.h>
+
+#include <isccc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t
+isccc_base64_encode(isccc_region_t *source, int wordlength,
+		    const char *wordbreak, isccc_region_t *target);
+/*%<
+ * Convert data into base64 encoded text.
+ *
+ * Notes:
+ *\li	The base64 encoded text in 'target' will be divided into
+ *	words of at most 'wordlength' characters, separated by
+ * 	the 'wordbreak' string.  No parentheses will surround
+ *	the text.
+ *
+ * Requires:
+ *\li	'source' is a region containing binary data.
+ *\li	'target' is a text region containing available space.
+ *\li	'wordbreak' points to a null-terminated string of
+ *		zero or more whitespace characters.
+ */
+
+isc_result_t
+isccc_base64_decode(const char *cstr, isccc_region_t *target);
+/*%<
+ * Decode a null-terminated base64 string.
+ *
+ * Requires:
+ *\li	'cstr' is non-null.
+ *\li	'target' is a valid region.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS	-- the entire decoded representation of 'cstring'
+ *			   fit in 'target'.
+ *\li	#ISC_R_BADBASE64 -- 'cstr' is not a valid base64 encoding.
+ *\li	#ISC_R_NOSPACE	-- 'target' is not big enough.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISCCC_BASE64_H */
diff --git a/lib/isccc/include/isccc/cc.h b/lib/isccc/include/isccc/cc.h
new file mode 100644
index 0000000..9b19904
--- /dev/null
+++ b/lib/isccc/include/isccc/cc.h
@@ -0,0 +1,131 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef ISCCC_CC_H
+#define ISCCC_CC_H 1
+
+/*! \file isccc/cc.h */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/buffer.h>
+#include <isc/lang.h>
+
+#include <isccc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*% from lib/dns/include/dst/dst.h */
+
+#define ISCCC_ALG_UNKNOWN    0
+#define ISCCC_ALG_HMACMD5    157
+#define ISCCC_ALG_HMACSHA1   161
+#define ISCCC_ALG_HMACSHA224 162
+#define ISCCC_ALG_HMACSHA256 163
+#define ISCCC_ALG_HMACSHA384 164
+#define ISCCC_ALG_HMACSHA512 165
+
+/*% Maximum Datagram Package */
+#define ISCCC_CC_MAXDGRAMPACKET 4096
+
+/*% Message Type String */
+#define ISCCC_CCMSGTYPE_STRING 0x00
+/*% Message Type Binary Data */
+#define ISCCC_CCMSGTYPE_BINARYDATA 0x01
+/*% Message Type Table */
+#define ISCCC_CCMSGTYPE_TABLE 0x02
+/*% Message Type List */
+#define ISCCC_CCMSGTYPE_LIST 0x03
+
+/*% Send to Wire */
+isc_result_t
+isccc_cc_towire(isccc_sexpr_t *alist, isc_buffer_t **buffer, uint32_t algorithm,
+		isccc_region_t *secret);
+
+/*% Get From Wire */
+isc_result_t
+isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp,
+		  uint32_t algorithm, isccc_region_t *secret);
+
+/*% Create Message */
+isc_result_t
+isccc_cc_createmessage(uint32_t version, const char *from, const char *to,
+		       uint32_t serial, isccc_time_t now, isccc_time_t expires,
+		       isccc_sexpr_t **alistp);
+
+/*% Create Acknowledgment */
+isc_result_t
+isccc_cc_createack(isccc_sexpr_t *message, bool ok, isccc_sexpr_t **ackp);
+
+/*% Is Ack? */
+bool
+isccc_cc_isack(isccc_sexpr_t *message);
+
+/*% Is Reply? */
+bool
+isccc_cc_isreply(isccc_sexpr_t *message);
+
+/*% Create Response */
+isc_result_t
+isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now,
+			isccc_time_t expires, isccc_sexpr_t **alistp);
+
+/*% Define String */
+isccc_sexpr_t *
+isccc_cc_definestring(isccc_sexpr_t *alist, const char *key, const char *str);
+
+/*% Define uint 32 */
+isccc_sexpr_t *
+isccc_cc_defineuint32(isccc_sexpr_t *alist, const char *key, uint32_t i);
+
+/*% Lookup String */
+isc_result_t
+isccc_cc_lookupstring(isccc_sexpr_t *alist, const char *key, char **strp);
+
+/*% Lookup uint 32 */
+isc_result_t
+isccc_cc_lookupuint32(isccc_sexpr_t *alist, const char *key, uint32_t *uintp);
+
+/*% Create Symbol Table */
+isc_result_t
+isccc_cc_createsymtab(isccc_symtab_t **symtabp);
+
+/*% Clean up Symbol Table */
+void
+isccc_cc_cleansymtab(isccc_symtab_t *symtab, isccc_time_t now);
+
+/*% Check for Duplicates */
+isc_result_t
+isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message,
+		  isccc_time_t now);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISCCC_CC_H */
diff --git a/lib/isccc/include/isccc/ccmsg.h b/lib/isccc/include/isccc/ccmsg.h
new file mode 100644
index 0000000..db64fcf
--- /dev/null
+++ b/lib/isccc/include/isccc/ccmsg.h
@@ -0,0 +1,146 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef ISCCC_CCMSG_H
+#define ISCCC_CCMSG_H 1
+
+/*! \file isccc/ccmsg.h */
+
+#include <inttypes.h>
+
+#include <isc/buffer.h>
+#include <isc/lang.h>
+#include <isc/socket.h>
+
+/*% ISCCC Message Structure */
+typedef struct isccc_ccmsg {
+	/* private (don't touch!) */
+	unsigned int	 magic;
+	uint32_t	 size;
+	isc_buffer_t	 buffer;
+	unsigned int	 maxsize;
+	isc_mem_t	*mctx;
+	isc_socket_t	*sock;
+	isc_task_t	*task;
+	isc_taskaction_t action;
+	void		*arg;
+	isc_event_t	 event;
+	/* public (read-only) */
+	isc_result_t   result;
+	isc_sockaddr_t address;
+} isccc_ccmsg_t;
+
+ISC_LANG_BEGINDECLS
+
+void
+isccc_ccmsg_init(isc_mem_t *mctx, isc_socket_t *sock, isccc_ccmsg_t *ccmsg);
+/*%
+ * Associate a cc message state with a given memory context and
+ * TCP socket.
+ *
+ * Requires:
+ *
+ *\li	"mctx" and "sock" be non-NULL and valid types.
+ *
+ *\li	"sock" be a read/write TCP socket.
+ *
+ *\li	"ccmsg" be non-NULL and an uninitialized or invalidated structure.
+ *
+ * Ensures:
+ *
+ *\li	"ccmsg" is a valid structure.
+ */
+
+void
+isccc_ccmsg_setmaxsize(isccc_ccmsg_t *ccmsg, unsigned int maxsize);
+/*%
+ * Set the maximum packet size to "maxsize"
+ *
+ * Requires:
+ *
+ *\li	"ccmsg" be valid.
+ *
+ *\li	512 <= "maxsize" <= 4294967296
+ */
+
+isc_result_t
+isccc_ccmsg_readmessage(isccc_ccmsg_t *ccmsg, isc_task_t *task,
+			isc_taskaction_t action, void *arg);
+/*%
+ * Schedule an event to be delivered when a command channel message is
+ * readable, or when an error occurs on the socket.
+ *
+ * Requires:
+ *
+ *\li	"ccmsg" be valid.
+ *
+ *\li	"task", "taskaction", and "arg" be valid.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS		-- no error
+ *\li	Anything that the isc_socket_recv() call can return.  XXXMLG
+ *
+ * Notes:
+ *
+ *\li	The event delivered is a fully generic event.  It will contain no
+ *	actual data.  The sender will be a pointer to the isccc_ccmsg_t.
+ *	The result code inside that structure should be checked to see
+ *	what the final result was.
+ */
+
+void
+isccc_ccmsg_cancelread(isccc_ccmsg_t *ccmsg);
+/*%
+ * Cancel a readmessage() call.  The event will still be posted with a
+ * CANCELED result code.
+ *
+ * Requires:
+ *
+ *\li	"ccmsg" be valid.
+ */
+
+void
+isccc_ccmsg_invalidate(isccc_ccmsg_t *ccmsg);
+/*%
+ * Clean up all allocated state, and invalidate the structure.
+ *
+ * Requires:
+ *
+ *\li	"ccmsg" be valid.
+ *
+ * Ensures:
+ *
+ *\li	"ccmsg" is invalidated and disassociated with all memory contexts,
+ *	sockets, etc.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISCCC_CCMSG_H */
diff --git a/lib/isccc/include/isccc/events.h b/lib/isccc/include/isccc/events.h
new file mode 100644
index 0000000..78ee02d
--- /dev/null
+++ b/lib/isccc/include/isccc/events.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef ISCCC_EVENTS_H
+#define ISCCC_EVENTS_H 1
+
+/*! \file isccc/events.h */
+
+#include <isc/eventclass.h>
+
+/*%
+ * Registry of ISCCC event numbers.
+ */
+
+#define ISCCC_EVENT_CCMSG (ISC_EVENTCLASS_ISCCC + 0)
+
+#define ISCCC_EVENT_FIRSTEVENT (ISC_EVENTCLASS_ISCCC + 0)
+#define ISCCC_EVENT_LASTEVENT  (ISC_EVENTCLASS_ISCCC + 65535)
+
+#endif /* ISCCC_EVENTS_H */
diff --git a/lib/isccc/include/isccc/result.h b/lib/isccc/include/isccc/result.h
new file mode 100644
index 0000000..56f9c38
--- /dev/null
+++ b/lib/isccc/include/isccc/result.h
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2001 Nominum, Inc.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISCCC_RESULT_H
+#define ISCCC_RESULT_H 1
+
+/*! \file isccc/result.h */
+
+#include <isc/lang.h>
+#include <isc/result.h>
+#include <isc/resultclass.h>
+
+#include <isccc/types.h>
+
+/*% Unknown Version */
+#define ISCCC_R_UNKNOWNVERSION (ISC_RESULTCLASS_ISCCC + 0)
+/*% Syntax Error */
+#define ISCCC_R_SYNTAX (ISC_RESULTCLASS_ISCCC + 1)
+/*% Bad Authorization */
+#define ISCCC_R_BADAUTH (ISC_RESULTCLASS_ISCCC + 2)
+/*% Expired */
+#define ISCCC_R_EXPIRED (ISC_RESULTCLASS_ISCCC + 3)
+/*% Clock Skew */
+#define ISCCC_R_CLOCKSKEW (ISC_RESULTCLASS_ISCCC + 4)
+/*% Duplicate */
+#define ISCCC_R_DUPLICATE (ISC_RESULTCLASS_ISCCC + 5)
+/*% Maximum recursion depth */
+#define ISCCC_R_MAXDEPTH (ISC_RESULTCLASS_ISCCC + 6)
+
+#define ISCCC_R_NRESULTS 7 /*%< Number of results */
+
+ISC_LANG_BEGINDECLS
+
+const char *
+isccc_result_totext(isc_result_t result);
+/*%
+ * Convert a isccc_result_t into a string message describing the result.
+ */
+
+void
+isccc_result_register(void);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISCCC_RESULT_H */
diff --git a/lib/isccc/include/isccc/sexpr.h b/lib/isccc/include/isccc/sexpr.h
new file mode 100644
index 0000000..dae9906
--- /dev/null
+++ b/lib/isccc/include/isccc/sexpr.h
@@ -0,0 +1,122 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef ISCCC_SEXPR_H
+#define ISCCC_SEXPR_H 1
+
+/*! \file isccc/sexpr.h */
+
+#include <stdbool.h>
+#include <stdio.h>
+
+#include <isc/lang.h>
+
+#include <isccc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*% dotted pair structure */
+struct isccc_dottedpair {
+	isccc_sexpr_t *car;
+	isccc_sexpr_t *cdr;
+};
+
+/*% iscc_sexpr structure */
+struct isccc_sexpr {
+	unsigned int type;
+	union {
+		char		  *as_string;
+		isccc_dottedpair_t as_dottedpair;
+		isccc_region_t	   as_region;
+	} value;
+};
+
+#define ISCCC_SEXPRTYPE_NONE	   0x00 /*%< Illegal. */
+#define ISCCC_SEXPRTYPE_T	   0x01
+#define ISCCC_SEXPRTYPE_STRING	   0x02
+#define ISCCC_SEXPRTYPE_DOTTEDPAIR 0x03
+#define ISCCC_SEXPRTYPE_BINARY	   0x04
+
+#define ISCCC_SEXPR_CAR(s) (s)->value.as_dottedpair.car
+#define ISCCC_SEXPR_CDR(s) (s)->value.as_dottedpair.cdr
+
+isccc_sexpr_t *
+isccc_sexpr_cons(isccc_sexpr_t *car, isccc_sexpr_t *cdr);
+
+isccc_sexpr_t *
+isccc_sexpr_tconst(void);
+
+isccc_sexpr_t *
+isccc_sexpr_fromstring(const char *str);
+
+isccc_sexpr_t *
+isccc_sexpr_frombinary(const isccc_region_t *region);
+
+void
+isccc_sexpr_free(isccc_sexpr_t **sexprp);
+
+void
+isccc_sexpr_print(isccc_sexpr_t *sexpr, FILE *stream);
+
+isccc_sexpr_t *
+isccc_sexpr_car(isccc_sexpr_t *list);
+
+isccc_sexpr_t *
+isccc_sexpr_cdr(isccc_sexpr_t *list);
+
+void
+isccc_sexpr_setcar(isccc_sexpr_t *pair, isccc_sexpr_t *car);
+
+void
+isccc_sexpr_setcdr(isccc_sexpr_t *pair, isccc_sexpr_t *cdr);
+
+isccc_sexpr_t *
+isccc_sexpr_addtolist(isccc_sexpr_t **l1p, isccc_sexpr_t *l2);
+
+bool
+isccc_sexpr_listp(isccc_sexpr_t *sexpr);
+
+bool
+isccc_sexpr_emptyp(isccc_sexpr_t *sexpr);
+
+bool
+isccc_sexpr_stringp(isccc_sexpr_t *sexpr);
+
+bool
+isccc_sexpr_binaryp(isccc_sexpr_t *sexpr);
+
+char *
+isccc_sexpr_tostring(isccc_sexpr_t *sexpr);
+
+isccc_region_t *
+isccc_sexpr_tobinary(isccc_sexpr_t *sexpr);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISCCC_SEXPR_H */
diff --git a/lib/isccc/include/isccc/symtab.h b/lib/isccc/include/isccc/symtab.h
new file mode 100644
index 0000000..ff978b2
--- /dev/null
+++ b/lib/isccc/include/isccc/symtab.h
@@ -0,0 +1,136 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef ISCCC_SYMTAB_H
+#define ISCCC_SYMTAB_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file isccc/symtab.h
+ * \brief
+ * Provides a simple memory-based symbol table.
+ *
+ * Keys are C strings.  A type may be specified when looking up,
+ * defining, or undefining.  A type value of 0 means "match any type";
+ * any other value will only match the given type.
+ *
+ * It's possible that a client will attempt to define a <key, type,
+ * value> tuple when a tuple with the given key and type already
+ * exists in the table.  What to do in this case is specified by the
+ * client.  Possible policies are:
+ *
+ *\li	isccc_symexists_reject	Disallow the define, returning #ISC_R_EXISTS
+ *\li	isccc_symexists_replace	Replace the old value with the new.  The
+ *				undefine action (if provided) will be called
+ *				with the old <key, type, value> tuple.
+ *\li	isccc_symexists_add	Add the new tuple, leaving the old tuple in
+ *				the table.  Subsequent lookups will retrieve
+ *				the most-recently-defined tuple.
+ *
+ * A lookup of a key using type 0 will return the most-recently
+ * defined symbol with that key.  An undefine of a key using type 0
+ * will undefine the most-recently defined symbol with that key.
+ * Trying to define a key with type 0 is illegal.
+ *
+ * The symbol table library does not make a copy the key field, so the
+ * caller must ensure that any key it passes to isccc_symtab_define()
+ * will not change until it calls isccc_symtab_undefine() or
+ * isccc_symtab_destroy().
+ *
+ * A user-specified action will be called (if provided) when a symbol
+ * is undefined.  It can be used to free memory associated with keys
+ * and/or values.
+ */
+
+/***
+ *** Imports.
+ ***/
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+
+#include <isccc/types.h>
+
+/***
+ *** Symbol Tables.
+ ***/
+
+typedef union isccc_symvalue {
+	void	    *as_pointer;
+	int	     as_integer;
+	unsigned int as_uinteger;
+} isccc_symvalue_t;
+
+typedef void (*isccc_symtabundefaction_t)(char *key, unsigned int type,
+					  isccc_symvalue_t value,
+					  void		  *userarg);
+
+typedef bool (*isccc_symtabforeachaction_t)(char *key, unsigned int type,
+					    isccc_symvalue_t value,
+					    void	    *userarg);
+
+typedef enum {
+	isccc_symexists_reject = 0,
+	isccc_symexists_replace = 1,
+	isccc_symexists_add = 2
+} isccc_symexists_t;
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isccc_symtab_create(unsigned int	      size,
+		    isccc_symtabundefaction_t undefine_action,
+		    void *undefine_arg, bool case_sensitive,
+		    isccc_symtab_t **symtabp);
+
+void
+isccc_symtab_destroy(isccc_symtab_t **symtabp);
+
+isc_result_t
+isccc_symtab_lookup(isccc_symtab_t *symtab, const char *key, unsigned int type,
+		    isccc_symvalue_t *value);
+
+isc_result_t
+isccc_symtab_define(isccc_symtab_t *symtab, char *key, unsigned int type,
+		    isccc_symvalue_t value, isccc_symexists_t exists_policy);
+
+isc_result_t
+isccc_symtab_undefine(isccc_symtab_t *symtab, const char *key,
+		      unsigned int type);
+
+void
+isccc_symtab_foreach(isccc_symtab_t *symtab, isccc_symtabforeachaction_t action,
+		     void *arg);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISCCC_SYMTAB_H */
diff --git a/lib/isccc/include/isccc/symtype.h b/lib/isccc/include/isccc/symtype.h
new file mode 100644
index 0000000..9003683
--- /dev/null
+++ b/lib/isccc/include/isccc/symtype.h
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef ISCCC_SYMTYPE_H
+#define ISCCC_SYMTYPE_H 1
+
+/*! \file isccc/symtype.h */
+
+#define ISCCC_SYMTYPE_ZONESTATS	   0x0001
+#define ISCCC_SYMTYPE_CCDUP	   0x0002
+#define ISCCC_SYMTYPE_TELLSERVICE  0x0003
+#define ISCCC_SYMTYPE_TELLRESPONSE 0x0004
+
+#endif /* ISCCC_SYMTYPE_H */
diff --git a/lib/isccc/include/isccc/types.h b/lib/isccc/include/isccc/types.h
new file mode 100644
index 0000000..477e2df
--- /dev/null
+++ b/lib/isccc/include/isccc/types.h
@@ -0,0 +1,55 @@
+/*
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef ISCCC_TYPES_H
+#define ISCCC_TYPES_H 1
+
+/*! \file isccc/types.h */
+
+#include <inttypes.h>
+
+#include <isc/result.h>
+
+/*% isccc_time_t typedef */
+typedef uint32_t isccc_time_t;
+
+/*% isccc_sexpr_t typedef */
+typedef struct isccc_sexpr isccc_sexpr_t;
+/*% isccc_dottedpair_t typedef */
+typedef struct isccc_dottedpair isccc_dottedpair_t;
+/*% isccc_symtab_t typedef */
+typedef struct isccc_symtab isccc_symtab_t;
+
+/*% iscc region structure */
+typedef struct isccc_region {
+	unsigned char *rstart;
+	unsigned char *rend;
+} isccc_region_t;
+
+#endif /* ISCCC_TYPES_H */
diff --git a/lib/isccc/include/isccc/util.h b/lib/isccc/include/isccc/util.h
new file mode 100644
index 0000000..546423d
--- /dev/null
+++ b/lib/isccc/include/isccc/util.h
@@ -0,0 +1,229 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef ISCCC_UTIL_H
+#define ISCCC_UTIL_H 1
+
+#include <inttypes.h>
+
+#include <isc/util.h>
+
+/*! \file isccc/util.h
+ * \brief
+ * Macros for dealing with unaligned numbers.
+ *
+ * \note no side effects are allowed when invoking these macros!
+ */
+
+#define GET8(v, w)      \
+	do {            \
+		v = *w; \
+		w++;    \
+	} while (0)
+
+#define GET16(v, w)                          \
+	do {                                 \
+		v = (unsigned int)w[0] << 8; \
+		v |= (unsigned int)w[1];     \
+		w += 2;                      \
+	} while (0)
+
+#define GET24(v, w)                           \
+	do {                                  \
+		v = (unsigned int)w[0] << 16; \
+		v |= (unsigned int)w[1] << 8; \
+		v |= (unsigned int)w[2];      \
+		w += 3;                       \
+	} while (0)
+
+#define GET32(v, w)                            \
+	do {                                   \
+		v = (unsigned int)w[0] << 24;  \
+		v |= (unsigned int)w[1] << 16; \
+		v |= (unsigned int)w[2] << 8;  \
+		v |= (unsigned int)w[3];       \
+		w += 4;                        \
+	} while (0)
+
+#define GET64(v, w)                        \
+	do {                               \
+		v = (uint64_t)w[0] << 56;  \
+		v |= (uint64_t)w[1] << 48; \
+		v |= (uint64_t)w[2] << 40; \
+		v |= (uint64_t)w[3] << 32; \
+		v |= (uint64_t)w[4] << 24; \
+		v |= (uint64_t)w[5] << 16; \
+		v |= (uint64_t)w[6] << 8;  \
+		v |= (uint64_t)w[7];       \
+		w += 8;                    \
+	} while (0)
+
+#define GETC16(v, w, d)                      \
+	do {                                 \
+		GET8(v, w);                  \
+		if (v == 0) {                \
+			d = ISCCC_TRUE;      \
+		} else {                     \
+			d = ISCCC_FALSE;     \
+			if (v == 255)        \
+				GET16(v, w); \
+		}                            \
+	} while (0)
+
+#define GETC32(v, w)                  \
+	do {                          \
+		GET24(v, w);          \
+		if (v == 0xffffffu) { \
+			GET32(v, w);  \
+		}                     \
+	} while (0)
+
+#define GET_OFFSET(v, w) GET32(v, w)
+
+#define GET_MEM(v, c, w)          \
+	do {                      \
+		memmove(v, w, c); \
+		w += c;           \
+	} while (0)
+
+#define GET_TYPE(v, w)                                                        \
+	do {                                                                  \
+		GET8(v, w);                                                   \
+		if (v > 127) {                                                \
+			if (v < 255) {                                        \
+				v = ((v & 0x7f) << 16) | ISCCC_RDATATYPE_SIG; \
+			} else {                                              \
+				GET32(v, w);                                  \
+			}                                                     \
+		}                                                             \
+	} while (0)
+
+#define PUT8(v, w)                      \
+	do {                            \
+		*w = (v & 0x000000ffU); \
+		w++;                    \
+	} while (0)
+
+#define PUT16(v, w)                            \
+	do {                                   \
+		w[0] = (v & 0x0000ff00U) >> 8; \
+		w[1] = (v & 0x000000ffU);      \
+		w += 2;                        \
+	} while (0)
+
+#define PUT24(v, w)                             \
+	do {                                    \
+		w[0] = (v & 0x00ff0000U) >> 16; \
+		w[1] = (v & 0x0000ff00U) >> 8;  \
+		w[2] = (v & 0x000000ffU);       \
+		w += 3;                         \
+	} while (0)
+
+#define PUT32(v, w)                             \
+	do {                                    \
+		w[0] = (v & 0xff000000U) >> 24; \
+		w[1] = (v & 0x00ff0000U) >> 16; \
+		w[2] = (v & 0x0000ff00U) >> 8;  \
+		w[3] = (v & 0x000000ffU);       \
+		w += 4;                         \
+	} while (0)
+
+#define PUT64(v, w)                                       \
+	do {                                              \
+		w[0] = (v & 0xff00000000000000ULL) >> 56; \
+		w[1] = (v & 0x00ff000000000000ULL) >> 48; \
+		w[2] = (v & 0x0000ff0000000000ULL) >> 40; \
+		w[3] = (v & 0x000000ff00000000ULL) >> 32; \
+		w[4] = (v & 0x00000000ff000000ULL) >> 24; \
+		w[5] = (v & 0x0000000000ff0000ULL) >> 16; \
+		w[6] = (v & 0x000000000000ff00ULL) >> 8;  \
+		w[7] = (v & 0x00000000000000ffULL);       \
+		w += 8;                                   \
+	} while (0)
+
+#define PUTC16(v, w)                    \
+	do {                            \
+		if (v > 0 && v < 255) { \
+			PUT8(v, w);     \
+		} else {                \
+			PUT8(255, w);   \
+			PUT16(v, w);    \
+		}                       \
+	} while (0)
+
+#define PUTC32(v, w)                         \
+	do {                                 \
+		if (v < 0xffffffU) {         \
+			PUT24(v, w);         \
+		} else {                     \
+			PUT24(0xffffffU, w); \
+			PUT32(v, w);         \
+		}                            \
+	} while (0)
+
+#define PUT_OFFSET(v, w) PUT32(v, w)
+
+#include <string.h>
+
+#define PUT_MEM(s, c, w)          \
+	do {                      \
+		memmove(w, s, c); \
+		w += c;           \
+	} while (0)
+
+/*
+ * Regions.
+ */
+#define REGION_SIZE(r)	((unsigned int)((r).rend - (r).rstart))
+#define REGION_EMPTY(r) ((r).rstart == (r).rend)
+#define REGION_FROMSTRING(r, s)                    \
+	do {                                       \
+		(r).rstart = (unsigned char *)s;   \
+		(r).rend = (r).rstart + strlen(s); \
+	} while (0)
+
+/*%
+ * Use this to remove the const qualifier of a variable to assign it to
+ * a non-const variable or pass it as a non-const function argument ...
+ * but only when you are sure it won't then be changed!
+ * This is necessary to sometimes shut up some compilers
+ * (as with gcc -Wcast-qual) when there is just no other good way to avoid the
+ * situation.
+ */
+#define DE_CONST(konst, var)           \
+	do {                           \
+		union {                \
+			const void *k; \
+			void	   *v; \
+		} _u;                  \
+		_u.k = konst;          \
+		var = _u.v;            \
+	} while (0)
+
+#endif /* ISCCC_UTIL_H */
diff --git a/lib/isccc/include/isccc/version.h b/lib/isccc/include/isccc/version.h
new file mode 100644
index 0000000..9dc1a6d
--- /dev/null
+++ b/lib/isccc/include/isccc/version.h
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file isccc/version.h */
+
+#include <isc/platform.h>
+
+LIBISCCC_EXTERNAL_DATA extern const char isccc_version[];
diff --git a/lib/isccc/result.c b/lib/isccc/result.c
new file mode 100644
index 0000000..127dd77
--- /dev/null
+++ b/lib/isccc/result.c
@@ -0,0 +1,76 @@
+/*
+ * Copyright (C) 2001 Nominum, Inc.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <isc/once.h>
+#include <isc/util.h>
+
+#include <isccc/result.h>
+
+static const char *text[ISCCC_R_NRESULTS] = {
+	"unknown version", /* 1 */
+	"syntax error",	   /* 2 */
+	"bad auth",	   /* 3 */
+	"expired",	   /* 4 */
+	"clock skew",	   /* 5 */
+	"duplicate",	   /* 6 */
+	"max depth"	   /* 7 */
+};
+
+static const char *ids[ISCCC_R_NRESULTS] = {
+	"ISCCC_R_UNKNOWNVERSION", "ISCCC_R_SYNTAX",    "ISCCC_R_BADAUTH",
+	"ISCCC_R_EXPIRED",	  "ISCCC_R_CLOCKSKEW", "ISCCC_R_DUPLICATE",
+	"ISCCC_R_MAXDEPTH"
+};
+
+#define ISCCC_RESULT_RESULTSET 2
+
+static isc_once_t once = ISC_ONCE_INIT;
+
+static void
+initialize_action(void) {
+	isc_result_t result;
+
+	result = isc_result_register(ISC_RESULTCLASS_ISCCC, ISCCC_R_NRESULTS,
+				     text, ISCCC_RESULT_RESULTSET);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_result_register() failed: %u", result);
+	}
+
+	result = isc_result_registerids(ISC_RESULTCLASS_ISCCC, ISCCC_R_NRESULTS,
+					ids, ISCCC_RESULT_RESULTSET);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_result_registerids() failed: %u", result);
+	}
+}
+
+static void
+initialize(void) {
+	RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
+}
+
+const char *
+isccc_result_totext(isc_result_t result) {
+	initialize();
+
+	return (isc_result_totext(result));
+}
+
+void
+isccc_result_register(void) {
+	initialize();
+}
diff --git a/lib/isccc/sexpr.c b/lib/isccc/sexpr.c
new file mode 100644
index 0000000..62c80c4
--- /dev/null
+++ b/lib/isccc/sexpr.c
@@ -0,0 +1,317 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*! \file */
+
+#include <ctype.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/assertions.h>
+#include <isc/print.h>
+
+#include <isccc/sexpr.h>
+#include <isccc/util.h>
+
+static isccc_sexpr_t sexpr_t = { ISCCC_SEXPRTYPE_T, { NULL } };
+
+#define CAR(s) (s)->value.as_dottedpair.car
+#define CDR(s) (s)->value.as_dottedpair.cdr
+
+isccc_sexpr_t *
+isccc_sexpr_cons(isccc_sexpr_t *car, isccc_sexpr_t *cdr) {
+	isccc_sexpr_t *sexpr;
+
+	sexpr = malloc(sizeof(*sexpr));
+	if (sexpr == NULL) {
+		return (NULL);
+	}
+	sexpr->type = ISCCC_SEXPRTYPE_DOTTEDPAIR;
+	CAR(sexpr) = car;
+	CDR(sexpr) = cdr;
+
+	return (sexpr);
+}
+
+isccc_sexpr_t *
+isccc_sexpr_tconst(void) {
+	return (&sexpr_t);
+}
+
+isccc_sexpr_t *
+isccc_sexpr_fromstring(const char *str) {
+	isccc_sexpr_t *sexpr;
+
+	sexpr = malloc(sizeof(*sexpr));
+	if (sexpr == NULL) {
+		return (NULL);
+	}
+	sexpr->type = ISCCC_SEXPRTYPE_STRING;
+	sexpr->value.as_string = strdup(str);
+	if (sexpr->value.as_string == NULL) {
+		free(sexpr);
+		return (NULL);
+	}
+
+	return (sexpr);
+}
+
+isccc_sexpr_t *
+isccc_sexpr_frombinary(const isccc_region_t *region) {
+	isccc_sexpr_t *sexpr;
+	unsigned int region_size;
+
+	sexpr = malloc(sizeof(*sexpr));
+	if (sexpr == NULL) {
+		return (NULL);
+	}
+	sexpr->type = ISCCC_SEXPRTYPE_BINARY;
+	region_size = REGION_SIZE(*region);
+	/*
+	 * We add an extra byte when we malloc so we can NUL terminate
+	 * the binary data.  This allows the caller to use it as a C
+	 * string.  It's up to the caller to ensure this is safe.  We don't
+	 * add 1 to the length of the binary region, because the NUL is
+	 * not part of the binary data.
+	 */
+	sexpr->value.as_region.rstart = malloc(region_size + 1);
+	if (sexpr->value.as_region.rstart == NULL) {
+		free(sexpr);
+		return (NULL);
+	}
+	sexpr->value.as_region.rend = sexpr->value.as_region.rstart +
+				      region_size;
+	memmove(sexpr->value.as_region.rstart, region->rstart, region_size);
+	/*
+	 * NUL terminate.
+	 */
+	sexpr->value.as_region.rstart[region_size] = '\0';
+
+	return (sexpr);
+}
+
+void
+isccc_sexpr_free(isccc_sexpr_t **sexprp) {
+	isccc_sexpr_t *sexpr;
+	isccc_sexpr_t *item;
+
+	sexpr = *sexprp;
+	*sexprp = NULL;
+	if (sexpr == NULL) {
+		return;
+	}
+	switch (sexpr->type) {
+	case ISCCC_SEXPRTYPE_STRING:
+		free(sexpr->value.as_string);
+		break;
+	case ISCCC_SEXPRTYPE_DOTTEDPAIR:
+		item = CAR(sexpr);
+		if (item != NULL) {
+			isccc_sexpr_free(&item);
+		}
+		item = CDR(sexpr);
+		if (item != NULL) {
+			isccc_sexpr_free(&item);
+		}
+		break;
+	case ISCCC_SEXPRTYPE_BINARY:
+		free(sexpr->value.as_region.rstart);
+		break;
+	}
+	free(sexpr);
+}
+
+static bool
+printable(isccc_region_t *r) {
+	unsigned char *curr;
+
+	curr = r->rstart;
+	while (curr != r->rend) {
+		if (!isprint(*curr)) {
+			return (false);
+		}
+		curr++;
+	}
+
+	return (true);
+}
+
+void
+isccc_sexpr_print(isccc_sexpr_t *sexpr, FILE *stream) {
+	isccc_sexpr_t *cdr;
+	unsigned int size, i;
+	unsigned char *curr;
+
+	if (sexpr == NULL) {
+		fprintf(stream, "nil");
+		return;
+	}
+
+	switch (sexpr->type) {
+	case ISCCC_SEXPRTYPE_T:
+		fprintf(stream, "t");
+		break;
+	case ISCCC_SEXPRTYPE_STRING:
+		fprintf(stream, "\"%s\"", sexpr->value.as_string);
+		break;
+	case ISCCC_SEXPRTYPE_DOTTEDPAIR:
+		fprintf(stream, "(");
+		do {
+			isccc_sexpr_print(CAR(sexpr), stream);
+			cdr = CDR(sexpr);
+			if (cdr != NULL) {
+				fprintf(stream, " ");
+				if (cdr->type != ISCCC_SEXPRTYPE_DOTTEDPAIR) {
+					fprintf(stream, ". ");
+					isccc_sexpr_print(cdr, stream);
+					cdr = NULL;
+				}
+			}
+			sexpr = cdr;
+		} while (sexpr != NULL);
+		fprintf(stream, ")");
+		break;
+	case ISCCC_SEXPRTYPE_BINARY:
+		size = REGION_SIZE(sexpr->value.as_region);
+		curr = sexpr->value.as_region.rstart;
+		if (printable(&sexpr->value.as_region)) {
+			fprintf(stream, "'%.*s'", (int)size, curr);
+		} else {
+			fprintf(stream, "0x");
+			for (i = 0; i < size; i++) {
+				fprintf(stream, "%02x", *curr++);
+			}
+		}
+		break;
+	default:
+		UNREACHABLE();
+	}
+}
+
+isccc_sexpr_t *
+isccc_sexpr_car(isccc_sexpr_t *list) {
+	REQUIRE(list->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
+
+	return (CAR(list));
+}
+
+isccc_sexpr_t *
+isccc_sexpr_cdr(isccc_sexpr_t *list) {
+	REQUIRE(list->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
+
+	return (CDR(list));
+}
+
+void
+isccc_sexpr_setcar(isccc_sexpr_t *pair, isccc_sexpr_t *car) {
+	REQUIRE(pair->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
+
+	CAR(pair) = car;
+}
+
+void
+isccc_sexpr_setcdr(isccc_sexpr_t *pair, isccc_sexpr_t *cdr) {
+	REQUIRE(pair->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
+
+	CDR(pair) = cdr;
+}
+
+isccc_sexpr_t *
+isccc_sexpr_addtolist(isccc_sexpr_t **l1p, isccc_sexpr_t *l2) {
+	isccc_sexpr_t *last, *elt, *l1;
+
+	REQUIRE(l1p != NULL);
+	l1 = *l1p;
+	REQUIRE(l1 == NULL || l1->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
+
+	elt = isccc_sexpr_cons(l2, NULL);
+	if (elt == NULL) {
+		return (NULL);
+	}
+	if (l1 == NULL) {
+		*l1p = elt;
+		return (elt);
+	}
+	for (last = l1; CDR(last) != NULL; last = CDR(last)) {
+		/* Nothing */
+	}
+	CDR(last) = elt;
+
+	return (elt);
+}
+
+bool
+isccc_sexpr_listp(isccc_sexpr_t *sexpr) {
+	if (sexpr == NULL || sexpr->type == ISCCC_SEXPRTYPE_DOTTEDPAIR) {
+		return (true);
+	}
+	return (false);
+}
+
+bool
+isccc_sexpr_emptyp(isccc_sexpr_t *sexpr) {
+	if (sexpr == NULL) {
+		return (true);
+	}
+	return (false);
+}
+
+bool
+isccc_sexpr_stringp(isccc_sexpr_t *sexpr) {
+	if (sexpr != NULL && sexpr->type == ISCCC_SEXPRTYPE_STRING) {
+		return (true);
+	}
+	return (false);
+}
+
+bool
+isccc_sexpr_binaryp(isccc_sexpr_t *sexpr) {
+	if (sexpr != NULL && sexpr->type == ISCCC_SEXPRTYPE_BINARY) {
+		return (true);
+	}
+	return (false);
+}
+
+char *
+isccc_sexpr_tostring(isccc_sexpr_t *sexpr) {
+	REQUIRE(sexpr != NULL && (sexpr->type == ISCCC_SEXPRTYPE_STRING ||
+				  sexpr->type == ISCCC_SEXPRTYPE_BINARY));
+
+	if (sexpr->type == ISCCC_SEXPRTYPE_BINARY) {
+		return ((char *)sexpr->value.as_region.rstart);
+	}
+	return (sexpr->value.as_string);
+}
+
+isccc_region_t *
+isccc_sexpr_tobinary(isccc_sexpr_t *sexpr) {
+	REQUIRE(sexpr != NULL && sexpr->type == ISCCC_SEXPRTYPE_BINARY);
+	return (&sexpr->value.as_region);
+}
diff --git a/lib/isccc/symtab.c b/lib/isccc/symtab.c
new file mode 100644
index 0000000..2ab969a
--- /dev/null
+++ b/lib/isccc/symtab.c
@@ -0,0 +1,293 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*! \file */
+
+#include <ctype.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/assertions.h>
+#include <isc/magic.h>
+#include <isc/string.h>
+
+#include <isccc/result.h>
+#include <isccc/symtab.h>
+#include <isccc/util.h>
+
+typedef struct elt {
+	char *key;
+	unsigned int type;
+	isccc_symvalue_t value;
+	ISC_LINK(struct elt) link;
+} elt_t;
+
+typedef ISC_LIST(elt_t) eltlist_t;
+
+#define SYMTAB_MAGIC	 ISC_MAGIC('S', 'y', 'm', 'T')
+#define VALID_SYMTAB(st) ISC_MAGIC_VALID(st, SYMTAB_MAGIC)
+
+struct isccc_symtab {
+	unsigned int magic;
+	unsigned int size;
+	eltlist_t *table;
+	isccc_symtabundefaction_t undefine_action;
+	void *undefine_arg;
+	bool case_sensitive;
+};
+
+isc_result_t
+isccc_symtab_create(unsigned int size,
+		    isccc_symtabundefaction_t undefine_action,
+		    void *undefine_arg, bool case_sensitive,
+		    isccc_symtab_t **symtabp) {
+	isccc_symtab_t *symtab;
+	unsigned int i;
+
+	REQUIRE(symtabp != NULL && *symtabp == NULL);
+	REQUIRE(size > 0); /* Should be prime. */
+
+	symtab = malloc(sizeof(*symtab));
+	if (symtab == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+	symtab->table = malloc(size * sizeof(eltlist_t));
+	if (symtab->table == NULL) {
+		free(symtab);
+		return (ISC_R_NOMEMORY);
+	}
+	for (i = 0; i < size; i++) {
+		ISC_LIST_INIT(symtab->table[i]);
+	}
+	symtab->size = size;
+	symtab->undefine_action = undefine_action;
+	symtab->undefine_arg = undefine_arg;
+	symtab->case_sensitive = case_sensitive;
+	symtab->magic = SYMTAB_MAGIC;
+
+	*symtabp = symtab;
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+free_elt(isccc_symtab_t *symtab, unsigned int bucket, elt_t *elt) {
+	ISC_LIST_UNLINK(symtab->table[bucket], elt, link);
+	if (symtab->undefine_action != NULL) {
+		(symtab->undefine_action)(elt->key, elt->type, elt->value,
+					  symtab->undefine_arg);
+	}
+	free(elt);
+}
+
+void
+isccc_symtab_destroy(isccc_symtab_t **symtabp) {
+	isccc_symtab_t *symtab;
+	unsigned int i;
+	elt_t *elt, *nelt;
+
+	REQUIRE(symtabp != NULL);
+	symtab = *symtabp;
+	*symtabp = NULL;
+	REQUIRE(VALID_SYMTAB(symtab));
+
+	for (i = 0; i < symtab->size; i++) {
+		for (elt = ISC_LIST_HEAD(symtab->table[i]); elt != NULL;
+		     elt = nelt)
+		{
+			nelt = ISC_LIST_NEXT(elt, link);
+			free_elt(symtab, i, elt);
+		}
+	}
+	free(symtab->table);
+	symtab->magic = 0;
+	free(symtab);
+}
+
+static unsigned int
+hash(const char *key, bool case_sensitive) {
+	const char *s;
+	unsigned int h = 0;
+	unsigned int g;
+	int c;
+
+	/*
+	 * P. J. Weinberger's hash function, adapted from p. 436 of
+	 * _Compilers: Principles, Techniques, and Tools_, Aho, Sethi
+	 * and Ullman, Addison-Wesley, 1986, ISBN 0-201-10088-6.
+	 */
+
+	if (case_sensitive) {
+		for (s = key; *s != '\0'; s++) {
+			h = (h << 4) + *s;
+			if ((g = (h & 0xf0000000)) != 0) {
+				h = h ^ (g >> 24);
+				h = h ^ g;
+			}
+		}
+	} else {
+		for (s = key; *s != '\0'; s++) {
+			c = *s;
+			c = tolower((unsigned char)c);
+			h = (h << 4) + c;
+			if ((g = (h & 0xf0000000)) != 0) {
+				h = h ^ (g >> 24);
+				h = h ^ g;
+			}
+		}
+	}
+
+	return (h);
+}
+
+#define FIND(s, k, t, b, e)                                       \
+	b = hash((k), (s)->case_sensitive) % (s)->size;           \
+	if ((s)->case_sensitive) {                                \
+		for (e = ISC_LIST_HEAD((s)->table[b]); e != NULL; \
+		     e = ISC_LIST_NEXT(e, link))                  \
+		{                                                 \
+			if (((t) == 0 || e->type == (t)) &&       \
+			    strcmp(e->key, (k)) == 0)             \
+				break;                            \
+		}                                                 \
+	} else {                                                  \
+		for (e = ISC_LIST_HEAD((s)->table[b]); e != NULL; \
+		     e = ISC_LIST_NEXT(e, link))                  \
+		{                                                 \
+			if (((t) == 0 || e->type == (t)) &&       \
+			    strcasecmp(e->key, (k)) == 0)         \
+				break;                            \
+		}                                                 \
+	}
+
+isc_result_t
+isccc_symtab_lookup(isccc_symtab_t *symtab, const char *key, unsigned int type,
+		    isccc_symvalue_t *value) {
+	unsigned int bucket;
+	elt_t *elt;
+
+	REQUIRE(VALID_SYMTAB(symtab));
+	REQUIRE(key != NULL);
+
+	FIND(symtab, key, type, bucket, elt);
+
+	if (elt == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	if (value != NULL) {
+		*value = elt->value;
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isccc_symtab_define(isccc_symtab_t *symtab, char *key, unsigned int type,
+		    isccc_symvalue_t value, isccc_symexists_t exists_policy) {
+	unsigned int bucket;
+	elt_t *elt;
+
+	REQUIRE(VALID_SYMTAB(symtab));
+	REQUIRE(key != NULL);
+	REQUIRE(type != 0);
+
+	FIND(symtab, key, type, bucket, elt);
+
+	if (exists_policy != isccc_symexists_add && elt != NULL) {
+		if (exists_policy == isccc_symexists_reject) {
+			return (ISC_R_EXISTS);
+		}
+		INSIST(exists_policy == isccc_symexists_replace);
+		ISC_LIST_UNLINK(symtab->table[bucket], elt, link);
+		if (symtab->undefine_action != NULL) {
+			(symtab->undefine_action)(elt->key, elt->type,
+						  elt->value,
+						  symtab->undefine_arg);
+		}
+	} else {
+		elt = malloc(sizeof(*elt));
+		if (elt == NULL) {
+			return (ISC_R_NOMEMORY);
+		}
+		ISC_LINK_INIT(elt, link);
+	}
+
+	elt->key = key;
+	elt->type = type;
+	elt->value = value;
+
+	/*
+	 * We prepend so that the most recent definition will be found.
+	 */
+	ISC_LIST_PREPEND(symtab->table[bucket], elt, link);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isccc_symtab_undefine(isccc_symtab_t *symtab, const char *key,
+		      unsigned int type) {
+	unsigned int bucket;
+	elt_t *elt;
+
+	REQUIRE(VALID_SYMTAB(symtab));
+	REQUIRE(key != NULL);
+
+	FIND(symtab, key, type, bucket, elt);
+
+	if (elt == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	free_elt(symtab, bucket, elt);
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isccc_symtab_foreach(isccc_symtab_t *symtab, isccc_symtabforeachaction_t action,
+		     void *arg) {
+	unsigned int i;
+	elt_t *elt, *nelt;
+
+	REQUIRE(VALID_SYMTAB(symtab));
+	REQUIRE(action != NULL);
+
+	for (i = 0; i < symtab->size; i++) {
+		for (elt = ISC_LIST_HEAD(symtab->table[i]); elt != NULL;
+		     elt = nelt)
+		{
+			nelt = ISC_LIST_NEXT(elt, link);
+			if ((action)(elt->key, elt->type, elt->value, arg)) {
+				free_elt(symtab, i, elt);
+			}
+		}
+	}
+}
diff --git a/lib/isccc/tests/Kyuafile b/lib/isccc/tests/Kyuafile
new file mode 100644
index 0000000..79c8b3c
--- /dev/null
+++ b/lib/isccc/tests/Kyuafile
@@ -0,0 +1,15 @@
+-- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+--
+-- SPDX-License-Identifier: MPL-2.0
+--
+-- This Source Code Form is subject to the terms of the Mozilla Public
+-- License, v. 2.0.  If a copy of the MPL was not distributed with this
+-- file, you can obtain one at https://mozilla.org/MPL/2.0/.
+--
+-- See the COPYRIGHT file distributed with this work for additional
+-- information regarding copyright ownership.
+
+syntax(2)
+test_suite('bind9')
+
+tap_test_program{name='result_test'}
diff --git a/lib/isccc/tests/Makefile.in b/lib/isccc/tests/Makefile.in
new file mode 100644
index 0000000..f9f1968
--- /dev/null
+++ b/lib/isccc/tests/Makefile.in
@@ -0,0 +1,51 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+# Attempt to disable parallel processing.
+.NOTPARALLEL:
+.NO_PARALLEL:
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	-I. -Iinclude ${ISCCC_INCLUDES} ${ISC_INCLUDES} @CMOCKA_CFLAGS@
+CDEFINES =
+
+ISCLIBS =	../../isc/libisc.@A@
+ISCDEPLIBS =	../../isc/libisc.@A@
+ISCCCLIBS =	../libisccc.@A@
+ISCCCDEPLIBS =	../libisccc.@A@
+
+LIBS =		@LIBS@ @CMOCKA_LIBS@
+
+OBJS =
+SRCS =		result_test.c
+SUBDIRS =
+TARGETS =	result_test@EXEEXT@
+
+@BIND9_MAKE_RULES@
+
+result_test@EXEEXT@: result_test.@O@ ${ISCDEPLIBS} ${ISCCCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ result_test.@O@ \
+		${ISCCCLIBS} ${ISCLIBS} ${LIBS}
+
+unit::
+	sh ${top_builddir}/unit/unittest.sh
+
+clean distclean::
+	rm -f ${TARGETS}
+	rm -f atf.out
diff --git a/lib/isccc/tests/result_test.c b/lib/isccc/tests/result_test.c
new file mode 100644
index 0000000..b27ee22
--- /dev/null
+++ b/lib/isccc/tests/result_test.c
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/result.h>
+#include <isc/util.h>
+
+#include <isccc/result.h>
+
+/*
+ * Check tables are populated.
+ */
+static void
+tables(void **state) {
+	const char *str;
+	isc_result_t result;
+
+	UNUSED(state);
+
+	isccc_result_register();
+
+	for (result = ISC_RESULTCLASS_ISCCC;
+	     result < (ISC_RESULTCLASS_ISCCC + ISCCC_R_NRESULTS); result++)
+	{
+		str = isc_result_toid(result);
+		assert_non_null(str);
+		assert_string_not_equal(str, "(result code text not "
+					     "available)");
+
+		str = isc_result_totext(result);
+		assert_non_null(str);
+		assert_string_not_equal(str, "(result code text not "
+					     "available)");
+	}
+
+	str = isc_result_toid(result);
+	assert_non_null(str);
+	assert_string_equal(str, "(result code text not available)");
+
+	str = isc_result_totext(result);
+	assert_non_null(str);
+	assert_string_equal(str, "(result code text not available)");
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test(tables),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/isccc/version.c b/lib/isccc/version.c
new file mode 100644
index 0000000..95f9ee2
--- /dev/null
+++ b/lib/isccc/version.c
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <isccc/version.h>
+
+const char isccc_version[] = VERSION;
diff --git a/lib/isccc/win32/DLLMain.c b/lib/isccc/win32/DLLMain.c
new file mode 100644
index 0000000..62c6e53
--- /dev/null
+++ b/lib/isccc/win32/DLLMain.c
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <signal.h>
+#include <windows.h>
+
+/*
+ * Called when we enter the DLL
+ */
+__declspec(dllexport) BOOL WINAPI
+	DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
+	switch (fdwReason) {
+	/*
+	 * The DLL is loading due to process
+	 * initialization or a call to LoadLibrary.
+	 */
+	case DLL_PROCESS_ATTACH:
+		break;
+
+	/* The attached process creates a new thread.  */
+	case DLL_THREAD_ATTACH:
+		break;
+
+	/* The thread of the attached process terminates. */
+	case DLL_THREAD_DETACH:
+		break;
+
+	/*
+	 * The DLL is unloading from a process due to
+	 * process termination or a call to FreeLibrary.
+	 */
+	case DLL_PROCESS_DETACH:
+		break;
+
+	default:
+		break;
+	}
+	return (TRUE);
+}
diff --git a/lib/isccc/win32/libisccc.def b/lib/isccc/win32/libisccc.def
new file mode 100644
index 0000000..5cb5662
--- /dev/null
+++ b/lib/isccc/win32/libisccc.def
@@ -0,0 +1,65 @@
+LIBRARY libisccc
+
+; Exported Functions
+EXPORTS
+
+isccc_alist_create
+isccc_alist_alistp
+isccc_alist_emptyp
+isccc_alist_first
+isccc_alist_assq
+isccc_alist_delete
+isccc_alist_define
+isccc_alist_definestring
+isccc_alist_definebinary
+isccc_alist_lookup
+isccc_alist_lookupstring
+isccc_alist_lookupbinary
+isccc_alist_prettyprint
+isccc_base64_encode
+isccc_base64_decode
+isccc_cc_towire
+isccc_cc_fromwire
+isccc_cc_createmessage
+isccc_cc_createack
+isccc_cc_isack
+isccc_cc_isreply
+isccc_cc_createresponse
+isccc_cc_definestring
+isccc_cc_defineuint32
+isccc_cc_lookupstring
+isccc_cc_lookupuint32
+isccc_cc_createsymtab
+isccc_cc_cleansymtab
+isccc_cc_checkdup
+isccc_ccmsg_init
+isccc_ccmsg_setmaxsize
+isccc_ccmsg_readmessage
+isccc_ccmsg_cancelread
+isccc_ccmsg_invalidate
+isccc_result_totext
+isccc_result_register
+isccc_sexpr_cons
+isccc_sexpr_tconst
+isccc_sexpr_fromstring
+isccc_sexpr_frombinary
+isccc_sexpr_free
+isccc_sexpr_print
+isccc_sexpr_car
+isccc_sexpr_cdr
+isccc_sexpr_setcar
+isccc_sexpr_setcdr
+isccc_sexpr_addtolist
+isccc_sexpr_listp
+isccc_sexpr_emptyp
+isccc_sexpr_stringp
+isccc_sexpr_binaryp
+isccc_sexpr_tostring
+isccc_sexpr_tobinary
+isccc_symtab_destroy
+isccc_symtab_create
+isccc_symtab_destroy
+isccc_symtab_lookup
+isccc_symtab_define
+isccc_symtab_undefine
+isccc_symtab_foreach
diff --git a/lib/isccc/win32/libisccc.vcxproj.filters.in b/lib/isccc/win32/libisccc.vcxproj.filters.in
new file mode 100644
index 0000000..1d1ff10
--- /dev/null
+++ b/lib/isccc/win32/libisccc.vcxproj.filters.in
@@ -0,0 +1,87 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="libisccc.def" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="DLLMain.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="version.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\alist.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\base64.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\cc.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\ccmsg.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\result.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\sexpr.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\symtab.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\include\isccc\alist.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isccc\base64.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isccc\cc.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isccc\ccmsg.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isccc\events.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isccc\result.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isccc\sexpr.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isccc\symtab.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isccc\symtype.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isccc\types.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isccc\util.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isccc\version.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+</Project>
diff --git a/lib/isccc/win32/libisccc.vcxproj.in b/lib/isccc/win32/libisccc.vcxproj.in
new file mode 100644
index 0000000..86de718
--- /dev/null
+++ b/lib/isccc/win32/libisccc.vcxproj.in
@@ -0,0 +1,148 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{B556705F-1920-4400-878A-B259D3556047}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>libisccc</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;LIBISCCC_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>..\..\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <ModuleDefinitionFile>$(ProjectName).def</ModuleDefinitionFile>
+      <ImportLibrary>.\$(Configuration)\$(ProjectName).lib</ImportLibrary>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;LIBISCCC_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>..\..\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <ModuleDefinitionFile>$(ProjectName).def</ModuleDefinitionFile>
+      <ImportLibrary>.\$(Configuration)\$(ProjectName).lib</ImportLibrary>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <None Include="libisccc.def" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\alist.c" />
+    <ClCompile Include="..\base64.c" />
+    <ClCompile Include="..\cc.c" />
+    <ClCompile Include="..\ccmsg.c" />
+    <ClCompile Include="..\result.c" />
+    <ClCompile Include="..\sexpr.c" />
+    <ClCompile Include="..\symtab.c" />
+    <ClCompile Include="DLLMain.c" />
+    <ClCompile Include="version.c" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\include\isccc\alist.h" />
+    <ClInclude Include="..\include\isccc\base64.h" />
+    <ClInclude Include="..\include\isccc\cc.h" />
+    <ClInclude Include="..\include\isccc\ccmsg.h" />
+    <ClInclude Include="..\include\isccc\events.h" />
+    <ClInclude Include="..\include\isccc\result.h" />
+    <ClInclude Include="..\include\isccc\sexpr.h" />
+    <ClInclude Include="..\include\isccc\symtab.h" />
+    <ClInclude Include="..\include\isccc\symtype.h" />
+    <ClInclude Include="..\include\isccc\types.h" />
+    <ClInclude Include="..\include\isccc\util.h" />
+    <ClInclude Include="..\include\isccc\version.h" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/lib/isccc/win32/libisccc.vcxproj.user b/lib/isccc/win32/libisccc.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/lib/isccc/win32/libisccc.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/lib/isccc/win32/version.c b/lib/isccc/win32/version.c
new file mode 100644
index 0000000..6576b52
--- /dev/null
+++ b/lib/isccc/win32/version.c
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <versions.h>
+
+#include <isccc/version.h>
+
+LIBISCCC_EXTERNAL_DATA const char isccc_version[] = VERSION;
diff --git a/lib/isccfg/Kyuafile b/lib/isccfg/Kyuafile
new file mode 100644
index 0000000..c796010
--- /dev/null
+++ b/lib/isccfg/Kyuafile
@@ -0,0 +1,15 @@
+-- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+--
+-- SPDX-License-Identifier: MPL-2.0
+--
+-- This Source Code Form is subject to the terms of the Mozilla Public
+-- License, v. 2.0.  If a copy of the MPL was not distributed with this
+-- file, you can obtain one at https://mozilla.org/MPL/2.0/.
+--
+-- See the COPYRIGHT file distributed with this work for additional
+-- information regarding copyright ownership.
+
+syntax(2)
+test_suite('bind9')
+
+include('tests/Kyuafile')
diff --git a/lib/isccfg/Makefile.in b/lib/isccfg/Makefile.in
new file mode 100644
index 0000000..efe04b4
--- /dev/null
+++ b/lib/isccfg/Makefile.in
@@ -0,0 +1,79 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	-I. ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES}
+
+CDEFINES =
+CWARNINGS =
+
+ISCLIBS =	../../lib/isc/libisc.@A@
+DNSLIBS =	../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+ISCCFGLIBS =	../../lib/cfg/libisccfg.@A@
+
+ISCDEPLIBS =	../../lib/isc/libisc.@A@
+ISCCFGDEPLIBS =	libisccfg.@A@
+
+LIBS =		@LIBS@
+
+SUBDIRS =	include
+TESTDIRS =	@UNITTESTS@
+
+# Alphabetically
+OBJS =		aclconf.@O@ dnsconf.@O@ kaspconf.@O@ log.@O@ namedconf.@O@ \
+		parser.@O@ version.@O@
+
+# Alphabetically
+SRCS =		aclconf.c dnsconf.c kaspconf.c log.c namedconf.c \
+		parser.c version.c
+
+TARGETS = 	timestamp
+
+@BIND9_MAKE_RULES@
+
+version.@O@: version.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+		-DVERSION=\"${VERSION}\" \
+		-c ${srcdir}/version.c
+
+libisccfg.@SA@: ${OBJS}
+	${AR} ${ARFLAGS} $@ ${OBJS}
+	${RANLIB} $@
+
+libisccfg.la: ${OBJS}
+	 ${LIBTOOL_MODE_LINK} \
+		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisccfg.la -rpath ${libdir} \
+		-release "${VERSION}" \
+		${OBJS} ${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+timestamp: libisccfg.@A@
+	touch timestamp
+
+testdirs: libisccfg.@A@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
+
+install:: timestamp installdirs
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libisccfg.@A@ ${DESTDIR}${libdir}
+
+uninstall::
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libisccfg.@A@
+
+clean distclean::
+	rm -f libisccfg.@A@ timestamp
diff --git a/lib/isccfg/aclconf.c b/lib/isccfg/aclconf.c
new file mode 100644
index 0000000..f0d3b18
--- /dev/null
+++ b/lib/isccfg/aclconf.c
@@ -0,0 +1,934 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h> /* Required for HP/UX (and others?) */
+#include <isc/util.h>
+
+#include <dns/acl.h>
+#include <dns/fixedname.h>
+#include <dns/iptable.h>
+#include <dns/log.h>
+
+#include <isccfg/aclconf.h>
+#include <isccfg/namedconf.h>
+
+#define LOOP_MAGIC ISC_MAGIC('L', 'O', 'O', 'P')
+
+#if defined(HAVE_GEOIP2)
+static const char *geoip_dbnames[] = {
+	"country", "city", "asnum", "isp", "domain", NULL,
+};
+#endif /* if defined(HAVE_GEOIP2) */
+
+isc_result_t
+cfg_aclconfctx_create(isc_mem_t *mctx, cfg_aclconfctx_t **ret) {
+	cfg_aclconfctx_t *actx;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	actx = isc_mem_get(mctx, sizeof(*actx));
+
+	isc_refcount_init(&actx->references, 1);
+
+	actx->mctx = NULL;
+	isc_mem_attach(mctx, &actx->mctx);
+	ISC_LIST_INIT(actx->named_acl_cache);
+
+#if defined(HAVE_GEOIP2)
+	actx->geoip = NULL;
+#endif /* if defined(HAVE_GEOIP2) */
+
+	*ret = actx;
+	return (ISC_R_SUCCESS);
+}
+
+void
+cfg_aclconfctx_attach(cfg_aclconfctx_t *src, cfg_aclconfctx_t **dest) {
+	REQUIRE(src != NULL);
+	REQUIRE(dest != NULL && *dest == NULL);
+
+	isc_refcount_increment(&src->references);
+	*dest = src;
+}
+
+void
+cfg_aclconfctx_detach(cfg_aclconfctx_t **actxp) {
+	REQUIRE(actxp != NULL && *actxp != NULL);
+	cfg_aclconfctx_t *actx = *actxp;
+	*actxp = NULL;
+
+	if (isc_refcount_decrement(&actx->references) == 1) {
+		dns_acl_t *dacl, *next;
+		isc_refcount_destroy(&actx->references);
+		for (dacl = ISC_LIST_HEAD(actx->named_acl_cache); dacl != NULL;
+		     dacl = next)
+		{
+			next = ISC_LIST_NEXT(dacl, nextincache);
+			ISC_LIST_UNLINK(actx->named_acl_cache, dacl,
+					nextincache);
+			dns_acl_detach(&dacl);
+		}
+		isc_mem_putanddetach(&actx->mctx, actx, sizeof(*actx));
+	}
+}
+
+/*
+ * Find the definition of the named acl whose name is "name".
+ */
+static isc_result_t
+get_acl_def(const cfg_obj_t *cctx, const char *name, const cfg_obj_t **ret) {
+	isc_result_t result;
+	const cfg_obj_t *acls = NULL;
+	const cfg_listelt_t *elt;
+
+	result = cfg_map_get(cctx, "acl", &acls);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	for (elt = cfg_list_first(acls); elt != NULL; elt = cfg_list_next(elt))
+	{
+		const cfg_obj_t *acl = cfg_listelt_value(elt);
+		const char *aclname =
+			cfg_obj_asstring(cfg_tuple_get(acl, "name"));
+		if (strcasecmp(aclname, name) == 0) {
+			if (ret != NULL) {
+				*ret = cfg_tuple_get(acl, "value");
+			}
+			return (ISC_R_SUCCESS);
+		}
+	}
+	return (ISC_R_NOTFOUND);
+}
+
+static isc_result_t
+convert_named_acl(const cfg_obj_t *nameobj, const cfg_obj_t *cctx,
+		  isc_log_t *lctx, cfg_aclconfctx_t *ctx, isc_mem_t *mctx,
+		  unsigned int nest_level, dns_acl_t **target) {
+	isc_result_t result;
+	const cfg_obj_t *cacl = NULL;
+	dns_acl_t *dacl;
+	dns_acl_t loop;
+	const char *aclname = cfg_obj_asstring(nameobj);
+
+	/* Look for an already-converted version. */
+	for (dacl = ISC_LIST_HEAD(ctx->named_acl_cache); dacl != NULL;
+	     dacl = ISC_LIST_NEXT(dacl, nextincache))
+	{
+		/* cppcheck-suppress nullPointerRedundantCheck symbolName=dacl
+		 */
+		if (strcasecmp(aclname, dacl->name) == 0) {
+			if (ISC_MAGIC_VALID(dacl, LOOP_MAGIC)) {
+				cfg_obj_log(nameobj, lctx, ISC_LOG_ERROR,
+					    "acl loop detected: %s", aclname);
+				return (ISC_R_FAILURE);
+			}
+			dns_acl_attach(dacl, target);
+			return (ISC_R_SUCCESS);
+		}
+	}
+	/* Not yet converted.  Convert now. */
+	result = get_acl_def(cctx, aclname, &cacl);
+	if (result != ISC_R_SUCCESS) {
+		cfg_obj_log(nameobj, lctx, ISC_LOG_WARNING,
+			    "undefined ACL '%s'", aclname);
+		return (result);
+	}
+	/*
+	 * Add a loop detection element.
+	 */
+	memset(&loop, 0, sizeof(loop));
+	ISC_LINK_INIT(&loop, nextincache);
+	DE_CONST(aclname, loop.name);
+	loop.magic = LOOP_MAGIC;
+	ISC_LIST_APPEND(ctx->named_acl_cache, &loop, nextincache);
+	result = cfg_acl_fromconfig(cacl, cctx, lctx, ctx, mctx, nest_level,
+				    &dacl);
+	ISC_LIST_UNLINK(ctx->named_acl_cache, &loop, nextincache);
+	loop.magic = 0;
+	loop.name = NULL;
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	dacl->name = isc_mem_strdup(dacl->mctx, aclname);
+	ISC_LIST_APPEND(ctx->named_acl_cache, dacl, nextincache);
+	dns_acl_attach(dacl, target);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+convert_keyname(const cfg_obj_t *keyobj, isc_log_t *lctx, isc_mem_t *mctx,
+		dns_name_t *dnsname) {
+	isc_result_t result;
+	isc_buffer_t buf;
+	dns_fixedname_t fixname;
+	unsigned int keylen;
+	const char *txtname = cfg_obj_asstring(keyobj);
+
+	keylen = strlen(txtname);
+	isc_buffer_constinit(&buf, txtname, keylen);
+	isc_buffer_add(&buf, keylen);
+	dns_fixedname_init(&fixname);
+	result = dns_name_fromtext(dns_fixedname_name(&fixname), &buf,
+				   dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		cfg_obj_log(keyobj, lctx, ISC_LOG_WARNING,
+			    "key name '%s' is not a valid domain name",
+			    txtname);
+		return (result);
+	}
+	dns_name_dup(dns_fixedname_name(&fixname), mctx, dnsname);
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Recursively pre-parse an ACL definition to find the total number
+ * of non-IP-prefix elements (localhost, localnets, key) in all nested
+ * ACLs, so that the parent will have enough space allocated for the
+ * elements table after all the nested ACLs have been merged in to the
+ * parent.
+ */
+static isc_result_t
+count_acl_elements(const cfg_obj_t *caml, const cfg_obj_t *cctx,
+		   isc_log_t *lctx, cfg_aclconfctx_t *ctx, isc_mem_t *mctx,
+		   uint32_t *count, bool *has_negative) {
+	const cfg_listelt_t *elt;
+	isc_result_t result;
+	uint32_t n = 0;
+
+	REQUIRE(count != NULL);
+
+	if (has_negative != NULL) {
+		*has_negative = false;
+	}
+
+	for (elt = cfg_list_first(caml); elt != NULL; elt = cfg_list_next(elt))
+	{
+		const cfg_obj_t *ce = cfg_listelt_value(elt);
+
+		/* might be a negated element, in which case get the value. */
+		if (cfg_obj_istuple(ce)) {
+			const cfg_obj_t *negated = cfg_tuple_get(ce, "negated");
+			if (!cfg_obj_isvoid(negated)) {
+				ce = negated;
+				if (has_negative != NULL) {
+					*has_negative = true;
+				}
+			}
+		}
+
+		if (cfg_obj_istype(ce, &cfg_type_keyref)) {
+			n++;
+		} else if (cfg_obj_islist(ce)) {
+			bool negative;
+			uint32_t sub;
+			result = count_acl_elements(ce, cctx, lctx, ctx, mctx,
+						    &sub, &negative);
+			if (result != ISC_R_SUCCESS) {
+				return (result);
+			}
+			n += sub;
+			if (negative) {
+				n++;
+			}
+#if defined(HAVE_GEOIP2)
+		} else if (cfg_obj_istuple(ce) &&
+			   cfg_obj_isvoid(cfg_tuple_get(ce, "negated")))
+		{
+			n++;
+#endif /* HAVE_GEOIP2 */
+		} else if (cfg_obj_isstring(ce)) {
+			const char *name = cfg_obj_asstring(ce);
+			if (strcasecmp(name, "localhost") == 0 ||
+			    strcasecmp(name, "localnets") == 0 ||
+			    strcasecmp(name, "none") == 0)
+			{
+				n++;
+			} else if (strcasecmp(name, "any") != 0) {
+				dns_acl_t *inneracl = NULL;
+				/*
+				 * Convert any named acls we reference now if
+				 * they have not already been converted.
+				 */
+				result = convert_named_acl(ce, cctx, lctx, ctx,
+							   mctx, 0, &inneracl);
+				if (result == ISC_R_SUCCESS) {
+					if (inneracl->has_negatives) {
+						n++;
+					} else {
+						n += inneracl->length;
+					}
+					dns_acl_detach(&inneracl);
+				} else {
+					return (result);
+				}
+			}
+		}
+	}
+
+	*count = n;
+	return (ISC_R_SUCCESS);
+}
+
+#if defined(HAVE_GEOIP2)
+static dns_geoip_subtype_t
+get_subtype(const cfg_obj_t *obj, isc_log_t *lctx, dns_geoip_subtype_t subtype,
+	    const char *dbname) {
+	if (dbname == NULL) {
+		return (subtype);
+	}
+
+	switch (subtype) {
+	case dns_geoip_countrycode:
+		if (strcasecmp(dbname, "city") == 0) {
+			return (dns_geoip_city_countrycode);
+		} else if (strcasecmp(dbname, "country") == 0) {
+			return (dns_geoip_country_code);
+		}
+		cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
+			    "invalid database specified for "
+			    "country search: ignored");
+		return (subtype);
+	case dns_geoip_countryname:
+		if (strcasecmp(dbname, "city") == 0) {
+			return (dns_geoip_city_countryname);
+		} else if (strcasecmp(dbname, "country") == 0) {
+			return (dns_geoip_country_name);
+		}
+		cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
+			    "invalid database specified for "
+			    "country search: ignored");
+		return (subtype);
+	case dns_geoip_continentcode:
+		if (strcasecmp(dbname, "city") == 0) {
+			return (dns_geoip_city_continentcode);
+		} else if (strcasecmp(dbname, "country") == 0) {
+			return (dns_geoip_country_continentcode);
+		}
+		cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
+			    "invalid database specified for "
+			    "continent search: ignored");
+		return (subtype);
+	case dns_geoip_continent:
+		if (strcasecmp(dbname, "city") == 0) {
+			return (dns_geoip_city_continent);
+		} else if (strcasecmp(dbname, "country") == 0) {
+			return (dns_geoip_country_continent);
+		}
+		cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
+			    "invalid database specified for "
+			    "continent search: ignored");
+		return (subtype);
+	case dns_geoip_region:
+		if (strcasecmp(dbname, "city") == 0) {
+			return (dns_geoip_city_region);
+		}
+		cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
+			    "invalid database specified for "
+			    "region/subdivision search: ignored");
+		return (subtype);
+	case dns_geoip_regionname:
+		if (strcasecmp(dbname, "city") == 0) {
+			return (dns_geoip_city_regionname);
+		}
+		cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
+			    "invalid database specified for "
+			    "region/subdivision search: ignored");
+		return (subtype);
+
+	/*
+	 * Log a warning if the wrong database was specified
+	 * on an unambiguous query
+	 */
+	case dns_geoip_city_name:
+	case dns_geoip_city_postalcode:
+	case dns_geoip_city_metrocode:
+	case dns_geoip_city_areacode:
+	case dns_geoip_city_timezonecode:
+		if (strcasecmp(dbname, "city") != 0) {
+			cfg_obj_log(obj, lctx, ISC_LOG_WARNING,
+				    "invalid database specified for "
+				    "a 'city'-only search type: ignoring");
+		}
+		return (subtype);
+	case dns_geoip_isp_name:
+		if (strcasecmp(dbname, "isp") != 0) {
+			cfg_obj_log(obj, lctx, ISC_LOG_WARNING,
+				    "invalid database specified for "
+				    "an 'isp' search: ignoring");
+		}
+		return (subtype);
+	case dns_geoip_org_name:
+		if (strcasecmp(dbname, "org") != 0) {
+			cfg_obj_log(obj, lctx, ISC_LOG_WARNING,
+				    "invalid database specified for "
+				    "an 'org' search: ignoring");
+		}
+		return (subtype);
+	case dns_geoip_as_asnum:
+		if (strcasecmp(dbname, "asnum") != 0) {
+			cfg_obj_log(obj, lctx, ISC_LOG_WARNING,
+				    "invalid database specified for "
+				    "an 'asnum' search: ignoring");
+		}
+		return (subtype);
+	case dns_geoip_domain_name:
+		if (strcasecmp(dbname, "domain") != 0) {
+			cfg_obj_log(obj, lctx, ISC_LOG_WARNING,
+				    "invalid database specified for "
+				    "a 'domain' search: ignoring");
+		}
+		return (subtype);
+	case dns_geoip_netspeed_id:
+		if (strcasecmp(dbname, "netspeed") != 0) {
+			cfg_obj_log(obj, lctx, ISC_LOG_WARNING,
+				    "invalid database specified for "
+				    "a 'netspeed' search: ignoring");
+		}
+		return (subtype);
+	default:
+		UNREACHABLE();
+	}
+}
+
+static bool
+geoip_can_answer(dns_aclelement_t *elt, cfg_aclconfctx_t *ctx) {
+	if (ctx->geoip == NULL) {
+		return (true);
+	}
+
+	switch (elt->geoip_elem.subtype) {
+	case dns_geoip_countrycode:
+	case dns_geoip_countryname:
+	case dns_geoip_continentcode:
+	case dns_geoip_continent:
+		if (ctx->geoip->country != NULL || ctx->geoip->city != NULL) {
+			return (true);
+		}
+		break;
+	case dns_geoip_country_code:
+	case dns_geoip_country_name:
+	case dns_geoip_country_continentcode:
+	case dns_geoip_country_continent:
+		if (ctx->geoip->country != NULL) {
+			return (true);
+		}
+		/* city db can answer these too, so: */
+		FALLTHROUGH;
+	case dns_geoip_region:
+	case dns_geoip_regionname:
+	case dns_geoip_city_countrycode:
+	case dns_geoip_city_countryname:
+	case dns_geoip_city_region:
+	case dns_geoip_city_regionname:
+	case dns_geoip_city_name:
+	case dns_geoip_city_postalcode:
+	case dns_geoip_city_metrocode:
+	case dns_geoip_city_areacode:
+	case dns_geoip_city_continentcode:
+	case dns_geoip_city_continent:
+	case dns_geoip_city_timezonecode:
+		if (ctx->geoip->city != NULL) {
+			return (true);
+		}
+		break;
+	case dns_geoip_isp_name:
+		if (ctx->geoip->isp != NULL) {
+			return (true);
+		}
+		break;
+	case dns_geoip_as_asnum:
+	case dns_geoip_org_name:
+		if (ctx->geoip->as != NULL) {
+			return (true);
+		}
+		break;
+	case dns_geoip_domain_name:
+		if (ctx->geoip->domain != NULL) {
+			return (true);
+		}
+		break;
+	default:
+		break;
+	}
+
+	return (false);
+}
+
+static isc_result_t
+parse_geoip_element(const cfg_obj_t *obj, isc_log_t *lctx,
+		    cfg_aclconfctx_t *ctx, dns_aclelement_t *dep) {
+	const cfg_obj_t *ge;
+	const char *dbname = NULL;
+	const char *stype = NULL, *search = NULL;
+	dns_geoip_subtype_t subtype;
+	dns_aclelement_t de;
+	size_t len;
+
+	REQUIRE(dep != NULL);
+
+	de = *dep;
+
+	ge = cfg_tuple_get(obj, "db");
+	if (!cfg_obj_isvoid(ge)) {
+		int i;
+
+		dbname = cfg_obj_asstring(ge);
+
+		for (i = 0; geoip_dbnames[i] != NULL; i++) {
+			if (strcasecmp(dbname, geoip_dbnames[i]) == 0) {
+				break;
+			}
+		}
+		if (geoip_dbnames[i] == NULL) {
+			cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
+				    "database '%s' is not defined for GeoIP2",
+				    dbname);
+			return (ISC_R_UNEXPECTED);
+		}
+	}
+
+	stype = cfg_obj_asstring(cfg_tuple_get(obj, "subtype"));
+	search = cfg_obj_asstring(cfg_tuple_get(obj, "search"));
+	len = strlen(search);
+
+	if (len == 0) {
+		cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
+			    "zero-length geoip search field");
+		return (ISC_R_FAILURE);
+	}
+
+	if (strcasecmp(stype, "country") == 0 && len == 2) {
+		/* Two-letter country code */
+		subtype = dns_geoip_countrycode;
+		strlcpy(de.geoip_elem.as_string, search,
+			sizeof(de.geoip_elem.as_string));
+	} else if (strcasecmp(stype, "country") == 0 && len == 3) {
+		/* Three-letter country code */
+		cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
+			    "three-letter country codes are unavailable "
+			    "in GeoIP2 databases");
+		return (ISC_R_FAILURE);
+	} else if (strcasecmp(stype, "country") == 0) {
+		/* Country name */
+		subtype = dns_geoip_countryname;
+		strlcpy(de.geoip_elem.as_string, search,
+			sizeof(de.geoip_elem.as_string));
+	} else if (strcasecmp(stype, "continent") == 0 && len == 2) {
+		/* Two-letter continent code */
+		subtype = dns_geoip_continentcode;
+		strlcpy(de.geoip_elem.as_string, search,
+			sizeof(de.geoip_elem.as_string));
+	} else if (strcasecmp(stype, "continent") == 0) {
+		subtype = dns_geoip_continent;
+		strlcpy(de.geoip_elem.as_string, search,
+			sizeof(de.geoip_elem.as_string));
+	} else if ((strcasecmp(stype, "region") == 0 ||
+		    strcasecmp(stype, "subdivision") == 0) &&
+		   len == 2)
+	{
+		/* Two-letter region code */
+		subtype = dns_geoip_region;
+		strlcpy(de.geoip_elem.as_string, search,
+			sizeof(de.geoip_elem.as_string));
+	} else if (strcasecmp(stype, "region") == 0 ||
+		   strcasecmp(stype, "subdivision") == 0)
+	{
+		/* Region name */
+		subtype = dns_geoip_regionname;
+		strlcpy(de.geoip_elem.as_string, search,
+			sizeof(de.geoip_elem.as_string));
+	} else if (strcasecmp(stype, "city") == 0) {
+		/* City name */
+		subtype = dns_geoip_city_name;
+		strlcpy(de.geoip_elem.as_string, search,
+			sizeof(de.geoip_elem.as_string));
+	} else if (strcasecmp(stype, "postal") == 0 ||
+		   strcasecmp(stype, "postalcode") == 0)
+	{
+		if (len < 7) {
+			subtype = dns_geoip_city_postalcode;
+			strlcpy(de.geoip_elem.as_string, search,
+				sizeof(de.geoip_elem.as_string));
+		} else {
+			cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
+				    "geoiop postal code (%s) too long", search);
+			return (ISC_R_FAILURE);
+		}
+	} else if (strcasecmp(stype, "metro") == 0 ||
+		   strcasecmp(stype, "metrocode") == 0)
+	{
+		subtype = dns_geoip_city_metrocode;
+		de.geoip_elem.as_int = atoi(search);
+	} else if (strcasecmp(stype, "tz") == 0 ||
+		   strcasecmp(stype, "timezone") == 0)
+	{
+		subtype = dns_geoip_city_timezonecode;
+		strlcpy(de.geoip_elem.as_string, search,
+			sizeof(de.geoip_elem.as_string));
+	} else if (strcasecmp(stype, "isp") == 0) {
+		subtype = dns_geoip_isp_name;
+		strlcpy(de.geoip_elem.as_string, search,
+			sizeof(de.geoip_elem.as_string));
+	} else if (strcasecmp(stype, "asnum") == 0) {
+		subtype = dns_geoip_as_asnum;
+		strlcpy(de.geoip_elem.as_string, search,
+			sizeof(de.geoip_elem.as_string));
+	} else if (strcasecmp(stype, "org") == 0) {
+		subtype = dns_geoip_org_name;
+		strlcpy(de.geoip_elem.as_string, search,
+			sizeof(de.geoip_elem.as_string));
+	} else if (strcasecmp(stype, "domain") == 0) {
+		subtype = dns_geoip_domain_name;
+		strlcpy(de.geoip_elem.as_string, search,
+			sizeof(de.geoip_elem.as_string));
+	} else {
+		cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
+			    "type '%s' is unavailable "
+			    "in GeoIP2 databases",
+			    stype);
+		return (ISC_R_FAILURE);
+	}
+
+	de.geoip_elem.subtype = get_subtype(obj, lctx, subtype, dbname);
+
+	if (!geoip_can_answer(&de, ctx)) {
+		cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
+			    "no GeoIP2 database installed which can answer "
+			    "queries of type '%s'",
+			    stype);
+		return (ISC_R_FAILURE);
+	}
+
+	*dep = de;
+
+	return (ISC_R_SUCCESS);
+}
+#endif /* HAVE_GEOIP2 */
+
+isc_result_t
+cfg_acl_fromconfig(const cfg_obj_t *caml, const cfg_obj_t *cctx,
+		   isc_log_t *lctx, cfg_aclconfctx_t *ctx, isc_mem_t *mctx,
+		   unsigned int nest_level, dns_acl_t **target) {
+	return (cfg_acl_fromconfig2(caml, cctx, lctx, ctx, mctx, nest_level, 0,
+				    target));
+}
+
+isc_result_t
+cfg_acl_fromconfig2(const cfg_obj_t *caml, const cfg_obj_t *cctx,
+		    isc_log_t *lctx, cfg_aclconfctx_t *ctx, isc_mem_t *mctx,
+		    unsigned int nest_level, uint16_t family,
+		    dns_acl_t **target) {
+	isc_result_t result;
+	dns_acl_t *dacl = NULL, *inneracl = NULL;
+	dns_aclelement_t *de;
+	const cfg_listelt_t *elt;
+	dns_iptable_t *iptab;
+	int new_nest_level = 0;
+	bool setpos;
+
+	if (nest_level != 0) {
+		new_nest_level = nest_level - 1;
+	}
+
+	REQUIRE(ctx != NULL);
+	REQUIRE(target != NULL);
+	REQUIRE(*target == NULL || DNS_ACL_VALID(*target));
+
+	if (*target != NULL) {
+		/*
+		 * If target already points to an ACL, then we're being
+		 * called recursively to configure a nested ACL.  The
+		 * nested ACL's contents should just be absorbed into its
+		 * parent ACL.
+		 */
+		dns_acl_attach(*target, &dacl);
+		dns_acl_detach(target);
+	} else {
+		/*
+		 * Need to allocate a new ACL structure.  Count the items
+		 * in the ACL definition that will require space in the
+		 * elements table.  (Note that if nest_level is nonzero,
+		 * *everything* goes in the elements table.)
+		 */
+		uint32_t nelem;
+
+		if (nest_level == 0) {
+			result = count_acl_elements(caml, cctx, lctx, ctx, mctx,
+						    &nelem, NULL);
+			if (result != ISC_R_SUCCESS) {
+				return (result);
+			}
+		} else {
+			nelem = cfg_list_length(caml, false);
+		}
+
+		result = dns_acl_create(mctx, nelem, &dacl);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+
+	de = dacl->elements;
+	for (elt = cfg_list_first(caml); elt != NULL; elt = cfg_list_next(elt))
+	{
+		const cfg_obj_t *ce = cfg_listelt_value(elt);
+		bool neg = false;
+
+		INSIST(dacl->length <= dacl->alloc);
+
+		if (cfg_obj_istuple(ce)) {
+			/* Might be a negated element */
+			const cfg_obj_t *negated = cfg_tuple_get(ce, "negated");
+			if (!cfg_obj_isvoid(negated)) {
+				neg = true;
+				dacl->has_negatives = true;
+				ce = negated;
+			}
+		}
+
+		/*
+		 * If nest_level is nonzero, then every element is
+		 * to be stored as a separate, nested ACL rather than
+		 * merged into the main iptable.
+		 */
+		iptab = dacl->iptable;
+
+		if (nest_level != 0) {
+			result = dns_acl_create(mctx,
+						cfg_list_length(ce, false),
+						&de->nestedacl);
+			if (result != ISC_R_SUCCESS) {
+				goto cleanup;
+			}
+			iptab = de->nestedacl->iptable;
+		}
+
+		if (cfg_obj_isnetprefix(ce)) {
+			/* Network prefix */
+			isc_netaddr_t addr;
+			unsigned int bitlen;
+
+			cfg_obj_asnetprefix(ce, &addr, &bitlen);
+			if (family != 0 && family != addr.family) {
+				char buf[ISC_NETADDR_FORMATSIZE + 1];
+				isc_netaddr_format(&addr, buf, sizeof(buf));
+				cfg_obj_log(ce, lctx, ISC_LOG_WARNING,
+					    "'%s': incorrect address family; "
+					    "ignoring",
+					    buf);
+				if (nest_level != 0) {
+					dns_acl_detach(&de->nestedacl);
+				}
+				continue;
+			}
+			result = isc_netaddr_prefixok(&addr, bitlen);
+			if (result != ISC_R_SUCCESS) {
+				char buf[ISC_NETADDR_FORMATSIZE + 1];
+				isc_netaddr_format(&addr, buf, sizeof(buf));
+				cfg_obj_log(ce, lctx, ISC_LOG_ERROR,
+					    "'%s/%u': address/prefix length "
+					    "mismatch",
+					    buf, bitlen);
+				goto cleanup;
+			}
+
+			/*
+			 * If nesting ACLs (nest_level != 0), we negate
+			 * the nestedacl element, not the iptable entry.
+			 */
+			setpos = (nest_level != 0 || !neg);
+			result = dns_iptable_addprefix(iptab, &addr, bitlen,
+						       setpos);
+			if (result != ISC_R_SUCCESS) {
+				goto cleanup;
+			}
+
+			if (nest_level > 0) {
+				INSIST(dacl->length < dacl->alloc);
+				de->type = dns_aclelementtype_nestedacl;
+				de->negative = neg;
+			} else {
+				continue;
+			}
+		} else if (cfg_obj_islist(ce)) {
+			/*
+			 * If we're nesting ACLs, put the nested
+			 * ACL onto the elements list; otherwise
+			 * merge it into *this* ACL.  We nest ACLs
+			 * in two cases: 1) sortlist, 2) if the
+			 * nested ACL contains negated members.
+			 */
+			if (inneracl != NULL) {
+				dns_acl_detach(&inneracl);
+			}
+			result = cfg_acl_fromconfig(ce, cctx, lctx, ctx, mctx,
+						    new_nest_level, &inneracl);
+			if (result != ISC_R_SUCCESS) {
+				goto cleanup;
+			}
+		nested_acl:
+			if (nest_level > 0 || inneracl->has_negatives) {
+				INSIST(dacl->length < dacl->alloc);
+				de->type = dns_aclelementtype_nestedacl;
+				de->negative = neg;
+				if (de->nestedacl != NULL) {
+					dns_acl_detach(&de->nestedacl);
+				}
+				dns_acl_attach(inneracl, &de->nestedacl);
+				dns_acl_detach(&inneracl);
+				/* Fall through. */
+			} else {
+				INSIST(dacl->length + inneracl->length <=
+				       dacl->alloc);
+				dns_acl_merge(dacl, inneracl, !neg);
+				de += inneracl->length; /* elements added */
+				dns_acl_detach(&inneracl);
+				INSIST(dacl->length <= dacl->alloc);
+				continue;
+			}
+		} else if (cfg_obj_istype(ce, &cfg_type_keyref)) {
+			/* Key name. */
+			INSIST(dacl->length < dacl->alloc);
+			de->type = dns_aclelementtype_keyname;
+			de->negative = neg;
+			dns_name_init(&de->keyname, NULL);
+			result = convert_keyname(ce, lctx, mctx, &de->keyname);
+			if (result != ISC_R_SUCCESS) {
+				goto cleanup;
+			}
+#if defined(HAVE_GEOIP2)
+		} else if (cfg_obj_istuple(ce) &&
+			   cfg_obj_isvoid(cfg_tuple_get(ce, "negated")))
+		{
+			INSIST(dacl->length < dacl->alloc);
+			result = parse_geoip_element(ce, lctx, ctx, de);
+			if (result != ISC_R_SUCCESS) {
+				goto cleanup;
+			}
+			de->type = dns_aclelementtype_geoip;
+			de->negative = neg;
+#endif /* HAVE_GEOIP2 */
+		} else if (cfg_obj_isstring(ce)) {
+			/* ACL name. */
+			const char *name = cfg_obj_asstring(ce);
+			if (strcasecmp(name, "any") == 0) {
+				/* Iptable entry with zero bit length. */
+				setpos = (nest_level != 0 || !neg);
+				result = dns_iptable_addprefix(iptab, NULL, 0,
+							       setpos);
+				if (result != ISC_R_SUCCESS) {
+					goto cleanup;
+				}
+
+				if (nest_level != 0) {
+					INSIST(dacl->length < dacl->alloc);
+					de->type = dns_aclelementtype_nestedacl;
+					de->negative = neg;
+				} else {
+					continue;
+				}
+			} else if (strcasecmp(name, "none") == 0) {
+				/* none == !any */
+				/*
+				 * We don't unconditional set
+				 * dacl->has_negatives and
+				 * de->negative to true so we can handle
+				 * "!none;".
+				 */
+				setpos = (nest_level != 0 || neg);
+				result = dns_iptable_addprefix(iptab, NULL, 0,
+							       setpos);
+				if (result != ISC_R_SUCCESS) {
+					goto cleanup;
+				}
+
+				if (!neg) {
+					dacl->has_negatives = !neg;
+				}
+
+				if (nest_level != 0) {
+					INSIST(dacl->length < dacl->alloc);
+					de->type = dns_aclelementtype_nestedacl;
+					de->negative = !neg;
+				} else {
+					continue;
+				}
+			} else if (strcasecmp(name, "localhost") == 0) {
+				INSIST(dacl->length < dacl->alloc);
+				de->type = dns_aclelementtype_localhost;
+				de->negative = neg;
+			} else if (strcasecmp(name, "localnets") == 0) {
+				INSIST(dacl->length < dacl->alloc);
+				de->type = dns_aclelementtype_localnets;
+				de->negative = neg;
+			} else {
+				if (inneracl != NULL) {
+					dns_acl_detach(&inneracl);
+				}
+				/*
+				 * This call should just find the cached
+				 * of the named acl.
+				 */
+				result = convert_named_acl(ce, cctx, lctx, ctx,
+							   mctx, new_nest_level,
+							   &inneracl);
+				if (result != ISC_R_SUCCESS) {
+					goto cleanup;
+				}
+
+				goto nested_acl;
+			}
+		} else {
+			cfg_obj_log(ce, lctx, ISC_LOG_WARNING,
+				    "address match list contains "
+				    "unsupported element type");
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+
+		/*
+		 * This should only be reached for localhost, localnets
+		 * and keyname elements, and nested ACLs if nest_level is
+		 * nonzero (i.e., in sortlists).
+		 */
+		if (de->nestedacl != NULL &&
+		    de->type != dns_aclelementtype_nestedacl)
+		{
+			dns_acl_detach(&de->nestedacl);
+		}
+
+		dns_acl_node_count(dacl)++;
+		de->node_num = dns_acl_node_count(dacl);
+
+		dacl->length++;
+		de++;
+		INSIST(dacl->length <= dacl->alloc);
+	}
+
+	dns_acl_attach(dacl, target);
+	result = ISC_R_SUCCESS;
+
+cleanup:
+	if (inneracl != NULL) {
+		dns_acl_detach(&inneracl);
+	}
+	dns_acl_detach(&dacl);
+	return (result);
+}
diff --git a/lib/isccfg/dnsconf.c b/lib/isccfg/dnsconf.c
new file mode 100644
index 0000000..3c69256
--- /dev/null
+++ b/lib/isccfg/dnsconf.c
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <isccfg/cfg.h>
+#include <isccfg/grammar.h>
+
+/*%
+ * A trusted key, as used in the "trusted-keys" statement.
+ */
+static cfg_tuplefielddef_t trustedkey_fields[] = {
+	{ "name", &cfg_type_astring, 0 },
+	{ "flags", &cfg_type_uint32, 0 },
+	{ "protocol", &cfg_type_uint32, 0 },
+	{ "algorithm", &cfg_type_uint32, 0 },
+	{ "key", &cfg_type_qstring, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_trustedkey = { "trustedkey",	   cfg_parse_tuple,
+					  cfg_print_tuple, cfg_doc_tuple,
+					  &cfg_rep_tuple,  trustedkey_fields };
+
+static cfg_type_t cfg_type_trustedkeys = { "trusted-keys",
+					   cfg_parse_bracketed_list,
+					   cfg_print_bracketed_list,
+					   cfg_doc_bracketed_list,
+					   &cfg_rep_list,
+					   &cfg_type_trustedkey };
+
+/*%
+ * Clauses that can be found within the top level of the dns.conf
+ * file only.
+ */
+static cfg_clausedef_t dnsconf_clauses[] = {
+	{ "trusted-keys", &cfg_type_trustedkeys, CFG_CLAUSEFLAG_MULTI },
+	{ NULL, NULL, 0 }
+};
+
+/*% The top-level dns.conf syntax. */
+
+static cfg_clausedef_t *dnsconf_clausesets[] = { dnsconf_clauses, NULL };
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_dnsconf = {
+	"dnsconf",	 cfg_parse_mapbody, cfg_print_mapbody,
+	cfg_doc_mapbody, &cfg_rep_map,	    dnsconf_clausesets
+};
diff --git a/lib/isccfg/include/.clang-format b/lib/isccfg/include/.clang-format
new file mode 120000
index 0000000..0e62f72
--- /dev/null
+++ b/lib/isccfg/include/.clang-format
@@ -0,0 +1 @@
+../../../.clang-format.headers
\ No newline at end of file
diff --git a/lib/isccfg/include/Makefile.in b/lib/isccfg/include/Makefile.in
new file mode 100644
index 0000000..20b0c35
--- /dev/null
+++ b/lib/isccfg/include/Makefile.in
@@ -0,0 +1,19 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	isccfg
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/isccfg/include/isccfg/Makefile.in b/lib/isccfg/include/isccfg/Makefile.in
new file mode 100644
index 0000000..208db25
--- /dev/null
+++ b/lib/isccfg/include/isccfg/Makefile.in
@@ -0,0 +1,42 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+#
+# Only list headers that are to be installed and are not
+# machine generated.  The latter are handled specially in the
+# install target below.
+#
+HEADERS =	aclconf.h cfg.h dnsconf.h grammar.h kaspconf.h log.h \
+		namedconf.h version.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isccfg
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/isccfg || exit 1; \
+	done
+
+uninstall::
+	for i in ${HEADERS}; do \
+		rm -f ${DESTDIR}${includedir}/isccfg/$$i || exit 1; \
+	done
diff --git a/lib/isccfg/include/isccfg/aclconf.h b/lib/isccfg/include/isccfg/aclconf.h
new file mode 100644
index 0000000..b0bceca
--- /dev/null
+++ b/lib/isccfg/include/isccfg/aclconf.h
@@ -0,0 +1,94 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISCCFG_ACLCONF_H
+#define ISCCFG_ACLCONF_H 1
+
+#include <inttypes.h>
+
+#include <isc/lang.h>
+
+#include <dns/geoip.h>
+#include <dns/types.h>
+
+#include <isccfg/cfg.h>
+
+typedef struct cfg_aclconfctx {
+	ISC_LIST(dns_acl_t) named_acl_cache;
+	isc_mem_t *mctx;
+#if defined(HAVE_GEOIP2)
+	dns_geoip_databases_t *geoip;
+#endif /* if defined(HAVE_GEOIP2) */
+	isc_refcount_t references;
+} cfg_aclconfctx_t;
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+cfg_aclconfctx_create(isc_mem_t *mctx, cfg_aclconfctx_t **ret);
+/*
+ * Creates and initializes an ACL configuration context.
+ */
+
+void
+cfg_aclconfctx_detach(cfg_aclconfctx_t **actxp);
+/*
+ * Removes a reference to an ACL configuration context; when references
+ * reaches zero, clears the contents and deallocate the structure.
+ */
+
+void
+cfg_aclconfctx_attach(cfg_aclconfctx_t *src, cfg_aclconfctx_t **dest);
+/*
+ * Attaches a pointer to an existing ACL configuration context.
+ */
+
+isc_result_t
+cfg_acl_fromconfig(const cfg_obj_t *caml, const cfg_obj_t *cctx,
+		   isc_log_t *lctx, cfg_aclconfctx_t *ctx, isc_mem_t *mctx,
+		   unsigned int nest_level, dns_acl_t **target);
+
+isc_result_t
+cfg_acl_fromconfig2(const cfg_obj_t *caml, const cfg_obj_t *cctx,
+		    isc_log_t *lctx, cfg_aclconfctx_t *ctx, isc_mem_t *mctx,
+		    unsigned int nest_level, uint16_t family,
+		    dns_acl_t **target);
+/*
+ * Construct a new dns_acl_t from configuration data in 'caml' and
+ * 'cctx'.  Memory is allocated through 'mctx'.
+ *
+ * Any named ACLs referred to within 'caml' will be be converted
+ * into nested dns_acl_t objects.  Multiple references to the same
+ * named ACLs will be converted into shared references to a single
+ * nested dns_acl_t object when the referring objects were created
+ * passing the same ACL configuration context 'ctx'.
+ *
+ * cfg_acl_fromconfig() is a backward-compatible version of
+ * cfg_acl_fromconfig2(), which allows an address family to be
+ * specified.  If 'family' is not zero, then only addresses/prefixes
+ * of a matching family (AF_INET or AF_INET6) may be configured.
+ *
+ * On success, attach '*target' to the new dns_acl_t object.
+ *
+ * Require:
+ *	'ctx' to be non NULL.
+ *	'*target' to be NULL or a valid dns_acl_t.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISCCFG_ACLCONF_H */
diff --git a/lib/isccfg/include/isccfg/cfg.h b/lib/isccfg/include/isccfg/cfg.h
new file mode 100644
index 0000000..7c460d2
--- /dev/null
+++ b/lib/isccfg/include/isccfg/cfg.h
@@ -0,0 +1,626 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISCCFG_CFG_H
+#define ISCCFG_CFG_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file isccfg/cfg.h
+ * \brief
+ * This is the new, table-driven, YACC-free configuration file parser.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <time.h>
+
+#include <isc/formatcheck.h>
+#include <isc/lang.h>
+#include <isc/list.h>
+#include <isc/refcount.h>
+#include <isc/types.h>
+
+/***
+ *** Types
+ ***/
+
+/*%
+ * A configuration parser.
+ */
+typedef struct cfg_parser cfg_parser_t;
+
+/*%
+ * A configuration type definition object.  There is a single
+ * static cfg_type_t object for each data type supported by
+ * the configuration parser.
+ */
+typedef struct cfg_type cfg_type_t;
+
+/*%
+ * A configuration object.  This is the basic building block of the
+ * configuration parse tree.  It contains a value (which may be
+ * of one of several types) and information identifying the file
+ * and line number the value came from, for printing error
+ * messages.
+ */
+typedef struct cfg_obj cfg_obj_t;
+
+/*%
+ * A configuration object list element.
+ */
+typedef struct cfg_listelt cfg_listelt_t;
+
+/*%
+ * A callback function to be called when parsing an option
+ * that needs to be interpreted at parsing time, like
+ * "directory".
+ */
+typedef isc_result_t (*cfg_parsecallback_t)(const char	    *clausename,
+					    const cfg_obj_t *obj, void *arg);
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+void
+cfg_parser_attach(cfg_parser_t *src, cfg_parser_t **dest);
+/*%<
+ * Reference a parser object.
+ */
+
+isc_result_t
+cfg_parser_create(isc_mem_t *mctx, isc_log_t *lctx, cfg_parser_t **ret);
+/*%<
+ * Create a configuration file parser.  Any warning and error
+ * messages will be logged to 'lctx'.
+ *
+ * The parser object returned can be used for a single call
+ * to cfg_parse_file() or cfg_parse_buffer().  It must not
+ * be reused for parsing multiple files or buffers.
+ */
+
+void
+cfg_parser_setflags(cfg_parser_t *pctx, unsigned int flags, bool turn_on);
+/*%<
+ * Set parser context flags. The flags are not checked for sensibility.
+ * If 'turn_on' is 'true' the flags will be set, otherwise the flags will
+ * be cleared.
+ *
+ * Requires:
+ *\li 	"pctx" is not NULL.
+ */
+
+void
+cfg_parser_setcallback(cfg_parser_t *pctx, cfg_parsecallback_t callback,
+		       void *arg);
+/*%<
+ * Make the parser call 'callback' whenever it encounters
+ * a configuration clause with the callback attribute,
+ * passing it the clause name, the clause value,
+ * and 'arg' as arguments.
+ *
+ * To restore the default of not invoking callbacks, pass
+ * callback==NULL and arg==NULL.
+ */
+
+isc_result_t
+cfg_parse_file(cfg_parser_t *pctx, const char *file, const cfg_type_t *type,
+	       cfg_obj_t **ret);
+
+isc_result_t
+cfg_parse_buffer(cfg_parser_t *pctx, isc_buffer_t *buffer, const char *file,
+		 unsigned int line, const cfg_type_t *type, unsigned int flags,
+		 cfg_obj_t **ret);
+/*%<
+ * Read a configuration containing data of type 'type'
+ * and make '*ret' point to its parse tree.
+ *
+ * The configuration is read from the file 'filename'
+ * (isc_parse_file()) or the buffer 'buffer'
+ * (isc_parse_buffer()).
+ *
+ * If 'file' is not NULL, it is the name of the file, or a name to use
+ * for the buffer in place of the filename, when logging errors.
+ *
+ * If 'line' is not 0, then it is the beginning line number to report
+ * when logging errors. This is useful when passing text that has been
+ * read from the middle of a file.
+ *
+ * Returns an error if the file or buffer does not parse correctly.
+ *
+ * Requires:
+ *\li 	"filename" is valid.
+ *\li 	"mem" is valid.
+ *\li	"type" is valid.
+ *\li 	"cfg" is non-NULL and "*cfg" is NULL.
+ *\li   "flags" be one or more of CFG_PCTX_NODEPRECATED or zero.
+ *
+ * Returns:
+ *     \li #ISC_R_SUCCESS                 - success
+ *\li      #ISC_R_NOMEMORY                - no memory available
+ *\li      #ISC_R_INVALIDFILE             - file doesn't exist or is unreadable
+ *\li      others	                      - file contains errors
+ */
+
+isc_result_t
+cfg_parser_mapadd(cfg_parser_t *pctx, cfg_obj_t *mapobj, cfg_obj_t *obj,
+		  const char *clause);
+/*%<
+ * Add the object 'obj' to the specified clause in mapbody 'mapobj'.
+ * Used for adding new zones.
+ *
+ * Require:
+ * \li     'obj' is a valid cfg_obj_t.
+ * \li     'mapobj' is a valid cfg_obj_t of type map.
+ * \li     'pctx' is a valid cfg_parser_t.
+ */
+
+void
+cfg_parser_reset(cfg_parser_t *pctx);
+/*%<
+ * Reset an existing parser so it can be re-used for a new file or
+ * buffer.
+ */
+
+void
+cfg_parser_destroy(cfg_parser_t **pctxp);
+/*%<
+ * Remove a reference to a configuration parser; destroy it if there are no
+ * more references.
+ */
+
+bool
+cfg_obj_isvoid(const cfg_obj_t *obj);
+/*%<
+ * Return true iff 'obj' is of void type (e.g., an optional
+ * value not specified).
+ */
+
+bool
+cfg_obj_ismap(const cfg_obj_t *obj);
+/*%<
+ * Return true iff 'obj' is of a map type.
+ */
+
+bool
+cfg_obj_isfixedpoint(const cfg_obj_t *obj);
+/*%<
+ * Return true iff 'obj' is of a fixedpoint type.
+ */
+
+bool
+cfg_obj_ispercentage(const cfg_obj_t *obj);
+/*%<
+ * Return true iff 'obj' is of a percentage type.
+ */
+
+isc_result_t
+cfg_map_get(const cfg_obj_t *mapobj, const char *name, const cfg_obj_t **obj);
+/*%<
+ * Extract an element from a configuration object, which
+ * must be of a map type.
+ *
+ * Requires:
+ * \li     'mapobj' points to a valid configuration object of a map type.
+ * \li     'name' points to a null-terminated string.
+ * \li	'obj' is non-NULL and '*obj' is NULL.
+ *
+ * Returns:
+ * \li     #ISC_R_SUCCESS                  - success
+ * \li     #ISC_R_NOTFOUND                 - name not found in map
+ */
+
+const cfg_obj_t *
+cfg_map_getname(const cfg_obj_t *mapobj);
+/*%<
+ * Get the name of a named map object, like a server "key" clause.
+ *
+ * Requires:
+ *    \li  'mapobj' points to a valid configuration object of a map type.
+ *
+ * Returns:
+ * \li     A pointer to a configuration object naming the map object,
+ *	or NULL if the map object does not have a name.
+ */
+
+unsigned int
+cfg_map_count(const cfg_obj_t *mapobj);
+/*%<
+ * Get the number of elements defined in the symbol table of a map object.
+ *
+ * Requires:
+ *    \li  'mapobj' points to a valid configuration object of a map type.
+ *
+ * Returns:
+ * \li     The number of elements in the map object.
+ */
+
+bool
+cfg_obj_istuple(const cfg_obj_t *obj);
+/*%<
+ * Return true iff 'obj' is of a map type.
+ */
+
+const cfg_obj_t *
+cfg_tuple_get(const cfg_obj_t *tupleobj, const char *name);
+/*%<
+ * Extract an element from a configuration object, which
+ * must be of a tuple type.
+ *
+ * Requires:
+ * \li     'tupleobj' points to a valid configuration object of a tuple type.
+ * \li     'name' points to a null-terminated string naming one of the
+ *\li	fields of said tuple type.
+ */
+
+bool
+cfg_obj_isuint32(const cfg_obj_t *obj);
+/*%<
+ * Return true iff 'obj' is of integer type.
+ */
+
+uint32_t
+cfg_obj_asuint32(const cfg_obj_t *obj);
+/*%<
+ * Returns the value of a configuration object of 32-bit integer type.
+ *
+ * Requires:
+ * \li     'obj' points to a valid configuration object of 32-bit integer type.
+ *
+ * Returns:
+ * \li     A 32-bit unsigned integer.
+ */
+
+bool
+cfg_obj_isuint64(const cfg_obj_t *obj);
+/*%<
+ * Return true iff 'obj' is of integer type.
+ */
+
+uint64_t
+cfg_obj_asuint64(const cfg_obj_t *obj);
+/*%<
+ * Returns the value of a configuration object of 64-bit integer type.
+ *
+ * Requires:
+ * \li     'obj' points to a valid configuration object of 64-bit integer type.
+ *
+ * Returns:
+ * \li     A 64-bit unsigned integer.
+ */
+
+uint32_t
+cfg_obj_asfixedpoint(const cfg_obj_t *obj);
+/*%<
+ * Returns the value of a configuration object of fixed point number.
+ *
+ * Requires:
+ * \li     'obj' points to a valid configuration object of fixed point type.
+ *
+ * Returns:
+ * \li     A 32-bit unsigned integer.
+ */
+
+uint32_t
+cfg_obj_aspercentage(const cfg_obj_t *obj);
+/*%<
+ * Returns the value of a configuration object of percentage
+ *
+ * Requires:
+ * \li     'obj' points to a valid configuration object of percentage type.
+ *
+ * Returns:
+ * \li     A 32-bit unsigned integer.
+ */
+
+bool
+cfg_obj_isduration(const cfg_obj_t *obj);
+/*%<
+ * Return true iff 'obj' is of duration type.
+ */
+
+uint32_t
+cfg_obj_asduration(const cfg_obj_t *obj);
+/*%<
+ * Returns the value of a configuration object of duration
+ *
+ * Requires:
+ * \li     'obj' points to a valid configuration object of duration type.
+ *
+ * Returns:
+ * \li     A duration in seconds.
+ */
+
+bool
+cfg_obj_isstring(const cfg_obj_t *obj);
+/*%<
+ * Return true iff 'obj' is of string type.
+ */
+
+const char *
+cfg_obj_asstring(const cfg_obj_t *obj);
+/*%<
+ * Returns the value of a configuration object of a string type
+ * as a null-terminated string.
+ *
+ * Requires:
+ * \li     'obj' points to a valid configuration object of a string type.
+ *
+ * Returns:
+ * \li     A pointer to a null terminated string.
+ */
+
+bool
+cfg_obj_isboolean(const cfg_obj_t *obj);
+/*%<
+ * Return true iff 'obj' is of a boolean type.
+ */
+
+bool
+cfg_obj_asboolean(const cfg_obj_t *obj);
+/*%<
+ * Returns the value of a configuration object of a boolean type.
+ *
+ * Requires:
+ * \li     'obj' points to a valid configuration object of a boolean type.
+ *
+ * Returns:
+ * \li     A boolean value.
+ */
+
+bool
+cfg_obj_issockaddr(const cfg_obj_t *obj);
+/*%<
+ * Return true iff 'obj' is a socket address.
+ */
+
+const isc_sockaddr_t *
+cfg_obj_assockaddr(const cfg_obj_t *obj);
+/*%<
+ * Returns the value of a configuration object representing a socket address.
+ *
+ * Requires:
+ * \li     'obj' points to a valid configuration object of a socket address
+ * type.
+ *
+ * Returns:
+ * \li     A pointer to a sockaddr.  The sockaddr must be copied by the caller
+ *      if necessary.
+ */
+
+isc_dscp_t
+cfg_obj_getdscp(const cfg_obj_t *obj);
+/*%<
+ * Returns the DSCP value of a configuration object representing a
+ * socket address.
+ *
+ * Requires:
+ * \li     'obj' points to a valid configuration object of a
+ *         socket address type.
+ *
+ * Returns:
+ * \li     DSCP value associated with a sockaddr, or -1.
+ */
+
+bool
+cfg_obj_isnetprefix(const cfg_obj_t *obj);
+/*%<
+ * Return true iff 'obj' is a network prefix.
+ */
+
+void
+cfg_obj_asnetprefix(const cfg_obj_t *obj, isc_netaddr_t *netaddr,
+		    unsigned int *prefixlen);
+/*%<
+ * Gets the value of a configuration object representing a network
+ * prefix.  The network address is returned through 'netaddr' and the
+ * prefix length in bits through 'prefixlen'.
+ *
+ * Requires:
+ * \li     'obj' points to a valid configuration object of network prefix type.
+ *\li	'netaddr' and 'prefixlen' are non-NULL.
+ */
+
+bool
+cfg_obj_islist(const cfg_obj_t *obj);
+/*%<
+ * Return true iff 'obj' is of list type.
+ */
+
+const cfg_listelt_t *
+cfg_list_first(const cfg_obj_t *obj);
+/*%<
+ * Returns the first list element in a configuration object of a list type.
+ *
+ * Requires:
+ * \li     'obj' points to a valid configuration object of a list type or NULL.
+ *
+ * Returns:
+ *   \li   A pointer to a cfg_listelt_t representing the first list element,
+ * 	or NULL if the list is empty or nonexistent.
+ */
+
+const cfg_listelt_t *
+cfg_list_next(const cfg_listelt_t *elt);
+/*%<
+ * Returns the next element of a list of configuration objects.
+ *
+ * Requires:
+ * \li     'elt' points to cfg_listelt_t obtained from cfg_list_first() or
+ *	a previous call to cfg_list_next().
+ *
+ * Returns:
+ * \li     A pointer to a cfg_listelt_t representing the next element,
+ * 	or NULL if there are no more elements.
+ */
+
+unsigned int
+cfg_list_length(const cfg_obj_t *obj, bool recurse);
+/*%<
+ * Returns the length of a list of configure objects.  If obj is
+ * not a list, returns 0.  If recurse is true, add in the length of
+ * all contained lists.
+ */
+
+cfg_obj_t *
+cfg_listelt_value(const cfg_listelt_t *elt);
+/*%<
+ * Returns the configuration object associated with cfg_listelt_t.
+ *
+ * Requires:
+ * \li     'elt' points to cfg_listelt_t obtained from cfg_list_first() or
+ *	cfg_list_next().
+ *
+ * Returns:
+ * \li     A non-NULL pointer to a configuration object.
+ */
+
+void
+cfg_print(const cfg_obj_t *obj,
+	  void (*f)(void *closure, const char *text, int textlen),
+	  void *closure);
+void
+cfg_printx(const cfg_obj_t *obj, unsigned int flags,
+	   void (*f)(void *closure, const char *text, int textlen),
+	   void *closure);
+
+#define CFG_PRINTER_XKEY    0x1 /* '?' out shared keys. */
+#define CFG_PRINTER_ONELINE 0x2 /* print config as a single line */
+#define CFG_PRINTER_ACTIVEONLY                 \
+	0x4 /* print only active configuration \
+	     * options, omitting ancient,      \
+	     * obsolete, nonimplemented,       \
+	     * and test-only options. */
+
+/*%<
+ * Print the configuration object 'obj' by repeatedly calling the
+ * function 'f', passing 'closure' and a region of text starting
+ * at 'text' and comprising 'textlen' characters.
+ *
+ * If CFG_PRINTER_XKEY the contents of shared keys will be obscured
+ * by replacing them with question marks ('?')
+ */
+
+void
+cfg_print_grammar(const cfg_type_t *type, unsigned int flags,
+		  void (*f)(void *closure, const char *text, int textlen),
+		  void *closure);
+/*%<
+ * Print a summary of the grammar of the configuration type 'type'.
+ */
+
+bool
+cfg_obj_istype(const cfg_obj_t *obj, const cfg_type_t *type);
+/*%<
+ * Return true iff 'obj' is of type 'type'.
+ */
+
+void
+cfg_obj_attach(cfg_obj_t *src, cfg_obj_t **dest);
+/*%<
+ * Reference a configuration object.
+ */
+
+void
+cfg_obj_destroy(cfg_parser_t *pctx, cfg_obj_t **obj);
+/*%<
+ * Delete a reference to a configuration object; destroy the object if
+ * there are no more references.
+ *
+ * Require:
+ * \li     '*obj' is a valid cfg_obj_t.
+ * \li     'pctx' is a valid cfg_parser_t.
+ */
+
+void
+cfg_obj_log(const cfg_obj_t *obj, isc_log_t *lctx, int level, const char *fmt,
+	    ...) ISC_FORMAT_PRINTF(4, 5);
+/*%<
+ * Log a message concerning configuration object 'obj' to the logging
+ * channel of 'pctx', at log level 'level'.  The message will be prefixed
+ * with the file name(s) and line number where 'obj' was defined.
+ */
+
+const char *
+cfg_obj_file(const cfg_obj_t *obj);
+/*%<
+ * Return the file that defined this object.
+ */
+
+unsigned int
+cfg_obj_line(const cfg_obj_t *obj);
+/*%<
+ * Return the line in file where this object was defined.
+ */
+
+const char *
+cfg_map_firstclause(const cfg_type_t *map, const void **clauses,
+		    unsigned int *idx);
+const char *
+cfg_map_nextclause(const cfg_type_t *map, const void **clauses,
+		   unsigned int *idx);
+
+typedef isc_result_t(pluginlist_cb_t)(const cfg_obj_t *config,
+				      const cfg_obj_t *obj,
+				      const char      *plugin_path,
+				      const char      *parameters,
+				      void	      *callback_data);
+/*%<
+ * Function prototype for the callback used with cfg_pluginlist_foreach().
+ * Called once for each element of the list passed to cfg_pluginlist_foreach().
+ * If this callback returns anything else than #ISC_R_SUCCESS, no further list
+ * elements will be processed.
+ *
+ * \li 'config' - the 'config' object passed to cfg_pluginlist_foreach()
+ * \li 'obj' - object representing the specific "plugin" stanza to be processed
+ * \li 'plugin_path' - path to the shared object with plugin code
+ * \li 'parameters' - configuration text for the plugin
+ * \li 'callback_data' - the pointer passed to cfg_pluginlist_foreach()
+ */
+
+isc_result_t
+cfg_pluginlist_foreach(const cfg_obj_t *config, const cfg_obj_t *list,
+		       isc_log_t *lctx, pluginlist_cb_t *callback,
+		       void *callback_data);
+/*%<
+ * For every "plugin" stanza present in 'list' (which in turn is a part of
+ * 'config'), invoke the given 'callback', passing 'callback_data' to it along
+ * with a fixed set of arguments (see the definition of the #pluginlist_cb_t
+ * type).  Use logging context 'lctx' for logging error messages.  Interrupt
+ * processing if 'callback' returns something else than #ISC_R_SUCCESS for any
+ * element of 'list'.
+ *
+ * Requires:
+ *
+ * \li 'config' is not NULL
+ * \li 'callback' is not NULL
+ *
+ * Returns:
+ *
+ * \li #ISC_R_SUCCESS if 'callback' returned #ISC_R_SUCCESS for all elements of
+ *     'list'
+ * \li first 'callback' return value which was not #ISC_R_SUCCESS otherwise
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISCCFG_CFG_H */
diff --git a/lib/isccfg/include/isccfg/dnsconf.h b/lib/isccfg/include/isccfg/dnsconf.h
new file mode 100644
index 0000000..5050b70
--- /dev/null
+++ b/lib/isccfg/include/isccfg/dnsconf.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISCCFG_DNSCONF_H
+#define ISCCFG_DNSCONF_H 1
+
+/*! \file
+ * \brief
+ * This module defines the named.conf, rndc.conf, and rndc.key grammars.
+ */
+
+#include <isccfg/cfg.h>
+
+/*
+ * Configuration object types.
+ */
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_dnsconf;
+/*%< A complete dns.conf file. */
+
+#endif /* ISCCFG_DNSCONF_H */
diff --git a/lib/isccfg/include/isccfg/grammar.h b/lib/isccfg/include/isccfg/grammar.h
new file mode 100644
index 0000000..0bc40e0
--- /dev/null
+++ b/lib/isccfg/include/isccfg/grammar.h
@@ -0,0 +1,620 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISCCFG_GRAMMAR_H
+#define ISCCFG_GRAMMAR_H 1
+
+/*! \file isccfg/grammar.h */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/lex.h>
+#include <isc/netaddr.h>
+#include <isc/region.h>
+#include <isc/sockaddr.h>
+#include <isc/types.h>
+
+#include <isccfg/cfg.h>
+
+/*
+ * Definitions shared between the configuration parser
+ * and the grammars; not visible to users of the parser.
+ */
+
+/*% Clause may occur multiple times (e.g., "zone") */
+#define CFG_CLAUSEFLAG_MULTI 0x00000001
+/*% Clause is obsolete (logs a warning, but is not a fatal error) */
+#define CFG_CLAUSEFLAG_OBSOLETE 0x00000002
+/*% Clause is not implemented, and may never be */
+#define CFG_CLAUSEFLAG_NOTIMP 0x00000004
+/*% Clause is not implemented yet */
+#define CFG_CLAUSEFLAG_NYI 0x00000008
+/*% Default value has changed since earlier release */
+#define CFG_CLAUSEFLAG_NEWDEFAULT 0x00000010
+/*%
+ * Clause needs to be interpreted during parsing
+ * by calling a callback function, like the
+ * "directory" option.
+ */
+#define CFG_CLAUSEFLAG_CALLBACK 0x00000020
+/*% A option that is only used in testing. */
+#define CFG_CLAUSEFLAG_TESTONLY 0x00000040
+/*% A configuration option that was not configured at compile time. */
+#define CFG_CLAUSEFLAG_NOTCONFIGURED 0x00000080
+/*% A option for a experimental feature. */
+#define CFG_CLAUSEFLAG_EXPERIMENTAL 0x00000100
+/*% A configuration option that is ineffective due to
+ * compile time options, but is harmless. */
+#define CFG_CLAUSEFLAG_NOOP 0x00000200
+/*% Clause will be obsolete in a future release (logs a warning) */
+#define CFG_CLAUSEFLAG_DEPRECATED 0x00000400
+/*% Clause has been obsolete so long that it's now a fatal error */
+#define CFG_CLAUSEFLAG_ANCIENT 0x00000800
+
+/*%
+ * Zone types for which a clause is valid:
+ * These share space with CFG_CLAUSEFLAG values, but count
+ * down from the top.
+ */
+#define CFG_ZONE_PRIMARY    0x80000000
+#define CFG_ZONE_SECONDARY  0x40000000
+#define CFG_ZONE_STUB	    0x20000000
+#define CFG_ZONE_HINT	    0x10000000
+#define CFG_ZONE_FORWARD    0x08000000
+#define CFG_ZONE_STATICSTUB 0x04000000
+#define CFG_ZONE_REDIRECT   0x02000000
+#define CFG_ZONE_DELEGATION 0x01000000
+#define CFG_ZONE_INVIEW	    0x00800000
+#define CFG_ZONE_MIRROR	    0x00400000
+
+typedef struct cfg_clausedef	 cfg_clausedef_t;
+typedef struct cfg_tuplefielddef cfg_tuplefielddef_t;
+typedef struct cfg_printer	 cfg_printer_t;
+typedef ISC_LIST(cfg_listelt_t) cfg_list_t;
+typedef struct cfg_map	    cfg_map_t;
+typedef struct cfg_rep	    cfg_rep_t;
+typedef struct cfg_duration cfg_duration_t;
+
+#define CFG_DURATION_MAXLEN 80
+
+/*
+ * Function types for configuration object methods
+ */
+
+typedef isc_result_t (*cfg_parsefunc_t)(cfg_parser_t *, const cfg_type_t *type,
+					cfg_obj_t **);
+typedef void (*cfg_printfunc_t)(cfg_printer_t *, const cfg_obj_t *);
+typedef void (*cfg_docfunc_t)(cfg_printer_t *, const cfg_type_t *);
+typedef void (*cfg_freefunc_t)(cfg_parser_t *, cfg_obj_t *);
+
+/*
+ * Structure definitions
+ */
+
+/*%
+ * A configuration printer object.  This is an abstract
+ * interface to a destination to which text can be printed
+ * by calling the function 'f'.
+ */
+struct cfg_printer {
+	void (*f)(void *closure, const char *text, int textlen);
+	void *closure;
+	int   indent;
+	int   flags;
+};
+
+/*% A clause definition. */
+struct cfg_clausedef {
+	const char  *name;
+	cfg_type_t  *type;
+	unsigned int flags;
+};
+
+/*% A tuple field definition. */
+struct cfg_tuplefielddef {
+	const char  *name;
+	cfg_type_t  *type;
+	unsigned int flags;
+};
+
+/*% A configuration object type definition. */
+struct cfg_type {
+	const char     *name; /*%< For debugging purposes only */
+	cfg_parsefunc_t parse;
+	cfg_printfunc_t print;
+	cfg_docfunc_t	doc; /*%< Print grammar description */
+	cfg_rep_t      *rep; /*%< Data representation */
+	const void     *of;  /*%< Additional data for meta-types */
+};
+
+/*% A keyword-type definition, for things like "port <integer>". */
+typedef struct {
+	const char	 *name;
+	const cfg_type_t *type;
+} keyword_type_t;
+
+struct cfg_map {
+	cfg_obj_t *id; /*%< Used for 'named maps' like
+			* keys, zones, &c */
+	const cfg_clausedef_t *const *clausesets; /*%< The clauses that
+						   * can occur in this map;
+						   * used for printing */
+	isc_symtab_t *symtab;
+};
+
+typedef struct cfg_netprefix cfg_netprefix_t;
+
+struct cfg_netprefix {
+	isc_netaddr_t address; /* IP4/IP6 */
+	unsigned int  prefixlen;
+};
+
+/*%
+ * A configuration object to store ISO 8601 durations.
+ */
+struct cfg_duration {
+	/*
+	 * The duration is stored in multiple parts:
+	 * [0] Years
+	 * [1] Months
+	 * [2] Weeks
+	 * [3] Days
+	 * [4] Hours
+	 * [5] Minutes
+	 * [6] Seconds
+	 */
+	uint32_t parts[7];
+	bool	 iso8601;
+	bool	 unlimited;
+};
+
+/*%
+ * A configuration data representation.
+ */
+struct cfg_rep {
+	const char    *name; /*%< For debugging only */
+	cfg_freefunc_t free; /*%< How to free this kind of data. */
+};
+
+/*%
+ * A configuration object.  This is the main building block
+ * of the configuration parse tree.
+ */
+
+struct cfg_obj {
+	const cfg_type_t *type;
+	union {
+		uint32_t	 uint32;
+		uint64_t	 uint64;
+		isc_textregion_t string; /*%< null terminated, too */
+		bool		 boolean;
+		cfg_map_t	 map;
+		cfg_list_t	 list;
+		cfg_obj_t      **tuple;
+		isc_sockaddr_t	 sockaddr;
+		struct {
+			isc_sockaddr_t sockaddr;
+			isc_dscp_t     dscp;
+		} sockaddrdscp;
+		cfg_netprefix_t netprefix;
+		cfg_duration_t	duration;
+	} value;
+	isc_refcount_t references; /*%< reference counter */
+	const char    *file;
+	unsigned int   line;
+	cfg_parser_t  *pctx;
+};
+
+/*% A list element. */
+struct cfg_listelt {
+	cfg_obj_t *obj;
+	ISC_LINK(cfg_listelt_t) link;
+};
+
+/*% The parser object. */
+struct cfg_parser {
+	isc_mem_t   *mctx;
+	isc_log_t   *lctx;
+	isc_lex_t   *lexer;
+	unsigned int errors;
+	unsigned int warnings;
+	isc_token_t  token;
+
+	/*% We are at the end of all input. */
+	bool seen_eof;
+
+	/*% The current token has been pushed back. */
+	bool ungotten;
+
+	/*%
+	 * The stack of currently active files, represented
+	 * as a configuration list of configuration strings.
+	 * The head is the top-level file, subsequent elements
+	 * (if any) are the nested include files, and the
+	 * last element is the file currently being parsed.
+	 */
+	cfg_obj_t *open_files;
+
+	/*%
+	 * Names of files that we have parsed and closed
+	 * and were previously on the open_file list.
+	 * We keep these objects around after closing
+	 * the files because the file names may still be
+	 * referenced from other configuration objects
+	 * for use in reporting semantic errors after
+	 * parsing is complete.
+	 */
+	cfg_obj_t *closed_files;
+
+	/*%
+	 * Name of a buffer being parsed; used only for
+	 * logging.
+	 */
+	char const *buf_name;
+
+	/*%
+	 * Current line number.  We maintain our own
+	 * copy of this so that it is available even
+	 * when a file has just been closed.
+	 */
+	unsigned int line;
+
+	/*%
+	 * Parser context flags, used for maintaining state
+	 * from one token to the next.
+	 */
+	unsigned int flags;
+
+	/*%< Reference counter */
+	isc_refcount_t references;
+
+	cfg_parsecallback_t callback;
+	void		   *callbackarg;
+};
+
+/* Parser context flags */
+#define CFG_PCTX_SKIP	      0x1
+#define CFG_PCTX_NODEPRECATED 0x2
+
+/*@{*/
+/*%
+ * Flags defining whether to accept certain types of network addresses.
+ */
+#define CFG_ADDR_V4OK	    0x00000001
+#define CFG_ADDR_V4PREFIXOK 0x00000002
+#define CFG_ADDR_V6OK	    0x00000004
+#define CFG_ADDR_WILDOK	    0x00000008
+#define CFG_ADDR_DSCPOK	    0x00000010
+#define CFG_ADDR_MASK	    (CFG_ADDR_V6OK | CFG_ADDR_V4OK)
+/*@}*/
+
+/*@{*/
+/*%
+ * Predefined data representation types.
+ */
+LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_uint32;
+LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_uint64;
+LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_string;
+LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_boolean;
+LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_map;
+LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_list;
+LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_tuple;
+LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_sockaddr;
+LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_netprefix;
+LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_void;
+LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_fixedpoint;
+LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_percentage;
+LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_duration;
+/*@}*/
+
+/*@{*/
+/*%
+ * Predefined configuration object types.
+ */
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_boolean;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_uint32;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_uint64;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_qstring;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_astring;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_ustring;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_sstring;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_bracketed_aml;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_bracketed_text;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_optional_bracketed_text;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_keyref;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_sockaddr;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_sockaddrdscp;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_netaddr;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_netaddr4;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_netaddr4wild;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_netaddr6;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_netaddr6wild;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_netprefix;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_void;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_token;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_unsupported;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_fixedpoint;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_percentage;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_duration;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_duration_or_unlimited;
+/*@}*/
+
+isc_result_t
+cfg_gettoken(cfg_parser_t *pctx, int options);
+
+isc_result_t
+cfg_peektoken(cfg_parser_t *pctx, int options);
+
+void
+cfg_ungettoken(cfg_parser_t *pctx);
+
+#define CFG_LEXOPT_QSTRING (ISC_LEXOPT_QSTRING | ISC_LEXOPT_QSTRINGMULTILINE)
+
+isc_result_t
+cfg_create_obj(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **objp);
+
+void
+cfg_print_rawuint(cfg_printer_t *pctx, unsigned int u);
+
+isc_result_t
+cfg_parse_uint32(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+void
+cfg_print_uint32(cfg_printer_t *pctx, const cfg_obj_t *obj);
+
+void
+cfg_print_uint64(cfg_printer_t *pctx, const cfg_obj_t *obj);
+
+isc_result_t
+cfg_parse_qstring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+void
+cfg_print_ustring(cfg_printer_t *pctx, const cfg_obj_t *obj);
+
+isc_result_t
+cfg_parse_astring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+isc_result_t
+cfg_parse_sstring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+isc_result_t
+cfg_parse_rawaddr(cfg_parser_t *pctx, unsigned int flags, isc_netaddr_t *na);
+
+void
+cfg_print_rawaddr(cfg_printer_t *pctx, const isc_netaddr_t *na);
+
+bool
+cfg_lookingat_netaddr(cfg_parser_t *pctx, unsigned int flags);
+
+isc_result_t
+cfg_parse_rawport(cfg_parser_t *pctx, unsigned int flags, in_port_t *port);
+
+isc_result_t
+cfg_parse_dscp(cfg_parser_t *pctx, isc_dscp_t *dscp);
+
+isc_result_t
+cfg_parse_sockaddr(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+isc_result_t
+cfg_parse_boolean(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+void
+cfg_print_sockaddr(cfg_printer_t *pctx, const cfg_obj_t *obj);
+
+void
+cfg_print_boolean(cfg_printer_t *pctx, const cfg_obj_t *obj);
+
+void
+cfg_doc_sockaddr(cfg_printer_t *pctx, const cfg_type_t *type);
+
+isc_result_t
+cfg_parse_netprefix(cfg_parser_t *pctx, const cfg_type_t *type,
+		    cfg_obj_t **ret);
+
+isc_result_t
+cfg_parse_special(cfg_parser_t *pctx, int special);
+/*%< Parse a required special character 'special'. */
+
+isc_result_t
+cfg_create_tuple(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **objp);
+
+isc_result_t
+cfg_parse_tuple(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+void
+cfg_print_tuple(cfg_printer_t *pctx, const cfg_obj_t *obj);
+
+void
+cfg_doc_tuple(cfg_printer_t *pctx, const cfg_type_t *type);
+
+isc_result_t
+cfg_create_list(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **objp);
+
+isc_result_t
+cfg_parse_listelt(cfg_parser_t *pctx, const cfg_type_t *elttype,
+		  cfg_listelt_t **ret);
+
+isc_result_t
+cfg_parse_bracketed_list(cfg_parser_t *pctx, const cfg_type_t *type,
+			 cfg_obj_t **ret);
+
+void
+cfg_print_bracketed_list(cfg_printer_t *pctx, const cfg_obj_t *obj);
+
+void
+cfg_doc_bracketed_list(cfg_printer_t *pctx, const cfg_type_t *type);
+
+isc_result_t
+cfg_parse_spacelist(cfg_parser_t *pctx, const cfg_type_t *type,
+		    cfg_obj_t **ret);
+
+void
+cfg_print_spacelist(cfg_printer_t *pctx, const cfg_obj_t *obj);
+
+isc_result_t
+cfg_parse_enum(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+void
+cfg_doc_enum(cfg_printer_t *pctx, const cfg_type_t *type);
+
+isc_result_t
+cfg_parse_enum_or_other(cfg_parser_t *pctx, const cfg_type_t *enumtype,
+			const cfg_type_t *othertype, cfg_obj_t **ret);
+
+void
+cfg_doc_enum_or_other(cfg_printer_t *pctx, const cfg_type_t *enumtype,
+		      const cfg_type_t *othertype);
+
+void
+cfg_print_chars(cfg_printer_t *pctx, const char *text, int len);
+/*%< Print 'len' characters at 'text' */
+
+void
+cfg_print_cstr(cfg_printer_t *pctx, const char *s);
+/*%< Print the null-terminated string 's' */
+
+isc_result_t
+cfg_parse_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+isc_result_t
+cfg_parse_named_map(cfg_parser_t *pctx, const cfg_type_t *type,
+		    cfg_obj_t **ret);
+
+isc_result_t
+cfg_parse_addressed_map(cfg_parser_t *pctx, const cfg_type_t *type,
+			cfg_obj_t **ret);
+
+isc_result_t
+cfg_parse_netprefix_map(cfg_parser_t *pctx, const cfg_type_t *type,
+			cfg_obj_t **ret);
+
+void
+cfg_print_map(cfg_printer_t *pctx, const cfg_obj_t *obj);
+
+void
+cfg_doc_map(cfg_printer_t *pctx, const cfg_type_t *type);
+
+isc_result_t
+cfg_parse_mapbody(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+void
+cfg_print_mapbody(cfg_printer_t *pctx, const cfg_obj_t *obj);
+
+void
+cfg_doc_mapbody(cfg_printer_t *pctx, const cfg_type_t *type);
+
+isc_result_t
+cfg_parse_void(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+void
+cfg_print_void(cfg_printer_t *pctx, const cfg_obj_t *obj);
+
+void
+cfg_doc_void(cfg_printer_t *pctx, const cfg_type_t *type);
+
+isc_result_t
+cfg_parse_fixedpoint(cfg_parser_t *pctx, const cfg_type_t *type,
+		     cfg_obj_t **ret);
+
+void
+cfg_print_fixedpoint(cfg_printer_t *pctx, const cfg_obj_t *obj);
+
+isc_result_t
+cfg_parse_percentage(cfg_parser_t *pctx, const cfg_type_t *type,
+		     cfg_obj_t **ret);
+
+void
+cfg_print_percentage(cfg_printer_t *pctx, const cfg_obj_t *obj);
+
+isc_result_t
+cfg_parse_duration(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+void
+cfg_print_duration(cfg_printer_t *pctx, const cfg_obj_t *obj);
+
+isc_result_t
+cfg_parse_duration_or_unlimited(cfg_parser_t *pctx, const cfg_type_t *type,
+				cfg_obj_t **ret);
+
+void
+cfg_print_duration_or_unlimited(cfg_printer_t *pctx, const cfg_obj_t *obj);
+
+isc_result_t
+cfg_parse_obj(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+void
+cfg_print_obj(cfg_printer_t *pctx, const cfg_obj_t *obj);
+
+void
+cfg_doc_obj(cfg_printer_t *pctx, const cfg_type_t *type);
+/*%<
+ * Print a description of the grammar of an arbitrary configuration
+ * type 'type'
+ */
+
+void
+cfg_doc_terminal(cfg_printer_t *pctx, const cfg_type_t *type);
+/*%<
+ * Document the type 'type' as a terminal by printing its
+ * name in angle brackets, e.g., &lt;uint32>.
+ */
+
+void
+cfg_parser_error(cfg_parser_t *pctx, unsigned int flags, const char *fmt, ...)
+	ISC_FORMAT_PRINTF(3, 4);
+/*!
+ * Pass one of these flags to cfg_parser_error() to include the
+ * token text in log message.
+ */
+#define CFG_LOG_NEAR   0x00000001 /*%< Say "near <token>" */
+#define CFG_LOG_BEFORE 0x00000002 /*%< Say "before <token>" */
+#define CFG_LOG_NOPREP 0x00000004 /*%< Say just "<token>" */
+
+void
+cfg_parser_warning(cfg_parser_t *pctx, unsigned int flags, const char *fmt, ...)
+	ISC_FORMAT_PRINTF(3, 4);
+
+bool
+cfg_is_enum(const char *s, const char *const *enums);
+/*%< Return true iff the string 's' is one of the strings in 'enums' */
+
+bool
+cfg_clause_validforzone(const char *name, unsigned int ztype);
+/*%<
+ * Check whether an option is legal for the specified zone type.
+ */
+
+void
+cfg_print_zonegrammar(const unsigned int zonetype, unsigned int flags,
+		      void (*f)(void *closure, const char *text, int textlen),
+		      void *closure);
+/*%<
+ * Print a summary of the grammar of the zone type represented by
+ * 'zonetype'.
+ */
+
+void
+cfg_print_clauseflags(cfg_printer_t *pctx, unsigned int flags);
+/*%<
+ * Print clause flags (e.g. "obsolete", "not implemented", etc) in
+ * human readable form
+ */
+
+void
+cfg_print_indent(cfg_printer_t *pctx);
+/*%<
+ * Print the necessary indent required by the current settings of 'pctx'.
+ */
+
+#endif /* ISCCFG_GRAMMAR_H */
diff --git a/lib/isccfg/include/isccfg/kaspconf.h b/lib/isccfg/include/isccfg/kaspconf.h
new file mode 100644
index 0000000..66b316f
--- /dev/null
+++ b/lib/isccfg/include/isccfg/kaspconf.h
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISCCFG_KASPCONF_H
+#define ISCCFG_KASPCONF_H 1
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+#include <isccfg/cfg.h>
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+cfg_kasp_fromconfig(const cfg_obj_t *config, const char *name, isc_mem_t *mctx,
+		    isc_log_t *logctx, dns_kasplist_t *kasplist,
+		    dns_kasp_t **kaspp);
+/*%<
+ * Create and configure a KASP. If 'config' is NULL, a built-in configuration
+ * is used, referred to by 'name'. If a 'kasplist' is provided, a lookup
+ * happens and if a KASP already exists with the same name, no new KASP is
+ * created, and no attach to 'kaspp' happens.
+ *
+ * Requires:
+ *
+ *\li  'name' is either NULL, or a valid C string.
+ *
+ *\li  'mctx' is a valid memory context.
+ *
+ *\li  'logctx' is a valid logging context.
+ *
+ *\li  kaspp != NULL && *kaspp == NULL
+ *
+ * Returns:
+ *
+ *\li  #ISC_R_SUCCESS  If creating and configuring the KASP succeeds.
+ *\li  #ISC_R_EXISTS   If 'kasplist' already has a kasp structure with 'name'.
+ *\li  #ISC_R_NOMEMORY
+ *
+ *\li  Other errors are possible.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISCCFG_KASPCONF_H */
diff --git a/lib/isccfg/include/isccfg/log.h b/lib/isccfg/include/isccfg/log.h
new file mode 100644
index 0000000..62fa68f
--- /dev/null
+++ b/lib/isccfg/include/isccfg/log.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISCCFG_LOG_H
+#define ISCCFG_LOG_H 1
+
+/*! \file isccfg/log.h */
+
+#include <isc/lang.h>
+#include <isc/log.h>
+
+LIBISCCFG_EXTERNAL_DATA extern isc_logcategory_t cfg_categories[];
+LIBISCCFG_EXTERNAL_DATA extern isc_logmodule_t	 cfg_modules[];
+
+#define CFG_LOGCATEGORY_CONFIG (&cfg_categories[0])
+
+#define CFG_LOGMODULE_PARSER (&cfg_modules[0])
+
+ISC_LANG_BEGINDECLS
+
+void
+cfg_log_init(isc_log_t *lctx);
+/*%<
+ * Make the libisccfg categories and modules available for use with the
+ * ISC logging library.
+ *
+ * Requires:
+ *\li	lctx is a valid logging context.
+ *
+ *\li	cfg_log_init() is called only once.
+ *
+ * Ensures:
+ * \li	The categories and modules defined above are available for
+ * 	use by isc_log_usechannnel() and isc_log_write().
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISCCFG_LOG_H */
diff --git a/lib/isccfg/include/isccfg/namedconf.h b/lib/isccfg/include/isccfg/namedconf.h
new file mode 100644
index 0000000..98878c0
--- /dev/null
+++ b/lib/isccfg/include/isccfg/namedconf.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISCCFG_NAMEDCONF_H
+#define ISCCFG_NAMEDCONF_H 1
+
+/*! \file isccfg/namedconf.h
+ * \brief
+ * This module defines the named.conf, rndc.conf, and rndc.key grammars.
+ */
+
+#include <isccfg/cfg.h>
+
+/*
+ * Configuration object types.
+ */
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_namedconf;
+/*%< A complete named.conf file. */
+
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_bindkeys;
+/*%< A bind.keys file. */
+
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_newzones;
+/*%< A new-zones file (for zones added by 'rndc addzone'). */
+
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_addzoneconf;
+/*%< A single zone passed via the addzone rndc command. */
+
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_rndcconf;
+/*%< A complete rndc.conf file. */
+
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_rndckey;
+/*%< A complete rndc.key file. */
+
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_sessionkey;
+/*%< A complete session.key file. */
+
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_keyref;
+/*%< A key reference, used as an ACL element */
+
+/*%< Zone options */
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_zoneopts;
+
+/*%< DNSSEC Key and Signing Policy options */
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_dnssecpolicyopts;
+
+#endif /* ISCCFG_NAMEDCONF_H */
diff --git a/lib/isccfg/include/isccfg/version.h b/lib/isccfg/include/isccfg/version.h
new file mode 100644
index 0000000..846adbf
--- /dev/null
+++ b/lib/isccfg/include/isccfg/version.h
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file isccfg/version.h */
+
+#include <isc/platform.h>
+
+LIBISCCFG_EXTERNAL_DATA extern const char cfg_version[];
diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c
new file mode 100644
index 0000000..32f7684
--- /dev/null
+++ b/lib/isccfg/kaspconf.c
@@ -0,0 +1,423 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/region.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/kasp.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/nsec3.h>
+#include <dns/result.h>
+#include <dns/secalg.h>
+
+#include <isccfg/cfg.h>
+#include <isccfg/kaspconf.h>
+#include <isccfg/namedconf.h>
+
+#define DEFAULT_NSEC3PARAM_ITER	   5
+#define DEFAULT_NSEC3PARAM_SALTLEN 8
+
+/*
+ * Utility function for getting a configuration option.
+ */
+static isc_result_t
+confget(cfg_obj_t const *const *maps, const char *name, const cfg_obj_t **obj) {
+	for (size_t i = 0;; i++) {
+		if (maps[i] == NULL) {
+			return (ISC_R_NOTFOUND);
+		}
+		if (cfg_map_get(maps[i], name, obj) == ISC_R_SUCCESS) {
+			return (ISC_R_SUCCESS);
+		}
+	}
+}
+
+/*
+ * Utility function for configuring durations.
+ */
+static uint32_t
+get_duration(const cfg_obj_t **maps, const char *option, uint32_t dfl) {
+	const cfg_obj_t *obj;
+	isc_result_t result;
+	obj = NULL;
+
+	result = confget(maps, option, &obj);
+	if (result == ISC_R_NOTFOUND) {
+		return (dfl);
+	}
+	INSIST(result == ISC_R_SUCCESS);
+	return (cfg_obj_asduration(obj));
+}
+
+/*
+ * Create a new kasp key derived from configuration.
+ */
+static isc_result_t
+cfg_kaspkey_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp,
+		       isc_log_t *logctx) {
+	isc_result_t result;
+	dns_kasp_key_t *key = NULL;
+
+	/* Create a new key reference. */
+	result = dns_kasp_key_create(kasp, &key);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	if (config == NULL) {
+		/* We are creating a key reference for the default kasp. */
+		key->role |= DNS_KASP_KEY_ROLE_KSK | DNS_KASP_KEY_ROLE_ZSK;
+		key->lifetime = 0; /* unlimited */
+		key->algorithm = DNS_KEYALG_ECDSA256;
+		key->length = -1;
+	} else {
+		const char *rolestr = NULL;
+		const cfg_obj_t *obj = NULL;
+		isc_consttextregion_t alg;
+
+		rolestr = cfg_obj_asstring(cfg_tuple_get(config, "role"));
+		if (strcmp(rolestr, "ksk") == 0) {
+			key->role |= DNS_KASP_KEY_ROLE_KSK;
+		} else if (strcmp(rolestr, "zsk") == 0) {
+			key->role |= DNS_KASP_KEY_ROLE_ZSK;
+		} else if (strcmp(rolestr, "csk") == 0) {
+			key->role |= DNS_KASP_KEY_ROLE_KSK;
+			key->role |= DNS_KASP_KEY_ROLE_ZSK;
+		}
+
+		key->lifetime = 0; /* unlimited */
+		obj = cfg_tuple_get(config, "lifetime");
+		if (cfg_obj_isduration(obj)) {
+			key->lifetime = cfg_obj_asduration(obj);
+		}
+
+		obj = cfg_tuple_get(config, "algorithm");
+		alg.base = cfg_obj_asstring(obj);
+		alg.length = strlen(alg.base);
+		result = dns_secalg_fromtext(&key->algorithm,
+					     (isc_textregion_t *)&alg);
+		if (result != ISC_R_SUCCESS) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "dnssec-policy: bad algorithm %s",
+				    alg.base);
+			result = DNS_R_BADALG;
+			goto cleanup;
+		}
+
+		obj = cfg_tuple_get(config, "length");
+		if (cfg_obj_isuint32(obj)) {
+			uint32_t min, size;
+			size = cfg_obj_asuint32(obj);
+
+			switch (key->algorithm) {
+			case DNS_KEYALG_RSASHA1:
+			case DNS_KEYALG_NSEC3RSASHA1:
+			case DNS_KEYALG_RSASHA256:
+			case DNS_KEYALG_RSASHA512:
+				min = DNS_KEYALG_RSASHA512 ? 1024 : 512;
+				if (size < min || size > 4096) {
+					cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+						    "dnssec-policy: key with "
+						    "algorithm %s has invalid "
+						    "key length %u",
+						    alg.base, size);
+					result = ISC_R_RANGE;
+					goto cleanup;
+				}
+				break;
+			case DNS_KEYALG_ECDSA256:
+			case DNS_KEYALG_ECDSA384:
+			case DNS_KEYALG_ED25519:
+			case DNS_KEYALG_ED448:
+				cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+					    "dnssec-policy: key algorithm %s "
+					    "has predefined length; ignoring "
+					    "length value %u",
+					    alg.base, size);
+			default:
+				break;
+			}
+
+			key->length = size;
+		}
+	}
+
+	dns_kasp_addkey(kasp, key);
+	return (ISC_R_SUCCESS);
+
+cleanup:
+
+	dns_kasp_key_destroy(key);
+	return (result);
+}
+
+static isc_result_t
+cfg_nsec3param_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp,
+			  isc_log_t *logctx) {
+	dns_kasp_key_t *kkey;
+	unsigned int min_keysize = 4096;
+	const cfg_obj_t *obj = NULL;
+	uint32_t iter = DEFAULT_NSEC3PARAM_ITER;
+	uint32_t saltlen = DEFAULT_NSEC3PARAM_SALTLEN;
+	uint32_t badalg = 0;
+	bool optout = false;
+	isc_result_t ret = ISC_R_SUCCESS;
+
+	/* How many iterations. */
+	obj = cfg_tuple_get(config, "iterations");
+	if (cfg_obj_isuint32(obj)) {
+		iter = cfg_obj_asuint32(obj);
+	}
+	dns_kasp_freeze(kasp);
+	for (kkey = ISC_LIST_HEAD(dns_kasp_keys(kasp)); kkey != NULL;
+	     kkey = ISC_LIST_NEXT(kkey, link))
+	{
+		unsigned int keysize = dns_kasp_key_size(kkey);
+		uint32_t keyalg = dns_kasp_key_algorithm(kkey);
+
+		if (keysize < min_keysize) {
+			min_keysize = keysize;
+		}
+
+		/* NSEC3 cannot be used with certain key algorithms. */
+		if (keyalg == DNS_KEYALG_RSAMD5 || keyalg == DNS_KEYALG_DH ||
+		    keyalg == DNS_KEYALG_DSA || keyalg == DNS_KEYALG_RSASHA1)
+		{
+			badalg = keyalg;
+		}
+	}
+	dns_kasp_thaw(kasp);
+
+	if (badalg > 0) {
+		char algstr[DNS_SECALG_FORMATSIZE];
+		dns_secalg_format((dns_secalg_t)badalg, algstr, sizeof(algstr));
+		cfg_obj_log(
+			obj, logctx, ISC_LOG_ERROR,
+			"dnssec-policy: cannot use nsec3 with algorithm '%s'",
+			algstr);
+		return (DNS_R_NSEC3BADALG);
+	}
+
+	if (iter > dns_nsec3_maxiterations()) {
+		ret = DNS_R_NSEC3ITERRANGE;
+	}
+
+	if (ret == DNS_R_NSEC3ITERRANGE) {
+		cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+			    "dnssec-policy: nsec3 iterations value %u "
+			    "out of range",
+			    iter);
+		return (ret);
+	}
+
+	/* Opt-out? */
+	obj = cfg_tuple_get(config, "optout");
+	if (cfg_obj_isboolean(obj)) {
+		optout = cfg_obj_asboolean(obj);
+	}
+
+	/* Salt */
+	obj = cfg_tuple_get(config, "salt-length");
+	if (cfg_obj_isuint32(obj)) {
+		saltlen = cfg_obj_asuint32(obj);
+	}
+	if (saltlen > 0xff) {
+		cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+			    "dnssec-policy: nsec3 salt length %u too high",
+			    saltlen);
+		return (DNS_R_NSEC3SALTRANGE);
+	}
+
+	dns_kasp_setnsec3param(kasp, iter, optout, saltlen);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+cfg_kasp_fromconfig(const cfg_obj_t *config, const char *name, isc_mem_t *mctx,
+		    isc_log_t *logctx, dns_kasplist_t *kasplist,
+		    dns_kasp_t **kaspp) {
+	isc_result_t result;
+	const cfg_obj_t *maps[2];
+	const cfg_obj_t *koptions = NULL;
+	const cfg_obj_t *keys = NULL;
+	const cfg_obj_t *nsec3 = NULL;
+	const cfg_listelt_t *element = NULL;
+	const char *kaspname = NULL;
+	dns_kasp_t *kasp = NULL;
+	size_t i = 0;
+
+	REQUIRE(kaspp != NULL && *kaspp == NULL);
+
+	kaspname = (name == NULL)
+			   ? cfg_obj_asstring(cfg_tuple_get(config, "name"))
+			   : name;
+	INSIST(kaspname != NULL);
+
+	result = dns_kasplist_find(kasplist, kaspname, &kasp);
+
+	if (result == ISC_R_SUCCESS) {
+		cfg_obj_log(
+			config, logctx, ISC_LOG_ERROR,
+			"dnssec-policy: duplicately named policy found '%s'",
+			kaspname);
+		dns_kasp_detach(&kasp);
+		return (ISC_R_EXISTS);
+	}
+	if (result != ISC_R_NOTFOUND) {
+		return (result);
+	}
+
+	/* No kasp with configured name was found in list, create new one. */
+	INSIST(kasp == NULL);
+	result = dns_kasp_create(mctx, kaspname, &kasp);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	INSIST(kasp != NULL);
+
+	/* Now configure. */
+	INSIST(DNS_KASP_VALID(kasp));
+
+	if (config != NULL) {
+		koptions = cfg_tuple_get(config, "options");
+		maps[i++] = koptions;
+	}
+	maps[i] = NULL;
+
+	/* Configuration: Signatures */
+	dns_kasp_setsigrefresh(kasp, get_duration(maps, "signatures-refresh",
+						  DNS_KASP_SIG_REFRESH));
+	dns_kasp_setsigvalidity(kasp, get_duration(maps, "signatures-validity",
+						   DNS_KASP_SIG_VALIDITY));
+	dns_kasp_setsigvalidity_dnskey(
+		kasp, get_duration(maps, "signatures-validity-dnskey",
+				   DNS_KASP_SIG_VALIDITY_DNSKEY));
+
+	/* Configuration: Keys */
+	dns_kasp_setdnskeyttl(
+		kasp, get_duration(maps, "dnskey-ttl", DNS_KASP_KEY_TTL));
+	dns_kasp_setpublishsafety(kasp, get_duration(maps, "publish-safety",
+						     DNS_KASP_PUBLISH_SAFETY));
+	dns_kasp_setretiresafety(kasp, get_duration(maps, "retire-safety",
+						    DNS_KASP_RETIRE_SAFETY));
+	dns_kasp_setpurgekeys(
+		kasp, get_duration(maps, "purge-keys", DNS_KASP_PURGE_KEYS));
+
+	(void)confget(maps, "keys", &keys);
+	if (keys != NULL) {
+		char role[256] = { 0 };
+		dns_kasp_key_t *kkey = NULL;
+
+		for (element = cfg_list_first(keys); element != NULL;
+		     element = cfg_list_next(element))
+		{
+			cfg_obj_t *kobj = cfg_listelt_value(element);
+			result = cfg_kaspkey_fromconfig(kobj, kasp, logctx);
+			if (result != ISC_R_SUCCESS) {
+				goto cleanup;
+			}
+		}
+		INSIST(!(dns_kasp_keylist_empty(kasp)));
+		dns_kasp_freeze(kasp);
+		for (kkey = ISC_LIST_HEAD(dns_kasp_keys(kasp)); kkey != NULL;
+		     kkey = ISC_LIST_NEXT(kkey, link))
+		{
+			uint32_t keyalg = dns_kasp_key_algorithm(kkey);
+			INSIST(keyalg < ARRAY_SIZE(role));
+
+			if (dns_kasp_key_zsk(kkey)) {
+				role[keyalg] |= DNS_KASP_KEY_ROLE_ZSK;
+			}
+
+			if (dns_kasp_key_ksk(kkey)) {
+				role[keyalg] |= DNS_KASP_KEY_ROLE_KSK;
+			}
+		}
+		dns_kasp_thaw(kasp);
+		for (i = 0; i < ARRAY_SIZE(role); i++) {
+			if (role[i] != 0 && role[i] != (DNS_KASP_KEY_ROLE_ZSK |
+							DNS_KASP_KEY_ROLE_KSK))
+			{
+				cfg_obj_log(keys, logctx, ISC_LOG_ERROR,
+					    "dnssec-policy: algorithm %zu "
+					    "requires both KSK and ZSK roles",
+					    i);
+				result = ISC_R_FAILURE;
+			}
+		}
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+	} else if (strcmp(kaspname, "insecure") == 0) {
+		/* "dnssec-policy insecure": key list must be empty */
+		INSIST(strcmp(kaspname, "insecure") == 0);
+		INSIST(dns_kasp_keylist_empty(kasp));
+	} else {
+		/* No keys clause configured, use the "default". */
+		result = cfg_kaspkey_fromconfig(NULL, kasp, logctx);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+		INSIST(!(dns_kasp_keylist_empty(kasp)));
+	}
+
+	/* Configuration: NSEC3 */
+	(void)confget(maps, "nsec3param", &nsec3);
+	if (nsec3 == NULL) {
+		dns_kasp_setnsec3(kasp, false);
+	} else {
+		dns_kasp_setnsec3(kasp, true);
+		result = cfg_nsec3param_fromconfig(nsec3, kasp, logctx);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+	}
+
+	/* Configuration: Zone settings */
+	dns_kasp_setzonemaxttl(
+		kasp, get_duration(maps, "max-zone-ttl", DNS_KASP_ZONE_MAXTTL));
+	dns_kasp_setzonepropagationdelay(
+		kasp, get_duration(maps, "zone-propagation-delay",
+				   DNS_KASP_ZONE_PROPDELAY));
+
+	/* Configuration: Parent settings */
+	dns_kasp_setdsttl(kasp,
+			  get_duration(maps, "parent-ds-ttl", DNS_KASP_DS_TTL));
+	dns_kasp_setparentpropagationdelay(
+		kasp, get_duration(maps, "parent-propagation-delay",
+				   DNS_KASP_PARENT_PROPDELAY));
+
+	/* Append it to the list for future lookups. */
+	ISC_LIST_APPEND(*kasplist, kasp, link);
+	INSIST(!(ISC_LIST_EMPTY(*kasplist)));
+
+	/* Success: Attach the kasp to the pointer and return. */
+	dns_kasp_attach(kasp, kaspp);
+
+	/* Don't detach as kasp is on '*kasplist' */
+	return (ISC_R_SUCCESS);
+
+cleanup:
+
+	/* Something bad happened, detach (destroys kasp) and return error. */
+	dns_kasp_detach(&kasp);
+	return (result);
+}
diff --git a/lib/isccfg/log.c b/lib/isccfg/log.c
new file mode 100644
index 0000000..7a6b7fd
--- /dev/null
+++ b/lib/isccfg/log.c
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <isc/util.h>
+
+#include <isccfg/log.h>
+
+/*%
+ * When adding a new category, be sure to add the appropriate
+ * \#define to <isccfg/log.h>.
+ */
+LIBISCCFG_EXTERNAL_DATA isc_logcategory_t cfg_categories[] = { { "config", 0 },
+							       { NULL, 0 } };
+
+/*%
+ * When adding a new module, be sure to add the appropriate
+ * \#define to <isccfg/log.h>.
+ */
+LIBISCCFG_EXTERNAL_DATA isc_logmodule_t cfg_modules[] = {
+	{ "isccfg/parser", 0 }, { NULL, 0 }
+};
+
+void
+cfg_log_init(isc_log_t *lctx) {
+	REQUIRE(lctx != NULL);
+
+	isc_log_registercategories(lctx, cfg_categories);
+	isc_log_registermodules(lctx, cfg_modules);
+}
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
new file mode 100644
index 0000000..6e63d86
--- /dev/null
+++ b/lib/isccfg/namedconf.c
@@ -0,0 +1,3891 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/lex.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/result.h>
+#include <dns/ttl.h>
+
+#include <isccfg/cfg.h>
+#include <isccfg/grammar.h>
+#include <isccfg/log.h>
+#include <isccfg/namedconf.h>
+
+#define TOKEN_STRING(pctx) (pctx->token.value.as_textregion.base)
+
+/*% Check a return value. */
+#define CHECK(op)                            \
+	do {                                 \
+		result = (op);               \
+		if (result != ISC_R_SUCCESS) \
+			goto cleanup;        \
+	} while (0)
+
+/*% Clean up a configuration object if non-NULL. */
+#define CLEANUP_OBJ(obj)                               \
+	do {                                           \
+		if ((obj) != NULL)                     \
+			cfg_obj_destroy(pctx, &(obj)); \
+	} while (0)
+
+/*%
+ * Forward declarations of static functions.
+ */
+
+static isc_result_t
+parse_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+static isc_result_t
+parse_optional_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type,
+			cfg_obj_t **ret);
+
+static isc_result_t
+parse_updatepolicy(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+static void
+print_updatepolicy(cfg_printer_t *pctx, const cfg_obj_t *obj);
+
+static void
+doc_updatepolicy(cfg_printer_t *pctx, const cfg_type_t *type);
+
+static void
+print_keyvalue(cfg_printer_t *pctx, const cfg_obj_t *obj);
+
+static void
+doc_keyvalue(cfg_printer_t *pctx, const cfg_type_t *type);
+
+static void
+doc_optional_keyvalue(cfg_printer_t *pctx, const cfg_type_t *type);
+
+static cfg_type_t cfg_type_acl;
+static cfg_type_t cfg_type_bracketed_dscpsockaddrlist;
+static cfg_type_t cfg_type_bracketed_namesockaddrkeylist;
+static cfg_type_t cfg_type_bracketed_netaddrlist;
+static cfg_type_t cfg_type_bracketed_sockaddrnameportlist;
+static cfg_type_t cfg_type_controls;
+static cfg_type_t cfg_type_controls_sockaddr;
+static cfg_type_t cfg_type_destinationlist;
+static cfg_type_t cfg_type_dialuptype;
+static cfg_type_t cfg_type_dlz;
+static cfg_type_t cfg_type_dnssecpolicy;
+static cfg_type_t cfg_type_dnstap;
+static cfg_type_t cfg_type_dnstapoutput;
+static cfg_type_t cfg_type_dyndb;
+static cfg_type_t cfg_type_plugin;
+static cfg_type_t cfg_type_ixfrdifftype;
+static cfg_type_t cfg_type_ixfrratio;
+static cfg_type_t cfg_type_key;
+static cfg_type_t cfg_type_logfile;
+static cfg_type_t cfg_type_logging;
+static cfg_type_t cfg_type_logseverity;
+static cfg_type_t cfg_type_logsuffix;
+static cfg_type_t cfg_type_logversions;
+static cfg_type_t cfg_type_remoteselement;
+static cfg_type_t cfg_type_maxduration;
+static cfg_type_t cfg_type_minimal;
+static cfg_type_t cfg_type_nameportiplist;
+static cfg_type_t cfg_type_notifytype;
+static cfg_type_t cfg_type_optional_allow;
+static cfg_type_t cfg_type_optional_class;
+static cfg_type_t cfg_type_optional_dscp;
+static cfg_type_t cfg_type_optional_facility;
+static cfg_type_t cfg_type_optional_keyref;
+static cfg_type_t cfg_type_optional_port;
+static cfg_type_t cfg_type_optional_uint32;
+static cfg_type_t cfg_type_options;
+static cfg_type_t cfg_type_portiplist;
+static cfg_type_t cfg_type_printtime;
+static cfg_type_t cfg_type_qminmethod;
+static cfg_type_t cfg_type_querysource4;
+static cfg_type_t cfg_type_querysource6;
+static cfg_type_t cfg_type_querysource;
+static cfg_type_t cfg_type_server;
+static cfg_type_t cfg_type_server_key_kludge;
+static cfg_type_t cfg_type_size;
+static cfg_type_t cfg_type_sizenodefault;
+static cfg_type_t cfg_type_sizeorpercent;
+static cfg_type_t cfg_type_sizeval;
+static cfg_type_t cfg_type_sockaddr4wild;
+static cfg_type_t cfg_type_sockaddr6wild;
+static cfg_type_t cfg_type_statschannels;
+static cfg_type_t cfg_type_view;
+static cfg_type_t cfg_type_viewopts;
+static cfg_type_t cfg_type_zone;
+
+/*% tkey-dhkey */
+
+static cfg_tuplefielddef_t tkey_dhkey_fields[] = {
+	{ "name", &cfg_type_qstring, 0 },
+	{ "keyid", &cfg_type_uint32, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_tkey_dhkey = { "tkey-dhkey",	   cfg_parse_tuple,
+					  cfg_print_tuple, cfg_doc_tuple,
+					  &cfg_rep_tuple,  tkey_dhkey_fields };
+
+/*% listen-on */
+
+static cfg_tuplefielddef_t listenon_fields[] = {
+	{ "port", &cfg_type_optional_port, 0 },
+	{ "dscp", &cfg_type_optional_dscp, CFG_CLAUSEFLAG_DEPRECATED },
+	{ "acl", &cfg_type_bracketed_aml, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_listenon = { "listenon",	 cfg_parse_tuple,
+					cfg_print_tuple, cfg_doc_tuple,
+					&cfg_rep_tuple,	 listenon_fields };
+
+/*% acl */
+
+static cfg_tuplefielddef_t acl_fields[] = { { "name", &cfg_type_astring, 0 },
+					    { "value", &cfg_type_bracketed_aml,
+					      0 },
+					    { NULL, NULL, 0 } };
+
+static cfg_type_t cfg_type_acl = { "acl",	    cfg_parse_tuple,
+				   cfg_print_tuple, cfg_doc_tuple,
+				   &cfg_rep_tuple,  acl_fields };
+
+/*% remote servers, used for primaries and parental agents */
+static cfg_tuplefielddef_t remotes_fields[] = {
+	{ "name", &cfg_type_astring, 0 },
+	{ "port", &cfg_type_optional_port, 0 },
+	{ "dscp", &cfg_type_optional_dscp, CFG_CLAUSEFLAG_DEPRECATED },
+	{ "addresses", &cfg_type_bracketed_namesockaddrkeylist, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_remoteservers = { "remote-servers", cfg_parse_tuple,
+					     cfg_print_tuple,  cfg_doc_tuple,
+					     &cfg_rep_tuple,   remotes_fields };
+
+/*%
+ * "sockaddrkeylist", a list of socket addresses with optional keys
+ * and an optional default port, as used in the remote-servers option.
+ * E.g.,
+ *   "port 1234 { myservers; 10.0.0.1 key foo; 1::2 port 69; }"
+ */
+
+static cfg_tuplefielddef_t namesockaddrkey_fields[] = {
+	{ "remoteselement", &cfg_type_remoteselement, 0 },
+	{ "key", &cfg_type_optional_keyref, 0 },
+	{ NULL, NULL, 0 },
+};
+
+static cfg_type_t cfg_type_namesockaddrkey = {
+	"namesockaddrkey", cfg_parse_tuple, cfg_print_tuple,
+	cfg_doc_tuple,	   &cfg_rep_tuple,  namesockaddrkey_fields
+};
+
+static cfg_type_t cfg_type_bracketed_namesockaddrkeylist = {
+	"bracketed_namesockaddrkeylist",
+	cfg_parse_bracketed_list,
+	cfg_print_bracketed_list,
+	cfg_doc_bracketed_list,
+	&cfg_rep_list,
+	&cfg_type_namesockaddrkey
+};
+
+static cfg_tuplefielddef_t namesockaddrkeylist_fields[] = {
+	{ "port", &cfg_type_optional_port, 0 },
+	{ "dscp", &cfg_type_optional_dscp, CFG_CLAUSEFLAG_DEPRECATED },
+	{ "addresses", &cfg_type_bracketed_namesockaddrkeylist, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_namesockaddrkeylist = {
+	"sockaddrkeylist", cfg_parse_tuple, cfg_print_tuple,
+	cfg_doc_tuple,	   &cfg_rep_tuple,  namesockaddrkeylist_fields
+};
+
+/*%
+ * A list of socket addresses with an optional default port, as used
+ * in the 'listen-on' option.  E.g., "{ 10.0.0.1; 1::2 port 69; }"
+ */
+static cfg_tuplefielddef_t portiplist_fields[] = {
+	{ "port", &cfg_type_optional_port, 0 },
+	{ "dscp", &cfg_type_optional_dscp, CFG_CLAUSEFLAG_DEPRECATED },
+	{ "addresses", &cfg_type_bracketed_dscpsockaddrlist, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_portiplist = { "portiplist",	   cfg_parse_tuple,
+					  cfg_print_tuple, cfg_doc_tuple,
+					  &cfg_rep_tuple,  portiplist_fields };
+
+/*
+ * Obsolete format for the "pubkey" statement.
+ */
+static cfg_tuplefielddef_t pubkey_fields[] = {
+	{ "flags", &cfg_type_uint32, 0 },
+	{ "protocol", &cfg_type_uint32, 0 },
+	{ "algorithm", &cfg_type_uint32, 0 },
+	{ "key", &cfg_type_qstring, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_pubkey = { "pubkey",	       cfg_parse_tuple,
+				      cfg_print_tuple, cfg_doc_tuple,
+				      &cfg_rep_tuple,  pubkey_fields };
+
+/*%
+ * A list of RR types, used in grant statements.
+ * Note that the old parser allows quotes around the RR type names.
+ */
+static cfg_type_t cfg_type_rrtypelist = {
+	"rrtypelist",	  cfg_parse_spacelist, cfg_print_spacelist,
+	cfg_doc_terminal, &cfg_rep_list,       &cfg_type_astring
+};
+
+static const char *mode_enums[] = { "deny", "grant", NULL };
+static cfg_type_t cfg_type_mode = {
+	"mode",	      cfg_parse_enum,  cfg_print_ustring,
+	cfg_doc_enum, &cfg_rep_string, &mode_enums
+};
+
+static isc_result_t
+parse_matchtype(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+
+	CHECK(cfg_peektoken(pctx, 0));
+	if (pctx->token.type == isc_tokentype_string &&
+	    strcasecmp(TOKEN_STRING(pctx), "zonesub") == 0)
+	{
+		pctx->flags |= CFG_PCTX_SKIP;
+	}
+	return (cfg_parse_enum(pctx, type, ret));
+
+cleanup:
+	return (result);
+}
+
+static isc_result_t
+parse_matchname(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+
+	if ((pctx->flags & CFG_PCTX_SKIP) != 0) {
+		pctx->flags &= ~CFG_PCTX_SKIP;
+		CHECK(cfg_parse_void(pctx, NULL, &obj));
+	} else {
+		result = cfg_parse_astring(pctx, type, &obj);
+	}
+
+	*ret = obj;
+cleanup:
+	return (result);
+}
+
+static void
+doc_matchname(cfg_printer_t *pctx, const cfg_type_t *type) {
+	cfg_print_cstr(pctx, "[ ");
+	cfg_doc_obj(pctx, type->of);
+	cfg_print_cstr(pctx, " ]");
+}
+
+static const char *matchtype_enums[] = { "6to4-self",
+					 "external",
+					 "krb5-self",
+					 "krb5-selfsub",
+					 "krb5-subdomain",
+					 "ms-self",
+					 "ms-selfsub",
+					 "ms-subdomain",
+					 "name",
+					 "self",
+					 "selfsub",
+					 "selfwild",
+					 "subdomain",
+					 "tcp-self",
+					 "wildcard",
+					 "zonesub",
+					 NULL };
+
+static cfg_type_t cfg_type_matchtype = { "matchtype",	    parse_matchtype,
+					 cfg_print_ustring, cfg_doc_enum,
+					 &cfg_rep_string,   &matchtype_enums };
+
+static cfg_type_t cfg_type_matchname = {
+	"optional_matchname", parse_matchname, cfg_print_ustring,
+	doc_matchname,	      &cfg_rep_tuple,  &cfg_type_ustring
+};
+
+/*%
+ * A grant statement, used in the update policy.
+ */
+static cfg_tuplefielddef_t grant_fields[] = {
+	{ "mode", &cfg_type_mode, 0 },
+	{ "identity", &cfg_type_astring, 0 }, /* domain name */
+	{ "matchtype", &cfg_type_matchtype, 0 },
+	{ "name", &cfg_type_matchname, 0 }, /* domain name */
+	{ "types", &cfg_type_rrtypelist, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_grant = { "grant",	      cfg_parse_tuple,
+				     cfg_print_tuple, cfg_doc_tuple,
+				     &cfg_rep_tuple,  grant_fields };
+
+static cfg_type_t cfg_type_updatepolicy = {
+	"update_policy",  parse_updatepolicy, print_updatepolicy,
+	doc_updatepolicy, &cfg_rep_list,      &cfg_type_grant
+};
+
+static isc_result_t
+parse_updatepolicy(cfg_parser_t *pctx, const cfg_type_t *type,
+		   cfg_obj_t **ret) {
+	isc_result_t result;
+	CHECK(cfg_gettoken(pctx, 0));
+	if (pctx->token.type == isc_tokentype_special &&
+	    pctx->token.value.as_char == '{')
+	{
+		cfg_ungettoken(pctx);
+		return (cfg_parse_bracketed_list(pctx, type, ret));
+	}
+
+	if (pctx->token.type == isc_tokentype_string &&
+	    strcasecmp(TOKEN_STRING(pctx), "local") == 0)
+	{
+		cfg_obj_t *obj = NULL;
+		CHECK(cfg_create_obj(pctx, &cfg_type_ustring, &obj));
+		obj->value.string.length = strlen("local");
+		obj->value.string.base =
+			isc_mem_get(pctx->mctx, obj->value.string.length + 1);
+		memmove(obj->value.string.base, "local", 5);
+		obj->value.string.base[5] = '\0';
+		*ret = obj;
+		return (ISC_R_SUCCESS);
+	}
+
+	cfg_ungettoken(pctx);
+	return (ISC_R_UNEXPECTEDTOKEN);
+
+cleanup:
+	return (result);
+}
+
+static void
+print_updatepolicy(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	if (cfg_obj_isstring(obj)) {
+		cfg_print_ustring(pctx, obj);
+	} else {
+		cfg_print_bracketed_list(pctx, obj);
+	}
+}
+
+static void
+doc_updatepolicy(cfg_printer_t *pctx, const cfg_type_t *type) {
+	cfg_print_cstr(pctx, "( local | { ");
+	cfg_doc_obj(pctx, type->of);
+	cfg_print_cstr(pctx, "; ... } )");
+}
+
+/*%
+ * A view statement.
+ */
+static cfg_tuplefielddef_t view_fields[] = {
+	{ "name", &cfg_type_astring, 0 },
+	{ "class", &cfg_type_optional_class, 0 },
+	{ "options", &cfg_type_viewopts, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_view = { "view",	     cfg_parse_tuple,
+				    cfg_print_tuple, cfg_doc_tuple,
+				    &cfg_rep_tuple,  view_fields };
+
+/*%
+ * A zone statement.
+ */
+static cfg_tuplefielddef_t zone_fields[] = {
+	{ "name", &cfg_type_astring, 0 },
+	{ "class", &cfg_type_optional_class, 0 },
+	{ "options", &cfg_type_zoneopts, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_zone = { "zone",	     cfg_parse_tuple,
+				    cfg_print_tuple, cfg_doc_tuple,
+				    &cfg_rep_tuple,  zone_fields };
+
+/*%
+ * A dnssec-policy statement.
+ */
+static cfg_tuplefielddef_t dnssecpolicy_fields[] = {
+	{ "name", &cfg_type_astring, 0 },
+	{ "options", &cfg_type_dnssecpolicyopts, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_dnssecpolicy = {
+	"dnssec-policy", cfg_parse_tuple, cfg_print_tuple,
+	cfg_doc_tuple,	 &cfg_rep_tuple,  dnssecpolicy_fields
+};
+
+/*%
+ * A "category" clause in the "logging" statement.
+ */
+static cfg_tuplefielddef_t category_fields[] = {
+	{ "name", &cfg_type_astring, 0 },
+	{ "destinations", &cfg_type_destinationlist, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_category = { "category",	 cfg_parse_tuple,
+					cfg_print_tuple, cfg_doc_tuple,
+					&cfg_rep_tuple,	 category_fields };
+
+static isc_result_t
+parse_maxduration(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	return (cfg_parse_enum_or_other(pctx, type, &cfg_type_duration, ret));
+}
+
+static void
+doc_maxduration(cfg_printer_t *pctx, const cfg_type_t *type) {
+	cfg_doc_enum_or_other(pctx, type, &cfg_type_duration);
+}
+
+/*%
+ * A duration or "unlimited", but not "default".
+ */
+static const char *maxduration_enums[] = { "unlimited", NULL };
+static cfg_type_t cfg_type_maxduration = {
+	"maxduration_no_default", parse_maxduration, cfg_print_ustring,
+	doc_maxduration,	  &cfg_rep_duration, maxduration_enums
+};
+
+/*%
+ * A dnssec key, as used in the "trusted-keys" statement.
+ */
+static cfg_tuplefielddef_t dnsseckey_fields[] = {
+	{ "name", &cfg_type_astring, 0 },
+	{ "anchortype", &cfg_type_void, 0 },
+	{ "rdata1", &cfg_type_uint32, 0 },
+	{ "rdata2", &cfg_type_uint32, 0 },
+	{ "rdata3", &cfg_type_uint32, 0 },
+	{ "data", &cfg_type_qstring, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_dnsseckey = { "dnsseckey",	  cfg_parse_tuple,
+					 cfg_print_tuple, cfg_doc_tuple,
+					 &cfg_rep_tuple,  dnsseckey_fields };
+
+/*%
+ * Optional enums.
+ *
+ */
+static isc_result_t
+parse_optional_enum(cfg_parser_t *pctx, const cfg_type_t *type,
+		    cfg_obj_t **ret) {
+	return (cfg_parse_enum_or_other(pctx, type, &cfg_type_void, ret));
+}
+
+static void
+doc_optional_enum(cfg_printer_t *pctx, const cfg_type_t *type) {
+	UNUSED(type);
+	cfg_print_cstr(pctx, "[ ");
+	cfg_doc_enum(pctx, type);
+	cfg_print_cstr(pctx, " ]");
+}
+
+/*%
+ * A key initialization specifier, as used in the
+ * "trust-anchors" (or synonymous "managed-keys") statement.
+ */
+static const char *anchortype_enums[] = { "static-key", "initial-key",
+					  "static-ds", "initial-ds", NULL };
+static cfg_type_t cfg_type_anchortype = { "anchortype",	     cfg_parse_enum,
+					  cfg_print_ustring, cfg_doc_enum,
+					  &cfg_rep_string,   anchortype_enums };
+static cfg_tuplefielddef_t managedkey_fields[] = {
+	{ "name", &cfg_type_astring, 0 },
+	{ "anchortype", &cfg_type_anchortype, 0 },
+	{ "rdata1", &cfg_type_uint32, 0 },
+	{ "rdata2", &cfg_type_uint32, 0 },
+	{ "rdata3", &cfg_type_uint32, 0 },
+	{ "data", &cfg_type_qstring, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_managedkey = { "managedkey",	   cfg_parse_tuple,
+					  cfg_print_tuple, cfg_doc_tuple,
+					  &cfg_rep_tuple,  managedkey_fields };
+
+/*%
+ * DNSSEC key roles.
+ */
+static const char *dnsseckeyrole_enums[] = { "csk", "ksk", "zsk", NULL };
+static cfg_type_t cfg_type_dnsseckeyrole = {
+	"dnssec-key-role", cfg_parse_enum,  cfg_print_ustring,
+	cfg_doc_enum,	   &cfg_rep_string, &dnsseckeyrole_enums
+};
+
+/*%
+ * DNSSEC key storage types.
+ */
+static const char *dnsseckeystore_enums[] = { "key-directory", NULL };
+static cfg_type_t cfg_type_dnsseckeystore = {
+	"dnssec-key-storage", parse_optional_enum, cfg_print_ustring,
+	doc_optional_enum,    &cfg_rep_string,	   dnsseckeystore_enums
+};
+
+/*%
+ * A dnssec key, as used in the "keys" statement in a "dnssec-policy".
+ */
+static keyword_type_t algorithm_kw = { "algorithm", &cfg_type_ustring };
+static cfg_type_t cfg_type_algorithm = { "algorithm",	  parse_keyvalue,
+					 print_keyvalue,  doc_keyvalue,
+					 &cfg_rep_string, &algorithm_kw };
+
+static keyword_type_t lifetime_kw = { "lifetime",
+				      &cfg_type_duration_or_unlimited };
+static cfg_type_t cfg_type_lifetime = { "lifetime",	   parse_keyvalue,
+					print_keyvalue,	   doc_keyvalue,
+					&cfg_rep_duration, &lifetime_kw };
+
+static cfg_tuplefielddef_t kaspkey_fields[] = {
+	{ "role", &cfg_type_dnsseckeyrole, 0 },
+	{ "keystore-type", &cfg_type_dnsseckeystore, 0 },
+	{ "lifetime", &cfg_type_lifetime, 0 },
+	{ "algorithm", &cfg_type_algorithm, 0 },
+	{ "length", &cfg_type_optional_uint32, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_kaspkey = { "kaspkey",	cfg_parse_tuple,
+				       cfg_print_tuple, cfg_doc_tuple,
+				       &cfg_rep_tuple,	kaspkey_fields };
+
+/*%
+ * NSEC3 parameters.
+ */
+static keyword_type_t nsec3iter_kw = { "iterations", &cfg_type_uint32 };
+static cfg_type_t cfg_type_nsec3iter = {
+	"iterations",	       parse_optional_keyvalue, print_keyvalue,
+	doc_optional_keyvalue, &cfg_rep_uint32,		&nsec3iter_kw
+};
+
+static keyword_type_t nsec3optout_kw = { "optout", &cfg_type_boolean };
+static cfg_type_t cfg_type_nsec3optout = {
+	"optout",	  parse_optional_keyvalue,
+	print_keyvalue,	  doc_optional_keyvalue,
+	&cfg_rep_boolean, &nsec3optout_kw
+};
+
+static keyword_type_t nsec3salt_kw = { "salt-length", &cfg_type_uint32 };
+static cfg_type_t cfg_type_nsec3salt = {
+	"salt-length",	       parse_optional_keyvalue, print_keyvalue,
+	doc_optional_keyvalue, &cfg_rep_uint32,		&nsec3salt_kw
+};
+
+static cfg_tuplefielddef_t nsec3param_fields[] = {
+	{ "iterations", &cfg_type_nsec3iter, 0 },
+	{ "optout", &cfg_type_nsec3optout, 0 },
+	{ "salt-length", &cfg_type_nsec3salt, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_nsec3 = { "nsec3param",    cfg_parse_tuple,
+				     cfg_print_tuple, cfg_doc_tuple,
+				     &cfg_rep_tuple,  nsec3param_fields };
+
+/*%
+ * Wild class, type, name.
+ */
+static keyword_type_t wild_class_kw = { "class", &cfg_type_ustring };
+
+static cfg_type_t cfg_type_optional_wild_class = {
+	"optional_wild_class", parse_optional_keyvalue, print_keyvalue,
+	doc_optional_keyvalue, &cfg_rep_string,		&wild_class_kw
+};
+
+static keyword_type_t wild_type_kw = { "type", &cfg_type_ustring };
+
+static cfg_type_t cfg_type_optional_wild_type = {
+	"optional_wild_type",  parse_optional_keyvalue, print_keyvalue,
+	doc_optional_keyvalue, &cfg_rep_string,		&wild_type_kw
+};
+
+static keyword_type_t wild_name_kw = { "name", &cfg_type_qstring };
+
+static cfg_type_t cfg_type_optional_wild_name = {
+	"optional_wild_name",  parse_optional_keyvalue, print_keyvalue,
+	doc_optional_keyvalue, &cfg_rep_string,		&wild_name_kw
+};
+
+/*%
+ * An rrset ordering element.
+ */
+static cfg_tuplefielddef_t rrsetorderingelement_fields[] = {
+	{ "class", &cfg_type_optional_wild_class, 0 },
+	{ "type", &cfg_type_optional_wild_type, 0 },
+	{ "name", &cfg_type_optional_wild_name, 0 },
+	{ "order", &cfg_type_ustring, 0 }, /* must be literal "order" */
+	{ "ordering", &cfg_type_ustring, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_rrsetorderingelement = {
+	"rrsetorderingelement", cfg_parse_tuple, cfg_print_tuple,
+	cfg_doc_tuple,		&cfg_rep_tuple,	 rrsetorderingelement_fields
+};
+
+/*%
+ * A global or view "check-names" option.  Note that the zone
+ * "check-names" option has a different syntax.
+ */
+
+static const char *checktype_enums[] = { "primary", "master",	"secondary",
+					 "slave",   "response", NULL };
+static cfg_type_t cfg_type_checktype = { "checktype",	    cfg_parse_enum,
+					 cfg_print_ustring, cfg_doc_enum,
+					 &cfg_rep_string,   &checktype_enums };
+
+static const char *checkmode_enums[] = { "fail", "warn", "ignore", NULL };
+static cfg_type_t cfg_type_checkmode = { "checkmode",	    cfg_parse_enum,
+					 cfg_print_ustring, cfg_doc_enum,
+					 &cfg_rep_string,   &checkmode_enums };
+
+static const char *warn_enums[] = { "warn", "ignore", NULL };
+static cfg_type_t cfg_type_warn = {
+	"warn",	      cfg_parse_enum,  cfg_print_ustring,
+	cfg_doc_enum, &cfg_rep_string, &warn_enums
+};
+
+static cfg_tuplefielddef_t checknames_fields[] = {
+	{ "type", &cfg_type_checktype, 0 },
+	{ "mode", &cfg_type_checkmode, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_checknames = { "checknames",	   cfg_parse_tuple,
+					  cfg_print_tuple, cfg_doc_tuple,
+					  &cfg_rep_tuple,  checknames_fields };
+
+static cfg_type_t cfg_type_bracketed_dscpsockaddrlist = {
+	"bracketed_sockaddrlist",
+	cfg_parse_bracketed_list,
+	cfg_print_bracketed_list,
+	cfg_doc_bracketed_list,
+	&cfg_rep_list,
+	&cfg_type_sockaddrdscp
+};
+
+static cfg_type_t cfg_type_bracketed_netaddrlist = { "bracketed_netaddrlist",
+						     cfg_parse_bracketed_list,
+						     cfg_print_bracketed_list,
+						     cfg_doc_bracketed_list,
+						     &cfg_rep_list,
+						     &cfg_type_netaddr };
+
+static const char *autodnssec_enums[] = { "allow", "maintain", "off", NULL };
+static cfg_type_t cfg_type_autodnssec = {
+	"autodnssec", cfg_parse_enum,  cfg_print_ustring,
+	cfg_doc_enum, &cfg_rep_string, &autodnssec_enums
+};
+
+static const char *dnssecupdatemode_enums[] = { "maintain", "no-resign", NULL };
+static cfg_type_t cfg_type_dnssecupdatemode = {
+	"dnssecupdatemode", cfg_parse_enum,  cfg_print_ustring,
+	cfg_doc_enum,	    &cfg_rep_string, &dnssecupdatemode_enums
+};
+
+static const char *updatemethods_enums[] = { "date", "increment", "unixtime",
+					     NULL };
+static cfg_type_t cfg_type_updatemethod = {
+	"updatemethod", cfg_parse_enum,	 cfg_print_ustring,
+	cfg_doc_enum,	&cfg_rep_string, &updatemethods_enums
+};
+
+/*
+ * zone-statistics: full, terse, or none.
+ *
+ * for backward compatibility, we also support boolean values.
+ * yes represents "full", no represents "terse". in the future we
+ * may change no to mean "none".
+ */
+static const char *zonestat_enums[] = { "full", "terse", "none", NULL };
+static isc_result_t
+parse_zonestat(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	return (cfg_parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
+}
+static void
+doc_zonestat(cfg_printer_t *pctx, const cfg_type_t *type) {
+	cfg_doc_enum_or_other(pctx, type, &cfg_type_boolean);
+}
+static cfg_type_t cfg_type_zonestat = { "zonestat",	   parse_zonestat,
+					cfg_print_ustring, doc_zonestat,
+					&cfg_rep_string,   zonestat_enums };
+
+static cfg_type_t cfg_type_rrsetorder = { "rrsetorder",
+					  cfg_parse_bracketed_list,
+					  cfg_print_bracketed_list,
+					  cfg_doc_bracketed_list,
+					  &cfg_rep_list,
+					  &cfg_type_rrsetorderingelement };
+
+static keyword_type_t dscp_kw = { "dscp", &cfg_type_uint32 };
+
+static cfg_type_t cfg_type_optional_dscp = {
+	"optional_dscp",       parse_optional_keyvalue, print_keyvalue,
+	doc_optional_keyvalue, &cfg_rep_uint32,		&dscp_kw
+};
+
+static keyword_type_t port_kw = { "port", &cfg_type_uint32 };
+
+static cfg_type_t cfg_type_optional_port = {
+	"optional_port",       parse_optional_keyvalue, print_keyvalue,
+	doc_optional_keyvalue, &cfg_rep_uint32,		&port_kw
+};
+
+/*% A list of keys, as in the "key" clause of the controls statement. */
+static cfg_type_t cfg_type_keylist = { "keylist",
+				       cfg_parse_bracketed_list,
+				       cfg_print_bracketed_list,
+				       cfg_doc_bracketed_list,
+				       &cfg_rep_list,
+				       &cfg_type_astring };
+
+/*% A list of dnssec keys, as in "trusted-keys". Deprecated. */
+static cfg_type_t cfg_type_trustedkeys = { "trustedkeys",
+					   cfg_parse_bracketed_list,
+					   cfg_print_bracketed_list,
+					   cfg_doc_bracketed_list,
+					   &cfg_rep_list,
+					   &cfg_type_dnsseckey };
+
+/*%
+ * A list of managed trust anchors.  Each entry contains a name, a keyword
+ * ("static-key", initial-key", "static-ds" or "initial-ds"), and the
+ * fields associated with either a DNSKEY or a DS record.
+ */
+static cfg_type_t cfg_type_dnsseckeys = { "dnsseckeys",
+					  cfg_parse_bracketed_list,
+					  cfg_print_bracketed_list,
+					  cfg_doc_bracketed_list,
+					  &cfg_rep_list,
+					  &cfg_type_managedkey };
+
+/*%
+ * A list of key entries, used in a DNSSEC Key and Signing Policy.
+ */
+static cfg_type_t cfg_type_kaspkeys = { "kaspkeys",
+					cfg_parse_bracketed_list,
+					cfg_print_bracketed_list,
+					cfg_doc_bracketed_list,
+					&cfg_rep_list,
+					&cfg_type_kaspkey };
+
+static const char *forwardtype_enums[] = { "first", "only", NULL };
+static cfg_type_t cfg_type_forwardtype = {
+	"forwardtype", cfg_parse_enum,	cfg_print_ustring,
+	cfg_doc_enum,  &cfg_rep_string, &forwardtype_enums
+};
+
+static const char *zonetype_enums[] = {
+	"primary",  "master",	       "secondary", "slave",
+	"mirror",   "delegation-only", "forward",   "hint",
+	"redirect", "static-stub",     "stub",	    NULL
+};
+static cfg_type_t cfg_type_zonetype = { "zonetype",	   cfg_parse_enum,
+					cfg_print_ustring, cfg_doc_enum,
+					&cfg_rep_string,   &zonetype_enums };
+
+static const char *loglevel_enums[] = { "critical", "error", "warning",
+					"notice",   "info",  "dynamic",
+					NULL };
+static cfg_type_t cfg_type_loglevel = { "loglevel",	   cfg_parse_enum,
+					cfg_print_ustring, cfg_doc_enum,
+					&cfg_rep_string,   &loglevel_enums };
+
+static const char *transferformat_enums[] = { "many-answers", "one-answer",
+					      NULL };
+static cfg_type_t cfg_type_transferformat = {
+	"transferformat", cfg_parse_enum,  cfg_print_ustring,
+	cfg_doc_enum,	  &cfg_rep_string, &transferformat_enums
+};
+
+/*%
+ * The special keyword "none", as used in the pid-file option.
+ */
+
+static void
+print_none(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	UNUSED(obj);
+	cfg_print_cstr(pctx, "none");
+}
+
+static cfg_type_t cfg_type_none = { "none", NULL,	   print_none,
+				    NULL,   &cfg_rep_void, NULL };
+
+/*%
+ * A quoted string or the special keyword "none".  Used in the pid-file option.
+ */
+static isc_result_t
+parse_qstringornone(cfg_parser_t *pctx, const cfg_type_t *type,
+		    cfg_obj_t **ret) {
+	isc_result_t result;
+
+	CHECK(cfg_gettoken(pctx, CFG_LEXOPT_QSTRING));
+	if (pctx->token.type == isc_tokentype_string &&
+	    strcasecmp(TOKEN_STRING(pctx), "none") == 0)
+	{
+		return (cfg_create_obj(pctx, &cfg_type_none, ret));
+	}
+	cfg_ungettoken(pctx);
+	return (cfg_parse_qstring(pctx, type, ret));
+cleanup:
+	return (result);
+}
+
+static void
+doc_qstringornone(cfg_printer_t *pctx, const cfg_type_t *type) {
+	UNUSED(type);
+	cfg_print_cstr(pctx, "( <quoted_string> | none )");
+}
+
+static cfg_type_t cfg_type_qstringornone = { "qstringornone",
+					     parse_qstringornone,
+					     NULL,
+					     doc_qstringornone,
+					     NULL,
+					     NULL };
+
+/*%
+ * A boolean ("yes" or "no"), or the special keyword "auto".
+ * Used in the dnssec-validation option.
+ */
+static void
+print_auto(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	UNUSED(obj);
+	cfg_print_cstr(pctx, "auto");
+}
+
+static cfg_type_t cfg_type_auto = { "auto", NULL,	   print_auto,
+				    NULL,   &cfg_rep_void, NULL };
+
+static isc_result_t
+parse_boolorauto(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+
+	CHECK(cfg_gettoken(pctx, CFG_LEXOPT_QSTRING));
+	if (pctx->token.type == isc_tokentype_string &&
+	    strcasecmp(TOKEN_STRING(pctx), "auto") == 0)
+	{
+		return (cfg_create_obj(pctx, &cfg_type_auto, ret));
+	}
+	cfg_ungettoken(pctx);
+	return (cfg_parse_boolean(pctx, type, ret));
+cleanup:
+	return (result);
+}
+
+static void
+print_boolorauto(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	if (obj->type->rep == &cfg_rep_void) {
+		cfg_print_cstr(pctx, "auto");
+	} else if (obj->value.boolean) {
+		cfg_print_cstr(pctx, "yes");
+	} else {
+		cfg_print_cstr(pctx, "no");
+	}
+}
+
+static void
+doc_boolorauto(cfg_printer_t *pctx, const cfg_type_t *type) {
+	UNUSED(type);
+	cfg_print_cstr(pctx, "( yes | no | auto )");
+}
+
+static cfg_type_t cfg_type_boolorauto = {
+	"boolorauto", parse_boolorauto, print_boolorauto, doc_boolorauto, NULL,
+	NULL
+};
+
+/*%
+ * keyword hostname
+ */
+static void
+print_hostname(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	UNUSED(obj);
+	cfg_print_cstr(pctx, "hostname");
+}
+
+static cfg_type_t cfg_type_hostname = { "hostname",	  NULL,
+					print_hostname,	  NULL,
+					&cfg_rep_boolean, NULL };
+
+/*%
+ * "server-id" argument.
+ */
+
+static isc_result_t
+parse_serverid(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+	CHECK(cfg_gettoken(pctx, CFG_LEXOPT_QSTRING));
+	if (pctx->token.type == isc_tokentype_string &&
+	    strcasecmp(TOKEN_STRING(pctx), "none") == 0)
+	{
+		return (cfg_create_obj(pctx, &cfg_type_none, ret));
+	}
+	if (pctx->token.type == isc_tokentype_string &&
+	    strcasecmp(TOKEN_STRING(pctx), "hostname") == 0)
+	{
+		result = cfg_create_obj(pctx, &cfg_type_hostname, ret);
+		if (result == ISC_R_SUCCESS) {
+			(*ret)->value.boolean = true;
+		}
+		return (result);
+	}
+	cfg_ungettoken(pctx);
+	return (cfg_parse_qstring(pctx, type, ret));
+cleanup:
+	return (result);
+}
+
+static void
+doc_serverid(cfg_printer_t *pctx, const cfg_type_t *type) {
+	UNUSED(type);
+	cfg_print_cstr(pctx, "( <quoted_string> | none | hostname )");
+}
+
+static cfg_type_t cfg_type_serverid = { "serverid",   parse_serverid, NULL,
+					doc_serverid, NULL,	      NULL };
+
+/*%
+ * Port list.
+ */
+static void
+print_porttuple(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	cfg_print_cstr(pctx, "range ");
+	cfg_print_tuple(pctx, obj);
+}
+static cfg_tuplefielddef_t porttuple_fields[] = {
+	{ "loport", &cfg_type_uint32, 0 },
+	{ "hiport", &cfg_type_uint32, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_porttuple = { "porttuple",	  cfg_parse_tuple,
+					 print_porttuple, cfg_doc_tuple,
+					 &cfg_rep_tuple,  porttuple_fields };
+
+static isc_result_t
+parse_port(cfg_parser_t *pctx, cfg_obj_t **ret) {
+	isc_result_t result;
+
+	CHECK(cfg_parse_uint32(pctx, NULL, ret));
+	if ((*ret)->value.uint32 > 0xffff) {
+		cfg_parser_error(pctx, CFG_LOG_NEAR, "invalid port");
+		cfg_obj_destroy(pctx, ret);
+		result = ISC_R_RANGE;
+	}
+
+cleanup:
+	return (result);
+}
+
+static isc_result_t
+parse_portrange(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+
+	UNUSED(type);
+
+	CHECK(cfg_peektoken(pctx, ISC_LEXOPT_NUMBER | ISC_LEXOPT_CNUMBER));
+	if (pctx->token.type == isc_tokentype_number) {
+		CHECK(parse_port(pctx, ret));
+	} else {
+		CHECK(cfg_gettoken(pctx, 0));
+		if (pctx->token.type != isc_tokentype_string ||
+		    strcasecmp(TOKEN_STRING(pctx), "range") != 0)
+		{
+			cfg_parser_error(pctx, CFG_LOG_NEAR,
+					 "expected integer or 'range'");
+			return (ISC_R_UNEXPECTEDTOKEN);
+		}
+		CHECK(cfg_create_tuple(pctx, &cfg_type_porttuple, &obj));
+		CHECK(parse_port(pctx, &obj->value.tuple[0]));
+		CHECK(parse_port(pctx, &obj->value.tuple[1]));
+		if (obj->value.tuple[0]->value.uint32 >
+		    obj->value.tuple[1]->value.uint32)
+		{
+			cfg_parser_error(pctx, CFG_LOG_NOPREP,
+					 "low port '%u' must not be larger "
+					 "than high port",
+					 obj->value.tuple[0]->value.uint32);
+			result = ISC_R_RANGE;
+			goto cleanup;
+		}
+		*ret = obj;
+		obj = NULL;
+	}
+
+cleanup:
+	if (obj != NULL) {
+		cfg_obj_destroy(pctx, &obj);
+	}
+	return (result);
+}
+
+static cfg_type_t cfg_type_portrange = { "portrange", parse_portrange,
+					 NULL,	      cfg_doc_terminal,
+					 NULL,	      NULL };
+
+static cfg_type_t cfg_type_bracketed_portlist = { "bracketed_sockaddrlist",
+						  cfg_parse_bracketed_list,
+						  cfg_print_bracketed_list,
+						  cfg_doc_bracketed_list,
+						  &cfg_rep_list,
+						  &cfg_type_portrange };
+
+static const char *cookiealg_enums[] = { "aes", "siphash24", NULL };
+static cfg_type_t cfg_type_cookiealg = { "cookiealg",	    cfg_parse_enum,
+					 cfg_print_ustring, cfg_doc_enum,
+					 &cfg_rep_string,   &cookiealg_enums };
+
+/*%
+ * fetch-quota-params
+ */
+
+static cfg_tuplefielddef_t fetchquota_fields[] = {
+	{ "frequency", &cfg_type_uint32, 0 },
+	{ "low", &cfg_type_fixedpoint, 0 },
+	{ "high", &cfg_type_fixedpoint, 0 },
+	{ "discount", &cfg_type_fixedpoint, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_fetchquota = { "fetchquota",	   cfg_parse_tuple,
+					  cfg_print_tuple, cfg_doc_tuple,
+					  &cfg_rep_tuple,  fetchquota_fields };
+
+/*%
+ * fetches-per-server or fetches-per-zone
+ */
+
+static const char *response_enums[] = { "drop", "fail", NULL };
+
+static cfg_type_t cfg_type_responsetype = {
+	"responsetype",	   parse_optional_enum, cfg_print_ustring,
+	doc_optional_enum, &cfg_rep_string,	response_enums
+};
+
+static cfg_tuplefielddef_t fetchesper_fields[] = {
+	{ "fetches", &cfg_type_uint32, 0 },
+	{ "response", &cfg_type_responsetype, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_fetchesper = { "fetchesper",	   cfg_parse_tuple,
+					  cfg_print_tuple, cfg_doc_tuple,
+					  &cfg_rep_tuple,  fetchesper_fields };
+
+/*%
+ * Clauses that can be found within the top level of the named.conf
+ * file only.
+ */
+static cfg_clausedef_t namedconf_clauses[] = {
+	{ "acl", &cfg_type_acl, CFG_CLAUSEFLAG_MULTI },
+	{ "controls", &cfg_type_controls, CFG_CLAUSEFLAG_MULTI },
+	{ "dnssec-policy", &cfg_type_dnssecpolicy, CFG_CLAUSEFLAG_MULTI },
+	{ "logging", &cfg_type_logging, 0 },
+	{ "lwres", &cfg_type_bracketed_text,
+	  CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_OBSOLETE },
+	{ "masters", &cfg_type_remoteservers, CFG_CLAUSEFLAG_MULTI },
+	{ "options", &cfg_type_options, 0 },
+	{ "parental-agents", &cfg_type_remoteservers, CFG_CLAUSEFLAG_MULTI },
+	{ "primaries", &cfg_type_remoteservers, CFG_CLAUSEFLAG_MULTI },
+	{ "statistics-channels", &cfg_type_statschannels,
+	  CFG_CLAUSEFLAG_MULTI },
+	{ "view", &cfg_type_view, CFG_CLAUSEFLAG_MULTI },
+	{ NULL, NULL, 0 }
+};
+
+/*%
+ * Clauses that can occur at the top level or in the view
+ * statement, but not in the options block.
+ */
+static cfg_clausedef_t namedconf_or_view_clauses[] = {
+	{ "dlz", &cfg_type_dlz, CFG_CLAUSEFLAG_MULTI },
+	{ "dyndb", &cfg_type_dyndb, CFG_CLAUSEFLAG_MULTI },
+	{ "key", &cfg_type_key, CFG_CLAUSEFLAG_MULTI },
+	{ "managed-keys", &cfg_type_dnsseckeys,
+	  CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_DEPRECATED },
+	{ "plugin", &cfg_type_plugin, CFG_CLAUSEFLAG_MULTI },
+	{ "server", &cfg_type_server, CFG_CLAUSEFLAG_MULTI },
+	{ "trust-anchors", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI },
+	{ "trusted-keys", &cfg_type_trustedkeys,
+	  CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_DEPRECATED },
+	{ "zone", &cfg_type_zone, CFG_CLAUSEFLAG_MULTI },
+	{ NULL, NULL, 0 }
+};
+
+/*%
+ * Clauses that can occur in the bind.keys file.
+ */
+static cfg_clausedef_t bindkeys_clauses[] = {
+	{ "managed-keys", &cfg_type_dnsseckeys,
+	  CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_DEPRECATED },
+	{ "trust-anchors", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI },
+	{ "trusted-keys", &cfg_type_trustedkeys,
+	  CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_DEPRECATED },
+	{ NULL, NULL, 0 }
+};
+
+static const char *fstrm_model_enums[] = { "mpsc", "spsc", NULL };
+static cfg_type_t cfg_type_fstrm_model = {
+	"model",      cfg_parse_enum,  cfg_print_ustring,
+	cfg_doc_enum, &cfg_rep_string, &fstrm_model_enums
+};
+
+/*%
+ * Clauses that can be found within the 'options' statement.
+ */
+static cfg_clausedef_t options_clauses[] = {
+	{ "answer-cookie", &cfg_type_boolean, 0 },
+	{ "automatic-interface-scan", &cfg_type_boolean, 0 },
+	{ "avoid-v4-udp-ports", &cfg_type_bracketed_portlist, 0 },
+	{ "avoid-v6-udp-ports", &cfg_type_bracketed_portlist, 0 },
+	{ "bindkeys-file", &cfg_type_qstring, 0 },
+	{ "blackhole", &cfg_type_bracketed_aml, 0 },
+	{ "cookie-algorithm", &cfg_type_cookiealg, 0 },
+	{ "cookie-secret", &cfg_type_sstring, CFG_CLAUSEFLAG_MULTI },
+	{ "coresize", &cfg_type_size, 0 },
+	{ "datasize", &cfg_type_size, 0 },
+	{ "deallocate-on-exit", &cfg_type_boolean, CFG_CLAUSEFLAG_ANCIENT },
+	{ "directory", &cfg_type_qstring, CFG_CLAUSEFLAG_CALLBACK },
+#ifdef HAVE_DNSTAP
+	{ "dnstap-output", &cfg_type_dnstapoutput, 0 },
+	{ "dnstap-identity", &cfg_type_serverid, 0 },
+	{ "dnstap-version", &cfg_type_qstringornone, 0 },
+#else  /* ifdef HAVE_DNSTAP */
+	{ "dnstap-output", &cfg_type_dnstapoutput,
+	  CFG_CLAUSEFLAG_NOTCONFIGURED },
+	{ "dnstap-identity", &cfg_type_serverid, CFG_CLAUSEFLAG_NOTCONFIGURED },
+	{ "dnstap-version", &cfg_type_qstringornone,
+	  CFG_CLAUSEFLAG_NOTCONFIGURED },
+#endif /* ifdef HAVE_DNSTAP */
+	{ "dscp", &cfg_type_uint32, CFG_CLAUSEFLAG_DEPRECATED },
+	{ "dump-file", &cfg_type_qstring, 0 },
+	{ "fake-iquery", &cfg_type_boolean, CFG_CLAUSEFLAG_ANCIENT },
+	{ "files", &cfg_type_size, 0 },
+	{ "flush-zones-on-shutdown", &cfg_type_boolean, 0 },
+#ifdef HAVE_DNSTAP
+	{ "fstrm-set-buffer-hint", &cfg_type_uint32, 0 },
+	{ "fstrm-set-flush-timeout", &cfg_type_uint32, 0 },
+	{ "fstrm-set-input-queue-size", &cfg_type_uint32, 0 },
+	{ "fstrm-set-output-notify-threshold", &cfg_type_uint32, 0 },
+	{ "fstrm-set-output-queue-model", &cfg_type_fstrm_model, 0 },
+	{ "fstrm-set-output-queue-size", &cfg_type_uint32, 0 },
+	{ "fstrm-set-reopen-interval", &cfg_type_duration, 0 },
+#else  /* ifdef HAVE_DNSTAP */
+	{ "fstrm-set-buffer-hint", &cfg_type_uint32,
+	  CFG_CLAUSEFLAG_NOTCONFIGURED },
+	{ "fstrm-set-flush-timeout", &cfg_type_uint32,
+	  CFG_CLAUSEFLAG_NOTCONFIGURED },
+	{ "fstrm-set-input-queue-size", &cfg_type_uint32,
+	  CFG_CLAUSEFLAG_NOTCONFIGURED },
+	{ "fstrm-set-output-notify-threshold", &cfg_type_uint32,
+	  CFG_CLAUSEFLAG_NOTCONFIGURED },
+	{ "fstrm-set-output-queue-model", &cfg_type_fstrm_model,
+	  CFG_CLAUSEFLAG_NOTCONFIGURED },
+	{ "fstrm-set-output-queue-size", &cfg_type_uint32,
+	  CFG_CLAUSEFLAG_NOTCONFIGURED },
+	{ "fstrm-set-reopen-interval", &cfg_type_duration,
+	  CFG_CLAUSEFLAG_NOTCONFIGURED },
+#endif /* HAVE_DNSTAP */
+#if defined(HAVE_GEOIP2)
+	{ "geoip-directory", &cfg_type_qstringornone, 0 },
+#else  /* if defined(HAVE_GEOIP2) */
+	{ "geoip-directory", &cfg_type_qstringornone,
+	  CFG_CLAUSEFLAG_NOTCONFIGURED },
+#endif /* HAVE_GEOIP2 */
+	{ "geoip-use-ecs", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "has-old-clients", &cfg_type_boolean, CFG_CLAUSEFLAG_ANCIENT },
+	{ "heartbeat-interval", &cfg_type_uint32, 0 },
+	{ "host-statistics", &cfg_type_boolean, CFG_CLAUSEFLAG_ANCIENT },
+	{ "host-statistics-max", &cfg_type_uint32, CFG_CLAUSEFLAG_ANCIENT },
+	{ "hostname", &cfg_type_qstringornone, 0 },
+	{ "interface-interval", &cfg_type_duration, 0 },
+	{ "keep-response-order", &cfg_type_bracketed_aml, 0 },
+	{ "listen-on", &cfg_type_listenon, CFG_CLAUSEFLAG_MULTI },
+	{ "listen-on-v6", &cfg_type_listenon, CFG_CLAUSEFLAG_MULTI },
+	{ "lock-file", &cfg_type_qstringornone, 0 },
+	{ "managed-keys-directory", &cfg_type_qstring, 0 },
+	{ "match-mapped-addresses", &cfg_type_boolean, 0 },
+	{ "max-rsa-exponent-size", &cfg_type_uint32, 0 },
+	{ "memstatistics", &cfg_type_boolean, 0 },
+	{ "memstatistics-file", &cfg_type_qstring, 0 },
+	{ "multiple-cnames", &cfg_type_boolean, CFG_CLAUSEFLAG_ANCIENT },
+	{ "named-xfer", &cfg_type_qstring, CFG_CLAUSEFLAG_ANCIENT },
+	{ "notify-rate", &cfg_type_uint32, 0 },
+	{ "pid-file", &cfg_type_qstringornone, 0 },
+	{ "port", &cfg_type_uint32, 0 },
+	{ "querylog", &cfg_type_boolean, 0 },
+	{ "random-device", &cfg_type_qstringornone, 0 },
+	{ "recursing-file", &cfg_type_qstring, 0 },
+	{ "recursive-clients", &cfg_type_uint32, 0 },
+	{ "reuseport", &cfg_type_boolean, 0 },
+	{ "reserved-sockets", &cfg_type_uint32, 0 },
+	{ "secroots-file", &cfg_type_qstring, 0 },
+	{ "serial-queries", &cfg_type_uint32, CFG_CLAUSEFLAG_ANCIENT },
+	{ "serial-query-rate", &cfg_type_uint32, 0 },
+	{ "server-id", &cfg_type_serverid, 0 },
+	{ "session-keyalg", &cfg_type_astring, 0 },
+	{ "session-keyfile", &cfg_type_qstringornone, 0 },
+	{ "session-keyname", &cfg_type_astring, 0 },
+	{ "sit-secret", &cfg_type_sstring, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "stacksize", &cfg_type_size, 0 },
+	{ "startup-notify-rate", &cfg_type_uint32, 0 },
+	{ "statistics-file", &cfg_type_qstring, 0 },
+	{ "statistics-interval", &cfg_type_uint32, CFG_CLAUSEFLAG_ANCIENT },
+	{ "tcp-advertised-timeout", &cfg_type_uint32, 0 },
+	{ "tcp-clients", &cfg_type_uint32, 0 },
+	{ "tcp-idle-timeout", &cfg_type_uint32, 0 },
+	{ "tcp-initial-timeout", &cfg_type_uint32, 0 },
+	{ "tcp-keepalive-timeout", &cfg_type_uint32, 0 },
+	{ "tcp-listen-queue", &cfg_type_uint32, 0 },
+	{ "tkey-dhkey", &cfg_type_tkey_dhkey, 0 },
+	{ "tkey-domain", &cfg_type_qstring, 0 },
+	{ "tkey-gssapi-credential", &cfg_type_qstring, 0 },
+	{ "tkey-gssapi-keytab", &cfg_type_qstring, 0 },
+	{ "transfer-message-size", &cfg_type_uint32, 0 },
+	{ "transfers-in", &cfg_type_uint32, 0 },
+	{ "transfers-out", &cfg_type_uint32, 0 },
+	{ "transfers-per-ns", &cfg_type_uint32, 0 },
+	{ "treat-cr-as-space", &cfg_type_boolean, CFG_CLAUSEFLAG_ANCIENT },
+	{ "update-quota", &cfg_type_uint32, 0 },
+	{ "use-id-pool", &cfg_type_boolean, CFG_CLAUSEFLAG_ANCIENT },
+	{ "use-ixfr", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "use-v4-udp-ports", &cfg_type_bracketed_portlist, 0 },
+	{ "use-v6-udp-ports", &cfg_type_bracketed_portlist, 0 },
+	{ "version", &cfg_type_qstringornone, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_namelist = { "namelist",
+					cfg_parse_bracketed_list,
+					cfg_print_bracketed_list,
+					cfg_doc_bracketed_list,
+					&cfg_rep_list,
+					&cfg_type_astring };
+
+static keyword_type_t exclude_kw = { "exclude", &cfg_type_namelist };
+
+static cfg_type_t cfg_type_optional_exclude = {
+	"optional_exclude",    parse_optional_keyvalue, print_keyvalue,
+	doc_optional_keyvalue, &cfg_rep_list,		&exclude_kw
+};
+
+static keyword_type_t exceptionnames_kw = { "except-from", &cfg_type_namelist };
+
+static cfg_type_t cfg_type_optional_exceptionnames = {
+	"optional_allow",      parse_optional_keyvalue, print_keyvalue,
+	doc_optional_keyvalue, &cfg_rep_list,		&exceptionnames_kw
+};
+
+static cfg_tuplefielddef_t denyaddresses_fields[] = {
+	{ "acl", &cfg_type_bracketed_aml, 0 },
+	{ "except-from", &cfg_type_optional_exceptionnames, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_denyaddresses = {
+	"denyaddresses", cfg_parse_tuple, cfg_print_tuple,
+	cfg_doc_tuple,	 &cfg_rep_tuple,  denyaddresses_fields
+};
+
+static cfg_tuplefielddef_t denyaliases_fields[] = {
+	{ "name", &cfg_type_namelist, 0 },
+	{ "except-from", &cfg_type_optional_exceptionnames, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_denyaliases = {
+	"denyaliases", cfg_parse_tuple, cfg_print_tuple,
+	cfg_doc_tuple, &cfg_rep_tuple,	denyaliases_fields
+};
+
+static cfg_type_t cfg_type_algorithmlist = { "algorithmlist",
+					     cfg_parse_bracketed_list,
+					     cfg_print_bracketed_list,
+					     cfg_doc_bracketed_list,
+					     &cfg_rep_list,
+					     &cfg_type_astring };
+
+static cfg_tuplefielddef_t disablealgorithm_fields[] = {
+	{ "name", &cfg_type_astring, 0 },
+	{ "algorithms", &cfg_type_algorithmlist, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_disablealgorithm = {
+	"disablealgorithm", cfg_parse_tuple, cfg_print_tuple,
+	cfg_doc_tuple,	    &cfg_rep_tuple,  disablealgorithm_fields
+};
+
+static cfg_type_t cfg_type_dsdigestlist = { "dsdigestlist",
+					    cfg_parse_bracketed_list,
+					    cfg_print_bracketed_list,
+					    cfg_doc_bracketed_list,
+					    &cfg_rep_list,
+					    &cfg_type_astring };
+
+static cfg_tuplefielddef_t disabledsdigest_fields[] = {
+	{ "name", &cfg_type_astring, 0 },
+	{ "digests", &cfg_type_dsdigestlist, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_disabledsdigest = {
+	"disabledsdigest", cfg_parse_tuple, cfg_print_tuple,
+	cfg_doc_tuple,	   &cfg_rep_tuple,  disabledsdigest_fields
+};
+
+static cfg_tuplefielddef_t mustbesecure_fields[] = {
+	{ "name", &cfg_type_astring, 0 },
+	{ "value", &cfg_type_boolean, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_mustbesecure = {
+	"mustbesecure", cfg_parse_tuple, cfg_print_tuple,
+	cfg_doc_tuple,	&cfg_rep_tuple,	 mustbesecure_fields
+};
+
+static const char *masterformat_enums[] = { "map", "raw", "text", NULL };
+static cfg_type_t cfg_type_masterformat = {
+	"masterformat", cfg_parse_enum,	 cfg_print_ustring,
+	cfg_doc_enum,	&cfg_rep_string, &masterformat_enums
+};
+
+static const char *masterstyle_enums[] = { "full", "relative", NULL };
+static cfg_type_t cfg_type_masterstyle = {
+	"masterstyle", cfg_parse_enum,	cfg_print_ustring,
+	cfg_doc_enum,  &cfg_rep_string, &masterstyle_enums
+};
+
+static keyword_type_t blocksize_kw = { "block-size", &cfg_type_uint32 };
+
+static cfg_type_t cfg_type_blocksize = { "blocksize",	  parse_keyvalue,
+					 print_keyvalue,  doc_keyvalue,
+					 &cfg_rep_uint32, &blocksize_kw };
+
+static cfg_tuplefielddef_t resppadding_fields[] = {
+	{ "acl", &cfg_type_bracketed_aml, 0 },
+	{ "block-size", &cfg_type_blocksize, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_resppadding = {
+	"resppadding", cfg_parse_tuple, cfg_print_tuple,
+	cfg_doc_tuple, &cfg_rep_tuple,	resppadding_fields
+};
+
+/*%
+ *  dnstap {
+ *      &lt;message type&gt; [query | response] ;
+ *      ...
+ *  }
+ *
+ *  ... where message type is one of: client, resolver, auth, forwarder,
+ *                                    update, all
+ */
+static const char *dnstap_types[] = { "all",	   "auth",     "client",
+				      "forwarder", "resolver", "update",
+				      NULL };
+
+static const char *dnstap_modes[] = { "query", "response", NULL };
+
+static cfg_type_t cfg_type_dnstap_type = { "dnstap_type",     cfg_parse_enum,
+					   cfg_print_ustring, cfg_doc_enum,
+					   &cfg_rep_string,   dnstap_types };
+
+static cfg_type_t cfg_type_dnstap_mode = {
+	"dnstap_mode",	   parse_optional_enum, cfg_print_ustring,
+	doc_optional_enum, &cfg_rep_string,	dnstap_modes
+};
+
+static cfg_tuplefielddef_t dnstap_fields[] = {
+	{ "type", &cfg_type_dnstap_type, 0 },
+	{ "mode", &cfg_type_dnstap_mode, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_dnstap_entry = { "dnstap_value",  cfg_parse_tuple,
+					    cfg_print_tuple, cfg_doc_tuple,
+					    &cfg_rep_tuple,  dnstap_fields };
+
+static cfg_type_t cfg_type_dnstap = { "dnstap",
+				      cfg_parse_bracketed_list,
+				      cfg_print_bracketed_list,
+				      cfg_doc_bracketed_list,
+				      &cfg_rep_list,
+				      &cfg_type_dnstap_entry };
+
+/*%
+ * dnstap-output
+ */
+static isc_result_t
+parse_dtout(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+	const cfg_tuplefielddef_t *fields = type->of;
+
+	CHECK(cfg_create_tuple(pctx, type, &obj));
+
+	/* Parse the mandatory "mode" and "path" fields */
+	CHECK(cfg_parse_obj(pctx, fields[0].type, &obj->value.tuple[0]));
+	CHECK(cfg_parse_obj(pctx, fields[1].type, &obj->value.tuple[1]));
+
+	/* Parse "versions" and "size" fields in any order. */
+	for (;;) {
+		CHECK(cfg_peektoken(pctx, 0));
+		if (pctx->token.type == isc_tokentype_string) {
+			CHECK(cfg_gettoken(pctx, 0));
+			if (strcasecmp(TOKEN_STRING(pctx), "size") == 0 &&
+			    obj->value.tuple[2] == NULL)
+			{
+				CHECK(cfg_parse_obj(pctx, fields[2].type,
+						    &obj->value.tuple[2]));
+			} else if (strcasecmp(TOKEN_STRING(pctx), "versions") ==
+					   0 &&
+				   obj->value.tuple[3] == NULL)
+			{
+				CHECK(cfg_parse_obj(pctx, fields[3].type,
+						    &obj->value.tuple[3]));
+			} else if (strcasecmp(TOKEN_STRING(pctx), "suffix") ==
+					   0 &&
+				   obj->value.tuple[4] == NULL)
+			{
+				CHECK(cfg_parse_obj(pctx, fields[4].type,
+						    &obj->value.tuple[4]));
+			} else {
+				cfg_parser_error(pctx, CFG_LOG_NEAR,
+						 "unexpected token");
+				result = ISC_R_UNEXPECTEDTOKEN;
+				goto cleanup;
+			}
+		} else {
+			break;
+		}
+	}
+
+	/* Create void objects for missing optional values. */
+	if (obj->value.tuple[2] == NULL) {
+		CHECK(cfg_parse_void(pctx, NULL, &obj->value.tuple[2]));
+	}
+	if (obj->value.tuple[3] == NULL) {
+		CHECK(cfg_parse_void(pctx, NULL, &obj->value.tuple[3]));
+	}
+	if (obj->value.tuple[4] == NULL) {
+		CHECK(cfg_parse_void(pctx, NULL, &obj->value.tuple[4]));
+	}
+
+	*ret = obj;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	CLEANUP_OBJ(obj);
+	return (result);
+}
+
+static void
+print_dtout(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	cfg_print_obj(pctx, obj->value.tuple[0]); /* mode */
+	cfg_print_obj(pctx, obj->value.tuple[1]); /* file */
+	if (obj->value.tuple[2]->type->print != cfg_print_void) {
+		cfg_print_cstr(pctx, " size ");
+		cfg_print_obj(pctx, obj->value.tuple[2]);
+	}
+	if (obj->value.tuple[3]->type->print != cfg_print_void) {
+		cfg_print_cstr(pctx, " versions ");
+		cfg_print_obj(pctx, obj->value.tuple[3]);
+	}
+	if (obj->value.tuple[4]->type->print != cfg_print_void) {
+		cfg_print_cstr(pctx, " suffix ");
+		cfg_print_obj(pctx, obj->value.tuple[4]);
+	}
+}
+
+static void
+doc_dtout(cfg_printer_t *pctx, const cfg_type_t *type) {
+	UNUSED(type);
+	cfg_print_cstr(pctx, "( file | unix ) <quoted_string>");
+	cfg_print_cstr(pctx, " ");
+	cfg_print_cstr(pctx, "[ size ( unlimited | <size> ) ]");
+	cfg_print_cstr(pctx, " ");
+	cfg_print_cstr(pctx, "[ versions ( unlimited | <integer> ) ]");
+	cfg_print_cstr(pctx, " ");
+	cfg_print_cstr(pctx, "[ suffix ( increment | timestamp ) ]");
+}
+
+static const char *dtoutmode_enums[] = { "file", "unix", NULL };
+static cfg_type_t cfg_type_dtmode = { "dtmode",		 cfg_parse_enum,
+				      cfg_print_ustring, cfg_doc_enum,
+				      &cfg_rep_string,	 &dtoutmode_enums };
+
+static cfg_tuplefielddef_t dtout_fields[] = {
+	{ "mode", &cfg_type_dtmode, 0 },
+	{ "path", &cfg_type_qstring, 0 },
+	{ "size", &cfg_type_sizenodefault, 0 },
+	{ "versions", &cfg_type_logversions, 0 },
+	{ "suffix", &cfg_type_logsuffix, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_dnstapoutput = { "dnstapoutput", parse_dtout,
+					    print_dtout,    doc_dtout,
+					    &cfg_rep_tuple, dtout_fields };
+
+/*%
+ *  response-policy {
+ *	zone &lt;string&gt; [ policy (given|disabled|passthru|drop|tcp-only|
+ *					nxdomain|nodata|cname &lt;domain&gt; ) ]
+ *		      [ recursive-only yes|no ] [ log yes|no ]
+ *		      [ max-policy-ttl number ]
+ *		      [ nsip-enable yes|no ] [ nsdname-enable yes|no ];
+ *  } [ recursive-only yes|no ] [ max-policy-ttl number ]
+ *	 [ min-update-interval number ]
+ *	 [ break-dnssec yes|no ] [ min-ns-dots number ]
+ *	 [ qname-wait-recurse yes|no ]
+ *	 [ nsip-enable yes|no ] [ nsdname-enable yes|no ]
+ *	 [ dnsrps-enable yes|no ]
+ *	 [ dnsrps-options { DNSRPS configuration string } ];
+ */
+
+static void
+doc_rpz_policy(cfg_printer_t *pctx, const cfg_type_t *type) {
+	const char *const *p;
+	/*
+	 * This is cfg_doc_enum() without the trailing " )".
+	 */
+	cfg_print_cstr(pctx, "( ");
+	for (p = type->of; *p != NULL; p++) {
+		cfg_print_cstr(pctx, *p);
+		if (p[1] != NULL) {
+			cfg_print_cstr(pctx, " | ");
+		}
+	}
+}
+
+static void
+doc_rpz_cname(cfg_printer_t *pctx, const cfg_type_t *type) {
+	cfg_doc_terminal(pctx, type);
+	cfg_print_cstr(pctx, " )");
+}
+
+/*
+ * Parse
+ *	given|disabled|passthru|drop|tcp-only|nxdomain|nodata|cname <domain>
+ */
+static isc_result_t
+cfg_parse_rpz_policy(cfg_parser_t *pctx, const cfg_type_t *type,
+		     cfg_obj_t **ret) {
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+	const cfg_tuplefielddef_t *fields;
+
+	CHECK(cfg_create_tuple(pctx, type, &obj));
+
+	fields = type->of;
+	CHECK(cfg_parse_obj(pctx, fields[0].type, &obj->value.tuple[0]));
+	/*
+	 * parse cname domain only after "policy cname"
+	 */
+	if (strcasecmp("cname", cfg_obj_asstring(obj->value.tuple[0])) != 0) {
+		CHECK(cfg_parse_void(pctx, NULL, &obj->value.tuple[1]));
+	} else {
+		CHECK(cfg_parse_obj(pctx, fields[1].type,
+				    &obj->value.tuple[1]));
+	}
+
+	*ret = obj;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	CLEANUP_OBJ(obj);
+	return (result);
+}
+
+/*
+ * Parse a tuple consisting of any kind of required field followed
+ * by 2 or more optional keyvalues that can be in any order.
+ */
+static isc_result_t
+cfg_parse_kv_tuple(cfg_parser_t *pctx, const cfg_type_t *type,
+		   cfg_obj_t **ret) {
+	const cfg_tuplefielddef_t *fields, *f;
+	cfg_obj_t *obj = NULL;
+	int fn;
+	isc_result_t result;
+
+	CHECK(cfg_create_tuple(pctx, type, &obj));
+
+	/*
+	 * The zone first field is required and always first.
+	 */
+	fields = type->of;
+	CHECK(cfg_parse_obj(pctx, fields[0].type, &obj->value.tuple[0]));
+
+	for (;;) {
+		CHECK(cfg_peektoken(pctx, CFG_LEXOPT_QSTRING));
+		if (pctx->token.type != isc_tokentype_string) {
+			break;
+		}
+
+		for (fn = 1, f = &fields[1];; ++fn, ++f) {
+			if (f->name == NULL) {
+				cfg_parser_error(pctx, 0, "unexpected '%s'",
+						 TOKEN_STRING(pctx));
+				result = ISC_R_UNEXPECTEDTOKEN;
+				goto cleanup;
+			}
+			if (obj->value.tuple[fn] == NULL &&
+			    strcasecmp(f->name, TOKEN_STRING(pctx)) == 0)
+			{
+				break;
+			}
+		}
+
+		CHECK(cfg_gettoken(pctx, 0));
+		CHECK(cfg_parse_obj(pctx, f->type, &obj->value.tuple[fn]));
+	}
+
+	for (fn = 1, f = &fields[1]; f->name != NULL; ++fn, ++f) {
+		if (obj->value.tuple[fn] == NULL) {
+			CHECK(cfg_parse_void(pctx, NULL,
+					     &obj->value.tuple[fn]));
+		}
+	}
+
+	*ret = obj;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	CLEANUP_OBJ(obj);
+	return (result);
+}
+
+static void
+cfg_print_kv_tuple(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	unsigned int i;
+	const cfg_tuplefielddef_t *fields, *f;
+	const cfg_obj_t *fieldobj;
+
+	fields = obj->type->of;
+	for (f = fields, i = 0; f->name != NULL; f++, i++) {
+		fieldobj = obj->value.tuple[i];
+		if (fieldobj->type->print == cfg_print_void) {
+			continue;
+		}
+		if (i != 0) {
+			cfg_print_cstr(pctx, " ");
+			cfg_print_cstr(pctx, f->name);
+			cfg_print_cstr(pctx, " ");
+		}
+		cfg_print_obj(pctx, fieldobj);
+	}
+}
+
+static void
+cfg_doc_kv_tuple(cfg_printer_t *pctx, const cfg_type_t *type) {
+	const cfg_tuplefielddef_t *fields, *f;
+
+	fields = type->of;
+	for (f = fields; f->name != NULL; f++) {
+		if (f != fields) {
+			cfg_print_cstr(pctx, " [ ");
+			cfg_print_cstr(pctx, f->name);
+			if (f->type->doc != cfg_doc_void) {
+				cfg_print_cstr(pctx, " ");
+			}
+		}
+		cfg_doc_obj(pctx, f->type);
+		if (f != fields) {
+			cfg_print_cstr(pctx, " ]");
+		}
+	}
+}
+
+static keyword_type_t zone_kw = { "zone", &cfg_type_astring };
+static cfg_type_t cfg_type_rpz_zone = { "zone",		 parse_keyvalue,
+					print_keyvalue,	 doc_keyvalue,
+					&cfg_rep_string, &zone_kw };
+/*
+ * "no-op" is an obsolete equivalent of "passthru".
+ */
+static const char *rpz_policies[] = { "cname",	  "disabled", "drop",
+				      "given",	  "no-op",    "nodata",
+				      "nxdomain", "passthru", "tcp-only",
+				      NULL };
+static cfg_type_t cfg_type_rpz_policy_name = {
+	"policy name",	cfg_parse_enum,	 cfg_print_ustring,
+	doc_rpz_policy, &cfg_rep_string, &rpz_policies
+};
+static cfg_type_t cfg_type_rpz_cname = {
+	"quoted_string", cfg_parse_astring, NULL,
+	doc_rpz_cname,	 &cfg_rep_string,   NULL
+};
+static cfg_tuplefielddef_t rpz_policy_fields[] = {
+	{ "policy name", &cfg_type_rpz_policy_name, 0 },
+	{ "cname", &cfg_type_rpz_cname, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_rpz_policy = { "policy tuple",  cfg_parse_rpz_policy,
+					  cfg_print_tuple, cfg_doc_tuple,
+					  &cfg_rep_tuple,  rpz_policy_fields };
+static cfg_tuplefielddef_t rpz_zone_fields[] = {
+	{ "zone name", &cfg_type_rpz_zone, 0 },
+	{ "add-soa", &cfg_type_boolean, 0 },
+	{ "log", &cfg_type_boolean, 0 },
+	{ "max-policy-ttl", &cfg_type_duration, 0 },
+	{ "min-update-interval", &cfg_type_duration, 0 },
+	{ "policy", &cfg_type_rpz_policy, 0 },
+	{ "recursive-only", &cfg_type_boolean, 0 },
+	{ "nsip-enable", &cfg_type_boolean, 0 },
+	{ "nsdname-enable", &cfg_type_boolean, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_rpz_tuple = { "rpz tuple",	     cfg_parse_kv_tuple,
+					 cfg_print_kv_tuple, cfg_doc_kv_tuple,
+					 &cfg_rep_tuple,     rpz_zone_fields };
+static cfg_type_t cfg_type_rpz_list = { "zone list",
+					cfg_parse_bracketed_list,
+					cfg_print_bracketed_list,
+					cfg_doc_bracketed_list,
+					&cfg_rep_list,
+					&cfg_type_rpz_tuple };
+static cfg_tuplefielddef_t rpz_fields[] = {
+	{ "zone list", &cfg_type_rpz_list, 0 },
+	{ "add-soa", &cfg_type_boolean, 0 },
+	{ "break-dnssec", &cfg_type_boolean, 0 },
+	{ "max-policy-ttl", &cfg_type_duration, 0 },
+	{ "min-update-interval", &cfg_type_duration, 0 },
+	{ "min-ns-dots", &cfg_type_uint32, 0 },
+	{ "nsip-wait-recurse", &cfg_type_boolean, 0 },
+	{ "qname-wait-recurse", &cfg_type_boolean, 0 },
+	{ "recursive-only", &cfg_type_boolean, 0 },
+	{ "nsip-enable", &cfg_type_boolean, 0 },
+	{ "nsdname-enable", &cfg_type_boolean, 0 },
+#ifdef USE_DNSRPS
+	{ "dnsrps-enable", &cfg_type_boolean, 0 },
+	{ "dnsrps-options", &cfg_type_bracketed_text, 0 },
+#else  /* ifdef USE_DNSRPS */
+	{ "dnsrps-enable", &cfg_type_boolean, CFG_CLAUSEFLAG_NOTCONFIGURED },
+	{ "dnsrps-options", &cfg_type_bracketed_text,
+	  CFG_CLAUSEFLAG_NOTCONFIGURED },
+#endif /* ifdef USE_DNSRPS */
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_rpz = { "rpz",
+				   cfg_parse_kv_tuple,
+				   cfg_print_kv_tuple,
+				   cfg_doc_kv_tuple,
+				   &cfg_rep_tuple,
+				   rpz_fields };
+
+/*
+ * Catalog zones
+ */
+static cfg_type_t cfg_type_catz_zone = { "zone",	  parse_keyvalue,
+					 print_keyvalue,  doc_keyvalue,
+					 &cfg_rep_string, &zone_kw };
+
+static cfg_tuplefielddef_t catz_zone_fields[] = {
+	{ "zone name", &cfg_type_catz_zone, 0 },
+	{ "default-masters", &cfg_type_namesockaddrkeylist, 0 },
+	{ "zone-directory", &cfg_type_qstring, 0 },
+	{ "in-memory", &cfg_type_boolean, 0 },
+	{ "min-update-interval", &cfg_type_duration, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_catz_tuple = {
+	"catz tuple",	  cfg_parse_kv_tuple, cfg_print_kv_tuple,
+	cfg_doc_kv_tuple, &cfg_rep_tuple,     catz_zone_fields
+};
+static cfg_type_t cfg_type_catz_list = { "zone list",
+					 cfg_parse_bracketed_list,
+					 cfg_print_bracketed_list,
+					 cfg_doc_bracketed_list,
+					 &cfg_rep_list,
+					 &cfg_type_catz_tuple };
+static cfg_tuplefielddef_t catz_fields[] = {
+	{ "zone list", &cfg_type_catz_list, 0 }, { NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_catz = {
+	"catz",		  cfg_parse_kv_tuple, cfg_print_kv_tuple,
+	cfg_doc_kv_tuple, &cfg_rep_tuple,     catz_fields
+};
+
+/*
+ * rate-limit
+ */
+static cfg_clausedef_t rrl_clauses[] = {
+	{ "all-per-second", &cfg_type_uint32, 0 },
+	{ "errors-per-second", &cfg_type_uint32, 0 },
+	{ "exempt-clients", &cfg_type_bracketed_aml, 0 },
+	{ "ipv4-prefix-length", &cfg_type_uint32, 0 },
+	{ "ipv6-prefix-length", &cfg_type_uint32, 0 },
+	{ "log-only", &cfg_type_boolean, 0 },
+	{ "max-table-size", &cfg_type_uint32, 0 },
+	{ "min-table-size", &cfg_type_uint32, 0 },
+	{ "nodata-per-second", &cfg_type_uint32, 0 },
+	{ "nxdomains-per-second", &cfg_type_uint32, 0 },
+	{ "qps-scale", &cfg_type_uint32, 0 },
+	{ "referrals-per-second", &cfg_type_uint32, 0 },
+	{ "responses-per-second", &cfg_type_uint32, 0 },
+	{ "slip", &cfg_type_uint32, 0 },
+	{ "window", &cfg_type_uint32, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_clausedef_t *rrl_clausesets[] = { rrl_clauses, NULL };
+
+static cfg_type_t cfg_type_rrl = { "rate-limit", cfg_parse_map, cfg_print_map,
+				   cfg_doc_map,	 &cfg_rep_map,	rrl_clausesets };
+
+/*%
+ * dnssec-lookaside
+ */
+
+static void
+print_lookaside(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	const cfg_obj_t *domain = obj->value.tuple[0];
+
+	if (domain->value.string.length == 4 &&
+	    strncmp(domain->value.string.base, "auto", 4) == 0)
+	{
+		cfg_print_cstr(pctx, "auto");
+	} else {
+		cfg_print_tuple(pctx, obj);
+	}
+}
+
+static void
+doc_lookaside(cfg_printer_t *pctx, const cfg_type_t *type) {
+	UNUSED(type);
+	cfg_print_cstr(pctx, "( <string> trust-anchor <string> | auto | no )");
+}
+
+static keyword_type_t trustanchor_kw = { "trust-anchor", &cfg_type_astring };
+
+static cfg_type_t cfg_type_optional_trustanchor = {
+	"optional_trustanchor", parse_optional_keyvalue, print_keyvalue,
+	doc_keyvalue,		&cfg_rep_string,	 &trustanchor_kw
+};
+
+static cfg_tuplefielddef_t lookaside_fields[] = {
+	{ "domain", &cfg_type_astring, 0 },
+	{ "trust-anchor", &cfg_type_optional_trustanchor, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_lookaside = { "lookaside",	  cfg_parse_tuple,
+					 print_lookaside, doc_lookaside,
+					 &cfg_rep_tuple,  lookaside_fields };
+
+static isc_result_t
+parse_optional_uint32(cfg_parser_t *pctx, const cfg_type_t *type,
+		      cfg_obj_t **ret) {
+	isc_result_t result;
+	UNUSED(type);
+
+	CHECK(cfg_peektoken(pctx, ISC_LEXOPT_NUMBER | ISC_LEXOPT_CNUMBER));
+	if (pctx->token.type == isc_tokentype_number) {
+		CHECK(cfg_parse_obj(pctx, &cfg_type_uint32, ret));
+	} else {
+		CHECK(cfg_parse_obj(pctx, &cfg_type_void, ret));
+	}
+cleanup:
+	return (result);
+}
+
+static void
+doc_optional_uint32(cfg_printer_t *pctx, const cfg_type_t *type) {
+	UNUSED(type);
+	cfg_print_cstr(pctx, "[ <integer> ]");
+}
+
+static cfg_type_t cfg_type_optional_uint32 = { "optional_uint32",
+					       parse_optional_uint32,
+					       NULL,
+					       doc_optional_uint32,
+					       NULL,
+					       NULL };
+
+static cfg_tuplefielddef_t prefetch_fields[] = {
+	{ "trigger", &cfg_type_uint32, 0 },
+	{ "eligible", &cfg_type_optional_uint32, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_prefetch = { "prefetch",	 cfg_parse_tuple,
+					cfg_print_tuple, cfg_doc_tuple,
+					&cfg_rep_tuple,	 prefetch_fields };
+/*
+ * DNS64.
+ */
+static cfg_clausedef_t dns64_clauses[] = {
+	{ "break-dnssec", &cfg_type_boolean, 0 },
+	{ "clients", &cfg_type_bracketed_aml, 0 },
+	{ "exclude", &cfg_type_bracketed_aml, 0 },
+	{ "mapped", &cfg_type_bracketed_aml, 0 },
+	{ "recursive-only", &cfg_type_boolean, 0 },
+	{ "suffix", &cfg_type_netaddr6, 0 },
+	{ NULL, NULL, 0 },
+};
+
+static cfg_clausedef_t *dns64_clausesets[] = { dns64_clauses, NULL };
+
+static cfg_type_t cfg_type_dns64 = { "dns64",	    cfg_parse_netprefix_map,
+				     cfg_print_map, cfg_doc_map,
+				     &cfg_rep_map,  dns64_clausesets };
+
+static const char *staleanswerclienttimeout_enums[] = { "disabled", "off",
+							NULL };
+static isc_result_t
+parse_staleanswerclienttimeout(cfg_parser_t *pctx, const cfg_type_t *type,
+			       cfg_obj_t **ret) {
+	return (cfg_parse_enum_or_other(pctx, type, &cfg_type_uint32, ret));
+}
+
+static void
+doc_staleanswerclienttimeout(cfg_printer_t *pctx, const cfg_type_t *type) {
+	cfg_doc_enum_or_other(pctx, type, &cfg_type_uint32);
+}
+
+static cfg_type_t cfg_type_staleanswerclienttimeout = {
+	"staleanswerclienttimeout",
+	parse_staleanswerclienttimeout,
+	cfg_print_ustring,
+	doc_staleanswerclienttimeout,
+	&cfg_rep_string,
+	staleanswerclienttimeout_enums
+};
+
+/*%
+ * Clauses that can be found within the 'view' statement,
+ * with defaults in the 'options' statement.
+ */
+
+static cfg_clausedef_t view_clauses[] = {
+	{ "acache-cleaning-interval", &cfg_type_uint32,
+	  CFG_CLAUSEFLAG_OBSOLETE },
+	{ "acache-enable", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "additional-from-auth", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "additional-from-cache", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "allow-new-zones", &cfg_type_boolean, 0 },
+	{ "allow-query-cache", &cfg_type_bracketed_aml, 0 },
+	{ "allow-query-cache-on", &cfg_type_bracketed_aml, 0 },
+	{ "allow-recursion", &cfg_type_bracketed_aml, 0 },
+	{ "allow-recursion-on", &cfg_type_bracketed_aml, 0 },
+	{ "allow-v6-synthesis", &cfg_type_bracketed_aml,
+	  CFG_CLAUSEFLAG_OBSOLETE },
+	{ "attach-cache", &cfg_type_astring, 0 },
+	{ "auth-nxdomain", &cfg_type_boolean, CFG_CLAUSEFLAG_NEWDEFAULT },
+	{ "cache-file", &cfg_type_qstring, CFG_CLAUSEFLAG_DEPRECATED },
+	{ "catalog-zones", &cfg_type_catz, 0 },
+	{ "check-names", &cfg_type_checknames, CFG_CLAUSEFLAG_MULTI },
+	{ "cleaning-interval", &cfg_type_uint32, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "clients-per-query", &cfg_type_uint32, 0 },
+	{ "deny-answer-addresses", &cfg_type_denyaddresses, 0 },
+	{ "deny-answer-aliases", &cfg_type_denyaliases, 0 },
+	{ "disable-algorithms", &cfg_type_disablealgorithm,
+	  CFG_CLAUSEFLAG_MULTI },
+	{ "disable-ds-digests", &cfg_type_disabledsdigest,
+	  CFG_CLAUSEFLAG_MULTI },
+	{ "disable-empty-zone", &cfg_type_astring, CFG_CLAUSEFLAG_MULTI },
+	{ "dns64", &cfg_type_dns64, CFG_CLAUSEFLAG_MULTI },
+	{ "dns64-contact", &cfg_type_astring, 0 },
+	{ "dns64-server", &cfg_type_astring, 0 },
+#ifdef USE_DNSRPS
+	{ "dnsrps-enable", &cfg_type_boolean, 0 },
+	{ "dnsrps-options", &cfg_type_bracketed_text, 0 },
+#else  /* ifdef USE_DNSRPS */
+	{ "dnsrps-enable", &cfg_type_boolean, CFG_CLAUSEFLAG_NOTCONFIGURED },
+	{ "dnsrps-options", &cfg_type_bracketed_text,
+	  CFG_CLAUSEFLAG_NOTCONFIGURED },
+#endif /* ifdef USE_DNSRPS */
+	{ "dnssec-accept-expired", &cfg_type_boolean, 0 },
+	{ "dnssec-enable", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "dnssec-lookaside", &cfg_type_lookaside,
+	  CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_OBSOLETE },
+	{ "dnssec-must-be-secure", &cfg_type_mustbesecure,
+	  CFG_CLAUSEFLAG_MULTI },
+	{ "dnssec-validation", &cfg_type_boolorauto, 0 },
+#ifdef HAVE_DNSTAP
+	{ "dnstap", &cfg_type_dnstap, 0 },
+#else  /* ifdef HAVE_DNSTAP */
+	{ "dnstap", &cfg_type_dnstap, CFG_CLAUSEFLAG_NOTCONFIGURED },
+#endif /* HAVE_DNSTAP */
+	{ "dual-stack-servers", &cfg_type_nameportiplist, 0 },
+	{ "edns-udp-size", &cfg_type_uint32, 0 },
+	{ "empty-contact", &cfg_type_astring, 0 },
+	{ "empty-server", &cfg_type_astring, 0 },
+	{ "empty-zones-enable", &cfg_type_boolean, 0 },
+	{ "fetch-glue", &cfg_type_boolean, CFG_CLAUSEFLAG_ANCIENT },
+	{ "fetch-quota-params", &cfg_type_fetchquota, 0 },
+	{ "fetches-per-server", &cfg_type_fetchesper, 0 },
+	{ "fetches-per-zone", &cfg_type_fetchesper, 0 },
+	{ "filter-aaaa", &cfg_type_bracketed_aml, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "filter-aaaa-on-v4", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "filter-aaaa-on-v6", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "glue-cache", &cfg_type_boolean, 0 },
+	{ "ixfr-from-differences", &cfg_type_ixfrdifftype, 0 },
+	{ "lame-ttl", &cfg_type_duration, 0 },
+#ifdef HAVE_LMDB
+	{ "lmdb-mapsize", &cfg_type_sizeval, 0 },
+#else  /* ifdef HAVE_LMDB */
+	{ "lmdb-mapsize", &cfg_type_sizeval, CFG_CLAUSEFLAG_NOOP },
+#endif /* ifdef HAVE_LMDB */
+	{ "max-acache-size", &cfg_type_sizenodefault, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "max-cache-size", &cfg_type_sizeorpercent, 0 },
+	{ "max-cache-ttl", &cfg_type_duration, 0 },
+	{ "max-clients-per-query", &cfg_type_uint32, 0 },
+	{ "max-ncache-ttl", &cfg_type_duration, 0 },
+	{ "max-recursion-depth", &cfg_type_uint32, 0 },
+	{ "max-recursion-queries", &cfg_type_uint32, 0 },
+	{ "max-stale-ttl", &cfg_type_duration, 0 },
+	{ "max-udp-size", &cfg_type_uint32, 0 },
+	{ "message-compression", &cfg_type_boolean, 0 },
+	{ "min-cache-ttl", &cfg_type_duration, 0 },
+	{ "min-ncache-ttl", &cfg_type_duration, 0 },
+	{ "min-roots", &cfg_type_uint32, CFG_CLAUSEFLAG_ANCIENT },
+	{ "minimal-any", &cfg_type_boolean, 0 },
+	{ "minimal-responses", &cfg_type_minimal, 0 },
+	{ "new-zones-directory", &cfg_type_qstring, 0 },
+	{ "no-case-compress", &cfg_type_bracketed_aml, 0 },
+	{ "nocookie-udp-size", &cfg_type_uint32, 0 },
+	{ "nosit-udp-size", &cfg_type_uint32, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "nta-lifetime", &cfg_type_duration, 0 },
+	{ "nta-recheck", &cfg_type_duration, 0 },
+	{ "nxdomain-redirect", &cfg_type_astring, 0 },
+	{ "preferred-glue", &cfg_type_astring, 0 },
+	{ "prefetch", &cfg_type_prefetch, 0 },
+	{ "provide-ixfr", &cfg_type_boolean, 0 },
+	{ "qname-minimization", &cfg_type_qminmethod, 0 },
+	/*
+	 * Note that the query-source option syntax is different
+	 * from the other -source options.
+	 */
+	{ "query-source", &cfg_type_querysource4, 0 },
+	{ "query-source-v6", &cfg_type_querysource6, 0 },
+	{ "queryport-pool-ports", &cfg_type_uint32, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "queryport-pool-updateinterval", &cfg_type_uint32,
+	  CFG_CLAUSEFLAG_OBSOLETE },
+	{ "rate-limit", &cfg_type_rrl, 0 },
+	{ "recursion", &cfg_type_boolean, 0 },
+	{ "request-nsid", &cfg_type_boolean, 0 },
+	{ "request-sit", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "require-server-cookie", &cfg_type_boolean, 0 },
+	{ "resolver-nonbackoff-tries", &cfg_type_uint32, 0 },
+	{ "resolver-query-timeout", &cfg_type_uint32, 0 },
+	{ "resolver-retry-interval", &cfg_type_uint32, 0 },
+	{ "response-padding", &cfg_type_resppadding, 0 },
+	{ "response-policy", &cfg_type_rpz, 0 },
+	{ "rfc2308-type1", &cfg_type_boolean, CFG_CLAUSEFLAG_ANCIENT },
+	{ "root-delegation-only", &cfg_type_optional_exclude, 0 },
+	{ "root-key-sentinel", &cfg_type_boolean, 0 },
+	{ "rrset-order", &cfg_type_rrsetorder, 0 },
+	{ "send-cookie", &cfg_type_boolean, 0 },
+	{ "servfail-ttl", &cfg_type_duration, 0 },
+	{ "sortlist", &cfg_type_bracketed_aml, 0 },
+	{ "stale-answer-enable", &cfg_type_boolean, 0 },
+	{ "stale-answer-client-timeout", &cfg_type_staleanswerclienttimeout,
+	  0 },
+	{ "stale-answer-ttl", &cfg_type_duration, 0 },
+	{ "stale-cache-enable", &cfg_type_boolean, 0 },
+	{ "stale-refresh-time", &cfg_type_duration, 0 },
+	{ "suppress-initial-notify", &cfg_type_boolean, CFG_CLAUSEFLAG_NYI },
+	{ "synth-from-dnssec", &cfg_type_boolean, 0 },
+	{ "topology", &cfg_type_bracketed_aml, CFG_CLAUSEFLAG_ANCIENT },
+	{ "transfer-format", &cfg_type_transferformat, 0 },
+	{ "trust-anchor-telemetry", &cfg_type_boolean,
+	  CFG_CLAUSEFLAG_EXPERIMENTAL },
+	{ "use-queryport-pool", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "validate-except", &cfg_type_namelist, 0 },
+	{ "v6-bias", &cfg_type_uint32, 0 },
+	{ "zero-no-soa-ttl-cache", &cfg_type_boolean, 0 },
+	{ NULL, NULL, 0 }
+};
+
+/*%
+ * Clauses that can be found within the 'view' statement only.
+ */
+static cfg_clausedef_t view_only_clauses[] = {
+	{ "match-clients", &cfg_type_bracketed_aml, 0 },
+	{ "match-destinations", &cfg_type_bracketed_aml, 0 },
+	{ "match-recursive-only", &cfg_type_boolean, 0 },
+	{ NULL, NULL, 0 }
+};
+
+/*%
+ * Sig-validity-interval.
+ */
+
+static cfg_tuplefielddef_t validityinterval_fields[] = {
+	{ "validity", &cfg_type_uint32, 0 },
+	{ "re-sign", &cfg_type_optional_uint32, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_validityinterval = {
+	"validityinterval", cfg_parse_tuple, cfg_print_tuple,
+	cfg_doc_tuple,	    &cfg_rep_tuple,  validityinterval_fields
+};
+
+/*%
+ * Clauses that can be found in a 'dnssec-policy' statement.
+ */
+static cfg_clausedef_t dnssecpolicy_clauses[] = {
+	{ "dnskey-ttl", &cfg_type_duration, 0 },
+	{ "keys", &cfg_type_kaspkeys, 0 },
+	{ "max-zone-ttl", &cfg_type_duration, 0 },
+	{ "nsec3param", &cfg_type_nsec3, 0 },
+	{ "parent-ds-ttl", &cfg_type_duration, 0 },
+	{ "parent-propagation-delay", &cfg_type_duration, 0 },
+	{ "parent-registration-delay", &cfg_type_duration,
+	  CFG_CLAUSEFLAG_OBSOLETE },
+	{ "publish-safety", &cfg_type_duration, 0 },
+	{ "purge-keys", &cfg_type_duration, 0 },
+	{ "retire-safety", &cfg_type_duration, 0 },
+	{ "signatures-refresh", &cfg_type_duration, 0 },
+	{ "signatures-validity", &cfg_type_duration, 0 },
+	{ "signatures-validity-dnskey", &cfg_type_duration, 0 },
+	{ "zone-propagation-delay", &cfg_type_duration, 0 },
+	{ NULL, NULL, 0 }
+};
+
+/*%
+ * Clauses that can be found in a 'zone' statement,
+ * with defaults in the 'view' or 'options' statement.
+ *
+ * Note: CFG_ZONE_* options indicate in which zone types this clause is
+ * legal.
+ */
+static cfg_clausedef_t zone_clauses[] = {
+	{ "allow-notify", &cfg_type_bracketed_aml,
+	  CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR },
+	{ "allow-query", &cfg_type_bracketed_aml,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR |
+		  CFG_ZONE_STUB | CFG_ZONE_REDIRECT | CFG_ZONE_STATICSTUB },
+	{ "allow-query-on", &cfg_type_bracketed_aml,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR |
+		  CFG_ZONE_STUB | CFG_ZONE_REDIRECT | CFG_ZONE_STATICSTUB },
+	{ "allow-transfer", &cfg_type_bracketed_aml,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR },
+	{ "allow-update", &cfg_type_bracketed_aml, CFG_ZONE_PRIMARY },
+	{ "allow-update-forwarding", &cfg_type_bracketed_aml,
+	  CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR },
+	{ "also-notify", &cfg_type_namesockaddrkeylist,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR },
+	{ "alt-transfer-source", &cfg_type_sockaddr4wild,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR },
+	{ "alt-transfer-source-v6", &cfg_type_sockaddr6wild,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR },
+	{ "auto-dnssec", &cfg_type_autodnssec,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_CLAUSEFLAG_DEPRECATED },
+	{ "check-dup-records", &cfg_type_checkmode, CFG_ZONE_PRIMARY },
+	{ "check-integrity", &cfg_type_boolean, CFG_ZONE_PRIMARY },
+	{ "check-mx", &cfg_type_checkmode, CFG_ZONE_PRIMARY },
+	{ "check-mx-cname", &cfg_type_checkmode, CFG_ZONE_PRIMARY },
+	{ "check-sibling", &cfg_type_boolean, CFG_ZONE_PRIMARY },
+	{ "check-spf", &cfg_type_warn, CFG_ZONE_PRIMARY },
+	{ "check-srv-cname", &cfg_type_checkmode, CFG_ZONE_PRIMARY },
+	{ "check-wildcard", &cfg_type_boolean, CFG_ZONE_PRIMARY },
+	{ "dialup", &cfg_type_dialuptype,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_STUB },
+	{ "dnssec-dnskey-kskonly", &cfg_type_boolean,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
+	{ "dnssec-loadkeys-interval", &cfg_type_uint32,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
+	{ "dnssec-policy", &cfg_type_astring,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
+	{ "dnssec-secure-to-insecure", &cfg_type_boolean, CFG_ZONE_PRIMARY },
+	{ "dnssec-update-mode", &cfg_type_dnssecupdatemode,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
+	{ "forward", &cfg_type_forwardtype,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_STUB |
+		  CFG_ZONE_STATICSTUB | CFG_ZONE_FORWARD },
+	{ "forwarders", &cfg_type_portiplist,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_STUB |
+		  CFG_ZONE_STATICSTUB | CFG_ZONE_FORWARD },
+	{ "key-directory", &cfg_type_qstring,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
+	{ "maintain-ixfr-base", &cfg_type_boolean, CFG_CLAUSEFLAG_ANCIENT },
+	{ "masterfile-format", &cfg_type_masterformat,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR |
+		  CFG_ZONE_STUB | CFG_ZONE_REDIRECT },
+	{ "masterfile-style", &cfg_type_masterstyle,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR |
+		  CFG_ZONE_STUB | CFG_ZONE_REDIRECT },
+	{ "max-ixfr-log-size", &cfg_type_size, CFG_CLAUSEFLAG_ANCIENT },
+	{ "max-ixfr-ratio", &cfg_type_ixfrratio,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR },
+	{ "max-journal-size", &cfg_type_size,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR },
+	{ "max-records", &cfg_type_uint32,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR |
+		  CFG_ZONE_STUB | CFG_ZONE_STATICSTUB | CFG_ZONE_REDIRECT },
+	{ "max-refresh-time", &cfg_type_uint32,
+	  CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR | CFG_ZONE_STUB },
+	{ "max-retry-time", &cfg_type_uint32,
+	  CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR | CFG_ZONE_STUB },
+	{ "max-transfer-idle-in", &cfg_type_uint32,
+	  CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR | CFG_ZONE_STUB },
+	{ "max-transfer-idle-out", &cfg_type_uint32,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_MIRROR | CFG_ZONE_SECONDARY },
+	{ "max-transfer-time-in", &cfg_type_uint32,
+	  CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR | CFG_ZONE_STUB },
+	{ "max-transfer-time-out", &cfg_type_uint32,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_MIRROR | CFG_ZONE_SECONDARY },
+	{ "max-zone-ttl", &cfg_type_maxduration,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_REDIRECT },
+	{ "min-refresh-time", &cfg_type_uint32,
+	  CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR | CFG_ZONE_STUB },
+	{ "min-retry-time", &cfg_type_uint32,
+	  CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR | CFG_ZONE_STUB },
+	{ "multi-master", &cfg_type_boolean,
+	  CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR | CFG_ZONE_STUB },
+	{ "notify", &cfg_type_notifytype,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR },
+	{ "notify-delay", &cfg_type_uint32,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR },
+	{ "notify-source", &cfg_type_sockaddr4wild,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR },
+	{ "notify-source-v6", &cfg_type_sockaddr6wild,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR },
+	{ "notify-to-soa", &cfg_type_boolean,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
+	{ "nsec3-test-zone", &cfg_type_boolean,
+	  CFG_CLAUSEFLAG_TESTONLY | CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
+	{ "parental-source", &cfg_type_sockaddr4wild,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
+	{ "parental-source-v6", &cfg_type_sockaddr6wild,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
+	{ "request-expire", &cfg_type_boolean,
+	  CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR },
+	{ "request-ixfr", &cfg_type_boolean,
+	  CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR },
+	{ "serial-update-method", &cfg_type_updatemethod, CFG_ZONE_PRIMARY },
+	{ "sig-signing-nodes", &cfg_type_uint32,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
+	{ "sig-signing-signatures", &cfg_type_uint32,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
+	{ "sig-signing-type", &cfg_type_uint32,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
+	{ "sig-validity-interval", &cfg_type_validityinterval,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
+	{ "dnskey-sig-validity", &cfg_type_uint32,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
+	{ "transfer-source", &cfg_type_sockaddr4wild,
+	  CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR | CFG_ZONE_STUB },
+	{ "transfer-source-v6", &cfg_type_sockaddr6wild,
+	  CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR | CFG_ZONE_STUB },
+	{ "try-tcp-refresh", &cfg_type_boolean,
+	  CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR },
+	{ "update-check-ksk", &cfg_type_boolean,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
+	{ "use-alt-transfer-source", &cfg_type_boolean,
+	  CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR | CFG_ZONE_STUB },
+	{ "zero-no-soa-ttl", &cfg_type_boolean,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR },
+	{ "zone-statistics", &cfg_type_zonestat,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR |
+		  CFG_ZONE_STUB | CFG_ZONE_STATICSTUB | CFG_ZONE_REDIRECT },
+	{ NULL, NULL, 0 }
+};
+
+/*%
+ * Clauses that can be found in a 'zone' statement only.
+ *
+ * Note: CFG_ZONE_* options indicate in which zone types this clause is
+ * legal.
+ */
+static cfg_clausedef_t zone_only_clauses[] = {
+	/*
+	 * Note that the format of the check-names option is different between
+	 * the zone options and the global/view options.  Ugh.
+	 */
+	{ "type", &cfg_type_zonetype,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR |
+		  CFG_ZONE_STUB | CFG_ZONE_STATICSTUB | CFG_ZONE_DELEGATION |
+		  CFG_ZONE_HINT | CFG_ZONE_REDIRECT | CFG_ZONE_FORWARD },
+	{ "check-names", &cfg_type_checkmode,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR |
+		  CFG_ZONE_HINT | CFG_ZONE_STUB },
+	{ "database", &cfg_type_astring,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR |
+		  CFG_ZONE_STUB },
+	{ "delegation-only", &cfg_type_boolean,
+	  CFG_ZONE_HINT | CFG_ZONE_STUB | CFG_ZONE_FORWARD },
+	{ "dlz", &cfg_type_astring,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_REDIRECT },
+	{ "file", &cfg_type_qstring,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR |
+		  CFG_ZONE_STUB | CFG_ZONE_HINT | CFG_ZONE_REDIRECT },
+	{ "in-view", &cfg_type_astring, CFG_ZONE_INVIEW },
+	{ "inline-signing", &cfg_type_boolean,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
+	{ "ixfr-base", &cfg_type_qstring, CFG_CLAUSEFLAG_ANCIENT },
+	{ "ixfr-from-differences", &cfg_type_boolean,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR },
+	{ "ixfr-tmp-file", &cfg_type_qstring, CFG_CLAUSEFLAG_ANCIENT },
+	{ "journal", &cfg_type_qstring,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR },
+	{ "masters", &cfg_type_namesockaddrkeylist,
+	  CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR | CFG_ZONE_STUB |
+		  CFG_ZONE_REDIRECT },
+	{ "parental-agents", &cfg_type_namesockaddrkeylist,
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
+	{ "primaries", &cfg_type_namesockaddrkeylist,
+	  CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR | CFG_ZONE_STUB |
+		  CFG_ZONE_REDIRECT },
+	{ "pubkey", &cfg_type_pubkey, CFG_CLAUSEFLAG_ANCIENT },
+	{ "server-addresses", &cfg_type_bracketed_netaddrlist,
+	  CFG_ZONE_STATICSTUB },
+	{ "server-names", &cfg_type_namelist, CFG_ZONE_STATICSTUB },
+	{ "update-policy", &cfg_type_updatepolicy, CFG_ZONE_PRIMARY },
+	{ NULL, NULL, 0 }
+};
+
+/*% The top-level named.conf syntax. */
+
+static cfg_clausedef_t *namedconf_clausesets[] = { namedconf_clauses,
+						   namedconf_or_view_clauses,
+						   NULL };
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_namedconf = {
+	"namedconf",	 cfg_parse_mapbody, cfg_print_mapbody,
+	cfg_doc_mapbody, &cfg_rep_map,	    namedconf_clausesets
+};
+
+/*% The bind.keys syntax (trust-anchors/managed-keys/trusted-keys only). */
+static cfg_clausedef_t *bindkeys_clausesets[] = { bindkeys_clauses, NULL };
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_bindkeys = {
+	"bindkeys",	 cfg_parse_mapbody, cfg_print_mapbody,
+	cfg_doc_mapbody, &cfg_rep_map,	    bindkeys_clausesets
+};
+
+/*% The "options" statement syntax. */
+
+static cfg_clausedef_t *options_clausesets[] = { options_clauses, view_clauses,
+						 zone_clauses, NULL };
+static cfg_type_t cfg_type_options = { "options",     cfg_parse_map,
+				       cfg_print_map, cfg_doc_map,
+				       &cfg_rep_map,  options_clausesets };
+
+/*% The "view" statement syntax. */
+
+static cfg_clausedef_t *view_clausesets[] = { view_only_clauses,
+					      namedconf_or_view_clauses,
+					      view_clauses, zone_clauses,
+					      NULL };
+
+static cfg_type_t cfg_type_viewopts = { "view",	       cfg_parse_map,
+					cfg_print_map, cfg_doc_map,
+					&cfg_rep_map,  view_clausesets };
+
+/*% The "zone" statement syntax. */
+
+static cfg_clausedef_t *zone_clausesets[] = { zone_only_clauses, zone_clauses,
+					      NULL };
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_zoneopts = {
+	"zoneopts",  cfg_parse_map, cfg_print_map,
+	cfg_doc_map, &cfg_rep_map,  zone_clausesets
+};
+
+/*% The "dnssec-policy" statement syntax. */
+static cfg_clausedef_t *dnssecpolicy_clausesets[] = { dnssecpolicy_clauses,
+						      NULL };
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_dnssecpolicyopts = {
+	"dnssecpolicyopts", cfg_parse_map, cfg_print_map,
+	cfg_doc_map,	    &cfg_rep_map,  dnssecpolicy_clausesets
+};
+
+/*% The "dynamically loadable zones" statement syntax. */
+
+static cfg_clausedef_t dlz_clauses[] = { { "database", &cfg_type_astring, 0 },
+					 { "search", &cfg_type_boolean, 0 },
+					 { NULL, NULL, 0 } };
+static cfg_clausedef_t *dlz_clausesets[] = { dlz_clauses, NULL };
+static cfg_type_t cfg_type_dlz = { "dlz",	  cfg_parse_named_map,
+				   cfg_print_map, cfg_doc_map,
+				   &cfg_rep_map,  dlz_clausesets };
+
+/*%
+ * The "dyndb" statement syntax.
+ */
+
+static cfg_tuplefielddef_t dyndb_fields[] = {
+	{ "name", &cfg_type_astring, 0 },
+	{ "library", &cfg_type_qstring, 0 },
+	{ "parameters", &cfg_type_bracketed_text, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_dyndb = { "dyndb",	      cfg_parse_tuple,
+				     cfg_print_tuple, cfg_doc_tuple,
+				     &cfg_rep_tuple,  dyndb_fields };
+
+/*%
+ * The "plugin" statement syntax.
+ * Currently only one plugin type is supported: query.
+ */
+
+static const char *plugin_enums[] = { "query", NULL };
+static cfg_type_t cfg_type_plugintype = { "plugintype",	     cfg_parse_enum,
+					  cfg_print_ustring, cfg_doc_enum,
+					  &cfg_rep_string,   plugin_enums };
+static cfg_tuplefielddef_t plugin_fields[] = {
+	{ "type", &cfg_type_plugintype, 0 },
+	{ "library", &cfg_type_astring, 0 },
+	{ "parameters", &cfg_type_optional_bracketed_text, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_plugin = { "plugin",	       cfg_parse_tuple,
+				      cfg_print_tuple, cfg_doc_tuple,
+				      &cfg_rep_tuple,  plugin_fields };
+
+/*%
+ * Clauses that can be found within the 'key' statement.
+ */
+static cfg_clausedef_t key_clauses[] = { { "algorithm", &cfg_type_astring, 0 },
+					 { "secret", &cfg_type_sstring, 0 },
+					 { NULL, NULL, 0 } };
+
+static cfg_clausedef_t *key_clausesets[] = { key_clauses, NULL };
+static cfg_type_t cfg_type_key = { "key",	  cfg_parse_named_map,
+				   cfg_print_map, cfg_doc_map,
+				   &cfg_rep_map,  key_clausesets };
+
+/*%
+ * Clauses that can be found in a 'server' statement.
+ */
+static cfg_clausedef_t server_clauses[] = {
+	{ "bogus", &cfg_type_boolean, 0 },
+	{ "edns", &cfg_type_boolean, 0 },
+	{ "edns-udp-size", &cfg_type_uint32, 0 },
+	{ "edns-version", &cfg_type_uint32, 0 },
+	{ "keys", &cfg_type_server_key_kludge, 0 },
+	{ "max-udp-size", &cfg_type_uint32, 0 },
+	{ "notify-source", &cfg_type_sockaddr4wild, 0 },
+	{ "notify-source-v6", &cfg_type_sockaddr6wild, 0 },
+	{ "padding", &cfg_type_uint32, 0 },
+	{ "provide-ixfr", &cfg_type_boolean, 0 },
+	{ "query-source", &cfg_type_querysource4, 0 },
+	{ "query-source-v6", &cfg_type_querysource6, 0 },
+	{ "request-expire", &cfg_type_boolean, 0 },
+	{ "request-ixfr", &cfg_type_boolean, 0 },
+	{ "request-nsid", &cfg_type_boolean, 0 },
+	{ "request-sit", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "send-cookie", &cfg_type_boolean, 0 },
+	{ "support-ixfr", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "tcp-keepalive", &cfg_type_boolean, 0 },
+	{ "tcp-only", &cfg_type_boolean, 0 },
+	{ "transfer-format", &cfg_type_transferformat, 0 },
+	{ "transfer-source", &cfg_type_sockaddr4wild, 0 },
+	{ "transfer-source-v6", &cfg_type_sockaddr6wild, 0 },
+	{ "transfers", &cfg_type_uint32, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_clausedef_t *server_clausesets[] = { server_clauses, NULL };
+static cfg_type_t cfg_type_server = { "server",	     cfg_parse_netprefix_map,
+				      cfg_print_map, cfg_doc_map,
+				      &cfg_rep_map,  server_clausesets };
+
+/*%
+ * Clauses that can be found in a 'channel' clause in the
+ * 'logging' statement.
+ *
+ * These have some additional constraints that need to be
+ * checked after parsing:
+ *  - There must exactly one of file/syslog/null/stderr
+ */
+
+static const char *printtime_enums[] = { "iso8601", "iso8601-utc", "local",
+					 NULL };
+static isc_result_t
+parse_printtime(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	return (cfg_parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
+}
+static void
+doc_printtime(cfg_printer_t *pctx, const cfg_type_t *type) {
+	cfg_doc_enum_or_other(pctx, type, &cfg_type_boolean);
+}
+static cfg_type_t cfg_type_printtime = { "printtime",	    parse_printtime,
+					 cfg_print_ustring, doc_printtime,
+					 &cfg_rep_string,   printtime_enums };
+
+static cfg_clausedef_t channel_clauses[] = {
+	/* Destinations.  We no longer require these to be first. */
+	{ "file", &cfg_type_logfile, 0 },
+	{ "syslog", &cfg_type_optional_facility, 0 },
+	{ "null", &cfg_type_void, 0 },
+	{ "stderr", &cfg_type_void, 0 },
+	/* Options.  We now accept these for the null channel, too. */
+	{ "severity", &cfg_type_logseverity, 0 },
+	{ "print-time", &cfg_type_printtime, 0 },
+	{ "print-severity", &cfg_type_boolean, 0 },
+	{ "print-category", &cfg_type_boolean, 0 },
+	{ "buffered", &cfg_type_boolean, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_clausedef_t *channel_clausesets[] = { channel_clauses, NULL };
+static cfg_type_t cfg_type_channel = { "channel",     cfg_parse_named_map,
+				       cfg_print_map, cfg_doc_map,
+				       &cfg_rep_map,  channel_clausesets };
+
+/*% A list of log destination, used in the "category" clause. */
+static cfg_type_t cfg_type_destinationlist = { "destinationlist",
+					       cfg_parse_bracketed_list,
+					       cfg_print_bracketed_list,
+					       cfg_doc_bracketed_list,
+					       &cfg_rep_list,
+					       &cfg_type_astring };
+
+/*%
+ * Clauses that can be found in a 'logging' statement.
+ */
+static cfg_clausedef_t logging_clauses[] = {
+	{ "channel", &cfg_type_channel, CFG_CLAUSEFLAG_MULTI },
+	{ "category", &cfg_type_category, CFG_CLAUSEFLAG_MULTI },
+	{ NULL, NULL, 0 }
+};
+static cfg_clausedef_t *logging_clausesets[] = { logging_clauses, NULL };
+static cfg_type_t cfg_type_logging = { "logging",     cfg_parse_map,
+				       cfg_print_map, cfg_doc_map,
+				       &cfg_rep_map,  logging_clausesets };
+
+/*%
+ * For parsing an 'addzone' statement
+ */
+static cfg_tuplefielddef_t addzone_fields[] = {
+	{ "name", &cfg_type_astring, 0 },
+	{ "class", &cfg_type_optional_class, 0 },
+	{ "view", &cfg_type_optional_class, 0 },
+	{ "options", &cfg_type_zoneopts, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_addzone = { "zone",		cfg_parse_tuple,
+				       cfg_print_tuple, cfg_doc_tuple,
+				       &cfg_rep_tuple,	addzone_fields };
+
+static cfg_clausedef_t addzoneconf_clauses[] = {
+	{ "zone", &cfg_type_addzone, CFG_CLAUSEFLAG_MULTI }, { NULL, NULL, 0 }
+};
+
+static cfg_clausedef_t *addzoneconf_clausesets[] = { addzoneconf_clauses,
+						     NULL };
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_addzoneconf = {
+	"addzoneconf",	 cfg_parse_mapbody, cfg_print_mapbody,
+	cfg_doc_mapbody, &cfg_rep_map,	    addzoneconf_clausesets
+};
+
+static isc_result_t
+parse_unitstring(char *str, isc_resourcevalue_t *valuep) {
+	char *endp;
+	unsigned int len;
+	uint64_t value;
+	uint64_t unit;
+
+	value = strtoull(str, &endp, 10);
+	if (*endp == 0) {
+		*valuep = value;
+		return (ISC_R_SUCCESS);
+	}
+
+	len = strlen(str);
+	if (len < 2 || endp[1] != '\0') {
+		return (ISC_R_FAILURE);
+	}
+
+	switch (str[len - 1]) {
+	case 'k':
+	case 'K':
+		unit = 1024;
+		break;
+	case 'm':
+	case 'M':
+		unit = 1024 * 1024;
+		break;
+	case 'g':
+	case 'G':
+		unit = 1024 * 1024 * 1024;
+		break;
+	default:
+		return (ISC_R_FAILURE);
+	}
+	if (value > ((uint64_t)UINT64_MAX / unit)) {
+		return (ISC_R_FAILURE);
+	}
+	*valuep = value * unit;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+parse_sizeval(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+	uint64_t val;
+
+	UNUSED(type);
+
+	CHECK(cfg_gettoken(pctx, 0));
+	if (pctx->token.type != isc_tokentype_string) {
+		result = ISC_R_UNEXPECTEDTOKEN;
+		goto cleanup;
+	}
+	CHECK(parse_unitstring(TOKEN_STRING(pctx), &val));
+
+	CHECK(cfg_create_obj(pctx, &cfg_type_uint64, &obj));
+	obj->value.uint64 = val;
+	*ret = obj;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	cfg_parser_error(pctx, CFG_LOG_NEAR,
+			 "expected integer and optional unit");
+	return (result);
+}
+
+static isc_result_t
+parse_sizeval_percent(cfg_parser_t *pctx, const cfg_type_t *type,
+		      cfg_obj_t **ret) {
+	char *endp;
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+	uint64_t val;
+	uint64_t percent;
+
+	UNUSED(type);
+
+	CHECK(cfg_gettoken(pctx, 0));
+	if (pctx->token.type != isc_tokentype_string) {
+		result = ISC_R_UNEXPECTEDTOKEN;
+		goto cleanup;
+	}
+
+	percent = strtoull(TOKEN_STRING(pctx), &endp, 10);
+
+	if (*endp == '%' && *(endp + 1) == 0) {
+		CHECK(cfg_create_obj(pctx, &cfg_type_percentage, &obj));
+		obj->value.uint32 = (uint32_t)percent;
+		*ret = obj;
+		return (ISC_R_SUCCESS);
+	} else {
+		CHECK(parse_unitstring(TOKEN_STRING(pctx), &val));
+		CHECK(cfg_create_obj(pctx, &cfg_type_uint64, &obj));
+		obj->value.uint64 = val;
+		*ret = obj;
+		return (ISC_R_SUCCESS);
+	}
+
+cleanup:
+	cfg_parser_error(pctx, CFG_LOG_NEAR,
+			 "expected integer and optional unit or percent");
+	return (result);
+}
+
+static void
+doc_sizeval_percent(cfg_printer_t *pctx, const cfg_type_t *type) {
+	UNUSED(type);
+
+	cfg_print_cstr(pctx, "( ");
+	cfg_doc_terminal(pctx, &cfg_type_size);
+	cfg_print_cstr(pctx, " | ");
+	cfg_doc_terminal(pctx, &cfg_type_percentage);
+	cfg_print_cstr(pctx, " )");
+}
+
+/*%
+ * A size value (number + optional unit).
+ */
+static cfg_type_t cfg_type_sizeval = { "sizeval",	 parse_sizeval,
+				       cfg_print_uint64, cfg_doc_terminal,
+				       &cfg_rep_uint64,	 NULL };
+
+/*%
+ * A size, "unlimited", or "default".
+ */
+
+static isc_result_t
+parse_size(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	return (cfg_parse_enum_or_other(pctx, type, &cfg_type_sizeval, ret));
+}
+
+static void
+doc_size(cfg_printer_t *pctx, const cfg_type_t *type) {
+	cfg_doc_enum_or_other(pctx, type, &cfg_type_sizeval);
+}
+
+static const char *size_enums[] = { "default", "unlimited", NULL };
+static cfg_type_t cfg_type_size = {
+	"size",	  parse_size,	   cfg_print_ustring,
+	doc_size, &cfg_rep_string, size_enums
+};
+
+/*%
+ * A size or "unlimited", but not "default".
+ */
+static const char *sizenodefault_enums[] = { "unlimited", NULL };
+static cfg_type_t cfg_type_sizenodefault = {
+	"size_no_default", parse_size,	    cfg_print_ustring,
+	doc_size,	   &cfg_rep_string, sizenodefault_enums
+};
+
+/*%
+ * A size in absolute values or percents.
+ */
+static cfg_type_t cfg_type_sizeval_percent = {
+	"sizeval_percent",   parse_sizeval_percent, cfg_print_ustring,
+	doc_sizeval_percent, &cfg_rep_string,	    NULL
+};
+
+/*%
+ * A size in absolute values or percents, or "unlimited", or "default"
+ */
+
+static isc_result_t
+parse_size_or_percent(cfg_parser_t *pctx, const cfg_type_t *type,
+		      cfg_obj_t **ret) {
+	return (cfg_parse_enum_or_other(pctx, type, &cfg_type_sizeval_percent,
+					ret));
+}
+
+static void
+doc_parse_size_or_percent(cfg_printer_t *pctx, const cfg_type_t *type) {
+	UNUSED(type);
+	cfg_print_cstr(pctx, "( default | unlimited | ");
+	cfg_doc_terminal(pctx, &cfg_type_sizeval);
+	cfg_print_cstr(pctx, " | ");
+	cfg_doc_terminal(pctx, &cfg_type_percentage);
+	cfg_print_cstr(pctx, " )");
+}
+
+static const char *sizeorpercent_enums[] = { "default", "unlimited", NULL };
+static cfg_type_t cfg_type_sizeorpercent = {
+	"size_or_percent",	   parse_size_or_percent, cfg_print_ustring,
+	doc_parse_size_or_percent, &cfg_rep_string,	  sizeorpercent_enums
+};
+
+/*%
+ * An IXFR size ratio: percentage, or "unlimited".
+ */
+
+static isc_result_t
+parse_ixfrratio(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	return (cfg_parse_enum_or_other(pctx, type, &cfg_type_percentage, ret));
+}
+
+static void
+doc_ixfrratio(cfg_printer_t *pctx, const cfg_type_t *type) {
+	UNUSED(type);
+	cfg_print_cstr(pctx, "( unlimited | ");
+	cfg_doc_terminal(pctx, &cfg_type_percentage);
+	cfg_print_cstr(pctx, " )");
+}
+
+static const char *ixfrratio_enums[] = { "unlimited", NULL };
+static cfg_type_t cfg_type_ixfrratio = { "ixfr_ratio", parse_ixfrratio,
+					 NULL,	       doc_ixfrratio,
+					 NULL,	       ixfrratio_enums };
+
+/*%
+ * optional_keyvalue
+ */
+static isc_result_t
+parse_maybe_optional_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type,
+			      bool optional, cfg_obj_t **ret) {
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+	const keyword_type_t *kw = type->of;
+
+	CHECK(cfg_peektoken(pctx, 0));
+	if (pctx->token.type == isc_tokentype_string &&
+	    strcasecmp(TOKEN_STRING(pctx), kw->name) == 0)
+	{
+		CHECK(cfg_gettoken(pctx, 0));
+		CHECK(kw->type->parse(pctx, kw->type, &obj));
+		obj->type = type; /* XXX kludge */
+	} else {
+		if (optional) {
+			CHECK(cfg_parse_void(pctx, NULL, &obj));
+		} else {
+			cfg_parser_error(pctx, CFG_LOG_NEAR, "expected '%s'",
+					 kw->name);
+			result = ISC_R_UNEXPECTEDTOKEN;
+			goto cleanup;
+		}
+	}
+	*ret = obj;
+cleanup:
+	return (result);
+}
+
+static isc_result_t
+parse_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	return (parse_maybe_optional_keyvalue(pctx, type, false, ret));
+}
+
+static isc_result_t
+parse_optional_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type,
+			cfg_obj_t **ret) {
+	return (parse_maybe_optional_keyvalue(pctx, type, true, ret));
+}
+
+static void
+print_keyvalue(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	const keyword_type_t *kw = obj->type->of;
+	cfg_print_cstr(pctx, kw->name);
+	cfg_print_cstr(pctx, " ");
+	kw->type->print(pctx, obj);
+}
+
+static void
+doc_keyvalue(cfg_printer_t *pctx, const cfg_type_t *type) {
+	const keyword_type_t *kw = type->of;
+	cfg_print_cstr(pctx, kw->name);
+	cfg_print_cstr(pctx, " ");
+	cfg_doc_obj(pctx, kw->type);
+}
+
+static void
+doc_optional_keyvalue(cfg_printer_t *pctx, const cfg_type_t *type) {
+	const keyword_type_t *kw = type->of;
+	cfg_print_cstr(pctx, "[ ");
+	cfg_print_cstr(pctx, kw->name);
+	cfg_print_cstr(pctx, " ");
+	cfg_doc_obj(pctx, kw->type);
+	cfg_print_cstr(pctx, " ]");
+}
+
+static const char *dialup_enums[] = { "notify", "notify-passive", "passive",
+				      "refresh", NULL };
+static isc_result_t
+parse_dialup_type(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	return (cfg_parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
+}
+static void
+doc_dialup_type(cfg_printer_t *pctx, const cfg_type_t *type) {
+	cfg_doc_enum_or_other(pctx, type, &cfg_type_boolean);
+}
+static cfg_type_t cfg_type_dialuptype = { "dialuptype",	     parse_dialup_type,
+					  cfg_print_ustring, doc_dialup_type,
+					  &cfg_rep_string,   dialup_enums };
+
+static const char *notify_enums[] = { "explicit", "master-only", "primary-only",
+				      NULL };
+static isc_result_t
+parse_notify_type(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	return (cfg_parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
+}
+static void
+doc_notify_type(cfg_printer_t *pctx, const cfg_type_t *type) {
+	cfg_doc_enum_or_other(pctx, type, &cfg_type_boolean);
+}
+static cfg_type_t cfg_type_notifytype = {
+	"notifytype",	 parse_notify_type, cfg_print_ustring,
+	doc_notify_type, &cfg_rep_string,   notify_enums,
+};
+
+static const char *minimal_enums[] = { "no-auth", "no-auth-recursive", NULL };
+static isc_result_t
+parse_minimal(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	return (cfg_parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
+}
+static void
+doc_minimal(cfg_printer_t *pctx, const cfg_type_t *type) {
+	cfg_doc_enum_or_other(pctx, type, &cfg_type_boolean);
+}
+static cfg_type_t cfg_type_minimal = {
+	"minimal",   parse_minimal,   cfg_print_ustring,
+	doc_minimal, &cfg_rep_string, minimal_enums,
+};
+
+static const char *ixfrdiff_enums[] = { "primary", "master", "secondary",
+					"slave", NULL };
+static isc_result_t
+parse_ixfrdiff_type(cfg_parser_t *pctx, const cfg_type_t *type,
+		    cfg_obj_t **ret) {
+	return (cfg_parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
+}
+static void
+doc_ixfrdiff_type(cfg_printer_t *pctx, const cfg_type_t *type) {
+	cfg_doc_enum_or_other(pctx, type, &cfg_type_boolean);
+}
+static cfg_type_t cfg_type_ixfrdifftype = {
+	"ixfrdiff",	   parse_ixfrdiff_type, cfg_print_ustring,
+	doc_ixfrdiff_type, &cfg_rep_string,	ixfrdiff_enums,
+};
+
+static keyword_type_t key_kw = { "key", &cfg_type_astring };
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_keyref = {
+	"keyref",     parse_keyvalue,  print_keyvalue,
+	doc_keyvalue, &cfg_rep_string, &key_kw
+};
+
+static cfg_type_t cfg_type_optional_keyref = {
+	"optional_keyref",     parse_optional_keyvalue, print_keyvalue,
+	doc_optional_keyvalue, &cfg_rep_string,		&key_kw
+};
+
+static const char *qminmethod_enums[] = { "strict", "relaxed", "disabled",
+					  "off", NULL };
+
+static cfg_type_t cfg_type_qminmethod = { "qminmethod",	     cfg_parse_enum,
+					  cfg_print_ustring, cfg_doc_enum,
+					  &cfg_rep_string,   qminmethod_enums };
+
+/*%
+ * A "controls" statement is represented as a map with the multivalued
+ * "inet" and "unix" clauses.
+ */
+
+static keyword_type_t controls_allow_kw = { "allow", &cfg_type_bracketed_aml };
+
+static cfg_type_t cfg_type_controls_allow = {
+	"controls_allow", parse_keyvalue, print_keyvalue,
+	doc_keyvalue,	  &cfg_rep_list,  &controls_allow_kw
+};
+
+static keyword_type_t controls_keys_kw = { "keys", &cfg_type_keylist };
+
+static cfg_type_t cfg_type_controls_keys = {
+	"controls_keys",       parse_optional_keyvalue, print_keyvalue,
+	doc_optional_keyvalue, &cfg_rep_list,		&controls_keys_kw
+};
+
+static keyword_type_t controls_readonly_kw = { "read-only", &cfg_type_boolean };
+
+static cfg_type_t cfg_type_controls_readonly = {
+	"controls_readonly",   parse_optional_keyvalue, print_keyvalue,
+	doc_optional_keyvalue, &cfg_rep_boolean,	&controls_readonly_kw
+};
+
+static cfg_tuplefielddef_t inetcontrol_fields[] = {
+	{ "address", &cfg_type_controls_sockaddr, 0 },
+	{ "allow", &cfg_type_controls_allow, 0 },
+	{ "keys", &cfg_type_controls_keys, 0 },
+	{ "read-only", &cfg_type_controls_readonly, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_inetcontrol = {
+	"inetcontrol", cfg_parse_tuple, cfg_print_tuple,
+	cfg_doc_tuple, &cfg_rep_tuple,	inetcontrol_fields
+};
+
+static keyword_type_t controls_perm_kw = { "perm", &cfg_type_uint32 };
+
+static cfg_type_t cfg_type_controls_perm = {
+	"controls_perm", parse_keyvalue,  print_keyvalue,
+	doc_keyvalue,	 &cfg_rep_uint32, &controls_perm_kw
+};
+
+static keyword_type_t controls_owner_kw = { "owner", &cfg_type_uint32 };
+
+static cfg_type_t cfg_type_controls_owner = {
+	"controls_owner", parse_keyvalue,  print_keyvalue,
+	doc_keyvalue,	  &cfg_rep_uint32, &controls_owner_kw
+};
+
+static keyword_type_t controls_group_kw = { "group", &cfg_type_uint32 };
+
+static cfg_type_t cfg_type_controls_group = {
+	"controls_allow", parse_keyvalue,  print_keyvalue,
+	doc_keyvalue,	  &cfg_rep_uint32, &controls_group_kw
+};
+
+static cfg_tuplefielddef_t unixcontrol_fields[] = {
+	{ "path", &cfg_type_qstring, 0 },
+	{ "perm", &cfg_type_controls_perm, 0 },
+	{ "owner", &cfg_type_controls_owner, 0 },
+	{ "group", &cfg_type_controls_group, 0 },
+	{ "keys", &cfg_type_controls_keys, 0 },
+	{ "read-only", &cfg_type_controls_readonly, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_unixcontrol = {
+	"unixcontrol", cfg_parse_tuple, cfg_print_tuple,
+	cfg_doc_tuple, &cfg_rep_tuple,	unixcontrol_fields
+};
+
+static cfg_clausedef_t controls_clauses[] = {
+	{ "inet", &cfg_type_inetcontrol, CFG_CLAUSEFLAG_MULTI },
+	{ "unix", &cfg_type_unixcontrol, CFG_CLAUSEFLAG_MULTI },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_clausedef_t *controls_clausesets[] = { controls_clauses, NULL };
+static cfg_type_t cfg_type_controls = { "controls",    cfg_parse_map,
+					cfg_print_map, cfg_doc_map,
+					&cfg_rep_map,  &controls_clausesets };
+
+/*%
+ * A "statistics-channels" statement is represented as a map with the
+ * multivalued "inet" clauses.
+ */
+static void
+doc_optional_bracketed_list(cfg_printer_t *pctx, const cfg_type_t *type) {
+	const keyword_type_t *kw = type->of;
+	cfg_print_cstr(pctx, "[ ");
+	cfg_print_cstr(pctx, kw->name);
+	cfg_print_cstr(pctx, " ");
+	cfg_doc_obj(pctx, kw->type);
+	cfg_print_cstr(pctx, " ]");
+}
+
+static cfg_type_t cfg_type_optional_allow = {
+	"optional_allow", parse_optional_keyvalue,
+	print_keyvalue,	  doc_optional_bracketed_list,
+	&cfg_rep_list,	  &controls_allow_kw
+};
+
+static cfg_tuplefielddef_t statserver_fields[] = {
+	{ "address", &cfg_type_controls_sockaddr, 0 }, /* reuse controls def */
+	{ "allow", &cfg_type_optional_allow, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_statschannel = {
+	"statschannel", cfg_parse_tuple, cfg_print_tuple,
+	cfg_doc_tuple,	&cfg_rep_tuple,	 statserver_fields
+};
+
+static cfg_clausedef_t statservers_clauses[] = {
+	{ "inet", &cfg_type_statschannel, CFG_CLAUSEFLAG_MULTI },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_clausedef_t *statservers_clausesets[] = { statservers_clauses,
+						     NULL };
+
+static cfg_type_t cfg_type_statschannels = {
+	"statistics-channels", cfg_parse_map, cfg_print_map,
+	cfg_doc_map,	       &cfg_rep_map,  &statservers_clausesets
+};
+
+/*%
+ * An optional class, as used in view and zone statements.
+ */
+static isc_result_t
+parse_optional_class(cfg_parser_t *pctx, const cfg_type_t *type,
+		     cfg_obj_t **ret) {
+	isc_result_t result;
+	UNUSED(type);
+	CHECK(cfg_peektoken(pctx, 0));
+	if (pctx->token.type == isc_tokentype_string) {
+		CHECK(cfg_parse_obj(pctx, &cfg_type_ustring, ret));
+	} else {
+		CHECK(cfg_parse_obj(pctx, &cfg_type_void, ret));
+	}
+cleanup:
+	return (result);
+}
+
+static void
+doc_optional_class(cfg_printer_t *pctx, const cfg_type_t *type) {
+	UNUSED(type);
+	cfg_print_cstr(pctx, "[ <class> ]");
+}
+
+static cfg_type_t cfg_type_optional_class = { "optional_class",
+					      parse_optional_class,
+					      NULL,
+					      doc_optional_class,
+					      NULL,
+					      NULL };
+
+static isc_result_t
+parse_querysource(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+	isc_netaddr_t netaddr;
+	in_port_t port = 0;
+	isc_dscp_t dscp = -1;
+	unsigned int have_address = 0;
+	unsigned int have_port = 0;
+	unsigned int have_dscp = 0;
+	const unsigned int *flagp = type->of;
+
+	if ((*flagp & CFG_ADDR_V4OK) != 0) {
+		isc_netaddr_any(&netaddr);
+	} else if ((*flagp & CFG_ADDR_V6OK) != 0) {
+		isc_netaddr_any6(&netaddr);
+	} else {
+		UNREACHABLE();
+	}
+
+	for (;;) {
+		CHECK(cfg_peektoken(pctx, 0));
+		if (pctx->token.type == isc_tokentype_string) {
+			if (strcasecmp(TOKEN_STRING(pctx), "address") == 0) {
+				/* read "address" */
+				CHECK(cfg_gettoken(pctx, 0));
+				CHECK(cfg_parse_rawaddr(pctx, *flagp,
+							&netaddr));
+				have_address++;
+			} else if (strcasecmp(TOKEN_STRING(pctx), "port") == 0)
+			{
+				/* read "port" */
+				CHECK(cfg_gettoken(pctx, 0));
+				CHECK(cfg_parse_rawport(pctx, CFG_ADDR_WILDOK,
+							&port));
+				have_port++;
+			} else if (strcasecmp(TOKEN_STRING(pctx), "dscp") == 0)
+			{
+				if ((pctx->flags & CFG_PCTX_NODEPRECATED) == 0)
+				{
+					cfg_parser_warning(
+						pctx, 0,
+						"token 'dscp' is deprecated");
+				}
+				/* read "dscp" */
+				CHECK(cfg_gettoken(pctx, 0));
+				CHECK(cfg_parse_dscp(pctx, &dscp));
+				have_dscp++;
+			} else if (have_port == 0 && have_dscp == 0 &&
+				   have_address == 0)
+			{
+				return (cfg_parse_sockaddr(pctx, type, ret));
+			} else {
+				cfg_parser_error(pctx, CFG_LOG_NEAR,
+						 "expected 'address', 'port', "
+						 "or 'dscp'");
+				return (ISC_R_UNEXPECTEDTOKEN);
+			}
+		} else {
+			break;
+		}
+	}
+	if (have_address > 1 || have_port > 1 || have_address + have_port == 0)
+	{
+		cfg_parser_error(pctx, 0, "expected one address and/or port");
+		return (ISC_R_UNEXPECTEDTOKEN);
+	}
+
+	if (have_dscp > 1) {
+		cfg_parser_error(pctx, 0, "expected at most one dscp");
+		return (ISC_R_UNEXPECTEDTOKEN);
+	}
+
+	CHECK(cfg_create_obj(pctx, &cfg_type_querysource, &obj));
+	isc_sockaddr_fromnetaddr(&obj->value.sockaddr, &netaddr, port);
+	obj->value.sockaddrdscp.dscp = dscp;
+	*ret = obj;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	cfg_parser_error(pctx, CFG_LOG_NEAR, "invalid query source");
+	CLEANUP_OBJ(obj);
+	return (result);
+}
+
+static void
+print_querysource(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	isc_netaddr_t na;
+	isc_netaddr_fromsockaddr(&na, &obj->value.sockaddr);
+	cfg_print_cstr(pctx, "address ");
+	cfg_print_rawaddr(pctx, &na);
+	cfg_print_cstr(pctx, " port ");
+	cfg_print_rawuint(pctx, isc_sockaddr_getport(&obj->value.sockaddr));
+	if (obj->value.sockaddrdscp.dscp != -1) {
+		cfg_print_cstr(pctx, " dscp ");
+		cfg_print_rawuint(pctx, obj->value.sockaddrdscp.dscp);
+	}
+}
+
+static void
+doc_querysource(cfg_printer_t *pctx, const cfg_type_t *type) {
+	const unsigned int *flagp = type->of;
+
+	cfg_print_cstr(pctx, "( ( [ address ] ( ");
+	if ((*flagp & CFG_ADDR_V4OK) != 0) {
+		cfg_print_cstr(pctx, "<ipv4_address>");
+	} else if ((*flagp & CFG_ADDR_V6OK) != 0) {
+		cfg_print_cstr(pctx, "<ipv6_address>");
+	} else {
+		UNREACHABLE();
+	}
+	cfg_print_cstr(pctx, " | * ) [ port ( <integer> | * ) ] ) | "
+			     "( [ [ address ] ( ");
+	if ((*flagp & CFG_ADDR_V4OK) != 0) {
+		cfg_print_cstr(pctx, "<ipv4_address>");
+	} else if ((*flagp & CFG_ADDR_V6OK) != 0) {
+		cfg_print_cstr(pctx, "<ipv6_address>");
+	} else {
+		UNREACHABLE();
+	}
+	cfg_print_cstr(pctx, " | * ) ] port ( <integer> | * ) ) )"
+			     " [ dscp <integer> ]");
+}
+
+static unsigned int sockaddr4wild_flags = CFG_ADDR_WILDOK | CFG_ADDR_V4OK |
+					  CFG_ADDR_DSCPOK;
+static unsigned int sockaddr6wild_flags = CFG_ADDR_WILDOK | CFG_ADDR_V6OK |
+					  CFG_ADDR_DSCPOK;
+
+static cfg_type_t cfg_type_querysource4 = {
+	"querysource4", parse_querysource,   NULL, doc_querysource,
+	NULL,		&sockaddr4wild_flags
+};
+
+static cfg_type_t cfg_type_querysource6 = {
+	"querysource6", parse_querysource,   NULL, doc_querysource,
+	NULL,		&sockaddr6wild_flags
+};
+
+static cfg_type_t cfg_type_querysource = { "querysource",     NULL,
+					   print_querysource, NULL,
+					   &cfg_rep_sockaddr, NULL };
+
+/*%
+ * The socket address syntax in the "controls" statement is silly.
+ * It allows both socket address families, but also allows "*",
+ * which is gratuitously interpreted as the IPv4 wildcard address.
+ */
+static unsigned int controls_sockaddr_flags = CFG_ADDR_V4OK | CFG_ADDR_V6OK |
+					      CFG_ADDR_WILDOK;
+static cfg_type_t cfg_type_controls_sockaddr = {
+	"controls_sockaddr", cfg_parse_sockaddr, cfg_print_sockaddr,
+	cfg_doc_sockaddr,    &cfg_rep_sockaddr,	 &controls_sockaddr_flags
+};
+
+/*%
+ * Handle the special kludge syntax of the "keys" clause in the "server"
+ * statement, which takes a single key with or without braces and semicolon.
+ */
+static isc_result_t
+parse_server_key_kludge(cfg_parser_t *pctx, const cfg_type_t *type,
+			cfg_obj_t **ret) {
+	isc_result_t result;
+	bool braces = false;
+	UNUSED(type);
+
+	/* Allow opening brace. */
+	CHECK(cfg_peektoken(pctx, 0));
+	if (pctx->token.type == isc_tokentype_special &&
+	    pctx->token.value.as_char == '{')
+	{
+		CHECK(cfg_gettoken(pctx, 0));
+		braces = true;
+	}
+
+	CHECK(cfg_parse_obj(pctx, &cfg_type_astring, ret));
+
+	if (braces) {
+		/* Skip semicolon if present. */
+		CHECK(cfg_peektoken(pctx, 0));
+		if (pctx->token.type == isc_tokentype_special &&
+		    pctx->token.value.as_char == ';')
+		{
+			CHECK(cfg_gettoken(pctx, 0));
+		}
+
+		CHECK(cfg_parse_special(pctx, '}'));
+	}
+cleanup:
+	return (result);
+}
+static cfg_type_t cfg_type_server_key_kludge = {
+	"server_key", parse_server_key_kludge, NULL, cfg_doc_terminal, NULL,
+	NULL
+};
+
+/*%
+ * An optional logging facility.
+ */
+
+static isc_result_t
+parse_optional_facility(cfg_parser_t *pctx, const cfg_type_t *type,
+			cfg_obj_t **ret) {
+	isc_result_t result;
+	UNUSED(type);
+
+	CHECK(cfg_peektoken(pctx, CFG_LEXOPT_QSTRING));
+	if (pctx->token.type == isc_tokentype_string ||
+	    pctx->token.type == isc_tokentype_qstring)
+	{
+		CHECK(cfg_parse_obj(pctx, &cfg_type_astring, ret));
+	} else {
+		CHECK(cfg_parse_obj(pctx, &cfg_type_void, ret));
+	}
+cleanup:
+	return (result);
+}
+
+static void
+doc_optional_facility(cfg_printer_t *pctx, const cfg_type_t *type) {
+	UNUSED(type);
+	cfg_print_cstr(pctx, "[ <syslog_facility> ]");
+}
+
+static cfg_type_t cfg_type_optional_facility = { "optional_facility",
+						 parse_optional_facility,
+						 NULL,
+						 doc_optional_facility,
+						 NULL,
+						 NULL };
+
+/*%
+ * A log severity.  Return as a string, except "debug N",
+ * which is returned as a keyword object.
+ */
+
+static keyword_type_t debug_kw = { "debug", &cfg_type_uint32 };
+static cfg_type_t cfg_type_debuglevel = { "debuglevel",	   parse_keyvalue,
+					  print_keyvalue,  doc_keyvalue,
+					  &cfg_rep_uint32, &debug_kw };
+
+static isc_result_t
+parse_logseverity(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+	UNUSED(type);
+
+	CHECK(cfg_peektoken(pctx, 0));
+	if (pctx->token.type == isc_tokentype_string &&
+	    strcasecmp(TOKEN_STRING(pctx), "debug") == 0)
+	{
+		CHECK(cfg_gettoken(pctx, 0)); /* read "debug" */
+		CHECK(cfg_peektoken(pctx, ISC_LEXOPT_NUMBER));
+		if (pctx->token.type == isc_tokentype_number) {
+			CHECK(cfg_parse_uint32(pctx, NULL, ret));
+		} else {
+			/*
+			 * The debug level is optional and defaults to 1.
+			 * This makes little sense, but we support it for
+			 * compatibility with BIND 8.
+			 */
+			CHECK(cfg_create_obj(pctx, &cfg_type_uint32, ret));
+			(*ret)->value.uint32 = 1;
+		}
+		(*ret)->type = &cfg_type_debuglevel; /* XXX kludge */
+	} else {
+		CHECK(cfg_parse_obj(pctx, &cfg_type_loglevel, ret));
+	}
+cleanup:
+	return (result);
+}
+
+static cfg_type_t cfg_type_logseverity = { "log_severity", parse_logseverity,
+					   NULL,	   cfg_doc_terminal,
+					   NULL,	   NULL };
+
+/*%
+ * The "file" clause of the "channel" statement.
+ * This is yet another special case.
+ */
+
+static const char *logversions_enums[] = { "unlimited", NULL };
+static isc_result_t
+parse_logversions(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	return (cfg_parse_enum_or_other(pctx, type, &cfg_type_uint32, ret));
+}
+
+static void
+doc_logversions(cfg_printer_t *pctx, const cfg_type_t *type) {
+	cfg_doc_enum_or_other(pctx, type, &cfg_type_uint32);
+}
+
+static cfg_type_t cfg_type_logversions = {
+	"logversions",	 parse_logversions, cfg_print_ustring,
+	doc_logversions, &cfg_rep_string,   logversions_enums
+};
+
+static const char *logsuffix_enums[] = { "increment", "timestamp", NULL };
+static cfg_type_t cfg_type_logsuffix = { "logsuffix",	    cfg_parse_enum,
+					 cfg_print_ustring, cfg_doc_enum,
+					 &cfg_rep_string,   &logsuffix_enums };
+
+static cfg_tuplefielddef_t logfile_fields[] = {
+	{ "file", &cfg_type_qstring, 0 },
+	{ "versions", &cfg_type_logversions, 0 },
+	{ "size", &cfg_type_size, 0 },
+	{ "suffix", &cfg_type_logsuffix, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static isc_result_t
+parse_logfile(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+	const cfg_tuplefielddef_t *fields = type->of;
+
+	CHECK(cfg_create_tuple(pctx, type, &obj));
+
+	/* Parse the mandatory "file" field */
+	CHECK(cfg_parse_obj(pctx, fields[0].type, &obj->value.tuple[0]));
+
+	/* Parse "versions" and "size" fields in any order. */
+	for (;;) {
+		CHECK(cfg_peektoken(pctx, 0));
+		if (pctx->token.type == isc_tokentype_string) {
+			CHECK(cfg_gettoken(pctx, 0));
+			if (strcasecmp(TOKEN_STRING(pctx), "versions") == 0 &&
+			    obj->value.tuple[1] == NULL)
+			{
+				CHECK(cfg_parse_obj(pctx, fields[1].type,
+						    &obj->value.tuple[1]));
+			} else if (strcasecmp(TOKEN_STRING(pctx), "size") ==
+					   0 &&
+				   obj->value.tuple[2] == NULL)
+			{
+				CHECK(cfg_parse_obj(pctx, fields[2].type,
+						    &obj->value.tuple[2]));
+			} else if (strcasecmp(TOKEN_STRING(pctx), "suffix") ==
+					   0 &&
+				   obj->value.tuple[3] == NULL)
+			{
+				CHECK(cfg_parse_obj(pctx, fields[3].type,
+						    &obj->value.tuple[3]));
+			} else {
+				break;
+			}
+		} else {
+			break;
+		}
+	}
+
+	/* Create void objects for missing optional values. */
+	if (obj->value.tuple[1] == NULL) {
+		CHECK(cfg_parse_void(pctx, NULL, &obj->value.tuple[1]));
+	}
+	if (obj->value.tuple[2] == NULL) {
+		CHECK(cfg_parse_void(pctx, NULL, &obj->value.tuple[2]));
+	}
+	if (obj->value.tuple[3] == NULL) {
+		CHECK(cfg_parse_void(pctx, NULL, &obj->value.tuple[3]));
+	}
+
+	*ret = obj;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	CLEANUP_OBJ(obj);
+	return (result);
+}
+
+static void
+print_logfile(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	cfg_print_obj(pctx, obj->value.tuple[0]); /* file */
+	if (obj->value.tuple[1]->type->print != cfg_print_void) {
+		cfg_print_cstr(pctx, " versions ");
+		cfg_print_obj(pctx, obj->value.tuple[1]);
+	}
+	if (obj->value.tuple[2]->type->print != cfg_print_void) {
+		cfg_print_cstr(pctx, " size ");
+		cfg_print_obj(pctx, obj->value.tuple[2]);
+	}
+	if (obj->value.tuple[3]->type->print != cfg_print_void) {
+		cfg_print_cstr(pctx, " suffix ");
+		cfg_print_obj(pctx, obj->value.tuple[3]);
+	}
+}
+
+static void
+doc_logfile(cfg_printer_t *pctx, const cfg_type_t *type) {
+	UNUSED(type);
+	cfg_print_cstr(pctx, "<quoted_string>");
+	cfg_print_cstr(pctx, " ");
+	cfg_print_cstr(pctx, "[ versions ( unlimited | <integer> ) ]");
+	cfg_print_cstr(pctx, " ");
+	cfg_print_cstr(pctx, "[ size <size> ]");
+	cfg_print_cstr(pctx, " ");
+	cfg_print_cstr(pctx, "[ suffix ( increment | timestamp ) ]");
+}
+
+static cfg_type_t cfg_type_logfile = { "log_file",     parse_logfile,
+				       print_logfile,  doc_logfile,
+				       &cfg_rep_tuple, logfile_fields };
+
+/*% An IPv4 address with optional dscp and port, "*" accepted as wildcard. */
+static cfg_type_t cfg_type_sockaddr4wild = {
+	"sockaddr4wild",  cfg_parse_sockaddr, cfg_print_sockaddr,
+	cfg_doc_sockaddr, &cfg_rep_sockaddr,  &sockaddr4wild_flags
+};
+
+/*% An IPv6 address with optional port, "*" accepted as wildcard. */
+static cfg_type_t cfg_type_sockaddr6wild = {
+	"v6addrportwild", cfg_parse_sockaddr, cfg_print_sockaddr,
+	cfg_doc_sockaddr, &cfg_rep_sockaddr,  &sockaddr6wild_flags
+};
+
+/*%
+ * rndc
+ */
+
+static cfg_clausedef_t rndcconf_options_clauses[] = {
+	{ "default-key", &cfg_type_astring, 0 },
+	{ "default-port", &cfg_type_uint32, 0 },
+	{ "default-server", &cfg_type_astring, 0 },
+	{ "default-source-address", &cfg_type_netaddr4wild, 0 },
+	{ "default-source-address-v6", &cfg_type_netaddr6wild, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_clausedef_t *rndcconf_options_clausesets[] = {
+	rndcconf_options_clauses, NULL
+};
+
+static cfg_type_t cfg_type_rndcconf_options = {
+	"rndcconf_options", cfg_parse_map, cfg_print_map,
+	cfg_doc_map,	    &cfg_rep_map,  rndcconf_options_clausesets
+};
+
+static cfg_clausedef_t rndcconf_server_clauses[] = {
+	{ "key", &cfg_type_astring, 0 },
+	{ "port", &cfg_type_uint32, 0 },
+	{ "source-address", &cfg_type_netaddr4wild, 0 },
+	{ "source-address-v6", &cfg_type_netaddr6wild, 0 },
+	{ "addresses", &cfg_type_bracketed_sockaddrnameportlist, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_clausedef_t *rndcconf_server_clausesets[] = {
+	rndcconf_server_clauses, NULL
+};
+
+static cfg_type_t cfg_type_rndcconf_server = {
+	"rndcconf_server", cfg_parse_named_map, cfg_print_map,
+	cfg_doc_map,	   &cfg_rep_map,	rndcconf_server_clausesets
+};
+
+static cfg_clausedef_t rndcconf_clauses[] = {
+	{ "key", &cfg_type_key, CFG_CLAUSEFLAG_MULTI },
+	{ "server", &cfg_type_rndcconf_server, CFG_CLAUSEFLAG_MULTI },
+	{ "options", &cfg_type_rndcconf_options, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_clausedef_t *rndcconf_clausesets[] = { rndcconf_clauses, NULL };
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_rndcconf = {
+	"rndcconf",	 cfg_parse_mapbody, cfg_print_mapbody,
+	cfg_doc_mapbody, &cfg_rep_map,	    rndcconf_clausesets
+};
+
+static cfg_clausedef_t rndckey_clauses[] = { { "key", &cfg_type_key, 0 },
+					     { NULL, NULL, 0 } };
+
+static cfg_clausedef_t *rndckey_clausesets[] = { rndckey_clauses, NULL };
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_rndckey = {
+	"rndckey",	 cfg_parse_mapbody, cfg_print_mapbody,
+	cfg_doc_mapbody, &cfg_rep_map,	    rndckey_clausesets
+};
+
+/*
+ * session.key has exactly the same syntax as rndc.key, but it's defined
+ * separately for clarity (and so we can extend it someday, if needed).
+ */
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_sessionkey = {
+	"sessionkey",	 cfg_parse_mapbody, cfg_print_mapbody,
+	cfg_doc_mapbody, &cfg_rep_map,	    rndckey_clausesets
+};
+
+static cfg_tuplefielddef_t nameport_fields[] = {
+	{ "name", &cfg_type_astring, 0 },
+	{ "port", &cfg_type_optional_port, 0 },
+	{ "dscp", &cfg_type_optional_dscp, CFG_CLAUSEFLAG_DEPRECATED },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_nameport = { "nameport",	 cfg_parse_tuple,
+					cfg_print_tuple, cfg_doc_tuple,
+					&cfg_rep_tuple,	 nameport_fields };
+
+static void
+doc_sockaddrnameport(cfg_printer_t *pctx, const cfg_type_t *type) {
+	UNUSED(type);
+	cfg_print_cstr(pctx, "( ");
+	cfg_print_cstr(pctx, "<quoted_string>");
+	cfg_print_cstr(pctx, " ");
+	cfg_print_cstr(pctx, "[ port <integer> ]");
+	cfg_print_cstr(pctx, " ");
+	cfg_print_cstr(pctx, "[ dscp <integer> ]");
+	cfg_print_cstr(pctx, " | ");
+	cfg_print_cstr(pctx, "<ipv4_address>");
+	cfg_print_cstr(pctx, " ");
+	cfg_print_cstr(pctx, "[ port <integer> ]");
+	cfg_print_cstr(pctx, " ");
+	cfg_print_cstr(pctx, "[ dscp <integer> ]");
+	cfg_print_cstr(pctx, " | ");
+	cfg_print_cstr(pctx, "<ipv6_address>");
+	cfg_print_cstr(pctx, " ");
+	cfg_print_cstr(pctx, "[ port <integer> ]");
+	cfg_print_cstr(pctx, " ");
+	cfg_print_cstr(pctx, "[ dscp <integer> ]");
+	cfg_print_cstr(pctx, " )");
+}
+
+static isc_result_t
+parse_sockaddrnameport(cfg_parser_t *pctx, const cfg_type_t *type,
+		       cfg_obj_t **ret) {
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+	UNUSED(type);
+
+	CHECK(cfg_peektoken(pctx, CFG_LEXOPT_QSTRING));
+	if (pctx->token.type == isc_tokentype_string ||
+	    pctx->token.type == isc_tokentype_qstring)
+	{
+		if (cfg_lookingat_netaddr(pctx, CFG_ADDR_V4OK | CFG_ADDR_V6OK))
+		{
+			CHECK(cfg_parse_sockaddr(pctx, &cfg_type_sockaddr,
+						 ret));
+		} else {
+			const cfg_tuplefielddef_t *fields =
+				cfg_type_nameport.of;
+			CHECK(cfg_create_tuple(pctx, &cfg_type_nameport, &obj));
+			CHECK(cfg_parse_obj(pctx, fields[0].type,
+					    &obj->value.tuple[0]));
+			CHECK(cfg_parse_obj(pctx, fields[1].type,
+					    &obj->value.tuple[1]));
+			CHECK(cfg_parse_obj(pctx, fields[2].type,
+					    &obj->value.tuple[2]));
+			*ret = obj;
+			obj = NULL;
+		}
+	} else {
+		cfg_parser_error(pctx, CFG_LOG_NEAR,
+				 "expected IP address or hostname");
+		return (ISC_R_UNEXPECTEDTOKEN);
+	}
+cleanup:
+	CLEANUP_OBJ(obj);
+	return (result);
+}
+
+static cfg_type_t cfg_type_sockaddrnameport = { "sockaddrnameport_element",
+						parse_sockaddrnameport,
+						NULL,
+						doc_sockaddrnameport,
+						NULL,
+						NULL };
+
+static cfg_type_t cfg_type_bracketed_sockaddrnameportlist = {
+	"bracketed_sockaddrnameportlist",
+	cfg_parse_bracketed_list,
+	cfg_print_bracketed_list,
+	cfg_doc_bracketed_list,
+	&cfg_rep_list,
+	&cfg_type_sockaddrnameport
+};
+
+/*%
+ * A list of socket addresses or name with an optional default port,
+ * as used in the dual-stack-servers option.  E.g.,
+ * "port 1234 { dual-stack-servers.net; 10.0.0.1; 1::2 port 69; }"
+ */
+static cfg_tuplefielddef_t nameportiplist_fields[] = {
+	{ "port", &cfg_type_optional_port, 0 },
+	{ "addresses", &cfg_type_bracketed_sockaddrnameportlist, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_nameportiplist = {
+	"nameportiplist", cfg_parse_tuple, cfg_print_tuple,
+	cfg_doc_tuple,	  &cfg_rep_tuple,  nameportiplist_fields
+};
+
+/*%
+ * primaries element.
+ */
+
+static void
+doc_remoteselement(cfg_printer_t *pctx, const cfg_type_t *type) {
+	UNUSED(type);
+	cfg_print_cstr(pctx, "( ");
+	cfg_print_cstr(pctx, "<remote-servers>");
+	cfg_print_cstr(pctx, " | ");
+	cfg_print_cstr(pctx, "<ipv4_address>");
+	cfg_print_cstr(pctx, " ");
+	cfg_print_cstr(pctx, "[ port <integer> ]");
+	cfg_print_cstr(pctx, " | ");
+	cfg_print_cstr(pctx, "<ipv6_address>");
+	cfg_print_cstr(pctx, " ");
+	cfg_print_cstr(pctx, "[ port <integer> ]");
+	cfg_print_cstr(pctx, " )");
+}
+
+static isc_result_t
+parse_remoteselement(cfg_parser_t *pctx, const cfg_type_t *type,
+		     cfg_obj_t **ret) {
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+	UNUSED(type);
+
+	CHECK(cfg_peektoken(pctx, CFG_LEXOPT_QSTRING));
+	if (pctx->token.type == isc_tokentype_string ||
+	    pctx->token.type == isc_tokentype_qstring)
+	{
+		if (cfg_lookingat_netaddr(pctx, CFG_ADDR_V4OK | CFG_ADDR_V6OK))
+		{
+			CHECK(cfg_parse_sockaddr(pctx, &cfg_type_sockaddr,
+						 ret));
+		} else {
+			CHECK(cfg_parse_astring(pctx, &cfg_type_astring, ret));
+		}
+	} else {
+		cfg_parser_error(pctx, CFG_LOG_NEAR,
+				 "expected IP address or remote servers list "
+				 "name");
+		return (ISC_R_UNEXPECTEDTOKEN);
+	}
+cleanup:
+	CLEANUP_OBJ(obj);
+	return (result);
+}
+
+static cfg_type_t cfg_type_remoteselement = { "remotes_element",
+					      parse_remoteselement,
+					      NULL,
+					      doc_remoteselement,
+					      NULL,
+					      NULL };
+
+static int
+cmp_clause(const void *ap, const void *bp) {
+	const cfg_clausedef_t *a = (const cfg_clausedef_t *)ap;
+	const cfg_clausedef_t *b = (const cfg_clausedef_t *)bp;
+	return (strcmp(a->name, b->name));
+}
+
+bool
+cfg_clause_validforzone(const char *name, unsigned int ztype) {
+	const cfg_clausedef_t *clause;
+	bool valid = false;
+
+	for (clause = zone_clauses; clause->name != NULL; clause++) {
+		if ((clause->flags & ztype) == 0 ||
+		    strcmp(clause->name, name) != 0)
+		{
+			continue;
+		}
+		valid = true;
+	}
+	for (clause = zone_only_clauses; clause->name != NULL; clause++) {
+		if ((clause->flags & ztype) == 0 ||
+		    strcmp(clause->name, name) != 0)
+		{
+			continue;
+		}
+		valid = true;
+	}
+
+	return (valid);
+}
+
+void
+cfg_print_zonegrammar(const unsigned int zonetype, unsigned int flags,
+		      void (*f)(void *closure, const char *text, int textlen),
+		      void *closure) {
+#define NCLAUSES                                               \
+	(((sizeof(zone_clauses) + sizeof(zone_only_clauses)) / \
+	  sizeof(clause[0])) -                                 \
+	 1)
+
+	cfg_printer_t pctx;
+	cfg_clausedef_t *clause = NULL;
+	cfg_clausedef_t clauses[NCLAUSES];
+
+	pctx.f = f;
+	pctx.closure = closure;
+	pctx.indent = 0;
+	pctx.flags = flags;
+
+	memmove(clauses, zone_clauses, sizeof(zone_clauses));
+	memmove(clauses + sizeof(zone_clauses) / sizeof(zone_clauses[0]) - 1,
+		zone_only_clauses, sizeof(zone_only_clauses));
+	qsort(clauses, NCLAUSES - 1, sizeof(clause[0]), cmp_clause);
+
+	cfg_print_cstr(&pctx, "zone <string> [ <class> ] {\n");
+	pctx.indent++;
+
+	switch (zonetype) {
+	case CFG_ZONE_PRIMARY:
+		cfg_print_indent(&pctx);
+		cfg_print_cstr(&pctx, "type ( master | primary );\n");
+		break;
+	case CFG_ZONE_SECONDARY:
+		cfg_print_indent(&pctx);
+		cfg_print_cstr(&pctx, "type ( slave | secondary );\n");
+		break;
+	case CFG_ZONE_MIRROR:
+		cfg_print_indent(&pctx);
+		cfg_print_cstr(&pctx, "type mirror;\n");
+		break;
+	case CFG_ZONE_STUB:
+		cfg_print_indent(&pctx);
+		cfg_print_cstr(&pctx, "type stub;\n");
+		break;
+	case CFG_ZONE_HINT:
+		cfg_print_indent(&pctx);
+		cfg_print_cstr(&pctx, "type hint;\n");
+		break;
+	case CFG_ZONE_FORWARD:
+		cfg_print_indent(&pctx);
+		cfg_print_cstr(&pctx, "type forward;\n");
+		break;
+	case CFG_ZONE_STATICSTUB:
+		cfg_print_indent(&pctx);
+		cfg_print_cstr(&pctx, "type static-stub;\n");
+		break;
+	case CFG_ZONE_REDIRECT:
+		cfg_print_indent(&pctx);
+		cfg_print_cstr(&pctx, "type redirect;\n");
+		break;
+	case CFG_ZONE_DELEGATION:
+		cfg_print_indent(&pctx);
+		cfg_print_cstr(&pctx, "type delegation-only;\n");
+		break;
+	case CFG_ZONE_INVIEW:
+		/* no zone type is specified for these */
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	for (clause = clauses; clause->name != NULL; clause++) {
+		if (((pctx.flags & CFG_PRINTER_ACTIVEONLY) != 0) &&
+		    (((clause->flags & CFG_CLAUSEFLAG_OBSOLETE) != 0) ||
+		     ((clause->flags & CFG_CLAUSEFLAG_ANCIENT) != 0) ||
+		     ((clause->flags & CFG_CLAUSEFLAG_NYI) != 0) ||
+		     ((clause->flags & CFG_CLAUSEFLAG_TESTONLY) != 0)))
+		{
+			continue;
+		}
+		if ((clause->flags & zonetype) == 0 ||
+		    strcasecmp(clause->name, "type") == 0)
+		{
+			continue;
+		}
+		cfg_print_indent(&pctx);
+		cfg_print_cstr(&pctx, clause->name);
+		cfg_print_cstr(&pctx, " ");
+		cfg_doc_obj(&pctx, clause->type);
+		cfg_print_cstr(&pctx, ";");
+		cfg_print_clauseflags(&pctx, clause->flags);
+		cfg_print_cstr(&pctx, "\n");
+	}
+
+	pctx.indent--;
+	cfg_print_cstr(&pctx, "};\n");
+}
diff --git a/lib/isccfg/parser.c b/lib/isccfg/parser.c
new file mode 100644
index 0000000..4ba93ee
--- /dev/null
+++ b/lib/isccfg/parser.c
@@ -0,0 +1,4145 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND BSD-2-Clause
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * duration_fromtext initially taken from OpenDNSSEC code base.
+ * Modified to fit the BIND 9 code.
+ *
+ * Copyright (c) 2009-2018 NLNet Labs.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
+ * GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
+ * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+ * IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*! \file */
+
+#include <ctype.h>
+#include <errno.h>
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/dir.h>
+#include <isc/formatcheck.h>
+#include <isc/lex.h>
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/net.h>
+#include <isc/netaddr.h>
+#include <isc/netscope.h>
+#include <isc/print.h>
+#include <isc/sockaddr.h>
+#include <isc/string.h>
+#include <isc/symtab.h>
+#include <isc/util.h>
+
+#include <dns/ttl.h>
+
+#include <isccfg/cfg.h>
+#include <isccfg/grammar.h>
+#include <isccfg/log.h>
+
+/* Shorthand */
+#define CAT CFG_LOGCATEGORY_CONFIG
+#define MOD CFG_LOGMODULE_PARSER
+
+#define MAP_SYM 1 /* Unique type for isc_symtab */
+
+#define TOKEN_STRING(pctx) (pctx->token.value.as_textregion.base)
+
+/* Check a return value. */
+#define CHECK(op)                            \
+	do {                                 \
+		result = (op);               \
+		if (result != ISC_R_SUCCESS) \
+			goto cleanup;        \
+	} while (0)
+
+/* Clean up a configuration object if non-NULL. */
+#define CLEANUP_OBJ(obj)                               \
+	do {                                           \
+		if ((obj) != NULL)                     \
+			cfg_obj_destroy(pctx, &(obj)); \
+	} while (0)
+
+/*
+ * Forward declarations of static functions.
+ */
+
+static void
+free_tuple(cfg_parser_t *pctx, cfg_obj_t *obj);
+
+static isc_result_t
+parse_list(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+static void
+print_list(cfg_printer_t *pctx, const cfg_obj_t *obj);
+
+static void
+free_list(cfg_parser_t *pctx, cfg_obj_t *obj);
+
+static isc_result_t
+create_listelt(cfg_parser_t *pctx, cfg_listelt_t **eltp);
+
+static isc_result_t
+create_string(cfg_parser_t *pctx, const char *contents, const cfg_type_t *type,
+	      cfg_obj_t **ret);
+
+static void
+free_string(cfg_parser_t *pctx, cfg_obj_t *obj);
+
+static isc_result_t
+create_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **objp);
+
+static void
+free_map(cfg_parser_t *pctx, cfg_obj_t *obj);
+
+static isc_result_t
+parse_symtab_elt(cfg_parser_t *pctx, const char *name, cfg_type_t *elttype,
+		 isc_symtab_t *symtab, bool callback);
+
+static void
+free_noop(cfg_parser_t *pctx, cfg_obj_t *obj);
+
+static isc_result_t
+cfg_getstringtoken(cfg_parser_t *pctx);
+
+static void
+parser_complain(cfg_parser_t *pctx, bool is_warning, unsigned int flags,
+		const char *format, va_list args);
+
+#if defined(HAVE_GEOIP2)
+static isc_result_t
+parse_geoip(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+static void
+print_geoip(cfg_printer_t *pctx, const cfg_obj_t *obj);
+
+static void
+doc_geoip(cfg_printer_t *pctx, const cfg_type_t *type);
+#endif /* HAVE_GEOIP2 */
+
+/*
+ * Data representations.  These correspond to members of the
+ * "value" union in struct cfg_obj (except "void", which does
+ * not need a union member).
+ */
+
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_uint32 = { "uint32", free_noop };
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_uint64 = { "uint64", free_noop };
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_string = { "string", free_string };
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_boolean = { "boolean", free_noop };
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_map = { "map", free_map };
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_list = { "list", free_list };
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_tuple = { "tuple", free_tuple };
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_sockaddr = { "sockaddr", free_noop };
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_netprefix = { "netprefix",
+							free_noop };
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_void = { "void", free_noop };
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_fixedpoint = { "fixedpoint",
+							 free_noop };
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_percentage = { "percentage",
+							 free_noop };
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_duration = { "duration", free_noop };
+
+/*
+ * Configuration type definitions.
+ */
+
+/*%
+ * An implicit list.  These are formed by clauses that occur multiple times.
+ */
+static cfg_type_t cfg_type_implicitlist = { "implicitlist", NULL,
+					    print_list,	    NULL,
+					    &cfg_rep_list,  NULL };
+
+/* Functions. */
+
+void
+cfg_print_obj(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	REQUIRE(pctx != NULL);
+	REQUIRE(obj != NULL);
+
+	obj->type->print(pctx, obj);
+}
+
+void
+cfg_print_chars(cfg_printer_t *pctx, const char *text, int len) {
+	REQUIRE(pctx != NULL);
+	REQUIRE(text != NULL);
+
+	pctx->f(pctx->closure, text, len);
+}
+
+static void
+print_open(cfg_printer_t *pctx) {
+	if ((pctx->flags & CFG_PRINTER_ONELINE) != 0) {
+		cfg_print_cstr(pctx, "{ ");
+	} else {
+		cfg_print_cstr(pctx, "{\n");
+		pctx->indent++;
+	}
+}
+
+void
+cfg_print_indent(cfg_printer_t *pctx) {
+	int indent = pctx->indent;
+	if ((pctx->flags & CFG_PRINTER_ONELINE) != 0) {
+		cfg_print_cstr(pctx, " ");
+		return;
+	}
+	while (indent > 0) {
+		cfg_print_cstr(pctx, "\t");
+		indent--;
+	}
+}
+
+static void
+print_close(cfg_printer_t *pctx) {
+	if ((pctx->flags & CFG_PRINTER_ONELINE) == 0) {
+		pctx->indent--;
+		cfg_print_indent(pctx);
+	}
+	cfg_print_cstr(pctx, "}");
+}
+
+isc_result_t
+cfg_parse_obj(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(type != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	result = type->parse(pctx, type, ret);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	ENSURE(*ret != NULL);
+	return (ISC_R_SUCCESS);
+}
+
+void
+cfg_print(const cfg_obj_t *obj,
+	  void (*f)(void *closure, const char *text, int textlen),
+	  void *closure) {
+	REQUIRE(obj != NULL);
+	REQUIRE(f != NULL);
+
+	cfg_printx(obj, 0, f, closure);
+}
+
+void
+cfg_printx(const cfg_obj_t *obj, unsigned int flags,
+	   void (*f)(void *closure, const char *text, int textlen),
+	   void *closure) {
+	cfg_printer_t pctx;
+
+	REQUIRE(obj != NULL);
+	REQUIRE(f != NULL);
+
+	pctx.f = f;
+	pctx.closure = closure;
+	pctx.indent = 0;
+	pctx.flags = flags;
+	obj->type->print(&pctx, obj);
+}
+
+/* Tuples. */
+
+isc_result_t
+cfg_create_tuple(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+	const cfg_tuplefielddef_t *fields;
+	const cfg_tuplefielddef_t *f;
+	cfg_obj_t *obj = NULL;
+	unsigned int nfields = 0;
+	int i;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(type != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	fields = type->of;
+
+	for (f = fields; f->name != NULL; f++) {
+		nfields++;
+	}
+
+	CHECK(cfg_create_obj(pctx, type, &obj));
+	obj->value.tuple = isc_mem_get(pctx->mctx,
+				       nfields * sizeof(cfg_obj_t *));
+	for (f = fields, i = 0; f->name != NULL; f++, i++) {
+		obj->value.tuple[i] = NULL;
+	}
+	*ret = obj;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	if (obj != NULL) {
+		isc_mem_put(pctx->mctx, obj, sizeof(*obj));
+	}
+	return (result);
+}
+
+isc_result_t
+cfg_parse_tuple(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+	const cfg_tuplefielddef_t *fields;
+	const cfg_tuplefielddef_t *f;
+	cfg_obj_t *obj = NULL;
+	unsigned int i;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(type != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	fields = type->of;
+
+	CHECK(cfg_create_tuple(pctx, type, &obj));
+	for (f = fields, i = 0; f->name != NULL; f++, i++) {
+		CHECK(cfg_parse_obj(pctx, f->type, &obj->value.tuple[i]));
+	}
+
+	*ret = obj;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	CLEANUP_OBJ(obj);
+	return (result);
+}
+
+void
+cfg_print_tuple(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	unsigned int i;
+	const cfg_tuplefielddef_t *fields;
+	const cfg_tuplefielddef_t *f;
+	bool need_space = false;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(obj != NULL);
+
+	fields = obj->type->of;
+
+	for (f = fields, i = 0; f->name != NULL; f++, i++) {
+		const cfg_obj_t *fieldobj = obj->value.tuple[i];
+		if (need_space && fieldobj->type->rep != &cfg_rep_void) {
+			cfg_print_cstr(pctx, " ");
+		}
+		cfg_print_obj(pctx, fieldobj);
+		need_space = (need_space ||
+			      fieldobj->type->print != cfg_print_void);
+	}
+}
+
+void
+cfg_doc_tuple(cfg_printer_t *pctx, const cfg_type_t *type) {
+	const cfg_tuplefielddef_t *fields;
+	const cfg_tuplefielddef_t *f;
+	bool need_space = false;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(type != NULL);
+
+	fields = type->of;
+
+	for (f = fields; f->name != NULL; f++) {
+		if (need_space) {
+			cfg_print_cstr(pctx, " ");
+		}
+		cfg_doc_obj(pctx, f->type);
+		need_space = (f->type->print != cfg_print_void);
+	}
+}
+
+static void
+free_tuple(cfg_parser_t *pctx, cfg_obj_t *obj) {
+	unsigned int i;
+	const cfg_tuplefielddef_t *fields = obj->type->of;
+	const cfg_tuplefielddef_t *f;
+	unsigned int nfields = 0;
+
+	if (obj->value.tuple == NULL) {
+		return;
+	}
+
+	for (f = fields, i = 0; f->name != NULL; f++, i++) {
+		CLEANUP_OBJ(obj->value.tuple[i]);
+		nfields++;
+	}
+	isc_mem_put(pctx->mctx, obj->value.tuple,
+		    nfields * sizeof(cfg_obj_t *));
+}
+
+bool
+cfg_obj_istuple(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL);
+	return (obj->type->rep == &cfg_rep_tuple);
+}
+
+const cfg_obj_t *
+cfg_tuple_get(const cfg_obj_t *tupleobj, const char *name) {
+	unsigned int i;
+	const cfg_tuplefielddef_t *fields;
+	const cfg_tuplefielddef_t *f;
+
+	REQUIRE(tupleobj != NULL && tupleobj->type->rep == &cfg_rep_tuple);
+	REQUIRE(name != NULL);
+
+	fields = tupleobj->type->of;
+	for (f = fields, i = 0; f->name != NULL; f++, i++) {
+		if (strcmp(f->name, name) == 0) {
+			return (tupleobj->value.tuple[i]);
+		}
+	}
+	UNREACHABLE();
+}
+
+isc_result_t
+cfg_parse_special(cfg_parser_t *pctx, int special) {
+	isc_result_t result;
+
+	REQUIRE(pctx != NULL);
+
+	CHECK(cfg_gettoken(pctx, 0));
+	if (pctx->token.type == isc_tokentype_special &&
+	    pctx->token.value.as_char == special)
+	{
+		return (ISC_R_SUCCESS);
+	}
+
+	cfg_parser_error(pctx, CFG_LOG_NEAR, "'%c' expected", special);
+	return (ISC_R_UNEXPECTEDTOKEN);
+cleanup:
+	return (result);
+}
+
+/*
+ * Parse a required semicolon.  If it is not there, log
+ * an error and increment the error count but continue
+ * parsing.  Since the next token is pushed back,
+ * care must be taken to make sure it is eventually
+ * consumed or an infinite loop may result.
+ */
+static isc_result_t
+parse_semicolon(cfg_parser_t *pctx) {
+	isc_result_t result;
+
+	CHECK(cfg_gettoken(pctx, 0));
+	if (pctx->token.type == isc_tokentype_special &&
+	    pctx->token.value.as_char == ';')
+	{
+		return (ISC_R_SUCCESS);
+	}
+
+	cfg_parser_error(pctx, CFG_LOG_BEFORE, "missing ';'");
+	cfg_ungettoken(pctx);
+cleanup:
+	return (result);
+}
+
+/*
+ * Parse EOF, logging and returning an error if not there.
+ */
+static isc_result_t
+parse_eof(cfg_parser_t *pctx) {
+	isc_result_t result;
+
+	CHECK(cfg_gettoken(pctx, 0));
+
+	if (pctx->token.type == isc_tokentype_eof) {
+		return (ISC_R_SUCCESS);
+	}
+
+	cfg_parser_error(pctx, CFG_LOG_NEAR, "syntax error");
+	return (ISC_R_UNEXPECTEDTOKEN);
+cleanup:
+	return (result);
+}
+
+/* A list of files, used internally for pctx->files. */
+
+static cfg_type_t cfg_type_filelist = { "filelist",    NULL,
+					print_list,    NULL,
+					&cfg_rep_list, &cfg_type_qstring };
+
+isc_result_t
+cfg_parser_create(isc_mem_t *mctx, isc_log_t *lctx, cfg_parser_t **ret) {
+	isc_result_t result;
+	cfg_parser_t *pctx;
+	isc_lexspecials_t specials;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	pctx = isc_mem_get(mctx, sizeof(*pctx));
+
+	pctx->mctx = NULL;
+	isc_mem_attach(mctx, &pctx->mctx);
+
+	isc_refcount_init(&pctx->references, 1);
+
+	pctx->lctx = lctx;
+	pctx->lexer = NULL;
+	pctx->seen_eof = false;
+	pctx->ungotten = false;
+	pctx->errors = 0;
+	pctx->warnings = 0;
+	pctx->open_files = NULL;
+	pctx->closed_files = NULL;
+	pctx->line = 0;
+	pctx->callback = NULL;
+	pctx->callbackarg = NULL;
+	pctx->token.type = isc_tokentype_unknown;
+	pctx->flags = 0;
+	pctx->buf_name = NULL;
+
+	memset(specials, 0, sizeof(specials));
+	specials['{'] = 1;
+	specials['}'] = 1;
+	specials[';'] = 1;
+	specials['/'] = 1;
+	specials['"'] = 1;
+	specials['!'] = 1;
+
+	CHECK(isc_lex_create(pctx->mctx, 1024, &pctx->lexer));
+
+	isc_lex_setspecials(pctx->lexer, specials);
+	isc_lex_setcomments(pctx->lexer,
+			    (ISC_LEXCOMMENT_C | ISC_LEXCOMMENT_CPLUSPLUS |
+			     ISC_LEXCOMMENT_SHELL));
+
+	CHECK(cfg_create_list(pctx, &cfg_type_filelist, &pctx->open_files));
+	CHECK(cfg_create_list(pctx, &cfg_type_filelist, &pctx->closed_files));
+
+	*ret = pctx;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	if (pctx->lexer != NULL) {
+		isc_lex_destroy(&pctx->lexer);
+	}
+	CLEANUP_OBJ(pctx->open_files);
+	CLEANUP_OBJ(pctx->closed_files);
+	isc_mem_putanddetach(&pctx->mctx, pctx, sizeof(*pctx));
+	return (result);
+}
+
+void
+cfg_parser_setflags(cfg_parser_t *pctx, unsigned int flags, bool turn_on) {
+	REQUIRE(pctx != NULL);
+
+	if (turn_on) {
+		pctx->flags |= flags;
+	} else {
+		pctx->flags &= ~flags;
+	}
+}
+
+static isc_result_t
+parser_openfile(cfg_parser_t *pctx, const char *filename) {
+	isc_result_t result;
+	cfg_listelt_t *elt = NULL;
+	cfg_obj_t *stringobj = NULL;
+
+	result = isc_lex_openfile(pctx->lexer, filename);
+	if (result != ISC_R_SUCCESS) {
+		cfg_parser_error(pctx, 0, "open: %s: %s", filename,
+				 isc_result_totext(result));
+		goto cleanup;
+	}
+
+	CHECK(create_string(pctx, filename, &cfg_type_qstring, &stringobj));
+	CHECK(create_listelt(pctx, &elt));
+	elt->obj = stringobj;
+	ISC_LIST_APPEND(pctx->open_files->value.list, elt, link);
+
+	return (ISC_R_SUCCESS);
+cleanup:
+	CLEANUP_OBJ(stringobj);
+	return (result);
+}
+
+void
+cfg_parser_setcallback(cfg_parser_t *pctx, cfg_parsecallback_t callback,
+		       void *arg) {
+	REQUIRE(pctx != NULL);
+
+	pctx->callback = callback;
+	pctx->callbackarg = arg;
+}
+
+void
+cfg_parser_reset(cfg_parser_t *pctx) {
+	REQUIRE(pctx != NULL);
+
+	if (pctx->lexer != NULL) {
+		isc_lex_close(pctx->lexer);
+	}
+
+	pctx->seen_eof = false;
+	pctx->ungotten = false;
+	pctx->errors = 0;
+	pctx->warnings = 0;
+	pctx->line = 0;
+}
+
+/*
+ * Parse a configuration using a pctx where a lexer has already
+ * been set up with a source.
+ */
+static isc_result_t
+parse2(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+
+	result = cfg_parse_obj(pctx, type, &obj);
+
+	if (pctx->errors != 0) {
+		/* Errors have been logged. */
+		if (result == ISC_R_SUCCESS) {
+			result = ISC_R_FAILURE;
+		}
+		goto cleanup;
+	}
+
+	if (result != ISC_R_SUCCESS) {
+		/* Parsing failed but no errors have been logged. */
+		cfg_parser_error(pctx, 0, "parsing failed: %s",
+				 isc_result_totext(result));
+		goto cleanup;
+	}
+
+	CHECK(parse_eof(pctx));
+
+	*ret = obj;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	CLEANUP_OBJ(obj);
+	return (result);
+}
+
+isc_result_t
+cfg_parse_file(cfg_parser_t *pctx, const char *filename, const cfg_type_t *type,
+	       cfg_obj_t **ret) {
+	isc_result_t result;
+	cfg_listelt_t *elt;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(filename != NULL);
+	REQUIRE(type != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	CHECK(parser_openfile(pctx, filename));
+
+	result = parse2(pctx, type, ret);
+
+	/* Clean up the opened file */
+	elt = ISC_LIST_TAIL(pctx->open_files->value.list);
+	INSIST(elt != NULL);
+	ISC_LIST_UNLINK(pctx->open_files->value.list, elt, link);
+	ISC_LIST_APPEND(pctx->closed_files->value.list, elt, link);
+
+cleanup:
+	return (result);
+}
+
+isc_result_t
+cfg_parse_buffer(cfg_parser_t *pctx, isc_buffer_t *buffer, const char *file,
+		 unsigned int line, const cfg_type_t *type, unsigned int flags,
+		 cfg_obj_t **ret) {
+	isc_result_t result;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(type != NULL);
+	REQUIRE(buffer != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+	REQUIRE((flags & ~(CFG_PCTX_NODEPRECATED)) == 0);
+
+	CHECK(isc_lex_openbuffer(pctx->lexer, buffer));
+
+	pctx->buf_name = file;
+	pctx->flags = flags;
+
+	if (line != 0U) {
+		CHECK(isc_lex_setsourceline(pctx->lexer, line));
+	}
+
+	CHECK(parse2(pctx, type, ret));
+	pctx->buf_name = NULL;
+
+cleanup:
+	return (result);
+}
+
+void
+cfg_parser_attach(cfg_parser_t *src, cfg_parser_t **dest) {
+	REQUIRE(src != NULL);
+	REQUIRE(dest != NULL && *dest == NULL);
+
+	isc_refcount_increment(&src->references);
+	*dest = src;
+}
+
+void
+cfg_parser_destroy(cfg_parser_t **pctxp) {
+	cfg_parser_t *pctx;
+
+	REQUIRE(pctxp != NULL && *pctxp != NULL);
+	pctx = *pctxp;
+	*pctxp = NULL;
+
+	if (isc_refcount_decrement(&pctx->references) == 1) {
+		isc_lex_destroy(&pctx->lexer);
+		/*
+		 * Cleaning up open_files does not
+		 * close the files; that was already done
+		 * by closing the lexer.
+		 */
+		CLEANUP_OBJ(pctx->open_files);
+		CLEANUP_OBJ(pctx->closed_files);
+		isc_mem_putanddetach(&pctx->mctx, pctx, sizeof(*pctx));
+	}
+}
+
+/*
+ * void
+ */
+isc_result_t
+cfg_parse_void(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	REQUIRE(pctx != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	UNUSED(type);
+
+	return (cfg_create_obj(pctx, &cfg_type_void, ret));
+}
+
+void
+cfg_print_void(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	REQUIRE(pctx != NULL);
+	REQUIRE(obj != NULL);
+
+	UNUSED(pctx);
+	UNUSED(obj);
+}
+
+void
+cfg_doc_void(cfg_printer_t *pctx, const cfg_type_t *type) {
+	REQUIRE(pctx != NULL);
+	REQUIRE(type != NULL);
+
+	UNUSED(pctx);
+	UNUSED(type);
+}
+
+bool
+cfg_obj_isvoid(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL);
+	return (obj->type->rep == &cfg_rep_void);
+}
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_void = {
+	"void",	      cfg_parse_void, cfg_print_void,
+	cfg_doc_void, &cfg_rep_void,  NULL
+};
+
+/*
+ * percentage
+ */
+isc_result_t
+cfg_parse_percentage(cfg_parser_t *pctx, const cfg_type_t *type,
+		     cfg_obj_t **ret) {
+	char *endp;
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+	uint64_t percent;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	UNUSED(type);
+
+	CHECK(cfg_gettoken(pctx, 0));
+	if (pctx->token.type != isc_tokentype_string) {
+		cfg_parser_error(pctx, CFG_LOG_NEAR, "expected percentage");
+		return (ISC_R_UNEXPECTEDTOKEN);
+	}
+
+	percent = strtoull(TOKEN_STRING(pctx), &endp, 10);
+	if (*endp != '%' || *(endp + 1) != 0) {
+		cfg_parser_error(pctx, CFG_LOG_NEAR, "expected percentage");
+		return (ISC_R_UNEXPECTEDTOKEN);
+	}
+
+	CHECK(cfg_create_obj(pctx, &cfg_type_percentage, &obj));
+	obj->value.uint32 = (uint32_t)percent;
+	*ret = obj;
+
+cleanup:
+	return (result);
+}
+
+void
+cfg_print_percentage(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	char buf[64];
+	int n;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(obj != NULL);
+
+	n = snprintf(buf, sizeof(buf), "%u%%", obj->value.uint32);
+	INSIST(n > 0 && (size_t)n < sizeof(buf));
+	cfg_print_chars(pctx, buf, strlen(buf));
+}
+
+uint32_t
+cfg_obj_aspercentage(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_percentage);
+	return (obj->value.uint32);
+}
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_percentage = {
+	"percentage",	  cfg_parse_percentage, cfg_print_percentage,
+	cfg_doc_terminal, &cfg_rep_percentage,	NULL
+};
+
+bool
+cfg_obj_ispercentage(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL);
+	return (obj->type->rep == &cfg_rep_percentage);
+}
+
+/*
+ * Fixed point
+ */
+isc_result_t
+cfg_parse_fixedpoint(cfg_parser_t *pctx, const cfg_type_t *type,
+		     cfg_obj_t **ret) {
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+	size_t n1, n2, n3, l;
+	const char *p;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	UNUSED(type);
+
+	CHECK(cfg_gettoken(pctx, 0));
+	if (pctx->token.type != isc_tokentype_string) {
+		cfg_parser_error(pctx, CFG_LOG_NEAR,
+				 "expected fixed point number");
+		return (ISC_R_UNEXPECTEDTOKEN);
+	}
+
+	p = TOKEN_STRING(pctx);
+	l = strlen(p);
+	n1 = strspn(p, "0123456789");
+	n2 = strspn(p + n1, ".");
+	n3 = strspn(p + n1 + n2, "0123456789");
+
+	if ((n1 + n2 + n3 != l) || (n1 + n3 == 0) || n1 > 5 || n2 > 1 || n3 > 2)
+	{
+		cfg_parser_error(pctx, CFG_LOG_NEAR,
+				 "expected fixed point number");
+		return (ISC_R_UNEXPECTEDTOKEN);
+	}
+
+	CHECK(cfg_create_obj(pctx, &cfg_type_fixedpoint, &obj));
+
+	obj->value.uint32 = strtoul(p, NULL, 10) * 100;
+	switch (n3) {
+	case 2:
+		obj->value.uint32 += strtoul(p + n1 + n2, NULL, 10);
+		break;
+	case 1:
+		obj->value.uint32 += strtoul(p + n1 + n2, NULL, 10) * 10;
+		break;
+	}
+	*ret = obj;
+
+cleanup:
+	return (result);
+}
+
+void
+cfg_print_fixedpoint(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	char buf[64];
+	int n;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(obj != NULL);
+
+	n = snprintf(buf, sizeof(buf), "%u.%02u", obj->value.uint32 / 100,
+		     obj->value.uint32 % 100);
+	INSIST(n > 0 && (size_t)n < sizeof(buf));
+	cfg_print_chars(pctx, buf, strlen(buf));
+}
+
+uint32_t
+cfg_obj_asfixedpoint(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_fixedpoint);
+	return (obj->value.uint32);
+}
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_fixedpoint = {
+	"fixedpoint",	  cfg_parse_fixedpoint, cfg_print_fixedpoint,
+	cfg_doc_terminal, &cfg_rep_fixedpoint,	NULL
+};
+
+bool
+cfg_obj_isfixedpoint(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL);
+	return (obj->type->rep == &cfg_rep_fixedpoint);
+}
+
+/*
+ * uint32
+ */
+isc_result_t
+cfg_parse_uint32(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	UNUSED(type);
+
+	CHECK(cfg_gettoken(pctx, ISC_LEXOPT_NUMBER | ISC_LEXOPT_CNUMBER));
+	if (pctx->token.type != isc_tokentype_number) {
+		cfg_parser_error(pctx, CFG_LOG_NEAR, "expected number");
+		return (ISC_R_UNEXPECTEDTOKEN);
+	}
+
+	CHECK(cfg_create_obj(pctx, &cfg_type_uint32, &obj));
+
+	obj->value.uint32 = pctx->token.value.as_ulong;
+	*ret = obj;
+cleanup:
+	return (result);
+}
+
+void
+cfg_print_cstr(cfg_printer_t *pctx, const char *s) {
+	cfg_print_chars(pctx, s, strlen(s));
+}
+
+void
+cfg_print_rawuint(cfg_printer_t *pctx, unsigned int u) {
+	char buf[32];
+
+	snprintf(buf, sizeof(buf), "%u", u);
+	cfg_print_cstr(pctx, buf);
+}
+
+void
+cfg_print_uint32(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	cfg_print_rawuint(pctx, obj->value.uint32);
+}
+
+bool
+cfg_obj_isuint32(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL);
+	return (obj->type->rep == &cfg_rep_uint32);
+}
+
+uint32_t
+cfg_obj_asuint32(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_uint32);
+	return (obj->value.uint32);
+}
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_uint32 = {
+	"integer",	  cfg_parse_uint32, cfg_print_uint32,
+	cfg_doc_terminal, &cfg_rep_uint32,  NULL
+};
+
+/*
+ * uint64
+ */
+bool
+cfg_obj_isuint64(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL);
+	return (obj->type->rep == &cfg_rep_uint64);
+}
+
+uint64_t
+cfg_obj_asuint64(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_uint64);
+	return (obj->value.uint64);
+}
+
+void
+cfg_print_uint64(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	char buf[32];
+
+	snprintf(buf, sizeof(buf), "%" PRIu64, obj->value.uint64);
+	cfg_print_cstr(pctx, buf);
+}
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_uint64 = {
+	"64_bit_integer", NULL, cfg_print_uint64, cfg_doc_terminal,
+	&cfg_rep_uint64,  NULL
+};
+
+/*
+ * Get the number of digits in a number.
+ */
+static size_t
+numlen(uint32_t num) {
+	uint32_t period = num;
+	size_t count = 0;
+
+	if (period == 0) {
+		return (1);
+	}
+	while (period > 0) {
+		count++;
+		period /= 10;
+	}
+	return (count);
+}
+
+/*
+ * duration
+ */
+void
+cfg_print_duration(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	char buf[CFG_DURATION_MAXLEN];
+	char *str;
+	const char *indicators = "YMWDHMS";
+	int count, i;
+	int durationlen[7] = { 0 };
+	cfg_duration_t duration;
+	/*
+	 * D ? The duration has a date part.
+	 * T ? The duration has a time part.
+	 */
+	bool D = false, T = false;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(obj != NULL);
+
+	duration = obj->value.duration;
+
+	/* If this is not an ISO 8601 duration, just print it as a number. */
+	if (!duration.iso8601) {
+		cfg_print_rawuint(pctx, duration.parts[6]);
+		return;
+	}
+
+	/* Calculate length of string. */
+	buf[0] = 'P';
+	buf[1] = '\0';
+	str = &buf[1];
+	count = 2;
+	for (i = 0; i < 6; i++) {
+		if (duration.parts[i] > 0) {
+			durationlen[i] = 1 + numlen(duration.parts[i]);
+			if (i < 4) {
+				D = true;
+			} else {
+				T = true;
+			}
+			count += durationlen[i];
+		}
+	}
+	/*
+	 * Special case for seconds which is not taken into account in the
+	 * above for loop: Count the length of the seconds part if it is
+	 * non-zero, or if all the other parts are also zero.  In the latter
+	 * case this function will print "PT0S".
+	 */
+	if (duration.parts[6] > 0 ||
+	    (!D && !duration.parts[4] && !duration.parts[5]))
+	{
+		durationlen[6] = 1 + numlen(duration.parts[6]);
+		T = true;
+		count += durationlen[6];
+	}
+	/* Add one character for the time indicator. */
+	if (T) {
+		count++;
+	}
+	INSIST(count < CFG_DURATION_MAXLEN);
+
+	/* Now print the duration. */
+	for (i = 0; i < 6; i++) {
+		/*
+		 * We don't check here if weeks and other time indicator are
+		 * used mutually exclusively.
+		 */
+		if (duration.parts[i] > 0) {
+			snprintf(str, durationlen[i] + 2, "%u%c",
+				 (uint32_t)duration.parts[i], indicators[i]);
+			str += durationlen[i];
+		}
+		if (i == 3 && T) {
+			snprintf(str, 2, "T");
+			str += 1;
+		}
+	}
+	/* Special case for seconds. */
+	if (duration.parts[6] > 0 ||
+	    (!D && !duration.parts[4] && !duration.parts[5]))
+	{
+		snprintf(str, durationlen[6] + 2, "%u%c",
+			 (uint32_t)duration.parts[6], indicators[6]);
+	}
+	cfg_print_chars(pctx, buf, strlen(buf));
+}
+
+void
+cfg_print_duration_or_unlimited(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	cfg_duration_t duration;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(obj != NULL);
+
+	duration = obj->value.duration;
+
+	if (duration.unlimited) {
+		cfg_print_cstr(pctx, "unlimited");
+	} else {
+		cfg_print_duration(pctx, obj);
+	}
+}
+
+bool
+cfg_obj_isduration(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL);
+	return (obj->type->rep == &cfg_rep_duration);
+}
+
+uint32_t
+cfg_obj_asduration(const cfg_obj_t *obj) {
+	uint64_t seconds = 0;
+	cfg_duration_t duration;
+
+	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_duration);
+
+	duration = obj->value.duration;
+
+	seconds += (uint64_t)duration.parts[6];		    /* Seconds */
+	seconds += (uint64_t)duration.parts[5] * 60;	    /* Minutes */
+	seconds += (uint64_t)duration.parts[4] * 3600;	    /* Hours */
+	seconds += (uint64_t)duration.parts[3] * 86400;	    /* Days */
+	seconds += (uint64_t)duration.parts[2] * 86400 * 7; /* Weeks */
+	/*
+	 * The below additions are not entirely correct
+	 * because days may vary per month and per year.
+	 */
+	seconds += (uint64_t)duration.parts[1] * 86400 * 31;  /* Months */
+	seconds += (uint64_t)duration.parts[0] * 86400 * 365; /* Years */
+
+	return (seconds > UINT32_MAX ? UINT32_MAX : (uint32_t)seconds);
+}
+
+static isc_result_t
+duration_fromtext(isc_textregion_t *source, cfg_duration_t *duration) {
+	char buf[CFG_DURATION_MAXLEN] = { 0 };
+	char *P, *X, *T, *W, *str;
+	bool not_weeks = false;
+	int i;
+	long long int lli;
+
+	/*
+	 * Copy the buffer as it may not be NULL terminated.
+	 */
+	if (source->length > sizeof(buf) - 1) {
+		return (ISC_R_BADNUMBER);
+	}
+	/* Copy source->length bytes and NULL terminate. */
+	snprintf(buf, sizeof(buf), "%.*s", (int)source->length, source->base);
+	str = buf;
+
+	/* Clear out duration. */
+	for (i = 0; i < 7; i++) {
+		duration->parts[i] = 0;
+	}
+
+	/* Every duration starts with 'P' */
+	P = strpbrk(str, "Pp");
+	if (P == NULL) {
+		return (ISC_R_BADNUMBER);
+	}
+
+	/* Record the time indicator. */
+	T = strpbrk(str, "Tt");
+
+	/* Record years. */
+	X = strpbrk(str, "Yy");
+	if (X != NULL) {
+		errno = 0;
+		lli = strtoll(str + 1, NULL, 10);
+		if (errno != 0 || lli < 0 || lli > UINT32_MAX) {
+			return (ISC_R_BADNUMBER);
+		}
+		duration->parts[0] = (uint32_t)lli;
+		str = X;
+		not_weeks = true;
+	}
+
+	/* Record months. */
+	X = strpbrk(str, "Mm");
+
+	/*
+	 * M could be months or minutes. This is months if there is no time
+	 * part, or this M indicator is before the time indicator.
+	 */
+	if (X != NULL && (T == NULL || (size_t)(X - P) < (size_t)(T - P))) {
+		errno = 0;
+		lli = strtoll(str + 1, NULL, 10);
+		if (errno != 0 || lli < 0 || lli > UINT32_MAX) {
+			return (ISC_R_BADNUMBER);
+		}
+		duration->parts[1] = (uint32_t)lli;
+		str = X;
+		not_weeks = true;
+	}
+
+	/* Record days. */
+	X = strpbrk(str, "Dd");
+	if (X != NULL) {
+		errno = 0;
+		lli = strtoll(str + 1, NULL, 10);
+		if (errno != 0 || lli < 0 || lli > UINT32_MAX) {
+			return (ISC_R_BADNUMBER);
+		}
+		duration->parts[3] = (uint32_t)lli;
+		str = X;
+		not_weeks = true;
+	}
+
+	/* Time part? */
+	if (T != NULL) {
+		str = T;
+		not_weeks = true;
+	}
+
+	/* Record hours. */
+	X = strpbrk(str, "Hh");
+	if (X != NULL && T != NULL) {
+		errno = 0;
+		lli = strtoll(str + 1, NULL, 10);
+		if (errno != 0 || lli < 0 || lli > UINT32_MAX) {
+			return (ISC_R_BADNUMBER);
+		}
+		duration->parts[4] = (uint32_t)lli;
+		str = X;
+		not_weeks = true;
+	}
+
+	/* Record minutes. */
+	X = strpbrk(str, "Mm");
+
+	/*
+	 * M could be months or minutes. This is minutes if there is a time
+	 * part and the M indicator is behind the time indicator.
+	 */
+	if (X != NULL && T != NULL && (size_t)(X - P) > (size_t)(T - P)) {
+		errno = 0;
+		lli = strtoll(str + 1, NULL, 10);
+		if (errno != 0 || lli < 0 || lli > UINT32_MAX) {
+			return (ISC_R_BADNUMBER);
+		}
+		duration->parts[5] = (uint32_t)lli;
+		str = X;
+		not_weeks = true;
+	}
+
+	/* Record seconds. */
+	X = strpbrk(str, "Ss");
+	if (X != NULL && T != NULL) {
+		errno = 0;
+		lli = strtoll(str + 1, NULL, 10);
+		if (errno != 0 || lli < 0 || lli > UINT32_MAX) {
+			return (ISC_R_BADNUMBER);
+		}
+		duration->parts[6] = (uint32_t)lli;
+		str = X;
+		not_weeks = true;
+	}
+
+	/* Or is the duration configured in weeks? */
+	W = strpbrk(buf, "Ww");
+	if (W != NULL) {
+		if (not_weeks) {
+			/* Mix of weeks and other indicators is not allowed */
+			return (ISC_R_BADNUMBER);
+		} else {
+			errno = 0;
+			lli = strtoll(str + 1, NULL, 10);
+			if (errno != 0 || lli < 0 || lli > UINT32_MAX) {
+				return (ISC_R_BADNUMBER);
+			}
+			duration->parts[2] = (uint32_t)lli;
+			str = W;
+		}
+	}
+
+	/* Deal with trailing garbage. */
+	if (str[1] != '\0') {
+		return (ISC_R_BADNUMBER);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+parse_duration(cfg_parser_t *pctx, cfg_obj_t **ret) {
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+	cfg_duration_t duration;
+
+	duration.unlimited = false;
+
+	if (toupper((unsigned char)TOKEN_STRING(pctx)[0]) == 'P') {
+		result = duration_fromtext(&pctx->token.value.as_textregion,
+					   &duration);
+		duration.iso8601 = true;
+	} else {
+		uint32_t ttl;
+		result = dns_ttl_fromtext(&pctx->token.value.as_textregion,
+					  &ttl);
+		/*
+		 * With dns_ttl_fromtext() the information on optional units.
+		 * is lost, and is treated as seconds from now on.
+		 */
+		for (int i = 0; i < 6; i++) {
+			duration.parts[i] = 0;
+		}
+		duration.parts[6] = ttl;
+		duration.iso8601 = false;
+	}
+
+	if (result == ISC_R_RANGE) {
+		cfg_parser_error(pctx, CFG_LOG_NEAR,
+				 "duration or TTL out of range");
+		return (result);
+	} else if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	CHECK(cfg_create_obj(pctx, &cfg_type_duration, &obj));
+	obj->value.duration = duration;
+	*ret = obj;
+
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	cfg_parser_error(pctx, CFG_LOG_NEAR,
+			 "expected ISO 8601 duration or TTL value");
+	return (result);
+}
+
+isc_result_t
+cfg_parse_duration(cfg_parser_t *pctx, const cfg_type_t *type,
+		   cfg_obj_t **ret) {
+	isc_result_t result;
+
+	UNUSED(type);
+
+	CHECK(cfg_gettoken(pctx, 0));
+	if (pctx->token.type != isc_tokentype_string) {
+		result = ISC_R_UNEXPECTEDTOKEN;
+		goto cleanup;
+	}
+
+	return (parse_duration(pctx, ret));
+
+cleanup:
+	cfg_parser_error(pctx, CFG_LOG_NEAR,
+			 "expected ISO 8601 duration or TTL value");
+	return (result);
+}
+
+isc_result_t
+cfg_parse_duration_or_unlimited(cfg_parser_t *pctx, const cfg_type_t *type,
+				cfg_obj_t **ret) {
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+	cfg_duration_t duration;
+
+	UNUSED(type);
+
+	CHECK(cfg_gettoken(pctx, 0));
+	if (pctx->token.type != isc_tokentype_string) {
+		result = ISC_R_UNEXPECTEDTOKEN;
+		goto cleanup;
+	}
+
+	if (strcmp(TOKEN_STRING(pctx), "unlimited") == 0) {
+		for (int i = 0; i < 7; i++) {
+			duration.parts[i] = 0;
+		}
+		duration.iso8601 = false;
+		duration.unlimited = true;
+
+		CHECK(cfg_create_obj(pctx, &cfg_type_duration, &obj));
+		obj->value.duration = duration;
+		*ret = obj;
+		return (ISC_R_SUCCESS);
+	}
+
+	return (parse_duration(pctx, ret));
+
+cleanup:
+	cfg_parser_error(pctx, CFG_LOG_NEAR,
+			 "expected ISO 8601 duration, TTL value, or unlimited");
+	return (result);
+}
+
+/*%
+ * A duration as defined by ISO 8601 (P[n]Y[n]M[n]DT[n]H[n]M[n]S).
+ * - P is the duration indicator ("period") placed at the start.
+ * - Y is the year indicator that follows the value for the number of years.
+ * - M is the month indicator that follows the value for the number of months.
+ * - D is the day indicator that follows the value for the number of days.
+ * - T is the time indicator that precedes the time components.
+ * - H is the hour indicator that follows the value for the number of hours.
+ * - M is the minute indicator that follows the value for the number of
+ *   minutes.
+ * - S is the second indicator that follows the value for the number of
+ *   seconds.
+ *
+ * A duration can also be a TTL value (number + optional unit).
+ */
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_duration = {
+	"duration",	  cfg_parse_duration, cfg_print_duration,
+	cfg_doc_terminal, &cfg_rep_duration,  NULL
+};
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_duration_or_unlimited = {
+	"duration_or_unlimited",
+	cfg_parse_duration_or_unlimited,
+	cfg_print_duration_or_unlimited,
+	cfg_doc_terminal,
+	&cfg_rep_duration,
+	NULL
+};
+
+/*
+ * qstring (quoted string), ustring (unquoted string), astring
+ * (any string), sstring (secret string)
+ */
+
+/* Create a string object from a null-terminated C string. */
+static isc_result_t
+create_string(cfg_parser_t *pctx, const char *contents, const cfg_type_t *type,
+	      cfg_obj_t **ret) {
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+	int len;
+
+	CHECK(cfg_create_obj(pctx, type, &obj));
+	len = strlen(contents);
+	obj->value.string.length = len;
+	obj->value.string.base = isc_mem_get(pctx->mctx, len + 1);
+	if (obj->value.string.base == 0) {
+		isc_mem_put(pctx->mctx, obj, sizeof(*obj));
+		return (ISC_R_NOMEMORY);
+	}
+	memmove(obj->value.string.base, contents, len);
+	obj->value.string.base[len] = '\0';
+
+	*ret = obj;
+cleanup:
+	return (result);
+}
+
+isc_result_t
+cfg_parse_qstring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	UNUSED(type);
+
+	CHECK(cfg_gettoken(pctx, CFG_LEXOPT_QSTRING));
+	if (pctx->token.type != isc_tokentype_qstring) {
+		cfg_parser_error(pctx, CFG_LOG_NEAR, "expected quoted string");
+		return (ISC_R_UNEXPECTEDTOKEN);
+	}
+	return (create_string(pctx, TOKEN_STRING(pctx), &cfg_type_qstring,
+			      ret));
+cleanup:
+	return (result);
+}
+
+static isc_result_t
+parse_ustring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+
+	UNUSED(type);
+
+	CHECK(cfg_gettoken(pctx, 0));
+	if (pctx->token.type != isc_tokentype_string) {
+		cfg_parser_error(pctx, CFG_LOG_NEAR,
+				 "expected unquoted string");
+		return (ISC_R_UNEXPECTEDTOKEN);
+	}
+	return (create_string(pctx, TOKEN_STRING(pctx), &cfg_type_ustring,
+			      ret));
+cleanup:
+	return (result);
+}
+
+isc_result_t
+cfg_parse_astring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	UNUSED(type);
+
+	CHECK(cfg_getstringtoken(pctx));
+	return (create_string(pctx, TOKEN_STRING(pctx), &cfg_type_qstring,
+			      ret));
+cleanup:
+	return (result);
+}
+
+isc_result_t
+cfg_parse_sstring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	UNUSED(type);
+
+	CHECK(cfg_getstringtoken(pctx));
+	return (create_string(pctx, TOKEN_STRING(pctx), &cfg_type_sstring,
+			      ret));
+cleanup:
+	return (result);
+}
+
+static isc_result_t
+parse_btext(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+
+	UNUSED(type);
+
+	CHECK(cfg_gettoken(pctx, ISC_LEXOPT_BTEXT));
+	if (pctx->token.type != isc_tokentype_btext) {
+		cfg_parser_error(pctx, CFG_LOG_NEAR, "expected bracketed text");
+		return (ISC_R_UNEXPECTEDTOKEN);
+	}
+	return (create_string(pctx, TOKEN_STRING(pctx),
+			      &cfg_type_bracketed_text, ret));
+cleanup:
+	return (result);
+}
+
+static void
+print_btext(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	/*
+	 * We need to print "{" instead of running print_open()
+	 * in order to preserve the exact original formatting
+	 * of the bracketed text. But we increment the indent value
+	 * so that print_close() will leave us back in our original
+	 * state.
+	 */
+	pctx->indent++;
+	cfg_print_cstr(pctx, "{");
+	cfg_print_chars(pctx, obj->value.string.base, obj->value.string.length);
+	print_close(pctx);
+}
+
+static void
+doc_btext(cfg_printer_t *pctx, const cfg_type_t *type) {
+	UNUSED(type);
+
+	cfg_print_cstr(pctx, "{ <unspecified-text> }");
+}
+
+bool
+cfg_is_enum(const char *s, const char *const *enums) {
+	const char *const *p;
+
+	REQUIRE(s != NULL);
+	REQUIRE(enums != NULL);
+
+	for (p = enums; *p != NULL; p++) {
+		if (strcasecmp(*p, s) == 0) {
+			return (true);
+		}
+	}
+	return (false);
+}
+
+static isc_result_t
+check_enum(cfg_parser_t *pctx, cfg_obj_t *obj, const char *const *enums) {
+	const char *s = obj->value.string.base;
+
+	if (cfg_is_enum(s, enums)) {
+		return (ISC_R_SUCCESS);
+	}
+	cfg_parser_error(pctx, 0, "'%s' unexpected", s);
+	return (ISC_R_UNEXPECTEDTOKEN);
+}
+
+isc_result_t
+cfg_parse_enum(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(type != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	CHECK(parse_ustring(pctx, NULL, &obj));
+	CHECK(check_enum(pctx, obj, type->of));
+	*ret = obj;
+	return (ISC_R_SUCCESS);
+cleanup:
+	CLEANUP_OBJ(obj);
+	return (result);
+}
+
+void
+cfg_doc_enum(cfg_printer_t *pctx, const cfg_type_t *type) {
+	const char *const *p;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(type != NULL);
+
+	cfg_print_cstr(pctx, "( ");
+	for (p = type->of; *p != NULL; p++) {
+		cfg_print_cstr(pctx, *p);
+		if (p[1] != NULL) {
+			cfg_print_cstr(pctx, " | ");
+		}
+	}
+	cfg_print_cstr(pctx, " )");
+}
+
+isc_result_t
+cfg_parse_enum_or_other(cfg_parser_t *pctx, const cfg_type_t *enumtype,
+			const cfg_type_t *othertype, cfg_obj_t **ret) {
+	isc_result_t result;
+	CHECK(cfg_peektoken(pctx, 0));
+	if (pctx->token.type == isc_tokentype_string &&
+	    cfg_is_enum(TOKEN_STRING(pctx), enumtype->of))
+	{
+		CHECK(cfg_parse_enum(pctx, enumtype, ret));
+	} else {
+		CHECK(cfg_parse_obj(pctx, othertype, ret));
+	}
+cleanup:
+	return (result);
+}
+
+void
+cfg_doc_enum_or_other(cfg_printer_t *pctx, const cfg_type_t *enumtype,
+		      const cfg_type_t *othertype) {
+	const char *const *p;
+	bool first = true;
+
+	/*
+	 * If othertype is cfg_type_void, it means that enumtype is
+	 * optional.
+	 */
+
+	if (othertype == &cfg_type_void) {
+		cfg_print_cstr(pctx, "[ ");
+	}
+	cfg_print_cstr(pctx, "( ");
+	for (p = enumtype->of; *p != NULL; p++) {
+		if (!first) {
+			cfg_print_cstr(pctx, " | ");
+		}
+		first = false;
+		cfg_print_cstr(pctx, *p);
+	}
+	if (othertype != &cfg_type_void) {
+		if (!first) {
+			cfg_print_cstr(pctx, " | ");
+		}
+		cfg_doc_terminal(pctx, othertype);
+	}
+	cfg_print_cstr(pctx, " )");
+	if (othertype == &cfg_type_void) {
+		cfg_print_cstr(pctx, " ]");
+	}
+}
+
+void
+cfg_print_ustring(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	REQUIRE(pctx != NULL);
+	REQUIRE(obj != NULL);
+
+	cfg_print_chars(pctx, obj->value.string.base, obj->value.string.length);
+}
+
+static void
+print_qstring(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	cfg_print_cstr(pctx, "\"");
+	for (size_t i = 0; i < obj->value.string.length; i++) {
+		if (obj->value.string.base[i] == '"') {
+			cfg_print_cstr(pctx, "\\");
+		}
+		cfg_print_chars(pctx, &obj->value.string.base[i], 1);
+	}
+	cfg_print_cstr(pctx, "\"");
+}
+
+static void
+print_sstring(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	cfg_print_cstr(pctx, "\"");
+	if ((pctx->flags & CFG_PRINTER_XKEY) != 0) {
+		unsigned int len = obj->value.string.length;
+		while (len-- > 0) {
+			cfg_print_cstr(pctx, "?");
+		}
+	} else {
+		cfg_print_ustring(pctx, obj);
+	}
+	cfg_print_cstr(pctx, "\"");
+}
+
+static void
+free_string(cfg_parser_t *pctx, cfg_obj_t *obj) {
+	isc_mem_put(pctx->mctx, obj->value.string.base,
+		    obj->value.string.length + 1);
+}
+
+bool
+cfg_obj_isstring(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL);
+	return (obj->type->rep == &cfg_rep_string);
+}
+
+const char *
+cfg_obj_asstring(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_string);
+	return (obj->value.string.base);
+}
+
+/* Quoted string only */
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_qstring = {
+	"quoted_string",  cfg_parse_qstring, print_qstring,
+	cfg_doc_terminal, &cfg_rep_string,   NULL
+};
+
+/* Unquoted string only */
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_ustring = {
+	"string",	  parse_ustring,   cfg_print_ustring,
+	cfg_doc_terminal, &cfg_rep_string, NULL
+};
+
+/* Any string (quoted or unquoted); printed with quotes */
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_astring = {
+	"string",	  cfg_parse_astring, print_qstring,
+	cfg_doc_terminal, &cfg_rep_string,   NULL
+};
+
+/*
+ * Any string (quoted or unquoted); printed with quotes.
+ * If CFG_PRINTER_XKEY is set when printing the string will be '?' out.
+ */
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_sstring = {
+	"string",	  cfg_parse_sstring, print_sstring,
+	cfg_doc_terminal, &cfg_rep_string,   NULL
+};
+
+/*
+ * Text enclosed in brackets. Used to pass a block of configuration
+ * text to dynamic library or external application. Checked for
+ * bracket balance, but not otherwise parsed.
+ */
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_bracketed_text = {
+	"bracketed_text", parse_btext,	   print_btext,
+	doc_btext,	  &cfg_rep_string, NULL
+};
+
+#if defined(HAVE_GEOIP2)
+/*
+ * "geoip" ACL element:
+ * geoip [ db <database> ] search-type <string>
+ */
+static const char *geoiptype_enums[] = {
+	"area",	      "areacode",  "asnum",	  "city",     "continent",
+	"country",    "country3",  "countryname", "domain",   "isp",
+	"metro",      "metrocode", "netspeed",	  "org",      "postal",
+	"postalcode", "region",	   "regionname",  "timezone", "tz",
+	NULL
+};
+static cfg_type_t cfg_type_geoiptype = { "geoiptype",	    cfg_parse_enum,
+					 cfg_print_ustring, cfg_doc_enum,
+					 &cfg_rep_string,   &geoiptype_enums };
+
+static cfg_tuplefielddef_t geoip_fields[] = {
+	{ "negated", &cfg_type_void, 0 },
+	{ "db", &cfg_type_astring, 0 },
+	{ "subtype", &cfg_type_geoiptype, 0 },
+	{ "search", &cfg_type_astring, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_geoip = { "geoip",	parse_geoip,	print_geoip,
+				     doc_geoip, &cfg_rep_tuple, geoip_fields };
+
+static isc_result_t
+parse_geoip(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+	const cfg_tuplefielddef_t *fields = type->of;
+
+	CHECK(cfg_create_tuple(pctx, type, &obj));
+	CHECK(cfg_parse_void(pctx, NULL, &obj->value.tuple[0]));
+
+	/* Parse the optional "db" field. */
+	CHECK(cfg_peektoken(pctx, 0));
+	if (pctx->token.type == isc_tokentype_string) {
+		CHECK(cfg_gettoken(pctx, 0));
+		if (strcasecmp(TOKEN_STRING(pctx), "db") == 0 &&
+		    obj->value.tuple[1] == NULL)
+		{
+			CHECK(cfg_parse_obj(pctx, fields[1].type,
+					    &obj->value.tuple[1]));
+		} else {
+			CHECK(cfg_parse_void(pctx, NULL, &obj->value.tuple[1]));
+			cfg_ungettoken(pctx);
+		}
+	}
+
+	CHECK(cfg_parse_obj(pctx, fields[2].type, &obj->value.tuple[2]));
+	CHECK(cfg_parse_obj(pctx, fields[3].type, &obj->value.tuple[3]));
+
+	*ret = obj;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	CLEANUP_OBJ(obj);
+	return (result);
+}
+
+static void
+print_geoip(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	if (obj->value.tuple[1]->type->print != cfg_print_void) {
+		cfg_print_cstr(pctx, " db ");
+		cfg_print_obj(pctx, obj->value.tuple[1]);
+	}
+	cfg_print_obj(pctx, obj->value.tuple[2]);
+	cfg_print_obj(pctx, obj->value.tuple[3]);
+}
+
+static void
+doc_geoip(cfg_printer_t *pctx, const cfg_type_t *type) {
+	UNUSED(type);
+	cfg_print_cstr(pctx, "[ db ");
+	cfg_doc_obj(pctx, &cfg_type_astring);
+	cfg_print_cstr(pctx, " ]");
+	cfg_print_cstr(pctx, " ");
+	cfg_doc_enum(pctx, &cfg_type_geoiptype);
+	cfg_print_cstr(pctx, " ");
+	cfg_doc_obj(pctx, &cfg_type_astring);
+}
+#endif /* HAVE_GEOIP2 */
+
+static cfg_type_t cfg_type_addrmatchelt;
+static cfg_type_t cfg_type_negated;
+
+static isc_result_t
+parse_addrmatchelt(cfg_parser_t *pctx, const cfg_type_t *type,
+		   cfg_obj_t **ret) {
+	isc_result_t result;
+	UNUSED(type);
+
+	CHECK(cfg_peektoken(pctx, CFG_LEXOPT_QSTRING));
+
+	if (pctx->token.type == isc_tokentype_string ||
+	    pctx->token.type == isc_tokentype_qstring)
+	{
+		if (pctx->token.type == isc_tokentype_string &&
+		    (strcasecmp(TOKEN_STRING(pctx), "key") == 0))
+		{
+			CHECK(cfg_parse_obj(pctx, &cfg_type_keyref, ret));
+		} else if (pctx->token.type == isc_tokentype_string &&
+			   (strcasecmp(TOKEN_STRING(pctx), "geoip") == 0))
+		{
+#if defined(HAVE_GEOIP2)
+			CHECK(cfg_gettoken(pctx, 0));
+			CHECK(cfg_parse_obj(pctx, &cfg_type_geoip, ret));
+#else  /* if defined(HAVE_GEOIP2) */
+			cfg_parser_error(pctx, CFG_LOG_NEAR,
+					 "'geoip' "
+					 "not supported in this build");
+			return (ISC_R_UNEXPECTEDTOKEN);
+#endif /* if defined(HAVE_GEOIP2) */
+		} else {
+			if (cfg_lookingat_netaddr(
+				    pctx, CFG_ADDR_V4OK | CFG_ADDR_V4PREFIXOK |
+						  CFG_ADDR_V6OK))
+			{
+				CHECK(cfg_parse_netprefix(pctx, NULL, ret));
+			} else {
+				CHECK(cfg_parse_astring(pctx, NULL, ret));
+			}
+		}
+	} else if (pctx->token.type == isc_tokentype_special) {
+		if (pctx->token.value.as_char == '{') {
+			/* Nested match list. */
+			CHECK(cfg_parse_obj(pctx, &cfg_type_bracketed_aml,
+					    ret));
+		} else if (pctx->token.value.as_char == '!') {
+			CHECK(cfg_gettoken(pctx, 0)); /* read "!" */
+			CHECK(cfg_parse_obj(pctx, &cfg_type_negated, ret));
+		} else {
+			goto bad;
+		}
+	} else {
+	bad:
+		cfg_parser_error(pctx, CFG_LOG_NEAR,
+				 "expected IP match list element");
+		return (ISC_R_UNEXPECTEDTOKEN);
+	}
+cleanup:
+	return (result);
+}
+
+/*%
+ * A negated address match list element (like "! 10.0.0.1").
+ * Somewhat sneakily, the caller is expected to parse the
+ * "!", but not to print it.
+ */
+static cfg_tuplefielddef_t negated_fields[] = {
+	{ "negated", &cfg_type_addrmatchelt, 0 }, { NULL, NULL, 0 }
+};
+
+static void
+print_negated(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	cfg_print_cstr(pctx, "!");
+	cfg_print_tuple(pctx, obj);
+}
+
+static cfg_type_t cfg_type_negated = { "negated",      cfg_parse_tuple,
+				       print_negated,  NULL,
+				       &cfg_rep_tuple, &negated_fields };
+
+/*% An address match list element */
+
+static cfg_type_t cfg_type_addrmatchelt = { "address_match_element",
+					    parse_addrmatchelt,
+					    NULL,
+					    cfg_doc_terminal,
+					    NULL,
+					    NULL };
+
+/*%
+ * A bracketed address match list
+ */
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_bracketed_aml = {
+	"bracketed_aml",
+	cfg_parse_bracketed_list,
+	cfg_print_bracketed_list,
+	cfg_doc_bracketed_list,
+	&cfg_rep_list,
+	&cfg_type_addrmatchelt
+};
+
+/*
+ * Optional bracketed text
+ */
+static isc_result_t
+parse_optional_btext(cfg_parser_t *pctx, const cfg_type_t *type,
+		     cfg_obj_t **ret) {
+	isc_result_t result;
+
+	UNUSED(type);
+
+	CHECK(cfg_peektoken(pctx, ISC_LEXOPT_BTEXT));
+	if (pctx->token.type == isc_tokentype_btext) {
+		CHECK(cfg_parse_obj(pctx, &cfg_type_bracketed_text, ret));
+	} else {
+		CHECK(cfg_parse_obj(pctx, &cfg_type_void, ret));
+	}
+cleanup:
+	return (result);
+}
+
+static void
+print_optional_btext(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	if (obj->type == &cfg_type_void) {
+		return;
+	}
+
+	pctx->indent++;
+	cfg_print_cstr(pctx, "{");
+	cfg_print_chars(pctx, obj->value.string.base, obj->value.string.length);
+	print_close(pctx);
+}
+
+static void
+doc_optional_btext(cfg_printer_t *pctx, const cfg_type_t *type) {
+	UNUSED(type);
+
+	cfg_print_cstr(pctx, "[ { <unspecified-text> } ]");
+}
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_optional_bracketed_text = {
+	"optional_btext",
+	parse_optional_btext,
+	print_optional_btext,
+	doc_optional_btext,
+	NULL,
+	NULL
+};
+
+/*
+ * Booleans
+ */
+
+bool
+cfg_obj_isboolean(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL);
+	return (obj->type->rep == &cfg_rep_boolean);
+}
+
+bool
+cfg_obj_asboolean(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_boolean);
+	return (obj->value.boolean);
+}
+
+isc_result_t
+cfg_parse_boolean(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+	bool value;
+	cfg_obj_t *obj = NULL;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	UNUSED(type);
+
+	result = cfg_gettoken(pctx, 0);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	if (pctx->token.type != isc_tokentype_string) {
+		goto bad_boolean;
+	}
+
+	if ((strcasecmp(TOKEN_STRING(pctx), "true") == 0) ||
+	    (strcasecmp(TOKEN_STRING(pctx), "yes") == 0) ||
+	    (strcmp(TOKEN_STRING(pctx), "1") == 0))
+	{
+		value = true;
+	} else if ((strcasecmp(TOKEN_STRING(pctx), "false") == 0) ||
+		   (strcasecmp(TOKEN_STRING(pctx), "no") == 0) ||
+		   (strcmp(TOKEN_STRING(pctx), "0") == 0))
+	{
+		value = false;
+	} else {
+		goto bad_boolean;
+	}
+
+	CHECK(cfg_create_obj(pctx, &cfg_type_boolean, &obj));
+	obj->value.boolean = value;
+	*ret = obj;
+	return (result);
+
+bad_boolean:
+	cfg_parser_error(pctx, CFG_LOG_NEAR, "boolean expected");
+	return (ISC_R_UNEXPECTEDTOKEN);
+
+cleanup:
+	return (result);
+}
+
+void
+cfg_print_boolean(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	REQUIRE(pctx != NULL);
+	REQUIRE(obj != NULL);
+
+	if (obj->value.boolean) {
+		cfg_print_cstr(pctx, "yes");
+	} else {
+		cfg_print_cstr(pctx, "no");
+	}
+}
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_boolean = {
+	"boolean",	  cfg_parse_boolean, cfg_print_boolean,
+	cfg_doc_terminal, &cfg_rep_boolean,  NULL
+};
+
+/*
+ * Lists.
+ */
+
+isc_result_t
+cfg_create_list(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **obj) {
+	isc_result_t result;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(type != NULL);
+	REQUIRE(obj != NULL && *obj == NULL);
+
+	CHECK(cfg_create_obj(pctx, type, obj));
+	ISC_LIST_INIT((*obj)->value.list);
+cleanup:
+	return (result);
+}
+
+static isc_result_t
+create_listelt(cfg_parser_t *pctx, cfg_listelt_t **eltp) {
+	cfg_listelt_t *elt;
+
+	elt = isc_mem_get(pctx->mctx, sizeof(*elt));
+	elt->obj = NULL;
+	ISC_LINK_INIT(elt, link);
+	*eltp = elt;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+free_listelt(cfg_parser_t *pctx, cfg_listelt_t *elt) {
+	if (elt->obj != NULL) {
+		cfg_obj_destroy(pctx, &elt->obj);
+	}
+	isc_mem_put(pctx->mctx, elt, sizeof(*elt));
+}
+
+static void
+free_list(cfg_parser_t *pctx, cfg_obj_t *obj) {
+	cfg_listelt_t *elt, *next;
+	for (elt = ISC_LIST_HEAD(obj->value.list); elt != NULL; elt = next) {
+		next = ISC_LIST_NEXT(elt, link);
+		free_listelt(pctx, elt);
+	}
+}
+
+isc_result_t
+cfg_parse_listelt(cfg_parser_t *pctx, const cfg_type_t *elttype,
+		  cfg_listelt_t **ret) {
+	isc_result_t result;
+	cfg_listelt_t *elt = NULL;
+	cfg_obj_t *value = NULL;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(elttype != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	CHECK(create_listelt(pctx, &elt));
+
+	result = cfg_parse_obj(pctx, elttype, &value);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	elt->obj = value;
+
+	*ret = elt;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	isc_mem_put(pctx->mctx, elt, sizeof(*elt));
+	return (result);
+}
+
+/*
+ * Parse a homogeneous list whose elements are of type 'elttype'
+ * and where each element is terminated by a semicolon.
+ */
+static isc_result_t
+parse_list(cfg_parser_t *pctx, const cfg_type_t *listtype, cfg_obj_t **ret) {
+	cfg_obj_t *listobj = NULL;
+	const cfg_type_t *listof = listtype->of;
+	isc_result_t result;
+	cfg_listelt_t *elt = NULL;
+
+	CHECK(cfg_create_list(pctx, listtype, &listobj));
+
+	for (;;) {
+		CHECK(cfg_peektoken(pctx, 0));
+		if (pctx->token.type == isc_tokentype_special &&
+		    pctx->token.value.as_char == /*{*/ '}')
+		{
+			break;
+		}
+		CHECK(cfg_parse_listelt(pctx, listof, &elt));
+		CHECK(parse_semicolon(pctx));
+		ISC_LIST_APPEND(listobj->value.list, elt, link);
+		elt = NULL;
+	}
+	*ret = listobj;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	if (elt != NULL) {
+		free_listelt(pctx, elt);
+	}
+	CLEANUP_OBJ(listobj);
+	return (result);
+}
+
+static void
+print_list(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	const cfg_list_t *list = &obj->value.list;
+	const cfg_listelt_t *elt;
+
+	for (elt = ISC_LIST_HEAD(*list); elt != NULL;
+	     elt = ISC_LIST_NEXT(elt, link))
+	{
+		if ((pctx->flags & CFG_PRINTER_ONELINE) != 0) {
+			cfg_print_obj(pctx, elt->obj);
+			cfg_print_cstr(pctx, "; ");
+		} else {
+			cfg_print_indent(pctx);
+			cfg_print_obj(pctx, elt->obj);
+			cfg_print_cstr(pctx, ";\n");
+		}
+	}
+}
+
+isc_result_t
+cfg_parse_bracketed_list(cfg_parser_t *pctx, const cfg_type_t *type,
+			 cfg_obj_t **ret) {
+	isc_result_t result;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(type != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	CHECK(cfg_parse_special(pctx, '{'));
+	CHECK(parse_list(pctx, type, ret));
+	CHECK(cfg_parse_special(pctx, '}'));
+cleanup:
+	return (result);
+}
+
+void
+cfg_print_bracketed_list(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	REQUIRE(pctx != NULL);
+	REQUIRE(obj != NULL);
+
+	print_open(pctx);
+	print_list(pctx, obj);
+	print_close(pctx);
+}
+
+void
+cfg_doc_bracketed_list(cfg_printer_t *pctx, const cfg_type_t *type) {
+	REQUIRE(pctx != NULL);
+	REQUIRE(type != NULL);
+
+	cfg_print_cstr(pctx, "{ ");
+	cfg_doc_obj(pctx, type->of);
+	cfg_print_cstr(pctx, "; ... }");
+}
+
+/*
+ * Parse a homogeneous list whose elements are of type 'elttype'
+ * and where elements are separated by space.  The list ends
+ * before the first semicolon.
+ */
+isc_result_t
+cfg_parse_spacelist(cfg_parser_t *pctx, const cfg_type_t *listtype,
+		    cfg_obj_t **ret) {
+	cfg_obj_t *listobj = NULL;
+	const cfg_type_t *listof;
+	isc_result_t result;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(listtype != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	listof = listtype->of;
+
+	CHECK(cfg_create_list(pctx, listtype, &listobj));
+
+	for (;;) {
+		cfg_listelt_t *elt = NULL;
+
+		CHECK(cfg_peektoken(pctx, 0));
+		if (pctx->token.type == isc_tokentype_special &&
+		    pctx->token.value.as_char == ';')
+		{
+			break;
+		}
+		CHECK(cfg_parse_listelt(pctx, listof, &elt));
+		ISC_LIST_APPEND(listobj->value.list, elt, link);
+	}
+	*ret = listobj;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	CLEANUP_OBJ(listobj);
+	return (result);
+}
+
+void
+cfg_print_spacelist(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	const cfg_list_t *list = NULL;
+	const cfg_listelt_t *elt = NULL;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(obj != NULL);
+
+	list = &obj->value.list;
+
+	for (elt = ISC_LIST_HEAD(*list); elt != NULL;
+	     elt = ISC_LIST_NEXT(elt, link))
+	{
+		cfg_print_obj(pctx, elt->obj);
+		if (ISC_LIST_NEXT(elt, link) != NULL) {
+			cfg_print_cstr(pctx, " ");
+		}
+	}
+}
+
+bool
+cfg_obj_islist(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL);
+	return (obj->type->rep == &cfg_rep_list);
+}
+
+const cfg_listelt_t *
+cfg_list_first(const cfg_obj_t *obj) {
+	REQUIRE(obj == NULL || obj->type->rep == &cfg_rep_list);
+	if (obj == NULL) {
+		return (NULL);
+	}
+	return (ISC_LIST_HEAD(obj->value.list));
+}
+
+const cfg_listelt_t *
+cfg_list_next(const cfg_listelt_t *elt) {
+	REQUIRE(elt != NULL);
+	return (ISC_LIST_NEXT(elt, link));
+}
+
+/*
+ * Return the length of a list object.  If obj is NULL or is not
+ * a list, return 0.
+ */
+unsigned int
+cfg_list_length(const cfg_obj_t *obj, bool recurse) {
+	const cfg_listelt_t *elt;
+	unsigned int count = 0;
+
+	if (obj == NULL || !cfg_obj_islist(obj)) {
+		return (0U);
+	}
+	for (elt = cfg_list_first(obj); elt != NULL; elt = cfg_list_next(elt)) {
+		if (recurse && cfg_obj_islist(elt->obj)) {
+			count += cfg_list_length(elt->obj, recurse);
+		} else {
+			count++;
+		}
+	}
+	return (count);
+}
+
+cfg_obj_t *
+cfg_listelt_value(const cfg_listelt_t *elt) {
+	REQUIRE(elt != NULL);
+	return (elt->obj);
+}
+
+/*
+ * Maps.
+ */
+
+/*
+ * Parse a map body.  That's something like
+ *
+ *   "foo 1; bar { glub; }; zap true; zap false;"
+ *
+ * i.e., a sequence of option names followed by values and
+ * terminated by semicolons.  Used for the top level of
+ * the named.conf syntax, as well as for the body of the
+ * options, view, zone, and other statements.
+ */
+isc_result_t
+cfg_parse_mapbody(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	const cfg_clausedef_t *const *clausesets;
+	isc_result_t result;
+	const cfg_clausedef_t *const *clauseset;
+	const cfg_clausedef_t *clause;
+	cfg_obj_t *value = NULL;
+	cfg_obj_t *obj = NULL;
+	cfg_obj_t *eltobj = NULL;
+	cfg_obj_t *includename = NULL;
+	isc_symvalue_t symval;
+	cfg_list_t *list = NULL;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(type != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	clausesets = type->of;
+
+	CHECK(create_map(pctx, type, &obj));
+
+	obj->value.map.clausesets = clausesets;
+
+	for (;;) {
+		cfg_listelt_t *elt;
+
+	redo:
+		/*
+		 * Parse the option name and see if it is known.
+		 */
+		CHECK(cfg_gettoken(pctx, 0));
+
+		if (pctx->token.type != isc_tokentype_string) {
+			cfg_ungettoken(pctx);
+			break;
+		}
+
+		/*
+		 * We accept "include" statements wherever a map body
+		 * clause can occur.
+		 */
+		if (strcasecmp(TOKEN_STRING(pctx), "include") == 0) {
+			/*
+			 * Turn the file name into a temporary configuration
+			 * object just so that it is not overwritten by the
+			 * semicolon token.
+			 */
+			CHECK(cfg_parse_obj(pctx, &cfg_type_qstring,
+					    &includename));
+			CHECK(parse_semicolon(pctx));
+			CHECK(parser_openfile(pctx,
+					      includename->value.string.base));
+			cfg_obj_destroy(pctx, &includename);
+			goto redo;
+		}
+
+		clause = NULL;
+		for (clauseset = clausesets; *clauseset != NULL; clauseset++) {
+			for (clause = *clauseset; clause->name != NULL;
+			     clause++)
+			{
+				if (strcasecmp(TOKEN_STRING(pctx),
+					       clause->name) == 0)
+				{
+					goto done;
+				}
+			}
+		}
+	done:
+		if (clause == NULL || clause->name == NULL) {
+			cfg_parser_error(pctx, CFG_LOG_NOPREP,
+					 "unknown option");
+			/*
+			 * Try to recover by parsing this option as an unknown
+			 * option and discarding it.
+			 */
+			CHECK(cfg_parse_obj(pctx, &cfg_type_unsupported,
+					    &eltobj));
+			cfg_obj_destroy(pctx, &eltobj);
+			CHECK(parse_semicolon(pctx));
+			continue;
+		}
+
+		/* Clause is known. */
+
+		/* Issue fatal errors if appropriate */
+		if ((clause->flags & CFG_CLAUSEFLAG_ANCIENT) != 0) {
+			cfg_parser_error(pctx, 0,
+					 "option '%s' no longer exists",
+					 clause->name);
+			CHECK(ISC_R_FAILURE);
+		}
+
+		/* Issue warnings if appropriate */
+		if ((pctx->flags & CFG_PCTX_NODEPRECATED) == 0 &&
+		    (clause->flags & CFG_CLAUSEFLAG_DEPRECATED) != 0)
+		{
+			cfg_parser_warning(pctx, 0, "option '%s' is deprecated",
+					   clause->name);
+		}
+		if ((clause->flags & CFG_CLAUSEFLAG_OBSOLETE) != 0) {
+			cfg_parser_warning(pctx, 0,
+					   "option '%s' is obsolete and "
+					   "should be removed ",
+					   clause->name);
+		}
+		if ((clause->flags & CFG_CLAUSEFLAG_NOTIMP) != 0) {
+			cfg_parser_warning(pctx, 0,
+					   "option '%s' is not implemented",
+					   clause->name);
+		}
+		if ((clause->flags & CFG_CLAUSEFLAG_NYI) != 0) {
+			cfg_parser_warning(pctx, 0,
+					   "option '%s' is not implemented",
+					   clause->name);
+		}
+		if ((clause->flags & CFG_CLAUSEFLAG_NOOP) != 0) {
+			cfg_parser_warning(pctx, 0,
+					   "option '%s' was not "
+					   "enabled at compile time "
+					   "(ignored)",
+					   clause->name);
+		}
+
+		if ((clause->flags & CFG_CLAUSEFLAG_NOTCONFIGURED) != 0) {
+			cfg_parser_error(pctx, 0,
+					 "option '%s' was not "
+					 "enabled at compile time",
+					 clause->name);
+			CHECK(ISC_R_FAILURE);
+		}
+
+		/*
+		 * Don't log options with CFG_CLAUSEFLAG_NEWDEFAULT
+		 * set here - we need to log the *lack* of such an option,
+		 * not its presence.
+		 */
+
+		/* See if the clause already has a value; if not create one. */
+		result = isc_symtab_lookup(obj->value.map.symtab, clause->name,
+					   0, &symval);
+
+		if ((clause->flags & CFG_CLAUSEFLAG_MULTI) != 0) {
+			/* Multivalued clause */
+			cfg_obj_t *listobj = NULL;
+			if (result == ISC_R_NOTFOUND) {
+				CHECK(cfg_create_list(pctx,
+						      &cfg_type_implicitlist,
+						      &listobj));
+				symval.as_pointer = listobj;
+				result = isc_symtab_define(
+					obj->value.map.symtab, clause->name, 1,
+					symval, isc_symexists_reject);
+				if (result != ISC_R_SUCCESS) {
+					cfg_parser_error(pctx, CFG_LOG_NEAR,
+							 "isc_symtab_define(%s)"
+							 " "
+							 "failed",
+							 clause->name);
+					isc_mem_put(pctx->mctx, list,
+						    sizeof(cfg_list_t));
+					goto cleanup;
+				}
+			} else {
+				INSIST(result == ISC_R_SUCCESS);
+				listobj = symval.as_pointer;
+			}
+
+			elt = NULL;
+			CHECK(cfg_parse_listelt(pctx, clause->type, &elt));
+			CHECK(parse_semicolon(pctx));
+
+			ISC_LIST_APPEND(listobj->value.list, elt, link);
+		} else {
+			/* Single-valued clause */
+			if (result == ISC_R_NOTFOUND) {
+				bool callback = ((clause->flags &
+						  CFG_CLAUSEFLAG_CALLBACK) !=
+						 0);
+				CHECK(parse_symtab_elt(
+					pctx, clause->name, clause->type,
+					obj->value.map.symtab, callback));
+				CHECK(parse_semicolon(pctx));
+			} else if (result == ISC_R_SUCCESS) {
+				cfg_parser_error(pctx, CFG_LOG_NEAR,
+						 "'%s' redefined",
+						 clause->name);
+				result = ISC_R_EXISTS;
+				goto cleanup;
+			} else {
+				cfg_parser_error(pctx, CFG_LOG_NEAR,
+						 "isc_symtab_define() failed");
+				goto cleanup;
+			}
+		}
+	}
+
+	*ret = obj;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	CLEANUP_OBJ(value);
+	CLEANUP_OBJ(obj);
+	CLEANUP_OBJ(eltobj);
+	CLEANUP_OBJ(includename);
+	return (result);
+}
+
+static isc_result_t
+parse_symtab_elt(cfg_parser_t *pctx, const char *name, cfg_type_t *elttype,
+		 isc_symtab_t *symtab, bool callback) {
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+	isc_symvalue_t symval;
+
+	CHECK(cfg_parse_obj(pctx, elttype, &obj));
+
+	if (callback && pctx->callback != NULL) {
+		CHECK(pctx->callback(name, obj, pctx->callbackarg));
+	}
+
+	symval.as_pointer = obj;
+	CHECK(isc_symtab_define(symtab, name, 1, symval, isc_symexists_reject));
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	CLEANUP_OBJ(obj);
+	return (result);
+}
+
+/*
+ * Parse a map; e.g., "{ foo 1; bar { glub; }; zap true; zap false; }"
+ */
+isc_result_t
+cfg_parse_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(type != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	CHECK(cfg_parse_special(pctx, '{'));
+	CHECK(cfg_parse_mapbody(pctx, type, ret));
+	CHECK(cfg_parse_special(pctx, '}'));
+cleanup:
+	return (result);
+}
+
+/*
+ * Subroutine for cfg_parse_named_map() and cfg_parse_addressed_map().
+ */
+static isc_result_t
+parse_any_named_map(cfg_parser_t *pctx, cfg_type_t *nametype,
+		    const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+	cfg_obj_t *idobj = NULL;
+	cfg_obj_t *mapobj = NULL;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(nametype != NULL);
+	REQUIRE(type != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	CHECK(cfg_parse_obj(pctx, nametype, &idobj));
+	CHECK(cfg_parse_map(pctx, type, &mapobj));
+	mapobj->value.map.id = idobj;
+	*ret = mapobj;
+	return (result);
+cleanup:
+	CLEANUP_OBJ(idobj);
+	CLEANUP_OBJ(mapobj);
+	return (result);
+}
+
+/*
+ * Parse a map identified by a string name.  E.g., "name { foo 1; }".
+ * Used for the "key" and "channel" statements.
+ */
+isc_result_t
+cfg_parse_named_map(cfg_parser_t *pctx, const cfg_type_t *type,
+		    cfg_obj_t **ret) {
+	return (parse_any_named_map(pctx, &cfg_type_astring, type, ret));
+}
+
+/*
+ * Parse a map identified by a network address.
+ * Used to be used for the "server" statement.
+ */
+isc_result_t
+cfg_parse_addressed_map(cfg_parser_t *pctx, const cfg_type_t *type,
+			cfg_obj_t **ret) {
+	return (parse_any_named_map(pctx, &cfg_type_netaddr, type, ret));
+}
+
+/*
+ * Parse a map identified by a network prefix.
+ * Used for the "server" statement.
+ */
+isc_result_t
+cfg_parse_netprefix_map(cfg_parser_t *pctx, const cfg_type_t *type,
+			cfg_obj_t **ret) {
+	return (parse_any_named_map(pctx, &cfg_type_netprefix, type, ret));
+}
+
+static void
+print_symval(cfg_printer_t *pctx, const char *name, cfg_obj_t *obj) {
+	if ((pctx->flags & CFG_PRINTER_ONELINE) == 0) {
+		cfg_print_indent(pctx);
+	}
+
+	cfg_print_cstr(pctx, name);
+	cfg_print_cstr(pctx, " ");
+	cfg_print_obj(pctx, obj);
+
+	if ((pctx->flags & CFG_PRINTER_ONELINE) == 0) {
+		cfg_print_cstr(pctx, ";\n");
+	} else {
+		cfg_print_cstr(pctx, "; ");
+	}
+}
+
+void
+cfg_print_mapbody(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	const cfg_clausedef_t *const *clauseset;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(obj != NULL);
+
+	for (clauseset = obj->value.map.clausesets; *clauseset != NULL;
+	     clauseset++)
+	{
+		isc_symvalue_t symval;
+		const cfg_clausedef_t *clause;
+
+		for (clause = *clauseset; clause->name != NULL; clause++) {
+			isc_result_t result;
+			result = isc_symtab_lookup(obj->value.map.symtab,
+						   clause->name, 0, &symval);
+			if (result == ISC_R_SUCCESS) {
+				cfg_obj_t *symobj = symval.as_pointer;
+				if (symobj->type == &cfg_type_implicitlist) {
+					/* Multivalued. */
+					cfg_list_t *list = &symobj->value.list;
+					cfg_listelt_t *elt;
+					for (elt = ISC_LIST_HEAD(*list);
+					     elt != NULL;
+					     elt = ISC_LIST_NEXT(elt, link))
+					{
+						print_symval(pctx, clause->name,
+							     elt->obj);
+					}
+				} else {
+					/* Single-valued. */
+					print_symval(pctx, clause->name,
+						     symobj);
+				}
+			} else if (result == ISC_R_NOTFOUND) {
+				/* do nothing */
+			} else {
+				UNREACHABLE();
+			}
+		}
+	}
+}
+
+static struct flagtext {
+	unsigned int flag;
+	const char *text;
+} flagtexts[] = { { CFG_CLAUSEFLAG_NOTIMP, "not implemented" },
+		  { CFG_CLAUSEFLAG_NYI, "not yet implemented" },
+		  { CFG_CLAUSEFLAG_OBSOLETE, "obsolete" },
+		  { CFG_CLAUSEFLAG_NEWDEFAULT, "default changed" },
+		  { CFG_CLAUSEFLAG_TESTONLY, "test only" },
+		  { CFG_CLAUSEFLAG_NOTCONFIGURED, "not configured" },
+		  { CFG_CLAUSEFLAG_MULTI, "may occur multiple times" },
+		  { CFG_CLAUSEFLAG_EXPERIMENTAL, "experimental" },
+		  { CFG_CLAUSEFLAG_NOOP, "non-operational" },
+		  { CFG_CLAUSEFLAG_DEPRECATED, "deprecated" },
+		  { CFG_CLAUSEFLAG_ANCIENT, "ancient" },
+		  { 0, NULL } };
+
+void
+cfg_print_clauseflags(cfg_printer_t *pctx, unsigned int flags) {
+	struct flagtext *p;
+	bool first = true;
+	for (p = flagtexts; p->flag != 0; p++) {
+		if ((flags & p->flag) != 0) {
+			if (first) {
+				cfg_print_cstr(pctx, " // ");
+			} else {
+				cfg_print_cstr(pctx, ", ");
+			}
+			cfg_print_cstr(pctx, p->text);
+			first = false;
+		}
+	}
+}
+
+void
+cfg_doc_mapbody(cfg_printer_t *pctx, const cfg_type_t *type) {
+	const cfg_clausedef_t *const *clauseset;
+	const cfg_clausedef_t *clause;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(type != NULL);
+
+	for (clauseset = type->of; *clauseset != NULL; clauseset++) {
+		for (clause = *clauseset; clause->name != NULL; clause++) {
+			if (((pctx->flags & CFG_PRINTER_ACTIVEONLY) != 0) &&
+			    (((clause->flags & CFG_CLAUSEFLAG_OBSOLETE) != 0) ||
+			     ((clause->flags & CFG_CLAUSEFLAG_ANCIENT) != 0) ||
+			     ((clause->flags & CFG_CLAUSEFLAG_NYI) != 0) ||
+			     ((clause->flags & CFG_CLAUSEFLAG_TESTONLY) != 0)))
+			{
+				continue;
+			}
+			cfg_print_cstr(pctx, clause->name);
+			cfg_print_cstr(pctx, " ");
+			cfg_doc_obj(pctx, clause->type);
+			cfg_print_cstr(pctx, ";");
+			cfg_print_clauseflags(pctx, clause->flags);
+			cfg_print_cstr(pctx, "\n\n");
+		}
+	}
+}
+
+void
+cfg_print_map(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	REQUIRE(pctx != NULL);
+	REQUIRE(obj != NULL);
+
+	if (obj->value.map.id != NULL) {
+		cfg_print_obj(pctx, obj->value.map.id);
+		cfg_print_cstr(pctx, " ");
+	}
+	print_open(pctx);
+	cfg_print_mapbody(pctx, obj);
+	print_close(pctx);
+}
+
+void
+cfg_doc_map(cfg_printer_t *pctx, const cfg_type_t *type) {
+	const cfg_clausedef_t *const *clauseset;
+	const cfg_clausedef_t *clause;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(type != NULL);
+
+	if (type->parse == cfg_parse_named_map) {
+		cfg_doc_obj(pctx, &cfg_type_astring);
+		cfg_print_cstr(pctx, " ");
+	} else if (type->parse == cfg_parse_addressed_map) {
+		cfg_doc_obj(pctx, &cfg_type_netaddr);
+		cfg_print_cstr(pctx, " ");
+	} else if (type->parse == cfg_parse_netprefix_map) {
+		cfg_doc_obj(pctx, &cfg_type_netprefix);
+		cfg_print_cstr(pctx, " ");
+	}
+
+	print_open(pctx);
+
+	for (clauseset = type->of; *clauseset != NULL; clauseset++) {
+		for (clause = *clauseset; clause->name != NULL; clause++) {
+			if (((pctx->flags & CFG_PRINTER_ACTIVEONLY) != 0) &&
+			    (((clause->flags & CFG_CLAUSEFLAG_OBSOLETE) != 0) ||
+			     ((clause->flags & CFG_CLAUSEFLAG_ANCIENT) != 0) ||
+			     ((clause->flags & CFG_CLAUSEFLAG_NYI) != 0) ||
+			     ((clause->flags & CFG_CLAUSEFLAG_TESTONLY) != 0)))
+			{
+				continue;
+			}
+			cfg_print_indent(pctx);
+			cfg_print_cstr(pctx, clause->name);
+			if (clause->type->print != cfg_print_void) {
+				cfg_print_cstr(pctx, " ");
+			}
+			cfg_doc_obj(pctx, clause->type);
+			cfg_print_cstr(pctx, ";");
+			cfg_print_clauseflags(pctx, clause->flags);
+			cfg_print_cstr(pctx, "\n");
+		}
+	}
+	print_close(pctx);
+}
+
+bool
+cfg_obj_ismap(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL);
+	return (obj->type->rep == &cfg_rep_map);
+}
+
+isc_result_t
+cfg_map_get(const cfg_obj_t *mapobj, const char *name, const cfg_obj_t **obj) {
+	isc_result_t result;
+	isc_symvalue_t val;
+	const cfg_map_t *map;
+
+	REQUIRE(mapobj != NULL && mapobj->type->rep == &cfg_rep_map);
+	REQUIRE(name != NULL);
+	REQUIRE(obj != NULL && *obj == NULL);
+
+	map = &mapobj->value.map;
+
+	result = isc_symtab_lookup(map->symtab, name, MAP_SYM, &val);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	*obj = val.as_pointer;
+	return (ISC_R_SUCCESS);
+}
+
+const cfg_obj_t *
+cfg_map_getname(const cfg_obj_t *mapobj) {
+	REQUIRE(mapobj != NULL && mapobj->type->rep == &cfg_rep_map);
+	return (mapobj->value.map.id);
+}
+
+unsigned int
+cfg_map_count(const cfg_obj_t *mapobj) {
+	const cfg_map_t *map;
+
+	REQUIRE(mapobj != NULL && mapobj->type->rep == &cfg_rep_map);
+
+	map = &mapobj->value.map;
+	return (isc_symtab_count(map->symtab));
+}
+
+const char *
+cfg_map_firstclause(const cfg_type_t *map, const void **clauses,
+		    unsigned int *idx) {
+	cfg_clausedef_t *const *clauseset;
+
+	REQUIRE(map != NULL && map->rep == &cfg_rep_map);
+	REQUIRE(idx != NULL);
+	REQUIRE(clauses != NULL && *clauses == NULL);
+
+	clauseset = map->of;
+	if (*clauseset == NULL) {
+		return (NULL);
+	}
+	*clauses = *clauseset;
+	*idx = 0;
+	while ((*clauseset)[*idx].name == NULL) {
+		*clauses = (*++clauseset);
+		if (*clauses == NULL) {
+			return (NULL);
+		}
+	}
+	return ((*clauseset)[*idx].name);
+}
+
+const char *
+cfg_map_nextclause(const cfg_type_t *map, const void **clauses,
+		   unsigned int *idx) {
+	cfg_clausedef_t *const *clauseset;
+
+	REQUIRE(map != NULL && map->rep == &cfg_rep_map);
+	REQUIRE(idx != NULL);
+	REQUIRE(clauses != NULL && *clauses != NULL);
+
+	clauseset = map->of;
+	while (*clauseset != NULL && *clauseset != *clauses) {
+		clauseset++;
+	}
+	INSIST(*clauseset == *clauses);
+	(*idx)++;
+	while ((*clauseset)[*idx].name == NULL) {
+		*idx = 0;
+		*clauses = (*++clauseset);
+		if (*clauses == NULL) {
+			return (NULL);
+		}
+	}
+	return ((*clauseset)[*idx].name);
+}
+
+/* Parse an arbitrary token, storing its raw text representation. */
+static isc_result_t
+parse_token(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	cfg_obj_t *obj = NULL;
+	isc_result_t result;
+	isc_region_t r;
+
+	UNUSED(type);
+
+	CHECK(cfg_create_obj(pctx, &cfg_type_token, &obj));
+	CHECK(cfg_gettoken(pctx, CFG_LEXOPT_QSTRING));
+	if (pctx->token.type == isc_tokentype_eof) {
+		cfg_ungettoken(pctx);
+		result = ISC_R_EOF;
+		goto cleanup;
+	}
+
+	isc_lex_getlasttokentext(pctx->lexer, &pctx->token, &r);
+
+	obj->value.string.base = isc_mem_get(pctx->mctx, r.length + 1);
+	obj->value.string.length = r.length;
+	memmove(obj->value.string.base, r.base, r.length);
+	obj->value.string.base[r.length] = '\0';
+	*ret = obj;
+	return (result);
+
+cleanup:
+	if (obj != NULL) {
+		isc_mem_put(pctx->mctx, obj, sizeof(*obj));
+	}
+	return (result);
+}
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_token = {
+	"token",	  parse_token,	   cfg_print_ustring,
+	cfg_doc_terminal, &cfg_rep_string, NULL
+};
+
+/*
+ * An unsupported option.  This is just a list of tokens with balanced braces
+ * ending in a semicolon.
+ */
+
+static isc_result_t
+parse_unsupported(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	cfg_obj_t *listobj = NULL;
+	isc_result_t result;
+	int braces = 0;
+
+	CHECK(cfg_create_list(pctx, type, &listobj));
+
+	for (;;) {
+		cfg_listelt_t *elt = NULL;
+
+		CHECK(cfg_peektoken(pctx, 0));
+		if (pctx->token.type == isc_tokentype_special) {
+			if (pctx->token.value.as_char == '{') {
+				braces++;
+			} else if (pctx->token.value.as_char == '}') {
+				braces--;
+			} else if (pctx->token.value.as_char == ';') {
+				if (braces == 0) {
+					break;
+				}
+			}
+		}
+		if (pctx->token.type == isc_tokentype_eof || braces < 0) {
+			cfg_parser_error(pctx, CFG_LOG_NEAR,
+					 "unexpected token");
+			result = ISC_R_UNEXPECTEDTOKEN;
+			goto cleanup;
+		}
+
+		CHECK(cfg_parse_listelt(pctx, &cfg_type_token, &elt));
+		ISC_LIST_APPEND(listobj->value.list, elt, link);
+	}
+	INSIST(braces == 0);
+	*ret = listobj;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	CLEANUP_OBJ(listobj);
+	return (result);
+}
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_unsupported = {
+	"unsupported",	  parse_unsupported, cfg_print_spacelist,
+	cfg_doc_terminal, &cfg_rep_list,     NULL
+};
+
+/*
+ * Try interpreting the current token as a network address.
+ *
+ * If CFG_ADDR_WILDOK is set in flags, "*" can be used as a wildcard
+ * and at least one of CFG_ADDR_V4OK and CFG_ADDR_V6OK must also be set.  The
+ * "*" is interpreted as the IPv4 wildcard address if CFG_ADDR_V4OK is
+ * set (including the case where CFG_ADDR_V4OK and CFG_ADDR_V6OK are both set),
+ * and the IPv6 wildcard address otherwise.
+ */
+static isc_result_t
+token_addr(cfg_parser_t *pctx, unsigned int flags, isc_netaddr_t *na) {
+	char *s;
+	struct in_addr in4a;
+	struct in6_addr in6a;
+
+	if (pctx->token.type != isc_tokentype_string) {
+		return (ISC_R_UNEXPECTEDTOKEN);
+	}
+
+	s = TOKEN_STRING(pctx);
+	if ((flags & CFG_ADDR_WILDOK) != 0 && strcmp(s, "*") == 0) {
+		if ((flags & CFG_ADDR_V4OK) != 0) {
+			isc_netaddr_any(na);
+			return (ISC_R_SUCCESS);
+		} else if ((flags & CFG_ADDR_V6OK) != 0) {
+			isc_netaddr_any6(na);
+			return (ISC_R_SUCCESS);
+		} else {
+			UNREACHABLE();
+		}
+	} else {
+		if ((flags & (CFG_ADDR_V4OK | CFG_ADDR_V4PREFIXOK)) != 0) {
+			if (inet_pton(AF_INET, s, &in4a) == 1) {
+				isc_netaddr_fromin(na, &in4a);
+				return (ISC_R_SUCCESS);
+			}
+		}
+		if ((flags & CFG_ADDR_V4PREFIXOK) != 0 && strlen(s) <= 15U) {
+			char buf[64];
+			int i;
+
+			strlcpy(buf, s, sizeof(buf));
+			for (i = 0; i < 3; i++) {
+				strlcat(buf, ".0", sizeof(buf));
+				if (inet_pton(AF_INET, buf, &in4a) == 1) {
+					isc_netaddr_fromin(na, &in4a);
+					return (ISC_R_IPV4PREFIX);
+				}
+			}
+		}
+		if ((flags & CFG_ADDR_V6OK) != 0 && strlen(s) <= 127U) {
+			char buf[128];	   /* see lib/bind9/getaddresses.c */
+			char *d;	   /* zone delimiter */
+			uint32_t zone = 0; /* scope zone ID */
+
+			strlcpy(buf, s, sizeof(buf));
+			d = strchr(buf, '%');
+			if (d != NULL) {
+				*d = '\0';
+			}
+
+			if (inet_pton(AF_INET6, buf, &in6a) == 1) {
+				if (d != NULL) {
+					isc_result_t result;
+
+					result = isc_netscope_pton(
+						AF_INET6, d + 1, &in6a, &zone);
+					if (result != ISC_R_SUCCESS) {
+						return (result);
+					}
+				}
+
+				isc_netaddr_fromin6(na, &in6a);
+				isc_netaddr_setzone(na, zone);
+				return (ISC_R_SUCCESS);
+			}
+		}
+	}
+	return (ISC_R_UNEXPECTEDTOKEN);
+}
+
+isc_result_t
+cfg_parse_rawaddr(cfg_parser_t *pctx, unsigned int flags, isc_netaddr_t *na) {
+	isc_result_t result;
+	const char *wild = "";
+	const char *prefix = "";
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(na != NULL);
+
+	CHECK(cfg_gettoken(pctx, 0));
+	result = token_addr(pctx, flags, na);
+	if (result == ISC_R_UNEXPECTEDTOKEN) {
+		if ((flags & CFG_ADDR_WILDOK) != 0) {
+			wild = " or '*'";
+		}
+		if ((flags & CFG_ADDR_V4PREFIXOK) != 0) {
+			wild = " or IPv4 prefix";
+		}
+		if ((flags & CFG_ADDR_MASK) == CFG_ADDR_V4OK) {
+			cfg_parser_error(pctx, CFG_LOG_NEAR,
+					 "expected IPv4 address%s%s", prefix,
+					 wild);
+		} else if ((flags & CFG_ADDR_MASK) == CFG_ADDR_V6OK) {
+			cfg_parser_error(pctx, CFG_LOG_NEAR,
+					 "expected IPv6 address%s%s", prefix,
+					 wild);
+		} else {
+			cfg_parser_error(pctx, CFG_LOG_NEAR,
+					 "expected IP address%s%s", prefix,
+					 wild);
+		}
+	}
+cleanup:
+	return (result);
+}
+
+bool
+cfg_lookingat_netaddr(cfg_parser_t *pctx, unsigned int flags) {
+	isc_result_t result;
+	isc_netaddr_t na_dummy;
+
+	REQUIRE(pctx != NULL);
+
+	result = token_addr(pctx, flags, &na_dummy);
+	return (result == ISC_R_SUCCESS || result == ISC_R_IPV4PREFIX);
+}
+
+isc_result_t
+cfg_parse_rawport(cfg_parser_t *pctx, unsigned int flags, in_port_t *port) {
+	isc_result_t result;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(port != NULL);
+
+	CHECK(cfg_gettoken(pctx, ISC_LEXOPT_NUMBER));
+
+	if ((flags & CFG_ADDR_WILDOK) != 0 &&
+	    pctx->token.type == isc_tokentype_string &&
+	    strcmp(TOKEN_STRING(pctx), "*") == 0)
+	{
+		*port = 0;
+		return (ISC_R_SUCCESS);
+	}
+	if (pctx->token.type != isc_tokentype_number) {
+		cfg_parser_error(pctx, CFG_LOG_NEAR,
+				 "expected port number or '*'");
+		return (ISC_R_UNEXPECTEDTOKEN);
+	}
+	if (pctx->token.value.as_ulong >= 65536U) {
+		cfg_parser_error(pctx, CFG_LOG_NEAR,
+				 "port number out of range");
+		return (ISC_R_UNEXPECTEDTOKEN);
+	}
+	*port = (in_port_t)(pctx->token.value.as_ulong);
+	return (ISC_R_SUCCESS);
+cleanup:
+	return (result);
+}
+
+void
+cfg_print_rawaddr(cfg_printer_t *pctx, const isc_netaddr_t *na) {
+	isc_result_t result;
+	char text[128];
+	isc_buffer_t buf;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(na != NULL);
+
+	isc_buffer_init(&buf, text, sizeof(text));
+	result = isc_netaddr_totext(na, &buf);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	cfg_print_chars(pctx, isc_buffer_base(&buf),
+			isc_buffer_usedlength(&buf));
+}
+
+isc_result_t
+cfg_parse_dscp(cfg_parser_t *pctx, isc_dscp_t *dscp) {
+	isc_result_t result;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(dscp != NULL);
+
+	CHECK(cfg_gettoken(pctx, ISC_LEXOPT_NUMBER | ISC_LEXOPT_CNUMBER));
+
+	if (pctx->token.type != isc_tokentype_number) {
+		cfg_parser_error(pctx, CFG_LOG_NEAR, "expected number");
+		return (ISC_R_UNEXPECTEDTOKEN);
+	}
+	if (pctx->token.value.as_ulong > 63U) {
+		cfg_parser_error(pctx, CFG_LOG_NEAR, "dscp out of range");
+		return (ISC_R_RANGE);
+	}
+	*dscp = (isc_dscp_t)(pctx->token.value.as_ulong);
+	return (ISC_R_SUCCESS);
+cleanup:
+	return (result);
+}
+
+/* netaddr */
+
+static unsigned int netaddr_flags = CFG_ADDR_V4OK | CFG_ADDR_V6OK;
+static unsigned int netaddr4_flags = CFG_ADDR_V4OK;
+static unsigned int netaddr4wild_flags = CFG_ADDR_V4OK | CFG_ADDR_WILDOK;
+static unsigned int netaddr6_flags = CFG_ADDR_V6OK;
+static unsigned int netaddr6wild_flags = CFG_ADDR_V6OK | CFG_ADDR_WILDOK;
+
+static isc_result_t
+parse_netaddr(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+	isc_netaddr_t netaddr;
+	unsigned int flags = *(const unsigned int *)type->of;
+
+	CHECK(cfg_create_obj(pctx, type, &obj));
+	CHECK(cfg_parse_rawaddr(pctx, flags, &netaddr));
+	isc_sockaddr_fromnetaddr(&obj->value.sockaddr, &netaddr, 0);
+	obj->value.sockaddrdscp.dscp = -1;
+	*ret = obj;
+	return (ISC_R_SUCCESS);
+cleanup:
+	CLEANUP_OBJ(obj);
+	return (result);
+}
+
+static void
+cfg_doc_netaddr(cfg_printer_t *pctx, const cfg_type_t *type) {
+	const unsigned int *flagp = type->of;
+	int n = 0;
+	if (*flagp != CFG_ADDR_V4OK && *flagp != CFG_ADDR_V6OK) {
+		cfg_print_cstr(pctx, "( ");
+	}
+	if ((*flagp & CFG_ADDR_V4OK) != 0) {
+		cfg_print_cstr(pctx, "<ipv4_address>");
+		n++;
+	}
+	if ((*flagp & CFG_ADDR_V6OK) != 0) {
+		if (n != 0) {
+			cfg_print_cstr(pctx, " | ");
+		}
+		cfg_print_cstr(pctx, "<ipv6_address>");
+		n++;
+	}
+	if ((*flagp & CFG_ADDR_WILDOK) != 0) {
+		if (n != 0) {
+			cfg_print_cstr(pctx, " | ");
+		}
+		cfg_print_cstr(pctx, "*");
+		n++;
+		POST(n);
+	}
+	if (*flagp != CFG_ADDR_V4OK && *flagp != CFG_ADDR_V6OK) {
+		cfg_print_cstr(pctx, " )");
+	}
+}
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_netaddr = {
+	"netaddr",	 parse_netaddr,	    cfg_print_sockaddr,
+	cfg_doc_netaddr, &cfg_rep_sockaddr, &netaddr_flags
+};
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_netaddr4 = {
+	"netaddr4",	 parse_netaddr,	    cfg_print_sockaddr,
+	cfg_doc_netaddr, &cfg_rep_sockaddr, &netaddr4_flags
+};
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_netaddr4wild = {
+	"netaddr4wild",	 parse_netaddr,	    cfg_print_sockaddr,
+	cfg_doc_netaddr, &cfg_rep_sockaddr, &netaddr4wild_flags
+};
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_netaddr6 = {
+	"netaddr6",	 parse_netaddr,	    cfg_print_sockaddr,
+	cfg_doc_netaddr, &cfg_rep_sockaddr, &netaddr6_flags
+};
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_netaddr6wild = {
+	"netaddr6wild",	 parse_netaddr,	    cfg_print_sockaddr,
+	cfg_doc_netaddr, &cfg_rep_sockaddr, &netaddr6wild_flags
+};
+
+/* netprefix */
+
+isc_result_t
+cfg_parse_netprefix(cfg_parser_t *pctx, const cfg_type_t *type,
+		    cfg_obj_t **ret) {
+	cfg_obj_t *obj = NULL;
+	isc_result_t result;
+	isc_netaddr_t netaddr;
+	unsigned int addrlen = 0, prefixlen;
+	bool expectprefix;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	UNUSED(type);
+
+	result = cfg_parse_rawaddr(
+		pctx, CFG_ADDR_V4OK | CFG_ADDR_V4PREFIXOK | CFG_ADDR_V6OK,
+		&netaddr);
+	if (result != ISC_R_SUCCESS && result != ISC_R_IPV4PREFIX) {
+		CHECK(result);
+	}
+	switch (netaddr.family) {
+	case AF_INET:
+		addrlen = 32;
+		break;
+	case AF_INET6:
+		addrlen = 128;
+		break;
+	default:
+		UNREACHABLE();
+	}
+	expectprefix = (result == ISC_R_IPV4PREFIX);
+	CHECK(cfg_peektoken(pctx, 0));
+	if (pctx->token.type == isc_tokentype_special &&
+	    pctx->token.value.as_char == '/')
+	{
+		CHECK(cfg_gettoken(pctx, 0)); /* read "/" */
+		CHECK(cfg_gettoken(pctx, ISC_LEXOPT_NUMBER));
+		if (pctx->token.type != isc_tokentype_number) {
+			cfg_parser_error(pctx, CFG_LOG_NEAR,
+					 "expected prefix length");
+			return (ISC_R_UNEXPECTEDTOKEN);
+		}
+		prefixlen = pctx->token.value.as_ulong;
+		if (prefixlen > addrlen) {
+			cfg_parser_error(pctx, CFG_LOG_NOPREP,
+					 "invalid prefix length");
+			return (ISC_R_RANGE);
+		}
+		result = isc_netaddr_prefixok(&netaddr, prefixlen);
+		if (result != ISC_R_SUCCESS) {
+			char buf[ISC_NETADDR_FORMATSIZE + 1];
+			isc_netaddr_format(&netaddr, buf, sizeof(buf));
+			cfg_parser_error(pctx, CFG_LOG_NOPREP,
+					 "'%s/%u': address/prefix length "
+					 "mismatch",
+					 buf, prefixlen);
+			return (ISC_R_FAILURE);
+		}
+	} else {
+		if (expectprefix) {
+			cfg_parser_error(pctx, CFG_LOG_NEAR,
+					 "incomplete IPv4 address or prefix");
+			return (ISC_R_FAILURE);
+		}
+		prefixlen = addrlen;
+	}
+	CHECK(cfg_create_obj(pctx, &cfg_type_netprefix, &obj));
+	obj->value.netprefix.address = netaddr;
+	obj->value.netprefix.prefixlen = prefixlen;
+	*ret = obj;
+	return (ISC_R_SUCCESS);
+cleanup:
+	cfg_parser_error(pctx, CFG_LOG_NEAR, "expected network prefix");
+	return (result);
+}
+
+static void
+print_netprefix(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	const cfg_netprefix_t *p = &obj->value.netprefix;
+
+	cfg_print_rawaddr(pctx, &p->address);
+	cfg_print_cstr(pctx, "/");
+	cfg_print_rawuint(pctx, p->prefixlen);
+}
+
+bool
+cfg_obj_isnetprefix(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL);
+	return (obj->type->rep == &cfg_rep_netprefix);
+}
+
+void
+cfg_obj_asnetprefix(const cfg_obj_t *obj, isc_netaddr_t *netaddr,
+		    unsigned int *prefixlen) {
+	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_netprefix);
+	REQUIRE(netaddr != NULL);
+	REQUIRE(prefixlen != NULL);
+
+	*netaddr = obj->value.netprefix.address;
+	*prefixlen = obj->value.netprefix.prefixlen;
+}
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_netprefix = {
+	"netprefix",	  cfg_parse_netprefix, print_netprefix,
+	cfg_doc_terminal, &cfg_rep_netprefix,  NULL
+};
+
+static isc_result_t
+parse_sockaddrsub(cfg_parser_t *pctx, const cfg_type_t *type, int flags,
+		  cfg_obj_t **ret) {
+	isc_result_t result;
+	isc_netaddr_t netaddr;
+	in_port_t port = 0;
+	isc_dscp_t dscp = -1;
+	cfg_obj_t *obj = NULL;
+	int have_port = 0, have_dscp = 0;
+
+	CHECK(cfg_create_obj(pctx, type, &obj));
+	CHECK(cfg_parse_rawaddr(pctx, flags, &netaddr));
+	for (;;) {
+		CHECK(cfg_peektoken(pctx, 0));
+		if (pctx->token.type == isc_tokentype_string) {
+			if (strcasecmp(TOKEN_STRING(pctx), "port") == 0) {
+				CHECK(cfg_gettoken(pctx, 0)); /* read "port" */
+				CHECK(cfg_parse_rawport(pctx, flags, &port));
+				++have_port;
+			} else if ((flags & CFG_ADDR_DSCPOK) != 0 &&
+				   strcasecmp(TOKEN_STRING(pctx), "dscp") == 0)
+			{
+				if ((pctx->flags & CFG_PCTX_NODEPRECATED) == 0)
+				{
+					cfg_parser_warning(
+						pctx, 0,
+						"token 'dscp' is deprecated");
+				}
+				CHECK(cfg_gettoken(pctx, 0)); /* read "dscp" */
+				CHECK(cfg_parse_dscp(pctx, &dscp));
+				++have_dscp;
+			} else {
+				break;
+			}
+		} else {
+			break;
+		}
+	}
+	if (have_port > 1) {
+		cfg_parser_error(pctx, 0, "expected at most one port");
+		result = ISC_R_UNEXPECTEDTOKEN;
+		goto cleanup;
+	}
+
+	if (have_dscp > 1) {
+		cfg_parser_error(pctx, 0, "expected at most one dscp");
+		result = ISC_R_UNEXPECTEDTOKEN;
+		goto cleanup;
+	}
+	isc_sockaddr_fromnetaddr(&obj->value.sockaddr, &netaddr, port);
+	obj->value.sockaddrdscp.dscp = dscp;
+	*ret = obj;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	CLEANUP_OBJ(obj);
+	return (result);
+}
+
+static unsigned int sockaddr_flags = CFG_ADDR_V4OK | CFG_ADDR_V6OK;
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_sockaddr = {
+	"sockaddr",	  cfg_parse_sockaddr, cfg_print_sockaddr,
+	cfg_doc_sockaddr, &cfg_rep_sockaddr,  &sockaddr_flags
+};
+
+static unsigned int sockaddrdscp_flags = CFG_ADDR_V4OK | CFG_ADDR_V6OK |
+					 CFG_ADDR_DSCPOK;
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_sockaddrdscp = {
+	"sockaddr",	  cfg_parse_sockaddr, cfg_print_sockaddr,
+	cfg_doc_sockaddr, &cfg_rep_sockaddr,  &sockaddrdscp_flags
+};
+
+isc_result_t
+cfg_parse_sockaddr(cfg_parser_t *pctx, const cfg_type_t *type,
+		   cfg_obj_t **ret) {
+	const unsigned int *flagp;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(type != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	flagp = type->of;
+
+	return (parse_sockaddrsub(pctx, &cfg_type_sockaddr, *flagp, ret));
+}
+
+void
+cfg_print_sockaddr(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	isc_netaddr_t netaddr;
+	in_port_t port;
+	char buf[ISC_NETADDR_FORMATSIZE];
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(obj != NULL);
+
+	isc_netaddr_fromsockaddr(&netaddr, &obj->value.sockaddr);
+	isc_netaddr_format(&netaddr, buf, sizeof(buf));
+	cfg_print_cstr(pctx, buf);
+	port = isc_sockaddr_getport(&obj->value.sockaddr);
+	if (port != 0) {
+		cfg_print_cstr(pctx, " port ");
+		cfg_print_rawuint(pctx, port);
+	}
+	if (obj->value.sockaddrdscp.dscp != -1) {
+		cfg_print_cstr(pctx, " dscp ");
+		cfg_print_rawuint(pctx, obj->value.sockaddrdscp.dscp);
+	}
+}
+
+void
+cfg_doc_sockaddr(cfg_printer_t *pctx, const cfg_type_t *type) {
+	const unsigned int *flagp;
+	int n = 0;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(type != NULL);
+
+	flagp = type->of;
+
+	cfg_print_cstr(pctx, "( ");
+	if ((*flagp & CFG_ADDR_V4OK) != 0) {
+		cfg_print_cstr(pctx, "<ipv4_address>");
+		n++;
+	}
+	if ((*flagp & CFG_ADDR_V6OK) != 0) {
+		if (n != 0) {
+			cfg_print_cstr(pctx, " | ");
+		}
+		cfg_print_cstr(pctx, "<ipv6_address>");
+		n++;
+	}
+	if ((*flagp & CFG_ADDR_WILDOK) != 0) {
+		if (n != 0) {
+			cfg_print_cstr(pctx, " | ");
+		}
+		cfg_print_cstr(pctx, "*");
+		n++;
+		POST(n);
+	}
+	cfg_print_cstr(pctx, " ) ");
+	if ((*flagp & CFG_ADDR_WILDOK) != 0) {
+		cfg_print_cstr(pctx, "[ port ( <integer> | * ) ]");
+	} else {
+		cfg_print_cstr(pctx, "[ port <integer> ]");
+	}
+	if ((*flagp & CFG_ADDR_DSCPOK) != 0) {
+		cfg_print_cstr(pctx, " [ dscp <integer> ]");
+	}
+}
+
+bool
+cfg_obj_issockaddr(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL);
+	return (obj->type->rep == &cfg_rep_sockaddr);
+}
+
+const isc_sockaddr_t *
+cfg_obj_assockaddr(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_sockaddr);
+	return (&obj->value.sockaddr);
+}
+
+isc_dscp_t
+cfg_obj_getdscp(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_sockaddr);
+	return (obj->value.sockaddrdscp.dscp);
+}
+
+isc_result_t
+cfg_gettoken(cfg_parser_t *pctx, int options) {
+	isc_result_t result;
+
+	REQUIRE(pctx != NULL);
+
+	if (pctx->seen_eof) {
+		return (ISC_R_SUCCESS);
+	}
+
+	options |= (ISC_LEXOPT_EOF | ISC_LEXOPT_NOMORE);
+
+redo:
+	pctx->token.type = isc_tokentype_unknown;
+	result = isc_lex_gettoken(pctx->lexer, options, &pctx->token);
+	pctx->ungotten = false;
+	pctx->line = isc_lex_getsourceline(pctx->lexer);
+
+	switch (result) {
+	case ISC_R_SUCCESS:
+		if (pctx->token.type == isc_tokentype_eof) {
+			result = isc_lex_close(pctx->lexer);
+			INSIST(result == ISC_R_NOMORE ||
+			       result == ISC_R_SUCCESS);
+
+			if (isc_lex_getsourcename(pctx->lexer) != NULL) {
+				/*
+				 * Closed an included file, not the main file.
+				 */
+				cfg_listelt_t *elt;
+				elt = ISC_LIST_TAIL(
+					pctx->open_files->value.list);
+				INSIST(elt != NULL);
+				ISC_LIST_UNLINK(pctx->open_files->value.list,
+						elt, link);
+				ISC_LIST_APPEND(pctx->closed_files->value.list,
+						elt, link);
+				goto redo;
+			}
+			pctx->seen_eof = true;
+		}
+		break;
+
+	case ISC_R_NOSPACE:
+		/* More understandable than "ran out of space". */
+		cfg_parser_error(pctx, CFG_LOG_NEAR, "token too big");
+		break;
+
+	case ISC_R_IOERROR:
+		cfg_parser_error(pctx, 0, "%s", isc_result_totext(result));
+		break;
+
+	default:
+		cfg_parser_error(pctx, CFG_LOG_NEAR, "%s",
+				 isc_result_totext(result));
+		break;
+	}
+	return (result);
+}
+
+void
+cfg_ungettoken(cfg_parser_t *pctx) {
+	REQUIRE(pctx != NULL);
+
+	if (pctx->seen_eof) {
+		return;
+	}
+	isc_lex_ungettoken(pctx->lexer, &pctx->token);
+	pctx->ungotten = true;
+}
+
+isc_result_t
+cfg_peektoken(cfg_parser_t *pctx, int options) {
+	isc_result_t result;
+
+	REQUIRE(pctx != NULL);
+
+	CHECK(cfg_gettoken(pctx, options));
+	cfg_ungettoken(pctx);
+cleanup:
+	return (result);
+}
+
+/*
+ * Get a string token, accepting both the quoted and the unquoted form.
+ * Log an error if the next token is not a string.
+ */
+static isc_result_t
+cfg_getstringtoken(cfg_parser_t *pctx) {
+	isc_result_t result;
+
+	result = cfg_gettoken(pctx, CFG_LEXOPT_QSTRING);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	if (pctx->token.type != isc_tokentype_string &&
+	    pctx->token.type != isc_tokentype_qstring)
+	{
+		cfg_parser_error(pctx, CFG_LOG_NEAR, "expected string");
+		return (ISC_R_UNEXPECTEDTOKEN);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+void
+cfg_parser_error(cfg_parser_t *pctx, unsigned int flags, const char *fmt, ...) {
+	va_list args;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(fmt != NULL);
+
+	va_start(args, fmt);
+	parser_complain(pctx, false, flags, fmt, args);
+	va_end(args);
+	pctx->errors++;
+}
+
+void
+cfg_parser_warning(cfg_parser_t *pctx, unsigned int flags, const char *fmt,
+		   ...) {
+	va_list args;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(fmt != NULL);
+
+	va_start(args, fmt);
+	parser_complain(pctx, true, flags, fmt, args);
+	va_end(args);
+	pctx->warnings++;
+}
+
+#define MAX_LOG_TOKEN 30 /* How much of a token to quote in log messages. */
+
+static bool
+have_current_file(cfg_parser_t *pctx) {
+	cfg_listelt_t *elt;
+	if (pctx->open_files == NULL) {
+		return (false);
+	}
+
+	elt = ISC_LIST_TAIL(pctx->open_files->value.list);
+	if (elt == NULL) {
+		return (false);
+	}
+
+	return (true);
+}
+
+static char *
+current_file(cfg_parser_t *pctx) {
+	static char none[] = "none";
+	cfg_listelt_t *elt;
+	cfg_obj_t *fileobj;
+
+	if (!have_current_file(pctx)) {
+		return (none);
+	}
+
+	elt = ISC_LIST_TAIL(pctx->open_files->value.list);
+	if (elt == NULL) { /* shouldn't be possible, but... */
+		return (none);
+	}
+
+	fileobj = elt->obj;
+	INSIST(fileobj->type == &cfg_type_qstring);
+	return (fileobj->value.string.base);
+}
+
+static void
+parser_complain(cfg_parser_t *pctx, bool is_warning, unsigned int flags,
+		const char *format, va_list args) {
+	char tokenbuf[MAX_LOG_TOKEN + 10];
+	static char where[PATH_MAX + 100];
+	static char message[2048];
+	int level = ISC_LOG_ERROR;
+	const char *prep = "";
+	size_t len;
+
+	if (is_warning) {
+		level = ISC_LOG_WARNING;
+	}
+
+	where[0] = '\0';
+	if (have_current_file(pctx)) {
+		snprintf(where, sizeof(where), "%s:%u: ", current_file(pctx),
+			 pctx->line);
+	} else if (pctx->buf_name != NULL) {
+		snprintf(where, sizeof(where), "%s: ", pctx->buf_name);
+	}
+
+	len = vsnprintf(message, sizeof(message), format, args);
+#define ELLIPSIS " ... "
+	if (len >= sizeof(message)) {
+		message[sizeof(message) - sizeof(ELLIPSIS)] = 0;
+		strlcat(message, ELLIPSIS, sizeof(message));
+	}
+
+	if ((flags & (CFG_LOG_NEAR | CFG_LOG_BEFORE | CFG_LOG_NOPREP)) != 0) {
+		isc_region_t r;
+
+		if (pctx->ungotten) {
+			(void)cfg_gettoken(pctx, 0);
+		}
+
+		if (pctx->token.type == isc_tokentype_eof) {
+			snprintf(tokenbuf, sizeof(tokenbuf), "end of file");
+		} else if (pctx->token.type == isc_tokentype_unknown) {
+			flags = 0;
+			tokenbuf[0] = '\0';
+		} else {
+			isc_lex_getlasttokentext(pctx->lexer, &pctx->token, &r);
+			if (r.length > MAX_LOG_TOKEN) {
+				snprintf(tokenbuf, sizeof(tokenbuf),
+					 "'%.*s...'", MAX_LOG_TOKEN, r.base);
+			} else {
+				snprintf(tokenbuf, sizeof(tokenbuf), "'%.*s'",
+					 (int)r.length, r.base);
+			}
+		}
+
+		/* Choose a preposition. */
+		if ((flags & CFG_LOG_NEAR) != 0) {
+			prep = " near ";
+		} else if ((flags & CFG_LOG_BEFORE) != 0) {
+			prep = " before ";
+		} else {
+			prep = " ";
+		}
+	} else {
+		tokenbuf[0] = '\0';
+	}
+	isc_log_write(pctx->lctx, CAT, MOD, level, "%s%s%s%s", where, message,
+		      prep, tokenbuf);
+}
+
+void
+cfg_obj_log(const cfg_obj_t *obj, isc_log_t *lctx, int level, const char *fmt,
+	    ...) {
+	va_list ap;
+	char msgbuf[2048];
+
+	REQUIRE(obj != NULL);
+	REQUIRE(fmt != NULL);
+
+	if (!isc_log_wouldlog(lctx, level)) {
+		return;
+	}
+
+	va_start(ap, fmt);
+	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
+	va_end(ap);
+
+	if (obj->file != NULL) {
+		isc_log_write(lctx, CAT, MOD, level, "%s:%u: %s", obj->file,
+			      obj->line, msgbuf);
+	} else {
+		isc_log_write(lctx, CAT, MOD, level, "%s", msgbuf);
+	}
+}
+
+const char *
+cfg_obj_file(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL);
+
+	return (obj->file);
+}
+
+unsigned int
+cfg_obj_line(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL);
+
+	return (obj->line);
+}
+
+isc_result_t
+cfg_create_obj(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	cfg_obj_t *obj;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(type != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	obj = isc_mem_get(pctx->mctx, sizeof(cfg_obj_t));
+
+	obj->type = type;
+	obj->file = current_file(pctx);
+	obj->line = pctx->line;
+	obj->pctx = pctx;
+
+	isc_refcount_init(&obj->references, 1);
+
+	*ret = obj;
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+map_symtabitem_destroy(char *key, unsigned int type, isc_symvalue_t symval,
+		       void *userarg) {
+	cfg_obj_t *obj = symval.as_pointer;
+	cfg_parser_t *pctx = (cfg_parser_t *)userarg;
+
+	UNUSED(key);
+	UNUSED(type);
+
+	cfg_obj_destroy(pctx, &obj);
+}
+
+static isc_result_t
+create_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+	isc_symtab_t *symtab = NULL;
+	cfg_obj_t *obj = NULL;
+
+	CHECK(cfg_create_obj(pctx, type, &obj));
+	CHECK(isc_symtab_create(pctx->mctx, 5, /* XXX */
+				map_symtabitem_destroy, pctx, false, &symtab));
+	obj->value.map.symtab = symtab;
+	obj->value.map.id = NULL;
+
+	*ret = obj;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	if (obj != NULL) {
+		isc_mem_put(pctx->mctx, obj, sizeof(*obj));
+	}
+	return (result);
+}
+
+static void
+free_map(cfg_parser_t *pctx, cfg_obj_t *obj) {
+	CLEANUP_OBJ(obj->value.map.id);
+	isc_symtab_destroy(&obj->value.map.symtab);
+}
+
+bool
+cfg_obj_istype(const cfg_obj_t *obj, const cfg_type_t *type) {
+	REQUIRE(obj != NULL);
+	REQUIRE(type != NULL);
+
+	return (obj->type == type);
+}
+
+/*
+ * Destroy 'obj', a configuration object created in 'pctx'.
+ */
+void
+cfg_obj_destroy(cfg_parser_t *pctx, cfg_obj_t **objp) {
+	REQUIRE(objp != NULL && *objp != NULL);
+	REQUIRE(pctx != NULL);
+
+	cfg_obj_t *obj = *objp;
+	*objp = NULL;
+
+	if (isc_refcount_decrement(&obj->references) == 1) {
+		obj->type->rep->free(pctx, obj);
+		isc_refcount_destroy(&obj->references);
+		isc_mem_put(pctx->mctx, obj, sizeof(cfg_obj_t));
+	}
+}
+
+void
+cfg_obj_attach(cfg_obj_t *src, cfg_obj_t **dest) {
+	REQUIRE(src != NULL);
+	REQUIRE(dest != NULL && *dest == NULL);
+
+	isc_refcount_increment(&src->references);
+	*dest = src;
+}
+
+static void
+free_noop(cfg_parser_t *pctx, cfg_obj_t *obj) {
+	UNUSED(pctx);
+	UNUSED(obj);
+}
+
+void
+cfg_doc_obj(cfg_printer_t *pctx, const cfg_type_t *type) {
+	REQUIRE(pctx != NULL);
+	REQUIRE(type != NULL);
+
+	type->doc(pctx, type);
+}
+
+void
+cfg_doc_terminal(cfg_printer_t *pctx, const cfg_type_t *type) {
+	REQUIRE(pctx != NULL);
+	REQUIRE(type != NULL);
+
+	cfg_print_cstr(pctx, "<");
+	cfg_print_cstr(pctx, type->name);
+	cfg_print_cstr(pctx, ">");
+}
+
+void
+cfg_print_grammar(const cfg_type_t *type, unsigned int flags,
+		  void (*f)(void *closure, const char *text, int textlen),
+		  void *closure) {
+	cfg_printer_t pctx;
+
+	pctx.f = f;
+	pctx.closure = closure;
+	pctx.indent = 0;
+	pctx.flags = flags;
+	cfg_doc_obj(&pctx, type);
+}
+
+isc_result_t
+cfg_parser_mapadd(cfg_parser_t *pctx, cfg_obj_t *mapobj, cfg_obj_t *obj,
+		  const char *clausename) {
+	isc_result_t result = ISC_R_SUCCESS;
+	const cfg_map_t *map;
+	isc_symvalue_t symval;
+	cfg_obj_t *destobj = NULL;
+	cfg_listelt_t *elt = NULL;
+	const cfg_clausedef_t *const *clauseset;
+	const cfg_clausedef_t *clause;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(mapobj != NULL && mapobj->type->rep == &cfg_rep_map);
+	REQUIRE(obj != NULL);
+	REQUIRE(clausename != NULL);
+
+	map = &mapobj->value.map;
+
+	clause = NULL;
+	for (clauseset = map->clausesets; *clauseset != NULL; clauseset++) {
+		for (clause = *clauseset; clause->name != NULL; clause++) {
+			if (strcasecmp(clause->name, clausename) == 0) {
+				goto breakout;
+			}
+		}
+	}
+
+breakout:
+	if (clause == NULL || clause->name == NULL) {
+		return (ISC_R_FAILURE);
+	}
+
+	result = isc_symtab_lookup(map->symtab, clausename, 0, &symval);
+	if (result == ISC_R_NOTFOUND) {
+		if ((clause->flags & CFG_CLAUSEFLAG_MULTI) != 0) {
+			CHECK(cfg_create_list(pctx, &cfg_type_implicitlist,
+					      &destobj));
+			CHECK(create_listelt(pctx, &elt));
+			cfg_obj_attach(obj, &elt->obj);
+			ISC_LIST_APPEND(destobj->value.list, elt, link);
+			symval.as_pointer = destobj;
+		} else {
+			symval.as_pointer = obj;
+		}
+
+		CHECK(isc_symtab_define(map->symtab, clausename, 1, symval,
+					isc_symexists_reject));
+	} else {
+		cfg_obj_t *destobj2 = symval.as_pointer;
+
+		INSIST(result == ISC_R_SUCCESS);
+
+		if (destobj2->type == &cfg_type_implicitlist) {
+			CHECK(create_listelt(pctx, &elt));
+			cfg_obj_attach(obj, &elt->obj);
+			ISC_LIST_APPEND(destobj2->value.list, elt, link);
+		} else {
+			result = ISC_R_EXISTS;
+		}
+	}
+
+	destobj = NULL;
+	elt = NULL;
+
+cleanup:
+	if (elt != NULL) {
+		free_listelt(pctx, elt);
+	}
+	CLEANUP_OBJ(destobj);
+
+	return (result);
+}
+
+isc_result_t
+cfg_pluginlist_foreach(const cfg_obj_t *config, const cfg_obj_t *list,
+		       isc_log_t *lctx, pluginlist_cb_t *callback,
+		       void *callback_data) {
+	isc_result_t result = ISC_R_SUCCESS;
+	const cfg_listelt_t *element;
+
+	REQUIRE(config != NULL);
+	REQUIRE(callback != NULL);
+
+	for (element = cfg_list_first(list); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		const cfg_obj_t *plugin = cfg_listelt_value(element);
+		const cfg_obj_t *obj;
+		const char *type, *library;
+		const char *parameters = NULL;
+
+		/* Get the path to the plugin module. */
+		obj = cfg_tuple_get(plugin, "type");
+		type = cfg_obj_asstring(obj);
+
+		/* Only query plugins are supported currently. */
+		if (strcasecmp(type, "query") != 0) {
+			cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
+				    "unsupported plugin type");
+			return (ISC_R_FAILURE);
+		}
+
+		library = cfg_obj_asstring(cfg_tuple_get(plugin, "library"));
+
+		obj = cfg_tuple_get(plugin, "parameters");
+		if (obj != NULL && cfg_obj_isstring(obj)) {
+			parameters = cfg_obj_asstring(obj);
+		}
+
+		result = callback(config, obj, library, parameters,
+				  callback_data);
+		if (result != ISC_R_SUCCESS) {
+			break;
+		}
+	}
+
+	return (result);
+}
diff --git a/lib/isccfg/tests/Kyuafile b/lib/isccfg/tests/Kyuafile
new file mode 100644
index 0000000..ad599af
--- /dev/null
+++ b/lib/isccfg/tests/Kyuafile
@@ -0,0 +1,16 @@
+-- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+--
+-- SPDX-License-Identifier: MPL-2.0
+--
+-- This Source Code Form is subject to the terms of the Mozilla Public
+-- License, v. 2.0.  If a copy of the MPL was not distributed with this
+-- file, you can obtain one at https://mozilla.org/MPL/2.0/.
+--
+-- See the COPYRIGHT file distributed with this work for additional
+-- information regarding copyright ownership.
+
+syntax(2)
+test_suite('bind9')
+
+tap_test_program{name='duration_test'}
+tap_test_program{name='parser_test'}
diff --git a/lib/isccfg/tests/Makefile.in b/lib/isccfg/tests/Makefile.in
new file mode 100644
index 0000000..33b74c8
--- /dev/null
+++ b/lib/isccfg/tests/Makefile.in
@@ -0,0 +1,57 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	-I. -Iinclude \
+		${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
+		${OPENSSL_CFLAGS} @CMOCKA_CFLAGS@
+CDEFINES =	-DTESTS="\"${top_builddir}/lib/dns/tests/\""
+
+ISCLIBS =	../../isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+ISCDEPLIBS =	../../isc/libisc.@A@
+DNSLIBS =	../../dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+DNSDEPLIBS =	../../dns/libdns.@A@
+ISCCFGLIBS = 	../libisccfg.@A@
+ISCCFGDEPLIBS = ../libisccfg.@A@
+
+LIBS =		@LIBS@ @CMOCKA_LIBS@
+
+OBJS =
+SRCS =		duration_test.c parser_test.c
+
+SUBDIRS =
+TARGETS =	duration_test@EXEEXT@ parser_test@EXEEXT@
+
+@BIND9_MAKE_RULES@
+
+duration_test@EXEEXT@: duration_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} ${ISCCFGDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ duration_test.@O@ \
+		${ISCCFGLIBS} ${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+parser_test@EXEEXT@: parser_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} ${ISCCFGDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} -o $@ parser_test.@O@ \
+		${ISCCFGLIBS} ${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+unit::
+	sh ${top_builddir}/unit/unittest.sh
+
+clean distclean::
+	rm -f ${TARGETS}
+	rm -f atf.out
diff --git a/lib/isccfg/tests/duration_test.c b/lib/isccfg/tests/duration_test.c
new file mode 100644
index 0000000..da52903
--- /dev/null
+++ b/lib/isccfg/tests/duration_test.c
@@ -0,0 +1,278 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/buffer.h>
+#include <isc/lex.h>
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <isccfg/cfg.h>
+#include <isccfg/grammar.h>
+#include <isccfg/namedconf.h>
+
+#define CHECK(r)                             \
+	do {                                 \
+		result = (r);                \
+		if (result != ISC_R_SUCCESS) \
+			goto cleanup;        \
+	} while (0)
+
+isc_mem_t *mctx = NULL;
+isc_log_t *lctx = NULL;
+static isc_logcategory_t categories[] = { { "", 0 },
+					  { "client", 0 },
+					  { "network", 0 },
+					  { "update", 0 },
+					  { "queries", 0 },
+					  { "unmatched", 0 },
+					  { "update-security", 0 },
+					  { "query-errors", 0 },
+					  { NULL, 0 } };
+
+static void
+cleanup() {
+	if (lctx != NULL) {
+		isc_log_destroy(&lctx);
+	}
+	if (mctx != NULL) {
+		isc_mem_destroy(&mctx);
+	}
+}
+
+static isc_result_t
+setup() {
+	isc_result_t result;
+
+	isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
+	isc_mem_create(&mctx);
+
+	isc_logdestination_t destination;
+	isc_logconfig_t *logconfig = NULL;
+
+	isc_log_create(mctx, &lctx, &logconfig);
+	isc_log_registercategories(lctx, categories);
+	isc_log_setcontext(lctx);
+
+	destination.file.stream = stderr;
+	destination.file.name = NULL;
+	destination.file.versions = ISC_LOG_ROLLNEVER;
+	destination.file.maximum_size = 0;
+	isc_log_createchannel(logconfig, "stderr", ISC_LOG_TOFILEDESC,
+			      ISC_LOG_DYNAMIC, &destination, 0);
+	CHECK(isc_log_usechannel(logconfig, "stderr", NULL, NULL));
+
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	cleanup();
+	return (result);
+}
+
+struct duration_conf {
+	const char *string;
+	uint32_t time;
+	const char *out;
+};
+typedef struct duration_conf duration_conf_t;
+
+static void
+output(void *closure, const char *text, int textlen) {
+	int r;
+
+	REQUIRE(textlen >= 0 && textlen < CFG_DURATION_MAXLEN);
+
+	r = snprintf(closure, CFG_DURATION_MAXLEN, "%s", text);
+	INSIST(r == textlen);
+}
+
+/* test cfg_obj_asduration() and cfg_print_duration() */
+static void
+duration_test(void **state) {
+	isc_result_t result;
+	/*
+	 * When 'out' is NULL, the printed result is expected to be the same as
+	 * the input 'string', compared by ignoring the case of the characters.
+	 */
+	duration_conf_t durations[] = {
+		{ .string = "unlimited", .time = 0 },
+		{ .string = "PT0S", .time = 0 },
+		{ .string = "PT42S", .time = 42 },
+		{ .string = "PT10m", .time = 600 },
+		{ .string = "PT10m4S", .time = 604 },
+		{ .string = "PT3600S", .time = 3600 },
+		{ .string = "pT2H", .time = 7200 },
+		{ .string = "Pt2H3S", .time = 7203 },
+		{ .string = "PT2h1m3s", .time = 7263 },
+		{ .string = "p7d", .time = 604800 },
+		{ .string = "P7DT2h", .time = 612000 },
+		{ .string = "P2W", .time = 1209600 },
+		{ .string = "P3M", .time = 8035200 },
+		{ .string = "P3MT10M", .time = 8035800 },
+		{ .string = "p5y", .time = 157680000 },
+		{ .string = "P5YT2H", .time = 157687200 },
+		{ .string = "P1Y1M1DT1H1M1S", .time = 34304461 },
+		{ .string = "P99Y399M999DT3999H9999M2911754S",
+		  .time = UINT32_MAX - 1 },
+		{ .string = "P99Y399M999DT3999H9999M2911755S",
+		  .time = UINT32_MAX },
+		{ .string = "P4294967295Y4294967295M4294967295D"
+			    "T4294967295H4294967295M4294967295S",
+		  .time = UINT32_MAX },
+		{ .string = "PT4294967294S", .time = UINT32_MAX - 1 },
+		{ .string = "PT4294967295S", .time = UINT32_MAX },
+		{ .string = "0", .time = 0 },
+		{ .string = "30", .time = 30 },
+		{ .string = "42s", .time = 42, .out = "42" },
+		{ .string = "10m", .time = 600, .out = "600" },
+		{ .string = "2H", .time = 7200, .out = "7200" },
+		{ .string = "7d", .time = 604800, .out = "604800" },
+		{ .string = "2w", .time = 1209600, .out = "1209600" },
+		{ 0 }, /* Indicates that the remaining durations are invalid. */
+		{ .string = "PT4Y" },
+		{ .string = "P-4Y2M" },
+		{ .string = "P5H1M30S" },
+		{ .string = "P7Y4W" },
+		{ .string = "X7Y4M" },
+		{ .string = "T7H4M" },
+		{ .string = "1Y6M" },
+		{ .string = "PT4294967296S" },
+		{ .string = "PT99999999999S" },
+		{ .string = "P99999999999Y99999999999M99999999999D"
+			    "T99999999999H99999999999M99999999999S" },
+	};
+	isc_buffer_t buf1;
+	cfg_parser_t *p1 = NULL;
+	cfg_obj_t *c1 = NULL;
+	bool must_fail = false;
+
+	UNUSED(state);
+
+	setup();
+
+	for (size_t i = 0; i < ARRAY_SIZE(durations); i++) {
+		const cfg_listelt_t *element;
+		const cfg_obj_t *kasps = NULL;
+		const char cfg_tpl[] =
+			"dnssec-policy \"dp\"\n"
+			"{\nkeys {csk lifetime %s algorithm rsasha256;};\n};\n";
+		char conf[sizeof(cfg_tpl) + CFG_DURATION_MAXLEN] = { 0 };
+		char out[CFG_DURATION_MAXLEN] = { 0 };
+		cfg_printer_t pctx = { .f = output, .closure = out };
+
+		if (durations[i].string == NULL) {
+			must_fail = true;
+			continue;
+		}
+
+		snprintf(&conf[0], sizeof(conf), cfg_tpl, durations[i].string);
+
+		isc_buffer_init(&buf1, conf, strlen(conf) - 1);
+		isc_buffer_add(&buf1, strlen(conf) - 1);
+
+		/* Parse with default line numbering */
+		result = cfg_parser_create(mctx, lctx, &p1);
+		assert_int_equal(result, ISC_R_SUCCESS);
+
+		result = cfg_parse_buffer(p1, &buf1, "text1", 0,
+					  &cfg_type_namedconf, 0, &c1);
+		if (must_fail) {
+			assert_int_not_equal(result, ISC_R_SUCCESS);
+			cfg_parser_destroy(&p1);
+			continue;
+		}
+		assert_int_equal(result, ISC_R_SUCCESS);
+
+		(void)cfg_map_get(c1, "dnssec-policy", &kasps);
+		assert_non_null(kasps);
+		for (element = cfg_list_first(kasps); element != NULL;
+		     element = cfg_list_next(element))
+		{
+			const cfg_listelt_t *key_element;
+			const cfg_obj_t *lifetime = NULL;
+			const cfg_obj_t *keys = NULL;
+			const cfg_obj_t *key = NULL;
+			const cfg_obj_t *kopts = NULL;
+			cfg_obj_t *kconf = cfg_listelt_value(element);
+			int cmp;
+
+			assert_non_null(kconf);
+
+			kopts = cfg_tuple_get(kconf, "options");
+			result = cfg_map_get(kopts, "keys", &keys);
+			assert_int_equal(result, ISC_R_SUCCESS);
+
+			key_element = cfg_list_first(keys);
+			assert_non_null(key_element);
+
+			key = cfg_listelt_value(key_element);
+			assert_non_null(key);
+
+			lifetime = cfg_tuple_get(key, "lifetime");
+			assert_non_null(lifetime);
+
+			assert_int_equal(durations[i].time,
+					 cfg_obj_asduration(lifetime));
+
+			cfg_print_duration_or_unlimited(&pctx, lifetime);
+			cmp = strncasecmp(durations[i].out != NULL
+						  ? durations[i].out
+						  : durations[i].string,
+					  out, strlen(durations[i].string));
+			assert_int_equal(cmp, 0);
+		}
+
+		cfg_obj_destroy(p1, &c1);
+		cfg_parser_destroy(&p1);
+	}
+
+	cleanup();
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test(duration_test),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/isccfg/tests/parser_test.c b/lib/isccfg/tests/parser_test.c
new file mode 100644
index 0000000..960f592
--- /dev/null
+++ b/lib/isccfg/tests/parser_test.c
@@ -0,0 +1,290 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/buffer.h>
+#include <isc/lex.h>
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <isccfg/cfg.h>
+#include <isccfg/grammar.h>
+#include <isccfg/namedconf.h>
+
+#define CHECK(r)                             \
+	do {                                 \
+		result = (r);                \
+		if (result != ISC_R_SUCCESS) \
+			goto cleanup;        \
+	} while (0)
+
+isc_mem_t *mctx = NULL;
+isc_log_t *lctx = NULL;
+static isc_logcategory_t categories[] = { { "", 0 },
+					  { "client", 0 },
+					  { "network", 0 },
+					  { "update", 0 },
+					  { "queries", 0 },
+					  { "unmatched", 0 },
+					  { "update-security", 0 },
+					  { "query-errors", 0 },
+					  { NULL, 0 } };
+
+static void
+cleanup() {
+	if (lctx != NULL) {
+		isc_log_setcontext(NULL);
+		isc_log_destroy(&lctx);
+	}
+	if (mctx != NULL) {
+		isc_mem_destroy(&mctx);
+	}
+}
+
+static isc_result_t
+setup() {
+	isc_result_t result;
+
+	isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
+	isc_mem_create(&mctx);
+
+	isc_logdestination_t destination;
+	isc_logconfig_t *logconfig = NULL;
+
+	isc_log_create(mctx, &lctx, &logconfig);
+	isc_log_registercategories(lctx, categories);
+	isc_log_setcontext(lctx);
+
+	destination.file.stream = stderr;
+	destination.file.name = NULL;
+	destination.file.versions = ISC_LOG_ROLLNEVER;
+	destination.file.maximum_size = 0;
+	isc_log_createchannel(logconfig, "stderr", ISC_LOG_TOFILEDESC,
+			      ISC_LOG_DYNAMIC, &destination, 0);
+	CHECK(isc_log_usechannel(logconfig, "stderr", NULL, NULL));
+
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	cleanup();
+	return (result);
+}
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = setup();
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	cleanup();
+
+	return (0);
+}
+
+/* mimic calling nzf_append() */
+static void
+append(void *arg, const char *str, int len) {
+	char *buf = arg;
+	size_t l = strlen(buf);
+	snprintf(buf + l, 1024 - l, "%.*s", len, str);
+}
+
+static void
+addzoneconf(void **state) {
+	isc_result_t result;
+	isc_buffer_t b;
+	cfg_parser_t *p = NULL;
+	const char *tests[] = {
+		"zone \"test4.baz\" { type master; file \"e.db\"; };",
+		"zone \"test/.baz\" { type master; file \"e.db\"; };",
+		"zone \"test\\\".baz\" { type master; file \"e.db\"; };",
+		"zone \"test\\.baz\" { type master; file \"e.db\"; };",
+		"zone \"test\\\\.baz\" { type master; file \"e.db\"; };",
+		"zone \"test\\032.baz\" { type master; file \"e.db\"; };",
+		"zone \"test\\010.baz\" { type master; file \"e.db\"; };"
+	};
+	char buf[1024];
+
+	UNUSED(state);
+
+	/* Parse with default line numbering */
+	result = cfg_parser_create(mctx, lctx, &p);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+#define ARRAYSIZE(x) (sizeof(x) / sizeof(x[0]))
+
+	for (size_t i = 0; i < ARRAYSIZE(tests); i++) {
+		cfg_obj_t *conf = NULL;
+		const cfg_obj_t *obj = NULL, *zlist = NULL;
+
+		isc_buffer_constinit(&b, tests[i], strlen(tests[i]));
+		isc_buffer_add(&b, strlen(tests[i]));
+
+		result = cfg_parse_buffer(p, &b, "text1", 0,
+					  &cfg_type_namedconf, 0, &conf);
+		assert_int_equal(result, ISC_R_SUCCESS);
+
+		/*
+		 * Mimic calling nzf_append() from bin/named/server.c
+		 * and check that the output matches the input.
+		 */
+		result = cfg_map_get(conf, "zone", &zlist);
+		assert_int_equal(result, ISC_R_SUCCESS);
+
+		obj = cfg_listelt_value(cfg_list_first(zlist));
+		assert_ptr_not_equal(obj, NULL);
+
+		strlcpy(buf, "zone ", sizeof(buf));
+		cfg_printx(obj, CFG_PRINTER_ONELINE, append, buf);
+		strlcat(buf, ";", sizeof(buf));
+		assert_string_equal(tests[i], buf);
+
+		cfg_obj_destroy(p, &conf);
+		cfg_parser_reset(p);
+	}
+
+	cfg_parser_destroy(&p);
+}
+
+/* test cfg_parse_buffer() */
+static void
+parse_buffer_test(void **state) {
+	isc_result_t result;
+	unsigned char text[] = "options\n{\nrecursion yes;\n};\n";
+	isc_buffer_t buf1, buf2;
+	cfg_parser_t *p1 = NULL, *p2 = NULL;
+	cfg_obj_t *c1 = NULL, *c2 = NULL;
+
+	UNUSED(state);
+
+	isc_buffer_init(&buf1, &text[0], sizeof(text) - 1);
+	isc_buffer_add(&buf1, sizeof(text) - 1);
+
+	/* Parse with default line numbering */
+	result = cfg_parser_create(mctx, lctx, &p1);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = cfg_parse_buffer(p1, &buf1, "text1", 0, &cfg_type_namedconf, 0,
+				  &c1);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(p1->line, 5);
+
+	isc_buffer_init(&buf2, &text[0], sizeof(text) - 1);
+	isc_buffer_add(&buf2, sizeof(text) - 1);
+
+	/* Parse with changed line number */
+	result = cfg_parser_create(mctx, lctx, &p2);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = cfg_parse_buffer(p2, &buf2, "text2", 100, &cfg_type_namedconf,
+				  0, &c2);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_int_equal(p2->line, 104);
+
+	cfg_obj_destroy(p1, &c1);
+	cfg_obj_destroy(p2, &c2);
+
+	cfg_parser_destroy(&p1);
+	cfg_parser_destroy(&p2);
+}
+
+/* test cfg_map_firstclause() */
+static void
+cfg_map_firstclause_test(void **state) {
+	const char *name = NULL;
+	const void *clauses = NULL;
+	unsigned int idx;
+
+	UNUSED(state);
+
+	name = cfg_map_firstclause(&cfg_type_zoneopts, &clauses, &idx);
+	assert_non_null(name);
+	assert_non_null(clauses);
+	assert_int_equal(idx, 0);
+}
+
+/* test cfg_map_nextclause() */
+static void
+cfg_map_nextclause_test(void **state) {
+	const char *name = NULL;
+	const void *clauses = NULL;
+	unsigned int idx;
+
+	UNUSED(state);
+
+	name = cfg_map_firstclause(&cfg_type_zoneopts, &clauses, &idx);
+	assert_non_null(name);
+	assert_non_null(clauses);
+	assert_int_equal(idx, ISC_R_SUCCESS);
+
+	do {
+		name = cfg_map_nextclause(&cfg_type_zoneopts, &clauses, &idx);
+		if (name != NULL) {
+			assert_non_null(clauses);
+		} else {
+			assert_null(clauses);
+			assert_int_equal(idx, 0);
+		}
+	} while (name != NULL);
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test(addzoneconf),
+		cmocka_unit_test(parse_buffer_test),
+		cmocka_unit_test(cfg_map_firstclause_test),
+		cmocka_unit_test(cfg_map_nextclause_test),
+	};
+
+	return (cmocka_run_group_tests(tests, _setup, _teardown));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/isccfg/version.c b/lib/isccfg/version.c
new file mode 100644
index 0000000..8d8f424
--- /dev/null
+++ b/lib/isccfg/version.c
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <isccfg/version.h>
+
+const char cfg_version[] = VERSION;
diff --git a/lib/isccfg/win32/DLLMain.c b/lib/isccfg/win32/DLLMain.c
new file mode 100644
index 0000000..5c38e89
--- /dev/null
+++ b/lib/isccfg/win32/DLLMain.c
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <signal.h>
+#include <windows.h>
+
+/*
+ * Called when we enter the DLL
+ */
+__declspec(dllexport) BOOL WINAPI
+	DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
+	switch (fdwReason) {
+	/*
+	 * The DLL is loading due to process
+	 * initialization or a call to LoadLibrary.
+	 */
+	case DLL_PROCESS_ATTACH:
+		break;
+
+	/*
+	 * The attached process creates a new thread.
+	 */
+	case DLL_THREAD_ATTACH:
+		break;
+
+	/* The thread of the attached process terminates. */
+	case DLL_THREAD_DETACH:
+		break;
+
+	/*
+	 * The DLL is unloading from a process due to
+	 * process termination or a call to FreeLibrary.
+	 */
+	case DLL_PROCESS_DETACH:
+		break;
+
+	default:
+		break;
+	}
+	return (TRUE);
+}
diff --git a/lib/isccfg/win32/libisccfg.def b/lib/isccfg/win32/libisccfg.def
new file mode 100644
index 0000000..eba897e
--- /dev/null
+++ b/lib/isccfg/win32/libisccfg.def
@@ -0,0 +1,175 @@
+LIBRARY libisccfg
+
+; Exported Functions
+EXPORTS
+
+cfg_acl_fromconfig
+cfg_acl_fromconfig2
+cfg_aclconfctx_attach
+cfg_aclconfctx_create
+cfg_aclconfctx_detach
+cfg_clause_validforzone
+cfg_create_list
+cfg_create_obj
+cfg_create_tuple
+cfg_doc_bracketed_list
+cfg_doc_enum
+cfg_doc_enum_or_other
+cfg_doc_map
+cfg_doc_mapbody
+cfg_doc_obj
+cfg_doc_sockaddr
+cfg_doc_terminal
+cfg_doc_tuple
+cfg_doc_void
+cfg_gettoken
+cfg_is_enum
+cfg_kasp_fromconfig
+cfg_list_first
+cfg_list_length
+cfg_list_next
+cfg_listelt_value
+cfg_log_init
+cfg_lookingat_netaddr
+cfg_map_count
+cfg_map_firstclause
+cfg_map_get
+cfg_map_getname
+cfg_map_nextclause
+cfg_obj_asboolean
+cfg_obj_asduration
+cfg_obj_asfixedpoint
+cfg_obj_asnetprefix
+cfg_obj_aspercentage
+cfg_obj_assockaddr
+cfg_obj_asstring
+cfg_obj_asuint32
+cfg_obj_asuint64
+cfg_obj_attach
+cfg_obj_destroy
+cfg_obj_file
+cfg_obj_getdscp
+cfg_obj_isboolean
+cfg_obj_isduration
+cfg_obj_isfixedpoint
+cfg_obj_islist
+cfg_obj_ismap
+cfg_obj_isnetprefix
+cfg_obj_ispercentage
+cfg_obj_issockaddr
+cfg_obj_isstring
+cfg_obj_istuple
+cfg_obj_istype
+cfg_obj_isuint32
+cfg_obj_isuint64
+cfg_obj_isvoid
+cfg_obj_line
+cfg_obj_log
+cfg_parse_addressed_map
+cfg_parse_astring
+cfg_parse_boolean
+cfg_parse_bracketed_list
+cfg_parse_buffer
+cfg_parse_dscp
+cfg_parse_duration
+cfg_parse_duration_or_unlimited
+cfg_parse_enum
+cfg_parse_enum_or_other
+cfg_parse_file
+cfg_parse_fixedpoint
+cfg_parse_listelt
+cfg_parse_map
+cfg_parse_mapbody
+cfg_parse_named_map
+cfg_parse_netprefix
+cfg_parse_netprefix_map
+cfg_parse_obj
+cfg_parse_percentage
+cfg_parse_qstring
+cfg_parse_rawaddr
+cfg_parse_rawport
+cfg_parse_sockaddr
+cfg_parse_spacelist
+cfg_parse_special
+cfg_parse_sstring
+cfg_parse_tuple
+cfg_parse_uint32
+cfg_parse_void
+cfg_parser_attach
+cfg_parser_create
+cfg_parser_destroy
+cfg_parser_error
+cfg_parser_mapadd
+cfg_parser_reset
+cfg_parser_setcallback
+cfg_parser_setflags
+cfg_parser_warning
+cfg_peektoken
+cfg_pluginlist_foreach
+cfg_print
+cfg_print_boolean
+cfg_print_bracketed_list
+cfg_print_chars
+cfg_print_clauseflags
+cfg_print_cstr
+cfg_print_duration
+cfg_print_duration_or_unlimited
+cfg_print_fixedpoint
+cfg_print_grammar
+cfg_print_indent
+cfg_print_map
+cfg_print_mapbody
+cfg_print_obj
+cfg_print_percentage
+cfg_print_rawaddr
+cfg_print_rawuint
+cfg_print_sockaddr
+cfg_print_spacelist
+cfg_print_tuple
+cfg_print_uint32
+cfg_print_uint64
+cfg_print_ustring
+cfg_print_void
+cfg_print_zonegrammar
+cfg_printx
+cfg_tuple_get
+cfg_ungettoken
+
+; Exported Data
+
+;cfg_rep_boolean
+;cfg_rep_duration
+;cfg_rep_fixedpoint
+;cfg_rep_list
+;cfg_rep_map
+;cfg_rep_netprefix
+;cfg_rep_percentage
+;cfg_rep_sockaddr
+;cfg_rep_string
+;cfg_rep_tuple
+;cfg_rep_uint32
+;cfg_rep_uint64
+;cfg_rep_void
+;cfg_type_astring
+;cfg_type_boolean
+;cfg_type_bracketed_text
+;cfg_type_fixedpoint
+;cfg_type_netaddr
+;cfg_type_netaddr4
+;cfg_type_netaddr4wild
+;cfg_type_netaddr6
+;cfg_type_netaddr6wild
+;cfg_type_netprefix
+;cfg_type_optional_bracketed_text
+;cfg_type_percentage
+;cfg_type_qstring
+;cfg_type_rndcconf
+;cfg_type_sockaddr
+;cfg_type_sockaddrdscp
+;cfg_type_sstring
+;cfg_type_token
+;cfg_type_uint32
+;cfg_type_uint64
+;cfg_type_unsupported
+;cfg_type_ustring
+;cfg_type_void
diff --git a/lib/isccfg/win32/libisccfg.vcxproj.filters.in b/lib/isccfg/win32/libisccfg.vcxproj.filters.in
new file mode 100644
index 0000000..91d4202
--- /dev/null
+++ b/lib/isccfg/win32/libisccfg.vcxproj.filters.in
@@ -0,0 +1,72 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="libisccfg.def" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="DLLMain.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="version.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\aclconf.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\dnsconf.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\kaspconf.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\log.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\namedconf.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\parser.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\include\isccfg\aclconf.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isccfg\dnsconf.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isccfg\cfg.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isccfg\grammar.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isccfg\kaspconf.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isccfg\log.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isccfg\namedconf.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isccfg\version.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+</Project>
diff --git a/lib/isccfg/win32/libisccfg.vcxproj.in b/lib/isccfg/win32/libisccfg.vcxproj.in
new file mode 100644
index 0000000..4b81300
--- /dev/null
+++ b/lib/isccfg/win32/libisccfg.vcxproj.in
@@ -0,0 +1,143 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{B2DFA58C-6347-478E-81E8-01E06999D4F1}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>libisccfg</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;LIBISCCFG_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\dns\include;@LIBXML2_INC@@GEOIP_INC@%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <AdditionalLibraryDirectories>..\..\dns\win32\$(Configuration);..\..\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libdns.lib;libisc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <ModuleDefinitionFile>$(ProjectName).def</ModuleDefinitionFile>
+      <ImportLibrary>.\$(Configuration)\$(ProjectName).lib</ImportLibrary>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;LIBISCCFG_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\dns\include;@LIBXML2_INC@@GEOIP_INC@%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <AdditionalLibraryDirectories>..\..\dns\win32\$(Configuration);..\..\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libdns.lib;libisc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <ModuleDefinitionFile>$(ProjectName).def</ModuleDefinitionFile>
+      <ImportLibrary>.\$(Configuration)\$(ProjectName).lib</ImportLibrary>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <None Include="libisccfg.def" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\aclconf.c" />
+    <ClCompile Include="..\dnsconf.c" />
+    <ClCompile Include="..\kaspconf.c" />
+    <ClCompile Include="..\log.c" />
+    <ClCompile Include="..\namedconf.c" />
+    <ClCompile Include="..\parser.c" />
+    <ClCompile Include="DLLMain.c" />
+    <ClCompile Include="version.c" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\include\isccfg\aclconf.h" />
+    <ClInclude Include="..\include\isccfg\dnsconf.h" />
+    <ClInclude Include="..\include\isccfg\cfg.h" />
+    <ClInclude Include="..\include\isccfg\grammar.h" />
+    <ClInclude Include="..\include\isccfg\kaspconf.h" />
+    <ClInclude Include="..\include\isccfg\log.h" />
+    <ClInclude Include="..\include\isccfg\namedconf.h" />
+    <ClInclude Include="..\include\isccfg\version.h" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/lib/isccfg/win32/libisccfg.vcxproj.user b/lib/isccfg/win32/libisccfg.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/lib/isccfg/win32/libisccfg.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/lib/isccfg/win32/version.c b/lib/isccfg/win32/version.c
new file mode 100644
index 0000000..ad4271f
--- /dev/null
+++ b/lib/isccfg/win32/version.c
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <versions.h>
+
+#include <isccfg/version.h>
+
+LIBISCCFG_EXTERNAL_DATA const char cfg_version[] = VERSION;
diff --git a/lib/ns/Kyuafile b/lib/ns/Kyuafile
new file mode 100644
index 0000000..c796010
--- /dev/null
+++ b/lib/ns/Kyuafile
@@ -0,0 +1,15 @@
+-- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+--
+-- SPDX-License-Identifier: MPL-2.0
+--
+-- This Source Code Form is subject to the terms of the Mozilla Public
+-- License, v. 2.0.  If a copy of the MPL was not distributed with this
+-- file, you can obtain one at https://mozilla.org/MPL/2.0/.
+--
+-- See the COPYRIGHT file distributed with this work for additional
+-- information regarding copyright ownership.
+
+syntax(2)
+test_suite('bind9')
+
+include('tests/Kyuafile')
diff --git a/lib/ns/Makefile.in b/lib/ns/Makefile.in
new file mode 100644
index 0000000..efadf78
--- /dev/null
+++ b/lib/ns/Makefile.in
@@ -0,0 +1,89 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+@BIND9_MAJOR@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	-I. -I${top_srcdir}/lib/ns -Iinclude \
+		${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
+		${OPENSSL_CFLAGS} @DST_GSSAPI_INC@ \
+		${FSTRM_CFLAGS}
+
+CDEFINES =	-DNAMED_PLUGINDIR=\"${plugindir}\"
+
+CWARNINGS =
+
+ISCLIBS =	../../lib/isc/libisc.@A@
+
+ISCDEPLIBS =	../../lib/isc/libisc.@A@
+
+DNSLIBS =	../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+
+DNSDEPLIBS =	../../lib/dns/libdns.@A@
+
+LIBS =		@LIBS@
+
+# Alphabetically
+OBJS =		client.@O@ hooks.@O@ interfacemgr.@O@ lib.@O@ \
+		listenlist.@O@ log.@O@ notify.@O@ query.@O@ \
+		server.@O@ sortlist.@O@ stats.@O@ update.@O@ \
+		version.@O@ xfrout.@O@
+
+SRCS =		client.c hooks.c interfacemgr.c lib.c listenlist.c \
+		log.c notify.c query.c server.c sortlist.c stats.c \
+		update.c version.c xfrout.c
+
+SUBDIRS =	include
+TESTDIRS =	@UNITTESTS@
+TARGETS =	timestamp
+
+SO_CFLAGS =	@CFLAGS@ @SO_CFLAGS@
+SO_LDFLAGS =	@LDFLAGS@ @SO_LDFLAGS@
+
+@BIND9_MAKE_RULES@
+
+version.@O@: version.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+		-DVERSION=\"${VERSION}\" \
+		-DMAJOR=\"${MAJOR}\" \
+		-c ${srcdir}/version.c
+
+libns.@SA@: ${OBJS}
+	${AR} ${ARFLAGS} $@ ${OBJS}
+	${RANLIB} $@
+
+libns.la: ${OBJS}
+	${LIBTOOL_MODE_LINK} \
+		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libns.la -rpath ${libdir} \
+		-release "${VERSION}" \
+		${OBJS} ${ISCLIBS} ${DNSLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
+
+timestamp: libns.@A@
+	touch timestamp
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
+
+install:: timestamp installdirs
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libns.@A@ \
+		${DESTDIR}${libdir}
+
+uninstall::
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libns.@A@
+
+clean distclean::
+	rm -f libns.@A@ timestamp
diff --git a/lib/ns/client.c b/lib/ns/client.c
new file mode 100644
index 0000000..d4ce000
--- /dev/null
+++ b/lib/ns/client.c
@@ -0,0 +1,3053 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <inttypes.h>
+#include <limits.h>
+#include <stdbool.h>
+
+#include <isc/aes.h>
+#include <isc/atomic.h>
+#include <isc/formatcheck.h>
+#include <isc/fuzz.h>
+#include <isc/hmac.h>
+#include <isc/mutex.h>
+#include <isc/nonce.h>
+#include <isc/once.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/random.h>
+#include <isc/safe.h>
+#include <isc/serial.h>
+#include <isc/siphash.h>
+#include <isc/stats.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/adb.h>
+#include <dns/badcache.h>
+#include <dns/cache.h>
+#include <dns/db.h>
+#include <dns/dispatch.h>
+#include <dns/dnstap.h>
+#include <dns/edns.h>
+#include <dns/events.h>
+#include <dns/message.h>
+#include <dns/peer.h>
+#include <dns/rcode.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/resolver.h>
+#include <dns/stats.h>
+#include <dns/tsig.h>
+#include <dns/view.h>
+#include <dns/zone.h>
+
+#include <ns/client.h>
+#include <ns/interfacemgr.h>
+#include <ns/log.h>
+#include <ns/notify.h>
+#include <ns/server.h>
+#include <ns/stats.h>
+#include <ns/update.h>
+
+#ifndef _POSIX_HOST_NAME_MAX
+#define _POSIX_HOST_NAME_MAX 255
+#endif
+
+/***
+ *** Client
+ ***/
+
+/*! \file
+ * Client Routines
+ *
+ * Important note!
+ *
+ * All client state changes, other than that from idle to listening, occur
+ * as a result of events.  This guarantees serialization and avoids the
+ * need for locking.
+ *
+ * If a routine is ever created that allows someone other than the client's
+ * task to change the client, then the client will have to be locked.
+ */
+
+#ifdef NS_CLIENT_TRACE
+#define CTRACE(m)                                                         \
+	ns_client_log(client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_CLIENT, \
+		      ISC_LOG_DEBUG(3), "%s", (m))
+#define MTRACE(m)                                                          \
+	isc_log_write(ns_lctx, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_CLIENT, \
+		      ISC_LOG_DEBUG(3), "clientmgr @%p: %s", manager, (m))
+#else /* ifdef NS_CLIENT_TRACE */
+#define CTRACE(m) ((void)(m))
+#define MTRACE(m) ((void)(m))
+#endif /* ifdef NS_CLIENT_TRACE */
+
+#define TCP_CLIENT(c) (((c)->attributes & NS_CLIENTATTR_TCP) != 0)
+
+#define COOKIE_SIZE 24U /* 8 + 4 + 4 + 8 */
+#define ECS_SIZE    20U /* 2 + 1 + 1 + [0..16] */
+
+#define WANTNSID(x)	(((x)->attributes & NS_CLIENTATTR_WANTNSID) != 0)
+#define WANTEXPIRE(x)	(((x)->attributes & NS_CLIENTATTR_WANTEXPIRE) != 0)
+#define WANTPAD(x)	(((x)->attributes & NS_CLIENTATTR_WANTPAD) != 0)
+#define USEKEEPALIVE(x) (((x)->attributes & NS_CLIENTATTR_USEKEEPALIVE) != 0)
+
+#define MANAGER_MAGIC	 ISC_MAGIC('N', 'S', 'C', 'm')
+#define VALID_MANAGER(m) ISC_MAGIC_VALID(m, MANAGER_MAGIC)
+
+/*
+ * Enable ns_client_dropport() by default.
+ */
+#ifndef NS_CLIENT_DROPPORT
+#define NS_CLIENT_DROPPORT 1
+#endif /* ifndef NS_CLIENT_DROPPORT */
+
+#define CLIENT_NMCTXS_PERCPU 8
+/*%<
+ * Number of 'mctx pools' for clients. (Should this be configurable?)
+ * When enabling threads, we use a pool of memory contexts shared by
+ * client objects, since concurrent access to a shared context would cause
+ * heavy contentions.  The above constant is expected to be enough for
+ * completely avoiding contentions among threads for an authoritative-only
+ * server.
+ */
+
+#define CLIENT_NTASKS_PERCPU 32
+/*%<
+ * Number of tasks to be used by clients - those are used only when recursing
+ */
+
+#if defined(_WIN32) && !defined(_WIN64)
+LIBNS_EXTERNAL_DATA atomic_uint_fast32_t ns_client_requests = 0;
+#else  /* if defined(_WIN32) && !defined(_WIN64) */
+LIBNS_EXTERNAL_DATA atomic_uint_fast64_t ns_client_requests = 0;
+#endif /* if defined(_WIN32) && !defined(_WIN64) */
+
+static void
+clientmgr_attach(ns_clientmgr_t *source, ns_clientmgr_t **targetp);
+static void
+clientmgr_detach(ns_clientmgr_t **mp);
+static void
+clientmgr_destroy(ns_clientmgr_t *manager);
+static void
+ns_client_endrequest(ns_client_t *client);
+static void
+ns_client_dumpmessage(ns_client_t *client, const char *reason);
+static void
+compute_cookie(ns_client_t *client, uint32_t when, uint32_t nonce,
+	       const unsigned char *secret, isc_buffer_t *buf);
+static void
+get_clientmctx(ns_clientmgr_t *manager, isc_mem_t **mctxp);
+static void
+get_clienttask(ns_clientmgr_t *manager, isc_task_t **taskp);
+
+void
+ns_client_recursing(ns_client_t *client) {
+	REQUIRE(NS_CLIENT_VALID(client));
+	REQUIRE(client->state == NS_CLIENTSTATE_WORKING);
+
+	LOCK(&client->manager->reclock);
+	client->state = NS_CLIENTSTATE_RECURSING;
+	ISC_LIST_APPEND(client->manager->recursing, client, rlink);
+	UNLOCK(&client->manager->reclock);
+}
+
+void
+ns_client_killoldestquery(ns_client_t *client) {
+	ns_client_t *oldest;
+	REQUIRE(NS_CLIENT_VALID(client));
+
+	LOCK(&client->manager->reclock);
+	oldest = ISC_LIST_HEAD(client->manager->recursing);
+	if (oldest != NULL) {
+		ISC_LIST_UNLINK(client->manager->recursing, oldest, rlink);
+		ns_query_cancel(oldest);
+		ns_stats_increment(client->sctx->nsstats,
+				   ns_statscounter_reclimitdropped);
+	}
+	UNLOCK(&client->manager->reclock);
+}
+
+void
+ns_client_settimeout(ns_client_t *client, unsigned int seconds) {
+	UNUSED(client);
+	UNUSED(seconds);
+	/* XXXWPK TODO use netmgr to set timeout */
+}
+
+static void
+ns_client_endrequest(ns_client_t *client) {
+	INSIST(client->nupdates == 0);
+	INSIST(client->state == NS_CLIENTSTATE_WORKING ||
+	       client->state == NS_CLIENTSTATE_RECURSING);
+
+	CTRACE("endrequest");
+
+	if (client->state == NS_CLIENTSTATE_RECURSING) {
+		LOCK(&client->manager->reclock);
+		if (ISC_LINK_LINKED(client, rlink)) {
+			ISC_LIST_UNLINK(client->manager->recursing, client,
+					rlink);
+		}
+		UNLOCK(&client->manager->reclock);
+	}
+
+	if (client->cleanup != NULL) {
+		(client->cleanup)(client);
+		client->cleanup = NULL;
+	}
+
+	if (client->view != NULL) {
+#ifdef ENABLE_AFL
+		if (client->sctx->fuzztype == isc_fuzz_resolver) {
+			dns_cache_clean(client->view->cache, INT_MAX);
+			dns_adb_flush(client->view->adb);
+		}
+#endif /* ifdef ENABLE_AFL */
+		dns_view_detach(&client->view);
+	}
+	if (client->opt != NULL) {
+		INSIST(dns_rdataset_isassociated(client->opt));
+		dns_rdataset_disassociate(client->opt);
+		dns_message_puttemprdataset(client->message, &client->opt);
+	}
+
+	client->signer = NULL;
+	client->udpsize = 512;
+	client->extflags = 0;
+	client->ednsversion = -1;
+	dns_ecs_init(&client->ecs);
+	dns_message_reset(client->message, DNS_MESSAGE_INTENTPARSE);
+
+	/*
+	 * Clean up from recursion - normally this would be done in
+	 * fetch_callback(), but if we're shutting down and canceling then
+	 * it might not have happened.
+	 */
+	if (client->recursionquota != NULL) {
+		isc_quota_detach(&client->recursionquota);
+		ns_stats_decrement(client->sctx->nsstats,
+				   ns_statscounter_recursclients);
+	}
+
+	/*
+	 * Clear all client attributes that are specific to the request
+	 */
+	client->attributes = 0;
+#ifdef ENABLE_AFL
+	if (client->sctx->fuzznotify != NULL &&
+	    (client->sctx->fuzztype == isc_fuzz_client ||
+	     client->sctx->fuzztype == isc_fuzz_tcpclient ||
+	     client->sctx->fuzztype == isc_fuzz_resolver))
+	{
+		client->sctx->fuzznotify();
+	}
+#endif /* ENABLE_AFL */
+}
+
+void
+ns_client_drop(ns_client_t *client, isc_result_t result) {
+	REQUIRE(NS_CLIENT_VALID(client));
+	REQUIRE(client->state == NS_CLIENTSTATE_WORKING ||
+		client->state == NS_CLIENTSTATE_RECURSING);
+
+	CTRACE("drop");
+	if (result != ISC_R_SUCCESS) {
+		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
+			      "request failed: %s", isc_result_totext(result));
+	}
+}
+
+static void
+client_senddone(isc_nmhandle_t *handle, isc_result_t result, void *cbarg) {
+	ns_client_t *client = cbarg;
+
+	REQUIRE(client->sendhandle == handle);
+
+	CTRACE("senddone");
+
+	/*
+	 * Set sendhandle to NULL, but don't detach it immediately, in
+	 * case we need to retry the send. If we do resend, then
+	 * sendhandle will be reattached. Whether or not we resend,
+	 * we will then detach the handle from *this* send by detaching
+	 * 'handle' directly below.
+	 */
+	client->sendhandle = NULL;
+
+	if (result != ISC_R_SUCCESS) {
+		if (!TCP_CLIENT(client) && result == ISC_R_MAXSIZE) {
+			ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+				      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
+				      "send exceeded maximum size: truncating");
+			client->query.attributes &= ~NS_QUERYATTR_ANSWERED;
+			client->rcode_override = dns_rcode_noerror;
+			ns_client_error(client, ISC_R_MAXSIZE);
+		} else {
+			ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+				      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
+				      "send failed: %s",
+				      isc_result_totext(result));
+		}
+	}
+
+	isc_nmhandle_detach(&handle);
+}
+
+static void
+client_allocsendbuf(ns_client_t *client, isc_buffer_t *buffer,
+		    unsigned char **datap) {
+	unsigned char *data;
+	uint32_t bufsize;
+
+	REQUIRE(datap != NULL);
+
+	if (TCP_CLIENT(client)) {
+		INSIST(client->tcpbuf == NULL);
+		client->tcpbuf = isc_mem_get(client->mctx,
+					     NS_CLIENT_TCP_BUFFER_SIZE);
+		data = client->tcpbuf;
+		isc_buffer_init(buffer, data, NS_CLIENT_TCP_BUFFER_SIZE);
+	} else {
+		data = client->sendbuf;
+		if ((client->attributes & NS_CLIENTATTR_HAVECOOKIE) == 0) {
+			if (client->view != NULL) {
+				bufsize = client->view->nocookieudp;
+			} else {
+				bufsize = 512;
+			}
+		} else {
+			bufsize = client->udpsize;
+		}
+		if (bufsize > client->udpsize) {
+			bufsize = client->udpsize;
+		}
+		if (bufsize > NS_CLIENT_SEND_BUFFER_SIZE) {
+			bufsize = NS_CLIENT_SEND_BUFFER_SIZE;
+		}
+		isc_buffer_init(buffer, data, bufsize);
+	}
+	*datap = data;
+}
+
+static void
+client_sendpkg(ns_client_t *client, isc_buffer_t *buffer) {
+	isc_region_t r;
+
+	REQUIRE(client->sendhandle == NULL);
+
+	isc_buffer_usedregion(buffer, &r);
+	isc_nmhandle_attach(client->handle, &client->sendhandle);
+	isc_nm_send(client->handle, &r, client_senddone, client);
+}
+
+void
+ns_client_sendraw(ns_client_t *client, dns_message_t *message) {
+	isc_result_t result;
+	unsigned char *data;
+	isc_buffer_t buffer;
+	isc_region_t r;
+	isc_region_t *mr;
+
+	REQUIRE(NS_CLIENT_VALID(client));
+
+	CTRACE("sendraw");
+
+	mr = dns_message_getrawmessage(message);
+	if (mr == NULL) {
+		result = ISC_R_UNEXPECTEDEND;
+		goto done;
+	}
+
+	client_allocsendbuf(client, &buffer, &data);
+
+	if (mr->length > isc_buffer_length(&buffer)) {
+		result = ISC_R_NOSPACE;
+		goto done;
+	}
+
+	/*
+	 * Copy message to buffer and fixup id.
+	 */
+	isc_buffer_availableregion(&buffer, &r);
+	result = isc_buffer_copyregion(&buffer, mr);
+	if (result != ISC_R_SUCCESS) {
+		goto done;
+	}
+	r.base[0] = (client->message->id >> 8) & 0xff;
+	r.base[1] = client->message->id & 0xff;
+
+#ifdef HAVE_DNSTAP
+	if (client->view != NULL) {
+		bool tcp = TCP_CLIENT(client);
+		dns_dtmsgtype_t dtmsgtype;
+		if (client->message->opcode == dns_opcode_update) {
+			dtmsgtype = DNS_DTTYPE_UR;
+		} else if ((client->message->flags & DNS_MESSAGEFLAG_RD) != 0) {
+			dtmsgtype = DNS_DTTYPE_CR;
+		} else {
+			dtmsgtype = DNS_DTTYPE_AR;
+		}
+		dns_dt_send(client->view, dtmsgtype, &client->peeraddr,
+			    &client->destsockaddr, tcp, NULL,
+			    &client->requesttime, NULL, &buffer);
+	}
+#endif
+
+	client_sendpkg(client, &buffer);
+
+	return;
+done:
+	if (client->tcpbuf != NULL) {
+		isc_mem_put(client->mctx, client->tcpbuf,
+			    NS_CLIENT_TCP_BUFFER_SIZE);
+		client->tcpbuf = NULL;
+	}
+
+	ns_client_drop(client, result);
+}
+
+void
+ns_client_send(ns_client_t *client) {
+	isc_result_t result;
+	unsigned char *data;
+	isc_buffer_t buffer = { .magic = 0 };
+	isc_region_t r;
+	dns_compress_t cctx;
+	bool cleanup_cctx = false;
+	unsigned int render_opts;
+	unsigned int preferred_glue;
+	bool opt_included = false;
+	size_t respsize;
+	dns_aclenv_t *env;
+#ifdef HAVE_DNSTAP
+	unsigned char zone[DNS_NAME_MAXWIRE];
+	dns_dtmsgtype_t dtmsgtype;
+	isc_region_t zr;
+#endif /* HAVE_DNSTAP */
+
+	REQUIRE(NS_CLIENT_VALID(client));
+
+	if ((client->query.attributes & NS_QUERYATTR_ANSWERED) != 0) {
+		return;
+	}
+
+	/*
+	 * XXXWPK TODO
+	 * Delay the response according to the -T delay option
+	 */
+
+	env = ns_interfacemgr_getaclenv(client->manager->interface->mgr);
+
+	CTRACE("send");
+
+	if (client->message->opcode == dns_opcode_query &&
+	    (client->attributes & NS_CLIENTATTR_RA) != 0)
+	{
+		client->message->flags |= DNS_MESSAGEFLAG_RA;
+	}
+
+	if ((client->attributes & NS_CLIENTATTR_WANTDNSSEC) != 0) {
+		render_opts = 0;
+	} else {
+		render_opts = DNS_MESSAGERENDER_OMITDNSSEC;
+	}
+
+	preferred_glue = 0;
+	if (client->view != NULL) {
+		if (client->view->preferred_glue == dns_rdatatype_a) {
+			preferred_glue = DNS_MESSAGERENDER_PREFER_A;
+		} else if (client->view->preferred_glue == dns_rdatatype_aaaa) {
+			preferred_glue = DNS_MESSAGERENDER_PREFER_AAAA;
+		}
+	}
+	if (preferred_glue == 0) {
+		if (isc_sockaddr_pf(&client->peeraddr) == AF_INET) {
+			preferred_glue = DNS_MESSAGERENDER_PREFER_A;
+		} else {
+			preferred_glue = DNS_MESSAGERENDER_PREFER_AAAA;
+		}
+	}
+
+	/*
+	 * Create an OPT for our reply.
+	 */
+	if ((client->attributes & NS_CLIENTATTR_WANTOPT) != 0) {
+		result = ns_client_addopt(client, client->message,
+					  &client->opt);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+	}
+
+	client_allocsendbuf(client, &buffer, &data);
+
+	result = dns_compress_init(&cctx, -1, client->mctx);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	if (client->peeraddr_valid && client->view != NULL) {
+		isc_netaddr_t netaddr;
+		dns_name_t *name = NULL;
+
+		isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
+		if (client->message->tsigkey != NULL) {
+			name = &client->message->tsigkey->name;
+		}
+
+		if (client->view->nocasecompress == NULL ||
+		    !dns_acl_allowed(&netaddr, name,
+				     client->view->nocasecompress, env))
+		{
+			dns_compress_setsensitive(&cctx, true);
+		}
+
+		if (!client->view->msgcompression) {
+			dns_compress_disable(&cctx);
+		}
+	}
+	cleanup_cctx = true;
+
+	result = dns_message_renderbegin(client->message, &cctx, &buffer);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	if (client->opt != NULL) {
+		result = dns_message_setopt(client->message, client->opt);
+		opt_included = true;
+		client->opt = NULL;
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+	}
+	result = dns_message_rendersection(client->message,
+					   DNS_SECTION_QUESTION, 0);
+	if (result == ISC_R_NOSPACE) {
+		client->message->flags |= DNS_MESSAGEFLAG_TC;
+		goto renderend;
+	}
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	/*
+	 * Stop after the question if TC was set for rate limiting.
+	 */
+	if ((client->message->flags & DNS_MESSAGEFLAG_TC) != 0) {
+		goto renderend;
+	}
+	result = dns_message_rendersection(client->message, DNS_SECTION_ANSWER,
+					   DNS_MESSAGERENDER_PARTIAL |
+						   render_opts);
+	if (result == ISC_R_NOSPACE) {
+		client->message->flags |= DNS_MESSAGEFLAG_TC;
+		goto renderend;
+	}
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	result = dns_message_rendersection(
+		client->message, DNS_SECTION_AUTHORITY,
+		DNS_MESSAGERENDER_PARTIAL | render_opts);
+	if (result == ISC_R_NOSPACE) {
+		client->message->flags |= DNS_MESSAGEFLAG_TC;
+		goto renderend;
+	}
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	result = dns_message_rendersection(client->message,
+					   DNS_SECTION_ADDITIONAL,
+					   preferred_glue | render_opts);
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOSPACE) {
+		goto cleanup;
+	}
+renderend:
+	result = dns_message_renderend(client->message);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+#ifdef HAVE_DNSTAP
+	memset(&zr, 0, sizeof(zr));
+	if (((client->message->flags & DNS_MESSAGEFLAG_AA) != 0) &&
+	    (client->query.authzone != NULL))
+	{
+		isc_result_t eresult;
+		isc_buffer_t b;
+		dns_name_t *zo = dns_zone_getorigin(client->query.authzone);
+
+		isc_buffer_init(&b, zone, sizeof(zone));
+		dns_compress_setmethods(&cctx, DNS_COMPRESS_NONE);
+		eresult = dns_name_towire(zo, &cctx, &b);
+		if (eresult == ISC_R_SUCCESS) {
+			isc_buffer_usedregion(&b, &zr);
+		}
+	}
+
+	if (client->message->opcode == dns_opcode_update) {
+		dtmsgtype = DNS_DTTYPE_UR;
+	} else if ((client->message->flags & DNS_MESSAGEFLAG_RD) != 0) {
+		dtmsgtype = DNS_DTTYPE_CR;
+	} else {
+		dtmsgtype = DNS_DTTYPE_AR;
+	}
+#endif /* HAVE_DNSTAP */
+
+	if (cleanup_cctx) {
+		dns_compress_invalidate(&cctx);
+	}
+
+	if (client->sendcb != NULL) {
+		client->sendcb(&buffer);
+	} else if (TCP_CLIENT(client)) {
+		isc_buffer_usedregion(&buffer, &r);
+#ifdef HAVE_DNSTAP
+		if (client->view != NULL) {
+			dns_dt_send(client->view, dtmsgtype, &client->peeraddr,
+				    &client->destsockaddr, true, &zr,
+				    &client->requesttime, NULL, &buffer);
+		}
+#endif /* HAVE_DNSTAP */
+
+		respsize = isc_buffer_usedlength(&buffer);
+
+		client_sendpkg(client, &buffer);
+
+		switch (isc_sockaddr_pf(&client->peeraddr)) {
+		case AF_INET:
+			isc_stats_increment(client->sctx->tcpoutstats4,
+					    ISC_MIN((int)respsize / 16, 256));
+			break;
+		case AF_INET6:
+			isc_stats_increment(client->sctx->tcpoutstats6,
+					    ISC_MIN((int)respsize / 16, 256));
+			break;
+		default:
+			UNREACHABLE();
+		}
+	} else {
+#ifdef HAVE_DNSTAP
+		/*
+		 * Log dnstap data first, because client_sendpkg() may
+		 * leave client->view set to NULL.
+		 */
+		if (client->view != NULL) {
+			dns_dt_send(client->view, dtmsgtype, &client->peeraddr,
+				    &client->destsockaddr, false, &zr,
+				    &client->requesttime, NULL, &buffer);
+		}
+#endif /* HAVE_DNSTAP */
+
+		respsize = isc_buffer_usedlength(&buffer);
+
+		client_sendpkg(client, &buffer);
+
+		switch (isc_sockaddr_pf(&client->peeraddr)) {
+		case AF_INET:
+			isc_stats_increment(client->sctx->udpoutstats4,
+					    ISC_MIN((int)respsize / 16, 256));
+			break;
+		case AF_INET6:
+			isc_stats_increment(client->sctx->udpoutstats6,
+					    ISC_MIN((int)respsize / 16, 256));
+			break;
+		default:
+			UNREACHABLE();
+		}
+	}
+
+	/* update statistics (XXXJT: is it okay to access message->xxxkey?) */
+	ns_stats_increment(client->sctx->nsstats, ns_statscounter_response);
+
+	dns_rcodestats_increment(client->sctx->rcodestats,
+				 client->message->rcode);
+	if (opt_included) {
+		ns_stats_increment(client->sctx->nsstats,
+				   ns_statscounter_edns0out);
+	}
+	if (client->message->tsigkey != NULL) {
+		ns_stats_increment(client->sctx->nsstats,
+				   ns_statscounter_tsigout);
+	}
+	if (client->message->sig0key != NULL) {
+		ns_stats_increment(client->sctx->nsstats,
+				   ns_statscounter_sig0out);
+	}
+	if ((client->message->flags & DNS_MESSAGEFLAG_TC) != 0) {
+		ns_stats_increment(client->sctx->nsstats,
+				   ns_statscounter_truncatedresp);
+	}
+
+	client->query.attributes |= NS_QUERYATTR_ANSWERED;
+
+	return;
+
+cleanup:
+	if (client->tcpbuf != NULL) {
+		isc_mem_put(client->mctx, client->tcpbuf,
+			    NS_CLIENT_TCP_BUFFER_SIZE);
+		client->tcpbuf = NULL;
+	}
+
+	if (cleanup_cctx) {
+		dns_compress_invalidate(&cctx);
+	}
+}
+
+#if NS_CLIENT_DROPPORT
+#define DROPPORT_NO	  0
+#define DROPPORT_REQUEST  1
+#define DROPPORT_RESPONSE 2
+/*%
+ * ns_client_dropport determines if certain requests / responses
+ * should be dropped based on the port number.
+ *
+ * Returns:
+ * \li	0:	Don't drop.
+ * \li	1:	Drop request.
+ * \li	2:	Drop (error) response.
+ */
+static int
+ns_client_dropport(in_port_t port) {
+	switch (port) {
+	case 7:	 /* echo */
+	case 13: /* daytime */
+	case 19: /* chargen */
+	case 37: /* time */
+		return (DROPPORT_REQUEST);
+	case 464: /* kpasswd */
+		return (DROPPORT_RESPONSE);
+	}
+	return (DROPPORT_NO);
+}
+#endif /* if NS_CLIENT_DROPPORT */
+
+void
+ns_client_error(ns_client_t *client, isc_result_t result) {
+	dns_message_t *message = NULL;
+	dns_rcode_t rcode;
+	bool trunc = false;
+
+	REQUIRE(NS_CLIENT_VALID(client));
+
+	CTRACE("error");
+
+	message = client->message;
+
+	if (client->rcode_override == -1) {
+		rcode = dns_result_torcode(result);
+	} else {
+		rcode = (dns_rcode_t)(client->rcode_override & 0xfff);
+	}
+
+	if (result == ISC_R_MAXSIZE) {
+		trunc = true;
+	}
+
+#if NS_CLIENT_DROPPORT
+	/*
+	 * Don't send FORMERR to ports on the drop port list.
+	 */
+	if (rcode == dns_rcode_formerr &&
+	    ns_client_dropport(isc_sockaddr_getport(&client->peeraddr)) !=
+		    DROPPORT_NO)
+	{
+		char buf[64];
+		isc_buffer_t b;
+
+		isc_buffer_init(&b, buf, sizeof(buf) - 1);
+		if (dns_rcode_totext(rcode, &b) != ISC_R_SUCCESS) {
+			isc_buffer_putstr(&b, "UNKNOWN RCODE");
+		}
+		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(10),
+			      "dropped error (%.*s) response: suspicious port",
+			      (int)isc_buffer_usedlength(&b), buf);
+		ns_client_drop(client, ISC_R_SUCCESS);
+		return;
+	}
+#endif /* if NS_CLIENT_DROPPORT */
+
+	/*
+	 * Try to rate limit error responses.
+	 */
+	if (client->view != NULL && client->view->rrl != NULL) {
+		bool wouldlog;
+		char log_buf[DNS_RRL_LOG_BUF_LEN];
+		dns_rrl_result_t rrl_result;
+		int loglevel;
+
+		if ((client->sctx->options & NS_SERVER_LOGQUERIES) != 0) {
+			loglevel = DNS_RRL_LOG_DROP;
+		} else {
+			loglevel = ISC_LOG_DEBUG(1);
+		}
+		wouldlog = isc_log_wouldlog(ns_lctx, loglevel);
+		rrl_result = dns_rrl(client->view, NULL, &client->peeraddr,
+				     TCP_CLIENT(client), dns_rdataclass_in,
+				     dns_rdatatype_none, NULL, result,
+				     client->now, wouldlog, log_buf,
+				     sizeof(log_buf));
+		if (rrl_result != DNS_RRL_RESULT_OK) {
+			/*
+			 * Log dropped errors in the query category
+			 * so that they are not lost in silence.
+			 * Starts of rate-limited bursts are logged in
+			 * NS_LOGCATEGORY_RRL.
+			 */
+			if (wouldlog) {
+				ns_client_log(client,
+					      NS_LOGCATEGORY_QUERY_ERRORS,
+					      NS_LOGMODULE_CLIENT, loglevel,
+					      "%s", log_buf);
+			}
+			/*
+			 * Some error responses cannot be 'slipped',
+			 * so don't try to slip any error responses.
+			 */
+			if (!client->view->rrl->log_only) {
+				ns_stats_increment(client->sctx->nsstats,
+						   ns_statscounter_ratedropped);
+				ns_stats_increment(client->sctx->nsstats,
+						   ns_statscounter_dropped);
+				ns_client_drop(client, DNS_R_DROP);
+				return;
+			}
+		}
+	}
+
+	/*
+	 * Message may be an in-progress reply that we had trouble
+	 * with, in which case QR will be set.  We need to clear QR before
+	 * calling dns_message_reply() to avoid triggering an assertion.
+	 */
+	message->flags &= ~DNS_MESSAGEFLAG_QR;
+	/*
+	 * AA and AD shouldn't be set.
+	 */
+	message->flags &= ~(DNS_MESSAGEFLAG_AA | DNS_MESSAGEFLAG_AD);
+	result = dns_message_reply(message, true);
+	if (result != ISC_R_SUCCESS) {
+		/*
+		 * It could be that we've got a query with a good header,
+		 * but a bad question section, so we try again with
+		 * want_question_section set to false.
+		 */
+		result = dns_message_reply(message, false);
+		if (result != ISC_R_SUCCESS) {
+			ns_client_drop(client, result);
+			return;
+		}
+	}
+
+	message->rcode = rcode;
+	if (trunc) {
+		message->flags |= DNS_MESSAGEFLAG_TC;
+	}
+
+	if (rcode == dns_rcode_formerr) {
+		/*
+		 * FORMERR loop avoidance:  If we sent a FORMERR message
+		 * with the same ID to the same client less than two
+		 * seconds ago, assume that we are in an infinite error
+		 * packet dialog with a server for some protocol whose
+		 * error responses look enough like DNS queries to
+		 * elicit a FORMERR response.  Drop a packet to break
+		 * the loop.
+		 */
+		if (isc_sockaddr_equal(&client->peeraddr,
+				       &client->formerrcache.addr) &&
+		    message->id == client->formerrcache.id &&
+		    (isc_time_seconds(&client->requesttime) -
+		     client->formerrcache.time) < 2)
+		{
+			/* Drop packet. */
+			ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+				      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(1),
+				      "possible error packet loop, "
+				      "FORMERR dropped");
+			ns_client_drop(client, result);
+			return;
+		}
+		client->formerrcache.addr = client->peeraddr;
+		client->formerrcache.time =
+			isc_time_seconds(&client->requesttime);
+		client->formerrcache.id = message->id;
+	} else if (rcode == dns_rcode_servfail && client->query.qname != NULL &&
+		   client->view != NULL && client->view->fail_ttl != 0 &&
+		   ((client->attributes & NS_CLIENTATTR_NOSETFC) == 0))
+	{
+		/*
+		 * SERVFAIL caching: store qname/qtype of failed queries
+		 */
+		isc_time_t expire;
+		isc_interval_t i;
+		uint32_t flags = 0;
+
+		if ((message->flags & DNS_MESSAGEFLAG_CD) != 0) {
+			flags = NS_FAILCACHE_CD;
+		}
+
+		isc_interval_set(&i, client->view->fail_ttl, 0);
+		result = isc_time_nowplusinterval(&expire, &i);
+		if (result == ISC_R_SUCCESS) {
+			dns_badcache_add(
+				client->view->failcache, client->query.qname,
+				client->query.qtype, true, flags, &expire);
+		}
+	}
+
+	ns_client_send(client);
+}
+
+isc_result_t
+ns_client_addopt(ns_client_t *client, dns_message_t *message,
+		 dns_rdataset_t **opt) {
+	unsigned char ecs[ECS_SIZE];
+	char nsid[_POSIX_HOST_NAME_MAX + 1], *nsidp = NULL;
+	unsigned char cookie[COOKIE_SIZE];
+	isc_result_t result;
+	dns_view_t *view;
+	dns_resolver_t *resolver;
+	uint16_t udpsize;
+	dns_ednsopt_t ednsopts[DNS_EDNSOPTIONS];
+	int count = 0;
+	unsigned int flags;
+	unsigned char expire[4];
+	unsigned char advtimo[2];
+	dns_aclenv_t *env;
+
+	REQUIRE(NS_CLIENT_VALID(client));
+	REQUIRE(opt != NULL && *opt == NULL);
+	REQUIRE(message != NULL);
+
+	env = ns_interfacemgr_getaclenv(client->manager->interface->mgr);
+	view = client->view;
+	resolver = (view != NULL) ? view->resolver : NULL;
+	if (resolver != NULL) {
+		udpsize = dns_resolver_getudpsize(resolver);
+	} else {
+		udpsize = client->sctx->udpsize;
+	}
+
+	flags = client->extflags & DNS_MESSAGEEXTFLAG_REPLYPRESERVE;
+
+	/* Set EDNS options if applicable */
+	if (WANTNSID(client)) {
+		if (client->sctx->server_id != NULL) {
+			nsidp = client->sctx->server_id;
+		} else if (client->sctx->gethostname != NULL) {
+			result = client->sctx->gethostname(nsid, sizeof(nsid));
+			if (result != ISC_R_SUCCESS) {
+				goto no_nsid;
+			}
+			nsidp = nsid;
+		} else {
+			goto no_nsid;
+		}
+
+		INSIST(count < DNS_EDNSOPTIONS);
+		ednsopts[count].code = DNS_OPT_NSID;
+		ednsopts[count].length = (uint16_t)strlen(nsidp);
+		ednsopts[count].value = (unsigned char *)nsidp;
+		count++;
+	}
+no_nsid:
+	if ((client->attributes & NS_CLIENTATTR_WANTCOOKIE) != 0) {
+		isc_buffer_t buf;
+		isc_stdtime_t now;
+		uint32_t nonce;
+
+		isc_buffer_init(&buf, cookie, sizeof(cookie));
+		isc_stdtime_get(&now);
+
+		isc_random_buf(&nonce, sizeof(nonce));
+
+		compute_cookie(client, now, nonce, client->sctx->secret, &buf);
+
+		INSIST(count < DNS_EDNSOPTIONS);
+		ednsopts[count].code = DNS_OPT_COOKIE;
+		ednsopts[count].length = COOKIE_SIZE;
+		ednsopts[count].value = cookie;
+		count++;
+	}
+	if ((client->attributes & NS_CLIENTATTR_HAVEEXPIRE) != 0) {
+		isc_buffer_t buf;
+
+		INSIST(count < DNS_EDNSOPTIONS);
+
+		isc_buffer_init(&buf, expire, sizeof(expire));
+		isc_buffer_putuint32(&buf, client->expire);
+		ednsopts[count].code = DNS_OPT_EXPIRE;
+		ednsopts[count].length = 4;
+		ednsopts[count].value = expire;
+		count++;
+	}
+	if (((client->attributes & NS_CLIENTATTR_HAVEECS) != 0) &&
+	    (client->ecs.addr.family == AF_INET ||
+	     client->ecs.addr.family == AF_INET6 ||
+	     client->ecs.addr.family == AF_UNSPEC))
+	{
+		isc_buffer_t buf;
+		uint8_t addr[16];
+		uint32_t plen, addrl;
+		uint16_t family = 0;
+
+		/* Add CLIENT-SUBNET option. */
+
+		plen = client->ecs.source;
+
+		/* Round up prefix len to a multiple of 8 */
+		addrl = (plen + 7) / 8;
+
+		switch (client->ecs.addr.family) {
+		case AF_UNSPEC:
+			INSIST(plen == 0);
+			family = 0;
+			break;
+		case AF_INET:
+			INSIST(plen <= 32);
+			family = 1;
+			memmove(addr, &client->ecs.addr.type, addrl);
+			break;
+		case AF_INET6:
+			INSIST(plen <= 128);
+			family = 2;
+			memmove(addr, &client->ecs.addr.type, addrl);
+			break;
+		default:
+			UNREACHABLE();
+		}
+
+		isc_buffer_init(&buf, ecs, sizeof(ecs));
+		/* family */
+		isc_buffer_putuint16(&buf, family);
+		/* source prefix-length */
+		isc_buffer_putuint8(&buf, client->ecs.source);
+		/* scope prefix-length */
+		isc_buffer_putuint8(&buf, client->ecs.scope);
+
+		/* address */
+		if (addrl > 0) {
+			/* Mask off last address byte */
+			if ((plen % 8) != 0) {
+				addr[addrl - 1] &= ~0U << (8 - (plen % 8));
+			}
+			isc_buffer_putmem(&buf, addr, (unsigned)addrl);
+		}
+
+		ednsopts[count].code = DNS_OPT_CLIENT_SUBNET;
+		ednsopts[count].length = addrl + 4;
+		ednsopts[count].value = ecs;
+		count++;
+	}
+	if (TCP_CLIENT(client) && USEKEEPALIVE(client)) {
+		isc_buffer_t buf;
+		uint32_t adv;
+
+		INSIST(count < DNS_EDNSOPTIONS);
+
+		isc_nm_gettimeouts(isc_nmhandle_netmgr(client->handle), NULL,
+				   NULL, NULL, &adv);
+		adv /= 100; /* units of 100 milliseconds */
+		isc_buffer_init(&buf, advtimo, sizeof(advtimo));
+		isc_buffer_putuint16(&buf, (uint16_t)adv);
+		ednsopts[count].code = DNS_OPT_TCP_KEEPALIVE;
+		ednsopts[count].length = 2;
+		ednsopts[count].value = advtimo;
+		count++;
+	}
+
+	/* Padding must be added last */
+	if ((view != NULL) && (view->padding > 0) && WANTPAD(client) &&
+	    (TCP_CLIENT(client) ||
+	     ((client->attributes & NS_CLIENTATTR_HAVECOOKIE) != 0)))
+	{
+		isc_netaddr_t netaddr;
+		int match;
+
+		isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
+		result = dns_acl_match(&netaddr, NULL, view->pad_acl, env,
+				       &match, NULL);
+		if (result == ISC_R_SUCCESS && match > 0) {
+			INSIST(count < DNS_EDNSOPTIONS);
+
+			ednsopts[count].code = DNS_OPT_PAD;
+			ednsopts[count].length = 0;
+			ednsopts[count].value = NULL;
+			count++;
+
+			dns_message_setpadding(message, view->padding);
+		}
+	}
+
+	result = dns_message_buildopt(message, opt, 0, udpsize, flags, ednsopts,
+				      count);
+	return (result);
+}
+
+static void
+compute_cookie(ns_client_t *client, uint32_t when, uint32_t nonce,
+	       const unsigned char *secret, isc_buffer_t *buf) {
+	unsigned char digest[ISC_MAX_MD_SIZE] ISC_NONSTRING = { 0 };
+	STATIC_ASSERT(ISC_MAX_MD_SIZE >= ISC_SIPHASH24_TAG_LENGTH, "You need "
+								   "to "
+								   "increase "
+								   "the digest "
+								   "buffer.");
+	STATIC_ASSERT(ISC_MAX_MD_SIZE >= ISC_AES_BLOCK_LENGTH, "You need to "
+							       "increase the "
+							       "digest "
+							       "buffer.");
+
+	switch (client->sctx->cookiealg) {
+	case ns_cookiealg_siphash24: {
+		unsigned char input[16 + 16] ISC_NONSTRING = { 0 };
+		size_t inputlen = 0;
+		isc_netaddr_t netaddr;
+		unsigned char *cp;
+
+		cp = isc_buffer_used(buf);
+		isc_buffer_putmem(buf, client->cookie, 8);
+		isc_buffer_putuint8(buf, NS_COOKIE_VERSION_1);
+		isc_buffer_putuint24(buf, 0); /* Reserved */
+		isc_buffer_putuint32(buf, when);
+
+		memmove(input, cp, 16);
+
+		isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
+		switch (netaddr.family) {
+		case AF_INET:
+			cp = (unsigned char *)&netaddr.type.in;
+			memmove(input + 16, cp, 4);
+			inputlen = 20;
+			break;
+		case AF_INET6:
+			cp = (unsigned char *)&netaddr.type.in6;
+			memmove(input + 16, cp, 16);
+			inputlen = 32;
+			break;
+		default:
+			UNREACHABLE();
+		}
+
+		isc_siphash24(secret, input, inputlen, digest);
+		isc_buffer_putmem(buf, digest, 8);
+		break;
+	}
+	case ns_cookiealg_aes: {
+		unsigned char input[4 + 4 + 16] ISC_NONSTRING = { 0 };
+		isc_netaddr_t netaddr;
+		unsigned char *cp;
+		unsigned int i;
+
+		cp = isc_buffer_used(buf);
+		isc_buffer_putmem(buf, client->cookie, 8);
+		isc_buffer_putuint32(buf, nonce);
+		isc_buffer_putuint32(buf, when);
+		memmove(input, cp, 16);
+		isc_aes128_crypt(secret, input, digest);
+		for (i = 0; i < 8; i++) {
+			input[i] = digest[i] ^ digest[i + 8];
+		}
+		isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
+		switch (netaddr.family) {
+		case AF_INET:
+			cp = (unsigned char *)&netaddr.type.in;
+			memmove(input + 8, cp, 4);
+			memset(input + 12, 0, 4);
+			isc_aes128_crypt(secret, input, digest);
+			break;
+		case AF_INET6:
+			cp = (unsigned char *)&netaddr.type.in6;
+			memmove(input + 8, cp, 16);
+			isc_aes128_crypt(secret, input, digest);
+			for (i = 0; i < 8; i++) {
+				input[i + 8] = digest[i] ^ digest[i + 8];
+			}
+			isc_aes128_crypt(client->sctx->secret, input + 8,
+					 digest);
+			break;
+		default:
+			UNREACHABLE();
+		}
+		for (i = 0; i < 8; i++) {
+			digest[i] ^= digest[i + 8];
+		}
+		isc_buffer_putmem(buf, digest, 8);
+		break;
+	}
+
+	default:
+		UNREACHABLE();
+	}
+}
+
+static void
+process_cookie(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
+	ns_altsecret_t *altsecret;
+	unsigned char dbuf[COOKIE_SIZE];
+	unsigned char *old;
+	isc_stdtime_t now;
+	uint32_t when;
+	uint32_t nonce;
+	isc_buffer_t db;
+
+	/*
+	 * If we have already seen a cookie option skip this cookie option.
+	 */
+	if ((!client->sctx->answercookie) ||
+	    (client->attributes & NS_CLIENTATTR_WANTCOOKIE) != 0)
+	{
+		isc_buffer_forward(buf, (unsigned int)optlen);
+		return;
+	}
+
+	client->attributes |= NS_CLIENTATTR_WANTCOOKIE;
+
+	ns_stats_increment(client->sctx->nsstats, ns_statscounter_cookiein);
+
+	if (optlen != COOKIE_SIZE) {
+		/*
+		 * Not our token.
+		 */
+		INSIST(optlen >= 8U);
+		memmove(client->cookie, isc_buffer_current(buf), 8);
+		isc_buffer_forward(buf, (unsigned int)optlen);
+
+		if (optlen == 8U) {
+			ns_stats_increment(client->sctx->nsstats,
+					   ns_statscounter_cookienew);
+		} else {
+			ns_stats_increment(client->sctx->nsstats,
+					   ns_statscounter_cookiebadsize);
+		}
+		return;
+	}
+
+	/*
+	 * Process all of the incoming buffer.
+	 */
+	old = isc_buffer_current(buf);
+	memmove(client->cookie, old, 8);
+	isc_buffer_forward(buf, 8);
+	nonce = isc_buffer_getuint32(buf);
+	when = isc_buffer_getuint32(buf);
+	isc_buffer_forward(buf, 8);
+
+	/*
+	 * Allow for a 5 minute clock skew between servers sharing a secret.
+	 * Only accept COOKIE if we have talked to the client in the last hour.
+	 */
+	isc_stdtime_get(&now);
+	if (isc_serial_gt(when, (now + 300)) || /* In the future. */
+	    isc_serial_lt(when, (now - 3600)))
+	{ /* In the past. */
+		ns_stats_increment(client->sctx->nsstats,
+				   ns_statscounter_cookiebadtime);
+		return;
+	}
+
+	isc_buffer_init(&db, dbuf, sizeof(dbuf));
+	compute_cookie(client, when, nonce, client->sctx->secret, &db);
+
+	if (isc_safe_memequal(old, dbuf, COOKIE_SIZE)) {
+		ns_stats_increment(client->sctx->nsstats,
+				   ns_statscounter_cookiematch);
+		client->attributes |= NS_CLIENTATTR_HAVECOOKIE;
+		return;
+	}
+
+	for (altsecret = ISC_LIST_HEAD(client->sctx->altsecrets);
+	     altsecret != NULL; altsecret = ISC_LIST_NEXT(altsecret, link))
+	{
+		isc_buffer_init(&db, dbuf, sizeof(dbuf));
+		compute_cookie(client, when, nonce, altsecret->secret, &db);
+		if (isc_safe_memequal(old, dbuf, COOKIE_SIZE)) {
+			ns_stats_increment(client->sctx->nsstats,
+					   ns_statscounter_cookiematch);
+			client->attributes |= NS_CLIENTATTR_HAVECOOKIE;
+			return;
+		}
+	}
+
+	ns_stats_increment(client->sctx->nsstats,
+			   ns_statscounter_cookienomatch);
+}
+
+static isc_result_t
+process_ecs(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
+	uint16_t family;
+	uint8_t addrlen, addrbytes, scope, *paddr;
+	isc_netaddr_t caddr;
+
+	/*
+	 * If we have already seen a ECS option skip this ECS option.
+	 */
+	if ((client->attributes & NS_CLIENTATTR_HAVEECS) != 0) {
+		isc_buffer_forward(buf, (unsigned int)optlen);
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * XXXMUKS: Is there any need to repeat these checks here
+	 * (except query's scope length) when they are done in the OPT
+	 * RDATA fromwire code?
+	 */
+
+	if (optlen < 4U) {
+		ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2),
+			      "EDNS client-subnet option too short");
+		return (DNS_R_FORMERR);
+	}
+
+	family = isc_buffer_getuint16(buf);
+	addrlen = isc_buffer_getuint8(buf);
+	scope = isc_buffer_getuint8(buf);
+	optlen -= 4;
+
+	if (scope != 0U) {
+		ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2),
+			      "EDNS client-subnet option: invalid scope");
+		return (DNS_R_OPTERR);
+	}
+
+	memset(&caddr, 0, sizeof(caddr));
+	switch (family) {
+	case 0:
+		/*
+		 * XXXMUKS: In queries, if FAMILY is set to 0, SOURCE
+		 * PREFIX-LENGTH must be 0 and ADDRESS should not be
+		 * present as the address and prefix lengths don't make
+		 * sense because the family is unknown.
+		 */
+		if (addrlen != 0U) {
+			ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+				      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2),
+				      "EDNS client-subnet option: invalid "
+				      "address length (%u) for FAMILY=0",
+				      addrlen);
+			return (DNS_R_OPTERR);
+		}
+		caddr.family = AF_UNSPEC;
+		break;
+	case 1:
+		if (addrlen > 32U) {
+			ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+				      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2),
+				      "EDNS client-subnet option: invalid "
+				      "address length (%u) for IPv4",
+				      addrlen);
+			return (DNS_R_OPTERR);
+		}
+		caddr.family = AF_INET;
+		break;
+	case 2:
+		if (addrlen > 128U) {
+			ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+				      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2),
+				      "EDNS client-subnet option: invalid "
+				      "address length (%u) for IPv6",
+				      addrlen);
+			return (DNS_R_OPTERR);
+		}
+		caddr.family = AF_INET6;
+		break;
+	default:
+		ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2),
+			      "EDNS client-subnet option: invalid family");
+		return (DNS_R_OPTERR);
+	}
+
+	addrbytes = (addrlen + 7) / 8;
+	if (isc_buffer_remaininglength(buf) < addrbytes) {
+		ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2),
+			      "EDNS client-subnet option: address too short");
+		return (DNS_R_OPTERR);
+	}
+
+	paddr = (uint8_t *)&caddr.type;
+	if (addrbytes != 0U) {
+		memmove(paddr, isc_buffer_current(buf), addrbytes);
+		isc_buffer_forward(buf, addrbytes);
+		optlen -= addrbytes;
+
+		if ((addrlen % 8) != 0) {
+			uint8_t bits = ~0U << (8 - (addrlen % 8));
+			bits &= paddr[addrbytes - 1];
+			if (bits != paddr[addrbytes - 1]) {
+				return (DNS_R_OPTERR);
+			}
+		}
+	}
+
+	memmove(&client->ecs.addr, &caddr, sizeof(caddr));
+	client->ecs.source = addrlen;
+	client->ecs.scope = 0;
+	client->attributes |= NS_CLIENTATTR_HAVEECS;
+
+	isc_buffer_forward(buf, (unsigned int)optlen);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+process_keytag(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
+	if (optlen == 0 || (optlen % 2) != 0) {
+		isc_buffer_forward(buf, (unsigned int)optlen);
+		return (DNS_R_OPTERR);
+	}
+
+	/* Silently drop additional keytag options. */
+	if (client->keytag != NULL) {
+		isc_buffer_forward(buf, (unsigned int)optlen);
+		return (ISC_R_SUCCESS);
+	}
+
+	client->keytag = isc_mem_get(client->mctx, optlen);
+	{
+		client->keytag_len = (uint16_t)optlen;
+		memmove(client->keytag, isc_buffer_current(buf), optlen);
+	}
+	isc_buffer_forward(buf, (unsigned int)optlen);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+process_opt(ns_client_t *client, dns_rdataset_t *opt) {
+	dns_rdata_t rdata;
+	isc_buffer_t optbuf;
+	isc_result_t result;
+	uint16_t optcode;
+	uint16_t optlen;
+
+	/*
+	 * Set the client's UDP buffer size.
+	 */
+	client->udpsize = opt->rdclass;
+
+	/*
+	 * If the requested UDP buffer size is less than 512,
+	 * ignore it and use 512.
+	 */
+	if (client->udpsize < 512) {
+		client->udpsize = 512;
+	}
+
+	/*
+	 * Get the flags out of the OPT record.
+	 */
+	client->extflags = (uint16_t)(opt->ttl & 0xFFFF);
+
+	/*
+	 * Do we understand this version of EDNS?
+	 *
+	 * XXXRTH need library support for this!
+	 */
+	client->ednsversion = (opt->ttl & 0x00FF0000) >> 16;
+	if (client->ednsversion > DNS_EDNS_VERSION) {
+		ns_stats_increment(client->sctx->nsstats,
+				   ns_statscounter_badednsver);
+		result = ns_client_addopt(client, client->message,
+					  &client->opt);
+		if (result == ISC_R_SUCCESS) {
+			result = DNS_R_BADVERS;
+		}
+		ns_client_error(client, result);
+		return (result);
+	}
+
+	/* Check for NSID request */
+	result = dns_rdataset_first(opt);
+	if (result == ISC_R_SUCCESS) {
+		dns_rdata_init(&rdata);
+		dns_rdataset_current(opt, &rdata);
+		isc_buffer_init(&optbuf, rdata.data, rdata.length);
+		isc_buffer_add(&optbuf, rdata.length);
+		while (isc_buffer_remaininglength(&optbuf) >= 4) {
+			optcode = isc_buffer_getuint16(&optbuf);
+			optlen = isc_buffer_getuint16(&optbuf);
+			switch (optcode) {
+			case DNS_OPT_NSID:
+				if (!WANTNSID(client)) {
+					ns_stats_increment(
+						client->sctx->nsstats,
+						ns_statscounter_nsidopt);
+				}
+				client->attributes |= NS_CLIENTATTR_WANTNSID;
+				isc_buffer_forward(&optbuf, optlen);
+				break;
+			case DNS_OPT_COOKIE:
+				process_cookie(client, &optbuf, optlen);
+				break;
+			case DNS_OPT_EXPIRE:
+				if (!WANTEXPIRE(client)) {
+					ns_stats_increment(
+						client->sctx->nsstats,
+						ns_statscounter_expireopt);
+				}
+				client->attributes |= NS_CLIENTATTR_WANTEXPIRE;
+				isc_buffer_forward(&optbuf, optlen);
+				break;
+			case DNS_OPT_CLIENT_SUBNET:
+				result = process_ecs(client, &optbuf, optlen);
+				if (result != ISC_R_SUCCESS) {
+					ns_client_error(client, result);
+					return (result);
+				}
+				ns_stats_increment(client->sctx->nsstats,
+						   ns_statscounter_ecsopt);
+				break;
+			case DNS_OPT_TCP_KEEPALIVE:
+				if (!USEKEEPALIVE(client)) {
+					ns_stats_increment(
+						client->sctx->nsstats,
+						ns_statscounter_keepaliveopt);
+				}
+				client->attributes |=
+					NS_CLIENTATTR_USEKEEPALIVE;
+				isc_nmhandle_keepalive(client->handle, true);
+				isc_buffer_forward(&optbuf, optlen);
+				break;
+			case DNS_OPT_PAD:
+				client->attributes |= NS_CLIENTATTR_WANTPAD;
+				ns_stats_increment(client->sctx->nsstats,
+						   ns_statscounter_padopt);
+				isc_buffer_forward(&optbuf, optlen);
+				break;
+			case DNS_OPT_KEY_TAG:
+				result = process_keytag(client, &optbuf,
+							optlen);
+				if (result != ISC_R_SUCCESS) {
+					ns_client_error(client, result);
+					return (result);
+				}
+				ns_stats_increment(client->sctx->nsstats,
+						   ns_statscounter_keytagopt);
+				break;
+			default:
+				ns_stats_increment(client->sctx->nsstats,
+						   ns_statscounter_otheropt);
+				isc_buffer_forward(&optbuf, optlen);
+				break;
+			}
+		}
+	}
+
+	ns_stats_increment(client->sctx->nsstats, ns_statscounter_edns0in);
+	client->attributes |= NS_CLIENTATTR_WANTOPT;
+
+	return (result);
+}
+
+void
+ns__client_reset_cb(void *client0) {
+	ns_client_t *client = client0;
+
+	ns_client_log(client, DNS_LOGCATEGORY_SECURITY, NS_LOGMODULE_CLIENT,
+		      ISC_LOG_DEBUG(3), "reset client");
+
+	/*
+	 * We never started processing this client, possible if we're
+	 * shutting down, just exit.
+	 */
+	if (client->state == NS_CLIENTSTATE_READY) {
+		return;
+	}
+
+	ns_client_endrequest(client);
+	if (client->tcpbuf != NULL) {
+		isc_mem_put(client->mctx, client->tcpbuf,
+			    NS_CLIENT_TCP_BUFFER_SIZE);
+	}
+
+	if (client->keytag != NULL) {
+		isc_mem_put(client->mctx, client->keytag, client->keytag_len);
+		client->keytag_len = 0;
+	}
+
+	client->state = NS_CLIENTSTATE_READY;
+	INSIST(client->recursionquota == NULL);
+}
+
+void
+ns__client_put_cb(void *client0) {
+	ns_client_t *client = client0;
+
+	ns_client_log(client, DNS_LOGCATEGORY_SECURITY, NS_LOGMODULE_CLIENT,
+		      ISC_LOG_DEBUG(3), "freeing client");
+
+	/*
+	 * Call this first because it requires a valid client.
+	 */
+	ns_query_free(client);
+
+	client->magic = 0;
+	client->shuttingdown = true;
+
+	if (client->manager != NULL) {
+		clientmgr_detach(&client->manager);
+	}
+
+	isc_mem_put(client->mctx, client->sendbuf, NS_CLIENT_SEND_BUFFER_SIZE);
+	if (client->opt != NULL) {
+		INSIST(dns_rdataset_isassociated(client->opt));
+		dns_rdataset_disassociate(client->opt);
+		dns_message_puttemprdataset(client->message, &client->opt);
+	}
+
+	dns_message_detach(&client->message);
+
+	/*
+	 * Detaching the task must be done after unlinking from
+	 * the manager's lists because the manager accesses
+	 * client->task.
+	 */
+	if (client->task != NULL) {
+		isc_task_detach(&client->task);
+	}
+
+	/*
+	 * Destroy the fetchlock mutex that was created in
+	 * ns_query_init().
+	 */
+	isc_mutex_destroy(&client->query.fetchlock);
+
+	if (client->sctx != NULL) {
+		ns_server_detach(&client->sctx);
+	}
+
+	if (client->mctx != NULL) {
+		isc_mem_detach(&client->mctx);
+	}
+}
+
+/*
+ * Handle an incoming request event from the socket (UDP case)
+ * or tcpmsg (TCP case).
+ */
+void
+ns__client_request(isc_nmhandle_t *handle, isc_result_t eresult,
+		   isc_region_t *region, void *arg) {
+	ns_client_t *client = NULL;
+	isc_result_t result;
+	isc_result_t sigresult = ISC_R_SUCCESS;
+	isc_buffer_t *buffer = NULL;
+	isc_buffer_t tbuffer;
+	dns_rdataset_t *opt = NULL;
+	const dns_name_t *signame = NULL;
+	bool ra; /* Recursion available. */
+	isc_netaddr_t netaddr;
+	int match;
+	dns_messageid_t id;
+	unsigned int flags;
+	bool notimp;
+	size_t reqsize;
+	dns_aclenv_t *env = NULL;
+#ifdef HAVE_DNSTAP
+	dns_dtmsgtype_t dtmsgtype;
+#endif /* ifdef HAVE_DNSTAP */
+
+	if (eresult != ISC_R_SUCCESS) {
+		return;
+	}
+
+	client = isc_nmhandle_getdata(handle);
+	if (client == NULL) {
+		ns_interface_t *ifp = (ns_interface_t *)arg;
+
+		INSIST(VALID_MANAGER(ifp->clientmgr));
+
+		client = isc_nmhandle_getextra(handle);
+
+		result = ns__client_setup(client, ifp->clientmgr, true);
+		if (result != ISC_R_SUCCESS) {
+			return;
+		}
+
+		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
+			      "allocate new client");
+	} else {
+		result = ns__client_setup(client, NULL, false);
+		if (result != ISC_R_SUCCESS) {
+			return;
+		}
+	}
+
+	client->state = NS_CLIENTSTATE_READY;
+
+	isc_task_pause(client->task);
+	if (client->handle == NULL) {
+		isc_nmhandle_setdata(handle, client, ns__client_reset_cb,
+				     ns__client_put_cb);
+		client->handle = handle;
+	}
+
+	if (isc_nmhandle_is_stream(handle)) {
+		client->attributes |= NS_CLIENTATTR_TCP;
+	}
+
+	INSIST(client->recursionquota == NULL);
+
+	INSIST(client->state == NS_CLIENTSTATE_READY);
+
+	(void)atomic_fetch_add_relaxed(&ns_client_requests, 1);
+
+	isc_buffer_init(&tbuffer, region->base, region->length);
+	isc_buffer_add(&tbuffer, region->length);
+	buffer = &tbuffer;
+
+	client->peeraddr = isc_nmhandle_peeraddr(handle);
+	client->peeraddr_valid = true;
+
+	reqsize = isc_buffer_usedlength(buffer);
+
+	client->state = NS_CLIENTSTATE_WORKING;
+
+	TIME_NOW(&client->requesttime);
+	client->tnow = client->requesttime;
+	client->now = isc_time_seconds(&client->tnow);
+
+	isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
+
+#if NS_CLIENT_DROPPORT
+	if (ns_client_dropport(isc_sockaddr_getport(&client->peeraddr)) ==
+	    DROPPORT_REQUEST)
+	{
+		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(10),
+			      "dropped request: suspicious port");
+		isc_task_unpause(client->task);
+		return;
+	}
+#endif /* if NS_CLIENT_DROPPORT */
+
+	env = ns_interfacemgr_getaclenv(client->manager->interface->mgr);
+	if (client->sctx->blackholeacl != NULL &&
+	    (dns_acl_match(&netaddr, NULL, client->sctx->blackholeacl, env,
+			   &match, NULL) == ISC_R_SUCCESS) &&
+	    match > 0)
+	{
+		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(10),
+			      "dropped request: blackholed peer");
+		isc_task_unpause(client->task);
+		return;
+	}
+
+	ns_client_log(client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_CLIENT,
+		      ISC_LOG_DEBUG(3), "%s request",
+		      TCP_CLIENT(client) ? "TCP" : "UDP");
+
+	result = dns_message_peekheader(buffer, &id, &flags);
+	if (result != ISC_R_SUCCESS) {
+		/*
+		 * There isn't enough header to determine whether
+		 * this was a request or a response.  Drop it.
+		 */
+		isc_task_unpause(client->task);
+		return;
+	}
+
+	/*
+	 * The client object handles requests, not responses.
+	 * If this is a UDP response, forward it to the dispatcher.
+	 * If it's a TCP response, discard it here.
+	 */
+	if ((flags & DNS_MESSAGEFLAG_QR) != 0) {
+		CTRACE("unexpected response");
+		isc_task_unpause(client->task);
+		return;
+	}
+
+	/*
+	 * Update some statistics counters.  Don't count responses.
+	 */
+	if (isc_sockaddr_pf(&client->peeraddr) == PF_INET) {
+		ns_stats_increment(client->sctx->nsstats,
+				   ns_statscounter_requestv4);
+	} else {
+		ns_stats_increment(client->sctx->nsstats,
+				   ns_statscounter_requestv6);
+	}
+	if (TCP_CLIENT(client)) {
+		ns_stats_increment(client->sctx->nsstats,
+				   ns_statscounter_requesttcp);
+		switch (isc_sockaddr_pf(&client->peeraddr)) {
+		case AF_INET:
+			isc_stats_increment(client->sctx->tcpinstats4,
+					    ISC_MIN((int)reqsize / 16, 18));
+			break;
+		case AF_INET6:
+			isc_stats_increment(client->sctx->tcpinstats6,
+					    ISC_MIN((int)reqsize / 16, 18));
+			break;
+		default:
+			UNREACHABLE();
+		}
+	} else {
+		switch (isc_sockaddr_pf(&client->peeraddr)) {
+		case AF_INET:
+			isc_stats_increment(client->sctx->udpinstats4,
+					    ISC_MIN((int)reqsize / 16, 18));
+			break;
+		case AF_INET6:
+			isc_stats_increment(client->sctx->udpinstats6,
+					    ISC_MIN((int)reqsize / 16, 18));
+			break;
+		default:
+			UNREACHABLE();
+		}
+	}
+
+	/*
+	 * It's a request.  Parse it.
+	 */
+	result = dns_message_parse(client->message, buffer, 0);
+	if (result != ISC_R_SUCCESS) {
+		/*
+		 * Parsing the request failed.  Send a response
+		 * (typically FORMERR or SERVFAIL).
+		 */
+		if (result == DNS_R_OPTERR) {
+			(void)ns_client_addopt(client, client->message,
+					       &client->opt);
+		}
+
+		ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(1),
+			      "message parsing failed: %s",
+			      isc_result_totext(result));
+		if (result == ISC_R_NOSPACE || result == DNS_R_BADTSIG) {
+			result = DNS_R_FORMERR;
+		}
+		ns_client_error(client, result);
+		isc_task_unpause(client->task);
+		return;
+	}
+
+	/*
+	 * Disable pipelined TCP query processing if necessary.
+	 */
+	if (TCP_CLIENT(client) &&
+	    (client->message->opcode != dns_opcode_query ||
+	     (client->sctx->keepresporder != NULL &&
+	      dns_acl_allowed(&netaddr, NULL, client->sctx->keepresporder,
+			      env))))
+	{
+		isc_nm_tcpdns_sequential(handle);
+	}
+
+	dns_opcodestats_increment(client->sctx->opcodestats,
+				  client->message->opcode);
+	switch (client->message->opcode) {
+	case dns_opcode_query:
+	case dns_opcode_update:
+	case dns_opcode_notify:
+		notimp = false;
+		break;
+	case dns_opcode_iquery:
+	default:
+		notimp = true;
+		break;
+	}
+
+	client->message->rcode = dns_rcode_noerror;
+
+	/*
+	 * Deal with EDNS.
+	 */
+	if ((client->sctx->options & NS_SERVER_NOEDNS) != 0) {
+		opt = NULL;
+	} else {
+		opt = dns_message_getopt(client->message);
+	}
+
+	client->ecs.source = 0;
+	client->ecs.scope = 0;
+
+	if (opt != NULL) {
+		/*
+		 * Are returning FORMERR to all EDNS queries?
+		 * Simulate a STD13 compliant server.
+		 */
+		if ((client->sctx->options & NS_SERVER_EDNSFORMERR) != 0) {
+			ns_client_error(client, DNS_R_FORMERR);
+			isc_task_unpause(client->task);
+			return;
+		}
+
+		/*
+		 * Are returning NOTIMP to all EDNS queries?
+		 */
+		if ((client->sctx->options & NS_SERVER_EDNSNOTIMP) != 0) {
+			ns_client_error(client, DNS_R_NOTIMP);
+			isc_task_unpause(client->task);
+			return;
+		}
+
+		/*
+		 * Are returning REFUSED to all EDNS queries?
+		 */
+		if ((client->sctx->options & NS_SERVER_EDNSREFUSED) != 0) {
+			ns_client_error(client, DNS_R_REFUSED);
+			isc_task_unpause(client->task);
+			return;
+		}
+
+		/*
+		 * Are we dropping all EDNS queries?
+		 */
+		if ((client->sctx->options & NS_SERVER_DROPEDNS) != 0) {
+			ns_client_drop(client, ISC_R_SUCCESS);
+			isc_task_unpause(client->task);
+			return;
+		}
+
+		result = process_opt(client, opt);
+		if (result != ISC_R_SUCCESS) {
+			isc_task_unpause(client->task);
+			return;
+		}
+	}
+
+	if (client->message->rdclass == 0) {
+		if ((client->attributes & NS_CLIENTATTR_WANTCOOKIE) != 0 &&
+		    client->message->opcode == dns_opcode_query &&
+		    client->message->counts[DNS_SECTION_QUESTION] == 0U)
+		{
+			result = dns_message_reply(client->message, true);
+			if (result != ISC_R_SUCCESS) {
+				ns_client_error(client, result);
+				isc_task_unpause(client->task);
+				return;
+			}
+
+			if (notimp) {
+				client->message->rcode = dns_rcode_notimp;
+			}
+
+			ns_client_send(client);
+			isc_task_unpause(client->task);
+			return;
+		}
+
+		ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(1),
+			      "message class could not be determined");
+		ns_client_dumpmessage(client, "message class could not be "
+					      "determined");
+		ns_client_error(client, notimp ? DNS_R_NOTIMP : DNS_R_FORMERR);
+		isc_task_unpause(client->task);
+		return;
+	}
+
+	if ((client->manager->interface->flags & NS_INTERFACEFLAG_ANYADDR) == 0)
+	{
+		client->destsockaddr = client->manager->interface->addr;
+	} else {
+		client->destsockaddr = isc_nmhandle_localaddr(handle);
+	}
+	isc_netaddr_fromsockaddr(&client->destaddr, &client->destsockaddr);
+
+	result = client->sctx->matchingview(&netaddr, &client->destaddr,
+					    client->message, env, &sigresult,
+					    &client->view);
+	if (result != ISC_R_SUCCESS) {
+		char classname[DNS_RDATACLASS_FORMATSIZE];
+
+		/*
+		 * Do a dummy TSIG verification attempt so that the
+		 * response will have a TSIG if the query did, as
+		 * required by RFC2845.
+		 */
+		isc_buffer_t b;
+		isc_region_t *r;
+
+		dns_message_resetsig(client->message);
+
+		r = dns_message_getrawmessage(client->message);
+		isc_buffer_init(&b, r->base, r->length);
+		isc_buffer_add(&b, r->length);
+		(void)dns_tsig_verify(&b, client->message, NULL, NULL);
+
+		dns_rdataclass_format(client->message->rdclass, classname,
+				      sizeof(classname));
+		ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(1),
+			      "no matching view in class '%s'", classname);
+		ns_client_dumpmessage(client, "no matching view in class");
+		ns_client_error(client, notimp ? DNS_R_NOTIMP : DNS_R_REFUSED);
+		isc_task_unpause(client->task);
+		return;
+	}
+
+	ns_client_log(client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_CLIENT,
+		      ISC_LOG_DEBUG(5), "using view '%s'", client->view->name);
+
+	/*
+	 * Check for a signature.  We log bad signatures regardless of
+	 * whether they ultimately cause the request to be rejected or
+	 * not.  We do not log the lack of a signature unless we are
+	 * debugging.
+	 */
+	client->signer = NULL;
+	dns_name_init(&client->signername, NULL);
+	result = dns_message_signer(client->message, &client->signername);
+	if (result != ISC_R_NOTFOUND) {
+		signame = NULL;
+		if (dns_message_gettsig(client->message, &signame) != NULL) {
+			ns_stats_increment(client->sctx->nsstats,
+					   ns_statscounter_tsigin);
+		} else {
+			ns_stats_increment(client->sctx->nsstats,
+					   ns_statscounter_sig0in);
+		}
+	}
+	if (result == ISC_R_SUCCESS) {
+		char namebuf[DNS_NAME_FORMATSIZE];
+		dns_name_format(&client->signername, namebuf, sizeof(namebuf));
+		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
+			      "request has valid signature: %s", namebuf);
+		client->signer = &client->signername;
+	} else if (result == ISC_R_NOTFOUND) {
+		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
+			      "request is not signed");
+	} else if (result == DNS_R_NOIDENTITY) {
+		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
+			      "request is signed by a nonauthoritative key");
+	} else {
+		char tsigrcode[64];
+		isc_buffer_t b;
+		dns_rcode_t status;
+		isc_result_t tresult;
+
+		/* There is a signature, but it is bad. */
+		ns_stats_increment(client->sctx->nsstats,
+				   ns_statscounter_invalidsig);
+		signame = NULL;
+		if (dns_message_gettsig(client->message, &signame) != NULL) {
+			char namebuf[DNS_NAME_FORMATSIZE];
+			char cnamebuf[DNS_NAME_FORMATSIZE];
+			dns_name_format(signame, namebuf, sizeof(namebuf));
+			status = client->message->tsigstatus;
+			isc_buffer_init(&b, tsigrcode, sizeof(tsigrcode) - 1);
+			tresult = dns_tsigrcode_totext(status, &b);
+			INSIST(tresult == ISC_R_SUCCESS);
+			tsigrcode[isc_buffer_usedlength(&b)] = '\0';
+			if (client->message->tsigkey->generated) {
+				dns_name_format(
+					client->message->tsigkey->creator,
+					cnamebuf, sizeof(cnamebuf));
+				ns_client_log(
+					client, DNS_LOGCATEGORY_SECURITY,
+					NS_LOGMODULE_CLIENT, ISC_LOG_ERROR,
+					"request has invalid signature: "
+					"TSIG %s (%s): %s (%s)",
+					namebuf, cnamebuf,
+					isc_result_totext(result), tsigrcode);
+			} else {
+				ns_client_log(
+					client, DNS_LOGCATEGORY_SECURITY,
+					NS_LOGMODULE_CLIENT, ISC_LOG_ERROR,
+					"request has invalid signature: "
+					"TSIG %s: %s (%s)",
+					namebuf, isc_result_totext(result),
+					tsigrcode);
+			}
+		} else {
+			status = client->message->sig0status;
+			isc_buffer_init(&b, tsigrcode, sizeof(tsigrcode) - 1);
+			tresult = dns_tsigrcode_totext(status, &b);
+			INSIST(tresult == ISC_R_SUCCESS);
+			tsigrcode[isc_buffer_usedlength(&b)] = '\0';
+			ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+				      NS_LOGMODULE_CLIENT, ISC_LOG_ERROR,
+				      "request has invalid signature: %s (%s)",
+				      isc_result_totext(result), tsigrcode);
+		}
+
+		/*
+		 * Accept update messages signed by unknown keys so that
+		 * update forwarding works transparently through slaves
+		 * that don't have all the same keys as the master.
+		 */
+		if (!(client->message->tsigstatus == dns_tsigerror_badkey &&
+		      client->message->opcode == dns_opcode_update))
+		{
+			ns_client_error(client, sigresult);
+			isc_task_unpause(client->task);
+			return;
+		}
+	}
+
+	/*
+	 * Decide whether recursive service is available to this client.
+	 * We do this here rather than in the query code so that we can
+	 * set the RA bit correctly on all kinds of responses, not just
+	 * responses to ordinary queries.  Note if you can't query the
+	 * cache there is no point in setting RA.
+	 */
+	ra = false;
+	if (client->view->resolver != NULL && client->view->recursion &&
+	    ns_client_checkaclsilent(client, NULL, client->view->recursionacl,
+				     true) == ISC_R_SUCCESS &&
+	    ns_client_checkaclsilent(client, NULL, client->view->cacheacl,
+				     true) == ISC_R_SUCCESS &&
+	    ns_client_checkaclsilent(client, &client->destaddr,
+				     client->view->recursiononacl,
+				     true) == ISC_R_SUCCESS &&
+	    ns_client_checkaclsilent(client, &client->destaddr,
+				     client->view->cacheonacl,
+				     true) == ISC_R_SUCCESS)
+	{
+		ra = true;
+	}
+
+	if (ra) {
+		client->attributes |= NS_CLIENTATTR_RA;
+	}
+
+	ns_client_log(client, DNS_LOGCATEGORY_SECURITY, NS_LOGMODULE_CLIENT,
+		      ISC_LOG_DEBUG(3),
+		      ra ? "recursion available" : "recursion not available");
+
+	/*
+	 * Adjust maximum UDP response size for this client.
+	 */
+	if (client->udpsize > 512) {
+		dns_peer_t *peer = NULL;
+		uint16_t udpsize = client->view->maxudp;
+		(void)dns_peerlist_peerbyaddr(client->view->peers, &netaddr,
+					      &peer);
+		if (peer != NULL) {
+			dns_peer_getmaxudp(peer, &udpsize);
+		}
+		if (client->udpsize > udpsize) {
+			client->udpsize = udpsize;
+		}
+	}
+
+	/*
+	 * Dispatch the request.
+	 */
+	switch (client->message->opcode) {
+	case dns_opcode_query:
+		CTRACE("query");
+#ifdef HAVE_DNSTAP
+		if (ra && (client->message->flags & DNS_MESSAGEFLAG_RD) != 0) {
+			dtmsgtype = DNS_DTTYPE_CQ;
+		} else {
+			dtmsgtype = DNS_DTTYPE_AQ;
+		}
+
+		dns_dt_send(client->view, dtmsgtype, &client->peeraddr,
+			    &client->destsockaddr, TCP_CLIENT(client), NULL,
+			    &client->requesttime, NULL, buffer);
+#endif /* HAVE_DNSTAP */
+
+		ns_query_start(client, handle);
+		break;
+	case dns_opcode_update:
+		CTRACE("update");
+#ifdef HAVE_DNSTAP
+		dns_dt_send(client->view, DNS_DTTYPE_UQ, &client->peeraddr,
+			    &client->destsockaddr, TCP_CLIENT(client), NULL,
+			    &client->requesttime, NULL, buffer);
+#endif /* HAVE_DNSTAP */
+		ns_client_settimeout(client, 60);
+		ns_update_start(client, handle, sigresult);
+		break;
+	case dns_opcode_notify:
+		CTRACE("notify");
+		ns_client_settimeout(client, 60);
+		ns_notify_start(client, handle);
+		break;
+	case dns_opcode_iquery:
+		CTRACE("iquery");
+		ns_client_error(client, DNS_R_NOTIMP);
+		break;
+	default:
+		CTRACE("unknown opcode");
+		ns_client_error(client, DNS_R_NOTIMP);
+	}
+
+	isc_task_unpause(client->task);
+}
+
+isc_result_t
+ns__client_tcpconn(isc_nmhandle_t *handle, isc_result_t result, void *arg) {
+	ns_interface_t *ifp = (ns_interface_t *)arg;
+	dns_aclenv_t *env = ns_interfacemgr_getaclenv(ifp->mgr);
+	ns_server_t *sctx = ns_interfacemgr_getserver(ifp->mgr);
+	unsigned int tcpquota;
+	isc_sockaddr_t peeraddr;
+	isc_netaddr_t netaddr;
+	int match;
+
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	if (handle != NULL) {
+		peeraddr = isc_nmhandle_peeraddr(handle);
+		isc_netaddr_fromsockaddr(&netaddr, &peeraddr);
+
+		if (sctx->blackholeacl != NULL &&
+		    (dns_acl_match(&netaddr, NULL, sctx->blackholeacl, env,
+				   &match, NULL) == ISC_R_SUCCESS) &&
+		    match > 0)
+		{
+			return (ISC_R_CONNREFUSED);
+		}
+	}
+
+	tcpquota = isc_quota_getused(&sctx->tcpquota);
+	ns_stats_update_if_greater(sctx->nsstats, ns_statscounter_tcphighwater,
+				   tcpquota);
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+get_clientmctx(ns_clientmgr_t *manager, isc_mem_t **mctxp) {
+	isc_mem_t *clientmctx;
+	MTRACE("clientmctx");
+
+	int tid = isc_nm_tid();
+	if (tid < 0) {
+		tid = isc_random_uniform(manager->ncpus);
+	}
+	int rand = isc_random_uniform(CLIENT_NMCTXS_PERCPU);
+	int nextmctx = (rand * manager->ncpus) + tid;
+	clientmctx = manager->mctxpool[nextmctx];
+
+	isc_mem_attach(clientmctx, mctxp);
+}
+
+static void
+get_clienttask(ns_clientmgr_t *manager, isc_task_t **taskp) {
+	MTRACE("clienttask");
+
+	int tid = isc_nm_tid();
+	if (tid < 0) {
+		tid = isc_random_uniform(manager->ncpus);
+	}
+
+	int rand = isc_random_uniform(CLIENT_NTASKS_PERCPU);
+	int nexttask = (rand * manager->ncpus) + tid;
+	isc_task_attach(manager->taskpool[nexttask], taskp);
+}
+
+isc_result_t
+ns__client_setup(ns_client_t *client, ns_clientmgr_t *mgr, bool new) {
+	isc_result_t result;
+
+	/*
+	 * Caller must be holding the manager lock.
+	 *
+	 * Note: creating a client does not add the client to the
+	 * manager's client list or set the client's manager pointer.
+	 * The caller is responsible for that.
+	 */
+
+	REQUIRE(NS_CLIENT_VALID(client) || (new &&client != NULL));
+	REQUIRE(VALID_MANAGER(mgr) || !new);
+
+	if (new) {
+		*client = (ns_client_t){ .magic = 0 };
+
+		get_clientmctx(mgr, &client->mctx);
+		clientmgr_attach(mgr, &client->manager);
+		ns_server_attach(mgr->sctx, &client->sctx);
+		get_clienttask(mgr, &client->task);
+
+		dns_message_create(client->mctx, DNS_MESSAGE_INTENTPARSE,
+				   &client->message);
+
+		client->sendbuf = isc_mem_get(client->mctx,
+					      NS_CLIENT_SEND_BUFFER_SIZE);
+		/*
+		 * Set magic earlier than usual because ns_query_init()
+		 * and the functions it calls will require it.
+		 */
+		client->magic = NS_CLIENT_MAGIC;
+		result = ns_query_init(client);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+	} else {
+		ns_clientmgr_t *oldmgr = client->manager;
+		ns_server_t *sctx = client->sctx;
+		isc_task_t *task = client->task;
+		unsigned char *sendbuf = client->sendbuf;
+		dns_message_t *message = client->message;
+		isc_mem_t *oldmctx = client->mctx;
+		ns_query_t query = client->query;
+
+		/*
+		 * Retain these values from the existing client, but
+		 * zero every thing else.
+		 */
+		*client = (ns_client_t){ .magic = 0,
+					 .mctx = oldmctx,
+					 .manager = oldmgr,
+					 .sctx = sctx,
+					 .task = task,
+					 .sendbuf = sendbuf,
+					 .message = message,
+					 .query = query };
+	}
+
+	client->query.attributes &= ~NS_QUERYATTR_ANSWERED;
+	client->state = NS_CLIENTSTATE_INACTIVE;
+	client->udpsize = 512;
+	client->ednsversion = -1;
+	dns_name_init(&client->signername, NULL);
+	dns_ecs_init(&client->ecs);
+	isc_sockaddr_any(&client->formerrcache.addr);
+	client->formerrcache.time = 0;
+	client->formerrcache.id = 0;
+	ISC_LINK_INIT(client, rlink);
+	client->rcode_override = -1; /* not set */
+
+	client->magic = NS_CLIENT_MAGIC;
+
+	CTRACE("client_setup");
+
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	if (client->sendbuf != NULL) {
+		isc_mem_put(client->mctx, client->sendbuf,
+			    NS_CLIENT_SEND_BUFFER_SIZE);
+	}
+
+	if (client->message != NULL) {
+		dns_message_detach(&client->message);
+	}
+
+	if (client->task != NULL) {
+		isc_task_detach(&client->task);
+	}
+
+	if (client->manager != NULL) {
+		clientmgr_detach(&client->manager);
+	}
+	if (client->mctx != NULL) {
+		isc_mem_detach(&client->mctx);
+	}
+	if (client->sctx != NULL) {
+		ns_server_detach(&client->sctx);
+	}
+
+	return (result);
+}
+
+bool
+ns_client_shuttingdown(ns_client_t *client) {
+	return (client->shuttingdown);
+}
+
+/***
+ *** Client Manager
+ ***/
+
+static void
+clientmgr_attach(ns_clientmgr_t *source, ns_clientmgr_t **targetp) {
+	int32_t oldrefs;
+
+	REQUIRE(VALID_MANAGER(source));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	oldrefs = isc_refcount_increment0(&source->references);
+	isc_log_write(ns_lctx, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_CLIENT,
+		      ISC_LOG_DEBUG(3), "clientmgr @%p attach: %d", source,
+		      oldrefs + 1);
+
+	*targetp = source;
+}
+
+static void
+clientmgr_detach(ns_clientmgr_t **mp) {
+	int32_t oldrefs;
+	ns_clientmgr_t *mgr = *mp;
+	*mp = NULL;
+
+	oldrefs = isc_refcount_decrement(&mgr->references);
+	isc_log_write(ns_lctx, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_CLIENT,
+		      ISC_LOG_DEBUG(3), "clientmgr @%p detach: %d", mgr,
+		      oldrefs - 1);
+	if (oldrefs == 1) {
+		clientmgr_destroy(mgr);
+	}
+}
+
+static void
+clientmgr_destroy(ns_clientmgr_t *manager) {
+	int i;
+
+	MTRACE("clientmgr_destroy");
+
+	isc_refcount_destroy(&manager->references);
+	manager->magic = 0;
+
+	for (i = 0; i < manager->ncpus * CLIENT_NMCTXS_PERCPU; i++) {
+		isc_mem_detach(&manager->mctxpool[i]);
+	}
+	isc_mem_put(manager->mctx, manager->mctxpool,
+		    manager->ncpus * CLIENT_NMCTXS_PERCPU *
+			    sizeof(isc_mem_t *));
+
+	if (manager->interface != NULL) {
+		ns_interface_detach(&manager->interface);
+	}
+
+	isc_mutex_destroy(&manager->lock);
+	isc_mutex_destroy(&manager->reclock);
+
+	if (manager->excl != NULL) {
+		isc_task_detach(&manager->excl);
+	}
+
+	for (i = 0; i < manager->ncpus * CLIENT_NTASKS_PERCPU; i++) {
+		if (manager->taskpool[i] != NULL) {
+			isc_task_detach(&manager->taskpool[i]);
+		}
+	}
+	isc_mem_put(manager->mctx, manager->taskpool,
+		    manager->ncpus * CLIENT_NTASKS_PERCPU *
+			    sizeof(isc_task_t *));
+	ns_server_detach(&manager->sctx);
+
+	isc_mem_put(manager->mctx, manager, sizeof(*manager));
+}
+
+isc_result_t
+ns_clientmgr_create(isc_mem_t *mctx, ns_server_t *sctx, isc_taskmgr_t *taskmgr,
+		    isc_timermgr_t *timermgr, ns_interface_t *interface,
+		    int ncpus, ns_clientmgr_t **managerp) {
+	ns_clientmgr_t *manager;
+	isc_result_t result;
+	int i;
+	int npools;
+
+	manager = isc_mem_get(mctx, sizeof(*manager));
+	*manager = (ns_clientmgr_t){ .magic = 0 };
+
+	isc_mutex_init(&manager->lock);
+	isc_mutex_init(&manager->reclock);
+
+	manager->excl = NULL;
+	result = isc_taskmgr_excltask(taskmgr, &manager->excl);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_reclock;
+	}
+
+	manager->mctx = mctx;
+	manager->taskmgr = taskmgr;
+	manager->timermgr = timermgr;
+	manager->ncpus = ncpus;
+
+	ns_interface_attach(interface, &manager->interface);
+
+	manager->exiting = false;
+	int ntasks = CLIENT_NTASKS_PERCPU * manager->ncpus;
+	manager->taskpool = isc_mem_get(mctx, ntasks * sizeof(isc_task_t *));
+	for (i = 0; i < ntasks; i++) {
+		manager->taskpool[i] = NULL;
+		result = isc_task_create_bound(manager->taskmgr, 20,
+					       &manager->taskpool[i],
+					       i % CLIENT_NTASKS_PERCPU);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	}
+	isc_refcount_init(&manager->references, 1);
+	manager->sctx = NULL;
+	ns_server_attach(sctx, &manager->sctx);
+
+	ISC_LIST_INIT(manager->recursing);
+
+	npools = CLIENT_NMCTXS_PERCPU * manager->ncpus;
+	manager->mctxpool = isc_mem_get(manager->mctx,
+					npools * sizeof(isc_mem_t *));
+	for (i = 0; i < npools; i++) {
+		manager->mctxpool[i] = NULL;
+		isc_mem_create(&manager->mctxpool[i]);
+		isc_mem_setname(manager->mctxpool[i], "client", NULL);
+	}
+
+	manager->magic = MANAGER_MAGIC;
+
+	MTRACE("create");
+
+	*managerp = manager;
+
+	return (ISC_R_SUCCESS);
+
+cleanup_reclock:
+	isc_mutex_destroy(&manager->reclock);
+	isc_mutex_destroy(&manager->lock);
+
+	isc_mem_put(mctx, manager, sizeof(*manager));
+
+	return (result);
+}
+
+void
+ns_clientmgr_shutdown(ns_clientmgr_t *manager) {
+	REQUIRE(VALID_MANAGER(manager));
+
+	LOCK(&manager->reclock);
+	for (ns_client_t *client = ISC_LIST_HEAD(manager->recursing);
+	     client != NULL; client = ISC_LIST_NEXT(client, rlink))
+	{
+		ns_query_cancel(client);
+	}
+	UNLOCK(&manager->reclock);
+}
+
+void
+ns_clientmgr_destroy(ns_clientmgr_t **managerp) {
+	isc_result_t result;
+	ns_clientmgr_t *manager;
+	bool unlock = false;
+
+	REQUIRE(managerp != NULL);
+	manager = *managerp;
+	*managerp = NULL;
+	REQUIRE(VALID_MANAGER(manager));
+
+	MTRACE("destroy");
+
+	/*
+	 * Check for success because we may already be task-exclusive
+	 * at this point.  Only if we succeed at obtaining an exclusive
+	 * lock now will we need to relinquish it later.
+	 */
+	result = isc_task_beginexclusive(manager->excl);
+	if (result == ISC_R_SUCCESS) {
+		unlock = true;
+	}
+
+	manager->exiting = true;
+
+	if (unlock) {
+		isc_task_endexclusive(manager->excl);
+	}
+
+	if (isc_refcount_decrement(&manager->references) == 1) {
+		clientmgr_destroy(manager);
+	}
+}
+
+isc_sockaddr_t *
+ns_client_getsockaddr(ns_client_t *client) {
+	return (&client->peeraddr);
+}
+
+isc_sockaddr_t *
+ns_client_getdestaddr(ns_client_t *client) {
+	return (&client->destsockaddr);
+}
+
+isc_result_t
+ns_client_checkaclsilent(ns_client_t *client, isc_netaddr_t *netaddr,
+			 dns_acl_t *acl, bool default_allow) {
+	isc_result_t result;
+	dns_aclenv_t *env =
+		ns_interfacemgr_getaclenv(client->manager->interface->mgr);
+	isc_netaddr_t tmpnetaddr;
+	int match;
+
+	if (acl == NULL) {
+		if (default_allow) {
+			goto allow;
+		} else {
+			goto deny;
+		}
+	}
+
+	if (netaddr == NULL) {
+		isc_netaddr_fromsockaddr(&tmpnetaddr, &client->peeraddr);
+		netaddr = &tmpnetaddr;
+	}
+
+	result = dns_acl_match(netaddr, client->signer, acl, env, &match, NULL);
+	if (result != ISC_R_SUCCESS) {
+		goto deny; /* Internal error, already logged. */
+	}
+
+	if (match > 0) {
+		goto allow;
+	}
+	goto deny; /* Negative match or no match. */
+
+allow:
+	return (ISC_R_SUCCESS);
+
+deny:
+	return (DNS_R_REFUSED);
+}
+
+isc_result_t
+ns_client_checkacl(ns_client_t *client, isc_sockaddr_t *sockaddr,
+		   const char *opname, dns_acl_t *acl, bool default_allow,
+		   int log_level) {
+	isc_result_t result;
+	isc_netaddr_t netaddr;
+
+	if (sockaddr != NULL) {
+		isc_netaddr_fromsockaddr(&netaddr, sockaddr);
+	}
+
+	result = ns_client_checkaclsilent(client, sockaddr ? &netaddr : NULL,
+					  acl, default_allow);
+
+	if (result == ISC_R_SUCCESS) {
+		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
+			      "%s approved", opname);
+	} else {
+		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+			      NS_LOGMODULE_CLIENT, log_level, "%s denied",
+			      opname);
+	}
+	return (result);
+}
+
+static void
+ns_client_name(ns_client_t *client, char *peerbuf, size_t len) {
+	if (client->peeraddr_valid) {
+		isc_sockaddr_format(&client->peeraddr, peerbuf,
+				    (unsigned int)len);
+	} else {
+		snprintf(peerbuf, len, "@%p", client);
+	}
+}
+
+void
+ns_client_logv(ns_client_t *client, isc_logcategory_t *category,
+	       isc_logmodule_t *module, int level, const char *fmt,
+	       va_list ap) {
+	char msgbuf[4096];
+	char signerbuf[DNS_NAME_FORMATSIZE], qnamebuf[DNS_NAME_FORMATSIZE];
+	char peerbuf[ISC_SOCKADDR_FORMATSIZE];
+	const char *viewname = "";
+	const char *sep1 = "", *sep2 = "", *sep3 = "", *sep4 = "";
+	const char *signer = "", *qname = "";
+	dns_name_t *q = NULL;
+
+	REQUIRE(client != NULL);
+
+	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
+
+	if (client->signer != NULL) {
+		dns_name_format(client->signer, signerbuf, sizeof(signerbuf));
+		sep1 = "/key ";
+		signer = signerbuf;
+	}
+
+	q = client->query.origqname != NULL ? client->query.origqname
+					    : client->query.qname;
+	if (q != NULL) {
+		dns_name_format(q, qnamebuf, sizeof(qnamebuf));
+		sep2 = " (";
+		sep3 = ")";
+		qname = qnamebuf;
+	}
+
+	if (client->view != NULL && strcmp(client->view->name, "_bind") != 0 &&
+	    strcmp(client->view->name, "_default") != 0)
+	{
+		sep4 = ": view ";
+		viewname = client->view->name;
+	}
+
+	if (client->peeraddr_valid) {
+		isc_sockaddr_format(&client->peeraddr, peerbuf,
+				    sizeof(peerbuf));
+	} else {
+		snprintf(peerbuf, sizeof(peerbuf), "(no-peer)");
+	}
+
+	isc_log_write(ns_lctx, category, module, level,
+		      "client @%p %s%s%s%s%s%s%s%s: %s", client, peerbuf, sep1,
+		      signer, sep2, qname, sep3, sep4, viewname, msgbuf);
+}
+
+void
+ns_client_log(ns_client_t *client, isc_logcategory_t *category,
+	      isc_logmodule_t *module, int level, const char *fmt, ...) {
+	va_list ap;
+
+	if (!isc_log_wouldlog(ns_lctx, level)) {
+		return;
+	}
+
+	va_start(ap, fmt);
+	ns_client_logv(client, category, module, level, fmt, ap);
+	va_end(ap);
+}
+
+void
+ns_client_aclmsg(const char *msg, const dns_name_t *name, dns_rdatatype_t type,
+		 dns_rdataclass_t rdclass, char *buf, size_t len) {
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char typebuf[DNS_RDATATYPE_FORMATSIZE];
+	char classbuf[DNS_RDATACLASS_FORMATSIZE];
+
+	dns_name_format(name, namebuf, sizeof(namebuf));
+	dns_rdatatype_format(type, typebuf, sizeof(typebuf));
+	dns_rdataclass_format(rdclass, classbuf, sizeof(classbuf));
+	(void)snprintf(buf, len, "%s '%s/%s/%s'", msg, namebuf, typebuf,
+		       classbuf);
+}
+
+static void
+ns_client_dumpmessage(ns_client_t *client, const char *reason) {
+	isc_buffer_t buffer;
+	char *buf = NULL;
+	int len = 1024;
+	isc_result_t result;
+
+	if (!isc_log_wouldlog(ns_lctx, ISC_LOG_DEBUG(1))) {
+		return;
+	}
+
+	/*
+	 * Note that these are multiline debug messages.  We want a newline
+	 * to appear in the log after each message.
+	 */
+
+	do {
+		buf = isc_mem_get(client->mctx, len);
+		isc_buffer_init(&buffer, buf, len);
+		result = dns_message_totext(
+			client->message, &dns_master_style_debug, 0, &buffer);
+		if (result == ISC_R_NOSPACE) {
+			isc_mem_put(client->mctx, buf, len);
+			len += 1024;
+		} else if (result == ISC_R_SUCCESS) {
+			ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+				      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(1),
+				      "%s\n%.*s", reason,
+				      (int)isc_buffer_usedlength(&buffer), buf);
+		}
+	} while (result == ISC_R_NOSPACE);
+
+	if (buf != NULL) {
+		isc_mem_put(client->mctx, buf, len);
+	}
+}
+
+void
+ns_client_dumprecursing(FILE *f, ns_clientmgr_t *manager) {
+	ns_client_t *client;
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char original[DNS_NAME_FORMATSIZE];
+	char peerbuf[ISC_SOCKADDR_FORMATSIZE];
+	char typebuf[DNS_RDATATYPE_FORMATSIZE];
+	char classbuf[DNS_RDATACLASS_FORMATSIZE];
+	const char *name;
+	const char *sep;
+	const char *origfor;
+	dns_rdataset_t *rdataset;
+
+	REQUIRE(VALID_MANAGER(manager));
+
+	LOCK(&manager->reclock);
+	client = ISC_LIST_HEAD(manager->recursing);
+	while (client != NULL) {
+		INSIST(client->state == NS_CLIENTSTATE_RECURSING);
+
+		ns_client_name(client, peerbuf, sizeof(peerbuf));
+		if (client->view != NULL &&
+		    strcmp(client->view->name, "_bind") != 0 &&
+		    strcmp(client->view->name, "_default") != 0)
+		{
+			name = client->view->name;
+			sep = ": view ";
+		} else {
+			name = "";
+			sep = "";
+		}
+
+		LOCK(&client->query.fetchlock);
+		INSIST(client->query.qname != NULL);
+		dns_name_format(client->query.qname, namebuf, sizeof(namebuf));
+		if (client->query.qname != client->query.origqname &&
+		    client->query.origqname != NULL)
+		{
+			origfor = " for ";
+			dns_name_format(client->query.origqname, original,
+					sizeof(original));
+		} else {
+			origfor = "";
+			original[0] = '\0';
+		}
+		rdataset = ISC_LIST_HEAD(client->query.qname->list);
+		if (rdataset == NULL && client->query.origqname != NULL) {
+			rdataset = ISC_LIST_HEAD(client->query.origqname->list);
+		}
+		if (rdataset != NULL) {
+			dns_rdatatype_format(rdataset->type, typebuf,
+					     sizeof(typebuf));
+			dns_rdataclass_format(rdataset->rdclass, classbuf,
+					      sizeof(classbuf));
+		} else {
+			strlcpy(typebuf, "-", sizeof(typebuf));
+			strlcpy(classbuf, "-", sizeof(classbuf));
+		}
+		UNLOCK(&client->query.fetchlock);
+		fprintf(f,
+			"; client %s%s%s: id %u '%s/%s/%s'%s%s "
+			"requesttime %u\n",
+			peerbuf, sep, name, client->message->id, namebuf,
+			typebuf, classbuf, origfor, original,
+			isc_time_seconds(&client->requesttime));
+		client = ISC_LIST_NEXT(client, rlink);
+	}
+	UNLOCK(&manager->reclock);
+}
+
+void
+ns_client_qnamereplace(ns_client_t *client, dns_name_t *name) {
+	LOCK(&client->query.fetchlock);
+	if (client->query.restarts > 0) {
+		/*
+		 * client->query.qname was dynamically allocated.
+		 */
+		dns_message_puttempname(client->message, &client->query.qname);
+	}
+	client->query.qname = name;
+	client->query.attributes &= ~NS_QUERYATTR_REDIRECT;
+	UNLOCK(&client->query.fetchlock);
+}
+
+isc_result_t
+ns_client_sourceip(dns_clientinfo_t *ci, isc_sockaddr_t **addrp) {
+	ns_client_t *client = (ns_client_t *)ci->data;
+
+	REQUIRE(NS_CLIENT_VALID(client));
+	REQUIRE(addrp != NULL);
+
+	*addrp = &client->peeraddr;
+	return (ISC_R_SUCCESS);
+}
+
+dns_rdataset_t *
+ns_client_newrdataset(ns_client_t *client) {
+	dns_rdataset_t *rdataset;
+	isc_result_t result;
+
+	REQUIRE(NS_CLIENT_VALID(client));
+
+	rdataset = NULL;
+	result = dns_message_gettemprdataset(client->message, &rdataset);
+	if (result != ISC_R_SUCCESS) {
+		return (NULL);
+	}
+
+	return (rdataset);
+}
+
+void
+ns_client_putrdataset(ns_client_t *client, dns_rdataset_t **rdatasetp) {
+	dns_rdataset_t *rdataset;
+
+	REQUIRE(NS_CLIENT_VALID(client));
+	REQUIRE(rdatasetp != NULL);
+
+	rdataset = *rdatasetp;
+
+	if (rdataset != NULL) {
+		if (dns_rdataset_isassociated(rdataset)) {
+			dns_rdataset_disassociate(rdataset);
+		}
+		dns_message_puttemprdataset(client->message, rdatasetp);
+	}
+}
+
+isc_result_t
+ns_client_newnamebuf(ns_client_t *client) {
+	isc_buffer_t *dbuf = NULL;
+
+	CTRACE("ns_client_newnamebuf");
+
+	isc_buffer_allocate(client->mctx, &dbuf, 1024);
+	ISC_LIST_APPEND(client->query.namebufs, dbuf, link);
+
+	CTRACE("ns_client_newnamebuf: done");
+	return (ISC_R_SUCCESS);
+}
+
+dns_name_t *
+ns_client_newname(ns_client_t *client, isc_buffer_t *dbuf, isc_buffer_t *nbuf) {
+	dns_name_t *name = NULL;
+	isc_region_t r;
+	isc_result_t result;
+
+	REQUIRE((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED) == 0);
+
+	CTRACE("ns_client_newname");
+
+	result = dns_message_gettempname(client->message, &name);
+	if (result != ISC_R_SUCCESS) {
+		CTRACE("ns_client_newname: "
+		       "dns_message_gettempname failed: done");
+		return (NULL);
+	}
+	isc_buffer_availableregion(dbuf, &r);
+	isc_buffer_init(nbuf, r.base, r.length);
+	dns_name_setbuffer(name, NULL);
+	dns_name_setbuffer(name, nbuf);
+	client->query.attributes |= NS_QUERYATTR_NAMEBUFUSED;
+
+	CTRACE("ns_client_newname: done");
+	return (name);
+}
+
+isc_buffer_t *
+ns_client_getnamebuf(ns_client_t *client) {
+	isc_buffer_t *dbuf;
+	isc_region_t r;
+
+	CTRACE("ns_client_getnamebuf");
+
+	/*%
+	 * Return a name buffer with space for a maximal name, allocating
+	 * a new one if necessary.
+	 */
+	if (ISC_LIST_EMPTY(client->query.namebufs)) {
+		ns_client_newnamebuf(client);
+	}
+
+	dbuf = ISC_LIST_TAIL(client->query.namebufs);
+	INSIST(dbuf != NULL);
+	isc_buffer_availableregion(dbuf, &r);
+	if (r.length < DNS_NAME_MAXWIRE) {
+		ns_client_newnamebuf(client);
+		dbuf = ISC_LIST_TAIL(client->query.namebufs);
+		isc_buffer_availableregion(dbuf, &r);
+		INSIST(r.length >= 255);
+	}
+	CTRACE("ns_client_getnamebuf: done");
+	return (dbuf);
+}
+
+void
+ns_client_keepname(ns_client_t *client, dns_name_t *name, isc_buffer_t *dbuf) {
+	isc_region_t r;
+
+	CTRACE("ns_client_keepname");
+
+	/*%
+	 * 'name' is using space in 'dbuf', but 'dbuf' has not yet been
+	 * adjusted to take account of that.  We do the adjustment.
+	 */
+	REQUIRE((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED) != 0);
+
+	dns_name_toregion(name, &r);
+	isc_buffer_add(dbuf, r.length);
+	dns_name_setbuffer(name, NULL);
+	client->query.attributes &= ~NS_QUERYATTR_NAMEBUFUSED;
+}
+
+void
+ns_client_releasename(ns_client_t *client, dns_name_t **namep) {
+	/*%
+	 * 'name' is no longer needed.  Return it to our pool of temporary
+	 * names.  If it is using a name buffer, relinquish its exclusive
+	 * rights on the buffer.
+	 */
+
+	CTRACE("ns_client_releasename");
+	client->query.attributes &= ~NS_QUERYATTR_NAMEBUFUSED;
+	dns_message_puttempname(client->message, namep);
+	CTRACE("ns_client_releasename: done");
+}
+
+isc_result_t
+ns_client_newdbversion(ns_client_t *client, unsigned int n) {
+	unsigned int i;
+	ns_dbversion_t *dbversion = NULL;
+
+	for (i = 0; i < n; i++) {
+		dbversion = isc_mem_get(client->mctx, sizeof(*dbversion));
+		*dbversion = (ns_dbversion_t){ 0 };
+		ISC_LIST_INITANDAPPEND(client->query.freeversions, dbversion,
+				       link);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static ns_dbversion_t *
+client_getdbversion(ns_client_t *client) {
+	ns_dbversion_t *dbversion = NULL;
+
+	if (ISC_LIST_EMPTY(client->query.freeversions)) {
+		ns_client_newdbversion(client, 1);
+	}
+	dbversion = ISC_LIST_HEAD(client->query.freeversions);
+	INSIST(dbversion != NULL);
+	ISC_LIST_UNLINK(client->query.freeversions, dbversion, link);
+
+	return (dbversion);
+}
+
+ns_dbversion_t *
+ns_client_findversion(ns_client_t *client, dns_db_t *db) {
+	ns_dbversion_t *dbversion;
+
+	for (dbversion = ISC_LIST_HEAD(client->query.activeversions);
+	     dbversion != NULL; dbversion = ISC_LIST_NEXT(dbversion, link))
+	{
+		if (dbversion->db == db) {
+			break;
+		}
+	}
+
+	if (dbversion == NULL) {
+		/*
+		 * This is a new zone for this query.  Add it to
+		 * the active list.
+		 */
+		dbversion = client_getdbversion(client);
+		if (dbversion == NULL) {
+			return (NULL);
+		}
+		dns_db_attach(db, &dbversion->db);
+		dns_db_currentversion(db, &dbversion->version);
+		dbversion->acl_checked = false;
+		dbversion->queryok = false;
+		ISC_LIST_APPEND(client->query.activeversions, dbversion, link);
+	}
+
+	return (dbversion);
+}
diff --git a/lib/ns/hooks.c b/lib/ns/hooks.c
new file mode 100644
index 0000000..1b8b8d0
--- /dev/null
+++ b/lib/ns/hooks.c
@@ -0,0 +1,544 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <errno.h>
+#include <stdio.h>
+#include <string.h>
+
+#if HAVE_DLFCN_H
+#include <dlfcn.h>
+#elif _WIN32
+#include <windows.h>
+#endif /* if HAVE_DLFCN_H */
+
+#include <isc/errno.h>
+#include <isc/list.h>
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/mutex.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <dns/view.h>
+
+#include <ns/hooks.h>
+#include <ns/log.h>
+#include <ns/query.h>
+
+#define CHECK(op)                              \
+	do {                                   \
+		result = (op);                 \
+		if (result != ISC_R_SUCCESS) { \
+			goto cleanup;          \
+		}                              \
+	} while (0)
+
+struct ns_plugin {
+	isc_mem_t *mctx;
+	void *handle;
+	void *inst;
+	char *modpath;
+	ns_plugin_check_t *check_func;
+	ns_plugin_register_t *register_func;
+	ns_plugin_destroy_t *destroy_func;
+	LINK(ns_plugin_t) link;
+};
+
+static ns_hooklist_t default_hooktable[NS_HOOKPOINTS_COUNT];
+LIBNS_EXTERNAL_DATA ns_hooktable_t *ns__hook_table = &default_hooktable;
+
+isc_result_t
+ns_plugin_expandpath(const char *src, char *dst, size_t dstsize) {
+	int result;
+
+#ifndef WIN32
+	/*
+	 * On Unix systems, differentiate between paths and filenames.
+	 */
+	if (strchr(src, '/') != NULL) {
+		/*
+		 * 'src' is an absolute or relative path.  Copy it verbatim.
+		 */
+		result = snprintf(dst, dstsize, "%s", src);
+	} else {
+		/*
+		 * 'src' is a filename.  Prepend default plugin directory path.
+		 */
+		result = snprintf(dst, dstsize, "%s/%s", NAMED_PLUGINDIR, src);
+	}
+#else  /* ifndef WIN32 */
+	/*
+	 * On Windows, always copy 'src' do 'dst'.
+	 */
+	result = snprintf(dst, dstsize, "%s", src);
+#endif /* ifndef WIN32 */
+
+	if (result < 0) {
+		return (isc_errno_toresult(errno));
+	} else if ((size_t)result >= dstsize) {
+		return (ISC_R_NOSPACE);
+	} else {
+		return (ISC_R_SUCCESS);
+	}
+}
+
+#if HAVE_DLFCN_H && HAVE_DLOPEN
+static isc_result_t
+load_symbol(void *handle, const char *modpath, const char *symbol_name,
+	    void **symbolp) {
+	void *symbol = NULL;
+
+	REQUIRE(handle != NULL);
+	REQUIRE(symbolp != NULL && *symbolp == NULL);
+
+	/*
+	 * Clear any pre-existing error conditions before running dlsym().
+	 * (In this case, we expect dlsym() to return non-NULL values
+	 * and will always return an error if it returns NULL, but
+	 * this ensures that we'll report the correct error condition
+	 * if there is one.)
+	 */
+	dlerror();
+	symbol = dlsym(handle, symbol_name);
+	if (symbol == NULL) {
+		const char *errmsg = dlerror();
+		if (errmsg == NULL) {
+			errmsg = "returned function pointer is NULL";
+		}
+		isc_log_write(ns_lctx, NS_LOGCATEGORY_GENERAL,
+			      NS_LOGMODULE_HOOKS, ISC_LOG_ERROR,
+			      "failed to look up symbol %s in "
+			      "plugin '%s': %s",
+			      symbol_name, modpath, errmsg);
+		return (ISC_R_FAILURE);
+	}
+
+	*symbolp = symbol;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+load_plugin(isc_mem_t *mctx, const char *modpath, ns_plugin_t **pluginp) {
+	isc_result_t result;
+	void *handle = NULL;
+	ns_plugin_t *plugin = NULL;
+	ns_plugin_check_t *check_func = NULL;
+	ns_plugin_register_t *register_func = NULL;
+	ns_plugin_destroy_t *destroy_func = NULL;
+	ns_plugin_version_t *version_func = NULL;
+	int version, flags;
+
+	REQUIRE(pluginp != NULL && *pluginp == NULL);
+
+	flags = RTLD_LAZY | RTLD_LOCAL;
+#if defined(RTLD_DEEPBIND) && !__SANITIZE_ADDRESS__ && !__SANITIZE_THREAD__
+	flags |= RTLD_DEEPBIND;
+#endif /* if defined(RTLD_DEEPBIND) && !__SANITIZE_ADDRESS__ && \
+	  !__SANITIZE_THREAD__ */
+
+	handle = dlopen(modpath, flags);
+	if (handle == NULL) {
+		const char *errmsg = dlerror();
+		if (errmsg == NULL) {
+			errmsg = "unknown error";
+		}
+		isc_log_write(ns_lctx, NS_LOGCATEGORY_GENERAL,
+			      NS_LOGMODULE_HOOKS, ISC_LOG_ERROR,
+			      "failed to dlopen() plugin '%s': %s", modpath,
+			      errmsg);
+		return (ISC_R_FAILURE);
+	}
+
+	CHECK(load_symbol(handle, modpath, "plugin_version",
+			  (void **)&version_func));
+
+	version = version_func();
+	if (version < (NS_PLUGIN_VERSION - NS_PLUGIN_AGE) ||
+	    version > NS_PLUGIN_VERSION)
+	{
+		isc_log_write(ns_lctx, NS_LOGCATEGORY_GENERAL,
+			      NS_LOGMODULE_HOOKS, ISC_LOG_ERROR,
+			      "plugin API version mismatch: %d/%d", version,
+			      NS_PLUGIN_VERSION);
+		CHECK(ISC_R_FAILURE);
+	}
+
+	CHECK(load_symbol(handle, modpath, "plugin_check",
+			  (void **)&check_func));
+	CHECK(load_symbol(handle, modpath, "plugin_register",
+			  (void **)&register_func));
+	CHECK(load_symbol(handle, modpath, "plugin_destroy",
+			  (void **)&destroy_func));
+
+	plugin = isc_mem_get(mctx, sizeof(*plugin));
+	memset(plugin, 0, sizeof(*plugin));
+	isc_mem_attach(mctx, &plugin->mctx);
+	plugin->handle = handle;
+	plugin->modpath = isc_mem_strdup(plugin->mctx, modpath);
+	plugin->check_func = check_func;
+	plugin->register_func = register_func;
+	plugin->destroy_func = destroy_func;
+
+	ISC_LINK_INIT(plugin, link);
+
+	*pluginp = plugin;
+	plugin = NULL;
+
+cleanup:
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(ns_lctx, NS_LOGCATEGORY_GENERAL,
+			      NS_LOGMODULE_HOOKS, ISC_LOG_ERROR,
+			      "failed to dynamically load "
+			      "plugin '%s': %s",
+			      modpath, isc_result_totext(result));
+
+		if (plugin != NULL) {
+			isc_mem_putanddetach(&plugin->mctx, plugin,
+					     sizeof(*plugin));
+		}
+
+		(void)dlclose(handle);
+	}
+
+	return (result);
+}
+
+static void
+unload_plugin(ns_plugin_t **pluginp) {
+	ns_plugin_t *plugin = NULL;
+
+	REQUIRE(pluginp != NULL && *pluginp != NULL);
+
+	plugin = *pluginp;
+	*pluginp = NULL;
+
+	isc_log_write(ns_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_HOOKS,
+		      ISC_LOG_DEBUG(1), "unloading plugin '%s'",
+		      plugin->modpath);
+
+	if (plugin->inst != NULL) {
+		plugin->destroy_func(&plugin->inst);
+	}
+	if (plugin->handle != NULL) {
+		(void)dlclose(plugin->handle);
+	}
+	if (plugin->modpath != NULL) {
+		isc_mem_free(plugin->mctx, plugin->modpath);
+	}
+
+	isc_mem_putanddetach(&plugin->mctx, plugin, sizeof(*plugin));
+}
+#elif _WIN32
+static isc_result_t
+load_symbol(HMODULE handle, const char *modpath, const char *symbol_name,
+	    void **symbolp) {
+	void *symbol = NULL;
+
+	REQUIRE(handle != NULL);
+	REQUIRE(symbolp != NULL && *symbolp == NULL);
+
+	symbol = GetProcAddress(handle, symbol_name);
+	if (symbol == NULL) {
+		int errstatus = GetLastError();
+		isc_log_write(ns_lctx, NS_LOGCATEGORY_GENERAL,
+			      NS_LOGMODULE_HOOKS, ISC_LOG_ERROR,
+			      "failed to look up symbol %s in "
+			      "plugin '%s': %d",
+			      symbol_name, modpath, errstatus);
+		return (ISC_R_FAILURE);
+	}
+
+	*symbolp = symbol;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+load_plugin(isc_mem_t *mctx, const char *modpath, ns_plugin_t **pluginp) {
+	isc_result_t result;
+	HMODULE handle;
+	ns_plugin_t *plugin = NULL;
+	ns_plugin_register_t *register_func = NULL;
+	ns_plugin_destroy_t *destroy_func = NULL;
+	ns_plugin_version_t *version_func = NULL;
+	int version;
+
+	REQUIRE(pluginp != NULL && *pluginp == NULL);
+
+	handle = LoadLibraryA(modpath);
+	if (handle == NULL) {
+		CHECK(ISC_R_FAILURE);
+	}
+
+	CHECK(load_symbol(handle, modpath, "plugin_version",
+			  (void **)&version_func));
+
+	version = version_func();
+	if (version < (NS_PLUGIN_VERSION - NS_PLUGIN_AGE) ||
+	    version > NS_PLUGIN_VERSION)
+	{
+		isc_log_write(ns_lctx, NS_LOGCATEGORY_GENERAL,
+			      NS_LOGMODULE_HOOKS, ISC_LOG_ERROR,
+			      "plugin API version mismatch: %d/%d", version,
+			      NS_PLUGIN_VERSION);
+		CHECK(ISC_R_FAILURE);
+	}
+
+	CHECK(load_symbol(handle, modpath, "plugin_register",
+			  (void **)&register_func));
+	CHECK(load_symbol(handle, modpath, "plugin_destroy",
+			  (void **)&destroy_func));
+
+	plugin = isc_mem_get(mctx, sizeof(*plugin));
+	memset(plugin, 0, sizeof(*plugin));
+	isc_mem_attach(mctx, &plugin->mctx);
+	plugin->handle = handle;
+	plugin->modpath = isc_mem_strdup(plugin->mctx, modpath);
+	plugin->register_func = register_func;
+	plugin->destroy_func = destroy_func;
+
+	ISC_LINK_INIT(plugin, link);
+
+	*pluginp = plugin;
+	plugin = NULL;
+
+cleanup:
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(ns_lctx, NS_LOGCATEGORY_GENERAL,
+			      NS_LOGMODULE_HOOKS, ISC_LOG_ERROR,
+			      "failed to dynamically load "
+			      "plugin '%s': %d (%s)",
+			      modpath, GetLastError(),
+			      isc_result_totext(result));
+
+		if (plugin != NULL) {
+			isc_mem_putanddetach(&plugin->mctx, plugin,
+					     sizeof(*plugin));
+		}
+
+		if (handle != NULL) {
+			FreeLibrary(handle);
+		}
+	}
+
+	return (result);
+}
+
+static void
+unload_plugin(ns_plugin_t **pluginp) {
+	ns_plugin_t *plugin = NULL;
+
+	REQUIRE(pluginp != NULL && *pluginp != NULL);
+
+	plugin = *pluginp;
+	*pluginp = NULL;
+
+	isc_log_write(ns_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_HOOKS,
+		      ISC_LOG_DEBUG(1), "unloading plugin '%s'",
+		      plugin->modpath);
+
+	if (plugin->inst != NULL) {
+		plugin->destroy_func(&plugin->inst);
+	}
+	if (plugin->handle != NULL) {
+		FreeLibrary(plugin->handle);
+	}
+
+	if (plugin->modpath != NULL) {
+		isc_mem_free(plugin->mctx, plugin->modpath);
+	}
+
+	isc_mem_putanddetach(&plugin->mctx, plugin, sizeof(*plugin));
+}
+#else  /* HAVE_DLFCN_H || _WIN32 */
+static isc_result_t
+load_plugin(isc_mem_t *mctx, const char *modpath, ns_plugin_t **pluginp) {
+	UNUSED(mctx);
+	UNUSED(modpath);
+	UNUSED(pluginp);
+
+	isc_log_write(ns_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_HOOKS,
+		      ISC_LOG_ERROR, "plugin support is not implemented");
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static void
+unload_plugin(ns_plugin_t **pluginp) {
+	UNUSED(pluginp);
+}
+#endif /* HAVE_DLFCN_H */
+
+isc_result_t
+ns_plugin_register(const char *modpath, const char *parameters, const void *cfg,
+		   const char *cfg_file, unsigned long cfg_line,
+		   isc_mem_t *mctx, isc_log_t *lctx, void *actx,
+		   dns_view_t *view) {
+	isc_result_t result;
+	ns_plugin_t *plugin = NULL;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(lctx != NULL);
+	REQUIRE(view != NULL);
+
+	isc_log_write(ns_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_HOOKS,
+		      ISC_LOG_INFO, "loading plugin '%s'", modpath);
+
+	CHECK(load_plugin(mctx, modpath, &plugin));
+
+	isc_log_write(ns_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_HOOKS,
+		      ISC_LOG_INFO, "registering plugin '%s'", modpath);
+
+	CHECK(plugin->register_func(parameters, cfg, cfg_file, cfg_line, mctx,
+				    lctx, actx, view->hooktable,
+				    &plugin->inst));
+
+	ISC_LIST_APPEND(*(ns_plugins_t *)view->plugins, plugin, link);
+
+cleanup:
+	if (result != ISC_R_SUCCESS && plugin != NULL) {
+		unload_plugin(&plugin);
+	}
+
+	return (result);
+}
+
+isc_result_t
+ns_plugin_check(const char *modpath, const char *parameters, const void *cfg,
+		const char *cfg_file, unsigned long cfg_line, isc_mem_t *mctx,
+		isc_log_t *lctx, void *actx) {
+	isc_result_t result;
+	ns_plugin_t *plugin = NULL;
+
+	CHECK(load_plugin(mctx, modpath, &plugin));
+
+	result = plugin->check_func(parameters, cfg, cfg_file, cfg_line, mctx,
+				    lctx, actx);
+
+cleanup:
+	if (plugin != NULL) {
+		unload_plugin(&plugin);
+	}
+
+	return (result);
+}
+
+void
+ns_hooktable_init(ns_hooktable_t *hooktable) {
+	int i;
+
+	for (i = 0; i < NS_HOOKPOINTS_COUNT; i++) {
+		ISC_LIST_INIT((*hooktable)[i]);
+	}
+}
+
+isc_result_t
+ns_hooktable_create(isc_mem_t *mctx, ns_hooktable_t **tablep) {
+	ns_hooktable_t *hooktable = NULL;
+
+	REQUIRE(tablep != NULL && *tablep == NULL);
+
+	hooktable = isc_mem_get(mctx, sizeof(*hooktable));
+
+	ns_hooktable_init(hooktable);
+
+	*tablep = hooktable;
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+ns_hooktable_free(isc_mem_t *mctx, void **tablep) {
+	ns_hooktable_t *table = NULL;
+	ns_hook_t *hook = NULL, *next = NULL;
+	int i = 0;
+
+	REQUIRE(tablep != NULL && *tablep != NULL);
+
+	table = *tablep;
+	*tablep = NULL;
+
+	for (i = 0; i < NS_HOOKPOINTS_COUNT; i++) {
+		for (hook = ISC_LIST_HEAD((*table)[i]); hook != NULL;
+		     hook = next)
+		{
+			next = ISC_LIST_NEXT(hook, link);
+			ISC_LIST_UNLINK((*table)[i], hook, link);
+			if (hook->mctx != NULL) {
+				isc_mem_putanddetach(&hook->mctx, hook,
+						     sizeof(*hook));
+			}
+		}
+	}
+
+	isc_mem_put(mctx, table, sizeof(*table));
+}
+
+void
+ns_hook_add(ns_hooktable_t *hooktable, isc_mem_t *mctx,
+	    ns_hookpoint_t hookpoint, const ns_hook_t *hook) {
+	ns_hook_t *copy = NULL;
+
+	REQUIRE(hooktable != NULL);
+	REQUIRE(mctx != NULL);
+	REQUIRE(hookpoint < NS_HOOKPOINTS_COUNT);
+	REQUIRE(hook != NULL);
+
+	copy = isc_mem_get(mctx, sizeof(*copy));
+	memset(copy, 0, sizeof(*copy));
+
+	copy->action = hook->action;
+	copy->action_data = hook->action_data;
+	isc_mem_attach(mctx, &copy->mctx);
+
+	ISC_LINK_INIT(copy, link);
+	ISC_LIST_APPEND((*hooktable)[hookpoint], copy, link);
+}
+
+void
+ns_plugins_create(isc_mem_t *mctx, ns_plugins_t **listp) {
+	ns_plugins_t *plugins = NULL;
+
+	REQUIRE(listp != NULL && *listp == NULL);
+
+	plugins = isc_mem_get(mctx, sizeof(*plugins));
+	memset(plugins, 0, sizeof(*plugins));
+	ISC_LIST_INIT(*plugins);
+
+	*listp = plugins;
+}
+
+void
+ns_plugins_free(isc_mem_t *mctx, void **listp) {
+	ns_plugins_t *list = NULL;
+	ns_plugin_t *plugin = NULL, *next = NULL;
+
+	REQUIRE(listp != NULL && *listp != NULL);
+
+	list = *listp;
+	*listp = NULL;
+
+	for (plugin = ISC_LIST_HEAD(*list); plugin != NULL; plugin = next) {
+		next = ISC_LIST_NEXT(plugin, link);
+		ISC_LIST_UNLINK(*list, plugin, link);
+		unload_plugin(&plugin);
+	}
+
+	isc_mem_put(mctx, list, sizeof(*list));
+}
diff --git a/lib/ns/include/.clang-format b/lib/ns/include/.clang-format
new file mode 120000
index 0000000..0e62f72
--- /dev/null
+++ b/lib/ns/include/.clang-format
@@ -0,0 +1 @@
+../../../.clang-format.headers
\ No newline at end of file
diff --git a/lib/ns/include/Makefile.in b/lib/ns/include/Makefile.in
new file mode 100644
index 0000000..5863acb
--- /dev/null
+++ b/lib/ns/include/Makefile.in
@@ -0,0 +1,19 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	ns
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/ns/include/ns/Makefile.in b/lib/ns/include/ns/Makefile.in
new file mode 100644
index 0000000..6976e1e
--- /dev/null
+++ b/lib/ns/include/ns/Makefile.in
@@ -0,0 +1,37 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+HEADERS =	client.h hooks.h interfacemgr.h lib.h listenlist.h log.h \
+		notify.h query.h server.h sortlist.h stats.h \
+		types.h update.h version.h xfrout.h
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/ns
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/ns || exit 1 ; \
+	done
+
+uninstall::
+	for i in ${HEADERS}; do \
+		rm -f ${DESTDIR}${includedir}/ns/$$i || exit 1 ; \
+	done
diff --git a/lib/ns/include/ns/client.h b/lib/ns/include/ns/client.h
new file mode 100644
index 0000000..d1e2fde
--- /dev/null
+++ b/lib/ns/include/ns/client.h
@@ -0,0 +1,585 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef NS_CLIENT_H
+#define NS_CLIENT_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file
+ * \brief
+ * This module defines two objects, ns_client_t and ns_clientmgr_t.
+ *
+ * An ns_client_t object handles incoming DNS requests from clients
+ * on a given network interface.
+ *
+ * Each ns_client_t object can handle only one TCP connection or UDP
+ * request at a time.  Therefore, several ns_client_t objects are
+ * typically created to serve each network interface, e.g., one
+ * for handling TCP requests and a few (one per CPU) for handling
+ * UDP requests.
+ *
+ * Incoming requests are classified as queries, zone transfer
+ * requests, update requests, notify requests, etc, and handed off
+ * to the appropriate request handler.  When the request has been
+ * fully handled (which can be much later), the ns_client_t must be
+ * notified of this by calling one of the following functions
+ * exactly once in the context of its task:
+ * \code
+ *   ns_client_send()	 (sending a non-error response)
+ *   ns_client_sendraw() (sending a raw response)
+ *   ns_client_error()	 (sending an error response)
+ *   ns_client_drop() (sending no response, logging the reason)
+ *\endcode
+ * This will release any resources used by the request and
+ * and allow the ns_client_t to listen for the next request.
+ *
+ * A ns_clientmgr_t manages a number of ns_client_t objects.
+ * New ns_client_t objects are created by calling
+ * ns_clientmgr_createclients(). They are destroyed by
+ * destroying their manager.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/atomic.h>
+#include <isc/buffer.h>
+#include <isc/magic.h>
+#include <isc/netmgr.h>
+#include <isc/platform.h>
+#include <isc/quota.h>
+#include <isc/stdtime.h>
+
+#include <dns/db.h>
+#include <dns/ecs.h>
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatatype.h>
+#include <dns/tcpmsg.h>
+#include <dns/types.h>
+
+#include <ns/query.h>
+#include <ns/types.h>
+
+/***
+ *** Types
+ ***/
+
+#define NS_CLIENT_TCP_BUFFER_SIZE  65535
+#define NS_CLIENT_SEND_BUFFER_SIZE 4096
+
+/*!
+ * Client object states.  Ordering is significant: higher-numbered
+ * states are generally "more active", meaning that the client can
+ * have more dynamically allocated data, outstanding events, etc.
+ * In the list below, any such properties listed for state N
+ * also apply to any state > N.
+ */
+
+typedef enum {
+	NS_CLIENTSTATE_FREED = 0,
+	/*%<
+	 * The client object no longer exists.
+	 */
+
+	NS_CLIENTSTATE_INACTIVE = 1,
+	/*%<
+	 * The client object exists and has a task and timer.
+	 * Its "query" struct and sendbuf are initialized.
+	 * It has a message and OPT, both in the reset state.
+	 */
+
+	NS_CLIENTSTATE_READY = 2,
+	/*%<
+	 * The client object is either a TCP or a UDP one, and
+	 * it is associated with a network interface.  It is on the
+	 * client manager's list of active clients.
+	 *
+	 * If it is a TCP client object, it has a TCP listener socket
+	 * and an outstanding TCP listen request.
+	 *
+	 * If it is a UDP client object, it has a UDP listener socket
+	 * and an outstanding UDP receive request.
+	 */
+
+	NS_CLIENTSTATE_WORKING = 3,
+	/*%<
+	 * The client object has received a request and is working
+	 * on it.  It has a view, and it may have any of a non-reset OPT,
+	 * recursion quota, and an outstanding write request.
+	 */
+
+	NS_CLIENTSTATE_RECURSING = 4,
+	/*%<
+	 * The client object is recursing.  It will be on the
+	 * 'recursing' list.
+	 */
+
+	NS_CLIENTSTATE_MAX = 5
+	/*%<
+	 * Sentinel value used to indicate "no state".
+	 */
+} ns_clientstate_t;
+
+typedef ISC_LIST(ns_client_t) client_list_t;
+
+/*% nameserver client manager structure */
+struct ns_clientmgr {
+	/* Unlocked. */
+	unsigned int magic;
+
+	isc_mem_t      *mctx;
+	ns_server_t    *sctx;
+	isc_taskmgr_t  *taskmgr;
+	isc_timermgr_t *timermgr;
+	isc_task_t     *excl;
+	isc_refcount_t	references;
+	int		ncpus;
+
+	/* Attached by clients, needed for e.g. recursion */
+	isc_task_t **taskpool;
+
+	ns_interface_t *interface;
+
+	/* Lock covers manager state. */
+	isc_mutex_t lock;
+	bool	    exiting;
+
+	/* Lock covers the recursing list */
+	isc_mutex_t   reclock;
+	client_list_t recursing; /*%< Recursing clients */
+
+	/*%< mctx pool for clients. */
+	isc_mem_t **mctxpool;
+};
+
+/*% nameserver client structure */
+struct ns_client {
+	unsigned int	 magic;
+	isc_mem_t	*mctx;
+	bool		 allocated; /* Do we need to free it? */
+	ns_server_t	*sctx;
+	ns_clientmgr_t	*manager;
+	ns_clientstate_t state;
+	int		 nupdates;
+	bool		 nodetach;
+	bool		 shuttingdown;
+	unsigned int	 attributes;
+	isc_task_t	*task;
+	dns_view_t	*view;
+	dns_dispatch_t	*dispatch;
+	isc_nmhandle_t	*handle;	/* Permanent pointer to handle */
+	isc_nmhandle_t	*sendhandle;	/* Waiting for send callback */
+	isc_nmhandle_t	*reqhandle;	/* Waiting for request callback
+					   (query, update, notify) */
+	isc_nmhandle_t *fetchhandle;	/* Waiting for recursive fetch */
+	isc_nmhandle_t *prefetchhandle; /* Waiting for prefetch / rpzfetch */
+	isc_nmhandle_t *updatehandle;	/* Waiting for update callback */
+	unsigned char  *tcpbuf;
+	dns_message_t  *message;
+	unsigned char  *sendbuf;
+	dns_rdataset_t *opt;
+	uint16_t	udpsize;
+	uint16_t	extflags;
+	int16_t		ednsversion; /* -1 noedns */
+	void (*cleanup)(ns_client_t *);
+	ns_query_t    query;
+	isc_time_t    requesttime;
+	isc_stdtime_t now;
+	isc_time_t    tnow;
+	dns_name_t    signername; /*%< [T]SIG key name */
+	dns_name_t   *signer;	  /*%< NULL if not valid sig */
+	bool	      mortal;	  /*%< Die after handling request */
+	isc_quota_t  *recursionquota;
+
+	isc_sockaddr_t peeraddr;
+	bool	       peeraddr_valid;
+	isc_netaddr_t  destaddr;
+	isc_sockaddr_t destsockaddr;
+
+	dns_ecs_t ecs; /*%< EDNS client subnet sent by client */
+
+	struct in6_pktinfo pktinfo;
+	isc_dscp_t	   dscp;
+	/*%
+	 * Information about recent FORMERR response(s), for
+	 * FORMERR loop avoidance.  This is separate for each
+	 * client object rather than global only to avoid
+	 * the need for locking.
+	 */
+	struct {
+		isc_sockaddr_t	addr;
+		isc_stdtime_t	time;
+		dns_messageid_t id;
+	} formerrcache;
+
+	/*% Callback function to send a response when unit testing */
+	void (*sendcb)(isc_buffer_t *buf);
+
+	ISC_LINK(ns_client_t) rlink;
+	unsigned char  cookie[8];
+	uint32_t       expire;
+	unsigned char *keytag;
+	uint16_t       keytag_len;
+
+	/*%
+	 * Used to override the DNS response code in ns_client_error().
+	 * If set to -1, the rcode is determined from the result code,
+	 * but if set to any other value, the least significant 12
+	 * bits will be used as the rcode in the response message.
+	 */
+	int32_t rcode_override;
+};
+
+#define NS_CLIENT_MAGIC	   ISC_MAGIC('N', 'S', 'C', 'c')
+#define NS_CLIENT_VALID(c) ISC_MAGIC_VALID(c, NS_CLIENT_MAGIC)
+
+#define NS_CLIENTATTR_TCP	 0x00001
+#define NS_CLIENTATTR_RA	 0x00002 /*%< Client gets recursive service */
+#define NS_CLIENTATTR_PKTINFO	 0x00004 /*%< pktinfo is valid */
+#define NS_CLIENTATTR_MULTICAST	 0x00008 /*%< recv'd from multicast */
+#define NS_CLIENTATTR_WANTDNSSEC 0x00010 /*%< include dnssec records */
+#define NS_CLIENTATTR_WANTNSID	 0x00020 /*%< include nameserver ID */
+/* Obsolete: NS_CLIENTATTR_FILTER_AAAA	0x00040 */
+/* Obsolete: NS_CLIENTATTR_FILTER_AAAA_RC 0x00080 */
+#define NS_CLIENTATTR_WANTAD	   0x00100 /*%< want AD in response if possible */
+#define NS_CLIENTATTR_WANTCOOKIE   0x00200 /*%< return a COOKIE */
+#define NS_CLIENTATTR_HAVECOOKIE   0x00400 /*%< has a valid COOKIE */
+#define NS_CLIENTATTR_WANTEXPIRE   0x00800 /*%< return seconds to expire */
+#define NS_CLIENTATTR_HAVEEXPIRE   0x01000 /*%< return seconds to expire */
+#define NS_CLIENTATTR_WANTOPT	   0x02000 /*%< add opt to reply */
+#define NS_CLIENTATTR_HAVEECS	   0x04000 /*%< received an ECS option */
+#define NS_CLIENTATTR_WANTPAD	   0x08000 /*%< pad reply */
+#define NS_CLIENTATTR_USEKEEPALIVE 0x10000 /*%< use TCP keepalive */
+
+#define NS_CLIENTATTR_NOSETFC 0x20000 /*%< don't set servfail cache */
+
+/*
+ * Flag to use with the SERVFAIL cache to indicate
+ * that a query had the CD bit set.
+ */
+#define NS_FAILCACHE_CD 0x01
+
+#if defined(_WIN32) && !defined(_WIN64)
+LIBNS_EXTERNAL_DATA extern atomic_uint_fast32_t ns_client_requests;
+#else  /* if defined(_WIN32) && !defined(_WIN64) */
+LIBNS_EXTERNAL_DATA extern atomic_uint_fast64_t ns_client_requests;
+#endif /* if defined(_WIN32) && !defined(_WIN64) */
+
+/***
+ *** Functions
+ ***/
+
+/*
+ * Note!  These ns_client_ routines MUST be called ONLY from the client's
+ * task in order to ensure synchronization.
+ */
+
+void
+ns_client_send(ns_client_t *client);
+/*%<
+ * Finish processing the current client request and
+ * send client->message as a response.
+ * \brief
+ * Note!  These ns_client_ routines MUST be called ONLY from the client's
+ * task in order to ensure synchronization.
+ */
+
+void
+ns_client_sendraw(ns_client_t *client, dns_message_t *msg);
+/*%<
+ * Finish processing the current client request and
+ * send msg as a response using client->message->id for the id.
+ */
+
+void
+ns_client_error(ns_client_t *client, isc_result_t result);
+/*%<
+ * Finish processing the current client request and return
+ * an error response to the client.  The error response
+ * will have an RCODE determined by 'result'.
+ */
+
+void
+ns_client_drop(ns_client_t *client, isc_result_t result);
+/*%<
+ * Log the reason the current client request has failed; no response
+ * will be sent.
+ */
+
+bool
+ns_client_shuttingdown(ns_client_t *client);
+/*%<
+ * Return true iff the client is currently shutting down.
+ */
+
+isc_result_t
+ns_client_replace(ns_client_t *client);
+/*%<
+ * Try to replace the current client with a new one, so that the
+ * current one can go off and do some lengthy work without
+ * leaving the dispatch/socket without service.
+ */
+
+void
+ns_client_settimeout(ns_client_t *client, unsigned int seconds);
+/*%<
+ * Set a timer in the client to go off in the specified amount of time.
+ */
+
+isc_result_t
+ns_clientmgr_create(isc_mem_t *mctx, ns_server_t *sctx, isc_taskmgr_t *taskmgr,
+		    isc_timermgr_t *timermgr, ns_interface_t *ifp, int ncpus,
+		    ns_clientmgr_t **managerp);
+/*%<
+ * Create a client manager.
+ */
+
+void
+ns_clientmgr_shutdown(ns_clientmgr_t *manager);
+/*%<
+ * Shutdown a client manager and all ns_client_t objects
+ * managed by it.
+ */
+
+void
+ns_clientmgr_destroy(ns_clientmgr_t **managerp);
+/*%<
+ * Destroy a client manager.
+ */
+
+isc_sockaddr_t *
+ns_client_getsockaddr(ns_client_t *client);
+/*%<
+ * Get the socket address of the client whose request is
+ * currently being processed.
+ */
+
+isc_sockaddr_t *
+ns_client_getdestaddr(ns_client_t *client);
+/*%<
+ * Get the destination address (server) for the request that is
+ * currently being processed.
+ */
+
+isc_result_t
+ns_client_checkaclsilent(ns_client_t *client, isc_netaddr_t *netaddr,
+			 dns_acl_t *acl, bool default_allow);
+
+/*%<
+ * Convenience function for client request ACL checking.
+ *
+ * Check the current client request against 'acl'.  If 'acl'
+ * is NULL, allow the request iff 'default_allow' is true.
+ * If netaddr is NULL, check the ACL against client->peeraddr;
+ * otherwise check it against netaddr.
+ *
+ * Notes:
+ *\li	This is appropriate for checking allow-update,
+ * 	allow-query, allow-transfer, etc.  It is not appropriate
+ * 	for checking the blackhole list because we treat positive
+ * 	matches as "allow" and negative matches as "deny"; in
+ *	the case of the blackhole list this would be backwards.
+ *
+ * Requires:
+ *\li	'client' points to a valid client.
+ *\li	'netaddr' points to a valid address, or is NULL.
+ *\li	'acl' points to a valid ACL, or is NULL.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS	if the request should be allowed
+ * \li	DNS_R_REFUSED	if the request should be denied
+ *\li	No other return values are possible.
+ */
+
+isc_result_t
+ns_client_checkacl(ns_client_t *client, isc_sockaddr_t *sockaddr,
+		   const char *opname, dns_acl_t *acl, bool default_allow,
+		   int log_level);
+/*%<
+ * Like ns_client_checkaclsilent, except the outcome of the check is
+ * logged at log level 'log_level' if denied, and at debug 3 if approved.
+ * Log messages will refer to the request as an 'opname' request.
+ *
+ * Requires:
+ *\li	'client' points to a valid client.
+ *\li	'sockaddr' points to a valid address, or is NULL.
+ *\li	'acl' points to a valid ACL, or is NULL.
+ *\li	'opname' points to a null-terminated string.
+ */
+
+void
+ns_client_log(ns_client_t *client, isc_logcategory_t *category,
+	      isc_logmodule_t *module, int level, const char *fmt, ...)
+	ISC_FORMAT_PRINTF(5, 6);
+
+void
+ns_client_logv(ns_client_t *client, isc_logcategory_t *category,
+	       isc_logmodule_t *module, int level, const char *fmt, va_list ap)
+	ISC_FORMAT_PRINTF(5, 0);
+
+void
+ns_client_aclmsg(const char *msg, const dns_name_t *name, dns_rdatatype_t type,
+		 dns_rdataclass_t rdclass, char *buf, size_t len);
+
+#define NS_CLIENT_ACLMSGSIZE(x)                           \
+	(DNS_NAME_FORMATSIZE + DNS_RDATATYPE_FORMATSIZE + \
+	 DNS_RDATACLASS_FORMATSIZE + sizeof(x) + sizeof("'/'"))
+
+void
+ns_client_recursing(ns_client_t *client);
+/*%<
+ * Add client to end of th recursing list.
+ */
+
+void
+ns_client_killoldestquery(ns_client_t *client);
+/*%<
+ * Kill the oldest recursive query (recursing list head).
+ */
+
+void
+ns_client_dumprecursing(FILE *f, ns_clientmgr_t *manager);
+/*%<
+ * Dump the outstanding recursive queries to 'f'.
+ */
+
+void
+ns_client_qnamereplace(ns_client_t *client, dns_name_t *name);
+/*%<
+ * Replace the qname.
+ */
+
+isc_result_t
+ns_client_sourceip(dns_clientinfo_t *ci, isc_sockaddr_t **addrp);
+
+isc_result_t
+ns_client_addopt(ns_client_t *client, dns_message_t *message,
+		 dns_rdataset_t **opt);
+
+/*%<
+ * Get a client object from the inactive queue, or create one, as needed.
+ * (Not intended for use outside this module and associated tests.)
+ */
+
+void
+ns__client_request(isc_nmhandle_t *handle, isc_result_t eresult,
+		   isc_region_t *region, void *arg);
+
+/*%<
+ * Handle client requests.
+ * (Not intended for use outside this module and associated tests.)
+ */
+
+isc_result_t
+ns__client_tcpconn(isc_nmhandle_t *handle, isc_result_t result, void *arg);
+
+/*%<
+ * Called every time a TCP connection is establish.  This is used for
+ * updating TCP statistics.
+ */
+
+dns_rdataset_t *
+ns_client_newrdataset(ns_client_t *client);
+
+void
+ns_client_putrdataset(ns_client_t *client, dns_rdataset_t **rdatasetp);
+/*%<
+ * Get and release temporary rdatasets in the client message;
+ * used in query.c and in plugins.
+ */
+
+isc_result_t
+ns_client_newnamebuf(ns_client_t *client);
+/*%<
+ * Allocate a name buffer for the client message.
+ */
+
+dns_name_t *
+ns_client_newname(ns_client_t *client, isc_buffer_t *dbuf, isc_buffer_t *nbuf);
+/*%<
+ * Get a temporary name for the client message.
+ */
+
+isc_buffer_t *
+ns_client_getnamebuf(ns_client_t *client);
+/*%<
+ * Get a name buffer from the pool, or allocate a new one if needed.
+ */
+
+void
+ns_client_keepname(ns_client_t *client, dns_name_t *name, isc_buffer_t *dbuf);
+/*%<
+ * Adjust buffer 'dbuf' to reflect that 'name' is using space in it,
+ * and set client attributes appropriately.
+ */
+
+void
+ns_client_releasename(ns_client_t *client, dns_name_t **namep);
+/*%<
+ * Release 'name' back to the pool of temporary names for the client
+ * message. If it is using a name buffer, relinquish its exclusive
+ * rights on the buffer.
+ */
+
+isc_result_t
+ns_client_newdbversion(ns_client_t *client, unsigned int n);
+/*%<
+ * Allocate 'n' new database versions for use by client queries.
+ */
+
+ns_dbversion_t *
+ns_client_getdbversion(ns_client_t *client);
+/*%<
+ * Get a free database version for use by a client query, allocating
+ * a new one if necessary.
+ */
+
+ns_dbversion_t *
+ns_client_findversion(ns_client_t *client, dns_db_t *db);
+/*%<
+ * Find the correct database version to use with a client query.
+ * If we have already done a query related to the database 'db',
+ * make sure subsequent queries are from the same version;
+ * otherwise, take a database version from the list of dbversions
+ * allocated by ns_client_newdbversion().
+ */
+
+isc_result_t
+ns__client_setup(ns_client_t *client, ns_clientmgr_t *manager, bool new);
+/*%<
+ * Perform initial setup of an allocated client.
+ */
+
+void
+ns__client_reset_cb(void *client0);
+/*%<
+ * Reset the client object so that it can be reused.
+ */
+
+void
+ns__client_put_cb(void *client0);
+/*%<
+ * Free all resources allocated to this client object, so that
+ * it can be freed.
+ */
+
+#endif /* NS_CLIENT_H */
diff --git a/lib/ns/include/ns/hooks.h b/lib/ns/include/ns/hooks.h
new file mode 100644
index 0000000..db3846d
--- /dev/null
+++ b/lib/ns/include/ns/hooks.h
@@ -0,0 +1,420 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef NS_HOOKS_H
+#define NS_HOOKS_H 1
+
+/*! \file */
+
+#include <stdbool.h>
+
+#include <isc/list.h>
+#include <isc/magic.h>
+#include <isc/result.h>
+
+#include <dns/rdatatype.h>
+
+#include <ns/client.h>
+#include <ns/query.h>
+/*
+ * "Hooks" are a mechanism to call a defined function or set of functions once
+ * a certain place in code is reached.  Hook actions can inspect and alter the
+ * state of an ongoing process, allowing processing to continue afterward or
+ * triggering an early return.
+ *
+ * Currently hooks are used in two ways: in plugins, which use them to
+ * add functionality to query processing, and in the unit tests for libns,
+ * where they are used to inspect state before and after certain functions have
+ * run.
+ *
+ * Both of these uses are limited to libns, so hooks are currently defined in
+ * the ns/hooks.h header file, and hook-related macro and function names are
+ * prefixed with `NS_` and `ns_`.  However, the design is fairly generic and
+ * could be repurposed for general use, e.g. as part of libisc, after some
+ * further customization.
+ *
+ * Hooks are created by defining a hook point identifier in the ns_hookpoint_t
+ * enum below, and placing a special call at a corresponding location in the
+ * code which invokes the action(s) for that hook; there are two such special
+ * calls currently implemented, namely the CALL_HOOK() and CALL_HOOK_NORETURN()
+ * macros in query.c.  The former macro contains a "goto cleanup" statement
+ * which is inlined into the function into which the hook has been inserted;
+ * this enables the hook action to cause the calling function to return from
+ * the hook insertion point.  For functions returning isc_result_t, if a hook
+ * action intends to cause a return at hook insertion point, it also has to set
+ * the value to be returned by the calling function.
+ *
+ * A hook table is an array (indexed by the value of the hook point identifier)
+ * in which each cell contains a linked list of structures, each of which
+ * contains a function pointer to a hook action and a pointer to data which is
+ * to be passed to the action function when it is called.
+ *
+ * Each view has its own separate hook table, populated by loading plugin
+ * modules specified in the "plugin" statements in named.conf.  There is also a
+ * special, global hook table (ns__hook_table) that is only used by libns unit
+ * tests and whose existence can be safely ignored by plugin modules.
+ *
+ * Hook actions are functions which:
+ *
+ *   - return an ns_hookresult_t value:
+ *       - if NS_HOOK_RETURN is returned by the hook action, the function
+ *         into which the hook is inserted will return and no further hook
+ *         actions at the same hook point will be invoked,
+ *       - if NS_HOOK_CONTINUE is returned by the hook action and there are
+ *         further hook actions set up at the same hook point, they will be
+ *         processed; if NS_HOOK_CONTINUE is returned and there are no
+ *         further hook actions set up at the same hook point, execution of
+ *         the function into which the hook has been inserted will be
+ *         resumed.
+ *
+ *   - accept three pointers as arguments:
+ *       - a pointer specified by the special call at the hook insertion point,
+ *       - a pointer specified upon inserting the action into the hook table,
+ *       - a pointer to an isc_result_t value which will be returned by the
+ *         function into which the hook is inserted if the action returns
+ *         NS_HOOK_RETURN.
+ *
+ * In order for a hook action to be called for a given hook, a pointer to that
+ * action function (along with an optional pointer to action-specific data) has
+ * to be inserted into the relevant hook table entry for that hook using an
+ * ns_hook_add() call.  If multiple actions are set up at a single hook point
+ * (e.g. by multiple plugin modules), they are processed in FIFO order, that is
+ * they are performed in the same order in which their relevant ns_hook_add()
+ * calls were issued.  Since the configuration is loaded from a single thread,
+ * this means that multiple actions at a single hook point are determined by
+ * the order in which the relevant plugin modules were declared in the
+ * configuration file(s).  The hook API currently does not support changing
+ * this order.
+ *
+ * As an example, consider the following hypothetical function in query.c:
+ *
+ * ----------------------------------------------------------------------------
+ * static isc_result_t
+ * query_foo(query_ctx_t *qctx) {
+ *     isc_result_t result;
+ *
+ *     CALL_HOOK(NS_QUERY_FOO_BEGIN, qctx);
+ *
+ *     ns_client_log(qctx->client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY,
+ *                   ISC_LOG_DEBUG(99), "Lorem ipsum dolor sit amet...");
+ *
+ *     result = ISC_R_COMPLETE;
+ *
+ *  cleanup:
+ *     return (result);
+ * }
+ * ----------------------------------------------------------------------------
+ *
+ * and the following hook action:
+ *
+ * ----------------------------------------------------------------------------
+ * static ns_hookresult_t
+ * cause_failure(void *hook_data, void *action_data, isc_result_t *resultp) {
+ *     UNUSED(hook_data);
+ *     UNUSED(action_data);
+ *
+ *     *resultp = ISC_R_FAILURE;
+ *
+ *     return (NS_HOOK_RETURN);
+ * }
+ * ----------------------------------------------------------------------------
+ *
+ * If this hook action was installed in the hook table using:
+ *
+ * ----------------------------------------------------------------------------
+ * const ns_hook_t foo_fail = {
+ *     .action = cause_failure,
+ * };
+ *
+ * ns_hook_add(..., NS_QUERY_FOO_BEGIN, &foo_fail);
+ * ----------------------------------------------------------------------------
+ *
+ * then query_foo() would return ISC_R_FAILURE every time it is called due
+ * to the cause_failure() hook action returning NS_HOOK_RETURN and setting
+ * '*resultp' to ISC_R_FAILURE.  query_foo() would also never log the
+ * "Lorem ipsum dolor sit amet..." message.
+ *
+ * Consider a different hook action:
+ *
+ * ----------------------------------------------------------------------------
+ * static ns_hookresult_t
+ * log_qtype(void *hook_data, void *action_data, isc_result_t *resultp) {
+ *     query_ctx_t *qctx = (query_ctx_t *)hook_data;
+ *     FILE *stream = (FILE *)action_data;
+ *
+ *     UNUSED(resultp);
+ *
+ *     fprintf(stream, "QTYPE=%u\n", qctx->qtype);
+ *
+ *     return (NS_HOOK_CONTINUE);
+ * }
+ * ----------------------------------------------------------------------------
+ *
+ * If this hook action was installed in the hook table instead of
+ * cause_failure(), using:
+ *
+ * ----------------------------------------------------------------------------
+ * const ns_hook_t foo_log_qtype = {
+ *     .action = log_qtype,
+ *     .action_data = stderr,
+ * };
+ *
+ * ns_hook_add(..., NS_QUERY_FOO_BEGIN, &foo_log_qtype);
+ * ----------------------------------------------------------------------------
+ *
+ * then the QTYPE stored in the query context passed to query_foo() would be
+ * logged to stderr upon each call to that function; 'qctx' would be passed to
+ * the hook action in 'hook_data' since it is specified in the CALL_HOOK() call
+ * inside query_foo() while stderr would be passed to the hook action in
+ * 'action_data' since it is specified in the ns_hook_t structure passed to
+ * ns_hook_add().  As the hook action returns NS_HOOK_CONTINUE,
+ * query_foo() would also be logging the "Lorem ipsum dolor sit amet..."
+ * message before returning ISC_R_COMPLETE.
+ */
+
+/*!
+ * Currently-defined hook points. So long as these are unique,
+ * the order in which they are declared is unimportant, but
+ * currently matches the order in which they are referenced in
+ * query.c.
+ */
+typedef enum {
+	/* hookpoints from query.c */
+	NS_QUERY_QCTX_INITIALIZED,
+	NS_QUERY_QCTX_DESTROYED,
+	NS_QUERY_SETUP,
+	NS_QUERY_START_BEGIN,
+	NS_QUERY_LOOKUP_BEGIN,
+	NS_QUERY_RESUME_BEGIN,
+	NS_QUERY_RESUME_RESTORED,
+	NS_QUERY_GOT_ANSWER_BEGIN,
+	NS_QUERY_RESPOND_ANY_BEGIN,
+	NS_QUERY_RESPOND_ANY_FOUND,
+	NS_QUERY_ADDANSWER_BEGIN,
+	NS_QUERY_RESPOND_BEGIN,
+	NS_QUERY_NOTFOUND_BEGIN,
+	NS_QUERY_NOTFOUND_RECURSE,
+	NS_QUERY_PREP_DELEGATION_BEGIN,
+	NS_QUERY_ZONE_DELEGATION_BEGIN,
+	NS_QUERY_DELEGATION_BEGIN,
+	NS_QUERY_DELEGATION_RECURSE_BEGIN,
+	NS_QUERY_NODATA_BEGIN,
+	NS_QUERY_NXDOMAIN_BEGIN,
+	NS_QUERY_NCACHE_BEGIN,
+	NS_QUERY_ZEROTTL_RECURSE,
+	NS_QUERY_CNAME_BEGIN,
+	NS_QUERY_DNAME_BEGIN,
+	NS_QUERY_PREP_RESPONSE_BEGIN,
+	NS_QUERY_DONE_BEGIN,
+	NS_QUERY_DONE_SEND,
+
+	/* XXX other files could be added later */
+
+	NS_HOOKPOINTS_COUNT /* MUST BE LAST */
+} ns_hookpoint_t;
+
+/*
+ * Returned by a hook action to indicate how to proceed after it has
+ * been called: continue processing, or return immediately.
+ */
+typedef enum {
+	NS_HOOK_CONTINUE,
+	NS_HOOK_RETURN,
+} ns_hookresult_t;
+
+typedef ns_hookresult_t (*ns_hook_action_t)(void *arg, void *data,
+					    isc_result_t *resultp);
+
+typedef struct ns_hook {
+	isc_mem_t	*mctx;
+	ns_hook_action_t action;
+	void		*action_data;
+	ISC_LINK(struct ns_hook) link;
+} ns_hook_t;
+
+typedef ISC_LIST(ns_hook_t) ns_hooklist_t;
+typedef ns_hooklist_t ns_hooktable_t[NS_HOOKPOINTS_COUNT];
+
+/*%
+ * ns__hook_table is a global hook table, which is used if view->hooktable
+ * is NULL.  It's intended only for use by unit tests.
+ */
+LIBNS_EXTERNAL_DATA extern ns_hooktable_t *ns__hook_table;
+
+/*
+ * Plugin API version
+ *
+ * When the API changes, increment NS_PLUGIN_VERSION. If the
+ * change is backward-compatible (e.g., adding a new function call
+ * but not changing or removing an old one), increment NS_PLUGIN_AGE
+ * as well; if not, set NS_PLUGIN_AGE to 0.
+ */
+#ifndef NS_PLUGIN_VERSION
+#define NS_PLUGIN_VERSION 1
+#define NS_PLUGIN_AGE	  0
+#endif /* ifndef NS_PLUGIN_VERSION */
+
+typedef isc_result_t
+ns_plugin_register_t(const char *parameters, const void *cfg, const char *file,
+		     unsigned long line, isc_mem_t *mctx, isc_log_t *lctx,
+		     void *actx, ns_hooktable_t *hooktable, void **instp);
+/*%<
+ * Called when registering a new plugin.
+ *
+ * 'parameters' contains the plugin configuration text.
+ *
+ * '*instp' will be set to the module instance handle if the function
+ * is successful.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	Other errors are possible
+ */
+
+typedef void
+ns_plugin_destroy_t(void **instp);
+/*%<
+ * Destroy a plugin instance.
+ *
+ * '*instp' must be set to NULL by the function before it returns.
+ */
+
+typedef isc_result_t
+ns_plugin_check_t(const char *parameters, const void *cfg, const char *file,
+		  unsigned long line, isc_mem_t *mctx, isc_log_t *lctx,
+		  void *actx);
+/*%<
+ * Check the validity of 'parameters'.
+ */
+
+typedef int
+ns_plugin_version_t(void);
+/*%<
+ * Return the API version number a plugin was compiled with.
+ *
+ * If the returned version number is no greater than
+ * NS_PLUGIN_VERSION, and no less than NS_PLUGIN_VERSION - NS_PLUGIN_AGE,
+ * then the module is API-compatible with named.
+ */
+
+/*%
+ * Prototypes for API functions to be defined in each module.
+ */
+ns_plugin_check_t    plugin_check;
+ns_plugin_destroy_t  plugin_destroy;
+ns_plugin_register_t plugin_register;
+ns_plugin_version_t  plugin_version;
+
+isc_result_t
+ns_plugin_expandpath(const char *src, char *dst, size_t dstsize);
+/*%<
+ * Prepare the plugin location to be passed to dlopen() based on the plugin
+ * path or filename found in the configuration file ('src').  Store the result
+ * in 'dst', which is 'dstsize' bytes large.
+ *
+ * On Unix systems, two classes of 'src' are recognized:
+ *
+ *   - If 'src' is an absolute or relative path, it will be copied to 'dst'
+ *     verbatim.
+ *
+ *   - If 'src' is a filename (i.e. does not contain a path separator), the
+ *     path to the directory into which named plugins are installed will be
+ *     prepended to it and the result will be stored in 'dst'.
+ *
+ * On Windows, 'src' is always copied to 'dst' verbatim.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS	Success
+ *\li	#ISC_R_NOSPACE	'dst' is not large enough to hold the output string
+ *\li	Other result	snprintf() returned a negative value
+ */
+
+isc_result_t
+ns_plugin_register(const char *modpath, const char *parameters, const void *cfg,
+		   const char *cfg_file, unsigned long cfg_line,
+		   isc_mem_t *mctx, isc_log_t *lctx, void *actx,
+		   dns_view_t *view);
+/*%<
+ * Load the plugin module specified from the file 'modpath', and
+ * register an instance using 'parameters'.
+ *
+ * 'cfg_file' and 'cfg_line' specify the location of the plugin
+ * declaration in the configuration file.
+ *
+ * 'cfg' and 'actx' are the configuration context and ACL configuration
+ * context, respectively; they are passed as void * here in order to
+ * prevent this library from having a dependency on libisccfg).
+ *
+ * 'instp' will be left pointing to the instance of the plugin
+ * created by the module's plugin_register function.
+ */
+
+isc_result_t
+ns_plugin_check(const char *modpath, const char *parameters, const void *cfg,
+		const char *cfg_file, unsigned long cfg_line, isc_mem_t *mctx,
+		isc_log_t *lctx, void *actx);
+/*%<
+ * Open the plugin module at 'modpath' and check the validity of
+ * 'parameters', logging any errors or warnings found, then
+ * close it without configuring it.
+ */
+
+void
+ns_plugins_create(isc_mem_t *mctx, ns_plugins_t **listp);
+/*%<
+ * Create and initialize a plugin list.
+ */
+
+void
+ns_plugins_free(isc_mem_t *mctx, void **listp);
+/*%<
+ * Close each plugin module in a plugin list, then free the list object.
+ */
+
+void
+ns_hooktable_free(isc_mem_t *mctx, void **tablep);
+/*%<
+ * Free a hook table.
+ */
+
+void
+ns_hook_add(ns_hooktable_t *hooktable, isc_mem_t *mctx,
+	    ns_hookpoint_t hookpoint, const ns_hook_t *hook);
+/*%<
+ * Allocate (using memory context 'mctx') a copy of the 'hook' structure
+ * describing a hook action and append it to the list of hooks at 'hookpoint'
+ * in 'hooktable'.
+ *
+ * Requires:
+ *\li 'hooktable' is not NULL
+ *
+ *\li 'mctx' is not NULL
+ *
+ *\li 'hookpoint' is less than NS_QUERY_HOOKS_COUNT
+ *
+ *\li 'hook' is not NULL
+ */
+
+void
+ns_hooktable_init(ns_hooktable_t *hooktable);
+/*%<
+ * Initialize a hook table.
+ */
+
+isc_result_t
+ns_hooktable_create(isc_mem_t *mctx, ns_hooktable_t **tablep);
+/*%<
+ * Allocate and initialize a hook table.
+ */
+#endif /* NS_HOOKS_H */
diff --git a/lib/ns/include/ns/interfacemgr.h b/lib/ns/include/ns/interfacemgr.h
new file mode 100644
index 0000000..9f696e2
--- /dev/null
+++ b/lib/ns/include/ns/interfacemgr.h
@@ -0,0 +1,202 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef NS_INTERFACEMGR_H
+#define NS_INTERFACEMGR_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file
+ * \brief
+ * The interface manager monitors the operating system's list
+ * of network interfaces, creating and destroying listeners
+ * as needed.
+ *
+ * Reliability:
+ *\li	No impact expected.
+ *
+ * Resources:
+ *
+ * Security:
+ * \li	The server will only be able to bind to the DNS port on
+ *	newly discovered interfaces if it is running as root.
+ *
+ * Standards:
+ *\li	The API for scanning varies greatly among operating systems.
+ *	This module attempts to hide the differences.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <stdbool.h>
+
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/netmgr.h>
+#include <isc/refcount.h>
+#include <isc/socket.h>
+
+#include <dns/geoip.h>
+#include <dns/result.h>
+
+#include <ns/listenlist.h>
+#include <ns/types.h>
+
+/***
+ *** Types
+ ***/
+
+#define IFACE_MAGIC	      ISC_MAGIC('I', ':', '-', ')')
+#define NS_INTERFACE_VALID(t) ISC_MAGIC_VALID(t, IFACE_MAGIC)
+
+#define NS_INTERFACEFLAG_ANYADDR 0x01U /*%< bound to "any" address */
+#define MAX_UDP_DISPATCH                           \
+	128 /*%< Maximum number of UDP dispatchers \
+	     *           to start per interface */
+/*% The nameserver interface structure */
+struct ns_interface {
+	unsigned int	   magic; /*%< Magic number. */
+	ns_interfacemgr_t *mgr;	  /*%< Interface manager. */
+	isc_mutex_t	   lock;
+	isc_refcount_t	   references;
+	unsigned int	   generation; /*%< Generation number. */
+	isc_sockaddr_t	   addr;       /*%< Address and port. */
+	unsigned int	   flags;      /*%< Interface flags */
+	char		   name[32];   /*%< Null terminated. */
+	dns_dispatch_t	  *udpdispatch[MAX_UDP_DISPATCH];
+	/*%< UDP dispatchers. */
+	isc_socket_t   *tcpsocket; /*%< TCP socket. */
+	isc_nmsocket_t *udplistensocket;
+	isc_nmsocket_t *tcplistensocket;
+	isc_dscp_t	dscp;	       /*%< "listen-on" DSCP value */
+	isc_refcount_t	ntcpaccepting; /*%< Number of clients
+					*   ready to accept new
+					*   TCP connections on this
+					*   interface */
+	isc_refcount_t ntcpactive;     /*%< Number of clients
+					*   servicing TCP queries
+					*   (whether accepting or
+					*   connected) */
+	int		nudpdispatch;  /*%< Number of UDP dispatches */
+	ns_clientmgr_t *clientmgr;     /*%< Client manager. */
+	ISC_LINK(ns_interface_t) link;
+};
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t
+ns_interfacemgr_create(isc_mem_t *mctx, ns_server_t *sctx,
+		       isc_taskmgr_t *taskmgr, isc_timermgr_t *timermgr,
+		       isc_socketmgr_t *socketmgr, isc_nm_t *nm,
+		       dns_dispatchmgr_t *dispatchmgr, isc_task_t *task,
+		       unsigned int udpdisp, dns_geoip_databases_t *geoip,
+		       int ncpus, ns_interfacemgr_t **mgrp);
+/*%<
+ * Create a new interface manager.
+ *
+ * Initially, the new manager will not listen on any interfaces.
+ * Call ns_interfacemgr_setlistenon() and/or ns_interfacemgr_setlistenon6()
+ * to set nonempty listen-on lists.
+ */
+
+void
+ns_interfacemgr_attach(ns_interfacemgr_t *source, ns_interfacemgr_t **target);
+
+void
+ns_interfacemgr_detach(ns_interfacemgr_t **targetp);
+
+void
+ns_interfacemgr_shutdown(ns_interfacemgr_t *mgr);
+
+void
+ns_interfacemgr_setbacklog(ns_interfacemgr_t *mgr, int backlog);
+/*%<
+ * Set the size of the listen() backlog queue.
+ */
+
+bool
+ns_interfacemgr_islistening(ns_interfacemgr_t *mgr);
+/*%<
+ * Return if the manager is listening on any interface. It can be called
+ * after a scan or adjust.
+ */
+
+isc_result_t
+ns_interfacemgr_scan(ns_interfacemgr_t *mgr, bool verbose);
+/*%<
+ * Scan the operatings system's list of network interfaces
+ * and create listeners when new interfaces are discovered.
+ * Shut down the sockets for interfaces that go away.
+ *
+ * This should be called once on server startup and then
+ * periodically according to the 'interface-interval' option
+ * in named.conf.
+ */
+
+void
+ns_interfacemgr_setlistenon4(ns_interfacemgr_t *mgr, ns_listenlist_t *value);
+/*%<
+ * Set the IPv4 "listen-on" list of 'mgr' to 'value'.
+ * The previous IPv4 listen-on list is freed.
+ */
+
+void
+ns_interfacemgr_setlistenon6(ns_interfacemgr_t *mgr, ns_listenlist_t *value);
+/*%<
+ * Set the IPv6 "listen-on" list of 'mgr' to 'value'.
+ * The previous IPv6 listen-on list is freed.
+ */
+
+dns_aclenv_t *
+ns_interfacemgr_getaclenv(ns_interfacemgr_t *mgr);
+
+void
+ns_interface_attach(ns_interface_t *source, ns_interface_t **target);
+
+void
+ns_interface_detach(ns_interface_t **targetp);
+
+void
+ns_interface_shutdown(ns_interface_t *ifp);
+/*%<
+ * Stop listening for queries on interface 'ifp'.
+ * May safely be called multiple times.
+ */
+
+void
+ns_interfacemgr_dumprecursing(FILE *f, ns_interfacemgr_t *mgr);
+
+bool
+ns_interfacemgr_listeningon(ns_interfacemgr_t *mgr, const isc_sockaddr_t *addr);
+
+ns_server_t *
+ns_interfacemgr_getserver(ns_interfacemgr_t *mgr);
+/*%<
+ * Returns the ns_server object associated with the interface manager.
+ */
+
+ns_interface_t *
+ns__interfacemgr_getif(ns_interfacemgr_t *mgr);
+ns_interface_t *
+ns__interfacemgr_nextif(ns_interface_t *ifp);
+/*
+ * Functions to allow external callers to walk the interfaces list.
+ * (Not intended for use outside this module and associated tests.)
+ */
+#endif /* NS_INTERFACEMGR_H */
diff --git a/lib/ns/include/ns/lib.h b/lib/ns/include/ns/lib.h
new file mode 100644
index 0000000..8c1d113
--- /dev/null
+++ b/lib/ns/include/ns/lib.h
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#pragma once
+
+/*! \file include/ns/lib.h */
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+LIBNS_EXTERNAL_DATA extern unsigned int ns_pps;
+
+isc_result_t
+ns_lib_init(void);
+/*%<
+ * A set of initialization procedures used in the NS library.
+ */
+
+void
+ns_lib_shutdown(void);
+/*%<
+ * Free temporary resources allocated in ns_lib_init().
+ */
+
+ISC_LANG_ENDDECLS
diff --git a/lib/ns/include/ns/listenlist.h b/lib/ns/include/ns/listenlist.h
new file mode 100644
index 0000000..74ff87b
--- /dev/null
+++ b/lib/ns/include/ns/listenlist.h
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef NS_LISTENLIST_H
+#define NS_LISTENLIST_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file
+ * \brief
+ * "Listen lists", as in the "listen-on" configuration statement.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <stdbool.h>
+
+#include <isc/net.h>
+
+#include <dns/types.h>
+
+/***
+ *** Types
+ ***/
+
+typedef struct ns_listenelt  ns_listenelt_t;
+typedef struct ns_listenlist ns_listenlist_t;
+
+struct ns_listenelt {
+	isc_mem_t *mctx;
+	in_port_t  port;
+	isc_dscp_t dscp; /* -1 = not set, 0..63 */
+	dns_acl_t *acl;
+	ISC_LINK(ns_listenelt_t) link;
+};
+
+struct ns_listenlist {
+	isc_mem_t *mctx;
+	int	   refcount;
+	ISC_LIST(ns_listenelt_t) elts;
+};
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t
+ns_listenelt_create(isc_mem_t *mctx, in_port_t port, isc_dscp_t dscp,
+		    dns_acl_t *acl, ns_listenelt_t **target);
+/*%<
+ * Create a listen-on list element.
+ */
+
+void
+ns_listenelt_destroy(ns_listenelt_t *elt);
+/*%<
+ * Destroy a listen-on list element.
+ */
+
+isc_result_t
+ns_listenlist_create(isc_mem_t *mctx, ns_listenlist_t **target);
+/*%<
+ * Create a new, empty listen-on list.
+ */
+
+void
+ns_listenlist_attach(ns_listenlist_t *source, ns_listenlist_t **target);
+/*%<
+ * Attach '*target' to '*source'.
+ */
+
+void
+ns_listenlist_detach(ns_listenlist_t **listp);
+/*%<
+ * Detach 'listp'.
+ */
+
+isc_result_t
+ns_listenlist_default(isc_mem_t *mctx, in_port_t port, isc_dscp_t dscp,
+		      bool enabled, ns_listenlist_t **target);
+/*%<
+ * Create a listen-on list with default contents, matching
+ * all addresses with port 'port' (if 'enabled' is true),
+ * or no addresses (if 'enabled' is false).
+ */
+
+#endif /* NS_LISTENLIST_H */
diff --git a/lib/ns/include/ns/log.h b/lib/ns/include/ns/log.h
new file mode 100644
index 0000000..eb12ff6
--- /dev/null
+++ b/lib/ns/include/ns/log.h
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef NS_LOG_H
+#define NS_LOG_H 1
+
+/*! \file */
+
+#include <isc/log.h>
+#include <isc/types.h>
+
+LIBNS_EXTERNAL_DATA extern isc_log_t	    *ns_lctx;
+LIBNS_EXTERNAL_DATA extern isc_logcategory_t ns_categories[];
+LIBNS_EXTERNAL_DATA extern isc_logmodule_t   ns_modules[];
+
+#define NS_LOGCATEGORY_CLIENT	       (&ns_categories[0])
+#define NS_LOGCATEGORY_NETWORK	       (&ns_categories[1])
+#define NS_LOGCATEGORY_UPDATE	       (&ns_categories[2])
+#define NS_LOGCATEGORY_QUERIES	       (&ns_categories[3])
+#define NS_LOGCATEGORY_UPDATE_SECURITY (&ns_categories[4])
+#define NS_LOGCATEGORY_QUERY_ERRORS    (&ns_categories[5])
+#define NS_LOGCATEGORY_TAT	       (&ns_categories[6])
+#define NS_LOGCATEGORY_SERVE_STALE     (&ns_categories[7])
+
+/*
+ * Backwards compatibility.
+ */
+#define NS_LOGCATEGORY_GENERAL ISC_LOGCATEGORY_GENERAL
+
+#define NS_LOGMODULE_CLIENT	  (&ns_modules[0])
+#define NS_LOGMODULE_QUERY	  (&ns_modules[1])
+#define NS_LOGMODULE_INTERFACEMGR (&ns_modules[2])
+#define NS_LOGMODULE_UPDATE	  (&ns_modules[3])
+#define NS_LOGMODULE_XFER_IN	  (&ns_modules[4])
+#define NS_LOGMODULE_XFER_OUT	  (&ns_modules[5])
+#define NS_LOGMODULE_NOTIFY	  (&ns_modules[6])
+#define NS_LOGMODULE_HOOKS	  (&ns_modules[7])
+
+void
+ns_log_init(isc_log_t *lctx);
+/*%<
+ * Make the libns categories and modules available for use with the
+ * ISC logging library.
+ *
+ * Requires:
+ *\li	lctx is a valid logging context.
+ *
+ *\li	ns_log_init() is called only once.
+ *
+ * Ensures:
+ *\li	The categories and modules defined above are available for
+ * 	use by isc_log_usechannnel() and isc_log_write().
+ */
+
+void
+ns_log_setcontext(isc_log_t *lctx);
+/*%<
+ * Make the libns library use the provided context for logging internal
+ * messages.
+ *
+ * Requires:
+ *\li	lctx is a valid logging context.
+ */
+#endif /* NS_LOG_H */
diff --git a/lib/ns/include/ns/notify.h b/lib/ns/include/ns/notify.h
new file mode 100644
index 0000000..2c5fcf3
--- /dev/null
+++ b/lib/ns/include/ns/notify.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef NS_NOTIFY_H
+#define NS_NOTIFY_H 1
+
+#include <ns/client.h>
+
+/***
+ ***	Module Info
+ ***/
+
+/*! \file
+ * \brief
+ *	RFC1996
+ *	A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY)
+ */
+
+/***
+ ***	Functions.
+ ***/
+
+void
+ns_notify_start(ns_client_t *client, isc_nmhandle_t *handle);
+
+/*%<
+ *	Examines the incoming message to determine appropriate zone.
+ *	Returns FORMERR if there is not exactly one question.
+ *	Returns REFUSED if we do not serve the listed zone.
+ *	Pass the message to the zone module for processing
+ *	and returns the return status.
+ *
+ * Requires
+ *\li	client to be valid.
+ */
+
+#endif /* NS_NOTIFY_H */
diff --git a/lib/ns/include/ns/query.h b/lib/ns/include/ns/query.h
new file mode 100644
index 0000000..be0dadd
--- /dev/null
+++ b/lib/ns/include/ns/query.h
@@ -0,0 +1,235 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef NS_QUERY_H
+#define NS_QUERY_H 1
+
+/*! \file */
+
+#include <stdbool.h>
+
+#include <isc/buffer.h>
+#include <isc/netaddr.h>
+#include <isc/types.h>
+
+#include <dns/rdataset.h>
+#include <dns/resolver.h>
+#include <dns/rpz.h>
+#include <dns/types.h>
+
+#include <ns/types.h>
+
+/*% nameserver database version structure */
+typedef struct ns_dbversion {
+	dns_db_t	*db;
+	dns_dbversion_t *version;
+	bool		 acl_checked;
+	bool		 queryok;
+	ISC_LINK(struct ns_dbversion) link;
+} ns_dbversion_t;
+
+/*%
+ * nameserver recursion parameters, to uniquely identify a recursion
+ * query; this is used to detect a recursion loop
+ */
+typedef struct ns_query_recparam {
+	dns_rdatatype_t qtype;
+	dns_name_t     *qname;
+	dns_fixedname_t fqname;
+	dns_name_t     *qdomain;
+	dns_fixedname_t fqdomain;
+} ns_query_recparam_t;
+
+/*% nameserver query structure */
+struct ns_query {
+	unsigned int	 attributes;
+	unsigned int	 restarts;
+	bool		 timerset;
+	dns_name_t	*qname;
+	dns_name_t	*origqname;
+	dns_rdatatype_t	 qtype;
+	unsigned int	 dboptions;
+	unsigned int	 fetchoptions;
+	dns_db_t	*gluedb;
+	dns_db_t	*authdb;
+	dns_zone_t	*authzone;
+	bool		 authdbset;
+	bool		 isreferral;
+	isc_mutex_t	 fetchlock;
+	dns_fetch_t	*fetch;
+	dns_fetch_t	*prefetch;
+	dns_rpz_st_t	*rpz_st;
+	isc_bufferlist_t namebufs;
+	ISC_LIST(ns_dbversion_t) activeversions;
+	ISC_LIST(ns_dbversion_t) freeversions;
+	dns_rdataset_t *dns64_aaaa;
+	dns_rdataset_t *dns64_sigaaaa;
+	bool	       *dns64_aaaaok;
+	unsigned int	dns64_aaaaoklen;
+	unsigned int	dns64_options;
+	unsigned int	dns64_ttl;
+
+	struct {
+		dns_db_t       *db;
+		dns_zone_t     *zone;
+		dns_dbnode_t   *node;
+		dns_rdatatype_t qtype;
+		dns_name_t     *fname;
+		dns_fixedname_t fixed;
+		isc_result_t	result;
+		dns_rdataset_t *rdataset;
+		dns_rdataset_t *sigrdataset;
+		bool		authoritative;
+		bool		is_zone;
+	} redirect;
+
+	ns_query_recparam_t recparam;
+
+	dns_keytag_t root_key_sentinel_keyid;
+	bool	     root_key_sentinel_is_ta;
+	bool	     root_key_sentinel_not_ta;
+};
+
+#define NS_QUERYATTR_RECURSIONOK     0x000001
+#define NS_QUERYATTR_CACHEOK	     0x000002
+#define NS_QUERYATTR_PARTIALANSWER   0x000004
+#define NS_QUERYATTR_NAMEBUFUSED     0x000008
+#define NS_QUERYATTR_RECURSING	     0x000010
+#define NS_QUERYATTR_QUERYOKVALID    0x000040
+#define NS_QUERYATTR_QUERYOK	     0x000080
+#define NS_QUERYATTR_WANTRECURSION   0x000100
+#define NS_QUERYATTR_SECURE	     0x000200
+#define NS_QUERYATTR_NOAUTHORITY     0x000400
+#define NS_QUERYATTR_NOADDITIONAL    0x000800
+#define NS_QUERYATTR_CACHEACLOKVALID 0x001000
+#define NS_QUERYATTR_CACHEACLOK	     0x002000
+#define NS_QUERYATTR_DNS64	     0x004000
+#define NS_QUERYATTR_DNS64EXCLUDE    0x008000
+#define NS_QUERYATTR_RRL_CHECKED     0x010000
+#define NS_QUERYATTR_REDIRECT	     0x020000
+#define NS_QUERYATTR_ANSWERED	     0x040000
+#define NS_QUERYATTR_STALEOK	     0x080000
+#define NS_QUERYATTR_STALEPENDING    0x100000
+
+typedef struct query_ctx query_ctx_t;
+
+/* query context structure */
+struct query_ctx {
+	isc_buffer_t *dbuf;	     /* name buffer */
+	dns_name_t   *fname;	     /* found name from DB lookup */
+	dns_name_t   *tname;	     /* temporary name, used
+				      * when processing ANY
+				      * queries */
+	dns_rdataset_t *rdataset;    /* found rdataset */
+	dns_rdataset_t *sigrdataset; /* found sigrdataset */
+	dns_rdataset_t *noqname;     /* rdataset needing
+				      * NOQNAME proof */
+	dns_rdatatype_t qtype;
+	dns_rdatatype_t type;
+
+	unsigned int options; /* DB lookup options */
+
+	bool redirected; /* nxdomain redirected? */
+	bool is_zone;	 /* is DB a zone DB? */
+	bool is_staticstub_zone;
+	bool resuming; /* resumed from recursion? */
+	bool dns64, dns64_exclude, rpz;
+	bool authoritative;		    /* authoritative query? */
+	bool want_restart;		    /* CNAME chain or other
+					     * restart needed */
+	bool		refresh_rrset;	    /* stale RRset refresh needed */
+	bool		need_wildcardproof; /* wildcard proof needed */
+	bool		nxrewrite;	    /* negative answer from RPZ */
+	bool		findcoveringnsec;   /* lookup covering NSEC */
+	bool		answer_has_ns;	    /* NS is in answer */
+	dns_fixedname_t wildcardname;	    /* name needing wcard proof */
+	dns_fixedname_t dsname;		    /* name needing DS */
+
+	ns_client_t *client;	    /* client object */
+	bool	     detach_client; /* client needs detaching */
+
+	dns_fetchevent_t *event; /* recursion event */
+
+	dns_db_t	*db;	  /* zone or cache database */
+	dns_dbversion_t *version; /* DB version */
+	dns_dbnode_t	*node;	  /* DB node */
+
+	dns_db_t	*zdb;	 /* zone DB values, saved */
+	dns_dbnode_t	*znode;	 /* while searching cache */
+	dns_name_t	*zfname; /* for a better answer */
+	dns_dbversion_t *zversion;
+	dns_rdataset_t	*zrdataset;
+	dns_rdataset_t	*zsigrdataset;
+
+	dns_rpz_st_t *rpz_st; /* RPZ state */
+	dns_zone_t   *zone;   /* zone to search */
+
+	dns_view_t *view; /* client view */
+
+	isc_result_t result; /* query result */
+	int	     line;   /* line to report error */
+};
+
+isc_result_t
+ns_query_done(query_ctx_t *qctx);
+/*%<
+ * Finalize this phase of the query process:
+ *
+ * - Clean up.
+ * - If we have an answer ready (positive or negative), send it.
+ * - If we need to restart for a chaining query, call ns__query_start() again.
+ * - If we've started recursion, then just clean up; things will be
+ *   restarted via fetch_callback()/query_resume().
+ */
+
+isc_result_t
+ns_query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
+		 dns_name_t *qdomain, dns_rdataset_t *nameservers,
+		 bool resuming);
+/*%<
+ * Prepare client for recursion, then create a resolver fetch, with
+ * the event callback set to fetch_callback(). Afterward we terminate
+ * this phase of the query, and resume with a new query context when
+ * recursion completes.
+ */
+
+isc_result_t
+ns_query_init(ns_client_t *client);
+
+void
+ns_query_free(ns_client_t *client);
+
+void
+ns_query_start(ns_client_t *client, isc_nmhandle_t *handle);
+
+void
+ns_query_cancel(ns_client_t *client);
+
+/*
+ * The following functions are expected to be used only within query.c
+ * and query modules.
+ */
+
+isc_result_t
+ns__query_sfcache(query_ctx_t *qctx);
+/*%<
+ * (Must not be used outside this module and its associated unit tests.)
+ */
+
+isc_result_t
+ns__query_start(query_ctx_t *qctx);
+/*%<
+ * (Must not be used outside this module and its associated unit tests.)
+ */
+
+#endif /* NS_QUERY_H */
diff --git a/lib/ns/include/ns/server.h b/lib/ns/include/ns/server.h
new file mode 100644
index 0000000..6ace9f3
--- /dev/null
+++ b/lib/ns/include/ns/server.h
@@ -0,0 +1,189 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef NS_SERVER_H
+#define NS_SERVER_H 1
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/fuzz.h>
+#include <isc/log.h>
+#include <isc/magic.h>
+#include <isc/quota.h>
+#include <isc/random.h>
+#include <isc/sockaddr.h>
+#include <isc/types.h>
+
+#include <dns/acl.h>
+#include <dns/types.h>
+
+#include <ns/types.h>
+
+#define NS_EVENT_CLIENTCONTROL (ISC_EVENTCLASS_NS + 0)
+
+#define NS_SERVER_LOGQUERIES   0x00000001U /*%< log queries */
+#define NS_SERVER_NOAA	       0x00000002U /*%< -T noaa */
+#define NS_SERVER_NOSOA	       0x00000004U /*%< -T nosoa */
+#define NS_SERVER_NONEAREST    0x00000008U /*%< -T nonearest */
+#define NS_SERVER_NOEDNS       0x00000020U /*%< -T noedns */
+#define NS_SERVER_DROPEDNS     0x00000040U /*%< -T dropedns */
+#define NS_SERVER_NOTCP	       0x00000080U /*%< -T notcp */
+#define NS_SERVER_DISABLE4     0x00000100U /*%< -6 */
+#define NS_SERVER_DISABLE6     0x00000200U /*%< -4 */
+#define NS_SERVER_FIXEDLOCAL   0x00000400U /*%< -T fixedlocal */
+#define NS_SERVER_SIGVALINSECS 0x00000800U /*%< -T sigvalinsecs */
+#define NS_SERVER_EDNSFORMERR  0x00001000U /*%< -T ednsformerr (STD13) */
+#define NS_SERVER_EDNSNOTIMP   0x00002000U /*%< -T ednsnotimp */
+#define NS_SERVER_EDNSREFUSED  0x00004000U /*%< -T ednsrefused */
+
+/*%
+ * Type for callback function to get hostname.
+ */
+typedef isc_result_t (*ns_hostnamecb_t)(char *buf, size_t len);
+
+/*%
+ * Type for callback function to signal the fuzzer thread
+ * when built with AFL.
+ */
+typedef void (*ns_fuzzcb_t)(void);
+
+/*%
+ * Type for callback function to get the view that can answer a query.
+ */
+typedef isc_result_t (*ns_matchview_t)(
+	isc_netaddr_t *srcaddr, isc_netaddr_t *destaddr, dns_message_t *message,
+	dns_aclenv_t *env, isc_result_t *sigresultp, dns_view_t **viewp);
+
+/*%
+ * Server context.
+ */
+struct ns_server {
+	unsigned int magic;
+	isc_mem_t   *mctx;
+
+	isc_refcount_t references;
+
+	/*% Server cookie secret and algorithm */
+	unsigned char	   secret[32];
+	ns_cookiealg_t	   cookiealg;
+	ns_altsecretlist_t altsecrets;
+	bool		   answercookie;
+
+	/*% Quotas */
+	isc_quota_t recursionquota;
+	isc_quota_t tcpquota;
+	isc_quota_t xfroutquota;
+	isc_quota_t updquota;
+
+	/*% Test options and other configurables */
+	uint32_t options;
+
+	dns_acl_t     *blackholeacl;
+	dns_acl_t     *keepresporder;
+	uint16_t       udpsize;
+	uint16_t       transfer_tcp_message_size;
+	bool	       interface_auto;
+	dns_tkeyctx_t *tkeyctx;
+
+	/*% Server id for NSID */
+	char	       *server_id;
+	ns_hostnamecb_t gethostname;
+
+	/*% Fuzzer callback */
+	isc_fuzztype_t fuzztype;
+	ns_fuzzcb_t    fuzznotify;
+
+	/*% Callback to find a matching view for a query */
+	ns_matchview_t matchingview;
+
+	/*% Stats counters */
+	ns_stats_t  *nsstats;
+	dns_stats_t *rcvquerystats;
+	dns_stats_t *opcodestats;
+	dns_stats_t *rcodestats;
+
+	isc_stats_t *udpinstats4;
+	isc_stats_t *udpoutstats4;
+	isc_stats_t *udpinstats6;
+	isc_stats_t *udpoutstats6;
+
+	isc_stats_t *tcpinstats4;
+	isc_stats_t *tcpoutstats4;
+	isc_stats_t *tcpinstats6;
+	isc_stats_t *tcpoutstats6;
+};
+
+struct ns_altsecret {
+	ISC_LINK(ns_altsecret_t) link;
+	unsigned char secret[32];
+};
+
+isc_result_t
+ns_server_create(isc_mem_t *mctx, ns_matchview_t matchingview,
+		 ns_server_t **sctxp);
+/*%<
+ * Create a server context object with default settings.
+ */
+
+void
+ns_server_attach(ns_server_t *src, ns_server_t **dest);
+/*%<
+ * Attach a server context.
+ *
+ * Requires:
+ *\li	'src' is valid.
+ */
+
+void
+ns_server_detach(ns_server_t **sctxp);
+/*%<
+ * Detach from a server context.  If its reference count drops to zero, destroy
+ * it, freeing its memory.
+ *
+ * Requires:
+ *\li	'*sctxp' is valid.
+ * Ensures:
+ *\li	'*sctxp' is NULL on return.
+ */
+
+isc_result_t
+ns_server_setserverid(ns_server_t *sctx, const char *serverid);
+/*%<
+ * Set sctx->server_id to 'serverid'. If it was set previously, free the memory.
+ *
+ * Requires:
+ *\li	'sctx' is valid.
+ */
+
+void
+ns_server_setoption(ns_server_t *sctx, unsigned int option, bool value);
+/*%<
+ *	Set the given options on (if 'value' == #true)
+ *	or off (if 'value' == #false).
+ *
+ * Requires:
+ *\li	'sctx' is valid
+ */
+
+bool
+ns_server_getoption(ns_server_t *sctx, unsigned int option);
+/*%<
+ *	Returns the current value of the specified server option.
+ *
+ * Requires:
+ *\li	'sctx' is valid.
+ */
+#endif /* NS_SERVER_H */
diff --git a/lib/ns/include/ns/sortlist.h b/lib/ns/include/ns/sortlist.h
new file mode 100644
index 0000000..a2eedd9
--- /dev/null
+++ b/lib/ns/include/ns/sortlist.h
@@ -0,0 +1,83 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef NS_SORTLIST_H
+#define NS_SORTLIST_H 1
+
+/*! \file */
+
+#include <isc/types.h>
+
+#include <dns/acl.h>
+#include <dns/types.h>
+
+/*%
+ * Type for callback functions that rank addresses.
+ */
+typedef int (*dns_addressorderfunc_t)(const isc_netaddr_t *address,
+				      const void	  *arg);
+
+/*%
+ * Return value type for setup_sortlist.
+ */
+typedef enum {
+	NS_SORTLISTTYPE_NONE,
+	NS_SORTLISTTYPE_1ELEMENT,
+	NS_SORTLISTTYPE_2ELEMENT
+} ns_sortlisttype_t;
+
+ns_sortlisttype_t
+ns_sortlist_setup(dns_acl_t *acl, dns_aclenv_t *env, isc_netaddr_t *clientaddr,
+		  const void **argp);
+/*%<
+ * Find the sortlist statement in 'acl' (for ACL environment 'env')
+ * that applies to 'clientaddr', if any.
+ *
+ * If a 1-element sortlist item applies, return NS_SORTLISTTYPE_1ELEMENT and
+ * make '*argp' point to the matching subelement.
+ *
+ * If a 2-element sortlist item applies, return NS_SORTLISTTYPE_2ELEMENT and
+ * make '*argp' point to ACL that forms the second element.
+ *
+ * If no sortlist item applies, return NS_SORTLISTTYPE_NONE and set '*argp'
+ * to NULL.
+ */
+
+int
+ns_sortlist_addrorder1(const isc_netaddr_t *addr, const void *arg);
+/*%<
+ * Find the sort order of 'addr' in 'arg', the matching element
+ * of a 1-element top-level sortlist statement.
+ */
+
+int
+ns_sortlist_addrorder2(const isc_netaddr_t *addr, const void *arg);
+/*%<
+ * Find the sort order of 'addr' in 'arg', a topology-like
+ * ACL forming the second element in a 2-element top-level
+ * sortlist statement.
+ */
+
+void
+ns_sortlist_byaddrsetup(dns_acl_t *sortlist_acl, dns_aclenv_t *env,
+			isc_netaddr_t	       *client_addr,
+			dns_addressorderfunc_t *orderp, const void **argp);
+/*%<
+ * Find the sortlist statement in 'acl' that applies to 'clientaddr', if any.
+ * If a sortlist statement applies, return in '*orderp' a pointer to a function
+ * for ranking network addresses based on that sortlist statement, and in
+ * '*argp' an argument to pass to said function.  If no sortlist statement
+ * applies, set '*orderp' and '*argp' to NULL.
+ */
+
+#endif /* NS_SORTLIST_H */
diff --git a/lib/ns/include/ns/stats.h b/lib/ns/include/ns/stats.h
new file mode 100644
index 0000000..b9564aa
--- /dev/null
+++ b/lib/ns/include/ns/stats.h
@@ -0,0 +1,141 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef NS_STATS_H
+#define NS_STATS_H 1
+
+/*! \file include/ns/stats.h */
+
+#include <ns/types.h>
+
+/*%
+ * Server statistics counters.  Used as isc_statscounter_t values.
+ */
+enum {
+	ns_statscounter_requestv4 = 0,
+	ns_statscounter_requestv6 = 1,
+	ns_statscounter_edns0in = 2,
+	ns_statscounter_badednsver = 3,
+	ns_statscounter_tsigin = 4,
+	ns_statscounter_sig0in = 5,
+	ns_statscounter_invalidsig = 6,
+	ns_statscounter_requesttcp = 7,
+
+	ns_statscounter_authrej = 8,
+	ns_statscounter_recurserej = 9,
+	ns_statscounter_xfrrej = 10,
+	ns_statscounter_updaterej = 11,
+
+	ns_statscounter_response = 12,
+	ns_statscounter_truncatedresp = 13,
+	ns_statscounter_edns0out = 14,
+	ns_statscounter_tsigout = 15,
+	ns_statscounter_sig0out = 16,
+
+	ns_statscounter_success = 17,
+	ns_statscounter_authans = 18,
+	ns_statscounter_nonauthans = 19,
+	ns_statscounter_referral = 20,
+	ns_statscounter_nxrrset = 21,
+	ns_statscounter_servfail = 22,
+	ns_statscounter_formerr = 23,
+	ns_statscounter_nxdomain = 24,
+	ns_statscounter_recursion = 25,
+	ns_statscounter_duplicate = 26,
+	ns_statscounter_dropped = 27,
+	ns_statscounter_failure = 28,
+
+	ns_statscounter_xfrdone = 29,
+
+	ns_statscounter_updatereqfwd = 30,
+	ns_statscounter_updaterespfwd = 31,
+	ns_statscounter_updatefwdfail = 32,
+	ns_statscounter_updatedone = 33,
+	ns_statscounter_updatefail = 34,
+	ns_statscounter_updatebadprereq = 35,
+
+	ns_statscounter_recursclients = 36,
+
+	ns_statscounter_dns64 = 37,
+
+	ns_statscounter_ratedropped = 38,
+	ns_statscounter_rateslipped = 39,
+
+	ns_statscounter_rpz_rewrites = 40,
+
+	ns_statscounter_udp = 41,
+	ns_statscounter_tcp = 42,
+
+	ns_statscounter_nsidopt = 43,
+	ns_statscounter_expireopt = 44,
+	ns_statscounter_otheropt = 45,
+	ns_statscounter_ecsopt = 46,
+	ns_statscounter_padopt = 47,
+	ns_statscounter_keepaliveopt = 48,
+
+	ns_statscounter_nxdomainredirect = 49,
+	ns_statscounter_nxdomainredirect_rlookup = 50,
+
+	ns_statscounter_cookiein = 51,
+	ns_statscounter_cookiebadsize = 52,
+	ns_statscounter_cookiebadtime = 53,
+	ns_statscounter_cookienomatch = 54,
+	ns_statscounter_cookiematch = 55,
+	ns_statscounter_cookienew = 56,
+	ns_statscounter_badcookie = 57,
+
+	ns_statscounter_nxdomainsynth = 58,
+	ns_statscounter_nodatasynth = 59,
+	ns_statscounter_wildcardsynth = 60,
+
+	ns_statscounter_trystale = 61,
+	ns_statscounter_usedstale = 62,
+
+	ns_statscounter_prefetch = 63,
+	ns_statscounter_keytagopt = 64,
+
+	ns_statscounter_tcphighwater = 65,
+
+	ns_statscounter_reclimitdropped = 66,
+
+	ns_statscounter_updatequota = 67,
+
+	ns_statscounter_max = 68,
+};
+
+void
+ns_stats_attach(ns_stats_t *stats, ns_stats_t **statsp);
+
+void
+ns_stats_detach(ns_stats_t **statsp);
+
+isc_result_t
+ns_stats_create(isc_mem_t *mctx, int ncounters, ns_stats_t **statsp);
+
+void
+ns_stats_increment(ns_stats_t *stats, isc_statscounter_t counter);
+
+void
+ns_stats_decrement(ns_stats_t *stats, isc_statscounter_t counter);
+
+isc_stats_t *
+ns_stats_get(ns_stats_t *stats);
+
+void
+ns_stats_update_if_greater(ns_stats_t *stats, isc_statscounter_t counter,
+			   isc_statscounter_t value);
+
+isc_statscounter_t
+ns_stats_get_counter(ns_stats_t *stats, isc_statscounter_t counter);
+
+#endif /* NS_STATS_H */
diff --git a/lib/ns/include/ns/types.h b/lib/ns/include/ns/types.h
new file mode 100644
index 0000000..f16f9a0
--- /dev/null
+++ b/lib/ns/include/ns/types.h
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef NS_TYPES_H
+#define NS_TYPES_H 1
+
+/*! \file */
+
+typedef struct ns_altsecret ns_altsecret_t;
+typedef ISC_LIST(ns_altsecret_t) ns_altsecretlist_t;
+typedef struct ns_client    ns_client_t;
+typedef struct ns_clientmgr ns_clientmgr_t;
+typedef struct ns_plugin    ns_plugin_t;
+typedef ISC_LIST(ns_plugin_t) ns_plugins_t;
+typedef struct ns_interface    ns_interface_t;
+typedef struct ns_interfacemgr ns_interfacemgr_t;
+typedef struct ns_query	       ns_query_t;
+typedef struct ns_server       ns_server_t;
+typedef struct ns_stats	       ns_stats_t;
+
+typedef enum { ns_cookiealg_aes, ns_cookiealg_siphash24 } ns_cookiealg_t;
+
+#define NS_COOKIE_VERSION_1 1
+
+#endif /* NS_TYPES_H */
diff --git a/lib/ns/include/ns/update.h b/lib/ns/include/ns/update.h
new file mode 100644
index 0000000..72ac604
--- /dev/null
+++ b/lib/ns/include/ns/update.h
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef NS_UPDATE_H
+#define NS_UPDATE_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file
+ * \brief
+ * RFC2136 Dynamic Update
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <dns/result.h>
+#include <dns/types.h>
+
+/***
+ *** Types.
+ ***/
+
+/***
+ *** Functions
+ ***/
+
+void
+ns_update_start(ns_client_t *client, isc_nmhandle_t *handle,
+		isc_result_t sigresult);
+
+#endif /* NS_UPDATE_H */
diff --git a/lib/ns/include/ns/version.h b/lib/ns/include/ns/version.h
new file mode 100644
index 0000000..e342717
--- /dev/null
+++ b/lib/ns/include/ns/version.h
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file include/ns/version.h */
+
+#include <isc/platform.h>
+
+LIBNS_EXTERNAL_DATA extern const char ns_version[];
diff --git a/lib/ns/include/ns/xfrout.h b/lib/ns/include/ns/xfrout.h
new file mode 100644
index 0000000..8f0809e
--- /dev/null
+++ b/lib/ns/include/ns/xfrout.h
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef NS_XFROUT_H
+#define NS_XFROUT_H 1
+
+/*****
+***** Module Info
+*****/
+
+/*! \file
+ * \brief
+ * Outgoing zone transfers (AXFR + IXFR).
+ */
+
+/***
+ *** Functions
+ ***/
+
+void
+ns_xfr_start(ns_client_t *client, dns_rdatatype_t xfrtype);
+
+#endif /* NS_XFROUT_H */
diff --git a/lib/ns/interfacemgr.c b/lib/ns/interfacemgr.c
new file mode 100644
index 0000000..216e274
--- /dev/null
+++ b/lib/ns/interfacemgr.c
@@ -0,0 +1,1263 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <stdbool.h>
+
+#include <isc/interfaceiter.h>
+#include <isc/netmgr.h>
+#include <isc/os.h>
+#include <isc/random.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/util.h>
+
+#include <dns/acl.h>
+#include <dns/dispatch.h>
+
+#include <ns/client.h>
+#include <ns/interfacemgr.h>
+#include <ns/log.h>
+#include <ns/server.h>
+#include <ns/stats.h>
+
+#ifdef HAVE_NET_ROUTE_H
+#include <net/route.h>
+#if defined(RTM_VERSION) && defined(RTM_NEWADDR) && defined(RTM_DELADDR)
+#define USE_ROUTE_SOCKET      1
+#define ROUTE_SOCKET_PROTOCOL PF_ROUTE
+#define MSGHDR		      rt_msghdr
+#define MSGTYPE		      rtm_type
+#endif /* if defined(RTM_VERSION) && defined(RTM_NEWADDR) && \
+	* defined(RTM_DELADDR) */
+#endif /* ifdef HAVE_NET_ROUTE_H */
+
+#if defined(HAVE_LINUX_NETLINK_H) && defined(HAVE_LINUX_RTNETLINK_H)
+#include <linux/netlink.h>
+#include <linux/rtnetlink.h>
+#if defined(RTM_NEWADDR) && defined(RTM_DELADDR)
+#define USE_ROUTE_SOCKET      1
+#define ROUTE_SOCKET_PROTOCOL PF_NETLINK
+#define MSGHDR		      nlmsghdr
+#define MSGTYPE		      nlmsg_type
+#endif /* if defined(RTM_NEWADDR) && defined(RTM_DELADDR) */
+#endif /* if defined(HAVE_LINUX_NETLINK_H) && defined(HAVE_LINUX_RTNETLINK_H) \
+	*/
+
+#ifdef TUNE_LARGE
+#define UDPBUFFERS 32768
+#else /* ifdef TUNE_LARGE */
+#define UDPBUFFERS 1000
+#endif /* TUNE_LARGE */
+
+#define IFMGR_MAGIC		 ISC_MAGIC('I', 'F', 'M', 'G')
+#define NS_INTERFACEMGR_VALID(t) ISC_MAGIC_VALID(t, IFMGR_MAGIC)
+
+#define IFMGR_COMMON_LOGARGS \
+	ns_lctx, NS_LOGCATEGORY_NETWORK, NS_LOGMODULE_INTERFACEMGR
+
+/*% nameserver interface manager structure */
+struct ns_interfacemgr {
+	unsigned int magic; /*%< Magic number. */
+	isc_refcount_t references;
+	isc_mutex_t lock;
+	isc_mem_t *mctx;	    /*%< Memory context. */
+	ns_server_t *sctx;	    /*%< Server context. */
+	isc_taskmgr_t *taskmgr;	    /*%< Task manager. */
+	isc_task_t *excl;	    /*%< Exclusive task. */
+	isc_timermgr_t *timermgr;   /*%< Timer manager. */
+	isc_socketmgr_t *socketmgr; /*%< Socket manager. */
+	isc_nm_t *nm;		    /*%< Net manager. */
+	int ncpus;		    /*%< Number of workers . */
+	dns_dispatchmgr_t *dispatchmgr;
+	unsigned int generation; /*%< Current generation no. */
+	ns_listenlist_t *listenon4;
+	ns_listenlist_t *listenon6;
+	dns_aclenv_t aclenv;		     /*%< Localhost/localnets ACLs */
+	ISC_LIST(ns_interface_t) interfaces; /*%< List of interfaces. */
+	ISC_LIST(isc_sockaddr_t) listenon;
+	int backlog;		  /*%< Listen queue size */
+	unsigned int udpdisp;	  /*%< UDP dispatch count */
+	atomic_bool shuttingdown; /*%< Interfacemgr is shutting
+				   * down */
+#ifdef USE_ROUTE_SOCKET
+	isc_task_t *task;
+	isc_socket_t *route;
+	unsigned char buf[2048];
+#endif /* ifdef USE_ROUTE_SOCKET */
+};
+
+static void
+purge_old_interfaces(ns_interfacemgr_t *mgr);
+
+static void
+clearlistenon(ns_interfacemgr_t *mgr);
+
+#ifdef USE_ROUTE_SOCKET
+static void
+route_event(isc_task_t *task, isc_event_t *event) {
+	isc_socketevent_t *sevent = NULL;
+	ns_interfacemgr_t *mgr = NULL;
+	isc_region_t r;
+	isc_result_t result;
+	struct MSGHDR *rtm;
+	bool done = true;
+
+	UNUSED(task);
+
+	REQUIRE(event->ev_type == ISC_SOCKEVENT_RECVDONE);
+	mgr = event->ev_arg;
+	sevent = (isc_socketevent_t *)event;
+
+	if (sevent->result != ISC_R_SUCCESS) {
+		if (sevent->result != ISC_R_CANCELED) {
+			isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR,
+				      "automatic interface scanning "
+				      "terminated: %s",
+				      isc_result_totext(sevent->result));
+		}
+		ns_interfacemgr_detach(&mgr);
+		isc_event_free(&event);
+		return;
+	}
+
+	rtm = (struct MSGHDR *)mgr->buf;
+#ifdef RTM_VERSION
+	if (rtm->rtm_version != RTM_VERSION) {
+		isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR,
+			      "automatic interface rescanning disabled: "
+			      "rtm->rtm_version mismatch (%u != %u) "
+			      "recompile required",
+			      rtm->rtm_version, RTM_VERSION);
+		ns_interfacemgr_detach(&mgr);
+		isc_event_free(&event);
+		return;
+	}
+#endif /* ifdef RTM_VERSION */
+
+	switch (rtm->MSGTYPE) {
+	case RTM_NEWADDR:
+	case RTM_DELADDR:
+		if (mgr->route != NULL && mgr->sctx->interface_auto) {
+			ns_interfacemgr_scan(mgr, false);
+		}
+		break;
+	default:
+		break;
+	}
+
+	LOCK(&mgr->lock);
+	if (mgr->route != NULL) {
+		/*
+		 * Look for next route event.
+		 */
+		r.base = mgr->buf;
+		r.length = sizeof(mgr->buf);
+		result = isc_socket_recv(mgr->route, &r, 1, mgr->task,
+					 route_event, mgr);
+		if (result == ISC_R_SUCCESS) {
+			done = false;
+		}
+	}
+	UNLOCK(&mgr->lock);
+
+	if (done) {
+		ns_interfacemgr_detach(&mgr);
+	}
+	isc_event_free(&event);
+	return;
+}
+#endif /* ifdef USE_ROUTE_SOCKET */
+
+isc_result_t
+ns_interfacemgr_create(isc_mem_t *mctx, ns_server_t *sctx,
+		       isc_taskmgr_t *taskmgr, isc_timermgr_t *timermgr,
+		       isc_socketmgr_t *socketmgr, isc_nm_t *nm,
+		       dns_dispatchmgr_t *dispatchmgr, isc_task_t *task,
+		       unsigned int udpdisp, dns_geoip_databases_t *geoip,
+		       int ncpus, ns_interfacemgr_t **mgrp) {
+	isc_result_t result;
+	ns_interfacemgr_t *mgr;
+
+#ifndef USE_ROUTE_SOCKET
+	UNUSED(task);
+#endif /* ifndef USE_ROUTE_SOCKET */
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(mgrp != NULL);
+	REQUIRE(*mgrp == NULL);
+
+	mgr = isc_mem_get(mctx, sizeof(*mgr));
+
+	mgr->mctx = NULL;
+	isc_mem_attach(mctx, &mgr->mctx);
+
+	mgr->sctx = NULL;
+	ns_server_attach(sctx, &mgr->sctx);
+
+	isc_mutex_init(&mgr->lock);
+
+	mgr->excl = NULL;
+	result = isc_taskmgr_excltask(taskmgr, &mgr->excl);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_lock;
+	}
+
+	mgr->taskmgr = taskmgr;
+	mgr->timermgr = timermgr;
+	mgr->socketmgr = socketmgr;
+	mgr->nm = nm;
+	mgr->dispatchmgr = dispatchmgr;
+	mgr->generation = 1;
+	mgr->listenon4 = NULL;
+	mgr->listenon6 = NULL;
+	mgr->udpdisp = udpdisp;
+	mgr->ncpus = ncpus;
+	atomic_init(&mgr->shuttingdown, false);
+
+	ISC_LIST_INIT(mgr->interfaces);
+	ISC_LIST_INIT(mgr->listenon);
+
+	/*
+	 * The listen-on lists are initially empty.
+	 */
+	result = ns_listenlist_create(mctx, &mgr->listenon4);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_ctx;
+	}
+	ns_listenlist_attach(mgr->listenon4, &mgr->listenon6);
+
+	result = dns_aclenv_init(mctx, &mgr->aclenv);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_listenon;
+	}
+#if defined(HAVE_GEOIP2)
+	mgr->aclenv.geoip = geoip;
+#else  /* if defined(HAVE_GEOIP2) */
+	UNUSED(geoip);
+#endif /* if defined(HAVE_GEOIP2) */
+
+#ifdef USE_ROUTE_SOCKET
+	mgr->route = NULL;
+	result = isc_socket_create(mgr->socketmgr, ROUTE_SOCKET_PROTOCOL,
+				   isc_sockettype_raw, &mgr->route);
+	switch (result) {
+	case ISC_R_NOPERM:
+	case ISC_R_SUCCESS:
+	case ISC_R_NOTIMPLEMENTED:
+	case ISC_R_FAMILYNOSUPPORT:
+		break;
+	default:
+		goto cleanup_aclenv;
+	}
+
+	mgr->task = NULL;
+	if (mgr->route != NULL) {
+		isc_task_attach(task, &mgr->task);
+	}
+	isc_refcount_init(&mgr->references, (mgr->route != NULL) ? 2 : 1);
+#else  /* ifdef USE_ROUTE_SOCKET */
+	isc_refcount_init(&mgr->references, 1);
+#endif /* ifdef USE_ROUTE_SOCKET */
+	mgr->magic = IFMGR_MAGIC;
+	*mgrp = mgr;
+
+#ifdef USE_ROUTE_SOCKET
+	if (mgr->route != NULL) {
+		isc_region_t r = { mgr->buf, sizeof(mgr->buf) };
+
+		result = isc_socket_recv(mgr->route, &r, 1, mgr->task,
+					 route_event, mgr);
+		if (result != ISC_R_SUCCESS) {
+			isc_task_detach(&mgr->task);
+			isc_socket_detach(&mgr->route);
+			ns_interfacemgr_detach(&mgr);
+		}
+	}
+#endif /* ifdef USE_ROUTE_SOCKET */
+	return (ISC_R_SUCCESS);
+
+#ifdef USE_ROUTE_SOCKET
+cleanup_aclenv:
+	dns_aclenv_destroy(&mgr->aclenv);
+#endif /* ifdef USE_ROUTE_SOCKET */
+cleanup_listenon:
+	ns_listenlist_detach(&mgr->listenon4);
+	ns_listenlist_detach(&mgr->listenon6);
+cleanup_lock:
+	isc_mutex_destroy(&mgr->lock);
+cleanup_ctx:
+	ns_server_detach(&mgr->sctx);
+	isc_mem_putanddetach(&mgr->mctx, mgr, sizeof(*mgr));
+	return (result);
+}
+
+static void
+ns_interfacemgr_destroy(ns_interfacemgr_t *mgr) {
+	REQUIRE(NS_INTERFACEMGR_VALID(mgr));
+
+	isc_refcount_destroy(&mgr->references);
+
+#ifdef USE_ROUTE_SOCKET
+	if (mgr->route != NULL) {
+		isc_socket_detach(&mgr->route);
+	}
+	if (mgr->task != NULL) {
+		isc_task_detach(&mgr->task);
+	}
+#endif /* ifdef USE_ROUTE_SOCKET */
+	dns_aclenv_destroy(&mgr->aclenv);
+	ns_listenlist_detach(&mgr->listenon4);
+	ns_listenlist_detach(&mgr->listenon6);
+	clearlistenon(mgr);
+	isc_mutex_destroy(&mgr->lock);
+	if (mgr->sctx != NULL) {
+		ns_server_detach(&mgr->sctx);
+	}
+	if (mgr->excl != NULL) {
+		isc_task_detach(&mgr->excl);
+	}
+	mgr->magic = 0;
+	isc_mem_putanddetach(&mgr->mctx, mgr, sizeof(*mgr));
+}
+
+void
+ns_interfacemgr_setbacklog(ns_interfacemgr_t *mgr, int backlog) {
+	REQUIRE(NS_INTERFACEMGR_VALID(mgr));
+	LOCK(&mgr->lock);
+	mgr->backlog = backlog;
+	UNLOCK(&mgr->lock);
+}
+
+dns_aclenv_t *
+ns_interfacemgr_getaclenv(ns_interfacemgr_t *mgr) {
+	REQUIRE(NS_INTERFACEMGR_VALID(mgr));
+
+	return (&mgr->aclenv);
+}
+
+void
+ns_interfacemgr_attach(ns_interfacemgr_t *source, ns_interfacemgr_t **target) {
+	REQUIRE(NS_INTERFACEMGR_VALID(source));
+	isc_refcount_increment(&source->references);
+	*target = source;
+}
+
+void
+ns_interfacemgr_detach(ns_interfacemgr_t **targetp) {
+	ns_interfacemgr_t *target = *targetp;
+	*targetp = NULL;
+	REQUIRE(target != NULL);
+	REQUIRE(NS_INTERFACEMGR_VALID(target));
+	if (isc_refcount_decrement(&target->references) == 1) {
+		ns_interfacemgr_destroy(target);
+	}
+}
+
+void
+ns_interfacemgr_shutdown(ns_interfacemgr_t *mgr) {
+	REQUIRE(NS_INTERFACEMGR_VALID(mgr));
+
+	/*%
+	 * Shut down and detach all interfaces.
+	 * By incrementing the generation count, we make purge_old_interfaces()
+	 * consider all interfaces "old".
+	 */
+	mgr->generation++;
+	atomic_store(&mgr->shuttingdown, true);
+#ifdef USE_ROUTE_SOCKET
+	LOCK(&mgr->lock);
+	if (mgr->route != NULL) {
+		isc_socket_cancel(mgr->route, mgr->task, ISC_SOCKCANCEL_RECV);
+		isc_socket_detach(&mgr->route);
+		isc_task_detach(&mgr->task);
+	}
+	UNLOCK(&mgr->lock);
+#endif /* ifdef USE_ROUTE_SOCKET */
+	purge_old_interfaces(mgr);
+}
+
+static isc_result_t
+ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
+		    const char *name, ns_interface_t **ifpret) {
+	ns_interface_t *ifp = NULL;
+	isc_result_t result;
+	int disp;
+
+	REQUIRE(NS_INTERFACEMGR_VALID(mgr));
+
+	ifp = isc_mem_get(mgr->mctx, sizeof(*ifp));
+	*ifp = (ns_interface_t){ .generation = mgr->generation,
+				 .addr = *addr,
+				 .dscp = -1 };
+
+	strlcpy(ifp->name, name, sizeof(ifp->name));
+
+	isc_mutex_init(&ifp->lock);
+
+	for (disp = 0; disp < MAX_UDP_DISPATCH; disp++) {
+		ifp->udpdispatch[disp] = NULL;
+	}
+
+	/*
+	 * Create a single TCP client object.  It will replace itself
+	 * with a new one as soon as it gets a connection, so the actual
+	 * connections will be handled in parallel even though there is
+	 * only one client initially.
+	 */
+	isc_refcount_init(&ifp->ntcpaccepting, 0);
+	isc_refcount_init(&ifp->ntcpactive, 0);
+
+	ISC_LINK_INIT(ifp, link);
+
+	ns_interfacemgr_attach(mgr, &ifp->mgr);
+	isc_refcount_init(&ifp->references, 1);
+	ifp->magic = IFACE_MAGIC;
+
+	LOCK(&mgr->lock);
+	ISC_LIST_APPEND(mgr->interfaces, ifp, link);
+	UNLOCK(&mgr->lock);
+
+	result = ns_clientmgr_create(mgr->mctx, mgr->sctx, mgr->taskmgr,
+				     mgr->timermgr, ifp, mgr->ncpus,
+				     &ifp->clientmgr);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR,
+			      "ns_clientmgr_create() failed: %s",
+			      isc_result_totext(result));
+		goto failure;
+	}
+
+	*ifpret = ifp;
+
+	return (ISC_R_SUCCESS);
+
+failure:
+	LOCK(&ifp->mgr->lock);
+	ISC_LIST_UNLINK(ifp->mgr->interfaces, ifp, link);
+	UNLOCK(&ifp->mgr->lock);
+
+	ifp->magic = 0;
+	ns_interfacemgr_detach(&ifp->mgr);
+	isc_refcount_decrement(&ifp->references);
+	isc_refcount_destroy(&ifp->references);
+	isc_mutex_destroy(&ifp->lock);
+
+	isc_mem_put(mgr->mctx, ifp, sizeof(*ifp));
+	return (ISC_R_UNEXPECTED);
+}
+
+static isc_result_t
+ns_interface_listenudp(ns_interface_t *ifp) {
+	isc_result_t result;
+
+	/* Reserve space for an ns_client_t with the netmgr handle */
+	result = isc_nm_listenudp(ifp->mgr->nm, &ifp->addr, ns__client_request,
+				  ifp, sizeof(ns_client_t),
+				  &ifp->udplistensocket);
+	return (result);
+}
+
+static isc_result_t
+ns_interface_listentcp(ns_interface_t *ifp) {
+	isc_result_t result;
+
+	result = isc_nm_listentcpdns(
+		ifp->mgr->nm, &ifp->addr, ns__client_request, ifp,
+		ns__client_tcpconn, ifp, sizeof(ns_client_t), ifp->mgr->backlog,
+		&ifp->mgr->sctx->tcpquota, &ifp->tcplistensocket);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR,
+			      "creating TCP socket: %s",
+			      isc_result_totext(result));
+	}
+
+	/*
+	 * We call this now to update the tcp-highwater statistic:
+	 * this is necessary because we are adding to the TCP quota just
+	 * by listening.
+	 */
+	result = ns__client_tcpconn(NULL, ISC_R_SUCCESS, ifp);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR,
+			      "connecting TCP socket: %s",
+			      isc_result_totext(result));
+	}
+
+#if 0
+#ifndef ISC_ALLOW_MAPPED
+	isc_socket_ipv6only(ifp->tcpsocket,true);
+#endif /* ifndef ISC_ALLOW_MAPPED */
+
+	if (ifp->dscp != -1) {
+		isc_socket_dscp(ifp->tcpsocket,ifp->dscp);
+	}
+
+	(void)isc_socket_filter(ifp->tcpsocket,"dataready");
+#endif /* if 0 */
+	return (result);
+}
+
+static isc_result_t
+ns_interface_setup(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
+		   const char *name, ns_interface_t **ifpret, isc_dscp_t dscp,
+		   bool *addr_in_use) {
+	isc_result_t result;
+	ns_interface_t *ifp = NULL;
+	REQUIRE(ifpret != NULL && *ifpret == NULL);
+	REQUIRE(addr_in_use == NULL || !*addr_in_use);
+
+	result = ns_interface_create(mgr, addr, name, &ifp);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	ifp->dscp = dscp;
+
+	result = ns_interface_listenudp(ifp);
+	if (result != ISC_R_SUCCESS) {
+		if ((result == ISC_R_ADDRINUSE) && (addr_in_use != NULL)) {
+			*addr_in_use = true;
+		}
+		goto cleanup_interface;
+	}
+
+	if (((mgr->sctx->options & NS_SERVER_NOTCP) == 0)) {
+		result = ns_interface_listentcp(ifp);
+		if (result != ISC_R_SUCCESS) {
+			if ((result == ISC_R_ADDRINUSE) &&
+			    (addr_in_use != NULL))
+			{
+				*addr_in_use = true;
+			}
+
+			/*
+			 * XXXRTH We don't currently have a way to easily stop
+			 * dispatch service, so we currently return
+			 * ISC_R_SUCCESS (the UDP stuff will work even if TCP
+			 * creation failed).  This will be fixed later.
+			 */
+			result = ISC_R_SUCCESS;
+		}
+	}
+	*ifpret = ifp;
+	return (result);
+
+cleanup_interface:
+	LOCK(&ifp->mgr->lock);
+	ISC_LIST_UNLINK(ifp->mgr->interfaces, ifp, link);
+	UNLOCK(&ifp->mgr->lock);
+	ns_interface_shutdown(ifp);
+	ns_interface_detach(&ifp);
+	return (result);
+}
+
+void
+ns_interface_shutdown(ns_interface_t *ifp) {
+	if (ifp->udplistensocket != NULL) {
+		isc_nm_stoplistening(ifp->udplistensocket);
+		isc_nmsocket_close(&ifp->udplistensocket);
+	}
+	if (ifp->tcplistensocket != NULL) {
+		isc_nm_stoplistening(ifp->tcplistensocket);
+		isc_nmsocket_close(&ifp->tcplistensocket);
+	}
+	if (ifp->clientmgr != NULL) {
+		ns_clientmgr_shutdown(ifp->clientmgr);
+		ns_clientmgr_destroy(&ifp->clientmgr);
+	}
+}
+
+static void
+ns_interface_destroy(ns_interface_t *ifp) {
+	REQUIRE(NS_INTERFACE_VALID(ifp));
+
+	isc_mem_t *mctx = ifp->mgr->mctx;
+
+	ns_interface_shutdown(ifp);
+
+	for (int disp = 0; disp < ifp->nudpdispatch; disp++) {
+		if (ifp->udpdispatch[disp] != NULL) {
+			dns_dispatch_changeattributes(
+				ifp->udpdispatch[disp], 0,
+				DNS_DISPATCHATTR_NOLISTEN);
+			dns_dispatch_detach(&(ifp->udpdispatch[disp]));
+		}
+	}
+
+	if (ifp->tcpsocket != NULL) {
+		isc_socket_detach(&ifp->tcpsocket);
+	}
+
+	isc_mutex_destroy(&ifp->lock);
+
+	ns_interfacemgr_detach(&ifp->mgr);
+
+	isc_refcount_destroy(&ifp->ntcpactive);
+	isc_refcount_destroy(&ifp->ntcpaccepting);
+
+	ifp->magic = 0;
+
+	isc_mem_put(mctx, ifp, sizeof(*ifp));
+}
+
+void
+ns_interface_attach(ns_interface_t *source, ns_interface_t **target) {
+	REQUIRE(NS_INTERFACE_VALID(source));
+	isc_refcount_increment(&source->references);
+	*target = source;
+}
+
+void
+ns_interface_detach(ns_interface_t **targetp) {
+	ns_interface_t *target = *targetp;
+	*targetp = NULL;
+	REQUIRE(target != NULL);
+	REQUIRE(NS_INTERFACE_VALID(target));
+	if (isc_refcount_decrement(&target->references) == 1) {
+		ns_interface_destroy(target);
+	}
+}
+
+/*%
+ * Search the interface list for an interface whose address and port
+ * both match those of 'addr'.  Return a pointer to it, or NULL if not found.
+ */
+static ns_interface_t *
+find_matching_interface(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr) {
+	ns_interface_t *ifp;
+	LOCK(&mgr->lock);
+	for (ifp = ISC_LIST_HEAD(mgr->interfaces); ifp != NULL;
+	     ifp = ISC_LIST_NEXT(ifp, link))
+	{
+		if (isc_sockaddr_equal(&ifp->addr, addr)) {
+			break;
+		}
+	}
+	UNLOCK(&mgr->lock);
+	return (ifp);
+}
+
+/*%
+ * Remove any interfaces whose generation number is not the current one.
+ */
+static void
+purge_old_interfaces(ns_interfacemgr_t *mgr) {
+	ns_interface_t *ifp, *next;
+	LOCK(&mgr->lock);
+	for (ifp = ISC_LIST_HEAD(mgr->interfaces); ifp != NULL; ifp = next) {
+		INSIST(NS_INTERFACE_VALID(ifp));
+		next = ISC_LIST_NEXT(ifp, link);
+		if (ifp->generation != mgr->generation) {
+			char sabuf[256];
+			ISC_LIST_UNLINK(ifp->mgr->interfaces, ifp, link);
+			isc_sockaddr_format(&ifp->addr, sabuf, sizeof(sabuf));
+			isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_INFO,
+				      "no longer listening on %s", sabuf);
+			ns_interface_shutdown(ifp);
+			ns_interface_detach(&ifp);
+		}
+	}
+	UNLOCK(&mgr->lock);
+}
+
+static isc_result_t
+clearacl(isc_mem_t *mctx, dns_acl_t **aclp) {
+	dns_acl_t *newacl = NULL;
+	isc_result_t result;
+	result = dns_acl_create(mctx, 0, &newacl);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	dns_acl_detach(aclp);
+	dns_acl_attach(newacl, aclp);
+	dns_acl_detach(&newacl);
+	return (ISC_R_SUCCESS);
+}
+
+static bool
+listenon_is_ip6_any(ns_listenelt_t *elt) {
+	REQUIRE(elt && elt->acl);
+	return (dns_acl_isany(elt->acl));
+}
+
+static isc_result_t
+setup_locals(ns_interfacemgr_t *mgr, isc_interface_t *interface) {
+	isc_result_t result;
+	unsigned int prefixlen;
+	isc_netaddr_t *netaddr;
+
+	netaddr = &interface->address;
+
+	/* First add localhost address */
+	prefixlen = (netaddr->family == AF_INET) ? 32 : 128;
+	result = dns_iptable_addprefix(mgr->aclenv.localhost->iptable, netaddr,
+				       prefixlen, true);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	/* Then add localnets prefix */
+	result = isc_netaddr_masktoprefixlen(&interface->netmask, &prefixlen);
+
+	/* Non contiguous netmasks not allowed by IPv6 arch. */
+	if (result != ISC_R_SUCCESS && netaddr->family == AF_INET6) {
+		return (result);
+	}
+
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_WARNING,
+			      "omitting IPv4 interface %s from "
+			      "localnets ACL: %s",
+			      interface->name, isc_result_totext(result));
+		return (ISC_R_SUCCESS);
+	}
+
+	if (prefixlen == 0U) {
+		isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_WARNING,
+			      "omitting %s interface %s from localnets ACL: "
+			      "zero prefix length detected",
+			      (netaddr->family == AF_INET) ? "IPv4" : "IPv6",
+			      interface->name);
+		return (ISC_R_SUCCESS);
+	}
+
+	result = dns_iptable_addprefix(mgr->aclenv.localnets->iptable, netaddr,
+				       prefixlen, true);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+setup_listenon(ns_interfacemgr_t *mgr, isc_interface_t *interface,
+	       in_port_t port) {
+	isc_sockaddr_t *addr;
+	isc_sockaddr_t *old;
+
+	addr = isc_mem_get(mgr->mctx, sizeof(*addr));
+
+	isc_sockaddr_fromnetaddr(addr, &interface->address, port);
+
+	LOCK(&mgr->lock);
+	for (old = ISC_LIST_HEAD(mgr->listenon); old != NULL;
+	     old = ISC_LIST_NEXT(old, link))
+	{
+		if (isc_sockaddr_equal(addr, old)) {
+			break;
+		}
+	}
+
+	if (old != NULL) {
+		isc_mem_put(mgr->mctx, addr, sizeof(*addr));
+	} else {
+		ISC_LIST_APPEND(mgr->listenon, addr, link);
+	}
+	UNLOCK(&mgr->lock);
+}
+
+static void
+clearlistenon(ns_interfacemgr_t *mgr) {
+	isc_sockaddr_t *old;
+
+	LOCK(&mgr->lock);
+	old = ISC_LIST_HEAD(mgr->listenon);
+	while (old != NULL) {
+		ISC_LIST_UNLINK(mgr->listenon, old, link);
+		isc_mem_put(mgr->mctx, old, sizeof(*old));
+		old = ISC_LIST_HEAD(mgr->listenon);
+	}
+	UNLOCK(&mgr->lock);
+}
+
+static isc_result_t
+do_scan(ns_interfacemgr_t *mgr, bool verbose) {
+	isc_interfaceiter_t *iter = NULL;
+	bool scan_ipv4 = false;
+	bool scan_ipv6 = false;
+	bool ipv6only = true;
+	bool ipv6pktinfo = true;
+	isc_result_t result;
+	isc_netaddr_t zero_address, zero_address6;
+	ns_listenelt_t *le;
+	isc_sockaddr_t listen_addr;
+	ns_interface_t *ifp;
+	bool log_explicit = false;
+	bool dolistenon;
+	char sabuf[ISC_SOCKADDR_FORMATSIZE];
+	bool tried_listening;
+	bool all_addresses_in_use;
+
+	if (isc_net_probeipv6() == ISC_R_SUCCESS) {
+		scan_ipv6 = true;
+	} else if ((mgr->sctx->options & NS_SERVER_DISABLE6) == 0) {
+		isc_log_write(IFMGR_COMMON_LOGARGS,
+			      verbose ? ISC_LOG_INFO : ISC_LOG_DEBUG(1),
+			      "no IPv6 interfaces found");
+	}
+
+	if (isc_net_probeipv4() == ISC_R_SUCCESS) {
+		scan_ipv4 = true;
+	} else if ((mgr->sctx->options & NS_SERVER_DISABLE4) == 0) {
+		isc_log_write(IFMGR_COMMON_LOGARGS,
+			      verbose ? ISC_LOG_INFO : ISC_LOG_DEBUG(1),
+			      "no IPv4 interfaces found");
+	}
+
+	/*
+	 * A special, but typical case; listen-on-v6 { any; }.
+	 * When we can make the socket IPv6-only, open a single wildcard
+	 * socket for IPv6 communication.  Otherwise, make separate
+	 * socket for each IPv6 address in order to avoid accepting IPv4
+	 * packets as the form of mapped addresses unintentionally
+	 * unless explicitly allowed.
+	 */
+#ifndef ISC_ALLOW_MAPPED
+	if (scan_ipv6 && isc_net_probe_ipv6only() != ISC_R_SUCCESS) {
+		ipv6only = false;
+		log_explicit = true;
+	}
+#endif /* ifndef ISC_ALLOW_MAPPED */
+	if (scan_ipv6 && isc_net_probe_ipv6pktinfo() != ISC_R_SUCCESS) {
+		ipv6pktinfo = false;
+		log_explicit = true;
+	}
+	if (scan_ipv6 && ipv6only && ipv6pktinfo) {
+		for (le = ISC_LIST_HEAD(mgr->listenon6->elts); le != NULL;
+		     le = ISC_LIST_NEXT(le, link))
+		{
+			struct in6_addr in6a;
+
+			if (!listenon_is_ip6_any(le)) {
+				continue;
+			}
+
+			in6a = in6addr_any;
+			isc_sockaddr_fromin6(&listen_addr, &in6a, le->port);
+
+			ifp = find_matching_interface(mgr, &listen_addr);
+			if (ifp != NULL) {
+				ifp->generation = mgr->generation;
+				if (le->dscp != -1 && ifp->dscp == -1) {
+					ifp->dscp = le->dscp;
+				} else if (le->dscp != ifp->dscp) {
+					isc_sockaddr_format(&listen_addr, sabuf,
+							    sizeof(sabuf));
+					isc_log_write(IFMGR_COMMON_LOGARGS,
+						      ISC_LOG_WARNING,
+						      "%s: conflicting DSCP "
+						      "values, using %d",
+						      sabuf, ifp->dscp);
+				}
+			} else {
+				isc_log_write(IFMGR_COMMON_LOGARGS,
+					      ISC_LOG_INFO,
+					      "listening on IPv6 "
+					      "interfaces, port %u",
+					      le->port);
+				result = ns_interface_setup(mgr, &listen_addr,
+							    "<any>", &ifp,
+							    le->dscp, NULL);
+				if (result == ISC_R_SUCCESS) {
+					ifp->flags |= NS_INTERFACEFLAG_ANYADDR;
+				} else {
+					isc_log_write(IFMGR_COMMON_LOGARGS,
+						      ISC_LOG_ERROR,
+						      "listening on all IPv6 "
+						      "interfaces failed");
+				}
+				/* Continue. */
+			}
+		}
+	}
+
+	isc_netaddr_any(&zero_address);
+	isc_netaddr_any6(&zero_address6);
+
+	result = isc_interfaceiter_create(mgr->mctx, &iter);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = clearacl(mgr->mctx, &mgr->aclenv.localhost);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_iter;
+	}
+	result = clearacl(mgr->mctx, &mgr->aclenv.localnets);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_iter;
+	}
+	clearlistenon(mgr);
+
+	tried_listening = false;
+	all_addresses_in_use = true;
+	for (result = isc_interfaceiter_first(iter); result == ISC_R_SUCCESS;
+	     result = isc_interfaceiter_next(iter))
+	{
+		isc_interface_t interface;
+		ns_listenlist_t *ll;
+		unsigned int family;
+
+		result = isc_interfaceiter_current(iter, &interface);
+		if (result != ISC_R_SUCCESS) {
+			break;
+		}
+
+		family = interface.address.family;
+		if (family != AF_INET && family != AF_INET6) {
+			continue;
+		}
+		if (!scan_ipv4 && family == AF_INET) {
+			continue;
+		}
+		if (!scan_ipv6 && family == AF_INET6) {
+			continue;
+		}
+
+		/*
+		 * Test for the address being nonzero rather than testing
+		 * INTERFACE_F_UP, because on some systems the latter
+		 * follows the media state and we could end up ignoring
+		 * the interface for an entire rescan interval due to
+		 * a temporary media glitch at rescan time.
+		 */
+		if (family == AF_INET &&
+		    isc_netaddr_equal(&interface.address, &zero_address))
+		{
+			continue;
+		}
+		if (family == AF_INET6 &&
+		    isc_netaddr_equal(&interface.address, &zero_address6))
+		{
+			continue;
+		}
+
+		/*
+		 * If running with -T fixedlocal, then we only
+		 * want 127.0.0.1 and ::1 in the localhost ACL.
+		 */
+		if (((mgr->sctx->options & NS_SERVER_FIXEDLOCAL) != 0) &&
+		    !isc_netaddr_isloopback(&interface.address))
+		{
+			goto listenon;
+		}
+
+		result = setup_locals(mgr, &interface);
+		if (result != ISC_R_SUCCESS) {
+			goto ignore_interface;
+		}
+
+	listenon:
+		ll = (family == AF_INET) ? mgr->listenon4 : mgr->listenon6;
+		dolistenon = true;
+		for (le = ISC_LIST_HEAD(ll->elts); le != NULL;
+		     le = ISC_LIST_NEXT(le, link))
+		{
+			int match;
+			bool ipv6_wildcard = false;
+			isc_netaddr_t listen_netaddr;
+			isc_sockaddr_t listen_sockaddr;
+
+			/*
+			 * Construct a socket address for this IP/port
+			 * combination.
+			 */
+			if (family == AF_INET) {
+				isc_netaddr_fromin(&listen_netaddr,
+						   &interface.address.type.in);
+			} else {
+				isc_netaddr_fromin6(
+					&listen_netaddr,
+					&interface.address.type.in6);
+				isc_netaddr_setzone(&listen_netaddr,
+						    interface.address.zone);
+			}
+			isc_sockaddr_fromnetaddr(&listen_sockaddr,
+						 &listen_netaddr, le->port);
+
+			/*
+			 * See if the address matches the listen-on statement;
+			 * if not, ignore the interface.
+			 */
+			(void)dns_acl_match(&listen_netaddr, NULL, le->acl,
+					    &mgr->aclenv, &match, NULL);
+			if (match <= 0) {
+				continue;
+			}
+
+			if (dolistenon) {
+				setup_listenon(mgr, &interface, le->port);
+				dolistenon = false;
+			}
+
+			/*
+			 * The case of "any" IPv6 address will require
+			 * special considerations later, so remember it.
+			 */
+			if (family == AF_INET6 && ipv6only && ipv6pktinfo &&
+			    listenon_is_ip6_any(le))
+			{
+				ipv6_wildcard = true;
+			}
+
+			ifp = find_matching_interface(mgr, &listen_sockaddr);
+			if (ifp != NULL) {
+				ifp->generation = mgr->generation;
+				if (le->dscp != -1 && ifp->dscp == -1) {
+					ifp->dscp = le->dscp;
+				} else if (le->dscp != ifp->dscp) {
+					isc_sockaddr_format(&listen_sockaddr,
+							    sabuf,
+							    sizeof(sabuf));
+					isc_log_write(IFMGR_COMMON_LOGARGS,
+						      ISC_LOG_WARNING,
+						      "%s: conflicting DSCP "
+						      "values, using %d",
+						      sabuf, ifp->dscp);
+				}
+			} else {
+				bool addr_in_use = false;
+
+				if (ipv6_wildcard) {
+					continue;
+				}
+
+				if (log_explicit && family == AF_INET6 &&
+				    listenon_is_ip6_any(le))
+				{
+					isc_log_write(
+						IFMGR_COMMON_LOGARGS,
+						verbose ? ISC_LOG_INFO
+							: ISC_LOG_DEBUG(1),
+						"IPv6 socket API is "
+						"incomplete; explicitly "
+						"binding to each IPv6 "
+						"address separately");
+					log_explicit = false;
+				}
+				isc_sockaddr_format(&listen_sockaddr, sabuf,
+						    sizeof(sabuf));
+				isc_log_write(
+					IFMGR_COMMON_LOGARGS, ISC_LOG_INFO,
+					"listening on %s interface "
+					"%s, %s",
+					(family == AF_INET) ? "IPv4" : "IPv6",
+					interface.name, sabuf);
+
+				result = ns_interface_setup(
+					mgr, &listen_sockaddr, interface.name,
+					&ifp, le->dscp, &addr_in_use);
+
+				tried_listening = true;
+				if (!addr_in_use) {
+					all_addresses_in_use = false;
+				}
+
+				if (result != ISC_R_SUCCESS) {
+					isc_log_write(IFMGR_COMMON_LOGARGS,
+						      ISC_LOG_ERROR,
+						      "creating %s interface "
+						      "%s failed; interface "
+						      "ignored",
+						      (family == AF_INET) ? "IP"
+									    "v4"
+									  : "IP"
+									    "v"
+									    "6",
+						      interface.name);
+				}
+				/* Continue. */
+			}
+		}
+		continue;
+
+	ignore_interface:
+		isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR,
+			      "ignoring %s interface %s: %s",
+			      (family == AF_INET) ? "IPv4" : "IPv6",
+			      interface.name, isc_result_totext(result));
+		continue;
+	}
+	if (result != ISC_R_NOMORE) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "interface iteration failed: %s",
+				 isc_result_totext(result));
+	} else {
+		result = ((tried_listening && all_addresses_in_use)
+				  ? ISC_R_ADDRINUSE
+				  : ISC_R_SUCCESS);
+	}
+cleanup_iter:
+	isc_interfaceiter_destroy(&iter);
+	return (result);
+}
+
+static isc_result_t
+ns_interfacemgr_scan0(ns_interfacemgr_t *mgr, bool verbose) {
+	isc_result_t result;
+	bool purge = true;
+
+	REQUIRE(NS_INTERFACEMGR_VALID(mgr));
+
+	mgr->generation++; /* Increment the generation count. */
+
+	result = do_scan(mgr, verbose);
+	if ((result != ISC_R_SUCCESS) && (result != ISC_R_ADDRINUSE)) {
+		purge = false;
+	}
+
+	/*
+	 * Now go through the interface list and delete anything that
+	 * does not have the current generation number.  This is
+	 * how we catch interfaces that go away or change their
+	 * addresses.
+	 */
+	if (purge) {
+		purge_old_interfaces(mgr);
+	}
+
+	/*
+	 * Warn if we are not listening on any interface.
+	 */
+	if (ISC_LIST_EMPTY(mgr->interfaces)) {
+		isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_WARNING,
+			      "not listening on any interfaces");
+	}
+
+	return (result);
+}
+
+bool
+ns_interfacemgr_islistening(ns_interfacemgr_t *mgr) {
+	REQUIRE(NS_INTERFACEMGR_VALID(mgr));
+
+	return (ISC_LIST_EMPTY(mgr->interfaces) ? false : true);
+}
+
+isc_result_t
+ns_interfacemgr_scan(ns_interfacemgr_t *mgr, bool verbose) {
+	isc_result_t result;
+	bool unlock = false;
+
+	/*
+	 * Check for success because we may already be task-exclusive
+	 * at this point.  Only if we succeed at obtaining an exclusive
+	 * lock now will we need to relinquish it later.
+	 */
+	result = isc_task_beginexclusive(mgr->excl);
+	if (result == ISC_R_SUCCESS) {
+		unlock = true;
+	}
+
+	result = ns_interfacemgr_scan0(mgr, verbose);
+
+	if (unlock) {
+		isc_task_endexclusive(mgr->excl);
+	}
+
+	return (result);
+}
+
+void
+ns_interfacemgr_setlistenon4(ns_interfacemgr_t *mgr, ns_listenlist_t *value) {
+	REQUIRE(NS_INTERFACEMGR_VALID(mgr));
+
+	LOCK(&mgr->lock);
+	ns_listenlist_detach(&mgr->listenon4);
+	ns_listenlist_attach(value, &mgr->listenon4);
+	UNLOCK(&mgr->lock);
+}
+
+void
+ns_interfacemgr_setlistenon6(ns_interfacemgr_t *mgr, ns_listenlist_t *value) {
+	REQUIRE(NS_INTERFACEMGR_VALID(mgr));
+
+	LOCK(&mgr->lock);
+	ns_listenlist_detach(&mgr->listenon6);
+	ns_listenlist_attach(value, &mgr->listenon6);
+	UNLOCK(&mgr->lock);
+}
+
+void
+ns_interfacemgr_dumprecursing(FILE *f, ns_interfacemgr_t *mgr) {
+	ns_interface_t *interface;
+
+	REQUIRE(NS_INTERFACEMGR_VALID(mgr));
+
+	LOCK(&mgr->lock);
+	interface = ISC_LIST_HEAD(mgr->interfaces);
+	while (interface != NULL) {
+		if (interface->clientmgr != NULL) {
+			ns_client_dumprecursing(f, interface->clientmgr);
+		}
+		interface = ISC_LIST_NEXT(interface, link);
+	}
+	UNLOCK(&mgr->lock);
+}
+
+bool
+ns_interfacemgr_listeningon(ns_interfacemgr_t *mgr,
+			    const isc_sockaddr_t *addr) {
+	isc_sockaddr_t *old;
+	bool result = false;
+
+	REQUIRE(NS_INTERFACEMGR_VALID(mgr));
+	/*
+	 * If the manager is shutting down it's safer to
+	 * return true.
+	 */
+	if (atomic_load(&mgr->shuttingdown)) {
+		return (true);
+	}
+	LOCK(&mgr->lock);
+	for (old = ISC_LIST_HEAD(mgr->listenon); old != NULL;
+	     old = ISC_LIST_NEXT(old, link))
+	{
+		if (isc_sockaddr_equal(old, addr)) {
+			result = true;
+			break;
+		}
+	}
+	UNLOCK(&mgr->lock);
+
+	return (result);
+}
+
+ns_server_t *
+ns_interfacemgr_getserver(ns_interfacemgr_t *mgr) {
+	REQUIRE(NS_INTERFACEMGR_VALID(mgr));
+
+	return (mgr->sctx);
+}
+
+ns_interface_t *
+ns__interfacemgr_getif(ns_interfacemgr_t *mgr) {
+	ns_interface_t *head;
+	REQUIRE(NS_INTERFACEMGR_VALID(mgr));
+	LOCK(&mgr->lock);
+	head = ISC_LIST_HEAD(mgr->interfaces);
+	UNLOCK(&mgr->lock);
+	return (head);
+}
+
+ns_interface_t *
+ns__interfacemgr_nextif(ns_interface_t *ifp) {
+	ns_interface_t *next;
+	LOCK(&ifp->lock);
+	next = ISC_LIST_NEXT(ifp, link);
+	UNLOCK(&ifp->lock);
+	return (next);
+}
diff --git a/lib/ns/lib.c b/lib/ns/lib.c
new file mode 100644
index 0000000..0c4a18f
--- /dev/null
+++ b/lib/ns/lib.c
@@ -0,0 +1,86 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <stdbool.h>
+#include <stddef.h>
+
+#include <isc/mem.h>
+#include <isc/mutex.h>
+#include <isc/once.h>
+#include <isc/refcount.h>
+#include <isc/util.h>
+
+#include <dns/name.h>
+
+#include <ns/lib.h>
+
+/***
+ *** Globals
+ ***/
+
+LIBNS_EXTERNAL_DATA unsigned int ns_pps = 0U;
+
+/***
+ *** Private
+ ***/
+
+static isc_once_t init_once = ISC_ONCE_INIT;
+static isc_mem_t *ns_g_mctx = NULL;
+static bool initialize_done = false;
+static isc_refcount_t references;
+
+static void
+initialize(void) {
+	REQUIRE(!initialize_done);
+
+	isc_mem_create(&ns_g_mctx);
+
+	isc_refcount_init(&references, 0);
+	initialize_done = true;
+	return;
+}
+
+isc_result_t
+ns_lib_init(void) {
+	isc_result_t result;
+
+	/*
+	 * Since this routine is expected to be used by a normal application,
+	 * it should be better to return an error, instead of an emergency
+	 * abort, on any failure.
+	 */
+	result = isc_once_do(&init_once, initialize);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	if (!initialize_done) {
+		return (ISC_R_FAILURE);
+	}
+
+	isc_refcount_increment0(&references);
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+ns_lib_shutdown(void) {
+	if (isc_refcount_decrement(&references) == 1) {
+		isc_refcount_destroy(&references);
+		if (ns_g_mctx != NULL) {
+			isc_mem_detach(&ns_g_mctx);
+		}
+	}
+}
diff --git a/lib/ns/listenlist.c b/lib/ns/listenlist.c
new file mode 100644
index 0000000..9fb3674
--- /dev/null
+++ b/lib/ns/listenlist.c
@@ -0,0 +1,130 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <stdbool.h>
+
+#include <isc/mem.h>
+#include <isc/util.h>
+
+#include <dns/acl.h>
+
+#include <ns/listenlist.h>
+
+static void
+destroy(ns_listenlist_t *list);
+
+isc_result_t
+ns_listenelt_create(isc_mem_t *mctx, in_port_t port, isc_dscp_t dscp,
+		    dns_acl_t *acl, ns_listenelt_t **target) {
+	ns_listenelt_t *elt = NULL;
+	REQUIRE(target != NULL && *target == NULL);
+	elt = isc_mem_get(mctx, sizeof(*elt));
+	elt->mctx = mctx;
+	ISC_LINK_INIT(elt, link);
+	elt->port = port;
+	elt->dscp = dscp;
+	elt->acl = acl;
+	*target = elt;
+	return (ISC_R_SUCCESS);
+}
+
+void
+ns_listenelt_destroy(ns_listenelt_t *elt) {
+	if (elt->acl != NULL) {
+		dns_acl_detach(&elt->acl);
+	}
+	isc_mem_put(elt->mctx, elt, sizeof(*elt));
+}
+
+isc_result_t
+ns_listenlist_create(isc_mem_t *mctx, ns_listenlist_t **target) {
+	ns_listenlist_t *list = NULL;
+	REQUIRE(target != NULL && *target == NULL);
+	list = isc_mem_get(mctx, sizeof(*list));
+	list->mctx = mctx;
+	list->refcount = 1;
+	ISC_LIST_INIT(list->elts);
+	*target = list;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+destroy(ns_listenlist_t *list) {
+	ns_listenelt_t *elt, *next;
+	for (elt = ISC_LIST_HEAD(list->elts); elt != NULL; elt = next) {
+		next = ISC_LIST_NEXT(elt, link);
+		ns_listenelt_destroy(elt);
+	}
+	isc_mem_put(list->mctx, list, sizeof(*list));
+}
+
+void
+ns_listenlist_attach(ns_listenlist_t *source, ns_listenlist_t **target) {
+	INSIST(source->refcount > 0);
+	source->refcount++;
+	*target = source;
+}
+
+void
+ns_listenlist_detach(ns_listenlist_t **listp) {
+	ns_listenlist_t *list = *listp;
+	*listp = NULL;
+	INSIST(list->refcount > 0);
+	list->refcount--;
+	if (list->refcount == 0) {
+		destroy(list);
+	}
+}
+
+isc_result_t
+ns_listenlist_default(isc_mem_t *mctx, in_port_t port, isc_dscp_t dscp,
+		      bool enabled, ns_listenlist_t **target) {
+	isc_result_t result;
+	dns_acl_t *acl = NULL;
+	ns_listenelt_t *elt = NULL;
+	ns_listenlist_t *list = NULL;
+
+	REQUIRE(target != NULL && *target == NULL);
+	if (enabled) {
+		result = dns_acl_any(mctx, &acl);
+	} else {
+		result = dns_acl_none(mctx, &acl);
+	}
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	result = ns_listenelt_create(mctx, port, dscp, acl, &elt);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_acl;
+	}
+
+	result = ns_listenlist_create(mctx, &list);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_listenelt;
+	}
+
+	ISC_LIST_APPEND(list->elts, elt, link);
+
+	*target = list;
+	return (ISC_R_SUCCESS);
+
+cleanup_listenelt:
+	ns_listenelt_destroy(elt);
+cleanup_acl:
+	dns_acl_detach(&acl);
+cleanup:
+	return (result);
+}
diff --git a/lib/ns/log.c b/lib/ns/log.c
new file mode 100644
index 0000000..01ea0b2
--- /dev/null
+++ b/lib/ns/log.c
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <isc/result.h>
+#include <isc/util.h>
+
+#include <ns/log.h>
+
+#ifndef ISC_FACILITY
+#define ISC_FACILITY LOG_DAEMON
+#endif /* ifndef ISC_FACILITY */
+
+/*%
+ * When adding a new category, be sure to add the appropriate
+ * \#define to <ns/log.h>
+ */
+LIBNS_EXTERNAL_DATA isc_logcategory_t ns_categories[] = {
+	{ "client", 0 },
+	{ "network", 0 },
+	{ "update", 0 },
+	{ "queries", 0 },
+	{ "update-security", 0 },
+	{ "query-errors", 0 },
+	{ "trust-anchor-telemetry", 0 },
+	{ "serve-stale", 0 },
+	{ NULL, 0 }
+};
+
+/*%
+ * When adding a new module, be sure to add the appropriate
+ * \#define to <ns/log.h>.
+ */
+LIBNS_EXTERNAL_DATA isc_logmodule_t ns_modules[] = {
+	{ "ns/client", 0 }, { "ns/query", 0 },	 { "ns/interfacemgr", 0 },
+	{ "ns/update", 0 }, { "ns/xfer-in", 0 }, { "ns/xfer-out", 0 },
+	{ "ns/notify", 0 }, { "ns/hooks", 0 },	 { NULL, 0 }
+};
+
+LIBNS_EXTERNAL_DATA isc_log_t *ns_lctx = NULL;
+
+void
+ns_log_init(isc_log_t *lctx) {
+	REQUIRE(lctx != NULL);
+
+	isc_log_registercategories(lctx, ns_categories);
+	isc_log_registermodules(lctx, ns_modules);
+}
+
+void
+ns_log_setcontext(isc_log_t *lctx) {
+	ns_lctx = lctx;
+}
diff --git a/lib/ns/notify.c b/lib/ns/notify.c
new file mode 100644
index 0000000..86f8647
--- /dev/null
+++ b/lib/ns/notify.c
@@ -0,0 +1,179 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <isc/log.h>
+#include <isc/print.h>
+
+#include <dns/message.h>
+#include <dns/rdataset.h>
+#include <dns/result.h>
+#include <dns/tsig.h>
+#include <dns/view.h>
+#include <dns/zone.h>
+#include <dns/zt.h>
+
+#include <ns/log.h>
+#include <ns/notify.h>
+#include <ns/types.h>
+
+/*! \file
+ * \brief
+ * This module implements notify as in RFC1996.
+ */
+
+static void
+notify_log(ns_client_t *client, int level, const char *fmt, ...) {
+	va_list ap;
+
+	va_start(ap, fmt);
+	ns_client_logv(client, DNS_LOGCATEGORY_NOTIFY, NS_LOGMODULE_NOTIFY,
+		       level, fmt, ap);
+	va_end(ap);
+}
+
+static void
+respond(ns_client_t *client, isc_result_t result) {
+	dns_rcode_t rcode;
+	dns_message_t *message;
+	isc_result_t msg_result;
+
+	message = client->message;
+	rcode = dns_result_torcode(result);
+
+	msg_result = dns_message_reply(message, true);
+	if (msg_result != ISC_R_SUCCESS) {
+		msg_result = dns_message_reply(message, false);
+	}
+	if (msg_result != ISC_R_SUCCESS) {
+		ns_client_drop(client, msg_result);
+		isc_nmhandle_detach(&client->reqhandle);
+		return;
+	}
+	message->rcode = rcode;
+	if (rcode == dns_rcode_noerror) {
+		message->flags |= DNS_MESSAGEFLAG_AA;
+	} else {
+		message->flags &= ~DNS_MESSAGEFLAG_AA;
+	}
+
+	ns_client_send(client);
+	isc_nmhandle_detach(&client->reqhandle);
+}
+
+void
+ns_notify_start(ns_client_t *client, isc_nmhandle_t *handle) {
+	dns_message_t *request = client->message;
+	isc_result_t result;
+	dns_name_t *zonename;
+	dns_rdataset_t *zone_rdataset;
+	dns_zone_t *zone = NULL;
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char tsigbuf[DNS_NAME_FORMATSIZE * 2 + sizeof(": TSIG '' ()")];
+	dns_tsigkey_t *tsigkey;
+
+	/*
+	 * Attach to the request handle
+	 */
+	isc_nmhandle_attach(handle, &client->reqhandle);
+
+	/*
+	 * Interpret the question section.
+	 */
+	result = dns_message_firstname(request, DNS_SECTION_QUESTION);
+	if (result != ISC_R_SUCCESS) {
+		notify_log(client, ISC_LOG_NOTICE,
+			   "notify question section empty");
+		result = DNS_R_FORMERR;
+		goto done;
+	}
+
+	/*
+	 * The question section must contain exactly one question.
+	 */
+	zonename = NULL;
+	dns_message_currentname(request, DNS_SECTION_QUESTION, &zonename);
+	zone_rdataset = ISC_LIST_HEAD(zonename->list);
+	if (ISC_LIST_NEXT(zone_rdataset, link) != NULL) {
+		notify_log(client, ISC_LOG_NOTICE,
+			   "notify question section contains multiple RRs");
+		result = DNS_R_FORMERR;
+		goto done;
+	}
+
+	/* The zone section must have exactly one name. */
+	result = dns_message_nextname(request, DNS_SECTION_ZONE);
+	if (result != ISC_R_NOMORE) {
+		notify_log(client, ISC_LOG_NOTICE,
+			   "notify question section contains multiple RRs");
+		result = DNS_R_FORMERR;
+		goto done;
+	}
+
+	/* The one rdataset must be an SOA. */
+	if (zone_rdataset->type != dns_rdatatype_soa) {
+		notify_log(client, ISC_LOG_NOTICE,
+			   "notify question section contains no SOA");
+		result = DNS_R_FORMERR;
+		goto done;
+	}
+
+	tsigkey = dns_message_gettsigkey(request);
+	if (tsigkey != NULL) {
+		dns_name_format(&tsigkey->name, namebuf, sizeof(namebuf));
+
+		if (tsigkey->generated) {
+			char cnamebuf[DNS_NAME_FORMATSIZE];
+			dns_name_format(tsigkey->creator, cnamebuf,
+					sizeof(cnamebuf));
+			snprintf(tsigbuf, sizeof(tsigbuf), ": TSIG '%s' (%s)",
+				 namebuf, cnamebuf);
+		} else {
+			snprintf(tsigbuf, sizeof(tsigbuf), ": TSIG '%s'",
+				 namebuf);
+		}
+	} else {
+		tsigbuf[0] = '\0';
+	}
+
+	dns_name_format(zonename, namebuf, sizeof(namebuf));
+	result = dns_zt_find(client->view->zonetable, zonename, 0, NULL, &zone);
+	if (result == ISC_R_SUCCESS) {
+		dns_zonetype_t zonetype = dns_zone_gettype(zone);
+
+		if ((zonetype == dns_zone_primary) ||
+		    (zonetype == dns_zone_secondary) ||
+		    (zonetype == dns_zone_mirror) ||
+		    (zonetype == dns_zone_stub))
+		{
+			isc_sockaddr_t *from = ns_client_getsockaddr(client);
+			isc_sockaddr_t *to = ns_client_getdestaddr(client);
+			notify_log(client, ISC_LOG_INFO,
+				   "received notify for zone '%s'%s", namebuf,
+				   tsigbuf);
+			result = dns_zone_notifyreceive(zone, from, to,
+							request);
+			goto done;
+		}
+	}
+
+	notify_log(client, ISC_LOG_NOTICE,
+		   "received notify for zone '%s'%s: not authoritative",
+		   namebuf, tsigbuf);
+	result = DNS_R_NOTAUTH;
+
+done:
+	if (zone != NULL) {
+		dns_zone_detach(&zone);
+	}
+	respond(client, result);
+}
diff --git a/lib/ns/query.c b/lib/ns/query.c
new file mode 100644
index 0000000..4503b8d
--- /dev/null
+++ b/lib/ns/query.c
@@ -0,0 +1,12013 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <ctype.h>
+#include <inttypes.h>
+#include <stdbool.h>
+#include <string.h>
+
+#include <isc/hex.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/print.h>
+#include <isc/random.h>
+#include <isc/rwlock.h>
+#include <isc/serial.h>
+#include <isc/stats.h>
+#include <isc/string.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+
+#include <dns/adb.h>
+#include <dns/badcache.h>
+#include <dns/byaddr.h>
+#include <dns/cache.h>
+#include <dns/db.h>
+#include <dns/dlz.h>
+#include <dns/dns64.h>
+#include <dns/dnsrps.h>
+#include <dns/dnssec.h>
+#include <dns/events.h>
+#include <dns/keytable.h>
+#include <dns/message.h>
+#include <dns/ncache.h>
+#include <dns/nsec.h>
+#include <dns/nsec3.h>
+#include <dns/order.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/resolver.h>
+#include <dns/result.h>
+#include <dns/stats.h>
+#include <dns/tkey.h>
+#include <dns/types.h>
+#include <dns/view.h>
+#include <dns/zone.h>
+#include <dns/zt.h>
+
+#include <ns/client.h>
+#include <ns/hooks.h>
+#include <ns/interfacemgr.h>
+#include <ns/log.h>
+#include <ns/server.h>
+#include <ns/sortlist.h>
+#include <ns/stats.h>
+#include <ns/xfrout.h>
+
+#if 0
+/*
+ * It has been recommended that DNS64 be changed to return excluded
+ * AAAA addresses if DNS64 synthesis does not occur.  This minimises
+ * the impact on the lookup results.  While most DNS AAAA lookups are
+ * done to send IP packets to a host, not all of them are and filtering
+ * excluded addresses has a negative impact on those uses.
+ */
+#define dns64_bis_return_excluded_addresses 1
+#endif /* if 0 */
+
+/*%
+ * Maximum number of chained queries before we give up
+ * to prevent CNAME loops.
+ */
+#define MAX_RESTARTS 16
+
+#define QUERY_ERROR(qctx, r)                  \
+	do {                                  \
+		(qctx)->result = r;           \
+		(qctx)->want_restart = false; \
+		(qctx)->line = __LINE__;      \
+	} while (0)
+
+/*% Partial answer? */
+#define PARTIALANSWER(c) \
+	(((c)->query.attributes & NS_QUERYATTR_PARTIALANSWER) != 0)
+/*% Use Cache? */
+#define USECACHE(c) (((c)->query.attributes & NS_QUERYATTR_CACHEOK) != 0)
+/*% Recursion OK? */
+#define RECURSIONOK(c) (((c)->query.attributes & NS_QUERYATTR_RECURSIONOK) != 0)
+/*% Recursing? */
+#define RECURSING(c) (((c)->query.attributes & NS_QUERYATTR_RECURSING) != 0)
+/*% Want Recursion? */
+#define WANTRECURSION(c) \
+	(((c)->query.attributes & NS_QUERYATTR_WANTRECURSION) != 0)
+/*% Is TCP? */
+#define TCP(c) (((c)->attributes & NS_CLIENTATTR_TCP) != 0)
+
+/*% Want DNSSEC? */
+#define WANTDNSSEC(c) (((c)->attributes & NS_CLIENTATTR_WANTDNSSEC) != 0)
+/*% Want WANTAD? */
+#define WANTAD(c) (((c)->attributes & NS_CLIENTATTR_WANTAD) != 0)
+/*% Client presented a valid COOKIE. */
+#define HAVECOOKIE(c) (((c)->attributes & NS_CLIENTATTR_HAVECOOKIE) != 0)
+/*% Client presented a COOKIE. */
+#define WANTCOOKIE(c) (((c)->attributes & NS_CLIENTATTR_WANTCOOKIE) != 0)
+/*% Client presented a CLIENT-SUBNET option. */
+#define HAVEECS(c) (((c)->attributes & NS_CLIENTATTR_HAVEECS) != 0)
+/*% No authority? */
+#define NOAUTHORITY(c) (((c)->query.attributes & NS_QUERYATTR_NOAUTHORITY) != 0)
+/*% No additional? */
+#define NOADDITIONAL(c) \
+	(((c)->query.attributes & NS_QUERYATTR_NOADDITIONAL) != 0)
+/*% Secure? */
+#define SECURE(c) (((c)->query.attributes & NS_QUERYATTR_SECURE) != 0)
+/*% DNS64 A lookup? */
+#define DNS64(c) (((c)->query.attributes & NS_QUERYATTR_DNS64) != 0)
+
+#define DNS64EXCLUDE(c) \
+	(((c)->query.attributes & NS_QUERYATTR_DNS64EXCLUDE) != 0)
+
+#define REDIRECT(c) (((c)->query.attributes & NS_QUERYATTR_REDIRECT) != 0)
+
+/*% Was the client already sent a response? */
+#define QUERY_ANSWERED(q) (((q)->attributes & NS_QUERYATTR_ANSWERED) != 0)
+
+/*% Have we already processed an answer via stale-answer-client-timeout? */
+#define QUERY_STALEPENDING(q) \
+	(((q)->attributes & NS_QUERYATTR_STALEPENDING) != 0)
+
+/*% Does the query allow stale data in the response? */
+#define QUERY_STALEOK(q) (((q)->attributes & NS_QUERYATTR_STALEOK) != 0)
+
+/*% Does the query wants to check for stale RRset due to a timeout? */
+#define QUERY_STALETIMEOUT(q) (((q)->dboptions & DNS_DBFIND_STALETIMEOUT) != 0)
+
+/*% Does the rdataset 'r' have an attached 'No QNAME Proof'? */
+#define NOQNAME(r) (((r)->attributes & DNS_RDATASETATTR_NOQNAME) != 0)
+
+/*% Does the rdataset 'r' contain a stale answer? */
+#define STALE(r) (((r)->attributes & DNS_RDATASETATTR_STALE) != 0)
+
+/*% Does the rdataset 'r' is stale and within stale-refresh-time? */
+#define STALE_WINDOW(r) (((r)->attributes & DNS_RDATASETATTR_STALE_WINDOW) != 0)
+
+#ifdef WANT_QUERYTRACE
+static void
+client_trace(ns_client_t *client, int level, const char *message) {
+	if (client != NULL && client->query.qname != NULL) {
+		if (isc_log_wouldlog(ns_lctx, level)) {
+			char qbuf[DNS_NAME_FORMATSIZE];
+			char tbuf[DNS_RDATATYPE_FORMATSIZE];
+			dns_name_format(client->query.qname, qbuf,
+					sizeof(qbuf));
+			dns_rdatatype_format(client->query.qtype, tbuf,
+					     sizeof(tbuf));
+			isc_log_write(ns_lctx, NS_LOGCATEGORY_CLIENT,
+				      NS_LOGMODULE_QUERY, level,
+				      "query client=%p thread=0x%" PRIxPTR
+				      "(%s/%s): %s",
+				      client, isc_thread_self(), qbuf, tbuf,
+				      message);
+		}
+	} else {
+		isc_log_write(ns_lctx, NS_LOGCATEGORY_CLIENT,
+			      NS_LOGMODULE_QUERY, level,
+			      "query client=%p thread=0x%" PRIxPTR
+			      "(<unknown-query>): %s",
+			      client, isc_thread_self(), message);
+	}
+}
+#define CTRACE(l, m)  client_trace(client, l, m)
+#define CCTRACE(l, m) client_trace(qctx->client, l, m)
+#else /* ifdef WANT_QUERYTRACE */
+#define CTRACE(l, m)  ((void)m)
+#define CCTRACE(l, m) ((void)m)
+#endif /* WANT_QUERYTRACE */
+
+#define DNS_GETDB_NOEXACT    0x01U
+#define DNS_GETDB_NOLOG	     0x02U
+#define DNS_GETDB_PARTIAL    0x04U
+#define DNS_GETDB_IGNOREACL  0x08U
+#define DNS_GETDB_STALEFIRST 0X0CU
+
+#define PENDINGOK(x) (((x)&DNS_DBFIND_PENDINGOK) != 0)
+
+#define SFCACHE_CDFLAG 0x1
+
+/*
+ * These have the same semantics as:
+ *
+ * 	foo_attach(b, a);
+ *	foo_detach(&a);
+ *
+ * without the locking and magic testing.
+ *
+ * We use SAVE and RESTORE as that shows the operation being performed.
+ */
+#define SAVE(a, b)                 \
+	do {                       \
+		INSIST(a == NULL); \
+		a = b;             \
+		b = NULL;          \
+	} while (0)
+#define RESTORE(a, b) SAVE(a, b)
+
+static bool
+validate(ns_client_t *client, dns_db_t *db, dns_name_t *name,
+	 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
+
+static void
+query_findclosestnsec3(dns_name_t *qname, dns_db_t *db,
+		       dns_dbversion_t *version, ns_client_t *client,
+		       dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
+		       dns_name_t *fname, bool exact, dns_name_t *found);
+
+static void
+log_queryerror(ns_client_t *client, isc_result_t result, int line, int level);
+
+static void
+rpz_st_clear(ns_client_t *client);
+
+static bool
+rpz_ck_dnssec(ns_client_t *client, isc_result_t qresult,
+	      dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
+
+static void
+log_noexistnodata(void *val, int level, const char *fmt, ...)
+	ISC_FORMAT_PRINTF(3, 4);
+
+/*
+ * Return the hooktable in use with 'qctx', or if there isn't one
+ * set, return the default hooktable.
+ */
+static ns_hooktable_t *
+get_hooktab(query_ctx_t *qctx) {
+	if (qctx == NULL || qctx->view == NULL || qctx->view->hooktable == NULL)
+	{
+		return (ns__hook_table);
+	}
+
+	return (qctx->view->hooktable);
+}
+
+/*
+ * Call the specified hook function in every configured module that implements
+ * that function. If any hook function returns NS_HOOK_RETURN, we
+ * set 'result' and terminate processing by jumping to the 'cleanup' tag.
+ *
+ * (Note that a hook function may set the 'result' to ISC_R_SUCCESS but
+ * still terminate processing within the calling function. That's why this
+ * is a macro instead of a static function; it needs to be able to use
+ * 'goto cleanup' regardless of the return value.)
+ */
+#define CALL_HOOK(_id, _qctx)                                       \
+	do {                                                        \
+		isc_result_t _res;                                  \
+		ns_hooktable_t *_tab = get_hooktab(_qctx);          \
+		ns_hook_t *_hook;                                   \
+		_hook = ISC_LIST_HEAD((*_tab)[_id]);                \
+		while (_hook != NULL) {                             \
+			ns_hook_action_t _func = _hook->action;     \
+			void *_data = _hook->action_data;           \
+			INSIST(_func != NULL);                      \
+			switch (_func(_qctx, _data, &_res)) {       \
+			case NS_HOOK_CONTINUE:                      \
+				_hook = ISC_LIST_NEXT(_hook, link); \
+				break;                              \
+			case NS_HOOK_RETURN:                        \
+				result = _res;                      \
+				goto cleanup;                       \
+			default:                                    \
+				UNREACHABLE();                      \
+			}                                           \
+		}                                                   \
+	} while (false)
+
+/*
+ * Call the specified hook function in every configured module that
+ * implements that function. All modules are called; hook function return
+ * codes are ignored. This is intended for use with initialization and
+ * destruction calls which *must* run in every configured module.
+ *
+ * (This could be implemented as a static void function, but is left as a
+ * macro for symmetry with CALL_HOOK above.)
+ */
+#define CALL_HOOK_NORETURN(_id, _qctx)                          \
+	do {                                                    \
+		isc_result_t _res;                              \
+		ns_hooktable_t *_tab = get_hooktab(_qctx);      \
+		ns_hook_t *_hook;                               \
+		_hook = ISC_LIST_HEAD((*_tab)[_id]);            \
+		while (_hook != NULL) {                         \
+			ns_hook_action_t _func = _hook->action; \
+			void *_data = _hook->action_data;       \
+			INSIST(_func != NULL);                  \
+			_func(_qctx, _data, &_res);             \
+			_hook = ISC_LIST_NEXT(_hook, link);     \
+		}                                               \
+	} while (false)
+
+/*
+ * The functions defined below implement the query logic that previously lived
+ * in the single very complex function query_find().  The query_ctx_t structure
+ * defined in <ns/query.h> maintains state from function to function.  The call
+ * flow for the general query processing algorithm is described below:
+ *
+ * 1. Set up query context and other resources for a client
+ *    query (query_setup())
+ *
+ * 2. Start the search (ns__query_start())
+ *
+ * 3. Identify authoritative data sources which may have an answer;
+ *    search them (query_lookup()). If an answer is found, go to 7.
+ *
+ * 4. If recursion or cache access are allowed, search the cache
+ *    (query_lookup() again, using the cache database) to find a better
+ *    answer. If an answer is found, go to 7.
+ *
+ * 5. If recursion is allowed, begin recursion (ns_query_recurse()).
+ *    Go to 15 to clean up this phase of the query. When recursion
+ *    is complete, processing will resume at 6.
+ *
+ * 6. Resume from recursion; set up query context for resumed processing.
+ *
+ * 7. Determine what sort of answer we've found (query_gotanswer())
+ *    and call other functions accordingly:
+ *      - not found (auth or cache), go to 8
+ *      - delegation, go to 9
+ *      - no such domain (auth), go to 10
+ *      - empty answer (auth), go to 11
+ *      - negative response (cache), go to 12
+ *      - answer found, go to 13
+ *
+ * 8. The answer was not found in the database (query_notfound().
+ *    Set up a referral and go to 9.
+ *
+ * 9. Handle a delegation response (query_delegation()). If we need
+ *    to and are allowed to recurse (query_delegation_recurse()), go to 5,
+ *    otherwise go to 15 to clean up and return the delegation to the client.
+ *
+ * 10. No such domain (query_nxdomain()). Attempt redirection; if
+ *     unsuccessful, add authority section records (query_addsoa(),
+ *     query_addauth()), then go to 15 to return NXDOMAIN to client.
+ *
+ * 11. Empty answer (query_nodata()). Add authority section records
+ *     (query_addsoa(), query_addauth()) and signatures if authoritative
+ *     (query_sign_nodata()) then go to 15 and return
+ *     NOERROR/ANCOUNT=0 to client.
+ *
+ * 12. No such domain or empty answer returned from cache (query_ncache()).
+ *     Set response code appropriately, go to 11.
+ *
+ * 13. Prepare a response (query_prepresponse()) and then fill it
+ *     appropriately (query_respond(), or for type ANY,
+ *     query_respond_any()).
+ *
+ * 14. If a restart is needed due to CNAME/DNAME chaining, go to 2.
+ *
+ * 15. Clean up resources. If recursing, stop and wait for the event
+ *     handler to be called back (step 6).  If an answer is ready,
+ *     return it to the client.
+ *
+ * (XXX: This description omits several special cases including
+ * DNS64, RPZ, RRL, and the SERVFAIL cache. It also doesn't discuss
+ * plugins.)
+ */
+
+static void
+query_trace(query_ctx_t *qctx);
+
+static void
+qctx_init(ns_client_t *client, dns_fetchevent_t **eventp, dns_rdatatype_t qtype,
+	  query_ctx_t *qctx);
+
+static isc_result_t
+query_setup(ns_client_t *client, dns_rdatatype_t qtype);
+
+static isc_result_t
+query_lookup(query_ctx_t *qctx);
+
+static void
+fetch_callback(isc_task_t *task, isc_event_t *event);
+
+static void
+recparam_update(ns_query_recparam_t *param, dns_rdatatype_t qtype,
+		const dns_name_t *qname, const dns_name_t *qdomain);
+
+static isc_result_t
+query_resume(query_ctx_t *qctx);
+
+static isc_result_t
+query_checkrrl(query_ctx_t *qctx, isc_result_t result);
+
+static isc_result_t
+query_checkrpz(query_ctx_t *qctx, isc_result_t result);
+
+static isc_result_t
+query_rpzcname(query_ctx_t *qctx, dns_name_t *cname);
+
+static isc_result_t
+query_gotanswer(query_ctx_t *qctx, isc_result_t result);
+
+static void
+query_addnoqnameproof(query_ctx_t *qctx);
+
+static isc_result_t
+query_respond_any(query_ctx_t *qctx);
+
+static isc_result_t
+query_respond(query_ctx_t *qctx);
+
+static isc_result_t
+query_dns64(query_ctx_t *qctx);
+
+static void
+query_filter64(query_ctx_t *qctx);
+
+static isc_result_t
+query_notfound(query_ctx_t *qctx);
+
+static isc_result_t
+query_zone_delegation(query_ctx_t *qctx);
+
+static isc_result_t
+query_delegation(query_ctx_t *qctx);
+
+static isc_result_t
+query_delegation_recurse(query_ctx_t *qctx);
+
+static void
+query_addds(query_ctx_t *qctx);
+
+static isc_result_t
+query_nodata(query_ctx_t *qctx, isc_result_t result);
+
+static isc_result_t
+query_sign_nodata(query_ctx_t *qctx);
+
+static void
+query_addnxrrsetnsec(query_ctx_t *qctx);
+
+static isc_result_t
+query_nxdomain(query_ctx_t *qctx, bool empty_wild);
+
+static isc_result_t
+query_redirect(query_ctx_t *qctx);
+
+static isc_result_t
+query_ncache(query_ctx_t *qctx, isc_result_t result);
+
+static isc_result_t
+query_coveringnsec(query_ctx_t *qctx);
+
+static isc_result_t
+query_zerottl_refetch(query_ctx_t *qctx);
+
+static isc_result_t
+query_cname(query_ctx_t *qctx);
+
+static isc_result_t
+query_dname(query_ctx_t *qctx);
+
+static isc_result_t
+query_addcname(query_ctx_t *qctx, dns_trust_t trust, dns_ttl_t ttl);
+
+static isc_result_t
+query_prepresponse(query_ctx_t *qctx);
+
+static isc_result_t
+query_addsoa(query_ctx_t *qctx, unsigned int override_ttl,
+	     dns_section_t section);
+
+static isc_result_t
+query_addns(query_ctx_t *qctx);
+
+static void
+query_addbestns(query_ctx_t *qctx);
+
+static void
+query_addwildcardproof(query_ctx_t *qctx, bool ispositive, bool nodata);
+
+static void
+query_addauth(query_ctx_t *qctx);
+
+static void
+query_clear_stale(ns_client_t *client);
+
+/*
+ * Increment query statistics counters.
+ */
+static void
+inc_stats(ns_client_t *client, isc_statscounter_t counter) {
+	dns_zone_t *zone = client->query.authzone;
+	dns_rdatatype_t qtype;
+	dns_rdataset_t *rdataset;
+	isc_stats_t *zonestats;
+	dns_stats_t *querystats = NULL;
+
+	ns_stats_increment(client->sctx->nsstats, counter);
+
+	if (zone == NULL) {
+		return;
+	}
+
+	/* Do regular response type stats */
+	zonestats = dns_zone_getrequeststats(zone);
+
+	if (zonestats != NULL) {
+		isc_stats_increment(zonestats, counter);
+	}
+
+	/* Do query type statistics
+	 *
+	 * We only increment per-type if we're using the authoritative
+	 * answer counter, preventing double-counting.
+	 */
+	if (counter == ns_statscounter_authans) {
+		querystats = dns_zone_getrcvquerystats(zone);
+		if (querystats != NULL) {
+			rdataset = ISC_LIST_HEAD(client->query.qname->list);
+			if (rdataset != NULL) {
+				qtype = rdataset->type;
+				dns_rdatatypestats_increment(querystats, qtype);
+			}
+		}
+	}
+}
+
+static void
+query_send(ns_client_t *client) {
+	isc_statscounter_t counter;
+
+	if ((client->message->flags & DNS_MESSAGEFLAG_AA) == 0) {
+		inc_stats(client, ns_statscounter_nonauthans);
+	} else {
+		inc_stats(client, ns_statscounter_authans);
+	}
+
+	if (client->message->rcode == dns_rcode_noerror) {
+		dns_section_t answer = DNS_SECTION_ANSWER;
+		if (ISC_LIST_EMPTY(client->message->sections[answer])) {
+			if (client->query.isreferral) {
+				counter = ns_statscounter_referral;
+			} else {
+				counter = ns_statscounter_nxrrset;
+			}
+		} else {
+			counter = ns_statscounter_success;
+		}
+	} else if (client->message->rcode == dns_rcode_nxdomain) {
+		counter = ns_statscounter_nxdomain;
+	} else if (client->message->rcode == dns_rcode_badcookie) {
+		counter = ns_statscounter_badcookie;
+	} else { /* We end up here in case of YXDOMAIN, and maybe others */
+		counter = ns_statscounter_failure;
+	}
+
+	inc_stats(client, counter);
+	ns_client_send(client);
+
+	if (!client->nodetach) {
+		isc_nmhandle_detach(&client->reqhandle);
+	}
+}
+
+static void
+query_error(ns_client_t *client, isc_result_t result, int line) {
+	int loglevel = ISC_LOG_DEBUG(3);
+
+	switch (dns_result_torcode(result)) {
+	case dns_rcode_servfail:
+		loglevel = ISC_LOG_DEBUG(1);
+		inc_stats(client, ns_statscounter_servfail);
+		break;
+	case dns_rcode_formerr:
+		inc_stats(client, ns_statscounter_formerr);
+		break;
+	default:
+		inc_stats(client, ns_statscounter_failure);
+		break;
+	}
+
+	if ((client->sctx->options & NS_SERVER_LOGQUERIES) != 0) {
+		loglevel = ISC_LOG_INFO;
+	}
+
+	log_queryerror(client, result, line, loglevel);
+
+	ns_client_error(client, result);
+
+	if (!client->nodetach) {
+		isc_nmhandle_detach(&client->reqhandle);
+	}
+}
+
+static void
+query_next(ns_client_t *client, isc_result_t result) {
+	if (result == DNS_R_DUPLICATE) {
+		inc_stats(client, ns_statscounter_duplicate);
+	} else if (result == DNS_R_DROP) {
+		inc_stats(client, ns_statscounter_dropped);
+	} else {
+		inc_stats(client, ns_statscounter_failure);
+	}
+	ns_client_drop(client, result);
+
+	if (!client->nodetach) {
+		isc_nmhandle_detach(&client->reqhandle);
+	}
+}
+
+static void
+query_freefreeversions(ns_client_t *client, bool everything) {
+	ns_dbversion_t *dbversion, *dbversion_next;
+	unsigned int i;
+
+	for (dbversion = ISC_LIST_HEAD(client->query.freeversions), i = 0;
+	     dbversion != NULL; dbversion = dbversion_next, i++)
+	{
+		dbversion_next = ISC_LIST_NEXT(dbversion, link);
+		/*
+		 * If we're not freeing everything, we keep the first three
+		 * dbversions structures around.
+		 */
+		if (i > 3 || everything) {
+			ISC_LIST_UNLINK(client->query.freeversions, dbversion,
+					link);
+			isc_mem_put(client->mctx, dbversion,
+				    sizeof(*dbversion));
+		}
+	}
+}
+
+void
+ns_query_cancel(ns_client_t *client) {
+	REQUIRE(NS_CLIENT_VALID(client));
+
+	LOCK(&client->query.fetchlock);
+	if (client->query.fetch != NULL) {
+		dns_resolver_cancelfetch(client->query.fetch);
+
+		client->query.fetch = NULL;
+	}
+	UNLOCK(&client->query.fetchlock);
+}
+
+static void
+query_reset(ns_client_t *client, bool everything) {
+	isc_buffer_t *dbuf, *dbuf_next;
+	ns_dbversion_t *dbversion, *dbversion_next;
+
+	CTRACE(ISC_LOG_DEBUG(3), "query_reset");
+
+	/*%
+	 * Reset the query state of a client to its default state.
+	 */
+
+	/*
+	 * Cancel the fetch if it's running.
+	 */
+	ns_query_cancel(client);
+
+	/*
+	 * Cleanup any active versions.
+	 */
+	for (dbversion = ISC_LIST_HEAD(client->query.activeversions);
+	     dbversion != NULL; dbversion = dbversion_next)
+	{
+		dbversion_next = ISC_LIST_NEXT(dbversion, link);
+		dns_db_closeversion(dbversion->db, &dbversion->version, false);
+		dns_db_detach(&dbversion->db);
+		ISC_LIST_INITANDAPPEND(client->query.freeversions, dbversion,
+				       link);
+	}
+	ISC_LIST_INIT(client->query.activeversions);
+
+	if (client->query.authdb != NULL) {
+		dns_db_detach(&client->query.authdb);
+	}
+	if (client->query.authzone != NULL) {
+		dns_zone_detach(&client->query.authzone);
+	}
+
+	if (client->query.dns64_aaaa != NULL) {
+		ns_client_putrdataset(client, &client->query.dns64_aaaa);
+	}
+	if (client->query.dns64_sigaaaa != NULL) {
+		ns_client_putrdataset(client, &client->query.dns64_sigaaaa);
+	}
+	if (client->query.dns64_aaaaok != NULL) {
+		isc_mem_put(client->mctx, client->query.dns64_aaaaok,
+			    client->query.dns64_aaaaoklen * sizeof(bool));
+		client->query.dns64_aaaaok = NULL;
+		client->query.dns64_aaaaoklen = 0;
+	}
+
+	ns_client_putrdataset(client, &client->query.redirect.rdataset);
+	ns_client_putrdataset(client, &client->query.redirect.sigrdataset);
+	if (client->query.redirect.db != NULL) {
+		if (client->query.redirect.node != NULL) {
+			dns_db_detachnode(client->query.redirect.db,
+					  &client->query.redirect.node);
+		}
+		dns_db_detach(&client->query.redirect.db);
+	}
+	if (client->query.redirect.zone != NULL) {
+		dns_zone_detach(&client->query.redirect.zone);
+	}
+
+	query_freefreeversions(client, everything);
+
+	for (dbuf = ISC_LIST_HEAD(client->query.namebufs); dbuf != NULL;
+	     dbuf = dbuf_next)
+	{
+		dbuf_next = ISC_LIST_NEXT(dbuf, link);
+		if (dbuf_next != NULL || everything) {
+			ISC_LIST_UNLINK(client->query.namebufs, dbuf, link);
+			isc_buffer_free(&dbuf);
+		}
+	}
+
+	if (client->query.restarts > 0) {
+		/*
+		 * client->query.qname was dynamically allocated.
+		 */
+		dns_message_puttempname(client->message, &client->query.qname);
+	}
+	client->query.qname = NULL;
+	client->query.attributes = (NS_QUERYATTR_RECURSIONOK |
+				    NS_QUERYATTR_CACHEOK | NS_QUERYATTR_SECURE);
+	client->query.restarts = 0;
+	client->query.timerset = false;
+	if (client->query.rpz_st != NULL) {
+		rpz_st_clear(client);
+		if (everything) {
+			INSIST(client->query.rpz_st->rpsdb == NULL);
+			isc_mem_put(client->mctx, client->query.rpz_st,
+				    sizeof(*client->query.rpz_st));
+			client->query.rpz_st = NULL;
+		}
+	}
+	client->query.origqname = NULL;
+	client->query.dboptions = 0;
+	client->query.fetchoptions = 0;
+	client->query.gluedb = NULL;
+	client->query.authdbset = false;
+	client->query.isreferral = false;
+	client->query.dns64_options = 0;
+	client->query.dns64_ttl = UINT32_MAX;
+	recparam_update(&client->query.recparam, 0, NULL, NULL);
+	client->query.root_key_sentinel_keyid = 0;
+	client->query.root_key_sentinel_is_ta = false;
+	client->query.root_key_sentinel_not_ta = false;
+}
+
+static void
+query_cleanup(ns_client_t *client) {
+	query_reset(client, false);
+}
+
+void
+ns_query_free(ns_client_t *client) {
+	REQUIRE(NS_CLIENT_VALID(client));
+
+	query_reset(client, true);
+}
+
+isc_result_t
+ns_query_init(ns_client_t *client) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(NS_CLIENT_VALID(client));
+
+	ISC_LIST_INIT(client->query.namebufs);
+	ISC_LIST_INIT(client->query.activeversions);
+	ISC_LIST_INIT(client->query.freeversions);
+	client->query.restarts = 0;
+	client->query.timerset = false;
+	client->query.rpz_st = NULL;
+	client->query.qname = NULL;
+	/*
+	 * This mutex is destroyed when the client is destroyed in
+	 * exit_check().
+	 */
+	isc_mutex_init(&client->query.fetchlock);
+
+	client->query.fetch = NULL;
+	client->query.prefetch = NULL;
+	client->query.authdb = NULL;
+	client->query.authzone = NULL;
+	client->query.authdbset = false;
+	client->query.isreferral = false;
+	client->query.dns64_aaaa = NULL;
+	client->query.dns64_sigaaaa = NULL;
+	client->query.dns64_aaaaok = NULL;
+	client->query.dns64_aaaaoklen = 0;
+	client->query.redirect.db = NULL;
+	client->query.redirect.node = NULL;
+	client->query.redirect.zone = NULL;
+	client->query.redirect.qtype = dns_rdatatype_none;
+	client->query.redirect.result = ISC_R_SUCCESS;
+	client->query.redirect.rdataset = NULL;
+	client->query.redirect.sigrdataset = NULL;
+	client->query.redirect.authoritative = false;
+	client->query.redirect.is_zone = false;
+	client->query.redirect.fname =
+		dns_fixedname_initname(&client->query.redirect.fixed);
+	query_reset(client, false);
+	ns_client_newdbversion(client, 3);
+	ns_client_newnamebuf(client);
+
+	return (result);
+}
+
+/*%
+ * Check if 'client' is allowed to query the cache of its associated view.
+ * Unless 'options' has DNS_GETDB_NOLOG set, log the result of cache ACL
+ * evaluation using the appropriate level, along with 'name' and 'qtype'.
+ *
+ * The cache ACL is only evaluated once for each client and then the result is
+ * cached: if NS_QUERYATTR_CACHEACLOKVALID is set in client->query.attributes,
+ * cache ACL evaluation has already been performed.  The evaluation result is
+ * also stored in client->query.attributes: if NS_QUERYATTR_CACHEACLOK is set,
+ * the client is allowed cache access.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS	'client' is allowed to access cache
+ *\li	#DNS_R_REFUSED	'client' is not allowed to access cache
+ */
+static isc_result_t
+query_checkcacheaccess(ns_client_t *client, const dns_name_t *name,
+		       dns_rdatatype_t qtype, unsigned int options) {
+	isc_result_t result;
+
+	if ((client->query.attributes & NS_QUERYATTR_CACHEACLOKVALID) == 0) {
+		/*
+		 * The view's cache ACLs have not yet been evaluated.
+		 * Do it now. Both allow-query-cache and
+		 * allow-query-cache-on must be satsified.
+		 */
+		bool log = ((options & DNS_GETDB_NOLOG) == 0);
+		char msg[NS_CLIENT_ACLMSGSIZE("query (cache)")];
+
+		result = ns_client_checkaclsilent(client, NULL,
+						  client->view->cacheacl, true);
+		if (result == ISC_R_SUCCESS) {
+			result = ns_client_checkaclsilent(
+				client, &client->destaddr,
+				client->view->cacheonacl, true);
+		}
+		if (result == ISC_R_SUCCESS) {
+			/*
+			 * We were allowed by the "allow-query-cache" ACL.
+			 */
+			client->query.attributes |= NS_QUERYATTR_CACHEACLOK;
+			if (log && isc_log_wouldlog(ns_lctx, ISC_LOG_DEBUG(3)))
+			{
+				ns_client_aclmsg("query (cache)", name, qtype,
+						 client->view->rdclass, msg,
+						 sizeof(msg));
+				ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+					      NS_LOGMODULE_QUERY,
+					      ISC_LOG_DEBUG(3), "%s approved",
+					      msg);
+			}
+		} else if (log) {
+			/*
+			 * We were denied by the "allow-query-cache" ACL.
+			 * There is no need to clear NS_QUERYATTR_CACHEACLOK
+			 * since it is cleared by query_reset(), before query
+			 * processing starts.
+			 */
+			ns_client_aclmsg("query (cache)", name, qtype,
+					 client->view->rdclass, msg,
+					 sizeof(msg));
+			ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+				      NS_LOGMODULE_QUERY, ISC_LOG_INFO,
+				      "%s denied", msg);
+		}
+
+		/*
+		 * Evaluation has been finished; make sure we will just consult
+		 * NS_QUERYATTR_CACHEACLOK for this client from now on.
+		 */
+		client->query.attributes |= NS_QUERYATTR_CACHEACLOKVALID;
+	}
+
+	return ((client->query.attributes & NS_QUERYATTR_CACHEACLOK) != 0
+			? ISC_R_SUCCESS
+			: DNS_R_REFUSED);
+}
+
+static isc_result_t
+query_validatezonedb(ns_client_t *client, const dns_name_t *name,
+		     dns_rdatatype_t qtype, unsigned int options,
+		     dns_zone_t *zone, dns_db_t *db,
+		     dns_dbversion_t **versionp) {
+	isc_result_t result;
+	dns_acl_t *queryacl, *queryonacl;
+	ns_dbversion_t *dbversion;
+
+	REQUIRE(zone != NULL);
+	REQUIRE(db != NULL);
+
+	/*
+	 * Mirror zone data is treated as cache data.
+	 */
+	if (dns_zone_gettype(zone) == dns_zone_mirror) {
+		return (query_checkcacheaccess(client, name, qtype, options));
+	}
+
+	/*
+	 * This limits our searching to the zone where the first name
+	 * (the query target) was looked for.  This prevents following
+	 * CNAMES or DNAMES into other zones and prevents returning
+	 * additional data from other zones. This does not apply if we're
+	 * answering a query where recursion is requested and allowed.
+	 */
+	if (client->query.rpz_st == NULL &&
+	    !(WANTRECURSION(client) && RECURSIONOK(client)) &&
+	    client->query.authdbset && db != client->query.authdb)
+	{
+		return (DNS_R_REFUSED);
+	}
+
+	/*
+	 * Non recursive query to a static-stub zone is prohibited; its
+	 * zone content is not public data, but a part of local configuration
+	 * and should not be disclosed.
+	 */
+	if (dns_zone_gettype(zone) == dns_zone_staticstub &&
+	    !RECURSIONOK(client))
+	{
+		return (DNS_R_REFUSED);
+	}
+
+	/*
+	 * If the zone has an ACL, we'll check it, otherwise
+	 * we use the view's "allow-query" ACL.  Each ACL is only checked
+	 * once per query.
+	 *
+	 * Also, get the database version to use.
+	 */
+
+	/*
+	 * Get the current version of this database.
+	 */
+	dbversion = ns_client_findversion(client, db);
+	if (dbversion == NULL) {
+		CTRACE(ISC_LOG_ERROR, "unable to get db version");
+		return (DNS_R_SERVFAIL);
+	}
+
+	if ((options & DNS_GETDB_IGNOREACL) != 0) {
+		goto approved;
+	}
+	if (dbversion->acl_checked) {
+		if (!dbversion->queryok) {
+			return (DNS_R_REFUSED);
+		}
+		goto approved;
+	}
+
+	queryacl = dns_zone_getqueryacl(zone);
+	if (queryacl == NULL) {
+		queryacl = client->view->queryacl;
+		if ((client->query.attributes & NS_QUERYATTR_QUERYOKVALID) != 0)
+		{
+			/*
+			 * We've evaluated the view's queryacl already.  If
+			 * NS_QUERYATTR_QUERYOK is set, then the client is
+			 * allowed to make queries, otherwise the query should
+			 * be refused.
+			 */
+			dbversion->acl_checked = true;
+			if ((client->query.attributes & NS_QUERYATTR_QUERYOK) ==
+			    0)
+			{
+				dbversion->queryok = false;
+				return (DNS_R_REFUSED);
+			}
+			dbversion->queryok = true;
+			goto approved;
+		}
+	}
+
+	result = ns_client_checkaclsilent(client, NULL, queryacl, true);
+	if ((options & DNS_GETDB_NOLOG) == 0) {
+		char msg[NS_CLIENT_ACLMSGSIZE("query")];
+		if (result == ISC_R_SUCCESS) {
+			if (isc_log_wouldlog(ns_lctx, ISC_LOG_DEBUG(3))) {
+				ns_client_aclmsg("query", name, qtype,
+						 client->view->rdclass, msg,
+						 sizeof(msg));
+				ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+					      NS_LOGMODULE_QUERY,
+					      ISC_LOG_DEBUG(3), "%s approved",
+					      msg);
+			}
+		} else {
+			ns_client_aclmsg("query", name, qtype,
+					 client->view->rdclass, msg,
+					 sizeof(msg));
+			ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+				      NS_LOGMODULE_QUERY, ISC_LOG_INFO,
+				      "%s denied", msg);
+		}
+	}
+
+	if (queryacl == client->view->queryacl) {
+		if (result == ISC_R_SUCCESS) {
+			/*
+			 * We were allowed by the default
+			 * "allow-query" ACL.  Remember this so we
+			 * don't have to check again.
+			 */
+			client->query.attributes |= NS_QUERYATTR_QUERYOK;
+		}
+		/*
+		 * We've now evaluated the view's query ACL, and
+		 * the NS_QUERYATTR_QUERYOK attribute is now valid.
+		 */
+		client->query.attributes |= NS_QUERYATTR_QUERYOKVALID;
+	}
+
+	/* If and only if we've gotten this far, check allow-query-on too */
+	if (result == ISC_R_SUCCESS) {
+		queryonacl = dns_zone_getqueryonacl(zone);
+		if (queryonacl == NULL) {
+			queryonacl = client->view->queryonacl;
+		}
+
+		result = ns_client_checkaclsilent(client, &client->destaddr,
+						  queryonacl, true);
+		if ((options & DNS_GETDB_NOLOG) == 0 && result != ISC_R_SUCCESS)
+		{
+			ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+				      NS_LOGMODULE_QUERY, ISC_LOG_INFO,
+				      "query-on denied");
+		}
+	}
+
+	dbversion->acl_checked = true;
+	if (result != ISC_R_SUCCESS) {
+		dbversion->queryok = false;
+		return (DNS_R_REFUSED);
+	}
+	dbversion->queryok = true;
+
+approved:
+	/* Transfer ownership, if necessary. */
+	if (versionp != NULL) {
+		*versionp = dbversion->version;
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+query_getzonedb(ns_client_t *client, const dns_name_t *name,
+		dns_rdatatype_t qtype, unsigned int options, dns_zone_t **zonep,
+		dns_db_t **dbp, dns_dbversion_t **versionp) {
+	isc_result_t result;
+	unsigned int ztoptions;
+	dns_zone_t *zone = NULL;
+	dns_db_t *db = NULL;
+	bool partial = false;
+
+	REQUIRE(zonep != NULL && *zonep == NULL);
+	REQUIRE(dbp != NULL && *dbp == NULL);
+
+	/*%
+	 * Find a zone database to answer the query.
+	 */
+	ztoptions = DNS_ZTFIND_MIRROR;
+	if ((options & DNS_GETDB_NOEXACT) != 0) {
+		ztoptions |= DNS_ZTFIND_NOEXACT;
+	}
+
+	result = dns_zt_find(client->view->zonetable, name, ztoptions, NULL,
+			     &zone);
+
+	if (result == DNS_R_PARTIALMATCH) {
+		partial = true;
+	}
+	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
+		result = dns_zone_getdb(zone, &db);
+	}
+
+	if (result != ISC_R_SUCCESS) {
+		goto fail;
+	}
+
+	result = query_validatezonedb(client, name, qtype, options, zone, db,
+				      versionp);
+
+	if (result != ISC_R_SUCCESS) {
+		goto fail;
+	}
+
+	/* Transfer ownership. */
+	*zonep = zone;
+	*dbp = db;
+
+	if (partial && (options & DNS_GETDB_PARTIAL) != 0) {
+		return (DNS_R_PARTIALMATCH);
+	}
+	return (ISC_R_SUCCESS);
+
+fail:
+	if (zone != NULL) {
+		dns_zone_detach(&zone);
+	}
+	if (db != NULL) {
+		dns_db_detach(&db);
+	}
+
+	return (result);
+}
+
+static void
+rpz_log_rewrite(ns_client_t *client, bool disabled, dns_rpz_policy_t policy,
+		dns_rpz_type_t type, dns_zone_t *p_zone, dns_name_t *p_name,
+		dns_name_t *cname, dns_rpz_num_t rpz_num) {
+	char cname_buf[DNS_NAME_FORMATSIZE] = { 0 };
+	char p_name_buf[DNS_NAME_FORMATSIZE];
+	char qname_buf[DNS_NAME_FORMATSIZE];
+	char classbuf[DNS_RDATACLASS_FORMATSIZE];
+	char typebuf[DNS_RDATATYPE_FORMATSIZE];
+	const char *s1 = cname_buf, *s2 = cname_buf;
+	dns_rdataset_t *rdataset;
+	dns_rpz_st_t *st;
+	isc_stats_t *zonestats;
+
+	/*
+	 * Count enabled rewrites in the global counter.
+	 * Count both enabled and disabled rewrites for each zone.
+	 */
+	if (!disabled && policy != DNS_RPZ_POLICY_PASSTHRU) {
+		ns_stats_increment(client->sctx->nsstats,
+				   ns_statscounter_rpz_rewrites);
+	}
+	if (p_zone != NULL) {
+		zonestats = dns_zone_getrequeststats(p_zone);
+		if (zonestats != NULL) {
+			isc_stats_increment(zonestats,
+					    ns_statscounter_rpz_rewrites);
+		}
+	}
+
+	if (!isc_log_wouldlog(ns_lctx, DNS_RPZ_INFO_LEVEL)) {
+		return;
+	}
+
+	st = client->query.rpz_st;
+	if ((st->popt.no_log & DNS_RPZ_ZBIT(rpz_num)) != 0) {
+		return;
+	}
+
+	dns_name_format(client->query.qname, qname_buf, sizeof(qname_buf));
+	dns_name_format(p_name, p_name_buf, sizeof(p_name_buf));
+	if (cname != NULL) {
+		s1 = " (CNAME to: ";
+		dns_name_format(cname, cname_buf, sizeof(cname_buf));
+		s2 = ")";
+	}
+
+	/*
+	 *  Log Qclass and Qtype in addition to existing
+	 *  fields.
+	 */
+	rdataset = ISC_LIST_HEAD(client->query.origqname->list);
+	INSIST(rdataset != NULL);
+	dns_rdataclass_format(rdataset->rdclass, classbuf, sizeof(classbuf));
+	dns_rdatatype_format(rdataset->type, typebuf, sizeof(typebuf));
+
+	ns_client_log(client, DNS_LOGCATEGORY_RPZ, NS_LOGMODULE_QUERY,
+		      DNS_RPZ_INFO_LEVEL,
+		      "%srpz %s %s rewrite %s/%s/%s via %s%s%s%s",
+		      disabled ? "disabled " : "", dns_rpz_type2str(type),
+		      dns_rpz_policy2str(policy), qname_buf, typebuf, classbuf,
+		      p_name_buf, s1, cname_buf, s2);
+}
+
+static void
+rpz_log_fail_helper(ns_client_t *client, int level, dns_name_t *p_name,
+		    dns_rpz_type_t rpz_type1, dns_rpz_type_t rpz_type2,
+		    const char *str, isc_result_t result) {
+	char qnamebuf[DNS_NAME_FORMATSIZE];
+	char p_namebuf[DNS_NAME_FORMATSIZE];
+	const char *failed, *via, *slash, *str_blank;
+	const char *rpztypestr1;
+	const char *rpztypestr2;
+
+	if (!isc_log_wouldlog(ns_lctx, level)) {
+		return;
+	}
+
+	/*
+	 * bin/tests/system/rpz/tests.sh looks for "rpz.*failed" for problems.
+	 */
+	if (level <= DNS_RPZ_DEBUG_LEVEL1) {
+		failed = " failed: ";
+	} else {
+		failed = ": ";
+	}
+
+	rpztypestr1 = dns_rpz_type2str(rpz_type1);
+	if (rpz_type2 != DNS_RPZ_TYPE_BAD) {
+		slash = "/";
+		rpztypestr2 = dns_rpz_type2str(rpz_type2);
+	} else {
+		slash = "";
+		rpztypestr2 = "";
+	}
+
+	str_blank = (*str != ' ' && *str != '\0') ? " " : "";
+
+	dns_name_format(client->query.qname, qnamebuf, sizeof(qnamebuf));
+
+	if (p_name != NULL) {
+		via = " via ";
+		dns_name_format(p_name, p_namebuf, sizeof(p_namebuf));
+	} else {
+		via = "";
+		p_namebuf[0] = '\0';
+	}
+
+	ns_client_log(client, NS_LOGCATEGORY_QUERY_ERRORS, NS_LOGMODULE_QUERY,
+		      level, "rpz %s%s%s rewrite %s%s%s%s%s%s%s", rpztypestr1,
+		      slash, rpztypestr2, qnamebuf, via, p_namebuf, str_blank,
+		      str, failed, isc_result_totext(result));
+}
+
+static void
+rpz_log_fail(ns_client_t *client, int level, dns_name_t *p_name,
+	     dns_rpz_type_t rpz_type, const char *str, isc_result_t result) {
+	rpz_log_fail_helper(client, level, p_name, rpz_type, DNS_RPZ_TYPE_BAD,
+			    str, result);
+}
+
+/*
+ * Get a policy rewrite zone database.
+ */
+static isc_result_t
+rpz_getdb(ns_client_t *client, dns_name_t *p_name, dns_rpz_type_t rpz_type,
+	  dns_zone_t **zonep, dns_db_t **dbp, dns_dbversion_t **versionp) {
+	char qnamebuf[DNS_NAME_FORMATSIZE];
+	char p_namebuf[DNS_NAME_FORMATSIZE];
+	dns_dbversion_t *rpz_version = NULL;
+	isc_result_t result;
+
+	CTRACE(ISC_LOG_DEBUG(3), "rpz_getdb");
+
+	result = query_getzonedb(client, p_name, dns_rdatatype_any,
+				 DNS_GETDB_IGNOREACL, zonep, dbp, &rpz_version);
+	if (result == ISC_R_SUCCESS) {
+		dns_rpz_st_t *st = client->query.rpz_st;
+
+		/*
+		 * It isn't meaningful to log this message when
+		 * logging is disabled for some policy zones.
+		 */
+		if (st->popt.no_log == 0 &&
+		    isc_log_wouldlog(ns_lctx, DNS_RPZ_DEBUG_LEVEL2))
+		{
+			dns_name_format(client->query.qname, qnamebuf,
+					sizeof(qnamebuf));
+			dns_name_format(p_name, p_namebuf, sizeof(p_namebuf));
+			ns_client_log(client, DNS_LOGCATEGORY_RPZ,
+				      NS_LOGMODULE_QUERY, DNS_RPZ_DEBUG_LEVEL2,
+				      "try rpz %s rewrite %s via %s",
+				      dns_rpz_type2str(rpz_type), qnamebuf,
+				      p_namebuf);
+		}
+		*versionp = rpz_version;
+		return (ISC_R_SUCCESS);
+	}
+	rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, p_name, rpz_type,
+		     "query_getzonedb()", result);
+	return (result);
+}
+
+/*%
+ * Find a cache database to answer the query.  This may fail with DNS_R_REFUSED
+ * if the client is not allowed to use the cache.
+ */
+static isc_result_t
+query_getcachedb(ns_client_t *client, const dns_name_t *name,
+		 dns_rdatatype_t qtype, dns_db_t **dbp, unsigned int options) {
+	isc_result_t result;
+	dns_db_t *db = NULL;
+
+	REQUIRE(dbp != NULL && *dbp == NULL);
+
+	if (!USECACHE(client)) {
+		return (DNS_R_REFUSED);
+	}
+
+	dns_db_attach(client->view->cachedb, &db);
+
+	result = query_checkcacheaccess(client, name, qtype, options);
+	if (result != ISC_R_SUCCESS) {
+		dns_db_detach(&db);
+	}
+
+	/*
+	 * If query_checkcacheaccess() succeeded, transfer ownership of 'db'.
+	 * Otherwise, 'db' will be NULL due to the dns_db_detach() call above.
+	 */
+	*dbp = db;
+
+	return (result);
+}
+
+static isc_result_t
+query_getdb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
+	    unsigned int options, dns_zone_t **zonep, dns_db_t **dbp,
+	    dns_dbversion_t **versionp, bool *is_zonep) {
+	isc_result_t result;
+	isc_result_t tresult;
+	unsigned int namelabels;
+	unsigned int zonelabels;
+	dns_zone_t *zone = NULL;
+
+	REQUIRE(zonep != NULL && *zonep == NULL);
+
+	/* Calculate how many labels are in name. */
+	namelabels = dns_name_countlabels(name);
+	zonelabels = 0;
+
+	/* Try to find name in bind's standard database. */
+	result = query_getzonedb(client, name, qtype, options, &zone, dbp,
+				 versionp);
+
+	/* See how many labels are in the zone's name.	  */
+	if (result == ISC_R_SUCCESS && zone != NULL) {
+		zonelabels = dns_name_countlabels(dns_zone_getorigin(zone));
+	}
+
+	/*
+	 * If # zone labels < # name labels, try to find an even better match
+	 * Only try if DLZ drivers are loaded for this view
+	 */
+	if (ISC_UNLIKELY(zonelabels < namelabels &&
+			 !ISC_LIST_EMPTY(client->view->dlz_searched)))
+	{
+		dns_clientinfomethods_t cm;
+		dns_clientinfo_t ci;
+		dns_db_t *tdbp;
+
+		dns_clientinfomethods_init(&cm, ns_client_sourceip);
+		dns_clientinfo_init(&ci, client, &client->ecs, NULL);
+
+		tdbp = NULL;
+		tresult = dns_view_searchdlz(client->view, name, zonelabels,
+					     &cm, &ci, &tdbp);
+		/* If we successful, we found a better match. */
+		if (tresult == ISC_R_SUCCESS) {
+			ns_dbversion_t *dbversion;
+
+			/*
+			 * If the previous search returned a zone, detach it.
+			 */
+			if (zone != NULL) {
+				dns_zone_detach(&zone);
+			}
+
+			/*
+			 * If the previous search returned a database,
+			 * detach it.
+			 */
+			if (*dbp != NULL) {
+				dns_db_detach(dbp);
+			}
+
+			/*
+			 * If the previous search returned a version, clear it.
+			 */
+			*versionp = NULL;
+
+			dbversion = ns_client_findversion(client, tdbp);
+			if (dbversion == NULL) {
+				tresult = ISC_R_NOMEMORY;
+			} else {
+				/*
+				 * Be sure to return our database.
+				 */
+				*dbp = tdbp;
+				*versionp = dbversion->version;
+			}
+
+			/*
+			 * We return a null zone, No stats for DLZ zones.
+			 */
+			zone = NULL;
+			result = tresult;
+		}
+	}
+
+	/* If successful, Transfer ownership of zone. */
+	if (result == ISC_R_SUCCESS) {
+		*zonep = zone;
+		/*
+		 * If neither attempt above succeeded, return the cache instead
+		 */
+		*is_zonep = true;
+	} else {
+		if (result == ISC_R_NOTFOUND) {
+			result = query_getcachedb(client, name, qtype, dbp,
+						  options);
+		}
+		*is_zonep = false;
+	}
+	return (result);
+}
+
+static bool
+query_isduplicate(ns_client_t *client, dns_name_t *name, dns_rdatatype_t type,
+		  dns_name_t **mnamep) {
+	dns_section_t section;
+	dns_name_t *mname = NULL;
+	isc_result_t result;
+
+	CTRACE(ISC_LOG_DEBUG(3), "query_isduplicate");
+
+	for (section = DNS_SECTION_ANSWER; section <= DNS_SECTION_ADDITIONAL;
+	     section++)
+	{
+		result = dns_message_findname(client->message, section, name,
+					      type, 0, &mname, NULL);
+		if (result == ISC_R_SUCCESS) {
+			/*
+			 * We've already got this RRset in the response.
+			 */
+			CTRACE(ISC_LOG_DEBUG(3), "query_isduplicate: true: "
+						 "done");
+			return (true);
+		} else if (result == DNS_R_NXRRSET) {
+			/*
+			 * The name exists, but the rdataset does not.
+			 */
+			if (section == DNS_SECTION_ADDITIONAL) {
+				break;
+			}
+		} else {
+			RUNTIME_CHECK(result == DNS_R_NXDOMAIN);
+		}
+		mname = NULL;
+	}
+
+	if (mnamep != NULL) {
+		*mnamep = mname;
+	}
+
+	CTRACE(ISC_LOG_DEBUG(3), "query_isduplicate: false: done");
+	return (false);
+}
+
+/*
+ * Look up data for given 'name' and 'type' in given 'version' of 'db' for
+ * 'client'. Called from query_additionalauth().
+ *
+ * If the lookup is successful:
+ *
+ *   - store the node containing the result at 'nodep',
+ *
+ *   - store the owner name of the returned node in 'fname',
+ *
+ *   - if 'type' is not ANY, dns_db_findext() will put the exact rdataset being
+ *     looked for in 'rdataset' and its signatures (if any) in 'sigrdataset',
+ *
+ *   - if 'type' is ANY, dns_db_findext() will leave 'rdataset' and
+ *     'sigrdataset' disassociated and the returned node will be iterated in
+ *     query_additional_cb().
+ *
+ * If the lookup is not successful:
+ *
+ *   - 'nodep' will not be written to,
+ *   - 'fname' may still be modified as it is passed to dns_db_findext(),
+ *   - 'rdataset' and 'sigrdataset' will remain disassociated.
+ */
+static isc_result_t
+query_additionalauthfind(dns_db_t *db, dns_dbversion_t *version,
+			 const dns_name_t *name, dns_rdatatype_t type,
+			 ns_client_t *client, dns_dbnode_t **nodep,
+			 dns_name_t *fname, dns_rdataset_t *rdataset,
+			 dns_rdataset_t *sigrdataset) {
+	dns_clientinfomethods_t cm;
+	dns_dbnode_t *node = NULL;
+	dns_clientinfo_t ci;
+	isc_result_t result;
+
+	dns_clientinfomethods_init(&cm, ns_client_sourceip);
+	dns_clientinfo_init(&ci, client, NULL, NULL);
+
+	/*
+	 * Since we are looking for authoritative data, we do not set
+	 * the GLUEOK flag.  Glue will be looked for later, but not
+	 * necessarily in the same database.
+	 */
+	result = dns_db_findext(db, name, version, type,
+				client->query.dboptions, client->now, &node,
+				fname, &cm, &ci, rdataset, sigrdataset);
+	if (result != ISC_R_SUCCESS) {
+		if (dns_rdataset_isassociated(rdataset)) {
+			dns_rdataset_disassociate(rdataset);
+		}
+
+		if (sigrdataset != NULL &&
+		    dns_rdataset_isassociated(sigrdataset))
+		{
+			dns_rdataset_disassociate(sigrdataset);
+		}
+
+		if (node != NULL) {
+			dns_db_detachnode(db, &node);
+		}
+
+		return (result);
+	}
+
+	/*
+	 * Do not return signatures if the zone is not fully signed.
+	 */
+	if (sigrdataset != NULL && !dns_db_issecure(db) &&
+	    dns_rdataset_isassociated(sigrdataset))
+	{
+		dns_rdataset_disassociate(sigrdataset);
+	}
+
+	*nodep = node;
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * For query context 'qctx', try finding authoritative additional data for
+ * given 'name' and 'type'. Called from query_additional_cb().
+ *
+ * If successful:
+ *
+ *   - store pointers to the database and node which contain the result in
+ *     'dbp' and 'nodep', respectively,
+ *
+ *   - store the owner name of the returned node in 'fname',
+ *
+ *   - potentially bind 'rdataset' and 'sigrdataset', as explained in the
+ *     comment for query_additionalauthfind().
+ *
+ * If unsuccessful:
+ *
+ *   - 'dbp' and 'nodep' will not be written to,
+ *   - 'fname' may still be modified as it is passed to dns_db_findext(),
+ *   - 'rdataset' and 'sigrdataset' will remain disassociated.
+ */
+static isc_result_t
+query_additionalauth(query_ctx_t *qctx, const dns_name_t *name,
+		     dns_rdatatype_t type, dns_db_t **dbp, dns_dbnode_t **nodep,
+		     dns_name_t *fname, dns_rdataset_t *rdataset,
+		     dns_rdataset_t *sigrdataset) {
+	ns_client_t *client = qctx->client;
+	ns_dbversion_t *dbversion = NULL;
+	dns_dbversion_t *version = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_zone_t *zone = NULL;
+	dns_db_t *db = NULL;
+	isc_result_t result;
+
+	/*
+	 * First, look within the same zone database for authoritative
+	 * additional data.
+	 */
+	if (!client->query.authdbset || client->query.authdb == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	dbversion = ns_client_findversion(client, client->query.authdb);
+	if (dbversion == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	dns_db_attach(client->query.authdb, &db);
+	version = dbversion->version;
+
+	CTRACE(ISC_LOG_DEBUG(3), "query_additionalauth: same zone");
+
+	result = query_additionalauthfind(db, version, name, type, client,
+					  &node, fname, rdataset, sigrdataset);
+	if (result != ISC_R_SUCCESS &&
+	    qctx->view->minimalresponses == dns_minimal_no &&
+	    RECURSIONOK(client))
+	{
+		/*
+		 * If we aren't doing response minimization and recursion is
+		 * allowed, we can try and see if any other zone matches.
+		 */
+		version = NULL;
+		dns_db_detach(&db);
+		result = query_getzonedb(client, name, type, DNS_GETDB_NOLOG,
+					 &zone, &db, &version);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+		dns_zone_detach(&zone);
+
+		CTRACE(ISC_LOG_DEBUG(3), "query_additionalauth: other zone");
+
+		result = query_additionalauthfind(db, version, name, type,
+						  client, &node, fname,
+						  rdataset, sigrdataset);
+	}
+
+	if (result != ISC_R_SUCCESS) {
+		dns_db_detach(&db);
+	} else {
+		*nodep = node;
+		node = NULL;
+
+		*dbp = db;
+		db = NULL;
+	}
+
+	return (result);
+}
+
+static isc_result_t
+query_additional_cb(void *arg, const dns_name_t *name, dns_rdatatype_t qtype) {
+	query_ctx_t *qctx = arg;
+	ns_client_t *client = qctx->client;
+	isc_result_t result, eresult = ISC_R_SUCCESS;
+	dns_dbnode_t *node = NULL;
+	dns_db_t *db = NULL;
+	dns_name_t *fname = NULL, *mname = NULL;
+	dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
+	dns_rdataset_t *trdataset = NULL;
+	isc_buffer_t *dbuf = NULL;
+	isc_buffer_t b;
+	ns_dbversion_t *dbversion = NULL;
+	dns_dbversion_t *version = NULL;
+	bool added_something = false, need_addname = false;
+	dns_rdatatype_t type;
+	dns_clientinfomethods_t cm;
+	dns_clientinfo_t ci;
+	dns_rdatasetadditional_t additionaltype =
+		dns_rdatasetadditional_fromauth;
+
+	REQUIRE(NS_CLIENT_VALID(client));
+	REQUIRE(qtype != dns_rdatatype_any);
+
+	if (!WANTDNSSEC(client) && dns_rdatatype_isdnssec(qtype)) {
+		return (ISC_R_SUCCESS);
+	}
+
+	CTRACE(ISC_LOG_DEBUG(3), "query_additional_cb");
+
+	dns_clientinfomethods_init(&cm, ns_client_sourceip);
+	dns_clientinfo_init(&ci, client, NULL, NULL);
+
+	/*
+	 * We treat type A additional section processing as if it
+	 * were "any address type" additional section processing.
+	 * To avoid multiple lookups, we do an 'any' database
+	 * lookup and iterate over the node.
+	 */
+	if (qtype == dns_rdatatype_a) {
+		type = dns_rdatatype_any;
+	} else {
+		type = qtype;
+	}
+
+	/*
+	 * Get some resources.
+	 */
+	dbuf = ns_client_getnamebuf(client);
+	if (dbuf == NULL) {
+		goto cleanup;
+	}
+	fname = ns_client_newname(client, dbuf, &b);
+	rdataset = ns_client_newrdataset(client);
+	if (fname == NULL || rdataset == NULL) {
+		goto cleanup;
+	}
+	if (WANTDNSSEC(client)) {
+		sigrdataset = ns_client_newrdataset(client);
+		if (sigrdataset == NULL) {
+			goto cleanup;
+		}
+	}
+
+	/*
+	 * If we want only minimal responses and are here, then it must
+	 * be for glue.
+	 */
+	if (qctx->view->minimalresponses == dns_minimal_yes &&
+	    client->query.qtype != dns_rdatatype_ns)
+	{
+		goto try_glue;
+	}
+
+	/*
+	 * First, look for authoritative additional data.
+	 */
+	result = query_additionalauth(qctx, name, type, &db, &node, fname,
+				      rdataset, sigrdataset);
+	if (result == ISC_R_SUCCESS) {
+		goto found;
+	}
+
+	/*
+	 * No authoritative data was found.  The cache is our next best bet.
+	 */
+	if (!qctx->view->recursion) {
+		goto try_glue;
+	}
+
+	additionaltype = dns_rdatasetadditional_fromcache;
+	result = query_getcachedb(client, name, qtype, &db, DNS_GETDB_NOLOG);
+	if (result != ISC_R_SUCCESS) {
+		/*
+		 * Most likely the client isn't allowed to query the cache.
+		 */
+		goto try_glue;
+	}
+	/*
+	 * Attempt to validate glue.
+	 */
+	if (sigrdataset == NULL) {
+		sigrdataset = ns_client_newrdataset(client);
+		if (sigrdataset == NULL) {
+			goto cleanup;
+		}
+	}
+
+	version = NULL;
+	result = dns_db_findext(db, name, version, type,
+				client->query.dboptions | DNS_DBFIND_GLUEOK |
+					DNS_DBFIND_ADDITIONALOK,
+				client->now, &node, fname, &cm, &ci, rdataset,
+				sigrdataset);
+
+	dns_cache_updatestats(qctx->view->cache, result);
+	if (!WANTDNSSEC(client)) {
+		ns_client_putrdataset(client, &sigrdataset);
+	}
+	if (result == ISC_R_SUCCESS) {
+		goto found;
+	}
+
+	if (dns_rdataset_isassociated(rdataset)) {
+		dns_rdataset_disassociate(rdataset);
+	}
+	if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset)) {
+		dns_rdataset_disassociate(sigrdataset);
+	}
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+	dns_db_detach(&db);
+
+try_glue:
+	/*
+	 * No cached data was found.  Glue is our last chance.
+	 * RFC1035 sayeth:
+	 *
+	 *	NS records cause both the usual additional section
+	 *	processing to locate a type A record, and, when used
+	 *	in a referral, a special search of the zone in which
+	 *	they reside for glue information.
+	 *
+	 * This is the "special search".  Note that we must search
+	 * the zone where the NS record resides, not the zone it
+	 * points to, and that we only do the search in the delegation
+	 * case (identified by client->query.gluedb being set).
+	 */
+
+	if (client->query.gluedb == NULL) {
+		goto cleanup;
+	}
+
+	/*
+	 * Don't poison caches using the bailiwick protection model.
+	 */
+	if (!dns_name_issubdomain(name, dns_db_origin(client->query.gluedb))) {
+		goto cleanup;
+	}
+
+	dbversion = ns_client_findversion(client, client->query.gluedb);
+	if (dbversion == NULL) {
+		goto cleanup;
+	}
+
+	dns_db_attach(client->query.gluedb, &db);
+	version = dbversion->version;
+	additionaltype = dns_rdatasetadditional_fromglue;
+	result = dns_db_findext(db, name, version, type,
+				client->query.dboptions | DNS_DBFIND_GLUEOK,
+				client->now, &node, fname, &cm, &ci, rdataset,
+				sigrdataset);
+	if (result != ISC_R_SUCCESS && result != DNS_R_ZONECUT &&
+	    result != DNS_R_GLUE)
+	{
+		goto cleanup;
+	}
+
+found:
+	/*
+	 * We have found a potential additional data rdataset, or
+	 * at least a node to iterate over.
+	 */
+	ns_client_keepname(client, fname, dbuf);
+
+	/*
+	 * If we have an rdataset, add it to the additional data
+	 * section.
+	 */
+	mname = NULL;
+	if (dns_rdataset_isassociated(rdataset) &&
+	    !query_isduplicate(client, fname, type, &mname))
+	{
+		if (mname != NULL) {
+			INSIST(mname != fname);
+			ns_client_releasename(client, &fname);
+			fname = mname;
+		} else {
+			need_addname = true;
+		}
+		ISC_LIST_APPEND(fname->list, rdataset, link);
+		trdataset = rdataset;
+		rdataset = NULL;
+		added_something = true;
+		/*
+		 * Note: we only add SIGs if we've added the type they cover,
+		 * so we do not need to check if the SIG rdataset is already
+		 * in the response.
+		 */
+		if (sigrdataset != NULL &&
+		    dns_rdataset_isassociated(sigrdataset))
+		{
+			ISC_LIST_APPEND(fname->list, sigrdataset, link);
+			sigrdataset = NULL;
+		}
+	}
+
+	if (qtype == dns_rdatatype_a) {
+		/*
+		 * We now go looking for A and AAAA records, along with
+		 * their signatures.
+		 *
+		 * XXXRTH  This code could be more efficient.
+		 */
+		if (rdataset != NULL) {
+			if (dns_rdataset_isassociated(rdataset)) {
+				dns_rdataset_disassociate(rdataset);
+			}
+		} else {
+			rdataset = ns_client_newrdataset(client);
+			if (rdataset == NULL) {
+				goto addname;
+			}
+		}
+		if (sigrdataset != NULL) {
+			if (dns_rdataset_isassociated(sigrdataset)) {
+				dns_rdataset_disassociate(sigrdataset);
+			}
+		} else if (WANTDNSSEC(client)) {
+			sigrdataset = ns_client_newrdataset(client);
+			if (sigrdataset == NULL) {
+				goto addname;
+			}
+		}
+		if (query_isduplicate(client, fname, dns_rdatatype_a, NULL)) {
+			goto aaaa_lookup;
+		}
+		result = dns_db_findrdataset(db, node, version, dns_rdatatype_a,
+					     0, client->now, rdataset,
+					     sigrdataset);
+		if (result == DNS_R_NCACHENXDOMAIN) {
+			goto addname;
+		} else if (result == DNS_R_NCACHENXRRSET) {
+			dns_rdataset_disassociate(rdataset);
+			if (sigrdataset != NULL &&
+			    dns_rdataset_isassociated(sigrdataset))
+			{
+				dns_rdataset_disassociate(sigrdataset);
+			}
+		} else if (result == ISC_R_SUCCESS) {
+			bool invalid = false;
+			mname = NULL;
+			if (additionaltype ==
+				    dns_rdatasetadditional_fromcache &&
+			    (DNS_TRUST_PENDING(rdataset->trust) ||
+			     DNS_TRUST_GLUE(rdataset->trust)))
+			{
+				/* validate() may change rdataset->trust */
+				invalid = !validate(client, db, fname, rdataset,
+						    sigrdataset);
+			}
+			if (invalid && DNS_TRUST_PENDING(rdataset->trust)) {
+				dns_rdataset_disassociate(rdataset);
+				if (sigrdataset != NULL &&
+				    dns_rdataset_isassociated(sigrdataset))
+				{
+					dns_rdataset_disassociate(sigrdataset);
+				}
+			} else if (!query_isduplicate(client, fname,
+						      dns_rdatatype_a, &mname))
+			{
+				if (mname != fname) {
+					if (mname != NULL) {
+						ns_client_releasename(client,
+								      &fname);
+						fname = mname;
+					} else {
+						need_addname = true;
+					}
+				}
+				ISC_LIST_APPEND(fname->list, rdataset, link);
+				added_something = true;
+				if (sigrdataset != NULL &&
+				    dns_rdataset_isassociated(sigrdataset))
+				{
+					ISC_LIST_APPEND(fname->list,
+							sigrdataset, link);
+					sigrdataset =
+						ns_client_newrdataset(client);
+				}
+				rdataset = ns_client_newrdataset(client);
+				if (rdataset == NULL) {
+					goto addname;
+				}
+				if (WANTDNSSEC(client) && sigrdataset == NULL) {
+					goto addname;
+				}
+			} else {
+				dns_rdataset_disassociate(rdataset);
+				if (sigrdataset != NULL &&
+				    dns_rdataset_isassociated(sigrdataset))
+				{
+					dns_rdataset_disassociate(sigrdataset);
+				}
+			}
+		}
+	aaaa_lookup:
+		if (query_isduplicate(client, fname, dns_rdatatype_aaaa, NULL))
+		{
+			goto addname;
+		}
+		result = dns_db_findrdataset(db, node, version,
+					     dns_rdatatype_aaaa, 0, client->now,
+					     rdataset, sigrdataset);
+		if (result == DNS_R_NCACHENXDOMAIN) {
+			goto addname;
+		} else if (result == DNS_R_NCACHENXRRSET) {
+			dns_rdataset_disassociate(rdataset);
+			if (sigrdataset != NULL &&
+			    dns_rdataset_isassociated(sigrdataset))
+			{
+				dns_rdataset_disassociate(sigrdataset);
+			}
+		} else if (result == ISC_R_SUCCESS) {
+			bool invalid = false;
+			mname = NULL;
+
+			if (additionaltype ==
+				    dns_rdatasetadditional_fromcache &&
+			    (DNS_TRUST_PENDING(rdataset->trust) ||
+			     DNS_TRUST_GLUE(rdataset->trust)))
+			{
+				/* validate() may change rdataset->trust */
+				invalid = !validate(client, db, fname, rdataset,
+						    sigrdataset);
+			}
+
+			if (invalid && DNS_TRUST_PENDING(rdataset->trust)) {
+				dns_rdataset_disassociate(rdataset);
+				if (sigrdataset != NULL &&
+				    dns_rdataset_isassociated(sigrdataset))
+				{
+					dns_rdataset_disassociate(sigrdataset);
+				}
+			} else if (!query_isduplicate(client, fname,
+						      dns_rdatatype_aaaa,
+						      &mname))
+			{
+				if (mname != fname) {
+					if (mname != NULL) {
+						ns_client_releasename(client,
+								      &fname);
+						fname = mname;
+					} else {
+						need_addname = true;
+					}
+				}
+				ISC_LIST_APPEND(fname->list, rdataset, link);
+				added_something = true;
+				if (sigrdataset != NULL &&
+				    dns_rdataset_isassociated(sigrdataset))
+				{
+					ISC_LIST_APPEND(fname->list,
+							sigrdataset, link);
+					sigrdataset = NULL;
+				}
+				rdataset = NULL;
+			}
+		}
+	}
+
+addname:
+	CTRACE(ISC_LOG_DEBUG(3), "query_additional_cb: addname");
+	/*
+	 * If we haven't added anything, then we're done.
+	 */
+	if (!added_something) {
+		goto cleanup;
+	}
+
+	/*
+	 * We may have added our rdatasets to an existing name, if so, then
+	 * need_addname will be false.  Whether we used an existing name
+	 * or a new one, we must set fname to NULL to prevent cleanup.
+	 */
+	if (need_addname) {
+		dns_message_addname(client->message, fname,
+				    DNS_SECTION_ADDITIONAL);
+	}
+	fname = NULL;
+
+	/*
+	 * In some cases, a record that has been added as additional
+	 * data may *also* trigger the addition of additional data.
+	 * This cannot go more than MAX_RESTARTS levels deep.
+	 */
+	if (trdataset != NULL && dns_rdatatype_followadditional(type)) {
+		eresult = dns_rdataset_additionaldata(
+			trdataset, query_additional_cb, qctx);
+	}
+
+cleanup:
+	CTRACE(ISC_LOG_DEBUG(3), "query_additional_cb: cleanup");
+	ns_client_putrdataset(client, &rdataset);
+	if (sigrdataset != NULL) {
+		ns_client_putrdataset(client, &sigrdataset);
+	}
+	if (fname != NULL) {
+		ns_client_releasename(client, &fname);
+	}
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+	if (db != NULL) {
+		dns_db_detach(&db);
+	}
+
+	CTRACE(ISC_LOG_DEBUG(3), "query_additional_cb: done");
+	return (eresult);
+}
+
+/*
+ * Add 'rdataset' to 'name'.
+ */
+static void
+query_addtoname(dns_name_t *name, dns_rdataset_t *rdataset) {
+	ISC_LIST_APPEND(name->list, rdataset, link);
+}
+
+/*
+ * Set the ordering for 'rdataset'.
+ */
+static void
+query_setorder(query_ctx_t *qctx, dns_name_t *name, dns_rdataset_t *rdataset) {
+	ns_client_t *client = qctx->client;
+	dns_order_t *order = client->view->order;
+
+	CTRACE(ISC_LOG_DEBUG(3), "query_setorder");
+
+	UNUSED(client);
+
+	if (order != NULL) {
+		rdataset->attributes |= dns_order_find(
+			order, name, rdataset->type, rdataset->rdclass);
+	}
+	rdataset->attributes |= DNS_RDATASETATTR_LOADORDER;
+}
+
+/*
+ * Handle glue and fetch any other needed additional data for 'rdataset'.
+ */
+static void
+query_additional(query_ctx_t *qctx, dns_rdataset_t *rdataset) {
+	ns_client_t *client = qctx->client;
+	isc_result_t result;
+
+	CTRACE(ISC_LOG_DEBUG(3), "query_additional");
+
+	if (NOADDITIONAL(client)) {
+		return;
+	}
+
+	/*
+	 * Try to process glue directly.
+	 */
+	if (qctx->view->use_glue_cache &&
+	    (rdataset->type == dns_rdatatype_ns) &&
+	    (client->query.gluedb != NULL) &&
+	    dns_db_iszone(client->query.gluedb))
+	{
+		ns_dbversion_t *dbversion;
+
+		dbversion = ns_client_findversion(client, client->query.gluedb);
+		if (dbversion == NULL) {
+			goto regular;
+		}
+
+		result = dns_rdataset_addglue(rdataset, dbversion->version,
+					      client->message);
+		if (result == ISC_R_SUCCESS) {
+			return;
+		}
+	}
+
+regular:
+	/*
+	 * Add other additional data if needed.
+	 * We don't care if dns_rdataset_additionaldata() fails.
+	 */
+	(void)dns_rdataset_additionaldata(rdataset, query_additional_cb, qctx);
+	CTRACE(ISC_LOG_DEBUG(3), "query_additional: done");
+}
+
+static void
+query_addrrset(query_ctx_t *qctx, dns_name_t **namep,
+	       dns_rdataset_t **rdatasetp, dns_rdataset_t **sigrdatasetp,
+	       isc_buffer_t *dbuf, dns_section_t section) {
+	isc_result_t result;
+	ns_client_t *client = qctx->client;
+	dns_name_t *name = *namep, *mname = NULL;
+	dns_rdataset_t *rdataset = *rdatasetp, *mrdataset = NULL;
+	dns_rdataset_t *sigrdataset = NULL;
+
+	CTRACE(ISC_LOG_DEBUG(3), "query_addrrset");
+
+	REQUIRE(name != NULL);
+
+	if (sigrdatasetp != NULL) {
+		sigrdataset = *sigrdatasetp;
+	}
+
+	/*%
+	 * To the current response for 'client', add the answer RRset
+	 * '*rdatasetp' and an optional signature set '*sigrdatasetp', with
+	 * owner name '*namep', to section 'section', unless they are
+	 * already there.  Also add any pertinent additional data.
+	 *
+	 * If 'dbuf' is not NULL, then '*namep' is the name whose data is
+	 * stored in 'dbuf'.  In this case, query_addrrset() guarantees that
+	 * when it returns the name will either have been kept or released.
+	 */
+	result = dns_message_findname(client->message, section, name,
+				      rdataset->type, rdataset->covers, &mname,
+				      &mrdataset);
+	if (result == ISC_R_SUCCESS) {
+		/*
+		 * We've already got an RRset of the given name and type.
+		 */
+		CTRACE(ISC_LOG_DEBUG(3), "query_addrrset: dns_message_findname "
+					 "succeeded: done");
+		if (dbuf != NULL) {
+			ns_client_releasename(client, namep);
+		}
+		if ((rdataset->attributes & DNS_RDATASETATTR_REQUIRED) != 0) {
+			mrdataset->attributes |= DNS_RDATASETATTR_REQUIRED;
+		}
+		if ((rdataset->attributes & DNS_RDATASETATTR_STALE_ADDED) != 0)
+		{
+			mrdataset->attributes |= DNS_RDATASETATTR_STALE_ADDED;
+		}
+		return;
+	} else if (result == DNS_R_NXDOMAIN) {
+		/*
+		 * The name doesn't exist.
+		 */
+		if (dbuf != NULL) {
+			ns_client_keepname(client, name, dbuf);
+		}
+		dns_message_addname(client->message, name, section);
+		*namep = NULL;
+		mname = name;
+	} else {
+		RUNTIME_CHECK(result == DNS_R_NXRRSET);
+		if (dbuf != NULL) {
+			ns_client_releasename(client, namep);
+		}
+	}
+
+	if (rdataset->trust != dns_trust_secure &&
+	    (section == DNS_SECTION_ANSWER || section == DNS_SECTION_AUTHORITY))
+	{
+		client->query.attributes &= ~NS_QUERYATTR_SECURE;
+	}
+
+	/*
+	 * Update message name, set rdataset order, and do additional
+	 * section processing if needed.
+	 */
+	query_addtoname(mname, rdataset);
+	query_setorder(qctx, mname, rdataset);
+	query_additional(qctx, rdataset);
+
+	/*
+	 * Note: we only add SIGs if we've added the type they cover, so
+	 * we do not need to check if the SIG rdataset is already in the
+	 * response.
+	 */
+	*rdatasetp = NULL;
+	if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset)) {
+		/*
+		 * We have a signature.  Add it to the response.
+		 */
+		ISC_LIST_APPEND(mname->list, sigrdataset, link);
+		*sigrdatasetp = NULL;
+	}
+
+	CTRACE(ISC_LOG_DEBUG(3), "query_addrrset: done");
+}
+
+/*
+ * Mark the RRsets as secure.  Update the cache (db) to reflect the
+ * change in trust level.
+ */
+static void
+mark_secure(ns_client_t *client, dns_db_t *db, dns_name_t *name,
+	    dns_rdata_rrsig_t *rrsig, dns_rdataset_t *rdataset,
+	    dns_rdataset_t *sigrdataset) {
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	dns_clientinfomethods_t cm;
+	dns_clientinfo_t ci;
+	isc_stdtime_t now;
+
+	rdataset->trust = dns_trust_secure;
+	sigrdataset->trust = dns_trust_secure;
+	dns_clientinfomethods_init(&cm, ns_client_sourceip);
+	dns_clientinfo_init(&ci, client, NULL, NULL);
+
+	/*
+	 * Save the updated secure state.  Ignore failures.
+	 */
+	result = dns_db_findnodeext(db, name, true, &cm, &ci, &node);
+	if (result != ISC_R_SUCCESS) {
+		return;
+	}
+
+	isc_stdtime_get(&now);
+	dns_rdataset_trimttl(rdataset, sigrdataset, rrsig, now,
+			     client->view->acceptexpired);
+
+	(void)dns_db_addrdataset(db, node, NULL, client->now, rdataset, 0,
+				 NULL);
+	(void)dns_db_addrdataset(db, node, NULL, client->now, sigrdataset, 0,
+				 NULL);
+	dns_db_detachnode(db, &node);
+}
+
+/*
+ * Find the secure key that corresponds to rrsig.
+ * Note: 'keyrdataset' maintains state between successive calls,
+ * there may be multiple keys with the same keyid.
+ * Return false if we have exhausted all the possible keys.
+ */
+static bool
+get_key(ns_client_t *client, dns_db_t *db, dns_rdata_rrsig_t *rrsig,
+	dns_rdataset_t *keyrdataset, dst_key_t **keyp) {
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	bool secure = false;
+	dns_clientinfomethods_t cm;
+	dns_clientinfo_t ci;
+
+	dns_clientinfomethods_init(&cm, ns_client_sourceip);
+	dns_clientinfo_init(&ci, client, NULL, NULL);
+
+	if (!dns_rdataset_isassociated(keyrdataset)) {
+		result = dns_db_findnodeext(db, &rrsig->signer, false, &cm, &ci,
+					    &node);
+		if (result != ISC_R_SUCCESS) {
+			return (false);
+		}
+
+		result = dns_db_findrdataset(db, node, NULL,
+					     dns_rdatatype_dnskey, 0,
+					     client->now, keyrdataset, NULL);
+		dns_db_detachnode(db, &node);
+		if (result != ISC_R_SUCCESS) {
+			return (false);
+		}
+
+		if (keyrdataset->trust != dns_trust_secure) {
+			return (false);
+		}
+
+		result = dns_rdataset_first(keyrdataset);
+	} else {
+		result = dns_rdataset_next(keyrdataset);
+	}
+
+	for (; result == ISC_R_SUCCESS; result = dns_rdataset_next(keyrdataset))
+	{
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		isc_buffer_t b;
+
+		dns_rdataset_current(keyrdataset, &rdata);
+		isc_buffer_init(&b, rdata.data, rdata.length);
+		isc_buffer_add(&b, rdata.length);
+		result = dst_key_fromdns(&rrsig->signer, rdata.rdclass, &b,
+					 client->mctx, keyp);
+		if (result != ISC_R_SUCCESS) {
+			continue;
+		}
+		if (rrsig->algorithm == (dns_secalg_t)dst_key_alg(*keyp) &&
+		    rrsig->keyid == (dns_keytag_t)dst_key_id(*keyp) &&
+		    dst_key_iszonekey(*keyp))
+		{
+			secure = true;
+			break;
+		}
+		dst_key_free(keyp);
+	}
+	return (secure);
+}
+
+static bool
+verify(dst_key_t *key, dns_name_t *name, dns_rdataset_t *rdataset,
+       dns_rdata_t *rdata, ns_client_t *client) {
+	isc_result_t result;
+	dns_fixedname_t fixed;
+	bool ignore = false;
+
+	dns_fixedname_init(&fixed);
+
+again:
+	result = dns_dnssec_verify(name, rdataset, key, ignore,
+				   client->view->maxbits, client->mctx, rdata,
+				   NULL);
+	if (result == DNS_R_SIGEXPIRED && client->view->acceptexpired) {
+		ignore = true;
+		goto again;
+	}
+	if (result == ISC_R_SUCCESS || result == DNS_R_FROMWILDCARD) {
+		return (true);
+	}
+	return (false);
+}
+
+/*
+ * Validate the rdataset if possible with available records.
+ */
+static bool
+validate(ns_client_t *client, dns_db_t *db, dns_name_t *name,
+	 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) {
+	isc_result_t result;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_rrsig_t rrsig;
+	dst_key_t *key = NULL;
+	dns_rdataset_t keyrdataset;
+
+	if (sigrdataset == NULL || !dns_rdataset_isassociated(sigrdataset)) {
+		return (false);
+	}
+
+	for (result = dns_rdataset_first(sigrdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(sigrdataset))
+	{
+		dns_rdata_reset(&rdata);
+		dns_rdataset_current(sigrdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		if (!dns_resolver_algorithm_supported(client->view->resolver,
+						      name, rrsig.algorithm))
+		{
+			continue;
+		}
+		if (!dns_name_issubdomain(name, &rrsig.signer)) {
+			continue;
+		}
+		dns_rdataset_init(&keyrdataset);
+		do {
+			if (!get_key(client, db, &rrsig, &keyrdataset, &key)) {
+				break;
+			}
+			if (verify(key, name, rdataset, &rdata, client)) {
+				dst_key_free(&key);
+				dns_rdataset_disassociate(&keyrdataset);
+				mark_secure(client, db, name, &rrsig, rdataset,
+					    sigrdataset);
+				return (true);
+			}
+			dst_key_free(&key);
+		} while (1);
+		if (dns_rdataset_isassociated(&keyrdataset)) {
+			dns_rdataset_disassociate(&keyrdataset);
+		}
+	}
+	return (false);
+}
+
+static void
+fixrdataset(ns_client_t *client, dns_rdataset_t **rdataset) {
+	if (*rdataset == NULL) {
+		*rdataset = ns_client_newrdataset(client);
+	} else if (dns_rdataset_isassociated(*rdataset)) {
+		dns_rdataset_disassociate(*rdataset);
+	}
+}
+
+static void
+fixfname(ns_client_t *client, dns_name_t **fname, isc_buffer_t **dbuf,
+	 isc_buffer_t *nbuf) {
+	if (*fname == NULL) {
+		*dbuf = ns_client_getnamebuf(client);
+		if (*dbuf == NULL) {
+			return;
+		}
+		*fname = ns_client_newname(client, *dbuf, nbuf);
+	}
+}
+
+static void
+free_devent(ns_client_t *client, isc_event_t **eventp,
+	    dns_fetchevent_t **deventp) {
+	dns_fetchevent_t *devent = *deventp;
+
+	REQUIRE((void *)(*eventp) == (void *)(*deventp));
+
+	CTRACE(ISC_LOG_DEBUG(3), "free_devent");
+
+	if (devent->fetch != NULL) {
+		dns_resolver_destroyfetch(&devent->fetch);
+	}
+	if (devent->node != NULL) {
+		dns_db_detachnode(devent->db, &devent->node);
+	}
+	if (devent->db != NULL) {
+		dns_db_detach(&devent->db);
+	}
+	if (devent->rdataset != NULL) {
+		ns_client_putrdataset(client, &devent->rdataset);
+	}
+	if (devent->sigrdataset != NULL) {
+		ns_client_putrdataset(client, &devent->sigrdataset);
+	}
+
+	/*
+	 * If the two pointers are the same then leave the setting of
+	 * (*deventp) to NULL to isc_event_free.
+	 */
+	if ((void *)eventp != (void *)deventp) {
+		(*deventp) = NULL;
+	}
+	isc_event_free(eventp);
+}
+
+static void
+prefetch_done(isc_task_t *task, isc_event_t *event) {
+	dns_fetchevent_t *devent = (dns_fetchevent_t *)event;
+	ns_client_t *client;
+
+	UNUSED(task);
+
+	REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE);
+	client = devent->ev_arg;
+	REQUIRE(NS_CLIENT_VALID(client));
+	REQUIRE(task == client->task);
+
+	CTRACE(ISC_LOG_DEBUG(3), "prefetch_done");
+
+	LOCK(&client->query.fetchlock);
+	if (client->query.prefetch != NULL) {
+		INSIST(devent->fetch == client->query.prefetch);
+		client->query.prefetch = NULL;
+	}
+	UNLOCK(&client->query.fetchlock);
+
+	/*
+	 * We're done prefetching, detach from quota.
+	 */
+	if (client->recursionquota != NULL) {
+		isc_quota_detach(&client->recursionquota);
+		ns_stats_decrement(client->sctx->nsstats,
+				   ns_statscounter_recursclients);
+	}
+
+	free_devent(client, &event, &devent);
+	isc_nmhandle_detach(&client->prefetchhandle);
+}
+
+static void
+query_prefetch(ns_client_t *client, dns_name_t *qname,
+	       dns_rdataset_t *rdataset) {
+	isc_result_t result;
+	isc_sockaddr_t *peeraddr;
+	dns_rdataset_t *tmprdataset;
+	unsigned int options;
+
+	CTRACE(ISC_LOG_DEBUG(3), "query_prefetch");
+
+	if (client->query.prefetch != NULL ||
+	    client->view->prefetch_trigger == 0U ||
+	    rdataset->ttl > client->view->prefetch_trigger ||
+	    (rdataset->attributes & DNS_RDATASETATTR_PREFETCH) == 0)
+	{
+		return;
+	}
+
+	if (client->recursionquota == NULL) {
+		result = isc_quota_attach(&client->sctx->recursionquota,
+					  &client->recursionquota);
+		switch (result) {
+		case ISC_R_SUCCESS:
+			ns_stats_increment(client->sctx->nsstats,
+					   ns_statscounter_recursclients);
+			break;
+		case ISC_R_SOFTQUOTA:
+			isc_quota_detach(&client->recursionquota);
+			FALLTHROUGH;
+		default:
+			return;
+		}
+	}
+
+	tmprdataset = ns_client_newrdataset(client);
+	if (tmprdataset == NULL) {
+		return;
+	}
+
+	if (!TCP(client)) {
+		peeraddr = &client->peeraddr;
+	} else {
+		peeraddr = NULL;
+	}
+
+	isc_nmhandle_attach(client->handle, &client->prefetchhandle);
+	options = client->query.fetchoptions | DNS_FETCHOPT_PREFETCH;
+	result = dns_resolver_createfetch(
+		client->view->resolver, qname, rdataset->type, NULL, NULL, NULL,
+		peeraddr, client->message->id, options, 0, NULL, client->task,
+		prefetch_done, client, tmprdataset, NULL,
+		&client->query.prefetch);
+	if (result != ISC_R_SUCCESS) {
+		ns_client_putrdataset(client, &tmprdataset);
+		isc_nmhandle_detach(&client->prefetchhandle);
+	}
+
+	dns_rdataset_clearprefetch(rdataset);
+	ns_stats_increment(client->sctx->nsstats, ns_statscounter_prefetch);
+}
+
+static void
+rpz_clean(dns_zone_t **zonep, dns_db_t **dbp, dns_dbnode_t **nodep,
+	  dns_rdataset_t **rdatasetp) {
+	if (nodep != NULL && *nodep != NULL) {
+		REQUIRE(dbp != NULL && *dbp != NULL);
+		dns_db_detachnode(*dbp, nodep);
+	}
+	if (dbp != NULL && *dbp != NULL) {
+		dns_db_detach(dbp);
+	}
+	if (zonep != NULL && *zonep != NULL) {
+		dns_zone_detach(zonep);
+	}
+	if (rdatasetp != NULL && *rdatasetp != NULL &&
+	    dns_rdataset_isassociated(*rdatasetp))
+	{
+		dns_rdataset_disassociate(*rdatasetp);
+	}
+}
+
+static void
+rpz_match_clear(dns_rpz_st_t *st) {
+	rpz_clean(&st->m.zone, &st->m.db, &st->m.node, &st->m.rdataset);
+	st->m.version = NULL;
+}
+
+static isc_result_t
+rpz_ready(ns_client_t *client, dns_rdataset_t **rdatasetp) {
+	REQUIRE(rdatasetp != NULL);
+
+	CTRACE(ISC_LOG_DEBUG(3), "rpz_ready");
+
+	if (*rdatasetp == NULL) {
+		*rdatasetp = ns_client_newrdataset(client);
+		if (*rdatasetp == NULL) {
+			CTRACE(ISC_LOG_ERROR, "rpz_ready: "
+					      "ns_client_newrdataset failed");
+			return (DNS_R_SERVFAIL);
+		}
+	} else if (dns_rdataset_isassociated(*rdatasetp)) {
+		dns_rdataset_disassociate(*rdatasetp);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static void
+rpz_st_clear(ns_client_t *client) {
+	dns_rpz_st_t *st = client->query.rpz_st;
+
+	CTRACE(ISC_LOG_DEBUG(3), "rpz_st_clear");
+
+	if (st->m.rdataset != NULL) {
+		ns_client_putrdataset(client, &st->m.rdataset);
+	}
+	rpz_match_clear(st);
+
+	rpz_clean(NULL, &st->r.db, NULL, NULL);
+	if (st->r.ns_rdataset != NULL) {
+		ns_client_putrdataset(client, &st->r.ns_rdataset);
+	}
+	if (st->r.r_rdataset != NULL) {
+		ns_client_putrdataset(client, &st->r.r_rdataset);
+	}
+
+	rpz_clean(&st->q.zone, &st->q.db, &st->q.node, NULL);
+	if (st->q.rdataset != NULL) {
+		ns_client_putrdataset(client, &st->q.rdataset);
+	}
+	if (st->q.sigrdataset != NULL) {
+		ns_client_putrdataset(client, &st->q.sigrdataset);
+	}
+	st->state = 0;
+	st->m.type = DNS_RPZ_TYPE_BAD;
+	st->m.policy = DNS_RPZ_POLICY_MISS;
+	if (st->rpsdb != NULL) {
+		dns_db_detach(&st->rpsdb);
+	}
+}
+
+static dns_rpz_zbits_t
+rpz_get_zbits(ns_client_t *client, dns_rdatatype_t ip_type,
+	      dns_rpz_type_t rpz_type) {
+	dns_rpz_st_t *st;
+	dns_rpz_zbits_t zbits = 0;
+
+	REQUIRE(client != NULL);
+	REQUIRE(client->query.rpz_st != NULL);
+
+	st = client->query.rpz_st;
+
+#ifdef USE_DNSRPS
+	if (st->popt.dnsrps_enabled) {
+		if (st->rpsdb == NULL ||
+		    librpz->have_trig(dns_dnsrps_type2trig(rpz_type),
+				      ip_type == dns_rdatatype_aaaa,
+				      ((rpsdb_t *)st->rpsdb)->rsp))
+		{
+			return (DNS_RPZ_ALL_ZBITS);
+		}
+		return (0);
+	}
+#endif /* ifdef USE_DNSRPS */
+
+	switch (rpz_type) {
+	case DNS_RPZ_TYPE_CLIENT_IP:
+		zbits = st->have.client_ip;
+		break;
+	case DNS_RPZ_TYPE_QNAME:
+		zbits = st->have.qname;
+		break;
+	case DNS_RPZ_TYPE_IP:
+		if (ip_type == dns_rdatatype_a) {
+			zbits = st->have.ipv4;
+		} else if (ip_type == dns_rdatatype_aaaa) {
+			zbits = st->have.ipv6;
+		} else {
+			zbits = st->have.ip;
+		}
+		break;
+	case DNS_RPZ_TYPE_NSDNAME:
+		zbits = st->have.nsdname;
+		break;
+	case DNS_RPZ_TYPE_NSIP:
+		if (ip_type == dns_rdatatype_a) {
+			zbits = st->have.nsipv4;
+		} else if (ip_type == dns_rdatatype_aaaa) {
+			zbits = st->have.nsipv6;
+		} else {
+			zbits = st->have.nsip;
+		}
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	/*
+	 * Choose
+	 *	the earliest configured policy zone (rpz->num)
+	 *	QNAME over IP over NSDNAME over NSIP (rpz_type)
+	 *	the smallest name,
+	 *	the longest IP address prefix,
+	 *	the lexically smallest address.
+	 */
+	if (st->m.policy != DNS_RPZ_POLICY_MISS) {
+		if (st->m.type >= rpz_type) {
+			zbits &= DNS_RPZ_ZMASK(st->m.rpz->num);
+		} else {
+			zbits &= DNS_RPZ_ZMASK(st->m.rpz->num) >> 1;
+		}
+	}
+
+	/*
+	 * If the client wants recursion, allow only compatible policies.
+	 */
+	if (!RECURSIONOK(client)) {
+		zbits &= st->popt.no_rd_ok;
+	}
+
+	return (zbits);
+}
+
+static void
+query_rpzfetch(ns_client_t *client, dns_name_t *qname, dns_rdatatype_t type) {
+	isc_result_t result;
+	isc_sockaddr_t *peeraddr;
+	dns_rdataset_t *tmprdataset;
+	unsigned int options;
+
+	CTRACE(ISC_LOG_DEBUG(3), "query_rpzfetch");
+
+	if (client->query.prefetch != NULL) {
+		return;
+	}
+
+	if (client->recursionquota == NULL) {
+		result = isc_quota_attach(&client->sctx->recursionquota,
+					  &client->recursionquota);
+		switch (result) {
+		case ISC_R_SUCCESS:
+			ns_stats_increment(client->sctx->nsstats,
+					   ns_statscounter_recursclients);
+			break;
+		case ISC_R_SOFTQUOTA:
+			isc_quota_detach(&client->recursionquota);
+			FALLTHROUGH;
+		default:
+			return;
+		}
+	}
+
+	tmprdataset = ns_client_newrdataset(client);
+	if (tmprdataset == NULL) {
+		return;
+	}
+
+	if (!TCP(client)) {
+		peeraddr = &client->peeraddr;
+	} else {
+		peeraddr = NULL;
+	}
+
+	options = client->query.fetchoptions;
+	isc_nmhandle_attach(client->handle, &client->prefetchhandle);
+	result = dns_resolver_createfetch(
+		client->view->resolver, qname, type, NULL, NULL, NULL, peeraddr,
+		client->message->id, options, 0, NULL, client->task,
+		prefetch_done, client, tmprdataset, NULL,
+		&client->query.prefetch);
+	if (result != ISC_R_SUCCESS) {
+		ns_client_putrdataset(client, &tmprdataset);
+		isc_nmhandle_detach(&client->prefetchhandle);
+	}
+}
+
+/*
+ * Get an NS, A, or AAAA rrset related to the response for the client
+ * to check the contents of that rrset for hits by eligible policy zones.
+ */
+static isc_result_t
+rpz_rrset_find(ns_client_t *client, dns_name_t *name, dns_rdatatype_t type,
+	       unsigned int options, dns_rpz_type_t rpz_type, dns_db_t **dbp,
+	       dns_dbversion_t *version, dns_rdataset_t **rdatasetp,
+	       bool resuming) {
+	dns_rpz_st_t *st;
+	bool is_zone;
+	dns_dbnode_t *node;
+	dns_fixedname_t fixed;
+	dns_name_t *found;
+	isc_result_t result;
+	dns_clientinfomethods_t cm;
+	dns_clientinfo_t ci;
+
+	CTRACE(ISC_LOG_DEBUG(3), "rpz_rrset_find");
+
+	st = client->query.rpz_st;
+	if ((st->state & DNS_RPZ_RECURSING) != 0) {
+		INSIST(st->r.r_type == type);
+		INSIST(dns_name_equal(name, st->r_name));
+		INSIST(*rdatasetp == NULL ||
+		       !dns_rdataset_isassociated(*rdatasetp));
+		st->state &= ~DNS_RPZ_RECURSING;
+		RESTORE(*dbp, st->r.db);
+		if (*rdatasetp != NULL) {
+			ns_client_putrdataset(client, rdatasetp);
+		}
+		RESTORE(*rdatasetp, st->r.r_rdataset);
+		result = st->r.r_result;
+		if (result == DNS_R_DELEGATION) {
+			CTRACE(ISC_LOG_ERROR, "RPZ recursing");
+			rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, name,
+				     rpz_type, "rpz_rrset_find(1)", result);
+			st->m.policy = DNS_RPZ_POLICY_ERROR;
+			result = DNS_R_SERVFAIL;
+		}
+		return (result);
+	}
+
+	result = rpz_ready(client, rdatasetp);
+	if (result != ISC_R_SUCCESS) {
+		st->m.policy = DNS_RPZ_POLICY_ERROR;
+		return (result);
+	}
+	if (*dbp != NULL) {
+		is_zone = false;
+	} else {
+		dns_zone_t *zone;
+
+		version = NULL;
+		zone = NULL;
+		result = query_getdb(client, name, type, 0, &zone, dbp,
+				     &version, &is_zone);
+		if (result != ISC_R_SUCCESS) {
+			rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, name,
+				     rpz_type, "rpz_rrset_find(2)", result);
+			st->m.policy = DNS_RPZ_POLICY_ERROR;
+			if (zone != NULL) {
+				dns_zone_detach(&zone);
+			}
+			return (result);
+		}
+		if (zone != NULL) {
+			dns_zone_detach(&zone);
+		}
+	}
+
+	node = NULL;
+	found = dns_fixedname_initname(&fixed);
+	dns_clientinfomethods_init(&cm, ns_client_sourceip);
+	dns_clientinfo_init(&ci, client, NULL, NULL);
+	result = dns_db_findext(*dbp, name, version, type, options, client->now,
+				&node, found, &cm, &ci, *rdatasetp, NULL);
+	if (result == DNS_R_DELEGATION && is_zone && USECACHE(client)) {
+		/*
+		 * Try the cache if we're authoritative for an
+		 * ancestor but not the domain itself.
+		 */
+		rpz_clean(NULL, dbp, &node, rdatasetp);
+		version = NULL;
+		dns_db_attach(client->view->cachedb, dbp);
+		result = dns_db_findext(*dbp, name, version, type, 0,
+					client->now, &node, found, &cm, &ci,
+					*rdatasetp, NULL);
+	}
+	rpz_clean(NULL, dbp, &node, NULL);
+	if (result == DNS_R_DELEGATION) {
+		rpz_clean(NULL, NULL, NULL, rdatasetp);
+		/*
+		 * Recurse for NS rrset or A or AAAA rrset for an NS.
+		 * Do not recurse for addresses for the query name.
+		 */
+		if (rpz_type == DNS_RPZ_TYPE_IP) {
+			result = DNS_R_NXRRSET;
+		} else if (!client->view->rpzs->p.nsip_wait_recurse) {
+			query_rpzfetch(client, name, type);
+			result = DNS_R_NXRRSET;
+		} else {
+			dns_name_copynf(name, st->r_name);
+			result = ns_query_recurse(client, type, st->r_name,
+						  NULL, NULL, resuming);
+			if (result == ISC_R_SUCCESS) {
+				st->state |= DNS_RPZ_RECURSING;
+				result = DNS_R_DELEGATION;
+			}
+		}
+	}
+	return (result);
+}
+
+/*
+ * Compute a policy owner name, p_name, in a policy zone given the needed
+ * policy type and the trigger name.
+ */
+static isc_result_t
+rpz_get_p_name(ns_client_t *client, dns_name_t *p_name, dns_rpz_zone_t *rpz,
+	       dns_rpz_type_t rpz_type, dns_name_t *trig_name) {
+	dns_offsets_t prefix_offsets;
+	dns_name_t prefix, *suffix;
+	unsigned int first, labels;
+	isc_result_t result;
+
+	CTRACE(ISC_LOG_DEBUG(3), "rpz_get_p_name");
+
+	/*
+	 * The policy owner name consists of a suffix depending on the type
+	 * and policy zone and a prefix that is the longest possible string
+	 * from the trigger name that keesp the resulting policy owner name
+	 * from being too long.
+	 */
+	switch (rpz_type) {
+	case DNS_RPZ_TYPE_CLIENT_IP:
+		suffix = &rpz->client_ip;
+		break;
+	case DNS_RPZ_TYPE_QNAME:
+		suffix = &rpz->origin;
+		break;
+	case DNS_RPZ_TYPE_IP:
+		suffix = &rpz->ip;
+		break;
+	case DNS_RPZ_TYPE_NSDNAME:
+		suffix = &rpz->nsdname;
+		break;
+	case DNS_RPZ_TYPE_NSIP:
+		suffix = &rpz->nsip;
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	/*
+	 * Start with relative version of the full trigger name,
+	 * and trim enough allow the addition of the suffix.
+	 */
+	dns_name_init(&prefix, prefix_offsets);
+	labels = dns_name_countlabels(trig_name);
+	first = 0;
+	for (;;) {
+		dns_name_getlabelsequence(trig_name, first, labels - first - 1,
+					  &prefix);
+		result = dns_name_concatenate(&prefix, suffix, p_name, NULL);
+		if (result == ISC_R_SUCCESS) {
+			break;
+		}
+		INSIST(result == DNS_R_NAMETOOLONG);
+		/*
+		 * Trim the trigger name until the combination is not too long.
+		 */
+		if (labels - first < 2) {
+			rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, suffix,
+				     rpz_type, "concatenate()", result);
+			return (ISC_R_FAILURE);
+		}
+		/*
+		 * Complain once about trimming the trigger name.
+		 */
+		if (first == 0) {
+			rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, suffix,
+				     rpz_type, "concatenate()", result);
+		}
+		++first;
+	}
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Look in policy zone rpz for a policy of rpz_type by p_name.
+ * The self-name (usually the client qname or an NS name) is compared with
+ * the target of a CNAME policy for the old style passthru encoding.
+ * If found, the policy is recorded in *zonep, *dbp, *versionp, *nodep,
+ * *rdatasetp, and *policyp.
+ * The target DNS type, qtype, chooses the best rdataset for *rdatasetp.
+ * The caller must decide if the found policy is most suitable, including
+ * better than a previously found policy.
+ * If it is best, the caller records it in client->query.rpz_st->m.
+ */
+static isc_result_t
+rpz_find_p(ns_client_t *client, dns_name_t *self_name, dns_rdatatype_t qtype,
+	   dns_name_t *p_name, dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type,
+	   dns_zone_t **zonep, dns_db_t **dbp, dns_dbversion_t **versionp,
+	   dns_dbnode_t **nodep, dns_rdataset_t **rdatasetp,
+	   dns_rpz_policy_t *policyp) {
+	dns_fixedname_t foundf;
+	dns_name_t *found;
+	isc_result_t result;
+	dns_clientinfomethods_t cm;
+	dns_clientinfo_t ci;
+	bool found_a = false;
+
+	REQUIRE(nodep != NULL);
+
+	CTRACE(ISC_LOG_DEBUG(3), "rpz_find_p");
+
+	dns_clientinfomethods_init(&cm, ns_client_sourceip);
+	dns_clientinfo_init(&ci, client, NULL, NULL);
+
+	/*
+	 * Try to find either a CNAME or the type of record demanded by the
+	 * request from the policy zone.
+	 */
+	rpz_clean(zonep, dbp, nodep, rdatasetp);
+	result = rpz_ready(client, rdatasetp);
+	if (result != ISC_R_SUCCESS) {
+		CTRACE(ISC_LOG_ERROR, "rpz_ready() failed");
+		return (DNS_R_SERVFAIL);
+	}
+	*versionp = NULL;
+	result = rpz_getdb(client, p_name, rpz_type, zonep, dbp, versionp);
+	if (result != ISC_R_SUCCESS) {
+		return (DNS_R_NXDOMAIN);
+	}
+	found = dns_fixedname_initname(&foundf);
+
+	result = dns_db_findext(*dbp, p_name, *versionp, dns_rdatatype_any, 0,
+				client->now, nodep, found, &cm, &ci, *rdatasetp,
+				NULL);
+	/*
+	 * Choose the best rdataset if we found something.
+	 */
+	if (result == ISC_R_SUCCESS) {
+		dns_rdatasetiter_t *rdsiter;
+
+		rdsiter = NULL;
+		result = dns_db_allrdatasets(*dbp, *nodep, *versionp, 0, 0,
+					     &rdsiter);
+		if (result != ISC_R_SUCCESS) {
+			rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, p_name,
+				     rpz_type, "allrdatasets()", result);
+			CTRACE(ISC_LOG_ERROR,
+			       "rpz_find_p: allrdatasets failed");
+			return (DNS_R_SERVFAIL);
+		}
+		if (qtype == dns_rdatatype_aaaa &&
+		    !ISC_LIST_EMPTY(client->view->dns64))
+		{
+			for (result = dns_rdatasetiter_first(rdsiter);
+			     result == ISC_R_SUCCESS;
+			     result = dns_rdatasetiter_next(rdsiter))
+			{
+				dns_rdatasetiter_current(rdsiter, *rdatasetp);
+				if ((*rdatasetp)->type == dns_rdatatype_a) {
+					found_a = true;
+				}
+				dns_rdataset_disassociate(*rdatasetp);
+			}
+		}
+		for (result = dns_rdatasetiter_first(rdsiter);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdatasetiter_next(rdsiter))
+		{
+			dns_rdatasetiter_current(rdsiter, *rdatasetp);
+			if ((*rdatasetp)->type == dns_rdatatype_cname ||
+			    (*rdatasetp)->type == qtype)
+			{
+				break;
+			}
+			dns_rdataset_disassociate(*rdatasetp);
+		}
+		dns_rdatasetiter_destroy(&rdsiter);
+		if (result != ISC_R_SUCCESS) {
+			if (result != ISC_R_NOMORE) {
+				rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL,
+					     p_name, rpz_type, "rdatasetiter",
+					     result);
+				CTRACE(ISC_LOG_ERROR, "rpz_find_p: "
+						      "rdatasetiter failed");
+				return (DNS_R_SERVFAIL);
+			}
+			/*
+			 * Ask again to get the right DNS_R_DNAME/NXRRSET/...
+			 * result if there is neither a CNAME nor target type.
+			 */
+			if (dns_rdataset_isassociated(*rdatasetp)) {
+				dns_rdataset_disassociate(*rdatasetp);
+			}
+			dns_db_detachnode(*dbp, nodep);
+
+			if (qtype == dns_rdatatype_rrsig ||
+			    qtype == dns_rdatatype_sig)
+			{
+				result = DNS_R_NXRRSET;
+			} else {
+				result = dns_db_findext(*dbp, p_name, *versionp,
+							qtype, 0, client->now,
+							nodep, found, &cm, &ci,
+							*rdatasetp, NULL);
+			}
+		}
+	}
+	switch (result) {
+	case ISC_R_SUCCESS:
+		if ((*rdatasetp)->type != dns_rdatatype_cname) {
+			*policyp = DNS_RPZ_POLICY_RECORD;
+		} else {
+			*policyp = dns_rpz_decode_cname(rpz, *rdatasetp,
+							self_name);
+			if ((*policyp == DNS_RPZ_POLICY_RECORD ||
+			     *policyp == DNS_RPZ_POLICY_WILDCNAME) &&
+			    qtype != dns_rdatatype_cname &&
+			    qtype != dns_rdatatype_any)
+			{
+				return (DNS_R_CNAME);
+			}
+		}
+		return (ISC_R_SUCCESS);
+	case DNS_R_NXRRSET:
+		if (found_a) {
+			*policyp = DNS_RPZ_POLICY_DNS64;
+		} else {
+			*policyp = DNS_RPZ_POLICY_NODATA;
+		}
+		return (result);
+	case DNS_R_DNAME:
+	/*
+	 * DNAME policy RRs have very few if any uses that are not
+	 * better served with simple wildcards.  Making them work would
+	 * require complications to get the number of labels matched
+	 * in the name or the found name to the main DNS_R_DNAME case
+	 * in query_dname().  The domain also does not appear in the
+	 * summary database at the right level, so this happens only
+	 * with a single policy zone when we have no summary database.
+	 * Treat it as a miss.
+	 */
+	case DNS_R_NXDOMAIN:
+	case DNS_R_EMPTYNAME:
+		return (DNS_R_NXDOMAIN);
+	default:
+		rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, p_name, rpz_type, "",
+			     result);
+		CTRACE(ISC_LOG_ERROR, "rpz_find_p: unexpected result");
+		return (DNS_R_SERVFAIL);
+	}
+}
+
+static void
+rpz_save_p(dns_rpz_st_t *st, dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type,
+	   dns_rpz_policy_t policy, dns_name_t *p_name, dns_rpz_prefix_t prefix,
+	   isc_result_t result, dns_zone_t **zonep, dns_db_t **dbp,
+	   dns_dbnode_t **nodep, dns_rdataset_t **rdatasetp,
+	   dns_dbversion_t *version) {
+	dns_rdataset_t *trdataset = NULL;
+
+	rpz_match_clear(st);
+	st->m.rpz = rpz;
+	st->m.type = rpz_type;
+	st->m.policy = policy;
+	dns_name_copynf(p_name, st->p_name);
+	st->m.prefix = prefix;
+	st->m.result = result;
+	SAVE(st->m.zone, *zonep);
+	SAVE(st->m.db, *dbp);
+	SAVE(st->m.node, *nodep);
+	if (*rdatasetp != NULL && dns_rdataset_isassociated(*rdatasetp)) {
+		/*
+		 * Save the replacement rdataset from the policy
+		 * and make the previous replacement rdataset scratch.
+		 */
+		SAVE(trdataset, st->m.rdataset);
+		SAVE(st->m.rdataset, *rdatasetp);
+		SAVE(*rdatasetp, trdataset);
+		st->m.ttl = ISC_MIN(st->m.rdataset->ttl, rpz->max_policy_ttl);
+	} else {
+		st->m.ttl = ISC_MIN(DNS_RPZ_TTL_DEFAULT, rpz->max_policy_ttl);
+	}
+	SAVE(st->m.version, version);
+}
+
+#ifdef USE_DNSRPS
+/*
+ * Check the results of a RPZ service interface lookup.
+ * Stop after an error (<0) or not a hit on a disabled zone (0).
+ * Continue after a hit on a disabled zone (>0).
+ */
+static int
+dnsrps_ck(librpz_emsg_t *emsg, ns_client_t *client, rpsdb_t *rpsdb,
+	  bool recursed) {
+	isc_region_t region;
+	librpz_domain_buf_t pname_buf;
+
+	if (!librpz->rsp_result(emsg, &rpsdb->result, recursed, rpsdb->rsp)) {
+		return (-1);
+	}
+
+	/*
+	 * Forget the state from before the IP address or domain check
+	 * if the lookup hit nothing.
+	 */
+	if (rpsdb->result.policy == LIBRPZ_POLICY_UNDEFINED ||
+	    rpsdb->result.hit_id != rpsdb->hit_id ||
+	    rpsdb->result.policy != LIBRPZ_POLICY_DISABLED)
+	{
+		if (!librpz->rsp_pop_discard(emsg, rpsdb->rsp)) {
+			return (-1);
+		}
+		return (0);
+	}
+
+	/*
+	 * Log a hit on a disabled zone.
+	 * Forget the zone to not try it again, and restore the pre-hit state.
+	 */
+	if (!librpz->rsp_domain(emsg, &pname_buf, rpsdb->rsp)) {
+		return (-1);
+	}
+	region.base = pname_buf.d;
+	region.length = pname_buf.size;
+	dns_name_fromregion(client->query.rpz_st->p_name, &region);
+	rpz_log_rewrite(client, true, dns_dnsrps_2policy(rpsdb->result.zpolicy),
+			dns_dnsrps_trig2type(rpsdb->result.trig), NULL,
+			client->query.rpz_st->p_name, NULL,
+			rpsdb->result.cznum);
+
+	if (!librpz->rsp_forget_zone(emsg, rpsdb->result.cznum, rpsdb->rsp) ||
+	    !librpz->rsp_pop(emsg, &rpsdb->result, rpsdb->rsp))
+	{
+		return (-1);
+	}
+	return (1);
+}
+
+/*
+ * Ready the shim database and rdataset for a DNSRPS hit.
+ */
+static bool
+dnsrps_set_p(librpz_emsg_t *emsg, ns_client_t *client, dns_rpz_st_t *st,
+	     dns_rdatatype_t qtype, dns_rdataset_t **p_rdatasetp,
+	     bool recursed) {
+	rpsdb_t *rpsdb;
+	librpz_domain_buf_t pname_buf;
+	isc_region_t region;
+	dns_zone_t *p_zone;
+	dns_db_t *p_db;
+	dns_dbnode_t *p_node;
+	dns_rpz_policy_t policy;
+	dns_fixedname_t foundf;
+	dns_name_t *found;
+	dns_rdatatype_t foundtype, searchtype;
+	isc_result_t result;
+
+	rpsdb = (rpsdb_t *)st->rpsdb;
+
+	if (!librpz->rsp_result(emsg, &rpsdb->result, recursed, rpsdb->rsp)) {
+		return (false);
+	}
+
+	if (rpsdb->result.policy == LIBRPZ_POLICY_UNDEFINED) {
+		return (true);
+	}
+
+	/*
+	 * Give the fake or shim DNSRPS database its new origin.
+	 */
+	if (!librpz->rsp_soa(emsg, NULL, NULL, &rpsdb->origin_buf,
+			     &rpsdb->result, rpsdb->rsp))
+	{
+		return (false);
+	}
+	region.base = rpsdb->origin_buf.d;
+	region.length = rpsdb->origin_buf.size;
+	dns_name_fromregion(&rpsdb->common.origin, &region);
+
+	if (!librpz->rsp_domain(emsg, &pname_buf, rpsdb->rsp)) {
+		return (false);
+	}
+	region.base = pname_buf.d;
+	region.length = pname_buf.size;
+	dns_name_fromregion(st->p_name, &region);
+
+	p_zone = NULL;
+	p_db = NULL;
+	p_node = NULL;
+	rpz_ready(client, p_rdatasetp);
+	dns_db_attach(st->rpsdb, &p_db);
+	policy = dns_dnsrps_2policy(rpsdb->result.policy);
+	if (policy != DNS_RPZ_POLICY_RECORD) {
+		result = ISC_R_SUCCESS;
+	} else if (qtype == dns_rdatatype_rrsig) {
+		/*
+		 * dns_find_db() refuses to look for and fail to
+		 * find dns_rdatatype_rrsig.
+		 */
+		result = DNS_R_NXRRSET;
+		policy = DNS_RPZ_POLICY_NODATA;
+	} else {
+		/*
+		 * Get the next (and so first) RR from the policy node.
+		 * If it is a CNAME, then look for it regardless of the
+		 * query type.
+		 */
+		if (!librpz->rsp_rr(emsg, &foundtype, NULL, NULL, NULL,
+				    &rpsdb->result, rpsdb->qname->ndata,
+				    rpsdb->qname->length, rpsdb->rsp))
+		{
+			return (false);
+		}
+		if (foundtype == dns_rdatatype_cname) {
+			searchtype = dns_rdatatype_cname;
+		} else {
+			searchtype = qtype;
+		}
+		/*
+		 * Get the DNSPRS imitation rdataset.
+		 */
+		found = dns_fixedname_initname(&foundf);
+		result = dns_db_find(p_db, st->p_name, NULL, searchtype, 0, 0,
+				     &p_node, found, *p_rdatasetp, NULL);
+
+		if (result == ISC_R_SUCCESS) {
+			if (searchtype == dns_rdatatype_cname &&
+			    qtype != dns_rdatatype_cname)
+			{
+				result = DNS_R_CNAME;
+			}
+		} else if (result == DNS_R_NXRRSET) {
+			policy = DNS_RPZ_POLICY_NODATA;
+		} else {
+			snprintf(emsg->c, sizeof(emsg->c), "dns_db_find(): %s",
+				 isc_result_totext(result));
+			return (false);
+		}
+	}
+
+	rpz_save_p(st, client->view->rpzs->zones[rpsdb->result.cznum],
+		   dns_dnsrps_trig2type(rpsdb->result.trig), policy, st->p_name,
+		   0, result, &p_zone, &p_db, &p_node, p_rdatasetp, NULL);
+
+	rpz_clean(NULL, NULL, NULL, p_rdatasetp);
+
+	return (true);
+}
+
+static isc_result_t
+dnsrps_rewrite_ip(ns_client_t *client, const isc_netaddr_t *netaddr,
+		  dns_rpz_type_t rpz_type, dns_rdataset_t **p_rdatasetp) {
+	dns_rpz_st_t *st;
+	rpsdb_t *rpsdb;
+	librpz_trig_t trig = LIBRPZ_TRIG_CLIENT_IP;
+	bool recursed = false;
+	int res;
+	librpz_emsg_t emsg;
+	isc_result_t result;
+
+	st = client->query.rpz_st;
+	rpsdb = (rpsdb_t *)st->rpsdb;
+
+	result = rpz_ready(client, p_rdatasetp);
+	if (result != ISC_R_SUCCESS) {
+		st->m.policy = DNS_RPZ_POLICY_ERROR;
+		return (result);
+	}
+
+	switch (rpz_type) {
+	case DNS_RPZ_TYPE_CLIENT_IP:
+		trig = LIBRPZ_TRIG_CLIENT_IP;
+		recursed = false;
+		break;
+	case DNS_RPZ_TYPE_IP:
+		trig = LIBRPZ_TRIG_IP;
+		recursed = true;
+		break;
+	case DNS_RPZ_TYPE_NSIP:
+		trig = LIBRPZ_TRIG_NSIP;
+		recursed = true;
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	do {
+		if (!librpz->rsp_push(&emsg, rpsdb->rsp) ||
+		    !librpz->ck_ip(&emsg,
+				   netaddr->family == AF_INET
+					   ? (const void *)&netaddr->type.in
+					   : (const void *)&netaddr->type.in6,
+				   netaddr->family, trig, ++rpsdb->hit_id,
+				   recursed, rpsdb->rsp) ||
+		    (res = dnsrps_ck(&emsg, client, rpsdb, recursed)) < 0)
+		{
+			rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, NULL,
+				     rpz_type, emsg.c, DNS_R_SERVFAIL);
+			st->m.policy = DNS_RPZ_POLICY_ERROR;
+			return (DNS_R_SERVFAIL);
+		}
+	} while (res != 0);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dnsrps_rewrite_name(ns_client_t *client, dns_name_t *trig_name, bool recursed,
+		    dns_rpz_type_t rpz_type, dns_rdataset_t **p_rdatasetp) {
+	dns_rpz_st_t *st;
+	rpsdb_t *rpsdb;
+	librpz_trig_t trig = LIBRPZ_TRIG_CLIENT_IP;
+	isc_region_t r;
+	int res;
+	librpz_emsg_t emsg;
+	isc_result_t result;
+
+	st = client->query.rpz_st;
+	rpsdb = (rpsdb_t *)st->rpsdb;
+
+	result = rpz_ready(client, p_rdatasetp);
+	if (result != ISC_R_SUCCESS) {
+		st->m.policy = DNS_RPZ_POLICY_ERROR;
+		return (result);
+	}
+
+	switch (rpz_type) {
+	case DNS_RPZ_TYPE_QNAME:
+		trig = LIBRPZ_TRIG_QNAME;
+		break;
+	case DNS_RPZ_TYPE_NSDNAME:
+		trig = LIBRPZ_TRIG_NSDNAME;
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	dns_name_toregion(trig_name, &r);
+	do {
+		if (!librpz->rsp_push(&emsg, rpsdb->rsp) ||
+		    !librpz->ck_domain(&emsg, r.base, r.length, trig,
+				       ++rpsdb->hit_id, recursed, rpsdb->rsp) ||
+		    (res = dnsrps_ck(&emsg, client, rpsdb, recursed)) < 0)
+		{
+			rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, NULL,
+				     rpz_type, emsg.c, DNS_R_SERVFAIL);
+			st->m.policy = DNS_RPZ_POLICY_ERROR;
+			return (DNS_R_SERVFAIL);
+		}
+	} while (res != 0);
+	return (ISC_R_SUCCESS);
+}
+#endif /* USE_DNSRPS */
+
+/*
+ * Check this address in every eligible policy zone.
+ */
+static isc_result_t
+rpz_rewrite_ip(ns_client_t *client, const isc_netaddr_t *netaddr,
+	       dns_rdatatype_t qtype, dns_rpz_type_t rpz_type,
+	       dns_rpz_zbits_t zbits, dns_rdataset_t **p_rdatasetp) {
+	dns_rpz_zones_t *rpzs;
+	dns_rpz_st_t *st;
+	dns_rpz_zone_t *rpz;
+	dns_rpz_prefix_t prefix;
+	dns_rpz_num_t rpz_num;
+	dns_fixedname_t ip_namef, p_namef;
+	dns_name_t *ip_name, *p_name;
+	dns_zone_t *p_zone;
+	dns_db_t *p_db;
+	dns_dbversion_t *p_version;
+	dns_dbnode_t *p_node;
+	dns_rpz_policy_t policy;
+	isc_result_t result;
+
+	CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite_ip");
+
+	rpzs = client->view->rpzs;
+	st = client->query.rpz_st;
+#ifdef USE_DNSRPS
+	if (st->popt.dnsrps_enabled) {
+		return (dnsrps_rewrite_ip(client, netaddr, rpz_type,
+					  p_rdatasetp));
+	}
+#endif /* ifdef USE_DNSRPS */
+
+	ip_name = dns_fixedname_initname(&ip_namef);
+
+	p_zone = NULL;
+	p_db = NULL;
+	p_node = NULL;
+
+	while (zbits != 0) {
+		rpz_num = dns_rpz_find_ip(rpzs, rpz_type, zbits, netaddr,
+					  ip_name, &prefix);
+		if (rpz_num == DNS_RPZ_INVALID_NUM) {
+			break;
+		}
+		zbits &= (DNS_RPZ_ZMASK(rpz_num) >> 1);
+
+		/*
+		 * Do not try applying policy zones that cannot replace a
+		 * previously found policy zone.
+		 * Stop looking if the next best choice cannot
+		 * replace what we already have.
+		 */
+		rpz = rpzs->zones[rpz_num];
+		if (st->m.policy != DNS_RPZ_POLICY_MISS) {
+			if (st->m.rpz->num < rpz->num) {
+				break;
+			}
+			if (st->m.rpz->num == rpz->num &&
+			    (st->m.type < rpz_type || st->m.prefix > prefix))
+			{
+				break;
+			}
+		}
+
+		/*
+		 * Get the policy for a prefix at least as long
+		 * as the prefix of the entry we had before.
+		 */
+		p_name = dns_fixedname_initname(&p_namef);
+		result = rpz_get_p_name(client, p_name, rpz, rpz_type, ip_name);
+		if (result != ISC_R_SUCCESS) {
+			continue;
+		}
+		result = rpz_find_p(client, ip_name, qtype, p_name, rpz,
+				    rpz_type, &p_zone, &p_db, &p_version,
+				    &p_node, p_rdatasetp, &policy);
+		switch (result) {
+		case DNS_R_NXDOMAIN:
+			/*
+			 * Continue after a policy record that is missing
+			 * contrary to the summary data.  The summary
+			 * data can out of date during races with and among
+			 * policy zone updates.
+			 */
+			CTRACE(ISC_LOG_ERROR, "rpz_rewrite_ip: mismatched "
+					      "summary data; "
+					      "continuing");
+			continue;
+		case DNS_R_SERVFAIL:
+			rpz_clean(&p_zone, &p_db, &p_node, p_rdatasetp);
+			st->m.policy = DNS_RPZ_POLICY_ERROR;
+			return (DNS_R_SERVFAIL);
+		default:
+			/*
+			 * Forget this policy if it is not preferable
+			 * to the previously found policy.
+			 * If this policy is not good, then stop looking
+			 * because none of the later policy zones would work.
+			 *
+			 * With more than one applicable policy, prefer
+			 * the earliest configured policy,
+			 * client-IP over QNAME over IP over NSDNAME over NSIP,
+			 * the longest prefix
+			 * the lexically smallest address.
+			 * dns_rpz_find_ip() ensures st->m.rpz->num >= rpz->num.
+			 * We can compare new and current p_name because
+			 * both are of the same type and in the same zone.
+			 * The tests above eliminate other reasons to
+			 * reject this policy.  If this policy can't work,
+			 * then neither can later zones.
+			 */
+			if (st->m.policy != DNS_RPZ_POLICY_MISS &&
+			    rpz->num == st->m.rpz->num &&
+			    (st->m.type == rpz_type && st->m.prefix == prefix &&
+			     0 > dns_name_rdatacompare(st->p_name, p_name)))
+			{
+				break;
+			}
+
+			/*
+			 * Stop checking after saving an enabled hit in this
+			 * policy zone.  The radix tree in the policy zone
+			 * ensures that we found the longest match.
+			 */
+			if (rpz->policy != DNS_RPZ_POLICY_DISABLED) {
+				CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite_ip: "
+							 "rpz_save_p");
+				rpz_save_p(st, rpz, rpz_type, policy, p_name,
+					   prefix, result, &p_zone, &p_db,
+					   &p_node, p_rdatasetp, p_version);
+				break;
+			}
+
+			/*
+			 * Log DNS_RPZ_POLICY_DISABLED zones
+			 * and try the next eligible policy zone.
+			 */
+			rpz_log_rewrite(client, true, policy, rpz_type, p_zone,
+					p_name, NULL, rpz_num);
+		}
+	}
+
+	rpz_clean(&p_zone, &p_db, &p_node, p_rdatasetp);
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Check the IP addresses in the A or AAAA rrsets for name against
+ * all eligible rpz_type (IP or NSIP) response policy rewrite rules.
+ */
+static isc_result_t
+rpz_rewrite_ip_rrset(ns_client_t *client, dns_name_t *name,
+		     dns_rdatatype_t qtype, dns_rpz_type_t rpz_type,
+		     dns_rdatatype_t ip_type, dns_db_t **ip_dbp,
+		     dns_dbversion_t *ip_version, dns_rdataset_t **ip_rdatasetp,
+		     dns_rdataset_t **p_rdatasetp, bool resuming) {
+	dns_rpz_zbits_t zbits;
+	isc_netaddr_t netaddr;
+	struct in_addr ina;
+	struct in6_addr in6a;
+	isc_result_t result;
+	unsigned int options = client->query.dboptions | DNS_DBFIND_GLUEOK;
+	bool done = false;
+
+	CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite_ip_rrset");
+
+	do {
+		zbits = rpz_get_zbits(client, ip_type, rpz_type);
+		if (zbits == 0) {
+			return (ISC_R_SUCCESS);
+		}
+
+		/*
+		 * Get the A or AAAA rdataset.
+		 */
+		result = rpz_rrset_find(client, name, ip_type, options,
+					rpz_type, ip_dbp, ip_version,
+					ip_rdatasetp, resuming);
+		switch (result) {
+		case ISC_R_SUCCESS:
+		case DNS_R_GLUE:
+		case DNS_R_ZONECUT:
+			break;
+		case DNS_R_EMPTYNAME:
+		case DNS_R_EMPTYWILD:
+		case DNS_R_NXDOMAIN:
+		case DNS_R_NCACHENXDOMAIN:
+		case DNS_R_NXRRSET:
+		case DNS_R_NCACHENXRRSET:
+		case ISC_R_NOTFOUND:
+			return (ISC_R_SUCCESS);
+		case DNS_R_DELEGATION:
+		case DNS_R_DUPLICATE:
+		case DNS_R_DROP:
+			return (result);
+		case DNS_R_CNAME:
+		case DNS_R_DNAME:
+			rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, name,
+				     rpz_type, "NS address rewrite rrset",
+				     result);
+			return (ISC_R_SUCCESS);
+		default:
+			if (client->query.rpz_st->m.policy !=
+			    DNS_RPZ_POLICY_ERROR)
+			{
+				client->query.rpz_st->m.policy =
+					DNS_RPZ_POLICY_ERROR;
+				rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, name,
+					     rpz_type,
+					     "NS address rewrite rrset",
+					     result);
+			}
+			CTRACE(ISC_LOG_ERROR,
+			       "rpz_rewrite_ip_rrset: unexpected "
+			       "result");
+			return (DNS_R_SERVFAIL);
+		}
+
+		/*
+		 * If we are processing glue setup for the next loop
+		 * otherwise we are done.
+		 */
+		if (result == DNS_R_GLUE) {
+			options = client->query.dboptions;
+		} else {
+			options = client->query.dboptions | DNS_DBFIND_GLUEOK;
+			done = true;
+		}
+
+		/*
+		 * Check all of the IP addresses in the rdataset.
+		 */
+		for (result = dns_rdataset_first(*ip_rdatasetp);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(*ip_rdatasetp))
+		{
+			dns_rdata_t rdata = DNS_RDATA_INIT;
+			dns_rdataset_current(*ip_rdatasetp, &rdata);
+			switch (rdata.type) {
+			case dns_rdatatype_a:
+				INSIST(rdata.length == 4);
+				memmove(&ina.s_addr, rdata.data, 4);
+				isc_netaddr_fromin(&netaddr, &ina);
+				break;
+			case dns_rdatatype_aaaa:
+				INSIST(rdata.length == 16);
+				memmove(in6a.s6_addr, rdata.data, 16);
+				isc_netaddr_fromin6(&netaddr, &in6a);
+				break;
+			default:
+				continue;
+			}
+
+			result = rpz_rewrite_ip(client, &netaddr, qtype,
+						rpz_type, zbits, p_rdatasetp);
+			if (result != ISC_R_SUCCESS) {
+				return (result);
+			}
+		}
+	} while (!done &&
+		 client->query.rpz_st->m.policy == DNS_RPZ_POLICY_MISS);
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Look for IP addresses in A and AAAA rdatasets
+ * that trigger all eligible IP or NSIP policy rules.
+ */
+static isc_result_t
+rpz_rewrite_ip_rrsets(ns_client_t *client, dns_name_t *name,
+		      dns_rdatatype_t qtype, dns_rpz_type_t rpz_type,
+		      dns_rdataset_t **ip_rdatasetp, bool resuming) {
+	dns_rpz_st_t *st;
+	dns_dbversion_t *ip_version;
+	dns_db_t *ip_db;
+	dns_rdataset_t *p_rdataset;
+	isc_result_t result;
+
+	CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite_ip_rrsets");
+
+	st = client->query.rpz_st;
+	ip_version = NULL;
+	ip_db = NULL;
+	p_rdataset = NULL;
+	if ((st->state & DNS_RPZ_DONE_IPv4) == 0 &&
+	    (qtype == dns_rdatatype_a || qtype == dns_rdatatype_any ||
+	     rpz_type == DNS_RPZ_TYPE_NSIP))
+	{
+		/*
+		 * Rewrite based on an IPv4 address that will appear
+		 * in the ANSWER section or if we are checking IP addresses.
+		 */
+		result = rpz_rewrite_ip_rrset(
+			client, name, qtype, rpz_type, dns_rdatatype_a, &ip_db,
+			ip_version, ip_rdatasetp, &p_rdataset, resuming);
+		if (result == ISC_R_SUCCESS) {
+			st->state |= DNS_RPZ_DONE_IPv4;
+		}
+	} else {
+		result = ISC_R_SUCCESS;
+	}
+	if (result == ISC_R_SUCCESS &&
+	    (qtype == dns_rdatatype_aaaa || qtype == dns_rdatatype_any ||
+	     rpz_type == DNS_RPZ_TYPE_NSIP))
+	{
+		/*
+		 * Rewrite based on IPv6 addresses that will appear
+		 * in the ANSWER section or if we are checking IP addresses.
+		 */
+		result = rpz_rewrite_ip_rrset(client, name, qtype, rpz_type,
+					      dns_rdatatype_aaaa, &ip_db,
+					      ip_version, ip_rdatasetp,
+					      &p_rdataset, resuming);
+	}
+	if (ip_db != NULL) {
+		dns_db_detach(&ip_db);
+	}
+	ns_client_putrdataset(client, &p_rdataset);
+	return (result);
+}
+
+/*
+ * Try to rewrite a request for a qtype rdataset based on the trigger name
+ * trig_name and rpz_type (DNS_RPZ_TYPE_QNAME or DNS_RPZ_TYPE_NSDNAME).
+ * Record the results including the replacement rdataset if any
+ * in client->query.rpz_st.
+ * *rdatasetp is a scratch rdataset.
+ */
+static isc_result_t
+rpz_rewrite_name(ns_client_t *client, dns_name_t *trig_name,
+		 dns_rdatatype_t qtype, dns_rpz_type_t rpz_type,
+		 dns_rpz_zbits_t allowed_zbits, bool recursed,
+		 dns_rdataset_t **rdatasetp) {
+	dns_rpz_zones_t *rpzs;
+	dns_rpz_zone_t *rpz;
+	dns_rpz_st_t *st;
+	dns_fixedname_t p_namef;
+	dns_name_t *p_name;
+	dns_rpz_zbits_t zbits;
+	dns_rpz_num_t rpz_num;
+	dns_zone_t *p_zone;
+	dns_db_t *p_db;
+	dns_dbversion_t *p_version;
+	dns_dbnode_t *p_node;
+	dns_rpz_policy_t policy;
+	isc_result_t result;
+
+#ifndef USE_DNSRPS
+	UNUSED(recursed);
+#endif /* ifndef USE_DNSRPS */
+
+	CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite_name");
+
+	rpzs = client->view->rpzs;
+	st = client->query.rpz_st;
+
+#ifdef USE_DNSRPS
+	if (st->popt.dnsrps_enabled) {
+		return (dnsrps_rewrite_name(client, trig_name, recursed,
+					    rpz_type, rdatasetp));
+	}
+#endif /* ifdef USE_DNSRPS */
+
+	zbits = rpz_get_zbits(client, qtype, rpz_type);
+	zbits &= allowed_zbits;
+	if (zbits == 0) {
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * Use the summary database to find the bit mask of policy zones
+	 * with policies for this trigger name. We do this even if there
+	 * is only one eligible policy zone so that wildcard triggers
+	 * are matched correctly, and not into their parent.
+	 */
+	zbits = dns_rpz_find_name(rpzs, rpz_type, zbits, trig_name);
+	if (zbits == 0) {
+		return (ISC_R_SUCCESS);
+	}
+
+	p_name = dns_fixedname_initname(&p_namef);
+
+	p_zone = NULL;
+	p_db = NULL;
+	p_node = NULL;
+
+	/*
+	 * Check the trigger name in every policy zone that the summary data
+	 * says has a hit for the trigger name.
+	 * Most of the time there are no eligible zones and the summary data
+	 * keeps us from getting this far.
+	 * We check the most eligible zone first and so usually check only
+	 * one policy zone.
+	 */
+	for (rpz_num = 0; zbits != 0; ++rpz_num, zbits >>= 1) {
+		if ((zbits & 1) == 0) {
+			continue;
+		}
+
+		/*
+		 * Do not check policy zones that cannot replace a previously
+		 * found policy.
+		 */
+		rpz = rpzs->zones[rpz_num];
+		if (st->m.policy != DNS_RPZ_POLICY_MISS) {
+			if (st->m.rpz->num < rpz->num) {
+				break;
+			}
+			if (st->m.rpz->num == rpz->num && st->m.type < rpz_type)
+			{
+				break;
+			}
+		}
+
+		/*
+		 * Get the next policy zone's record for this trigger name.
+		 */
+		result = rpz_get_p_name(client, p_name, rpz, rpz_type,
+					trig_name);
+		if (result != ISC_R_SUCCESS) {
+			continue;
+		}
+		result = rpz_find_p(client, trig_name, qtype, p_name, rpz,
+				    rpz_type, &p_zone, &p_db, &p_version,
+				    &p_node, rdatasetp, &policy);
+		switch (result) {
+		case DNS_R_NXDOMAIN:
+			/*
+			 * Continue after a missing policy record
+			 * contrary to the summary data.  The summary
+			 * data can out of date during races with and among
+			 * policy zone updates.
+			 */
+			CTRACE(ISC_LOG_ERROR, "rpz_rewrite_name: mismatched "
+					      "summary data; "
+					      "continuing");
+			continue;
+		case DNS_R_SERVFAIL:
+			rpz_clean(&p_zone, &p_db, &p_node, rdatasetp);
+			st->m.policy = DNS_RPZ_POLICY_ERROR;
+			return (DNS_R_SERVFAIL);
+		default:
+			/*
+			 * With more than one applicable policy, prefer
+			 * the earliest configured policy,
+			 * client-IP over QNAME over IP over NSDNAME over NSIP,
+			 * and the smallest name.
+			 * We known st->m.rpz->num >= rpz->num  and either
+			 * st->m.rpz->num > rpz->num or st->m.type >= rpz_type
+			 */
+			if (st->m.policy != DNS_RPZ_POLICY_MISS &&
+			    rpz->num == st->m.rpz->num &&
+			    (st->m.type < rpz_type ||
+			     (st->m.type == rpz_type &&
+			      0 >= dns_name_compare(p_name, st->p_name))))
+			{
+				continue;
+			}
+
+			if (rpz->policy != DNS_RPZ_POLICY_DISABLED) {
+				CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite_name: "
+							 "rpz_save_p");
+				rpz_save_p(st, rpz, rpz_type, policy, p_name, 0,
+					   result, &p_zone, &p_db, &p_node,
+					   rdatasetp, p_version);
+				/*
+				 * After a hit, higher numbered policy zones
+				 * are irrelevant
+				 */
+				rpz_clean(&p_zone, &p_db, &p_node, rdatasetp);
+				return (ISC_R_SUCCESS);
+			}
+			/*
+			 * Log DNS_RPZ_POLICY_DISABLED zones
+			 * and try the next eligible policy zone.
+			 */
+			rpz_log_rewrite(client, true, policy, rpz_type, p_zone,
+					p_name, NULL, rpz_num);
+			break;
+		}
+	}
+
+	rpz_clean(&p_zone, &p_db, &p_node, rdatasetp);
+	return (ISC_R_SUCCESS);
+}
+
+static void
+rpz_rewrite_ns_skip(ns_client_t *client, dns_name_t *nsname,
+		    isc_result_t result, int level, const char *str) {
+	dns_rpz_st_t *st;
+
+	CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite_ns_skip");
+
+	st = client->query.rpz_st;
+
+	if (str != NULL) {
+		rpz_log_fail_helper(client, level, nsname, DNS_RPZ_TYPE_NSIP,
+				    DNS_RPZ_TYPE_NSDNAME, str, result);
+	}
+	if (st->r.ns_rdataset != NULL &&
+	    dns_rdataset_isassociated(st->r.ns_rdataset))
+	{
+		dns_rdataset_disassociate(st->r.ns_rdataset);
+	}
+
+	st->r.label--;
+}
+
+/*
+ * RPZ query result types
+ */
+typedef enum {
+	qresult_type_done = 0,
+	qresult_type_restart = 1,
+	qresult_type_recurse = 2
+} qresult_type_t;
+
+/*
+ * Look for response policy zone QNAME, NSIP, and NSDNAME rewriting.
+ */
+static isc_result_t
+rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
+	    bool resuming, dns_rdataset_t *ordataset, dns_rdataset_t *osigset) {
+	dns_rpz_zones_t *rpzs;
+	dns_rpz_st_t *st;
+	dns_rdataset_t *rdataset;
+	dns_fixedname_t nsnamef;
+	dns_name_t *nsname;
+	qresult_type_t qresult_type;
+	dns_rpz_zbits_t zbits;
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_rpz_have_t have;
+	dns_rpz_popt_t popt;
+	int rpz_ver;
+	unsigned int options;
+#ifdef USE_DNSRPS
+	librpz_emsg_t emsg;
+#endif /* ifdef USE_DNSRPS */
+
+	CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite");
+
+	rpzs = client->view->rpzs;
+	st = client->query.rpz_st;
+
+	if (rpzs == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+	if (st != NULL && (st->state & DNS_RPZ_REWRITTEN) != 0) {
+		return (DNS_R_DISALLOWED);
+	}
+	if (RECURSING(client)) {
+		return (DNS_R_DISALLOWED);
+	}
+
+	RWLOCK(&rpzs->search_lock, isc_rwlocktype_read);
+	if ((rpzs->p.num_zones == 0 && !rpzs->p.dnsrps_enabled) ||
+	    (!RECURSIONOK(client) && rpzs->p.no_rd_ok == 0) ||
+	    !rpz_ck_dnssec(client, qresult, ordataset, osigset))
+	{
+		RWUNLOCK(&rpzs->search_lock, isc_rwlocktype_read);
+		return (DNS_R_DISALLOWED);
+	}
+	have = rpzs->have;
+	popt = rpzs->p;
+	rpz_ver = rpzs->rpz_ver;
+	RWUNLOCK(&rpzs->search_lock, isc_rwlocktype_read);
+
+#ifndef USE_DNSRPS
+	INSIST(!popt.dnsrps_enabled);
+#endif /* ifndef USE_DNSRPS */
+
+	if (st == NULL) {
+		st = isc_mem_get(client->mctx, sizeof(*st));
+		st->state = 0;
+		st->rpsdb = NULL;
+	}
+	if (st->state == 0) {
+		st->state |= DNS_RPZ_ACTIVE;
+		memset(&st->m, 0, sizeof(st->m));
+		st->m.type = DNS_RPZ_TYPE_BAD;
+		st->m.policy = DNS_RPZ_POLICY_MISS;
+		st->m.ttl = ~0;
+		memset(&st->r, 0, sizeof(st->r));
+		memset(&st->q, 0, sizeof(st->q));
+		st->p_name = dns_fixedname_initname(&st->_p_namef);
+		st->r_name = dns_fixedname_initname(&st->_r_namef);
+		st->fname = dns_fixedname_initname(&st->_fnamef);
+		st->have = have;
+		st->popt = popt;
+		st->rpz_ver = rpz_ver;
+		client->query.rpz_st = st;
+#ifdef USE_DNSRPS
+		if (popt.dnsrps_enabled) {
+			if (st->rpsdb != NULL) {
+				dns_db_detach(&st->rpsdb);
+			}
+			result = dns_dnsrps_rewrite_init(
+				&emsg, st, rpzs, client->query.qname,
+				client->mctx, RECURSIONOK(client));
+			if (result != ISC_R_SUCCESS) {
+				rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, NULL,
+					     DNS_RPZ_TYPE_QNAME, emsg.c,
+					     result);
+				st->m.policy = DNS_RPZ_POLICY_ERROR;
+				return (ISC_R_SUCCESS);
+			}
+		}
+#endif /* ifdef USE_DNSRPS */
+	}
+
+	/*
+	 * There is nothing to rewrite if the main query failed.
+	 */
+	switch (qresult) {
+	case ISC_R_SUCCESS:
+	case DNS_R_GLUE:
+	case DNS_R_ZONECUT:
+		qresult_type = qresult_type_done;
+		break;
+	case DNS_R_EMPTYNAME:
+	case DNS_R_NXRRSET:
+	case DNS_R_NXDOMAIN:
+	case DNS_R_EMPTYWILD:
+	case DNS_R_NCACHENXDOMAIN:
+	case DNS_R_NCACHENXRRSET:
+	case DNS_R_COVERINGNSEC:
+	case DNS_R_CNAME:
+	case DNS_R_DNAME:
+		qresult_type = qresult_type_restart;
+		break;
+	case DNS_R_DELEGATION:
+	case ISC_R_NOTFOUND:
+		/*
+		 * If recursion is on, do only tentative rewriting.
+		 * If recursion is off, this the normal and only time we
+		 * can rewrite.
+		 */
+		if (RECURSIONOK(client)) {
+			qresult_type = qresult_type_recurse;
+		} else {
+			qresult_type = qresult_type_restart;
+		}
+		break;
+	case ISC_R_FAILURE:
+	case ISC_R_TIMEDOUT:
+	case DNS_R_BROKENCHAIN:
+		rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL3, NULL,
+			     DNS_RPZ_TYPE_QNAME,
+			     "stop on qresult in rpz_rewrite()", qresult);
+		return (ISC_R_SUCCESS);
+	default:
+		rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, NULL,
+			     DNS_RPZ_TYPE_QNAME,
+			     "stop on unrecognized qresult in rpz_rewrite()",
+			     qresult);
+		return (ISC_R_SUCCESS);
+	}
+
+	rdataset = NULL;
+
+	if ((st->state & (DNS_RPZ_DONE_CLIENT_IP | DNS_RPZ_DONE_QNAME)) !=
+	    (DNS_RPZ_DONE_CLIENT_IP | DNS_RPZ_DONE_QNAME))
+	{
+		isc_netaddr_t netaddr;
+		dns_rpz_zbits_t allowed;
+
+		if (!st->popt.dnsrps_enabled &&
+		    qresult_type == qresult_type_recurse)
+		{
+			/*
+			 * This request needs recursion that has not been done.
+			 * Get bits for the policy zones that do not need
+			 * to wait for the results of recursion.
+			 */
+			allowed = st->have.qname_skip_recurse;
+			if (allowed == 0) {
+				return (ISC_R_SUCCESS);
+			}
+		} else {
+			allowed = DNS_RPZ_ALL_ZBITS;
+		}
+
+		/*
+		 * Check once for triggers for the client IP address.
+		 */
+		if ((st->state & DNS_RPZ_DONE_CLIENT_IP) == 0) {
+			zbits = rpz_get_zbits(client, dns_rdatatype_none,
+					      DNS_RPZ_TYPE_CLIENT_IP);
+			zbits &= allowed;
+			if (zbits != 0) {
+				isc_netaddr_fromsockaddr(&netaddr,
+							 &client->peeraddr);
+				result = rpz_rewrite_ip(client, &netaddr, qtype,
+							DNS_RPZ_TYPE_CLIENT_IP,
+							zbits, &rdataset);
+				if (result != ISC_R_SUCCESS) {
+					goto cleanup;
+				}
+			}
+		}
+
+		/*
+		 * Check triggers for the query name if this is the first time
+		 * for the current qname.
+		 * There is a first time for each name in a CNAME chain
+		 */
+		if ((st->state & DNS_RPZ_DONE_QNAME) == 0) {
+			bool norec = (qresult_type != qresult_type_recurse);
+			result = rpz_rewrite_name(client, client->query.qname,
+						  qtype, DNS_RPZ_TYPE_QNAME,
+						  allowed, norec, &rdataset);
+			if (result != ISC_R_SUCCESS) {
+				goto cleanup;
+			}
+
+			/*
+			 * Check IPv4 addresses in A RRs next.
+			 * Reset to the start of the NS names.
+			 */
+			st->r.label = dns_name_countlabels(client->query.qname);
+			st->state &= ~(DNS_RPZ_DONE_QNAME_IP |
+				       DNS_RPZ_DONE_IPv4);
+		}
+
+		/*
+		 * Quit if this was an attempt to find a qname or
+		 * client-IP trigger before recursion.
+		 * We will be back if no pre-recursion triggers hit.
+		 * For example, consider 2 policy zones, both with qname and
+		 * IP address triggers.  If the qname misses the 1st zone,
+		 * then we cannot know whether a hit for the qname in the
+		 * 2nd zone matters until after recursing to get the A RRs and
+		 * testing them in the first zone.
+		 * Do not bother saving the work from this attempt,
+		 * because recursion is so slow.
+		 */
+		if (qresult_type == qresult_type_recurse) {
+			goto cleanup;
+		}
+
+		/*
+		 * DNS_RPZ_DONE_QNAME but not DNS_RPZ_DONE_CLIENT_IP
+		 * is reset at the end of dealing with each CNAME.
+		 */
+		st->state |= (DNS_RPZ_DONE_CLIENT_IP | DNS_RPZ_DONE_QNAME);
+	}
+
+	/*
+	 * Check known IP addresses for the query name if the database lookup
+	 * resulted in some addresses (qresult_type == qresult_type_done)
+	 * and if we have not already checked them.
+	 * Any recursion required for the query has already happened.
+	 * Do not check addresses that will not be in the ANSWER section.
+	 */
+	if ((st->state & DNS_RPZ_DONE_QNAME_IP) == 0 &&
+	    qresult_type == qresult_type_done &&
+	    rpz_get_zbits(client, qtype, DNS_RPZ_TYPE_IP) != 0)
+	{
+		result = rpz_rewrite_ip_rrsets(client, client->query.qname,
+					       qtype, DNS_RPZ_TYPE_IP,
+					       &rdataset, resuming);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+		/*
+		 * We are finished checking the IP addresses for the qname.
+		 * Start with IPv4 if we will check NS IP addresses.
+		 */
+		st->state |= DNS_RPZ_DONE_QNAME_IP;
+		st->state &= ~DNS_RPZ_DONE_IPv4;
+	}
+
+	/*
+	 * Stop looking for rules if there are none of the other kinds
+	 * that could override what we already have.
+	 */
+	if (rpz_get_zbits(client, dns_rdatatype_any, DNS_RPZ_TYPE_NSDNAME) ==
+		    0 &&
+	    rpz_get_zbits(client, dns_rdatatype_any, DNS_RPZ_TYPE_NSIP) == 0)
+	{
+		result = ISC_R_SUCCESS;
+		goto cleanup;
+	}
+
+	dns_fixedname_init(&nsnamef);
+	dns_name_clone(client->query.qname, dns_fixedname_name(&nsnamef));
+	options = client->query.dboptions | DNS_DBFIND_GLUEOK;
+	while (st->r.label > st->popt.min_ns_labels) {
+		bool was_glue = false;
+		/*
+		 * Get NS rrset for each domain in the current qname.
+		 */
+		if (st->r.label == dns_name_countlabels(client->query.qname)) {
+			nsname = client->query.qname;
+		} else {
+			nsname = dns_fixedname_name(&nsnamef);
+			dns_name_split(client->query.qname, st->r.label, NULL,
+				       nsname);
+		}
+		if (st->r.ns_rdataset == NULL ||
+		    !dns_rdataset_isassociated(st->r.ns_rdataset))
+		{
+			dns_db_t *db = NULL;
+			result = rpz_rrset_find(client, nsname,
+						dns_rdatatype_ns, options,
+						DNS_RPZ_TYPE_NSDNAME, &db, NULL,
+						&st->r.ns_rdataset, resuming);
+			if (db != NULL) {
+				dns_db_detach(&db);
+			}
+			if (st->m.policy == DNS_RPZ_POLICY_ERROR) {
+				goto cleanup;
+			}
+			switch (result) {
+			case DNS_R_GLUE:
+				was_glue = true;
+				FALLTHROUGH;
+			case ISC_R_SUCCESS:
+				result = dns_rdataset_first(st->r.ns_rdataset);
+				if (result != ISC_R_SUCCESS) {
+					goto cleanup;
+				}
+				st->state &= ~(DNS_RPZ_DONE_NSDNAME |
+					       DNS_RPZ_DONE_IPv4);
+				break;
+			case DNS_R_DELEGATION:
+			case DNS_R_DUPLICATE:
+			case DNS_R_DROP:
+				goto cleanup;
+			case DNS_R_EMPTYNAME:
+			case DNS_R_NXRRSET:
+			case DNS_R_EMPTYWILD:
+			case DNS_R_NXDOMAIN:
+			case DNS_R_NCACHENXDOMAIN:
+			case DNS_R_NCACHENXRRSET:
+			case ISC_R_NOTFOUND:
+			case DNS_R_CNAME:
+			case DNS_R_DNAME:
+				rpz_rewrite_ns_skip(client, nsname, result, 0,
+						    NULL);
+				continue;
+			case ISC_R_TIMEDOUT:
+			case DNS_R_BROKENCHAIN:
+			case ISC_R_FAILURE:
+				rpz_rewrite_ns_skip(client, nsname, result,
+						    DNS_RPZ_DEBUG_LEVEL3,
+						    " NS rpz_rrset_find()");
+				continue;
+			default:
+				rpz_rewrite_ns_skip(client, nsname, result,
+						    DNS_RPZ_INFO_LEVEL,
+						    " unrecognized NS"
+						    " rpz_rrset_find()");
+				continue;
+			}
+		}
+
+		/*
+		 * Check all NS names.
+		 */
+		do {
+			dns_rdata_ns_t ns;
+			dns_rdata_t nsrdata = DNS_RDATA_INIT;
+
+			dns_rdataset_current(st->r.ns_rdataset, &nsrdata);
+			result = dns_rdata_tostruct(&nsrdata, &ns, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			dns_rdata_reset(&nsrdata);
+
+			/*
+			 * Do nothing about "NS ."
+			 */
+			if (dns_name_equal(&ns.name, dns_rootname)) {
+				dns_rdata_freestruct(&ns);
+				result = dns_rdataset_next(st->r.ns_rdataset);
+				continue;
+			}
+			/*
+			 * Check this NS name if we did not handle it
+			 * during a previous recursion.
+			 */
+			if ((st->state & DNS_RPZ_DONE_NSDNAME) == 0) {
+				result = rpz_rewrite_name(
+					client, &ns.name, qtype,
+					DNS_RPZ_TYPE_NSDNAME, DNS_RPZ_ALL_ZBITS,
+					true, &rdataset);
+				if (result != ISC_R_SUCCESS) {
+					dns_rdata_freestruct(&ns);
+					goto cleanup;
+				}
+				st->state |= DNS_RPZ_DONE_NSDNAME;
+			}
+			/*
+			 * Check all IP addresses for this NS name.
+			 */
+			result = rpz_rewrite_ip_rrsets(client, &ns.name, qtype,
+						       DNS_RPZ_TYPE_NSIP,
+						       &rdataset, resuming);
+			dns_rdata_freestruct(&ns);
+			if (result != ISC_R_SUCCESS) {
+				goto cleanup;
+			}
+			st->state &= ~(DNS_RPZ_DONE_NSDNAME |
+				       DNS_RPZ_DONE_IPv4);
+			result = dns_rdataset_next(st->r.ns_rdataset);
+		} while (result == ISC_R_SUCCESS);
+		dns_rdataset_disassociate(st->r.ns_rdataset);
+
+		/*
+		 * If we just checked a glue NS RRset retry without allowing
+		 * glue responses, otherwise setup for the next name.
+		 */
+		if (was_glue) {
+			options = client->query.dboptions;
+		} else {
+			options = client->query.dboptions | DNS_DBFIND_GLUEOK;
+			st->r.label--;
+		}
+
+		if (rpz_get_zbits(client, dns_rdatatype_any,
+				  DNS_RPZ_TYPE_NSDNAME) == 0 &&
+		    rpz_get_zbits(client, dns_rdatatype_any,
+				  DNS_RPZ_TYPE_NSIP) == 0)
+		{
+			break;
+		}
+	}
+
+	/*
+	 * Use the best hit, if any.
+	 */
+	result = ISC_R_SUCCESS;
+
+cleanup:
+#ifdef USE_DNSRPS
+	if (st->popt.dnsrps_enabled && st->m.policy != DNS_RPZ_POLICY_ERROR &&
+	    !dnsrps_set_p(&emsg, client, st, qtype, &rdataset,
+			  (qresult_type != qresult_type_recurse)))
+	{
+		rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, NULL,
+			     DNS_RPZ_TYPE_BAD, emsg.c, DNS_R_SERVFAIL);
+		st->m.policy = DNS_RPZ_POLICY_ERROR;
+	}
+#endif /* ifdef USE_DNSRPS */
+	if (st->m.policy != DNS_RPZ_POLICY_MISS &&
+	    st->m.policy != DNS_RPZ_POLICY_ERROR &&
+	    st->m.rpz->policy != DNS_RPZ_POLICY_GIVEN)
+	{
+		st->m.policy = st->m.rpz->policy;
+	}
+	if (st->m.policy == DNS_RPZ_POLICY_MISS ||
+	    st->m.policy == DNS_RPZ_POLICY_PASSTHRU ||
+	    st->m.policy == DNS_RPZ_POLICY_ERROR)
+	{
+		if (st->m.policy == DNS_RPZ_POLICY_PASSTHRU &&
+		    result != DNS_R_DELEGATION)
+		{
+			rpz_log_rewrite(client, false, st->m.policy, st->m.type,
+					st->m.zone, st->p_name, NULL,
+					st->m.rpz->num);
+		}
+		rpz_match_clear(st);
+	}
+	if (st->m.policy == DNS_RPZ_POLICY_ERROR) {
+		CTRACE(ISC_LOG_ERROR, "SERVFAIL due to RPZ policy");
+		st->m.type = DNS_RPZ_TYPE_BAD;
+		result = DNS_R_SERVFAIL;
+	}
+	ns_client_putrdataset(client, &rdataset);
+	if ((st->state & DNS_RPZ_RECURSING) == 0) {
+		rpz_clean(NULL, &st->r.db, NULL, &st->r.ns_rdataset);
+	}
+
+	return (result);
+}
+
+/*
+ * See if response policy zone rewriting is allowed by a lack of interest
+ * by the client in DNSSEC or a lack of signatures.
+ */
+static bool
+rpz_ck_dnssec(ns_client_t *client, isc_result_t qresult,
+	      dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) {
+	dns_fixedname_t fixed;
+	dns_name_t *found;
+	dns_rdataset_t trdataset;
+	dns_rdatatype_t type;
+	isc_result_t result;
+
+	CTRACE(ISC_LOG_DEBUG(3), "rpz_ck_dnssec");
+
+	if (client->view->rpzs->p.break_dnssec || !WANTDNSSEC(client)) {
+		return (true);
+	}
+
+	/*
+	 * We do not know if there are signatures if we have not recursed
+	 * for them.
+	 */
+	if (qresult == DNS_R_DELEGATION || qresult == ISC_R_NOTFOUND) {
+		return (false);
+	}
+
+	if (sigrdataset == NULL) {
+		return (true);
+	}
+	if (dns_rdataset_isassociated(sigrdataset)) {
+		return (false);
+	}
+
+	/*
+	 * We are happy to rewrite nothing.
+	 */
+	if (rdataset == NULL || !dns_rdataset_isassociated(rdataset)) {
+		return (true);
+	}
+	/*
+	 * Do not rewrite if there is any sign of signatures.
+	 */
+	if (rdataset->type == dns_rdatatype_nsec ||
+	    rdataset->type == dns_rdatatype_nsec3 ||
+	    rdataset->type == dns_rdatatype_rrsig)
+	{
+		return (false);
+	}
+
+	/*
+	 * Look for a signature in a negative cache rdataset.
+	 */
+	if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) == 0) {
+		return (true);
+	}
+	found = dns_fixedname_initname(&fixed);
+	dns_rdataset_init(&trdataset);
+	for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(rdataset))
+	{
+		dns_ncache_current(rdataset, found, &trdataset);
+		type = trdataset.type;
+		dns_rdataset_disassociate(&trdataset);
+		if (type == dns_rdatatype_nsec || type == dns_rdatatype_nsec3 ||
+		    type == dns_rdatatype_rrsig)
+		{
+			return (false);
+		}
+	}
+	return (true);
+}
+
+/*
+ * Extract a network address from the RDATA of an A or AAAA
+ * record.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOTIMPLEMENTED	The rdata is not a known address type.
+ */
+static isc_result_t
+rdata_tonetaddr(const dns_rdata_t *rdata, isc_netaddr_t *netaddr) {
+	struct in_addr ina;
+	struct in6_addr in6a;
+
+	switch (rdata->type) {
+	case dns_rdatatype_a:
+		INSIST(rdata->length == 4);
+		memmove(&ina.s_addr, rdata->data, 4);
+		isc_netaddr_fromin(netaddr, &ina);
+		return (ISC_R_SUCCESS);
+	case dns_rdatatype_aaaa:
+		INSIST(rdata->length == 16);
+		memmove(in6a.s6_addr, rdata->data, 16);
+		isc_netaddr_fromin6(netaddr, &in6a);
+		return (ISC_R_SUCCESS);
+	default:
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+}
+
+static unsigned char inaddr10_offsets[] = { 0, 3, 11, 16 };
+static unsigned char inaddr172_offsets[] = { 0, 3, 7, 15, 20 };
+static unsigned char inaddr192_offsets[] = { 0, 4, 8, 16, 21 };
+
+static unsigned char inaddr10[] = "\00210\007IN-ADDR\004ARPA";
+
+static unsigned char inaddr16172[] = "\00216\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr17172[] = "\00217\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr18172[] = "\00218\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr19172[] = "\00219\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr20172[] = "\00220\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr21172[] = "\00221\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr22172[] = "\00222\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr23172[] = "\00223\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr24172[] = "\00224\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr25172[] = "\00225\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr26172[] = "\00226\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr27172[] = "\00227\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr28172[] = "\00228\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr29172[] = "\00229\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr30172[] = "\00230\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr31172[] = "\00231\003172\007IN-ADDR\004ARPA";
+
+static unsigned char inaddr168192[] = "\003168\003192\007IN-ADDR\004ARPA";
+
+static dns_name_t rfc1918names[] = {
+	DNS_NAME_INITABSOLUTE(inaddr10, inaddr10_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr16172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr17172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr18172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr19172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr20172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr21172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr22172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr23172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr24172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr25172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr26172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr27172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr28172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr29172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr30172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr31172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr168192, inaddr192_offsets)
+};
+
+static unsigned char prisoner_data[] = "\010prisoner\004iana\003org";
+static unsigned char hostmaster_data[] = "\012hostmaster\014root-"
+					 "servers\003org";
+
+static unsigned char prisoner_offsets[] = { 0, 9, 14, 18 };
+static unsigned char hostmaster_offsets[] = { 0, 11, 24, 28 };
+
+static dns_name_t const prisoner = DNS_NAME_INITABSOLUTE(prisoner_data,
+							 prisoner_offsets);
+static dns_name_t const hostmaster = DNS_NAME_INITABSOLUTE(hostmaster_data,
+							   hostmaster_offsets);
+
+static void
+warn_rfc1918(ns_client_t *client, dns_name_t *fname, dns_rdataset_t *rdataset) {
+	unsigned int i;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_soa_t soa;
+	dns_rdataset_t found;
+	isc_result_t result;
+
+	for (i = 0; i < (sizeof(rfc1918names) / sizeof(*rfc1918names)); i++) {
+		if (dns_name_issubdomain(fname, &rfc1918names[i])) {
+			dns_rdataset_init(&found);
+			result = dns_ncache_getrdataset(
+				rdataset, &rfc1918names[i], dns_rdatatype_soa,
+				&found);
+			if (result != ISC_R_SUCCESS) {
+				return;
+			}
+
+			result = dns_rdataset_first(&found);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			dns_rdataset_current(&found, &rdata);
+			result = dns_rdata_tostruct(&rdata, &soa, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			if (dns_name_equal(&soa.origin, &prisoner) &&
+			    dns_name_equal(&soa.contact, &hostmaster))
+			{
+				char buf[DNS_NAME_FORMATSIZE];
+				dns_name_format(fname, buf, sizeof(buf));
+				ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+					      NS_LOGMODULE_QUERY,
+					      ISC_LOG_WARNING,
+					      "RFC 1918 response from "
+					      "Internet for %s",
+					      buf);
+			}
+			dns_rdataset_disassociate(&found);
+			return;
+		}
+	}
+}
+
+static void
+query_findclosestnsec3(dns_name_t *qname, dns_db_t *db,
+		       dns_dbversion_t *version, ns_client_t *client,
+		       dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
+		       dns_name_t *fname, bool exact, dns_name_t *found) {
+	unsigned char salt[256];
+	size_t salt_length;
+	uint16_t iterations;
+	isc_result_t result;
+	unsigned int dboptions;
+	dns_fixedname_t fixed;
+	dns_hash_t hash;
+	dns_name_t name;
+	unsigned int skip = 0, labels;
+	dns_rdata_nsec3_t nsec3;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	bool optout;
+	dns_clientinfomethods_t cm;
+	dns_clientinfo_t ci;
+
+	salt_length = sizeof(salt);
+	result = dns_db_getnsec3parameters(db, version, &hash, NULL,
+					   &iterations, salt, &salt_length);
+	if (result != ISC_R_SUCCESS) {
+		return;
+	}
+
+	dns_name_init(&name, NULL);
+	dns_name_clone(qname, &name);
+	labels = dns_name_countlabels(&name);
+	dns_clientinfomethods_init(&cm, ns_client_sourceip);
+	dns_clientinfo_init(&ci, client, NULL, NULL);
+
+	/*
+	 * Map unknown algorithm to known value.
+	 */
+	if (hash == DNS_NSEC3_UNKNOWNALG) {
+		hash = 1;
+	}
+
+again:
+	dns_fixedname_init(&fixed);
+	result = dns_nsec3_hashname(&fixed, NULL, NULL, &name,
+				    dns_db_origin(db), hash, iterations, salt,
+				    salt_length);
+	if (result != ISC_R_SUCCESS) {
+		return;
+	}
+
+	dboptions = client->query.dboptions | DNS_DBFIND_FORCENSEC3;
+	result = dns_db_findext(db, dns_fixedname_name(&fixed), version,
+				dns_rdatatype_nsec3, dboptions, client->now,
+				NULL, fname, &cm, &ci, rdataset, sigrdataset);
+
+	if (result == DNS_R_NXDOMAIN) {
+		if (!dns_rdataset_isassociated(rdataset)) {
+			return;
+		}
+		result = dns_rdataset_first(rdataset);
+		INSIST(result == ISC_R_SUCCESS);
+		dns_rdataset_current(rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &nsec3, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		dns_rdata_reset(&rdata);
+		optout = ((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0);
+		if (found != NULL && optout &&
+		    dns_name_issubdomain(&name, dns_db_origin(db)))
+		{
+			dns_rdataset_disassociate(rdataset);
+			if (dns_rdataset_isassociated(sigrdataset)) {
+				dns_rdataset_disassociate(sigrdataset);
+			}
+			skip++;
+			dns_name_getlabelsequence(qname, skip, labels - skip,
+						  &name);
+			ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
+				      NS_LOGMODULE_QUERY, ISC_LOG_DEBUG(3),
+				      "looking for closest provable encloser");
+			goto again;
+		}
+		if (exact) {
+			ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
+				      NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
+				      "expected a exact match NSEC3, got "
+				      "a covering record");
+		}
+	} else if (result != ISC_R_SUCCESS) {
+		return;
+	} else if (!exact) {
+		ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
+			      NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
+			      "expected covering NSEC3, got an exact match");
+	}
+	if (found == qname) {
+		if (skip != 0U) {
+			dns_name_getlabelsequence(qname, skip, labels - skip,
+						  found);
+		}
+	} else if (found != NULL) {
+		dns_name_copynf(&name, found);
+	}
+	return;
+}
+
+static uint32_t
+dns64_ttl(dns_db_t *db, dns_dbversion_t *version) {
+	dns_dbnode_t *node = NULL;
+	dns_rdata_soa_t soa;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdataset_t rdataset;
+	isc_result_t result;
+	uint32_t ttl = UINT32_MAX;
+
+	dns_rdataset_init(&rdataset);
+
+	result = dns_db_getoriginnode(db, &node);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	result = dns_db_findrdataset(db, node, version, dns_rdatatype_soa, 0, 0,
+				     &rdataset, NULL);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	result = dns_rdataset_first(&rdataset);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	dns_rdataset_current(&rdataset, &rdata);
+	result = dns_rdata_tostruct(&rdata, &soa, NULL);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	ttl = ISC_MIN(rdataset.ttl, soa.minimum);
+
+cleanup:
+	if (dns_rdataset_isassociated(&rdataset)) {
+		dns_rdataset_disassociate(&rdataset);
+	}
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+	return (ttl);
+}
+
+static bool
+dns64_aaaaok(ns_client_t *client, dns_rdataset_t *rdataset,
+	     dns_rdataset_t *sigrdataset) {
+	isc_netaddr_t netaddr;
+	dns_aclenv_t *env =
+		ns_interfacemgr_getaclenv(client->manager->interface->mgr);
+	dns_dns64_t *dns64 = ISC_LIST_HEAD(client->view->dns64);
+	unsigned int flags = 0;
+	unsigned int i, count;
+	bool *aaaaok;
+
+	INSIST(client->query.dns64_aaaaok == NULL);
+	INSIST(client->query.dns64_aaaaoklen == 0);
+	INSIST(client->query.dns64_aaaa == NULL);
+	INSIST(client->query.dns64_sigaaaa == NULL);
+
+	if (dns64 == NULL) {
+		return (true);
+	}
+
+	if (RECURSIONOK(client)) {
+		flags |= DNS_DNS64_RECURSIVE;
+	}
+
+	if (WANTDNSSEC(client) && sigrdataset != NULL &&
+	    dns_rdataset_isassociated(sigrdataset))
+	{
+		flags |= DNS_DNS64_DNSSEC;
+	}
+
+	count = dns_rdataset_count(rdataset);
+	aaaaok = isc_mem_get(client->mctx, sizeof(bool) * count);
+
+	isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
+	if (dns_dns64_aaaaok(dns64, &netaddr, client->signer, env, flags,
+			     rdataset, aaaaok, count))
+	{
+		for (i = 0; i < count; i++) {
+			if (aaaaok != NULL && !aaaaok[i]) {
+				SAVE(client->query.dns64_aaaaok, aaaaok);
+				client->query.dns64_aaaaoklen = count;
+				break;
+			}
+		}
+		if (aaaaok != NULL) {
+			isc_mem_put(client->mctx, aaaaok, sizeof(bool) * count);
+		}
+		return (true);
+	}
+	if (aaaaok != NULL) {
+		isc_mem_put(client->mctx, aaaaok, sizeof(bool) * count);
+	}
+	return (false);
+}
+
+/*
+ * Look for the name and type in the redirection zone.  If found update
+ * the arguments as appropriate.  Return true if a update was
+ * performed.
+ *
+ * Only perform the update if the client is in the allow query acl and
+ * returning the update would not cause a DNSSEC validation failure.
+ */
+static isc_result_t
+redirect(ns_client_t *client, dns_name_t *name, dns_rdataset_t *rdataset,
+	 dns_dbnode_t **nodep, dns_db_t **dbp, dns_dbversion_t **versionp,
+	 dns_rdatatype_t qtype) {
+	dns_db_t *db = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_fixedname_t fixed;
+	dns_name_t *found;
+	dns_rdataset_t trdataset;
+	isc_result_t result;
+	dns_rdatatype_t type;
+	dns_clientinfomethods_t cm;
+	dns_clientinfo_t ci;
+	ns_dbversion_t *dbversion;
+
+	CTRACE(ISC_LOG_DEBUG(3), "redirect");
+
+	if (client->view->redirect == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	found = dns_fixedname_initname(&fixed);
+	dns_rdataset_init(&trdataset);
+
+	dns_clientinfomethods_init(&cm, ns_client_sourceip);
+	dns_clientinfo_init(&ci, client, &client->ecs, NULL);
+
+	if (WANTDNSSEC(client) && dns_db_iszone(*dbp) && dns_db_issecure(*dbp))
+	{
+		return (ISC_R_NOTFOUND);
+	}
+
+	if (WANTDNSSEC(client) && dns_rdataset_isassociated(rdataset)) {
+		if (rdataset->trust == dns_trust_secure) {
+			return (ISC_R_NOTFOUND);
+		}
+		if (rdataset->trust == dns_trust_ultimate &&
+		    (rdataset->type == dns_rdatatype_nsec ||
+		     rdataset->type == dns_rdatatype_nsec3))
+		{
+			return (ISC_R_NOTFOUND);
+		}
+		if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) {
+			for (result = dns_rdataset_first(rdataset);
+			     result == ISC_R_SUCCESS;
+			     result = dns_rdataset_next(rdataset))
+			{
+				dns_ncache_current(rdataset, found, &trdataset);
+				type = trdataset.type;
+				dns_rdataset_disassociate(&trdataset);
+				if (type == dns_rdatatype_nsec ||
+				    type == dns_rdatatype_nsec3 ||
+				    type == dns_rdatatype_rrsig)
+				{
+					return (ISC_R_NOTFOUND);
+				}
+			}
+		}
+	}
+
+	result = ns_client_checkaclsilent(
+		client, NULL, dns_zone_getqueryacl(client->view->redirect),
+		true);
+	if (result != ISC_R_SUCCESS) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	result = dns_zone_getdb(client->view->redirect, &db);
+	if (result != ISC_R_SUCCESS) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	dbversion = ns_client_findversion(client, db);
+	if (dbversion == NULL) {
+		dns_db_detach(&db);
+		return (ISC_R_NOTFOUND);
+	}
+
+	/*
+	 * Lookup the requested data in the redirect zone.
+	 */
+	result = dns_db_findext(db, client->query.qname, dbversion->version,
+				qtype, DNS_DBFIND_NOZONECUT, client->now, &node,
+				found, &cm, &ci, &trdataset, NULL);
+	if (result == DNS_R_NXRRSET || result == DNS_R_NCACHENXRRSET) {
+		if (dns_rdataset_isassociated(rdataset)) {
+			dns_rdataset_disassociate(rdataset);
+		}
+		if (dns_rdataset_isassociated(&trdataset)) {
+			dns_rdataset_disassociate(&trdataset);
+		}
+		goto nxrrset;
+	} else if (result != ISC_R_SUCCESS) {
+		if (dns_rdataset_isassociated(&trdataset)) {
+			dns_rdataset_disassociate(&trdataset);
+		}
+		if (node != NULL) {
+			dns_db_detachnode(db, &node);
+		}
+		dns_db_detach(&db);
+		return (ISC_R_NOTFOUND);
+	}
+
+	CTRACE(ISC_LOG_DEBUG(3), "redirect: found data: done");
+	dns_name_copynf(found, name);
+	if (dns_rdataset_isassociated(rdataset)) {
+		dns_rdataset_disassociate(rdataset);
+	}
+	if (dns_rdataset_isassociated(&trdataset)) {
+		dns_rdataset_clone(&trdataset, rdataset);
+		dns_rdataset_disassociate(&trdataset);
+	}
+nxrrset:
+	if (*nodep != NULL) {
+		dns_db_detachnode(*dbp, nodep);
+	}
+	dns_db_detach(dbp);
+	dns_db_attachnode(db, node, nodep);
+	dns_db_attach(db, dbp);
+	dns_db_detachnode(db, &node);
+	dns_db_detach(&db);
+	*versionp = dbversion->version;
+
+	client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY |
+				     NS_QUERYATTR_NOADDITIONAL);
+
+	return (result);
+}
+
+static isc_result_t
+redirect2(ns_client_t *client, dns_name_t *name, dns_rdataset_t *rdataset,
+	  dns_dbnode_t **nodep, dns_db_t **dbp, dns_dbversion_t **versionp,
+	  dns_rdatatype_t qtype, bool *is_zonep) {
+	dns_db_t *db = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_fixedname_t fixed;
+	dns_fixedname_t fixedredirect;
+	dns_name_t *found, *redirectname;
+	dns_rdataset_t trdataset;
+	isc_result_t result;
+	dns_rdatatype_t type;
+	dns_clientinfomethods_t cm;
+	dns_clientinfo_t ci;
+	dns_dbversion_t *version = NULL;
+	dns_zone_t *zone = NULL;
+	bool is_zone;
+	unsigned int labels;
+	unsigned int options;
+
+	CTRACE(ISC_LOG_DEBUG(3), "redirect2");
+
+	if (client->view->redirectzone == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	if (dns_name_issubdomain(name, client->view->redirectzone)) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	found = dns_fixedname_initname(&fixed);
+	dns_rdataset_init(&trdataset);
+
+	dns_clientinfomethods_init(&cm, ns_client_sourceip);
+	dns_clientinfo_init(&ci, client, &client->ecs, NULL);
+
+	if (WANTDNSSEC(client) && dns_db_iszone(*dbp) && dns_db_issecure(*dbp))
+	{
+		return (ISC_R_NOTFOUND);
+	}
+
+	if (WANTDNSSEC(client) && dns_rdataset_isassociated(rdataset)) {
+		if (rdataset->trust == dns_trust_secure) {
+			return (ISC_R_NOTFOUND);
+		}
+		if (rdataset->trust == dns_trust_ultimate &&
+		    (rdataset->type == dns_rdatatype_nsec ||
+		     rdataset->type == dns_rdatatype_nsec3))
+		{
+			return (ISC_R_NOTFOUND);
+		}
+		if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) {
+			for (result = dns_rdataset_first(rdataset);
+			     result == ISC_R_SUCCESS;
+			     result = dns_rdataset_next(rdataset))
+			{
+				dns_ncache_current(rdataset, found, &trdataset);
+				type = trdataset.type;
+				dns_rdataset_disassociate(&trdataset);
+				if (type == dns_rdatatype_nsec ||
+				    type == dns_rdatatype_nsec3 ||
+				    type == dns_rdatatype_rrsig)
+				{
+					return (ISC_R_NOTFOUND);
+				}
+			}
+		}
+	}
+
+	redirectname = dns_fixedname_initname(&fixedredirect);
+	labels = dns_name_countlabels(client->query.qname);
+	if (labels > 1U) {
+		dns_name_t prefix;
+
+		dns_name_init(&prefix, NULL);
+		dns_name_getlabelsequence(client->query.qname, 0, labels - 1,
+					  &prefix);
+		result = dns_name_concatenate(&prefix,
+					      client->view->redirectzone,
+					      redirectname, NULL);
+		if (result != ISC_R_SUCCESS) {
+			return (ISC_R_NOTFOUND);
+		}
+	} else {
+		dns_name_copynf(redirectname, client->view->redirectzone);
+	}
+
+	options = 0;
+	result = query_getdb(client, redirectname, qtype, options, &zone, &db,
+			     &version, &is_zone);
+	if (result != ISC_R_SUCCESS) {
+		return (ISC_R_NOTFOUND);
+	}
+	if (zone != NULL) {
+		dns_zone_detach(&zone);
+	}
+
+	/*
+	 * Lookup the requested data in the redirect zone.
+	 */
+	result = dns_db_findext(db, redirectname, version, qtype, 0,
+				client->now, &node, found, &cm, &ci, &trdataset,
+				NULL);
+	if (result == DNS_R_NXRRSET || result == DNS_R_NCACHENXRRSET) {
+		if (dns_rdataset_isassociated(rdataset)) {
+			dns_rdataset_disassociate(rdataset);
+		}
+		if (dns_rdataset_isassociated(&trdataset)) {
+			dns_rdataset_disassociate(&trdataset);
+		}
+		goto nxrrset;
+	} else if (result == ISC_R_NOTFOUND || result == DNS_R_DELEGATION) {
+		/*
+		 * Cleanup.
+		 */
+		if (dns_rdataset_isassociated(&trdataset)) {
+			dns_rdataset_disassociate(&trdataset);
+		}
+		if (node != NULL) {
+			dns_db_detachnode(db, &node);
+		}
+		dns_db_detach(&db);
+		/*
+		 * Don't loop forever if the lookup failed last time.
+		 */
+		if (!REDIRECT(client)) {
+			result = ns_query_recurse(client, qtype, redirectname,
+						  NULL, NULL, true);
+			if (result == ISC_R_SUCCESS) {
+				client->query.attributes |=
+					NS_QUERYATTR_RECURSING;
+				client->query.attributes |=
+					NS_QUERYATTR_REDIRECT;
+				return (DNS_R_CONTINUE);
+			}
+		}
+		return (ISC_R_NOTFOUND);
+	} else if (result != ISC_R_SUCCESS) {
+		if (dns_rdataset_isassociated(&trdataset)) {
+			dns_rdataset_disassociate(&trdataset);
+		}
+		if (node != NULL) {
+			dns_db_detachnode(db, &node);
+		}
+		dns_db_detach(&db);
+		return (ISC_R_NOTFOUND);
+	}
+
+	CTRACE(ISC_LOG_DEBUG(3), "redirect2: found data: done");
+	/*
+	 * Adjust the found name to not include the redirectzone suffix.
+	 */
+	dns_name_split(found, dns_name_countlabels(client->view->redirectzone),
+		       found, NULL);
+	/*
+	 * Make the name absolute.
+	 */
+	result = dns_name_concatenate(found, dns_rootname, found, NULL);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	dns_name_copynf(found, name);
+	if (dns_rdataset_isassociated(rdataset)) {
+		dns_rdataset_disassociate(rdataset);
+	}
+	if (dns_rdataset_isassociated(&trdataset)) {
+		dns_rdataset_clone(&trdataset, rdataset);
+		dns_rdataset_disassociate(&trdataset);
+	}
+nxrrset:
+	if (*nodep != NULL) {
+		dns_db_detachnode(*dbp, nodep);
+	}
+	dns_db_detach(dbp);
+	dns_db_attachnode(db, node, nodep);
+	dns_db_attach(db, dbp);
+	dns_db_detachnode(db, &node);
+	dns_db_detach(&db);
+	*is_zonep = is_zone;
+	*versionp = version;
+
+	client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY |
+				     NS_QUERYATTR_NOADDITIONAL);
+
+	return (result);
+}
+
+/*%
+ * Initialize query context 'qctx'. Run by query_setup() when
+ * first handling a client query, and by query_resume() when
+ * returning from recursion.
+ *
+ * Whenever this function is called, qctx_destroy() must be called
+ * when leaving the scope or freeing the qctx.
+ */
+static void
+qctx_init(ns_client_t *client, dns_fetchevent_t **eventp, dns_rdatatype_t qtype,
+	  query_ctx_t *qctx) {
+	REQUIRE(qctx != NULL);
+	REQUIRE(client != NULL);
+
+	memset(qctx, 0, sizeof(*qctx));
+
+	/* Set this first so CCTRACE will work */
+	qctx->client = client;
+
+	dns_view_attach(client->view, &qctx->view);
+
+	CCTRACE(ISC_LOG_DEBUG(3), "qctx_init");
+
+	if (eventp != NULL) {
+		qctx->event = *eventp;
+		*eventp = NULL;
+	} else {
+		qctx->event = NULL;
+	}
+	qctx->qtype = qctx->type = qtype;
+	qctx->result = ISC_R_SUCCESS;
+	qctx->findcoveringnsec = qctx->view->synthfromdnssec;
+
+	/*
+	 * If it's an RRSIG or SIG query, we'll iterate the node.
+	 */
+	if (qctx->qtype == dns_rdatatype_rrsig ||
+	    qctx->qtype == dns_rdatatype_sig)
+	{
+		qctx->type = dns_rdatatype_any;
+	}
+
+	CALL_HOOK_NORETURN(NS_QUERY_QCTX_INITIALIZED, qctx);
+}
+
+/*
+ * Make 'dst' and exact copy of 'src', with exception of the
+ * option field, which is reset to zero.
+ * This function also attaches dst's view and db to the src's
+ * view and cachedb.
+ */
+static void
+qctx_copy(const query_ctx_t *qctx, query_ctx_t *dst) {
+	REQUIRE(qctx != NULL);
+	REQUIRE(dst != NULL);
+
+	memmove(dst, qctx, sizeof(*dst));
+	dst->view = NULL;
+	dst->db = NULL;
+	dst->options = 0;
+	dns_view_attach(qctx->view, &dst->view);
+	dns_db_attach(qctx->view->cachedb, &dst->db);
+	CCTRACE(ISC_LOG_DEBUG(3), "qctx_copy");
+}
+
+/*%
+ * Clean up and disassociate the rdataset and node pointers in qctx.
+ */
+static void
+qctx_clean(query_ctx_t *qctx) {
+	if (qctx->rdataset != NULL && dns_rdataset_isassociated(qctx->rdataset))
+	{
+		dns_rdataset_disassociate(qctx->rdataset);
+	}
+	if (qctx->sigrdataset != NULL &&
+	    dns_rdataset_isassociated(qctx->sigrdataset))
+	{
+		dns_rdataset_disassociate(qctx->sigrdataset);
+	}
+	if (qctx->db != NULL && qctx->node != NULL) {
+		dns_db_detachnode(qctx->db, &qctx->node);
+	}
+}
+
+/*%
+ * Free any allocated memory associated with qctx.
+ */
+static void
+qctx_freedata(query_ctx_t *qctx) {
+	if (qctx->rdataset != NULL) {
+		ns_client_putrdataset(qctx->client, &qctx->rdataset);
+	}
+
+	if (qctx->sigrdataset != NULL) {
+		ns_client_putrdataset(qctx->client, &qctx->sigrdataset);
+	}
+
+	if (qctx->fname != NULL) {
+		ns_client_releasename(qctx->client, &qctx->fname);
+	}
+
+	if (qctx->db != NULL) {
+		INSIST(qctx->node == NULL);
+		dns_db_detach(&qctx->db);
+	}
+
+	if (qctx->zone != NULL) {
+		dns_zone_detach(&qctx->zone);
+	}
+
+	if (qctx->zdb != NULL) {
+		ns_client_putrdataset(qctx->client, &qctx->zsigrdataset);
+		ns_client_putrdataset(qctx->client, &qctx->zrdataset);
+		ns_client_releasename(qctx->client, &qctx->zfname);
+		dns_db_detachnode(qctx->zdb, &qctx->znode);
+		dns_db_detach(&qctx->zdb);
+	}
+
+	if (qctx->event != NULL && !qctx->client->nodetach) {
+		free_devent(qctx->client, ISC_EVENT_PTR(&qctx->event),
+			    &qctx->event);
+	}
+}
+
+static void
+qctx_destroy(query_ctx_t *qctx) {
+	CALL_HOOK_NORETURN(NS_QUERY_QCTX_DESTROYED, qctx);
+
+	dns_view_detach(&qctx->view);
+}
+
+/*%
+ * Log detailed information about the query immediately after
+ * the client request or a return from recursion.
+ */
+static void
+query_trace(query_ctx_t *qctx) {
+#ifdef WANT_QUERYTRACE
+	char mbuf[2 * DNS_NAME_FORMATSIZE];
+	char qbuf[DNS_NAME_FORMATSIZE];
+
+	if (qctx->client->query.origqname != NULL) {
+		dns_name_format(qctx->client->query.origqname, qbuf,
+				sizeof(qbuf));
+	} else {
+		snprintf(qbuf, sizeof(qbuf), "<unset>");
+	}
+
+	snprintf(mbuf, sizeof(mbuf) - 1,
+		 "client attr:0x%x, query attr:0x%X, restarts:%u, "
+		 "origqname:%s, timer:%d, authdb:%d, referral:%d",
+		 qctx->client->attributes, qctx->client->query.attributes,
+		 qctx->client->query.restarts, qbuf,
+		 (int)qctx->client->query.timerset,
+		 (int)qctx->client->query.authdbset,
+		 (int)qctx->client->query.isreferral);
+	CCTRACE(ISC_LOG_DEBUG(3), mbuf);
+#else  /* ifdef WANT_QUERYTRACE */
+	UNUSED(qctx);
+#endif /* ifdef WANT_QUERYTRACE */
+}
+
+/*
+ * Set up query processing for the current query of 'client'.
+ * Calls qctx_init() to initialize a query context, checks
+ * the SERVFAIL cache, then hands off processing to ns__query_start().
+ *
+ * This is called only from ns_query_start(), to begin a query
+ * for the first time.  Restarting an existing query (for
+ * instance, to handle CNAME lookups), is done by calling
+ * ns__query_start() again with the same query context. Resuming from
+ * recursion is handled by query_resume().
+ */
+static isc_result_t
+query_setup(ns_client_t *client, dns_rdatatype_t qtype) {
+	isc_result_t result;
+	query_ctx_t qctx;
+
+	qctx_init(client, NULL, qtype, &qctx);
+	query_trace(&qctx);
+
+	CALL_HOOK(NS_QUERY_SETUP, &qctx);
+
+	/*
+	 * Check SERVFAIL cache
+	 */
+	result = ns__query_sfcache(&qctx);
+	if (result != ISC_R_COMPLETE) {
+		qctx_destroy(&qctx);
+		return (result);
+	}
+
+	result = ns__query_start(&qctx);
+
+cleanup:
+	qctx_destroy(&qctx);
+	return (result);
+}
+
+static bool
+get_root_key_sentinel_id(query_ctx_t *qctx, const char *ndata) {
+	unsigned int v = 0;
+	int i;
+
+	for (i = 0; i < 5; i++) {
+		if (!isdigit((unsigned char)ndata[i])) {
+			return (false);
+		}
+		v *= 10;
+		v += ndata[i] - '0';
+	}
+	if (v > 65535U) {
+		return (false);
+	}
+	qctx->client->query.root_key_sentinel_keyid = v;
+	return (true);
+}
+
+/*%
+ * Find out if the query is for a root key sentinel and if so, record the type
+ * of root key sentinel query and the key id that is being checked for.
+ *
+ * The code is assuming a zero padded decimal field of width 5.
+ */
+static void
+root_key_sentinel_detect(query_ctx_t *qctx) {
+	const char *ndata = (const char *)qctx->client->query.qname->ndata;
+
+	if (qctx->client->query.qname->length > 30 && ndata[0] == 29 &&
+	    strncasecmp(ndata + 1, "root-key-sentinel-is-ta-", 24) == 0)
+	{
+		if (!get_root_key_sentinel_id(qctx, ndata + 25)) {
+			return;
+		}
+		qctx->client->query.root_key_sentinel_is_ta = true;
+		/*
+		 * Simplify processing by disabling aggressive
+		 * negative caching.
+		 */
+		qctx->findcoveringnsec = false;
+		ns_client_log(qctx->client, NS_LOGCATEGORY_TAT,
+			      NS_LOGMODULE_QUERY, ISC_LOG_INFO,
+			      "root-key-sentinel-is-ta query label found");
+	} else if (qctx->client->query.qname->length > 31 && ndata[0] == 30 &&
+		   strncasecmp(ndata + 1, "root-key-sentinel-not-ta-", 25) == 0)
+	{
+		if (!get_root_key_sentinel_id(qctx, ndata + 26)) {
+			return;
+		}
+		qctx->client->query.root_key_sentinel_not_ta = true;
+		/*
+		 * Simplify processing by disabling aggressive
+		 * negative caching.
+		 */
+		qctx->findcoveringnsec = false;
+		ns_client_log(qctx->client, NS_LOGCATEGORY_TAT,
+			      NS_LOGMODULE_QUERY, ISC_LOG_INFO,
+			      "root-key-sentinel-not-ta query label found");
+	}
+}
+
+/*%
+ * Starting point for a client query or a chaining query.
+ *
+ * Called first by query_setup(), and then again as often as needed to
+ * follow a CNAME chain.  Determines which authoritative database to
+ * search, then hands off processing to query_lookup().
+ */
+isc_result_t
+ns__query_start(query_ctx_t *qctx) {
+	isc_result_t result;
+	CCTRACE(ISC_LOG_DEBUG(3), "ns__query_start");
+	qctx->want_restart = false;
+	qctx->authoritative = false;
+	qctx->version = NULL;
+	qctx->zversion = NULL;
+	qctx->need_wildcardproof = false;
+	qctx->rpz = false;
+
+	CALL_HOOK(NS_QUERY_START_BEGIN, qctx);
+
+	/*
+	 * If we require a server cookie then send back BADCOOKIE
+	 * before we have done too much work.
+	 */
+	if (!TCP(qctx->client) && qctx->view->requireservercookie &&
+	    WANTCOOKIE(qctx->client) && !HAVECOOKIE(qctx->client))
+	{
+		qctx->client->message->flags &= ~DNS_MESSAGEFLAG_AA;
+		qctx->client->message->flags &= ~DNS_MESSAGEFLAG_AD;
+		qctx->client->message->rcode = dns_rcode_badcookie;
+		return (ns_query_done(qctx));
+	}
+
+	if (qctx->view->checknames &&
+	    !dns_rdata_checkowner(qctx->client->query.qname,
+				  qctx->client->message->rdclass, qctx->qtype,
+				  false))
+	{
+		char namebuf[DNS_NAME_FORMATSIZE];
+		char typebuf[DNS_RDATATYPE_FORMATSIZE];
+		char classbuf[DNS_RDATACLASS_FORMATSIZE];
+
+		dns_name_format(qctx->client->query.qname, namebuf,
+				sizeof(namebuf));
+		dns_rdatatype_format(qctx->qtype, typebuf, sizeof(typebuf));
+		dns_rdataclass_format(qctx->client->message->rdclass, classbuf,
+				      sizeof(classbuf));
+		ns_client_log(qctx->client, DNS_LOGCATEGORY_SECURITY,
+			      NS_LOGMODULE_QUERY, ISC_LOG_ERROR,
+			      "check-names failure %s/%s/%s", namebuf, typebuf,
+			      classbuf);
+		QUERY_ERROR(qctx, DNS_R_REFUSED);
+		return (ns_query_done(qctx));
+	}
+
+	/*
+	 * Setup for root key sentinel processing.
+	 */
+	if (qctx->view->root_key_sentinel &&
+	    qctx->client->query.restarts == 0 &&
+	    (qctx->qtype == dns_rdatatype_a ||
+	     qctx->qtype == dns_rdatatype_aaaa) &&
+	    (qctx->client->message->flags & DNS_MESSAGEFLAG_CD) == 0)
+	{
+		root_key_sentinel_detect(qctx);
+	}
+
+	/*
+	 * First we must find the right database.
+	 */
+	qctx->options &= DNS_GETDB_NOLOG; /* Preserve DNS_GETDB_NOLOG. */
+	if (dns_rdatatype_atparent(qctx->qtype) &&
+	    !dns_name_equal(qctx->client->query.qname, dns_rootname))
+	{
+		/*
+		 * If authoritative data for this QTYPE is supposed to live in
+		 * the parent zone, do not look for an exact match for QNAME,
+		 * but rather for its containing zone (unless the QNAME is
+		 * root).
+		 */
+		qctx->options |= DNS_GETDB_NOEXACT;
+	}
+
+	result = query_getdb(qctx->client, qctx->client->query.qname,
+			     qctx->qtype, qctx->options, &qctx->zone, &qctx->db,
+			     &qctx->version, &qctx->is_zone);
+	if (ISC_UNLIKELY((result != ISC_R_SUCCESS || !qctx->is_zone) &&
+			 qctx->qtype == dns_rdatatype_ds &&
+			 !RECURSIONOK(qctx->client) &&
+			 (qctx->options & DNS_GETDB_NOEXACT) != 0))
+	{
+		/*
+		 * This is a non-recursive QTYPE=DS query with QNAME whose
+		 * parent we are not authoritative for.  Check whether we are
+		 * authoritative for QNAME, because if so, we need to send a
+		 * "no data" response as required by RFC 4035, section 3.1.4.1.
+		 */
+		dns_db_t *tdb = NULL;
+		dns_zone_t *tzone = NULL;
+		dns_dbversion_t *tversion = NULL;
+		isc_result_t tresult;
+
+		tresult = query_getzonedb(
+			qctx->client, qctx->client->query.qname, qctx->qtype,
+			DNS_GETDB_PARTIAL, &tzone, &tdb, &tversion);
+		if (tresult == ISC_R_SUCCESS) {
+			/*
+			 * We are authoritative for QNAME.  Attach the relevant
+			 * zone to query context, set result to ISC_R_SUCCESS.
+			 */
+			qctx->options &= ~DNS_GETDB_NOEXACT;
+			ns_client_putrdataset(qctx->client, &qctx->rdataset);
+			if (qctx->db != NULL) {
+				dns_db_detach(&qctx->db);
+			}
+			if (qctx->zone != NULL) {
+				dns_zone_detach(&qctx->zone);
+			}
+			qctx->version = NULL;
+			RESTORE(qctx->version, tversion);
+			RESTORE(qctx->db, tdb);
+			RESTORE(qctx->zone, tzone);
+			qctx->is_zone = true;
+			result = ISC_R_SUCCESS;
+		} else {
+			/*
+			 * We are not authoritative for QNAME.  Clean up and
+			 * leave result as it was.
+			 */
+			if (tdb != NULL) {
+				dns_db_detach(&tdb);
+			}
+			if (tzone != NULL) {
+				dns_zone_detach(&tzone);
+			}
+		}
+	}
+	/*
+	 * If we did not find a database from which we can answer the query,
+	 * respond with either REFUSED or SERVFAIL, depending on what the
+	 * result of query_getdb() was.
+	 */
+	if (result != ISC_R_SUCCESS) {
+		if (result == DNS_R_REFUSED) {
+			if (WANTRECURSION(qctx->client)) {
+				inc_stats(qctx->client,
+					  ns_statscounter_recurserej);
+			} else {
+				inc_stats(qctx->client,
+					  ns_statscounter_authrej);
+			}
+			if (!PARTIALANSWER(qctx->client)) {
+				QUERY_ERROR(qctx, DNS_R_REFUSED);
+			}
+		} else {
+			CCTRACE(ISC_LOG_ERROR, "ns__query_start: query_getdb "
+					       "failed");
+			QUERY_ERROR(qctx, result);
+		}
+		return (ns_query_done(qctx));
+	}
+
+	/*
+	 * We found a database from which we can answer the query.  Update
+	 * relevant query context flags if the answer is to be prepared using
+	 * authoritative data.
+	 */
+	qctx->is_staticstub_zone = false;
+	if (qctx->is_zone) {
+		qctx->authoritative = true;
+		if (qctx->zone != NULL) {
+			if (dns_zone_gettype(qctx->zone) == dns_zone_mirror) {
+				qctx->authoritative = false;
+			}
+			if (dns_zone_gettype(qctx->zone) == dns_zone_staticstub)
+			{
+				qctx->is_staticstub_zone = true;
+			}
+		}
+	}
+
+	/*
+	 * Attach to the database which will be used to prepare the answer.
+	 * Update query statistics.
+	 */
+	if (qctx->event == NULL && qctx->client->query.restarts == 0) {
+		if (qctx->is_zone) {
+			if (qctx->zone != NULL) {
+				/*
+				 * if is_zone = true, zone = NULL then this is
+				 * a DLZ zone.  Don't attempt to attach zone.
+				 */
+				dns_zone_attach(qctx->zone,
+						&qctx->client->query.authzone);
+			}
+			dns_db_attach(qctx->db, &qctx->client->query.authdb);
+		}
+		qctx->client->query.authdbset = true;
+
+		/* Track TCP vs UDP stats per zone */
+		if (TCP(qctx->client)) {
+			inc_stats(qctx->client, ns_statscounter_tcp);
+		} else {
+			inc_stats(qctx->client, ns_statscounter_udp);
+		}
+	}
+
+	if (!qctx->is_zone && (qctx->view->staleanswerclienttimeout == 0) &&
+	    dns_view_staleanswerenabled(qctx->view))
+	{
+		/*
+		 * If stale answers are enabled and
+		 * stale-answer-client-timeout is zero, then we can promptly
+		 * answer with a stale RRset if one is available in cache.
+		 */
+		qctx->options |= DNS_GETDB_STALEFIRST;
+	}
+
+	result = query_lookup(qctx);
+
+	/*
+	 * Clear "look-also-for-stale-data" flag.
+	 * If a fetch is created to resolve this query, then,
+	 * when it completes, this option is not expected to be set.
+	 */
+	qctx->options &= ~DNS_GETDB_STALEFIRST;
+
+cleanup:
+	return (result);
+}
+
+/*
+ * Allocate buffers in 'qctx' used to store query results.
+ *
+ * 'buffer' must be a pointer to an object whose lifetime
+ * doesn't expire while 'qctx' is in use.
+ */
+static isc_result_t
+qctx_prepare_buffers(query_ctx_t *qctx, isc_buffer_t *buffer) {
+	REQUIRE(qctx != NULL);
+	REQUIRE(qctx->client != NULL);
+	REQUIRE(buffer != NULL);
+
+	qctx->dbuf = ns_client_getnamebuf(qctx->client);
+	if (ISC_UNLIKELY(qctx->dbuf == NULL)) {
+		CCTRACE(ISC_LOG_ERROR,
+			"qctx_prepare_buffers: ns_client_getnamebuf "
+			"failed");
+		return (ISC_R_NOMEMORY);
+	}
+
+	qctx->fname = ns_client_newname(qctx->client, qctx->dbuf, buffer);
+	if (ISC_UNLIKELY(qctx->fname == NULL)) {
+		CCTRACE(ISC_LOG_ERROR,
+			"qctx_prepare_buffers: ns_client_newname failed");
+
+		return (ISC_R_NOMEMORY);
+	}
+
+	qctx->rdataset = ns_client_newrdataset(qctx->client);
+	if (ISC_UNLIKELY(qctx->rdataset == NULL)) {
+		CCTRACE(ISC_LOG_ERROR,
+			"qctx_prepare_buffers: ns_client_newrdataset failed");
+		goto error;
+	}
+
+	if ((WANTDNSSEC(qctx->client) || qctx->findcoveringnsec) &&
+	    (!qctx->is_zone || dns_db_issecure(qctx->db)))
+	{
+		qctx->sigrdataset = ns_client_newrdataset(qctx->client);
+		if (qctx->sigrdataset == NULL) {
+			CCTRACE(ISC_LOG_ERROR,
+				"qctx_prepare_buffers: "
+				"ns_client_newrdataset failed (2)");
+			goto error;
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+
+error:
+	if (qctx->fname != NULL) {
+		ns_client_releasename(qctx->client, &qctx->fname);
+	}
+	if (qctx->rdataset != NULL) {
+		ns_client_putrdataset(qctx->client, &qctx->rdataset);
+	}
+
+	return (ISC_R_NOMEMORY);
+}
+
+/*
+ * Setup a new query context for resolving a query.
+ *
+ * This function is only called if both these conditions are met:
+ *    1. BIND is configured with stale-answer-client-timeout 0.
+ *    2. A stale RRset is found in cache during initial query
+ *       database lookup.
+ *
+ * We continue with this function for refreshing/resolving an RRset
+ * after answering a client with stale data.
+ */
+static void
+query_refresh_rrset(query_ctx_t *orig_qctx) {
+	isc_buffer_t buffer;
+	query_ctx_t qctx;
+
+	REQUIRE(orig_qctx != NULL);
+	REQUIRE(orig_qctx->client != NULL);
+
+	qctx_copy(orig_qctx, &qctx);
+	qctx.client->query.dboptions &= ~(DNS_DBFIND_STALETIMEOUT |
+					  DNS_DBFIND_STALEOK |
+					  DNS_DBFIND_STALEENABLED);
+	qctx.client->nodetach = false;
+
+	/*
+	 * We'll need some resources...
+	 */
+	if (qctx_prepare_buffers(&qctx, &buffer) != ISC_R_SUCCESS) {
+		dns_db_detach(&qctx.db);
+		qctx_destroy(&qctx);
+		return;
+	}
+
+	/*
+	 * Pretend we didn't find anything in cache.
+	 */
+	(void)query_gotanswer(&qctx, ISC_R_NOTFOUND);
+
+	if (qctx.fname != NULL) {
+		ns_client_releasename(qctx.client, &qctx.fname);
+	}
+	if (qctx.rdataset != NULL) {
+		ns_client_putrdataset(qctx.client, &qctx.rdataset);
+	}
+
+	qctx_destroy(&qctx);
+}
+
+/*%
+ * Depending on the db lookup result, we can respond to the
+ * client this stale answer.
+ */
+static bool
+stale_client_answer(isc_result_t result) {
+	switch (result) {
+	case ISC_R_SUCCESS:
+	case DNS_R_EMPTYNAME:
+	case DNS_R_NXRRSET:
+	case DNS_R_NCACHENXRRSET:
+	case DNS_R_CNAME:
+	case DNS_R_DNAME:
+		return (true);
+	default:
+		return (false);
+	}
+
+	UNREACHABLE();
+}
+
+/*%
+ * Perform a local database lookup, in either an authoritative or
+ * cache database. If unable to answer, call ns_query_done(); otherwise
+ * hand off processing to query_gotanswer().
+ */
+static isc_result_t
+query_lookup(query_ctx_t *qctx) {
+	isc_buffer_t buffer;
+	isc_result_t result = ISC_R_UNSET;
+	dns_clientinfomethods_t cm;
+	dns_clientinfo_t ci;
+	dns_name_t *rpzqname = NULL;
+	char namebuf[DNS_NAME_FORMATSIZE];
+	unsigned int dboptions;
+	dns_ttl_t stale_refresh = 0;
+	bool dbfind_stale = false;
+	bool stale_timeout = false;
+	bool answer_found = false;
+	bool stale_found = false;
+	bool stale_refresh_window = false;
+
+	CCTRACE(ISC_LOG_DEBUG(3), "query_lookup");
+
+	CALL_HOOK(NS_QUERY_LOOKUP_BEGIN, qctx);
+
+	dns_clientinfomethods_init(&cm, ns_client_sourceip);
+	dns_clientinfo_init(&ci, qctx->client,
+			    HAVEECS(qctx->client) ? &qctx->client->ecs : NULL,
+			    NULL);
+
+	/*
+	 * We'll need some resources...
+	 */
+	result = qctx_prepare_buffers(qctx, &buffer);
+	if (result != ISC_R_SUCCESS) {
+		QUERY_ERROR(qctx, result);
+		return (ns_query_done(qctx));
+	}
+
+	/*
+	 * Now look for an answer in the database.
+	 */
+	if (qctx->dns64 && qctx->rpz) {
+		rpzqname = qctx->client->query.rpz_st->p_name;
+	} else {
+		rpzqname = qctx->client->query.qname;
+	}
+
+	if ((qctx->options & DNS_GETDB_STALEFIRST) != 0) {
+		/*
+		 * If DNS_GETDB_STALEFIRST is set, it means that a stale
+		 * RRset may be returned as part of this lookup. An attempt
+		 * to refresh the RRset will still take place if an
+		 * active RRset is not available.
+		 */
+		qctx->client->query.dboptions |= DNS_DBFIND_STALETIMEOUT;
+	}
+
+	dboptions = qctx->client->query.dboptions;
+	if (!qctx->is_zone && qctx->findcoveringnsec &&
+	    (qctx->type != dns_rdatatype_null || !dns_name_istat(rpzqname)))
+	{
+		dboptions |= DNS_DBFIND_COVERINGNSEC;
+	}
+
+	(void)dns_db_getservestalerefresh(qctx->client->view->cachedb,
+					  &stale_refresh);
+	if (stale_refresh > 0 &&
+	    dns_view_staleanswerenabled(qctx->client->view))
+	{
+		dboptions |= DNS_DBFIND_STALEENABLED;
+	}
+
+	result = dns_db_findext(qctx->db, rpzqname, qctx->version, qctx->type,
+				dboptions, qctx->client->now, &qctx->node,
+				qctx->fname, &cm, &ci, qctx->rdataset,
+				qctx->sigrdataset);
+
+	/*
+	 * Fixup fname and sigrdataset.
+	 */
+	if (qctx->dns64 && qctx->rpz) {
+		dns_name_copynf(qctx->client->query.qname, qctx->fname);
+		if (qctx->sigrdataset != NULL &&
+		    dns_rdataset_isassociated(qctx->sigrdataset))
+		{
+			dns_rdataset_disassociate(qctx->sigrdataset);
+		}
+	}
+
+	if (!qctx->is_zone) {
+		dns_cache_updatestats(qctx->view->cache, result);
+	}
+
+	/*
+	 * If DNS_DBFIND_STALEOK is set this means we are dealing with a
+	 * lookup following a failed lookup and it is okay to serve a stale
+	 * answer. This will (re)start the 'stale-refresh-time' window in
+	 * rbtdb, tracking the last time the RRset lookup failed.
+	 */
+	dbfind_stale = ((dboptions & DNS_DBFIND_STALEOK) != 0);
+
+	/*
+	 * If DNS_DBFIND_STALEENABLED is set, this may be a normal lookup, but
+	 * we are allowed to immediately respond with a stale answer if the
+	 * request is within the 'stale-refresh-time' window.
+	 */
+	stale_refresh_window = (STALE_WINDOW(qctx->rdataset) &&
+				(dboptions & DNS_DBFIND_STALEENABLED) != 0);
+
+	/*
+	 * If DNS_DBFIND_STALETIMEOUT is set, a stale answer is requested.
+	 * This can happen if 'stale-answer-client-timeout' is enabled.
+	 *
+	 * If 'stale-answer-client-timeout' is set to 0, and a stale
+	 * answer is found, send it to the client, and try to refresh the
+	 * RRset.
+	 *
+	 * If 'stale-answer-client-timeout' is non-zero, and a stale
+	 * answer is found, send it to the client. Don't try to refresh the
+	 * RRset because a fetch is already in progress.
+	 */
+	stale_timeout = ((dboptions & DNS_DBFIND_STALETIMEOUT) != 0);
+
+	if (dns_rdataset_isassociated(qctx->rdataset) &&
+	    dns_rdataset_count(qctx->rdataset) > 0 && !STALE(qctx->rdataset))
+	{
+		/* Found non-stale usable rdataset. */
+		answer_found = true;
+	}
+
+	if (dbfind_stale || stale_refresh_window || stale_timeout) {
+		dns_name_format(qctx->client->query.qname, namebuf,
+				sizeof(namebuf));
+
+		inc_stats(qctx->client, ns_statscounter_trystale);
+
+		if (dns_rdataset_isassociated(qctx->rdataset) &&
+		    dns_rdataset_count(qctx->rdataset) > 0 &&
+		    STALE(qctx->rdataset))
+		{
+			qctx->rdataset->ttl = qctx->view->staleanswerttl;
+			stale_found = true;
+			inc_stats(qctx->client, ns_statscounter_usedstale);
+		} else {
+			stale_found = false;
+		}
+	}
+
+	if (dbfind_stale) {
+		isc_log_write(ns_lctx, NS_LOGCATEGORY_SERVE_STALE,
+			      NS_LOGMODULE_QUERY, ISC_LOG_INFO,
+			      "%s resolver failure, stale answer %s", namebuf,
+			      stale_found ? "used" : "unavailable");
+		if (!stale_found && !answer_found) {
+			/*
+			 * Resolver failure, no stale data, nothing more we
+			 * can do, return SERVFAIL.
+			 */
+			QUERY_ERROR(qctx, DNS_R_SERVFAIL);
+			return (ns_query_done(qctx));
+		}
+	} else if (stale_refresh_window) {
+		/*
+		 * A recent lookup failed, so during this time window we are
+		 * allowed to return stale data immediately.
+		 */
+		isc_log_write(ns_lctx, NS_LOGCATEGORY_SERVE_STALE,
+			      NS_LOGMODULE_QUERY, ISC_LOG_INFO,
+			      "%s query within stale refresh time, stale "
+			      "answer %s",
+			      namebuf, stale_found ? "used" : "unavailable");
+
+		if (!stale_found && !answer_found) {
+			/*
+			 * During the stale refresh window explicitly do not try
+			 * to refresh the data, because a recent lookup failed.
+			 */
+			QUERY_ERROR(qctx, DNS_R_SERVFAIL);
+			return (ns_query_done(qctx));
+		}
+	} else if (stale_timeout) {
+		if ((qctx->options & DNS_GETDB_STALEFIRST) != 0) {
+			if (!stale_found && !answer_found) {
+				/*
+				 * We have nothing useful in cache to return
+				 * immediately.
+				 */
+				qctx_clean(qctx);
+				qctx_freedata(qctx);
+				dns_db_attach(qctx->client->view->cachedb,
+					      &qctx->db);
+				qctx->client->query.dboptions &=
+					~DNS_DBFIND_STALETIMEOUT;
+				qctx->options &= ~DNS_GETDB_STALEFIRST;
+				if (qctx->client->query.fetch != NULL) {
+					dns_resolver_destroyfetch(
+						&qctx->client->query.fetch);
+				}
+				return (query_lookup(qctx));
+			} else if (stale_client_answer(result)) {
+				/*
+				 * Immediately return the stale answer, start a
+				 * resolver fetch to refresh the data in cache.
+				 */
+				isc_log_write(
+					ns_lctx, NS_LOGCATEGORY_SERVE_STALE,
+					NS_LOGMODULE_QUERY, ISC_LOG_INFO,
+					"%s stale answer used, an attempt to "
+					"refresh the RRset will still be made",
+					namebuf);
+
+				qctx->refresh_rrset = STALE(qctx->rdataset);
+
+				/*
+				 * If we are refreshing the RRSet, we must not
+				 * detach from the client in query_send().
+				 */
+				qctx->client->nodetach = qctx->refresh_rrset;
+			}
+		} else {
+			/*
+			 * The 'stale-answer-client-timeout' triggered, return
+			 * the stale answer if available, otherwise wait until
+			 * the resolver finishes.
+			 */
+			isc_log_write(ns_lctx, NS_LOGCATEGORY_SERVE_STALE,
+				      NS_LOGMODULE_QUERY, ISC_LOG_INFO,
+				      "%s client timeout, stale answer %s",
+				      namebuf,
+				      stale_found ? "used" : "unavailable");
+			if (!stale_found && !answer_found) {
+				return (result);
+			}
+
+			if (!stale_client_answer(result)) {
+				return (result);
+			}
+
+			/*
+			 * There still might be real answer later. Mark the
+			 * query so we'll know we can skip answering.
+			 */
+			qctx->client->query.attributes |=
+				NS_QUERYATTR_STALEPENDING;
+		}
+	}
+
+	if (stale_timeout && (answer_found || stale_found)) {
+		/*
+		 * Mark RRsets that we are adding to the client message on a
+		 * lookup during 'stale-answer-client-timeout', so we can
+		 * clean it up if needed when we resume from recursion.
+		 */
+		qctx->client->query.attributes |= NS_QUERYATTR_STALEOK;
+		qctx->rdataset->attributes |= DNS_RDATASETATTR_STALE_ADDED;
+	}
+
+	result = query_gotanswer(qctx, result);
+
+cleanup:
+	return (result);
+}
+
+/*
+ * Clear all rdatasets from the message that are in the given section and
+ * that have the 'attr' attribute set.
+ */
+static void
+message_clearrdataset(dns_message_t *msg, unsigned int attr) {
+	unsigned int i;
+	dns_name_t *name, *next_name;
+	dns_rdataset_t *rds, *next_rds;
+
+	/*
+	 * Clean up name lists by calling the rdataset disassociate function.
+	 */
+	for (i = DNS_SECTION_ANSWER; i < DNS_SECTION_MAX; i++) {
+		name = ISC_LIST_HEAD(msg->sections[i]);
+		while (name != NULL) {
+			next_name = ISC_LIST_NEXT(name, link);
+
+			rds = ISC_LIST_HEAD(name->list);
+			while (rds != NULL) {
+				next_rds = ISC_LIST_NEXT(rds, link);
+				if ((rds->attributes & attr) != attr) {
+					rds = next_rds;
+					continue;
+				}
+				ISC_LIST_UNLINK(name->list, rds, link);
+				INSIST(dns_rdataset_isassociated(rds));
+				dns_rdataset_disassociate(rds);
+				isc_mempool_put(msg->rdspool, rds);
+				rds = next_rds;
+			}
+
+			if (ISC_LIST_EMPTY(name->list)) {
+				ISC_LIST_UNLINK(msg->sections[i], name, link);
+				if (dns_name_dynamic(name)) {
+					dns_name_free(name, msg->mctx);
+				}
+				isc_mempool_put(msg->namepool, name);
+			}
+
+			name = next_name;
+		}
+	}
+}
+
+/*
+ * Clear any rdatasets from the client's message that were added on a lookup
+ * due to a client timeout.
+ */
+static void
+query_clear_stale(ns_client_t *client) {
+	message_clearrdataset(client->message, DNS_RDATASETATTR_STALE_ADDED);
+}
+
+/*
+ * Create a new query context with the sole intent of looking up for a stale
+ * RRset in cache. If an entry is found, we mark the original query as
+ * answered, in order to avoid answering the query twice, when the original
+ * fetch finishes.
+ */
+static void
+query_lookup_stale(ns_client_t *client) {
+	query_ctx_t qctx;
+
+	qctx_init(client, NULL, client->query.qtype, &qctx);
+	dns_db_attach(client->view->cachedb, &qctx.db);
+	client->query.attributes &= ~NS_QUERYATTR_RECURSIONOK;
+	client->query.dboptions |= DNS_DBFIND_STALETIMEOUT;
+	client->nodetach = true;
+	(void)query_lookup(&qctx);
+	if (qctx.node != NULL) {
+		dns_db_detachnode(qctx.db, &qctx.node);
+	}
+	qctx_freedata(&qctx);
+	qctx_destroy(&qctx);
+}
+
+/*
+ * Event handler to resume processing a query after recursion, or when a
+ * client timeout is triggered. If the query has timed out or been cancelled
+ * or the system is shutting down, clean up and exit. If a client timeout is
+ * triggered, see if we can respond with a stale answer from cache. Otherwise,
+ * call query_resume() to continue the ongoing work.
+ */
+static void
+fetch_callback(isc_task_t *task, isc_event_t *event) {
+	dns_fetchevent_t *devent = (dns_fetchevent_t *)event;
+	dns_fetch_t *fetch = NULL;
+	ns_client_t *client = NULL;
+	bool fetch_canceled = false;
+	bool fetch_answered = false;
+	bool client_shuttingdown = false;
+	isc_logcategory_t *logcategory = NS_LOGCATEGORY_QUERY_ERRORS;
+	isc_result_t result;
+	int errorloglevel;
+	query_ctx_t qctx;
+
+	UNUSED(task);
+
+	REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE ||
+		event->ev_type == DNS_EVENT_TRYSTALE);
+
+	client = devent->ev_arg;
+
+	REQUIRE(NS_CLIENT_VALID(client));
+	REQUIRE(task == client->task);
+	REQUIRE(RECURSING(client));
+
+	CTRACE(ISC_LOG_DEBUG(3), "fetch_callback");
+
+	if (event->ev_type == DNS_EVENT_TRYSTALE) {
+		if (devent->result != ISC_R_CANCELED) {
+			query_lookup_stale(client);
+		}
+		isc_event_free(ISC_EVENT_PTR(&event));
+		return;
+	}
+	/*
+	 * We are resuming from recursion. Reset any attributes, options
+	 * that a lookup due to stale-answer-client-timeout may have set.
+	 */
+	if (client->view->cachedb != NULL && client->view->recursion) {
+		client->query.attributes |= NS_QUERYATTR_RECURSIONOK;
+	}
+	client->query.fetchoptions &= ~DNS_FETCHOPT_TRYSTALE_ONTIMEOUT;
+	client->query.dboptions &= ~DNS_DBFIND_STALETIMEOUT;
+	client->nodetach = false;
+
+	LOCK(&client->query.fetchlock);
+	INSIST(client->query.fetch == devent->fetch ||
+	       client->query.fetch == NULL);
+	if (QUERY_STALEPENDING(&client->query)) {
+		/*
+		 * We've gotten an authoritative answer to a query that
+		 * was left pending after a stale timeout. We don't need
+		 * to do anything with it; free all the data and go home.
+		 */
+		client->query.fetch = NULL;
+		fetch_answered = true;
+	} else if (client->query.fetch != NULL) {
+		/*
+		 * This is the fetch we've been waiting for.
+		 */
+		INSIST(devent->fetch == client->query.fetch);
+		client->query.fetch = NULL;
+
+		/*
+		 * Update client->now.
+		 */
+		isc_stdtime_get(&client->now);
+	} else {
+		/*
+		 * This is a fetch completion event for a canceled fetch.
+		 * Clean up and don't resume the find.
+		 */
+		fetch_canceled = true;
+	}
+	UNLOCK(&client->query.fetchlock);
+
+	SAVE(fetch, devent->fetch);
+
+	/*
+	 * We're done recursing, detach from quota and unlink from
+	 * the manager's recursing-clients list.
+	 */
+
+	if (client->recursionquota != NULL) {
+		isc_quota_detach(&client->recursionquota);
+		ns_stats_decrement(client->sctx->nsstats,
+				   ns_statscounter_recursclients);
+	}
+
+	LOCK(&client->manager->reclock);
+	if (ISC_LINK_LINKED(client, rlink)) {
+		ISC_LIST_UNLINK(client->manager->recursing, client, rlink);
+	}
+	UNLOCK(&client->manager->reclock);
+
+	isc_nmhandle_detach(&client->fetchhandle);
+
+	client->query.attributes &= ~NS_QUERYATTR_RECURSING;
+	client->state = NS_CLIENTSTATE_WORKING;
+
+	/*
+	 * Initialize a new qctx and use it to either resume from
+	 * recursion or clean up after cancelation.  Transfer
+	 * ownership of devent to the new qctx in the process.
+	 */
+	qctx_init(client, &devent, 0, &qctx);
+
+	client_shuttingdown = ns_client_shuttingdown(client);
+	if (fetch_canceled || fetch_answered || client_shuttingdown) {
+		/*
+		 * We've timed out or are shutting down. We can now
+		 * free the event and other resources held by qctx, but
+		 * don't call qctx_destroy() yet: it might destroy the
+		 * client, which we still need for a moment.
+		 */
+		qctx_freedata(&qctx);
+
+		/*
+		 * Return an error to the client, or just drop.
+		 */
+		if (fetch_canceled) {
+			CTRACE(ISC_LOG_ERROR, "fetch cancelled");
+			query_error(client, DNS_R_SERVFAIL, __LINE__);
+		} else {
+			query_next(client, ISC_R_CANCELED);
+		}
+
+		/*
+		 * Free any persistent plugin data that was allocated to
+		 * service the client, then detach the client object.
+		 */
+		qctx.detach_client = true;
+		qctx_destroy(&qctx);
+	} else {
+		/*
+		 * Resume the find process.
+		 */
+		query_trace(&qctx);
+
+		result = query_resume(&qctx);
+		if (result != ISC_R_SUCCESS) {
+			if (result == DNS_R_SERVFAIL) {
+				errorloglevel = ISC_LOG_DEBUG(2);
+			} else {
+				errorloglevel = ISC_LOG_DEBUG(4);
+			}
+			if (isc_log_wouldlog(ns_lctx, errorloglevel)) {
+				dns_resolver_logfetch(fetch, ns_lctx,
+						      logcategory,
+						      NS_LOGMODULE_QUERY,
+						      errorloglevel, false);
+			}
+		}
+
+		qctx_destroy(&qctx);
+	}
+
+	dns_resolver_destroyfetch(&fetch);
+}
+
+/*%
+ * Check whether the recursion parameters in 'param' match the current query's
+ * recursion parameters provided in 'qtype', 'qname', and 'qdomain'.
+ */
+static bool
+recparam_match(const ns_query_recparam_t *param, dns_rdatatype_t qtype,
+	       const dns_name_t *qname, const dns_name_t *qdomain) {
+	REQUIRE(param != NULL);
+
+	return (param->qtype == qtype && param->qname != NULL &&
+		qname != NULL && param->qdomain != NULL && qdomain != NULL &&
+		dns_name_equal(param->qname, qname) &&
+		dns_name_equal(param->qdomain, qdomain));
+}
+
+/*%
+ * Update 'param' with current query's recursion parameters provided in
+ * 'qtype', 'qname', and 'qdomain'.
+ */
+static void
+recparam_update(ns_query_recparam_t *param, dns_rdatatype_t qtype,
+		const dns_name_t *qname, const dns_name_t *qdomain) {
+	REQUIRE(param != NULL);
+
+	param->qtype = qtype;
+
+	if (qname == NULL) {
+		param->qname = NULL;
+	} else {
+		param->qname = dns_fixedname_initname(&param->fqname);
+		dns_name_copynf(qname, param->qname);
+	}
+
+	if (qdomain == NULL) {
+		param->qdomain = NULL;
+	} else {
+		param->qdomain = dns_fixedname_initname(&param->fqdomain);
+		dns_name_copynf(qdomain, param->qdomain);
+	}
+}
+static atomic_uint_fast32_t last_soft, last_hard;
+
+isc_result_t
+ns_query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
+		 dns_name_t *qdomain, dns_rdataset_t *nameservers,
+		 bool resuming) {
+	isc_result_t result;
+	dns_rdataset_t *rdataset, *sigrdataset;
+	isc_sockaddr_t *peeraddr = NULL;
+
+	CTRACE(ISC_LOG_DEBUG(3), "ns_query_recurse");
+
+	/*
+	 * Check recursion parameters from the previous query to see if they
+	 * match.  If not, update recursion parameters and proceed.
+	 */
+	if (recparam_match(&client->query.recparam, qtype, qname, qdomain)) {
+		ns_client_log(client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY,
+			      ISC_LOG_INFO, "recursion loop detected");
+		return (ISC_R_ALREADYRUNNING);
+	}
+
+	recparam_update(&client->query.recparam, qtype, qname, qdomain);
+
+	if (!resuming) {
+		inc_stats(client, ns_statscounter_recursion);
+	}
+
+	/*
+	 * We are about to recurse, which means that this client will
+	 * be unavailable for serving new requests for an indeterminate
+	 * amount of time.  If this client is currently responsible
+	 * for handling incoming queries, set up a new client
+	 * object to handle them while we are waiting for a
+	 * response.  There is no need to replace TCP clients
+	 * because those have already been replaced when the
+	 * connection was accepted (if allowed by the TCP quota).
+	 */
+	if (client->recursionquota == NULL) {
+		result = isc_quota_attach(&client->sctx->recursionquota,
+					  &client->recursionquota);
+		if (result == ISC_R_SUCCESS || result == ISC_R_SOFTQUOTA) {
+			ns_stats_increment(client->sctx->nsstats,
+					   ns_statscounter_recursclients);
+		}
+
+		if (result == ISC_R_SOFTQUOTA) {
+			isc_stdtime_t now;
+			isc_stdtime_get(&now);
+			if (now != atomic_load_relaxed(&last_soft)) {
+				atomic_store_relaxed(&last_soft, now);
+				ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+					      NS_LOGMODULE_QUERY,
+					      ISC_LOG_WARNING,
+					      "recursive-clients soft limit "
+					      "exceeded (%u/%u/%u), "
+					      "aborting oldest query",
+					      isc_quota_getused(
+						      client->recursionquota),
+					      isc_quota_getsoft(
+						      client->recursionquota),
+					      isc_quota_getmax(
+						      client->recursionquota));
+			}
+			ns_client_killoldestquery(client);
+			result = ISC_R_SUCCESS;
+		} else if (result == ISC_R_QUOTA) {
+			isc_stdtime_t now;
+			isc_stdtime_get(&now);
+			if (now != atomic_load_relaxed(&last_hard)) {
+				ns_server_t *sctx = client->sctx;
+				atomic_store_relaxed(&last_hard, now);
+				ns_client_log(
+					client, NS_LOGCATEGORY_CLIENT,
+					NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
+					"no more recursive clients "
+					"(%u/%u/%u): %s",
+					isc_quota_getused(
+						&sctx->recursionquota),
+					isc_quota_getsoft(
+						&sctx->recursionquota),
+					isc_quota_getmax(&sctx->recursionquota),
+					isc_result_totext(result));
+			}
+			ns_client_killoldestquery(client);
+		}
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+
+		dns_message_clonebuffer(client->message);
+		ns_client_recursing(client);
+	}
+
+	/*
+	 * Invoke the resolver.
+	 */
+	REQUIRE(nameservers == NULL || nameservers->type == dns_rdatatype_ns);
+	REQUIRE(client->query.fetch == NULL);
+
+	rdataset = ns_client_newrdataset(client);
+	if (rdataset == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	if (WANTDNSSEC(client)) {
+		sigrdataset = ns_client_newrdataset(client);
+		if (sigrdataset == NULL) {
+			ns_client_putrdataset(client, &rdataset);
+			return (ISC_R_NOMEMORY);
+		}
+	} else {
+		sigrdataset = NULL;
+	}
+
+	if (!client->query.timerset) {
+		ns_client_settimeout(client, 60);
+	}
+
+	if (!TCP(client)) {
+		peeraddr = &client->peeraddr;
+	}
+
+	if (client->view->staleanswerclienttimeout > 0 &&
+	    client->view->staleanswerclienttimeout != (uint32_t)-1 &&
+	    dns_view_staleanswerenabled(client->view))
+	{
+		client->query.fetchoptions |= DNS_FETCHOPT_TRYSTALE_ONTIMEOUT;
+	}
+
+	isc_nmhandle_attach(client->handle, &client->fetchhandle);
+	result = dns_resolver_createfetch(
+		client->view->resolver, qname, qtype, qdomain, nameservers,
+		NULL, peeraddr, client->message->id, client->query.fetchoptions,
+		0, NULL, client->task, fetch_callback, client, rdataset,
+		sigrdataset, &client->query.fetch);
+	if (result != ISC_R_SUCCESS) {
+		isc_nmhandle_detach(&client->fetchhandle);
+		ns_client_putrdataset(client, &rdataset);
+		if (sigrdataset != NULL) {
+			ns_client_putrdataset(client, &sigrdataset);
+		}
+	}
+
+	/*
+	 * We're now waiting for a fetch event. A client which is
+	 * shutting down will not be destroyed until all the events
+	 * have been received.
+	 */
+
+	return (result);
+}
+
+/*%
+ * Restores the query context after resuming from recursion, and
+ * continues the query processing if needed.
+ */
+static isc_result_t
+query_resume(query_ctx_t *qctx) {
+	isc_result_t result;
+	dns_name_t *tname;
+	isc_buffer_t b;
+#ifdef WANT_QUERYTRACE
+	char mbuf[4 * DNS_NAME_FORMATSIZE];
+	char qbuf[DNS_NAME_FORMATSIZE];
+	char tbuf[DNS_RDATATYPE_FORMATSIZE];
+#endif /* ifdef WANT_QUERYTRACE */
+
+	CCTRACE(ISC_LOG_DEBUG(3), "query_resume");
+
+	CALL_HOOK(NS_QUERY_RESUME_BEGIN, qctx);
+
+	qctx->want_restart = false;
+
+	qctx->rpz_st = qctx->client->query.rpz_st;
+	if (qctx->rpz_st != NULL &&
+	    (qctx->rpz_st->state & DNS_RPZ_RECURSING) != 0)
+	{
+		CCTRACE(ISC_LOG_DEBUG(3), "resume from RPZ recursion");
+#ifdef WANT_QUERYTRACE
+		{
+			char pbuf[DNS_NAME_FORMATSIZE] = "<unset>";
+			char fbuf[DNS_NAME_FORMATSIZE] = "<unset>";
+			if (qctx->rpz_st->r_name != NULL) {
+				dns_name_format(qctx->rpz_st->r_name, qbuf,
+						sizeof(qbuf));
+			} else {
+				snprintf(qbuf, sizeof(qbuf), "<unset>");
+			}
+			if (qctx->rpz_st->p_name != NULL) {
+				dns_name_format(qctx->rpz_st->p_name, pbuf,
+						sizeof(pbuf));
+			}
+			if (qctx->rpz_st->fname != NULL) {
+				dns_name_format(qctx->rpz_st->fname, fbuf,
+						sizeof(fbuf));
+			}
+
+			snprintf(mbuf, sizeof(mbuf) - 1,
+				 "rpz rname:%s, pname:%s, qctx->fname:%s", qbuf,
+				 pbuf, fbuf);
+			CCTRACE(ISC_LOG_DEBUG(3), mbuf);
+		}
+#endif /* ifdef WANT_QUERYTRACE */
+
+		qctx->is_zone = qctx->rpz_st->q.is_zone;
+		qctx->authoritative = qctx->rpz_st->q.authoritative;
+		RESTORE(qctx->zone, qctx->rpz_st->q.zone);
+		RESTORE(qctx->node, qctx->rpz_st->q.node);
+		RESTORE(qctx->db, qctx->rpz_st->q.db);
+		RESTORE(qctx->rdataset, qctx->rpz_st->q.rdataset);
+		RESTORE(qctx->sigrdataset, qctx->rpz_st->q.sigrdataset);
+		qctx->qtype = qctx->rpz_st->q.qtype;
+
+		if (qctx->event->node != NULL) {
+			dns_db_detachnode(qctx->event->db, &qctx->event->node);
+		}
+		SAVE(qctx->rpz_st->r.db, qctx->event->db);
+		qctx->rpz_st->r.r_type = qctx->event->qtype;
+		SAVE(qctx->rpz_st->r.r_rdataset, qctx->event->rdataset);
+		ns_client_putrdataset(qctx->client, &qctx->event->sigrdataset);
+	} else if (REDIRECT(qctx->client)) {
+		/*
+		 * Restore saved state.
+		 */
+		CCTRACE(ISC_LOG_DEBUG(3), "resume from redirect recursion");
+#ifdef WANT_QUERYTRACE
+		dns_name_format(qctx->client->query.redirect.fname, qbuf,
+				sizeof(qbuf));
+		dns_rdatatype_format(qctx->client->query.redirect.qtype, tbuf,
+				     sizeof(tbuf));
+		snprintf(mbuf, sizeof(mbuf) - 1,
+			 "redirect qctx->fname:%s, qtype:%s, auth:%d", qbuf,
+			 tbuf, qctx->client->query.redirect.authoritative);
+		CCTRACE(ISC_LOG_DEBUG(3), mbuf);
+#endif /* ifdef WANT_QUERYTRACE */
+		qctx->qtype = qctx->client->query.redirect.qtype;
+		INSIST(qctx->client->query.redirect.rdataset != NULL);
+		RESTORE(qctx->rdataset, qctx->client->query.redirect.rdataset);
+		RESTORE(qctx->sigrdataset,
+			qctx->client->query.redirect.sigrdataset);
+		RESTORE(qctx->db, qctx->client->query.redirect.db);
+		RESTORE(qctx->node, qctx->client->query.redirect.node);
+		RESTORE(qctx->zone, qctx->client->query.redirect.zone);
+		qctx->authoritative =
+			qctx->client->query.redirect.authoritative;
+
+		/*
+		 * Free resources used while recursing.
+		 */
+		ns_client_putrdataset(qctx->client, &qctx->event->rdataset);
+		ns_client_putrdataset(qctx->client, &qctx->event->sigrdataset);
+		if (qctx->event->node != NULL) {
+			dns_db_detachnode(qctx->event->db, &qctx->event->node);
+		}
+		if (qctx->event->db != NULL) {
+			dns_db_detach(&qctx->event->db);
+		}
+	} else {
+		CCTRACE(ISC_LOG_DEBUG(3), "resume from normal recursion");
+		qctx->authoritative = false;
+
+		qctx->qtype = qctx->event->qtype;
+		SAVE(qctx->db, qctx->event->db);
+		SAVE(qctx->node, qctx->event->node);
+		SAVE(qctx->rdataset, qctx->event->rdataset);
+		SAVE(qctx->sigrdataset, qctx->event->sigrdataset);
+	}
+	INSIST(qctx->rdataset != NULL);
+
+	if (qctx->qtype == dns_rdatatype_rrsig ||
+	    qctx->qtype == dns_rdatatype_sig)
+	{
+		qctx->type = dns_rdatatype_any;
+	} else {
+		qctx->type = qctx->qtype;
+	}
+
+	CALL_HOOK(NS_QUERY_RESUME_RESTORED, qctx);
+
+	if (DNS64(qctx->client)) {
+		qctx->client->query.attributes &= ~NS_QUERYATTR_DNS64;
+		qctx->dns64 = true;
+	}
+
+	if (DNS64EXCLUDE(qctx->client)) {
+		qctx->client->query.attributes &= ~NS_QUERYATTR_DNS64EXCLUDE;
+		qctx->dns64_exclude = true;
+	}
+
+	if (qctx->rpz_st != NULL &&
+	    (qctx->rpz_st->state & DNS_RPZ_RECURSING) != 0)
+	{
+		/*
+		 * Has response policy changed out from under us?
+		 */
+		if (qctx->rpz_st->rpz_ver != qctx->view->rpzs->rpz_ver) {
+			ns_client_log(qctx->client, NS_LOGCATEGORY_CLIENT,
+				      NS_LOGMODULE_QUERY, DNS_RPZ_INFO_LEVEL,
+				      "query_resume: RPZ settings "
+				      "out of date "
+				      "(rpz_ver %d, expected %d)",
+				      qctx->view->rpzs->rpz_ver,
+				      qctx->rpz_st->rpz_ver);
+			QUERY_ERROR(qctx, DNS_R_SERVFAIL);
+			return (ns_query_done(qctx));
+		}
+	}
+
+	/*
+	 * We'll need some resources...
+	 */
+	qctx->dbuf = ns_client_getnamebuf(qctx->client);
+	if (qctx->dbuf == NULL) {
+		CCTRACE(ISC_LOG_ERROR, "query_resume: ns_client_getnamebuf "
+				       "failed (1)");
+		QUERY_ERROR(qctx, ISC_R_NOMEMORY);
+		return (ns_query_done(qctx));
+	}
+
+	qctx->fname = ns_client_newname(qctx->client, qctx->dbuf, &b);
+	if (qctx->fname == NULL) {
+		CCTRACE(ISC_LOG_ERROR, "query_resume: ns_client_newname failed "
+				       "(1)");
+		QUERY_ERROR(qctx, ISC_R_NOMEMORY);
+		return (ns_query_done(qctx));
+	}
+
+	if (qctx->rpz_st != NULL &&
+	    (qctx->rpz_st->state & DNS_RPZ_RECURSING) != 0)
+	{
+		tname = qctx->rpz_st->fname;
+	} else if (REDIRECT(qctx->client)) {
+		tname = qctx->client->query.redirect.fname;
+	} else {
+		tname = dns_fixedname_name(&qctx->event->foundname);
+	}
+
+	dns_name_copynf(tname, qctx->fname);
+
+	if (qctx->rpz_st != NULL &&
+	    (qctx->rpz_st->state & DNS_RPZ_RECURSING) != 0)
+	{
+		qctx->rpz_st->r.r_result = qctx->event->result;
+		result = qctx->rpz_st->q.result;
+		free_devent(qctx->client, ISC_EVENT_PTR(&qctx->event),
+			    &qctx->event);
+	} else if (REDIRECT(qctx->client)) {
+		result = qctx->client->query.redirect.result;
+	} else {
+		result = qctx->event->result;
+	}
+
+	qctx->resuming = true;
+
+	return (query_gotanswer(qctx, result));
+
+cleanup:
+	return (result);
+}
+
+/*%
+ * If the query is recursive, check the SERVFAIL cache to see whether
+ * identical queries have failed recently.  If we find a match, and it was
+ * from a query with CD=1, *or* if the current query has CD=0, then we just
+ * return SERVFAIL again.  This prevents a validation failure from eliciting a
+ * SERVFAIL response to a CD=1 query.
+ */
+isc_result_t
+ns__query_sfcache(query_ctx_t *qctx) {
+	bool failcache;
+	uint32_t flags;
+
+	/*
+	 * The SERVFAIL cache doesn't apply to authoritative queries.
+	 */
+	if (!RECURSIONOK(qctx->client)) {
+		return (ISC_R_COMPLETE);
+	}
+
+	flags = 0;
+#ifdef ENABLE_AFL
+	if (qctx->client->sctx->fuzztype == isc_fuzz_resolver) {
+		failcache = false;
+	} else {
+		failcache = dns_badcache_find(
+			qctx->view->failcache, qctx->client->query.qname,
+			qctx->qtype, &flags, &qctx->client->tnow);
+	}
+#else  /* ifdef ENABLE_AFL */
+	failcache = dns_badcache_find(qctx->view->failcache,
+				      qctx->client->query.qname, qctx->qtype,
+				      &flags, &qctx->client->tnow);
+#endif /* ifdef ENABLE_AFL */
+	if (failcache &&
+	    (((flags & NS_FAILCACHE_CD) != 0) ||
+	     ((qctx->client->message->flags & DNS_MESSAGEFLAG_CD) == 0)))
+	{
+		if (isc_log_wouldlog(ns_lctx, ISC_LOG_DEBUG(1))) {
+			char namebuf[DNS_NAME_FORMATSIZE];
+			char typebuf[DNS_RDATATYPE_FORMATSIZE];
+
+			dns_name_format(qctx->client->query.qname, namebuf,
+					sizeof(namebuf));
+			dns_rdatatype_format(qctx->qtype, typebuf,
+					     sizeof(typebuf));
+			ns_client_log(qctx->client, NS_LOGCATEGORY_CLIENT,
+				      NS_LOGMODULE_QUERY, ISC_LOG_DEBUG(1),
+				      "servfail cache hit %s/%s (%s)", namebuf,
+				      typebuf,
+				      ((flags & NS_FAILCACHE_CD) != 0) ? "CD=1"
+								       : "CD="
+									 "0");
+		}
+
+		qctx->client->attributes |= NS_CLIENTATTR_NOSETFC;
+		QUERY_ERROR(qctx, DNS_R_SERVFAIL);
+		return (ns_query_done(qctx));
+	}
+
+	return (ISC_R_COMPLETE);
+}
+
+/*%
+ * Handle response rate limiting (RRL).
+ */
+static isc_result_t
+query_checkrrl(query_ctx_t *qctx, isc_result_t result) {
+	/*
+	 * Rate limit these responses to this client.
+	 * Do not delay counting and handling obvious referrals,
+	 *	since those won't come here again.
+	 * Delay handling delegations for which we are certain to recurse and
+	 *	return here (DNS_R_DELEGATION, not a child of one of our
+	 *	own zones, and recursion enabled)
+	 * Don't mess with responses rewritten by RPZ
+	 * Count each response at most once.
+	 */
+
+	/*
+	 * XXXMPA the rrl system tests fails sometimes and RRL_CHECKED
+	 * is set when we are called the second time preventing the
+	 * response being dropped.
+	 */
+	ns_client_log(
+		qctx->client, DNS_LOGCATEGORY_RRL, NS_LOGMODULE_QUERY,
+		ISC_LOG_DEBUG(99),
+		"rrl=%p, HAVECOOKIE=%u, result=%s, "
+		"fname=%p(%u), is_zone=%u, RECURSIONOK=%u, "
+		"query.rpz_st=%p(%u), RRL_CHECKED=%u\n",
+		qctx->client->view->rrl, HAVECOOKIE(qctx->client),
+		isc_result_toid(result), qctx->fname,
+		qctx->fname != NULL ? dns_name_isabsolute(qctx->fname) : 0,
+		qctx->is_zone, RECURSIONOK(qctx->client),
+		qctx->client->query.rpz_st,
+		qctx->client->query.rpz_st != NULL
+			? ((qctx->client->query.rpz_st->state &
+			    DNS_RPZ_REWRITTEN) != 0)
+			: 0,
+		(qctx->client->query.attributes & NS_QUERYATTR_RRL_CHECKED) !=
+			0);
+
+	if (qctx->view->rrl != NULL && !HAVECOOKIE(qctx->client) &&
+	    ((qctx->fname != NULL && dns_name_isabsolute(qctx->fname)) ||
+	     (result == ISC_R_NOTFOUND && !RECURSIONOK(qctx->client))) &&
+	    !(result == DNS_R_DELEGATION && !qctx->is_zone &&
+	      RECURSIONOK(qctx->client)) &&
+	    (qctx->client->query.rpz_st == NULL ||
+	     (qctx->client->query.rpz_st->state & DNS_RPZ_REWRITTEN) == 0) &&
+	    (qctx->client->query.attributes & NS_QUERYATTR_RRL_CHECKED) == 0)
+	{
+		dns_rdataset_t nc_rdataset;
+		bool wouldlog;
+		dns_fixedname_t fixed;
+		const dns_name_t *constname;
+		char log_buf[DNS_RRL_LOG_BUF_LEN];
+		isc_result_t nc_result, resp_result;
+		dns_rrl_result_t rrl_result;
+
+		qctx->client->query.attributes |= NS_QUERYATTR_RRL_CHECKED;
+
+		wouldlog = isc_log_wouldlog(ns_lctx, DNS_RRL_LOG_DROP);
+		constname = qctx->fname;
+		if (result == DNS_R_NXDOMAIN) {
+			/*
+			 * Use the database origin name to rate limit NXDOMAIN
+			 */
+			if (qctx->db != NULL) {
+				constname = dns_db_origin(qctx->db);
+			}
+			resp_result = result;
+		} else if (result == DNS_R_NCACHENXDOMAIN &&
+			   qctx->rdataset != NULL &&
+			   dns_rdataset_isassociated(qctx->rdataset) &&
+			   (qctx->rdataset->attributes &
+			    DNS_RDATASETATTR_NEGATIVE) != 0)
+		{
+			/*
+			 * Try to use owner name in the negative cache SOA.
+			 */
+			dns_fixedname_init(&fixed);
+			dns_rdataset_init(&nc_rdataset);
+			for (nc_result = dns_rdataset_first(qctx->rdataset);
+			     nc_result == ISC_R_SUCCESS;
+			     nc_result = dns_rdataset_next(qctx->rdataset))
+			{
+				dns_ncache_current(qctx->rdataset,
+						   dns_fixedname_name(&fixed),
+						   &nc_rdataset);
+				if (nc_rdataset.type == dns_rdatatype_soa) {
+					dns_rdataset_disassociate(&nc_rdataset);
+					constname = dns_fixedname_name(&fixed);
+					break;
+				}
+				dns_rdataset_disassociate(&nc_rdataset);
+			}
+			resp_result = DNS_R_NXDOMAIN;
+		} else if (result == DNS_R_NXRRSET || result == DNS_R_EMPTYNAME)
+		{
+			resp_result = DNS_R_NXRRSET;
+		} else if (result == DNS_R_DELEGATION) {
+			resp_result = result;
+		} else if (result == ISC_R_NOTFOUND) {
+			/*
+			 * Handle referral to ".", including when recursion
+			 * is off or not requested and the hints have not
+			 * been loaded or we have "additional-from-cache no".
+			 */
+			constname = dns_rootname;
+			resp_result = DNS_R_DELEGATION;
+		} else {
+			resp_result = ISC_R_SUCCESS;
+		}
+
+		rrl_result = dns_rrl(
+			qctx->view, qctx->zone, &qctx->client->peeraddr,
+			TCP(qctx->client), qctx->client->message->rdclass,
+			qctx->qtype, constname, resp_result, qctx->client->now,
+			wouldlog, log_buf, sizeof(log_buf));
+		if (rrl_result != DNS_RRL_RESULT_OK) {
+			/*
+			 * Log dropped or slipped responses in the query
+			 * category so that requests are not silently lost.
+			 * Starts of rate-limited bursts are logged in
+			 * DNS_LOGCATEGORY_RRL.
+			 *
+			 * Dropped responses are counted with dropped queries
+			 * in QryDropped while slipped responses are counted
+			 * with other truncated responses in RespTruncated.
+			 */
+			if (wouldlog) {
+				ns_client_log(qctx->client, DNS_LOGCATEGORY_RRL,
+					      NS_LOGMODULE_QUERY,
+					      DNS_RRL_LOG_DROP, "%s", log_buf);
+			}
+
+			if (!qctx->view->rrl->log_only) {
+				if (rrl_result == DNS_RRL_RESULT_DROP) {
+					/*
+					 * These will also be counted in
+					 * ns_statscounter_dropped
+					 */
+					inc_stats(qctx->client,
+						  ns_statscounter_ratedropped);
+					QUERY_ERROR(qctx, DNS_R_DROP);
+				} else {
+					/*
+					 * These will also be counted in
+					 * ns_statscounter_truncatedresp
+					 */
+					inc_stats(qctx->client,
+						  ns_statscounter_rateslipped);
+					if (WANTCOOKIE(qctx->client)) {
+						qctx->client->message->flags &=
+							~DNS_MESSAGEFLAG_AA;
+						qctx->client->message->flags &=
+							~DNS_MESSAGEFLAG_AD;
+						qctx->client->message->rcode =
+							dns_rcode_badcookie;
+					} else {
+						qctx->client->message->flags |=
+							DNS_MESSAGEFLAG_TC;
+						if (resp_result ==
+						    DNS_R_NXDOMAIN)
+						{
+							qctx->client->message
+								->rcode =
+								dns_rcode_nxdomain;
+						}
+					}
+				}
+				return (DNS_R_DROP);
+			}
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Do any RPZ rewriting that may be needed for this query.
+ */
+static isc_result_t
+query_checkrpz(query_ctx_t *qctx, isc_result_t result) {
+	isc_result_t rresult;
+
+	CCTRACE(ISC_LOG_DEBUG(3), "query_checkrpz");
+
+	rresult = rpz_rewrite(qctx->client, qctx->qtype, result, qctx->resuming,
+			      qctx->rdataset, qctx->sigrdataset);
+	qctx->rpz_st = qctx->client->query.rpz_st;
+	switch (rresult) {
+	case ISC_R_SUCCESS:
+		break;
+	case ISC_R_NOTFOUND:
+	case DNS_R_DISALLOWED:
+		return (result);
+	case DNS_R_DELEGATION:
+		/*
+		 * recursing for NS names or addresses,
+		 * so save the main query state
+		 */
+		INSIST(!RECURSING(qctx->client));
+		qctx->rpz_st->q.qtype = qctx->qtype;
+		qctx->rpz_st->q.is_zone = qctx->is_zone;
+		qctx->rpz_st->q.authoritative = qctx->authoritative;
+		SAVE(qctx->rpz_st->q.zone, qctx->zone);
+		SAVE(qctx->rpz_st->q.db, qctx->db);
+		SAVE(qctx->rpz_st->q.node, qctx->node);
+		SAVE(qctx->rpz_st->q.rdataset, qctx->rdataset);
+		SAVE(qctx->rpz_st->q.sigrdataset, qctx->sigrdataset);
+		dns_name_copynf(qctx->fname, qctx->rpz_st->fname);
+		qctx->rpz_st->q.result = result;
+		qctx->client->query.attributes |= NS_QUERYATTR_RECURSING;
+		return (ISC_R_COMPLETE);
+	default:
+		QUERY_ERROR(qctx, rresult);
+		return (ISC_R_COMPLETE);
+	}
+
+	if (qctx->rpz_st->m.policy != DNS_RPZ_POLICY_MISS) {
+		qctx->rpz_st->state |= DNS_RPZ_REWRITTEN;
+	}
+
+	if (qctx->rpz_st->m.policy != DNS_RPZ_POLICY_MISS &&
+	    qctx->rpz_st->m.policy != DNS_RPZ_POLICY_PASSTHRU &&
+	    (qctx->rpz_st->m.policy != DNS_RPZ_POLICY_TCP_ONLY ||
+	     !TCP(qctx->client)) &&
+	    qctx->rpz_st->m.policy != DNS_RPZ_POLICY_ERROR)
+	{
+		/*
+		 * We got a hit and are going to answer with our
+		 * fiction. Ensure that we answer with the name
+		 * we looked up even if we were stopped short
+		 * in recursion or for a deferral.
+		 */
+		dns_name_copynf(qctx->client->query.qname, qctx->fname);
+		rpz_clean(&qctx->zone, &qctx->db, &qctx->node, NULL);
+		if (qctx->rpz_st->m.rdataset != NULL) {
+			ns_client_putrdataset(qctx->client, &qctx->rdataset);
+			RESTORE(qctx->rdataset, qctx->rpz_st->m.rdataset);
+		} else {
+			qctx_clean(qctx);
+		}
+		qctx->version = NULL;
+
+		RESTORE(qctx->node, qctx->rpz_st->m.node);
+		RESTORE(qctx->db, qctx->rpz_st->m.db);
+		RESTORE(qctx->version, qctx->rpz_st->m.version);
+		RESTORE(qctx->zone, qctx->rpz_st->m.zone);
+
+		/*
+		 * Add SOA record to additional section
+		 */
+		if (qctx->rpz_st->m.rpz->addsoa) {
+			bool override_ttl =
+				dns_rdataset_isassociated(qctx->rdataset);
+			rresult = query_addsoa(qctx, override_ttl,
+					       DNS_SECTION_ADDITIONAL);
+			if (rresult != ISC_R_SUCCESS) {
+				QUERY_ERROR(qctx, result);
+				return (ISC_R_COMPLETE);
+			}
+		}
+
+		switch (qctx->rpz_st->m.policy) {
+		case DNS_RPZ_POLICY_TCP_ONLY:
+			qctx->client->message->flags |= DNS_MESSAGEFLAG_TC;
+			if (result == DNS_R_NXDOMAIN ||
+			    result == DNS_R_NCACHENXDOMAIN)
+			{
+				qctx->client->message->rcode =
+					dns_rcode_nxdomain;
+			}
+			rpz_log_rewrite(qctx->client, false,
+					qctx->rpz_st->m.policy,
+					qctx->rpz_st->m.type, qctx->zone,
+					qctx->rpz_st->p_name, NULL,
+					qctx->rpz_st->m.rpz->num);
+			return (ISC_R_COMPLETE);
+		case DNS_RPZ_POLICY_DROP:
+			QUERY_ERROR(qctx, DNS_R_DROP);
+			rpz_log_rewrite(qctx->client, false,
+					qctx->rpz_st->m.policy,
+					qctx->rpz_st->m.type, qctx->zone,
+					qctx->rpz_st->p_name, NULL,
+					qctx->rpz_st->m.rpz->num);
+			return (ISC_R_COMPLETE);
+		case DNS_RPZ_POLICY_NXDOMAIN:
+			result = DNS_R_NXDOMAIN;
+			qctx->nxrewrite = true;
+			qctx->rpz = true;
+			break;
+		case DNS_RPZ_POLICY_NODATA:
+			qctx->nxrewrite = true;
+			FALLTHROUGH;
+		case DNS_RPZ_POLICY_DNS64:
+			result = DNS_R_NXRRSET;
+			qctx->rpz = true;
+			break;
+		case DNS_RPZ_POLICY_RECORD:
+			result = qctx->rpz_st->m.result;
+			if (qctx->qtype == dns_rdatatype_any &&
+			    result != DNS_R_CNAME)
+			{
+				/*
+				 * We will add all of the rdatasets of
+				 * the node by iterating later,
+				 * and set the TTL then.
+				 */
+				if (dns_rdataset_isassociated(qctx->rdataset)) {
+					dns_rdataset_disassociate(
+						qctx->rdataset);
+				}
+			} else {
+				/*
+				 * We will add this rdataset.
+				 */
+				qctx->rdataset->ttl =
+					ISC_MIN(qctx->rdataset->ttl,
+						qctx->rpz_st->m.ttl);
+			}
+			qctx->rpz = true;
+			break;
+		case DNS_RPZ_POLICY_WILDCNAME: {
+			dns_rdata_t rdata = DNS_RDATA_INIT;
+			dns_rdata_cname_t cname;
+			result = dns_rdataset_first(qctx->rdataset);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			dns_rdataset_current(qctx->rdataset, &rdata);
+			result = dns_rdata_tostruct(&rdata, &cname, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			dns_rdata_reset(&rdata);
+			result = query_rpzcname(qctx, &cname.cname);
+			if (result != ISC_R_SUCCESS) {
+				return (ISC_R_COMPLETE);
+			}
+			qctx->fname = NULL;
+			qctx->want_restart = true;
+			return (ISC_R_COMPLETE);
+		}
+		case DNS_RPZ_POLICY_CNAME:
+			/*
+			 * Add overriding CNAME from a named.conf
+			 * response-policy statement
+			 */
+			result = query_rpzcname(qctx,
+						&qctx->rpz_st->m.rpz->cname);
+			if (result != ISC_R_SUCCESS) {
+				return (ISC_R_COMPLETE);
+			}
+			qctx->fname = NULL;
+			qctx->want_restart = true;
+			return (ISC_R_COMPLETE);
+		default:
+			UNREACHABLE();
+		}
+
+		/*
+		 * Turn off DNSSEC because the results of a
+		 * response policy zone cannot verify.
+		 */
+		qctx->client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC |
+					      NS_CLIENTATTR_WANTAD);
+		qctx->client->message->flags &= ~DNS_MESSAGEFLAG_AD;
+		ns_client_putrdataset(qctx->client, &qctx->sigrdataset);
+		qctx->rpz_st->q.is_zone = qctx->is_zone;
+		qctx->is_zone = true;
+		rpz_log_rewrite(qctx->client, false, qctx->rpz_st->m.policy,
+				qctx->rpz_st->m.type, qctx->zone,
+				qctx->rpz_st->p_name, NULL,
+				qctx->rpz_st->m.rpz->num);
+	}
+
+	return (result);
+}
+
+/*%
+ * Add a CNAME to a query response, including translating foo.evil.com and
+ *	*.evil.com CNAME *.example.com
+ * to
+ *	foo.evil.com CNAME foo.evil.com.example.com
+ */
+static isc_result_t
+query_rpzcname(query_ctx_t *qctx, dns_name_t *cname) {
+	ns_client_t *client;
+	dns_fixedname_t prefix, suffix;
+	unsigned int labels;
+	isc_result_t result;
+
+	REQUIRE(qctx != NULL && qctx->client != NULL);
+
+	client = qctx->client;
+
+	CTRACE(ISC_LOG_DEBUG(3), "query_rpzcname");
+
+	labels = dns_name_countlabels(cname);
+	if (labels > 2 && dns_name_iswildcard(cname)) {
+		dns_fixedname_init(&prefix);
+		dns_name_split(client->query.qname, 1,
+			       dns_fixedname_name(&prefix), NULL);
+		dns_fixedname_init(&suffix);
+		dns_name_split(cname, labels - 1, NULL,
+			       dns_fixedname_name(&suffix));
+		result = dns_name_concatenate(dns_fixedname_name(&prefix),
+					      dns_fixedname_name(&suffix),
+					      qctx->fname, NULL);
+		if (result == DNS_R_NAMETOOLONG) {
+			client->message->rcode = dns_rcode_yxdomain;
+		} else if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	} else {
+		dns_name_copynf(cname, qctx->fname);
+	}
+
+	ns_client_keepname(client, qctx->fname, qctx->dbuf);
+	result = query_addcname(qctx, dns_trust_authanswer,
+				qctx->rpz_st->m.ttl);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	rpz_log_rewrite(client, false, qctx->rpz_st->m.policy,
+			qctx->rpz_st->m.type, qctx->rpz_st->m.zone,
+			qctx->rpz_st->p_name, qctx->fname,
+			qctx->rpz_st->m.rpz->num);
+
+	ns_client_qnamereplace(client, qctx->fname);
+
+	/*
+	 * Turn off DNSSEC because the results of a
+	 * response policy zone cannot verify.
+	 */
+	client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC |
+				NS_CLIENTATTR_WANTAD);
+
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Check the configured trust anchors for a root zone trust anchor
+ * with a key id that matches qctx->client->query.root_key_sentinel_keyid.
+ *
+ * Return true when found, otherwise return false.
+ */
+static bool
+has_ta(query_ctx_t *qctx) {
+	dns_keytable_t *keytable = NULL;
+	dns_keynode_t *keynode = NULL;
+	dns_rdataset_t dsset;
+	dns_keytag_t sentinel = qctx->client->query.root_key_sentinel_keyid;
+	isc_result_t result;
+
+	result = dns_view_getsecroots(qctx->view, &keytable);
+	if (result != ISC_R_SUCCESS) {
+		return (false);
+	}
+
+	result = dns_keytable_find(keytable, dns_rootname, &keynode);
+	if (result != ISC_R_SUCCESS) {
+		if (keynode != NULL) {
+			dns_keytable_detachkeynode(keytable, &keynode);
+		}
+		dns_keytable_detach(&keytable);
+		return (false);
+	}
+
+	dns_rdataset_init(&dsset);
+	if (dns_keynode_dsset(keynode, &dsset)) {
+		for (result = dns_rdataset_first(&dsset);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&dsset))
+		{
+			dns_rdata_t rdata = DNS_RDATA_INIT;
+			dns_rdata_ds_t ds;
+
+			dns_rdata_reset(&rdata);
+			dns_rdataset_current(&dsset, &rdata);
+			result = dns_rdata_tostruct(&rdata, &ds, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			if (ds.key_tag == sentinel) {
+				dns_keytable_detachkeynode(keytable, &keynode);
+				dns_keytable_detach(&keytable);
+				dns_rdataset_disassociate(&dsset);
+				return (true);
+			}
+		}
+		dns_rdataset_disassociate(&dsset);
+	}
+
+	if (keynode != NULL) {
+		dns_keytable_detachkeynode(keytable, &keynode);
+	}
+
+	dns_keytable_detach(&keytable);
+
+	return (false);
+}
+
+/*%
+ * Check if a root key sentinel SERVFAIL should be returned.
+ */
+static bool
+root_key_sentinel_return_servfail(query_ctx_t *qctx, isc_result_t result) {
+	/*
+	 * Are we looking at a "root-key-sentinel" query?
+	 */
+	if (!qctx->client->query.root_key_sentinel_is_ta &&
+	    !qctx->client->query.root_key_sentinel_not_ta)
+	{
+		return (false);
+	}
+
+	/*
+	 * We only care about the query if 'result' indicates we have a cached
+	 * answer.
+	 */
+	switch (result) {
+	case ISC_R_SUCCESS:
+	case DNS_R_CNAME:
+	case DNS_R_DNAME:
+	case DNS_R_NCACHENXDOMAIN:
+	case DNS_R_NCACHENXRRSET:
+		break;
+	default:
+		return (false);
+	}
+
+	/*
+	 * Do we meet the specified conditions to return SERVFAIL?
+	 */
+	if (!qctx->is_zone && qctx->rdataset->trust == dns_trust_secure &&
+	    ((qctx->client->query.root_key_sentinel_is_ta && !has_ta(qctx)) ||
+	     (qctx->client->query.root_key_sentinel_not_ta && has_ta(qctx))))
+	{
+		return (true);
+	}
+
+	/*
+	 * As special processing may only be triggered by the original QNAME,
+	 * disable it after following a CNAME/DNAME.
+	 */
+	qctx->client->query.root_key_sentinel_is_ta = false;
+	qctx->client->query.root_key_sentinel_not_ta = false;
+
+	return (false);
+}
+
+/*%
+ * If serving stale answers is allowed, set up 'qctx' to look for one and
+ * return true; otherwise, return false.
+ */
+static bool
+query_usestale(query_ctx_t *qctx, isc_result_t result) {
+	if ((qctx->client->query.dboptions & DNS_DBFIND_STALEOK) != 0) {
+		/*
+		 * Query was already using stale, if that didn't work the
+		 * last time, it won't work this time either.
+		 */
+		return (false);
+	}
+
+	if (qctx->refresh_rrset) {
+		/*
+		 * This is a refreshing query, we have already prioritized
+		 * stale data, so don't enable serve-stale again.
+		 */
+		return (false);
+	}
+
+	if (result == DNS_R_DUPLICATE || result == DNS_R_DROP ||
+	    result == ISC_R_ALREADYRUNNING)
+	{
+		/*
+		 * Don't enable serve-stale if the result signals a duplicate
+		 * query or a query that is being dropped or can't proceed
+		 * because of a recursion loop.
+		 */
+		return (false);
+	}
+
+	qctx_clean(qctx);
+	qctx_freedata(qctx);
+
+	if (dns_view_staleanswerenabled(qctx->client->view)) {
+		dns_db_attach(qctx->client->view->cachedb, &qctx->db);
+		qctx->version = NULL;
+		qctx->client->query.dboptions |= DNS_DBFIND_STALEOK;
+		if (qctx->client->query.fetch != NULL) {
+			dns_resolver_destroyfetch(&qctx->client->query.fetch);
+		}
+
+		/*
+		 * Start the stale-refresh-time window in case there was a
+		 * resolver query timeout.
+		 */
+		if (qctx->resuming && result == ISC_R_TIMEDOUT) {
+			qctx->client->query.dboptions |= DNS_DBFIND_STALESTART;
+		}
+		return (true);
+	}
+
+	return (false);
+}
+
+/*%
+ * Continue after doing a database lookup or returning from
+ * recursion, and call out to the next function depending on the
+ * result from the search.
+ */
+static isc_result_t
+query_gotanswer(query_ctx_t *qctx, isc_result_t res) {
+	isc_result_t result = res;
+	char errmsg[256];
+
+	CCTRACE(ISC_LOG_DEBUG(3), "query_gotanswer");
+
+	CALL_HOOK(NS_QUERY_GOT_ANSWER_BEGIN, qctx);
+
+	if (query_checkrrl(qctx, result) != ISC_R_SUCCESS) {
+		return (ns_query_done(qctx));
+	}
+
+	if (!dns_name_equal(qctx->client->query.qname, dns_rootname)) {
+		result = query_checkrpz(qctx, result);
+		if (result == ISC_R_NOTFOUND) {
+			/*
+			 * RPZ not configured for this view.
+			 */
+			goto root_key_sentinel;
+		}
+		if (RECURSING(qctx->client) && result == DNS_R_DISALLOWED) {
+			/*
+			 * We are recursing, and thus RPZ processing is not
+			 * allowed at the moment. This could happen on a
+			 * "stale-answer-client-timeout" lookup. In this case,
+			 * bail out and wait for recursion to complete, as we
+			 * we can't perform the RPZ rewrite rules.
+			 */
+			return (result);
+		}
+		if (result == ISC_R_COMPLETE) {
+			return (ns_query_done(qctx));
+		}
+	}
+
+root_key_sentinel:
+	/*
+	 * If required, handle special "root-key-sentinel-is-ta-<keyid>" and
+	 * "root-key-sentinel-not-ta-<keyid>" labels by returning SERVFAIL.
+	 */
+	if (root_key_sentinel_return_servfail(qctx, result)) {
+		/*
+		 * Don't record this response in the SERVFAIL cache.
+		 */
+		qctx->client->attributes |= NS_CLIENTATTR_NOSETFC;
+		QUERY_ERROR(qctx, DNS_R_SERVFAIL);
+		return (ns_query_done(qctx));
+	}
+
+	switch (result) {
+	case ISC_R_SUCCESS:
+		return (query_prepresponse(qctx));
+
+	case DNS_R_GLUE:
+	case DNS_R_ZONECUT:
+		INSIST(qctx->is_zone);
+		qctx->authoritative = false;
+		return (query_prepresponse(qctx));
+
+	case ISC_R_NOTFOUND:
+		return (query_notfound(qctx));
+
+	case DNS_R_DELEGATION:
+		return (query_delegation(qctx));
+
+	case DNS_R_EMPTYNAME:
+		return (query_nodata(qctx, DNS_R_EMPTYNAME));
+	case DNS_R_NXRRSET:
+		return (query_nodata(qctx, DNS_R_NXRRSET));
+
+	case DNS_R_EMPTYWILD:
+		return (query_nxdomain(qctx, true));
+
+	case DNS_R_NXDOMAIN:
+		return (query_nxdomain(qctx, false));
+
+	case DNS_R_COVERINGNSEC:
+		return (query_coveringnsec(qctx));
+
+	case DNS_R_NCACHENXDOMAIN:
+		result = query_redirect(qctx);
+		if (result != ISC_R_COMPLETE) {
+			return (result);
+		}
+		return (query_ncache(qctx, DNS_R_NCACHENXDOMAIN));
+
+	case DNS_R_NCACHENXRRSET:
+		return (query_ncache(qctx, DNS_R_NCACHENXRRSET));
+
+	case DNS_R_CNAME:
+		return (query_cname(qctx));
+
+	case DNS_R_DNAME:
+		return (query_dname(qctx));
+
+	default:
+		/*
+		 * Something has gone wrong.
+		 */
+		snprintf(errmsg, sizeof(errmsg) - 1,
+			 "query_gotanswer: unexpected error: %s",
+			 isc_result_totext(result));
+		CCTRACE(ISC_LOG_ERROR, errmsg);
+		if (query_usestale(qctx, result)) {
+			/*
+			 * If serve-stale is enabled, query_usestale() already
+			 * set up 'qctx' for looking up a stale response.
+			 */
+			return (query_lookup(qctx));
+		}
+
+		/*
+		 * Regardless of the triggering result, we definitely
+		 * want to return SERVFAIL from here.
+		 */
+		qctx->client->rcode_override = dns_rcode_servfail;
+
+		QUERY_ERROR(qctx, result);
+		return (ns_query_done(qctx));
+	}
+
+cleanup:
+	return (result);
+}
+
+static void
+query_addnoqnameproof(query_ctx_t *qctx) {
+	ns_client_t *client = qctx->client;
+	isc_buffer_t *dbuf, b;
+	dns_name_t *fname = NULL;
+	dns_rdataset_t *neg = NULL, *negsig = NULL;
+	isc_result_t result = ISC_R_NOMEMORY;
+
+	CTRACE(ISC_LOG_DEBUG(3), "query_addnoqnameproof");
+
+	if (qctx->noqname == NULL) {
+		return;
+	}
+
+	dbuf = ns_client_getnamebuf(client);
+	if (dbuf == NULL) {
+		goto cleanup;
+	}
+
+	fname = ns_client_newname(client, dbuf, &b);
+	neg = ns_client_newrdataset(client);
+	negsig = ns_client_newrdataset(client);
+	if (fname == NULL || neg == NULL || negsig == NULL) {
+		goto cleanup;
+	}
+
+	result = dns_rdataset_getnoqname(qctx->noqname, fname, neg, negsig);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	query_addrrset(qctx, &fname, &neg, &negsig, dbuf,
+		       DNS_SECTION_AUTHORITY);
+
+	if ((qctx->noqname->attributes & DNS_RDATASETATTR_CLOSEST) == 0) {
+		goto cleanup;
+	}
+
+	if (fname == NULL) {
+		dbuf = ns_client_getnamebuf(client);
+		if (dbuf == NULL) {
+			goto cleanup;
+		}
+		fname = ns_client_newname(client, dbuf, &b);
+	}
+
+	if (neg == NULL) {
+		neg = ns_client_newrdataset(client);
+	} else if (dns_rdataset_isassociated(neg)) {
+		dns_rdataset_disassociate(neg);
+	}
+
+	if (negsig == NULL) {
+		negsig = ns_client_newrdataset(client);
+	} else if (dns_rdataset_isassociated(negsig)) {
+		dns_rdataset_disassociate(negsig);
+	}
+
+	if (fname == NULL || neg == NULL || negsig == NULL) {
+		goto cleanup;
+	}
+	result = dns_rdataset_getclosest(qctx->noqname, fname, neg, negsig);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	query_addrrset(qctx, &fname, &neg, &negsig, dbuf,
+		       DNS_SECTION_AUTHORITY);
+
+cleanup:
+	if (neg != NULL) {
+		ns_client_putrdataset(client, &neg);
+	}
+	if (negsig != NULL) {
+		ns_client_putrdataset(client, &negsig);
+	}
+	if (fname != NULL) {
+		ns_client_releasename(client, &fname);
+	}
+}
+
+/*%
+ * Build the response for a query for type ANY.
+ */
+static isc_result_t
+query_respond_any(query_ctx_t *qctx) {
+	bool found = false, hidden = false;
+	dns_rdatasetiter_t *rdsiter = NULL;
+	isc_result_t result;
+	dns_rdatatype_t onetype = 0; /* type to use for minimal-any */
+	isc_buffer_t b;
+
+	CCTRACE(ISC_LOG_DEBUG(3), "query_respond_any");
+
+	CALL_HOOK(NS_QUERY_RESPOND_ANY_BEGIN, qctx);
+
+	result = dns_db_allrdatasets(qctx->db, qctx->node, qctx->version, 0, 0,
+				     &rdsiter);
+	if (result != ISC_R_SUCCESS) {
+		CCTRACE(ISC_LOG_ERROR, "query_respond_any: allrdatasets "
+				       "failed");
+		QUERY_ERROR(qctx, result);
+		return (ns_query_done(qctx));
+	}
+
+	/*
+	 * Calling query_addrrset() with a non-NULL dbuf is going
+	 * to either keep or release the name.  We don't want it to
+	 * release fname, since we may have to call query_addrrset()
+	 * more than once.  That means we have to call ns_client_keepname()
+	 * now, and pass a NULL dbuf to query_addrrset().
+	 *
+	 * If we do a query_addrrset() below, we must set qctx->fname to
+	 * NULL before leaving this block, otherwise we might try to
+	 * cleanup qctx->fname even though we're using it!
+	 */
+	ns_client_keepname(qctx->client, qctx->fname, qctx->dbuf);
+	qctx->tname = qctx->fname;
+
+	result = dns_rdatasetiter_first(rdsiter);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdatasetiter_current(rdsiter, qctx->rdataset);
+
+		/*
+		 * We found an NS RRset; no need to add one later.
+		 */
+		if (qctx->qtype == dns_rdatatype_any &&
+		    qctx->rdataset->type == dns_rdatatype_ns)
+		{
+			qctx->answer_has_ns = true;
+		}
+
+		/*
+		 * Note: if we're in this function, then qctx->type
+		 * is guaranteed to be ANY, but qctx->qtype (i.e. the
+		 * original type requested) might have been RRSIG or
+		 * SIG; we need to check for that.
+		 */
+		if (qctx->is_zone && qctx->qtype == dns_rdatatype_any &&
+		    !dns_db_issecure(qctx->db) &&
+		    dns_rdatatype_isdnssec(qctx->rdataset->type))
+		{
+			/*
+			 * The zone may be transitioning from insecure
+			 * to secure. Hide DNSSEC records from ANY queries.
+			 */
+			dns_rdataset_disassociate(qctx->rdataset);
+			hidden = true;
+		} else if (qctx->view->minimal_any && !TCP(qctx->client) &&
+			   !WANTDNSSEC(qctx->client) &&
+			   qctx->qtype == dns_rdatatype_any &&
+			   (qctx->rdataset->type == dns_rdatatype_sig ||
+			    qctx->rdataset->type == dns_rdatatype_rrsig))
+		{
+			CCTRACE(ISC_LOG_DEBUG(5), "query_respond_any: "
+						  "minimal-any skip signature");
+			dns_rdataset_disassociate(qctx->rdataset);
+		} else if (qctx->view->minimal_any && !TCP(qctx->client) &&
+			   onetype != 0 && qctx->rdataset->type != onetype &&
+			   qctx->rdataset->covers != onetype)
+		{
+			CCTRACE(ISC_LOG_DEBUG(5), "query_respond_any: "
+						  "minimal-any skip rdataset");
+			dns_rdataset_disassociate(qctx->rdataset);
+		} else if ((qctx->qtype == dns_rdatatype_any ||
+			    qctx->rdataset->type == qctx->qtype) &&
+			   qctx->rdataset->type != 0)
+		{
+			if (NOQNAME(qctx->rdataset) && WANTDNSSEC(qctx->client))
+			{
+				qctx->noqname = qctx->rdataset;
+			} else {
+				qctx->noqname = NULL;
+			}
+
+			qctx->rpz_st = qctx->client->query.rpz_st;
+			if (qctx->rpz_st != NULL) {
+				qctx->rdataset->ttl =
+					ISC_MIN(qctx->rdataset->ttl,
+						qctx->rpz_st->m.ttl);
+			}
+
+			if (!qctx->is_zone && RECURSIONOK(qctx->client)) {
+				dns_name_t *name;
+				name = (qctx->fname != NULL) ? qctx->fname
+							     : qctx->tname;
+				query_prefetch(qctx->client, name,
+					       qctx->rdataset);
+			}
+
+			/*
+			 * Remember the first RRtype we find so we
+			 * can skip others with minimal-any.
+			 */
+			if (qctx->rdataset->type == dns_rdatatype_sig ||
+			    qctx->rdataset->type == dns_rdatatype_rrsig)
+			{
+				onetype = qctx->rdataset->covers;
+			} else {
+				onetype = qctx->rdataset->type;
+			}
+
+			query_addrrset(qctx,
+				       (qctx->fname != NULL) ? &qctx->fname
+							     : &qctx->tname,
+				       &qctx->rdataset, NULL, NULL,
+				       DNS_SECTION_ANSWER);
+
+			query_addnoqnameproof(qctx);
+
+			found = true;
+			INSIST(qctx->tname != NULL);
+
+			/*
+			 * rdataset is non-NULL only in certain
+			 * pathological cases involving DNAMEs.
+			 */
+			if (qctx->rdataset != NULL) {
+				ns_client_putrdataset(qctx->client,
+						      &qctx->rdataset);
+			}
+
+			qctx->rdataset = ns_client_newrdataset(qctx->client);
+			if (qctx->rdataset == NULL) {
+				break;
+			}
+		} else {
+			/*
+			 * We're not interested in this rdataset.
+			 */
+			dns_rdataset_disassociate(qctx->rdataset);
+		}
+
+		result = dns_rdatasetiter_next(rdsiter);
+	}
+
+	dns_rdatasetiter_destroy(&rdsiter);
+
+	if (result != ISC_R_NOMORE) {
+		CCTRACE(ISC_LOG_ERROR, "query_respond_any: rdataset iterator "
+				       "failed");
+		QUERY_ERROR(qctx, DNS_R_SERVFAIL);
+		return (ns_query_done(qctx));
+	}
+
+	if (found) {
+		/*
+		 * Call hook if any answers were found.
+		 * Do this before releasing qctx->fname, in case
+		 * the hook function needs it.
+		 */
+		CALL_HOOK(NS_QUERY_RESPOND_ANY_FOUND, qctx);
+	}
+
+	if (qctx->fname != NULL) {
+		dns_message_puttempname(qctx->client->message, &qctx->fname);
+	}
+
+	if (found) {
+		/*
+		 * At least one matching rdataset was found
+		 */
+		query_addauth(qctx);
+	} else if (qctx->qtype == dns_rdatatype_rrsig ||
+		   qctx->qtype == dns_rdatatype_sig)
+	{
+		/*
+		 * No matching rdatasets were found, but we got
+		 * here on a search for RRSIG/SIG, so that's okay.
+		 */
+		if (!qctx->is_zone) {
+			qctx->authoritative = false;
+			qctx->client->attributes &= ~NS_CLIENTATTR_RA;
+			query_addauth(qctx);
+			return (ns_query_done(qctx));
+		}
+
+		if (qctx->qtype == dns_rdatatype_rrsig &&
+		    dns_db_issecure(qctx->db))
+		{
+			char namebuf[DNS_NAME_FORMATSIZE];
+			dns_name_format(qctx->client->query.qname, namebuf,
+					sizeof(namebuf));
+			ns_client_log(qctx->client, DNS_LOGCATEGORY_DNSSEC,
+				      NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
+				      "missing signature for %s", namebuf);
+		}
+
+		qctx->fname = ns_client_newname(qctx->client, qctx->dbuf, &b);
+		return (query_sign_nodata(qctx));
+	} else if (!hidden) {
+		/*
+		 * No matching rdatasets were found and nothing was
+		 * deliberately hidden: something must have gone wrong.
+		 */
+		QUERY_ERROR(qctx, DNS_R_SERVFAIL);
+	}
+
+	return (ns_query_done(qctx));
+
+cleanup:
+	return (result);
+}
+
+/*
+ * Set the expire time, if requested, when answering from a slave, mirror, or
+ * master zone.
+ */
+static void
+query_getexpire(query_ctx_t *qctx) {
+	dns_zone_t *raw = NULL, *mayberaw;
+
+	CCTRACE(ISC_LOG_DEBUG(3), "query_getexpire");
+
+	if (qctx->zone == NULL || !qctx->is_zone ||
+	    qctx->qtype != dns_rdatatype_soa ||
+	    qctx->client->query.restarts != 0 ||
+	    (qctx->client->attributes & NS_CLIENTATTR_WANTEXPIRE) == 0)
+	{
+		return;
+	}
+
+	dns_zone_getraw(qctx->zone, &raw);
+	mayberaw = (raw != NULL) ? raw : qctx->zone;
+
+	if (dns_zone_gettype(mayberaw) == dns_zone_secondary ||
+	    dns_zone_gettype(mayberaw) == dns_zone_mirror)
+	{
+		isc_time_t expiretime;
+		uint32_t secs;
+		dns_zone_getexpiretime(qctx->zone, &expiretime);
+		secs = isc_time_seconds(&expiretime);
+		if (secs >= qctx->client->now && qctx->result == ISC_R_SUCCESS)
+		{
+			qctx->client->attributes |= NS_CLIENTATTR_HAVEEXPIRE;
+			qctx->client->expire = secs - qctx->client->now;
+		}
+	} else if (dns_zone_gettype(mayberaw) == dns_zone_primary) {
+		isc_result_t result;
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_rdata_soa_t soa;
+
+		result = dns_rdataset_first(qctx->rdataset);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		dns_rdataset_current(qctx->rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &soa, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		qctx->client->expire = soa.expire;
+		qctx->client->attributes |= NS_CLIENTATTR_HAVEEXPIRE;
+	}
+
+	if (raw != NULL) {
+		dns_zone_detach(&raw);
+	}
+}
+
+/*%
+ * Fill the ANSWER section of a positive response.
+ */
+static isc_result_t
+query_addanswer(query_ctx_t *qctx) {
+	dns_rdataset_t **sigrdatasetp = NULL;
+	isc_result_t result;
+
+	CCTRACE(ISC_LOG_DEBUG(3), "query_addanswer");
+
+	CALL_HOOK(NS_QUERY_ADDANSWER_BEGIN, qctx);
+
+	/*
+	 * On normal lookups, clear any rdatasets that were added on a
+	 * lookup due to stale-answer-client-timeout. Do not clear if we
+	 * are going to refresh the RRset, because the stale contents are
+	 * prioritized.
+	 */
+	if (QUERY_STALEOK(&qctx->client->query) &&
+	    !QUERY_STALETIMEOUT(&qctx->client->query) && !qctx->refresh_rrset)
+	{
+		CCTRACE(ISC_LOG_DEBUG(3), "query_clear_stale");
+		query_clear_stale(qctx->client);
+		/*
+		 * We can clear the attribute to prevent redundant clearing
+		 * in subsequent lookups.
+		 */
+		qctx->client->query.attributes &= ~NS_QUERYATTR_STALEOK;
+	}
+
+	if (qctx->dns64) {
+		result = query_dns64(qctx);
+		qctx->noqname = NULL;
+		dns_rdataset_disassociate(qctx->rdataset);
+		dns_message_puttemprdataset(qctx->client->message,
+					    &qctx->rdataset);
+		if (result == ISC_R_NOMORE) {
+#ifndef dns64_bis_return_excluded_addresses
+			if (qctx->dns64_exclude) {
+				if (!qctx->is_zone) {
+					return (ns_query_done(qctx));
+				}
+				/*
+				 * Add a fake SOA record.
+				 */
+				(void)query_addsoa(qctx, 600,
+						   DNS_SECTION_AUTHORITY);
+				return (ns_query_done(qctx));
+			}
+#endif /* ifndef dns64_bis_return_excluded_addresses */
+			if (qctx->is_zone) {
+				return (query_nodata(qctx, DNS_R_NXDOMAIN));
+			} else {
+				return (query_ncache(qctx, DNS_R_NXDOMAIN));
+			}
+		} else if (result != ISC_R_SUCCESS) {
+			qctx->result = result;
+			return (ns_query_done(qctx));
+		}
+	} else if (qctx->client->query.dns64_aaaaok != NULL) {
+		query_filter64(qctx);
+		ns_client_putrdataset(qctx->client, &qctx->rdataset);
+	} else {
+		if (!qctx->is_zone && RECURSIONOK(qctx->client) &&
+		    !QUERY_STALETIMEOUT(&qctx->client->query))
+		{
+			query_prefetch(qctx->client, qctx->fname,
+				       qctx->rdataset);
+		}
+		if (WANTDNSSEC(qctx->client) && qctx->sigrdataset != NULL) {
+			sigrdatasetp = &qctx->sigrdataset;
+		}
+		query_addrrset(qctx, &qctx->fname, &qctx->rdataset,
+			       sigrdatasetp, qctx->dbuf, DNS_SECTION_ANSWER);
+	}
+
+	return (ISC_R_COMPLETE);
+
+cleanup:
+	return (result);
+}
+
+/*%
+ * Build a response for a "normal" query, for a type other than ANY,
+ * for which we have an answer (either positive or negative).
+ */
+static isc_result_t
+query_respond(query_ctx_t *qctx) {
+	isc_result_t result;
+
+	CCTRACE(ISC_LOG_DEBUG(3), "query_respond");
+
+	/*
+	 * Check to see if the AAAA RRset has non-excluded addresses
+	 * in it.  If not look for a A RRset.
+	 */
+	INSIST(qctx->client->query.dns64_aaaaok == NULL);
+
+	if (qctx->qtype == dns_rdatatype_aaaa && !qctx->dns64_exclude &&
+	    !ISC_LIST_EMPTY(qctx->view->dns64) &&
+	    qctx->client->message->rdclass == dns_rdataclass_in &&
+	    !dns64_aaaaok(qctx->client, qctx->rdataset, qctx->sigrdataset))
+	{
+		/*
+		 * Look to see if there are A records for this name.
+		 */
+		qctx->client->query.dns64_ttl = qctx->rdataset->ttl;
+		SAVE(qctx->client->query.dns64_aaaa, qctx->rdataset);
+		SAVE(qctx->client->query.dns64_sigaaaa, qctx->sigrdataset);
+		ns_client_releasename(qctx->client, &qctx->fname);
+		dns_db_detachnode(qctx->db, &qctx->node);
+		qctx->type = qctx->qtype = dns_rdatatype_a;
+		qctx->dns64_exclude = qctx->dns64 = true;
+
+		return (query_lookup(qctx));
+	}
+
+	/*
+	 * XXX: This hook is meant to be at the top of this function,
+	 * but is postponed until after DNS64 in order to avoid an
+	 * assertion if the hook causes recursion. (When DNS64 also
+	 * becomes a plugin, it will be necessary to find some
+	 * other way to prevent that assertion, since the order in
+	 * which plugins are configured can't be enforced.)
+	 */
+	CALL_HOOK(NS_QUERY_RESPOND_BEGIN, qctx);
+
+	if (NOQNAME(qctx->rdataset) && WANTDNSSEC(qctx->client)) {
+		qctx->noqname = qctx->rdataset;
+	} else {
+		qctx->noqname = NULL;
+	}
+
+	/*
+	 * Special case NS handling
+	 */
+	if (qctx->is_zone && qctx->qtype == dns_rdatatype_ns) {
+		/*
+		 * We've already got an NS, no need to add one in
+		 * the authority section
+		 */
+		if (dns_name_equal(qctx->client->query.qname,
+				   dns_db_origin(qctx->db)))
+		{
+			qctx->answer_has_ns = true;
+		}
+
+		/*
+		 * Always add glue for root priming queries, regardless
+		 * of "minimal-responses" setting.
+		 */
+		if (dns_name_equal(qctx->client->query.qname, dns_rootname)) {
+			qctx->client->query.attributes &=
+				~NS_QUERYATTR_NOADDITIONAL;
+			dns_db_attach(qctx->db, &qctx->client->query.gluedb);
+		}
+	}
+
+	/*
+	 * Set expire time
+	 */
+	query_getexpire(qctx);
+
+	result = query_addanswer(qctx);
+	if (result != ISC_R_COMPLETE) {
+		return (result);
+	}
+
+	query_addnoqnameproof(qctx);
+
+	/*
+	 * 'qctx->rdataset' will only be non-NULL here if the ANSWER section of
+	 * the message to be sent to the client already contains an RRset with
+	 * the same owner name and the same type as 'qctx->rdataset'.  This
+	 * should never happen, with one exception: when chasing DNAME records,
+	 * one of the DNAME records placed in the ANSWER section may turn out
+	 * to be the final answer to the client's query, but we have no way of
+	 * knowing that until now.  In such a case, 'qctx->rdataset' will be
+	 * freed later, so we do not need to free it here.
+	 */
+	INSIST(qctx->rdataset == NULL || qctx->qtype == dns_rdatatype_dname);
+
+	query_addauth(qctx);
+
+	return (ns_query_done(qctx));
+
+cleanup:
+	return (result);
+}
+
+static isc_result_t
+query_dns64(query_ctx_t *qctx) {
+	ns_client_t *client = qctx->client;
+	dns_aclenv_t *env =
+		ns_interfacemgr_getaclenv(client->manager->interface->mgr);
+	dns_name_t *name, *mname;
+	dns_rdata_t *dns64_rdata;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdatalist_t *dns64_rdatalist;
+	dns_rdataset_t *dns64_rdataset;
+	dns_rdataset_t *mrdataset;
+	isc_buffer_t *buffer;
+	isc_region_t r;
+	isc_result_t result;
+	dns_view_t *view = client->view;
+	isc_netaddr_t netaddr;
+	dns_dns64_t *dns64;
+	unsigned int flags = 0;
+	const dns_section_t section = DNS_SECTION_ANSWER;
+
+	/*%
+	 * To the current response for 'qctx->client', add the answer RRset
+	 * '*rdatasetp' and an optional signature set '*sigrdatasetp', with
+	 * owner name '*namep', to the answer section, unless they are
+	 * already there.  Also add any pertinent additional data.
+	 *
+	 * If 'qctx->dbuf' is not NULL, then 'qctx->fname' is the name
+	 * whose data is stored 'qctx->dbuf'.  In this case,
+	 * query_addrrset() guarantees that when it returns the name
+	 * will either have been kept or released.
+	 */
+	CTRACE(ISC_LOG_DEBUG(3), "query_dns64");
+
+	qctx->qtype = qctx->type = dns_rdatatype_aaaa;
+
+	name = qctx->fname;
+	mname = NULL;
+	mrdataset = NULL;
+	buffer = NULL;
+	dns64_rdata = NULL;
+	dns64_rdataset = NULL;
+	dns64_rdatalist = NULL;
+	result = dns_message_findname(
+		client->message, section, name, dns_rdatatype_aaaa,
+		qctx->rdataset->covers, &mname, &mrdataset);
+	if (result == ISC_R_SUCCESS) {
+		/*
+		 * We've already got an RRset of the given name and type.
+		 * There's nothing else to do;
+		 */
+		CTRACE(ISC_LOG_DEBUG(3), "query_dns64: dns_message_findname "
+					 "succeeded: done");
+		if (qctx->dbuf != NULL) {
+			ns_client_releasename(client, &qctx->fname);
+		}
+		return (ISC_R_SUCCESS);
+	} else if (result == DNS_R_NXDOMAIN) {
+		/*
+		 * The name doesn't exist.
+		 */
+		if (qctx->dbuf != NULL) {
+			ns_client_keepname(client, name, qctx->dbuf);
+		}
+		dns_message_addname(client->message, name, section);
+		qctx->fname = NULL;
+		mname = name;
+	} else {
+		RUNTIME_CHECK(result == DNS_R_NXRRSET);
+		if (qctx->dbuf != NULL) {
+			ns_client_releasename(client, &qctx->fname);
+		}
+	}
+
+	if (qctx->rdataset->trust != dns_trust_secure) {
+		client->query.attributes &= ~NS_QUERYATTR_SECURE;
+	}
+
+	isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
+
+	isc_buffer_allocate(client->mctx, &buffer,
+			    view->dns64cnt * 16 *
+				    dns_rdataset_count(qctx->rdataset));
+	result = dns_message_gettemprdataset(client->message, &dns64_rdataset);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	result = dns_message_gettemprdatalist(client->message,
+					      &dns64_rdatalist);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	dns_rdatalist_init(dns64_rdatalist);
+	dns64_rdatalist->rdclass = dns_rdataclass_in;
+	dns64_rdatalist->type = dns_rdatatype_aaaa;
+	if (client->query.dns64_ttl != UINT32_MAX) {
+		dns64_rdatalist->ttl = ISC_MIN(qctx->rdataset->ttl,
+					       client->query.dns64_ttl);
+	} else {
+		dns64_rdatalist->ttl = ISC_MIN(qctx->rdataset->ttl, 600);
+	}
+
+	if (RECURSIONOK(client)) {
+		flags |= DNS_DNS64_RECURSIVE;
+	}
+
+	/*
+	 * We use the signatures from the A lookup to set DNS_DNS64_DNSSEC
+	 * as this provides a easy way to see if the answer was signed.
+	 */
+	if (WANTDNSSEC(qctx->client) && qctx->sigrdataset != NULL &&
+	    dns_rdataset_isassociated(qctx->sigrdataset))
+	{
+		flags |= DNS_DNS64_DNSSEC;
+	}
+
+	for (result = dns_rdataset_first(qctx->rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(qctx->rdataset))
+	{
+		for (dns64 = ISC_LIST_HEAD(client->view->dns64); dns64 != NULL;
+		     dns64 = dns_dns64_next(dns64))
+		{
+			dns_rdataset_current(qctx->rdataset, &rdata);
+			isc_buffer_availableregion(buffer, &r);
+			INSIST(r.length >= 16);
+			result = dns_dns64_aaaafroma(dns64, &netaddr,
+						     client->signer, env, flags,
+						     rdata.data, r.base);
+			if (result != ISC_R_SUCCESS) {
+				dns_rdata_reset(&rdata);
+				continue;
+			}
+			isc_buffer_add(buffer, 16);
+			isc_buffer_remainingregion(buffer, &r);
+			isc_buffer_forward(buffer, 16);
+			result = dns_message_gettemprdata(client->message,
+							  &dns64_rdata);
+			if (result != ISC_R_SUCCESS) {
+				goto cleanup;
+			}
+			dns_rdata_init(dns64_rdata);
+			dns_rdata_fromregion(dns64_rdata, dns_rdataclass_in,
+					     dns_rdatatype_aaaa, &r);
+			ISC_LIST_APPEND(dns64_rdatalist->rdata, dns64_rdata,
+					link);
+			dns64_rdata = NULL;
+			dns_rdata_reset(&rdata);
+		}
+	}
+	if (result != ISC_R_NOMORE) {
+		goto cleanup;
+	}
+
+	if (ISC_LIST_EMPTY(dns64_rdatalist->rdata)) {
+		goto cleanup;
+	}
+
+	result = dns_rdatalist_tordataset(dns64_rdatalist, dns64_rdataset);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	dns_rdataset_setownercase(dns64_rdataset, mname);
+	client->query.attributes |= NS_QUERYATTR_NOADDITIONAL;
+	dns64_rdataset->trust = qctx->rdataset->trust;
+
+	query_addtoname(mname, dns64_rdataset);
+	query_setorder(qctx, mname, dns64_rdataset);
+
+	dns64_rdataset = NULL;
+	dns64_rdatalist = NULL;
+	dns_message_takebuffer(client->message, &buffer);
+	inc_stats(client, ns_statscounter_dns64);
+	result = ISC_R_SUCCESS;
+
+cleanup:
+	if (buffer != NULL) {
+		isc_buffer_free(&buffer);
+	}
+
+	if (dns64_rdata != NULL) {
+		dns_message_puttemprdata(client->message, &dns64_rdata);
+	}
+
+	if (dns64_rdataset != NULL) {
+		dns_message_puttemprdataset(client->message, &dns64_rdataset);
+	}
+
+	if (dns64_rdatalist != NULL) {
+		for (dns64_rdata = ISC_LIST_HEAD(dns64_rdatalist->rdata);
+		     dns64_rdata != NULL;
+		     dns64_rdata = ISC_LIST_HEAD(dns64_rdatalist->rdata))
+		{
+			ISC_LIST_UNLINK(dns64_rdatalist->rdata, dns64_rdata,
+					link);
+			dns_message_puttemprdata(client->message, &dns64_rdata);
+		}
+		dns_message_puttemprdatalist(client->message, &dns64_rdatalist);
+	}
+
+	CTRACE(ISC_LOG_DEBUG(3), "query_dns64: done");
+	return (result);
+}
+
+static void
+query_filter64(query_ctx_t *qctx) {
+	ns_client_t *client = qctx->client;
+	dns_name_t *name, *mname;
+	dns_rdata_t *myrdata;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdatalist_t *myrdatalist;
+	dns_rdataset_t *myrdataset;
+	isc_buffer_t *buffer;
+	isc_region_t r;
+	isc_result_t result;
+	unsigned int i;
+	const dns_section_t section = DNS_SECTION_ANSWER;
+
+	CTRACE(ISC_LOG_DEBUG(3), "query_filter64");
+
+	INSIST(client->query.dns64_aaaaok != NULL);
+	INSIST(client->query.dns64_aaaaoklen ==
+	       dns_rdataset_count(qctx->rdataset));
+
+	name = qctx->fname;
+	mname = NULL;
+	buffer = NULL;
+	myrdata = NULL;
+	myrdataset = NULL;
+	myrdatalist = NULL;
+	result = dns_message_findname(
+		client->message, section, name, dns_rdatatype_aaaa,
+		qctx->rdataset->covers, &mname, &myrdataset);
+	if (result == ISC_R_SUCCESS) {
+		/*
+		 * We've already got an RRset of the given name and type.
+		 * There's nothing else to do;
+		 */
+		CTRACE(ISC_LOG_DEBUG(3), "query_filter64: dns_message_findname "
+					 "succeeded: done");
+		if (qctx->dbuf != NULL) {
+			ns_client_releasename(client, &qctx->fname);
+		}
+		return;
+	} else if (result == DNS_R_NXDOMAIN) {
+		mname = name;
+		qctx->fname = NULL;
+	} else {
+		RUNTIME_CHECK(result == DNS_R_NXRRSET);
+		if (qctx->dbuf != NULL) {
+			ns_client_releasename(client, &qctx->fname);
+		}
+		qctx->dbuf = NULL;
+	}
+
+	if (qctx->rdataset->trust != dns_trust_secure) {
+		client->query.attributes &= ~NS_QUERYATTR_SECURE;
+	}
+
+	isc_buffer_allocate(client->mctx, &buffer,
+			    16 * dns_rdataset_count(qctx->rdataset));
+	result = dns_message_gettemprdataset(client->message, &myrdataset);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	result = dns_message_gettemprdatalist(client->message, &myrdatalist);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	dns_rdatalist_init(myrdatalist);
+	myrdatalist->rdclass = dns_rdataclass_in;
+	myrdatalist->type = dns_rdatatype_aaaa;
+	myrdatalist->ttl = qctx->rdataset->ttl;
+
+	i = 0;
+	for (result = dns_rdataset_first(qctx->rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(qctx->rdataset))
+	{
+		if (!client->query.dns64_aaaaok[i++]) {
+			continue;
+		}
+		dns_rdataset_current(qctx->rdataset, &rdata);
+		INSIST(rdata.length == 16);
+		isc_buffer_putmem(buffer, rdata.data, rdata.length);
+		isc_buffer_remainingregion(buffer, &r);
+		isc_buffer_forward(buffer, rdata.length);
+		result = dns_message_gettemprdata(client->message, &myrdata);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+		dns_rdata_init(myrdata);
+		dns_rdata_fromregion(myrdata, dns_rdataclass_in,
+				     dns_rdatatype_aaaa, &r);
+		ISC_LIST_APPEND(myrdatalist->rdata, myrdata, link);
+		myrdata = NULL;
+		dns_rdata_reset(&rdata);
+	}
+	if (result != ISC_R_NOMORE) {
+		goto cleanup;
+	}
+
+	result = dns_rdatalist_tordataset(myrdatalist, myrdataset);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	dns_rdataset_setownercase(myrdataset, name);
+	client->query.attributes |= NS_QUERYATTR_NOADDITIONAL;
+	if (mname == name) {
+		if (qctx->dbuf != NULL) {
+			ns_client_keepname(client, name, qctx->dbuf);
+		}
+		dns_message_addname(client->message, name, section);
+		qctx->dbuf = NULL;
+	}
+	myrdataset->trust = qctx->rdataset->trust;
+
+	query_addtoname(mname, myrdataset);
+	query_setorder(qctx, mname, myrdataset);
+
+	myrdataset = NULL;
+	myrdatalist = NULL;
+	dns_message_takebuffer(client->message, &buffer);
+
+cleanup:
+	if (buffer != NULL) {
+		isc_buffer_free(&buffer);
+	}
+
+	if (myrdata != NULL) {
+		dns_message_puttemprdata(client->message, &myrdata);
+	}
+
+	if (myrdataset != NULL) {
+		dns_message_puttemprdataset(client->message, &myrdataset);
+	}
+
+	if (myrdatalist != NULL) {
+		for (myrdata = ISC_LIST_HEAD(myrdatalist->rdata);
+		     myrdata != NULL;
+		     myrdata = ISC_LIST_HEAD(myrdatalist->rdata))
+		{
+			ISC_LIST_UNLINK(myrdatalist->rdata, myrdata, link);
+			dns_message_puttemprdata(client->message, &myrdata);
+		}
+		dns_message_puttemprdatalist(client->message, &myrdatalist);
+	}
+	if (qctx->dbuf != NULL) {
+		ns_client_releasename(client, &name);
+	}
+
+	CTRACE(ISC_LOG_DEBUG(3), "query_filter64: done");
+}
+
+/*%
+ * Handle the case of a name not being found in a database lookup.
+ * Called from query_gotanswer(). Passes off processing to
+ * query_delegation() for a root referral if appropriate.
+ */
+static isc_result_t
+query_notfound(query_ctx_t *qctx) {
+	isc_result_t result;
+
+	CCTRACE(ISC_LOG_DEBUG(3), "query_notfound");
+
+	CALL_HOOK(NS_QUERY_NOTFOUND_BEGIN, qctx);
+
+	INSIST(!qctx->is_zone);
+
+	if (qctx->db != NULL) {
+		dns_db_detach(&qctx->db);
+	}
+
+	/*
+	 * If the cache doesn't even have the root NS,
+	 * try to get that from the hints DB.
+	 */
+	if (qctx->view->hints != NULL) {
+		dns_clientinfomethods_t cm;
+		dns_clientinfo_t ci;
+
+		dns_clientinfomethods_init(&cm, ns_client_sourceip);
+		dns_clientinfo_init(&ci, qctx->client, NULL, NULL);
+
+		dns_db_attach(qctx->view->hints, &qctx->db);
+		result = dns_db_findext(qctx->db, dns_rootname, NULL,
+					dns_rdatatype_ns, 0, qctx->client->now,
+					&qctx->node, qctx->fname, &cm, &ci,
+					qctx->rdataset, qctx->sigrdataset);
+	} else {
+		/* We have no hints. */
+		result = ISC_R_FAILURE;
+	}
+	if (result != ISC_R_SUCCESS) {
+		/*
+		 * Nonsensical root hints may require cleanup.
+		 */
+		qctx_clean(qctx);
+
+		/*
+		 * We don't have any root server hints, but
+		 * we may have working forwarders, so try to
+		 * recurse anyway.
+		 */
+		if (RECURSIONOK(qctx->client)) {
+			INSIST(!REDIRECT(qctx->client));
+			result = ns_query_recurse(qctx->client, qctx->qtype,
+						  qctx->client->query.qname,
+						  NULL, NULL, qctx->resuming);
+			if (result == ISC_R_SUCCESS) {
+				CALL_HOOK(NS_QUERY_NOTFOUND_RECURSE, qctx);
+				qctx->client->query.attributes |=
+					NS_QUERYATTR_RECURSING;
+
+				if (qctx->dns64) {
+					qctx->client->query.attributes |=
+						NS_QUERYATTR_DNS64;
+				}
+				if (qctx->dns64_exclude) {
+					qctx->client->query.attributes |=
+						NS_QUERYATTR_DNS64EXCLUDE;
+				}
+			} else if (query_usestale(qctx, result)) {
+				/*
+				 * If serve-stale is enabled, query_usestale()
+				 * already set up 'qctx' for looking up a
+				 * stale response.
+				 */
+				return (query_lookup(qctx));
+			} else {
+				QUERY_ERROR(qctx, result);
+			}
+			return (ns_query_done(qctx));
+		} else {
+			/* Unable to give root server referral. */
+			CCTRACE(ISC_LOG_ERROR, "unable to give root server "
+					       "referral");
+			QUERY_ERROR(qctx, result);
+			return (ns_query_done(qctx));
+		}
+	}
+
+	return (query_delegation(qctx));
+
+cleanup:
+	return (result);
+}
+
+/*%
+ * We have a delegation but recursion is not allowed, so return the delegation
+ * to the client.
+ */
+static isc_result_t
+query_prepare_delegation_response(query_ctx_t *qctx) {
+	isc_result_t result;
+	dns_rdataset_t **sigrdatasetp = NULL;
+	bool detach = false;
+
+	CALL_HOOK(NS_QUERY_PREP_DELEGATION_BEGIN, qctx);
+
+	/*
+	 * qctx->fname could be released in query_addrrset(), so save a copy of
+	 * it here in case we need it.
+	 */
+	dns_fixedname_init(&qctx->dsname);
+	dns_name_copynf(qctx->fname, dns_fixedname_name(&qctx->dsname));
+
+	/*
+	 * This is the best answer.
+	 */
+	qctx->client->query.isreferral = true;
+
+	if (!dns_db_iscache(qctx->db) && qctx->client->query.gluedb == NULL) {
+		dns_db_attach(qctx->db, &qctx->client->query.gluedb);
+		detach = true;
+	}
+
+	/*
+	 * We must ensure NOADDITIONAL is off, because the generation of
+	 * additional data is required in delegations.
+	 */
+	qctx->client->query.attributes &= ~NS_QUERYATTR_NOADDITIONAL;
+	if (WANTDNSSEC(qctx->client) && qctx->sigrdataset != NULL) {
+		sigrdatasetp = &qctx->sigrdataset;
+	}
+	query_addrrset(qctx, &qctx->fname, &qctx->rdataset, sigrdatasetp,
+		       qctx->dbuf, DNS_SECTION_AUTHORITY);
+	if (detach) {
+		dns_db_detach(&qctx->client->query.gluedb);
+	}
+
+	/*
+	 * Add DS/NSEC(3) record(s) if needed.
+	 */
+	query_addds(qctx);
+
+	return (ns_query_done(qctx));
+
+cleanup:
+	return (result);
+}
+
+/*%
+ * Handle a delegation response from an authoritative lookup. This
+ * may trigger additional lookups, e.g. from the cache database to
+ * see if we have a better answer; if that is not allowed, return the
+ * delegation to the client and call ns_query_done().
+ */
+static isc_result_t
+query_zone_delegation(query_ctx_t *qctx) {
+	isc_result_t result;
+
+	CALL_HOOK(NS_QUERY_ZONE_DELEGATION_BEGIN, qctx);
+
+	/*
+	 * If the query type is DS, look to see if we are
+	 * authoritative for the child zone
+	 */
+	if (!RECURSIONOK(qctx->client) &&
+	    (qctx->options & DNS_GETDB_NOEXACT) != 0 &&
+	    qctx->qtype == dns_rdatatype_ds)
+	{
+		dns_db_t *tdb = NULL;
+		dns_zone_t *tzone = NULL;
+		dns_dbversion_t *tversion = NULL;
+		result = query_getzonedb(
+			qctx->client, qctx->client->query.qname, qctx->qtype,
+			DNS_GETDB_PARTIAL, &tzone, &tdb, &tversion);
+		if (result != ISC_R_SUCCESS) {
+			if (tdb != NULL) {
+				dns_db_detach(&tdb);
+			}
+			if (tzone != NULL) {
+				dns_zone_detach(&tzone);
+			}
+		} else {
+			qctx->options &= ~DNS_GETDB_NOEXACT;
+			ns_client_putrdataset(qctx->client, &qctx->rdataset);
+			if (qctx->sigrdataset != NULL) {
+				ns_client_putrdataset(qctx->client,
+						      &qctx->sigrdataset);
+			}
+			if (qctx->fname != NULL) {
+				ns_client_releasename(qctx->client,
+						      &qctx->fname);
+			}
+			if (qctx->node != NULL) {
+				dns_db_detachnode(qctx->db, &qctx->node);
+			}
+			if (qctx->db != NULL) {
+				dns_db_detach(&qctx->db);
+			}
+			if (qctx->zone != NULL) {
+				dns_zone_detach(&qctx->zone);
+			}
+			qctx->version = NULL;
+			RESTORE(qctx->version, tversion);
+			RESTORE(qctx->db, tdb);
+			RESTORE(qctx->zone, tzone);
+			qctx->authoritative = true;
+
+			return (query_lookup(qctx));
+		}
+	}
+
+	if (USECACHE(qctx->client) &&
+	    (RECURSIONOK(qctx->client) ||
+	     (qctx->zone != NULL &&
+	      dns_zone_gettype(qctx->zone) == dns_zone_mirror)))
+	{
+		/*
+		 * We might have a better answer or delegation in the
+		 * cache.  We'll remember the current values of fname,
+		 * rdataset, and sigrdataset.  We'll then go looking for
+		 * QNAME in the cache.  If we find something better, we'll
+		 * use it instead. If not, then query_lookup() calls
+		 * query_notfound() which calls query_delegation(), and
+		 * we'll restore these values there.
+		 */
+		ns_client_keepname(qctx->client, qctx->fname, qctx->dbuf);
+		SAVE(qctx->zdb, qctx->db);
+		SAVE(qctx->znode, qctx->node);
+		SAVE(qctx->zfname, qctx->fname);
+		SAVE(qctx->zversion, qctx->version);
+		SAVE(qctx->zrdataset, qctx->rdataset);
+		SAVE(qctx->zsigrdataset, qctx->sigrdataset);
+		dns_db_attach(qctx->view->cachedb, &qctx->db);
+		qctx->is_zone = false;
+
+		return (query_lookup(qctx));
+	}
+
+	return (query_prepare_delegation_response(qctx));
+
+cleanup:
+	return (result);
+}
+
+/*%
+ * Handle delegation responses, including root referrals.
+ *
+ * If the delegation was returned from authoritative data,
+ * call query_zone_delgation().  Otherwise, we can start
+ * recursion if allowed; or else return the delegation to the
+ * client and call ns_query_done().
+ */
+static isc_result_t
+query_delegation(query_ctx_t *qctx) {
+	isc_result_t result;
+
+	CCTRACE(ISC_LOG_DEBUG(3), "query_delegation");
+
+	CALL_HOOK(NS_QUERY_DELEGATION_BEGIN, qctx);
+
+	qctx->authoritative = false;
+
+	if (qctx->is_zone) {
+		return (query_zone_delegation(qctx));
+	}
+
+	if (qctx->zfname != NULL &&
+	    (!dns_name_issubdomain(qctx->fname, qctx->zfname) ||
+	     (qctx->is_staticstub_zone &&
+	      dns_name_equal(qctx->fname, qctx->zfname))))
+	{
+		/*
+		 * In the following cases use "authoritative"
+		 * data instead of the cache delegation:
+		 * 1. We've already got a delegation from
+		 *    authoritative data, and it is better
+		 *    than what we found in the cache.
+		 *    (See the comment above.)
+		 * 2. The query name matches the origin name
+		 *    of a static-stub zone.  This needs to be
+		 *    considered for the case where the NS of
+		 *    the static-stub zone and the cached NS
+		 *    are different.  We still need to contact
+		 *    the nameservers configured in the
+		 *    static-stub zone.
+		 */
+		ns_client_releasename(qctx->client, &qctx->fname);
+
+		/*
+		 * We've already done ns_client_keepname() on
+		 * qctx->zfname, so we must set dbuf to NULL to
+		 * prevent query_addrrset() from trying to
+		 * call ns_client_keepname() again.
+		 */
+		qctx->dbuf = NULL;
+		ns_client_putrdataset(qctx->client, &qctx->rdataset);
+		if (qctx->sigrdataset != NULL) {
+			ns_client_putrdataset(qctx->client, &qctx->sigrdataset);
+		}
+		qctx->version = NULL;
+
+		dns_db_detachnode(qctx->db, &qctx->node);
+		dns_db_detach(&qctx->db);
+		RESTORE(qctx->db, qctx->zdb);
+		RESTORE(qctx->node, qctx->znode);
+		RESTORE(qctx->fname, qctx->zfname);
+		RESTORE(qctx->version, qctx->zversion);
+		RESTORE(qctx->rdataset, qctx->zrdataset);
+		RESTORE(qctx->sigrdataset, qctx->zsigrdataset);
+	}
+
+	result = query_delegation_recurse(qctx);
+	if (result != ISC_R_COMPLETE) {
+		return (result);
+	}
+
+	return (query_prepare_delegation_response(qctx));
+
+cleanup:
+	return (result);
+}
+
+/*%
+ * Handle recursive queries that are triggered as part of the
+ * delegation process.
+ */
+static isc_result_t
+query_delegation_recurse(query_ctx_t *qctx) {
+	isc_result_t result;
+	dns_name_t *qname = qctx->client->query.qname;
+
+	CCTRACE(ISC_LOG_DEBUG(3), "query_delegation_recurse");
+
+	if (!RECURSIONOK(qctx->client)) {
+		return (ISC_R_COMPLETE);
+	}
+
+	CALL_HOOK(NS_QUERY_DELEGATION_RECURSE_BEGIN, qctx);
+
+	/*
+	 * We have a delegation and recursion is allowed,
+	 * so we call ns_query_recurse() to follow it.
+	 * This phase of the query processing is done;
+	 * we'll resume via fetch_callback() and
+	 * query_resume() when the recursion is complete.
+	 */
+
+	INSIST(!REDIRECT(qctx->client));
+
+	if (dns_rdatatype_atparent(qctx->type)) {
+		/*
+		 * Parent is authoritative for this RDATA type (i.e. DS).
+		 */
+		result = ns_query_recurse(qctx->client, qctx->qtype, qname,
+					  NULL, NULL, qctx->resuming);
+	} else if (qctx->dns64) {
+		/*
+		 * Look up an A record so we can synthesize DNS64.
+		 */
+		result = ns_query_recurse(qctx->client, dns_rdatatype_a, qname,
+					  NULL, NULL, qctx->resuming);
+	} else {
+		/*
+		 * Any other recursion.
+		 */
+		result = ns_query_recurse(qctx->client, qctx->qtype, qname,
+					  qctx->fname, qctx->rdataset,
+					  qctx->resuming);
+	}
+
+	if (result == ISC_R_SUCCESS) {
+		qctx->client->query.attributes |= NS_QUERYATTR_RECURSING;
+		if (qctx->dns64) {
+			qctx->client->query.attributes |= NS_QUERYATTR_DNS64;
+		}
+		if (qctx->dns64_exclude) {
+			qctx->client->query.attributes |=
+				NS_QUERYATTR_DNS64EXCLUDE;
+		}
+	} else if (query_usestale(qctx, result)) {
+		/*
+		 * If serve-stale is enabled, query_usestale() already set up
+		 * 'qctx' for looking up a stale response.
+		 */
+		return (query_lookup(qctx));
+	} else {
+		QUERY_ERROR(qctx, result);
+	}
+
+	return (ns_query_done(qctx));
+
+cleanup:
+	return (result);
+}
+
+/*%
+ * Add DS/NSEC(3) record(s) if needed.
+ */
+static void
+query_addds(query_ctx_t *qctx) {
+	ns_client_t *client = qctx->client;
+	dns_fixedname_t fixed;
+	dns_name_t *fname = NULL;
+	dns_name_t *rname = NULL;
+	dns_name_t *name;
+	dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
+	isc_buffer_t *dbuf, b;
+	isc_result_t result;
+	unsigned int count;
+
+	CTRACE(ISC_LOG_DEBUG(3), "query_addds");
+
+	/*
+	 * DS not needed.
+	 */
+	if (!WANTDNSSEC(client)) {
+		return;
+	}
+
+	/*
+	 * We'll need some resources...
+	 */
+	rdataset = ns_client_newrdataset(client);
+	sigrdataset = ns_client_newrdataset(client);
+	if (rdataset == NULL || sigrdataset == NULL) {
+		goto cleanup;
+	}
+
+	/*
+	 * Look for the DS record, which may or may not be present.
+	 */
+	result = dns_db_findrdataset(qctx->db, qctx->node, qctx->version,
+				     dns_rdatatype_ds, 0, client->now, rdataset,
+				     sigrdataset);
+	/*
+	 * If we didn't find it, look for an NSEC.
+	 */
+	if (result == ISC_R_NOTFOUND) {
+		result = dns_db_findrdataset(
+			qctx->db, qctx->node, qctx->version, dns_rdatatype_nsec,
+			0, client->now, rdataset, sigrdataset);
+	}
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
+		goto addnsec3;
+	}
+	if (!dns_rdataset_isassociated(rdataset) ||
+	    !dns_rdataset_isassociated(sigrdataset))
+	{
+		goto addnsec3;
+	}
+
+	/*
+	 * We've already added the NS record, so if the name's not there,
+	 * we have other problems.
+	 */
+	result = dns_message_firstname(client->message, DNS_SECTION_AUTHORITY);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	/*
+	 * Find the delegation in the response message - it is not necessarily
+	 * the first name in the AUTHORITY section when wildcard processing is
+	 * involved.
+	 */
+	while (result == ISC_R_SUCCESS) {
+		rname = NULL;
+		dns_message_currentname(client->message, DNS_SECTION_AUTHORITY,
+					&rname);
+		result = dns_message_findtype(rname, dns_rdatatype_ns, 0, NULL);
+		if (result == ISC_R_SUCCESS) {
+			break;
+		}
+		result = dns_message_nextname(client->message,
+					      DNS_SECTION_AUTHORITY);
+	}
+
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	/*
+	 * Add the relevant RRset (DS or NSEC) to the delegation.
+	 */
+	query_addrrset(qctx, &rname, &rdataset, &sigrdataset, NULL,
+		       DNS_SECTION_AUTHORITY);
+	goto cleanup;
+
+addnsec3:
+	if (!dns_db_iszone(qctx->db)) {
+		goto cleanup;
+	}
+	/*
+	 * Add the NSEC3 which proves the DS does not exist.
+	 */
+	dbuf = ns_client_getnamebuf(client);
+	if (dbuf == NULL) {
+		goto cleanup;
+	}
+	fname = ns_client_newname(client, dbuf, &b);
+	dns_fixedname_init(&fixed);
+	if (dns_rdataset_isassociated(rdataset)) {
+		dns_rdataset_disassociate(rdataset);
+	}
+	if (dns_rdataset_isassociated(sigrdataset)) {
+		dns_rdataset_disassociate(sigrdataset);
+	}
+	name = dns_fixedname_name(&qctx->dsname);
+	query_findclosestnsec3(name, qctx->db, qctx->version, client, rdataset,
+			       sigrdataset, fname, true,
+			       dns_fixedname_name(&fixed));
+	if (!dns_rdataset_isassociated(rdataset)) {
+		goto cleanup;
+	}
+	query_addrrset(qctx, &fname, &rdataset, &sigrdataset, dbuf,
+		       DNS_SECTION_AUTHORITY);
+	/*
+	 * Did we find the closest provable encloser instead?
+	 * If so add the nearest to the closest provable encloser.
+	 */
+	if (!dns_name_equal(name, dns_fixedname_name(&fixed))) {
+		count = dns_name_countlabels(dns_fixedname_name(&fixed)) + 1;
+		dns_name_getlabelsequence(name,
+					  dns_name_countlabels(name) - count,
+					  count, dns_fixedname_name(&fixed));
+		fixfname(client, &fname, &dbuf, &b);
+		fixrdataset(client, &rdataset);
+		fixrdataset(client, &sigrdataset);
+		if (fname == NULL || rdataset == NULL || sigrdataset == NULL) {
+			goto cleanup;
+		}
+		query_findclosestnsec3(dns_fixedname_name(&fixed), qctx->db,
+				       qctx->version, client, rdataset,
+				       sigrdataset, fname, false, NULL);
+		if (!dns_rdataset_isassociated(rdataset)) {
+			goto cleanup;
+		}
+		query_addrrset(qctx, &fname, &rdataset, &sigrdataset, dbuf,
+			       DNS_SECTION_AUTHORITY);
+	}
+
+cleanup:
+	if (rdataset != NULL) {
+		ns_client_putrdataset(client, &rdataset);
+	}
+	if (sigrdataset != NULL) {
+		ns_client_putrdataset(client, &sigrdataset);
+	}
+	if (fname != NULL) {
+		ns_client_releasename(client, &fname);
+	}
+}
+
+/*%
+ * Handle authoritative NOERROR/NODATA responses.
+ */
+static isc_result_t
+query_nodata(query_ctx_t *qctx, isc_result_t res) {
+	isc_result_t result = res;
+
+	CCTRACE(ISC_LOG_DEBUG(3), "query_nodata");
+
+	CALL_HOOK(NS_QUERY_NODATA_BEGIN, qctx);
+
+#ifdef dns64_bis_return_excluded_addresses
+	if (qctx->dns64)
+#else  /* ifdef dns64_bis_return_excluded_addresses */
+	if (qctx->dns64 && !qctx->dns64_exclude)
+#endif /* ifdef dns64_bis_return_excluded_addresses */
+	{
+		isc_buffer_t b;
+		/*
+		 * Restore the answers from the previous AAAA lookup.
+		 */
+		if (qctx->rdataset != NULL) {
+			ns_client_putrdataset(qctx->client, &qctx->rdataset);
+		}
+		if (qctx->sigrdataset != NULL) {
+			ns_client_putrdataset(qctx->client, &qctx->sigrdataset);
+		}
+		RESTORE(qctx->rdataset, qctx->client->query.dns64_aaaa);
+		RESTORE(qctx->sigrdataset, qctx->client->query.dns64_sigaaaa);
+		if (qctx->fname == NULL) {
+			qctx->dbuf = ns_client_getnamebuf(qctx->client);
+			if (qctx->dbuf == NULL) {
+				CCTRACE(ISC_LOG_ERROR, "query_nodata: "
+						       "ns_client_getnamebuf "
+						       "failed (3)");
+				QUERY_ERROR(qctx, ISC_R_NOMEMORY);
+				return (ns_query_done(qctx));
+			}
+			qctx->fname = ns_client_newname(qctx->client,
+							qctx->dbuf, &b);
+			if (qctx->fname == NULL) {
+				CCTRACE(ISC_LOG_ERROR, "query_nodata: "
+						       "ns_client_newname "
+						       "failed (3)");
+				QUERY_ERROR(qctx, ISC_R_NOMEMORY);
+				return (ns_query_done(qctx));
+			}
+		}
+		dns_name_copynf(qctx->client->query.qname, qctx->fname);
+		qctx->dns64 = false;
+#ifdef dns64_bis_return_excluded_addresses
+		/*
+		 * Resume the diverted processing of the AAAA response?
+		 */
+		if (qctx->dns64_exclude) {
+			return (query_prepresponse(qctx));
+		}
+#endif /* ifdef dns64_bis_return_excluded_addresses */
+	} else if ((result == DNS_R_NXRRSET || result == DNS_R_NCACHENXRRSET) &&
+		   !ISC_LIST_EMPTY(qctx->view->dns64) && !qctx->nxrewrite &&
+		   qctx->client->message->rdclass == dns_rdataclass_in &&
+		   qctx->qtype == dns_rdatatype_aaaa)
+	{
+		/*
+		 * Look to see if there are A records for this name.
+		 */
+		switch (result) {
+		case DNS_R_NCACHENXRRSET:
+			/*
+			 * This is from the negative cache; if the ttl is
+			 * zero, we need to work out whether we have just
+			 * decremented to zero or there was no negative
+			 * cache ttl in the answer.
+			 */
+			if (qctx->rdataset->ttl != 0) {
+				qctx->client->query.dns64_ttl =
+					qctx->rdataset->ttl;
+				break;
+			}
+			if (dns_rdataset_first(qctx->rdataset) == ISC_R_SUCCESS)
+			{
+				qctx->client->query.dns64_ttl = 0;
+			}
+			break;
+		case DNS_R_NXRRSET:
+			qctx->client->query.dns64_ttl =
+				dns64_ttl(qctx->db, qctx->version);
+			break;
+		default:
+			UNREACHABLE();
+		}
+
+		SAVE(qctx->client->query.dns64_aaaa, qctx->rdataset);
+		SAVE(qctx->client->query.dns64_sigaaaa, qctx->sigrdataset);
+		ns_client_releasename(qctx->client, &qctx->fname);
+		dns_db_detachnode(qctx->db, &qctx->node);
+		qctx->type = qctx->qtype = dns_rdatatype_a;
+		qctx->dns64 = true;
+		return (query_lookup(qctx));
+	}
+
+	if (qctx->is_zone) {
+		return (query_sign_nodata(qctx));
+	} else {
+		/*
+		 * We don't call query_addrrset() because we don't need any
+		 * of its extra features (and things would probably break!).
+		 */
+		if (dns_rdataset_isassociated(qctx->rdataset)) {
+			ns_client_keepname(qctx->client, qctx->fname,
+					   qctx->dbuf);
+			dns_message_addname(qctx->client->message, qctx->fname,
+					    DNS_SECTION_AUTHORITY);
+			ISC_LIST_APPEND(qctx->fname->list, qctx->rdataset,
+					link);
+			qctx->fname = NULL;
+			qctx->rdataset = NULL;
+		}
+	}
+
+	return (ns_query_done(qctx));
+
+cleanup:
+	return (result);
+}
+
+/*%
+ * Add RRSIGs for NOERROR/NODATA responses when answering authoritatively.
+ */
+isc_result_t
+query_sign_nodata(query_ctx_t *qctx) {
+	isc_result_t result;
+
+	CCTRACE(ISC_LOG_DEBUG(3), "query_sign_nodata");
+
+	/*
+	 * Look for a NSEC3 record if we don't have a NSEC record.
+	 */
+	if (qctx->redirected) {
+		return (ns_query_done(qctx));
+	}
+	if (!dns_rdataset_isassociated(qctx->rdataset) &&
+	    WANTDNSSEC(qctx->client))
+	{
+		if ((qctx->fname->attributes & DNS_NAMEATTR_WILDCARD) == 0) {
+			dns_name_t *found;
+			dns_name_t *qname;
+			dns_fixedname_t fixed;
+			isc_buffer_t b;
+
+			found = dns_fixedname_initname(&fixed);
+			qname = qctx->client->query.qname;
+
+			query_findclosestnsec3(qname, qctx->db, qctx->version,
+					       qctx->client, qctx->rdataset,
+					       qctx->sigrdataset, qctx->fname,
+					       true, found);
+			/*
+			 * Did we find the closest provable encloser
+			 * instead? If so add the nearest to the
+			 * closest provable encloser.
+			 */
+			if (dns_rdataset_isassociated(qctx->rdataset) &&
+			    !dns_name_equal(qname, found) &&
+			    (((qctx->client->sctx->options &
+			       NS_SERVER_NONEAREST) == 0) ||
+			     qctx->qtype == dns_rdatatype_ds))
+			{
+				unsigned int count;
+				unsigned int skip;
+
+				/*
+				 * Add the closest provable encloser.
+				 */
+				query_addrrset(qctx, &qctx->fname,
+					       &qctx->rdataset,
+					       &qctx->sigrdataset, qctx->dbuf,
+					       DNS_SECTION_AUTHORITY);
+
+				count = dns_name_countlabels(found) + 1;
+				skip = dns_name_countlabels(qname) - count;
+				dns_name_getlabelsequence(qname, skip, count,
+							  found);
+
+				fixfname(qctx->client, &qctx->fname,
+					 &qctx->dbuf, &b);
+				fixrdataset(qctx->client, &qctx->rdataset);
+				fixrdataset(qctx->client, &qctx->sigrdataset);
+				if (qctx->fname == NULL ||
+				    qctx->rdataset == NULL ||
+				    qctx->sigrdataset == NULL)
+				{
+					CCTRACE(ISC_LOG_ERROR, "query_sign_"
+							       "nodata: "
+							       "failure "
+							       "getting "
+							       "closest "
+							       "encloser");
+					QUERY_ERROR(qctx, ISC_R_NOMEMORY);
+					return (ns_query_done(qctx));
+				}
+				/*
+				 * 'nearest' doesn't exist so
+				 * 'exist' is set to false.
+				 */
+				query_findclosestnsec3(
+					found, qctx->db, qctx->version,
+					qctx->client, qctx->rdataset,
+					qctx->sigrdataset, qctx->fname, false,
+					NULL);
+			}
+		} else {
+			ns_client_releasename(qctx->client, &qctx->fname);
+			query_addwildcardproof(qctx, false, true);
+		}
+	}
+	if (dns_rdataset_isassociated(qctx->rdataset)) {
+		/*
+		 * If we've got a NSEC record, we need to save the
+		 * name now because we're going call query_addsoa()
+		 * below, and it needs to use the name buffer.
+		 */
+		ns_client_keepname(qctx->client, qctx->fname, qctx->dbuf);
+	} else if (qctx->fname != NULL) {
+		/*
+		 * We're not going to use fname, and need to release
+		 * our hold on the name buffer so query_addsoa()
+		 * may use it.
+		 */
+		ns_client_releasename(qctx->client, &qctx->fname);
+	}
+
+	/*
+	 * The RPZ SOA has already been added to the additional section
+	 * if this was an RPZ rewrite, but if it wasn't, add it now.
+	 */
+	if (!qctx->nxrewrite) {
+		result = query_addsoa(qctx, UINT32_MAX, DNS_SECTION_AUTHORITY);
+		if (result != ISC_R_SUCCESS) {
+			QUERY_ERROR(qctx, result);
+			return (ns_query_done(qctx));
+		}
+	}
+
+	/*
+	 * Add NSEC record if we found one.
+	 */
+	if (WANTDNSSEC(qctx->client) &&
+	    dns_rdataset_isassociated(qctx->rdataset))
+	{
+		query_addnxrrsetnsec(qctx);
+	}
+
+	return (ns_query_done(qctx));
+}
+
+static void
+query_addnxrrsetnsec(query_ctx_t *qctx) {
+	ns_client_t *client = qctx->client;
+	dns_rdata_t sigrdata;
+	dns_rdata_rrsig_t sig;
+	unsigned int labels;
+	isc_buffer_t *dbuf, b;
+	dns_name_t *fname;
+	isc_result_t result;
+
+	INSIST(qctx->fname != NULL);
+
+	if ((qctx->fname->attributes & DNS_NAMEATTR_WILDCARD) == 0) {
+		query_addrrset(qctx, &qctx->fname, &qctx->rdataset,
+			       &qctx->sigrdataset, NULL, DNS_SECTION_AUTHORITY);
+		return;
+	}
+
+	if (qctx->sigrdataset == NULL ||
+	    !dns_rdataset_isassociated(qctx->sigrdataset))
+	{
+		return;
+	}
+
+	if (dns_rdataset_first(qctx->sigrdataset) != ISC_R_SUCCESS) {
+		return;
+	}
+
+	dns_rdata_init(&sigrdata);
+	dns_rdataset_current(qctx->sigrdataset, &sigrdata);
+	result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	labels = dns_name_countlabels(qctx->fname);
+	if ((unsigned int)sig.labels + 1 >= labels) {
+		return;
+	}
+
+	query_addwildcardproof(qctx, true, false);
+
+	/*
+	 * We'll need some resources...
+	 */
+	dbuf = ns_client_getnamebuf(client);
+	if (dbuf == NULL) {
+		return;
+	}
+
+	fname = ns_client_newname(client, dbuf, &b);
+	if (fname == NULL) {
+		return;
+	}
+
+	dns_name_split(qctx->fname, sig.labels + 1, NULL, fname);
+	/* This will succeed, since we've stripped labels. */
+	RUNTIME_CHECK(dns_name_concatenate(dns_wildcardname, fname, fname,
+					   NULL) == ISC_R_SUCCESS);
+	query_addrrset(qctx, &fname, &qctx->rdataset, &qctx->sigrdataset, dbuf,
+		       DNS_SECTION_AUTHORITY);
+}
+
+/*%
+ * Handle NXDOMAIN and empty wildcard responses.
+ */
+static isc_result_t
+query_nxdomain(query_ctx_t *qctx, bool empty_wild) {
+	dns_section_t section;
+	uint32_t ttl;
+	isc_result_t result;
+
+	CCTRACE(ISC_LOG_DEBUG(3), "query_nxdomain");
+
+	CALL_HOOK(NS_QUERY_NXDOMAIN_BEGIN, qctx);
+
+	INSIST(qctx->is_zone || REDIRECT(qctx->client));
+
+	if (!empty_wild) {
+		result = query_redirect(qctx);
+		if (result != ISC_R_COMPLETE) {
+			return (result);
+		}
+	}
+
+	if (dns_rdataset_isassociated(qctx->rdataset)) {
+		/*
+		 * If we've got a NSEC record, we need to save the
+		 * name now because we're going call query_addsoa()
+		 * below, and it needs to use the name buffer.
+		 */
+		ns_client_keepname(qctx->client, qctx->fname, qctx->dbuf);
+	} else if (qctx->fname != NULL) {
+		/*
+		 * We're not going to use fname, and need to release
+		 * our hold on the name buffer so query_addsoa()
+		 * may use it.
+		 */
+		ns_client_releasename(qctx->client, &qctx->fname);
+	}
+
+	/*
+	 * Add SOA to the additional section if generated by a
+	 * RPZ rewrite.
+	 *
+	 * If the query was for a SOA record force the
+	 * ttl to zero so that it is possible for clients to find
+	 * the containing zone of an arbitrary name with a stub
+	 * resolver and not have it cached.
+	 */
+	section = qctx->nxrewrite ? DNS_SECTION_ADDITIONAL
+				  : DNS_SECTION_AUTHORITY;
+	ttl = UINT32_MAX;
+	if (!qctx->nxrewrite && qctx->qtype == dns_rdatatype_soa &&
+	    qctx->zone != NULL && dns_zone_getzeronosoattl(qctx->zone))
+	{
+		ttl = 0;
+	}
+	if (!qctx->nxrewrite ||
+	    (qctx->rpz_st != NULL && qctx->rpz_st->m.rpz->addsoa))
+	{
+		result = query_addsoa(qctx, ttl, section);
+		if (result != ISC_R_SUCCESS) {
+			QUERY_ERROR(qctx, result);
+			return (ns_query_done(qctx));
+		}
+	}
+
+	if (WANTDNSSEC(qctx->client)) {
+		/*
+		 * Add NSEC record if we found one.
+		 */
+		if (dns_rdataset_isassociated(qctx->rdataset)) {
+			query_addrrset(qctx, &qctx->fname, &qctx->rdataset,
+				       &qctx->sigrdataset, NULL,
+				       DNS_SECTION_AUTHORITY);
+		}
+		query_addwildcardproof(qctx, false, false);
+	}
+
+	/*
+	 * Set message rcode.
+	 */
+	if (empty_wild) {
+		qctx->client->message->rcode = dns_rcode_noerror;
+	} else {
+		qctx->client->message->rcode = dns_rcode_nxdomain;
+	}
+
+	return (ns_query_done(qctx));
+
+cleanup:
+	return (result);
+}
+
+/*
+ * Handle both types of NXDOMAIN redirection, calling redirect()
+ * (which implements type redirect zones) and redirect2() (which
+ * implements recursive nxdomain-redirect lookups).
+ *
+ * Any result code other than ISC_R_COMPLETE means redirection was
+ * successful and the result code should be returned up the call stack.
+ *
+ * ISC_R_COMPLETE means we reached the end of this function without
+ * redirecting, so query processing should continue past it.
+ */
+static isc_result_t
+query_redirect(query_ctx_t *qctx) {
+	isc_result_t result;
+
+	CCTRACE(ISC_LOG_DEBUG(3), "query_redirect");
+
+	result = redirect(qctx->client, qctx->fname, qctx->rdataset,
+			  &qctx->node, &qctx->db, &qctx->version, qctx->type);
+	switch (result) {
+	case ISC_R_SUCCESS:
+		inc_stats(qctx->client, ns_statscounter_nxdomainredirect);
+		return (query_prepresponse(qctx));
+	case DNS_R_NXRRSET:
+		qctx->redirected = true;
+		qctx->is_zone = true;
+		return (query_nodata(qctx, DNS_R_NXRRSET));
+	case DNS_R_NCACHENXRRSET:
+		qctx->redirected = true;
+		qctx->is_zone = false;
+		return (query_ncache(qctx, DNS_R_NCACHENXRRSET));
+	default:
+		break;
+	}
+
+	result = redirect2(qctx->client, qctx->fname, qctx->rdataset,
+			   &qctx->node, &qctx->db, &qctx->version, qctx->type,
+			   &qctx->is_zone);
+	switch (result) {
+	case ISC_R_SUCCESS:
+		inc_stats(qctx->client, ns_statscounter_nxdomainredirect);
+		return (query_prepresponse(qctx));
+	case DNS_R_CONTINUE:
+		inc_stats(qctx->client,
+			  ns_statscounter_nxdomainredirect_rlookup);
+		SAVE(qctx->client->query.redirect.db, qctx->db);
+		SAVE(qctx->client->query.redirect.node, qctx->node);
+		SAVE(qctx->client->query.redirect.zone, qctx->zone);
+		qctx->client->query.redirect.qtype = qctx->qtype;
+		INSIST(qctx->rdataset != NULL);
+		SAVE(qctx->client->query.redirect.rdataset, qctx->rdataset);
+		SAVE(qctx->client->query.redirect.sigrdataset,
+		     qctx->sigrdataset);
+		qctx->client->query.redirect.result = DNS_R_NCACHENXDOMAIN;
+		dns_name_copynf(qctx->fname,
+				qctx->client->query.redirect.fname);
+		qctx->client->query.redirect.authoritative =
+			qctx->authoritative;
+		qctx->client->query.redirect.is_zone = qctx->is_zone;
+		return (ns_query_done(qctx));
+	case DNS_R_NXRRSET:
+		qctx->redirected = true;
+		qctx->is_zone = true;
+		return (query_nodata(qctx, DNS_R_NXRRSET));
+	case DNS_R_NCACHENXRRSET:
+		qctx->redirected = true;
+		qctx->is_zone = false;
+		return (query_ncache(qctx, DNS_R_NCACHENXRRSET));
+	default:
+		break;
+	}
+
+	return (ISC_R_COMPLETE);
+}
+
+/*%
+ * Logging function to be passed to dns_nsec_noexistnodata.
+ */
+static void
+log_noexistnodata(void *val, int level, const char *fmt, ...) {
+	query_ctx_t *qctx = val;
+	va_list ap;
+
+	va_start(ap, fmt);
+	ns_client_logv(qctx->client, NS_LOGCATEGORY_QUERIES, NS_LOGMODULE_QUERY,
+		       level, fmt, ap);
+	va_end(ap);
+}
+
+static dns_ttl_t
+query_synthttl(dns_rdataset_t *soardataset, dns_rdataset_t *sigsoardataset,
+	       dns_rdataset_t *p1rdataset, dns_rdataset_t *sigp1rdataset,
+	       dns_rdataset_t *p2rdataset, dns_rdataset_t *sigp2rdataset) {
+	dns_rdata_soa_t soa;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_ttl_t ttl;
+	isc_result_t result;
+
+	REQUIRE(soardataset != NULL);
+	REQUIRE(sigsoardataset != NULL);
+	REQUIRE(p1rdataset != NULL);
+	REQUIRE(sigp1rdataset != NULL);
+
+	result = dns_rdataset_first(soardataset);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	dns_rdataset_current(soardataset, &rdata);
+	result = dns_rdata_tostruct(&rdata, &soa, NULL);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	ttl = ISC_MIN(soa.minimum, soardataset->ttl);
+	ttl = ISC_MIN(ttl, sigsoardataset->ttl);
+	ttl = ISC_MIN(ttl, p1rdataset->ttl);
+	ttl = ISC_MIN(ttl, sigp1rdataset->ttl);
+	if (p2rdataset != NULL) {
+		ttl = ISC_MIN(ttl, p2rdataset->ttl);
+	}
+	if (sigp2rdataset != NULL) {
+		ttl = ISC_MIN(ttl, sigp2rdataset->ttl);
+	}
+
+	return (ttl);
+}
+
+/*
+ * Synthesize a NODATA response from the SOA and covering NSEC in cache.
+ */
+static isc_result_t
+query_synthnodata(query_ctx_t *qctx, const dns_name_t *signer,
+		  dns_rdataset_t **soardatasetp,
+		  dns_rdataset_t **sigsoardatasetp) {
+	dns_name_t *name = NULL;
+	dns_ttl_t ttl;
+	isc_buffer_t *dbuf, b;
+	isc_result_t result;
+
+	/*
+	 * Determine the correct TTL to use for the SOA and RRSIG
+	 */
+	ttl = query_synthttl(*soardatasetp, *sigsoardatasetp, qctx->rdataset,
+			     qctx->sigrdataset, NULL, NULL);
+	(*soardatasetp)->ttl = (*sigsoardatasetp)->ttl = ttl;
+
+	/*
+	 * We want the SOA record to be first, so save the
+	 * NODATA proof's name now or else discard it.
+	 */
+	if (WANTDNSSEC(qctx->client)) {
+		ns_client_keepname(qctx->client, qctx->fname, qctx->dbuf);
+	} else {
+		ns_client_releasename(qctx->client, &qctx->fname);
+	}
+
+	dbuf = ns_client_getnamebuf(qctx->client);
+	if (dbuf == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+
+	name = ns_client_newname(qctx->client, dbuf, &b);
+	if (name == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+
+	dns_name_copynf(signer, name);
+
+	/*
+	 * Add SOA record. Omit the RRSIG if DNSSEC was not requested.
+	 */
+	if (!WANTDNSSEC(qctx->client)) {
+		sigsoardatasetp = NULL;
+	}
+	query_addrrset(qctx, &name, soardatasetp, sigsoardatasetp, dbuf,
+		       DNS_SECTION_AUTHORITY);
+
+	if (WANTDNSSEC(qctx->client)) {
+		/*
+		 * Add NODATA proof.
+		 */
+		query_addrrset(qctx, &qctx->fname, &qctx->rdataset,
+			       &qctx->sigrdataset, NULL, DNS_SECTION_AUTHORITY);
+	}
+
+	result = ISC_R_SUCCESS;
+	inc_stats(qctx->client, ns_statscounter_nodatasynth);
+
+cleanup:
+	if (name != NULL) {
+		ns_client_releasename(qctx->client, &name);
+	}
+	return (result);
+}
+
+/*
+ * Synthesize a wildcard answer using the contents of 'rdataset'.
+ * qctx contains the NODATA proof.
+ */
+static isc_result_t
+query_synthwildcard(query_ctx_t *qctx, dns_rdataset_t *rdataset,
+		    dns_rdataset_t *sigrdataset) {
+	dns_name_t *name = NULL;
+	isc_buffer_t *dbuf, b;
+	isc_result_t result;
+	dns_rdataset_t *cloneset = NULL, *clonesigset = NULL;
+	dns_rdataset_t **sigrdatasetp;
+
+	CCTRACE(ISC_LOG_DEBUG(3), "query_synthwildcard");
+
+	/*
+	 * We want the answer to be first, so save the
+	 * NOQNAME proof's name now or else discard it.
+	 */
+	if (WANTDNSSEC(qctx->client)) {
+		ns_client_keepname(qctx->client, qctx->fname, qctx->dbuf);
+	} else {
+		ns_client_releasename(qctx->client, &qctx->fname);
+	}
+
+	dbuf = ns_client_getnamebuf(qctx->client);
+	if (dbuf == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+
+	name = ns_client_newname(qctx->client, dbuf, &b);
+	if (name == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+	dns_name_copynf(qctx->client->query.qname, name);
+
+	cloneset = ns_client_newrdataset(qctx->client);
+	if (cloneset == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+	dns_rdataset_clone(rdataset, cloneset);
+
+	/*
+	 * Add answer RRset. Omit the RRSIG if DNSSEC was not requested.
+	 */
+	if (WANTDNSSEC(qctx->client)) {
+		clonesigset = ns_client_newrdataset(qctx->client);
+		if (clonesigset == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+		dns_rdataset_clone(sigrdataset, clonesigset);
+		sigrdatasetp = &clonesigset;
+	} else {
+		sigrdatasetp = NULL;
+	}
+
+	query_addrrset(qctx, &name, &cloneset, sigrdatasetp, dbuf,
+		       DNS_SECTION_ANSWER);
+
+	if (WANTDNSSEC(qctx->client)) {
+		/*
+		 * Add NOQNAME proof.
+		 */
+		query_addrrset(qctx, &qctx->fname, &qctx->rdataset,
+			       &qctx->sigrdataset, NULL, DNS_SECTION_AUTHORITY);
+	}
+
+	result = ISC_R_SUCCESS;
+	inc_stats(qctx->client, ns_statscounter_wildcardsynth);
+
+cleanup:
+	if (name != NULL) {
+		ns_client_releasename(qctx->client, &name);
+	}
+	if (cloneset != NULL) {
+		ns_client_putrdataset(qctx->client, &cloneset);
+	}
+	if (clonesigset != NULL) {
+		ns_client_putrdataset(qctx->client, &clonesigset);
+	}
+	return (result);
+}
+
+/*
+ * Add a synthesized CNAME record from the wildard RRset (rdataset)
+ * and NODATA proof by calling query_synthwildcard then setup to
+ * follow the CNAME.
+ */
+static isc_result_t
+query_synthcnamewildcard(query_ctx_t *qctx, dns_rdataset_t *rdataset,
+			 dns_rdataset_t *sigrdataset) {
+	isc_result_t result;
+	dns_name_t *tname = NULL;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_cname_t cname;
+
+	result = query_synthwildcard(qctx, rdataset, sigrdataset);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	qctx->client->query.attributes |= NS_QUERYATTR_PARTIALANSWER;
+
+	/*
+	 * Reset qname to be the target name of the CNAME and restart
+	 * the query.
+	 */
+	result = dns_message_gettempname(qctx->client->message, &tname);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = dns_rdataset_first(rdataset);
+	if (result != ISC_R_SUCCESS) {
+		dns_message_puttempname(qctx->client->message, &tname);
+		return (result);
+	}
+
+	dns_rdataset_current(rdataset, &rdata);
+	result = dns_rdata_tostruct(&rdata, &cname, NULL);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	dns_rdata_reset(&rdata);
+
+	if (dns_name_equal(qctx->client->query.qname, &cname.cname)) {
+		dns_message_puttempname(qctx->client->message, &tname);
+		dns_rdata_freestruct(&cname);
+		return (ISC_R_SUCCESS);
+	}
+
+	dns_name_copynf(&cname.cname, tname);
+
+	dns_rdata_freestruct(&cname);
+	ns_client_qnamereplace(qctx->client, tname);
+	qctx->want_restart = true;
+	if (!WANTRECURSION(qctx->client)) {
+		qctx->options |= DNS_GETDB_NOLOG;
+	}
+
+	return (result);
+}
+
+/*
+ * Synthesize a NXDOMAIN response from qctx (which contains the
+ * NODATA proof), nowild + nowildrdataset + signowildrdataset (which
+ * contains the NOWILDCARD proof) and signer + soardatasetp + sigsoardatasetp
+ * which contain the SOA record + RRSIG for the negative answer.
+ */
+static isc_result_t
+query_synthnxdomain(query_ctx_t *qctx, dns_name_t *nowild,
+		    dns_rdataset_t *nowildrdataset,
+		    dns_rdataset_t *signowildrdataset, dns_name_t *signer,
+		    dns_rdataset_t **soardatasetp,
+		    dns_rdataset_t **sigsoardatasetp) {
+	dns_name_t *name = NULL;
+	dns_ttl_t ttl;
+	isc_buffer_t *dbuf, b;
+	isc_result_t result;
+	dns_rdataset_t *cloneset = NULL, *clonesigset = NULL;
+
+	CCTRACE(ISC_LOG_DEBUG(3), "query_synthnxdomain");
+
+	/*
+	 * Determine the correct TTL to use for the SOA and RRSIG
+	 */
+	ttl = query_synthttl(*soardatasetp, *sigsoardatasetp, qctx->rdataset,
+			     qctx->sigrdataset, nowildrdataset,
+			     signowildrdataset);
+	(*soardatasetp)->ttl = (*sigsoardatasetp)->ttl = ttl;
+
+	/*
+	 * We want the SOA record to be first, so save the
+	 * NOQNAME proof's name now or else discard it.
+	 */
+	if (WANTDNSSEC(qctx->client)) {
+		ns_client_keepname(qctx->client, qctx->fname, qctx->dbuf);
+	} else {
+		ns_client_releasename(qctx->client, &qctx->fname);
+	}
+
+	dbuf = ns_client_getnamebuf(qctx->client);
+	if (dbuf == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+
+	name = ns_client_newname(qctx->client, dbuf, &b);
+	if (name == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+
+	dns_name_copynf(signer, name);
+
+	/*
+	 * Add SOA record. Omit the RRSIG if DNSSEC was not requested.
+	 */
+	if (!WANTDNSSEC(qctx->client)) {
+		sigsoardatasetp = NULL;
+	}
+	query_addrrset(qctx, &name, soardatasetp, sigsoardatasetp, dbuf,
+		       DNS_SECTION_AUTHORITY);
+
+	if (WANTDNSSEC(qctx->client)) {
+		/*
+		 * Add NOQNAME proof.
+		 */
+		query_addrrset(qctx, &qctx->fname, &qctx->rdataset,
+			       &qctx->sigrdataset, NULL, DNS_SECTION_AUTHORITY);
+
+		dbuf = ns_client_getnamebuf(qctx->client);
+		if (dbuf == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+
+		name = ns_client_newname(qctx->client, dbuf, &b);
+		if (name == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+
+		dns_name_copynf(nowild, name);
+
+		cloneset = ns_client_newrdataset(qctx->client);
+		clonesigset = ns_client_newrdataset(qctx->client);
+		if (cloneset == NULL || clonesigset == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+
+		dns_rdataset_clone(nowildrdataset, cloneset);
+		dns_rdataset_clone(signowildrdataset, clonesigset);
+
+		/*
+		 * Add NOWILDCARD proof.
+		 */
+		query_addrrset(qctx, &name, &cloneset, &clonesigset, dbuf,
+			       DNS_SECTION_AUTHORITY);
+	}
+
+	qctx->client->message->rcode = dns_rcode_nxdomain;
+	result = ISC_R_SUCCESS;
+	inc_stats(qctx->client, ns_statscounter_nxdomainsynth);
+
+cleanup:
+	if (name != NULL) {
+		ns_client_releasename(qctx->client, &name);
+	}
+	if (cloneset != NULL) {
+		ns_client_putrdataset(qctx->client, &cloneset);
+	}
+	if (clonesigset != NULL) {
+		ns_client_putrdataset(qctx->client, &clonesigset);
+	}
+	return (result);
+}
+
+/*
+ * Check that all signer names in sigrdataset match the expected signer.
+ */
+static isc_result_t
+checksignames(dns_name_t *signer, dns_rdataset_t *sigrdataset) {
+	isc_result_t result;
+
+	for (result = dns_rdataset_first(sigrdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(sigrdataset))
+	{
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_rdata_rrsig_t rrsig;
+
+		dns_rdataset_current(sigrdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		if (dns_name_countlabels(signer) == 0) {
+			dns_name_copynf(&rrsig.signer, signer);
+		} else if (!dns_name_equal(signer, &rrsig.signer)) {
+			return (ISC_R_FAILURE);
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Handle covering NSEC responses.
+ *
+ * Verify the NSEC record is appropriate for the QNAME; if not,
+ * redo the initial query without DNS_DBFIND_COVERINGNSEC.
+ *
+ * If the covering NSEC proves that the name exists but not the type,
+ * synthesize a NODATA response.
+ *
+ * If the name doesn't exist, compute the wildcard record and check whether
+ * the wildcard name exists or not.  If we can't determine this, redo the
+ * initial query without DNS_DBFIND_COVERINGNSEC.
+ *
+ * If the wildcard name does not exist, compute the SOA name and look that
+ * up.  If the SOA record does not exist, redo the initial query without
+ * DNS_DBFIND_COVERINGNSEC.  If the SOA record exists, synthesize an
+ * NXDOMAIN response from the found records.
+ *
+ * If the wildcard name does exist, perform a lookup for the requested
+ * type at the wildcard name.
+ */
+static isc_result_t
+query_coveringnsec(query_ctx_t *qctx) {
+	dns_db_t *db = NULL;
+	dns_clientinfo_t ci;
+	dns_clientinfomethods_t cm;
+	dns_dbnode_t *node = NULL;
+	dns_fixedname_t fixed;
+	dns_fixedname_t fnowild;
+	dns_fixedname_t fsigner;
+	dns_fixedname_t fwild;
+	dns_name_t *fname = NULL;
+	dns_name_t *nowild = NULL;
+	dns_name_t *signer = NULL;
+	dns_name_t *wild = NULL;
+	dns_rdataset_t *soardataset = NULL, *sigsoardataset = NULL;
+	dns_rdataset_t rdataset, sigrdataset;
+	bool done = false;
+	bool exists = true, data = true;
+	bool redirected = false;
+	isc_result_t result = ISC_R_SUCCESS;
+	unsigned int dboptions = qctx->client->query.dboptions;
+
+	CCTRACE(ISC_LOG_DEBUG(3), "query_coveringnsec");
+
+	dns_rdataset_init(&rdataset);
+	dns_rdataset_init(&sigrdataset);
+
+	/*
+	 * If we have no signer name, stop immediately.
+	 */
+	if (!dns_rdataset_isassociated(qctx->sigrdataset)) {
+		goto cleanup;
+	}
+
+	wild = dns_fixedname_initname(&fwild);
+	fname = dns_fixedname_initname(&fixed);
+	signer = dns_fixedname_initname(&fsigner);
+	nowild = dns_fixedname_initname(&fnowild);
+
+	dns_clientinfomethods_init(&cm, ns_client_sourceip);
+	dns_clientinfo_init(&ci, qctx->client, NULL, NULL);
+
+	/*
+	 * All signer names must be the same to accept.
+	 */
+	result = checksignames(signer, qctx->sigrdataset);
+	if (result != ISC_R_SUCCESS) {
+		result = ISC_R_SUCCESS;
+		goto cleanup;
+	}
+
+	/*
+	 * Check that we have the correct NOQNAME NSEC record.
+	 */
+	result = dns_nsec_noexistnodata(qctx->qtype, qctx->client->query.qname,
+					qctx->fname, qctx->rdataset, &exists,
+					&data, wild, log_noexistnodata, qctx);
+
+	if (result != ISC_R_SUCCESS || (exists && data)) {
+		goto cleanup;
+	}
+
+	if (exists) {
+		if (qctx->type == dns_rdatatype_any) { /* XXX not yet */
+			goto cleanup;
+		}
+		if (!ISC_LIST_EMPTY(qctx->view->dns64) &&
+		    (qctx->type == dns_rdatatype_a ||
+		     qctx->type == dns_rdatatype_aaaa)) /* XXX not yet */
+		{
+			goto cleanup;
+		}
+		if (!qctx->resuming && !STALE(qctx->rdataset) &&
+		    qctx->rdataset->ttl == 0 && RECURSIONOK(qctx->client))
+		{
+			goto cleanup;
+		}
+
+		soardataset = ns_client_newrdataset(qctx->client);
+		sigsoardataset = ns_client_newrdataset(qctx->client);
+		if (soardataset == NULL || sigsoardataset == NULL) {
+			goto cleanup;
+		}
+
+		/*
+		 * Look for SOA record to construct NODATA response.
+		 */
+		dns_db_attach(qctx->db, &db);
+		result = dns_db_findext(db, signer, qctx->version,
+					dns_rdatatype_soa, dboptions,
+					qctx->client->now, &node, fname, &cm,
+					&ci, soardataset, sigsoardataset);
+
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+		(void)query_synthnodata(qctx, signer, &soardataset,
+					&sigsoardataset);
+		done = true;
+		goto cleanup;
+	}
+
+	/*
+	 * Look up the no-wildcard proof.
+	 */
+	dns_db_attach(qctx->db, &db);
+	result = dns_db_findext(db, wild, qctx->version, qctx->type,
+				dboptions | DNS_DBFIND_COVERINGNSEC,
+				qctx->client->now, &node, nowild, &cm, &ci,
+				&rdataset, &sigrdataset);
+
+	if (rdataset.trust != dns_trust_secure ||
+	    sigrdataset.trust != dns_trust_secure)
+	{
+		goto cleanup;
+	}
+
+	/*
+	 * Zero TTL handling of wildcard record.
+	 *
+	 * We don't yet have code to handle synthesis and type ANY or dns64
+	 * processing so we abort the synthesis here if there would be a
+	 * interaction.
+	 */
+	switch (result) {
+	case ISC_R_SUCCESS:
+		if (qctx->type == dns_rdatatype_any) { /* XXX not yet */
+			goto cleanup;
+		}
+		if (!ISC_LIST_EMPTY(qctx->view->dns64) &&
+		    (qctx->type == dns_rdatatype_a ||
+		     qctx->type == dns_rdatatype_aaaa)) /* XXX not yet */
+		{
+			goto cleanup;
+		}
+		FALLTHROUGH;
+	case DNS_R_CNAME:
+		if (!qctx->resuming && !STALE(&rdataset) && rdataset.ttl == 0 &&
+		    RECURSIONOK(qctx->client))
+		{
+			goto cleanup;
+		}
+	default:
+		break;
+	}
+
+	switch (result) {
+	case DNS_R_COVERINGNSEC:
+		result = dns_nsec_noexistnodata(qctx->qtype, wild, nowild,
+						&rdataset, &exists, &data, NULL,
+						log_noexistnodata, qctx);
+		if (result != ISC_R_SUCCESS || exists) {
+			goto cleanup;
+		}
+		break;
+	case ISC_R_SUCCESS: /* wild card match */
+		(void)query_synthwildcard(qctx, &rdataset, &sigrdataset);
+		done = true;
+		goto cleanup;
+	case DNS_R_CNAME: /* wild card cname */
+		(void)query_synthcnamewildcard(qctx, &rdataset, &sigrdataset);
+		done = true;
+		goto cleanup;
+	case DNS_R_NCACHENXRRSET:  /* wild card nodata */
+	case DNS_R_NCACHENXDOMAIN: /* direct nxdomain */
+	default:
+		goto cleanup;
+	}
+
+	/*
+	 * We now have the proof that we have an NXDOMAIN.  Apply
+	 * NXDOMAIN redirection if configured.
+	 */
+	result = query_redirect(qctx);
+	if (result != ISC_R_COMPLETE) {
+		redirected = true;
+		goto cleanup;
+	}
+
+	/*
+	 * Must be signed to accept.
+	 */
+	if (!dns_rdataset_isassociated(&sigrdataset)) {
+		goto cleanup;
+	}
+
+	/*
+	 * Check signer signer names again.
+	 */
+	result = checksignames(signer, &sigrdataset);
+	if (result != ISC_R_SUCCESS) {
+		result = ISC_R_SUCCESS;
+		goto cleanup;
+	}
+
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+
+	soardataset = ns_client_newrdataset(qctx->client);
+	sigsoardataset = ns_client_newrdataset(qctx->client);
+	if (soardataset == NULL || sigsoardataset == NULL) {
+		goto cleanup;
+	}
+
+	/*
+	 * Look for SOA record to construct NXDOMAIN response.
+	 */
+	result = dns_db_findext(db, signer, qctx->version, dns_rdatatype_soa,
+				dboptions, qctx->client->now, &node, fname, &cm,
+				&ci, soardataset, sigsoardataset);
+
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	(void)query_synthnxdomain(qctx, nowild, &rdataset, &sigrdataset, signer,
+				  &soardataset, &sigsoardataset);
+	done = true;
+
+cleanup:
+	if (dns_rdataset_isassociated(&rdataset)) {
+		dns_rdataset_disassociate(&rdataset);
+	}
+	if (dns_rdataset_isassociated(&sigrdataset)) {
+		dns_rdataset_disassociate(&sigrdataset);
+	}
+	if (soardataset != NULL) {
+		ns_client_putrdataset(qctx->client, &soardataset);
+	}
+	if (sigsoardataset != NULL) {
+		ns_client_putrdataset(qctx->client, &sigsoardataset);
+	}
+	if (db != NULL) {
+		if (node != NULL) {
+			dns_db_detachnode(db, &node);
+		}
+		dns_db_detach(&db);
+	}
+
+	if (redirected) {
+		return (result);
+	}
+
+	if (!done) {
+		/*
+		 * No covering NSEC was found; proceed with recursion.
+		 */
+		qctx->findcoveringnsec = false;
+		if (qctx->fname != NULL) {
+			ns_client_releasename(qctx->client, &qctx->fname);
+		}
+		if (qctx->node != NULL) {
+			dns_db_detachnode(qctx->db, &qctx->node);
+		}
+		ns_client_putrdataset(qctx->client, &qctx->rdataset);
+		if (qctx->sigrdataset != NULL) {
+			ns_client_putrdataset(qctx->client, &qctx->sigrdataset);
+		}
+		return (query_lookup(qctx));
+	}
+
+	return (ns_query_done(qctx));
+}
+
+/*%
+ * Handle negative cache responses, DNS_R_NCACHENXRRSET or
+ * DNS_R_NCACHENXDOMAIN. (Note: may also be called with result
+ * set to DNS_R_NXDOMAIN when handling DNS64 lookups.)
+ */
+static isc_result_t
+query_ncache(query_ctx_t *qctx, isc_result_t result) {
+	INSIST(!qctx->is_zone);
+	INSIST(result == DNS_R_NCACHENXDOMAIN ||
+	       result == DNS_R_NCACHENXRRSET || result == DNS_R_NXDOMAIN);
+
+	CCTRACE(ISC_LOG_DEBUG(3), "query_ncache");
+
+	CALL_HOOK(NS_QUERY_NCACHE_BEGIN, qctx);
+
+	qctx->authoritative = false;
+
+	if (result == DNS_R_NCACHENXDOMAIN) {
+		/*
+		 * Set message rcode. (This is not done when
+		 * result == DNS_R_NXDOMAIN because that means we're
+		 * being called after a DNS64 lookup and don't want
+		 * to update the rcode now.)
+		 */
+		qctx->client->message->rcode = dns_rcode_nxdomain;
+
+		/* Look for RFC 1918 leakage from Internet. */
+		if (qctx->qtype == dns_rdatatype_ptr &&
+		    qctx->client->message->rdclass == dns_rdataclass_in &&
+		    dns_name_countlabels(qctx->fname) == 7)
+		{
+			warn_rfc1918(qctx->client, qctx->fname, qctx->rdataset);
+		}
+	}
+
+	return (query_nodata(qctx, result));
+
+cleanup:
+	return (result);
+}
+
+/*
+ * If we have a zero ttl from the cache, refetch.
+ */
+static isc_result_t
+query_zerottl_refetch(query_ctx_t *qctx) {
+	isc_result_t result;
+
+	CCTRACE(ISC_LOG_DEBUG(3), "query_zerottl_refetch");
+
+	if (qctx->is_zone || qctx->resuming || STALE(qctx->rdataset) ||
+	    qctx->rdataset->ttl != 0 || !RECURSIONOK(qctx->client))
+	{
+		return (ISC_R_COMPLETE);
+	}
+
+	qctx_clean(qctx);
+
+	INSIST(!REDIRECT(qctx->client));
+
+	result = ns_query_recurse(qctx->client, qctx->qtype,
+				  qctx->client->query.qname, NULL, NULL,
+				  qctx->resuming);
+	if (result == ISC_R_SUCCESS) {
+		CALL_HOOK(NS_QUERY_ZEROTTL_RECURSE, qctx);
+		qctx->client->query.attributes |= NS_QUERYATTR_RECURSING;
+
+		if (qctx->dns64) {
+			qctx->client->query.attributes |= NS_QUERYATTR_DNS64;
+		}
+		if (qctx->dns64_exclude) {
+			qctx->client->query.attributes |=
+				NS_QUERYATTR_DNS64EXCLUDE;
+		}
+	} else {
+		/*
+		 * There was a zero ttl from the cache, don't fallback to
+		 * serve-stale lookup.
+		 */
+		QUERY_ERROR(qctx, result);
+	}
+
+	return (ns_query_done(qctx));
+
+cleanup:
+	return (result);
+}
+
+/*
+ * Handle CNAME responses.
+ */
+static isc_result_t
+query_cname(query_ctx_t *qctx) {
+	isc_result_t result = ISC_R_UNSET;
+	dns_name_t *tname = NULL;
+	dns_rdataset_t *trdataset = NULL;
+	dns_rdataset_t **sigrdatasetp = NULL;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_cname_t cname;
+
+	CCTRACE(ISC_LOG_DEBUG(3), "query_cname");
+
+	CALL_HOOK(NS_QUERY_CNAME_BEGIN, qctx);
+
+	result = query_zerottl_refetch(qctx);
+	if (result != ISC_R_COMPLETE) {
+		return (result);
+	}
+
+	/*
+	 * Keep a copy of the rdataset.  We have to do this because
+	 * query_addrrset may clear 'rdataset' (to prevent the
+	 * cleanup code from cleaning it up).
+	 */
+	trdataset = qctx->rdataset;
+
+	/*
+	 * Add the CNAME to the answer section.
+	 */
+	if (WANTDNSSEC(qctx->client) && qctx->sigrdataset != NULL) {
+		sigrdatasetp = &qctx->sigrdataset;
+	}
+
+	if (WANTDNSSEC(qctx->client) &&
+	    (qctx->fname->attributes & DNS_NAMEATTR_WILDCARD) != 0)
+	{
+		dns_fixedname_init(&qctx->wildcardname);
+		dns_name_copynf(qctx->fname,
+				dns_fixedname_name(&qctx->wildcardname));
+		qctx->need_wildcardproof = true;
+	}
+
+	if (NOQNAME(qctx->rdataset) && WANTDNSSEC(qctx->client)) {
+		qctx->noqname = qctx->rdataset;
+	} else {
+		qctx->noqname = NULL;
+	}
+
+	if (!qctx->is_zone && RECURSIONOK(qctx->client)) {
+		query_prefetch(qctx->client, qctx->fname, qctx->rdataset);
+	}
+
+	query_addrrset(qctx, &qctx->fname, &qctx->rdataset, sigrdatasetp,
+		       qctx->dbuf, DNS_SECTION_ANSWER);
+
+	query_addnoqnameproof(qctx);
+
+	/*
+	 * We set the PARTIALANSWER attribute so that if anything goes
+	 * wrong later on, we'll return what we've got so far.
+	 */
+	qctx->client->query.attributes |= NS_QUERYATTR_PARTIALANSWER;
+
+	/*
+	 * Reset qname to be the target name of the CNAME and restart
+	 * the query.
+	 */
+	result = dns_message_gettempname(qctx->client->message, &tname);
+	if (result != ISC_R_SUCCESS) {
+		return (ns_query_done(qctx));
+	}
+
+	result = dns_rdataset_first(trdataset);
+	if (result != ISC_R_SUCCESS) {
+		dns_message_puttempname(qctx->client->message, &tname);
+		return (ns_query_done(qctx));
+	}
+
+	dns_rdataset_current(trdataset, &rdata);
+	result = dns_rdata_tostruct(&rdata, &cname, NULL);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	dns_rdata_reset(&rdata);
+
+	dns_name_copynf(&cname.cname, tname);
+
+	dns_rdata_freestruct(&cname);
+	ns_client_qnamereplace(qctx->client, tname);
+	qctx->want_restart = true;
+	if (!WANTRECURSION(qctx->client)) {
+		qctx->options |= DNS_GETDB_NOLOG;
+	}
+
+	query_addauth(qctx);
+
+	return (ns_query_done(qctx));
+
+cleanup:
+	return (result);
+}
+
+/*
+ * Handle DNAME responses.
+ */
+static isc_result_t
+query_dname(query_ctx_t *qctx) {
+	dns_name_t *tname, *prefix;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_dname_t dname;
+	dns_fixedname_t fixed;
+	dns_rdataset_t *trdataset;
+	dns_rdataset_t **sigrdatasetp = NULL;
+	dns_namereln_t namereln;
+	isc_buffer_t b;
+	int order;
+	isc_result_t result;
+	unsigned int nlabels;
+
+	CCTRACE(ISC_LOG_DEBUG(3), "query_dname");
+
+	CALL_HOOK(NS_QUERY_DNAME_BEGIN, qctx);
+
+	/*
+	 * Compare the current qname to the found name.  We need
+	 * to know how many labels and bits are in common because
+	 * we're going to have to split qname later on.
+	 */
+	namereln = dns_name_fullcompare(qctx->client->query.qname, qctx->fname,
+					&order, &nlabels);
+	INSIST(namereln == dns_namereln_subdomain);
+
+	/*
+	 * Keep a copy of the rdataset.  We have to do this because
+	 * query_addrrset may clear 'rdataset' (to prevent the
+	 * cleanup code from cleaning it up).
+	 */
+	trdataset = qctx->rdataset;
+
+	/*
+	 * Add the DNAME to the answer section.
+	 */
+	if (WANTDNSSEC(qctx->client) && qctx->sigrdataset != NULL) {
+		sigrdatasetp = &qctx->sigrdataset;
+	}
+
+	if (WANTDNSSEC(qctx->client) &&
+	    (qctx->fname->attributes & DNS_NAMEATTR_WILDCARD) != 0)
+	{
+		dns_fixedname_init(&qctx->wildcardname);
+		dns_name_copynf(qctx->fname,
+				dns_fixedname_name(&qctx->wildcardname));
+		qctx->need_wildcardproof = true;
+	}
+
+	if (!qctx->is_zone && RECURSIONOK(qctx->client)) {
+		query_prefetch(qctx->client, qctx->fname, qctx->rdataset);
+	}
+	query_addrrset(qctx, &qctx->fname, &qctx->rdataset, sigrdatasetp,
+		       qctx->dbuf, DNS_SECTION_ANSWER);
+
+	/*
+	 * We set the PARTIALANSWER attribute so that if anything goes
+	 * wrong later on, we'll return what we've got so far.
+	 */
+	qctx->client->query.attributes |= NS_QUERYATTR_PARTIALANSWER;
+
+	/*
+	 * Get the target name of the DNAME.
+	 */
+	tname = NULL;
+	result = dns_message_gettempname(qctx->client->message, &tname);
+	if (result != ISC_R_SUCCESS) {
+		return (ns_query_done(qctx));
+	}
+
+	result = dns_rdataset_first(trdataset);
+	if (result != ISC_R_SUCCESS) {
+		dns_message_puttempname(qctx->client->message, &tname);
+		return (ns_query_done(qctx));
+	}
+
+	dns_rdataset_current(trdataset, &rdata);
+	result = dns_rdata_tostruct(&rdata, &dname, NULL);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	dns_rdata_reset(&rdata);
+
+	dns_name_copynf(&dname.dname, tname);
+	dns_rdata_freestruct(&dname);
+
+	/*
+	 * Construct the new qname consisting of
+	 * <found name prefix>.<dname target>
+	 */
+	prefix = dns_fixedname_initname(&fixed);
+	dns_name_split(qctx->client->query.qname, nlabels, prefix, NULL);
+	INSIST(qctx->fname == NULL);
+	qctx->dbuf = ns_client_getnamebuf(qctx->client);
+	if (qctx->dbuf == NULL) {
+		dns_message_puttempname(qctx->client->message, &tname);
+		return (ns_query_done(qctx));
+	}
+	qctx->fname = ns_client_newname(qctx->client, qctx->dbuf, &b);
+	if (qctx->fname == NULL) {
+		dns_message_puttempname(qctx->client->message, &tname);
+		return (ns_query_done(qctx));
+	}
+	result = dns_name_concatenate(prefix, tname, qctx->fname, NULL);
+	dns_message_puttempname(qctx->client->message, &tname);
+
+	/*
+	 * RFC2672, section 4.1, subsection 3c says
+	 * we should return YXDOMAIN if the constructed
+	 * name would be too long.
+	 */
+	if (result == DNS_R_NAMETOOLONG) {
+		qctx->client->message->rcode = dns_rcode_yxdomain;
+	}
+	if (result != ISC_R_SUCCESS) {
+		return (ns_query_done(qctx));
+	}
+
+	ns_client_keepname(qctx->client, qctx->fname, qctx->dbuf);
+
+	/*
+	 * Synthesize a CNAME consisting of
+	 *   <old qname> <dname ttl> CNAME <new qname>
+	 *	    with <dname trust value>
+	 *
+	 * Synthesize a CNAME so old old clients that don't understand
+	 * DNAME can chain.
+	 *
+	 * We do not try to synthesize a signature because we hope
+	 * that security aware servers will understand DNAME.  Also,
+	 * even if we had an online key, making a signature
+	 * on-the-fly is costly, and not really legitimate anyway
+	 * since the synthesized CNAME is NOT in the zone.
+	 */
+	result = query_addcname(qctx, trdataset->trust, trdataset->ttl);
+	if (result != ISC_R_SUCCESS) {
+		return (ns_query_done(qctx));
+	}
+
+	/*
+	 * If the original query was not for a CNAME or ANY then follow the
+	 * CNAME.
+	 */
+	if (qctx->qtype != dns_rdatatype_cname &&
+	    qctx->qtype != dns_rdatatype_any)
+	{
+		/*
+		 * Switch to the new qname and restart.
+		 */
+		ns_client_qnamereplace(qctx->client, qctx->fname);
+		qctx->fname = NULL;
+		qctx->want_restart = true;
+		if (!WANTRECURSION(qctx->client)) {
+			qctx->options |= DNS_GETDB_NOLOG;
+		}
+	}
+
+	query_addauth(qctx);
+
+	return (ns_query_done(qctx));
+
+cleanup:
+	return (result);
+}
+
+/*%
+ * Add CNAME to response.
+ */
+static isc_result_t
+query_addcname(query_ctx_t *qctx, dns_trust_t trust, dns_ttl_t ttl) {
+	ns_client_t *client = qctx->client;
+	dns_rdataset_t *rdataset = NULL;
+	dns_rdatalist_t *rdatalist = NULL;
+	dns_rdata_t *rdata = NULL;
+	isc_region_t r;
+	dns_name_t *aname = NULL;
+	isc_result_t result;
+
+	result = dns_message_gettempname(client->message, &aname);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	dns_name_copynf(client->query.qname, aname);
+
+	result = dns_message_gettemprdatalist(client->message, &rdatalist);
+	if (result != ISC_R_SUCCESS) {
+		dns_message_puttempname(client->message, &aname);
+		return (result);
+	}
+
+	result = dns_message_gettemprdata(client->message, &rdata);
+	if (result != ISC_R_SUCCESS) {
+		dns_message_puttempname(client->message, &aname);
+		dns_message_puttemprdatalist(client->message, &rdatalist);
+		return (result);
+	}
+
+	result = dns_message_gettemprdataset(client->message, &rdataset);
+	if (result != ISC_R_SUCCESS) {
+		dns_message_puttempname(client->message, &aname);
+		dns_message_puttemprdatalist(client->message, &rdatalist);
+		dns_message_puttemprdata(client->message, &rdata);
+		return (result);
+	}
+
+	rdatalist->type = dns_rdatatype_cname;
+	rdatalist->rdclass = client->message->rdclass;
+	rdatalist->ttl = ttl;
+
+	dns_name_toregion(qctx->fname, &r);
+	rdata->data = r.base;
+	rdata->length = r.length;
+	rdata->rdclass = client->message->rdclass;
+	rdata->type = dns_rdatatype_cname;
+
+	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
+	RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset) ==
+		      ISC_R_SUCCESS);
+	rdataset->trust = trust;
+	dns_rdataset_setownercase(rdataset, aname);
+
+	query_addrrset(qctx, &aname, &rdataset, NULL, NULL, DNS_SECTION_ANSWER);
+	if (rdataset != NULL) {
+		if (dns_rdataset_isassociated(rdataset)) {
+			dns_rdataset_disassociate(rdataset);
+		}
+		dns_message_puttemprdataset(client->message, &rdataset);
+	}
+	if (aname != NULL) {
+		dns_message_puttempname(client->message, &aname);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Prepare to respond: determine whether a wildcard proof is needed,
+ * then hand off to query_respond() or (for type ANY queries)
+ * query_respond_any().
+ */
+static isc_result_t
+query_prepresponse(query_ctx_t *qctx) {
+	isc_result_t result;
+
+	CCTRACE(ISC_LOG_DEBUG(3), "query_prepresponse");
+
+	CALL_HOOK(NS_QUERY_PREP_RESPONSE_BEGIN, qctx);
+
+	if (WANTDNSSEC(qctx->client) &&
+	    (qctx->fname->attributes & DNS_NAMEATTR_WILDCARD) != 0)
+	{
+		dns_fixedname_init(&qctx->wildcardname);
+		dns_name_copynf(qctx->fname,
+				dns_fixedname_name(&qctx->wildcardname));
+		qctx->need_wildcardproof = true;
+	}
+
+	if (qctx->type == dns_rdatatype_any) {
+		return (query_respond_any(qctx));
+	}
+
+	result = query_zerottl_refetch(qctx);
+	if (result != ISC_R_COMPLETE) {
+		return (result);
+	}
+
+	return (query_respond(qctx));
+
+cleanup:
+	return (result);
+}
+
+/*%
+ * Add SOA to the authority section when sending negative responses
+ * (or to the additional section if sending negative responses triggered
+ * by RPZ rewriting.)
+ */
+static isc_result_t
+query_addsoa(query_ctx_t *qctx, unsigned int override_ttl,
+	     dns_section_t section) {
+	ns_client_t *client = qctx->client;
+	dns_name_t *name;
+	dns_dbnode_t *node;
+	isc_result_t result, eresult;
+	dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
+	dns_rdataset_t **sigrdatasetp = NULL;
+	dns_clientinfomethods_t cm;
+	dns_clientinfo_t ci;
+
+	CTRACE(ISC_LOG_DEBUG(3), "query_addsoa");
+	/*
+	 * Initialization.
+	 */
+	eresult = ISC_R_SUCCESS;
+	name = NULL;
+	rdataset = NULL;
+	node = NULL;
+
+	dns_clientinfomethods_init(&cm, ns_client_sourceip);
+	dns_clientinfo_init(&ci, client, NULL, NULL);
+
+	/*
+	 * Don't add the SOA record for test which set "-T nosoa".
+	 */
+	if (((client->sctx->options & NS_SERVER_NOSOA) != 0) &&
+	    (!WANTDNSSEC(client) || !dns_rdataset_isassociated(qctx->rdataset)))
+	{
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * Get resources and make 'name' be the database origin.
+	 */
+	result = dns_message_gettempname(client->message, &name);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	/*
+	 * We'll be releasing 'name' before returning, so it's safe to
+	 * use clone instead of copying here.
+	 */
+	dns_name_clone(dns_db_origin(qctx->db), name);
+
+	rdataset = ns_client_newrdataset(client);
+	if (rdataset == NULL) {
+		CTRACE(ISC_LOG_ERROR, "unable to allocate rdataset");
+		eresult = DNS_R_SERVFAIL;
+		goto cleanup;
+	}
+	if (WANTDNSSEC(client) && dns_db_issecure(qctx->db)) {
+		sigrdataset = ns_client_newrdataset(client);
+		if (sigrdataset == NULL) {
+			CTRACE(ISC_LOG_ERROR, "unable to allocate sigrdataset");
+			eresult = DNS_R_SERVFAIL;
+			goto cleanup;
+		}
+	}
+
+	/*
+	 * Find the SOA.
+	 */
+	result = dns_db_getoriginnode(qctx->db, &node);
+	if (result == ISC_R_SUCCESS) {
+		result = dns_db_findrdataset(qctx->db, node, qctx->version,
+					     dns_rdatatype_soa, 0, client->now,
+					     rdataset, sigrdataset);
+	} else {
+		dns_fixedname_t foundname;
+		dns_name_t *fname;
+
+		fname = dns_fixedname_initname(&foundname);
+
+		result = dns_db_findext(qctx->db, name, qctx->version,
+					dns_rdatatype_soa,
+					client->query.dboptions, 0, &node,
+					fname, &cm, &ci, rdataset, sigrdataset);
+	}
+	if (result != ISC_R_SUCCESS) {
+		/*
+		 * This is bad.  We tried to get the SOA RR at the zone top
+		 * and it didn't work!
+		 */
+		CTRACE(ISC_LOG_ERROR, "unable to find SOA RR at zone apex");
+		eresult = DNS_R_SERVFAIL;
+	} else {
+		/*
+		 * Extract the SOA MINIMUM.
+		 */
+		dns_rdata_soa_t soa;
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		result = dns_rdataset_first(rdataset);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		dns_rdataset_current(rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &soa, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		if (override_ttl != UINT32_MAX && override_ttl < rdataset->ttl)
+		{
+			rdataset->ttl = override_ttl;
+			if (sigrdataset != NULL) {
+				sigrdataset->ttl = override_ttl;
+			}
+		}
+
+		/*
+		 * Add the SOA and its SIG to the response, with the
+		 * TTLs adjusted per RFC2308 section 3.
+		 */
+		if (rdataset->ttl > soa.minimum) {
+			rdataset->ttl = soa.minimum;
+		}
+		if (sigrdataset != NULL && sigrdataset->ttl > soa.minimum) {
+			sigrdataset->ttl = soa.minimum;
+		}
+
+		if (sigrdataset != NULL) {
+			sigrdatasetp = &sigrdataset;
+		} else {
+			sigrdatasetp = NULL;
+		}
+
+		if (section == DNS_SECTION_ADDITIONAL) {
+			rdataset->attributes |= DNS_RDATASETATTR_REQUIRED;
+		}
+		query_addrrset(qctx, &name, &rdataset, sigrdatasetp, NULL,
+			       section);
+	}
+
+cleanup:
+	ns_client_putrdataset(client, &rdataset);
+	if (sigrdataset != NULL) {
+		ns_client_putrdataset(client, &sigrdataset);
+	}
+	if (name != NULL) {
+		ns_client_releasename(client, &name);
+	}
+	if (node != NULL) {
+		dns_db_detachnode(qctx->db, &node);
+	}
+
+	return (eresult);
+}
+
+/*%
+ * Add NS to authority section (used when the zone apex is already known).
+ */
+static isc_result_t
+query_addns(query_ctx_t *qctx) {
+	ns_client_t *client = qctx->client;
+	isc_result_t result, eresult;
+	dns_name_t *name = NULL, *fname;
+	dns_dbnode_t *node = NULL;
+	dns_fixedname_t foundname;
+	dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
+	dns_rdataset_t **sigrdatasetp = NULL;
+	dns_clientinfomethods_t cm;
+	dns_clientinfo_t ci;
+
+	CTRACE(ISC_LOG_DEBUG(3), "query_addns");
+
+	/*
+	 * Initialization.
+	 */
+	eresult = ISC_R_SUCCESS;
+	fname = dns_fixedname_initname(&foundname);
+
+	dns_clientinfomethods_init(&cm, ns_client_sourceip);
+	dns_clientinfo_init(&ci, client, NULL, NULL);
+
+	/*
+	 * Get resources and make 'name' be the database origin.
+	 */
+	result = dns_message_gettempname(client->message, &name);
+	if (result != ISC_R_SUCCESS) {
+		CTRACE(ISC_LOG_DEBUG(3), "query_addns: dns_message_gettempname "
+					 "failed: done");
+		return (result);
+	}
+	dns_name_clone(dns_db_origin(qctx->db), name);
+	rdataset = ns_client_newrdataset(client);
+	if (rdataset == NULL) {
+		CTRACE(ISC_LOG_ERROR, "query_addns: ns_client_newrdataset "
+				      "failed");
+		eresult = DNS_R_SERVFAIL;
+		goto cleanup;
+	}
+
+	if (WANTDNSSEC(client) && dns_db_issecure(qctx->db)) {
+		sigrdataset = ns_client_newrdataset(client);
+		if (sigrdataset == NULL) {
+			CTRACE(ISC_LOG_ERROR, "query_addns: "
+					      "ns_client_newrdataset failed");
+			eresult = DNS_R_SERVFAIL;
+			goto cleanup;
+		}
+	}
+
+	/*
+	 * Find the NS rdataset.
+	 */
+	result = dns_db_getoriginnode(qctx->db, &node);
+	if (result == ISC_R_SUCCESS) {
+		result = dns_db_findrdataset(qctx->db, node, qctx->version,
+					     dns_rdatatype_ns, 0, client->now,
+					     rdataset, sigrdataset);
+	} else {
+		CTRACE(ISC_LOG_DEBUG(3), "query_addns: calling dns_db_find");
+		result = dns_db_findext(qctx->db, name, NULL, dns_rdatatype_ns,
+					client->query.dboptions, 0, &node,
+					fname, &cm, &ci, rdataset, sigrdataset);
+		CTRACE(ISC_LOG_DEBUG(3), "query_addns: dns_db_find complete");
+	}
+	if (result != ISC_R_SUCCESS) {
+		CTRACE(ISC_LOG_ERROR, "query_addns: "
+				      "dns_db_findrdataset or dns_db_find "
+				      "failed");
+		/*
+		 * This is bad.  We tried to get the NS rdataset at the zone
+		 * top and it didn't work!
+		 */
+		eresult = DNS_R_SERVFAIL;
+	} else {
+		if (sigrdataset != NULL) {
+			sigrdatasetp = &sigrdataset;
+		}
+		query_addrrset(qctx, &name, &rdataset, sigrdatasetp, NULL,
+			       DNS_SECTION_AUTHORITY);
+	}
+
+cleanup:
+	CTRACE(ISC_LOG_DEBUG(3), "query_addns: cleanup");
+	ns_client_putrdataset(client, &rdataset);
+	if (sigrdataset != NULL) {
+		ns_client_putrdataset(client, &sigrdataset);
+	}
+	if (name != NULL) {
+		ns_client_releasename(client, &name);
+	}
+	if (node != NULL) {
+		dns_db_detachnode(qctx->db, &node);
+	}
+
+	CTRACE(ISC_LOG_DEBUG(3), "query_addns: done");
+	return (eresult);
+}
+
+/*%
+ * Find the zone cut and add the best NS rrset to the authority section.
+ */
+static void
+query_addbestns(query_ctx_t *qctx) {
+	ns_client_t *client = qctx->client;
+	dns_db_t *db = NULL, *zdb = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_name_t *fname = NULL, *zfname = NULL;
+	dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
+	dns_rdataset_t *zrdataset = NULL, *zsigrdataset = NULL;
+	bool is_zone = false, use_zone = false;
+	isc_buffer_t *dbuf = NULL;
+	isc_result_t result;
+	dns_dbversion_t *version = NULL;
+	dns_zone_t *zone = NULL;
+	isc_buffer_t b;
+	dns_clientinfomethods_t cm;
+	dns_clientinfo_t ci;
+
+	CTRACE(ISC_LOG_DEBUG(3), "query_addbestns");
+
+	dns_clientinfomethods_init(&cm, ns_client_sourceip);
+	dns_clientinfo_init(&ci, client, NULL, NULL);
+
+	/*
+	 * Find the right database.
+	 */
+	result = query_getdb(client, client->query.qname, dns_rdatatype_ns, 0,
+			     &zone, &db, &version, &is_zone);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+db_find:
+	/*
+	 * We'll need some resources...
+	 */
+	dbuf = ns_client_getnamebuf(client);
+	if (dbuf == NULL) {
+		goto cleanup;
+	}
+	fname = ns_client_newname(client, dbuf, &b);
+	rdataset = ns_client_newrdataset(client);
+	if (fname == NULL || rdataset == NULL) {
+		goto cleanup;
+	}
+
+	/*
+	 * Get the RRSIGs if the client requested them or if we may
+	 * need to validate answers from the cache.
+	 */
+	if (WANTDNSSEC(client) || !is_zone) {
+		sigrdataset = ns_client_newrdataset(client);
+		if (sigrdataset == NULL) {
+			goto cleanup;
+		}
+	}
+
+	/*
+	 * Now look for the zonecut.
+	 */
+	if (is_zone) {
+		result = dns_db_findext(
+			db, client->query.qname, version, dns_rdatatype_ns,
+			client->query.dboptions, client->now, &node, fname, &cm,
+			&ci, rdataset, sigrdataset);
+		if (result != DNS_R_DELEGATION) {
+			goto cleanup;
+		}
+		if (USECACHE(client)) {
+			ns_client_keepname(client, fname, dbuf);
+			dns_db_detachnode(db, &node);
+			SAVE(zdb, db);
+			SAVE(zfname, fname);
+			SAVE(zrdataset, rdataset);
+			SAVE(zsigrdataset, sigrdataset);
+			version = NULL;
+			dns_db_attach(client->view->cachedb, &db);
+			is_zone = false;
+			goto db_find;
+		}
+	} else {
+		result = dns_db_findzonecut(
+			db, client->query.qname, client->query.dboptions,
+			client->now, &node, fname, NULL, rdataset, sigrdataset);
+		if (result == ISC_R_SUCCESS) {
+			if (zfname != NULL &&
+			    !dns_name_issubdomain(fname, zfname))
+			{
+				/*
+				 * We found a zonecut in the cache, but our
+				 * zone delegation is better.
+				 */
+				use_zone = true;
+			}
+		} else if (result == ISC_R_NOTFOUND && zfname != NULL) {
+			/*
+			 * We didn't find anything in the cache, but we
+			 * have a zone delegation, so use it.
+			 */
+			use_zone = true;
+		} else {
+			goto cleanup;
+		}
+	}
+
+	if (use_zone) {
+		ns_client_releasename(client, &fname);
+		/*
+		 * We've already done ns_client_keepname() on
+		 * zfname, so we must set dbuf to NULL to
+		 * prevent query_addrrset() from trying to
+		 * call ns_client_keepname() again.
+		 */
+		dbuf = NULL;
+		ns_client_putrdataset(client, &rdataset);
+		if (sigrdataset != NULL) {
+			ns_client_putrdataset(client, &sigrdataset);
+		}
+
+		if (node != NULL) {
+			dns_db_detachnode(db, &node);
+		}
+		dns_db_detach(&db);
+
+		RESTORE(db, zdb);
+		RESTORE(fname, zfname);
+		RESTORE(rdataset, zrdataset);
+		RESTORE(sigrdataset, zsigrdataset);
+	}
+
+	/*
+	 * Attempt to validate RRsets that are pending or that are glue.
+	 */
+	if ((DNS_TRUST_PENDING(rdataset->trust) ||
+	     (sigrdataset != NULL && DNS_TRUST_PENDING(sigrdataset->trust))) &&
+	    !validate(client, db, fname, rdataset, sigrdataset) &&
+	    !PENDINGOK(client->query.dboptions))
+	{
+		goto cleanup;
+	}
+
+	if ((DNS_TRUST_GLUE(rdataset->trust) ||
+	     (sigrdataset != NULL && DNS_TRUST_GLUE(sigrdataset->trust))) &&
+	    !validate(client, db, fname, rdataset, sigrdataset) &&
+	    SECURE(client) && WANTDNSSEC(client))
+	{
+		goto cleanup;
+	}
+
+	/*
+	 * If the answer is secure only add NS records if they are secure
+	 * when the client may be looking for AD in the response.
+	 */
+	if (SECURE(client) && (WANTDNSSEC(client) || WANTAD(client)) &&
+	    ((rdataset->trust != dns_trust_secure) ||
+	     (sigrdataset != NULL && sigrdataset->trust != dns_trust_secure)))
+	{
+		goto cleanup;
+	}
+
+	/*
+	 * If the client doesn't want DNSSEC we can discard the sigrdataset
+	 * now.
+	 */
+	if (!WANTDNSSEC(client)) {
+		ns_client_putrdataset(client, &sigrdataset);
+	}
+
+	query_addrrset(qctx, &fname, &rdataset, &sigrdataset, dbuf,
+		       DNS_SECTION_AUTHORITY);
+
+cleanup:
+	if (rdataset != NULL) {
+		ns_client_putrdataset(client, &rdataset);
+	}
+	if (sigrdataset != NULL) {
+		ns_client_putrdataset(client, &sigrdataset);
+	}
+	if (fname != NULL) {
+		ns_client_releasename(client, &fname);
+	}
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+	if (db != NULL) {
+		dns_db_detach(&db);
+	}
+	if (zone != NULL) {
+		dns_zone_detach(&zone);
+	}
+	if (zdb != NULL) {
+		ns_client_putrdataset(client, &zrdataset);
+		if (zsigrdataset != NULL) {
+			ns_client_putrdataset(client, &zsigrdataset);
+		}
+		if (zfname != NULL) {
+			ns_client_releasename(client, &zfname);
+		}
+		dns_db_detach(&zdb);
+	}
+}
+
+static void
+query_addwildcardproof(query_ctx_t *qctx, bool ispositive, bool nodata) {
+	ns_client_t *client = qctx->client;
+	isc_buffer_t *dbuf, b;
+	dns_name_t *name;
+	dns_name_t *fname = NULL;
+	dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
+	dns_fixedname_t wfixed;
+	dns_name_t *wname;
+	dns_dbnode_t *node = NULL;
+	unsigned int options;
+	unsigned int olabels, nlabels, labels;
+	isc_result_t result;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_nsec_t nsec;
+	bool have_wname;
+	int order;
+	dns_fixedname_t cfixed;
+	dns_name_t *cname;
+	dns_clientinfomethods_t cm;
+	dns_clientinfo_t ci;
+
+	CTRACE(ISC_LOG_DEBUG(3), "query_addwildcardproof");
+
+	dns_clientinfomethods_init(&cm, ns_client_sourceip);
+	dns_clientinfo_init(&ci, client, NULL, NULL);
+
+	/*
+	 * If a name has been specifically flagged as needing
+	 * a wildcard proof then it will have been copied to
+	 * qctx->wildcardname. Otherwise we just use the client
+	 * QNAME.
+	 */
+	if (qctx->need_wildcardproof) {
+		name = dns_fixedname_name(&qctx->wildcardname);
+	} else {
+		name = client->query.qname;
+	}
+
+	/*
+	 * Get the NOQNAME proof then if !ispositive
+	 * get the NOWILDCARD proof.
+	 *
+	 * DNS_DBFIND_NOWILD finds the NSEC records that covers the
+	 * name ignoring any wildcard.  From the owner and next names
+	 * of this record you can compute which wildcard (if it exists)
+	 * will match by finding the longest common suffix of the
+	 * owner name and next names with the qname and prefixing that
+	 * with the wildcard label.
+	 *
+	 * e.g.
+	 *   Given:
+	 *	example SOA
+	 *	example NSEC b.example
+	 *	b.example A
+	 *	b.example NSEC a.d.example
+	 *	a.d.example A
+	 *	a.d.example NSEC g.f.example
+	 *	g.f.example A
+	 *	g.f.example NSEC z.i.example
+	 *	z.i.example A
+	 *	z.i.example NSEC example
+	 *
+	 *   QNAME:
+	 *   a.example -> example NSEC b.example
+	 *	owner common example
+	 *	next common example
+	 *	wild *.example
+	 *   d.b.example -> b.example NSEC a.d.example
+	 *	owner common b.example
+	 *	next common example
+	 *	wild *.b.example
+	 *   a.f.example -> a.d.example NSEC g.f.example
+	 *	owner common example
+	 *	next common f.example
+	 *	wild *.f.example
+	 *  j.example -> z.i.example NSEC example
+	 *	owner common example
+	 *	next common example
+	 *	wild *.example
+	 */
+	options = client->query.dboptions | DNS_DBFIND_NOWILD;
+	wname = dns_fixedname_initname(&wfixed);
+again:
+	have_wname = false;
+	/*
+	 * We'll need some resources...
+	 */
+	dbuf = ns_client_getnamebuf(client);
+	if (dbuf == NULL) {
+		goto cleanup;
+	}
+	fname = ns_client_newname(client, dbuf, &b);
+	rdataset = ns_client_newrdataset(client);
+	sigrdataset = ns_client_newrdataset(client);
+	if (fname == NULL || rdataset == NULL || sigrdataset == NULL) {
+		goto cleanup;
+	}
+
+	result = dns_db_findext(qctx->db, name, qctx->version,
+				dns_rdatatype_nsec, options, 0, &node, fname,
+				&cm, &ci, rdataset, sigrdataset);
+	if (node != NULL) {
+		dns_db_detachnode(qctx->db, &node);
+	}
+
+	if (!dns_rdataset_isassociated(rdataset)) {
+		/*
+		 * No NSEC proof available, return NSEC3 proofs instead.
+		 */
+		cname = dns_fixedname_initname(&cfixed);
+		/*
+		 * Find the closest encloser.
+		 */
+		dns_name_copynf(name, cname);
+		while (result == DNS_R_NXDOMAIN) {
+			labels = dns_name_countlabels(cname) - 1;
+			/*
+			 * Sanity check.
+			 */
+			if (labels == 0U) {
+				goto cleanup;
+			}
+			dns_name_split(cname, labels, NULL, cname);
+			result = dns_db_findext(qctx->db, cname, qctx->version,
+						dns_rdatatype_nsec, options, 0,
+						NULL, fname, &cm, &ci, NULL,
+						NULL);
+		}
+		/*
+		 * Add closest (provable) encloser NSEC3.
+		 */
+		query_findclosestnsec3(cname, qctx->db, qctx->version, client,
+				       rdataset, sigrdataset, fname, true,
+				       cname);
+		if (!dns_rdataset_isassociated(rdataset)) {
+			goto cleanup;
+		}
+		if (!ispositive) {
+			query_addrrset(qctx, &fname, &rdataset, &sigrdataset,
+				       dbuf, DNS_SECTION_AUTHORITY);
+		}
+
+		/*
+		 * Replace resources which were consumed by query_addrrset.
+		 */
+		if (fname == NULL) {
+			dbuf = ns_client_getnamebuf(client);
+			if (dbuf == NULL) {
+				goto cleanup;
+			}
+			fname = ns_client_newname(client, dbuf, &b);
+		}
+
+		if (rdataset == NULL) {
+			rdataset = ns_client_newrdataset(client);
+		} else if (dns_rdataset_isassociated(rdataset)) {
+			dns_rdataset_disassociate(rdataset);
+		}
+
+		if (sigrdataset == NULL) {
+			sigrdataset = ns_client_newrdataset(client);
+		} else if (dns_rdataset_isassociated(sigrdataset)) {
+			dns_rdataset_disassociate(sigrdataset);
+		}
+
+		if (fname == NULL || rdataset == NULL || sigrdataset == NULL) {
+			goto cleanup;
+		}
+		/*
+		 * Add no qname proof.
+		 */
+		labels = dns_name_countlabels(cname) + 1;
+		if (dns_name_countlabels(name) == labels) {
+			dns_name_copynf(name, wname);
+		} else {
+			dns_name_split(name, labels, NULL, wname);
+		}
+
+		query_findclosestnsec3(wname, qctx->db, qctx->version, client,
+				       rdataset, sigrdataset, fname, false,
+				       NULL);
+		if (!dns_rdataset_isassociated(rdataset)) {
+			goto cleanup;
+		}
+		query_addrrset(qctx, &fname, &rdataset, &sigrdataset, dbuf,
+			       DNS_SECTION_AUTHORITY);
+
+		if (ispositive) {
+			goto cleanup;
+		}
+
+		/*
+		 * Replace resources which were consumed by query_addrrset.
+		 */
+		if (fname == NULL) {
+			dbuf = ns_client_getnamebuf(client);
+			if (dbuf == NULL) {
+				goto cleanup;
+			}
+			fname = ns_client_newname(client, dbuf, &b);
+		}
+
+		if (rdataset == NULL) {
+			rdataset = ns_client_newrdataset(client);
+		} else if (dns_rdataset_isassociated(rdataset)) {
+			dns_rdataset_disassociate(rdataset);
+		}
+
+		if (sigrdataset == NULL) {
+			sigrdataset = ns_client_newrdataset(client);
+		} else if (dns_rdataset_isassociated(sigrdataset)) {
+			dns_rdataset_disassociate(sigrdataset);
+		}
+
+		if (fname == NULL || rdataset == NULL || sigrdataset == NULL) {
+			goto cleanup;
+		}
+		/*
+		 * Add the no wildcard proof.
+		 */
+		result = dns_name_concatenate(dns_wildcardname, cname, wname,
+					      NULL);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+
+		query_findclosestnsec3(wname, qctx->db, qctx->version, client,
+				       rdataset, sigrdataset, fname, nodata,
+				       NULL);
+		if (!dns_rdataset_isassociated(rdataset)) {
+			goto cleanup;
+		}
+		query_addrrset(qctx, &fname, &rdataset, &sigrdataset, dbuf,
+			       DNS_SECTION_AUTHORITY);
+
+		goto cleanup;
+	} else if (result == DNS_R_NXDOMAIN) {
+		if (!ispositive) {
+			result = dns_rdataset_first(rdataset);
+		}
+		if (result == ISC_R_SUCCESS) {
+			dns_rdataset_current(rdataset, &rdata);
+			result = dns_rdata_tostruct(&rdata, &nsec, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			(void)dns_name_fullcompare(name, fname, &order,
+						   &olabels);
+			(void)dns_name_fullcompare(name, &nsec.next, &order,
+						   &nlabels);
+			/*
+			 * Check for a pathological condition created when
+			 * serving some malformed signed zones and bail out.
+			 */
+			if (dns_name_countlabels(name) == nlabels) {
+				goto cleanup;
+			}
+
+			if (olabels > nlabels) {
+				dns_name_split(name, olabels, NULL, wname);
+			} else {
+				dns_name_split(name, nlabels, NULL, wname);
+			}
+			result = dns_name_concatenate(dns_wildcardname, wname,
+						      wname, NULL);
+			if (result == ISC_R_SUCCESS) {
+				have_wname = true;
+			}
+			dns_rdata_freestruct(&nsec);
+		}
+		query_addrrset(qctx, &fname, &rdataset, &sigrdataset, dbuf,
+			       DNS_SECTION_AUTHORITY);
+	}
+	if (rdataset != NULL) {
+		ns_client_putrdataset(client, &rdataset);
+	}
+	if (sigrdataset != NULL) {
+		ns_client_putrdataset(client, &sigrdataset);
+	}
+	if (fname != NULL) {
+		ns_client_releasename(client, &fname);
+	}
+	if (have_wname) {
+		ispositive = true; /* prevent loop */
+		if (!dns_name_equal(name, wname)) {
+			name = wname;
+			goto again;
+		}
+	}
+cleanup:
+	if (rdataset != NULL) {
+		ns_client_putrdataset(client, &rdataset);
+	}
+	if (sigrdataset != NULL) {
+		ns_client_putrdataset(client, &sigrdataset);
+	}
+	if (fname != NULL) {
+		ns_client_releasename(client, &fname);
+	}
+}
+
+/*%
+ * Add NS records, and NSEC/NSEC3 wildcard proof records if needed,
+ * to the authority section.
+ */
+static void
+query_addauth(query_ctx_t *qctx) {
+	CCTRACE(ISC_LOG_DEBUG(3), "query_addauth");
+	/*
+	 * Add NS records to the authority section (if we haven't already
+	 * added them to the answer section).
+	 */
+	if (!qctx->want_restart && !NOAUTHORITY(qctx->client)) {
+		if (qctx->is_zone) {
+			if (!qctx->answer_has_ns) {
+				(void)query_addns(qctx);
+			}
+		} else if (!qctx->answer_has_ns &&
+			   qctx->qtype != dns_rdatatype_ns)
+		{
+			if (qctx->fname != NULL) {
+				ns_client_releasename(qctx->client,
+						      &qctx->fname);
+			}
+			query_addbestns(qctx);
+		}
+	}
+
+	/*
+	 * Add NSEC records to the authority section if they're needed for
+	 * DNSSEC wildcard proofs.
+	 */
+	if (qctx->need_wildcardproof && dns_db_issecure(qctx->db)) {
+		query_addwildcardproof(qctx, true, false);
+	}
+}
+
+/*
+ * Find the sort order of 'rdata' in the topology-like
+ * ACL forming the second element in a 2-element top-level
+ * sortlist statement.
+ */
+static int
+query_sortlist_order_2element(const dns_rdata_t *rdata, const void *arg) {
+	isc_netaddr_t netaddr;
+
+	if (rdata_tonetaddr(rdata, &netaddr) != ISC_R_SUCCESS) {
+		return (INT_MAX);
+	}
+	return (ns_sortlist_addrorder2(&netaddr, arg));
+}
+
+/*
+ * Find the sort order of 'rdata' in the matching element
+ * of a 1-element top-level sortlist statement.
+ */
+static int
+query_sortlist_order_1element(const dns_rdata_t *rdata, const void *arg) {
+	isc_netaddr_t netaddr;
+
+	if (rdata_tonetaddr(rdata, &netaddr) != ISC_R_SUCCESS) {
+		return (INT_MAX);
+	}
+	return (ns_sortlist_addrorder1(&netaddr, arg));
+}
+
+/*
+ * Find the sortlist statement that applies to 'client' and set up
+ * the sortlist info in in client->message appropriately.
+ */
+static void
+query_setup_sortlist(query_ctx_t *qctx) {
+	isc_netaddr_t netaddr;
+	ns_client_t *client = qctx->client;
+	dns_aclenv_t *env =
+		ns_interfacemgr_getaclenv(client->manager->interface->mgr);
+	const void *order_arg = NULL;
+
+	isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
+	switch (ns_sortlist_setup(client->view->sortlist, env, &netaddr,
+				  &order_arg))
+	{
+	case NS_SORTLISTTYPE_1ELEMENT:
+		dns_message_setsortorder(client->message,
+					 query_sortlist_order_1element, env,
+					 NULL, order_arg);
+		break;
+	case NS_SORTLISTTYPE_2ELEMENT:
+		dns_message_setsortorder(client->message,
+					 query_sortlist_order_2element, env,
+					 order_arg, NULL);
+		break;
+	case NS_SORTLISTTYPE_NONE:
+		break;
+	default:
+		UNREACHABLE();
+	}
+}
+
+/*
+ * When sending a referral, if the answer to the question is
+ * in the glue, sort it to the start of the additional section.
+ */
+static void
+query_glueanswer(query_ctx_t *qctx) {
+	const dns_namelist_t *secs = qctx->client->message->sections;
+	const dns_section_t section = DNS_SECTION_ADDITIONAL;
+	dns_name_t *name;
+	dns_message_t *msg;
+	dns_rdataset_t *rdataset = NULL;
+
+	if (!ISC_LIST_EMPTY(secs[DNS_SECTION_ANSWER]) ||
+	    qctx->client->message->rcode != dns_rcode_noerror ||
+	    (qctx->qtype != dns_rdatatype_a &&
+	     qctx->qtype != dns_rdatatype_aaaa))
+	{
+		return;
+	}
+
+	msg = qctx->client->message;
+	for (name = ISC_LIST_HEAD(msg->sections[section]); name != NULL;
+	     name = ISC_LIST_NEXT(name, link))
+	{
+		if (dns_name_equal(name, qctx->client->query.qname)) {
+			for (rdataset = ISC_LIST_HEAD(name->list);
+			     rdataset != NULL;
+			     rdataset = ISC_LIST_NEXT(rdataset, link))
+			{
+				if (rdataset->type == qctx->qtype) {
+					break;
+				}
+			}
+			break;
+		}
+	}
+	if (rdataset != NULL) {
+		ISC_LIST_UNLINK(msg->sections[section], name, link);
+		ISC_LIST_PREPEND(msg->sections[section], name, link);
+		ISC_LIST_UNLINK(name->list, rdataset, link);
+		ISC_LIST_PREPEND(name->list, rdataset, link);
+		rdataset->attributes |= DNS_RDATASETATTR_REQUIRED;
+	}
+}
+
+isc_result_t
+ns_query_done(query_ctx_t *qctx) {
+	isc_result_t result;
+	const dns_namelist_t *secs = qctx->client->message->sections;
+	bool nodetach;
+
+	CCTRACE(ISC_LOG_DEBUG(3), "ns_query_done");
+
+	CALL_HOOK(NS_QUERY_DONE_BEGIN, qctx);
+
+	/*
+	 * General cleanup.
+	 */
+	qctx->rpz_st = qctx->client->query.rpz_st;
+	if (qctx->rpz_st != NULL &&
+	    (qctx->rpz_st->state & DNS_RPZ_RECURSING) == 0)
+	{
+		rpz_match_clear(qctx->rpz_st);
+		qctx->rpz_st->state &= ~DNS_RPZ_DONE_QNAME;
+	}
+
+	qctx_clean(qctx);
+	qctx_freedata(qctx);
+
+	if (qctx->client->query.gluedb != NULL) {
+		dns_db_detach(&qctx->client->query.gluedb);
+	}
+
+	/*
+	 * Clear the AA bit if we're not authoritative.
+	 */
+	if (qctx->client->query.restarts == 0 && !qctx->authoritative) {
+		qctx->client->message->flags &= ~DNS_MESSAGEFLAG_AA;
+	}
+
+	/*
+	 * Do we need to restart the query (e.g. for CNAME chaining)?
+	 */
+	if (qctx->want_restart && qctx->client->query.restarts < MAX_RESTARTS) {
+		qctx->client->query.restarts++;
+		return (ns__query_start(qctx));
+	}
+
+	if (qctx->result != ISC_R_SUCCESS &&
+	    (!PARTIALANSWER(qctx->client) || WANTRECURSION(qctx->client) ||
+	     qctx->result == DNS_R_DROP))
+	{
+		if (qctx->result == DNS_R_DUPLICATE ||
+		    qctx->result == DNS_R_DROP)
+		{
+			/*
+			 * This was a duplicate query that we are
+			 * recursing on or the result of rate limiting.
+			 * Don't send a response now for a duplicate query,
+			 * because the original will still cause a response.
+			 */
+			query_next(qctx->client, qctx->result);
+		} else {
+			/*
+			 * If we don't have any answer to give the client,
+			 * or if the client requested recursion and thus wanted
+			 * the complete answer, send an error response.
+			 */
+			INSIST(qctx->line >= 0);
+			query_error(qctx->client, qctx->result, qctx->line);
+		}
+
+		qctx->detach_client = true;
+		return (qctx->result);
+	}
+
+	/*
+	 * If we're recursing then just return; the query will
+	 * resume when recursion ends.
+	 */
+	if (RECURSING(qctx->client) &&
+	    (!QUERY_STALETIMEOUT(&qctx->client->query) ||
+	     ((qctx->options & DNS_GETDB_STALEFIRST) != 0)))
+	{
+		return (qctx->result);
+	}
+
+	/*
+	 * We are done.  Set up sortlist data for the message
+	 * rendering code, sort the answer to the front of the
+	 * additional section if necessary, make a final tweak
+	 * to the AA bit if the auth-nxdomain config option
+	 * says so, then render and send the response.
+	 */
+	query_setup_sortlist(qctx);
+	query_glueanswer(qctx);
+
+	if (qctx->client->message->rcode == dns_rcode_nxdomain &&
+	    qctx->view->auth_nxdomain)
+	{
+		qctx->client->message->flags |= DNS_MESSAGEFLAG_AA;
+	}
+
+	/*
+	 * If the response is somehow unexpected for the client and this
+	 * is a result of recursion, return an error to the caller
+	 * to indicate it may need to be logged.
+	 */
+	if (qctx->resuming &&
+	    (ISC_LIST_EMPTY(secs[DNS_SECTION_ANSWER]) ||
+	     qctx->client->message->rcode != dns_rcode_noerror))
+	{
+		qctx->result = ISC_R_FAILURE;
+	}
+
+	CALL_HOOK(NS_QUERY_DONE_SEND, qctx);
+
+	/*
+	 * Client may have been detached after query_send(), so
+	 * we test and store the flag state here, for safety.
+	 */
+	nodetach = qctx->client->nodetach;
+	query_send(qctx->client);
+
+	if (qctx->refresh_rrset) {
+		/*
+		 * If we reached this point then it means that we have found a
+		 * stale RRset entry in cache and BIND is configured to allow
+		 * queries to be answered with stale data if no active RRset
+		 * is available, i.e. "stale-anwer-client-timeout 0". But, we
+		 * still need to refresh the RRset. To prevent adding duplicate
+		 * RRsets, clear the RRsets from the message before doing the
+		 * refresh.
+		 */
+		message_clearrdataset(qctx->client->message, 0);
+		query_refresh_rrset(qctx);
+	}
+
+	if (!nodetach) {
+		qctx->detach_client = true;
+	}
+	return (qctx->result);
+
+cleanup:
+	return (result);
+}
+
+static void
+log_tat(ns_client_t *client) {
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char clientbuf[ISC_NETADDR_FORMATSIZE];
+	char classbuf[DNS_RDATACLASS_FORMATSIZE];
+	isc_netaddr_t netaddr;
+	char *tags = NULL;
+	size_t taglen = 0;
+
+	if (!isc_log_wouldlog(ns_lctx, ISC_LOG_INFO)) {
+		return;
+	}
+
+	if ((client->query.qtype != dns_rdatatype_null ||
+	     !dns_name_istat(client->query.qname)) &&
+	    (client->keytag == NULL ||
+	     client->query.qtype != dns_rdatatype_dnskey))
+	{
+		return;
+	}
+
+	isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
+	dns_name_format(client->query.qname, namebuf, sizeof(namebuf));
+	isc_netaddr_format(&netaddr, clientbuf, sizeof(clientbuf));
+	dns_rdataclass_format(client->view->rdclass, classbuf,
+			      sizeof(classbuf));
+
+	if (client->query.qtype == dns_rdatatype_dnskey) {
+		uint16_t keytags = client->keytag_len / 2;
+		size_t len = taglen = sizeof("65000") * keytags + 1;
+		char *cp = tags = isc_mem_get(client->mctx, taglen);
+		int i = 0;
+
+		INSIST(client->keytag != NULL);
+		if (tags != NULL) {
+			while (keytags-- > 0U) {
+				int n;
+				uint16_t keytag;
+				keytag = (client->keytag[i * 2] << 8) |
+					 client->keytag[i * 2 + 1];
+				n = snprintf(cp, len, " %u", keytag);
+				if (n > 0 && (size_t)n <= len) {
+					cp += n;
+					len -= n;
+					i++;
+				} else {
+					break;
+				}
+			}
+		}
+	}
+
+	isc_log_write(ns_lctx, NS_LOGCATEGORY_TAT, NS_LOGMODULE_QUERY,
+		      ISC_LOG_INFO, "trust-anchor-telemetry '%s/%s' from %s%s",
+		      namebuf, classbuf, clientbuf, tags != NULL ? tags : "");
+	if (tags != NULL) {
+		isc_mem_put(client->mctx, tags, taglen);
+	}
+}
+
+static void
+log_query(ns_client_t *client, unsigned int flags, unsigned int extflags) {
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char typebuf[DNS_RDATATYPE_FORMATSIZE];
+	char classbuf[DNS_RDATACLASS_FORMATSIZE];
+	char onbuf[ISC_NETADDR_FORMATSIZE];
+	char ecsbuf[DNS_ECS_FORMATSIZE + sizeof(" [ECS ]") - 1] = { 0 };
+	char ednsbuf[sizeof("E(65535)")] = { 0 };
+	dns_rdataset_t *rdataset;
+	int level = ISC_LOG_INFO;
+
+	if (!isc_log_wouldlog(ns_lctx, level)) {
+		return;
+	}
+
+	rdataset = ISC_LIST_HEAD(client->query.qname->list);
+	INSIST(rdataset != NULL);
+	dns_name_format(client->query.qname, namebuf, sizeof(namebuf));
+	dns_rdataclass_format(rdataset->rdclass, classbuf, sizeof(classbuf));
+	dns_rdatatype_format(rdataset->type, typebuf, sizeof(typebuf));
+	isc_netaddr_format(&client->destaddr, onbuf, sizeof(onbuf));
+
+	if (client->ednsversion >= 0) {
+		snprintf(ednsbuf, sizeof(ednsbuf), "E(%hd)",
+			 client->ednsversion);
+	}
+
+	if (HAVEECS(client)) {
+		strlcpy(ecsbuf, " [ECS ", sizeof(ecsbuf));
+		dns_ecs_format(&client->ecs, ecsbuf + 6, sizeof(ecsbuf) - 6);
+		strlcat(ecsbuf, "]", sizeof(ecsbuf));
+	}
+
+	ns_client_log(client, NS_LOGCATEGORY_QUERIES, NS_LOGMODULE_QUERY, level,
+		      "query: %s %s %s %s%s%s%s%s%s%s (%s)%s", namebuf,
+		      classbuf, typebuf, WANTRECURSION(client) ? "+" : "-",
+		      (client->signer != NULL) ? "S" : "", ednsbuf,
+		      TCP(client) ? "T" : "",
+		      ((extflags & DNS_MESSAGEEXTFLAG_DO) != 0) ? "D" : "",
+		      ((flags & DNS_MESSAGEFLAG_CD) != 0) ? "C" : "",
+		      HAVECOOKIE(client)   ? "V"
+		      : WANTCOOKIE(client) ? "K"
+					   : "",
+		      onbuf, ecsbuf);
+}
+
+static void
+log_queryerror(ns_client_t *client, isc_result_t result, int line, int level) {
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char typebuf[DNS_RDATATYPE_FORMATSIZE];
+	char classbuf[DNS_RDATACLASS_FORMATSIZE];
+	const char *namep, *typep, *classp, *sep1, *sep2;
+	dns_rdataset_t *rdataset;
+
+	if (!isc_log_wouldlog(ns_lctx, level)) {
+		return;
+	}
+
+	namep = typep = classp = sep1 = sep2 = "";
+
+	/*
+	 * Query errors can happen for various reasons.  In some cases we cannot
+	 * even assume the query contains a valid question section, so we should
+	 * expect exceptional cases.
+	 */
+	if (client->query.origqname != NULL) {
+		dns_name_format(client->query.origqname, namebuf,
+				sizeof(namebuf));
+		namep = namebuf;
+		sep1 = " for ";
+
+		rdataset = ISC_LIST_HEAD(client->query.origqname->list);
+		if (rdataset != NULL) {
+			dns_rdataclass_format(rdataset->rdclass, classbuf,
+					      sizeof(classbuf));
+			classp = classbuf;
+			dns_rdatatype_format(rdataset->type, typebuf,
+					     sizeof(typebuf));
+			typep = typebuf;
+			sep2 = "/";
+		}
+	}
+
+	ns_client_log(client, NS_LOGCATEGORY_QUERY_ERRORS, NS_LOGMODULE_QUERY,
+		      level, "query failed (%s)%s%s%s%s%s%s at %s:%d",
+		      isc_result_totext(result), sep1, namep, sep2, classp,
+		      sep2, typep, __FILE__, line);
+}
+
+void
+ns_query_start(ns_client_t *client, isc_nmhandle_t *handle) {
+	isc_result_t result;
+	dns_message_t *message;
+	dns_rdataset_t *rdataset;
+	dns_rdatatype_t qtype;
+	unsigned int saved_extflags;
+	unsigned int saved_flags;
+
+	REQUIRE(NS_CLIENT_VALID(client));
+
+	/*
+	 * Attach to the request handle
+	 */
+	isc_nmhandle_attach(handle, &client->reqhandle);
+
+	message = client->message;
+	saved_extflags = client->extflags;
+	saved_flags = client->message->flags;
+
+	CTRACE(ISC_LOG_DEBUG(3), "ns_query_start");
+
+	/*
+	 * Ensure that appropriate cleanups occur.
+	 */
+	client->cleanup = query_cleanup;
+
+	if ((message->flags & DNS_MESSAGEFLAG_RD) != 0) {
+		client->query.attributes |= NS_QUERYATTR_WANTRECURSION;
+	}
+
+	if ((client->extflags & DNS_MESSAGEEXTFLAG_DO) != 0) {
+		client->attributes |= NS_CLIENTATTR_WANTDNSSEC;
+	}
+
+	switch (client->view->minimalresponses) {
+	case dns_minimal_no:
+		break;
+	case dns_minimal_yes:
+		client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY |
+					     NS_QUERYATTR_NOADDITIONAL);
+		break;
+	case dns_minimal_noauth:
+		client->query.attributes |= NS_QUERYATTR_NOAUTHORITY;
+		break;
+	case dns_minimal_noauthrec:
+		if ((message->flags & DNS_MESSAGEFLAG_RD) != 0) {
+			client->query.attributes |= NS_QUERYATTR_NOAUTHORITY;
+		}
+		break;
+	}
+
+	if (client->view->cachedb == NULL || !client->view->recursion) {
+		/*
+		 * We don't have a cache.  Turn off cache support and
+		 * recursion.
+		 */
+		client->query.attributes &= ~(NS_QUERYATTR_RECURSIONOK |
+					      NS_QUERYATTR_CACHEOK);
+		client->attributes |= NS_CLIENTATTR_NOSETFC;
+	} else if ((client->attributes & NS_CLIENTATTR_RA) == 0 ||
+		   (message->flags & DNS_MESSAGEFLAG_RD) == 0)
+	{
+		/*
+		 * If the client isn't allowed to recurse (due to
+		 * "recursion no", the allow-recursion ACL, or the
+		 * lack of a resolver in this view), or if it
+		 * doesn't want recursion, turn recursion off.
+		 */
+		client->query.attributes &= ~NS_QUERYATTR_RECURSIONOK;
+		client->attributes |= NS_CLIENTATTR_NOSETFC;
+	}
+
+	/*
+	 * Check for multiple question queries, since edns1 is dead.
+	 */
+	if (message->counts[DNS_SECTION_QUESTION] > 1) {
+		query_error(client, DNS_R_FORMERR, __LINE__);
+		return;
+	}
+
+	/*
+	 * Get the question name.
+	 */
+	result = dns_message_firstname(message, DNS_SECTION_QUESTION);
+	if (result != ISC_R_SUCCESS) {
+		query_error(client, result, __LINE__);
+		return;
+	}
+	dns_message_currentname(message, DNS_SECTION_QUESTION,
+				&client->query.qname);
+	client->query.origqname = client->query.qname;
+	result = dns_message_nextname(message, DNS_SECTION_QUESTION);
+	if (result != ISC_R_NOMORE) {
+		if (result == ISC_R_SUCCESS) {
+			/*
+			 * There's more than one QNAME in the question
+			 * section.
+			 */
+			query_error(client, DNS_R_FORMERR, __LINE__);
+		} else {
+			query_error(client, result, __LINE__);
+		}
+		return;
+	}
+
+	if ((client->sctx->options & NS_SERVER_LOGQUERIES) != 0) {
+		log_query(client, saved_flags, saved_extflags);
+	}
+
+	/*
+	 * Check for meta-queries like IXFR and AXFR.
+	 */
+	rdataset = ISC_LIST_HEAD(client->query.qname->list);
+	INSIST(rdataset != NULL);
+	client->query.qtype = qtype = rdataset->type;
+	dns_rdatatypestats_increment(client->sctx->rcvquerystats, qtype);
+
+	log_tat(client);
+
+	if (dns_rdatatype_ismeta(qtype)) {
+		switch (qtype) {
+		case dns_rdatatype_any:
+			break; /* Let the query logic handle it. */
+		case dns_rdatatype_ixfr:
+		case dns_rdatatype_axfr:
+			ns_xfr_start(client, rdataset->type);
+			return;
+		case dns_rdatatype_maila:
+		case dns_rdatatype_mailb:
+			query_error(client, DNS_R_NOTIMP, __LINE__);
+			return;
+		case dns_rdatatype_tkey:
+			result = dns_tkey_processquery(
+				client->message, client->sctx->tkeyctx,
+				client->view->dynamickeys);
+			if (result == ISC_R_SUCCESS) {
+				query_send(client);
+			} else {
+				query_error(client, result, __LINE__);
+			}
+			return;
+		default: /* TSIG, etc. */
+			query_error(client, DNS_R_FORMERR, __LINE__);
+			return;
+		}
+	}
+
+	/*
+	 * Turn on minimal response for (C)DNSKEY and (C)DS queries.
+	 */
+	if (qtype == dns_rdatatype_dnskey || qtype == dns_rdatatype_ds ||
+	    qtype == dns_rdatatype_cdnskey || qtype == dns_rdatatype_cds)
+	{
+		client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY |
+					     NS_QUERYATTR_NOADDITIONAL);
+	} else if (qtype == dns_rdatatype_ns) {
+		/*
+		 * Always turn on additional records for NS queries.
+		 */
+		client->query.attributes &= ~(NS_QUERYATTR_NOAUTHORITY |
+					      NS_QUERYATTR_NOADDITIONAL);
+	}
+
+	/*
+	 * Maybe turn on minimal responses for ANY queries.
+	 */
+	if (qtype == dns_rdatatype_any && client->view->minimal_any &&
+	    !TCP(client))
+	{
+		client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY |
+					     NS_QUERYATTR_NOADDITIONAL);
+	}
+
+	/*
+	 * Turn on minimal responses for EDNS/UDP bufsize 512 queries.
+	 */
+	if (client->ednsversion >= 0 && client->udpsize <= 512U && !TCP(client))
+	{
+		client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY |
+					     NS_QUERYATTR_NOADDITIONAL);
+	}
+
+	/*
+	 * If the client has requested that DNSSEC checking be disabled,
+	 * allow lookups to return pending data and instruct the resolver
+	 * to return data before validation has completed.
+	 *
+	 * We don't need to set DNS_DBFIND_PENDINGOK when validation is
+	 * disabled as there will be no pending data.
+	 */
+	if ((message->flags & DNS_MESSAGEFLAG_CD) != 0 ||
+	    qtype == dns_rdatatype_rrsig)
+	{
+		client->query.dboptions |= DNS_DBFIND_PENDINGOK;
+		client->query.fetchoptions |= DNS_FETCHOPT_NOVALIDATE;
+	} else if (!client->view->enablevalidation) {
+		client->query.fetchoptions |= DNS_FETCHOPT_NOVALIDATE;
+	}
+
+	if (client->view->qminimization) {
+		client->query.fetchoptions |= DNS_FETCHOPT_QMINIMIZE |
+					      DNS_FETCHOPT_QMIN_SKIP_IP6A;
+		if (client->view->qmin_strict) {
+			client->query.fetchoptions |= DNS_FETCHOPT_QMIN_STRICT;
+		} else {
+			client->query.fetchoptions |= DNS_FETCHOPT_QMIN_USE_A;
+		}
+	}
+
+	/*
+	 * Allow glue NS records to be added to the authority section
+	 * if the answer is secure.
+	 */
+	if ((message->flags & DNS_MESSAGEFLAG_CD) != 0) {
+		client->query.attributes &= ~NS_QUERYATTR_SECURE;
+	}
+
+	/*
+	 * Set NS_CLIENTATTR_WANTAD if the client has set AD in the query.
+	 * This allows AD to be returned on queries without DO set.
+	 */
+	if ((message->flags & DNS_MESSAGEFLAG_AD) != 0) {
+		client->attributes |= NS_CLIENTATTR_WANTAD;
+	}
+
+	/*
+	 * This is an ordinary query.
+	 */
+	result = dns_message_reply(message, true);
+	if (result != ISC_R_SUCCESS) {
+		query_next(client, result);
+		return;
+	}
+
+	/*
+	 * Assume authoritative response until it is known to be
+	 * otherwise.
+	 *
+	 * If "-T noaa" has been set on the command line don't set
+	 * AA on authoritative answers.
+	 */
+	if ((client->sctx->options & NS_SERVER_NOAA) == 0) {
+		message->flags |= DNS_MESSAGEFLAG_AA;
+	}
+
+	/*
+	 * Set AD.  We must clear it if we add non-validated data to a
+	 * response.
+	 */
+	if (WANTDNSSEC(client) || WANTAD(client)) {
+		message->flags |= DNS_MESSAGEFLAG_AD;
+	}
+
+	(void)query_setup(client, qtype);
+}
diff --git a/lib/ns/server.c b/lib/ns/server.c
new file mode 100644
index 0000000..63bea5d
--- /dev/null
+++ b/lib/ns/server.c
@@ -0,0 +1,233 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <stdbool.h>
+
+#include <isc/mem.h>
+#include <isc/stats.h>
+#include <isc/util.h>
+
+#include <dns/stats.h>
+#include <dns/tkey.h>
+
+#include <ns/query.h>
+#include <ns/server.h>
+#include <ns/stats.h>
+
+#define SCTX_MAGIC    ISC_MAGIC('S', 'c', 't', 'x')
+#define SCTX_VALID(s) ISC_MAGIC_VALID(s, SCTX_MAGIC)
+
+#define CHECKFATAL(op)                                  \
+	do {                                            \
+		result = (op);                          \
+		RUNTIME_CHECK(result == ISC_R_SUCCESS); \
+	} while (0)
+
+isc_result_t
+ns_server_create(isc_mem_t *mctx, ns_matchview_t matchingview,
+		 ns_server_t **sctxp) {
+	ns_server_t *sctx;
+	isc_result_t result;
+
+	REQUIRE(sctxp != NULL && *sctxp == NULL);
+
+	sctx = isc_mem_get(mctx, sizeof(*sctx));
+
+	memset(sctx, 0, sizeof(*sctx));
+
+	isc_mem_attach(mctx, &sctx->mctx);
+
+	isc_refcount_init(&sctx->references, 1);
+
+	isc_quota_init(&sctx->xfroutquota, 10);
+	isc_quota_init(&sctx->tcpquota, 10);
+	isc_quota_init(&sctx->recursionquota, 100);
+	isc_quota_init(&sctx->updquota, 100);
+
+	CHECKFATAL(dns_tkeyctx_create(mctx, &sctx->tkeyctx));
+
+	CHECKFATAL(ns_stats_create(mctx, ns_statscounter_max, &sctx->nsstats));
+
+	CHECKFATAL(dns_rdatatypestats_create(mctx, &sctx->rcvquerystats));
+
+	CHECKFATAL(dns_opcodestats_create(mctx, &sctx->opcodestats));
+
+	CHECKFATAL(dns_rcodestats_create(mctx, &sctx->rcodestats));
+
+	CHECKFATAL(isc_stats_create(mctx, &sctx->udpinstats4,
+				    dns_sizecounter_in_max));
+
+	CHECKFATAL(isc_stats_create(mctx, &sctx->udpoutstats4,
+				    dns_sizecounter_out_max));
+
+	CHECKFATAL(isc_stats_create(mctx, &sctx->udpinstats6,
+				    dns_sizecounter_in_max));
+
+	CHECKFATAL(isc_stats_create(mctx, &sctx->udpoutstats6,
+				    dns_sizecounter_out_max));
+
+	CHECKFATAL(isc_stats_create(mctx, &sctx->tcpinstats4,
+				    dns_sizecounter_in_max));
+
+	CHECKFATAL(isc_stats_create(mctx, &sctx->tcpoutstats4,
+				    dns_sizecounter_out_max));
+
+	CHECKFATAL(isc_stats_create(mctx, &sctx->tcpinstats6,
+				    dns_sizecounter_in_max));
+
+	CHECKFATAL(isc_stats_create(mctx, &sctx->tcpoutstats6,
+				    dns_sizecounter_out_max));
+
+	sctx->udpsize = 1232;
+	sctx->transfer_tcp_message_size = 20480;
+
+	sctx->fuzztype = isc_fuzz_none;
+	sctx->fuzznotify = NULL;
+	sctx->gethostname = NULL;
+
+	sctx->matchingview = matchingview;
+	sctx->answercookie = true;
+
+	ISC_LIST_INIT(sctx->altsecrets);
+
+	sctx->magic = SCTX_MAGIC;
+	*sctxp = sctx;
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+ns_server_attach(ns_server_t *src, ns_server_t **dest) {
+	REQUIRE(SCTX_VALID(src));
+	REQUIRE(dest != NULL && *dest == NULL);
+
+	isc_refcount_increment(&src->references);
+
+	*dest = src;
+}
+
+void
+ns_server_detach(ns_server_t **sctxp) {
+	ns_server_t *sctx;
+
+	REQUIRE(sctxp != NULL && SCTX_VALID(*sctxp));
+	sctx = *sctxp;
+	*sctxp = NULL;
+
+	if (isc_refcount_decrement(&sctx->references) == 1) {
+		ns_altsecret_t *altsecret;
+
+		while ((altsecret = ISC_LIST_HEAD(sctx->altsecrets)) != NULL) {
+			ISC_LIST_UNLINK(sctx->altsecrets, altsecret, link);
+			isc_mem_put(sctx->mctx, altsecret, sizeof(*altsecret));
+		}
+
+		isc_quota_destroy(&sctx->updquota);
+		isc_quota_destroy(&sctx->recursionquota);
+		isc_quota_destroy(&sctx->tcpquota);
+		isc_quota_destroy(&sctx->xfroutquota);
+
+		if (sctx->server_id != NULL) {
+			isc_mem_free(sctx->mctx, sctx->server_id);
+		}
+
+		if (sctx->blackholeacl != NULL) {
+			dns_acl_detach(&sctx->blackholeacl);
+		}
+		if (sctx->keepresporder != NULL) {
+			dns_acl_detach(&sctx->keepresporder);
+		}
+		if (sctx->tkeyctx != NULL) {
+			dns_tkeyctx_destroy(&sctx->tkeyctx);
+		}
+
+		if (sctx->nsstats != NULL) {
+			ns_stats_detach(&sctx->nsstats);
+		}
+
+		if (sctx->rcvquerystats != NULL) {
+			dns_stats_detach(&sctx->rcvquerystats);
+		}
+		if (sctx->opcodestats != NULL) {
+			dns_stats_detach(&sctx->opcodestats);
+		}
+		if (sctx->rcodestats != NULL) {
+			dns_stats_detach(&sctx->rcodestats);
+		}
+
+		if (sctx->udpinstats4 != NULL) {
+			isc_stats_detach(&sctx->udpinstats4);
+		}
+		if (sctx->tcpinstats4 != NULL) {
+			isc_stats_detach(&sctx->tcpinstats4);
+		}
+		if (sctx->udpoutstats4 != NULL) {
+			isc_stats_detach(&sctx->udpoutstats4);
+		}
+		if (sctx->tcpoutstats4 != NULL) {
+			isc_stats_detach(&sctx->tcpoutstats4);
+		}
+
+		if (sctx->udpinstats6 != NULL) {
+			isc_stats_detach(&sctx->udpinstats6);
+		}
+		if (sctx->tcpinstats6 != NULL) {
+			isc_stats_detach(&sctx->tcpinstats6);
+		}
+		if (sctx->udpoutstats6 != NULL) {
+			isc_stats_detach(&sctx->udpoutstats6);
+		}
+		if (sctx->tcpoutstats6 != NULL) {
+			isc_stats_detach(&sctx->tcpoutstats6);
+		}
+
+		sctx->magic = 0;
+
+		isc_mem_putanddetach(&sctx->mctx, sctx, sizeof(*sctx));
+	}
+}
+
+isc_result_t
+ns_server_setserverid(ns_server_t *sctx, const char *serverid) {
+	REQUIRE(SCTX_VALID(sctx));
+
+	if (sctx->server_id != NULL) {
+		isc_mem_free(sctx->mctx, sctx->server_id);
+		sctx->server_id = NULL;
+	}
+
+	if (serverid != NULL) {
+		sctx->server_id = isc_mem_strdup(sctx->mctx, serverid);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+ns_server_setoption(ns_server_t *sctx, unsigned int option, bool value) {
+	REQUIRE(SCTX_VALID(sctx));
+	if (value) {
+		sctx->options |= option;
+	} else {
+		sctx->options &= ~option;
+	}
+}
+
+bool
+ns_server_getoption(ns_server_t *sctx, unsigned int option) {
+	REQUIRE(SCTX_VALID(sctx));
+
+	return ((sctx->options & option) != 0);
+}
diff --git a/lib/ns/sortlist.c b/lib/ns/sortlist.c
new file mode 100644
index 0000000..5b7932f
--- /dev/null
+++ b/lib/ns/sortlist.c
@@ -0,0 +1,167 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <isc/mem.h>
+#include <isc/util.h>
+
+#include <dns/acl.h>
+#include <dns/message.h>
+#include <dns/result.h>
+
+#include <ns/server.h>
+#include <ns/sortlist.h>
+
+ns_sortlisttype_t
+ns_sortlist_setup(dns_acl_t *acl, dns_aclenv_t *env, isc_netaddr_t *clientaddr,
+		  const void **argp) {
+	unsigned int i;
+
+	if (acl == NULL) {
+		goto dont_sort;
+	}
+
+	for (i = 0; i < acl->length; i++) {
+		/*
+		 * 'e' refers to the current 'top level statement'
+		 * in the sortlist (see ARM).
+		 */
+		dns_aclelement_t *e = &acl->elements[i];
+		dns_aclelement_t *try_elt;
+		dns_aclelement_t *order_elt = NULL;
+		const dns_aclelement_t *matched_elt = NULL;
+
+		if (e->type == dns_aclelementtype_nestedacl) {
+			dns_acl_t *inner = e->nestedacl;
+
+			if (inner->length == 0) {
+				try_elt = e;
+			} else if (inner->length > 2) {
+				goto dont_sort;
+			} else if (inner->elements[0].negative) {
+				goto dont_sort;
+			} else {
+				try_elt = &inner->elements[0];
+				if (inner->length == 2) {
+					order_elt = &inner->elements[1];
+				}
+			}
+		} else {
+			/*
+			 * BIND 8 allows bare elements at the top level
+			 * as an undocumented feature.
+			 */
+			try_elt = e;
+		}
+
+		if (dns_aclelement_match(clientaddr, NULL, try_elt, env,
+					 &matched_elt))
+		{
+			if (order_elt != NULL) {
+				if (order_elt->type ==
+				    dns_aclelementtype_nestedacl)
+				{
+					*argp = order_elt->nestedacl;
+					return (NS_SORTLISTTYPE_2ELEMENT);
+				} else if (order_elt->type ==
+						   dns_aclelementtype_localhost &&
+					   env->localhost != NULL)
+				{
+					*argp = env->localhost;
+					return (NS_SORTLISTTYPE_2ELEMENT);
+				} else if (order_elt->type ==
+						   dns_aclelementtype_localnets &&
+					   env->localnets != NULL)
+				{
+					*argp = env->localnets;
+					return (NS_SORTLISTTYPE_2ELEMENT);
+				} else {
+					/*
+					 * BIND 8 allows a bare IP prefix as
+					 * the 2nd element of a 2-element
+					 * sortlist statement.
+					 */
+					*argp = order_elt;
+					return (NS_SORTLISTTYPE_1ELEMENT);
+				}
+			} else {
+				INSIST(matched_elt != NULL);
+				*argp = matched_elt;
+				return (NS_SORTLISTTYPE_1ELEMENT);
+			}
+		}
+	}
+
+	/* No match; don't sort. */
+dont_sort:
+	*argp = NULL;
+	return (NS_SORTLISTTYPE_NONE);
+}
+
+int
+ns_sortlist_addrorder2(const isc_netaddr_t *addr, const void *arg) {
+	const dns_sortlist_arg_t *sla = (const dns_sortlist_arg_t *)arg;
+	const dns_aclenv_t *env = sla->env;
+	const dns_acl_t *sortacl = sla->acl;
+	int match;
+
+	(void)dns_acl_match(addr, NULL, sortacl, env, &match, NULL);
+	if (match > 0) {
+		return (match);
+	} else if (match < 0) {
+		return (INT_MAX - (-match));
+	} else {
+		return (INT_MAX / 2);
+	}
+}
+
+int
+ns_sortlist_addrorder1(const isc_netaddr_t *addr, const void *arg) {
+	const dns_sortlist_arg_t *sla = (const dns_sortlist_arg_t *)arg;
+	const dns_aclenv_t *env = sla->env;
+	const dns_aclelement_t *element = sla->element;
+
+	if (dns_aclelement_match(addr, NULL, element, env, NULL)) {
+		return (0);
+	}
+
+	return (INT_MAX);
+}
+
+void
+ns_sortlist_byaddrsetup(dns_acl_t *sortlist_acl, dns_aclenv_t *env,
+			isc_netaddr_t *client_addr,
+			dns_addressorderfunc_t *orderp, const void **argp) {
+	ns_sortlisttype_t sortlisttype;
+
+	sortlisttype = ns_sortlist_setup(sortlist_acl, env, client_addr, argp);
+
+	switch (sortlisttype) {
+	case NS_SORTLISTTYPE_1ELEMENT:
+		*orderp = ns_sortlist_addrorder1;
+		break;
+	case NS_SORTLISTTYPE_2ELEMENT:
+		*orderp = ns_sortlist_addrorder2;
+		break;
+	case NS_SORTLISTTYPE_NONE:
+		*orderp = NULL;
+		break;
+	default:
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "unexpected return from ns_sortlist_setup(): "
+				 "%d",
+				 sortlisttype);
+		break;
+	}
+}
diff --git a/lib/ns/stats.c b/lib/ns/stats.c
new file mode 100644
index 0000000..de5b083
--- /dev/null
+++ b/lib/ns/stats.c
@@ -0,0 +1,128 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/refcount.h>
+#include <isc/stats.h>
+#include <isc/util.h>
+
+#include <ns/stats.h>
+
+#define NS_STATS_MAGIC	  ISC_MAGIC('N', 's', 't', 't')
+#define NS_STATS_VALID(x) ISC_MAGIC_VALID(x, NS_STATS_MAGIC)
+
+struct ns_stats {
+	/*% Unlocked */
+	unsigned int magic;
+	isc_mem_t *mctx;
+	isc_stats_t *counters;
+	isc_refcount_t references;
+};
+
+void
+ns_stats_attach(ns_stats_t *stats, ns_stats_t **statsp) {
+	REQUIRE(NS_STATS_VALID(stats));
+	REQUIRE(statsp != NULL && *statsp == NULL);
+
+	isc_refcount_increment(&stats->references);
+
+	*statsp = stats;
+}
+
+void
+ns_stats_detach(ns_stats_t **statsp) {
+	ns_stats_t *stats;
+
+	REQUIRE(statsp != NULL && NS_STATS_VALID(*statsp));
+
+	stats = *statsp;
+	*statsp = NULL;
+
+	if (isc_refcount_decrement(&stats->references) == 1) {
+		isc_stats_detach(&stats->counters);
+		isc_refcount_destroy(&stats->references);
+		isc_mem_putanddetach(&stats->mctx, stats, sizeof(*stats));
+	}
+}
+
+isc_result_t
+ns_stats_create(isc_mem_t *mctx, int ncounters, ns_stats_t **statsp) {
+	ns_stats_t *stats;
+	isc_result_t result;
+
+	REQUIRE(statsp != NULL && *statsp == NULL);
+
+	stats = isc_mem_get(mctx, sizeof(*stats));
+	stats->counters = NULL;
+
+	isc_refcount_init(&stats->references, 1);
+
+	result = isc_stats_create(mctx, &stats->counters, ncounters);
+	if (result != ISC_R_SUCCESS) {
+		goto clean_mem;
+	}
+
+	stats->magic = NS_STATS_MAGIC;
+	stats->mctx = NULL;
+	isc_mem_attach(mctx, &stats->mctx);
+	*statsp = stats;
+
+	return (ISC_R_SUCCESS);
+
+clean_mem:
+	isc_mem_put(mctx, stats, sizeof(*stats));
+
+	return (result);
+}
+
+/*%
+ * Increment/Decrement methods
+ */
+void
+ns_stats_increment(ns_stats_t *stats, isc_statscounter_t counter) {
+	REQUIRE(NS_STATS_VALID(stats));
+
+	isc_stats_increment(stats->counters, counter);
+}
+
+void
+ns_stats_decrement(ns_stats_t *stats, isc_statscounter_t counter) {
+	REQUIRE(NS_STATS_VALID(stats));
+
+	isc_stats_decrement(stats->counters, counter);
+}
+
+isc_stats_t *
+ns_stats_get(ns_stats_t *stats) {
+	REQUIRE(NS_STATS_VALID(stats));
+
+	return (stats->counters);
+}
+
+void
+ns_stats_update_if_greater(ns_stats_t *stats, isc_statscounter_t counter,
+			   isc_statscounter_t value) {
+	REQUIRE(NS_STATS_VALID(stats));
+
+	isc_stats_update_if_greater(stats->counters, counter, value);
+}
+
+isc_statscounter_t
+ns_stats_get_counter(ns_stats_t *stats, isc_statscounter_t counter) {
+	REQUIRE(NS_STATS_VALID(stats));
+
+	return (isc_stats_get_counter(stats->counters, counter));
+}
diff --git a/lib/ns/tests/Kyuafile b/lib/ns/tests/Kyuafile
new file mode 100644
index 0000000..22cdcff
--- /dev/null
+++ b/lib/ns/tests/Kyuafile
@@ -0,0 +1,18 @@
+-- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+--
+-- SPDX-License-Identifier: MPL-2.0
+--
+-- This Source Code Form is subject to the terms of the Mozilla Public
+-- License, v. 2.0.  If a copy of the MPL was not distributed with this
+-- file, you can obtain one at https://mozilla.org/MPL/2.0/.
+--
+-- See the COPYRIGHT file distributed with this work for additional
+-- information regarding copyright ownership.
+
+syntax(2)
+test_suite('bind9')
+
+tap_test_program{name='listenlist_test'}
+tap_test_program{name='notify_test'}
+tap_test_program{name='plugin_test'}
+tap_test_program{name='query_test'}
diff --git a/lib/ns/tests/Makefile.in b/lib/ns/tests/Makefile.in
new file mode 100644
index 0000000..9adcb37
--- /dev/null
+++ b/lib/ns/tests/Makefile.in
@@ -0,0 +1,85 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+WRAP_OPTIONS =	-Wl,--wrap=isc__nmhandle_detach -Wl,--wrap=isc__nmhandle_attach
+
+CINCLUDES =	-I. -Iinclude ${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
+		${OPENSSL_CFLAGS} \
+		@CMOCKA_CFLAGS@
+CDEFINES =	-DTESTS="\"${top_builddir}/lib/ns/tests/\"" -DNAMED_PLUGINDIR=\"${plugindir}\"
+
+ISCLIBS =	../../isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+ISCDEPLIBS =	../../isc/libisc.@A@
+DNSLIBS =	../../dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+DNSDEPLIBS =	../../dns/libdns.@A@
+NSLIBS =	../libns.@A@
+NSDEPLIBS =	../libns.@A@
+
+LIBS =		@LIBS@ @CMOCKA_LIBS@
+
+SO_CFLAGS =	@CFLAGS@ @SO_CFLAGS@
+SO_LDFLAGS =	@LDFLAGS@ @SO_LDFLAGS@
+
+OBJS =		nstest.@O@
+SRCS =		nstest.c \
+		listenlist_test.c \
+		notify_test.c \
+		plugin_test.c \
+		query_test.c
+
+SUBDIRS =
+TARGETS =	listenlist_test@EXEEXT@ \
+		notify_test@EXEEXT@ \
+		plugin_test@EXEEXT@ \
+		query_test@EXEEXT@
+
+LD_WRAP_TESTS=@LD_WRAP_TESTS@
+
+@BIND9_MAKE_RULES@
+
+listenlist_test@EXEEXT@: listenlist_test.@O@ nstest.@O@ ${NSDEPLIBS} ${ISCDEPLIBS} ${DNSDEPLIBS}
+	if test "${LD_WRAP_TESTS}" = true -a -z "${LIBTOOL}"; then WRAP="${WRAP_OPTIONS}"; fi; \
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} $${WRAP} -o $@ listenlist_test.@O@ nstest.@O@ \
+		${NSLIBS} ${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+notify_test@EXEEXT@: notify_test.@O@ nstest.@O@ ${NSDEPLIBS} ${ISCDEPLIBS} ${DNSDEPLIBS}
+	if test "${LD_WRAP_TESTS}" = true -a -z "${LIBTOOL}"; then WRAP="${WRAP_OPTIONS}"; fi; \
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} $${WRAP} -o $@ notify_test.@O@ nstest.@O@ \
+		${NSLIBS} ${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+plugin_test@EXEEXT@: plugin_test.@O@ nstest.@O@ ${NSDEPLIBS} ${ISCDEPLIBS} ${DNSDEPLIBS}
+	if test "${LD_WRAP_TESTS}" = true -a -z "${LIBTOOL}"; then WRAP="${WRAP_OPTIONS}"; fi; \
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} $${WRAP} -o $@ plugin_test.@O@ nstest.@O@ \
+		${NSLIBS} ${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+query_test@EXEEXT@: query_test.@O@ nstest.@O@ ${NSDEPLIBS} ${ISCDEPLIBS} ${DNSDEPLIBS}
+	if test "${LD_WRAP_TESTS}" = true -a -z "${LIBTOOL}"; then WRAP="${WRAP_OPTIONS}"; fi; \
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+		${LDFLAGS} $${WRAP} -o $@ query_test.@O@ nstest.@O@ \
+		${NSLIBS} ${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+unit::
+	sh ${top_builddir}/unit/unittest.sh
+
+clean distclean::
+	rm -f ${TARGETS}
+	rm -f atf.out
diff --git a/lib/ns/tests/listenlist_test.c b/lib/ns/tests/listenlist_test.c
new file mode 100644
index 0000000..72cb36e
--- /dev/null
+++ b/lib/ns/tests/listenlist_test.c
@@ -0,0 +1,140 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <isc/util.h>
+
+#if HAVE_CMOCKA
+
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/list.h>
+#include <isc/print.h>
+#include <isc/random.h>
+
+#include <dns/acl.h>
+
+#include <ns/listenlist.h>
+
+#include "nstest.h"
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = ns_test_begin(NULL, true);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	ns_test_end();
+
+	return (0);
+}
+
+/* test that ns_listenlist_default() works */
+static void
+ns_listenlist_default_test(void **state) {
+	isc_result_t result;
+	in_port_t port = 5300 + isc_random8();
+	ns_listenlist_t *list = NULL;
+	ns_listenelt_t *elt;
+	int count;
+
+	UNUSED(state);
+
+	result = ns_listenlist_default(mctx, port, -1, false, &list);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_non_null(list);
+
+	assert_false(ISC_LIST_EMPTY(list->elts));
+
+	count = 0;
+	elt = ISC_LIST_HEAD(list->elts);
+	while (elt != NULL) {
+		ns_listenelt_t *next = ISC_LIST_NEXT(elt, link);
+		dns_acl_t *acl = NULL;
+
+		dns_acl_attach(elt->acl, &acl);
+		ISC_LIST_UNLINK(list->elts, elt, link);
+		ns_listenelt_destroy(elt);
+		elt = next;
+
+		assert_true(dns_acl_isnone(acl));
+		dns_acl_detach(&acl);
+		count++;
+	}
+
+	assert_true(ISC_LIST_EMPTY(list->elts));
+	assert_int_equal(count, 1);
+
+	ns_listenlist_detach(&list);
+
+	result = ns_listenlist_default(mctx, port, -1, true, &list);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	assert_false(ISC_LIST_EMPTY(list->elts));
+
+	/* This time just use ns_listenlist_detach() to destroy elements */
+	count = 0;
+	elt = ISC_LIST_HEAD(list->elts);
+	while (elt != NULL) {
+		ns_listenelt_t *next = ISC_LIST_NEXT(elt, link);
+		assert_true(dns_acl_isany(elt->acl));
+		elt = next;
+		count++;
+	}
+
+	assert_int_equal(count, 1);
+
+	ns_listenlist_detach(&list);
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test_setup_teardown(ns_listenlist_default_test,
+						_setup, _teardown),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* HAVE_CMOCKA */
diff --git a/lib/ns/tests/notify_test.c b/lib/ns/tests/notify_test.c
new file mode 100644
index 0000000..82880fb
--- /dev/null
+++ b/lib/ns/tests/notify_test.c
@@ -0,0 +1,172 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <isc/util.h>
+
+#if HAVE_CMOCKA
+
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/event.h>
+#include <isc/print.h>
+#include <isc/task.h>
+
+#include <dns/acl.h>
+#include <dns/rcode.h>
+#include <dns/view.h>
+
+#include <ns/client.h>
+#include <ns/notify.h>
+
+#include "nstest.h"
+
+#if defined(USE_LIBTOOL) || LD_WRAP
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = ns_test_begin(NULL, true);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	ns_test_end();
+
+	return (0);
+}
+
+static void
+check_response(isc_buffer_t *buf) {
+	isc_result_t result;
+	dns_message_t *message = NULL;
+	char rcodebuf[20];
+	isc_buffer_t b;
+
+	dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &message);
+
+	result = dns_message_parse(message, buf, 0);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	isc_buffer_init(&b, rcodebuf, sizeof(rcodebuf));
+	result = dns_rcode_totext(message->rcode, &b);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	assert_int_equal(message->rcode, dns_rcode_noerror);
+
+	dns_message_detach(&message);
+}
+
+/* test ns_notify_start() */
+static void
+notify_start(void **state) {
+	isc_result_t result;
+	ns_client_t *client = NULL;
+	isc_nmhandle_t *handle = NULL;
+	dns_message_t *nmsg = NULL;
+	unsigned char ndata[4096];
+	isc_buffer_t nbuf;
+	size_t nsize;
+
+	UNUSED(state);
+
+	result = ns_test_getclient(NULL, false, &client);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = ns_test_makeview("view", false, &client->view);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = ns_test_serve_zone("example.com", "testdata/notify/zone1.db",
+				    client->view);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/*
+	 * Create a NOTIFY message by parsing a file in testdata.
+	 * (XXX: use better message mocking method when available.)
+	 */
+
+	result = ns_test_getdata("testdata/notify/notify1.msg", ndata,
+				 sizeof(ndata), &nsize);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	isc_buffer_init(&nbuf, ndata, nsize);
+	isc_buffer_add(&nbuf, nsize);
+
+	dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &nmsg);
+
+	result = dns_message_parse(nmsg, &nbuf, 0);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	/*
+	 * Set up client object with this message and test the NOTIFY
+	 * handler.
+	 */
+	if (client->message != NULL) {
+		dns_message_detach(&client->message);
+	}
+	client->message = nmsg;
+	nmsg = NULL;
+	client->sendcb = check_response;
+	ns_notify_start(client, client->handle);
+
+	/*
+	 * Clean up
+	 */
+	ns_test_cleanup_zone();
+
+	handle = client->handle;
+	isc_nmhandle_detach(&client->handle);
+	isc_nmhandle_detach(&handle);
+}
+#endif /* if defined(USE_LIBTOOL) || LD_WRAP */
+
+int
+main(void) {
+#if defined(USE_LIBTOOL) || LD_WRAP
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test_setup_teardown(notify_start, _setup,
+						_teardown),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+#else  /* if defined(USE_LIBTOOL) || LD_WRAP */
+	print_message("1..0 # Skip notify_test requires libtool or LD_WRAP\n");
+#endif /* if defined(USE_LIBTOOL) || LD_WRAP */
+}
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* HAVE_CMOCKA */
diff --git a/lib/ns/tests/nstest.c b/lib/ns/tests/nstest.c
new file mode 100644
index 0000000..df15408
--- /dev/null
+++ b/lib/ns/tests/nstest.c
@@ -0,0 +1,1018 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include "nstest.h"
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <isc/app.h>
+#include <isc/buffer.h>
+#include <isc/file.h>
+#include <isc/hash.h>
+#include <isc/managers.h>
+#include <isc/mem.h>
+#include <isc/netmgr.h>
+#include <isc/os.h>
+#include <isc/print.h>
+#include <isc/random.h>
+#include <isc/resource.h>
+#include <isc/socket.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/cache.h>
+#include <dns/db.h>
+#include <dns/dispatch.h>
+#include <dns/fixedname.h>
+#include <dns/log.h>
+#include <dns/name.h>
+#include <dns/result.h>
+#include <dns/view.h>
+#include <dns/zone.h>
+
+#include <ns/client.h>
+#include <ns/hooks.h>
+#include <ns/interfacemgr.h>
+#include <ns/server.h>
+
+isc_mem_t *mctx = NULL;
+isc_log_t *lctx = NULL;
+isc_taskmgr_t *taskmgr = NULL;
+isc_task_t *maintask = NULL;
+isc_timermgr_t *timermgr = NULL;
+isc_socketmgr_t *socketmgr = NULL;
+isc_nm_t *netmgr = NULL;
+dns_zonemgr_t *zonemgr = NULL;
+dns_dispatchmgr_t *dispatchmgr = NULL;
+ns_clientmgr_t *clientmgr = NULL;
+ns_interfacemgr_t *interfacemgr = NULL;
+ns_server_t *sctx = NULL;
+bool app_running = false;
+int ncpus;
+bool debug_mem_record = true;
+static atomic_bool run_managers = false;
+
+static bool dst_active = false;
+static bool test_running = false;
+
+static dns_zone_t *served_zone = NULL;
+
+/*
+ * We don't want to use netmgr-based client accounting, we need to emulate it.
+ */
+atomic_uint_fast32_t client_refs[32];
+atomic_uintptr_t client_addrs[32];
+
+void
+__wrap_isc__nmhandle_attach(isc_nmhandle_t *source, isc_nmhandle_t **targetp);
+void
+__wrap_isc__nmhandle_detach(isc_nmhandle_t **handlep);
+
+void
+__wrap_isc__nmhandle_attach(isc_nmhandle_t *source, isc_nmhandle_t **targetp) {
+	ns_client_t *client = (ns_client_t *)source;
+	int i;
+
+	for (i = 0; i < 32; i++) {
+		if (atomic_load(&client_addrs[i]) == (uintptr_t)client) {
+			break;
+		}
+	}
+	INSIST(i < 32);
+	INSIST(atomic_load(&client_refs[i]) > 0);
+
+	atomic_fetch_add(&client_refs[i], 1);
+
+	*targetp = source;
+	return;
+}
+
+void
+__wrap_isc__nmhandle_detach(isc_nmhandle_t **handlep) {
+	isc_nmhandle_t *handle = *handlep;
+	ns_client_t *client = (ns_client_t *)handle;
+	int i;
+
+	*handlep = NULL;
+
+	for (i = 0; i < 32; i++) {
+		if (atomic_load(&client_addrs[i]) == (uintptr_t)client) {
+			break;
+		}
+	}
+	INSIST(i < 32);
+
+	if (atomic_fetch_sub(&client_refs[i], 1) == 1) {
+		dns_view_detach(&client->view);
+		client->state = 4;
+		ns__client_reset_cb(client);
+		ns__client_put_cb(client);
+		isc_mem_put(mctx, client, sizeof(ns_client_t));
+	}
+
+	return;
+}
+
+#ifdef USE_LIBTOOL
+void
+isc__nmhandle_attach(isc_nmhandle_t *source, isc_nmhandle_t **targetp) {
+	__wrap_isc__nmhandle_attach(source, targetp);
+}
+void
+isc__nmhandle_detach(isc_nmhandle_t **handle) {
+	__wrap_isc__nmhandle_detach(handle);
+}
+#endif /* USE_LIBTOOL */
+
+/*
+ * Logging categories: this needs to match the list in lib/ns/log.c.
+ */
+static isc_logcategory_t categories[] = { { "", 0 },
+					  { "client", 0 },
+					  { "network", 0 },
+					  { "update", 0 },
+					  { "queries", 0 },
+					  { "unmatched", 0 },
+					  { "update-security", 0 },
+					  { "query-errors", 0 },
+					  { NULL, 0 } };
+
+static isc_result_t
+matchview(isc_netaddr_t *srcaddr, isc_netaddr_t *destaddr,
+	  dns_message_t *message, dns_aclenv_t *env, isc_result_t *sigresultp,
+	  dns_view_t **viewp) {
+	UNUSED(srcaddr);
+	UNUSED(destaddr);
+	UNUSED(message);
+	UNUSED(env);
+	UNUSED(sigresultp);
+	UNUSED(viewp);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+/*
+ * These need to be shut down from a running task.
+ */
+static atomic_bool shutdown_done = false;
+static void
+shutdown_managers(isc_task_t *task, isc_event_t *event) {
+	UNUSED(task);
+
+	if (interfacemgr != NULL) {
+		ns_interfacemgr_shutdown(interfacemgr);
+		ns_interfacemgr_detach(&interfacemgr);
+	}
+
+	if (dispatchmgr != NULL) {
+		dns_dispatchmgr_destroy(&dispatchmgr);
+	}
+
+	atomic_store(&shutdown_done, true);
+	atomic_store(&run_managers, false);
+
+	isc_event_free(&event);
+}
+
+static void
+cleanup_managers(void) {
+	atomic_store(&shutdown_done, false);
+
+	if (maintask != NULL) {
+		isc_task_shutdown(maintask);
+		isc_task_destroy(&maintask);
+	}
+
+	while (atomic_load(&run_managers) && !atomic_load(&shutdown_done)) {
+		/*
+		 * There's no straightforward way to determine
+		 * whether all the clients have shut down, so
+		 * we'll just sleep for a bit and hope.
+		 */
+		ns_test_nap(500000);
+	}
+
+	if (sctx != NULL) {
+		ns_server_detach(&sctx);
+	}
+	if (interfacemgr != NULL) {
+		ns_interfacemgr_detach(&interfacemgr);
+	}
+	if (socketmgr != NULL) {
+		isc_socketmgr_destroy(&socketmgr);
+	}
+
+	isc_managers_destroy(netmgr == NULL ? NULL : &netmgr,
+			     taskmgr == NULL ? NULL : &taskmgr);
+
+	if (timermgr != NULL) {
+		isc_timermgr_destroy(&timermgr);
+	}
+	if (app_running) {
+		isc_app_finish();
+	}
+}
+
+static void
+scan_interfaces(isc_task_t *task, isc_event_t *event) {
+	UNUSED(task);
+
+	ns_interfacemgr_scan(interfacemgr, true);
+	isc_event_free(&event);
+}
+
+static isc_result_t
+create_managers(void) {
+	isc_result_t result;
+	in_port_t port = 5300 + isc_random8();
+	ns_listenlist_t *listenon = NULL;
+	isc_event_t *event = NULL;
+	ncpus = isc_os_ncpus();
+
+	CHECK(isc_managers_create(mctx, ncpus, 0, &netmgr, &taskmgr));
+	CHECK(isc_task_create_bound(taskmgr, 0, &maintask, 0));
+	isc_taskmgr_setexcltask(taskmgr, maintask);
+	CHECK(isc_task_onshutdown(maintask, shutdown_managers, NULL));
+
+	CHECK(isc_timermgr_create(mctx, &timermgr));
+
+	CHECK(isc_socketmgr_create(mctx, &socketmgr));
+
+	CHECK(ns_server_create(mctx, matchview, &sctx));
+
+	CHECK(dns_dispatchmgr_create(mctx, &dispatchmgr));
+
+	CHECK(ns_interfacemgr_create(mctx, sctx, taskmgr, timermgr, socketmgr,
+				     netmgr, dispatchmgr, maintask, ncpus, NULL,
+				     ncpus, &interfacemgr));
+
+	CHECK(ns_listenlist_default(mctx, port, -1, true, &listenon));
+	ns_interfacemgr_setlistenon4(interfacemgr, listenon);
+	ns_listenlist_detach(&listenon);
+
+	event = isc_event_allocate(mctx, maintask, ISC_TASKEVENT_TEST,
+				   scan_interfaces, NULL, sizeof(isc_event_t));
+	isc_task_send(maintask, &event);
+
+	/*
+	 * There's no straightforward way to determine
+	 * whether the interfaces have been scanned,
+	 * we'll just sleep for a bit and hope.
+	 */
+	ns_test_nap(500000);
+	ns_interface_t *ifp = ns__interfacemgr_getif(interfacemgr);
+	clientmgr = ifp->clientmgr;
+
+	atomic_store(&run_managers, true);
+
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	cleanup_managers();
+	return (result);
+}
+
+isc_result_t
+ns_test_begin(FILE *logfile, bool start_managers) {
+	isc_result_t result;
+
+	INSIST(!test_running);
+	test_running = true;
+
+	if (start_managers) {
+		isc_resourcevalue_t files;
+
+		/*
+		 * The 'listenlist_test', 'notify_test', and 'query_test'
+		 * tests need more than 256 descriptors with 8 cpus.
+		 * Bump up to at least 1024.
+		 */
+		result = isc_resource_getcurlimit(isc_resource_openfiles,
+						  &files);
+		if (result == ISC_R_SUCCESS) {
+			if (files < 1024) {
+				files = 1024;
+				(void)isc_resource_setlimit(
+					isc_resource_openfiles, files);
+			}
+		}
+		CHECK(isc_app_start());
+	}
+	if (debug_mem_record) {
+		isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
+	}
+
+	INSIST(mctx == NULL);
+	isc_mem_create(&mctx);
+
+	if (!dst_active) {
+		CHECK(dst_lib_init(mctx, NULL));
+		dst_active = true;
+	}
+
+	if (logfile != NULL) {
+		isc_logdestination_t destination;
+		isc_logconfig_t *logconfig = NULL;
+
+		INSIST(lctx == NULL);
+		isc_log_create(mctx, &lctx, &logconfig);
+
+		isc_log_registercategories(lctx, categories);
+		isc_log_setcontext(lctx);
+		dns_log_init(lctx);
+		dns_log_setcontext(lctx);
+
+		destination.file.stream = logfile;
+		destination.file.name = NULL;
+		destination.file.versions = ISC_LOG_ROLLNEVER;
+		destination.file.maximum_size = 0;
+		isc_log_createchannel(logconfig, "stderr", ISC_LOG_TOFILEDESC,
+				      ISC_LOG_DYNAMIC, &destination, 0);
+		CHECK(isc_log_usechannel(logconfig, "stderr", NULL, NULL));
+	}
+
+	dns_result_register();
+
+	if (start_managers) {
+		CHECK(create_managers());
+	}
+
+	/*
+	 * atf-run changes us to a /tmp directory, so tests
+	 * that access test data files must first chdir to the proper
+	 * location.
+	 */
+	if (chdir(TESTS) == -1) {
+		CHECK(ISC_R_FAILURE);
+	}
+
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	ns_test_end();
+	return (result);
+}
+
+void
+ns_test_end(void) {
+	cleanup_managers();
+
+	dst_lib_destroy();
+	dst_active = false;
+
+	if (lctx != NULL) {
+		isc_log_destroy(&lctx);
+	}
+
+	if (mctx != NULL) {
+		isc_mem_destroy(&mctx);
+	}
+
+	test_running = false;
+}
+
+isc_result_t
+ns_test_makeview(const char *name, bool with_cache, dns_view_t **viewp) {
+	dns_cache_t *cache = NULL;
+	dns_view_t *view = NULL;
+	isc_result_t result;
+
+	CHECK(dns_view_create(mctx, dns_rdataclass_in, name, &view));
+
+	if (with_cache) {
+		CHECK(dns_cache_create(mctx, mctx, taskmgr, timermgr,
+				       dns_rdataclass_in, "", "rbt", 0, NULL,
+				       &cache));
+		dns_view_setcache(view, cache, false);
+		/*
+		 * Reference count for "cache" is now at 2, so decrement it in
+		 * order for the cache to be automatically freed when "view"
+		 * gets freed.
+		 */
+		dns_cache_detach(&cache);
+	}
+
+	*viewp = view;
+
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	if (view != NULL) {
+		dns_view_detach(&view);
+	}
+	return (result);
+}
+
+/*
+ * Create a zone with origin 'name', return a pointer to the zone object in
+ * 'zonep'.  If 'view' is set, add the zone to that view; otherwise, create
+ * a new view for the purpose.
+ *
+ * If the created view is going to be needed by the caller subsequently,
+ * then 'keepview' should be set to true; this will prevent the view
+ * from being detached.  In this case, the caller is responsible for
+ * detaching the view.
+ */
+isc_result_t
+ns_test_makezone(const char *name, dns_zone_t **zonep, dns_view_t *view,
+		 bool keepview) {
+	isc_result_t result;
+	dns_zone_t *zone = NULL;
+	isc_buffer_t buffer;
+	dns_fixedname_t fixorigin;
+	dns_name_t *origin;
+
+	if (view == NULL) {
+		CHECK(dns_view_create(mctx, dns_rdataclass_in, "view", &view));
+	} else if (!keepview) {
+		keepview = true;
+	}
+
+	zone = *zonep;
+	if (zone == NULL) {
+		CHECK(dns_zone_create(&zone, mctx));
+	}
+
+	isc_buffer_constinit(&buffer, name, strlen(name));
+	isc_buffer_add(&buffer, strlen(name));
+	origin = dns_fixedname_initname(&fixorigin);
+	CHECK(dns_name_fromtext(origin, &buffer, dns_rootname, 0, NULL));
+	CHECK(dns_zone_setorigin(zone, origin));
+	dns_zone_setview(zone, view);
+	dns_zone_settype(zone, dns_zone_primary);
+	dns_zone_setclass(zone, view->rdclass);
+	dns_view_addzone(view, zone);
+
+	if (!keepview) {
+		dns_view_detach(&view);
+	}
+
+	*zonep = zone;
+
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	if (zone != NULL) {
+		dns_zone_detach(&zone);
+	}
+	if (view != NULL) {
+		dns_view_detach(&view);
+	}
+	return (result);
+}
+
+isc_result_t
+ns_test_setupzonemgr(void) {
+	isc_result_t result;
+	REQUIRE(zonemgr == NULL);
+
+	result = dns_zonemgr_create(mctx, taskmgr, timermgr, socketmgr,
+				    &zonemgr);
+	return (result);
+}
+
+isc_result_t
+ns_test_managezone(dns_zone_t *zone) {
+	isc_result_t result;
+	REQUIRE(zonemgr != NULL);
+
+	result = dns_zonemgr_setsize(zonemgr, 1);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = dns_zonemgr_managezone(zonemgr, zone);
+	return (result);
+}
+
+void
+ns_test_releasezone(dns_zone_t *zone) {
+	REQUIRE(zonemgr != NULL);
+	dns_zonemgr_releasezone(zonemgr, zone);
+}
+
+void
+ns_test_closezonemgr(void) {
+	REQUIRE(zonemgr != NULL);
+
+	dns_zonemgr_shutdown(zonemgr);
+	dns_zonemgr_detach(&zonemgr);
+}
+
+isc_result_t
+ns_test_serve_zone(const char *zonename, const char *filename,
+		   dns_view_t *view) {
+	isc_result_t result;
+	dns_db_t *db = NULL;
+
+	/*
+	 * Prepare zone structure for further processing.
+	 */
+	result = ns_test_makezone(zonename, &served_zone, view, true);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	/*
+	 * Start zone manager.
+	 */
+	result = ns_test_setupzonemgr();
+	if (result != ISC_R_SUCCESS) {
+		goto free_zone;
+	}
+
+	/*
+	 * Add the zone to the zone manager.
+	 */
+	result = ns_test_managezone(served_zone);
+	if (result != ISC_R_SUCCESS) {
+		goto close_zonemgr;
+	}
+
+	view->nocookieudp = 512;
+
+	/*
+	 * Set path to the master file for the zone and then load it.
+	 */
+	dns_zone_setfile(served_zone, filename, dns_masterformat_text,
+			 &dns_master_style_default);
+	result = dns_zone_load(served_zone, false);
+	if (result != ISC_R_SUCCESS) {
+		goto release_zone;
+	}
+
+	/*
+	 * The zone should now be loaded; test it.
+	 */
+	result = dns_zone_getdb(served_zone, &db);
+	if (result != ISC_R_SUCCESS) {
+		goto release_zone;
+	}
+	if (db != NULL) {
+		dns_db_detach(&db);
+	}
+
+	return (ISC_R_SUCCESS);
+
+release_zone:
+	ns_test_releasezone(served_zone);
+close_zonemgr:
+	ns_test_closezonemgr();
+free_zone:
+	dns_zone_detach(&served_zone);
+
+	return (result);
+}
+
+void
+ns_test_cleanup_zone(void) {
+	ns_test_releasezone(served_zone);
+	ns_test_closezonemgr();
+
+	dns_zone_detach(&served_zone);
+}
+
+isc_result_t
+ns_test_getclient(ns_interface_t *ifp0, bool tcp, ns_client_t **clientp) {
+	isc_result_t result;
+	ns_client_t *client = isc_mem_get(mctx, sizeof(ns_client_t));
+	int i;
+
+	UNUSED(ifp0);
+	UNUSED(tcp);
+
+	result = ns__client_setup(client, clientmgr, true);
+
+	for (i = 0; i < 32; i++) {
+		if (atomic_load(&client_addrs[i]) == (uintptr_t)NULL ||
+		    atomic_load(&client_addrs[i]) == (uintptr_t)client)
+		{
+			break;
+		}
+	}
+	REQUIRE(i < 32);
+
+	atomic_store(&client_refs[i], 2);
+	atomic_store(&client_addrs[i], (uintptr_t)client);
+	client->handle = (isc_nmhandle_t *)client; /* Hack */
+	*clientp = client;
+
+	return (result);
+}
+
+/*%
+ * Synthesize a DNS message based on supplied QNAME, QTYPE and flags, then
+ * parse it and store the results in client->message.
+ */
+static isc_result_t
+attach_query_msg_to_client(ns_client_t *client, const char *qnamestr,
+			   dns_rdatatype_t qtype, unsigned int qflags) {
+	dns_rdataset_t *qrdataset = NULL;
+	dns_message_t *message = NULL;
+	unsigned char query[65536];
+	dns_name_t *qname = NULL;
+	isc_buffer_t querybuf;
+	dns_compress_t cctx;
+	isc_result_t result;
+
+	REQUIRE(client != NULL);
+	REQUIRE(qnamestr != NULL);
+
+	/*
+	 * Create a new DNS message holding a query.
+	 */
+	dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &message);
+
+	/*
+	 * Set query ID to a random value.
+	 */
+	message->id = isc_random16();
+
+	/*
+	 * Set query flags as requested by the caller.
+	 */
+	message->flags = qflags;
+
+	/*
+	 * Allocate structures required to construct the query.
+	 */
+	result = dns_message_gettemprdataset(message, &qrdataset);
+	if (result != ISC_R_SUCCESS) {
+		goto destroy_message;
+	}
+	result = dns_message_gettempname(message, &qname);
+	if (result != ISC_R_SUCCESS) {
+		goto put_rdataset;
+	}
+
+	/*
+	 * Convert "qnamestr" to a DNS name, create a question rdataset of
+	 * class IN and type "qtype", link the two and add the result to the
+	 * QUESTION section of the query.
+	 */
+	result = dns_name_fromstring(qname, qnamestr, 0, mctx);
+	if (result != ISC_R_SUCCESS) {
+		goto put_name;
+	}
+	dns_rdataset_makequestion(qrdataset, dns_rdataclass_in, qtype);
+	ISC_LIST_APPEND(qname->list, qrdataset, link);
+	dns_message_addname(message, qname, DNS_SECTION_QUESTION);
+
+	/*
+	 * Render the query.
+	 */
+	dns_compress_init(&cctx, -1, mctx);
+	isc_buffer_init(&querybuf, query, sizeof(query));
+	result = dns_message_renderbegin(message, &cctx, &querybuf);
+	if (result != ISC_R_SUCCESS) {
+		goto destroy_message;
+	}
+	result = dns_message_rendersection(message, DNS_SECTION_QUESTION, 0);
+	if (result != ISC_R_SUCCESS) {
+		goto destroy_message;
+	}
+	result = dns_message_renderend(message);
+	if (result != ISC_R_SUCCESS) {
+		goto destroy_message;
+	}
+	dns_compress_invalidate(&cctx);
+
+	/*
+	 * Destroy the created message as it was rendered into "querybuf" and
+	 * the latter is all we are going to need from now on.
+	 */
+	dns_message_detach(&message);
+
+	/*
+	 * Parse the rendered query, storing results in client->message.
+	 */
+	isc_buffer_first(&querybuf);
+	return (dns_message_parse(client->message, &querybuf, 0));
+
+put_name:
+	dns_message_puttempname(message, &qname);
+put_rdataset:
+	dns_message_puttemprdataset(message, &qrdataset);
+destroy_message:
+	dns_message_detach(&message);
+
+	return (result);
+}
+
+/*%
+ * A hook action which stores the query context pointed to by "arg" at
+ * "data".  Causes execution to be interrupted at hook insertion
+ * point.
+ */
+static ns_hookresult_t
+extract_qctx(void *arg, void *data, isc_result_t *resultp) {
+	query_ctx_t **qctxp;
+	query_ctx_t *qctx;
+
+	REQUIRE(arg != NULL);
+	REQUIRE(data != NULL);
+	REQUIRE(resultp != NULL);
+
+	/*
+	 * qctx is a stack variable in lib/ns/query.c.  Its contents need to be
+	 * duplicated or otherwise they will become invalidated once the stack
+	 * gets unwound.
+	 */
+	qctx = isc_mem_get(mctx, sizeof(*qctx));
+	if (qctx != NULL) {
+		memmove(qctx, (query_ctx_t *)arg, sizeof(*qctx));
+	}
+
+	qctxp = (query_ctx_t **)data;
+	/*
+	 * If memory allocation failed, the supplied pointer will simply be set
+	 * to NULL.  We rely on the user of this hook to react properly.
+	 */
+	*qctxp = qctx;
+	*resultp = ISC_R_UNSET;
+
+	return (NS_HOOK_RETURN);
+}
+
+/*%
+ * Initialize a query context for "client" and store it in "qctxp".
+ *
+ * Requires:
+ *
+ * 	\li "client->message" to hold a parsed DNS query.
+ */
+static isc_result_t
+create_qctx_for_client(ns_client_t *client, query_ctx_t **qctxp) {
+	ns_hooktable_t *saved_hook_table = NULL, *query_hooks = NULL;
+	const ns_hook_t hook = {
+		.action = extract_qctx,
+		.action_data = qctxp,
+	};
+
+	REQUIRE(client != NULL);
+	REQUIRE(qctxp != NULL);
+	REQUIRE(*qctxp == NULL);
+
+	/*
+	 * Call ns_query_start() to initialize a query context for given
+	 * client, but first hook into query_setup() so that we can just
+	 * extract an initialized query context, without kicking off any
+	 * further processing.  Make sure we do not overwrite any previously
+	 * set hooks.
+	 */
+
+	ns_hooktable_create(mctx, &query_hooks);
+	ns_hook_add(query_hooks, mctx, NS_QUERY_SETUP, &hook);
+
+	saved_hook_table = ns__hook_table;
+	ns__hook_table = query_hooks;
+
+	ns_query_start(client, client->handle);
+
+	ns__hook_table = saved_hook_table;
+	ns_hooktable_free(mctx, (void **)&query_hooks);
+
+	isc_nmhandle_detach(&client->reqhandle);
+
+	if (*qctxp == NULL) {
+		return (ISC_R_NOMEMORY);
+	} else {
+		return (ISC_R_SUCCESS);
+	}
+}
+
+isc_result_t
+ns_test_qctx_create(const ns_test_qctx_create_params_t *params,
+		    query_ctx_t **qctxp) {
+	ns_client_t *client = NULL;
+	isc_result_t result;
+	isc_nmhandle_t *handle = NULL;
+
+	REQUIRE(params != NULL);
+	REQUIRE(params->qname != NULL);
+	REQUIRE(qctxp != NULL);
+	REQUIRE(*qctxp == NULL);
+
+	/*
+	 * Allocate and initialize a client structure.
+	 */
+	result = ns_test_getclient(NULL, false, &client);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	TIME_NOW(&client->tnow);
+
+	/*
+	 * Every client needs to belong to a view.
+	 */
+	result = ns_test_makeview("view", params->with_cache, &client->view);
+	if (result != ISC_R_SUCCESS) {
+		goto detach_client;
+	}
+
+	/*
+	 * Synthesize a DNS query using given QNAME, QTYPE and flags, storing
+	 * it in client->message.
+	 */
+	result = attach_query_msg_to_client(client, params->qname,
+					    params->qtype, params->qflags);
+	if (result != ISC_R_SUCCESS) {
+		goto detach_view;
+	}
+
+	/*
+	 * Allow recursion for the client.  As NS_CLIENTATTR_RA normally gets
+	 * set in ns__client_request(), i.e. earlier than the unit tests hook
+	 * into the call chain, just set it manually.
+	 */
+	client->attributes |= NS_CLIENTATTR_RA;
+
+	/*
+	 * Create a query context for a client sending the previously
+	 * synthesized query.
+	 */
+	result = create_qctx_for_client(client, qctxp);
+	if (result != ISC_R_SUCCESS) {
+		goto detach_query;
+	}
+
+	/*
+	 * The reference count for "client" is now at 2, so we need to
+	 * decrement it in order for it to drop to zero when "qctx" gets
+	 * destroyed.
+	 */
+	handle = client->handle;
+	isc_nmhandle_detach(&handle);
+
+	return (ISC_R_SUCCESS);
+
+detach_query:
+	dns_message_detach(&client->message);
+detach_view:
+	dns_view_detach(&client->view);
+detach_client:
+	isc_nmhandle_detach(&client->handle);
+
+	return (result);
+}
+
+void
+ns_test_qctx_destroy(query_ctx_t **qctxp) {
+	query_ctx_t *qctx;
+
+	REQUIRE(qctxp != NULL);
+	REQUIRE(*qctxp != NULL);
+
+	qctx = *qctxp;
+	*qctxp = NULL;
+
+	if (qctx->zone != NULL) {
+		dns_zone_detach(&qctx->zone);
+	}
+	if (qctx->db != NULL) {
+		dns_db_detach(&qctx->db);
+	}
+	if (qctx->client != NULL) {
+		isc_nmhandle_detach(&qctx->client->handle);
+	}
+
+	isc_mem_put(mctx, qctx, sizeof(*qctx));
+}
+
+ns_hookresult_t
+ns_test_hook_catch_call(void *arg, void *data, isc_result_t *resultp) {
+	UNUSED(arg);
+	UNUSED(data);
+
+	*resultp = ISC_R_UNSET;
+
+	return (NS_HOOK_RETURN);
+}
+
+/*
+ * Sleep for 'usec' microseconds.
+ */
+void
+ns_test_nap(uint32_t usec) {
+	struct timespec ts;
+
+	ts.tv_sec = usec / 1000000;
+	ts.tv_nsec = (usec % 1000000) * 1000;
+	nanosleep(&ts, NULL);
+}
+
+isc_result_t
+ns_test_loaddb(dns_db_t **db, dns_dbtype_t dbtype, const char *origin,
+	       const char *testfile) {
+	isc_result_t result;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+
+	name = dns_fixedname_initname(&fixed);
+
+	result = dns_name_fromstring(name, origin, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = dns_db_create(mctx, "rbt", name, dbtype, dns_rdataclass_in, 0,
+			       NULL, db);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = dns_db_load(*db, testfile, dns_masterformat_text, 0);
+	return (result);
+}
+
+static int
+fromhex(char c) {
+	if (c >= '0' && c <= '9') {
+		return (c - '0');
+	} else if (c >= 'a' && c <= 'f') {
+		return (c - 'a' + 10);
+	} else if (c >= 'A' && c <= 'F') {
+		return (c - 'A' + 10);
+	}
+
+	printf("bad input format: %02x\n", c);
+	exit(3);
+}
+
+isc_result_t
+ns_test_getdata(const char *file, unsigned char *buf, size_t bufsiz,
+		size_t *sizep) {
+	isc_result_t result;
+	unsigned char *bp;
+	char *rp, *wp;
+	char s[BUFSIZ];
+	size_t len, i;
+	FILE *f = NULL;
+	int n;
+
+	result = isc_stdio_open(file, "r", &f);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	bp = buf;
+	while (fgets(s, sizeof(s), f) != NULL) {
+		rp = s;
+		wp = s;
+		len = 0;
+		while (*rp != '\0') {
+			if (*rp == '#') {
+				break;
+			}
+			if (*rp != ' ' && *rp != '\t' && *rp != '\r' &&
+			    *rp != '\n')
+			{
+				*wp++ = *rp;
+				len++;
+			}
+			rp++;
+		}
+		if (len == 0U) {
+			continue;
+		}
+		if (len % 2 != 0U) {
+			CHECK(ISC_R_UNEXPECTEDEND);
+		}
+		if (len > bufsiz * 2) {
+			CHECK(ISC_R_NOSPACE);
+		}
+		rp = s;
+		for (i = 0; i < len; i += 2) {
+			n = fromhex(*rp++);
+			n *= 16;
+			n += fromhex(*rp++);
+			*bp++ = n;
+		}
+	}
+
+	*sizep = bp - buf;
+
+	result = ISC_R_SUCCESS;
+
+cleanup:
+	isc_stdio_close(f);
+	return (result);
+}
diff --git a/lib/ns/tests/nstest.h b/lib/ns/tests/nstest.h
new file mode 100644
index 0000000..87a26a6
--- /dev/null
+++ b/lib/ns/tests/nstest.h
@@ -0,0 +1,165 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/buffer.h>
+#include <isc/hash.h>
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/result.h>
+#include <dns/zone.h>
+
+#include <ns/client.h>
+#include <ns/hooks.h>
+#include <ns/interfacemgr.h>
+
+typedef struct ns_test_id {
+	const char *description;
+	int lineno;
+} ns_test_id_t;
+
+#define NS_TEST_ID(desc)                                \
+	{                                               \
+		.description = desc, .lineno = __LINE__ \
+	}
+
+#define CHECK(r)                             \
+	do {                                 \
+		result = (r);                \
+		if (result != ISC_R_SUCCESS) \
+			goto cleanup;        \
+	} while (0)
+
+extern isc_mem_t *mctx;
+extern isc_log_t *lctx;
+extern isc_taskmgr_t *taskmgr;
+extern isc_task_t *maintask;
+extern isc_timermgr_t *timermgr;
+extern isc_socketmgr_t *socketmgr;
+extern dns_zonemgr_t *zonemgr;
+extern dns_dispatchmgr_t *dispatchmgr;
+extern ns_clientmgr_t *clientmgr;
+extern ns_interfacemgr_t *interfacemgr;
+extern ns_server_t *sctx;
+extern bool app_running;
+extern int ncpus;
+extern bool debug_mem_record;
+
+#ifdef NETMGR_TRACE
+#define FLARG                                              \
+	, const char *file __attribute__((unused)),        \
+		unsigned int line __attribute__((unused)), \
+		const char *func __attribute__((unused))
+#else
+#define FLARG
+#endif
+
+isc_result_t
+ns_test_begin(FILE *logfile, bool create_managers);
+
+void
+ns_test_end(void);
+
+/*%
+ * Create a view.  If "with_cache" is set to true, a cache database will
+ * also be created and attached to the created view.
+ */
+isc_result_t
+ns_test_makeview(const char *name, bool with_cache, dns_view_t **viewp);
+
+isc_result_t
+ns_test_makezone(const char *name, dns_zone_t **zonep, dns_view_t *view,
+		 bool keepview);
+
+isc_result_t
+ns_test_setupzonemgr(void);
+
+isc_result_t
+ns_test_managezone(dns_zone_t *zone);
+
+void
+ns_test_releasezone(dns_zone_t *zone);
+
+void
+ns_test_closezonemgr(void);
+
+/*%
+ * Load data for zone "zonename" from file "filename" and start serving it to
+ * clients matching "view".  Only one zone loaded using this function can be
+ * served at any given time.
+ */
+isc_result_t
+ns_test_serve_zone(const char *zonename, const char *filename,
+		   dns_view_t *view);
+
+/*%
+ * Release the zone loaded by ns_test_serve_zone().
+ */
+void
+ns_test_cleanup_zone(void);
+
+void
+ns_test_nap(uint32_t usec);
+
+isc_result_t
+ns_test_loaddb(dns_db_t **db, dns_dbtype_t dbtype, const char *origin,
+	       const char *testfile);
+
+isc_result_t
+ns_test_getdata(const char *file, unsigned char *buf, size_t bufsiz,
+		size_t *sizep);
+
+isc_result_t
+ns_test_getclient(ns_interface_t *ifp0, bool tcp, ns_client_t **clientp);
+
+/*%
+ * Structure containing parameters for ns_test_qctx_create().
+ */
+typedef struct ns_test_qctx_create_params {
+	const char *qname;
+	dns_rdatatype_t qtype;
+	unsigned int qflags;
+	bool with_cache;
+} ns_test_qctx_create_params_t;
+
+/*%
+ * Prepare a query context identical with one that would be prepared if a query
+ * with given QNAME, QTYPE and flags was received from a client.  Recursion is
+ * assumed to be allowed for this client.  If "with_cache" is set to true,
+ * a cache database will be created and associated with the view matching the
+ * incoming query.
+ */
+isc_result_t
+ns_test_qctx_create(const ns_test_qctx_create_params_t *params,
+		    query_ctx_t **qctxp);
+
+/*%
+ * Destroy a query context created by ns_test_qctx_create().
+ */
+void
+ns_test_qctx_destroy(query_ctx_t **qctxp);
+
+/*%
+ * A hook callback interrupting execution at given hook's insertion point.
+ */
+ns_hookresult_t
+ns_test_hook_catch_call(void *arg, void *data, isc_result_t *resultp);
diff --git a/lib/ns/tests/plugin_test.c b/lib/ns/tests/plugin_test.c
new file mode 100644
index 0000000..7870f7a
--- /dev/null
+++ b/lib/ns/tests/plugin_test.c
@@ -0,0 +1,209 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#if HAVE_CMOCKA
+
+#include <limits.h>
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/mem.h>
+#include <isc/platform.h>
+#include <isc/result.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+ISC_PLATFORM_NORETURN_PRE void
+_fail(const char *const file, const int line) ISC_PLATFORM_NORETURN_POST;
+
+#include <ns/hooks.h>
+
+#include "nstest.h"
+
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = ns_test_begin(NULL, false);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	if (*state != NULL) {
+		isc_mem_free(mctx, *state);
+	}
+
+	ns_test_end();
+
+	return (0);
+}
+
+/*%
+ * Structure containing parameters for run_full_path_test().
+ */
+typedef struct {
+	const ns_test_id_t id; /* libns test identifier */
+	const char *input;     /* source string - plugin name or path
+				* */
+	size_t output_size;    /* size of target char array to
+				* allocate */
+	isc_result_t result;   /* expected return value */
+	const char *output;    /* expected output string */
+} ns_plugin_expandpath_test_params_t;
+
+/*%
+ * Perform a single ns_plugin_expandpath() check using given parameters.
+ */
+static void
+run_full_path_test(const ns_plugin_expandpath_test_params_t *test,
+		   void **state) {
+	char **target = (char **)state;
+	isc_result_t result;
+
+	REQUIRE(test != NULL);
+	REQUIRE(test->id.description != NULL);
+	REQUIRE(test->input != NULL);
+	REQUIRE(test->result != ISC_R_SUCCESS || test->output != NULL);
+
+	/*
+	 * Prepare a target buffer of given size.  Store it in 'state' so that
+	 * it can get cleaned up by _teardown() if the test fails.
+	 */
+	*target = isc_mem_allocate(mctx, test->output_size);
+
+	/*
+	 * Call ns_plugin_expandpath().
+	 */
+	result = ns_plugin_expandpath(test->input, *target, test->output_size);
+
+	/*
+	 * Check return value.
+	 */
+	if (result != test->result) {
+		fail_msg("# test \"%s\" on line %d: "
+			 "expected result %d (%s), got %d (%s)",
+			 test->id.description, test->id.lineno, test->result,
+			 isc_result_totext(test->result), result,
+			 isc_result_totext(result));
+	}
+
+	/*
+	 * Check output string if return value indicates success.
+	 */
+	if (result == ISC_R_SUCCESS && strcmp(*target, test->output) != 0) {
+		fail_msg("# test \"%s\" on line %d: "
+			 "expected output \"%s\", got \"%s\"",
+			 test->id.description, test->id.lineno, test->output,
+			 *target);
+	}
+
+	isc_mem_free(mctx, *target);
+}
+
+/* test ns_plugin_expandpath() */
+static void
+ns_plugin_expandpath_test(void **state) {
+	size_t i;
+
+	const ns_plugin_expandpath_test_params_t tests[] = {
+		{
+			NS_TEST_ID("correct use with an absolute path"),
+			.input = "/usr/lib/named/foo.so",
+			.output_size = PATH_MAX,
+			.result = ISC_R_SUCCESS,
+			.output = "/usr/lib/named/foo.so",
+		},
+		{
+			NS_TEST_ID("correct use with a relative path"),
+			.input = "../../foo.so",
+			.output_size = PATH_MAX,
+			.result = ISC_R_SUCCESS,
+			.output = "../../foo.so",
+		},
+		{
+			NS_TEST_ID("correct use with a filename"),
+			.input = "foo.so",
+			.output_size = PATH_MAX,
+			.result = ISC_R_SUCCESS,
+#ifndef WIN32
+			.output = NAMED_PLUGINDIR "/foo.so",
+#else  /* ifndef WIN32 */
+			.output = "foo.so",
+#endif /* ifndef WIN32 */
+		},
+		{
+			NS_TEST_ID("no space at all in target buffer"),
+			.input = "/usr/lib/named/foo.so",
+			.output_size = 0,
+			.result = ISC_R_NOSPACE,
+		},
+		{
+			NS_TEST_ID("target buffer too small to fit input"),
+			.input = "/usr/lib/named/foo.so",
+			.output_size = 1,
+			.result = ISC_R_NOSPACE,
+		},
+		{
+			NS_TEST_ID("target buffer too small to fit NULL byte"),
+			.input = "/foo.so",
+			.output_size = 7,
+			.result = ISC_R_NOSPACE,
+		},
+#ifndef WIN32
+		{
+			NS_TEST_ID("target buffer too small to fit full path"),
+			.input = "foo.so",
+			.output_size = 7,
+			.result = ISC_R_NOSPACE,
+		},
+#endif /* ifndef WIN32 */
+	};
+
+	for (i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
+		run_full_path_test(&tests[i], state);
+	}
+}
+
+int
+main(void) {
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test_setup_teardown(ns_plugin_expandpath_test,
+						_setup, _teardown),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* if HAVE_CMOCKA */
diff --git a/lib/ns/tests/query_test.c b/lib/ns/tests/query_test.c
new file mode 100644
index 0000000..b3e8fc1
--- /dev/null
+++ b/lib/ns/tests/query_test.c
@@ -0,0 +1,632 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <isc/util.h>
+
+#if HAVE_CMOCKA
+
+#include <inttypes.h>
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <dns/badcache.h>
+#include <dns/view.h>
+
+#include <ns/client.h>
+#include <ns/hooks.h>
+#include <ns/query.h>
+
+#include "nstest.h"
+
+#if defined(USE_LIBTOOL) || LD_WRAP
+static int
+_setup(void **state) {
+	isc_result_t result;
+
+	UNUSED(state);
+
+	result = ns_test_begin(NULL, true);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	return (0);
+}
+
+static int
+_teardown(void **state) {
+	UNUSED(state);
+
+	ns_test_end();
+
+	return (0);
+}
+
+/*****
+***** ns__query_sfcache() tests
+*****/
+
+/*%
+ * Structure containing parameters for ns__query_sfcache_test().
+ */
+typedef struct {
+	const ns_test_id_t id;	    /* libns test identifier */
+	unsigned int qflags;	    /* query flags */
+	bool cache_entry_present;   /* whether a SERVFAIL
+				     * cache entry
+				     * matching the query
+				     * should be
+				     * present */
+	uint32_t cache_entry_flags; /* NS_FAILCACHE_* flags to
+				     * set for
+				     * the SERVFAIL cache entry
+				     * */
+	bool servfail_expected;	    /* whether a cached
+				     * SERVFAIL is
+				     * expected to be returned
+				     * */
+} ns__query_sfcache_test_params_t;
+
+/*%
+ * Perform a single ns__query_sfcache() check using given parameters.
+ */
+static void
+run_sfcache_test(const ns__query_sfcache_test_params_t *test) {
+	ns_hooktable_t *query_hooks = NULL;
+	query_ctx_t *qctx = NULL;
+	isc_result_t result;
+	const ns_hook_t hook = {
+		.action = ns_test_hook_catch_call,
+	};
+
+	REQUIRE(test != NULL);
+	REQUIRE(test->id.description != NULL);
+	REQUIRE(test->cache_entry_present || test->cache_entry_flags == 0);
+
+	/*
+	 * Interrupt execution if ns_query_done() is called.
+	 */
+
+	ns_hooktable_create(mctx, &query_hooks);
+	ns_hook_add(query_hooks, mctx, NS_QUERY_DONE_BEGIN, &hook);
+	ns__hook_table = query_hooks;
+
+	/*
+	 * Construct a query context for a ./NS query with given flags.
+	 */
+	{
+		const ns_test_qctx_create_params_t qctx_params = {
+			.qname = ".",
+			.qtype = dns_rdatatype_ns,
+			.qflags = test->qflags,
+			.with_cache = true,
+		};
+
+		result = ns_test_qctx_create(&qctx_params, &qctx);
+		assert_int_equal(result, ISC_R_SUCCESS);
+	}
+
+	/*
+	 * If this test wants a SERVFAIL cache entry matching the query to
+	 * exist, create it.
+	 */
+	if (test->cache_entry_present) {
+		isc_interval_t hour;
+		isc_time_t expire;
+
+		isc_interval_set(&hour, 3600, 0);
+		result = isc_time_nowplusinterval(&expire, &hour);
+		assert_int_equal(result, ISC_R_SUCCESS);
+
+		dns_badcache_add(qctx->client->view->failcache, dns_rootname,
+				 dns_rdatatype_ns, true,
+				 test->cache_entry_flags, &expire);
+	}
+
+	/*
+	 * Check whether ns__query_sfcache() behaves as expected.
+	 */
+	ns__query_sfcache(qctx);
+
+	if (test->servfail_expected) {
+		if (qctx->result != DNS_R_SERVFAIL) {
+			fail_msg("# test \"%s\" on line %d: "
+				 "expected SERVFAIL, got %s",
+				 test->id.description, test->id.lineno,
+				 isc_result_totext(qctx->result));
+		}
+	} else {
+		if (qctx->result != ISC_R_SUCCESS) {
+			fail_msg("# test \"%s\" on line %d: "
+				 "expected success, got %s",
+				 test->id.description, test->id.lineno,
+				 isc_result_totext(qctx->result));
+		}
+	}
+
+	/*
+	 * Clean up.
+	 */
+	ns_test_qctx_destroy(&qctx);
+	ns_hooktable_free(mctx, (void **)&query_hooks);
+}
+
+/* test ns__query_sfcache() */
+static void
+ns__query_sfcache_test(void **state) {
+	size_t i;
+
+	const ns__query_sfcache_test_params_t tests[] = {
+		/*
+		 * Sanity check for an empty SERVFAIL cache.
+		 */
+		{
+			NS_TEST_ID("query: RD=1, CD=0; cache: empty"),
+			.qflags = DNS_MESSAGEFLAG_RD,
+			.cache_entry_present = false,
+			.servfail_expected = false,
+		},
+		/*
+		 * Query: RD=1, CD=0.  Cache entry: CD=0.  Should SERVFAIL.
+		 */
+		{
+			NS_TEST_ID("query: RD=1, CD=0; cache: CD=0"),
+			.qflags = DNS_MESSAGEFLAG_RD,
+			.cache_entry_present = true,
+			.cache_entry_flags = 0,
+			.servfail_expected = true,
+		},
+		/*
+		 * Query: RD=1, CD=1.  Cache entry: CD=0.  Should not SERVFAIL:
+		 * failed validation should not influence CD=1 queries.
+		 */
+		{
+			NS_TEST_ID("query: RD=1, CD=1; cache: CD=0"),
+			.qflags = DNS_MESSAGEFLAG_RD | DNS_MESSAGEFLAG_CD,
+			.cache_entry_present = true,
+			.cache_entry_flags = 0,
+			.servfail_expected = false,
+		},
+		/*
+		 * Query: RD=1, CD=1.  Cache entry: CD=1.  Should SERVFAIL:
+		 * SERVFAIL responses elicited by CD=1 queries can be
+		 * "replayed" for other CD=1 queries during the lifetime of the
+		 * SERVFAIL cache entry.
+		 */
+		{
+			NS_TEST_ID("query: RD=1, CD=1; cache: CD=1"),
+			.qflags = DNS_MESSAGEFLAG_RD | DNS_MESSAGEFLAG_CD,
+			.cache_entry_present = true,
+			.cache_entry_flags = NS_FAILCACHE_CD,
+			.servfail_expected = true,
+		},
+		/*
+		 * Query: RD=1, CD=0.  Cache entry: CD=1.  Should SERVFAIL: if
+		 * a CD=1 query elicited a SERVFAIL, a CD=0 query for the same
+		 * QNAME and QTYPE will SERVFAIL as well.
+		 */
+		{
+			NS_TEST_ID("query: RD=1, CD=0; cache: CD=1"),
+			.qflags = DNS_MESSAGEFLAG_RD,
+			.cache_entry_present = true,
+			.cache_entry_flags = NS_FAILCACHE_CD,
+			.servfail_expected = true,
+		},
+		/*
+		 * Query: RD=0, CD=0.  Cache entry: CD=0.  Should not SERVFAIL
+		 * despite a matching entry being present as the SERVFAIL cache
+		 * should not be consulted for non-recursive queries.
+		 */
+		{
+			NS_TEST_ID("query: RD=0, CD=0; cache: CD=0"),
+			.qflags = 0,
+			.cache_entry_present = true,
+			.cache_entry_flags = 0,
+			.servfail_expected = false,
+		},
+	};
+
+	UNUSED(state);
+
+	for (i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
+		run_sfcache_test(&tests[i]);
+	}
+}
+
+/*****
+***** ns__query_start() tests
+*****/
+
+/*%
+ * Structure containing parameters for ns__query_start_test().
+ */
+typedef struct {
+	const ns_test_id_t id;	      /* libns test identifier */
+	const char *qname;	      /* QNAME */
+	dns_rdatatype_t qtype;	      /* QTYPE */
+	unsigned int qflags;	      /* query flags */
+	bool disable_name_checks;     /* if set to true, owner
+				       * name
+				       *          checks will
+				       * be disabled for the
+				       *          view created
+				       * */
+	bool recursive_service;	      /* if set to true, the view
+				       *          created will
+				       * have a cache
+				       *          database
+				       * attached */
+	const char *auth_zone_origin; /* origin name of the zone
+				       * the
+				       * created view will be
+				       * authoritative for */
+	const char *auth_zone_path;   /* path to load the
+				       * authoritative
+				       * zone from */
+	enum {			      /* expected result: */
+	       NS__QUERY_START_R_INVALID,
+	       NS__QUERY_START_R_REFUSE, /* query should be REFUSED */
+	       NS__QUERY_START_R_CACHE,	 /* query should be answered from
+					  * cache */
+	       NS__QUERY_START_R_AUTH,	 /* query should be answered using
+					  * authoritative data */
+	} expected_result;
+} ns__query_start_test_params_t;
+
+/*%
+ * Perform a single ns__query_start() check using given parameters.
+ */
+static void
+run_start_test(const ns__query_start_test_params_t *test) {
+	ns_hooktable_t *query_hooks = NULL;
+	query_ctx_t *qctx = NULL;
+	isc_result_t result;
+	const ns_hook_t hook = {
+		.action = ns_test_hook_catch_call,
+	};
+
+	REQUIRE(test != NULL);
+	REQUIRE(test->id.description != NULL);
+	REQUIRE((test->auth_zone_origin == NULL &&
+		 test->auth_zone_path == NULL) ||
+		(test->auth_zone_origin != NULL &&
+		 test->auth_zone_path != NULL));
+
+	/*
+	 * Interrupt execution if query_lookup() or ns_query_done() is called.
+	 */
+	ns_hooktable_create(mctx, &query_hooks);
+	ns_hook_add(query_hooks, mctx, NS_QUERY_LOOKUP_BEGIN, &hook);
+	ns_hook_add(query_hooks, mctx, NS_QUERY_DONE_BEGIN, &hook);
+	ns__hook_table = query_hooks;
+
+	/*
+	 * Construct a query context using the supplied parameters.
+	 */
+	{
+		const ns_test_qctx_create_params_t qctx_params = {
+			.qname = test->qname,
+			.qtype = test->qtype,
+			.qflags = test->qflags,
+			.with_cache = test->recursive_service,
+		};
+		result = ns_test_qctx_create(&qctx_params, &qctx);
+		assert_int_equal(result, ISC_R_SUCCESS);
+	}
+
+	/*
+	 * Enable view->checknames by default, disable if requested.
+	 */
+	qctx->client->view->checknames = !test->disable_name_checks;
+
+	/*
+	 * Load zone from file and attach it to the client's view, if
+	 * requested.
+	 */
+	if (test->auth_zone_path != NULL) {
+		result = ns_test_serve_zone(test->auth_zone_origin,
+					    test->auth_zone_path,
+					    qctx->client->view);
+		assert_int_equal(result, ISC_R_SUCCESS);
+	}
+
+	/*
+	 * Check whether ns__query_start() behaves as expected.
+	 */
+	ns__query_start(qctx);
+
+	switch (test->expected_result) {
+	case NS__QUERY_START_R_REFUSE:
+		if (qctx->result != DNS_R_REFUSED) {
+			fail_msg("# test \"%s\" on line %d: "
+				 "expected REFUSED, got %s",
+				 test->id.description, test->id.lineno,
+				 isc_result_totext(qctx->result));
+		}
+		if (qctx->zone != NULL) {
+			fail_msg("# test \"%s\" on line %d: "
+				 "no zone was expected to be attached to "
+				 "query context, but some was",
+				 test->id.description, test->id.lineno);
+		}
+		if (qctx->db != NULL) {
+			fail_msg("# test \"%s\" on line %d: "
+				 "no database was expected to be attached to "
+				 "query context, but some was",
+				 test->id.description, test->id.lineno);
+		}
+		break;
+	case NS__QUERY_START_R_CACHE:
+		if (qctx->result != ISC_R_SUCCESS) {
+			fail_msg("# test \"%s\" on line %d: "
+				 "expected success, got %s",
+				 test->id.description, test->id.lineno,
+				 isc_result_totext(qctx->result));
+		}
+		if (qctx->zone != NULL) {
+			fail_msg("# test \"%s\" on line %d: "
+				 "no zone was expected to be attached to "
+				 "query context, but some was",
+				 test->id.description, test->id.lineno);
+		}
+		if (qctx->db == NULL || qctx->db != qctx->client->view->cachedb)
+		{
+			fail_msg("# test \"%s\" on line %d: "
+				 "cache database was expected to be "
+				 "attached to query context, but it was not",
+				 test->id.description, test->id.lineno);
+		}
+		break;
+	case NS__QUERY_START_R_AUTH:
+		if (qctx->result != ISC_R_SUCCESS) {
+			fail_msg("# test \"%s\" on line %d: "
+				 "expected success, got %s",
+				 test->id.description, test->id.lineno,
+				 isc_result_totext(qctx->result));
+		}
+		if (qctx->zone == NULL) {
+			fail_msg("# test \"%s\" on line %d: "
+				 "a zone was expected to be attached to query "
+				 "context, but it was not",
+				 test->id.description, test->id.lineno);
+		}
+		if (qctx->db == qctx->client->view->cachedb) {
+			fail_msg("# test \"%s\" on line %d: "
+				 "cache database was not expected to be "
+				 "attached to query context, but it is",
+				 test->id.description, test->id.lineno);
+		}
+		break;
+	case NS__QUERY_START_R_INVALID:
+		fail_msg("# test \"%s\" on line %d has no expected result set",
+			 test->id.description, test->id.lineno);
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	/*
+	 * Clean up.
+	 */
+	if (test->auth_zone_path != NULL) {
+		ns_test_cleanup_zone();
+	}
+	ns_test_qctx_destroy(&qctx);
+	ns_hooktable_free(mctx, (void **)&query_hooks);
+}
+
+/* test ns__query_start() */
+static void
+ns__query_start_test(void **state) {
+	size_t i;
+
+	const ns__query_start_test_params_t tests[] = {
+		/*
+		 * Recursive foo/A query to a server without recursive service
+		 * and no zones configured.  Query should be REFUSED.
+		 */
+		{
+			NS_TEST_ID("foo/A, no cache, no auth"),
+			.qname = "foo",
+			.qtype = dns_rdatatype_a,
+			.qflags = DNS_MESSAGEFLAG_RD,
+			.recursive_service = false,
+			.expected_result = NS__QUERY_START_R_REFUSE,
+		},
+		/*
+		 * Recursive foo/A query to a server with recursive service and
+		 * no zones configured.  Query should be answered from cache.
+		 */
+		{
+			NS_TEST_ID("foo/A, cache, no auth"),
+			.qname = "foo",
+			.qtype = dns_rdatatype_a,
+			.recursive_service = true,
+			.expected_result = NS__QUERY_START_R_CACHE,
+		},
+		/*
+		 * Recursive foo/A query to a server with recursive service and
+		 * zone "foo" configured.  Query should be answered from
+		 * authoritative data.
+		 */
+		{
+			NS_TEST_ID("foo/A, RD=1, cache, auth for foo"),
+			.qname = "foo",
+			.qtype = dns_rdatatype_a,
+			.qflags = DNS_MESSAGEFLAG_RD,
+			.recursive_service = true,
+			.auth_zone_origin = "foo",
+			.auth_zone_path = "testdata/query/foo.db",
+			.expected_result = NS__QUERY_START_R_AUTH,
+		},
+		/*
+		 * Recursive bar/A query to a server without recursive service
+		 * and zone "foo" configured.  Query should be REFUSED.
+		 */
+		{
+			NS_TEST_ID("bar/A, RD=1, no cache, auth for foo"),
+			.qname = "bar",
+			.qtype = dns_rdatatype_a,
+			.qflags = DNS_MESSAGEFLAG_RD,
+			.recursive_service = false,
+			.auth_zone_origin = "foo",
+			.auth_zone_path = "testdata/query/foo.db",
+			.expected_result = NS__QUERY_START_R_REFUSE,
+		},
+		/*
+		 * Recursive bar/A query to a server with recursive service and
+		 * zone "foo" configured.  Query should be answered from
+		 * cache.
+		 */
+		{
+			NS_TEST_ID("bar/A, RD=1, cache, auth for foo"),
+			.qname = "bar",
+			.qtype = dns_rdatatype_a,
+			.qflags = DNS_MESSAGEFLAG_RD,
+			.recursive_service = true,
+			.auth_zone_origin = "foo",
+			.auth_zone_path = "testdata/query/foo.db",
+			.expected_result = NS__QUERY_START_R_CACHE,
+		},
+		/*
+		 * Recursive bar.foo/DS query to a server with recursive
+		 * service and zone "foo" configured.  Query should be answered
+		 * from authoritative data.
+		 */
+		{
+			NS_TEST_ID("bar.foo/DS, RD=1, cache, auth for foo"),
+			.qname = "bar.foo",
+			.qtype = dns_rdatatype_ds,
+			.qflags = DNS_MESSAGEFLAG_RD,
+			.recursive_service = true,
+			.auth_zone_origin = "foo",
+			.auth_zone_path = "testdata/query/foo.db",
+			.expected_result = NS__QUERY_START_R_AUTH,
+		},
+		/*
+		 * Non-recursive bar.foo/DS query to a server with recursive
+		 * service and zone "foo" configured.  Query should be answered
+		 * from authoritative data.
+		 */
+		{
+			NS_TEST_ID("bar.foo/DS, RD=0, cache, auth for foo"),
+			.qname = "bar.foo",
+			.qtype = dns_rdatatype_ds,
+			.qflags = 0,
+			.recursive_service = true,
+			.auth_zone_origin = "foo",
+			.auth_zone_path = "testdata/query/foo.db",
+			.expected_result = NS__QUERY_START_R_AUTH,
+		},
+		/*
+		 * Recursive foo/DS query to a server with recursive service
+		 * and zone "foo" configured.  Query should be answered from
+		 * cache.
+		 */
+		{
+			NS_TEST_ID("foo/DS, RD=1, cache, auth for foo"),
+			.qname = "foo",
+			.qtype = dns_rdatatype_ds,
+			.qflags = DNS_MESSAGEFLAG_RD,
+			.recursive_service = true,
+			.auth_zone_origin = "foo",
+			.auth_zone_path = "testdata/query/foo.db",
+			.expected_result = NS__QUERY_START_R_CACHE,
+		},
+		/*
+		 * Non-recursive foo/DS query to a server with recursive
+		 * service and zone "foo" configured.  Query should be answered
+		 * from authoritative data.
+		 */
+		{
+			NS_TEST_ID("foo/DS, RD=0, cache, auth for foo"),
+			.qname = "foo",
+			.qtype = dns_rdatatype_ds,
+			.qflags = 0,
+			.recursive_service = true,
+			.auth_zone_origin = "foo",
+			.auth_zone_path = "testdata/query/foo.db",
+			.expected_result = NS__QUERY_START_R_AUTH,
+		},
+		/*
+		 * Recursive _foo/A query to a server with recursive service,
+		 * no zones configured and owner name checks disabled.  Query
+		 * should be answered from cache.
+		 */
+		{
+			NS_TEST_ID("_foo/A, cache, no auth, name checks off"),
+			.qname = "_foo",
+			.qtype = dns_rdatatype_a,
+			.qflags = DNS_MESSAGEFLAG_RD,
+			.disable_name_checks = true,
+			.recursive_service = true,
+			.expected_result = NS__QUERY_START_R_CACHE,
+		},
+		/*
+		 * Recursive _foo/A query to a server with recursive service,
+		 * no zones configured and owner name checks enabled.  Query
+		 * should be REFUSED.
+		 */
+		{
+			NS_TEST_ID("_foo/A, cache, no auth, name checks on"),
+			.qname = "_foo",
+			.qtype = dns_rdatatype_a,
+			.qflags = DNS_MESSAGEFLAG_RD,
+			.disable_name_checks = false,
+			.recursive_service = true,
+			.expected_result = NS__QUERY_START_R_REFUSE,
+		},
+	};
+
+	UNUSED(state);
+
+	for (i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
+		run_start_test(&tests[i]);
+	}
+}
+#endif /* if defined(USE_LIBTOOL) || LD_WRAP */
+
+int
+main(void) {
+#if defined(USE_LIBTOOL) || LD_WRAP
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test_setup_teardown(ns__query_sfcache_test, _setup,
+						_teardown),
+		cmocka_unit_test_setup_teardown(ns__query_start_test, _setup,
+						_teardown),
+	};
+
+	return (cmocka_run_group_tests(tests, NULL, NULL));
+#else  /* if defined(USE_LIBTOOL) || LD_WRAP */
+	print_message("1..0 # Skip query_test requires libtool or LD_WRAP\n");
+#endif /* if defined(USE_LIBTOOL) || LD_WRAP */
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+	printf("1..0 # Skipped: cmocka not available\n");
+
+	return (SKIPPED_TEST_EXIT_CODE);
+}
+
+#endif /* HAVE_CMOCKA */
diff --git a/lib/ns/tests/testdata/notify/notify1.msg b/lib/ns/tests/testdata/notify/notify1.msg
new file mode 100644
index 0000000..a84193b
--- /dev/null
+++ b/lib/ns/tests/testdata/notify/notify1.msg
@@ -0,0 +1,3 @@
+# notify for example.com
+10 a6 10 10 00 01 00 00 00 00 00 00 07 65 78 61
+6d 70 6c 65 03 63 6f 6d 00 00 06 00 01
diff --git a/lib/ns/tests/testdata/notify/zone1.db b/lib/ns/tests/testdata/notify/zone1.db
new file mode 100644
index 0000000..b218d6d
--- /dev/null
+++ b/lib/ns/tests/testdata/notify/zone1.db
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 1000
+@		in	soa	localhost. postmaster.localhost. (
+				1993050801	;serial
+				3600		;refresh
+				1800		;retry
+				604800		;expiration
+				3600 )		;minimum
+		in	ns	ns.example.com.
+		in	ns	ns2.example.com.
+		in	ns	ns3.example.com.
+ns		in	a	10.0.0.1
+ns2		in	a	10.0.0.2
+ns3		in	a	10.0.0.3
+
+a		in	a	1.2.3.4
diff --git a/lib/ns/tests/testdata/query/foo.db b/lib/ns/tests/testdata/query/foo.db
new file mode 100644
index 0000000..5fb2c42
--- /dev/null
+++ b/lib/ns/tests/testdata/query/foo.db
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@		IN	SOA	localhost. postmaster.localhost. (
+				1		;serial
+				3600		;refresh
+				1800		;retry
+				604800		;expiration
+				3600 )		;minimum
+		IN	NS	ns
+ns		IN	A	127.0.0.1
diff --git a/lib/ns/update.c b/lib/ns/update.c
new file mode 100644
index 0000000..4e51cdc
--- /dev/null
+++ b/lib/ns/update.c
@@ -0,0 +1,3696 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/netaddr.h>
+#include <isc/print.h>
+#include <isc/serial.h>
+#include <isc/stats.h>
+#include <isc/string.h>
+#include <isc/taskpool.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/diff.h>
+#include <dns/dnssec.h>
+#include <dns/events.h>
+#include <dns/fixedname.h>
+#include <dns/journal.h>
+#include <dns/keyvalues.h>
+#include <dns/message.h>
+#include <dns/nsec.h>
+#include <dns/nsec3.h>
+#include <dns/private.h>
+#include <dns/rdataclass.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/soa.h>
+#include <dns/ssu.h>
+#include <dns/tsig.h>
+#include <dns/update.h>
+#include <dns/view.h>
+#include <dns/zone.h>
+#include <dns/zt.h>
+
+#include <ns/client.h>
+#include <ns/interfacemgr.h>
+#include <ns/log.h>
+#include <ns/server.h>
+#include <ns/stats.h>
+#include <ns/update.h>
+
+/*! \file
+ * \brief
+ * This module implements dynamic update as in RFC2136.
+ */
+
+/*
+ *  XXX TODO:
+ * - document strict minimality
+ */
+
+/**************************************************************************/
+
+/*%
+ * Log level for tracing dynamic update protocol requests.
+ */
+#define LOGLEVEL_PROTOCOL ISC_LOG_INFO
+
+/*%
+ * Log level for low-level debug tracing.
+ */
+#define LOGLEVEL_DEBUG ISC_LOG_DEBUG(8)
+
+/*%
+ * Check an operation for failure.  These macros all assume that
+ * the function using them has a 'result' variable and a 'failure'
+ * label.
+ */
+#define CHECK(op)                            \
+	do {                                 \
+		result = (op);               \
+		if (result != ISC_R_SUCCESS) \
+			goto failure;        \
+	} while (0)
+
+/*%
+ * Fail unconditionally with result 'code', which must not
+ * be ISC_R_SUCCESS.  The reason for failure presumably has
+ * been logged already.
+ *
+ * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
+ * from complaining about "end-of-loop code not reached".
+ */
+
+#define FAIL(code)                           \
+	do {                                 \
+		result = (code);             \
+		if (result != ISC_R_SUCCESS) \
+			goto failure;        \
+	} while (0)
+
+/*%
+ * Fail unconditionally and log as a client error.
+ * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
+ * from complaining about "end-of-loop code not reached".
+ */
+#define FAILC(code, msg)                                     \
+	do {                                                 \
+		const char *_what = "failed";                \
+		result = (code);                             \
+		switch (result) {                            \
+		case DNS_R_NXDOMAIN:                         \
+		case DNS_R_YXDOMAIN:                         \
+		case DNS_R_YXRRSET:                          \
+		case DNS_R_NXRRSET:                          \
+			_what = "unsuccessful";              \
+		}                                            \
+		update_log(client, zone, LOGLEVEL_PROTOCOL,  \
+			   "update %s: %s (%s)", _what, msg, \
+			   isc_result_totext(result));       \
+		if (result != ISC_R_SUCCESS)                 \
+			goto failure;                        \
+	} while (0)
+#define PREREQFAILC(code, msg)                                            \
+	do {                                                              \
+		inc_stats(client, zone, ns_statscounter_updatebadprereq); \
+		FAILC(code, msg);                                         \
+	} while (0)
+
+#define FAILN(code, name, msg)                                             \
+	do {                                                               \
+		const char *_what = "failed";                              \
+		result = (code);                                           \
+		switch (result) {                                          \
+		case DNS_R_NXDOMAIN:                                       \
+		case DNS_R_YXDOMAIN:                                       \
+		case DNS_R_YXRRSET:                                        \
+		case DNS_R_NXRRSET:                                        \
+			_what = "unsuccessful";                            \
+		}                                                          \
+		if (isc_log_wouldlog(ns_lctx, LOGLEVEL_PROTOCOL)) {        \
+			char _nbuf[DNS_NAME_FORMATSIZE];                   \
+			dns_name_format(name, _nbuf, sizeof(_nbuf));       \
+			update_log(client, zone, LOGLEVEL_PROTOCOL,        \
+				   "update %s: %s: %s (%s)", _what, _nbuf, \
+				   msg, isc_result_totext(result));        \
+		}                                                          \
+		if (result != ISC_R_SUCCESS)                               \
+			goto failure;                                      \
+	} while (0)
+#define PREREQFAILN(code, name, msg)                                      \
+	do {                                                              \
+		inc_stats(client, zone, ns_statscounter_updatebadprereq); \
+		FAILN(code, name, msg);                                   \
+	} while (0)
+
+#define FAILNT(code, name, type, msg)                                         \
+	do {                                                                  \
+		const char *_what = "failed";                                 \
+		result = (code);                                              \
+		switch (result) {                                             \
+		case DNS_R_NXDOMAIN:                                          \
+		case DNS_R_YXDOMAIN:                                          \
+		case DNS_R_YXRRSET:                                           \
+		case DNS_R_NXRRSET:                                           \
+			_what = "unsuccessful";                               \
+		}                                                             \
+		if (isc_log_wouldlog(ns_lctx, LOGLEVEL_PROTOCOL)) {           \
+			char _nbuf[DNS_NAME_FORMATSIZE];                      \
+			char _tbuf[DNS_RDATATYPE_FORMATSIZE];                 \
+			dns_name_format(name, _nbuf, sizeof(_nbuf));          \
+			dns_rdatatype_format(type, _tbuf, sizeof(_tbuf));     \
+			update_log(client, zone, LOGLEVEL_PROTOCOL,           \
+				   "update %s: %s/%s: %s (%s)", _what, _nbuf, \
+				   _tbuf, msg, isc_result_totext(result));    \
+		}                                                             \
+		if (result != ISC_R_SUCCESS)                                  \
+			goto failure;                                         \
+	} while (0)
+#define PREREQFAILNT(code, name, type, msg)                               \
+	do {                                                              \
+		inc_stats(client, zone, ns_statscounter_updatebadprereq); \
+		FAILNT(code, name, type, msg);                            \
+	} while (0)
+
+/*%
+ * Fail unconditionally and log as a server error.
+ * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
+ * from complaining about "end-of-loop code not reached".
+ */
+#define FAILS(code, msg)                                                     \
+	do {                                                                 \
+		result = (code);                                             \
+		update_log(client, zone, LOGLEVEL_PROTOCOL, "error: %s: %s", \
+			   msg, isc_result_totext(result));                  \
+		if (result != ISC_R_SUCCESS)                                 \
+			goto failure;                                        \
+	} while (0)
+
+/*
+ * Return TRUE if NS_CLIENTATTR_TCP is set in the attributes other FALSE.
+ */
+#define TCPCLIENT(client) (((client)->attributes & NS_CLIENTATTR_TCP) != 0)
+
+/**************************************************************************/
+
+typedef struct rr rr_t;
+
+struct rr {
+	/* dns_name_t name; */
+	uint32_t ttl;
+	dns_rdata_t rdata;
+};
+
+typedef struct update_event update_event_t;
+
+struct update_event {
+	ISC_EVENT_COMMON(update_event_t);
+	dns_zone_t *zone;
+	isc_result_t result;
+	dns_message_t *answer;
+};
+
+/*%
+ * Prepare an RR for the addition of the new RR 'ctx->update_rr',
+ * with TTL 'ctx->update_rr_ttl', to its rdataset, by deleting
+ * the RRs if it is replaced by the new RR or has a conflicting TTL.
+ * The necessary changes are appended to ctx->del_diff and ctx->add_diff;
+ * we need to do all deletions before any additions so that we don't run
+ * into transient states with conflicting TTLs.
+ */
+
+typedef struct {
+	dns_db_t *db;
+	dns_dbversion_t *ver;
+	dns_diff_t *diff;
+	dns_name_t *name;
+	dns_name_t *oldname;
+	dns_rdata_t *update_rr;
+	dns_ttl_t update_rr_ttl;
+	bool ignore_add;
+	dns_diff_t del_diff;
+	dns_diff_t add_diff;
+} add_rr_prepare_ctx_t;
+
+/**************************************************************************/
+/*
+ * Forward declarations.
+ */
+
+static void
+update_action(isc_task_t *task, isc_event_t *event);
+static void
+updatedone_action(isc_task_t *task, isc_event_t *event);
+static isc_result_t
+send_forward_event(ns_client_t *client, dns_zone_t *zone);
+static void
+forward_done(isc_task_t *task, isc_event_t *event);
+static isc_result_t
+add_rr_prepare_action(void *data, rr_t *rr);
+static isc_result_t
+rr_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+	  const dns_rdata_t *rdata, bool *flag);
+
+/**************************************************************************/
+
+static void
+update_log(ns_client_t *client, dns_zone_t *zone, int level, const char *fmt,
+	   ...) ISC_FORMAT_PRINTF(4, 5);
+
+static void
+update_log(ns_client_t *client, dns_zone_t *zone, int level, const char *fmt,
+	   ...) {
+	va_list ap;
+	char message[4096];
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char classbuf[DNS_RDATACLASS_FORMATSIZE];
+
+	if (client == NULL) {
+		return;
+	}
+
+	if (!isc_log_wouldlog(ns_lctx, level)) {
+		return;
+	}
+
+	va_start(ap, fmt);
+	vsnprintf(message, sizeof(message), fmt, ap);
+	va_end(ap);
+
+	if (zone != NULL) {
+		dns_name_format(dns_zone_getorigin(zone), namebuf,
+				sizeof(namebuf));
+		dns_rdataclass_format(dns_zone_getclass(zone), classbuf,
+				      sizeof(classbuf));
+
+		ns_client_log(client, NS_LOGCATEGORY_UPDATE,
+			      NS_LOGMODULE_UPDATE, level,
+			      "updating zone '%s/%s': %s", namebuf, classbuf,
+			      message);
+	} else {
+		ns_client_log(client, NS_LOGCATEGORY_UPDATE,
+			      NS_LOGMODULE_UPDATE, level, "%s", message);
+	}
+}
+
+static void
+update_log_cb(void *arg, dns_zone_t *zone, int level, const char *message) {
+	update_log(arg, zone, level, "%s", message);
+}
+
+/*%
+ * Increment updated-related statistics counters.
+ */
+static void
+inc_stats(ns_client_t *client, dns_zone_t *zone, isc_statscounter_t counter) {
+	ns_stats_increment(client->sctx->nsstats, counter);
+
+	if (zone != NULL) {
+		isc_stats_t *zonestats = dns_zone_getrequeststats(zone);
+		if (zonestats != NULL) {
+			isc_stats_increment(zonestats, counter);
+		}
+	}
+}
+
+/*%
+ * Check if we could have queried for the contents of this zone or
+ * if the zone is potentially updateable.
+ * If the zone can potentially be updated and the check failed then
+ * log a error otherwise we log a informational message.
+ */
+static isc_result_t
+checkqueryacl(ns_client_t *client, dns_acl_t *queryacl, dns_name_t *zonename,
+	      dns_acl_t *updateacl, dns_ssutable_t *ssutable) {
+	isc_result_t result;
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char classbuf[DNS_RDATACLASS_FORMATSIZE];
+	bool update_possible =
+		((updateacl != NULL && !dns_acl_isnone(updateacl)) ||
+		 ssutable != NULL);
+
+	result = ns_client_checkaclsilent(client, NULL, queryacl, true);
+	if (result != ISC_R_SUCCESS) {
+		int level = update_possible ? ISC_LOG_ERROR : ISC_LOG_INFO;
+
+		dns_name_format(zonename, namebuf, sizeof(namebuf));
+		dns_rdataclass_format(client->view->rdclass, classbuf,
+				      sizeof(classbuf));
+
+		ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
+			      NS_LOGMODULE_UPDATE, level,
+			      "update '%s/%s' denied due to allow-query",
+			      namebuf, classbuf);
+	} else if (!update_possible) {
+		dns_name_format(zonename, namebuf, sizeof(namebuf));
+		dns_rdataclass_format(client->view->rdclass, classbuf,
+				      sizeof(classbuf));
+
+		result = DNS_R_REFUSED;
+		ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
+			      NS_LOGMODULE_UPDATE, ISC_LOG_INFO,
+			      "update '%s/%s' denied", namebuf, classbuf);
+	}
+	return (result);
+}
+
+/*%
+ * Override the default acl logging when checking whether a client
+ * can update the zone or whether we can forward the request to the
+ * master based on IP address.
+ *
+ * 'message' contains the type of operation that is being attempted.
+ * 'slave' indicates if this is a slave zone.  If 'acl' is NULL then
+ * log at debug=3.
+ * If the zone has no access controls configured ('acl' == NULL &&
+ * 'has_ssutable == ISC_FALS) log the attempt at info, otherwise
+ * at error.
+ *
+ * If the request was signed log that we received it.
+ */
+static isc_result_t
+checkupdateacl(ns_client_t *client, dns_acl_t *acl, const char *message,
+	       dns_name_t *zonename, bool slave, bool has_ssutable) {
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char classbuf[DNS_RDATACLASS_FORMATSIZE];
+	int level = ISC_LOG_ERROR;
+	const char *msg = "denied";
+	isc_result_t result;
+
+	if (slave && acl == NULL) {
+		result = DNS_R_NOTIMP;
+		level = ISC_LOG_DEBUG(3);
+		msg = "disabled";
+	} else {
+		result = ns_client_checkaclsilent(client, NULL, acl, false);
+		if (result == ISC_R_SUCCESS) {
+			level = ISC_LOG_DEBUG(3);
+			msg = "approved";
+		} else if (acl == NULL && !has_ssutable) {
+			level = ISC_LOG_INFO;
+		}
+	}
+
+	if (client->signer != NULL) {
+		dns_name_format(client->signer, namebuf, sizeof(namebuf));
+		ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
+			      NS_LOGMODULE_UPDATE, ISC_LOG_INFO,
+			      "signer \"%s\" %s", namebuf, msg);
+	}
+
+	dns_name_format(zonename, namebuf, sizeof(namebuf));
+	dns_rdataclass_format(client->view->rdclass, classbuf,
+			      sizeof(classbuf));
+
+	ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
+		      NS_LOGMODULE_UPDATE, level, "%s '%s/%s' %s", message,
+		      namebuf, classbuf, msg);
+	return (result);
+}
+
+/*%
+ * Update a single RR in version 'ver' of 'db' and log the
+ * update in 'diff'.
+ *
+ * Ensures:
+ * \li	'*tuple' == NULL.  Either the tuple is freed, or its
+ *	ownership has been transferred to the diff.
+ */
+static isc_result_t
+do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
+	     dns_diff_t *diff) {
+	dns_diff_t temp_diff;
+	isc_result_t result;
+
+	/*
+	 * Create a singleton diff.
+	 */
+	dns_diff_init(diff->mctx, &temp_diff);
+	ISC_LIST_APPEND(temp_diff.tuples, *tuple, link);
+
+	/*
+	 * Apply it to the database.
+	 */
+	result = dns_diff_apply(&temp_diff, db, ver);
+	ISC_LIST_UNLINK(temp_diff.tuples, *tuple, link);
+	if (result != ISC_R_SUCCESS) {
+		dns_difftuple_free(tuple);
+		return (result);
+	}
+
+	/*
+	 * Merge it into the current pending journal entry.
+	 */
+	dns_diff_appendminimal(diff, tuple);
+
+	/*
+	 * Do not clear temp_diff.
+	 */
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Perform the updates in 'updates' in version 'ver' of 'db' and log the
+ * update in 'diff'.
+ *
+ * Ensures:
+ * \li	'updates' is empty.
+ */
+static isc_result_t
+do_diff(dns_diff_t *updates, dns_db_t *db, dns_dbversion_t *ver,
+	dns_diff_t *diff) {
+	isc_result_t result;
+	while (!ISC_LIST_EMPTY(updates->tuples)) {
+		dns_difftuple_t *t = ISC_LIST_HEAD(updates->tuples);
+		ISC_LIST_UNLINK(updates->tuples, t, link);
+		CHECK(do_one_tuple(&t, db, ver, diff));
+	}
+	return (ISC_R_SUCCESS);
+
+failure:
+	dns_diff_clear(diff);
+	return (result);
+}
+
+static isc_result_t
+update_one_rr(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff,
+	      dns_diffop_t op, dns_name_t *name, dns_ttl_t ttl,
+	      dns_rdata_t *rdata) {
+	dns_difftuple_t *tuple = NULL;
+	isc_result_t result;
+	result = dns_difftuple_create(diff->mctx, op, name, ttl, rdata, &tuple);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	return (do_one_tuple(&tuple, db, ver, diff));
+}
+
+/**************************************************************************/
+/*
+ * Callback-style iteration over rdatasets and rdatas.
+ *
+ * foreach_rrset() can be used to iterate over the RRsets
+ * of a name and call a callback function with each
+ * one.  Similarly, foreach_rr() can be used to iterate
+ * over the individual RRs at name, optionally restricted
+ * to RRs of a given type.
+ *
+ * The callback functions are called "actions" and take
+ * two arguments: a void pointer for passing arbitrary
+ * context information, and a pointer to the current RRset
+ * or RR.  By convention, their names end in "_action".
+ */
+
+/*
+ * XXXRTH  We might want to make this public somewhere in libdns.
+ */
+
+/*%
+ * Function type for foreach_rrset() iterator actions.
+ */
+typedef isc_result_t
+rrset_func(void *data, dns_rdataset_t *rrset);
+
+/*%
+ * Function type for foreach_rr() iterator actions.
+ */
+typedef isc_result_t
+rr_func(void *data, rr_t *rr);
+
+/*%
+ * Internal context struct for foreach_node_rr().
+ */
+typedef struct {
+	rr_func *rr_action;
+	void *rr_action_data;
+} foreach_node_rr_ctx_t;
+
+/*%
+ * Internal helper function for foreach_node_rr().
+ */
+static isc_result_t
+foreach_node_rr_action(void *data, dns_rdataset_t *rdataset) {
+	isc_result_t result;
+	foreach_node_rr_ctx_t *ctx = data;
+	for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(rdataset))
+	{
+		rr_t rr = { 0, DNS_RDATA_INIT };
+
+		dns_rdataset_current(rdataset, &rr.rdata);
+		rr.ttl = rdataset->ttl;
+		result = (*ctx->rr_action)(ctx->rr_action_data, &rr);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+	}
+	if (result != ISC_R_NOMORE) {
+		return (result);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * For each rdataset of 'name' in 'ver' of 'db', call 'action'
+ * with the rdataset and 'action_data' as arguments.  If the name
+ * does not exist, do nothing.
+ *
+ * If 'action' returns an error, abort iteration and return the error.
+ */
+static isc_result_t
+foreach_rrset(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+	      rrset_func *action, void *action_data) {
+	isc_result_t result;
+	dns_dbnode_t *node;
+	dns_rdatasetiter_t *iter;
+	dns_clientinfomethods_t cm;
+	dns_clientinfo_t ci;
+	dns_dbversion_t *oldver = NULL;
+
+	dns_clientinfomethods_init(&cm, ns_client_sourceip);
+
+	/*
+	 * Only set the clientinfo 'versionp' if the new version is
+	 * different from the current version
+	 */
+	dns_db_currentversion(db, &oldver);
+	dns_clientinfo_init(&ci, NULL, NULL, (ver != oldver) ? ver : NULL);
+	dns_db_closeversion(db, &oldver, false);
+
+	node = NULL;
+	result = dns_db_findnodeext(db, name, false, &cm, &ci, &node);
+	if (result == ISC_R_NOTFOUND) {
+		return (ISC_R_SUCCESS);
+	}
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	iter = NULL;
+	result = dns_db_allrdatasets(db, node, ver, 0, (isc_stdtime_t)0, &iter);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_node;
+	}
+
+	for (result = dns_rdatasetiter_first(iter); result == ISC_R_SUCCESS;
+	     result = dns_rdatasetiter_next(iter))
+	{
+		dns_rdataset_t rdataset;
+
+		dns_rdataset_init(&rdataset);
+		dns_rdatasetiter_current(iter, &rdataset);
+
+		result = (*action)(action_data, &rdataset);
+
+		dns_rdataset_disassociate(&rdataset);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup_iterator;
+		}
+	}
+	if (result == ISC_R_NOMORE) {
+		result = ISC_R_SUCCESS;
+	}
+
+cleanup_iterator:
+	dns_rdatasetiter_destroy(&iter);
+
+cleanup_node:
+	dns_db_detachnode(db, &node);
+
+	return (result);
+}
+
+/*%
+ * For each RR of 'name' in 'ver' of 'db', call 'action'
+ * with the RR and 'action_data' as arguments.  If the name
+ * does not exist, do nothing.
+ *
+ * If 'action' returns an error, abort iteration
+ * and return the error.
+ */
+static isc_result_t
+foreach_node_rr(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+		rr_func *rr_action, void *rr_action_data) {
+	foreach_node_rr_ctx_t ctx;
+	ctx.rr_action = rr_action;
+	ctx.rr_action_data = rr_action_data;
+	return (foreach_rrset(db, ver, name, foreach_node_rr_action, &ctx));
+}
+
+/*%
+ * For each of the RRs specified by 'db', 'ver', 'name', 'type',
+ * (which can be dns_rdatatype_any to match any type), and 'covers', call
+ * 'action' with the RR and 'action_data' as arguments. If the name
+ * does not exist, or if no RRset of the given type exists at the name,
+ * do nothing.
+ *
+ * If 'action' returns an error, abort iteration and return the error.
+ */
+static isc_result_t
+foreach_rr(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+	   dns_rdatatype_t type, dns_rdatatype_t covers, rr_func *rr_action,
+	   void *rr_action_data) {
+	isc_result_t result;
+	dns_dbnode_t *node;
+	dns_rdataset_t rdataset;
+	dns_clientinfomethods_t cm;
+	dns_clientinfo_t ci;
+	dns_dbversion_t *oldver = NULL;
+	dns_fixedname_t fixed;
+
+	dns_clientinfomethods_init(&cm, ns_client_sourceip);
+
+	/*
+	 * Only set the clientinfo 'versionp' if the new version is
+	 * different from the current version
+	 */
+	dns_db_currentversion(db, &oldver);
+	dns_clientinfo_init(&ci, NULL, NULL, (ver != oldver) ? ver : NULL);
+	dns_db_closeversion(db, &oldver, false);
+
+	if (type == dns_rdatatype_any) {
+		return (foreach_node_rr(db, ver, name, rr_action,
+					rr_action_data));
+	}
+
+	node = NULL;
+	if (type == dns_rdatatype_nsec3 ||
+	    (type == dns_rdatatype_rrsig && covers == dns_rdatatype_nsec3))
+	{
+		result = dns_db_findnsec3node(db, name, false, &node);
+	} else {
+		result = dns_db_findnodeext(db, name, false, &cm, &ci, &node);
+	}
+	if (result == ISC_R_NOTFOUND) {
+		return (ISC_R_SUCCESS);
+	}
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(db, node, ver, type, covers,
+				     (isc_stdtime_t)0, &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND) {
+		result = ISC_R_SUCCESS;
+		goto cleanup_node;
+	}
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_node;
+	}
+
+	if (rr_action == add_rr_prepare_action) {
+		add_rr_prepare_ctx_t *ctx = rr_action_data;
+
+		ctx->oldname = dns_fixedname_initname(&fixed);
+		dns_name_copynf(name, ctx->oldname);
+		dns_rdataset_getownercase(&rdataset, ctx->oldname);
+	}
+
+	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		rr_t rr = { 0, DNS_RDATA_INIT };
+		dns_rdataset_current(&rdataset, &rr.rdata);
+		rr.ttl = rdataset.ttl;
+		result = (*rr_action)(rr_action_data, &rr);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup_rdataset;
+		}
+	}
+	if (result != ISC_R_NOMORE) {
+		goto cleanup_rdataset;
+	}
+	result = ISC_R_SUCCESS;
+
+cleanup_rdataset:
+	dns_rdataset_disassociate(&rdataset);
+cleanup_node:
+	dns_db_detachnode(db, &node);
+
+	return (result);
+}
+
+/**************************************************************************/
+/*
+ * Various tests on the database contents (for prerequisites, etc).
+ */
+
+/*%
+ * Function type for predicate functions that compare a database RR 'db_rr'
+ * against an update RR 'update_rr'.
+ */
+typedef bool
+rr_predicate(dns_rdata_t *update_rr, dns_rdata_t *db_rr);
+
+/*%
+ * Helper function for rrset_exists().
+ */
+static isc_result_t
+rrset_exists_action(void *data, rr_t *rr) {
+	UNUSED(data);
+	UNUSED(rr);
+	return (ISC_R_EXISTS);
+}
+
+/*%
+ * Utility macro for RR existence checking functions.
+ *
+ * If the variable 'result' has the value ISC_R_EXISTS or
+ * ISC_R_SUCCESS, set *exists to true or false,
+ * respectively, and return success.
+ *
+ * If 'result' has any other value, there was a failure.
+ * Return the failure result code and do not set *exists.
+ *
+ * This would be more readable as "do { if ... } while(0)",
+ * but that form generates tons of warnings on Solaris 2.6.
+ */
+#define RETURN_EXISTENCE_FLAG                                         \
+	return ((result == ISC_R_EXISTS)                              \
+			? (*exists = true, ISC_R_SUCCESS)             \
+			: ((result == ISC_R_SUCCESS)                  \
+				   ? (*exists = false, ISC_R_SUCCESS) \
+				   : result))
+
+/*%
+ * Set '*exists' to true iff an rrset of the given type exists,
+ * to false otherwise.
+ */
+static isc_result_t
+rrset_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+	     dns_rdatatype_t type, dns_rdatatype_t covers, bool *exists) {
+	isc_result_t result;
+	result = foreach_rr(db, ver, name, type, covers, rrset_exists_action,
+			    NULL);
+	RETURN_EXISTENCE_FLAG;
+}
+
+/*%
+ * Helper function for cname_incompatible_rrset_exists.
+ */
+static isc_result_t
+cname_compatibility_action(void *data, dns_rdataset_t *rrset) {
+	UNUSED(data);
+	if (rrset->type != dns_rdatatype_cname &&
+	    !dns_rdatatype_atcname(rrset->type))
+	{
+		return (ISC_R_EXISTS);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Check whether there is an rrset incompatible with adding a CNAME RR,
+ * i.e., anything but another CNAME (which can be replaced) or a
+ * DNSSEC RR (which can coexist).
+ *
+ * If such an incompatible rrset exists, set '*exists' to true.
+ * Otherwise, set it to false.
+ */
+static isc_result_t
+cname_incompatible_rrset_exists(dns_db_t *db, dns_dbversion_t *ver,
+				dns_name_t *name, bool *exists) {
+	isc_result_t result;
+	result = foreach_rrset(db, ver, name, cname_compatibility_action, NULL);
+	RETURN_EXISTENCE_FLAG;
+}
+
+/*%
+ * Helper function for rr_count().
+ */
+static isc_result_t
+count_rr_action(void *data, rr_t *rr) {
+	int *countp = data;
+	UNUSED(rr);
+	(*countp)++;
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Count the number of RRs of 'type' belonging to 'name' in 'ver' of 'db'.
+ */
+static isc_result_t
+rr_count(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+	 dns_rdatatype_t type, dns_rdatatype_t covers, int *countp) {
+	*countp = 0;
+	return (foreach_rr(db, ver, name, type, covers, count_rr_action,
+			   countp));
+}
+
+/*%
+ * Context struct and helper function for name_exists().
+ */
+
+static isc_result_t
+name_exists_action(void *data, dns_rdataset_t *rrset) {
+	UNUSED(data);
+	UNUSED(rrset);
+	return (ISC_R_EXISTS);
+}
+
+/*%
+ * Set '*exists' to true iff the given name exists, to false otherwise.
+ */
+static isc_result_t
+name_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+	    bool *exists) {
+	isc_result_t result;
+	result = foreach_rrset(db, ver, name, name_exists_action, NULL);
+	RETURN_EXISTENCE_FLAG;
+}
+
+/*
+ *	'ssu_check_t' is used to pass the arguments to
+ *	dns_ssutable_checkrules() to the callback function
+ *	ssu_checkrule().
+ */
+typedef struct {
+	/* The ownername of the record to be updated. */
+	dns_name_t *name;
+
+	/* The signature's name if the request was signed. */
+	dns_name_t *signer;
+
+	/* The address of the client. */
+	isc_netaddr_t *addr;
+
+	/* The ACL environment */
+	dns_aclenv_t *aclenv;
+
+	/* Whether the request was sent via TCP. */
+	bool tcp;
+
+	/* The ssu table to check against. */
+	dns_ssutable_t *table;
+
+	/* the key used for TKEY requests */
+	dst_key_t *key;
+} ssu_check_t;
+
+static isc_result_t
+ssu_checkrule(void *data, dns_rdataset_t *rrset) {
+	ssu_check_t *ssuinfo = data;
+	bool rule_ok;
+
+	/*
+	 * If we're deleting all records, it's ok to delete RRSIG and NSEC even
+	 * if we're normally not allowed to.
+	 */
+	if (rrset->type == dns_rdatatype_rrsig ||
+	    rrset->type == dns_rdatatype_nsec)
+	{
+		return (ISC_R_SUCCESS);
+	}
+
+	rule_ok = dns_ssutable_checkrules(
+		ssuinfo->table, ssuinfo->signer, ssuinfo->name, ssuinfo->addr,
+		ssuinfo->tcp, ssuinfo->aclenv, rrset->type, ssuinfo->key);
+	return (rule_ok ? ISC_R_SUCCESS : ISC_R_FAILURE);
+}
+
+static bool
+ssu_checkall(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+	     dns_ssutable_t *ssutable, dns_name_t *signer, isc_netaddr_t *addr,
+	     dns_aclenv_t *aclenv, bool tcp, dst_key_t *key) {
+	isc_result_t result;
+	ssu_check_t ssuinfo;
+
+	ssuinfo.name = name;
+	ssuinfo.table = ssutable;
+	ssuinfo.signer = signer;
+	ssuinfo.addr = addr;
+	ssuinfo.aclenv = aclenv;
+	ssuinfo.tcp = tcp;
+	ssuinfo.key = key;
+	result = foreach_rrset(db, ver, name, ssu_checkrule, &ssuinfo);
+	return (result == ISC_R_SUCCESS);
+}
+
+/**************************************************************************/
+/*
+ * Checking of "RRset exists (value dependent)" prerequisites.
+ *
+ * In the RFC2136 section 3.2.5, this is the pseudocode involving
+ * a variable called "temp", a mapping of <name, type> tuples to rrsets.
+ *
+ * Here, we represent the "temp" data structure as (non-minimal) "dns_diff_t"
+ * where each tuple has op==DNS_DIFFOP_EXISTS.
+ */
+
+/*%
+ * Append a tuple asserting the existence of the RR with
+ * 'name' and 'rdata' to 'diff'.
+ */
+static isc_result_t
+temp_append(dns_diff_t *diff, dns_name_t *name, dns_rdata_t *rdata) {
+	isc_result_t result;
+	dns_difftuple_t *tuple = NULL;
+
+	REQUIRE(DNS_DIFF_VALID(diff));
+	CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_EXISTS, name, 0,
+				   rdata, &tuple));
+	ISC_LIST_APPEND(diff->tuples, tuple, link);
+failure:
+	return (result);
+}
+
+/*%
+ * Compare two rdatasets represented as sorted lists of tuples.
+ * All list elements must have the same owner name and type.
+ * Return ISC_R_SUCCESS if the rdatasets are equal, rcode(dns_rcode_nxrrset)
+ * if not.
+ */
+static isc_result_t
+temp_check_rrset(dns_difftuple_t *a, dns_difftuple_t *b) {
+	for (;;) {
+		if (a == NULL || b == NULL) {
+			break;
+		}
+		INSIST(a->op == DNS_DIFFOP_EXISTS &&
+		       b->op == DNS_DIFFOP_EXISTS);
+		INSIST(a->rdata.type == b->rdata.type);
+		INSIST(dns_name_equal(&a->name, &b->name));
+		if (dns_rdata_casecompare(&a->rdata, &b->rdata) != 0) {
+			return (DNS_R_NXRRSET);
+		}
+		a = ISC_LIST_NEXT(a, link);
+		b = ISC_LIST_NEXT(b, link);
+	}
+	if (a != NULL || b != NULL) {
+		return (DNS_R_NXRRSET);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * A comparison function defining the sorting order for the entries
+ * in the "temp" data structure.  The major sort key is the owner name,
+ * followed by the type and rdata.
+ */
+static int
+temp_order(const void *av, const void *bv) {
+	dns_difftuple_t const *const *ap = av;
+	dns_difftuple_t const *const *bp = bv;
+	dns_difftuple_t const *a = *ap;
+	dns_difftuple_t const *b = *bp;
+	int r;
+	r = dns_name_compare(&a->name, &b->name);
+	if (r != 0) {
+		return (r);
+	}
+	r = (b->rdata.type - a->rdata.type);
+	if (r != 0) {
+		return (r);
+	}
+	r = dns_rdata_casecompare(&a->rdata, &b->rdata);
+	return (r);
+}
+
+/*%
+ * Check the "RRset exists (value dependent)" prerequisite information
+ * in 'temp' against the contents of the database 'db'.
+ *
+ * Return ISC_R_SUCCESS if the prerequisites are satisfied,
+ * rcode(dns_rcode_nxrrset) if not.
+ *
+ * 'temp' must be pre-sorted.
+ */
+
+static isc_result_t
+temp_check(isc_mem_t *mctx, dns_diff_t *temp, dns_db_t *db,
+	   dns_dbversion_t *ver, dns_name_t *tmpname, dns_rdatatype_t *typep) {
+	isc_result_t result;
+	dns_name_t *name;
+	dns_dbnode_t *node;
+	dns_difftuple_t *t;
+	dns_diff_t trash;
+
+	dns_diff_init(mctx, &trash);
+
+	/*
+	 * For each name and type in the prerequisites,
+	 * construct a sorted rdata list of the corresponding
+	 * database contents, and compare the lists.
+	 */
+	t = ISC_LIST_HEAD(temp->tuples);
+	while (t != NULL) {
+		name = &t->name;
+		dns_name_copynf(name, tmpname);
+		*typep = t->rdata.type;
+
+		/* A new unique name begins here. */
+		node = NULL;
+		result = dns_db_findnode(db, name, false, &node);
+		if (result == ISC_R_NOTFOUND) {
+			dns_diff_clear(&trash);
+			return (DNS_R_NXRRSET);
+		}
+		if (result != ISC_R_SUCCESS) {
+			dns_diff_clear(&trash);
+			return (result);
+		}
+
+		/* A new unique type begins here. */
+		while (t != NULL && dns_name_equal(&t->name, name)) {
+			dns_rdatatype_t type, covers;
+			dns_rdataset_t rdataset;
+			dns_diff_t d_rrs; /* Database RRs with
+					   *    this name and type */
+			dns_diff_t u_rrs; /* Update RRs with
+					   *    this name and type */
+
+			*typep = type = t->rdata.type;
+			if (type == dns_rdatatype_rrsig ||
+			    type == dns_rdatatype_sig)
+			{
+				covers = dns_rdata_covers(&t->rdata);
+			} else if (type == dns_rdatatype_any) {
+				dns_db_detachnode(db, &node);
+				dns_diff_clear(&trash);
+				return (DNS_R_NXRRSET);
+			} else {
+				covers = 0;
+			}
+
+			/*
+			 * Collect all database RRs for this name and type
+			 * onto d_rrs and sort them.
+			 */
+			dns_rdataset_init(&rdataset);
+			result = dns_db_findrdataset(db, node, ver, type,
+						     covers, (isc_stdtime_t)0,
+						     &rdataset, NULL);
+			if (result != ISC_R_SUCCESS) {
+				dns_db_detachnode(db, &node);
+				dns_diff_clear(&trash);
+				return (DNS_R_NXRRSET);
+			}
+
+			dns_diff_init(mctx, &d_rrs);
+			dns_diff_init(mctx, &u_rrs);
+
+			for (result = dns_rdataset_first(&rdataset);
+			     result == ISC_R_SUCCESS;
+			     result = dns_rdataset_next(&rdataset))
+			{
+				dns_rdata_t rdata = DNS_RDATA_INIT;
+				dns_rdataset_current(&rdataset, &rdata);
+				result = temp_append(&d_rrs, name, &rdata);
+				if (result != ISC_R_SUCCESS) {
+					goto failure;
+				}
+			}
+			if (result != ISC_R_NOMORE) {
+				goto failure;
+			}
+			result = dns_diff_sort(&d_rrs, temp_order);
+			if (result != ISC_R_SUCCESS) {
+				goto failure;
+			}
+
+			/*
+			 * Collect all update RRs for this name and type
+			 * onto u_rrs.  No need to sort them here -
+			 * they are already sorted.
+			 */
+			while (t != NULL && dns_name_equal(&t->name, name) &&
+			       t->rdata.type == type)
+			{
+				dns_difftuple_t *next = ISC_LIST_NEXT(t, link);
+				ISC_LIST_UNLINK(temp->tuples, t, link);
+				ISC_LIST_APPEND(u_rrs.tuples, t, link);
+				t = next;
+			}
+
+			/* Compare the two sorted lists. */
+			result = temp_check_rrset(ISC_LIST_HEAD(u_rrs.tuples),
+						  ISC_LIST_HEAD(d_rrs.tuples));
+			if (result != ISC_R_SUCCESS) {
+				goto failure;
+			}
+
+			/*
+			 * We are done with the tuples, but we can't free
+			 * them yet because "name" still points into one
+			 * of them.  Move them on a temporary list.
+			 */
+			ISC_LIST_APPENDLIST(trash.tuples, u_rrs.tuples, link);
+			ISC_LIST_APPENDLIST(trash.tuples, d_rrs.tuples, link);
+			dns_rdataset_disassociate(&rdataset);
+
+			continue;
+
+		failure:
+			dns_diff_clear(&d_rrs);
+			dns_diff_clear(&u_rrs);
+			dns_diff_clear(&trash);
+			dns_rdataset_disassociate(&rdataset);
+			dns_db_detachnode(db, &node);
+			return (result);
+		}
+
+		dns_db_detachnode(db, &node);
+	}
+
+	dns_diff_clear(&trash);
+	return (ISC_R_SUCCESS);
+}
+
+/**************************************************************************/
+/*
+ * Conditional deletion of RRs.
+ */
+
+/*%
+ * Context structure for delete_if().
+ */
+
+typedef struct {
+	rr_predicate *predicate;
+	dns_db_t *db;
+	dns_dbversion_t *ver;
+	dns_diff_t *diff;
+	dns_name_t *name;
+	dns_rdata_t *update_rr;
+} conditional_delete_ctx_t;
+
+/*%
+ * Predicate functions for delete_if().
+ */
+
+/*%
+ * Return true iff 'db_rr' is neither a SOA nor an NS RR nor
+ * an RRSIG nor an NSEC3PARAM nor a NSEC.
+ */
+static bool
+type_not_soa_nor_ns_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
+	UNUSED(update_rr);
+	return ((db_rr->type != dns_rdatatype_soa &&
+		 db_rr->type != dns_rdatatype_ns &&
+		 db_rr->type != dns_rdatatype_nsec3param &&
+		 db_rr->type != dns_rdatatype_rrsig &&
+		 db_rr->type != dns_rdatatype_nsec)
+			? true
+			: false);
+}
+
+/*%
+ * Return true iff 'db_rr' is neither a RRSIG nor a NSEC.
+ */
+static bool
+type_not_dnssec(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
+	UNUSED(update_rr);
+	return ((db_rr->type != dns_rdatatype_rrsig &&
+		 db_rr->type != dns_rdatatype_nsec)
+			? true
+			: false);
+}
+
+/*%
+ * Return true always.
+ */
+static bool
+true_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
+	UNUSED(update_rr);
+	UNUSED(db_rr);
+	return (true);
+}
+
+/*%
+ * Return true iff the two RRs have identical rdata.
+ */
+static bool
+rr_equal_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
+	/*
+	 * XXXRTH  This is not a problem, but we should consider creating
+	 *         dns_rdata_equal() (that used dns_name_equal()), since it
+	 *         would be faster.  Not a priority.
+	 */
+	return (dns_rdata_casecompare(update_rr, db_rr) == 0 ? true : false);
+}
+
+/*%
+ * Return true iff 'update_rr' should replace 'db_rr' according
+ * to the special RFC2136 rules for CNAME, SOA, and WKS records.
+ *
+ * RFC2136 does not mention NSEC or DNAME, but multiple NSECs or DNAMEs
+ * make little sense, so we replace those, too.
+ *
+ * Additionally replace RRSIG that have been generated by the same key
+ * for the same type.  This simplifies refreshing a offline KSK by not
+ * requiring that the old RRSIG be deleted.  It also simplifies key
+ * rollover by only requiring that the new RRSIG be added.
+ */
+static bool
+replaces_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
+	dns_rdata_rrsig_t updatesig, dbsig;
+	isc_result_t result;
+
+	if (db_rr->type != update_rr->type) {
+		return (false);
+	}
+	if (db_rr->type == dns_rdatatype_cname) {
+		return (true);
+	}
+	if (db_rr->type == dns_rdatatype_dname) {
+		return (true);
+	}
+	if (db_rr->type == dns_rdatatype_soa) {
+		return (true);
+	}
+	if (db_rr->type == dns_rdatatype_nsec) {
+		return (true);
+	}
+	if (db_rr->type == dns_rdatatype_rrsig) {
+		/*
+		 * Replace existing RRSIG with the same keyid,
+		 * covered and algorithm.
+		 */
+		result = dns_rdata_tostruct(db_rr, &dbsig, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		result = dns_rdata_tostruct(update_rr, &updatesig, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		if (dbsig.keyid == updatesig.keyid &&
+		    dbsig.covered == updatesig.covered &&
+		    dbsig.algorithm == updatesig.algorithm)
+		{
+			return (true);
+		}
+	}
+	if (db_rr->type == dns_rdatatype_wks) {
+		/*
+		 * Compare the address and protocol fields only.  These
+		 * form the first five bytes of the RR data.  Do a
+		 * raw binary comparison; unpacking the WKS RRs using
+		 * dns_rdata_tostruct() might be cleaner in some ways.
+		 */
+		INSIST(db_rr->length >= 5 && update_rr->length >= 5);
+		return (memcmp(db_rr->data, update_rr->data, 5) == 0 ? true
+								     : false);
+	}
+
+	if (db_rr->type == dns_rdatatype_nsec3param) {
+		if (db_rr->length != update_rr->length) {
+			return (false);
+		}
+		INSIST(db_rr->length >= 4 && update_rr->length >= 4);
+		/*
+		 * Replace NSEC3PARAM records that only differ by the
+		 * flags field.
+		 */
+		if (db_rr->data[0] == update_rr->data[0] &&
+		    memcmp(db_rr->data + 2, update_rr->data + 2,
+			   update_rr->length - 2) == 0)
+		{
+			return (true);
+		}
+	}
+	return (false);
+}
+
+/*%
+ * Internal helper function for delete_if().
+ */
+static isc_result_t
+delete_if_action(void *data, rr_t *rr) {
+	conditional_delete_ctx_t *ctx = data;
+	if ((*ctx->predicate)(ctx->update_rr, &rr->rdata)) {
+		isc_result_t result;
+		result = update_one_rr(ctx->db, ctx->ver, ctx->diff,
+				       DNS_DIFFOP_DEL, ctx->name, rr->ttl,
+				       &rr->rdata);
+		return (result);
+	} else {
+		return (ISC_R_SUCCESS);
+	}
+}
+
+/*%
+ * Conditionally delete RRs.  Apply 'predicate' to the RRs
+ * specified by 'db', 'ver', 'name', and 'type' (which can
+ * be dns_rdatatype_any to match any type).  Delete those
+ * RRs for which the predicate returns true, and log the
+ * deletions in 'diff'.
+ */
+static isc_result_t
+delete_if(rr_predicate *predicate, dns_db_t *db, dns_dbversion_t *ver,
+	  dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers,
+	  dns_rdata_t *update_rr, dns_diff_t *diff) {
+	conditional_delete_ctx_t ctx;
+	ctx.predicate = predicate;
+	ctx.db = db;
+	ctx.ver = ver;
+	ctx.diff = diff;
+	ctx.name = name;
+	ctx.update_rr = update_rr;
+	return (foreach_rr(db, ver, name, type, covers, delete_if_action,
+			   &ctx));
+}
+
+/**************************************************************************/
+
+static isc_result_t
+add_rr_prepare_action(void *data, rr_t *rr) {
+	isc_result_t result = ISC_R_SUCCESS;
+	add_rr_prepare_ctx_t *ctx = data;
+	dns_difftuple_t *tuple = NULL;
+	bool equal, case_equal, ttl_equal;
+
+	/*
+	 * Are the new and old cases equal?
+	 */
+	case_equal = dns_name_caseequal(ctx->name, ctx->oldname);
+
+	/*
+	 * Are the ttl's equal?
+	 */
+	ttl_equal = rr->ttl == ctx->update_rr_ttl;
+
+	/*
+	 * If the update RR is a "duplicate" of a existing RR,
+	 * the update should be silently ignored.
+	 */
+	equal = (dns_rdata_casecompare(&rr->rdata, ctx->update_rr) == 0);
+	if (equal && case_equal && ttl_equal) {
+		ctx->ignore_add = true;
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * If this RR is "equal" to the update RR, it should
+	 * be deleted before the update RR is added.
+	 */
+	if (replaces_p(ctx->update_rr, &rr->rdata)) {
+		CHECK(dns_difftuple_create(ctx->del_diff.mctx, DNS_DIFFOP_DEL,
+					   ctx->oldname, rr->ttl, &rr->rdata,
+					   &tuple));
+		dns_diff_append(&ctx->del_diff, &tuple);
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * If this RR differs in TTL or case from the update RR,
+	 * its TTL and case must be adjusted.
+	 */
+	if (!ttl_equal || !case_equal) {
+		CHECK(dns_difftuple_create(ctx->del_diff.mctx, DNS_DIFFOP_DEL,
+					   ctx->oldname, rr->ttl, &rr->rdata,
+					   &tuple));
+		dns_diff_append(&ctx->del_diff, &tuple);
+		if (!equal) {
+			CHECK(dns_difftuple_create(
+				ctx->add_diff.mctx, DNS_DIFFOP_ADD, ctx->name,
+				ctx->update_rr_ttl, &rr->rdata, &tuple));
+			dns_diff_append(&ctx->add_diff, &tuple);
+		}
+	}
+failure:
+	return (result);
+}
+
+/**************************************************************************/
+/*
+ * Miscellaneous subroutines.
+ */
+
+/*%
+ * Extract a single update RR from 'section' of dynamic update message
+ * 'msg', with consistency checking.
+ *
+ * Stores the owner name, rdata, and TTL of the update RR at 'name',
+ * 'rdata', and 'ttl', respectively.
+ */
+static void
+get_current_rr(dns_message_t *msg, dns_section_t section,
+	       dns_rdataclass_t zoneclass, dns_name_t **name,
+	       dns_rdata_t *rdata, dns_rdatatype_t *covers, dns_ttl_t *ttl,
+	       dns_rdataclass_t *update_class) {
+	dns_rdataset_t *rdataset;
+	isc_result_t result;
+	dns_message_currentname(msg, section, name);
+	rdataset = ISC_LIST_HEAD((*name)->list);
+	INSIST(rdataset != NULL);
+	INSIST(ISC_LIST_NEXT(rdataset, link) == NULL);
+	*covers = rdataset->covers;
+	*ttl = rdataset->ttl;
+	result = dns_rdataset_first(rdataset);
+	INSIST(result == ISC_R_SUCCESS);
+	dns_rdataset_current(rdataset, rdata);
+	INSIST(dns_rdataset_next(rdataset) == ISC_R_NOMORE);
+	*update_class = rdata->rdclass;
+	rdata->rdclass = zoneclass;
+}
+
+/*%
+ * Increment the SOA serial number of database 'db', version 'ver'.
+ * Replace the SOA record in the database, and log the
+ * change in 'diff'.
+ */
+
+/*
+ * XXXRTH  Failures in this routine will be worth logging, when
+ *         we have a logging system.  Failure to find the zonename
+ *	   or the SOA rdataset warrant at least an UNEXPECTED_ERROR().
+ */
+
+static isc_result_t
+update_soa_serial(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff,
+		  isc_mem_t *mctx, dns_updatemethod_t method) {
+	dns_difftuple_t *deltuple = NULL;
+	dns_difftuple_t *addtuple = NULL;
+	uint32_t serial;
+	isc_result_t result;
+
+	CHECK(dns_db_createsoatuple(db, ver, mctx, DNS_DIFFOP_DEL, &deltuple));
+	CHECK(dns_difftuple_copy(deltuple, &addtuple));
+	addtuple->op = DNS_DIFFOP_ADD;
+
+	serial = dns_soa_getserial(&addtuple->rdata);
+	serial = dns_update_soaserial(serial, method, NULL);
+	dns_soa_setserial(serial, &addtuple->rdata);
+	CHECK(do_one_tuple(&deltuple, db, ver, diff));
+	CHECK(do_one_tuple(&addtuple, db, ver, diff));
+	result = ISC_R_SUCCESS;
+
+failure:
+	if (addtuple != NULL) {
+		dns_difftuple_free(&addtuple);
+	}
+	if (deltuple != NULL) {
+		dns_difftuple_free(&deltuple);
+	}
+	return (result);
+}
+
+/*%
+ * Check that the new SOA record at 'update_rdata' does not
+ * illegally cause the SOA serial number to decrease or stay
+ * unchanged relative to the existing SOA in 'db'.
+ *
+ * Sets '*ok' to true if the update is legal, false if not.
+ *
+ * William King points out that RFC2136 is inconsistent about
+ * the case where the serial number stays unchanged:
+ *
+ *   section 3.4.2.2 requires a server to ignore a SOA update request
+ *   if the serial number on the update SOA is less_than_or_equal to
+ *   the zone SOA serial.
+ *
+ *   section 3.6 requires a server to ignore a SOA update request if
+ *   the serial is less_than the zone SOA serial.
+ *
+ * Paul says 3.4.2.2 is correct.
+ *
+ */
+static isc_result_t
+check_soa_increment(dns_db_t *db, dns_dbversion_t *ver,
+		    dns_rdata_t *update_rdata, bool *ok) {
+	uint32_t db_serial;
+	uint32_t update_serial;
+	isc_result_t result;
+
+	update_serial = dns_soa_getserial(update_rdata);
+
+	result = dns_db_getsoaserial(db, ver, &db_serial);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	if (DNS_SERIAL_GE(db_serial, update_serial)) {
+		*ok = false;
+	} else {
+		*ok = true;
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/**************************************************************************/
+/*%
+ * The actual update code in all its glory.  We try to follow
+ * the RFC2136 pseudocode as closely as possible.
+ */
+
+static isc_result_t
+send_update_event(ns_client_t *client, dns_zone_t *zone) {
+	isc_result_t result = ISC_R_SUCCESS;
+	update_event_t *event = NULL;
+	isc_task_t *zonetask = NULL;
+	dns_ssutable_t *ssutable = NULL;
+	dns_message_t *request = client->message;
+	dns_aclenv_t *env =
+		ns_interfacemgr_getaclenv(client->manager->interface->mgr);
+	dns_rdataclass_t zoneclass;
+	dns_rdatatype_t covers;
+	dns_name_t *zonename = NULL;
+	dns_db_t *db = NULL;
+	dns_dbversion_t *ver = NULL;
+
+	CHECK(dns_zone_getdb(zone, &db));
+	zonename = dns_db_origin(db);
+	zoneclass = dns_db_class(db);
+	dns_zone_getssutable(zone, &ssutable);
+	dns_db_currentversion(db, &ver);
+
+	/*
+	 * Update message processing can leak record existence information
+	 * so check that we are allowed to query this zone.  Additionally,
+	 * if we would refuse all updates for this zone, we bail out here.
+	 */
+	CHECK(checkqueryacl(client, dns_zone_getqueryacl(zone),
+			    dns_zone_getorigin(zone),
+			    dns_zone_getupdateacl(zone), ssutable));
+
+	/*
+	 * Check requestor's permissions.
+	 */
+	if (ssutable == NULL) {
+		CHECK(checkupdateacl(client, dns_zone_getupdateacl(zone),
+				     "update", dns_zone_getorigin(zone), false,
+				     false));
+	} else if (client->signer == NULL && !TCPCLIENT(client)) {
+		CHECK(checkupdateacl(client, NULL, "update",
+				     dns_zone_getorigin(zone), false, true));
+	}
+
+	if (dns_zone_getupdatedisabled(zone)) {
+		FAILC(DNS_R_REFUSED, "dynamic update temporarily disabled "
+				     "because the zone is frozen.  Use "
+				     "'rndc thaw' to re-enable updates.");
+	}
+
+	/*
+	 * Prescan the update section, checking for updates that
+	 * are illegal or violate policy.
+	 */
+	for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
+	     result == ISC_R_SUCCESS;
+	     result = dns_message_nextname(request, DNS_SECTION_UPDATE))
+	{
+		dns_name_t *name = NULL;
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_ttl_t ttl;
+		dns_rdataclass_t update_class;
+
+		get_current_rr(request, DNS_SECTION_UPDATE, zoneclass, &name,
+			       &rdata, &covers, &ttl, &update_class);
+
+		if (!dns_name_issubdomain(name, zonename)) {
+			FAILC(DNS_R_NOTZONE, "update RR is outside zone");
+		}
+		if (update_class == zoneclass) {
+			/*
+			 * Check for meta-RRs.  The RFC2136 pseudocode says
+			 * check for ANY|AXFR|MAILA|MAILB, but the text adds
+			 * "or any other QUERY metatype"
+			 */
+			if (dns_rdatatype_ismeta(rdata.type)) {
+				FAILC(DNS_R_FORMERR, "meta-RR in update");
+			}
+			result = dns_zone_checknames(zone, name, &rdata);
+			if (result != ISC_R_SUCCESS) {
+				FAIL(DNS_R_REFUSED);
+			}
+		} else if (update_class == dns_rdataclass_any) {
+			if (ttl != 0 || rdata.length != 0 ||
+			    (dns_rdatatype_ismeta(rdata.type) &&
+			     rdata.type != dns_rdatatype_any))
+			{
+				FAILC(DNS_R_FORMERR, "meta-RR in update");
+			}
+		} else if (update_class == dns_rdataclass_none) {
+			if (ttl != 0 || dns_rdatatype_ismeta(rdata.type)) {
+				FAILC(DNS_R_FORMERR, "meta-RR in update");
+			}
+		} else {
+			update_log(client, zone, ISC_LOG_WARNING,
+				   "update RR has incorrect class %d",
+				   update_class);
+			FAIL(DNS_R_FORMERR);
+		}
+
+		/*
+		 * draft-ietf-dnsind-simple-secure-update-01 says
+		 * "Unlike traditional dynamic update, the client
+		 * is forbidden from updating NSEC records."
+		 */
+		if (rdata.type == dns_rdatatype_nsec3) {
+			FAILC(DNS_R_REFUSED, "explicit NSEC3 updates are not "
+					     "allowed "
+					     "in secure zones");
+		} else if (rdata.type == dns_rdatatype_nsec) {
+			FAILC(DNS_R_REFUSED, "explicit NSEC updates are not "
+					     "allowed "
+					     "in secure zones");
+		} else if (rdata.type == dns_rdatatype_rrsig &&
+			   !dns_name_equal(name, zonename))
+		{
+			FAILC(DNS_R_REFUSED, "explicit RRSIG updates are "
+					     "currently "
+					     "not supported in secure zones "
+					     "except "
+					     "at the apex");
+		}
+
+		if (ssutable != NULL) {
+			isc_netaddr_t netaddr;
+			dst_key_t *tsigkey = NULL;
+			isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
+
+			if (client->message->tsigkey != NULL) {
+				tsigkey = client->message->tsigkey->key;
+			}
+
+			if (rdata.type != dns_rdatatype_any) {
+				if (!dns_ssutable_checkrules(
+					    ssutable, client->signer, name,
+					    &netaddr, TCPCLIENT(client), env,
+					    rdata.type, tsigkey))
+				{
+					FAILC(DNS_R_REFUSED, "rejected by "
+							     "secure update");
+				}
+			} else {
+				if (!ssu_checkall(db, ver, name, ssutable,
+						  client->signer, &netaddr, env,
+						  TCPCLIENT(client), tsigkey))
+				{
+					FAILC(DNS_R_REFUSED, "rejected by "
+							     "secure update");
+				}
+			}
+		}
+	}
+	if (result != ISC_R_NOMORE) {
+		FAIL(result);
+	}
+
+	update_log(client, zone, LOGLEVEL_DEBUG, "update section prescan OK");
+
+	result = isc_quota_attach(&client->manager->sctx->updquota,
+				  &(isc_quota_t *){ NULL });
+	if (result != ISC_R_SUCCESS) {
+		update_log(client, zone, LOGLEVEL_PROTOCOL,
+			   "update failed: too many DNS UPDATEs queued (%s)",
+			   isc_result_totext(result));
+		ns_stats_increment(client->manager->sctx->nsstats,
+				   ns_statscounter_updatequota);
+		CHECK(DNS_R_DROP);
+	}
+
+	event = (update_event_t *)isc_event_allocate(
+		client->mctx, client, DNS_EVENT_UPDATE, update_action, NULL,
+		sizeof(*event));
+	event->zone = zone;
+	event->result = ISC_R_SUCCESS;
+
+	INSIST(client->nupdates == 0);
+	client->nupdates++;
+	event->ev_arg = client;
+
+	isc_nmhandle_attach(client->handle, &client->updatehandle);
+	dns_zone_gettask(zone, &zonetask);
+	isc_task_send(zonetask, ISC_EVENT_PTR(&event));
+
+failure:
+	if (db != NULL) {
+		dns_db_closeversion(db, &ver, false);
+		dns_db_detach(&db);
+	}
+
+	if (ssutable != NULL) {
+		dns_ssutable_detach(&ssutable);
+	}
+
+	return (result);
+}
+
+static void
+respond(ns_client_t *client, isc_result_t result) {
+	isc_result_t msg_result;
+
+	msg_result = dns_message_reply(client->message, true);
+	if (msg_result != ISC_R_SUCCESS) {
+		isc_log_write(ns_lctx, NS_LOGCATEGORY_UPDATE,
+			      NS_LOGMODULE_UPDATE, ISC_LOG_ERROR,
+			      "could not create update response message: %s",
+			      isc_result_totext(msg_result));
+		ns_client_drop(client, msg_result);
+		isc_nmhandle_detach(&client->reqhandle);
+		return;
+	}
+
+	client->message->rcode = dns_result_torcode(result);
+	ns_client_send(client);
+	isc_nmhandle_detach(&client->reqhandle);
+}
+
+void
+ns_update_start(ns_client_t *client, isc_nmhandle_t *handle,
+		isc_result_t sigresult) {
+	dns_message_t *request = client->message;
+	isc_result_t result;
+	dns_name_t *zonename;
+	dns_rdataset_t *zone_rdataset;
+	dns_zone_t *zone = NULL, *raw = NULL;
+
+	/*
+	 * Attach to the request handle. This will be held until
+	 * we respond, or drop the request.
+	 */
+	isc_nmhandle_attach(handle, &client->reqhandle);
+
+	/*
+	 * Interpret the zone section.
+	 */
+	result = dns_message_firstname(request, DNS_SECTION_ZONE);
+	if (result != ISC_R_SUCCESS) {
+		FAILC(DNS_R_FORMERR, "update zone section empty");
+	}
+
+	/*
+	 * The zone section must contain exactly one "question", and
+	 * it must be of type SOA.
+	 */
+	zonename = NULL;
+	dns_message_currentname(request, DNS_SECTION_ZONE, &zonename);
+	zone_rdataset = ISC_LIST_HEAD(zonename->list);
+	if (zone_rdataset->type != dns_rdatatype_soa) {
+		FAILC(DNS_R_FORMERR, "update zone section contains non-SOA");
+	}
+	if (ISC_LIST_NEXT(zone_rdataset, link) != NULL) {
+		FAILC(DNS_R_FORMERR, "update zone section contains multiple "
+				     "RRs");
+	}
+
+	/* The zone section must have exactly one name. */
+	result = dns_message_nextname(request, DNS_SECTION_ZONE);
+	if (result != ISC_R_NOMORE) {
+		FAILC(DNS_R_FORMERR, "update zone section contains multiple "
+				     "RRs");
+	}
+
+	result = dns_zt_find(client->view->zonetable, zonename, 0, NULL, &zone);
+	if (result != ISC_R_SUCCESS) {
+		/*
+		 * If we found a zone that is a parent of the update zonename,
+		 * detach it so it isn't mentioned in log - it is irrelevant.
+		 */
+		if (zone != NULL) {
+			dns_zone_detach(&zone);
+		}
+		FAILN(DNS_R_NOTAUTH, zonename,
+		      "not authoritative for update zone");
+	}
+
+	/*
+	 * If there is a raw (unsigned) zone associated with this
+	 * zone then it processes the UPDATE request.
+	 */
+	dns_zone_getraw(zone, &raw);
+	if (raw != NULL) {
+		dns_zone_detach(&zone);
+		dns_zone_attach(raw, &zone);
+		dns_zone_detach(&raw);
+	}
+
+	switch (dns_zone_gettype(zone)) {
+	case dns_zone_primary:
+	case dns_zone_dlz:
+		/*
+		 * We can now fail due to a bad signature as we now know
+		 * that we are the master.
+		 */
+		if (sigresult != ISC_R_SUCCESS) {
+			FAIL(sigresult);
+		}
+		dns_message_clonebuffer(client->message);
+		CHECK(send_update_event(client, zone));
+		break;
+	case dns_zone_secondary:
+	case dns_zone_mirror:
+		dns_message_clonebuffer(client->message);
+		CHECK(send_forward_event(client, zone));
+		break;
+	default:
+		FAILC(DNS_R_NOTAUTH, "not authoritative for update zone");
+	}
+	return;
+
+failure:
+	if (result == DNS_R_REFUSED) {
+		inc_stats(client, zone, ns_statscounter_updaterej);
+	}
+
+	/*
+	 * We failed without having sent an update event to the zone.
+	 * We are still in the client task context, so we can
+	 * simply give an error response without switching tasks.
+	 */
+	if (result == DNS_R_DROP) {
+		ns_client_drop(client, result);
+		isc_nmhandle_detach(&client->reqhandle);
+	} else {
+		respond(client, result);
+	}
+
+	if (zone != NULL) {
+		dns_zone_detach(&zone);
+	}
+}
+
+/*%
+ * DS records are not allowed to exist without corresponding NS records,
+ * RFC 3658, 2.2 Protocol Change,
+ * "DS RRsets MUST NOT appear at non-delegation points or at a zone's apex".
+ */
+
+static isc_result_t
+remove_orphaned_ds(dns_db_t *db, dns_dbversion_t *newver, dns_diff_t *diff) {
+	isc_result_t result;
+	bool ns_exists;
+	dns_difftuple_t *tuple;
+	dns_diff_t temp_diff;
+
+	dns_diff_init(diff->mctx, &temp_diff);
+
+	for (tuple = ISC_LIST_HEAD(diff->tuples); tuple != NULL;
+	     tuple = ISC_LIST_NEXT(tuple, link))
+	{
+		if (!((tuple->op == DNS_DIFFOP_DEL &&
+		       tuple->rdata.type == dns_rdatatype_ns) ||
+		      (tuple->op == DNS_DIFFOP_ADD &&
+		       tuple->rdata.type == dns_rdatatype_ds)))
+		{
+			continue;
+		}
+		CHECK(rrset_exists(db, newver, &tuple->name, dns_rdatatype_ns,
+				   0, &ns_exists));
+		if (ns_exists &&
+		    !dns_name_equal(&tuple->name, dns_db_origin(db)))
+		{
+			continue;
+		}
+		CHECK(delete_if(true_p, db, newver, &tuple->name,
+				dns_rdatatype_ds, 0, NULL, &temp_diff));
+	}
+	result = ISC_R_SUCCESS;
+
+failure:
+	for (tuple = ISC_LIST_HEAD(temp_diff.tuples); tuple != NULL;
+	     tuple = ISC_LIST_HEAD(temp_diff.tuples))
+	{
+		ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
+		dns_diff_appendminimal(diff, &tuple);
+	}
+	return (result);
+}
+
+/*
+ * This implements the post load integrity checks for mx records.
+ */
+static isc_result_t
+check_mx(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
+	 dns_dbversion_t *newver, dns_diff_t *diff) {
+	char tmp[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:123.123.123.123.")];
+	char ownerbuf[DNS_NAME_FORMATSIZE];
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char altbuf[DNS_NAME_FORMATSIZE];
+	dns_difftuple_t *t;
+	dns_fixedname_t fixed;
+	dns_name_t *foundname;
+	dns_rdata_mx_t mx;
+	dns_rdata_t rdata;
+	bool ok = true;
+	bool isaddress;
+	isc_result_t result;
+	struct in6_addr addr6;
+	struct in_addr addr;
+	dns_zoneopt_t options;
+
+	foundname = dns_fixedname_initname(&fixed);
+	dns_rdata_init(&rdata);
+	options = dns_zone_getoptions(zone);
+
+	for (t = ISC_LIST_HEAD(diff->tuples); t != NULL;
+	     t = ISC_LIST_NEXT(t, link))
+	{
+		if (t->op != DNS_DIFFOP_ADD ||
+		    t->rdata.type != dns_rdatatype_mx)
+		{
+			continue;
+		}
+
+		result = dns_rdata_tostruct(&t->rdata, &mx, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		/*
+		 * Check if we will error out if we attempt to reload the
+		 * zone.
+		 */
+		dns_name_format(&mx.mx, namebuf, sizeof(namebuf));
+		dns_name_format(&t->name, ownerbuf, sizeof(ownerbuf));
+		isaddress = false;
+		if ((options & DNS_ZONEOPT_CHECKMX) != 0 &&
+		    strlcpy(tmp, namebuf, sizeof(tmp)) < sizeof(tmp))
+		{
+			if (tmp[strlen(tmp) - 1] == '.') {
+				tmp[strlen(tmp) - 1] = '\0';
+			}
+			if (inet_pton(AF_INET, tmp, &addr) == 1 ||
+			    inet_pton(AF_INET6, tmp, &addr6) == 1)
+			{
+				isaddress = true;
+			}
+		}
+
+		if (isaddress && (options & DNS_ZONEOPT_CHECKMXFAIL) != 0) {
+			update_log(client, zone, ISC_LOG_ERROR,
+				   "%s/MX: '%s': %s", ownerbuf, namebuf,
+				   dns_result_totext(DNS_R_MXISADDRESS));
+			ok = false;
+		} else if (isaddress) {
+			update_log(client, zone, ISC_LOG_WARNING,
+				   "%s/MX: warning: '%s': %s", ownerbuf,
+				   namebuf,
+				   dns_result_totext(DNS_R_MXISADDRESS));
+		}
+
+		/*
+		 * Check zone integrity checks.
+		 */
+		if ((options & DNS_ZONEOPT_CHECKINTEGRITY) == 0) {
+			continue;
+		}
+		result = dns_db_find(db, &mx.mx, newver, dns_rdatatype_a, 0, 0,
+				     NULL, foundname, NULL, NULL);
+		if (result == ISC_R_SUCCESS) {
+			continue;
+		}
+
+		if (result == DNS_R_NXRRSET) {
+			result = dns_db_find(db, &mx.mx, newver,
+					     dns_rdatatype_aaaa, 0, 0, NULL,
+					     foundname, NULL, NULL);
+			if (result == ISC_R_SUCCESS) {
+				continue;
+			}
+		}
+
+		if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN) {
+			update_log(client, zone, ISC_LOG_ERROR,
+				   "%s/MX '%s' has no address records "
+				   "(A or AAAA)",
+				   ownerbuf, namebuf);
+			ok = false;
+		} else if (result == DNS_R_CNAME) {
+			update_log(client, zone, ISC_LOG_ERROR,
+				   "%s/MX '%s' is a CNAME (illegal)", ownerbuf,
+				   namebuf);
+			ok = false;
+		} else if (result == DNS_R_DNAME) {
+			dns_name_format(foundname, altbuf, sizeof altbuf);
+			update_log(client, zone, ISC_LOG_ERROR,
+				   "%s/MX '%s' is below a DNAME '%s' (illegal)",
+				   ownerbuf, namebuf, altbuf);
+			ok = false;
+		}
+	}
+	return (ok ? ISC_R_SUCCESS : DNS_R_REFUSED);
+}
+
+static isc_result_t
+rr_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+	  const dns_rdata_t *rdata, bool *flag) {
+	dns_rdataset_t rdataset;
+	dns_dbnode_t *node = NULL;
+	isc_result_t result;
+
+	dns_rdataset_init(&rdataset);
+	if (rdata->type == dns_rdatatype_nsec3) {
+		CHECK(dns_db_findnsec3node(db, name, false, &node));
+	} else {
+		CHECK(dns_db_findnode(db, name, false, &node));
+	}
+	result = dns_db_findrdataset(db, node, ver, rdata->type, 0,
+				     (isc_stdtime_t)0, &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND) {
+		*flag = false;
+		result = ISC_R_SUCCESS;
+		goto failure;
+	}
+
+	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		dns_rdata_t myrdata = DNS_RDATA_INIT;
+		dns_rdataset_current(&rdataset, &myrdata);
+		if (!dns_rdata_casecompare(&myrdata, rdata)) {
+			break;
+		}
+	}
+	dns_rdataset_disassociate(&rdataset);
+	if (result == ISC_R_SUCCESS) {
+		*flag = true;
+	} else if (result == ISC_R_NOMORE) {
+		*flag = false;
+		result = ISC_R_SUCCESS;
+	}
+
+failure:
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+	return (result);
+}
+
+static isc_result_t
+get_iterations(dns_db_t *db, dns_dbversion_t *ver, dns_rdatatype_t privatetype,
+	       unsigned int *iterationsp) {
+	dns_dbnode_t *node = NULL;
+	dns_rdata_nsec3param_t nsec3param;
+	dns_rdataset_t rdataset;
+	isc_result_t result;
+	unsigned int iterations = 0;
+
+	dns_rdataset_init(&rdataset);
+
+	result = dns_db_getoriginnode(db, &node);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param, 0,
+				     (isc_stdtime_t)0, &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND) {
+		goto try_private;
+	}
+	if (result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+
+	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_rdataset_current(&rdataset, &rdata);
+		CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
+		if ((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0) {
+			continue;
+		}
+		if (nsec3param.iterations > iterations) {
+			iterations = nsec3param.iterations;
+		}
+	}
+	if (result != ISC_R_NOMORE) {
+		goto failure;
+	}
+
+	dns_rdataset_disassociate(&rdataset);
+
+try_private:
+	if (privatetype == 0) {
+		goto success;
+	}
+
+	result = dns_db_findrdataset(db, node, ver, privatetype, 0,
+				     (isc_stdtime_t)0, &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND) {
+		goto success;
+	}
+	if (result != ISC_R_SUCCESS) {
+		goto failure;
+	}
+
+	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+		dns_rdata_t private = DNS_RDATA_INIT;
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&rdataset, &rdata);
+		if (!dns_nsec3param_fromprivate(&private, &rdata, buf,
+						sizeof(buf)))
+		{
+			continue;
+		}
+		CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
+		if ((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0) {
+			continue;
+		}
+		if (nsec3param.iterations > iterations) {
+			iterations = nsec3param.iterations;
+		}
+	}
+	if (result != ISC_R_NOMORE) {
+		goto failure;
+	}
+
+success:
+	*iterationsp = iterations;
+	result = ISC_R_SUCCESS;
+
+failure:
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+	if (dns_rdataset_isassociated(&rdataset)) {
+		dns_rdataset_disassociate(&rdataset);
+	}
+	return (result);
+}
+
+/*
+ * Prevent the zone entering a inconsistent state where
+ * NSEC only DNSKEYs are present with NSEC3 chains.
+ */
+static isc_result_t
+check_dnssec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
+	     dns_dbversion_t *ver, dns_diff_t *diff) {
+	dns_difftuple_t *tuple;
+	bool nseconly = false, nsec3 = false;
+	isc_result_t result;
+	unsigned int iterations = 0;
+	dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
+
+	/* Scan the tuples for an NSEC-only DNSKEY or an NSEC3PARAM */
+	for (tuple = ISC_LIST_HEAD(diff->tuples); tuple != NULL;
+	     tuple = ISC_LIST_NEXT(tuple, link))
+	{
+		if (tuple->op != DNS_DIFFOP_ADD) {
+			continue;
+		}
+
+		if (tuple->rdata.type == dns_rdatatype_dnskey) {
+			uint8_t alg;
+			alg = tuple->rdata.data[3];
+			if (alg == DST_ALG_RSASHA1) {
+				nseconly = true;
+				break;
+			}
+		} else if (tuple->rdata.type == dns_rdatatype_nsec3param) {
+			nsec3 = true;
+			break;
+		}
+	}
+
+	/* Check existing DB for NSEC-only DNSKEY */
+	if (!nseconly) {
+		result = dns_nsec_nseconly(db, ver, &nseconly);
+
+		/*
+		 * An NSEC3PARAM update can proceed without a DNSKEY (it
+		 * will trigger a delayed change), so we can ignore
+		 * ISC_R_NOTFOUND here.
+		 */
+		if (result == ISC_R_NOTFOUND) {
+			result = ISC_R_SUCCESS;
+		}
+
+		CHECK(result);
+	}
+
+	/* Check existing DB for NSEC3 */
+	if (!nsec3) {
+		CHECK(dns_nsec3_activex(db, ver, false, privatetype, &nsec3));
+	}
+
+	/* Refuse to allow NSEC3 with NSEC-only keys */
+	if (nseconly && nsec3) {
+		update_log(client, zone, ISC_LOG_ERROR,
+			   "NSEC only DNSKEYs and NSEC3 chains not allowed");
+		result = DNS_R_REFUSED;
+		goto failure;
+	}
+
+	/* Verify NSEC3 params */
+	CHECK(get_iterations(db, ver, privatetype, &iterations));
+	if (iterations > dns_nsec3_maxiterations()) {
+		update_log(client, zone, ISC_LOG_ERROR,
+			   "too many NSEC3 iterations (%u)", iterations);
+		result = DNS_R_REFUSED;
+		goto failure;
+	}
+
+failure:
+	return (result);
+}
+
+/*
+ * Delay NSEC3PARAM changes as they need to be applied to the whole zone.
+ */
+static isc_result_t
+add_nsec3param_records(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
+		       dns_dbversion_t *ver, dns_diff_t *diff) {
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_difftuple_t *tuple, *newtuple = NULL, *next;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE + 1];
+	dns_diff_t temp_diff;
+	dns_diffop_t op;
+	bool flag;
+	dns_name_t *name = dns_zone_getorigin(zone);
+	dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
+	uint32_t ttl = 0;
+	bool ttl_good = false;
+
+	update_log(client, zone, ISC_LOG_DEBUG(3),
+		   "checking for NSEC3PARAM changes");
+
+	dns_diff_init(diff->mctx, &temp_diff);
+
+	/*
+	 * Extract NSEC3PARAM tuples from list.
+	 */
+	for (tuple = ISC_LIST_HEAD(diff->tuples); tuple != NULL; tuple = next) {
+		next = ISC_LIST_NEXT(tuple, link);
+
+		if (tuple->rdata.type != dns_rdatatype_nsec3param ||
+		    !dns_name_equal(name, &tuple->name))
+		{
+			continue;
+		}
+		ISC_LIST_UNLINK(diff->tuples, tuple, link);
+		ISC_LIST_APPEND(temp_diff.tuples, tuple, link);
+	}
+
+	/*
+	 * Extract TTL changes pairs, we don't need to convert these to
+	 * delayed changes.
+	 */
+	for (tuple = ISC_LIST_HEAD(temp_diff.tuples); tuple != NULL;
+	     tuple = next)
+	{
+		if (tuple->op == DNS_DIFFOP_ADD) {
+			if (!ttl_good) {
+				/*
+				 * Any adds here will contain the final
+				 * NSEC3PARAM RRset TTL.
+				 */
+				ttl = tuple->ttl;
+				ttl_good = true;
+			}
+			/*
+			 * Walk the temp_diff list looking for the
+			 * corresponding delete.
+			 */
+			next = ISC_LIST_HEAD(temp_diff.tuples);
+			while (next != NULL) {
+				unsigned char *next_data = next->rdata.data;
+				unsigned char *tuple_data = tuple->rdata.data;
+				if (next->op == DNS_DIFFOP_DEL &&
+				    next->rdata.length == tuple->rdata.length &&
+				    !memcmp(next_data, tuple_data,
+					    next->rdata.length))
+				{
+					ISC_LIST_UNLINK(temp_diff.tuples, next,
+							link);
+					ISC_LIST_APPEND(diff->tuples, next,
+							link);
+					break;
+				}
+				next = ISC_LIST_NEXT(next, link);
+			}
+			/*
+			 * If we have not found a pair move onto the next
+			 * tuple.
+			 */
+			if (next == NULL) {
+				next = ISC_LIST_NEXT(tuple, link);
+				continue;
+			}
+			/*
+			 * Find the next tuple to be processed before
+			 * unlinking then complete moving the pair to 'diff'.
+			 */
+			next = ISC_LIST_NEXT(tuple, link);
+			ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
+			ISC_LIST_APPEND(diff->tuples, tuple, link);
+		} else {
+			next = ISC_LIST_NEXT(tuple, link);
+		}
+	}
+
+	/*
+	 * Preserve any ongoing changes from a BIND 9.6.x upgrade.
+	 *
+	 * Any NSEC3PARAM records with flags other than OPTOUT named
+	 * in managing and should not be touched so revert such changes
+	 * taking into account any TTL change of the NSEC3PARAM RRset.
+	 */
+	for (tuple = ISC_LIST_HEAD(temp_diff.tuples); tuple != NULL;
+	     tuple = next)
+	{
+		next = ISC_LIST_NEXT(tuple, link);
+		if ((tuple->rdata.data[1] & ~DNS_NSEC3FLAG_OPTOUT) != 0) {
+			/*
+			 * If we haven't had any adds then the tuple->ttl must
+			 * be the original ttl and should be used for any
+			 * future changes.
+			 */
+			if (!ttl_good) {
+				ttl = tuple->ttl;
+				ttl_good = true;
+			}
+			op = (tuple->op == DNS_DIFFOP_DEL) ? DNS_DIFFOP_ADD
+							   : DNS_DIFFOP_DEL;
+			CHECK(dns_difftuple_create(diff->mctx, op, name, ttl,
+						   &tuple->rdata, &newtuple));
+			CHECK(do_one_tuple(&newtuple, db, ver, diff));
+			ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
+			dns_diff_appendminimal(diff, &tuple);
+		}
+	}
+
+	/*
+	 * We now have just the actual changes to the NSEC3PARAM RRset.
+	 * Convert the adds to delayed adds and the deletions into delayed
+	 * deletions.
+	 */
+	for (tuple = ISC_LIST_HEAD(temp_diff.tuples); tuple != NULL;
+	     tuple = next)
+	{
+		/*
+		 * If we haven't had any adds then the tuple->ttl must be the
+		 * original ttl and should be used for any future changes.
+		 */
+		if (!ttl_good) {
+			ttl = tuple->ttl;
+			ttl_good = true;
+		}
+		if (tuple->op == DNS_DIFFOP_ADD) {
+			bool nseconly = false;
+
+			/*
+			 * Look for any deletes which match this ADD ignoring
+			 * flags.  We don't need to explicitly remove them as
+			 * they will be removed a side effect of processing
+			 * the add.
+			 */
+			next = ISC_LIST_HEAD(temp_diff.tuples);
+			while (next != NULL) {
+				unsigned char *next_data = next->rdata.data;
+				unsigned char *tuple_data = tuple->rdata.data;
+				if (next->op != DNS_DIFFOP_DEL ||
+				    next->rdata.length != tuple->rdata.length ||
+				    next_data[0] != tuple_data[0] ||
+				    next_data[2] != tuple_data[2] ||
+				    next_data[3] != tuple_data[3] ||
+				    memcmp(next_data + 4, tuple_data + 4,
+					   tuple->rdata.length - 4))
+				{
+					next = ISC_LIST_NEXT(next, link);
+					continue;
+				}
+				ISC_LIST_UNLINK(temp_diff.tuples, next, link);
+				ISC_LIST_APPEND(diff->tuples, next, link);
+				next = ISC_LIST_HEAD(temp_diff.tuples);
+			}
+
+			/*
+			 * Create a private-type record to signal that
+			 * we want a delayed NSEC3 chain add/delete
+			 */
+			dns_nsec3param_toprivate(&tuple->rdata, &rdata,
+						 privatetype, buf, sizeof(buf));
+			buf[2] |= DNS_NSEC3FLAG_CREATE;
+
+			/*
+			 * If the zone is not currently capable of
+			 * supporting an NSEC3 chain, then we set the
+			 * INITIAL flag to indicate that these parameters
+			 * are to be used later.
+			 */
+			result = dns_nsec_nseconly(db, ver, &nseconly);
+			if (result == ISC_R_NOTFOUND || nseconly) {
+				buf[2] |= DNS_NSEC3FLAG_INITIAL;
+			}
+
+			/*
+			 * See if this CREATE request already exists.
+			 */
+			CHECK(rr_exists(db, ver, name, &rdata, &flag));
+
+			if (!flag) {
+				CHECK(dns_difftuple_create(
+					diff->mctx, DNS_DIFFOP_ADD, name, 0,
+					&rdata, &newtuple));
+				CHECK(do_one_tuple(&newtuple, db, ver, diff));
+			}
+
+			/*
+			 * Remove any existing CREATE request to add an
+			 * otherwise identical chain with a reversed
+			 * OPTOUT state.
+			 */
+			buf[2] ^= DNS_NSEC3FLAG_OPTOUT;
+			CHECK(rr_exists(db, ver, name, &rdata, &flag));
+
+			if (flag) {
+				CHECK(dns_difftuple_create(
+					diff->mctx, DNS_DIFFOP_DEL, name, 0,
+					&rdata, &newtuple));
+				CHECK(do_one_tuple(&newtuple, db, ver, diff));
+			}
+
+			/*
+			 * Find the next tuple to be processed and remove the
+			 * temporary add record.
+			 */
+			next = ISC_LIST_NEXT(tuple, link);
+			CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL,
+						   name, ttl, &tuple->rdata,
+						   &newtuple));
+			CHECK(do_one_tuple(&newtuple, db, ver, diff));
+			ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
+			dns_diff_appendminimal(diff, &tuple);
+			dns_rdata_reset(&rdata);
+		} else {
+			next = ISC_LIST_NEXT(tuple, link);
+		}
+	}
+
+	for (tuple = ISC_LIST_HEAD(temp_diff.tuples); tuple != NULL;
+	     tuple = next)
+	{
+		INSIST(ttl_good);
+
+		next = ISC_LIST_NEXT(tuple, link);
+		/*
+		 * See if we already have a REMOVE request in progress.
+		 */
+		dns_nsec3param_toprivate(&tuple->rdata, &rdata, privatetype,
+					 buf, sizeof(buf));
+
+		buf[2] |= DNS_NSEC3FLAG_REMOVE | DNS_NSEC3FLAG_NONSEC;
+
+		CHECK(rr_exists(db, ver, name, &rdata, &flag));
+		if (!flag) {
+			buf[2] &= ~DNS_NSEC3FLAG_NONSEC;
+			CHECK(rr_exists(db, ver, name, &rdata, &flag));
+		}
+
+		if (!flag) {
+			CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
+						   name, 0, &rdata, &newtuple));
+			CHECK(do_one_tuple(&newtuple, db, ver, diff));
+		}
+		CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name,
+					   ttl, &tuple->rdata, &newtuple));
+		CHECK(do_one_tuple(&newtuple, db, ver, diff));
+		ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
+		dns_diff_appendminimal(diff, &tuple);
+		dns_rdata_reset(&rdata);
+	}
+
+	result = ISC_R_SUCCESS;
+failure:
+	dns_diff_clear(&temp_diff);
+	return (result);
+}
+
+static isc_result_t
+rollback_private(dns_db_t *db, dns_rdatatype_t privatetype,
+		 dns_dbversion_t *ver, dns_diff_t *diff) {
+	dns_diff_t temp_diff;
+	dns_diffop_t op;
+	dns_difftuple_t *tuple, *newtuple = NULL, *next;
+	dns_name_t *name = dns_db_origin(db);
+	isc_mem_t *mctx = diff->mctx;
+	isc_result_t result;
+
+	if (privatetype == 0) {
+		return (ISC_R_SUCCESS);
+	}
+
+	dns_diff_init(mctx, &temp_diff);
+
+	/*
+	 * Extract the changes to be rolled back.
+	 */
+	for (tuple = ISC_LIST_HEAD(diff->tuples); tuple != NULL; tuple = next) {
+		next = ISC_LIST_NEXT(tuple, link);
+
+		if (tuple->rdata.type != privatetype ||
+		    !dns_name_equal(name, &tuple->name))
+		{
+			continue;
+		}
+
+		/*
+		 * Allow records which indicate that a zone has been
+		 * signed with a DNSKEY to be removed.
+		 */
+		if (tuple->op == DNS_DIFFOP_DEL && tuple->rdata.length == 5 &&
+		    tuple->rdata.data[0] != 0 && tuple->rdata.data[4] != 0)
+		{
+			continue;
+		}
+
+		ISC_LIST_UNLINK(diff->tuples, tuple, link);
+		ISC_LIST_PREPEND(temp_diff.tuples, tuple, link);
+	}
+
+	/*
+	 * Rollback the changes.
+	 */
+	while ((tuple = ISC_LIST_HEAD(temp_diff.tuples)) != NULL) {
+		op = (tuple->op == DNS_DIFFOP_DEL) ? DNS_DIFFOP_ADD
+						   : DNS_DIFFOP_DEL;
+		CHECK(dns_difftuple_create(mctx, op, name, tuple->ttl,
+					   &tuple->rdata, &newtuple));
+		CHECK(do_one_tuple(&newtuple, db, ver, &temp_diff));
+	}
+	result = ISC_R_SUCCESS;
+
+failure:
+	dns_diff_clear(&temp_diff);
+	return (result);
+}
+
+/*
+ * Add records to cause the delayed signing of the zone by added DNSKEY
+ * to remove the RRSIG records generated by a deleted DNSKEY.
+ */
+static isc_result_t
+add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype,
+		    dns_dbversion_t *ver, dns_diff_t *diff) {
+	dns_difftuple_t *tuple, *newtuple = NULL, *next;
+	dns_rdata_dnskey_t dnskey;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	bool flag;
+	isc_region_t r;
+	isc_result_t result = ISC_R_SUCCESS;
+	uint16_t keyid;
+	unsigned char buf[5];
+	dns_name_t *name = dns_db_origin(db);
+	dns_diff_t temp_diff;
+
+	dns_diff_init(diff->mctx, &temp_diff);
+
+	/*
+	 * Extract the DNSKEY tuples from the list.
+	 */
+	for (tuple = ISC_LIST_HEAD(diff->tuples); tuple != NULL; tuple = next) {
+		next = ISC_LIST_NEXT(tuple, link);
+
+		if (tuple->rdata.type != dns_rdatatype_dnskey) {
+			continue;
+		}
+
+		ISC_LIST_UNLINK(diff->tuples, tuple, link);
+		ISC_LIST_APPEND(temp_diff.tuples, tuple, link);
+	}
+
+	/*
+	 * Extract TTL changes pairs, we don't need signing records for these.
+	 */
+	for (tuple = ISC_LIST_HEAD(temp_diff.tuples); tuple != NULL;
+	     tuple = next)
+	{
+		if (tuple->op == DNS_DIFFOP_ADD) {
+			/*
+			 * Walk the temp_diff list looking for the
+			 * corresponding delete.
+			 */
+			next = ISC_LIST_HEAD(temp_diff.tuples);
+			while (next != NULL) {
+				unsigned char *next_data = next->rdata.data;
+				unsigned char *tuple_data = tuple->rdata.data;
+				if (next->op == DNS_DIFFOP_DEL &&
+				    dns_name_equal(&tuple->name, &next->name) &&
+				    next->rdata.length == tuple->rdata.length &&
+				    !memcmp(next_data, tuple_data,
+					    next->rdata.length))
+				{
+					ISC_LIST_UNLINK(temp_diff.tuples, next,
+							link);
+					ISC_LIST_APPEND(diff->tuples, next,
+							link);
+					break;
+				}
+				next = ISC_LIST_NEXT(next, link);
+			}
+			/*
+			 * If we have not found a pair move onto the next
+			 * tuple.
+			 */
+			if (next == NULL) {
+				next = ISC_LIST_NEXT(tuple, link);
+				continue;
+			}
+			/*
+			 * Find the next tuple to be processed before
+			 * unlinking then complete moving the pair to 'diff'.
+			 */
+			next = ISC_LIST_NEXT(tuple, link);
+			ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
+			ISC_LIST_APPEND(diff->tuples, tuple, link);
+		} else {
+			next = ISC_LIST_NEXT(tuple, link);
+		}
+	}
+
+	/*
+	 * Process the remaining DNSKEY entries.
+	 */
+	for (tuple = ISC_LIST_HEAD(temp_diff.tuples); tuple != NULL;
+	     tuple = ISC_LIST_HEAD(temp_diff.tuples))
+	{
+		ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
+		ISC_LIST_APPEND(diff->tuples, tuple, link);
+
+		result = dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		if ((dnskey.flags & (DNS_KEYFLAG_OWNERMASK |
+				     DNS_KEYTYPE_NOAUTH)) != DNS_KEYOWNER_ZONE)
+		{
+			continue;
+		}
+
+		dns_rdata_toregion(&tuple->rdata, &r);
+
+		keyid = dst_region_computeid(&r);
+
+		buf[0] = dnskey.algorithm;
+		buf[1] = (keyid & 0xff00) >> 8;
+		buf[2] = (keyid & 0xff);
+		buf[3] = (tuple->op == DNS_DIFFOP_ADD) ? 0 : 1;
+		buf[4] = 0;
+		rdata.data = buf;
+		rdata.length = sizeof(buf);
+		rdata.type = privatetype;
+		rdata.rdclass = tuple->rdata.rdclass;
+
+		CHECK(rr_exists(db, ver, name, &rdata, &flag));
+		if (flag) {
+			continue;
+		}
+		CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name, 0,
+					   &rdata, &newtuple));
+		CHECK(do_one_tuple(&newtuple, db, ver, diff));
+		INSIST(newtuple == NULL);
+		/*
+		 * Remove any record which says this operation has already
+		 * completed.
+		 */
+		buf[4] = 1;
+		CHECK(rr_exists(db, ver, name, &rdata, &flag));
+		if (flag) {
+			CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL,
+						   name, 0, &rdata, &newtuple));
+			CHECK(do_one_tuple(&newtuple, db, ver, diff));
+			INSIST(newtuple == NULL);
+		}
+	}
+
+failure:
+	dns_diff_clear(&temp_diff);
+	return (result);
+}
+
+static bool
+isdnssec(dns_db_t *db, dns_dbversion_t *ver, dns_rdatatype_t privatetype) {
+	isc_result_t result;
+	bool build_nsec, build_nsec3;
+
+	if (dns_db_issecure(db)) {
+		return (true);
+	}
+
+	result = dns_private_chains(db, ver, privatetype, &build_nsec,
+				    &build_nsec3);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	return (build_nsec || build_nsec3);
+}
+
+static void
+update_action(isc_task_t *task, isc_event_t *event) {
+	update_event_t *uev = (update_event_t *)event;
+	dns_zone_t *zone = uev->zone;
+	ns_client_t *client = (ns_client_t *)event->ev_arg;
+	isc_result_t result;
+	dns_db_t *db = NULL;
+	dns_dbversion_t *oldver = NULL;
+	dns_dbversion_t *ver = NULL;
+	dns_diff_t diff; /* Pending updates. */
+	dns_diff_t temp; /* Pending RR existence assertions. */
+	bool soa_serial_changed = false;
+	isc_mem_t *mctx = client->mctx;
+	dns_rdatatype_t covers;
+	dns_message_t *request = client->message;
+	dns_rdataclass_t zoneclass;
+	dns_name_t *zonename = NULL;
+	dns_ssutable_t *ssutable = NULL;
+	dns_fixedname_t tmpnamefixed;
+	dns_name_t *tmpname = NULL;
+	dns_zoneopt_t options;
+	dns_difftuple_t *tuple;
+	dns_rdata_dnskey_t dnskey;
+	bool had_dnskey;
+	dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
+	dns_ttl_t maxttl = 0;
+	uint32_t maxrecords;
+	uint64_t records;
+
+	INSIST(event->ev_type == DNS_EVENT_UPDATE);
+
+	dns_diff_init(mctx, &diff);
+	dns_diff_init(mctx, &temp);
+
+	CHECK(dns_zone_getdb(zone, &db));
+	zonename = dns_db_origin(db);
+	zoneclass = dns_db_class(db);
+	dns_zone_getssutable(zone, &ssutable);
+	options = dns_zone_getoptions(zone);
+
+	/*
+	 * Get old and new versions now that queryacl has been checked.
+	 */
+	dns_db_currentversion(db, &oldver);
+	CHECK(dns_db_newversion(db, &ver));
+
+	/*
+	 * Check prerequisites.
+	 */
+
+	for (result = dns_message_firstname(request, DNS_SECTION_PREREQUISITE);
+	     result == ISC_R_SUCCESS;
+	     result = dns_message_nextname(request, DNS_SECTION_PREREQUISITE))
+	{
+		dns_name_t *name = NULL;
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_ttl_t ttl;
+		dns_rdataclass_t update_class;
+		bool flag;
+
+		get_current_rr(request, DNS_SECTION_PREREQUISITE, zoneclass,
+			       &name, &rdata, &covers, &ttl, &update_class);
+
+		if (ttl != 0) {
+			PREREQFAILC(DNS_R_FORMERR, "prerequisite TTL is not "
+						   "zero");
+		}
+
+		if (!dns_name_issubdomain(name, zonename)) {
+			PREREQFAILN(DNS_R_NOTZONE, name,
+				    "prerequisite name is out of zone");
+		}
+
+		if (update_class == dns_rdataclass_any) {
+			if (rdata.length != 0) {
+				PREREQFAILC(DNS_R_FORMERR, "class ANY "
+							   "prerequisite "
+							   "RDATA is not "
+							   "empty");
+			}
+			if (rdata.type == dns_rdatatype_any) {
+				CHECK(name_exists(db, ver, name, &flag));
+				if (!flag) {
+					PREREQFAILN(DNS_R_NXDOMAIN, name,
+						    "'name in use' "
+						    "prerequisite not "
+						    "satisfied");
+				}
+			} else {
+				CHECK(rrset_exists(db, ver, name, rdata.type,
+						   covers, &flag));
+				if (!flag) {
+					/* RRset does not exist. */
+					PREREQFAILNT(DNS_R_NXRRSET, name,
+						     rdata.type,
+						     "'rrset exists (value "
+						     "independent)' "
+						     "prerequisite not "
+						     "satisfied");
+				}
+			}
+		} else if (update_class == dns_rdataclass_none) {
+			if (rdata.length != 0) {
+				PREREQFAILC(DNS_R_FORMERR, "class NONE "
+							   "prerequisite "
+							   "RDATA is not "
+							   "empty");
+			}
+			if (rdata.type == dns_rdatatype_any) {
+				CHECK(name_exists(db, ver, name, &flag));
+				if (flag) {
+					PREREQFAILN(DNS_R_YXDOMAIN, name,
+						    "'name not in use' "
+						    "prerequisite not "
+						    "satisfied");
+				}
+			} else {
+				CHECK(rrset_exists(db, ver, name, rdata.type,
+						   covers, &flag));
+				if (flag) {
+					/* RRset exists. */
+					PREREQFAILNT(DNS_R_YXRRSET, name,
+						     rdata.type,
+						     "'rrset does not exist' "
+						     "prerequisite not "
+						     "satisfied");
+				}
+			}
+		} else if (update_class == zoneclass) {
+			/* "temp<rr.name, rr.type> += rr;" */
+			result = temp_append(&temp, name, &rdata);
+			if (result != ISC_R_SUCCESS) {
+				UNEXPECTED_ERROR(__FILE__, __LINE__,
+						 "temp entry creation failed: "
+						 "%s",
+						 dns_result_totext(result));
+				FAIL(ISC_R_UNEXPECTED);
+			}
+		} else {
+			PREREQFAILC(DNS_R_FORMERR, "malformed prerequisite");
+		}
+	}
+	if (result != ISC_R_NOMORE) {
+		FAIL(result);
+	}
+
+	/*
+	 * Perform the final check of the "rrset exists (value dependent)"
+	 * prerequisites.
+	 */
+	if (ISC_LIST_HEAD(temp.tuples) != NULL) {
+		dns_rdatatype_t type;
+
+		/*
+		 * Sort the prerequisite records by owner name,
+		 * type, and rdata.
+		 */
+		result = dns_diff_sort(&temp, temp_order);
+		if (result != ISC_R_SUCCESS) {
+			FAILC(result, "'RRset exists (value dependent)' "
+				      "prerequisite not satisfied");
+		}
+
+		tmpname = dns_fixedname_initname(&tmpnamefixed);
+		result = temp_check(mctx, &temp, db, ver, tmpname, &type);
+		if (result != ISC_R_SUCCESS) {
+			FAILNT(result, tmpname, type,
+			       "'RRset exists (value dependent)' "
+			       "prerequisite not satisfied");
+		}
+	}
+
+	update_log(client, zone, LOGLEVEL_DEBUG, "prerequisites are OK");
+
+	/*
+	 * Process the Update Section.
+	 */
+	for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
+	     result == ISC_R_SUCCESS;
+	     result = dns_message_nextname(request, DNS_SECTION_UPDATE))
+	{
+		dns_name_t *name = NULL;
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_ttl_t ttl;
+		dns_rdataclass_t update_class;
+		bool flag;
+
+		get_current_rr(request, DNS_SECTION_UPDATE, zoneclass, &name,
+			       &rdata, &covers, &ttl, &update_class);
+
+		if (update_class == zoneclass) {
+			/*
+			 * RFC1123 doesn't allow MF and MD in master zones.
+			 */
+			if (rdata.type == dns_rdatatype_md ||
+			    rdata.type == dns_rdatatype_mf)
+			{
+				char typebuf[DNS_RDATATYPE_FORMATSIZE];
+
+				dns_rdatatype_format(rdata.type, typebuf,
+						     sizeof(typebuf));
+				update_log(client, zone, LOGLEVEL_PROTOCOL,
+					   "attempt to add %s ignored",
+					   typebuf);
+				continue;
+			}
+			if ((rdata.type == dns_rdatatype_ns ||
+			     rdata.type == dns_rdatatype_dname) &&
+			    dns_name_iswildcard(name))
+			{
+				char typebuf[DNS_RDATATYPE_FORMATSIZE];
+
+				dns_rdatatype_format(rdata.type, typebuf,
+						     sizeof(typebuf));
+				update_log(client, zone, LOGLEVEL_PROTOCOL,
+					   "attempt to add wildcard %s record "
+					   "ignored",
+					   typebuf);
+				continue;
+			}
+			if (rdata.type == dns_rdatatype_cname) {
+				CHECK(cname_incompatible_rrset_exists(
+					db, ver, name, &flag));
+				if (flag) {
+					update_log(client, zone,
+						   LOGLEVEL_PROTOCOL,
+						   "attempt to add CNAME "
+						   "alongside non-CNAME "
+						   "ignored");
+					continue;
+				}
+			} else {
+				CHECK(rrset_exists(db, ver, name,
+						   dns_rdatatype_cname, 0,
+						   &flag));
+				if (flag && !dns_rdatatype_atcname(rdata.type))
+				{
+					update_log(client, zone,
+						   LOGLEVEL_PROTOCOL,
+						   "attempt to add non-CNAME "
+						   "alongside CNAME ignored");
+					continue;
+				}
+			}
+			if (rdata.type == dns_rdatatype_soa) {
+				bool ok;
+				CHECK(rrset_exists(db, ver, name,
+						   dns_rdatatype_soa, 0,
+						   &flag));
+				if (!flag) {
+					update_log(client, zone,
+						   LOGLEVEL_PROTOCOL,
+						   "attempt to create 2nd "
+						   "SOA ignored");
+					continue;
+				}
+				CHECK(check_soa_increment(db, ver, &rdata,
+							  &ok));
+				if (!ok) {
+					update_log(client, zone,
+						   LOGLEVEL_PROTOCOL,
+						   "SOA update failed to "
+						   "increment serial, "
+						   "ignoring it");
+					continue;
+				}
+				soa_serial_changed = true;
+			}
+
+			if (dns_rdatatype_atparent(rdata.type) &&
+			    dns_name_equal(name, zonename))
+			{
+				char typebuf[DNS_RDATATYPE_FORMATSIZE];
+
+				dns_rdatatype_format(rdata.type, typebuf,
+						     sizeof(typebuf));
+				update_log(client, zone, LOGLEVEL_PROTOCOL,
+					   "attempt to add a %s record at "
+					   "zone apex ignored",
+					   typebuf);
+				continue;
+			}
+
+			if (rdata.type == privatetype) {
+				update_log(client, zone, LOGLEVEL_PROTOCOL,
+					   "attempt to add a private type "
+					   "(%u) record rejected internal "
+					   "use only",
+					   privatetype);
+				continue;
+			}
+
+			if (rdata.type == dns_rdatatype_nsec3param) {
+				/*
+				 * Ignore attempts to add NSEC3PARAM records
+				 * with any flags other than OPTOUT.
+				 */
+				if ((rdata.data[1] & ~DNS_NSEC3FLAG_OPTOUT) !=
+				    0)
+				{
+					update_log(client, zone,
+						   LOGLEVEL_PROTOCOL,
+						   "attempt to add NSEC3PARAM "
+						   "record with non OPTOUT "
+						   "flag");
+					continue;
+				}
+			}
+
+			if ((options & DNS_ZONEOPT_CHECKWILDCARD) != 0 &&
+			    dns_name_internalwildcard(name))
+			{
+				char namestr[DNS_NAME_FORMATSIZE];
+				dns_name_format(name, namestr, sizeof(namestr));
+				update_log(client, zone, LOGLEVEL_PROTOCOL,
+					   "warning: ownername '%s' contains "
+					   "a non-terminal wildcard",
+					   namestr);
+			}
+
+			if ((options & DNS_ZONEOPT_CHECKTTL) != 0) {
+				maxttl = dns_zone_getmaxttl(zone);
+				if (ttl > maxttl) {
+					ttl = maxttl;
+					update_log(client, zone,
+						   LOGLEVEL_PROTOCOL,
+						   "reducing TTL to the "
+						   "configured max-zone-ttl %d",
+						   maxttl);
+				}
+			}
+
+			if (isc_log_wouldlog(ns_lctx, LOGLEVEL_PROTOCOL)) {
+				char namestr[DNS_NAME_FORMATSIZE];
+				char typestr[DNS_RDATATYPE_FORMATSIZE];
+				char rdstr[2048];
+				isc_buffer_t buf;
+				int len = 0;
+				const char *truncated = "";
+
+				dns_name_format(name, namestr, sizeof(namestr));
+				dns_rdatatype_format(rdata.type, typestr,
+						     sizeof(typestr));
+				isc_buffer_init(&buf, rdstr, sizeof(rdstr));
+				result = dns_rdata_totext(&rdata, NULL, &buf);
+				if (result == ISC_R_NOSPACE) {
+					len = (int)isc_buffer_usedlength(&buf);
+					truncated = " [TRUNCATED]";
+				} else if (result != ISC_R_SUCCESS) {
+					snprintf(rdstr, sizeof(rdstr),
+						 "[dns_"
+						 "rdata_totext failed: %s]",
+						 dns_result_totext(result));
+					len = strlen(rdstr);
+				} else {
+					len = (int)isc_buffer_usedlength(&buf);
+				}
+				update_log(client, zone, LOGLEVEL_PROTOCOL,
+					   "adding an RR at '%s' %s %.*s%s",
+					   namestr, typestr, len, rdstr,
+					   truncated);
+			}
+
+			/* Prepare the affected RRset for the addition. */
+			{
+				add_rr_prepare_ctx_t ctx;
+				ctx.db = db;
+				ctx.ver = ver;
+				ctx.diff = &diff;
+				ctx.name = name;
+				ctx.oldname = name;
+				ctx.update_rr = &rdata;
+				ctx.update_rr_ttl = ttl;
+				ctx.ignore_add = false;
+				dns_diff_init(mctx, &ctx.del_diff);
+				dns_diff_init(mctx, &ctx.add_diff);
+				CHECK(foreach_rr(db, ver, name, rdata.type,
+						 covers, add_rr_prepare_action,
+						 &ctx));
+
+				if (ctx.ignore_add) {
+					dns_diff_clear(&ctx.del_diff);
+					dns_diff_clear(&ctx.add_diff);
+				} else {
+					result = do_diff(&ctx.del_diff, db, ver,
+							 &diff);
+					if (result == ISC_R_SUCCESS) {
+						result = do_diff(&ctx.add_diff,
+								 db, ver,
+								 &diff);
+					}
+					if (result != ISC_R_SUCCESS) {
+						dns_diff_clear(&ctx.del_diff);
+						dns_diff_clear(&ctx.add_diff);
+						goto failure;
+					}
+					CHECK(update_one_rr(db, ver, &diff,
+							    DNS_DIFFOP_ADD,
+							    name, ttl, &rdata));
+				}
+			}
+		} else if (update_class == dns_rdataclass_any) {
+			if (rdata.type == dns_rdatatype_any) {
+				if (isc_log_wouldlog(ns_lctx,
+						     LOGLEVEL_PROTOCOL))
+				{
+					char namestr[DNS_NAME_FORMATSIZE];
+					dns_name_format(name, namestr,
+							sizeof(namestr));
+					update_log(client, zone,
+						   LOGLEVEL_PROTOCOL,
+						   "delete all rrsets from "
+						   "name '%s'",
+						   namestr);
+				}
+				if (dns_name_equal(name, zonename)) {
+					CHECK(delete_if(type_not_soa_nor_ns_p,
+							db, ver, name,
+							dns_rdatatype_any, 0,
+							&rdata, &diff));
+				} else {
+					CHECK(delete_if(type_not_dnssec, db,
+							ver, name,
+							dns_rdatatype_any, 0,
+							&rdata, &diff));
+				}
+			} else if (dns_name_equal(name, zonename) &&
+				   (rdata.type == dns_rdatatype_soa ||
+				    rdata.type == dns_rdatatype_ns))
+			{
+				update_log(client, zone, LOGLEVEL_PROTOCOL,
+					   "attempt to delete all SOA "
+					   "or NS records ignored");
+				continue;
+			} else {
+				if (isc_log_wouldlog(ns_lctx,
+						     LOGLEVEL_PROTOCOL))
+				{
+					char namestr[DNS_NAME_FORMATSIZE];
+					char typestr[DNS_RDATATYPE_FORMATSIZE];
+					dns_name_format(name, namestr,
+							sizeof(namestr));
+					dns_rdatatype_format(rdata.type,
+							     typestr,
+							     sizeof(typestr));
+					update_log(client, zone,
+						   LOGLEVEL_PROTOCOL,
+						   "deleting rrset at '%s' %s",
+						   namestr, typestr);
+				}
+				CHECK(delete_if(true_p, db, ver, name,
+						rdata.type, covers, &rdata,
+						&diff));
+			}
+		} else if (update_class == dns_rdataclass_none) {
+			char namestr[DNS_NAME_FORMATSIZE];
+			char typestr[DNS_RDATATYPE_FORMATSIZE];
+
+			/*
+			 * The (name == zonename) condition appears in
+			 * RFC2136 3.4.2.4 but is missing from the pseudocode.
+			 */
+			if (dns_name_equal(name, zonename)) {
+				if (rdata.type == dns_rdatatype_soa) {
+					update_log(client, zone,
+						   LOGLEVEL_PROTOCOL,
+						   "attempt to delete SOA "
+						   "ignored");
+					continue;
+				}
+				if (rdata.type == dns_rdatatype_ns) {
+					int count;
+					CHECK(rr_count(db, ver, name,
+						       dns_rdatatype_ns, 0,
+						       &count));
+					if (count == 1) {
+						update_log(client, zone,
+							   LOGLEVEL_PROTOCOL,
+							   "attempt to "
+							   "delete last "
+							   "NS ignored");
+						continue;
+					}
+				}
+			}
+			dns_name_format(name, namestr, sizeof(namestr));
+			dns_rdatatype_format(rdata.type, typestr,
+					     sizeof(typestr));
+			update_log(client, zone, LOGLEVEL_PROTOCOL,
+				   "deleting an RR at %s %s", namestr, typestr);
+			CHECK(delete_if(rr_equal_p, db, ver, name, rdata.type,
+					covers, &rdata, &diff));
+		}
+	}
+	if (result != ISC_R_NOMORE) {
+		FAIL(result);
+	}
+
+	/*
+	 * Check that any changes to DNSKEY/NSEC3PARAM records make sense.
+	 * If they don't then back out all changes to DNSKEY/NSEC3PARAM
+	 * records.
+	 */
+	if (!ISC_LIST_EMPTY(diff.tuples)) {
+		CHECK(check_dnssec(client, zone, db, ver, &diff));
+	}
+
+	if (!ISC_LIST_EMPTY(diff.tuples)) {
+		unsigned int errors = 0;
+		CHECK(dns_zone_nscheck(zone, db, ver, &errors));
+		if (errors != 0) {
+			update_log(client, zone, LOGLEVEL_PROTOCOL,
+				   "update rejected: post update name server "
+				   "sanity check failed");
+			result = DNS_R_REFUSED;
+			goto failure;
+		}
+	}
+	if (!ISC_LIST_EMPTY(diff.tuples)) {
+		result = dns_zone_cdscheck(zone, db, ver);
+		if (result == DNS_R_BADCDS || result == DNS_R_BADCDNSKEY) {
+			update_log(client, zone, LOGLEVEL_PROTOCOL,
+				   "update rejected: bad %s RRset",
+				   result == DNS_R_BADCDS ? "CDS" : "CDNSKEY");
+			result = DNS_R_REFUSED;
+			goto failure;
+		}
+		if (result != ISC_R_SUCCESS) {
+			goto failure;
+		}
+	}
+
+	/*
+	 * If any changes were made, increment the SOA serial number,
+	 * update RRSIGs and NSECs (if zone is secure), and write the update
+	 * to the journal.
+	 */
+	if (!ISC_LIST_EMPTY(diff.tuples)) {
+		char *journalfile;
+		dns_journal_t *journal;
+		bool has_dnskey;
+
+		/*
+		 * Increment the SOA serial, but only if it was not
+		 * changed as a result of an update operation.
+		 */
+		if (!soa_serial_changed) {
+			CHECK(update_soa_serial(
+				db, ver, &diff, mctx,
+				dns_zone_getserialupdatemethod(zone)));
+		}
+
+		CHECK(check_mx(client, zone, db, ver, &diff));
+
+		CHECK(remove_orphaned_ds(db, ver, &diff));
+
+		CHECK(rrset_exists(db, ver, zonename, dns_rdatatype_dnskey, 0,
+				   &has_dnskey));
+
+#define ALLOW_SECURE_TO_INSECURE(zone) \
+	((dns_zone_getoptions(zone) & DNS_ZONEOPT_SECURETOINSECURE) != 0)
+
+		CHECK(rrset_exists(db, oldver, zonename, dns_rdatatype_dnskey,
+				   0, &had_dnskey));
+		if (!ALLOW_SECURE_TO_INSECURE(zone)) {
+			if (had_dnskey && !has_dnskey) {
+				update_log(client, zone, LOGLEVEL_PROTOCOL,
+					   "update rejected: all DNSKEY "
+					   "records removed and "
+					   "'dnssec-secure-to-insecure' "
+					   "not set");
+				result = DNS_R_REFUSED;
+				goto failure;
+			}
+		}
+
+		CHECK(rollback_private(db, privatetype, ver, &diff));
+
+		CHECK(add_signing_records(db, privatetype, ver, &diff));
+
+		CHECK(add_nsec3param_records(client, zone, db, ver, &diff));
+
+		if (had_dnskey && !has_dnskey) {
+			/*
+			 * We are transitioning from secure to insecure.
+			 * Cause all NSEC3 chains to be deleted.  When the
+			 * the last signature for the DNSKEY records are
+			 * remove any NSEC chain present will also be removed.
+			 */
+			CHECK(dns_nsec3param_deletechains(db, ver, zone, true,
+							  &diff));
+		} else if (has_dnskey && isdnssec(db, ver, privatetype)) {
+			dns_update_log_t log;
+			uint32_t interval =
+				dns_zone_getsigvalidityinterval(zone);
+
+			log.func = update_log_cb;
+			log.arg = client;
+			result = dns_update_signatures(&log, zone, db, oldver,
+						       ver, &diff, interval);
+
+			if (result != ISC_R_SUCCESS) {
+				update_log(client, zone, ISC_LOG_ERROR,
+					   "RRSIG/NSEC/NSEC3 update failed: %s",
+					   isc_result_totext(result));
+				goto failure;
+			}
+		}
+
+		maxrecords = dns_zone_getmaxrecords(zone);
+		if (maxrecords != 0U) {
+			result = dns_db_getsize(db, ver, &records, NULL);
+			if (result == ISC_R_SUCCESS && records > maxrecords) {
+				update_log(client, zone, ISC_LOG_ERROR,
+					   "records in zone (%" PRIu64 ") "
+					   "exceeds max-records (%u)",
+					   records, maxrecords);
+				result = DNS_R_TOOMANYRECORDS;
+				goto failure;
+			}
+		}
+
+		journalfile = dns_zone_getjournal(zone);
+		if (journalfile != NULL) {
+			update_log(client, zone, LOGLEVEL_DEBUG,
+				   "writing journal %s", journalfile);
+
+			journal = NULL;
+			result = dns_journal_open(mctx, journalfile,
+						  DNS_JOURNAL_CREATE, &journal);
+			if (result != ISC_R_SUCCESS) {
+				FAILS(result, "journal open failed");
+			}
+
+			result = dns_journal_write_transaction(journal, &diff);
+			if (result != ISC_R_SUCCESS) {
+				dns_journal_destroy(&journal);
+				FAILS(result, "journal write failed");
+			}
+
+			dns_journal_destroy(&journal);
+		}
+
+		/*
+		 * XXXRTH  Just a note that this committing code will have
+		 *	   to change to handle databases that need two-phase
+		 *	   commit, but this isn't a priority.
+		 */
+		update_log(client, zone, LOGLEVEL_DEBUG,
+			   "committing update transaction");
+
+		dns_db_closeversion(db, &ver, true);
+
+		/*
+		 * Mark the zone as dirty so that it will be written to disk.
+		 */
+		dns_zone_markdirty(zone);
+
+		/*
+		 * Notify slaves of the change we just made.
+		 */
+		dns_zone_notify(zone);
+
+		/*
+		 * Cause the zone to be signed with the key that we
+		 * have just added or have the corresponding signatures
+		 * deleted.
+		 *
+		 * Note: we are already committed to this course of action.
+		 */
+		for (tuple = ISC_LIST_HEAD(diff.tuples); tuple != NULL;
+		     tuple = ISC_LIST_NEXT(tuple, link))
+		{
+			isc_region_t r;
+			dns_secalg_t algorithm;
+			uint16_t keyid;
+
+			if (tuple->rdata.type != dns_rdatatype_dnskey) {
+				continue;
+			}
+
+			dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL);
+			if ((dnskey.flags &
+			     (DNS_KEYFLAG_OWNERMASK | DNS_KEYTYPE_NOAUTH)) !=
+			    DNS_KEYOWNER_ZONE)
+			{
+				continue;
+			}
+
+			dns_rdata_toregion(&tuple->rdata, &r);
+			algorithm = dnskey.algorithm;
+			keyid = dst_region_computeid(&r);
+
+			result = dns_zone_signwithkey(
+				zone, algorithm, keyid,
+				(tuple->op == DNS_DIFFOP_DEL));
+			if (result != ISC_R_SUCCESS) {
+				update_log(client, zone, ISC_LOG_ERROR,
+					   "dns_zone_signwithkey failed: %s",
+					   dns_result_totext(result));
+			}
+		}
+
+		/*
+		 * Cause the zone to add/delete NSEC3 chains for the
+		 * deferred NSEC3PARAM changes.
+		 *
+		 * Note: we are already committed to this course of action.
+		 */
+		for (tuple = ISC_LIST_HEAD(diff.tuples); tuple != NULL;
+		     tuple = ISC_LIST_NEXT(tuple, link))
+		{
+			unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+			dns_rdata_t rdata = DNS_RDATA_INIT;
+			dns_rdata_nsec3param_t nsec3param;
+
+			if (tuple->rdata.type != privatetype ||
+			    tuple->op != DNS_DIFFOP_ADD)
+			{
+				continue;
+			}
+
+			if (!dns_nsec3param_fromprivate(&tuple->rdata, &rdata,
+							buf, sizeof(buf)))
+			{
+				continue;
+			}
+			dns_rdata_tostruct(&rdata, &nsec3param, NULL);
+			if (nsec3param.flags == 0) {
+				continue;
+			}
+
+			result = dns_zone_addnsec3chain(zone, &nsec3param);
+			if (result != ISC_R_SUCCESS) {
+				update_log(client, zone, ISC_LOG_ERROR,
+					   "dns_zone_addnsec3chain failed: %s",
+					   dns_result_totext(result));
+			}
+		}
+	} else {
+		update_log(client, zone, LOGLEVEL_DEBUG, "redundant request");
+		dns_db_closeversion(db, &ver, true);
+	}
+	result = ISC_R_SUCCESS;
+	goto common;
+
+failure:
+	/*
+	 * The reason for failure should have been logged at this point.
+	 */
+	if (ver != NULL) {
+		update_log(client, zone, LOGLEVEL_DEBUG, "rolling back");
+		dns_db_closeversion(db, &ver, false);
+	}
+
+common:
+	dns_diff_clear(&temp);
+	dns_diff_clear(&diff);
+
+	if (oldver != NULL) {
+		dns_db_closeversion(db, &oldver, false);
+	}
+
+	if (db != NULL) {
+		dns_db_detach(&db);
+	}
+
+	if (ssutable != NULL) {
+		dns_ssutable_detach(&ssutable);
+	}
+
+	isc_task_detach(&task);
+	uev->result = result;
+	if (zone != NULL) {
+		INSIST(uev->zone == zone); /* we use this later */
+	}
+	uev->ev_type = DNS_EVENT_UPDATEDONE;
+	uev->ev_action = updatedone_action;
+
+	isc_task_send(client->task, &event);
+
+	INSIST(ver == NULL);
+	INSIST(event == NULL);
+}
+
+static void
+updatedone_action(isc_task_t *task, isc_event_t *event) {
+	update_event_t *uev = (update_event_t *)event;
+	ns_client_t *client = (ns_client_t *)event->ev_arg;
+
+	UNUSED(task);
+
+	REQUIRE(event->ev_type == DNS_EVENT_UPDATEDONE);
+	REQUIRE(task == client->task);
+	REQUIRE(client->updatehandle == client->handle);
+
+	INSIST(client->nupdates > 0);
+	switch (uev->result) {
+	case ISC_R_SUCCESS:
+		inc_stats(client, uev->zone, ns_statscounter_updatedone);
+		break;
+	case DNS_R_REFUSED:
+		inc_stats(client, uev->zone, ns_statscounter_updaterej);
+		break;
+	default:
+		inc_stats(client, uev->zone, ns_statscounter_updatefail);
+		break;
+	}
+	if (uev->zone != NULL) {
+		dns_zone_detach(&uev->zone);
+	}
+
+	client->nupdates--;
+
+	respond(client, uev->result);
+
+	isc_quota_detach(&(isc_quota_t *){ &client->manager->sctx->updquota });
+	isc_event_free(&event);
+	isc_nmhandle_detach(&client->updatehandle);
+}
+
+/*%
+ * Update forwarding support.
+ */
+static void
+forward_fail(isc_task_t *task, isc_event_t *event) {
+	ns_client_t *client = (ns_client_t *)event->ev_arg;
+
+	UNUSED(task);
+
+	INSIST(client->nupdates > 0);
+	client->nupdates--;
+	respond(client, DNS_R_SERVFAIL);
+
+	isc_quota_detach(&(isc_quota_t *){ &client->manager->sctx->updquota });
+	isc_event_free(&event);
+	isc_nmhandle_detach(&client->updatehandle);
+}
+
+static void
+forward_callback(void *arg, isc_result_t result, dns_message_t *answer) {
+	update_event_t *uev = arg;
+	ns_client_t *client = uev->ev_arg;
+	dns_zone_t *zone = uev->zone;
+
+	if (result != ISC_R_SUCCESS) {
+		INSIST(answer == NULL);
+		uev->ev_type = DNS_EVENT_UPDATEDONE;
+		uev->ev_action = forward_fail;
+		inc_stats(client, zone, ns_statscounter_updatefwdfail);
+	} else {
+		uev->ev_type = DNS_EVENT_UPDATEDONE;
+		uev->ev_action = forward_done;
+		uev->answer = answer;
+		inc_stats(client, zone, ns_statscounter_updaterespfwd);
+	}
+
+	isc_task_send(client->task, ISC_EVENT_PTR(&uev));
+	dns_zone_detach(&zone);
+}
+
+static void
+forward_done(isc_task_t *task, isc_event_t *event) {
+	update_event_t *uev = (update_event_t *)event;
+	ns_client_t *client = (ns_client_t *)event->ev_arg;
+
+	UNUSED(task);
+
+	INSIST(client->nupdates > 0);
+	client->nupdates--;
+	ns_client_sendraw(client, uev->answer);
+	dns_message_detach(&uev->answer);
+
+	isc_quota_detach(&(isc_quota_t *){ &client->manager->sctx->updquota });
+	isc_event_free(&event);
+	isc_nmhandle_detach(&client->reqhandle);
+	isc_nmhandle_detach(&client->updatehandle);
+}
+
+static void
+forward_action(isc_task_t *task, isc_event_t *event) {
+	update_event_t *uev = (update_event_t *)event;
+	dns_zone_t *zone = uev->zone;
+	ns_client_t *client = (ns_client_t *)event->ev_arg;
+	isc_result_t result;
+
+	result = dns_zone_forwardupdate(zone, client->message, forward_callback,
+					event);
+	if (result != ISC_R_SUCCESS) {
+		uev->ev_type = DNS_EVENT_UPDATEDONE;
+		uev->ev_action = forward_fail;
+		isc_task_send(client->task, &event);
+		inc_stats(client, zone, ns_statscounter_updatefwdfail);
+		dns_zone_detach(&zone);
+	} else {
+		inc_stats(client, zone, ns_statscounter_updatereqfwd);
+	}
+
+	isc_task_detach(&task);
+}
+
+static isc_result_t
+send_forward_event(ns_client_t *client, dns_zone_t *zone) {
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char classbuf[DNS_RDATACLASS_FORMATSIZE];
+	isc_result_t result = ISC_R_SUCCESS;
+	update_event_t *event = NULL;
+	isc_task_t *zonetask = NULL;
+
+	result = checkupdateacl(client, dns_zone_getforwardacl(zone),
+				"update forwarding", dns_zone_getorigin(zone),
+				true, false);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = isc_quota_attach(&client->manager->sctx->updquota,
+				  &(isc_quota_t *){ NULL });
+	if (result != ISC_R_SUCCESS) {
+		update_log(client, zone, LOGLEVEL_PROTOCOL,
+			   "update failed: too many DNS UPDATEs queued (%s)",
+			   isc_result_totext(result));
+		ns_stats_increment(client->manager->sctx->nsstats,
+				   ns_statscounter_updatequota);
+		return (DNS_R_DROP);
+	}
+
+	event = (update_event_t *)isc_event_allocate(
+		client->mctx, client, DNS_EVENT_UPDATE, forward_action, NULL,
+		sizeof(*event));
+	event->zone = zone;
+	event->result = ISC_R_SUCCESS;
+
+	INSIST(client->nupdates == 0);
+	client->nupdates++;
+	event->ev_arg = client;
+
+	dns_name_format(dns_zone_getorigin(zone), namebuf, sizeof(namebuf));
+	dns_rdataclass_format(dns_zone_getclass(zone), classbuf,
+			      sizeof(classbuf));
+
+	ns_client_log(client, NS_LOGCATEGORY_UPDATE, NS_LOGMODULE_UPDATE,
+		      LOGLEVEL_PROTOCOL, "forwarding update for zone '%s/%s'",
+		      namebuf, classbuf);
+
+	dns_zone_gettask(zone, &zonetask);
+	isc_nmhandle_attach(client->handle, &client->updatehandle);
+	isc_task_send(zonetask, ISC_EVENT_PTR(&event));
+
+	if (event != NULL) {
+		isc_event_free(ISC_EVENT_PTR(&event));
+	}
+	return (result);
+}
diff --git a/lib/ns/version.c b/lib/ns/version.c
new file mode 100644
index 0000000..0efa262
--- /dev/null
+++ b/lib/ns/version.c
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <ns/version.h>
+
+const char ns_version[] = VERSION;
diff --git a/lib/ns/win32/DLLMain.c b/lib/ns/win32/DLLMain.c
new file mode 100644
index 0000000..62c6e53
--- /dev/null
+++ b/lib/ns/win32/DLLMain.c
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <signal.h>
+#include <windows.h>
+
+/*
+ * Called when we enter the DLL
+ */
+__declspec(dllexport) BOOL WINAPI
+	DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
+	switch (fdwReason) {
+	/*
+	 * The DLL is loading due to process
+	 * initialization or a call to LoadLibrary.
+	 */
+	case DLL_PROCESS_ATTACH:
+		break;
+
+	/* The attached process creates a new thread.  */
+	case DLL_THREAD_ATTACH:
+		break;
+
+	/* The thread of the attached process terminates. */
+	case DLL_THREAD_DETACH:
+		break;
+
+	/*
+	 * The DLL is unloading from a process due to
+	 * process termination or a call to FreeLibrary.
+	 */
+	case DLL_PROCESS_DETACH:
+		break;
+
+	default:
+		break;
+	}
+	return (TRUE);
+}
diff --git a/lib/ns/win32/libns.def b/lib/ns/win32/libns.def
new file mode 100644
index 0000000..50edf86
--- /dev/null
+++ b/lib/ns/win32/libns.def
@@ -0,0 +1,107 @@
+LIBRARY libns
+
+; Exported Functions
+EXPORTS
+
+ns__client_put_cb
+ns__client_request
+ns__client_reset_cb
+ns__client_setup
+ns__interfacemgr_getif
+ns__interfacemgr_nextif
+ns__query_sfcache
+ns__query_start
+ns__client_tcpconn
+ns_client_aclmsg
+ns_client_addopt
+ns_client_checkacl
+ns_client_checkaclsilent
+ns_client_drop
+ns_client_dumprecursing
+ns_client_error
+ns_client_findversion
+ns_client_getdestaddr
+ns_client_getnamebuf
+ns_client_getsockaddr
+ns_client_keepname
+ns_client_killoldestquery
+ns_client_log
+ns_client_logv
+ns_client_newdbversion
+ns_client_newname
+ns_client_newnamebuf
+ns_client_newrdataset
+ns_client_putrdataset
+ns_client_qnamereplace
+ns_client_recursing
+ns_client_releasename
+ns_client_send
+ns_client_sendraw
+ns_client_settimeout
+ns_client_shuttingdown
+ns_client_sourceip
+ns_clientmgr_create
+ns_clientmgr_destroy
+ns_clientmgr_shutdown
+ns_hook_add
+ns_hooktable_create
+ns_hooktable_free
+ns_hooktable_init
+ns_interface_attach
+ns_interface_detach
+ns_interface_shutdown
+ns_interfacemgr_attach
+ns_interfacemgr_create
+ns_interfacemgr_detach
+ns_interfacemgr_dumprecursing
+ns_interfacemgr_getaclenv
+ns_interfacemgr_getserver
+ns_interfacemgr_islistening
+ns_interfacemgr_listeningon
+ns_interfacemgr_scan
+ns_interfacemgr_setbacklog
+ns_interfacemgr_setlistenon4
+ns_interfacemgr_setlistenon6
+ns_interfacemgr_shutdown
+ns_lib_init
+ns_lib_shutdown
+ns_listenelt_create
+ns_listenelt_destroy
+ns_listenlist_attach
+ns_listenlist_create
+ns_listenlist_default
+ns_listenlist_detach
+ns_log_init
+ns_log_setcontext
+ns_notify_start
+ns_plugin_check
+ns_plugin_expandpath
+ns_plugin_register
+ns_plugins_create
+ns_plugins_free
+ns_query_cancel
+ns_query_done
+ns_query_free
+ns_query_init
+ns_query_recurse
+ns_query_start
+ns_server_attach
+ns_server_create
+ns_server_detach
+ns_server_getoption
+ns_server_setoption
+ns_server_setserverid
+ns_sortlist_addrorder1
+ns_sortlist_addrorder2
+ns_sortlist_byaddrsetup
+ns_sortlist_setup
+ns_stats_attach
+ns_stats_create
+ns_stats_decrement
+ns_stats_detach
+ns_stats_get
+ns_stats_get_counter
+ns_stats_increment
+ns_stats_update_if_greater
+ns_update_start
+ns_xfr_start
diff --git a/lib/ns/win32/libns.vcxproj.filters b/lib/ns/win32/libns.vcxproj.filters
new file mode 100644
index 0000000..2931412
--- /dev/null
+++ b/lib/ns/win32/libns.vcxproj.filters
@@ -0,0 +1,114 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="libns.def" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\client.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\interfacemgr.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\hooks.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\lib.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\listenlist.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\log.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\notify.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\query.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\server.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\sortlist.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\stats.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\update.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\xfrout.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="DLLMain.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="version.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\include\ns\client.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\ns\interfacemgr.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\ns\hooks.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\ns\lib.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\ns\listenlist.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\ns\log.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\ns\notify.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\ns\query.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\ns\server.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\ns\sortlist.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\ns\stats.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\ns\types.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\ns\update.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\ns\version.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\ns\xfrout.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/lib/ns/win32/libns.vcxproj.in b/lib/ns/win32/libns.vcxproj.in
new file mode 100644
index 0000000..0249982
--- /dev/null
+++ b/lib/ns/win32/libns.vcxproj.in
@@ -0,0 +1,156 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{82ACD33C-E75F-45B8-BB6D-42643A10D7EE}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>libns</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;@USE_GSSAPI@_DEBUG;_USRDLL;LIBNS_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\..\lib\dns\include;@LIBXML2_INC@@OPENSSL_INC@@GSSAPI_INC@@GEOIP_INC@%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>..\..\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;libdns.lib;@LIBXML2_LIB@@GSSAPI_LIB@@GEOIP_LIB@ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <ModuleDefinitionFile>$(ProjectName).def</ModuleDefinitionFile>
+      <ImportLibrary>.\$(Configuration)\$(ProjectName).lib</ImportLibrary>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;@USE_GSSAPI@NDEBUG;_USRDLL;LIBNS_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
+      <AdditionalIncludeDirectories>.\;..\..\..\;include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\..\lib\dns\include;@LIBXML2_INC@@OPENSSL_INC@@GSSAPI_INC@@GEOIP_INC@%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>..\..\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;libdns.lib;@LIBXML2_LIB@@GSSAPI_LIB@@GEOIP_LIB@ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <ModuleDefinitionFile>$(ProjectName).def</ModuleDefinitionFile>
+      <ImportLibrary>.\$(Configuration)\$(ProjectName).lib</ImportLibrary>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <None Include="libns.def" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\client.c" />
+    <ClCompile Include="..\interfacemgr.c" />
+    <ClCompile Include="..\hooks.c" />
+    <ClCompile Include="..\lib.c" />
+    <ClCompile Include="..\listenlist.c" />
+    <ClCompile Include="..\log.c" />
+    <ClCompile Include="..\notify.c" />
+    <ClCompile Include="..\query.c" />
+    <ClCompile Include="..\server.c" />
+    <ClCompile Include="..\sortlist.c" />
+    <ClCompile Include="..\stats.c" />
+    <ClCompile Include="..\update.c" />
+    <ClCompile Include="..\xfrout.c" />
+    <ClCompile Include="DLLMain.c" />
+    <ClCompile Include="version.c" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\include\ns\client.h" />
+    <ClInclude Include="..\include\ns\interfacemgr.h" />
+    <ClInclude Include="..\include\ns\hooks.h" />
+    <ClInclude Include="..\include\ns\lib.h" />
+    <ClInclude Include="..\include\ns\listenlist.h" />
+    <ClInclude Include="..\include\ns\log.h" />
+    <ClInclude Include="..\include\ns\notify.h" />
+    <ClInclude Include="..\include\ns\query.h" />
+    <ClInclude Include="..\include\ns\server.h" />
+    <ClInclude Include="..\include\ns\sortlist.h" />
+    <ClInclude Include="..\include\ns\stats.h" />
+    <ClInclude Include="..\include\ns\types.h" />
+    <ClInclude Include="..\include\ns\update.h" />
+    <ClInclude Include="..\include\ns\version.h" />
+    <ClInclude Include="..\include\ns\xfrout.h" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/lib/ns/win32/libns.vcxproj.user b/lib/ns/win32/libns.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/lib/ns/win32/libns.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/lib/ns/win32/version.c b/lib/ns/win32/version.c
new file mode 100644
index 0000000..ac7a537
--- /dev/null
+++ b/lib/ns/win32/version.c
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <versions.h>
+
+#include <ns/version.h>
+
+LIBNS_EXTERNAL_DATA const char ns_version[] = VERSION;
+LIBNS_EXTERNAL_DATA const char ns_major[] = MAJOR;
+LIBNS_EXTERNAL_DATA const char ns_mapapi[] = MAPAPI;
diff --git a/lib/ns/xfrout.c b/lib/ns/xfrout.c
new file mode 100644
index 0000000..f0c52f2
--- /dev/null
+++ b/lib/ns/xfrout.c
@@ -0,0 +1,1813 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/formatcheck.h>
+#include <isc/mem.h>
+#include <isc/netmgr.h>
+#include <isc/print.h>
+#include <isc/stats.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/dlz.h>
+#include <dns/fixedname.h>
+#include <dns/journal.h>
+#include <dns/message.h>
+#include <dns/peer.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/result.h>
+#include <dns/rriterator.h>
+#include <dns/soa.h>
+#include <dns/stats.h>
+#include <dns/tsig.h>
+#include <dns/view.h>
+#include <dns/zone.h>
+#include <dns/zt.h>
+
+#include <ns/client.h>
+#include <ns/log.h>
+#include <ns/server.h>
+#include <ns/stats.h>
+#include <ns/xfrout.h>
+
+/*! \file
+ * \brief
+ * Outgoing AXFR and IXFR.
+ */
+
+/*
+ * TODO:
+ *  - IXFR over UDP
+ */
+
+#define XFROUT_COMMON_LOGARGS \
+	ns_lctx, DNS_LOGCATEGORY_XFER_OUT, NS_LOGMODULE_XFER_OUT
+
+#define XFROUT_PROTOCOL_LOGARGS XFROUT_COMMON_LOGARGS, ISC_LOG_INFO
+
+#define XFROUT_DEBUG_LOGARGS(n) XFROUT_COMMON_LOGARGS, ISC_LOG_DEBUG(n)
+
+#define XFROUT_RR_LOGARGS XFROUT_COMMON_LOGARGS, XFROUT_RR_LOGLEVEL
+
+#define XFROUT_RR_LOGLEVEL ISC_LOG_DEBUG(8)
+
+/*%
+ * Fail unconditionally and log as a client error.
+ * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
+ * from complaining about "end-of-loop code not reached".
+ */
+#define FAILC(code, msg)                                                 \
+	do {                                                             \
+		result = (code);                                         \
+		ns_client_log(client, DNS_LOGCATEGORY_XFER_OUT,          \
+			      NS_LOGMODULE_XFER_OUT, ISC_LOG_INFO,       \
+			      "bad zone transfer request: %s (%s)", msg, \
+			      isc_result_totext(code));                  \
+		if (result != ISC_R_SUCCESS)                             \
+			goto failure;                                    \
+	} while (0)
+
+#define FAILQ(code, msg, question, rdclass)                                  \
+	do {                                                                 \
+		char _buf1[DNS_NAME_FORMATSIZE];                             \
+		char _buf2[DNS_RDATACLASS_FORMATSIZE];                       \
+		result = (code);                                             \
+		dns_name_format(question, _buf1, sizeof(_buf1));             \
+		dns_rdataclass_format(rdclass, _buf2, sizeof(_buf2));        \
+		ns_client_log(client, DNS_LOGCATEGORY_XFER_OUT,              \
+			      NS_LOGMODULE_XFER_OUT, ISC_LOG_INFO,           \
+			      "bad zone transfer request: '%s/%s': %s (%s)", \
+			      _buf1, _buf2, msg, isc_result_totext(code));   \
+		if (result != ISC_R_SUCCESS)                                 \
+			goto failure;                                        \
+	} while (0)
+
+#define CHECK(op)                            \
+	do {                                 \
+		result = (op);               \
+		if (result != ISC_R_SUCCESS) \
+			goto failure;        \
+	} while (0)
+
+/**************************************************************************/
+
+static void
+inc_stats(ns_client_t *client, dns_zone_t *zone, isc_statscounter_t counter) {
+	ns_stats_increment(client->sctx->nsstats, counter);
+	if (zone != NULL) {
+		isc_stats_t *zonestats = dns_zone_getrequeststats(zone);
+		if (zonestats != NULL) {
+			isc_stats_increment(zonestats, counter);
+		}
+	}
+}
+
+/**************************************************************************/
+
+/*% Log an RR (for debugging) */
+
+static void
+log_rr(dns_name_t *name, dns_rdata_t *rdata, uint32_t ttl) {
+	isc_result_t result;
+	isc_buffer_t buf;
+	char mem[2000];
+	dns_rdatalist_t rdl;
+	dns_rdataset_t rds;
+	dns_rdata_t rd = DNS_RDATA_INIT;
+
+	dns_rdatalist_init(&rdl);
+	rdl.type = rdata->type;
+	rdl.rdclass = rdata->rdclass;
+	rdl.ttl = ttl;
+	if (rdata->type == dns_rdatatype_sig ||
+	    rdata->type == dns_rdatatype_rrsig)
+	{
+		rdl.covers = dns_rdata_covers(rdata);
+	} else {
+		rdl.covers = dns_rdatatype_none;
+	}
+	dns_rdataset_init(&rds);
+	dns_rdata_init(&rd);
+	dns_rdata_clone(rdata, &rd);
+	ISC_LIST_APPEND(rdl.rdata, &rd, link);
+	RUNTIME_CHECK(dns_rdatalist_tordataset(&rdl, &rds) == ISC_R_SUCCESS);
+
+	isc_buffer_init(&buf, mem, sizeof(mem));
+	result = dns_rdataset_totext(&rds, name, false, false, &buf);
+
+	/*
+	 * We could use xfrout_log(), but that would produce
+	 * very long lines with a repetitive prefix.
+	 */
+	if (result == ISC_R_SUCCESS) {
+		/*
+		 * Get rid of final newline.
+		 */
+		INSIST(buf.used >= 1 &&
+		       ((char *)buf.base)[buf.used - 1] == '\n');
+		buf.used--;
+
+		isc_log_write(XFROUT_RR_LOGARGS, "%.*s",
+			      (int)isc_buffer_usedlength(&buf),
+			      (char *)isc_buffer_base(&buf));
+	} else {
+		isc_log_write(XFROUT_RR_LOGARGS, "<RR too large to print>");
+	}
+}
+
+/**************************************************************************/
+/*
+ * An 'rrstream_t' is a polymorphic iterator that returns
+ * a stream of resource records.  There are multiple implementations,
+ * e.g. for generating AXFR and IXFR records streams.
+ */
+
+typedef struct rrstream_methods rrstream_methods_t;
+
+typedef struct rrstream {
+	isc_mem_t *mctx;
+	rrstream_methods_t *methods;
+} rrstream_t;
+
+struct rrstream_methods {
+	isc_result_t (*first)(rrstream_t *);
+	isc_result_t (*next)(rrstream_t *);
+	void (*current)(rrstream_t *, dns_name_t **, uint32_t *,
+			dns_rdata_t **);
+	void (*pause)(rrstream_t *);
+	void (*destroy)(rrstream_t **);
+};
+
+static void
+rrstream_noop_pause(rrstream_t *rs) {
+	UNUSED(rs);
+}
+
+/**************************************************************************/
+/*
+ * An 'ixfr_rrstream_t' is an 'rrstream_t' that returns
+ * an IXFR-like RR stream from a journal file.
+ *
+ * The SOA at the beginning of each sequence of additions
+ * or deletions are included in the stream, but the extra
+ * SOAs at the beginning and end of the entire transfer are
+ * not included.
+ */
+
+typedef struct ixfr_rrstream {
+	rrstream_t common;
+	dns_journal_t *journal;
+} ixfr_rrstream_t;
+
+/* Forward declarations. */
+static void
+ixfr_rrstream_destroy(rrstream_t **sp);
+
+static rrstream_methods_t ixfr_rrstream_methods;
+
+/*
+ * Returns: anything dns_journal_open() or dns_journal_iter_init()
+ * may return.
+ */
+
+static isc_result_t
+ixfr_rrstream_create(isc_mem_t *mctx, const char *journal_filename,
+		     uint32_t begin_serial, uint32_t end_serial, size_t *sizep,
+		     rrstream_t **sp) {
+	isc_result_t result;
+	ixfr_rrstream_t *s = NULL;
+
+	INSIST(sp != NULL && *sp == NULL);
+
+	s = isc_mem_get(mctx, sizeof(*s));
+	s->common.mctx = NULL;
+	isc_mem_attach(mctx, &s->common.mctx);
+	s->common.methods = &ixfr_rrstream_methods;
+	s->journal = NULL;
+
+	CHECK(dns_journal_open(mctx, journal_filename, DNS_JOURNAL_READ,
+			       &s->journal));
+	CHECK(dns_journal_iter_init(s->journal, begin_serial, end_serial,
+				    sizep));
+
+	*sp = (rrstream_t *)s;
+	return (ISC_R_SUCCESS);
+
+failure:
+	ixfr_rrstream_destroy((rrstream_t **)(void *)&s);
+	return (result);
+}
+
+static isc_result_t
+ixfr_rrstream_first(rrstream_t *rs) {
+	ixfr_rrstream_t *s = (ixfr_rrstream_t *)rs;
+	return (dns_journal_first_rr(s->journal));
+}
+
+static isc_result_t
+ixfr_rrstream_next(rrstream_t *rs) {
+	ixfr_rrstream_t *s = (ixfr_rrstream_t *)rs;
+	return (dns_journal_next_rr(s->journal));
+}
+
+static void
+ixfr_rrstream_current(rrstream_t *rs, dns_name_t **name, uint32_t *ttl,
+		      dns_rdata_t **rdata) {
+	ixfr_rrstream_t *s = (ixfr_rrstream_t *)rs;
+	dns_journal_current_rr(s->journal, name, ttl, rdata);
+}
+
+static void
+ixfr_rrstream_destroy(rrstream_t **rsp) {
+	ixfr_rrstream_t *s = (ixfr_rrstream_t *)*rsp;
+	if (s->journal != NULL) {
+		dns_journal_destroy(&s->journal);
+	}
+	isc_mem_putanddetach(&s->common.mctx, s, sizeof(*s));
+}
+
+static rrstream_methods_t ixfr_rrstream_methods = {
+	ixfr_rrstream_first, ixfr_rrstream_next, ixfr_rrstream_current,
+	rrstream_noop_pause, ixfr_rrstream_destroy
+};
+
+/**************************************************************************/
+/*
+ * An 'axfr_rrstream_t' is an 'rrstream_t' that returns
+ * an AXFR-like RR stream from a database.
+ *
+ * The SOAs at the beginning and end of the transfer are
+ * not included in the stream.
+ */
+
+typedef struct axfr_rrstream {
+	rrstream_t common;
+	dns_rriterator_t it;
+	bool it_valid;
+} axfr_rrstream_t;
+
+/*
+ * Forward declarations.
+ */
+static void
+axfr_rrstream_destroy(rrstream_t **rsp);
+
+static rrstream_methods_t axfr_rrstream_methods;
+
+static isc_result_t
+axfr_rrstream_create(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *ver,
+		     rrstream_t **sp) {
+	axfr_rrstream_t *s;
+	isc_result_t result;
+
+	INSIST(sp != NULL && *sp == NULL);
+
+	s = isc_mem_get(mctx, sizeof(*s));
+	s->common.mctx = NULL;
+	isc_mem_attach(mctx, &s->common.mctx);
+	s->common.methods = &axfr_rrstream_methods;
+	s->it_valid = false;
+
+	CHECK(dns_rriterator_init(&s->it, db, ver, 0));
+	s->it_valid = true;
+
+	*sp = (rrstream_t *)s;
+	return (ISC_R_SUCCESS);
+
+failure:
+	axfr_rrstream_destroy((rrstream_t **)(void *)&s);
+	return (result);
+}
+
+static isc_result_t
+axfr_rrstream_first(rrstream_t *rs) {
+	axfr_rrstream_t *s = (axfr_rrstream_t *)rs;
+	isc_result_t result;
+	result = dns_rriterator_first(&s->it);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	/* Skip SOA records. */
+	for (;;) {
+		dns_name_t *name_dummy = NULL;
+		uint32_t ttl_dummy;
+		dns_rdata_t *rdata = NULL;
+		dns_rriterator_current(&s->it, &name_dummy, &ttl_dummy, NULL,
+				       &rdata);
+		if (rdata->type != dns_rdatatype_soa) {
+			break;
+		}
+		result = dns_rriterator_next(&s->it);
+		if (result != ISC_R_SUCCESS) {
+			break;
+		}
+	}
+	return (result);
+}
+
+static isc_result_t
+axfr_rrstream_next(rrstream_t *rs) {
+	axfr_rrstream_t *s = (axfr_rrstream_t *)rs;
+	isc_result_t result;
+
+	/* Skip SOA records. */
+	for (;;) {
+		dns_name_t *name_dummy = NULL;
+		uint32_t ttl_dummy;
+		dns_rdata_t *rdata = NULL;
+		result = dns_rriterator_next(&s->it);
+		if (result != ISC_R_SUCCESS) {
+			break;
+		}
+		dns_rriterator_current(&s->it, &name_dummy, &ttl_dummy, NULL,
+				       &rdata);
+		if (rdata->type != dns_rdatatype_soa) {
+			break;
+		}
+	}
+	return (result);
+}
+
+static void
+axfr_rrstream_current(rrstream_t *rs, dns_name_t **name, uint32_t *ttl,
+		      dns_rdata_t **rdata) {
+	axfr_rrstream_t *s = (axfr_rrstream_t *)rs;
+	dns_rriterator_current(&s->it, name, ttl, NULL, rdata);
+}
+
+static void
+axfr_rrstream_pause(rrstream_t *rs) {
+	axfr_rrstream_t *s = (axfr_rrstream_t *)rs;
+	dns_rriterator_pause(&s->it);
+}
+
+static void
+axfr_rrstream_destroy(rrstream_t **rsp) {
+	axfr_rrstream_t *s = (axfr_rrstream_t *)*rsp;
+	if (s->it_valid) {
+		dns_rriterator_destroy(&s->it);
+	}
+	isc_mem_putanddetach(&s->common.mctx, s, sizeof(*s));
+}
+
+static rrstream_methods_t axfr_rrstream_methods = {
+	axfr_rrstream_first, axfr_rrstream_next, axfr_rrstream_current,
+	axfr_rrstream_pause, axfr_rrstream_destroy
+};
+
+/**************************************************************************/
+/*
+ * An 'soa_rrstream_t' is a degenerate 'rrstream_t' that returns
+ * a single SOA record.
+ */
+
+typedef struct soa_rrstream {
+	rrstream_t common;
+	dns_difftuple_t *soa_tuple;
+} soa_rrstream_t;
+
+/*
+ * Forward declarations.
+ */
+static void
+soa_rrstream_destroy(rrstream_t **rsp);
+
+static rrstream_methods_t soa_rrstream_methods;
+
+static isc_result_t
+soa_rrstream_create(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *ver,
+		    rrstream_t **sp) {
+	soa_rrstream_t *s;
+	isc_result_t result;
+
+	INSIST(sp != NULL && *sp == NULL);
+
+	s = isc_mem_get(mctx, sizeof(*s));
+	s->common.mctx = NULL;
+	isc_mem_attach(mctx, &s->common.mctx);
+	s->common.methods = &soa_rrstream_methods;
+	s->soa_tuple = NULL;
+
+	CHECK(dns_db_createsoatuple(db, ver, mctx, DNS_DIFFOP_EXISTS,
+				    &s->soa_tuple));
+
+	*sp = (rrstream_t *)s;
+	return (ISC_R_SUCCESS);
+
+failure:
+	soa_rrstream_destroy((rrstream_t **)(void *)&s);
+	return (result);
+}
+
+static isc_result_t
+soa_rrstream_first(rrstream_t *rs) {
+	UNUSED(rs);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+soa_rrstream_next(rrstream_t *rs) {
+	UNUSED(rs);
+	return (ISC_R_NOMORE);
+}
+
+static void
+soa_rrstream_current(rrstream_t *rs, dns_name_t **name, uint32_t *ttl,
+		     dns_rdata_t **rdata) {
+	soa_rrstream_t *s = (soa_rrstream_t *)rs;
+	*name = &s->soa_tuple->name;
+	*ttl = s->soa_tuple->ttl;
+	*rdata = &s->soa_tuple->rdata;
+}
+
+static void
+soa_rrstream_destroy(rrstream_t **rsp) {
+	soa_rrstream_t *s = (soa_rrstream_t *)*rsp;
+	if (s->soa_tuple != NULL) {
+		dns_difftuple_free(&s->soa_tuple);
+	}
+	isc_mem_putanddetach(&s->common.mctx, s, sizeof(*s));
+}
+
+static rrstream_methods_t soa_rrstream_methods = {
+	soa_rrstream_first, soa_rrstream_next, soa_rrstream_current,
+	rrstream_noop_pause, soa_rrstream_destroy
+};
+
+/**************************************************************************/
+/*
+ * A 'compound_rrstream_t' objects owns a soa_rrstream
+ * and another rrstream, the "data stream".  It returns
+ * a concatenated stream consisting of the soa_rrstream, then
+ * the data stream, then the soa_rrstream again.
+ *
+ * The component streams are owned by the compound_rrstream_t
+ * and are destroyed with it.
+ */
+
+typedef struct compound_rrstream {
+	rrstream_t common;
+	rrstream_t *components[3];
+	int state;
+	isc_result_t result;
+} compound_rrstream_t;
+
+/*
+ * Forward declarations.
+ */
+static void
+compound_rrstream_destroy(rrstream_t **rsp);
+
+static isc_result_t
+compound_rrstream_next(rrstream_t *rs);
+
+static rrstream_methods_t compound_rrstream_methods;
+
+/*
+ * Requires:
+ *	soa_stream != NULL && *soa_stream != NULL
+ *	data_stream != NULL && *data_stream != NULL
+ *	sp != NULL && *sp == NULL
+ *
+ * Ensures:
+ *	*soa_stream == NULL
+ *	*data_stream == NULL
+ *	*sp points to a valid compound_rrstream_t
+ *	The soa and data streams will be destroyed
+ *	when the compound_rrstream_t is destroyed.
+ */
+static isc_result_t
+compound_rrstream_create(isc_mem_t *mctx, rrstream_t **soa_stream,
+			 rrstream_t **data_stream, rrstream_t **sp) {
+	compound_rrstream_t *s;
+
+	INSIST(sp != NULL && *sp == NULL);
+
+	s = isc_mem_get(mctx, sizeof(*s));
+	s->common.mctx = NULL;
+	isc_mem_attach(mctx, &s->common.mctx);
+	s->common.methods = &compound_rrstream_methods;
+	s->components[0] = *soa_stream;
+	s->components[1] = *data_stream;
+	s->components[2] = *soa_stream;
+	s->state = -1;
+	s->result = ISC_R_FAILURE;
+
+	*data_stream = NULL;
+	*soa_stream = NULL;
+	*sp = (rrstream_t *)s;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+compound_rrstream_first(rrstream_t *rs) {
+	compound_rrstream_t *s = (compound_rrstream_t *)rs;
+	s->state = 0;
+	do {
+		rrstream_t *curstream = s->components[s->state];
+		s->result = curstream->methods->first(curstream);
+	} while (s->result == ISC_R_NOMORE && s->state < 2);
+	return (s->result);
+}
+
+static isc_result_t
+compound_rrstream_next(rrstream_t *rs) {
+	compound_rrstream_t *s = (compound_rrstream_t *)rs;
+	rrstream_t *curstream = s->components[s->state];
+	s->result = curstream->methods->next(curstream);
+	while (s->result == ISC_R_NOMORE) {
+		/*
+		 * Make sure locks held by the current stream
+		 * are released before we switch streams.
+		 */
+		curstream->methods->pause(curstream);
+		if (s->state == 2) {
+			return (ISC_R_NOMORE);
+		}
+		s->state++;
+		curstream = s->components[s->state];
+		s->result = curstream->methods->first(curstream);
+	}
+	return (s->result);
+}
+
+static void
+compound_rrstream_current(rrstream_t *rs, dns_name_t **name, uint32_t *ttl,
+			  dns_rdata_t **rdata) {
+	compound_rrstream_t *s = (compound_rrstream_t *)rs;
+	rrstream_t *curstream;
+	INSIST(0 <= s->state && s->state < 3);
+	INSIST(s->result == ISC_R_SUCCESS);
+	curstream = s->components[s->state];
+	curstream->methods->current(curstream, name, ttl, rdata);
+}
+
+static void
+compound_rrstream_pause(rrstream_t *rs) {
+	compound_rrstream_t *s = (compound_rrstream_t *)rs;
+	rrstream_t *curstream;
+	INSIST(0 <= s->state && s->state < 3);
+	curstream = s->components[s->state];
+	curstream->methods->pause(curstream);
+}
+
+static void
+compound_rrstream_destroy(rrstream_t **rsp) {
+	compound_rrstream_t *s = (compound_rrstream_t *)*rsp;
+	s->components[0]->methods->destroy(&s->components[0]);
+	s->components[1]->methods->destroy(&s->components[1]);
+	s->components[2] = NULL; /* Copy of components[0]. */
+	isc_mem_putanddetach(&s->common.mctx, s, sizeof(*s));
+}
+
+static rrstream_methods_t compound_rrstream_methods = {
+	compound_rrstream_first, compound_rrstream_next,
+	compound_rrstream_current, compound_rrstream_pause,
+	compound_rrstream_destroy
+};
+
+/**************************************************************************/
+
+/*%
+ * Structure holding outgoing transfer statistics
+ */
+struct xfr_stats {
+	uint64_t nmsg;	  /*%< Number of messages sent */
+	uint64_t nrecs;	  /*%< Number of records sent */
+	uint64_t nbytes;  /*%< Number of bytes sent */
+	isc_time_t start; /*%< Start time of the transfer */
+	isc_time_t end;	  /*%< End time of the transfer */
+};
+
+/*%
+ * An 'xfrout_ctx_t' contains the state of an outgoing AXFR or IXFR
+ * in progress.
+ */
+typedef struct {
+	isc_mem_t *mctx;
+	ns_client_t *client;
+	unsigned int id;       /* ID of request */
+	dns_name_t *qname;     /* Question name of request */
+	dns_rdatatype_t qtype; /* dns_rdatatype_{a,i}xfr */
+	dns_rdataclass_t qclass;
+	dns_zone_t *zone; /* (necessary for stats) */
+	dns_db_t *db;
+	dns_dbversion_t *ver;
+	isc_quota_t *quota;
+	rrstream_t *stream;  /* The XFR RR stream */
+	bool question_added; /* QUESTION section sent? */
+	bool end_of_stream;  /* EOS has been reached */
+	isc_buffer_t buf;    /* Buffer for message owner
+			      * names and rdatas */
+	isc_buffer_t txbuf;  /* Transmit message buffer */
+	size_t cbytes;	     /* Length of current message */
+	void *txmem;
+	unsigned int txmemlen;
+	dns_tsigkey_t *tsigkey; /* Key used to create TSIG */
+	isc_buffer_t *lasttsig; /* the last TSIG */
+	bool verified_tsig;	/* verified request MAC */
+	bool many_answers;
+	int sends; /* Send in progress */
+	bool shuttingdown;
+	bool poll;
+	const char *mnemonic;	/* Style of transfer */
+	uint32_t end_serial;	/* Serial number after XFR is done */
+	struct xfr_stats stats; /*%< Transfer statistics */
+
+	/* Timeouts */
+	uint64_t maxtime; /*%< Maximum XFR timeout (in ms) */
+	isc_nm_timer_t *maxtime_timer;
+
+	uint64_t idletime; /*%< XFR idle timeout (in ms) */
+} xfrout_ctx_t;
+
+static void
+xfrout_ctx_create(isc_mem_t *mctx, ns_client_t *client, unsigned int id,
+		  dns_name_t *qname, dns_rdatatype_t qtype,
+		  dns_rdataclass_t qclass, dns_zone_t *zone, dns_db_t *db,
+		  dns_dbversion_t *ver, isc_quota_t *quota, rrstream_t *stream,
+		  dns_tsigkey_t *tsigkey, isc_buffer_t *lasttsig,
+		  bool verified_tsig, unsigned int maxtime,
+		  unsigned int idletime, bool many_answers,
+		  xfrout_ctx_t **xfrp);
+
+static void
+sendstream(xfrout_ctx_t *xfr);
+
+static void
+xfrout_senddone(isc_nmhandle_t *handle, isc_result_t result, void *arg);
+
+static void
+xfrout_fail(xfrout_ctx_t *xfr, isc_result_t result, const char *msg);
+
+static void
+xfrout_maybe_destroy(xfrout_ctx_t *xfr);
+
+static void
+xfrout_ctx_destroy(xfrout_ctx_t **xfrp);
+
+static void
+xfrout_client_timeout(void *arg, isc_result_t result);
+
+static void
+xfrout_log1(ns_client_t *client, dns_name_t *zonename, dns_rdataclass_t rdclass,
+	    int level, const char *fmt, ...) ISC_FORMAT_PRINTF(5, 6);
+
+static void
+xfrout_log(xfrout_ctx_t *xfr, int level, const char *fmt, ...)
+	ISC_FORMAT_PRINTF(3, 4);
+
+/**************************************************************************/
+
+void
+ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
+	isc_result_t result;
+	dns_name_t *question_name;
+	dns_rdataset_t *question_rdataset;
+	dns_zone_t *zone = NULL, *raw = NULL, *mayberaw;
+	dns_db_t *db = NULL;
+	dns_dbversion_t *ver = NULL;
+	dns_rdataclass_t question_class;
+	rrstream_t *soa_stream = NULL;
+	rrstream_t *data_stream = NULL;
+	rrstream_t *stream = NULL;
+	dns_difftuple_t *current_soa_tuple = NULL;
+	dns_name_t *soa_name;
+	dns_rdataset_t *soa_rdataset;
+	dns_rdata_t soa_rdata = DNS_RDATA_INIT;
+	bool have_soa = false;
+	const char *mnemonic = NULL;
+	isc_mem_t *mctx = client->mctx;
+	dns_message_t *request = client->message;
+	xfrout_ctx_t *xfr = NULL;
+	isc_quota_t *quota = NULL;
+	dns_transfer_format_t format = client->view->transfer_format;
+	isc_netaddr_t na;
+	dns_peer_t *peer = NULL;
+	isc_buffer_t *tsigbuf = NULL;
+	char *journalfile;
+	char msg[NS_CLIENT_ACLMSGSIZE("zone transfer")];
+	char keyname[DNS_NAME_FORMATSIZE];
+	bool is_poll = false;
+	bool is_dlz = false;
+	bool is_ixfr = false;
+	bool useviewacl = false;
+	uint32_t begin_serial = 0, current_serial;
+
+	switch (reqtype) {
+	case dns_rdatatype_axfr:
+		mnemonic = "AXFR";
+		break;
+	case dns_rdatatype_ixfr:
+		mnemonic = "IXFR";
+		break;
+	default:
+		UNREACHABLE();
+	}
+
+	ns_client_log(client, DNS_LOGCATEGORY_XFER_OUT, NS_LOGMODULE_XFER_OUT,
+		      ISC_LOG_DEBUG(6), "%s request", mnemonic);
+	/*
+	 * Apply quota.
+	 */
+	result = isc_quota_attach(&client->sctx->xfroutquota, &quota);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(XFROUT_COMMON_LOGARGS, ISC_LOG_WARNING,
+			      "%s request denied: %s", mnemonic,
+			      isc_result_totext(result));
+		goto failure;
+	}
+
+	/*
+	 * Interpret the question section.
+	 */
+	result = dns_message_firstname(request, DNS_SECTION_QUESTION);
+	INSIST(result == ISC_R_SUCCESS);
+
+	/*
+	 * The question section must contain exactly one question, and
+	 * it must be for AXFR/IXFR as appropriate.
+	 */
+	question_name = NULL;
+	dns_message_currentname(request, DNS_SECTION_QUESTION, &question_name);
+	question_rdataset = ISC_LIST_HEAD(question_name->list);
+	question_class = question_rdataset->rdclass;
+	INSIST(question_rdataset->type == reqtype);
+	if (ISC_LIST_NEXT(question_rdataset, link) != NULL) {
+		FAILC(DNS_R_FORMERR, "multiple questions");
+	}
+	result = dns_message_nextname(request, DNS_SECTION_QUESTION);
+	if (result != ISC_R_NOMORE) {
+		FAILC(DNS_R_FORMERR, "multiple questions");
+	}
+
+	result = dns_zt_find(client->view->zonetable, question_name, 0, NULL,
+			     &zone);
+
+	if (result != ISC_R_SUCCESS || dns_zone_gettype(zone) == dns_zone_dlz) {
+		/*
+		 * The normal zone table does not have a match, or this is
+		 * marked in the zone table as a DLZ zone. Check the DLZ
+		 * databases for a match.
+		 */
+		if (!ISC_LIST_EMPTY(client->view->dlz_searched)) {
+			result = dns_dlzallowzonexfr(client->view,
+						     question_name,
+						     &client->peeraddr, &db);
+			if (result == ISC_R_DEFAULT) {
+				useviewacl = true;
+				result = ISC_R_SUCCESS;
+			}
+			if (result == ISC_R_NOPERM) {
+				char _buf1[DNS_NAME_FORMATSIZE];
+				char _buf2[DNS_RDATACLASS_FORMATSIZE];
+
+				result = DNS_R_REFUSED;
+				dns_name_format(question_name, _buf1,
+						sizeof(_buf1));
+				dns_rdataclass_format(question_class, _buf2,
+						      sizeof(_buf2));
+				ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+					      NS_LOGMODULE_XFER_OUT,
+					      ISC_LOG_ERROR,
+					      "zone transfer '%s/%s' denied",
+					      _buf1, _buf2);
+				goto failure;
+			}
+			if (result != ISC_R_SUCCESS) {
+				FAILQ(DNS_R_NOTAUTH, "non-authoritative zone",
+				      question_name, question_class);
+			}
+			is_dlz = true;
+		} else {
+			/*
+			 * not DLZ and not in normal zone table, we are
+			 * not authoritative
+			 */
+			FAILQ(DNS_R_NOTAUTH, "non-authoritative zone",
+			      question_name, question_class);
+		}
+	} else {
+		/* zone table has a match */
+		switch (dns_zone_gettype(zone)) {
+		/*
+		 * Master, slave, and mirror zones are OK for transfer.
+		 */
+		case dns_zone_primary:
+		case dns_zone_secondary:
+		case dns_zone_mirror:
+		case dns_zone_dlz:
+			break;
+		default:
+			FAILQ(DNS_R_NOTAUTH, "non-authoritative zone",
+			      question_name, question_class);
+		}
+		CHECK(dns_zone_getdb(zone, &db));
+		dns_db_currentversion(db, &ver);
+	}
+
+	xfrout_log1(client, question_name, question_class, ISC_LOG_DEBUG(6),
+		    "%s question section OK", mnemonic);
+
+	/*
+	 * Check the authority section.  Look for a SOA record with
+	 * the same name and class as the question.
+	 */
+	for (result = dns_message_firstname(request, DNS_SECTION_AUTHORITY);
+	     result == ISC_R_SUCCESS;
+	     result = dns_message_nextname(request, DNS_SECTION_AUTHORITY))
+	{
+		soa_name = NULL;
+		dns_message_currentname(request, DNS_SECTION_AUTHORITY,
+					&soa_name);
+
+		/*
+		 * Ignore data whose owner name is not the zone apex.
+		 */
+		if (!dns_name_equal(soa_name, question_name)) {
+			continue;
+		}
+
+		for (soa_rdataset = ISC_LIST_HEAD(soa_name->list);
+		     soa_rdataset != NULL;
+		     soa_rdataset = ISC_LIST_NEXT(soa_rdataset, link))
+		{
+			/*
+			 * Ignore non-SOA data.
+			 */
+			if (soa_rdataset->type != dns_rdatatype_soa) {
+				continue;
+			}
+			if (soa_rdataset->rdclass != question_class) {
+				continue;
+			}
+
+			CHECK(dns_rdataset_first(soa_rdataset));
+			dns_rdataset_current(soa_rdataset, &soa_rdata);
+			result = dns_rdataset_next(soa_rdataset);
+			if (result == ISC_R_SUCCESS) {
+				FAILC(DNS_R_FORMERR, "IXFR authority section "
+						     "has multiple SOAs");
+			}
+			have_soa = true;
+			goto got_soa;
+		}
+	}
+got_soa:
+	if (result != ISC_R_NOMORE) {
+		CHECK(result);
+	}
+
+	xfrout_log1(client, question_name, question_class, ISC_LOG_DEBUG(6),
+		    "%s authority section OK", mnemonic);
+
+	/*
+	 * If not a DLZ zone or we are falling back to the view's transfer
+	 * ACL, decide whether to allow this transfer.
+	 */
+	if (!is_dlz || useviewacl) {
+		dns_acl_t *acl;
+
+		ns_client_aclmsg("zone transfer", question_name, reqtype,
+				 client->view->rdclass, msg, sizeof(msg));
+		if (useviewacl) {
+			acl = client->view->transferacl;
+		} else {
+			acl = dns_zone_getxfracl(zone);
+		}
+		CHECK(ns_client_checkacl(client, NULL, msg, acl, true,
+					 ISC_LOG_ERROR));
+	}
+
+	/*
+	 * AXFR over UDP is not possible.
+	 */
+	if (reqtype == dns_rdatatype_axfr &&
+	    (client->attributes & NS_CLIENTATTR_TCP) == 0)
+	{
+		FAILC(DNS_R_FORMERR, "attempted AXFR over UDP");
+	}
+
+	/*
+	 * Look up the requesting server in the peer table.
+	 */
+	isc_netaddr_fromsockaddr(&na, &client->peeraddr);
+	(void)dns_peerlist_peerbyaddr(client->view->peers, &na, &peer);
+
+	/*
+	 * Decide on the transfer format (one-answer or many-answers).
+	 */
+	if (peer != NULL) {
+		(void)dns_peer_gettransferformat(peer, &format);
+	}
+
+	/*
+	 * Get a dynamically allocated copy of the current SOA.
+	 */
+	if (is_dlz) {
+		dns_db_currentversion(db, &ver);
+	}
+
+	CHECK(dns_db_createsoatuple(db, ver, mctx, DNS_DIFFOP_EXISTS,
+				    &current_soa_tuple));
+
+	current_serial = dns_soa_getserial(&current_soa_tuple->rdata);
+	if (reqtype == dns_rdatatype_ixfr) {
+		size_t jsize;
+		uint64_t dbsize;
+
+		/*
+		 * Outgoing IXFR may have been disabled for this peer
+		 * or globally.
+		 */
+		if ((client->attributes & NS_CLIENTATTR_TCP) != 0) {
+			bool provide_ixfr;
+
+			provide_ixfr = client->view->provideixfr;
+			if (peer != NULL) {
+				(void)dns_peer_getprovideixfr(peer,
+							      &provide_ixfr);
+			}
+			if (provide_ixfr == false) {
+				goto axfr_fallback;
+			}
+		}
+
+		if (!have_soa) {
+			FAILC(DNS_R_FORMERR, "IXFR request missing SOA");
+		}
+
+		begin_serial = dns_soa_getserial(&soa_rdata);
+
+		/*
+		 * RFC1995 says "If an IXFR query with the same or
+		 * newer version number than that of the server
+		 * is received, it is replied to with a single SOA
+		 * record of the server's current version, just as
+		 * in AXFR".  The claim about AXFR is incorrect,
+		 * but other than that, we do as the RFC says.
+		 *
+		 * Sending a single SOA record is also how we refuse
+		 * IXFR over UDP (currently, we always do).
+		 */
+		if (DNS_SERIAL_GE(begin_serial, current_serial) ||
+		    (client->attributes & NS_CLIENTATTR_TCP) == 0)
+		{
+			CHECK(soa_rrstream_create(mctx, db, ver, &stream));
+			is_poll = true;
+			goto have_stream;
+		}
+
+		/*
+		 * Outgoing IXFR may have been disabled for this peer
+		 * or globally.
+		 */
+		if ((client->attributes & NS_CLIENTATTR_TCP) != 0) {
+			bool provide_ixfr;
+
+			provide_ixfr = client->view->provideixfr;
+			if (peer != NULL) {
+				(void)dns_peer_getprovideixfr(peer,
+							      &provide_ixfr);
+			}
+			if (!provide_ixfr) {
+				xfrout_log1(client, question_name,
+					    question_class, ISC_LOG_DEBUG(4),
+					    "IXFR delta response disabled due "
+					    "to 'provide-ixfr no;' being set");
+				mnemonic = "AXFR-style IXFR";
+				goto axfr_fallback;
+			}
+		}
+
+		journalfile = is_dlz ? NULL : dns_zone_getjournal(zone);
+		if (journalfile != NULL) {
+			result = ixfr_rrstream_create(
+				mctx, journalfile, begin_serial, current_serial,
+				&jsize, &data_stream);
+		} else {
+			result = ISC_R_NOTFOUND;
+		}
+		if (result == ISC_R_NOTFOUND || result == ISC_R_RANGE) {
+			xfrout_log1(client, question_name, question_class,
+				    ISC_LOG_INFO,
+				    "IXFR version not in journal, "
+				    "falling back to AXFR");
+			mnemonic = "AXFR-style IXFR";
+			goto axfr_fallback;
+		}
+		CHECK(result);
+
+		result = dns_db_getsize(db, ver, NULL, &dbsize);
+		if (result == ISC_R_SUCCESS) {
+			uint32_t ratio = dns_zone_getixfrratio(zone);
+			if (ratio != 0 && ((100 * jsize) / dbsize) > ratio) {
+				data_stream->methods->destroy(&data_stream);
+				data_stream = NULL;
+				xfrout_log1(client, question_name,
+					    question_class, ISC_LOG_INFO,
+					    "IXFR delta size (%zu bytes) "
+					    "exceeds the maximum ratio to "
+					    "database size "
+					    "(%" PRIu64 " bytes), "
+					    "falling back to AXFR",
+					    jsize, dbsize);
+				mnemonic = "AXFR-style IXFR";
+				goto axfr_fallback;
+			} else {
+				xfrout_log1(client, question_name,
+					    question_class, ISC_LOG_DEBUG(4),
+					    "IXFR delta size (%zu bytes); "
+					    "database size "
+					    "(%" PRIu64 " bytes)",
+					    jsize, dbsize);
+			}
+		}
+		is_ixfr = true;
+	} else {
+	axfr_fallback:
+		CHECK(axfr_rrstream_create(mctx, db, ver, &data_stream));
+	}
+
+	/*
+	 * Bracket the data stream with SOAs.
+	 */
+	CHECK(soa_rrstream_create(mctx, db, ver, &soa_stream));
+	CHECK(compound_rrstream_create(mctx, &soa_stream, &data_stream,
+				       &stream));
+	soa_stream = NULL;
+	data_stream = NULL;
+
+have_stream:
+	CHECK(dns_message_getquerytsig(request, mctx, &tsigbuf));
+	/*
+	 * Create the xfrout context object.  This transfers the ownership
+	 * of "stream", "db", "ver", and "quota" to the xfrout context object.
+	 */
+
+	if (is_dlz) {
+		xfrout_ctx_create(mctx, client, request->id, question_name,
+				  reqtype, question_class, zone, db, ver, quota,
+				  stream, dns_message_gettsigkey(request),
+				  tsigbuf, request->verified_sig, 3600, 3600,
+				  (format == dns_many_answers) ? true : false,
+				  &xfr);
+	} else {
+		xfrout_ctx_create(
+			mctx, client, request->id, question_name, reqtype,
+			question_class, zone, db, ver, quota, stream,
+			dns_message_gettsigkey(request), tsigbuf,
+			request->verified_sig, dns_zone_getmaxxfrout(zone),
+			dns_zone_getidleout(zone),
+			(format == dns_many_answers) ? true : false, &xfr);
+	}
+
+	xfr->end_serial = current_serial;
+	xfr->mnemonic = mnemonic;
+	stream = NULL;
+	quota = NULL;
+
+	CHECK(xfr->stream->methods->first(xfr->stream));
+
+	if (xfr->tsigkey != NULL) {
+		dns_name_format(&xfr->tsigkey->name, keyname, sizeof(keyname));
+	} else {
+		keyname[0] = '\0';
+	}
+	xfr->poll = is_poll;
+	if (is_poll) {
+		xfr->mnemonic = "IXFR poll response";
+		xfrout_log1(client, question_name, question_class,
+			    ISC_LOG_DEBUG(1), "IXFR poll up to date%s%s",
+			    (xfr->tsigkey != NULL) ? ": TSIG " : "", keyname);
+	} else if (is_ixfr) {
+		xfrout_log1(client, question_name, question_class, ISC_LOG_INFO,
+			    "%s started%s%s (serial %u -> %u)", mnemonic,
+			    (xfr->tsigkey != NULL) ? ": TSIG " : "", keyname,
+			    begin_serial, current_serial);
+	} else {
+		xfrout_log1(client, question_name, question_class, ISC_LOG_INFO,
+			    "%s started%s%s (serial %u)", mnemonic,
+			    (xfr->tsigkey != NULL) ? ": TSIG " : "", keyname,
+			    current_serial);
+	}
+
+	if (zone != NULL) {
+		dns_zone_getraw(zone, &raw);
+		mayberaw = (raw != NULL) ? raw : zone;
+		if ((client->attributes & NS_CLIENTATTR_WANTEXPIRE) != 0 &&
+		    (dns_zone_gettype(mayberaw) == dns_zone_secondary ||
+		     dns_zone_gettype(mayberaw) == dns_zone_mirror))
+		{
+			isc_time_t expiretime;
+			uint32_t secs;
+			dns_zone_getexpiretime(zone, &expiretime);
+			secs = isc_time_seconds(&expiretime);
+			if (secs >= client->now && result == ISC_R_SUCCESS) {
+				client->attributes |= NS_CLIENTATTR_HAVEEXPIRE;
+				client->expire = secs - client->now;
+			}
+		}
+		if (raw != NULL) {
+			dns_zone_detach(&raw);
+		}
+	}
+
+	/* Start the timers */
+	if (xfr->maxtime > 0) {
+		xfrout_log(xfr, ISC_LOG_DEBUG(1),
+			   "starting maxtime timer %" PRIu64 " ms",
+			   xfr->maxtime);
+		isc_nm_timer_start(xfr->maxtime_timer, xfr->maxtime);
+	}
+
+	/*
+	 * Hand the context over to sendstream().  Set xfr to NULL;
+	 * sendstream() is responsible for either passing the
+	 * context on to a later event handler or destroying it.
+	 */
+	sendstream(xfr);
+	xfr = NULL;
+
+	result = ISC_R_SUCCESS;
+
+failure:
+	if (result == DNS_R_REFUSED) {
+		inc_stats(client, zone, ns_statscounter_xfrrej);
+	}
+	if (quota != NULL) {
+		isc_quota_detach(&quota);
+	}
+	if (current_soa_tuple != NULL) {
+		dns_difftuple_free(&current_soa_tuple);
+	}
+	if (stream != NULL) {
+		stream->methods->destroy(&stream);
+	}
+	if (soa_stream != NULL) {
+		soa_stream->methods->destroy(&soa_stream);
+	}
+	if (data_stream != NULL) {
+		data_stream->methods->destroy(&data_stream);
+	}
+	if (ver != NULL) {
+		dns_db_closeversion(db, &ver, false);
+	}
+	if (db != NULL) {
+		dns_db_detach(&db);
+	}
+	if (zone != NULL) {
+		dns_zone_detach(&zone);
+	}
+	/* XXX kludge */
+	if (xfr != NULL) {
+		xfrout_fail(xfr, result, "setting up zone transfer");
+	} else if (result != ISC_R_SUCCESS) {
+		ns_client_log(client, DNS_LOGCATEGORY_XFER_OUT,
+			      NS_LOGMODULE_XFER_OUT, ISC_LOG_DEBUG(3),
+			      "zone transfer setup failed");
+		ns_client_error(client, result);
+		isc_nmhandle_detach(&client->reqhandle);
+	}
+}
+
+static void
+xfrout_ctx_create(isc_mem_t *mctx, ns_client_t *client, unsigned int id,
+		  dns_name_t *qname, dns_rdatatype_t qtype,
+		  dns_rdataclass_t qclass, dns_zone_t *zone, dns_db_t *db,
+		  dns_dbversion_t *ver, isc_quota_t *quota, rrstream_t *stream,
+		  dns_tsigkey_t *tsigkey, isc_buffer_t *lasttsig,
+		  bool verified_tsig, unsigned int maxtime,
+		  unsigned int idletime, bool many_answers,
+		  xfrout_ctx_t **xfrp) {
+	xfrout_ctx_t *xfr = NULL;
+	unsigned int len = NS_CLIENT_TCP_BUFFER_SIZE;
+	void *mem = NULL;
+
+	REQUIRE(xfrp != NULL && *xfrp == NULL);
+
+	xfr = isc_mem_get(mctx, sizeof(*xfr));
+	*xfr = (xfrout_ctx_t){
+		.client = client,
+		.id = id,
+		.qname = qname,
+		.qtype = qtype,
+		.qclass = qclass,
+		.maxtime = maxtime * 1000,   /* in milliseconds */
+		.idletime = idletime * 1000, /* In milliseconds */
+		.tsigkey = tsigkey,
+		.lasttsig = lasttsig,
+		.verified_tsig = verified_tsig,
+		.many_answers = many_answers,
+	};
+
+	isc_mem_attach(mctx, &xfr->mctx);
+
+	if (zone != NULL) { /* zone will be NULL if it's DLZ */
+		dns_zone_attach(zone, &xfr->zone);
+	}
+	dns_db_attach(db, &xfr->db);
+	dns_db_attachversion(db, ver, &xfr->ver);
+
+	isc_time_now(&xfr->stats.start);
+
+	isc_nm_timer_create(xfr->client->handle, xfrout_client_timeout, xfr,
+			    &xfr->maxtime_timer);
+
+	/*
+	 * Allocate a temporary buffer for the uncompressed response
+	 * message data.  The buffer size must be 65535 bytes
+	 * (NS_CLIENT_TCP_BUFFER_SIZE): small enough that compressed
+	 * data will fit in a single TCP message, and big enough to
+	 * hold a maximum-sized RR.
+	 *
+	 * Note that although 65535-byte RRs are allowed in principle, they
+	 * cannot be zone-transferred (at least not if uncompressible),
+	 * because the message and RR headers would push the size of the
+	 * TCP message over the 65536 byte limit.
+	 */
+	mem = isc_mem_get(mctx, len);
+	isc_buffer_init(&xfr->buf, mem, len);
+
+	/*
+	 * Allocate another temporary buffer for the compressed
+	 * response message.
+	 */
+	mem = isc_mem_get(mctx, len);
+	isc_buffer_init(&xfr->txbuf, (char *)mem, len);
+	xfr->txmem = mem;
+	xfr->txmemlen = len;
+
+	/*
+	 * These MUST be after the last "goto failure;" / CHECK to
+	 * prevent a double free by the caller.
+	 */
+	xfr->quota = quota;
+	xfr->stream = stream;
+
+	*xfrp = xfr;
+}
+
+/*
+ * Arrange to send as much as we can of "stream" without blocking.
+ *
+ * Requires:
+ *	The stream iterator is initialized and points at an RR,
+ *      or possibly at the end of the stream (that is, the
+ *      _first method of the iterator has been called).
+ */
+static void
+sendstream(xfrout_ctx_t *xfr) {
+	dns_message_t *tcpmsg = NULL;
+	dns_message_t *msg = NULL; /* Client message if UDP, tcpmsg if TCP */
+	isc_result_t result;
+	dns_rdataset_t *qrdataset;
+	dns_name_t *msgname = NULL;
+	dns_rdata_t *msgrdata = NULL;
+	dns_rdatalist_t *msgrdl = NULL;
+	dns_rdataset_t *msgrds = NULL;
+	dns_compress_t cctx;
+	bool cleanup_cctx = false;
+	bool is_tcp;
+	int n_rrs;
+
+	isc_buffer_clear(&xfr->buf);
+	isc_buffer_clear(&xfr->txbuf);
+
+	is_tcp = ((xfr->client->attributes & NS_CLIENTATTR_TCP) != 0);
+	if (!is_tcp) {
+		/*
+		 * In the UDP case, we put the response data directly into
+		 * the client message.
+		 */
+		msg = xfr->client->message;
+		CHECK(dns_message_reply(msg, true));
+	} else {
+		/*
+		 * TCP. Build a response dns_message_t, temporarily storing
+		 * the raw, uncompressed owner names and RR data contiguously
+		 * in xfr->buf.  We know that if the uncompressed data fits
+		 * in xfr->buf, the compressed data will surely fit in a TCP
+		 * message.
+		 */
+
+		dns_message_create(xfr->mctx, DNS_MESSAGE_INTENTRENDER,
+				   &tcpmsg);
+		msg = tcpmsg;
+
+		msg->id = xfr->id;
+		msg->rcode = dns_rcode_noerror;
+		msg->flags = DNS_MESSAGEFLAG_QR | DNS_MESSAGEFLAG_AA;
+		if ((xfr->client->attributes & NS_CLIENTATTR_RA) != 0) {
+			msg->flags |= DNS_MESSAGEFLAG_RA;
+		}
+		CHECK(dns_message_settsigkey(msg, xfr->tsigkey));
+		CHECK(dns_message_setquerytsig(msg, xfr->lasttsig));
+		if (xfr->lasttsig != NULL) {
+			isc_buffer_free(&xfr->lasttsig);
+		}
+		msg->verified_sig = xfr->verified_tsig;
+
+		/*
+		 * Add a EDNS option to the message?
+		 */
+		if ((xfr->client->attributes & NS_CLIENTATTR_WANTOPT) != 0) {
+			dns_rdataset_t *opt = NULL;
+
+			CHECK(ns_client_addopt(xfr->client, msg, &opt));
+			CHECK(dns_message_setopt(msg, opt));
+			/*
+			 * Add to first message only.
+			 */
+			xfr->client->attributes &= ~NS_CLIENTATTR_WANTNSID;
+			xfr->client->attributes &= ~NS_CLIENTATTR_HAVEEXPIRE;
+		}
+
+		/*
+		 * Account for reserved space.
+		 */
+		if (xfr->tsigkey != NULL) {
+			INSIST(msg->reserved != 0U);
+		}
+		isc_buffer_add(&xfr->buf, msg->reserved);
+
+		/*
+		 * Include a question section in the first message only.
+		 * BIND 8.2.1 will not recognize an IXFR if it does not
+		 * have a question section.
+		 */
+		if (!xfr->question_added) {
+			dns_name_t *qname = NULL;
+			isc_region_t r;
+
+			/*
+			 * Reserve space for the 12-byte message header
+			 * and 4 bytes of question.
+			 */
+			isc_buffer_add(&xfr->buf, 12 + 4);
+
+			qrdataset = NULL;
+			result = dns_message_gettemprdataset(msg, &qrdataset);
+			if (result != ISC_R_SUCCESS) {
+				goto failure;
+			}
+			dns_rdataset_makequestion(qrdataset,
+						  xfr->client->message->rdclass,
+						  xfr->qtype);
+
+			result = dns_message_gettempname(msg, &qname);
+			if (result != ISC_R_SUCCESS) {
+				goto failure;
+			}
+			isc_buffer_availableregion(&xfr->buf, &r);
+			INSIST(r.length >= xfr->qname->length);
+			r.length = xfr->qname->length;
+			isc_buffer_putmem(&xfr->buf, xfr->qname->ndata,
+					  xfr->qname->length);
+			dns_name_fromregion(qname, &r);
+			ISC_LIST_INIT(qname->list);
+			ISC_LIST_APPEND(qname->list, qrdataset, link);
+
+			dns_message_addname(msg, qname, DNS_SECTION_QUESTION);
+			xfr->question_added = true;
+		} else {
+			/*
+			 * Reserve space for the 12-byte message header
+			 */
+			isc_buffer_add(&xfr->buf, 12);
+			msg->tcp_continuation = 1;
+		}
+	}
+
+	/*
+	 * Try to fit in as many RRs as possible, unless "one-answer"
+	 * format has been requested.
+	 */
+	for (n_rrs = 0;; n_rrs++) {
+		dns_name_t *name = NULL;
+		uint32_t ttl;
+		dns_rdata_t *rdata = NULL;
+
+		unsigned int size;
+		isc_region_t r;
+
+		msgname = NULL;
+		msgrdata = NULL;
+		msgrdl = NULL;
+		msgrds = NULL;
+
+		xfr->stream->methods->current(xfr->stream, &name, &ttl, &rdata);
+		size = name->length + 10 + rdata->length;
+		isc_buffer_availableregion(&xfr->buf, &r);
+		if (size >= r.length) {
+			/*
+			 * RR would not fit.  If there are other RRs in the
+			 * buffer, send them now and leave this RR to the
+			 * next message.  If this RR overflows the buffer
+			 * all by itself, fail.
+			 *
+			 * In theory some RRs might fit in a TCP message
+			 * when compressed even if they do not fit when
+			 * uncompressed, but surely we don't want
+			 * to send such monstrosities to an unsuspecting
+			 * slave.
+			 */
+			if (n_rrs == 0) {
+				xfrout_log(xfr, ISC_LOG_WARNING,
+					   "RR too large for zone transfer "
+					   "(%d bytes)",
+					   size);
+				/* XXX DNS_R_RRTOOLARGE? */
+				result = ISC_R_NOSPACE;
+				goto failure;
+			}
+			break;
+		}
+
+		if (isc_log_wouldlog(ns_lctx, XFROUT_RR_LOGLEVEL)) {
+			log_rr(name, rdata, ttl); /* XXX */
+		}
+
+		result = dns_message_gettempname(msg, &msgname);
+		if (result != ISC_R_SUCCESS) {
+			goto failure;
+		}
+		isc_buffer_availableregion(&xfr->buf, &r);
+		INSIST(r.length >= name->length);
+		r.length = name->length;
+		isc_buffer_putmem(&xfr->buf, name->ndata, name->length);
+		dns_name_fromregion(msgname, &r);
+
+		/* Reserve space for RR header. */
+		isc_buffer_add(&xfr->buf, 10);
+
+		result = dns_message_gettemprdata(msg, &msgrdata);
+		if (result != ISC_R_SUCCESS) {
+			goto failure;
+		}
+		isc_buffer_availableregion(&xfr->buf, &r);
+		r.length = rdata->length;
+		isc_buffer_putmem(&xfr->buf, rdata->data, rdata->length);
+		dns_rdata_init(msgrdata);
+		dns_rdata_fromregion(msgrdata, rdata->rdclass, rdata->type, &r);
+
+		result = dns_message_gettemprdatalist(msg, &msgrdl);
+		if (result != ISC_R_SUCCESS) {
+			goto failure;
+		}
+		msgrdl->type = rdata->type;
+		msgrdl->rdclass = rdata->rdclass;
+		msgrdl->ttl = ttl;
+		if (rdata->type == dns_rdatatype_sig ||
+		    rdata->type == dns_rdatatype_rrsig)
+		{
+			msgrdl->covers = dns_rdata_covers(rdata);
+		} else {
+			msgrdl->covers = dns_rdatatype_none;
+		}
+		ISC_LIST_APPEND(msgrdl->rdata, msgrdata, link);
+
+		result = dns_message_gettemprdataset(msg, &msgrds);
+		if (result != ISC_R_SUCCESS) {
+			goto failure;
+		}
+		result = dns_rdatalist_tordataset(msgrdl, msgrds);
+		INSIST(result == ISC_R_SUCCESS);
+
+		ISC_LIST_APPEND(msgname->list, msgrds, link);
+
+		dns_message_addname(msg, msgname, DNS_SECTION_ANSWER);
+		msgname = NULL;
+
+		xfr->stats.nrecs++;
+
+		result = xfr->stream->methods->next(xfr->stream);
+		if (result == ISC_R_NOMORE) {
+			xfr->end_of_stream = true;
+			break;
+		}
+		CHECK(result);
+
+		if (!xfr->many_answers) {
+			break;
+		}
+		/*
+		 * At this stage, at least 1 RR has been rendered into
+		 * the message. Check if we want to clamp this message
+		 * here (TCP only).
+		 */
+		if ((isc_buffer_usedlength(&xfr->buf) >=
+		     xfr->client->sctx->transfer_tcp_message_size) &&
+		    is_tcp)
+		{
+			break;
+		}
+	}
+
+	if (is_tcp) {
+		isc_region_t used;
+		CHECK(dns_compress_init(&cctx, -1, xfr->mctx));
+		dns_compress_setsensitive(&cctx, true);
+		cleanup_cctx = true;
+		CHECK(dns_message_renderbegin(msg, &cctx, &xfr->txbuf));
+		CHECK(dns_message_rendersection(msg, DNS_SECTION_QUESTION, 0));
+		CHECK(dns_message_rendersection(msg, DNS_SECTION_ANSWER, 0));
+		CHECK(dns_message_renderend(msg));
+		dns_compress_invalidate(&cctx);
+		cleanup_cctx = false;
+
+		isc_buffer_usedregion(&xfr->txbuf, &used);
+
+		xfrout_log(xfr, ISC_LOG_DEBUG(8),
+			   "sending TCP message of %d bytes", used.length);
+
+		isc_nmhandle_attach(xfr->client->handle,
+				    &xfr->client->sendhandle);
+		if (xfr->idletime > 0) {
+			isc_nmhandle_setwritetimeout(xfr->client->sendhandle,
+						     xfr->idletime);
+		}
+		isc_nm_send(xfr->client->sendhandle, &used, xfrout_senddone,
+			    xfr);
+		xfr->sends++;
+		xfr->cbytes = used.length;
+	} else {
+		xfrout_log(xfr, ISC_LOG_DEBUG(8), "sending IXFR UDP response");
+		ns_client_send(xfr->client);
+		xfr->stream->methods->pause(xfr->stream);
+		isc_nmhandle_detach(&xfr->client->reqhandle);
+		xfrout_ctx_destroy(&xfr);
+		return;
+	}
+
+	/* Advance lasttsig to be the last TSIG generated */
+	CHECK(dns_message_getquerytsig(msg, xfr->mctx, &xfr->lasttsig));
+
+failure:
+	if (msgname != NULL) {
+		if (msgrds != NULL) {
+			if (dns_rdataset_isassociated(msgrds)) {
+				dns_rdataset_disassociate(msgrds);
+			}
+			dns_message_puttemprdataset(msg, &msgrds);
+		}
+		if (msgrdl != NULL) {
+			ISC_LIST_UNLINK(msgrdl->rdata, msgrdata, link);
+			dns_message_puttemprdatalist(msg, &msgrdl);
+		}
+		if (msgrdata != NULL) {
+			dns_message_puttemprdata(msg, &msgrdata);
+		}
+		dns_message_puttempname(msg, &msgname);
+	}
+
+	if (tcpmsg != NULL) {
+		dns_message_detach(&tcpmsg);
+	}
+
+	if (cleanup_cctx) {
+		dns_compress_invalidate(&cctx);
+	}
+	/*
+	 * Make sure to release any locks held by database
+	 * iterators before returning from the event handler.
+	 */
+	xfr->stream->methods->pause(xfr->stream);
+
+	if (result == ISC_R_SUCCESS) {
+		return;
+	}
+
+	if (xfr->client->sendhandle != NULL) {
+		isc_nmhandle_detach(&xfr->client->sendhandle);
+	}
+
+	xfrout_fail(xfr, result, "sending zone data");
+}
+
+static void
+xfrout_ctx_destroy(xfrout_ctx_t **xfrp) {
+	xfrout_ctx_t *xfr = *xfrp;
+	*xfrp = NULL;
+
+	INSIST(xfr->sends == 0);
+
+	isc_nm_timer_stop(xfr->maxtime_timer);
+	isc_nm_timer_detach(&xfr->maxtime_timer);
+
+	if (xfr->stream != NULL) {
+		xfr->stream->methods->destroy(&xfr->stream);
+	}
+	if (xfr->buf.base != NULL) {
+		isc_mem_put(xfr->mctx, xfr->buf.base, xfr->buf.length);
+	}
+	if (xfr->txmem != NULL) {
+		isc_mem_put(xfr->mctx, xfr->txmem, xfr->txmemlen);
+	}
+	if (xfr->lasttsig != NULL) {
+		isc_buffer_free(&xfr->lasttsig);
+	}
+	if (xfr->quota != NULL) {
+		isc_quota_detach(&xfr->quota);
+	}
+	if (xfr->ver != NULL) {
+		dns_db_closeversion(xfr->db, &xfr->ver, false);
+	}
+	if (xfr->zone != NULL) {
+		dns_zone_detach(&xfr->zone);
+	}
+	if (xfr->db != NULL) {
+		dns_db_detach(&xfr->db);
+	}
+
+	isc_mem_putanddetach(&xfr->mctx, xfr, sizeof(*xfr));
+}
+
+static void
+xfrout_senddone(isc_nmhandle_t *handle, isc_result_t result, void *arg) {
+	xfrout_ctx_t *xfr = (xfrout_ctx_t *)arg;
+
+	REQUIRE((xfr->client->attributes & NS_CLIENTATTR_TCP) != 0);
+
+	INSIST(handle == xfr->client->handle);
+
+	xfr->sends--;
+	INSIST(xfr->sends == 0);
+
+	isc_nmhandle_detach(&xfr->client->sendhandle);
+
+	/*
+	 * Update transfer statistics if sending succeeded, accounting for the
+	 * two-byte TCP length prefix included in the number of bytes sent.
+	 */
+	if (result == ISC_R_SUCCESS) {
+		xfr->stats.nmsg++;
+		xfr->stats.nbytes += xfr->cbytes;
+	}
+
+	if (xfr->shuttingdown) {
+		xfrout_maybe_destroy(xfr);
+	} else if (result != ISC_R_SUCCESS) {
+		xfrout_fail(xfr, result, "send");
+	} else if (!xfr->end_of_stream) {
+		sendstream(xfr);
+	} else {
+		/* End of zone transfer stream. */
+		uint64_t msecs, persec;
+
+		inc_stats(xfr->client, xfr->zone, ns_statscounter_xfrdone);
+		isc_time_now(&xfr->stats.end);
+		msecs = isc_time_microdiff(&xfr->stats.end, &xfr->stats.start);
+		msecs /= 1000;
+		if (msecs == 0) {
+			msecs = 1;
+		}
+		persec = (xfr->stats.nbytes * 1000) / msecs;
+		xfrout_log(xfr, xfr->poll ? ISC_LOG_DEBUG(1) : ISC_LOG_INFO,
+			   "%s ended: "
+			   "%" PRIu64 " messages, %" PRIu64 " records, "
+			   "%" PRIu64 " bytes, "
+			   "%u.%03u secs (%u bytes/sec) (serial %u)",
+			   xfr->mnemonic, xfr->stats.nmsg, xfr->stats.nrecs,
+			   xfr->stats.nbytes, (unsigned int)(msecs / 1000),
+			   (unsigned int)(msecs % 1000), (unsigned int)persec,
+			   xfr->end_serial);
+
+		/*
+		 * We're done, unreference the handle and destroy the xfr
+		 * context.
+		 */
+		isc_nmhandle_detach(&xfr->client->reqhandle);
+		xfrout_ctx_destroy(&xfr);
+	}
+}
+
+static void
+xfrout_fail(xfrout_ctx_t *xfr, isc_result_t result, const char *msg) {
+	xfr->shuttingdown = true;
+	xfrout_log(xfr, ISC_LOG_ERROR, "%s: %s", msg,
+		   isc_result_totext(result));
+	xfrout_maybe_destroy(xfr);
+}
+
+static void
+xfrout_maybe_destroy(xfrout_ctx_t *xfr) {
+	REQUIRE(xfr->shuttingdown);
+
+	ns_client_drop(xfr->client, ISC_R_CANCELED);
+	isc_nmhandle_detach(&xfr->client->reqhandle);
+	xfrout_ctx_destroy(&xfr);
+}
+
+static void
+xfrout_client_timeout(void *arg, isc_result_t result) {
+	xfrout_ctx_t *xfr = (xfrout_ctx_t *)arg;
+
+	xfr->shuttingdown = true;
+	xfrout_log(xfr, ISC_LOG_ERROR, "%s: %s", "aborted",
+		   isc_result_totext(result));
+}
+
+/*
+ * Log outgoing zone transfer messages in a format like
+ * <client>: transfer of <zone>: <message>
+ */
+
+static void
+xfrout_logv(ns_client_t *client, dns_name_t *zonename, dns_rdataclass_t rdclass,
+	    int level, const char *fmt, va_list ap) ISC_FORMAT_PRINTF(5, 0);
+
+static void
+xfrout_logv(ns_client_t *client, dns_name_t *zonename, dns_rdataclass_t rdclass,
+	    int level, const char *fmt, va_list ap) {
+	char msgbuf[2048];
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char classbuf[DNS_RDATACLASS_FORMATSIZE];
+
+	dns_name_format(zonename, namebuf, sizeof(namebuf));
+	dns_rdataclass_format(rdclass, classbuf, sizeof(classbuf));
+	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
+	ns_client_log(client, DNS_LOGCATEGORY_XFER_OUT, NS_LOGMODULE_XFER_OUT,
+		      level, "transfer of '%s/%s': %s", namebuf, classbuf,
+		      msgbuf);
+}
+
+/*
+ * Logging function for use when a xfrout_ctx_t has not yet been created.
+ */
+static void
+xfrout_log1(ns_client_t *client, dns_name_t *zonename, dns_rdataclass_t rdclass,
+	    int level, const char *fmt, ...) {
+	va_list ap;
+	va_start(ap, fmt);
+	xfrout_logv(client, zonename, rdclass, level, fmt, ap);
+	va_end(ap);
+}
+
+/*
+ * Logging function for use when there is a xfrout_ctx_t.
+ */
+static void
+xfrout_log(xfrout_ctx_t *xfr, int level, const char *fmt, ...) {
+	va_list ap;
+	va_start(ap, fmt);
+	xfrout_logv(xfr->client, xfr->qname, xfr->qclass, level, fmt, ap);
+	va_end(ap);
+}
diff --git a/lib/win32/bindevt/bindevt.c b/lib/win32/bindevt/bindevt.c
new file mode 100644
index 0000000..31cb368
--- /dev/null
+++ b/lib/win32/bindevt/bindevt.c
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * bindevt.c : Defines the entry point for event log viewer DLL.
+ */
+
+#include <windows.h>
+
+BOOL APIENTRY
+DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
+	return (TRUE);
+}
diff --git a/lib/win32/bindevt/bindevt.mc b/lib/win32/bindevt/bindevt.mc
new file mode 100644
index 0000000..60a6346
--- /dev/null
+++ b/lib/win32/bindevt/bindevt.mc
@@ -0,0 +1,41 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+MessageIdTypedef=DWORD
+
+LanguageNames = (English=0x409:MSG00409)
+
+OutputBase = 16
+
+
+MessageId=0x1
+Severity=Error
+Facility=Application
+SymbolicName=BIND_ERR_MSG
+Language=English
+%1
+.
+
+MessageId=0x2
+Severity=Warning
+Facility=Application
+SymbolicName=BIND_WARN_MSG
+Language=English
+%1
+.
+
+MessageId=0x3
+Severity=Informational
+Facility=Application
+SymbolicName=BIND_INFO_MSG
+Language=English
+%1
+.
diff --git a/lib/win32/bindevt/bindevt.vcxproj.filters.in b/lib/win32/bindevt/bindevt.vcxproj.filters.in
new file mode 100644
index 0000000..2b9ee98
--- /dev/null
+++ b/lib/win32/bindevt/bindevt.vcxproj.filters.in
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <ClCompile Include="bindevt.c" />
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="bindevt.mc" />
+  </ItemGroup>
+  <ItemGroup>
+    <ResourceCompile Include="bindevt.rc" />
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/lib/win32/bindevt/bindevt.vcxproj.in b/lib/win32/bindevt/bindevt.vcxproj.in
new file mode 100644
index 0000000..78113e4
--- /dev/null
+++ b/lib/win32/bindevt/bindevt.vcxproj.in
@@ -0,0 +1,137 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{0D745CD9-FC3B-49DC-99BE-1E6DF85593F0}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>bindevt</RootNamespace>
+    @WINDOWS_TARGET_PLATFORM_VERSION@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    @PLATFORM_TOOLSET@
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+    <CustomBuildBeforeTargets>ResourceCompile</CustomBuildBeforeTargets>
+    <IgnoreImportLibrary>true</IgnoreImportLibrary>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <IntDirSharingDetected>None</IntDirSharingDetected>
+    <CustomBuildBeforeTargets>ResourceCompile</CustomBuildBeforeTargets>
+    <IgnoreImportLibrary>true</IgnoreImportLibrary>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;BINDEVT_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalIncludeDirectories>..\include;..\..\..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <ImportLibrary>.\$(Configuration)\$(ProjectName).lib</ImportLibrary>
+    </Link>
+    <CustomBuildStep>
+      <Command>mc bindevt.mc</Command>
+    </CustomBuildStep>
+    <CustomBuildStep>
+      <Outputs>$(TargetName).rc</Outputs>
+    </CustomBuildStep>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level1</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>false</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;BINDEVT_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalIncludeDirectories>..\include;..\..\..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <StringPooling>true</StringPooling>
+      <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <ImportLibrary>.\$(Configuration)\$(ProjectName).lib</ImportLibrary>
+    </Link>
+    <CustomBuildStep>
+      <Command>mc bindevt.mc</Command>
+    </CustomBuildStep>
+    <CustomBuildStep>
+      <Outputs>$(TargetName).rc</Outputs>
+    </CustomBuildStep>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="bindevt.c" />
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="bindevt.mc" />
+  </ItemGroup>
+  <ItemGroup>
+    <ResourceCompile Include="bindevt.rc" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/lib/win32/bindevt/bindevt.vcxproj.user b/lib/win32/bindevt/bindevt.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/lib/win32/bindevt/bindevt.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/ltmain.sh b/ltmain.sh
new file mode 100755
index 0000000..21e5e07
--- /dev/null
+++ b/ltmain.sh
@@ -0,0 +1,11251 @@
+#! /bin/sh
+## DO NOT EDIT - This file generated from ./build-aux/ltmain.in
+##               by inline-source v2014-01-03.01
+
+# libtool (GNU libtool) 2.4.6
+# Provide generalized library-building support services.
+# Written by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
+
+# Copyright (C) 1996-2015 Free Software Foundation, Inc.
+# This is free software; see the source for copying conditions.  There is NO
+# warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+# GNU Libtool is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# As a special exception to the GNU General Public License,
+# if you distribute this file as part of a program or library that
+# is built using GNU Libtool, you may include this file under the
+# same distribution terms that you use for the rest of that program.
+#
+# GNU Libtool is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+
+PROGRAM=libtool
+PACKAGE=libtool
+VERSION="2.4.6 Debian-2.4.6-15"
+package_revision=2.4.6
+
+
+## ------ ##
+## Usage. ##
+## ------ ##
+
+# Run './libtool --help' for help with using this script from the
+# command line.
+
+
+## ------------------------------- ##
+## User overridable command paths. ##
+## ------------------------------- ##
+
+# After configure completes, it has a better idea of some of the
+# shell tools we need than the defaults used by the functions shared
+# with bootstrap, so set those here where they can still be over-
+# ridden by the user, but otherwise take precedence.
+
+: ${AUTOCONF="autoconf"}
+: ${AUTOMAKE="automake"}
+
+
+## -------------------------- ##
+## Source external libraries. ##
+## -------------------------- ##
+
+# Much of our low-level functionality needs to be sourced from external
+# libraries, which are installed to $pkgauxdir.
+
+# Set a version string for this script.
+scriptversion=2015-01-20.17; # UTC
+
+# General shell script boiler plate, and helper functions.
+# Written by Gary V. Vaughan, 2004
+
+# Copyright (C) 2004-2015 Free Software Foundation, Inc.
+# This is free software; see the source for copying conditions.  There is NO
+# warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+
+# As a special exception to the GNU General Public License, if you distribute
+# this file as part of a program or library that is built using GNU Libtool,
+# you may include this file under the same distribution terms that you use
+# for the rest of that program.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNES FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+# Please report bugs or propose patches to gary@gnu.org.
+
+
+## ------ ##
+## Usage. ##
+## ------ ##
+
+# Evaluate this file near the top of your script to gain access to
+# the functions and variables defined here:
+#
+#   . `echo "$0" | ${SED-sed} 's|[^/]*$||'`/build-aux/funclib.sh
+#
+# If you need to override any of the default environment variable
+# settings, do that before evaluating this file.
+
+
+## -------------------- ##
+## Shell normalisation. ##
+## -------------------- ##
+
+# Some shells need a little help to be as Bourne compatible as possible.
+# Before doing anything else, make sure all that help has been provided!
+
+DUALCASE=1; export DUALCASE # for MKS sh
+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then :
+  emulate sh
+  NULLCMD=:
+  # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which
+  # is contrary to our usage.  Disable this feature.
+  alias -g '${1+"$@"}'='"$@"'
+  setopt NO_GLOB_SUBST
+else
+  case `(set -o) 2>/dev/null` in *posix*) set -o posix ;; esac
+fi
+
+# NLS nuisances: We save the old values in case they are required later.
+_G_user_locale=
+_G_safe_locale=
+for _G_var in LANG LANGUAGE LC_ALL LC_CTYPE LC_COLLATE LC_MESSAGES
+do
+  eval "if test set = \"\${$_G_var+set}\"; then
+          save_$_G_var=\$$_G_var
+          $_G_var=C
+	  export $_G_var
+	  _G_user_locale=\"$_G_var=\\\$save_\$_G_var; \$_G_user_locale\"
+	  _G_safe_locale=\"$_G_var=C; \$_G_safe_locale\"
+	fi"
+done
+
+# CDPATH.
+(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
+
+# Make sure IFS has a sensible default
+sp=' '
+nl='
+'
+IFS="$sp	$nl"
+
+# There are apparently some retarded systems that use ';' as a PATH separator!
+if test "${PATH_SEPARATOR+set}" != set; then
+  PATH_SEPARATOR=:
+  (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && {
+    (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 ||
+      PATH_SEPARATOR=';'
+  }
+fi
+
+
+
+## ------------------------- ##
+## Locate command utilities. ##
+## ------------------------- ##
+
+
+# func_executable_p FILE
+# ----------------------
+# Check that FILE is an executable regular file.
+func_executable_p ()
+{
+    test -f "$1" && test -x "$1"
+}
+
+
+# func_path_progs PROGS_LIST CHECK_FUNC [PATH]
+# --------------------------------------------
+# Search for either a program that responds to --version with output
+# containing "GNU", or else returned by CHECK_FUNC otherwise, by
+# trying all the directories in PATH with each of the elements of
+# PROGS_LIST.
+#
+# CHECK_FUNC should accept the path to a candidate program, and
+# set $func_check_prog_result if it truncates its output less than
+# $_G_path_prog_max characters.
+func_path_progs ()
+{
+    _G_progs_list=$1
+    _G_check_func=$2
+    _G_PATH=${3-"$PATH"}
+
+    _G_path_prog_max=0
+    _G_path_prog_found=false
+    _G_save_IFS=$IFS; IFS=${PATH_SEPARATOR-:}
+    for _G_dir in $_G_PATH; do
+      IFS=$_G_save_IFS
+      test -z "$_G_dir" && _G_dir=.
+      for _G_prog_name in $_G_progs_list; do
+        for _exeext in '' .EXE; do
+          _G_path_prog=$_G_dir/$_G_prog_name$_exeext
+          func_executable_p "$_G_path_prog" || continue
+          case `"$_G_path_prog" --version 2>&1` in
+            *GNU*) func_path_progs_result=$_G_path_prog _G_path_prog_found=: ;;
+            *)     $_G_check_func $_G_path_prog
+		   func_path_progs_result=$func_check_prog_result
+		   ;;
+          esac
+          $_G_path_prog_found && break 3
+        done
+      done
+    done
+    IFS=$_G_save_IFS
+    test -z "$func_path_progs_result" && {
+      echo "no acceptable sed could be found in \$PATH" >&2
+      exit 1
+    }
+}
+
+
+# We want to be able to use the functions in this file before configure
+# has figured out where the best binaries are kept, which means we have
+# to search for them ourselves - except when the results are already set
+# where we skip the searches.
+
+# Unless the user overrides by setting SED, search the path for either GNU
+# sed, or the sed that truncates its output the least.
+test -z "$SED" && {
+  _G_sed_script=s/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/
+  for _G_i in 1 2 3 4 5 6 7; do
+    _G_sed_script=$_G_sed_script$nl$_G_sed_script
+  done
+  echo "$_G_sed_script" 2>/dev/null | sed 99q >conftest.sed
+  _G_sed_script=
+
+  func_check_prog_sed ()
+  {
+    _G_path_prog=$1
+
+    _G_count=0
+    printf 0123456789 >conftest.in
+    while :
+    do
+      cat conftest.in conftest.in >conftest.tmp
+      mv conftest.tmp conftest.in
+      cp conftest.in conftest.nl
+      echo '' >> conftest.nl
+      "$_G_path_prog" -f conftest.sed <conftest.nl >conftest.out 2>/dev/null || break
+      diff conftest.out conftest.nl >/dev/null 2>&1 || break
+      _G_count=`expr $_G_count + 1`
+      if test "$_G_count" -gt "$_G_path_prog_max"; then
+        # Best one so far, save it but keep looking for a better one
+        func_check_prog_result=$_G_path_prog
+        _G_path_prog_max=$_G_count
+      fi
+      # 10*(2^10) chars as input seems more than enough
+      test 10 -lt "$_G_count" && break
+    done
+    rm -f conftest.in conftest.tmp conftest.nl conftest.out
+  }
+
+  func_path_progs "sed gsed" func_check_prog_sed $PATH:/usr/xpg4/bin
+  rm -f conftest.sed
+  SED=$func_path_progs_result
+}
+
+
+# Unless the user overrides by setting GREP, search the path for either GNU
+# grep, or the grep that truncates its output the least.
+test -z "$GREP" && {
+  func_check_prog_grep ()
+  {
+    _G_path_prog=$1
+
+    _G_count=0
+    _G_path_prog_max=0
+    printf 0123456789 >conftest.in
+    while :
+    do
+      cat conftest.in conftest.in >conftest.tmp
+      mv conftest.tmp conftest.in
+      cp conftest.in conftest.nl
+      echo 'GREP' >> conftest.nl
+      "$_G_path_prog" -e 'GREP$' -e '-(cannot match)-' <conftest.nl >conftest.out 2>/dev/null || break
+      diff conftest.out conftest.nl >/dev/null 2>&1 || break
+      _G_count=`expr $_G_count + 1`
+      if test "$_G_count" -gt "$_G_path_prog_max"; then
+        # Best one so far, save it but keep looking for a better one
+        func_check_prog_result=$_G_path_prog
+        _G_path_prog_max=$_G_count
+      fi
+      # 10*(2^10) chars as input seems more than enough
+      test 10 -lt "$_G_count" && break
+    done
+    rm -f conftest.in conftest.tmp conftest.nl conftest.out
+  }
+
+  func_path_progs "grep ggrep" func_check_prog_grep $PATH:/usr/xpg4/bin
+  GREP=$func_path_progs_result
+}
+
+
+## ------------------------------- ##
+## User overridable command paths. ##
+## ------------------------------- ##
+
+# All uppercase variable names are used for environment variables.  These
+# variables can be overridden by the user before calling a script that
+# uses them if a suitable command of that name is not already available
+# in the command search PATH.
+
+: ${CP="cp -f"}
+: ${ECHO="printf %s\n"}
+: ${EGREP="$GREP -E"}
+: ${FGREP="$GREP -F"}
+: ${LN_S="ln -s"}
+: ${MAKE="make"}
+: ${MKDIR="mkdir"}
+: ${MV="mv -f"}
+: ${RM="rm -f"}
+: ${SHELL="${CONFIG_SHELL-/bin/sh}"}
+
+
+## -------------------- ##
+## Useful sed snippets. ##
+## -------------------- ##
+
+sed_dirname='s|/[^/]*$||'
+sed_basename='s|^.*/||'
+
+# Sed substitution that helps us do robust quoting.  It backslashifies
+# metacharacters that are still active within double-quoted strings.
+sed_quote_subst='s|\([`"$\\]\)|\\\1|g'
+
+# Same as above, but do not quote variable references.
+sed_double_quote_subst='s/\(["`\\]\)/\\\1/g'
+
+# Sed substitution that turns a string into a regex matching for the
+# string literally.
+sed_make_literal_regex='s|[].[^$\\*\/]|\\&|g'
+
+# Sed substitution that converts a w32 file name or path
+# that contains forward slashes, into one that contains
+# (escaped) backslashes.  A very naive implementation.
+sed_naive_backslashify='s|\\\\*|\\|g;s|/|\\|g;s|\\|\\\\|g'
+
+# Re-'\' parameter expansions in output of sed_double_quote_subst that
+# were '\'-ed in input to the same.  If an odd number of '\' preceded a
+# '$' in input to sed_double_quote_subst, that '$' was protected from
+# expansion.  Since each input '\' is now two '\'s, look for any number
+# of runs of four '\'s followed by two '\'s and then a '$'.  '\' that '$'.
+_G_bs='\\'
+_G_bs2='\\\\'
+_G_bs4='\\\\\\\\'
+_G_dollar='\$'
+sed_double_backslash="\
+  s/$_G_bs4/&\\
+/g
+  s/^$_G_bs2$_G_dollar/$_G_bs&/
+  s/\\([^$_G_bs]\\)$_G_bs2$_G_dollar/\\1$_G_bs2$_G_bs$_G_dollar/g
+  s/\n//g"
+
+
+## ----------------- ##
+## Global variables. ##
+## ----------------- ##
+
+# Except for the global variables explicitly listed below, the following
+# functions in the '^func_' namespace, and the '^require_' namespace
+# variables initialised in the 'Resource management' section, sourcing
+# this file will not pollute your global namespace with anything
+# else. There's no portable way to scope variables in Bourne shell
+# though, so actually running these functions will sometimes place
+# results into a variable named after the function, and often use
+# temporary variables in the '^_G_' namespace. If you are careful to
+# avoid using those namespaces casually in your sourcing script, things
+# should continue to work as you expect. And, of course, you can freely
+# overwrite any of the functions or variables defined here before
+# calling anything to customize them.
+
+EXIT_SUCCESS=0
+EXIT_FAILURE=1
+EXIT_MISMATCH=63  # $? = 63 is used to indicate version mismatch to missing.
+EXIT_SKIP=77	  # $? = 77 is used to indicate a skipped test to automake.
+
+# Allow overriding, eg assuming that you follow the convention of
+# putting '$debug_cmd' at the start of all your functions, you can get
+# bash to show function call trace with:
+#
+#    debug_cmd='echo "${FUNCNAME[0]} $*" >&2' bash your-script-name
+debug_cmd=${debug_cmd-":"}
+exit_cmd=:
+
+# By convention, finish your script with:
+#
+#    exit $exit_status
+#
+# so that you can set exit_status to non-zero if you want to indicate
+# something went wrong during execution without actually bailing out at
+# the point of failure.
+exit_status=$EXIT_SUCCESS
+
+# Work around backward compatibility issue on IRIX 6.5. On IRIX 6.4+, sh
+# is ksh but when the shell is invoked as "sh" and the current value of
+# the _XPG environment variable is not equal to 1 (one), the special
+# positional parameter $0, within a function call, is the name of the
+# function.
+progpath=$0
+
+# The name of this program.
+progname=`$ECHO "$progpath" |$SED "$sed_basename"`
+
+# Make sure we have an absolute progpath for reexecution:
+case $progpath in
+  [\\/]*|[A-Za-z]:\\*) ;;
+  *[\\/]*)
+     progdir=`$ECHO "$progpath" |$SED "$sed_dirname"`
+     progdir=`cd "$progdir" && pwd`
+     progpath=$progdir/$progname
+     ;;
+  *)
+     _G_IFS=$IFS
+     IFS=${PATH_SEPARATOR-:}
+     for progdir in $PATH; do
+       IFS=$_G_IFS
+       test -x "$progdir/$progname" && break
+     done
+     IFS=$_G_IFS
+     test -n "$progdir" || progdir=`pwd`
+     progpath=$progdir/$progname
+     ;;
+esac
+
+
+## ----------------- ##
+## Standard options. ##
+## ----------------- ##
+
+# The following options affect the operation of the functions defined
+# below, and should be set appropriately depending on run-time para-
+# meters passed on the command line.
+
+opt_dry_run=false
+opt_quiet=false
+opt_verbose=false
+
+# Categories 'all' and 'none' are always available.  Append any others
+# you will pass as the first argument to func_warning from your own
+# code.
+warning_categories=
+
+# By default, display warnings according to 'opt_warning_types'.  Set
+# 'warning_func'  to ':' to elide all warnings, or func_fatal_error to
+# treat the next displayed warning as a fatal error.
+warning_func=func_warn_and_continue
+
+# Set to 'all' to display all warnings, 'none' to suppress all
+# warnings, or a space delimited list of some subset of
+# 'warning_categories' to display only the listed warnings.
+opt_warning_types=all
+
+
+## -------------------- ##
+## Resource management. ##
+## -------------------- ##
+
+# This section contains definitions for functions that each ensure a
+# particular resource (a file, or a non-empty configuration variable for
+# example) is available, and if appropriate to extract default values
+# from pertinent package files. Call them using their associated
+# 'require_*' variable to ensure that they are executed, at most, once.
+#
+# It's entirely deliberate that calling these functions can set
+# variables that don't obey the namespace limitations obeyed by the rest
+# of this file, in order that that they be as useful as possible to
+# callers.
+
+
+# require_term_colors
+# -------------------
+# Allow display of bold text on terminals that support it.
+require_term_colors=func_require_term_colors
+func_require_term_colors ()
+{
+    $debug_cmd
+
+    test -t 1 && {
+      # COLORTERM and USE_ANSI_COLORS environment variables take
+      # precedence, because most terminfo databases neglect to describe
+      # whether color sequences are supported.
+      test -n "${COLORTERM+set}" && : ${USE_ANSI_COLORS="1"}
+
+      if test 1 = "$USE_ANSI_COLORS"; then
+        # Standard ANSI escape sequences
+        tc_reset=''
+        tc_bold='';   tc_standout=''
+        tc_red='';   tc_green=''
+        tc_blue='';  tc_cyan=''
+      else
+        # Otherwise trust the terminfo database after all.
+        test -n "`tput sgr0 2>/dev/null`" && {
+          tc_reset=`tput sgr0`
+          test -n "`tput bold 2>/dev/null`" && tc_bold=`tput bold`
+          tc_standout=$tc_bold
+          test -n "`tput smso 2>/dev/null`" && tc_standout=`tput smso`
+          test -n "`tput setaf 1 2>/dev/null`" && tc_red=`tput setaf 1`
+          test -n "`tput setaf 2 2>/dev/null`" && tc_green=`tput setaf 2`
+          test -n "`tput setaf 4 2>/dev/null`" && tc_blue=`tput setaf 4`
+          test -n "`tput setaf 5 2>/dev/null`" && tc_cyan=`tput setaf 5`
+        }
+      fi
+    }
+
+    require_term_colors=:
+}
+
+
+## ----------------- ##
+## Function library. ##
+## ----------------- ##
+
+# This section contains a variety of useful functions to call in your
+# scripts. Take note of the portable wrappers for features provided by
+# some modern shells, which will fall back to slower equivalents on
+# less featureful shells.
+
+
+# func_append VAR VALUE
+# ---------------------
+# Append VALUE onto the existing contents of VAR.
+
+  # We should try to minimise forks, especially on Windows where they are
+  # unreasonably slow, so skip the feature probes when bash or zsh are
+  # being used:
+  if test set = "${BASH_VERSION+set}${ZSH_VERSION+set}"; then
+    : ${_G_HAVE_ARITH_OP="yes"}
+    : ${_G_HAVE_XSI_OPS="yes"}
+    # The += operator was introduced in bash 3.1
+    case $BASH_VERSION in
+      [12].* | 3.0 | 3.0*) ;;
+      *)
+        : ${_G_HAVE_PLUSEQ_OP="yes"}
+        ;;
+    esac
+  fi
+
+  # _G_HAVE_PLUSEQ_OP
+  # Can be empty, in which case the shell is probed, "yes" if += is
+  # useable or anything else if it does not work.
+  test -z "$_G_HAVE_PLUSEQ_OP" \
+    && (eval 'x=a; x+=" b"; test "a b" = "$x"') 2>/dev/null \
+    && _G_HAVE_PLUSEQ_OP=yes
+
+if test yes = "$_G_HAVE_PLUSEQ_OP"
+then
+  # This is an XSI compatible shell, allowing a faster implementation...
+  eval 'func_append ()
+  {
+    $debug_cmd
+
+    eval "$1+=\$2"
+  }'
+else
+  # ...otherwise fall back to using expr, which is often a shell builtin.
+  func_append ()
+  {
+    $debug_cmd
+
+    eval "$1=\$$1\$2"
+  }
+fi
+
+
+# func_append_quoted VAR VALUE
+# ----------------------------
+# Quote VALUE and append to the end of shell variable VAR, separated
+# by a space.
+if test yes = "$_G_HAVE_PLUSEQ_OP"; then
+  eval 'func_append_quoted ()
+  {
+    $debug_cmd
+
+    func_quote_for_eval "$2"
+    eval "$1+=\\ \$func_quote_for_eval_result"
+  }'
+else
+  func_append_quoted ()
+  {
+    $debug_cmd
+
+    func_quote_for_eval "$2"
+    eval "$1=\$$1\\ \$func_quote_for_eval_result"
+  }
+fi
+
+
+# func_append_uniq VAR VALUE
+# --------------------------
+# Append unique VALUE onto the existing contents of VAR, assuming
+# entries are delimited by the first character of VALUE.  For example:
+#
+#   func_append_uniq options " --another-option option-argument"
+#
+# will only append to $options if " --another-option option-argument "
+# is not already present somewhere in $options already (note spaces at
+# each end implied by leading space in second argument).
+func_append_uniq ()
+{
+    $debug_cmd
+
+    eval _G_current_value='`$ECHO $'$1'`'
+    _G_delim=`expr "$2" : '\(.\)'`
+
+    case $_G_delim$_G_current_value$_G_delim in
+      *"$2$_G_delim"*) ;;
+      *) func_append "$@" ;;
+    esac
+}
+
+
+# func_arith TERM...
+# ------------------
+# Set func_arith_result to the result of evaluating TERMs.
+  test -z "$_G_HAVE_ARITH_OP" \
+    && (eval 'test 2 = $(( 1 + 1 ))') 2>/dev/null \
+    && _G_HAVE_ARITH_OP=yes
+
+if test yes = "$_G_HAVE_ARITH_OP"; then
+  eval 'func_arith ()
+  {
+    $debug_cmd
+
+    func_arith_result=$(( $* ))
+  }'
+else
+  func_arith ()
+  {
+    $debug_cmd
+
+    func_arith_result=`expr "$@"`
+  }
+fi
+
+
+# func_basename FILE
+# ------------------
+# Set func_basename_result to FILE with everything up to and including
+# the last / stripped.
+if test yes = "$_G_HAVE_XSI_OPS"; then
+  # If this shell supports suffix pattern removal, then use it to avoid
+  # forking. Hide the definitions single quotes in case the shell chokes
+  # on unsupported syntax...
+  _b='func_basename_result=${1##*/}'
+  _d='case $1 in
+        */*) func_dirname_result=${1%/*}$2 ;;
+        *  ) func_dirname_result=$3        ;;
+      esac'
+
+else
+  # ...otherwise fall back to using sed.
+  _b='func_basename_result=`$ECHO "$1" |$SED "$sed_basename"`'
+  _d='func_dirname_result=`$ECHO "$1"  |$SED "$sed_dirname"`
+      if test "X$func_dirname_result" = "X$1"; then
+        func_dirname_result=$3
+      else
+        func_append func_dirname_result "$2"
+      fi'
+fi
+
+eval 'func_basename ()
+{
+    $debug_cmd
+
+    '"$_b"'
+}'
+
+
+# func_dirname FILE APPEND NONDIR_REPLACEMENT
+# -------------------------------------------
+# Compute the dirname of FILE.  If nonempty, add APPEND to the result,
+# otherwise set result to NONDIR_REPLACEMENT.
+eval 'func_dirname ()
+{
+    $debug_cmd
+
+    '"$_d"'
+}'
+
+
+# func_dirname_and_basename FILE APPEND NONDIR_REPLACEMENT
+# --------------------------------------------------------
+# Perform func_basename and func_dirname in a single function
+# call:
+#   dirname:  Compute the dirname of FILE.  If nonempty,
+#             add APPEND to the result, otherwise set result
+#             to NONDIR_REPLACEMENT.
+#             value returned in "$func_dirname_result"
+#   basename: Compute filename of FILE.
+#             value retuned in "$func_basename_result"
+# For efficiency, we do not delegate to the functions above but instead
+# duplicate the functionality here.
+eval 'func_dirname_and_basename ()
+{
+    $debug_cmd
+
+    '"$_b"'
+    '"$_d"'
+}'
+
+
+# func_echo ARG...
+# ----------------
+# Echo program name prefixed message.
+func_echo ()
+{
+    $debug_cmd
+
+    _G_message=$*
+
+    func_echo_IFS=$IFS
+    IFS=$nl
+    for _G_line in $_G_message; do
+      IFS=$func_echo_IFS
+      $ECHO "$progname: $_G_line"
+    done
+    IFS=$func_echo_IFS
+}
+
+
+# func_echo_all ARG...
+# --------------------
+# Invoke $ECHO with all args, space-separated.
+func_echo_all ()
+{
+    $ECHO "$*"
+}
+
+
+# func_echo_infix_1 INFIX ARG...
+# ------------------------------
+# Echo program name, followed by INFIX on the first line, with any
+# additional lines not showing INFIX.
+func_echo_infix_1 ()
+{
+    $debug_cmd
+
+    $require_term_colors
+
+    _G_infix=$1; shift
+    _G_indent=$_G_infix
+    _G_prefix="$progname: $_G_infix: "
+    _G_message=$*
+
+    # Strip color escape sequences before counting printable length
+    for _G_tc in "$tc_reset" "$tc_bold" "$tc_standout" "$tc_red" "$tc_green" "$tc_blue" "$tc_cyan"
+    do
+      test -n "$_G_tc" && {
+        _G_esc_tc=`$ECHO "$_G_tc" | $SED "$sed_make_literal_regex"`
+        _G_indent=`$ECHO "$_G_indent" | $SED "s|$_G_esc_tc||g"`
+      }
+    done
+    _G_indent="$progname: "`echo "$_G_indent" | $SED 's|.| |g'`"  " ## exclude from sc_prohibit_nested_quotes
+
+    func_echo_infix_1_IFS=$IFS
+    IFS=$nl
+    for _G_line in $_G_message; do
+      IFS=$func_echo_infix_1_IFS
+      $ECHO "$_G_prefix$tc_bold$_G_line$tc_reset" >&2
+      _G_prefix=$_G_indent
+    done
+    IFS=$func_echo_infix_1_IFS
+}
+
+
+# func_error ARG...
+# -----------------
+# Echo program name prefixed message to standard error.
+func_error ()
+{
+    $debug_cmd
+
+    $require_term_colors
+
+    func_echo_infix_1 "  $tc_standout${tc_red}error$tc_reset" "$*" >&2
+}
+
+
+# func_fatal_error ARG...
+# -----------------------
+# Echo program name prefixed message to standard error, and exit.
+func_fatal_error ()
+{
+    $debug_cmd
+
+    func_error "$*"
+    exit $EXIT_FAILURE
+}
+
+
+# func_grep EXPRESSION FILENAME
+# -----------------------------
+# Check whether EXPRESSION matches any line of FILENAME, without output.
+func_grep ()
+{
+    $debug_cmd
+
+    $GREP "$1" "$2" >/dev/null 2>&1
+}
+
+
+# func_len STRING
+# ---------------
+# Set func_len_result to the length of STRING. STRING may not
+# start with a hyphen.
+  test -z "$_G_HAVE_XSI_OPS" \
+    && (eval 'x=a/b/c;
+      test 5aa/bb/cc = "${#x}${x%%/*}${x%/*}${x#*/}${x##*/}"') 2>/dev/null \
+    && _G_HAVE_XSI_OPS=yes
+
+if test yes = "$_G_HAVE_XSI_OPS"; then
+  eval 'func_len ()
+  {
+    $debug_cmd
+
+    func_len_result=${#1}
+  }'
+else
+  func_len ()
+  {
+    $debug_cmd
+
+    func_len_result=`expr "$1" : ".*" 2>/dev/null || echo $max_cmd_len`
+  }
+fi
+
+
+# func_mkdir_p DIRECTORY-PATH
+# ---------------------------
+# Make sure the entire path to DIRECTORY-PATH is available.
+func_mkdir_p ()
+{
+    $debug_cmd
+
+    _G_directory_path=$1
+    _G_dir_list=
+
+    if test -n "$_G_directory_path" && test : != "$opt_dry_run"; then
+
+      # Protect directory names starting with '-'
+      case $_G_directory_path in
+        -*) _G_directory_path=./$_G_directory_path ;;
+      esac
+
+      # While some portion of DIR does not yet exist...
+      while test ! -d "$_G_directory_path"; do
+        # ...make a list in topmost first order.  Use a colon delimited
+	# list incase some portion of path contains whitespace.
+        _G_dir_list=$_G_directory_path:$_G_dir_list
+
+        # If the last portion added has no slash in it, the list is done
+        case $_G_directory_path in */*) ;; *) break ;; esac
+
+        # ...otherwise throw away the child directory and loop
+        _G_directory_path=`$ECHO "$_G_directory_path" | $SED -e "$sed_dirname"`
+      done
+      _G_dir_list=`$ECHO "$_G_dir_list" | $SED 's|:*$||'`
+
+      func_mkdir_p_IFS=$IFS; IFS=:
+      for _G_dir in $_G_dir_list; do
+	IFS=$func_mkdir_p_IFS
+        # mkdir can fail with a 'File exist' error if two processes
+        # try to create one of the directories concurrently.  Don't
+        # stop in that case!
+        $MKDIR "$_G_dir" 2>/dev/null || :
+      done
+      IFS=$func_mkdir_p_IFS
+
+      # Bail out if we (or some other process) failed to create a directory.
+      test -d "$_G_directory_path" || \
+        func_fatal_error "Failed to create '$1'"
+    fi
+}
+
+
+# func_mktempdir [BASENAME]
+# -------------------------
+# Make a temporary directory that won't clash with other running
+# libtool processes, and avoids race conditions if possible.  If
+# given, BASENAME is the basename for that directory.
+func_mktempdir ()
+{
+    $debug_cmd
+
+    _G_template=${TMPDIR-/tmp}/${1-$progname}
+
+    if test : = "$opt_dry_run"; then
+      # Return a directory name, but don't create it in dry-run mode
+      _G_tmpdir=$_G_template-$$
+    else
+
+      # If mktemp works, use that first and foremost
+      _G_tmpdir=`mktemp -d "$_G_template-XXXXXXXX" 2>/dev/null`
+
+      if test ! -d "$_G_tmpdir"; then
+        # Failing that, at least try and use $RANDOM to avoid a race
+        _G_tmpdir=$_G_template-${RANDOM-0}$$
+
+        func_mktempdir_umask=`umask`
+        umask 0077
+        $MKDIR "$_G_tmpdir"
+        umask $func_mktempdir_umask
+      fi
+
+      # If we're not in dry-run mode, bomb out on failure
+      test -d "$_G_tmpdir" || \
+        func_fatal_error "cannot create temporary directory '$_G_tmpdir'"
+    fi
+
+    $ECHO "$_G_tmpdir"
+}
+
+
+# func_normal_abspath PATH
+# ------------------------
+# Remove doubled-up and trailing slashes, "." path components,
+# and cancel out any ".." path components in PATH after making
+# it an absolute path.
+func_normal_abspath ()
+{
+    $debug_cmd
+
+    # These SED scripts presuppose an absolute path with a trailing slash.
+    _G_pathcar='s|^/\([^/]*\).*$|\1|'
+    _G_pathcdr='s|^/[^/]*||'
+    _G_removedotparts=':dotsl
+		s|/\./|/|g
+		t dotsl
+		s|/\.$|/|'
+    _G_collapseslashes='s|/\{1,\}|/|g'
+    _G_finalslash='s|/*$|/|'
+
+    # Start from root dir and reassemble the path.
+    func_normal_abspath_result=
+    func_normal_abspath_tpath=$1
+    func_normal_abspath_altnamespace=
+    case $func_normal_abspath_tpath in
+      "")
+        # Empty path, that just means $cwd.
+        func_stripname '' '/' "`pwd`"
+        func_normal_abspath_result=$func_stripname_result
+        return
+        ;;
+      # The next three entries are used to spot a run of precisely
+      # two leading slashes without using negated character classes;
+      # we take advantage of case's first-match behaviour.
+      ///*)
+        # Unusual form of absolute path, do nothing.
+        ;;
+      //*)
+        # Not necessarily an ordinary path; POSIX reserves leading '//'
+        # and for example Cygwin uses it to access remote file shares
+        # over CIFS/SMB, so we conserve a leading double slash if found.
+        func_normal_abspath_altnamespace=/
+        ;;
+      /*)
+        # Absolute path, do nothing.
+        ;;
+      *)
+        # Relative path, prepend $cwd.
+        func_normal_abspath_tpath=`pwd`/$func_normal_abspath_tpath
+        ;;
+    esac
+
+    # Cancel out all the simple stuff to save iterations.  We also want
+    # the path to end with a slash for ease of parsing, so make sure
+    # there is one (and only one) here.
+    func_normal_abspath_tpath=`$ECHO "$func_normal_abspath_tpath" | $SED \
+          -e "$_G_removedotparts" -e "$_G_collapseslashes" -e "$_G_finalslash"`
+    while :; do
+      # Processed it all yet?
+      if test / = "$func_normal_abspath_tpath"; then
+        # If we ascended to the root using ".." the result may be empty now.
+        if test -z "$func_normal_abspath_result"; then
+          func_normal_abspath_result=/
+        fi
+        break
+      fi
+      func_normal_abspath_tcomponent=`$ECHO "$func_normal_abspath_tpath" | $SED \
+          -e "$_G_pathcar"`
+      func_normal_abspath_tpath=`$ECHO "$func_normal_abspath_tpath" | $SED \
+          -e "$_G_pathcdr"`
+      # Figure out what to do with it
+      case $func_normal_abspath_tcomponent in
+        "")
+          # Trailing empty path component, ignore it.
+          ;;
+        ..)
+          # Parent dir; strip last assembled component from result.
+          func_dirname "$func_normal_abspath_result"
+          func_normal_abspath_result=$func_dirname_result
+          ;;
+        *)
+          # Actual path component, append it.
+          func_append func_normal_abspath_result "/$func_normal_abspath_tcomponent"
+          ;;
+      esac
+    done
+    # Restore leading double-slash if one was found on entry.
+    func_normal_abspath_result=$func_normal_abspath_altnamespace$func_normal_abspath_result
+}
+
+
+# func_notquiet ARG...
+# --------------------
+# Echo program name prefixed message only when not in quiet mode.
+func_notquiet ()
+{
+    $debug_cmd
+
+    $opt_quiet || func_echo ${1+"$@"}
+
+    # A bug in bash halts the script if the last line of a function
+    # fails when set -e is in force, so we need another command to
+    # work around that:
+    :
+}
+
+
+# func_relative_path SRCDIR DSTDIR
+# --------------------------------
+# Set func_relative_path_result to the relative path from SRCDIR to DSTDIR.
+func_relative_path ()
+{
+    $debug_cmd
+
+    func_relative_path_result=
+    func_normal_abspath "$1"
+    func_relative_path_tlibdir=$func_normal_abspath_result
+    func_normal_abspath "$2"
+    func_relative_path_tbindir=$func_normal_abspath_result
+
+    # Ascend the tree starting from libdir
+    while :; do
+      # check if we have found a prefix of bindir
+      case $func_relative_path_tbindir in
+        $func_relative_path_tlibdir)
+          # found an exact match
+          func_relative_path_tcancelled=
+          break
+          ;;
+        $func_relative_path_tlibdir*)
+          # found a matching prefix
+          func_stripname "$func_relative_path_tlibdir" '' "$func_relative_path_tbindir"
+          func_relative_path_tcancelled=$func_stripname_result
+          if test -z "$func_relative_path_result"; then
+            func_relative_path_result=.
+          fi
+          break
+          ;;
+        *)
+          func_dirname $func_relative_path_tlibdir
+          func_relative_path_tlibdir=$func_dirname_result
+          if test -z "$func_relative_path_tlibdir"; then
+            # Have to descend all the way to the root!
+            func_relative_path_result=../$func_relative_path_result
+            func_relative_path_tcancelled=$func_relative_path_tbindir
+            break
+          fi
+          func_relative_path_result=../$func_relative_path_result
+          ;;
+      esac
+    done
+
+    # Now calculate path; take care to avoid doubling-up slashes.
+    func_stripname '' '/' "$func_relative_path_result"
+    func_relative_path_result=$func_stripname_result
+    func_stripname '/' '/' "$func_relative_path_tcancelled"
+    if test -n "$func_stripname_result"; then
+      func_append func_relative_path_result "/$func_stripname_result"
+    fi
+
+    # Normalisation. If bindir is libdir, return '.' else relative path.
+    if test -n "$func_relative_path_result"; then
+      func_stripname './' '' "$func_relative_path_result"
+      func_relative_path_result=$func_stripname_result
+    fi
+
+    test -n "$func_relative_path_result" || func_relative_path_result=.
+
+    :
+}
+
+
+# func_quote_for_eval ARG...
+# --------------------------
+# Aesthetically quote ARGs to be evaled later.
+# This function returns two values:
+#   i) func_quote_for_eval_result
+#      double-quoted, suitable for a subsequent eval
+#  ii) func_quote_for_eval_unquoted_result
+#      has all characters that are still active within double
+#      quotes backslashified.
+func_quote_for_eval ()
+{
+    $debug_cmd
+
+    func_quote_for_eval_unquoted_result=
+    func_quote_for_eval_result=
+    while test 0 -lt $#; do
+      case $1 in
+        *[\\\`\"\$]*)
+	  _G_unquoted_arg=`printf '%s\n' "$1" |$SED "$sed_quote_subst"` ;;
+        *)
+          _G_unquoted_arg=$1 ;;
+      esac
+      if test -n "$func_quote_for_eval_unquoted_result"; then
+	func_append func_quote_for_eval_unquoted_result " $_G_unquoted_arg"
+      else
+        func_append func_quote_for_eval_unquoted_result "$_G_unquoted_arg"
+      fi
+
+      case $_G_unquoted_arg in
+        # Double-quote args containing shell metacharacters to delay
+        # word splitting, command substitution and variable expansion
+        # for a subsequent eval.
+        # Many Bourne shells cannot handle close brackets correctly
+        # in scan sets, so we specify it separately.
+        *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+          _G_quoted_arg=\"$_G_unquoted_arg\"
+          ;;
+        *)
+          _G_quoted_arg=$_G_unquoted_arg
+	  ;;
+      esac
+
+      if test -n "$func_quote_for_eval_result"; then
+	func_append func_quote_for_eval_result " $_G_quoted_arg"
+      else
+        func_append func_quote_for_eval_result "$_G_quoted_arg"
+      fi
+      shift
+    done
+}
+
+
+# func_quote_for_expand ARG
+# -------------------------
+# Aesthetically quote ARG to be evaled later; same as above,
+# but do not quote variable references.
+func_quote_for_expand ()
+{
+    $debug_cmd
+
+    case $1 in
+      *[\\\`\"]*)
+	_G_arg=`$ECHO "$1" | $SED \
+	    -e "$sed_double_quote_subst" -e "$sed_double_backslash"` ;;
+      *)
+        _G_arg=$1 ;;
+    esac
+
+    case $_G_arg in
+      # Double-quote args containing shell metacharacters to delay
+      # word splitting and command substitution for a subsequent eval.
+      # Many Bourne shells cannot handle close brackets correctly
+      # in scan sets, so we specify it separately.
+      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+        _G_arg=\"$_G_arg\"
+        ;;
+    esac
+
+    func_quote_for_expand_result=$_G_arg
+}
+
+
+# func_stripname PREFIX SUFFIX NAME
+# ---------------------------------
+# strip PREFIX and SUFFIX from NAME, and store in func_stripname_result.
+# PREFIX and SUFFIX must not contain globbing or regex special
+# characters, hashes, percent signs, but SUFFIX may contain a leading
+# dot (in which case that matches only a dot).
+if test yes = "$_G_HAVE_XSI_OPS"; then
+  eval 'func_stripname ()
+  {
+    $debug_cmd
+
+    # pdksh 5.2.14 does not do ${X%$Y} correctly if both X and Y are
+    # positional parameters, so assign one to ordinary variable first.
+    func_stripname_result=$3
+    func_stripname_result=${func_stripname_result#"$1"}
+    func_stripname_result=${func_stripname_result%"$2"}
+  }'
+else
+  func_stripname ()
+  {
+    $debug_cmd
+
+    case $2 in
+      .*) func_stripname_result=`$ECHO "$3" | $SED -e "s%^$1%%" -e "s%\\\\$2\$%%"`;;
+      *)  func_stripname_result=`$ECHO "$3" | $SED -e "s%^$1%%" -e "s%$2\$%%"`;;
+    esac
+  }
+fi
+
+
+# func_show_eval CMD [FAIL_EXP]
+# -----------------------------
+# Unless opt_quiet is true, then output CMD.  Then, if opt_dryrun is
+# not true, evaluate CMD.  If the evaluation of CMD fails, and FAIL_EXP
+# is given, then evaluate it.
+func_show_eval ()
+{
+    $debug_cmd
+
+    _G_cmd=$1
+    _G_fail_exp=${2-':'}
+
+    func_quote_for_expand "$_G_cmd"
+    eval "func_notquiet $func_quote_for_expand_result"
+
+    $opt_dry_run || {
+      eval "$_G_cmd"
+      _G_status=$?
+      if test 0 -ne "$_G_status"; then
+	eval "(exit $_G_status); $_G_fail_exp"
+      fi
+    }
+}
+
+
+# func_show_eval_locale CMD [FAIL_EXP]
+# ------------------------------------
+# Unless opt_quiet is true, then output CMD.  Then, if opt_dryrun is
+# not true, evaluate CMD.  If the evaluation of CMD fails, and FAIL_EXP
+# is given, then evaluate it.  Use the saved locale for evaluation.
+func_show_eval_locale ()
+{
+    $debug_cmd
+
+    _G_cmd=$1
+    _G_fail_exp=${2-':'}
+
+    $opt_quiet || {
+      func_quote_for_expand "$_G_cmd"
+      eval "func_echo $func_quote_for_expand_result"
+    }
+
+    $opt_dry_run || {
+      eval "$_G_user_locale
+	    $_G_cmd"
+      _G_status=$?
+      eval "$_G_safe_locale"
+      if test 0 -ne "$_G_status"; then
+	eval "(exit $_G_status); $_G_fail_exp"
+      fi
+    }
+}
+
+
+# func_tr_sh
+# ----------
+# Turn $1 into a string suitable for a shell variable name.
+# Result is stored in $func_tr_sh_result.  All characters
+# not in the set a-zA-Z0-9_ are replaced with '_'. Further,
+# if $1 begins with a digit, a '_' is prepended as well.
+func_tr_sh ()
+{
+    $debug_cmd
+
+    case $1 in
+    [0-9]* | *[!a-zA-Z0-9_]*)
+      func_tr_sh_result=`$ECHO "$1" | $SED -e 's/^\([0-9]\)/_\1/' -e 's/[^a-zA-Z0-9_]/_/g'`
+      ;;
+    * )
+      func_tr_sh_result=$1
+      ;;
+    esac
+}
+
+
+# func_verbose ARG...
+# -------------------
+# Echo program name prefixed message in verbose mode only.
+func_verbose ()
+{
+    $debug_cmd
+
+    $opt_verbose && func_echo "$*"
+
+    :
+}
+
+
+# func_warn_and_continue ARG...
+# -----------------------------
+# Echo program name prefixed warning message to standard error.
+func_warn_and_continue ()
+{
+    $debug_cmd
+
+    $require_term_colors
+
+    func_echo_infix_1 "${tc_red}warning$tc_reset" "$*" >&2
+}
+
+
+# func_warning CATEGORY ARG...
+# ----------------------------
+# Echo program name prefixed warning message to standard error. Warning
+# messages can be filtered according to CATEGORY, where this function
+# elides messages where CATEGORY is not listed in the global variable
+# 'opt_warning_types'.
+func_warning ()
+{
+    $debug_cmd
+
+    # CATEGORY must be in the warning_categories list!
+    case " $warning_categories " in
+      *" $1 "*) ;;
+      *) func_internal_error "invalid warning category '$1'" ;;
+    esac
+
+    _G_category=$1
+    shift
+
+    case " $opt_warning_types " in
+      *" $_G_category "*) $warning_func ${1+"$@"} ;;
+    esac
+}
+
+
+# func_sort_ver VER1 VER2
+# -----------------------
+# 'sort -V' is not generally available.
+# Note this deviates from the version comparison in automake
+# in that it treats 1.5 < 1.5.0, and treats 1.4.4a < 1.4-p3a
+# but this should suffice as we won't be specifying old
+# version formats or redundant trailing .0 in bootstrap.conf.
+# If we did want full compatibility then we should probably
+# use m4_version_compare from autoconf.
+func_sort_ver ()
+{
+    $debug_cmd
+
+    printf '%s\n%s\n' "$1" "$2" \
+      | sort -t. -k 1,1n -k 2,2n -k 3,3n -k 4,4n -k 5,5n -k 6,6n -k 7,7n -k 8,8n -k 9,9n
+}
+
+# func_lt_ver PREV CURR
+# ---------------------
+# Return true if PREV and CURR are in the correct order according to
+# func_sort_ver, otherwise false.  Use it like this:
+#
+#  func_lt_ver "$prev_ver" "$proposed_ver" || func_fatal_error "..."
+func_lt_ver ()
+{
+    $debug_cmd
+
+    test "x$1" = x`func_sort_ver "$1" "$2" | $SED 1q`
+}
+
+
+# Local variables:
+# mode: shell-script
+# sh-indentation: 2
+# eval: (add-hook 'before-save-hook 'time-stamp)
+# time-stamp-pattern: "10/scriptversion=%:y-%02m-%02d.%02H; # UTC"
+# time-stamp-time-zone: "UTC"
+# End:
+#! /bin/sh
+
+# Set a version string for this script.
+scriptversion=2015-10-07.11; # UTC
+
+# A portable, pluggable option parser for Bourne shell.
+# Written by Gary V. Vaughan, 2010
+
+# Copyright (C) 2010-2015 Free Software Foundation, Inc.
+# This is free software; see the source for copying conditions.  There is NO
+# warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Please report bugs or propose patches to gary@gnu.org.
+
+
+## ------ ##
+## Usage. ##
+## ------ ##
+
+# This file is a library for parsing options in your shell scripts along
+# with assorted other useful supporting features that you can make use
+# of too.
+#
+# For the simplest scripts you might need only:
+#
+#   #!/bin/sh
+#   . relative/path/to/funclib.sh
+#   . relative/path/to/options-parser
+#   scriptversion=1.0
+#   func_options ${1+"$@"}
+#   eval set dummy "$func_options_result"; shift
+#   ...rest of your script...
+#
+# In order for the '--version' option to work, you will need to have a
+# suitably formatted comment like the one at the top of this file
+# starting with '# Written by ' and ending with '# warranty; '.
+#
+# For '-h' and '--help' to work, you will also need a one line
+# description of your script's purpose in a comment directly above the
+# '# Written by ' line, like the one at the top of this file.
+#
+# The default options also support '--debug', which will turn on shell
+# execution tracing (see the comment above debug_cmd below for another
+# use), and '--verbose' and the func_verbose function to allow your script
+# to display verbose messages only when your user has specified
+# '--verbose'.
+#
+# After sourcing this file, you can plug processing for additional
+# options by amending the variables from the 'Configuration' section
+# below, and following the instructions in the 'Option parsing'
+# section further down.
+
+## -------------- ##
+## Configuration. ##
+## -------------- ##
+
+# You should override these variables in your script after sourcing this
+# file so that they reflect the customisations you have added to the
+# option parser.
+
+# The usage line for option parsing errors and the start of '-h' and
+# '--help' output messages. You can embed shell variables for delayed
+# expansion at the time the message is displayed, but you will need to
+# quote other shell meta-characters carefully to prevent them being
+# expanded when the contents are evaled.
+usage='$progpath [OPTION]...'
+
+# Short help message in response to '-h' and '--help'.  Add to this or
+# override it after sourcing this library to reflect the full set of
+# options your script accepts.
+usage_message="\
+       --debug        enable verbose shell tracing
+   -W, --warnings=CATEGORY
+                      report the warnings falling in CATEGORY [all]
+   -v, --verbose      verbosely report processing
+       --version      print version information and exit
+   -h, --help         print short or long help message and exit
+"
+
+# Additional text appended to 'usage_message' in response to '--help'.
+long_help_message="
+Warning categories include:
+       'all'          show all warnings
+       'none'         turn off all the warnings
+       'error'        warnings are treated as fatal errors"
+
+# Help message printed before fatal option parsing errors.
+fatal_help="Try '\$progname --help' for more information."
+
+
+
+## ------------------------- ##
+## Hook function management. ##
+## ------------------------- ##
+
+# This section contains functions for adding, removing, and running hooks
+# to the main code.  A hook is just a named list of of function, that can
+# be run in order later on.
+
+# func_hookable FUNC_NAME
+# -----------------------
+# Declare that FUNC_NAME will run hooks added with
+# 'func_add_hook FUNC_NAME ...'.
+func_hookable ()
+{
+    $debug_cmd
+
+    func_append hookable_fns " $1"
+}
+
+
+# func_add_hook FUNC_NAME HOOK_FUNC
+# ---------------------------------
+# Request that FUNC_NAME call HOOK_FUNC before it returns.  FUNC_NAME must
+# first have been declared "hookable" by a call to 'func_hookable'.
+func_add_hook ()
+{
+    $debug_cmd
+
+    case " $hookable_fns " in
+      *" $1 "*) ;;
+      *) func_fatal_error "'$1' does not accept hook functions." ;;
+    esac
+
+    eval func_append ${1}_hooks '" $2"'
+}
+
+
+# func_remove_hook FUNC_NAME HOOK_FUNC
+# ------------------------------------
+# Remove HOOK_FUNC from the list of functions called by FUNC_NAME.
+func_remove_hook ()
+{
+    $debug_cmd
+
+    eval ${1}_hooks='`$ECHO "\$'$1'_hooks" |$SED "s| '$2'||"`'
+}
+
+
+# func_run_hooks FUNC_NAME [ARG]...
+# ---------------------------------
+# Run all hook functions registered to FUNC_NAME.
+# It is assumed that the list of hook functions contains nothing more
+# than a whitespace-delimited list of legal shell function names, and
+# no effort is wasted trying to catch shell meta-characters or preserve
+# whitespace.
+func_run_hooks ()
+{
+    $debug_cmd
+
+    _G_rc_run_hooks=false
+
+    case " $hookable_fns " in
+      *" $1 "*) ;;
+      *) func_fatal_error "'$1' does not support hook funcions.n" ;;
+    esac
+
+    eval _G_hook_fns=\$$1_hooks; shift
+
+    for _G_hook in $_G_hook_fns; do
+      if eval $_G_hook '"$@"'; then
+        # store returned options list back into positional
+        # parameters for next 'cmd' execution.
+        eval _G_hook_result=\$${_G_hook}_result
+        eval set dummy "$_G_hook_result"; shift
+        _G_rc_run_hooks=:
+      fi
+    done
+
+    $_G_rc_run_hooks && func_run_hooks_result=$_G_hook_result
+}
+
+
+
+## --------------- ##
+## Option parsing. ##
+## --------------- ##
+
+# In order to add your own option parsing hooks, you must accept the
+# full positional parameter list in your hook function, you may remove/edit
+# any options that you action, and then pass back the remaining unprocessed
+# options in '<hooked_function_name>_result', escaped suitably for
+# 'eval'.  In this case you also must return $EXIT_SUCCESS to let the
+# hook's caller know that it should pay attention to
+# '<hooked_function_name>_result'.  Returning $EXIT_FAILURE signalizes that
+# arguments are left untouched by the hook and therefore caller will ignore the
+# result variable.
+#
+# Like this:
+#
+#    my_options_prep ()
+#    {
+#        $debug_cmd
+#
+#        # Extend the existing usage message.
+#        usage_message=$usage_message'
+#      -s, --silent       don'\''t print informational messages
+#    '
+#        # No change in '$@' (ignored completely by this hook).  There is
+#        # no need to do the equivalent (but slower) action:
+#        # func_quote_for_eval ${1+"$@"}
+#        # my_options_prep_result=$func_quote_for_eval_result
+#        false
+#    }
+#    func_add_hook func_options_prep my_options_prep
+#
+#
+#    my_silent_option ()
+#    {
+#        $debug_cmd
+#
+#        args_changed=false
+#
+#        # Note that for efficiency, we parse as many options as we can
+#        # recognise in a loop before passing the remainder back to the
+#        # caller on the first unrecognised argument we encounter.
+#        while test $# -gt 0; do
+#          opt=$1; shift
+#          case $opt in
+#            --silent|-s) opt_silent=:
+#                         args_changed=:
+#                         ;;
+#            # Separate non-argument short options:
+#            -s*)         func_split_short_opt "$_G_opt"
+#                         set dummy "$func_split_short_opt_name" \
+#                             "-$func_split_short_opt_arg" ${1+"$@"}
+#                         shift
+#                         args_changed=:
+#                         ;;
+#            *)           # Make sure the first unrecognised option "$_G_opt"
+#                         # is added back to "$@", we could need that later
+#                         # if $args_changed is true.
+#                         set dummy "$_G_opt" ${1+"$@"}; shift; break ;;
+#          esac
+#        done
+#
+#        if $args_changed; then
+#          func_quote_for_eval ${1+"$@"}
+#          my_silent_option_result=$func_quote_for_eval_result
+#        fi
+#
+#        $args_changed
+#    }
+#    func_add_hook func_parse_options my_silent_option
+#
+#
+#    my_option_validation ()
+#    {
+#        $debug_cmd
+#
+#        $opt_silent && $opt_verbose && func_fatal_help "\
+#    '--silent' and '--verbose' options are mutually exclusive."
+#
+#        false
+#    }
+#    func_add_hook func_validate_options my_option_validation
+#
+# You'll also need to manually amend $usage_message to reflect the extra
+# options you parse.  It's preferable to append if you can, so that
+# multiple option parsing hooks can be added safely.
+
+
+# func_options_finish [ARG]...
+# ----------------------------
+# Finishing the option parse loop (call 'func_options' hooks ATM).
+func_options_finish ()
+{
+    $debug_cmd
+
+    _G_func_options_finish_exit=false
+    if func_run_hooks func_options ${1+"$@"}; then
+      func_options_finish_result=$func_run_hooks_result
+      _G_func_options_finish_exit=:
+    fi
+
+    $_G_func_options_finish_exit
+}
+
+
+# func_options [ARG]...
+# ---------------------
+# All the functions called inside func_options are hookable. See the
+# individual implementations for details.
+func_hookable func_options
+func_options ()
+{
+    $debug_cmd
+
+    _G_rc_options=false
+
+    for my_func in options_prep parse_options validate_options options_finish
+    do
+      if eval func_$my_func '${1+"$@"}'; then
+        eval _G_res_var='$'"func_${my_func}_result"
+        eval set dummy "$_G_res_var" ; shift
+        _G_rc_options=:
+      fi
+    done
+
+    # Save modified positional parameters for caller.  As a top-level
+    # options-parser function we always need to set the 'func_options_result'
+    # variable (regardless the $_G_rc_options value).
+    if $_G_rc_options; then
+      func_options_result=$_G_res_var
+    else
+      func_quote_for_eval ${1+"$@"}
+      func_options_result=$func_quote_for_eval_result
+    fi
+
+    $_G_rc_options
+}
+
+
+# func_options_prep [ARG]...
+# --------------------------
+# All initialisations required before starting the option parse loop.
+# Note that when calling hook functions, we pass through the list of
+# positional parameters.  If a hook function modifies that list, and
+# needs to propagate that back to rest of this script, then the complete
+# modified list must be put in 'func_run_hooks_result' before
+# returning $EXIT_SUCCESS (otherwise $EXIT_FAILURE is returned).
+func_hookable func_options_prep
+func_options_prep ()
+{
+    $debug_cmd
+
+    # Option defaults:
+    opt_verbose=false
+    opt_warning_types=
+
+    _G_rc_options_prep=false
+    if func_run_hooks func_options_prep ${1+"$@"}; then
+      _G_rc_options_prep=:
+      # save modified positional parameters for caller
+      func_options_prep_result=$func_run_hooks_result
+    fi
+
+    $_G_rc_options_prep
+}
+
+
+# func_parse_options [ARG]...
+# ---------------------------
+# The main option parsing loop.
+func_hookable func_parse_options
+func_parse_options ()
+{
+    $debug_cmd
+
+    func_parse_options_result=
+
+    _G_rc_parse_options=false
+    # this just eases exit handling
+    while test $# -gt 0; do
+      # Defer to hook functions for initial option parsing, so they
+      # get priority in the event of reusing an option name.
+      if func_run_hooks func_parse_options ${1+"$@"}; then
+        eval set dummy "$func_run_hooks_result"; shift
+        _G_rc_parse_options=:
+      fi
+
+      # Break out of the loop if we already parsed every option.
+      test $# -gt 0 || break
+
+      _G_match_parse_options=:
+      _G_opt=$1
+      shift
+      case $_G_opt in
+        --debug|-x)   debug_cmd='set -x'
+                      func_echo "enabling shell trace mode"
+                      $debug_cmd
+                      ;;
+
+        --no-warnings|--no-warning|--no-warn)
+                      set dummy --warnings none ${1+"$@"}
+                      shift
+		      ;;
+
+        --warnings|--warning|-W)
+                      if test $# = 0 && func_missing_arg $_G_opt; then
+                        _G_rc_parse_options=:
+                        break
+                      fi
+                      case " $warning_categories $1" in
+                        *" $1 "*)
+                          # trailing space prevents matching last $1 above
+                          func_append_uniq opt_warning_types " $1"
+                          ;;
+                        *all)
+                          opt_warning_types=$warning_categories
+                          ;;
+                        *none)
+                          opt_warning_types=none
+                          warning_func=:
+                          ;;
+                        *error)
+                          opt_warning_types=$warning_categories
+                          warning_func=func_fatal_error
+                          ;;
+                        *)
+                          func_fatal_error \
+                             "unsupported warning category: '$1'"
+                          ;;
+                      esac
+                      shift
+                      ;;
+
+        --verbose|-v) opt_verbose=: ;;
+        --version)    func_version ;;
+        -\?|-h)       func_usage ;;
+        --help)       func_help ;;
+
+	# Separate optargs to long options (plugins may need this):
+	--*=*)        func_split_equals "$_G_opt"
+	              set dummy "$func_split_equals_lhs" \
+                          "$func_split_equals_rhs" ${1+"$@"}
+                      shift
+                      ;;
+
+       # Separate optargs to short options:
+        -W*)
+                      func_split_short_opt "$_G_opt"
+                      set dummy "$func_split_short_opt_name" \
+                          "$func_split_short_opt_arg" ${1+"$@"}
+                      shift
+                      ;;
+
+        # Separate non-argument short options:
+        -\?*|-h*|-v*|-x*)
+                      func_split_short_opt "$_G_opt"
+                      set dummy "$func_split_short_opt_name" \
+                          "-$func_split_short_opt_arg" ${1+"$@"}
+                      shift
+                      ;;
+
+        --)           _G_rc_parse_options=: ; break ;;
+        -*)           func_fatal_help "unrecognised option: '$_G_opt'" ;;
+        *)            set dummy "$_G_opt" ${1+"$@"}; shift
+                      _G_match_parse_options=false
+                      break
+                      ;;
+      esac
+
+      $_G_match_parse_options && _G_rc_parse_options=:
+    done
+
+
+    if $_G_rc_parse_options; then
+      # save modified positional parameters for caller
+      func_quote_for_eval ${1+"$@"}
+      func_parse_options_result=$func_quote_for_eval_result
+    fi
+
+    $_G_rc_parse_options
+}
+
+
+# func_validate_options [ARG]...
+# ------------------------------
+# Perform any sanity checks on option settings and/or unconsumed
+# arguments.
+func_hookable func_validate_options
+func_validate_options ()
+{
+    $debug_cmd
+
+    _G_rc_validate_options=false
+
+    # Display all warnings if -W was not given.
+    test -n "$opt_warning_types" || opt_warning_types=" $warning_categories"
+
+    if func_run_hooks func_validate_options ${1+"$@"}; then
+      # save modified positional parameters for caller
+      func_validate_options_result=$func_run_hooks_result
+      _G_rc_validate_options=:
+    fi
+
+    # Bail if the options were screwed!
+    $exit_cmd $EXIT_FAILURE
+
+    $_G_rc_validate_options
+}
+
+
+
+## ----------------- ##
+## Helper functions. ##
+## ----------------- ##
+
+# This section contains the helper functions used by the rest of the
+# hookable option parser framework in ascii-betical order.
+
+
+# func_fatal_help ARG...
+# ----------------------
+# Echo program name prefixed message to standard error, followed by
+# a help hint, and exit.
+func_fatal_help ()
+{
+    $debug_cmd
+
+    eval \$ECHO \""Usage: $usage"\"
+    eval \$ECHO \""$fatal_help"\"
+    func_error ${1+"$@"}
+    exit $EXIT_FAILURE
+}
+
+
+# func_help
+# ---------
+# Echo long help message to standard output and exit.
+func_help ()
+{
+    $debug_cmd
+
+    func_usage_message
+    $ECHO "$long_help_message"
+    exit 0
+}
+
+
+# func_missing_arg ARGNAME
+# ------------------------
+# Echo program name prefixed message to standard error and set global
+# exit_cmd.
+func_missing_arg ()
+{
+    $debug_cmd
+
+    func_error "Missing argument for '$1'."
+    exit_cmd=exit
+}
+
+
+# func_split_equals STRING
+# ------------------------
+# Set func_split_equals_lhs and func_split_equals_rhs shell variables after
+# splitting STRING at the '=' sign.
+test -z "$_G_HAVE_XSI_OPS" \
+    && (eval 'x=a/b/c;
+      test 5aa/bb/cc = "${#x}${x%%/*}${x%/*}${x#*/}${x##*/}"') 2>/dev/null \
+    && _G_HAVE_XSI_OPS=yes
+
+if test yes = "$_G_HAVE_XSI_OPS"
+then
+  # This is an XSI compatible shell, allowing a faster implementation...
+  eval 'func_split_equals ()
+  {
+      $debug_cmd
+
+      func_split_equals_lhs=${1%%=*}
+      func_split_equals_rhs=${1#*=}
+      test "x$func_split_equals_lhs" = "x$1" \
+        && func_split_equals_rhs=
+  }'
+else
+  # ...otherwise fall back to using expr, which is often a shell builtin.
+  func_split_equals ()
+  {
+      $debug_cmd
+
+      func_split_equals_lhs=`expr "x$1" : 'x\([^=]*\)'`
+      func_split_equals_rhs=
+      test "x$func_split_equals_lhs" = "x$1" \
+        || func_split_equals_rhs=`expr "x$1" : 'x[^=]*=\(.*\)$'`
+  }
+fi #func_split_equals
+
+
+# func_split_short_opt SHORTOPT
+# -----------------------------
+# Set func_split_short_opt_name and func_split_short_opt_arg shell
+# variables after splitting SHORTOPT after the 2nd character.
+if test yes = "$_G_HAVE_XSI_OPS"
+then
+  # This is an XSI compatible shell, allowing a faster implementation...
+  eval 'func_split_short_opt ()
+  {
+      $debug_cmd
+
+      func_split_short_opt_arg=${1#??}
+      func_split_short_opt_name=${1%"$func_split_short_opt_arg"}
+  }'
+else
+  # ...otherwise fall back to using expr, which is often a shell builtin.
+  func_split_short_opt ()
+  {
+      $debug_cmd
+
+      func_split_short_opt_name=`expr "x$1" : 'x-\(.\)'`
+      func_split_short_opt_arg=`expr "x$1" : 'x-.\(.*\)$'`
+  }
+fi #func_split_short_opt
+
+
+# func_usage
+# ----------
+# Echo short help message to standard output and exit.
+func_usage ()
+{
+    $debug_cmd
+
+    func_usage_message
+    $ECHO "Run '$progname --help |${PAGER-more}' for full usage"
+    exit 0
+}
+
+
+# func_usage_message
+# ------------------
+# Echo short help message to standard output.
+func_usage_message ()
+{
+    $debug_cmd
+
+    eval \$ECHO \""Usage: $usage"\"
+    echo
+    $SED -n 's|^# ||
+        /^Written by/{
+          x;p;x
+        }
+	h
+	/^Written by/q' < "$progpath"
+    echo
+    eval \$ECHO \""$usage_message"\"
+}
+
+
+# func_version
+# ------------
+# Echo version message to standard output and exit.
+func_version ()
+{
+    $debug_cmd
+
+    printf '%s\n' "$progname $scriptversion"
+    $SED -n '
+        /(C)/!b go
+        :more
+        /\./!{
+          N
+          s|\n# | |
+          b more
+        }
+        :go
+        /^# Written by /,/# warranty; / {
+          s|^# ||
+          s|^# *$||
+          s|\((C)\)[ 0-9,-]*[ ,-]\([1-9][0-9]* \)|\1 \2|
+          p
+        }
+        /^# Written by / {
+          s|^# ||
+          p
+        }
+        /^warranty; /q' < "$progpath"
+
+    exit $?
+}
+
+
+# Local variables:
+# mode: shell-script
+# sh-indentation: 2
+# eval: (add-hook 'before-save-hook 'time-stamp)
+# time-stamp-pattern: "10/scriptversion=%:y-%02m-%02d.%02H; # UTC"
+# time-stamp-time-zone: "UTC"
+# End:
+
+# Set a version string.
+scriptversion='(GNU libtool) 2.4.6'
+
+
+# func_echo ARG...
+# ----------------
+# Libtool also displays the current mode in messages, so override
+# funclib.sh func_echo with this custom definition.
+func_echo ()
+{
+    $debug_cmd
+
+    _G_message=$*
+
+    func_echo_IFS=$IFS
+    IFS=$nl
+    for _G_line in $_G_message; do
+      IFS=$func_echo_IFS
+      $ECHO "$progname${opt_mode+: $opt_mode}: $_G_line"
+    done
+    IFS=$func_echo_IFS
+}
+
+
+# func_warning ARG...
+# -------------------
+# Libtool warnings are not categorized, so override funclib.sh
+# func_warning with this simpler definition.
+func_warning ()
+{
+    $debug_cmd
+
+    $warning_func ${1+"$@"}
+}
+
+
+## ---------------- ##
+## Options parsing. ##
+## ---------------- ##
+
+# Hook in the functions to make sure our own options are parsed during
+# the option parsing loop.
+
+usage='$progpath [OPTION]... [MODE-ARG]...'
+
+# Short help message in response to '-h'.
+usage_message="Options:
+       --config             show all configuration variables
+       --debug              enable verbose shell tracing
+   -n, --dry-run            display commands without modifying any files
+       --features           display basic configuration information and exit
+       --mode=MODE          use operation mode MODE
+       --no-warnings        equivalent to '-Wnone'
+       --preserve-dup-deps  don't remove duplicate dependency libraries
+       --quiet, --silent    don't print informational messages
+       --tag=TAG            use configuration variables from tag TAG
+   -v, --verbose            print more informational messages than default
+       --version            print version information
+   -W, --warnings=CATEGORY  report the warnings falling in CATEGORY [all]
+   -h, --help, --help-all   print short, long, or detailed help message
+"
+
+# Additional text appended to 'usage_message' in response to '--help'.
+func_help ()
+{
+    $debug_cmd
+
+    func_usage_message
+    $ECHO "$long_help_message
+
+MODE must be one of the following:
+
+       clean           remove files from the build directory
+       compile         compile a source file into a libtool object
+       execute         automatically set library path, then run a program
+       finish          complete the installation of libtool libraries
+       install         install libraries or executables
+       link            create a library or an executable
+       uninstall       remove libraries from an installed directory
+
+MODE-ARGS vary depending on the MODE.  When passed as first option,
+'--mode=MODE' may be abbreviated as 'MODE' or a unique abbreviation of that.
+Try '$progname --help --mode=MODE' for a more detailed description of MODE.
+
+When reporting a bug, please describe a test case to reproduce it and
+include the following information:
+
+       host-triplet:   $host
+       shell:          $SHELL
+       compiler:       $LTCC
+       compiler flags: $LTCFLAGS
+       linker:         $LD (gnu? $with_gnu_ld)
+       version:        $progname $scriptversion Debian-2.4.6-15
+       automake:       `($AUTOMAKE --version) 2>/dev/null |$SED 1q`
+       autoconf:       `($AUTOCONF --version) 2>/dev/null |$SED 1q`
+
+Report bugs to <bug-libtool@gnu.org>.
+GNU libtool home page: <http://www.gnu.org/s/libtool/>.
+General help using GNU software: <http://www.gnu.org/gethelp/>."
+    exit 0
+}
+
+
+# func_lo2o OBJECT-NAME
+# ---------------------
+# Transform OBJECT-NAME from a '.lo' suffix to the platform specific
+# object suffix.
+
+lo2o=s/\\.lo\$/.$objext/
+o2lo=s/\\.$objext\$/.lo/
+
+if test yes = "$_G_HAVE_XSI_OPS"; then
+  eval 'func_lo2o ()
+  {
+    case $1 in
+      *.lo) func_lo2o_result=${1%.lo}.$objext ;;
+      *   ) func_lo2o_result=$1               ;;
+    esac
+  }'
+
+  # func_xform LIBOBJ-OR-SOURCE
+  # ---------------------------
+  # Transform LIBOBJ-OR-SOURCE from a '.o' or '.c' (or otherwise)
+  # suffix to a '.lo' libtool-object suffix.
+  eval 'func_xform ()
+  {
+    func_xform_result=${1%.*}.lo
+  }'
+else
+  # ...otherwise fall back to using sed.
+  func_lo2o ()
+  {
+    func_lo2o_result=`$ECHO "$1" | $SED "$lo2o"`
+  }
+
+  func_xform ()
+  {
+    func_xform_result=`$ECHO "$1" | $SED 's|\.[^.]*$|.lo|'`
+  }
+fi
+
+
+# func_fatal_configuration ARG...
+# -------------------------------
+# Echo program name prefixed message to standard error, followed by
+# a configuration failure hint, and exit.
+func_fatal_configuration ()
+{
+    func__fatal_error ${1+"$@"} \
+      "See the $PACKAGE documentation for more information." \
+      "Fatal configuration error."
+}
+
+
+# func_config
+# -----------
+# Display the configuration for all the tags in this script.
+func_config ()
+{
+    re_begincf='^# ### BEGIN LIBTOOL'
+    re_endcf='^# ### END LIBTOOL'
+
+    # Default configuration.
+    $SED "1,/$re_begincf CONFIG/d;/$re_endcf CONFIG/,\$d" < "$progpath"
+
+    # Now print the configurations for the tags.
+    for tagname in $taglist; do
+      $SED -n "/$re_begincf TAG CONFIG: $tagname\$/,/$re_endcf TAG CONFIG: $tagname\$/p" < "$progpath"
+    done
+
+    exit $?
+}
+
+
+# func_features
+# -------------
+# Display the features supported by this script.
+func_features ()
+{
+    echo "host: $host"
+    if test yes = "$build_libtool_libs"; then
+      echo "enable shared libraries"
+    else
+      echo "disable shared libraries"
+    fi
+    if test yes = "$build_old_libs"; then
+      echo "enable static libraries"
+    else
+      echo "disable static libraries"
+    fi
+
+    exit $?
+}
+
+
+# func_enable_tag TAGNAME
+# -----------------------
+# Verify that TAGNAME is valid, and either flag an error and exit, or
+# enable the TAGNAME tag.  We also add TAGNAME to the global $taglist
+# variable here.
+func_enable_tag ()
+{
+    # Global variable:
+    tagname=$1
+
+    re_begincf="^# ### BEGIN LIBTOOL TAG CONFIG: $tagname\$"
+    re_endcf="^# ### END LIBTOOL TAG CONFIG: $tagname\$"
+    sed_extractcf=/$re_begincf/,/$re_endcf/p
+
+    # Validate tagname.
+    case $tagname in
+      *[!-_A-Za-z0-9,/]*)
+        func_fatal_error "invalid tag name: $tagname"
+        ;;
+    esac
+
+    # Don't test for the "default" C tag, as we know it's
+    # there but not specially marked.
+    case $tagname in
+        CC) ;;
+    *)
+        if $GREP "$re_begincf" "$progpath" >/dev/null 2>&1; then
+	  taglist="$taglist $tagname"
+
+	  # Evaluate the configuration.  Be careful to quote the path
+	  # and the sed script, to avoid splitting on whitespace, but
+	  # also don't use non-portable quotes within backquotes within
+	  # quotes we have to do it in 2 steps:
+	  extractedcf=`$SED -n -e "$sed_extractcf" < "$progpath"`
+	  eval "$extractedcf"
+        else
+	  func_error "ignoring unknown tag $tagname"
+        fi
+        ;;
+    esac
+}
+
+
+# func_check_version_match
+# ------------------------
+# Ensure that we are using m4 macros, and libtool script from the same
+# release of libtool.
+func_check_version_match ()
+{
+    if test "$package_revision" != "$macro_revision"; then
+      if test "$VERSION" != "$macro_version"; then
+        if test -z "$macro_version"; then
+          cat >&2 <<_LT_EOF
+$progname: Version mismatch error.  This is $PACKAGE $VERSION, but the
+$progname: definition of this LT_INIT comes from an older release.
+$progname: You should recreate aclocal.m4 with macros from $PACKAGE $VERSION
+$progname: and run autoconf again.
+_LT_EOF
+        else
+          cat >&2 <<_LT_EOF
+$progname: Version mismatch error.  This is $PACKAGE $VERSION, but the
+$progname: definition of this LT_INIT comes from $PACKAGE $macro_version.
+$progname: You should recreate aclocal.m4 with macros from $PACKAGE $VERSION
+$progname: and run autoconf again.
+_LT_EOF
+        fi
+      else
+        cat >&2 <<_LT_EOF
+$progname: Version mismatch error.  This is $PACKAGE $VERSION, revision $package_revision,
+$progname: but the definition of this LT_INIT comes from revision $macro_revision.
+$progname: You should recreate aclocal.m4 with macros from revision $package_revision
+$progname: of $PACKAGE $VERSION and run autoconf again.
+_LT_EOF
+      fi
+
+      exit $EXIT_MISMATCH
+    fi
+}
+
+
+# libtool_options_prep [ARG]...
+# -----------------------------
+# Preparation for options parsed by libtool.
+libtool_options_prep ()
+{
+    $debug_mode
+
+    # Option defaults:
+    opt_config=false
+    opt_dlopen=
+    opt_dry_run=false
+    opt_help=false
+    opt_mode=
+    opt_preserve_dup_deps=false
+    opt_quiet=false
+
+    nonopt=
+    preserve_args=
+
+    _G_rc_lt_options_prep=:
+
+    # Shorthand for --mode=foo, only valid as the first argument
+    case $1 in
+    clean|clea|cle|cl)
+      shift; set dummy --mode clean ${1+"$@"}; shift
+      ;;
+    compile|compil|compi|comp|com|co|c)
+      shift; set dummy --mode compile ${1+"$@"}; shift
+      ;;
+    execute|execut|execu|exec|exe|ex|e)
+      shift; set dummy --mode execute ${1+"$@"}; shift
+      ;;
+    finish|finis|fini|fin|fi|f)
+      shift; set dummy --mode finish ${1+"$@"}; shift
+      ;;
+    install|instal|insta|inst|ins|in|i)
+      shift; set dummy --mode install ${1+"$@"}; shift
+      ;;
+    link|lin|li|l)
+      shift; set dummy --mode link ${1+"$@"}; shift
+      ;;
+    uninstall|uninstal|uninsta|uninst|unins|unin|uni|un|u)
+      shift; set dummy --mode uninstall ${1+"$@"}; shift
+      ;;
+    *)
+      _G_rc_lt_options_prep=false
+      ;;
+    esac
+
+    if $_G_rc_lt_options_prep; then
+      # Pass back the list of options.
+      func_quote_for_eval ${1+"$@"}
+      libtool_options_prep_result=$func_quote_for_eval_result
+    fi
+
+    $_G_rc_lt_options_prep
+}
+func_add_hook func_options_prep libtool_options_prep
+
+
+# libtool_parse_options [ARG]...
+# ---------------------------------
+# Provide handling for libtool specific options.
+libtool_parse_options ()
+{
+    $debug_cmd
+
+    _G_rc_lt_parse_options=false
+
+    # Perform our own loop to consume as many options as possible in
+    # each iteration.
+    while test $# -gt 0; do
+      _G_match_lt_parse_options=:
+      _G_opt=$1
+      shift
+      case $_G_opt in
+        --dry-run|--dryrun|-n)
+                        opt_dry_run=:
+                        ;;
+
+        --config)       func_config ;;
+
+        --dlopen|-dlopen)
+                        opt_dlopen="${opt_dlopen+$opt_dlopen
+}$1"
+                        shift
+                        ;;
+
+        --preserve-dup-deps)
+                        opt_preserve_dup_deps=: ;;
+
+        --features)     func_features ;;
+
+        --finish)       set dummy --mode finish ${1+"$@"}; shift ;;
+
+        --help)         opt_help=: ;;
+
+        --help-all)     opt_help=': help-all' ;;
+
+        --mode)         test $# = 0 && func_missing_arg $_G_opt && break
+                        opt_mode=$1
+                        case $1 in
+                          # Valid mode arguments:
+                          clean|compile|execute|finish|install|link|relink|uninstall) ;;
+
+                          # Catch anything else as an error
+                          *) func_error "invalid argument for $_G_opt"
+                             exit_cmd=exit
+                             break
+                             ;;
+                        esac
+                        shift
+                        ;;
+
+        --no-silent|--no-quiet)
+                        opt_quiet=false
+                        func_append preserve_args " $_G_opt"
+                        ;;
+
+        --no-warnings|--no-warning|--no-warn)
+                        opt_warning=false
+                        func_append preserve_args " $_G_opt"
+                        ;;
+
+        --no-verbose)
+                        opt_verbose=false
+                        func_append preserve_args " $_G_opt"
+                        ;;
+
+        --silent|--quiet)
+                        opt_quiet=:
+                        opt_verbose=false
+                        func_append preserve_args " $_G_opt"
+                        ;;
+
+        --tag)          test $# = 0 && func_missing_arg $_G_opt && break
+                        opt_tag=$1
+                        func_append preserve_args " $_G_opt $1"
+                        func_enable_tag "$1"
+                        shift
+                        ;;
+
+        --verbose|-v)   opt_quiet=false
+                        opt_verbose=:
+                        func_append preserve_args " $_G_opt"
+                        ;;
+
+        # An option not handled by this hook function:
+        *)              set dummy "$_G_opt" ${1+"$@"} ; shift
+                        _G_match_lt_parse_options=false
+                        break
+                        ;;
+      esac
+      $_G_match_lt_parse_options && _G_rc_lt_parse_options=:
+    done
+
+    if $_G_rc_lt_parse_options; then
+      # save modified positional parameters for caller
+      func_quote_for_eval ${1+"$@"}
+      libtool_parse_options_result=$func_quote_for_eval_result
+    fi
+
+    $_G_rc_lt_parse_options
+}
+func_add_hook func_parse_options libtool_parse_options
+
+
+
+# libtool_validate_options [ARG]...
+# ---------------------------------
+# Perform any sanity checks on option settings and/or unconsumed
+# arguments.
+libtool_validate_options ()
+{
+    # save first non-option argument
+    if test 0 -lt $#; then
+      nonopt=$1
+      shift
+    fi
+
+    # preserve --debug
+    test : = "$debug_cmd" || func_append preserve_args " --debug"
+
+    case $host in
+      # Solaris2 added to fix http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16452
+      # see also: http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59788
+      *cygwin* | *mingw* | *pw32* | *cegcc* | *solaris2* | *os2*)
+        # don't eliminate duplications in $postdeps and $predeps
+        opt_duplicate_compiler_generated_deps=:
+        ;;
+      *)
+        opt_duplicate_compiler_generated_deps=$opt_preserve_dup_deps
+        ;;
+    esac
+
+    $opt_help || {
+      # Sanity checks first:
+      func_check_version_match
+
+      test yes != "$build_libtool_libs" \
+        && test yes != "$build_old_libs" \
+        && func_fatal_configuration "not configured to build any kind of library"
+
+      # Darwin sucks
+      eval std_shrext=\"$shrext_cmds\"
+
+      # Only execute mode is allowed to have -dlopen flags.
+      if test -n "$opt_dlopen" && test execute != "$opt_mode"; then
+        func_error "unrecognized option '-dlopen'"
+        $ECHO "$help" 1>&2
+        exit $EXIT_FAILURE
+      fi
+
+      # Change the help message to a mode-specific one.
+      generic_help=$help
+      help="Try '$progname --help --mode=$opt_mode' for more information."
+    }
+
+    # Pass back the unparsed argument list
+    func_quote_for_eval ${1+"$@"}
+    libtool_validate_options_result=$func_quote_for_eval_result
+}
+func_add_hook func_validate_options libtool_validate_options
+
+
+# Process options as early as possible so that --help and --version
+# can return quickly.
+func_options ${1+"$@"}
+eval set dummy "$func_options_result"; shift
+
+
+
+## ----------- ##
+##    Main.    ##
+## ----------- ##
+
+magic='%%%MAGIC variable%%%'
+magic_exe='%%%MAGIC EXE variable%%%'
+
+# Global variables.
+extracted_archives=
+extracted_serial=0
+
+# If this variable is set in any of the actions, the command in it
+# will be execed at the end.  This prevents here-documents from being
+# left over by shells.
+exec_cmd=
+
+
+# A function that is used when there is no print builtin or printf.
+func_fallback_echo ()
+{
+  eval 'cat <<_LTECHO_EOF
+$1
+_LTECHO_EOF'
+}
+
+# func_generated_by_libtool
+# True iff stdin has been generated by Libtool. This function is only
+# a basic sanity check; it will hardly flush out determined imposters.
+func_generated_by_libtool_p ()
+{
+  $GREP "^# Generated by .*$PACKAGE" > /dev/null 2>&1
+}
+
+# func_lalib_p file
+# True iff FILE is a libtool '.la' library or '.lo' object file.
+# This function is only a basic sanity check; it will hardly flush out
+# determined imposters.
+func_lalib_p ()
+{
+    test -f "$1" &&
+      $SED -e 4q "$1" 2>/dev/null | func_generated_by_libtool_p
+}
+
+# func_lalib_unsafe_p file
+# True iff FILE is a libtool '.la' library or '.lo' object file.
+# This function implements the same check as func_lalib_p without
+# resorting to external programs.  To this end, it redirects stdin and
+# closes it afterwards, without saving the original file descriptor.
+# As a safety measure, use it only where a negative result would be
+# fatal anyway.  Works if 'file' does not exist.
+func_lalib_unsafe_p ()
+{
+    lalib_p=no
+    if test -f "$1" && test -r "$1" && exec 5<&0 <"$1"; then
+	for lalib_p_l in 1 2 3 4
+	do
+	    read lalib_p_line
+	    case $lalib_p_line in
+		\#\ Generated\ by\ *$PACKAGE* ) lalib_p=yes; break;;
+	    esac
+	done
+	exec 0<&5 5<&-
+    fi
+    test yes = "$lalib_p"
+}
+
+# func_ltwrapper_script_p file
+# True iff FILE is a libtool wrapper script
+# This function is only a basic sanity check; it will hardly flush out
+# determined imposters.
+func_ltwrapper_script_p ()
+{
+    test -f "$1" &&
+      $lt_truncate_bin < "$1" 2>/dev/null | func_generated_by_libtool_p
+}
+
+# func_ltwrapper_executable_p file
+# True iff FILE is a libtool wrapper executable
+# This function is only a basic sanity check; it will hardly flush out
+# determined imposters.
+func_ltwrapper_executable_p ()
+{
+    func_ltwrapper_exec_suffix=
+    case $1 in
+    *.exe) ;;
+    *) func_ltwrapper_exec_suffix=.exe ;;
+    esac
+    $GREP "$magic_exe" "$1$func_ltwrapper_exec_suffix" >/dev/null 2>&1
+}
+
+# func_ltwrapper_scriptname file
+# Assumes file is an ltwrapper_executable
+# uses $file to determine the appropriate filename for a
+# temporary ltwrapper_script.
+func_ltwrapper_scriptname ()
+{
+    func_dirname_and_basename "$1" "" "."
+    func_stripname '' '.exe' "$func_basename_result"
+    func_ltwrapper_scriptname_result=$func_dirname_result/$objdir/${func_stripname_result}_ltshwrapper
+}
+
+# func_ltwrapper_p file
+# True iff FILE is a libtool wrapper script or wrapper executable
+# This function is only a basic sanity check; it will hardly flush out
+# determined imposters.
+func_ltwrapper_p ()
+{
+    func_ltwrapper_script_p "$1" || func_ltwrapper_executable_p "$1"
+}
+
+
+# func_execute_cmds commands fail_cmd
+# Execute tilde-delimited COMMANDS.
+# If FAIL_CMD is given, eval that upon failure.
+# FAIL_CMD may read-access the current command in variable CMD!
+func_execute_cmds ()
+{
+    $debug_cmd
+
+    save_ifs=$IFS; IFS='~'
+    for cmd in $1; do
+      IFS=$sp$nl
+      eval cmd=\"$cmd\"
+      IFS=$save_ifs
+      func_show_eval "$cmd" "${2-:}"
+    done
+    IFS=$save_ifs
+}
+
+
+# func_source file
+# Source FILE, adding directory component if necessary.
+# Note that it is not necessary on cygwin/mingw to append a dot to
+# FILE even if both FILE and FILE.exe exist: automatic-append-.exe
+# behavior happens only for exec(3), not for open(2)!  Also, sourcing
+# 'FILE.' does not work on cygwin managed mounts.
+func_source ()
+{
+    $debug_cmd
+
+    case $1 in
+    */* | *\\*)	. "$1" ;;
+    *)		. "./$1" ;;
+    esac
+}
+
+
+# func_resolve_sysroot PATH
+# Replace a leading = in PATH with a sysroot.  Store the result into
+# func_resolve_sysroot_result
+func_resolve_sysroot ()
+{
+  func_resolve_sysroot_result=$1
+  case $func_resolve_sysroot_result in
+  =*)
+    func_stripname '=' '' "$func_resolve_sysroot_result"
+    func_resolve_sysroot_result=$lt_sysroot$func_stripname_result
+    ;;
+  esac
+}
+
+# func_replace_sysroot PATH
+# If PATH begins with the sysroot, replace it with = and
+# store the result into func_replace_sysroot_result.
+func_replace_sysroot ()
+{
+  case $lt_sysroot:$1 in
+  ?*:"$lt_sysroot"*)
+    func_stripname "$lt_sysroot" '' "$1"
+    func_replace_sysroot_result='='$func_stripname_result
+    ;;
+  *)
+    # Including no sysroot.
+    func_replace_sysroot_result=$1
+    ;;
+  esac
+}
+
+# func_infer_tag arg
+# Infer tagged configuration to use if any are available and
+# if one wasn't chosen via the "--tag" command line option.
+# Only attempt this if the compiler in the base compile
+# command doesn't match the default compiler.
+# arg is usually of the form 'gcc ...'
+func_infer_tag ()
+{
+    $debug_cmd
+
+    if test -n "$available_tags" && test -z "$tagname"; then
+      CC_quoted=
+      for arg in $CC; do
+	func_append_quoted CC_quoted "$arg"
+      done
+      CC_expanded=`func_echo_all $CC`
+      CC_quoted_expanded=`func_echo_all $CC_quoted`
+      case $@ in
+      # Blanks in the command may have been stripped by the calling shell,
+      # but not from the CC environment variable when configure was run.
+      " $CC "* | "$CC "* | " $CC_expanded "* | "$CC_expanded "* | \
+      " $CC_quoted"* | "$CC_quoted "* | " $CC_quoted_expanded "* | "$CC_quoted_expanded "*) ;;
+      # Blanks at the start of $base_compile will cause this to fail
+      # if we don't check for them as well.
+      *)
+	for z in $available_tags; do
+	  if $GREP "^# ### BEGIN LIBTOOL TAG CONFIG: $z$" < "$progpath" > /dev/null; then
+	    # Evaluate the configuration.
+	    eval "`$SED -n -e '/^# ### BEGIN LIBTOOL TAG CONFIG: '$z'$/,/^# ### END LIBTOOL TAG CONFIG: '$z'$/p' < $progpath`"
+	    CC_quoted=
+	    for arg in $CC; do
+	      # Double-quote args containing other shell metacharacters.
+	      func_append_quoted CC_quoted "$arg"
+	    done
+	    CC_expanded=`func_echo_all $CC`
+	    CC_quoted_expanded=`func_echo_all $CC_quoted`
+	    case "$@ " in
+	    " $CC "* | "$CC "* | " $CC_expanded "* | "$CC_expanded "* | \
+	    " $CC_quoted"* | "$CC_quoted "* | " $CC_quoted_expanded "* | "$CC_quoted_expanded "*)
+	      # The compiler in the base compile command matches
+	      # the one in the tagged configuration.
+	      # Assume this is the tagged configuration we want.
+	      tagname=$z
+	      break
+	      ;;
+	    esac
+	  fi
+	done
+	# If $tagname still isn't set, then no tagged configuration
+	# was found and let the user know that the "--tag" command
+	# line option must be used.
+	if test -z "$tagname"; then
+	  func_echo "unable to infer tagged configuration"
+	  func_fatal_error "specify a tag with '--tag'"
+#	else
+#	  func_verbose "using $tagname tagged configuration"
+	fi
+	;;
+      esac
+    fi
+}
+
+
+
+# func_write_libtool_object output_name pic_name nonpic_name
+# Create a libtool object file (analogous to a ".la" file),
+# but don't create it if we're doing a dry run.
+func_write_libtool_object ()
+{
+    write_libobj=$1
+    if test yes = "$build_libtool_libs"; then
+      write_lobj=\'$2\'
+    else
+      write_lobj=none
+    fi
+
+    if test yes = "$build_old_libs"; then
+      write_oldobj=\'$3\'
+    else
+      write_oldobj=none
+    fi
+
+    $opt_dry_run || {
+      cat >${write_libobj}T <<EOF
+# $write_libobj - a libtool object file
+# Generated by $PROGRAM (GNU $PACKAGE) $VERSION
+#
+# Please DO NOT delete this file!
+# It is necessary for linking the library.
+
+# Name of the PIC object.
+pic_object=$write_lobj
+
+# Name of the non-PIC object
+non_pic_object=$write_oldobj
+
+EOF
+      $MV "${write_libobj}T" "$write_libobj"
+    }
+}
+
+
+##################################################
+# FILE NAME AND PATH CONVERSION HELPER FUNCTIONS #
+##################################################
+
+# func_convert_core_file_wine_to_w32 ARG
+# Helper function used by file name conversion functions when $build is *nix,
+# and $host is mingw, cygwin, or some other w32 environment. Relies on a
+# correctly configured wine environment available, with the winepath program
+# in $build's $PATH.
+#
+# ARG is the $build file name to be converted to w32 format.
+# Result is available in $func_convert_core_file_wine_to_w32_result, and will
+# be empty on error (or when ARG is empty)
+func_convert_core_file_wine_to_w32 ()
+{
+  $debug_cmd
+
+  func_convert_core_file_wine_to_w32_result=$1
+  if test -n "$1"; then
+    # Unfortunately, winepath does not exit with a non-zero error code, so we
+    # are forced to check the contents of stdout. On the other hand, if the
+    # command is not found, the shell will set an exit code of 127 and print
+    # *an error message* to stdout. So we must check for both error code of
+    # zero AND non-empty stdout, which explains the odd construction:
+    func_convert_core_file_wine_to_w32_tmp=`winepath -w "$1" 2>/dev/null`
+    if test "$?" -eq 0 && test -n "$func_convert_core_file_wine_to_w32_tmp"; then
+      func_convert_core_file_wine_to_w32_result=`$ECHO "$func_convert_core_file_wine_to_w32_tmp" |
+        $SED -e "$sed_naive_backslashify"`
+    else
+      func_convert_core_file_wine_to_w32_result=
+    fi
+  fi
+}
+# end: func_convert_core_file_wine_to_w32
+
+
+# func_convert_core_path_wine_to_w32 ARG
+# Helper function used by path conversion functions when $build is *nix, and
+# $host is mingw, cygwin, or some other w32 environment. Relies on a correctly
+# configured wine environment available, with the winepath program in $build's
+# $PATH. Assumes ARG has no leading or trailing path separator characters.
+#
+# ARG is path to be converted from $build format to win32.
+# Result is available in $func_convert_core_path_wine_to_w32_result.
+# Unconvertible file (directory) names in ARG are skipped; if no directory names
+# are convertible, then the result may be empty.
+func_convert_core_path_wine_to_w32 ()
+{
+  $debug_cmd
+
+  # unfortunately, winepath doesn't convert paths, only file names
+  func_convert_core_path_wine_to_w32_result=
+  if test -n "$1"; then
+    oldIFS=$IFS
+    IFS=:
+    for func_convert_core_path_wine_to_w32_f in $1; do
+      IFS=$oldIFS
+      func_convert_core_file_wine_to_w32 "$func_convert_core_path_wine_to_w32_f"
+      if test -n "$func_convert_core_file_wine_to_w32_result"; then
+        if test -z "$func_convert_core_path_wine_to_w32_result"; then
+          func_convert_core_path_wine_to_w32_result=$func_convert_core_file_wine_to_w32_result
+        else
+          func_append func_convert_core_path_wine_to_w32_result ";$func_convert_core_file_wine_to_w32_result"
+        fi
+      fi
+    done
+    IFS=$oldIFS
+  fi
+}
+# end: func_convert_core_path_wine_to_w32
+
+
+# func_cygpath ARGS...
+# Wrapper around calling the cygpath program via LT_CYGPATH. This is used when
+# when (1) $build is *nix and Cygwin is hosted via a wine environment; or (2)
+# $build is MSYS and $host is Cygwin, or (3) $build is Cygwin. In case (1) or
+# (2), returns the Cygwin file name or path in func_cygpath_result (input
+# file name or path is assumed to be in w32 format, as previously converted
+# from $build's *nix or MSYS format). In case (3), returns the w32 file name
+# or path in func_cygpath_result (input file name or path is assumed to be in
+# Cygwin format). Returns an empty string on error.
+#
+# ARGS are passed to cygpath, with the last one being the file name or path to
+# be converted.
+#
+# Specify the absolute *nix (or w32) name to cygpath in the LT_CYGPATH
+# environment variable; do not put it in $PATH.
+func_cygpath ()
+{
+  $debug_cmd
+
+  if test -n "$LT_CYGPATH" && test -f "$LT_CYGPATH"; then
+    func_cygpath_result=`$LT_CYGPATH "$@" 2>/dev/null`
+    if test "$?" -ne 0; then
+      # on failure, ensure result is empty
+      func_cygpath_result=
+    fi
+  else
+    func_cygpath_result=
+    func_error "LT_CYGPATH is empty or specifies non-existent file: '$LT_CYGPATH'"
+  fi
+}
+#end: func_cygpath
+
+
+# func_convert_core_msys_to_w32 ARG
+# Convert file name or path ARG from MSYS format to w32 format.  Return
+# result in func_convert_core_msys_to_w32_result.
+func_convert_core_msys_to_w32 ()
+{
+  $debug_cmd
+
+  # awkward: cmd appends spaces to result
+  func_convert_core_msys_to_w32_result=`( cmd //c echo "$1" ) 2>/dev/null |
+    $SED -e 's/[ ]*$//' -e "$sed_naive_backslashify"`
+}
+#end: func_convert_core_msys_to_w32
+
+
+# func_convert_file_check ARG1 ARG2
+# Verify that ARG1 (a file name in $build format) was converted to $host
+# format in ARG2. Otherwise, emit an error message, but continue (resetting
+# func_to_host_file_result to ARG1).
+func_convert_file_check ()
+{
+  $debug_cmd
+
+  if test -z "$2" && test -n "$1"; then
+    func_error "Could not determine host file name corresponding to"
+    func_error "  '$1'"
+    func_error "Continuing, but uninstalled executables may not work."
+    # Fallback:
+    func_to_host_file_result=$1
+  fi
+}
+# end func_convert_file_check
+
+
+# func_convert_path_check FROM_PATHSEP TO_PATHSEP FROM_PATH TO_PATH
+# Verify that FROM_PATH (a path in $build format) was converted to $host
+# format in TO_PATH. Otherwise, emit an error message, but continue, resetting
+# func_to_host_file_result to a simplistic fallback value (see below).
+func_convert_path_check ()
+{
+  $debug_cmd
+
+  if test -z "$4" && test -n "$3"; then
+    func_error "Could not determine the host path corresponding to"
+    func_error "  '$3'"
+    func_error "Continuing, but uninstalled executables may not work."
+    # Fallback.  This is a deliberately simplistic "conversion" and
+    # should not be "improved".  See libtool.info.
+    if test "x$1" != "x$2"; then
+      lt_replace_pathsep_chars="s|$1|$2|g"
+      func_to_host_path_result=`echo "$3" |
+        $SED -e "$lt_replace_pathsep_chars"`
+    else
+      func_to_host_path_result=$3
+    fi
+  fi
+}
+# end func_convert_path_check
+
+
+# func_convert_path_front_back_pathsep FRONTPAT BACKPAT REPL ORIG
+# Modifies func_to_host_path_result by prepending REPL if ORIG matches FRONTPAT
+# and appending REPL if ORIG matches BACKPAT.
+func_convert_path_front_back_pathsep ()
+{
+  $debug_cmd
+
+  case $4 in
+  $1 ) func_to_host_path_result=$3$func_to_host_path_result
+    ;;
+  esac
+  case $4 in
+  $2 ) func_append func_to_host_path_result "$3"
+    ;;
+  esac
+}
+# end func_convert_path_front_back_pathsep
+
+
+##################################################
+# $build to $host FILE NAME CONVERSION FUNCTIONS #
+##################################################
+# invoked via '$to_host_file_cmd ARG'
+#
+# In each case, ARG is the path to be converted from $build to $host format.
+# Result will be available in $func_to_host_file_result.
+
+
+# func_to_host_file ARG
+# Converts the file name ARG from $build format to $host format. Return result
+# in func_to_host_file_result.
+func_to_host_file ()
+{
+  $debug_cmd
+
+  $to_host_file_cmd "$1"
+}
+# end func_to_host_file
+
+
+# func_to_tool_file ARG LAZY
+# converts the file name ARG from $build format to toolchain format. Return
+# result in func_to_tool_file_result.  If the conversion in use is listed
+# in (the comma separated) LAZY, no conversion takes place.
+func_to_tool_file ()
+{
+  $debug_cmd
+
+  case ,$2, in
+    *,"$to_tool_file_cmd",*)
+      func_to_tool_file_result=$1
+      ;;
+    *)
+      $to_tool_file_cmd "$1"
+      func_to_tool_file_result=$func_to_host_file_result
+      ;;
+  esac
+}
+# end func_to_tool_file
+
+
+# func_convert_file_noop ARG
+# Copy ARG to func_to_host_file_result.
+func_convert_file_noop ()
+{
+  func_to_host_file_result=$1
+}
+# end func_convert_file_noop
+
+
+# func_convert_file_msys_to_w32 ARG
+# Convert file name ARG from (mingw) MSYS to (mingw) w32 format; automatic
+# conversion to w32 is not available inside the cwrapper.  Returns result in
+# func_to_host_file_result.
+func_convert_file_msys_to_w32 ()
+{
+  $debug_cmd
+
+  func_to_host_file_result=$1
+  if test -n "$1"; then
+    func_convert_core_msys_to_w32 "$1"
+    func_to_host_file_result=$func_convert_core_msys_to_w32_result
+  fi
+  func_convert_file_check "$1" "$func_to_host_file_result"
+}
+# end func_convert_file_msys_to_w32
+
+
+# func_convert_file_cygwin_to_w32 ARG
+# Convert file name ARG from Cygwin to w32 format.  Returns result in
+# func_to_host_file_result.
+func_convert_file_cygwin_to_w32 ()
+{
+  $debug_cmd
+
+  func_to_host_file_result=$1
+  if test -n "$1"; then
+    # because $build is cygwin, we call "the" cygpath in $PATH; no need to use
+    # LT_CYGPATH in this case.
+    func_to_host_file_result=`cygpath -m "$1"`
+  fi
+  func_convert_file_check "$1" "$func_to_host_file_result"
+}
+# end func_convert_file_cygwin_to_w32
+
+
+# func_convert_file_nix_to_w32 ARG
+# Convert file name ARG from *nix to w32 format.  Requires a wine environment
+# and a working winepath. Returns result in func_to_host_file_result.
+func_convert_file_nix_to_w32 ()
+{
+  $debug_cmd
+
+  func_to_host_file_result=$1
+  if test -n "$1"; then
+    func_convert_core_file_wine_to_w32 "$1"
+    func_to_host_file_result=$func_convert_core_file_wine_to_w32_result
+  fi
+  func_convert_file_check "$1" "$func_to_host_file_result"
+}
+# end func_convert_file_nix_to_w32
+
+
+# func_convert_file_msys_to_cygwin ARG
+# Convert file name ARG from MSYS to Cygwin format.  Requires LT_CYGPATH set.
+# Returns result in func_to_host_file_result.
+func_convert_file_msys_to_cygwin ()
+{
+  $debug_cmd
+
+  func_to_host_file_result=$1
+  if test -n "$1"; then
+    func_convert_core_msys_to_w32 "$1"
+    func_cygpath -u "$func_convert_core_msys_to_w32_result"
+    func_to_host_file_result=$func_cygpath_result
+  fi
+  func_convert_file_check "$1" "$func_to_host_file_result"
+}
+# end func_convert_file_msys_to_cygwin
+
+
+# func_convert_file_nix_to_cygwin ARG
+# Convert file name ARG from *nix to Cygwin format.  Requires Cygwin installed
+# in a wine environment, working winepath, and LT_CYGPATH set.  Returns result
+# in func_to_host_file_result.
+func_convert_file_nix_to_cygwin ()
+{
+  $debug_cmd
+
+  func_to_host_file_result=$1
+  if test -n "$1"; then
+    # convert from *nix to w32, then use cygpath to convert from w32 to cygwin.
+    func_convert_core_file_wine_to_w32 "$1"
+    func_cygpath -u "$func_convert_core_file_wine_to_w32_result"
+    func_to_host_file_result=$func_cygpath_result
+  fi
+  func_convert_file_check "$1" "$func_to_host_file_result"
+}
+# end func_convert_file_nix_to_cygwin
+
+
+#############################################
+# $build to $host PATH CONVERSION FUNCTIONS #
+#############################################
+# invoked via '$to_host_path_cmd ARG'
+#
+# In each case, ARG is the path to be converted from $build to $host format.
+# The result will be available in $func_to_host_path_result.
+#
+# Path separators are also converted from $build format to $host format.  If
+# ARG begins or ends with a path separator character, it is preserved (but
+# converted to $host format) on output.
+#
+# All path conversion functions are named using the following convention:
+#   file name conversion function    : func_convert_file_X_to_Y ()
+#   path conversion function         : func_convert_path_X_to_Y ()
+# where, for any given $build/$host combination the 'X_to_Y' value is the
+# same.  If conversion functions are added for new $build/$host combinations,
+# the two new functions must follow this pattern, or func_init_to_host_path_cmd
+# will break.
+
+
+# func_init_to_host_path_cmd
+# Ensures that function "pointer" variable $to_host_path_cmd is set to the
+# appropriate value, based on the value of $to_host_file_cmd.
+to_host_path_cmd=
+func_init_to_host_path_cmd ()
+{
+  $debug_cmd
+
+  if test -z "$to_host_path_cmd"; then
+    func_stripname 'func_convert_file_' '' "$to_host_file_cmd"
+    to_host_path_cmd=func_convert_path_$func_stripname_result
+  fi
+}
+
+
+# func_to_host_path ARG
+# Converts the path ARG from $build format to $host format. Return result
+# in func_to_host_path_result.
+func_to_host_path ()
+{
+  $debug_cmd
+
+  func_init_to_host_path_cmd
+  $to_host_path_cmd "$1"
+}
+# end func_to_host_path
+
+
+# func_convert_path_noop ARG
+# Copy ARG to func_to_host_path_result.
+func_convert_path_noop ()
+{
+  func_to_host_path_result=$1
+}
+# end func_convert_path_noop
+
+
+# func_convert_path_msys_to_w32 ARG
+# Convert path ARG from (mingw) MSYS to (mingw) w32 format; automatic
+# conversion to w32 is not available inside the cwrapper.  Returns result in
+# func_to_host_path_result.
+func_convert_path_msys_to_w32 ()
+{
+  $debug_cmd
+
+  func_to_host_path_result=$1
+  if test -n "$1"; then
+    # Remove leading and trailing path separator characters from ARG.  MSYS
+    # behavior is inconsistent here; cygpath turns them into '.;' and ';.';
+    # and winepath ignores them completely.
+    func_stripname : : "$1"
+    func_to_host_path_tmp1=$func_stripname_result
+    func_convert_core_msys_to_w32 "$func_to_host_path_tmp1"
+    func_to_host_path_result=$func_convert_core_msys_to_w32_result
+    func_convert_path_check : ";" \
+      "$func_to_host_path_tmp1" "$func_to_host_path_result"
+    func_convert_path_front_back_pathsep ":*" "*:" ";" "$1"
+  fi
+}
+# end func_convert_path_msys_to_w32
+
+
+# func_convert_path_cygwin_to_w32 ARG
+# Convert path ARG from Cygwin to w32 format.  Returns result in
+# func_to_host_file_result.
+func_convert_path_cygwin_to_w32 ()
+{
+  $debug_cmd
+
+  func_to_host_path_result=$1
+  if test -n "$1"; then
+    # See func_convert_path_msys_to_w32:
+    func_stripname : : "$1"
+    func_to_host_path_tmp1=$func_stripname_result
+    func_to_host_path_result=`cygpath -m -p "$func_to_host_path_tmp1"`
+    func_convert_path_check : ";" \
+      "$func_to_host_path_tmp1" "$func_to_host_path_result"
+    func_convert_path_front_back_pathsep ":*" "*:" ";" "$1"
+  fi
+}
+# end func_convert_path_cygwin_to_w32
+
+
+# func_convert_path_nix_to_w32 ARG
+# Convert path ARG from *nix to w32 format.  Requires a wine environment and
+# a working winepath.  Returns result in func_to_host_file_result.
+func_convert_path_nix_to_w32 ()
+{
+  $debug_cmd
+
+  func_to_host_path_result=$1
+  if test -n "$1"; then
+    # See func_convert_path_msys_to_w32:
+    func_stripname : : "$1"
+    func_to_host_path_tmp1=$func_stripname_result
+    func_convert_core_path_wine_to_w32 "$func_to_host_path_tmp1"
+    func_to_host_path_result=$func_convert_core_path_wine_to_w32_result
+    func_convert_path_check : ";" \
+      "$func_to_host_path_tmp1" "$func_to_host_path_result"
+    func_convert_path_front_back_pathsep ":*" "*:" ";" "$1"
+  fi
+}
+# end func_convert_path_nix_to_w32
+
+
+# func_convert_path_msys_to_cygwin ARG
+# Convert path ARG from MSYS to Cygwin format.  Requires LT_CYGPATH set.
+# Returns result in func_to_host_file_result.
+func_convert_path_msys_to_cygwin ()
+{
+  $debug_cmd
+
+  func_to_host_path_result=$1
+  if test -n "$1"; then
+    # See func_convert_path_msys_to_w32:
+    func_stripname : : "$1"
+    func_to_host_path_tmp1=$func_stripname_result
+    func_convert_core_msys_to_w32 "$func_to_host_path_tmp1"
+    func_cygpath -u -p "$func_convert_core_msys_to_w32_result"
+    func_to_host_path_result=$func_cygpath_result
+    func_convert_path_check : : \
+      "$func_to_host_path_tmp1" "$func_to_host_path_result"
+    func_convert_path_front_back_pathsep ":*" "*:" : "$1"
+  fi
+}
+# end func_convert_path_msys_to_cygwin
+
+
+# func_convert_path_nix_to_cygwin ARG
+# Convert path ARG from *nix to Cygwin format.  Requires Cygwin installed in a
+# a wine environment, working winepath, and LT_CYGPATH set.  Returns result in
+# func_to_host_file_result.
+func_convert_path_nix_to_cygwin ()
+{
+  $debug_cmd
+
+  func_to_host_path_result=$1
+  if test -n "$1"; then
+    # Remove leading and trailing path separator characters from
+    # ARG. msys behavior is inconsistent here, cygpath turns them
+    # into '.;' and ';.', and winepath ignores them completely.
+    func_stripname : : "$1"
+    func_to_host_path_tmp1=$func_stripname_result
+    func_convert_core_path_wine_to_w32 "$func_to_host_path_tmp1"
+    func_cygpath -u -p "$func_convert_core_path_wine_to_w32_result"
+    func_to_host_path_result=$func_cygpath_result
+    func_convert_path_check : : \
+      "$func_to_host_path_tmp1" "$func_to_host_path_result"
+    func_convert_path_front_back_pathsep ":*" "*:" : "$1"
+  fi
+}
+# end func_convert_path_nix_to_cygwin
+
+
+# func_dll_def_p FILE
+# True iff FILE is a Windows DLL '.def' file.
+# Keep in sync with _LT_DLL_DEF_P in libtool.m4
+func_dll_def_p ()
+{
+  $debug_cmd
+
+  func_dll_def_p_tmp=`$SED -n \
+    -e 's/^[	 ]*//' \
+    -e '/^\(;.*\)*$/d' \
+    -e 's/^\(EXPORTS\|LIBRARY\)\([	 ].*\)*$/DEF/p' \
+    -e q \
+    "$1"`
+  test DEF = "$func_dll_def_p_tmp"
+}
+
+
+# func_mode_compile arg...
+func_mode_compile ()
+{
+    $debug_cmd
+
+    # Get the compilation command and the source file.
+    base_compile=
+    srcfile=$nonopt  #  always keep a non-empty value in "srcfile"
+    suppress_opt=yes
+    suppress_output=
+    arg_mode=normal
+    libobj=
+    later=
+    pie_flag=
+
+    for arg
+    do
+      case $arg_mode in
+      arg  )
+	# do not "continue".  Instead, add this to base_compile
+	lastarg=$arg
+	arg_mode=normal
+	;;
+
+      target )
+	libobj=$arg
+	arg_mode=normal
+	continue
+	;;
+
+      normal )
+	# Accept any command-line options.
+	case $arg in
+	-o)
+	  test -n "$libobj" && \
+	    func_fatal_error "you cannot specify '-o' more than once"
+	  arg_mode=target
+	  continue
+	  ;;
+
+	-pie | -fpie | -fPIE)
+          func_append pie_flag " $arg"
+	  continue
+	  ;;
+
+	-shared | -static | -prefer-pic | -prefer-non-pic)
+	  func_append later " $arg"
+	  continue
+	  ;;
+
+	-no-suppress)
+	  suppress_opt=no
+	  continue
+	  ;;
+
+	-Xcompiler)
+	  arg_mode=arg  #  the next one goes into the "base_compile" arg list
+	  continue      #  The current "srcfile" will either be retained or
+	  ;;            #  replaced later.  I would guess that would be a bug.
+
+	-Wc,*)
+	  func_stripname '-Wc,' '' "$arg"
+	  args=$func_stripname_result
+	  lastarg=
+	  save_ifs=$IFS; IFS=,
+	  for arg in $args; do
+	    IFS=$save_ifs
+	    func_append_quoted lastarg "$arg"
+	  done
+	  IFS=$save_ifs
+	  func_stripname ' ' '' "$lastarg"
+	  lastarg=$func_stripname_result
+
+	  # Add the arguments to base_compile.
+	  func_append base_compile " $lastarg"
+	  continue
+	  ;;
+
+	*)
+	  # Accept the current argument as the source file.
+	  # The previous "srcfile" becomes the current argument.
+	  #
+	  lastarg=$srcfile
+	  srcfile=$arg
+	  ;;
+	esac  #  case $arg
+	;;
+      esac    #  case $arg_mode
+
+      # Aesthetically quote the previous argument.
+      func_append_quoted base_compile "$lastarg"
+    done # for arg
+
+    case $arg_mode in
+    arg)
+      func_fatal_error "you must specify an argument for -Xcompile"
+      ;;
+    target)
+      func_fatal_error "you must specify a target with '-o'"
+      ;;
+    *)
+      # Get the name of the library object.
+      test -z "$libobj" && {
+	func_basename "$srcfile"
+	libobj=$func_basename_result
+      }
+      ;;
+    esac
+
+    # Recognize several different file suffixes.
+    # If the user specifies -o file.o, it is replaced with file.lo
+    case $libobj in
+    *.[cCFSifmso] | \
+    *.ada | *.adb | *.ads | *.asm | \
+    *.c++ | *.cc | *.ii | *.class | *.cpp | *.cxx | \
+    *.[fF][09]? | *.for | *.java | *.go | *.obj | *.sx | *.cu | *.cup)
+      func_xform "$libobj"
+      libobj=$func_xform_result
+      ;;
+    esac
+
+    case $libobj in
+    *.lo) func_lo2o "$libobj"; obj=$func_lo2o_result ;;
+    *)
+      func_fatal_error "cannot determine name of library object from '$libobj'"
+      ;;
+    esac
+
+    func_infer_tag $base_compile
+
+    for arg in $later; do
+      case $arg in
+      -shared)
+	test yes = "$build_libtool_libs" \
+	  || func_fatal_configuration "cannot build a shared library"
+	build_old_libs=no
+	continue
+	;;
+
+      -static)
+	build_libtool_libs=no
+	build_old_libs=yes
+	continue
+	;;
+
+      -prefer-pic)
+	pic_mode=yes
+	continue
+	;;
+
+      -prefer-non-pic)
+	pic_mode=no
+	continue
+	;;
+      esac
+    done
+
+    func_quote_for_eval "$libobj"
+    test "X$libobj" != "X$func_quote_for_eval_result" \
+      && $ECHO "X$libobj" | $GREP '[]~#^*{};<>?"'"'"'	 &()|`$[]' \
+      && func_warning "libobj name '$libobj' may not contain shell special characters."
+    func_dirname_and_basename "$obj" "/" ""
+    objname=$func_basename_result
+    xdir=$func_dirname_result
+    lobj=$xdir$objdir/$objname
+
+    test -z "$base_compile" && \
+      func_fatal_help "you must specify a compilation command"
+
+    # Delete any leftover library objects.
+    if test yes = "$build_old_libs"; then
+      removelist="$obj $lobj $libobj ${libobj}T"
+    else
+      removelist="$lobj $libobj ${libobj}T"
+    fi
+
+    # On Cygwin there's no "real" PIC flag so we must build both object types
+    case $host_os in
+    cygwin* | mingw* | pw32* | os2* | cegcc*)
+      pic_mode=default
+      ;;
+    esac
+    if test no = "$pic_mode" && test pass_all != "$deplibs_check_method"; then
+      # non-PIC code in shared libraries is not supported
+      pic_mode=default
+    fi
+
+    # Calculate the filename of the output object if compiler does
+    # not support -o with -c
+    if test no = "$compiler_c_o"; then
+      output_obj=`$ECHO "$srcfile" | $SED 's%^.*/%%; s%\.[^.]*$%%'`.$objext
+      lockfile=$output_obj.lock
+    else
+      output_obj=
+      need_locks=no
+      lockfile=
+    fi
+
+    # Lock this critical section if it is needed
+    # We use this script file to make the link, it avoids creating a new file
+    if test yes = "$need_locks"; then
+      until $opt_dry_run || ln "$progpath" "$lockfile" 2>/dev/null; do
+	func_echo "Waiting for $lockfile to be removed"
+	sleep 2
+      done
+    elif test warn = "$need_locks"; then
+      if test -f "$lockfile"; then
+	$ECHO "\
+*** ERROR, $lockfile exists and contains:
+`cat $lockfile 2>/dev/null`
+
+This indicates that another process is trying to use the same
+temporary object file, and libtool could not work around it because
+your compiler does not support '-c' and '-o' together.  If you
+repeat this compilation, it may succeed, by chance, but you had better
+avoid parallel builds (make -j) in this platform, or get a better
+compiler."
+
+	$opt_dry_run || $RM $removelist
+	exit $EXIT_FAILURE
+      fi
+      func_append removelist " $output_obj"
+      $ECHO "$srcfile" > "$lockfile"
+    fi
+
+    $opt_dry_run || $RM $removelist
+    func_append removelist " $lockfile"
+    trap '$opt_dry_run || $RM $removelist; exit $EXIT_FAILURE' 1 2 15
+
+    func_to_tool_file "$srcfile" func_convert_file_msys_to_w32
+    srcfile=$func_to_tool_file_result
+    func_quote_for_eval "$srcfile"
+    qsrcfile=$func_quote_for_eval_result
+
+    # Only build a PIC object if we are building libtool libraries.
+    if test yes = "$build_libtool_libs"; then
+      # Without this assignment, base_compile gets emptied.
+      fbsd_hideous_sh_bug=$base_compile
+
+      if test no != "$pic_mode"; then
+	command="$base_compile $qsrcfile $pic_flag"
+      else
+	# Don't build PIC code
+	command="$base_compile $qsrcfile"
+      fi
+
+      func_mkdir_p "$xdir$objdir"
+
+      if test -z "$output_obj"; then
+	# Place PIC objects in $objdir
+	func_append command " -o $lobj"
+      fi
+
+      func_show_eval_locale "$command"	\
+          'test -n "$output_obj" && $RM $removelist; exit $EXIT_FAILURE'
+
+      if test warn = "$need_locks" &&
+	 test "X`cat $lockfile 2>/dev/null`" != "X$srcfile"; then
+	$ECHO "\
+*** ERROR, $lockfile contains:
+`cat $lockfile 2>/dev/null`
+
+but it should contain:
+$srcfile
+
+This indicates that another process is trying to use the same
+temporary object file, and libtool could not work around it because
+your compiler does not support '-c' and '-o' together.  If you
+repeat this compilation, it may succeed, by chance, but you had better
+avoid parallel builds (make -j) in this platform, or get a better
+compiler."
+
+	$opt_dry_run || $RM $removelist
+	exit $EXIT_FAILURE
+      fi
+
+      # Just move the object if needed, then go on to compile the next one
+      if test -n "$output_obj" && test "X$output_obj" != "X$lobj"; then
+	func_show_eval '$MV "$output_obj" "$lobj"' \
+	  'error=$?; $opt_dry_run || $RM $removelist; exit $error'
+      fi
+
+      # Allow error messages only from the first compilation.
+      if test yes = "$suppress_opt"; then
+	suppress_output=' >/dev/null 2>&1'
+      fi
+    fi
+
+    # Only build a position-dependent object if we build old libraries.
+    if test yes = "$build_old_libs"; then
+      if test yes != "$pic_mode"; then
+	# Don't build PIC code
+	command="$base_compile $qsrcfile$pie_flag"
+      else
+	command="$base_compile $qsrcfile $pic_flag"
+      fi
+      if test yes = "$compiler_c_o"; then
+	func_append command " -o $obj"
+      fi
+
+      # Suppress compiler output if we already did a PIC compilation.
+      func_append command "$suppress_output"
+      func_show_eval_locale "$command" \
+        '$opt_dry_run || $RM $removelist; exit $EXIT_FAILURE'
+
+      if test warn = "$need_locks" &&
+	 test "X`cat $lockfile 2>/dev/null`" != "X$srcfile"; then
+	$ECHO "\
+*** ERROR, $lockfile contains:
+`cat $lockfile 2>/dev/null`
+
+but it should contain:
+$srcfile
+
+This indicates that another process is trying to use the same
+temporary object file, and libtool could not work around it because
+your compiler does not support '-c' and '-o' together.  If you
+repeat this compilation, it may succeed, by chance, but you had better
+avoid parallel builds (make -j) in this platform, or get a better
+compiler."
+
+	$opt_dry_run || $RM $removelist
+	exit $EXIT_FAILURE
+      fi
+
+      # Just move the object if needed
+      if test -n "$output_obj" && test "X$output_obj" != "X$obj"; then
+	func_show_eval '$MV "$output_obj" "$obj"' \
+	  'error=$?; $opt_dry_run || $RM $removelist; exit $error'
+      fi
+    fi
+
+    $opt_dry_run || {
+      func_write_libtool_object "$libobj" "$objdir/$objname" "$objname"
+
+      # Unlock the critical section if it was locked
+      if test no != "$need_locks"; then
+	removelist=$lockfile
+        $RM "$lockfile"
+      fi
+    }
+
+    exit $EXIT_SUCCESS
+}
+
+$opt_help || {
+  test compile = "$opt_mode" && func_mode_compile ${1+"$@"}
+}
+
+func_mode_help ()
+{
+    # We need to display help for each of the modes.
+    case $opt_mode in
+      "")
+        # Generic help is extracted from the usage comments
+        # at the start of this file.
+        func_help
+        ;;
+
+      clean)
+        $ECHO \
+"Usage: $progname [OPTION]... --mode=clean RM [RM-OPTION]... FILE...
+
+Remove files from the build directory.
+
+RM is the name of the program to use to delete files associated with each FILE
+(typically '/bin/rm').  RM-OPTIONS are options (such as '-f') to be passed
+to RM.
+
+If FILE is a libtool library, object or program, all the files associated
+with it are deleted. Otherwise, only FILE itself is deleted using RM."
+        ;;
+
+      compile)
+      $ECHO \
+"Usage: $progname [OPTION]... --mode=compile COMPILE-COMMAND... SOURCEFILE
+
+Compile a source file into a libtool library object.
+
+This mode accepts the following additional options:
+
+  -o OUTPUT-FILE    set the output file name to OUTPUT-FILE
+  -no-suppress      do not suppress compiler output for multiple passes
+  -prefer-pic       try to build PIC objects only
+  -prefer-non-pic   try to build non-PIC objects only
+  -shared           do not build a '.o' file suitable for static linking
+  -static           only build a '.o' file suitable for static linking
+  -Wc,FLAG          pass FLAG directly to the compiler
+
+COMPILE-COMMAND is a command to be used in creating a 'standard' object file
+from the given SOURCEFILE.
+
+The output file name is determined by removing the directory component from
+SOURCEFILE, then substituting the C source code suffix '.c' with the
+library object suffix, '.lo'."
+        ;;
+
+      execute)
+        $ECHO \
+"Usage: $progname [OPTION]... --mode=execute COMMAND [ARGS]...
+
+Automatically set library path, then run a program.
+
+This mode accepts the following additional options:
+
+  -dlopen FILE      add the directory containing FILE to the library path
+
+This mode sets the library path environment variable according to '-dlopen'
+flags.
+
+If any of the ARGS are libtool executable wrappers, then they are translated
+into their corresponding uninstalled binary, and any of their required library
+directories are added to the library path.
+
+Then, COMMAND is executed, with ARGS as arguments."
+        ;;
+
+      finish)
+        $ECHO \
+"Usage: $progname [OPTION]... --mode=finish [LIBDIR]...
+
+Complete the installation of libtool libraries.
+
+Each LIBDIR is a directory that contains libtool libraries.
+
+The commands that this mode executes may require superuser privileges.  Use
+the '--dry-run' option if you just want to see what would be executed."
+        ;;
+
+      install)
+        $ECHO \
+"Usage: $progname [OPTION]... --mode=install INSTALL-COMMAND...
+
+Install executables or libraries.
+
+INSTALL-COMMAND is the installation command.  The first component should be
+either the 'install' or 'cp' program.
+
+The following components of INSTALL-COMMAND are treated specially:
+
+  -inst-prefix-dir PREFIX-DIR  Use PREFIX-DIR as a staging area for installation
+
+The rest of the components are interpreted as arguments to that command (only
+BSD-compatible install options are recognized)."
+        ;;
+
+      link)
+        $ECHO \
+"Usage: $progname [OPTION]... --mode=link LINK-COMMAND...
+
+Link object files or libraries together to form another library, or to
+create an executable program.
+
+LINK-COMMAND is a command using the C compiler that you would use to create
+a program from several object files.
+
+The following components of LINK-COMMAND are treated specially:
+
+  -all-static       do not do any dynamic linking at all
+  -avoid-version    do not add a version suffix if possible
+  -bindir BINDIR    specify path to binaries directory (for systems where
+                    libraries must be found in the PATH setting at runtime)
+  -dlopen FILE      '-dlpreopen' FILE if it cannot be dlopened at runtime
+  -dlpreopen FILE   link in FILE and add its symbols to lt_preloaded_symbols
+  -export-dynamic   allow symbols from OUTPUT-FILE to be resolved with dlsym(3)
+  -export-symbols SYMFILE
+                    try to export only the symbols listed in SYMFILE
+  -export-symbols-regex REGEX
+                    try to export only the symbols matching REGEX
+  -LLIBDIR          search LIBDIR for required installed libraries
+  -lNAME            OUTPUT-FILE requires the installed library libNAME
+  -module           build a library that can dlopened
+  -no-fast-install  disable the fast-install mode
+  -no-install       link a not-installable executable
+  -no-undefined     declare that a library does not refer to external symbols
+  -o OUTPUT-FILE    create OUTPUT-FILE from the specified objects
+  -objectlist FILE  use a list of object files found in FILE to specify objects
+  -os2dllname NAME  force a short DLL name on OS/2 (no effect on other OSes)
+  -precious-files-regex REGEX
+                    don't remove output files matching REGEX
+  -release RELEASE  specify package release information
+  -rpath LIBDIR     the created library will eventually be installed in LIBDIR
+  -R[ ]LIBDIR       add LIBDIR to the runtime path of programs and libraries
+  -shared           only do dynamic linking of libtool libraries
+  -shrext SUFFIX    override the standard shared library file extension
+  -static           do not do any dynamic linking of uninstalled libtool libraries
+  -static-libtool-libs
+                    do not do any dynamic linking of libtool libraries
+  -version-info CURRENT[:REVISION[:AGE]]
+                    specify library version info [each variable defaults to 0]
+  -weak LIBNAME     declare that the target provides the LIBNAME interface
+  -Wc,FLAG
+  -Xcompiler FLAG   pass linker-specific FLAG directly to the compiler
+  -Wl,FLAG
+  -Xlinker FLAG     pass linker-specific FLAG directly to the linker
+  -XCClinker FLAG   pass link-specific FLAG to the compiler driver (CC)
+
+All other options (arguments beginning with '-') are ignored.
+
+Every other argument is treated as a filename.  Files ending in '.la' are
+treated as uninstalled libtool libraries, other files are standard or library
+object files.
+
+If the OUTPUT-FILE ends in '.la', then a libtool library is created,
+only library objects ('.lo' files) may be specified, and '-rpath' is
+required, except when creating a convenience library.
+
+If OUTPUT-FILE ends in '.a' or '.lib', then a standard library is created
+using 'ar' and 'ranlib', or on Windows using 'lib'.
+
+If OUTPUT-FILE ends in '.lo' or '.$objext', then a reloadable object file
+is created, otherwise an executable program is created."
+        ;;
+
+      uninstall)
+        $ECHO \
+"Usage: $progname [OPTION]... --mode=uninstall RM [RM-OPTION]... FILE...
+
+Remove libraries from an installation directory.
+
+RM is the name of the program to use to delete files associated with each FILE
+(typically '/bin/rm').  RM-OPTIONS are options (such as '-f') to be passed
+to RM.
+
+If FILE is a libtool library, all the files associated with it are deleted.
+Otherwise, only FILE itself is deleted using RM."
+        ;;
+
+      *)
+        func_fatal_help "invalid operation mode '$opt_mode'"
+        ;;
+    esac
+
+    echo
+    $ECHO "Try '$progname --help' for more information about other modes."
+}
+
+# Now that we've collected a possible --mode arg, show help if necessary
+if $opt_help; then
+  if test : = "$opt_help"; then
+    func_mode_help
+  else
+    {
+      func_help noexit
+      for opt_mode in compile link execute install finish uninstall clean; do
+	func_mode_help
+      done
+    } | $SED -n '1p; 2,$s/^Usage:/  or: /p'
+    {
+      func_help noexit
+      for opt_mode in compile link execute install finish uninstall clean; do
+	echo
+	func_mode_help
+      done
+    } |
+    $SED '1d
+      /^When reporting/,/^Report/{
+	H
+	d
+      }
+      $x
+      /information about other modes/d
+      /more detailed .*MODE/d
+      s/^Usage:.*--mode=\([^ ]*\) .*/Description of \1 mode:/'
+  fi
+  exit $?
+fi
+
+
+# func_mode_execute arg...
+func_mode_execute ()
+{
+    $debug_cmd
+
+    # The first argument is the command name.
+    cmd=$nonopt
+    test -z "$cmd" && \
+      func_fatal_help "you must specify a COMMAND"
+
+    # Handle -dlopen flags immediately.
+    for file in $opt_dlopen; do
+      test -f "$file" \
+	|| func_fatal_help "'$file' is not a file"
+
+      dir=
+      case $file in
+      *.la)
+	func_resolve_sysroot "$file"
+	file=$func_resolve_sysroot_result
+
+	# Check to see that this really is a libtool archive.
+	func_lalib_unsafe_p "$file" \
+	  || func_fatal_help "'$lib' is not a valid libtool archive"
+
+	# Read the libtool library.
+	dlname=
+	library_names=
+	func_source "$file"
+
+	# Skip this library if it cannot be dlopened.
+	if test -z "$dlname"; then
+	  # Warn if it was a shared library.
+	  test -n "$library_names" && \
+	    func_warning "'$file' was not linked with '-export-dynamic'"
+	  continue
+	fi
+
+	func_dirname "$file" "" "."
+	dir=$func_dirname_result
+
+	if test -f "$dir/$objdir/$dlname"; then
+	  func_append dir "/$objdir"
+	else
+	  if test ! -f "$dir/$dlname"; then
+	    func_fatal_error "cannot find '$dlname' in '$dir' or '$dir/$objdir'"
+	  fi
+	fi
+	;;
+
+      *.lo)
+	# Just add the directory containing the .lo file.
+	func_dirname "$file" "" "."
+	dir=$func_dirname_result
+	;;
+
+      *)
+	func_warning "'-dlopen' is ignored for non-libtool libraries and objects"
+	continue
+	;;
+      esac
+
+      # Get the absolute pathname.
+      absdir=`cd "$dir" && pwd`
+      test -n "$absdir" && dir=$absdir
+
+      # Now add the directory to shlibpath_var.
+      if eval "test -z \"\$$shlibpath_var\""; then
+	eval "$shlibpath_var=\"\$dir\""
+      else
+	eval "$shlibpath_var=\"\$dir:\$$shlibpath_var\""
+      fi
+    done
+
+    # This variable tells wrapper scripts just to set shlibpath_var
+    # rather than running their programs.
+    libtool_execute_magic=$magic
+
+    # Check if any of the arguments is a wrapper script.
+    args=
+    for file
+    do
+      case $file in
+      -* | *.la | *.lo ) ;;
+      *)
+	# Do a test to see if this is really a libtool program.
+	if func_ltwrapper_script_p "$file"; then
+	  func_source "$file"
+	  # Transform arg to wrapped name.
+	  file=$progdir/$program
+	elif func_ltwrapper_executable_p "$file"; then
+	  func_ltwrapper_scriptname "$file"
+	  func_source "$func_ltwrapper_scriptname_result"
+	  # Transform arg to wrapped name.
+	  file=$progdir/$program
+	fi
+	;;
+      esac
+      # Quote arguments (to preserve shell metacharacters).
+      func_append_quoted args "$file"
+    done
+
+    if $opt_dry_run; then
+      # Display what would be done.
+      if test -n "$shlibpath_var"; then
+	eval "\$ECHO \"\$shlibpath_var=\$$shlibpath_var\""
+	echo "export $shlibpath_var"
+      fi
+      $ECHO "$cmd$args"
+      exit $EXIT_SUCCESS
+    else
+      if test -n "$shlibpath_var"; then
+	# Export the shlibpath_var.
+	eval "export $shlibpath_var"
+      fi
+
+      # Restore saved environment variables
+      for lt_var in LANG LANGUAGE LC_ALL LC_CTYPE LC_COLLATE LC_MESSAGES
+      do
+	eval "if test \"\${save_$lt_var+set}\" = set; then
+                $lt_var=\$save_$lt_var; export $lt_var
+	      else
+		$lt_unset $lt_var
+	      fi"
+      done
+
+      # Now prepare to actually exec the command.
+      exec_cmd=\$cmd$args
+    fi
+}
+
+test execute = "$opt_mode" && func_mode_execute ${1+"$@"}
+
+
+# func_mode_finish arg...
+func_mode_finish ()
+{
+    $debug_cmd
+
+    libs=
+    libdirs=
+    admincmds=
+
+    for opt in "$nonopt" ${1+"$@"}
+    do
+      if test -d "$opt"; then
+	func_append libdirs " $opt"
+
+      elif test -f "$opt"; then
+	if func_lalib_unsafe_p "$opt"; then
+	  func_append libs " $opt"
+	else
+	  func_warning "'$opt' is not a valid libtool archive"
+	fi
+
+      else
+	func_fatal_error "invalid argument '$opt'"
+      fi
+    done
+
+    if test -n "$libs"; then
+      if test -n "$lt_sysroot"; then
+        sysroot_regex=`$ECHO "$lt_sysroot" | $SED "$sed_make_literal_regex"`
+        sysroot_cmd="s/\([ ']\)$sysroot_regex/\1/g;"
+      else
+        sysroot_cmd=
+      fi
+
+      # Remove sysroot references
+      if $opt_dry_run; then
+        for lib in $libs; do
+          echo "removing references to $lt_sysroot and '=' prefixes from $lib"
+        done
+      else
+        tmpdir=`func_mktempdir`
+        for lib in $libs; do
+	  $SED -e "$sysroot_cmd s/\([ ']-[LR]\)=/\1/g; s/\([ ']\)=/\1/g" $lib \
+	    > $tmpdir/tmp-la
+	  mv -f $tmpdir/tmp-la $lib
+	done
+        ${RM}r "$tmpdir"
+      fi
+    fi
+
+    if test -n "$finish_cmds$finish_eval" && test -n "$libdirs"; then
+      for libdir in $libdirs; do
+	if test -n "$finish_cmds"; then
+	  # Do each command in the finish commands.
+	  func_execute_cmds "$finish_cmds" 'admincmds="$admincmds
+'"$cmd"'"'
+	fi
+	if test -n "$finish_eval"; then
+	  # Do the single finish_eval.
+	  eval cmds=\"$finish_eval\"
+	  $opt_dry_run || eval "$cmds" || func_append admincmds "
+       $cmds"
+	fi
+      done
+    fi
+
+    # Exit here if they wanted silent mode.
+    $opt_quiet && exit $EXIT_SUCCESS
+
+    if test -n "$finish_cmds$finish_eval" && test -n "$libdirs"; then
+      echo "----------------------------------------------------------------------"
+      echo "Libraries have been installed in:"
+      for libdir in $libdirs; do
+	$ECHO "   $libdir"
+      done
+      echo
+      echo "If you ever happen to want to link against installed libraries"
+      echo "in a given directory, LIBDIR, you must either use libtool, and"
+      echo "specify the full pathname of the library, or use the '-LLIBDIR'"
+      echo "flag during linking and do at least one of the following:"
+      if test -n "$shlibpath_var"; then
+	echo "   - add LIBDIR to the '$shlibpath_var' environment variable"
+	echo "     during execution"
+      fi
+      if test -n "$runpath_var"; then
+	echo "   - add LIBDIR to the '$runpath_var' environment variable"
+	echo "     during linking"
+      fi
+      if test -n "$hardcode_libdir_flag_spec"; then
+	libdir=LIBDIR
+	eval flag=\"$hardcode_libdir_flag_spec\"
+
+	$ECHO "   - use the '$flag' linker flag"
+      fi
+      if test -n "$admincmds"; then
+	$ECHO "   - have your system administrator run these commands:$admincmds"
+      fi
+      if test -f /etc/ld.so.conf; then
+	echo "   - have your system administrator add LIBDIR to '/etc/ld.so.conf'"
+      fi
+      echo
+
+      echo "See any operating system documentation about shared libraries for"
+      case $host in
+	solaris2.[6789]|solaris2.1[0-9])
+	  echo "more information, such as the ld(1), crle(1) and ld.so(8) manual"
+	  echo "pages."
+	  ;;
+	*)
+	  echo "more information, such as the ld(1) and ld.so(8) manual pages."
+	  ;;
+      esac
+      echo "----------------------------------------------------------------------"
+    fi
+    exit $EXIT_SUCCESS
+}
+
+test finish = "$opt_mode" && func_mode_finish ${1+"$@"}
+
+
+# func_mode_install arg...
+func_mode_install ()
+{
+    $debug_cmd
+
+    # There may be an optional sh(1) argument at the beginning of
+    # install_prog (especially on Windows NT).
+    if test "$SHELL" = "$nonopt" || test /bin/sh = "$nonopt" ||
+       # Allow the use of GNU shtool's install command.
+       case $nonopt in *shtool*) :;; *) false;; esac
+    then
+      # Aesthetically quote it.
+      func_quote_for_eval "$nonopt"
+      install_prog="$func_quote_for_eval_result "
+      arg=$1
+      shift
+    else
+      install_prog=
+      arg=$nonopt
+    fi
+
+    # The real first argument should be the name of the installation program.
+    # Aesthetically quote it.
+    func_quote_for_eval "$arg"
+    func_append install_prog "$func_quote_for_eval_result"
+    install_shared_prog=$install_prog
+    case " $install_prog " in
+      *[\\\ /]cp\ *) install_cp=: ;;
+      *) install_cp=false ;;
+    esac
+
+    # We need to accept at least all the BSD install flags.
+    dest=
+    files=
+    opts=
+    prev=
+    install_type=
+    isdir=false
+    stripme=
+    no_mode=:
+    for arg
+    do
+      arg2=
+      if test -n "$dest"; then
+	func_append files " $dest"
+	dest=$arg
+	continue
+      fi
+
+      case $arg in
+      -d) isdir=: ;;
+      -f)
+	if $install_cp; then :; else
+	  prev=$arg
+	fi
+	;;
+      -g | -m | -o)
+	prev=$arg
+	;;
+      -s)
+	stripme=" -s"
+	continue
+	;;
+      -*)
+	;;
+      *)
+	# If the previous option needed an argument, then skip it.
+	if test -n "$prev"; then
+	  if test X-m = "X$prev" && test -n "$install_override_mode"; then
+	    arg2=$install_override_mode
+	    no_mode=false
+	  fi
+	  prev=
+	else
+	  dest=$arg
+	  continue
+	fi
+	;;
+      esac
+
+      # Aesthetically quote the argument.
+      func_quote_for_eval "$arg"
+      func_append install_prog " $func_quote_for_eval_result"
+      if test -n "$arg2"; then
+	func_quote_for_eval "$arg2"
+      fi
+      func_append install_shared_prog " $func_quote_for_eval_result"
+    done
+
+    test -z "$install_prog" && \
+      func_fatal_help "you must specify an install program"
+
+    test -n "$prev" && \
+      func_fatal_help "the '$prev' option requires an argument"
+
+    if test -n "$install_override_mode" && $no_mode; then
+      if $install_cp; then :; else
+	func_quote_for_eval "$install_override_mode"
+	func_append install_shared_prog " -m $func_quote_for_eval_result"
+      fi
+    fi
+
+    if test -z "$files"; then
+      if test -z "$dest"; then
+	func_fatal_help "no file or destination specified"
+      else
+	func_fatal_help "you must specify a destination"
+      fi
+    fi
+
+    # Strip any trailing slash from the destination.
+    func_stripname '' '/' "$dest"
+    dest=$func_stripname_result
+
+    # Check to see that the destination is a directory.
+    test -d "$dest" && isdir=:
+    if $isdir; then
+      destdir=$dest
+      destname=
+    else
+      func_dirname_and_basename "$dest" "" "."
+      destdir=$func_dirname_result
+      destname=$func_basename_result
+
+      # Not a directory, so check to see that there is only one file specified.
+      set dummy $files; shift
+      test "$#" -gt 1 && \
+	func_fatal_help "'$dest' is not a directory"
+    fi
+    case $destdir in
+    [\\/]* | [A-Za-z]:[\\/]*) ;;
+    *)
+      for file in $files; do
+	case $file in
+	*.lo) ;;
+	*)
+	  func_fatal_help "'$destdir' must be an absolute directory name"
+	  ;;
+	esac
+      done
+      ;;
+    esac
+
+    # This variable tells wrapper scripts just to set variables rather
+    # than running their programs.
+    libtool_install_magic=$magic
+
+    staticlibs=
+    future_libdirs=
+    current_libdirs=
+    for file in $files; do
+
+      # Do each installation.
+      case $file in
+      *.$libext)
+	# Do the static libraries later.
+	func_append staticlibs " $file"
+	;;
+
+      *.la)
+	func_resolve_sysroot "$file"
+	file=$func_resolve_sysroot_result
+
+	# Check to see that this really is a libtool archive.
+	func_lalib_unsafe_p "$file" \
+	  || func_fatal_help "'$file' is not a valid libtool archive"
+
+	library_names=
+	old_library=
+	relink_command=
+	func_source "$file"
+
+	# Add the libdir to current_libdirs if it is the destination.
+	if test "X$destdir" = "X$libdir"; then
+	  case "$current_libdirs " in
+	  *" $libdir "*) ;;
+	  *) func_append current_libdirs " $libdir" ;;
+	  esac
+	else
+	  # Note the libdir as a future libdir.
+	  case "$future_libdirs " in
+	  *" $libdir "*) ;;
+	  *) func_append future_libdirs " $libdir" ;;
+	  esac
+	fi
+
+	func_dirname "$file" "/" ""
+	dir=$func_dirname_result
+	func_append dir "$objdir"
+
+	if test -n "$relink_command"; then
+	  # Determine the prefix the user has applied to our future dir.
+	  inst_prefix_dir=`$ECHO "$destdir" | $SED -e "s%$libdir\$%%"`
+
+	  # Don't allow the user to place us outside of our expected
+	  # location b/c this prevents finding dependent libraries that
+	  # are installed to the same prefix.
+	  # At present, this check doesn't affect windows .dll's that
+	  # are installed into $libdir/../bin (currently, that works fine)
+	  # but it's something to keep an eye on.
+	  test "$inst_prefix_dir" = "$destdir" && \
+	    func_fatal_error "error: cannot install '$file' to a directory not ending in $libdir"
+
+	  if test -n "$inst_prefix_dir"; then
+	    # Stick the inst_prefix_dir data into the link command.
+	    relink_command=`$ECHO "$relink_command" | $SED "s%@inst_prefix_dir@%-inst-prefix-dir $inst_prefix_dir%"`
+	  else
+	    relink_command=`$ECHO "$relink_command" | $SED "s%@inst_prefix_dir@%%"`
+	  fi
+
+	  func_warning "relinking '$file'"
+	  func_show_eval "$relink_command" \
+	    'func_fatal_error "error: relink '\''$file'\'' with the above command before installing it"'
+	fi
+
+	# See the names of the shared library.
+	set dummy $library_names; shift
+	if test -n "$1"; then
+	  realname=$1
+	  shift
+
+	  srcname=$realname
+	  test -n "$relink_command" && srcname=${realname}T
+
+	  # Install the shared library and build the symlinks.
+	  func_show_eval "$install_shared_prog $dir/$srcname $destdir/$realname" \
+	      'exit $?'
+	  tstripme=$stripme
+	  case $host_os in
+	  cygwin* | mingw* | pw32* | cegcc*)
+	    case $realname in
+	    *.dll.a)
+	      tstripme=
+	      ;;
+	    esac
+	    ;;
+	  os2*)
+	    case $realname in
+	    *_dll.a)
+	      tstripme=
+	      ;;
+	    esac
+	    ;;
+	  esac
+	  if test -n "$tstripme" && test -n "$striplib"; then
+	    func_show_eval "$striplib $destdir/$realname" 'exit $?'
+	  fi
+
+	  if test "$#" -gt 0; then
+	    # Delete the old symlinks, and create new ones.
+	    # Try 'ln -sf' first, because the 'ln' binary might depend on
+	    # the symlink we replace!  Solaris /bin/ln does not understand -f,
+	    # so we also need to try rm && ln -s.
+	    for linkname
+	    do
+	      test "$linkname" != "$realname" \
+		&& func_show_eval "(cd $destdir && { $LN_S -f $realname $linkname || { $RM $linkname && $LN_S $realname $linkname; }; })"
+	    done
+	  fi
+
+	  # Do each command in the postinstall commands.
+	  lib=$destdir/$realname
+	  func_execute_cmds "$postinstall_cmds" 'exit $?'
+	fi
+
+	# Install the pseudo-library for information purposes.
+	func_basename "$file"
+	name=$func_basename_result
+	instname=$dir/${name}i
+	func_show_eval "$install_prog $instname $destdir/$name" 'exit $?'
+
+	# Maybe install the static library, too.
+	test -n "$old_library" && func_append staticlibs " $dir/$old_library"
+	;;
+
+      *.lo)
+	# Install (i.e. copy) a libtool object.
+
+	# Figure out destination file name, if it wasn't already specified.
+	if test -n "$destname"; then
+	  destfile=$destdir/$destname
+	else
+	  func_basename "$file"
+	  destfile=$func_basename_result
+	  destfile=$destdir/$destfile
+	fi
+
+	# Deduce the name of the destination old-style object file.
+	case $destfile in
+	*.lo)
+	  func_lo2o "$destfile"
+	  staticdest=$func_lo2o_result
+	  ;;
+	*.$objext)
+	  staticdest=$destfile
+	  destfile=
+	  ;;
+	*)
+	  func_fatal_help "cannot copy a libtool object to '$destfile'"
+	  ;;
+	esac
+
+	# Install the libtool object if requested.
+	test -n "$destfile" && \
+	  func_show_eval "$install_prog $file $destfile" 'exit $?'
+
+	# Install the old object if enabled.
+	if test yes = "$build_old_libs"; then
+	  # Deduce the name of the old-style object file.
+	  func_lo2o "$file"
+	  staticobj=$func_lo2o_result
+	  func_show_eval "$install_prog \$staticobj \$staticdest" 'exit $?'
+	fi
+	exit $EXIT_SUCCESS
+	;;
+
+      *)
+	# Figure out destination file name, if it wasn't already specified.
+	if test -n "$destname"; then
+	  destfile=$destdir/$destname
+	else
+	  func_basename "$file"
+	  destfile=$func_basename_result
+	  destfile=$destdir/$destfile
+	fi
+
+	# If the file is missing, and there is a .exe on the end, strip it
+	# because it is most likely a libtool script we actually want to
+	# install
+	stripped_ext=
+	case $file in
+	  *.exe)
+	    if test ! -f "$file"; then
+	      func_stripname '' '.exe' "$file"
+	      file=$func_stripname_result
+	      stripped_ext=.exe
+	    fi
+	    ;;
+	esac
+
+	# Do a test to see if this is really a libtool program.
+	case $host in
+	*cygwin* | *mingw*)
+	    if func_ltwrapper_executable_p "$file"; then
+	      func_ltwrapper_scriptname "$file"
+	      wrapper=$func_ltwrapper_scriptname_result
+	    else
+	      func_stripname '' '.exe' "$file"
+	      wrapper=$func_stripname_result
+	    fi
+	    ;;
+	*)
+	    wrapper=$file
+	    ;;
+	esac
+	if func_ltwrapper_script_p "$wrapper"; then
+	  notinst_deplibs=
+	  relink_command=
+
+	  func_source "$wrapper"
+
+	  # Check the variables that should have been set.
+	  test -z "$generated_by_libtool_version" && \
+	    func_fatal_error "invalid libtool wrapper script '$wrapper'"
+
+	  finalize=:
+	  for lib in $notinst_deplibs; do
+	    # Check to see that each library is installed.
+	    libdir=
+	    if test -f "$lib"; then
+	      func_source "$lib"
+	    fi
+	    libfile=$libdir/`$ECHO "$lib" | $SED 's%^.*/%%g'`
+	    if test -n "$libdir" && test ! -f "$libfile"; then
+	      func_warning "'$lib' has not been installed in '$libdir'"
+	      finalize=false
+	    fi
+	  done
+
+	  relink_command=
+	  func_source "$wrapper"
+
+	  outputname=
+	  if test no = "$fast_install" && test -n "$relink_command"; then
+	    $opt_dry_run || {
+	      if $finalize; then
+	        tmpdir=`func_mktempdir`
+		func_basename "$file$stripped_ext"
+		file=$func_basename_result
+	        outputname=$tmpdir/$file
+	        # Replace the output file specification.
+	        relink_command=`$ECHO "$relink_command" | $SED 's%@OUTPUT@%'"$outputname"'%g'`
+
+	        $opt_quiet || {
+	          func_quote_for_expand "$relink_command"
+		  eval "func_echo $func_quote_for_expand_result"
+	        }
+	        if eval "$relink_command"; then :
+	          else
+		  func_error "error: relink '$file' with the above command before installing it"
+		  $opt_dry_run || ${RM}r "$tmpdir"
+		  continue
+	        fi
+	        file=$outputname
+	      else
+	        func_warning "cannot relink '$file'"
+	      fi
+	    }
+	  else
+	    # Install the binary that we compiled earlier.
+	    file=`$ECHO "$file$stripped_ext" | $SED "s%\([^/]*\)$%$objdir/\1%"`
+	  fi
+	fi
+
+	# remove .exe since cygwin /usr/bin/install will append another
+	# one anyway
+	case $install_prog,$host in
+	*/usr/bin/install*,*cygwin*)
+	  case $file:$destfile in
+	  *.exe:*.exe)
+	    # this is ok
+	    ;;
+	  *.exe:*)
+	    destfile=$destfile.exe
+	    ;;
+	  *:*.exe)
+	    func_stripname '' '.exe' "$destfile"
+	    destfile=$func_stripname_result
+	    ;;
+	  esac
+	  ;;
+	esac
+	func_show_eval "$install_prog\$stripme \$file \$destfile" 'exit $?'
+	$opt_dry_run || if test -n "$outputname"; then
+	  ${RM}r "$tmpdir"
+	fi
+	;;
+      esac
+    done
+
+    for file in $staticlibs; do
+      func_basename "$file"
+      name=$func_basename_result
+
+      # Set up the ranlib parameters.
+      oldlib=$destdir/$name
+      func_to_tool_file "$oldlib" func_convert_file_msys_to_w32
+      tool_oldlib=$func_to_tool_file_result
+
+      func_show_eval "$install_prog \$file \$oldlib" 'exit $?'
+
+      if test -n "$stripme" && test -n "$old_striplib"; then
+	func_show_eval "$old_striplib $tool_oldlib" 'exit $?'
+      fi
+
+      # Do each command in the postinstall commands.
+      func_execute_cmds "$old_postinstall_cmds" 'exit $?'
+    done
+
+    test -n "$future_libdirs" && \
+      func_warning "remember to run '$progname --finish$future_libdirs'"
+
+    if test -n "$current_libdirs"; then
+      # Maybe just do a dry run.
+      $opt_dry_run && current_libdirs=" -n$current_libdirs"
+      exec_cmd='$SHELL "$progpath" $preserve_args --finish$current_libdirs'
+    else
+      exit $EXIT_SUCCESS
+    fi
+}
+
+test install = "$opt_mode" && func_mode_install ${1+"$@"}
+
+
+# func_generate_dlsyms outputname originator pic_p
+# Extract symbols from dlprefiles and create ${outputname}S.o with
+# a dlpreopen symbol table.
+func_generate_dlsyms ()
+{
+    $debug_cmd
+
+    my_outputname=$1
+    my_originator=$2
+    my_pic_p=${3-false}
+    my_prefix=`$ECHO "$my_originator" | $SED 's%[^a-zA-Z0-9]%_%g'`
+    my_dlsyms=
+
+    if test -n "$dlfiles$dlprefiles" || test no != "$dlself"; then
+      if test -n "$NM" && test -n "$global_symbol_pipe"; then
+	my_dlsyms=${my_outputname}S.c
+      else
+	func_error "not configured to extract global symbols from dlpreopened files"
+      fi
+    fi
+
+    if test -n "$my_dlsyms"; then
+      case $my_dlsyms in
+      "") ;;
+      *.c)
+	# Discover the nlist of each of the dlfiles.
+	nlist=$output_objdir/$my_outputname.nm
+
+	func_show_eval "$RM $nlist ${nlist}S ${nlist}T"
+
+	# Parse the name list into a source file.
+	func_verbose "creating $output_objdir/$my_dlsyms"
+
+	$opt_dry_run || $ECHO > "$output_objdir/$my_dlsyms" "\
+/* $my_dlsyms - symbol resolution table for '$my_outputname' dlsym emulation. */
+/* Generated by $PROGRAM (GNU $PACKAGE) $VERSION */
+
+#ifdef __cplusplus
+extern \"C\" {
+#endif
+
+#if defined __GNUC__ && (((__GNUC__ == 4) && (__GNUC_MINOR__ >= 4)) || (__GNUC__ > 4))
+#pragma GCC diagnostic ignored \"-Wstrict-prototypes\"
+#endif
+
+/* Keep this code in sync between libtool.m4, ltmain, lt_system.h, and tests.  */
+#if defined _WIN32 || defined __CYGWIN__ || defined _WIN32_WCE
+/* DATA imports from DLLs on WIN32 can't be const, because runtime
+   relocations are performed -- see ld's documentation on pseudo-relocs.  */
+# define LT_DLSYM_CONST
+#elif defined __osf__
+/* This system does not cope well with relocations in const data.  */
+# define LT_DLSYM_CONST
+#else
+# define LT_DLSYM_CONST const
+#endif
+
+#define STREQ(s1, s2) (strcmp ((s1), (s2)) == 0)
+
+/* External symbol declarations for the compiler. */\
+"
+
+	if test yes = "$dlself"; then
+	  func_verbose "generating symbol list for '$output'"
+
+	  $opt_dry_run || echo ': @PROGRAM@ ' > "$nlist"
+
+	  # Add our own program objects to the symbol list.
+	  progfiles=`$ECHO "$objs$old_deplibs" | $SP2NL | $SED "$lo2o" | $NL2SP`
+	  for progfile in $progfiles; do
+	    func_to_tool_file "$progfile" func_convert_file_msys_to_w32
+	    func_verbose "extracting global C symbols from '$func_to_tool_file_result'"
+	    $opt_dry_run || eval "$NM $func_to_tool_file_result | $global_symbol_pipe >> '$nlist'"
+	  done
+
+	  if test -n "$exclude_expsyms"; then
+	    $opt_dry_run || {
+	      eval '$EGREP -v " ($exclude_expsyms)$" "$nlist" > "$nlist"T'
+	      eval '$MV "$nlist"T "$nlist"'
+	    }
+	  fi
+
+	  if test -n "$export_symbols_regex"; then
+	    $opt_dry_run || {
+	      eval '$EGREP -e "$export_symbols_regex" "$nlist" > "$nlist"T'
+	      eval '$MV "$nlist"T "$nlist"'
+	    }
+	  fi
+
+	  # Prepare the list of exported symbols
+	  if test -z "$export_symbols"; then
+	    export_symbols=$output_objdir/$outputname.exp
+	    $opt_dry_run || {
+	      $RM $export_symbols
+	      eval "$SED -n -e '/^: @PROGRAM@ $/d' -e 's/^.* \(.*\)$/\1/p' "'< "$nlist" > "$export_symbols"'
+	      case $host in
+	      *cygwin* | *mingw* | *cegcc* )
+                eval "echo EXPORTS "'> "$output_objdir/$outputname.def"'
+                eval 'cat "$export_symbols" >> "$output_objdir/$outputname.def"'
+	        ;;
+	      esac
+	    }
+	  else
+	    $opt_dry_run || {
+	      eval "$SED -e 's/\([].[*^$]\)/\\\\\1/g' -e 's/^/ /' -e 's/$/$/'"' < "$export_symbols" > "$output_objdir/$outputname.exp"'
+	      eval '$GREP -f "$output_objdir/$outputname.exp" < "$nlist" > "$nlist"T'
+	      eval '$MV "$nlist"T "$nlist"'
+	      case $host in
+	        *cygwin* | *mingw* | *cegcc* )
+	          eval "echo EXPORTS "'> "$output_objdir/$outputname.def"'
+	          eval 'cat "$nlist" >> "$output_objdir/$outputname.def"'
+	          ;;
+	      esac
+	    }
+	  fi
+	fi
+
+	for dlprefile in $dlprefiles; do
+	  func_verbose "extracting global C symbols from '$dlprefile'"
+	  func_basename "$dlprefile"
+	  name=$func_basename_result
+          case $host in
+	    *cygwin* | *mingw* | *cegcc* )
+	      # if an import library, we need to obtain dlname
+	      if func_win32_import_lib_p "$dlprefile"; then
+	        func_tr_sh "$dlprefile"
+	        eval "curr_lafile=\$libfile_$func_tr_sh_result"
+	        dlprefile_dlbasename=
+	        if test -n "$curr_lafile" && func_lalib_p "$curr_lafile"; then
+	          # Use subshell, to avoid clobbering current variable values
+	          dlprefile_dlname=`source "$curr_lafile" && echo "$dlname"`
+	          if test -n "$dlprefile_dlname"; then
+	            func_basename "$dlprefile_dlname"
+	            dlprefile_dlbasename=$func_basename_result
+	          else
+	            # no lafile. user explicitly requested -dlpreopen <import library>.
+	            $sharedlib_from_linklib_cmd "$dlprefile"
+	            dlprefile_dlbasename=$sharedlib_from_linklib_result
+	          fi
+	        fi
+	        $opt_dry_run || {
+	          if test -n "$dlprefile_dlbasename"; then
+	            eval '$ECHO ": $dlprefile_dlbasename" >> "$nlist"'
+	          else
+	            func_warning "Could not compute DLL name from $name"
+	            eval '$ECHO ": $name " >> "$nlist"'
+	          fi
+	          func_to_tool_file "$dlprefile" func_convert_file_msys_to_w32
+	          eval "$NM \"$func_to_tool_file_result\" 2>/dev/null | $global_symbol_pipe |
+	            $SED -e '/I __imp/d' -e 's/I __nm_/D /;s/_nm__//' >> '$nlist'"
+	        }
+	      else # not an import lib
+	        $opt_dry_run || {
+	          eval '$ECHO ": $name " >> "$nlist"'
+	          func_to_tool_file "$dlprefile" func_convert_file_msys_to_w32
+	          eval "$NM \"$func_to_tool_file_result\" 2>/dev/null | $global_symbol_pipe >> '$nlist'"
+	        }
+	      fi
+	    ;;
+	    *)
+	      $opt_dry_run || {
+	        eval '$ECHO ": $name " >> "$nlist"'
+	        func_to_tool_file "$dlprefile" func_convert_file_msys_to_w32
+	        eval "$NM \"$func_to_tool_file_result\" 2>/dev/null | $global_symbol_pipe >> '$nlist'"
+	      }
+	    ;;
+          esac
+	done
+
+	$opt_dry_run || {
+	  # Make sure we have at least an empty file.
+	  test -f "$nlist" || : > "$nlist"
+
+	  if test -n "$exclude_expsyms"; then
+	    $EGREP -v " ($exclude_expsyms)$" "$nlist" > "$nlist"T
+	    $MV "$nlist"T "$nlist"
+	  fi
+
+	  # Try sorting and uniquifying the output.
+	  if $GREP -v "^: " < "$nlist" |
+	      if sort -k 3 </dev/null >/dev/null 2>&1; then
+		sort -k 3
+	      else
+		sort +2
+	      fi |
+	      uniq > "$nlist"S; then
+	    :
+	  else
+	    $GREP -v "^: " < "$nlist" > "$nlist"S
+	  fi
+
+	  if test -f "$nlist"S; then
+	    eval "$global_symbol_to_cdecl"' < "$nlist"S >> "$output_objdir/$my_dlsyms"'
+	  else
+	    echo '/* NONE */' >> "$output_objdir/$my_dlsyms"
+	  fi
+
+	  func_show_eval '$RM "${nlist}I"'
+	  if test -n "$global_symbol_to_import"; then
+	    eval "$global_symbol_to_import"' < "$nlist"S > "$nlist"I'
+	  fi
+
+	  echo >> "$output_objdir/$my_dlsyms" "\
+
+/* The mapping between symbol names and symbols.  */
+typedef struct {
+  const char *name;
+  void *address;
+} lt_dlsymlist;
+extern LT_DLSYM_CONST lt_dlsymlist
+lt_${my_prefix}_LTX_preloaded_symbols[];\
+"
+
+	  if test -s "$nlist"I; then
+	    echo >> "$output_objdir/$my_dlsyms" "\
+static void lt_syminit(void)
+{
+  LT_DLSYM_CONST lt_dlsymlist *symbol = lt_${my_prefix}_LTX_preloaded_symbols;
+  for (; symbol->name; ++symbol)
+    {"
+	    $SED 's/.*/      if (STREQ (symbol->name, \"&\")) symbol->address = (void *) \&&;/' < "$nlist"I >> "$output_objdir/$my_dlsyms"
+	    echo >> "$output_objdir/$my_dlsyms" "\
+    }
+}"
+	  fi
+	  echo >> "$output_objdir/$my_dlsyms" "\
+LT_DLSYM_CONST lt_dlsymlist
+lt_${my_prefix}_LTX_preloaded_symbols[] =
+{ {\"$my_originator\", (void *) 0},"
+
+	  if test -s "$nlist"I; then
+	    echo >> "$output_objdir/$my_dlsyms" "\
+  {\"@INIT@\", (void *) &lt_syminit},"
+	  fi
+
+	  case $need_lib_prefix in
+	  no)
+	    eval "$global_symbol_to_c_name_address" < "$nlist" >> "$output_objdir/$my_dlsyms"
+	    ;;
+	  *)
+	    eval "$global_symbol_to_c_name_address_lib_prefix" < "$nlist" >> "$output_objdir/$my_dlsyms"
+	    ;;
+	  esac
+	  echo >> "$output_objdir/$my_dlsyms" "\
+  {0, (void *) 0}
+};
+
+/* This works around a problem in FreeBSD linker */
+#ifdef FREEBSD_WORKAROUND
+static const void *lt_preloaded_setup() {
+  return lt_${my_prefix}_LTX_preloaded_symbols;
+}
+#endif
+
+#ifdef __cplusplus
+}
+#endif\
+"
+	} # !$opt_dry_run
+
+	pic_flag_for_symtable=
+	case "$compile_command " in
+	*" -static "*) ;;
+	*)
+	  case $host in
+	  # compiling the symbol table file with pic_flag works around
+	  # a FreeBSD bug that causes programs to crash when -lm is
+	  # linked before any other PIC object.  But we must not use
+	  # pic_flag when linking with -static.  The problem exists in
+	  # FreeBSD 2.2.6 and is fixed in FreeBSD 3.1.
+	  *-*-freebsd2.*|*-*-freebsd3.0*|*-*-freebsdelf3.0*)
+	    pic_flag_for_symtable=" $pic_flag -DFREEBSD_WORKAROUND" ;;
+	  *-*-hpux*)
+	    pic_flag_for_symtable=" $pic_flag"  ;;
+	  *)
+	    $my_pic_p && pic_flag_for_symtable=" $pic_flag"
+	    ;;
+	  esac
+	  ;;
+	esac
+	symtab_cflags=
+	for arg in $LTCFLAGS; do
+	  case $arg in
+	  -pie | -fpie | -fPIE) ;;
+	  *) func_append symtab_cflags " $arg" ;;
+	  esac
+	done
+
+	# Now compile the dynamic symbol file.
+	func_show_eval '(cd $output_objdir && $LTCC$symtab_cflags -c$no_builtin_flag$pic_flag_for_symtable "$my_dlsyms")' 'exit $?'
+
+	# Clean up the generated files.
+	func_show_eval '$RM "$output_objdir/$my_dlsyms" "$nlist" "${nlist}S" "${nlist}T" "${nlist}I"'
+
+	# Transform the symbol file into the correct name.
+	symfileobj=$output_objdir/${my_outputname}S.$objext
+	case $host in
+	*cygwin* | *mingw* | *cegcc* )
+	  if test -f "$output_objdir/$my_outputname.def"; then
+	    compile_command=`$ECHO "$compile_command" | $SED "s%@SYMFILE@%$output_objdir/$my_outputname.def $symfileobj%"`
+	    finalize_command=`$ECHO "$finalize_command" | $SED "s%@SYMFILE@%$output_objdir/$my_outputname.def $symfileobj%"`
+	  else
+	    compile_command=`$ECHO "$compile_command" | $SED "s%@SYMFILE@%$symfileobj%"`
+	    finalize_command=`$ECHO "$finalize_command" | $SED "s%@SYMFILE@%$symfileobj%"`
+	  fi
+	  ;;
+	*)
+	  compile_command=`$ECHO "$compile_command" | $SED "s%@SYMFILE@%$symfileobj%"`
+	  finalize_command=`$ECHO "$finalize_command" | $SED "s%@SYMFILE@%$symfileobj%"`
+	  ;;
+	esac
+	;;
+      *)
+	func_fatal_error "unknown suffix for '$my_dlsyms'"
+	;;
+      esac
+    else
+      # We keep going just in case the user didn't refer to
+      # lt_preloaded_symbols.  The linker will fail if global_symbol_pipe
+      # really was required.
+
+      # Nullify the symbol file.
+      compile_command=`$ECHO "$compile_command" | $SED "s% @SYMFILE@%%"`
+      finalize_command=`$ECHO "$finalize_command" | $SED "s% @SYMFILE@%%"`
+    fi
+}
+
+# func_cygming_gnu_implib_p ARG
+# This predicate returns with zero status (TRUE) if
+# ARG is a GNU/binutils-style import library. Returns
+# with nonzero status (FALSE) otherwise.
+func_cygming_gnu_implib_p ()
+{
+  $debug_cmd
+
+  func_to_tool_file "$1" func_convert_file_msys_to_w32
+  func_cygming_gnu_implib_tmp=`$NM "$func_to_tool_file_result" | eval "$global_symbol_pipe" | $EGREP ' (_head_[A-Za-z0-9_]+_[ad]l*|[A-Za-z0-9_]+_[ad]l*_iname)$'`
+  test -n "$func_cygming_gnu_implib_tmp"
+}
+
+# func_cygming_ms_implib_p ARG
+# This predicate returns with zero status (TRUE) if
+# ARG is an MS-style import library. Returns
+# with nonzero status (FALSE) otherwise.
+func_cygming_ms_implib_p ()
+{
+  $debug_cmd
+
+  func_to_tool_file "$1" func_convert_file_msys_to_w32
+  func_cygming_ms_implib_tmp=`$NM "$func_to_tool_file_result" | eval "$global_symbol_pipe" | $GREP '_NULL_IMPORT_DESCRIPTOR'`
+  test -n "$func_cygming_ms_implib_tmp"
+}
+
+# func_win32_libid arg
+# return the library type of file 'arg'
+#
+# Need a lot of goo to handle *both* DLLs and import libs
+# Has to be a shell function in order to 'eat' the argument
+# that is supplied when $file_magic_command is called.
+# Despite the name, also deal with 64 bit binaries.
+func_win32_libid ()
+{
+  $debug_cmd
+
+  win32_libid_type=unknown
+  win32_fileres=`file -L $1 2>/dev/null`
+  case $win32_fileres in
+  *ar\ archive\ import\ library*) # definitely import
+    win32_libid_type="x86 archive import"
+    ;;
+  *ar\ archive*) # could be an import, or static
+    # Keep the egrep pattern in sync with the one in _LT_CHECK_MAGIC_METHOD.
+    if eval $OBJDUMP -f $1 | $SED -e '10q' 2>/dev/null |
+       $EGREP 'file format (pei*-i386(.*architecture: i386)?|pe-arm-wince|pe-x86-64)' >/dev/null; then
+      case $nm_interface in
+      "MS dumpbin")
+	if func_cygming_ms_implib_p "$1" ||
+	   func_cygming_gnu_implib_p "$1"
+	then
+	  win32_nmres=import
+	else
+	  win32_nmres=
+	fi
+	;;
+      *)
+	func_to_tool_file "$1" func_convert_file_msys_to_w32
+	win32_nmres=`eval $NM -f posix -A \"$func_to_tool_file_result\" |
+	  $SED -n -e '
+	    1,100{
+		/ I /{
+		    s|.*|import|
+		    p
+		    q
+		}
+	    }'`
+	;;
+      esac
+      case $win32_nmres in
+      import*)  win32_libid_type="x86 archive import";;
+      *)        win32_libid_type="x86 archive static";;
+      esac
+    fi
+    ;;
+  *DLL*)
+    win32_libid_type="x86 DLL"
+    ;;
+  *executable*) # but shell scripts are "executable" too...
+    case $win32_fileres in
+    *MS\ Windows\ PE\ Intel*)
+      win32_libid_type="x86 DLL"
+      ;;
+    esac
+    ;;
+  esac
+  $ECHO "$win32_libid_type"
+}
+
+# func_cygming_dll_for_implib ARG
+#
+# Platform-specific function to extract the
+# name of the DLL associated with the specified
+# import library ARG.
+# Invoked by eval'ing the libtool variable
+#    $sharedlib_from_linklib_cmd
+# Result is available in the variable
+#    $sharedlib_from_linklib_result
+func_cygming_dll_for_implib ()
+{
+  $debug_cmd
+
+  sharedlib_from_linklib_result=`$DLLTOOL --identify-strict --identify "$1"`
+}
+
+# func_cygming_dll_for_implib_fallback_core SECTION_NAME LIBNAMEs
+#
+# The is the core of a fallback implementation of a
+# platform-specific function to extract the name of the
+# DLL associated with the specified import library LIBNAME.
+#
+# SECTION_NAME is either .idata$6 or .idata$7, depending
+# on the platform and compiler that created the implib.
+#
+# Echos the name of the DLL associated with the
+# specified import library.
+func_cygming_dll_for_implib_fallback_core ()
+{
+  $debug_cmd
+
+  match_literal=`$ECHO "$1" | $SED "$sed_make_literal_regex"`
+  $OBJDUMP -s --section "$1" "$2" 2>/dev/null |
+    $SED '/^Contents of section '"$match_literal"':/{
+      # Place marker at beginning of archive member dllname section
+      s/.*/====MARK====/
+      p
+      d
+    }
+    # These lines can sometimes be longer than 43 characters, but
+    # are always uninteresting
+    /:[	 ]*file format pe[i]\{,1\}-/d
+    /^In archive [^:]*:/d
+    # Ensure marker is printed
+    /^====MARK====/p
+    # Remove all lines with less than 43 characters
+    /^.\{43\}/!d
+    # From remaining lines, remove first 43 characters
+    s/^.\{43\}//' |
+    $SED -n '
+      # Join marker and all lines until next marker into a single line
+      /^====MARK====/ b para
+      H
+      $ b para
+      b
+      :para
+      x
+      s/\n//g
+      # Remove the marker
+      s/^====MARK====//
+      # Remove trailing dots and whitespace
+      s/[\. \t]*$//
+      # Print
+      /./p' |
+    # we now have a list, one entry per line, of the stringified
+    # contents of the appropriate section of all members of the
+    # archive that possess that section. Heuristic: eliminate
+    # all those that have a first or second character that is
+    # a '.' (that is, objdump's representation of an unprintable
+    # character.) This should work for all archives with less than
+    # 0x302f exports -- but will fail for DLLs whose name actually
+    # begins with a literal '.' or a single character followed by
+    # a '.'.
+    #
+    # Of those that remain, print the first one.
+    $SED -e '/^\./d;/^.\./d;q'
+}
+
+# func_cygming_dll_for_implib_fallback ARG
+# Platform-specific function to extract the
+# name of the DLL associated with the specified
+# import library ARG.
+#
+# This fallback implementation is for use when $DLLTOOL
+# does not support the --identify-strict option.
+# Invoked by eval'ing the libtool variable
+#    $sharedlib_from_linklib_cmd
+# Result is available in the variable
+#    $sharedlib_from_linklib_result
+func_cygming_dll_for_implib_fallback ()
+{
+  $debug_cmd
+
+  if func_cygming_gnu_implib_p "$1"; then
+    # binutils import library
+    sharedlib_from_linklib_result=`func_cygming_dll_for_implib_fallback_core '.idata$7' "$1"`
+  elif func_cygming_ms_implib_p "$1"; then
+    # ms-generated import library
+    sharedlib_from_linklib_result=`func_cygming_dll_for_implib_fallback_core '.idata$6' "$1"`
+  else
+    # unknown
+    sharedlib_from_linklib_result=
+  fi
+}
+
+
+# func_extract_an_archive dir oldlib
+func_extract_an_archive ()
+{
+    $debug_cmd
+
+    f_ex_an_ar_dir=$1; shift
+    f_ex_an_ar_oldlib=$1
+    if test yes = "$lock_old_archive_extraction"; then
+      lockfile=$f_ex_an_ar_oldlib.lock
+      until $opt_dry_run || ln "$progpath" "$lockfile" 2>/dev/null; do
+	func_echo "Waiting for $lockfile to be removed"
+	sleep 2
+      done
+    fi
+    func_show_eval "(cd \$f_ex_an_ar_dir && $AR x \"\$f_ex_an_ar_oldlib\")" \
+		   'stat=$?; rm -f "$lockfile"; exit $stat'
+    if test yes = "$lock_old_archive_extraction"; then
+      $opt_dry_run || rm -f "$lockfile"
+    fi
+    if ($AR t "$f_ex_an_ar_oldlib" | sort | sort -uc >/dev/null 2>&1); then
+     :
+    else
+      func_fatal_error "object name conflicts in archive: $f_ex_an_ar_dir/$f_ex_an_ar_oldlib"
+    fi
+}
+
+
+# func_extract_archives gentop oldlib ...
+func_extract_archives ()
+{
+    $debug_cmd
+
+    my_gentop=$1; shift
+    my_oldlibs=${1+"$@"}
+    my_oldobjs=
+    my_xlib=
+    my_xabs=
+    my_xdir=
+
+    for my_xlib in $my_oldlibs; do
+      # Extract the objects.
+      case $my_xlib in
+	[\\/]* | [A-Za-z]:[\\/]*) my_xabs=$my_xlib ;;
+	*) my_xabs=`pwd`"/$my_xlib" ;;
+      esac
+      func_basename "$my_xlib"
+      my_xlib=$func_basename_result
+      my_xlib_u=$my_xlib
+      while :; do
+        case " $extracted_archives " in
+	*" $my_xlib_u "*)
+	  func_arith $extracted_serial + 1
+	  extracted_serial=$func_arith_result
+	  my_xlib_u=lt$extracted_serial-$my_xlib ;;
+	*) break ;;
+	esac
+      done
+      extracted_archives="$extracted_archives $my_xlib_u"
+      my_xdir=$my_gentop/$my_xlib_u
+
+      func_mkdir_p "$my_xdir"
+
+      case $host in
+      *-darwin*)
+	func_verbose "Extracting $my_xabs"
+	# Do not bother doing anything if just a dry run
+	$opt_dry_run || {
+	  darwin_orig_dir=`pwd`
+	  cd $my_xdir || exit $?
+	  darwin_archive=$my_xabs
+	  darwin_curdir=`pwd`
+	  func_basename "$darwin_archive"
+	  darwin_base_archive=$func_basename_result
+	  darwin_arches=`$LIPO -info "$darwin_archive" 2>/dev/null | $GREP Architectures 2>/dev/null || true`
+	  if test -n "$darwin_arches"; then
+	    darwin_arches=`$ECHO "$darwin_arches" | $SED -e 's/.*are://'`
+	    darwin_arch=
+	    func_verbose "$darwin_base_archive has multiple architectures $darwin_arches"
+	    for darwin_arch in  $darwin_arches; do
+	      func_mkdir_p "unfat-$$/$darwin_base_archive-$darwin_arch"
+	      $LIPO -thin $darwin_arch -output "unfat-$$/$darwin_base_archive-$darwin_arch/$darwin_base_archive" "$darwin_archive"
+	      cd "unfat-$$/$darwin_base_archive-$darwin_arch"
+	      func_extract_an_archive "`pwd`" "$darwin_base_archive"
+	      cd "$darwin_curdir"
+	      $RM "unfat-$$/$darwin_base_archive-$darwin_arch/$darwin_base_archive"
+	    done # $darwin_arches
+            ## Okay now we've a bunch of thin objects, gotta fatten them up :)
+	    darwin_filelist=`find unfat-$$ -type f -name \*.o -print -o -name \*.lo -print | $SED -e "$sed_basename" | sort -u`
+	    darwin_file=
+	    darwin_files=
+	    for darwin_file in $darwin_filelist; do
+	      darwin_files=`find unfat-$$ -name $darwin_file -print | sort | $NL2SP`
+	      $LIPO -create -output "$darwin_file" $darwin_files
+	    done # $darwin_filelist
+	    $RM -rf unfat-$$
+	    cd "$darwin_orig_dir"
+	  else
+	    cd $darwin_orig_dir
+	    func_extract_an_archive "$my_xdir" "$my_xabs"
+	  fi # $darwin_arches
+	} # !$opt_dry_run
+	;;
+      *)
+        func_extract_an_archive "$my_xdir" "$my_xabs"
+	;;
+      esac
+      my_oldobjs="$my_oldobjs "`find $my_xdir -name \*.$objext -print -o -name \*.lo -print | sort | $NL2SP`
+    done
+
+    func_extract_archives_result=$my_oldobjs
+}
+
+
+# func_emit_wrapper [arg=no]
+#
+# Emit a libtool wrapper script on stdout.
+# Don't directly open a file because we may want to
+# incorporate the script contents within a cygwin/mingw
+# wrapper executable.  Must ONLY be called from within
+# func_mode_link because it depends on a number of variables
+# set therein.
+#
+# ARG is the value that the WRAPPER_SCRIPT_BELONGS_IN_OBJDIR
+# variable will take.  If 'yes', then the emitted script
+# will assume that the directory where it is stored is
+# the $objdir directory.  This is a cygwin/mingw-specific
+# behavior.
+func_emit_wrapper ()
+{
+	func_emit_wrapper_arg1=${1-no}
+
+	$ECHO "\
+#! $SHELL
+
+# $output - temporary wrapper script for $objdir/$outputname
+# Generated by $PROGRAM (GNU $PACKAGE) $VERSION
+#
+# The $output program cannot be directly executed until all the libtool
+# libraries that it depends on are installed.
+#
+# This wrapper script should never be moved out of the build directory.
+# If it is, it will not operate correctly.
+
+# Sed substitution that helps us do robust quoting.  It backslashifies
+# metacharacters that are still active within double-quoted strings.
+sed_quote_subst='$sed_quote_subst'
+
+# Be Bourne compatible
+if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then
+  emulate sh
+  NULLCMD=:
+  # Zsh 3.x and 4.x performs word splitting on \${1+\"\$@\"}, which
+  # is contrary to our usage.  Disable this feature.
+  alias -g '\${1+\"\$@\"}'='\"\$@\"'
+  setopt NO_GLOB_SUBST
+else
+  case \`(set -o) 2>/dev/null\` in *posix*) set -o posix;; esac
+fi
+BIN_SH=xpg4; export BIN_SH # for Tru64
+DUALCASE=1; export DUALCASE # for MKS sh
+
+# The HP-UX ksh and POSIX shell print the target directory to stdout
+# if CDPATH is set.
+(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
+
+relink_command=\"$relink_command\"
+
+# This environment variable determines our operation mode.
+if test \"\$libtool_install_magic\" = \"$magic\"; then
+  # install mode needs the following variables:
+  generated_by_libtool_version='$macro_version'
+  notinst_deplibs='$notinst_deplibs'
+else
+  # When we are sourced in execute mode, \$file and \$ECHO are already set.
+  if test \"\$libtool_execute_magic\" != \"$magic\"; then
+    file=\"\$0\""
+
+    qECHO=`$ECHO "$ECHO" | $SED "$sed_quote_subst"`
+    $ECHO "\
+
+# A function that is used when there is no print builtin or printf.
+func_fallback_echo ()
+{
+  eval 'cat <<_LTECHO_EOF
+\$1
+_LTECHO_EOF'
+}
+    ECHO=\"$qECHO\"
+  fi
+
+# Very basic option parsing. These options are (a) specific to
+# the libtool wrapper, (b) are identical between the wrapper
+# /script/ and the wrapper /executable/ that is used only on
+# windows platforms, and (c) all begin with the string "--lt-"
+# (application programs are unlikely to have options that match
+# this pattern).
+#
+# There are only two supported options: --lt-debug and
+# --lt-dump-script. There is, deliberately, no --lt-help.
+#
+# The first argument to this parsing function should be the
+# script's $0 value, followed by "$@".
+lt_option_debug=
+func_parse_lt_options ()
+{
+  lt_script_arg0=\$0
+  shift
+  for lt_opt
+  do
+    case \"\$lt_opt\" in
+    --lt-debug) lt_option_debug=1 ;;
+    --lt-dump-script)
+        lt_dump_D=\`\$ECHO \"X\$lt_script_arg0\" | $SED -e 's/^X//' -e 's%/[^/]*$%%'\`
+        test \"X\$lt_dump_D\" = \"X\$lt_script_arg0\" && lt_dump_D=.
+        lt_dump_F=\`\$ECHO \"X\$lt_script_arg0\" | $SED -e 's/^X//' -e 's%^.*/%%'\`
+        cat \"\$lt_dump_D/\$lt_dump_F\"
+        exit 0
+      ;;
+    --lt-*)
+        \$ECHO \"Unrecognized --lt- option: '\$lt_opt'\" 1>&2
+        exit 1
+      ;;
+    esac
+  done
+
+  # Print the debug banner immediately:
+  if test -n \"\$lt_option_debug\"; then
+    echo \"$outputname:$output:\$LINENO: libtool wrapper (GNU $PACKAGE) $VERSION\" 1>&2
+  fi
+}
+
+# Used when --lt-debug. Prints its arguments to stdout
+# (redirection is the responsibility of the caller)
+func_lt_dump_args ()
+{
+  lt_dump_args_N=1;
+  for lt_arg
+  do
+    \$ECHO \"$outputname:$output:\$LINENO: newargv[\$lt_dump_args_N]: \$lt_arg\"
+    lt_dump_args_N=\`expr \$lt_dump_args_N + 1\`
+  done
+}
+
+# Core function for launching the target application
+func_exec_program_core ()
+{
+"
+  case $host in
+  # Backslashes separate directories on plain windows
+  *-*-mingw | *-*-os2* | *-cegcc*)
+    $ECHO "\
+      if test -n \"\$lt_option_debug\"; then
+        \$ECHO \"$outputname:$output:\$LINENO: newargv[0]: \$progdir\\\\\$program\" 1>&2
+        func_lt_dump_args \${1+\"\$@\"} 1>&2
+      fi
+      exec \"\$progdir\\\\\$program\" \${1+\"\$@\"}
+"
+    ;;
+
+  *)
+    $ECHO "\
+      if test -n \"\$lt_option_debug\"; then
+        \$ECHO \"$outputname:$output:\$LINENO: newargv[0]: \$progdir/\$program\" 1>&2
+        func_lt_dump_args \${1+\"\$@\"} 1>&2
+      fi
+      exec \"\$progdir/\$program\" \${1+\"\$@\"}
+"
+    ;;
+  esac
+  $ECHO "\
+      \$ECHO \"\$0: cannot exec \$program \$*\" 1>&2
+      exit 1
+}
+
+# A function to encapsulate launching the target application
+# Strips options in the --lt-* namespace from \$@ and
+# launches target application with the remaining arguments.
+func_exec_program ()
+{
+  case \" \$* \" in
+  *\\ --lt-*)
+    for lt_wr_arg
+    do
+      case \$lt_wr_arg in
+      --lt-*) ;;
+      *) set x \"\$@\" \"\$lt_wr_arg\"; shift;;
+      esac
+      shift
+    done ;;
+  esac
+  func_exec_program_core \${1+\"\$@\"}
+}
+
+  # Parse options
+  func_parse_lt_options \"\$0\" \${1+\"\$@\"}
+
+  # Find the directory that this script lives in.
+  thisdir=\`\$ECHO \"\$file\" | $SED 's%/[^/]*$%%'\`
+  test \"x\$thisdir\" = \"x\$file\" && thisdir=.
+
+  # Follow symbolic links until we get to the real thisdir.
+  file=\`ls -ld \"\$file\" | $SED -n 's/.*-> //p'\`
+  while test -n \"\$file\"; do
+    destdir=\`\$ECHO \"\$file\" | $SED 's%/[^/]*\$%%'\`
+
+    # If there was a directory component, then change thisdir.
+    if test \"x\$destdir\" != \"x\$file\"; then
+      case \"\$destdir\" in
+      [\\\\/]* | [A-Za-z]:[\\\\/]*) thisdir=\"\$destdir\" ;;
+      *) thisdir=\"\$thisdir/\$destdir\" ;;
+      esac
+    fi
+
+    file=\`\$ECHO \"\$file\" | $SED 's%^.*/%%'\`
+    file=\`ls -ld \"\$thisdir/\$file\" | $SED -n 's/.*-> //p'\`
+  done
+
+  # Usually 'no', except on cygwin/mingw when embedded into
+  # the cwrapper.
+  WRAPPER_SCRIPT_BELONGS_IN_OBJDIR=$func_emit_wrapper_arg1
+  if test \"\$WRAPPER_SCRIPT_BELONGS_IN_OBJDIR\" = \"yes\"; then
+    # special case for '.'
+    if test \"\$thisdir\" = \".\"; then
+      thisdir=\`pwd\`
+    fi
+    # remove .libs from thisdir
+    case \"\$thisdir\" in
+    *[\\\\/]$objdir ) thisdir=\`\$ECHO \"\$thisdir\" | $SED 's%[\\\\/][^\\\\/]*$%%'\` ;;
+    $objdir )   thisdir=. ;;
+    esac
+  fi
+
+  # Try to get the absolute directory name.
+  absdir=\`cd \"\$thisdir\" && pwd\`
+  test -n \"\$absdir\" && thisdir=\"\$absdir\"
+"
+
+	if test yes = "$fast_install"; then
+	  $ECHO "\
+  program=lt-'$outputname'$exeext
+  progdir=\"\$thisdir/$objdir\"
+
+  if test ! -f \"\$progdir/\$program\" ||
+     { file=\`ls -1dt \"\$progdir/\$program\" \"\$progdir/../\$program\" 2>/dev/null | $SED 1q\`; \\
+       test \"X\$file\" != \"X\$progdir/\$program\"; }; then
+
+    file=\"\$\$-\$program\"
+
+    if test ! -d \"\$progdir\"; then
+      $MKDIR \"\$progdir\"
+    else
+      $RM \"\$progdir/\$file\"
+    fi"
+
+	  $ECHO "\
+
+    # relink executable if necessary
+    if test -n \"\$relink_command\"; then
+      if relink_command_output=\`eval \$relink_command 2>&1\`; then :
+      else
+	\$ECHO \"\$relink_command_output\" >&2
+	$RM \"\$progdir/\$file\"
+	exit 1
+      fi
+    fi
+
+    $MV \"\$progdir/\$file\" \"\$progdir/\$program\" 2>/dev/null ||
+    { $RM \"\$progdir/\$program\";
+      $MV \"\$progdir/\$file\" \"\$progdir/\$program\"; }
+    $RM \"\$progdir/\$file\"
+  fi"
+	else
+	  $ECHO "\
+  program='$outputname'
+  progdir=\"\$thisdir/$objdir\"
+"
+	fi
+
+	$ECHO "\
+
+  if test -f \"\$progdir/\$program\"; then"
+
+	# fixup the dll searchpath if we need to.
+	#
+	# Fix the DLL searchpath if we need to.  Do this before prepending
+	# to shlibpath, because on Windows, both are PATH and uninstalled
+	# libraries must come first.
+	if test -n "$dllsearchpath"; then
+	  $ECHO "\
+    # Add the dll search path components to the executable PATH
+    PATH=$dllsearchpath:\$PATH
+"
+	fi
+
+	# Export our shlibpath_var if we have one.
+	if test yes = "$shlibpath_overrides_runpath" && test -n "$shlibpath_var" && test -n "$temp_rpath"; then
+	  $ECHO "\
+    # Add our own library path to $shlibpath_var
+    $shlibpath_var=\"$temp_rpath\$$shlibpath_var\"
+
+    # Some systems cannot cope with colon-terminated $shlibpath_var
+    # The second colon is a workaround for a bug in BeOS R4 sed
+    $shlibpath_var=\`\$ECHO \"\$$shlibpath_var\" | $SED 's/::*\$//'\`
+
+    export $shlibpath_var
+"
+	fi
+
+	$ECHO "\
+    if test \"\$libtool_execute_magic\" != \"$magic\"; then
+      # Run the actual program with our arguments.
+      func_exec_program \${1+\"\$@\"}
+    fi
+  else
+    # The program doesn't exist.
+    \$ECHO \"\$0: error: '\$progdir/\$program' does not exist\" 1>&2
+    \$ECHO \"This script is just a wrapper for \$program.\" 1>&2
+    \$ECHO \"See the $PACKAGE documentation for more information.\" 1>&2
+    exit 1
+  fi
+fi\
+"
+}
+
+
+# func_emit_cwrapperexe_src
+# emit the source code for a wrapper executable on stdout
+# Must ONLY be called from within func_mode_link because
+# it depends on a number of variable set therein.
+func_emit_cwrapperexe_src ()
+{
+	cat <<EOF
+
+/* $cwrappersource - temporary wrapper executable for $objdir/$outputname
+   Generated by $PROGRAM (GNU $PACKAGE) $VERSION
+
+   The $output program cannot be directly executed until all the libtool
+   libraries that it depends on are installed.
+
+   This wrapper executable should never be moved out of the build directory.
+   If it is, it will not operate correctly.
+*/
+EOF
+	    cat <<"EOF"
+#ifdef _MSC_VER
+# define _CRT_SECURE_NO_DEPRECATE 1
+#endif
+#include <stdio.h>
+#include <stdlib.h>
+#ifdef _MSC_VER
+# include <direct.h>
+# include <process.h>
+# include <io.h>
+#else
+# include <unistd.h>
+# include <stdint.h>
+# ifdef __CYGWIN__
+#  include <io.h>
+# endif
+#endif
+#include <malloc.h>
+#include <stdarg.h>
+#include <assert.h>
+#include <string.h>
+#include <ctype.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <sys/stat.h>
+
+#define STREQ(s1, s2) (strcmp ((s1), (s2)) == 0)
+
+/* declarations of non-ANSI functions */
+#if defined __MINGW32__
+# ifdef __STRICT_ANSI__
+int _putenv (const char *);
+# endif
+#elif defined __CYGWIN__
+# ifdef __STRICT_ANSI__
+char *realpath (const char *, char *);
+int putenv (char *);
+int setenv (const char *, const char *, int);
+# endif
+/* #elif defined other_platform || defined ... */
+#endif
+
+/* portability defines, excluding path handling macros */
+#if defined _MSC_VER
+# define setmode _setmode
+# define stat    _stat
+# define chmod   _chmod
+# define getcwd  _getcwd
+# define putenv  _putenv
+# define S_IXUSR _S_IEXEC
+#elif defined __MINGW32__
+# define setmode _setmode
+# define stat    _stat
+# define chmod   _chmod
+# define getcwd  _getcwd
+# define putenv  _putenv
+#elif defined __CYGWIN__
+# define HAVE_SETENV
+# define FOPEN_WB "wb"
+/* #elif defined other platforms ... */
+#endif
+
+#if defined PATH_MAX
+# define LT_PATHMAX PATH_MAX
+#elif defined MAXPATHLEN
+# define LT_PATHMAX MAXPATHLEN
+#else
+# define LT_PATHMAX 1024
+#endif
+
+#ifndef S_IXOTH
+# define S_IXOTH 0
+#endif
+#ifndef S_IXGRP
+# define S_IXGRP 0
+#endif
+
+/* path handling portability macros */
+#ifndef DIR_SEPARATOR
+# define DIR_SEPARATOR '/'
+# define PATH_SEPARATOR ':'
+#endif
+
+#if defined _WIN32 || defined __MSDOS__ || defined __DJGPP__ || \
+  defined __OS2__
+# define HAVE_DOS_BASED_FILE_SYSTEM
+# define FOPEN_WB "wb"
+# ifndef DIR_SEPARATOR_2
+#  define DIR_SEPARATOR_2 '\\'
+# endif
+# ifndef PATH_SEPARATOR_2
+#  define PATH_SEPARATOR_2 ';'
+# endif
+#endif
+
+#ifndef DIR_SEPARATOR_2
+# define IS_DIR_SEPARATOR(ch) ((ch) == DIR_SEPARATOR)
+#else /* DIR_SEPARATOR_2 */
+# define IS_DIR_SEPARATOR(ch) \
+	(((ch) == DIR_SEPARATOR) || ((ch) == DIR_SEPARATOR_2))
+#endif /* DIR_SEPARATOR_2 */
+
+#ifndef PATH_SEPARATOR_2
+# define IS_PATH_SEPARATOR(ch) ((ch) == PATH_SEPARATOR)
+#else /* PATH_SEPARATOR_2 */
+# define IS_PATH_SEPARATOR(ch) ((ch) == PATH_SEPARATOR_2)
+#endif /* PATH_SEPARATOR_2 */
+
+#ifndef FOPEN_WB
+# define FOPEN_WB "w"
+#endif
+#ifndef _O_BINARY
+# define _O_BINARY 0
+#endif
+
+#define XMALLOC(type, num)      ((type *) xmalloc ((num) * sizeof(type)))
+#define XFREE(stale) do { \
+  if (stale) { free (stale); stale = 0; } \
+} while (0)
+
+#if defined LT_DEBUGWRAPPER
+static int lt_debug = 1;
+#else
+static int lt_debug = 0;
+#endif
+
+const char *program_name = "libtool-wrapper"; /* in case xstrdup fails */
+
+void *xmalloc (size_t num);
+char *xstrdup (const char *string);
+const char *base_name (const char *name);
+char *find_executable (const char *wrapper);
+char *chase_symlinks (const char *pathspec);
+int make_executable (const char *path);
+int check_executable (const char *path);
+char *strendzap (char *str, const char *pat);
+void lt_debugprintf (const char *file, int line, const char *fmt, ...);
+void lt_fatal (const char *file, int line, const char *message, ...);
+static const char *nonnull (const char *s);
+static const char *nonempty (const char *s);
+void lt_setenv (const char *name, const char *value);
+char *lt_extend_str (const char *orig_value, const char *add, int to_end);
+void lt_update_exe_path (const char *name, const char *value);
+void lt_update_lib_path (const char *name, const char *value);
+char **prepare_spawn (char **argv);
+void lt_dump_script (FILE *f);
+EOF
+
+	    cat <<EOF
+#if __GNUC__ < 4 || (__GNUC__ == 4 && __GNUC_MINOR__ < 5)
+# define externally_visible volatile
+#else
+# define externally_visible __attribute__((externally_visible)) volatile
+#endif
+externally_visible const char * MAGIC_EXE = "$magic_exe";
+const char * LIB_PATH_VARNAME = "$shlibpath_var";
+EOF
+
+	    if test yes = "$shlibpath_overrides_runpath" && test -n "$shlibpath_var" && test -n "$temp_rpath"; then
+              func_to_host_path "$temp_rpath"
+	      cat <<EOF
+const char * LIB_PATH_VALUE   = "$func_to_host_path_result";
+EOF
+	    else
+	      cat <<"EOF"
+const char * LIB_PATH_VALUE   = "";
+EOF
+	    fi
+
+	    if test -n "$dllsearchpath"; then
+              func_to_host_path "$dllsearchpath:"
+	      cat <<EOF
+const char * EXE_PATH_VARNAME = "PATH";
+const char * EXE_PATH_VALUE   = "$func_to_host_path_result";
+EOF
+	    else
+	      cat <<"EOF"
+const char * EXE_PATH_VARNAME = "";
+const char * EXE_PATH_VALUE   = "";
+EOF
+	    fi
+
+	    if test yes = "$fast_install"; then
+	      cat <<EOF
+const char * TARGET_PROGRAM_NAME = "lt-$outputname"; /* hopefully, no .exe */
+EOF
+	    else
+	      cat <<EOF
+const char * TARGET_PROGRAM_NAME = "$outputname"; /* hopefully, no .exe */
+EOF
+	    fi
+
+
+	    cat <<"EOF"
+
+#define LTWRAPPER_OPTION_PREFIX         "--lt-"
+
+static const char *ltwrapper_option_prefix = LTWRAPPER_OPTION_PREFIX;
+static const char *dumpscript_opt       = LTWRAPPER_OPTION_PREFIX "dump-script";
+static const char *debug_opt            = LTWRAPPER_OPTION_PREFIX "debug";
+
+int
+main (int argc, char *argv[])
+{
+  char **newargz;
+  int  newargc;
+  char *tmp_pathspec;
+  char *actual_cwrapper_path;
+  char *actual_cwrapper_name;
+  char *target_name;
+  char *lt_argv_zero;
+  int rval = 127;
+
+  int i;
+
+  program_name = (char *) xstrdup (base_name (argv[0]));
+  newargz = XMALLOC (char *, (size_t) argc + 1);
+
+  /* very simple arg parsing; don't want to rely on getopt
+   * also, copy all non cwrapper options to newargz, except
+   * argz[0], which is handled differently
+   */
+  newargc=0;
+  for (i = 1; i < argc; i++)
+    {
+      if (STREQ (argv[i], dumpscript_opt))
+	{
+EOF
+	    case $host in
+	      *mingw* | *cygwin* )
+		# make stdout use "unix" line endings
+		echo "          setmode(1,_O_BINARY);"
+		;;
+	      esac
+
+	    cat <<"EOF"
+	  lt_dump_script (stdout);
+	  return 0;
+	}
+      if (STREQ (argv[i], debug_opt))
+	{
+          lt_debug = 1;
+          continue;
+	}
+      if (STREQ (argv[i], ltwrapper_option_prefix))
+        {
+          /* however, if there is an option in the LTWRAPPER_OPTION_PREFIX
+             namespace, but it is not one of the ones we know about and
+             have already dealt with, above (inluding dump-script), then
+             report an error. Otherwise, targets might begin to believe
+             they are allowed to use options in the LTWRAPPER_OPTION_PREFIX
+             namespace. The first time any user complains about this, we'll
+             need to make LTWRAPPER_OPTION_PREFIX a configure-time option
+             or a configure.ac-settable value.
+           */
+          lt_fatal (__FILE__, __LINE__,
+		    "unrecognized %s option: '%s'",
+                    ltwrapper_option_prefix, argv[i]);
+        }
+      /* otherwise ... */
+      newargz[++newargc] = xstrdup (argv[i]);
+    }
+  newargz[++newargc] = NULL;
+
+EOF
+	    cat <<EOF
+  /* The GNU banner must be the first non-error debug message */
+  lt_debugprintf (__FILE__, __LINE__, "libtool wrapper (GNU $PACKAGE) $VERSION\n");
+EOF
+	    cat <<"EOF"
+  lt_debugprintf (__FILE__, __LINE__, "(main) argv[0]: %s\n", argv[0]);
+  lt_debugprintf (__FILE__, __LINE__, "(main) program_name: %s\n", program_name);
+
+  tmp_pathspec = find_executable (argv[0]);
+  if (tmp_pathspec == NULL)
+    lt_fatal (__FILE__, __LINE__, "couldn't find %s", argv[0]);
+  lt_debugprintf (__FILE__, __LINE__,
+                  "(main) found exe (before symlink chase) at: %s\n",
+		  tmp_pathspec);
+
+  actual_cwrapper_path = chase_symlinks (tmp_pathspec);
+  lt_debugprintf (__FILE__, __LINE__,
+                  "(main) found exe (after symlink chase) at: %s\n",
+		  actual_cwrapper_path);
+  XFREE (tmp_pathspec);
+
+  actual_cwrapper_name = xstrdup (base_name (actual_cwrapper_path));
+  strendzap (actual_cwrapper_path, actual_cwrapper_name);
+
+  /* wrapper name transforms */
+  strendzap (actual_cwrapper_name, ".exe");
+  tmp_pathspec = lt_extend_str (actual_cwrapper_name, ".exe", 1);
+  XFREE (actual_cwrapper_name);
+  actual_cwrapper_name = tmp_pathspec;
+  tmp_pathspec = 0;
+
+  /* target_name transforms -- use actual target program name; might have lt- prefix */
+  target_name = xstrdup (base_name (TARGET_PROGRAM_NAME));
+  strendzap (target_name, ".exe");
+  tmp_pathspec = lt_extend_str (target_name, ".exe", 1);
+  XFREE (target_name);
+  target_name = tmp_pathspec;
+  tmp_pathspec = 0;
+
+  lt_debugprintf (__FILE__, __LINE__,
+		  "(main) libtool target name: %s\n",
+		  target_name);
+EOF
+
+	    cat <<EOF
+  newargz[0] =
+    XMALLOC (char, (strlen (actual_cwrapper_path) +
+		    strlen ("$objdir") + 1 + strlen (actual_cwrapper_name) + 1));
+  strcpy (newargz[0], actual_cwrapper_path);
+  strcat (newargz[0], "$objdir");
+  strcat (newargz[0], "/");
+EOF
+
+	    cat <<"EOF"
+  /* stop here, and copy so we don't have to do this twice */
+  tmp_pathspec = xstrdup (newargz[0]);
+
+  /* do NOT want the lt- prefix here, so use actual_cwrapper_name */
+  strcat (newargz[0], actual_cwrapper_name);
+
+  /* DO want the lt- prefix here if it exists, so use target_name */
+  lt_argv_zero = lt_extend_str (tmp_pathspec, target_name, 1);
+  XFREE (tmp_pathspec);
+  tmp_pathspec = NULL;
+EOF
+
+	    case $host_os in
+	      mingw*)
+	    cat <<"EOF"
+  {
+    char* p;
+    while ((p = strchr (newargz[0], '\\')) != NULL)
+      {
+	*p = '/';
+      }
+    while ((p = strchr (lt_argv_zero, '\\')) != NULL)
+      {
+	*p = '/';
+      }
+  }
+EOF
+	    ;;
+	    esac
+
+	    cat <<"EOF"
+  XFREE (target_name);
+  XFREE (actual_cwrapper_path);
+  XFREE (actual_cwrapper_name);
+
+  lt_setenv ("BIN_SH", "xpg4"); /* for Tru64 */
+  lt_setenv ("DUALCASE", "1");  /* for MSK sh */
+  /* Update the DLL searchpath.  EXE_PATH_VALUE ($dllsearchpath) must
+     be prepended before (that is, appear after) LIB_PATH_VALUE ($temp_rpath)
+     because on Windows, both *_VARNAMEs are PATH but uninstalled
+     libraries must come first. */
+  lt_update_exe_path (EXE_PATH_VARNAME, EXE_PATH_VALUE);
+  lt_update_lib_path (LIB_PATH_VARNAME, LIB_PATH_VALUE);
+
+  lt_debugprintf (__FILE__, __LINE__, "(main) lt_argv_zero: %s\n",
+		  nonnull (lt_argv_zero));
+  for (i = 0; i < newargc; i++)
+    {
+      lt_debugprintf (__FILE__, __LINE__, "(main) newargz[%d]: %s\n",
+		      i, nonnull (newargz[i]));
+    }
+
+EOF
+
+	    case $host_os in
+	      mingw*)
+		cat <<"EOF"
+  /* execv doesn't actually work on mingw as expected on unix */
+  newargz = prepare_spawn (newargz);
+  rval = (int) _spawnv (_P_WAIT, lt_argv_zero, (const char * const *) newargz);
+  if (rval == -1)
+    {
+      /* failed to start process */
+      lt_debugprintf (__FILE__, __LINE__,
+		      "(main) failed to launch target \"%s\": %s\n",
+		      lt_argv_zero, nonnull (strerror (errno)));
+      return 127;
+    }
+  return rval;
+EOF
+		;;
+	      *)
+		cat <<"EOF"
+  execv (lt_argv_zero, newargz);
+  return rval; /* =127, but avoids unused variable warning */
+EOF
+		;;
+	    esac
+
+	    cat <<"EOF"
+}
+
+void *
+xmalloc (size_t num)
+{
+  void *p = (void *) malloc (num);
+  if (!p)
+    lt_fatal (__FILE__, __LINE__, "memory exhausted");
+
+  return p;
+}
+
+char *
+xstrdup (const char *string)
+{
+  return string ? strcpy ((char *) xmalloc (strlen (string) + 1),
+			  string) : NULL;
+}
+
+const char *
+base_name (const char *name)
+{
+  const char *base;
+
+#if defined HAVE_DOS_BASED_FILE_SYSTEM
+  /* Skip over the disk name in MSDOS pathnames. */
+  if (isalpha ((unsigned char) name[0]) && name[1] == ':')
+    name += 2;
+#endif
+
+  for (base = name; *name; name++)
+    if (IS_DIR_SEPARATOR (*name))
+      base = name + 1;
+  return base;
+}
+
+int
+check_executable (const char *path)
+{
+  struct stat st;
+
+  lt_debugprintf (__FILE__, __LINE__, "(check_executable): %s\n",
+                  nonempty (path));
+  if ((!path) || (!*path))
+    return 0;
+
+  if ((stat (path, &st) >= 0)
+      && (st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)))
+    return 1;
+  else
+    return 0;
+}
+
+int
+make_executable (const char *path)
+{
+  int rval = 0;
+  struct stat st;
+
+  lt_debugprintf (__FILE__, __LINE__, "(make_executable): %s\n",
+                  nonempty (path));
+  if ((!path) || (!*path))
+    return 0;
+
+  if (stat (path, &st) >= 0)
+    {
+      rval = chmod (path, st.st_mode | S_IXOTH | S_IXGRP | S_IXUSR);
+    }
+  return rval;
+}
+
+/* Searches for the full path of the wrapper.  Returns
+   newly allocated full path name if found, NULL otherwise
+   Does not chase symlinks, even on platforms that support them.
+*/
+char *
+find_executable (const char *wrapper)
+{
+  int has_slash = 0;
+  const char *p;
+  const char *p_next;
+  /* static buffer for getcwd */
+  char tmp[LT_PATHMAX + 1];
+  size_t tmp_len;
+  char *concat_name;
+
+  lt_debugprintf (__FILE__, __LINE__, "(find_executable): %s\n",
+                  nonempty (wrapper));
+
+  if ((wrapper == NULL) || (*wrapper == '\0'))
+    return NULL;
+
+  /* Absolute path? */
+#if defined HAVE_DOS_BASED_FILE_SYSTEM
+  if (isalpha ((unsigned char) wrapper[0]) && wrapper[1] == ':')
+    {
+      concat_name = xstrdup (wrapper);
+      if (check_executable (concat_name))
+	return concat_name;
+      XFREE (concat_name);
+    }
+  else
+    {
+#endif
+      if (IS_DIR_SEPARATOR (wrapper[0]))
+	{
+	  concat_name = xstrdup (wrapper);
+	  if (check_executable (concat_name))
+	    return concat_name;
+	  XFREE (concat_name);
+	}
+#if defined HAVE_DOS_BASED_FILE_SYSTEM
+    }
+#endif
+
+  for (p = wrapper; *p; p++)
+    if (*p == '/')
+      {
+	has_slash = 1;
+	break;
+      }
+  if (!has_slash)
+    {
+      /* no slashes; search PATH */
+      const char *path = getenv ("PATH");
+      if (path != NULL)
+	{
+	  for (p = path; *p; p = p_next)
+	    {
+	      const char *q;
+	      size_t p_len;
+	      for (q = p; *q; q++)
+		if (IS_PATH_SEPARATOR (*q))
+		  break;
+	      p_len = (size_t) (q - p);
+	      p_next = (*q == '\0' ? q : q + 1);
+	      if (p_len == 0)
+		{
+		  /* empty path: current directory */
+		  if (getcwd (tmp, LT_PATHMAX) == NULL)
+		    lt_fatal (__FILE__, __LINE__, "getcwd failed: %s",
+                              nonnull (strerror (errno)));
+		  tmp_len = strlen (tmp);
+		  concat_name =
+		    XMALLOC (char, tmp_len + 1 + strlen (wrapper) + 1);
+		  memcpy (concat_name, tmp, tmp_len);
+		  concat_name[tmp_len] = '/';
+		  strcpy (concat_name + tmp_len + 1, wrapper);
+		}
+	      else
+		{
+		  concat_name =
+		    XMALLOC (char, p_len + 1 + strlen (wrapper) + 1);
+		  memcpy (concat_name, p, p_len);
+		  concat_name[p_len] = '/';
+		  strcpy (concat_name + p_len + 1, wrapper);
+		}
+	      if (check_executable (concat_name))
+		return concat_name;
+	      XFREE (concat_name);
+	    }
+	}
+      /* not found in PATH; assume curdir */
+    }
+  /* Relative path | not found in path: prepend cwd */
+  if (getcwd (tmp, LT_PATHMAX) == NULL)
+    lt_fatal (__FILE__, __LINE__, "getcwd failed: %s",
+              nonnull (strerror (errno)));
+  tmp_len = strlen (tmp);
+  concat_name = XMALLOC (char, tmp_len + 1 + strlen (wrapper) + 1);
+  memcpy (concat_name, tmp, tmp_len);
+  concat_name[tmp_len] = '/';
+  strcpy (concat_name + tmp_len + 1, wrapper);
+
+  if (check_executable (concat_name))
+    return concat_name;
+  XFREE (concat_name);
+  return NULL;
+}
+
+char *
+chase_symlinks (const char *pathspec)
+{
+#ifndef S_ISLNK
+  return xstrdup (pathspec);
+#else
+  char buf[LT_PATHMAX];
+  struct stat s;
+  char *tmp_pathspec = xstrdup (pathspec);
+  char *p;
+  int has_symlinks = 0;
+  while (strlen (tmp_pathspec) && !has_symlinks)
+    {
+      lt_debugprintf (__FILE__, __LINE__,
+		      "checking path component for symlinks: %s\n",
+		      tmp_pathspec);
+      if (lstat (tmp_pathspec, &s) == 0)
+	{
+	  if (S_ISLNK (s.st_mode) != 0)
+	    {
+	      has_symlinks = 1;
+	      break;
+	    }
+
+	  /* search backwards for last DIR_SEPARATOR */
+	  p = tmp_pathspec + strlen (tmp_pathspec) - 1;
+	  while ((p > tmp_pathspec) && (!IS_DIR_SEPARATOR (*p)))
+	    p--;
+	  if ((p == tmp_pathspec) && (!IS_DIR_SEPARATOR (*p)))
+	    {
+	      /* no more DIR_SEPARATORS left */
+	      break;
+	    }
+	  *p = '\0';
+	}
+      else
+	{
+	  lt_fatal (__FILE__, __LINE__,
+		    "error accessing file \"%s\": %s",
+		    tmp_pathspec, nonnull (strerror (errno)));
+	}
+    }
+  XFREE (tmp_pathspec);
+
+  if (!has_symlinks)
+    {
+      return xstrdup (pathspec);
+    }
+
+  tmp_pathspec = realpath (pathspec, buf);
+  if (tmp_pathspec == 0)
+    {
+      lt_fatal (__FILE__, __LINE__,
+		"could not follow symlinks for %s", pathspec);
+    }
+  return xstrdup (tmp_pathspec);
+#endif
+}
+
+char *
+strendzap (char *str, const char *pat)
+{
+  size_t len, patlen;
+
+  assert (str != NULL);
+  assert (pat != NULL);
+
+  len = strlen (str);
+  patlen = strlen (pat);
+
+  if (patlen <= len)
+    {
+      str += len - patlen;
+      if (STREQ (str, pat))
+	*str = '\0';
+    }
+  return str;
+}
+
+void
+lt_debugprintf (const char *file, int line, const char *fmt, ...)
+{
+  va_list args;
+  if (lt_debug)
+    {
+      (void) fprintf (stderr, "%s:%s:%d: ", program_name, file, line);
+      va_start (args, fmt);
+      (void) vfprintf (stderr, fmt, args);
+      va_end (args);
+    }
+}
+
+static void
+lt_error_core (int exit_status, const char *file,
+	       int line, const char *mode,
+	       const char *message, va_list ap)
+{
+  fprintf (stderr, "%s:%s:%d: %s: ", program_name, file, line, mode);
+  vfprintf (stderr, message, ap);
+  fprintf (stderr, ".\n");
+
+  if (exit_status >= 0)
+    exit (exit_status);
+}
+
+void
+lt_fatal (const char *file, int line, const char *message, ...)
+{
+  va_list ap;
+  va_start (ap, message);
+  lt_error_core (EXIT_FAILURE, file, line, "FATAL", message, ap);
+  va_end (ap);
+}
+
+static const char *
+nonnull (const char *s)
+{
+  return s ? s : "(null)";
+}
+
+static const char *
+nonempty (const char *s)
+{
+  return (s && !*s) ? "(empty)" : nonnull (s);
+}
+
+void
+lt_setenv (const char *name, const char *value)
+{
+  lt_debugprintf (__FILE__, __LINE__,
+		  "(lt_setenv) setting '%s' to '%s'\n",
+                  nonnull (name), nonnull (value));
+  {
+#ifdef HAVE_SETENV
+    /* always make a copy, for consistency with !HAVE_SETENV */
+    char *str = xstrdup (value);
+    setenv (name, str, 1);
+#else
+    size_t len = strlen (name) + 1 + strlen (value) + 1;
+    char *str = XMALLOC (char, len);
+    sprintf (str, "%s=%s", name, value);
+    if (putenv (str) != EXIT_SUCCESS)
+      {
+        XFREE (str);
+      }
+#endif
+  }
+}
+
+char *
+lt_extend_str (const char *orig_value, const char *add, int to_end)
+{
+  char *new_value;
+  if (orig_value && *orig_value)
+    {
+      size_t orig_value_len = strlen (orig_value);
+      size_t add_len = strlen (add);
+      new_value = XMALLOC (char, add_len + orig_value_len + 1);
+      if (to_end)
+        {
+          strcpy (new_value, orig_value);
+          strcpy (new_value + orig_value_len, add);
+        }
+      else
+        {
+          strcpy (new_value, add);
+          strcpy (new_value + add_len, orig_value);
+        }
+    }
+  else
+    {
+      new_value = xstrdup (add);
+    }
+  return new_value;
+}
+
+void
+lt_update_exe_path (const char *name, const char *value)
+{
+  lt_debugprintf (__FILE__, __LINE__,
+		  "(lt_update_exe_path) modifying '%s' by prepending '%s'\n",
+                  nonnull (name), nonnull (value));
+
+  if (name && *name && value && *value)
+    {
+      char *new_value = lt_extend_str (getenv (name), value, 0);
+      /* some systems can't cope with a ':'-terminated path #' */
+      size_t len = strlen (new_value);
+      while ((len > 0) && IS_PATH_SEPARATOR (new_value[len-1]))
+        {
+          new_value[--len] = '\0';
+        }
+      lt_setenv (name, new_value);
+      XFREE (new_value);
+    }
+}
+
+void
+lt_update_lib_path (const char *name, const char *value)
+{
+  lt_debugprintf (__FILE__, __LINE__,
+		  "(lt_update_lib_path) modifying '%s' by prepending '%s'\n",
+                  nonnull (name), nonnull (value));
+
+  if (name && *name && value && *value)
+    {
+      char *new_value = lt_extend_str (getenv (name), value, 0);
+      lt_setenv (name, new_value);
+      XFREE (new_value);
+    }
+}
+
+EOF
+	    case $host_os in
+	      mingw*)
+		cat <<"EOF"
+
+/* Prepares an argument vector before calling spawn().
+   Note that spawn() does not by itself call the command interpreter
+     (getenv ("COMSPEC") != NULL ? getenv ("COMSPEC") :
+      ({ OSVERSIONINFO v; v.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
+         GetVersionEx(&v);
+         v.dwPlatformId == VER_PLATFORM_WIN32_NT;
+      }) ? "cmd.exe" : "command.com").
+   Instead it simply concatenates the arguments, separated by ' ', and calls
+   CreateProcess().  We must quote the arguments since Win32 CreateProcess()
+   interprets characters like ' ', '\t', '\\', '"' (but not '<' and '>') in a
+   special way:
+   - Space and tab are interpreted as delimiters. They are not treated as
+     delimiters if they are surrounded by double quotes: "...".
+   - Unescaped double quotes are removed from the input. Their only effect is
+     that within double quotes, space and tab are treated like normal
+     characters.
+   - Backslashes not followed by double quotes are not special.
+   - But 2*n+1 backslashes followed by a double quote become
+     n backslashes followed by a double quote (n >= 0):
+       \" -> "
+       \\\" -> \"
+       \\\\\" -> \\"
+ */
+#define SHELL_SPECIAL_CHARS "\"\\ \001\002\003\004\005\006\007\010\011\012\013\014\015\016\017\020\021\022\023\024\025\026\027\030\031\032\033\034\035\036\037"
+#define SHELL_SPACE_CHARS " \001\002\003\004\005\006\007\010\011\012\013\014\015\016\017\020\021\022\023\024\025\026\027\030\031\032\033\034\035\036\037"
+char **
+prepare_spawn (char **argv)
+{
+  size_t argc;
+  char **new_argv;
+  size_t i;
+
+  /* Count number of arguments.  */
+  for (argc = 0; argv[argc] != NULL; argc++)
+    ;
+
+  /* Allocate new argument vector.  */
+  new_argv = XMALLOC (char *, argc + 1);
+
+  /* Put quoted arguments into the new argument vector.  */
+  for (i = 0; i < argc; i++)
+    {
+      const char *string = argv[i];
+
+      if (string[0] == '\0')
+	new_argv[i] = xstrdup ("\"\"");
+      else if (strpbrk (string, SHELL_SPECIAL_CHARS) != NULL)
+	{
+	  int quote_around = (strpbrk (string, SHELL_SPACE_CHARS) != NULL);
+	  size_t length;
+	  unsigned int backslashes;
+	  const char *s;
+	  char *quoted_string;
+	  char *p;
+
+	  length = 0;
+	  backslashes = 0;
+	  if (quote_around)
+	    length++;
+	  for (s = string; *s != '\0'; s++)
+	    {
+	      char c = *s;
+	      if (c == '"')
+		length += backslashes + 1;
+	      length++;
+	      if (c == '\\')
+		backslashes++;
+	      else
+		backslashes = 0;
+	    }
+	  if (quote_around)
+	    length += backslashes + 1;
+
+	  quoted_string = XMALLOC (char, length + 1);
+
+	  p = quoted_string;
+	  backslashes = 0;
+	  if (quote_around)
+	    *p++ = '"';
+	  for (s = string; *s != '\0'; s++)
+	    {
+	      char c = *s;
+	      if (c == '"')
+		{
+		  unsigned int j;
+		  for (j = backslashes + 1; j > 0; j--)
+		    *p++ = '\\';
+		}
+	      *p++ = c;
+	      if (c == '\\')
+		backslashes++;
+	      else
+		backslashes = 0;
+	    }
+	  if (quote_around)
+	    {
+	      unsigned int j;
+	      for (j = backslashes; j > 0; j--)
+		*p++ = '\\';
+	      *p++ = '"';
+	    }
+	  *p = '\0';
+
+	  new_argv[i] = quoted_string;
+	}
+      else
+	new_argv[i] = (char *) string;
+    }
+  new_argv[argc] = NULL;
+
+  return new_argv;
+}
+EOF
+		;;
+	    esac
+
+            cat <<"EOF"
+void lt_dump_script (FILE* f)
+{
+EOF
+	    func_emit_wrapper yes |
+	      $SED -n -e '
+s/^\(.\{79\}\)\(..*\)/\1\
+\2/
+h
+s/\([\\"]\)/\\\1/g
+s/$/\\n/
+s/\([^\n]*\).*/  fputs ("\1", f);/p
+g
+D'
+            cat <<"EOF"
+}
+EOF
+}
+# end: func_emit_cwrapperexe_src
+
+# func_win32_import_lib_p ARG
+# True if ARG is an import lib, as indicated by $file_magic_cmd
+func_win32_import_lib_p ()
+{
+    $debug_cmd
+
+    case `eval $file_magic_cmd \"\$1\" 2>/dev/null | $SED -e 10q` in
+    *import*) : ;;
+    *) false ;;
+    esac
+}
+
+# func_suncc_cstd_abi
+# !!ONLY CALL THIS FOR SUN CC AFTER $compile_command IS FULLY EXPANDED!!
+# Several compiler flags select an ABI that is incompatible with the
+# Cstd library. Avoid specifying it if any are in CXXFLAGS.
+func_suncc_cstd_abi ()
+{
+    $debug_cmd
+
+    case " $compile_command " in
+    *" -compat=g "*|*\ -std=c++[0-9][0-9]\ *|*" -library=stdcxx4 "*|*" -library=stlport4 "*)
+      suncc_use_cstd_abi=no
+      ;;
+    *)
+      suncc_use_cstd_abi=yes
+      ;;
+    esac
+}
+
+# func_mode_link arg...
+func_mode_link ()
+{
+    $debug_cmd
+
+    case $host in
+    *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-cegcc*)
+      # It is impossible to link a dll without this setting, and
+      # we shouldn't force the makefile maintainer to figure out
+      # what system we are compiling for in order to pass an extra
+      # flag for every libtool invocation.
+      # allow_undefined=no
+
+      # FIXME: Unfortunately, there are problems with the above when trying
+      # to make a dll that has undefined symbols, in which case not
+      # even a static library is built.  For now, we need to specify
+      # -no-undefined on the libtool link line when we can be certain
+      # that all symbols are satisfied, otherwise we get a static library.
+      allow_undefined=yes
+      ;;
+    *)
+      allow_undefined=yes
+      ;;
+    esac
+    libtool_args=$nonopt
+    base_compile="$nonopt $@"
+    compile_command=$nonopt
+    finalize_command=$nonopt
+
+    compile_rpath=
+    finalize_rpath=
+    compile_shlibpath=
+    finalize_shlibpath=
+    convenience=
+    old_convenience=
+    deplibs=
+    old_deplibs=
+    compiler_flags=
+    linker_flags=
+    dllsearchpath=
+    lib_search_path=`pwd`
+    inst_prefix_dir=
+    new_inherited_linker_flags=
+
+    avoid_version=no
+    bindir=
+    dlfiles=
+    dlprefiles=
+    dlself=no
+    export_dynamic=no
+    export_symbols=
+    export_symbols_regex=
+    generated=
+    libobjs=
+    ltlibs=
+    module=no
+    no_install=no
+    objs=
+    os2dllname=
+    non_pic_objects=
+    precious_files_regex=
+    prefer_static_libs=no
+    preload=false
+    prev=
+    prevarg=
+    release=
+    rpath=
+    xrpath=
+    perm_rpath=
+    temp_rpath=
+    thread_safe=no
+    vinfo=
+    vinfo_number=no
+    weak_libs=
+    single_module=$wl-single_module
+    func_infer_tag $base_compile
+
+    # We need to know -static, to get the right output filenames.
+    for arg
+    do
+      case $arg in
+      -shared)
+	test yes != "$build_libtool_libs" \
+	  && func_fatal_configuration "cannot build a shared library"
+	build_old_libs=no
+	break
+	;;
+      -all-static | -static | -static-libtool-libs)
+	case $arg in
+	-all-static)
+	  if test yes = "$build_libtool_libs" && test -z "$link_static_flag"; then
+	    func_warning "complete static linking is impossible in this configuration"
+	  fi
+	  if test -n "$link_static_flag"; then
+	    dlopen_self=$dlopen_self_static
+	  fi
+	  prefer_static_libs=yes
+	  ;;
+	-static)
+	  if test -z "$pic_flag" && test -n "$link_static_flag"; then
+	    dlopen_self=$dlopen_self_static
+	  fi
+	  prefer_static_libs=built
+	  ;;
+	-static-libtool-libs)
+	  if test -z "$pic_flag" && test -n "$link_static_flag"; then
+	    dlopen_self=$dlopen_self_static
+	  fi
+	  prefer_static_libs=yes
+	  ;;
+	esac
+	build_libtool_libs=no
+	build_old_libs=yes
+	break
+	;;
+      esac
+    done
+
+    # See if our shared archives depend on static archives.
+    test -n "$old_archive_from_new_cmds" && build_old_libs=yes
+
+    # Go through the arguments, transforming them on the way.
+    while test "$#" -gt 0; do
+      arg=$1
+      shift
+      func_quote_for_eval "$arg"
+      qarg=$func_quote_for_eval_unquoted_result
+      func_append libtool_args " $func_quote_for_eval_result"
+
+      # If the previous option needs an argument, assign it.
+      if test -n "$prev"; then
+	case $prev in
+	output)
+	  func_append compile_command " @OUTPUT@"
+	  func_append finalize_command " @OUTPUT@"
+	  ;;
+	esac
+
+	case $prev in
+	bindir)
+	  bindir=$arg
+	  prev=
+	  continue
+	  ;;
+	dlfiles|dlprefiles)
+	  $preload || {
+	    # Add the symbol object into the linking commands.
+	    func_append compile_command " @SYMFILE@"
+	    func_append finalize_command " @SYMFILE@"
+	    preload=:
+	  }
+	  case $arg in
+	  *.la | *.lo) ;;  # We handle these cases below.
+	  force)
+	    if test no = "$dlself"; then
+	      dlself=needless
+	      export_dynamic=yes
+	    fi
+	    prev=
+	    continue
+	    ;;
+	  self)
+	    if test dlprefiles = "$prev"; then
+	      dlself=yes
+	    elif test dlfiles = "$prev" && test yes != "$dlopen_self"; then
+	      dlself=yes
+	    else
+	      dlself=needless
+	      export_dynamic=yes
+	    fi
+	    prev=
+	    continue
+	    ;;
+	  *)
+	    if test dlfiles = "$prev"; then
+	      func_append dlfiles " $arg"
+	    else
+	      func_append dlprefiles " $arg"
+	    fi
+	    prev=
+	    continue
+	    ;;
+	  esac
+	  ;;
+	expsyms)
+	  export_symbols=$arg
+	  test -f "$arg" \
+	    || func_fatal_error "symbol file '$arg' does not exist"
+	  prev=
+	  continue
+	  ;;
+	expsyms_regex)
+	  export_symbols_regex=$arg
+	  prev=
+	  continue
+	  ;;
+	framework)
+	  case $host in
+	    *-*-darwin*)
+	      case "$deplibs " in
+		*" $qarg.ltframework "*) ;;
+		*) func_append deplibs " $qarg.ltframework" # this is fixed later
+		   ;;
+	      esac
+	      ;;
+	  esac
+	  prev=
+	  continue
+	  ;;
+	inst_prefix)
+	  inst_prefix_dir=$arg
+	  prev=
+	  continue
+	  ;;
+	mllvm)
+	  # Clang does not use LLVM to link, so we can simply discard any
+	  # '-mllvm $arg' options when doing the link step.
+	  prev=
+	  continue
+	  ;;
+	objectlist)
+	  if test -f "$arg"; then
+	    save_arg=$arg
+	    moreargs=
+	    for fil in `cat "$save_arg"`
+	    do
+#	      func_append moreargs " $fil"
+	      arg=$fil
+	      # A libtool-controlled object.
+
+	      # Check to see that this really is a libtool object.
+	      if func_lalib_unsafe_p "$arg"; then
+		pic_object=
+		non_pic_object=
+
+		# Read the .lo file
+		func_source "$arg"
+
+		if test -z "$pic_object" ||
+		   test -z "$non_pic_object" ||
+		   test none = "$pic_object" &&
+		   test none = "$non_pic_object"; then
+		  func_fatal_error "cannot find name of object for '$arg'"
+		fi
+
+		# Extract subdirectory from the argument.
+		func_dirname "$arg" "/" ""
+		xdir=$func_dirname_result
+
+		if test none != "$pic_object"; then
+		  # Prepend the subdirectory the object is found in.
+		  pic_object=$xdir$pic_object
+
+		  if test dlfiles = "$prev"; then
+		    if test yes = "$build_libtool_libs" && test yes = "$dlopen_support"; then
+		      func_append dlfiles " $pic_object"
+		      prev=
+		      continue
+		    else
+		      # If libtool objects are unsupported, then we need to preload.
+		      prev=dlprefiles
+		    fi
+		  fi
+
+		  # CHECK ME:  I think I busted this.  -Ossama
+		  if test dlprefiles = "$prev"; then
+		    # Preload the old-style object.
+		    func_append dlprefiles " $pic_object"
+		    prev=
+		  fi
+
+		  # A PIC object.
+		  func_append libobjs " $pic_object"
+		  arg=$pic_object
+		fi
+
+		# Non-PIC object.
+		if test none != "$non_pic_object"; then
+		  # Prepend the subdirectory the object is found in.
+		  non_pic_object=$xdir$non_pic_object
+
+		  # A standard non-PIC object
+		  func_append non_pic_objects " $non_pic_object"
+		  if test -z "$pic_object" || test none = "$pic_object"; then
+		    arg=$non_pic_object
+		  fi
+		else
+		  # If the PIC object exists, use it instead.
+		  # $xdir was prepended to $pic_object above.
+		  non_pic_object=$pic_object
+		  func_append non_pic_objects " $non_pic_object"
+		fi
+	      else
+		# Only an error if not doing a dry-run.
+		if $opt_dry_run; then
+		  # Extract subdirectory from the argument.
+		  func_dirname "$arg" "/" ""
+		  xdir=$func_dirname_result
+
+		  func_lo2o "$arg"
+		  pic_object=$xdir$objdir/$func_lo2o_result
+		  non_pic_object=$xdir$func_lo2o_result
+		  func_append libobjs " $pic_object"
+		  func_append non_pic_objects " $non_pic_object"
+	        else
+		  func_fatal_error "'$arg' is not a valid libtool object"
+		fi
+	      fi
+	    done
+	  else
+	    func_fatal_error "link input file '$arg' does not exist"
+	  fi
+	  arg=$save_arg
+	  prev=
+	  continue
+	  ;;
+	os2dllname)
+	  os2dllname=$arg
+	  prev=
+	  continue
+	  ;;
+	precious_regex)
+	  precious_files_regex=$arg
+	  prev=
+	  continue
+	  ;;
+	release)
+	  release=-$arg
+	  prev=
+	  continue
+	  ;;
+	rpath | xrpath)
+	  # We need an absolute path.
+	  case $arg in
+	  [\\/]* | [A-Za-z]:[\\/]*) ;;
+	  *)
+	    func_fatal_error "only absolute run-paths are allowed"
+	    ;;
+	  esac
+	  if test rpath = "$prev"; then
+	    case "$rpath " in
+	    *" $arg "*) ;;
+	    *) func_append rpath " $arg" ;;
+	    esac
+	  else
+	    case "$xrpath " in
+	    *" $arg "*) ;;
+	    *) func_append xrpath " $arg" ;;
+	    esac
+	  fi
+	  prev=
+	  continue
+	  ;;
+	shrext)
+	  shrext_cmds=$arg
+	  prev=
+	  continue
+	  ;;
+	weak)
+	  func_append weak_libs " $arg"
+	  prev=
+	  continue
+	  ;;
+	xcclinker)
+	  func_append linker_flags " $qarg"
+	  func_append compiler_flags " $qarg"
+	  prev=
+	  func_append compile_command " $qarg"
+	  func_append finalize_command " $qarg"
+	  continue
+	  ;;
+	xcompiler)
+	  func_append compiler_flags " $qarg"
+	  prev=
+	  func_append compile_command " $qarg"
+	  func_append finalize_command " $qarg"
+	  continue
+	  ;;
+	xlinker)
+	  func_append linker_flags " $qarg"
+	  func_append compiler_flags " $wl$qarg"
+	  prev=
+	  func_append compile_command " $wl$qarg"
+	  func_append finalize_command " $wl$qarg"
+	  continue
+	  ;;
+	*)
+	  eval "$prev=\"\$arg\""
+	  prev=
+	  continue
+	  ;;
+	esac
+      fi # test -n "$prev"
+
+      prevarg=$arg
+
+      case $arg in
+      -all-static)
+	if test -n "$link_static_flag"; then
+	  # See comment for -static flag below, for more details.
+	  func_append compile_command " $link_static_flag"
+	  func_append finalize_command " $link_static_flag"
+	fi
+	continue
+	;;
+
+      -allow-undefined)
+	# FIXME: remove this flag sometime in the future.
+	func_fatal_error "'-allow-undefined' must not be used because it is the default"
+	;;
+
+      -avoid-version)
+	avoid_version=yes
+	continue
+	;;
+
+      -bindir)
+	prev=bindir
+	continue
+	;;
+
+      -dlopen)
+	prev=dlfiles
+	continue
+	;;
+
+      -dlpreopen)
+	prev=dlprefiles
+	continue
+	;;
+
+      -export-dynamic)
+	export_dynamic=yes
+	continue
+	;;
+
+      -export-symbols | -export-symbols-regex)
+	if test -n "$export_symbols" || test -n "$export_symbols_regex"; then
+	  func_fatal_error "more than one -exported-symbols argument is not allowed"
+	fi
+	if test X-export-symbols = "X$arg"; then
+	  prev=expsyms
+	else
+	  prev=expsyms_regex
+	fi
+	continue
+	;;
+
+      -framework)
+	prev=framework
+	continue
+	;;
+
+      -inst-prefix-dir)
+	prev=inst_prefix
+	continue
+	;;
+
+      # The native IRIX linker understands -LANG:*, -LIST:* and -LNO:*
+      # so, if we see these flags be careful not to treat them like -L
+      -L[A-Z][A-Z]*:*)
+	case $with_gcc/$host in
+	no/*-*-irix* | /*-*-irix*)
+	  func_append compile_command " $arg"
+	  func_append finalize_command " $arg"
+	  ;;
+	esac
+	continue
+	;;
+
+      -L*)
+	func_stripname "-L" '' "$arg"
+	if test -z "$func_stripname_result"; then
+	  if test "$#" -gt 0; then
+	    func_fatal_error "require no space between '-L' and '$1'"
+	  else
+	    func_fatal_error "need path for '-L' option"
+	  fi
+	fi
+	func_resolve_sysroot "$func_stripname_result"
+	dir=$func_resolve_sysroot_result
+	# We need an absolute path.
+	case $dir in
+	[\\/]* | [A-Za-z]:[\\/]*) ;;
+	*)
+	  absdir=`cd "$dir" && pwd`
+	  test -z "$absdir" && \
+	    func_fatal_error "cannot determine absolute directory name of '$dir'"
+	  dir=$absdir
+	  ;;
+	esac
+	case "$deplibs " in
+	*" -L$dir "* | *" $arg "*)
+	  # Will only happen for absolute or sysroot arguments
+	  ;;
+	*)
+	  # Preserve sysroot, but never include relative directories
+	  case $dir in
+	    [\\/]* | [A-Za-z]:[\\/]* | =*) func_append deplibs " $arg" ;;
+	    *) func_append deplibs " -L$dir" ;;
+	  esac
+	  func_append lib_search_path " $dir"
+	  ;;
+	esac
+	case $host in
+	*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-cegcc*)
+	  testbindir=`$ECHO "$dir" | $SED 's*/lib$*/bin*'`
+	  case :$dllsearchpath: in
+	  *":$dir:"*) ;;
+	  ::) dllsearchpath=$dir;;
+	  *) func_append dllsearchpath ":$dir";;
+	  esac
+	  case :$dllsearchpath: in
+	  *":$testbindir:"*) ;;
+	  ::) dllsearchpath=$testbindir;;
+	  *) func_append dllsearchpath ":$testbindir";;
+	  esac
+	  ;;
+	esac
+	continue
+	;;
+
+      -l*)
+	if test X-lc = "X$arg" || test X-lm = "X$arg"; then
+	  case $host in
+	  *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-beos* | *-cegcc* | *-*-haiku*)
+	    # These systems don't actually have a C or math library (as such)
+	    continue
+	    ;;
+	  *-*-os2*)
+	    # These systems don't actually have a C library (as such)
+	    test X-lc = "X$arg" && continue
+	    ;;
+	  *-*-openbsd* | *-*-freebsd* | *-*-dragonfly* | *-*-bitrig*)
+	    # Do not include libc due to us having libc/libc_r.
+	    test X-lc = "X$arg" && continue
+	    ;;
+	  *-*-rhapsody* | *-*-darwin1.[012])
+	    # Rhapsody C and math libraries are in the System framework
+	    func_append deplibs " System.ltframework"
+	    continue
+	    ;;
+	  *-*-sco3.2v5* | *-*-sco5v6*)
+	    # Causes problems with __ctype
+	    test X-lc = "X$arg" && continue
+	    ;;
+	  *-*-sysv4.2uw2* | *-*-sysv5* | *-*-unixware* | *-*-OpenUNIX*)
+	    # Compiler inserts libc in the correct place for threads to work
+	    test X-lc = "X$arg" && continue
+	    ;;
+	  esac
+	elif test X-lc_r = "X$arg"; then
+	 case $host in
+	 *-*-openbsd* | *-*-freebsd* | *-*-dragonfly* | *-*-bitrig*)
+	   # Do not include libc_r directly, use -pthread flag.
+	   continue
+	   ;;
+	 esac
+	fi
+	func_append deplibs " $arg"
+	continue
+	;;
+
+      -mllvm)
+	prev=mllvm
+	continue
+	;;
+
+      -module)
+	module=yes
+	continue
+	;;
+
+      # Tru64 UNIX uses -model [arg] to determine the layout of C++
+      # classes, name mangling, and exception handling.
+      # Darwin uses the -arch flag to determine output architecture.
+      -model|-arch|-isysroot|--sysroot)
+	func_append compiler_flags " $arg"
+	func_append compile_command " $arg"
+	func_append finalize_command " $arg"
+	prev=xcompiler
+	continue
+	;;
+
+      -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe \
+      |-threads|-fopenmp|-openmp|-mp|-xopenmp|-omp|-qsmp=*)
+	func_append compiler_flags " $arg"
+	func_append compile_command " $arg"
+	func_append finalize_command " $arg"
+	case "$new_inherited_linker_flags " in
+	    *" $arg "*) ;;
+	    * ) func_append new_inherited_linker_flags " $arg" ;;
+	esac
+	continue
+	;;
+
+      -multi_module)
+	single_module=$wl-multi_module
+	continue
+	;;
+
+      -no-fast-install)
+	fast_install=no
+	continue
+	;;
+
+      -no-install)
+	case $host in
+	*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-*-darwin* | *-cegcc*)
+	  # The PATH hackery in wrapper scripts is required on Windows
+	  # and Darwin in order for the loader to find any dlls it needs.
+	  func_warning "'-no-install' is ignored for $host"
+	  func_warning "assuming '-no-fast-install' instead"
+	  fast_install=no
+	  ;;
+	*) no_install=yes ;;
+	esac
+	continue
+	;;
+
+      -no-undefined)
+	allow_undefined=no
+	continue
+	;;
+
+      -objectlist)
+	prev=objectlist
+	continue
+	;;
+
+      -os2dllname)
+	prev=os2dllname
+	continue
+	;;
+
+      -o) prev=output ;;
+
+      -precious-files-regex)
+	prev=precious_regex
+	continue
+	;;
+
+      -release)
+	prev=release
+	continue
+	;;
+
+      -rpath)
+	prev=rpath
+	continue
+	;;
+
+      -R)
+	prev=xrpath
+	continue
+	;;
+
+      -R*)
+	func_stripname '-R' '' "$arg"
+	dir=$func_stripname_result
+	# We need an absolute path.
+	case $dir in
+	[\\/]* | [A-Za-z]:[\\/]*) ;;
+	=*)
+	  func_stripname '=' '' "$dir"
+	  dir=$lt_sysroot$func_stripname_result
+	  ;;
+	*)
+	  func_fatal_error "only absolute run-paths are allowed"
+	  ;;
+	esac
+	case "$xrpath " in
+	*" $dir "*) ;;
+	*) func_append xrpath " $dir" ;;
+	esac
+	continue
+	;;
+
+      -shared)
+	# The effects of -shared are defined in a previous loop.
+	continue
+	;;
+
+      -shrext)
+	prev=shrext
+	continue
+	;;
+
+      -static | -static-libtool-libs)
+	# The effects of -static are defined in a previous loop.
+	# We used to do the same as -all-static on platforms that
+	# didn't have a PIC flag, but the assumption that the effects
+	# would be equivalent was wrong.  It would break on at least
+	# Digital Unix and AIX.
+	continue
+	;;
+
+      -thread-safe)
+	thread_safe=yes
+	continue
+	;;
+
+      -version-info)
+	prev=vinfo
+	continue
+	;;
+
+      -version-number)
+	prev=vinfo
+	vinfo_number=yes
+	continue
+	;;
+
+      -weak)
+        prev=weak
+	continue
+	;;
+
+      -Wc,*)
+	func_stripname '-Wc,' '' "$arg"
+	args=$func_stripname_result
+	arg=
+	save_ifs=$IFS; IFS=,
+	for flag in $args; do
+	  IFS=$save_ifs
+          func_quote_for_eval "$flag"
+	  func_append arg " $func_quote_for_eval_result"
+	  func_append compiler_flags " $func_quote_for_eval_result"
+	done
+	IFS=$save_ifs
+	func_stripname ' ' '' "$arg"
+	arg=$func_stripname_result
+	;;
+
+      -Wl,*)
+	func_stripname '-Wl,' '' "$arg"
+	args=$func_stripname_result
+	arg=
+	save_ifs=$IFS; IFS=,
+	for flag in $args; do
+	  IFS=$save_ifs
+          func_quote_for_eval "$flag"
+	  func_append arg " $wl$func_quote_for_eval_result"
+	  func_append compiler_flags " $wl$func_quote_for_eval_result"
+	  func_append linker_flags " $func_quote_for_eval_result"
+	done
+	IFS=$save_ifs
+	func_stripname ' ' '' "$arg"
+	arg=$func_stripname_result
+	;;
+
+      -Xcompiler)
+	prev=xcompiler
+	continue
+	;;
+
+      -Xlinker)
+	prev=xlinker
+	continue
+	;;
+
+      -XCClinker)
+	prev=xcclinker
+	continue
+	;;
+
+      # -msg_* for osf cc
+      -msg_*)
+	func_quote_for_eval "$arg"
+	arg=$func_quote_for_eval_result
+	;;
+
+      # Flags to be passed through unchanged, with rationale:
+      # -64, -mips[0-9]      enable 64-bit mode for the SGI compiler
+      # -r[0-9][0-9]*        specify processor for the SGI compiler
+      # -xarch=*, -xtarget=* enable 64-bit mode for the Sun compiler
+      # +DA*, +DD*           enable 64-bit mode for the HP compiler
+      # -q*                  compiler args for the IBM compiler
+      # -m*, -t[45]*, -txscale* architecture-specific flags for GCC
+      # -F/path              path to uninstalled frameworks, gcc on darwin
+      # -p, -pg, --coverage, -fprofile-*  profiling flags for GCC
+      # -fstack-protector*   stack protector flags for GCC
+      # @file                GCC response files
+      # -tp=*                Portland pgcc target processor selection
+      # --sysroot=*          for sysroot support
+      # -O*, -g*, -flto*, -fwhopr*, -fuse-linker-plugin GCC link-time optimization
+      # -specs=*             GCC specs files
+      # -stdlib=*            select c++ std lib with clang
+      # -fsanitize=*         Clang/GCC memory and address sanitizer
+      # -fuse-ld=*           Linker select flags for GCC
+      # -static-*            direct GCC to link specific libraries statically
+      # -fcilkplus           Cilk Plus language extension features for C/C++
+      -64|-mips[0-9]|-r[0-9][0-9]*|-xarch=*|-xtarget=*|+DA*|+DD*|-q*|-m*| \
+      -t[45]*|-txscale*|-p|-pg|--coverage|-fprofile-*|-F*|@*|-tp=*|--sysroot=*| \
+      -O*|-g*|-flto*|-fwhopr*|-fuse-linker-plugin|-fstack-protector*|-stdlib=*| \
+      -specs=*|-fsanitize=*|-fuse-ld=*|-static-*|-fcilkplus)
+        func_quote_for_eval "$arg"
+	arg=$func_quote_for_eval_result
+        func_append compile_command " $arg"
+        func_append finalize_command " $arg"
+        func_append compiler_flags " $arg"
+        continue
+        ;;
+
+      -Z*)
+        if test os2 = "`expr $host : '.*\(os2\)'`"; then
+          # OS/2 uses -Zxxx to specify OS/2-specific options
+	  compiler_flags="$compiler_flags $arg"
+	  func_append compile_command " $arg"
+	  func_append finalize_command " $arg"
+	  case $arg in
+	  -Zlinker | -Zstack)
+	    prev=xcompiler
+	    ;;
+	  esac
+	  continue
+        else
+	  # Otherwise treat like 'Some other compiler flag' below
+	  func_quote_for_eval "$arg"
+	  arg=$func_quote_for_eval_result
+        fi
+	;;
+
+      # Some other compiler flag.
+      -* | +*)
+        func_quote_for_eval "$arg"
+	arg=$func_quote_for_eval_result
+	;;
+
+      *.$objext)
+	# A standard object.
+	func_append objs " $arg"
+	;;
+
+      *.lo)
+	# A libtool-controlled object.
+
+	# Check to see that this really is a libtool object.
+	if func_lalib_unsafe_p "$arg"; then
+	  pic_object=
+	  non_pic_object=
+
+	  # Read the .lo file
+	  func_source "$arg"
+
+	  if test -z "$pic_object" ||
+	     test -z "$non_pic_object" ||
+	     test none = "$pic_object" &&
+	     test none = "$non_pic_object"; then
+	    func_fatal_error "cannot find name of object for '$arg'"
+	  fi
+
+	  # Extract subdirectory from the argument.
+	  func_dirname "$arg" "/" ""
+	  xdir=$func_dirname_result
+
+	  test none = "$pic_object" || {
+	    # Prepend the subdirectory the object is found in.
+	    pic_object=$xdir$pic_object
+
+	    if test dlfiles = "$prev"; then
+	      if test yes = "$build_libtool_libs" && test yes = "$dlopen_support"; then
+		func_append dlfiles " $pic_object"
+		prev=
+		continue
+	      else
+		# If libtool objects are unsupported, then we need to preload.
+		prev=dlprefiles
+	      fi
+	    fi
+
+	    # CHECK ME:  I think I busted this.  -Ossama
+	    if test dlprefiles = "$prev"; then
+	      # Preload the old-style object.
+	      func_append dlprefiles " $pic_object"
+	      prev=
+	    fi
+
+	    # A PIC object.
+	    func_append libobjs " $pic_object"
+	    arg=$pic_object
+	  }
+
+	  # Non-PIC object.
+	  if test none != "$non_pic_object"; then
+	    # Prepend the subdirectory the object is found in.
+	    non_pic_object=$xdir$non_pic_object
+
+	    # A standard non-PIC object
+	    func_append non_pic_objects " $non_pic_object"
+	    if test -z "$pic_object" || test none = "$pic_object"; then
+	      arg=$non_pic_object
+	    fi
+	  else
+	    # If the PIC object exists, use it instead.
+	    # $xdir was prepended to $pic_object above.
+	    non_pic_object=$pic_object
+	    func_append non_pic_objects " $non_pic_object"
+	  fi
+	else
+	  # Only an error if not doing a dry-run.
+	  if $opt_dry_run; then
+	    # Extract subdirectory from the argument.
+	    func_dirname "$arg" "/" ""
+	    xdir=$func_dirname_result
+
+	    func_lo2o "$arg"
+	    pic_object=$xdir$objdir/$func_lo2o_result
+	    non_pic_object=$xdir$func_lo2o_result
+	    func_append libobjs " $pic_object"
+	    func_append non_pic_objects " $non_pic_object"
+	  else
+	    func_fatal_error "'$arg' is not a valid libtool object"
+	  fi
+	fi
+	;;
+
+      *.$libext)
+	# An archive.
+	func_append deplibs " $arg"
+	func_append old_deplibs " $arg"
+	continue
+	;;
+
+      *.la)
+	# A libtool-controlled library.
+
+	func_resolve_sysroot "$arg"
+	if test dlfiles = "$prev"; then
+	  # This library was specified with -dlopen.
+	  func_append dlfiles " $func_resolve_sysroot_result"
+	  prev=
+	elif test dlprefiles = "$prev"; then
+	  # The library was specified with -dlpreopen.
+	  func_append dlprefiles " $func_resolve_sysroot_result"
+	  prev=
+	else
+	  func_append deplibs " $func_resolve_sysroot_result"
+	fi
+	continue
+	;;
+
+      # Some other compiler argument.
+      *)
+	# Unknown arguments in both finalize_command and compile_command need
+	# to be aesthetically quoted because they are evaled later.
+	func_quote_for_eval "$arg"
+	arg=$func_quote_for_eval_result
+	;;
+      esac # arg
+
+      # Now actually substitute the argument into the commands.
+      if test -n "$arg"; then
+	func_append compile_command " $arg"
+	func_append finalize_command " $arg"
+      fi
+    done # argument parsing loop
+
+    test -n "$prev" && \
+      func_fatal_help "the '$prevarg' option requires an argument"
+
+    if test yes = "$export_dynamic" && test -n "$export_dynamic_flag_spec"; then
+      eval arg=\"$export_dynamic_flag_spec\"
+      func_append compile_command " $arg"
+      func_append finalize_command " $arg"
+    fi
+
+    oldlibs=
+    # calculate the name of the file, without its directory
+    func_basename "$output"
+    outputname=$func_basename_result
+    libobjs_save=$libobjs
+
+    if test -n "$shlibpath_var"; then
+      # get the directories listed in $shlibpath_var
+      eval shlib_search_path=\`\$ECHO \"\$$shlibpath_var\" \| \$SED \'s/:/ /g\'\`
+    else
+      shlib_search_path=
+    fi
+    eval sys_lib_search_path=\"$sys_lib_search_path_spec\"
+    eval sys_lib_dlsearch_path=\"$sys_lib_dlsearch_path_spec\"
+
+    # Definition is injected by LT_CONFIG during libtool generation.
+    func_munge_path_list sys_lib_dlsearch_path "$LT_SYS_LIBRARY_PATH"
+
+    func_dirname "$output" "/" ""
+    output_objdir=$func_dirname_result$objdir
+    func_to_tool_file "$output_objdir/"
+    tool_output_objdir=$func_to_tool_file_result
+    # Create the object directory.
+    func_mkdir_p "$output_objdir"
+
+    # Determine the type of output
+    case $output in
+    "")
+      func_fatal_help "you must specify an output file"
+      ;;
+    *.$libext) linkmode=oldlib ;;
+    *.lo | *.$objext) linkmode=obj ;;
+    *.la) linkmode=lib ;;
+    *) linkmode=prog ;; # Anything else should be a program.
+    esac
+
+    specialdeplibs=
+
+    libs=
+    # Find all interdependent deplibs by searching for libraries
+    # that are linked more than once (e.g. -la -lb -la)
+    for deplib in $deplibs; do
+      if $opt_preserve_dup_deps; then
+	case "$libs " in
+	*" $deplib "*) func_append specialdeplibs " $deplib" ;;
+	esac
+      fi
+      func_append libs " $deplib"
+    done
+
+    if test lib = "$linkmode"; then
+      libs="$predeps $libs $compiler_lib_search_path $postdeps"
+
+      # Compute libraries that are listed more than once in $predeps
+      # $postdeps and mark them as special (i.e., whose duplicates are
+      # not to be eliminated).
+      pre_post_deps=
+      if $opt_duplicate_compiler_generated_deps; then
+	for pre_post_dep in $predeps $postdeps; do
+	  case "$pre_post_deps " in
+	  *" $pre_post_dep "*) func_append specialdeplibs " $pre_post_deps" ;;
+	  esac
+	  func_append pre_post_deps " $pre_post_dep"
+	done
+      fi
+      pre_post_deps=
+    fi
+
+    deplibs=
+    newdependency_libs=
+    newlib_search_path=
+    need_relink=no # whether we're linking any uninstalled libtool libraries
+    notinst_deplibs= # not-installed libtool libraries
+    notinst_path= # paths that contain not-installed libtool libraries
+
+    case $linkmode in
+    lib)
+	passes="conv dlpreopen link"
+	for file in $dlfiles $dlprefiles; do
+	  case $file in
+	  *.la) ;;
+	  *)
+	    func_fatal_help "libraries can '-dlopen' only libtool libraries: $file"
+	    ;;
+	  esac
+	done
+	;;
+    prog)
+	compile_deplibs=
+	finalize_deplibs=
+	alldeplibs=false
+	newdlfiles=
+	newdlprefiles=
+	passes="conv scan dlopen dlpreopen link"
+	;;
+    *)  passes="conv"
+	;;
+    esac
+
+    for pass in $passes; do
+      # The preopen pass in lib mode reverses $deplibs; put it back here
+      # so that -L comes before libs that need it for instance...
+      if test lib,link = "$linkmode,$pass"; then
+	## FIXME: Find the place where the list is rebuilt in the wrong
+	##        order, and fix it there properly
+        tmp_deplibs=
+	for deplib in $deplibs; do
+	  tmp_deplibs="$deplib $tmp_deplibs"
+	done
+	deplibs=$tmp_deplibs
+      fi
+
+      if test lib,link = "$linkmode,$pass" ||
+	 test prog,scan = "$linkmode,$pass"; then
+	libs=$deplibs
+	deplibs=
+      fi
+      if test prog = "$linkmode"; then
+	case $pass in
+	dlopen) libs=$dlfiles ;;
+	dlpreopen) libs=$dlprefiles ;;
+	link)
+	  libs="$deplibs %DEPLIBS%"
+	  test "X$link_all_deplibs" != Xno && libs="$libs $dependency_libs"
+	  ;;
+	esac
+      fi
+      if test lib,dlpreopen = "$linkmode,$pass"; then
+	# Collect and forward deplibs of preopened libtool libs
+	for lib in $dlprefiles; do
+	  # Ignore non-libtool-libs
+	  dependency_libs=
+	  func_resolve_sysroot "$lib"
+	  case $lib in
+	  *.la)	func_source "$func_resolve_sysroot_result" ;;
+	  esac
+
+	  # Collect preopened libtool deplibs, except any this library
+	  # has declared as weak libs
+	  for deplib in $dependency_libs; do
+	    func_basename "$deplib"
+            deplib_base=$func_basename_result
+	    case " $weak_libs " in
+	    *" $deplib_base "*) ;;
+	    *) func_append deplibs " $deplib" ;;
+	    esac
+	  done
+	done
+	libs=$dlprefiles
+      fi
+      if test dlopen = "$pass"; then
+	# Collect dlpreopened libraries
+	save_deplibs=$deplibs
+	deplibs=
+      fi
+
+      for deplib in $libs; do
+	lib=
+	found=false
+	case $deplib in
+	-mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe \
+        |-threads|-fopenmp|-openmp|-mp|-xopenmp|-omp|-qsmp=*)
+	  if test prog,link = "$linkmode,$pass"; then
+	    compile_deplibs="$deplib $compile_deplibs"
+	    finalize_deplibs="$deplib $finalize_deplibs"
+	  else
+	    func_append compiler_flags " $deplib"
+	    if test lib = "$linkmode"; then
+		case "$new_inherited_linker_flags " in
+		    *" $deplib "*) ;;
+		    * ) func_append new_inherited_linker_flags " $deplib" ;;
+		esac
+	    fi
+	  fi
+	  continue
+	  ;;
+	-l*)
+	  if test lib != "$linkmode" && test prog != "$linkmode"; then
+	    func_warning "'-l' is ignored for archives/objects"
+	    continue
+	  fi
+	  func_stripname '-l' '' "$deplib"
+	  name=$func_stripname_result
+	  if test lib = "$linkmode"; then
+	    searchdirs="$newlib_search_path $lib_search_path $compiler_lib_search_dirs $sys_lib_search_path $shlib_search_path"
+	  else
+	    searchdirs="$newlib_search_path $lib_search_path $sys_lib_search_path $shlib_search_path"
+	  fi
+	  for searchdir in $searchdirs; do
+	    for search_ext in .la $std_shrext .so .a; do
+	      # Search the libtool library
+	      lib=$searchdir/lib$name$search_ext
+	      if test -f "$lib"; then
+		if test .la = "$search_ext"; then
+		  found=:
+		else
+		  found=false
+		fi
+		break 2
+	      fi
+	    done
+	  done
+	  if $found; then
+	    # deplib is a libtool library
+	    # If $allow_libtool_libs_with_static_runtimes && $deplib is a stdlib,
+	    # We need to do some special things here, and not later.
+	    if test yes = "$allow_libtool_libs_with_static_runtimes"; then
+	      case " $predeps $postdeps " in
+	      *" $deplib "*)
+		if func_lalib_p "$lib"; then
+		  library_names=
+		  old_library=
+		  func_source "$lib"
+		  for l in $old_library $library_names; do
+		    ll=$l
+		  done
+		  if test "X$ll" = "X$old_library"; then # only static version available
+		    found=false
+		    func_dirname "$lib" "" "."
+		    ladir=$func_dirname_result
+		    lib=$ladir/$old_library
+		    if test prog,link = "$linkmode,$pass"; then
+		      compile_deplibs="$deplib $compile_deplibs"
+		      finalize_deplibs="$deplib $finalize_deplibs"
+		    else
+		      deplibs="$deplib $deplibs"
+		      test lib = "$linkmode" && newdependency_libs="$deplib $newdependency_libs"
+		    fi
+		    continue
+		  fi
+		fi
+		;;
+	      *) ;;
+	      esac
+	    fi
+	  else
+	    # deplib doesn't seem to be a libtool library
+	    if test prog,link = "$linkmode,$pass"; then
+	      compile_deplibs="$deplib $compile_deplibs"
+	      finalize_deplibs="$deplib $finalize_deplibs"
+	    else
+	      deplibs="$deplib $deplibs"
+	      test lib = "$linkmode" && newdependency_libs="$deplib $newdependency_libs"
+	    fi
+	    continue
+	  fi
+	  ;; # -l
+	*.ltframework)
+	  if test prog,link = "$linkmode,$pass"; then
+	    compile_deplibs="$deplib $compile_deplibs"
+	    finalize_deplibs="$deplib $finalize_deplibs"
+	  else
+	    deplibs="$deplib $deplibs"
+	    if test lib = "$linkmode"; then
+		case "$new_inherited_linker_flags " in
+		    *" $deplib "*) ;;
+		    * ) func_append new_inherited_linker_flags " $deplib" ;;
+		esac
+	    fi
+	  fi
+	  continue
+	  ;;
+	-L*)
+	  case $linkmode in
+	  lib)
+	    deplibs="$deplib $deplibs"
+	    test conv = "$pass" && continue
+	    newdependency_libs="$deplib $newdependency_libs"
+	    func_stripname '-L' '' "$deplib"
+	    func_resolve_sysroot "$func_stripname_result"
+	    func_append newlib_search_path " $func_resolve_sysroot_result"
+	    ;;
+	  prog)
+	    if test conv = "$pass"; then
+	      deplibs="$deplib $deplibs"
+	      continue
+	    fi
+	    if test scan = "$pass"; then
+	      deplibs="$deplib $deplibs"
+	    else
+	      compile_deplibs="$deplib $compile_deplibs"
+	      finalize_deplibs="$deplib $finalize_deplibs"
+	    fi
+	    func_stripname '-L' '' "$deplib"
+	    func_resolve_sysroot "$func_stripname_result"
+	    func_append newlib_search_path " $func_resolve_sysroot_result"
+	    ;;
+	  *)
+	    func_warning "'-L' is ignored for archives/objects"
+	    ;;
+	  esac # linkmode
+	  continue
+	  ;; # -L
+	-R*)
+	  if test link = "$pass"; then
+	    func_stripname '-R' '' "$deplib"
+	    func_resolve_sysroot "$func_stripname_result"
+	    dir=$func_resolve_sysroot_result
+	    # Make sure the xrpath contains only unique directories.
+	    case "$xrpath " in
+	    *" $dir "*) ;;
+	    *) func_append xrpath " $dir" ;;
+	    esac
+	  fi
+	  deplibs="$deplib $deplibs"
+	  continue
+	  ;;
+	*.la)
+	  func_resolve_sysroot "$deplib"
+	  lib=$func_resolve_sysroot_result
+	  ;;
+	*.$libext)
+	  if test conv = "$pass"; then
+	    deplibs="$deplib $deplibs"
+	    continue
+	  fi
+	  case $linkmode in
+	  lib)
+	    # Linking convenience modules into shared libraries is allowed,
+	    # but linking other static libraries is non-portable.
+	    case " $dlpreconveniencelibs " in
+	    *" $deplib "*) ;;
+	    *)
+	      valid_a_lib=false
+	      case $deplibs_check_method in
+		match_pattern*)
+		  set dummy $deplibs_check_method; shift
+		  match_pattern_regex=`expr "$deplibs_check_method" : "$1 \(.*\)"`
+		  if eval "\$ECHO \"$deplib\"" 2>/dev/null | $SED 10q \
+		    | $EGREP "$match_pattern_regex" > /dev/null; then
+		    valid_a_lib=:
+		  fi
+		;;
+		pass_all)
+		  valid_a_lib=:
+		;;
+	      esac
+	      if $valid_a_lib; then
+		echo
+		$ECHO "*** Warning: Linking the shared library $output against the"
+		$ECHO "*** static library $deplib is not portable!"
+		deplibs="$deplib $deplibs"
+	      else
+		echo
+		$ECHO "*** Warning: Trying to link with static lib archive $deplib."
+		echo "*** I have the capability to make that library automatically link in when"
+		echo "*** you link to this library.  But I can only do this if you have a"
+		echo "*** shared version of the library, which you do not appear to have"
+		echo "*** because the file extensions .$libext of this argument makes me believe"
+		echo "*** that it is just a static archive that I should not use here."
+	      fi
+	      ;;
+	    esac
+	    continue
+	    ;;
+	  prog)
+	    if test link != "$pass"; then
+	      deplibs="$deplib $deplibs"
+	    else
+	      compile_deplibs="$deplib $compile_deplibs"
+	      finalize_deplibs="$deplib $finalize_deplibs"
+	    fi
+	    continue
+	    ;;
+	  esac # linkmode
+	  ;; # *.$libext
+	*.lo | *.$objext)
+	  if test conv = "$pass"; then
+	    deplibs="$deplib $deplibs"
+	  elif test prog = "$linkmode"; then
+	    if test dlpreopen = "$pass" || test yes != "$dlopen_support" || test no = "$build_libtool_libs"; then
+	      # If there is no dlopen support or we're linking statically,
+	      # we need to preload.
+	      func_append newdlprefiles " $deplib"
+	      compile_deplibs="$deplib $compile_deplibs"
+	      finalize_deplibs="$deplib $finalize_deplibs"
+	    else
+	      func_append newdlfiles " $deplib"
+	    fi
+	  fi
+	  continue
+	  ;;
+	%DEPLIBS%)
+	  alldeplibs=:
+	  continue
+	  ;;
+	esac # case $deplib
+
+	$found || test -f "$lib" \
+	  || func_fatal_error "cannot find the library '$lib' or unhandled argument '$deplib'"
+
+	# Check to see that this really is a libtool archive.
+	func_lalib_unsafe_p "$lib" \
+	  || func_fatal_error "'$lib' is not a valid libtool archive"
+
+	func_dirname "$lib" "" "."
+	ladir=$func_dirname_result
+
+	dlname=
+	dlopen=
+	dlpreopen=
+	libdir=
+	library_names=
+	old_library=
+	inherited_linker_flags=
+	# If the library was installed with an old release of libtool,
+	# it will not redefine variables installed, or shouldnotlink
+	installed=yes
+	shouldnotlink=no
+	avoidtemprpath=
+
+
+	# Read the .la file
+	func_source "$lib"
+
+	# Convert "-framework foo" to "foo.ltframework"
+	if test -n "$inherited_linker_flags"; then
+	  tmp_inherited_linker_flags=`$ECHO "$inherited_linker_flags" | $SED 's/-framework \([^ $]*\)/\1.ltframework/g'`
+	  for tmp_inherited_linker_flag in $tmp_inherited_linker_flags; do
+	    case " $new_inherited_linker_flags " in
+	      *" $tmp_inherited_linker_flag "*) ;;
+	      *) func_append new_inherited_linker_flags " $tmp_inherited_linker_flag";;
+	    esac
+	  done
+	fi
+	dependency_libs=`$ECHO " $dependency_libs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'`
+	if test lib,link = "$linkmode,$pass" ||
+	   test prog,scan = "$linkmode,$pass" ||
+	   { test prog != "$linkmode" && test lib != "$linkmode"; }; then
+	  test -n "$dlopen" && func_append dlfiles " $dlopen"
+	  test -n "$dlpreopen" && func_append dlprefiles " $dlpreopen"
+	fi
+
+	if test conv = "$pass"; then
+	  # Only check for convenience libraries
+	  deplibs="$lib $deplibs"
+	  if test -z "$libdir"; then
+	    if test -z "$old_library"; then
+	      func_fatal_error "cannot find name of link library for '$lib'"
+	    fi
+	    # It is a libtool convenience library, so add in its objects.
+	    func_append convenience " $ladir/$objdir/$old_library"
+	    func_append old_convenience " $ladir/$objdir/$old_library"
+	    tmp_libs=
+	    for deplib in $dependency_libs; do
+	      deplibs="$deplib $deplibs"
+	      if $opt_preserve_dup_deps; then
+		case "$tmp_libs " in
+		*" $deplib "*) func_append specialdeplibs " $deplib" ;;
+		esac
+	      fi
+	      func_append tmp_libs " $deplib"
+	    done
+	  elif test prog != "$linkmode" && test lib != "$linkmode"; then
+	    func_fatal_error "'$lib' is not a convenience library"
+	  fi
+	  continue
+	fi # $pass = conv
+
+
+	# Get the name of the library we link against.
+	linklib=
+	if test -n "$old_library" &&
+	   { test yes = "$prefer_static_libs" ||
+	     test built,no = "$prefer_static_libs,$installed"; }; then
+	  linklib=$old_library
+	else
+	  for l in $old_library $library_names; do
+	    linklib=$l
+	  done
+	fi
+	if test -z "$linklib"; then
+	  func_fatal_error "cannot find name of link library for '$lib'"
+	fi
+
+	# This library was specified with -dlopen.
+	if test dlopen = "$pass"; then
+	  test -z "$libdir" \
+	    && func_fatal_error "cannot -dlopen a convenience library: '$lib'"
+	  if test -z "$dlname" ||
+	     test yes != "$dlopen_support" ||
+	     test no = "$build_libtool_libs"
+	  then
+	    # If there is no dlname, no dlopen support or we're linking
+	    # statically, we need to preload.  We also need to preload any
+	    # dependent libraries so libltdl's deplib preloader doesn't
+	    # bomb out in the load deplibs phase.
+	    func_append dlprefiles " $lib $dependency_libs"
+	  else
+	    func_append newdlfiles " $lib"
+	  fi
+	  continue
+	fi # $pass = dlopen
+
+	# We need an absolute path.
+	case $ladir in
+	[\\/]* | [A-Za-z]:[\\/]*) abs_ladir=$ladir ;;
+	*)
+	  abs_ladir=`cd "$ladir" && pwd`
+	  if test -z "$abs_ladir"; then
+	    func_warning "cannot determine absolute directory name of '$ladir'"
+	    func_warning "passing it literally to the linker, although it might fail"
+	    abs_ladir=$ladir
+	  fi
+	  ;;
+	esac
+	func_basename "$lib"
+	laname=$func_basename_result
+
+	# Find the relevant object directory and library name.
+	if test yes = "$installed"; then
+	  if test ! -f "$lt_sysroot$libdir/$linklib" && test -f "$abs_ladir/$linklib"; then
+	    func_warning "library '$lib' was moved."
+	    dir=$ladir
+	    absdir=$abs_ladir
+	    libdir=$abs_ladir
+	  else
+	    dir=$lt_sysroot$libdir
+	    absdir=$lt_sysroot$libdir
+	  fi
+	  test yes = "$hardcode_automatic" && avoidtemprpath=yes
+	else
+	  if test ! -f "$ladir/$objdir/$linklib" && test -f "$abs_ladir/$linklib"; then
+	    dir=$ladir
+	    absdir=$abs_ladir
+	    # Remove this search path later
+	    func_append notinst_path " $abs_ladir"
+	  else
+	    dir=$ladir/$objdir
+	    absdir=$abs_ladir/$objdir
+	    # Remove this search path later
+	    func_append notinst_path " $abs_ladir"
+	  fi
+	fi # $installed = yes
+	func_stripname 'lib' '.la' "$laname"
+	name=$func_stripname_result
+
+	# This library was specified with -dlpreopen.
+	if test dlpreopen = "$pass"; then
+	  if test -z "$libdir" && test prog = "$linkmode"; then
+	    func_fatal_error "only libraries may -dlpreopen a convenience library: '$lib'"
+	  fi
+	  case $host in
+	    # special handling for platforms with PE-DLLs.
+	    *cygwin* | *mingw* | *cegcc* )
+	      # Linker will automatically link against shared library if both
+	      # static and shared are present.  Therefore, ensure we extract
+	      # symbols from the import library if a shared library is present
+	      # (otherwise, the dlopen module name will be incorrect).  We do
+	      # this by putting the import library name into $newdlprefiles.
+	      # We recover the dlopen module name by 'saving' the la file
+	      # name in a special purpose variable, and (later) extracting the
+	      # dlname from the la file.
+	      if test -n "$dlname"; then
+	        func_tr_sh "$dir/$linklib"
+	        eval "libfile_$func_tr_sh_result=\$abs_ladir/\$laname"
+	        func_append newdlprefiles " $dir/$linklib"
+	      else
+	        func_append newdlprefiles " $dir/$old_library"
+	        # Keep a list of preopened convenience libraries to check
+	        # that they are being used correctly in the link pass.
+	        test -z "$libdir" && \
+	          func_append dlpreconveniencelibs " $dir/$old_library"
+	      fi
+	    ;;
+	    * )
+	      # Prefer using a static library (so that no silly _DYNAMIC symbols
+	      # are required to link).
+	      if test -n "$old_library"; then
+	        func_append newdlprefiles " $dir/$old_library"
+	        # Keep a list of preopened convenience libraries to check
+	        # that they are being used correctly in the link pass.
+	        test -z "$libdir" && \
+	          func_append dlpreconveniencelibs " $dir/$old_library"
+	      # Otherwise, use the dlname, so that lt_dlopen finds it.
+	      elif test -n "$dlname"; then
+	        func_append newdlprefiles " $dir/$dlname"
+	      else
+	        func_append newdlprefiles " $dir/$linklib"
+	      fi
+	    ;;
+	  esac
+	fi # $pass = dlpreopen
+
+	if test -z "$libdir"; then
+	  # Link the convenience library
+	  if test lib = "$linkmode"; then
+	    deplibs="$dir/$old_library $deplibs"
+	  elif test prog,link = "$linkmode,$pass"; then
+	    compile_deplibs="$dir/$old_library $compile_deplibs"
+	    finalize_deplibs="$dir/$old_library $finalize_deplibs"
+	  else
+	    deplibs="$lib $deplibs" # used for prog,scan pass
+	  fi
+	  continue
+	fi
+
+
+	if test prog = "$linkmode" && test link != "$pass"; then
+	  func_append newlib_search_path " $ladir"
+	  deplibs="$lib $deplibs"
+
+	  linkalldeplibs=false
+	  if test no != "$link_all_deplibs" || test -z "$library_names" ||
+	     test no = "$build_libtool_libs"; then
+	    linkalldeplibs=:
+	  fi
+
+	  tmp_libs=
+	  for deplib in $dependency_libs; do
+	    case $deplib in
+	    -L*) func_stripname '-L' '' "$deplib"
+	         func_resolve_sysroot "$func_stripname_result"
+	         func_append newlib_search_path " $func_resolve_sysroot_result"
+		 ;;
+	    esac
+	    # Need to link against all dependency_libs?
+	    if $linkalldeplibs; then
+	      deplibs="$deplib $deplibs"
+	    else
+	      # Need to hardcode shared library paths
+	      # or/and link against static libraries
+	      newdependency_libs="$deplib $newdependency_libs"
+	    fi
+	    if $opt_preserve_dup_deps; then
+	      case "$tmp_libs " in
+	      *" $deplib "*) func_append specialdeplibs " $deplib" ;;
+	      esac
+	    fi
+	    func_append tmp_libs " $deplib"
+	  done # for deplib
+	  continue
+	fi # $linkmode = prog...
+
+	if test prog,link = "$linkmode,$pass"; then
+	  if test -n "$library_names" &&
+	     { { test no = "$prefer_static_libs" ||
+	         test built,yes = "$prefer_static_libs,$installed"; } ||
+	       test -z "$old_library"; }; then
+	    # We need to hardcode the library path
+	    if test -n "$shlibpath_var" && test -z "$avoidtemprpath"; then
+	      # Make sure the rpath contains only unique directories.
+	      case $temp_rpath: in
+	      *"$absdir:"*) ;;
+	      *) func_append temp_rpath "$absdir:" ;;
+	      esac
+	    fi
+
+	    # Hardcode the library path.
+	    # Skip directories that are in the system default run-time
+	    # search path.
+	    case " $sys_lib_dlsearch_path " in
+	    *" $absdir "*) ;;
+	    *)
+	      case "$compile_rpath " in
+	      *" $absdir "*) ;;
+	      *) func_append compile_rpath " $absdir" ;;
+	      esac
+	      ;;
+	    esac
+	    case " $sys_lib_dlsearch_path " in
+	    *" $libdir "*) ;;
+	    *)
+	      case "$finalize_rpath " in
+	      *" $libdir "*) ;;
+	      *) func_append finalize_rpath " $libdir" ;;
+	      esac
+	      ;;
+	    esac
+	  fi # $linkmode,$pass = prog,link...
+
+	  if $alldeplibs &&
+	     { test pass_all = "$deplibs_check_method" ||
+	       { test yes = "$build_libtool_libs" &&
+		 test -n "$library_names"; }; }; then
+	    # We only need to search for static libraries
+	    continue
+	  fi
+	fi
+
+	link_static=no # Whether the deplib will be linked statically
+	use_static_libs=$prefer_static_libs
+	if test built = "$use_static_libs" && test yes = "$installed"; then
+	  use_static_libs=no
+	fi
+	if test -n "$library_names" &&
+	   { test no = "$use_static_libs" || test -z "$old_library"; }; then
+	  case $host in
+	  *cygwin* | *mingw* | *cegcc* | *os2*)
+	      # No point in relinking DLLs because paths are not encoded
+	      func_append notinst_deplibs " $lib"
+	      need_relink=no
+	    ;;
+	  *)
+	    if test no = "$installed"; then
+	      func_append notinst_deplibs " $lib"
+	      need_relink=yes
+	    fi
+	    ;;
+	  esac
+	  # This is a shared library
+
+	  # Warn about portability, can't link against -module's on some
+	  # systems (darwin).  Don't bleat about dlopened modules though!
+	  dlopenmodule=
+	  for dlpremoduletest in $dlprefiles; do
+	    if test "X$dlpremoduletest" = "X$lib"; then
+	      dlopenmodule=$dlpremoduletest
+	      break
+	    fi
+	  done
+	  if test -z "$dlopenmodule" && test yes = "$shouldnotlink" && test link = "$pass"; then
+	    echo
+	    if test prog = "$linkmode"; then
+	      $ECHO "*** Warning: Linking the executable $output against the loadable module"
+	    else
+	      $ECHO "*** Warning: Linking the shared library $output against the loadable module"
+	    fi
+	    $ECHO "*** $linklib is not portable!"
+	  fi
+	  if test lib = "$linkmode" &&
+	     test yes = "$hardcode_into_libs"; then
+	    # Hardcode the library path.
+	    # Skip directories that are in the system default run-time
+	    # search path.
+	    case " $sys_lib_dlsearch_path " in
+	    *" $absdir "*) ;;
+	    *)
+	      case "$compile_rpath " in
+	      *" $absdir "*) ;;
+	      *) func_append compile_rpath " $absdir" ;;
+	      esac
+	      ;;
+	    esac
+	    case " $sys_lib_dlsearch_path " in
+	    *" $libdir "*) ;;
+	    *)
+	      case "$finalize_rpath " in
+	      *" $libdir "*) ;;
+	      *) func_append finalize_rpath " $libdir" ;;
+	      esac
+	      ;;
+	    esac
+	  fi
+
+	  if test -n "$old_archive_from_expsyms_cmds"; then
+	    # figure out the soname
+	    set dummy $library_names
+	    shift
+	    realname=$1
+	    shift
+	    libname=`eval "\\$ECHO \"$libname_spec\""`
+	    # use dlname if we got it. it's perfectly good, no?
+	    if test -n "$dlname"; then
+	      soname=$dlname
+	    elif test -n "$soname_spec"; then
+	      # bleh windows
+	      case $host in
+	      *cygwin* | mingw* | *cegcc* | *os2*)
+	        func_arith $current - $age
+		major=$func_arith_result
+		versuffix=-$major
+		;;
+	      esac
+	      eval soname=\"$soname_spec\"
+	    else
+	      soname=$realname
+	    fi
+
+	    # Make a new name for the extract_expsyms_cmds to use
+	    soroot=$soname
+	    func_basename "$soroot"
+	    soname=$func_basename_result
+	    func_stripname 'lib' '.dll' "$soname"
+	    newlib=libimp-$func_stripname_result.a
+
+	    # If the library has no export list, then create one now
+	    if test -f "$output_objdir/$soname-def"; then :
+	    else
+	      func_verbose "extracting exported symbol list from '$soname'"
+	      func_execute_cmds "$extract_expsyms_cmds" 'exit $?'
+	    fi
+
+	    # Create $newlib
+	    if test -f "$output_objdir/$newlib"; then :; else
+	      func_verbose "generating import library for '$soname'"
+	      func_execute_cmds "$old_archive_from_expsyms_cmds" 'exit $?'
+	    fi
+	    # make sure the library variables are pointing to the new library
+	    dir=$output_objdir
+	    linklib=$newlib
+	  fi # test -n "$old_archive_from_expsyms_cmds"
+
+	  if test prog = "$linkmode" || test relink != "$opt_mode"; then
+	    add_shlibpath=
+	    add_dir=
+	    add=
+	    lib_linked=yes
+	    case $hardcode_action in
+	    immediate | unsupported)
+	      if test no = "$hardcode_direct"; then
+		add=$dir/$linklib
+		case $host in
+		  *-*-sco3.2v5.0.[024]*) add_dir=-L$dir ;;
+		  *-*-sysv4*uw2*) add_dir=-L$dir ;;
+		  *-*-sysv5OpenUNIX* | *-*-sysv5UnixWare7.[01].[10]* | \
+		    *-*-unixware7*) add_dir=-L$dir ;;
+		  *-*-darwin* )
+		    # if the lib is a (non-dlopened) module then we cannot
+		    # link against it, someone is ignoring the earlier warnings
+		    if /usr/bin/file -L $add 2> /dev/null |
+			 $GREP ": [^:]* bundle" >/dev/null; then
+		      if test "X$dlopenmodule" != "X$lib"; then
+			$ECHO "*** Warning: lib $linklib is a module, not a shared library"
+			if test -z "$old_library"; then
+			  echo
+			  echo "*** And there doesn't seem to be a static archive available"
+			  echo "*** The link will probably fail, sorry"
+			else
+			  add=$dir/$old_library
+			fi
+		      elif test -n "$old_library"; then
+			add=$dir/$old_library
+		      fi
+		    fi
+		esac
+	      elif test no = "$hardcode_minus_L"; then
+		case $host in
+		*-*-sunos*) add_shlibpath=$dir ;;
+		esac
+		add_dir=-L$dir
+		add=-l$name
+	      elif test no = "$hardcode_shlibpath_var"; then
+		add_shlibpath=$dir
+		add=-l$name
+	      else
+		lib_linked=no
+	      fi
+	      ;;
+	    relink)
+	      if test yes = "$hardcode_direct" &&
+	         test no = "$hardcode_direct_absolute"; then
+		add=$dir/$linklib
+	      elif test yes = "$hardcode_minus_L"; then
+		add_dir=-L$absdir
+		# Try looking first in the location we're being installed to.
+		if test -n "$inst_prefix_dir"; then
+		  case $libdir in
+		    [\\/]*)
+		      func_append add_dir " -L$inst_prefix_dir$libdir"
+		      ;;
+		  esac
+		fi
+		add=-l$name
+	      elif test yes = "$hardcode_shlibpath_var"; then
+		add_shlibpath=$dir
+		add=-l$name
+	      else
+		lib_linked=no
+	      fi
+	      ;;
+	    *) lib_linked=no ;;
+	    esac
+
+	    if test yes != "$lib_linked"; then
+	      func_fatal_configuration "unsupported hardcode properties"
+	    fi
+
+	    if test -n "$add_shlibpath"; then
+	      case :$compile_shlibpath: in
+	      *":$add_shlibpath:"*) ;;
+	      *) func_append compile_shlibpath "$add_shlibpath:" ;;
+	      esac
+	    fi
+	    if test prog = "$linkmode"; then
+	      test -n "$add_dir" && compile_deplibs="$add_dir $compile_deplibs"
+	      test -n "$add" && compile_deplibs="$add $compile_deplibs"
+	    else
+	      test -n "$add_dir" && deplibs="$add_dir $deplibs"
+	      test -n "$add" && deplibs="$add $deplibs"
+	      if test yes != "$hardcode_direct" &&
+		 test yes != "$hardcode_minus_L" &&
+		 test yes = "$hardcode_shlibpath_var"; then
+		case :$finalize_shlibpath: in
+		*":$libdir:"*) ;;
+		*) func_append finalize_shlibpath "$libdir:" ;;
+		esac
+	      fi
+	    fi
+	  fi
+
+	  if test prog = "$linkmode" || test relink = "$opt_mode"; then
+	    add_shlibpath=
+	    add_dir=
+	    add=
+	    # Finalize command for both is simple: just hardcode it.
+	    if test yes = "$hardcode_direct" &&
+	       test no = "$hardcode_direct_absolute"; then
+	      add=$libdir/$linklib
+	    elif test yes = "$hardcode_minus_L"; then
+	      add_dir=-L$libdir
+	      add=-l$name
+	    elif test yes = "$hardcode_shlibpath_var"; then
+	      case :$finalize_shlibpath: in
+	      *":$libdir:"*) ;;
+	      *) func_append finalize_shlibpath "$libdir:" ;;
+	      esac
+	      add=-l$name
+	    elif test yes = "$hardcode_automatic"; then
+	      if test -n "$inst_prefix_dir" &&
+		 test -f "$inst_prefix_dir$libdir/$linklib"; then
+		add=$inst_prefix_dir$libdir/$linklib
+	      else
+		add=$libdir/$linklib
+	      fi
+	    else
+	      # We cannot seem to hardcode it, guess we'll fake it.
+	      add_dir=-L$libdir
+	      # Try looking first in the location we're being installed to.
+	      if test -n "$inst_prefix_dir"; then
+		case $libdir in
+		  [\\/]*)
+		    func_append add_dir " -L$inst_prefix_dir$libdir"
+		    ;;
+		esac
+	      fi
+	      add=-l$name
+	    fi
+
+	    if test prog = "$linkmode"; then
+	      test -n "$add_dir" && finalize_deplibs="$add_dir $finalize_deplibs"
+	      test -n "$add" && finalize_deplibs="$add $finalize_deplibs"
+	    else
+	      test -n "$add_dir" && deplibs="$add_dir $deplibs"
+	      test -n "$add" && deplibs="$add $deplibs"
+	    fi
+	  fi
+	elif test prog = "$linkmode"; then
+	  # Here we assume that one of hardcode_direct or hardcode_minus_L
+	  # is not unsupported.  This is valid on all known static and
+	  # shared platforms.
+	  if test unsupported != "$hardcode_direct"; then
+	    test -n "$old_library" && linklib=$old_library
+	    compile_deplibs="$dir/$linklib $compile_deplibs"
+	    finalize_deplibs="$dir/$linklib $finalize_deplibs"
+	  else
+	    compile_deplibs="-l$name -L$dir $compile_deplibs"
+	    finalize_deplibs="-l$name -L$dir $finalize_deplibs"
+	  fi
+	elif test yes = "$build_libtool_libs"; then
+	  # Not a shared library
+	  if test pass_all != "$deplibs_check_method"; then
+	    # We're trying link a shared library against a static one
+	    # but the system doesn't support it.
+
+	    # Just print a warning and add the library to dependency_libs so
+	    # that the program can be linked against the static library.
+	    echo
+	    $ECHO "*** Warning: This system cannot link to static lib archive $lib."
+	    echo "*** I have the capability to make that library automatically link in when"
+	    echo "*** you link to this library.  But I can only do this if you have a"
+	    echo "*** shared version of the library, which you do not appear to have."
+	    if test yes = "$module"; then
+	      echo "*** But as you try to build a module library, libtool will still create "
+	      echo "*** a static module, that should work as long as the dlopening application"
+	      echo "*** is linked with the -dlopen flag to resolve symbols at runtime."
+	      if test -z "$global_symbol_pipe"; then
+		echo
+		echo "*** However, this would only work if libtool was able to extract symbol"
+		echo "*** lists from a program, using 'nm' or equivalent, but libtool could"
+		echo "*** not find such a program.  So, this module is probably useless."
+		echo "*** 'nm' from GNU binutils and a full rebuild may help."
+	      fi
+	      if test no = "$build_old_libs"; then
+		build_libtool_libs=module
+		build_old_libs=yes
+	      else
+		build_libtool_libs=no
+	      fi
+	    fi
+	  else
+	    deplibs="$dir/$old_library $deplibs"
+	    link_static=yes
+	  fi
+	fi # link shared/static library?
+
+	if test lib = "$linkmode"; then
+	  if test -n "$dependency_libs" &&
+	     { test yes != "$hardcode_into_libs" ||
+	       test yes = "$build_old_libs" ||
+	       test yes = "$link_static"; }; then
+	    # Extract -R from dependency_libs
+	    temp_deplibs=
+	    for libdir in $dependency_libs; do
+	      case $libdir in
+	      -R*) func_stripname '-R' '' "$libdir"
+	           temp_xrpath=$func_stripname_result
+		   case " $xrpath " in
+		   *" $temp_xrpath "*) ;;
+		   *) func_append xrpath " $temp_xrpath";;
+		   esac;;
+	      *) func_append temp_deplibs " $libdir";;
+	      esac
+	    done
+	    dependency_libs=$temp_deplibs
+	  fi
+
+	  func_append newlib_search_path " $absdir"
+	  # Link against this library
+	  test no = "$link_static" && newdependency_libs="$abs_ladir/$laname $newdependency_libs"
+	  # ... and its dependency_libs
+	  tmp_libs=
+	  for deplib in $dependency_libs; do
+	    newdependency_libs="$deplib $newdependency_libs"
+	    case $deplib in
+              -L*) func_stripname '-L' '' "$deplib"
+                   func_resolve_sysroot "$func_stripname_result";;
+              *) func_resolve_sysroot "$deplib" ;;
+            esac
+	    if $opt_preserve_dup_deps; then
+	      case "$tmp_libs " in
+	      *" $func_resolve_sysroot_result "*)
+                func_append specialdeplibs " $func_resolve_sysroot_result" ;;
+	      esac
+	    fi
+	    func_append tmp_libs " $func_resolve_sysroot_result"
+	  done
+
+	  if test no != "$link_all_deplibs"; then
+	    # Add the search paths of all dependency libraries
+	    for deplib in $dependency_libs; do
+	      path=
+	      case $deplib in
+	      -L*) path=$deplib ;;
+	      *.la)
+	        func_resolve_sysroot "$deplib"
+	        deplib=$func_resolve_sysroot_result
+	        func_dirname "$deplib" "" "."
+		dir=$func_dirname_result
+		# We need an absolute path.
+		case $dir in
+		[\\/]* | [A-Za-z]:[\\/]*) absdir=$dir ;;
+		*)
+		  absdir=`cd "$dir" && pwd`
+		  if test -z "$absdir"; then
+		    func_warning "cannot determine absolute directory name of '$dir'"
+		    absdir=$dir
+		  fi
+		  ;;
+		esac
+		if $GREP "^installed=no" $deplib > /dev/null; then
+		case $host in
+		*-*-darwin*)
+		  depdepl=
+		  eval deplibrary_names=`$SED -n -e 's/^library_names=\(.*\)$/\1/p' $deplib`
+		  if test -n "$deplibrary_names"; then
+		    for tmp in $deplibrary_names; do
+		      depdepl=$tmp
+		    done
+		    if test -f "$absdir/$objdir/$depdepl"; then
+		      depdepl=$absdir/$objdir/$depdepl
+		      darwin_install_name=`$OTOOL -L $depdepl | awk '{if (NR == 2) {print $1;exit}}'`
+                      if test -z "$darwin_install_name"; then
+                          darwin_install_name=`$OTOOL64 -L $depdepl  | awk '{if (NR == 2) {print $1;exit}}'`
+                      fi
+		      func_append compiler_flags " $wl-dylib_file $wl$darwin_install_name:$depdepl"
+		      func_append linker_flags " -dylib_file $darwin_install_name:$depdepl"
+		      path=
+		    fi
+		  fi
+		  ;;
+		*)
+		  path=-L$absdir/$objdir
+		  ;;
+		esac
+		else
+		  eval libdir=`$SED -n -e 's/^libdir=\(.*\)$/\1/p' $deplib`
+		  test -z "$libdir" && \
+		    func_fatal_error "'$deplib' is not a valid libtool archive"
+		  test "$absdir" != "$libdir" && \
+		    func_warning "'$deplib' seems to be moved"
+
+		  path=-L$absdir
+		fi
+		;;
+	      esac
+	      case " $deplibs " in
+	      *" $path "*) ;;
+	      *) deplibs="$path $deplibs" ;;
+	      esac
+	    done
+	  fi # link_all_deplibs != no
+	fi # linkmode = lib
+      done # for deplib in $libs
+      if test link = "$pass"; then
+	if test prog = "$linkmode"; then
+	  compile_deplibs="$new_inherited_linker_flags $compile_deplibs"
+	  finalize_deplibs="$new_inherited_linker_flags $finalize_deplibs"
+	else
+	  compiler_flags="$compiler_flags "`$ECHO " $new_inherited_linker_flags" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'`
+	fi
+      fi
+      dependency_libs=$newdependency_libs
+      if test dlpreopen = "$pass"; then
+	# Link the dlpreopened libraries before other libraries
+	for deplib in $save_deplibs; do
+	  deplibs="$deplib $deplibs"
+	done
+      fi
+      if test dlopen != "$pass"; then
+	test conv = "$pass" || {
+	  # Make sure lib_search_path contains only unique directories.
+	  lib_search_path=
+	  for dir in $newlib_search_path; do
+	    case "$lib_search_path " in
+	    *" $dir "*) ;;
+	    *) func_append lib_search_path " $dir" ;;
+	    esac
+	  done
+	  newlib_search_path=
+	}
+
+	if test prog,link = "$linkmode,$pass"; then
+	  vars="compile_deplibs finalize_deplibs"
+	else
+	  vars=deplibs
+	fi
+	for var in $vars dependency_libs; do
+	  # Add libraries to $var in reverse order
+	  eval tmp_libs=\"\$$var\"
+	  new_libs=
+	  for deplib in $tmp_libs; do
+	    # FIXME: Pedantically, this is the right thing to do, so
+	    #        that some nasty dependency loop isn't accidentally
+	    #        broken:
+	    #new_libs="$deplib $new_libs"
+	    # Pragmatically, this seems to cause very few problems in
+	    # practice:
+	    case $deplib in
+	    -L*) new_libs="$deplib $new_libs" ;;
+	    -R*) ;;
+	    *)
+	      # And here is the reason: when a library appears more
+	      # than once as an explicit dependence of a library, or
+	      # is implicitly linked in more than once by the
+	      # compiler, it is considered special, and multiple
+	      # occurrences thereof are not removed.  Compare this
+	      # with having the same library being listed as a
+	      # dependency of multiple other libraries: in this case,
+	      # we know (pedantically, we assume) the library does not
+	      # need to be listed more than once, so we keep only the
+	      # last copy.  This is not always right, but it is rare
+	      # enough that we require users that really mean to play
+	      # such unportable linking tricks to link the library
+	      # using -Wl,-lname, so that libtool does not consider it
+	      # for duplicate removal.
+	      case " $specialdeplibs " in
+	      *" $deplib "*) new_libs="$deplib $new_libs" ;;
+	      *)
+		case " $new_libs " in
+		*" $deplib "*) ;;
+		*) new_libs="$deplib $new_libs" ;;
+		esac
+		;;
+	      esac
+	      ;;
+	    esac
+	  done
+	  tmp_libs=
+	  for deplib in $new_libs; do
+	    case $deplib in
+	    -L*)
+	      case " $tmp_libs " in
+	      *" $deplib "*) ;;
+	      *) func_append tmp_libs " $deplib" ;;
+	      esac
+	      ;;
+	    *) func_append tmp_libs " $deplib" ;;
+	    esac
+	  done
+	  eval $var=\"$tmp_libs\"
+	done # for var
+      fi
+
+      # Add Sun CC postdeps if required:
+      test CXX = "$tagname" && {
+        case $host_os in
+        linux*)
+          case `$CC -V 2>&1 | sed 5q` in
+          *Sun\ C*) # Sun C++ 5.9
+            func_suncc_cstd_abi
+
+            if test no != "$suncc_use_cstd_abi"; then
+              func_append postdeps ' -library=Cstd -library=Crun'
+            fi
+            ;;
+          esac
+          ;;
+
+        solaris*)
+          func_cc_basename "$CC"
+          case $func_cc_basename_result in
+          CC* | sunCC*)
+            func_suncc_cstd_abi
+
+            if test no != "$suncc_use_cstd_abi"; then
+              func_append postdeps ' -library=Cstd -library=Crun'
+            fi
+            ;;
+          esac
+          ;;
+        esac
+      }
+
+      # Last step: remove runtime libs from dependency_libs
+      # (they stay in deplibs)
+      tmp_libs=
+      for i in $dependency_libs; do
+	case " $predeps $postdeps $compiler_lib_search_path " in
+	*" $i "*)
+	  i=
+	  ;;
+	esac
+	if test -n "$i"; then
+	  func_append tmp_libs " $i"
+	fi
+      done
+      dependency_libs=$tmp_libs
+    done # for pass
+    if test prog = "$linkmode"; then
+      dlfiles=$newdlfiles
+    fi
+    if test prog = "$linkmode" || test lib = "$linkmode"; then
+      dlprefiles=$newdlprefiles
+    fi
+
+    case $linkmode in
+    oldlib)
+      if test -n "$dlfiles$dlprefiles" || test no != "$dlself"; then
+	func_warning "'-dlopen' is ignored for archives"
+      fi
+
+      case " $deplibs" in
+      *\ -l* | *\ -L*)
+	func_warning "'-l' and '-L' are ignored for archives" ;;
+      esac
+
+      test -n "$rpath" && \
+	func_warning "'-rpath' is ignored for archives"
+
+      test -n "$xrpath" && \
+	func_warning "'-R' is ignored for archives"
+
+      test -n "$vinfo" && \
+	func_warning "'-version-info/-version-number' is ignored for archives"
+
+      test -n "$release" && \
+	func_warning "'-release' is ignored for archives"
+
+      test -n "$export_symbols$export_symbols_regex" && \
+	func_warning "'-export-symbols' is ignored for archives"
+
+      # Now set the variables for building old libraries.
+      build_libtool_libs=no
+      oldlibs=$output
+      func_append objs "$old_deplibs"
+      ;;
+
+    lib)
+      # Make sure we only generate libraries of the form 'libNAME.la'.
+      case $outputname in
+      lib*)
+	func_stripname 'lib' '.la' "$outputname"
+	name=$func_stripname_result
+	eval shared_ext=\"$shrext_cmds\"
+	eval libname=\"$libname_spec\"
+	;;
+      *)
+	test no = "$module" \
+	  && func_fatal_help "libtool library '$output' must begin with 'lib'"
+
+	if test no != "$need_lib_prefix"; then
+	  # Add the "lib" prefix for modules if required
+	  func_stripname '' '.la' "$outputname"
+	  name=$func_stripname_result
+	  eval shared_ext=\"$shrext_cmds\"
+	  eval libname=\"$libname_spec\"
+	else
+	  func_stripname '' '.la' "$outputname"
+	  libname=$func_stripname_result
+	fi
+	;;
+      esac
+
+      if test -n "$objs"; then
+	if test pass_all != "$deplibs_check_method"; then
+	  func_fatal_error "cannot build libtool library '$output' from non-libtool objects on this host:$objs"
+	else
+	  echo
+	  $ECHO "*** Warning: Linking the shared library $output against the non-libtool"
+	  $ECHO "*** objects $objs is not portable!"
+	  func_append libobjs " $objs"
+	fi
+      fi
+
+      test no = "$dlself" \
+	|| func_warning "'-dlopen self' is ignored for libtool libraries"
+
+      set dummy $rpath
+      shift
+      test 1 -lt "$#" \
+	&& func_warning "ignoring multiple '-rpath's for a libtool library"
+
+      install_libdir=$1
+
+      oldlibs=
+      if test -z "$rpath"; then
+	if test yes = "$build_libtool_libs"; then
+	  # Building a libtool convenience library.
+	  # Some compilers have problems with a '.al' extension so
+	  # convenience libraries should have the same extension an
+	  # archive normally would.
+	  oldlibs="$output_objdir/$libname.$libext $oldlibs"
+	  build_libtool_libs=convenience
+	  build_old_libs=yes
+	fi
+
+	test -n "$vinfo" && \
+	  func_warning "'-version-info/-version-number' is ignored for convenience libraries"
+
+	test -n "$release" && \
+	  func_warning "'-release' is ignored for convenience libraries"
+      else
+
+	# Parse the version information argument.
+	save_ifs=$IFS; IFS=:
+	set dummy $vinfo 0 0 0
+	shift
+	IFS=$save_ifs
+
+	test -n "$7" && \
+	  func_fatal_help "too many parameters to '-version-info'"
+
+	# convert absolute version numbers to libtool ages
+	# this retains compatibility with .la files and attempts
+	# to make the code below a bit more comprehensible
+
+	case $vinfo_number in
+	yes)
+	  number_major=$1
+	  number_minor=$2
+	  number_revision=$3
+	  #
+	  # There are really only two kinds -- those that
+	  # use the current revision as the major version
+	  # and those that subtract age and use age as
+	  # a minor version.  But, then there is irix
+	  # that has an extra 1 added just for fun
+	  #
+	  case $version_type in
+	  # correct linux to gnu/linux during the next big refactor
+	  darwin|freebsd-elf|linux|osf|windows|none)
+	    func_arith $number_major + $number_minor
+	    current=$func_arith_result
+	    age=$number_minor
+	    revision=$number_revision
+	    ;;
+	  freebsd-aout|qnx|sunos)
+	    current=$number_major
+	    revision=$number_minor
+	    age=0
+	    ;;
+	  irix|nonstopux)
+	    func_arith $number_major + $number_minor
+	    current=$func_arith_result
+	    age=$number_minor
+	    revision=$number_minor
+	    lt_irix_increment=no
+	    ;;
+	  *)
+	    func_fatal_configuration "$modename: unknown library version type '$version_type'"
+	    ;;
+	  esac
+	  ;;
+	no)
+	  current=$1
+	  revision=$2
+	  age=$3
+	  ;;
+	esac
+
+	# Check that each of the things are valid numbers.
+	case $current in
+	0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;;
+	*)
+	  func_error "CURRENT '$current' must be a nonnegative integer"
+	  func_fatal_error "'$vinfo' is not valid version information"
+	  ;;
+	esac
+
+	case $revision in
+	0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;;
+	*)
+	  func_error "REVISION '$revision' must be a nonnegative integer"
+	  func_fatal_error "'$vinfo' is not valid version information"
+	  ;;
+	esac
+
+	case $age in
+	0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;;
+	*)
+	  func_error "AGE '$age' must be a nonnegative integer"
+	  func_fatal_error "'$vinfo' is not valid version information"
+	  ;;
+	esac
+
+	if test "$age" -gt "$current"; then
+	  func_error "AGE '$age' is greater than the current interface number '$current'"
+	  func_fatal_error "'$vinfo' is not valid version information"
+	fi
+
+	# Calculate the version variables.
+	major=
+	versuffix=
+	verstring=
+	case $version_type in
+	none) ;;
+
+	darwin)
+	  # Like Linux, but with the current version available in
+	  # verstring for coding it into the library header
+	  func_arith $current - $age
+	  major=.$func_arith_result
+	  versuffix=$major.$age.$revision
+	  # Darwin ld doesn't like 0 for these options...
+	  func_arith $current + 1
+	  minor_current=$func_arith_result
+	  xlcverstring="$wl-compatibility_version $wl$minor_current $wl-current_version $wl$minor_current.$revision"
+	  verstring="-compatibility_version $minor_current -current_version $minor_current.$revision"
+          # On Darwin other compilers
+          case $CC in
+              nagfor*)
+                  verstring="$wl-compatibility_version $wl$minor_current $wl-current_version $wl$minor_current.$revision"
+                  ;;
+              *)
+                  verstring="-compatibility_version $minor_current -current_version $minor_current.$revision"
+                  ;;
+          esac
+	  ;;
+
+	freebsd-aout)
+	  major=.$current
+	  versuffix=.$current.$revision
+	  ;;
+
+	freebsd-elf)
+	  func_arith $current - $age
+	  major=.$func_arith_result
+	  versuffix=$major.$age.$revision
+	  ;;
+
+	irix | nonstopux)
+	  if test no = "$lt_irix_increment"; then
+	    func_arith $current - $age
+	  else
+	    func_arith $current - $age + 1
+	  fi
+	  major=$func_arith_result
+
+	  case $version_type in
+	    nonstopux) verstring_prefix=nonstopux ;;
+	    *)         verstring_prefix=sgi ;;
+	  esac
+	  verstring=$verstring_prefix$major.$revision
+
+	  # Add in all the interfaces that we are compatible with.
+	  loop=$revision
+	  while test 0 -ne "$loop"; do
+	    func_arith $revision - $loop
+	    iface=$func_arith_result
+	    func_arith $loop - 1
+	    loop=$func_arith_result
+	    verstring=$verstring_prefix$major.$iface:$verstring
+	  done
+
+	  # Before this point, $major must not contain '.'.
+	  major=.$major
+	  versuffix=$major.$revision
+	  ;;
+
+	linux) # correct to gnu/linux during the next big refactor
+	  func_arith $current - $age
+	  major=.$func_arith_result
+	  versuffix=$major.$age.$revision
+	  ;;
+
+	osf)
+	  func_arith $current - $age
+	  major=.$func_arith_result
+	  versuffix=.$current.$age.$revision
+	  verstring=$current.$age.$revision
+
+	  # Add in all the interfaces that we are compatible with.
+	  loop=$age
+	  while test 0 -ne "$loop"; do
+	    func_arith $current - $loop
+	    iface=$func_arith_result
+	    func_arith $loop - 1
+	    loop=$func_arith_result
+	    verstring=$verstring:$iface.0
+	  done
+
+	  # Make executables depend on our current version.
+	  func_append verstring ":$current.0"
+	  ;;
+
+	qnx)
+	  major=.$current
+	  versuffix=.$current
+	  ;;
+
+	sco)
+	  major=.$current
+	  versuffix=.$current
+	  ;;
+
+	sunos)
+	  major=.$current
+	  versuffix=.$current.$revision
+	  ;;
+
+	windows)
+	  # Use '-' rather than '.', since we only want one
+	  # extension on DOS 8.3 file systems.
+	  func_arith $current - $age
+	  major=$func_arith_result
+	  versuffix=-$major
+	  ;;
+
+	*)
+	  func_fatal_configuration "unknown library version type '$version_type'"
+	  ;;
+	esac
+
+	# Clear the version info if we defaulted, and they specified a release.
+	if test -z "$vinfo" && test -n "$release"; then
+	  major=
+	  case $version_type in
+	  darwin)
+	    # we can't check for "0.0" in archive_cmds due to quoting
+	    # problems, so we reset it completely
+	    verstring=
+	    ;;
+	  *)
+	    verstring=0.0
+	    ;;
+	  esac
+	  if test no = "$need_version"; then
+	    versuffix=
+	  else
+	    versuffix=.0.0
+	  fi
+	fi
+
+	# Remove version info from name if versioning should be avoided
+	if test yes,no = "$avoid_version,$need_version"; then
+	  major=
+	  versuffix=
+	  verstring=
+	fi
+
+	# Check to see if the archive will have undefined symbols.
+	if test yes = "$allow_undefined"; then
+	  if test unsupported = "$allow_undefined_flag"; then
+	    if test yes = "$build_old_libs"; then
+	      func_warning "undefined symbols not allowed in $host shared libraries; building static only"
+	      build_libtool_libs=no
+	    else
+	      func_fatal_error "can't build $host shared library unless -no-undefined is specified"
+	    fi
+	  fi
+	else
+	  # Don't allow undefined symbols.
+	  allow_undefined_flag=$no_undefined_flag
+	fi
+
+      fi
+
+      func_generate_dlsyms "$libname" "$libname" :
+      func_append libobjs " $symfileobj"
+      test " " = "$libobjs" && libobjs=
+
+      if test relink != "$opt_mode"; then
+	# Remove our outputs, but don't remove object files since they
+	# may have been created when compiling PIC objects.
+	removelist=
+	tempremovelist=`$ECHO "$output_objdir/*"`
+	for p in $tempremovelist; do
+	  case $p in
+	    *.$objext | *.gcno)
+	       ;;
+	    $output_objdir/$outputname | $output_objdir/$libname.* | $output_objdir/$libname$release.*)
+	       if test -n "$precious_files_regex"; then
+		 if $ECHO "$p" | $EGREP -e "$precious_files_regex" >/dev/null 2>&1
+		 then
+		   continue
+		 fi
+	       fi
+	       func_append removelist " $p"
+	       ;;
+	    *) ;;
+	  esac
+	done
+	test -n "$removelist" && \
+	  func_show_eval "${RM}r \$removelist"
+      fi
+
+      # Now set the variables for building old libraries.
+      if test yes = "$build_old_libs" && test convenience != "$build_libtool_libs"; then
+	func_append oldlibs " $output_objdir/$libname.$libext"
+
+	# Transform .lo files to .o files.
+	oldobjs="$objs "`$ECHO "$libobjs" | $SP2NL | $SED "/\.$libext$/d; $lo2o" | $NL2SP`
+      fi
+
+      # Eliminate all temporary directories.
+      #for path in $notinst_path; do
+      #	lib_search_path=`$ECHO "$lib_search_path " | $SED "s% $path % %g"`
+      #	deplibs=`$ECHO "$deplibs " | $SED "s% -L$path % %g"`
+      #	dependency_libs=`$ECHO "$dependency_libs " | $SED "s% -L$path % %g"`
+      #done
+
+      if test -n "$xrpath"; then
+	# If the user specified any rpath flags, then add them.
+	temp_xrpath=
+	for libdir in $xrpath; do
+	  func_replace_sysroot "$libdir"
+	  func_append temp_xrpath " -R$func_replace_sysroot_result"
+	  case "$finalize_rpath " in
+	  *" $libdir "*) ;;
+	  *) func_append finalize_rpath " $libdir" ;;
+	  esac
+	done
+	if test yes != "$hardcode_into_libs" || test yes = "$build_old_libs"; then
+	  dependency_libs="$temp_xrpath $dependency_libs"
+	fi
+      fi
+
+      # Make sure dlfiles contains only unique files that won't be dlpreopened
+      old_dlfiles=$dlfiles
+      dlfiles=
+      for lib in $old_dlfiles; do
+	case " $dlprefiles $dlfiles " in
+	*" $lib "*) ;;
+	*) func_append dlfiles " $lib" ;;
+	esac
+      done
+
+      # Make sure dlprefiles contains only unique files
+      old_dlprefiles=$dlprefiles
+      dlprefiles=
+      for lib in $old_dlprefiles; do
+	case "$dlprefiles " in
+	*" $lib "*) ;;
+	*) func_append dlprefiles " $lib" ;;
+	esac
+      done
+
+      if test yes = "$build_libtool_libs"; then
+	if test -n "$rpath"; then
+	  case $host in
+	  *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-*-beos* | *-cegcc* | *-*-haiku*)
+	    # these systems don't actually have a c library (as such)!
+	    ;;
+	  *-*-rhapsody* | *-*-darwin1.[012])
+	    # Rhapsody C library is in the System framework
+	    func_append deplibs " System.ltframework"
+	    ;;
+	  *-*-netbsd*)
+	    # Don't link with libc until the a.out ld.so is fixed.
+	    ;;
+	  *-*-openbsd* | *-*-freebsd* | *-*-dragonfly*)
+	    # Do not include libc due to us having libc/libc_r.
+	    ;;
+	  *-*-sco3.2v5* | *-*-sco5v6*)
+	    # Causes problems with __ctype
+	    ;;
+	  *-*-sysv4.2uw2* | *-*-sysv5* | *-*-unixware* | *-*-OpenUNIX*)
+	    # Compiler inserts libc in the correct place for threads to work
+	    ;;
+	  *)
+	    # Add libc to deplibs on all other systems if necessary.
+	    if test yes = "$build_libtool_need_lc"; then
+	      func_append deplibs " -lc"
+	    fi
+	    ;;
+	  esac
+	fi
+
+	# Transform deplibs into only deplibs that can be linked in shared.
+	name_save=$name
+	libname_save=$libname
+	release_save=$release
+	versuffix_save=$versuffix
+	major_save=$major
+	# I'm not sure if I'm treating the release correctly.  I think
+	# release should show up in the -l (ie -lgmp5) so we don't want to
+	# add it in twice.  Is that correct?
+	release=
+	versuffix=
+	major=
+	newdeplibs=
+	droppeddeps=no
+	case $deplibs_check_method in
+	pass_all)
+	  # Don't check for shared/static.  Everything works.
+	  # This might be a little naive.  We might want to check
+	  # whether the library exists or not.  But this is on
+	  # osf3 & osf4 and I'm not really sure... Just
+	  # implementing what was already the behavior.
+	  newdeplibs=$deplibs
+	  ;;
+	test_compile)
+	  # This code stresses the "libraries are programs" paradigm to its
+	  # limits. Maybe even breaks it.  We compile a program, linking it
+	  # against the deplibs as a proxy for the library.  Then we can check
+	  # whether they linked in statically or dynamically with ldd.
+	  $opt_dry_run || $RM conftest.c
+	  cat > conftest.c <<EOF
+	  int main() { return 0; }
+EOF
+	  $opt_dry_run || $RM conftest
+	  if $LTCC $LTCFLAGS -o conftest conftest.c $deplibs; then
+	    ldd_output=`ldd conftest`
+	    for i in $deplibs; do
+	      case $i in
+	      -l*)
+		func_stripname -l '' "$i"
+		name=$func_stripname_result
+		if test yes = "$allow_libtool_libs_with_static_runtimes"; then
+		  case " $predeps $postdeps " in
+		  *" $i "*)
+		    func_append newdeplibs " $i"
+		    i=
+		    ;;
+		  esac
+		fi
+		if test -n "$i"; then
+		  libname=`eval "\\$ECHO \"$libname_spec\""`
+		  deplib_matches=`eval "\\$ECHO \"$library_names_spec\""`
+		  set dummy $deplib_matches; shift
+		  deplib_match=$1
+		  if test `expr "$ldd_output" : ".*$deplib_match"` -ne 0; then
+		    func_append newdeplibs " $i"
+		  else
+		    droppeddeps=yes
+		    echo
+		    $ECHO "*** Warning: dynamic linker does not accept needed library $i."
+		    echo "*** I have the capability to make that library automatically link in when"
+		    echo "*** you link to this library.  But I can only do this if you have a"
+		    echo "*** shared version of the library, which I believe you do not have"
+		    echo "*** because a test_compile did reveal that the linker did not use it for"
+		    echo "*** its dynamic dependency list that programs get resolved with at runtime."
+		  fi
+		fi
+		;;
+	      *)
+		func_append newdeplibs " $i"
+		;;
+	      esac
+	    done
+	  else
+	    # Error occurred in the first compile.  Let's try to salvage
+	    # the situation: Compile a separate program for each library.
+	    for i in $deplibs; do
+	      case $i in
+	      -l*)
+		func_stripname -l '' "$i"
+		name=$func_stripname_result
+		$opt_dry_run || $RM conftest
+		if $LTCC $LTCFLAGS -o conftest conftest.c $i; then
+		  ldd_output=`ldd conftest`
+		  if test yes = "$allow_libtool_libs_with_static_runtimes"; then
+		    case " $predeps $postdeps " in
+		    *" $i "*)
+		      func_append newdeplibs " $i"
+		      i=
+		      ;;
+		    esac
+		  fi
+		  if test -n "$i"; then
+		    libname=`eval "\\$ECHO \"$libname_spec\""`
+		    deplib_matches=`eval "\\$ECHO \"$library_names_spec\""`
+		    set dummy $deplib_matches; shift
+		    deplib_match=$1
+		    if test `expr "$ldd_output" : ".*$deplib_match"` -ne 0; then
+		      func_append newdeplibs " $i"
+		    else
+		      droppeddeps=yes
+		      echo
+		      $ECHO "*** Warning: dynamic linker does not accept needed library $i."
+		      echo "*** I have the capability to make that library automatically link in when"
+		      echo "*** you link to this library.  But I can only do this if you have a"
+		      echo "*** shared version of the library, which you do not appear to have"
+		      echo "*** because a test_compile did reveal that the linker did not use this one"
+		      echo "*** as a dynamic dependency that programs can get resolved with at runtime."
+		    fi
+		  fi
+		else
+		  droppeddeps=yes
+		  echo
+		  $ECHO "*** Warning!  Library $i is needed by this library but I was not able to"
+		  echo "*** make it link in!  You will probably need to install it or some"
+		  echo "*** library that it depends on before this library will be fully"
+		  echo "*** functional.  Installing it before continuing would be even better."
+		fi
+		;;
+	      *)
+		func_append newdeplibs " $i"
+		;;
+	      esac
+	    done
+	  fi
+	  ;;
+	file_magic*)
+	  set dummy $deplibs_check_method; shift
+	  file_magic_regex=`expr "$deplibs_check_method" : "$1 \(.*\)"`
+	  for a_deplib in $deplibs; do
+	    case $a_deplib in
+	    -l*)
+	      func_stripname -l '' "$a_deplib"
+	      name=$func_stripname_result
+	      if test yes = "$allow_libtool_libs_with_static_runtimes"; then
+		case " $predeps $postdeps " in
+		*" $a_deplib "*)
+		  func_append newdeplibs " $a_deplib"
+		  a_deplib=
+		  ;;
+		esac
+	      fi
+	      if test -n "$a_deplib"; then
+		libname=`eval "\\$ECHO \"$libname_spec\""`
+		if test -n "$file_magic_glob"; then
+		  libnameglob=`func_echo_all "$libname" | $SED -e $file_magic_glob`
+		else
+		  libnameglob=$libname
+		fi
+		test yes = "$want_nocaseglob" && nocaseglob=`shopt -p nocaseglob`
+		for i in $lib_search_path $sys_lib_search_path $shlib_search_path; do
+		  if test yes = "$want_nocaseglob"; then
+		    shopt -s nocaseglob
+		    potential_libs=`ls $i/$libnameglob[.-]* 2>/dev/null`
+		    $nocaseglob
+		  else
+		    potential_libs=`ls $i/$libnameglob[.-]* 2>/dev/null`
+		  fi
+		  for potent_lib in $potential_libs; do
+		      # Follow soft links.
+		      if ls -lLd "$potent_lib" 2>/dev/null |
+			 $GREP " -> " >/dev/null; then
+			continue
+		      fi
+		      # The statement above tries to avoid entering an
+		      # endless loop below, in case of cyclic links.
+		      # We might still enter an endless loop, since a link
+		      # loop can be closed while we follow links,
+		      # but so what?
+		      potlib=$potent_lib
+		      while test -h "$potlib" 2>/dev/null; do
+			potliblink=`ls -ld $potlib | $SED 's/.* -> //'`
+			case $potliblink in
+			[\\/]* | [A-Za-z]:[\\/]*) potlib=$potliblink;;
+			*) potlib=`$ECHO "$potlib" | $SED 's|[^/]*$||'`"$potliblink";;
+			esac
+		      done
+		      if eval $file_magic_cmd \"\$potlib\" 2>/dev/null |
+			 $SED -e 10q |
+			 $EGREP "$file_magic_regex" > /dev/null; then
+			func_append newdeplibs " $a_deplib"
+			a_deplib=
+			break 2
+		      fi
+		  done
+		done
+	      fi
+	      if test -n "$a_deplib"; then
+		droppeddeps=yes
+		echo
+		$ECHO "*** Warning: linker path does not have real file for library $a_deplib."
+		echo "*** I have the capability to make that library automatically link in when"
+		echo "*** you link to this library.  But I can only do this if you have a"
+		echo "*** shared version of the library, which you do not appear to have"
+		echo "*** because I did check the linker path looking for a file starting"
+		if test -z "$potlib"; then
+		  $ECHO "*** with $libname but no candidates were found. (...for file magic test)"
+		else
+		  $ECHO "*** with $libname and none of the candidates passed a file format test"
+		  $ECHO "*** using a file magic. Last file checked: $potlib"
+		fi
+	      fi
+	      ;;
+	    *)
+	      # Add a -L argument.
+	      func_append newdeplibs " $a_deplib"
+	      ;;
+	    esac
+	  done # Gone through all deplibs.
+	  ;;
+	match_pattern*)
+	  set dummy $deplibs_check_method; shift
+	  match_pattern_regex=`expr "$deplibs_check_method" : "$1 \(.*\)"`
+	  for a_deplib in $deplibs; do
+	    case $a_deplib in
+	    -l*)
+	      func_stripname -l '' "$a_deplib"
+	      name=$func_stripname_result
+	      if test yes = "$allow_libtool_libs_with_static_runtimes"; then
+		case " $predeps $postdeps " in
+		*" $a_deplib "*)
+		  func_append newdeplibs " $a_deplib"
+		  a_deplib=
+		  ;;
+		esac
+	      fi
+	      if test -n "$a_deplib"; then
+		libname=`eval "\\$ECHO \"$libname_spec\""`
+		for i in $lib_search_path $sys_lib_search_path $shlib_search_path; do
+		  potential_libs=`ls $i/$libname[.-]* 2>/dev/null`
+		  for potent_lib in $potential_libs; do
+		    potlib=$potent_lib # see symlink-check above in file_magic test
+		    if eval "\$ECHO \"$potent_lib\"" 2>/dev/null | $SED 10q | \
+		       $EGREP "$match_pattern_regex" > /dev/null; then
+		      func_append newdeplibs " $a_deplib"
+		      a_deplib=
+		      break 2
+		    fi
+		  done
+		done
+	      fi
+	      if test -n "$a_deplib"; then
+		droppeddeps=yes
+		echo
+		$ECHO "*** Warning: linker path does not have real file for library $a_deplib."
+		echo "*** I have the capability to make that library automatically link in when"
+		echo "*** you link to this library.  But I can only do this if you have a"
+		echo "*** shared version of the library, which you do not appear to have"
+		echo "*** because I did check the linker path looking for a file starting"
+		if test -z "$potlib"; then
+		  $ECHO "*** with $libname but no candidates were found. (...for regex pattern test)"
+		else
+		  $ECHO "*** with $libname and none of the candidates passed a file format test"
+		  $ECHO "*** using a regex pattern. Last file checked: $potlib"
+		fi
+	      fi
+	      ;;
+	    *)
+	      # Add a -L argument.
+	      func_append newdeplibs " $a_deplib"
+	      ;;
+	    esac
+	  done # Gone through all deplibs.
+	  ;;
+	none | unknown | *)
+	  newdeplibs=
+	  tmp_deplibs=`$ECHO " $deplibs" | $SED 's/ -lc$//; s/ -[LR][^ ]*//g'`
+	  if test yes = "$allow_libtool_libs_with_static_runtimes"; then
+	    for i in $predeps $postdeps; do
+	      # can't use Xsed below, because $i might contain '/'
+	      tmp_deplibs=`$ECHO " $tmp_deplibs" | $SED "s|$i||"`
+	    done
+	  fi
+	  case $tmp_deplibs in
+	  *[!\	\ ]*)
+	    echo
+	    if test none = "$deplibs_check_method"; then
+	      echo "*** Warning: inter-library dependencies are not supported in this platform."
+	    else
+	      echo "*** Warning: inter-library dependencies are not known to be supported."
+	    fi
+	    echo "*** All declared inter-library dependencies are being dropped."
+	    droppeddeps=yes
+	    ;;
+	  esac
+	  ;;
+	esac
+	versuffix=$versuffix_save
+	major=$major_save
+	release=$release_save
+	libname=$libname_save
+	name=$name_save
+
+	case $host in
+	*-*-rhapsody* | *-*-darwin1.[012])
+	  # On Rhapsody replace the C library with the System framework
+	  newdeplibs=`$ECHO " $newdeplibs" | $SED 's/ -lc / System.ltframework /'`
+	  ;;
+	esac
+
+	if test yes = "$droppeddeps"; then
+	  if test yes = "$module"; then
+	    echo
+	    echo "*** Warning: libtool could not satisfy all declared inter-library"
+	    $ECHO "*** dependencies of module $libname.  Therefore, libtool will create"
+	    echo "*** a static module, that should work as long as the dlopening"
+	    echo "*** application is linked with the -dlopen flag."
+	    if test -z "$global_symbol_pipe"; then
+	      echo
+	      echo "*** However, this would only work if libtool was able to extract symbol"
+	      echo "*** lists from a program, using 'nm' or equivalent, but libtool could"
+	      echo "*** not find such a program.  So, this module is probably useless."
+	      echo "*** 'nm' from GNU binutils and a full rebuild may help."
+	    fi
+	    if test no = "$build_old_libs"; then
+	      oldlibs=$output_objdir/$libname.$libext
+	      build_libtool_libs=module
+	      build_old_libs=yes
+	    else
+	      build_libtool_libs=no
+	    fi
+	  else
+	    echo "*** The inter-library dependencies that have been dropped here will be"
+	    echo "*** automatically added whenever a program is linked with this library"
+	    echo "*** or is declared to -dlopen it."
+
+	    if test no = "$allow_undefined"; then
+	      echo
+	      echo "*** Since this library must not contain undefined symbols,"
+	      echo "*** because either the platform does not support them or"
+	      echo "*** it was explicitly requested with -no-undefined,"
+	      echo "*** libtool will only create a static version of it."
+	      if test no = "$build_old_libs"; then
+		oldlibs=$output_objdir/$libname.$libext
+		build_libtool_libs=module
+		build_old_libs=yes
+	      else
+		build_libtool_libs=no
+	      fi
+	    fi
+	  fi
+	fi
+	# Done checking deplibs!
+	deplibs=$newdeplibs
+      fi
+      # Time to change all our "foo.ltframework" stuff back to "-framework foo"
+      case $host in
+	*-*-darwin*)
+	  newdeplibs=`$ECHO " $newdeplibs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'`
+	  new_inherited_linker_flags=`$ECHO " $new_inherited_linker_flags" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'`
+	  deplibs=`$ECHO " $deplibs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'`
+	  ;;
+      esac
+
+      # move library search paths that coincide with paths to not yet
+      # installed libraries to the beginning of the library search list
+      new_libs=
+      for path in $notinst_path; do
+	case " $new_libs " in
+	*" -L$path/$objdir "*) ;;
+	*)
+	  case " $deplibs " in
+	  *" -L$path/$objdir "*)
+	    func_append new_libs " -L$path/$objdir" ;;
+	  esac
+	  ;;
+	esac
+      done
+      for deplib in $deplibs; do
+	case $deplib in
+	-L*)
+	  case " $new_libs " in
+	  *" $deplib "*) ;;
+	  *) func_append new_libs " $deplib" ;;
+	  esac
+	  ;;
+	*) func_append new_libs " $deplib" ;;
+	esac
+      done
+      deplibs=$new_libs
+
+      # All the library-specific variables (install_libdir is set above).
+      library_names=
+      old_library=
+      dlname=
+
+      # Test again, we may have decided not to build it any more
+      if test yes = "$build_libtool_libs"; then
+	# Remove $wl instances when linking with ld.
+	# FIXME: should test the right _cmds variable.
+	case $archive_cmds in
+	  *\$LD\ *) wl= ;;
+        esac
+	if test yes = "$hardcode_into_libs"; then
+	  # Hardcode the library paths
+	  hardcode_libdirs=
+	  dep_rpath=
+	  rpath=$finalize_rpath
+	  test relink = "$opt_mode" || rpath=$compile_rpath$rpath
+	  for libdir in $rpath; do
+	    if test -n "$hardcode_libdir_flag_spec"; then
+	      if test -n "$hardcode_libdir_separator"; then
+		func_replace_sysroot "$libdir"
+		libdir=$func_replace_sysroot_result
+		if test -z "$hardcode_libdirs"; then
+		  hardcode_libdirs=$libdir
+		else
+		  # Just accumulate the unique libdirs.
+		  case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in
+		  *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
+		    ;;
+		  *)
+		    func_append hardcode_libdirs "$hardcode_libdir_separator$libdir"
+		    ;;
+		  esac
+		fi
+	      else
+		eval flag=\"$hardcode_libdir_flag_spec\"
+		func_append dep_rpath " $flag"
+	      fi
+	    elif test -n "$runpath_var"; then
+	      case "$perm_rpath " in
+	      *" $libdir "*) ;;
+	      *) func_append perm_rpath " $libdir" ;;
+	      esac
+	    fi
+	  done
+	  # Substitute the hardcoded libdirs into the rpath.
+	  if test -n "$hardcode_libdir_separator" &&
+	     test -n "$hardcode_libdirs"; then
+	    libdir=$hardcode_libdirs
+	    eval "dep_rpath=\"$hardcode_libdir_flag_spec\""
+	  fi
+	  if test -n "$runpath_var" && test -n "$perm_rpath"; then
+	    # We should set the runpath_var.
+	    rpath=
+	    for dir in $perm_rpath; do
+	      func_append rpath "$dir:"
+	    done
+	    eval "$runpath_var='$rpath\$$runpath_var'; export $runpath_var"
+	  fi
+	  test -n "$dep_rpath" && deplibs="$dep_rpath $deplibs"
+	fi
+
+	shlibpath=$finalize_shlibpath
+	test relink = "$opt_mode" || shlibpath=$compile_shlibpath$shlibpath
+	if test -n "$shlibpath"; then
+	  eval "$shlibpath_var='$shlibpath\$$shlibpath_var'; export $shlibpath_var"
+	fi
+
+	# Get the real and link names of the library.
+	eval shared_ext=\"$shrext_cmds\"
+	eval library_names=\"$library_names_spec\"
+	set dummy $library_names
+	shift
+	realname=$1
+	shift
+
+	if test -n "$soname_spec"; then
+	  eval soname=\"$soname_spec\"
+	else
+	  soname=$realname
+	fi
+	if test -z "$dlname"; then
+	  dlname=$soname
+	fi
+
+	lib=$output_objdir/$realname
+	linknames=
+	for link
+	do
+	  func_append linknames " $link"
+	done
+
+	# Use standard objects if they are pic
+	test -z "$pic_flag" && libobjs=`$ECHO "$libobjs" | $SP2NL | $SED "$lo2o" | $NL2SP`
+	test "X$libobjs" = "X " && libobjs=
+
+	delfiles=
+	if test -n "$export_symbols" && test -n "$include_expsyms"; then
+	  $opt_dry_run || cp "$export_symbols" "$output_objdir/$libname.uexp"
+	  export_symbols=$output_objdir/$libname.uexp
+	  func_append delfiles " $export_symbols"
+	fi
+
+	orig_export_symbols=
+	case $host_os in
+	cygwin* | mingw* | cegcc*)
+	  if test -n "$export_symbols" && test -z "$export_symbols_regex"; then
+	    # exporting using user supplied symfile
+	    func_dll_def_p "$export_symbols" || {
+	      # and it's NOT already a .def file. Must figure out
+	      # which of the given symbols are data symbols and tag
+	      # them as such. So, trigger use of export_symbols_cmds.
+	      # export_symbols gets reassigned inside the "prepare
+	      # the list of exported symbols" if statement, so the
+	      # include_expsyms logic still works.
+	      orig_export_symbols=$export_symbols
+	      export_symbols=
+	      always_export_symbols=yes
+	    }
+	  fi
+	  ;;
+	esac
+
+	# Prepare the list of exported symbols
+	if test -z "$export_symbols"; then
+	  if test yes = "$always_export_symbols" || test -n "$export_symbols_regex"; then
+	    func_verbose "generating symbol list for '$libname.la'"
+	    export_symbols=$output_objdir/$libname.exp
+	    $opt_dry_run || $RM $export_symbols
+	    cmds=$export_symbols_cmds
+	    save_ifs=$IFS; IFS='~'
+	    for cmd1 in $cmds; do
+	      IFS=$save_ifs
+	      # Take the normal branch if the nm_file_list_spec branch
+	      # doesn't work or if tool conversion is not needed.
+	      case $nm_file_list_spec~$to_tool_file_cmd in
+		*~func_convert_file_noop | *~func_convert_file_msys_to_w32 | ~*)
+		  try_normal_branch=yes
+		  eval cmd=\"$cmd1\"
+		  func_len " $cmd"
+		  len=$func_len_result
+		  ;;
+		*)
+		  try_normal_branch=no
+		  ;;
+	      esac
+	      if test yes = "$try_normal_branch" \
+		 && { test "$len" -lt "$max_cmd_len" \
+		      || test "$max_cmd_len" -le -1; }
+	      then
+		func_show_eval "$cmd" 'exit $?'
+		skipped_export=false
+	      elif test -n "$nm_file_list_spec"; then
+		func_basename "$output"
+		output_la=$func_basename_result
+		save_libobjs=$libobjs
+		save_output=$output
+		output=$output_objdir/$output_la.nm
+		func_to_tool_file "$output"
+		libobjs=$nm_file_list_spec$func_to_tool_file_result
+		func_append delfiles " $output"
+		func_verbose "creating $NM input file list: $output"
+		for obj in $save_libobjs; do
+		  func_to_tool_file "$obj"
+		  $ECHO "$func_to_tool_file_result"
+		done > "$output"
+		eval cmd=\"$cmd1\"
+		func_show_eval "$cmd" 'exit $?'
+		output=$save_output
+		libobjs=$save_libobjs
+		skipped_export=false
+	      else
+		# The command line is too long to execute in one step.
+		func_verbose "using reloadable object file for export list..."
+		skipped_export=:
+		# Break out early, otherwise skipped_export may be
+		# set to false by a later but shorter cmd.
+		break
+	      fi
+	    done
+	    IFS=$save_ifs
+	    if test -n "$export_symbols_regex" && test : != "$skipped_export"; then
+	      func_show_eval '$EGREP -e "$export_symbols_regex" "$export_symbols" > "${export_symbols}T"'
+	      func_show_eval '$MV "${export_symbols}T" "$export_symbols"'
+	    fi
+	  fi
+	fi
+
+	if test -n "$export_symbols" && test -n "$include_expsyms"; then
+	  tmp_export_symbols=$export_symbols
+	  test -n "$orig_export_symbols" && tmp_export_symbols=$orig_export_symbols
+	  $opt_dry_run || eval '$ECHO "$include_expsyms" | $SP2NL >> "$tmp_export_symbols"'
+	fi
+
+	if test : != "$skipped_export" && test -n "$orig_export_symbols"; then
+	  # The given exports_symbols file has to be filtered, so filter it.
+	  func_verbose "filter symbol list for '$libname.la' to tag DATA exports"
+	  # FIXME: $output_objdir/$libname.filter potentially contains lots of
+	  # 's' commands, which not all seds can handle. GNU sed should be fine
+	  # though. Also, the filter scales superlinearly with the number of
+	  # global variables. join(1) would be nice here, but unfortunately
+	  # isn't a blessed tool.
+	  $opt_dry_run || $SED -e '/[ ,]DATA/!d;s,\(.*\)\([ \,].*\),s|^\1$|\1\2|,' < $export_symbols > $output_objdir/$libname.filter
+	  func_append delfiles " $export_symbols $output_objdir/$libname.filter"
+	  export_symbols=$output_objdir/$libname.def
+	  $opt_dry_run || $SED -f $output_objdir/$libname.filter < $orig_export_symbols > $export_symbols
+	fi
+
+	tmp_deplibs=
+	for test_deplib in $deplibs; do
+	  case " $convenience " in
+	  *" $test_deplib "*) ;;
+	  *)
+	    func_append tmp_deplibs " $test_deplib"
+	    ;;
+	  esac
+	done
+	deplibs=$tmp_deplibs
+
+	if test -n "$convenience"; then
+	  if test -n "$whole_archive_flag_spec" &&
+	    test yes = "$compiler_needs_object" &&
+	    test -z "$libobjs"; then
+	    # extract the archives, so we have objects to list.
+	    # TODO: could optimize this to just extract one archive.
+	    whole_archive_flag_spec=
+	  fi
+	  if test -n "$whole_archive_flag_spec"; then
+	    save_libobjs=$libobjs
+	    eval libobjs=\"\$libobjs $whole_archive_flag_spec\"
+	    test "X$libobjs" = "X " && libobjs=
+	  else
+	    gentop=$output_objdir/${outputname}x
+	    func_append generated " $gentop"
+
+	    func_extract_archives $gentop $convenience
+	    func_append libobjs " $func_extract_archives_result"
+	    test "X$libobjs" = "X " && libobjs=
+	  fi
+	fi
+
+	if test yes = "$thread_safe" && test -n "$thread_safe_flag_spec"; then
+	  eval flag=\"$thread_safe_flag_spec\"
+	  func_append linker_flags " $flag"
+	fi
+
+	# Make a backup of the uninstalled library when relinking
+	if test relink = "$opt_mode"; then
+	  $opt_dry_run || eval '(cd $output_objdir && $RM ${realname}U && $MV $realname ${realname}U)' || exit $?
+	fi
+
+	# Do each of the archive commands.
+	if test yes = "$module" && test -n "$module_cmds"; then
+	  if test -n "$export_symbols" && test -n "$module_expsym_cmds"; then
+	    eval test_cmds=\"$module_expsym_cmds\"
+	    cmds=$module_expsym_cmds
+	  else
+	    eval test_cmds=\"$module_cmds\"
+	    cmds=$module_cmds
+	  fi
+	else
+	  if test -n "$export_symbols" && test -n "$archive_expsym_cmds"; then
+	    eval test_cmds=\"$archive_expsym_cmds\"
+	    cmds=$archive_expsym_cmds
+	  else
+	    eval test_cmds=\"$archive_cmds\"
+	    cmds=$archive_cmds
+	  fi
+	fi
+
+	if test : != "$skipped_export" &&
+	   func_len " $test_cmds" &&
+	   len=$func_len_result &&
+	   test "$len" -lt "$max_cmd_len" || test "$max_cmd_len" -le -1; then
+	  :
+	else
+	  # The command line is too long to link in one step, link piecewise
+	  # or, if using GNU ld and skipped_export is not :, use a linker
+	  # script.
+
+	  # Save the value of $output and $libobjs because we want to
+	  # use them later.  If we have whole_archive_flag_spec, we
+	  # want to use save_libobjs as it was before
+	  # whole_archive_flag_spec was expanded, because we can't
+	  # assume the linker understands whole_archive_flag_spec.
+	  # This may have to be revisited, in case too many
+	  # convenience libraries get linked in and end up exceeding
+	  # the spec.
+	  if test -z "$convenience" || test -z "$whole_archive_flag_spec"; then
+	    save_libobjs=$libobjs
+	  fi
+	  save_output=$output
+	  func_basename "$output"
+	  output_la=$func_basename_result
+
+	  # Clear the reloadable object creation command queue and
+	  # initialize k to one.
+	  test_cmds=
+	  concat_cmds=
+	  objlist=
+	  last_robj=
+	  k=1
+
+	  if test -n "$save_libobjs" && test : != "$skipped_export" && test yes = "$with_gnu_ld"; then
+	    output=$output_objdir/$output_la.lnkscript
+	    func_verbose "creating GNU ld script: $output"
+	    echo 'INPUT (' > $output
+	    for obj in $save_libobjs
+	    do
+	      func_to_tool_file "$obj"
+	      $ECHO "$func_to_tool_file_result" >> $output
+	    done
+	    echo ')' >> $output
+	    func_append delfiles " $output"
+	    func_to_tool_file "$output"
+	    output=$func_to_tool_file_result
+	  elif test -n "$save_libobjs" && test : != "$skipped_export" && test -n "$file_list_spec"; then
+	    output=$output_objdir/$output_la.lnk
+	    func_verbose "creating linker input file list: $output"
+	    : > $output
+	    set x $save_libobjs
+	    shift
+	    firstobj=
+	    if test yes = "$compiler_needs_object"; then
+	      firstobj="$1 "
+	      shift
+	    fi
+	    for obj
+	    do
+	      func_to_tool_file "$obj"
+	      $ECHO "$func_to_tool_file_result" >> $output
+	    done
+	    func_append delfiles " $output"
+	    func_to_tool_file "$output"
+	    output=$firstobj\"$file_list_spec$func_to_tool_file_result\"
+	  else
+	    if test -n "$save_libobjs"; then
+	      func_verbose "creating reloadable object files..."
+	      output=$output_objdir/$output_la-$k.$objext
+	      eval test_cmds=\"$reload_cmds\"
+	      func_len " $test_cmds"
+	      len0=$func_len_result
+	      len=$len0
+
+	      # Loop over the list of objects to be linked.
+	      for obj in $save_libobjs
+	      do
+		func_len " $obj"
+		func_arith $len + $func_len_result
+		len=$func_arith_result
+		if test -z "$objlist" ||
+		   test "$len" -lt "$max_cmd_len"; then
+		  func_append objlist " $obj"
+		else
+		  # The command $test_cmds is almost too long, add a
+		  # command to the queue.
+		  if test 1 -eq "$k"; then
+		    # The first file doesn't have a previous command to add.
+		    reload_objs=$objlist
+		    eval concat_cmds=\"$reload_cmds\"
+		  else
+		    # All subsequent reloadable object files will link in
+		    # the last one created.
+		    reload_objs="$objlist $last_robj"
+		    eval concat_cmds=\"\$concat_cmds~$reload_cmds~\$RM $last_robj\"
+		  fi
+		  last_robj=$output_objdir/$output_la-$k.$objext
+		  func_arith $k + 1
+		  k=$func_arith_result
+		  output=$output_objdir/$output_la-$k.$objext
+		  objlist=" $obj"
+		  func_len " $last_robj"
+		  func_arith $len0 + $func_len_result
+		  len=$func_arith_result
+		fi
+	      done
+	      # Handle the remaining objects by creating one last
+	      # reloadable object file.  All subsequent reloadable object
+	      # files will link in the last one created.
+	      test -z "$concat_cmds" || concat_cmds=$concat_cmds~
+	      reload_objs="$objlist $last_robj"
+	      eval concat_cmds=\"\$concat_cmds$reload_cmds\"
+	      if test -n "$last_robj"; then
+	        eval concat_cmds=\"\$concat_cmds~\$RM $last_robj\"
+	      fi
+	      func_append delfiles " $output"
+
+	    else
+	      output=
+	    fi
+
+	    ${skipped_export-false} && {
+	      func_verbose "generating symbol list for '$libname.la'"
+	      export_symbols=$output_objdir/$libname.exp
+	      $opt_dry_run || $RM $export_symbols
+	      libobjs=$output
+	      # Append the command to create the export file.
+	      test -z "$concat_cmds" || concat_cmds=$concat_cmds~
+	      eval concat_cmds=\"\$concat_cmds$export_symbols_cmds\"
+	      if test -n "$last_robj"; then
+		eval concat_cmds=\"\$concat_cmds~\$RM $last_robj\"
+	      fi
+	    }
+
+	    test -n "$save_libobjs" &&
+	      func_verbose "creating a temporary reloadable object file: $output"
+
+	    # Loop through the commands generated above and execute them.
+	    save_ifs=$IFS; IFS='~'
+	    for cmd in $concat_cmds; do
+	      IFS=$save_ifs
+	      $opt_quiet || {
+		  func_quote_for_expand "$cmd"
+		  eval "func_echo $func_quote_for_expand_result"
+	      }
+	      $opt_dry_run || eval "$cmd" || {
+		lt_exit=$?
+
+		# Restore the uninstalled library and exit
+		if test relink = "$opt_mode"; then
+		  ( cd "$output_objdir" && \
+		    $RM "${realname}T" && \
+		    $MV "${realname}U" "$realname" )
+		fi
+
+		exit $lt_exit
+	      }
+	    done
+	    IFS=$save_ifs
+
+	    if test -n "$export_symbols_regex" && ${skipped_export-false}; then
+	      func_show_eval '$EGREP -e "$export_symbols_regex" "$export_symbols" > "${export_symbols}T"'
+	      func_show_eval '$MV "${export_symbols}T" "$export_symbols"'
+	    fi
+	  fi
+
+          ${skipped_export-false} && {
+	    if test -n "$export_symbols" && test -n "$include_expsyms"; then
+	      tmp_export_symbols=$export_symbols
+	      test -n "$orig_export_symbols" && tmp_export_symbols=$orig_export_symbols
+	      $opt_dry_run || eval '$ECHO "$include_expsyms" | $SP2NL >> "$tmp_export_symbols"'
+	    fi
+
+	    if test -n "$orig_export_symbols"; then
+	      # The given exports_symbols file has to be filtered, so filter it.
+	      func_verbose "filter symbol list for '$libname.la' to tag DATA exports"
+	      # FIXME: $output_objdir/$libname.filter potentially contains lots of
+	      # 's' commands, which not all seds can handle. GNU sed should be fine
+	      # though. Also, the filter scales superlinearly with the number of
+	      # global variables. join(1) would be nice here, but unfortunately
+	      # isn't a blessed tool.
+	      $opt_dry_run || $SED -e '/[ ,]DATA/!d;s,\(.*\)\([ \,].*\),s|^\1$|\1\2|,' < $export_symbols > $output_objdir/$libname.filter
+	      func_append delfiles " $export_symbols $output_objdir/$libname.filter"
+	      export_symbols=$output_objdir/$libname.def
+	      $opt_dry_run || $SED -f $output_objdir/$libname.filter < $orig_export_symbols > $export_symbols
+	    fi
+	  }
+
+	  libobjs=$output
+	  # Restore the value of output.
+	  output=$save_output
+
+	  if test -n "$convenience" && test -n "$whole_archive_flag_spec"; then
+	    eval libobjs=\"\$libobjs $whole_archive_flag_spec\"
+	    test "X$libobjs" = "X " && libobjs=
+	  fi
+	  # Expand the library linking commands again to reset the
+	  # value of $libobjs for piecewise linking.
+
+	  # Do each of the archive commands.
+	  if test yes = "$module" && test -n "$module_cmds"; then
+	    if test -n "$export_symbols" && test -n "$module_expsym_cmds"; then
+	      cmds=$module_expsym_cmds
+	    else
+	      cmds=$module_cmds
+	    fi
+	  else
+	    if test -n "$export_symbols" && test -n "$archive_expsym_cmds"; then
+	      cmds=$archive_expsym_cmds
+	    else
+	      cmds=$archive_cmds
+	    fi
+	  fi
+	fi
+
+	if test -n "$delfiles"; then
+	  # Append the command to remove temporary files to $cmds.
+	  eval cmds=\"\$cmds~\$RM $delfiles\"
+	fi
+
+	# Add any objects from preloaded convenience libraries
+	if test -n "$dlprefiles"; then
+	  gentop=$output_objdir/${outputname}x
+	  func_append generated " $gentop"
+
+	  func_extract_archives $gentop $dlprefiles
+	  func_append libobjs " $func_extract_archives_result"
+	  test "X$libobjs" = "X " && libobjs=
+	fi
+
+	save_ifs=$IFS; IFS='~'
+	for cmd in $cmds; do
+	  IFS=$sp$nl
+	  eval cmd=\"$cmd\"
+	  IFS=$save_ifs
+	  $opt_quiet || {
+	    func_quote_for_expand "$cmd"
+	    eval "func_echo $func_quote_for_expand_result"
+	  }
+	  $opt_dry_run || eval "$cmd" || {
+	    lt_exit=$?
+
+	    # Restore the uninstalled library and exit
+	    if test relink = "$opt_mode"; then
+	      ( cd "$output_objdir" && \
+	        $RM "${realname}T" && \
+		$MV "${realname}U" "$realname" )
+	    fi
+
+	    exit $lt_exit
+	  }
+	done
+	IFS=$save_ifs
+
+	# Restore the uninstalled library and exit
+	if test relink = "$opt_mode"; then
+	  $opt_dry_run || eval '(cd $output_objdir && $RM ${realname}T && $MV $realname ${realname}T && $MV ${realname}U $realname)' || exit $?
+
+	  if test -n "$convenience"; then
+	    if test -z "$whole_archive_flag_spec"; then
+	      func_show_eval '${RM}r "$gentop"'
+	    fi
+	  fi
+
+	  exit $EXIT_SUCCESS
+	fi
+
+	# Create links to the real library.
+	for linkname in $linknames; do
+	  if test "$realname" != "$linkname"; then
+	    func_show_eval '(cd "$output_objdir" && $RM "$linkname" && $LN_S "$realname" "$linkname")' 'exit $?'
+	  fi
+	done
+
+	# If -module or -export-dynamic was specified, set the dlname.
+	if test yes = "$module" || test yes = "$export_dynamic"; then
+	  # On all known operating systems, these are identical.
+	  dlname=$soname
+	fi
+      fi
+      ;;
+
+    obj)
+      if test -n "$dlfiles$dlprefiles" || test no != "$dlself"; then
+	func_warning "'-dlopen' is ignored for objects"
+      fi
+
+      case " $deplibs" in
+      *\ -l* | *\ -L*)
+	func_warning "'-l' and '-L' are ignored for objects" ;;
+      esac
+
+      test -n "$rpath" && \
+	func_warning "'-rpath' is ignored for objects"
+
+      test -n "$xrpath" && \
+	func_warning "'-R' is ignored for objects"
+
+      test -n "$vinfo" && \
+	func_warning "'-version-info' is ignored for objects"
+
+      test -n "$release" && \
+	func_warning "'-release' is ignored for objects"
+
+      case $output in
+      *.lo)
+	test -n "$objs$old_deplibs" && \
+	  func_fatal_error "cannot build library object '$output' from non-libtool objects"
+
+	libobj=$output
+	func_lo2o "$libobj"
+	obj=$func_lo2o_result
+	;;
+      *)
+	libobj=
+	obj=$output
+	;;
+      esac
+
+      # Delete the old objects.
+      $opt_dry_run || $RM $obj $libobj
+
+      # Objects from convenience libraries.  This assumes
+      # single-version convenience libraries.  Whenever we create
+      # different ones for PIC/non-PIC, this we'll have to duplicate
+      # the extraction.
+      reload_conv_objs=
+      gentop=
+      # if reload_cmds runs $LD directly, get rid of -Wl from
+      # whole_archive_flag_spec and hope we can get by with turning comma
+      # into space.
+      case $reload_cmds in
+        *\$LD[\ \$]*) wl= ;;
+      esac
+      if test -n "$convenience"; then
+	if test -n "$whole_archive_flag_spec"; then
+	  eval tmp_whole_archive_flags=\"$whole_archive_flag_spec\"
+	  test -n "$wl" || tmp_whole_archive_flags=`$ECHO "$tmp_whole_archive_flags" | $SED 's|,| |g'`
+	  reload_conv_objs=$reload_objs\ $tmp_whole_archive_flags
+	else
+	  gentop=$output_objdir/${obj}x
+	  func_append generated " $gentop"
+
+	  func_extract_archives $gentop $convenience
+	  reload_conv_objs="$reload_objs $func_extract_archives_result"
+	fi
+      fi
+
+      # If we're not building shared, we need to use non_pic_objs
+      test yes = "$build_libtool_libs" || libobjs=$non_pic_objects
+
+      # Create the old-style object.
+      reload_objs=$objs$old_deplibs' '`$ECHO "$libobjs" | $SP2NL | $SED "/\.$libext$/d; /\.lib$/d; $lo2o" | $NL2SP`' '$reload_conv_objs
+
+      output=$obj
+      func_execute_cmds "$reload_cmds" 'exit $?'
+
+      # Exit if we aren't doing a library object file.
+      if test -z "$libobj"; then
+	if test -n "$gentop"; then
+	  func_show_eval '${RM}r "$gentop"'
+	fi
+
+	exit $EXIT_SUCCESS
+      fi
+
+      test yes = "$build_libtool_libs" || {
+	if test -n "$gentop"; then
+	  func_show_eval '${RM}r "$gentop"'
+	fi
+
+	# Create an invalid libtool object if no PIC, so that we don't
+	# accidentally link it into a program.
+	# $show "echo timestamp > $libobj"
+	# $opt_dry_run || eval "echo timestamp > $libobj" || exit $?
+	exit $EXIT_SUCCESS
+      }
+
+      if test -n "$pic_flag" || test default != "$pic_mode"; then
+	# Only do commands if we really have different PIC objects.
+	reload_objs="$libobjs $reload_conv_objs"
+	output=$libobj
+	func_execute_cmds "$reload_cmds" 'exit $?'
+      fi
+
+      if test -n "$gentop"; then
+	func_show_eval '${RM}r "$gentop"'
+      fi
+
+      exit $EXIT_SUCCESS
+      ;;
+
+    prog)
+      case $host in
+	*cygwin*) func_stripname '' '.exe' "$output"
+	          output=$func_stripname_result.exe;;
+      esac
+      test -n "$vinfo" && \
+	func_warning "'-version-info' is ignored for programs"
+
+      test -n "$release" && \
+	func_warning "'-release' is ignored for programs"
+
+      $preload \
+	&& test unknown,unknown,unknown = "$dlopen_support,$dlopen_self,$dlopen_self_static" \
+	&& func_warning "'LT_INIT([dlopen])' not used. Assuming no dlopen support."
+
+      case $host in
+      *-*-rhapsody* | *-*-darwin1.[012])
+	# On Rhapsody replace the C library is the System framework
+	compile_deplibs=`$ECHO " $compile_deplibs" | $SED 's/ -lc / System.ltframework /'`
+	finalize_deplibs=`$ECHO " $finalize_deplibs" | $SED 's/ -lc / System.ltframework /'`
+	;;
+      esac
+
+      case $host in
+      *-*-darwin*)
+	# Don't allow lazy linking, it breaks C++ global constructors
+	# But is supposedly fixed on 10.4 or later (yay!).
+	if test CXX = "$tagname"; then
+	  case ${MACOSX_DEPLOYMENT_TARGET-10.0} in
+	    10.[0123])
+	      func_append compile_command " $wl-bind_at_load"
+	      func_append finalize_command " $wl-bind_at_load"
+	    ;;
+	  esac
+	fi
+	# Time to change all our "foo.ltframework" stuff back to "-framework foo"
+	compile_deplibs=`$ECHO " $compile_deplibs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'`
+	finalize_deplibs=`$ECHO " $finalize_deplibs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'`
+	;;
+      esac
+
+
+      # move library search paths that coincide with paths to not yet
+      # installed libraries to the beginning of the library search list
+      new_libs=
+      for path in $notinst_path; do
+	case " $new_libs " in
+	*" -L$path/$objdir "*) ;;
+	*)
+	  case " $compile_deplibs " in
+	  *" -L$path/$objdir "*)
+	    func_append new_libs " -L$path/$objdir" ;;
+	  esac
+	  ;;
+	esac
+      done
+      for deplib in $compile_deplibs; do
+	case $deplib in
+	-L*)
+	  case " $new_libs " in
+	  *" $deplib "*) ;;
+	  *) func_append new_libs " $deplib" ;;
+	  esac
+	  ;;
+	*) func_append new_libs " $deplib" ;;
+	esac
+      done
+      compile_deplibs=$new_libs
+
+
+      func_append compile_command " $compile_deplibs"
+      func_append finalize_command " $finalize_deplibs"
+
+      if test -n "$rpath$xrpath"; then
+	# If the user specified any rpath flags, then add them.
+	for libdir in $rpath $xrpath; do
+	  # This is the magic to use -rpath.
+	  case "$finalize_rpath " in
+	  *" $libdir "*) ;;
+	  *) func_append finalize_rpath " $libdir" ;;
+	  esac
+	done
+      fi
+
+      # Now hardcode the library paths
+      rpath=
+      hardcode_libdirs=
+      for libdir in $compile_rpath $finalize_rpath; do
+	if test -n "$hardcode_libdir_flag_spec"; then
+	  if test -n "$hardcode_libdir_separator"; then
+	    if test -z "$hardcode_libdirs"; then
+	      hardcode_libdirs=$libdir
+	    else
+	      # Just accumulate the unique libdirs.
+	      case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in
+	      *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
+		;;
+	      *)
+		func_append hardcode_libdirs "$hardcode_libdir_separator$libdir"
+		;;
+	      esac
+	    fi
+	  else
+	    eval flag=\"$hardcode_libdir_flag_spec\"
+	    func_append rpath " $flag"
+	  fi
+	elif test -n "$runpath_var"; then
+	  case "$perm_rpath " in
+	  *" $libdir "*) ;;
+	  *) func_append perm_rpath " $libdir" ;;
+	  esac
+	fi
+	case $host in
+	*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-cegcc*)
+	  testbindir=`$ECHO "$libdir" | $SED -e 's*/lib$*/bin*'`
+	  case :$dllsearchpath: in
+	  *":$libdir:"*) ;;
+	  ::) dllsearchpath=$libdir;;
+	  *) func_append dllsearchpath ":$libdir";;
+	  esac
+	  case :$dllsearchpath: in
+	  *":$testbindir:"*) ;;
+	  ::) dllsearchpath=$testbindir;;
+	  *) func_append dllsearchpath ":$testbindir";;
+	  esac
+	  ;;
+	esac
+      done
+      # Substitute the hardcoded libdirs into the rpath.
+      if test -n "$hardcode_libdir_separator" &&
+	 test -n "$hardcode_libdirs"; then
+	libdir=$hardcode_libdirs
+	eval rpath=\" $hardcode_libdir_flag_spec\"
+      fi
+      compile_rpath=$rpath
+
+      rpath=
+      hardcode_libdirs=
+      for libdir in $finalize_rpath; do
+	if test -n "$hardcode_libdir_flag_spec"; then
+	  if test -n "$hardcode_libdir_separator"; then
+	    if test -z "$hardcode_libdirs"; then
+	      hardcode_libdirs=$libdir
+	    else
+	      # Just accumulate the unique libdirs.
+	      case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in
+	      *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
+		;;
+	      *)
+		func_append hardcode_libdirs "$hardcode_libdir_separator$libdir"
+		;;
+	      esac
+	    fi
+	  else
+	    eval flag=\"$hardcode_libdir_flag_spec\"
+	    func_append rpath " $flag"
+	  fi
+	elif test -n "$runpath_var"; then
+	  case "$finalize_perm_rpath " in
+	  *" $libdir "*) ;;
+	  *) func_append finalize_perm_rpath " $libdir" ;;
+	  esac
+	fi
+      done
+      # Substitute the hardcoded libdirs into the rpath.
+      if test -n "$hardcode_libdir_separator" &&
+	 test -n "$hardcode_libdirs"; then
+	libdir=$hardcode_libdirs
+	eval rpath=\" $hardcode_libdir_flag_spec\"
+      fi
+      finalize_rpath=$rpath
+
+      if test -n "$libobjs" && test yes = "$build_old_libs"; then
+	# Transform all the library objects into standard objects.
+	compile_command=`$ECHO "$compile_command" | $SP2NL | $SED "$lo2o" | $NL2SP`
+	finalize_command=`$ECHO "$finalize_command" | $SP2NL | $SED "$lo2o" | $NL2SP`
+      fi
+
+      func_generate_dlsyms "$outputname" "@PROGRAM@" false
+
+      # template prelinking step
+      if test -n "$prelink_cmds"; then
+	func_execute_cmds "$prelink_cmds" 'exit $?'
+      fi
+
+      wrappers_required=:
+      case $host in
+      *cegcc* | *mingw32ce*)
+        # Disable wrappers for cegcc and mingw32ce hosts, we are cross compiling anyway.
+        wrappers_required=false
+        ;;
+      *cygwin* | *mingw* )
+        test yes = "$build_libtool_libs" || wrappers_required=false
+        ;;
+      *)
+        if test no = "$need_relink" || test yes != "$build_libtool_libs"; then
+          wrappers_required=false
+        fi
+        ;;
+      esac
+      $wrappers_required || {
+	# Replace the output file specification.
+	compile_command=`$ECHO "$compile_command" | $SED 's%@OUTPUT@%'"$output"'%g'`
+	link_command=$compile_command$compile_rpath
+
+	# We have no uninstalled library dependencies, so finalize right now.
+	exit_status=0
+	func_show_eval "$link_command" 'exit_status=$?'
+
+	if test -n "$postlink_cmds"; then
+	  func_to_tool_file "$output"
+	  postlink_cmds=`func_echo_all "$postlink_cmds" | $SED -e 's%@OUTPUT@%'"$output"'%g' -e 's%@TOOL_OUTPUT@%'"$func_to_tool_file_result"'%g'`
+	  func_execute_cmds "$postlink_cmds" 'exit $?'
+	fi
+
+	# Delete the generated files.
+	if test -f "$output_objdir/${outputname}S.$objext"; then
+	  func_show_eval '$RM "$output_objdir/${outputname}S.$objext"'
+	fi
+
+	exit $exit_status
+      }
+
+      if test -n "$compile_shlibpath$finalize_shlibpath"; then
+	compile_command="$shlibpath_var=\"$compile_shlibpath$finalize_shlibpath\$$shlibpath_var\" $compile_command"
+      fi
+      if test -n "$finalize_shlibpath"; then
+	finalize_command="$shlibpath_var=\"$finalize_shlibpath\$$shlibpath_var\" $finalize_command"
+      fi
+
+      compile_var=
+      finalize_var=
+      if test -n "$runpath_var"; then
+	if test -n "$perm_rpath"; then
+	  # We should set the runpath_var.
+	  rpath=
+	  for dir in $perm_rpath; do
+	    func_append rpath "$dir:"
+	  done
+	  compile_var="$runpath_var=\"$rpath\$$runpath_var\" "
+	fi
+	if test -n "$finalize_perm_rpath"; then
+	  # We should set the runpath_var.
+	  rpath=
+	  for dir in $finalize_perm_rpath; do
+	    func_append rpath "$dir:"
+	  done
+	  finalize_var="$runpath_var=\"$rpath\$$runpath_var\" "
+	fi
+      fi
+
+      if test yes = "$no_install"; then
+	# We don't need to create a wrapper script.
+	link_command=$compile_var$compile_command$compile_rpath
+	# Replace the output file specification.
+	link_command=`$ECHO "$link_command" | $SED 's%@OUTPUT@%'"$output"'%g'`
+	# Delete the old output file.
+	$opt_dry_run || $RM $output
+	# Link the executable and exit
+	func_show_eval "$link_command" 'exit $?'
+
+	if test -n "$postlink_cmds"; then
+	  func_to_tool_file "$output"
+	  postlink_cmds=`func_echo_all "$postlink_cmds" | $SED -e 's%@OUTPUT@%'"$output"'%g' -e 's%@TOOL_OUTPUT@%'"$func_to_tool_file_result"'%g'`
+	  func_execute_cmds "$postlink_cmds" 'exit $?'
+	fi
+
+	exit $EXIT_SUCCESS
+      fi
+
+      case $hardcode_action,$fast_install in
+        relink,*)
+	  # Fast installation is not supported
+	  link_command=$compile_var$compile_command$compile_rpath
+	  relink_command=$finalize_var$finalize_command$finalize_rpath
+
+	  func_warning "this platform does not like uninstalled shared libraries"
+	  func_warning "'$output' will be relinked during installation"
+	  ;;
+        *,yes)
+	  link_command=$finalize_var$compile_command$finalize_rpath
+	  relink_command=`$ECHO "$compile_var$compile_command$compile_rpath" | $SED 's%@OUTPUT@%\$progdir/\$file%g'`
+          ;;
+	*,no)
+	  link_command=$compile_var$compile_command$compile_rpath
+	  relink_command=$finalize_var$finalize_command$finalize_rpath
+          ;;
+	*,needless)
+	  link_command=$finalize_var$compile_command$finalize_rpath
+	  relink_command=
+          ;;
+      esac
+
+      # Replace the output file specification.
+      link_command=`$ECHO "$link_command" | $SED 's%@OUTPUT@%'"$output_objdir/$outputname"'%g'`
+
+      # Delete the old output files.
+      $opt_dry_run || $RM $output $output_objdir/$outputname $output_objdir/lt-$outputname
+
+      func_show_eval "$link_command" 'exit $?'
+
+      if test -n "$postlink_cmds"; then
+	func_to_tool_file "$output_objdir/$outputname"
+	postlink_cmds=`func_echo_all "$postlink_cmds" | $SED -e 's%@OUTPUT@%'"$output_objdir/$outputname"'%g' -e 's%@TOOL_OUTPUT@%'"$func_to_tool_file_result"'%g'`
+	func_execute_cmds "$postlink_cmds" 'exit $?'
+      fi
+
+      # Now create the wrapper script.
+      func_verbose "creating $output"
+
+      # Quote the relink command for shipping.
+      if test -n "$relink_command"; then
+	# Preserve any variables that may affect compiler behavior
+	for var in $variables_saved_for_relink; do
+	  if eval test -z \"\${$var+set}\"; then
+	    relink_command="{ test -z \"\${$var+set}\" || $lt_unset $var || { $var=; export $var; }; }; $relink_command"
+	  elif eval var_value=\$$var; test -z "$var_value"; then
+	    relink_command="$var=; export $var; $relink_command"
+	  else
+	    func_quote_for_eval "$var_value"
+	    relink_command="$var=$func_quote_for_eval_result; export $var; $relink_command"
+	  fi
+	done
+	relink_command="(cd `pwd`; $relink_command)"
+	relink_command=`$ECHO "$relink_command" | $SED "$sed_quote_subst"`
+      fi
+
+      # Only actually do things if not in dry run mode.
+      $opt_dry_run || {
+	# win32 will think the script is a binary if it has
+	# a .exe suffix, so we strip it off here.
+	case $output in
+	  *.exe) func_stripname '' '.exe' "$output"
+	         output=$func_stripname_result ;;
+	esac
+	# test for cygwin because mv fails w/o .exe extensions
+	case $host in
+	  *cygwin*)
+	    exeext=.exe
+	    func_stripname '' '.exe' "$outputname"
+	    outputname=$func_stripname_result ;;
+	  *) exeext= ;;
+	esac
+	case $host in
+	  *cygwin* | *mingw* )
+	    func_dirname_and_basename "$output" "" "."
+	    output_name=$func_basename_result
+	    output_path=$func_dirname_result
+	    cwrappersource=$output_path/$objdir/lt-$output_name.c
+	    cwrapper=$output_path/$output_name.exe
+	    $RM $cwrappersource $cwrapper
+	    trap "$RM $cwrappersource $cwrapper; exit $EXIT_FAILURE" 1 2 15
+
+	    func_emit_cwrapperexe_src > $cwrappersource
+
+	    # The wrapper executable is built using the $host compiler,
+	    # because it contains $host paths and files. If cross-
+	    # compiling, it, like the target executable, must be
+	    # executed on the $host or under an emulation environment.
+	    $opt_dry_run || {
+	      $LTCC $LTCFLAGS -o $cwrapper $cwrappersource
+	      $STRIP $cwrapper
+	    }
+
+	    # Now, create the wrapper script for func_source use:
+	    func_ltwrapper_scriptname $cwrapper
+	    $RM $func_ltwrapper_scriptname_result
+	    trap "$RM $func_ltwrapper_scriptname_result; exit $EXIT_FAILURE" 1 2 15
+	    $opt_dry_run || {
+	      # note: this script will not be executed, so do not chmod.
+	      if test "x$build" = "x$host"; then
+		$cwrapper --lt-dump-script > $func_ltwrapper_scriptname_result
+	      else
+		func_emit_wrapper no > $func_ltwrapper_scriptname_result
+	      fi
+	    }
+	  ;;
+	  * )
+	    $RM $output
+	    trap "$RM $output; exit $EXIT_FAILURE" 1 2 15
+
+	    func_emit_wrapper no > $output
+	    chmod +x $output
+	  ;;
+	esac
+      }
+      exit $EXIT_SUCCESS
+      ;;
+    esac
+
+    # See if we need to build an old-fashioned archive.
+    for oldlib in $oldlibs; do
+
+      case $build_libtool_libs in
+        convenience)
+	  oldobjs="$libobjs_save $symfileobj"
+	  addlibs=$convenience
+	  build_libtool_libs=no
+	  ;;
+	module)
+	  oldobjs=$libobjs_save
+	  addlibs=$old_convenience
+	  build_libtool_libs=no
+          ;;
+	*)
+	  oldobjs="$old_deplibs $non_pic_objects"
+	  $preload && test -f "$symfileobj" \
+	    && func_append oldobjs " $symfileobj"
+	  addlibs=$old_convenience
+	  ;;
+      esac
+
+      if test -n "$addlibs"; then
+	gentop=$output_objdir/${outputname}x
+	func_append generated " $gentop"
+
+	func_extract_archives $gentop $addlibs
+	func_append oldobjs " $func_extract_archives_result"
+      fi
+
+      # Do each command in the archive commands.
+      if test -n "$old_archive_from_new_cmds" && test yes = "$build_libtool_libs"; then
+	cmds=$old_archive_from_new_cmds
+      else
+
+	# Add any objects from preloaded convenience libraries
+	if test -n "$dlprefiles"; then
+	  gentop=$output_objdir/${outputname}x
+	  func_append generated " $gentop"
+
+	  func_extract_archives $gentop $dlprefiles
+	  func_append oldobjs " $func_extract_archives_result"
+	fi
+
+	# POSIX demands no paths to be encoded in archives.  We have
+	# to avoid creating archives with duplicate basenames if we
+	# might have to extract them afterwards, e.g., when creating a
+	# static archive out of a convenience library, or when linking
+	# the entirety of a libtool archive into another (currently
+	# not supported by libtool).
+	if (for obj in $oldobjs
+	    do
+	      func_basename "$obj"
+	      $ECHO "$func_basename_result"
+	    done | sort | sort -uc >/dev/null 2>&1); then
+	  :
+	else
+	  echo "copying selected object files to avoid basename conflicts..."
+	  gentop=$output_objdir/${outputname}x
+	  func_append generated " $gentop"
+	  func_mkdir_p "$gentop"
+	  save_oldobjs=$oldobjs
+	  oldobjs=
+	  counter=1
+	  for obj in $save_oldobjs
+	  do
+	    func_basename "$obj"
+	    objbase=$func_basename_result
+	    case " $oldobjs " in
+	    " ") oldobjs=$obj ;;
+	    *[\ /]"$objbase "*)
+	      while :; do
+		# Make sure we don't pick an alternate name that also
+		# overlaps.
+		newobj=lt$counter-$objbase
+		func_arith $counter + 1
+		counter=$func_arith_result
+		case " $oldobjs " in
+		*[\ /]"$newobj "*) ;;
+		*) if test ! -f "$gentop/$newobj"; then break; fi ;;
+		esac
+	      done
+	      func_show_eval "ln $obj $gentop/$newobj || cp $obj $gentop/$newobj"
+	      func_append oldobjs " $gentop/$newobj"
+	      ;;
+	    *) func_append oldobjs " $obj" ;;
+	    esac
+	  done
+	fi
+	func_to_tool_file "$oldlib" func_convert_file_msys_to_w32
+	tool_oldlib=$func_to_tool_file_result
+	eval cmds=\"$old_archive_cmds\"
+
+	func_len " $cmds"
+	len=$func_len_result
+	if test "$len" -lt "$max_cmd_len" || test "$max_cmd_len" -le -1; then
+	  cmds=$old_archive_cmds
+	elif test -n "$archiver_list_spec"; then
+	  func_verbose "using command file archive linking..."
+	  for obj in $oldobjs
+	  do
+	    func_to_tool_file "$obj"
+	    $ECHO "$func_to_tool_file_result"
+	  done > $output_objdir/$libname.libcmd
+	  func_to_tool_file "$output_objdir/$libname.libcmd"
+	  oldobjs=" $archiver_list_spec$func_to_tool_file_result"
+	  cmds=$old_archive_cmds
+	else
+	  # the command line is too long to link in one step, link in parts
+	  func_verbose "using piecewise archive linking..."
+	  save_RANLIB=$RANLIB
+	  RANLIB=:
+	  objlist=
+	  concat_cmds=
+	  save_oldobjs=$oldobjs
+	  oldobjs=
+	  # Is there a better way of finding the last object in the list?
+	  for obj in $save_oldobjs
+	  do
+	    last_oldobj=$obj
+	  done
+	  eval test_cmds=\"$old_archive_cmds\"
+	  func_len " $test_cmds"
+	  len0=$func_len_result
+	  len=$len0
+	  for obj in $save_oldobjs
+	  do
+	    func_len " $obj"
+	    func_arith $len + $func_len_result
+	    len=$func_arith_result
+	    func_append objlist " $obj"
+	    if test "$len" -lt "$max_cmd_len"; then
+	      :
+	    else
+	      # the above command should be used before it gets too long
+	      oldobjs=$objlist
+	      if test "$obj" = "$last_oldobj"; then
+		RANLIB=$save_RANLIB
+	      fi
+	      test -z "$concat_cmds" || concat_cmds=$concat_cmds~
+	      eval concat_cmds=\"\$concat_cmds$old_archive_cmds\"
+	      objlist=
+	      len=$len0
+	    fi
+	  done
+	  RANLIB=$save_RANLIB
+	  oldobjs=$objlist
+	  if test -z "$oldobjs"; then
+	    eval cmds=\"\$concat_cmds\"
+	  else
+	    eval cmds=\"\$concat_cmds~\$old_archive_cmds\"
+	  fi
+	fi
+      fi
+      func_execute_cmds "$cmds" 'exit $?'
+    done
+
+    test -n "$generated" && \
+      func_show_eval "${RM}r$generated"
+
+    # Now create the libtool archive.
+    case $output in
+    *.la)
+      old_library=
+      test yes = "$build_old_libs" && old_library=$libname.$libext
+      func_verbose "creating $output"
+
+      # Preserve any variables that may affect compiler behavior
+      for var in $variables_saved_for_relink; do
+	if eval test -z \"\${$var+set}\"; then
+	  relink_command="{ test -z \"\${$var+set}\" || $lt_unset $var || { $var=; export $var; }; }; $relink_command"
+	elif eval var_value=\$$var; test -z "$var_value"; then
+	  relink_command="$var=; export $var; $relink_command"
+	else
+	  func_quote_for_eval "$var_value"
+	  relink_command="$var=$func_quote_for_eval_result; export $var; $relink_command"
+	fi
+      done
+      # Quote the link command for shipping.
+      relink_command="(cd `pwd`; $SHELL \"$progpath\" $preserve_args --mode=relink $libtool_args @inst_prefix_dir@)"
+      relink_command=`$ECHO "$relink_command" | $SED "$sed_quote_subst"`
+      if test yes = "$hardcode_automatic"; then
+	relink_command=
+      fi
+
+      # Only create the output if not a dry run.
+      $opt_dry_run || {
+	for installed in no yes; do
+	  if test yes = "$installed"; then
+	    if test -z "$install_libdir"; then
+	      break
+	    fi
+	    output=$output_objdir/${outputname}i
+	    # Replace all uninstalled libtool libraries with the installed ones
+	    newdependency_libs=
+	    for deplib in $dependency_libs; do
+	      case $deplib in
+	      *.la)
+		func_basename "$deplib"
+		name=$func_basename_result
+		func_resolve_sysroot "$deplib"
+		eval libdir=`$SED -n -e 's/^libdir=\(.*\)$/\1/p' $func_resolve_sysroot_result`
+		test -z "$libdir" && \
+		  func_fatal_error "'$deplib' is not a valid libtool archive"
+		func_append newdependency_libs " ${lt_sysroot:+=}$libdir/$name"
+		;;
+	      -L*)
+		func_stripname -L '' "$deplib"
+		func_replace_sysroot "$func_stripname_result"
+		func_append newdependency_libs " -L$func_replace_sysroot_result"
+		;;
+	      -R*)
+		func_stripname -R '' "$deplib"
+		func_replace_sysroot "$func_stripname_result"
+		func_append newdependency_libs " -R$func_replace_sysroot_result"
+		;;
+	      *) func_append newdependency_libs " $deplib" ;;
+	      esac
+	    done
+	    dependency_libs=$newdependency_libs
+	    newdlfiles=
+
+	    for lib in $dlfiles; do
+	      case $lib in
+	      *.la)
+	        func_basename "$lib"
+		name=$func_basename_result
+		eval libdir=`$SED -n -e 's/^libdir=\(.*\)$/\1/p' $lib`
+		test -z "$libdir" && \
+		  func_fatal_error "'$lib' is not a valid libtool archive"
+		func_append newdlfiles " ${lt_sysroot:+=}$libdir/$name"
+		;;
+	      *) func_append newdlfiles " $lib" ;;
+	      esac
+	    done
+	    dlfiles=$newdlfiles
+	    newdlprefiles=
+	    for lib in $dlprefiles; do
+	      case $lib in
+	      *.la)
+		# Only pass preopened files to the pseudo-archive (for
+		# eventual linking with the app. that links it) if we
+		# didn't already link the preopened objects directly into
+		# the library:
+		func_basename "$lib"
+		name=$func_basename_result
+		eval libdir=`$SED -n -e 's/^libdir=\(.*\)$/\1/p' $lib`
+		test -z "$libdir" && \
+		  func_fatal_error "'$lib' is not a valid libtool archive"
+		func_append newdlprefiles " ${lt_sysroot:+=}$libdir/$name"
+		;;
+	      esac
+	    done
+	    dlprefiles=$newdlprefiles
+	  else
+	    newdlfiles=
+	    for lib in $dlfiles; do
+	      case $lib in
+		[\\/]* | [A-Za-z]:[\\/]*) abs=$lib ;;
+		*) abs=`pwd`"/$lib" ;;
+	      esac
+	      func_append newdlfiles " $abs"
+	    done
+	    dlfiles=$newdlfiles
+	    newdlprefiles=
+	    for lib in $dlprefiles; do
+	      case $lib in
+		[\\/]* | [A-Za-z]:[\\/]*) abs=$lib ;;
+		*) abs=`pwd`"/$lib" ;;
+	      esac
+	      func_append newdlprefiles " $abs"
+	    done
+	    dlprefiles=$newdlprefiles
+	  fi
+	  $RM $output
+	  # place dlname in correct position for cygwin
+	  # In fact, it would be nice if we could use this code for all target
+	  # systems that can't hard-code library paths into their executables
+	  # and that have no shared library path variable independent of PATH,
+	  # but it turns out we can't easily determine that from inspecting
+	  # libtool variables, so we have to hard-code the OSs to which it
+	  # applies here; at the moment, that means platforms that use the PE
+	  # object format with DLL files.  See the long comment at the top of
+	  # tests/bindir.at for full details.
+	  tdlname=$dlname
+	  case $host,$output,$installed,$module,$dlname in
+	    *cygwin*,*lai,yes,no,*.dll | *mingw*,*lai,yes,no,*.dll | *cegcc*,*lai,yes,no,*.dll)
+	      # If a -bindir argument was supplied, place the dll there.
+	      if test -n "$bindir"; then
+		func_relative_path "$install_libdir" "$bindir"
+		tdlname=$func_relative_path_result/$dlname
+	      else
+		# Otherwise fall back on heuristic.
+		tdlname=../bin/$dlname
+	      fi
+	      ;;
+	  esac
+	  $ECHO > $output "\
+# $outputname - a libtool library file
+# Generated by $PROGRAM (GNU $PACKAGE) $VERSION
+#
+# Please DO NOT delete this file!
+# It is necessary for linking the library.
+
+# The name that we can dlopen(3).
+dlname='$tdlname'
+
+# Names of this library.
+library_names='$library_names'
+
+# The name of the static archive.
+old_library='$old_library'
+
+# Linker flags that cannot go in dependency_libs.
+inherited_linker_flags='$new_inherited_linker_flags'
+
+# Libraries that this one depends upon.
+dependency_libs='$dependency_libs'
+
+# Names of additional weak libraries provided by this library
+weak_library_names='$weak_libs'
+
+# Version information for $libname.
+current=$current
+age=$age
+revision=$revision
+
+# Is this an already installed library?
+installed=$installed
+
+# Should we warn about portability when linking against -modules?
+shouldnotlink=$module
+
+# Files to dlopen/dlpreopen
+dlopen='$dlfiles'
+dlpreopen='$dlprefiles'
+
+# Directory that this library needs to be installed in:
+libdir='$install_libdir'"
+	  if test no,yes = "$installed,$need_relink"; then
+	    $ECHO >> $output "\
+relink_command=\"$relink_command\""
+	  fi
+	done
+      }
+
+      # Do a symbolic link so that the libtool archive can be found in
+      # LD_LIBRARY_PATH before the program is installed.
+      func_show_eval '( cd "$output_objdir" && $RM "$outputname" && $LN_S "../$outputname" "$outputname" )' 'exit $?'
+      ;;
+    esac
+    exit $EXIT_SUCCESS
+}
+
+if test link = "$opt_mode" || test relink = "$opt_mode"; then
+  func_mode_link ${1+"$@"}
+fi
+
+
+# func_mode_uninstall arg...
+func_mode_uninstall ()
+{
+    $debug_cmd
+
+    RM=$nonopt
+    files=
+    rmforce=false
+    exit_status=0
+
+    # This variable tells wrapper scripts just to set variables rather
+    # than running their programs.
+    libtool_install_magic=$magic
+
+    for arg
+    do
+      case $arg in
+      -f) func_append RM " $arg"; rmforce=: ;;
+      -*) func_append RM " $arg" ;;
+      *) func_append files " $arg" ;;
+      esac
+    done
+
+    test -z "$RM" && \
+      func_fatal_help "you must specify an RM program"
+
+    rmdirs=
+
+    for file in $files; do
+      func_dirname "$file" "" "."
+      dir=$func_dirname_result
+      if test . = "$dir"; then
+	odir=$objdir
+      else
+	odir=$dir/$objdir
+      fi
+      func_basename "$file"
+      name=$func_basename_result
+      test uninstall = "$opt_mode" && odir=$dir
+
+      # Remember odir for removal later, being careful to avoid duplicates
+      if test clean = "$opt_mode"; then
+	case " $rmdirs " in
+	  *" $odir "*) ;;
+	  *) func_append rmdirs " $odir" ;;
+	esac
+      fi
+
+      # Don't error if the file doesn't exist and rm -f was used.
+      if { test -L "$file"; } >/dev/null 2>&1 ||
+	 { test -h "$file"; } >/dev/null 2>&1 ||
+	 test -f "$file"; then
+	:
+      elif test -d "$file"; then
+	exit_status=1
+	continue
+      elif $rmforce; then
+	continue
+      fi
+
+      rmfiles=$file
+
+      case $name in
+      *.la)
+	# Possibly a libtool archive, so verify it.
+	if func_lalib_p "$file"; then
+	  func_source $dir/$name
+
+	  # Delete the libtool libraries and symlinks.
+	  for n in $library_names; do
+	    func_append rmfiles " $odir/$n"
+	  done
+	  test -n "$old_library" && func_append rmfiles " $odir/$old_library"
+
+	  case $opt_mode in
+	  clean)
+	    case " $library_names " in
+	    *" $dlname "*) ;;
+	    *) test -n "$dlname" && func_append rmfiles " $odir/$dlname" ;;
+	    esac
+	    test -n "$libdir" && func_append rmfiles " $odir/$name $odir/${name}i"
+	    ;;
+	  uninstall)
+	    if test -n "$library_names"; then
+	      # Do each command in the postuninstall commands.
+	      func_execute_cmds "$postuninstall_cmds" '$rmforce || exit_status=1'
+	    fi
+
+	    if test -n "$old_library"; then
+	      # Do each command in the old_postuninstall commands.
+	      func_execute_cmds "$old_postuninstall_cmds" '$rmforce || exit_status=1'
+	    fi
+	    # FIXME: should reinstall the best remaining shared library.
+	    ;;
+	  esac
+	fi
+	;;
+
+      *.lo)
+	# Possibly a libtool object, so verify it.
+	if func_lalib_p "$file"; then
+
+	  # Read the .lo file
+	  func_source $dir/$name
+
+	  # Add PIC object to the list of files to remove.
+	  if test -n "$pic_object" && test none != "$pic_object"; then
+	    func_append rmfiles " $dir/$pic_object"
+	  fi
+
+	  # Add non-PIC object to the list of files to remove.
+	  if test -n "$non_pic_object" && test none != "$non_pic_object"; then
+	    func_append rmfiles " $dir/$non_pic_object"
+	  fi
+	fi
+	;;
+
+      *)
+	if test clean = "$opt_mode"; then
+	  noexename=$name
+	  case $file in
+	  *.exe)
+	    func_stripname '' '.exe' "$file"
+	    file=$func_stripname_result
+	    func_stripname '' '.exe' "$name"
+	    noexename=$func_stripname_result
+	    # $file with .exe has already been added to rmfiles,
+	    # add $file without .exe
+	    func_append rmfiles " $file"
+	    ;;
+	  esac
+	  # Do a test to see if this is a libtool program.
+	  if func_ltwrapper_p "$file"; then
+	    if func_ltwrapper_executable_p "$file"; then
+	      func_ltwrapper_scriptname "$file"
+	      relink_command=
+	      func_source $func_ltwrapper_scriptname_result
+	      func_append rmfiles " $func_ltwrapper_scriptname_result"
+	    else
+	      relink_command=
+	      func_source $dir/$noexename
+	    fi
+
+	    # note $name still contains .exe if it was in $file originally
+	    # as does the version of $file that was added into $rmfiles
+	    func_append rmfiles " $odir/$name $odir/${name}S.$objext"
+	    if test yes = "$fast_install" && test -n "$relink_command"; then
+	      func_append rmfiles " $odir/lt-$name"
+	    fi
+	    if test "X$noexename" != "X$name"; then
+	      func_append rmfiles " $odir/lt-$noexename.c"
+	    fi
+	  fi
+	fi
+	;;
+      esac
+      func_show_eval "$RM $rmfiles" 'exit_status=1'
+    done
+
+    # Try to remove the $objdir's in the directories where we deleted files
+    for dir in $rmdirs; do
+      if test -d "$dir"; then
+	func_show_eval "rmdir $dir >/dev/null 2>&1"
+      fi
+    done
+
+    exit $exit_status
+}
+
+if test uninstall = "$opt_mode" || test clean = "$opt_mode"; then
+  func_mode_uninstall ${1+"$@"}
+fi
+
+test -z "$opt_mode" && {
+  help=$generic_help
+  func_fatal_help "you must specify a MODE"
+}
+
+test -z "$exec_cmd" && \
+  func_fatal_help "invalid operation mode '$opt_mode'"
+
+if test -n "$exec_cmd"; then
+  eval exec "$exec_cmd"
+  exit $EXIT_FAILURE
+fi
+
+exit $exit_status
+
+
+# The TAGs below are defined such that we never get into a situation
+# where we disable both kinds of libraries.  Given conflicting
+# choices, we go for a static library, that is the most portable,
+# since we can't tell whether shared libraries were disabled because
+# the user asked for that or because the platform doesn't support
+# them.  This is particularly important on AIX, because we don't
+# support having both static and shared libraries enabled at the same
+# time on that platform, so we default to a shared-only configuration.
+# If a disable-shared tag is given, we'll fallback to a static-only
+# configuration.  But we'll never go from static-only to shared-only.
+
+# ### BEGIN LIBTOOL TAG CONFIG: disable-shared
+build_libtool_libs=no
+build_old_libs=yes
+# ### END LIBTOOL TAG CONFIG: disable-shared
+
+# ### BEGIN LIBTOOL TAG CONFIG: disable-static
+build_old_libs=`case $build_libtool_libs in yes) echo no;; *) echo yes;; esac`
+# ### END LIBTOOL TAG CONFIG: disable-static
+
+# Local Variables:
+# mode:shell-script
+# sh-indentation:2
+# End:
diff --git a/m4/ax_check_compile_flag.m4 b/m4/ax_check_compile_flag.m4
new file mode 100644
index 0000000..cf3d9f4
--- /dev/null
+++ b/m4/ax_check_compile_flag.m4
@@ -0,0 +1,55 @@
+# SPDX-License-Identifier: FSFAP
+#
+# ===========================================================================
+#  https://www.gnu.org/software/autoconf-archive/ax_check_compile_flag.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+#   AX_CHECK_COMPILE_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS], [INPUT])
+#
+# DESCRIPTION
+#
+#   Check whether the given FLAG works with the current language's compiler
+#   or gives an error.  (Warnings, however, are ignored)
+#
+#   ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on
+#   success/failure.
+#
+#   If EXTRA-FLAGS is defined, it is added to the current language's default
+#   flags (e.g. CFLAGS) when the check is done.  The check is thus made with
+#   the flags: "CFLAGS EXTRA-FLAGS FLAG".  This can for example be used to
+#   force the compiler to issue an error when a bad flag is given.
+#
+#   INPUT gives an alternative input source to AC_COMPILE_IFELSE.
+#
+#   NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. Please keep this
+#   macro in sync with AX_CHECK_{PREPROC,LINK}_FLAG.
+#
+# LICENSE
+#
+#   Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de>
+#   Copyright (c) 2011 Maarten Bosmans <mkbosmans@gmail.com>
+#
+#   Copying and distribution of this file, with or without modification, are
+#   permitted in any medium without royalty provided the copyright notice
+#   and this notice are preserved.  This file is offered as-is, without any
+#   warranty.
+
+#serial 6
+
+AC_DEFUN([AX_CHECK_COMPILE_FLAG],
+[AC_PREREQ(2.64)dnl for _AC_LANG_PREFIX and AS_VAR_IF
+AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_[]_AC_LANG_ABBREV[]flags_$4_$1])dnl
+AC_CACHE_CHECK([whether _AC_LANG compiler accepts $1], CACHEVAR, [
+  ax_check_save_flags=$[]_AC_LANG_PREFIX[]FLAGS
+  _AC_LANG_PREFIX[]FLAGS="$[]_AC_LANG_PREFIX[]FLAGS $4 $1"
+  AC_COMPILE_IFELSE([m4_default([$5],[AC_LANG_PROGRAM()])],
+    [AS_VAR_SET(CACHEVAR,[yes])],
+    [AS_VAR_SET(CACHEVAR,[no])])
+  _AC_LANG_PREFIX[]FLAGS=$ax_check_save_flags])
+AS_VAR_IF(CACHEVAR,yes,
+  [m4_default([$2], :)],
+  [m4_default([$3], :)])
+AS_VAR_POPDEF([CACHEVAR])dnl
+])dnl AX_CHECK_COMPILE_FLAGS
diff --git a/m4/ax_check_link_flag.m4 b/m4/ax_check_link_flag.m4
new file mode 100644
index 0000000..6a0c465
--- /dev/null
+++ b/m4/ax_check_link_flag.m4
@@ -0,0 +1,55 @@
+# SPDX-License-Identifier: FSFAP
+#
+# ===========================================================================
+#    https://www.gnu.org/software/autoconf-archive/ax_check_link_flag.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+#   AX_CHECK_LINK_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS], [INPUT])
+#
+# DESCRIPTION
+#
+#   Check whether the given FLAG works with the linker or gives an error.
+#   (Warnings, however, are ignored)
+#
+#   ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on
+#   success/failure.
+#
+#   If EXTRA-FLAGS is defined, it is added to the linker's default flags
+#   when the check is done.  The check is thus made with the flags: "LDFLAGS
+#   EXTRA-FLAGS FLAG".  This can for example be used to force the linker to
+#   issue an error when a bad flag is given.
+#
+#   INPUT gives an alternative input source to AC_LINK_IFELSE.
+#
+#   NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. Please keep this
+#   macro in sync with AX_CHECK_{PREPROC,COMPILE}_FLAG.
+#
+# LICENSE
+#
+#   Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de>
+#   Copyright (c) 2011 Maarten Bosmans <mkbosmans@gmail.com>
+#
+#   Copying and distribution of this file, with or without modification, are
+#   permitted in any medium without royalty provided the copyright notice
+#   and this notice are preserved.  This file is offered as-is, without any
+#   warranty.
+
+#serial 6
+
+AC_DEFUN([AX_CHECK_LINK_FLAG],
+[AC_PREREQ(2.64)dnl for _AC_LANG_PREFIX and AS_VAR_IF
+AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_ldflags_$4_$1])dnl
+AC_CACHE_CHECK([whether the linker accepts $1], CACHEVAR, [
+  ax_check_save_flags=$LDFLAGS
+  LDFLAGS="$LDFLAGS $4 $1"
+  AC_LINK_IFELSE([m4_default([$5],[AC_LANG_PROGRAM()])],
+    [AS_VAR_SET(CACHEVAR,[yes])],
+    [AS_VAR_SET(CACHEVAR,[no])])
+  LDFLAGS=$ax_check_save_flags])
+AS_VAR_IF(CACHEVAR,yes,
+  [m4_default([$2], :)],
+  [m4_default([$3], :)])
+AS_VAR_POPDEF([CACHEVAR])dnl
+])dnl AX_CHECK_LINK_FLAGS
diff --git a/m4/ax_check_openssl.m4 b/m4/ax_check_openssl.m4
new file mode 100644
index 0000000..af88f10
--- /dev/null
+++ b/m4/ax_check_openssl.m4
@@ -0,0 +1,117 @@
+# SPDX-License-Identifier: FSFAP
+#
+# ===========================================================================
+#     https://www.gnu.org/software/autoconf-archive/ax_check_openssl.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+#   AX_CHECK_OPENSSL([action-if-found[, action-if-not-found]])
+#
+# DESCRIPTION
+#
+#   Look for OpenSSL in a number of default spots, or in a user-selected
+#   spot (via --with-openssl).  Sets
+#
+#     OPENSSL_CFLAGS to the include directives required
+#     OPENSSL_LIBS to the -l directives required
+#
+#   and calls ACTION-IF-FOUND or ACTION-IF-NOT-FOUND appropriately
+#
+#   This macro sets OPENSSL_CFLAGS such that source files should use the
+#   openssl/ directory in include directives:
+#
+#     #include <openssl/hmac.h>
+#
+# LICENSE
+#
+#   Copyright (c) 2009,2010 Zmanda Inc. <http://www.zmanda.com/>
+#   Copyright (c) 2009,2010 Dustin J. Mitchell <dustin@zmanda.com>
+#
+#   Copying and distribution of this file, with or without modification, are
+#   permitted in any medium without royalty provided the copyright notice
+#   and this notice are preserved. This file is offered as-is, without any
+#   warranty.
+
+#serial 10
+
+AU_ALIAS([CHECK_SSL], [AX_CHECK_OPENSSL])
+AC_DEFUN([AX_CHECK_OPENSSL], [
+    found=false
+    default_ssldirs="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/local/opt/openssl /usr/local/opt/libressl /usr"
+    AC_ARG_WITH([openssl],
+        [AS_HELP_STRING([--with-openssl=DIR],
+            [root of the OpenSSL directory])],
+        [
+	    AS_CASE([$with_openssl],
+	        [""|y|ye|yes],[ssldirs="$default_ssldirs"],
+	    	[n|no],[AC_MSG_ERROR([Invalid --with-openssl value])],
+            	[*],[ssldirs="$withval"],
+	    	[ssldirs="$default_ssldirs"]
+	    )
+        ], [
+            # if pkg-config is installed and openssl has installed a .pc file,
+            # then use that information and don't search ssldirs
+	    PKG_CHECK_MODULES([OPENSSL], [crypto],
+ 	        [found=true],
+	    	[ssldirs="$default_ssldirs"])
+	
+        ]
+    )
+
+
+    # note that we #include <openssl/foo.h>, so the OpenSSL headers have to be in
+    # an 'openssl' subdirectory
+
+    AS_IF([! $found],[
+        OPENSSL_CFLAGS=
+        for ssldir in $ssldirs; do
+            AC_MSG_CHECKING([for openssl/ssl.h in $ssldir])
+	    AS_IF([test -f "$ssldir/include/openssl/ssl.h"],
+	        [
+		    OPENSSL_CFLAGS="-I$ssldir/include"
+                    OPENSSL_LIBS="-L$ssldir/lib -lssl -lcrypto"
+                    found=true
+                    AC_MSG_RESULT([yes])
+                    break
+		],
+		[
+		    AC_MSG_RESULT([no])
+		])
+        done
+
+        # if the file wasn't found, well, go ahead and try the link anyway -- maybe
+        # it will just work!
+    ])
+
+    # try the preprocessor and linker with our new flags,
+    # being careful not to pollute the global LIBS, LDFLAGS, and CPPFLAGS
+
+    AC_MSG_CHECKING([whether compiling and linking against OpenSSL works])
+    # AC_MSG_NOTICE([Trying link with OPENSSL_LIBS=$OPENSSL_LIBS; OPENSSL_CFLAGS=$OPENSSL_CFLAGS])
+
+    save_LIBS="$LIBS"
+    save_CPPFLAGS="$CPPFLAGS"
+    LIBS="$OPENSSL_LIBS $LIBS"
+    CPPFLAGS="$OPENSSL_CFLAGS $CPPFLAGS"
+    AC_LINK_IFELSE(
+        [AC_LANG_PROGRAM(
+            [
+                #include <openssl/crypto.h>
+            ],
+            [
+	        OPENSSL_free(NULL);
+	    ])],
+        [
+            AC_MSG_RESULT([yes])
+            $1
+        ], [
+            AC_MSG_RESULT([no])
+            $2
+        ])
+    CPPFLAGS="$save_CPPFLAGS"
+    LIBS="$save_LIBS"
+
+    AC_SUBST([OPENSSL_CFLAGS])
+    AC_SUBST([OPENSSL_LIBS])
+])
diff --git a/m4/ax_check_preproc_flag.m4 b/m4/ax_check_preproc_flag.m4
new file mode 100644
index 0000000..ee0ccb6
--- /dev/null
+++ b/m4/ax_check_preproc_flag.m4
@@ -0,0 +1,55 @@
+# SPDX-License-Identifier: FSFAP
+#
+# ===========================================================================
+#  https://www.gnu.org/software/autoconf-archive/ax_check_preproc_flag.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+#   AX_CHECK_PREPROC_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS], [INPUT])
+#
+# DESCRIPTION
+#
+#   Check whether the given FLAG works with the current language's
+#   preprocessor or gives an error.  (Warnings, however, are ignored)
+#
+#   ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on
+#   success/failure.
+#
+#   If EXTRA-FLAGS is defined, it is added to the preprocessor's default
+#   flags when the check is done.  The check is thus made with the flags:
+#   "CPPFLAGS EXTRA-FLAGS FLAG".  This can for example be used to force the
+#   preprocessor to issue an error when a bad flag is given.
+#
+#   INPUT gives an alternative input source to AC_PREPROC_IFELSE.
+#
+#   NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. Please keep this
+#   macro in sync with AX_CHECK_{COMPILE,LINK}_FLAG.
+#
+# LICENSE
+#
+#   Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de>
+#   Copyright (c) 2011 Maarten Bosmans <mkbosmans@gmail.com>
+#
+#   Copying and distribution of this file, with or without modification, are
+#   permitted in any medium without royalty provided the copyright notice
+#   and this notice are preserved.  This file is offered as-is, without any
+#   warranty.
+
+#serial 6
+
+AC_DEFUN([AX_CHECK_PREPROC_FLAG],
+[AC_PREREQ(2.64)dnl for _AC_LANG_PREFIX and AS_VAR_IF
+AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_[]_AC_LANG_ABBREV[]cppflags_$4_$1])dnl
+AC_CACHE_CHECK([whether _AC_LANG preprocessor accepts $1], CACHEVAR, [
+  ax_check_save_flags=$CPPFLAGS
+  CPPFLAGS="$CPPFLAGS $4 $1"
+  AC_PREPROC_IFELSE([m4_default([$5],[AC_LANG_PROGRAM()])],
+    [AS_VAR_SET(CACHEVAR,[yes])],
+    [AS_VAR_SET(CACHEVAR,[no])])
+  CPPFLAGS=$ax_check_save_flags])
+AS_VAR_IF(CACHEVAR,yes,
+  [m4_default([$2], :)],
+  [m4_default([$3], :)])
+AS_VAR_POPDEF([CACHEVAR])dnl
+])dnl AX_CHECK_PREPROC_FLAGS
diff --git a/m4/ax_gcc_func_attribute.m4 b/m4/ax_gcc_func_attribute.m4
new file mode 100644
index 0000000..f2af85b
--- /dev/null
+++ b/m4/ax_gcc_func_attribute.m4
@@ -0,0 +1,244 @@
+# SPDX-License-Identifier: FSFAP
+#
+# ===========================================================================
+#  https://www.gnu.org/software/autoconf-archive/ax_gcc_func_attribute.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+#   AX_GCC_FUNC_ATTRIBUTE(ATTRIBUTE)
+#
+# DESCRIPTION
+#
+#   This macro checks if the compiler supports one of GCC's function
+#   attributes; many other compilers also provide function attributes with
+#   the same syntax. Compiler warnings are used to detect supported
+#   attributes as unsupported ones are ignored by default so quieting
+#   warnings when using this macro will yield false positives.
+#
+#   The ATTRIBUTE parameter holds the name of the attribute to be checked.
+#
+#   If ATTRIBUTE is supported define HAVE_FUNC_ATTRIBUTE_<ATTRIBUTE>.
+#
+#   The macro caches its result in the ax_cv_have_func_attribute_<attribute>
+#   variable.
+#
+#   The macro currently supports the following function attributes:
+#
+#    alias
+#    aligned
+#    alloc_size
+#    always_inline
+#    artificial
+#    cold
+#    const
+#    constructor
+#    constructor_priority for constructor attribute with priority
+#    deprecated
+#    destructor
+#    dllexport
+#    dllimport
+#    error
+#    externally_visible
+#    fallthrough
+#    flatten
+#    format
+#    format_arg
+#    gnu_format
+#    gnu_inline
+#    hot
+#    ifunc
+#    leaf
+#    malloc
+#    noclone
+#    noinline
+#    nonnull
+#    noreturn
+#    nothrow
+#    optimize
+#    pure
+#    sentinel
+#    sentinel_position
+#    unused
+#    used
+#    visibility
+#    warning
+#    warn_unused_result
+#    weak
+#    weakref
+#
+#   Unsupported function attributes will be tested with a prototype
+#   returning an int and not accepting any arguments and the result of the
+#   check might be wrong or meaningless so use with care.
+#
+# LICENSE
+#
+#   Copyright (c) 2013 Gabriele Svelto <gabriele.svelto@gmail.com>
+#
+#   Copying and distribution of this file, with or without modification, are
+#   permitted in any medium without royalty provided the copyright notice
+#   and this notice are preserved.  This file is offered as-is, without any
+#   warranty.
+
+#serial 10
+
+AC_DEFUN([AX_GCC_FUNC_ATTRIBUTE], [
+    AS_VAR_PUSHDEF([ac_var], [ax_cv_have_func_attribute_$1])
+
+    AC_CACHE_CHECK([for __attribute__(($1))], [ac_var], [
+        AC_LINK_IFELSE([AC_LANG_PROGRAM([
+            m4_case([$1],
+                [alias], [
+                    int foo( void ) { return 0; }
+                    int bar( void ) __attribute__(($1("foo")));
+                ],
+                [aligned], [
+                    int foo( void ) __attribute__(($1(32)));
+                ],
+                [alloc_size], [
+                    void *foo(int a) __attribute__(($1(1)));
+                ],
+                [always_inline], [
+                    inline __attribute__(($1)) int foo( void ) { return 0; }
+                ],
+                [artificial], [
+                    inline __attribute__(($1)) int foo( void ) { return 0; }
+                ],
+                [cold], [
+                    int foo( void ) __attribute__(($1));
+                ],
+                [const], [
+                    int foo( void ) __attribute__(($1));
+                ],
+                [constructor_priority], [
+                    int foo( void ) __attribute__((__constructor__(65535/2)));
+                ],
+                [constructor], [
+                    int foo( void ) __attribute__(($1));
+                ],
+                [deprecated], [
+                    int foo( void ) __attribute__(($1("")));
+                ],
+                [destructor], [
+                    int foo( void ) __attribute__(($1));
+                ],
+                [dllexport], [
+                    __attribute__(($1)) int foo( void ) { return 0; }
+                ],
+                [dllimport], [
+                    int foo( void ) __attribute__(($1));
+                ],
+                [error], [
+                    int foo( void ) __attribute__(($1("")));
+                ],
+                [externally_visible], [
+                    int foo( void ) __attribute__(($1));
+                ],
+                [fallthrough], [
+                    int foo( void ) {switch (0) { case 1: __attribute__(($1)); case 2: break ; }};
+                ],
+                [flatten], [
+                    int foo( void ) __attribute__(($1));
+                ],
+                [format], [
+                    int foo(const char *p, ...) __attribute__(($1(printf, 1, 2)));
+                ],
+                [gnu_format], [
+                    int foo(const char *p, ...) __attribute__((format(gnu_printf, 1, 2)));
+                ],
+                [format_arg], [
+                    char *foo(const char *p) __attribute__(($1(1)));
+                ],
+                [gnu_inline], [
+                    inline __attribute__(($1)) int foo( void ) { return 0; }
+                ],
+                [hot], [
+                    int foo( void ) __attribute__(($1));
+                ],
+                [ifunc], [
+                    int my_foo( void ) { return 0; }
+                    static int (*resolve_foo(void))(void) { return my_foo; }
+                    int foo( void ) __attribute__(($1("resolve_foo")));
+                ],
+                [leaf], [
+                    __attribute__(($1)) int foo( void ) { return 0; }
+                ],
+                [malloc], [
+                    void *foo( void ) __attribute__(($1));
+                ],
+                [noclone], [
+                    int foo( void ) __attribute__(($1));
+                ],
+                [noinline], [
+                    __attribute__(($1)) int foo( void ) { return 0; }
+                ],
+                [nonnull], [
+                    int foo(char *p) __attribute__(($1(1)));
+                ],
+                [noreturn], [
+                    void foo( void ) __attribute__(($1));
+                ],
+                [nothrow], [
+                    int foo( void ) __attribute__(($1));
+                ],
+                [optimize], [
+                    __attribute__(($1(3))) int foo( void ) { return 0; }
+                ],
+                [pure], [
+                    int foo( void ) __attribute__(($1));
+                ],
+                [sentinel], [
+                    int foo(void *p, ...) __attribute__(($1));
+                ],
+                [sentinel_position], [
+                    int foo(void *p, ...) __attribute__(($1(1)));
+                ],
+                [returns_nonnull], [
+                    void *foo( void ) __attribute__(($1));
+                ],
+                [unused], [
+                    int foo( void ) __attribute__(($1));
+                ],
+                [used], [
+                    int foo( void ) __attribute__(($1));
+                ],
+                [visibility], [
+                    int foo_def( void ) __attribute__(($1("default")));
+                    int foo_hid( void ) __attribute__(($1("hidden")));
+                    int foo_int( void ) __attribute__(($1("internal")));
+                    int foo_pro( void ) __attribute__(($1("protected")));
+                ],
+                [warning], [
+                    int foo( void ) __attribute__(($1("")));
+                ],
+                [warn_unused_result], [
+                    int foo( void ) __attribute__(($1));
+                ],
+                [weak], [
+                    int foo( void ) __attribute__(($1));
+                ],
+                [weakref], [
+                    static int foo( void ) { return 0; }
+                    static int bar( void ) __attribute__(($1("foo")));
+                ],
+                [
+                 m4_warn([syntax], [Unsupported attribute $1, the test may fail])
+                 int foo( void ) __attribute__(($1));
+                ]
+            )], [])
+            ],
+            dnl GCC doesn't exit with an error if an unknown attribute is
+            dnl provided but only outputs a warning, so accept the attribute
+            dnl only if no warning were issued.
+            [AS_IF([test -s conftest.err],
+                [AS_VAR_SET([ac_var], [no])],
+                [AS_VAR_SET([ac_var], [yes])])],
+            [AS_VAR_SET([ac_var], [no])])
+    ])
+
+    AS_IF([test yes = AS_VAR_GET([ac_var])],
+        [AC_DEFINE_UNQUOTED(AS_TR_CPP(HAVE_FUNC_ATTRIBUTE_$1), 1,
+            [Define to 1 if the system has the `$1' function attribute])], [])
+
+    AS_VAR_POPDEF([ac_var])
+])
diff --git a/m4/ax_posix_shell.m4 b/m4/ax_posix_shell.m4
new file mode 100644
index 0000000..2755fae
--- /dev/null
+++ b/m4/ax_posix_shell.m4
@@ -0,0 +1,39 @@
+# SPDX-License-Identifier: FSFAP
+#
+# AX_POSIX_SHELL
+# -------------
+# Check for a POSIX-compatible shell.
+#
+# LICENSE
+#
+#   Copyright (c) 2021 Internet Systems Consortium
+#
+#   Copying and distribution of this file, with or without modification, are
+#   permitted in any medium without royalty provided the copyright notice
+#   and this notice are preserved. This file is offered as-is, without any
+#   warranty.
+
+AC_DEFUN([AX_POSIX_SHELL],
+	 [AC_CACHE_CHECK([for a POSIX-compatible shell], [ac_cv_prog_shell],
+			 [ac_test_shell_script='
+			  test "$(expr 1 + 1)" = "2" &&
+			  test "$(( 1 + 1 ))" = "2"
+			  '
+
+			  for ac_cv_prog_shell in \
+			    "$CONFIG_SHELL" "$SHELL" /bin/sh /bin/bash /bin/ksh /bin/sh5 no; do
+			    AS_CASE([$ac_cv_prog_shell],
+				    [/*],[
+				      AS_IF(["$ac_cv_prog_shell" -c "$ac_test_shell_script" 2>/dev/null],
+					    [break])
+				    ])
+			  done
+			 ])
+	  AS_IF([test "$ac_cv_prog_shell" = "no"],
+		[SHELL=/bin/sh
+		 AC_MSG_WARN([using $SHELL, even though it does not conform to POSIX])
+		],
+		[SHELL="$ac_cv_prog_shell"
+		])
+	  AC_SUBST([SHELL])
+	 ])
diff --git a/m4/ax_pthread.m4 b/m4/ax_pthread.m4
new file mode 100644
index 0000000..a5c90bc
--- /dev/null
+++ b/m4/ax_pthread.m4
@@ -0,0 +1,487 @@
+# SPDX-License-Identifier: GPL-3.0-or-later WITH Autoconf-exception-3.0
+#
+# ===========================================================================
+#        https://www.gnu.org/software/autoconf-archive/ax_pthread.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+#   AX_PTHREAD([ACTION-IF-FOUND[, ACTION-IF-NOT-FOUND]])
+#
+# DESCRIPTION
+#
+#   This macro figures out how to build C programs using POSIX threads. It
+#   sets the PTHREAD_LIBS output variable to the threads library and linker
+#   flags, and the PTHREAD_CFLAGS output variable to any special C compiler
+#   flags that are needed. (The user can also force certain compiler
+#   flags/libs to be tested by setting these environment variables.)
+#
+#   Also sets PTHREAD_CC to any special C compiler that is needed for
+#   multi-threaded programs (defaults to the value of CC otherwise). (This
+#   is necessary on AIX to use the special cc_r compiler alias.)
+#
+#   NOTE: You are assumed to not only compile your program with these flags,
+#   but also to link with them as well. For example, you might link with
+#   $PTHREAD_CC $CFLAGS $PTHREAD_CFLAGS $LDFLAGS ... $PTHREAD_LIBS $LIBS
+#
+#   If you are only building threaded programs, you may wish to use these
+#   variables in your default LIBS, CFLAGS, and CC:
+#
+#     LIBS="$PTHREAD_LIBS $LIBS"
+#     CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
+#     CC="$PTHREAD_CC"
+#
+#   In addition, if the PTHREAD_CREATE_JOINABLE thread-attribute constant
+#   has a nonstandard name, this macro defines PTHREAD_CREATE_JOINABLE to
+#   that name (e.g. PTHREAD_CREATE_UNDETACHED on AIX).
+#
+#   Also HAVE_PTHREAD_PRIO_INHERIT is defined if pthread is found and the
+#   PTHREAD_PRIO_INHERIT symbol is defined when compiling with
+#   PTHREAD_CFLAGS.
+#
+#   ACTION-IF-FOUND is a list of shell commands to run if a threads library
+#   is found, and ACTION-IF-NOT-FOUND is a list of commands to run it if it
+#   is not found. If ACTION-IF-FOUND is not specified, the default action
+#   will define HAVE_PTHREAD.
+#
+#   Please let the authors know if this macro fails on any platform, or if
+#   you have any other suggestions or comments. This macro was based on work
+#   by SGJ on autoconf scripts for FFTW (http://www.fftw.org/) (with help
+#   from M. Frigo), as well as ac_pthread and hb_pthread macros posted by
+#   Alejandro Forero Cuervo to the autoconf macro repository. We are also
+#   grateful for the helpful feedback of numerous users.
+#
+#   Updated for Autoconf 2.68 by Daniel Richard G.
+#
+# LICENSE
+#
+#   Copyright (c) 2008 Steven G. Johnson <stevenj@alum.mit.edu>
+#   Copyright (c) 2011 Daniel Richard G. <skunk@iSKUNK.ORG>
+#
+#   This program is free software: you can redistribute it and/or modify it
+#   under the terms of the GNU General Public License as published by the
+#   Free Software Foundation, either version 3 of the License, or (at your
+#   option) any later version.
+#
+#   This program is distributed in the hope that it will be useful, but
+#   WITHOUT ANY WARRANTY; without even the implied warranty of
+#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
+#   Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License along
+#   with this program. If not, see <https://www.gnu.org/licenses/>.
+#
+#   As a special exception, the respective Autoconf Macro's copyright owner
+#   gives unlimited permission to copy, distribute and modify the configure
+#   scripts that are the output of Autoconf when processing the Macro. You
+#   need not follow the terms of the GNU General Public License when using
+#   or distributing such scripts, even though portions of the text of the
+#   Macro appear in them. The GNU General Public License (GPL) does govern
+#   all other use of the material that constitutes the Autoconf Macro.
+#
+#   This special exception to the GPL applies to versions of the Autoconf
+#   Macro released by the Autoconf Archive. When you make and distribute a
+#   modified version of the Autoconf Macro, you may extend this special
+#   exception to the GPL to apply to your modified version as well.
+
+#serial 24
+
+AU_ALIAS([ACX_PTHREAD], [AX_PTHREAD])
+AC_DEFUN([AX_PTHREAD], [
+AC_REQUIRE([AC_CANONICAL_HOST])
+AC_REQUIRE([AC_PROG_CC])
+AC_REQUIRE([AC_PROG_SED])
+AC_LANG_PUSH([C])
+ax_pthread_ok=no
+
+# We used to check for pthread.h first, but this fails if pthread.h
+# requires special compiler flags (e.g. on Tru64 or Sequent).
+# It gets checked for in the link test anyway.
+
+# First of all, check if the user has set any of the PTHREAD_LIBS,
+# etcetera environment variables, and if threads linking works using
+# them:
+if test "x$PTHREAD_CFLAGS$PTHREAD_LIBS" != "x"; then
+        ax_pthread_save_CC="$CC"
+        ax_pthread_save_CFLAGS="$CFLAGS"
+        ax_pthread_save_LIBS="$LIBS"
+        AS_IF([test "x$PTHREAD_CC" != "x"], [CC="$PTHREAD_CC"])
+        CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
+        LIBS="$PTHREAD_LIBS $LIBS"
+        AC_MSG_CHECKING([for pthread_join using $CC $PTHREAD_CFLAGS $PTHREAD_LIBS])
+        AC_LINK_IFELSE([AC_LANG_CALL([], [pthread_join])], [ax_pthread_ok=yes])
+        AC_MSG_RESULT([$ax_pthread_ok])
+        if test "x$ax_pthread_ok" = "xno"; then
+                PTHREAD_LIBS=""
+                PTHREAD_CFLAGS=""
+        fi
+        CC="$ax_pthread_save_CC"
+        CFLAGS="$ax_pthread_save_CFLAGS"
+        LIBS="$ax_pthread_save_LIBS"
+fi
+
+# We must check for the threads library under a number of different
+# names; the ordering is very important because some systems
+# (e.g. DEC) have both -lpthread and -lpthreads, where one of the
+# libraries is broken (non-POSIX).
+
+# Create a list of thread flags to try.  Items starting with a "-" are
+# C compiler flags, and other items are library names, except for "none"
+# which indicates that we try without any flags at all, and "pthread-config"
+# which is a program returning the flags for the Pth emulation library.
+
+ax_pthread_flags="pthreads none -Kthread -pthread -pthreads -mthreads pthread --thread-safe -mt pthread-config"
+
+# The ordering *is* (sometimes) important.  Some notes on the
+# individual items follow:
+
+# pthreads: AIX (must check this before -lpthread)
+# none: in case threads are in libc; should be tried before -Kthread and
+#       other compiler flags to prevent continual compiler warnings
+# -Kthread: Sequent (threads in libc, but -Kthread needed for pthread.h)
+# -pthread: Linux/gcc (kernel threads), BSD/gcc (userland threads), Tru64
+#           (Note: HP C rejects this with "bad form for `-t' option")
+# -pthreads: Solaris/gcc (Note: HP C also rejects)
+# -mt: Sun Workshop C (may only link SunOS threads [-lthread], but it
+#      doesn't hurt to check since this sometimes defines pthreads and
+#      -D_REENTRANT too), HP C (must be checked before -lpthread, which
+#      is present but should not be used directly; and before -mthreads,
+#      because the compiler interprets this as "-mt" + "-hreads")
+# -mthreads: Mingw32/gcc, Lynx/gcc
+# pthread: Linux, etcetera
+# --thread-safe: KAI C++
+# pthread-config: use pthread-config program (for GNU Pth library)
+
+case $host_os in
+
+        freebsd*)
+
+        # -kthread: FreeBSD kernel threads (preferred to -pthread since SMP-able)
+        # lthread: LinuxThreads port on FreeBSD (also preferred to -pthread)
+
+        ax_pthread_flags="-kthread lthread $ax_pthread_flags"
+        ;;
+
+        hpux*)
+
+        # From the cc(1) man page: "[-mt] Sets various -D flags to enable
+        # multi-threading and also sets -lpthread."
+
+        ax_pthread_flags="-mt -pthread pthread $ax_pthread_flags"
+        ;;
+
+        openedition*)
+
+        # IBM z/OS requires a feature-test macro to be defined in order to
+        # enable POSIX threads at all, so give the user a hint if this is
+        # not set. (We don't define these ourselves, as they can affect
+        # other portions of the system API in unpredictable ways.)
+
+        AC_EGREP_CPP([AX_PTHREAD_ZOS_MISSING],
+            [
+#            if !defined(_OPEN_THREADS) && !defined(_UNIX03_THREADS)
+             AX_PTHREAD_ZOS_MISSING
+#            endif
+            ],
+            [AC_MSG_WARN([IBM z/OS requires -D_OPEN_THREADS or -D_UNIX03_THREADS to enable pthreads support.])])
+        ;;
+
+        solaris*)
+
+        # On Solaris (at least, for some versions), libc contains stubbed
+        # (non-functional) versions of the pthreads routines, so link-based
+        # tests will erroneously succeed. (N.B.: The stubs are missing
+        # pthread_cleanup_push, or rather a function called by this macro,
+        # so we could check for that, but who knows whether they'll stub
+        # that too in a future libc.)  So we'll check first for the
+        # standard Solaris way of linking pthreads (-mt -lpthread).
+
+        ax_pthread_flags="-mt,pthread pthread $ax_pthread_flags"
+        ;;
+esac
+
+# GCC generally uses -pthread, or -pthreads on some platforms (e.g. SPARC)
+
+AS_IF([test "x$GCC" = "xyes"],
+      [ax_pthread_flags="-pthread -pthreads $ax_pthread_flags"])
+
+# The presence of a feature test macro requesting re-entrant function
+# definitions is, on some systems, a strong hint that pthreads support is
+# correctly enabled
+
+case $host_os in
+        darwin* | hpux* | linux* | osf* | solaris*)
+        ax_pthread_check_macro="_REENTRANT"
+        ;;
+
+        aix*)
+        ax_pthread_check_macro="_THREAD_SAFE"
+        ;;
+
+        *)
+        ax_pthread_check_macro="--"
+        ;;
+esac
+AS_IF([test "x$ax_pthread_check_macro" = "x--"],
+      [ax_pthread_check_cond=0],
+      [ax_pthread_check_cond="!defined($ax_pthread_check_macro)"])
+
+# Are we compiling with Clang?
+
+AC_CACHE_CHECK([whether $CC is Clang],
+    [ax_cv_PTHREAD_CLANG],
+    [ax_cv_PTHREAD_CLANG=no
+     # Note that Autoconf sets GCC=yes for Clang as well as GCC
+     if test "x$GCC" = "xyes"; then
+        AC_EGREP_CPP([AX_PTHREAD_CC_IS_CLANG],
+            [/* Note: Clang 2.7 lacks __clang_[a-z]+__ */
+#            if defined(__clang__) && defined(__llvm__)
+             AX_PTHREAD_CC_IS_CLANG
+#            endif
+            ],
+            [ax_cv_PTHREAD_CLANG=yes])
+     fi
+    ])
+ax_pthread_clang="$ax_cv_PTHREAD_CLANG"
+
+ax_pthread_clang_warning=no
+
+# Clang needs special handling, because older versions handle the -pthread
+# option in a rather... idiosyncratic way
+
+if test "x$ax_pthread_clang" = "xyes"; then
+
+        # Clang takes -pthread; it has never supported any other flag
+
+        # (Note 1: This will need to be revisited if a system that Clang
+        # supports has POSIX threads in a separate library.  This tends not
+        # to be the way of modern systems, but it's conceivable.)
+
+        # (Note 2: On some systems, notably Darwin, -pthread is not needed
+        # to get POSIX threads support; the API is always present and
+        # active.  We could reasonably leave PTHREAD_CFLAGS empty.  But
+        # -pthread does define _REENTRANT, and while the Darwin headers
+        # ignore this macro, third-party headers might not.)
+
+        PTHREAD_CFLAGS="-pthread"
+        PTHREAD_LIBS=
+
+        ax_pthread_ok=yes
+
+        # However, older versions of Clang make a point of warning the user
+        # that, in an invocation where only linking and no compilation is
+        # taking place, the -pthread option has no effect ("argument unused
+        # during compilation").  They expect -pthread to be passed in only
+        # when source code is being compiled.
+        #
+        # Problem is, this is at odds with the way Automake and most other
+        # C build frameworks function, which is that the same flags used in
+        # compilation (CFLAGS) are also used in linking.  Many systems
+        # supported by AX_PTHREAD require exactly this for POSIX threads
+        # support, and in fact it is often not straightforward to specify a
+        # flag that is used only in the compilation phase and not in
+        # linking.  Such a scenario is extremely rare in practice.
+        #
+        # Even though use of the -pthread flag in linking would only print
+        # a warning, this can be a nuisance for well-run software projects
+        # that build with -Werror.  So if the active version of Clang has
+        # this misfeature, we search for an option to squash it.
+
+        AC_CACHE_CHECK([whether Clang needs flag to prevent "argument unused" warning when linking with -pthread],
+            [ax_cv_PTHREAD_CLANG_NO_WARN_FLAG],
+            [ax_cv_PTHREAD_CLANG_NO_WARN_FLAG=unknown
+             # Create an alternate version of $ac_link that compiles and
+             # links in two steps (.c -> .o, .o -> exe) instead of one
+             # (.c -> exe), because the warning occurs only in the second
+             # step
+             ax_pthread_save_ac_link="$ac_link"
+             ax_pthread_sed='s/conftest\.\$ac_ext/conftest.$ac_objext/g'
+             ax_pthread_link_step=`$as_echo "$ac_link" | sed "$ax_pthread_sed"`
+             ax_pthread_2step_ac_link="($ac_compile) && (echo ==== >&5) && ($ax_pthread_link_step)"
+             ax_pthread_save_CFLAGS="$CFLAGS"
+             for ax_pthread_try in '' -Qunused-arguments -Wno-unused-command-line-argument unknown; do
+                AS_IF([test "x$ax_pthread_try" = "xunknown"], [break])
+                CFLAGS="-Werror -Wunknown-warning-option $ax_pthread_try -pthread $ax_pthread_save_CFLAGS"
+                ac_link="$ax_pthread_save_ac_link"
+                AC_LINK_IFELSE([AC_LANG_SOURCE([[int main(void){return 0;}]])],
+                    [ac_link="$ax_pthread_2step_ac_link"
+                     AC_LINK_IFELSE([AC_LANG_SOURCE([[int main(void){return 0;}]])],
+                         [break])
+                    ])
+             done
+             ac_link="$ax_pthread_save_ac_link"
+             CFLAGS="$ax_pthread_save_CFLAGS"
+             AS_IF([test "x$ax_pthread_try" = "x"], [ax_pthread_try=no])
+             ax_cv_PTHREAD_CLANG_NO_WARN_FLAG="$ax_pthread_try"
+            ])
+
+        case "$ax_cv_PTHREAD_CLANG_NO_WARN_FLAG" in
+                no | unknown) ;;
+                *) PTHREAD_CFLAGS="$ax_cv_PTHREAD_CLANG_NO_WARN_FLAG $PTHREAD_CFLAGS" ;;
+        esac
+
+fi # $ax_pthread_clang = yes
+
+if test "x$ax_pthread_ok" = "xno"; then
+for ax_pthread_try_flag in $ax_pthread_flags; do
+
+        case $ax_pthread_try_flag in
+                none)
+                AC_MSG_CHECKING([whether pthreads work without any flags])
+                ;;
+
+                -mt,pthread)
+                AC_MSG_CHECKING([whether pthreads work with -mt -lpthread])
+                PTHREAD_CFLAGS="-mt"
+                PTHREAD_LIBS="-lpthread"
+                ;;
+
+                -*)
+                AC_MSG_CHECKING([whether pthreads work with $ax_pthread_try_flag])
+                PTHREAD_CFLAGS="$ax_pthread_try_flag"
+                ;;
+
+                pthread-config)
+                AC_CHECK_PROG([ax_pthread_config], [pthread-config], [yes], [no])
+                AS_IF([test "x$ax_pthread_config" = "xno"], [continue])
+                PTHREAD_CFLAGS="`pthread-config --cflags`"
+                PTHREAD_LIBS="`pthread-config --ldflags` `pthread-config --libs`"
+                ;;
+
+                *)
+                AC_MSG_CHECKING([for the pthreads library -l$ax_pthread_try_flag])
+                PTHREAD_LIBS="-l$ax_pthread_try_flag"
+                ;;
+        esac
+
+        ax_pthread_save_CFLAGS="$CFLAGS"
+        ax_pthread_save_LIBS="$LIBS"
+        CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
+        LIBS="$PTHREAD_LIBS $LIBS"
+
+        # Check for various functions.  We must include pthread.h,
+        # since some functions may be macros.  (On the Sequent, we
+        # need a special flag -Kthread to make this header compile.)
+        # We check for pthread_join because it is in -lpthread on IRIX
+        # while pthread_create is in libc.  We check for pthread_attr_init
+        # due to DEC craziness with -lpthreads.  We check for
+        # pthread_cleanup_push because it is one of the few pthread
+        # functions on Solaris that doesn't have a non-functional libc stub.
+        # We try pthread_create on general principles.
+
+        AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <pthread.h>
+#                       if $ax_pthread_check_cond
+#                        error "$ax_pthread_check_macro must be defined"
+#                       endif
+                        static void routine(void *a) { a = 0; }
+                        static void *start_routine(void *a) { return a; }],
+                       [pthread_t th; pthread_attr_t attr;
+                        pthread_create(&th, 0, start_routine, 0);
+                        pthread_join(th, 0);
+                        pthread_attr_init(&attr);
+                        pthread_cleanup_push(routine, 0);
+                        pthread_cleanup_pop(0) /* ; */])],
+            [ax_pthread_ok=yes],
+            [])
+
+        CFLAGS="$ax_pthread_save_CFLAGS"
+        LIBS="$ax_pthread_save_LIBS"
+
+        AC_MSG_RESULT([$ax_pthread_ok])
+        AS_IF([test "x$ax_pthread_ok" = "xyes"], [break])
+
+        PTHREAD_LIBS=""
+        PTHREAD_CFLAGS=""
+done
+fi
+
+# Various other checks:
+if test "x$ax_pthread_ok" = "xyes"; then
+        ax_pthread_save_CFLAGS="$CFLAGS"
+        ax_pthread_save_LIBS="$LIBS"
+        CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
+        LIBS="$PTHREAD_LIBS $LIBS"
+
+        # Detect AIX lossage: JOINABLE attribute is called UNDETACHED.
+        AC_CACHE_CHECK([for joinable pthread attribute],
+            [ax_cv_PTHREAD_JOINABLE_ATTR],
+            [ax_cv_PTHREAD_JOINABLE_ATTR=unknown
+             for ax_pthread_attr in PTHREAD_CREATE_JOINABLE PTHREAD_CREATE_UNDETACHED; do
+                 AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <pthread.h>],
+                                                 [int attr = $ax_pthread_attr; return attr /* ; */])],
+                                [ax_cv_PTHREAD_JOINABLE_ATTR=$ax_pthread_attr; break],
+                                [])
+             done
+            ])
+        AS_IF([test "x$ax_cv_PTHREAD_JOINABLE_ATTR" != "xunknown" && \
+               test "x$ax_cv_PTHREAD_JOINABLE_ATTR" != "xPTHREAD_CREATE_JOINABLE" && \
+               test "x$ax_pthread_joinable_attr_defined" != "xyes"],
+              [AC_DEFINE_UNQUOTED([PTHREAD_CREATE_JOINABLE],
+                                  [$ax_cv_PTHREAD_JOINABLE_ATTR],
+                                  [Define to necessary symbol if this constant
+                                   uses a non-standard name on your system.])
+               ax_pthread_joinable_attr_defined=yes
+              ])
+
+        AC_CACHE_CHECK([whether more special flags are required for pthreads],
+            [ax_cv_PTHREAD_SPECIAL_FLAGS],
+            [ax_cv_PTHREAD_SPECIAL_FLAGS=no
+             case $host_os in
+             solaris*)
+             ax_cv_PTHREAD_SPECIAL_FLAGS="-D_POSIX_PTHREAD_SEMANTICS"
+             ;;
+             esac
+            ])
+        AS_IF([test "x$ax_cv_PTHREAD_SPECIAL_FLAGS" != "xno" && \
+               test "x$ax_pthread_special_flags_added" != "xyes"],
+              [PTHREAD_CFLAGS="$ax_cv_PTHREAD_SPECIAL_FLAGS $PTHREAD_CFLAGS"
+               ax_pthread_special_flags_added=yes])
+
+        AC_CACHE_CHECK([for PTHREAD_PRIO_INHERIT],
+            [ax_cv_PTHREAD_PRIO_INHERIT],
+            [AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <pthread.h>]],
+                                             [[int i = PTHREAD_PRIO_INHERIT;]])],
+                            [ax_cv_PTHREAD_PRIO_INHERIT=yes],
+                            [ax_cv_PTHREAD_PRIO_INHERIT=no])
+            ])
+        AS_IF([test "x$ax_cv_PTHREAD_PRIO_INHERIT" = "xyes" && \
+               test "x$ax_pthread_prio_inherit_defined" != "xyes"],
+              [AC_DEFINE([HAVE_PTHREAD_PRIO_INHERIT], [1], [Have PTHREAD_PRIO_INHERIT.])
+               ax_pthread_prio_inherit_defined=yes
+              ])
+
+        CFLAGS="$ax_pthread_save_CFLAGS"
+        LIBS="$ax_pthread_save_LIBS"
+
+        # More AIX lossage: compile with *_r variant
+        if test "x$GCC" != "xyes"; then
+            case $host_os in
+                aix*)
+                AS_CASE(["x/$CC"],
+                    [x*/c89|x*/c89_128|x*/c99|x*/c99_128|x*/cc|x*/cc128|x*/xlc|x*/xlc_v6|x*/xlc128|x*/xlc128_v6],
+                    [#handle absolute path differently from PATH based program lookup
+                     AS_CASE(["x$CC"],
+                         [x/*],
+                         [AS_IF([AS_EXECUTABLE_P([${CC}_r])],[PTHREAD_CC="${CC}_r"])],
+                         [AC_CHECK_PROGS([PTHREAD_CC],[${CC}_r],[$CC])])])
+                ;;
+            esac
+        fi
+fi
+
+test -n "$PTHREAD_CC" || PTHREAD_CC="$CC"
+
+AC_SUBST([PTHREAD_LIBS])
+AC_SUBST([PTHREAD_CFLAGS])
+AC_SUBST([PTHREAD_CC])
+
+# Finally, execute ACTION-IF-FOUND/ACTION-IF-NOT-FOUND:
+if test "x$ax_pthread_ok" = "xyes"; then
+        ifelse([$1],,[AC_DEFINE([HAVE_PTHREAD],[1],[Define if you have POSIX threads libraries and header files.])],[$1])
+        :
+else
+        ax_pthread_ok=no
+        $2
+fi
+AC_LANG_POP
+])dnl AX_PTHREAD
diff --git a/m4/ax_restore_flags.m4 b/m4/ax_restore_flags.m4
new file mode 100644
index 0000000..7379460
--- /dev/null
+++ b/m4/ax_restore_flags.m4
@@ -0,0 +1,54 @@
+# SPDX-License-Identifier: FSFAP
+#
+# ===========================================================================
+#     https://www.gnu.org/software/autoconf-archive/ax_restore_flags.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+#   AX_RESTORE_FLAGS([namespace])
+#
+# DESCRIPTION
+#
+#   Restore common compilation flags from temporary variables.
+#
+#   Compilation flags includes: CPPFLAGS, CFLAGS, CXXFLAGS, LDFLAGS, LIBS,
+#   OBJCFLAGS.
+#
+#   By default these flags are restored to a global (empty) namespace, but
+#   user could restore from specific NAMESPACE by using
+#   AX_RESTORE_FLAGS(NAMESPACE) macro.
+#
+#   Typical usage is like:
+#
+#     AX_SAVE_FLAGS(mypackage)
+#     CPPFLAGS="-Imypackagespath ${CPPFLAGS}"
+#     dnl ... do some detection ...
+#     AX_RESTORE_FLAGS(mypackage)
+#
+# LICENSE
+#
+#   Copyright (c) 2009 Filippo Giunchedi <filippo@esaurito.net>
+#   Copyright (c) 2011 The Board of Trustees of the Leland Stanford Junior University
+#   Copyright (c) 2011 Russ Allbery <rra@stanford.edu>
+#   Copyright (c) 2013 Bastien ROUCARIES <roucaries.bastien+autoconf@gmail.com>
+#
+#   Copying and distribution of this file, with or without modification, are
+#   permitted in any medium without royalty provided the copyright notice
+#   and this notice are preserved. This file is offered as-is, without any
+#   warranty.
+
+#serial 7
+
+# save one flag in name space
+AC_DEFUN([_AX_RESTORE_ONE_FLAG],[dnl
+  AS_VAR_PUSHDEF([_ax_restore_flag_var], [$2[]_$1[]_ax_save_flags])
+  AS_VAR_COPY($2[],_ax_restore_flag_var)
+  AS_VAR_POPDEF([_ax_restore_flag_var])
+])
+
+AC_DEFUN([AX_RESTORE_FLAGS], [dnl
+   m4_foreach([FLAG], dnl
+	      [_AX_SAVE_FLAGS_LIST()], dnl
+	      [_AX_RESTORE_ONE_FLAG([$1],FLAG)])
+])
diff --git a/m4/ax_save_flags.m4 b/m4/ax_save_flags.m4
new file mode 100644
index 0000000..b0bba80
--- /dev/null
+++ b/m4/ax_save_flags.m4
@@ -0,0 +1,73 @@
+# SPDX-License-Identifier: FSFAP
+#
+# ===========================================================================
+#      https://www.gnu.org/software/autoconf-archive/ax_save_flags.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+#   AX_SAVE_FLAGS([NAMESPACE])
+#
+# DESCRIPTION
+#
+#   Save common compilation flags into temporary variables.
+#
+#   Compilation flags includes: CPPFLAGS, CFLAGS, CXXFLAGS, LDFLAGS, LIBS,
+#   OBJCFLAGS.
+#
+#   By default these flags are saved to a global (empty) namespace, but user
+#   could specify a specific NAMESPACE to AX_SAVE_FLAGS macro and latter
+#   restore it by using AX_RESTORE_FLAGS(NAMESPACE).
+#
+#     AX_SAVE_FLAGS(mypackage)
+#     CPPFLAGS="-Imypackagespath ${CPPFLAGS}"
+#     dnl .. do some detection ...
+#     AX_RESTORE_FLAGS(mypackage)
+#
+# LICENSE
+#
+#   Copyright (c) 2009 Filippo Giunchedi <filippo@esaurito.net>
+#   Copyright (c) 2011 The Board of Trustees of the Leland Stanford Junior University
+#   Copyright (c) 2011 Russ Allbery <rra@stanford.edu>
+#   Copyright (c) 2013 Bastien ROUCARIES <roucaries.bastien+autoconf@gmail.com>
+#
+#   Copying and distribution of this file, with or without modification, are
+#   permitted in any medium without royalty provided the copyright notice
+#   and this notice are preserved. This file is offered as-is, without any
+#   warranty.
+
+#serial 8
+
+# list of flag to save
+AC_DEFUN([_AX_SAVE_FLAGS_LIST],[dnl
+[CCASFLAGS],dnl
+[CFLAGS],dnl
+[CPPFLAGS],dnl
+[CXXFLAGS],dnl
+[ERLCFLAGS],dnl
+[FCFLAGS],dnl
+[FCLIBS],dnl
+[FFLAGS],dnl
+[FLIBS],dnl
+[GCJFLAGS],dnl
+[JAVACFLAGS],dnl
+[LDFLAGS],dnl
+[LIBS],dnl
+[OBJCFLAGS],dnl
+[OBJCXXFLAGS],dnl
+[UPCFLAGS],dnl
+[VALAFLAGS]dnl
+])
+
+# save one flag in name space
+AC_DEFUN([_AX_SAVE_ONE_FLAG],[
+  AS_VAR_PUSHDEF([_ax_save_flag_var], [$2[]_$1[]_ax_save_flags])
+  AS_VAR_COPY(_ax_save_flag_var, $2[])
+  AS_VAR_POPDEF([_ax_save_flag_var])
+])
+
+AC_DEFUN([AX_SAVE_FLAGS],[dnl
+   m4_foreach([FLAG], dnl
+	      [_AX_SAVE_FLAGS_LIST()], dnl
+	      [_AX_SAVE_ONE_FLAG([$1],FLAG)])
+])
diff --git a/m4/compat.m4 b/m4/compat.m4
new file mode 100644
index 0000000..2d204b2
--- /dev/null
+++ b/m4/compat.m4
@@ -0,0 +1,28 @@
+# Copyright (c) 2021 Internet Systems Consortium
+#
+# SPDX-License-Identifier: FSFAP
+#
+# backwards compat with older pkg-config
+# - pull in AC_DEFUN from pkg.m4
+m4_ifndef([PKG_CHECK_VAR], [
+# PKG_CHECK_VAR(VARIABLE, MODULE, CONFIG-VARIABLE,
+# [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND])
+# -------------------------------------------
+# Retrieves the value of the pkg-config variable for the given module.
+AC_DEFUN([PKG_CHECK_VAR],
+[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
+AC_ARG_VAR([$1], [value of $3 for $2, overriding pkg-config])dnl
+
+_PKG_CONFIG([$1], [variable="][$3]["], [$2])
+AS_VAR_COPY([$1], [pkg_cv_][$1])
+
+AS_VAR_IF([$1], [""], [$5], [$4])dnl
+])# PKG_CHECK_VAR
+])
+
+# This hack makes PKG_CHECK_VARS from m4/pkg.m4 work on autoconf 2.63
+# ( courtesy of sunnybear in https://github.com/gdnsd/gdnsd/issues/85 )
+m4_ifndef([AS_VAR_COPY],
+[m4_define([AS_VAR_COPY],
+[AS_LITERAL_IF([$1[]$2], [$1=$$2], [eval $1=\$$2])])])
+## End Autoconf-2.63-Compat
diff --git a/m4/libtool.m4 b/m4/libtool.m4
new file mode 100644
index 0000000..c4c0294
--- /dev/null
+++ b/m4/libtool.m4
@@ -0,0 +1,8394 @@
+# libtool.m4 - Configure libtool for the host system. -*-Autoconf-*-
+#
+#   Copyright (C) 1996-2001, 2003-2015 Free Software Foundation, Inc.
+#   Written by Gordon Matzigkeit, 1996
+#
+# This file is free software; the Free Software Foundation gives
+# unlimited permission to copy and/or distribute it, with or without
+# modifications, as long as this notice is preserved.
+
+m4_define([_LT_COPYING], [dnl
+# Copyright (C) 2014 Free Software Foundation, Inc.
+# This is free software; see the source for copying conditions.  There is NO
+# warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+# GNU Libtool is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of of the License, or
+# (at your option) any later version.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program or library that is built
+# using GNU Libtool, you may include this file under the  same
+# distribution terms that you use for the rest of that program.
+#
+# GNU Libtool is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+])
+
+# serial 58 LT_INIT
+
+
+# LT_PREREQ(VERSION)
+# ------------------
+# Complain and exit if this libtool version is less that VERSION.
+m4_defun([LT_PREREQ],
+[m4_if(m4_version_compare(m4_defn([LT_PACKAGE_VERSION]), [$1]), -1,
+       [m4_default([$3],
+		   [m4_fatal([Libtool version $1 or higher is required],
+		             63)])],
+       [$2])])
+
+
+# _LT_CHECK_BUILDDIR
+# ------------------
+# Complain if the absolute build directory name contains unusual characters
+m4_defun([_LT_CHECK_BUILDDIR],
+[case `pwd` in
+  *\ * | *\	*)
+    AC_MSG_WARN([Libtool does not cope well with whitespace in `pwd`]) ;;
+esac
+])
+
+
+# LT_INIT([OPTIONS])
+# ------------------
+AC_DEFUN([LT_INIT],
+[AC_PREREQ([2.62])dnl We use AC_PATH_PROGS_FEATURE_CHECK
+AC_REQUIRE([AC_CONFIG_AUX_DIR_DEFAULT])dnl
+AC_BEFORE([$0], [LT_LANG])dnl
+AC_BEFORE([$0], [LT_OUTPUT])dnl
+AC_BEFORE([$0], [LTDL_INIT])dnl
+m4_require([_LT_CHECK_BUILDDIR])dnl
+
+dnl Autoconf doesn't catch unexpanded LT_ macros by default:
+m4_pattern_forbid([^_?LT_[A-Z_]+$])dnl
+m4_pattern_allow([^(_LT_EOF|LT_DLGLOBAL|LT_DLLAZY_OR_NOW|LT_MULTI_MODULE)$])dnl
+dnl aclocal doesn't pull ltoptions.m4, ltsugar.m4, or ltversion.m4
+dnl unless we require an AC_DEFUNed macro:
+AC_REQUIRE([LTOPTIONS_VERSION])dnl
+AC_REQUIRE([LTSUGAR_VERSION])dnl
+AC_REQUIRE([LTVERSION_VERSION])dnl
+AC_REQUIRE([LTOBSOLETE_VERSION])dnl
+m4_require([_LT_PROG_LTMAIN])dnl
+
+_LT_SHELL_INIT([SHELL=${CONFIG_SHELL-/bin/sh}])
+
+dnl Parse OPTIONS
+_LT_SET_OPTIONS([$0], [$1])
+
+# This can be used to rebuild libtool when needed
+LIBTOOL_DEPS=$ltmain
+
+# Always use our own libtool.
+LIBTOOL='$(SHELL) $(top_builddir)/libtool'
+AC_SUBST(LIBTOOL)dnl
+
+_LT_SETUP
+
+# Only expand once:
+m4_define([LT_INIT])
+])# LT_INIT
+
+# Old names:
+AU_ALIAS([AC_PROG_LIBTOOL], [LT_INIT])
+AU_ALIAS([AM_PROG_LIBTOOL], [LT_INIT])
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AC_PROG_LIBTOOL], [])
+dnl AC_DEFUN([AM_PROG_LIBTOOL], [])
+
+
+# _LT_PREPARE_CC_BASENAME
+# -----------------------
+m4_defun([_LT_PREPARE_CC_BASENAME], [
+# Calculate cc_basename.  Skip known compiler wrappers and cross-prefix.
+func_cc_basename ()
+{
+    for cc_temp in @S|@*""; do
+      case $cc_temp in
+        compile | *[[\\/]]compile | ccache | *[[\\/]]ccache ) ;;
+        distcc | *[[\\/]]distcc | purify | *[[\\/]]purify ) ;;
+        \-*) ;;
+        *) break;;
+      esac
+    done
+    func_cc_basename_result=`$ECHO "$cc_temp" | $SED "s%.*/%%; s%^$host_alias-%%"`
+}
+])# _LT_PREPARE_CC_BASENAME
+
+
+# _LT_CC_BASENAME(CC)
+# -------------------
+# It would be clearer to call AC_REQUIREs from _LT_PREPARE_CC_BASENAME,
+# but that macro is also expanded into generated libtool script, which
+# arranges for $SED and $ECHO to be set by different means.
+m4_defun([_LT_CC_BASENAME],
+[m4_require([_LT_PREPARE_CC_BASENAME])dnl
+AC_REQUIRE([_LT_DECL_SED])dnl
+AC_REQUIRE([_LT_PROG_ECHO_BACKSLASH])dnl
+func_cc_basename $1
+cc_basename=$func_cc_basename_result
+])
+
+
+# _LT_FILEUTILS_DEFAULTS
+# ----------------------
+# It is okay to use these file commands and assume they have been set
+# sensibly after 'm4_require([_LT_FILEUTILS_DEFAULTS])'.
+m4_defun([_LT_FILEUTILS_DEFAULTS],
+[: ${CP="cp -f"}
+: ${MV="mv -f"}
+: ${RM="rm -f"}
+])# _LT_FILEUTILS_DEFAULTS
+
+
+# _LT_SETUP
+# ---------
+m4_defun([_LT_SETUP],
+[AC_REQUIRE([AC_CANONICAL_HOST])dnl
+AC_REQUIRE([AC_CANONICAL_BUILD])dnl
+AC_REQUIRE([_LT_PREPARE_SED_QUOTE_VARS])dnl
+AC_REQUIRE([_LT_PROG_ECHO_BACKSLASH])dnl
+
+_LT_DECL([], [PATH_SEPARATOR], [1], [The PATH separator for the build system])dnl
+dnl
+_LT_DECL([], [host_alias], [0], [The host system])dnl
+_LT_DECL([], [host], [0])dnl
+_LT_DECL([], [host_os], [0])dnl
+dnl
+_LT_DECL([], [build_alias], [0], [The build system])dnl
+_LT_DECL([], [build], [0])dnl
+_LT_DECL([], [build_os], [0])dnl
+dnl
+AC_REQUIRE([AC_PROG_CC])dnl
+AC_REQUIRE([LT_PATH_LD])dnl
+AC_REQUIRE([LT_PATH_NM])dnl
+dnl
+AC_REQUIRE([AC_PROG_LN_S])dnl
+test -z "$LN_S" && LN_S="ln -s"
+_LT_DECL([], [LN_S], [1], [Whether we need soft or hard links])dnl
+dnl
+AC_REQUIRE([LT_CMD_MAX_LEN])dnl
+_LT_DECL([objext], [ac_objext], [0], [Object file suffix (normally "o")])dnl
+_LT_DECL([], [exeext], [0], [Executable file suffix (normally "")])dnl
+dnl
+m4_require([_LT_FILEUTILS_DEFAULTS])dnl
+m4_require([_LT_CHECK_SHELL_FEATURES])dnl
+m4_require([_LT_PATH_CONVERSION_FUNCTIONS])dnl
+m4_require([_LT_CMD_RELOAD])dnl
+m4_require([_LT_CHECK_MAGIC_METHOD])dnl
+m4_require([_LT_CHECK_SHAREDLIB_FROM_LINKLIB])dnl
+m4_require([_LT_CMD_OLD_ARCHIVE])dnl
+m4_require([_LT_CMD_GLOBAL_SYMBOLS])dnl
+m4_require([_LT_WITH_SYSROOT])dnl
+m4_require([_LT_CMD_TRUNCATE])dnl
+
+_LT_CONFIG_LIBTOOL_INIT([
+# See if we are running on zsh, and set the options that allow our
+# commands through without removal of \ escapes INIT.
+if test -n "\${ZSH_VERSION+set}"; then
+   setopt NO_GLOB_SUBST
+fi
+])
+if test -n "${ZSH_VERSION+set}"; then
+   setopt NO_GLOB_SUBST
+fi
+
+_LT_CHECK_OBJDIR
+
+m4_require([_LT_TAG_COMPILER])dnl
+
+case $host_os in
+aix3*)
+  # AIX sometimes has problems with the GCC collect2 program.  For some
+  # reason, if we set the COLLECT_NAMES environment variable, the problems
+  # vanish in a puff of smoke.
+  if test set != "${COLLECT_NAMES+set}"; then
+    COLLECT_NAMES=
+    export COLLECT_NAMES
+  fi
+  ;;
+esac
+
+# Global variables:
+ofile=libtool
+can_build_shared=yes
+
+# All known linkers require a '.a' archive for static linking (except MSVC,
+# which needs '.lib').
+libext=a
+
+with_gnu_ld=$lt_cv_prog_gnu_ld
+
+old_CC=$CC
+old_CFLAGS=$CFLAGS
+
+# Set sane defaults for various variables
+test -z "$CC" && CC=cc
+test -z "$LTCC" && LTCC=$CC
+test -z "$LTCFLAGS" && LTCFLAGS=$CFLAGS
+test -z "$LD" && LD=ld
+test -z "$ac_objext" && ac_objext=o
+
+_LT_CC_BASENAME([$compiler])
+
+# Only perform the check for file, if the check method requires it
+test -z "$MAGIC_CMD" && MAGIC_CMD=file
+case $deplibs_check_method in
+file_magic*)
+  if test "$file_magic_cmd" = '$MAGIC_CMD'; then
+    _LT_PATH_MAGIC
+  fi
+  ;;
+esac
+
+# Use C for the default configuration in the libtool script
+LT_SUPPORTED_TAG([CC])
+_LT_LANG_C_CONFIG
+_LT_LANG_DEFAULT_CONFIG
+_LT_CONFIG_COMMANDS
+])# _LT_SETUP
+
+
+# _LT_PREPARE_SED_QUOTE_VARS
+# --------------------------
+# Define a few sed substitution that help us do robust quoting.
+m4_defun([_LT_PREPARE_SED_QUOTE_VARS],
+[# Backslashify metacharacters that are still active within
+# double-quoted strings.
+sed_quote_subst='s/\([["`$\\]]\)/\\\1/g'
+
+# Same as above, but do not quote variable references.
+double_quote_subst='s/\([["`\\]]\)/\\\1/g'
+
+# Sed substitution to delay expansion of an escaped shell variable in a
+# double_quote_subst'ed string.
+delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g'
+
+# Sed substitution to delay expansion of an escaped single quote.
+delay_single_quote_subst='s/'\''/'\'\\\\\\\'\''/g'
+
+# Sed substitution to avoid accidental globbing in evaled expressions
+no_glob_subst='s/\*/\\\*/g'
+])
+
+# _LT_PROG_LTMAIN
+# ---------------
+# Note that this code is called both from 'configure', and 'config.status'
+# now that we use AC_CONFIG_COMMANDS to generate libtool.  Notably,
+# 'config.status' has no value for ac_aux_dir unless we are using Automake,
+# so we pass a copy along to make sure it has a sensible value anyway.
+m4_defun([_LT_PROG_LTMAIN],
+[m4_ifdef([AC_REQUIRE_AUX_FILE], [AC_REQUIRE_AUX_FILE([ltmain.sh])])dnl
+_LT_CONFIG_LIBTOOL_INIT([ac_aux_dir='$ac_aux_dir'])
+ltmain=$ac_aux_dir/ltmain.sh
+])# _LT_PROG_LTMAIN
+
+
+## ------------------------------------- ##
+## Accumulate code for creating libtool. ##
+## ------------------------------------- ##
+
+# So that we can recreate a full libtool script including additional
+# tags, we accumulate the chunks of code to send to AC_CONFIG_COMMANDS
+# in macros and then make a single call at the end using the 'libtool'
+# label.
+
+
+# _LT_CONFIG_LIBTOOL_INIT([INIT-COMMANDS])
+# ----------------------------------------
+# Register INIT-COMMANDS to be passed to AC_CONFIG_COMMANDS later.
+m4_define([_LT_CONFIG_LIBTOOL_INIT],
+[m4_ifval([$1],
+          [m4_append([_LT_OUTPUT_LIBTOOL_INIT],
+                     [$1
+])])])
+
+# Initialize.
+m4_define([_LT_OUTPUT_LIBTOOL_INIT])
+
+
+# _LT_CONFIG_LIBTOOL([COMMANDS])
+# ------------------------------
+# Register COMMANDS to be passed to AC_CONFIG_COMMANDS later.
+m4_define([_LT_CONFIG_LIBTOOL],
+[m4_ifval([$1],
+          [m4_append([_LT_OUTPUT_LIBTOOL_COMMANDS],
+                     [$1
+])])])
+
+# Initialize.
+m4_define([_LT_OUTPUT_LIBTOOL_COMMANDS])
+
+
+# _LT_CONFIG_SAVE_COMMANDS([COMMANDS], [INIT_COMMANDS])
+# -----------------------------------------------------
+m4_defun([_LT_CONFIG_SAVE_COMMANDS],
+[_LT_CONFIG_LIBTOOL([$1])
+_LT_CONFIG_LIBTOOL_INIT([$2])
+])
+
+
+# _LT_FORMAT_COMMENT([COMMENT])
+# -----------------------------
+# Add leading comment marks to the start of each line, and a trailing
+# full-stop to the whole comment if one is not present already.
+m4_define([_LT_FORMAT_COMMENT],
+[m4_ifval([$1], [
+m4_bpatsubst([m4_bpatsubst([$1], [^ *], [# ])],
+              [['`$\]], [\\\&])]m4_bmatch([$1], [[!?.]$], [], [.])
+)])
+
+
+
+## ------------------------ ##
+## FIXME: Eliminate VARNAME ##
+## ------------------------ ##
+
+
+# _LT_DECL([CONFIGNAME], VARNAME, VALUE, [DESCRIPTION], [IS-TAGGED?])
+# -------------------------------------------------------------------
+# CONFIGNAME is the name given to the value in the libtool script.
+# VARNAME is the (base) name used in the configure script.
+# VALUE may be 0, 1 or 2 for a computed quote escaped value based on
+# VARNAME.  Any other value will be used directly.
+m4_define([_LT_DECL],
+[lt_if_append_uniq([lt_decl_varnames], [$2], [, ],
+    [lt_dict_add_subkey([lt_decl_dict], [$2], [libtool_name],
+	[m4_ifval([$1], [$1], [$2])])
+    lt_dict_add_subkey([lt_decl_dict], [$2], [value], [$3])
+    m4_ifval([$4],
+	[lt_dict_add_subkey([lt_decl_dict], [$2], [description], [$4])])
+    lt_dict_add_subkey([lt_decl_dict], [$2],
+	[tagged?], [m4_ifval([$5], [yes], [no])])])
+])
+
+
+# _LT_TAGDECL([CONFIGNAME], VARNAME, VALUE, [DESCRIPTION])
+# --------------------------------------------------------
+m4_define([_LT_TAGDECL], [_LT_DECL([$1], [$2], [$3], [$4], [yes])])
+
+
+# lt_decl_tag_varnames([SEPARATOR], [VARNAME1...])
+# ------------------------------------------------
+m4_define([lt_decl_tag_varnames],
+[_lt_decl_filter([tagged?], [yes], $@)])
+
+
+# _lt_decl_filter(SUBKEY, VALUE, [SEPARATOR], [VARNAME1..])
+# ---------------------------------------------------------
+m4_define([_lt_decl_filter],
+[m4_case([$#],
+  [0], [m4_fatal([$0: too few arguments: $#])],
+  [1], [m4_fatal([$0: too few arguments: $#: $1])],
+  [2], [lt_dict_filter([lt_decl_dict], [$1], [$2], [], lt_decl_varnames)],
+  [3], [lt_dict_filter([lt_decl_dict], [$1], [$2], [$3], lt_decl_varnames)],
+  [lt_dict_filter([lt_decl_dict], $@)])[]dnl
+])
+
+
+# lt_decl_quote_varnames([SEPARATOR], [VARNAME1...])
+# --------------------------------------------------
+m4_define([lt_decl_quote_varnames],
+[_lt_decl_filter([value], [1], $@)])
+
+
+# lt_decl_dquote_varnames([SEPARATOR], [VARNAME1...])
+# ---------------------------------------------------
+m4_define([lt_decl_dquote_varnames],
+[_lt_decl_filter([value], [2], $@)])
+
+
+# lt_decl_varnames_tagged([SEPARATOR], [VARNAME1...])
+# ---------------------------------------------------
+m4_define([lt_decl_varnames_tagged],
+[m4_assert([$# <= 2])dnl
+_$0(m4_quote(m4_default([$1], [[, ]])),
+    m4_ifval([$2], [[$2]], [m4_dquote(lt_decl_tag_varnames)]),
+    m4_split(m4_normalize(m4_quote(_LT_TAGS)), [ ]))])
+m4_define([_lt_decl_varnames_tagged],
+[m4_ifval([$3], [lt_combine([$1], [$2], [_], $3)])])
+
+
+# lt_decl_all_varnames([SEPARATOR], [VARNAME1...])
+# ------------------------------------------------
+m4_define([lt_decl_all_varnames],
+[_$0(m4_quote(m4_default([$1], [[, ]])),
+     m4_if([$2], [],
+	   m4_quote(lt_decl_varnames),
+	m4_quote(m4_shift($@))))[]dnl
+])
+m4_define([_lt_decl_all_varnames],
+[lt_join($@, lt_decl_varnames_tagged([$1],
+			lt_decl_tag_varnames([[, ]], m4_shift($@))))dnl
+])
+
+
+# _LT_CONFIG_STATUS_DECLARE([VARNAME])
+# ------------------------------------
+# Quote a variable value, and forward it to 'config.status' so that its
+# declaration there will have the same value as in 'configure'.  VARNAME
+# must have a single quote delimited value for this to work.
+m4_define([_LT_CONFIG_STATUS_DECLARE],
+[$1='`$ECHO "$][$1" | $SED "$delay_single_quote_subst"`'])
+
+
+# _LT_CONFIG_STATUS_DECLARATIONS
+# ------------------------------
+# We delimit libtool config variables with single quotes, so when
+# we write them to config.status, we have to be sure to quote all
+# embedded single quotes properly.  In configure, this macro expands
+# each variable declared with _LT_DECL (and _LT_TAGDECL) into:
+#
+#    <var>='`$ECHO "$<var>" | $SED "$delay_single_quote_subst"`'
+m4_defun([_LT_CONFIG_STATUS_DECLARATIONS],
+[m4_foreach([_lt_var], m4_quote(lt_decl_all_varnames),
+    [m4_n([_LT_CONFIG_STATUS_DECLARE(_lt_var)])])])
+
+
+# _LT_LIBTOOL_TAGS
+# ----------------
+# Output comment and list of tags supported by the script
+m4_defun([_LT_LIBTOOL_TAGS],
+[_LT_FORMAT_COMMENT([The names of the tagged configurations supported by this script])dnl
+available_tags='_LT_TAGS'dnl
+])
+
+
+# _LT_LIBTOOL_DECLARE(VARNAME, [TAG])
+# -----------------------------------
+# Extract the dictionary values for VARNAME (optionally with TAG) and
+# expand to a commented shell variable setting:
+#
+#    # Some comment about what VAR is for.
+#    visible_name=$lt_internal_name
+m4_define([_LT_LIBTOOL_DECLARE],
+[_LT_FORMAT_COMMENT(m4_quote(lt_dict_fetch([lt_decl_dict], [$1],
+					   [description])))[]dnl
+m4_pushdef([_libtool_name],
+    m4_quote(lt_dict_fetch([lt_decl_dict], [$1], [libtool_name])))[]dnl
+m4_case(m4_quote(lt_dict_fetch([lt_decl_dict], [$1], [value])),
+    [0], [_libtool_name=[$]$1],
+    [1], [_libtool_name=$lt_[]$1],
+    [2], [_libtool_name=$lt_[]$1],
+    [_libtool_name=lt_dict_fetch([lt_decl_dict], [$1], [value])])[]dnl
+m4_ifval([$2], [_$2])[]m4_popdef([_libtool_name])[]dnl
+])
+
+
+# _LT_LIBTOOL_CONFIG_VARS
+# -----------------------
+# Produce commented declarations of non-tagged libtool config variables
+# suitable for insertion in the LIBTOOL CONFIG section of the 'libtool'
+# script.  Tagged libtool config variables (even for the LIBTOOL CONFIG
+# section) are produced by _LT_LIBTOOL_TAG_VARS.
+m4_defun([_LT_LIBTOOL_CONFIG_VARS],
+[m4_foreach([_lt_var],
+    m4_quote(_lt_decl_filter([tagged?], [no], [], lt_decl_varnames)),
+    [m4_n([_LT_LIBTOOL_DECLARE(_lt_var)])])])
+
+
+# _LT_LIBTOOL_TAG_VARS(TAG)
+# -------------------------
+m4_define([_LT_LIBTOOL_TAG_VARS],
+[m4_foreach([_lt_var], m4_quote(lt_decl_tag_varnames),
+    [m4_n([_LT_LIBTOOL_DECLARE(_lt_var, [$1])])])])
+
+
+# _LT_TAGVAR(VARNAME, [TAGNAME])
+# ------------------------------
+m4_define([_LT_TAGVAR], [m4_ifval([$2], [$1_$2], [$1])])
+
+
+# _LT_CONFIG_COMMANDS
+# -------------------
+# Send accumulated output to $CONFIG_STATUS.  Thanks to the lists of
+# variables for single and double quote escaping we saved from calls
+# to _LT_DECL, we can put quote escaped variables declarations
+# into 'config.status', and then the shell code to quote escape them in
+# for loops in 'config.status'.  Finally, any additional code accumulated
+# from calls to _LT_CONFIG_LIBTOOL_INIT is expanded.
+m4_defun([_LT_CONFIG_COMMANDS],
+[AC_PROVIDE_IFELSE([LT_OUTPUT],
+	dnl If the libtool generation code has been placed in $CONFIG_LT,
+	dnl instead of duplicating it all over again into config.status,
+	dnl then we will have config.status run $CONFIG_LT later, so it
+	dnl needs to know what name is stored there:
+        [AC_CONFIG_COMMANDS([libtool],
+            [$SHELL $CONFIG_LT || AS_EXIT(1)], [CONFIG_LT='$CONFIG_LT'])],
+    dnl If the libtool generation code is destined for config.status,
+    dnl expand the accumulated commands and init code now:
+    [AC_CONFIG_COMMANDS([libtool],
+        [_LT_OUTPUT_LIBTOOL_COMMANDS], [_LT_OUTPUT_LIBTOOL_COMMANDS_INIT])])
+])#_LT_CONFIG_COMMANDS
+
+
+# Initialize.
+m4_define([_LT_OUTPUT_LIBTOOL_COMMANDS_INIT],
+[
+
+# The HP-UX ksh and POSIX shell print the target directory to stdout
+# if CDPATH is set.
+(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
+
+sed_quote_subst='$sed_quote_subst'
+double_quote_subst='$double_quote_subst'
+delay_variable_subst='$delay_variable_subst'
+_LT_CONFIG_STATUS_DECLARATIONS
+LTCC='$LTCC'
+LTCFLAGS='$LTCFLAGS'
+compiler='$compiler_DEFAULT'
+
+# A function that is used when there is no print builtin or printf.
+func_fallback_echo ()
+{
+  eval 'cat <<_LTECHO_EOF
+\$[]1
+_LTECHO_EOF'
+}
+
+# Quote evaled strings.
+for var in lt_decl_all_varnames([[ \
+]], lt_decl_quote_varnames); do
+    case \`eval \\\\\$ECHO \\\\""\\\\\$\$var"\\\\"\` in
+    *[[\\\\\\\`\\"\\\$]]*)
+      eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"\\\$\$var\\" | \\\$SED \\"\\\$sed_quote_subst\\"\\\`\\\\\\"" ## exclude from sc_prohibit_nested_quotes
+      ;;
+    *)
+      eval "lt_\$var=\\\\\\"\\\$\$var\\\\\\""
+      ;;
+    esac
+done
+
+# Double-quote double-evaled strings.
+for var in lt_decl_all_varnames([[ \
+]], lt_decl_dquote_varnames); do
+    case \`eval \\\\\$ECHO \\\\""\\\\\$\$var"\\\\"\` in
+    *[[\\\\\\\`\\"\\\$]]*)
+      eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"\\\$\$var\\" | \\\$SED -e \\"\\\$double_quote_subst\\" -e \\"\\\$sed_quote_subst\\" -e \\"\\\$delay_variable_subst\\"\\\`\\\\\\"" ## exclude from sc_prohibit_nested_quotes
+      ;;
+    *)
+      eval "lt_\$var=\\\\\\"\\\$\$var\\\\\\""
+      ;;
+    esac
+done
+
+_LT_OUTPUT_LIBTOOL_INIT
+])
+
+# _LT_GENERATED_FILE_INIT(FILE, [COMMENT])
+# ------------------------------------
+# Generate a child script FILE with all initialization necessary to
+# reuse the environment learned by the parent script, and make the
+# file executable.  If COMMENT is supplied, it is inserted after the
+# '#!' sequence but before initialization text begins.  After this
+# macro, additional text can be appended to FILE to form the body of
+# the child script.  The macro ends with non-zero status if the
+# file could not be fully written (such as if the disk is full).
+m4_ifdef([AS_INIT_GENERATED],
+[m4_defun([_LT_GENERATED_FILE_INIT],[AS_INIT_GENERATED($@)])],
+[m4_defun([_LT_GENERATED_FILE_INIT],
+[m4_require([AS_PREPARE])]dnl
+[m4_pushdef([AS_MESSAGE_LOG_FD])]dnl
+[lt_write_fail=0
+cat >$1 <<_ASEOF || lt_write_fail=1
+#! $SHELL
+# Generated by $as_me.
+$2
+SHELL=\${CONFIG_SHELL-$SHELL}
+export SHELL
+_ASEOF
+cat >>$1 <<\_ASEOF || lt_write_fail=1
+AS_SHELL_SANITIZE
+_AS_PREPARE
+exec AS_MESSAGE_FD>&1
+_ASEOF
+test 0 = "$lt_write_fail" && chmod +x $1[]dnl
+m4_popdef([AS_MESSAGE_LOG_FD])])])# _LT_GENERATED_FILE_INIT
+
+# LT_OUTPUT
+# ---------
+# This macro allows early generation of the libtool script (before
+# AC_OUTPUT is called), incase it is used in configure for compilation
+# tests.
+AC_DEFUN([LT_OUTPUT],
+[: ${CONFIG_LT=./config.lt}
+AC_MSG_NOTICE([creating $CONFIG_LT])
+_LT_GENERATED_FILE_INIT(["$CONFIG_LT"],
+[# Run this file to recreate a libtool stub with the current configuration.])
+
+cat >>"$CONFIG_LT" <<\_LTEOF
+lt_cl_silent=false
+exec AS_MESSAGE_LOG_FD>>config.log
+{
+  echo
+  AS_BOX([Running $as_me.])
+} >&AS_MESSAGE_LOG_FD
+
+lt_cl_help="\
+'$as_me' creates a local libtool stub from the current configuration,
+for use in further configure time tests before the real libtool is
+generated.
+
+Usage: $[0] [[OPTIONS]]
+
+  -h, --help      print this help, then exit
+  -V, --version   print version number, then exit
+  -q, --quiet     do not print progress messages
+  -d, --debug     don't remove temporary files
+
+Report bugs to <bug-libtool@gnu.org>."
+
+lt_cl_version="\
+m4_ifset([AC_PACKAGE_NAME], [AC_PACKAGE_NAME ])config.lt[]dnl
+m4_ifset([AC_PACKAGE_VERSION], [ AC_PACKAGE_VERSION])
+configured by $[0], generated by m4_PACKAGE_STRING.
+
+Copyright (C) 2011 Free Software Foundation, Inc.
+This config.lt script is free software; the Free Software Foundation
+gives unlimited permision to copy, distribute and modify it."
+
+while test 0 != $[#]
+do
+  case $[1] in
+    --version | --v* | -V )
+      echo "$lt_cl_version"; exit 0 ;;
+    --help | --h* | -h )
+      echo "$lt_cl_help"; exit 0 ;;
+    --debug | --d* | -d )
+      debug=: ;;
+    --quiet | --q* | --silent | --s* | -q )
+      lt_cl_silent=: ;;
+
+    -*) AC_MSG_ERROR([unrecognized option: $[1]
+Try '$[0] --help' for more information.]) ;;
+
+    *) AC_MSG_ERROR([unrecognized argument: $[1]
+Try '$[0] --help' for more information.]) ;;
+  esac
+  shift
+done
+
+if $lt_cl_silent; then
+  exec AS_MESSAGE_FD>/dev/null
+fi
+_LTEOF
+
+cat >>"$CONFIG_LT" <<_LTEOF
+_LT_OUTPUT_LIBTOOL_COMMANDS_INIT
+_LTEOF
+
+cat >>"$CONFIG_LT" <<\_LTEOF
+AC_MSG_NOTICE([creating $ofile])
+_LT_OUTPUT_LIBTOOL_COMMANDS
+AS_EXIT(0)
+_LTEOF
+chmod +x "$CONFIG_LT"
+
+# configure is writing to config.log, but config.lt does its own redirection,
+# appending to config.log, which fails on DOS, as config.log is still kept
+# open by configure.  Here we exec the FD to /dev/null, effectively closing
+# config.log, so it can be properly (re)opened and appended to by config.lt.
+lt_cl_success=:
+test yes = "$silent" &&
+  lt_config_lt_args="$lt_config_lt_args --quiet"
+exec AS_MESSAGE_LOG_FD>/dev/null
+$SHELL "$CONFIG_LT" $lt_config_lt_args || lt_cl_success=false
+exec AS_MESSAGE_LOG_FD>>config.log
+$lt_cl_success || AS_EXIT(1)
+])# LT_OUTPUT
+
+
+# _LT_CONFIG(TAG)
+# ---------------
+# If TAG is the built-in tag, create an initial libtool script with a
+# default configuration from the untagged config vars.  Otherwise add code
+# to config.status for appending the configuration named by TAG from the
+# matching tagged config vars.
+m4_defun([_LT_CONFIG],
+[m4_require([_LT_FILEUTILS_DEFAULTS])dnl
+_LT_CONFIG_SAVE_COMMANDS([
+  m4_define([_LT_TAG], m4_if([$1], [], [C], [$1]))dnl
+  m4_if(_LT_TAG, [C], [
+    # See if we are running on zsh, and set the options that allow our
+    # commands through without removal of \ escapes.
+    if test -n "${ZSH_VERSION+set}"; then
+      setopt NO_GLOB_SUBST
+    fi
+
+    cfgfile=${ofile}T
+    trap "$RM \"$cfgfile\"; exit 1" 1 2 15
+    $RM "$cfgfile"
+
+    cat <<_LT_EOF >> "$cfgfile"
+#! $SHELL
+# Generated automatically by $as_me ($PACKAGE) $VERSION
+# NOTE: Changes made to this file will be lost: look at ltmain.sh.
+
+# Provide generalized library-building support services.
+# Written by Gordon Matzigkeit, 1996
+
+_LT_COPYING
+_LT_LIBTOOL_TAGS
+
+# Configured defaults for sys_lib_dlsearch_path munging.
+: \${LT_SYS_LIBRARY_PATH="$configure_time_lt_sys_library_path"}
+
+# ### BEGIN LIBTOOL CONFIG
+_LT_LIBTOOL_CONFIG_VARS
+_LT_LIBTOOL_TAG_VARS
+# ### END LIBTOOL CONFIG
+
+_LT_EOF
+
+    cat <<'_LT_EOF' >> "$cfgfile"
+
+# ### BEGIN FUNCTIONS SHARED WITH CONFIGURE
+
+_LT_PREPARE_MUNGE_PATH_LIST
+_LT_PREPARE_CC_BASENAME
+
+# ### END FUNCTIONS SHARED WITH CONFIGURE
+
+_LT_EOF
+
+  case $host_os in
+  aix3*)
+    cat <<\_LT_EOF >> "$cfgfile"
+# AIX sometimes has problems with the GCC collect2 program.  For some
+# reason, if we set the COLLECT_NAMES environment variable, the problems
+# vanish in a puff of smoke.
+if test set != "${COLLECT_NAMES+set}"; then
+  COLLECT_NAMES=
+  export COLLECT_NAMES
+fi
+_LT_EOF
+    ;;
+  esac
+
+  _LT_PROG_LTMAIN
+
+  # We use sed instead of cat because bash on DJGPP gets confused if
+  # if finds mixed CR/LF and LF-only lines.  Since sed operates in
+  # text mode, it properly converts lines to CR/LF.  This bash problem
+  # is reportedly fixed, but why not run on old versions too?
+  sed '$q' "$ltmain" >> "$cfgfile" \
+     || (rm -f "$cfgfile"; exit 1)
+
+   mv -f "$cfgfile" "$ofile" ||
+    (rm -f "$ofile" && cp "$cfgfile" "$ofile" && rm -f "$cfgfile")
+  chmod +x "$ofile"
+],
+[cat <<_LT_EOF >> "$ofile"
+
+dnl Unfortunately we have to use $1 here, since _LT_TAG is not expanded
+dnl in a comment (ie after a #).
+# ### BEGIN LIBTOOL TAG CONFIG: $1
+_LT_LIBTOOL_TAG_VARS(_LT_TAG)
+# ### END LIBTOOL TAG CONFIG: $1
+_LT_EOF
+])dnl /m4_if
+],
+[m4_if([$1], [], [
+    PACKAGE='$PACKAGE'
+    VERSION='$VERSION'
+    RM='$RM'
+    ofile='$ofile'], [])
+])dnl /_LT_CONFIG_SAVE_COMMANDS
+])# _LT_CONFIG
+
+
+# LT_SUPPORTED_TAG(TAG)
+# ---------------------
+# Trace this macro to discover what tags are supported by the libtool
+# --tag option, using:
+#    autoconf --trace 'LT_SUPPORTED_TAG:$1'
+AC_DEFUN([LT_SUPPORTED_TAG], [])
+
+
+# C support is built-in for now
+m4_define([_LT_LANG_C_enabled], [])
+m4_define([_LT_TAGS], [])
+
+
+# LT_LANG(LANG)
+# -------------
+# Enable libtool support for the given language if not already enabled.
+AC_DEFUN([LT_LANG],
+[AC_BEFORE([$0], [LT_OUTPUT])dnl
+m4_case([$1],
+  [C],			[_LT_LANG(C)],
+  [C++],		[_LT_LANG(CXX)],
+  [Go],			[_LT_LANG(GO)],
+  [Java],		[_LT_LANG(GCJ)],
+  [Fortran 77],		[_LT_LANG(F77)],
+  [Fortran],		[_LT_LANG(FC)],
+  [Windows Resource],	[_LT_LANG(RC)],
+  [m4_ifdef([_LT_LANG_]$1[_CONFIG],
+    [_LT_LANG($1)],
+    [m4_fatal([$0: unsupported language: "$1"])])])dnl
+])# LT_LANG
+
+
+# _LT_LANG(LANGNAME)
+# ------------------
+m4_defun([_LT_LANG],
+[m4_ifdef([_LT_LANG_]$1[_enabled], [],
+  [LT_SUPPORTED_TAG([$1])dnl
+  m4_append([_LT_TAGS], [$1 ])dnl
+  m4_define([_LT_LANG_]$1[_enabled], [])dnl
+  _LT_LANG_$1_CONFIG($1)])dnl
+])# _LT_LANG
+
+
+m4_ifndef([AC_PROG_GO], [
+############################################################
+# NOTE: This macro has been submitted for inclusion into   #
+#  GNU Autoconf as AC_PROG_GO.  When it is available in    #
+#  a released version of Autoconf we should remove this    #
+#  macro and use it instead.                               #
+############################################################
+m4_defun([AC_PROG_GO],
+[AC_LANG_PUSH(Go)dnl
+AC_ARG_VAR([GOC],     [Go compiler command])dnl
+AC_ARG_VAR([GOFLAGS], [Go compiler flags])dnl
+_AC_ARG_VAR_LDFLAGS()dnl
+AC_CHECK_TOOL(GOC, gccgo)
+if test -z "$GOC"; then
+  if test -n "$ac_tool_prefix"; then
+    AC_CHECK_PROG(GOC, [${ac_tool_prefix}gccgo], [${ac_tool_prefix}gccgo])
+  fi
+fi
+if test -z "$GOC"; then
+  AC_CHECK_PROG(GOC, gccgo, gccgo, false)
+fi
+])#m4_defun
+])#m4_ifndef
+
+
+# _LT_LANG_DEFAULT_CONFIG
+# -----------------------
+m4_defun([_LT_LANG_DEFAULT_CONFIG],
+[AC_PROVIDE_IFELSE([AC_PROG_CXX],
+  [LT_LANG(CXX)],
+  [m4_define([AC_PROG_CXX], defn([AC_PROG_CXX])[LT_LANG(CXX)])])
+
+AC_PROVIDE_IFELSE([AC_PROG_F77],
+  [LT_LANG(F77)],
+  [m4_define([AC_PROG_F77], defn([AC_PROG_F77])[LT_LANG(F77)])])
+
+AC_PROVIDE_IFELSE([AC_PROG_FC],
+  [LT_LANG(FC)],
+  [m4_define([AC_PROG_FC], defn([AC_PROG_FC])[LT_LANG(FC)])])
+
+dnl The call to [A][M_PROG_GCJ] is quoted like that to stop aclocal
+dnl pulling things in needlessly.
+AC_PROVIDE_IFELSE([AC_PROG_GCJ],
+  [LT_LANG(GCJ)],
+  [AC_PROVIDE_IFELSE([A][M_PROG_GCJ],
+    [LT_LANG(GCJ)],
+    [AC_PROVIDE_IFELSE([LT_PROG_GCJ],
+      [LT_LANG(GCJ)],
+      [m4_ifdef([AC_PROG_GCJ],
+	[m4_define([AC_PROG_GCJ], defn([AC_PROG_GCJ])[LT_LANG(GCJ)])])
+       m4_ifdef([A][M_PROG_GCJ],
+	[m4_define([A][M_PROG_GCJ], defn([A][M_PROG_GCJ])[LT_LANG(GCJ)])])
+       m4_ifdef([LT_PROG_GCJ],
+	[m4_define([LT_PROG_GCJ], defn([LT_PROG_GCJ])[LT_LANG(GCJ)])])])])])
+
+AC_PROVIDE_IFELSE([AC_PROG_GO],
+  [LT_LANG(GO)],
+  [m4_define([AC_PROG_GO], defn([AC_PROG_GO])[LT_LANG(GO)])])
+
+AC_PROVIDE_IFELSE([LT_PROG_RC],
+  [LT_LANG(RC)],
+  [m4_define([LT_PROG_RC], defn([LT_PROG_RC])[LT_LANG(RC)])])
+])# _LT_LANG_DEFAULT_CONFIG
+
+# Obsolete macros:
+AU_DEFUN([AC_LIBTOOL_CXX], [LT_LANG(C++)])
+AU_DEFUN([AC_LIBTOOL_F77], [LT_LANG(Fortran 77)])
+AU_DEFUN([AC_LIBTOOL_FC], [LT_LANG(Fortran)])
+AU_DEFUN([AC_LIBTOOL_GCJ], [LT_LANG(Java)])
+AU_DEFUN([AC_LIBTOOL_RC], [LT_LANG(Windows Resource)])
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AC_LIBTOOL_CXX], [])
+dnl AC_DEFUN([AC_LIBTOOL_F77], [])
+dnl AC_DEFUN([AC_LIBTOOL_FC], [])
+dnl AC_DEFUN([AC_LIBTOOL_GCJ], [])
+dnl AC_DEFUN([AC_LIBTOOL_RC], [])
+
+
+# _LT_TAG_COMPILER
+# ----------------
+m4_defun([_LT_TAG_COMPILER],
+[AC_REQUIRE([AC_PROG_CC])dnl
+
+_LT_DECL([LTCC], [CC], [1], [A C compiler])dnl
+_LT_DECL([LTCFLAGS], [CFLAGS], [1], [LTCC compiler flags])dnl
+_LT_TAGDECL([CC], [compiler], [1], [A language specific compiler])dnl
+_LT_TAGDECL([with_gcc], [GCC], [0], [Is the compiler the GNU compiler?])dnl
+
+# If no C compiler was specified, use CC.
+LTCC=${LTCC-"$CC"}
+
+# If no C compiler flags were specified, use CFLAGS.
+LTCFLAGS=${LTCFLAGS-"$CFLAGS"}
+
+# Allow CC to be a program name with arguments.
+compiler=$CC
+])# _LT_TAG_COMPILER
+
+
+# _LT_COMPILER_BOILERPLATE
+# ------------------------
+# Check for compiler boilerplate output or warnings with
+# the simple compiler test code.
+m4_defun([_LT_COMPILER_BOILERPLATE],
+[m4_require([_LT_DECL_SED])dnl
+ac_outfile=conftest.$ac_objext
+echo "$lt_simple_compile_test_code" >conftest.$ac_ext
+eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_compiler_boilerplate=`cat conftest.err`
+$RM conftest*
+])# _LT_COMPILER_BOILERPLATE
+
+
+# _LT_LINKER_BOILERPLATE
+# ----------------------
+# Check for linker boilerplate output or warnings with
+# the simple link test code.
+m4_defun([_LT_LINKER_BOILERPLATE],
+[m4_require([_LT_DECL_SED])dnl
+ac_outfile=conftest.$ac_objext
+echo "$lt_simple_link_test_code" >conftest.$ac_ext
+eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_linker_boilerplate=`cat conftest.err`
+$RM -r conftest*
+])# _LT_LINKER_BOILERPLATE
+
+# _LT_REQUIRED_DARWIN_CHECKS
+# -------------------------
+m4_defun_once([_LT_REQUIRED_DARWIN_CHECKS],[
+  case $host_os in
+    rhapsody* | darwin*)
+    AC_CHECK_TOOL([DSYMUTIL], [dsymutil], [:])
+    AC_CHECK_TOOL([NMEDIT], [nmedit], [:])
+    AC_CHECK_TOOL([LIPO], [lipo], [:])
+    AC_CHECK_TOOL([OTOOL], [otool], [:])
+    AC_CHECK_TOOL([OTOOL64], [otool64], [:])
+    _LT_DECL([], [DSYMUTIL], [1],
+      [Tool to manipulate archived DWARF debug symbol files on Mac OS X])
+    _LT_DECL([], [NMEDIT], [1],
+      [Tool to change global to local symbols on Mac OS X])
+    _LT_DECL([], [LIPO], [1],
+      [Tool to manipulate fat objects and archives on Mac OS X])
+    _LT_DECL([], [OTOOL], [1],
+      [ldd/readelf like tool for Mach-O binaries on Mac OS X])
+    _LT_DECL([], [OTOOL64], [1],
+      [ldd/readelf like tool for 64 bit Mach-O binaries on Mac OS X 10.4])
+
+    AC_CACHE_CHECK([for -single_module linker flag],[lt_cv_apple_cc_single_mod],
+      [lt_cv_apple_cc_single_mod=no
+      if test -z "$LT_MULTI_MODULE"; then
+	# By default we will add the -single_module flag. You can override
+	# by either setting the environment variable LT_MULTI_MODULE
+	# non-empty at configure time, or by adding -multi_module to the
+	# link flags.
+	rm -rf libconftest.dylib*
+	echo "int foo(void){return 1;}" > conftest.c
+	echo "$LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \
+-dynamiclib -Wl,-single_module conftest.c" >&AS_MESSAGE_LOG_FD
+	$LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \
+	  -dynamiclib -Wl,-single_module conftest.c 2>conftest.err
+        _lt_result=$?
+	# If there is a non-empty error log, and "single_module"
+	# appears in it, assume the flag caused a linker warning
+        if test -s conftest.err && $GREP single_module conftest.err; then
+	  cat conftest.err >&AS_MESSAGE_LOG_FD
+	# Otherwise, if the output was created with a 0 exit code from
+	# the compiler, it worked.
+	elif test -f libconftest.dylib && test 0 = "$_lt_result"; then
+	  lt_cv_apple_cc_single_mod=yes
+	else
+	  cat conftest.err >&AS_MESSAGE_LOG_FD
+	fi
+	rm -rf libconftest.dylib*
+	rm -f conftest.*
+      fi])
+
+    AC_CACHE_CHECK([for -exported_symbols_list linker flag],
+      [lt_cv_ld_exported_symbols_list],
+      [lt_cv_ld_exported_symbols_list=no
+      save_LDFLAGS=$LDFLAGS
+      echo "_main" > conftest.sym
+      LDFLAGS="$LDFLAGS -Wl,-exported_symbols_list,conftest.sym"
+      AC_LINK_IFELSE([AC_LANG_PROGRAM([],[])],
+	[lt_cv_ld_exported_symbols_list=yes],
+	[lt_cv_ld_exported_symbols_list=no])
+	LDFLAGS=$save_LDFLAGS
+    ])
+
+    AC_CACHE_CHECK([for -force_load linker flag],[lt_cv_ld_force_load],
+      [lt_cv_ld_force_load=no
+      cat > conftest.c << _LT_EOF
+int forced_loaded() { return 2;}
+_LT_EOF
+      echo "$LTCC $LTCFLAGS -c -o conftest.o conftest.c" >&AS_MESSAGE_LOG_FD
+      $LTCC $LTCFLAGS -c -o conftest.o conftest.c 2>&AS_MESSAGE_LOG_FD
+      echo "$AR cr libconftest.a conftest.o" >&AS_MESSAGE_LOG_FD
+      $AR cr libconftest.a conftest.o 2>&AS_MESSAGE_LOG_FD
+      echo "$RANLIB libconftest.a" >&AS_MESSAGE_LOG_FD
+      $RANLIB libconftest.a 2>&AS_MESSAGE_LOG_FD
+      cat > conftest.c << _LT_EOF
+int main() { return 0;}
+_LT_EOF
+      echo "$LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a" >&AS_MESSAGE_LOG_FD
+      $LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a 2>conftest.err
+      _lt_result=$?
+      if test -s conftest.err && $GREP force_load conftest.err; then
+	cat conftest.err >&AS_MESSAGE_LOG_FD
+      elif test -f conftest && test 0 = "$_lt_result" && $GREP forced_load conftest >/dev/null 2>&1; then
+	lt_cv_ld_force_load=yes
+      else
+	cat conftest.err >&AS_MESSAGE_LOG_FD
+      fi
+        rm -f conftest.err libconftest.a conftest conftest.c
+        rm -rf conftest.dSYM
+    ])
+    case $host_os in
+    rhapsody* | darwin1.[[012]])
+      _lt_dar_allow_undefined='$wl-undefined ${wl}suppress' ;;
+    darwin1.*)
+      _lt_dar_allow_undefined='$wl-flat_namespace $wl-undefined ${wl}suppress' ;;
+    darwin*) # darwin 5.x on
+      # if running on 10.5 or later, the deployment target defaults
+      # to the OS version, if on x86, and 10.4, the deployment
+      # target defaults to 10.4. Don't you love it?
+      case ${MACOSX_DEPLOYMENT_TARGET-10.0},$host in
+	10.0,*86*-darwin8*|10.0,*-darwin[[912]]*)
+	  _lt_dar_allow_undefined='$wl-undefined ${wl}dynamic_lookup' ;;
+	10.[[012]][[,.]]*)
+	  _lt_dar_allow_undefined='$wl-flat_namespace $wl-undefined ${wl}suppress' ;;
+	10.*|11.*)
+	  _lt_dar_allow_undefined='$wl-undefined ${wl}dynamic_lookup' ;;
+      esac
+    ;;
+  esac
+    if test yes = "$lt_cv_apple_cc_single_mod"; then
+      _lt_dar_single_mod='$single_module'
+    fi
+    if test yes = "$lt_cv_ld_exported_symbols_list"; then
+      _lt_dar_export_syms=' $wl-exported_symbols_list,$output_objdir/$libname-symbols.expsym'
+    else
+      _lt_dar_export_syms='~$NMEDIT -s $output_objdir/$libname-symbols.expsym $lib'
+    fi
+    if test : != "$DSYMUTIL" && test no = "$lt_cv_ld_force_load"; then
+      _lt_dsymutil='~$DSYMUTIL $lib || :'
+    else
+      _lt_dsymutil=
+    fi
+    ;;
+  esac
+])
+
+
+# _LT_DARWIN_LINKER_FEATURES([TAG])
+# ---------------------------------
+# Checks for linker and compiler features on darwin
+m4_defun([_LT_DARWIN_LINKER_FEATURES],
+[
+  m4_require([_LT_REQUIRED_DARWIN_CHECKS])
+  _LT_TAGVAR(archive_cmds_need_lc, $1)=no
+  _LT_TAGVAR(hardcode_direct, $1)=no
+  _LT_TAGVAR(hardcode_automatic, $1)=yes
+  _LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
+  if test yes = "$lt_cv_ld_force_load"; then
+    _LT_TAGVAR(whole_archive_flag_spec, $1)='`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience $wl-force_load,$conv\"; done; func_echo_all \"$new_convenience\"`'
+    m4_case([$1], [F77], [_LT_TAGVAR(compiler_needs_object, $1)=yes],
+                  [FC],  [_LT_TAGVAR(compiler_needs_object, $1)=yes])
+  else
+    _LT_TAGVAR(whole_archive_flag_spec, $1)=''
+  fi
+  _LT_TAGVAR(link_all_deplibs, $1)=yes
+  _LT_TAGVAR(allow_undefined_flag, $1)=$_lt_dar_allow_undefined
+  case $cc_basename in
+     ifort*|nagfor*) _lt_dar_can_shared=yes ;;
+     *) _lt_dar_can_shared=$GCC ;;
+  esac
+  if test yes = "$_lt_dar_can_shared"; then
+    output_verbose_link_cmd=func_echo_all
+    _LT_TAGVAR(archive_cmds, $1)="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod$_lt_dsymutil"
+    _LT_TAGVAR(module_cmds, $1)="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags$_lt_dsymutil"
+    _LT_TAGVAR(archive_expsym_cmds, $1)="sed 's|^|_|' < \$export_symbols > \$output_objdir/\$libname-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod$_lt_dar_export_syms$_lt_dsymutil"
+    _LT_TAGVAR(module_expsym_cmds, $1)="sed -e 's|^|_|' < \$export_symbols > \$output_objdir/\$libname-symbols.expsym~\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags$_lt_dar_export_syms$_lt_dsymutil"
+    m4_if([$1], [CXX],
+[   if test yes != "$lt_cv_apple_cc_single_mod"; then
+      _LT_TAGVAR(archive_cmds, $1)="\$CC -r -keep_private_externs -nostdlib -o \$lib-master.o \$libobjs~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$lib-master.o \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring$_lt_dsymutil"
+      _LT_TAGVAR(archive_expsym_cmds, $1)="sed 's|^|_|' < \$export_symbols > \$output_objdir/\$libname-symbols.expsym~\$CC -r -keep_private_externs -nostdlib -o \$lib-master.o \$libobjs~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$lib-master.o \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring$_lt_dar_export_syms$_lt_dsymutil"
+    fi
+],[])
+  else
+  _LT_TAGVAR(ld_shlibs, $1)=no
+  fi
+])
+
+# _LT_SYS_MODULE_PATH_AIX([TAGNAME])
+# ----------------------------------
+# Links a minimal program and checks the executable
+# for the system default hardcoded library path. In most cases,
+# this is /usr/lib:/lib, but when the MPI compilers are used
+# the location of the communication and MPI libs are included too.
+# If we don't find anything, use the default library path according
+# to the aix ld manual.
+# Store the results from the different compilers for each TAGNAME.
+# Allow to override them for all tags through lt_cv_aix_libpath.
+m4_defun([_LT_SYS_MODULE_PATH_AIX],
+[m4_require([_LT_DECL_SED])dnl
+if test set = "${lt_cv_aix_libpath+set}"; then
+  aix_libpath=$lt_cv_aix_libpath
+else
+  AC_CACHE_VAL([_LT_TAGVAR([lt_cv_aix_libpath_], [$1])],
+  [AC_LINK_IFELSE([AC_LANG_PROGRAM],[
+  lt_aix_libpath_sed='[
+      /Import File Strings/,/^$/ {
+	  /^0/ {
+	      s/^0  *\([^ ]*\) *$/\1/
+	      p
+	  }
+      }]'
+  _LT_TAGVAR([lt_cv_aix_libpath_], [$1])=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+  # Check for a 64-bit object if we didn't find anything.
+  if test -z "$_LT_TAGVAR([lt_cv_aix_libpath_], [$1])"; then
+    _LT_TAGVAR([lt_cv_aix_libpath_], [$1])=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+  fi],[])
+  if test -z "$_LT_TAGVAR([lt_cv_aix_libpath_], [$1])"; then
+    _LT_TAGVAR([lt_cv_aix_libpath_], [$1])=/usr/lib:/lib
+  fi
+  ])
+  aix_libpath=$_LT_TAGVAR([lt_cv_aix_libpath_], [$1])
+fi
+])# _LT_SYS_MODULE_PATH_AIX
+
+
+# _LT_SHELL_INIT(ARG)
+# -------------------
+m4_define([_LT_SHELL_INIT],
+[m4_divert_text([M4SH-INIT], [$1
+])])# _LT_SHELL_INIT
+
+
+
+# _LT_PROG_ECHO_BACKSLASH
+# -----------------------
+# Find how we can fake an echo command that does not interpret backslash.
+# In particular, with Autoconf 2.60 or later we add some code to the start
+# of the generated configure script that will find a shell with a builtin
+# printf (that we can use as an echo command).
+m4_defun([_LT_PROG_ECHO_BACKSLASH],
+[ECHO='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
+ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO
+ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO$ECHO
+
+AC_MSG_CHECKING([how to print strings])
+# Test print first, because it will be a builtin if present.
+if test "X`( print -r -- -n ) 2>/dev/null`" = X-n && \
+   test "X`print -r -- $ECHO 2>/dev/null`" = "X$ECHO"; then
+  ECHO='print -r --'
+elif test "X`printf %s $ECHO 2>/dev/null`" = "X$ECHO"; then
+  ECHO='printf %s\n'
+else
+  # Use this function as a fallback that always works.
+  func_fallback_echo ()
+  {
+    eval 'cat <<_LTECHO_EOF
+$[]1
+_LTECHO_EOF'
+  }
+  ECHO='func_fallback_echo'
+fi
+
+# func_echo_all arg...
+# Invoke $ECHO with all args, space-separated.
+func_echo_all ()
+{
+    $ECHO "$*"
+}
+
+case $ECHO in
+  printf*) AC_MSG_RESULT([printf]) ;;
+  print*) AC_MSG_RESULT([print -r]) ;;
+  *) AC_MSG_RESULT([cat]) ;;
+esac
+
+m4_ifdef([_AS_DETECT_SUGGESTED],
+[_AS_DETECT_SUGGESTED([
+  test -n "${ZSH_VERSION+set}${BASH_VERSION+set}" || (
+    ECHO='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
+    ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO
+    ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO$ECHO
+    PATH=/empty FPATH=/empty; export PATH FPATH
+    test "X`printf %s $ECHO`" = "X$ECHO" \
+      || test "X`print -r -- $ECHO`" = "X$ECHO" )])])
+
+_LT_DECL([], [SHELL], [1], [Shell to use when invoking shell scripts])
+_LT_DECL([], [ECHO], [1], [An echo program that protects backslashes])
+])# _LT_PROG_ECHO_BACKSLASH
+
+
+# _LT_WITH_SYSROOT
+# ----------------
+AC_DEFUN([_LT_WITH_SYSROOT],
+[AC_MSG_CHECKING([for sysroot])
+AC_ARG_WITH([sysroot],
+[AS_HELP_STRING([--with-sysroot@<:@=DIR@:>@],
+  [Search for dependent libraries within DIR (or the compiler's sysroot
+   if not specified).])],
+[], [with_sysroot=no])
+
+dnl lt_sysroot will always be passed unquoted.  We quote it here
+dnl in case the user passed a directory name.
+lt_sysroot=
+case $with_sysroot in #(
+ yes)
+   if test yes = "$GCC"; then
+     lt_sysroot=`$CC --print-sysroot 2>/dev/null`
+   fi
+   ;; #(
+ /*)
+   lt_sysroot=`echo "$with_sysroot" | sed -e "$sed_quote_subst"`
+   ;; #(
+ no|'')
+   ;; #(
+ *)
+   AC_MSG_RESULT([$with_sysroot])
+   AC_MSG_ERROR([The sysroot must be an absolute path.])
+   ;;
+esac
+
+ AC_MSG_RESULT([${lt_sysroot:-no}])
+_LT_DECL([], [lt_sysroot], [0], [The root where to search for ]dnl
+[dependent libraries, and where our libraries should be installed.])])
+
+# _LT_ENABLE_LOCK
+# ---------------
+m4_defun([_LT_ENABLE_LOCK],
+[AC_ARG_ENABLE([libtool-lock],
+  [AS_HELP_STRING([--disable-libtool-lock],
+    [avoid locking (might break parallel builds)])])
+test no = "$enable_libtool_lock" || enable_libtool_lock=yes
+
+# Some flags need to be propagated to the compiler or linker for good
+# libtool support.
+case $host in
+ia64-*-hpux*)
+  # Find out what ABI is being produced by ac_compile, and set mode
+  # options accordingly.
+  echo 'int i;' > conftest.$ac_ext
+  if AC_TRY_EVAL(ac_compile); then
+    case `/usr/bin/file conftest.$ac_objext` in
+      *ELF-32*)
+	HPUX_IA64_MODE=32
+	;;
+      *ELF-64*)
+	HPUX_IA64_MODE=64
+	;;
+    esac
+  fi
+  rm -rf conftest*
+  ;;
+*-*-irix6*)
+  # Find out what ABI is being produced by ac_compile, and set linker
+  # options accordingly.
+  echo '[#]line '$LINENO' "configure"' > conftest.$ac_ext
+  if AC_TRY_EVAL(ac_compile); then
+    if test yes = "$lt_cv_prog_gnu_ld"; then
+      case `/usr/bin/file conftest.$ac_objext` in
+	*32-bit*)
+	  LD="${LD-ld} -melf32bsmip"
+	  ;;
+	*N32*)
+	  LD="${LD-ld} -melf32bmipn32"
+	  ;;
+	*64-bit*)
+	  LD="${LD-ld} -melf64bmip"
+	;;
+      esac
+    else
+      case `/usr/bin/file conftest.$ac_objext` in
+	*32-bit*)
+	  LD="${LD-ld} -32"
+	  ;;
+	*N32*)
+	  LD="${LD-ld} -n32"
+	  ;;
+	*64-bit*)
+	  LD="${LD-ld} -64"
+	  ;;
+      esac
+    fi
+  fi
+  rm -rf conftest*
+  ;;
+
+mips64*-*linux*)
+  # Find out what ABI is being produced by ac_compile, and set linker
+  # options accordingly.
+  echo '[#]line '$LINENO' "configure"' > conftest.$ac_ext
+  if AC_TRY_EVAL(ac_compile); then
+    emul=elf
+    case `/usr/bin/file conftest.$ac_objext` in
+      *32-bit*)
+	emul="${emul}32"
+	;;
+      *64-bit*)
+	emul="${emul}64"
+	;;
+    esac
+    case `/usr/bin/file conftest.$ac_objext` in
+      *MSB*)
+	emul="${emul}btsmip"
+	;;
+      *LSB*)
+	emul="${emul}ltsmip"
+	;;
+    esac
+    case `/usr/bin/file conftest.$ac_objext` in
+      *N32*)
+	emul="${emul}n32"
+	;;
+    esac
+    LD="${LD-ld} -m $emul"
+  fi
+  rm -rf conftest*
+  ;;
+
+x86_64-*kfreebsd*-gnu|x86_64-*linux*|powerpc*-*linux*| \
+s390*-*linux*|s390*-*tpf*|sparc*-*linux*)
+  # Find out what ABI is being produced by ac_compile, and set linker
+  # options accordingly.  Note that the listed cases only cover the
+  # situations where additional linker options are needed (such as when
+  # doing 32-bit compilation for a host where ld defaults to 64-bit, or
+  # vice versa); the common cases where no linker options are needed do
+  # not appear in the list.
+  echo 'int i;' > conftest.$ac_ext
+  if AC_TRY_EVAL(ac_compile); then
+    case `/usr/bin/file conftest.o` in
+      *32-bit*)
+	case $host in
+	  x86_64-*kfreebsd*-gnu)
+	    LD="${LD-ld} -m elf_i386_fbsd"
+	    ;;
+	  x86_64-*linux*)
+	    case `/usr/bin/file conftest.o` in
+	      *x86-64*)
+		LD="${LD-ld} -m elf32_x86_64"
+		;;
+	      *)
+		LD="${LD-ld} -m elf_i386"
+		;;
+	    esac
+	    ;;
+	  powerpc64le-*linux*)
+	    LD="${LD-ld} -m elf32lppclinux"
+	    ;;
+	  powerpc64-*linux*)
+	    LD="${LD-ld} -m elf32ppclinux"
+	    ;;
+	  s390x-*linux*)
+	    LD="${LD-ld} -m elf_s390"
+	    ;;
+	  sparc64-*linux*)
+	    LD="${LD-ld} -m elf32_sparc"
+	    ;;
+	esac
+	;;
+      *64-bit*)
+	case $host in
+	  x86_64-*kfreebsd*-gnu)
+	    LD="${LD-ld} -m elf_x86_64_fbsd"
+	    ;;
+	  x86_64-*linux*)
+	    LD="${LD-ld} -m elf_x86_64"
+	    ;;
+	  powerpcle-*linux*)
+	    LD="${LD-ld} -m elf64lppc"
+	    ;;
+	  powerpc-*linux*)
+	    LD="${LD-ld} -m elf64ppc"
+	    ;;
+	  s390*-*linux*|s390*-*tpf*)
+	    LD="${LD-ld} -m elf64_s390"
+	    ;;
+	  sparc*-*linux*)
+	    LD="${LD-ld} -m elf64_sparc"
+	    ;;
+	esac
+	;;
+    esac
+  fi
+  rm -rf conftest*
+  ;;
+
+*-*-sco3.2v5*)
+  # On SCO OpenServer 5, we need -belf to get full-featured binaries.
+  SAVE_CFLAGS=$CFLAGS
+  CFLAGS="$CFLAGS -belf"
+  AC_CACHE_CHECK([whether the C compiler needs -belf], lt_cv_cc_needs_belf,
+    [AC_LANG_PUSH(C)
+     AC_LINK_IFELSE([AC_LANG_PROGRAM([[]],[[]])],[lt_cv_cc_needs_belf=yes],[lt_cv_cc_needs_belf=no])
+     AC_LANG_POP])
+  if test yes != "$lt_cv_cc_needs_belf"; then
+    # this is probably gcc 2.8.0, egcs 1.0 or newer; no need for -belf
+    CFLAGS=$SAVE_CFLAGS
+  fi
+  ;;
+*-*solaris*)
+  # Find out what ABI is being produced by ac_compile, and set linker
+  # options accordingly.
+  echo 'int i;' > conftest.$ac_ext
+  if AC_TRY_EVAL(ac_compile); then
+    case `/usr/bin/file conftest.o` in
+    *64-bit*)
+      case $lt_cv_prog_gnu_ld in
+      yes*)
+        case $host in
+        i?86-*-solaris*|x86_64-*-solaris*)
+          LD="${LD-ld} -m elf_x86_64"
+          ;;
+        sparc*-*-solaris*)
+          LD="${LD-ld} -m elf64_sparc"
+          ;;
+        esac
+        # GNU ld 2.21 introduced _sol2 emulations.  Use them if available.
+        if ${LD-ld} -V | grep _sol2 >/dev/null 2>&1; then
+          LD=${LD-ld}_sol2
+        fi
+        ;;
+      *)
+	if ${LD-ld} -64 -r -o conftest2.o conftest.o >/dev/null 2>&1; then
+	  LD="${LD-ld} -64"
+	fi
+	;;
+      esac
+      ;;
+    esac
+  fi
+  rm -rf conftest*
+  ;;
+esac
+
+need_locks=$enable_libtool_lock
+])# _LT_ENABLE_LOCK
+
+
+# _LT_PROG_AR
+# -----------
+m4_defun([_LT_PROG_AR],
+[AC_CHECK_TOOLS(AR, [ar], false)
+: ${AR=ar}
+: ${AR_FLAGS=cr}
+_LT_DECL([], [AR], [1], [The archiver])
+_LT_DECL([], [AR_FLAGS], [1], [Flags to create an archive])
+
+AC_CACHE_CHECK([for archiver @FILE support], [lt_cv_ar_at_file],
+  [lt_cv_ar_at_file=no
+   AC_COMPILE_IFELSE([AC_LANG_PROGRAM],
+     [echo conftest.$ac_objext > conftest.lst
+      lt_ar_try='$AR $AR_FLAGS libconftest.a @conftest.lst >&AS_MESSAGE_LOG_FD'
+      AC_TRY_EVAL([lt_ar_try])
+      if test 0 -eq "$ac_status"; then
+	# Ensure the archiver fails upon bogus file names.
+	rm -f conftest.$ac_objext libconftest.a
+	AC_TRY_EVAL([lt_ar_try])
+	if test 0 -ne "$ac_status"; then
+          lt_cv_ar_at_file=@
+        fi
+      fi
+      rm -f conftest.* libconftest.a
+     ])
+  ])
+
+if test no = "$lt_cv_ar_at_file"; then
+  archiver_list_spec=
+else
+  archiver_list_spec=$lt_cv_ar_at_file
+fi
+_LT_DECL([], [archiver_list_spec], [1],
+  [How to feed a file listing to the archiver])
+])# _LT_PROG_AR
+
+
+# _LT_CMD_OLD_ARCHIVE
+# -------------------
+m4_defun([_LT_CMD_OLD_ARCHIVE],
+[_LT_PROG_AR
+
+AC_CHECK_TOOL(STRIP, strip, :)
+test -z "$STRIP" && STRIP=:
+_LT_DECL([], [STRIP], [1], [A symbol stripping program])
+
+AC_CHECK_TOOL(RANLIB, ranlib, :)
+test -z "$RANLIB" && RANLIB=:
+_LT_DECL([], [RANLIB], [1],
+    [Commands used to install an old-style archive])
+
+# Determine commands to create old-style static archives.
+old_archive_cmds='$AR $AR_FLAGS $oldlib$oldobjs'
+old_postinstall_cmds='chmod 644 $oldlib'
+old_postuninstall_cmds=
+
+if test -n "$RANLIB"; then
+  case $host_os in
+  bitrig* | openbsd*)
+    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$tool_oldlib"
+    ;;
+  *)
+    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$tool_oldlib"
+    ;;
+  esac
+  old_archive_cmds="$old_archive_cmds~\$RANLIB \$tool_oldlib"
+fi
+
+case $host_os in
+  darwin*)
+    lock_old_archive_extraction=yes ;;
+  *)
+    lock_old_archive_extraction=no ;;
+esac
+_LT_DECL([], [old_postinstall_cmds], [2])
+_LT_DECL([], [old_postuninstall_cmds], [2])
+_LT_TAGDECL([], [old_archive_cmds], [2],
+    [Commands used to build an old-style archive])
+_LT_DECL([], [lock_old_archive_extraction], [0],
+    [Whether to use a lock for old archive extraction])
+])# _LT_CMD_OLD_ARCHIVE
+
+
+# _LT_COMPILER_OPTION(MESSAGE, VARIABLE-NAME, FLAGS,
+#		[OUTPUT-FILE], [ACTION-SUCCESS], [ACTION-FAILURE])
+# ----------------------------------------------------------------
+# Check whether the given compiler option works
+AC_DEFUN([_LT_COMPILER_OPTION],
+[m4_require([_LT_FILEUTILS_DEFAULTS])dnl
+m4_require([_LT_DECL_SED])dnl
+AC_CACHE_CHECK([$1], [$2],
+  [$2=no
+   m4_if([$4], , [ac_outfile=conftest.$ac_objext], [ac_outfile=$4])
+   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
+   lt_compiler_flag="$3"  ## exclude from sc_useless_quotes_in_assignment
+   # Insert the option either (1) after the last *FLAGS variable, or
+   # (2) before a word containing "conftest.", or (3) at the end.
+   # Note that $ac_compile itself does not contain backslashes and begins
+   # with a dollar sign (not a hyphen), so the echo should work correctly.
+   # The option is referenced via a variable to avoid confusing sed.
+   lt_compile=`echo "$ac_compile" | $SED \
+   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
+   -e 's: [[^ ]]*conftest\.: $lt_compiler_flag&:; t' \
+   -e 's:$: $lt_compiler_flag:'`
+   (eval echo "\"\$as_me:$LINENO: $lt_compile\"" >&AS_MESSAGE_LOG_FD)
+   (eval "$lt_compile" 2>conftest.err)
+   ac_status=$?
+   cat conftest.err >&AS_MESSAGE_LOG_FD
+   echo "$as_me:$LINENO: \$? = $ac_status" >&AS_MESSAGE_LOG_FD
+   if (exit $ac_status) && test -s "$ac_outfile"; then
+     # The compiler can only warn and ignore the option if not recognized
+     # So say no if there are warnings other than the usual output.
+     $ECHO "$_lt_compiler_boilerplate" | $SED '/^$/d' >conftest.exp
+     $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+     if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
+       $2=yes
+     fi
+   fi
+   $RM conftest*
+])
+
+if test yes = "[$]$2"; then
+    m4_if([$5], , :, [$5])
+else
+    m4_if([$6], , :, [$6])
+fi
+])# _LT_COMPILER_OPTION
+
+# Old name:
+AU_ALIAS([AC_LIBTOOL_COMPILER_OPTION], [_LT_COMPILER_OPTION])
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AC_LIBTOOL_COMPILER_OPTION], [])
+
+
+# _LT_LINKER_OPTION(MESSAGE, VARIABLE-NAME, FLAGS,
+#                  [ACTION-SUCCESS], [ACTION-FAILURE])
+# ----------------------------------------------------
+# Check whether the given linker option works
+AC_DEFUN([_LT_LINKER_OPTION],
+[m4_require([_LT_FILEUTILS_DEFAULTS])dnl
+m4_require([_LT_DECL_SED])dnl
+AC_CACHE_CHECK([$1], [$2],
+  [$2=no
+   save_LDFLAGS=$LDFLAGS
+   LDFLAGS="$LDFLAGS $3"
+   echo "$lt_simple_link_test_code" > conftest.$ac_ext
+   if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
+     # The linker can only warn and ignore the option if not recognized
+     # So say no if there are warnings
+     if test -s conftest.err; then
+       # Append any errors to the config.log.
+       cat conftest.err 1>&AS_MESSAGE_LOG_FD
+       $ECHO "$_lt_linker_boilerplate" | $SED '/^$/d' > conftest.exp
+       $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+       if diff conftest.exp conftest.er2 >/dev/null; then
+         $2=yes
+       fi
+     else
+       $2=yes
+     fi
+   fi
+   $RM -r conftest*
+   LDFLAGS=$save_LDFLAGS
+])
+
+if test yes = "[$]$2"; then
+    m4_if([$4], , :, [$4])
+else
+    m4_if([$5], , :, [$5])
+fi
+])# _LT_LINKER_OPTION
+
+# Old name:
+AU_ALIAS([AC_LIBTOOL_LINKER_OPTION], [_LT_LINKER_OPTION])
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AC_LIBTOOL_LINKER_OPTION], [])
+
+
+# LT_CMD_MAX_LEN
+#---------------
+AC_DEFUN([LT_CMD_MAX_LEN],
+[AC_REQUIRE([AC_CANONICAL_HOST])dnl
+# find the maximum length of command line arguments
+AC_MSG_CHECKING([the maximum length of command line arguments])
+AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl
+  i=0
+  teststring=ABCD
+
+  case $build_os in
+  msdosdjgpp*)
+    # On DJGPP, this test can blow up pretty badly due to problems in libc
+    # (any single argument exceeding 2000 bytes causes a buffer overrun
+    # during glob expansion).  Even if it were fixed, the result of this
+    # check would be larger than it should be.
+    lt_cv_sys_max_cmd_len=12288;    # 12K is about right
+    ;;
+
+  gnu*)
+    # Under GNU Hurd, this test is not required because there is
+    # no limit to the length of command line arguments.
+    # Libtool will interpret -1 as no limit whatsoever
+    lt_cv_sys_max_cmd_len=-1;
+    ;;
+
+  cygwin* | mingw* | cegcc*)
+    # On Win9x/ME, this test blows up -- it succeeds, but takes
+    # about 5 minutes as the teststring grows exponentially.
+    # Worse, since 9x/ME are not pre-emptively multitasking,
+    # you end up with a "frozen" computer, even though with patience
+    # the test eventually succeeds (with a max line length of 256k).
+    # Instead, let's just punt: use the minimum linelength reported by
+    # all of the supported platforms: 8192 (on NT/2K/XP).
+    lt_cv_sys_max_cmd_len=8192;
+    ;;
+
+  mint*)
+    # On MiNT this can take a long time and run out of memory.
+    lt_cv_sys_max_cmd_len=8192;
+    ;;
+
+  amigaos*)
+    # On AmigaOS with pdksh, this test takes hours, literally.
+    # So we just punt and use a minimum line length of 8192.
+    lt_cv_sys_max_cmd_len=8192;
+    ;;
+
+  bitrig* | darwin* | dragonfly* | freebsd* | netbsd* | openbsd*)
+    # This has been around since 386BSD, at least.  Likely further.
+    if test -x /sbin/sysctl; then
+      lt_cv_sys_max_cmd_len=`/sbin/sysctl -n kern.argmax`
+    elif test -x /usr/sbin/sysctl; then
+      lt_cv_sys_max_cmd_len=`/usr/sbin/sysctl -n kern.argmax`
+    else
+      lt_cv_sys_max_cmd_len=65536	# usable default for all BSDs
+    fi
+    # And add a safety zone
+    lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4`
+    lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3`
+    ;;
+
+  interix*)
+    # We know the value 262144 and hardcode it with a safety zone (like BSD)
+    lt_cv_sys_max_cmd_len=196608
+    ;;
+
+  os2*)
+    # The test takes a long time on OS/2.
+    lt_cv_sys_max_cmd_len=8192
+    ;;
+
+  osf*)
+    # Dr. Hans Ekkehard Plesser reports seeing a kernel panic running configure
+    # due to this test when exec_disable_arg_limit is 1 on Tru64. It is not
+    # nice to cause kernel panics so lets avoid the loop below.
+    # First set a reasonable default.
+    lt_cv_sys_max_cmd_len=16384
+    #
+    if test -x /sbin/sysconfig; then
+      case `/sbin/sysconfig -q proc exec_disable_arg_limit` in
+        *1*) lt_cv_sys_max_cmd_len=-1 ;;
+      esac
+    fi
+    ;;
+  sco3.2v5*)
+    lt_cv_sys_max_cmd_len=102400
+    ;;
+  sysv5* | sco5v6* | sysv4.2uw2*)
+    kargmax=`grep ARG_MAX /etc/conf/cf.d/stune 2>/dev/null`
+    if test -n "$kargmax"; then
+      lt_cv_sys_max_cmd_len=`echo $kargmax | sed 's/.*[[	 ]]//'`
+    else
+      lt_cv_sys_max_cmd_len=32768
+    fi
+    ;;
+  *)
+    lt_cv_sys_max_cmd_len=`(getconf ARG_MAX) 2> /dev/null`
+    if test -n "$lt_cv_sys_max_cmd_len" && \
+       test undefined != "$lt_cv_sys_max_cmd_len"; then
+      lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4`
+      lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3`
+    else
+      # Make teststring a little bigger before we do anything with it.
+      # a 1K string should be a reasonable start.
+      for i in 1 2 3 4 5 6 7 8; do
+        teststring=$teststring$teststring
+      done
+      SHELL=${SHELL-${CONFIG_SHELL-/bin/sh}}
+      # If test is not a shell built-in, we'll probably end up computing a
+      # maximum length that is only half of the actual maximum length, but
+      # we can't tell.
+      while { test X`env echo "$teststring$teststring" 2>/dev/null` \
+	         = "X$teststring$teststring"; } >/dev/null 2>&1 &&
+	      test 17 != "$i" # 1/2 MB should be enough
+      do
+        i=`expr $i + 1`
+        teststring=$teststring$teststring
+      done
+      # Only check the string length outside the loop.
+      lt_cv_sys_max_cmd_len=`expr "X$teststring" : ".*" 2>&1`
+      teststring=
+      # Add a significant safety factor because C++ compilers can tack on
+      # massive amounts of additional arguments before passing them to the
+      # linker.  It appears as though 1/2 is a usable value.
+      lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 2`
+    fi
+    ;;
+  esac
+])
+if test -n "$lt_cv_sys_max_cmd_len"; then
+  AC_MSG_RESULT($lt_cv_sys_max_cmd_len)
+else
+  AC_MSG_RESULT(none)
+fi
+max_cmd_len=$lt_cv_sys_max_cmd_len
+_LT_DECL([], [max_cmd_len], [0],
+    [What is the maximum length of a command?])
+])# LT_CMD_MAX_LEN
+
+# Old name:
+AU_ALIAS([AC_LIBTOOL_SYS_MAX_CMD_LEN], [LT_CMD_MAX_LEN])
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AC_LIBTOOL_SYS_MAX_CMD_LEN], [])
+
+
+# _LT_HEADER_DLFCN
+# ----------------
+m4_defun([_LT_HEADER_DLFCN],
+[AC_CHECK_HEADERS([dlfcn.h], [], [], [AC_INCLUDES_DEFAULT])dnl
+])# _LT_HEADER_DLFCN
+
+
+# _LT_TRY_DLOPEN_SELF (ACTION-IF-TRUE, ACTION-IF-TRUE-W-USCORE,
+#                      ACTION-IF-FALSE, ACTION-IF-CROSS-COMPILING)
+# ----------------------------------------------------------------
+m4_defun([_LT_TRY_DLOPEN_SELF],
+[m4_require([_LT_HEADER_DLFCN])dnl
+if test yes = "$cross_compiling"; then :
+  [$4]
+else
+  lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
+  lt_status=$lt_dlunknown
+  cat > conftest.$ac_ext <<_LT_EOF
+[#line $LINENO "configure"
+#include "confdefs.h"
+
+#if HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
+
+#include <stdio.h>
+
+#ifdef RTLD_GLOBAL
+#  define LT_DLGLOBAL		RTLD_GLOBAL
+#else
+#  ifdef DL_GLOBAL
+#    define LT_DLGLOBAL		DL_GLOBAL
+#  else
+#    define LT_DLGLOBAL		0
+#  endif
+#endif
+
+/* We may have to define LT_DLLAZY_OR_NOW in the command line if we
+   find out it does not work in some platform. */
+#ifndef LT_DLLAZY_OR_NOW
+#  ifdef RTLD_LAZY
+#    define LT_DLLAZY_OR_NOW		RTLD_LAZY
+#  else
+#    ifdef DL_LAZY
+#      define LT_DLLAZY_OR_NOW		DL_LAZY
+#    else
+#      ifdef RTLD_NOW
+#        define LT_DLLAZY_OR_NOW	RTLD_NOW
+#      else
+#        ifdef DL_NOW
+#          define LT_DLLAZY_OR_NOW	DL_NOW
+#        else
+#          define LT_DLLAZY_OR_NOW	0
+#        endif
+#      endif
+#    endif
+#  endif
+#endif
+
+/* When -fvisibility=hidden is used, assume the code has been annotated
+   correspondingly for the symbols needed.  */
+#if defined __GNUC__ && (((__GNUC__ == 3) && (__GNUC_MINOR__ >= 3)) || (__GNUC__ > 3))
+int fnord () __attribute__((visibility("default")));
+#endif
+
+int fnord () { return 42; }
+int main ()
+{
+  void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
+  int status = $lt_dlunknown;
+
+  if (self)
+    {
+      if (dlsym (self,"fnord"))       status = $lt_dlno_uscore;
+      else
+        {
+	  if (dlsym( self,"_fnord"))  status = $lt_dlneed_uscore;
+          else puts (dlerror ());
+	}
+      /* dlclose (self); */
+    }
+  else
+    puts (dlerror ());
+
+  return status;
+}]
+_LT_EOF
+  if AC_TRY_EVAL(ac_link) && test -s "conftest$ac_exeext" 2>/dev/null; then
+    (./conftest; exit; ) >&AS_MESSAGE_LOG_FD 2>/dev/null
+    lt_status=$?
+    case x$lt_status in
+      x$lt_dlno_uscore) $1 ;;
+      x$lt_dlneed_uscore) $2 ;;
+      x$lt_dlunknown|x*) $3 ;;
+    esac
+  else :
+    # compilation failed
+    $3
+  fi
+fi
+rm -fr conftest*
+])# _LT_TRY_DLOPEN_SELF
+
+
+# LT_SYS_DLOPEN_SELF
+# ------------------
+AC_DEFUN([LT_SYS_DLOPEN_SELF],
+[m4_require([_LT_HEADER_DLFCN])dnl
+if test yes != "$enable_dlopen"; then
+  enable_dlopen=unknown
+  enable_dlopen_self=unknown
+  enable_dlopen_self_static=unknown
+else
+  lt_cv_dlopen=no
+  lt_cv_dlopen_libs=
+
+  case $host_os in
+  beos*)
+    lt_cv_dlopen=load_add_on
+    lt_cv_dlopen_libs=
+    lt_cv_dlopen_self=yes
+    ;;
+
+  mingw* | pw32* | cegcc*)
+    lt_cv_dlopen=LoadLibrary
+    lt_cv_dlopen_libs=
+    ;;
+
+  cygwin*)
+    lt_cv_dlopen=dlopen
+    lt_cv_dlopen_libs=
+    ;;
+
+  darwin*)
+    # if libdl is installed we need to link against it
+    AC_CHECK_LIB([dl], [dlopen],
+		[lt_cv_dlopen=dlopen lt_cv_dlopen_libs=-ldl],[
+    lt_cv_dlopen=dyld
+    lt_cv_dlopen_libs=
+    lt_cv_dlopen_self=yes
+    ])
+    ;;
+
+  tpf*)
+    # Don't try to run any link tests for TPF.  We know it's impossible
+    # because TPF is a cross-compiler, and we know how we open DSOs.
+    lt_cv_dlopen=dlopen
+    lt_cv_dlopen_libs=
+    lt_cv_dlopen_self=no
+    ;;
+
+  *)
+    AC_CHECK_FUNC([shl_load],
+	  [lt_cv_dlopen=shl_load],
+      [AC_CHECK_LIB([dld], [shl_load],
+	    [lt_cv_dlopen=shl_load lt_cv_dlopen_libs=-ldld],
+	[AC_CHECK_FUNC([dlopen],
+	      [lt_cv_dlopen=dlopen],
+	  [AC_CHECK_LIB([dl], [dlopen],
+		[lt_cv_dlopen=dlopen lt_cv_dlopen_libs=-ldl],
+	    [AC_CHECK_LIB([svld], [dlopen],
+		  [lt_cv_dlopen=dlopen lt_cv_dlopen_libs=-lsvld],
+	      [AC_CHECK_LIB([dld], [dld_link],
+		    [lt_cv_dlopen=dld_link lt_cv_dlopen_libs=-ldld])
+	      ])
+	    ])
+	  ])
+	])
+      ])
+    ;;
+  esac
+
+  if test no = "$lt_cv_dlopen"; then
+    enable_dlopen=no
+  else
+    enable_dlopen=yes
+  fi
+
+  case $lt_cv_dlopen in
+  dlopen)
+    save_CPPFLAGS=$CPPFLAGS
+    test yes = "$ac_cv_header_dlfcn_h" && CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H"
+
+    save_LDFLAGS=$LDFLAGS
+    wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\"
+
+    save_LIBS=$LIBS
+    LIBS="$lt_cv_dlopen_libs $LIBS"
+
+    AC_CACHE_CHECK([whether a program can dlopen itself],
+	  lt_cv_dlopen_self, [dnl
+	  _LT_TRY_DLOPEN_SELF(
+	    lt_cv_dlopen_self=yes, lt_cv_dlopen_self=yes,
+	    lt_cv_dlopen_self=no, lt_cv_dlopen_self=cross)
+    ])
+
+    if test yes = "$lt_cv_dlopen_self"; then
+      wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $lt_prog_compiler_static\"
+      AC_CACHE_CHECK([whether a statically linked program can dlopen itself],
+	  lt_cv_dlopen_self_static, [dnl
+	  _LT_TRY_DLOPEN_SELF(
+	    lt_cv_dlopen_self_static=yes, lt_cv_dlopen_self_static=yes,
+	    lt_cv_dlopen_self_static=no,  lt_cv_dlopen_self_static=cross)
+      ])
+    fi
+
+    CPPFLAGS=$save_CPPFLAGS
+    LDFLAGS=$save_LDFLAGS
+    LIBS=$save_LIBS
+    ;;
+  esac
+
+  case $lt_cv_dlopen_self in
+  yes|no) enable_dlopen_self=$lt_cv_dlopen_self ;;
+  *) enable_dlopen_self=unknown ;;
+  esac
+
+  case $lt_cv_dlopen_self_static in
+  yes|no) enable_dlopen_self_static=$lt_cv_dlopen_self_static ;;
+  *) enable_dlopen_self_static=unknown ;;
+  esac
+fi
+_LT_DECL([dlopen_support], [enable_dlopen], [0],
+	 [Whether dlopen is supported])
+_LT_DECL([dlopen_self], [enable_dlopen_self], [0],
+	 [Whether dlopen of programs is supported])
+_LT_DECL([dlopen_self_static], [enable_dlopen_self_static], [0],
+	 [Whether dlopen of statically linked programs is supported])
+])# LT_SYS_DLOPEN_SELF
+
+# Old name:
+AU_ALIAS([AC_LIBTOOL_DLOPEN_SELF], [LT_SYS_DLOPEN_SELF])
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AC_LIBTOOL_DLOPEN_SELF], [])
+
+
+# _LT_COMPILER_C_O([TAGNAME])
+# ---------------------------
+# Check to see if options -c and -o are simultaneously supported by compiler.
+# This macro does not hard code the compiler like AC_PROG_CC_C_O.
+m4_defun([_LT_COMPILER_C_O],
+[m4_require([_LT_DECL_SED])dnl
+m4_require([_LT_FILEUTILS_DEFAULTS])dnl
+m4_require([_LT_TAG_COMPILER])dnl
+AC_CACHE_CHECK([if $compiler supports -c -o file.$ac_objext],
+  [_LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)],
+  [_LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)=no
+   $RM -r conftest 2>/dev/null
+   mkdir conftest
+   cd conftest
+   mkdir out
+   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+   lt_compiler_flag="-o out/conftest2.$ac_objext"
+   # Insert the option either (1) after the last *FLAGS variable, or
+   # (2) before a word containing "conftest.", or (3) at the end.
+   # Note that $ac_compile itself does not contain backslashes and begins
+   # with a dollar sign (not a hyphen), so the echo should work correctly.
+   lt_compile=`echo "$ac_compile" | $SED \
+   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
+   -e 's: [[^ ]]*conftest\.: $lt_compiler_flag&:; t' \
+   -e 's:$: $lt_compiler_flag:'`
+   (eval echo "\"\$as_me:$LINENO: $lt_compile\"" >&AS_MESSAGE_LOG_FD)
+   (eval "$lt_compile" 2>out/conftest.err)
+   ac_status=$?
+   cat out/conftest.err >&AS_MESSAGE_LOG_FD
+   echo "$as_me:$LINENO: \$? = $ac_status" >&AS_MESSAGE_LOG_FD
+   if (exit $ac_status) && test -s out/conftest2.$ac_objext
+   then
+     # The compiler can only warn and ignore the option if not recognized
+     # So say no if there are warnings
+     $ECHO "$_lt_compiler_boilerplate" | $SED '/^$/d' > out/conftest.exp
+     $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2
+     if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then
+       _LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)=yes
+     fi
+   fi
+   chmod u+w . 2>&AS_MESSAGE_LOG_FD
+   $RM conftest*
+   # SGI C++ compiler will create directory out/ii_files/ for
+   # template instantiation
+   test -d out/ii_files && $RM out/ii_files/* && rmdir out/ii_files
+   $RM out/* && rmdir out
+   cd ..
+   $RM -r conftest
+   $RM conftest*
+])
+_LT_TAGDECL([compiler_c_o], [lt_cv_prog_compiler_c_o], [1],
+	[Does compiler simultaneously support -c and -o options?])
+])# _LT_COMPILER_C_O
+
+
+# _LT_COMPILER_FILE_LOCKS([TAGNAME])
+# ----------------------------------
+# Check to see if we can do hard links to lock some files if needed
+m4_defun([_LT_COMPILER_FILE_LOCKS],
+[m4_require([_LT_ENABLE_LOCK])dnl
+m4_require([_LT_FILEUTILS_DEFAULTS])dnl
+_LT_COMPILER_C_O([$1])
+
+hard_links=nottested
+if test no = "$_LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)" && test no != "$need_locks"; then
+  # do not overwrite the value of need_locks provided by the user
+  AC_MSG_CHECKING([if we can lock with hard links])
+  hard_links=yes
+  $RM conftest*
+  ln conftest.a conftest.b 2>/dev/null && hard_links=no
+  touch conftest.a
+  ln conftest.a conftest.b 2>&5 || hard_links=no
+  ln conftest.a conftest.b 2>/dev/null && hard_links=no
+  AC_MSG_RESULT([$hard_links])
+  if test no = "$hard_links"; then
+    AC_MSG_WARN(['$CC' does not support '-c -o', so 'make -j' may be unsafe])
+    need_locks=warn
+  fi
+else
+  need_locks=no
+fi
+_LT_DECL([], [need_locks], [1], [Must we lock files when doing compilation?])
+])# _LT_COMPILER_FILE_LOCKS
+
+
+# _LT_CHECK_OBJDIR
+# ----------------
+m4_defun([_LT_CHECK_OBJDIR],
+[AC_CACHE_CHECK([for objdir], [lt_cv_objdir],
+[rm -f .libs 2>/dev/null
+mkdir .libs 2>/dev/null
+if test -d .libs; then
+  lt_cv_objdir=.libs
+else
+  # MS-DOS does not allow filenames that begin with a dot.
+  lt_cv_objdir=_libs
+fi
+rmdir .libs 2>/dev/null])
+objdir=$lt_cv_objdir
+_LT_DECL([], [objdir], [0],
+         [The name of the directory that contains temporary libtool files])dnl
+m4_pattern_allow([LT_OBJDIR])dnl
+AC_DEFINE_UNQUOTED([LT_OBJDIR], "$lt_cv_objdir/",
+  [Define to the sub-directory where libtool stores uninstalled libraries.])
+])# _LT_CHECK_OBJDIR
+
+
+# _LT_LINKER_HARDCODE_LIBPATH([TAGNAME])
+# --------------------------------------
+# Check hardcoding attributes.
+m4_defun([_LT_LINKER_HARDCODE_LIBPATH],
+[AC_MSG_CHECKING([how to hardcode library paths into programs])
+_LT_TAGVAR(hardcode_action, $1)=
+if test -n "$_LT_TAGVAR(hardcode_libdir_flag_spec, $1)" ||
+   test -n "$_LT_TAGVAR(runpath_var, $1)" ||
+   test yes = "$_LT_TAGVAR(hardcode_automatic, $1)"; then
+
+  # We can hardcode non-existent directories.
+  if test no != "$_LT_TAGVAR(hardcode_direct, $1)" &&
+     # If the only mechanism to avoid hardcoding is shlibpath_var, we
+     # have to relink, otherwise we might link with an installed library
+     # when we should be linking with a yet-to-be-installed one
+     ## test no != "$_LT_TAGVAR(hardcode_shlibpath_var, $1)" &&
+     test no != "$_LT_TAGVAR(hardcode_minus_L, $1)"; then
+    # Linking always hardcodes the temporary library directory.
+    _LT_TAGVAR(hardcode_action, $1)=relink
+  else
+    # We can link without hardcoding, and we can hardcode nonexisting dirs.
+    _LT_TAGVAR(hardcode_action, $1)=immediate
+  fi
+else
+  # We cannot hardcode anything, or else we can only hardcode existing
+  # directories.
+  _LT_TAGVAR(hardcode_action, $1)=unsupported
+fi
+AC_MSG_RESULT([$_LT_TAGVAR(hardcode_action, $1)])
+
+if test relink = "$_LT_TAGVAR(hardcode_action, $1)" ||
+   test yes = "$_LT_TAGVAR(inherit_rpath, $1)"; then
+  # Fast installation is not supported
+  enable_fast_install=no
+elif test yes = "$shlibpath_overrides_runpath" ||
+     test no = "$enable_shared"; then
+  # Fast installation is not necessary
+  enable_fast_install=needless
+fi
+_LT_TAGDECL([], [hardcode_action], [0],
+    [How to hardcode a shared library path into an executable])
+])# _LT_LINKER_HARDCODE_LIBPATH
+
+
+# _LT_CMD_STRIPLIB
+# ----------------
+m4_defun([_LT_CMD_STRIPLIB],
+[m4_require([_LT_DECL_EGREP])
+striplib=
+old_striplib=
+AC_MSG_CHECKING([whether stripping libraries is possible])
+if test -n "$STRIP" && $STRIP -V 2>&1 | $GREP "GNU strip" >/dev/null; then
+  test -z "$old_striplib" && old_striplib="$STRIP --strip-debug"
+  test -z "$striplib" && striplib="$STRIP --strip-unneeded"
+  AC_MSG_RESULT([yes])
+else
+# FIXME - insert some real tests, host_os isn't really good enough
+  case $host_os in
+  darwin*)
+    if test -n "$STRIP"; then
+      striplib="$STRIP -x"
+      old_striplib="$STRIP -S"
+      AC_MSG_RESULT([yes])
+    else
+      AC_MSG_RESULT([no])
+    fi
+    ;;
+  *)
+    AC_MSG_RESULT([no])
+    ;;
+  esac
+fi
+_LT_DECL([], [old_striplib], [1], [Commands to strip libraries])
+_LT_DECL([], [striplib], [1])
+])# _LT_CMD_STRIPLIB
+
+
+# _LT_PREPARE_MUNGE_PATH_LIST
+# ---------------------------
+# Make sure func_munge_path_list() is defined correctly.
+m4_defun([_LT_PREPARE_MUNGE_PATH_LIST],
+[[# func_munge_path_list VARIABLE PATH
+# -----------------------------------
+# VARIABLE is name of variable containing _space_ separated list of
+# directories to be munged by the contents of PATH, which is string
+# having a format:
+# "DIR[:DIR]:"
+#       string "DIR[ DIR]" will be prepended to VARIABLE
+# ":DIR[:DIR]"
+#       string "DIR[ DIR]" will be appended to VARIABLE
+# "DIRP[:DIRP]::[DIRA:]DIRA"
+#       string "DIRP[ DIRP]" will be prepended to VARIABLE and string
+#       "DIRA[ DIRA]" will be appended to VARIABLE
+# "DIR[:DIR]"
+#       VARIABLE will be replaced by "DIR[ DIR]"
+func_munge_path_list ()
+{
+    case x@S|@2 in
+    x)
+        ;;
+    *:)
+        eval @S|@1=\"`$ECHO @S|@2 | $SED 's/:/ /g'` \@S|@@S|@1\"
+        ;;
+    x:*)
+        eval @S|@1=\"\@S|@@S|@1 `$ECHO @S|@2 | $SED 's/:/ /g'`\"
+        ;;
+    *::*)
+        eval @S|@1=\"\@S|@@S|@1\ `$ECHO @S|@2 | $SED -e 's/.*:://' -e 's/:/ /g'`\"
+        eval @S|@1=\"`$ECHO @S|@2 | $SED -e 's/::.*//' -e 's/:/ /g'`\ \@S|@@S|@1\"
+        ;;
+    *)
+        eval @S|@1=\"`$ECHO @S|@2 | $SED 's/:/ /g'`\"
+        ;;
+    esac
+}
+]])# _LT_PREPARE_PATH_LIST
+
+
+# _LT_SYS_DYNAMIC_LINKER([TAG])
+# -----------------------------
+# PORTME Fill in your ld.so characteristics
+m4_defun([_LT_SYS_DYNAMIC_LINKER],
+[AC_REQUIRE([AC_CANONICAL_HOST])dnl
+m4_require([_LT_DECL_EGREP])dnl
+m4_require([_LT_FILEUTILS_DEFAULTS])dnl
+m4_require([_LT_DECL_OBJDUMP])dnl
+m4_require([_LT_DECL_SED])dnl
+m4_require([_LT_CHECK_SHELL_FEATURES])dnl
+m4_require([_LT_PREPARE_MUNGE_PATH_LIST])dnl
+AC_MSG_CHECKING([dynamic linker characteristics])
+m4_if([$1],
+	[], [
+if test yes = "$GCC"; then
+  case $host_os in
+    darwin*) lt_awk_arg='/^libraries:/,/LR/' ;;
+    *) lt_awk_arg='/^libraries:/' ;;
+  esac
+  case $host_os in
+    mingw* | cegcc*) lt_sed_strip_eq='s|=\([[A-Za-z]]:\)|\1|g' ;;
+    *) lt_sed_strip_eq='s|=/|/|g' ;;
+  esac
+  lt_search_path_spec=`$CC -print-search-dirs | awk $lt_awk_arg | $SED -e "s/^libraries://" -e $lt_sed_strip_eq`
+  case $lt_search_path_spec in
+  *\;*)
+    # if the path contains ";" then we assume it to be the separator
+    # otherwise default to the standard path separator (i.e. ":") - it is
+    # assumed that no part of a normal pathname contains ";" but that should
+    # okay in the real world where ";" in dirpaths is itself problematic.
+    lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED 's/;/ /g'`
+    ;;
+  *)
+    lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED "s/$PATH_SEPARATOR/ /g"`
+    ;;
+  esac
+  # Ok, now we have the path, separated by spaces, we can step through it
+  # and add multilib dir if necessary...
+  lt_tmp_lt_search_path_spec=
+  lt_multi_os_dir=/`$CC $CPPFLAGS $CFLAGS $LDFLAGS -print-multi-os-directory 2>/dev/null`
+  # ...but if some path component already ends with the multilib dir we assume
+  # that all is fine and trust -print-search-dirs as is (GCC 4.2? or newer).
+  case "$lt_multi_os_dir; $lt_search_path_spec " in
+  "/; "* | "/.; "* | "/./; "* | *"$lt_multi_os_dir "* | *"$lt_multi_os_dir/ "*)
+    lt_multi_os_dir=
+    ;;
+  esac
+  for lt_sys_path in $lt_search_path_spec; do
+    if test -d "$lt_sys_path$lt_multi_os_dir"; then
+      lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path$lt_multi_os_dir"
+    elif test -n "$lt_multi_os_dir"; then
+      test -d "$lt_sys_path" && \
+	lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path"
+    fi
+  done
+  lt_search_path_spec=`$ECHO "$lt_tmp_lt_search_path_spec" | awk '
+BEGIN {RS = " "; FS = "/|\n";} {
+  lt_foo = "";
+  lt_count = 0;
+  for (lt_i = NF; lt_i > 0; lt_i--) {
+    if ($lt_i != "" && $lt_i != ".") {
+      if ($lt_i == "..") {
+        lt_count++;
+      } else {
+        if (lt_count == 0) {
+          lt_foo = "/" $lt_i lt_foo;
+        } else {
+          lt_count--;
+        }
+      }
+    }
+  }
+  if (lt_foo != "") { lt_freq[[lt_foo]]++; }
+  if (lt_freq[[lt_foo]] == 1) { print lt_foo; }
+}'`
+  # AWK program above erroneously prepends '/' to C:/dos/paths
+  # for these hosts.
+  case $host_os in
+    mingw* | cegcc*) lt_search_path_spec=`$ECHO "$lt_search_path_spec" |\
+      $SED 's|/\([[A-Za-z]]:\)|\1|g'` ;;
+  esac
+  sys_lib_search_path_spec=`$ECHO "$lt_search_path_spec" | $lt_NL2SP`
+else
+  sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
+fi])
+library_names_spec=
+libname_spec='lib$name'
+soname_spec=
+shrext_cmds=.so
+postinstall_cmds=
+postuninstall_cmds=
+finish_cmds=
+finish_eval=
+shlibpath_var=
+shlibpath_overrides_runpath=unknown
+version_type=none
+dynamic_linker="$host_os ld.so"
+sys_lib_dlsearch_path_spec="/lib /usr/lib"
+need_lib_prefix=unknown
+hardcode_into_libs=no
+
+# when you set need_version to no, make sure it does not cause -set_version
+# flags to be left without arguments
+need_version=unknown
+
+AC_ARG_VAR([LT_SYS_LIBRARY_PATH],
+[User-defined run-time library search path.])
+
+case $host_os in
+aix3*)
+  version_type=linux # correct to gnu/linux during the next big refactor
+  library_names_spec='$libname$release$shared_ext$versuffix $libname.a'
+  shlibpath_var=LIBPATH
+
+  # AIX 3 has no versioning support, so we append a major version to the name.
+  soname_spec='$libname$release$shared_ext$major'
+  ;;
+
+aix[[4-9]]*)
+  version_type=linux # correct to gnu/linux during the next big refactor
+  need_lib_prefix=no
+  need_version=no
+  hardcode_into_libs=yes
+  if test ia64 = "$host_cpu"; then
+    # AIX 5 supports IA64
+    library_names_spec='$libname$release$shared_ext$major $libname$release$shared_ext$versuffix $libname$shared_ext'
+    shlibpath_var=LD_LIBRARY_PATH
+  else
+    # With GCC up to 2.95.x, collect2 would create an import file
+    # for dependence libraries.  The import file would start with
+    # the line '#! .'.  This would cause the generated library to
+    # depend on '.', always an invalid library.  This was fixed in
+    # development snapshots of GCC prior to 3.0.
+    case $host_os in
+      aix4 | aix4.[[01]] | aix4.[[01]].*)
+      if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)'
+	   echo ' yes '
+	   echo '#endif'; } | $CC -E - | $GREP yes > /dev/null; then
+	:
+      else
+	can_build_shared=no
+      fi
+      ;;
+    esac
+    # Using Import Files as archive members, it is possible to support
+    # filename-based versioning of shared library archives on AIX. While
+    # this would work for both with and without runtime linking, it will
+    # prevent static linking of such archives. So we do filename-based
+    # shared library versioning with .so extension only, which is used
+    # when both runtime linking and shared linking is enabled.
+    # Unfortunately, runtime linking may impact performance, so we do
+    # not want this to be the default eventually. Also, we use the
+    # versioned .so libs for executables only if there is the -brtl
+    # linker flag in LDFLAGS as well, or --with-aix-soname=svr4 only.
+    # To allow for filename-based versioning support, we need to create
+    # libNAME.so.V as an archive file, containing:
+    # *) an Import File, referring to the versioned filename of the
+    #    archive as well as the shared archive member, telling the
+    #    bitwidth (32 or 64) of that shared object, and providing the
+    #    list of exported symbols of that shared object, eventually
+    #    decorated with the 'weak' keyword
+    # *) the shared object with the F_LOADONLY flag set, to really avoid
+    #    it being seen by the linker.
+    # At run time we better use the real file rather than another symlink,
+    # but for link time we create the symlink libNAME.so -> libNAME.so.V
+
+    case $with_aix_soname,$aix_use_runtimelinking in
+    # AIX (on Power*) has no versioning support, so currently we cannot hardcode correct
+    # soname into executable. Probably we can add versioning support to
+    # collect2, so additional links can be useful in future.
+    aix,yes) # traditional libtool
+      dynamic_linker='AIX unversionable lib.so'
+      # If using run time linking (on AIX 4.2 or later) use lib<name>.so
+      # instead of lib<name>.a to let people know that these are not
+      # typical AIX shared libraries.
+      library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
+      ;;
+    aix,no) # traditional AIX only
+      dynamic_linker='AIX lib.a[(]lib.so.V[)]'
+      # We preserve .a as extension for shared libraries through AIX4.2
+      # and later when we are not doing run time linking.
+      library_names_spec='$libname$release.a $libname.a'
+      soname_spec='$libname$release$shared_ext$major'
+      ;;
+    svr4,*) # full svr4 only
+      dynamic_linker="AIX lib.so.V[(]$shared_archive_member_spec.o[)]"
+      library_names_spec='$libname$release$shared_ext$major $libname$shared_ext'
+      # We do not specify a path in Import Files, so LIBPATH fires.
+      shlibpath_overrides_runpath=yes
+      ;;
+    *,yes) # both, prefer svr4
+      dynamic_linker="AIX lib.so.V[(]$shared_archive_member_spec.o[)], lib.a[(]lib.so.V[)]"
+      library_names_spec='$libname$release$shared_ext$major $libname$shared_ext'
+      # unpreferred sharedlib libNAME.a needs extra handling
+      postinstall_cmds='test -n "$linkname" || linkname="$realname"~func_stripname "" ".so" "$linkname"~$install_shared_prog "$dir/$func_stripname_result.$libext" "$destdir/$func_stripname_result.$libext"~test -z "$tstripme" || test -z "$striplib" || $striplib "$destdir/$func_stripname_result.$libext"'
+      postuninstall_cmds='for n in $library_names $old_library; do :; done~func_stripname "" ".so" "$n"~test "$func_stripname_result" = "$n" || func_append rmfiles " $odir/$func_stripname_result.$libext"'
+      # We do not specify a path in Import Files, so LIBPATH fires.
+      shlibpath_overrides_runpath=yes
+      ;;
+    *,no) # both, prefer aix
+      dynamic_linker="AIX lib.a[(]lib.so.V[)], lib.so.V[(]$shared_archive_member_spec.o[)]"
+      library_names_spec='$libname$release.a $libname.a'
+      soname_spec='$libname$release$shared_ext$major'
+      # unpreferred sharedlib libNAME.so.V and symlink libNAME.so need extra handling
+      postinstall_cmds='test -z "$dlname" || $install_shared_prog $dir/$dlname $destdir/$dlname~test -z "$tstripme" || test -z "$striplib" || $striplib $destdir/$dlname~test -n "$linkname" || linkname=$realname~func_stripname "" ".a" "$linkname"~(cd "$destdir" && $LN_S -f $dlname $func_stripname_result.so)'
+      postuninstall_cmds='test -z "$dlname" || func_append rmfiles " $odir/$dlname"~for n in $old_library $library_names; do :; done~func_stripname "" ".a" "$n"~func_append rmfiles " $odir/$func_stripname_result.so"'
+      ;;
+    esac
+    shlibpath_var=LIBPATH
+  fi
+  ;;
+
+amigaos*)
+  case $host_cpu in
+  powerpc)
+    # Since July 2007 AmigaOS4 officially supports .so libraries.
+    # When compiling the executable, add -use-dynld -Lsobjs: to the compileline.
+    library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
+    ;;
+  m68k)
+    library_names_spec='$libname.ixlibrary $libname.a'
+    # Create ${libname}_ixlibrary.a entries in /sys/libs.
+    finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`func_echo_all "$lib" | $SED '\''s%^.*/\([[^/]]*\)\.ixlibrary$%\1%'\''`; $RM /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
+    ;;
+  esac
+  ;;
+
+beos*)
+  library_names_spec='$libname$shared_ext'
+  dynamic_linker="$host_os ld.so"
+  shlibpath_var=LIBRARY_PATH
+  ;;
+
+bsdi[[45]]*)
+  version_type=linux # correct to gnu/linux during the next big refactor
+  need_version=no
+  library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
+  soname_spec='$libname$release$shared_ext$major'
+  finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib"
+  sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib"
+  # the default ld.so.conf also contains /usr/contrib/lib and
+  # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow
+  # libtool to hard-code these into programs
+  ;;
+
+cygwin* | mingw* | pw32* | cegcc*)
+  version_type=windows
+  shrext_cmds=.dll
+  need_version=no
+  need_lib_prefix=no
+
+  case $GCC,$cc_basename in
+  yes,*)
+    # gcc
+    library_names_spec='$libname.dll.a'
+    # DLL is installed to $(libdir)/../bin by postinstall_cmds
+    postinstall_cmds='base_file=`basename \$file`~
+      dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\$base_file'\''i; echo \$dlname'\''`~
+      dldir=$destdir/`dirname \$dlpath`~
+      test -d \$dldir || mkdir -p \$dldir~
+      $install_prog $dir/$dlname \$dldir/$dlname~
+      chmod a+x \$dldir/$dlname~
+      if test -n '\''$stripme'\'' && test -n '\''$striplib'\''; then
+        eval '\''$striplib \$dldir/$dlname'\'' || exit \$?;
+      fi'
+    postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
+      dlpath=$dir/\$dldll~
+       $RM \$dlpath'
+    shlibpath_overrides_runpath=yes
+
+    case $host_os in
+    cygwin*)
+      # Cygwin DLLs use 'cyg' prefix rather than 'lib'
+      soname_spec='`echo $libname | sed -e 's/^lib/cyg/'``echo $release | $SED -e 's/[[.]]/-/g'`$versuffix$shared_ext'
+m4_if([$1], [],[
+      sys_lib_search_path_spec="$sys_lib_search_path_spec /usr/lib/w32api"])
+      ;;
+    mingw* | cegcc*)
+      # MinGW DLLs use traditional 'lib' prefix
+      soname_spec='$libname`echo $release | $SED -e 's/[[.]]/-/g'`$versuffix$shared_ext'
+      ;;
+    pw32*)
+      # pw32 DLLs use 'pw' prefix rather than 'lib'
+      library_names_spec='`echo $libname | sed -e 's/^lib/pw/'``echo $release | $SED -e 's/[[.]]/-/g'`$versuffix$shared_ext'
+      ;;
+    esac
+    dynamic_linker='Win32 ld.exe'
+    ;;
+
+  *,cl*)
+    # Native MSVC
+    libname_spec='$name'
+    soname_spec='$libname`echo $release | $SED -e 's/[[.]]/-/g'`$versuffix$shared_ext'
+    library_names_spec='$libname.dll.lib'
+
+    case $build_os in
+    mingw*)
+      sys_lib_search_path_spec=
+      lt_save_ifs=$IFS
+      IFS=';'
+      for lt_path in $LIB
+      do
+        IFS=$lt_save_ifs
+        # Let DOS variable expansion print the short 8.3 style file name.
+        lt_path=`cd "$lt_path" 2>/dev/null && cmd //C "for %i in (".") do @echo %~si"`
+        sys_lib_search_path_spec="$sys_lib_search_path_spec $lt_path"
+      done
+      IFS=$lt_save_ifs
+      # Convert to MSYS style.
+      sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | sed -e 's|\\\\|/|g' -e 's| \\([[a-zA-Z]]\\):| /\\1|g' -e 's|^ ||'`
+      ;;
+    cygwin*)
+      # Convert to unix form, then to dos form, then back to unix form
+      # but this time dos style (no spaces!) so that the unix form looks
+      # like /cygdrive/c/PROGRA~1:/cygdr...
+      sys_lib_search_path_spec=`cygpath --path --unix "$LIB"`
+      sys_lib_search_path_spec=`cygpath --path --dos "$sys_lib_search_path_spec" 2>/dev/null`
+      sys_lib_search_path_spec=`cygpath --path --unix "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
+      ;;
+    *)
+      sys_lib_search_path_spec=$LIB
+      if $ECHO "$sys_lib_search_path_spec" | [$GREP ';[c-zC-Z]:/' >/dev/null]; then
+        # It is most probably a Windows format PATH.
+        sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
+      else
+        sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
+      fi
+      # FIXME: find the short name or the path components, as spaces are
+      # common. (e.g. "Program Files" -> "PROGRA~1")
+      ;;
+    esac
+
+    # DLL is installed to $(libdir)/../bin by postinstall_cmds
+    postinstall_cmds='base_file=`basename \$file`~
+      dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\$base_file'\''i; echo \$dlname'\''`~
+      dldir=$destdir/`dirname \$dlpath`~
+      test -d \$dldir || mkdir -p \$dldir~
+      $install_prog $dir/$dlname \$dldir/$dlname'
+    postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
+      dlpath=$dir/\$dldll~
+       $RM \$dlpath'
+    shlibpath_overrides_runpath=yes
+    dynamic_linker='Win32 link.exe'
+    ;;
+
+  *)
+    # Assume MSVC wrapper
+    library_names_spec='$libname`echo $release | $SED -e 's/[[.]]/-/g'`$versuffix$shared_ext $libname.lib'
+    dynamic_linker='Win32 ld.exe'
+    ;;
+  esac
+  # FIXME: first we should search . and the directory the executable is in
+  shlibpath_var=PATH
+  ;;
+
+darwin* | rhapsody*)
+  dynamic_linker="$host_os dyld"
+  version_type=darwin
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='$libname$release$major$shared_ext $libname$shared_ext'
+  soname_spec='$libname$release$major$shared_ext'
+  shlibpath_overrides_runpath=yes
+  shlibpath_var=DYLD_LIBRARY_PATH
+  shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`'
+m4_if([$1], [],[
+  sys_lib_search_path_spec="$sys_lib_search_path_spec /usr/local/lib"])
+  sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib'
+  ;;
+
+dgux*)
+  version_type=linux # correct to gnu/linux during the next big refactor
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
+  soname_spec='$libname$release$shared_ext$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  ;;
+
+freebsd* | dragonfly*)
+  # DragonFly does not have aout.  When/if they implement a new
+  # versioning mechanism, adjust this.
+  if test -x /usr/bin/objformat; then
+    objformat=`/usr/bin/objformat`
+  else
+    case $host_os in
+    freebsd[[23]].*) objformat=aout ;;
+    *) objformat=elf ;;
+    esac
+  fi
+  version_type=freebsd-$objformat
+  case $version_type in
+    freebsd-elf*)
+      library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
+      soname_spec='$libname$release$shared_ext$major'
+      need_version=no
+      need_lib_prefix=no
+      ;;
+    freebsd-*)
+      library_names_spec='$libname$release$shared_ext$versuffix $libname$shared_ext$versuffix'
+      need_version=yes
+      ;;
+  esac
+  shlibpath_var=LD_LIBRARY_PATH
+  case $host_os in
+  freebsd2.*)
+    shlibpath_overrides_runpath=yes
+    ;;
+  freebsd3.[[01]]* | freebsdelf3.[[01]]*)
+    shlibpath_overrides_runpath=yes
+    hardcode_into_libs=yes
+    ;;
+  freebsd3.[[2-9]]* | freebsdelf3.[[2-9]]* | \
+  freebsd4.[[0-5]] | freebsdelf4.[[0-5]] | freebsd4.1.1 | freebsdelf4.1.1)
+    shlibpath_overrides_runpath=no
+    hardcode_into_libs=yes
+    ;;
+  *) # from 4.6 on, and DragonFly
+    shlibpath_overrides_runpath=yes
+    hardcode_into_libs=yes
+    ;;
+  esac
+  ;;
+
+haiku*)
+  version_type=linux # correct to gnu/linux during the next big refactor
+  need_lib_prefix=no
+  need_version=no
+  dynamic_linker="$host_os runtime_loader"
+  library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
+  soname_spec='$libname$release$shared_ext$major'
+  shlibpath_var=LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib'
+  hardcode_into_libs=yes
+  ;;
+
+hpux9* | hpux10* | hpux11*)
+  # Give a soname corresponding to the major version so that dld.sl refuses to
+  # link against other versions.
+  version_type=sunos
+  need_lib_prefix=no
+  need_version=no
+  case $host_cpu in
+  ia64*)
+    shrext_cmds='.so'
+    hardcode_into_libs=yes
+    dynamic_linker="$host_os dld.so"
+    shlibpath_var=LD_LIBRARY_PATH
+    shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
+    library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
+    soname_spec='$libname$release$shared_ext$major'
+    if test 32 = "$HPUX_IA64_MODE"; then
+      sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib"
+      sys_lib_dlsearch_path_spec=/usr/lib/hpux32
+    else
+      sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64"
+      sys_lib_dlsearch_path_spec=/usr/lib/hpux64
+    fi
+    ;;
+  hppa*64*)
+    shrext_cmds='.sl'
+    hardcode_into_libs=yes
+    dynamic_linker="$host_os dld.sl"
+    shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
+    shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
+    library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
+    soname_spec='$libname$release$shared_ext$major'
+    sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64"
+    sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
+    ;;
+  *)
+    shrext_cmds='.sl'
+    dynamic_linker="$host_os dld.sl"
+    shlibpath_var=SHLIB_PATH
+    shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
+    library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
+    soname_spec='$libname$release$shared_ext$major'
+    ;;
+  esac
+  # HP-UX runs *really* slowly unless shared libraries are mode 555, ...
+  postinstall_cmds='chmod 555 $lib'
+  # or fails outright, so override atomically:
+  install_override_mode=555
+  ;;
+
+interix[[3-9]]*)
+  version_type=linux # correct to gnu/linux during the next big refactor
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
+  soname_spec='$libname$release$shared_ext$major'
+  dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  hardcode_into_libs=yes
+  ;;
+
+irix5* | irix6* | nonstopux*)
+  case $host_os in
+    nonstopux*) version_type=nonstopux ;;
+    *)
+	if test yes = "$lt_cv_prog_gnu_ld"; then
+		version_type=linux # correct to gnu/linux during the next big refactor
+	else
+		version_type=irix
+	fi ;;
+  esac
+  need_lib_prefix=no
+  need_version=no
+  soname_spec='$libname$release$shared_ext$major'
+  library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$release$shared_ext $libname$shared_ext'
+  case $host_os in
+  irix5* | nonstopux*)
+    libsuff= shlibsuff=
+    ;;
+  *)
+    case $LD in # libtool.m4 will add one of these switches to LD
+    *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ")
+      libsuff= shlibsuff= libmagic=32-bit;;
+    *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ")
+      libsuff=32 shlibsuff=N32 libmagic=N32;;
+    *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ")
+      libsuff=64 shlibsuff=64 libmagic=64-bit;;
+    *) libsuff= shlibsuff= libmagic=never-match;;
+    esac
+    ;;
+  esac
+  shlibpath_var=LD_LIBRARY${shlibsuff}_PATH
+  shlibpath_overrides_runpath=no
+  sys_lib_search_path_spec="/usr/lib$libsuff /lib$libsuff /usr/local/lib$libsuff"
+  sys_lib_dlsearch_path_spec="/usr/lib$libsuff /lib$libsuff"
+  hardcode_into_libs=yes
+  ;;
+
+# No shared lib support for Linux oldld, aout, or coff.
+linux*oldld* | linux*aout* | linux*coff*)
+  dynamic_linker=no
+  ;;
+
+linux*android*)
+  version_type=none # Android doesn't support versioned libraries.
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='$libname$release$shared_ext'
+  soname_spec='$libname$release$shared_ext'
+  finish_cmds=
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+
+  # This implies no fast_install, which is unacceptable.
+  # Some rework will be needed to allow for fast_install
+  # before this can be enabled.
+  hardcode_into_libs=yes
+
+  dynamic_linker='Android linker'
+  # Don't embed -rpath directories since the linker doesn't support them.
+  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+  ;;
+
+# This must be glibc/ELF.
+linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
+  version_type=linux # correct to gnu/linux during the next big refactor
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
+  soname_spec='$libname$release$shared_ext$major'
+  finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+
+  # Some binutils ld are patched to set DT_RUNPATH
+  AC_CACHE_VAL([lt_cv_shlibpath_overrides_runpath],
+    [lt_cv_shlibpath_overrides_runpath=no
+    save_LDFLAGS=$LDFLAGS
+    save_libdir=$libdir
+    eval "libdir=/foo; wl=\"$_LT_TAGVAR(lt_prog_compiler_wl, $1)\"; \
+	 LDFLAGS=\"\$LDFLAGS $_LT_TAGVAR(hardcode_libdir_flag_spec, $1)\""
+    AC_LINK_IFELSE([AC_LANG_PROGRAM([],[])],
+      [AS_IF([ ($OBJDUMP -p conftest$ac_exeext) 2>/dev/null | grep "RUNPATH.*$libdir" >/dev/null],
+	 [lt_cv_shlibpath_overrides_runpath=yes])])
+    LDFLAGS=$save_LDFLAGS
+    libdir=$save_libdir
+    ])
+  shlibpath_overrides_runpath=$lt_cv_shlibpath_overrides_runpath
+
+  # This implies no fast_install, which is unacceptable.
+  # Some rework will be needed to allow for fast_install
+  # before this can be enabled.
+  hardcode_into_libs=yes
+
+  # Ideally, we could use ldconfig to report *all* directores which are
+  # searched for libraries, however this is still not possible.  Aside from not
+  # being certain /sbin/ldconfig is available, command
+  # 'ldconfig -N -X -v | grep ^/' on 64bit Fedora does not report /usr/lib64,
+  # even though it is searched at run-time.  Try to do the best guess by
+  # appending ld.so.conf contents (and includes) to the search path.
+  if test -f /etc/ld.so.conf; then
+    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \[$]2)); skip = 1; } { if (!skip) print \[$]0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[	 ]*hwcap[	 ]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
+    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
+  fi
+
+  # We used to test for /lib/ld.so.1 and disable shared libraries on
+  # powerpc, because MkLinux only supported shared libraries with the
+  # GNU dynamic linker.  Since this was broken with cross compilers,
+  # most powerpc-linux boxes support dynamic linking these days and
+  # people can always --disable-shared, the test was removed, and we
+  # assume the GNU/Linux dynamic linker is in use.
+  dynamic_linker='GNU/Linux ld.so'
+  ;;
+
+netbsdelf*-gnu)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  hardcode_into_libs=yes
+  dynamic_linker='NetBSD ld.elf_so'
+  ;;
+
+netbsd*)
+  version_type=sunos
+  need_lib_prefix=no
+  need_version=no
+  if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
+    library_names_spec='$libname$release$shared_ext$versuffix $libname$shared_ext$versuffix'
+    finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+    dynamic_linker='NetBSD (a.out) ld.so'
+  else
+    library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
+    soname_spec='$libname$release$shared_ext$major'
+    dynamic_linker='NetBSD ld.elf_so'
+  fi
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  hardcode_into_libs=yes
+  ;;
+
+newsos6)
+  version_type=linux # correct to gnu/linux during the next big refactor
+  library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  ;;
+
+*nto* | *qnx*)
+  version_type=qnx
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
+  soname_spec='$libname$release$shared_ext$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  hardcode_into_libs=yes
+  dynamic_linker='ldqnx.so'
+  ;;
+
+openbsd* | bitrig*)
+  version_type=sunos
+  sys_lib_dlsearch_path_spec=/usr/lib
+  need_lib_prefix=no
+  if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`"; then
+    need_version=no
+  else
+    need_version=yes
+  fi
+  library_names_spec='$libname$release$shared_ext$versuffix $libname$shared_ext$versuffix'
+  finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  ;;
+
+os2*)
+  libname_spec='$name'
+  version_type=windows
+  shrext_cmds=.dll
+  need_version=no
+  need_lib_prefix=no
+  # OS/2 can only load a DLL with a base name of 8 characters or less.
+  soname_spec='`test -n "$os2dllname" && libname="$os2dllname";
+    v=$($ECHO $release$versuffix | tr -d .-);
+    n=$($ECHO $libname | cut -b -$((8 - ${#v})) | tr . _);
+    $ECHO $n$v`$shared_ext'
+  library_names_spec='${libname}_dll.$libext'
+  dynamic_linker='OS/2 ld.exe'
+  shlibpath_var=BEGINLIBPATH
+  sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
+  sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
+  postinstall_cmds='base_file=`basename \$file`~
+    dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\$base_file'\''i; $ECHO \$dlname'\''`~
+    dldir=$destdir/`dirname \$dlpath`~
+    test -d \$dldir || mkdir -p \$dldir~
+    $install_prog $dir/$dlname \$dldir/$dlname~
+    chmod a+x \$dldir/$dlname~
+    if test -n '\''$stripme'\'' && test -n '\''$striplib'\''; then
+      eval '\''$striplib \$dldir/$dlname'\'' || exit \$?;
+    fi'
+  postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; $ECHO \$dlname'\''`~
+    dlpath=$dir/\$dldll~
+    $RM \$dlpath'
+  ;;
+
+osf3* | osf4* | osf5*)
+  version_type=osf
+  need_lib_prefix=no
+  need_version=no
+  soname_spec='$libname$release$shared_ext$major'
+  library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
+  shlibpath_var=LD_LIBRARY_PATH
+  sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib"
+  sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
+  ;;
+
+rdos*)
+  dynamic_linker=no
+  ;;
+
+solaris*)
+  version_type=linux # correct to gnu/linux during the next big refactor
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
+  soname_spec='$libname$release$shared_ext$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  hardcode_into_libs=yes
+  # ldd complains unless libraries are executable
+  postinstall_cmds='chmod +x $lib'
+  ;;
+
+sunos4*)
+  version_type=sunos
+  library_names_spec='$libname$release$shared_ext$versuffix $libname$shared_ext$versuffix'
+  finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  if test yes = "$with_gnu_ld"; then
+    need_lib_prefix=no
+  fi
+  need_version=yes
+  ;;
+
+sysv4 | sysv4.3*)
+  version_type=linux # correct to gnu/linux during the next big refactor
+  library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
+  soname_spec='$libname$release$shared_ext$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  case $host_vendor in
+    sni)
+      shlibpath_overrides_runpath=no
+      need_lib_prefix=no
+      runpath_var=LD_RUN_PATH
+      ;;
+    siemens)
+      need_lib_prefix=no
+      ;;
+    motorola)
+      need_lib_prefix=no
+      need_version=no
+      shlibpath_overrides_runpath=no
+      sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib'
+      ;;
+  esac
+  ;;
+
+sysv4*MP*)
+  if test -d /usr/nec; then
+    version_type=linux # correct to gnu/linux during the next big refactor
+    library_names_spec='$libname$shared_ext.$versuffix $libname$shared_ext.$major $libname$shared_ext'
+    soname_spec='$libname$shared_ext.$major'
+    shlibpath_var=LD_LIBRARY_PATH
+  fi
+  ;;
+
+sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
+  version_type=sco
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext $libname$shared_ext'
+  soname_spec='$libname$release$shared_ext$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  hardcode_into_libs=yes
+  if test yes = "$with_gnu_ld"; then
+    sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
+  else
+    sys_lib_search_path_spec='/usr/ccs/lib /usr/lib'
+    case $host_os in
+      sco3.2v5*)
+        sys_lib_search_path_spec="$sys_lib_search_path_spec /lib"
+	;;
+    esac
+  fi
+  sys_lib_dlsearch_path_spec='/usr/lib'
+  ;;
+
+tpf*)
+  # TPF is a cross-target only.  Preferred cross-host = GNU/Linux.
+  version_type=linux # correct to gnu/linux during the next big refactor
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  hardcode_into_libs=yes
+  ;;
+
+uts4*)
+  version_type=linux # correct to gnu/linux during the next big refactor
+  library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
+  soname_spec='$libname$release$shared_ext$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  ;;
+
+*)
+  dynamic_linker=no
+  ;;
+esac
+AC_MSG_RESULT([$dynamic_linker])
+test no = "$dynamic_linker" && can_build_shared=no
+
+variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
+if test yes = "$GCC"; then
+  variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
+fi
+
+if test set = "${lt_cv_sys_lib_search_path_spec+set}"; then
+  sys_lib_search_path_spec=$lt_cv_sys_lib_search_path_spec
+fi
+
+if test set = "${lt_cv_sys_lib_dlsearch_path_spec+set}"; then
+  sys_lib_dlsearch_path_spec=$lt_cv_sys_lib_dlsearch_path_spec
+fi
+
+# remember unaugmented sys_lib_dlsearch_path content for libtool script decls...
+configure_time_dlsearch_path=$sys_lib_dlsearch_path_spec
+
+# ... but it needs LT_SYS_LIBRARY_PATH munging for other configure-time code
+func_munge_path_list sys_lib_dlsearch_path_spec "$LT_SYS_LIBRARY_PATH"
+
+# to be used as default LT_SYS_LIBRARY_PATH value in generated libtool
+configure_time_lt_sys_library_path=$LT_SYS_LIBRARY_PATH
+
+_LT_DECL([], [variables_saved_for_relink], [1],
+    [Variables whose values should be saved in libtool wrapper scripts and
+    restored at link time])
+_LT_DECL([], [need_lib_prefix], [0],
+    [Do we need the "lib" prefix for modules?])
+_LT_DECL([], [need_version], [0], [Do we need a version for libraries?])
+_LT_DECL([], [version_type], [0], [Library versioning type])
+_LT_DECL([], [runpath_var], [0],  [Shared library runtime path variable])
+_LT_DECL([], [shlibpath_var], [0],[Shared library path variable])
+_LT_DECL([], [shlibpath_overrides_runpath], [0],
+    [Is shlibpath searched before the hard-coded library search path?])
+_LT_DECL([], [libname_spec], [1], [Format of library name prefix])
+_LT_DECL([], [library_names_spec], [1],
+    [[List of archive names.  First name is the real one, the rest are links.
+    The last name is the one that the linker finds with -lNAME]])
+_LT_DECL([], [soname_spec], [1],
+    [[The coded name of the library, if different from the real name]])
+_LT_DECL([], [install_override_mode], [1],
+    [Permission mode override for installation of shared libraries])
+_LT_DECL([], [postinstall_cmds], [2],
+    [Command to use after installation of a shared archive])
+_LT_DECL([], [postuninstall_cmds], [2],
+    [Command to use after uninstallation of a shared archive])
+_LT_DECL([], [finish_cmds], [2],
+    [Commands used to finish a libtool library installation in a directory])
+_LT_DECL([], [finish_eval], [1],
+    [[As "finish_cmds", except a single script fragment to be evaled but
+    not shown]])
+_LT_DECL([], [hardcode_into_libs], [0],
+    [Whether we should hardcode library paths into libraries])
+_LT_DECL([], [sys_lib_search_path_spec], [2],
+    [Compile-time system search path for libraries])
+_LT_DECL([sys_lib_dlsearch_path_spec], [configure_time_dlsearch_path], [2],
+    [Detected run-time system search path for libraries])
+_LT_DECL([], [configure_time_lt_sys_library_path], [2],
+    [Explicit LT_SYS_LIBRARY_PATH set during ./configure time])
+])# _LT_SYS_DYNAMIC_LINKER
+
+
+# _LT_PATH_TOOL_PREFIX(TOOL)
+# --------------------------
+# find a file program that can recognize shared library
+AC_DEFUN([_LT_PATH_TOOL_PREFIX],
+[m4_require([_LT_DECL_EGREP])dnl
+AC_MSG_CHECKING([for $1])
+AC_CACHE_VAL(lt_cv_path_MAGIC_CMD,
+[case $MAGIC_CMD in
+[[\\/*] |  ?:[\\/]*])
+  lt_cv_path_MAGIC_CMD=$MAGIC_CMD # Let the user override the test with a path.
+  ;;
+*)
+  lt_save_MAGIC_CMD=$MAGIC_CMD
+  lt_save_ifs=$IFS; IFS=$PATH_SEPARATOR
+dnl $ac_dummy forces splitting on constant user-supplied paths.
+dnl POSIX.2 word splitting is done only on the output of word expansions,
+dnl not every word.  This closes a longstanding sh security hole.
+  ac_dummy="m4_if([$2], , $PATH, [$2])"
+  for ac_dir in $ac_dummy; do
+    IFS=$lt_save_ifs
+    test -z "$ac_dir" && ac_dir=.
+    if test -f "$ac_dir/$1"; then
+      lt_cv_path_MAGIC_CMD=$ac_dir/"$1"
+      if test -n "$file_magic_test_file"; then
+	case $deplibs_check_method in
+	"file_magic "*)
+	  file_magic_regex=`expr "$deplibs_check_method" : "file_magic \(.*\)"`
+	  MAGIC_CMD=$lt_cv_path_MAGIC_CMD
+	  if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null |
+	    $EGREP "$file_magic_regex" > /dev/null; then
+	    :
+	  else
+	    cat <<_LT_EOF 1>&2
+
+*** Warning: the command libtool uses to detect shared libraries,
+*** $file_magic_cmd, produces output that libtool cannot recognize.
+*** The result is that libtool may fail to recognize shared libraries
+*** as such.  This will affect the creation of libtool libraries that
+*** depend on shared libraries, but programs linked with such libtool
+*** libraries will work regardless of this problem.  Nevertheless, you
+*** may want to report the problem to your system manager and/or to
+*** bug-libtool@gnu.org
+
+_LT_EOF
+	  fi ;;
+	esac
+      fi
+      break
+    fi
+  done
+  IFS=$lt_save_ifs
+  MAGIC_CMD=$lt_save_MAGIC_CMD
+  ;;
+esac])
+MAGIC_CMD=$lt_cv_path_MAGIC_CMD
+if test -n "$MAGIC_CMD"; then
+  AC_MSG_RESULT($MAGIC_CMD)
+else
+  AC_MSG_RESULT(no)
+fi
+_LT_DECL([], [MAGIC_CMD], [0],
+	 [Used to examine libraries when file_magic_cmd begins with "file"])dnl
+])# _LT_PATH_TOOL_PREFIX
+
+# Old name:
+AU_ALIAS([AC_PATH_TOOL_PREFIX], [_LT_PATH_TOOL_PREFIX])
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AC_PATH_TOOL_PREFIX], [])
+
+
+# _LT_PATH_MAGIC
+# --------------
+# find a file program that can recognize a shared library
+m4_defun([_LT_PATH_MAGIC],
+[_LT_PATH_TOOL_PREFIX(${ac_tool_prefix}file, /usr/bin$PATH_SEPARATOR$PATH)
+if test -z "$lt_cv_path_MAGIC_CMD"; then
+  if test -n "$ac_tool_prefix"; then
+    _LT_PATH_TOOL_PREFIX(file, /usr/bin$PATH_SEPARATOR$PATH)
+  else
+    MAGIC_CMD=:
+  fi
+fi
+])# _LT_PATH_MAGIC
+
+
+# LT_PATH_LD
+# ----------
+# find the pathname to the GNU or non-GNU linker
+AC_DEFUN([LT_PATH_LD],
+[AC_REQUIRE([AC_PROG_CC])dnl
+AC_REQUIRE([AC_CANONICAL_HOST])dnl
+AC_REQUIRE([AC_CANONICAL_BUILD])dnl
+m4_require([_LT_DECL_SED])dnl
+m4_require([_LT_DECL_EGREP])dnl
+m4_require([_LT_PROG_ECHO_BACKSLASH])dnl
+
+AC_ARG_WITH([gnu-ld],
+    [AS_HELP_STRING([--with-gnu-ld],
+	[assume the C compiler uses GNU ld @<:@default=no@:>@])],
+    [test no = "$withval" || with_gnu_ld=yes],
+    [with_gnu_ld=no])dnl
+
+ac_prog=ld
+if test yes = "$GCC"; then
+  # Check if gcc -print-prog-name=ld gives a path.
+  AC_MSG_CHECKING([for ld used by $CC])
+  case $host in
+  *-*-mingw*)
+    # gcc leaves a trailing carriage return, which upsets mingw
+    ac_prog=`($CC -print-prog-name=ld) 2>&5 | tr -d '\015'` ;;
+  *)
+    ac_prog=`($CC -print-prog-name=ld) 2>&5` ;;
+  esac
+  case $ac_prog in
+    # Accept absolute paths.
+    [[\\/]]* | ?:[[\\/]]*)
+      re_direlt='/[[^/]][[^/]]*/\.\./'
+      # Canonicalize the pathname of ld
+      ac_prog=`$ECHO "$ac_prog"| $SED 's%\\\\%/%g'`
+      while $ECHO "$ac_prog" | $GREP "$re_direlt" > /dev/null 2>&1; do
+	ac_prog=`$ECHO $ac_prog| $SED "s%$re_direlt%/%"`
+      done
+      test -z "$LD" && LD=$ac_prog
+      ;;
+  "")
+    # If it fails, then pretend we aren't using GCC.
+    ac_prog=ld
+    ;;
+  *)
+    # If it is relative, then search for the first ld in PATH.
+    with_gnu_ld=unknown
+    ;;
+  esac
+elif test yes = "$with_gnu_ld"; then
+  AC_MSG_CHECKING([for GNU ld])
+else
+  AC_MSG_CHECKING([for non-GNU ld])
+fi
+AC_CACHE_VAL(lt_cv_path_LD,
+[if test -z "$LD"; then
+  lt_save_ifs=$IFS; IFS=$PATH_SEPARATOR
+  for ac_dir in $PATH; do
+    IFS=$lt_save_ifs
+    test -z "$ac_dir" && ac_dir=.
+    if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then
+      lt_cv_path_LD=$ac_dir/$ac_prog
+      # Check to see if the program is GNU ld.  I'd rather use --version,
+      # but apparently some variants of GNU ld only accept -v.
+      # Break only if it was the GNU/non-GNU ld that we prefer.
+      case `"$lt_cv_path_LD" -v 2>&1 </dev/null` in
+      *GNU* | *'with BFD'*)
+	test no != "$with_gnu_ld" && break
+	;;
+      *)
+	test yes != "$with_gnu_ld" && break
+	;;
+      esac
+    fi
+  done
+  IFS=$lt_save_ifs
+else
+  lt_cv_path_LD=$LD # Let the user override the test with a path.
+fi])
+LD=$lt_cv_path_LD
+if test -n "$LD"; then
+  AC_MSG_RESULT($LD)
+else
+  AC_MSG_RESULT(no)
+fi
+test -z "$LD" && AC_MSG_ERROR([no acceptable ld found in \$PATH])
+_LT_PATH_LD_GNU
+AC_SUBST([LD])
+
+_LT_TAGDECL([], [LD], [1], [The linker used to build libraries])
+])# LT_PATH_LD
+
+# Old names:
+AU_ALIAS([AM_PROG_LD], [LT_PATH_LD])
+AU_ALIAS([AC_PROG_LD], [LT_PATH_LD])
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AM_PROG_LD], [])
+dnl AC_DEFUN([AC_PROG_LD], [])
+
+
+# _LT_PATH_LD_GNU
+#- --------------
+m4_defun([_LT_PATH_LD_GNU],
+[AC_CACHE_CHECK([if the linker ($LD) is GNU ld], lt_cv_prog_gnu_ld,
+[# I'd rather use --version here, but apparently some GNU lds only accept -v.
+case `$LD -v 2>&1 </dev/null` in
+*GNU* | *'with BFD'*)
+  lt_cv_prog_gnu_ld=yes
+  ;;
+*)
+  lt_cv_prog_gnu_ld=no
+  ;;
+esac])
+with_gnu_ld=$lt_cv_prog_gnu_ld
+])# _LT_PATH_LD_GNU
+
+
+# _LT_CMD_RELOAD
+# --------------
+# find reload flag for linker
+#   -- PORTME Some linkers may need a different reload flag.
+m4_defun([_LT_CMD_RELOAD],
+[AC_CACHE_CHECK([for $LD option to reload object files],
+  lt_cv_ld_reload_flag,
+  [lt_cv_ld_reload_flag='-r'])
+reload_flag=$lt_cv_ld_reload_flag
+case $reload_flag in
+"" | " "*) ;;
+*) reload_flag=" $reload_flag" ;;
+esac
+reload_cmds='$LD$reload_flag -o $output$reload_objs'
+case $host_os in
+  cygwin* | mingw* | pw32* | cegcc*)
+    if test yes != "$GCC"; then
+      reload_cmds=false
+    fi
+    ;;
+  darwin*)
+    if test yes = "$GCC"; then
+      reload_cmds='$LTCC $LTCFLAGS -nostdlib $wl-r -o $output$reload_objs'
+    else
+      reload_cmds='$LD$reload_flag -o $output$reload_objs'
+    fi
+    ;;
+esac
+_LT_TAGDECL([], [reload_flag], [1], [How to create reloadable object files])dnl
+_LT_TAGDECL([], [reload_cmds], [2])dnl
+])# _LT_CMD_RELOAD
+
+
+# _LT_PATH_DD
+# -----------
+# find a working dd
+m4_defun([_LT_PATH_DD],
+[AC_CACHE_CHECK([for a working dd], [ac_cv_path_lt_DD],
+[printf 0123456789abcdef0123456789abcdef >conftest.i
+cat conftest.i conftest.i >conftest2.i
+: ${lt_DD:=$DD}
+AC_PATH_PROGS_FEATURE_CHECK([lt_DD], [dd],
+[if "$ac_path_lt_DD" bs=32 count=1 <conftest2.i >conftest.out 2>/dev/null; then
+  cmp -s conftest.i conftest.out \
+  && ac_cv_path_lt_DD="$ac_path_lt_DD" ac_path_lt_DD_found=:
+fi])
+rm -f conftest.i conftest2.i conftest.out])
+])# _LT_PATH_DD
+
+
+# _LT_CMD_TRUNCATE
+# ----------------
+# find command to truncate a binary pipe
+m4_defun([_LT_CMD_TRUNCATE],
+[m4_require([_LT_PATH_DD])
+AC_CACHE_CHECK([how to truncate binary pipes], [lt_cv_truncate_bin],
+[printf 0123456789abcdef0123456789abcdef >conftest.i
+cat conftest.i conftest.i >conftest2.i
+lt_cv_truncate_bin=
+if "$ac_cv_path_lt_DD" bs=32 count=1 <conftest2.i >conftest.out 2>/dev/null; then
+  cmp -s conftest.i conftest.out \
+  && lt_cv_truncate_bin="$ac_cv_path_lt_DD bs=4096 count=1"
+fi
+rm -f conftest.i conftest2.i conftest.out
+test -z "$lt_cv_truncate_bin" && lt_cv_truncate_bin="$SED -e 4q"])
+_LT_DECL([lt_truncate_bin], [lt_cv_truncate_bin], [1],
+  [Command to truncate a binary pipe])
+])# _LT_CMD_TRUNCATE
+
+
+# _LT_CHECK_MAGIC_METHOD
+# ----------------------
+# how to check for library dependencies
+#  -- PORTME fill in with the dynamic library characteristics
+m4_defun([_LT_CHECK_MAGIC_METHOD],
+[m4_require([_LT_DECL_EGREP])
+m4_require([_LT_DECL_OBJDUMP])
+AC_CACHE_CHECK([how to recognize dependent libraries],
+lt_cv_deplibs_check_method,
+[lt_cv_file_magic_cmd='$MAGIC_CMD'
+lt_cv_file_magic_test_file=
+lt_cv_deplibs_check_method='unknown'
+# Need to set the preceding variable on all platforms that support
+# interlibrary dependencies.
+# 'none' -- dependencies not supported.
+# 'unknown' -- same as none, but documents that we really don't know.
+# 'pass_all' -- all dependencies passed with no checks.
+# 'test_compile' -- check by making test program.
+# 'file_magic [[regex]]' -- check by looking for files in library path
+# that responds to the $file_magic_cmd with a given extended regex.
+# If you have 'file' or equivalent on your system and you're not sure
+# whether 'pass_all' will *always* work, you probably want this one.
+
+case $host_os in
+aix[[4-9]]*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+beos*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+bsdi[[45]]*)
+  lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (shared object|dynamic lib)'
+  lt_cv_file_magic_cmd='/usr/bin/file -L'
+  lt_cv_file_magic_test_file=/shlib/libc.so
+  ;;
+
+cygwin*)
+  # func_win32_libid is a shell function defined in ltmain.sh
+  lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL'
+  lt_cv_file_magic_cmd='func_win32_libid'
+  ;;
+
+mingw* | pw32*)
+  # Base MSYS/MinGW do not provide the 'file' command needed by
+  # func_win32_libid shell function, so use a weaker test based on 'objdump',
+  # unless we find 'file', for example because we are cross-compiling.
+  if ( file / ) >/dev/null 2>&1; then
+    lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL'
+    lt_cv_file_magic_cmd='func_win32_libid'
+  else
+    # Keep this pattern in sync with the one in func_win32_libid.
+    lt_cv_deplibs_check_method='file_magic file format (pei*-i386(.*architecture: i386)?|pe-arm-wince|pe-x86-64)'
+    lt_cv_file_magic_cmd='$OBJDUMP -f'
+  fi
+  ;;
+
+cegcc*)
+  # use the weaker test based on 'objdump'. See mingw*.
+  lt_cv_deplibs_check_method='file_magic file format pe-arm-.*little(.*architecture: arm)?'
+  lt_cv_file_magic_cmd='$OBJDUMP -f'
+  ;;
+
+darwin* | rhapsody*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+freebsd* | dragonfly*)
+  if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then
+    case $host_cpu in
+    i*86 )
+      # Not sure whether the presence of OpenBSD here was a mistake.
+      # Let's accept both of them until this is cleared up.
+      lt_cv_deplibs_check_method='file_magic (FreeBSD|OpenBSD|DragonFly)/i[[3-9]]86 (compact )?demand paged shared library'
+      lt_cv_file_magic_cmd=/usr/bin/file
+      lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*`
+      ;;
+    esac
+  else
+    lt_cv_deplibs_check_method=pass_all
+  fi
+  ;;
+
+haiku*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+hpux10.20* | hpux11*)
+  lt_cv_file_magic_cmd=/usr/bin/file
+  case $host_cpu in
+  ia64*)
+    lt_cv_deplibs_check_method='file_magic (s[[0-9]][[0-9]][[0-9]]|ELF-[[0-9]][[0-9]]) shared object file - IA64'
+    lt_cv_file_magic_test_file=/usr/lib/hpux32/libc.so
+    ;;
+  hppa*64*)
+    [lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF[ -][0-9][0-9])(-bit)?( [LM]SB)? shared object( file)?[, -]* PA-RISC [0-9]\.[0-9]']
+    lt_cv_file_magic_test_file=/usr/lib/pa20_64/libc.sl
+    ;;
+  *)
+    lt_cv_deplibs_check_method='file_magic (s[[0-9]][[0-9]][[0-9]]|PA-RISC[[0-9]]\.[[0-9]]) shared library'
+    lt_cv_file_magic_test_file=/usr/lib/libc.sl
+    ;;
+  esac
+  ;;
+
+interix[[3-9]]*)
+  # PIC code is broken on Interix 3.x, that's why |\.a not |_pic\.a here
+  lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so|\.a)$'
+  ;;
+
+irix5* | irix6* | nonstopux*)
+  case $LD in
+  *-32|*"-32 ") libmagic=32-bit;;
+  *-n32|*"-n32 ") libmagic=N32;;
+  *-64|*"-64 ") libmagic=64-bit;;
+  *) libmagic=never-match;;
+  esac
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+# This must be glibc/ELF.
+linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+netbsd* | netbsdelf*-gnu)
+  if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then
+    lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$'
+  else
+    lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so|_pic\.a)$'
+  fi
+  ;;
+
+newos6*)
+  lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (executable|dynamic lib)'
+  lt_cv_file_magic_cmd=/usr/bin/file
+  lt_cv_file_magic_test_file=/usr/lib/libnls.so
+  ;;
+
+*nto* | *qnx*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+openbsd* | bitrig*)
+  if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`"; then
+    lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|\.so|_pic\.a)$'
+  else
+    lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$'
+  fi
+  ;;
+
+osf3* | osf4* | osf5*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+rdos*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+solaris*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+sysv4 | sysv4.3*)
+  case $host_vendor in
+  motorola)
+    lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (shared object|dynamic lib) M[[0-9]][[0-9]]* Version [[0-9]]'
+    lt_cv_file_magic_test_file=`echo /usr/lib/libc.so*`
+    ;;
+  ncr)
+    lt_cv_deplibs_check_method=pass_all
+    ;;
+  sequent)
+    lt_cv_file_magic_cmd='/bin/file'
+    lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[LM]]SB (shared object|dynamic lib )'
+    ;;
+  sni)
+    lt_cv_file_magic_cmd='/bin/file'
+    lt_cv_deplibs_check_method="file_magic ELF [[0-9]][[0-9]]*-bit [[LM]]SB dynamic lib"
+    lt_cv_file_magic_test_file=/lib/libc.so
+    ;;
+  siemens)
+    lt_cv_deplibs_check_method=pass_all
+    ;;
+  pc)
+    lt_cv_deplibs_check_method=pass_all
+    ;;
+  esac
+  ;;
+
+tpf*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+os2*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+esac
+])
+
+file_magic_glob=
+want_nocaseglob=no
+if test "$build" = "$host"; then
+  case $host_os in
+  mingw* | pw32*)
+    if ( shopt | grep nocaseglob ) >/dev/null 2>&1; then
+      want_nocaseglob=yes
+    else
+      file_magic_glob=`echo aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ | $SED -e "s/\(..\)/s\/[[\1]]\/[[\1]]\/g;/g"`
+    fi
+    ;;
+  esac
+fi
+
+file_magic_cmd=$lt_cv_file_magic_cmd
+deplibs_check_method=$lt_cv_deplibs_check_method
+test -z "$deplibs_check_method" && deplibs_check_method=unknown
+
+_LT_DECL([], [deplibs_check_method], [1],
+    [Method to check whether dependent libraries are shared objects])
+_LT_DECL([], [file_magic_cmd], [1],
+    [Command to use when deplibs_check_method = "file_magic"])
+_LT_DECL([], [file_magic_glob], [1],
+    [How to find potential files when deplibs_check_method = "file_magic"])
+_LT_DECL([], [want_nocaseglob], [1],
+    [Find potential files using nocaseglob when deplibs_check_method = "file_magic"])
+])# _LT_CHECK_MAGIC_METHOD
+
+
+# LT_PATH_NM
+# ----------
+# find the pathname to a BSD- or MS-compatible name lister
+AC_DEFUN([LT_PATH_NM],
+[AC_REQUIRE([AC_PROG_CC])dnl
+AC_CACHE_CHECK([for BSD- or MS-compatible name lister (nm)], lt_cv_path_NM,
+[if test -n "$NM"; then
+  # Let the user override the test.
+  lt_cv_path_NM=$NM
+else
+  lt_nm_to_check=${ac_tool_prefix}nm
+  if test -n "$ac_tool_prefix" && test "$build" = "$host"; then
+    lt_nm_to_check="$lt_nm_to_check nm"
+  fi
+  for lt_tmp_nm in $lt_nm_to_check; do
+    lt_save_ifs=$IFS; IFS=$PATH_SEPARATOR
+    for ac_dir in $PATH /usr/ccs/bin/elf /usr/ccs/bin /usr/ucb /bin; do
+      IFS=$lt_save_ifs
+      test -z "$ac_dir" && ac_dir=.
+      tmp_nm=$ac_dir/$lt_tmp_nm
+      if test -f "$tmp_nm" || test -f "$tmp_nm$ac_exeext"; then
+	# Check to see if the nm accepts a BSD-compat flag.
+	# Adding the 'sed 1q' prevents false positives on HP-UX, which says:
+	#   nm: unknown option "B" ignored
+	# Tru64's nm complains that /dev/null is an invalid object file
+	# MSYS converts /dev/null to NUL, MinGW nm treats NUL as empty
+	case $build_os in
+	mingw*) lt_bad_file=conftest.nm/nofile ;;
+	*) lt_bad_file=/dev/null ;;
+	esac
+	case `"$tmp_nm" -B $lt_bad_file 2>&1 | sed '1q'` in
+	*$lt_bad_file* | *'Invalid file or object type'*)
+	  lt_cv_path_NM="$tmp_nm -B"
+	  break 2
+	  ;;
+	*)
+	  case `"$tmp_nm" -p /dev/null 2>&1 | sed '1q'` in
+	  */dev/null*)
+	    lt_cv_path_NM="$tmp_nm -p"
+	    break 2
+	    ;;
+	  *)
+	    lt_cv_path_NM=${lt_cv_path_NM="$tmp_nm"} # keep the first match, but
+	    continue # so that we can try to find one that supports BSD flags
+	    ;;
+	  esac
+	  ;;
+	esac
+      fi
+    done
+    IFS=$lt_save_ifs
+  done
+  : ${lt_cv_path_NM=no}
+fi])
+if test no != "$lt_cv_path_NM"; then
+  NM=$lt_cv_path_NM
+else
+  # Didn't find any BSD compatible name lister, look for dumpbin.
+  if test -n "$DUMPBIN"; then :
+    # Let the user override the test.
+  else
+    AC_CHECK_TOOLS(DUMPBIN, [dumpbin "link -dump"], :)
+    case `$DUMPBIN -symbols -headers /dev/null 2>&1 | sed '1q'` in
+    *COFF*)
+      DUMPBIN="$DUMPBIN -symbols -headers"
+      ;;
+    *)
+      DUMPBIN=:
+      ;;
+    esac
+  fi
+  AC_SUBST([DUMPBIN])
+  if test : != "$DUMPBIN"; then
+    NM=$DUMPBIN
+  fi
+fi
+test -z "$NM" && NM=nm
+AC_SUBST([NM])
+_LT_DECL([], [NM], [1], [A BSD- or MS-compatible name lister])dnl
+
+AC_CACHE_CHECK([the name lister ($NM) interface], [lt_cv_nm_interface],
+  [lt_cv_nm_interface="BSD nm"
+  echo "int some_variable = 0;" > conftest.$ac_ext
+  (eval echo "\"\$as_me:$LINENO: $ac_compile\"" >&AS_MESSAGE_LOG_FD)
+  (eval "$ac_compile" 2>conftest.err)
+  cat conftest.err >&AS_MESSAGE_LOG_FD
+  (eval echo "\"\$as_me:$LINENO: $NM \\\"conftest.$ac_objext\\\"\"" >&AS_MESSAGE_LOG_FD)
+  (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)
+  cat conftest.err >&AS_MESSAGE_LOG_FD
+  (eval echo "\"\$as_me:$LINENO: output\"" >&AS_MESSAGE_LOG_FD)
+  cat conftest.out >&AS_MESSAGE_LOG_FD
+  if $GREP 'External.*some_variable' conftest.out > /dev/null; then
+    lt_cv_nm_interface="MS dumpbin"
+  fi
+  rm -f conftest*])
+])# LT_PATH_NM
+
+# Old names:
+AU_ALIAS([AM_PROG_NM], [LT_PATH_NM])
+AU_ALIAS([AC_PROG_NM], [LT_PATH_NM])
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AM_PROG_NM], [])
+dnl AC_DEFUN([AC_PROG_NM], [])
+
+# _LT_CHECK_SHAREDLIB_FROM_LINKLIB
+# --------------------------------
+# how to determine the name of the shared library
+# associated with a specific link library.
+#  -- PORTME fill in with the dynamic library characteristics
+m4_defun([_LT_CHECK_SHAREDLIB_FROM_LINKLIB],
+[m4_require([_LT_DECL_EGREP])
+m4_require([_LT_DECL_OBJDUMP])
+m4_require([_LT_DECL_DLLTOOL])
+AC_CACHE_CHECK([how to associate runtime and link libraries],
+lt_cv_sharedlib_from_linklib_cmd,
+[lt_cv_sharedlib_from_linklib_cmd='unknown'
+
+case $host_os in
+cygwin* | mingw* | pw32* | cegcc*)
+  # two different shell functions defined in ltmain.sh;
+  # decide which one to use based on capabilities of $DLLTOOL
+  case `$DLLTOOL --help 2>&1` in
+  *--identify-strict*)
+    lt_cv_sharedlib_from_linklib_cmd=func_cygming_dll_for_implib
+    ;;
+  *)
+    lt_cv_sharedlib_from_linklib_cmd=func_cygming_dll_for_implib_fallback
+    ;;
+  esac
+  ;;
+*)
+  # fallback: assume linklib IS sharedlib
+  lt_cv_sharedlib_from_linklib_cmd=$ECHO
+  ;;
+esac
+])
+sharedlib_from_linklib_cmd=$lt_cv_sharedlib_from_linklib_cmd
+test -z "$sharedlib_from_linklib_cmd" && sharedlib_from_linklib_cmd=$ECHO
+
+_LT_DECL([], [sharedlib_from_linklib_cmd], [1],
+    [Command to associate shared and link libraries])
+])# _LT_CHECK_SHAREDLIB_FROM_LINKLIB
+
+
+# _LT_PATH_MANIFEST_TOOL
+# ----------------------
+# locate the manifest tool
+m4_defun([_LT_PATH_MANIFEST_TOOL],
+[AC_CHECK_TOOL(MANIFEST_TOOL, mt, :)
+test -z "$MANIFEST_TOOL" && MANIFEST_TOOL=mt
+AC_CACHE_CHECK([if $MANIFEST_TOOL is a manifest tool], [lt_cv_path_mainfest_tool],
+  [lt_cv_path_mainfest_tool=no
+  echo "$as_me:$LINENO: $MANIFEST_TOOL '-?'" >&AS_MESSAGE_LOG_FD
+  $MANIFEST_TOOL '-?' 2>conftest.err > conftest.out
+  cat conftest.err >&AS_MESSAGE_LOG_FD
+  if $GREP 'Manifest Tool' conftest.out > /dev/null; then
+    lt_cv_path_mainfest_tool=yes
+  fi
+  rm -f conftest*])
+if test yes != "$lt_cv_path_mainfest_tool"; then
+  MANIFEST_TOOL=:
+fi
+_LT_DECL([], [MANIFEST_TOOL], [1], [Manifest tool])dnl
+])# _LT_PATH_MANIFEST_TOOL
+
+
+# _LT_DLL_DEF_P([FILE])
+# ---------------------
+# True iff FILE is a Windows DLL '.def' file.
+# Keep in sync with func_dll_def_p in the libtool script
+AC_DEFUN([_LT_DLL_DEF_P],
+[dnl
+  test DEF = "`$SED -n dnl
+    -e '\''s/^[[	 ]]*//'\'' dnl Strip leading whitespace
+    -e '\''/^\(;.*\)*$/d'\'' dnl      Delete empty lines and comments
+    -e '\''s/^\(EXPORTS\|LIBRARY\)\([[	 ]].*\)*$/DEF/p'\'' dnl
+    -e q dnl                          Only consider the first "real" line
+    $1`" dnl
+])# _LT_DLL_DEF_P
+
+
+# LT_LIB_M
+# --------
+# check for math library
+AC_DEFUN([LT_LIB_M],
+[AC_REQUIRE([AC_CANONICAL_HOST])dnl
+LIBM=
+case $host in
+*-*-beos* | *-*-cegcc* | *-*-cygwin* | *-*-haiku* | *-*-pw32* | *-*-darwin*)
+  # These system don't have libm, or don't need it
+  ;;
+*-ncr-sysv4.3*)
+  AC_CHECK_LIB(mw, _mwvalidcheckl, LIBM=-lmw)
+  AC_CHECK_LIB(m, cos, LIBM="$LIBM -lm")
+  ;;
+*)
+  AC_CHECK_LIB(m, cos, LIBM=-lm)
+  ;;
+esac
+AC_SUBST([LIBM])
+])# LT_LIB_M
+
+# Old name:
+AU_ALIAS([AC_CHECK_LIBM], [LT_LIB_M])
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AC_CHECK_LIBM], [])
+
+
+# _LT_COMPILER_NO_RTTI([TAGNAME])
+# -------------------------------
+m4_defun([_LT_COMPILER_NO_RTTI],
+[m4_require([_LT_TAG_COMPILER])dnl
+
+_LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=
+
+if test yes = "$GCC"; then
+  case $cc_basename in
+  nvcc*)
+    _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -Xcompiler -fno-builtin' ;;
+  *)
+    _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin' ;;
+  esac
+
+  _LT_COMPILER_OPTION([if $compiler supports -fno-rtti -fno-exceptions],
+    lt_cv_prog_compiler_rtti_exceptions,
+    [-fno-rtti -fno-exceptions], [],
+    [_LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)="$_LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1) -fno-rtti -fno-exceptions"])
+fi
+_LT_TAGDECL([no_builtin_flag], [lt_prog_compiler_no_builtin_flag], [1],
+	[Compiler flag to turn off builtin functions])
+])# _LT_COMPILER_NO_RTTI
+
+
+# _LT_CMD_GLOBAL_SYMBOLS
+# ----------------------
+m4_defun([_LT_CMD_GLOBAL_SYMBOLS],
+[AC_REQUIRE([AC_CANONICAL_HOST])dnl
+AC_REQUIRE([AC_PROG_CC])dnl
+AC_REQUIRE([AC_PROG_AWK])dnl
+AC_REQUIRE([LT_PATH_NM])dnl
+AC_REQUIRE([LT_PATH_LD])dnl
+m4_require([_LT_DECL_SED])dnl
+m4_require([_LT_DECL_EGREP])dnl
+m4_require([_LT_TAG_COMPILER])dnl
+
+# Check for command to grab the raw symbol name followed by C symbol from nm.
+AC_MSG_CHECKING([command to parse $NM output from $compiler object])
+AC_CACHE_VAL([lt_cv_sys_global_symbol_pipe],
+[
+# These are sane defaults that work on at least a few old systems.
+# [They come from Ultrix.  What could be older than Ultrix?!! ;)]
+
+# Character class describing NM global symbol codes.
+symcode='[[BCDEGRST]]'
+
+# Regexp to match symbols that can be accessed directly from C.
+sympat='\([[_A-Za-z]][[_A-Za-z0-9]]*\)'
+
+# Define system-specific variables.
+case $host_os in
+aix*)
+  symcode='[[BCDT]]'
+  ;;
+cygwin* | mingw* | pw32* | cegcc*)
+  symcode='[[ABCDGISTW]]'
+  ;;
+hpux*)
+  if test ia64 = "$host_cpu"; then
+    symcode='[[ABCDEGRST]]'
+  fi
+  ;;
+irix* | nonstopux*)
+  symcode='[[BCDEGRST]]'
+  ;;
+osf*)
+  symcode='[[BCDEGQRST]]'
+  ;;
+solaris*)
+  symcode='[[BDRT]]'
+  ;;
+sco3.2v5*)
+  symcode='[[DT]]'
+  ;;
+sysv4.2uw2*)
+  symcode='[[DT]]'
+  ;;
+sysv5* | sco5v6* | unixware* | OpenUNIX*)
+  symcode='[[ABDT]]'
+  ;;
+sysv4)
+  symcode='[[DFNSTU]]'
+  ;;
+esac
+
+# If we're using GNU nm, then use its standard symbol codes.
+case `$NM -V 2>&1` in
+*GNU* | *'with BFD'*)
+  symcode='[[ABCDGIRSTW]]' ;;
+esac
+
+if test "$lt_cv_nm_interface" = "MS dumpbin"; then
+  # Gets list of data symbols to import.
+  lt_cv_sys_global_symbol_to_import="sed -n -e 's/^I .* \(.*\)$/\1/p'"
+  # Adjust the below global symbol transforms to fixup imported variables.
+  lt_cdecl_hook=" -e 's/^I .* \(.*\)$/extern __declspec(dllimport) char \1;/p'"
+  lt_c_name_hook=" -e 's/^I .* \(.*\)$/  {\"\1\", (void *) 0},/p'"
+  lt_c_name_lib_hook="\
+  -e 's/^I .* \(lib.*\)$/  {\"\1\", (void *) 0},/p'\
+  -e 's/^I .* \(.*\)$/  {\"lib\1\", (void *) 0},/p'"
+else
+  # Disable hooks by default.
+  lt_cv_sys_global_symbol_to_import=
+  lt_cdecl_hook=
+  lt_c_name_hook=
+  lt_c_name_lib_hook=
+fi
+
+# Transform an extracted symbol line into a proper C declaration.
+# Some systems (esp. on ia64) link data and code symbols differently,
+# so use this general approach.
+lt_cv_sys_global_symbol_to_cdecl="sed -n"\
+$lt_cdecl_hook\
+" -e 's/^T .* \(.*\)$/extern int \1();/p'"\
+" -e 's/^$symcode$symcode* .* \(.*\)$/extern char \1;/p'"
+
+# Transform an extracted symbol line into symbol name and symbol address
+lt_cv_sys_global_symbol_to_c_name_address="sed -n"\
+$lt_c_name_hook\
+" -e 's/^: \(.*\) .*$/  {\"\1\", (void *) 0},/p'"\
+" -e 's/^$symcode$symcode* .* \(.*\)$/  {\"\1\", (void *) \&\1},/p'"
+
+# Transform an extracted symbol line into symbol name with lib prefix and
+# symbol address.
+lt_cv_sys_global_symbol_to_c_name_address_lib_prefix="sed -n"\
+$lt_c_name_lib_hook\
+" -e 's/^: \(.*\) .*$/  {\"\1\", (void *) 0},/p'"\
+" -e 's/^$symcode$symcode* .* \(lib.*\)$/  {\"\1\", (void *) \&\1},/p'"\
+" -e 's/^$symcode$symcode* .* \(.*\)$/  {\"lib\1\", (void *) \&\1},/p'"
+
+# Handle CRLF in mingw tool chain
+opt_cr=
+case $build_os in
+mingw*)
+  opt_cr=`$ECHO 'x\{0,1\}' | tr x '\015'` # option cr in regexp
+  ;;
+esac
+
+# Try without a prefix underscore, then with it.
+for ac_symprfx in "" "_"; do
+
+  # Transform symcode, sympat, and symprfx into a raw symbol and a C symbol.
+  symxfrm="\\1 $ac_symprfx\\2 \\2"
+
+  # Write the raw and C identifiers.
+  if test "$lt_cv_nm_interface" = "MS dumpbin"; then
+    # Fake it for dumpbin and say T for any non-static function,
+    # D for any global variable and I for any imported variable.
+    # Also find C++ and __fastcall symbols from MSVC++,
+    # which start with @ or ?.
+    lt_cv_sys_global_symbol_pipe="$AWK ['"\
+"     {last_section=section; section=\$ 3};"\
+"     /^COFF SYMBOL TABLE/{for(i in hide) delete hide[i]};"\
+"     /Section length .*#relocs.*(pick any)/{hide[last_section]=1};"\
+"     /^ *Symbol name *: /{split(\$ 0,sn,\":\"); si=substr(sn[2],2)};"\
+"     /^ *Type *: code/{print \"T\",si,substr(si,length(prfx))};"\
+"     /^ *Type *: data/{print \"I\",si,substr(si,length(prfx))};"\
+"     \$ 0!~/External *\|/{next};"\
+"     / 0+ UNDEF /{next}; / UNDEF \([^|]\)*()/{next};"\
+"     {if(hide[section]) next};"\
+"     {f=\"D\"}; \$ 0~/\(\).*\|/{f=\"T\"};"\
+"     {split(\$ 0,a,/\||\r/); split(a[2],s)};"\
+"     s[1]~/^[@?]/{print f,s[1],s[1]; next};"\
+"     s[1]~prfx {split(s[1],t,\"@\"); print f,t[1],substr(t[1],length(prfx))}"\
+"     ' prfx=^$ac_symprfx]"
+  else
+    lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[[	 ]]\($symcode$symcode*\)[[	 ]][[	 ]]*$ac_symprfx$sympat$opt_cr$/$symxfrm/p'"
+  fi
+  lt_cv_sys_global_symbol_pipe="$lt_cv_sys_global_symbol_pipe | sed '/ __gnu_lto/d'"
+
+  # Check to see that the pipe works correctly.
+  pipe_works=no
+
+  rm -f conftest*
+  cat > conftest.$ac_ext <<_LT_EOF
+#ifdef __cplusplus
+extern "C" {
+#endif
+char nm_test_var;
+void nm_test_func(void);
+void nm_test_func(void){}
+#ifdef __cplusplus
+}
+#endif
+int main(){nm_test_var='a';nm_test_func();return(0);}
+_LT_EOF
+
+  if AC_TRY_EVAL(ac_compile); then
+    # Now try to grab the symbols.
+    nlist=conftest.nm
+    $ECHO "$as_me:$LINENO: $NM conftest.$ac_objext | $lt_cv_sys_global_symbol_pipe > $nlist" >&AS_MESSAGE_LOG_FD
+    if eval "$NM" conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist 2>&AS_MESSAGE_LOG_FD && test -s "$nlist"; then
+      # Try sorting and uniquifying the output.
+      if sort "$nlist" | uniq > "$nlist"T; then
+	mv -f "$nlist"T "$nlist"
+      else
+	rm -f "$nlist"T
+      fi
+
+      # Make sure that we snagged all the symbols we need.
+      if $GREP ' nm_test_var$' "$nlist" >/dev/null; then
+	if $GREP ' nm_test_func$' "$nlist" >/dev/null; then
+	  cat <<_LT_EOF > conftest.$ac_ext
+/* Keep this code in sync between libtool.m4, ltmain, lt_system.h, and tests.  */
+#if defined _WIN32 || defined __CYGWIN__ || defined _WIN32_WCE
+/* DATA imports from DLLs on WIN32 can't be const, because runtime
+   relocations are performed -- see ld's documentation on pseudo-relocs.  */
+# define LT@&t@_DLSYM_CONST
+#elif defined __osf__
+/* This system does not cope well with relocations in const data.  */
+# define LT@&t@_DLSYM_CONST
+#else
+# define LT@&t@_DLSYM_CONST const
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+_LT_EOF
+	  # Now generate the symbol file.
+	  eval "$lt_cv_sys_global_symbol_to_cdecl"' < "$nlist" | $GREP -v main >> conftest.$ac_ext'
+
+	  cat <<_LT_EOF >> conftest.$ac_ext
+
+/* The mapping between symbol names and symbols.  */
+LT@&t@_DLSYM_CONST struct {
+  const char *name;
+  void       *address;
+}
+lt__PROGRAM__LTX_preloaded_symbols[[]] =
+{
+  { "@PROGRAM@", (void *) 0 },
+_LT_EOF
+	  $SED "s/^$symcode$symcode* .* \(.*\)$/  {\"\1\", (void *) \&\1},/" < "$nlist" | $GREP -v main >> conftest.$ac_ext
+	  cat <<\_LT_EOF >> conftest.$ac_ext
+  {0, (void *) 0}
+};
+
+/* This works around a problem in FreeBSD linker */
+#ifdef FREEBSD_WORKAROUND
+static const void *lt_preloaded_setup() {
+  return lt__PROGRAM__LTX_preloaded_symbols;
+}
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+_LT_EOF
+	  # Now try linking the two files.
+	  mv conftest.$ac_objext conftstm.$ac_objext
+	  lt_globsym_save_LIBS=$LIBS
+	  lt_globsym_save_CFLAGS=$CFLAGS
+	  LIBS=conftstm.$ac_objext
+	  CFLAGS="$CFLAGS$_LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)"
+	  if AC_TRY_EVAL(ac_link) && test -s conftest$ac_exeext; then
+	    pipe_works=yes
+	  fi
+	  LIBS=$lt_globsym_save_LIBS
+	  CFLAGS=$lt_globsym_save_CFLAGS
+	else
+	  echo "cannot find nm_test_func in $nlist" >&AS_MESSAGE_LOG_FD
+	fi
+      else
+	echo "cannot find nm_test_var in $nlist" >&AS_MESSAGE_LOG_FD
+      fi
+    else
+      echo "cannot run $lt_cv_sys_global_symbol_pipe" >&AS_MESSAGE_LOG_FD
+    fi
+  else
+    echo "$progname: failed program was:" >&AS_MESSAGE_LOG_FD
+    cat conftest.$ac_ext >&5
+  fi
+  rm -rf conftest* conftst*
+
+  # Do not use the global_symbol_pipe unless it works.
+  if test yes = "$pipe_works"; then
+    break
+  else
+    lt_cv_sys_global_symbol_pipe=
+  fi
+done
+])
+if test -z "$lt_cv_sys_global_symbol_pipe"; then
+  lt_cv_sys_global_symbol_to_cdecl=
+fi
+if test -z "$lt_cv_sys_global_symbol_pipe$lt_cv_sys_global_symbol_to_cdecl"; then
+  AC_MSG_RESULT(failed)
+else
+  AC_MSG_RESULT(ok)
+fi
+
+# Response file support.
+if test "$lt_cv_nm_interface" = "MS dumpbin"; then
+  nm_file_list_spec='@'
+elif $NM --help 2>/dev/null | grep '[[@]]FILE' >/dev/null; then
+  nm_file_list_spec='@'
+fi
+
+_LT_DECL([global_symbol_pipe], [lt_cv_sys_global_symbol_pipe], [1],
+    [Take the output of nm and produce a listing of raw symbols and C names])
+_LT_DECL([global_symbol_to_cdecl], [lt_cv_sys_global_symbol_to_cdecl], [1],
+    [Transform the output of nm in a proper C declaration])
+_LT_DECL([global_symbol_to_import], [lt_cv_sys_global_symbol_to_import], [1],
+    [Transform the output of nm into a list of symbols to manually relocate])
+_LT_DECL([global_symbol_to_c_name_address],
+    [lt_cv_sys_global_symbol_to_c_name_address], [1],
+    [Transform the output of nm in a C name address pair])
+_LT_DECL([global_symbol_to_c_name_address_lib_prefix],
+    [lt_cv_sys_global_symbol_to_c_name_address_lib_prefix], [1],
+    [Transform the output of nm in a C name address pair when lib prefix is needed])
+_LT_DECL([nm_interface], [lt_cv_nm_interface], [1],
+    [The name lister interface])
+_LT_DECL([], [nm_file_list_spec], [1],
+    [Specify filename containing input files for $NM])
+]) # _LT_CMD_GLOBAL_SYMBOLS
+
+
+# _LT_COMPILER_PIC([TAGNAME])
+# ---------------------------
+m4_defun([_LT_COMPILER_PIC],
+[m4_require([_LT_TAG_COMPILER])dnl
+_LT_TAGVAR(lt_prog_compiler_wl, $1)=
+_LT_TAGVAR(lt_prog_compiler_pic, $1)=
+_LT_TAGVAR(lt_prog_compiler_static, $1)=
+
+m4_if([$1], [CXX], [
+  # C++ specific cases for pic, static, wl, etc.
+  if test yes = "$GXX"; then
+    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+    _LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
+
+    case $host_os in
+    aix*)
+      # All AIX code is PIC.
+      if test ia64 = "$host_cpu"; then
+	# AIX 5 now supports IA64 processor
+	_LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      fi
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+      ;;
+
+    amigaos*)
+      case $host_cpu in
+      powerpc)
+            # see comment about AmigaOS4 .so support
+            _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+        ;;
+      m68k)
+            # FIXME: we need at least 68020 code to build shared libraries, but
+            # adding the '-m68020' flag to GCC prevents building anything better,
+            # like '-m68040'.
+            _LT_TAGVAR(lt_prog_compiler_pic, $1)='-m68020 -resident32 -malways-restore-a4'
+        ;;
+      esac
+      ;;
+
+    beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
+      # PIC is the default for these OSes.
+      ;;
+    mingw* | cygwin* | os2* | pw32* | cegcc*)
+      # This hack is so that the source file can tell whether it is being
+      # built for inclusion in a dll (and should export symbols for example).
+      # Although the cygwin gcc ignores -fPIC, still need this for old-style
+      # (--disable-auto-import) libraries
+      m4_if([$1], [GCJ], [],
+	[_LT_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'])
+      case $host_os in
+      os2*)
+	_LT_TAGVAR(lt_prog_compiler_static, $1)='$wl-static'
+	;;
+      esac
+      ;;
+    darwin* | rhapsody*)
+      # PIC is the default on this platform
+      # Common symbols not allowed in MH_DYLIB files
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common'
+      ;;
+    *djgpp*)
+      # DJGPP does not support shared libraries at all
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)=
+      ;;
+    haiku*)
+      # PIC is the default for Haiku.
+      # The "-static" flag exists, but is broken.
+      _LT_TAGVAR(lt_prog_compiler_static, $1)=
+      ;;
+    interix[[3-9]]*)
+      # Interix 3.x gcc -fpic/-fPIC options generate broken code.
+      # Instead, we relocate shared libraries at runtime.
+      ;;
+    sysv4*MP*)
+      if test -d /usr/nec; then
+	_LT_TAGVAR(lt_prog_compiler_pic, $1)=-Kconform_pic
+      fi
+      ;;
+    hpux*)
+      # PIC is the default for 64-bit PA HP-UX, but not for 32-bit
+      # PA HP-UX.  On IA64 HP-UX, PIC is the default but the pic flag
+      # sets the default TLS model and affects inlining.
+      case $host_cpu in
+      hppa*64*)
+	;;
+      *)
+	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+	;;
+      esac
+      ;;
+    *qnx* | *nto*)
+      # QNX uses GNU C++, but need to define -shared option too, otherwise
+      # it will coredump.
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC -shared'
+      ;;
+    *)
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+      ;;
+    esac
+  else
+    case $host_os in
+      aix[[4-9]]*)
+	# All AIX code is PIC.
+	if test ia64 = "$host_cpu"; then
+	  # AIX 5 now supports IA64 processor
+	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	else
+	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-bnso -bI:/lib/syscalls.exp'
+	fi
+	;;
+      chorus*)
+	case $cc_basename in
+	cxch68*)
+	  # Green Hills C++ Compiler
+	  # _LT_TAGVAR(lt_prog_compiler_static, $1)="--no_auto_instantiation -u __main -u __premain -u _abort -r $COOL_DIR/lib/libOrb.a $MVME_DIR/lib/CC/libC.a $MVME_DIR/lib/classix/libcx.s.a"
+	  ;;
+	esac
+	;;
+      mingw* | cygwin* | os2* | pw32* | cegcc*)
+	# This hack is so that the source file can tell whether it is being
+	# built for inclusion in a dll (and should export symbols for example).
+	m4_if([$1], [GCJ], [],
+	  [_LT_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'])
+	;;
+      dgux*)
+	case $cc_basename in
+	  ec++*)
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	    ;;
+	  ghcx*)
+	    # Green Hills C++ Compiler
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
+	    ;;
+	  *)
+	    ;;
+	esac
+	;;
+      freebsd* | dragonfly*)
+	# FreeBSD uses GNU C++
+	;;
+      hpux9* | hpux10* | hpux11*)
+	case $cc_basename in
+	  CC*)
+	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	    _LT_TAGVAR(lt_prog_compiler_static, $1)='$wl-a ${wl}archive'
+	    if test ia64 != "$host_cpu"; then
+	      _LT_TAGVAR(lt_prog_compiler_pic, $1)='+Z'
+	    fi
+	    ;;
+	  aCC*)
+	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	    _LT_TAGVAR(lt_prog_compiler_static, $1)='$wl-a ${wl}archive'
+	    case $host_cpu in
+	    hppa*64*|ia64*)
+	      # +Z the default
+	      ;;
+	    *)
+	      _LT_TAGVAR(lt_prog_compiler_pic, $1)='+Z'
+	      ;;
+	    esac
+	    ;;
+	  *)
+	    ;;
+	esac
+	;;
+      interix*)
+	# This is c89, which is MS Visual C++ (no shared libs)
+	# Anyone wants to do a port?
+	;;
+      irix5* | irix6* | nonstopux*)
+	case $cc_basename in
+	  CC*)
+	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+	    # CC pic flag -KPIC is the default.
+	    ;;
+	  *)
+	    ;;
+	esac
+	;;
+      linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
+	case $cc_basename in
+	  KCC*)
+	    # KAI C++ Compiler
+	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='--backend -Wl,'
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+	    ;;
+	  ecpc* )
+	    # old Intel C++ for x86_64, which still supported -KPIC.
+	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
+	    ;;
+	  icpc* )
+	    # Intel C++, used to be incompatible with GCC.
+	    # ICC 10 doesn't accept -KPIC any more.
+	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
+	    ;;
+	  pgCC* | pgcpp*)
+	    # Portland Group C++ compiler
+	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fpic'
+	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	    ;;
+	  cxx*)
+	    # Compaq C++
+	    # Make sure the PIC flag is empty.  It appears that all Alpha
+	    # Linux and Compaq Tru64 Unix objects are PIC.
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)=
+	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+	    ;;
+	  xlc* | xlC* | bgxl[[cC]]* | mpixl[[cC]]*)
+	    # IBM XL 8.0, 9.0 on PPC and BlueGene
+	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-qpic'
+	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-qstaticlink'
+	    ;;
+	  *)
+	    case `$CC -V 2>&1 | sed 5q` in
+	    *Sun\ C*)
+	      # Sun C++ 5.9
+	      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	      _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
+	      ;;
+	    esac
+	    ;;
+	esac
+	;;
+      lynxos*)
+	;;
+      m88k*)
+	;;
+      mvs*)
+	case $cc_basename in
+	  cxx*)
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-W c,exportall'
+	    ;;
+	  *)
+	    ;;
+	esac
+	;;
+      netbsd* | netbsdelf*-gnu)
+	;;
+      *qnx* | *nto*)
+        # QNX uses GNU C++, but need to define -shared option too, otherwise
+        # it will coredump.
+        _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC -shared'
+        ;;
+      osf3* | osf4* | osf5*)
+	case $cc_basename in
+	  KCC*)
+	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='--backend -Wl,'
+	    ;;
+	  RCC*)
+	    # Rational C++ 2.4.1
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
+	    ;;
+	  cxx*)
+	    # Digital/Compaq C++
+	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	    # Make sure the PIC flag is empty.  It appears that all Alpha
+	    # Linux and Compaq Tru64 Unix objects are PIC.
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)=
+	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+	    ;;
+	  *)
+	    ;;
+	esac
+	;;
+      psos*)
+	;;
+      solaris*)
+	case $cc_basename in
+	  CC* | sunCC*)
+	    # Sun C++ 4.2, 5.x and Centerline C++
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
+	    ;;
+	  gcx*)
+	    # Green Hills C++ Compiler
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-PIC'
+	    ;;
+	  *)
+	    ;;
+	esac
+	;;
+      sunos4*)
+	case $cc_basename in
+	  CC*)
+	    # Sun C++ 4.x
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
+	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	    ;;
+	  lcc*)
+	    # Lucid
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
+	    ;;
+	  *)
+	    ;;
+	esac
+	;;
+      sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
+	case $cc_basename in
+	  CC*)
+	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	    ;;
+	esac
+	;;
+      tandem*)
+	case $cc_basename in
+	  NCC*)
+	    # NonStop-UX NCC 3.20
+	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	    ;;
+	  *)
+	    ;;
+	esac
+	;;
+      vxworks*)
+	;;
+      *)
+	_LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
+	;;
+    esac
+  fi
+],
+[
+  if test yes = "$GCC"; then
+    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+    _LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
+
+    case $host_os in
+      aix*)
+      # All AIX code is PIC.
+      if test ia64 = "$host_cpu"; then
+	# AIX 5 now supports IA64 processor
+	_LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      fi
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+      ;;
+
+    amigaos*)
+      case $host_cpu in
+      powerpc)
+            # see comment about AmigaOS4 .so support
+            _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+        ;;
+      m68k)
+            # FIXME: we need at least 68020 code to build shared libraries, but
+            # adding the '-m68020' flag to GCC prevents building anything better,
+            # like '-m68040'.
+            _LT_TAGVAR(lt_prog_compiler_pic, $1)='-m68020 -resident32 -malways-restore-a4'
+        ;;
+      esac
+      ;;
+
+    beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
+      # PIC is the default for these OSes.
+      ;;
+
+    mingw* | cygwin* | pw32* | os2* | cegcc*)
+      # This hack is so that the source file can tell whether it is being
+      # built for inclusion in a dll (and should export symbols for example).
+      # Although the cygwin gcc ignores -fPIC, still need this for old-style
+      # (--disable-auto-import) libraries
+      m4_if([$1], [GCJ], [],
+	[_LT_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'])
+      case $host_os in
+      os2*)
+	_LT_TAGVAR(lt_prog_compiler_static, $1)='$wl-static'
+	;;
+      esac
+      ;;
+
+    darwin* | rhapsody*)
+      # PIC is the default on this platform
+      # Common symbols not allowed in MH_DYLIB files
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common'
+      ;;
+
+    haiku*)
+      # PIC is the default for Haiku.
+      # The "-static" flag exists, but is broken.
+      _LT_TAGVAR(lt_prog_compiler_static, $1)=
+      ;;
+
+    hpux*)
+      # PIC is the default for 64-bit PA HP-UX, but not for 32-bit
+      # PA HP-UX.  On IA64 HP-UX, PIC is the default but the pic flag
+      # sets the default TLS model and affects inlining.
+      case $host_cpu in
+      hppa*64*)
+	# +Z the default
+	;;
+      *)
+	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+	;;
+      esac
+      ;;
+
+    interix[[3-9]]*)
+      # Interix 3.x gcc -fpic/-fPIC options generate broken code.
+      # Instead, we relocate shared libraries at runtime.
+      ;;
+
+    msdosdjgpp*)
+      # Just because we use GCC doesn't mean we suddenly get shared libraries
+      # on systems that don't support them.
+      _LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
+      enable_shared=no
+      ;;
+
+    *nto* | *qnx*)
+      # QNX uses GNU C++, but need to define -shared option too, otherwise
+      # it will coredump.
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC -shared'
+      ;;
+
+    sysv4*MP*)
+      if test -d /usr/nec; then
+	_LT_TAGVAR(lt_prog_compiler_pic, $1)=-Kconform_pic
+      fi
+      ;;
+
+    *)
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+      ;;
+    esac
+
+    case $cc_basename in
+    nvcc*) # Cuda Compiler Driver 2.2
+      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Xlinker '
+      if test -n "$_LT_TAGVAR(lt_prog_compiler_pic, $1)"; then
+        _LT_TAGVAR(lt_prog_compiler_pic, $1)="-Xcompiler $_LT_TAGVAR(lt_prog_compiler_pic, $1)"
+      fi
+      ;;
+    esac
+  else
+    # PORTME Check for flag to pass linker flags through the system compiler.
+    case $host_os in
+    aix*)
+      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+      if test ia64 = "$host_cpu"; then
+	# AIX 5 now supports IA64 processor
+	_LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      else
+	_LT_TAGVAR(lt_prog_compiler_static, $1)='-bnso -bI:/lib/syscalls.exp'
+      fi
+      ;;
+
+    darwin* | rhapsody*)
+      # PIC is the default on this platform
+      # Common symbols not allowed in MH_DYLIB files
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common'
+      case $cc_basename in
+      nagfor*)
+        # NAG Fortran compiler
+        _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,-Wl,,'
+        _LT_TAGVAR(lt_prog_compiler_pic, $1)='-PIC'
+        _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+        ;;
+      esac
+      ;;
+
+    mingw* | cygwin* | pw32* | os2* | cegcc*)
+      # This hack is so that the source file can tell whether it is being
+      # built for inclusion in a dll (and should export symbols for example).
+      m4_if([$1], [GCJ], [],
+	[_LT_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'])
+      case $host_os in
+      os2*)
+	_LT_TAGVAR(lt_prog_compiler_static, $1)='$wl-static'
+	;;
+      esac
+      ;;
+
+    hpux9* | hpux10* | hpux11*)
+      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
+      # not for PA HP-UX.
+      case $host_cpu in
+      hppa*64*|ia64*)
+	# +Z the default
+	;;
+      *)
+	_LT_TAGVAR(lt_prog_compiler_pic, $1)='+Z'
+	;;
+      esac
+      # Is there a better lt_prog_compiler_static that works with the bundled CC?
+      _LT_TAGVAR(lt_prog_compiler_static, $1)='$wl-a ${wl}archive'
+      ;;
+
+    irix5* | irix6* | nonstopux*)
+      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+      # PIC (with -KPIC) is the default.
+      _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+      ;;
+
+    linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
+      case $cc_basename in
+      # old Intel for x86_64, which still supported -KPIC.
+      ecc*)
+	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	_LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
+        ;;
+      # flang / f18. f95 an alias for gfortran or flang on Debian
+      flang* | f18* | f95*)
+	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+	_LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
+        ;;
+      # icc used to be incompatible with GCC.
+      # ICC 10 doesn't accept -KPIC any more.
+      icc* | ifort*)
+	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+	_LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
+        ;;
+      # Lahey Fortran 8.1.
+      lf95*)
+	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	_LT_TAGVAR(lt_prog_compiler_pic, $1)='--shared'
+	_LT_TAGVAR(lt_prog_compiler_static, $1)='--static'
+	;;
+      nagfor*)
+	# NAG Fortran compiler
+	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,-Wl,,'
+	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-PIC'
+	_LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	;;
+      tcc*)
+	# Fabrice Bellard et al's Tiny C Compiler
+	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+	_LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
+	;;
+      pgcc* | pgf77* | pgf90* | pgf95* | pgfortran*)
+        # Portland Group compilers (*not* the Pentium gcc compiler,
+	# which looks to be a dead project)
+	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-fpic'
+	_LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+        ;;
+      ccc*)
+        _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+        # All Alpha code is PIC.
+        _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+        ;;
+      xl* | bgxl* | bgf* | mpixl*)
+	# IBM XL C 8.0/Fortran 10.1, 11.1 on PPC and BlueGene
+	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-qpic'
+	_LT_TAGVAR(lt_prog_compiler_static, $1)='-qstaticlink'
+	;;
+      *)
+	case `$CC -V 2>&1 | sed 5q` in
+	*Sun\ Ceres\ Fortran* | *Sun*Fortran*\ [[1-7]].* | *Sun*Fortran*\ 8.[[0-3]]*)
+	  # Sun Fortran 8.3 passes all unrecognized flags to the linker
+	  _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	  _LT_TAGVAR(lt_prog_compiler_wl, $1)=''
+	  ;;
+	*Sun\ F* | *Sun*Fortran*)
+	  _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	  _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
+	  ;;
+	*Sun\ C*)
+	  # Sun C 5.9
+	  _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	  _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	  ;;
+        *Intel*\ [[CF]]*Compiler*)
+	  _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	  _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
+	  ;;
+	*Portland\ Group*)
+	  _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	  _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fpic'
+	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	  ;;
+	esac
+	;;
+      esac
+      ;;
+
+    newsos6)
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+      _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      ;;
+
+    *nto* | *qnx*)
+      # QNX uses GNU C++, but need to define -shared option too, otherwise
+      # it will coredump.
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC -shared'
+      ;;
+
+    osf3* | osf4* | osf5*)
+      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+      # All OSF/1 code is PIC.
+      _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+      ;;
+
+    rdos*)
+      _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+      ;;
+
+    solaris*)
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+      _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      case $cc_basename in
+      f77* | f90* | f95* | sunf77* | sunf90* | sunf95*)
+	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld ';;
+      *)
+	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,';;
+      esac
+      ;;
+
+    sunos4*)
+      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-PIC'
+      _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      ;;
+
+    sysv4 | sysv4.2uw2* | sysv4.3*)
+      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+      _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      ;;
+
+    sysv4*MP*)
+      if test -d /usr/nec; then
+	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-Kconform_pic'
+	_LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      fi
+      ;;
+
+    sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
+      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+      _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      ;;
+
+    unicos*)
+      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+      _LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
+      ;;
+
+    uts4*)
+      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
+      _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      ;;
+
+    *)
+      _LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
+      ;;
+    esac
+  fi
+])
+case $host_os in
+  # For platforms that do not support PIC, -DPIC is meaningless:
+  *djgpp*)
+    _LT_TAGVAR(lt_prog_compiler_pic, $1)=
+    ;;
+  *)
+    _LT_TAGVAR(lt_prog_compiler_pic, $1)="$_LT_TAGVAR(lt_prog_compiler_pic, $1)@&t@m4_if([$1],[],[ -DPIC],[m4_if([$1],[CXX],[ -DPIC],[])])"
+    ;;
+esac
+
+AC_CACHE_CHECK([for $compiler option to produce PIC],
+  [_LT_TAGVAR(lt_cv_prog_compiler_pic, $1)],
+  [_LT_TAGVAR(lt_cv_prog_compiler_pic, $1)=$_LT_TAGVAR(lt_prog_compiler_pic, $1)])
+_LT_TAGVAR(lt_prog_compiler_pic, $1)=$_LT_TAGVAR(lt_cv_prog_compiler_pic, $1)
+
+#
+# Check to make sure the PIC flag actually works.
+#
+if test -n "$_LT_TAGVAR(lt_prog_compiler_pic, $1)"; then
+  _LT_COMPILER_OPTION([if $compiler PIC flag $_LT_TAGVAR(lt_prog_compiler_pic, $1) works],
+    [_LT_TAGVAR(lt_cv_prog_compiler_pic_works, $1)],
+    [$_LT_TAGVAR(lt_prog_compiler_pic, $1)@&t@m4_if([$1],[],[ -DPIC],[m4_if([$1],[CXX],[ -DPIC],[])])], [],
+    [case $_LT_TAGVAR(lt_prog_compiler_pic, $1) in
+     "" | " "*) ;;
+     *) _LT_TAGVAR(lt_prog_compiler_pic, $1)=" $_LT_TAGVAR(lt_prog_compiler_pic, $1)" ;;
+     esac],
+    [_LT_TAGVAR(lt_prog_compiler_pic, $1)=
+     _LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no])
+fi
+_LT_TAGDECL([pic_flag], [lt_prog_compiler_pic], [1],
+	[Additional compiler flags for building library objects])
+
+_LT_TAGDECL([wl], [lt_prog_compiler_wl], [1],
+	[How to pass a linker flag through the compiler])
+#
+# Check to make sure the static flag actually works.
+#
+wl=$_LT_TAGVAR(lt_prog_compiler_wl, $1) eval lt_tmp_static_flag=\"$_LT_TAGVAR(lt_prog_compiler_static, $1)\"
+_LT_LINKER_OPTION([if $compiler static flag $lt_tmp_static_flag works],
+  _LT_TAGVAR(lt_cv_prog_compiler_static_works, $1),
+  $lt_tmp_static_flag,
+  [],
+  [_LT_TAGVAR(lt_prog_compiler_static, $1)=])
+_LT_TAGDECL([link_static_flag], [lt_prog_compiler_static], [1],
+	[Compiler flag to prevent dynamic linking])
+])# _LT_COMPILER_PIC
+
+
+# _LT_LINKER_SHLIBS([TAGNAME])
+# ----------------------------
+# See if the linker supports building shared libraries.
+m4_defun([_LT_LINKER_SHLIBS],
+[AC_REQUIRE([LT_PATH_LD])dnl
+AC_REQUIRE([LT_PATH_NM])dnl
+m4_require([_LT_PATH_MANIFEST_TOOL])dnl
+m4_require([_LT_FILEUTILS_DEFAULTS])dnl
+m4_require([_LT_DECL_EGREP])dnl
+m4_require([_LT_DECL_SED])dnl
+m4_require([_LT_CMD_GLOBAL_SYMBOLS])dnl
+m4_require([_LT_TAG_COMPILER])dnl
+AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries])
+m4_if([$1], [CXX], [
+  _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
+  _LT_TAGVAR(exclude_expsyms, $1)=['_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*']
+  case $host_os in
+  aix[[4-9]]*)
+    # If we're using GNU nm, then we don't want the "-C" option.
+    # -C means demangle to GNU nm, but means don't demangle to AIX nm.
+    # Without the "-l" option, or with the "-B" option, AIX nm treats
+    # weak defined symbols like other global defined symbols, whereas
+    # GNU nm marks them as "W".
+    # While the 'weak' keyword is ignored in the Export File, we need
+    # it in the Import File for the 'aix-soname' feature, so we have
+    # to replace the "-B" option with "-P" for AIX nm.
+    if $NM -V 2>&1 | $GREP 'GNU' > /dev/null; then
+      _LT_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B") || (\$ 2 == "W")) && ([substr](\$ 3,1,1) != ".")) { if (\$ 2 == "W") { print \$ 3 " weak" } else { print \$ 3 } } }'\'' | sort -u > $export_symbols'
+    else
+      _LT_TAGVAR(export_symbols_cmds, $1)='`func_echo_all $NM | $SED -e '\''s/B\([[^B]]*\)$/P\1/'\''` -PCpgl $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B") || (\$ 2 == "W") || (\$ 2 == "V") || (\$ 2 == "Z")) && ([substr](\$ 1,1,1) != ".")) { if ((\$ 2 == "W") || (\$ 2 == "V") || (\$ 2 == "Z")) { print \$ 1 " weak" } else { print \$ 1 } } }'\'' | sort -u > $export_symbols'
+    fi
+    ;;
+  pw32*)
+    _LT_TAGVAR(export_symbols_cmds, $1)=$ltdll_cmds
+    ;;
+  cygwin* | mingw* | cegcc*)
+    case $cc_basename in
+    cl*)
+      _LT_TAGVAR(exclude_expsyms, $1)='_NULL_IMPORT_DESCRIPTOR|_IMPORT_DESCRIPTOR_.*'
+      ;;
+    *)
+      _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/;s/^.*[[ ]]__nm__\([[^ ]]*\)[[ ]][[^ ]]*/\1 DATA/;/^I[[ ]]/d;/^[[AITW]][[ ]]/s/.* //'\'' | sort | uniq > $export_symbols'
+      _LT_TAGVAR(exclude_expsyms, $1)=['[_]+GLOBAL_OFFSET_TABLE_|[_]+GLOBAL__[FID]_.*|[_]+head_[A-Za-z0-9_]+_dll|[A-Za-z0-9_]+_dll_iname']
+      ;;
+    esac
+    ;;
+  linux* | k*bsd*-gnu | gnu*)
+    _LT_TAGVAR(link_all_deplibs, $1)=no
+    ;;
+  *)
+    _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
+    ;;
+  esac
+], [
+  runpath_var=
+  _LT_TAGVAR(allow_undefined_flag, $1)=
+  _LT_TAGVAR(always_export_symbols, $1)=no
+  _LT_TAGVAR(archive_cmds, $1)=
+  _LT_TAGVAR(archive_expsym_cmds, $1)=
+  _LT_TAGVAR(compiler_needs_object, $1)=no
+  _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no
+  _LT_TAGVAR(export_dynamic_flag_spec, $1)=
+  _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
+  _LT_TAGVAR(hardcode_automatic, $1)=no
+  _LT_TAGVAR(hardcode_direct, $1)=no
+  _LT_TAGVAR(hardcode_direct_absolute, $1)=no
+  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
+  _LT_TAGVAR(hardcode_libdir_separator, $1)=
+  _LT_TAGVAR(hardcode_minus_L, $1)=no
+  _LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
+  _LT_TAGVAR(inherit_rpath, $1)=no
+  _LT_TAGVAR(link_all_deplibs, $1)=unknown
+  _LT_TAGVAR(module_cmds, $1)=
+  _LT_TAGVAR(module_expsym_cmds, $1)=
+  _LT_TAGVAR(old_archive_from_new_cmds, $1)=
+  _LT_TAGVAR(old_archive_from_expsyms_cmds, $1)=
+  _LT_TAGVAR(thread_safe_flag_spec, $1)=
+  _LT_TAGVAR(whole_archive_flag_spec, $1)=
+  # include_expsyms should be a list of space-separated symbols to be *always*
+  # included in the symbol list
+  _LT_TAGVAR(include_expsyms, $1)=
+  # exclude_expsyms can be an extended regexp of symbols to exclude
+  # it will be wrapped by ' (' and ')$', so one must not match beginning or
+  # end of line.  Example: 'a|bc|.*d.*' will exclude the symbols 'a' and 'bc',
+  # as well as any symbol that contains 'd'.
+  _LT_TAGVAR(exclude_expsyms, $1)=['_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*']
+  # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out
+  # platforms (ab)use it in PIC code, but their linkers get confused if
+  # the symbol is explicitly referenced.  Since portable code cannot
+  # rely on this symbol name, it's probably fine to never include it in
+  # preloaded symbol tables.
+  # Exclude shared library initialization/finalization symbols.
+dnl Note also adjust exclude_expsyms for C++ above.
+  extract_expsyms_cmds=
+
+  case $host_os in
+  cygwin* | mingw* | pw32* | cegcc*)
+    # FIXME: the MSVC++ port hasn't been tested in a loooong time
+    # When not using gcc, we currently assume that we are using
+    # Microsoft Visual C++.
+    if test yes != "$GCC"; then
+      with_gnu_ld=no
+    fi
+    ;;
+  interix*)
+    # we just hope/assume this is gcc and not c89 (= MSVC++)
+    with_gnu_ld=yes
+    ;;
+  openbsd* | bitrig*)
+    with_gnu_ld=no
+    ;;
+  linux* | k*bsd*-gnu | gnu*)
+    _LT_TAGVAR(link_all_deplibs, $1)=no
+    ;;
+  esac
+
+  _LT_TAGVAR(ld_shlibs, $1)=yes
+
+  # On some targets, GNU ld is compatible enough with the native linker
+  # that we're better off using the native interface for both.
+  lt_use_gnu_ld_interface=no
+  if test yes = "$with_gnu_ld"; then
+    case $host_os in
+      aix*)
+	# The AIX port of GNU ld has always aspired to compatibility
+	# with the native linker.  However, as the warning in the GNU ld
+	# block says, versions before 2.19.5* couldn't really create working
+	# shared libraries, regardless of the interface used.
+	case `$LD -v 2>&1` in
+	  *\ \(GNU\ Binutils\)\ 2.19.5*) ;;
+	  *\ \(GNU\ Binutils\)\ 2.[[2-9]]*) ;;
+	  *\ \(GNU\ Binutils\)\ [[3-9]]*) ;;
+	  *)
+	    lt_use_gnu_ld_interface=yes
+	    ;;
+	esac
+	;;
+      *)
+	lt_use_gnu_ld_interface=yes
+	;;
+    esac
+  fi
+
+  if test yes = "$lt_use_gnu_ld_interface"; then
+    # If archive_cmds runs LD, not CC, wlarc should be empty
+    wlarc='$wl'
+
+    # Set some defaults for GNU ld with shared library support. These
+    # are reset later if shared libraries are not supported. Putting them
+    # here allows them to be overridden if necessary.
+    runpath_var=LD_RUN_PATH
+    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath $wl$libdir'
+    _LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl--export-dynamic'
+    # ancient GNU ld didn't support --whole-archive et. al.
+    if $LD --help 2>&1 | $GREP 'no-whole-archive' > /dev/null; then
+      _LT_TAGVAR(whole_archive_flag_spec, $1)=$wlarc'--whole-archive$convenience '$wlarc'--no-whole-archive'
+    else
+      _LT_TAGVAR(whole_archive_flag_spec, $1)=
+    fi
+    supports_anon_versioning=no
+    case `$LD -v | $SED -e 's/([^)]\+)\s\+//' 2>&1` in
+      *GNU\ gold*) supports_anon_versioning=yes ;;
+      *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.10.*) ;; # catch versions < 2.11
+      *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
+      *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
+      *\ 2.11.*) ;; # other 2.11 versions
+      *) supports_anon_versioning=yes ;;
+    esac
+
+    # See if GNU ld supports shared libraries.
+    case $host_os in
+    aix[[3-9]]*)
+      # On AIX/PPC, the GNU linker is very broken
+      if test ia64 != "$host_cpu"; then
+	_LT_TAGVAR(ld_shlibs, $1)=no
+	cat <<_LT_EOF 1>&2
+
+*** Warning: the GNU linker, at least up to release 2.19, is reported
+*** to be unable to reliably create shared libraries on AIX.
+*** Therefore, libtool is disabling shared libraries support.  If you
+*** really care for shared libraries, you may want to install binutils
+*** 2.20 or above, or modify your PATH so that a non-GNU linker is found.
+*** You will then need to restart the configuration process.
+
+_LT_EOF
+      fi
+      ;;
+
+    amigaos*)
+      case $host_cpu in
+      powerpc)
+            # see comment about AmigaOS4 .so support
+            _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib'
+            _LT_TAGVAR(archive_expsym_cmds, $1)=''
+        ;;
+      m68k)
+            _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/a2ixlibrary.data~$ECHO "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$ECHO "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$ECHO "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$ECHO "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
+            _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+            _LT_TAGVAR(hardcode_minus_L, $1)=yes
+        ;;
+      esac
+      ;;
+
+    beos*)
+      if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
+	_LT_TAGVAR(allow_undefined_flag, $1)=unsupported
+	# Joseph Beckenbach <jrb3@best.com> says some releases of gcc
+	# support --undefined.  This deserves some investigation.  FIXME
+	_LT_TAGVAR(archive_cmds, $1)='$CC -nostart $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib'
+      else
+	_LT_TAGVAR(ld_shlibs, $1)=no
+      fi
+      ;;
+
+    cygwin* | mingw* | pw32* | cegcc*)
+      # _LT_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless,
+      # as there is no search path for DLLs.
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+      _LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl--export-all-symbols'
+      _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
+      _LT_TAGVAR(always_export_symbols, $1)=no
+      _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+      _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/;s/^.*[[ ]]__nm__\([[^ ]]*\)[[ ]][[^ ]]*/\1 DATA/;/^I[[ ]]/d;/^[[AITW]][[ ]]/s/.* //'\'' | sort | uniq > $export_symbols'
+      _LT_TAGVAR(exclude_expsyms, $1)=['[_]+GLOBAL_OFFSET_TABLE_|[_]+GLOBAL__[FID]_.*|[_]+head_[A-Za-z0-9_]+_dll|[A-Za-z0-9_]+_dll_iname']
+
+      if $LD --help 2>&1 | $GREP 'auto-import' > /dev/null; then
+        _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname $wl--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+	# If the export-symbols file already is a .def file, use it as
+	# is; otherwise, prepend EXPORTS...
+	_LT_TAGVAR(archive_expsym_cmds, $1)='if _LT_DLL_DEF_P([$export_symbols]); then
+          cp $export_symbols $output_objdir/$soname.def;
+        else
+          echo EXPORTS > $output_objdir/$soname.def;
+          cat $export_symbols >> $output_objdir/$soname.def;
+        fi~
+        $CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname $wl--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+      else
+	_LT_TAGVAR(ld_shlibs, $1)=no
+      fi
+      ;;
+
+    haiku*)
+      _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib'
+      _LT_TAGVAR(link_all_deplibs, $1)=yes
+      ;;
+
+    os2*)
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+      _LT_TAGVAR(hardcode_minus_L, $1)=yes
+      _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
+      shrext_cmds=.dll
+      _LT_TAGVAR(archive_cmds, $1)='$ECHO "LIBRARY ${soname%$shared_ext} INITINSTANCE TERMINSTANCE" > $output_objdir/$libname.def~
+	$ECHO "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~
+	$ECHO "DATA MULTIPLE NONSHARED" >> $output_objdir/$libname.def~
+	$ECHO EXPORTS >> $output_objdir/$libname.def~
+	emxexp $libobjs | $SED /"_DLL_InitTerm"/d >> $output_objdir/$libname.def~
+	$CC -Zdll -Zcrtdll -o $output_objdir/$soname $libobjs $deplibs $compiler_flags $output_objdir/$libname.def~
+	emximp -o $lib $output_objdir/$libname.def'
+      _LT_TAGVAR(archive_expsym_cmds, $1)='$ECHO "LIBRARY ${soname%$shared_ext} INITINSTANCE TERMINSTANCE" > $output_objdir/$libname.def~
+	$ECHO "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~
+	$ECHO "DATA MULTIPLE NONSHARED" >> $output_objdir/$libname.def~
+	$ECHO EXPORTS >> $output_objdir/$libname.def~
+	prefix_cmds="$SED"~
+	if test EXPORTS = "`$SED 1q $export_symbols`"; then
+	  prefix_cmds="$prefix_cmds -e 1d";
+	fi~
+	prefix_cmds="$prefix_cmds -e \"s/^\(.*\)$/_\1/g\""~
+	cat $export_symbols | $prefix_cmds >> $output_objdir/$libname.def~
+	$CC -Zdll -Zcrtdll -o $output_objdir/$soname $libobjs $deplibs $compiler_flags $output_objdir/$libname.def~
+	emximp -o $lib $output_objdir/$libname.def'
+      _LT_TAGVAR(old_archive_From_new_cmds, $1)='emximp -o $output_objdir/${libname}_dll.a $output_objdir/$libname.def'
+      _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+      ;;
+
+    interix[[3-9]]*)
+      _LT_TAGVAR(hardcode_direct, $1)=no
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath,$libdir'
+      _LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl-E'
+      # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
+      # Instead, shared libraries are loaded at an image base (0x10000000 by
+      # default) and relocated if they conflict, which is a slow very memory
+      # consuming and fragmenting process.  To avoid this, we pick a random,
+      # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
+      # time.  Moving up from 0x10000000 also allows more sbrk(2) space.
+      _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-h,$soname $wl--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+      _LT_TAGVAR(archive_expsym_cmds, $1)='sed "s|^|_|" $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-h,$soname $wl--retain-symbols-file,$output_objdir/$soname.expsym $wl--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+      ;;
+
+    gnu* | linux* | tpf* | k*bsd*-gnu | kopensolaris*-gnu)
+      tmp_diet=no
+      if test linux-dietlibc = "$host_os"; then
+	case $cc_basename in
+	  diet\ *) tmp_diet=yes;;	# linux-dietlibc with static linking (!diet-dyn)
+	esac
+      fi
+      if $LD --help 2>&1 | $EGREP ': supported targets:.* elf' > /dev/null \
+	 && test no = "$tmp_diet"
+      then
+	tmp_addflag=' $pic_flag'
+	tmp_sharedflag='-shared'
+	case $cc_basename,$host_cpu in
+        pgcc*)				# Portland Group C compiler
+	  _LT_TAGVAR(whole_archive_flag_spec, $1)='$wl--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` $wl--no-whole-archive'
+	  tmp_addflag=' $pic_flag'
+	  ;;
+	pgf77* | pgf90* | pgf95* | pgfortran*)
+					# Portland Group f77 and f90 compilers
+	  _LT_TAGVAR(whole_archive_flag_spec, $1)='$wl--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` $wl--no-whole-archive'
+	  tmp_addflag=' $pic_flag -Mnomain' ;;
+	ecc*,ia64* | icc*,ia64*)	# Intel C compiler on ia64
+	  tmp_addflag=' -i_dynamic' ;;
+	efc*,ia64* | ifort*,ia64*)	# Intel Fortran compiler on ia64
+	  tmp_addflag=' -i_dynamic -nofor_main' ;;
+	ifc* | ifort*)			# Intel Fortran compiler
+	  tmp_addflag=' -nofor_main' ;;
+	lf95*)				# Lahey Fortran 8.1
+	  _LT_TAGVAR(whole_archive_flag_spec, $1)=
+	  tmp_sharedflag='--shared' ;;
+        nagfor*)                        # NAGFOR 5.3
+          tmp_sharedflag='-Wl,-shared' ;;
+	xl[[cC]]* | bgxl[[cC]]* | mpixl[[cC]]*) # IBM XL C 8.0 on PPC (deal with xlf below)
+	  tmp_sharedflag='-qmkshrobj'
+	  tmp_addflag= ;;
+	nvcc*)	# Cuda Compiler Driver 2.2
+	  _LT_TAGVAR(whole_archive_flag_spec, $1)='$wl--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` $wl--no-whole-archive'
+	  _LT_TAGVAR(compiler_needs_object, $1)=yes
+	  ;;
+	esac
+	case `$CC -V 2>&1 | sed 5q` in
+	*Sun\ C*)			# Sun C 5.9
+	  _LT_TAGVAR(whole_archive_flag_spec, $1)='$wl--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` $wl--no-whole-archive'
+	  _LT_TAGVAR(compiler_needs_object, $1)=yes
+	  tmp_sharedflag='-G' ;;
+	*Sun\ F*)			# Sun Fortran 8.3
+	  tmp_sharedflag='-G' ;;
+	esac
+	_LT_TAGVAR(archive_cmds, $1)='$CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib'
+
+        if test yes = "$supports_anon_versioning"; then
+          _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $output_objdir/$libname.ver~
+            cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
+            echo "local: *; };" >> $output_objdir/$libname.ver~
+            $CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags $wl-soname $wl$soname $wl-version-script $wl$output_objdir/$libname.ver -o $lib'
+        fi
+
+	case $cc_basename in
+	tcc*)
+	  _LT_TAGVAR(export_dynamic_flag_spec, $1)='-rdynamic'
+	  ;;
+	xlf* | bgf* | bgxlf* | mpixlf*)
+	  # IBM XL Fortran 10.1 on PPC cannot create shared libs itself
+	  _LT_TAGVAR(whole_archive_flag_spec, $1)='--whole-archive$convenience --no-whole-archive'
+	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath $wl$libdir'
+	  _LT_TAGVAR(archive_cmds, $1)='$LD -shared $libobjs $deplibs $linker_flags -soname $soname -o $lib'
+	  if test yes = "$supports_anon_versioning"; then
+	    _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $output_objdir/$libname.ver~
+              cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
+              echo "local: *; };" >> $output_objdir/$libname.ver~
+              $LD -shared $libobjs $deplibs $linker_flags -soname $soname -version-script $output_objdir/$libname.ver -o $lib'
+	  fi
+	  ;;
+	esac
+      else
+        _LT_TAGVAR(ld_shlibs, $1)=no
+      fi
+      ;;
+
+    netbsd* | netbsdelf*-gnu)
+      if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
+	_LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
+	wlarc=
+      else
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib'
+	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname $wl-retain-symbols-file $wl$export_symbols -o $lib'
+      fi
+      ;;
+
+    solaris*)
+      if $LD -v 2>&1 | $GREP 'BFD 2\.8' > /dev/null; then
+	_LT_TAGVAR(ld_shlibs, $1)=no
+	cat <<_LT_EOF 1>&2
+
+*** Warning: The releases 2.8.* of the GNU linker cannot reliably
+*** create shared libraries on Solaris systems.  Therefore, libtool
+*** is disabling shared libraries support.  We urge you to upgrade GNU
+*** binutils to release 2.9.1 or newer.  Another option is to modify
+*** your PATH or compiler configuration so that the native linker is
+*** used, and then restart.
+
+_LT_EOF
+      elif $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib'
+	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname $wl-retain-symbols-file $wl$export_symbols -o $lib'
+      else
+	_LT_TAGVAR(ld_shlibs, $1)=no
+      fi
+      ;;
+
+    sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*)
+      case `$LD -v 2>&1` in
+        *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.1[[0-5]].*)
+	_LT_TAGVAR(ld_shlibs, $1)=no
+	cat <<_LT_EOF 1>&2
+
+*** Warning: Releases of the GNU linker prior to 2.16.91.0.3 cannot
+*** reliably create shared libraries on SCO systems.  Therefore, libtool
+*** is disabling shared libraries support.  We urge you to upgrade GNU
+*** binutils to release 2.16.91.0.3 or newer.  Another option is to modify
+*** your PATH or compiler configuration so that the native linker is
+*** used, and then restart.
+
+_LT_EOF
+	;;
+	*)
+	  # For security reasons, it is highly recommended that you always
+	  # use absolute paths for naming shared libraries, and exclude the
+	  # DT_RUNPATH tag from executables and libraries.  But doing so
+	  # requires that you compile everything twice, which is a pain.
+	  if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
+	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath $wl$libdir'
+	    _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib'
+	    _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags $wl-soname $wl$soname $wl-retain-symbols-file $wl$export_symbols -o $lib'
+	  else
+	    _LT_TAGVAR(ld_shlibs, $1)=no
+	  fi
+	;;
+      esac
+      ;;
+
+    sunos4*)
+      _LT_TAGVAR(archive_cmds, $1)='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+      wlarc=
+      _LT_TAGVAR(hardcode_direct, $1)=yes
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
+
+    *)
+      if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib'
+	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname $wl-retain-symbols-file $wl$export_symbols -o $lib'
+      else
+	_LT_TAGVAR(ld_shlibs, $1)=no
+      fi
+      ;;
+    esac
+
+    if test no = "$_LT_TAGVAR(ld_shlibs, $1)"; then
+      runpath_var=
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
+      _LT_TAGVAR(export_dynamic_flag_spec, $1)=
+      _LT_TAGVAR(whole_archive_flag_spec, $1)=
+    fi
+  else
+    # PORTME fill in a description of your system's linker (not GNU ld)
+    case $host_os in
+    aix3*)
+      _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
+      _LT_TAGVAR(always_export_symbols, $1)=yes
+      _LT_TAGVAR(archive_expsym_cmds, $1)='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname'
+      # Note: this linker hardcodes the directories in LIBPATH if there
+      # are no directories specified by -L.
+      _LT_TAGVAR(hardcode_minus_L, $1)=yes
+      if test yes = "$GCC" && test -z "$lt_prog_compiler_static"; then
+	# Neither direct hardcoding nor static linking is supported with a
+	# broken collect2.
+	_LT_TAGVAR(hardcode_direct, $1)=unsupported
+      fi
+      ;;
+
+    aix[[4-9]]*)
+      if test ia64 = "$host_cpu"; then
+	# On IA64, the linker does run time linking by default, so we don't
+	# have to do anything special.
+	aix_use_runtimelinking=no
+	exp_sym_flag='-Bexport'
+	no_entry_flag=
+      else
+	# If we're using GNU nm, then we don't want the "-C" option.
+	# -C means demangle to GNU nm, but means don't demangle to AIX nm.
+	# Without the "-l" option, or with the "-B" option, AIX nm treats
+	# weak defined symbols like other global defined symbols, whereas
+	# GNU nm marks them as "W".
+	# While the 'weak' keyword is ignored in the Export File, we need
+	# it in the Import File for the 'aix-soname' feature, so we have
+	# to replace the "-B" option with "-P" for AIX nm.
+	if $NM -V 2>&1 | $GREP 'GNU' > /dev/null; then
+	  _LT_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B") || (\$ 2 == "W")) && ([substr](\$ 3,1,1) != ".")) { if (\$ 2 == "W") { print \$ 3 " weak" } else { print \$ 3 } } }'\'' | sort -u > $export_symbols'
+	else
+	  _LT_TAGVAR(export_symbols_cmds, $1)='`func_echo_all $NM | $SED -e '\''s/B\([[^B]]*\)$/P\1/'\''` -PCpgl $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B") || (\$ 2 == "W") || (\$ 2 == "V") || (\$ 2 == "Z")) && ([substr](\$ 1,1,1) != ".")) { if ((\$ 2 == "W") || (\$ 2 == "V") || (\$ 2 == "Z")) { print \$ 1 " weak" } else { print \$ 1 } } }'\'' | sort -u > $export_symbols'
+	fi
+	aix_use_runtimelinking=no
+
+	# Test if we are trying to use run time linking or normal
+	# AIX style linking. If -brtl is somewhere in LDFLAGS, we
+	# have runtime linking enabled, and use it for executables.
+	# For shared libraries, we enable/disable runtime linking
+	# depending on the kind of the shared library created -
+	# when "with_aix_soname,aix_use_runtimelinking" is:
+	# "aix,no"   lib.a(lib.so.V) shared, rtl:no,  for executables
+	# "aix,yes"  lib.so          shared, rtl:yes, for executables
+	#            lib.a           static archive
+	# "both,no"  lib.so.V(shr.o) shared, rtl:yes
+	#            lib.a(lib.so.V) shared, rtl:no,  for executables
+	# "both,yes" lib.so.V(shr.o) shared, rtl:yes, for executables
+	#            lib.a(lib.so.V) shared, rtl:no
+	# "svr4,*"   lib.so.V(shr.o) shared, rtl:yes, for executables
+	#            lib.a           static archive
+	case $host_os in aix4.[[23]]|aix4.[[23]].*|aix[[5-9]]*)
+	  for ld_flag in $LDFLAGS; do
+	  if (test x-brtl = "x$ld_flag" || test x-Wl,-brtl = "x$ld_flag"); then
+	    aix_use_runtimelinking=yes
+	    break
+	  fi
+	  done
+	  if test svr4,no = "$with_aix_soname,$aix_use_runtimelinking"; then
+	    # With aix-soname=svr4, we create the lib.so.V shared archives only,
+	    # so we don't have lib.a shared libs to link our executables.
+	    # We have to force runtime linking in this case.
+	    aix_use_runtimelinking=yes
+	    LDFLAGS="$LDFLAGS -Wl,-brtl"
+	  fi
+	  ;;
+	esac
+
+	exp_sym_flag='-bexport'
+	no_entry_flag='-bnoentry'
+      fi
+
+      # When large executables or shared objects are built, AIX ld can
+      # have problems creating the table of contents.  If linking a library
+      # or program results in "error TOC overflow" add -mminimal-toc to
+      # CXXFLAGS/CFLAGS for g++/gcc.  In the cases where that is not
+      # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
+
+      _LT_TAGVAR(archive_cmds, $1)=''
+      _LT_TAGVAR(hardcode_direct, $1)=yes
+      _LT_TAGVAR(hardcode_direct_absolute, $1)=yes
+      _LT_TAGVAR(hardcode_libdir_separator, $1)=':'
+      _LT_TAGVAR(link_all_deplibs, $1)=yes
+      _LT_TAGVAR(file_list_spec, $1)='$wl-f,'
+      case $with_aix_soname,$aix_use_runtimelinking in
+      aix,*) ;; # traditional, no import file
+      svr4,* | *,yes) # use import file
+	# The Import File defines what to hardcode.
+	_LT_TAGVAR(hardcode_direct, $1)=no
+	_LT_TAGVAR(hardcode_direct_absolute, $1)=no
+	;;
+      esac
+
+      if test yes = "$GCC"; then
+	case $host_os in aix4.[[012]]|aix4.[[012]].*)
+	# We only want to do this on AIX 4.2 and lower, the check
+	# below for broken collect2 doesn't work under 4.3+
+	  collect2name=`$CC -print-prog-name=collect2`
+	  if test -f "$collect2name" &&
+	   strings "$collect2name" | $GREP resolve_lib_name >/dev/null
+	  then
+	  # We have reworked collect2
+	  :
+	  else
+	  # We have old collect2
+	  _LT_TAGVAR(hardcode_direct, $1)=unsupported
+	  # It fails to find uninstalled libraries when the uninstalled
+	  # path is not listed in the libpath.  Setting hardcode_minus_L
+	  # to unsupported forces relinking
+	  _LT_TAGVAR(hardcode_minus_L, $1)=yes
+	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+	  _LT_TAGVAR(hardcode_libdir_separator, $1)=
+	  fi
+	  ;;
+	esac
+	shared_flag='-shared'
+	if test yes = "$aix_use_runtimelinking"; then
+	  shared_flag="$shared_flag "'$wl-G'
+	fi
+	# Need to ensure runtime linking is disabled for the traditional
+	# shared library, or the linker may eventually find shared libraries
+	# /with/ Import File - we do not want to mix them.
+	shared_flag_aix='-shared'
+	shared_flag_svr4='-shared $wl-G'
+      else
+	# not using gcc
+	if test ia64 = "$host_cpu"; then
+	# VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
+	# chokes on -Wl,-G. The following line is correct:
+	  shared_flag='-G'
+	else
+	  if test yes = "$aix_use_runtimelinking"; then
+	    shared_flag='$wl-G'
+	  else
+	    shared_flag='$wl-bM:SRE'
+	  fi
+	  shared_flag_aix='$wl-bM:SRE'
+	  shared_flag_svr4='$wl-G'
+	fi
+      fi
+
+      _LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl-bexpall'
+      # It seems that -bexpall does not export symbols beginning with
+      # underscore (_), so it is better to generate a list of symbols to export.
+      _LT_TAGVAR(always_export_symbols, $1)=yes
+      if test aix,yes = "$with_aix_soname,$aix_use_runtimelinking"; then
+	# Warning - without using the other runtime loading flags (-brtl),
+	# -berok will link without error, but may produce a broken library.
+	_LT_TAGVAR(allow_undefined_flag, $1)='-berok'
+        # Determine the default libpath from the value encoded in an
+        # empty executable.
+        _LT_SYS_MODULE_PATH_AIX([$1])
+        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-blibpath:$libdir:'"$aix_libpath"
+        _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $deplibs $wl'$no_entry_flag' $compiler_flags `if test -n "$allow_undefined_flag"; then func_echo_all "$wl$allow_undefined_flag"; else :; fi` $wl'$exp_sym_flag:\$export_symbols' '$shared_flag
+      else
+	if test ia64 = "$host_cpu"; then
+	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-R $libdir:/usr/lib:/lib'
+	  _LT_TAGVAR(allow_undefined_flag, $1)="-z nodefs"
+	  _LT_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\$wl$no_entry_flag"' $compiler_flags $wl$allow_undefined_flag '"\$wl$exp_sym_flag:\$export_symbols"
+	else
+	 # Determine the default libpath from the value encoded in an
+	 # empty executable.
+	 _LT_SYS_MODULE_PATH_AIX([$1])
+	 _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-blibpath:$libdir:'"$aix_libpath"
+	  # Warning - without using the other run time loading flags,
+	  # -berok will link without error, but may produce a broken library.
+	  _LT_TAGVAR(no_undefined_flag, $1)=' $wl-bernotok'
+	  _LT_TAGVAR(allow_undefined_flag, $1)=' $wl-berok'
+	  if test yes = "$with_gnu_ld"; then
+	    # We only use this code for GNU lds that support --whole-archive.
+	    _LT_TAGVAR(whole_archive_flag_spec, $1)='$wl--whole-archive$convenience $wl--no-whole-archive'
+	  else
+	    # Exported symbols can be pulled into shared objects from archives
+	    _LT_TAGVAR(whole_archive_flag_spec, $1)='$convenience'
+	  fi
+	  _LT_TAGVAR(archive_cmds_need_lc, $1)=yes
+	  _LT_TAGVAR(archive_expsym_cmds, $1)='$RM -r $output_objdir/$realname.d~$MKDIR $output_objdir/$realname.d'
+	  # -brtl affects multiple linker settings, -berok does not and is overridden later
+	  compiler_flags_filtered='`func_echo_all "$compiler_flags " | $SED -e "s%-brtl\\([[, ]]\\)%-berok\\1%g"`'
+	  if test svr4 != "$with_aix_soname"; then
+	    # This is similar to how AIX traditionally builds its shared libraries.
+	    _LT_TAGVAR(archive_expsym_cmds, $1)="$_LT_TAGVAR(archive_expsym_cmds, $1)"'~$CC '$shared_flag_aix' -o $output_objdir/$realname.d/$soname $libobjs $deplibs $wl-bnoentry '$compiler_flags_filtered'$wl-bE:$export_symbols$allow_undefined_flag~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$realname.d/$soname'
+	  fi
+	  if test aix != "$with_aix_soname"; then
+	    _LT_TAGVAR(archive_expsym_cmds, $1)="$_LT_TAGVAR(archive_expsym_cmds, $1)"'~$CC '$shared_flag_svr4' -o $output_objdir/$realname.d/$shared_archive_member_spec.o $libobjs $deplibs $wl-bnoentry '$compiler_flags_filtered'$wl-bE:$export_symbols$allow_undefined_flag~$STRIP -e $output_objdir/$realname.d/$shared_archive_member_spec.o~( func_echo_all "#! $soname($shared_archive_member_spec.o)"; if test shr_64 = "$shared_archive_member_spec"; then func_echo_all "# 64"; else func_echo_all "# 32"; fi; cat $export_symbols ) > $output_objdir/$realname.d/$shared_archive_member_spec.imp~$AR $AR_FLAGS $output_objdir/$soname $output_objdir/$realname.d/$shared_archive_member_spec.o $output_objdir/$realname.d/$shared_archive_member_spec.imp'
+	  else
+	    # used by -dlpreopen to get the symbols
+	    _LT_TAGVAR(archive_expsym_cmds, $1)="$_LT_TAGVAR(archive_expsym_cmds, $1)"'~$MV  $output_objdir/$realname.d/$soname $output_objdir'
+	  fi
+	  _LT_TAGVAR(archive_expsym_cmds, $1)="$_LT_TAGVAR(archive_expsym_cmds, $1)"'~$RM -r $output_objdir/$realname.d'
+	fi
+      fi
+      ;;
+
+    amigaos*)
+      case $host_cpu in
+      powerpc)
+            # see comment about AmigaOS4 .so support
+            _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib'
+            _LT_TAGVAR(archive_expsym_cmds, $1)=''
+        ;;
+      m68k)
+            _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/a2ixlibrary.data~$ECHO "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$ECHO "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$ECHO "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$ECHO "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
+            _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+            _LT_TAGVAR(hardcode_minus_L, $1)=yes
+        ;;
+      esac
+      ;;
+
+    bsdi[[45]]*)
+      _LT_TAGVAR(export_dynamic_flag_spec, $1)=-rdynamic
+      ;;
+
+    cygwin* | mingw* | pw32* | cegcc*)
+      # When not using gcc, we currently assume that we are using
+      # Microsoft Visual C++.
+      # hardcode_libdir_flag_spec is actually meaningless, as there is
+      # no search path for DLLs.
+      case $cc_basename in
+      cl*)
+	# Native MSVC
+	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
+	_LT_TAGVAR(allow_undefined_flag, $1)=unsupported
+	_LT_TAGVAR(always_export_symbols, $1)=yes
+	_LT_TAGVAR(file_list_spec, $1)='@'
+	# Tell ltmain to make .lib files, not .a files.
+	libext=lib
+	# Tell ltmain to make .dll files, not .so files.
+	shrext_cmds=.dll
+	# FIXME: Setting linknames here is a bad hack.
+	_LT_TAGVAR(archive_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $compiler_flags $deplibs -Wl,-DLL,-IMPLIB:"$tool_output_objdir$libname.dll.lib"~linknames='
+	_LT_TAGVAR(archive_expsym_cmds, $1)='if _LT_DLL_DEF_P([$export_symbols]); then
+            cp "$export_symbols" "$output_objdir/$soname.def";
+            echo "$tool_output_objdir$soname.def" > "$output_objdir/$soname.exp";
+          else
+            $SED -e '\''s/^/-link -EXPORT:/'\'' < $export_symbols > $output_objdir/$soname.exp;
+          fi~
+          $CC -o $tool_output_objdir$soname $libobjs $compiler_flags $deplibs "@$tool_output_objdir$soname.exp" -Wl,-DLL,-IMPLIB:"$tool_output_objdir$libname.dll.lib"~
+          linknames='
+	# The linker will not automatically build a static lib if we build a DLL.
+	# _LT_TAGVAR(old_archive_from_new_cmds, $1)='true'
+	_LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+	_LT_TAGVAR(exclude_expsyms, $1)='_NULL_IMPORT_DESCRIPTOR|_IMPORT_DESCRIPTOR_.*'
+	_LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1,DATA/'\'' | $SED -e '\''/^[[AITW]][[ ]]/s/.*[[ ]]//'\'' | sort | uniq > $export_symbols'
+	# Don't use ranlib
+	_LT_TAGVAR(old_postinstall_cmds, $1)='chmod 644 $oldlib'
+	_LT_TAGVAR(postlink_cmds, $1)='lt_outputfile="@OUTPUT@"~
+          lt_tool_outputfile="@TOOL_OUTPUT@"~
+          case $lt_outputfile in
+            *.exe|*.EXE) ;;
+            *)
+              lt_outputfile=$lt_outputfile.exe
+              lt_tool_outputfile=$lt_tool_outputfile.exe
+              ;;
+          esac~
+          if test : != "$MANIFEST_TOOL" && test -f "$lt_outputfile.manifest"; then
+            $MANIFEST_TOOL -manifest "$lt_tool_outputfile.manifest" -outputresource:"$lt_tool_outputfile" || exit 1;
+            $RM "$lt_outputfile.manifest";
+          fi'
+	;;
+      *)
+	# Assume MSVC wrapper
+	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
+	_LT_TAGVAR(allow_undefined_flag, $1)=unsupported
+	# Tell ltmain to make .lib files, not .a files.
+	libext=lib
+	# Tell ltmain to make .dll files, not .so files.
+	shrext_cmds=.dll
+	# FIXME: Setting linknames here is a bad hack.
+	_LT_TAGVAR(archive_cmds, $1)='$CC -o $lib $libobjs $compiler_flags `func_echo_all "$deplibs" | $SED '\''s/ -lc$//'\''` -link -dll~linknames='
+	# The linker will automatically build a .lib file if we build a DLL.
+	_LT_TAGVAR(old_archive_from_new_cmds, $1)='true'
+	# FIXME: Should let the user specify the lib program.
+	_LT_TAGVAR(old_archive_cmds, $1)='lib -OUT:$oldlib$oldobjs$old_deplibs'
+	_LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+	;;
+      esac
+      ;;
+
+    darwin* | rhapsody*)
+      _LT_DARWIN_LINKER_FEATURES($1)
+      ;;
+
+    dgux*)
+      _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
+
+    # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor
+    # support.  Future versions do this automatically, but an explicit c++rt0.o
+    # does not break anything, and helps significantly (at the cost of a little
+    # extra space).
+    freebsd2.2*)
+      _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o'
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+      _LT_TAGVAR(hardcode_direct, $1)=yes
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
+
+    # Unfortunately, older versions of FreeBSD 2 do not have this feature.
+    freebsd2.*)
+      _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+      _LT_TAGVAR(hardcode_direct, $1)=yes
+      _LT_TAGVAR(hardcode_minus_L, $1)=yes
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
+
+    # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
+    freebsd* | dragonfly*)
+      _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+      _LT_TAGVAR(hardcode_direct, $1)=yes
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
+
+    hpux9*)
+      if test yes = "$GCC"; then
+	_LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$CC -shared $pic_flag $wl+b $wl$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test "x$output_objdir/$soname" = "x$lib" || mv $output_objdir/$soname $lib'
+      else
+	_LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test "x$output_objdir/$soname" = "x$lib" || mv $output_objdir/$soname $lib'
+      fi
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl+b $wl$libdir'
+      _LT_TAGVAR(hardcode_libdir_separator, $1)=:
+      _LT_TAGVAR(hardcode_direct, $1)=yes
+
+      # hardcode_minus_L: Not really in the search PATH,
+      # but as the default location of the library.
+      _LT_TAGVAR(hardcode_minus_L, $1)=yes
+      _LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl-E'
+      ;;
+
+    hpux10*)
+      if test yes,no = "$GCC,$with_gnu_ld"; then
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $wl+h $wl$soname $wl+b $wl$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	_LT_TAGVAR(archive_cmds, $1)='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
+      fi
+      if test no = "$with_gnu_ld"; then
+	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl+b $wl$libdir'
+	_LT_TAGVAR(hardcode_libdir_separator, $1)=:
+	_LT_TAGVAR(hardcode_direct, $1)=yes
+	_LT_TAGVAR(hardcode_direct_absolute, $1)=yes
+	_LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl-E'
+	# hardcode_minus_L: Not really in the search PATH,
+	# but as the default location of the library.
+	_LT_TAGVAR(hardcode_minus_L, $1)=yes
+      fi
+      ;;
+
+    hpux11*)
+      if test yes,no = "$GCC,$with_gnu_ld"; then
+	case $host_cpu in
+	hppa*64*)
+	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared $wl+h $wl$soname -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	ia64*)
+	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $wl+h $wl$soname $wl+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	*)
+	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $wl+h $wl$soname $wl+b $wl$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	esac
+      else
+	case $host_cpu in
+	hppa*64*)
+	  _LT_TAGVAR(archive_cmds, $1)='$CC -b $wl+h $wl$soname -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	ia64*)
+	  _LT_TAGVAR(archive_cmds, $1)='$CC -b $wl+h $wl$soname $wl+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	*)
+	m4_if($1, [], [
+	  # Older versions of the 11.00 compiler do not understand -b yet
+	  # (HP92453-01 A.11.01.20 doesn't, HP92453-01 B.11.X.35175-35176.GP does)
+	  _LT_LINKER_OPTION([if $CC understands -b],
+	    _LT_TAGVAR(lt_cv_prog_compiler__b, $1), [-b],
+	    [_LT_TAGVAR(archive_cmds, $1)='$CC -b $wl+h $wl$soname $wl+b $wl$install_libdir -o $lib $libobjs $deplibs $compiler_flags'],
+	    [_LT_TAGVAR(archive_cmds, $1)='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'])],
+	  [_LT_TAGVAR(archive_cmds, $1)='$CC -b $wl+h $wl$soname $wl+b $wl$install_libdir -o $lib $libobjs $deplibs $compiler_flags'])
+	  ;;
+	esac
+      fi
+      if test no = "$with_gnu_ld"; then
+	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl+b $wl$libdir'
+	_LT_TAGVAR(hardcode_libdir_separator, $1)=:
+
+	case $host_cpu in
+	hppa*64*|ia64*)
+	  _LT_TAGVAR(hardcode_direct, $1)=no
+	  _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+	  ;;
+	*)
+	  _LT_TAGVAR(hardcode_direct, $1)=yes
+	  _LT_TAGVAR(hardcode_direct_absolute, $1)=yes
+	  _LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl-E'
+
+	  # hardcode_minus_L: Not really in the search PATH,
+	  # but as the default location of the library.
+	  _LT_TAGVAR(hardcode_minus_L, $1)=yes
+	  ;;
+	esac
+      fi
+      ;;
+
+    irix5* | irix6* | nonstopux*)
+      if test yes = "$GCC"; then
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` $wl-update_registry $wl$output_objdir/so_locations -o $lib'
+	# Try to use the -exported_symbol ld option, if it does not
+	# work, assume that -exports_file does not work either and
+	# implicitly export all symbols.
+	# This should be the same for all languages, so no per-tag cache variable.
+	AC_CACHE_CHECK([whether the $host_os linker accepts -exported_symbol],
+	  [lt_cv_irix_exported_symbol],
+	  [save_LDFLAGS=$LDFLAGS
+	   LDFLAGS="$LDFLAGS -shared $wl-exported_symbol ${wl}foo $wl-update_registry $wl/dev/null"
+	   AC_LINK_IFELSE(
+	     [AC_LANG_SOURCE(
+	        [AC_LANG_CASE([C], [[int foo (void) { return 0; }]],
+			      [C++], [[int foo (void) { return 0; }]],
+			      [Fortran 77], [[
+      subroutine foo
+      end]],
+			      [Fortran], [[
+      subroutine foo
+      end]])])],
+	      [lt_cv_irix_exported_symbol=yes],
+	      [lt_cv_irix_exported_symbol=no])
+           LDFLAGS=$save_LDFLAGS])
+	if test yes = "$lt_cv_irix_exported_symbol"; then
+          _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` $wl-update_registry $wl$output_objdir/so_locations $wl-exports_file $wl$export_symbols -o $lib'
+	fi
+	_LT_TAGVAR(link_all_deplibs, $1)=no
+      else
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib'
+	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -exports_file $export_symbols -o $lib'
+      fi
+      _LT_TAGVAR(archive_cmds_need_lc, $1)='no'
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath $wl$libdir'
+      _LT_TAGVAR(hardcode_libdir_separator, $1)=:
+      _LT_TAGVAR(inherit_rpath, $1)=yes
+      _LT_TAGVAR(link_all_deplibs, $1)=yes
+      ;;
+
+    linux*)
+      case $cc_basename in
+      tcc*)
+	# Fabrice Bellard et al's Tiny C Compiler
+	_LT_TAGVAR(ld_shlibs, $1)=yes
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+	;;
+      esac
+      ;;
+
+    netbsd* | netbsdelf*-gnu)
+      if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
+	_LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'  # a.out
+      else
+	_LT_TAGVAR(archive_cmds, $1)='$LD -shared -o $lib $libobjs $deplibs $linker_flags'      # ELF
+      fi
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+      _LT_TAGVAR(hardcode_direct, $1)=yes
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
+
+    newsos6)
+      _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+      _LT_TAGVAR(hardcode_direct, $1)=yes
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath $wl$libdir'
+      _LT_TAGVAR(hardcode_libdir_separator, $1)=:
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
+
+    *nto* | *qnx*)
+      ;;
+
+    openbsd* | bitrig*)
+      if test -f /usr/libexec/ld.so; then
+	_LT_TAGVAR(hardcode_direct, $1)=yes
+	_LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+	_LT_TAGVAR(hardcode_direct_absolute, $1)=yes
+	if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`"; then
+	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+	  _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags $wl-retain-symbols-file,$export_symbols'
+	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath,$libdir'
+	  _LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl-E'
+	else
+	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath,$libdir'
+	fi
+      else
+	_LT_TAGVAR(ld_shlibs, $1)=no
+      fi
+      ;;
+
+    os2*)
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+      _LT_TAGVAR(hardcode_minus_L, $1)=yes
+      _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
+      shrext_cmds=.dll
+      _LT_TAGVAR(archive_cmds, $1)='$ECHO "LIBRARY ${soname%$shared_ext} INITINSTANCE TERMINSTANCE" > $output_objdir/$libname.def~
+	$ECHO "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~
+	$ECHO "DATA MULTIPLE NONSHARED" >> $output_objdir/$libname.def~
+	$ECHO EXPORTS >> $output_objdir/$libname.def~
+	emxexp $libobjs | $SED /"_DLL_InitTerm"/d >> $output_objdir/$libname.def~
+	$CC -Zdll -Zcrtdll -o $output_objdir/$soname $libobjs $deplibs $compiler_flags $output_objdir/$libname.def~
+	emximp -o $lib $output_objdir/$libname.def'
+      _LT_TAGVAR(archive_expsym_cmds, $1)='$ECHO "LIBRARY ${soname%$shared_ext} INITINSTANCE TERMINSTANCE" > $output_objdir/$libname.def~
+	$ECHO "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~
+	$ECHO "DATA MULTIPLE NONSHARED" >> $output_objdir/$libname.def~
+	$ECHO EXPORTS >> $output_objdir/$libname.def~
+	prefix_cmds="$SED"~
+	if test EXPORTS = "`$SED 1q $export_symbols`"; then
+	  prefix_cmds="$prefix_cmds -e 1d";
+	fi~
+	prefix_cmds="$prefix_cmds -e \"s/^\(.*\)$/_\1/g\""~
+	cat $export_symbols | $prefix_cmds >> $output_objdir/$libname.def~
+	$CC -Zdll -Zcrtdll -o $output_objdir/$soname $libobjs $deplibs $compiler_flags $output_objdir/$libname.def~
+	emximp -o $lib $output_objdir/$libname.def'
+      _LT_TAGVAR(old_archive_From_new_cmds, $1)='emximp -o $output_objdir/${libname}_dll.a $output_objdir/$libname.def'
+      _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+      ;;
+
+    osf3*)
+      if test yes = "$GCC"; then
+	_LT_TAGVAR(allow_undefined_flag, $1)=' $wl-expect_unresolved $wl\*'
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared$allow_undefined_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` $wl-update_registry $wl$output_objdir/so_locations -o $lib'
+      else
+	_LT_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared$allow_undefined_flag $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib'
+      fi
+      _LT_TAGVAR(archive_cmds_need_lc, $1)='no'
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath $wl$libdir'
+      _LT_TAGVAR(hardcode_libdir_separator, $1)=:
+      ;;
+
+    osf4* | osf5*)	# as osf3* with the addition of -msym flag
+      if test yes = "$GCC"; then
+	_LT_TAGVAR(allow_undefined_flag, $1)=' $wl-expect_unresolved $wl\*'
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared$allow_undefined_flag $pic_flag $libobjs $deplibs $compiler_flags $wl-msym $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` $wl-update_registry $wl$output_objdir/so_locations -o $lib'
+	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath $wl$libdir'
+      else
+	_LT_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared$allow_undefined_flag $libobjs $deplibs $compiler_flags -msym -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib'
+	_LT_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; printf "%s\\n" "-hidden">> $lib.exp~
+          $CC -shared$allow_undefined_flag $wl-input $wl$lib.exp $compiler_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && $ECHO "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib~$RM $lib.exp'
+
+	# Both c and cxx compiler support -rpath directly
+	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
+      fi
+      _LT_TAGVAR(archive_cmds_need_lc, $1)='no'
+      _LT_TAGVAR(hardcode_libdir_separator, $1)=:
+      ;;
+
+    solaris*)
+      _LT_TAGVAR(no_undefined_flag, $1)=' -z defs'
+      if test yes = "$GCC"; then
+	wlarc='$wl'
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $wl-z ${wl}text $wl-h $wl$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
+          $CC -shared $pic_flag $wl-z ${wl}text $wl-M $wl$lib.exp $wl-h $wl$soname -o $lib $libobjs $deplibs $compiler_flags~$RM $lib.exp'
+      else
+	case `$CC -V 2>&1` in
+	*"Compilers 5.0"*)
+	  wlarc=''
+	  _LT_TAGVAR(archive_cmds, $1)='$LD -G$allow_undefined_flag -h $soname -o $lib $libobjs $deplibs $linker_flags'
+	  _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
+            $LD -G$allow_undefined_flag -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$RM $lib.exp'
+	  ;;
+	*)
+	  wlarc='$wl'
+	  _LT_TAGVAR(archive_cmds, $1)='$CC -G$allow_undefined_flag -h $soname -o $lib $libobjs $deplibs $compiler_flags'
+	  _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
+            $CC -G$allow_undefined_flag -M $lib.exp -h $soname -o $lib $libobjs $deplibs $compiler_flags~$RM $lib.exp'
+	  ;;
+	esac
+      fi
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      case $host_os in
+      solaris2.[[0-5]] | solaris2.[[0-5]].*) ;;
+      *)
+	# The compiler driver will combine and reorder linker options,
+	# but understands '-z linker_flag'.  GCC discards it without '$wl',
+	# but is careful enough not to reorder.
+	# Supported since Solaris 2.6 (maybe 2.5.1?)
+	if test yes = "$GCC"; then
+	  _LT_TAGVAR(whole_archive_flag_spec, $1)='$wl-z ${wl}allextract$convenience $wl-z ${wl}defaultextract'
+	else
+	  _LT_TAGVAR(whole_archive_flag_spec, $1)='-z allextract$convenience -z defaultextract'
+	fi
+	;;
+      esac
+      _LT_TAGVAR(link_all_deplibs, $1)=yes
+      ;;
+
+    sunos4*)
+      if test sequent = "$host_vendor"; then
+	# Use $CC to link under sequent, because it throws in some extra .o
+	# files that make .init and .fini sections work.
+	_LT_TAGVAR(archive_cmds, $1)='$CC -G $wl-h $soname -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	_LT_TAGVAR(archive_cmds, $1)='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags'
+      fi
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+      _LT_TAGVAR(hardcode_direct, $1)=yes
+      _LT_TAGVAR(hardcode_minus_L, $1)=yes
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
+
+    sysv4)
+      case $host_vendor in
+	sni)
+	  _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+	  _LT_TAGVAR(hardcode_direct, $1)=yes # is this really true???
+	;;
+	siemens)
+	  ## LD is ld it makes a PLAMLIB
+	  ## CC just makes a GrossModule.
+	  _LT_TAGVAR(archive_cmds, $1)='$LD -G -o $lib $libobjs $deplibs $linker_flags'
+	  _LT_TAGVAR(reload_cmds, $1)='$CC -r -o $output$reload_objs'
+	  _LT_TAGVAR(hardcode_direct, $1)=no
+        ;;
+	motorola)
+	  _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+	  _LT_TAGVAR(hardcode_direct, $1)=no #Motorola manual says yes, but my tests say they lie
+	;;
+      esac
+      runpath_var='LD_RUN_PATH'
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
+
+    sysv4.3*)
+      _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      _LT_TAGVAR(export_dynamic_flag_spec, $1)='-Bexport'
+      ;;
+
+    sysv4*MP*)
+      if test -d /usr/nec; then
+	_LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+	_LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+	runpath_var=LD_RUN_PATH
+	hardcode_runpath_var=yes
+	_LT_TAGVAR(ld_shlibs, $1)=yes
+      fi
+      ;;
+
+    sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[[01]].[[10]]* | unixware7* | sco3.2v5.0.[[024]]*)
+      _LT_TAGVAR(no_undefined_flag, $1)='$wl-z,text'
+      _LT_TAGVAR(archive_cmds_need_lc, $1)=no
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      runpath_var='LD_RUN_PATH'
+
+      if test yes = "$GCC"; then
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $wl-Bexport:$export_symbols $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	_LT_TAGVAR(archive_cmds, $1)='$CC -G $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G $wl-Bexport:$export_symbols $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+      fi
+      ;;
+
+    sysv5* | sco3.2v5* | sco5v6*)
+      # Note: We CANNOT use -z defs as we might desire, because we do not
+      # link with -lc, and that would cause any symbols used from libc to
+      # always be unresolved, which means just about no library would
+      # ever link correctly.  If we're not using GNU ld we use -z text
+      # though, which does catch some bad symbols but isn't as heavy-handed
+      # as -z defs.
+      _LT_TAGVAR(no_undefined_flag, $1)='$wl-z,text'
+      _LT_TAGVAR(allow_undefined_flag, $1)='$wl-z,nodefs'
+      _LT_TAGVAR(archive_cmds_need_lc, $1)=no
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-R,$libdir'
+      _LT_TAGVAR(hardcode_libdir_separator, $1)=':'
+      _LT_TAGVAR(link_all_deplibs, $1)=yes
+      _LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl-Bexport'
+      runpath_var='LD_RUN_PATH'
+
+      if test yes = "$GCC"; then
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $wl-Bexport:$export_symbols $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	_LT_TAGVAR(archive_cmds, $1)='$CC -G $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G $wl-Bexport:$export_symbols $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+      fi
+      ;;
+
+    uts4*)
+      _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
+
+    *)
+      _LT_TAGVAR(ld_shlibs, $1)=no
+      ;;
+    esac
+
+    if test sni = "$host_vendor"; then
+      case $host in
+      sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+	_LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl-Blargedynsym'
+	;;
+      esac
+    fi
+  fi
+])
+AC_MSG_RESULT([$_LT_TAGVAR(ld_shlibs, $1)])
+test no = "$_LT_TAGVAR(ld_shlibs, $1)" && can_build_shared=no
+
+_LT_TAGVAR(with_gnu_ld, $1)=$with_gnu_ld
+
+_LT_DECL([], [libext], [0], [Old archive suffix (normally "a")])dnl
+_LT_DECL([], [shrext_cmds], [1], [Shared library suffix (normally ".so")])dnl
+_LT_DECL([], [extract_expsyms_cmds], [2],
+    [The commands to extract the exported symbol list from a shared archive])
+
+#
+# Do we need to explicitly link libc?
+#
+case "x$_LT_TAGVAR(archive_cmds_need_lc, $1)" in
+x|xyes)
+  # Assume -lc should be added
+  _LT_TAGVAR(archive_cmds_need_lc, $1)=yes
+
+  if test yes,yes = "$GCC,$enable_shared"; then
+    case $_LT_TAGVAR(archive_cmds, $1) in
+    *'~'*)
+      # FIXME: we may have to deal with multi-command sequences.
+      ;;
+    '$CC '*)
+      # Test whether the compiler implicitly links with -lc since on some
+      # systems, -lgcc has to come before -lc. If gcc already passes -lc
+      # to ld, don't add -lc before -lgcc.
+      AC_CACHE_CHECK([whether -lc should be explicitly linked in],
+	[lt_cv_]_LT_TAGVAR(archive_cmds_need_lc, $1),
+	[$RM conftest*
+	echo "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+	if AC_TRY_EVAL(ac_compile) 2>conftest.err; then
+	  soname=conftest
+	  lib=conftest
+	  libobjs=conftest.$ac_objext
+	  deplibs=
+	  wl=$_LT_TAGVAR(lt_prog_compiler_wl, $1)
+	  pic_flag=$_LT_TAGVAR(lt_prog_compiler_pic, $1)
+	  compiler_flags=-v
+	  linker_flags=-v
+	  verstring=
+	  output_objdir=.
+	  libname=conftest
+	  lt_save_allow_undefined_flag=$_LT_TAGVAR(allow_undefined_flag, $1)
+	  _LT_TAGVAR(allow_undefined_flag, $1)=
+	  if AC_TRY_EVAL(_LT_TAGVAR(archive_cmds, $1) 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1)
+	  then
+	    lt_cv_[]_LT_TAGVAR(archive_cmds_need_lc, $1)=no
+	  else
+	    lt_cv_[]_LT_TAGVAR(archive_cmds_need_lc, $1)=yes
+	  fi
+	  _LT_TAGVAR(allow_undefined_flag, $1)=$lt_save_allow_undefined_flag
+	else
+	  cat conftest.err 1>&5
+	fi
+	$RM conftest*
+	])
+      _LT_TAGVAR(archive_cmds_need_lc, $1)=$lt_cv_[]_LT_TAGVAR(archive_cmds_need_lc, $1)
+      ;;
+    esac
+  fi
+  ;;
+esac
+
+_LT_TAGDECL([build_libtool_need_lc], [archive_cmds_need_lc], [0],
+    [Whether or not to add -lc for building shared libraries])
+_LT_TAGDECL([allow_libtool_libs_with_static_runtimes],
+    [enable_shared_with_static_runtimes], [0],
+    [Whether or not to disallow shared libs when runtime libs are static])
+_LT_TAGDECL([], [export_dynamic_flag_spec], [1],
+    [Compiler flag to allow reflexive dlopens])
+_LT_TAGDECL([], [whole_archive_flag_spec], [1],
+    [Compiler flag to generate shared objects directly from archives])
+_LT_TAGDECL([], [compiler_needs_object], [1],
+    [Whether the compiler copes with passing no objects directly])
+_LT_TAGDECL([], [old_archive_from_new_cmds], [2],
+    [Create an old-style archive from a shared archive])
+_LT_TAGDECL([], [old_archive_from_expsyms_cmds], [2],
+    [Create a temporary old-style archive to link instead of a shared archive])
+_LT_TAGDECL([], [archive_cmds], [2], [Commands used to build a shared archive])
+_LT_TAGDECL([], [archive_expsym_cmds], [2])
+_LT_TAGDECL([], [module_cmds], [2],
+    [Commands used to build a loadable module if different from building
+    a shared archive.])
+_LT_TAGDECL([], [module_expsym_cmds], [2])
+_LT_TAGDECL([], [with_gnu_ld], [1],
+    [Whether we are building with GNU ld or not])
+_LT_TAGDECL([], [allow_undefined_flag], [1],
+    [Flag that allows shared libraries with undefined symbols to be built])
+_LT_TAGDECL([], [no_undefined_flag], [1],
+    [Flag that enforces no undefined symbols])
+_LT_TAGDECL([], [hardcode_libdir_flag_spec], [1],
+    [Flag to hardcode $libdir into a binary during linking.
+    This must work even if $libdir does not exist])
+_LT_TAGDECL([], [hardcode_libdir_separator], [1],
+    [Whether we need a single "-rpath" flag with a separated argument])
+_LT_TAGDECL([], [hardcode_direct], [0],
+    [Set to "yes" if using DIR/libNAME$shared_ext during linking hardcodes
+    DIR into the resulting binary])
+_LT_TAGDECL([], [hardcode_direct_absolute], [0],
+    [Set to "yes" if using DIR/libNAME$shared_ext during linking hardcodes
+    DIR into the resulting binary and the resulting library dependency is
+    "absolute", i.e impossible to change by setting $shlibpath_var if the
+    library is relocated])
+_LT_TAGDECL([], [hardcode_minus_L], [0],
+    [Set to "yes" if using the -LDIR flag during linking hardcodes DIR
+    into the resulting binary])
+_LT_TAGDECL([], [hardcode_shlibpath_var], [0],
+    [Set to "yes" if using SHLIBPATH_VAR=DIR during linking hardcodes DIR
+    into the resulting binary])
+_LT_TAGDECL([], [hardcode_automatic], [0],
+    [Set to "yes" if building a shared library automatically hardcodes DIR
+    into the library and all subsequent libraries and executables linked
+    against it])
+_LT_TAGDECL([], [inherit_rpath], [0],
+    [Set to yes if linker adds runtime paths of dependent libraries
+    to runtime path list])
+_LT_TAGDECL([], [link_all_deplibs], [0],
+    [Whether libtool must link a program against all its dependency libraries])
+_LT_TAGDECL([], [always_export_symbols], [0],
+    [Set to "yes" if exported symbols are required])
+_LT_TAGDECL([], [export_symbols_cmds], [2],
+    [The commands to list exported symbols])
+_LT_TAGDECL([], [exclude_expsyms], [1],
+    [Symbols that should not be listed in the preloaded symbols])
+_LT_TAGDECL([], [include_expsyms], [1],
+    [Symbols that must always be exported])
+_LT_TAGDECL([], [prelink_cmds], [2],
+    [Commands necessary for linking programs (against libraries) with templates])
+_LT_TAGDECL([], [postlink_cmds], [2],
+    [Commands necessary for finishing linking programs])
+_LT_TAGDECL([], [file_list_spec], [1],
+    [Specify filename containing input files])
+dnl FIXME: Not yet implemented
+dnl _LT_TAGDECL([], [thread_safe_flag_spec], [1],
+dnl    [Compiler flag to generate thread safe objects])
+])# _LT_LINKER_SHLIBS
+
+
+# _LT_LANG_C_CONFIG([TAG])
+# ------------------------
+# Ensure that the configuration variables for a C compiler are suitably
+# defined.  These variables are subsequently used by _LT_CONFIG to write
+# the compiler configuration to 'libtool'.
+m4_defun([_LT_LANG_C_CONFIG],
+[m4_require([_LT_DECL_EGREP])dnl
+lt_save_CC=$CC
+AC_LANG_PUSH(C)
+
+# Source file extension for C test sources.
+ac_ext=c
+
+# Object file extension for compiled C test sources.
+objext=o
+_LT_TAGVAR(objext, $1)=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code="int some_variable = 0;"
+
+# Code to be used in simple link tests
+lt_simple_link_test_code='int main(){return(0);}'
+
+_LT_TAG_COMPILER
+# Save the default compiler, since it gets overwritten when the other
+# tags are being tested, and _LT_TAGVAR(compiler, []) is a NOP.
+compiler_DEFAULT=$CC
+
+# save warnings/boilerplate of simple test code
+_LT_COMPILER_BOILERPLATE
+_LT_LINKER_BOILERPLATE
+
+## CAVEAT EMPTOR:
+## There is no encapsulation within the following macros, do not change
+## the running order or otherwise move them around unless you know exactly
+## what you are doing...
+if test -n "$compiler"; then
+  _LT_COMPILER_NO_RTTI($1)
+  _LT_COMPILER_PIC($1)
+  _LT_COMPILER_C_O($1)
+  _LT_COMPILER_FILE_LOCKS($1)
+  _LT_LINKER_SHLIBS($1)
+  _LT_SYS_DYNAMIC_LINKER($1)
+  _LT_LINKER_HARDCODE_LIBPATH($1)
+  LT_SYS_DLOPEN_SELF
+  _LT_CMD_STRIPLIB
+
+  # Report what library types will actually be built
+  AC_MSG_CHECKING([if libtool supports shared libraries])
+  AC_MSG_RESULT([$can_build_shared])
+
+  AC_MSG_CHECKING([whether to build shared libraries])
+  test no = "$can_build_shared" && enable_shared=no
+
+  # On AIX, shared libraries and static libraries use the same namespace, and
+  # are all built from PIC.
+  case $host_os in
+  aix3*)
+    test yes = "$enable_shared" && enable_static=no
+    if test -n "$RANLIB"; then
+      archive_cmds="$archive_cmds~\$RANLIB \$lib"
+      postinstall_cmds='$RANLIB $lib'
+    fi
+    ;;
+
+  aix[[4-9]]*)
+    if test ia64 != "$host_cpu"; then
+      case $enable_shared,$with_aix_soname,$aix_use_runtimelinking in
+      yes,aix,yes) ;;			# shared object as lib.so file only
+      yes,svr4,*) ;;			# shared object as lib.so archive member only
+      yes,*) enable_static=no ;;	# shared object in lib.a archive as well
+      esac
+    fi
+    ;;
+  esac
+  AC_MSG_RESULT([$enable_shared])
+
+  AC_MSG_CHECKING([whether to build static libraries])
+  # Make sure either enable_shared or enable_static is yes.
+  test yes = "$enable_shared" || enable_static=yes
+  AC_MSG_RESULT([$enable_static])
+
+  _LT_CONFIG($1)
+fi
+AC_LANG_POP
+CC=$lt_save_CC
+])# _LT_LANG_C_CONFIG
+
+
+# _LT_LANG_CXX_CONFIG([TAG])
+# --------------------------
+# Ensure that the configuration variables for a C++ compiler are suitably
+# defined.  These variables are subsequently used by _LT_CONFIG to write
+# the compiler configuration to 'libtool'.
+m4_defun([_LT_LANG_CXX_CONFIG],
+[m4_require([_LT_FILEUTILS_DEFAULTS])dnl
+m4_require([_LT_DECL_EGREP])dnl
+m4_require([_LT_PATH_MANIFEST_TOOL])dnl
+if test -n "$CXX" && ( test no != "$CXX" &&
+    ( (test g++ = "$CXX" && `g++ -v >/dev/null 2>&1` ) ||
+    (test g++ != "$CXX"))); then
+  AC_PROG_CXXCPP
+else
+  _lt_caught_CXX_error=yes
+fi
+
+AC_LANG_PUSH(C++)
+_LT_TAGVAR(archive_cmds_need_lc, $1)=no
+_LT_TAGVAR(allow_undefined_flag, $1)=
+_LT_TAGVAR(always_export_symbols, $1)=no
+_LT_TAGVAR(archive_expsym_cmds, $1)=
+_LT_TAGVAR(compiler_needs_object, $1)=no
+_LT_TAGVAR(export_dynamic_flag_spec, $1)=
+_LT_TAGVAR(hardcode_direct, $1)=no
+_LT_TAGVAR(hardcode_direct_absolute, $1)=no
+_LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
+_LT_TAGVAR(hardcode_libdir_separator, $1)=
+_LT_TAGVAR(hardcode_minus_L, $1)=no
+_LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
+_LT_TAGVAR(hardcode_automatic, $1)=no
+_LT_TAGVAR(inherit_rpath, $1)=no
+_LT_TAGVAR(module_cmds, $1)=
+_LT_TAGVAR(module_expsym_cmds, $1)=
+_LT_TAGVAR(link_all_deplibs, $1)=unknown
+_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
+_LT_TAGVAR(reload_flag, $1)=$reload_flag
+_LT_TAGVAR(reload_cmds, $1)=$reload_cmds
+_LT_TAGVAR(no_undefined_flag, $1)=
+_LT_TAGVAR(whole_archive_flag_spec, $1)=
+_LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no
+
+# Source file extension for C++ test sources.
+ac_ext=cpp
+
+# Object file extension for compiled C++ test sources.
+objext=o
+_LT_TAGVAR(objext, $1)=$objext
+
+# No sense in running all these tests if we already determined that
+# the CXX compiler isn't working.  Some variables (like enable_shared)
+# are currently assumed to apply to all compilers on this platform,
+# and will be corrupted by setting them based on a non-working compiler.
+if test yes != "$_lt_caught_CXX_error"; then
+  # Code to be used in simple compile tests
+  lt_simple_compile_test_code="int some_variable = 0;"
+
+  # Code to be used in simple link tests
+  lt_simple_link_test_code='int main(int, char *[[]]) { return(0); }'
+
+  # ltmain only uses $CC for tagged configurations so make sure $CC is set.
+  _LT_TAG_COMPILER
+
+  # save warnings/boilerplate of simple test code
+  _LT_COMPILER_BOILERPLATE
+  _LT_LINKER_BOILERPLATE
+
+  # Allow CC to be a program name with arguments.
+  lt_save_CC=$CC
+  lt_save_CFLAGS=$CFLAGS
+  lt_save_LD=$LD
+  lt_save_GCC=$GCC
+  GCC=$GXX
+  lt_save_with_gnu_ld=$with_gnu_ld
+  lt_save_path_LD=$lt_cv_path_LD
+  if test -n "${lt_cv_prog_gnu_ldcxx+set}"; then
+    lt_cv_prog_gnu_ld=$lt_cv_prog_gnu_ldcxx
+  else
+    $as_unset lt_cv_prog_gnu_ld
+  fi
+  if test -n "${lt_cv_path_LDCXX+set}"; then
+    lt_cv_path_LD=$lt_cv_path_LDCXX
+  else
+    $as_unset lt_cv_path_LD
+  fi
+  test -z "${LDCXX+set}" || LD=$LDCXX
+  CC=${CXX-"c++"}
+  CFLAGS=$CXXFLAGS
+  compiler=$CC
+  _LT_TAGVAR(compiler, $1)=$CC
+  _LT_CC_BASENAME([$compiler])
+
+  if test -n "$compiler"; then
+    # We don't want -fno-exception when compiling C++ code, so set the
+    # no_builtin_flag separately
+    if test yes = "$GXX"; then
+      _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin'
+    else
+      _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=
+    fi
+
+    if test yes = "$GXX"; then
+      # Set up default GNU C++ configuration
+
+      LT_PATH_LD
+
+      # Check if GNU C++ uses GNU ld as the underlying linker, since the
+      # archiving commands below assume that GNU ld is being used.
+      if test yes = "$with_gnu_ld"; then
+        _LT_TAGVAR(archive_cmds, $1)='$CC $pic_flag -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-soname $wl$soname -o $lib'
+        _LT_TAGVAR(archive_expsym_cmds, $1)='$CC $pic_flag -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-soname $wl$soname $wl-retain-symbols-file $wl$export_symbols -o $lib'
+
+        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath $wl$libdir'
+        _LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl--export-dynamic'
+
+        # If archive_cmds runs LD, not CC, wlarc should be empty
+        # XXX I think wlarc can be eliminated in ltcf-cxx, but I need to
+        #     investigate it a little bit more. (MM)
+        wlarc='$wl'
+
+        # ancient GNU ld didn't support --whole-archive et. al.
+        if eval "`$CC -print-prog-name=ld` --help 2>&1" |
+	  $GREP 'no-whole-archive' > /dev/null; then
+          _LT_TAGVAR(whole_archive_flag_spec, $1)=$wlarc'--whole-archive$convenience '$wlarc'--no-whole-archive'
+        else
+          _LT_TAGVAR(whole_archive_flag_spec, $1)=
+        fi
+      else
+        with_gnu_ld=no
+        wlarc=
+
+        # A generic and very simple default shared library creation
+        # command for GNU C++ for the case where it uses the native
+        # linker, instead of GNU ld.  If possible, this setting should
+        # overridden to take advantage of the native linker features on
+        # the platform it is being used on.
+        _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib'
+      fi
+
+      # Commands to make compiler produce verbose output that lists
+      # what "hidden" libraries, object files and flags are used when
+      # linking a shared library.
+      output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"'
+
+    else
+      GXX=no
+      with_gnu_ld=no
+      wlarc=
+    fi
+
+    # PORTME: fill in a description of your system's C++ link characteristics
+    AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries])
+    _LT_TAGVAR(ld_shlibs, $1)=yes
+    case $host_os in
+      aix3*)
+        # FIXME: insert proper C++ library support
+        _LT_TAGVAR(ld_shlibs, $1)=no
+        ;;
+      aix[[4-9]]*)
+        if test ia64 = "$host_cpu"; then
+          # On IA64, the linker does run time linking by default, so we don't
+          # have to do anything special.
+          aix_use_runtimelinking=no
+          exp_sym_flag='-Bexport'
+          no_entry_flag=
+        else
+          aix_use_runtimelinking=no
+
+          # Test if we are trying to use run time linking or normal
+          # AIX style linking. If -brtl is somewhere in LDFLAGS, we
+          # have runtime linking enabled, and use it for executables.
+          # For shared libraries, we enable/disable runtime linking
+          # depending on the kind of the shared library created -
+          # when "with_aix_soname,aix_use_runtimelinking" is:
+          # "aix,no"   lib.a(lib.so.V) shared, rtl:no,  for executables
+          # "aix,yes"  lib.so          shared, rtl:yes, for executables
+          #            lib.a           static archive
+          # "both,no"  lib.so.V(shr.o) shared, rtl:yes
+          #            lib.a(lib.so.V) shared, rtl:no,  for executables
+          # "both,yes" lib.so.V(shr.o) shared, rtl:yes, for executables
+          #            lib.a(lib.so.V) shared, rtl:no
+          # "svr4,*"   lib.so.V(shr.o) shared, rtl:yes, for executables
+          #            lib.a           static archive
+          case $host_os in aix4.[[23]]|aix4.[[23]].*|aix[[5-9]]*)
+	    for ld_flag in $LDFLAGS; do
+	      case $ld_flag in
+	      *-brtl*)
+	        aix_use_runtimelinking=yes
+	        break
+	        ;;
+	      esac
+	    done
+	    if test svr4,no = "$with_aix_soname,$aix_use_runtimelinking"; then
+	      # With aix-soname=svr4, we create the lib.so.V shared archives only,
+	      # so we don't have lib.a shared libs to link our executables.
+	      # We have to force runtime linking in this case.
+	      aix_use_runtimelinking=yes
+	      LDFLAGS="$LDFLAGS -Wl,-brtl"
+	    fi
+	    ;;
+          esac
+
+          exp_sym_flag='-bexport'
+          no_entry_flag='-bnoentry'
+        fi
+
+        # When large executables or shared objects are built, AIX ld can
+        # have problems creating the table of contents.  If linking a library
+        # or program results in "error TOC overflow" add -mminimal-toc to
+        # CXXFLAGS/CFLAGS for g++/gcc.  In the cases where that is not
+        # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
+
+        _LT_TAGVAR(archive_cmds, $1)=''
+        _LT_TAGVAR(hardcode_direct, $1)=yes
+        _LT_TAGVAR(hardcode_direct_absolute, $1)=yes
+        _LT_TAGVAR(hardcode_libdir_separator, $1)=':'
+        _LT_TAGVAR(link_all_deplibs, $1)=yes
+        _LT_TAGVAR(file_list_spec, $1)='$wl-f,'
+        case $with_aix_soname,$aix_use_runtimelinking in
+        aix,*) ;;	# no import file
+        svr4,* | *,yes) # use import file
+          # The Import File defines what to hardcode.
+          _LT_TAGVAR(hardcode_direct, $1)=no
+          _LT_TAGVAR(hardcode_direct_absolute, $1)=no
+          ;;
+        esac
+
+        if test yes = "$GXX"; then
+          case $host_os in aix4.[[012]]|aix4.[[012]].*)
+          # We only want to do this on AIX 4.2 and lower, the check
+          # below for broken collect2 doesn't work under 4.3+
+	  collect2name=`$CC -print-prog-name=collect2`
+	  if test -f "$collect2name" &&
+	     strings "$collect2name" | $GREP resolve_lib_name >/dev/null
+	  then
+	    # We have reworked collect2
+	    :
+	  else
+	    # We have old collect2
+	    _LT_TAGVAR(hardcode_direct, $1)=unsupported
+	    # It fails to find uninstalled libraries when the uninstalled
+	    # path is not listed in the libpath.  Setting hardcode_minus_L
+	    # to unsupported forces relinking
+	    _LT_TAGVAR(hardcode_minus_L, $1)=yes
+	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+	    _LT_TAGVAR(hardcode_libdir_separator, $1)=
+	  fi
+          esac
+          shared_flag='-shared'
+	  if test yes = "$aix_use_runtimelinking"; then
+	    shared_flag=$shared_flag' $wl-G'
+	  fi
+	  # Need to ensure runtime linking is disabled for the traditional
+	  # shared library, or the linker may eventually find shared libraries
+	  # /with/ Import File - we do not want to mix them.
+	  shared_flag_aix='-shared'
+	  shared_flag_svr4='-shared $wl-G'
+        else
+          # not using gcc
+          if test ia64 = "$host_cpu"; then
+	  # VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
+	  # chokes on -Wl,-G. The following line is correct:
+	  shared_flag='-G'
+          else
+	    if test yes = "$aix_use_runtimelinking"; then
+	      shared_flag='$wl-G'
+	    else
+	      shared_flag='$wl-bM:SRE'
+	    fi
+	    shared_flag_aix='$wl-bM:SRE'
+	    shared_flag_svr4='$wl-G'
+          fi
+        fi
+
+        _LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl-bexpall'
+        # It seems that -bexpall does not export symbols beginning with
+        # underscore (_), so it is better to generate a list of symbols to
+	# export.
+        _LT_TAGVAR(always_export_symbols, $1)=yes
+	if test aix,yes = "$with_aix_soname,$aix_use_runtimelinking"; then
+          # Warning - without using the other runtime loading flags (-brtl),
+          # -berok will link without error, but may produce a broken library.
+          # The "-G" linker flag allows undefined symbols.
+          _LT_TAGVAR(no_undefined_flag, $1)='-bernotok'
+          # Determine the default libpath from the value encoded in an empty
+          # executable.
+          _LT_SYS_MODULE_PATH_AIX([$1])
+          _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-blibpath:$libdir:'"$aix_libpath"
+
+          _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $deplibs $wl'$no_entry_flag' $compiler_flags `if test -n "$allow_undefined_flag"; then func_echo_all "$wl$allow_undefined_flag"; else :; fi` $wl'$exp_sym_flag:\$export_symbols' '$shared_flag
+        else
+          if test ia64 = "$host_cpu"; then
+	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-R $libdir:/usr/lib:/lib'
+	    _LT_TAGVAR(allow_undefined_flag, $1)="-z nodefs"
+	    _LT_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\$wl$no_entry_flag"' $compiler_flags $wl$allow_undefined_flag '"\$wl$exp_sym_flag:\$export_symbols"
+          else
+	    # Determine the default libpath from the value encoded in an
+	    # empty executable.
+	    _LT_SYS_MODULE_PATH_AIX([$1])
+	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-blibpath:$libdir:'"$aix_libpath"
+	    # Warning - without using the other run time loading flags,
+	    # -berok will link without error, but may produce a broken library.
+	    _LT_TAGVAR(no_undefined_flag, $1)=' $wl-bernotok'
+	    _LT_TAGVAR(allow_undefined_flag, $1)=' $wl-berok'
+	    if test yes = "$with_gnu_ld"; then
+	      # We only use this code for GNU lds that support --whole-archive.
+	      _LT_TAGVAR(whole_archive_flag_spec, $1)='$wl--whole-archive$convenience $wl--no-whole-archive'
+	    else
+	      # Exported symbols can be pulled into shared objects from archives
+	      _LT_TAGVAR(whole_archive_flag_spec, $1)='$convenience'
+	    fi
+	    _LT_TAGVAR(archive_cmds_need_lc, $1)=yes
+	    _LT_TAGVAR(archive_expsym_cmds, $1)='$RM -r $output_objdir/$realname.d~$MKDIR $output_objdir/$realname.d'
+	    # -brtl affects multiple linker settings, -berok does not and is overridden later
+	    compiler_flags_filtered='`func_echo_all "$compiler_flags " | $SED -e "s%-brtl\\([[, ]]\\)%-berok\\1%g"`'
+	    if test svr4 != "$with_aix_soname"; then
+	      # This is similar to how AIX traditionally builds its shared
+	      # libraries. Need -bnortl late, we may have -brtl in LDFLAGS.
+	      _LT_TAGVAR(archive_expsym_cmds, $1)="$_LT_TAGVAR(archive_expsym_cmds, $1)"'~$CC '$shared_flag_aix' -o $output_objdir/$realname.d/$soname $libobjs $deplibs $wl-bnoentry '$compiler_flags_filtered'$wl-bE:$export_symbols$allow_undefined_flag~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$realname.d/$soname'
+	    fi
+	    if test aix != "$with_aix_soname"; then
+	      _LT_TAGVAR(archive_expsym_cmds, $1)="$_LT_TAGVAR(archive_expsym_cmds, $1)"'~$CC '$shared_flag_svr4' -o $output_objdir/$realname.d/$shared_archive_member_spec.o $libobjs $deplibs $wl-bnoentry '$compiler_flags_filtered'$wl-bE:$export_symbols$allow_undefined_flag~$STRIP -e $output_objdir/$realname.d/$shared_archive_member_spec.o~( func_echo_all "#! $soname($shared_archive_member_spec.o)"; if test shr_64 = "$shared_archive_member_spec"; then func_echo_all "# 64"; else func_echo_all "# 32"; fi; cat $export_symbols ) > $output_objdir/$realname.d/$shared_archive_member_spec.imp~$AR $AR_FLAGS $output_objdir/$soname $output_objdir/$realname.d/$shared_archive_member_spec.o $output_objdir/$realname.d/$shared_archive_member_spec.imp'
+	    else
+	      # used by -dlpreopen to get the symbols
+	      _LT_TAGVAR(archive_expsym_cmds, $1)="$_LT_TAGVAR(archive_expsym_cmds, $1)"'~$MV  $output_objdir/$realname.d/$soname $output_objdir'
+	    fi
+	    _LT_TAGVAR(archive_expsym_cmds, $1)="$_LT_TAGVAR(archive_expsym_cmds, $1)"'~$RM -r $output_objdir/$realname.d'
+          fi
+        fi
+        ;;
+
+      beos*)
+	if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
+	  _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
+	  # Joseph Beckenbach <jrb3@best.com> says some releases of gcc
+	  # support --undefined.  This deserves some investigation.  FIXME
+	  _LT_TAGVAR(archive_cmds, $1)='$CC -nostart $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib'
+	else
+	  _LT_TAGVAR(ld_shlibs, $1)=no
+	fi
+	;;
+
+      chorus*)
+        case $cc_basename in
+          *)
+	  # FIXME: insert proper C++ library support
+	  _LT_TAGVAR(ld_shlibs, $1)=no
+	  ;;
+        esac
+        ;;
+
+      cygwin* | mingw* | pw32* | cegcc*)
+	case $GXX,$cc_basename in
+	,cl* | no,cl*)
+	  # Native MSVC
+	  # hardcode_libdir_flag_spec is actually meaningless, as there is
+	  # no search path for DLLs.
+	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
+	  _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
+	  _LT_TAGVAR(always_export_symbols, $1)=yes
+	  _LT_TAGVAR(file_list_spec, $1)='@'
+	  # Tell ltmain to make .lib files, not .a files.
+	  libext=lib
+	  # Tell ltmain to make .dll files, not .so files.
+	  shrext_cmds=.dll
+	  # FIXME: Setting linknames here is a bad hack.
+	  _LT_TAGVAR(archive_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $compiler_flags $deplibs -Wl,-DLL,-IMPLIB:"$tool_output_objdir$libname.dll.lib"~linknames='
+	  _LT_TAGVAR(archive_expsym_cmds, $1)='if _LT_DLL_DEF_P([$export_symbols]); then
+              cp "$export_symbols" "$output_objdir/$soname.def";
+              echo "$tool_output_objdir$soname.def" > "$output_objdir/$soname.exp";
+            else
+              $SED -e '\''s/^/-link -EXPORT:/'\'' < $export_symbols > $output_objdir/$soname.exp;
+            fi~
+            $CC -o $tool_output_objdir$soname $libobjs $compiler_flags $deplibs "@$tool_output_objdir$soname.exp" -Wl,-DLL,-IMPLIB:"$tool_output_objdir$libname.dll.lib"~
+            linknames='
+	  # The linker will not automatically build a static lib if we build a DLL.
+	  # _LT_TAGVAR(old_archive_from_new_cmds, $1)='true'
+	  _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+	  # Don't use ranlib
+	  _LT_TAGVAR(old_postinstall_cmds, $1)='chmod 644 $oldlib'
+	  _LT_TAGVAR(postlink_cmds, $1)='lt_outputfile="@OUTPUT@"~
+            lt_tool_outputfile="@TOOL_OUTPUT@"~
+            case $lt_outputfile in
+              *.exe|*.EXE) ;;
+              *)
+                lt_outputfile=$lt_outputfile.exe
+                lt_tool_outputfile=$lt_tool_outputfile.exe
+                ;;
+            esac~
+            func_to_tool_file "$lt_outputfile"~
+            if test : != "$MANIFEST_TOOL" && test -f "$lt_outputfile.manifest"; then
+              $MANIFEST_TOOL -manifest "$lt_tool_outputfile.manifest" -outputresource:"$lt_tool_outputfile" || exit 1;
+              $RM "$lt_outputfile.manifest";
+            fi'
+	  ;;
+	*)
+	  # g++
+	  # _LT_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless,
+	  # as there is no search path for DLLs.
+	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+	  _LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl--export-all-symbols'
+	  _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
+	  _LT_TAGVAR(always_export_symbols, $1)=no
+	  _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+
+	  if $LD --help 2>&1 | $GREP 'auto-import' > /dev/null; then
+	    _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname $wl--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+	    # If the export-symbols file already is a .def file, use it as
+	    # is; otherwise, prepend EXPORTS...
+	    _LT_TAGVAR(archive_expsym_cmds, $1)='if _LT_DLL_DEF_P([$export_symbols]); then
+              cp $export_symbols $output_objdir/$soname.def;
+            else
+              echo EXPORTS > $output_objdir/$soname.def;
+              cat $export_symbols >> $output_objdir/$soname.def;
+            fi~
+            $CC -shared -nostdlib $output_objdir/$soname.def $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname $wl--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+	  else
+	    _LT_TAGVAR(ld_shlibs, $1)=no
+	  fi
+	  ;;
+	esac
+	;;
+      darwin* | rhapsody*)
+        _LT_DARWIN_LINKER_FEATURES($1)
+	;;
+
+      os2*)
+	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+	_LT_TAGVAR(hardcode_minus_L, $1)=yes
+	_LT_TAGVAR(allow_undefined_flag, $1)=unsupported
+	shrext_cmds=.dll
+	_LT_TAGVAR(archive_cmds, $1)='$ECHO "LIBRARY ${soname%$shared_ext} INITINSTANCE TERMINSTANCE" > $output_objdir/$libname.def~
+	  $ECHO "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~
+	  $ECHO "DATA MULTIPLE NONSHARED" >> $output_objdir/$libname.def~
+	  $ECHO EXPORTS >> $output_objdir/$libname.def~
+	  emxexp $libobjs | $SED /"_DLL_InitTerm"/d >> $output_objdir/$libname.def~
+	  $CC -Zdll -Zcrtdll -o $output_objdir/$soname $libobjs $deplibs $compiler_flags $output_objdir/$libname.def~
+	  emximp -o $lib $output_objdir/$libname.def'
+	_LT_TAGVAR(archive_expsym_cmds, $1)='$ECHO "LIBRARY ${soname%$shared_ext} INITINSTANCE TERMINSTANCE" > $output_objdir/$libname.def~
+	  $ECHO "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~
+	  $ECHO "DATA MULTIPLE NONSHARED" >> $output_objdir/$libname.def~
+	  $ECHO EXPORTS >> $output_objdir/$libname.def~
+	  prefix_cmds="$SED"~
+	  if test EXPORTS = "`$SED 1q $export_symbols`"; then
+	    prefix_cmds="$prefix_cmds -e 1d";
+	  fi~
+	  prefix_cmds="$prefix_cmds -e \"s/^\(.*\)$/_\1/g\""~
+	  cat $export_symbols | $prefix_cmds >> $output_objdir/$libname.def~
+	  $CC -Zdll -Zcrtdll -o $output_objdir/$soname $libobjs $deplibs $compiler_flags $output_objdir/$libname.def~
+	  emximp -o $lib $output_objdir/$libname.def'
+	_LT_TAGVAR(old_archive_From_new_cmds, $1)='emximp -o $output_objdir/${libname}_dll.a $output_objdir/$libname.def'
+	_LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+	;;
+
+      dgux*)
+        case $cc_basename in
+          ec++*)
+	    # FIXME: insert proper C++ library support
+	    _LT_TAGVAR(ld_shlibs, $1)=no
+	    ;;
+          ghcx*)
+	    # Green Hills C++ Compiler
+	    # FIXME: insert proper C++ library support
+	    _LT_TAGVAR(ld_shlibs, $1)=no
+	    ;;
+          *)
+	    # FIXME: insert proper C++ library support
+	    _LT_TAGVAR(ld_shlibs, $1)=no
+	    ;;
+        esac
+        ;;
+
+      freebsd2.*)
+        # C++ shared libraries reported to be fairly broken before
+	# switch to ELF
+        _LT_TAGVAR(ld_shlibs, $1)=no
+        ;;
+
+      freebsd-elf*)
+        _LT_TAGVAR(archive_cmds_need_lc, $1)=no
+        ;;
+
+      freebsd* | dragonfly*)
+        # FreeBSD 3 and later use GNU C++ and GNU ld with standard ELF
+        # conventions
+        _LT_TAGVAR(ld_shlibs, $1)=yes
+        ;;
+
+      haiku*)
+        _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib'
+        _LT_TAGVAR(link_all_deplibs, $1)=yes
+        ;;
+
+      hpux9*)
+        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl+b $wl$libdir'
+        _LT_TAGVAR(hardcode_libdir_separator, $1)=:
+        _LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl-E'
+        _LT_TAGVAR(hardcode_direct, $1)=yes
+        _LT_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH,
+				             # but as the default
+				             # location of the library.
+
+        case $cc_basename in
+          CC*)
+            # FIXME: insert proper C++ library support
+            _LT_TAGVAR(ld_shlibs, $1)=no
+            ;;
+          aCC*)
+            _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$CC -b $wl+b $wl$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test "x$output_objdir/$soname" = "x$lib" || mv $output_objdir/$soname $lib'
+            # Commands to make compiler produce verbose output that lists
+            # what "hidden" libraries, object files and flags are used when
+            # linking a shared library.
+            #
+            # There doesn't appear to be a way to prevent this compiler from
+            # explicitly linking system object files so we need to strip them
+            # from the output so that they don't get included in the library
+            # dependencies.
+            output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $EGREP " \-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
+            ;;
+          *)
+            if test yes = "$GXX"; then
+              _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$CC -shared -nostdlib $pic_flag $wl+b $wl$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test "x$output_objdir/$soname" = "x$lib" || mv $output_objdir/$soname $lib'
+            else
+              # FIXME: insert proper C++ library support
+              _LT_TAGVAR(ld_shlibs, $1)=no
+            fi
+            ;;
+        esac
+        ;;
+
+      hpux10*|hpux11*)
+        if test no = "$with_gnu_ld"; then
+	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl+b $wl$libdir'
+	  _LT_TAGVAR(hardcode_libdir_separator, $1)=:
+
+          case $host_cpu in
+            hppa*64*|ia64*)
+              ;;
+            *)
+	      _LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl-E'
+              ;;
+          esac
+        fi
+        case $host_cpu in
+          hppa*64*|ia64*)
+            _LT_TAGVAR(hardcode_direct, $1)=no
+            _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+            ;;
+          *)
+            _LT_TAGVAR(hardcode_direct, $1)=yes
+            _LT_TAGVAR(hardcode_direct_absolute, $1)=yes
+            _LT_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH,
+					         # but as the default
+					         # location of the library.
+            ;;
+        esac
+
+        case $cc_basename in
+          CC*)
+	    # FIXME: insert proper C++ library support
+	    _LT_TAGVAR(ld_shlibs, $1)=no
+	    ;;
+          aCC*)
+	    case $host_cpu in
+	      hppa*64*)
+	        _LT_TAGVAR(archive_cmds, $1)='$CC -b $wl+h $wl$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	        ;;
+	      ia64*)
+	        _LT_TAGVAR(archive_cmds, $1)='$CC -b $wl+h $wl$soname $wl+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	        ;;
+	      *)
+	        _LT_TAGVAR(archive_cmds, $1)='$CC -b $wl+h $wl$soname $wl+b $wl$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	        ;;
+	    esac
+	    # Commands to make compiler produce verbose output that lists
+	    # what "hidden" libraries, object files and flags are used when
+	    # linking a shared library.
+	    #
+	    # There doesn't appear to be a way to prevent this compiler from
+	    # explicitly linking system object files so we need to strip them
+	    # from the output so that they don't get included in the library
+	    # dependencies.
+	    output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $GREP " \-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
+	    ;;
+          *)
+	    if test yes = "$GXX"; then
+	      if test no = "$with_gnu_ld"; then
+	        case $host_cpu in
+	          hppa*64*)
+	            _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC $wl+h $wl$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	            ;;
+	          ia64*)
+	            _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $pic_flag $wl+h $wl$soname $wl+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	            ;;
+	          *)
+	            _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $pic_flag $wl+h $wl$soname $wl+b $wl$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	            ;;
+	        esac
+	      fi
+	    else
+	      # FIXME: insert proper C++ library support
+	      _LT_TAGVAR(ld_shlibs, $1)=no
+	    fi
+	    ;;
+        esac
+        ;;
+
+      interix[[3-9]]*)
+	_LT_TAGVAR(hardcode_direct, $1)=no
+	_LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath,$libdir'
+	_LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl-E'
+	# Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
+	# Instead, shared libraries are loaded at an image base (0x10000000 by
+	# default) and relocated if they conflict, which is a slow very memory
+	# consuming and fragmenting process.  To avoid this, we pick a random,
+	# 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
+	# time.  Moving up from 0x10000000 also allows more sbrk(2) space.
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-h,$soname $wl--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+	_LT_TAGVAR(archive_expsym_cmds, $1)='sed "s|^|_|" $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-h,$soname $wl--retain-symbols-file,$output_objdir/$soname.expsym $wl--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+	;;
+      irix5* | irix6*)
+        case $cc_basename in
+          CC*)
+	    # SGI C++
+	    _LT_TAGVAR(archive_cmds, $1)='$CC -shared -all -multigot $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib'
+
+	    # Archives containing C++ object files must be created using
+	    # "CC -ar", where "CC" is the IRIX C++ compiler.  This is
+	    # necessary to make sure instantiated templates are included
+	    # in the archive.
+	    _LT_TAGVAR(old_archive_cmds, $1)='$CC -ar -WR,-u -o $oldlib $oldobjs'
+	    ;;
+          *)
+	    if test yes = "$GXX"; then
+	      if test no = "$with_gnu_ld"; then
+	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` $wl-update_registry $wl$output_objdir/so_locations -o $lib'
+	      else
+	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` -o $lib'
+	      fi
+	    fi
+	    _LT_TAGVAR(link_all_deplibs, $1)=yes
+	    ;;
+        esac
+        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath $wl$libdir'
+        _LT_TAGVAR(hardcode_libdir_separator, $1)=:
+        _LT_TAGVAR(inherit_rpath, $1)=yes
+        ;;
+
+      linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
+        case $cc_basename in
+          KCC*)
+	    # Kuck and Associates, Inc. (KAI) C++ Compiler
+
+	    # KCC will only create a shared library if the output file
+	    # ends with ".so" (or ".sl" for HP-UX), so rename the library
+	    # to its proper name (with version) after linking.
+	    _LT_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\$tempext\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
+	    _LT_TAGVAR(archive_expsym_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\$tempext\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib $wl-retain-symbols-file,$export_symbols; mv \$templib $lib'
+	    # Commands to make compiler produce verbose output that lists
+	    # what "hidden" libraries, object files and flags are used when
+	    # linking a shared library.
+	    #
+	    # There doesn't appear to be a way to prevent this compiler from
+	    # explicitly linking system object files so we need to strip them
+	    # from the output so that they don't get included in the library
+	    # dependencies.
+	    output_verbose_link_cmd='templist=`$CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1 | $GREP "ld"`; rm -f libconftest$shared_ext; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
+
+	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath,$libdir'
+	    _LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl--export-dynamic'
+
+	    # Archives containing C++ object files must be created using
+	    # "CC -Bstatic", where "CC" is the KAI C++ compiler.
+	    _LT_TAGVAR(old_archive_cmds, $1)='$CC -Bstatic -o $oldlib $oldobjs'
+	    ;;
+	  icpc* | ecpc* )
+	    # Intel C++
+	    with_gnu_ld=yes
+	    # version 8.0 and above of icpc choke on multiply defined symbols
+	    # if we add $predep_objects and $postdep_objects, however 7.1 and
+	    # earlier do not add the objects themselves.
+	    case `$CC -V 2>&1` in
+	      *"Version 7."*)
+	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-soname $wl$soname -o $lib'
+		_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-soname $wl$soname $wl-retain-symbols-file $wl$export_symbols -o $lib'
+		;;
+	      *)  # Version 8.0 or newer
+	        tmp_idyn=
+	        case $host_cpu in
+		  ia64*) tmp_idyn=' -i_dynamic';;
+		esac
+	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared'"$tmp_idyn"' $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib'
+		_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared'"$tmp_idyn"' $libobjs $deplibs $compiler_flags $wl-soname $wl$soname $wl-retain-symbols-file $wl$export_symbols -o $lib'
+		;;
+	    esac
+	    _LT_TAGVAR(archive_cmds_need_lc, $1)=no
+	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath,$libdir'
+	    _LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl--export-dynamic'
+	    _LT_TAGVAR(whole_archive_flag_spec, $1)='$wl--whole-archive$convenience $wl--no-whole-archive'
+	    ;;
+          pgCC* | pgcpp*)
+            # Portland Group C++ compiler
+	    case `$CC -V` in
+	    *pgCC\ [[1-5]].* | *pgcpp\ [[1-5]].*)
+	      _LT_TAGVAR(prelink_cmds, $1)='tpldir=Template.dir~
+               rm -rf $tpldir~
+               $CC --prelink_objects --instantiation_dir $tpldir $objs $libobjs $compile_deplibs~
+               compile_command="$compile_command `find $tpldir -name \*.o | sort | $NL2SP`"'
+	      _LT_TAGVAR(old_archive_cmds, $1)='tpldir=Template.dir~
+                rm -rf $tpldir~
+                $CC --prelink_objects --instantiation_dir $tpldir $oldobjs$old_deplibs~
+                $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | sort | $NL2SP`~
+                $RANLIB $oldlib'
+	      _LT_TAGVAR(archive_cmds, $1)='tpldir=Template.dir~
+                rm -rf $tpldir~
+                $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+                $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags $wl-soname $wl$soname -o $lib'
+	      _LT_TAGVAR(archive_expsym_cmds, $1)='tpldir=Template.dir~
+                rm -rf $tpldir~
+                $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+                $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags $wl-soname $wl$soname $wl-retain-symbols-file $wl$export_symbols -o $lib'
+	      ;;
+	    *) # Version 6 and above use weak symbols
+	      _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-soname $wl$soname -o $lib'
+	      _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-soname $wl$soname $wl-retain-symbols-file $wl$export_symbols -o $lib'
+	      ;;
+	    esac
+
+	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl--rpath $wl$libdir'
+	    _LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl--export-dynamic'
+	    _LT_TAGVAR(whole_archive_flag_spec, $1)='$wl--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` $wl--no-whole-archive'
+            ;;
+	  cxx*)
+	    # Compaq C++
+	    _LT_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-soname $wl$soname -o $lib'
+	    _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-soname $wl$soname  -o $lib $wl-retain-symbols-file $wl$export_symbols'
+
+	    runpath_var=LD_RUN_PATH
+	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
+	    _LT_TAGVAR(hardcode_libdir_separator, $1)=:
+
+	    # Commands to make compiler produce verbose output that lists
+	    # what "hidden" libraries, object files and flags are used when
+	    # linking a shared library.
+	    #
+	    # There doesn't appear to be a way to prevent this compiler from
+	    # explicitly linking system object files so we need to strip them
+	    # from the output so that they don't get included in the library
+	    # dependencies.
+	    output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "ld"`; templist=`func_echo_all "$templist" | $SED "s/\(^.*ld.*\)\( .*ld .*$\)/\1/"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "X$list" | $Xsed'
+	    ;;
+	  xl* | mpixl* | bgxl*)
+	    # IBM XL 8.0 on PPC, with GNU ld
+	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath $wl$libdir'
+	    _LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl--export-dynamic'
+	    _LT_TAGVAR(archive_cmds, $1)='$CC -qmkshrobj $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib'
+	    if test yes = "$supports_anon_versioning"; then
+	      _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $output_objdir/$libname.ver~
+                cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
+                echo "local: *; };" >> $output_objdir/$libname.ver~
+                $CC -qmkshrobj $libobjs $deplibs $compiler_flags $wl-soname $wl$soname $wl-version-script $wl$output_objdir/$libname.ver -o $lib'
+	    fi
+	    ;;
+	  *)
+	    case `$CC -V 2>&1 | sed 5q` in
+	    *Sun\ C*)
+	      # Sun C++ 5.9
+	      _LT_TAGVAR(no_undefined_flag, $1)=' -zdefs'
+	      _LT_TAGVAR(archive_cmds, $1)='$CC -G$allow_undefined_flag -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	      _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G$allow_undefined_flag -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-retain-symbols-file $wl$export_symbols'
+	      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+	      _LT_TAGVAR(whole_archive_flag_spec, $1)='$wl--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` $wl--no-whole-archive'
+	      _LT_TAGVAR(compiler_needs_object, $1)=yes
+
+	      # Not sure whether something based on
+	      # $CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1
+	      # would be better.
+	      output_verbose_link_cmd='func_echo_all'
+
+	      # Archives containing C++ object files must be created using
+	      # "CC -xar", where "CC" is the Sun C++ compiler.  This is
+	      # necessary to make sure instantiated templates are included
+	      # in the archive.
+	      _LT_TAGVAR(old_archive_cmds, $1)='$CC -xar -o $oldlib $oldobjs'
+	      ;;
+	    esac
+	    ;;
+	esac
+	;;
+
+      lynxos*)
+        # FIXME: insert proper C++ library support
+	_LT_TAGVAR(ld_shlibs, $1)=no
+	;;
+
+      m88k*)
+        # FIXME: insert proper C++ library support
+        _LT_TAGVAR(ld_shlibs, $1)=no
+	;;
+
+      mvs*)
+        case $cc_basename in
+          cxx*)
+	    # FIXME: insert proper C++ library support
+	    _LT_TAGVAR(ld_shlibs, $1)=no
+	    ;;
+	  *)
+	    # FIXME: insert proper C++ library support
+	    _LT_TAGVAR(ld_shlibs, $1)=no
+	    ;;
+	esac
+	;;
+
+      netbsd*)
+        if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
+	  _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable  -o $lib $predep_objects $libobjs $deplibs $postdep_objects $linker_flags'
+	  wlarc=
+	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+	  _LT_TAGVAR(hardcode_direct, $1)=yes
+	  _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+	fi
+	# Workaround some broken pre-1.5 toolchains
+	output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP conftest.$objext | $SED -e "s:-lgcc -lc -lgcc::"'
+	;;
+
+      *nto* | *qnx*)
+        _LT_TAGVAR(ld_shlibs, $1)=yes
+	;;
+
+      openbsd* | bitrig*)
+	if test -f /usr/libexec/ld.so; then
+	  _LT_TAGVAR(hardcode_direct, $1)=yes
+	  _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+	  _LT_TAGVAR(hardcode_direct_absolute, $1)=yes
+	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib'
+	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath,$libdir'
+	  if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`"; then
+	    _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-retain-symbols-file,$export_symbols -o $lib'
+	    _LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl-E'
+	    _LT_TAGVAR(whole_archive_flag_spec, $1)=$wlarc'--whole-archive$convenience '$wlarc'--no-whole-archive'
+	  fi
+	  output_verbose_link_cmd=func_echo_all
+	else
+	  _LT_TAGVAR(ld_shlibs, $1)=no
+	fi
+	;;
+
+      osf3* | osf4* | osf5*)
+        case $cc_basename in
+          KCC*)
+	    # Kuck and Associates, Inc. (KAI) C++ Compiler
+
+	    # KCC will only create a shared library if the output file
+	    # ends with ".so" (or ".sl" for HP-UX), so rename the library
+	    # to its proper name (with version) after linking.
+	    _LT_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo "$lib" | $SED -e "s/\$tempext\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
+
+	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath,$libdir'
+	    _LT_TAGVAR(hardcode_libdir_separator, $1)=:
+
+	    # Archives containing C++ object files must be created using
+	    # the KAI C++ compiler.
+	    case $host in
+	      osf3*) _LT_TAGVAR(old_archive_cmds, $1)='$CC -Bstatic -o $oldlib $oldobjs' ;;
+	      *) _LT_TAGVAR(old_archive_cmds, $1)='$CC -o $oldlib $oldobjs' ;;
+	    esac
+	    ;;
+          RCC*)
+	    # Rational C++ 2.4.1
+	    # FIXME: insert proper C++ library support
+	    _LT_TAGVAR(ld_shlibs, $1)=no
+	    ;;
+          cxx*)
+	    case $host in
+	      osf3*)
+	        _LT_TAGVAR(allow_undefined_flag, $1)=' $wl-expect_unresolved $wl\*'
+	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared$allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-soname $soname `test -n "$verstring" && func_echo_all "$wl-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib'
+	        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath $wl$libdir'
+		;;
+	      *)
+	        _LT_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
+	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared$allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib'
+	        _LT_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done~
+                  echo "-hidden">> $lib.exp~
+                  $CC -shared$allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname $wl-input $wl$lib.exp  `test -n "$verstring" && $ECHO "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib~
+                  $RM $lib.exp'
+	        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
+		;;
+	    esac
+
+	    _LT_TAGVAR(hardcode_libdir_separator, $1)=:
+
+	    # Commands to make compiler produce verbose output that lists
+	    # what "hidden" libraries, object files and flags are used when
+	    # linking a shared library.
+	    #
+	    # There doesn't appear to be a way to prevent this compiler from
+	    # explicitly linking system object files so we need to strip them
+	    # from the output so that they don't get included in the library
+	    # dependencies.
+	    output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "ld" | $GREP -v "ld:"`; templist=`func_echo_all "$templist" | $SED "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
+	    ;;
+	  *)
+	    if test yes,no = "$GXX,$with_gnu_ld"; then
+	      _LT_TAGVAR(allow_undefined_flag, $1)=' $wl-expect_unresolved $wl\*'
+	      case $host in
+	        osf3*)
+	          _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` $wl-update_registry $wl$output_objdir/so_locations -o $lib'
+		  ;;
+	        *)
+	          _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -nostdlib $allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-msym $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` $wl-update_registry $wl$output_objdir/so_locations -o $lib'
+		  ;;
+	      esac
+
+	      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath $wl$libdir'
+	      _LT_TAGVAR(hardcode_libdir_separator, $1)=:
+
+	      # Commands to make compiler produce verbose output that lists
+	      # what "hidden" libraries, object files and flags are used when
+	      # linking a shared library.
+	      output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"'
+
+	    else
+	      # FIXME: insert proper C++ library support
+	      _LT_TAGVAR(ld_shlibs, $1)=no
+	    fi
+	    ;;
+        esac
+        ;;
+
+      psos*)
+        # FIXME: insert proper C++ library support
+        _LT_TAGVAR(ld_shlibs, $1)=no
+        ;;
+
+      sunos4*)
+        case $cc_basename in
+          CC*)
+	    # Sun C++ 4.x
+	    # FIXME: insert proper C++ library support
+	    _LT_TAGVAR(ld_shlibs, $1)=no
+	    ;;
+          lcc*)
+	    # Lucid
+	    # FIXME: insert proper C++ library support
+	    _LT_TAGVAR(ld_shlibs, $1)=no
+	    ;;
+          *)
+	    # FIXME: insert proper C++ library support
+	    _LT_TAGVAR(ld_shlibs, $1)=no
+	    ;;
+        esac
+        ;;
+
+      solaris*)
+        case $cc_basename in
+          CC* | sunCC*)
+	    # Sun C++ 4.2, 5.x and Centerline C++
+            _LT_TAGVAR(archive_cmds_need_lc,$1)=yes
+	    _LT_TAGVAR(no_undefined_flag, $1)=' -zdefs'
+	    _LT_TAGVAR(archive_cmds, $1)='$CC -G$allow_undefined_flag -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	    _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
+              $CC -G$allow_undefined_flag $wl-M $wl$lib.exp -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$RM $lib.exp'
+
+	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+	    _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+	    case $host_os in
+	      solaris2.[[0-5]] | solaris2.[[0-5]].*) ;;
+	      *)
+		# The compiler driver will combine and reorder linker options,
+		# but understands '-z linker_flag'.
+	        # Supported since Solaris 2.6 (maybe 2.5.1?)
+		_LT_TAGVAR(whole_archive_flag_spec, $1)='-z allextract$convenience -z defaultextract'
+	        ;;
+	    esac
+	    _LT_TAGVAR(link_all_deplibs, $1)=yes
+
+	    output_verbose_link_cmd='func_echo_all'
+
+	    # Archives containing C++ object files must be created using
+	    # "CC -xar", where "CC" is the Sun C++ compiler.  This is
+	    # necessary to make sure instantiated templates are included
+	    # in the archive.
+	    _LT_TAGVAR(old_archive_cmds, $1)='$CC -xar -o $oldlib $oldobjs'
+	    ;;
+          gcx*)
+	    # Green Hills C++ Compiler
+	    _LT_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-h $wl$soname -o $lib'
+
+	    # The C++ compiler must be used to create the archive.
+	    _LT_TAGVAR(old_archive_cmds, $1)='$CC $LDFLAGS -archive -o $oldlib $oldobjs'
+	    ;;
+          *)
+	    # GNU C++ compiler with Solaris linker
+	    if test yes,no = "$GXX,$with_gnu_ld"; then
+	      _LT_TAGVAR(no_undefined_flag, $1)=' $wl-z ${wl}defs'
+	      if $CC --version | $GREP -v '^2\.7' > /dev/null; then
+	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-h $wl$soname -o $lib'
+	        _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
+                  $CC -shared $pic_flag -nostdlib $wl-M $wl$lib.exp $wl-h $wl$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$RM $lib.exp'
+
+	        # Commands to make compiler produce verbose output that lists
+	        # what "hidden" libraries, object files and flags are used when
+	        # linking a shared library.
+	        output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"'
+	      else
+	        # g++ 2.7 appears to require '-G' NOT '-shared' on this
+	        # platform.
+	        _LT_TAGVAR(archive_cmds, $1)='$CC -G -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-h $wl$soname -o $lib'
+	        _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
+                  $CC -G -nostdlib $wl-M $wl$lib.exp $wl-h $wl$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$RM $lib.exp'
+
+	        # Commands to make compiler produce verbose output that lists
+	        # what "hidden" libraries, object files and flags are used when
+	        # linking a shared library.
+	        output_verbose_link_cmd='$CC -G $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"'
+	      fi
+
+	      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-R $wl$libdir'
+	      case $host_os in
+		solaris2.[[0-5]] | solaris2.[[0-5]].*) ;;
+		*)
+		  _LT_TAGVAR(whole_archive_flag_spec, $1)='$wl-z ${wl}allextract$convenience $wl-z ${wl}defaultextract'
+		  ;;
+	      esac
+	    fi
+	    ;;
+        esac
+        ;;
+
+    sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[[01]].[[10]]* | unixware7* | sco3.2v5.0.[[024]]*)
+      _LT_TAGVAR(no_undefined_flag, $1)='$wl-z,text'
+      _LT_TAGVAR(archive_cmds_need_lc, $1)=no
+      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+      runpath_var='LD_RUN_PATH'
+
+      case $cc_basename in
+        CC*)
+	  _LT_TAGVAR(archive_cmds, $1)='$CC -G $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	  _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G $wl-Bexport:$export_symbols $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	*)
+	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	  _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $wl-Bexport:$export_symbols $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+      esac
+      ;;
+
+      sysv5* | sco3.2v5* | sco5v6*)
+	# Note: We CANNOT use -z defs as we might desire, because we do not
+	# link with -lc, and that would cause any symbols used from libc to
+	# always be unresolved, which means just about no library would
+	# ever link correctly.  If we're not using GNU ld we use -z text
+	# though, which does catch some bad symbols but isn't as heavy-handed
+	# as -z defs.
+	_LT_TAGVAR(no_undefined_flag, $1)='$wl-z,text'
+	_LT_TAGVAR(allow_undefined_flag, $1)='$wl-z,nodefs'
+	_LT_TAGVAR(archive_cmds_need_lc, $1)=no
+	_LT_TAGVAR(hardcode_shlibpath_var, $1)=no
+	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-R,$libdir'
+	_LT_TAGVAR(hardcode_libdir_separator, $1)=':'
+	_LT_TAGVAR(link_all_deplibs, $1)=yes
+	_LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl-Bexport'
+	runpath_var='LD_RUN_PATH'
+
+	case $cc_basename in
+          CC*)
+	    _LT_TAGVAR(archive_cmds, $1)='$CC -G $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	    _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G $wl-Bexport:$export_symbols $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	    _LT_TAGVAR(old_archive_cmds, $1)='$CC -Tprelink_objects $oldobjs~
+              '"$_LT_TAGVAR(old_archive_cmds, $1)"
+	    _LT_TAGVAR(reload_cmds, $1)='$CC -Tprelink_objects $reload_objs~
+              '"$_LT_TAGVAR(reload_cmds, $1)"
+	    ;;
+	  *)
+	    _LT_TAGVAR(archive_cmds, $1)='$CC -shared $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	    _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $wl-Bexport:$export_symbols $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	    ;;
+	esac
+      ;;
+
+      tandem*)
+        case $cc_basename in
+          NCC*)
+	    # NonStop-UX NCC 3.20
+	    # FIXME: insert proper C++ library support
+	    _LT_TAGVAR(ld_shlibs, $1)=no
+	    ;;
+          *)
+	    # FIXME: insert proper C++ library support
+	    _LT_TAGVAR(ld_shlibs, $1)=no
+	    ;;
+        esac
+        ;;
+
+      vxworks*)
+        # FIXME: insert proper C++ library support
+        _LT_TAGVAR(ld_shlibs, $1)=no
+        ;;
+
+      *)
+        # FIXME: insert proper C++ library support
+        _LT_TAGVAR(ld_shlibs, $1)=no
+        ;;
+    esac
+
+    AC_MSG_RESULT([$_LT_TAGVAR(ld_shlibs, $1)])
+    test no = "$_LT_TAGVAR(ld_shlibs, $1)" && can_build_shared=no
+
+    _LT_TAGVAR(GCC, $1)=$GXX
+    _LT_TAGVAR(LD, $1)=$LD
+
+    ## CAVEAT EMPTOR:
+    ## There is no encapsulation within the following macros, do not change
+    ## the running order or otherwise move them around unless you know exactly
+    ## what you are doing...
+    _LT_SYS_HIDDEN_LIBDEPS($1)
+    _LT_COMPILER_PIC($1)
+    _LT_COMPILER_C_O($1)
+    _LT_COMPILER_FILE_LOCKS($1)
+    _LT_LINKER_SHLIBS($1)
+    _LT_SYS_DYNAMIC_LINKER($1)
+    _LT_LINKER_HARDCODE_LIBPATH($1)
+
+    _LT_CONFIG($1)
+  fi # test -n "$compiler"
+
+  CC=$lt_save_CC
+  CFLAGS=$lt_save_CFLAGS
+  LDCXX=$LD
+  LD=$lt_save_LD
+  GCC=$lt_save_GCC
+  with_gnu_ld=$lt_save_with_gnu_ld
+  lt_cv_path_LDCXX=$lt_cv_path_LD
+  lt_cv_path_LD=$lt_save_path_LD
+  lt_cv_prog_gnu_ldcxx=$lt_cv_prog_gnu_ld
+  lt_cv_prog_gnu_ld=$lt_save_with_gnu_ld
+fi # test yes != "$_lt_caught_CXX_error"
+
+AC_LANG_POP
+])# _LT_LANG_CXX_CONFIG
+
+
+# _LT_FUNC_STRIPNAME_CNF
+# ----------------------
+# func_stripname_cnf prefix suffix name
+# strip PREFIX and SUFFIX off of NAME.
+# PREFIX and SUFFIX must not contain globbing or regex special
+# characters, hashes, percent signs, but SUFFIX may contain a leading
+# dot (in which case that matches only a dot).
+#
+# This function is identical to the (non-XSI) version of func_stripname,
+# except this one can be used by m4 code that may be executed by configure,
+# rather than the libtool script.
+m4_defun([_LT_FUNC_STRIPNAME_CNF],[dnl
+AC_REQUIRE([_LT_DECL_SED])
+AC_REQUIRE([_LT_PROG_ECHO_BACKSLASH])
+func_stripname_cnf ()
+{
+  case @S|@2 in
+  .*) func_stripname_result=`$ECHO "@S|@3" | $SED "s%^@S|@1%%; s%\\\\@S|@2\$%%"`;;
+  *)  func_stripname_result=`$ECHO "@S|@3" | $SED "s%^@S|@1%%; s%@S|@2\$%%"`;;
+  esac
+} # func_stripname_cnf
+])# _LT_FUNC_STRIPNAME_CNF
+
+
+# _LT_SYS_HIDDEN_LIBDEPS([TAGNAME])
+# ---------------------------------
+# Figure out "hidden" library dependencies from verbose
+# compiler output when linking a shared library.
+# Parse the compiler output and extract the necessary
+# objects, libraries and library flags.
+m4_defun([_LT_SYS_HIDDEN_LIBDEPS],
+[m4_require([_LT_FILEUTILS_DEFAULTS])dnl
+AC_REQUIRE([_LT_FUNC_STRIPNAME_CNF])dnl
+# Dependencies to place before and after the object being linked:
+_LT_TAGVAR(predep_objects, $1)=
+_LT_TAGVAR(postdep_objects, $1)=
+_LT_TAGVAR(predeps, $1)=
+_LT_TAGVAR(postdeps, $1)=
+_LT_TAGVAR(compiler_lib_search_path, $1)=
+
+dnl we can't use the lt_simple_compile_test_code here,
+dnl because it contains code intended for an executable,
+dnl not a library.  It's possible we should let each
+dnl tag define a new lt_????_link_test_code variable,
+dnl but it's only used here...
+m4_if([$1], [], [cat > conftest.$ac_ext <<_LT_EOF
+int a;
+void foo (void) { a = 0; }
+_LT_EOF
+], [$1], [CXX], [cat > conftest.$ac_ext <<_LT_EOF
+class Foo
+{
+public:
+  Foo (void) { a = 0; }
+private:
+  int a;
+};
+_LT_EOF
+], [$1], [F77], [cat > conftest.$ac_ext <<_LT_EOF
+      subroutine foo
+      implicit none
+      integer*4 a
+      a=0
+      return
+      end
+_LT_EOF
+], [$1], [FC], [cat > conftest.$ac_ext <<_LT_EOF
+      subroutine foo
+      implicit none
+      integer a
+      a=0
+      return
+      end
+_LT_EOF
+], [$1], [GCJ], [cat > conftest.$ac_ext <<_LT_EOF
+public class foo {
+  private int a;
+  public void bar (void) {
+    a = 0;
+  }
+};
+_LT_EOF
+], [$1], [GO], [cat > conftest.$ac_ext <<_LT_EOF
+package foo
+func foo() {
+}
+_LT_EOF
+])
+
+_lt_libdeps_save_CFLAGS=$CFLAGS
+case "$CC $CFLAGS " in #(
+*\ -flto*\ *) CFLAGS="$CFLAGS -fno-lto" ;;
+*\ -fwhopr*\ *) CFLAGS="$CFLAGS -fno-whopr" ;;
+*\ -fuse-linker-plugin*\ *) CFLAGS="$CFLAGS -fno-use-linker-plugin" ;;
+esac
+
+dnl Parse the compiler output and extract the necessary
+dnl objects, libraries and library flags.
+if AC_TRY_EVAL(ac_compile); then
+  # Parse the compiler output and extract the necessary
+  # objects, libraries and library flags.
+
+  # Sentinel used to keep track of whether or not we are before
+  # the conftest object file.
+  pre_test_object_deps_done=no
+
+  for p in `eval "$output_verbose_link_cmd"`; do
+    case $prev$p in
+
+    -L* | -R* | -l*)
+       # Some compilers place space between "-{L,R}" and the path.
+       # Remove the space.
+       if test x-L = "$p" ||
+          test x-R = "$p"; then
+	 prev=$p
+	 continue
+       fi
+
+       # Expand the sysroot to ease extracting the directories later.
+       if test -z "$prev"; then
+         case $p in
+         -L*) func_stripname_cnf '-L' '' "$p"; prev=-L; p=$func_stripname_result ;;
+         -R*) func_stripname_cnf '-R' '' "$p"; prev=-R; p=$func_stripname_result ;;
+         -l*) func_stripname_cnf '-l' '' "$p"; prev=-l; p=$func_stripname_result ;;
+         esac
+       fi
+       case $p in
+       =*) func_stripname_cnf '=' '' "$p"; p=$lt_sysroot$func_stripname_result ;;
+       esac
+       if test no = "$pre_test_object_deps_done"; then
+	 case $prev in
+	 -L | -R)
+	   # Internal compiler library paths should come after those
+	   # provided the user.  The postdeps already come after the
+	   # user supplied libs so there is no need to process them.
+	   if test -z "$_LT_TAGVAR(compiler_lib_search_path, $1)"; then
+	     _LT_TAGVAR(compiler_lib_search_path, $1)=$prev$p
+	   else
+	     _LT_TAGVAR(compiler_lib_search_path, $1)="${_LT_TAGVAR(compiler_lib_search_path, $1)} $prev$p"
+	   fi
+	   ;;
+	 # The "-l" case would never come before the object being
+	 # linked, so don't bother handling this case.
+	 esac
+       else
+	 if test -z "$_LT_TAGVAR(postdeps, $1)"; then
+	   _LT_TAGVAR(postdeps, $1)=$prev$p
+	 else
+	   _LT_TAGVAR(postdeps, $1)="${_LT_TAGVAR(postdeps, $1)} $prev$p"
+	 fi
+       fi
+       prev=
+       ;;
+
+    *.lto.$objext) ;; # Ignore GCC LTO objects
+    *.$objext)
+       # This assumes that the test object file only shows up
+       # once in the compiler output.
+       if test "$p" = "conftest.$objext"; then
+	 pre_test_object_deps_done=yes
+	 continue
+       fi
+
+       if test no = "$pre_test_object_deps_done"; then
+	 if test -z "$_LT_TAGVAR(predep_objects, $1)"; then
+	   _LT_TAGVAR(predep_objects, $1)=$p
+	 else
+	   _LT_TAGVAR(predep_objects, $1)="$_LT_TAGVAR(predep_objects, $1) $p"
+	 fi
+       else
+	 if test -z "$_LT_TAGVAR(postdep_objects, $1)"; then
+	   _LT_TAGVAR(postdep_objects, $1)=$p
+	 else
+	   _LT_TAGVAR(postdep_objects, $1)="$_LT_TAGVAR(postdep_objects, $1) $p"
+	 fi
+       fi
+       ;;
+
+    *) ;; # Ignore the rest.
+
+    esac
+  done
+
+  # Clean up.
+  rm -f a.out a.exe
+else
+  echo "libtool.m4: error: problem compiling $1 test program"
+fi
+
+$RM -f confest.$objext
+CFLAGS=$_lt_libdeps_save_CFLAGS
+
+# PORTME: override above test on systems where it is broken
+m4_if([$1], [CXX],
+[case $host_os in
+interix[[3-9]]*)
+  # Interix 3.5 installs completely hosed .la files for C++, so rather than
+  # hack all around it, let's just trust "g++" to DTRT.
+  _LT_TAGVAR(predep_objects,$1)=
+  _LT_TAGVAR(postdep_objects,$1)=
+  _LT_TAGVAR(postdeps,$1)=
+  ;;
+esac
+])
+
+case " $_LT_TAGVAR(postdeps, $1) " in
+*" -lc "*) _LT_TAGVAR(archive_cmds_need_lc, $1)=no ;;
+esac
+ _LT_TAGVAR(compiler_lib_search_dirs, $1)=
+if test -n "${_LT_TAGVAR(compiler_lib_search_path, $1)}"; then
+ _LT_TAGVAR(compiler_lib_search_dirs, $1)=`echo " ${_LT_TAGVAR(compiler_lib_search_path, $1)}" | $SED -e 's! -L! !g' -e 's!^ !!'`
+fi
+_LT_TAGDECL([], [compiler_lib_search_dirs], [1],
+    [The directories searched by this compiler when creating a shared library])
+_LT_TAGDECL([], [predep_objects], [1],
+    [Dependencies to place before and after the objects being linked to
+    create a shared library])
+_LT_TAGDECL([], [postdep_objects], [1])
+_LT_TAGDECL([], [predeps], [1])
+_LT_TAGDECL([], [postdeps], [1])
+_LT_TAGDECL([], [compiler_lib_search_path], [1],
+    [The library search path used internally by the compiler when linking
+    a shared library])
+])# _LT_SYS_HIDDEN_LIBDEPS
+
+
+# _LT_LANG_F77_CONFIG([TAG])
+# --------------------------
+# Ensure that the configuration variables for a Fortran 77 compiler are
+# suitably defined.  These variables are subsequently used by _LT_CONFIG
+# to write the compiler configuration to 'libtool'.
+m4_defun([_LT_LANG_F77_CONFIG],
+[AC_LANG_PUSH(Fortran 77)
+if test -z "$F77" || test no = "$F77"; then
+  _lt_disable_F77=yes
+fi
+
+_LT_TAGVAR(archive_cmds_need_lc, $1)=no
+_LT_TAGVAR(allow_undefined_flag, $1)=
+_LT_TAGVAR(always_export_symbols, $1)=no
+_LT_TAGVAR(archive_expsym_cmds, $1)=
+_LT_TAGVAR(export_dynamic_flag_spec, $1)=
+_LT_TAGVAR(hardcode_direct, $1)=no
+_LT_TAGVAR(hardcode_direct_absolute, $1)=no
+_LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
+_LT_TAGVAR(hardcode_libdir_separator, $1)=
+_LT_TAGVAR(hardcode_minus_L, $1)=no
+_LT_TAGVAR(hardcode_automatic, $1)=no
+_LT_TAGVAR(inherit_rpath, $1)=no
+_LT_TAGVAR(module_cmds, $1)=
+_LT_TAGVAR(module_expsym_cmds, $1)=
+_LT_TAGVAR(link_all_deplibs, $1)=unknown
+_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
+_LT_TAGVAR(reload_flag, $1)=$reload_flag
+_LT_TAGVAR(reload_cmds, $1)=$reload_cmds
+_LT_TAGVAR(no_undefined_flag, $1)=
+_LT_TAGVAR(whole_archive_flag_spec, $1)=
+_LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no
+
+# Source file extension for f77 test sources.
+ac_ext=f
+
+# Object file extension for compiled f77 test sources.
+objext=o
+_LT_TAGVAR(objext, $1)=$objext
+
+# No sense in running all these tests if we already determined that
+# the F77 compiler isn't working.  Some variables (like enable_shared)
+# are currently assumed to apply to all compilers on this platform,
+# and will be corrupted by setting them based on a non-working compiler.
+if test yes != "$_lt_disable_F77"; then
+  # Code to be used in simple compile tests
+  lt_simple_compile_test_code="\
+      subroutine t
+      return
+      end
+"
+
+  # Code to be used in simple link tests
+  lt_simple_link_test_code="\
+      program t
+      end
+"
+
+  # ltmain only uses $CC for tagged configurations so make sure $CC is set.
+  _LT_TAG_COMPILER
+
+  # save warnings/boilerplate of simple test code
+  _LT_COMPILER_BOILERPLATE
+  _LT_LINKER_BOILERPLATE
+
+  # Allow CC to be a program name with arguments.
+  lt_save_CC=$CC
+  lt_save_GCC=$GCC
+  lt_save_CFLAGS=$CFLAGS
+  CC=${F77-"f77"}
+  CFLAGS=$FFLAGS
+  compiler=$CC
+  _LT_TAGVAR(compiler, $1)=$CC
+  _LT_CC_BASENAME([$compiler])
+  GCC=$G77
+  if test -n "$compiler"; then
+    AC_MSG_CHECKING([if libtool supports shared libraries])
+    AC_MSG_RESULT([$can_build_shared])
+
+    AC_MSG_CHECKING([whether to build shared libraries])
+    test no = "$can_build_shared" && enable_shared=no
+
+    # On AIX, shared libraries and static libraries use the same namespace, and
+    # are all built from PIC.
+    case $host_os in
+      aix3*)
+        test yes = "$enable_shared" && enable_static=no
+        if test -n "$RANLIB"; then
+          archive_cmds="$archive_cmds~\$RANLIB \$lib"
+          postinstall_cmds='$RANLIB $lib'
+        fi
+        ;;
+      aix[[4-9]]*)
+	if test ia64 != "$host_cpu"; then
+	  case $enable_shared,$with_aix_soname,$aix_use_runtimelinking in
+	  yes,aix,yes) ;;		# shared object as lib.so file only
+	  yes,svr4,*) ;;		# shared object as lib.so archive member only
+	  yes,*) enable_static=no ;;	# shared object in lib.a archive as well
+	  esac
+	fi
+        ;;
+    esac
+    AC_MSG_RESULT([$enable_shared])
+
+    AC_MSG_CHECKING([whether to build static libraries])
+    # Make sure either enable_shared or enable_static is yes.
+    test yes = "$enable_shared" || enable_static=yes
+    AC_MSG_RESULT([$enable_static])
+
+    _LT_TAGVAR(GCC, $1)=$G77
+    _LT_TAGVAR(LD, $1)=$LD
+
+    ## CAVEAT EMPTOR:
+    ## There is no encapsulation within the following macros, do not change
+    ## the running order or otherwise move them around unless you know exactly
+    ## what you are doing...
+    _LT_COMPILER_PIC($1)
+    _LT_COMPILER_C_O($1)
+    _LT_COMPILER_FILE_LOCKS($1)
+    _LT_LINKER_SHLIBS($1)
+    _LT_SYS_DYNAMIC_LINKER($1)
+    _LT_LINKER_HARDCODE_LIBPATH($1)
+
+    _LT_CONFIG($1)
+  fi # test -n "$compiler"
+
+  GCC=$lt_save_GCC
+  CC=$lt_save_CC
+  CFLAGS=$lt_save_CFLAGS
+fi # test yes != "$_lt_disable_F77"
+
+AC_LANG_POP
+])# _LT_LANG_F77_CONFIG
+
+
+# _LT_LANG_FC_CONFIG([TAG])
+# -------------------------
+# Ensure that the configuration variables for a Fortran compiler are
+# suitably defined.  These variables are subsequently used by _LT_CONFIG
+# to write the compiler configuration to 'libtool'.
+m4_defun([_LT_LANG_FC_CONFIG],
+[AC_LANG_PUSH(Fortran)
+
+if test -z "$FC" || test no = "$FC"; then
+  _lt_disable_FC=yes
+fi
+
+_LT_TAGVAR(archive_cmds_need_lc, $1)=no
+_LT_TAGVAR(allow_undefined_flag, $1)=
+_LT_TAGVAR(always_export_symbols, $1)=no
+_LT_TAGVAR(archive_expsym_cmds, $1)=
+_LT_TAGVAR(export_dynamic_flag_spec, $1)=
+_LT_TAGVAR(hardcode_direct, $1)=no
+_LT_TAGVAR(hardcode_direct_absolute, $1)=no
+_LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
+_LT_TAGVAR(hardcode_libdir_separator, $1)=
+_LT_TAGVAR(hardcode_minus_L, $1)=no
+_LT_TAGVAR(hardcode_automatic, $1)=no
+_LT_TAGVAR(inherit_rpath, $1)=no
+_LT_TAGVAR(module_cmds, $1)=
+_LT_TAGVAR(module_expsym_cmds, $1)=
+_LT_TAGVAR(link_all_deplibs, $1)=unknown
+_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
+_LT_TAGVAR(reload_flag, $1)=$reload_flag
+_LT_TAGVAR(reload_cmds, $1)=$reload_cmds
+_LT_TAGVAR(no_undefined_flag, $1)=
+_LT_TAGVAR(whole_archive_flag_spec, $1)=
+_LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no
+
+# Source file extension for fc test sources.
+ac_ext=${ac_fc_srcext-f}
+
+# Object file extension for compiled fc test sources.
+objext=o
+_LT_TAGVAR(objext, $1)=$objext
+
+# No sense in running all these tests if we already determined that
+# the FC compiler isn't working.  Some variables (like enable_shared)
+# are currently assumed to apply to all compilers on this platform,
+# and will be corrupted by setting them based on a non-working compiler.
+if test yes != "$_lt_disable_FC"; then
+  # Code to be used in simple compile tests
+  lt_simple_compile_test_code="\
+      subroutine t
+      return
+      end
+"
+
+  # Code to be used in simple link tests
+  lt_simple_link_test_code="\
+      program t
+      end
+"
+
+  # ltmain only uses $CC for tagged configurations so make sure $CC is set.
+  _LT_TAG_COMPILER
+
+  # save warnings/boilerplate of simple test code
+  _LT_COMPILER_BOILERPLATE
+  _LT_LINKER_BOILERPLATE
+
+  # Allow CC to be a program name with arguments.
+  lt_save_CC=$CC
+  lt_save_GCC=$GCC
+  lt_save_CFLAGS=$CFLAGS
+  CC=${FC-"f95"}
+  CFLAGS=$FCFLAGS
+  compiler=$CC
+  GCC=$ac_cv_fc_compiler_gnu
+
+  _LT_TAGVAR(compiler, $1)=$CC
+  _LT_CC_BASENAME([$compiler])
+
+  if test -n "$compiler"; then
+    AC_MSG_CHECKING([if libtool supports shared libraries])
+    AC_MSG_RESULT([$can_build_shared])
+
+    AC_MSG_CHECKING([whether to build shared libraries])
+    test no = "$can_build_shared" && enable_shared=no
+
+    # On AIX, shared libraries and static libraries use the same namespace, and
+    # are all built from PIC.
+    case $host_os in
+      aix3*)
+        test yes = "$enable_shared" && enable_static=no
+        if test -n "$RANLIB"; then
+          archive_cmds="$archive_cmds~\$RANLIB \$lib"
+          postinstall_cmds='$RANLIB $lib'
+        fi
+        ;;
+      aix[[4-9]]*)
+	if test ia64 != "$host_cpu"; then
+	  case $enable_shared,$with_aix_soname,$aix_use_runtimelinking in
+	  yes,aix,yes) ;;		# shared object as lib.so file only
+	  yes,svr4,*) ;;		# shared object as lib.so archive member only
+	  yes,*) enable_static=no ;;	# shared object in lib.a archive as well
+	  esac
+	fi
+        ;;
+    esac
+    AC_MSG_RESULT([$enable_shared])
+
+    AC_MSG_CHECKING([whether to build static libraries])
+    # Make sure either enable_shared or enable_static is yes.
+    test yes = "$enable_shared" || enable_static=yes
+    AC_MSG_RESULT([$enable_static])
+
+    _LT_TAGVAR(GCC, $1)=$ac_cv_fc_compiler_gnu
+    _LT_TAGVAR(LD, $1)=$LD
+
+    ## CAVEAT EMPTOR:
+    ## There is no encapsulation within the following macros, do not change
+    ## the running order or otherwise move them around unless you know exactly
+    ## what you are doing...
+    _LT_SYS_HIDDEN_LIBDEPS($1)
+    _LT_COMPILER_PIC($1)
+    _LT_COMPILER_C_O($1)
+    _LT_COMPILER_FILE_LOCKS($1)
+    _LT_LINKER_SHLIBS($1)
+    _LT_SYS_DYNAMIC_LINKER($1)
+    _LT_LINKER_HARDCODE_LIBPATH($1)
+
+    _LT_CONFIG($1)
+  fi # test -n "$compiler"
+
+  GCC=$lt_save_GCC
+  CC=$lt_save_CC
+  CFLAGS=$lt_save_CFLAGS
+fi # test yes != "$_lt_disable_FC"
+
+AC_LANG_POP
+])# _LT_LANG_FC_CONFIG
+
+
+# _LT_LANG_GCJ_CONFIG([TAG])
+# --------------------------
+# Ensure that the configuration variables for the GNU Java Compiler compiler
+# are suitably defined.  These variables are subsequently used by _LT_CONFIG
+# to write the compiler configuration to 'libtool'.
+m4_defun([_LT_LANG_GCJ_CONFIG],
+[AC_REQUIRE([LT_PROG_GCJ])dnl
+AC_LANG_SAVE
+
+# Source file extension for Java test sources.
+ac_ext=java
+
+# Object file extension for compiled Java test sources.
+objext=o
+_LT_TAGVAR(objext, $1)=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code="class foo {}"
+
+# Code to be used in simple link tests
+lt_simple_link_test_code='public class conftest { public static void main(String[[]] argv) {}; }'
+
+# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+_LT_TAG_COMPILER
+
+# save warnings/boilerplate of simple test code
+_LT_COMPILER_BOILERPLATE
+_LT_LINKER_BOILERPLATE
+
+# Allow CC to be a program name with arguments.
+lt_save_CC=$CC
+lt_save_CFLAGS=$CFLAGS
+lt_save_GCC=$GCC
+GCC=yes
+CC=${GCJ-"gcj"}
+CFLAGS=$GCJFLAGS
+compiler=$CC
+_LT_TAGVAR(compiler, $1)=$CC
+_LT_TAGVAR(LD, $1)=$LD
+_LT_CC_BASENAME([$compiler])
+
+# GCJ did not exist at the time GCC didn't implicitly link libc in.
+_LT_TAGVAR(archive_cmds_need_lc, $1)=no
+
+_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
+_LT_TAGVAR(reload_flag, $1)=$reload_flag
+_LT_TAGVAR(reload_cmds, $1)=$reload_cmds
+
+## CAVEAT EMPTOR:
+## There is no encapsulation within the following macros, do not change
+## the running order or otherwise move them around unless you know exactly
+## what you are doing...
+if test -n "$compiler"; then
+  _LT_COMPILER_NO_RTTI($1)
+  _LT_COMPILER_PIC($1)
+  _LT_COMPILER_C_O($1)
+  _LT_COMPILER_FILE_LOCKS($1)
+  _LT_LINKER_SHLIBS($1)
+  _LT_LINKER_HARDCODE_LIBPATH($1)
+
+  _LT_CONFIG($1)
+fi
+
+AC_LANG_RESTORE
+
+GCC=$lt_save_GCC
+CC=$lt_save_CC
+CFLAGS=$lt_save_CFLAGS
+])# _LT_LANG_GCJ_CONFIG
+
+
+# _LT_LANG_GO_CONFIG([TAG])
+# --------------------------
+# Ensure that the configuration variables for the GNU Go compiler
+# are suitably defined.  These variables are subsequently used by _LT_CONFIG
+# to write the compiler configuration to 'libtool'.
+m4_defun([_LT_LANG_GO_CONFIG],
+[AC_REQUIRE([LT_PROG_GO])dnl
+AC_LANG_SAVE
+
+# Source file extension for Go test sources.
+ac_ext=go
+
+# Object file extension for compiled Go test sources.
+objext=o
+_LT_TAGVAR(objext, $1)=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code="package main; func main() { }"
+
+# Code to be used in simple link tests
+lt_simple_link_test_code='package main; func main() { }'
+
+# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+_LT_TAG_COMPILER
+
+# save warnings/boilerplate of simple test code
+_LT_COMPILER_BOILERPLATE
+_LT_LINKER_BOILERPLATE
+
+# Allow CC to be a program name with arguments.
+lt_save_CC=$CC
+lt_save_CFLAGS=$CFLAGS
+lt_save_GCC=$GCC
+GCC=yes
+CC=${GOC-"gccgo"}
+CFLAGS=$GOFLAGS
+compiler=$CC
+_LT_TAGVAR(compiler, $1)=$CC
+_LT_TAGVAR(LD, $1)=$LD
+_LT_CC_BASENAME([$compiler])
+
+# Go did not exist at the time GCC didn't implicitly link libc in.
+_LT_TAGVAR(archive_cmds_need_lc, $1)=no
+
+_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
+_LT_TAGVAR(reload_flag, $1)=$reload_flag
+_LT_TAGVAR(reload_cmds, $1)=$reload_cmds
+
+## CAVEAT EMPTOR:
+## There is no encapsulation within the following macros, do not change
+## the running order or otherwise move them around unless you know exactly
+## what you are doing...
+if test -n "$compiler"; then
+  _LT_COMPILER_NO_RTTI($1)
+  _LT_COMPILER_PIC($1)
+  _LT_COMPILER_C_O($1)
+  _LT_COMPILER_FILE_LOCKS($1)
+  _LT_LINKER_SHLIBS($1)
+  _LT_LINKER_HARDCODE_LIBPATH($1)
+
+  _LT_CONFIG($1)
+fi
+
+AC_LANG_RESTORE
+
+GCC=$lt_save_GCC
+CC=$lt_save_CC
+CFLAGS=$lt_save_CFLAGS
+])# _LT_LANG_GO_CONFIG
+
+
+# _LT_LANG_RC_CONFIG([TAG])
+# -------------------------
+# Ensure that the configuration variables for the Windows resource compiler
+# are suitably defined.  These variables are subsequently used by _LT_CONFIG
+# to write the compiler configuration to 'libtool'.
+m4_defun([_LT_LANG_RC_CONFIG],
+[AC_REQUIRE([LT_PROG_RC])dnl
+AC_LANG_SAVE
+
+# Source file extension for RC test sources.
+ac_ext=rc
+
+# Object file extension for compiled RC test sources.
+objext=o
+_LT_TAGVAR(objext, $1)=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code='sample MENU { MENUITEM "&Soup", 100, CHECKED }'
+
+# Code to be used in simple link tests
+lt_simple_link_test_code=$lt_simple_compile_test_code
+
+# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+_LT_TAG_COMPILER
+
+# save warnings/boilerplate of simple test code
+_LT_COMPILER_BOILERPLATE
+_LT_LINKER_BOILERPLATE
+
+# Allow CC to be a program name with arguments.
+lt_save_CC=$CC
+lt_save_CFLAGS=$CFLAGS
+lt_save_GCC=$GCC
+GCC=
+CC=${RC-"windres"}
+CFLAGS=
+compiler=$CC
+_LT_TAGVAR(compiler, $1)=$CC
+_LT_CC_BASENAME([$compiler])
+_LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)=yes
+
+if test -n "$compiler"; then
+  :
+  _LT_CONFIG($1)
+fi
+
+GCC=$lt_save_GCC
+AC_LANG_RESTORE
+CC=$lt_save_CC
+CFLAGS=$lt_save_CFLAGS
+])# _LT_LANG_RC_CONFIG
+
+
+# LT_PROG_GCJ
+# -----------
+AC_DEFUN([LT_PROG_GCJ],
+[m4_ifdef([AC_PROG_GCJ], [AC_PROG_GCJ],
+  [m4_ifdef([A][M_PROG_GCJ], [A][M_PROG_GCJ],
+    [AC_CHECK_TOOL(GCJ, gcj,)
+      test set = "${GCJFLAGS+set}" || GCJFLAGS="-g -O2"
+      AC_SUBST(GCJFLAGS)])])[]dnl
+])
+
+# Old name:
+AU_ALIAS([LT_AC_PROG_GCJ], [LT_PROG_GCJ])
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([LT_AC_PROG_GCJ], [])
+
+
+# LT_PROG_GO
+# ----------
+AC_DEFUN([LT_PROG_GO],
+[AC_CHECK_TOOL(GOC, gccgo,)
+])
+
+
+# LT_PROG_RC
+# ----------
+AC_DEFUN([LT_PROG_RC],
+[AC_CHECK_TOOL(RC, windres,)
+])
+
+# Old name:
+AU_ALIAS([LT_AC_PROG_RC], [LT_PROG_RC])
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([LT_AC_PROG_RC], [])
+
+
+# _LT_DECL_EGREP
+# --------------
+# If we don't have a new enough Autoconf to choose the best grep
+# available, choose the one first in the user's PATH.
+m4_defun([_LT_DECL_EGREP],
+[AC_REQUIRE([AC_PROG_EGREP])dnl
+AC_REQUIRE([AC_PROG_FGREP])dnl
+test -z "$GREP" && GREP=grep
+_LT_DECL([], [GREP], [1], [A grep program that handles long lines])
+_LT_DECL([], [EGREP], [1], [An ERE matcher])
+_LT_DECL([], [FGREP], [1], [A literal string matcher])
+dnl Non-bleeding-edge autoconf doesn't subst GREP, so do it here too
+AC_SUBST([GREP])
+])
+
+
+# _LT_DECL_OBJDUMP
+# --------------
+# If we don't have a new enough Autoconf to choose the best objdump
+# available, choose the one first in the user's PATH.
+m4_defun([_LT_DECL_OBJDUMP],
+[AC_CHECK_TOOL(OBJDUMP, objdump, false)
+test -z "$OBJDUMP" && OBJDUMP=objdump
+_LT_DECL([], [OBJDUMP], [1], [An object symbol dumper])
+AC_SUBST([OBJDUMP])
+])
+
+# _LT_DECL_DLLTOOL
+# ----------------
+# Ensure DLLTOOL variable is set.
+m4_defun([_LT_DECL_DLLTOOL],
+[AC_CHECK_TOOL(DLLTOOL, dlltool, false)
+test -z "$DLLTOOL" && DLLTOOL=dlltool
+_LT_DECL([], [DLLTOOL], [1], [DLL creation program])
+AC_SUBST([DLLTOOL])
+])
+
+# _LT_DECL_SED
+# ------------
+# Check for a fully-functional sed program, that truncates
+# as few characters as possible.  Prefer GNU sed if found.
+m4_defun([_LT_DECL_SED],
+[AC_PROG_SED
+test -z "$SED" && SED=sed
+Xsed="$SED -e 1s/^X//"
+_LT_DECL([], [SED], [1], [A sed program that does not truncate output])
+_LT_DECL([], [Xsed], ["\$SED -e 1s/^X//"],
+    [Sed that helps us avoid accidentally triggering echo(1) options like -n])
+])# _LT_DECL_SED
+
+m4_ifndef([AC_PROG_SED], [
+############################################################
+# NOTE: This macro has been submitted for inclusion into   #
+#  GNU Autoconf as AC_PROG_SED.  When it is available in   #
+#  a released version of Autoconf we should remove this    #
+#  macro and use it instead.                               #
+############################################################
+
+m4_defun([AC_PROG_SED],
+[AC_MSG_CHECKING([for a sed that does not truncate output])
+AC_CACHE_VAL(lt_cv_path_SED,
+[# Loop through the user's path and test for sed and gsed.
+# Then use that list of sed's as ones to test for truncation.
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for lt_ac_prog in sed gsed; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
+      if $as_executable_p "$as_dir/$lt_ac_prog$ac_exec_ext"; then
+        lt_ac_sed_list="$lt_ac_sed_list $as_dir/$lt_ac_prog$ac_exec_ext"
+      fi
+    done
+  done
+done
+IFS=$as_save_IFS
+lt_ac_max=0
+lt_ac_count=0
+# Add /usr/xpg4/bin/sed as it is typically found on Solaris
+# along with /bin/sed that truncates output.
+for lt_ac_sed in $lt_ac_sed_list /usr/xpg4/bin/sed; do
+  test ! -f "$lt_ac_sed" && continue
+  cat /dev/null > conftest.in
+  lt_ac_count=0
+  echo $ECHO_N "0123456789$ECHO_C" >conftest.in
+  # Check for GNU sed and select it if it is found.
+  if "$lt_ac_sed" --version 2>&1 < /dev/null | grep 'GNU' > /dev/null; then
+    lt_cv_path_SED=$lt_ac_sed
+    break
+  fi
+  while true; do
+    cat conftest.in conftest.in >conftest.tmp
+    mv conftest.tmp conftest.in
+    cp conftest.in conftest.nl
+    echo >>conftest.nl
+    $lt_ac_sed -e 's/a$//' < conftest.nl >conftest.out || break
+    cmp -s conftest.out conftest.nl || break
+    # 10000 chars as input seems more than enough
+    test 10 -lt "$lt_ac_count" && break
+    lt_ac_count=`expr $lt_ac_count + 1`
+    if test "$lt_ac_count" -gt "$lt_ac_max"; then
+      lt_ac_max=$lt_ac_count
+      lt_cv_path_SED=$lt_ac_sed
+    fi
+  done
+done
+])
+SED=$lt_cv_path_SED
+AC_SUBST([SED])
+AC_MSG_RESULT([$SED])
+])#AC_PROG_SED
+])#m4_ifndef
+
+# Old name:
+AU_ALIAS([LT_AC_PROG_SED], [AC_PROG_SED])
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([LT_AC_PROG_SED], [])
+
+
+# _LT_CHECK_SHELL_FEATURES
+# ------------------------
+# Find out whether the shell is Bourne or XSI compatible,
+# or has some other useful features.
+m4_defun([_LT_CHECK_SHELL_FEATURES],
+[if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
+  lt_unset=unset
+else
+  lt_unset=false
+fi
+_LT_DECL([], [lt_unset], [0], [whether the shell understands "unset"])dnl
+
+# test EBCDIC or ASCII
+case `echo X|tr X '\101'` in
+ A) # ASCII based system
+    # \n is not interpreted correctly by Solaris 8 /usr/ucb/tr
+  lt_SP2NL='tr \040 \012'
+  lt_NL2SP='tr \015\012 \040\040'
+  ;;
+ *) # EBCDIC based system
+  lt_SP2NL='tr \100 \n'
+  lt_NL2SP='tr \r\n \100\100'
+  ;;
+esac
+_LT_DECL([SP2NL], [lt_SP2NL], [1], [turn spaces into newlines])dnl
+_LT_DECL([NL2SP], [lt_NL2SP], [1], [turn newlines into spaces])dnl
+])# _LT_CHECK_SHELL_FEATURES
+
+
+# _LT_PATH_CONVERSION_FUNCTIONS
+# -----------------------------
+# Determine what file name conversion functions should be used by
+# func_to_host_file (and, implicitly, by func_to_host_path).  These are needed
+# for certain cross-compile configurations and native mingw.
+m4_defun([_LT_PATH_CONVERSION_FUNCTIONS],
+[AC_REQUIRE([AC_CANONICAL_HOST])dnl
+AC_REQUIRE([AC_CANONICAL_BUILD])dnl
+AC_MSG_CHECKING([how to convert $build file names to $host format])
+AC_CACHE_VAL(lt_cv_to_host_file_cmd,
+[case $host in
+  *-*-mingw* )
+    case $build in
+      *-*-mingw* ) # actually msys
+        lt_cv_to_host_file_cmd=func_convert_file_msys_to_w32
+        ;;
+      *-*-cygwin* )
+        lt_cv_to_host_file_cmd=func_convert_file_cygwin_to_w32
+        ;;
+      * ) # otherwise, assume *nix
+        lt_cv_to_host_file_cmd=func_convert_file_nix_to_w32
+        ;;
+    esac
+    ;;
+  *-*-cygwin* )
+    case $build in
+      *-*-mingw* ) # actually msys
+        lt_cv_to_host_file_cmd=func_convert_file_msys_to_cygwin
+        ;;
+      *-*-cygwin* )
+        lt_cv_to_host_file_cmd=func_convert_file_noop
+        ;;
+      * ) # otherwise, assume *nix
+        lt_cv_to_host_file_cmd=func_convert_file_nix_to_cygwin
+        ;;
+    esac
+    ;;
+  * ) # unhandled hosts (and "normal" native builds)
+    lt_cv_to_host_file_cmd=func_convert_file_noop
+    ;;
+esac
+])
+to_host_file_cmd=$lt_cv_to_host_file_cmd
+AC_MSG_RESULT([$lt_cv_to_host_file_cmd])
+_LT_DECL([to_host_file_cmd], [lt_cv_to_host_file_cmd],
+         [0], [convert $build file names to $host format])dnl
+
+AC_MSG_CHECKING([how to convert $build file names to toolchain format])
+AC_CACHE_VAL(lt_cv_to_tool_file_cmd,
+[#assume ordinary cross tools, or native build.
+lt_cv_to_tool_file_cmd=func_convert_file_noop
+case $host in
+  *-*-mingw* )
+    case $build in
+      *-*-mingw* ) # actually msys
+        lt_cv_to_tool_file_cmd=func_convert_file_msys_to_w32
+        ;;
+    esac
+    ;;
+esac
+])
+to_tool_file_cmd=$lt_cv_to_tool_file_cmd
+AC_MSG_RESULT([$lt_cv_to_tool_file_cmd])
+_LT_DECL([to_tool_file_cmd], [lt_cv_to_tool_file_cmd],
+         [0], [convert $build files to toolchain format])dnl
+])# _LT_PATH_CONVERSION_FUNCTIONS
diff --git a/m4/ltoptions.m4 b/m4/ltoptions.m4
new file mode 100644
index 0000000..94b0829
--- /dev/null
+++ b/m4/ltoptions.m4
@@ -0,0 +1,437 @@
+# Helper functions for option handling.                    -*- Autoconf -*-
+#
+#   Copyright (C) 2004-2005, 2007-2009, 2011-2015 Free Software
+#   Foundation, Inc.
+#   Written by Gary V. Vaughan, 2004
+#
+# This file is free software; the Free Software Foundation gives
+# unlimited permission to copy and/or distribute it, with or without
+# modifications, as long as this notice is preserved.
+
+# serial 8 ltoptions.m4
+
+# This is to help aclocal find these macros, as it can't see m4_define.
+AC_DEFUN([LTOPTIONS_VERSION], [m4_if([1])])
+
+
+# _LT_MANGLE_OPTION(MACRO-NAME, OPTION-NAME)
+# ------------------------------------------
+m4_define([_LT_MANGLE_OPTION],
+[[_LT_OPTION_]m4_bpatsubst($1__$2, [[^a-zA-Z0-9_]], [_])])
+
+
+# _LT_SET_OPTION(MACRO-NAME, OPTION-NAME)
+# ---------------------------------------
+# Set option OPTION-NAME for macro MACRO-NAME, and if there is a
+# matching handler defined, dispatch to it.  Other OPTION-NAMEs are
+# saved as a flag.
+m4_define([_LT_SET_OPTION],
+[m4_define(_LT_MANGLE_OPTION([$1], [$2]))dnl
+m4_ifdef(_LT_MANGLE_DEFUN([$1], [$2]),
+        _LT_MANGLE_DEFUN([$1], [$2]),
+    [m4_warning([Unknown $1 option '$2'])])[]dnl
+])
+
+
+# _LT_IF_OPTION(MACRO-NAME, OPTION-NAME, IF-SET, [IF-NOT-SET])
+# ------------------------------------------------------------
+# Execute IF-SET if OPTION is set, IF-NOT-SET otherwise.
+m4_define([_LT_IF_OPTION],
+[m4_ifdef(_LT_MANGLE_OPTION([$1], [$2]), [$3], [$4])])
+
+
+# _LT_UNLESS_OPTIONS(MACRO-NAME, OPTION-LIST, IF-NOT-SET)
+# -------------------------------------------------------
+# Execute IF-NOT-SET unless all options in OPTION-LIST for MACRO-NAME
+# are set.
+m4_define([_LT_UNLESS_OPTIONS],
+[m4_foreach([_LT_Option], m4_split(m4_normalize([$2])),
+	    [m4_ifdef(_LT_MANGLE_OPTION([$1], _LT_Option),
+		      [m4_define([$0_found])])])[]dnl
+m4_ifdef([$0_found], [m4_undefine([$0_found])], [$3
+])[]dnl
+])
+
+
+# _LT_SET_OPTIONS(MACRO-NAME, OPTION-LIST)
+# ----------------------------------------
+# OPTION-LIST is a space-separated list of Libtool options associated
+# with MACRO-NAME.  If any OPTION has a matching handler declared with
+# LT_OPTION_DEFINE, dispatch to that macro; otherwise complain about
+# the unknown option and exit.
+m4_defun([_LT_SET_OPTIONS],
+[# Set options
+m4_foreach([_LT_Option], m4_split(m4_normalize([$2])),
+    [_LT_SET_OPTION([$1], _LT_Option)])
+
+m4_if([$1],[LT_INIT],[
+  dnl
+  dnl Simply set some default values (i.e off) if boolean options were not
+  dnl specified:
+  _LT_UNLESS_OPTIONS([LT_INIT], [dlopen], [enable_dlopen=no
+  ])
+  _LT_UNLESS_OPTIONS([LT_INIT], [win32-dll], [enable_win32_dll=no
+  ])
+  dnl
+  dnl If no reference was made to various pairs of opposing options, then
+  dnl we run the default mode handler for the pair.  For example, if neither
+  dnl 'shared' nor 'disable-shared' was passed, we enable building of shared
+  dnl archives by default:
+  _LT_UNLESS_OPTIONS([LT_INIT], [shared disable-shared], [_LT_ENABLE_SHARED])
+  _LT_UNLESS_OPTIONS([LT_INIT], [static disable-static], [_LT_ENABLE_STATIC])
+  _LT_UNLESS_OPTIONS([LT_INIT], [pic-only no-pic], [_LT_WITH_PIC])
+  _LT_UNLESS_OPTIONS([LT_INIT], [fast-install disable-fast-install],
+		   [_LT_ENABLE_FAST_INSTALL])
+  _LT_UNLESS_OPTIONS([LT_INIT], [aix-soname=aix aix-soname=both aix-soname=svr4],
+		   [_LT_WITH_AIX_SONAME([aix])])
+  ])
+])# _LT_SET_OPTIONS
+
+
+## --------------------------------- ##
+## Macros to handle LT_INIT options. ##
+## --------------------------------- ##
+
+# _LT_MANGLE_DEFUN(MACRO-NAME, OPTION-NAME)
+# -----------------------------------------
+m4_define([_LT_MANGLE_DEFUN],
+[[_LT_OPTION_DEFUN_]m4_bpatsubst(m4_toupper([$1__$2]), [[^A-Z0-9_]], [_])])
+
+
+# LT_OPTION_DEFINE(MACRO-NAME, OPTION-NAME, CODE)
+# -----------------------------------------------
+m4_define([LT_OPTION_DEFINE],
+[m4_define(_LT_MANGLE_DEFUN([$1], [$2]), [$3])[]dnl
+])# LT_OPTION_DEFINE
+
+
+# dlopen
+# ------
+LT_OPTION_DEFINE([LT_INIT], [dlopen], [enable_dlopen=yes
+])
+
+AU_DEFUN([AC_LIBTOOL_DLOPEN],
+[_LT_SET_OPTION([LT_INIT], [dlopen])
+AC_DIAGNOSE([obsolete],
+[$0: Remove this warning and the call to _LT_SET_OPTION when you
+put the 'dlopen' option into LT_INIT's first parameter.])
+])
+
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AC_LIBTOOL_DLOPEN], [])
+
+
+# win32-dll
+# ---------
+# Declare package support for building win32 dll's.
+LT_OPTION_DEFINE([LT_INIT], [win32-dll],
+[enable_win32_dll=yes
+
+case $host in
+*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-cegcc*)
+  AC_CHECK_TOOL(AS, as, false)
+  AC_CHECK_TOOL(DLLTOOL, dlltool, false)
+  AC_CHECK_TOOL(OBJDUMP, objdump, false)
+  ;;
+esac
+
+test -z "$AS" && AS=as
+_LT_DECL([], [AS],      [1], [Assembler program])dnl
+
+test -z "$DLLTOOL" && DLLTOOL=dlltool
+_LT_DECL([], [DLLTOOL], [1], [DLL creation program])dnl
+
+test -z "$OBJDUMP" && OBJDUMP=objdump
+_LT_DECL([], [OBJDUMP], [1], [Object dumper program])dnl
+])# win32-dll
+
+AU_DEFUN([AC_LIBTOOL_WIN32_DLL],
+[AC_REQUIRE([AC_CANONICAL_HOST])dnl
+_LT_SET_OPTION([LT_INIT], [win32-dll])
+AC_DIAGNOSE([obsolete],
+[$0: Remove this warning and the call to _LT_SET_OPTION when you
+put the 'win32-dll' option into LT_INIT's first parameter.])
+])
+
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AC_LIBTOOL_WIN32_DLL], [])
+
+
+# _LT_ENABLE_SHARED([DEFAULT])
+# ----------------------------
+# implement the --enable-shared flag, and supports the 'shared' and
+# 'disable-shared' LT_INIT options.
+# DEFAULT is either 'yes' or 'no'.  If omitted, it defaults to 'yes'.
+m4_define([_LT_ENABLE_SHARED],
+[m4_define([_LT_ENABLE_SHARED_DEFAULT], [m4_if($1, no, no, yes)])dnl
+AC_ARG_ENABLE([shared],
+    [AS_HELP_STRING([--enable-shared@<:@=PKGS@:>@],
+	[build shared libraries @<:@default=]_LT_ENABLE_SHARED_DEFAULT[@:>@])],
+    [p=${PACKAGE-default}
+    case $enableval in
+    yes) enable_shared=yes ;;
+    no) enable_shared=no ;;
+    *)
+      enable_shared=no
+      # Look at the argument we got.  We use all the common list separators.
+      lt_save_ifs=$IFS; IFS=$IFS$PATH_SEPARATOR,
+      for pkg in $enableval; do
+	IFS=$lt_save_ifs
+	if test "X$pkg" = "X$p"; then
+	  enable_shared=yes
+	fi
+      done
+      IFS=$lt_save_ifs
+      ;;
+    esac],
+    [enable_shared=]_LT_ENABLE_SHARED_DEFAULT)
+
+    _LT_DECL([build_libtool_libs], [enable_shared], [0],
+	[Whether or not to build shared libraries])
+])# _LT_ENABLE_SHARED
+
+LT_OPTION_DEFINE([LT_INIT], [shared], [_LT_ENABLE_SHARED([yes])])
+LT_OPTION_DEFINE([LT_INIT], [disable-shared], [_LT_ENABLE_SHARED([no])])
+
+# Old names:
+AC_DEFUN([AC_ENABLE_SHARED],
+[_LT_SET_OPTION([LT_INIT], m4_if([$1], [no], [disable-])[shared])
+])
+
+AC_DEFUN([AC_DISABLE_SHARED],
+[_LT_SET_OPTION([LT_INIT], [disable-shared])
+])
+
+AU_DEFUN([AM_ENABLE_SHARED], [AC_ENABLE_SHARED($@)])
+AU_DEFUN([AM_DISABLE_SHARED], [AC_DISABLE_SHARED($@)])
+
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AM_ENABLE_SHARED], [])
+dnl AC_DEFUN([AM_DISABLE_SHARED], [])
+
+
+
+# _LT_ENABLE_STATIC([DEFAULT])
+# ----------------------------
+# implement the --enable-static flag, and support the 'static' and
+# 'disable-static' LT_INIT options.
+# DEFAULT is either 'yes' or 'no'.  If omitted, it defaults to 'yes'.
+m4_define([_LT_ENABLE_STATIC],
+[m4_define([_LT_ENABLE_STATIC_DEFAULT], [m4_if($1, no, no, yes)])dnl
+AC_ARG_ENABLE([static],
+    [AS_HELP_STRING([--enable-static@<:@=PKGS@:>@],
+	[build static libraries @<:@default=]_LT_ENABLE_STATIC_DEFAULT[@:>@])],
+    [p=${PACKAGE-default}
+    case $enableval in
+    yes) enable_static=yes ;;
+    no) enable_static=no ;;
+    *)
+     enable_static=no
+      # Look at the argument we got.  We use all the common list separators.
+      lt_save_ifs=$IFS; IFS=$IFS$PATH_SEPARATOR,
+      for pkg in $enableval; do
+	IFS=$lt_save_ifs
+	if test "X$pkg" = "X$p"; then
+	  enable_static=yes
+	fi
+      done
+      IFS=$lt_save_ifs
+      ;;
+    esac],
+    [enable_static=]_LT_ENABLE_STATIC_DEFAULT)
+
+    _LT_DECL([build_old_libs], [enable_static], [0],
+	[Whether or not to build static libraries])
+])# _LT_ENABLE_STATIC
+
+LT_OPTION_DEFINE([LT_INIT], [static], [_LT_ENABLE_STATIC([yes])])
+LT_OPTION_DEFINE([LT_INIT], [disable-static], [_LT_ENABLE_STATIC([no])])
+
+# Old names:
+AC_DEFUN([AC_ENABLE_STATIC],
+[_LT_SET_OPTION([LT_INIT], m4_if([$1], [no], [disable-])[static])
+])
+
+AC_DEFUN([AC_DISABLE_STATIC],
+[_LT_SET_OPTION([LT_INIT], [disable-static])
+])
+
+AU_DEFUN([AM_ENABLE_STATIC], [AC_ENABLE_STATIC($@)])
+AU_DEFUN([AM_DISABLE_STATIC], [AC_DISABLE_STATIC($@)])
+
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AM_ENABLE_STATIC], [])
+dnl AC_DEFUN([AM_DISABLE_STATIC], [])
+
+
+
+# _LT_ENABLE_FAST_INSTALL([DEFAULT])
+# ----------------------------------
+# implement the --enable-fast-install flag, and support the 'fast-install'
+# and 'disable-fast-install' LT_INIT options.
+# DEFAULT is either 'yes' or 'no'.  If omitted, it defaults to 'yes'.
+m4_define([_LT_ENABLE_FAST_INSTALL],
+[m4_define([_LT_ENABLE_FAST_INSTALL_DEFAULT], [m4_if($1, no, no, yes)])dnl
+AC_ARG_ENABLE([fast-install],
+    [AS_HELP_STRING([--enable-fast-install@<:@=PKGS@:>@],
+    [optimize for fast installation @<:@default=]_LT_ENABLE_FAST_INSTALL_DEFAULT[@:>@])],
+    [p=${PACKAGE-default}
+    case $enableval in
+    yes) enable_fast_install=yes ;;
+    no) enable_fast_install=no ;;
+    *)
+      enable_fast_install=no
+      # Look at the argument we got.  We use all the common list separators.
+      lt_save_ifs=$IFS; IFS=$IFS$PATH_SEPARATOR,
+      for pkg in $enableval; do
+	IFS=$lt_save_ifs
+	if test "X$pkg" = "X$p"; then
+	  enable_fast_install=yes
+	fi
+      done
+      IFS=$lt_save_ifs
+      ;;
+    esac],
+    [enable_fast_install=]_LT_ENABLE_FAST_INSTALL_DEFAULT)
+
+_LT_DECL([fast_install], [enable_fast_install], [0],
+	 [Whether or not to optimize for fast installation])dnl
+])# _LT_ENABLE_FAST_INSTALL
+
+LT_OPTION_DEFINE([LT_INIT], [fast-install], [_LT_ENABLE_FAST_INSTALL([yes])])
+LT_OPTION_DEFINE([LT_INIT], [disable-fast-install], [_LT_ENABLE_FAST_INSTALL([no])])
+
+# Old names:
+AU_DEFUN([AC_ENABLE_FAST_INSTALL],
+[_LT_SET_OPTION([LT_INIT], m4_if([$1], [no], [disable-])[fast-install])
+AC_DIAGNOSE([obsolete],
+[$0: Remove this warning and the call to _LT_SET_OPTION when you put
+the 'fast-install' option into LT_INIT's first parameter.])
+])
+
+AU_DEFUN([AC_DISABLE_FAST_INSTALL],
+[_LT_SET_OPTION([LT_INIT], [disable-fast-install])
+AC_DIAGNOSE([obsolete],
+[$0: Remove this warning and the call to _LT_SET_OPTION when you put
+the 'disable-fast-install' option into LT_INIT's first parameter.])
+])
+
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AC_ENABLE_FAST_INSTALL], [])
+dnl AC_DEFUN([AM_DISABLE_FAST_INSTALL], [])
+
+
+# _LT_WITH_AIX_SONAME([DEFAULT])
+# ----------------------------------
+# implement the --with-aix-soname flag, and support the `aix-soname=aix'
+# and `aix-soname=both' and `aix-soname=svr4' LT_INIT options. DEFAULT
+# is either `aix', `both' or `svr4'.  If omitted, it defaults to `aix'.
+m4_define([_LT_WITH_AIX_SONAME],
+[m4_define([_LT_WITH_AIX_SONAME_DEFAULT], [m4_if($1, svr4, svr4, m4_if($1, both, both, aix))])dnl
+shared_archive_member_spec=
+case $host,$enable_shared in
+power*-*-aix[[5-9]]*,yes)
+  AC_MSG_CHECKING([which variant of shared library versioning to provide])
+  AC_ARG_WITH([aix-soname],
+    [AS_HELP_STRING([--with-aix-soname=aix|svr4|both],
+      [shared library versioning (aka "SONAME") variant to provide on AIX, @<:@default=]_LT_WITH_AIX_SONAME_DEFAULT[@:>@.])],
+    [case $withval in
+    aix|svr4|both)
+      ;;
+    *)
+      AC_MSG_ERROR([Unknown argument to --with-aix-soname])
+      ;;
+    esac
+    lt_cv_with_aix_soname=$with_aix_soname],
+    [AC_CACHE_VAL([lt_cv_with_aix_soname],
+      [lt_cv_with_aix_soname=]_LT_WITH_AIX_SONAME_DEFAULT)
+    with_aix_soname=$lt_cv_with_aix_soname])
+  AC_MSG_RESULT([$with_aix_soname])
+  if test aix != "$with_aix_soname"; then
+    # For the AIX way of multilib, we name the shared archive member
+    # based on the bitwidth used, traditionally 'shr.o' or 'shr_64.o',
+    # and 'shr.imp' or 'shr_64.imp', respectively, for the Import File.
+    # Even when GNU compilers ignore OBJECT_MODE but need '-maix64' flag,
+    # the AIX toolchain works better with OBJECT_MODE set (default 32).
+    if test 64 = "${OBJECT_MODE-32}"; then
+      shared_archive_member_spec=shr_64
+    else
+      shared_archive_member_spec=shr
+    fi
+  fi
+  ;;
+*)
+  with_aix_soname=aix
+  ;;
+esac
+
+_LT_DECL([], [shared_archive_member_spec], [0],
+    [Shared archive member basename, for filename based shared library versioning on AIX])dnl
+])# _LT_WITH_AIX_SONAME
+
+LT_OPTION_DEFINE([LT_INIT], [aix-soname=aix], [_LT_WITH_AIX_SONAME([aix])])
+LT_OPTION_DEFINE([LT_INIT], [aix-soname=both], [_LT_WITH_AIX_SONAME([both])])
+LT_OPTION_DEFINE([LT_INIT], [aix-soname=svr4], [_LT_WITH_AIX_SONAME([svr4])])
+
+
+# _LT_WITH_PIC([MODE])
+# --------------------
+# implement the --with-pic flag, and support the 'pic-only' and 'no-pic'
+# LT_INIT options.
+# MODE is either 'yes' or 'no'.  If omitted, it defaults to 'both'.
+m4_define([_LT_WITH_PIC],
+[AC_ARG_WITH([pic],
+    [AS_HELP_STRING([--with-pic@<:@=PKGS@:>@],
+	[try to use only PIC/non-PIC objects @<:@default=use both@:>@])],
+    [lt_p=${PACKAGE-default}
+    case $withval in
+    yes|no) pic_mode=$withval ;;
+    *)
+      pic_mode=default
+      # Look at the argument we got.  We use all the common list separators.
+      lt_save_ifs=$IFS; IFS=$IFS$PATH_SEPARATOR,
+      for lt_pkg in $withval; do
+	IFS=$lt_save_ifs
+	if test "X$lt_pkg" = "X$lt_p"; then
+	  pic_mode=yes
+	fi
+      done
+      IFS=$lt_save_ifs
+      ;;
+    esac],
+    [pic_mode=m4_default([$1], [default])])
+
+_LT_DECL([], [pic_mode], [0], [What type of objects to build])dnl
+])# _LT_WITH_PIC
+
+LT_OPTION_DEFINE([LT_INIT], [pic-only], [_LT_WITH_PIC([yes])])
+LT_OPTION_DEFINE([LT_INIT], [no-pic], [_LT_WITH_PIC([no])])
+
+# Old name:
+AU_DEFUN([AC_LIBTOOL_PICMODE],
+[_LT_SET_OPTION([LT_INIT], [pic-only])
+AC_DIAGNOSE([obsolete],
+[$0: Remove this warning and the call to _LT_SET_OPTION when you
+put the 'pic-only' option into LT_INIT's first parameter.])
+])
+
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AC_LIBTOOL_PICMODE], [])
+
+## ----------------- ##
+## LTDL_INIT Options ##
+## ----------------- ##
+
+m4_define([_LTDL_MODE], [])
+LT_OPTION_DEFINE([LTDL_INIT], [nonrecursive],
+		 [m4_define([_LTDL_MODE], [nonrecursive])])
+LT_OPTION_DEFINE([LTDL_INIT], [recursive],
+		 [m4_define([_LTDL_MODE], [recursive])])
+LT_OPTION_DEFINE([LTDL_INIT], [subproject],
+		 [m4_define([_LTDL_MODE], [subproject])])
+
+m4_define([_LTDL_TYPE], [])
+LT_OPTION_DEFINE([LTDL_INIT], [installable],
+		 [m4_define([_LTDL_TYPE], [installable])])
+LT_OPTION_DEFINE([LTDL_INIT], [convenience],
+		 [m4_define([_LTDL_TYPE], [convenience])])
diff --git a/m4/ltsugar.m4 b/m4/ltsugar.m4
new file mode 100644
index 0000000..48bc934
--- /dev/null
+++ b/m4/ltsugar.m4
@@ -0,0 +1,124 @@
+# ltsugar.m4 -- libtool m4 base layer.                         -*-Autoconf-*-
+#
+# Copyright (C) 2004-2005, 2007-2008, 2011-2015 Free Software
+# Foundation, Inc.
+# Written by Gary V. Vaughan, 2004
+#
+# This file is free software; the Free Software Foundation gives
+# unlimited permission to copy and/or distribute it, with or without
+# modifications, as long as this notice is preserved.
+
+# serial 6 ltsugar.m4
+
+# This is to help aclocal find these macros, as it can't see m4_define.
+AC_DEFUN([LTSUGAR_VERSION], [m4_if([0.1])])
+
+
+# lt_join(SEP, ARG1, [ARG2...])
+# -----------------------------
+# Produce ARG1SEPARG2...SEPARGn, omitting [] arguments and their
+# associated separator.
+# Needed until we can rely on m4_join from Autoconf 2.62, since all earlier
+# versions in m4sugar had bugs.
+m4_define([lt_join],
+[m4_if([$#], [1], [],
+       [$#], [2], [[$2]],
+       [m4_if([$2], [], [], [[$2]_])$0([$1], m4_shift(m4_shift($@)))])])
+m4_define([_lt_join],
+[m4_if([$#$2], [2], [],
+       [m4_if([$2], [], [], [[$1$2]])$0([$1], m4_shift(m4_shift($@)))])])
+
+
+# lt_car(LIST)
+# lt_cdr(LIST)
+# ------------
+# Manipulate m4 lists.
+# These macros are necessary as long as will still need to support
+# Autoconf-2.59, which quotes differently.
+m4_define([lt_car], [[$1]])
+m4_define([lt_cdr],
+[m4_if([$#], 0, [m4_fatal([$0: cannot be called without arguments])],
+       [$#], 1, [],
+       [m4_dquote(m4_shift($@))])])
+m4_define([lt_unquote], $1)
+
+
+# lt_append(MACRO-NAME, STRING, [SEPARATOR])
+# ------------------------------------------
+# Redefine MACRO-NAME to hold its former content plus 'SEPARATOR''STRING'.
+# Note that neither SEPARATOR nor STRING are expanded; they are appended
+# to MACRO-NAME as is (leaving the expansion for when MACRO-NAME is invoked).
+# No SEPARATOR is output if MACRO-NAME was previously undefined (different
+# than defined and empty).
+#
+# This macro is needed until we can rely on Autoconf 2.62, since earlier
+# versions of m4sugar mistakenly expanded SEPARATOR but not STRING.
+m4_define([lt_append],
+[m4_define([$1],
+	   m4_ifdef([$1], [m4_defn([$1])[$3]])[$2])])
+
+
+
+# lt_combine(SEP, PREFIX-LIST, INFIX, SUFFIX1, [SUFFIX2...])
+# ----------------------------------------------------------
+# Produce a SEP delimited list of all paired combinations of elements of
+# PREFIX-LIST with SUFFIX1 through SUFFIXn.  Each element of the list
+# has the form PREFIXmINFIXSUFFIXn.
+# Needed until we can rely on m4_combine added in Autoconf 2.62.
+m4_define([lt_combine],
+[m4_if(m4_eval([$# > 3]), [1],
+       [m4_pushdef([_Lt_sep], [m4_define([_Lt_sep], m4_defn([lt_car]))])]]dnl
+[[m4_foreach([_Lt_prefix], [$2],
+	     [m4_foreach([_Lt_suffix],
+		]m4_dquote(m4_dquote(m4_shift(m4_shift(m4_shift($@)))))[,
+	[_Lt_sep([$1])[]m4_defn([_Lt_prefix])[$3]m4_defn([_Lt_suffix])])])])])
+
+
+# lt_if_append_uniq(MACRO-NAME, VARNAME, [SEPARATOR], [UNIQ], [NOT-UNIQ])
+# -----------------------------------------------------------------------
+# Iff MACRO-NAME does not yet contain VARNAME, then append it (delimited
+# by SEPARATOR if supplied) and expand UNIQ, else NOT-UNIQ.
+m4_define([lt_if_append_uniq],
+[m4_ifdef([$1],
+	  [m4_if(m4_index([$3]m4_defn([$1])[$3], [$3$2$3]), [-1],
+		 [lt_append([$1], [$2], [$3])$4],
+		 [$5])],
+	  [lt_append([$1], [$2], [$3])$4])])
+
+
+# lt_dict_add(DICT, KEY, VALUE)
+# -----------------------------
+m4_define([lt_dict_add],
+[m4_define([$1($2)], [$3])])
+
+
+# lt_dict_add_subkey(DICT, KEY, SUBKEY, VALUE)
+# --------------------------------------------
+m4_define([lt_dict_add_subkey],
+[m4_define([$1($2:$3)], [$4])])
+
+
+# lt_dict_fetch(DICT, KEY, [SUBKEY])
+# ----------------------------------
+m4_define([lt_dict_fetch],
+[m4_ifval([$3],
+	m4_ifdef([$1($2:$3)], [m4_defn([$1($2:$3)])]),
+    m4_ifdef([$1($2)], [m4_defn([$1($2)])]))])
+
+
+# lt_if_dict_fetch(DICT, KEY, [SUBKEY], VALUE, IF-TRUE, [IF-FALSE])
+# -----------------------------------------------------------------
+m4_define([lt_if_dict_fetch],
+[m4_if(lt_dict_fetch([$1], [$2], [$3]), [$4],
+	[$5],
+    [$6])])
+
+
+# lt_dict_filter(DICT, [SUBKEY], VALUE, [SEPARATOR], KEY, [...])
+# --------------------------------------------------------------
+m4_define([lt_dict_filter],
+[m4_if([$5], [], [],
+  [lt_join(m4_quote(m4_default([$4], [[, ]])),
+           lt_unquote(m4_split(m4_normalize(m4_foreach(_Lt_key, lt_car([m4_shiftn(4, $@)]),
+		      [lt_if_dict_fetch([$1], _Lt_key, [$2], [$3], [_Lt_key ])])))))])[]dnl
+])
diff --git a/m4/ltversion.m4 b/m4/ltversion.m4
new file mode 100644
index 0000000..fa04b52
--- /dev/null
+++ b/m4/ltversion.m4
@@ -0,0 +1,23 @@
+# ltversion.m4 -- version numbers			-*- Autoconf -*-
+#
+#   Copyright (C) 2004, 2011-2015 Free Software Foundation, Inc.
+#   Written by Scott James Remnant, 2004
+#
+# This file is free software; the Free Software Foundation gives
+# unlimited permission to copy and/or distribute it, with or without
+# modifications, as long as this notice is preserved.
+
+# @configure_input@
+
+# serial 4179 ltversion.m4
+# This file is part of GNU Libtool
+
+m4_define([LT_PACKAGE_VERSION], [2.4.6])
+m4_define([LT_PACKAGE_REVISION], [2.4.6])
+
+AC_DEFUN([LTVERSION_VERSION],
+[macro_version='2.4.6'
+macro_revision='2.4.6'
+_LT_DECL(, macro_version, 0, [Which release of libtool.m4 was used?])
+_LT_DECL(, macro_revision, 0)
+])
diff --git a/m4/lt~obsolete.m4 b/m4/lt~obsolete.m4
new file mode 100644
index 0000000..c6b26f8
--- /dev/null
+++ b/m4/lt~obsolete.m4
@@ -0,0 +1,99 @@
+# lt~obsolete.m4 -- aclocal satisfying obsolete definitions.    -*-Autoconf-*-
+#
+#   Copyright (C) 2004-2005, 2007, 2009, 2011-2015 Free Software
+#   Foundation, Inc.
+#   Written by Scott James Remnant, 2004.
+#
+# This file is free software; the Free Software Foundation gives
+# unlimited permission to copy and/or distribute it, with or without
+# modifications, as long as this notice is preserved.
+
+# serial 5 lt~obsolete.m4
+
+# These exist entirely to fool aclocal when bootstrapping libtool.
+#
+# In the past libtool.m4 has provided macros via AC_DEFUN (or AU_DEFUN),
+# which have later been changed to m4_define as they aren't part of the
+# exported API, or moved to Autoconf or Automake where they belong.
+#
+# The trouble is, aclocal is a bit thick.  It'll see the old AC_DEFUN
+# in /usr/share/aclocal/libtool.m4 and remember it, then when it sees us
+# using a macro with the same name in our local m4/libtool.m4 it'll
+# pull the old libtool.m4 in (it doesn't see our shiny new m4_define
+# and doesn't know about Autoconf macros at all.)
+#
+# So we provide this file, which has a silly filename so it's always
+# included after everything else.  This provides aclocal with the
+# AC_DEFUNs it wants, but when m4 processes it, it doesn't do anything
+# because those macros already exist, or will be overwritten later.
+# We use AC_DEFUN over AU_DEFUN for compatibility with aclocal-1.6.
+#
+# Anytime we withdraw an AC_DEFUN or AU_DEFUN, remember to add it here.
+# Yes, that means every name once taken will need to remain here until
+# we give up compatibility with versions before 1.7, at which point
+# we need to keep only those names which we still refer to.
+
+# This is to help aclocal find these macros, as it can't see m4_define.
+AC_DEFUN([LTOBSOLETE_VERSION], [m4_if([1])])
+
+m4_ifndef([AC_LIBTOOL_LINKER_OPTION],	[AC_DEFUN([AC_LIBTOOL_LINKER_OPTION])])
+m4_ifndef([AC_PROG_EGREP],		[AC_DEFUN([AC_PROG_EGREP])])
+m4_ifndef([_LT_AC_PROG_ECHO_BACKSLASH],	[AC_DEFUN([_LT_AC_PROG_ECHO_BACKSLASH])])
+m4_ifndef([_LT_AC_SHELL_INIT],		[AC_DEFUN([_LT_AC_SHELL_INIT])])
+m4_ifndef([_LT_AC_SYS_LIBPATH_AIX],	[AC_DEFUN([_LT_AC_SYS_LIBPATH_AIX])])
+m4_ifndef([_LT_PROG_LTMAIN],		[AC_DEFUN([_LT_PROG_LTMAIN])])
+m4_ifndef([_LT_AC_TAGVAR],		[AC_DEFUN([_LT_AC_TAGVAR])])
+m4_ifndef([AC_LTDL_ENABLE_INSTALL],	[AC_DEFUN([AC_LTDL_ENABLE_INSTALL])])
+m4_ifndef([AC_LTDL_PREOPEN],		[AC_DEFUN([AC_LTDL_PREOPEN])])
+m4_ifndef([_LT_AC_SYS_COMPILER],	[AC_DEFUN([_LT_AC_SYS_COMPILER])])
+m4_ifndef([_LT_AC_LOCK],		[AC_DEFUN([_LT_AC_LOCK])])
+m4_ifndef([AC_LIBTOOL_SYS_OLD_ARCHIVE],	[AC_DEFUN([AC_LIBTOOL_SYS_OLD_ARCHIVE])])
+m4_ifndef([_LT_AC_TRY_DLOPEN_SELF],	[AC_DEFUN([_LT_AC_TRY_DLOPEN_SELF])])
+m4_ifndef([AC_LIBTOOL_PROG_CC_C_O],	[AC_DEFUN([AC_LIBTOOL_PROG_CC_C_O])])
+m4_ifndef([AC_LIBTOOL_SYS_HARD_LINK_LOCKS], [AC_DEFUN([AC_LIBTOOL_SYS_HARD_LINK_LOCKS])])
+m4_ifndef([AC_LIBTOOL_OBJDIR],		[AC_DEFUN([AC_LIBTOOL_OBJDIR])])
+m4_ifndef([AC_LTDL_OBJDIR],		[AC_DEFUN([AC_LTDL_OBJDIR])])
+m4_ifndef([AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH], [AC_DEFUN([AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH])])
+m4_ifndef([AC_LIBTOOL_SYS_LIB_STRIP],	[AC_DEFUN([AC_LIBTOOL_SYS_LIB_STRIP])])
+m4_ifndef([AC_PATH_MAGIC],		[AC_DEFUN([AC_PATH_MAGIC])])
+m4_ifndef([AC_PROG_LD_GNU],		[AC_DEFUN([AC_PROG_LD_GNU])])
+m4_ifndef([AC_PROG_LD_RELOAD_FLAG],	[AC_DEFUN([AC_PROG_LD_RELOAD_FLAG])])
+m4_ifndef([AC_DEPLIBS_CHECK_METHOD],	[AC_DEFUN([AC_DEPLIBS_CHECK_METHOD])])
+m4_ifndef([AC_LIBTOOL_PROG_COMPILER_NO_RTTI], [AC_DEFUN([AC_LIBTOOL_PROG_COMPILER_NO_RTTI])])
+m4_ifndef([AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE], [AC_DEFUN([AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE])])
+m4_ifndef([AC_LIBTOOL_PROG_COMPILER_PIC], [AC_DEFUN([AC_LIBTOOL_PROG_COMPILER_PIC])])
+m4_ifndef([AC_LIBTOOL_PROG_LD_SHLIBS],	[AC_DEFUN([AC_LIBTOOL_PROG_LD_SHLIBS])])
+m4_ifndef([AC_LIBTOOL_POSTDEP_PREDEP],	[AC_DEFUN([AC_LIBTOOL_POSTDEP_PREDEP])])
+m4_ifndef([LT_AC_PROG_EGREP],		[AC_DEFUN([LT_AC_PROG_EGREP])])
+m4_ifndef([LT_AC_PROG_SED],		[AC_DEFUN([LT_AC_PROG_SED])])
+m4_ifndef([_LT_CC_BASENAME],		[AC_DEFUN([_LT_CC_BASENAME])])
+m4_ifndef([_LT_COMPILER_BOILERPLATE],	[AC_DEFUN([_LT_COMPILER_BOILERPLATE])])
+m4_ifndef([_LT_LINKER_BOILERPLATE],	[AC_DEFUN([_LT_LINKER_BOILERPLATE])])
+m4_ifndef([_AC_PROG_LIBTOOL],		[AC_DEFUN([_AC_PROG_LIBTOOL])])
+m4_ifndef([AC_LIBTOOL_SETUP],		[AC_DEFUN([AC_LIBTOOL_SETUP])])
+m4_ifndef([_LT_AC_CHECK_DLFCN],		[AC_DEFUN([_LT_AC_CHECK_DLFCN])])
+m4_ifndef([AC_LIBTOOL_SYS_DYNAMIC_LINKER],	[AC_DEFUN([AC_LIBTOOL_SYS_DYNAMIC_LINKER])])
+m4_ifndef([_LT_AC_TAGCONFIG],		[AC_DEFUN([_LT_AC_TAGCONFIG])])
+m4_ifndef([AC_DISABLE_FAST_INSTALL],	[AC_DEFUN([AC_DISABLE_FAST_INSTALL])])
+m4_ifndef([_LT_AC_LANG_CXX],		[AC_DEFUN([_LT_AC_LANG_CXX])])
+m4_ifndef([_LT_AC_LANG_F77],		[AC_DEFUN([_LT_AC_LANG_F77])])
+m4_ifndef([_LT_AC_LANG_GCJ],		[AC_DEFUN([_LT_AC_LANG_GCJ])])
+m4_ifndef([AC_LIBTOOL_LANG_C_CONFIG],	[AC_DEFUN([AC_LIBTOOL_LANG_C_CONFIG])])
+m4_ifndef([_LT_AC_LANG_C_CONFIG],	[AC_DEFUN([_LT_AC_LANG_C_CONFIG])])
+m4_ifndef([AC_LIBTOOL_LANG_CXX_CONFIG],	[AC_DEFUN([AC_LIBTOOL_LANG_CXX_CONFIG])])
+m4_ifndef([_LT_AC_LANG_CXX_CONFIG],	[AC_DEFUN([_LT_AC_LANG_CXX_CONFIG])])
+m4_ifndef([AC_LIBTOOL_LANG_F77_CONFIG],	[AC_DEFUN([AC_LIBTOOL_LANG_F77_CONFIG])])
+m4_ifndef([_LT_AC_LANG_F77_CONFIG],	[AC_DEFUN([_LT_AC_LANG_F77_CONFIG])])
+m4_ifndef([AC_LIBTOOL_LANG_GCJ_CONFIG],	[AC_DEFUN([AC_LIBTOOL_LANG_GCJ_CONFIG])])
+m4_ifndef([_LT_AC_LANG_GCJ_CONFIG],	[AC_DEFUN([_LT_AC_LANG_GCJ_CONFIG])])
+m4_ifndef([AC_LIBTOOL_LANG_RC_CONFIG],	[AC_DEFUN([AC_LIBTOOL_LANG_RC_CONFIG])])
+m4_ifndef([_LT_AC_LANG_RC_CONFIG],	[AC_DEFUN([_LT_AC_LANG_RC_CONFIG])])
+m4_ifndef([AC_LIBTOOL_CONFIG],		[AC_DEFUN([AC_LIBTOOL_CONFIG])])
+m4_ifndef([_LT_AC_FILE_LTDLL_C],	[AC_DEFUN([_LT_AC_FILE_LTDLL_C])])
+m4_ifndef([_LT_REQUIRED_DARWIN_CHECKS],	[AC_DEFUN([_LT_REQUIRED_DARWIN_CHECKS])])
+m4_ifndef([_LT_AC_PROG_CXXCPP],		[AC_DEFUN([_LT_AC_PROG_CXXCPP])])
+m4_ifndef([_LT_PREPARE_SED_QUOTE_VARS],	[AC_DEFUN([_LT_PREPARE_SED_QUOTE_VARS])])
+m4_ifndef([_LT_PROG_ECHO_BACKSLASH],	[AC_DEFUN([_LT_PROG_ECHO_BACKSLASH])])
+m4_ifndef([_LT_PROG_F77],		[AC_DEFUN([_LT_PROG_F77])])
+m4_ifndef([_LT_PROG_FC],		[AC_DEFUN([_LT_PROG_FC])])
+m4_ifndef([_LT_PROG_CXX],		[AC_DEFUN([_LT_PROG_CXX])])
diff --git a/make/Makefile.in b/make/Makefile.in
new file mode 100644
index 0000000..7bbbca9
--- /dev/null
+++ b/make/Makefile.in
@@ -0,0 +1,22 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS=
+TARGETS=
+
+@BIND9_MAKE_RULES@
+
+distclean::
+	rm -f rules mkdep includes
diff --git a/make/includes.in b/make/includes.in
new file mode 100644
index 0000000..1a0cb16
--- /dev/null
+++ b/make/includes.in
@@ -0,0 +1,43 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# Search for machine-generated header files in the build tree,
+# and for normal headers in the source tree (${top_srcdir}).
+# We only need to look in OS-specific subdirectories for the
+# latter case, because there are no machine-generated OS-specific
+# headers.
+
+ISC_INCLUDES = @BIND9_ISC_BUILDINCLUDE@ \
+	-I${top_srcdir}/lib/isc \
+	-I${top_srcdir}/lib/isc/include \
+	-I${top_srcdir}/lib/isc/unix/include \
+	-I${top_srcdir}/lib/isc/pthreads/include
+
+ISCCC_INCLUDES = @BIND9_ISCCC_BUILDINCLUDE@ \
+       -I${top_srcdir}/lib/isccc/include
+
+ISCCFG_INCLUDES = @BIND9_ISCCFG_BUILDINCLUDE@ \
+       -I${top_srcdir}/lib/isccfg/include
+
+DNS_INCLUDES = @BIND9_DNS_BUILDINCLUDE@ \
+	-I${top_srcdir}/lib/dns/include
+
+NS_INCLUDES = @BIND9_NS_BUILDINCLUDE@ \
+	-I${top_srcdir}/lib/ns/include
+
+IRS_INCLUDES = @BIND9_IRS_BUILDINCLUDE@ \
+	-I${top_srcdir}/lib/irs/include
+
+BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \
+	-I${top_srcdir}/lib/bind9/include
+
+TEST_INCLUDES = \
+	-I${top_srcdir}/lib/tests/include
diff --git a/make/mkdep.in b/make/mkdep.in
new file mode 100644
index 0000000..9699b40
--- /dev/null
+++ b/make/mkdep.in
@@ -0,0 +1,148 @@
+#!/bin/sh -
+
+##
+## Modified to handle -vpath <path> option by Michael Graff, ISC.
+## The purpose of this is to allow this script to run outside of the
+## source directory, for instance when running configure with
+##   ../bind9-mainline/configure
+## and still have "make depend" work.
+##
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+# Copyright (c) 1987 Regents of the University of California.
+# Copyright (c) 1993 by Digital Equipment Corporation.
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+#	@(#)mkdep.sh	5.12 (Berkeley) 6/30/88
+#
+
+MAKE=Makefile			# default makefile name is "Makefile"
+
+while :
+	do case "$1" in
+		# -vpath allows one to select a virtual path for .c files
+		-vpath)
+			VPATH=$2;
+			shift; shift ;;
+		# -f allows you to select a makefile name
+		-f)
+			MAKE=$2
+			shift; shift ;;
+
+		# the -p flag produces "program: program.c" style dependencies
+		# so .o's don't get produced
+		-p)
+			SED='s;\.o;;'
+			shift ;;
+		*)
+			break ;;
+	esac
+done
+
+if [ $# = 0 ] ; then
+	echo 'usage: mkdep [-vpath path] [-p] [-f makefile] [flags] file ...'
+	exit 1
+fi
+
+if [ ! -w $MAKE ]; then
+	echo "mkdep: no writeable file \"$MAKE\""
+	exit 1
+fi
+
+TMP=mkdep$$
+
+trap 'rm -f $TMP ; exit 1' 1 2 3 13 15
+
+cp $MAKE ${MAKE}.bak
+
+sed -e '/DO NOT DELETE THIS LINE/,$d' < $MAKE > $TMP
+
+cat << _EOF_ >> $TMP
+# DO NOT DELETE THIS LINE -- mkdep uses it.
+# DO NOT PUT ANYTHING AFTER THIS LINE, IT WILL GO AWAY.
+
+_EOF_
+
+# If your compiler doesn't have -M, add it.  If you can't, the next two
+# lines will try and replace the "cc -M".  The real problem is that this
+# hack can't deal with anything that requires a search path, and doesn't
+# even try for anything using bracket (<>) syntax.
+#
+# egrep '^#include[ 	]*".*"' /dev/null $* |
+# sed -e 's/:[^"]*"\([^"]*\)".*/: \1/' -e 's/\.c/.o/' |
+
+if [ X"${VPATH}" != X ] ; then
+    for arg in $* ; do
+	case "$arg" in
+	    -*)
+		newargs="$newargs $arg"
+		;;
+	    *)
+		newargs="$newargs $VPATH/$arg"
+		;;
+	esac
+    done
+else
+    newargs="$*";
+fi
+
+MKDEPPROG="@MKDEPPROG@"
+if [ X"${MKDEPPROG}" != X ]; then
+    @SHELL@ -c "${MKDEPPROG} ${newargs}"
+else
+    @MKDEPCC@ @MKDEPCFLAGS@ ${newargs} |
+    sed "
+	s; \\./; ;g
+	s; \\\\; ;g
+	@LIBTOOL_MKDEP_SED@
+	$SED" |
+    awk '$1 ~ /:$/ {
+		if (rec != "")
+			 print rec;
+		if (NF == 1)
+			rec = $1;
+		else
+			rec = $1 " " $2;
+		for (i = 3; i <= NF; i++) {
+			if (length(rec $i) > 76) {
+				print rec " \\";
+				rec = "    " $i;
+			} else {
+				rec = rec " " $i;
+			}
+		}
+		next;
+	}
+	{
+		for (i = 1; i <= NF; i++) {
+			if (length(rec $i) > 76) {
+				print rec, "\\";
+				rec =  "    " $i;
+			} else {
+				rec = rec " " $i;
+			}
+		}
+	}
+    END {
+	print rec
+    }' >> $TMP
+fi
+
+cat << _EOF_ >> $TMP
+
+# IF YOU PUT ANYTHING HERE IT WILL GO AWAY
+_EOF_
+
+# copy to preserve permissions
+cp $TMP $MAKE
+rm -f ${MAKE}.bak $TMP
+exit 0
diff --git a/make/rules.in b/make/rules.in
new file mode 100644
index 0000000..4f6c15b
--- /dev/null
+++ b/make/rules.in
@@ -0,0 +1,386 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+###
+### Common Makefile rules for BIND 9.
+###
+
+###
+### Paths
+###
+### Note: paths that vary by Makefile MUST NOT be listed
+### here, or they won't get expanded correctly.
+
+prefix =	@prefix@
+exec_prefix =	@exec_prefix@
+bindir =	@bindir@
+sbindir =	@sbindir@
+includedir =	@includedir@
+libdir =	@libdir@
+sysconfdir =	@sysconfdir@
+localstatedir =	@localstatedir@
+mandir =	@mandir@
+datarootdir =   @datarootdir@
+
+plugindir =	${libdir}/named
+
+DESTDIR =
+
+@SET_MAKE@
+
+top_builddir =	@BIND9_TOP_BUILDDIR@
+
+###
+### All
+###
+### Makefile may define:
+###	PREREQS
+###	TARGETS
+
+all: ${PREREQS} subdirs ${TARGETS} testdirs
+
+###
+### Subdirectories
+###
+### Makefile may define:
+###	SUBDIRS
+###	DEPDIRS
+
+ALL_SUBDIRS = ${SUBDIRS} nulldir
+ALL_TESTDIRS = ${TESTDIRS} nulldir
+
+#
+# We use a single-colon rule so that additional dependencies of
+# subdirectories can be specified after the inclusion of this file.
+# The "depend" and "testdirs" targets are treated the same way.
+#
+subdirs:
+	@for i in ${ALL_SUBDIRS}; do \
+		if [ "$$i" != "nulldir" -a -d $$i ]; then \
+			echo "making all in `pwd`/$$i"; \
+			(cd $$i; ${MAKE} ${MAKEDEFS} DESTDIR="${DESTDIR}" all) || exit 1; \
+		fi; \
+	done
+
+#
+# Tests are built after the targets instead of before
+#
+testdirs: subdirs ${TARGETS}
+	@for i in ${ALL_TESTDIRS}; do \
+		if [ "$$i" != "nulldir" -a -d $$i ]; then \
+			echo "making all in `pwd`/$$i"; \
+			(cd $$i; ${MAKE} ${MAKEDEFS} DESTDIR="${DESTDIR}" all) || exit 1; \
+		fi; \
+	done
+
+install:: all
+
+install uninstall clean distclean maintainer-clean doc docclean man manclean::
+	@for i in ${ALL_SUBDIRS} ${ALL_TESTDIRS}; do \
+		if [ "$$i" != "nulldir" -a -d $$i -a -f $$i/Makefile ]; then \
+			echo "making $@ in `pwd`/$$i"; \
+			(cd $$i; ${MAKE} ${MAKEDEFS} DESTDIR="${DESTDIR}" $@) || exit 1; \
+		fi; \
+	done
+
+###
+### C Programs
+###
+### Makefile must define
+###	CC
+### Makefile may define
+###	CFLAGS
+###	LDFLAGS
+###	CINCLUDES
+###	CDEFINES
+###	CWARNINGS
+### User may define externally
+###     EXT_CFLAGS
+
+CC = 		@CC@
+CFLAGS =	@CFLAGS@
+LDFLAGS =	@LDFLAGS@
+STD_CINCLUDES =	@STD_CINCLUDES@
+STD_CDEFINES =	@STD_CDEFINES@
+STD_CWARNINGS =	@STD_CWARNINGS@
+
+BUILD_CC = @BUILD_CC@
+BUILD_CFLAGS = @BUILD_CFLAGS@
+BUILD_CPPFLAGS = @BUILD_CPPFLAGS@
+BUILD_LDFLAGS = @BUILD_LDFLAGS@
+BUILD_LIBS = @BUILD_LIBS@
+
+FSTRM_CFLAGS = @FSTRM_CFLAGS@
+FSTRM_LIBS = @FSTRM_LIBS@
+
+GSSAPI_LIBS = @DNS_CRYPTO_LIBS@
+
+JSON_C_CFLAGS = @JSON_C_CFLAGS@
+JSON_C_LIBS = @JSON_C_LIBS@
+
+LFS_CFLAGS = @LFS_CFLAGS@
+LFS_LDFLAGS = @LFS_LDFLAGS@
+LFS_LIBS = @LFS_LIBS@
+
+LIBUV_CFLAGS = @LIBUV_CFLAGS@
+LIBUV_LIBS = @LIBUV_LIBS@
+
+LIBXML2_CFLAGS = @LIBXML2_CFLAGS@
+LIBXML2_LIBS = @LIBXML2_LIBS@
+
+LMDB_CFLAGS = @LMDB_CFLAGS@
+LMDB_LIBS = @LMDB_LIBS@
+
+MAXMINDDB_CFLAGS = @MAXMINDDB_CFLAGS@
+MAXMINDDB_LIBS = @MAXMINDDB_LIBS@
+
+OPENSSL_CFLAGS = @OPENSSL_CFLAGS@
+OPENSSL_LIBS = @OPENSSL_LIBS@
+
+PROTOBUF_C_CFLAGS = @PROTOBUF_C_CFLAGS@
+PROTOBUF_C_LIBS = @PROTOBUF_C_LIBS@
+
+ZLIB_CFLAGS = @ZLIB_CFLAGS@
+ZLIB_LIBS = @ZLIB_LIBS@
+
+NO_LIBTOOL_ISCLIBS = ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS} ${ZLIB_LIBS} ${LIBUV_LIBS}
+NO_LIBTOOL_DNSLIBS = ${LMDB_LIBS} ${MAXMINDDB_LIBS} ${GSSAPI_LIBS} ${PROTOBUF_C_LIBS} ${FSTRM_LIBS}
+
+.SUFFIXES:
+.SUFFIXES: .c .@O@
+
+ALWAYS_INCLUDES = -include ${top_builddir}/config.h -I${top_builddir} -I${top_srcdir}
+ALWAYS_DEFINES = @ALWAYS_DEFINES@
+ALWAYS_WARNINGS =
+
+ALL_CPPFLAGS = \
+	${ALWAYS_INCLUDES} ${CINCLUDES} ${STD_CINCLUDES} \
+	${ALWAYS_DEFINES} ${CDEFINES} ${STD_CDEFINES}
+
+ALL_CFLAGS = ${EXT_CFLAGS} ${ALL_CPPFLAGS} ${CFLAGS} \
+	${ALWAYS_WARNINGS} ${STD_CWARNINGS} ${CWARNINGS}
+
+@BIND9_CO_RULE@
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c $<
+
+SHELL = @SHELL@
+LIBTOOL = @LIBTOOL@
+LIBTOOL_MODE_COMPILE = ${LIBTOOL} @LIBTOOL_MODE_COMPILE@
+LIBTOOL_MODE_INSTALL = ${LIBTOOL} @LIBTOOL_MODE_INSTALL@
+LIBTOOL_MODE_LINK = ${LIBTOOL} @LIBTOOL_MODE_LINK@
+LIBTOOL_MODE_UNINSTALL = ${LIBTOOL} @LIBTOOL_MODE_UNINSTALL@
+PURIFY = @PURIFY@
+
+MKDEP = ${SHELL} ${top_builddir}/make/mkdep
+
+###
+### This is a template compound command to build an executable binary with
+### an internal symbol table.
+### This process is tricky.  We first link all objects including a tentative
+### empty symbol table, then get a tentative list of symbols from the resulting
+### binary ($@tmp0).  Next, we re-link all objects, but this time with the
+### symbol table just created ($tmp@1).  The set of symbols should be the same,
+### but the corresponding addresses would be changed due to the difference on
+### the size of symbol tables.  So we create the symbol table and re-create the
+### objects once again.  Finally, we check the symbol table embedded in the
+### final binaryis consistent with the binary itself; otherwise the process is
+### terminated.
+###
+### To minimize the overhead of creating symbol tables, the autoconf switch
+### --enable-symtable takes an argument so that the symbol table can be created
+### on a per application basis: unless the argument is set to "all", the symbol
+### table is created only when a shell (environment) variable "MAKE_SYMTABLE" is
+### set to a non-null value in the rule to build the executable binary.
+###
+### Each Makefile.in that uses this macro is expected to define "LIBS" and
+### "NOSYMLIBS"; the former includes libisc with an empty symbol table, and
+### the latter includes libisc without the definition of a symbol table.
+### The rule to make the executable binary will look like this
+### binary@EXEEXT@: ${OBJS}
+###     #export MAKE_SYMTABLE="yes"; \  <- enable if symtable is always needed
+###	export BASEOBJS="${OBJS}"; \
+###	${FINALBUILDCMD}
+###
+### Normally, ${LIBS} includes all necessary libraries to build the binary;
+### there are some exceptions however, where the rule lists some of the
+### necessary libraries explicitly in addition to (or instead of) ${LIBS},
+### like this:
+### binary@EXEEXT@: ${OBJS}
+###     cc -o $@ ${OBJS} ${OTHERLIB1} ${OTHERLIB2} ${LIBS}
+### in order to modify such a rule to use this compound command, a separate
+### variable "LIBS0" should be deinfed for the explicitly listed libraries,
+### while making sure ${LIBS} still includes libisc.  So the above rule would
+### be modified as follows:
+### binary@EXEEXT@: ${OBJS}
+###	export BASEOBJS="${OBJS}"; \
+###	export LIBS0="${OTHERLIB1} ${OTHERLIB2}"; \
+###     ${FINALBUILDCMD}
+### See bin/check/Makefile.in for a complete example of the use of LIBS0.
+###
+FINALBUILDCMD = if [ X"${MKSYMTBL_PROGRAM}" = X -o X"$${MAKE_SYMTABLE:-${ALWAYS_MAKE_SYMTABLE}}" = X ] ; then \
+		${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
+		-o $@ $${BASEOBJS} $${LIBS0} ${LIBS}; \
+	else \
+		rm -f $@tmp0; \
+		${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
+		-o $@tmp0 $${BASEOBJS} $${LIBS0} ${LIBS} || exit 1; \
+		rm -f $@-symtbl.c $@-symtbl.@O@; \
+		${MKSYMTBL_PROGRAM} ${top_srcdir}/util/mksymtbl.pl \
+		-o $@-symtbl.c $@tmp0 || exit 1; \
+		$(MAKE) $@-symtbl.@O@ || exit 1; \
+		rm -f $@tmp1; \
+		${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
+		-o $@tmp1 $${BASEOBJS} $@-symtbl.@O@ $${LIBS0} ${NOSYMLIBS} || exit 1; \
+		rm -f $@-symtbl.c $@-symtbl.@O@; \
+		${MKSYMTBL_PROGRAM} ${top_srcdir}/util/mksymtbl.pl \
+		-o $@-symtbl.c $@tmp1 || exit 1; \
+		$(MAKE) $@-symtbl.@O@ || exit 1; \
+		${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
+		-o $@tmp2 $${BASEOBJS} $@-symtbl.@O@ $${LIBS0} ${NOSYMLIBS}; \
+		${MKSYMTBL_PROGRAM} ${top_srcdir}/util/mksymtbl.pl \
+		-o $@-symtbl2.c $@tmp2; \
+		count=0; \
+		until diff $@-symtbl.c $@-symtbl2.c > /dev/null ; \
+		do \
+			count=`expr $$count + 1` ; \
+			test $$count = 42 && exit 1 ; \
+			rm -f $@-symtbl.c $@-symtbl.@O@; \
+			${MKSYMTBL_PROGRAM} ${top_srcdir}/util/mksymtbl.pl \
+			-o $@-symtbl.c $@tmp2 || exit 1; \
+			$(MAKE) $@-symtbl.@O@ || exit 1; \
+			${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} \
+			${LDFLAGS} -o $@tmp2 $${BASEOBJS} $@-symtbl.@O@ \
+			$${LIBS0} ${NOSYMLIBS}; \
+			${MKSYMTBL_PROGRAM} ${top_srcdir}/util/mksymtbl.pl \
+			-o $@-symtbl2.c $@tmp2; \
+		done ; \
+		mv $@tmp2 $@; \
+		rm -f $@tmp0 $@tmp1 $@tmp2 $@-symtbl2.c; \
+	fi
+
+cleandir: distclean
+superclean: maintainer-clean
+
+clean distclean maintainer-clean::
+	rm -f *.@O@ *.o *.lo *.la core *.core *-symtbl.c *tmp0 *tmp1 *tmp2
+	rm -rf .depend .libs
+
+distclean maintainer-clean::
+	rm -f Makefile
+
+depend:
+	@for i in ${ALL_SUBDIRS} ${ALL_TESTDIRS}; do \
+		if [ "$$i" != "nulldir" -a -d $$i ]; then \
+			echo "making depend in `pwd`/$$i"; \
+			(cd $$i; ${MAKE} ${MAKEDEFS} DESTDIR="${DESTDIR}" $@) || exit 1; \
+		fi; \
+	done
+	@if [ X"${srcdir}" != X. ] ; then \
+		if [ X"${SRCS}" != X -a X"${PSRCS}" != X ] ; then \
+			echo ${MKDEP} -vpath ${srcdir} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \
+			${MKDEP} -vpath ${srcdir} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \
+			echo ${MKDEP} -vpath ${srcdir} -ap ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \
+			${MKDEP} -vpath ${srcdir} -ap ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \
+			${DEPENDEXTRA} \
+		elif [ X"${SRCS}" != X ] ; then \
+			echo ${MKDEP} -vpath ${srcdir} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \
+			${MKDEP} -vpath ${srcdir} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \
+			${DEPENDEXTRA} \
+		elif [ X"${PSRCS}" != X ] ; then \
+			echo ${MKDEP} -vpath ${srcdir} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \
+			${MKDEP} -vpath ${srcdir} -p ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \
+			${DEPENDEXTRA} \
+		fi \
+	else \
+		if [ X"${SRCS}" != X -a X"${PSRCS}" != X ] ; then \
+			echo ${MKDEP} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \
+			${MKDEP} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \
+			echo ${MKDEP} -ap ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \
+			${MKDEP} -ap ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \
+			${DEPENDEXTRA} \
+		elif [ X"${SRCS}" != X ] ; then \
+			echo ${MKDEP} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \
+			${MKDEP} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \
+			${DEPENDEXTRA} \
+		elif [ X"${PSRCS}" != X ] ; then \
+			echo ${MKDEP} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \
+			${MKDEP} -p ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \
+			${DEPENDEXTRA} \
+		fi \
+	fi
+
+FORCE:
+
+###
+### Libraries
+###
+
+AR =		@AR@
+ARFLAGS =	@ARFLAGS@
+RANLIB =	@RANLIB@
+
+###
+### Installation
+###
+
+INSTALL =		@INSTALL@
+INSTALL_PROGRAM =	@INSTALL_PROGRAM@
+LINK_PROGRAM =		@LN_S@
+INSTALL_SCRIPT =	@INSTALL_SCRIPT@
+INSTALL_DATA =		@INSTALL_DATA@
+INSTALL_LIBRARY =	@INSTALL_LIBRARY@
+
+PERL =			@PERL@
+
+###
+### Script language program used to create internal symbol tables
+###
+MKSYMTBL_PROGRAM =	@MKSYMTBL_PROGRAM@
+
+###
+### Switch to create internal symbol table selectively
+###
+ALWAYS_MAKE_SYMTABLE =	@ALWAYS_MAKE_SYMTABLE@
+
+###
+### DocBook -> HTML
+### DocBook -> man page
+###
+
+.SUFFIXES: .docbook .html .1 .2 .3 .4 .5 .6 .7 .8
+
+.docbook.html:
+	${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-docbook-html.xsl $<
+
+.docbook.1:
+	${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $<
+
+.docbook.2:
+	${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $<
+
+.docbook.3:
+	${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $<
+
+.docbook.4:
+	${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $<
+
+.docbook.5:
+	${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $<
+
+.docbook.6:
+	${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $<
+
+.docbook.7:
+	${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $<
+
+.docbook.8:
+	${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $<
+
diff --git a/mkinstalldirs b/mkinstalldirs
new file mode 100644
index 0000000..f945dbf
--- /dev/null
+++ b/mkinstalldirs
@@ -0,0 +1,38 @@
+#! /bin/sh
+# mkinstalldirs --- make directory hierarchy
+# Author: Noah Friedman <friedman@prep.ai.mit.edu>
+# Created: 1993-05-16
+# Public domain
+
+errstatus=0
+
+for file
+do
+   set fnord `echo ":$file" | sed -ne 's/^:\//#/;s/^://;s/\// /g;s/^#/\//;p'`
+   shift
+
+   pathcomp=
+   for d
+   do
+     pathcomp="$pathcomp$d"
+     case "$pathcomp" in
+       -* ) pathcomp=./$pathcomp ;;
+     esac
+
+     if test ! -d "$pathcomp"; then
+        echo "mkdir $pathcomp" 1>&2
+
+        mkdir "$pathcomp" || lasterr=$?
+
+        if test ! -d "$pathcomp"; then
+  	  errstatus=$lasterr
+        fi
+     fi
+
+     pathcomp="$pathcomp/"
+   done
+done
+
+exit $errstatus
+
+# mkinstalldirs ends here
diff --git a/sonar-project.properties b/sonar-project.properties
new file mode 100644
index 0000000..e88ed29
--- /dev/null
+++ b/sonar-project.properties
@@ -0,0 +1,2 @@
+sonar.projectKey=isc-projects_bind9
+sonar.organization=isc-projects
diff --git a/srcid b/srcid
new file mode 100644
index 0000000..8c8e5ef
--- /dev/null
+++ b/srcid
@@ -0,0 +1 @@
+SRCID=cd2b460
diff --git a/unit/README b/unit/README
new file mode 100644
index 0000000..9cdcf9b
--- /dev/null
+++ b/unit/README
@@ -0,0 +1,8 @@
+Unit tests for BIND 9 are based on the CMocka testing framework and
+the Kyua test execution engine.
+
+If your distribution of choice doesn't include packages for kyua or cmocka, the
+sources can be found here:
+
+ * Kyua 0.13 - https://github.com/jmmv/kyua/releases
+ * CMocka 1.0 - https://cmocka.org/files/
diff --git a/unit/gdb b/unit/gdb
new file mode 100755
index 0000000..0eedd63
--- /dev/null
+++ b/unit/gdb
@@ -0,0 +1,33 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# `kyua debug` command does not work with libtool (see
+# https://github.com/jmmv/kyua/issues/207).  On some distributions `kyua debug`
+# runs the first `gdb` it finds in $PATH, but on Debian and Ubuntu it looks for
+# `/usr/bin/gdb`.  This script expects `gdb` to be moved to `gdb.orig` and
+# executed from there.
+coredump="$6"
+binary=$(gdb.orig --batch --core="${coredump}" 2>/dev/null | sed -ne "s/Core was generated by \`\(.*\)'./\1/p")
+# GDB 6.3 from OpenBSD 6.6 does not tell the full path of the broken binary.
+# We need to fix it. Either the binary or it's libtool script will do.
+if [ ! -e "${binary}" ]; then
+       binary="$(find "${TOP}" -name "${binary}" | head -n 1)"
+fi
+
+# $TOP points to BIND sources and should be set on `kyua debug` invocation.
+"${TOP}/libtool" --mode=execute gdb.orig \
+	--batch \
+	--command="${TOP}/bin/tests/system/run.gdb" \
+	--core="${coredump}" \
+	-- \
+	"${binary}"
diff --git a/unit/unittest.sh.in b/unit/unittest.sh.in
new file mode 100755
index 0000000..b707e70
--- /dev/null
+++ b/unit/unittest.sh.in
@@ -0,0 +1,96 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# Find the top of the BIND9 tree.
+export TOP=@abs_top_builddir@
+KYUA=@KYUA@
+CMOCKA_MESSAGE_OUTPUT=TAP
+export CMOCKA_MESSAGE_OUTPUT
+GDB="$(command -v gdb)"
+
+kyua_report() {
+	${KYUA} --logfile /dev/null report --results-file "${KYUA_RESULT:-LATEST}"
+}
+
+clear_kyua_work_dir() {
+	KYUA_WORK_DIR="$(grep -i -m1 "failed" "${1}" | sed -n 's|.*\(/tmp/kyua\.[A-Za-z0-9]*\).*|\1|p')"
+	if [ -n "${CI}" ] && [ -d "${KYUA_WORK_DIR}" ]; then
+		find "${KYUA_WORK_DIR}" \( -name 'core*' -o -name '*.core' \) -exec mv -v {} . \;
+		rm -rf "${KYUA_WORK_DIR}"
+	fi
+}
+
+if [ -z "${KYUA}" ]; then
+	exit 0
+fi
+
+echo "S:unit:$(date)"
+echo "T:unit:1:A"
+echo "I:unit tests (using kyua)"
+
+${KYUA} -v parallelism="${TEST_PARALLEL_JOBS:-1}" --logfile kyua.log --loglevel debug test --results-file "${KYUA_RESULT:-NEW}"
+status=$?
+
+kyua_report
+
+clear_kyua_work_dir kyua.log
+
+# Use kyua-debug(1) facility to gather additional data on failed tests.
+# Some runs will just show verbose information from the run, some will
+# show backtrace via gdb(1).
+USER_ID=$(id -u)
+BROKEN_TESTS=$(kyua_report | awk '$2 == "->" && ( $3 == "broken:" || $3 == "failed:" ) { print $1 }')
+# Conditions for getting kyua debug info and GDB backtrace: runs under CI
+# (safety), GDB present, root privileges, failed tests.
+if [ -n "${CI}" ] && [ -n "${GDB}" ] && [ "${USER_ID:-1}" -eq 0 ] && [ -n "${BROKEN_TESTS}" ]; then
+	if [ "$(uname -s)" = "Linux" ] && ! sysctl -n "kernel.core_pattern" | grep -xq "core.%p"; then
+		echo "I:*** kernel.core_pattern is not set to 'core.%p'"
+		echo "I:*** kyua may not be able to find core dumps for broken tests"
+	fi
+	if [ "$(uname -s)" = "FreeBSD" ] && ! sysctl -n "kern.corefile" | grep -xq "core.%P"; then
+		echo "I:*** kern.corefile is not set to 'core.%P'"
+		echo "I:*** kyua may not be able to find core dumps for broken tests"
+	fi
+	if grep '^#define USE_LIBTOOL 1$' "${TOP}/config.h" >/dev/null; then
+		# kyua debug command misidentifies broken binaries when libtool
+		# is used (see https://github.com/jmmv/kyua/issues/207).
+		# Here we try to "trick" kyua to use our custom gdb script instead
+		# of using gdb(1) directly. Hence this part needs to be run as root
+		# and, for safety reasons, only in the CI.
+		mv "${GDB}" "${GDB}.orig"
+		cp "${TOP}/unit/gdb" "${GDB}"
+	fi
+	i=1
+	for test in ${BROKEN_TESTS}; do
+		echo
+		echo "----- $test -----"
+		KYUA_DEBUG_LOG="kyua.debug.log.${i}"
+		${KYUA} debug "${test}" 2>&1 | tee "${KYUA_DEBUG_LOG}"
+		clear_kyua_work_dir "${KYUA_DEBUG_LOG}"
+		i=$((i + 1))
+	done
+	if grep '^#define USE_LIBTOOL 1$' "${TOP}/config.h" >/dev/null; then
+		mv "${GDB}.orig" "${GDB}"
+	fi
+fi
+
+if [ "${status}" -eq 0 ]
+then
+	rm -f kyua.log
+	echo "R:PASS"
+else
+	echo "R:FAIL:status:${status}"
+fi
+echo "E:unit:$(date)"
+
+exit ${status}
diff --git a/util/bindkeys.pl b/util/bindkeys.pl
new file mode 100755
index 0000000..085b6be
--- /dev/null
+++ b/util/bindkeys.pl
@@ -0,0 +1,49 @@
+#!/usr/bin/env perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+use strict;
+use warnings;
+
+my $lines;
+while (<>) {
+    chomp;
+    if (/\/\* .Id:.* \*\//) {
+	next;
+    }
+    s/\"/\\\"/g;
+    s/$/\\n\\/;
+    $lines .= $_ . "\n";
+}
+
+my $mkey = "#define TRUST_ANCHORS \\\n\t\"\\\n" . $lines . "\"\n";
+
+print <<END;
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+END
+
+print "#ifndef BIND_KEYS_H\n";
+print "#define BIND_KEYS_H 1\n";
+print $mkey;
+print "#endif /* BIND_KEYS_H */\n";
diff --git a/util/check-make-install.in b/util/check-make-install.in
new file mode 100644
index 0000000..94ab48c
--- /dev/null
+++ b/util/check-make-install.in
@@ -0,0 +1,62 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+abs_top_srcdir=@abs_top_srcdir@
+abs_builddir=@abs_builddir@
+prefix=@prefix@
+includedir=@includedir@
+install_dir="${DESTDIR}@prefix@"
+
+headers_to_install() {
+	find "${abs_top_srcdir}/lib" -name "*.h" -or -name "*.h.in" |
+		grep -v -F /win32/ |
+		sed -n \
+		    -e "s|\.h\.in$|\.h|" \
+		    -e "s|.*include/|${DESTDIR}${includedir}/|p" |
+		sort -u
+}
+
+status=0
+
+for header in $(headers_to_install); do
+	if [ ! -f "${header}" ]; then
+		echo "Missing $header"
+		status=1
+	fi
+done
+
+named_binary_path="${install_dir}/sbin/named"
+if [ ! -x "${named_binary_path}" ]; then
+	echo "ERROR: ${named_binary_path} does not exist or is not executable"
+	status=1
+fi
+
+named_man_page_path="${install_dir}/share/man/man8/named.8"
+if [ ! -f "${named_man_page_path}" ]; then
+	echo "ERROR: ${named_man_page_path} does not exist"
+	status=1
+fi
+
+if [ -n "${DESTDIR}" ]; then
+	for expected_subdir in bin etc include lib sbin share; do
+		echo "${install_dir}/${expected_subdir}" >> "${abs_builddir}/expected_dirs"
+	done
+	find "${install_dir}" -maxdepth 1 -mindepth 1 -type d | sort > "${abs_builddir}/existing_dirs"
+	if ! diff -u "${abs_builddir}/expected_dirs" "${abs_builddir}/existing_dirs"; then
+		echo "ERROR: Contents of DESTDIR do not match expectations"
+		status=1
+	fi
+	rm -f "${abs_builddir}/expected_dirs" "${abs_builddir}/existing_dirs"
+fi
+
+exit $status
diff --git a/util/mksymtbl.pl b/util/mksymtbl.pl
new file mode 100755
index 0000000..8747a2f
--- /dev/null
+++ b/util/mksymtbl.pl
@@ -0,0 +1,99 @@
+#!/usr/bin/env perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+use strict;
+use diagnostics;
+$^W = 1;
+
+my $rev = '$Id$';
+$rev =~ s/\$//g;
+$rev =~ s/,v//g;
+$rev =~ s/Id: //;
+
+use Getopt::Std;
+my %options;
+getopts('i:o:', \%options);
+
+my ($binname, $need_uscorefix, $outputfile, $nsyms, $ostype, $nm_prog);
+my %symmap;
+
+$binname = $ARGV[0];
+$need_uscorefix = 0;
+if ($options{'o'}) {
+	$outputfile = $options{'o'};
+} else {
+	$outputfile = "symtbl.c";
+}
+
+# OS-depending configuration
+$nm_prog = "nm";
+$ostype = `uname -s`;
+chop($ostype);
+
+if ($options{'i'}) {
+	open(SYMBOLS, $options{'i'}) || die "failed to open $options{'i'}";
+} else {
+	open(SYMBOLS, "$nm_prog $binname |") ||
+	    die "failed to invoke utility to get symbols";
+}
+open(TBLFILE, ">$outputfile") || die "failed to open output file: $outputfile";
+
+$nsyms = 0;
+while (<SYMBOLS>) {
+	my ($addr, $symbol) = (0, "");
+	# *BSDs, Linux, etc.
+	if (/([0-9a-f]*)\s[tT]\s(.*)/) {
+		($addr, $symbol) = ($1, $2);
+		# heuristics: some compilers add a "_" to all program
+		# defined symbols.  Detect and fix it for a well known
+		# symbol of "main".
+		$need_uscorefix = 1 if ($symbol eq "_main");
+	}
+	if ($symbol ne "") {
+		next if ($symmap{$addr});
+
+		$symmap{$addr} = $symbol;
+		$nsyms++;
+	}
+}
+
+sub lhex {
+	my $la = substr($a, -8);
+	my $lb = substr($b, -8);
+	my $ha = substr($a, 0, length($a) - length($la));
+	my $hb = substr($b, 0, length($b) - length($lb));
+	$ha = "0" if ($ha eq "");
+	$ha = "0" if ($hb eq "");
+	if (hex($ha) != hex($hb)) {
+		$la = $ha;
+		$lb = $hb;
+	}
+	hex($la) <=> hex($lb)
+}
+
+print TBLFILE "/*\n * Generated by $rev \n */\n";
+print TBLFILE "#include <isc/backtrace.h>\n";
+print TBLFILE "const int isc__backtrace_nsymbols = $nsyms;\n";
+print TBLFILE "const isc_backtrace_symmap_t isc__backtrace_symtable[] = {\n";
+foreach (sort lhex keys(%symmap)) {
+	my ($addr, $symbol) = ($_, $symmap{$_});
+	if ($need_uscorefix && $symbol =~ /^_(.*)/) {
+		$symbol = $1;
+	}
+	print TBLFILE "\t{ (void *)0x$addr, \"$symbol\" },\n";
+}
+print TBLFILE "\t{ (void *)0x0, \"\" },\n";
+print TBLFILE "};\n";
+
+close(TBLFILE);
+close(SYMBOLS);
diff --git a/version b/version
new file mode 100644
index 0000000..d5bc6d4
--- /dev/null
+++ b/version
@@ -0,0 +1,11 @@
+# This file must follow /bin/sh rules.  It is imported directly via
+# configure.
+#
+PRODUCT=BIND
+DESCRIPTION="(Extended Support Version)"
+MAJORVER=9
+MINORVER=16
+PATCHVER=44
+RELEASETYPE=
+RELEASEVER=
+EXTENSIONS=
diff --git a/win32utils/Configure b/win32utils/Configure
new file mode 100644
index 0000000..44afdae
--- /dev/null
+++ b/win32utils/Configure
@@ -0,0 +1,2778 @@
+#!/usr/bin/perl
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# Configure
+#
+# This script builds nmake and visual studio build files
+#
+
+require 5.000;
+use strict;
+use File::Spec;
+use Cwd;
+
+# files to configure
+
+my $configfile = "..\\config.h";
+my $platformfile = "..\\lib\\isc\\win32\\include\\isc\\platform.h";
+my $confshfile = "..\\bin\\tests\\system\\conf.sh";
+
+my @filelist = ("..\\bin\\python\\dnssec-checkds.py",
+                "..\\bin\\python\\dnssec-coverage.py",
+                "..\\bin\\python\\dnssec-keymgr.py",
+                "..\\bin\\python\\isc\\__init__.py",
+                "..\\bin\\python\\isc\\checkds.py",
+                "..\\bin\\python\\isc\\coverage.py",
+                "..\\bin\\python\\isc\\dnskey.py",
+                "..\\bin\\python\\isc\\eventlist.py",
+                "..\\bin\\python\\isc\\keydict.py",
+                "..\\bin\\python\\isc\\keyevent.py",
+                "..\\bin\\python\\isc\\keymgr.py",
+                "..\\bin\\python\\isc\\keyseries.py",
+                "..\\bin\\python\\isc\\keyzone.py",
+                "..\\bin\\python\\isc\\policy.py",
+                "..\\bin\\python\\isc\\rndc.py",
+                "..\\bin\\python\\isc\\tests\\dnskey_test.py",
+                "..\\bin\\python\\isc\\tests\\policy_test.py",
+                "..\\bin\\python\\isc\\utils.py",
+                "..\\lib\\dns\\win32\\libdns.def",
+                "..\\lib\\isc\\win32\\libisc.def");
+
+my @projectlist = ("..\\bin\\check\\win32\\checkconf.vcxproj",
+                   "..\\bin\\check\\win32\\checkconf.vcxproj.filters",
+                   "..\\bin\\check\\win32\\checktool.vcxproj",
+                   "..\\bin\\check\\win32\\checktool.vcxproj.filters",
+                   "..\\bin\\check\\win32\\checkzone.vcxproj",
+                   "..\\bin\\check\\win32\\checkzone.vcxproj.filters",
+                   "..\\bin\\confgen\\win32\\confgentool.vcxproj",
+                   "..\\bin\\confgen\\win32\\confgentool.vcxproj.filters",
+                   "..\\bin\\confgen\\win32\\ddnsconfgen.vcxproj",
+                   "..\\bin\\confgen\\win32\\ddnsconfgen.vcxproj.filters",
+                   "..\\bin\\confgen\\win32\\rndcconfgen.vcxproj",
+                   "..\\bin\\confgen\\win32\\rndcconfgen.vcxproj.filters",
+                   "..\\bin\\delv\\win32\\delv.vcxproj",
+                   "..\\bin\\delv\\win32\\delv.vcxproj.filters",
+                   "..\\bin\\dig\\win32\\dig.vcxproj",
+                   "..\\bin\\dig\\win32\\dig.vcxproj.filters",
+                   "..\\bin\\dig\\win32\\dighost.vcxproj",
+                   "..\\bin\\dig\\win32\\dighost.vcxproj.filters",
+                   "..\\bin\\dig\\win32\\host.vcxproj",
+                   "..\\bin\\dig\\win32\\host.vcxproj.filters",
+                   "..\\bin\\dig\\win32\\nslookup.vcxproj",
+                   "..\\bin\\dig\\win32\\nslookup.vcxproj.filters",
+                   "..\\bin\\dnssec\\win32\\cds.vcxproj",
+                   "..\\bin\\dnssec\\win32\\cds.vcxproj.filters",
+                   "..\\bin\\dnssec\\win32\\dnssectool.vcxproj",
+                   "..\\bin\\dnssec\\win32\\dnssectool.vcxproj.filters",
+                   "..\\bin\\dnssec\\win32\\dsfromkey.vcxproj",
+                   "..\\bin\\dnssec\\win32\\dsfromkey.vcxproj.filters",
+                   "..\\bin\\dnssec\\win32\\importkey.vcxproj",
+                   "..\\bin\\dnssec\\win32\\importkey.vcxproj.filters",
+                   "..\\bin\\dnssec\\win32\\keyfromlabel.vcxproj",
+                   "..\\bin\\dnssec\\win32\\keyfromlabel.vcxproj.filters",
+                   "..\\bin\\dnssec\\win32\\keygen.vcxproj",
+                   "..\\bin\\dnssec\\win32\\keygen.vcxproj.filters",
+                   "..\\bin\\dnssec\\win32\\revoke.vcxproj",
+                   "..\\bin\\dnssec\\win32\\revoke.vcxproj.filters",
+                   "..\\bin\\dnssec\\win32\\settime.vcxproj",
+                   "..\\bin\\dnssec\\win32\\settime.vcxproj.filters",
+                   "..\\bin\\dnssec\\win32\\signzone.vcxproj",
+                   "..\\bin\\dnssec\\win32\\signzone.vcxproj.filters",
+                   "..\\bin\\dnssec\\win32\\verify.vcxproj",
+                   "..\\bin\\dnssec\\win32\\verify.vcxproj.filters",
+                   "..\\bin\\named\\win32\\named.vcxproj",
+                   "..\\bin\\named\\win32\\named.vcxproj.filters",
+                   "..\\bin\\nsupdate\\win32\\nsupdate.vcxproj",
+                   "..\\bin\\nsupdate\\win32\\nsupdate.vcxproj.filters",
+                   "..\\bin\\pkcs11\\win32\\pk11destroy.vcxproj",
+                   "..\\bin\\pkcs11\\win32\\pk11destroy.vcxproj.filters",
+                   "..\\bin\\pkcs11\\win32\\pk11keygen.vcxproj",
+                   "..\\bin\\pkcs11\\win32\\pk11keygen.vcxproj.filters",
+                   "..\\bin\\pkcs11\\win32\\pk11list.vcxproj",
+                   "..\\bin\\pkcs11\\win32\\pk11list.vcxproj.filters",
+                   "..\\bin\\pkcs11\\win32\\pk11tokens.vcxproj",
+                   "..\\bin\\pkcs11\\win32\\pk11tokens.vcxproj.filters",
+                   "..\\bin\\rndc\\win32\\rndc.vcxproj",
+                   "..\\bin\\rndc\\win32\\rndc.vcxproj.filters",
+                   "..\\bin\\rndc\\win32\\rndcutil.vcxproj",
+                   "..\\bin\\rndc\\win32\\rndcutil.vcxproj.filters",
+                   "..\\bin\\tools\\win32\\arpaname.vcxproj",
+                   "..\\bin\\tools\\win32\\arpaname.vcxproj.filters",
+                   "..\\bin\\tools\\win32\\journalprint.vcxproj",
+                   "..\\bin\\tools\\win32\\journalprint.vcxproj.filters",
+                   "..\\bin\\tools\\win32\\mdig.vcxproj",
+                   "..\\bin\\tools\\win32\\mdig.vcxproj.filters",
+                   "..\\bin\\tools\\win32\\nsec3hash.vcxproj",
+                   "..\\bin\\tools\\win32\\nsec3hash.vcxproj.filters",
+                   "..\\bin\\tools\\win32\\rrchecker.vcxproj",
+                   "..\\bin\\tools\\win32\\rrchecker.vcxproj.filters",
+                   "..\\bin\\tests\\system\\win32\\bigkey.vcxproj",
+                   "..\\bin\\tests\\system\\win32\\bigkey.vcxproj.filters",
+                   "..\\bin\\tests\\system\\win32\\feature-test.vcxproj",
+                   "..\\bin\\tests\\system\\win32\\feature-test.vcxproj.filters",
+                   "..\\bin\\tests\\system\\win32\\gencheck.vcxproj",
+                   "..\\bin\\tests\\system\\win32\\gencheck.vcxproj.filters",
+                   "..\\bin\\tests\\system\\win32\\keycreate.vcxproj",
+                   "..\\bin\\tests\\system\\win32\\keycreate.vcxproj.filters",
+                   "..\\bin\\tests\\system\\win32\\keydelete.vcxproj",
+                   "..\\bin\\tests\\system\\win32\\keydelete.vcxproj.filters",
+                   "..\\bin\\tests\\system\\win32\\pipequeries.vcxproj",
+                   "..\\bin\\tests\\system\\win32\\pipequeries.vcxproj.filters",
+                   "..\\bin\\tests\\system\\win32\\resolve.vcxproj",
+                   "..\\bin\\tests\\system\\win32\\resolve.vcxproj.filters",
+                   "..\\bin\\tests\\win32\\backtrace_test.vcxproj",
+                   "..\\bin\\tests\\win32\\backtrace_test.vcxproj.filters",
+                   "..\\bin\\tests\\win32\\inter_test.vcxproj",
+                   "..\\bin\\tests\\win32\\inter_test.vcxproj.filters",
+                   "..\\bin\\tests\\win32\\makejournal.vcxproj",
+                   "..\\bin\\tests\\win32\\makejournal.vcxproj.filters",
+                   "..\\bin\\tests\\win32\\rwlock_test.vcxproj",
+                   "..\\bin\\tests\\win32\\rwlock_test.vcxproj.filters",
+                   "..\\bin\\tests\\win32\\shutdown_test.vcxproj",
+                   "..\\bin\\tests\\win32\\shutdown_test.vcxproj.filters",
+                   "..\\bin\\tests\\win32\\sock_test.vcxproj",
+                   "..\\bin\\tests\\win32\\sock_test.vcxproj.filters",
+                   "..\\bin\\tests\\win32\\task_test.vcxproj",
+                   "..\\bin\\tests\\win32\\task_test.vcxproj.filters",
+                   "..\\bin\\tests\\win32\\timer_test.vcxproj",
+                   "..\\bin\\tests\\win32\\timer_test.vcxproj.filters",
+                   "..\\bin\\tests\\win32\\inter_test.vcxproj",
+                   "..\\bin\\tests\\win32\\inter_test.vcxproj.filters",
+                   "..\\bin\\tests\\win32\\rwlock_test.vcxproj",
+                   "..\\bin\\tests\\win32\\rwlock_test.vcxproj.filters",
+                   "..\\bin\\tests\\win32\\shutdown_test.vcxproj",
+                   "..\\bin\\tests\\win32\\shutdown_test.vcxproj.filters",
+                   "..\\bin\\tests\\win32\\sock_test.vcxproj",
+                   "..\\bin\\tests\\win32\\sock_test.vcxproj.filters",
+                   "..\\bin\\tests\\win32\\task_test.vcxproj",
+                   "..\\bin\\tests\\win32\\task_test.vcxproj.filters",
+                   "..\\bin\\tests\\win32\\timer_test.vcxproj",
+                   "..\\bin\\tests\\win32\\timer_test.vcxproj.filters",
+                   "..\\bin\\win32\\BINDInstall\\BINDInstall.vcxproj",
+                   "..\\bin\\win32\\BINDInstall\\BINDInstall.vcxproj.filters",
+                   "..\\lib\\bind9\\win32\\libbind9.vcxproj",
+                   "..\\lib\\bind9\\win32\\libbind9.vcxproj.filters",
+                   "..\\lib\\dns\\win32\\gen.vcxproj",
+                   "..\\lib\\dns\\win32\\gen.vcxproj.filters",
+                   "..\\lib\\dns\\win32\\libdns.vcxproj",
+                   "..\\lib\\dns\\win32\\libdns.vcxproj.filters",
+                   "..\\lib\\irs\\win32\\libirs.vcxproj",
+                   "..\\lib\\irs\\win32\\libirs.vcxproj.filters",
+                   "..\\lib\\isc\\win32\\libisc.vcxproj",
+                   "..\\lib\\isc\\win32\\libisc.vcxproj.filters",
+                   "..\\lib\\isccc\\win32\\libisccc.vcxproj",
+                   "..\\lib\\isccc\\win32\\libisccc.vcxproj.filters",
+                   "..\\lib\\isccfg\\win32\\libisccfg.vcxproj",
+                   "..\\lib\\isccfg\\win32\\libisccfg.vcxproj.filters",
+                   "..\\lib\\ns\\win32\\libns.vcxproj",
+                   "..\\lib\\win32\\bindevt\\bindevt.vcxproj",
+                   "..\\lib\\win32\\bindevt\\bindevt.vcxproj.filters",
+                   "bind9.sln");
+
+# for config.h
+
+my %configdefh;
+
+my @substdefh = ("CONFIGARGS",
+                 "DNS_RDATASET_FIXED",
+                 "HAVE_GEOIP2",
+                 "HAVE_LIBXML2",
+                 "USE_BACKTRACE",
+                 "USE_OPENSSL",
+                 "USE_PKCS11",
+                 "HAVE_READLINE",
+                 "HAVE_ZLIB",
+                 "ISC_LIST_CHECKINIT",
+                 "TUNE_LARGE",
+                 "WANT_QUERYTRACE",
+                 "WITH_IDN",
+                 "CPU_RELAX",
+                 "VALIDATION_DEFAULT",
+    );
+
+# for platform.h
+
+my %configdefp;
+
+my @substdefp = ();
+
+# for conf.sh
+
+my %configtest;
+
+my @substtest = ("CHECKDS",
+                 "COVERAGE",
+                 "CRYPTO",
+                 "DNSTAP",
+                 "FSTRM_CAPTURE",
+                 "JSONSTATS",
+                 "KEYMGR",
+                 "NZD_TOOLS",
+                 "XMLSTATS",
+                 "ZLIB"),
+
+# includes
+
+my %configinc;
+
+my @substinc = ("GSSAPI_INC",
+                "GEOIP_INC",
+                "IDN_INC",
+                "LIBXML2_INC",
+                "LIBUV_INC",
+                "OPENSSL_INC",
+                "READLINE_INC",
+                "ZLIB_INC");
+
+# libraries
+
+my %configlib;
+
+my @substlib = ("GSSAPI_LIB",
+                "GEOIP_LIB",
+                "IDN_LIB",
+                "KRB5_LIB",
+                "LIBXML2_LIB",
+                "LIBUV_LIB",
+                "OPENSSL_LIBCRYPTO",
+                "OPENSSL_LIBSSL",
+                "READLINE_LIB",
+                "READLINE_LIBD",
+                "ZLIB_LIB");
+
+# DLLs
+
+my %configdll;
+
+my @substdll = ("COMERR_DLL",
+                "GSSAPI_DLL",
+                "ICONV_DLL",
+                "IDN_DLL",
+                "KRB5_DLL",
+                "K5SPRT_DLL",
+                "LIBXML2_DLL",
+                "LIBUV_DLL",
+                "OPENSSL_DLLCRYPTO",
+                "OPENSSL_DLLSSL",
+                "WSHELP_DLL",
+                "ZLIB_DLL");
+
+# variables
+
+my %configvar = (
+	"TOOLS_VERSION" => "4.0",
+);
+
+my @substvar = ("BIND9_VERSION",
+                "BUILD_MACHINE",
+                "BUILD_PLATFORM",
+                "COPTI",
+                "COPTML",
+                "COPTMLD",
+                "COPTX",
+                "COPTY",
+                "DLZ_SYSTEM_TEST",
+                "EXEEXT",
+                "expanded_sysconfdir",
+                "INTRINSIC",
+                "MACHINE",
+                "OPENSSL_PATH",
+                "PLATFORM",
+                "PKCS11_TOOLS",
+                "PLATFORM_TOOLSET",
+                "prefix",
+                "PSSUSPEND",
+                "PYTHON",
+                "PYTHON_INSTALL_DIR",
+                "TOOLS_VERSION",
+                "VCREDIST_PATH",
+                "WINDOWS_TARGET_PLATFORM_VERSION"),
+
+# defines
+
+my %configdefd;
+
+my @substdefd = ("PK11_LIB_LOCATION",
+                 "USE_GSSAPI",
+                 "USE_PYTHON");
+
+# conditions
+
+my %configcond;
+
+my @substcond = ("ATOMIC",
+                 "GSSAPI",
+                 "GEOIP",
+                 "IDNKIT",
+                 "LIBXML2",
+                 "OPENSSL",
+                 "PKCS11",
+                 "PYTHON",
+                 "STESTS",
+                 "TESTS",
+                 "XTESTS",
+                 "ZLIB");
+
+my @allcond = (@substcond, "NOTYET", "NOLONGER");
+
+# arguments
+
+# enable-xxx/disable-xxx
+
+my @enablelist = ("developer",
+                  "fixed-rrset",
+                  "intrinsics",
+                  "native-pkcs11",
+                  "openssl-hash",
+                  "querytrace");
+
+# with-xxx/without-xxx
+
+my @withlist = ("aes",
+                "cross-compile",
+                "extra-tests",
+                "gssapi",
+                "geoip2",
+                "iconv",
+                "idn",
+                "openssl",
+                "libxml2",
+                "pkcs11",
+                "pssuspend",
+                "python",
+                "readline",
+                "system-tests",
+                "tests",
+                "tuning",
+                "libuv",
+                "vcredist",
+                "zlib");
+
+# general arguments
+
+my @optionlist = ("help", "verbose", "legacy", "win32", "x64", "clean");
+
+# usage
+
+my @usage = ("Usage: perl Configure help\n",
+             "       perl Configure options* win32|x64\n",
+             "       perl Configure clean\n");
+
+# help
+
+my @help = (
+"'Configure' configures BIND9 build files.\n\n",
+@usage,
+"\nGeneral Options and Commands:\n",
+"  verbose               (options) print messages\n",
+"  help                  (command) print this help\n",
+"  win32                 (command) configure for Win32 platform\n",
+"  x64                   (command) configure for x64 platform\n",
+"  clean                 (command) clean up generated files\n",
+"  <none>                (command) print a summary of the configuration\n",
+"\nOptional Features:\n",
+"  enable-intrinsics     enable intrinsic/atomic functions [default=yes]\n",
+"  enable-native-pkcs11  use native PKCS#11 for all crypto [default=no]\n",
+"  enable-openssl-hash   use OpenSSL for hash functions [default=yes]\n",
+"  enable-fixed-rrset    enable fixed rrset ordering [default=no]\n",
+"  enable-developer      enable developer build settings [default=no]\n",
+"  enable-querytrace     enable very verbose query trace [default=no]\n",
+"\nOptional Packages:\n",
+"  with-tests            build with test suite\n",
+"  with-extra-tests      build with extra test suite\n",
+"  with-system-tests     build with system test suite\n",
+"  with-openssl[=PATH]   build with OpenSSL yes|path (mandatory)\n",
+"  with-libuv[=PATH]     build with libuv yes|path (mandatory)\n",
+"  with-pkcs11[=PATH]    build with PKCS#11 support yes|no|provider-path\n",
+"  with-gssapi[=PATH]    build with MIT KfW GSSAPI yes|no|path\n",
+"  with-libxml2[=PATH]   build with libxml2 library yes|no|path\n",
+"  with-geoip2[=PATH]    build with GeoIP2 support yes|no|path\n",
+"  with-pssuspend[=COMMAND] specify pssuspend command\n",
+"  with-python[=COMMAND] specify python interpreter python|command\n",
+"  with-readline[=PATH]  build with readline library support yes|no|path\n",
+"  with-idn[=PATH]       build with IDN kit support yes|no|path\n",
+"  with-iconv[=PATH]     path of the iconv DLL [default=same than idn]\n",
+"  with-zlib[=PATH]      build with zlib library yes|no|path\n",
+"  with-vcredist[=PATH]  visual C++ redistributable package yes|path\n",
+"  with-tuning=OPTION    tune for platform size (small|default)\n",
+"  with-cross-compile    32 / 64 bit build / host platforms\n",
+"\nOptional Visual Studio project parameters:\n",
+"  with-tools-version=VERSION     set the ToolsVersion attribute to VERSION\n",
+"  with-platform-toolset=VERSION  use supplied toolset VERSION for building\n",
+"  with-platform-version=VERSION  use supplied Windows SDK VERSION for building\n");
+
+# Parse arguments
+
+my $verbose = 0;
+my $legacy_only = 0;
+my $want_help = "no";
+my $want_win32 = "no";
+my $want_x64 = "no";
+my $want_clean = "no";
+my $want_unknown = "no";
+my $unknown_value;
+my $enable_intrinsics = "yes";
+my $cryptolib = "";
+my $enable_native_pkcs11 = "no";
+my $enable_crypto_rand = "yes";
+my $enable_fixed_rrset = "no";
+my $enable_developer = "no";
+my $enable_querytrace = "no";
+my $enable_rpz_nsip = "yes";
+my $enable_rpz_nsdname = "yes";
+my $use_tests = "no";
+my $use_xtests = "no";
+my $use_stests = "no";
+my $use_libuv = "auto";
+my $libuv_path = "..\\..\\";
+my $use_openssl = "auto";
+my $openssl_path = "..\\..\\";
+my $use_pkcs11 = "no";
+my $pkcs11_path = "unknown";
+my $use_aes = "auto";
+my $use_gssapi = "no";
+my $validation_default = "auto";
+my $gssapi_path = "C:\\Program\ Files\\MIT\\Kerberos\\";
+my $use_geoip2 = "no";
+my $geoip2_path = "";
+my $use_libxml2 = "auto";
+my $libxml2_path = "..\\..\\";
+my $with_pssuspend = "no";
+my $pssuspend_command = "pssuspend.exe";
+my $use_python = "auto";
+my $python_command = "python.exe";
+my $use_readline = "no";
+my $readline_path = "..\\..\\";
+my $use_idn = "no";
+my $idn_path = "..\\..\\";
+my $iconv_path = " --idn-- ";
+my $use_zlib = "no";
+my $zlib_path = "..\\..\\";
+my $use_vcredist = "yes";
+my $vcredist_path = " --infer-- ";
+my $cross_compile = "no";
+my $tuning = "default";
+my $want_checkfiles = "no";
+
+# no arguments -> usage
+
+if ($#ARGV < 0) {
+    foreach (@usage) {
+        print $_;
+    }
+    exit 1;
+}
+
+# parse arguments
+
+foreach (@ARGV) {
+    if (/^verbose$/i) {
+        $verbose = 1;
+    } elsif (/^help$/i) {
+        $want_help = "yes";
+    } elsif (/^disable-(.*)$/i) {
+        appargs($_);
+        myenable($1, "no");
+    } elsif (/^enable-(.*)$/i) {
+        appargs($_);
+        myenable($1, "yes");
+    } elsif (/^without-(.*)$/i) {
+        appargs($_);
+        mywith($1, "no");
+    } elsif (/^with-(.*)=(.*)$/i) {
+        appargs($_);
+        mywith($1, $2);
+    } elsif (/^with-(.*)$/i) {
+        appargs($_);
+        mywith($1, "yes");
+    } elsif (/^legacy$/i) {
+        $legacy_only = 1;
+    } elsif (/^win32$/i) {
+        $want_win32 = "yes";
+    } elsif (/^x64$/i) {
+        appargs($_);
+        $want_x64 = "yes";
+    } elsif (/^clean$/i) {
+        $want_clean = "yes";
+    } elsif (/^checkfiles$/i) {
+        $want_checkfiles = "yes";
+    } else {
+        $want_unknown = "yes";
+        $unknown_value = $_;
+    }
+}
+
+# old legacy mode
+
+if ($legacy_only) {
+    print "legacy mode is obsolete (so ignored)\n";
+}
+
+if ($want_checkfiles eq "yes") {
+        my $status=0;
+        foreach (@filelist) {
+                my $name = $_;
+                $name =~ s/\\/\\\\/g;
+                next if -r $_ . ".in";
+                s/\\/\//g;
+                next if -r $_ . ".in";
+                print "remove '$name' from filelist in win32utils/Configure or add to repository\n";
+                $status = 1;
+        }
+        foreach (@projectlist) {
+                my $name = $_;
+                $name =~ s/\\/\\\\/g;
+                next if -r $_ . ".in";
+                s/\\/\//g;
+                next if -r $_ . ".in";
+                print "remove '$name' from projectlist in win32utils/Configure or add to repository\n";
+                $status = 1;
+        }
+        exit($status);
+}
+
+# configure the platform
+
+if (($want_win32 eq "yes") && ($want_x64 eq "yes")) {
+    die "can't ask for both Win32 and x64 platforms\n";
+} elsif ($want_win32 eq "yes") {
+    $configvar{"PLATFORM"} = "Win32";
+    $configvar{"BUILD_PLATFORM"} = "Win32";
+    $configvar{"MACHINE"} = "/machine:X86";
+    $configvar{"BUILD_MACHINE"} = "/machine:X86";
+} elsif ($want_x64 eq "yes") {
+    $configvar{"PLATFORM"} = "x64";
+    $configvar{"BUILD_PLATFORM"} = "x64";
+    $configvar{"MACHINE"} = "/machine:X64";
+    $configvar{"BUILD_MACHINE"} = "/machine:X64";
+}
+# Standard configure variable
+$configvar{"EXEEXT"} = ".exe";
+
+# get the version information
+
+my %Versions;
+
+sub getversion {
+    my $data;
+    my $name;
+    my $value;
+    my $version;
+
+    open V, "..\\version" || die $!;
+    while (<V>) {
+        chomp;
+        ($data) = split(/\#/);
+        if ($data) {
+            ($name, $value) = split(/=/, $data);
+            ($name) = split(/\s+/, $name);
+            if ($name eq 'PRODUCT' || $name eq 'DESCRIPTION') {
+                ($value) =~ s/^["\s]+//;
+                ($value) =~ s/["\s]+$//;
+            } else {
+                ($value) = split(/\s+/, $value);
+            }
+            $Versions{$name} = $value;
+        }
+    }
+    close V;
+
+    $version = "$Versions{'MAJORVER'}.$Versions{'MINORVER'}";
+    if ($Versions{'PATCHVER'} ne "") {
+        $version = "$version.$Versions{'PATCHVER'}";
+    }
+    $version = "$version$Versions{'RELEASETYPE'}$Versions{'RELEASEVER'}";
+    $version = "$version$Versions{'EXTENSIONS'}";
+    $configvar{"BIND9_VERSION"} = "$version";
+}
+
+getversion();
+
+# append seen args to CONFIGARGS define
+
+sub appargs {
+    my $arg = $_[0];
+    # escape backslashes and double quotes
+    $arg =~ s/([\\"])/\\$1/g;
+    $arg =~ s/([\s])/\\\\$1/g;
+    if (defined($configdefh{"CONFIGARGS"})) {
+        $configdefh{"CONFIGARGS"} .= " " . $arg;
+    } else {
+        $configdefh{"CONFIGARGS"} = $arg;
+    }
+}
+
+if (!$configdefh{"CONFIGARGS"}) {
+    # CONFIGARGS default is "default"
+    $configdefh{"CONFIGARGS"} = "\"default\"";
+} else {
+    my $val = $configdefh{"CONFIGARGS"};
+    $configdefh{"CONFIGARGS"} = "\"'$val'\"";
+}
+
+# parse enable/disable
+
+sub myenable {
+    my $key = $_[0];
+    my $val = $_[1];
+
+    if ($key =~ /^intrinsics$/i) {
+        if ($val =~ /^no$/i) {
+            $enable_intrinsics = "no";
+        }
+    } elsif ($key =~ /^native-pkcs11$/i) {
+        if ($val =~ /^yes$/i) {
+            $enable_native_pkcs11 = "yes";
+        }
+    } elsif ($key =~ /^fixed-rrset$/i) {
+        if ($val =~ /^yes$/i) {
+            $enable_fixed_rrset = "yes";
+        }
+    } elsif ($key =~ /^developer$/i) {
+        if ($val =~ /^yes$/i) {
+            $enable_developer = "yes";
+        }
+    } elsif ($key =~ /^querytrace$/i) {
+        if ($val =~ /^yes$/i) {
+            $enable_querytrace = "yes";
+        }
+    } elsif ($key =~ /^auto-validation$/i) {
+        if ($val =~ /^no$/i) {
+            $validation_default = "yes";
+        }
+    } else {
+        $want_unknown = "yes";
+        if ($val eq "no") {
+            $unknown_value = "disable-" . $key;
+        } else {
+            $unknown_value = "enable-". $key;
+        }
+    }
+}
+
+# enable-developer expansion now
+
+if ($enable_developer eq "yes") {
+    $configdefh{"ISC_LIST_CHECKINIT"} = 1;
+    $enable_querytrace = "yes";
+    # no atf on WIN32
+    $enable_fixed_rrset = "yes";
+    # TODO: dlz filesystem
+    $use_tests = "yes";
+    $use_xtests = "yes";
+    $use_stests = "yes";
+}
+
+# parse with/without
+
+sub mywith {
+    my $key = $_[0];
+    my $val = $_[1];
+
+    if ($key =~ /^tests$/i) {
+        if ($val =~ /^yes$/i) {
+            $use_tests = "yes";
+        }
+    } elsif ($key =~ /^extra-tests$/i) {
+        if ($val =~ /^yes$/i) {
+            $use_tests = "yes";
+            $use_xtests = "yes";
+        }
+    } elsif ($key =~ /^system-tests$/i) {
+        if ($val =~ /^yes$/i) {
+            $use_tests = "yes";
+            $use_stests = "yes";
+        }
+    } elsif ($key =~ /^openssl$/i) {
+        if ($val =~ /^no$/i) {
+            die "OpenSSL support is now mandatory\n";
+        } elsif ($val !~ /^yes$/i) {
+            $use_openssl = "yes";
+            $openssl_path = $val;
+        }
+    } elsif ($key =~ /^libuv$/i) {
+        if ($val =~ /^no$/i) {
+            die "libuv is required\n";
+        } elsif ($val !~ /^yes$/i) {
+            $use_libuv = "yes";
+            $libuv_path = $val;
+        }
+    } elsif ($key =~ /^pkcs11$/i) {
+        if ($val =~ /^yes$/i) {
+            $use_pkcs11 = "yes";
+        } elsif ($val !~ /^no$/i) {
+            $use_pkcs11= "yes";
+            $pkcs11_path = $val;
+            $pkcs11_path =~ s/\.dll$//i;
+        }
+    } elsif ($key =~ /^aes$/i) {
+        if ($val =~ /^no$/i) {
+            $use_aes = "no";
+        } elsif ($val =~ /^yes$/i) {
+            $use_aes = "yes";
+        }
+    } elsif ($key =~ /^gssapi$/i) {
+        if ($val !~ /^no$/i) {
+            $use_gssapi = "yes";
+            if ($val !~ /^yes$/i) {
+                $gssapi_path = $val;
+            }
+        }
+    } elsif ($key =~ /^libxml2$/i) {
+        if ($val =~ /^no$/i) {
+            $use_libxml2 = "no";
+        } elsif ($val !~ /^yes$/i) {
+            $use_libxml2 = "yes";
+            $libxml2_path = $val;
+        }
+    } elsif ($key =~ /^geoip2$/i) {
+        if ($val !~ /^no$/i) {
+            $use_geoip2 = "yes";
+            if ($val !~ /^yes$/i) {
+                $geoip2_path = $val;
+            } else {
+                $geoip2_path = "..\\..\\GeoIP2";
+            }
+        }
+    } elsif ($key =~ /^readline$/i) {
+        if ($val !~ /^no$/i) {
+            $use_readline = "yes";
+            if ($val !~ /^yes$/i) {
+                $readline_path = $val;
+            }
+        }
+    } elsif ($key =~ /^idn$/i) {
+        if ($val !~ /^no$/i) {
+            $use_idn = "yes";
+            if ($val !~ /^yes$/i) {
+                $idn_path = $val;
+            }
+        }
+    } elsif ($key =~ /^iconv$/i) {
+        if ($val =~ /^no$/i) {
+            $want_unknown = "yes";
+            $unknown_value = "without-iconv doesn't make sense)";
+        } elsif ($val !~ /^yes$/i) {
+            $iconv_path = $val;
+        }
+    } elsif ($key =~ /^zlib$/i) {
+        if ($val !~ /^no$/i) {
+            $use_zlib = "yes";
+            if ($val !~ /^yes$/i) {
+                $zlib_path = $val;
+            }
+        }
+    } elsif ($key =~ /^pssuspend$/i) {
+        if ($val =~ /^no$/i) {
+            $with_pssuspend = "no";
+        } else {
+            if ($val !~ /^yes$/i) {
+                $pssuspend_command = $val;
+            }
+        }
+    } elsif ($key =~ /^python$/i) {
+        if ($val =~ /^no$/i) {
+            $use_python = "no";
+        } else {
+            $use_python = "yes";
+            if ($val !~ /^yes$/i) {
+                $python_command = $val;
+            }
+        }
+    } elsif ($key =~ /^vcredist$/i) {
+        if ($val =~ /^no$/i) {
+            $want_unknown = "yes";
+            $unknown_value = "without-vcredist (vcredist is required)";
+        } elsif ($val !~ /^yes$/i) {
+            $vcredist_path = $val;
+        }
+    } elsif ($key =~ /^cross-compile$/i) {
+        if ($val =~ /^yes$/i) {
+            $cross_compile = "yes";
+        }
+    } elsif ($key =~ /^tuning$/i) {
+        if ($val =~ /^small$/i) {
+            $tuning = "small";
+        }
+    } elsif ($key =~ /^tools-version$/i) {
+        $configvar{"TOOLS_VERSION"} = $val;
+    } elsif ($key =~ /^platform-version$/i) {
+        $configvar{"WINDOWS_TARGET_PLATFORM_VERSION"} = "<WindowsTargetPlatformVersion>$val</WindowsTargetPlatformVersion>";
+    } elsif ($key =~ /^platform-toolset$/i) {
+        $configvar{"PLATFORM_TOOLSET"} = "<PlatformToolset>$val</PlatformToolset>";
+    } else {
+        $want_unknown = "yes";
+        if ($val eq "no") {
+            $unknown_value = "without-" . $key;
+        } else {
+            $unknown_value = "with-" . $key;
+        }
+    }
+}
+
+if ($want_help ne "no") {
+    foreach (@help) {
+        print $_;
+    }
+    exit 1;
+}
+
+# clean up and exit if requested
+if ($want_clean eq "yes") {
+    my $file;
+
+    unlink($configfile);
+    unlink($platformfile);
+    unlink($confshfile);
+
+    foreach $file (@filelist) {
+        unlink($file);
+    }
+
+    foreach $file (@projectlist) {
+        unlink($file);
+    }
+
+    exit 0;
+}
+
+if ($want_unknown ne "no") {
+    print STDERR "can't parse $unknown_value\n";
+    exit 1;
+}
+
+if ($verbose) {
+    if ($want_win32 eq "yes") {
+        print "configure for win32\n";
+    }
+    if ($want_x64 eq "yes") {
+        print "configure for x64\n";
+    }
+    if ($cross_compile eq "yes") {
+        print "cross compiling";
+        if ($want_x64 eq "yes") {
+            print ": build on win32 for x64 host\n";
+        } elsif ($want_win32 eq "yes") {
+            print ": build on x64 for win32 host\n";
+        } else {
+            print "\n";
+        }
+    }
+    if ($enable_intrinsics eq "yes") {
+        print "intrinsics: enabled\n";
+    } else {
+        print "intrinsics: disabled\n";
+    }
+    if ($enable_native_pkcs11 eq "yes") {
+        print "native-pkcs11: enabled\n";
+    } else {
+        print "native-pkcs11: disabled\n";
+    }
+    print "openssl-hash: enabled\n";
+    if ($enable_fixed_rrset eq "yes") {
+        print "fixed-rrset: enabled\n";
+    } else {
+        print "fixed-rrset: disabled\n";
+    }
+    if ($enable_developer eq "yes") {
+        print "developer: enabled\n";
+    } else {
+        print "developer: disabled\n";
+    }
+    if ($enable_querytrace eq "yes") {
+        print "querytrace: enabled\n";
+    } else {
+        print "querytrace: disabled\n";
+    }
+    print "libuv-path: $libuv_path\n";
+    print "openssl-path: $openssl_path\n";
+    if ($use_tests eq "yes") {
+        print "tests: enabled\n";
+    }
+    if ($use_xtests eq "yes") {
+        print "extra tests: enabled\n";
+    }
+    if ($use_stests eq "yes") {
+        print "system tests: enabled\n";
+    }
+    if ($use_pkcs11 eq "no") {
+        print "pkcs11: disabled\n";
+    } else {
+        print "pkcs11-provider-path: $pkcs11_path\n";
+    }
+    if ($use_aes eq "no") {
+        print "aes: disabled\n";
+    } else {
+        print "aes: enabled\n";
+    }
+    if ($use_gssapi eq "no") {
+        print "gssapi: disabled\n";
+    } else {
+        print "gssapi-path: $gssapi_path\n";
+    }
+    if ($use_libxml2 eq "no") {
+        print "libxml2: disabled\n";
+    } else {
+        print "libxml2-path: $libxml2_path\n";
+    }
+    if ($use_geoip2 eq "no") {
+        print "geoip2: disabled\n";
+    } else {
+        print "geoip2-path: $geoip2_path\n";
+    }
+    if ($use_readline eq "no") {
+        print "readline: disabled\n";
+    } else {
+        print "readline-path: $readline_path\n";
+    }
+    if ($use_idn eq "no") {
+        print "idn: disabled\n";
+    } else {
+        print "idn-path: $idn_path\n";
+        if ($iconv_path ne " --idn-- ") {
+            print "iconv-path: $iconv_path\n";
+        }
+    }
+    if ($use_zlib eq "no") {
+        print "zlib: disabled\n";
+    } else {
+        print "zlib-path: $zlib_path\n";
+    }
+    if ($with_pssuspend eq "no") {
+        print "pssuspend: disabled\n";
+    } else {
+        print "pssuspend-command: $pssuspend_command\n";
+    }
+    if ($use_python eq "no") {
+        print "python: disabled\n";
+    } else {
+        print "python-command: $python_command\n";
+    }
+    print "vcredist-path: $vcredist_path\n";
+}
+
+# Check environment
+
+# infer vcredist when not given
+if ($vcredist_path eq " --infer-- ") {
+    if ($verbose) {
+        print "trying to infer vcredist path from build environment\n";
+    }
+
+    my @vcpaths = {};
+    push(@vcpaths, $ENV{"VCRedistPath"}) if ($ENV{"VCRedistPath"} ne "");
+    push(@vcpaths, File::Spec->catfile( cwd(), "..", ".." ));
+
+    if ($ENV{"FrameworkSDKDir"} ne "" && $want_win32 eq "yes") {
+        push(@vcpaths, File::Spec->catfile($ENV{"FrameworkSDKDir"},
+                                           "BootStrapper", "Packages",
+                                           "vcredist_x86"));
+    } elsif ($ENV{"FrameworkSDKDir"} ne "" && $want_x64 eq "yes") {
+        push(@vcpaths, File::Spec->catfile($ENV{"FrameworkSDKDir"},
+                                           "BootStrapper", "Packages",
+                                           "vcredist_x64"));
+    }
+
+    if ($ENV{"WindowsSDKDir"} ne "" && $want_win32 eq "yes") {
+        push(@vcpaths, File::Spec->catfile($ENV{"WindowsSDKDir"},
+                                           "BootStrapper", "Packages",
+                                           "vcredist_x86"));
+    } elsif ($ENV{"WindowsSDKDir"} ne "" && $want_x64 eq "yes") {
+        push(@vcpaths, File::Spec->catfile($ENV{"WindowsSDKDir"},
+                                           "BootStrapper", "Packages",
+                                           "vcredist_x64"));
+    }
+
+    if ($ENV{"WindowsSDKDir_old"} ne "" && $want_win32 eq "yes") {
+        push(@vcpaths, File::Spec->catfile($ENV{"WindowsSDKDir_old"},
+                                           "BootStrapper", "Packages",
+                                           "vcredist_x86"));
+    } elsif ($ENV{"WindowsSDKDir_old"} ne "" && $want_x64 eq "yes") {
+        push(@vcpaths, File::Spec->catfile($ENV{"WindowsSDKDir_old"},
+                                           "BootStrapper", "Packages",
+                                           "vcredist_x64"));
+    }
+
+    if ($ENV{"VCINSTALLDIR"}) {
+        push(@vcpaths, File::Spec->catfile($ENV{"VCINSTALLDIR"},
+                                           "redist", "1033"));
+    }
+
+    # 'VCToolsRedistDir' is available since Visual Studio 2017.
+    if ($ENV{"VCToolsRedistDir"}) {
+        push(@vcpaths, $ENV{"VCToolsRedistDir"});
+    }
+
+    my $rfile;
+    if ($want_win32 eq "yes") {
+        $rfile = "vcredist_x86.exe";
+    } else {
+        $rfile = "vcredist_x64.exe";
+    }
+
+    foreach (@vcpaths) {
+        my $vp = File::Spec->catfile($_, $rfile);
+        if (-f $vp) {
+            $vcredist_path = $vp;
+            last;
+        }
+    }
+
+    if ($vcredist_path eq " --infer-- ") {
+        die "with-vcredist is REQUIRED\n";
+    }
+
+    if ($verbose) {
+        print "found vcredist at " . $vcredist_path . "\n";
+    }
+}
+
+my $msc_ver = 0;
+
+open F, ">mscver.c" || die $!;
+print F << 'EOF';
+#include <windows.h>
+#include <stdio.h>
+
+int
+main(void)
+{
+        printf("%d\n", _MSC_VER);
+        return(0);
+}
+EOF
+close F;
+my $compret = `cl /nologo /MD mscver.c`;
+if (grep { -f and -x } ".\\mscver.exe") {
+    $msc_ver = `.\\mscver.exe`;
+} else {
+    die "can't get _MSC_VER value: $compret\n";
+}
+if ($verbose) {
+    print "_MSC_VER == $msc_ver\n";
+}
+if ($msc_ver < 1600) {
+    print STDERR "too old version of C++ compiler/Visual Studio\n";
+    exit 1;
+}
+
+# gen single threaded for < VS 2005
+
+if ($msc_ver < 1400) {
+    $configvar{"COPTML"} = "/ML";
+    $configvar{"COPTMLD"} = "/MLD";
+}
+
+# /GX deprecated in VS 2005
+
+if ($msc_ver < 1400) {
+    $configvar{"COPTX"} = "/GX";
+} else {
+    $configvar{"COPTX"} = "/EHsc";
+}
+
+# /YX for < VS 2005
+
+if ($msc_ver < 1400) {
+    $configvar{"COPTY"} = "/YX";
+}
+
+# backtrace for >= VS 2012
+
+if ($msc_ver >= 1700) {
+    $configdefh{"USE_BACKTRACE"} = 1;
+}
+
+# warn when cross compiling
+
+if ($cross_compile eq "yes") {
+    if ($want_x64 eq "yes") {
+        $configvar{"BUILD_PLATFORM"} = "Win32";
+        $configvar{"BUILD_MACHINE"} = "/machine:X86";
+    }
+    if ($want_win32 eq "yes") {
+        $configvar{"BUILD_PLATFORM"} = "x64";
+        $configvar{"BUILD_MACHINE"} = "/machine:X64";
+    }
+} elsif ($want_win32 eq "yes") {
+    open F, ">cross.c" || die $!;
+    print F << 'EOF';
+#include <windows.h>
+#include <stdio.h>
+
+int
+main(void)
+{
+#ifdef _WIN64
+        fprintf(stderr, "compiling for x64 when win32 was asked?!\n");
+#endif
+        return(0);
+}
+EOF
+    close F;
+    my $compret = `cl /nologo /MD cross.c`;
+    if (grep { -f and -x } ".\\cross.exe") {
+        my $cross = `.\\cross.exe`;
+        if ($cross) {
+            print STDERR $cross;
+        }
+    } else {
+        print STDERR "can't check cross compile: $compret\n";
+    }
+} else {
+    open F, ">cross.c" || die $!;
+    print F << 'EOF';
+#include <windows.h>
+#include <stdio.h>
+
+int
+main(void)
+{
+#ifndef _WIN64
+        fprintf(stderr, "compiling in 32 bits when x64 was asked?!\n");
+#endif
+        return(0);
+}
+EOF
+    close F;
+    my $compret = `cl /nologo /MD cross.c`;
+    if (grep { -f and -x } ".\\cross.exe") {
+        my $cross = `.\\cross.exe`;
+        if ($cross) {
+            print STDERR $cross;
+        }
+    } else {
+        print STDERR "can't check cross compile: $compret\n";
+    }
+}
+
+# Process arguments
+
+# enable-native-pkcs11
+if ($enable_native_pkcs11 eq "yes") {
+    $cryptolib = "pkcs11";
+    if ($use_pkcs11 ne "yes") {
+        if ($verbose) {
+            print "native PKCS#11 support: force with-pkcs11\n";
+        }
+        $use_pkcs11 = "yes";
+    }
+    if ($pkcs11_path eq "unknown") {
+        if ($verbose) {
+            print "native PKCS#11 support: no PKCS#11 provider defined?\n";
+        }
+    }
+}
+
+# enable-fixed-rrset
+if ($enable_fixed_rrset eq "yes") {
+    $configdefh{"DNS_RDATASET_FIXED"} = 1;
+}
+
+# enable-querytrace
+if ($enable_querytrace eq "yes") {
+    $configdefh{"WANT_QUERYTRACE"} = 1;
+}
+
+# with-tests
+if ($use_tests eq "yes") {
+    $configcond{"TESTS"} = 1;
+}
+
+# with-extra-tests
+if ($use_xtests eq "yes") {
+    $configcond{"XTESTS"} = 1;
+}
+
+# with-system-tests
+if ($use_stests eq "yes") {
+    $configcond{"STESTS"} = 1;
+}
+
+# with-libuv
+if ($use_libuv eq "auto") {
+    if ($verbose) {
+        print "checking for an libuv built directory at sibling root\n";
+    }
+    opendir DIR, $libuv_path || die "No Directory: $!\n";
+    my @dirlist = grep (/^libuv-v[0-9]+\.[0-9]+\.[0-9]+(-rc[0-9]+){0,1}$/i,
+                        readdir(DIR));
+    closedir(DIR);
+
+    # Make sure we have something
+    if (scalar(@dirlist) == 0) {
+        die "can't find an libuv at sibling root\n";
+    }
+    # Now see if we have a directory or just a file.
+    # Make sure we are case insensitive
+    my $file;
+    foreach $file (sort {uc($b) cmp uc($a)} @dirlist) {
+        if (-f File::Spec->catfile($libuv_path,
+                                   $file,
+                                   "include\\uv.h")) {
+            $libuv_path = File::Spec->catdir($libuv_path, $file);
+            $use_libuv = "yes";
+            last;
+        }
+    }
+
+    # If we have one use it otherwise report the error
+    if ($use_libuv eq "auto") {
+        die "can't find an libuv built directory at sibling root\n";
+    }
+}
+# falls into (so no else)
+if ($use_libuv eq "yes") {
+    $libuv_path = File::Spec->rel2abs($libuv_path);
+    if ($verbose) {
+        print "checking for libuv built directory at \"$libuv_path\"\n";
+    }
+    my $libuv_new = 0;
+    if (!-f File::Spec->catfile($libuv_path,
+                                "include\\uv.h")) {
+        die "can't find libuv uv.h include\n";
+    }
+    my $libuv_inc = File::Spec->catdir($libuv_path, "include");
+    my $libuv_libdir = File::Spec->catdir($libuv_path, "build\\Release");
+    my $libuv_lib = File::Spec->catfile($libuv_libdir, "uv.lib");
+    my $libuv_dll = File::Spec->catfile($libuv_libdir, "uv.dll");
+    if (!-f $libuv_lib) {
+       die "can't find uv.lib library\n";
+    }
+    if (!-f $libuv_dll) {
+       die "can't find uv.dll library\n";
+    }
+    $configvar{"LIBUV_PATH"} = "$libuv_path";
+    $configinc{"LIBUV_INC"} = "$libuv_inc";
+    $configlib{"LIBUV_LIB"} = "$libuv_lib";
+    $configdll{"LIBUV_DLL"} = "$libuv_dll";
+}
+
+# with-openssl
+if ($use_openssl eq "auto") {
+    if ($verbose) {
+        print "checking for an OpenSSL built directory at sibling root\n";
+    }
+    opendir DIR, $openssl_path || die "No Directory: $!\n";
+    my @dirlist = grep (/^openssl-[0-9]+\.[0-9]+\.[0-9]+[a-z]{0,1}$/i,
+                        readdir(DIR));
+    closedir(DIR);
+
+    # Make sure we have something
+    if (scalar(@dirlist) == 0) {
+        die "can't find an OpenSSL at sibling root\n";
+    }
+    # Now see if we have a directory or just a file.
+    # Make sure we are case insensitive
+    my $file;
+    foreach $file (sort {uc($b) cmp uc($a)} @dirlist) {
+        if (-f File::Spec->catfile($openssl_path,
+                                   $file,
+                                   "inc32\\openssl\\opensslv.h")) {
+            $openssl_path = File::Spec->catdir($openssl_path, $file);
+            $use_openssl = "yes";
+            last;
+        }
+        if (-f File::Spec->catfile($openssl_path,
+                                   $file,
+                                   "include\\openssl\\opensslv.h")) {
+            $openssl_path = File::Spec->catdir($openssl_path, $file);
+            $use_openssl = "yes";
+            last;
+        }
+    }
+
+    # If we have one use it otherwise report the error
+    if ($use_openssl eq "auto") {
+        die "can't find an OpenSSL built directory at sibling root\n";
+    }
+}
+# falls into (so no else)
+if ($use_openssl eq "yes") {
+    my @dirlist;
+    $openssl_path = File::Spec->rel2abs($openssl_path);
+    if ($verbose) {
+        print "checking for OpenSSL built directory at \"$openssl_path\"\n";
+    }
+    if (!-f File::Spec->catfile($openssl_path,
+                                "include/openssl/opensslv.h")) {
+	die "can't find OpenSSL 1.1 opensslv.h include\n";
+    }
+    my $openssl_inc = File::Spec->catdir($openssl_path, "include");
+    my $openssl_libdir = $openssl_path;
+    my $openssl_libcrypto = File::Spec->catfile($openssl_path, "libcrypto.lib");
+    my $openssl_libssl = File::Spec->catfile($openssl_libdir, "libssl.lib");
+    my $openssl_dllcrypto = File::Spec->catfile($openssl_libdir, "libcrypto.dll");
+    my $openssl_dllssl = File::Spec->catfile($openssl_libdir, "libssl.dll");
+
+    if (!-f $openssl_libcrypto) {
+	die "can't find OpenSSL libcrypto.lib library\n";
+    }
+    opendir DIR, $openssl_path || die "No Directory: $!\n";
+    @dirlist = grep (/^libcrypto-[^.]+\.dll$/i, readdir(DIR));
+    closedir(DIR);
+    # We must get one file only
+    if (scalar(@dirlist) == 0) {
+	die "can't find OpenSSL libcrypto-*.dll DLL\n";
+    }
+    if (scalar(@dirlist) != 1) {
+	die "found more than one OpenSSL libcrypto-*.dll DLL candidate\n";
+    }
+    $openssl_dllcrypto = File::Spec->catdir($openssl_path, "$dirlist[0]");
+
+    if (!-f $openssl_libssl) {
+	die "can't find OpenSSL libssl.lib library\n";
+    }
+    opendir DIR, $openssl_path || die "No Directory: $!\n";
+    @dirlist = grep (/^libssl-[^.]+\.dll$/i, readdir(DIR));
+    closedir(DIR);
+    # We must get one file only
+    if (scalar(@dirlist) == 0) {
+	die "can't find OpenSSL libssl-*.dll DLL\n";
+    }
+    if (scalar(@dirlist) != 1) {
+	die "found more than one OpenSSL libssl-*.dll DLL candidate\n";
+    }
+    $openssl_dllssl = File::Spec->catdir($openssl_path, "$dirlist[0]");
+
+    $cryptolib = "openssl";
+    $configvar{"OPENSSL_PATH"} = "$openssl_path";
+    $configinc{"OPENSSL_INC"} = "$openssl_inc";
+    $configlib{"OPENSSL_LIBCRYPTO"} = "$openssl_libcrypto";
+    $configdll{"OPENSSL_DLLCRYPTO"} = "$openssl_dllcrypto";
+    $configlib{"OPENSSL_LIBSSL"} = "$openssl_libssl";
+    $configdll{"OPENSSL_DLLSSL"} = "$openssl_dllssl";
+}
+
+if ($cryptolib eq "openssl") {
+    $configdefh{"USE_OPENSSL"} = 1;
+    $configtest{"CRYPTO"} = "OpenSSL";
+} else {
+    $configdefh{"USE_PKCS11"} = 1;
+    $configtest{"CRYPTO"} = "pkcs11";
+}
+
+# check OpenSSL
+if ($use_openssl eq "yes") {
+#prepare the environment
+    my $dll = $configdll{"OPENSSL_DLLCRYPTO"};
+    my $ret = `copy "$dll" .`;
+    if ($? != 0) {
+        die "Can't copy OpenSSL DLL to working directory: $ret\n";
+    }
+
+    $dll = $configdll{"OPENSSL_DLLSSL"};
+    $ret = `copy "$dll" .`;
+    if ($? != 0) {
+        die "Can't copy OpenSSL DLL to working directory: $ret\n";
+    }
+
+    my $include = $configinc{"OPENSSL_INC"};
+    my $libcrypto = $configlib{"OPENSSL_LIBCRYPTO"};
+    my $libssl = $configlib{"OPENSSL_LIBSSL"};
+
+# check libcrypto
+    if ($verbose) {
+        print "checking whether linking with OpenSSL libcrypto works\n";
+    }
+
+    open F, ">testossl.c" || die $!;
+    print F << 'EOF';
+#include <openssl/err.h>
+
+int
+main(void)
+{
+        ERR_clear_error();
+        return(0);
+}
+EOF
+    close F;
+
+    $compret = `cl /nologo /MD /I "$include" testossl.c "$libcrypto"`;
+    if (grep { -f and -x } "./testossl.exe") {
+        `./testossl.exe`;
+        if ($? != 0) {
+            die "OpenSSL libcrypto test failed\n";
+        }
+    } else {
+        die "can't compile OpenSSL libcrypto test: $compret\n";
+    }
+
+    if ($verbose) {
+	print "checking whether linking with OpenSSL libssl works\n";
+    }
+
+    open F, ">testossl.c" || die $!;
+    print F << 'EOF';
+#include <openssl/ssl.h>
+
+int
+main(void)
+{
+        SSL_CTX *ctx = SSL_CTX_new(SSLv23_method());
+        SSL_CTX_free(ctx);
+        return(0);
+}
+EOF
+    close F;
+    $compret = `cl /nologo /MD /I "$include" testossl.c "$libcrypto" "$libssl"`;
+    if (grep { -f and -x } "./testossl.exe") {
+        `./testossl.exe`;
+        if ($? != 0) {
+            die "OpenSSL libssl test failed\n";
+        }
+    } else {
+        die "can't compile OpenSSL libssl test: $compret\n";
+    }
+
+# check OpenSSL version
+    if ($verbose) {
+        printf "checking OpenSSL library version\n";
+    }
+    open F, ">testosslv.c" || die $!;
+    print F << 'EOF';
+#include <stdio.h>
+#include <openssl/opensslv.h>
+
+int main() {
+        if (OPENSSL_VERSION_NUMBER >= 0x10101000L) {
+                return (0);
+        }
+        printf("\n\nFound   OPENSSL_VERSION_NUMBER %#010x\n",
+               OPENSSL_VERSION_NUMBER);
+        printf("Require OPENSSL_VERSION_NUMBER 0x10101000L or greater (1.1.1)\n\n");
+        return (1);
+}
+EOF
+    close F;
+
+    $compret = `cl /nologo /MD /I "$include" testosslv.c "$libcrypto"`;
+    if (grep { -f and -x } "./testosslv.exe") {
+        `./testosslv.exe`;
+        if ($? != 0) {
+            die "OpenSSL version test failed\n";
+        }
+    } else {
+        die "can't compile OpenSSL version test: $compret\n";
+    }
+
+    if ($verbose) {
+        print "checking for OpenSSL Ed25519 support\n";
+    }
+    open F, ">tested25519.c" || die $!;
+    print F << 'EOF';
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+
+int
+main(void)
+{
+        EVP_PKEY_CTX *ctx;
+
+        ctx = EVP_PKEY_CTX_new_id(NID_ED25519, NULL);
+        if (ctx == NULL)
+                return (2);
+        return (0);
+}
+EOF
+    close F;
+
+    $compret = `cl /nologo /MD /I "$include" tested25519.c "$libcrypto"`;
+    if (grep { -f and -x } "./tested25519.exe") {
+        `./tested25519.exe`;
+        if ($? == 0) {
+            $configdefh{"HAVE_OPENSSL_ED25519"} = 1;
+        } else {
+            if ($verbose) {
+                print "Ed25519 test failed: disabling Ed25519\n";
+            }
+        }
+    } else {
+        if ($verbose) {
+            print "can't compile Ed25519 test: $compret\n";
+            print "disabling Ed25519\n";
+        }
+    }
+
+    if ($verbose) {
+        print "checking for OpenSSL Ed448 support\n";
+    }
+    open F, ">tested448.c" || die $!;
+    print F << 'EOF';
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+
+int
+main(void)
+{
+        EVP_PKEY_CTX *ctx;
+
+        ctx = EVP_PKEY_CTX_new_id(NID_ED448, NULL);
+        if (ctx == NULL)
+                return (2);
+        return (0);
+}
+EOF
+    close F;
+
+    $compret = `cl /nologo /MD /I "$include" tested448.c "$libcrypto"`;
+    if (grep { -f and -x } "./tested448.exe") {
+        `./tested448.exe`;
+        if ($? == 0) {
+            $configdefh{"HAVE_OPENSSL_ED448"} = 1;
+        } else {
+            if ($verbose) {
+                print "Ed448 test failed: disabling Ed448\n";
+            }
+        }
+    } else {
+        if ($verbose) {
+            print "can't compile Ed448 test: $compret\n";
+            print "disabling Ed448\n";
+        }
+    }
+}
+
+# with-aes
+if ($use_openssl eq "no") {
+    if ($use_aes ne "pkcs11") {
+        $use_aes = "no";
+    }
+}
+
+if ($cryptolib ne "") {
+    print "Cryptographic library for DNSSEC: $cryptolib\n";
+} else {
+    die "No cryptography library has been found or provided."
+}
+
+# with-pkcs11
+if ($use_pkcs11 ne "no") {
+    $configcond{"PKCS11"} = 1;
+    $configvar{"PKCS11_TOOLS"} = "pkcs11";
+    $configdefd{"PK11_LIB_LOCATION"} = "PK11_LIB_LOCATION=\"$pkcs11_path\"";
+}
+
+# with-gssapi
+if ($use_gssapi eq "no") {
+    if ($verbose) {
+        print "gssapi library is disabled\n";
+    }
+} else {
+    $gssapi_path = File::Spec->rel2abs($gssapi_path);
+    if ($verbose) {
+        print "checking for gssapi directory at \"$gssapi_path\"\n";
+    }
+    $configcond{"GSSAPI"} = 1;
+    $configdefd{"USE_GSSAPI"} = "GSSAPI";
+    if (!-f File::Spec->catfile($gssapi_path, "include",
+                                "gssapi", "gssapi.h")) {
+        die "can't find gssapi.h include\n";
+    }
+    if (!-f File::Spec->catfile($gssapi_path, "include",
+                                "gssapi", "gssapi_krb5.h")) {
+        die "can't find gssapi_krb5.h include\n";
+    }
+    if (!-f File::Spec->catfile($gssapi_path, "include",
+                                "krb5", "krb5.h")) {
+        die "can't find krb5.h include\n";
+    }
+    $configinc{"GSSAPI_INC"} = File::Spec->catdir($gssapi_path, "include");
+    my $bits = "32";
+    my $gssapi_lib;
+    my $krb5_lib;
+    if ($want_win32 eq "yes") {
+        $bits = "32";
+        if (!-f File::Spec->catfile($gssapi_path, "lib", "i386",
+                                    "gssapi${bits}.lib")) {
+            die "can't find gssapi${bits}.lib library\n";
+        }
+        $gssapi_lib = File::Spec->catfile($gssapi_path, "lib", "i386",
+                                          "gssapi${bits}.lib");
+        if (!-f File::Spec->catfile($gssapi_path, "lib", "i386",
+                                    "krb5_${bits}.lib")) {
+            die "can't find krb5_${bits}.lib library\n";
+        }
+        $krb5_lib = File::Spec->catfile($gssapi_path, "lib", "i386",
+                                             "krb5_${bits}.lib");
+    } elsif ($want_x64 eq "yes") {
+        $bits = "64";
+        if (!-f File::Spec->catfile($gssapi_path, "lib", "amd64",
+                                    "gssapi${bits}.lib")) {
+            die "can't find gssapi${bits}.lib library\n";
+        }
+        $gssapi_lib = File::Spec->catfile($gssapi_path, "lib", "amd64",
+                                             "gssapi${bits}.lib");
+        if (!-f File::Spec->catfile($gssapi_path, "lib", "amd64",
+                                    "krb5_${bits}.lib")) {
+            die "can't find krb5_${bits}.lib library\n";
+        }
+        $krb5_lib = File::Spec->catfile($gssapi_path, "lib", "amd64",
+                                        "krb5_${bits}.lib");
+    } else {
+        die "can't happen: no choice between Win32 and x64\n";
+    }
+    if (!-f File::Spec->catfile($gssapi_path, "bin", "gssapi${bits}.dll")) {
+        die "can't find gssapi${bits}.dll DLL\n";
+    }
+    if (!-f File::Spec->catfile($gssapi_path, "bin", "krb5_${bits}.dll")) {
+        die "can't find krb5_${bits}.dll DLL\n";
+    }
+    if (!-f File::Spec->catfile($gssapi_path, "bin", "comerr${bits}.dll")) {
+        die "can't find comerr${bits}.dll DLL\n";
+    }
+    if (!-f File::Spec->catfile($gssapi_path, "bin", "k5sprt${bits}.dll")) {
+        die "can't find k5sprt${bits}.dll DLL\n";
+    }
+    if (!-f File::Spec->catfile($gssapi_path, "bin", "wshelp${bits}.dll")) {
+        die "can't find wshelp${bits}.dll DLL\n";
+    }
+    $configlib{"GSSAPI_LIB"} = "$gssapi_lib";
+    $configlib{"KRB5_LIB"} = "$krb5_lib";
+    my $gssapi_dll = File::Spec->catfile($gssapi_path, "bin",
+                                         "gssapi${bits}.dll");
+    $configdll{"GSSAPI_DLL"} = "$gssapi_dll";
+    my $krb5_dll = File::Spec->catfile($gssapi_path, "bin",
+                                         "krb5_${bits}.dll");
+    $configdll{"KRB5_DLL"} = "$krb5_dll";
+    my $comerr_dll = File::Spec->catfile($gssapi_path, "bin",
+                                         "comerr${bits}.dll");
+    $configdll{"COMERR_DLL"} = "$comerr_dll";
+    my $k5sprt_dll = File::Spec->catfile($gssapi_path, "bin",
+                                         "k5sprt${bits}.dll");
+    $configdll{"K5SPRT_DLL"} = "$k5sprt_dll";
+    my $wshelp_dll = File::Spec->catfile($gssapi_path, "bin",
+                                         "wshelp${bits}.dll");
+    $configdll{"WSHELP_DLL"} = "$wshelp_dll";
+}
+
+# disable-auto-validation
+$configdefh{"VALIDATION_DEFAULT"} = "\"$validation_default\"";
+
+# with-geoip2
+if ($use_geoip2 eq "no") {
+    if ($verbose) {
+        print "geoip2 library is disabled\n";
+    }
+} else {
+    $configcond{"GEOIP"} = 1;
+    $geoip2_path = File::Spec->rel2abs($geoip2_path);
+    if ($verbose) {
+        print "checking for geoip2 directory at \"$geoip2_path\"\n";
+    }
+    if (!-f File::Spec->catfile($geoip2_path, "maxminddb.h")) {
+        die "can't find maxminddb.h include\n";
+    }
+    if (!-f File::Spec->catfile($geoip2_path, "maxminddb_config.h")) {
+        die "can't find maxminddb_config.h include\n";
+    }
+    if (!-f File::Spec->catfile($geoip2_path, "libmaxminddb.lib")) {
+        die "can't find libmaxminddb.lib library\n";
+    }
+    $configinc{"GEOIP_INC"} = "$geoip2_path";
+    my $geoip2_lib = File::Spec->catfile($geoip2_path, "libmaxminddb.lib");
+    $configlib{"GEOIP_LIB"} = "$geoip2_lib";
+    my $geoip_inc = qq(/I "$geoip2_path");
+    my $geoip2_libs = qq("$geoip2_lib" Ws2_32.Lib);
+
+    if ($verbose) {
+        print "checking for GeoIP2 support\n";
+    }
+    open F, ">testgeoip2.c" || die $!;
+    print F << 'EOF';
+#include <maxminddb.h>
+int main(void) {
+       return MMDB_lib_version() != 0;
+}
+EOF
+    close F;
+    $compret = `cl /nologo $geoip_inc /MD testgeoip2.c $geoip2_libs`;
+    if (grep { -f and -x } ".\\testgeoip2.exe") {
+        `.\\testgeoip2.exe`;
+        if ($? == 0) {
+            die "GeoIP2 test failed\n";
+        }
+    } else {
+        die "can't compile GeoIP2 test: $compret\n";
+    }
+    $configdefh{"HAVE_GEOIP2"} = 1;
+}
+
+# with-readline
+if ($use_readline eq "no") {
+    if ($verbose) {
+        print "readline library is disabled\n";
+    }
+} else {
+    $readline_path = File::Spec->rel2abs($readline_path);
+    if ($verbose) {
+        print "checking for readline directory at \"$readline_path\"\n";
+    }
+    if (!-f File::Spec->catfile($readline_path, "readline", "readline.h")) {
+        die "can't find readline.h include\n";
+    }
+    if (!-f File::Spec->catfile($readline_path, "readline", "readline.lib")) {
+        die "can't find readline.lib library\n";
+    }
+    $configdefh{"HAVE_READLINE"} = 1;
+    $configinc{"READLINE_INC"} = "$readline_path";
+    my $readline_lib = File::Spec->catfile($readline_path,
+                                           "readline", "readline.lib");
+    $configlib{"READLINE_LIB"} = "$readline_lib";
+    if (-f File::Spec->catfile($readline_path, "readline", "readlineD.lib")) {
+        my $readline_libd = File::Spec->catfile($readline_path,
+                                                "readline", "readlineD.lib");
+        $configlib{"READLINE_LIBD"} = "$readline_libd";
+    } else {
+        $configlib{"READLINE_LIBD"} = "$readline_lib";
+    }
+}
+
+# with-idn (including with-iconv)
+if ($use_idn eq "no") {
+    if ($verbose) {
+        print "IDN kit is disabled\n";
+    }
+} else {
+    $idn_path = File::Spec->rel2abs($idn_path);
+    if ($verbose) {
+        print "checking for IDN kit directory at \"$idn_path\"\n";
+    }
+    if (!-f File::Spec->catfile($idn_path, "idn", "api.h")) {
+        die "can't find idn\\api.h include\n";
+    }
+    if (!-f File::Spec->catfile($idn_path, "idn", "idnkit.lib")) {
+        die "can't find idnkit.lib library\n";
+    }
+    if (!-f File::Spec->catfile($idn_path, "idn", "idnkit.dll")) {
+        die "can't find idnkit.dll DLL\n";
+    }
+    $configcond{"IDNKIT"} = 1;
+    $configdefh{"WITH_IDN"} = 1;
+    $configinc{"IDN_INC"} = "$idn_path";
+    my $idn_lib = File::Spec->catfile($idn_path, "idn", "idnkit.lib");
+    $configlib{"IDN_LIB"} = "$idn_lib";
+    my $idn_dll = File::Spec->catfile($idn_path, "idn", "idnkit.dll");
+    $configdll{"IDN_DLL"} = "$idn_dll";
+    if ($iconv_path eq " --idn-- ") {
+        my $iconv_dll = File::Spec->catfile($idn_path, "idn", "iconv.dll");
+        $configdll{"ICONV_DLL"} = "$iconv_dll";
+    } else {
+        my $iconv_dll =File::Spec->catfile($iconv_path, "iconv.dll");
+        $configdll{"ICONV_DLL"} = "$iconv_dll";
+    }
+}
+
+# with-libxml2
+if ($use_libxml2 eq "no") {
+    if ($verbose) {
+        print "libxml2 library is disabled\n";
+    }
+} elsif ($use_libxml2 eq "auto") {
+    if ($verbose) {
+        print "checking for a libxml2 built directory at sibling root\n";
+    }
+    opendir DIR, $libxml2_path || die "No Directory: $!\n";
+    my @dirlist = grep (/^libxml2-[0-9]+\.[0-9]+\.[0-9]+[a-z]*/i,
+                        readdir(DIR));
+    closedir(DIR);
+
+    # Make sure we have something
+    if (scalar(@dirlist) == 0) {
+        die "can't find a libxml2 at sibling root\n";
+    }
+    # Now see if we have a directory or just a file.
+    # Make sure we are case insensitive
+    my $file;
+    foreach $file (sort {uc($b) cmp uc($a)} @dirlist) {
+        if (-f File::Spec->catfile($libxml2_path,
+                                   $file,
+                                   "include\\libxml",
+                                   "xmlversion.h")) {
+            $libxml2_path = File::Spec->catdir($libxml2_path, $file);
+            $use_libxml2 = "yes";
+            last;
+        }
+    }
+
+    # If we have one use it otherwise report the error
+    if ($use_libxml2 eq "auto") {
+        die "can't find a libxml2 built directory at sibling root\n";
+    }
+}
+# falls into (so no else)
+if ($use_libxml2 eq "yes") {
+    $libxml2_path = File::Spec->rel2abs($libxml2_path);
+    if ($verbose) {
+        print "checking for libxml2 built directory at \"$libxml2_path\"\n";
+    }
+    if (!-f File::Spec->catfile($libxml2_path,
+                                "include\\libxml",
+                                "xmlversion.h")) {
+        die "can't find libxml2 xmlversion.h include\n";
+    }
+    if (!-f File::Spec->catfile($libxml2_path,
+                                "win32\\bin.msvc",
+                                "libxml2.lib")) {
+        die "can't find Libxml2 libxml2.lib library\n";
+    }
+    if (!-f File::Spec->catfile($libxml2_path,
+                                "win32\\bin.msvc",
+                                "libxml2.dll")) {
+        die "can't find Libxml2 DLL\n";
+    }
+    $configcond{"LIBXML2"} = 1;
+    $configdefh{"HAVE_LIBXML2"} = 1;
+    $configtest{"XMLSTATS"} = 1;
+    my $libxml2_inc = File::Spec->catdir($libxml2_path, "include");
+    $configinc{"LIBXML2_INC"} = "$libxml2_inc";
+    my $libxml2_libdir = File::Spec->catdir($libxml2_path, "win32\\bin.msvc");
+    my $libxml2_lib = File::Spec->catfile($libxml2_libdir, "libxml2.lib");
+    $configlib{"LIBXML2_LIB"} = "$libxml2_lib";
+    my $libxml2_dll = File::Spec->catfile($libxml2_libdir, "libxml2.dll");
+    $configdll{"LIBXML2_DLL"} = "$libxml2_dll";
+}
+
+# with-zlib
+if ($use_zlib eq "no") {
+    if ($verbose) {
+        print "zlib library is disabled\n";
+    }
+} else {
+    $configcond{"ZLIB"} = 1;
+    $configtest{"ZLIB"} = 1;
+    $zlib_path = File::Spec->rel2abs($zlib_path);
+    if ($verbose) {
+        print "checking for zlib directory at \"$zlib_path\"\n";
+    }
+    if (!-f File::Spec->catfile($zlib_path, "zlib.h")) {
+        die "can't find zlib.h include\n";
+    }
+    if (!-f File::Spec->catfile($zlib_path, "zdll.lib")) {
+        die "can't find zdll.lib library\n";
+    }
+    if (!-f File::Spec->catfile($zlib_path, "zlib1.dll")) {
+        die "can't find zlib1.dll DLL\n";
+    }
+    $configdefh{"HAVE_ZLIB"} = 1;
+    $configinc{"ZLIB_INC"} = "$zlib_path";
+    my $zlib_lib = File::Spec->catfile($zlib_path, "zdll.lib");
+    $configlib{"ZLIB_LIB"} = "$zlib_lib";
+    my $zlib_dll = File::Spec->catfile($zlib_path, "zlib1.dll");
+    $configdll{"ZLIB_DLL"} = "$zlib_dll";
+}
+
+if ($with_pssuspend ne "no") {
+    $configvar{"PSSUSPEND"} = "$pssuspend_command";
+}
+
+# with-python
+if ($use_python eq "no") {
+    if ($verbose) {
+        print "python is disabled\n";
+    }
+} elsif ($use_python eq "auto") {
+    if ($verbose) {
+        print "checking for python in path\n";
+    }
+    my $pythonret = `python.exe -c "quit()" 2>&1`;
+    if ($? != 0) {
+        print STDERR "can't launch the python interpreter: $pythonret\n";
+        $use_python = "no";
+    }
+}
+if ($use_python ne "no") {
+    if ($use_python ne "auto") {
+        if ($verbose) {
+           print "checking for $python_command\n";
+        }
+        my $pythonret = `"$python_command" -c "quit()" 2>&1`;
+        if ($? != 0) {
+            die "can't launch $python_command: $pythonret\n";
+        }
+    }
+    if ($python_command !~ /\.exe$/i) {
+        $python_command = $python_command . ".exe";
+    }
+    # tried to use the full path without success here
+    if ($verbose) {
+        print "checking for python module 'argparse'\n";
+    }
+    my $pythonret = `"$python_command" -c "import argparse" 2>&1`;
+    if ($? != 0) {
+        if ($use_python ne "auto") {
+            die "can't find python module 'argparse': $pythonret\n";
+        } else {
+            print STDERR "can't find python module 'argparse': $pythonret\n";
+            $use_python = "no";
+        }
+    }
+    if ($use_python ne "no") {
+        if ($verbose) {
+            print "checking for python module 'ply'\n";
+        }
+        $pythonret = `"$python_command" -c "from ply import *" 2>&1`;
+        if ($? != 0) {
+            if ($use_python ne "auto") {
+                die "can't find python module 'ply': $pythonret\n";
+            } else {
+                print STDERR "can't find python module 'ply': $pythonret\n";
+                $use_python = "no";
+            }
+        }
+    }
+    if ($use_python ne "no") {
+        if ($verbose) {
+            print "checking for python module 'win32api'\n";
+        }
+        $pythonret = `"$python_command" -c "import win32api" 2>&1`;
+        if ($? != 0) {
+            if ($use_python ne "auto") {
+                die "can't find python module 'win32api': $pythonret\n";
+            } else {
+                print STDERR
+                    "can't find python module 'win32api': $pythonret\n";
+                $use_python = "no";
+            }
+        }
+    }
+    if ($use_python ne "no") {
+        if ($verbose) {
+            print "checking for python module 'win32con'\n";
+        }
+        $pythonret = `"$python_command" -c "import win32con" 2>&1`;
+        if ($? != 0) {
+            if ($use_python ne "auto") {
+                die "can't find python module 'win32con': $pythonret\n";
+            } else {
+                print STDERR
+                    "can't find python module 'win32con': $pythonret\n";
+                $use_python = "no";
+            }
+        }
+    }
+    if ($use_python ne "no") {
+        $configcond{"PYTHON"} = 1;
+        $configdefd{"USE_PYTHON"} = "USE_PYTHON";
+        $configvar{"PYTHON"} = "$python_command";
+        $configtest{"CHECKDS"} = "checkdstool";
+        $configtest{"COVERAGE"} = "coverage";
+        $configtest{"KEYMGR"} = "keymgr";
+        # Doesn't matter
+        $configvar{"prefix"} = "__prefix__";
+        $configvar{"expanded_sysconfdir"} = "__prefix__\\etc";
+    }
+}
+
+# with-vcredist
+$vcredist_path = File::Spec->rel2abs($vcredist_path);
+if (!grep { -f and -x } $vcredist_path) {
+    die "$vcredist_path is not correct\n";
+} else {
+    $configvar{"VCREDIST_PATH"} = "$vcredist_path";
+}
+
+# tuning
+if ($tuning ne "small") {
+    $configdefh{"TUNE_LARGE"} = 1;
+}
+
+# escape spaces
+
+sub kw {
+    if ($_[0] =~ / /) {
+        return "\"$_[0]\"";
+    } else {
+        return "$_[0]";
+    }
+}
+
+# setup config.h with %configdefh
+
+sub setupconfigh {
+    my $line;
+    my @Lines;
+
+    open F, $configfile . ".win32" || die $!;
+    @Lines = <F>;
+    close F;
+
+    foreach $line (@Lines) {
+        chomp $line;
+        if ($line =~ /^@([^@]+)\@$/) {
+            if (defined($configdefh{$1})) {
+                $line = "#define $1 $configdefh{$1}";
+            } else {
+                $line = "/* #undef $1 */";
+            }
+        }
+    }
+
+    open F, ">" . $configfile || die $!;
+    if ($verbose) {
+        print "Setting up $configfile\n";
+    }
+    foreach $line (@Lines) {
+        print F $line . "\n";
+    }
+    close F;
+}
+
+# setup platform.h with %configdefp
+
+sub setupplatformh {
+    my $line;
+    my @Lines;
+
+    open F, $platformfile . ".in" || die $!;
+    @Lines = <F>;
+    close F;
+
+    foreach $line (@Lines) {
+        chomp $line;
+        if ($line =~ /^@([^@]+)\@$/) {
+            if (defined($configdefp{$1})) {
+                $line = "#define $1 $configdefp{$1}";
+            } else {
+                $line = "/* #undef $1 */";
+            }
+        }
+    }
+
+    open F, ">" . $platformfile || die $!;
+    if ($verbose) {
+        print "Setting up $platformfile\n";
+    }
+    foreach $line (@Lines) {
+        print F $line . "\n";
+    }
+    close F;
+}
+
+# setup conf.sh with %configtest and %configvar
+
+sub setupconfsh {
+    my $line;
+    my @Lines;
+    my $val;
+
+    open F, $confshfile . ".win32" || die $!;
+    @Lines = <F>;
+    close F;
+
+    foreach $line (@Lines) {
+        chomp $line;
+        while ($line =~ /@([^@]+)\@/) {
+            if ($1 ~~ @substtest) {
+                if (defined($configtest{$1})) {
+                    $val = kw($configtest{$1});
+                    $line = "$`$val$'";
+                } else {
+                    $line = "$`$'";
+                }
+            } elsif ($1 ~~ @substvar) {
+                if (defined($configvar{$1})) {
+                    $val = kw($configvar{$1});
+                    $line = "$`$val$'";
+                } else {
+                    $line = "$`$'";
+                }
+            }  else {
+                die "unknown control $& in $confshfile.win32\n";
+            }
+        }
+    }
+
+    open F, ">" . $confshfile || die $!;
+    if ($verbose) {
+        print "Setting up $confshfile\n";
+    }
+    binmode(F);
+    foreach $line (@Lines) {
+        print F $line . "\n";
+    }
+    close F;
+}
+
+# setup a file with %configcond stack and %config{var,defd,inc,lib,dll,test}
+
+sub setupfile {
+    my $line;
+    my @Linesin;
+    my @Linesout;
+    my $filename = $_[0];
+    my $cond;
+    my @conds;
+    my $pass = 1;
+    my @passes;
+    my $val;
+
+    open F, $filename . ".in" || die $!;
+    @Linesin = <F>;
+    close F;
+
+    foreach $line (@Linesin) {
+        chomp $line;
+        if ($line =~ /^\@IF (.*)$/) {
+            if (defined($cond)) {
+                unshift(@conds, $cond);
+                unshift(@passes, $pass);
+            }
+            if ($1 ~~ @allcond) {
+                $cond = $1;
+                if (defined($configcond{$cond})) {
+                    # do nothing
+                } else {
+                    $pass = 0;
+                }
+            } else {
+                die "unknown condition \@IF $1 in $filename\n";
+            }
+            next;
+        } elsif ($line =~ /^\@ELSE (.*)$/) {
+            if ($cond ne $1) {
+                die "\@ELSE $1 mismatch in $filename\n";
+            }
+            if (defined($configcond{$cond})) {
+                $pass = 0;
+            } else {
+                if (scalar(@conds) > 0) {
+                    $pass = $passes[0];
+                } else {
+                    $pass = 1;
+                }
+            }
+            next;
+        } elsif ($line =~ /^\@END (.*)$/) {
+            if ($cond ne $1) {
+                die "\@END $1 mismatch in $filename\n";
+            }
+            $cond = shift(@conds);
+            if (scalar(@passes) > 0) {
+                $pass = shift(@passes);
+            } else {
+                $pass = 1;
+            }
+            next;
+        }
+        if ($pass == 0) {
+            next;
+        }
+        while ($line =~ /@([^@ ]*)@/) {
+            if ($1 ~~ @substvar) {
+                if (defined($configvar{$1})) {
+                    $val = kw($configvar{$1});
+                    $line = "$`$val$'";
+                } else {
+                    $line = "$`$'";
+                }
+            } elsif ($1 ~~ @substdefd) {
+                if (defined($configdefd{$1})) {
+                    my $def = $configdefd{$1};
+                    my $pre = "$`";
+                    my $post = "$'";
+                    $def =~ s/([\\ "])/\\$1/g;
+                    $line = qq($pre/D "$def"$post);
+                } else {
+                    $line = "$`$'";
+                }
+            } elsif ($1 ~~ @substinc) {
+                if (defined($configinc{$1})) {
+                    $line = qq($`/I "$configinc{$1}"$');
+                } else {
+                    $line = "$`$'";
+                }
+            } elsif ($1 ~~ @substlib) {
+                if (defined($configlib{$1})) {
+                    $val = kw($configlib{$1});
+                    $line = "$`$val$'";
+                } else {
+                    $line = "$`$'";
+                }
+            } elsif ($1 ~~ @substdll) {
+                if (defined($configdll{$1})) {
+                    $val = kw($configdll{$1});
+                    $line = "$`$val$'";
+                } else {
+                    $line = "$`$'";
+                }
+            } else {
+                die "unknown control $& in $filename\n";
+            }
+        }
+        push @Linesout, $line;
+    }
+
+    open F, ">" . $filename || die $!;
+    if ($verbose) {
+        print "Setting up $filename\n";
+    }
+    binmode(F);
+    foreach $line (@Linesout) {
+        print F $line . "\n";
+    }
+    close F;
+}
+
+# setup a project with %configcond stack and %config{var,defd,inc,lib,dll}
+
+sub setupproject {
+    my $line;
+    my @Linesin;
+    my @Linesout;
+    my $projectname = $_[0];
+    my $cond;
+    my @conds;
+    my $pass = 1;
+    my @passes;
+    my $val;
+
+    open F, $projectname . ".in" || die $!;
+    @Linesin = <F>;
+    close F;
+
+    foreach $line (@Linesin) {
+        chomp $line;
+        if ($line =~ /^\@IF (.*)$/) {
+            if (defined($cond)) {
+                unshift(@conds, $cond);
+                unshift(@passes, $pass);
+            }
+            if ($1 ~~ @allcond) {
+                $cond = $1;
+                if (defined($configcond{$cond})) {
+                    # do nothing
+                } else {
+                    $pass = 0;
+                }
+            } else {
+                die "unknown condition \@IF $1 in $projectname\n";
+            }
+            next;
+        } elsif ($line =~ /^\@ELSE (.*)$/) {
+            if ($cond ne $1) {
+                die "\@ELSE $1 mismatch in $projectname\n";
+            }
+            if (defined($configcond{$cond})) {
+                $pass = 0;
+            } else {
+                if (scalar(@conds) > 0) {
+                    $pass = $passes[0];
+                } else {
+                    $pass = 1;
+                }
+            }
+            next;
+        } elsif ($line =~ /^\@END (.*)$/) {
+            if ($cond ne $1) {
+                die "\@END $1 mismatch in $projectname\n";
+            }
+            $cond = shift(@conds);
+            if (scalar(@passes) > 0) {
+                $pass = shift(@passes);
+            } else {
+                $pass = 1;
+            }
+            next;
+        }
+        if ($pass == 0) {
+            next;
+        }
+        while ($line =~ /@([^@ ]*)@/) {
+            if ($1 ~~ @substvar) {
+                if (defined($configvar{$1})) {
+                    $val = kw($configvar{$1});
+                    $line = "$`$val$'";
+                } else {
+                    $line = "$`$'";
+                }
+            } elsif ($1 ~~ @substdefd) {
+                if (defined($configdefd{$1})) {
+                    $val = kw($configdefd{$1});
+                    $line = "$`$val;$'";
+                } else {
+                    $line = "$`$'";
+                }
+            } elsif ($1 ~~ @substinc) {
+                if (defined($configinc{$1})) {
+                    $val = kw($configinc{$1});
+                    $line = "$`$val;$'";
+                } else {
+                    $line = "$`$'";
+                }
+            } elsif ($1 ~~ @substlib) {
+                if (defined($configlib{$1})) {
+                    $val = kw($configlib{$1});
+                    $line = "$`$val;$'";
+                } else {
+                    $line = "$`$'";
+                }
+            } elsif ($1 ~~ @substdll) {
+                if (defined($configdll{$1})) {
+                    $val = kw($configdll{$1});
+                    $line = "$`$val$'";
+                } else {
+                    $line = "$`$'";
+                }
+            } else {
+                die "unknown control $& in $projectname\n";
+            }
+        }
+        push @Linesout, $line;
+    }
+
+    open F, ">" . $projectname || die $!;
+    if ($verbose) {
+        print "Setting up $projectname\n";
+    }
+    foreach $line (@Linesout) {
+        print F $line . "\n";
+    }
+    close F;
+}
+
+# make versions.h
+
+sub makeversion {
+    # List of directories with version files
+
+    my $Version;
+    my $Mapapi;
+    my $versionfile = "versions.h";
+    my $versionpath = "..\\$versionfile";
+
+    my $data;
+    my $name;
+    my $value;
+
+    # And the mapapi one
+
+    open M, "..\\lib\\dns\\mapapi" || die $!;
+    while (<M>) {
+        chomp;
+        ($data) = split(/\#/);
+        if ($data) {
+            ($name, $value) = split(/=/, $data);
+            ($name) = split(/\s+/, $name);
+            if ($name eq 'MAPAPI') {
+                ($value) =~ s/^["\s]+//;
+                ($value) =~ s/["\s]+$//;
+            } else {
+                ($value) = split(/\s+/, $value);
+            }
+            $Mapapi = $value;
+        }
+    }
+    close M;
+
+    # Now set up the output version file
+
+    my $ThisDate = scalar localtime();
+    open O, ">$versionpath" ||
+        die "Can't open output file $versionpath: $!\n";
+
+    # Standard Header
+
+    print O '/*
+ * Copyright (C) 2001  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+';
+
+    print O "/*\n";
+    print O " * $versionfile.";
+    print O "  Generated automatically by Configure.pl.\n";
+    print O " * Date generated: $ThisDate\n";
+    print O " */\n\n";
+
+    print O '
+#ifndef  VERSIONS_H
+#define VERSIONS_H 1
+
+';
+
+    $Version = "$Versions{'MAJORVER'}.$Versions{'MINORVER'}";
+    if ($Versions{'PATCHVER'} ne "") {
+        $Version = "$Version.$Versions{'PATCHVER'}";
+    }
+    $Version = "$Version$Versions{'RELEASETYPE'}$Versions{'RELEASEVER'}";
+    $Version = "$Version$Versions{'EXTENSIONS'}";
+    if ($verbose) {
+        print "BIND Version: $Version\n";
+    }
+
+    print O "#define VERSION \"$Version\"\n";
+    print O "#define PRODUCT \"$Versions{'PRODUCT'}\"\n\n";
+    print O "#define DESCRIPTION \"$Versions{'DESCRIPTION'}\"\n\n";
+    print O
+        "#define MAJOR \"$Versions{'MAJORVER'}.$Versions{'MINORVER'}\"\n\n";
+    print O "#define MAPAPI \"$Mapapi\"\n\n";
+
+    print O "#endif /* VERSIONS_H */\n";
+    close O;
+}
+
+# make srcid.h
+
+sub makesrcid {
+    my $data;
+    my $name;
+    my $value;
+    my $srcid = "unset_id";
+
+    open SOUT, ">..\\srcid.h" || die "cannot open srcid.h: $!\n";
+    if (open (SIN, "..\\srcid")) {
+      LOOP: while (<SIN>) {
+          chomp;
+          ($data) = split(/\#/);
+          if ($data) {
+              ($name, $value) = split(/=/, $data);
+              ($name) = split(/\s+/, $name);
+              ($value) = split(/\s+/, $value);
+              next LOOP if ($name != "SRCID");
+              $srcid = $value;
+          }
+        }
+        close SIN;
+    }
+
+    if ($srcid eq "unset_id" and -d "..\\.git") {
+        $data = `git rev-list --max-count=1 HEAD`;
+        if (length($data) > 0) {
+            $srcid = substr($data, 0, 7);
+        }
+    }
+
+    # Now set up the output version file
+
+    my $ThisDate = scalar localtime();
+
+    # Standard Header
+
+    print SOUT '/*
+ * Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+';
+
+    print SOUT "/*\n";
+    print SOUT " * srcid.h";
+    print SOUT " * Generated automatically by Configure.pl.\n";
+    print SOUT " * Date generated: $ThisDate\n";
+    print SOUT " */\n\n";
+
+    print SOUT '
+#ifndef  SRCID_H
+#define SRCID_H 1
+';
+
+    if ($verbose) {
+        print "BIND SRCID: $srcid\n";
+    }
+
+    print SOUT "#define SRCID\t\"$srcid\"\n";
+    print SOUT "#endif /* SRCID_H */\n";
+    close SOUT;
+}
+
+# Build install files
+
+sub makeinstallfile {
+    open FOUT, ">InstallFlags" || die "cannot open InstallFlags: $!\n";
+    print FOUT "# Flags for BINDInstall\n";
+    if ($msc_ver >= 1400) {
+        print FOUT "runvcredist\n";
+    }
+    if ($want_x64 eq "yes") {
+        print FOUT "forwin64\n";
+    }
+    close FOUT;
+
+    open LOUT, ">InstallFiles" || die "cannot open InstallFiles: $!\n";
+    print LOUT "# File list for BINDInstall\n";
+    if ($msc_ver < 1400) {
+        if ($msc_ver >= 1310) {
+            print LOUT "mfc71.dll-WCTT\n";
+            print LOUT "msvcr71.dll-WCTT\n";
+        } elsif (($msc_ver > 1200) && ($msc_ver < 1310)) {
+            print LOUT "mfc70.dll-WCTT\n";
+            print LOUT "msvcr70.dll-WCTT\n";
+        }
+    }
+    print LOUT "bindevt.dll-BNFT\n";
+    print LOUT "libbind9.dll-BCFT\n";
+    print LOUT "libisc.dll-BCFT\n";
+    print LOUT "libisccfg.dll-BCFT\n";
+    print LOUT "libisccc.dll-BCFT\n";
+    print LOUT "libdns.dll-BCFT\n";
+    print LOUT "libirs.dll-BCFT\n";
+    print LOUT "libns.dll-BCFT\n";
+    print LOUT "uv.dll-BCFT\n";
+    if ($use_openssl eq "yes") {
+        my $v;
+        my $d;
+        my $name;
+        ($v, $d, $name) =File::Spec->splitpath($configdll{"OPENSSL_DLLCRYPTO"});
+        print LOUT "${name}-BCFT\n";
+        ($v, $d, $name) =File::Spec->splitpath($configdll{"OPENSSL_DLLSSL"});
+        print LOUT "${name}-BCFT\n";
+    }
+    if ($use_libxml2 eq "yes") {
+        print LOUT "libxml2.dll-BCFT\n";
+    }
+    if ($use_gssapi eq "yes") {
+        if ($want_x64 eq "yes") {
+            print LOUT "gssapi64.dll-BCFT\n";
+            print LOUT "krb5_64.dll-BCFT\n";
+        } else {
+            print LOUT "gssapi32.dll-BCFT\n";
+            print LOUT "krb5_32.dll-BCFT\n";
+        }
+    }
+    if ($use_idn eq "yes") {
+        print LOUT "idnkit.dll-BCFT\n";
+        print LOUT "iconv.dll-BCFT\n";
+    }
+    print LOUT "named.exe-BCFF\n";
+    print LOUT "nsupdate.exe-BNFT\n";
+    print LOUT "BINDInstall.exe-BNFT\n";
+    print LOUT "InstallFlags-BNFT\n";
+    print LOUT "InstallFiles-BNFT\n";
+    print LOUT "rndc.exe-BNFF\n";
+    print LOUT "dig.exe-BNFT\n";
+    print LOUT "host.exe-BNFT\n";
+    print LOUT "mdig.exe-BNFT\n";
+    print LOUT "nslookup.exe-BNFT\n";
+    print LOUT "delv.exe-BNFT\n";
+    print LOUT "arpaname.exe-BNFT\n";
+    print LOUT "nsec3hash.exe-BNFF\n";
+    print LOUT "rndc-confgen.exe-BNFF\n";
+    print LOUT "ddns-confgen.exe-BNFF\n";
+    print LOUT "tsig-keygen.exe-BNFF\n";
+    print LOUT "dnssec-keygen.exe-BNFF\n";
+    print LOUT "dnssec-signzone.exe-BNFF\n";
+    print LOUT "dnssec-dsfromkey.exe-BNFF\n";
+    print LOUT "dnssec-importkey.exe-BNFF\n";
+    print LOUT "dnssec-keyfromlabel.exe-BNFF\n";
+    print LOUT "dnssec-revoke.exe-BNFF\n";
+    print LOUT "dnssec-settime.exe-BNFF\n";
+    print LOUT "dnssec-verify.exe-BNFF\n";
+    print LOUT "named-checkconf.exe-BNFF\n";
+    print LOUT "named-checkzone.exe-BNFF\n";
+    print LOUT "named-compilezone.exe-BNFF\n";
+    print LOUT "named-journalprint.exe-BNFF\n";
+    print LOUT "named-rrchecker.exe-BNFF\n";
+    if ($use_pkcs11 eq "yes") {
+        print LOUT "pkcs11-destroy.exe-BNFF\n";
+        print LOUT "pkcs11-keygen.exe-BNFF\n";
+        print LOUT "pkcs11-list.exe-BNFF\n";
+        print LOUT "pkcs11-tokens.exe-BNFF\n";
+    }
+    if ($use_python ne "no") {
+        print LOUT "dnssec-checkds.py-BNFF\n";
+        print LOUT "dnssec-coverage.py-BNFF\n";
+        print LOUT "dnssec-keymgr.py-BNFF\n";
+    }
+    print LOUT "readme1st.txt-BTFT\n";
+    close LOUT;
+}
+
+# Adjust system tests
+
+# dnstap not supported
+#$configtest{"DNSTAP"} = "dnstap";
+#$configtest{"FSTRM_CAPTURE"} = "fstrm_capture";
+
+# no json-c library for WIN32
+#$configtest{"JSONSTATS"} = 1;
+
+# lmdb not supported
+#$configtest{"NZD_TOOLS"} = "nzd";
+
+# TODO check for pkcs11ssl and set PKCS11_TEST
+
+# Status
+
+if ($verbose) {
+    my $name;
+
+    print "Configuration Status\n";
+
+    print "\tconfig.h:\n";
+    foreach $name (@substdefh) {
+        if (defined($configdefh{$name})) {
+            print qq(\t\t$name defined to "$configdefh{$name}"\n);
+        } else {
+            printf qq(\t\t$name undefined\n);
+        }
+    }
+
+    print "\tplatform.h:\n";
+    foreach $name (@substdefp) {
+        if (defined($configdefp{$name})) {
+            print qq(\t\t$name defined to "$configdefp{$name}"\n);
+        } else {
+            printf qq(\t\t$name undefined\n);
+        }
+    }
+
+    print "\tconf.sh:\n";
+    foreach $name (@substtest) {
+        if (defined($configtest{$name})) {
+            print qq(\t\t$name defined to "$configtest{$name}"\n);
+        } else {
+            printf qq(\t\t$name undefined\n);
+        }
+    }
+
+    print "\tconditions:\n";
+    foreach $name (@substcond) {
+        if (defined($configcond{$name})) {
+            print "\t\t$name is true\n";
+        } else {
+            print "\t\t$name is false\n";
+        }
+    }
+
+    print "\tsubstitutions:\n";
+    foreach $name (@substvar) {
+        if (defined($configvar{$name})) {
+            print qq(\t\t$name -> "$configvar{$name}"\n);
+        }
+    }
+
+    print "\tdefines:\n";
+    foreach $name (@substdefd) {
+        if (defined($configdefd{$name})) {
+            print qq(\t\t/D "$configdefd{$name}"\n);
+        }
+    }
+
+    print "\tincludes:\n";
+    foreach $name (@substinc) {
+        if (defined($configinc{$name})) {
+            print qq(\t\t/I "$configinc{$name}"\n);
+        }
+    }
+
+    print "\tlibraries:\n";
+    foreach $name (@substlib) {
+        if (defined($configlib{$name})) {
+            print "\t\t$configlib{$name}\n";
+        }
+    }
+
+    print "\tDLLs:\n";
+    foreach $name (@substdll) {
+        if (defined($configdll{$name})) {
+            print "\t\t$configdll{$name}\n";
+        }
+    }
+
+    print "\n";
+}
+
+# Setup
+if (($want_win32 eq "yes") || ($want_x64 eq "yes")) {
+    setupconfigh();
+
+    setupplatformh();
+
+    setupconfsh();
+
+    my $file;
+    foreach $file (@filelist) {
+        setupfile($file);
+    }
+
+    foreach $file (@projectlist) {
+        setupproject($file);
+    }
+
+    makeversion();
+
+    makesrcid();
+
+    makeinstallfile();
+
+    print "Configured.\n";
+} else {
+    print "add win32 or x64 to commit configuration to build files\n";
+}
+
+exit 0;
+
+# Notes: Unix configure.in options
+#  --enable-developer partially supported
+#  --enable-newstats (9.9/9.9sub only)
+#  --enable-native-pkcs11 supported
+#  --enable-openssl-version-check included without a way to disable it
+#  --enable-openssl-hash supported
+#  --enable-threads included without a way to disable it
+#  --enable-backtrace backtrace included without a way to disable it
+#  --enable-symtable incompatible with DLLs (or libtool)
+#  --enable-ipv6 included without a way to disable it
+#  --enable-atomic supported (renamed to intrinsic)
+#  --enable-fixed-rrset supported
+#  --enable-querytrace supported
+#  --enable-full-report supported by verbose
+#  --enable-dnstap not supported (requires libfstrm support on WIN32)
+#  --enable-afl not supported (not yet available on Visual Studio C++)
+#  --disable-auto-validation supported
+#  --with-python supported
+#  --with-openssl supported
+#  --with-pkcs11 supported
+#  --with-aes supported
+#  --with-randomdev not supported on WIN32 (makes no sense)
+#  --with-geoip2 supported
+#  --with-gssapi supported with MIT (K)erberos (f)or (W)indows
+#  --with-lmdb no supported on WIN32 (port is not reliable)
+#  --with-libxml2 supported
+#  --with-json-c not supported on WIN32 (package not available on WIN32)
+#  --with-zlib supported
+#  --with-purify not supported (package available on WIN32 but for free?)
+#  --with-gperftools-profiler not supported (package not available on WIN32)
+#  --with-libtool not supported on WIN32 (never)
+#  --with-locktype not supported on WIN32 (not yet available on WIN32)
+#  --with-readline supported
+#  --with-protobuf-c not supported (no reason to until libfstrm is ready)
+#  --with-libfrtrm not supported (not yet available on WIN32)
+#  --with-docbook-xsl not supported (?)
+#  --with-idn[lib] supported
+#  --with-[lib]iconv supported (part of IDN)
+#  --with-atf not supported on WIN32 (package not available on WIN32)
+#  --with-tuning supported
+#  --with-dlopen included without a way to disable it
+#  --with-dlz-* ?
+#
+# Notes: MSVC versions
+# MSVC 15.x _MSC_VER == 191y (VS 2017)
+# MSVC 14.0 _MSC_VER == 1900 (VS 2015)
+# MSVC 12.0 _MSC_VER == 1800 (VS 2013)
+# MSVC 11.0 _MSC_VER == 1700 (VS 2012)
+# MSVC 10.0 _MSC_VER == 1600 (VS 2010)
+# MSVC 9.0  _MSC_VER == 1500 (VS 2008)
+# MSVC 8.0  _MSC_VER == 1400 (VS 2005)
+# MSVC 7.1  _MSC_VER == 1310 (VS .NET 2003)
+# MSVC 7.0  _MSC_VER == 1300 (VS .NET (2002))
+# MSVC 6.0  _MSC_VER == 1200 (VS 6.0 (1998))
+# MSVC 5.0  _MSC_VER == 1100 (VS 97)
diff --git a/win32utils/GeoIP.diff b/win32utils/GeoIP.diff
new file mode 100644
index 0000000..bc9b6bc
--- /dev/null
+++ b/win32utils/GeoIP.diff
@@ -0,0 +1,345 @@
+diff -ruN dists/GeoIP-1.5.1/libGeoIP/GeoIP.c dev/GeoIP-1.5.1/libGeoIP/GeoIP.c
+--- dists/GeoIP-1.5.1/libGeoIP/GeoIP.c	2013-03-23 03:26:09.000000000 +0100
++++ dev/GeoIP-1.5.1/libGeoIP/GeoIP.c	2013-07-19 16:56:58.000000000 +0200
+@@ -19,6 +19,7 @@
+  */
+ 
+ #include "GeoIP.h"
++#include "GeoIP_internal.h"
+ 
+ static geoipv6_t IPV6_NULL;
+ 
+@@ -44,6 +45,10 @@
+ #include <stdint.h>     /* For uint32_t */
+ #endif
+ 
++#if defined(_WIN32)
++#include "pread.h"
++#endif
++
+ #ifdef _UNUSED
+ #elif defined(__GNUC__)
+ #define _UNUSED __attribute__ ((unused))
+diff -ruN dists/GeoIP-1.5.1/libGeoIP/GeoIP.h dev/GeoIP-1.5.1/libGeoIP/GeoIP.h
+--- dists/GeoIP-1.5.1/libGeoIP/GeoIP.h	2013-03-23 03:26:09.000000000 +0100
++++ dev/GeoIP-1.5.1/libGeoIP/GeoIP.h	2013-07-19 16:53:33.000000000 +0200
+@@ -154,31 +154,33 @@
+ 	GEOIP_CORPORATE_SPEED = 3,
+ } GeoIPNetspeedValues;
+ 
++#ifdef GEOIP_EXPORTS
++#define GEOIP_API __declspec(dllexport)
++#define GEOIP_DATA __declspec(dllexport)
++#else
++#define GEOIP_DATA __declspec(dllimport)
++#define GEOIP_API
++#endif  /* GEOIP_EXPORTS */
++
+ extern char **GeoIPDBFileName;
+-extern const char * GeoIPDBDescription[NUM_DB_TYPES];
+-extern const char *GeoIPCountryDBFileName;
+-extern const char *GeoIPRegionDBFileName;
+-extern const char *GeoIPCityDBFileName;
+-extern const char *GeoIPOrgDBFileName;
+-extern const char *GeoIPISPDBFileName;
+-extern const char *GeoIPLocationADBFileName;
+-extern const char *GeoIPAccuracyRadiusFileName;
+-extern const char *GeoIPCityConfidenceFileName;
++extern GEOIP_DATA const char * GeoIPDBDescription[NUM_DB_TYPES];
++extern GEOIP_DATA const char *GeoIPCountryDBFileName;
++extern GEOIP_DATA const char *GeoIPRegionDBFileName;
++extern GEOIP_DATA const char *GeoIPCityDBFileName;
++extern GEOIP_DATA const char *GeoIPOrgDBFileName;
++extern GEOIP_DATA const char *GeoIPISPDBFileName;
++extern GEOIP_DATA const char *GeoIPLocationADBFileName;
++extern GEOIP_DATA const char *GeoIPAccuracyRadiusFileName;
++extern GEOIP_DATA const char *GeoIPCityConfidenceFileName;
+ extern char * GeoIP_custom_directory;
+ 
+ /* Warning: do not use those arrays as doing so may break your
+  * program with newer GeoIP versions */
+-extern const char GeoIP_country_code[255][3];
+-extern const char GeoIP_country_code3[255][4];
+-extern const char * GeoIP_country_name[255];
+-extern const char * GeoIP_utf8_country_name[255];
+-extern const char GeoIP_country_continent[255][3];
+-
+-#ifdef DLL
+-#define GEOIP_API __declspec(dllexport)
+-#else
+-#define GEOIP_API
+-#endif  /* DLL */
++extern GEOIP_DATA const char GeoIP_country_code[255][3];
++extern GEOIP_DATA const char GeoIP_country_code3[255][4];
++extern GEOIP_DATA const char * GeoIP_country_name[255];
++extern GEOIP_DATA const char * GeoIP_utf8_country_name[255];
++extern GEOIP_DATA const char GeoIP_country_continent[255][3];
+ 
+ GEOIP_API void GeoIP_setup_custom_directory(char *dir);
+ GEOIP_API GeoIP* GeoIP_open_type (int type, int flags);
+diff -ruN dists/GeoIP-1.5.1/libGeoIP/GeoIPCity.c dev/GeoIP-1.5.1/libGeoIP/GeoIPCity.c
+--- dists/GeoIP-1.5.1/libGeoIP/GeoIPCity.c	2013-03-23 03:26:09.000000000 +0100
++++ dev/GeoIP-1.5.1/libGeoIP/GeoIPCity.c	2013-07-19 15:41:05.000000000 +0200
+@@ -35,6 +35,10 @@
+ #include <stdint.h>	/* For uint32_t */
+ #endif
+ 
++#if defined(_WIN32)
++#include "pread.h"
++#endif
++
+ #ifndef HAVE_PREAD
+ #define pread(fd, buf, count, offset) \
+         ( \
+diff -ruN dists/GeoIP-1.5.1/libGeoIP/GeoIPCity.h dev/GeoIP-1.5.1/libGeoIP/GeoIPCity.h
+--- dists/GeoIP-1.5.1/libGeoIP/GeoIPCity.h	2013-03-23 03:26:09.000000000 +0100
++++ dev/GeoIP-1.5.1/libGeoIP/GeoIPCity.h	2013-07-19 16:23:58.000000000 +0200
+@@ -48,22 +48,22 @@
+         int netmask;	
+ } GeoIPRecord;
+ 
+-GeoIPRecord * GeoIP_record_by_ipnum (GeoIP* gi, unsigned long ipnum);
+-GeoIPRecord * GeoIP_record_by_addr (GeoIP* gi, const char *addr);
+-GeoIPRecord * GeoIP_record_by_name (GeoIP* gi, const char *host);
+-
+-GeoIPRecord * GeoIP_record_by_ipnum_v6 (GeoIP* gi, geoipv6_t ipnum);
+-GeoIPRecord * GeoIP_record_by_addr_v6 (GeoIP* gi, const char *addr);
+-GeoIPRecord * GeoIP_record_by_name_v6 (GeoIP* gi, const char *host);
++GEOIP_API GeoIPRecord * GeoIP_record_by_ipnum (GeoIP* gi, unsigned long ipnum);
++GEOIP_API GeoIPRecord * GeoIP_record_by_addr (GeoIP* gi, const char *addr);
++GEOIP_API GeoIPRecord * GeoIP_record_by_name (GeoIP* gi, const char *host);
++
++GEOIP_API GeoIPRecord * GeoIP_record_by_ipnum_v6 (GeoIP* gi, geoipv6_t ipnum);
++GEOIP_API GeoIPRecord * GeoIP_record_by_addr_v6 (GeoIP* gi, const char *addr);
++GEOIP_API GeoIPRecord * GeoIP_record_by_name_v6 (GeoIP* gi, const char *host);
+ 
+-int GeoIP_record_id_by_addr (GeoIP* gi, const char *addr);
+-int GeoIP_record_id_by_addr_v6 (GeoIP* gi, const char *addr);
++GEOIP_API int GeoIP_record_id_by_addr (GeoIP* gi, const char *addr);
++GEOIP_API int GeoIP_record_id_by_addr_v6 (GeoIP* gi, const char *addr);
+ 
+-int GeoIP_init_record_iter (GeoIP* gi);
++GEOIP_API int GeoIP_init_record_iter (GeoIP* gi);
+ /* returns 0 on success, 1 on failure */
+-int GeoIP_next_record (GeoIP* gi, GeoIPRecord **gir, int *record_iter);
++GEOIP_API int GeoIP_next_record (GeoIP* gi, GeoIPRecord **gir, int *record_iter);
+ 
+-void GeoIPRecord_delete (GeoIPRecord *gir);
++GEOIP_API void GeoIPRecord_delete (GeoIPRecord *gir);
+ 
+ /* NULL on failure otherwise a malloced string in utf8 */
+ /* char * GeoIP_iso_8859_1__utf8(const char *); */
+diff -ruN dists/GeoIP-1.5.1/libGeoIP/Makefile.vc dev/GeoIP-1.5.1/libGeoIP/Makefile.vc
+--- dists/GeoIP-1.5.1/libGeoIP/Makefile.vc	2013-03-23 03:26:09.000000000 +0100
++++ dev/GeoIP-1.5.1/libGeoIP/Makefile.vc	2013-07-19 16:47:45.000000000 +0200
+@@ -1,29 +1,42 @@
+ #NMAKE makefile for Windows developers. 
+-#Produces a static library (GeoIP.lib). 
++##Produces a static library (GeoIP.lib). 
++#Produces a DLL (GeoIP.dll) and library (GeoIP.lib).
+  
+ COMPILER=cl 
+  
+-CFLAGS=-DWIN32 -MD -nologo 
++CFLAGS=-DWIN32 -DGEOIP_EXPORTS -MD -nologo 
+  
+ GEOIPINC = -I..\libGeoIP 
+  
+-CC1 = $(COMPILER) $(CFLAGS) $(GEOIPINC) -DGEOIPDATADIR=\"$(GEOIPDATADIR)\" 
++CC1 = $(COMPILER) $(CFLAGS) $(GEOIPINC) -DGEOIPDATADIR=\"$(GEOIPDATADIR)\" -DPACKAGE_VERSION=\"1.5.1\"
+  
+-OBJS=GeoIP.obj GeoIPCity.obj regionName.obj md5.obj timeZone.obj
++LINKER=link
++
++LDFLAGS=/DLL /nologo /subsystem:console
++
++LD1 = $(LINKER) $(LDFLAGS)
++
++OBJS=GeoIP.obj GeoIPCity.obj GeoIP_depreciated.obj regionName.obj md5.obj timeZone.obj pread.obj
+  
+-EXTRA_LIBS= advapi32.lib wsock32.lib 
++EXTRA_LIBS= ws2_32.lib
+  
+ AR=lib 
+  
+-GeoIP.lib:  GeoIP.obj GeoIPCity.obj regionName.obj md5.obj timeZone.obj
+-   $(AR) -nologo $(OBJS) $(EXTRA_LIBS) /OUT:GeoIP.lib 
++#GeoIP.lib:  GeoIP.obj GeoIPCity.obj regionName.obj md5.obj timeZone.obj pread.obj
++#   $(AR) -nologo $(OBJS) $(EXTRA_LIBS) /OUT:GeoIP.lib 
+  
++GeoIP.dll GeoIP.lib: $(OBJS)
++   $(LD1) $(OBJS) $(EXTRA_LIBS) /out:GeoIP.dll /implib:GeoIP.lib
++
+ GeoIP.obj: GeoIP.c 
+    $(CC1) -c GeoIP.c $(GEOIPINC) 
+  
+ GeoIPCity.obj: GeoIPCity.c 
+    $(CC1) -c GeoIPCity.c $(GEOIPINC)
+ 
++GeoIP_depreciated.obj: GeoIP_depreciated.c 
++   $(CC1) -c GeoIP_depreciated.c $(GEOIPINC)
++
+ regionName.obj: regionName.c 
+    $(CC1) -c regionName.c $(GEOIPINC)
+ 
+@@ -32,3 +45,6 @@
+ 
+ timeZone.obj: timeZone.c 
+    $(CC1) -c timeZone.c $(GEOIPINC)
++
++pread.obj: pread.c 
++   $(CC1) -c pread.c $(GEOIPINC)
+diff -ruN dists/GeoIP-1.5.1/libGeoIP/pread.c dev/GeoIP-1.5.1/libGeoIP/pread.c
+--- dists/GeoIP-1.5.1/libGeoIP/pread.c	1970-01-01 01:00:00.000000000 +0100
++++ dev/GeoIP-1.5.1/libGeoIP/pread.c	2013-07-19 15:37:44.000000000 +0200
+@@ -0,0 +1,73 @@
++/*
++ * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
++ *
++ * Permission to use, copy, modify, and/or distribute this software for any
++ * purpose with or without fee is hereby granted, provided that the above
++ * copyright notice and this permission notice appear in all copies.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
++ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
++ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
++ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
++ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
++ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
++ * PERFORMANCE OF THIS SOFTWARE.
++ */
++
++#include <windows.h>
++#include <io.h>
++
++#include "pread.h"
++
++CRITICAL_SECTION preadsc;
++
++#ifdef _WIN64
++int pread(int fd, void *buf, unsigned int nbyte, __int64 offset)
++{
++	int cc = -1;
++	__int64 prev = (__int64)-1L;
++
++	EnterCriticalSection(&preadsc);
++	prev = _lseeki64(fd, 0L, SEEK_CUR);
++	if (prev == (__int64)-1L)
++		goto done;
++	if (_lseeki64(fd, offset, SEEK_SET) != offset)
++		goto done;
++	cc = _read(fd, buf, nbyte);
++
++done:
++	if (prev != (__int64)-1L)
++		(void)_lseeki64(fd, prev, SEEK_SET);
++	LeaveCriticalSection(&preadsc);
++
++	return cc;
++}
++#else
++int pread(int fd, void *buf, unsigned int nbyte, long offset)
++{
++	int cc = -1;
++	long prev = -1L;
++
++	EnterCriticalSection(&preadsc);
++	prev = _lseek(fd, 0L, SEEK_CUR);
++	if (prev == -1L)
++		goto done;
++	if (_lseek(fd, offset, SEEK_SET) != offset)
++		goto done;
++	cc = _read(fd, buf, nbyte);
++
++done:
++	if (prev != -1L)
++		(void)_lseek(fd, prev, SEEK_SET);
++	LeaveCriticalSection(&preadsc);
++
++	return cc;
++}
++#endif
++
++BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved )
++{
++	if (fdwReason == DLL_PROCESS_ATTACH)
++		InitializeCriticalSection(&preadsc);
++	return TRUE;
++}
+diff -ruN dists/GeoIP-1.5.1/libGeoIP/pread.h dev/GeoIP-1.5.1/libGeoIP/pread.h
+--- dists/GeoIP-1.5.1/libGeoIP/pread.h	1970-01-01 01:00:00.000000000 +0100
++++ dev/GeoIP-1.5.1/libGeoIP/pread.h	2013-07-19 15:39:01.000000000 +0200
+@@ -0,0 +1,29 @@
++/*
++ * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
++ *
++ * Permission to use, copy, modify, and/or distribute this software for any
++ * purpose with or without fee is hereby granted, provided that the above
++ * copyright notice and this permission notice appear in all copies.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
++ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
++ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
++ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
++ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
++ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
++ * PERFORMANCE OF THIS SOFTWARE.
++ */
++
++#ifdef _WIN64
++typedef __int64 ssize_t;
++
++int pread(int fd, void *buf, unsigned int nbyte, __int64 offset);
++#else
++typedef int ssize_t;
++
++int pread(int fd, void *buf, unsigned int nbyte, long offset);
++#endif
++
++#define HAVE_PREAD
++
++extern CRITICAL_SECTION preadsc;
+diff -ruN dists/GeoIP-1.5.1/libGeoIP/regionName.c dev/GeoIP-1.5.1/libGeoIP/regionName.c
+--- dists/GeoIP-1.5.1/libGeoIP/regionName.c	2013-03-23 03:26:09.000000000 +0100
++++ dev/GeoIP-1.5.1/libGeoIP/regionName.c	2013-07-19 16:37:56.000000000 +0200
+@@ -1,3 +1,5 @@
++#include "GeoIP.h"
++
+ #include <string.h>
+ #include <stdio.h>
+ 
+diff -ruN dists/GeoIP-1.5.1/libGeoIP/timeZone.c dev/GeoIP-1.5.1/libGeoIP/timeZone.c
+--- dists/GeoIP-1.5.1/libGeoIP/timeZone.c	2013-03-23 03:26:09.000000000 +0100
++++ dev/GeoIP-1.5.1/libGeoIP/timeZone.c	2013-07-19 17:22:44.000000000 +0200
+@@ -1,4 +1,7 @@
++#include "GeoIP.h"
++
+ #include <string.h> 
++
+ const char* GeoIP_time_zone_by_country_and_region(const char * country,const char * region) {
+   const char* timezone = NULL;
+   if (country == NULL) {
+diff -ruN dists/GeoIP-1.5.1/test/Makefile.vc dev/GeoIP-1.5.1/test/Makefile.vc
+--- dists/GeoIP-1.5.1/test/Makefile.vc	2013-03-23 03:26:09.000000000 +0100
++++ dev/GeoIP-1.5.1/test/Makefile.vc	2013-07-19 16:48:55.000000000 +0200
+@@ -9,7 +9,7 @@
+  
+ GEOIPINC = -I..\libGeoIP 
+  
+-CC1 = $(COMPILER) $(CFLAGS) $(GEOIPINC) 
++CC1 = $(COMPILER) $(CFLAGS) $(GEOIPINC) -DSRCDIR=\"../\"
+  
+ GEOIPLIB = ..\libGeoIP\GeoIP.lib 
+  
+diff -ruN dists/GeoIP-1.5.1/test/benchmark.c dev/GeoIP-1.5.1/test/benchmark.c
+--- dists/GeoIP-1.5.1/test/benchmark.c	2013-03-23 03:26:09.000000000 +0100
++++ dev/GeoIP-1.5.1/test/benchmark.c	2013-07-19 16:26:23.000000000 +0200
+@@ -81,7 +81,7 @@
+ void testgeoiporg(int flags, const char *msg, int numlookups)
+ {
+     GeoIP *i = NULL;
+-    GeoIPRegion *i3 = NULL;
++    char *i3 = NULL;
+     int i4 = 0;
+     int i2 = 0;
+     double t = 0;
diff --git a/win32utils/bind9.sln.in b/win32utils/bind9.sln.in
new file mode 100644
index 0000000..001b56d
--- /dev/null
+++ b/win32utils/bind9.sln.in
@@ -0,0 +1,772 @@
+
+Microsoft Visual Studio Solution File, Format Version 11.00
+# Visual C++ Express 2010
+# BINDInstall must be the first project
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "BINDInstall", "..\bin\win32\BINDInstall\BINDInstall.vcxproj", "{190CC424-E8CC-46F2-9013-3152D6905118}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+		{B556705F-1920-4400-878A-B259D3556047} = {B556705F-1920-4400-878A-B259D3556047}
+		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A} = {5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}
+		{82ACD33C-E75F-45B8-BB6D-42643A10D7EE} = {82ACD33C-E75F-45B8-BB6D-42643A10D7EE}
+		{B2DFA58C-6347-478E-81E8-01E06999D4F1} = {B2DFA58C-6347-478E-81E8-01E06999D4F1}
+		{E741C10B-B075-4206-9596-46765B665E03} = {E741C10B-B075-4206-9596-46765B665E03}
+		{A4F29CEB-7644-4A7F-BE9E-02B6A90E4919} = {A4F29CEB-7644-4A7F-BE9E-02B6A90E4919}
+		{0D745CD9-FC3B-49DC-99BE-1E6DF85593F0} = {0D745CD9-FC3B-49DC-99BE-1E6DF85593F0}
+		{723C65DA-A96C-4BA3-A34E-44F11CA346F9} = {723C65DA-A96C-4BA3-A34E-44F11CA346F9}
+		{7C8681A1-E3A8-470E-9EEF-16054D111A19} = {7C8681A1-E3A8-470E-9EEF-16054D111A19}
+		{39721F26-8B80-4AA9-9826-2AEF7322C3D5} = {39721F26-8B80-4AA9-9826-2AEF7322C3D5}
+		{140DE800-E552-43CC-B0C7-A33A92E368CA} = {140DE800-E552-43CC-B0C7-A33A92E368CA}
+		{F938F9B8-D395-4A40-BEC7-0122D289C692} = {F938F9B8-D395-4A40-BEC7-0122D289C692}
+		{BA1048A8-6961-4A20-BE12-08BE20611C9D} = {BA1048A8-6961-4A20-BE12-08BE20611C9D}
+		{C15A6E1A-94CE-4686-99F9-6BC5FD623EB5} = {C15A6E1A-94CE-4686-99F9-6BC5FD623EB5}
+		{BE172EFE-C1DC-4812-BFB9-8C5F8ADB7E9F} = {BE172EFE-C1DC-4812-BFB9-8C5F8ADB7E9F}
+		{2CB7DC75-023B-4AA3-AF3A-AE5046A4EE70} = {2CB7DC75-023B-4AA3-AF3A-AE5046A4EE70}
+		{0BF11E21-168C-4CAA-B784-429D126BBAE5} = {0BF11E21-168C-4CAA-B784-429D126BBAE5}
+		{205ED8A9-2E4C-41CC-9385-F3613402AA90} = {205ED8A9-2E4C-41CC-9385-F3613402AA90}
+		{17455DC6-5FBB-47C3-8F44-7DB574A188D3} = {17455DC6-5FBB-47C3-8F44-7DB574A188D3}
+		{6E6297F4-69D7-4533-85E1-BD17C30017C8} = {6E6297F4-69D7-4533-85E1-BD17C30017C8}
+		{D171F185-D3C2-4463-9CF3-ED1D0B1D6832} = {D171F185-D3C2-4463-9CF3-ED1D0B1D6832}
+		{03FB7588-C5A7-4572-968F-14F1206BC69C} = {03FB7588-C5A7-4572-968F-14F1206BC69C}
+		{FD653434-F1A8-44A9-85B2-A7468491DA6D} = {FD653434-F1A8-44A9-85B2-A7468491DA6D}
+		{AB6690A0-055E-458F-BAC5-BF38BCC5834F} = {AB6690A0-055E-458F-BAC5-BF38BCC5834F}
+		{91E60FDA-E48C-4DA0-92A2-97F963348E00} = {91E60FDA-E48C-4DA0-92A2-97F963348E00}
+		{B19042CE-D3D9-469B-BCD2-C3140150939A} = {B19042CE-D3D9-469B-BCD2-C3140150939A}
+		{4EE91023-94C3-48C0-B71C-5333B726C2EE} = {4EE91023-94C3-48C0-B71C-5333B726C2EE}
+		{98743A7C-6AF8-467F-9911-FA69C451AF2B} = {98743A7C-6AF8-467F-9911-FA69C451AF2B}
+		{3115091C-8135-481F-9757-F013A26255E0} = {3115091C-8135-481F-9757-F013A26255E0}
+		{C41266C7-E27E-4D60-9815-82D3B32BF82F} = {C41266C7-E27E-4D60-9815-82D3B32BF82F}
+		{2C1F7096-C5B5-48D4-846F-A7ACA454335D} = {2C1F7096-C5B5-48D4-846F-A7ACA454335D}
+		{03A96113-CB14-43AA-AEB2-48950E3915C5} = {03A96113-CB14-43AA-AEB2-48950E3915C5}
+		{66028555-7DD5-4016-B601-9EF9A1EE8BFA} = {66028555-7DD5-4016-B601-9EF9A1EE8BFA}
+		{64964B03-4815-41F0-9057-E766A94AF197} = {64964B03-4815-41F0-9057-E766A94AF197}
+		{1E2C1635-3093-4D59-80E7-4743AC10F22F} = {1E2C1635-3093-4D59-80E7-4743AC10F22F}
+		{1EA4FC64-F33B-4A50-970A-EA052BBE9CF1} = {1EA4FC64-F33B-4A50-970A-EA052BBE9CF1}
+@IF PKCS11
+		{5042D371-0402-4FA3-A52A-769708694422} = {5042D371-0402-4FA3-A52A-769708694422}
+		{C663B088-F7BC-4C8C-8D06-A76636EED651} = {C663B088-F7BC-4C8C-8D06-A76636EED651}
+		{5B3137E5-7E1F-49AA-8810-A09AA417D326} = {5B3137E5-7E1F-49AA-8810-A09AA417D326}
+		{403FD4B1-A4F9-4159-9013-5860E3A4417D} = {403FD4B1-A4F9-4159-9013-5860E3A4417D}
+@END PKCS11
+@IF XTESTS
+		{14751171-C40E-40EE-A2F0-37FFC3CCD4A2} = {14751171-C40E-40EE-A2F0-37FFC3CCD4A2}
+		{06AA5F16-7121-4C3A-91EF-AFC3BF3B8CE1} = {06AA5F16-7121-4C3A-91EF-AFC3BF3B8CE1}
+		{7705EEF6-6980-48F9-A045-699DAFE860C9} = {7705EEF6-6980-48F9-A045-699DAFE860C9}
+		{551561F6-4A2A-4824-8A34-A4AF0EB7C179} = {551561F6-4A2A-4824-8A34-A4AF0EB7C179}
+		{6200ED9D-CAB1-4C00-8D79-478F64A19B8F} = {6200ED9D-CAB1-4C00-8D79-478F64A19B8F}
+		{CC7340C1-CBAF-4145-969A-73AE960401D6} = {CC7340C1-CBAF-4145-969A-73AE960401D6}
+		{E55653C8-5501-4871-A97C-C926631F40F9} = {E55653C8-5501-4871-A97C-C926631F40F9}
+@END XTESTS
+@IF STESTS
+		{31715139-2C27-47D2-8394-71B71A8AC3D5} = {31715139-2C27-47D2-8394-71B71A8AC3D5}
+		{764DBE24-C8B3-46E8-BE73-196431353A5D} = {764DBE24-C8B3-46E8-BE73-196431353A5D}
+		{61F9D673-EB5C-47A5-8907-24E034C75EF8} = {61F9D673-EB5C-47A5-8907-24E034C75EF8}
+		{E1478F40-786C-4738-8E99-E7A71DD98661} = {E1478F40-786C-4738-8E99-E7A71DD98661}
+		{4F9A0F6F-366D-4483-B131-793832840508} = {4F9A0F6F-366D-4483-B131-793832840508}
+		{85ADFF2A-BE31-4B8D-9089-9AD56CE78D7E} = {85ADFF2A-BE31-4B8D-9089-9AD56CE78D7E}
+		{63A921F6-1200-4723-828A-98960127B73D} = {63A921F6-1200-4723-828A-98960127B73D}
+		{F66D8B7E-721D-4602-99AD-820D19AD1313} = {F66D8B7E-721D-4602-99AD-820D19AD1313}
+@END STESTS
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "gen", "..\lib\dns\win32\gen.vcxproj", "{A3F71D12-F38A-4C77-8D87-8E8854CA74A1}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libisc", "..\lib\isc\win32\libisc.vcxproj", "{3840E563-D180-4761-AA9C-E6155F02EAFF}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libisccc", "..\lib\isccc\win32\libisccc.vcxproj", "{B556705F-1920-4400-878A-B259D3556047}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libdns", "..\lib\dns\win32\libdns.vcxproj", "{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libns", "..\lib\ns\win32\libns.vcxproj", "{82ACD33C-E75F-45B8-BB6D-42643A10D7EE}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A} = {5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libisccfg", "..\lib\isccfg\win32\libisccfg.vcxproj", "{B2DFA58C-6347-478E-81E8-01E06999D4F1}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A} = {5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libbind9", "..\lib\bind9\win32\libbind9.vcxproj", "{E741C10B-B075-4206-9596-46765B665E03}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+		{B556705F-1920-4400-878A-B259D3556047} = {B556705F-1920-4400-878A-B259D3556047}
+		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A} = {5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}
+		{B2DFA58C-6347-478E-81E8-01E06999D4F1} = {B2DFA58C-6347-478E-81E8-01E06999D4F1}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libirs", "..\lib\irs\win32\libirs.vcxproj", "{A4F29CEB-7644-4A7F-BE9E-02B6A90E4919}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A} = {5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}
+		{B2DFA58C-6347-478E-81E8-01E06999D4F1} = {B2DFA58C-6347-478E-81E8-01E06999D4F1}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "bindevt", "..\lib\win32\bindevt\bindevt.vcxproj", "{0D745CD9-FC3B-49DC-99BE-1E6DF85593F0}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "named", "..\bin\named\win32\named.vcxproj", "{723C65DA-A96C-4BA3-A34E-44F11CA346F9}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+		{B556705F-1920-4400-878A-B259D3556047} = {B556705F-1920-4400-878A-B259D3556047}
+		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A} = {5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}
+		{82ACD33C-E75F-45B8-BB6D-42643A10D7EE} = {82ACD33C-E75F-45B8-BB6D-42643A10D7EE}
+		{B2DFA58C-6347-478E-81E8-01E06999D4F1} = {B2DFA58C-6347-478E-81E8-01E06999D4F1}
+		{E741C10B-B075-4206-9596-46765B665E03} = {E741C10B-B075-4206-9596-46765B665E03}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "rndcutil", "..\bin\rndc\win32\rndcutil.vcxproj", "{7C8681A1-E3A8-470E-9EEF-16054D111A19}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A} = {5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "rndc", "..\bin\rndc\win32\rndc.vcxproj", "{39721F26-8B80-4AA9-9826-2AEF7322C3D5}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+		{B556705F-1920-4400-878A-B259D3556047} = {B556705F-1920-4400-878A-B259D3556047}
+		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A} = {5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}
+		{B2DFA58C-6347-478E-81E8-01E06999D4F1} = {B2DFA58C-6347-478E-81E8-01E06999D4F1}
+		{E741C10B-B075-4206-9596-46765B665E03} = {E741C10B-B075-4206-9596-46765B665E03}
+		{7C8681A1-E3A8-470E-9EEF-16054D111A19} = {7C8681A1-E3A8-470E-9EEF-16054D111A19}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "dighost", "..\bin\dig\win32\dighost.vcxproj", "{140DE800-E552-43CC-B0C7-A33A92E368CA}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A} = {5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}
+		{B2DFA58C-6347-478E-81E8-01E06999D4F1} = {B2DFA58C-6347-478E-81E8-01E06999D4F1}
+		{E741C10B-B075-4206-9596-46765B665E03} = {E741C10B-B075-4206-9596-46765B665E03}
+		{A4F29CEB-7644-4A7F-BE9E-02B6A90E4919} = {A4F29CEB-7644-4A7F-BE9E-02B6A90E4919}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "dig", "..\bin\dig\win32\dig.vcxproj", "{F938F9B8-D395-4A40-BEC7-0122D289C692}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A} = {5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}
+		{B2DFA58C-6347-478E-81E8-01E06999D4F1} = {B2DFA58C-6347-478E-81E8-01E06999D4F1}
+		{E741C10B-B075-4206-9596-46765B665E03} = {E741C10B-B075-4206-9596-46765B665E03}
+		{140DE800-E552-43CC-B0C7-A33A92E368CA} = {140DE800-E552-43CC-B0C7-A33A92E368CA}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "host", "..\bin\dig\win32\host.vcxproj", "{BA1048A8-6961-4A20-BE12-08BE20611C9D}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A} = {5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}
+		{B2DFA58C-6347-478E-81E8-01E06999D4F1} = {B2DFA58C-6347-478E-81E8-01E06999D4F1}
+		{E741C10B-B075-4206-9596-46765B665E03} = {E741C10B-B075-4206-9596-46765B665E03}
+		{140DE800-E552-43CC-B0C7-A33A92E368CA} = {140DE800-E552-43CC-B0C7-A33A92E368CA}
+		{A4F29CEB-7644-4A7F-BE9E-02B6A90E4919} = {A4F29CEB-7644-4A7F-BE9E-02B6A90E4919}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "nslookup", "..\bin\dig\win32\nslookup.vcxproj", "{C15A6E1A-94CE-4686-99F9-6BC5FD623EB5}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A} = {5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}
+		{B2DFA58C-6347-478E-81E8-01E06999D4F1} = {B2DFA58C-6347-478E-81E8-01E06999D4F1}
+		{E741C10B-B075-4206-9596-46765B665E03} = {E741C10B-B075-4206-9596-46765B665E03}
+		{140DE800-E552-43CC-B0C7-A33A92E368CA} = {140DE800-E552-43CC-B0C7-A33A92E368CA}
+		{A4F29CEB-7644-4A7F-BE9E-02B6A90E4919} = {A4F29CEB-7644-4A7F-BE9E-02B6A90E4919}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "delv", "..\bin\delv\win32\delv.vcxproj", "{BE172EFE-C1DC-4812-BFB9-8C5F8ADB7E9F}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A} = {5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}
+		{B2DFA58C-6347-478E-81E8-01E06999D4F1} = {B2DFA58C-6347-478E-81E8-01E06999D4F1}
+		{A4F29CEB-7644-4A7F-BE9E-02B6A90E4919} = {A4F29CEB-7644-4A7F-BE9E-02B6A90E4919}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "dnssectool", "..\bin\dnssec\win32\dnssectool.vcxproj", "{2CB7DC75-023B-4AA3-AF3A-AE5046A4EE70}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A} = {5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "keygen", "..\bin\dnssec\win32\keygen.vcxproj", "{0BF11E21-168C-4CAA-B784-429D126BBAE5}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A} = {5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}
+		{2CB7DC75-023B-4AA3-AF3A-AE5046A4EE70} = {2CB7DC75-023B-4AA3-AF3A-AE5046A4EE70}
+		{B2DFA58C-6347-478E-81E8-01E06999D4F1} = {B2DFA58C-6347-478E-81E8-01E06999D4F1}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "signzone", "..\bin\dnssec\win32\signzone.vcxproj", "{205ED8A9-2E4C-41CC-9385-F3613402AA90}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A} = {5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}
+		{2CB7DC75-023B-4AA3-AF3A-AE5046A4EE70} = {2CB7DC75-023B-4AA3-AF3A-AE5046A4EE70}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "cds", "..\bin\dnssec\win32\cds.vcxproj", "{0EB1727E-2BBD-47A6-AD12-418F9DEB0531}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A} = {5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}
+		{2CB7DC75-023B-4AA3-AF3A-AE5046A4EE70} = {2CB7DC75-023B-4AA3-AF3A-AE5046A4EE70}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "keyfromlabel", "..\bin\dnssec\win32\keyfromlabel.vcxproj", "{17455DC6-5FBB-47C3-8F44-7DB574A188D3}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A} = {5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}
+		{2CB7DC75-023B-4AA3-AF3A-AE5046A4EE70} = {2CB7DC75-023B-4AA3-AF3A-AE5046A4EE70}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "dsfromkey", "..\bin\dnssec\win32\dsfromkey.vcxproj", "{6E6297F4-69D7-4533-85E1-BD17C30017C8}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A} = {5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}
+		{2CB7DC75-023B-4AA3-AF3A-AE5046A4EE70} = {2CB7DC75-023B-4AA3-AF3A-AE5046A4EE70}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "revoke", "..\bin\dnssec\win32\revoke.vcxproj", "{D171F185-D3C2-4463-9CF3-ED1D0B1D6832}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A} = {5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}
+		{2CB7DC75-023B-4AA3-AF3A-AE5046A4EE70} = {2CB7DC75-023B-4AA3-AF3A-AE5046A4EE70}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "settime", "..\bin\dnssec\win32\settime.vcxproj", "{03FB7588-C5A7-4572-968F-14F1206BC69C}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A} = {5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}
+		{2CB7DC75-023B-4AA3-AF3A-AE5046A4EE70} = {2CB7DC75-023B-4AA3-AF3A-AE5046A4EE70}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "verify", "..\bin\dnssec\win32\verify.vcxproj", "{FD653434-F1A8-44A9-85B2-A7468491DA6D}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A} = {5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}
+		{2CB7DC75-023B-4AA3-AF3A-AE5046A4EE70} = {2CB7DC75-023B-4AA3-AF3A-AE5046A4EE70}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "importkey", "..\bin\dnssec\win32\importkey.vcxproj", "{AB6690A0-055E-458F-BAC5-BF38BCC5834F}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A} = {5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}
+		{2CB7DC75-023B-4AA3-AF3A-AE5046A4EE70} = {2CB7DC75-023B-4AA3-AF3A-AE5046A4EE70}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "arpaname", "..\bin\tools\win32\arpaname.vcxproj", "{91E60FDA-E48C-4DA0-92A2-97F963348E00}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "journalprint", "..\bin\tools\win32\journalprint.vcxproj", "{B19042CE-D3D9-469B-BCD2-C3140150939A}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A} = {5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "nsec3hash", "..\bin\tools\win32\nsec3hash.vcxproj", "{4EE91023-94C3-48C0-B71C-5333B726C2EE}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A} = {5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "rrchecker", "..\bin\tools\win32\rrchecker.vcxproj", "{98743A7C-6AF8-467F-9911-FA69C451AF2B}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A} = {5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "mdig", "..\bin\tools\win32\mdig.vcxproj", "{3115091C-8135-481F-9757-F013A26255E0}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A} = {5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}
+		{E741C10B-B075-4206-9596-46765B665E03} = {E741C10B-B075-4206-9596-46765B665E03}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "nsupdate", "..\bin\nsupdate\win32\nsupdate.vcxproj", "{C41266C7-E27E-4D60-9815-82D3B32BF82F}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A} = {5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}
+		{B2DFA58C-6347-478E-81E8-01E06999D4F1} = {B2DFA58C-6347-478E-81E8-01E06999D4F1}
+		{E741C10B-B075-4206-9596-46765B665E03} = {E741C10B-B075-4206-9596-46765B665E03}
+		{A4F29CEB-7644-4A7F-BE9E-02B6A90E4919} = {A4F29CEB-7644-4A7F-BE9E-02B6A90E4919}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "checktool", "..\bin\check\win32\checktool.vcxproj", "{2C1F7096-C5B5-48D4-846F-A7ACA454335D}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A} = {5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}
+		{B2DFA58C-6347-478E-81E8-01E06999D4F1} = {B2DFA58C-6347-478E-81E8-01E06999D4F1}
+		{82ACD33C-E75F-45B8-BB6D-42643A10D7EE} = {82ACD33C-E75F-45B8-BB6D-42643A10D7EE}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "checkconf", "..\bin\check\win32\checkconf.vcxproj", "{03A96113-CB14-43AA-AEB2-48950E3915C5}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A} = {5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}
+		{B2DFA58C-6347-478E-81E8-01E06999D4F1} = {B2DFA58C-6347-478E-81E8-01E06999D4F1}
+		{E741C10B-B075-4206-9596-46765B665E03} = {E741C10B-B075-4206-9596-46765B665E03}
+		{2C1F7096-C5B5-48D4-846F-A7ACA454335D} = {2C1F7096-C5B5-48D4-846F-A7ACA454335D}
+		{82ACD33C-E75F-45B8-BB6D-42643A10D7EE} = {82ACD33C-E75F-45B8-BB6D-42643A10D7EE}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "checkzone", "..\bin\check\win32\checkzone.vcxproj", "{66028555-7DD5-4016-B601-9EF9A1EE8BFA}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A} = {5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}
+		{B2DFA58C-6347-478E-81E8-01E06999D4F1} = {B2DFA58C-6347-478E-81E8-01E06999D4F1}
+		{2C1F7096-C5B5-48D4-846F-A7ACA454335D} = {2C1F7096-C5B5-48D4-846F-A7ACA454335D}
+		{82ACD33C-E75F-45B8-BB6D-42643A10D7EE} = {82ACD33C-E75F-45B8-BB6D-42643A10D7EE}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "confgentool", "..\bin\confgen\win32\confgentool.vcxproj", "{64964B03-4815-41F0-9057-E766A94AF197}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+		{B556705F-1920-4400-878A-B259D3556047} = {B556705F-1920-4400-878A-B259D3556047}
+		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A} = {5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}
+		{B2DFA58C-6347-478E-81E8-01E06999D4F1} = {B2DFA58C-6347-478E-81E8-01E06999D4F1}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "rndcconfgen", "..\bin\confgen\win32\rndcconfgen.vcxproj", "{1E2C1635-3093-4D59-80E7-4743AC10F22F}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+		{B556705F-1920-4400-878A-B259D3556047} = {B556705F-1920-4400-878A-B259D3556047}
+		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A} = {5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}
+		{B2DFA58C-6347-478E-81E8-01E06999D4F1} = {B2DFA58C-6347-478E-81E8-01E06999D4F1}
+		{64964B03-4815-41F0-9057-E766A94AF197} = {64964B03-4815-41F0-9057-E766A94AF197}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ddnsconfgen", "..\bin\confgen\win32\ddnsconfgen.vcxproj", "{1EA4FC64-F33B-4A50-970A-EA052BBE9CF1}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+		{B556705F-1920-4400-878A-B259D3556047} = {B556705F-1920-4400-878A-B259D3556047}
+		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A} = {5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}
+		{B2DFA58C-6347-478E-81E8-01E06999D4F1} = {B2DFA58C-6347-478E-81E8-01E06999D4F1}
+		{64964B03-4815-41F0-9057-E766A94AF197} = {64964B03-4815-41F0-9057-E766A94AF197}
+	EndProjectSection
+EndProject
+@IF PKCS11
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "pk11keygen", "..\bin\pkcs11\win32\pk11keygen.vcxproj", "{5042D371-0402-4FA3-A52A-769708694422}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "pk11list", "..\bin\pkcs11\win32\pk11list.vcxproj", "{C663B088-F7BC-4C8C-8D06-A76636EED651}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "pk11destroy", "..\bin\pkcs11\win32\pk11destroy.vcxproj", "{5B3137E5-7E1F-49AA-8810-A09AA417D326}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "pk11tokens", "..\bin\pkcs11\win32\pk11tokens.vcxproj", "{403FD4B1-A4F9-4159-9013-5860E3A4417D}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+	EndProjectSection
+EndProject
+@END PKCS11
+@IF XTESTS
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "backtrace_test", "..\bin\tests\win32\backtrace_test.vcxproj", "{14751171-C40E-40EE-A2F0-37FFC3CCD4A2}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "inter_test", "..\bin\tests\win32\inter_test.vcxproj", "{06AA5F16-7121-4C3A-91EF-AFC3BF3B8CE1}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "rwlock_test", "..\bin\tests\win32\rwlock_test.vcxproj", "{7705EEF6-6980-48F9-A045-699DAFE860C9}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "shutdown_test", "..\bin\tests\win32\shutdown_test.vcxproj", "{551561F6-4A2A-4824-8A34-A4AF0EB7C179}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "sock_test", "..\bin\tests\win32\sock_test.vcxproj", "{6200ED9D-CAB1-4C00-8D79-478F64A19B8F}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "task_test", "..\bin\tests\win32\task_test.vcxproj", "{CC7340C1-CBAF-4145-969A-73AE960401D6}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "timer_test", "..\bin\tests\win32\timer_test.vcxproj", "{E55653C8-5501-4871-A97C-C926631F40F9}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+	EndProjectSection
+EndProject
+@END XTESTS
+@IF STESTS
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "makejournal", "..\bin\tests\win32\makejournal.vcxproj", "{31715139-2C27-47D2-8394-71B71A8AC3D5}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A} = {5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "gencheck", "..\bin\tests\system\win32\gencheck.vcxproj", "{764DBE24-C8B3-46E8-BE73-196431353A5D}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "bigkey", "..\bin\tests\system\win32\bigkey.vcxproj", "{61F9D673-EB5C-47A5-8907-24E034C75EF8}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A} = {5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "pipequeries", "..\bin\tests\system\win32\pipequeries.vcxproj", "{E1478F40-786C-4738-8E99-E7A71DD98661}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A} = {5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "keycreate", "..\bin\tests\system\win32\keycreate.vcxproj", "{4F9A0F6F-366D-4483-B131-793832840508}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A} = {5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "keydelete", "..\bin\tests\system\win32\keydelete.vcxproj", "{85ADFF2A-BE31-4B8D-9089-9AD56CE78D7E}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A} = {5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "feature-test", "..\bin\tests\system\win32\feature-test.vcxproj", "{63A921F6-1200-4723-828A-98960127B73D}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "resolve", "..\bin\tests\system\win32\resolve.vcxproj", "{F66D8B7E-721D-4602-99AD-820D19AD1313}"
+	ProjectSection(ProjectDependencies) = postProject
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
+		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
+		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A} = {5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}
+		{B2DFA58C-6347-478E-81E8-01E06999D4F1} = {B2DFA58C-6347-478E-81E8-01E06999D4F1}
+		{A4F29CEB-7644-4A7F-BE9E-02B6A90E4919} = {A4F29CEB-7644-4A7F-BE9E-02B6A90E4919}
+	EndProjectSection
+EndProject
+@END STESTS
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|@PLATFORM@ = Debug|@PLATFORM@
+		Release|@PLATFORM@ = Release|@PLATFORM@
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{190CC424-E8CC-46F2-9013-3152D6905118}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{190CC424-E8CC-46F2-9013-3152D6905118}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{190CC424-E8CC-46F2-9013-3152D6905118}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{190CC424-E8CC-46F2-9013-3152D6905118}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1}.Debug|@BUILD_PLATFORM@.ActiveCfg = Debug|@BUILD_PLATFORM@
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1}.Debug|@BUILD_PLATFORM@.Build.0 = Debug|@BUILD_PLATFORM@
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1}.Release|@BUILD_PLATFORM@.ActiveCfg = Release|@BUILD_PLATFORM@
+		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1}.Release|@BUILD_PLATFORM@.Build.0 = Release|@BUILD_PLATFORM@
+		{3840E563-D180-4761-AA9C-E6155F02EAFF}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{3840E563-D180-4761-AA9C-E6155F02EAFF}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{3840E563-D180-4761-AA9C-E6155F02EAFF}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{3840E563-D180-4761-AA9C-E6155F02EAFF}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{B556705F-1920-4400-878A-B259D3556047}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{B556705F-1920-4400-878A-B259D3556047}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{B556705F-1920-4400-878A-B259D3556047}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{B556705F-1920-4400-878A-B259D3556047}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{82ACD33C-E75F-45B8-BB6D-42643A10D7EE}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{82ACD33C-E75F-45B8-BB6D-42643A10D7EE}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{82ACD33C-E75F-45B8-BB6D-42643A10D7EE}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{82ACD33C-E75F-45B8-BB6D-42643A10D7EE}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{B2DFA58C-6347-478E-81E8-01E06999D4F1}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{B2DFA58C-6347-478E-81E8-01E06999D4F1}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{B2DFA58C-6347-478E-81E8-01E06999D4F1}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{B2DFA58C-6347-478E-81E8-01E06999D4F1}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{E741C10B-B075-4206-9596-46765B665E03}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{E741C10B-B075-4206-9596-46765B665E03}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{E741C10B-B075-4206-9596-46765B665E03}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{E741C10B-B075-4206-9596-46765B665E03}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{A4F29CEB-7644-4A7F-BE9E-02B6A90E4919}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{A4F29CEB-7644-4A7F-BE9E-02B6A90E4919}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{A4F29CEB-7644-4A7F-BE9E-02B6A90E4919}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{A4F29CEB-7644-4A7F-BE9E-02B6A90E4919}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{0D745CD9-FC3B-49DC-99BE-1E6DF85593F0}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{0D745CD9-FC3B-49DC-99BE-1E6DF85593F0}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{0D745CD9-FC3B-49DC-99BE-1E6DF85593F0}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{0D745CD9-FC3B-49DC-99BE-1E6DF85593F0}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{723C65DA-A96C-4BA3-A34E-44F11CA346F9}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{723C65DA-A96C-4BA3-A34E-44F11CA346F9}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{723C65DA-A96C-4BA3-A34E-44F11CA346F9}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{723C65DA-A96C-4BA3-A34E-44F11CA346F9}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{7C8681A1-E3A8-470E-9EEF-16054D111A19}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{7C8681A1-E3A8-470E-9EEF-16054D111A19}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{7C8681A1-E3A8-470E-9EEF-16054D111A19}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{7C8681A1-E3A8-470E-9EEF-16054D111A19}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{39721F26-8B80-4AA9-9826-2AEF7322C3D5}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{39721F26-8B80-4AA9-9826-2AEF7322C3D5}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{39721F26-8B80-4AA9-9826-2AEF7322C3D5}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{39721F26-8B80-4AA9-9826-2AEF7322C3D5}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{140DE800-E552-43CC-B0C7-A33A92E368CA}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{140DE800-E552-43CC-B0C7-A33A92E368CA}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{140DE800-E552-43CC-B0C7-A33A92E368CA}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{140DE800-E552-43CC-B0C7-A33A92E368CA}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{F938F9B8-D395-4A40-BEC7-0122D289C692}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{F938F9B8-D395-4A40-BEC7-0122D289C692}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{F938F9B8-D395-4A40-BEC7-0122D289C692}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{F938F9B8-D395-4A40-BEC7-0122D289C692}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{BA1048A8-6961-4A20-BE12-08BE20611C9D}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{BA1048A8-6961-4A20-BE12-08BE20611C9D}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{BA1048A8-6961-4A20-BE12-08BE20611C9D}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{BA1048A8-6961-4A20-BE12-08BE20611C9D}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{C15A6E1A-94CE-4686-99F9-6BC5FD623EB5}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{C15A6E1A-94CE-4686-99F9-6BC5FD623EB5}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{C15A6E1A-94CE-4686-99F9-6BC5FD623EB5}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{C15A6E1A-94CE-4686-99F9-6BC5FD623EB5}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{BE172EFE-C1DC-4812-BFB9-8C5F8ADB7E9F}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{BE172EFE-C1DC-4812-BFB9-8C5F8ADB7E9F}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{BE172EFE-C1DC-4812-BFB9-8C5F8ADB7E9F}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{BE172EFE-C1DC-4812-BFB9-8C5F8ADB7E9F}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{2CB7DC75-023B-4AA3-AF3A-AE5046A4EE70}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{2CB7DC75-023B-4AA3-AF3A-AE5046A4EE70}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{2CB7DC75-023B-4AA3-AF3A-AE5046A4EE70}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{2CB7DC75-023B-4AA3-AF3A-AE5046A4EE70}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{0BF11E21-168C-4CAA-B784-429D126BBAE5}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{0BF11E21-168C-4CAA-B784-429D126BBAE5}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{0BF11E21-168C-4CAA-B784-429D126BBAE5}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{0BF11E21-168C-4CAA-B784-429D126BBAE5}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{205ED8A9-2E4C-41CC-9385-F3613402AA90}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{205ED8A9-2E4C-41CC-9385-F3613402AA90}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{205ED8A9-2E4C-41CC-9385-F3613402AA90}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{205ED8A9-2E4C-41CC-9385-F3613402AA90}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{0EB1727E-2BBD-47A6-AD12-418F9DEB0531}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{0EB1727E-2BBD-47A6-AD12-418F9DEB0531}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{0EB1727E-2BBD-47A6-AD12-418F9DEB0531}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{0EB1727E-2BBD-47A6-AD12-418F9DEB0531}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{17455DC6-5FBB-47C3-8F44-7DB574A188D3}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{17455DC6-5FBB-47C3-8F44-7DB574A188D3}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{17455DC6-5FBB-47C3-8F44-7DB574A188D3}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{17455DC6-5FBB-47C3-8F44-7DB574A188D3}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{6E6297F4-69D7-4533-85E1-BD17C30017C8}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{6E6297F4-69D7-4533-85E1-BD17C30017C8}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{6E6297F4-69D7-4533-85E1-BD17C30017C8}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{6E6297F4-69D7-4533-85E1-BD17C30017C8}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{D171F185-D3C2-4463-9CF3-ED1D0B1D6832}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{D171F185-D3C2-4463-9CF3-ED1D0B1D6832}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{D171F185-D3C2-4463-9CF3-ED1D0B1D6832}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{D171F185-D3C2-4463-9CF3-ED1D0B1D6832}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{03FB7588-C5A7-4572-968F-14F1206BC69C}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{03FB7588-C5A7-4572-968F-14F1206BC69C}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{03FB7588-C5A7-4572-968F-14F1206BC69C}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{03FB7588-C5A7-4572-968F-14F1206BC69C}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{FD653434-F1A8-44A9-85B2-A7468491DA6D}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{FD653434-F1A8-44A9-85B2-A7468491DA6D}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{FD653434-F1A8-44A9-85B2-A7468491DA6D}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{FD653434-F1A8-44A9-85B2-A7468491DA6D}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{AB6690A0-055E-458F-BAC5-BF38BCC5834F}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{AB6690A0-055E-458F-BAC5-BF38BCC5834F}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{AB6690A0-055E-458F-BAC5-BF38BCC5834F}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{AB6690A0-055E-458F-BAC5-BF38BCC5834F}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{91E60FDA-E48C-4DA0-92A2-97F963348E00}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{91E60FDA-E48C-4DA0-92A2-97F963348E00}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{91E60FDA-E48C-4DA0-92A2-97F963348E00}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{91E60FDA-E48C-4DA0-92A2-97F963348E00}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{B19042CE-D3D9-469B-BCD2-C3140150939A}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{B19042CE-D3D9-469B-BCD2-C3140150939A}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{B19042CE-D3D9-469B-BCD2-C3140150939A}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{B19042CE-D3D9-469B-BCD2-C3140150939A}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{4EE91023-94C3-48C0-B71C-5333B726C2EE}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{4EE91023-94C3-48C0-B71C-5333B726C2EE}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{4EE91023-94C3-48C0-B71C-5333B726C2EE}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{4EE91023-94C3-48C0-B71C-5333B726C2EE}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{98743A7C-6AF8-467F-9911-FA69C451AF2B}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{98743A7C-6AF8-467F-9911-FA69C451AF2B}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{98743A7C-6AF8-467F-9911-FA69C451AF2B}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{98743A7C-6AF8-467F-9911-FA69C451AF2B}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{3115091C-8135-481F-9757-F013A26255E0}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{3115091C-8135-481F-9757-F013A26255E0}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{3115091C-8135-481F-9757-F013A26255E0}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{3115091C-8135-481F-9757-F013A26255E0}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{C41266C7-E27E-4D60-9815-82D3B32BF82F}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{C41266C7-E27E-4D60-9815-82D3B32BF82F}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{C41266C7-E27E-4D60-9815-82D3B32BF82F}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{C41266C7-E27E-4D60-9815-82D3B32BF82F}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{2C1F7096-C5B5-48D4-846F-A7ACA454335D}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{2C1F7096-C5B5-48D4-846F-A7ACA454335D}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{2C1F7096-C5B5-48D4-846F-A7ACA454335D}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{2C1F7096-C5B5-48D4-846F-A7ACA454335D}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{03A96113-CB14-43AA-AEB2-48950E3915C5}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{03A96113-CB14-43AA-AEB2-48950E3915C5}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{03A96113-CB14-43AA-AEB2-48950E3915C5}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{03A96113-CB14-43AA-AEB2-48950E3915C5}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{66028555-7DD5-4016-B601-9EF9A1EE8BFA}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{66028555-7DD5-4016-B601-9EF9A1EE8BFA}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{66028555-7DD5-4016-B601-9EF9A1EE8BFA}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{66028555-7DD5-4016-B601-9EF9A1EE8BFA}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{64964B03-4815-41F0-9057-E766A94AF197}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{64964B03-4815-41F0-9057-E766A94AF197}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{64964B03-4815-41F0-9057-E766A94AF197}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{64964B03-4815-41F0-9057-E766A94AF197}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{1E2C1635-3093-4D59-80E7-4743AC10F22F}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{1E2C1635-3093-4D59-80E7-4743AC10F22F}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{1E2C1635-3093-4D59-80E7-4743AC10F22F}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{1E2C1635-3093-4D59-80E7-4743AC10F22F}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{1EA4FC64-F33B-4A50-970A-EA052BBE9CF1}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{1EA4FC64-F33B-4A50-970A-EA052BBE9CF1}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{1EA4FC64-F33B-4A50-970A-EA052BBE9CF1}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{1EA4FC64-F33B-4A50-970A-EA052BBE9CF1}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+@IF PKCS11
+		{5042D371-0402-4FA3-A52A-769708694422}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{5042D371-0402-4FA3-A52A-769708694422}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{5042D371-0402-4FA3-A52A-769708694422}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{5042D371-0402-4FA3-A52A-769708694422}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{C663B088-F7BC-4C8C-8D06-A76636EED651}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{C663B088-F7BC-4C8C-8D06-A76636EED651}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{C663B088-F7BC-4C8C-8D06-A76636EED651}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{C663B088-F7BC-4C8C-8D06-A76636EED651}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{5B3137E5-7E1F-49AA-8810-A09AA417D326}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{5B3137E5-7E1F-49AA-8810-A09AA417D326}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{5B3137E5-7E1F-49AA-8810-A09AA417D326}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{5B3137E5-7E1F-49AA-8810-A09AA417D326}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{403FD4B1-A4F9-4159-9013-5860E3A4417D}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{403FD4B1-A4F9-4159-9013-5860E3A4417D}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{403FD4B1-A4F9-4159-9013-5860E3A4417D}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{403FD4B1-A4F9-4159-9013-5860E3A4417D}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+@END PKCS11
+@IF XTESTS
+		{14751171-C40E-40EE-A2F0-37FFC3CCD4A2}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{14751171-C40E-40EE-A2F0-37FFC3CCD4A2}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{14751171-C40E-40EE-A2F0-37FFC3CCD4A2}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{14751171-C40E-40EE-A2F0-37FFC3CCD4A2}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{06AA5F16-7121-4C3A-91EF-AFC3BF3B8CE1}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{06AA5F16-7121-4C3A-91EF-AFC3BF3B8CE1}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{06AA5F16-7121-4C3A-91EF-AFC3BF3B8CE1}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{06AA5F16-7121-4C3A-91EF-AFC3BF3B8CE1}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{7705EEF6-6980-48F9-A045-699DAFE860C9}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{7705EEF6-6980-48F9-A045-699DAFE860C9}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{7705EEF6-6980-48F9-A045-699DAFE860C9}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{7705EEF6-6980-48F9-A045-699DAFE860C9}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{551561F6-4A2A-4824-8A34-A4AF0EB7C179}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{551561F6-4A2A-4824-8A34-A4AF0EB7C179}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{551561F6-4A2A-4824-8A34-A4AF0EB7C179}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{551561F6-4A2A-4824-8A34-A4AF0EB7C179}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{6200ED9D-CAB1-4C00-8D79-478F64A19B8F}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{6200ED9D-CAB1-4C00-8D79-478F64A19B8F}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{6200ED9D-CAB1-4C00-8D79-478F64A19B8F}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{6200ED9D-CAB1-4C00-8D79-478F64A19B8F}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{CC7340C1-CBAF-4145-969A-73AE960401D6}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{CC7340C1-CBAF-4145-969A-73AE960401D6}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{CC7340C1-CBAF-4145-969A-73AE960401D6}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{CC7340C1-CBAF-4145-969A-73AE960401D6}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{E55653C8-5501-4871-A97C-C926631F40F9}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{E55653C8-5501-4871-A97C-C926631F40F9}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{E55653C8-5501-4871-A97C-C926631F40F9}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{E55653C8-5501-4871-A97C-C926631F40F9}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+@END XTESTS
+@IF STESTS
+		{31715139-2C27-47D2-8394-71B71A8AC3D5}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{31715139-2C27-47D2-8394-71B71A8AC3D5}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{31715139-2C27-47D2-8394-71B71A8AC3D5}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{31715139-2C27-47D2-8394-71B71A8AC3D5}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{764DBE24-C8B3-46E8-BE73-196431353A5D}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{764DBE24-C8B3-46E8-BE73-196431353A5D}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{764DBE24-C8B3-46E8-BE73-196431353A5D}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{764DBE24-C8B3-46E8-BE73-196431353A5D}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{61F9D673-EB5C-47A5-8907-24E034C75EF8}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{61F9D673-EB5C-47A5-8907-24E034C75EF8}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{61F9D673-EB5C-47A5-8907-24E034C75EF8}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{61F9D673-EB5C-47A5-8907-24E034C75EF8}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{E1478F40-786C-4738-8E99-E7A71DD98661}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{E1478F40-786C-4738-8E99-E7A71DD98661}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{E1478F40-786C-4738-8E99-E7A71DD98661}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{E1478F40-786C-4738-8E99-E7A71DD98661}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{4F9A0F6F-366D-4483-B131-793832840508}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{4F9A0F6F-366D-4483-B131-793832840508}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{4F9A0F6F-366D-4483-B131-793832840508}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{4F9A0F6F-366D-4483-B131-793832840508}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{85ADFF2A-BE31-4B8D-9089-9AD56CE78D7E}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{85ADFF2A-BE31-4B8D-9089-9AD56CE78D7E}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{85ADFF2A-BE31-4B8D-9089-9AD56CE78D7E}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{85ADFF2A-BE31-4B8D-9089-9AD56CE78D7E}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{63A921F6-1200-4723-828A-98960127B73D}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{63A921F6-1200-4723-828A-98960127B73D}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{63A921F6-1200-4723-828A-98960127B73D}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{63A921F6-1200-4723-828A-98960127B73D}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+		{F66D8B7E-721D-4602-99AD-820D19AD1313}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@
+		{F66D8B7E-721D-4602-99AD-820D19AD1313}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@
+		{F66D8B7E-721D-4602-99AD-820D19AD1313}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@
+		{F66D8B7E-721D-4602-99AD-820D19AD1313}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@
+@END STESTS
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal
diff --git a/win32utils/build.txt b/win32utils/build.txt
new file mode 100644
index 0000000..0f598f1
--- /dev/null
+++ b/win32utils/build.txt
@@ -0,0 +1,293 @@
+<!--
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0.  If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+-->
+
+Building BIND 9 on Windows has the following prerequisites:
+
+1) You need to install Perl for Windows.  ActivePerl
+(http://www.activestate.com/) and Strawberry Perl
+(http://www.strawberryperl.com) have both been tested and found
+to work.
+
+2) libuv (https://libuv.org/) must be downloaded and built on the
+system on which you are building BIND 9.
+
+3) OpenSSL (https://www.openssl.org) must be downloaded and built on
+the system on which you are building BIND 9.
+
+4) If you wish to use the statistics channel, LibXML2
+(ftp://xmlsoft.org/libxml2) must be downloaded and built on
+the system on which you are building BIND 9.
+
+5) Optional external packages (not used by default)
+
+If you wish to use IP geolocation, GeoIP API and database must be
+downloaded, patched and built on the system on which you are building
+BIND 9.
+
+If you wish to use zlib/deflate on the statistics channel, zlib
+must be downloaded and built on the system on which you are building
+BIND 9.
+
+If you wish to use python tools, you need a python (version 2 or 3)
+interpreter with its standard libraries.
+
+If you wish to use readline, the readline library must be downloaded
+and built on the system on which you are building BIND 9.
+
+6) The BIND 9 Installer (BINDInstall) includes a copy of the
+redistributable runtime object vcredist_x86.exe (or vcredist_x64.exe),
+which is included with Visual Studio and can be downloaded from
+Microsoft.  This file must be in place prior to running Configure.
+
+Step 1: Download and build libuv
+
+  Download and untar the libuv sources from https://libuv.org/ in the same
+  directory in which you extracted the BIND 9 source: if BIND 9 is in
+  \build\bind-9.16.9, for instance, libuv should be in \build\libuv-v1.40.0
+  (subject to version number changes).
+
+  As of this writing, a patch (win32utils/libuv.diff) needs to be applied
+  to the libuv source code in order for it to work with BIND on Windows.  A
+  pull request including the changes from this patch has been submitted to
+  the libuv maintainers:
+
+      https://github.com/libuv/libuv/pull/2653
+
+  Applying the win32utils/libuv.diff patch will no longer be necessary
+  for libuv versions released after this pull request has been merged.
+
+  On Windows, libuv is built using CMake.  Here is a sample sequence of
+  commands which builds a 64-bit shared libuv library:
+
+      cd libuv-v1.40.0
+      mkdir build
+      cd build
+      cmake -DCMAKE_GENERATOR_PLATFORM=x64 ..
+      cmake --build . --config Release
+
+Step 2: Download and build OpenSSL
+
+  Download and untar the OpenSSL sources from https://www.openssl.org/ in
+  the same directory in which you extracted the BIND 9 source: if BIND 9 is
+  in \build\bind-9.16.0, for instance, OpenSSL should be in
+  \build\openssl-1.1.1d (subject to version number changes).
+
+  Note: Building OpenSSL requires that you install Perl and NASM as it
+  uses these during its build process. The following commands work as of
+  openssl-1.1.1d, but you should check the OpenSSL distribution to see
+  if the build instructions in the INSTALL file have changed:
+
+      (In an x64 Visual Studio Command Prompt window)
+      cd openssl-1.1.1d
+      perl Configure VC-WIN64A
+      nmake
+
+Step 3: Download and build LibXML2
+
+  LibXML2 is required to use the statistics channel. If you wish to
+  build BIND 9 without support for this feature, skip to step 4.
+
+  Download and untar the libxml2 sources from ftp://xmlsoft.org/libxml2 in
+  the same directory in which you extracted the BIND 9 source: if BIND 9 is
+  in \build\bind-9.16.0, for instance, libxml2 should be in
+  \build\libxml2-2.9.2 (subject to version number changes).
+
+  Now build libxml2:
+
+    cd libxml2-2.9.2\win32
+    cscript configure.js iconv=no
+    nmake /f Makefile.msvc
+
+Step 4: Download and build zlib
+
+  The statistics channel (aka internal HTTP server) can support
+  zlib "deflate" compression method. If you don't want to this
+  feature, skip to step 5.
+
+  Download and untar the zlib sources from https://www.zlib.net in the same
+  directory in which you extracted the BIND 9 source: if BIND 9 is in
+  \build\bind-9.16.0, for instance, zlib should be in \build\zlib-1.2.11
+  (subject to version number changes).
+
+  Read the win32\Makefile.msc for the Usage comment at the beginning of
+  this file, then build the zlib1.dll DLL for the intended processor (i.e.,
+  win32 aka x86, or x64), e.g.:
+
+    cd zlib-1.2.11
+    nmake /f win32\Makefile.msc
+
+Step 5: Download and build GeoIP
+
+  Geographic ("geoip") ACLs require libGeoIP. If you wish to build BIND 9
+  without support for this feature, skip to step 6.
+
+  The libGeoIP source code is available from:
+
+    https://github.com/maxmind/geoip-api-c/releases.
+
+  As of this writing, the current version of libGeoIP is 1.6.0.  There
+  is a known bug in this and all prior versions which prevents it from
+  building a suitable DLL with thread support on Windows.  You can apply
+  the patch file bind9/win32utils/GeoIP.diff to address the problem.
+  This patch has been submitted upstream, and will be included in
+  future versions of libGeoIP.
+
+Step 6: Enable python tools
+
+  Some python packages are required: argparse, ply, win32con and win32api.
+  Last CPython's (version 2 or 3) from https://www.python.org include
+  the pip package manager which can install missing packages, for
+  instance for the 2 last packages 'pip install pypiwin32' downloads and
+  installs win32con and win32api.
+
+  Note when the python interpreter is in the command path and
+  the required packages available the Configure script will detect
+  them and add python tools to the BIND 9 build.
+
+  To be used a python tool must be invoked with python (e.g.,
+  python dnssec-checkds.py <args>) as the shebang doesn't work
+  on Windows. The isc package should be installed too, cf step 12.
+  Unlike on Unix systems, this isc package uses the Registry to
+  learn where BIND 9 was installed in step 11.
+
+Step 7: Download and build Readline
+
+  The readline library adds command-line editing in nslookup and nsupdate.
+  If you wish to build BIND 9 without support for this feature, skip to
+  step 8.
+
+  Because the original GNU source for the readline library has no WIN32
+  support, it will be necessary to download a version of the static
+  readline library source that is ready to be built by Visual Studio.  One
+  such version is available at:
+
+    http://gpsim.sourceforge.net/gpsimWin32/gpsimWin32.html#readline_lib
+
+  Note: Windows command (cmd.exe) provides an integrated line editing
+  feature so it is not recommended to configure bind with readline.
+
+Step 8: Make the redistributable runtime object available
+
+  Check that the Microsoft redistributable object (vcredist_x86.exe or
+  vcredist_x64.exe) is available to the build.  The file may be placed
+  in the directory in which the BIND 9 source was extracted (for
+  instance, if BIND 9 is in \build\bind-9.16.0, the redistributable
+  may be placed in \build\vcredist_x86.exe).  Or, the path to the file
+  can be specified via the VCREDIST_PATH environment variable, or via
+  the "with-vcredist=PATH" option to the configuration script (see
+  step 9). If none of these options is used, Configure will attempt to
+  find the redistributable based on clues in the build environment.
+
+Step 9: Configuring the BIND 9 build
+
+  From the command prompt, cd to the win32utils directory under
+  the BIND 9 root:
+
+    cd bind-9.16.0\win32utils
+
+  In this directory, you can prepare the Windows build by running:
+
+    perl Configure <options> x64
+
+  This will set up all the files needed for building BIND 9 according
+  to the given options.  To see the available options, run:
+
+    perl Configure help
+
+  To remove all files generated by Configure, run:
+
+    perl Configure clean
+
+Step 10: Building BIND 9
+
+  Building using 'nmake' or older versions of Visual Studio
+  (e.g. VS 2005 or VS 2008) is no longer supported.
+
+  Building with a version of Visual Studio newer than VS 2010
+  requires the solution to first be upgraded by running:
+
+    devenv bind9.sln /upgrade
+
+  If the build host only has Visual Studio Build Tools available
+  and not a full Visual Studio installation, devenv.exe will not
+  be present.  In that case, the Configure invocation from step 9
+  must be extended with the following parameters set to values
+  matching the Visual Studio Build Tools version used:
+
+    with-tools-version
+    with-platform-version
+    with-platform-toolset
+
+  Example use for a 64-bit Visual Studio 2017 build:
+
+    perl Configure ^
+      with-tools-version=15.0 ^
+      with-platform-toolset=v141 ^
+      with-platform-version=10.0.17763.0 ^
+      ...
+      x64
+
+  To build using the Visual Studio GUI in VS 2010 or newer:
+  open the bind9.sln solution file; this will load the project
+  files for all of the BIND 9 libraries and applications.  Select
+  "Build->Batch Build", click "Select All", then click "Build".
+
+  To build using MSBuild in VS 2010 or newer: call MSBuild on
+  the bind9.sln solution file:
+
+    msbuild /t:Build /p:Configuration=Release bind9.sln
+    msbuild /t:Build /p:Configuration=Debug bind9.sln
+
+  Note: This mode does not support building for Windows XP.
+
+  After this step this documentation applies to external or remote
+  builds, i.e., is common with installation.
+
+Step 11: Install
+
+  Installation is accomplished by running the BINDInstall program. All
+  DLL's are copied to the Program Files area and all applications
+  (including BINDInstall which may be necessary for uninstalling BIND
+  9) to the bin directory.  If BIND 8 has previously been installed on
+  the system it must be uninstalled first by running it's own
+  BINDInstall program.  The BIND 9 installer does not yet do this.
+
+  Note: BINDInstall.exe requires the MFC (Microsoft Foundation Class).
+  This is only distributed with non-free (i.e., not "Express") versions of
+  Visual Studio. The other BIND 9 libraries and applications do not have
+  this dependency.
+
+  The very last version of BINDInstall uses two files created by
+  the Configure perl script:
+   - InstallFlags: 32/64 bit build, and/or should the redistributable
+    object be run.
+   - InstallFiles: the list of files to install with for each files
+    4 flags (destination, importance, check version and part of tools).
+  The idea is to be able to use any BINDInstall.exe binary so
+  a non-free version of Visual Studio is no longer required.
+
+Step 12: Python package install
+
+  When BIND 9 was built with python support, the isc python package
+  must be installed locally by:
+
+   cd <top-bind9-directory>
+   cd bin/python
+   python setup.py install
+
+  (replace 'python' by the path of your python interpreter if needed.)
+
+  BIND 9 python tools should work with version 2 or 3, 32 or 64 bits.
+
+Please report bugs, whether in the process of building the application
+or in BIND 9 itself, at https://gitlab.isc.org/isc-projects/bind9.
diff --git a/win32utils/readme1st.txt b/win32utils/readme1st.txt
new file mode 100644
index 0000000..58cc36c
--- /dev/null
+++ b/win32utils/readme1st.txt
@@ -0,0 +1,158 @@
+<!--
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0.  If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+-->
+
+KIT INSTALLATION:
+
+Unpack the kit into any convenient directory and run the BINDInstall
+program.  This will install the named and associated programs into
+the correct directories and set up the required registry keys.
+
+Usually BINDInstall must be run by/as Administrator or it can fail
+to operate on the filesystem or the registry or even return messages
+like "A referral was returned from the server". The best way to
+avoid this kind of problems on Windows 7 or newer is:
+ - open a "Windows Explorer" window
+ - go where the distribution was extracted
+ - click right on the BINDInstall application
+ - open "Properties" (last) menu
+ - open "Compatibility" (second) tab
+ - check the (last) "Run this program as an administrator" box
+Unfortunately this is not saved by zip (or any archiver?) as
+it is a property saved in the Registry.
+
+BINDInstall requires that you install it under an account with
+restricted privileges. The installer will prompt you for an account
+name (the default is "named") and a password for that account. It
+will also check for the existence of that account.  If it does not
+exist is will create it with only the privileges required to run
+BIND 9. If the account does exist it will check that it has only the
+one privilege required: "Log on as a service".  If it has too many
+privileges it will prompt you if you want to continue.
+
+With BIND 9 running under an account name, it is necessary for all
+files and directories that BIND 9 uses to have permissions set up for
+the named account if the files are on an NTFS disk. BIND 9 requires
+that the account have read and write access to the directory for
+the pid file, any files that are maintained either for slave zones
+or for master zones supporting dynamic updates. The account will
+also need read access to the named.conf and any other file that it
+needs to read.
+
+"NT AUTHORITY\LocalService" is also an acceptable account
+(and the only acceptable on some recent versions of Windows).
+This account is built into Windows and no password is required.
+Appropriate file permissions will also need to be set for "NT
+AUTHORITY\LocalService" similar to those that would have been
+required for the "named" account.
+
+It is important that on Windows the directory directive is used in
+the options section to tell BIND 9 where to find the files used in
+named.conf (default "%ProgramFiles%\ISC BIND 9\etc\named.conf"). For
+example:
+
+	options {
+		directory "C:\Program Files (x86)\ISC BIND 9\etc";
+	};
+
+for a 32 bit BIND 9 on a 64 bit US Domestic Windows system.
+Messages are logged to the Application log in the EventViewer.
+
+CONTROLLING BIND 9:
+
+Windows uses the same rndc program as is used on Unix systems.  The
+rndc.conf file must be configured for your system in order to work.
+You will need to generate a key for this. To do this use the
+rndc-confgen program. The program will be installed in the same
+directory as named: "%ProgramFiles%\ISC BIND 9\bin".  From the DOS
+prompt, use the command this way:
+
+rndc-confgen -a
+
+which will create a rndc.key file in the "%ProgramFiles%\ISC BIND 9\etc"
+directory. This will allow you to run rndc without an explicit
+rndc.conf file or key and control entry in named.conf file. See
+the ARM for details of this. An rndc.conf can also be generated by
+running:
+
+rndc-confgen > rndc.conf
+
+which will create the rndc.conf file in the current directory, but
+not copy it to the "%ProgramFiles%\ISC BIND 9\etc" directory where
+it needs to reside. If you create rndc.conf this way you will need
+to copy the same key statement into named.conf.
+
+The additions look like the following:
+
+key "rndc-key" { algorithm hmac-sha256; secret "xxxxxxxxx=="; };
+
+controls {
+	inet 127.0.0.1 port 953 allow { localhost; } keys { "rndc-key"; };
+};
+
+Note that the value of the secret must come from the key generated
+above for rndc and must be the same key value for both. Details of
+this may be found in the ARM. If you have rndc on a Unix box you can
+use it to control BIND 9 on the Windows box as well as using the Windows
+version of rndc to control a BIND 9 daemon on a Unix box. However you
+must have key statements valid for the servers you wish to control,
+specifically the IP address and key in both named.conf and rndc.conf.
+Again see the ARM for details.
+
+In order to run rndc from a different system it is important to
+ensure that the clocks are synchronized. The clocks must be kept
+within 5 minutes of each other or the rndc commands will fail
+authentication. Use NTP or other time synchronization software to
+keep your clocks accurate. NTP can be found at http://www.ntp.org/.
+
+In addition BIND 9 is installed as a win32 system service, can be
+started and stopped in the same way as any other service and
+automatically starts whenever the system is booted. Signals are not
+supported and are in fact ignored.
+
+Note: Unlike most Windows applications, named does not change its
+working directory when started as a service.  If you wish to use
+relative files in named.conf you will need to specify a working
+directory using the directory directive options.
+
+DOCUMENTATION:
+
+This kit includes Documentation in HTML format.  The documentation
+is not copied during the installation process so you should move
+it to any convenient location for later reference. Of particular
+importance is the BIND 9 Administrator's Reference Manual (Bv9ARM*.html)
+which provides detailed information on BIND 9. In addition, there
+are HTML pages for each of the BIND 9 applications.
+
+IMPORTANT NOTE ON USING BIND 9 TOOLS:
+
+It is no longer necessary to create a resolv.conf file on Windows
+as BIND 9 tools will look in the registry for the required name server
+information. However, if you do create a resolv.conf file as follows,
+the tools will use it in preference to the registry name server
+entries.
+
+Place resolv.conf the "%ProgramFiles%\ISC BIND 9\etc" directory.
+It must contain a list of recursive server addresses.  The format
+of this file is:
+
+nameserver 1.2.3.4
+nameserver 5.6.7.8
+
+Replace the above IP addresses with the real name server addresses.
+127.0.0.1 is a valid address if you are running a recursive name
+server on the localhost.
+
+PROBLEMS:
+
+Please report bugs at https://gitlab.isc.org/isc-projects/bind9.
+Other questions can go to the bind-users@isc.org mailing list.